dirmngr: Add basic libdns support
authorJustus Winter <justus@g10code.com>
Mon, 5 Dec 2016 16:31:37 +0000 (17:31 +0100)
committerWerner Koch <wk@gnupg.org>
Wed, 14 Dec 2016 14:56:31 +0000 (15:56 +0100)
* dirmngr/dns.c: New file.
* dirmngr/dns.h: New file.
* dirmngr/Makefile.am (dirmngr_SOURCES): Add new files.
* dirmngr/dns-stuff.c: Include dns.h.xxx use libdns
(libdns): New global var for the libdns state.
(libdns_error_to_gpg_error): New.
(libdns_init): New.
(resolve_name_libdns): New.
(get_dns_cert_libdns): New stub.
(getsrv_libdns): New stub.
(get_dns_cname_libdns): New stub.

Signed-off-by: Justus Winter <justus@g10code.com>
dirmngr/Makefile.am
dirmngr/dns-stuff.c
dirmngr/dns.c [new file with mode: 0644]
dirmngr/dns.h [new file with mode: 0644]

index 2a18a50..5c29468 100644 (file)
@@ -59,6 +59,7 @@ dirmngr_SOURCES = dirmngr.c dirmngr.h server.c crlcache.c crlfetch.c  \
        loadswdb.c \
        cdb.h cdblib.c misc.c dirmngr-err.h  \
        ocsp.c ocsp.h validate.c validate.h  \
+       dns.c dns.h \
        dns-stuff.c dns-stuff.h \
        http.c http.h \
        ks-action.c ks-action.h ks-engine.h \
@@ -102,7 +103,7 @@ dirmngr_client_LDADD = $(libcommon) \
 dirmngr_client_LDFLAGS = $(extra_bin_ldflags)
 
 
-t_common_src = t-support.h
+t_common_src = t-support.h dns.c dns.h
 t_common_ldadd = $(libcommon) $(LIBASSUAN_LIBS) $(LIBGCRYPT_LIBS) \
                  $(GPG_ERROR_LIBS) $(NETLIBS) \
                  $(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) \
@@ -130,7 +131,7 @@ endif
 
 
 # http tests
-t_http_SOURCES = t-http.c http.c dns-stuff.c
+t_http_SOURCES = $(t_common_src) t-http.c http.c dns-stuff.c
 t_http_CFLAGS  = -DWITHOUT_NPTH=1 \
                 $(LIBGCRYPT_CFLAGS) $(NTBTLS_CFLAGS) $(LIBGNUTLS_CFLAGS) \
                  $(GPG_ERROR_CFLAGS)
@@ -147,7 +148,7 @@ t_ldap_parse_uri_LDADD = $(ldaplibs) $(t_common_ldadd) $(DNSLIBS)
 
 t_dns_stuff_CFLAGS = -DWITHOUT_NPTH=1 \
                     $(LIBGCRYPT_CFLAGS) $(GPG_ERROR_CFLAGS)
-t_dns_stuff_SOURCES = t-dns-stuff.c dns-stuff.c
+t_dns_stuff_SOURCES = $(t_common_src) t-dns-stuff.c dns-stuff.c
 t_dns_stuff_LDADD   = $(t_common_ldadd) $(DNSLIBS)
 
 $(PROGRAMS) : $(libcommon) $(libcommonpth)
index 6ec440d..a795363 100644 (file)
@@ -46,6 +46,9 @@
 #include <string.h>
 #include <unistd.h>
 
+/* William Ahern's DNS library, included as a source copy.  */
+#include "dns.h"
+
 #ifdef WITHOUT_NPTH /* Give the Makefile a chance to build without Pth.  */
 # undef USE_NPTH
 #endif
@@ -125,6 +128,8 @@ standard_resolver_p (void)
 gpg_error_t
 enable_dns_tormode (int new_circuit)
 {
+  /* XXX: dns.c doesn't support SOCKS credentials.  */
+
   if (!*tor_credentials || new_circuit)
     {
       static unsigned int counter;
@@ -193,6 +198,191 @@ map_eai_to_gpg_error (int ec)
   return err;
 }
 
+struct
+{
+  struct dns_resolv_conf *resolv_conf;
+  struct dns_hosts *hosts;
+  struct dns_hints *hints;
+
+  struct sockaddr_storage socks_host;
+} libdns;
+
+static gpg_error_t
+libdns_error_to_gpg_error (int error)
+{
+  gpg_err_code_t ec;
+
+  switch (error)
+    {
+    case 0:
+      return 0;
+
+    default:
+      /* XXX */
+      fprintf (stderr, "libdns: %s\n", dns_strerror (error));
+      ec = GPG_ERR_GENERAL;
+      break;
+    }
+  return gpg_error (ec);
+}
+
+static gpg_error_t
+libdns_init (void)
+{
+  int error;
+
+  libdns.resolv_conf = dns_resconf_open (&error);
+  if (! libdns.resolv_conf)
+    goto leave;
+
+#if 0
+  error = dns_resconf_pton (&libdns.resolv_conf->nameserver[0],
+                            "[127.0.0.1]:53");
+  if (error)
+    goto leave;
+#else
+  error        = dns_resconf_loadpath (libdns.resolv_conf, "/etc/resolv.conf");
+  if (error)
+    goto leave;
+
+  error        = dns_nssconf_loadpath (libdns.resolv_conf, "/etc/nsswitch.conf");
+  if (error)
+    goto leave;
+#endif
+
+  libdns.hosts = dns_hosts_open (&error);
+  if (! libdns.hosts)
+    goto leave;
+
+  /* dns_hints_local for stub mode, dns_hints_root for recursive.  */
+  libdns.hints = dns_hints_local (libdns.resolv_conf, &error);
+  if (! libdns.hints)
+    goto leave;
+
+  /* XXX */
+ leave:
+  return libdns_error_to_gpg_error (error);
+}
+
+
+static gpg_error_t
+resolve_name_libdns (const char *name, unsigned short port,
+                     int want_family, int want_socktype,
+                     dns_addrinfo_t *r_dai, char **r_canonname)
+{
+  gpg_error_t err = 0;
+  dns_addrinfo_t daihead = NULL;
+  dns_addrinfo_t dai;
+  struct dns_resolver *res;
+  struct dns_addrinfo *ai = NULL;
+  struct addrinfo hints;
+  struct addrinfo *ent;
+  char portstr_[21];
+  char *portstr = portstr_;
+  int ret;
+
+  err = libdns_init ();
+  if (err)
+    return err;
+
+  *r_dai = NULL;
+  if (r_canonname)
+    *r_canonname = NULL;
+
+  memset (&hints, 0, sizeof hints);
+  hints.ai_family = want_family;
+  hints.ai_socktype = want_socktype;
+  hints.ai_flags = AI_ADDRCONFIG;
+  if (r_canonname)
+    hints.ai_flags |= AI_CANONNAME;
+
+  if (port)
+    snprintf (portstr_, sizeof portstr_, "%hu", port);
+  else
+    portstr = NULL;
+
+  res = dns_res_open (libdns.resolv_conf, libdns.hosts, libdns.hints, NULL,
+                      dns_opts (/*.socks_host=&libdns.socks_host*/), &ret);
+  if (! res)
+    return libdns_error_to_gpg_error (ret);
+
+  ai = dns_ai_open (name, portstr, 0, &hints, res, &ret);
+  if (! ai)
+    goto leave;
+
+  /* XXX this is blocking.  */
+  do {
+    ret = dns_ai_nextent (&ent, ai);
+    switch (ret) {
+    case 0:
+      if (r_canonname && ! *r_canonname && ent && ent->ai_canonname)
+        {
+          *r_canonname = xtrystrdup (ent->ai_canonname);
+          if (!*r_canonname)
+            {
+              err = gpg_error_from_syserror ();
+              goto leave;
+            }
+        }
+
+      dai = xtrymalloc (sizeof *dai + ent->ai_addrlen - 1);
+      if (dai == NULL)
+        {
+          err = ENOMEM;
+          goto leave;
+        }
+
+      dai->family = ent->ai_family;
+      dai->socktype = ent->ai_socktype;
+      dai->protocol = ent->ai_protocol;
+      dai->addrlen = ent->ai_addrlen;
+      memcpy (dai->addr, ent->ai_addr, ent->ai_addrlen);
+      dai->next = daihead;
+      daihead = dai;
+
+      xfree (ent);
+      break;
+
+    case ENOENT:
+      break;
+
+    case EAGAIN:
+      if (dns_ai_elapsed (ai) > 30)
+        log_assert (! "XXX: query timed-out");
+
+      dns_ai_poll (ai, 1);
+      break;
+
+    default:
+      goto leave;
+    }
+  } while (ret != ENOENT);
+
+  if (ret == ENOENT && daihead != NULL)
+    ret = 0;   /* We got some results, we're good.  */
+
+ leave:
+  dns_ai_close (ai);
+  dns_res_close (res);
+
+  if (ret && ! err)
+    err = libdns_error_to_gpg_error (ret);
+
+  if (err)
+    {
+      if (r_canonname)
+        {
+          xfree (*r_canonname);
+          *r_canonname = NULL;
+        }
+      free_dns_addrinfo (daihead);
+    }
+  else
+    *r_dai = daihead;
+
+  return err;
+}
+
 
 /* Resolve a name using the standard system function.  */
 static gpg_error_t
@@ -376,11 +566,10 @@ resolve_dns_name (const char *name, unsigned short port,
                   int want_family, int want_socktype,
                   dns_addrinfo_t *r_ai, char **r_canonname)
 {
-#ifdef NOTYET
   if (!standard_resolver)
     return resolve_name_libdns (name, port, want_family, want_socktype,
                                 r_ai, r_canonname);
-#endif
+
   return resolve_name_standard (name, port, want_family, want_socktype,
                                 r_ai, r_canonname);
 }
@@ -475,6 +664,16 @@ is_onion_address (const char *name)
 }
 
 
+/* libdns version of get_dns_cert.  */
+static gpg_error_t
+get_dns_cert_libdns (const char *name, int want_certtype,
+                     void **r_key, size_t *r_keylen,
+                     unsigned char **r_fpr, size_t *r_fprlen, char **r_url)
+{
+  return gpg_error (ENOTSUP);
+}
+
+
 /* Standard resolver version of get_dns_cert.  */
 static gpg_error_t
 get_dns_cert_standard (const char *name, int want_certtype,
@@ -701,11 +900,10 @@ get_dns_cert (const char *name, int want_certtype,
   *r_fprlen = 0;
   *r_url = NULL;
 
-#ifdef NOTYET
   if (!standard_resolver)
     return get_dns_cert_libdns (name, want_certtype, r_key, r_keylen,
                                 r_fpr, r_fprlen, r_url);
-#endif
+
   return get_dns_cert_standard (name, want_certtype, r_key, r_keylen,
                                 r_fpr, r_fprlen, r_url);
 }
@@ -728,6 +926,14 @@ priosort(const void *a,const void *b)
 static int
 getsrv_standard (const char *name, struct srventry **list)
 {
+  return gpg_error (ENOTSUP);
+}
+
+
+/* libdns based helper for getsrv.  */
+static int
+getsrv_libdns (const char *name, struct srventry **list)
+{
 #ifdef HAVE_SYSTEM_RESOLVER
   union {
     unsigned char ans[2048];
@@ -850,12 +1056,8 @@ getsrv (const char *name, struct srventry **list)
 
   *list = NULL;
 
-  if (0)
-    ;
-#ifdef NOTYET
-  else if (!standard_resolver)
+  if (!standard_resolver)
     srvcount = getsrv_libdns (name, list);
-#endif
   else
     srvcount = getsrv_standard (name, list);
 
@@ -939,6 +1141,14 @@ getsrv (const char *name, struct srventry **list)
 }
 
 
+/* libdns version of get_dns_cname.  */
+gpg_error_t
+get_dns_cname_libdns (const char *name, char **r_cname)
+{
+  return gpg_error (ENOTSUP);
+}
+
+
 /* Standard resolver version of get_dns_cname.  */
 gpg_error_t
 get_dns_cname_standard (const char *name, char **r_cname)
@@ -1022,10 +1232,8 @@ get_dns_cname (const char *name, char **r_cname)
 {
   *r_cname = NULL;
 
-#ifdef NOTYET
   if (!standard_resolver)
     return get_dns_cname_libdns (name, r_cname);
-#endif
 
   return get_dns_cname_standard (name, r_cname);
 }
diff --git a/dirmngr/dns.c b/dirmngr/dns.c
new file mode 100644 (file)
index 0000000..f29158c
--- /dev/null
@@ -0,0 +1,11152 @@
+/* ==========================================================================
+ * dns.c - Recursive, Reentrant DNS Resolver.
+ * --------------------------------------------------------------------------
+ * Copyright (c) 2008, 2009, 2010, 2012-2016  William Ahern
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to permit
+ * persons to whom the Software is furnished to do so, subject to the
+ * following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+ * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+ * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+ * OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
+ * USE OR OTHER DEALINGS IN THE SOFTWARE.
+ * ==========================================================================
+ */
+#if HAVE_CONFIG_H
+#include "config.h"
+#elif !defined _GNU_SOURCE
+#define _GNU_SOURCE 1
+#endif
+
+#include <limits.h>            /* INT_MAX */
+#include <stdarg.h>            /* va_list va_start va_end */
+#include <stddef.h>            /* offsetof() */
+#ifdef _WIN32
+/* JW: This breaks our mingw build: #define uint32_t unsigned int */
+#else
+#include <stdint.h>            /* uint32_t */
+#endif
+#include <stdlib.h>            /* malloc(3) realloc(3) free(3) rand(3) random(3) arc4random(3) */
+#include <stdio.h>             /* FILE fopen(3) fclose(3) getc(3) rewind(3) vsnprintf(3) */
+#include <string.h>            /* memcpy(3) strlen(3) memmove(3) memchr(3) memcmp(3) strchr(3) strsep(3) strcspn(3) */
+#include <strings.h>           /* strcasecmp(3) strncasecmp(3) */
+#include <ctype.h>             /* isspace(3) isdigit(3) */
+#include <time.h>              /* time_t time(2) difftime(3) */
+#include <signal.h>            /* SIGPIPE sigemptyset(3) sigaddset(3) sigpending(2) sigprocmask(2) pthread_sigmask(3) sigtimedwait(2) */
+#include <errno.h>             /* errno EINVAL ENOENT */
+#undef NDEBUG
+#include <assert.h>            /* assert(3) */
+
+#if _WIN32
+#ifndef FD_SETSIZE
+#define FD_SETSIZE 256
+#endif
+#include <winsock2.h>
+#include <ws2tcpip.h>
+#else
+#include <sys/time.h>          /* gettimeofday(2) */
+#include <sys/types.h>         /* FD_SETSIZE socklen_t */
+#include <sys/select.h>                /* FD_ZERO FD_SET fd_set select(2) */
+#include <sys/socket.h>                /* AF_INET AF_INET6 AF_UNIX struct sockaddr struct sockaddr_in struct sockaddr_in6 socket(2) */
+#if defined(AF_UNIX)
+#include <sys/un.h>            /* struct sockaddr_un */
+#endif
+#include <fcntl.h>             /* F_SETFD F_GETFL F_SETFL O_NONBLOCK fcntl(2) */
+#include <unistd.h>            /* _POSIX_THREADS gethostname(3) close(2) */
+#include <poll.h>              /* POLLIN POLLOUT */
+#include <netinet/in.h>                /* struct sockaddr_in struct sockaddr_in6 */
+#include <arpa/inet.h>         /* inet_pton(3) inet_ntop(3) htons(3) ntohs(3) */
+#include <netdb.h>             /* struct addrinfo */
+#endif
+
+#include "dns.h"
+
+
+/*
+ * C O M P I L E R  V E R S I O N  &  F E A T U R E  D E T E C T I O N
+ *
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+#define DNS_GNUC_2VER(M, m, p) (((M) * 10000) + ((m) * 100) + (p))
+#define DNS_GNUC_PREREQ(M, m, p) (__GNUC__ > 0 && DNS_GNUC_2VER(__GNUC__, __GNUC_MINOR__, __GNUC_PATCHLEVEL__) >= DNS_GNUC_2VER((M), (m), (p)))
+
+#define DNS_MSC_2VER(M, m, p) ((((M) + 6) * 10000000) + ((m) * 1000000) + (p))
+#define DNS_MSC_PREREQ(M, m, p) (_MSC_VER_FULL > 0 && _MSC_VER_FULL >= DNS_MSC_2VER((M), (m), (p)))
+
+#define DNS_SUNPRO_PREREQ(M, m, p) (__SUNPRO_C > 0 && __SUNPRO_C >= 0x ## M ## m ## p)
+
+#if defined __has_builtin
+#define dns_has_builtin(x) __has_builtin(x)
+#else
+#define dns_has_builtin(x) 0
+#endif
+
+#if defined __has_extension
+#define dns_has_extension(x) __has_extension(x)
+#else
+#define dns_has_extension(x) 0
+#endif
+
+#ifndef HAVE___ASSUME
+#define HAVE___ASSUME DNS_MSC_PREREQ(8,0,0)
+#endif
+
+#ifndef HAVE___BUILTIN_TYPES_COMPATIBLE_P
+#define HAVE___BUILTIN_TYPES_COMPATIBLE_P (DNS_GNUC_PREREQ(3,1,1) || __clang__)
+#endif
+
+#ifndef HAVE___BUILTIN_UNREACHABLE
+#define HAVE___BUILTIN_UNREACHABLE (DNS_GNUC_PREREQ(4,5,0) || dns_has_builtin(__builtin_unreachable))
+#endif
+
+#ifndef HAVE_PRAGMA_MESSAGE
+#define HAVE_PRAGMA_MESSAGE (DNS_GNUC_PREREQ(4,4,0) || __clang__ || _MSC_VER)
+#endif
+
+
+/*
+ * C O M P I L E R  A N N O T A T I O N S
+ *
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+#if __GNUC__
+#define DNS_NOTUSED __attribute__((unused))
+#define DNS_NORETURN __attribute__((noreturn))
+#else
+#define DNS_NOTUSED
+#define DNS_NORETURN
+#endif
+
+#if __clang__
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wunused-parameter"
+#pragma clang diagnostic ignored "-Wmissing-field-initializers"
+#elif DNS_GNUC_PREREQ(4,6,0)
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-parameter"
+#pragma GCC diagnostic ignored "-Wmissing-field-initializers"
+#endif
+
+
+/*
+ * S T A N D A R D  M A C R O S
+ *
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+#if HAVE___BUILTIN_TYPES_COMPATIBLE_P
+#define dns_same_type(a, b, def) __builtin_types_compatible_p(__typeof__ (a), __typeof__ (b))
+#else
+#define dns_same_type(a, b, def) (def)
+#endif
+#define dns_isarray(a) (!dns_same_type((a), (&(a)[0]), 0))
+/* NB: "_" field silences Sun Studio "zero-sized struct/union" error diagnostic */
+#define dns_inline_assert(cond) ((void)(sizeof (struct { int:-!(cond); int _; })))
+
+#if HAVE___ASSUME
+#define dns_assume(cond) __assume(cond)
+#elif HAVE___BUILTIN_UNREACHABLE
+#define dns_assume(cond) do { if (!(cond)) __builtin_unreachable(); } while (0)
+#else
+#define dns_assume(cond) do { (void)(cond); } while (0)
+#endif
+
+#ifndef lengthof
+#define lengthof(a) (dns_inline_assert(dns_isarray(a)), (sizeof (a) / sizeof (a)[0]))
+#endif
+
+#ifndef endof
+#define endof(a) (dns_inline_assert(dns_isarray(a)), &(a)[lengthof((a))])
+#endif
+
+
+/*
+ * M I S C E L L A N E O U S  C O M P A T
+ *
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+#if _WIN32 || _WIN64
+#define PRIuZ "Iu"
+#else
+#define PRIuZ "zu"
+#endif
+
+#ifndef DNS_THREAD_SAFE
+#if (defined _REENTRANT || defined _THREAD_SAFE) && _POSIX_THREADS > 0
+#define DNS_THREAD_SAFE 1
+#else
+#define DNS_THREAD_SAFE 0
+#endif
+#endif
+
+#ifndef HAVE__STATIC_ASSERT
+#define HAVE__STATIC_ASSERT \
+       (dns_has_extension(c_static_assert) || DNS_GNUC_PREREQ(4,6,0) || \
+        __C11FEATURES__ || __STDC_VERSION__ >= 201112L)
+#endif
+
+#ifndef HAVE_STATIC_ASSERT
+#if DNS_GNUC_PREREQ(0,0,0) && !DNS_GNUC_PREREQ(4,6,0)
+#define HAVE_STATIC_ASSERT 0 /* glibc doesn't check GCC version */
+#else
+#define HAVE_STATIC_ASSERT (defined static_assert)
+#endif
+#endif
+
+#if HAVE_STATIC_ASSERT
+#define dns_static_assert(cond, msg) static_assert(cond, msg)
+#elif HAVE__STATIC_ASSERT
+#define dns_static_assert(cond, msg) _Static_assert(cond, msg)
+#else
+#define dns_static_assert(cond, msg) extern char DNS_PP_XPASTE(dns_assert_, __LINE__)[sizeof (int[1 - 2*!(cond)])]
+#endif
+
+
+/*
+ * D E B U G  M A C R O S
+ *
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+int *dns_debug_p(void) {
+       static int debug;
+
+       return &debug;
+} /* dns_debug_p() */
+
+#if DNS_DEBUG
+
+#undef DNS_DEBUG
+#define DNS_DEBUG dns_debug
+
+#define DNS_SAY_(fmt, ...) \
+       do { if (DNS_DEBUG > 0) fprintf(stderr, fmt "%.1s", __func__, __LINE__, __VA_ARGS__); } while (0)
+#define DNS_SAY(...) DNS_SAY_("@@ (%s:%d) " __VA_ARGS__, "\n")
+#define DNS_HAI DNS_SAY("HAI")
+
+#define DNS_SHOW_(P, fmt, ...) do {                                    \
+       if (DNS_DEBUG > 1) {                                            \
+       fprintf(stderr, "@@ BEGIN * * * * * * * * * * * *\n");          \
+       fprintf(stderr, "@@ " fmt "%.0s\n", __VA_ARGS__);               \
+       dns_p_dump((P), stderr);                                        \
+       fprintf(stderr, "@@ END * * * * * * * * * * * * *\n\n");        \
+       }                                                               \
+} while (0)
+
+#define DNS_SHOW(...)  DNS_SHOW_(__VA_ARGS__, "")
+
+#else /* !DNS_DEBUG */
+
+#undef DNS_DEBUG
+#define DNS_DEBUG 0
+
+#define DNS_SAY(...)
+#define DNS_HAI
+#define DNS_SHOW(...)
+
+#endif /* DNS_DEBUG */
+
+#define DNS_CARP(...) DNS_SAY(__VA_ARGS__)
+
+
+/*
+ * V E R S I O N  R O U T I N E S
+ *
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+const char *dns_vendor(void) {
+       return DNS_VENDOR;
+} /* dns_vendor() */
+
+
+int dns_v_rel(void) {
+       return DNS_V_REL;
+} /* dns_v_rel() */
+
+
+int dns_v_abi(void) {
+       return DNS_V_ABI;
+} /* dns_v_abi() */
+
+
+int dns_v_api(void) {
+       return DNS_V_API;
+} /* dns_v_api() */
+
+
+/*
+ * E R R O R  R O U T I N E S
+ *
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+#if _WIN32
+
+#define DNS_EINTR      WSAEINTR
+#define DNS_EINPROGRESS        WSAEINPROGRESS
+#define DNS_EISCONN    WSAEISCONN
+#define DNS_EWOULDBLOCK        WSAEWOULDBLOCK
+#define DNS_EALREADY   WSAEALREADY
+#define DNS_EAGAIN     EAGAIN
+#define DNS_ETIMEDOUT  WSAETIMEDOUT
+
+#define dns_syerr()    ((int)GetLastError())
+#define dns_soerr()    ((int)WSAGetLastError())
+
+#else
+
+#define DNS_EINTR      EINTR
+#define DNS_EINPROGRESS        EINPROGRESS
+#define DNS_EISCONN    EISCONN
+#define DNS_EWOULDBLOCK        EWOULDBLOCK
+#define DNS_EALREADY   EALREADY
+#define DNS_EAGAIN     EAGAIN
+#define DNS_ETIMEDOUT  ETIMEDOUT
+
+#define dns_syerr()    errno
+#define dns_soerr()    errno
+
+#endif
+
+
+const char *dns_strerror(int error) {
+       switch (error) {
+       case DNS_ENOBUFS:
+               return "DNS packet buffer too small";
+       case DNS_EILLEGAL:
+               return "Illegal DNS RR name or data";
+       case DNS_EORDER:
+               return "Attempt to push RR out of section order";
+       case DNS_ESECTION:
+               return "Invalid section specified";
+       case DNS_EUNKNOWN:
+               return "Unknown DNS error";
+       case DNS_EADDRESS:
+               return "Invalid textual address form";
+       case DNS_ENOQUERY:
+               return "Bad execution state (missing query packet)";
+       case DNS_ENOANSWER:
+               return "Bad execution state (missing answer packet)";
+       case DNS_EFETCHED:
+               return "Answer already fetched";
+       case DNS_ESERVICE:
+               return "The service passed was not recognized for the specified socket type";
+       case DNS_ENONAME:
+               return "The name does not resolve for the supplied parameters";
+       case DNS_EFAIL:
+               return "A non-recoverable error occurred when attempting to resolve the name";
+       case DNS_ECONNFIN:
+               return "Connection closed";
+       case DNS_EVERIFY:
+               return "Reply failed verification";
+       default:
+               return strerror(error);
+       } /* switch() */
+} /* dns_strerror() */
+
+
+/*
+ * A T O M I C  R O U T I N E S
+ *
+ * Use GCC's __atomic built-ins if possible. Unlike the __sync built-ins, we
+ * can use the preprocessor to detect API and, more importantly, ISA
+ * support. We want to avoid linking headaches where the API depends on an
+ * external library if the ISA (e.g. i386) doesn't support lockless
+ * operation.
+ *
+ * TODO: Support C11's atomic API. Although that may require some finesse
+ * with how we define some public types, such as dns_atomic_t and struct
+ * dns_resolv_conf.
+ *
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+#ifndef HAVE___ATOMIC_FETCH_ADD
+#define HAVE___ATOMIC_FETCH_ADD (defined __ATOMIC_RELAXED)
+#endif
+
+#ifndef HAVE___ATOMIC_FETCH_SUB
+#define HAVE___ATOMIC_FETCH_SUB HAVE___ATOMIC_FETCH_ADD
+#endif
+
+#ifndef DNS_ATOMIC_FETCH_ADD
+#if HAVE___ATOMIC_FETCH_ADD && __GCC_ATOMIC_LONG_LOCK_FREE == 2
+#define DNS_ATOMIC_FETCH_ADD(i) __atomic_fetch_add((i), 1, __ATOMIC_RELAXED)
+#else
+#pragma message("no atomic_fetch_add available")
+#define DNS_ATOMIC_FETCH_ADD(i) ((*(i))++)
+#endif
+#endif
+
+#ifndef DNS_ATOMIC_FETCH_SUB
+#if HAVE___ATOMIC_FETCH_SUB && __GCC_ATOMIC_LONG_LOCK_FREE == 2
+#define DNS_ATOMIC_FETCH_SUB(i) __atomic_fetch_sub((i), 1, __ATOMIC_RELAXED)
+#else
+#pragma message("no atomic_fetch_sub available")
+#define DNS_ATOMIC_FETCH_SUB(i) ((*(i))--)
+#endif
+#endif
+
+static inline unsigned dns_atomic_fetch_add(dns_atomic_t *i) {
+       return DNS_ATOMIC_FETCH_ADD(i);
+} /* dns_atomic_fetch_add() */
+
+
+static inline unsigned dns_atomic_fetch_sub(dns_atomic_t *i) {
+       return DNS_ATOMIC_FETCH_SUB(i);
+} /* dns_atomic_fetch_sub() */
+
+
+/*
+ * C R Y P T O  R O U T I N E S
+ *
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+/*
+ * P R N G
+ */
+
+#ifndef DNS_RANDOM
+#if defined(HAVE_ARC4RANDOM)   \
+ || defined(__OpenBSD__)       \
+ || defined(__FreeBSD__)       \
+ || defined(__NetBSD__)                \
+ || defined(__APPLE__)
+#define DNS_RANDOM     arc4random
+#elif __linux
+#define DNS_RANDOM     random
+#else
+#define DNS_RANDOM     rand
+#endif
+#endif
+
+#define DNS_RANDOM_arc4random  1
+#define DNS_RANDOM_random      2
+#define DNS_RANDOM_rand                3
+#define DNS_RANDOM_RAND_bytes  4
+
+#define DNS_RANDOM_OPENSSL     (DNS_RANDOM_RAND_bytes == DNS_PP_XPASTE(DNS_RANDOM_, DNS_RANDOM))
+
+#if DNS_RANDOM_OPENSSL
+#include <openssl/rand.h>
+#endif
+
+static unsigned dns_random_(void) {
+#if DNS_RANDOM_OPENSSL
+       unsigned r;
+       _Bool ok;
+
+       ok = (1 == RAND_bytes((unsigned char *)&r, sizeof r));
+       assert(ok && "1 == RAND_bytes()");
+
+       return r;
+#else
+       return DNS_RANDOM();
+#endif
+} /* dns_random_() */
+
+dns_random_f **dns_random_p(void) {
+       static dns_random_f *random_f = &dns_random_;
+
+       return &random_f;
+} /* dns_random_p() */
+
+
+/*
+ * P E R M U T A T I O N  G E N E R A T O R
+ */
+
+#define DNS_K_TEA_KEY_SIZE     16
+#define DNS_K_TEA_BLOCK_SIZE   8
+#define DNS_K_TEA_CYCLES       32
+#define DNS_K_TEA_MAGIC                0x9E3779B9U
+
+struct dns_k_tea {
+       uint32_t key[DNS_K_TEA_KEY_SIZE / sizeof (uint32_t)];
+       unsigned cycles;
+}; /* struct dns_k_tea */
+
+
+static void dns_k_tea_init(struct dns_k_tea *tea, uint32_t key[], unsigned cycles) {
+       memcpy(tea->key, key, sizeof tea->key);
+
+       tea->cycles     = (cycles)? cycles : DNS_K_TEA_CYCLES;
+} /* dns_k_tea_init() */
+
+
+static void dns_k_tea_encrypt(struct dns_k_tea *tea, uint32_t v[], uint32_t *w) {
+       uint32_t y, z, sum, n;
+
+       y       = v[0];
+       z       = v[1];
+       sum     = 0;
+
+       for (n = 0; n < tea->cycles; n++) {
+               sum     += DNS_K_TEA_MAGIC;
+               y       += ((z << 4) + tea->key[0]) ^ (z + sum) ^ ((z >> 5) + tea->key[1]);
+               z       += ((y << 4) + tea->key[2]) ^ (y + sum) ^ ((y >> 5) + tea->key[3]);
+       }
+
+       w[0]    = y;
+       w[1]    = z;
+
+       return /* void */;
+} /* dns_k_tea_encrypt() */
+
+
+/*
+ * Permutation generator, based on a Luby-Rackoff Feistel construction.
+ *
+ * Specifically, this is a generic balanced Feistel block cipher using TEA
+ * (another block cipher) as the pseudo-random function, F. At best it's as
+ * strong as F (TEA), notwithstanding the seeding. F could be AES, SHA-1, or
+ * perhaps Bernstein's Salsa20 core; I am naively trying to keep things
+ * simple.
+ *
+ * The generator can create a permutation of any set of numbers, as long as
+ * the size of the set is an even power of 2. This limitation arises either
+ * out of an inherent property of balanced Feistel constructions, or by my
+ * own ignorance. I'll tackle an unbalanced construction after I wrap my
+ * head around Schneier and Kelsey's paper.
+ *
+ * CAVEAT EMPTOR. IANAC.
+ */
+#define DNS_K_PERMUTOR_ROUNDS  8
+
+struct dns_k_permutor {
+       unsigned stepi, length, limit;
+       unsigned shift, mask, rounds;
+
+       struct dns_k_tea tea;
+}; /* struct dns_k_permutor */
+
+
+static inline unsigned dns_k_permutor_powof(unsigned n) {
+       unsigned m, i = 0;
+
+       for (m = 1; m < n; m <<= 1, i++)
+               ;;
+
+       return i;
+} /* dns_k_permutor_powof() */
+
+static void dns_k_permutor_init(struct dns_k_permutor *p, unsigned low, unsigned high) {
+       uint32_t key[DNS_K_TEA_KEY_SIZE / sizeof (uint32_t)];
+       unsigned width, i;
+
+       p->stepi        = 0;
+
+       p->length       = (high - low) + 1;
+       p->limit        = high;
+
+       width           = dns_k_permutor_powof(p->length);
+       width           += width % 2;
+
+       p->shift        = width / 2;
+       p->mask         = (1U << p->shift) - 1;
+       p->rounds       = DNS_K_PERMUTOR_ROUNDS;
+
+       for (i = 0; i < lengthof(key); i++)
+               key[i]  = dns_random();
+
+       dns_k_tea_init(&p->tea, key, 0);
+
+       return /* void */;
+} /* dns_k_permutor_init() */
+
+
+static unsigned dns_k_permutor_F(struct dns_k_permutor *p, unsigned k, unsigned x) {
+       uint32_t in[DNS_K_TEA_BLOCK_SIZE / sizeof (uint32_t)], out[DNS_K_TEA_BLOCK_SIZE / sizeof (uint32_t)];
+
+       memset(in, '\0', sizeof in);
+
+       in[0]   = k;
+       in[1]   = x;
+
+       dns_k_tea_encrypt(&p->tea, in, out);
+
+       return p->mask & out[0];
+} /* dns_k_permutor_F() */
+
+
+static unsigned dns_k_permutor_E(struct dns_k_permutor *p, unsigned n) {
+       unsigned l[2], r[2];
+       unsigned i;
+
+       i       = 0;
+       l[i]    = p->mask & (n >> p->shift);
+       r[i]    = p->mask & (n >> 0);
+
+       do {
+               l[(i + 1) % 2]  = r[i % 2];
+               r[(i + 1) % 2]  = l[i % 2] ^ dns_k_permutor_F(p, i, r[i % 2]);
+
+               i++;
+       } while (i < p->rounds - 1);
+
+       return ((l[i % 2] & p->mask) << p->shift) | ((r[i % 2] & p->mask) << 0);
+} /* dns_k_permutor_E() */
+
+
+DNS_NOTUSED static unsigned dns_k_permutor_D(struct dns_k_permutor *p, unsigned n) {
+       unsigned l[2], r[2];
+       unsigned i;
+
+       i               = p->rounds - 1;
+       l[i % 2]        = p->mask & (n >> p->shift);
+       r[i % 2]        = p->mask & (n >> 0);
+
+       do {
+               i--;
+
+               r[i % 2]        = l[(i + 1) % 2];
+               l[i % 2]        = r[(i + 1) % 2] ^ dns_k_permutor_F(p, i, l[(i + 1) % 2]);
+       } while (i > 0);
+
+       return ((l[i % 2] & p->mask) << p->shift) | ((r[i % 2] & p->mask) << 0);
+} /* dns_k_permutor_D() */
+
+
+static unsigned dns_k_permutor_step(struct dns_k_permutor *p) {
+       unsigned n;
+
+       do {
+               n       = dns_k_permutor_E(p, p->stepi++);
+       } while (n >= p->length);
+
+       return n + (p->limit + 1 - p->length);
+} /* dns_k_permutor_step() */
+
+
+/*
+ * Simple permutation box. Useful for shuffling rrsets from an iterator.
+ * Uses AES s-box to provide good diffusion.
+ *
+ * Seems to pass muster under runs test.
+ *
+ * $ for i in 0 1 2 3 4 5 6 7 8 9; do ./dns shuffle-16 > /tmp/out; done
+ * $ R -q -f /dev/stdin 2>/dev/null <<-EOF | awk '/p-value/{ print $8 }'
+ *     library(lawstat)
+ *     runs.test(scan(file="/tmp/out"))
+ * EOF
+ */
+static unsigned short dns_k_shuffle16(unsigned short n, unsigned s) {
+       static const unsigned char sbox[256] =
+       { 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
+         0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
+         0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0,
+         0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
+         0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc,
+         0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
+         0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a,
+         0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
+         0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0,
+         0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
+         0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b,
+         0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
+         0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85,
+         0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
+         0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5,
+         0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
+         0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17,
+         0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
+         0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88,
+         0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
+         0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c,
+         0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
+         0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9,
+         0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
+         0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6,
+         0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
+         0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e,
+         0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
+         0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94,
+         0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
+         0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68,
+         0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 };
+       unsigned char a, b;
+       unsigned i;
+
+       a = 0xff & (n >> 0);
+       b = 0xff & (n >> 8);
+
+       for (i = 0; i < 4; i++) {
+               a ^= 0xff & s;
+               a = sbox[a] ^ b;
+               b = sbox[b] ^ a;
+               s >>= 8;
+       }
+
+       return ((0xff00 & (a << 8)) | (0x00ff & (b << 0)));
+} /* dns_k_shuffle16() */
+
+/*
+ * S T A T E  M A C H I N E  R O U T I N E S
+ *
+ * Application code should define DNS_SM_RESTORE and DNS_SM_SAVE, and the
+ * local variable pc.
+ *
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+#define DNS_SM_ENTER \
+       do { \
+       static const int pc0 = __LINE__; \
+       DNS_SM_RESTORE; \
+       switch (pc0 + pc) { \
+       case __LINE__: (void)0
+
+#define DNS_SM_SAVE_AND_DO(do_statement) \
+       do { \
+               pc = __LINE__ - pc0; \
+               DNS_SM_SAVE; \
+               do_statement; \
+               case __LINE__: (void)0; \
+       } while (0)
+
+#define DNS_SM_YIELD(rv) \
+       DNS_SM_SAVE_AND_DO(return (rv))
+
+#define DNS_SM_EXIT \
+       do { goto leave; } while (0)
+
+#define DNS_SM_LEAVE \
+       leave: (void)0; \
+       DNS_SM_SAVE_AND_DO(break); \
+       } \
+       } while (0)
+
+/*
+ * U T I L I T Y  R O U T I N E S
+ *
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+#define DNS_MAXINTERVAL 300
+
+struct dns_clock {
+       time_t sample, elapsed;
+}; /* struct dns_clock */
+
+static void dns_begin(struct dns_clock *clk) {
+       clk->sample = time(0);
+       clk->elapsed = 0;
+} /* dns_begin() */
+
+static time_t dns_elapsed(struct dns_clock *clk) {
+       time_t curtime;
+
+       if ((time_t)-1 == time(&curtime))
+               return clk->elapsed;
+
+       if (curtime > clk->sample)
+               clk->elapsed += (time_t)DNS_PP_MIN(difftime(curtime, clk->sample), DNS_MAXINTERVAL);
+
+       clk->sample = curtime;
+
+       return clk->elapsed;
+} /* dns_elapsed() */
+
+
+DNS_NOTUSED static size_t dns_strnlen(const char *src, size_t m) {
+       size_t n = 0;
+
+       while (*src++ && n < m)
+               ++n;
+
+       return n;
+} /* dns_strnlen() */
+
+
+DNS_NOTUSED static size_t dns_strnlcpy(char *dst, size_t lim, const char *src, size_t max) {
+       size_t len = dns_strnlen(src, max), n;
+
+       if (lim > 0) {
+               n = DNS_PP_MIN(lim - 1, len);
+               memcpy(dst, src, n);
+               dst[n] = '\0';
+       }
+
+       return len;
+} /* dns_strnlcpy() */
+
+
+#define DNS_HAVE_SOCKADDR_UN (defined AF_UNIX && !defined _WIN32)
+
+static size_t dns_af_len(int af) {
+       static const size_t table[AF_MAX]       = {
+               [AF_INET6]      = sizeof (struct sockaddr_in6),
+               [AF_INET]       = sizeof (struct sockaddr_in),
+#if DNS_HAVE_SOCKADDR_UN
+               [AF_UNIX]       = sizeof (struct sockaddr_un),
+#endif
+       };
+
+       return table[af];
+} /* dns_af_len() */
+
+#define dns_sa_family(sa)      (((struct sockaddr *)(sa))->sa_family)
+
+#define dns_sa_len(sa)         dns_af_len(dns_sa_family(sa))
+
+
+#define DNS_SA_NOPORT  &dns_sa_noport
+static unsigned short dns_sa_noport;
+
+static unsigned short *dns_sa_port(int af, void *sa) {
+       switch (af) {
+       case AF_INET6:
+               return &((struct sockaddr_in6 *)sa)->sin6_port;
+       case AF_INET:
+               return &((struct sockaddr_in *)sa)->sin_port;
+       default:
+               return DNS_SA_NOPORT;
+       }
+} /* dns_sa_port() */
+
+
+static void *dns_sa_addr(int af, const void *sa, socklen_t *size) {
+       switch (af) {
+       case AF_INET6: {
+               struct in6_addr *in6 = &((struct sockaddr_in6 *)sa)->sin6_addr;
+
+               if (size)
+                       *size = sizeof *in6;
+
+               return in6;
+       }
+       case AF_INET: {
+               struct in_addr *in = &((struct sockaddr_in *)sa)->sin_addr;
+
+               if (size)
+                       *size = sizeof *in;
+
+               return in;
+       }
+       default:
+               if (size)
+                       *size = 0;
+
+               return 0;
+       }
+} /* dns_sa_addr() */
+
+
+#if DNS_HAVE_SOCKADDR_UN
+#define DNS_SUNPATHMAX (sizeof ((struct sockaddr_un *)0)->sun_path)
+#endif
+
+DNS_NOTUSED static void *dns_sa_path(void *sa, socklen_t *size) {
+       switch (dns_sa_family(sa)) {
+#if DNS_HAVE_SOCKADDR_UN
+       case AF_UNIX: {
+               char *path = ((struct sockaddr_un *)sa)->sun_path;
+
+               if (size)
+                       *size = dns_strnlen(path, DNS_SUNPATHMAX);
+
+               return path;
+       }
+#endif
+       default:
+               if (size)
+                       *size = 0;
+
+               return NULL;
+       }
+} /* dns_sa_path() */
+
+
+static int dns_sa_cmp(void *a, void *b) {
+       int cmp, af;
+
+       if ((cmp = dns_sa_family(a) - dns_sa_family(b)))
+               return cmp;
+
+       switch ((af = dns_sa_family(a))) {
+       case AF_INET: {
+               struct in_addr *a4, *b4;
+
+               if ((cmp = htons(*dns_sa_port(af, a)) - htons(*dns_sa_port(af, b))))
+                       return cmp;
+
+               a4 = dns_sa_addr(af, a, NULL);
+               b4 = dns_sa_addr(af, b, NULL);
+
+               if (ntohl(a4->s_addr) < ntohl(b4->s_addr))
+                       return -1;
+               if (ntohl(a4->s_addr) > ntohl(b4->s_addr))
+                       return 1;
+
+               return 0;
+       }
+       case AF_INET6: {
+               struct in6_addr *a6, *b6;
+               size_t i;
+
+               if ((cmp = htons(*dns_sa_port(af, a)) - htons(*dns_sa_port(af, b))))
+                       return cmp;
+
+               a6 = dns_sa_addr(af, a, NULL);
+               b6 = dns_sa_addr(af, b, NULL);
+
+               /* XXX: do we need to use in6_clearscope()? */
+               for (i = 0; i < sizeof a6->s6_addr; i++) {
+                       if ((cmp = a6->s6_addr[i] - b6->s6_addr[i]))
+                               return cmp;
+               }
+
+               return 0;
+       }
+#if DNS_HAVE_SOCKADDR_UN
+       case AF_UNIX: {
+               char a_path[DNS_SUNPATHMAX + 1], b_path[sizeof a_path];
+
+               dns_strnlcpy(a_path, sizeof a_path, dns_sa_path(a, NULL), DNS_SUNPATHMAX);
+               dns_strnlcpy(b_path, sizeof b_path, dns_sa_path(b, NULL), DNS_SUNPATHMAX);
+
+               return strcmp(a_path, b_path);
+       }
+#endif
+       default:
+               return -1;
+       }
+} /* dns_sa_cmp() */
+
+
+#if _WIN32
+static int dns_inet_pton(int af, const void *src, void *dst) {
+       union { struct sockaddr_in sin; struct sockaddr_in6 sin6; } u;
+
+       u.sin.sin_family        = af;
+
+       if (0 != WSAStringToAddressA((void *)src, af, (void *)0, (struct sockaddr *)&u, &(int){ sizeof u }))
+               return -1;
+
+       switch (af) {
+       case AF_INET6:
+               *(struct in6_addr *)dst = u.sin6.sin6_addr;
+
+               return 1;
+       case AF_INET:
+               *(struct in_addr *)dst  = u.sin.sin_addr;
+
+               return 1;
+       default:
+               return 0;
+       }
+} /* dns_inet_pton() */
+
+static const char *dns_inet_ntop(int af, const void *src, void *dst, unsigned long lim) {
+       union { struct sockaddr_in sin; struct sockaddr_in6 sin6; } u;
+
+       /* NOTE: WSAAddressToString will print .sin_port unless zeroed. */
+       memset(&u, 0, sizeof u);
+
+       u.sin.sin_family        = af;
+
+       switch (af) {
+       case AF_INET6:
+               u.sin6.sin6_addr        = *(struct in6_addr *)src;
+               break;
+       case AF_INET:
+               u.sin.sin_addr          = *(struct in_addr *)src;
+
+               break;
+       default:
+               return 0;
+       }
+
+       if (0 != WSAAddressToStringA((struct sockaddr *)&u, dns_sa_len(&u), (void *)0, dst, &lim))
+               return 0;
+
+       return dst;
+} /* dns_inet_ntop() */
+#else
+#define dns_inet_pton(...)     inet_pton(__VA_ARGS__)
+#define dns_inet_ntop(...)     inet_ntop(__VA_ARGS__)
+#endif
+
+
+static dns_error_t dns_pton(int af, const void *src, void *dst) {
+       switch (dns_inet_pton(af, src, dst)) {
+       case 1:
+               return 0;
+       case -1:
+               return dns_soerr();
+       default:
+               return DNS_EADDRESS;
+       }
+} /* dns_pton() */
+
+
+static dns_error_t dns_ntop(int af, const void *src, void *dst, unsigned long lim) {
+       return (dns_inet_ntop(af, src, dst, lim))? 0 : dns_soerr();
+} /* dns_ntop() */
+
+
+size_t dns_strlcpy(char *dst, const char *src, size_t lim) {
+       char *d         = dst;
+       char *e         = &dst[lim];
+       const char *s   = src;
+
+       if (d < e) {
+               do {
+                       if ('\0' == (*d++ = *s++))
+                               return s - src - 1;
+               } while (d < e);
+
+               d[-1]   = '\0';
+       }
+
+       while (*s++ != '\0')
+               ;;
+
+       return s - src - 1;
+} /* dns_strlcpy() */
+
+
+size_t dns_strlcat(char *dst, const char *src, size_t lim) {
+       char *d = memchr(dst, '\0', lim);
+       char *e = &dst[lim];
+       const char *s = src;
+       const char *p;
+
+       if (d && d < e) {
+               do {
+                       if ('\0' == (*d++ = *s++))
+                               return d - dst - 1;
+               } while (d < e);
+
+               d[-1] = '\0';
+       }
+
+       p = s;
+
+       while (*s++ != '\0')
+               ;;
+
+       return lim + (s - p - 1);
+} /* dns_strlcat() */
+
+
+static void *dns_reallocarray(void *p, size_t nmemb, size_t size, dns_error_t *error) {
+       void *rp;
+
+       if (nmemb > 0 && SIZE_MAX / nmemb < size) {
+               *error = EOVERFLOW;
+               return NULL;
+       }
+
+       if (!(rp = realloc(p, nmemb * size)))
+               *error = (errno)? errno : EINVAL;
+
+       return rp;
+} /* dns_reallocarray() */
+
+
+#if _WIN32
+
+static char *dns_strsep(char **sp, const char *delim) {
+       char *p;
+
+       if (!(p = *sp))
+               return 0;
+
+       *sp += strcspn(p, delim);
+
+       if (**sp != '\0') {
+               **sp = '\0';
+               ++*sp;
+       } else
+               *sp = NULL;
+
+       return p;
+} /* dns_strsep() */
+
+#else
+#define dns_strsep(...)        strsep(__VA_ARGS__)
+#endif
+
+
+#if _WIN32
+#define strcasecmp(...)                _stricmp(__VA_ARGS__)
+#define strncasecmp(...)       _strnicmp(__VA_ARGS__)
+#endif
+
+
+static inline _Bool dns_isalpha(unsigned char c) {
+       return isalpha(c);
+} /* dns_isalpha() */
+
+static inline _Bool dns_isdigit(unsigned char c) {
+       return isdigit(c);
+} /* dns_isdigit() */
+
+static inline _Bool dns_isalnum(unsigned char c) {
+       return isalnum(c);
+} /* dns_isalnum() */
+
+static inline _Bool dns_isspace(unsigned char c) {
+       return isspace(c);
+} /* dns_isspace() */
+
+static inline _Bool dns_isgraph(unsigned char c) {
+       return isgraph(c);
+} /* dns_isgraph() */
+
+
+static int dns_poll(int fd, short events, int timeout) {
+       fd_set rset, wset;
+
+       if (!events)
+               return 0;
+
+       assert(fd >= 0 && (unsigned)fd < FD_SETSIZE);
+
+       FD_ZERO(&rset);
+       FD_ZERO(&wset);
+
+       if (events & DNS_POLLIN)
+               FD_SET(fd, &rset);
+
+       if (events & DNS_POLLOUT)
+               FD_SET(fd, &wset);
+
+       select(fd + 1, &rset, &wset, 0, (timeout >= 0)? &(struct timeval){ timeout, 0 } : NULL);
+
+       return 0;
+} /* dns_poll() */
+
+
+#if !_WIN32
+DNS_NOTUSED static int dns_sigmask(int how, const sigset_t *set, sigset_t *oset) {
+#if DNS_THREAD_SAFE
+       return pthread_sigmask(how, set, oset);
+#else
+       return (0 == sigprocmask(how, set, oset))? 0 : errno;
+#endif
+} /* dns_sigmask() */
+#endif
+
+
+static size_t dns_send(int fd, const void *src, size_t len, int flags, dns_error_t *error) {
+       long n = send(fd, src, len, flags);
+
+       if (n < 0) {
+               *error = dns_soerr();
+               return 0;
+       } else {
+               *error = 0;
+               return n;
+       }
+} /* dns_send() */
+
+static size_t dns_recv(int fd, void *dst, size_t lim, int flags, dns_error_t *error) {
+       long n = recv(fd, dst, lim, flags);
+
+       if (n < 0) {
+               *error = dns_soerr();
+               return 0;
+       } else if (n == 0) {
+               *error = (lim > 0)? DNS_ECONNFIN : EINVAL;
+               return 0;
+       } else {
+               *error = 0;
+               return n;
+       }
+} /* dns_recv() */
+
+static size_t dns_send_nopipe(int fd, const void *src, size_t len, int flags, dns_error_t *_error) {
+#if _WIN32 || !defined SIGPIPE || defined SO_NOSIGPIPE
+       return dns_send(fd, src, len, flags, _error);
+#elif defined MSG_NOSIGNAL
+       return dns_send(fd, src, len, (flags|MSG_NOSIGNAL), _error);
+#elif _POSIX_REALTIME_SIGNALS > 0 /* require sigtimedwait */
+       /*
+        * SIGPIPE handling similar to the approach described in
+        * http://krokisplace.blogspot.com/2010/02/suppressing-sigpipe-in-library.html
+        */
+       sigset_t pending, blocked, piped;
+       size_t count;
+       int error;
+
+       sigemptyset(&pending);
+       sigpending(&pending);
+
+       if (!sigismember(&pending, SIGPIPE)) {
+               sigemptyset(&piped);
+               sigaddset(&piped, SIGPIPE);
+               sigemptyset(&blocked);
+
+               if ((error = dns_sigmask(SIG_BLOCK, &piped, &blocked)))
+                       goto error;
+       }
+
+       count = dns_send(fd, src, len, flags, &error);
+
+       if (!sigismember(&pending, SIGPIPE)) {
+               int saved = error;
+
+               if (!count && error == EPIPE) {
+                       while (-1 == sigtimedwait(&piped, NULL, &(struct timespec){ 0, 0 }) && errno == EINTR)
+                               ;;
+               }
+
+               if ((error = dns_sigmask(SIG_SETMASK, &blocked, NULL)))
+                       goto error;
+
+               error = saved;
+       }
+
+       *_error = error;
+       return count;
+error:
+       *_error = error;
+       return 0;
+#else
+#error "unable to suppress SIGPIPE"
+       return dns_send(fd, src, len, flags, _error);
+#endif
+} /* dns_send_nopipe() */
+
+
+static dns_error_t dns_connect(int fd, const struct sockaddr *addr, socklen_t addrlen) {
+       if (0 != connect(fd, addr, addrlen))
+               return dns_soerr();
+       return 0;
+} /* dns_connect() */
+
+
+#define DNS_FOPEN_STDFLAGS "rwabt+"
+
+static dns_error_t dns_fopen_addflag(char *dst, const char *src, size_t lim, int fc) {
+       char *p = dst, *pe = dst + lim;
+
+       /* copy standard flags */
+       while (*src && strchr(DNS_FOPEN_STDFLAGS, *src)) {
+               if (!(p < pe))
+                       return ENOMEM;
+               *p++ = *src++;
+       }
+
+       /* append flag to standard flags */
+       if (!(p < pe))
+               return ENOMEM;
+       *p++ = fc;
+
+       /* copy remaining mode string, including '\0' */
+       do {
+               if (!(p < pe))
+                       return ENOMEM;
+       } while ((*p++ = *src++));
+
+       return 0;
+} /* dns_fopen_addflag() */
+
+static FILE *dns_fopen(const char *path, const char *mode, dns_error_t *_error) {
+       FILE *fp;
+       char mode_cloexec[32];
+       int error;
+
+       assert(path && mode && *mode);
+       if (!*path) {
+               error = EINVAL;
+               goto error;
+       }
+
+#if _WIN32 || _WIN64
+       if ((error = dns_fopen_addflag(mode_cloexec, mode, sizeof mode_cloexec, 'N')))
+               goto error;
+       if (!(fp = fopen(path, mode_cloexec)))
+               goto syerr;
+#else
+       if ((error = dns_fopen_addflag(mode_cloexec, mode, sizeof mode_cloexec, 'e')))
+               goto error;
+       if (!(fp = fopen(path, mode_cloexec))) {
+               if (errno != EINVAL)
+                       goto syerr;
+               if (!(fp = fopen(path, mode)))
+                       goto syerr;
+       }
+#endif
+
+       return fp;
+syerr:
+       error = dns_syerr();
+error:
+       *_error = error;
+
+       return NULL;
+} /* dns_fopen() */
+
+
+struct dns_hxd_lines_i {
+       int pc;
+       size_t p;
+};
+
+#define DNS_SM_RESTORE \
+       do { \
+               pc = state->pc; \
+               sp = src + state->p; \
+               se = src + len; \
+       } while (0)
+#define DNS_SM_SAVE \
+       do { \
+               state->p = sp - src; \
+               state->pc = pc; \
+       } while (0)
+
+static size_t dns_hxd_lines(void *dst, size_t lim, const unsigned char *src, size_t len, struct dns_hxd_lines_i *state) {
+       static const unsigned char hex[] = "0123456789abcdef";
+       static const unsigned char tmpl[] = "                                                    |                |\n";
+       unsigned char ln[sizeof tmpl];
+       const unsigned char *sp, *se;
+       unsigned char *h, *g;
+       unsigned i, n;
+       int pc;
+
+       DNS_SM_ENTER;
+
+       while (sp < se) {
+               memcpy(ln, tmpl, sizeof ln);
+
+               h = &ln[2];
+               g = &ln[53];
+
+               for (n = 0; n < 2; n++) {
+                       for (i = 0; i < 8 && se - sp > 0; i++, sp++) {
+                               h[0] = hex[0x0f & (*sp >> 4)];
+                               h[1] = hex[0x0f & (*sp >> 0)];
+                               h += 3;
+
+                               *g++ = (dns_isgraph(*sp))? *sp : '.';
+                       }
+
+                       h++;
+               }
+
+               n = dns_strlcpy(dst, (char *)ln, lim);
+               DNS_SM_YIELD(n);
+       }
+
+       DNS_SM_EXIT;
+       DNS_SM_LEAVE;
+
+       return 0;
+}
+
+#undef DNS_SM_SAVE
+#undef DNS_SM_RESTORE
+
+/*
+ * A R I T H M E T I C  R O U T I N E S
+ *
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+#define DNS_CHECK_OVERFLOW(error, r, f, ...) \
+       do { \
+               uintmax_t _r; \
+               *(error) = f(&_r, __VA_ARGS__); \
+               *(r) = _r; \
+       } while (0)
+
+static dns_error_t dns_clamp_overflow(uintmax_t *r, uintmax_t n, uintmax_t clamp) {
+       if (n > clamp) {
+               *r = clamp;
+               return ERANGE;
+       } else {
+               *r = n;
+               return 0;
+       }
+} /* dns_clamp_overflow() */
+
+static dns_error_t dns_add_overflow(uintmax_t *r, uintmax_t a, uintmax_t b, uintmax_t clamp) {
+       if (~a < b) {
+               *r = DNS_PP_MIN(clamp, ~UINTMAX_C(0));
+               return ERANGE;
+       } else {
+               return dns_clamp_overflow(r, a + b, clamp);
+       }
+} /* dns_add_overflow() */
+
+static dns_error_t dns_mul_overflow(uintmax_t *r, uintmax_t a, uintmax_t b, uintmax_t clamp) {
+       if (a > 0 && UINTMAX_MAX / a < b) {
+               *r = DNS_PP_MIN(clamp, ~UINTMAX_C(0));
+               return ERANGE;
+       } else {
+               return dns_clamp_overflow(r, a * b, clamp);
+       }
+} /* dns_mul_overflow() */
+
+/*
+ * F I X E D - S I Z E D  B U F F E R  R O U T I N E S
+ *
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+#define DNS_B_INIT(src, n) { \
+       (unsigned char *)(src), \
+       (unsigned char *)(src), \
+       (unsigned char *)(src) + (n), \
+}
+
+#define DNS_B_FROM(src, n) DNS_B_INIT((src), (n))
+#define DNS_B_INTO(src, n) DNS_B_INIT((src), (n))
+
+struct dns_buf {
+       const unsigned char *base;
+       unsigned char *p;
+       const unsigned char *pe;
+       dns_error_t error;
+       size_t overflow;
+}; /* struct dns_buf */
+
+static inline size_t
+dns_b_tell(struct dns_buf *b)
+{
+       return b->p - b->base;
+}
+
+static inline dns_error_t
+dns_b_setoverflow(struct dns_buf *b, size_t n, dns_error_t error)
+{
+       b->overflow += n;
+       return b->error = error;
+}
+
+DNS_NOTUSED static struct dns_buf *
+dns_b_into(struct dns_buf *b, void *src, size_t n)
+{
+       *b = (struct dns_buf)DNS_B_INTO(src, n);
+
+       return b;
+}
+
+static dns_error_t
+dns_b_putc(struct dns_buf *b, unsigned char uc)
+{
+       if (!(b->p < b->pe))
+               return dns_b_setoverflow(b, 1, DNS_ENOBUFS);
+
+       *b->p++ = uc;
+
+       return 0;
+}
+
+static dns_error_t
+dns_b_pputc(struct dns_buf *b, unsigned char uc, size_t p)
+{
+       size_t pe = b->pe - b->base;
+       if (pe <= p)
+               return dns_b_setoverflow(b, p - pe + 1, DNS_ENOBUFS);
+
+       *((unsigned char *)b->base + p) = uc;
+
+       return 0;
+}
+
+static inline dns_error_t
+dns_b_put16(struct dns_buf *b, uint16_t u)
+{
+       return dns_b_putc(b, u >> 8), dns_b_putc(b, u >> 0);
+}
+
+static inline dns_error_t
+dns_b_pput16(struct dns_buf *b, uint16_t u, size_t p)
+{
+       if (dns_b_pputc(b, u >> 8, p) || dns_b_pputc(b, u >> 0, p + 1))
+               return b->error;
+
+       return 0;
+}
+
+DNS_NOTUSED static inline dns_error_t
+dns_b_put32(struct dns_buf *b, uint32_t u)
+{
+       return dns_b_putc(b, u >> 24), dns_b_putc(b, u >> 16),
+           dns_b_putc(b, u >> 8), dns_b_putc(b, u >> 0);
+}
+
+static dns_error_t
+dns_b_put(struct dns_buf *b, const void *src, size_t len)
+{
+       size_t n = DNS_PP_MIN((size_t)(b->pe - b->p), len);
+
+       memcpy(b->p, src, n);
+       b->p += n;
+
+       if (n < len)
+               return dns_b_setoverflow(b, len - n, DNS_ENOBUFS);
+
+       return 0;
+}
+
+static dns_error_t
+dns_b_puts(struct dns_buf *b, const void *src)
+{
+       return dns_b_put(b, src, strlen(src));
+}
+
+DNS_NOTUSED static inline dns_error_t
+dns_b_fmtju(struct dns_buf *b, const uintmax_t u, const unsigned width)
+{
+       size_t digits, padding, overflow;
+       uintmax_t r;
+       unsigned char *tp, *te, tc;
+
+       digits = 0;
+       r = u;
+       do {
+               digits++;
+               r /= 10;
+       } while (r);
+
+       padding = width - DNS_PP_MIN(digits, width);
+       overflow = (digits + padding) - DNS_PP_MIN((size_t)(b->pe - b->p), (digits + padding));
+
+       while (padding--) {
+               dns_b_putc(b, '0');
+       }
+
+       digits = 0;
+       tp = b->p;
+       r = u;
+       do {
+               if (overflow < ++digits)
+                       dns_b_putc(b, '0' + (r % 10));
+               r /= 10;
+       } while (r);
+
+       te = b->p;
+       while (tp < te) {
+               tc = *--te;
+               *te = *tp;
+               *tp++ = tc;
+       }
+
+       return b->error;
+}
+
+static void
+dns_b_popc(struct dns_buf *b)
+{
+       if (b->overflow && !--b->overflow)
+               b->error = 0;
+       if (b->p > b->base)
+               b->p--;
+}
+
+static inline const char *
+dns_b_tolstring(struct dns_buf *b, size_t *n)
+{
+       if (b->p < b->pe) {
+               *b->p = '\0';
+               *n = b->p - b->base;
+
+               return (const char *)b->base;
+       } else if (b->p > b->base) {
+               if (b->p[-1] != '\0') {
+                       dns_b_setoverflow(b, 1, DNS_ENOBUFS);
+                       b->p[-1] = '\0';
+               }
+               *n = &b->p[-1] - b->base;
+
+               return (const char *)b->base;
+       } else {
+               *n = 0;
+
+               return "";
+       }
+}
+
+static inline const char *
+dns_b_tostring(struct dns_buf *b)
+{
+       size_t n;
+       return dns_b_tolstring(b, &n);
+}
+
+static inline size_t
+dns_b_strlen(struct dns_buf *b)
+{
+       size_t n;
+       dns_b_tolstring(b, &n);
+       return n;
+}
+
+static inline size_t
+dns_b_strllen(struct dns_buf *b)
+{
+       size_t n = dns_b_strlen(b);
+       return n + b->overflow;
+}
+
+DNS_NOTUSED static const struct dns_buf *
+dns_b_from(const struct dns_buf *b, const void *src, size_t n)
+{
+       *(struct dns_buf *)b = (struct dns_buf)DNS_B_FROM(src, n);
+
+       return b;
+}
+
+static inline int
+dns_b_getc(const struct dns_buf *_b, const int eof)
+{
+       struct dns_buf *b = (struct dns_buf *)_b;
+
+       if (!(b->p < b->pe))
+               return dns_b_setoverflow(b, 1, DNS_EILLEGAL), eof;
+
+       return *b->p++;
+}
+
+static inline intmax_t
+dns_b_get16(const struct dns_buf *b, const intmax_t eof)
+{
+       intmax_t n;
+
+       n = (dns_b_getc(b, 0) << 8);
+       n |= (dns_b_getc(b, 0) << 0);
+
+       return (!b->overflow)? n : eof;
+}
+
+DNS_NOTUSED static inline intmax_t
+dns_b_get32(const struct dns_buf *b, const intmax_t eof)
+{
+       intmax_t n;
+
+       n = (dns_b_get16(b, 0) << 16);
+       n |= (dns_b_get16(b, 0) << 0);
+
+       return (!b->overflow)? n : eof;
+}
+
+static inline dns_error_t
+dns_b_move(struct dns_buf *dst, const struct dns_buf *_src, size_t n)
+{
+       struct dns_buf *src = (struct dns_buf *)_src;
+       size_t src_n = DNS_PP_MIN((size_t)(src->pe - src->p), n);
+       size_t src_r = n - src_n;
+
+       dns_b_put(dst, src->p, src_n);
+       src->p += src_n;
+
+       if (src_r)
+               return dns_b_setoverflow(src, src_r, DNS_EILLEGAL);
+
+       return dst->error;
+}
+
+/*
+ * T I M E  R O U T I N E S
+ *
+ * Most functions still rely on the older time routines defined in the
+ * utility routines section, above.
+ *
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+#define DNS_TIME_C(n) UINT64_C(n)
+#define DNS_TIME_INF (~DNS_TIME_C(0))
+
+typedef uint64_t dns_time_t;
+typedef dns_time_t dns_microseconds_t;
+
+static dns_error_t dns_time_add(dns_time_t *r, dns_time_t a, dns_time_t b) {
+       int error;
+       DNS_CHECK_OVERFLOW(&error, r, dns_add_overflow, a, b, DNS_TIME_INF);
+       return error;
+}
+
+static dns_error_t dns_time_mul(dns_time_t *r, dns_time_t a, dns_time_t b) {
+       int error;
+       DNS_CHECK_OVERFLOW(&error, r, dns_mul_overflow, a, b, DNS_TIME_INF);
+       return error;
+}
+
+static dns_error_t dns_time_diff(dns_time_t *r, dns_time_t a, dns_time_t b) {
+       if (a < b) {
+               *r = DNS_TIME_C(0);
+               return ERANGE;
+       } else {
+               *r = a - b;
+               return 0;
+       }
+}
+
+static dns_microseconds_t dns_ts2us(const struct timespec *ts, _Bool rup) {
+       if (ts) {
+               dns_time_t sec = DNS_PP_MAX(0, ts->tv_sec);
+               dns_time_t nsec = DNS_PP_MAX(0, ts->tv_nsec);
+               dns_time_t usec = nsec / 1000;
+               dns_microseconds_t r;
+
+               if (rup && nsec % 1000 > 0)
+                       usec++;
+               dns_time_mul(&r, sec, DNS_TIME_C(1000000));
+               dns_time_add(&r, r, usec);
+
+               return r;
+       } else {
+               return DNS_TIME_INF;
+       }
+} /* dns_ts2us() */
+
+static struct timespec *dns_tv2ts(struct timespec *ts, const struct timeval *tv) {
+       if (tv) {
+               ts->tv_sec = tv->tv_sec;
+               ts->tv_nsec = tv->tv_usec * 1000;
+
+               return ts;
+       } else {
+               return NULL;
+       }
+} /* dns_tv2ts() */
+
+static size_t dns_utime_print(void *_dst, size_t lim, dns_microseconds_t us) {
+       struct dns_buf dst = DNS_B_INTO(_dst, lim);
+
+       dns_b_fmtju(&dst, us / 1000000, 1);
+       dns_b_putc(&dst, '.');
+       dns_b_fmtju(&dst, us % 1000000, 6);
+
+       return dns_b_strllen(&dst);
+} /* dns_utime_print() */
+
+/*
+ * P A C K E T  R O U T I N E S
+ *
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+unsigned dns_p_count(struct dns_packet *P, enum dns_section section) {
+       unsigned count;
+
+       switch (section) {
+       case DNS_S_QD:
+               return ntohs(dns_header(P)->qdcount);
+       case DNS_S_AN:
+               return ntohs(dns_header(P)->ancount);
+       case DNS_S_NS:
+               return ntohs(dns_header(P)->nscount);
+       case DNS_S_AR:
+               return ntohs(dns_header(P)->arcount);
+       default:
+               count = 0;
+
+               if (section & DNS_S_QD)
+                       count += ntohs(dns_header(P)->qdcount);
+               if (section & DNS_S_AN)
+                       count += ntohs(dns_header(P)->ancount);
+               if (section & DNS_S_NS)
+                       count += ntohs(dns_header(P)->nscount);
+               if (section & DNS_S_AR)
+                       count += ntohs(dns_header(P)->arcount);
+
+               return count;
+       }
+} /* dns_p_count() */
+
+
+struct dns_packet *dns_p_init(struct dns_packet *P, size_t size) {
+       if (!P)
+               return 0;
+
+       assert(size >= offsetof(struct dns_packet, data) + 12);
+
+       memset(P, 0, sizeof *P);
+       P->size = size - offsetof(struct dns_packet, data);
+       P->end  = 12;
+
+       memset(P->data, '\0', 12);
+
+       return P;
+} /* dns_p_init() */
+
+
+static struct dns_packet *dns_p_reset(struct dns_packet *P) {
+       return dns_p_init(P, offsetof(struct dns_packet, data) + P->size);
+} /* dns_p_reset() */
+
+
+static unsigned short dns_p_qend(struct dns_packet *P) {
+       unsigned short qend     = 12;
+       unsigned i, count       = dns_p_count(P, DNS_S_QD);
+
+       for (i = 0; i < count && qend < P->end; i++) {
+               if (P->end == (qend = dns_d_skip(qend, P)))
+                       goto invalid;
+
+               if (P->end - qend < 4)
+                       goto invalid;
+
+               qend    += 4;
+       }
+
+       return DNS_PP_MIN(qend, P->end);
+invalid:
+       return P->end;
+} /* dns_p_qend() */
+
+
+struct dns_packet *dns_p_make(size_t len, int *error) {
+       struct dns_packet *P;
+       size_t size = dns_p_calcsize(len);
+
+       if (!(P = dns_p_init(malloc(size), size)))
+               *error = dns_syerr();
+
+       return P;
+} /* dns_p_make() */
+
+
+static void dns_p_free(struct dns_packet *P) {
+       free(P);
+} /* dns_p_free() */
+
+
+/* convience routine to free any existing packet before storing new packet */
+static struct dns_packet *dns_p_setptr(struct dns_packet **dst, struct dns_packet *src) {
+       dns_p_free(*dst);
+
+       *dst = src;
+
+       return src;
+} /* dns_p_setptr() */
+
+
+static struct dns_packet *dns_p_movptr(struct dns_packet **dst, struct dns_packet **src) {
+       dns_p_setptr(dst, *src);
+
+       *src = NULL;
+
+       return *dst;
+} /* dns_p_movptr() */
+
+
+int dns_p_grow(struct dns_packet **P) {
+       struct dns_packet *tmp;
+       size_t size;
+       int error;
+
+       if (!*P) {
+               if (!(*P = dns_p_make(DNS_P_QBUFSIZ, &error)))
+                       return error;
+
+               return 0;
+       }
+
+       size = dns_p_sizeof(*P);
+       size |= size >> 1;
+       size |= size >> 2;
+       size |= size >> 4;
+       size |= size >> 8;
+       size++;
+
+       if (size > 65536)
+               return DNS_ENOBUFS;
+
+       if (!(tmp = realloc(*P, dns_p_calcsize(size))))
+               return dns_syerr();
+
+       tmp->size = size;
+       *P = tmp;
+
+       return 0;
+} /* dns_p_grow() */
+
+
+struct dns_packet *dns_p_copy(struct dns_packet *P, const struct dns_packet *P0) {
+       if (!P)
+               return 0;
+
+       P->end  = DNS_PP_MIN(P->size, P0->end);
+
+       memcpy(P->data, P0->data, P->end);
+
+       return P;
+} /* dns_p_copy() */
+
+
+struct dns_packet *dns_p_merge(struct dns_packet *A, enum dns_section Amask, struct dns_packet *B, enum dns_section Bmask, int *error_) {
+       size_t bufsiz = DNS_PP_MIN(65535, ((A)? A->end : 0) + ((B)? B->end : 0));
+       struct dns_packet *M;
+       enum dns_section section;
+       struct dns_rr rr, mr;
+       int error, copy;
+
+       if (!A && B) {
+               A = B;
+               Amask = Bmask;
+               B = 0;
+       }
+
+merge:
+       if (!(M = dns_p_make(bufsiz, &error)))
+               goto error;
+
+       for (section = DNS_S_QD; (DNS_S_ALL & section); section <<= 1) {
+               if (A && (section & Amask)) {
+                       dns_rr_foreach(&rr, A, .section = section) {
+                               if ((error = dns_rr_copy(M, &rr, A)))
+                                       goto error;
+                       }
+               }
+
+               if (B && (section & Bmask)) {
+                       dns_rr_foreach(&rr, B, .section = section) {
+                               copy = 1;
+
+                               dns_rr_foreach(&mr, M, .type = rr.type, .section = DNS_S_ALL) {
+                                       if (!(copy = dns_rr_cmp(&rr, B, &mr, M)))
+                                               break;
+                               }
+
+                               if (copy && (error = dns_rr_copy(M, &rr, B)))
+                                       goto error;
+                       }
+               }
+       }
+
+       return M;
+error:
+       dns_p_setptr(&M, NULL);
+
+       if (error == DNS_ENOBUFS && bufsiz < 65535) {
+               bufsiz = DNS_PP_MIN(65535, bufsiz * 2);
+
+               goto merge;
+       }
+
+       *error_ = error;
+
+       return 0;
+} /* dns_p_merge() */
+
+
+static unsigned short dns_l_skip(unsigned short, const unsigned char *, size_t);
+
+void dns_p_dictadd(struct dns_packet *P, unsigned short dn) {
+       unsigned short lp, lptr, i;
+
+       lp      = dn;
+
+       while (lp < P->end) {
+               if (0xc0 == (0xc0 & P->data[lp]) && P->end - lp >= 2 && lp != dn) {
+                       lptr    = ((0x3f & P->data[lp + 0]) << 8)
+                               | ((0xff & P->data[lp + 1]) << 0);
+
+                       for (i = 0; i < lengthof(P->dict) && P->dict[i]; i++) {
+                               if (P->dict[i] == lptr) {
+                                       P->dict[i]      = dn;
+
+                                       return;
+                               }
+                       }
+               }
+
+               lp      = dns_l_skip(lp, P->data, P->end);
+       }
+
+       for (i = 0; i < lengthof(P->dict); i++) {
+               if (!P->dict[i]) {
+                       P->dict[i]      = dn;
+
+                       break;
+               }
+       }
+} /* dns_p_dictadd() */
+
+
+int dns_p_push(struct dns_packet *P, enum dns_section section, const void *dn, size_t dnlen, enum dns_type type, enum dns_class class, unsigned ttl, const void *any) {
+       size_t end = P->end;
+       int error;
+
+       if ((error = dns_d_push(P, dn, dnlen)))
+               goto error;
+
+       if (P->size - P->end < 4)
+               goto nobufs;
+
+       P->data[P->end++] = 0xff & (type >> 8);
+       P->data[P->end++] = 0xff & (type >> 0);
+
+       P->data[P->end++] = 0xff & (class >> 8);
+       P->data[P->end++] = 0xff & (class >> 0);
+
+       if (section == DNS_S_QD)
+               goto update;
+
+       if (P->size - P->end < 6)
+               goto nobufs;
+
+       if (type != DNS_T_OPT)
+               ttl = DNS_PP_MIN(ttl, 0x7fffffffU);
+       P->data[P->end++] = ttl >> 24;
+       P->data[P->end++] = ttl >> 16;
+       P->data[P->end++] = ttl >> 8;
+       P->data[P->end++] = ttl >> 0;
+
+       if ((error = dns_any_push(P, (union dns_any *)any, type)))
+               goto error;
+
+update:
+       switch (section) {
+       case DNS_S_QD:
+               if (dns_p_count(P, DNS_S_AN|DNS_S_NS|DNS_S_AR))
+                       goto order;
+
+               if (!P->memo.qd.base && (error = dns_p_study(P)))
+                       goto error;
+
+               dns_header(P)->qdcount = htons(ntohs(dns_header(P)->qdcount) + 1);
+
+               P->memo.qd.end  = P->end;
+               P->memo.an.base = P->end;
+               P->memo.an.end  = P->end;
+               P->memo.ns.base = P->end;
+               P->memo.ns.end  = P->end;
+               P->memo.ar.base = P->end;
+               P->memo.ar.end  = P->end;
+
+               break;
+       case DNS_S_AN:
+               if (dns_p_count(P, DNS_S_NS|DNS_S_AR))
+                       goto order;
+
+               if (!P->memo.an.base && (error = dns_p_study(P)))
+                       goto error;
+
+               dns_header(P)->ancount = htons(ntohs(dns_header(P)->ancount) + 1);
+
+               P->memo.an.end  = P->end;
+               P->memo.ns.base = P->end;
+               P->memo.ns.end  = P->end;
+               P->memo.ar.base = P->end;
+               P->memo.ar.end  = P->end;
+
+               break;
+       case DNS_S_NS:
+               if (dns_p_count(P, DNS_S_AR))
+                       goto order;
+
+               if (!P->memo.ns.base && (error = dns_p_study(P)))
+                       goto error;
+
+               dns_header(P)->nscount = htons(ntohs(dns_header(P)->nscount) + 1);
+
+               P->memo.ns.end  = P->end;
+               P->memo.ar.base = P->end;
+               P->memo.ar.end  = P->end;
+
+               break;
+       case DNS_S_AR:
+               if (!P->memo.ar.base && (error = dns_p_study(P)))
+                       goto error;
+
+               dns_header(P)->arcount = htons(ntohs(dns_header(P)->arcount) + 1);
+
+               P->memo.ar.end = P->end;
+
+               if (type == DNS_T_OPT && !P->memo.opt.p) {
+                       P->memo.opt.p = end;
+                       P->memo.opt.maxudp = class;
+                       P->memo.opt.ttl = ttl;
+               }
+
+               break;
+       default:
+               error = DNS_ESECTION;
+
+               goto error;
+       } /* switch() */
+
+       return 0;
+nobufs:
+       error = DNS_ENOBUFS;
+
+       goto error;
+order:
+       error = DNS_EORDER;
+
+       goto error;
+error:
+       P->end = end;
+
+       return error;
+} /* dns_p_push() */
+
+#define DNS_SM_RESTORE do { pc = state->pc; error = state->error; } while (0)
+#define DNS_SM_SAVE do { state->error = error; state->pc = pc; } while (0)
+
+struct dns_p_lines_i {
+       int pc;
+       enum dns_section section;
+       struct dns_rr rr;
+       int error;
+};
+
+static size_t dns_p_lines_fmt(void *dst, size_t lim, dns_error_t *_error, const char *fmt, ...) {
+       va_list ap;
+       int error = 0, n;
+
+       va_start(ap, fmt);
+       if ((n = vsnprintf(dst, lim, fmt, ap)) < 0)
+               error = errno;
+       va_end(ap);
+
+       *_error = error;
+       return DNS_PP_MAX(n, 0);
+} /* dns_p_lines_fmt() */
+
+#define DNS_P_LINE(...) \
+       do { \
+               len = dns_p_lines_fmt(dst, lim, &error, __VA_ARGS__); \
+               if (len == 0 && error) \
+                       goto error; \
+               DNS_SM_YIELD(len); \
+       } while (0)
+
+static size_t dns_p_lines(void *dst, size_t lim, dns_error_t *_error, struct dns_packet *P, struct dns_rr_i *I, struct dns_p_lines_i *state) {
+       int error, pc;
+       size_t len;
+
+       *_error = 0;
+
+       DNS_SM_ENTER;
+
+       DNS_P_LINE(";; [HEADER]\n");
+       DNS_P_LINE(";;    qid : %d\n", ntohs(dns_header(P)->qid));
+       DNS_P_LINE(";;     qr : %s(%d)\n", (dns_header(P)->qr)? "RESPONSE" : "QUERY", dns_header(P)->qr);
+       DNS_P_LINE(";; opcode : %s(%d)\n", dns_stropcode(dns_header(P)->opcode), dns_header(P)->opcode);
+       DNS_P_LINE(";;     aa : %s(%d)\n", (dns_header(P)->aa)? "AUTHORITATIVE" : "NON-AUTHORITATIVE", dns_header(P)->aa);
+       DNS_P_LINE(";;     tc : %s(%d)\n", (dns_header(P)->tc)? "TRUNCATED" : "NOT-TRUNCATED", dns_header(P)->tc);
+       DNS_P_LINE(";;     rd : %s(%d)\n", (dns_header(P)->rd)? "RECURSION-DESIRED" : "RECURSION-NOT-DESIRED", dns_header(P)->rd);
+       DNS_P_LINE(";;     ra : %s(%d)\n", (dns_header(P)->ra)? "RECURSION-ALLOWED" : "RECURSION-NOT-ALLOWED", dns_header(P)->ra);
+       DNS_P_LINE(";;  rcode : %s(%d)\n", dns_strrcode(dns_p_rcode(P)), dns_p_rcode(P));
+
+       while (dns_rr_grep(&state->rr, 1, I, P, &error)) {
+               if (state->section != state->rr.section) {
+                       DNS_P_LINE("\n");
+                       DNS_P_LINE(";; [%s:%d]\n", dns_strsection(state->rr.section), dns_p_count(P, state->rr.section));
+               }
+
+               if (!(len = dns_rr_print(dst, lim, &state->rr, P, &error)))
+                       goto error;
+               dns_strlcat(dst, "\n", lim);
+               DNS_SM_YIELD(len + 1);
+
+               state->section = state->rr.section;
+       }
+
+       if (error)
+               goto error;
+
+       DNS_SM_EXIT;
+error:
+       for (;;) {
+               *_error = error;
+               DNS_SM_YIELD(0);
+       }
+
+       DNS_SM_LEAVE;
+
+       *_error = 0;
+       return 0;
+} /* dns_p_lines() */
+
+#undef DNS_P_LINE
+#undef DNS_SM_SAVE
+#undef DNS_SM_RESTORE
+
+static void dns_p_dump3(struct dns_packet *P, struct dns_rr_i *I, FILE *fp) {
+       struct dns_p_lines_i lines = { 0 };
+       char line[sizeof (union dns_any) * 2];
+       size_t len;
+       int error;
+
+       while ((len = dns_p_lines(line, sizeof line, &error, P, I, &lines))) {
+               if (len < sizeof line) {
+                       fwrite(line, 1, len, fp);
+               } else {
+                       fwrite(line, 1, sizeof line - 1, fp);
+                       fputc('\n', fp);
+               }
+       }
+} /* dns_p_dump3() */
+
+
+void dns_p_dump(struct dns_packet *P, FILE *fp) {
+       dns_p_dump3(P, dns_rr_i_new(P, .section = 0), fp);
+} /* dns_p_dump() */
+
+
+static void dns_s_unstudy(struct dns_s_memo *m)
+       { m->base = 0; m->end = 0; }
+
+static void dns_m_unstudy(struct dns_p_memo *m) {
+       dns_s_unstudy(&m->qd);
+       dns_s_unstudy(&m->an);
+       dns_s_unstudy(&m->ns);
+       dns_s_unstudy(&m->ar);
+       m->opt.p = 0;
+       m->opt.maxudp = 0;
+       m->opt.ttl = 0;
+} /* dns_m_unstudy() */
+
+static int dns_s_study(struct dns_s_memo *m, enum dns_section section, unsigned short base, struct dns_packet *P) {
+       unsigned short count, rp;
+
+       count = dns_p_count(P, section);
+
+       for (rp = base; count && rp < P->end; count--)
+               rp = dns_rr_skip(rp, P);
+
+       m->base = base;
+       m->end  = rp;
+
+       return 0;
+} /* dns_s_study() */
+
+static int dns_m_study(struct dns_p_memo *m, struct dns_packet *P) {
+       struct dns_rr rr;
+       int error;
+
+       if ((error = dns_s_study(&m->qd, DNS_S_QD, 12, P)))
+               goto error;
+       if ((error = dns_s_study(&m->an, DNS_S_AN, m->qd.end, P)))
+               goto error;
+       if ((error = dns_s_study(&m->ns, DNS_S_NS, m->an.end, P)))
+               goto error;
+       if ((error = dns_s_study(&m->ar, DNS_S_AR, m->ns.end, P)))
+               goto error;
+
+       m->opt.p = 0;
+       m->opt.maxudp = 0;
+       m->opt.ttl = 0;
+       dns_rr_foreach(&rr, P, .type = DNS_T_OPT, .section = DNS_S_AR) {
+               m->opt.p = rr.dn.p;
+               m->opt.maxudp = rr.class;
+               m->opt.ttl = rr.ttl;
+               break;
+       }
+
+       return 0;
+error:
+       dns_m_unstudy(m);
+
+       return error;
+} /* dns_m_study() */
+
+int dns_p_study(struct dns_packet *P) {
+       return dns_m_study(&P->memo, P);
+} /* dns_p_study() */
+
+
+enum dns_rcode dns_p_rcode(struct dns_packet *P) {
+       return 0xfff & ((P->memo.opt.ttl >> 20) | dns_header(P)->rcode);
+} /* dns_p_rcode() */
+
+
+/*
+ * Q U E R Y  P A C K E T  R O U T I N E S
+ *
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+#define DNS_Q_RD    0x1 /* recursion desired */
+#define DNS_Q_EDNS0 0x2 /* include OPT RR */
+
+static dns_error_t
+dns_q_make2(struct dns_packet **_Q, const char *qname, size_t qlen, enum dns_type qtype, enum dns_class qclass, int qflags)
+{
+       struct dns_packet *Q = NULL;
+       int error;
+
+       if (dns_p_movptr(&Q, _Q)) {
+               dns_p_reset(Q);
+       } else if (!(Q = dns_p_make(DNS_P_QBUFSIZ, &error))) {
+               goto error;
+       }
+
+       if ((error = dns_p_push(Q, DNS_S_QD, qname, qlen, qtype, qclass, 0, 0)))
+               goto error;
+
+       dns_header(Q)->rd = !!(qflags & DNS_Q_RD);
+
+       if (qflags & DNS_Q_EDNS0) {
+               struct dns_opt opt = DNS_OPT_INIT(&opt);
+
+               opt.version = 0; /* RFC 6891 version */
+               opt.maxudp = 4096;
+
+               if ((error = dns_p_push(Q, DNS_S_AR, ".", 1, DNS_T_OPT, dns_opt_class(&opt), dns_opt_ttl(&opt), &opt)))
+                       goto error;
+       }
+
+       *_Q = Q;
+
+       return 0;
+error:
+       dns_p_free(Q);
+
+       return error;
+}
+
+static dns_error_t
+dns_q_make(struct dns_packet **Q, const char *qname, enum dns_type qtype, enum dns_class qclass, int qflags)
+{
+       return dns_q_make2(Q, qname, strlen(qname), qtype, qclass, qflags);
+}
+
+static dns_error_t
+dns_q_remake(struct dns_packet **Q, int qflags)
+{
+       char qname[DNS_D_MAXNAME + 1];
+       size_t qlen;
+       struct dns_rr rr;
+       int error;
+
+       assert(Q && *Q);
+       if ((error = dns_rr_parse(&rr, 12, *Q)))
+               return error;
+       if (!(qlen = dns_d_expand(qname, sizeof qname, rr.dn.p, *Q, &error)))
+               return error;
+       if (qlen >= sizeof qname)
+               return DNS_EILLEGAL;
+       return dns_q_make2(Q, qname, qlen, rr.type, rr.class, qflags);
+}
+
+/*
+ * D O M A I N  N A M E  R O U T I N E S
+ *
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+#ifndef DNS_D_MAXPTRS
+#define DNS_D_MAXPTRS  127     /* Arbitrary; possible, valid depth is something like packet size / 2 + fudge. */
+#endif
+
+static size_t dns_l_expand(unsigned char *dst, size_t lim, unsigned short src, unsigned short *nxt, const unsigned char *data, size_t end) {
+       unsigned short len;
+       unsigned nptrs  = 0;
+
+retry:
+       if (src >= end)
+               goto invalid;
+
+       switch (0x03 & (data[src] >> 6)) {
+       case 0x00:
+               len     = (0x3f & (data[src++]));
+
+               if (end - src < len)
+                       goto invalid;
+
+               if (lim > 0) {
+                       memcpy(dst, &data[src], DNS_PP_MIN(lim, len));
+
+                       dst[DNS_PP_MIN(lim - 1, len)]   = '\0';
+               }
+
+               *nxt    = src + len;
+
+               return len;
+       case 0x01:
+               goto invalid;
+       case 0x02:
+               goto invalid;
+       case 0x03:
+               if (++nptrs > DNS_D_MAXPTRS)
+                       goto invalid;
+
+               if (end - src < 2)
+                       goto invalid;
+
+               src     = ((0x3f & data[src + 0]) << 8)
+                       | ((0xff & data[src + 1]) << 0);
+
+               goto retry;
+       } /* switch() */
+
+       /* NOT REACHED */
+invalid:
+       *nxt    = end;
+
+       return 0;
+} /* dns_l_expand() */
+
+
+static unsigned short dns_l_skip(unsigned short src, const unsigned char *data, size_t end) {
+       unsigned short len;
+
+       if (src >= end)
+               goto invalid;
+
+       switch (0x03 & (data[src] >> 6)) {
+       case 0x00:
+               len     = (0x3f & (data[src++]));
+
+               if (end - src < len)
+                       goto invalid;
+
+               return (len)? src + len : end;
+       case 0x01:
+               goto invalid;
+       case 0x02:
+               goto invalid;
+       case 0x03:
+               return end;
+       } /* switch() */
+
+       /* NOT REACHED */
+invalid:
+       return end;
+} /* dns_l_skip() */
+
+
+static _Bool dns_d_isanchored(const void *_src, size_t len) {
+       const unsigned char *src = _src;
+       return len > 0 && src[len - 1] == '.';
+} /* dns_d_isanchored() */
+
+
+static size_t dns_d_ndots(const void *_src, size_t len) {
+       const unsigned char *p = _src, *pe = p + len;
+       size_t ndots = 0;
+
+       while ((p = memchr(p, '.', pe - p))) {
+               ndots++;
+               p++;
+       }
+
+       return ndots;
+} /* dns_d_ndots() */
+
+
+static size_t dns_d_trim(void *dst_, size_t lim, const void *src_, size_t len, int flags) {
+       unsigned char *dst = dst_;
+       const unsigned char *src = src_;
+       size_t dp = 0, sp = 0;
+       int lc;
+
+       /* trim any leading dot(s) */
+       while (sp < len && src[sp] == '.')
+               sp++;
+
+       for (lc = 0; sp < len; lc = src[sp++]) {
+               /* trim extra dot(s) */
+               if (src[sp] == '.' && lc == '.')
+                       continue;
+
+               if (dp < lim)
+                       dst[dp] = src[sp];
+
+               dp++;
+       }
+
+       if ((flags & DNS_D_ANCHOR) && lc != '.') {
+               if (dp < lim)
+                       dst[dp] = '.';
+
+               dp++;
+       }
+
+       if (lim > 0)
+               dst[DNS_PP_MIN(dp, lim - 1)] = '\0';
+
+       return dp;
+} /* dns_d_trim() */
+
+
+char *dns_d_init(void *dst, size_t lim, const void *src, size_t len, int flags) {
+       if (flags & DNS_D_TRIM) {
+               dns_d_trim(dst, lim, src, len, flags);
+       } if (flags & DNS_D_ANCHOR) {
+               dns_d_anchor(dst, lim, src, len);
+       } else {
+               memmove(dst, src, DNS_PP_MIN(lim, len));
+
+               if (lim > 0)
+                       ((char *)dst)[DNS_PP_MIN(len, lim - 1)] = '\0';
+       }
+
+       return dst;
+} /* dns_d_init() */
+
+
+size_t dns_d_anchor(void *dst, size_t lim, const void *src, size_t len) {
+       if (len == 0)
+               return 0;
+
+       memmove(dst, src, DNS_PP_MIN(lim, len));
+
+       if (((const char *)src)[len - 1] != '.') {
+               if (len < lim)
+                       ((char *)dst)[len]      = '.';
+               len++;
+       }
+
+       if (lim > 0)
+               ((char *)dst)[DNS_PP_MIN(lim - 1, len)] = '\0';
+
+       return len;
+} /* dns_d_anchor() */
+
+
+size_t dns_d_cleave(void *dst, size_t lim, const void *src, size_t len) {
+       const char *dot;
+
+       /* XXX: Skip any leading dot. Handles cleaving root ".". */
+       if (len == 0 || !(dot = memchr((const char *)src + 1, '.', len - 1)))
+               return 0;
+
+       len     -= dot - (const char *)src;
+
+       /* XXX: Unless root, skip the label's trailing dot. */
+       if (len > 1) {
+               src     = ++dot;
+               len--;
+       } else
+               src     = dot;
+
+       memmove(dst, src, DNS_PP_MIN(lim, len));
+
+       if (lim > 0)
+               ((char *)dst)[DNS_PP_MIN(lim - 1, len)] = '\0';
+
+       return len;
+} /* dns_d_cleave() */
+
+
+size_t dns_d_comp(void *dst_, size_t lim, const void *src_, size_t len, struct dns_packet *P, int *error) {
+       struct { unsigned char *b; size_t p, x; } dst, src;
+       unsigned char ch        = '.';
+
+       dst.b   = dst_;
+       dst.p   = 0;
+       dst.x   = 1;
+
+       src.b   = (unsigned char *)src_;
+       src.p   = 0;
+       src.x   = 0;
+
+       while (src.x < len) {
+               ch      = src.b[src.x];
+
+               if (ch == '.') {
+                       if (dst.p < lim)
+                               dst.b[dst.p]    = (0x3f & (src.x - src.p));
+
+                       dst.p   = dst.x++;
+                       src.p   = ++src.x;
+               } else {
+                       if (dst.x < lim)
+                               dst.b[dst.x]    = ch;
+
+                       dst.x++;
+                       src.x++;
+               }
+       } /* while() */
+
+       if (src.x > src.p) {
+               if (dst.p < lim)
+                       dst.b[dst.p]    = (0x3f & (src.x - src.p));
+
+               dst.p   = dst.x;
+       }
+
+       if (dst.p > 1) {
+               if (dst.p < lim)
+                       dst.b[dst.p]    = 0x00;
+
+               dst.p++;
+       }
+
+#if 1
+       if (dst.p < lim) {
+               struct { unsigned char label[DNS_D_MAXLABEL + 1]; size_t len; unsigned short p, x, y; } a, b;
+               unsigned i;
+
+               a.p     = 0;
+
+               while ((a.len = dns_l_expand(a.label, sizeof a.label, a.p, &a.x, dst.b, lim))) {
+                       for (i = 0; i < lengthof(P->dict) && P->dict[i]; i++) {
+                               b.p     = P->dict[i];
+
+                               while ((b.len = dns_l_expand(b.label, sizeof b.label, b.p, &b.x, P->data, P->end))) {
+                                       a.y     = a.x;
+                                       b.y     = b.x;
+
+                                       while (a.len && b.len && 0 == strcasecmp((char *)a.label, (char *)b.label)) {
+                                               a.len = dns_l_expand(a.label, sizeof a.label, a.y, &a.y, dst.b, lim);
+                                               b.len = dns_l_expand(b.label, sizeof b.label, b.y, &b.y, P->data, P->end);
+                                       }
+
+                                       if (a.len == 0 && b.len == 0 && b.p <= 0x3fff) {
+                                               dst.b[a.p++]    = 0xc0
+                                                               | (0x3f & (b.p >> 8));
+                                               dst.b[a.p++]    = (0xff & (b.p >> 0));
+
+                                               /* silence static analyzers */
+                                               dns_assume(a.p > 0);
+
+                                               return a.p;
+                                       }
+
+                                       b.p     = b.x;
+                               } /* while() */
+                       } /* for() */
+
+                       a.p     = a.x;
+               } /* while() */
+       } /* if () */
+#endif
+
+       if (!dst.p)
+               *error = DNS_EILLEGAL;
+
+       return dst.p;
+} /* dns_d_comp() */
+
+
+unsigned short dns_d_skip(unsigned short src, struct dns_packet *P) {
+       unsigned short len;
+
+       while (src < P->end) {
+               switch (0x03 & (P->data[src] >> 6)) {
+               case 0x00:      /* FOLLOWS */
+                       len     = (0x3f & P->data[src++]);
+
+                       if (0 == len) {
+/* success ==> */              return src;
+                       } else if (P->end - src > len) {
+                               src     += len;
+
+                               break;
+                       } else
+                               goto invalid;
+
+                       /* NOT REACHED */
+               case 0x01:      /* RESERVED */
+                       goto invalid;
+               case 0x02:      /* RESERVED */
+                       goto invalid;
+               case 0x03:      /* POINTER */
+                       if (P->end - src < 2)
+                               goto invalid;
+
+                       src     += 2;
+
+/* success ==> */      return src;
+               } /* switch() */
+       } /* while() */
+
+invalid:
+       return P->end;
+} /* dns_d_skip() */
+
+
+#include <stdio.h>
+
+size_t dns_d_expand(void *dst, size_t lim, unsigned short src, struct dns_packet *P, int *error) {
+       size_t dstp     = 0;
+       unsigned nptrs  = 0;
+       unsigned char len;
+
+       while (src < P->end) {
+               switch ((0x03 & (P->data[src] >> 6))) {
+               case 0x00:      /* FOLLOWS */
+                       len     = (0x3f & P->data[src]);
+
+                       if (0 == len) {
+                               if (dstp == 0) {
+                                       if (dstp < lim)
+                                               ((unsigned char *)dst)[dstp]    = '.';
+
+                                       dstp++;
+                               }
+
+                               /* NUL terminate */
+                               if (lim > 0)
+                                       ((unsigned char *)dst)[DNS_PP_MIN(dstp, lim - 1)]       = '\0';
+
+/* success ==> */              return dstp;
+                       }
+
+                       src++;
+
+                       if (P->end - src < len)
+                               goto toolong;
+
+                       if (dstp < lim)
+                               memcpy(&((unsigned char *)dst)[dstp], &P->data[src], DNS_PP_MIN(len, lim - dstp));
+
+                       src     += len;
+                       dstp    += len;
+
+                       if (dstp < lim)
+                               ((unsigned char *)dst)[dstp]    = '.';
+
+                       dstp++;
+
+                       nptrs   = 0;
+
+                       continue;
+               case 0x01:      /* RESERVED */
+                       goto reserved;
+               case 0x02:      /* RESERVED */
+                       goto reserved;
+               case 0x03:      /* POINTER */
+                       if (++nptrs > DNS_D_MAXPTRS)
+                               goto toolong;
+
+                       if (P->end - src < 2)
+                               goto toolong;
+
+                       src     = ((0x3f & P->data[src + 0]) << 8)
+                               | ((0xff & P->data[src + 1]) << 0);
+
+                       continue;
+               } /* switch() */
+       } /* while() */
+
+toolong:
+       *error  = DNS_EILLEGAL;
+
+       if (lim > 0)
+               ((unsigned char *)dst)[DNS_PP_MIN(dstp, lim - 1)]       = '\0';
+
+       return 0;
+reserved:
+       *error  = DNS_EILLEGAL;
+
+       if (lim > 0)
+               ((unsigned char *)dst)[DNS_PP_MIN(dstp, lim - 1)]       = '\0';
+
+       return 0;
+} /* dns_d_expand() */
+
+
+int dns_d_push(struct dns_packet *P, const void *dn, size_t len) {
+       size_t lim      = P->size - P->end;
+       unsigned dp     = P->end;
+       int error       = DNS_EILLEGAL; /* silence compiler */
+
+       len     = dns_d_comp(&P->data[dp], lim, dn, len, P, &error);
+
+       if (len == 0)
+               return error;
+       if (len > lim)
+               return DNS_ENOBUFS;
+
+       P->end  += len;
+
+       dns_p_dictadd(P, dp);
+
+       return 0;
+} /* dns_d_push() */
+
+
+size_t dns_d_cname(void *dst, size_t lim, const void *dn, size_t len, struct dns_packet *P, int *error_) {
+       char host[DNS_D_MAXNAME + 1];
+       struct dns_rr_i i;
+       struct dns_rr rr;
+       unsigned depth;
+       int error;
+
+       if (sizeof host <= dns_d_anchor(host, sizeof host, dn, len))
+               { error = ENAMETOOLONG; goto error; }
+
+       for (depth = 0; depth < 7; depth++) {
+               dns_rr_i_init(memset(&i, 0, sizeof i), P);
+
+               i.section       = DNS_S_ALL & ~DNS_S_QD;
+               i.name          = host;
+               i.type          = DNS_T_CNAME;
+
+               if (!dns_rr_grep(&rr, 1, &i, P, &error))
+                       break;
+
+               if ((error = dns_cname_parse((struct dns_cname *)host, &rr, P)))
+                       goto error;
+       }
+
+       return dns_strlcpy(dst, host, lim);
+error:
+       *error_ = error;
+
+       return 0;
+} /* dns_d_cname() */
+
+
+/*
+ * R E S O U R C E  R E C O R D  R O U T I N E S
+ *
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+int dns_rr_copy(struct dns_packet *P, struct dns_rr *rr, struct dns_packet *Q) {
+       unsigned char dn[DNS_D_MAXNAME + 1];
+       union dns_any any;
+       size_t len;
+       int error;
+
+       if (!(len = dns_d_expand(dn, sizeof dn, rr->dn.p, Q, &error)))
+               return error;
+       else if (len >= sizeof dn)
+               return DNS_EILLEGAL;
+
+       if (rr->section != DNS_S_QD && (error = dns_any_parse(dns_any_init(&any, sizeof any), rr, Q)))
+               return error;
+
+       return dns_p_push(P, rr->section, dn, len, rr->type, rr->class, rr->ttl, &any);
+} /* dns_rr_copy() */
+
+
+int dns_rr_parse(struct dns_rr *rr, unsigned short src, struct dns_packet *P) {
+       unsigned short p        = src;
+
+       if (src >= P->end)
+               goto invalid;
+
+       rr->dn.p   = p;
+       rr->dn.len = (p = dns_d_skip(p, P)) - rr->dn.p;
+
+       if (P->end - p < 4)
+               goto invalid;
+
+       rr->type = ((0xff & P->data[p + 0]) << 8)
+                | ((0xff & P->data[p + 1]) << 0);
+
+       rr->class = ((0xff & P->data[p + 2]) << 8)
+                 | ((0xff & P->data[p + 3]) << 0);
+
+       p += 4;
+
+       if (src < dns_p_qend(P)) {
+               rr->section = DNS_S_QUESTION;
+
+               rr->ttl    = 0;
+               rr->rd.p   = 0;
+               rr->rd.len = 0;
+
+               return 0;
+       }
+
+       if (P->end - p < 4)
+               goto invalid;
+
+       rr->ttl = ((0xff & P->data[p + 0]) << 24)
+               | ((0xff & P->data[p + 1]) << 16)
+               | ((0xff & P->data[p + 2]) << 8)
+               | ((0xff & P->data[p + 3]) << 0);
+       if (rr->type != DNS_T_OPT)
+               rr->ttl = DNS_PP_MIN(rr->ttl, 0x7fffffffU);
+
+       p += 4;
+
+       if (P->end - p < 2)
+               goto invalid;
+
+       rr->rd.len = ((0xff & P->data[p + 0]) << 8)
+                  | ((0xff & P->data[p + 1]) << 0);
+       rr->rd.p = p + 2;
+
+       p += 2;
+
+       if (P->end - p < rr->rd.len)
+               goto invalid;
+
+       return 0;
+invalid:
+       return DNS_EILLEGAL;
+} /* dns_rr_parse() */
+
+
+static unsigned short dns_rr_len(const unsigned short src, struct dns_packet *P) {
+       unsigned short rp, rdlen;
+
+       rp      = dns_d_skip(src, P);
+
+       if (P->end - rp < 4)
+               return P->end - src;
+
+       rp      += 4;   /* TYPE, CLASS */
+
+       if (rp <= dns_p_qend(P))
+               return rp - src;
+
+       if (P->end - rp < 6)
+               return P->end - src;
+
+       rp      += 6;   /* TTL, RDLEN */
+
+       rdlen   = ((0xff & P->data[rp - 2]) << 8)
+               | ((0xff & P->data[rp - 1]) << 0);
+
+       if (P->end - rp < rdlen)
+               return P->end - src;
+
+       rp      += rdlen;
+
+       return rp - src;
+} /* dns_rr_len() */
+
+
+unsigned short dns_rr_skip(unsigned short src, struct dns_packet *P) {
+       return src + dns_rr_len(src, P);
+} /* dns_rr_skip() */
+
+
+static enum dns_section dns_rr_section(unsigned short src, struct dns_packet *P) {
+       enum dns_section section;
+       unsigned count, index;
+       unsigned short rp;
+
+       if (src >= P->memo.qd.base && src < P->memo.qd.end)
+               return DNS_S_QD;
+       if (src >= P->memo.an.base && src < P->memo.an.end)
+               return DNS_S_AN;
+       if (src >= P->memo.ns.base && src < P->memo.ns.end)
+               return DNS_S_NS;
+       if (src >= P->memo.ar.base && src < P->memo.ar.end)
+               return DNS_S_AR;
+
+       /* NOTE: Possibly bad memoization. Try it the hard-way. */
+
+       for (rp = 12, index = 0; rp < src && rp < P->end; index++)
+               rp = dns_rr_skip(rp, P);
+
+       section = DNS_S_QD;
+       count   = dns_p_count(P, section);
+
+       while (index >= count && section <= DNS_S_AR) {
+               section <<= 1;
+               count += dns_p_count(P, section);
+       }
+
+       return DNS_S_ALL & section;
+} /* dns_rr_section() */
+
+
+static enum dns_type dns_rr_type(unsigned short src, struct dns_packet *P) {
+       struct dns_rr rr;
+       int error;
+
+       if ((error = dns_rr_parse(&rr, src, P)))
+               return 0;
+
+       return rr.type;
+} /* dns_rr_type() */
+
+
+int dns_rr_cmp(struct dns_rr *r0, struct dns_packet *P0, struct dns_rr *r1, struct dns_packet *P1) {
+       char host0[DNS_D_MAXNAME + 1], host1[DNS_D_MAXNAME + 1];
+       union dns_any any0, any1;
+       int cmp, error;
+       size_t len;
+
+       if ((cmp = r0->type - r1->type))
+               return cmp;
+
+       if ((cmp = r0->class - r1->class))
+               return cmp;
+
+       /*
+        * FIXME: Do label-by-label comparison to handle illegally long names?
+        */
+
+       if (!(len = dns_d_expand(host0, sizeof host0, r0->dn.p, P0, &error))
+       ||  len >= sizeof host0)
+               return -1;
+
+       if (!(len = dns_d_expand(host1, sizeof host1, r1->dn.p, P1, &error))
+       ||  len >= sizeof host1)
+               return 1;
+
+       if ((cmp = strcasecmp(host0, host1)))
+               return cmp;
+
+       if (DNS_S_QD & (r0->section | r1->section)) {
+               if (r0->section == r1->section)
+                       return 0;
+
+               return (r0->section == DNS_S_QD)? -1 : 1;
+       }
+
+       if ((error = dns_any_parse(&any0, r0, P0)))
+               return -1;
+
+       if ((error = dns_any_parse(&any1, r1, P1)))
+               return 1;
+
+       return dns_any_cmp(&any0, r0->type, &any1, r1->type);
+} /* dns_rr_cmp() */
+
+
+static _Bool dns_rr_exists(struct dns_rr *rr0, struct dns_packet *P0, struct dns_packet *P1) {
+       struct dns_rr rr1;
+
+       dns_rr_foreach(&rr1, P1, .section = rr0->section, .type = rr0->type) {
+               if (0 == dns_rr_cmp(rr0, P0, &rr1, P1))
+                       return 1;
+       }
+
+       return 0;
+} /* dns_rr_exists() */
+
+
+static unsigned short dns_rr_offset(struct dns_rr *rr) {
+       return rr->dn.p;
+} /* dns_rr_offset() */
+
+
+static _Bool dns_rr_i_match(struct dns_rr *rr, struct dns_rr_i *i, struct dns_packet *P) {
+       if (i->section && !(rr->section & i->section))
+               return 0;
+
+       if (i->type && rr->type != i->type && i->type != DNS_T_ALL)
+               return 0;
+
+       if (i->class && rr->class != i->class && i->class != DNS_C_ANY)
+               return 0;
+
+       if (i->name) {
+               char dn[DNS_D_MAXNAME + 1];
+               size_t len;
+               int error;
+
+               if (!(len = dns_d_expand(dn, sizeof dn, rr->dn.p, P, &error))
+               ||  len >= sizeof dn)
+                       return 0;
+
+               if (0 != strcasecmp(dn, i->name))
+                       return 0;
+       }
+
+       if (i->data && i->type && rr->section > DNS_S_QD) {
+               union dns_any rd;
+               int error;
+
+               if ((error = dns_any_parse(&rd, rr, P)))
+                       return 0;
+
+               if (0 != dns_any_cmp(&rd, rr->type, i->data, i->type))
+                       return 0;
+       }
+
+       return 1;
+} /* dns_rr_i_match() */
+
+
+static unsigned short dns_rr_i_start(struct dns_rr_i *i, struct dns_packet *P) {
+       unsigned short rp;
+       struct dns_rr r0, rr;
+       int error;
+
+       if ((i->section & DNS_S_QD) && P->memo.qd.base)
+               rp = P->memo.qd.base;
+       else if ((i->section & DNS_S_AN) && P->memo.an.base)
+               rp = P->memo.an.base;
+       else if ((i->section & DNS_S_NS) && P->memo.ns.base)
+               rp = P->memo.ns.base;
+       else if ((i->section & DNS_S_AR) && P->memo.ar.base)
+               rp = P->memo.ar.base;
+       else
+               rp = 12;
+
+       for (; rp < P->end; rp = dns_rr_skip(rp, P)) {
+               if ((error = dns_rr_parse(&rr, rp, P)))
+                       continue;
+
+               rr.section = dns_rr_section(rp, P);
+
+               if (!dns_rr_i_match(&rr, i, P))
+                       continue;
+
+               r0 = rr;
+
+               goto lower;
+       }
+
+       return P->end;
+lower:
+       if (i->sort == &dns_rr_i_packet)
+               return dns_rr_offset(&r0);
+
+       while ((rp = dns_rr_skip(rp, P)) < P->end) {
+               if ((error = dns_rr_parse(&rr, rp, P)))
+                       continue;
+
+               rr.section = dns_rr_section(rp, P);
+
+               if (!dns_rr_i_match(&rr, i, P))
+                       continue;
+
+               if (i->sort(&rr, &r0, i, P) < 0)
+                       r0 = rr;
+       }
+
+       return dns_rr_offset(&r0);
+} /* dns_rr_i_start() */
+
+
+static unsigned short dns_rr_i_skip(unsigned short rp, struct dns_rr_i *i, struct dns_packet *P) {
+       struct dns_rr r0, r1, rr;
+       int error;
+
+       if ((error = dns_rr_parse(&r0, rp, P)))
+               return P->end;
+
+       r0.section = dns_rr_section(rp, P);
+
+       rp = (i->sort == &dns_rr_i_packet)? dns_rr_skip(rp, P) : 12;
+
+       for (; rp < P->end; rp = dns_rr_skip(rp, P)) {
+               if ((error = dns_rr_parse(&rr, rp, P)))
+                       continue;
+
+               rr.section = dns_rr_section(rp, P);
+
+               if (!dns_rr_i_match(&rr, i, P))
+                       continue;
+
+               if (i->sort(&rr, &r0, i, P) <= 0)
+                       continue;
+
+               r1 = rr;
+
+               goto lower;
+       }
+
+       return P->end;
+lower:
+       if (i->sort == &dns_rr_i_packet)
+               return dns_rr_offset(&r1);
+
+       while ((rp = dns_rr_skip(rp, P)) < P->end) {
+               if ((error = dns_rr_parse(&rr, rp, P)))
+                       continue;
+
+               rr.section = dns_rr_section(rp, P);
+
+               if (!dns_rr_i_match(&rr, i, P))
+                       continue;
+
+               if (i->sort(&rr, &r0, i, P) <= 0)
+                       continue;
+
+               if (i->sort(&rr, &r1, i, P) >= 0)
+                       continue;
+
+               r1 = rr;
+       }
+
+       return dns_rr_offset(&r1);
+} /* dns_rr_i_skip() */
+
+
+int dns_rr_i_packet(struct dns_rr *a, struct dns_rr *b, struct dns_rr_i *i, struct dns_packet *P) {
+       (void)i;
+       (void)P;
+
+       return (int)a->dn.p - (int)b->dn.p;
+} /* dns_rr_i_packet() */
+
+
+int dns_rr_i_order(struct dns_rr *a, struct dns_rr *b, struct dns_rr_i *i, struct dns_packet *P) {
+       int cmp;
+
+       (void)i;
+
+       if ((cmp = a->section - b->section))
+               return cmp;
+
+       if (a->type != b->type)
+               return (int)a->dn.p - (int)b->dn.p;
+
+       return dns_rr_cmp(a, P, b, P);
+} /* dns_rr_i_order() */
+
+
+int dns_rr_i_shuffle(struct dns_rr *a, struct dns_rr *b, struct dns_rr_i *i, struct dns_packet *P) {
+       int cmp;
+
+       (void)i;
+       (void)P;
+
+       while (!i->state.regs[0])
+               i->state.regs[0]        = dns_random();
+
+       if ((cmp = a->section - b->section))
+               return cmp;
+
+       return dns_k_shuffle16(a->dn.p, i->state.regs[0]) - dns_k_shuffle16(b->dn.p, i->state.regs[0]);
+} /* dns_rr_i_shuffle() */
+
+
+struct dns_rr_i *dns_rr_i_init(struct dns_rr_i *i, struct dns_packet *P) {
+       static const struct dns_rr_i i_initializer;
+
+       (void)P;
+
+       i->state        = i_initializer.state;
+       i->saved        = i->state;
+
+       return i;
+} /* dns_rr_i_init() */
+
+
+unsigned dns_rr_grep(struct dns_rr *rr, unsigned lim, struct dns_rr_i *i, struct dns_packet *P, int *error_) {
+       unsigned count  = 0;
+       int error;
+
+       switch (i->state.exec) {
+       case 0:
+               if (!i->sort)
+                       i->sort = &dns_rr_i_packet;
+
+               i->state.next   = dns_rr_i_start(i, P);
+               i->state.exec++;
+
+               /* FALL THROUGH */
+       case 1:
+               while (count < lim && i->state.next < P->end) {
+                       if ((error = dns_rr_parse(rr, i->state.next, P)))
+                               goto error;
+
+                       rr->section     = dns_rr_section(i->state.next, P);
+
+                       rr++;
+                       count++;
+                       i->state.count++;
+
+                       i->state.next   = dns_rr_i_skip(i->state.next, i, P);
+               } /* while() */
+
+               break;
+       } /* switch() */
+
+       return count;
+error:
+       *error_ = error;
+
+       return count;
+} /* dns_rr_grep() */
+
+
+size_t dns_rr_print(void *_dst, size_t lim, struct dns_rr *rr, struct dns_packet *P, int *_error) {
+       struct dns_buf dst = DNS_B_INTO(_dst, lim);
+       union dns_any any;
+       size_t n;
+       int error;
+
+       if (rr->section == DNS_S_QD)
+               dns_b_putc(&dst, ';');
+
+       if (!(n = dns_d_expand(any.ns.host, sizeof any.ns.host, rr->dn.p, P, &error)))
+               goto error;
+       dns_b_put(&dst, any.ns.host, DNS_PP_MIN(n, sizeof any.ns.host - 1));
+
+       if (rr->section != DNS_S_QD) {
+               dns_b_putc(&dst, ' ');
+               dns_b_fmtju(&dst, rr->ttl, 0);
+       }
+
+       dns_b_putc(&dst, ' ');
+       dns_b_puts(&dst, dns_strclass(rr->class));
+       dns_b_putc(&dst, ' ');
+       dns_b_puts(&dst, dns_strtype(rr->type));
+
+       if (rr->section == DNS_S_QD)
+               goto epilog;
+
+       dns_b_putc(&dst, ' ');
+
+       if ((error = dns_any_parse(dns_any_init(&any, sizeof any), rr, P)))
+               goto error;
+
+       n = dns_any_print(dst.p, dst.pe - dst.p, &any, rr->type);
+       dst.p += DNS_PP_MIN(n, (size_t)(dst.pe - dst.p));
+epilog:
+       return dns_b_strllen(&dst);
+error:
+       *_error = error;
+
+       return 0;
+} /* dns_rr_print() */
+
+
+int dns_a_parse(struct dns_a *a, struct dns_rr *rr, struct dns_packet *P) {
+       unsigned long addr;
+
+       if (rr->rd.len != 4)
+               return DNS_EILLEGAL;
+
+       addr    = ((0xffU & P->data[rr->rd.p + 0]) << 24)
+               | ((0xffU & P->data[rr->rd.p + 1]) << 16)
+               | ((0xffU & P->data[rr->rd.p + 2]) << 8)
+               | ((0xffU & P->data[rr->rd.p + 3]) << 0);
+
+       a->addr.s_addr  = htonl(addr);
+
+       return 0;
+} /* dns_a_parse() */
+
+
+int dns_a_push(struct dns_packet *P, struct dns_a *a) {
+       unsigned long addr;
+
+       if (P->size - P->end < 6)
+               return DNS_ENOBUFS;
+
+       P->data[P->end++]       = 0x00;
+       P->data[P->end++]       = 0x04;
+
+       addr    = ntohl(a->addr.s_addr);
+
+       P->data[P->end++]       = 0xffU & (addr >> 24);
+       P->data[P->end++]       = 0xffU & (addr >> 16);
+       P->data[P->end++]       = 0xffU & (addr >> 8);
+       P->data[P->end++]       = 0xffU & (addr >> 0);
+
+       return 0;
+} /* dns_a_push() */
+
+
+size_t dns_a_arpa(void *_dst, size_t lim, const struct dns_a *a) {
+       struct dns_buf dst = DNS_B_INTO(_dst, lim);
+       unsigned long octets = ntohl(a->addr.s_addr);
+       unsigned i;
+
+       for (i = 0; i < 4; i++) {
+               dns_b_fmtju(&dst, 0xff & octets, 0);
+               dns_b_putc(&dst, '.');
+               octets >>= 8;
+       }
+
+       dns_b_puts(&dst, "in-addr.arpa.");
+
+       return dns_b_strllen(&dst);
+} /* dns_a_arpa() */
+
+
+int dns_a_cmp(const struct dns_a *a, const struct dns_a *b) {
+       if (ntohl(a->addr.s_addr) < ntohl(b->addr.s_addr))
+               return -1;
+       if (ntohl(a->addr.s_addr) > ntohl(b->addr.s_addr))
+               return 1;
+
+       return 0;
+} /* dns_a_cmp() */
+
+
+size_t dns_a_print(void *dst, size_t lim, struct dns_a *a) {
+       char addr[INET_ADDRSTRLEN + 1]  = "0.0.0.0";
+
+       dns_inet_ntop(AF_INET, &a->addr, addr, sizeof addr);
+
+       return dns_strlcpy(dst, addr, lim);
+} /* dns_a_print() */
+
+
+int dns_aaaa_parse(struct dns_aaaa *aaaa, struct dns_rr *rr, struct dns_packet *P) {
+       if (rr->rd.len != sizeof aaaa->addr.s6_addr)
+               return DNS_EILLEGAL;
+
+       memcpy(aaaa->addr.s6_addr, &P->data[rr->rd.p], sizeof aaaa->addr.s6_addr);
+
+       return 0;
+} /* dns_aaaa_parse() */
+
+
+int dns_aaaa_push(struct dns_packet *P, struct dns_aaaa *aaaa) {
+       if (P->size - P->end < 2 + sizeof aaaa->addr.s6_addr)
+               return DNS_ENOBUFS;
+
+       P->data[P->end++]       = 0x00;
+       P->data[P->end++]       = 0x10;
+
+       memcpy(&P->data[P->end], aaaa->addr.s6_addr, sizeof aaaa->addr.s6_addr);
+
+       P->end  += sizeof aaaa->addr.s6_addr;
+
+       return 0;
+} /* dns_aaaa_push() */
+
+
+int dns_aaaa_cmp(const struct dns_aaaa *a, const struct dns_aaaa *b) {
+       unsigned i;
+       int cmp;
+
+       for (i = 0; i < lengthof(a->addr.s6_addr); i++) {
+               if ((cmp = (a->addr.s6_addr[i] - b->addr.s6_addr[i])))
+                       return cmp;
+       }
+
+       return 0;
+} /* dns_aaaa_cmp() */
+
+
+size_t dns_aaaa_arpa(void *_dst, size_t lim, const struct dns_aaaa *aaaa) {
+       static const unsigned char hex[16] = "0123456789abcdef";
+       struct dns_buf dst = DNS_B_INTO(_dst, lim);
+       unsigned nyble;
+       int i, j;
+
+       for (i = sizeof aaaa->addr.s6_addr - 1; i >= 0; i--) {
+               nyble = aaaa->addr.s6_addr[i];
+
+               for (j = 0; j < 2; j++) {
+                       dns_b_putc(&dst, hex[0x0f & nyble]);
+                       dns_b_putc(&dst, '.');
+                       nyble >>= 4;
+               }
+       }
+
+       dns_b_puts(&dst, "ip6.arpa.");
+
+       return dns_b_strllen(&dst);
+} /* dns_aaaa_arpa() */
+
+
+size_t dns_aaaa_print(void *dst, size_t lim, struct dns_aaaa *aaaa) {
+       char addr[INET6_ADDRSTRLEN + 1] = "::";
+
+       dns_inet_ntop(AF_INET6, &aaaa->addr, addr, sizeof addr);
+
+       return dns_strlcpy(dst, addr, lim);
+} /* dns_aaaa_print() */
+
+
+int dns_mx_parse(struct dns_mx *mx, struct dns_rr *rr, struct dns_packet *P) {
+       size_t len;
+       int error;
+
+       if (rr->rd.len < 3)
+               return DNS_EILLEGAL;
+
+       mx->preference  = (0xff00 & (P->data[rr->rd.p + 0] << 8))
+                       | (0x00ff & (P->data[rr->rd.p + 1] << 0));
+
+       if (!(len = dns_d_expand(mx->host, sizeof mx->host, rr->rd.p + 2, P, &error)))
+               return error;
+       else if (len >= sizeof mx->host)
+               return DNS_EILLEGAL;
+
+       return 0;
+} /* dns_mx_parse() */
+
+
+int dns_mx_push(struct dns_packet *P, struct dns_mx *mx) {
+       size_t end, len;
+       int error;
+
+       if (P->size - P->end < 5)
+               return DNS_ENOBUFS;
+
+       end     = P->end;
+       P->end  += 2;
+
+       P->data[P->end++]       = 0xff & (mx->preference >> 8);
+       P->data[P->end++]       = 0xff & (mx->preference >> 0);
+
+       if ((error = dns_d_push(P, mx->host, strlen(mx->host))))
+               goto error;
+
+       len     = P->end - end - 2;
+
+       P->data[end + 0]        = 0xff & (len >> 8);
+       P->data[end + 1]        = 0xff & (len >> 0);
+
+       return 0;
+error:
+       P->end  = end;
+
+       return error;
+} /* dns_mx_push() */
+
+
+int dns_mx_cmp(const struct dns_mx *a, const struct dns_mx *b) {
+       int cmp;
+
+       if ((cmp = a->preference - b->preference))
+               return cmp;
+
+       return strcasecmp(a->host, b->host);
+} /* dns_mx_cmp() */
+
+
+size_t dns_mx_print(void *_dst, size_t lim, struct dns_mx *mx) {
+       struct dns_buf dst = DNS_B_INTO(_dst, lim);
+
+       dns_b_fmtju(&dst, mx->preference, 0);
+       dns_b_putc(&dst, ' ');
+       dns_b_puts(&dst, mx->host);
+
+       return dns_b_strllen(&dst);
+} /* dns_mx_print() */
+
+
+size_t dns_mx_cname(void *dst, size_t lim, struct dns_mx *mx) {
+       return dns_strlcpy(dst, mx->host, lim);
+} /* dns_mx_cname() */
+
+
+int dns_ns_parse(struct dns_ns *ns, struct dns_rr *rr, struct dns_packet *P) {
+       size_t len;
+       int error;
+
+       if (!(len = dns_d_expand(ns->host, sizeof ns->host, rr->rd.p, P, &error)))
+               return error;
+       else if (len >= sizeof ns->host)
+               return DNS_EILLEGAL;
+
+       return 0;
+} /* dns_ns_parse() */
+
+
+int dns_ns_push(struct dns_packet *P, struct dns_ns *ns) {
+       size_t end, len;
+       int error;
+
+       if (P->size - P->end < 3)
+               return DNS_ENOBUFS;
+
+       end     = P->end;
+       P->end  += 2;
+
+       if ((error = dns_d_push(P, ns->host, strlen(ns->host))))
+               goto error;
+
+       len     = P->end - end - 2;
+
+       P->data[end + 0]        = 0xff & (len >> 8);
+       P->data[end + 1]        = 0xff & (len >> 0);
+
+       return 0;
+error:
+       P->end  = end;
+
+       return error;
+} /* dns_ns_push() */
+
+
+int dns_ns_cmp(const struct dns_ns *a, const struct dns_ns *b) {
+       return strcasecmp(a->host, b->host);
+} /* dns_ns_cmp() */
+
+
+size_t dns_ns_print(void *dst, size_t lim, struct dns_ns *ns) {
+       return dns_strlcpy(dst, ns->host, lim);
+} /* dns_ns_print() */
+
+
+size_t dns_ns_cname(void *dst, size_t lim, struct dns_ns *ns) {
+       return dns_strlcpy(dst, ns->host, lim);
+} /* dns_ns_cname() */
+
+
+int dns_cname_parse(struct dns_cname *cname, struct dns_rr *rr, struct dns_packet *P) {
+       return dns_ns_parse((struct dns_ns *)cname, rr, P);
+} /* dns_cname_parse() */
+
+
+int dns_cname_push(struct dns_packet *P, struct dns_cname *cname) {
+       return dns_ns_push(P, (struct dns_ns *)cname);
+} /* dns_cname_push() */
+
+
+int dns_cname_cmp(const struct dns_cname *a, const struct dns_cname *b) {
+       return strcasecmp(a->host, b->host);
+} /* dns_cname_cmp() */
+
+
+size_t dns_cname_print(void *dst, size_t lim, struct dns_cname *cname) {
+       return dns_ns_print(dst, lim, (struct dns_ns *)cname);
+} /* dns_cname_print() */
+
+
+size_t dns_cname_cname(void *dst, size_t lim, struct dns_cname *cname) {
+       return dns_strlcpy(dst, cname->host, lim);
+} /* dns_cname_cname() */
+
+
+int dns_soa_parse(struct dns_soa *soa, struct dns_rr *rr, struct dns_packet *P) {
+       struct { void *dst; size_t lim; } dn[] =
+               { { soa->mname, sizeof soa->mname },
+                 { soa->rname, sizeof soa->rname } };
+       unsigned *ts[] =
+               { &soa->serial, &soa->refresh, &soa->retry, &soa->expire, &soa->minimum };
+       unsigned short rp;
+       unsigned i, j, n;
+       int error;
+
+       /* MNAME / RNAME */
+       if ((rp = rr->rd.p) >= P->end)
+               return DNS_EILLEGAL;
+
+       for (i = 0; i < lengthof(dn); i++) {
+               if (!(n = dns_d_expand(dn[i].dst, dn[i].lim, rp, P, &error)))
+                       return error;
+               else if (n >= dn[i].lim)
+                       return DNS_EILLEGAL;
+
+               if ((rp = dns_d_skip(rp, P)) >= P->end)
+                       return DNS_EILLEGAL;
+       }
+
+       /* SERIAL / REFRESH / RETRY / EXPIRE / MINIMUM */
+       for (i = 0; i < lengthof(ts); i++) {
+               for (j = 0; j < 4; j++, rp++) {
+                       if (rp >= P->end)
+                               return DNS_EILLEGAL;
+
+                       *ts[i]  <<= 8;
+                       *ts[i]  |= (0xff & P->data[rp]);
+               }
+       }
+
+       return 0;
+} /* dns_soa_parse() */
+
+
+int dns_soa_push(struct dns_packet *P, struct dns_soa *soa) {
+       void *dn[]      = { soa->mname, soa->rname };
+       unsigned ts[]   = { (0xffffffff & soa->serial),
+                           (0x7fffffff & soa->refresh),
+                           (0x7fffffff & soa->retry),
+                           (0x7fffffff & soa->expire),
+                           (0xffffffff & soa->minimum) };
+       unsigned i, j;
+       size_t end, len;
+       int error;
+
+       end     = P->end;
+
+       if ((P->end += 2) >= P->size)
+               goto toolong;
+
+       /* MNAME / RNAME */
+       for (i = 0; i < lengthof(dn); i++) {
+               if ((error = dns_d_push(P, dn[i], strlen(dn[i]))))
+                       goto error;
+       }
+
+       /* SERIAL / REFRESH / RETRY / EXPIRE / MINIMUM */
+       for (i = 0; i < lengthof(ts); i++) {
+               if ((P->end += 4) >= P->size)
+                       goto toolong;
+
+               for (j = 1; j <= 4; j++) {
+                       P->data[P->end - j]     = (0xff & ts[i]);
+                       ts[i]                   >>= 8;
+               }
+       }
+
+       len                     = P->end - end - 2;
+       P->data[end + 0]        = (0xff & (len >> 8));
+       P->data[end + 1]        = (0xff & (len >> 0));
+
+       return 0;
+toolong:
+       error   = DNS_ENOBUFS;
+
+       /* FALL THROUGH */
+error:
+       P->end  = end;
+
+       return error;
+} /* dns_soa_push() */
+
+
+int dns_soa_cmp(const struct dns_soa *a, const struct dns_soa *b) {
+       int cmp;
+
+       if ((cmp = strcasecmp(a->mname, b->mname)))
+               return cmp;
+
+       if ((cmp = strcasecmp(a->rname, b->rname)))
+               return cmp;
+
+       if (a->serial > b->serial)
+               return -1;
+       else if (a->serial < b->serial)
+               return 1;
+
+       if (a->refresh > b->refresh)
+               return -1;
+       else if (a->refresh < b->refresh)
+               return 1;
+
+       if (a->retry > b->retry)
+               return -1;
+       else if (a->retry < b->retry)
+               return 1;
+
+       if (a->expire > b->expire)
+               return -1;
+       else if (a->expire < b->expire)
+               return 1;
+
+       if (a->minimum > b->minimum)
+               return -1;
+       else if (a->minimum < b->minimum)
+               return 1;
+
+       return 0;
+} /* dns_soa_cmp() */
+
+
+size_t dns_soa_print(void *_dst, size_t lim, struct dns_soa *soa) {
+       struct dns_buf dst = DNS_B_INTO(_dst, lim);
+
+       dns_b_puts(&dst, soa->mname);
+       dns_b_putc(&dst, ' ');
+       dns_b_puts(&dst, soa->rname);
+       dns_b_putc(&dst, ' ');
+       dns_b_fmtju(&dst, soa->serial, 0);
+       dns_b_putc(&dst, ' ');
+       dns_b_fmtju(&dst, soa->refresh, 0);
+       dns_b_putc(&dst, ' ');
+       dns_b_fmtju(&dst, soa->retry, 0);
+       dns_b_putc(&dst, ' ');
+       dns_b_fmtju(&dst, soa->expire, 0);
+       dns_b_putc(&dst, ' ');
+       dns_b_fmtju(&dst, soa->minimum, 0);
+
+       return dns_b_strllen(&dst);
+} /* dns_soa_print() */
+
+
+int dns_srv_parse(struct dns_srv *srv, struct dns_rr *rr, struct dns_packet *P) {
+       unsigned short rp;
+       unsigned i;
+       size_t n;
+       int error;
+
+       memset(srv, '\0', sizeof *srv);
+
+       rp      = rr->rd.p;
+
+       if (rr->rd.len < 7)
+               return DNS_EILLEGAL;
+
+       for (i = 0; i < 2; i++, rp++) {
+               srv->priority   <<= 8;
+               srv->priority   |= (0xff & P->data[rp]);
+       }
+
+       for (i = 0; i < 2; i++, rp++) {
+               srv->weight     <<= 8;
+               srv->weight     |= (0xff & P->data[rp]);
+       }
+
+       for (i = 0; i < 2; i++, rp++) {
+               srv->port       <<= 8;
+               srv->port       |= (0xff & P->data[rp]);
+       }
+
+       if (!(n = dns_d_expand(srv->target, sizeof srv->target, rp, P, &error)))
+               return error;
+       else if (n >= sizeof srv->target)
+               return DNS_EILLEGAL;
+
+       return 0;
+} /* dns_srv_parse() */
+
+
+int dns_srv_push(struct dns_packet *P, struct dns_srv *srv) {
+       size_t end, len;
+       int error;
+
+       end     = P->end;
+
+       if (P->size - P->end < 2)
+               goto toolong;
+
+       P->end  += 2;
+
+       if (P->size - P->end < 6)
+               goto toolong;
+
+       P->data[P->end++]       = 0xff & (srv->priority >> 8);
+       P->data[P->end++]       = 0xff & (srv->priority >> 0);
+
+       P->data[P->end++]       = 0xff & (srv->weight >> 8);
+       P->data[P->end++]       = 0xff & (srv->weight >> 0);
+
+       P->data[P->end++]       = 0xff & (srv->port >> 8);
+       P->data[P->end++]       = 0xff & (srv->port >> 0);
+
+       if (0 == (len = dns_d_comp(&P->data[P->end], P->size - P->end, srv->target, strlen(srv->target), P, &error)))
+               goto error;
+       else if (P->size - P->end < len)
+               goto toolong;
+
+       P->end  += len;
+
+       if (P->end > 65535)
+               goto toolong;
+
+       len     = P->end - end - 2;
+
+       P->data[end + 0]        = 0xff & (len >> 8);
+       P->data[end + 1]        = 0xff & (len >> 0);
+
+       return 0;
+toolong:
+       error   = DNS_ENOBUFS;
+
+       /* FALL THROUGH */
+error:
+       P->end  = end;
+
+       return error;
+} /* dns_srv_push() */
+
+
+int dns_srv_cmp(const struct dns_srv *a, const struct dns_srv *b) {
+       int cmp;
+
+       if ((cmp = a->priority - b->priority))
+               return cmp;
+
+       /*
+        * FIXME: We need some sort of random seed to implement the dynamic
+        * weighting required by RFC 2782.
+        */
+       if ((cmp = a->weight - b->weight))
+               return cmp;
+
+       if ((cmp = a->port - b->port))
+               return cmp;
+
+       return strcasecmp(a->target, b->target);
+} /* dns_srv_cmp() */
+
+
+size_t dns_srv_print(void *_dst, size_t lim, struct dns_srv *srv) {
+       struct dns_buf dst = DNS_B_INTO(_dst, lim);
+
+       dns_b_fmtju(&dst, srv->priority, 0);
+       dns_b_putc(&dst, ' ');
+       dns_b_fmtju(&dst, srv->weight, 0);
+       dns_b_putc(&dst, ' ');
+       dns_b_fmtju(&dst, srv->port, 0);
+       dns_b_putc(&dst, ' ');
+       dns_b_puts(&dst, srv->target);
+
+       return dns_b_strllen(&dst);
+} /* dns_srv_print() */
+
+
+size_t dns_srv_cname(void *dst, size_t lim, struct dns_srv *srv) {
+       return dns_strlcpy(dst, srv->target, lim);
+} /* dns_srv_cname() */
+
+
+unsigned int dns_opt_ttl(const struct dns_opt *opt) {
+       unsigned int ttl = 0;
+
+       ttl |= (0xffU & opt->rcode) << 24;
+       ttl |= (0xffU & opt->version) << 16;
+       ttl |= (0xffffU & opt->flags) << 0;
+
+       return ttl;
+} /* dns_opt_ttl() */
+
+
+unsigned short dns_opt_class(const struct dns_opt *opt) {
+       return opt->maxudp;
+} /* dns_opt_class() */
+
+
+struct dns_opt *dns_opt_init(struct dns_opt *opt, size_t size) {
+       assert(size >= offsetof(struct dns_opt, data));
+
+       opt->size = size - offsetof(struct dns_opt, data);
+       opt->len  = 0;
+
+       opt->rcode   = 0;
+       opt->version = 0;
+       opt->maxudp  = 0;
+
+       return opt;
+} /* dns_opt_init() */
+
+
+static union dns_any *dns_opt_initany(union dns_any *any, size_t size) {
+       return dns_opt_init(&any->opt, size), any;
+} /* dns_opt_initany() */
+
+
+int dns_opt_parse(struct dns_opt *opt, struct dns_rr *rr, struct dns_packet *P) {
+       const struct dns_buf src = DNS_B_FROM(&P->data[rr->rd.p], rr->rd.len);
+       struct dns_buf dst = DNS_B_INTO(opt->data, opt->size);
+       int error;
+
+       opt->rcode = 0xfff & ((rr->ttl >> 20) | dns_header(P)->rcode);
+       opt->version = 0xff & (rr->ttl >> 16);
+       opt->flags = 0xffff & rr->ttl;
+       opt->maxudp = 0xffff & rr->class;
+
+       while (src.p < src.pe) {
+               int code, len;
+
+               if (-1 == (code = dns_b_get16(&src, -1)))
+                       return src.error;
+               if (-1 == (len = dns_b_get16(&src, -1)))
+                       return src.error;
+
+               switch (code) {
+               default:
+                       dns_b_put16(&dst, code);
+                       dns_b_put16(&dst, len);
+                       if ((error = dns_b_move(&dst, &src, len)))
+                               return error;
+                       break;
+               }
+       }
+
+       return 0;
+} /* dns_opt_parse() */
+
+
+int dns_opt_push(struct dns_packet *P, struct dns_opt *opt) {
+       const struct dns_buf src = DNS_B_FROM(opt->data, opt->len);
+       struct dns_buf dst = DNS_B_INTO(&P->data[P->end], (P->size - P->end));
+       int error;
+
+       /* rdata length (see below) */
+       if ((error = dns_b_put16(&dst, 0)))
+               goto error;
+
+       /* ... push known options here */
+
+       /* push opaque option data */
+       if ((error = dns_b_move(&dst, &src, (size_t)(src.pe - src.p))))
+               goto error;
+
+       /* rdata length */
+       if ((error = dns_b_pput16(&dst, dns_b_tell(&dst) - 2, 0)))
+               goto error;
+
+#if !DNS_DEBUG_OPT_FORMERR
+       P->end += dns_b_tell(&dst);
+#endif
+
+       return 0;
+error:
+       return error;
+} /* dns_opt_push() */
+
+
+int dns_opt_cmp(const struct dns_opt *a, const struct dns_opt *b) {
+       (void)a;
+       (void)b;
+
+       return -1;
+} /* dns_opt_cmp() */
+
+
+size_t dns_opt_print(void *_dst, size_t lim, struct dns_opt *opt) {
+       struct dns_buf dst = DNS_B_INTO(_dst, lim);
+       size_t p;
+
+       dns_b_putc(&dst, '"');
+
+       for (p = 0; p < opt->len; p++) {
+               dns_b_putc(&dst, '\\');
+               dns_b_fmtju(&dst, opt->data[p], 3);
+       }
+
+       dns_b_putc(&dst, '"');
+
+       return dns_b_strllen(&dst);
+} /* dns_opt_print() */
+
+
+int dns_ptr_parse(struct dns_ptr *ptr, struct dns_rr *rr, struct dns_packet *P) {
+       return dns_ns_parse((struct dns_ns *)ptr, rr, P);
+} /* dns_ptr_parse() */
+
+
+int dns_ptr_push(struct dns_packet *P, struct dns_ptr *ptr) {
+       return dns_ns_push(P, (struct dns_ns *)ptr);
+} /* dns_ptr_push() */
+
+
+size_t dns_ptr_qname(void *dst, size_t lim, int af, void *addr) {
+       switch (af) {
+       case AF_INET6:
+               return dns_aaaa_arpa(dst, lim, addr);
+       case AF_INET:
+               return dns_a_arpa(dst, lim, addr);
+       default: {
+               struct dns_a a;
+               a.addr.s_addr = INADDR_NONE;
+               return dns_a_arpa(dst, lim, &a);
+       }
+       }
+} /* dns_ptr_qname() */
+
+
+int dns_ptr_cmp(const struct dns_ptr *a, const struct dns_ptr *b) {
+       return strcasecmp(a->host, b->host);
+} /* dns_ptr_cmp() */
+
+
+size_t dns_ptr_print(void *dst, size_t lim, struct dns_ptr *ptr) {
+       return dns_ns_print(dst, lim, (struct dns_ns *)ptr);
+} /* dns_ptr_print() */
+
+
+size_t dns_ptr_cname(void *dst, size_t lim, struct dns_ptr *ptr) {
+       return dns_strlcpy(dst, ptr->host, lim);
+} /* dns_ptr_cname() */
+
+
+int dns_sshfp_parse(struct dns_sshfp *fp, struct dns_rr *rr, struct dns_packet *P) {
+       unsigned p = rr->rd.p, pe = rr->rd.p + rr->rd.len;
+
+       if (pe - p < 2)
+               return DNS_EILLEGAL;
+
+       fp->algo = P->data[p++];
+       fp->type = P->data[p++];
+
+       switch (fp->type) {
+       case DNS_SSHFP_SHA1:
+               if (pe - p < sizeof fp->digest.sha1)
+                       return DNS_EILLEGAL;
+
+               memcpy(fp->digest.sha1, &P->data[p], sizeof fp->digest.sha1);
+
+               break;
+       default:
+               break;
+       } /* switch() */
+
+       return 0;
+} /* dns_sshfp_parse() */
+
+
+int dns_sshfp_push(struct dns_packet *P, struct dns_sshfp *fp) {
+       unsigned p = P->end, pe = P->size, n;
+
+       if (pe - p < 4)
+               return DNS_ENOBUFS;
+
+       p += 2;
+       P->data[p++] = 0xff & fp->algo;
+       P->data[p++] = 0xff & fp->type;
+
+       switch (fp->type) {
+       case DNS_SSHFP_SHA1:
+               if (pe - p < sizeof fp->digest.sha1)
+                       return DNS_ENOBUFS;
+
+               memcpy(&P->data[p], fp->digest.sha1, sizeof fp->digest.sha1);
+               p += sizeof fp->digest.sha1;
+
+               break;
+       default:
+               return DNS_EILLEGAL;
+       } /* switch() */
+
+       n = p - P->end - 2;
+       P->data[P->end++] = 0xff & (n >> 8);
+       P->data[P->end++] = 0xff & (n >> 0);
+       P->end = p;
+
+       return 0;
+} /* dns_sshfp_push() */
+
+
+int dns_sshfp_cmp(const struct dns_sshfp *a, const struct dns_sshfp *b) {
+       int cmp;
+
+       if ((cmp = a->algo - b->algo) || (cmp = a->type - b->type))
+               return cmp;
+
+       switch (a->type) {
+       case DNS_SSHFP_SHA1:
+               return memcmp(a->digest.sha1, b->digest.sha1, sizeof a->digest.sha1);
+       default:
+               return 0;
+       } /* switch() */
+
+       /* NOT REACHED */
+} /* dns_sshfp_cmp() */
+
+
+size_t dns_sshfp_print(void *_dst, size_t lim, struct dns_sshfp *fp) {
+       static const unsigned char hex[16] = "0123456789abcdef";
+       struct dns_buf dst = DNS_B_INTO(_dst, lim);
+       size_t i;
+
+       dns_b_fmtju(&dst, fp->algo, 0);
+       dns_b_putc(&dst, ' ');
+       dns_b_fmtju(&dst, fp->type, 0);
+       dns_b_putc(&dst, ' ');
+
+       switch (fp->type) {
+       case DNS_SSHFP_SHA1:
+               for (i = 0; i < sizeof fp->digest.sha1; i++) {
+                       dns_b_putc(&dst, hex[0x0f & (fp->digest.sha1[i] >> 4)]);
+                       dns_b_putc(&dst, hex[0x0f & (fp->digest.sha1[i] >> 0)]);
+               }
+
+               break;
+       default:
+               dns_b_putc(&dst, '0');
+
+               break;
+       } /* switch() */
+
+       return dns_b_strllen(&dst);
+} /* dns_sshfp_print() */
+
+
+struct dns_txt *dns_txt_init(struct dns_txt *txt, size_t size) {
+       assert(size > offsetof(struct dns_txt, data));
+
+       txt->size       = size - offsetof(struct dns_txt, data);
+       txt->len        = 0;
+
+       return txt;
+} /* dns_txt_init() */
+
+
+static union dns_any *dns_txt_initany(union dns_any *any, size_t size) {
+       /* NB: union dns_any is already initialized as struct dns_txt */
+       (void)size;
+       return any;
+} /* dns_txt_initany() */
+
+
+int dns_txt_parse(struct dns_txt *txt, struct dns_rr *rr, struct dns_packet *P) {
+       struct { unsigned char *b; size_t p, end; } dst, src;
+       unsigned n;
+
+       dst.b   = txt->data;
+       dst.p   = 0;
+       dst.end = txt->size;
+
+       src.b   = P->data;
+       src.p   = rr->rd.p;
+       src.end = src.p + rr->rd.len;
+
+       while (src.p < src.end) {
+               n       = 0xff & P->data[src.p++];
+
+               if (src.end - src.p < n || dst.end - dst.p < n)
+                       return DNS_EILLEGAL;
+
+               memcpy(&dst.b[dst.p], &src.b[src.p], n);
+
+               dst.p   += n;
+               src.p   += n;
+       }
+
+       txt->len        = dst.p;
+
+       return 0;
+} /* dns_txt_parse() */
+
+
+int dns_txt_push(struct dns_packet *P, struct dns_txt *txt) {
+       struct { unsigned char *b; size_t p, end; } dst, src;
+       unsigned n;
+
+       dst.b   = P->data;
+       dst.p   = P->end;
+       dst.end = P->size;
+
+       src.b   = txt->data;
+       src.p   = 0;
+       src.end = txt->len;
+
+       if (dst.end - dst.p < 2)
+               return DNS_ENOBUFS;
+
+       n       = txt->len + ((txt->len + 254) / 255);
+
+       dst.b[dst.p++]  = 0xff & (n >> 8);
+       dst.b[dst.p++]  = 0xff & (n >> 0);
+
+       while (src.p < src.end) {
+               n       = DNS_PP_MIN(255, src.end - src.p);
+
+               if (dst.p >= dst.end)
+                       return DNS_ENOBUFS;
+
+               dst.b[dst.p++]  = n;
+
+               if (dst.end - dst.p < n)
+                       return DNS_ENOBUFS;
+
+               memcpy(&dst.b[dst.p], &src.b[src.p], n);
+
+               dst.p   += n;
+               src.p   += n;
+       }
+
+       P->end  = dst.p;
+
+       return 0;
+} /* dns_txt_push() */
+
+
+int dns_txt_cmp(const struct dns_txt *a, const struct dns_txt *b) {
+       (void)a;
+       (void)b;
+
+       return -1;
+} /* dns_txt_cmp() */
+
+
+size_t dns_txt_print(void *_dst, size_t lim, struct dns_txt *txt) {
+       struct dns_buf src = DNS_B_FROM(txt->data, txt->len);
+       struct dns_buf dst = DNS_B_INTO(_dst, lim);
+       unsigned i;
+
+       if (src.p < src.pe) {
+               do {
+                       dns_b_putc(&dst, '"');
+
+                       for (i = 0; i < 256 && src.p < src.pe; i++, src.p++) {
+                               if (*src.p < 32 || *src.p > 126 || *src.p == '"' || *src.p == '\\') {
+                                       dns_b_putc(&dst, '\\');
+                                       dns_b_fmtju(&dst, *src.p, 3);
+                               } else {
+                                       dns_b_putc(&dst, *src.p);
+                               }
+                       }
+
+                       dns_b_putc(&dst, '"');
+                       dns_b_putc(&dst, ' ');
+               } while (src.p < src.pe);
+
+               dns_b_popc(&dst);
+       } else {
+               dns_b_putc(&dst, '"');
+               dns_b_putc(&dst, '"');
+       }
+
+       return dns_b_strllen(&dst);
+} /* dns_txt_print() */
+
+
+static const struct dns_rrtype {
+       enum dns_type type;
+       const char *name;
+       union dns_any *(*init)(union dns_any *, size_t);
+       int (*parse)();
+       int (*push)();
+       int (*cmp)();
+       size_t (*print)();
+       size_t (*cname)();
+} dns_rrtypes[]        = {
+       { DNS_T_A,      "A",      0,                 &dns_a_parse,      &dns_a_push,      &dns_a_cmp,      &dns_a_print,      0,                },
+       { DNS_T_AAAA,   "AAAA",   0,                 &dns_aaaa_parse,   &dns_aaaa_push,   &dns_aaaa_cmp,   &dns_aaaa_print,   0,                },
+       { DNS_T_MX,     "MX",     0,                 &dns_mx_parse,     &dns_mx_push,     &dns_mx_cmp,     &dns_mx_print,     &dns_mx_cname,    },
+       { DNS_T_NS,     "NS",     0,                 &dns_ns_parse,     &dns_ns_push,     &dns_ns_cmp,     &dns_ns_print,     &dns_ns_cname,    },
+       { DNS_T_CNAME,  "CNAME",  0,                 &dns_cname_parse,  &dns_cname_push,  &dns_cname_cmp,  &dns_cname_print,  &dns_cname_cname, },
+       { DNS_T_SOA,    "SOA",    0,                 &dns_soa_parse,    &dns_soa_push,    &dns_soa_cmp,    &dns_soa_print,    0,                },
+       { DNS_T_SRV,    "SRV",    0,                 &dns_srv_parse,    &dns_srv_push,    &dns_srv_cmp,    &dns_srv_print,    &dns_srv_cname,   },
+       { DNS_T_OPT,    "OPT",    &dns_opt_initany,  &dns_opt_parse,    &dns_opt_push,    &dns_opt_cmp,    &dns_opt_print,    0,                },
+       { DNS_T_PTR,    "PTR",    0,                 &dns_ptr_parse,    &dns_ptr_push,    &dns_ptr_cmp,    &dns_ptr_print,    &dns_ptr_cname,   },
+       { DNS_T_TXT,    "TXT",    &dns_txt_initany,  &dns_txt_parse,    &dns_txt_push,    &dns_txt_cmp,    &dns_txt_print,    0,                },
+       { DNS_T_SPF,    "SPF",    &dns_txt_initany,  &dns_txt_parse,    &dns_txt_push,    &dns_txt_cmp,    &dns_txt_print,    0,                },
+       { DNS_T_SSHFP,  "SSHFP",  0,                 &dns_sshfp_parse,  &dns_sshfp_push,  &dns_sshfp_cmp,  &dns_sshfp_print,  0,                },
+       { DNS_T_AXFR,   "AXFR",   0,                 0,                 0,                0,               0,                 0,                },
+}; /* dns_rrtypes[] */
+
+static const struct dns_rrtype *dns_rrtype(enum dns_type type) {
+       const struct dns_rrtype *t;
+
+       for (t = dns_rrtypes; t < endof(dns_rrtypes); t++) {
+               if (t->type == type && t->parse) {
+                       return t;
+               }
+       }
+
+       return NULL;
+} /* dns_rrtype() */
+
+
+union dns_any *dns_any_init(union dns_any *any, size_t size) {
+       dns_static_assert(dns_same_type(any->txt, any->rdata, 1), "unexpected rdata type");
+       return (union dns_any *)dns_txt_init(&any->rdata, size);
+} /* dns_any_init() */
+
+
+static size_t dns_any_sizeof(union dns_any *any) {
+       dns_static_assert(dns_same_type(any->txt, any->rdata, 1), "unexpected rdata type");
+       return offsetof(struct dns_txt, data) + any->rdata.size;
+} /* dns_any_sizeof() */
+
+static union dns_any *dns_any_reinit(union dns_any *any, const struct dns_rrtype *t) {
+       return (t->init)? t->init(any, dns_any_sizeof(any)) : any;
+} /* dns_any_reinit() */
+
+int dns_any_parse(union dns_any *any, struct dns_rr *rr, struct dns_packet *P) {
+       const struct dns_rrtype *t;
+
+       if ((t = dns_rrtype(rr->type)))
+               return t->parse(dns_any_reinit(any, t), rr, P);
+
+       if (rr->rd.len > any->rdata.size)
+               return DNS_EILLEGAL;
+
+       memcpy(any->rdata.data, &P->data[rr->rd.p], rr->rd.len);
+       any->rdata.len  = rr->rd.len;
+
+       return 0;
+} /* dns_any_parse() */
+
+
+int dns_any_push(struct dns_packet *P, union dns_any *any, enum dns_type type) {
+       const struct dns_rrtype *t;
+
+       if ((t = dns_rrtype(type)))
+               return t->push(P, any);
+
+       if (P->size - P->end < any->rdata.len + 2)
+               return DNS_ENOBUFS;
+
+       P->data[P->end++]       = 0xff & (any->rdata.len >> 8);
+       P->data[P->end++]       = 0xff & (any->rdata.len >> 0);
+
+       memcpy(&P->data[P->end], any->rdata.data, any->rdata.len);
+       P->end  += any->rdata.len;
+
+       return 0;
+} /* dns_any_push() */
+
+
+int dns_any_cmp(const union dns_any *a, enum dns_type x, const union dns_any *b, enum dns_type y) {
+       const struct dns_rrtype *t;
+       int cmp;
+
+       if ((cmp = x - y))
+               return cmp;
+
+       if ((t = dns_rrtype(x)))
+               return t->cmp(a, b);
+
+       return -1;
+} /* dns_any_cmp() */
+
+
+size_t dns_any_print(void *_dst, size_t lim, union dns_any *any, enum dns_type type) {
+       const struct dns_rrtype *t;
+       struct dns_buf src, dst;
+
+       if ((t = dns_rrtype(type)))
+               return t->print(_dst, lim, any);
+
+       dns_b_from(&src, any->rdata.data, any->rdata.len);
+       dns_b_into(&dst, _dst, lim);
+
+       dns_b_putc(&dst, '"');
+
+       while (src.p < src.pe) {
+               dns_b_putc(&dst, '\\');
+               dns_b_fmtju(&dst, *src.p++, 3);
+       }
+
+       dns_b_putc(&dst, '"');
+
+       return dns_b_strllen(&dst);
+} /* dns_any_print() */
+
+
+size_t dns_any_cname(void *dst, size_t lim, union dns_any *any, enum dns_type type) {
+       const struct dns_rrtype *t;
+
+       if ((t = dns_rrtype(type)) && t->cname)
+               return t->cname(dst, lim, any);
+
+       return 0;
+} /* dns_any_cname() */
+
+
+/*
+ * E V E N T  T R A C I N G  R O U T I N E S
+ *
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+#include <float.h> /* DBL_MANT_DIG */
+#include <inttypes.h> /* PRIu64 */
+
+/* for default trace ID generation try to fit in lua_Number, usually double */
+#define DNS_TRACE_ID_BITS DNS_PP_MIN(DBL_MANT_DIG, (sizeof (dns_trace_id_t) * CHAR_BIT)) /* assuming FLT_RADIX == 2 */
+#define DNS_TRACE_ID_MASK (((DNS_TRACE_ID_C(1) << (DNS_TRACE_ID_BITS - 1)) - 1) | (DNS_TRACE_ID_C(1) << (DNS_TRACE_ID_BITS - 1)))
+#define DNS_TRACE_ID_PRI PRIu64
+
+static inline dns_trace_id_t dns_trace_mkid(void) {
+       dns_trace_id_t id = 0;
+       unsigned r; /* return type of dns_random() */
+       const size_t id_bit = sizeof id * CHAR_BIT;
+       const size_t r_bit = sizeof r * CHAR_BIT;
+
+       for (size_t n = 0; n < id_bit; n += r_bit) {
+               r = dns_random();
+               id <<= r_bit;
+               id |= r;
+       }
+
+       return DNS_TRACE_ID_MASK & id;
+}
+
+struct dns_trace {
+       dns_atomic_t refcount;
+
+       FILE *fp;
+       dns_trace_id_t id;
+
+       struct {
+               struct dns_trace_cname {
+                       char host[DNS_D_MAXNAME + 1];
+                       struct sockaddr_storage addr;
+               } base[4];
+               size_t p;
+       } cnames;
+};
+
+static void dns_te_initname(struct sockaddr_storage *ss, int fd, int (*f)(int, struct sockaddr *, socklen_t *)) {
+       socklen_t n = sizeof *ss;
+
+       if (0 != f(fd, (struct sockaddr *)ss, &n))
+               goto unspec;
+
+       if (n > sizeof *ss)
+               goto unspec;
+
+       return;
+unspec:
+       memset(ss, '\0', sizeof *ss);
+       ss->ss_family = AF_UNSPEC;
+}
+
+static void dns_te_initnames(struct sockaddr_storage *local, struct sockaddr_storage *remote, int fd) {
+       dns_te_initname(local, fd, &getsockname);
+       dns_te_initname(remote, fd, &getpeername);
+}
+
+static struct dns_trace_event *dns_te_init(struct dns_trace_event *te, int type) {
+       /* NB: silence valgrind */
+       memset(te, '\0', offsetof(struct dns_trace_event, data));
+       te->type = type;
+       return te;
+}
+
+int dns_trace_abi(void) {
+       return DNS_TRACE_ABI;
+}
+
+struct dns_trace *dns_trace_open(FILE *fp, dns_error_t *error) {
+       static const struct dns_trace trace_initializer = { .refcount = 1 };
+       struct dns_trace *trace;
+
+       if (!(trace = malloc(sizeof *trace)))
+               goto syerr;
+
+       *trace = trace_initializer;
+
+       if (fp) {
+               trace->fp = fp;
+       } else if (!(fp = tmpfile())) {
+               goto syerr;
+       }
+
+       trace->id = dns_trace_mkid();
+
+       return trace;
+syerr:
+       *error = dns_syerr();
+
+       dns_trace_close(trace);
+
+       return NULL;
+} /* dns_trace_open() */
+
+void dns_trace_close(struct dns_trace *trace) {
+       if (!trace || 1 != dns_trace_release(trace))
+               return;
+
+       if (trace->fp)
+               fclose(trace->fp);
+       free(trace);
+} /* dns_trace_close() */
+
+dns_refcount_t dns_trace_acquire(struct dns_trace *trace) {
+       return dns_atomic_fetch_add(&trace->refcount);
+} /* dns_trace_acquire() */
+
+static struct dns_trace *dns_trace_acquire_p(struct dns_trace *trace) {
+       return (trace)? dns_trace_acquire(trace), trace : NULL;
+} /* dns_trace_acquire_p() */
+
+dns_refcount_t dns_trace_release(struct dns_trace *trace) {
+       return dns_atomic_fetch_sub(&trace->refcount);
+} /* dns_trace_release() */
+
+dns_trace_id_t dns_trace_id(struct dns_trace *trace) {
+       return trace->id;
+} /* dns_trace_id() */
+
+dns_trace_id_t dns_trace_setid(struct dns_trace *trace, dns_trace_id_t id) {
+       trace->id = (id)? id : dns_trace_mkid();
+       return trace->id;
+} /* dns_trace_setid() */
+
+struct dns_trace_event *dns_trace_get(struct dns_trace *trace, struct dns_trace_event **tp, dns_error_t *error) {
+       return dns_trace_fget(tp, trace->fp, error);
+} /* dns_trace_get() */
+
+dns_error_t dns_trace_put(struct dns_trace *trace, const struct dns_trace_event *te, const void *data, size_t datasize) {
+       return dns_trace_fput(te, data, datasize, trace->fp);
+} /* dns_trace_put() */
+
+struct dns_trace_event *dns_trace_tag(struct dns_trace *trace, struct dns_trace_event *te) {
+       struct timeval tv;
+
+       te->id = trace->id;
+       gettimeofday(&tv, NULL);
+       dns_tv2ts(&te->ts, &tv);
+       te->abi = DNS_TRACE_ABI;
+
+       return te;
+} /* dns_trace_tag() */
+
+static dns_error_t dns_trace_tag_and_put(struct dns_trace *trace, struct dns_trace_event *te, const void *data, size_t datasize) {
+       return dns_trace_put(trace, dns_trace_tag(trace, te), data, datasize);
+} /* dns_trace_tag_and_put() */
+
+struct dns_trace_event *dns_trace_fget(struct dns_trace_event **tp, FILE *fp, dns_error_t *error) {
+       const size_t headsize = offsetof(struct dns_trace_event, data);
+       struct dns_trace_event tmp, *te;
+       size_t n;
+
+       errno = 0;
+       if (!(n = fread(&tmp, 1, headsize, fp)))
+               goto none;
+       if (n < offsetof(struct dns_trace_event, data))
+               goto some;
+
+       if (!(te = realloc(*tp, DNS_PP_MAX(headsize, tmp.size)))) {
+               *error = errno;
+               return NULL;
+       }
+
+       *tp = te;
+       memcpy(te, &tmp, offsetof(struct dns_trace_event, data));
+
+       if (dns_te_datasize(te)) {
+               errno = 0;
+               if (!(n = fread(te->data, 1, dns_te_datasize(te), fp)))
+                       goto none;
+               if (n < dns_te_datasize(te))
+                       goto some;
+       }
+
+       return te;
+none:
+       *error = (ferror(fp))? errno : 0;
+       return NULL;
+some:
+       *error = 0;
+       return NULL;
+}
+
+dns_error_t dns_trace_fput(const struct dns_trace_event *te, const void *data, size_t datasize, FILE *fp) {
+       size_t headsize = offsetof(struct dns_trace_event, data);
+       struct dns_trace_event tmp;
+
+       memcpy(&tmp, te, headsize);
+       tmp.size = headsize + datasize;
+
+       /* NB: ignore seek error as fp might not point to a regular file */
+       (void)fseek(fp, 0, SEEK_END);
+
+       if (fwrite(&tmp, 1, headsize, fp) < headsize)
+               return errno;
+       if (fwrite(data, 1, datasize, fp) < datasize)
+               return errno;
+       if (fflush(fp))
+               return errno;
+
+       return 0;
+}
+
+static void dns_trace_setcname(struct dns_trace *trace, const char *host, const struct sockaddr *addr) {
+       if (!trace || !trace->fp)
+               return;
+
+       struct dns_trace_cname *cname = &trace->cnames.base[trace->cnames.p];
+       dns_strlcpy(cname->host, host, sizeof cname->host);
+       memcpy(&cname->addr, addr, DNS_PP_MIN(dns_sa_len(addr), sizeof cname->addr));
+
+       trace->cnames.p = (trace->cnames.p + 1) % lengthof(trace->cnames.base);
+}
+
+static const char *dns_trace_cname(struct dns_trace *trace, const struct sockaddr *addr) {
+       if (!trace || !trace->fp)
+               return NULL;
+
+       /* NB: start search from the write cursor to  */
+       for (const struct dns_trace_cname *cname = trace->cnames.base; cname < endof(trace->cnames.base); cname++) {
+               if (0 == dns_sa_cmp((struct sockaddr *)addr, (struct sockaddr *)&cname->addr))
+                       return cname->host;
+       }
+
+       return NULL;
+}
+
+static void dns_trace_res_submit(struct dns_trace *trace, const char *qname, enum dns_type qtype, enum dns_class qclass, int error) {
+       if (!trace || !trace->fp)
+               return;
+
+       struct dns_trace_event te;
+       dns_te_init(&te, DNS_TE_RES_SUBMIT);
+       dns_strlcpy(te.res_submit.qname, qname, sizeof te.res_submit.qname);
+       te.res_submit.qtype = qtype;
+       te.res_submit.qclass = qclass;
+       te.res_submit.error = error;
+       dns_trace_tag_and_put(trace, &te, NULL, 0);
+}
+
+static void dns_trace_res_fetch(struct dns_trace *trace, const struct dns_packet *packet, int error) {
+       if (!trace || !trace->fp)
+               return;
+
+       struct dns_trace_event te;
+       dns_te_init(&te, DNS_TE_RES_FETCH);
+       const void *data = (packet)? packet->data : NULL;
+       size_t datasize = (packet)? packet->end : 0;
+       te.res_fetch.error = error;
+       dns_trace_tag_and_put(trace, &te, data, datasize);
+}
+
+static void dns_trace_so_submit(struct dns_trace *trace, const struct dns_packet *packet, const struct sockaddr *haddr, int error) {
+       if (!trace || !trace->fp)
+               return;
+
+       struct dns_trace_event te;
+       dns_te_init(&te, DNS_TE_SO_SUBMIT);
+       memcpy(&te.so_submit.haddr, haddr, DNS_PP_MIN(dns_sa_len(haddr), sizeof te.so_submit.haddr));
+       const char *cname;
+       if ((cname = dns_trace_cname(trace, haddr)))
+               dns_strlcpy(te.so_submit.hname, cname, sizeof te.so_submit.hname);
+       te.so_submit.error = error;
+       dns_trace_tag_and_put(trace, &te, packet->data, packet->end);
+}
+
+static void dns_trace_so_verify(struct dns_trace *trace, const struct dns_packet *packet, int error) {
+       if (!trace || !trace->fp)
+               return;
+
+       struct dns_trace_event te;
+       dns_te_init(&te, DNS_TE_SO_VERIFY);
+       te.so_verify.error = error;
+       dns_trace_tag_and_put(trace, &te, packet->data, packet->end);
+}
+
+static void dns_trace_so_fetch(struct dns_trace *trace, const struct dns_packet *packet, int error) {
+       if (!trace || !trace->fp)
+               return;
+
+       struct dns_trace_event te;
+       dns_te_init(&te, DNS_TE_SO_FETCH);
+       const void *data = (packet)? packet->data : NULL;
+       size_t datasize = (packet)? packet->end : 0;
+       te.so_fetch.error = error;
+       dns_trace_tag_and_put(trace, &te, data, datasize);
+}
+
+static void dns_trace_sys_connect(struct dns_trace *trace, int fd, int socktype, const struct sockaddr *dst, int error) {
+       if (!trace || !trace->fp)
+               return;
+
+       struct dns_trace_event te;
+       dns_te_init(&te, DNS_TE_SYS_CONNECT);
+       dns_te_initname(&te.sys_connect.src, fd, &getsockname);
+       memcpy(&te.sys_connect.dst, dst, DNS_PP_MIN(dns_sa_len(dst), sizeof te.sys_connect.dst));
+       te.sys_connect.socktype = socktype;
+       te.sys_connect.error = error;
+       dns_trace_tag_and_put(trace, &te, NULL, 0);
+}
+
+static void dns_trace_sys_send(struct dns_trace *trace, int fd, int socktype, const void *data, size_t datasize, int error) {
+       if (!trace || !trace->fp)
+               return;
+
+       struct dns_trace_event te;
+       dns_te_init(&te, DNS_TE_SYS_SEND);
+       dns_te_initnames(&te.sys_send.src, &te.sys_send.dst, fd);
+       te.sys_send.socktype = socktype;
+       te.sys_send.error = error;
+       dns_trace_tag_and_put(trace, &te, data, datasize);
+}
+
+static void dns_trace_sys_recv(struct dns_trace *trace, int fd, int socktype, const void *data, size_t datasize, int error) {
+       if (!trace || !trace->fp)
+               return;
+
+       struct dns_trace_event te;
+       dns_te_init(&te, DNS_TE_SYS_RECV);
+       dns_te_initnames(&te.sys_recv.dst, &te.sys_recv.src, fd);
+       te.sys_recv.socktype = socktype;
+       te.sys_recv.error = error;
+       dns_trace_tag_and_put(trace, &te, data, datasize);
+}
+
+static dns_error_t dns_trace_dump_packet(struct dns_trace *trace, const char *prefix, const unsigned char *data, size_t datasize, FILE *fp) {
+       struct dns_packet *packet = NULL;
+       char *line = NULL, *p;
+       size_t size = 1, skip = 0;
+       int error;
+
+       if (!(packet = dns_p_make(datasize, &error)))
+               goto error;
+
+       memcpy(packet->data, data, datasize);
+       packet->end = datasize;
+       (void)dns_p_study(packet);
+resize:
+       if (!(p = dns_reallocarray(line, size, 2, &error)))
+               goto error;
+       line = p;
+       size *= 2;
+
+       struct dns_rr_i records = { 0 };
+       struct dns_p_lines_i lines = { 0 };
+       size_t len, count = 0;
+
+       while ((len = dns_p_lines(line, size, &error, packet, &records, &lines))) {
+               if (!(len < size)) {
+                       skip = count;
+                       goto resize;
+               } else if (skip <= count) {
+                       fputs(prefix, fp);
+                       fwrite(line, 1, len, fp);
+               }
+               count++;
+       }
+
+       if (error)
+               goto error;
+
+       error = 0;
+error:
+       free(line);
+       dns_p_free(packet);
+
+       return error;
+}
+
+static dns_error_t dns_trace_dump_data(struct dns_trace *trace, const char *prefix, const unsigned char *data, size_t datasize, FILE *fp) {
+       struct dns_hxd_lines_i lines = { 0 };
+       char line[128];
+       size_t len;
+
+       while ((len = dns_hxd_lines(line, sizeof line, data, datasize, &lines))) {
+               if (len >= sizeof line)
+                       return EOVERFLOW; /* shouldn't be possible */
+               fputs(prefix, fp);
+               fwrite(line, 1, len, fp);
+       }
+
+       return 0;
+}
+
+static dns_error_t dns_trace_dump_addr(struct dns_trace *trace, const char *prefix, const struct sockaddr_storage *ss, FILE *fp) {
+       const void *addr;
+       const char *path;
+       socklen_t len;
+       int error;
+
+       if ((addr = dns_sa_addr(ss->ss_family, (struct sockaddr *)ss, NULL))) {
+               char ip[INET6_ADDRSTRLEN + 1];
+
+               if ((error = dns_ntop(ss->ss_family, addr, ip, sizeof ip)))
+                       return error;
+               fprintf(fp, "%s%s\n", prefix, ip);
+       } else if ((path = dns_sa_path((struct sockaddr *)ss, &len))) {
+               fprintf(fp, "%sunix:%.*s", prefix, (int)len, path);
+       } else {
+               return EINVAL;
+       }
+
+       return 0;
+}
+
+static dns_error_t dns_trace_dump_meta(struct dns_trace *trace, const char *prefix, const struct dns_trace_event *te, dns_microseconds_t elapsed, FILE *fp) {
+       char time_s[48], elapsed_s[48];
+
+       dns_utime_print(time_s, sizeof time_s, dns_ts2us(&te->ts, 0));
+       dns_utime_print(elapsed_s, sizeof elapsed_s, elapsed);
+
+       fprintf(fp, "%sid: %"DNS_TRACE_ID_PRI"\n", prefix, te->id);
+       fprintf(fp, "%sts: %s (%s)\n", prefix, time_s, elapsed_s);
+       fprintf(fp, "%sabi: 0x%x (0x%x)\n", prefix, te->abi, DNS_TRACE_ABI);
+       return 0;
+}
+
+static dns_error_t dns_trace_dump_error(struct dns_trace *trace, const char *prefix, int error, FILE *fp) {
+       fprintf(fp, "%s%d (%s)\n", prefix, error, (error)? dns_strerror(error) : "none");
+       return 0;
+}
+
+dns_error_t dns_trace_dump(struct dns_trace *trace, FILE *fp) {
+       struct dns_trace_event *te = NULL;
+       struct {
+               dns_trace_id_t id;
+               dns_microseconds_t begin, elapsed;
+       } state = { 0 };
+       int error;
+
+       if (!trace || !trace->fp)
+               return EINVAL;
+
+       if (0 != fseek(trace->fp, 0, SEEK_SET))
+               goto syerr;
+
+       while (dns_trace_fget(&te, trace->fp, &error)) {
+               size_t datasize = dns_te_datasize(te);
+               const unsigned char *data = (datasize)? te->data : NULL;
+
+               if (state.id != te->id) {
+                       state.id = te->id;
+                       state.begin = dns_ts2us(&te->ts, 0);
+               }
+               dns_time_diff(&state.elapsed, dns_ts2us(&te->ts, 0), state.begin);
+
+               switch(te->type) {
+               case DNS_TE_RES_SUBMIT:
+                       fprintf(fp, "dns_res_submit:\n");
+                       dns_trace_dump_meta(trace, "  ", te, state.elapsed, fp);
+                       fprintf(fp, "  qname: %s\n", te->res_submit.qname);
+                       fprintf(fp, "  qtype: %s\n", dns_strtype(te->res_submit.qtype));
+                       fprintf(fp, "  qclass: %s\n", dns_strclass(te->res_submit.qclass));
+                       dns_trace_dump_error(trace, "  error: ", te->res_submit.error, fp);
+                       break;
+               case DNS_TE_RES_FETCH:
+                       fprintf(fp, "dns_res_fetch:\n");
+                       dns_trace_dump_meta(trace, "  ", te, state.elapsed, fp);
+                       dns_trace_dump_error(trace, "  error: ", te->res_fetch.error, fp);
+
+                       if (data) {
+                               fprintf(fp, "  packet: |\n");
+                               if ((error = dns_trace_dump_packet(trace, "    ", data, datasize, fp)))
+                                       goto error;
+                               fprintf(fp, "  data: |\n");
+                               if ((error = dns_trace_dump_data(trace, "    ", data, datasize, fp)))
+                                       goto error;
+                       }
+
+                       break;
+               case DNS_TE_SO_SUBMIT:
+                       fprintf(fp, "dns_so_submit:\n");
+                       dns_trace_dump_meta(trace, "  ", te, state.elapsed, fp);
+                       fprintf(fp, "  hname: %s\n", te->so_submit.hname);
+                       dns_trace_dump_addr(trace, "  haddr: ", &te->so_submit.haddr, fp);
+                       dns_trace_dump_error(trace, "  error: ", te->so_submit.error, fp);
+
+                       if (data) {
+                               fprintf(fp, "  packet: |\n");
+                               if ((error = dns_trace_dump_packet(trace, "    ", data, datasize, fp)))
+                                       goto error;
+                               fprintf(fp, "  data: |\n");
+                               if ((error = dns_trace_dump_data(trace, "    ", data, datasize, fp)))
+                                       goto error;
+                       }
+
+                       break;
+               case DNS_TE_SO_VERIFY:
+                       fprintf(fp, "dns_so_verify:\n");
+                       dns_trace_dump_meta(trace, "  ", te, state.elapsed, fp);
+                       dns_trace_dump_error(trace, "  error: ", te->so_verify.error, fp);
+
+                       if (data) {
+                               fprintf(fp, "  packet: |\n");
+                               if ((error = dns_trace_dump_packet(trace, "    ", data, datasize, fp)))
+                                       goto error;
+                               fprintf(fp, "  data: |\n");
+                               if ((error = dns_trace_dump_data(trace, "    ", data, datasize, fp)))
+                                       goto error;
+                       }
+
+                       break;
+               case DNS_TE_SO_FETCH:
+                       fprintf(fp, "dns_so_fetch:\n");
+                       dns_trace_dump_meta(trace, "  ", te, state.elapsed, fp);
+                       dns_trace_dump_error(trace, "  error: ", te->so_fetch.error, fp);
+
+                       if (data) {
+                               fprintf(fp, "  packet: |\n");
+                               if ((error = dns_trace_dump_packet(trace, "    ", data, datasize, fp)))
+                                       goto error;
+                               fprintf(fp, "  data: |\n");
+                               if ((error = dns_trace_dump_data(trace, "    ", data, datasize, fp)))
+                                       goto error;
+                       }
+
+                       break;
+               case DNS_TE_SYS_CONNECT: {
+                       fprintf(fp, "dns_sys_connect:\n");
+                       dns_trace_dump_meta(trace, "  ", te, state.elapsed, fp);
+                       dns_trace_dump_addr(trace, "  src: ", &te->sys_connect.src, fp);
+                       dns_trace_dump_addr(trace, "  dst: ", &te->sys_connect.dst, fp);
+                       int socktype = te->sys_connect.socktype;
+                       fprintf(fp, "  socktype: %d (%s)\n", socktype, ((socktype == SOCK_STREAM)? "SOCK_STREAM" : (socktype == SOCK_DGRAM)? "SOCK_DGRAM" : "?"));
+                       dns_trace_dump_error(trace, "  error: ", te->sys_connect.error, fp);
+
+                       break;
+               }
+               case DNS_TE_SYS_SEND: {
+                       fprintf(fp, "dns_sys_send:\n");
+                       dns_trace_dump_meta(trace, "  ", te, state.elapsed, fp);
+                       dns_trace_dump_addr(trace, "  src: ", &te->sys_send.src, fp);
+                       dns_trace_dump_addr(trace, "  dst: ", &te->sys_send.dst, fp);
+                       int socktype = te->sys_send.socktype;
+                       fprintf(fp, "  socktype: %d (%s)\n", socktype, ((socktype == SOCK_STREAM)? "SOCK_STREAM" : (socktype == SOCK_DGRAM)? "SOCK_DGRAM" : "?"));
+                       dns_trace_dump_error(trace, "  error: ", te->sys_send.error, fp);
+
+                       if (data) {
+                               fprintf(fp, "  data: |\n");
+                               if ((error = dns_trace_dump_data(trace, "    ", data, datasize, fp)))
+                                       goto error;
+                       }
+
+                       break;
+               }
+               case DNS_TE_SYS_RECV: {
+                       fprintf(fp, "dns_sys_recv:\n");
+                       dns_trace_dump_meta(trace, "  ", te, state.elapsed, fp);
+                       dns_trace_dump_addr(trace, "  src: ", &te->sys_recv.src, fp);
+                       dns_trace_dump_addr(trace, "  dst: ", &te->sys_recv.dst, fp);
+                       int socktype = te->sys_recv.socktype;
+                       fprintf(fp, "  socktype: %d (%s)\n", socktype, ((socktype == SOCK_STREAM)? "SOCK_STREAM" : (socktype == SOCK_DGRAM)? "SOCK_DGRAM" : "?"));
+                       dns_trace_dump_error(trace, "  error: ", te->sys_recv.error, fp);
+
+                       if (data) {
+                               fprintf(fp, "  data: |\n");
+                               if ((error = dns_trace_dump_data(trace, "    ", data, datasize, fp)))
+                                       goto error;
+                       }
+
+                       break;
+               }
+               default:
+                       fprintf(fp, "unknown(0x%.2x):\n", te->type);
+                       dns_trace_dump_meta(trace, "  ", te, state.elapsed, fp);
+
+                       if (data) {
+                               fprintf(fp, "  data: |\n");
+                               if ((error = dns_trace_dump_data(trace, "    ", data, datasize, fp)))
+                                       goto error;
+                       }
+
+                       break;
+               }
+       }
+
+       goto epilog;
+syerr:
+       error = errno;
+error:
+       (void)0;
+epilog:
+       free(te);
+
+       return error;
+}
+
+/*
+ * H O S T S  R O U T I N E S
+ *
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+struct dns_hosts {
+       struct dns_hosts_entry {
+               char host[DNS_D_MAXNAME + 1];
+               char arpa[73 + 1];
+
+               int af;
+
+               union {
+                       struct in_addr a4;
+                       struct in6_addr a6;
+               } addr;
+
+               _Bool alias;
+
+               struct dns_hosts_entry *next;
+       } *head, **tail;
+
+       dns_atomic_t refcount;
+}; /* struct dns_hosts */
+
+
+struct dns_hosts *dns_hosts_open(int *error) {
+       static const struct dns_hosts hosts_initializer = { .refcount = 1 };
+       struct dns_hosts *hosts;
+
+       if (!(hosts = malloc(sizeof *hosts)))
+               goto syerr;
+
+       *hosts  = hosts_initializer;
+
+       hosts->tail     = &hosts->head;
+
+       return hosts;
+syerr:
+       *error  = dns_syerr();
+
+       free(hosts);
+
+       return 0;
+} /* dns_hosts_open() */
+
+
+void dns_hosts_close(struct dns_hosts *hosts) {
+       struct dns_hosts_entry *ent, *xnt;
+
+       if (!hosts || 1 != dns_hosts_release(hosts))
+               return;
+
+       for (ent = hosts->head; ent; ent = xnt) {
+               xnt     = ent->next;
+
+               free(ent);
+       }
+
+       free(hosts);
+
+       return;
+} /* dns_hosts_close() */
+
+
+dns_refcount_t dns_hosts_acquire(struct dns_hosts *hosts) {
+       return dns_atomic_fetch_add(&hosts->refcount);
+} /* dns_hosts_acquire() */
+
+
+dns_refcount_t dns_hosts_release(struct dns_hosts *hosts) {
+       return dns_atomic_fetch_sub(&hosts->refcount);
+} /* dns_hosts_release() */
+
+
+struct dns_hosts *dns_hosts_mortal(struct dns_hosts *hosts) {
+       if (hosts)
+               dns_hosts_release(hosts);
+
+       return hosts;
+} /* dns_hosts_mortal() */
+
+
+struct dns_hosts *dns_hosts_local(int *error_) {
+       struct dns_hosts *hosts;
+       int error;
+
+       if (!(hosts = dns_hosts_open(&error)))
+               goto error;
+
+       if ((error = dns_hosts_loadpath(hosts, "/etc/hosts")))
+               goto error;
+
+       return hosts;
+error:
+       *error_ = error;
+
+       dns_hosts_close(hosts);
+
+       return 0;
+} /* dns_hosts_local() */
+
+
+#define dns_hosts_issep(ch)    (dns_isspace(ch))
+#define dns_hosts_iscom(ch)    ((ch) == '#' || (ch) == ';')
+
+int dns_hosts_loadfile(struct dns_hosts *hosts, FILE *fp) {
+       struct dns_hosts_entry ent;
+       char word[DNS_PP_MAX(INET6_ADDRSTRLEN, DNS_D_MAXNAME) + 1];
+       unsigned wp, wc, skip;
+       int ch, error;
+
+       rewind(fp);
+
+       do {
+               memset(&ent, '\0', sizeof ent);
+               wc      = 0;
+               skip    = 0;
+
+               do {
+                       memset(word, '\0', sizeof word);
+                       wp      = 0;
+
+                       while (EOF != (ch = fgetc(fp)) && ch != '\n') {
+                               skip    |= !!dns_hosts_iscom(ch);
+
+                               if (skip)
+                                       continue;
+
+                               if (dns_hosts_issep(ch))
+                                       break;
+
+                               if (wp < sizeof word - 1)
+                                       word[wp]        = ch;
+                               wp++;
+                       }
+
+                       if (!wp)
+                               continue;
+
+                       wc++;
+
+                       switch (wc) {
+                       case 0:
+                               break;
+                       case 1:
+                               ent.af  = (strchr(word, ':'))? AF_INET6 : AF_INET;
+                               skip    = (1 != dns_inet_pton(ent.af, word, &ent.addr));
+
+                               break;
+                       default:
+                               if (!wp)
+                                       break;
+
+                               dns_d_anchor(ent.host, sizeof ent.host, word, wp);
+
+                               if ((error = dns_hosts_insert(hosts, ent.af, &ent.addr, ent.host, (wc > 2))))
+                                       return error;
+
+                               break;
+                       } /* switch() */
+               } while (ch != EOF && ch != '\n');
+       } while (ch != EOF);
+
+       return 0;
+} /* dns_hosts_loadfile() */
+
+
+int dns_hosts_loadpath(struct dns_hosts *hosts, const char *path) {
+       FILE *fp;
+       int error;
+
+       if (!(fp = dns_fopen(path, "rt", &error)))
+               return error;
+
+       error = dns_hosts_loadfile(hosts, fp);
+
+       fclose(fp);
+
+       return error;
+} /* dns_hosts_loadpath() */
+
+
+int dns_hosts_dump(struct dns_hosts *hosts, FILE *fp) {
+       struct dns_hosts_entry *ent, *xnt;
+       char addr[INET6_ADDRSTRLEN + 1];
+       unsigned i;
+
+       for (ent = hosts->head; ent; ent = xnt) {
+               xnt     = ent->next;
+
+               dns_inet_ntop(ent->af, &ent->addr, addr, sizeof addr);
+
+               fputs(addr, fp);
+
+               for (i = strlen(addr); i < INET_ADDRSTRLEN; i++)
+                       fputc(' ', fp);
+
+               fputc(' ', fp);
+
+               fputs(ent->host, fp);
+               fputc('\n', fp);
+       }
+
+       return 0;
+} /* dns_hosts_dump() */
+
+
+int dns_hosts_insert(struct dns_hosts *hosts, int af, const void *addr, const void *host, _Bool alias) {
+       struct dns_hosts_entry *ent;
+       int error;
+
+       if (!(ent = malloc(sizeof *ent)))
+               goto syerr;
+
+       dns_d_anchor(ent->host, sizeof ent->host, host, strlen(host));
+
+       switch ((ent->af = af)) {
+       case AF_INET6:
+               memcpy(&ent->addr.a6, addr, sizeof ent->addr.a6);
+
+               dns_aaaa_arpa(ent->arpa, sizeof ent->arpa, addr);
+
+               break;
+       case AF_INET:
+               memcpy(&ent->addr.a4, addr, sizeof ent->addr.a4);
+
+               dns_a_arpa(ent->arpa, sizeof ent->arpa, addr);
+
+               break;
+       default:
+               error   = EINVAL;
+
+               goto error;
+       } /* switch() */
+
+       ent->alias      = alias;
+
+       ent->next       = 0;
+       *hosts->tail    = ent;
+       hosts->tail     = &ent->next;
+
+       return 0;
+syerr:
+       error   = dns_syerr();
+error:
+       free(ent);
+
+       return error;
+} /* dns_hosts_insert() */
+
+
+struct dns_packet *dns_hosts_query(struct dns_hosts *hosts, struct dns_packet *Q, int *error_) {
+       struct dns_packet *P    = dns_p_new(512);
+       struct dns_packet *A    = 0;
+       struct dns_rr rr;
+       struct dns_hosts_entry *ent;
+       int error, af;
+       char qname[DNS_D_MAXNAME + 1];
+       size_t qlen;
+
+       if ((error = dns_rr_parse(&rr, 12, Q)))
+               goto error;
+
+       if (!(qlen = dns_d_expand(qname, sizeof qname, rr.dn.p, Q, &error)))
+               goto error;
+       else if (qlen >= sizeof qname)
+               goto toolong;
+
+       if ((error = dns_p_push(P, DNS_S_QD, qname, qlen, rr.type, rr.class, 0, 0)))
+               goto error;
+
+       switch (rr.type) {
+       case DNS_T_PTR:
+               for (ent = hosts->head; ent; ent = ent->next) {
+                       if (ent->alias || 0 != strcasecmp(qname, ent->arpa))
+                               continue;
+
+                       if ((error = dns_p_push(P, DNS_S_AN, qname, qlen, rr.type, rr.class, 0, ent->host)))
+                               goto error;
+               }
+
+               break;
+       case DNS_T_AAAA:
+               af      = AF_INET6;
+
+               goto loop;
+       case DNS_T_A:
+               af      = AF_INET;
+
+loop:          for (ent = hosts->head; ent; ent = ent->next) {
+                       if (ent->af != af || 0 != strcasecmp(qname, ent->host))
+                               continue;
+
+                       if ((error = dns_p_push(P, DNS_S_AN, qname, qlen, rr.type, rr.class, 0, &ent->addr)))
+                               goto error;
+               }
+
+               break;
+       default:
+               break;
+       } /* switch() */
+
+
+       if (!(A = dns_p_copy(dns_p_make(P->end, &error), P)))
+               goto error;
+
+       return A;
+toolong:
+       error = DNS_EILLEGAL;
+error:
+       *error_ = error;
+
+       dns_p_free(A);
+
+       return 0;
+} /* dns_hosts_query() */
+
+
+/*
+ * R E S O L V . C O N F  R O U T I N E S
+ *
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+struct dns_resolv_conf *dns_resconf_open(int *error) {
+       static const struct dns_resolv_conf resconf_initializer = {
+               .lookup = "bf",
+               .family = { AF_INET, AF_INET6 },
+               .options = { .ndots = 1, .timeout = 5, .attempts = 2, .tcp = DNS_RESCONF_TCP_ENABLE, },
+               .iface = { .ss_family = AF_INET },
+       };
+       struct dns_resolv_conf *resconf;
+       struct sockaddr_in *sin;
+
+       if (!(resconf = malloc(sizeof *resconf)))
+               goto syerr;
+
+       *resconf = resconf_initializer;
+
+       sin = (struct sockaddr_in *)&resconf->nameserver[0];
+       sin->sin_family      = AF_INET;
+       sin->sin_addr.s_addr = INADDR_ANY;
+       sin->sin_port        = htons(53);
+#if defined(SA_LEN)
+       sin->sin_len         = sizeof *sin;
+#endif
+
+       if (0 != gethostname(resconf->search[0], sizeof resconf->search[0]))
+               goto syerr;
+
+       dns_d_anchor(resconf->search[0], sizeof resconf->search[0], resconf->search[0], strlen(resconf->search[0]));
+       dns_d_cleave(resconf->search[0], sizeof resconf->search[0], resconf->search[0], strlen(resconf->search[0]));
+
+       /*
+        * XXX: If gethostname() returned a string without any label
+        *      separator, then search[0][0] should be NUL.
+        */
+
+       dns_resconf_acquire(resconf);
+
+       return resconf;
+syerr:
+       *error  = dns_syerr();
+
+       free(resconf);
+
+       return 0;
+} /* dns_resconf_open() */
+
+
+void dns_resconf_close(struct dns_resolv_conf *resconf) {
+       if (!resconf || 1 != dns_resconf_release(resconf))
+               return /* void */;
+
+       free(resconf);
+} /* dns_resconf_close() */
+
+
+dns_refcount_t dns_resconf_acquire(struct dns_resolv_conf *resconf) {
+       return dns_atomic_fetch_add(&resconf->_.refcount);
+} /* dns_resconf_acquire() */
+
+
+dns_refcount_t dns_resconf_release(struct dns_resolv_conf *resconf) {
+       return dns_atomic_fetch_sub(&resconf->_.refcount);
+} /* dns_resconf_release() */
+
+
+struct dns_resolv_conf *dns_resconf_mortal(struct dns_resolv_conf *resconf) {
+       if (resconf)
+               dns_resconf_release(resconf);
+
+       return resconf;
+} /* dns_resconf_mortal() */
+
+
+struct dns_resolv_conf *dns_resconf_local(int *error_) {
+       struct dns_resolv_conf *resconf;
+       int error;
+
+       if (!(resconf = dns_resconf_open(&error)))
+               goto error;
+
+       if ((error = dns_resconf_loadpath(resconf, "/etc/resolv.conf"))) {
+               /*
+                * NOTE: Both the glibc and BIND9 resolvers ignore a missing
+                * /etc/resolv.conf, defaulting to a nameserver of
+                * 127.0.0.1. See also dns_hints_insert_resconf, and the
+                * default initialization of nameserver[0] in
+                * dns_resconf_open.
+                */
+               if (error != ENOENT)
+                       goto error;
+       }
+
+       if ((error = dns_nssconf_loadpath(resconf, "/etc/nsswitch.conf"))) {
+               if (error != ENOENT)
+                       goto error;
+       }
+
+       return resconf;
+error:
+       *error_ = error;
+
+       dns_resconf_close(resconf);
+
+       return 0;
+} /* dns_resconf_local() */
+
+
+struct dns_resolv_conf *dns_resconf_root(int *error) {
+       struct dns_resolv_conf *resconf;
+
+       if ((resconf = dns_resconf_local(error)))
+               resconf->options.recurse = 1;
+
+       return resconf;
+} /* dns_resconf_root() */
+
+
+static time_t dns_resconf_timeout(const struct dns_resolv_conf *resconf) {
+       return (time_t)DNS_PP_MIN(INT_MAX, resconf->options.timeout);
+} /* dns_resconf_timeout() */
+
+
+enum dns_resconf_keyword {
+       DNS_RESCONF_NAMESERVER,
+       DNS_RESCONF_DOMAIN,
+       DNS_RESCONF_SEARCH,
+       DNS_RESCONF_LOOKUP,
+       DNS_RESCONF_FILE,
+       DNS_RESCONF_BIND,
+       DNS_RESCONF_CACHE,
+       DNS_RESCONF_FAMILY,
+       DNS_RESCONF_INET4,
+       DNS_RESCONF_INET6,
+       DNS_RESCONF_OPTIONS,
+       DNS_RESCONF_EDNS0,
+       DNS_RESCONF_NDOTS,
+       DNS_RESCONF_TIMEOUT,
+       DNS_RESCONF_ATTEMPTS,
+       DNS_RESCONF_ROTATE,
+       DNS_RESCONF_RECURSE,
+       DNS_RESCONF_SMART,
+       DNS_RESCONF_TCP,
+       DNS_RESCONF_TCPx,
+       DNS_RESCONF_INTERFACE,
+       DNS_RESCONF_ZERO,
+       DNS_RESCONF_ONE,
+       DNS_RESCONF_ENABLE,
+       DNS_RESCONF_ONLY,
+       DNS_RESCONF_DISABLE,
+}; /* enum dns_resconf_keyword */
+
+static enum dns_resconf_keyword dns_resconf_keyword(const char *word) {
+       static const char *words[]      = {
+               [DNS_RESCONF_NAMESERVER]        = "nameserver",
+               [DNS_RESCONF_DOMAIN]            = "domain",
+               [DNS_RESCONF_SEARCH]            = "search",
+               [DNS_RESCONF_LOOKUP]            = "lookup",
+               [DNS_RESCONF_FILE]              = "file",
+               [DNS_RESCONF_BIND]              = "bind",
+               [DNS_RESCONF_CACHE]             = "cache",
+               [DNS_RESCONF_FAMILY]            = "family",
+               [DNS_RESCONF_INET4]             = "inet4",
+               [DNS_RESCONF_INET6]             = "inet6",
+               [DNS_RESCONF_OPTIONS]           = "options",
+               [DNS_RESCONF_EDNS0]             = "edns0",
+               [DNS_RESCONF_ROTATE]            = "rotate",
+               [DNS_RESCONF_RECURSE]           = "recurse",
+               [DNS_RESCONF_SMART]             = "smart",
+               [DNS_RESCONF_TCP]               = "tcp",
+               [DNS_RESCONF_INTERFACE]         = "interface",
+               [DNS_RESCONF_ZERO]              = "0",
+               [DNS_RESCONF_ONE]               = "1",
+               [DNS_RESCONF_ENABLE]            = "enable",
+               [DNS_RESCONF_ONLY]              = "only",
+               [DNS_RESCONF_DISABLE]           = "disable",
+       };
+       unsigned i;
+
+       for (i = 0; i < lengthof(words); i++) {
+               if (words[i] && 0 == strcasecmp(words[i], word))
+                       return i;
+       }
+
+       if (0 == strncasecmp(word, "ndots:", sizeof "ndots:" - 1))
+               return DNS_RESCONF_NDOTS;
+
+       if (0 == strncasecmp(word, "timeout:", sizeof "timeout:" - 1))
+               return DNS_RESCONF_TIMEOUT;
+
+       if (0 == strncasecmp(word, "attempts:", sizeof "attempts:" - 1))
+               return DNS_RESCONF_ATTEMPTS;
+
+       if (0 == strncasecmp(word, "tcp:", sizeof "tcp:" - 1))
+               return DNS_RESCONF_TCPx;
+
+       return -1;
+} /* dns_resconf_keyword() */
+
+
+/** OpenBSD-style "[1.2.3.4]:53" nameserver syntax */
+int dns_resconf_pton(struct sockaddr_storage *ss, const char *src) {
+       struct { char buf[128], *p; } addr = { "", addr.buf };
+       unsigned short port = 0;
+       int ch, af = AF_INET, error;
+
+       while ((ch = *src++)) {
+               switch (ch) {
+               case ' ':
+                       /* FALL THROUGH */
+               case '\t':
+                       break;
+               case '[':
+                       break;
+               case ']':
+                       while ((ch = *src++)) {
+                               if (dns_isdigit(ch)) {
+                                       port *= 10;
+                                       port += ch - '0';
+                               }
+                       }
+
+                       goto inet;
+               case ':':
+                       af = AF_INET6;
+
+                       /* FALL THROUGH */
+               default:
+                       if (addr.p < endof(addr.buf) - 1)
+                               *addr.p++ = ch;
+
+                       break;
+               } /* switch() */
+       } /* while() */
+inet:
+
+       if ((error = dns_pton(af, addr.buf, dns_sa_addr(af, ss, NULL))))
+               return error;
+
+       port = (!port)? 53 : port;
+       *dns_sa_port(af, ss) = htons(port);
+       dns_sa_family(ss) = af;
+
+       return 0;
+} /* dns_resconf_pton() */
+
+#define dns_resconf_issep(ch)  (dns_isspace(ch) || (ch) == ',')
+#define dns_resconf_iscom(ch)  ((ch) == '#' || (ch) == ';')
+
+int dns_resconf_loadfile(struct dns_resolv_conf *resconf, FILE *fp) {
+       unsigned sa_count       = 0;
+       char words[6][DNS_D_MAXNAME + 1];
+       unsigned wp, wc, i, j, n;
+       int ch, error;
+
+       rewind(fp);
+
+       do {
+               memset(words, '\0', sizeof words);
+               wp      = 0;
+               wc      = 0;
+
+               while (EOF != (ch = getc(fp)) && ch != '\n') {
+                       if (dns_resconf_issep(ch)) {
+                               if (wp > 0) {
+                                       wp      = 0;
+
+                                       if (++wc >= lengthof(words))
+                                               goto skip;
+                               }
+                       } else if (dns_resconf_iscom(ch)) {
+skip:
+                               do {
+                                       ch      = getc(fp);
+                               } while (ch != EOF && ch != '\n');
+
+                               break;
+                       } else if (wp < sizeof words[wc] - 1) {
+                               words[wc][wp++] = ch;
+                       } else {
+                               wp = 0; /* drop word */
+                               goto skip;
+                       }
+               }
+
+               if (wp > 0)
+                       wc++;
+
+               if (wc < 2)
+                       continue;
+
+               switch (dns_resconf_keyword(words[0])) {
+               case DNS_RESCONF_NAMESERVER:
+                       if (sa_count >= lengthof(resconf->nameserver))
+                               continue;
+
+                       if ((error = dns_resconf_pton(&resconf->nameserver[sa_count], words[1])))
+                               continue;
+
+                       sa_count++;
+
+                       break;
+               case DNS_RESCONF_DOMAIN:
+               case DNS_RESCONF_SEARCH:
+                       memset(resconf->search, '\0', sizeof resconf->search);
+
+                       for (i = 1, j = 0; i < wc && j < lengthof(resconf->search); i++, j++)
+                               dns_d_anchor(resconf->search[j], sizeof resconf->search[j], words[i], strlen(words[i]));
+
+                       break;
+               case DNS_RESCONF_LOOKUP:
+                       for (i = 1, j = 0; i < wc && j < lengthof(resconf->lookup); i++) {
+                               switch (dns_resconf_keyword(words[i])) {
+                               case DNS_RESCONF_FILE:
+                                       resconf->lookup[j++]    = 'f';
+
+                                       break;
+                               case DNS_RESCONF_BIND:
+                                       resconf->lookup[j++]    = 'b';
+
+                                       break;
+                               case DNS_RESCONF_CACHE:
+                                       resconf->lookup[j++]    = 'c';
+
+                                       break;
+                               default:
+                                       break;
+                               } /* switch() */
+                       } /* for() */
+
+                       break;
+               case DNS_RESCONF_FAMILY:
+                       for (i = 1, j = 0; i < wc && j < lengthof(resconf->family); i++) {
+                               switch (dns_resconf_keyword(words[i])) {
+                               case DNS_RESCONF_INET4:
+                                       resconf->family[j++]    = AF_INET;
+
+                                       break;
+                               case DNS_RESCONF_INET6:
+                                       resconf->family[j++]    = AF_INET6;
+
+                                       break;
+                               default:
+                                       break;
+                               }
+                       }
+
+                       break;
+               case DNS_RESCONF_OPTIONS:
+                       for (i = 1; i < wc; i++) {
+                               switch (dns_resconf_keyword(words[i])) {
+                               case DNS_RESCONF_EDNS0:
+                                       resconf->options.edns0  = 1;
+
+                                       break;
+                               case DNS_RESCONF_NDOTS:
+                                       for (j = sizeof "ndots:" - 1, n = 0; dns_isdigit(words[i][j]); j++) {
+                                               n       *= 10;
+                                               n       += words[i][j] - '0';
+                                       } /* for() */
+
+                                       resconf->options.ndots  = n;
+
+                                       break;
+                               case DNS_RESCONF_TIMEOUT:
+                                       for (j = sizeof "timeout:" - 1, n = 0; dns_isdigit(words[i][j]); j++) {
+                                               n       *= 10;
+                                               n       += words[i][j] - '0';
+                                       } /* for() */
+
+                                       resconf->options.timeout        = n;
+
+                                       break;
+                               case DNS_RESCONF_ATTEMPTS:
+                                       for (j = sizeof "attempts:" - 1, n = 0; dns_isdigit(words[i][j]); j++) {
+                                               n       *= 10;
+                                               n       += words[i][j] - '0';
+                                       } /* for() */
+
+                                       resconf->options.attempts       = n;
+
+                                       break;
+                               case DNS_RESCONF_ROTATE:
+                                       resconf->options.rotate         = 1;
+
+                                       break;
+                               case DNS_RESCONF_RECURSE:
+                                       resconf->options.recurse        = 1;
+
+                                       break;
+                               case DNS_RESCONF_SMART:
+                                       resconf->options.smart          = 1;
+
+                                       break;
+                               case DNS_RESCONF_TCP:
+                                       resconf->options.tcp            = DNS_RESCONF_TCP_ONLY;
+
+                                       break;
+                               case DNS_RESCONF_TCPx:
+                                       switch (dns_resconf_keyword(&words[i][sizeof "tcp:" - 1])) {
+                                       case DNS_RESCONF_ENABLE:
+                                               resconf->options.tcp    = DNS_RESCONF_TCP_ENABLE;
+
+                                               break;
+                                       case DNS_RESCONF_ONE:
+                                       case DNS_RESCONF_ONLY:
+                                               resconf->options.tcp    = DNS_RESCONF_TCP_ONLY;
+
+                                               break;
+                                       case DNS_RESCONF_ZERO:
+                                       case DNS_RESCONF_DISABLE:
+                                               resconf->options.tcp    = DNS_RESCONF_TCP_DISABLE;
+
+                                               break;
+                                       default:
+                                               break;
+                                       } /* switch() */
+
+                                       break;
+                               default:
+                                       break;
+                               } /* switch() */
+                       } /* for() */
+
+                       break;
+               case DNS_RESCONF_INTERFACE:
+                       for (i = 0, n = 0; dns_isdigit(words[2][i]); i++) {
+                               n       *= 10;
+                               n       += words[2][i] - '0';
+                       }
+
+                       dns_resconf_setiface(resconf, words[1], n);
+
+                       break;
+               default:
+                       break;
+               } /* switch() */
+       } while (ch != EOF);
+
+       return 0;
+} /* dns_resconf_loadfile() */
+
+
+int dns_resconf_loadpath(struct dns_resolv_conf *resconf, const char *path) {
+       FILE *fp;
+       int error;
+
+       if (!(fp = dns_fopen(path, "rt", &error)))
+               return error;
+
+       error = dns_resconf_loadfile(resconf, fp);
+
+       fclose(fp);
+
+       return error;
+} /* dns_resconf_loadpath() */
+
+
+struct dns_anyconf {
+       char *token[16];
+       unsigned count;
+       char buffer[1024], *tp, *cp;
+}; /* struct dns_anyconf */
+
+
+static void dns_anyconf_reset(struct dns_anyconf *cf) {
+       cf->count = 0;
+       cf->tp = cf->cp = cf->buffer;
+} /* dns_anyconf_reset() */
+
+
+static int dns_anyconf_push(struct dns_anyconf *cf) {
+       if (!(cf->cp < endof(cf->buffer) && cf->count < lengthof(cf->token)))
+               return ENOMEM;
+
+       *cf->cp++ = '\0';
+       cf->token[cf->count++] = cf->tp;
+       cf->tp = cf->cp;
+
+       return 0;
+} /* dns_anyconf_push() */
+
+
+static void dns_anyconf_pop(struct dns_anyconf *cf) {
+       if (cf->count > 0) {
+               --cf->count;
+               cf->tp = cf->cp = cf->token[cf->count];
+               cf->token[cf->count] = 0;
+       }
+} /* dns_anyconf_pop() */
+
+
+static int dns_anyconf_addc(struct dns_anyconf *cf, int ch) {
+       if (!(cf->cp < endof(cf->buffer)))
+               return ENOMEM;
+
+       *cf->cp++ = ch;
+
+       return 0;
+} /* dns_anyconf_addc() */
+
+
+static _Bool dns_anyconf_match(const char *pat, int mc) {
+       _Bool match;
+       int pc;
+
+       if (*pat == '^') {
+               match = 0;
+               ++pat;
+       } else {
+               match = 1;
+       }
+
+       while ((pc = *(const unsigned char *)pat++)) {
+               switch (pc) {
+               case '%':
+                       if (!(pc = *(const unsigned char *)pat++))
+                               return !match;
+
+                       switch (pc) {
+                       case 'a':
+                               if (dns_isalpha(mc))
+                                       return match;
+                               break;
+                       case 'd':
+                               if (dns_isdigit(mc))
+                                       return match;
+                               break;
+                       case 'w':
+                               if (dns_isalnum(mc))
+                                       return match;
+                               break;
+                       case 's':
+                               if (dns_isspace(mc))
+                                       return match;
+                               break;
+                       default:
+                               if (mc == pc)
+                                       return match;
+                               break;
+                       } /* switch() */
+
+                       break;
+               default:
+                       if (mc == pc)
+                               return match;
+                       break;
+               } /* switch() */
+       } /* while() */
+
+       return !match;
+} /* dns_anyconf_match() */
+
+
+static int dns_anyconf_peek(FILE *fp) {
+       int ch;
+       ch = getc(fp);
+       ungetc(ch, fp);
+       return ch;
+} /* dns_anyconf_peek() */
+
+
+static size_t dns_anyconf_skip(const char *pat, FILE *fp) {
+       size_t count = 0;
+       int ch;
+
+       while (EOF != (ch = getc(fp))) {
+               if (dns_anyconf_match(pat, ch)) {
+                       count++;
+                       continue;
+               }
+
+               ungetc(ch, fp);
+
+               break;
+       }
+
+       return count;
+} /* dns_anyconf_skip() */
+
+
+static size_t dns_anyconf_scan(struct dns_anyconf *cf, const char *pat, FILE *fp, int *error) {
+       size_t len;
+       int ch;
+
+       while (EOF != (ch = getc(fp))) {
+               if (dns_anyconf_match(pat, ch)) {
+                       if ((*error = dns_anyconf_addc(cf, ch)))
+                               return 0;
+
+                       continue;
+               } else {
+                       ungetc(ch, fp);
+
+                       break;
+               }
+       }
+
+       if ((len = cf->cp - cf->tp)) {
+               if ((*error = dns_anyconf_push(cf)))
+                       return 0;
+
+               return len;
+       } else {
+               *error = 0;
+
+               return 0;
+       }
+} /* dns_anyconf_scan() */
+
+
+DNS_NOTUSED static void dns_anyconf_dump(struct dns_anyconf *cf, FILE *fp) {
+       unsigned i;
+
+       fprintf(fp, "tokens:");
+
+       for (i = 0; i < cf->count; i++) {
+               fprintf(fp, " %s", cf->token[i]);
+       }
+
+       fputc('\n', fp);
+} /* dns_anyconf_dump() */
+
+
+enum dns_nssconf_keyword {
+       DNS_NSSCONF_INVALID = 0,
+       DNS_NSSCONF_HOSTS   = 1,
+       DNS_NSSCONF_SUCCESS,
+       DNS_NSSCONF_NOTFOUND,
+       DNS_NSSCONF_UNAVAIL,
+       DNS_NSSCONF_TRYAGAIN,
+       DNS_NSSCONF_CONTINUE,
+       DNS_NSSCONF_RETURN,
+       DNS_NSSCONF_FILES,
+       DNS_NSSCONF_DNS,
+       DNS_NSSCONF_MDNS,
+
+       DNS_NSSCONF_LAST,
+}; /* enum dns_nssconf_keyword */
+
+static enum dns_nssconf_keyword dns_nssconf_keyword(const char *word) {
+       static const char *list[] = {
+               [DNS_NSSCONF_HOSTS]    = "hosts",
+               [DNS_NSSCONF_SUCCESS]  = "success",
+               [DNS_NSSCONF_NOTFOUND] = "notfound",
+               [DNS_NSSCONF_UNAVAIL]  = "unavail",
+               [DNS_NSSCONF_TRYAGAIN] = "tryagain",
+               [DNS_NSSCONF_CONTINUE] = "continue",
+               [DNS_NSSCONF_RETURN]   = "return",
+               [DNS_NSSCONF_FILES]    = "files",
+               [DNS_NSSCONF_DNS]      = "dns",
+               [DNS_NSSCONF_MDNS]     = "mdns",
+       };
+       unsigned i;
+
+       for (i = 1; i < lengthof(list); i++) {
+               if (list[i] && 0 == strcasecmp(list[i], word))
+                       return i;
+       }
+
+       return DNS_NSSCONF_INVALID;
+} /* dns_nssconf_keyword() */
+
+
+static enum dns_nssconf_keyword dns_nssconf_c2k(int ch) {
+       static const char map[] = {
+               ['S'] = DNS_NSSCONF_SUCCESS,
+               ['N'] = DNS_NSSCONF_NOTFOUND,
+               ['U'] = DNS_NSSCONF_UNAVAIL,
+               ['T'] = DNS_NSSCONF_TRYAGAIN,
+               ['C'] = DNS_NSSCONF_CONTINUE,
+               ['R'] = DNS_NSSCONF_RETURN,
+               ['f'] = DNS_NSSCONF_FILES,
+               ['F'] = DNS_NSSCONF_FILES,
+               ['d'] = DNS_NSSCONF_DNS,
+               ['D'] = DNS_NSSCONF_DNS,
+               ['b'] = DNS_NSSCONF_DNS,
+               ['B'] = DNS_NSSCONF_DNS,
+               ['m'] = DNS_NSSCONF_MDNS,
+               ['M'] = DNS_NSSCONF_MDNS,
+       };
+
+       return (ch >= 0 && ch < (int)lengthof(map))? map[ch] : DNS_NSSCONF_INVALID;
+} /* dns_nssconf_c2k() */
+
+
+DNS_PRAGMA_PUSH
+DNS_PRAGMA_QUIET
+
+static int dns_nssconf_k2c(int k) {
+       static const char map[DNS_NSSCONF_LAST] = {
+               [DNS_NSSCONF_SUCCESS]  = 'S',
+               [DNS_NSSCONF_NOTFOUND] = 'N',
+               [DNS_NSSCONF_UNAVAIL]  = 'U',
+               [DNS_NSSCONF_TRYAGAIN] = 'T',
+               [DNS_NSSCONF_CONTINUE] = 'C',
+               [DNS_NSSCONF_RETURN]   = 'R',
+               [DNS_NSSCONF_FILES]    = 'f',
+               [DNS_NSSCONF_DNS]      = 'b',
+               [DNS_NSSCONF_MDNS]     = 'm',
+       };
+
+       return (k >= 0 && k < (int)lengthof(map))? (map[k]? map[k] : '?') : '?';
+} /* dns_nssconf_k2c() */
+
+static const char *dns_nssconf_k2s(int k) {
+       static const char *const map[DNS_NSSCONF_LAST] = {
+               [DNS_NSSCONF_SUCCESS]  = "SUCCESS",
+               [DNS_NSSCONF_NOTFOUND] = "NOTFOUND",
+               [DNS_NSSCONF_UNAVAIL]  = "UNAVAIL",
+               [DNS_NSSCONF_TRYAGAIN] = "TRYAGAIN",
+               [DNS_NSSCONF_CONTINUE] = "continue",
+               [DNS_NSSCONF_RETURN]   = "return",
+               [DNS_NSSCONF_FILES]    = "files",
+               [DNS_NSSCONF_DNS]      = "dns",
+               [DNS_NSSCONF_MDNS]     = "mdns",
+       };
+
+       return (k >= 0 && k < (int)lengthof(map))? (map[k]? map[k] : "") : "";
+} /* dns_nssconf_k2s() */
+
+DNS_PRAGMA_POP
+
+
+int dns_nssconf_loadfile(struct dns_resolv_conf *resconf, FILE *fp) {
+       enum dns_nssconf_keyword source, status, action;
+       char lookup[sizeof resconf->lookup] = "", *lp;
+       struct dns_anyconf cf;
+       size_t i;
+       int error;
+
+       while (!feof(fp) && !ferror(fp)) {
+               dns_anyconf_reset(&cf);
+
+               dns_anyconf_skip("%s", fp);
+
+               if (!dns_anyconf_scan(&cf, "%w_", fp, &error))
+                       goto nextent;
+
+               if (DNS_NSSCONF_HOSTS != dns_nssconf_keyword(cf.token[0]))
+                       goto nextent;
+
+               dns_anyconf_pop(&cf);
+
+               if (!dns_anyconf_skip(": \t", fp))
+                       goto nextent;
+
+               *(lp = lookup) = '\0';
+
+               while (dns_anyconf_scan(&cf, "%w_", fp, &error)) {
+                       dns_anyconf_skip(" \t", fp);
+
+                       if ('[' == dns_anyconf_peek(fp)) {
+                               dns_anyconf_skip("[ \t", fp);
+
+                               while (dns_anyconf_scan(&cf, "%w_", fp, &error)) {
+                                       dns_anyconf_skip("= \t", fp);
+                                       if (!dns_anyconf_scan(&cf, "%w_", fp, &error)) {
+                                               dns_anyconf_pop(&cf); /* discard status */
+                                               dns_anyconf_skip("^#;]\n", fp); /* skip to end of criteria */
+                                               break;
+                                       }
+                                       dns_anyconf_skip(" \t", fp);
+                               }
+
+                               dns_anyconf_skip("] \t", fp);
+                       }
+
+                       if ((size_t)(endof(lookup) - lp) < cf.count + 1) /* +1 for '\0' */
+                               goto nextsrc;
+
+                       source = dns_nssconf_keyword(cf.token[0]);
+
+                       switch (source) {
+                       case DNS_NSSCONF_DNS:
+                       case DNS_NSSCONF_MDNS:
+                       case DNS_NSSCONF_FILES:
+                               *lp++ = dns_nssconf_k2c(source);
+                               break;
+                       default:
+                               goto nextsrc;
+                       }
+
+                       for (i = 1; i + 1 < cf.count; i += 2) {
+                               status = dns_nssconf_keyword(cf.token[i]);
+                               action = dns_nssconf_keyword(cf.token[i + 1]);
+
+                               switch (status) {
+                               case DNS_NSSCONF_SUCCESS:
+                               case DNS_NSSCONF_NOTFOUND:
+                               case DNS_NSSCONF_UNAVAIL:
+                               case DNS_NSSCONF_TRYAGAIN:
+                                       *lp++ = dns_nssconf_k2c(status);
+                                       break;
+                               default:
+                                       continue;
+                               }
+
+                               switch (action) {
+                               case DNS_NSSCONF_CONTINUE:
+                               case DNS_NSSCONF_RETURN:
+                                       break;
+                               default:
+                                       action = (status == DNS_NSSCONF_SUCCESS)
+                                              ? DNS_NSSCONF_RETURN
+                                              : DNS_NSSCONF_CONTINUE;
+                                       break;
+                               }
+
+                               *lp++ = dns_nssconf_k2c(action);
+                       }
+nextsrc:
+                       *lp = '\0';
+                       dns_anyconf_reset(&cf);
+               }
+nextent:
+               dns_anyconf_skip("^\n", fp);
+       }
+
+       if (*lookup)
+               strncpy(resconf->lookup, lookup, sizeof resconf->lookup);
+
+       return 0;
+} /* dns_nssconf_loadfile() */
+
+
+int dns_nssconf_loadpath(struct dns_resolv_conf *resconf, const char *path) {
+       FILE *fp;
+       int error;
+
+       if (!(fp = dns_fopen(path, "rt", &error)))
+               return error;
+
+       error = dns_nssconf_loadfile(resconf, fp);
+
+       fclose(fp);
+
+       return error;
+} /* dns_nssconf_loadpath() */
+
+
+struct dns_nssconf_source {
+       enum dns_nssconf_keyword source, success, notfound, unavail, tryagain;
+}; /* struct dns_nssconf_source */
+
+typedef unsigned dns_nssconf_i;
+
+static inline int dns_nssconf_peek(const struct dns_resolv_conf *resconf, dns_nssconf_i state) {
+       return (state < lengthof(resconf->lookup) && resconf->lookup[state])? resconf->lookup[state] : 0;
+} /* dns_nssconf_peek() */
+
+static _Bool dns_nssconf_next(struct dns_nssconf_source *src, const struct dns_resolv_conf *resconf, dns_nssconf_i *state) {
+       int source, status, action;
+
+       src->source = DNS_NSSCONF_INVALID;
+       src->success = DNS_NSSCONF_RETURN;
+       src->notfound = DNS_NSSCONF_CONTINUE;
+       src->unavail = DNS_NSSCONF_CONTINUE;
+       src->tryagain = DNS_NSSCONF_CONTINUE;
+
+       while ((source = dns_nssconf_peek(resconf, *state))) {
+               source = dns_nssconf_c2k(source);
+               ++*state;
+
+               switch (source) {
+               case DNS_NSSCONF_FILES:
+               case DNS_NSSCONF_DNS:
+               case DNS_NSSCONF_MDNS:
+                       src->source = source;
+                       break;
+               default:
+                       continue;
+               }
+
+               while ((status = dns_nssconf_peek(resconf, *state)) && (action = dns_nssconf_peek(resconf, *state + 1))) {
+                       status = dns_nssconf_c2k(status);
+                       action = dns_nssconf_c2k(action);
+
+                       switch (action) {
+                       case DNS_NSSCONF_RETURN:
+                       case DNS_NSSCONF_CONTINUE:
+                               break;
+                       default:
+                               goto done;
+                       }
+
+                       switch (status) {
+                       case DNS_NSSCONF_SUCCESS:
+                               src->success = action;
+                               break;
+                       case DNS_NSSCONF_NOTFOUND:
+                               src->notfound = action;
+                               break;
+                       case DNS_NSSCONF_UNAVAIL:
+                               src->unavail = action;
+                               break;
+                       case DNS_NSSCONF_TRYAGAIN:
+                               src->tryagain = action;
+                               break;
+                       default:
+                               goto done;
+                       }
+
+                       *state += 2;
+               }
+
+               break;
+       }
+done:
+       return src->source != DNS_NSSCONF_INVALID;
+} /* dns_nssconf_next() */
+
+
+static int dns_nssconf_dump_status(int status, int action, unsigned *count, FILE *fp) {
+       switch (status) {
+       case DNS_NSSCONF_SUCCESS:
+               if (action == DNS_NSSCONF_RETURN)
+                       return 0;
+               break;
+       default:
+               if (action == DNS_NSSCONF_CONTINUE)
+                       return 0;
+               break;
+       }
+
+       fputc(' ', fp);
+
+       if (!*count)
+               fputc('[', fp);
+
+       fprintf(fp, "%s=%s", dns_nssconf_k2s(status), dns_nssconf_k2s(action));
+
+       ++*count;
+
+       return 0;
+} /* dns_nssconf_dump_status() */
+
+
+int dns_nssconf_dump(struct dns_resolv_conf *resconf, FILE *fp) {
+       struct dns_nssconf_source src;
+       dns_nssconf_i i = 0;
+
+       fputs("hosts:", fp);
+
+       while (dns_nssconf_next(&src, resconf, &i)) {
+               unsigned n = 0;
+
+               fprintf(fp, " %s", dns_nssconf_k2s(src.source));
+
+               dns_nssconf_dump_status(DNS_NSSCONF_SUCCESS, src.success, &n, fp);
+               dns_nssconf_dump_status(DNS_NSSCONF_NOTFOUND, src.notfound, &n, fp);
+               dns_nssconf_dump_status(DNS_NSSCONF_UNAVAIL, src.unavail, &n, fp);
+               dns_nssconf_dump_status(DNS_NSSCONF_TRYAGAIN, src.tryagain, &n, fp);
+
+               if (n)
+                       fputc(']', fp);
+       }
+
+       fputc('\n', fp);
+
+       return 0;
+} /* dns_nssconf_dump() */
+
+
+int dns_resconf_setiface(struct dns_resolv_conf *resconf, const char *addr, unsigned short port) {
+       int af = (strchr(addr, ':'))? AF_INET6 : AF_INET;
+       int error;
+
+       if ((error = dns_pton(af, addr, dns_sa_addr(af, &resconf->iface, NULL))))
+               return error;
+
+       *dns_sa_port(af, &resconf->iface)       = htons(port);
+       resconf->iface.ss_family                = af;
+
+       return 0;
+} /* dns_resconf_setiface() */
+
+
+#define DNS_SM_RESTORE \
+       do { \
+               pc = 0xff & (*state >> 0); \
+               srchi = 0xff & (*state >> 8); \
+               ndots = 0xff & (*state >> 16); \
+       } while (0)
+
+#define DNS_SM_SAVE \
+       do { \
+               *state = ((0xff & pc) << 0) \
+                      | ((0xff & srchi) << 8) \
+                      | ((0xff & ndots) << 16); \
+       } while (0)
+
+size_t dns_resconf_search(void *dst, size_t lim, const void *qname, size_t qlen, struct dns_resolv_conf *resconf, dns_resconf_i_t *state) {
+       unsigned pc, srchi, ndots, len;
+
+       DNS_SM_ENTER;
+
+       /* if FQDN then return as-is and finish */
+       if (dns_d_isanchored(qname, qlen)) {
+               len = dns_d_anchor(dst, lim, qname, qlen);
+               DNS_SM_YIELD(len);
+               DNS_SM_EXIT;
+       }
+
+       ndots = dns_d_ndots(qname, qlen);
+
+       if (ndots >= resconf->options.ndots) {
+               len = dns_d_anchor(dst, lim, qname, qlen);
+               DNS_SM_YIELD(len);
+       }
+
+       while (srchi < lengthof(resconf->search) && resconf->search[srchi][0]) {
+               struct dns_buf buf = DNS_B_INTO(dst, lim);
+               const char *dn = resconf->search[srchi++];
+
+               dns_b_put(&buf, qname, qlen);
+               dns_b_putc(&buf, '.');
+               dns_b_puts(&buf, dn);
+               if (!dns_d_isanchored(dn, strlen(dn)))
+                       dns_b_putc(&buf, '.');
+               len = dns_b_strllen(&buf);
+               DNS_SM_YIELD(len);
+       }
+
+       if (ndots < resconf->options.ndots) {
+               len = dns_d_anchor(dst, lim, qname, qlen);
+               DNS_SM_YIELD(len);
+       }
+
+       DNS_SM_LEAVE;
+
+       return dns_strlcpy(dst, "", lim);
+} /* dns_resconf_search() */
+
+#undef DNS_SM_SAVE
+#undef DNS_SM_RESTORE
+
+
+int dns_resconf_dump(struct dns_resolv_conf *resconf, FILE *fp) {
+       unsigned i;
+       int af;
+
+       for (i = 0; i < lengthof(resconf->nameserver) && (af = resconf->nameserver[i].ss_family) != AF_UNSPEC; i++) {
+               char addr[INET6_ADDRSTRLEN + 1] = "[INVALID]";
+               unsigned short port;
+
+               dns_inet_ntop(af, dns_sa_addr(af, &resconf->nameserver[i], NULL), addr, sizeof addr);
+               port = ntohs(*dns_sa_port(af, &resconf->nameserver[i]));
+
+               if (port == 53)
+                       fprintf(fp, "nameserver %s\n", addr);
+               else
+                       fprintf(fp, "nameserver [%s]:%hu\n", addr, port);
+       }
+
+
+       fprintf(fp, "search");
+
+       for (i = 0; i < lengthof(resconf->search) && resconf->search[i][0]; i++)
+               fprintf(fp, " %s", resconf->search[i]);
+
+       fputc('\n', fp);
+
+
+       fputs("; ", fp);
+       dns_nssconf_dump(resconf, fp);
+
+       fprintf(fp, "lookup");
+
+       for (i = 0; i < lengthof(resconf->lookup) && resconf->lookup[i]; i++) {
+               switch (resconf->lookup[i]) {
+               case 'b':
+                       fprintf(fp, " bind"); break;
+               case 'f':
+                       fprintf(fp, " file"); break;
+               case 'c':
+                       fprintf(fp, " cache"); break;
+               }
+       }
+
+       fputc('\n', fp);
+
+
+       fprintf(fp, "options ndots:%u timeout:%u attempts:%u", resconf->options.ndots, resconf->options.timeout, resconf->options.attempts);
+
+       if (resconf->options.edns0)
+               fprintf(fp, " edns0");
+       if (resconf->options.rotate)
+               fprintf(fp, " rotate");
+       if (resconf->options.recurse)
+               fprintf(fp, " recurse");
+       if (resconf->options.smart)
+               fprintf(fp, " smart");
+
+       switch (resconf->options.tcp) {
+       case DNS_RESCONF_TCP_ENABLE:
+               break;
+       case DNS_RESCONF_TCP_ONLY:
+               fprintf(fp, " tcp");
+               break;
+       case DNS_RESCONF_TCP_SOCKS:
+               fprintf(fp, " tcp:socks");
+               break;
+       case DNS_RESCONF_TCP_DISABLE:
+               fprintf(fp, " tcp:disable");
+               break;
+       }
+
+       fputc('\n', fp);
+
+
+       if ((af = resconf->iface.ss_family) != AF_UNSPEC) {
+               char addr[INET6_ADDRSTRLEN + 1] = "[INVALID]";
+
+               dns_inet_ntop(af, dns_sa_addr(af, &resconf->iface, NULL), addr, sizeof addr);
+
+               fprintf(fp, "interface %s %hu\n", addr, ntohs(*dns_sa_port(af, &resconf->iface)));
+       }
+
+       return 0;
+} /* dns_resconf_dump() */
+
+
+/*
+ * H I N T  S E R V E R  R O U T I N E S
+ *
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+struct dns_hints_soa {
+       unsigned char zone[DNS_D_MAXNAME + 1];
+
+       struct {
+               struct sockaddr_storage ss;
+               unsigned priority;
+       } addrs[16];
+
+       unsigned count;
+
+       struct dns_hints_soa *next;
+}; /* struct dns_hints_soa */
+
+
+struct dns_hints {
+       dns_atomic_t refcount;
+
+       struct dns_hints_soa *head;
+}; /* struct dns_hints */
+
+
+struct dns_hints *dns_hints_open(struct dns_resolv_conf *resconf, int *error) {
+       static const struct dns_hints H_initializer;
+       struct dns_hints *H;
+
+       (void)resconf;
+
+       if (!(H = malloc(sizeof *H)))
+               goto syerr;
+
+       *H      = H_initializer;
+
+       dns_hints_acquire(H);
+
+       return H;
+syerr:
+       *error  = dns_syerr();
+
+       free(H);
+
+       return 0;
+} /* dns_hints_open() */
+
+
+void dns_hints_close(struct dns_hints *H) {
+       struct dns_hints_soa *soa, *nxt;
+
+       if (!H || 1 != dns_hints_release(H))
+               return /* void */;
+
+       for (soa = H->head; soa; soa = nxt) {
+               nxt     = soa->next;
+
+               free(soa);
+       }
+
+       free(H);
+
+       return /* void */;
+} /* dns_hints_close() */
+
+
+dns_refcount_t dns_hints_acquire(struct dns_hints *H) {
+       return dns_atomic_fetch_add(&H->refcount);
+} /* dns_hints_acquire() */
+
+
+dns_refcount_t dns_hints_release(struct dns_hints *H) {
+       return dns_atomic_fetch_sub(&H->refcount);
+} /* dns_hints_release() */
+
+
+struct dns_hints *dns_hints_mortal(struct dns_hints *hints) {
+       if (hints)
+               dns_hints_release(hints);
+
+       return hints;
+} /* dns_hints_mortal() */
+
+
+struct dns_hints *dns_hints_local(struct dns_resolv_conf *resconf, int *error_) {
+       struct dns_hints *hints         = 0;
+       int error;
+
+       if (resconf)
+               dns_resconf_acquire(resconf);
+       else if (!(resconf = dns_resconf_local(&error)))
+               goto error;
+
+       if (!(hints = dns_hints_open(resconf, &error)))
+               goto error;
+
+       error   = 0;
+
+       if (0 == dns_hints_insert_resconf(hints, ".", resconf, &error) && error)
+               goto error;
+
+       dns_resconf_close(resconf);
+
+       return hints;
+error:
+       *error_ = error;
+
+       dns_resconf_close(resconf);
+       dns_hints_close(hints);
+
+       return 0;
+} /* dns_hints_local() */
+
+
+struct dns_hints *dns_hints_root(struct dns_resolv_conf *resconf, int *error_) {
+       static const struct {
+               int af;
+               char addr[INET6_ADDRSTRLEN];
+       } root_hints[] = {
+               { AF_INET,      "198.41.0.4"            },      /* A.ROOT-SERVERS.NET. */
+               { AF_INET6,     "2001:503:ba3e::2:30"   },      /* A.ROOT-SERVERS.NET. */
+               { AF_INET,      "192.228.79.201"        },      /* B.ROOT-SERVERS.NET. */
+               { AF_INET6,     "2001:500:84::b"        },      /* B.ROOT-SERVERS.NET. */
+               { AF_INET,      "192.33.4.12"           },      /* C.ROOT-SERVERS.NET. */
+               { AF_INET6,     "2001:500:2::c"         },      /* C.ROOT-SERVERS.NET. */
+               { AF_INET,      "199.7.91.13"           },      /* D.ROOT-SERVERS.NET. */
+               { AF_INET6,     "2001:500:2d::d"        },      /* D.ROOT-SERVERS.NET. */
+               { AF_INET,      "192.203.230.10"        },      /* E.ROOT-SERVERS.NET. */
+               { AF_INET,      "192.5.5.241"           },      /* F.ROOT-SERVERS.NET. */
+               { AF_INET6,     "2001:500:2f::f"        },      /* F.ROOT-SERVERS.NET. */
+               { AF_INET,      "192.112.36.4"          },      /* G.ROOT-SERVERS.NET. */
+               { AF_INET,      "128.63.2.53"           },      /* H.ROOT-SERVERS.NET. */
+               { AF_INET6,     "2001:500:1::803f:235"  },      /* H.ROOT-SERVERS.NET. */
+               { AF_INET,      "192.36.148.17"         },      /* I.ROOT-SERVERS.NET. */
+               { AF_INET6,     "2001:7FE::53"          },      /* I.ROOT-SERVERS.NET. */
+               { AF_INET,      "192.58.128.30"         },      /* J.ROOT-SERVERS.NET. */
+               { AF_INET6,     "2001:503:c27::2:30"    },      /* J.ROOT-SERVERS.NET. */
+               { AF_INET,      "193.0.14.129"          },      /* K.ROOT-SERVERS.NET. */
+               { AF_INET6,     "2001:7FD::1"           },      /* K.ROOT-SERVERS.NET. */
+               { AF_INET,      "199.7.83.42"           },      /* L.ROOT-SERVERS.NET. */
+               { AF_INET6,     "2001:500:3::42"        },      /* L.ROOT-SERVERS.NET. */
+               { AF_INET,      "202.12.27.33"          },      /* M.ROOT-SERVERS.NET. */
+               { AF_INET6,     "2001:DC3::35"          },      /* M.ROOT-SERVERS.NET. */
+       };
+       struct dns_hints *hints         = 0;
+       struct sockaddr_storage ss;
+       unsigned i;
+       int error, af;
+
+       if (!(hints = dns_hints_open(resconf, &error)))
+               goto error;
+
+       for (i = 0; i < lengthof(root_hints); i++) {
+               af      = root_hints[i].af;
+
+               if ((error = dns_pton(af, root_hints[i].addr, dns_sa_addr(af, &ss, NULL))))
+                       goto error;
+
+               *dns_sa_port(af, &ss)   = htons(53);
+               ss.ss_family            = af;
+
+               if ((error = dns_hints_insert(hints, ".", (struct sockaddr *)&ss, 1)))
+                       goto error;
+       }
+
+       return hints;
+error:
+       *error_ = error;
+
+       dns_hints_close(hints);
+
+       return 0;
+} /* dns_hints_root() */
+
+
+static struct dns_hints_soa *dns_hints_fetch(struct dns_hints *H, const char *zone) {
+       struct dns_hints_soa *soa;
+
+       for (soa = H->head; soa; soa = soa->next) {
+               if (0 == strcasecmp(zone, (char *)soa->zone))
+                       return soa;
+       }
+
+       return 0;
+} /* dns_hints_fetch() */
+
+
+int dns_hints_insert(struct dns_hints *H, const char *zone, const struct sockaddr *sa, unsigned priority) {
+       static const struct dns_hints_soa soa_initializer;
+       struct dns_hints_soa *soa;
+       unsigned i;
+
+       if (!(soa = dns_hints_fetch(H, zone))) {
+               if (!(soa = malloc(sizeof *soa)))
+                       return dns_syerr();
+               *soa = soa_initializer;
+               dns_strlcpy((char *)soa->zone, zone, sizeof soa->zone);
+
+               soa->next = H->head;
+               H->head = soa;
+       }
+
+       i = soa->count % lengthof(soa->addrs);
+
+       memcpy(&soa->addrs[i].ss, sa, dns_sa_len(sa));
+
+       soa->addrs[i].priority = DNS_PP_MAX(1, priority);
+
+       if (soa->count < lengthof(soa->addrs))
+               soa->count++;
+
+       return 0;
+} /* dns_hints_insert() */
+
+
+static _Bool dns_hints_isinaddr_any(const void *sa) {
+       struct in_addr *addr;
+
+       if (dns_sa_family(sa) != AF_INET)
+               return 0;
+
+       addr = dns_sa_addr(AF_INET, sa, NULL);
+       return addr->s_addr == htonl(INADDR_ANY);
+}
+
+unsigned dns_hints_insert_resconf(struct dns_hints *H, const char *zone, const struct dns_resolv_conf *resconf, int *error_) {
+       unsigned i, n, p;
+       int error;
+
+       for (i = 0, n = 0, p = 1; i < lengthof(resconf->nameserver) && resconf->nameserver[i].ss_family != AF_UNSPEC; i++, n++) {
+               union { struct sockaddr_in sin; } tmp;
+               struct sockaddr *ns;
+
+               /*
+                * dns_resconf_open initializes nameserver[0] to INADDR_ANY.
+                *
+                * Traditionally the semantics of 0.0.0.0 meant the default
+                * interface, which evolved to mean the loopback interface.
+                * See comment block preceding resolv/res_init.c:res_init in
+                * glibc 2.23. As of 2.23, glibc no longer translates
+                * 0.0.0.0 despite the code comment, but it does default to
+                * 127.0.0.1 when no nameservers are present.
+                *
+                * BIND9 as of 9.10.3 still translates 0.0.0.0 to 127.0.0.1.
+                * See lib/lwres/lwconfig.c:lwres_create_addr and the
+                * convert_zero flag. 127.0.0.1 is also the default when no
+                * nameservers are present.
+                */
+               if (dns_hints_isinaddr_any(&resconf->nameserver[i])) {
+                       memcpy(&tmp.sin, &resconf->nameserver[i], sizeof tmp.sin);
+                       tmp.sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+                       ns = (struct sockaddr *)&tmp.sin;
+               } else {
+                       ns = (struct sockaddr *)&resconf->nameserver[i];
+               }
+
+               if ((error = dns_hints_insert(H, zone, ns, p)))
+                       goto error;
+
+               p += !resconf->options.rotate;
+       }
+
+       return n;
+error:
+       *error_ = error;
+
+       return n;
+} /* dns_hints_insert_resconf() */
+
+
+static int dns_hints_i_cmp(unsigned a, unsigned b, struct dns_hints_i *i, struct dns_hints_soa *soa) {
+       int cmp;
+
+       if ((cmp = soa->addrs[a].priority - soa->addrs[b].priority))
+               return cmp;
+
+       return dns_k_shuffle16(a, i->state.seed) - dns_k_shuffle16(b, i->state.seed);
+} /* dns_hints_i_cmp() */
+
+
+static unsigned dns_hints_i_start(struct dns_hints_i *i, struct dns_hints_soa *soa) {
+       unsigned p0, p;
+
+       p0      = 0;
+
+       for (p = 1; p < soa->count; p++) {
+               if (dns_hints_i_cmp(p, p0, i, soa) < 0)
+                       p0      = p;
+       }
+
+       return p0;
+} /* dns_hints_i_start() */
+
+
+static unsigned dns_hints_i_skip(unsigned p0, struct dns_hints_i *i, struct dns_hints_soa *soa) {
+       unsigned pZ, p;
+
+       for (pZ = 0; pZ < soa->count; pZ++) {
+               if (dns_hints_i_cmp(pZ, p0, i, soa) > 0)
+                       goto cont;
+       }
+
+       return soa->count;
+cont:
+       for (p = pZ + 1; p < soa->count; p++) {
+               if (dns_hints_i_cmp(p, p0, i, soa) <= 0)
+                       continue;
+
+               if (dns_hints_i_cmp(p, pZ, i, soa) >= 0)
+                       continue;
+
+               pZ      = p;
+       }
+
+
+       return pZ;
+} /* dns_hints_i_skip() */
+
+
+static struct dns_hints_i *dns_hints_i_init(struct dns_hints_i *i, struct dns_hints *hints) {
+       static const struct dns_hints_i i_initializer;
+       struct dns_hints_soa *soa;
+
+       i->state        = i_initializer.state;
+
+       do {
+               i->state.seed   = dns_random();
+       } while (0 == i->state.seed);
+
+       if ((soa = dns_hints_fetch(hints, i->zone))) {
+               i->state.next   = dns_hints_i_start(i, soa);
+       }
+
+       return i;
+} /* dns_hints_i_init() */
+
+
+unsigned dns_hints_grep(struct sockaddr **sa, socklen_t *sa_len, unsigned lim, struct dns_hints_i *i, struct dns_hints *H) {
+       struct dns_hints_soa *soa;
+       unsigned n;
+
+       if (!(soa = dns_hints_fetch(H, i->zone)))
+               return 0;
+
+       n       = 0;
+
+       while (i->state.next < soa->count && n < lim) {
+               *sa     = (struct sockaddr *)&soa->addrs[i->state.next].ss;
+               *sa_len = dns_sa_len(*sa);
+
+               sa++;
+               sa_len++;
+               n++;
+
+               i->state.next   = dns_hints_i_skip(i->state.next, i, soa);
+       }
+
+       return n;
+} /* dns_hints_grep() */
+
+
+struct dns_packet *dns_hints_query(struct dns_hints *hints, struct dns_packet *Q, int *error_) {
+       struct dns_packet *A, *P;
+       struct dns_rr rr;
+       char zone[DNS_D_MAXNAME + 1];
+       size_t zlen;
+       struct dns_hints_i i;
+       struct sockaddr *sa;
+       socklen_t slen;
+       int error;
+
+       if (!dns_rr_grep(&rr, 1, dns_rr_i_new(Q, .section = DNS_S_QUESTION), Q, &error))
+               goto error;
+
+       if (!(zlen = dns_d_expand(zone, sizeof zone, rr.dn.p, Q, &error)))
+               goto error;
+       else if (zlen >= sizeof zone)
+               goto toolong;
+
+       P                       = dns_p_new(512);
+       dns_header(P)->qr       = 1;
+
+       if ((error = dns_rr_copy(P, &rr, Q)))
+               goto error;
+
+       if ((error = dns_p_push(P, DNS_S_AUTHORITY, ".", strlen("."), DNS_T_NS, DNS_C_IN, 0, "hints.local.")))
+               goto error;
+
+       do {
+               i.zone  = zone;
+
+               dns_hints_i_init(&i, hints);
+
+               while (dns_hints_grep(&sa, &slen, 1, &i, hints)) {
+                       int af          = sa->sa_family;
+                       int rtype       = (af == AF_INET6)? DNS_T_AAAA : DNS_T_A;
+
+                       if ((error = dns_p_push(P, DNS_S_ADDITIONAL, "hints.local.", strlen("hints.local."), rtype, DNS_C_IN, 0, dns_sa_addr(af, sa, NULL))))
+                               goto error;
+               }
+       } while ((zlen = dns_d_cleave(zone, sizeof zone, zone, zlen)));
+
+       if (!(A = dns_p_copy(dns_p_make(P->end, &error), P)))
+               goto error;
+
+       return A;
+toolong:
+       error = DNS_EILLEGAL;
+error:
+       *error_ = error;
+
+       return 0;
+} /* dns_hints_query() */
+
+
+/** ugly hack to support specifying ports other than 53 in resolv.conf. */
+static unsigned short dns_hints_port(struct dns_hints *hints, int af, void *addr) {
+       struct dns_hints_soa *soa;
+       void *addrsoa;
+       socklen_t addrlen;
+       unsigned short port;
+       unsigned i;
+
+       for (soa = hints->head; soa; soa = soa->next) {
+               for (i = 0; i < soa->count; i++) {
+                       if (af != soa->addrs[i].ss.ss_family)
+                               continue;
+
+                       if (!(addrsoa = dns_sa_addr(af, &soa->addrs[i].ss, &addrlen)))
+                               continue;
+
+                       if (memcmp(addr, addrsoa, addrlen))
+                               continue;
+
+                       port = *dns_sa_port(af, &soa->addrs[i].ss);
+
+                       return (port)? port : htons(53);
+               }
+       }
+
+       return htons(53);
+} /* dns_hints_port() */
+
+
+int dns_hints_dump(struct dns_hints *hints, FILE *fp) {
+       struct dns_hints_soa *soa;
+       char addr[INET6_ADDRSTRLEN];
+       unsigned i;
+       int af, error;
+
+       for (soa = hints->head; soa; soa = soa->next) {
+               fprintf(fp, "ZONE \"%s\"\n", soa->zone);
+
+               for (i = 0; i < soa->count; i++) {
+                       af = soa->addrs[i].ss.ss_family;
+
+                       if ((error = dns_ntop(af, dns_sa_addr(af, &soa->addrs[i].ss, NULL), addr, sizeof addr)))
+                               return error;
+
+                       fprintf(fp, "\t(%d) [%s]:%hu\n", (int)soa->addrs[i].priority, addr, ntohs(*dns_sa_port(af, &soa->addrs[i].ss)));
+               }
+       }
+
+       return 0;
+} /* dns_hints_dump() */
+
+
+/*
+ * C A C H E  R O U T I N E S
+ *
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+static dns_refcount_t dns_cache_acquire(struct dns_cache *cache) {
+       return dns_atomic_fetch_add(&cache->_.refcount);
+} /* dns_cache_acquire() */
+
+
+static dns_refcount_t dns_cache_release(struct dns_cache *cache) {
+       return dns_atomic_fetch_sub(&cache->_.refcount);
+} /* dns_cache_release() */
+
+
+static struct dns_packet *dns_cache_query(struct dns_packet *query, struct dns_cache *cache, int *error) {
+       (void)query;
+       (void)cache;
+       (void)error;
+
+       return NULL;
+} /* dns_cache_query() */
+
+
+static int dns_cache_submit(struct dns_packet *query, struct dns_cache *cache) {
+       (void)query;
+       (void)cache;
+
+       return 0;
+} /* dns_cache_submit() */
+
+
+static int dns_cache_check(struct dns_cache *cache) {
+       (void)cache;
+
+       return 0;
+} /* dns_cache_check() */
+
+
+static struct dns_packet *dns_cache_fetch(struct dns_cache *cache, int *error) {
+       (void)cache;
+       (void)error;
+
+       return NULL;
+} /* dns_cache_fetch() */
+
+
+static int dns_cache_pollfd(struct dns_cache *cache) {
+       (void)cache;
+
+       return -1;
+} /* dns_cache_pollfd() */
+
+
+static short dns_cache_events(struct dns_cache *cache) {
+       (void)cache;
+
+       return 0;
+} /* dns_cache_events() */
+
+
+static void dns_cache_clear(struct dns_cache *cache) {
+       (void)cache;
+
+       return;
+} /* dns_cache_clear() */
+
+
+struct dns_cache *dns_cache_init(struct dns_cache *cache) {
+       static const struct dns_cache c_init = {
+               .acquire = &dns_cache_acquire,
+               .release = &dns_cache_release,
+               .query   = &dns_cache_query,
+               .submit  = &dns_cache_submit,
+               .check   = &dns_cache_check,
+               .fetch   = &dns_cache_fetch,
+               .pollfd  = &dns_cache_pollfd,
+               .events  = &dns_cache_events,
+               .clear   = &dns_cache_clear,
+               ._ = { .refcount = 1, },
+       };
+
+       *cache = c_init;
+
+       return cache;
+} /* dns_cache_init() */
+
+
+void dns_cache_close(struct dns_cache *cache) {
+       if (cache)
+               cache->release(cache);
+} /* dns_cache_close() */
+
+
+/*
+ * S O C K E T  R O U T I N E S
+ *
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+static void dns_socketclose(int *fd, const struct dns_options *opts) {
+       if (opts && opts->closefd.cb)
+               opts->closefd.cb(fd, opts->closefd.arg);
+
+       if (*fd != -1) {
+#if _WIN32
+               closesocket(*fd);
+#else
+               close(*fd);
+#endif
+               *fd     = -1;
+       }
+} /* dns_socketclose() */
+
+
+#ifndef HAVE_IOCTLSOCKET
+#define HAVE_IOCTLSOCKET (_WIN32 || _WIN64)
+#endif
+
+#ifndef HAVE_SOCK_CLOEXEC
+#define HAVE_SOCK_CLOEXEC (defined SOCK_CLOEXEC)
+#endif
+
+#ifndef HAVE_SOCK_NONBLOCK
+#define HAVE_SOCK_NONBLOCK (defined SOCK_NONBLOCK)
+#endif
+
+#define DNS_SO_MAXTRY  7
+
+static int dns_socket(struct sockaddr *local, int type, int *error_) {
+       int fd = -1, flags, error;
+#if defined FIONBIO
+       unsigned long opt;
+#endif
+
+       flags = 0;
+#if HAVE_SOCK_CLOEXEC
+       flags |= SOCK_CLOEXEC;
+#endif
+#if HAVE_SOCK_NONBLOCK
+       flags |= SOCK_NONBLOCK;
+#endif
+       if (-1 == (fd = socket(local->sa_family, type|flags, 0)))
+               goto soerr;
+
+#if defined F_SETFD && !HAVE_SOCK_CLOEXEC
+       if (-1 == fcntl(fd, F_SETFD, 1))
+               goto syerr;
+#endif
+
+#if defined O_NONBLOCK && !HAVE_SOCK_NONBLOCK
+       if (-1 == (flags = fcntl(fd, F_GETFL)))
+               goto syerr;
+       if (-1 == fcntl(fd, F_SETFL, flags | O_NONBLOCK))
+               goto syerr;
+#elif defined FIONBIO && HAVE_IOCTLSOCKET
+       opt = 1;
+       if (0 != ioctlsocket(fd, FIONBIO, &opt))
+               goto soerr;
+#endif
+
+#if defined SO_NOSIGPIPE
+       if (type != SOCK_DGRAM) {
+               if (0 != setsockopt(fd, SOL_SOCKET, SO_NOSIGPIPE, &(int){ 1 }, sizeof (int)))
+                       goto soerr;
+       }
+#endif
+
+       if (local->sa_family != AF_INET && local->sa_family != AF_INET6)
+               return fd;
+
+       if (type != SOCK_DGRAM)
+               return fd;
+
+       /*
+        * FreeBSD, Linux, OpenBSD, OS X, and Solaris use random ports by
+        * default. Though the ephemeral range is quite small on OS X
+        * (49152-65535 on 10.10) and Linux (32768-60999 on 4.4.0, Ubuntu
+        * Xenial). See also RFC 6056.
+        *
+        * TODO: Optionally rely on the kernel to select a random port.
+        */
+       if (*dns_sa_port(local->sa_family, local) == 0) {
+               struct sockaddr_storage tmp;
+               unsigned i, port;
+
+               memcpy(&tmp, local, dns_sa_len(local));
+
+               for (i = 0; i < DNS_SO_MAXTRY; i++) {
+                       port = 1025 + (dns_random() % 64510);
+
+                       *dns_sa_port(tmp.ss_family, &tmp) = htons(port);
+
+                       if (0 == bind(fd, (struct sockaddr *)&tmp, dns_sa_len(&tmp)))
+                               return fd;
+               }
+
+               /* NB: continue to next bind statement */
+       }
+
+       if (0 == bind(fd, local, dns_sa_len(local)))
+               return fd;
+
+       /* FALL THROUGH */
+soerr:
+       error = dns_soerr();
+
+       goto error;
+#if (defined F_SETFD && !HAVE_SOCK_CLOEXEC) || (defined O_NONBLOCK && !HAVE_SOCK_NONBLOCK)
+syerr:
+       error = dns_syerr();
+
+       goto error;
+#endif
+error:
+       *error_ = error;
+
+       dns_socketclose(&fd, NULL);
+
+       return -1;
+} /* dns_socket() */
+
+
+enum {
+       DNS_SO_UDP_INIT = 1,
+       DNS_SO_UDP_CONN,
+       DNS_SO_UDP_SEND,
+       DNS_SO_UDP_RECV,
+       DNS_SO_UDP_DONE,
+
+       DNS_SO_TCP_INIT,
+       DNS_SO_TCP_CONN,
+       DNS_SO_TCP_SEND,
+       DNS_SO_TCP_RECV,
+       DNS_SO_TCP_DONE,
+
+       DNS_SO_SOCKS_INIT,
+       DNS_SO_SOCKS_CONN,
+       DNS_SO_SOCKS_AUTH_SEND,
+       DNS_SO_SOCKS_AUTH_RECV,
+       DNS_SO_SOCKS_REQUEST_SEND,
+       DNS_SO_SOCKS_REQUEST_RECV,
+       DNS_SO_SOCKS_REQUEST_RECV_V6,
+       DNS_SO_SOCKS_HANDSHAKE_DONE,
+};
+
+struct dns_socket {
+       struct dns_options opts;
+
+       int udp;
+       int tcp;
+
+       int *old;
+       unsigned onum, olim;
+
+       int type;
+
+       struct sockaddr_storage local, remote;
+
+       struct dns_k_permutor qids;
+
+       struct dns_stat stat;
+
+       struct dns_trace *trace;
+
+       /*
+        * NOTE: dns_so_reset() zeroes everything from here down.
+        */
+       int state;
+
+       unsigned short qid;
+       char qname[DNS_D_MAXNAME + 1];
+       size_t qlen;
+       enum dns_type qtype;
+       enum dns_class qclass;
+
+       struct dns_packet *query;
+       size_t qout;
+
+       /* During a SOCKS handshake the query is temporarily stored
+        * here.  */
+       struct dns_packet *query_backup;
+
+       struct dns_clock elapsed;
+
+       struct dns_packet *answer;
+       size_t alen, apos;
+}; /* struct dns_socket */
+
+
+/*
+ * NOTE: Actual closure delayed so that kqueue(2) and epoll(2) callers have
+ * a chance to recognize a state change after installing a persistent event
+ * and where sequential descriptors with the same integer value returned
+ * from _pollfd() would be ambiguous. See dns_so_closefds().
+ */
+static int dns_so_closefd(struct dns_socket *so, int *fd) {
+       int error;
+
+       if (*fd == -1)
+               return 0;
+
+       if (so->opts.closefd.cb) {
+               if ((error = so->opts.closefd.cb(fd, so->opts.closefd.arg))) {
+                       return error;
+               } else if (*fd == -1)
+                       return 0;
+       }
+
+       if (!(so->onum < so->olim)) {
+               unsigned olim = DNS_PP_MAX(4, so->olim * 2);
+               void *old;
+
+               if (!(old = realloc(so->old, sizeof so->old[0] * olim)))
+                       return dns_syerr();
+
+               so->old  = old;
+               so->olim = olim;
+       }
+
+       so->old[so->onum++] = *fd;
+       *fd = -1;
+
+       return 0;
+} /* dns_so_closefd() */
+
+
+#define DNS_SO_CLOSE_UDP 0x01
+#define DNS_SO_CLOSE_TCP 0x02
+#define DNS_SO_CLOSE_OLD 0x04
+#define DNS_SO_CLOSE_ALL (DNS_SO_CLOSE_UDP|DNS_SO_CLOSE_TCP|DNS_SO_CLOSE_OLD)
+
+static void dns_so_closefds(struct dns_socket *so, int which) {
+       if (DNS_SO_CLOSE_UDP & which)
+               dns_socketclose(&so->udp, &so->opts);
+       if (DNS_SO_CLOSE_TCP & which)
+               dns_socketclose(&so->tcp, &so->opts);
+       if (DNS_SO_CLOSE_OLD & which) {
+               unsigned i;
+               for (i = 0; i < so->onum; i++)
+                       dns_socketclose(&so->old[i], &so->opts);
+               so->onum = 0;
+               free(so->old);
+               so->old  = 0;
+               so->olim = 0;
+       }
+} /* dns_so_closefds() */
+
+
+static void dns_so_destroy(struct dns_socket *);
+
+static struct dns_socket *dns_so_init(struct dns_socket *so, const struct sockaddr *local, int type, const struct dns_options *opts, int *error) {
+       static const struct dns_socket so_initializer = { .opts = DNS_OPTS_INITIALIZER, .udp = -1, .tcp = -1, };
+
+       *so             = so_initializer;
+       so->type        = type;
+
+       if (opts)
+               so->opts = *opts;
+
+       if (local)
+               memcpy(&so->local, local, dns_sa_len(local));
+
+       if (-1 == (so->udp = dns_socket((struct sockaddr *)&so->local, SOCK_DGRAM, error)))
+               goto error;
+
+       dns_k_permutor_init(&so->qids, 1, 65535);
+
+       return so;
+error:
+       dns_so_destroy(so);
+
+       return 0;
+} /* dns_so_init() */
+
+
+struct dns_socket *dns_so_open(const struct sockaddr *local, int type, const struct dns_options *opts, int *error) {
+       struct dns_socket *so;
+
+       if (!(so = malloc(sizeof *so)))
+               goto syerr;
+
+       if (!dns_so_init(so, local, type, opts, error))
+               goto error;
+
+       return so;
+syerr:
+       *error  = dns_syerr();
+error:
+       dns_so_close(so);
+
+       return 0;
+} /* dns_so_open() */
+
+
+static void dns_so_destroy(struct dns_socket *so) {
+       dns_so_reset(so);
+       dns_so_closefds(so, DNS_SO_CLOSE_ALL);
+       dns_trace_close(so->trace);
+} /* dns_so_destroy() */
+
+
+void dns_so_close(struct dns_socket *so) {
+       if (!so)
+               return;
+
+       dns_so_destroy(so);
+
+       free(so);
+} /* dns_so_close() */
+
+
+void dns_so_reset(struct dns_socket *so) {
+       dns_p_setptr(&so->answer, NULL);
+
+       memset(&so->state, '\0', sizeof *so - offsetof(struct dns_socket, state));
+} /* dns_so_reset() */
+
+
+unsigned short dns_so_mkqid(struct dns_socket *so) {
+       return dns_k_permutor_step(&so->qids);
+} /* dns_so_mkqid() */
+
+
+#define DNS_SO_MINBUF  768
+
+static int dns_so_newanswer(struct dns_socket *so, size_t len) {
+       size_t size     = offsetof(struct dns_packet, data) + DNS_PP_MAX(len, DNS_SO_MINBUF);
+       void *p;
+
+       if (!(p = realloc(so->answer, size)))
+               return dns_syerr();
+
+       so->answer      = dns_p_init(p, size);
+
+       return 0;
+} /* dns_so_newanswer() */
+
+
+int dns_so_submit(struct dns_socket *so, struct dns_packet *Q, struct sockaddr *host) {
+       struct dns_rr rr;
+       int error = DNS_EUNKNOWN;
+
+       dns_so_reset(so);
+
+       if ((error = dns_rr_parse(&rr, 12, Q)))
+               goto error;
+
+       if (!(so->qlen = dns_d_expand(so->qname, sizeof so->qname, rr.dn.p, Q, &error)))
+               goto error;
+       /*
+        * NOTE: Don't bail if expansion is too long; caller may be
+        * intentionally sending long names. However, we won't be able to
+        * verify it on return.
+        */
+
+       so->qtype       = rr.type;
+       so->qclass      = rr.class;
+
+       if ((error = dns_so_newanswer(so, (Q->memo.opt.maxudp)? Q->memo.opt.maxudp : DNS_SO_MINBUF)))
+               goto syerr;
+
+       memcpy(&so->remote, host, dns_sa_len(host));
+
+       so->query       = Q;
+       so->qout        = 0;
+
+       dns_begin(&so->elapsed);
+
+       if (dns_header(so->query)->qid == 0)
+               dns_header(so->query)->qid      = dns_so_mkqid(so);
+
+       so->qid         = dns_header(so->query)->qid;
+       so->state       = (so->opts.socks_host && so->opts.socks_host->ss_family) ? DNS_SO_SOCKS_INIT :
+               (so->type == SOCK_STREAM)? DNS_SO_TCP_INIT : DNS_SO_UDP_INIT;
+
+       so->stat.queries++;
+       dns_trace_so_submit(so->trace, Q, host, 0);
+
+       return 0;
+syerr:
+       error   = dns_syerr();
+error:
+       dns_so_reset(so);
+       dns_trace_so_submit(so->trace, Q, host, error);
+       return error;
+} /* dns_so_submit() */
+
+
+static int dns_so_verify(struct dns_socket *so, struct dns_packet *P) {
+       char qname[DNS_D_MAXNAME + 1];
+       size_t qlen;
+       struct dns_rr rr;
+       int error = -1;
+
+       if (P->end < 12)
+               goto reject;
+
+       if (so->qid != dns_header(P)->qid)
+               goto reject;
+
+       if (!dns_p_count(P, DNS_S_QD))
+               goto reject;
+
+       if (0 != dns_rr_parse(&rr, 12, P))
+               goto reject;
+
+       if (rr.type != so->qtype || rr.class != so->qclass)
+               goto reject;
+
+       if (!(qlen = dns_d_expand(qname, sizeof qname, rr.dn.p, P, &error)))
+               goto error;
+       else if (qlen >= sizeof qname || qlen != so->qlen)
+               goto reject;
+
+       if (0 != strcasecmp(so->qname, qname))
+               goto reject;
+
+       dns_trace_so_verify(so->trace, P, 0);
+
+       return 0;
+reject:
+       error = DNS_EVERIFY;
+error:
+       DNS_SHOW(P, "rejecting packet (%s)", dns_strerror(error));
+       dns_trace_so_verify(so->trace, P, error);
+
+       return error;
+} /* dns_so_verify() */
+
+
+static _Bool dns_so_tcp_keep(struct dns_socket *so) {
+       struct sockaddr_storage remote;
+
+       if (so->tcp == -1)
+               return 0;
+
+       if (0 != getpeername(so->tcp, (struct sockaddr *)&remote, &(socklen_t){ sizeof remote }))
+               return 0;
+
+       return 0 == dns_sa_cmp(&remote, &so->remote);
+} /* dns_so_tcp_keep() */
+
+
+#if defined __clang__
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Warray-bounds"
+#endif
+
+static int dns_so_tcp_send(struct dns_socket *so) {
+       unsigned char *qsrc;
+       size_t qend;
+       int error;
+       size_t n;
+
+       so->query->data[-2] = 0xff & (so->query->end >> 8);
+       so->query->data[-1] = 0xff & (so->query->end >> 0);
+
+       qend = so->query->end + 2;
+
+       while (so->qout < qend) {
+               qsrc = &so->query->data[-2] + so->qout;
+               n = dns_send_nopipe(so->tcp, (void *)qsrc, qend - so->qout, 0, &error);
+               dns_trace_sys_send(so->trace, so->tcp, SOCK_STREAM, qsrc, n, error);
+               if (error)
+                       return error;
+               so->qout += n;
+               so->stat.tcp.sent.bytes += n;
+       }
+
+       so->stat.tcp.sent.count++;
+
+       return 0;
+} /* dns_so_tcp_send() */
+
+
+static int dns_so_tcp_recv(struct dns_socket *so) {
+       unsigned char *asrc;
+       size_t aend, alen, n;
+       int error;
+
+       aend = so->alen + 2;
+
+       while (so->apos < aend) {
+               asrc = &so->answer->data[-2];
+
+               n = dns_recv(so->tcp, (void *)&asrc[so->apos], aend - so->apos, 0, &error);
+               dns_trace_sys_recv(so->trace, so->tcp, SOCK_STREAM, &asrc[so->apos], n, error);
+               if (error)
+                       return error;
+
+               so->apos += n;
+               so->stat.tcp.rcvd.bytes += n;
+
+               if (so->alen == 0 && so->apos >= 2) {
+                       alen = ((0xff & so->answer->data[-2]) << 8)
+                            | ((0xff & so->answer->data[-1]) << 0);
+
+                       if ((error = dns_so_newanswer(so, alen)))
+                               return error;
+
+                       so->alen = alen;
+                       aend = alen + 2;
+               }
+       }
+
+       so->answer->end = so->alen;
+       so->stat.tcp.rcvd.count++;
+
+       return 0;
+} /* dns_so_tcp_recv() */
+
+#if __clang__
+#pragma clang diagnostic pop
+#endif
+
+
+int dns_so_check(struct dns_socket *so) {
+       int error;
+       size_t n;
+
+       /* XXX */
+       unsigned char *buffer;
+       int method;
+
+retry:
+       switch (so->state) {
+       case DNS_SO_UDP_INIT:
+               so->state++;
+       case DNS_SO_UDP_CONN:
+               error = dns_connect(so->udp, (struct sockaddr *)&so->remote, dns_sa_len(&so->remote));
+               dns_trace_sys_connect(so->trace, so->udp, SOCK_DGRAM, (struct sockaddr *)&so->remote, error);
+               if (error)
+                       goto error;
+
+               so->state++;
+       case DNS_SO_UDP_SEND:
+               n = dns_send(so->udp, (void *)so->query->data, so->query->end, 0, &error);
+               dns_trace_sys_send(so->trace, so->udp, SOCK_DGRAM, so->query->data, n, error);
+               if (error)
+                       goto error;
+
+               so->stat.udp.sent.bytes += n;
+               so->stat.udp.sent.count++;
+
+               so->state++;
+       case DNS_SO_UDP_RECV:
+               n = dns_recv(so->udp, (void *)so->answer->data, so->answer->size, 0, &error);
+               dns_trace_sys_recv(so->trace, so->udp, SOCK_DGRAM, so->answer->data, n, error);
+               if (error)
+                       goto error;
+
+               so->answer->end = n;
+               so->stat.udp.rcvd.bytes += n;
+               so->stat.udp.rcvd.count++;
+
+               if ((error = dns_so_verify(so, so->answer)))
+                       goto trash;
+
+               so->state++;
+       case DNS_SO_UDP_DONE:
+               if (!dns_header(so->answer)->tc || so->type == SOCK_DGRAM)
+                       return 0;
+
+               so->state++;
+       case DNS_SO_TCP_INIT:
+               if (dns_so_tcp_keep(so)) {
+                       so->state = DNS_SO_TCP_SEND;
+
+                       goto retry;
+               }
+
+               if ((error = dns_so_closefd(so, &so->tcp)))
+                       goto error;
+
+               if (-1 == (so->tcp = dns_socket((struct sockaddr *)&so->local, SOCK_STREAM, &error)))
+                       goto error;
+
+               so->state++;
+       case DNS_SO_TCP_CONN:
+               error = dns_connect(so->tcp, (struct sockaddr *)&so->remote, dns_sa_len(&so->remote));
+               dns_trace_sys_connect(so->trace, so->tcp, SOCK_STREAM, (struct sockaddr *)&so->remote, error);
+               if (error && error != DNS_EISCONN)
+                       goto error;
+
+               so->state++;
+       case DNS_SO_TCP_SEND:
+               if ((error = dns_so_tcp_send(so)))
+                       goto error;
+
+               so->state++;
+       case DNS_SO_TCP_RECV:
+               if ((error = dns_so_tcp_recv(so)))
+                       goto error;
+
+               so->state++;
+       case DNS_SO_TCP_DONE:
+               /* close unless DNS_RESCONF_TCP_ONLY (see dns_res_tcp2type) */
+               if (so->type != SOCK_STREAM) {
+                       if ((error = dns_so_closefd(so, &so->tcp)))
+                               goto error;
+               }
+
+               if ((error = dns_so_verify(so, so->answer)))
+                       goto error;
+
+               return 0;
+       case DNS_SO_SOCKS_INIT:
+               if ((error = dns_so_closefd(so, &so->tcp)))
+                       goto error;
+
+               if (-1 == (so->tcp = dns_socket((struct sockaddr *)&so->local, SOCK_STREAM, &error)))
+                       goto error;
+
+               so->state++;
+       case DNS_SO_SOCKS_CONN:
+               error = dns_connect(so->tcp, (struct sockaddr *)so->opts.socks_host, dns_sa_len(so->opts.socks_host));
+               dns_trace_sys_connect(so->trace, so->tcp, SOCK_STREAM, (struct sockaddr *)so->opts.socks_host, error);
+               if (error && error != DNS_EISCONN)
+                       goto error;
+
+               /* We need to do a handshake with the SOCKS server,
+                * but the query is already in the buffer.  Move it
+                * out of the way.  */
+               dns_p_movptr(&so->query_backup, &so->query);
+
+               /* Create a new buffer for the handshake.  */
+               dns_p_grow(&so->query);
+
+               /* Skip the two octets length field when
+                  transmitting, send three octets.  */
+               so->qout = 2;
+               so->query->end = 3;
+               buffer = so->query->data;
+
+               /* Negotiate method.  */
+               buffer[0] = 5; /* RFC-1928 VER field.  */
+               buffer[1] = 1; /* NMETHODS */
+               if (0 /* XXX */)
+                       method = 2;  /* Method: username/password authentication. */
+               else
+                       method = 0;  /* Method: No authentication required. */
+               buffer[2] = method;
+
+               so->state++;
+       case DNS_SO_SOCKS_AUTH_SEND:
+               if ((error = dns_so_tcp_send(so)))
+                       goto error;
+
+               /* Skip the two length octets, and receive two octets.  */
+               so->apos = 2;
+               so->alen = 2;
+
+               so->state++;
+       case DNS_SO_SOCKS_AUTH_RECV:
+               if ((error = dns_so_tcp_recv(so)))
+                       goto error;
+
+               buffer = so->answer->data;
+               method = 0; /* XXX authentication not yet supported */
+               if (buffer[0] != 5 || buffer[1] != method) {
+                       /* Socks server returned wrong version or does
+                          not support our requested method.  */
+                       error = ENOTSUP; /* Fixme: Is there a better errno? */
+                       goto error;
+               }
+
+               /* Skip the two octets length field when
+                  transmitting.  */
+               so->qout = 2;
+               buffer = so->query->data;
+
+               /* Send request details (rfc-1928, 4).  */
+               buffer[0] = 5; /* VER  */
+               buffer[1] = 1; /* CMD = CONNECT  */
+               buffer[2] = 0; /* RSV  */
+               if (so->remote.ss_family == AF_INET6) {
+                       struct sockaddr_in6 *addr_in6 = (struct sockaddr_in6 *)&so->remote;
+
+                       buffer[3] = 4; /* ATYP = IPv6 */
+                       memcpy (buffer+ 4, &addr_in6->sin6_addr.s6_addr, 16); /* DST.ADDR */
+                       memcpy (buffer+20, &addr_in6->sin6_port, 2);          /* DST.PORT */
+                       so->query->end = 22;
+               } else {
+                       struct sockaddr_in *addr_in = (struct sockaddr_in *)&so->remote;
+
+                       buffer[3] = 1; /* ATYP = IPv4 */
+                       memcpy (buffer+4, &addr_in->sin_addr.s_addr, 4); /* DST.ADDR */
+                       memcpy (buffer+8, &addr_in->sin_port, 2);        /* DST.PORT */
+                       so->query->end = 10;
+               }
+
+               so->state++;
+       case DNS_SO_SOCKS_REQUEST_SEND:
+               if ((error = dns_so_tcp_send(so)))
+                       goto error;
+
+               /* Skip the two length octets, and receive ten octets.
+                * This is the length of the response assuming a IPv4
+                * address is used.  */
+               so->apos = 2;
+               so->alen = 10;
+
+               so->state++;
+       case DNS_SO_SOCKS_REQUEST_RECV:
+               if ((error = dns_so_tcp_recv(so)))
+                       goto error;
+
+               buffer = so->answer->data;
+               if (buffer[0] != 5 || buffer[2] != 0 ) {
+                       /* Socks server returned wrong version or the
+                          reserved field is not zero.  */
+                       error = EPROTO;
+                       goto error;
+               }
+               if (buffer[1]) {
+                       switch (buffer[1]) {
+                       case 0x01: /* general SOCKS server failure.  */
+                               error = ENETDOWN;
+                               break;
+                       case 0x02: /* connection not allowed by ruleset.  */
+                               error = EACCES;
+                               break;
+                       case 0x03: /* Network unreachable */
+                               error = ENETUNREACH;
+                               break;
+                       case 0x04: /* Host unreachable */
+                               error = EHOSTUNREACH;
+                               break;
+                       case 0x05: /* Connection refused */
+                               error = ECONNREFUSED;
+                               break;
+                       case 0x06: /* TTL expired */
+                               error = ETIMEDOUT;
+                               break;
+                       case 0x08: /* Address type not supported */
+                               error = EPROTONOSUPPORT;
+                               break;
+                       case 0x07: /* Command not supported */
+                       default:
+                               error = ENOTSUP; /* Fixme: Is there a better error? */
+                               break;
+                       }
+                       goto error;
+               }
+
+               if (buffer[3] == 1) {
+                       /* This was indeed an IPv4 address.  */
+                       so->state = DNS_SO_SOCKS_HANDSHAKE_DONE;
+                       goto retry;
+               }
+
+               if (buffer[3] != 4) {
+                       error = ENOTSUP;
+                       goto error;
+               }
+
+               /* ATYP indicates a v6 address.  Skip the two length
+                * octets, and receive twelve octets.  This accounts
+                * for the remaining bytes assuming an IPv6 address is
+                * used.  */
+               so->apos = 2;
+               so->alen = 12;
+
+               so->state++;
+       case DNS_SO_SOCKS_REQUEST_RECV_V6:
+               if ((error = dns_so_tcp_recv(so)))
+                       goto error;
+
+               so->state++;
+       case DNS_SO_SOCKS_HANDSHAKE_DONE:
+               /* We have not way to store the actual address used by
+                * the server.  Then again, we don't really care.  */
+
+               /* Restore the query.  */
+               dns_p_movptr(&so->query, &so->query_backup);
+
+               /* Reset cursors.  */
+               so->qout = 0;
+               so->apos = 0;
+               so->alen = 0;
+
+               /* SOCKS handshake is done.  Proceed with the
+                * lookup.  */
+               so->state = DNS_SO_TCP_SEND;
+               goto retry;
+       default:
+               error   = DNS_EUNKNOWN;
+
+               goto error;
+       } /* switch() */
+
+trash:
+       DNS_CARP("discarding packet");
+       goto retry;
+error:
+       switch (error) {
+       case DNS_EINTR:
+               goto retry;
+       case DNS_EINPROGRESS:
+               /* FALL THROUGH */
+       case DNS_EALREADY:
+               /* FALL THROUGH */
+#if DNS_EWOULDBLOCK != DNS_EAGAIN
+       case DNS_EWOULDBLOCK:
+               /* FALL THROUGH */
+#endif
+               error   = DNS_EAGAIN;
+
+               break;
+       } /* switch() */
+
+       return error;
+} /* dns_so_check() */
+
+
+struct dns_packet *dns_so_fetch(struct dns_socket *so, int *error) {
+       struct dns_packet *answer;
+
+       switch (so->state) {
+       case DNS_SO_UDP_DONE:
+       case DNS_SO_TCP_DONE:
+               answer          = so->answer;
+               so->answer      = 0;
+               dns_trace_so_fetch(so->trace, answer, 0);
+
+               return answer;
+       default:
+               *error  = DNS_EUNKNOWN;
+               dns_trace_so_fetch(so->trace, NULL, *error);
+
+               return 0;
+       }
+} /* dns_so_fetch() */
+
+
+struct dns_packet *dns_so_query(struct dns_socket *so, struct dns_packet *Q, struct sockaddr *host, int *error_) {
+       struct dns_packet *A;
+       int error;
+
+       if (!so->state) {
+               if ((error = dns_so_submit(so, Q, host)))
+                       goto error;
+       }
+
+       if ((error = dns_so_check(so)))
+               goto error;
+
+       if (!(A = dns_so_fetch(so, &error)))
+               goto error;
+
+       dns_so_reset(so);
+
+       return A;
+error:
+       *error_ = error;
+
+       return 0;
+} /* dns_so_query() */
+
+
+time_t dns_so_elapsed(struct dns_socket *so) {
+       return dns_elapsed(&so->elapsed);
+} /* dns_so_elapsed() */
+
+
+void dns_so_clear(struct dns_socket *so) {
+       dns_so_closefds(so, DNS_SO_CLOSE_OLD);
+} /* dns_so_clear() */
+
+
+static int dns_so_events2(struct dns_socket *so, enum dns_events type) {
+       int events = 0;
+
+       switch (so->state) {
+       case DNS_SO_UDP_CONN:
+       case DNS_SO_UDP_SEND:
+               events |= DNS_POLLOUT;
+
+               break;
+       case DNS_SO_UDP_RECV:
+               events |= DNS_POLLIN;
+
+               break;
+       case DNS_SO_TCP_CONN:
+       case DNS_SO_TCP_SEND:
+               events |= DNS_POLLOUT;
+
+               break;
+       case DNS_SO_TCP_RECV:
+               events |= DNS_POLLIN;
+
+               break;
+       } /* switch() */
+
+       switch (type) {
+       case DNS_LIBEVENT:
+               return DNS_POLL2EV(events);
+       default:
+               return events;
+       } /* switch() */
+} /* dns_so_events2() */
+
+
+int dns_so_events(struct dns_socket *so) {
+       return dns_so_events2(so, so->opts.events);
+} /* dns_so_events() */
+
+
+int dns_so_pollfd(struct dns_socket *so) {
+       switch (so->state) {
+       case DNS_SO_UDP_CONN:
+       case DNS_SO_UDP_SEND:
+       case DNS_SO_UDP_RECV:
+               return so->udp;
+       case DNS_SO_TCP_CONN:
+       case DNS_SO_TCP_SEND:
+       case DNS_SO_TCP_RECV:
+               return so->tcp;
+       } /* switch() */
+
+       return -1;
+} /* dns_so_pollfd() */
+
+
+int dns_so_poll(struct dns_socket *so, int timeout) {
+       return dns_poll(dns_so_pollfd(so), dns_so_events2(so, DNS_SYSPOLL), timeout);
+} /* dns_so_poll() */
+
+
+const struct dns_stat *dns_so_stat(struct dns_socket *so) {
+       return &so->stat;
+} /* dns_so_stat() */
+
+
+struct dns_trace *dns_so_trace(struct dns_socket *so) {
+       return so->trace;
+} /* dns_so_trace() */
+
+
+void dns_so_settrace(struct dns_socket *so, struct dns_trace *trace) {
+       struct dns_trace *otrace = so->trace;
+       so->trace = dns_trace_acquire_p(trace);
+       dns_trace_close(otrace);
+} /* dns_so_settrace() */
+
+
+/*
+ * R E S O L V E R  R O U T I N E S
+ *
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+enum dns_res_state {
+       DNS_R_INIT,
+       DNS_R_GLUE,
+       DNS_R_SWITCH,           /* (B)IND, (F)ILE, (C)ACHE */
+
+       DNS_R_FILE,             /* Lookup in local hosts database */
+
+       DNS_R_CACHE,            /* Lookup in application cache */
+       DNS_R_SUBMIT,
+       DNS_R_CHECK,
+       DNS_R_FETCH,
+
+       DNS_R_BIND,             /* Lookup in the network */
+       DNS_R_SEARCH,
+       DNS_R_HINTS,
+       DNS_R_ITERATE,
+       DNS_R_FOREACH_NS,
+       DNS_R_RESOLV0_NS,       /* Prologue: Setup next frame and recurse */
+       DNS_R_RESOLV1_NS,       /* Epilog: Inspect answer */
+       DNS_R_FOREACH_A,
+       DNS_R_QUERY_A,
+       DNS_R_CNAME0_A,
+       DNS_R_CNAME1_A,
+
+       DNS_R_FINISH,
+       DNS_R_SMART0_A,
+       DNS_R_SMART1_A,
+       DNS_R_DONE,
+       DNS_R_SERVFAIL,
+}; /* enum dns_res_state */
+
+
+#define DNS_R_MAXDEPTH 8
+#define DNS_R_ENDFRAME (DNS_R_MAXDEPTH - 1)
+
+struct dns_resolver {
+       struct dns_socket so;
+
+       struct dns_resolv_conf *resconf;
+       struct dns_hosts *hosts;
+       struct dns_hints *hints;
+       struct dns_cache *cache;
+       struct dns_trace *trace;
+
+       dns_atomic_t refcount;
+
+       /* Reset zeroes everything below here. */
+
+       char qname[DNS_D_MAXNAME + 1];
+       size_t qlen;
+
+       enum dns_type qtype;
+       enum dns_class qclass;
+
+       struct dns_clock elapsed;
+
+       dns_resconf_i_t search;
+
+       struct dns_rr_i smart;
+
+       struct dns_packet *nodata; /* answer if nothing better */
+
+       unsigned sp;
+
+       struct dns_res_frame {
+               enum dns_res_state state;
+
+               int error;
+               int which;      /* (B)IND, (F)ILE; index into resconf->lookup */
+               int qflags;
+
+               unsigned attempts;
+
+               struct dns_packet *query, *answer, *hints;
+
+               struct dns_rr_i hints_i, hints_j;
+               struct dns_rr hints_ns, ans_cname;
+       } stack[DNS_R_MAXDEPTH];
+}; /* struct dns_resolver */
+
+
+static int dns_res_tcp2type(int tcp) {
+       switch (tcp) {
+       case DNS_RESCONF_TCP_ONLY:
+       case DNS_RESCONF_TCP_SOCKS:
+               return SOCK_STREAM;
+       case DNS_RESCONF_TCP_DISABLE:
+               return SOCK_DGRAM;
+       default:
+               return 0;
+       }
+} /* dns_res_tcp2type() */
+
+struct dns_resolver *dns_res_open(struct dns_resolv_conf *resconf, struct dns_hosts *hosts, struct dns_hints *hints, struct dns_cache *cache, const struct dns_options *opts, int *_error) {
+       static const struct dns_resolver R_initializer
+               = { .refcount = 1, };
+       struct dns_resolver *R  = 0;
+       int type, error;
+
+       /*
+        * Grab ref count early because the caller may have passed us a mortal
+        * reference, and we want to do the right thing if we return early
+        * from an error.
+        */
+       if (resconf)
+               dns_resconf_acquire(resconf);
+       if (hosts)
+               dns_hosts_acquire(hosts);
+       if (hints)
+               dns_hints_acquire(hints);
+       if (cache)
+               dns_cache_acquire(cache);
+
+       /*
+        * Don't try to load it ourselves because a NULL object might be an
+        * error from, say, dns_resconf_root(), and loading
+        * dns_resconf_local() by default would create undesirable surpises.
+        */
+       if (!resconf || !hosts || !hints) {
+               if (!*_error)
+                       *_error = EINVAL;
+               goto _error;
+       }
+
+       if (!(R = malloc(sizeof *R)))
+               goto syerr;
+
+       *R      = R_initializer;
+       type    = dns_res_tcp2type(resconf->options.tcp);
+
+       if (!dns_so_init(&R->so, (struct sockaddr *)&resconf->iface, type, opts, &error))
+               goto error;
+
+       R->resconf      = resconf;
+       R->hosts        = hosts;
+       R->hints        = hints;
+       R->cache        = cache;
+
+       return R;
+syerr:
+       error   = dns_syerr();
+error:
+       *_error = error;
+_error:
+       dns_res_close(R);
+
+       dns_resconf_close(resconf);
+       dns_hosts_close(hosts);
+       dns_hints_close(hints);
+       dns_cache_close(cache);
+
+       return 0;
+} /* dns_res_open() */
+
+
+struct dns_resolver *dns_res_stub(const struct dns_options *opts, int *error) {
+       struct dns_resolv_conf *resconf = 0;
+       struct dns_hosts *hosts         = 0;
+       struct dns_hints *hints         = 0;
+       struct dns_resolver *res        = 0;
+
+       if (!(resconf = dns_resconf_local(error)))
+               goto epilog;
+
+       if (!(hosts = dns_hosts_local(error)))
+               goto epilog;
+
+       if (!(hints = dns_hints_local(resconf, error)))
+               goto epilog;
+
+       if (!(res = dns_res_open(resconf, hosts, hints, NULL, opts, error)))
+               goto epilog;
+
+epilog:
+       dns_resconf_close(resconf);
+       dns_hosts_close(hosts);
+       dns_hints_close(hints);
+
+       return res;
+} /* dns_res_stub() */
+
+
+static void dns_res_frame_destroy(struct dns_resolver *R, struct dns_res_frame *frame) {
+       (void)R;
+
+       dns_p_setptr(&frame->query, NULL);
+       dns_p_setptr(&frame->answer, NULL);
+       dns_p_setptr(&frame->hints, NULL);
+} /* dns_res_frame_destroy() */
+
+
+static void dns_res_frame_init(struct dns_resolver *R, struct dns_res_frame *frame) {
+       memset(frame, '\0', sizeof *frame);
+
+       /*
+        * NB: Can be invoked from dns_res_open, before R->resconf has been
+        * initialized.
+        */
+       if (R->resconf) {
+               if (!R->resconf->options.recurse)
+                       frame->qflags |= DNS_Q_RD;
+               if (R->resconf->options.edns0)
+                       frame->qflags |= DNS_Q_EDNS0;
+       }
+} /* dns_res_frame_init() */
+
+
+static void dns_res_frame_reset(struct dns_resolver *R, struct dns_res_frame *frame) {
+       dns_res_frame_destroy(R, frame);
+       dns_res_frame_init(R, frame);
+} /* dns_res_frame_reset() */
+
+
+static dns_error_t dns_res_frame_prepare(struct dns_resolver *R, struct dns_res_frame *F, const char *qname, enum dns_type qtype, enum dns_class qclass) {
+       struct dns_packet *P = NULL;
+
+       if (!(F < endof(R->stack)))
+               return DNS_EUNKNOWN;
+
+       dns_p_movptr(&P, &F->query);
+       dns_res_frame_reset(R, F);
+       dns_p_movptr(&F->query, &P);
+
+       return dns_q_make(&F->query, qname, qtype, qclass, F->qflags);
+} /* dns_res_frame_prepare() */
+
+
+void dns_res_reset(struct dns_resolver *R) {
+       unsigned i;
+
+       dns_so_reset(&R->so);
+       dns_p_setptr(&R->nodata, NULL);
+
+       for (i = 0; i < lengthof(R->stack); i++)
+               dns_res_frame_destroy(R, &R->stack[i]);
+
+       memset(&R->qname, '\0', sizeof *R - offsetof(struct dns_resolver, qname));
+
+       for (i = 0; i < lengthof(R->stack); i++)
+               dns_res_frame_init(R, &R->stack[i]);
+} /* dns_res_reset() */
+
+
+void dns_res_close(struct dns_resolver *R) {
+       if (!R || 1 < dns_res_release(R))
+               return;
+
+       dns_res_reset(R);
+
+       dns_so_destroy(&R->so);
+
+       dns_hints_close(R->hints);
+       dns_hosts_close(R->hosts);
+       dns_resconf_close(R->resconf);
+       dns_cache_close(R->cache);
+       dns_trace_close(R->trace);
+
+       free(R);
+} /* dns_res_close() */
+
+
+dns_refcount_t dns_res_acquire(struct dns_resolver *R) {
+       return dns_atomic_fetch_add(&R->refcount);
+} /* dns_res_acquire() */
+
+
+dns_refcount_t dns_res_release(struct dns_resolver *R) {
+       return dns_atomic_fetch_sub(&R->refcount);
+} /* dns_res_release() */
+
+
+struct dns_resolver *dns_res_mortal(struct dns_resolver *res) {
+       if (res)
+               dns_res_release(res);
+       return res;
+} /* dns_res_mortal() */
+
+
+static struct dns_packet *dns_res_merge(struct dns_packet *P0, struct dns_packet *P1, int *error_) {
+       size_t bufsiz   = P0->end + P1->end;
+       struct dns_packet *P[3] = { P0, P1, 0 };
+       struct dns_rr rr[3];
+       int error, copy, i;
+       enum dns_section section;
+
+retry:
+       if (!(P[2] = dns_p_make(bufsiz, &error)))
+               goto error;
+
+       dns_rr_foreach(&rr[0], P[0], .section = DNS_S_QD) {
+               if ((error = dns_rr_copy(P[2], &rr[0], P[0])))
+                       goto error;
+       }
+
+       for (section = DNS_S_AN; (DNS_S_ALL & section); section <<= 1) {
+               for (i = 0; i < 2; i++) {
+                       dns_rr_foreach(&rr[i], P[i], .section = section) {
+                               copy    = 1;
+
+                               dns_rr_foreach(&rr[2], P[2], .type = rr[i].type, .section = (DNS_S_ALL & ~DNS_S_QD)) {
+                                       if (0 == dns_rr_cmp(&rr[i], P[i], &rr[2], P[2])) {
+                                               copy    = 0;
+
+                                               break;
+                                       }
+                               }
+
+                               if (copy && (error = dns_rr_copy(P[2], &rr[i], P[i]))) {
+                                       if (error == DNS_ENOBUFS && bufsiz < 65535) {
+                                               dns_p_setptr(&P[2], NULL);
+
+                                               bufsiz  = DNS_PP_MAX(65535, bufsiz * 2);
+
+                                               goto retry;
+                                       }
+
+                                       goto error;
+                               }
+                       } /* foreach(rr) */
+               } /* foreach(packet) */
+       } /* foreach(section) */
+
+       return P[2];
+error:
+       *error_ = error;
+
+       dns_p_free(P[2]);
+
+       return 0;
+} /* dns_res_merge() */
+
+
+static struct dns_packet *dns_res_glue(struct dns_resolver *R, struct dns_packet *Q) {
+       struct dns_packet *P    = dns_p_new(512);
+       char qname[DNS_D_MAXNAME + 1];
+       size_t qlen;
+       enum dns_type qtype;
+       struct dns_rr rr;
+       unsigned sp;
+       int error;
+
+       if (!(qlen = dns_d_expand(qname, sizeof qname, 12, Q, &error))
+       ||  qlen >= sizeof qname)
+               return 0;
+
+       if (!(qtype = dns_rr_type(12, Q)))
+               return 0;
+
+       if ((error = dns_p_push(P, DNS_S_QD, qname, strlen(qname), qtype, DNS_C_IN, 0, 0)))
+               return 0;
+
+       for (sp = 0; sp <= R->sp; sp++) {
+               if (!R->stack[sp].answer)
+                       continue;
+
+               dns_rr_foreach(&rr, R->stack[sp].answer, .name = qname, .type = qtype, .section = (DNS_S_ALL & ~DNS_S_QD)) {
+                       rr.section      = DNS_S_AN;
+
+                       if ((error = dns_rr_copy(P, &rr, R->stack[sp].answer)))
+                               return 0;
+               }
+       }
+
+       if (dns_p_count(P, DNS_S_AN) > 0)
+               goto copy;
+
+       /* Otherwise, look for a CNAME */
+       for (sp = 0; sp <= R->sp; sp++) {
+               if (!R->stack[sp].answer)
+                       continue;
+
+               dns_rr_foreach(&rr, R->stack[sp].answer, .name = qname, .type = DNS_T_CNAME, .section = (DNS_S_ALL & ~DNS_S_QD)) {
+                       rr.section      = DNS_S_AN;
+
+                       if ((error = dns_rr_copy(P, &rr, R->stack[sp].answer)))
+                               return 0;
+               }
+       }
+
+       if (!dns_p_count(P, DNS_S_AN))
+               return 0;
+
+copy:
+       return dns_p_copy(dns_p_make(P->end, &error), P);
+} /* dns_res_glue() */
+
+
+/*
+ * Sort NS records by three criteria:
+ *
+ *     1) Whether glue is present.
+ *     2) Whether glue record is original or of recursive lookup.
+ *     3) Randomly shuffle records which share the above criteria.
+ *
+ * NOTE: Assumes only NS records passed, AND ASSUMES no new NS records will
+ *       be added during an iteration.
+ *
+ * FIXME: Only groks A glue, not AAAA glue.
+ */
+static int dns_res_nameserv_cmp(struct dns_rr *a, struct dns_rr *b, struct dns_rr_i *i, struct dns_packet *P) {
+       _Bool glued[2] = { 0 };
+       struct dns_rr x = { 0 }, y = { 0 };
+       struct dns_ns ns;
+       int cmp, error;
+
+       if (!(error = dns_ns_parse(&ns, a, P)))
+               glued[0] = !!dns_rr_grep(&x, 1, dns_rr_i_new(P, .section = (DNS_S_ALL & ~DNS_S_QD), .name = ns.host, .type = DNS_T_A), P, &error);
+
+       if (!(error = dns_ns_parse(&ns, b, P)))
+               glued[1] = !!dns_rr_grep(&y, 1, dns_rr_i_new(P, .section = (DNS_S_ALL & ~DNS_S_QD), .name = ns.host, .type = DNS_T_A), P, &error);
+
+       if ((cmp = glued[1] - glued[0])) {
+               return cmp;
+       } else if ((cmp = (dns_rr_offset(&y) < i->args[0]) - (dns_rr_offset(&x) < i->args[0]))) {
+               return cmp;
+       } else {
+               return dns_rr_i_shuffle(a, b, i, P);
+       }
+} /* dns_res_nameserv_cmp() */
+
+
+#define dgoto(sp, i)   \
+       do { R->stack[(sp)].state = (i); goto exec; } while (0)
+
+static int dns_res_exec(struct dns_resolver *R) {
+       struct dns_res_frame *F;
+       struct dns_packet *P;
+       union {
+               char host[DNS_D_MAXNAME + 1];
+               char name[DNS_D_MAXNAME + 1];
+               struct dns_ns ns;
+               struct dns_cname cname;
+       } u;
+       size_t len;
+       struct dns_rr rr;
+       int error;
+
+exec:
+
+       F       = &R->stack[R->sp];
+
+       switch (F->state) {
+       case DNS_R_INIT:
+               F->state++;
+       case DNS_R_GLUE:
+               if (R->sp == 0)
+                       dgoto(R->sp, DNS_R_SWITCH);
+
+               if (!F->query)
+                       goto noquery;
+
+               if (!(F->answer = dns_res_glue(R, F->query)))
+                       dgoto(R->sp, DNS_R_SWITCH);
+
+               if (!(len = dns_d_expand(u.name, sizeof u.name, 12, F->query, &error)))
+                       goto error;
+               else if (len >= sizeof u.name)
+                       goto toolong;
+
+               dns_rr_foreach(&rr, F->answer, .name = u.name, .type = dns_rr_type(12, F->query), .section = DNS_S_AN) {
+                       dgoto(R->sp, DNS_R_FINISH);
+               }
+
+               dns_rr_foreach(&rr, F->answer, .name = u.name, .type = DNS_T_CNAME, .section = DNS_S_AN) {
+                       F->ans_cname    = rr;
+
+                       dgoto(R->sp, DNS_R_CNAME0_A);
+               }
+
+               F->state++;
+       case DNS_R_SWITCH:
+               while (F->which < (int)sizeof R->resconf->lookup && R->resconf->lookup[F->which]) {
+                       switch (R->resconf->lookup[F->which++]) {
+                       case 'b': case 'B':
+                               dgoto(R->sp, DNS_R_BIND);
+                       case 'f': case 'F':
+                               dgoto(R->sp, DNS_R_FILE);
+                       case 'c': case 'C':
+                               if (R->cache)
+                                       dgoto(R->sp, DNS_R_CACHE);
+
+                               break;
+                       default:
+                               break;
+                       }
+               }
+
+               /*
+                * FIXME: Examine more closely whether our logic is correct
+                * and DNS_R_SERVFAIL is the correct default response.
+                *
+                * Case 1: We got here because we never got an answer on the
+                *   wire. All queries timed-out and we reached maximum
+                *   attempts count. See DNS_R_FOREACH_NS. In that case
+                *   DNS_R_SERVFAIL is the correct state, unless we want to
+                *   return DNS_ETIMEDOUT.
+                *
+                * Case 2: We were a stub resolver and got an unsatisfactory
+                *   answer (empty ANSWER section) which caused us to jump
+                *   back to DNS_R_SEARCH and ultimately to DNS_R_SWITCH. We
+                *   return the answer returned from the wire, which we
+                *   stashed in R->nodata.
+                *
+                * Case 3: We reached maximum attempts count as in case #1,
+                *   but never got an authoritative response which caused us
+                *   to short-circuit. See end of DNS_R_QUERY_A case. We
+                *   should probably prepare R->nodata as in case #2.
+                */
+               if (R->sp == 0 && R->nodata) { /* XXX: can we just return nodata regardless? */
+                       dns_p_movptr(&F->answer, &R->nodata);
+                       dgoto(R->sp, DNS_R_FINISH);
+               }
+
+               dgoto(R->sp, DNS_R_SERVFAIL);
+       case DNS_R_FILE:
+               if (R->sp > 0) {
+                       if (!dns_p_setptr(&F->answer, dns_hosts_query(R->hosts, F->query, &error)))
+                               goto error;
+
+                       if (dns_p_count(F->answer, DNS_S_AN) > 0)
+                               dgoto(R->sp, DNS_R_FINISH);
+
+                       dns_p_setptr(&F->answer, NULL);
+               } else {
+                       R->search = 0;
+
+                       while ((len = dns_resconf_search(u.name, sizeof u.name, R->qname, R->qlen, R->resconf, &R->search))) {
+                               if ((error = dns_q_make2(&F->query, u.name, len, R->qtype, R->qclass, F->qflags)))
+                                       goto error;
+
+                               if (!dns_p_setptr(&F->answer, dns_hosts_query(R->hosts, F->query, &error)))
+                                       goto error;
+
+                               if (dns_p_count(F->answer, DNS_S_AN) > 0)
+                                       dgoto(R->sp, DNS_R_FINISH);
+
+                               dns_p_setptr(&F->answer, NULL);
+                       }
+               }
+
+               dgoto(R->sp, DNS_R_SWITCH);
+       case DNS_R_CACHE:
+               error = 0;
+
+               if (!F->query && (error = dns_q_make(&F->query, R->qname, R->qtype, R->qclass, F->qflags)))
+                       goto error;
+
+               if (dns_p_setptr(&F->answer, R->cache->query(F->query, R->cache, &error))) {
+                       if (dns_p_count(F->answer, DNS_S_AN) > 0)
+                               dgoto(R->sp, DNS_R_FINISH);
+
+                       dns_p_setptr(&F->answer, NULL);
+
+                       dgoto(R->sp, DNS_R_SWITCH);
+               } else if (error)
+                       goto error;
+
+               F->state++;
+       case DNS_R_SUBMIT:
+               if ((error = R->cache->submit(F->query, R->cache)))
+                       goto error;
+
+               F->state++;
+       case DNS_R_CHECK:
+               if ((error = R->cache->check(R->cache)))
+                       goto error;
+
+               F->state++;
+       case DNS_R_FETCH:
+               error = 0;
+
+               if (dns_p_setptr(&F->answer, R->cache->fetch(R->cache, &error))) {
+                       if (dns_p_count(F->answer, DNS_S_AN) > 0)
+                               dgoto(R->sp, DNS_R_FINISH);
+
+                       dns_p_setptr(&F->answer, NULL);
+
+                       dgoto(R->sp, DNS_R_SWITCH);
+               } else if (error)
+                       goto error;
+
+               dgoto(R->sp, DNS_R_SWITCH);
+       case DNS_R_BIND:
+               if (R->sp > 0) {
+                       if (!F->query)
+                               goto noquery;
+
+                       dgoto(R->sp, DNS_R_HINTS);
+               }
+
+               R->search = 0;
+
+               F->state++;
+       case DNS_R_SEARCH:
+               /*
+                * XXX: We probably should only apply the domain search
+                * algorithm if R->sp == 0.
+                */
+               if (!(len = dns_resconf_search(u.name, sizeof u.name, R->qname, R->qlen, R->resconf, &R->search)))
+                       dgoto(R->sp, DNS_R_SWITCH);
+
+               if ((error = dns_q_make2(&F->query, u.name, len, R->qtype, R->qclass, F->qflags)))
+                       goto error;
+
+               F->state++;
+       case DNS_R_HINTS:
+               if (!dns_p_setptr(&F->hints, dns_hints_query(R->hints, F->query, &error)))
+                       goto error;
+
+               F->state++;
+       case DNS_R_ITERATE:
+               dns_rr_i_init(&F->hints_i, F->hints);
+
+               F->hints_i.section      = DNS_S_AUTHORITY;
+               F->hints_i.type         = DNS_T_NS;
+               F->hints_i.sort         = &dns_res_nameserv_cmp;
+               F->hints_i.args[0]      = F->hints->end;
+
+               F->state++;
+       case DNS_R_FOREACH_NS:
+               dns_rr_i_save(&F->hints_i);
+
+               /* Load our next nameserver host. */
+               if (!dns_rr_grep(&F->hints_ns, 1, &F->hints_i, F->hints, &error)) {
+                       if (++F->attempts < R->resconf->options.attempts)
+                               dgoto(R->sp, DNS_R_ITERATE);
+
+                       dgoto(R->sp, DNS_R_SWITCH);
+               }
+
+               dns_rr_i_init(&F->hints_j, F->hints);
+
+               /* Assume there are glue records */
+               dgoto(R->sp, DNS_R_FOREACH_A);
+       case DNS_R_RESOLV0_NS:
+               /* Have we reached our max depth? */
+               if (&F[1] >= endof(R->stack))
+                       dgoto(R->sp, DNS_R_FOREACH_NS);
+
+               if ((error = dns_ns_parse(&u.ns, &F->hints_ns, F->hints)))
+                       goto error;
+               if ((error = dns_res_frame_prepare(R, &F[1], u.ns.host, DNS_T_A, DNS_C_IN)))
+                       goto error;
+
+               F->state++;
+
+               dgoto(++R->sp, DNS_R_INIT);
+       case DNS_R_RESOLV1_NS:
+               if (!(len = dns_d_expand(u.host, sizeof u.host, 12, F[1].query, &error)))
+                       goto error;
+               else if (len >= sizeof u.host)
+                       goto toolong;
+
+               dns_rr_foreach(&rr, F[1].answer, .name = u.host, .type = DNS_T_A, .section = (DNS_S_ALL & ~DNS_S_QD)) {
+                       rr.section      = DNS_S_AR;
+
+                       if ((error = dns_rr_copy(F->hints, &rr, F[1].answer)))
+                               goto error;
+
+                       dns_rr_i_rewind(&F->hints_i);   /* Now there's glue. */
+               }
+
+               dgoto(R->sp, DNS_R_FOREACH_NS);
+       case DNS_R_FOREACH_A: {
+               struct dns_a a;
+               struct sockaddr_in sin;
+
+               /*
+                * NOTE: Iterator initialized in DNS_R_FOREACH_NS because
+                * this state is re-entrant, but we need to reset
+                * .name to a valid pointer each time.
+                */
+               if ((error = dns_ns_parse(&u.ns, &F->hints_ns, F->hints)))
+                       goto error;
+
+               F->hints_j.name         = u.ns.host;
+               F->hints_j.type         = DNS_T_A;
+               F->hints_j.section      = DNS_S_ALL & ~DNS_S_QD;
+
+               if (!dns_rr_grep(&rr, 1, &F->hints_j, F->hints, &error)) {
+                       if (!dns_rr_i_count(&F->hints_j))
+                               dgoto(R->sp, DNS_R_RESOLV0_NS);
+
+                       dgoto(R->sp, DNS_R_FOREACH_NS);
+               }
+
+               if ((error = dns_a_parse(&a, &rr, F->hints)))
+                       goto error;
+
+               memset(&sin, '\0', sizeof sin); /* NB: silence valgrind */
+               sin.sin_family  = AF_INET;
+               sin.sin_addr    = a.addr;
+               if (R->sp == 0)
+                       sin.sin_port = dns_hints_port(R->hints, AF_INET, &sin.sin_addr);
+               else
+                       sin.sin_port = htons(53);
+
+               if (DNS_DEBUG) {
+                       char addr[INET_ADDRSTRLEN + 1];
+                       dns_a_print(addr, sizeof addr, &a);
+                       dns_header(F->query)->qid = dns_so_mkqid(&R->so);
+                       DNS_SHOW(F->query, "ASKING: %s/%s @ DEPTH: %u)", u.ns.host, addr, R->sp);
+               }
+
+               dns_trace_setcname(R->trace, u.ns.host, (struct sockaddr *)&sin);
+
+               if ((error = dns_so_submit(&R->so, F->query, (struct sockaddr *)&sin)))
+                       goto error;
+
+               F->state++;
+       }
+       case DNS_R_QUERY_A:
+               if (dns_so_elapsed(&R->so) >= dns_resconf_timeout(R->resconf))
+                       dgoto(R->sp, DNS_R_FOREACH_A);
+
+               if ((error = dns_so_check(&R->so)))
+                       goto error;
+
+               if (!dns_p_setptr(&F->answer, dns_so_fetch(&R->so, &error)))
+                       goto error;
+
+               if (DNS_DEBUG) {
+                       DNS_SHOW(F->answer, "ANSWER @ DEPTH: %u)", R->sp);
+               }
+
+               if (dns_p_rcode(F->answer) == DNS_RC_FORMERR ||
+                   dns_p_rcode(F->answer) == DNS_RC_NOTIMP ||
+                   dns_p_rcode(F->answer) == DNS_RC_BADVERS) {
+                       /* Temporarily disable EDNS0 and try again. */
+                       if (F->qflags & DNS_Q_EDNS0) {
+                               F->qflags &= ~DNS_Q_EDNS0;
+                               if ((error = dns_q_remake(&F->query, F->qflags)))
+                                       goto error;
+
+                               dgoto(R->sp, DNS_R_FOREACH_A);
+                       }
+               }
+
+               if ((error = dns_rr_parse(&rr, 12, F->query)))
+                       goto error;
+
+               if (!(len = dns_d_expand(u.name, sizeof u.name, rr.dn.p, F->query, &error)))
+                       goto error;
+               else if (len >= sizeof u.name)
+                       goto toolong;
+
+               dns_rr_foreach(&rr, F->answer, .section = DNS_S_AN, .name = u.name, .type = rr.type) {
+                       dgoto(R->sp, DNS_R_FINISH);     /* Found */
+               }
+
+               dns_rr_foreach(&rr, F->answer, .section = DNS_S_AN, .name = u.name, .type = DNS_T_CNAME) {
+                       F->ans_cname    = rr;
+
+                       dgoto(R->sp, DNS_R_CNAME0_A);
+               }
+
+               /*
+                * XXX: The condition here should probably check whether
+                * R->sp == 0, because DNS_R_SEARCH runs regardless of
+                * options.recurse. See DNS_R_BIND.
+                */
+               if (!R->resconf->options.recurse) {
+                       /* Make first answer our tentative answer */
+                       if (!R->nodata)
+                               dns_p_movptr(&R->nodata, &F->answer);
+
+                       dgoto(R->sp, DNS_R_SEARCH);
+               }
+
+               dns_rr_foreach(&rr, F->answer, .section = DNS_S_NS, .type = DNS_T_NS) {
+                       dns_p_movptr(&F->hints, &F->answer);
+
+                       dgoto(R->sp, DNS_R_ITERATE);
+               }
+
+               /* XXX: Should this go further up? */
+               if (dns_header(F->answer)->aa)
+                       dgoto(R->sp, DNS_R_FINISH);
+
+               /* XXX: Should we copy F->answer to R->nodata? */
+
+               dgoto(R->sp, DNS_R_FOREACH_A);
+       case DNS_R_CNAME0_A:
+               if (&F[1] >= endof(R->stack))
+                       dgoto(R->sp, DNS_R_FINISH);
+
+               if ((error = dns_cname_parse(&u.cname, &F->ans_cname, F->answer)))
+                       goto error;
+               if ((error = dns_res_frame_prepare(R, &F[1], u.cname.host, dns_rr_type(12, F->query), DNS_C_IN)))
+                       goto error;
+
+               F->state++;
+
+               dgoto(++R->sp, DNS_R_INIT);
+       case DNS_R_CNAME1_A:
+               if (!(P = dns_res_merge(F->answer, F[1].answer, &error)))
+                       goto error;
+
+               dns_p_setptr(&F->answer, P);
+
+               dgoto(R->sp, DNS_R_FINISH);
+       case DNS_R_FINISH:
+               if (!F->answer)
+                       goto noanswer;
+
+               if (!R->resconf->options.smart || R->sp > 0)
+                       dgoto(R->sp, DNS_R_DONE);
+
+               R->smart.section        = DNS_S_AN;
+               R->smart.type           = R->qtype;
+
+               dns_rr_i_init(&R->smart, F->answer);
+
+               F->state++;
+       case DNS_R_SMART0_A:
+               if (&F[1] >= endof(R->stack))
+                       dgoto(R->sp, DNS_R_DONE);
+
+               while (dns_rr_grep(&rr, 1, &R->smart, F->answer, &error)) {
+                       union {
+                               struct dns_ns ns;
+                               struct dns_mx mx;
+                               struct dns_srv srv;
+                       } rd;
+                       const char *qname;
+                       enum dns_type qtype;
+                       enum dns_class qclass;
+
+                       switch (rr.type) {
+                       case DNS_T_NS:
+                               if ((error = dns_ns_parse(&rd.ns, &rr, F->answer)))
+                                       goto error;
+
+                               qname   = rd.ns.host;
+                               qtype   = DNS_T_A;
+                               qclass  = DNS_C_IN;
+
+                               break;
+                       case DNS_T_MX:
+                               if ((error = dns_mx_parse(&rd.mx, &rr, F->answer)))
+                                       goto error;
+
+                               qname   = rd.mx.host;
+                               qtype   = DNS_T_A;
+                               qclass  = DNS_C_IN;
+
+                               break;
+                       case DNS_T_SRV:
+                               if ((error = dns_srv_parse(&rd.srv, &rr, F->answer)))
+                                       goto error;
+
+                               qname   = rd.srv.target;
+                               qtype   = DNS_T_A;
+                               qclass  = DNS_C_IN;
+
+                               break;
+                       default:
+                               continue;
+                       } /* switch() */
+
+                       if ((error = dns_res_frame_prepare(R, &F[1], qname, qtype, qclass)))
+                               goto error;
+
+                       F->state++;
+
+                       dgoto(++R->sp, DNS_R_INIT);
+               } /* while() */
+
+               /*
+                * NOTE: SMTP specification says to fallback&