[ipfire-2.x.git] / src / patches / dnsmasq / 0070-Return-INSECURE-rather-than-BOGUS-when-DS-proved-not.patch

From fe3992f9fa69fa975ea31919c53933b5f6a63527 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 3 Apr 2015 21:25:05 +0100
Subject: [PATCH 70/78] Return INSECURE, rather than BOGUS when DS proved not
 to exist.

Return INSECURE when validating DNS replies which have RRSIGs, but
when a needed DS record in the trust chain is proved not to exist.
It's allowed for a zone to set up DNSKEY and RRSIG records first, then
add a DS later, completing the chain of trust.

Also, since we don't have the infrastructure to track that these
non-validated replies have RRSIGS, don't cache them, so we don't
provide answers with missing RRSIGS from the cache.
---
 src/dnsmasq.h |  1 +
 src/dnssec.c  |  2 +-
 src/forward.c | 87 +++++++++++++++++++++++++++++++++++++++++++++--------------
 3 files changed, 69 insertions(+), 21 deletions(-)

diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 42952fc76c7a..6fe4a4189188 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -583,6 +583,7 @@ struct hostsfile {
 #define STAT_NO_NS             10
 #define STAT_NEED_DS_NEG       11
 #define STAT_CHASE_CNAME       12
+#define STAT_INSECURE_DS       13
 
 #define FREC_NOREBIND           1
 #define FREC_CHECKING_DISABLED  2
diff --git a/src/dnssec.c b/src/dnssec.c
index 14bae7e9bf75..05e0983cb251 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -981,7 +981,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
   
   /* If we've cached that DS provably doesn't exist, result must be INSECURE */
   if (crecp->flags & F_NEG)
-    return STAT_INSECURE;
+    return STAT_INSECURE_DS;
   
   /* NOTE, we need to find ONE DNSKEY which matches the DS */
   for (valid = 0, j = ntohs(header->ancount); j != 0 && !valid; j--) 
diff --git a/src/forward.c b/src/forward.c
index 985814c3aec5..e8cf615aa939 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -521,7 +521,8 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
 }
 
 static size_t process_reply(struct dns_header *header, time_t now, struct server *server, size_t n, int check_rebind, 
-			    int no_cache, int cache_secure, int ad_reqd, int do_bit, int added_pheader, int check_subnet, union mysockaddr *query_source)
+			    int no_cache, int cache_secure, int bogusanswer, int ad_reqd, int do_bit, int added_pheader, 
+			    int check_subnet, union mysockaddr *query_source)
 {
   unsigned char *pheader, *sizep;
   char **sets = 0;
@@ -634,7 +635,7 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
     }
   
 #ifdef HAVE_DNSSEC
-  if (no_cache && !(header->hb4 & HB4_CD)) 
+  if (bogusanswer && !(header->hb4 & HB4_CD)) 
     {
       if (!option_bool(OPT_DNSSEC_DEBUG))
 	{
@@ -786,7 +787,7 @@ void reply_query(int fd, int family, time_t now)
      everything is broken */
   if (forward->forwardall == 0 || --forward->forwardall == 1 || RCODE(header) != SERVFAIL)
     {
-      int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0;
+      int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0;
 
       if (option_bool(OPT_NO_REBIND))
 	check_rebind = !(forward->flags & FREC_NOREBIND);
@@ -819,7 +820,13 @@ void reply_query(int fd, int family, time_t now)
 	  else if (forward->flags & FREC_DS_QUERY)
 	    {
 	      status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
-	      if (status == STAT_NO_DS || status == STAT_NO_NS)
+	      /* Provably no DS, everything below is insecure, even if signatures are offered */
+	      if (status == STAT_NO_DS)
+		/* We only cache sigs when we've validated a reply.
+		   Avoid caching a reply with sigs if there's a vaildated break in the 
+		   DS chain, so we don't return replies from cache missing sigs. */
+		status = STAT_INSECURE_DS;
+	      else if (status == STAT_NO_NS)
 		status = STAT_BOGUS;
 	    }
 	  else if (forward->flags & FREC_CHECK_NOSIGN)
@@ -959,8 +966,14 @@ void reply_query(int fd, int family, time_t now)
 		  else if (forward->flags & FREC_DS_QUERY)
 		    {
 		      status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
-		      if (status == STAT_NO_DS || status == STAT_NO_NS)
-			status = STAT_BOGUS;
+		       /* Provably no DS, everything below is insecure, even if signatures are offered */
+		      if (status == STAT_NO_DS)
+			/* We only cache sigs when we've validated a reply.
+			   Avoid caching a reply with sigs if there's a vaildated break in the 
+			   DS chain, so we don't return replies from cache missing sigs. */
+			status = STAT_INSECURE_DS;
+		      else if (status == STAT_NO_NS)
+			status = STAT_BOGUS; 
 		    }
 		  else if (forward->flags & FREC_CHECK_NOSIGN)
 		    {
@@ -985,6 +998,17 @@ void reply_query(int fd, int family, time_t now)
 		}
 	    }
 	  
+	  no_cache_dnssec = 0;
+
+	  if (status == STAT_INSECURE_DS)
+	    {
+	      /* We only cache sigs when we've validated a reply.
+		 Avoid caching a reply with sigs if there's a vaildated break in the 
+		 DS chain, so we don't return replies from cache missing sigs. */
+	      status = STAT_INSECURE;
+	      no_cache_dnssec = 1;
+	    }
+	  
 	  if (status == STAT_TRUNCATED)
 	    header->hb3 |= HB3_TC;
 	  else
@@ -1002,12 +1026,13 @@ void reply_query(int fd, int family, time_t now)
 	      log_query(F_KEYTAG | F_SECSTAT, "result", NULL, result);
 	    }
 	  
-	  no_cache_dnssec = 0;
-	  
 	  if (status == STAT_SECURE)
 	    cache_secure = 1;
 	  else if (status == STAT_BOGUS)
-	    no_cache_dnssec = 1;
+	    {
+	      no_cache_dnssec = 1;
+	      bogusanswer = 1;
+	    }
 	}
 #endif     
       
@@ -1017,7 +1042,7 @@ void reply_query(int fd, int family, time_t now)
       else
 	header->hb4 &= ~HB4_CD;
       
-      if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure,
+      if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure, bogusanswer, 
 			      forward->flags & FREC_AD_QUESTION, forward->flags & FREC_DO_QUESTION, 
 			      forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->source)))
 	{
@@ -1420,7 +1445,7 @@ static int do_check_sign(struct frec *forward, int status, time_t now, char *nam
     }
 }
 
-/* Move toward the root, until we find a signed non-existance of a DS, in which case
+/* Move down from the root, until we find a signed non-existance of a DS, in which case
    an unsigned answer is OK, or we find a signed DS, in which case there should be 
    a signature, and the answer is BOGUS */
 static int  tcp_check_for_unsigned_zone(time_t now, struct dns_header *header, size_t plen, int class, char *name, 
@@ -1570,8 +1595,13 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
   else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG)
     {
       new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
-      if (status == STAT_NEED_DS && (new_status == STAT_NO_DS || new_status == STAT_NO_NS))
-	new_status = STAT_BOGUS;
+      if (status == STAT_NEED_DS)
+	{
+	  if (new_status == STAT_NO_DS)
+	    new_status = STAT_INSECURE_DS;
+	  else if (new_status == STAT_NO_NS)
+	    new_status = STAT_BOGUS;
+	}
     }
   else if (status == STAT_CHASE_CNAME)
     new_status = dnssec_chase_cname(now, header, n, name, keyname);
@@ -1630,8 +1660,13 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
 	      else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG)
 		{
 		  new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
-		  if (status == STAT_NEED_DS  && (new_status == STAT_NO_DS || new_status == STAT_NO_NS))
-		    new_status = STAT_BOGUS; /* Validated no DS */
+		  if (status == STAT_NEED_DS)
+		    {
+		      if (new_status == STAT_NO_DS)
+			new_status = STAT_INSECURE_DS;
+		      else if (new_status == STAT_NO_NS)
+			new_status = STAT_BOGUS; /* Validated no DS */
+		    }
 		}
 	      else if (status == STAT_CHASE_CNAME)
 		new_status = dnssec_chase_cname(now, header, n, name, keyname);
@@ -1652,7 +1687,7 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
 		goto another_tcp_key;
 	    }
 	}
-
+      
       free(packet);
     }
   return new_status;
@@ -1673,7 +1708,7 @@ unsigned char *tcp_request(int confd, time_t now,
   int local_auth = 0;
 #endif
   int checking_disabled, ad_question, do_bit, added_pheader = 0;
-  int check_subnet, no_cache_dnssec = 0, cache_secure = 0;
+  int check_subnet, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0;
   size_t m;
   unsigned short qtype;
   unsigned int gotname;
@@ -1941,6 +1976,15 @@ unsigned char *tcp_request(int confd, time_t now,
 			  int status = tcp_key_recurse(now, STAT_TRUNCATED, header, m, 0, daemon->namebuff, daemon->keyname, last_server, &keycount);
 			  char *result;
 
+			  if (status == STAT_INSECURE_DS)
+			    {
+			      /* We only cache sigs when we've validated a reply.
+				 Avoid caching a reply with sigs if there's a vaildated break in the 
+				 DS chain, so we don't return replies from cache missing sigs. */
+			      status = STAT_INSECURE;
+			      no_cache_dnssec = 1;
+			    }
+			  
 			  if (keycount == 0)
 			    {
 			      result = "ABANDONED";
@@ -1952,8 +1996,11 @@ unsigned char *tcp_request(int confd, time_t now,
 			  log_query(F_KEYTAG | F_SECSTAT, "result", NULL, result);
 			  
 			  if (status == STAT_BOGUS)
-			    no_cache_dnssec = 1;
-			  
+			    {
+			      no_cache_dnssec = 1;
+			      bogusanswer = 1;
+			    }
+
 			  if (status == STAT_SECURE)
 			    cache_secure = 1;
 			}
@@ -1987,7 +2034,7 @@ unsigned char *tcp_request(int confd, time_t now,
 #endif
 
 		      m = process_reply(header, now, last_server, (unsigned int)m, 
-					option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec,
+					option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec, bogusanswer,
 					cache_secure, ad_question, do_bit, added_pheader, check_subnet, &peer_addr); 
 		      
 		      break;
-- 
2.1.0
Commit	Line	Data
c6ce1e7e MT	1	From fe3992f9fa69fa975ea31919c53933b5f6a63527 Mon Sep 17 00:00:00 2001
	2	From: Simon Kelley <simon@thekelleys.org.uk>
	3	Date: Fri, 3 Apr 2015 21:25:05 +0100
d54a2ce4	4	Subject: [PATCH 70/78] Return INSECURE, rather than BOGUS when DS proved not
c6ce1e7e MT	5	to exist.
	6
	7	Return INSECURE when validating DNS replies which have RRSIGs, but
	8	when a needed DS record in the trust chain is proved not to exist.
	9	It's allowed for a zone to set up DNSKEY and RRSIG records first, then
	10	add a DS later, completing the chain of trust.
	11
	12	Also, since we don't have the infrastructure to track that these
	13	non-validated replies have RRSIGS, don't cache them, so we don't
	14	provide answers with missing RRSIGS from the cache.
	15	---
	16	src/dnsmasq.h \| 1 +
	17	src/dnssec.c \| 2 +-
	18	src/forward.c \| 87 +++++++++++++++++++++++++++++++++++++++++++++--------------
	19	3 files changed, 69 insertions(+), 21 deletions(-)
	20
	21	diff --git a/src/dnsmasq.h b/src/dnsmasq.h
	22	index 42952fc76c7a..6fe4a4189188 100644
	23	--- a/src/dnsmasq.h
	24	+++ b/src/dnsmasq.h
	25	@@ -583,6 +583,7 @@ struct hostsfile {
	26	#define STAT_NO_NS 10
	27	#define STAT_NEED_DS_NEG 11
	28	#define STAT_CHASE_CNAME 12
	29	+#define STAT_INSECURE_DS 13
	30
	31	#define FREC_NOREBIND 1
	32	#define FREC_CHECKING_DISABLED 2
	33	diff --git a/src/dnssec.c b/src/dnssec.c
	34	index 14bae7e9bf75..05e0983cb251 100644
	35	--- a/src/dnssec.c
	36	+++ b/src/dnssec.c
	37	@@ -981,7 +981,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
	38
	39	/* If we've cached that DS provably doesn't exist, result must be INSECURE */
	40	if (crecp->flags & F_NEG)
	41	- return STAT_INSECURE;
	42	+ return STAT_INSECURE_DS;
	43
	44	/* NOTE, we need to find ONE DNSKEY which matches the DS */
	45	for (valid = 0, j = ntohs(header->ancount); j != 0 && !valid; j--)
	46	diff --git a/src/forward.c b/src/forward.c
	47	index 985814c3aec5..e8cf615aa939 100644
	48	--- a/src/forward.c
	49	+++ b/src/forward.c
	50	@@ -521,7 +521,8 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
	51	}
	52
	53	static size_t process_reply(struct dns_header header, time_t now, struct server server, size_t n, int check_rebind,
	54	- int no_cache, int cache_secure, int ad_reqd, int do_bit, int added_pheader, int check_subnet, union mysockaddr *query_source)
	55	+ int no_cache, int cache_secure, int bogusanswer, int ad_reqd, int do_bit, int added_pheader,
	56	+ int check_subnet, union mysockaddr *query_source)
	57	{
	58	unsigned char pheader, sizep;
	59	char **sets = 0;
	60	@@ -634,7 +635,7 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
	61	}
	62
	63	#ifdef HAVE_DNSSEC
	64	- if (no_cache && !(header->hb4 & HB4_CD))
	65	+ if (bogusanswer && !(header->hb4 & HB4_CD))
	66	{
	67	if (!option_bool(OPT_DNSSEC_DEBUG))
	68	{
69	@@ -786,7 +787,7 @@ void reply_query(int fd, int family, time_t now)
70	everything is broken */
71	if (forward->forwardall == 0 \|\| --forward->forwardall == 1 \|\| RCODE(header) != SERVFAIL)
72	{
73	- int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0;
74	+ int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0;
75
76	if (option_bool(OPT_NO_REBIND))
77	check_rebind = !(forward->flags & FREC_NOREBIND);
78	@@ -819,7 +820,13 @@ void reply_query(int fd, int family, time_t now)
79	else if (forward->flags & FREC_DS_QUERY)
80	{
81	status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
82	- if (status == STAT_NO_DS \|\| status == STAT_NO_NS)
83	+ /* Provably no DS, everything below is insecure, even if signatures are offered */
84	+ if (status == STAT_NO_DS)
85	+ /* We only cache sigs when we've validated a reply.
86	+ Avoid caching a reply with sigs if there's a vaildated break in the
87	+ DS chain, so we don't return replies from cache missing sigs. */
88	+ status = STAT_INSECURE_DS;
89	+ else if (status == STAT_NO_NS)
90	status = STAT_BOGUS;
91	}
92	else if (forward->flags & FREC_CHECK_NOSIGN)
93	@@ -959,8 +966,14 @@ void reply_query(int fd, int family, time_t now)
94	else if (forward->flags & FREC_DS_QUERY)
95	{
96	status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
97	- if (status == STAT_NO_DS \|\| status == STAT_NO_NS)
98	- status = STAT_BOGUS;
99	+ /* Provably no DS, everything below is insecure, even if signatures are offered */
100	+ if (status == STAT_NO_DS)
101	+ /* We only cache sigs when we've validated a reply.
102	+ Avoid caching a reply with sigs if there's a vaildated break in the
103	+ DS chain, so we don't return replies from cache missing sigs. */
104	+ status = STAT_INSECURE_DS;
105	+ else if (status == STAT_NO_NS)
106	+ status = STAT_BOGUS;
107	}
108	else if (forward->flags & FREC_CHECK_NOSIGN)
109	{
110	@@ -985,6 +998,17 @@ void reply_query(int fd, int family, time_t now)
111	}
112	}
113
114	+ no_cache_dnssec = 0;
115	+
116	+ if (status == STAT_INSECURE_DS)
117	+ {
118	+ /* We only cache sigs when we've validated a reply.
119	+ Avoid caching a reply with sigs if there's a vaildated break in the
120	+ DS chain, so we don't return replies from cache missing sigs. */
121	+ status = STAT_INSECURE;
122	+ no_cache_dnssec = 1;
123	+ }
124	+
125	if (status == STAT_TRUNCATED)
126	header->hb3 \|= HB3_TC;
127	else
128	@@ -1002,12 +1026,13 @@ void reply_query(int fd, int family, time_t now)
129	log_query(F_KEYTAG \| F_SECSTAT, "result", NULL, result);
130	}
131
132	- no_cache_dnssec = 0;
133	-
134	if (status == STAT_SECURE)
135	cache_secure = 1;
136	else if (status == STAT_BOGUS)
137	- no_cache_dnssec = 1;
138	+ {
139	+ no_cache_dnssec = 1;
140	+ bogusanswer = 1;
141	+ }
142	}
143	#endif
144
145	@@ -1017,7 +1042,7 @@ void reply_query(int fd, int family, time_t now)
146	else
147	header->hb4 &= ~HB4_CD;
148
149	- if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure,
150	+ if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure, bogusanswer,
151	forward->flags & FREC_AD_QUESTION, forward->flags & FREC_DO_QUESTION,
152	forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->source)))
153	{
154	@@ -1420,7 +1445,7 @@ static int do_check_sign(struct frec forward, int status, time_t now, char nam
155	}
156	}
157
158	-/* Move toward the root, until we find a signed non-existance of a DS, in which case
159	+/* Move down from the root, until we find a signed non-existance of a DS, in which case
160	an unsigned answer is OK, or we find a signed DS, in which case there should be
161	a signature, and the answer is BOGUS */
162	static int tcp_check_for_unsigned_zone(time_t now, struct dns_header header, size_t plen, int class, char name,
163	@@ -1570,8 +1595,13 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
164	else if (status == STAT_NEED_DS \|\| status == STAT_NEED_DS_NEG)
165	{
166	new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
167	- if (status == STAT_NEED_DS && (new_status == STAT_NO_DS \|\| new_status == STAT_NO_NS))
168	- new_status = STAT_BOGUS;
169	+ if (status == STAT_NEED_DS)
170	+ {
171	+ if (new_status == STAT_NO_DS)
172	+ new_status = STAT_INSECURE_DS;
173	+ else if (new_status == STAT_NO_NS)
174	+ new_status = STAT_BOGUS;
175	+ }
176	}
177	else if (status == STAT_CHASE_CNAME)
178	new_status = dnssec_chase_cname(now, header, n, name, keyname);
179	@@ -1630,8 +1660,13 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
180	else if (status == STAT_NEED_DS \|\| status == STAT_NEED_DS_NEG)
181	{
182	new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
183	- if (status == STAT_NEED_DS && (new_status == STAT_NO_DS \|\| new_status == STAT_NO_NS))
184	- new_status = STAT_BOGUS; /* Validated no DS */
185	+ if (status == STAT_NEED_DS)
186	+ {
187	+ if (new_status == STAT_NO_DS)
188	+ new_status = STAT_INSECURE_DS;
189	+ else if (new_status == STAT_NO_NS)
190	+ new_status = STAT_BOGUS; /* Validated no DS */
191	+ }
192	}
193	else if (status == STAT_CHASE_CNAME)
194	new_status = dnssec_chase_cname(now, header, n, name, keyname);
195	@@ -1652,7 +1687,7 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
196	goto another_tcp_key;
197	}
198	}
199	-
200	+
201	free(packet);
202	}
203	return new_status;
204	@@ -1673,7 +1708,7 @@ unsigned char *tcp_request(int confd, time_t now,
205	int local_auth = 0;
206	#endif
207	int checking_disabled, ad_question, do_bit, added_pheader = 0;
208	- int check_subnet, no_cache_dnssec = 0, cache_secure = 0;
209	+ int check_subnet, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0;
210	size_t m;
211	unsigned short qtype;
212	unsigned int gotname;
213	@@ -1941,6 +1976,15 @@ unsigned char *tcp_request(int confd, time_t now,
214	int status = tcp_key_recurse(now, STAT_TRUNCATED, header, m, 0, daemon->namebuff, daemon->keyname, last_server, &keycount);
215	char *result;
216
217	+ if (status == STAT_INSECURE_DS)
218	+ {
219	+ /* We only cache sigs when we've validated a reply.
220	+ Avoid caching a reply with sigs if there's a vaildated break in the
221	+ DS chain, so we don't return replies from cache missing sigs. */
222	+ status = STAT_INSECURE;
223	+ no_cache_dnssec = 1;
224	+ }
225	+
226	if (keycount == 0)
227	{
228	result = "ABANDONED";
229	@@ -1952,8 +1996,11 @@ unsigned char *tcp_request(int confd, time_t now,
230	log_query(F_KEYTAG \| F_SECSTAT, "result", NULL, result);
231
232	if (status == STAT_BOGUS)
233	- no_cache_dnssec = 1;
234	-
235	+ {
236	+ no_cache_dnssec = 1;
237	+ bogusanswer = 1;
238	+ }
239	+
240	if (status == STAT_SECURE)
241	cache_secure = 1;
242	}
243	@@ -1987,7 +2034,7 @@ unsigned char *tcp_request(int confd, time_t now,
244	#endif
245
246	m = process_reply(header, now, last_server, (unsigned int)m,
247	- option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec,
248	+ option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec, bogusanswer,
249	cache_secure, ad_question, do_bit, added_pheader, check_subnet, &peer_addr);
250
251	break;
252	--
253	2.1.0
254