[packages/bind.git] / bind-edns-client-subnet.patch

These patches add the ability to send and receive DNS messages with
edns-client-subnet options to BIND's dig utility.

Example:

wilmer@fiona:~/src/bind-ecs$ bin/dig/dig @ns1.google.com www.google.com +client=130.89.89.130

; <<>> DiG 9.7.1-P2 <<>> @ns1.google.com www.google.com +client=130.89.89.130
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; CLIENT-SUBNET: 130.89.89.130/32/21
;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         604800  IN      CNAME   www.l.google.com.
www.l.google.com.       300     IN      A       74.125.79.104
www.l.google.com.       300     IN      A       74.125.79.99
www.l.google.com.       300     IN      A       74.125.79.147

Copyright 2010 Google Inc.
Author: Wilmer van der Gaast <wilmer@google.com>


diff -uNr bin/dig/dig.c bin/dig/dig.c
--- bin/dig/dig.c	2010-05-13 01:42:26.000000000 +0100
+++ bin/dig/dig.c	2011-02-16 15:58:31.000000000 +0000
@@ -188,6 +188,7 @@
 "                 +bufsize=###        (Set EDNS0 Max UDP packet size)\n"
 "                 +ndots=###          (Set NDOTS value)\n"
 "                 +edns=###           (Set EDNS version)\n"
+"                 +client=addr        (Set edns-client-subnet option)\n"
 "                 +[no]search         (Set whether to use searchlist)\n"
 "                 +[no]showsearch     (Search with intermediate results)\n"
 "                 +[no]defname        (Ditto)\n"
@@ -804,8 +805,25 @@
 			}
 			break;
 		case 'l': /* cl */
-			FULLCHECK("cl");
-			noclass = ISC_TF(!state);
+			switch (cmd[2]) {
+			case 'i':/* client */
+				FULLCHECK("client");
+				if (value == NULL)
+					goto need_value;
+				if (state && lookup->edns == -1)
+					lookup->edns = 0;
+				if (parse_netprefix(&lookup->ecs_addr,
+				                    &lookup->ecs_len,
+				                    value) != ISC_R_SUCCESS)
+					fatal("Couldn't parse client");
+				break;
+			case '\0':
+				FULLCHECK("cl");
+				noclass = ISC_TF(!state);
+				break;
+			default:
+				goto invalid_option;
+			}
 			break;
 		case 'm': /* cmd */
 			FULLCHECK("cmd");
diff -uNr bin/dig/dighost.c bin/dig/dighost.c
--- bin/dig/dighost.c	2010-12-09 01:05:27.000000000 +0000
+++ bin/dig/dighost.c	2011-02-16 15:58:31.000000000 +0000
@@ -96,6 +96,9 @@
 
 #include <dig/dig.h>
 
+/* parse_netprefix */
+#include <netdb.h>
+
 #if ! defined(NS_INADDRSZ)
 #define NS_INADDRSZ	 4
 #endif
@@ -789,6 +792,8 @@
 	looknew->new_search = ISC_FALSE;
 	looknew->done_as_is = ISC_FALSE;
 	looknew->need_search = ISC_FALSE;
+	looknew->ecs_addr = NULL;
+	looknew->ecs_len = 0;
 	ISC_LINK_INIT(looknew, link);
 	ISC_LIST_INIT(looknew->q);
 	ISC_LIST_INIT(looknew->my_server_list);
@@ -805,6 +810,7 @@
 dig_lookup_t *
 clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
 	dig_lookup_t *looknew;
+	size_t len;
 
 	debug("clone_lookup()");
 
@@ -865,6 +871,19 @@
 	looknew->need_search = lookold->need_search;
 	looknew->done_as_is = lookold->done_as_is;
 
+	if (lookold->ecs_addr) {
+		if (lookold->ecs_addr->sa_family == AF_INET)
+			len = sizeof(struct sockaddr_in);
+		else if (lookold->ecs_addr->sa_family == AF_INET6)
+			len = sizeof(struct sockaddr_in6);
+		else
+			INSIST(0);
+
+		looknew->ecs_addr = isc_mem_allocate(mctx, len);
+		memcpy(looknew->ecs_addr, lookold->ecs_addr, len);
+		looknew->ecs_len = lookold->ecs_len;
+	}
+
 	if (servers)
 		clone_server_list(lookold->my_server_list,
 				  &looknew->my_server_list);
@@ -974,6 +993,48 @@
 	return (tmp);
 }
 
+isc_result_t
+parse_netprefix(struct sockaddr **sa, isc_uint32_t *netmask,
+                const char *value) {
+	struct addrinfo *res, hints;
+	char *addr, *slash;
+	isc_uint32_t result;
+	
+	addr = isc_mem_strdup(mctx, value);
+	if ((slash = strchr(addr, '/'))) {
+		*slash = '\0';
+		result = isc_parse_uint32(netmask, slash + 1, 10);
+		if (result != ISC_R_SUCCESS) {
+			isc_mem_free(mctx, addr);
+			printf("invalid %s '%s': %s\n", "prefix length",
+			       value, isc_result_totext(result));
+			return (result);
+		}
+	} else {
+		*netmask = 128;
+	}
+	
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_flags = AI_NUMERICHOST;
+	if ((result = getaddrinfo(addr, NULL, &hints, &res)) != 0) {
+		isc_mem_free(mctx, addr);
+		printf("getaddrinfo() error: %s\n", gai_strerror(result));
+		return ISC_R_FAILURE;
+	}
+	isc_mem_free(mctx, addr);
+	
+	*sa = isc_mem_allocate(mctx, res->ai_addrlen);
+	memcpy(*sa, res->ai_addr, res->ai_addrlen);
+	
+	if (res->ai_family == AF_INET && *netmask > 32)
+		*netmask = 32;
+	else if (res->ai_family == AF_INET6 && *netmask > 128)
+		*netmask = 128;
+
+	freeaddrinfo(res);
+	return (ISC_R_SUCCESS);
+}
+
 
 /*
  * Parse HMAC algorithm specification
@@ -1361,12 +1422,15 @@
  */
 static void
 add_opt(dns_message_t *msg, isc_uint16_t udpsize, isc_uint16_t edns,
-	isc_boolean_t dnssec, isc_boolean_t nsid)
+	isc_boolean_t dnssec, isc_boolean_t nsid,
+	struct sockaddr *ecs_addr, isc_uint32_t ecs_len)
 {
 	dns_rdataset_t *rdataset = NULL;
 	dns_rdatalist_t *rdatalist = NULL;
 	dns_rdata_t *rdata = NULL;
 	isc_result_t result;
+	unsigned char data[64];
+	isc_buffer_t buf;
 
 	debug("add_opt()");
 	result = dns_message_gettemprdataset(msg, &rdataset);
@@ -1384,20 +1448,37 @@
 	rdatalist->ttl = edns << 16;
 	if (dnssec)
 		rdatalist->ttl |= DNS_MESSAGEEXTFLAG_DO;
-	if (nsid) {
-		isc_buffer_t *b = NULL;
 
-		result = isc_buffer_allocate(mctx, &b, 4);
-		check_result(result, "isc_buffer_allocate");
-		isc_buffer_putuint16(b, DNS_OPT_NSID);
-		isc_buffer_putuint16(b, 0);
-		rdata->data = isc_buffer_base(b);
-		rdata->length = isc_buffer_usedlength(b);
-		dns_message_takebuffer(msg, &b);
-	} else {
-		rdata->data = NULL;
-		rdata->length = 0;
+	isc_buffer_init(&buf, data, sizeof(data));
+	if (nsid) {
+		isc_buffer_putuint16(&buf, DNS_OPT_NSID);
+		isc_buffer_putuint16(&buf, 0);
 	}
+	if (ecs_addr) {
+		size_t addrl = (ecs_len + 7) / 8;
+		
+		isc_buffer_putuint16(&buf, DNS_OPT_CLIENT_SUBNET);
+		isc_buffer_putuint16(&buf, 4 + addrl);
+		if (ecs_addr->sa_family == AF_INET) {
+			struct sockaddr_in *ad = (struct sockaddr_in *) ecs_addr;
+			isc_buffer_putuint16(&buf, 1);
+			isc_buffer_putuint8(&buf, ecs_len);
+			isc_buffer_putuint8(&buf, 0);
+			isc_buffer_putmem(&buf, (isc_uint8_t*) &ad->sin_addr, addrl);
+		}
+		else /* if (ecs_addr->sa_family == AF_INET6) */ {
+			struct sockaddr_in6 *ad = (struct sockaddr_in6 *) ecs_addr;
+			isc_buffer_putuint16(&buf, 2);
+			isc_buffer_putuint8(&buf, ecs_len);
+			isc_buffer_putuint8(&buf, 0);
+			isc_buffer_putmem(&buf, (isc_uint8_t*) &ad->sin6_addr, addrl);
+		}
+	}
+	if ((rdata->length = isc_buffer_usedlength(&buf)) > 0)
+		rdata->data = data;
+	else
+		rdata->data = NULL;
+
 	ISC_LIST_INIT(rdatalist->rdata);
 	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
 	dns_rdatalist_tordataset(rdatalist, rdataset);
@@ -1546,6 +1627,9 @@
 	if (lookup->tsigctx != NULL)
 		dst_context_destroy(&lookup->tsigctx);
 
+	if (lookup->ecs_addr != NULL)
+		isc_mem_free(mctx, lookup->ecs_addr);
+
 	isc_mem_free(mctx, lookup);
 }
 
@@ -2210,7 +2294,8 @@
 		if (lookup->edns < 0)
 			lookup->edns = 0;
 		add_opt(lookup->sendmsg, lookup->udpsize,
-			lookup->edns, lookup->dnssec, lookup->nsid);
+			lookup->edns, lookup->dnssec, lookup->nsid,
+			lookup->ecs_addr, lookup->ecs_len);
 	}
 
 	result = dns_message_rendersection(lookup->sendmsg,
diff -uNr bin/dig/include/dig/dig.h bin/dig/include/dig/dig.h
--- bin/dig/include/dig/dig.h	2009-09-29 16:06:06.000000000 +0100
+++ bin/dig/include/dig/dig.h	2011-02-16 15:58:31.000000000 +0000
@@ -183,6 +183,8 @@
 	isc_buffer_t *querysig;
 	isc_uint32_t msgcounter;
 	dns_fixedname_t fdomain;
+	struct sockaddr *ecs_addr; /*% edns-client-subnet */
+	isc_uint32_t ecs_len;
 };
 
 /*% The dig_query structure */
@@ -330,6 +332,10 @@
 parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
 	   const char *desc);
 
+isc_result_t
+parse_netprefix(struct sockaddr **sa, isc_uint32_t *netmask,
+                const char *value);
+
 void
 parse_hmac(const char *hmacstr);
 
diff -uNr lib/dns/include/dns/message.h lib/dns/include/dns/message.h
--- lib/dns/include/dns/message.h	2009-10-26 23:47:35.000000000 +0000
+++ lib/dns/include/dns/message.h	2011-02-16 15:58:31.000000000 +0000
@@ -105,6 +105,7 @@
 
 /*%< EDNS0 extended OPT codes */
 #define DNS_OPT_NSID		0x0003		/*%< NSID opt code */
+#define DNS_OPT_CLIENT_SUBNET	0x50fa		/*%< client subnet opt code */
 
 #define DNS_MESSAGE_REPLYPRESERVE	(DNS_MESSAGEFLAG_RD|DNS_MESSAGEFLAG_CD)
 #define DNS_MESSAGEEXTFLAG_REPLYPRESERVE (DNS_MESSAGEEXTFLAG_DO)
diff -uNr lib/dns/message.c lib/dns/message.c
--- lib/dns/message.c	2010-06-03 06:27:59.000000000 +0100
+++ lib/dns/message.c	2011-02-16 15:58:31.000000000 +0000
@@ -3236,6 +3236,35 @@
 
 			if (optcode == DNS_OPT_NSID) {
 				ADD_STRING(target, "; NSID");
+			} else if (optcode == DNS_OPT_CLIENT_SUBNET) {
+				int i;
+				char addr[16], addr_text[64];
+				isc_uint16_t family;
+				isc_uint8_t addrlen, addrbytes, scopelen;
+				
+				family = isc_buffer_getuint16(&optbuf);
+				addrlen = isc_buffer_getuint8(&optbuf);
+				scopelen = isc_buffer_getuint8(&optbuf);
+				addrbytes = (addrlen + 7) / 8;
+				memset(addr, 0, sizeof(addr));
+				for (i = 0; i < addrbytes; i ++)
+					addr[i] = isc_buffer_getuint8(&optbuf);
+				
+				ADD_STRING(target, "; CLIENT-SUBNET: ");
+				if (family == 1)
+					inet_ntop(AF_INET, addr, addr_text, sizeof(addr_text));
+				else if (family == 2)
+					inet_ntop(AF_INET6, addr, addr_text, sizeof(addr_text));
+				else
+					snprintf(addr_text, sizeof(addr_text),
+					         "Unsupported(family=%d)", family);
+
+				ADD_STRING(target, addr_text);
+				sprintf(addr_text, "/%d/%d", addrlen, scopelen);
+				ADD_STRING(target, addr_text);
+
+				/* Disable the dumb byte representation below. */
+				optlen = 0;
 			} else {
 				ADD_STRING(target, "; OPT=");
 				sprintf(buf, "%u", optcode);
Commit	Line	Data
d085b054	1	These patches add the ability to send and receive DNS messages with
	2	edns-client-subnet options to BIND's dig utility.
	3
	4	Example:
	5
	6	wilmer@fiona:~/src/bind-ecs$ bin/dig/dig @ns1.google.com www.google.com +client=130.89.89.130
	7
	8	; <<>> DiG 9.7.1-P2 <<>> @ns1.google.com www.google.com +client=130.89.89.130
	9	;; OPT PSEUDOSECTION:
	10	; EDNS: version: 0, flags:; udp: 512
	11	; CLIENT-SUBNET: 130.89.89.130/32/21
	12	;; QUESTION SECTION:
	13	;www.google.com. IN A
	14
	15	;; ANSWER SECTION:
	16	www.google.com. 604800 IN CNAME www.l.google.com.
	17	www.l.google.com. 300 IN A 74.125.79.104
	18	www.l.google.com. 300 IN A 74.125.79.99
	19	www.l.google.com. 300 IN A 74.125.79.147
	20
	21	Copyright 2010 Google Inc.
	22	Author: Wilmer van der Gaast <wilmer@google.com>
	23
	24
	25	diff -uNr bin/dig/dig.c bin/dig/dig.c
	26	--- bin/dig/dig.c 2010-05-13 01:42:26.000000000 +0100
	27	+++ bin/dig/dig.c 2011-02-16 15:58:31.000000000 +0000
	28	@@ -188,6 +188,7 @@
	29	" +bufsize=### (Set EDNS0 Max UDP packet size)\n"
	30	" +ndots=### (Set NDOTS value)\n"
	31	" +edns=### (Set EDNS version)\n"
	32	+" +client=addr (Set edns-client-subnet option)\n"
	33	" +[no]search (Set whether to use searchlist)\n"
	34	" +[no]showsearch (Search with intermediate results)\n"
	35	" +[no]defname (Ditto)\n"
	36	@@ -804,8 +805,25 @@
	37	}
	38	break;
	39	case 'l': /* cl */
	40	- FULLCHECK("cl");
	41	- noclass = ISC_TF(!state);
	42	+ switch (cmd[2]) {
	43	+ case 'i':/* client */
	44	+ FULLCHECK("client");
	45	+ if (value == NULL)
	46	+ goto need_value;
	47	+ if (state && lookup->edns == -1)
	48	+ lookup->edns = 0;
	49	+ if (parse_netprefix(&lookup->ecs_addr,
	50	+ &lookup->ecs_len,
	51	+ value) != ISC_R_SUCCESS)
	52	+ fatal("Couldn't parse client");
	53	+ break;
	54	+ case '\0':
	55	+ FULLCHECK("cl");
	56	+ noclass = ISC_TF(!state);
	57	+ break;
	58	+ default:
	59	+ goto invalid_option;
	60	+ }
	61	break;
	62	case 'm': /* cmd */
	63	FULLCHECK("cmd");
	64	diff -uNr bin/dig/dighost.c bin/dig/dighost.c
65	--- bin/dig/dighost.c 2010-12-09 01:05:27.000000000 +0000
66	+++ bin/dig/dighost.c 2011-02-16 15:58:31.000000000 +0000
67	@@ -96,6 +96,9 @@
68
69	#include <dig/dig.h>
70
71	+/* parse_netprefix */
72	+#include <netdb.h>
73	+
74	#if ! defined(NS_INADDRSZ)
75	#define NS_INADDRSZ 4
76	#endif
77	@@ -789,6 +792,8 @@
78	looknew->new_search = ISC_FALSE;
79	looknew->done_as_is = ISC_FALSE;
80	looknew->need_search = ISC_FALSE;
81	+ looknew->ecs_addr = NULL;
82	+ looknew->ecs_len = 0;
83	ISC_LINK_INIT(looknew, link);
84	ISC_LIST_INIT(looknew->q);
85	ISC_LIST_INIT(looknew->my_server_list);
86	@@ -805,6 +810,7 @@
87	dig_lookup_t *
88	clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
89	dig_lookup_t *looknew;
90	+ size_t len;
91
92	debug("clone_lookup()");
93
94	@@ -865,6 +871,19 @@
95	looknew->need_search = lookold->need_search;
96	looknew->done_as_is = lookold->done_as_is;
97
98	+ if (lookold->ecs_addr) {
99	+ if (lookold->ecs_addr->sa_family == AF_INET)
100	+ len = sizeof(struct sockaddr_in);
101	+ else if (lookold->ecs_addr->sa_family == AF_INET6)
102	+ len = sizeof(struct sockaddr_in6);
103	+ else
104	+ INSIST(0);
105	+
106	+ looknew->ecs_addr = isc_mem_allocate(mctx, len);
107	+ memcpy(looknew->ecs_addr, lookold->ecs_addr, len);
108	+ looknew->ecs_len = lookold->ecs_len;
109	+ }
110	+
111	if (servers)
112	clone_server_list(lookold->my_server_list,
113	&looknew->my_server_list);
114	@@ -974,6 +993,48 @@
115	return (tmp);
116	}
117
118	+isc_result_t
119	+parse_netprefix(struct sockaddr *sa, isc_uint32_t netmask,
120	+ const char *value) {
121	+ struct addrinfo *res, hints;
122	+ char addr, slash;
123	+ isc_uint32_t result;
124	+
125	+ addr = isc_mem_strdup(mctx, value);
126	+ if ((slash = strchr(addr, '/'))) {
127	+ *slash = '\0';
128	+ result = isc_parse_uint32(netmask, slash + 1, 10);
129	+ if (result != ISC_R_SUCCESS) {
130	+ isc_mem_free(mctx, addr);
131	+ printf("invalid %s '%s': %s\n", "prefix length",
132	+ value, isc_result_totext(result));
133	+ return (result);
134	+ }
135	+ } else {
136	+ *netmask = 128;
137	+ }
138	+
139	+ memset(&hints, 0, sizeof(hints));
140	+ hints.ai_flags = AI_NUMERICHOST;
141	+ if ((result = getaddrinfo(addr, NULL, &hints, &res)) != 0) {
142	+ isc_mem_free(mctx, addr);
143	+ printf("getaddrinfo() error: %s\n", gai_strerror(result));
144	+ return ISC_R_FAILURE;
145	+ }
146	+ isc_mem_free(mctx, addr);
147	+
148	+ *sa = isc_mem_allocate(mctx, res->ai_addrlen);
149	+ memcpy(*sa, res->ai_addr, res->ai_addrlen);
150	+
151	+ if (res->ai_family == AF_INET && *netmask > 32)
152	+ *netmask = 32;
153	+ else if (res->ai_family == AF_INET6 && *netmask > 128)
154	+ *netmask = 128;
155	+
156	+ freeaddrinfo(res);
157	+ return (ISC_R_SUCCESS);
158	+}
159	+
160
161	/*
162	* Parse HMAC algorithm specification
163	@@ -1361,12 +1422,15 @@
164	*/
165	static void
166	add_opt(dns_message_t *msg, isc_uint16_t udpsize, isc_uint16_t edns,
167	- isc_boolean_t dnssec, isc_boolean_t nsid)
168	+ isc_boolean_t dnssec, isc_boolean_t nsid,
169	+ struct sockaddr *ecs_addr, isc_uint32_t ecs_len)
170	{
171	dns_rdataset_t *rdataset = NULL;
172	dns_rdatalist_t *rdatalist = NULL;
173	dns_rdata_t *rdata = NULL;
174	isc_result_t result;
175	+ unsigned char data[64];
176	+ isc_buffer_t buf;
177
178	debug("add_opt()");
179	result = dns_message_gettemprdataset(msg, &rdataset);
180	@@ -1384,20 +1448,37 @@
181	rdatalist->ttl = edns << 16;
182	if (dnssec)
183	rdatalist->ttl \|= DNS_MESSAGEEXTFLAG_DO;
184	- if (nsid) {
185	- isc_buffer_t *b = NULL;
186
187	- result = isc_buffer_allocate(mctx, &b, 4);
188	- check_result(result, "isc_buffer_allocate");
189	- isc_buffer_putuint16(b, DNS_OPT_NSID);
190	- isc_buffer_putuint16(b, 0);
191	- rdata->data = isc_buffer_base(b);
192	- rdata->length = isc_buffer_usedlength(b);
193	- dns_message_takebuffer(msg, &b);
194	- } else {
195	- rdata->data = NULL;
196	- rdata->length = 0;
197	+ isc_buffer_init(&buf, data, sizeof(data));
198	+ if (nsid) {
199	+ isc_buffer_putuint16(&buf, DNS_OPT_NSID);
200	+ isc_buffer_putuint16(&buf, 0);
201	}
202	+ if (ecs_addr) {
203	+ size_t addrl = (ecs_len + 7) / 8;
204	+
205	+ isc_buffer_putuint16(&buf, DNS_OPT_CLIENT_SUBNET);
206	+ isc_buffer_putuint16(&buf, 4 + addrl);
207	+ if (ecs_addr->sa_family == AF_INET) {
208	+ struct sockaddr_in ad = (struct sockaddr_in ) ecs_addr;
209	+ isc_buffer_putuint16(&buf, 1);
210	+ isc_buffer_putuint8(&buf, ecs_len);
211	+ isc_buffer_putuint8(&buf, 0);
212	+ isc_buffer_putmem(&buf, (isc_uint8_t*) &ad->sin_addr, addrl);
213	+ }
214	+ else /* if (ecs_addr->sa_family == AF_INET6) */ {
215	+ struct sockaddr_in6 ad = (struct sockaddr_in6 ) ecs_addr;
216	+ isc_buffer_putuint16(&buf, 2);
217	+ isc_buffer_putuint8(&buf, ecs_len);
218	+ isc_buffer_putuint8(&buf, 0);
219	+ isc_buffer_putmem(&buf, (isc_uint8_t*) &ad->sin6_addr, addrl);
220	+ }
221	+ }
222	+ if ((rdata->length = isc_buffer_usedlength(&buf)) > 0)
223	+ rdata->data = data;
224	+ else
225	+ rdata->data = NULL;
226	+
227	ISC_LIST_INIT(rdatalist->rdata);
228	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
229	dns_rdatalist_tordataset(rdatalist, rdataset);
230	@@ -1546,6 +1627,9 @@
231	if (lookup->tsigctx != NULL)
232	dst_context_destroy(&lookup->tsigctx);
233
234	+ if (lookup->ecs_addr != NULL)
235	+ isc_mem_free(mctx, lookup->ecs_addr);
236	+
237	isc_mem_free(mctx, lookup);
238	}
239
240	@@ -2210,7 +2294,8 @@
241	if (lookup->edns < 0)
242	lookup->edns = 0;
243	add_opt(lookup->sendmsg, lookup->udpsize,
244	- lookup->edns, lookup->dnssec, lookup->nsid);
245	+ lookup->edns, lookup->dnssec, lookup->nsid,
246	+ lookup->ecs_addr, lookup->ecs_len);
247	}
248
249	result = dns_message_rendersection(lookup->sendmsg,
250	diff -uNr bin/dig/include/dig/dig.h bin/dig/include/dig/dig.h
251	--- bin/dig/include/dig/dig.h 2009-09-29 16:06:06.000000000 +0100
252	+++ bin/dig/include/dig/dig.h 2011-02-16 15:58:31.000000000 +0000
253	@@ -183,6 +183,8 @@
254	isc_buffer_t *querysig;
255	isc_uint32_t msgcounter;
256	dns_fixedname_t fdomain;
257	+ struct sockaddr ecs_addr; /% edns-client-subnet */
258	+ isc_uint32_t ecs_len;
259	};
260
261	/% The dig_query structure /
262	@@ -330,6 +332,10 @@
263	parse_uint(isc_uint32_t uip, const char value, isc_uint32_t max,
264	const char *desc);
265
266	+isc_result_t
267	+parse_netprefix(struct sockaddr *sa, isc_uint32_t netmask,
268	+ const char *value);
269	+
270	void
271	parse_hmac(const char *hmacstr);
272
273	diff -uNr lib/dns/include/dns/message.h lib/dns/include/dns/message.h
274	--- lib/dns/include/dns/message.h 2009-10-26 23:47:35.000000000 +0000
275	+++ lib/dns/include/dns/message.h 2011-02-16 15:58:31.000000000 +0000
276	@@ -105,6 +105,7 @@
277
278	/%< EDNS0 extended OPT codes /
279	#define DNS_OPT_NSID 0x0003 /%< NSID opt code /
280	+#define DNS_OPT_CLIENT_SUBNET 0x50fa /%< client subnet opt code /
281
282	#define DNS_MESSAGE_REPLYPRESERVE (DNS_MESSAGEFLAG_RD\|DNS_MESSAGEFLAG_CD)
283	#define DNS_MESSAGEEXTFLAG_REPLYPRESERVE (DNS_MESSAGEEXTFLAG_DO)
284	diff -uNr lib/dns/message.c lib/dns/message.c
285	--- lib/dns/message.c 2010-06-03 06:27:59.000000000 +0100
286	+++ lib/dns/message.c 2011-02-16 15:58:31.000000000 +0000
287	@@ -3236,6 +3236,35 @@
288
289	if (optcode == DNS_OPT_NSID) {
290	ADD_STRING(target, "; NSID");
291	+ } else if (optcode == DNS_OPT_CLIENT_SUBNET) {
292	+ int i;
293	+ char addr[16], addr_text[64];
294	+ isc_uint16_t family;
295	+ isc_uint8_t addrlen, addrbytes, scopelen;
296	+
297	+ family = isc_buffer_getuint16(&optbuf);
298	+ addrlen = isc_buffer_getuint8(&optbuf);
299	+ scopelen = isc_buffer_getuint8(&optbuf);
300	+ addrbytes = (addrlen + 7) / 8;
301	+ memset(addr, 0, sizeof(addr));
302	+ for (i = 0; i < addrbytes; i ++)
303	+ addr[i] = isc_buffer_getuint8(&optbuf);
304	+
305	+ ADD_STRING(target, "; CLIENT-SUBNET: ");
306	+ if (family == 1)
307	+ inet_ntop(AF_INET, addr, addr_text, sizeof(addr_text));
308	+ else if (family == 2)
309	+ inet_ntop(AF_INET6, addr, addr_text, sizeof(addr_text));
310	+ else
311	+ snprintf(addr_text, sizeof(addr_text),
312	+ "Unsupported(family=%d)", family);
313	+
314	+ ADD_STRING(target, addr_text);
315	+ sprintf(addr_text, "/%d/%d", addrlen, scopelen);
316	+ ADD_STRING(target, addr_text);
317	+
318	+ /* Disable the dumb byte representation below. */
319	+ optlen = 0;
320	} else {
321	ADD_STRING(target, "; OPT=");
322	sprintf(buf, "%u", optcode);