- Response actions based on IP address from Jinmei Tatuya (Infoblox).

git-svn-id: file:///svn/unbound/trunk@4035 be551aaa-1e26-0410-a405-d3ace91eadb9
2024-09-21 06:37:08 +00:00 · 2017-03-07 14:58:51 +00:00 · 2017-03-07 14:58:51 +00:00 · cae9809e11
commit cae9809e11
parent 570564a375
32 changed files with 4878 additions and 2495 deletions
--- a/Makefile.in
+++ b/Makefile.in
@ -113,7 +113,8 @@ util/ub_event.c util/ub_event_pluggable.c util/winsock_event.c \
 validator/autotrust.c validator/val_anchor.c validator/validator.c \
 validator/val_kcache.c validator/val_kentry.c validator/val_neg.c \
 validator/val_nsec3.c validator/val_nsec.c validator/val_secalgo.c \
-validator/val_sigcrypt.c validator/val_utils.c dns64/dns64.c cachedb/cachedb.c $(CHECKLOCK_SRC) \
+validator/val_sigcrypt.c validator/val_utils.c dns64/dns64.c \
+cachedb/cachedb.c respip/respip.c $(CHECKLOCK_SRC) \
 $(DNSTAP_SRC)
 COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \
 as112.lo msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
@ -126,6 +127,7 @@ slabhash.lo timehist.lo tube.lo winsock_event.lo autotrust.lo val_anchor.lo \
 validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \
 val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo cachedb.lo \
 $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ)
+COMMON_OBJ_WITHOUT_NETCALL+=respip.lo
 COMMON_OBJ_WITHOUT_UB_EVENT=$(COMMON_OBJ_WITHOUT_NETCALL) netevent.lo listen_dnsport.lo \
 outside_network.lo
 COMMON_OBJ=$(COMMON_OBJ_WITHOUT_UB_EVENT) ub_event.lo
@ -1294,3 +1296,4 @@ sha512.lo sha512.o: $(srcdir)/compat/sha512.c config.h
 reallocarray.lo reallocarray.o: $(srcdir)/compat/reallocarray.c config.h
 isblank.lo isblank.o: $(srcdir)/compat/isblank.c config.h
 strsep.lo strsep.o: $(srcdir)/compat/strsep.c config.h
+respip.lo respip.o: $(srcdir)/respip/respip.c config.h $(srcdir)/respip/respip.h $(srcdir)/util/module.h $(srcdir)/services/outbound_list.h
--- a/daemon/daemon.c
+++ b/daemon/daemon.c
@ -87,6 +87,7 @@
 #include "util/tube.h"
 #include "util/net_help.h"
 #include "sldns/keyraw.h"
+#include "respip/respip.h"
 #include <signal.h>

 #ifdef HAVE_SYSTEMD
@ -562,6 +563,8 @@ daemon_stop_others(struct daemon* daemon)
 void 
 daemon_fork(struct daemon* daemon)
 {
+	int have_view_respip_cfg = 0;
+
 	log_assert(daemon);
 	if(!(daemon->views = views_create()))
 		fatal_exit("Could not create views: out of memory");
@ -577,9 +580,27 @@ daemon_fork(struct daemon* daemon)
 	if(!local_zones_apply_cfg(daemon->local_zones, daemon->cfg))
 		fatal_exit("Could not set up local zones");

+	/* process raw response-ip configuration data */
+	if(!(daemon->respip_set = respip_set_create()))
+		fatal_exit("Could not create response IP set");
+	if(!respip_global_apply_cfg(daemon->respip_set, daemon->cfg))
+		fatal_exit("Could not set up response IP set");
+	if(!respip_views_apply_cfg(daemon->views, daemon->cfg,
+		&have_view_respip_cfg))
+		fatal_exit("Could not set up per-view response IP sets");
+	daemon->use_response_ip = !respip_set_is_empty(daemon->respip_set) ||
+		have_view_respip_cfg;
+
 	/* setup modules */
 	daemon_setup_modules(daemon);

+	/* response-ip-xxx options don't work as expected without the respip
+	 * module.  To avoid run-time operational surprise we reject such
+	 * configuration. */
+	if(daemon->use_response_ip &&
+		modstack_find(&daemon->mods, "respip") < 0)
+		fatal_exit("response-ip options require respip module");
+
 	/* first create all the worker structures, so we can pass
 	 * them to the newly created threads. 
 	 */
@ -645,6 +666,8 @@ daemon_cleanup(struct daemon* daemon)
 	slabhash_clear(daemon->env->msg_cache);
 	local_zones_delete(daemon->local_zones);
 	daemon->local_zones = NULL;
+	respip_set_delete(daemon->respip_set);
+	daemon->respip_set = NULL;
 	views_delete(daemon->views);
 	daemon->views = NULL;
 	/* key cache is cleared by module desetup during next daemon_fork() */
--- a/daemon/daemon.h
+++ b/daemon/daemon.h
@ -56,6 +56,7 @@ struct local_zones;
 struct views;
 struct ub_randstate;
 struct daemon_remote;
+struct respip_set;
 struct shm_main_info;

 #include "dnstap/dnstap_config.h"
@ -120,6 +121,10 @@ struct daemon {
 	struct dt_env* dtenv;
 #endif
 	struct shm_main_info* shm_info;
+	/** response-ip set with associated actions and tags. */
+	struct respip_set* respip_set;
+	/** some response-ip tags or actions are configured if true */
+	int use_response_ip;
 };

 /**
--- a/daemon/remote.c
+++ b/daemon/remote.c
@ -853,11 +853,12 @@ static int
 print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon)
 {
 	int m;
-	size_t msg, rrset, val, iter;
+	size_t msg, rrset, val, iter, respip;
 	msg = slabhash_get_mem(daemon->env->msg_cache);
 	rrset = slabhash_get_mem(&daemon->env->rrset_cache->table);
 	val=0;
 	iter=0;
+	respip=0;
 	m = modstack_find(&worker->env.mesh->mods, "validator");
 	if(m != -1) {
 		fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->
@ -872,6 +873,13 @@ print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon)
 		iter = (*worker->env.mesh->mods.mod[m]->get_mem)
 			(&worker->env, m);
 	}
+	m = modstack_find(&worker->env.mesh->mods, "respip");
+	if(m != -1) {
+		fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->
+			mods.mod[m]->get_mem));
+		respip = (*worker->env.mesh->mods.mod[m]->get_mem)
+			(&worker->env, m);
+	}

 	if(!print_longnum(ssl, "mem.cache.rrset"SQ, rrset))
 		return 0;
@ -881,6 +889,8 @@ print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon)
 		return 0;
 	if(!print_longnum(ssl, "mem.mod.validator"SQ, val))
 		return 0;
+	if(!print_longnum(ssl, "mem.mod.respip"SQ, respip))
+		return 0;
 	return 1;
 }

--- a/daemon/worker.c
+++ b/daemon/worker.c
@ -69,6 +69,7 @@
 #include "iterator/iter_hints.h"
 #include "validator/autotrust.h"
 #include "validator/val_anchor.h"
+#include "respip/respip.h"
 #include "libunbound/context.h"
 #include "libunbound/libworker.h"
 #include "sldns/sbuffer.h"
@ -511,17 +512,70 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
 	return 1;
 }

-/** answer query from the cache */
+/** Apply, if applicable, a response IP action to a cached answer.
+ * If the answer is rewritten as a result of an action, '*encode_repp' will
+ * point to the reply info containing the modified answer.  '*encode_repp' will
+ * be intact otherwise.
+ * It returns 1 on success, 0 otherwise. */
+static int
+apply_respip_action(struct worker* worker, const struct query_info* qinfo,
+	struct respip_client_info* cinfo, struct reply_info* rep,
+	struct comm_reply* repinfo, struct ub_packed_rrset_key** alias_rrset,
+	struct reply_info** encode_repp)
+{
+	struct respip_action_info actinfo = {respip_none, NULL};
+
+	if(qinfo->qtype != LDNS_RR_TYPE_A &&
+		qinfo->qtype != LDNS_RR_TYPE_AAAA &&
+		qinfo->qtype != LDNS_RR_TYPE_ANY)
+		return 1;
+
+	if(!respip_rewrite_reply(qinfo, cinfo, rep, encode_repp, &actinfo,
+		alias_rrset, 0, worker->scratchpad))
+		return 0;
+
+	/* xxx_deny actions mean dropping the reply, unless the original reply
+	 * was redirected to response-ip data. */
+	if((actinfo.action == respip_deny ||
+		actinfo.action == respip_inform_deny) &&
+		*encode_repp == rep)
+		*encode_repp = NULL;
+
+	/* If address info is returned, it means the action should be an
+	 * 'inform' variant and the information should be logged. */
+	if(actinfo.addrinfo) {
+		respip_inform_print(actinfo.addrinfo, qinfo->qname,
+			qinfo->qtype, qinfo->qclass, qinfo->local_alias,
+			repinfo);
+	}
+
+	return 1;
+}
+
+/** answer query from the cache.
+ * Normally, the answer message will be built in repinfo->c->buffer; if the
+ * answer is supposed to be suppressed or the answer is supposed to be an
+ * incomplete CNAME chain, the buffer is explicitly cleared to signal the
+ * caller as such.  In the latter case *partial_rep will point to the incomplete
+ * reply, and this function is (possibly) supposed to be called again with that
+ * *partial_rep value to complete the chain.  In addition, if the query should
+ * be completely dropped, '*need_drop' will be set to 1. */
 static int
 answer_from_cache(struct worker* worker, struct query_info* qinfo,
+	struct respip_client_info* cinfo, int* need_drop,
+	struct ub_packed_rrset_key** alias_rrset,
+	struct reply_info** partial_repp,
 	struct reply_info* rep, uint16_t id, uint16_t flags, 
 	struct comm_reply* repinfo, struct edns_data* edns)
 {
 	time_t timenow = *worker->env.now;
 	uint16_t udpsize = edns->udp_size;
+	struct reply_info* encode_rep = rep;
+	struct reply_info* partial_rep = *partial_repp;
 	int secure;
 	int must_validate = (!(flags&BIT_CD) || worker->env.cfg->ignore_cd)
 		&& worker->env.need_to_validate;
+	*partial_repp = NULL;	/* avoid accidental further pass */
 	if(worker->env.cfg->serve_expired) {
 		/* always lock rrsets, rep->ttl is ignored */
 		if(!rrset_array_lock(rep->ref, rep->rrset_count, 0))
@ -601,7 +655,33 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
 	if(!inplace_cb_reply_cache_call(&worker->env, qinfo, NULL, rep,
 		(int)(flags&LDNS_RCODE_MASK), edns, worker->scratchpad))
 		goto bail_out;
-	if(!reply_info_answer_encode(qinfo, rep, id, flags, 
+	*alias_rrset = NULL; /* avoid confusion if caller set it to non-NULL */
+	if(worker->daemon->use_response_ip && !partial_rep &&
+	   !apply_respip_action(worker, qinfo, cinfo, rep, repinfo, alias_rrset,
+			&encode_rep)) {
+		goto bail_out;
+	} else if(partial_rep &&
+		!respip_merge_cname(partial_rep, qinfo, rep, cinfo,
+		must_validate, &encode_rep, worker->scratchpad)) {
+		goto bail_out;
+	}
+	if(encode_rep != rep)
+		secure = 0; /* if rewritten, it can't be considered "secure" */
+	if(!encode_rep || *alias_rrset) {
+		sldns_buffer_clear(repinfo->c->buffer);
+		sldns_buffer_flip(repinfo->c->buffer);
+		if(!encode_rep)
+			*need_drop = 1;
+		else {
+			/* If a partial CNAME chain is found, we first need to
+			 * make a copy of the reply in the scratchpad so we
+			 * can release the locks and lookup the cache again. */
+			*partial_repp = reply_info_copy(encode_rep, NULL,
+				worker->scratchpad);
+			if(!*partial_repp)
+				goto bail_out;
+		}
+	} else if(!reply_info_answer_encode(qinfo, encode_rep, id, flags,
 		repinfo->c->buffer, timenow, 1, worker->scratchpad,
 		udpsize, edns, (int)(edns->bits & EDNS_DO), secure)) {
 		if(!inplace_cb_reply_servfail_call(&worker->env, qinfo, NULL, NULL,
@ -622,14 +702,18 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
 	return 1;
 }

-/** Reply to client and perform prefetch to keep cache up to date */
+/** Reply to client and perform prefetch to keep cache up to date.
+ * If the buffer for the reply is empty, it indicates that only prefetch is
+ * necessary and the reply should be suppressed (because it's dropped or
+ * being deferred). */
 static void
 reply_and_prefetch(struct worker* worker, struct query_info* qinfo, 
 	uint16_t flags, struct comm_reply* repinfo, time_t leeway)
 {
 	/* first send answer to client to keep its latency 
 	 * as small as a cachereply */
-	comm_point_send_reply(repinfo);
+	if(sldns_buffer_limit(repinfo->c->buffer) != 0)
+		comm_point_send_reply(repinfo);
 	server_stats_prefetch(&worker->stats, worker);
 	
 	/* create the prefetch in the mesh as a normal lookup without
@ -795,6 +879,15 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 	enum acl_access acl;
 	struct acl_addr* acladdr;
 	int rc = 0;
+	int need_drop = 0;
+	/* We might have to chase a CNAME chain internally, in which case
+	 * we'll have up to two replies and combine them to build a complete
+	 * answer.  These variables control this case. */
+	struct ub_packed_rrset_key* alias_rrset = NULL;
+	struct reply_info* partial_rep = NULL;
+	struct query_info* lookup_qinfo = &qinfo;
+	struct query_info qinfo_tmp; /* placeholdoer for lookup_qinfo */
+	struct respip_client_info* cinfo = NULL, cinfo_tmp;

 	if(error != NETEVENT_NOERROR) {
 		/* some bad tcp query DNS formats give these error calls */
@ -1037,16 +1130,43 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 		qinfo.qname_len = d->rr_len[0] - 2;
 	}

+	/* If we may apply IP-based actions to the answer, build the client
+	 * information.  As this can be expensive, skip it if there is
+	 * absolutely no possibility of it. */
+	if(worker->daemon->use_response_ip &&
+		(qinfo.qtype == LDNS_RR_TYPE_A ||
+		qinfo.qtype == LDNS_RR_TYPE_AAAA ||
+		qinfo.qtype == LDNS_RR_TYPE_ANY)) {
+		cinfo_tmp.taglist = acladdr->taglist;
+		cinfo_tmp.taglen = acladdr->taglen;
+		cinfo_tmp.tag_actions = acladdr->tag_actions;
+		cinfo_tmp.tag_actions_size = acladdr->tag_actions_size;
+		cinfo_tmp.tag_datas = acladdr->tag_datas;
+		cinfo_tmp.tag_datas_size = acladdr->tag_datas_size;
+		cinfo_tmp.view = acladdr->view;
+		cinfo_tmp.respip_set = worker->daemon->respip_set;
+		cinfo = &cinfo_tmp;
+	}
+
+lookup_cache:
+	/* Lookup the cache.  In case we chase an intermediate CNAME chain
+	 * this is a two-pass operation, and lookup_qinfo is different for
+	 * each pass.  We should still pass the original qinfo to
+	 * answer_from_cache(), however, since it's used to build the reply. */
 	if(!edns_bypass_cache_stage(edns.opt_list, &worker->env)) {
-		h = query_info_hash(&qinfo, sldns_buffer_read_u16_at(c->buffer, 2));
-		if((e=slabhash_lookup(worker->env.msg_cache, h, &qinfo, 0))) {
+		h = query_info_hash(lookup_qinfo, sldns_buffer_read_u16_at(c->buffer, 2));
+		if((e=slabhash_lookup(worker->env.msg_cache, h, lookup_qinfo, 0))) {
 			/* answer from cache - we have acquired a readlock on it */
 			if(answer_from_cache(worker, &qinfo, 
+				cinfo, &need_drop, &alias_rrset, &partial_rep,
 				(struct reply_info*)e->data, 
 				*(uint16_t*)(void *)sldns_buffer_begin(c->buffer), 
 				sldns_buffer_read_u16_at(c->buffer, 2), repinfo, 
 				&edns)) {
-				/* prefetch it if the prefetch TTL expired */
+				/* prefetch it if the prefetch TTL expired.
+				 * Note that if there is more than one pass
+				 * its qname must be that used for cache
+				 * lookup. */
 				if((worker->env.cfg->prefetch || worker->env.cfg->serve_expired)
 					&& *worker->env.now >=
 					((struct reply_info*)e->data)->prefetch_ttl) {
@ -1056,16 +1176,38 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 						< *worker->env.now)
 						leeway = 0;
 					lock_rw_unlock(&e->lock);
-					reply_and_prefetch(worker, &qinfo, 
+					reply_and_prefetch(worker, lookup_qinfo,
 						sldns_buffer_read_u16_at(c->buffer, 2),
 						repinfo, leeway);
-					rc = 0;
+					if(!partial_rep) {
+						rc = 0;
+						regional_free_all(worker->scratchpad);
+						goto send_reply_rc;
+					}
+				} else if(!partial_rep) {
+					lock_rw_unlock(&e->lock);
 					regional_free_all(worker->scratchpad);
-					goto send_reply_rc;
+					goto send_reply;
 				}
+				/* We've found a partial reply ending with an
+				 * alias.  Replace the lookup qinfo for the
+				 * alias target and lookup the cache again to
+				 * (possibly) complete the reply.  As we're
+				 * passing the "base" reply, there will be no
+				 * more alias chasing. */
 				lock_rw_unlock(&e->lock);
-				regional_free_all(worker->scratchpad);
-				goto send_reply;
+				memset(&qinfo_tmp, 0, sizeof(qinfo_tmp));
+				get_cname_target(alias_rrset, &qinfo_tmp.qname,
+					&qinfo_tmp.qname_len);
+				if(!qinfo_tmp.qname) {
+					log_err("unexpected: invalid answer alias");
+					regional_free_all(worker->scratchpad);
+					return 0; /* drop query */
+				}
+				qinfo_tmp.qtype = qinfo.qtype;
+				qinfo_tmp.qclass = qinfo.qclass;
+				lookup_qinfo = &qinfo_tmp;
+				goto lookup_cache;
 			}
 			verbose(VERB_ALGO, "answer from the cache failed");
 			lock_rw_unlock(&e->lock);
@ -1094,7 +1236,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 	}

 	/* grab a work request structure for this new request */
-	mesh_new_client(worker->env.mesh, &qinfo, 
+	mesh_new_client(worker->env.mesh, &qinfo, cinfo,
 		sldns_buffer_read_u16_at(c->buffer, 2),
 		&edns, repinfo, *(uint16_t*)(void *)sldns_buffer_begin(c->buffer));
 	regional_free_all(worker->scratchpad);
@ -1104,6 +1246,10 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 send_reply:
 	rc = 1;
 send_reply_rc:
+	if(need_drop) {
+		comm_point_drop_reply(repinfo);
+		return 0;
+	}
 #ifdef USE_DNSTAP
 	if(worker->dtenv.log_client_response_messages)
 		dt_msg_send_client_response(&worker->dtenv, &repinfo->addr,
--- a/dns64/dns64.c
+++ b/dns64/dns64.c
@ -411,31 +411,6 @@ handle_ipv6_ptr(struct module_qstate* qstate, int id)
    return module_wait_subquery;
 }

-/** allocate (special) rrset keys, return 0 on error */
-static int
-repinfo_alloc_rrset_keys(struct reply_info* rep, 
-	struct regional* region)
-{
-	size_t i;
-	for(i=0; i<rep->rrset_count; i++) {
-		if(region) {
-			rep->rrsets[i] = (struct ub_packed_rrset_key*)
-				regional_alloc(region, 
-				sizeof(struct ub_packed_rrset_key));
-			if(rep->rrsets[i]) {
-				memset(rep->rrsets[i], 0, 
-					sizeof(struct ub_packed_rrset_key));
-				rep->rrsets[i]->entry.key = rep->rrsets[i];
-			}
-		}
-		else return 0;/*	rep->rrsets[i] = alloc_special_obtain(alloc);*/
-		if(!rep->rrsets[i])
-			return 0;
-		rep->rrsets[i]->entry.data = NULL;
-	}
-	return 1;
-}
-
 static enum module_ext_state
 generate_type_A_query(struct module_qstate* qstate, int id)
 {
@ -707,7 +682,7 @@ dns64_adjust_a(int id, struct module_qstate* super, struct module_qstate* qstate
 		return;

 	/* allocate ub_key structures special or not */
-	if(!repinfo_alloc_rrset_keys(cp, super->region)) {
+	if(!reply_info_alloc_rrset_keys(cp, NULL, super->region)) {
 		return;
 	}

--- a/doc/Changelog
+++ b/doc/Changelog
@ -1,6 +1,7 @@
 7 March 2017: Wouter
 	- Fix #1230: swig version 2.0.0 is required for pythonmod, with
 	  1.3.40 it crashes when running repeatly unbound-control reload.
+	- Response actions based on IP address from Jinmei Tatuya (Infoblox).

 6 March 2017: Wouter
 	- Fix #1229: Systemd service sandboxing in contrib/unbound.service.
--- a/doc/IP-BasedActions.pdf
+++ b/doc/IP-BasedActions.pdf
--- a/respip/respip.c
+++ b/respip/respip.c
--- a/respip/respip.h
+++ b/respip/respip.h
@ -0,0 +1,230 @@
+/*
+ * respip/respip.h - IP-based response modification module
+ */
+
+/**
+ * \file
+ *
+ * This file contains a module that selectively modifies query responses
+ * based on their AAAA/A IP addresses.
+ */
+
+#ifndef RESPIP_RESPIP_H
+#define RESPIP_RESPIP_H
+
+#include "util/module.h"
+#include "services/localzone.h"
+
+/**
+ * Set of response IP addresses with associated actions and tags. 
+ * Forward declaration only here.  Actual definition is hidden within the
+ * module.
+ */
+struct respip_set;
+
+/**
+ * Forward declaration for the structure that represents a node in the
+ * respip_set address tree
+ */
+struct resp_addr;
+
+/**
+ * Forward declaration for the structure that represents a tree of view data.
+ */
+struct views;
+
+struct respip_addr_info;
+
+/**
+ * Client-specific attributes that can affect IP-based actions.
+ * This is essentially a subset of acl_addr (except for respip_set) but
+ * defined as a separate structure to avoid dependency on the daemon-specific
+ * structure.
+ * respip_set is supposed to refer to the response-ip set for the global view.
+ */
+struct respip_client_info {
+	uint8_t* taglist;
+	size_t taglen;
+	uint8_t* tag_actions;
+	size_t tag_actions_size;
+	struct config_strlist** tag_datas;
+	size_t tag_datas_size;
+	struct view* view;
+	struct respip_set* respip_set;
+};
+
+/**
+ * Data items representing the result of response-ip processing.
+ * Note: this structure currently only define a few members, but exists
+ * as a separate struct mainly for the convenience of custom extensions.
+ */
+struct respip_action_info {
+	enum respip_action action;
+	struct respip_addr_info* addrinfo; /* set only for inform variants */
+};
+
+/**
+  * Forward declaration for the structure that represents a node in the
+  * respip_set address tree
+  */
+struct resp_addr;
+
+/**
+ * Create response IP set.
+ * @return new struct or NULL on error.
+ */
+struct respip_set* respip_set_create(void);
+
+/**
+ * Delete response IP set.
+ * @param set: to delete.
+ */
+void respip_set_delete(struct respip_set* set);
+
+/**
+ * Apply response-ip config settings to the global (default) view.
+ * It assumes exclusive access to set (no internal locks).
+ * @param set: processed global respip config data
+ * @param cfg: config data.
+ * @return 1 on success, 0 on error.
+ */
+int respip_global_apply_cfg(struct respip_set* set, struct config_file* cfg);
+
+/**
+ * Apply response-ip config settings in named views.
+ * @param vs: view structures with processed config data
+ * @param cfg: config data.
+ * @param have_view_respip_cfg: set to true if any named view has respip
+ * 	configuration; otherwise set to false
+ * @return 1 on success, 0 on error.
+ */
+int respip_views_apply_cfg(struct views* vs, struct config_file* cfg,
+	int* have_view_respip_cfg);
+
+/**
+ * Merge two replies to build a complete CNAME chain.
+ * It appends the content of 'tgt_rep' to 'base_rep', assuming (but not
+ * checking) the former ends with a CNAME and the latter resolves its target.
+ * A merged new reply will be built using 'region' and *new_repp will point
+ * to the new one on success.
+ * If the target reply would also be subject to a response-ip action for
+ * 'cinfo', this function uses 'base_rep' as the merged reply, ignoring
+ * 'tgt_rep'.  This is for avoiding cases like a CNAME loop or failure of
+ * applying an action to an address.
+ * RRSIGs in 'tgt_rep' will be excluded in the merged reply, as the resulting
+ * reply is assumed to be faked due to a response-ip action and can't be
+ * considered secure in terms of DNSSEC.
+ * The caller must ensure that neither 'base_rep' nor 'tgt_rep' can be modified
+ * until this function returns. 
+ * @param base_rep: the reply info containing an incomplete CNAME.
+ * @param qinfo: query info corresponding to 'base_rep'.
+ * @param tgt_rep: the reply info that completes the CNAME chain.
+ * @param cinfo: client info corresponding to 'base_rep'.
+ * @param must_validate: whether 'tgt_rep' must be DNSSEC-validated.
+ * @param new_repp: pointer placeholder for the merged reply.  will be intact
+ *   on error.
+ * @param region: allocator to build *new_repp.
+ * @return 1 on success, 0 on error.
+ */
+int respip_merge_cname(struct reply_info* base_rep,
+	const struct query_info* qinfo, const struct reply_info* tgt_rep,
+	const struct respip_client_info* cinfo, int must_validate,
+	struct reply_info** new_repp, struct regional* region);
+
+/**
+ * See if any IP-based action should apply to any IP address of AAAA/A answer
+ * record in the reply.  If so, apply the action.  In some cases it rewrites
+ * the reply rrsets, in which case *new_repp will point to the updated reply
+ * info.  Depending on the action, some of the rrsets in 'rep' will be
+ * shallow-copied into '*new_repp'; the caller must ensure that the rrsets
+ * in 'rep' are valid throughout the lifetime of *new_repp, and it must
+ * provide appropriate mutex if the rrsets can be shared by multiple threads.
+ * @param qinfo: query info corresponding to the reply.
+ * @param cinfo: client-specific info to identify the best matching action.
+ *   can be NULL.
+ * @param rep: original reply info.  must not be NULL.
+ * @param new_repp: can be set to the rewritten reply info (intact on failure).
+ * @param actinfo: result of response-ip processing
+ * @param alias_rrset: must not be NULL.
+ * @param search_only: if true, only check if an action would apply.  actionp
+ *   will be set (or intact) accordingly but the modified reply won't be built.
+ * @param region: allocator to build *new_repp.
+ * @return 1 on success, 0 on error.
+ */
+int respip_rewrite_reply(const struct query_info* qinfo,
+	const struct respip_client_info* cinfo,
+	const struct reply_info *rep, struct reply_info** new_repp,
+	struct respip_action_info* actinfo,
+	struct ub_packed_rrset_key** alias_rrset,
+	int search_only, struct regional* region);
+
+/**
+ * Get the response-ip function block.
+ * @return: function block with function pointers to response-ip methods.
+ */
+struct module_func_block* respip_get_funcblock(void);
+
+/** response-ip init */
+int respip_init(struct module_env* env, int id);
+
+/** response-ip deinit */
+void respip_deinit(struct module_env* env, int id);
+
+/** response-ip operate on a query */
+void respip_operate(struct module_qstate* qstate, enum module_ev event, int id,
+	struct outbound_entry* outbound);
+
+/** inform response-ip super */
+void respip_inform_super(struct module_qstate* qstate, int id,
+	struct module_qstate* super);
+
+/** response-ip cleanup query state */
+void respip_clear(struct module_qstate* qstate, int id);
+
+/**
+ * returns address of the IP address tree of the specified respip set;
+ * returns NULL for NULL input; exists for test purposes only
+ */
+struct rbtree_type* respip_set_get_tree(struct respip_set* set);
+
+/**
+ * returns respip action for the specified node in the respip address
+ * returns respip_none for NULL input; exists for test purposes only
+ */
+enum respip_action resp_addr_get_action(const struct resp_addr* addr);
+
+/**
+ * returns rrset portion of the specified node in the respip address
+ * tree; returns NULL for NULL input; exists for test purposes only
+ */
+struct ub_packed_rrset_key* resp_addr_get_rrset(struct resp_addr* addr);
+
+/** response-ip alloc size routine */
+size_t respip_get_mem(struct module_env* env, int id);
+
+/**
+ * respip set emptiness test
+ * @param set respip set to test
+ * @return 0 if the specified set exists (non-NULL) and is non-empty;
+ *	otherwise returns 1
+ */
+int respip_set_is_empty(const struct respip_set* set);
+
+/**
+ * print log information for a query subject to an inform or inform-deny
+ * response-ip action.
+ * @param resp_addr response-ip information that causes the action
+ * @param qname query name in the context, will be ignored if local_alias is
+ *   non-NULL.
+ * @param qtype query type, in host byte order.
+ * @param qclass query class, in host byte order.
+ * @param local_alias set to a local alias if the query matches an alias in
+ *  a local zone.  In this case its owner name will be considered the actual
+ *  query name.
+ * @param repinfo reply info containing the client's source address and port.
+ */
+void respip_inform_print(struct respip_addr_info* respip_addr, uint8_t* qname,
+	uint16_t qtype, uint16_t qclass, struct local_rrset* local_alias,
+	struct comm_reply* repinfo);
+
+#endif	/* RESPIP_RESPIP_H */
--- a/services/localzone.c
+++ b/services/localzone.c
@ -229,9 +229,8 @@ lz_enter_zone(struct local_zones* zones, const char* name, const char* type,
 	return z;
 }

-/** return name and class and rdata of rr; parses string */
-static int
-get_rr_content(const char* str, uint8_t** nm, uint16_t* type,
+int
+rrstr_get_rr_content(const char* str, uint8_t** nm, uint16_t* type,
 	uint16_t* dclass, time_t* ttl, uint8_t* rr, size_t len,
 	uint8_t** rdata, size_t* rdata_len)
 {
@ -353,8 +352,8 @@ new_local_rrset(struct regional* region, struct local_data* node,
 }

 /** insert RR into RRset data structure; Wastes a couple of bytes */
-static int
-insert_rr(struct regional* region, struct packed_rrset_data* pd,
+int
+rrset_insert_rr(struct regional* region, struct packed_rrset_data* pd,
 	uint8_t* rdata, size_t rdata_len, time_t ttl, const char* rrstr)
 {
 	size_t* oldlen = pd->rr_len;
@ -456,8 +455,8 @@ lz_enter_rr_into_zone(struct local_zone* z, const char* rrstr)
 	uint8_t rr[LDNS_RR_BUF_SIZE];
 	uint8_t* rdata;
 	size_t rdata_len;
-	if(!get_rr_content(rrstr, &nm, &rrtype, &rrclass, &ttl, rr, sizeof(rr),
-		&rdata, &rdata_len)) {
+	if(!rrstr_get_rr_content(rrstr, &nm, &rrtype, &rrclass, &ttl, rr,
+		sizeof(rr), &rdata, &rdata_len)) {
 		log_err("bad local-data: %s", rrstr);
 		return 0;
 	}
@ -513,7 +512,7 @@ lz_enter_rr_into_zone(struct local_zone* z, const char* rrstr)
 		verbose(VERB_ALGO, "ignoring duplicate RR: %s", rrstr);
 		return 1;
 	} 
-	return insert_rr(z->region, pd, rdata, rdata_len, ttl, rrstr);
+	return rrset_insert_rr(z->region, pd, rdata, rdata_len, ttl, rrstr);
 }

 /** enter a data RR into auth data; a zone for it must exist */
@ -1233,9 +1232,10 @@ local_error_encode(struct query_info* qinfo, struct module_env* env,
 }

 /** find local data tag string match for the given type in the list */
-static int
-find_tag_datas(struct query_info* qinfo, struct config_strlist* list,
-	struct ub_packed_rrset_key* r, struct regional* temp)
+int
+local_data_find_tag_datas(const struct query_info* qinfo,
+	struct config_strlist* list, struct ub_packed_rrset_key* r,
+	struct regional* temp)
 {
 	struct config_strlist* p;
 	char buf[65536];
@ -1315,10 +1315,21 @@ find_tag_datas(struct query_info* qinfo, struct config_strlist* list,
 			if(!d) return 0; /* out of memory */
 		d->count++;
 	}
+	if(r->rk.dname)
+		return 1;
+	return 0;
+}
+
+static int
+find_tag_datas(struct query_info* qinfo, struct config_strlist* list,
+	struct ub_packed_rrset_key* r, struct regional* temp)
+{
+	int result = local_data_find_tag_datas(qinfo, list, r, temp);
+
 	/* If we've found a non-exact alias type of local data, make a shallow
 	 * copy of the RRset and remember it in qinfo to complete the alias
 	 * chain later. */
-	if(r->rk.dname && qinfo->qtype != LDNS_RR_TYPE_CNAME &&
+	if(result && qinfo->qtype != LDNS_RR_TYPE_CNAME &&
 		r->rk.type == htons(LDNS_RR_TYPE_CNAME)) {
 		qinfo->local_alias =
 			regional_alloc_zero(temp, sizeof(struct local_rrset));
@ -1329,9 +1340,7 @@ find_tag_datas(struct query_info* qinfo, struct config_strlist* list,
 		if(!qinfo->local_alias->rrset)
 			return 0; /* out of memory */
 	}
-	if(r->rk.dname)
-		return 1;
-	return 0;
+	return result;
 }

 /** answer local data match */
@ -1497,8 +1506,6 @@ lz_type(uint8_t *taglist, size_t taglen, uint8_t *taglist2, size_t taglen2,
 	struct comm_reply* repinfo, struct rbtree_type* override_tree,
 	int* tag, char** tagname, int num_tags)
 {
-	size_t i, j;
-	uint8_t tagmatch;
 	struct local_zone_override* lzo;	
 	if(repinfo && override_tree) {
 		lzo = (struct local_zone_override*)addr_tree_lookup(
@ -1511,6 +1518,19 @@ lz_type(uint8_t *taglist, size_t taglen, uint8_t *taglist2, size_t taglen2,
 	}
 	if(!taglist || !taglist2)
 		return lzt;
+	return local_data_find_tag_action(taglist, taglen, taglist2, taglen2,
+		tagactions, tagactionssize, lzt, tag, tagname, num_tags);
+}
+
+enum localzone_type
+local_data_find_tag_action(const uint8_t* taglist, size_t taglen,
+	const uint8_t* taglist2, size_t taglen2, const uint8_t* tagactions,
+	size_t tagactionssize, enum localzone_type lzt, int* tag,
+	char* const* tagname, int num_tags)
+{
+	size_t i, j;
+	uint8_t tagmatch;
+
 	for(i=0; i<taglen && i<taglen2; i++) {
 		tagmatch = (taglist[i] & taglist2[i]);
 		for(j=0; j<8 && tagmatch>0; j++) {
--- a/services/localzone.h
+++ b/services/localzone.h
@ -46,6 +46,7 @@
 #include "util/storage/dnstree.h"
 #include "util/module.h"
 #include "services/view.h"
+struct packed_rrset_data;
 struct ub_packed_rrset_key;
 struct regional;
 struct config_file;
@ -389,4 +390,111 @@ void local_zones_del_data(struct local_zones* zones,
 */
 int parse_dname(const char* str, uint8_t** res, size_t* len, int* labs);

+/**
+ * Find local data tag string match for the given type (in qinfo) in the list.
+ * If found, 'r' will be filled with corresponding rrset information.
+ * @param qinfo: contains name, type, and class for the data
+ * @param list: stores local tag data to be searched
+ * @param r: rrset key to be filled for matched data
+ * @param temp: region to allocate rrset in 'r'
+ * @return 1 if a match is found and rrset is built; otherwise 0 including
+ * errors.
+ */
+int local_data_find_tag_datas(const struct query_info* qinfo,
+	struct config_strlist* list, struct ub_packed_rrset_key* r,
+	struct regional* temp);
+
+/**
+ * See if two sets of tag lists (in the form of bitmap) have the same tag that
+ * has an action.  If so, '*tag' will be set to the found tag index, and the
+ * corresponding action will be returned in the form of local zone type.
+ * Otherwise the passed type (lzt) will be returned as the default action.
+ * Pointers except tagactions must not be NULL.
+ * @param taglist: 1st list of tags
+ * @param taglen: size of taglist in bytes
+ * @param taglist2: 2nd list of tags
+ * @param taglen2: size of taglist2 in bytes
+ * @param tagactions: local data actions for tags. May be NULL.
+ * @param tagactionssize: length of the tagactions.
+ * @param lzt: default action (local zone type) if no tag action is found.
+ * @param tag: see above.
+ * @param tagname: array of tag name strings (for debug output).
+ * @param num_tags: number of items in tagname array.
+ * @return found tag action or the default action.
+ */
+enum localzone_type local_data_find_tag_action(const uint8_t* taglist,
+	size_t taglen, const uint8_t* taglist2, size_t taglen2,
+	const uint8_t* tagactions, size_t tagactionssize,
+	enum localzone_type lzt, int* tag, char* const* tagname, int num_tags);
+
+/**
+  * Parses resource record string into wire format, also returning its field values.
+  * @param str: input resource record
+  * @param nm: domain name field
+  * @param type: record type field
+  * @param dclass: record class field
+  * @param ttl: ttl field
+  * @param rr: buffer for the parsed rr in wire format
+  * @param len: buffer length
+  * @param rdata: rdata field
+  * @param rdata_len: rdata field length
+  * @return 1 on success; 0 otherwise.
+  */
+int rrstr_get_rr_content(const char* str, uint8_t** nm, uint16_t* type,
+	uint16_t* dclass, time_t* ttl, uint8_t* rr, size_t len,
+	uint8_t** rdata, size_t* rdata_len);
+
+/**
+  * Insert specified rdata into the specified resource record.
+  * @param region: allocator
+  * @param pd: data portion of the destination resource record
+  * @param rdata: source rdata
+  * @param rdata_len: source rdata length
+  * @param ttl: time to live
+  * @param rrstr: resource record in text form (for logging)
+  * @return 1 on success; 0 otherwise.
+  */
+int rrset_insert_rr(struct regional* region, struct packed_rrset_data* pd,
+	uint8_t* rdata, size_t rdata_len, time_t ttl, const char* rrstr);
+
+/**
+  * Valid response ip actions for the IP-response-driven-action feature;
+  * defined here instead of in the respip module to enable sharing of enum
+  * values with the localzone_type enum.
+  * Note that these values except 'none' are the same as localzone types of
+  * the 'same semantics'.  It's intentional as we use these values via
+  * access-control-tags, which can be shared for both response ip actions and
+  * local zones.
+  */
+enum respip_action {
+	/** no respip action */
+	respip_none = local_zone_unset,
+	/** don't answer */
+	respip_deny = local_zone_deny,
+	/** redirect as per provided data */
+	respip_redirect = local_zone_redirect,
+        /** log query source and answer query */
+	respip_inform = local_zone_inform,
+        /** log query source and don't answer query */
+	respip_inform_deny = local_zone_inform_deny,
+        /** resolve normally, even when there is response-ip data */
+	respip_always_transparent = local_zone_always_transparent,
+        /** answer with 'refused' response */
+	respip_always_refuse = local_zone_always_refuse,
+        /** answer with 'no such domain' response */
+	respip_always_nxdomain = local_zone_always_nxdomain,
+
+	/* The rest of the values are only possible as
+	 * access-control-tag-action */
+
+	/** serves response data (if any), else, drops queries. */
+	respip_refuse = local_zone_refuse,
+	/** serves response data, else, nodata answer. */
+	respip_static = local_zone_static,
+	/** gives response data (if any), else nodata answer. */
+	respip_transparent = local_zone_transparent,
+	/** gives response data (if any), else nodata answer. */
+	respip_typetransparent = local_zone_typetransparent,
+};
+
 #endif /* SERVICES_LOCALZONE_H */
--- a/services/mesh.c
+++ b/services/mesh.c
@ -59,6 +59,7 @@
 #include "sldns/wire2str.h"
 #include "services/localzone.h"
 #include "util/data/dname.h"
+#include "respip/respip.h"

 /** subtract timers and the values do not overflow or become negative */
 static void
@ -124,11 +125,64 @@ timeval_smaller(const struct timeval* x, const struct timeval* y)
 #endif
 }

+/*
+ * Compare two response-ip client info entries for the purpose of mesh state
+ * compare.  It returns 0 if ci_a and ci_b are considered equal; otherwise
+ * 1 or -1 (they mean 'ci_a is larger/smaller than ci_b', respectively, but
+ * in practice it should be only used to mean they are different).
+ * We cannot share the mesh state for two queries if different response-ip
+ * actions can apply in the end, even if those queries are otherwise identical.
+ * For this purpose we compare tag lists and tag action lists; they should be
+ * identical to share the same state.
+ * For tag data, we don't look into the data content, as it can be
+ * expensive; unless tag data are not defined for both or they point to the
+ * exact same data in memory (i.e., they come from the same ACL entry), we
+ * consider these data different.
+ * Likewise, if the client info is associated with views, we don't look into
+ * the views.  They are considered different unless they are exactly the same
+ * even if the views only differ in the names.
+ */
+static int
+client_info_compare(const struct respip_client_info* ci_a,
+	const struct respip_client_info* ci_b)
+{
+	int cmp;
+
+	if(!ci_a && !ci_b)
+		return 0;
+	if(ci_a && !ci_b)
+		return -1;
+	if(!ci_a && ci_b)
+		return 1;
+	if(ci_a->taglen != ci_b->taglen)
+		return (ci_a->taglen < ci_b->taglen) ? -1 : 1;
+	cmp = memcmp(ci_a->taglist, ci_b->taglist, ci_a->taglen);
+	if(cmp != 0)
+		return cmp;
+	if(ci_a->tag_actions_size != ci_b->tag_actions_size)
+		return (ci_a->tag_actions_size < ci_b->tag_actions_size) ?
+			-1 : 1;
+	cmp = memcmp(ci_a->tag_actions, ci_b->tag_actions,
+		ci_a->tag_actions_size);
+	if(cmp != 0)
+		return cmp;
+	if(ci_a->tag_datas != ci_b->tag_datas)
+		return ci_a->tag_datas < ci_b->tag_datas ? -1 : 1;
+	if(ci_a->view != ci_b->view)
+		return ci_a->view < ci_b->view ? -1 : 1;
+	/* For the unbound daemon these should be non-NULL and identical,
+	 * but we check that just in case. */
+	if(ci_a->respip_set != ci_b->respip_set)
+		return ci_a->respip_set < ci_b->respip_set ? -1 : 1;
+        return 0;
+}
+
 int
 mesh_state_compare(const void* ap, const void* bp)
 {
 	struct mesh_state* a = (struct mesh_state*)ap;
 	struct mesh_state* b = (struct mesh_state*)bp;
+	int cmp;

 	if(a->unique < b->unique)
 		return -1;
@ -155,7 +209,10 @@ mesh_state_compare(const void* ap, const void* bp)
 	if(!(a->s.query_flags&BIT_CD) && (b->s.query_flags&BIT_CD))
 		return 1;

-	return query_info_compare(&a->s.qinfo, &b->s.qinfo);
+	cmp = query_info_compare(&a->s.qinfo, &b->s.qinfo);
+	if(cmp != 0)
+		return cmp;
+	return client_info_compare(a->s.client_info, b->s.client_info);
 }

 int
@ -287,8 +344,8 @@ int mesh_make_new_space(struct mesh_area* mesh, sldns_buffer* qbuf)
 }

 void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
-        uint16_t qflags, struct edns_data* edns, struct comm_reply* rep,
-        uint16_t qid)
+	struct respip_client_info* cinfo, uint16_t qflags,
+	struct edns_data* edns, struct comm_reply* rep, uint16_t qid)
 {
 	struct mesh_state* s = NULL;
 	int unique = edns_unique_mesh_state(edns->opt_list, mesh->env);
@ -296,7 +353,7 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
 	int was_noreply = 0;
 	int added = 0;
 	if(!unique)
-		s = mesh_area_find(mesh, qinfo, qflags&(BIT_RD|BIT_CD), 0, 0);
+		s = mesh_area_find(mesh, cinfo, qinfo, qflags&(BIT_RD|BIT_CD), 0, 0);
 	/* does this create a new reply state? */
 	if(!s || s->list_select == mesh_no_list) {
 		if(!mesh_make_new_space(mesh, rep->c->buffer)) {
@ -323,7 +380,8 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
 #ifdef UNBOUND_DEBUG
 		struct rbnode_type* n;
 #endif
-		s = mesh_state_create(mesh->env, qinfo, qflags&(BIT_RD|BIT_CD), 0, 0);
+		s = mesh_state_create(mesh->env, qinfo, cinfo,
+			qflags&(BIT_RD|BIT_CD), 0, 0);
 		if(!s) {
 			log_err("mesh_state_create: out of memory; SERVFAIL");
 			if(!inplace_cb_reply_servfail_call(mesh->env, qinfo, NULL, NULL,
@ -417,7 +475,8 @@ mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo,
 	int was_noreply = 0;
 	int added = 0;
 	if(!unique)
-		s = mesh_area_find(mesh, qinfo, qflags&(BIT_RD|BIT_CD), 0, 0);
+		s = mesh_area_find(mesh, NULL, qinfo, qflags&(BIT_RD|BIT_CD), 0, 0);
+
 	/* there are no limits on the number of callbacks */

 	/* see if it already exists, if not, create one */
@ -425,7 +484,8 @@ mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo,
 #ifdef UNBOUND_DEBUG
 		struct rbnode_type* n;
 #endif
-		s = mesh_state_create(mesh->env, qinfo, qflags&(BIT_RD|BIT_CD), 0, 0);
+		s = mesh_state_create(mesh->env, qinfo, NULL,
+			qflags&(BIT_RD|BIT_CD), 0, 0);
 		if(!s) {
 			return 0;
 		}
@ -476,8 +536,8 @@ mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo,
 void mesh_new_prefetch(struct mesh_area* mesh, struct query_info* qinfo,
        uint16_t qflags, time_t leeway)
 {
-	struct mesh_state* s = mesh_area_find(mesh, qinfo, qflags&(BIT_RD|BIT_CD),
-		0, 0);
+	struct mesh_state* s = mesh_area_find(mesh, NULL, qinfo,
+		qflags&(BIT_RD|BIT_CD), 0, 0);
 #ifdef UNBOUND_DEBUG
 	struct rbnode_type* n;
 #endif
@ -497,7 +557,8 @@ void mesh_new_prefetch(struct mesh_area* mesh, struct query_info* qinfo,
 		return;
 	}

-	s = mesh_state_create(mesh->env, qinfo, qflags&(BIT_RD|BIT_CD), 0, 0);
+	s = mesh_state_create(mesh->env, qinfo, NULL,
+		qflags&(BIT_RD|BIT_CD), 0, 0);
 	if(!s) {
 		log_err("prefetch mesh_state_create: out of memory");
 		return;
@ -546,7 +607,8 @@ void mesh_report_reply(struct mesh_area* mesh, struct outbound_entry* e,

 struct mesh_state* 
 mesh_state_create(struct module_env* env, struct query_info* qinfo, 
-	uint16_t qflags, int prime, int valrec)
+	struct respip_client_info* cinfo, uint16_t qflags, int prime,
+	int valrec)
 {
 	struct regional* region = alloc_reg_obtain(env->alloc);
 	struct mesh_state* mstate;
@ -582,6 +644,14 @@ mesh_state_create(struct module_env* env, struct query_info* qinfo,
 		alloc_reg_release(env->alloc, region);
 		return NULL;
 	}
+	if(cinfo) {
+		mstate->s.client_info = regional_alloc_init(region, cinfo,
+			sizeof(*cinfo));
+		if(!mstate->s.client_info) {
+			alloc_reg_release(env->alloc, region);
+			return NULL;
+		}
+	}
 	/* remove all weird bits from qflags */
 	mstate->s.query_flags = (qflags & (BIT_RD|BIT_CD));
 	mstate->s.is_priming = prime;
@ -756,7 +826,8 @@ int mesh_attach_sub(struct module_qstate* qstate, struct query_info* qinfo,
 {
 	/* find it, if not, create it */
 	struct mesh_area* mesh = qstate->env->mesh;
-	struct mesh_state* sub = mesh_area_find(mesh, qinfo, qflags, prime, valrec);
+	struct mesh_state* sub = mesh_area_find(mesh, NULL, qinfo, qflags,
+		prime, valrec);
 	int was_detached;
 	if(mesh_detect_cycle_found(qstate, sub)) {
 		verbose(VERB_ALGO, "attach failed, cycle detected");
@ -767,7 +838,8 @@ int mesh_attach_sub(struct module_qstate* qstate, struct query_info* qinfo,
 		struct rbnode_type* n;
 #endif
 		/* create a new one */
-		sub = mesh_state_create(qstate->env, qinfo, qflags, prime, valrec);
+		sub = mesh_state_create(qstate->env, qinfo, NULL, qflags, prime,
+			valrec);
 		if(!sub) {
 			log_err("mesh_attach_sub: out of memory");
 			return 0;
@ -1035,8 +1107,25 @@ void mesh_query_done(struct mesh_state* mstate)
 	struct reply_info* rep = (mstate->s.return_msg?
 		mstate->s.return_msg->rep:NULL);
 	for(r = mstate->reply_list; r; r = r->next) {
-		mesh_send_reply(mstate, mstate->s.return_rcode, rep, r, prev);
-		prev = r;
+		/* if a response-ip address block has been stored the
+		 *  information should be logged for each client. */
+		if(mstate->s.respip_action_info &&
+			mstate->s.respip_action_info->addrinfo) {
+			respip_inform_print(mstate->s.respip_action_info->addrinfo,
+				r->qname, mstate->s.qinfo.qtype,
+				mstate->s.qinfo.qclass, r->local_alias,
+				&r->query_reply);
+		}
+
+		/* if this query is determined to be dropped during the
+		 * mesh processing, this is the point to take that action. */
+		if(mstate->s.is_drop)
+			comm_point_drop_reply(&r->query_reply);
+		else {
+			mesh_send_reply(mstate, mstate->s.return_rcode, rep,
+				r, prev);
+			prev = r;
+		}
 	}
 	mstate->replies_sent = 1;
 	for(c = mstate->cb_list; c; c = c->next) {
@ -1060,7 +1149,8 @@ void mesh_walk_supers(struct mesh_area* mesh, struct mesh_state* mstate)
 }

 struct mesh_state* mesh_area_find(struct mesh_area* mesh,
-	struct query_info* qinfo, uint16_t qflags, int prime, int valrec)
+	struct respip_client_info* cinfo, struct query_info* qinfo,
+	uint16_t qflags, int prime, int valrec)
 {
 	struct mesh_state key;
 	struct mesh_state* result;
@ -1074,6 +1164,7 @@ struct mesh_state* mesh_area_find(struct mesh_area* mesh,
 	 * aggregate the state. Thus unique is set to NULL. (default when we
 	 * desire aggregation).*/
 	key.unique = NULL;
+	key.s.client_info = cinfo;
 	
 	result = (struct mesh_state*)rbtree_search(&mesh->all, &key);
 	return result;
@ -1378,7 +1469,7 @@ mesh_detect_cycle(struct module_qstate* qstate, struct query_info* qinfo,
 	struct mesh_area* mesh = qstate->env->mesh;
 	struct mesh_state* dep_m = NULL;
 	if(!mesh_state_is_unique(qstate->mesh_info))
-		dep_m = mesh_area_find(mesh, qinfo, flags, prime, valrec);
+		dep_m = mesh_area_find(mesh, NULL, qinfo, flags, prime, valrec);
 	return mesh_detect_cycle_found(qstate, dep_m);
 }

--- a/services/mesh.h
+++ b/services/mesh.h
@ -59,6 +59,7 @@ struct query_info;
 struct reply_info;
 struct outbound_entry;
 struct timehist;
+struct respip_client_info;

 /**
 * Maximum number of mesh state activations. Any more is likely an
@ -274,14 +275,18 @@ void mesh_delete(struct mesh_area* mesh);
 *
 * @param mesh: the mesh.
 * @param qinfo: query from client.
+ * @param cinfo: additional information associated with the query client.
+ * 	'cinfo' itself is ephemeral but data pointed to by its members
+ *      can be assumed to be valid and unchanged until the query processing is
+ *      completed.
 * @param qflags: flags from client query.
 * @param edns: edns data from client query.
 * @param rep: where to reply to.
 * @param qid: query id to reply with.
 */
 void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
-	uint16_t qflags, struct edns_data* edns, struct comm_reply* rep, 
-	uint16_t qid);
+	struct respip_client_info* cinfo, uint16_t qflags,
+	struct edns_data* edns, struct comm_reply* rep, uint16_t qid);

 /**
 * New query with callback. Create new query state if needed, and
@ -409,14 +414,16 @@ void mesh_state_delete(struct module_qstate* qstate);
 * Does not put the mesh state into rbtrees and so on.
 * @param env: module environment to set.
 * @param qinfo: query info that the mesh is for.
+ * @param cinfo: control info for the query client (can be NULL).
 * @param qflags: flags for query (RD / CD flag).
 * @param prime: if true, it is a priming query, set is_priming on mesh state.
 * @param valrec: if true, it is a validation recursion query, and sets
 * 	is_valrec on the mesh state.
 * @return: new mesh state or NULL on allocation error.
 */
-struct mesh_state* mesh_state_create(struct module_env* env, 
-	struct query_info* qinfo, uint16_t qflags, int prime, int valrec);
+struct mesh_state* mesh_state_create(struct module_env* env,
+	struct query_info* qinfo, struct respip_client_info* cinfo,
+	uint16_t qflags, int prime, int valrec);

 /**
 * Check if the mesh state is unique.
@ -451,14 +458,17 @@ void mesh_delete_all(struct mesh_area* mesh);
 * Find a mesh state in the mesh area. Pass relevant flags.
 *
 * @param mesh: the mesh area to look in.
+ * @param cinfo: if non-NULL client specific info that may affect IP-based
+ * 	actions that apply to the query result.
 * @param qinfo: what query
 * @param qflags: if RD / CD bit is set or not.
 * @param prime: if it is a priming query.
 * @param valrec: if it is a validation-recursion query.
 * @return: mesh state or NULL if not found.
 */
-struct mesh_state* mesh_area_find(struct mesh_area* mesh, 
-	struct query_info* qinfo, uint16_t qflags, int prime, int valrec);
+struct mesh_state* mesh_area_find(struct mesh_area* mesh,
+	struct respip_client_info* cinfo, struct query_info* qinfo,
+	uint16_t qflags, int prime, int valrec);

 /**
 * Setup attachment super/sub relation between super and sub mesh state.
--- a/services/modstack.c
+++ b/services/modstack.c
@ -46,6 +46,7 @@
 #include "dns64/dns64.h"
 #include "iterator/iterator.h"
 #include "validator/validator.h"
+#include "respip/respip.h"

 #ifdef WITH_PYTHONMODULE
 #include "pythonmod/pythonmod.h"
@ -127,6 +128,7 @@ module_list_avail(void)
 #ifdef USE_CACHEDB
 		"cachedb",
 #endif
+		"respip",
 		"validator", 
 		"iterator", 
 		NULL};
@ -148,6 +150,7 @@ module_funcs_avail(void)
 #ifdef USE_CACHEDB
 		&cachedb_get_funcblock,
 #endif
+		&respip_get_funcblock,
 		&val_get_funcblock, 
 		&iter_get_funcblock, 
 		NULL};
--- a/services/view.c
+++ b/services/view.c
@ -66,6 +66,10 @@ views_create(void)
 	return v;
 }

+/** This prototype is defined in in respip.h, but we want to avoid
+  * unnecessary dependencies */
+void respip_set_delete(struct respip_set *);
+
 void 
 view_delete(struct view* v)
 {
@ -73,6 +77,7 @@ view_delete(struct view* v)
 		return;
 	lock_rw_destroy(&v->lock);
 	local_zones_delete(v->local_zones);
+	respip_set_delete(v->respip_set);
 	free(v->name);
 	free(v);
 }
--- a/services/view.h
+++ b/services/view.h
@ -47,6 +47,7 @@
 struct regional;
 struct config_file;
 struct config_view;
+struct respip_set;


 /**
@ -71,6 +72,8 @@ struct view {
 	char* name;
 	/** view specific local authority zones */
 	struct local_zones* local_zones;
+	/** response-ip configuration data for this view */
+	struct respip_set* respip_set;
 	/** Fallback to global local_zones when there is no match in the view
 	 * specific tree. 1 for yes, 0 for no */	
 	int isfirst;
--- a/smallapp/unbound-checkconf.c
+++ b/smallapp/unbound-checkconf.c
@ -53,6 +53,8 @@
 #include "iterator/iter_hints.h"
 #include "validator/validator.h"
 #include "services/localzone.h"
+#include "services/view.h"
+#include "respip/respip.h"
 #include "sldns/sbuffer.h"
 #ifdef HAVE_GETOPT_H
 #include <getopt.h>
@ -141,6 +143,27 @@ localzonechecks(struct config_file* cfg)
 	local_zones_delete(zs);
 }

+/** check view and response-ip configuration */
+static void
+view_and_respipchecks(struct config_file* cfg)
+{
+	struct views* views = NULL;
+	struct respip_set* respip = NULL;
+	int ignored = 0;
+	if(!(views = views_create()))
+		fatal_exit("Could not create views: out of memory");
+	if(!(respip = respip_set_create()))
+		fatal_exit("Could not create respip set: out of memory");
+	if(!views_apply_cfg(views, cfg))
+		fatal_exit("Could not set up views");
+        if(!respip_global_apply_cfg(respip, cfg))
+		fatal_exit("Could not setup respip set");
+        if(!respip_views_apply_cfg(views, cfg, &ignored))
+		fatal_exit("Could not setup per-view respip sets");
+	views_delete(views);
+	respip_set_delete(respip);
+}
+
 /** emit warnings for IP in hosts */
 static void
 warn_hosts(const char* typ, struct config_stub* list)
@ -406,11 +429,17 @@ morechecks(struct config_file* cfg, const char* fname)
 	/* remove chroot setting so that modules are not stripping pathnames*/
 	free(cfg->chrootdir);
 	cfg->chrootdir = NULL;
-	
+
+	/* There should be no reason for 'respip' module not to work with
+	 * dns64, but it's not explicitly confirmed,  so the combination is
+	 * excluded below.   It's simply unknown yet for the combination of
+	 * respip and other modules. */
 	if(strcmp(cfg->module_conf, "iterator") != 0 
 		&& strcmp(cfg->module_conf, "validator iterator") != 0
 		&& strcmp(cfg->module_conf, "dns64 validator iterator") != 0
 		&& strcmp(cfg->module_conf, "dns64 iterator") != 0
+		&& strcmp(cfg->module_conf, "respip iterator") != 0
+		&& strcmp(cfg->module_conf, "respip validator iterator") != 0
 #ifdef WITH_PYTHONMODULE
 		&& strcmp(cfg->module_conf, "python iterator") != 0 
 		&& strcmp(cfg->module_conf, "python validator iterator") != 0 
@ -464,6 +493,7 @@ morechecks(struct config_file* cfg, const char* fname)
 	}

 	localzonechecks(cfg);
+	view_and_respipchecks(cfg);
 }

 /** check forwards */
--- a/testcode/unitmain.c
+++ b/testcode/unitmain.c
@ -558,6 +558,267 @@ rnd_test(void)
 	ub_randfree(r);
 }

+#include "respip/respip.h"
+#include "services/localzone.h"
+#include "util/data/packed_rrset.h"
+typedef struct addr_action {char* ip; char* sact; enum respip_action act;}
+	addr_action_t;
+
+/** Utility function that verifies that the respip set has actions as expected */
+static void
+verify_respip_set_actions(struct respip_set* set, addr_action_t actions[],
+	int actions_len)
+{
+	int i = 0;
+	struct rbtree_type* tree = respip_set_get_tree(set);
+	for (i=0; i<actions_len; i++) {
+		struct sockaddr_storage addr;
+		int net;
+		socklen_t addrlen;
+		struct resp_addr* node;
+		netblockstrtoaddr(actions[i].ip, UNBOUND_DNS_PORT, &addr,
+			&addrlen, &net);
+		node = (struct resp_addr*)addr_tree_find(tree, &addr, addrlen, net);
+
+		/** we have the node and the node has the correct action
+		  * and has no data */
+		unit_assert(node);
+		unit_assert(actions[i].act ==
+			resp_addr_get_action(node));
+		unit_assert(resp_addr_get_rrset(node) == NULL);
+	}
+	unit_assert(actions_len && i == actions_len);
+	unit_assert(actions_len == (int)tree->count);
+}
+
+/** Global respip actions test; apply raw config data and verify that
+  * all the nodes in the respip set, looked up by address, have expected
+  * actions */
+static void
+respip_conf_actions_test(void)
+{
+	addr_action_t config_response_ip[] = {
+		{"192.0.1.0/24", "deny", respip_deny},
+		{"192.0.2.0/24", "redirect", respip_redirect},
+		{"192.0.3.0/26", "inform", respip_inform},
+		{"192.0.4.0/27", "inform_deny", respip_inform_deny},
+		{"2001:db8:1::/48", "always_transparent", respip_always_transparent},
+		{"2001:db8:2::/49", "always_refuse", respip_always_refuse},
+		{"2001:db8:3::/50", "always_nxdomain", respip_always_nxdomain},
+	};
+	int i;
+	struct respip_set* set = respip_set_create();
+	struct config_file cfg;
+	int clen = sizeof(config_response_ip) / sizeof(addr_action_t);
+
+	unit_assert(set);
+	unit_show_feature("global respip config actions apply");
+	memset(&cfg, 0, sizeof(cfg));
+	for(i=0; i<clen; i++) {
+		char* ip = strdup(config_response_ip[i].ip);
+		char* sact = strdup(config_response_ip[i].sact);
+		unit_assert(ip && sact);
+		if(!cfg_str2list_insert(&cfg.respip_actions, ip, sact))
+			unit_assert(0);
+	}
+	unit_assert(respip_global_apply_cfg(set, &cfg));
+	verify_respip_set_actions(set, config_response_ip, clen);
+}
+
+/** Per-view respip actions test; apply raw configuration with two views
+  * and verify that actions are as expected in respip sets of both views */
+static void
+respip_view_conf_actions_test(void)
+{
+	addr_action_t config_response_ip_view1[] = {
+		{"192.0.1.0/24", "deny", respip_deny},
+		{"192.0.2.0/24", "redirect", respip_redirect},
+		{"192.0.3.0/26", "inform", respip_inform},
+		{"192.0.4.0/27", "inform_deny", respip_inform_deny},
+	};
+	addr_action_t config_response_ip_view2[] = {
+		{"2001:db8:1::/48", "always_transparent", respip_always_transparent},
+		{"2001:db8:2::/49", "always_refuse", respip_always_refuse},
+		{"2001:db8:3::/50", "always_nxdomain", respip_always_nxdomain},
+	};
+	int i;
+	struct config_file cfg;
+	int clen1 = sizeof(config_response_ip_view1) / sizeof(addr_action_t);
+	int clen2 = sizeof(config_response_ip_view2) / sizeof(addr_action_t);
+	struct config_view* cv1;
+	struct config_view* cv2;
+	int have_respip_cfg = 0;
+	struct views* views = NULL;
+	struct view* v = NULL;
+
+	unit_show_feature("per-view respip config actions apply");
+	memset(&cfg, 0, sizeof(cfg));
+	cv1 = (struct config_view*)calloc(1, sizeof(struct config_view));
+	cv2 = (struct config_view*)calloc(1, sizeof(struct config_view));
+	unit_assert(cv1 && cv2);
+	cv1->name = strdup("view1");
+	cv2->name = strdup("view2");
+	unit_assert(cv1->name && cv2->name);
+	cv1->next = cv2;
+	cfg.views = cv1;
+
+	for(i=0; i<clen1; i++) {
+		char* ip = strdup(config_response_ip_view1[i].ip);
+		char* sact = strdup(config_response_ip_view1[i].sact);
+		unit_assert(ip && sact);
+		if(!cfg_str2list_insert(&cv1->respip_actions, ip, sact))
+			unit_assert(0);
+	}
+	for(i=0; i<clen2; i++) {
+		char* ip = strdup(config_response_ip_view2[i].ip);
+		char* sact = strdup(config_response_ip_view2[i].sact);
+		unit_assert(ip && sact);
+		if(!cfg_str2list_insert(&cv2->respip_actions, ip, sact))
+			unit_assert(0);
+	}
+	views = views_create();
+	unit_assert(views);
+	unit_assert(views_apply_cfg(views, &cfg));
+	unit_assert(respip_views_apply_cfg(views, &cfg, &have_respip_cfg));
+
+	/* now verify the respip sets in each view */
+	v = views_find_view(views, "view1", 0);
+	unit_assert(v);
+	verify_respip_set_actions(v->respip_set, config_response_ip_view1, clen1);
+	v = views_find_view(views, "view2", 0);
+	unit_assert(v);
+	verify_respip_set_actions(v->respip_set, config_response_ip_view2, clen2);
+}
+
+typedef struct addr_data {char* ip; char* data;} addr_data_t;
+
+/** find the respip address node in the specified tree (by address lookup)
+  * and verify type and address of the specified rdata (by index) in this
+  * node's rrset */
+static void
+verify_rrset(struct respip_set* set, const char* ipstr,
+	const char* rdatastr, size_t rdi, uint16_t type)
+{
+	struct sockaddr_storage addr;
+	int net;
+	char buf[65536];
+	socklen_t addrlen;
+	struct rbtree_type* tree;
+	struct resp_addr* node;
+	const struct ub_packed_rrset_key* rrs;
+
+	netblockstrtoaddr(ipstr, UNBOUND_DNS_PORT, &addr, &addrlen, &net);
+	tree = respip_set_get_tree(set);
+	node = (struct resp_addr*)addr_tree_find(tree, &addr, addrlen, net);
+	unit_assert(node);
+	unit_assert((rrs = resp_addr_get_rrset(node)));
+	unit_assert(ntohs(rrs->rk.type) == type);
+	packed_rr_to_string((struct ub_packed_rrset_key*)rrs,
+		rdi, 0, buf, sizeof(buf));
+	unit_assert(strstr(buf, rdatastr));
+}
+
+/** Dataset used to test redirect rrset initialization for both
+  * global and per-view respip redirect configuration */
+static addr_data_t config_response_ip_data[] = {
+	{"192.0.1.0/24", "A 1.2.3.4"},
+	{"192.0.1.0/24", "A 11.12.13.14"},
+	{"192.0.2.0/24", "CNAME www.example.com."},
+	{"2001:db8:1::/48", "AAAA 2001:db8:1::2:1"},
+};
+
+/** Populate raw respip redirect config data, used for both global and
+  * view-based respip redirect test case */
+static void
+cfg_insert_respip_data(struct config_str2list** respip_actions,
+	struct config_str2list** respip_data)
+{
+	int clen = sizeof(config_response_ip_data) / sizeof(addr_data_t);
+	int i = 0;
+
+	/* insert actions (duplicate netblocks don't matter) */
+	for(i=0; i<clen; i++) {
+		char* ip = strdup(config_response_ip_data[i].ip);
+		char* sact = strdup("redirect");
+		unit_assert(ip && sact);
+		if(!cfg_str2list_insert(respip_actions, ip, sact))
+			unit_assert(0);
+	}
+	/* insert data */
+	for(i=0; i<clen; i++) {
+		char* ip = strdup(config_response_ip_data[i].ip);
+		char* data = strdup(config_response_ip_data[i].data);
+		unit_assert(ip && data);
+		if(!cfg_str2list_insert(respip_data, ip, data))
+			unit_assert(0);
+	}
+}
+
+/** Test global respip redirect w/ data directives */
+static void
+respip_conf_data_test(void)
+{
+	struct respip_set* set = respip_set_create();
+	struct config_file cfg;
+
+	unit_show_feature("global respip config data apply");
+	memset(&cfg, 0, sizeof(cfg));
+
+	cfg_insert_respip_data(&cfg.respip_actions, &cfg.respip_data);
+
+	/* apply configuration and verify rrsets */
+	unit_assert(respip_global_apply_cfg(set, &cfg));
+	verify_rrset(set, "192.0.1.0/24", "1.2.3.4", 0, LDNS_RR_TYPE_A);
+	verify_rrset(set, "192.0.1.0/24", "11.12.13.14", 1, LDNS_RR_TYPE_A);
+	verify_rrset(set, "192.0.2.0/24", "www.example.com", 0, LDNS_RR_TYPE_CNAME);
+	verify_rrset(set, "2001:db8:1::/48", "2001:db8:1::2:1", 0, LDNS_RR_TYPE_AAAA);
+}
+
+/** Test per-view respip redirect w/ data directives */
+static void
+respip_view_conf_data_test(void)
+{
+	struct config_file cfg;
+	struct config_view* cv;
+	int have_respip_cfg = 0;
+	struct views* views = NULL;
+	struct view* v = NULL;
+
+	unit_show_feature("per-view respip config data apply");
+	memset(&cfg, 0, sizeof(cfg));
+	cv = (struct config_view*)calloc(1, sizeof(struct config_view));
+	unit_assert(cv);
+	cv->name = strdup("view1");
+	unit_assert(cv->name);
+	cfg.views = cv;
+	cfg_insert_respip_data(&cv->respip_actions, &cv->respip_data);
+	views = views_create();
+	unit_assert(views);
+	unit_assert(views_apply_cfg(views, &cfg));
+
+	/* apply configuration and verify rrsets */
+	unit_assert(respip_views_apply_cfg(views, &cfg, &have_respip_cfg));
+	v = views_find_view(views, "view1", 0);
+	unit_assert(v);
+	verify_rrset(v->respip_set, "192.0.1.0/24", "1.2.3.4",
+		0, LDNS_RR_TYPE_A);
+	verify_rrset(v->respip_set, "192.0.1.0/24", "11.12.13.14",
+		1, LDNS_RR_TYPE_A);
+	verify_rrset(v->respip_set, "192.0.2.0/24", "www.example.com",
+		0, LDNS_RR_TYPE_CNAME);
+	verify_rrset(v->respip_set, "2001:db8:1::/48", "2001:db8:1::2:1",
+		0, LDNS_RR_TYPE_AAAA);
+}
+
+/** respip unit tests */
+static void respip_test(void)
+{
+	respip_view_conf_data_test();
+	respip_conf_data_test();
+	respip_view_conf_actions_test();
+	respip_conf_actions_test();
+}
+
 void unit_show_func(const char* file, const char* func)
 {
 	printf("test %s:%s\n", file, func);
@ -604,6 +865,7 @@ main(int argc, char* argv[])
 	checklock_start();
 	neg_test();
 	rnd_test();
+	respip_test();
 	verify_test();
 	net_test();
 	config_memsize_test();
--- a/util/config_file.c
+++ b/util/config_file.c
@ -832,6 +832,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_IFC(opt, "define-tag", num_tags, tagname)
 	else O_LTG(opt, "local-zone-tag", local_zone_tags)
 	else O_LTG(opt, "access-control-tag", acl_tags)
+	else O_LTG(opt, "response-ip-tag", respip_tags)
 	else O_LS3(opt, "local-zone-override", local_zone_overrides)
 	else O_LS3(opt, "access-control-tag-action", acl_tag_actions)
 	else O_LS3(opt, "access-control-tag-data", acl_tag_datas)
@ -1112,6 +1113,7 @@ config_delete(struct config_file* cfg)
 	config_del_strarray(cfg->tagname, cfg->num_tags);
 	config_del_strbytelist(cfg->local_zone_tags);
 	config_del_strbytelist(cfg->acl_tags);
+	config_del_strbytelist(cfg->respip_tags);
 	config_deltrplstrlist(cfg->acl_tag_actions);
 	config_deltrplstrlist(cfg->acl_tag_datas);
 	config_delstrlist(cfg->control_ifs);
--- a/util/config_file.h
+++ b/util/config_file.h
@ -321,6 +321,12 @@ struct config_file {
 	struct config_str3list* acl_tag_datas;
 	/** list of aclname, view*/
 	struct config_str2list* acl_view;
+	/** list of IP-netblock, tagbitlist */
+	struct config_strbytelist* respip_tags;
+	/** list of response-driven access control entries, linked list */
+	struct config_str2list* respip_actions;
+	/** RRs configured for response-driven access controls */
+	struct config_str2list* respip_data;
 	/** tag list, array with tagname[i] is malloced string */
 	char** tagname;
 	/** number of items in the taglist */
@ -472,6 +478,10 @@ struct config_view {
 	/** Fallback to global local_zones when there is no match in the view
 	 * view specific tree. 1 for yes, 0 for no */	
 	int isfirst;
+	/** predefined actions for particular IP address responses */
+	struct config_str2list* respip_actions;
+	/** data complementing the 'redirect' response IP actions */
+	struct config_str2list* respip_data;
 };

 /**
--- a/util/configlexer.c
+++ b/util/configlexer.c
--- a/util/configlexer.lex
+++ b/util/configlexer.lex
@ -399,6 +399,9 @@ ratelimit-for-domain{COLON}	{ YDVAR(2, VAR_RATELIMIT_FOR_DOMAIN) }
 ratelimit-below-domain{COLON}	{ YDVAR(2, VAR_RATELIMIT_BELOW_DOMAIN) }
 ip-ratelimit-factor{COLON}		{ YDVAR(1, VAR_IP_RATELIMIT_FACTOR) }
 ratelimit-factor{COLON}		{ YDVAR(1, VAR_RATELIMIT_FACTOR) }
+response-ip-tag{COLON}		{ YDVAR(2, VAR_RESPONSE_IP_TAG) }
+response-ip{COLON}		{ YDVAR(2, VAR_RESPONSE_IP) }
+response-ip-data{COLON}		{ YDVAR(2, VAR_RESPONSE_IP_DATA) }
 <INITIAL,val>{NEWLINE}		{ LEXOUT(("NL\n")); cfg_parser->line++; }

 	/* Quoted strings. Strip leading and ending quotes */
--- a/util/configparser.c
+++ b/util/configparser.c
--- a/util/configparser.h
+++ b/util/configparser.h
@ -200,40 +200,43 @@ extern int yydebug;
    VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 410,
    VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 411,
    VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 412,
-    VAR_HARDEN_ALGO_DOWNGRADE = 413,
-    VAR_IP_TRANSPARENT = 414,
-    VAR_DISABLE_DNSSEC_LAME_CHECK = 415,
-    VAR_IP_RATELIMIT = 416,
-    VAR_IP_RATELIMIT_SLABS = 417,
-    VAR_IP_RATELIMIT_SIZE = 418,
-    VAR_RATELIMIT = 419,
-    VAR_RATELIMIT_SLABS = 420,
-    VAR_RATELIMIT_SIZE = 421,
-    VAR_RATELIMIT_FOR_DOMAIN = 422,
-    VAR_RATELIMIT_BELOW_DOMAIN = 423,
-    VAR_IP_RATELIMIT_FACTOR = 424,
-    VAR_RATELIMIT_FACTOR = 425,
-    VAR_CAPS_WHITELIST = 426,
-    VAR_CACHE_MAX_NEGATIVE_TTL = 427,
-    VAR_PERMIT_SMALL_HOLDDOWN = 428,
-    VAR_QNAME_MINIMISATION = 429,
-    VAR_QNAME_MINIMISATION_STRICT = 430,
-    VAR_IP_FREEBIND = 431,
-    VAR_DEFINE_TAG = 432,
-    VAR_LOCAL_ZONE_TAG = 433,
-    VAR_ACCESS_CONTROL_TAG = 434,
-    VAR_LOCAL_ZONE_OVERRIDE = 435,
-    VAR_ACCESS_CONTROL_TAG_ACTION = 436,
-    VAR_ACCESS_CONTROL_TAG_DATA = 437,
-    VAR_VIEW = 438,
-    VAR_ACCESS_CONTROL_VIEW = 439,
-    VAR_VIEW_FIRST = 440,
-    VAR_SERVE_EXPIRED = 441,
-    VAR_FAKE_DSA = 442,
-    VAR_LOG_IDENTITY = 443,
-    VAR_USE_SYSTEMD = 444,
-    VAR_SHM_ENABLE = 445,
-    VAR_SHM_KEY = 446
+    VAR_RESPONSE_IP_TAG = 413,
+    VAR_RESPONSE_IP = 414,
+    VAR_RESPONSE_IP_DATA = 415,
+    VAR_HARDEN_ALGO_DOWNGRADE = 416,
+    VAR_IP_TRANSPARENT = 417,
+    VAR_DISABLE_DNSSEC_LAME_CHECK = 418,
+    VAR_IP_RATELIMIT = 419,
+    VAR_IP_RATELIMIT_SLABS = 420,
+    VAR_IP_RATELIMIT_SIZE = 421,
+    VAR_RATELIMIT = 422,
+    VAR_RATELIMIT_SLABS = 423,
+    VAR_RATELIMIT_SIZE = 424,
+    VAR_RATELIMIT_FOR_DOMAIN = 425,
+    VAR_RATELIMIT_BELOW_DOMAIN = 426,
+    VAR_IP_RATELIMIT_FACTOR = 427,
+    VAR_RATELIMIT_FACTOR = 428,
+    VAR_CAPS_WHITELIST = 429,
+    VAR_CACHE_MAX_NEGATIVE_TTL = 430,
+    VAR_PERMIT_SMALL_HOLDDOWN = 431,
+    VAR_QNAME_MINIMISATION = 432,
+    VAR_QNAME_MINIMISATION_STRICT = 433,
+    VAR_IP_FREEBIND = 434,
+    VAR_DEFINE_TAG = 435,
+    VAR_LOCAL_ZONE_TAG = 436,
+    VAR_ACCESS_CONTROL_TAG = 437,
+    VAR_LOCAL_ZONE_OVERRIDE = 438,
+    VAR_ACCESS_CONTROL_TAG_ACTION = 439,
+    VAR_ACCESS_CONTROL_TAG_DATA = 440,
+    VAR_VIEW = 441,
+    VAR_ACCESS_CONTROL_VIEW = 442,
+    VAR_VIEW_FIRST = 443,
+    VAR_SERVE_EXPIRED = 444,
+    VAR_FAKE_DSA = 445,
+    VAR_LOG_IDENTITY = 446,
+    VAR_USE_SYSTEMD = 447,
+    VAR_SHM_ENABLE = 448,
+    VAR_SHM_KEY = 449
  };
 #endif
 /* Tokens.  */
@ -392,51 +395,54 @@ extern int yydebug;
 #define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 410
 #define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 411
 #define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 412
-#define VAR_HARDEN_ALGO_DOWNGRADE 413
-#define VAR_IP_TRANSPARENT 414
-#define VAR_DISABLE_DNSSEC_LAME_CHECK 415
-#define VAR_IP_RATELIMIT 416
-#define VAR_IP_RATELIMIT_SLABS 417
-#define VAR_IP_RATELIMIT_SIZE 418
-#define VAR_RATELIMIT 419
-#define VAR_RATELIMIT_SLABS 420
-#define VAR_RATELIMIT_SIZE 421
-#define VAR_RATELIMIT_FOR_DOMAIN 422
-#define VAR_RATELIMIT_BELOW_DOMAIN 423
-#define VAR_IP_RATELIMIT_FACTOR 424
-#define VAR_RATELIMIT_FACTOR 425
-#define VAR_CAPS_WHITELIST 426
-#define VAR_CACHE_MAX_NEGATIVE_TTL 427
-#define VAR_PERMIT_SMALL_HOLDDOWN 428
-#define VAR_QNAME_MINIMISATION 429
-#define VAR_QNAME_MINIMISATION_STRICT 430
-#define VAR_IP_FREEBIND 431
-#define VAR_DEFINE_TAG 432
-#define VAR_LOCAL_ZONE_TAG 433
-#define VAR_ACCESS_CONTROL_TAG 434
-#define VAR_LOCAL_ZONE_OVERRIDE 435
-#define VAR_ACCESS_CONTROL_TAG_ACTION 436
-#define VAR_ACCESS_CONTROL_TAG_DATA 437
-#define VAR_VIEW 438
-#define VAR_ACCESS_CONTROL_VIEW 439
-#define VAR_VIEW_FIRST 440
-#define VAR_SERVE_EXPIRED 441
-#define VAR_FAKE_DSA 442
-#define VAR_LOG_IDENTITY 443
-#define VAR_USE_SYSTEMD 444
-#define VAR_SHM_ENABLE 445
-#define VAR_SHM_KEY 446
+#define VAR_RESPONSE_IP_TAG 413
+#define VAR_RESPONSE_IP 414
+#define VAR_RESPONSE_IP_DATA 415
+#define VAR_HARDEN_ALGO_DOWNGRADE 416
+#define VAR_IP_TRANSPARENT 417
+#define VAR_DISABLE_DNSSEC_LAME_CHECK 418
+#define VAR_IP_RATELIMIT 419
+#define VAR_IP_RATELIMIT_SLABS 420
+#define VAR_IP_RATELIMIT_SIZE 421
+#define VAR_RATELIMIT 422
+#define VAR_RATELIMIT_SLABS 423
+#define VAR_RATELIMIT_SIZE 424
+#define VAR_RATELIMIT_FOR_DOMAIN 425
+#define VAR_RATELIMIT_BELOW_DOMAIN 426
+#define VAR_IP_RATELIMIT_FACTOR 427
+#define VAR_RATELIMIT_FACTOR 428
+#define VAR_CAPS_WHITELIST 429
+#define VAR_CACHE_MAX_NEGATIVE_TTL 430
+#define VAR_PERMIT_SMALL_HOLDDOWN 431
+#define VAR_QNAME_MINIMISATION 432
+#define VAR_QNAME_MINIMISATION_STRICT 433
+#define VAR_IP_FREEBIND 434
+#define VAR_DEFINE_TAG 435
+#define VAR_LOCAL_ZONE_TAG 436
+#define VAR_ACCESS_CONTROL_TAG 437
+#define VAR_LOCAL_ZONE_OVERRIDE 438
+#define VAR_ACCESS_CONTROL_TAG_ACTION 439
+#define VAR_ACCESS_CONTROL_TAG_DATA 440
+#define VAR_VIEW 441
+#define VAR_ACCESS_CONTROL_VIEW 442
+#define VAR_VIEW_FIRST 443
+#define VAR_SERVE_EXPIRED 444
+#define VAR_FAKE_DSA 445
+#define VAR_LOG_IDENTITY 446
+#define VAR_USE_SYSTEMD 447
+#define VAR_SHM_ENABLE 448
+#define VAR_SHM_KEY 449

 /* Value type.  */
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED

 union YYSTYPE
 {
-#line 64 "./util/configparser.y" /* yacc.c:1909  */
+#line 66 "./util/configparser.y" /* yacc.c:1909  */

 	char*	str;

-#line 440 "util/configparser.h" /* yacc.c:1909  */
+#line 446 "util/configparser.h" /* yacc.c:1909  */
 };

 typedef union YYSTYPE YYSTYPE;
--- a/util/configparser.y
+++ b/util/configparser.y
@ -51,6 +51,8 @@
 int ub_c_lex(void);
 void ub_c_error(const char *message);

+static void validate_respip_action(const char* action);
+
 /* these need to be global, otherwise they cannot be used inside yacc */
 extern struct config_parser_state* cfg_parser;

@ -122,6 +124,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES
 %token VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES
 %token VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES
+%token VAR_RESPONSE_IP_TAG VAR_RESPONSE_IP VAR_RESPONSE_IP_DATA
 %token VAR_HARDEN_ALGO_DOWNGRADE VAR_IP_TRANSPARENT
 %token VAR_DISABLE_DNSSEC_LAME_CHECK
 %token VAR_IP_RATELIMIT VAR_IP_RATELIMIT_SLABS VAR_IP_RATELIMIT_SIZE
@ -214,6 +217,7 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_access_control_tag_data | server_access_control_view |
 	server_qname_minimisation_strict | server_serve_expired |
 	server_fake_dsa | server_log_identity | server_use_systemd |
+	server_response_ip_tag | server_response_ip | server_response_ip_data |
 	server_shm_enable | server_shm_key
 	;
 stubstart: VAR_STUB_ZONE
@ -266,7 +270,8 @@ viewstart: VAR_VIEW
 	;
 contents_view: contents_view content_view 
 	| ;
-content_view: view_name | view_local_zone | view_local_data | view_first
+content_view: view_name | view_local_zone | view_local_data | view_first |
+		view_response_ip | view_response_ip_data
 	;
 server_num_threads: VAR_NUM_THREADS STRING_ARG 
 	{ 
@ -1530,6 +1535,25 @@ server_access_control_view: VAR_ACCESS_CONTROL_VIEW STRING_ARG STRING_ARG
 		}
 	}
 	;
+server_response_ip_tag: VAR_RESPONSE_IP_TAG STRING_ARG STRING_ARG
+	{
+		size_t len = 0;
+		uint8_t* bitlist = config_parse_taglist(cfg_parser->cfg, $3,
+			&len);
+		free($3);
+		OUTYY(("P(response_ip_tag:%s)\n", $2));
+		if(!bitlist)
+			yyerror("could not parse tags, (define-tag them first)");
+		if(bitlist) {
+			if(!cfg_strbytelist_insert(
+				&cfg_parser->cfg->respip_tags,
+				$2, bitlist, len)) {
+				yyerror("out of memory");
+				free($2);
+			}
+		}
+	}
+	;
 server_ip_ratelimit: VAR_IP_RATELIMIT STRING_ARG 
 	{ 
 		OUTYY(("P(server_ip_ratelimit:%s)\n", $2)); 
@ -1790,6 +1814,24 @@ view_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG
 		}
 	}
 	;
+view_response_ip: VAR_RESPONSE_IP STRING_ARG STRING_ARG
+	{
+		OUTYY(("P(view_response_ip:%s %s)\n", $2, $3));
+		validate_respip_action($3);
+		if(!cfg_str2list_insert(
+			&cfg_parser->cfg->views->respip_actions, $2, $3))
+			fatal_exit("out of memory adding per-view "
+				"response-ip action");
+	}
+	;
+view_response_ip_data: VAR_RESPONSE_IP_DATA STRING_ARG STRING_ARG
+	{
+		OUTYY(("P(view_response_ip_data:%s)\n", $2));
+		if(!cfg_str2list_insert(
+			&cfg_parser->cfg->views->respip_data, $2, $3))
+			fatal_exit("out of memory adding response-ip-data");
+	}
+	;
 view_local_data: VAR_LOCAL_DATA STRING_ARG
 	{
 		OUTYY(("P(view_local_data:%s)\n", $2));
@ -2031,6 +2073,39 @@ server_log_identity: VAR_LOG_IDENTITY STRING_ARG
 		cfg_parser->cfg->log_identity = $2;
 	}
 	;
+server_response_ip: VAR_RESPONSE_IP STRING_ARG STRING_ARG
+	{
+		OUTYY(("P(server_response_ip:%s %s)\n", $2, $3));
+		validate_respip_action($3);
+		if(!cfg_str2list_insert(&cfg_parser->cfg->respip_actions,
+			$2, $3))
+			fatal_exit("out of memory adding response-ip");
+	}
+	;
+server_response_ip_data: VAR_RESPONSE_IP_DATA STRING_ARG STRING_ARG
+	{
+		OUTYY(("P(server_response_ip_data:%s)\n", $2));
+			if(!cfg_str2list_insert(&cfg_parser->cfg->respip_data,
+				$2, $3))
+				fatal_exit("out of memory adding response-ip-data");
+	}
+	;
 %%

 /* parse helper routines could be here */
+static void
+validate_respip_action(const char* action)
+{
+	if(strcmp(action, "deny")!=0 &&
+		strcmp(action, "redirect")!=0 &&
+		strcmp(action, "inform")!=0 &&
+		strcmp(action, "inform_deny")!=0 &&
+		strcmp(action, "always_transparent")!=0 &&
+		strcmp(action, "always_refuse")!=0 &&
+		strcmp(action, "always_nxdomain")!=0)
+	{
+		yyerror("response-ip action: expected deny, redirect, "
+			"inform, inform_deny, always_transparent, "
+			"always_refuse or always_nxdomain");
+	}
+}
--- a/util/data/msgencode.c
+++ b/util/data/msgencode.c
@ -459,6 +459,10 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
 	owner_labs = dname_count_labels(key->rk.dname);
 	owner_pos = sldns_buffer_position(pkt);

+	/* For an rrset with a fixed TTL, use the rrset's TTL as given */
+	if((key->rk.flags & PACKED_RRSET_FIXEDTTL) != 0)
+		timenow = 0;
+
 	if(do_data) {
 		const sldns_rr_descriptor* c = type_rdata_compressable(key);
 		for(i=0; i<data->count; i++) {
--- a/util/data/msgreply.c
+++ b/util/data/msgreply.c
@ -133,9 +133,8 @@ parse_create_repinfo(struct msg_parse* msg, struct reply_info** rep,
 	return 1;
 }

-/** allocate (special) rrset keys, return 0 on error */
-static int
-repinfo_alloc_rrset_keys(struct reply_info* rep, struct alloc_cache* alloc, 
+int
+reply_info_alloc_rrset_keys(struct reply_info* rep, struct alloc_cache* alloc,
 	struct regional* region)
 {
 	size_t i;
@ -438,7 +437,7 @@ parse_create_msg(sldns_buffer* pkt, struct msg_parse* msg,
 		return 0;
 	if(!parse_create_repinfo(msg, rep, region))
 		return 0;
-	if(!repinfo_alloc_rrset_keys(*rep, alloc, region))
+	if(!reply_info_alloc_rrset_keys(*rep, alloc, region))
 		return 0;
 	if(!parse_copy_decompress(pkt, msg, *rep, region))
 		return 0;
@ -688,7 +687,7 @@ reply_info_copy(struct reply_info* rep, struct alloc_cache* alloc,
 	if(!cp)
 		return NULL;
 	/* allocate ub_key structures special or not */
-	if(!repinfo_alloc_rrset_keys(cp, alloc, region)) {
+	if(!reply_info_alloc_rrset_keys(cp, alloc, region)) {
 		if(!region)
 			reply_info_parsedelete(cp, alloc);
 		return NULL;
--- a/util/data/msgreply.h
+++ b/util/data/msgreply.h
@ -356,6 +356,21 @@ struct msgreply_entry* query_info_entrysetup(struct query_info* q,
 struct reply_info* reply_info_copy(struct reply_info* rep, 
 	struct alloc_cache* alloc, struct regional* region);

+/**
+ * Allocate (special) rrset keys.
+ * @param rep: reply info in which the rrset keys to be allocated, rrset[]
+ *	array should have bee allocated with NULL pointers.
+ * @param alloc: how to allocate rrset keys.
+ *	Not used if region!=NULL, it can be NULL in that case.
+ * @region: if this parameter is NULL then the alloc is used.
+ *	otherwise, rrset keys are allocated in this region.
+ *	In a region, no special rrset key structures are needed (not shared).
+ *	and no rrset_ref array in the reply needs to be built up.
+ * @return 1 on success, 0 on error
+ */
+int reply_info_alloc_rrset_keys(struct reply_info* rep,
+	struct alloc_cache* alloc, struct regional* region);
+
 /**
 * Copy a parsed rrset into given key, decompressing and allocating rdata.
 * @param pkt: packet for decompression
--- a/util/data/packed_rrset.h
+++ b/util/data/packed_rrset.h
@ -57,6 +57,10 @@ typedef uint64_t rrset_id_type;
 * this is set on SOA rrsets in the authority section, to keep its TTL separate
 * from the SOA in the answer section from a direct SOA query or ANY query. */
 #define PACKED_RRSET_SOA_NEG 0x4
+/** This rrset is considered to have a fixed TTL; its TTL doesn't have to be
+ * updated on encoding in a reply.  This flag is not expected to be set in
+ * cached data. */
+#define PACKED_RRSET_FIXEDTTL 0x80000000

 /** number of rrs and rrsets for integer overflow protection.  More than
 * this is not really possible (64K packet has much less RRs and RRsets) in
@ -83,6 +87,7 @@ struct packed_rrset_key {
 	 * 	o PACKED_RRSET_NSEC_AT_APEX
 	 * 	o PACKED_RRSET_PARENT_SIDE
 	 * 	o PACKED_RRSET_SOA_NEG
+	 * 	o PACKED_RRSET_FIXEDTTL (not supposed to be cached)
 	 */
 	uint32_t flags;
 	/** the rrset type in network format */
--- a/util/fptr_wlist.c
+++ b/util/fptr_wlist.c
@ -75,6 +75,7 @@
 #ifdef UB_ON_WINDOWS
 #include "winrc/win_svc.h"
 #endif
+#include "respip/respip.h"

 #ifdef WITH_PYTHONMODULE
 #include "pythonmod/pythonmod.h"
@ -318,6 +319,7 @@ fptr_whitelist_mod_init(int (*fptr)(struct module_env* env, int id))
 	if(fptr == &iter_init) return 1;
 	else if(fptr == &val_init) return 1;
 	else if(fptr == &dns64_init) return 1;
+	else if(fptr == &respip_init) return 1;
 #ifdef WITH_PYTHONMODULE
 	else if(fptr == &pythonmod_init) return 1;
 #endif
@ -333,6 +335,7 @@ fptr_whitelist_mod_deinit(void (*fptr)(struct module_env* env, int id))
 	if(fptr == &iter_deinit) return 1;
 	else if(fptr == &val_deinit) return 1;
 	else if(fptr == &dns64_deinit) return 1;
+	else if(fptr == &respip_deinit) return 1;
 #ifdef WITH_PYTHONMODULE
 	else if(fptr == &pythonmod_deinit) return 1;
 #endif
@ -349,6 +352,7 @@ fptr_whitelist_mod_operate(void (*fptr)(struct module_qstate* qstate,
 	if(fptr == &iter_operate) return 1;
 	else if(fptr == &val_operate) return 1;
 	else if(fptr == &dns64_operate) return 1;
+	else if(fptr == &respip_operate) return 1;
 #ifdef WITH_PYTHONMODULE
 	else if(fptr == &pythonmod_operate) return 1;
 #endif
@ -365,6 +369,7 @@ fptr_whitelist_mod_inform_super(void (*fptr)(
 	if(fptr == &iter_inform_super) return 1;
 	else if(fptr == &val_inform_super) return 1;
 	else if(fptr == &dns64_inform_super) return 1;
+	else if(fptr == &respip_inform_super) return 1;
 #ifdef WITH_PYTHONMODULE
 	else if(fptr == &pythonmod_inform_super) return 1;
 #endif
@ -381,6 +386,7 @@ fptr_whitelist_mod_clear(void (*fptr)(struct module_qstate* qstate,
 	if(fptr == &iter_clear) return 1;
 	else if(fptr == &val_clear) return 1;
 	else if(fptr == &dns64_clear) return 1;
+	else if(fptr == &respip_clear) return 1;
 #ifdef WITH_PYTHONMODULE
 	else if(fptr == &pythonmod_clear) return 1;
 #endif
@ -396,6 +402,7 @@ fptr_whitelist_mod_get_mem(size_t (*fptr)(struct module_env* env, int id))
 	if(fptr == &iter_get_mem) return 1;
 	else if(fptr == &val_get_mem) return 1;
 	else if(fptr == &dns64_get_mem) return 1;
+	else if(fptr == &respip_get_mem) return 1;
 #ifdef WITH_PYTHONMODULE
 	else if(fptr == &pythonmod_get_mem) return 1;
 #endif
--- a/util/module.h
+++ b/util/module.h
@ -174,6 +174,9 @@ struct val_anchors;
 struct val_neg_cache;
 struct iter_forwards;
 struct iter_hints;
+struct respip_set;
+struct respip_client_info;
+struct respip_addr_info;

 /** Maximum number of modules in operation */
 #define MAX_MODULE 16
@ -508,6 +511,8 @@ struct sock_list {
 	struct sockaddr_storage addr;
 };

+struct respip_action_info;
+
 /**
 * Module state, per query.
 */
@ -562,6 +567,19 @@ struct module_qstate {
 	int no_cache_lookup;
 	/** whether modules should store answer in the cache */
 	int no_cache_store;
+
+	/**
+	 * Attributes of clients that share the qstate that may affect IP-based
+	 * actions.
+	 */
+	struct respip_client_info* client_info;
+
+	/** Extended result of response-ip action processing, mainly
+	 *  for logging purposes. */
+	struct respip_action_info* respip_action_info;
+
+	/** whether the reply should be dropped */
+	int is_drop;
 };

 /**