about summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--.gitignore10
-rw-r--r--AUTHORS2
-rw-r--r--COPYING13
-rw-r--r--INSTALL167
-rw-r--r--Makefile149
-rw-r--r--NEWS6
-rw-r--r--README27
-rw-r--r--configure475
-rw-r--r--doc/dnsfunnel-daemon.html112
-rw-r--r--doc/dnsfunnel-translate.html70
-rw-r--r--doc/dnsfunneld.html160
-rw-r--r--doc/index.html116
-rw-r--r--doc/upgrade.html28
-rw-r--r--package/deps-build2
-rw-r--r--package/deps.mak16
-rw-r--r--package/info4
-rw-r--r--package/modes3
-rw-r--r--package/targets.mak7
-rw-r--r--src/dnsfunnel/deps-exe/dnsfunnel-daemon1
-rw-r--r--src/dnsfunnel/deps-exe/dnsfunnel-translate1
-rw-r--r--src/dnsfunnel/deps-exe/dnsfunneld4
-rw-r--r--src/dnsfunnel/dnsfunnel-daemon.c150
-rw-r--r--src/dnsfunnel/dnsfunnel-translate.c93
-rw-r--r--src/dnsfunnel/dnsfunneld.c305
-rw-r--r--src/dnsfunnel/dnsfunneld.h44
-rw-r--r--src/dnsfunnel/dnsfunneld_answer.c132
-rw-r--r--src/dnsfunnel/dnsfunneld_process.c136
-rwxr-xr-xtools/gen-deps.sh93
-rwxr-xr-xtools/install.sh64
29 files changed, 2390 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..8c7ef95
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,10 @@
+*.o
+*.a
+*.lo
+*.so
+*.so.*
+/config.mak
+/src/include/dnsfunnel/config.h
+/dnsfunnel-daemon
+/dnsfunneld
+/dnsfunnel-translate
diff --git a/AUTHORS b/AUTHORS
new file mode 100644
index 0000000..7a708a1
--- /dev/null
+++ b/AUTHORS
@@ -0,0 +1,2 @@
+Main author:
+  Laurent Bercot <ska-skaware@skarnet.org>
diff --git a/COPYING b/COPYING
new file mode 100644
index 0000000..6b16aad
--- /dev/null
+++ b/COPYING
@@ -0,0 +1,13 @@
+Copyright (c) 2020 Laurent Bercot <ska-skaware@skarnet.org>
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
diff --git a/INSTALL b/INSTALL
new file mode 100644
index 0000000..2c3583d
--- /dev/null
+++ b/INSTALL
@@ -0,0 +1,167 @@
+Build Instructions
+------------------
+
+* Requirements
+  ------------
+
+  - A POSIX-compliant C development environment
+  - GNU make version 3.81 or later
+  - skalibs version 2.10.0.0 or later: https://skarnet.org/software/skalibs/
+  - s6-dns version 2.3.3.0 or later: https://skarnet.org/software/s6-dns/
+
+ This software will run on any operating system that implements
+POSIX.1-2008, available at:
+  http://pubs.opengroup.org/onlinepubs/9699919799/
+
+
+* Standard usage
+  --------------
+
+  ./configure && make && sudo make install
+
+ will work for most users.
+ It will install the binaries in /bin.
+
+ You can strip the binaries and libraries of their extra symbols via
+"make strip" before the "make install" phase. It will shave a few bytes
+off them.
+
+
+* Customization
+  -------------
+
+ You can customize paths via flags given to configure.
+ See ./configure --help for a list of all available configure options.
+
+
+* Environment variables
+  ---------------------
+
+ Controlling a build process via environment variables is a big and
+dangerous hammer. You should try and pass flags to configure instead;
+nevertheless, a few standard environment variables are recognized.
+
+ If the CC environment variable is set, its value will override compiler
+detection by configure. The --host=HOST option will still add a HOST-
+prefix to the value of CC.
+
+ The values of CFLAGS, CPPFLAGS and LDFLAGS will be appended to flags
+auto-detected by configure. To entirely override the flags set by
+configure instead, use make variables.
+
+
+* Make variables
+  --------------
+
+ You can invoke make with a few variables for more configuration.
+
+ CC, CFLAGS, CPPFLAGS, LDFLAGS, LDLIBS, AR, RANLIB, STRIP, INSTALL and
+CROSS_COMPILE can all be overridden on the make command line. This is
+an even bigger hammer than running ./configure with environment
+variables, so it is advised to only do this when it is the only way of
+obtaining the behaviour you want.
+
+ DESTDIR can be given on the "make install" command line in order to
+install to a staging directory.
+
+
+* Shared libraries
+  ----------------
+
+ Software from skarnet.org is small enough that shared libraries are
+generally not worth using. Static linking is simpler and incurs less
+runtime overhead and less points of failure: so by default, shared
+libraries are not built and binaries are linked against the static
+versions of the skarnet.org libraries. Nevertheless, you can:
+  * build shared libraries: --enable-shared
+  * link binaries against shared libraries: --disable-allstatic
+
+
+* Static binaries
+  ---------------
+
+ By default, binaries are linked against static versions of all the
+libraries they depend on, except for the libc. You can enforce
+linking against the static libc with --enable-static-libc.
+
+ Be aware that the GNU libc behaves badly with static linking and
+produces huge executables, which is why it is not the default.
+Other libcs are better suited to static linking, for instance
+musl: http://musl-libc.org/
+
+
+* Cross-compilation
+  -----------------
+
+ skarnet.org packages centralize all the difficulty of
+cross-compilation in one place: skalibs. Once you have
+cross-compiled skalibs, the rest is easy.
+
+ * Use the --host=HOST option to configure, HOST being the triplet
+for your target.
+ * Make sure your cross-toolchain binaries (i.e. prefixed with HOST-)
+are accessible via your PATH environment variable.
+ * Make sure to use the correct version of skalibs for your target,
+and the correct sysdeps directory, making use of the
+--with-include, --with-lib, --with-dynlib and --with-sysdeps
+options as necessary.
+
+
+* The slashpackage convention
+  ---------------------------
+
+ The slashpackage convention (http://cr.yp.to/slashpackage.html)
+is a package installation scheme that provides a few guarantees
+over other conventions such as the FHS, for instance fixed
+absolute pathnames. skarnet.org packages support it: use the
+--enable-slashpackage option to configure, or
+--enable-slashpackage=DIR for a prefixed DIR/package tree.
+This option will activate slashpackage support during the build
+and set slashpackage-compatible installation directories.
+If $package_home is the home of the package, defined as
+DIR/package/$category/$package-$version with the variables
+read from the package/info file, then:
+
+  --dynlibdir is set to $package_home/library.so
+  --bindir is set to $package_home/command
+  --sbindir is also set to $package_home/command (slashpackage
+differentiates root-only binaries by their Unix rights, not their
+location in the filesystem)
+  --libexecdir is also set to $package_home/command (slashpackage
+does not need a specific directory for internal binaries)
+  --libdir is set to $package_home/library
+  --includedir is set to $package_home/include
+
+ --prefix is pretty much ignored when you use --enable-slashpackage.
+You should probably not use both --enable-slashpackage and --prefix.
+
+ When using slashpackage, two additional Makefile targets are
+available after "make install":
+ - "make update" changes the default version of the software to the
+freshly installed one. (This is useful when you have several installed
+versions of the same software, which slashpackage supports.)
+ - "make -L global-links" adds links from /command and /library.so to the
+default version of the binaries and shared libraries. The "-L" option to
+make is necessary because targets are symbolic links, and the default make
+behaviour is to check the pointed file's timestamp and not the symlink's
+timestamp.
+
+
+* Absolute pathnames
+  ------------------
+
+ You may want to use fixed absolute pathnames even if you're not
+following the slashpackage convention: for instance, the Nix packaging
+system prefers calling binaries with immutable paths rather than rely on
+PATH resolution. If you are in that case, use the --enable-absolute-paths
+option to configure. This will ensure that programs calling binaries from
+this package will call them with their full installation path (in bindir)
+without relying on a PATH search.
+
+
+* Out-of-tree builds
+  ------------------
+
+ skarnet.org packages do not support out-of-tree builds. They
+are small, so it does not cost much to duplicate the entire
+source tree if parallel builds are needed.
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..94a820f
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,149 @@
+#
+# This Makefile requires GNU make.
+#
+# Do not make changes here.
+# Use the included .mak files.
+#
+
+it: all
+
+make_need := 3.81
+ifeq "" "$(strip $(filter $(make_need), $(firstword $(sort $(make_need) $(MAKE_VERSION)))))"
+fail := $(error Your make ($(MAKE_VERSION)) is too old. You need $(make_need) or newer)
+endif
+
+CC = $(error Please use ./configure first)
+
+STATIC_LIBS :=
+SHARED_LIBS :=
+INTERNAL_LIBS :=
+EXTRA_TARGETS :=
+LIB_DEFS :=
+
+define library_definition
+LIB$(firstword $(subst =, ,$(1))) := lib$(lastword $(subst =, ,$(1))).$(if $(DO_ALLSTATIC),a,so).xyzzy
+ifdef DO_SHARED
+SHARED_LIBS += lib$(lastword $(subst =, ,$(1))).so.xyzzy
+endif
+ifdef DO_STATIC
+STATIC_LIBS += lib$(lastword $(subst =, ,$(1))).a.xyzzy
+endif
+endef
+
+-include config.mak
+include package/targets.mak
+
+$(foreach var,$(LIB_DEFS),$(eval $(call library_definition,$(var))))
+
+include package/deps.mak
+
+version_m := $(basename $(version))
+version_M := $(basename $(version_m))
+version_l := $(basename $(version_M))
+CPPFLAGS_ALL := $(CPPFLAGS_AUTO) $(CPPFLAGS)
+CFLAGS_ALL := $(CFLAGS_AUTO) $(CFLAGS)
+ifeq ($(strip $(STATIC_LIBS_ARE_PIC)),)
+CFLAGS_SHARED := -fPIC
+else
+CFLAGS_SHARED :=
+endif
+LDFLAGS_ALL := $(LDFLAGS_AUTO) $(LDFLAGS)
+AR := $(CROSS_COMPILE)ar
+RANLIB := $(CROSS_COMPILE)ranlib
+STRIP := $(CROSS_COMPILE)strip
+INSTALL := ./tools/install.sh
+
+ALL_BINS := $(LIBEXEC_TARGETS) $(BIN_TARGETS)
+ALL_LIBS := $(SHARED_LIBS) $(STATIC_LIBS) $(INTERNAL_LIBS)
+ALL_INCLUDES := $(wildcard src/include/$(package)/*.h)
+
+all: $(ALL_LIBS) $(ALL_BINS) $(ALL_INCLUDES)
+
+clean:
+	@exec rm -f $(ALL_LIBS) $(ALL_BINS) $(wildcard src/*/*.o src/*/*.lo) $(EXTRA_TARGETS)
+
+distclean: clean
+	@exec rm -f config.mak src/include/$(package)/config.h
+
+tgz: distclean
+	@. package/info && \
+	rm -rf /tmp/$$package-$$version && \
+	cp -a . /tmp/$$package-$$version && \
+	cd /tmp && \
+	tar -zpcv --owner=0 --group=0 --numeric-owner --exclude=.git* -f /tmp/$$package-$$version.tar.gz $$package-$$version && \
+	exec rm -rf /tmp/$$package-$$version
+
+strip: $(ALL_LIBS) $(ALL_BINS)
+ifneq ($(strip $(STATIC_LIBS)),)
+	exec $(STRIP) -x -R .note -R .comment -R .note.GNU-stack $(STATIC_LIBS)
+endif
+ifneq ($(strip $(ALL_BINS)$(SHARED_LIBS)),)
+	exec $(STRIP) -R .note -R .comment -R .note.GNU-stack $(ALL_BINS) $(SHARED_LIBS)
+endif
+
+install: install-dynlib install-libexec install-bin install-lib install-include
+install-dynlib: $(SHARED_LIBS:lib%.so.xyzzy=$(DESTDIR)$(dynlibdir)/lib%.so)
+install-libexec: $(LIBEXEC_TARGETS:%=$(DESTDIR)$(libexecdir)/%)
+install-bin: $(BIN_TARGETS:%=$(DESTDIR)$(bindir)/%)
+install-lib: $(STATIC_LIBS:lib%.a.xyzzy=$(DESTDIR)$(libdir)/lib%.a)
+install-include: $(ALL_INCLUDES:src/include/$(package)/%.h=$(DESTDIR)$(includedir)/$(package)/%.h)
+install-data: $(ALL_DATA:src/etc/%=$(DESTDIR)$(datadir)/%)
+
+ifneq ($(exthome),)
+
+$(DESTDIR)$(exthome): $(DESTDIR)$(home)
+	exec $(INSTALL) -l $(notdir $(home)) $(DESTDIR)$(exthome)
+
+update: $(DESTDIR)$(exthome)
+
+global-links: $(DESTDIR)$(exthome) $(SHARED_LIBS:lib%.so.xyzzy=$(DESTDIR)$(sproot)/library.so/lib%.so.$(version_M)) $(BIN_TARGETS:%=$(DESTDIR)$(sproot)/command/%)
+
+$(DESTDIR)$(sproot)/command/%: $(DESTDIR)$(home)/command/%
+	exec $(INSTALL) -D -l ..$(subst $(sproot),,$(exthome))/command/$(<F) $@
+
+$(DESTDIR)$(sproot)/library.so/lib%.so.$(version_M): $(DESTDIR)$(dynlibdir)/lib%.so.$(version_M)
+	exec $(INSTALL) -D -l ..$(subst $(sproot),,$(exthome))/library.so/$(<F) $@
+
+.PHONY: update global-links
+
+endif
+
+$(DESTDIR)$(datadir)/%: src/etc/%
+	exec $(INSTALL) -D -m 644 $< $@
+
+$(DESTDIR)$(dynlibdir)/lib%.so $(DESTDIR)$(dynlibdir)/lib%.so.$(version_M): lib%.so.xyzzy
+	$(INSTALL) -D -m 755 $< $@.$(version) && \
+	$(INSTALL) -l $(@F).$(version) $@.$(version_M) && \
+	exec $(INSTALL) -l $(@F).$(version_M) $@
+
+$(DESTDIR)$(libexecdir)/% $(DESTDIR)$(bindir)/%: % package/modes
+	exec $(INSTALL) -D -m 600 $< $@
+	grep -- ^$(@F) < package/modes | { read name mode owner && \
+	if [ x$$owner != x ] ; then chown -- $$owner $@ ; fi && \
+	chmod $$mode $@ ; }
+
+$(DESTDIR)$(libdir)/lib%.a: lib%.a.xyzzy
+	exec $(INSTALL) -D -m 644 $< $@
+
+$(DESTDIR)$(includedir)/$(package)/%.h: src/include/$(package)/%.h
+	exec $(INSTALL) -D -m 644 $< $@
+
+%.o: %.c
+	exec $(CC) $(CPPFLAGS_ALL) $(CFLAGS_ALL) -c -o $@ $<
+
+%.lo: %.c
+	exec $(CC) $(CPPFLAGS_ALL) $(CFLAGS_ALL) $(CFLAGS_SHARED) -c -o $@ $<
+
+$(ALL_BINS):
+	exec $(CC) -o $@ $(CFLAGS_ALL) $(LDFLAGS_ALL) $(LDFLAGS_NOSHARED) $^ $(EXTRA_LIBS) $(LDLIBS)
+
+lib%.a.xyzzy:
+	exec $(AR) rc $@ $^
+	exec $(RANLIB) $@
+
+lib%.so.xyzzy:
+	exec $(CC) -o $@ $(CFLAGS_ALL) $(CFLAGS_SHARED) $(LDFLAGS_ALL) $(LDFLAGS_SHARED) -Wl,-soname,$(patsubst lib%.so.xyzzy,lib%.so.$(version_M),$@) $^ $(EXTRA_LIBS) $(LDLIBS)
+
+.PHONY: it all clean distclean tgz strip install install-dynlib install-bin install-lib install-include install-data
+
+.DELETE_ON_ERROR:
diff --git a/NEWS b/NEWS
new file mode 100644
index 0000000..8c45fe2
--- /dev/null
+++ b/NEWS
@@ -0,0 +1,6 @@
+Changelog for mdevd.
+
+In 0.0.1.0
+----------
+
+ - Initial release.
diff --git a/README b/README
new file mode 100644
index 0000000..bae9170
--- /dev/null
+++ b/README
@@ -0,0 +1,27 @@
+dnsfunnel - a small local DNS forwarder
+---------------------------------------
+
+ dnsfunnel is a DNS forwarder (aka, a DNS cache without a
+cache) meant to listen to local requests and forward them to
+real caches. The point is to move from a
+"list several caches in /etc/resolv.conf" model to a
+"only list 127.0.0.1 in /etc/resolv.conf" one, which has
+architectural advantages and isolates the libc's stub resolver
+from various DNS implementation infelicities.
+
+ See https://skarnet.org/software/dnsfunnel/ for details.
+
+
+* Installation
+  ------------
+
+ See the INSTALL file.
+
+
+* Contact information
+  -------------------
+
+ Laurent Bercot <ska-skaware at skarnet.org>
+
+ Please use the <skaware at list.skarnet.org> mailing-list for
+questions about dnsfunnel.
diff --git a/configure b/configure
new file mode 100644
index 0000000..664a43f
--- /dev/null
+++ b/configure
@@ -0,0 +1,475 @@
+#!/bin/sh
+
+cd `dirname "$0"`
+. package/info
+
+usage () {
+cat <<EOF
+Usage: $0 [OPTION]... [TARGET]
+
+Defaults for the options are specified in brackets.
+
+System types:
+  --target=TARGET               configure to run on target TARGET [detected]
+  --host=TARGET                 same as --target
+
+Installation directories:
+  --prefix=PREFIX               main installation prefix [/]
+  --exec-prefix=EPREFIX         installation prefix for executable files [PREFIX]
+
+Fine tuning of the installation directories:
+  --dynlibdir=DIR               shared library files [PREFIX/lib]
+  --bindir=BINDIR               user executables [EPREFIX/bin]
+  --libexecdir=DIR              package-scoped executables [EPREFIX/libexec]
+  --libdir=DIR                  static library files [PREFIX/lib/$package]
+  --includedir=DIR              C header files [PREFIX/include]
+
+ If no --prefix option is given, by default libdir (but not dynlibdir) will be
+ /usr/lib/$package, and includedir will be /usr/include.
+
+Dependencies:
+  --with-sysdeps=DIR            use sysdeps in DIR [PREFIX/lib/skalibs/sysdeps]
+  --with-include=DIR            add DIR to the list of searched directories for headers
+  --with-lib=DIR                add DIR to the list of searched directories for static libraries
+  --with-dynlib=DIR             add DIR to the list of searched directories for shared libraries
+
+ If no --prefix option is given, by default sysdeps will be fetched from
+ /usr/lib/skalibs/sysdeps.
+
+Optional features:
+  --enable-shared               build shared libraries [disabled]
+  --disable-static              do not build static libraries [enabled]
+  --disable-allstatic           do not prefer linking against static libraries [enabled]
+  --enable-static-libc          make entirely static binaries [disabled]
+  --disable-all-pic             do not build executables or static libs as PIC [enabled]
+  --enable-slashpackage[=ROOT]  assume /package installation at ROOT [disabled]
+  --enable-absolute-paths       do not rely on PATH to access this package's binaries,
+                                  hardcode absolute BINDIR/foobar paths instead [disabled]
+
+  --with-cachelist=FILE         use FILE as default cache list [/run/dnsfunnel-caches]
+EOF
+exit 0
+}
+
+# Helper functions
+
+# If your system does not have printf, you can comment this, but it is
+# generally not a good idea to use echo.
+# See http://etalabs.net/sh_tricks.html
+echo () {
+  IFS=" "
+  printf %s\\n "$*"
+}
+
+quote () {
+  tr '\n' ' ' <<EOF | grep '^[-[:alnum:]_=,./:]* $' >/dev/null 2>&1 && { echo "$1" ; return 0 ; }
+$1
+EOF
+  echo "$1" | sed -e "s/'/'\\\\''/g" -e "1s/^/'/" -e "\$s/\$/'/" -e "s#^'\([-[:alnum:]_,./:]*\)=\(.*\)\$#\1='\2#" -e "s|\*/|* /|g"
+}
+
+fail () {
+  echo "$*"
+  exit 1
+}
+
+fnmatch () {
+  eval "case \"\$2\" in $1) return 0 ;; *) return 1 ;; esac"
+}
+
+cmdexists () {
+  type "$1" >/dev/null 2>&1
+}
+
+trycc () {
+  test -z "$CC_AUTO" && cmdexists "$1" && CC_AUTO="$*"
+}
+
+stripdir () {
+  while eval "fnmatch '*/' \"\${$1}\"" ; do
+    eval "$1=\${$1%/}"
+  done
+}
+
+tryflag () {
+  echo "Checking whether compiler accepts $2 ..."
+  echo "typedef int x;" > "$tmpc"
+  if $CC_AUTO $CPPFLAGS_AUTO $CPPFLAGS $CPPFLAGS_POST $CFLAGS_AUTO $CFLAGS $CFLAGS_POST "$2" -c -o /dev/null "$tmpc" >/dev/null 2>&1 ; then
+    echo "  ... yes"
+    eval "$1=\"\${$1} \$2\""
+    eval "$1=\${$1# }"
+    return 0
+  else
+    echo "  ... no"
+    return 1
+  fi
+}
+
+tryldflag () {
+  echo "Checking whether linker accepts $2 ..."
+  echo "typedef int x;" > "$tmpc"
+  if $CC_AUTO $CFLAGS_AUTO $CFLAGS $CFLAGS_POST $LDFLAGS_AUTO $LDFLAGS $LDFLAGS_POST -nostdlib "$2" -o /dev/null "$tmpc" >/dev/null 2>&1 ; then
+    echo "  ... yes"
+    eval "$1=\"\${$1} \$2\""
+    eval "$1=\${$1# }"
+    return 0
+  else
+    echo "  ... no"
+    return 1
+  fi
+}
+
+
+# Actual script
+
+CC_AUTO=
+CPPFLAGS_AUTO="-D_POSIX_C_SOURCE=200809L -D_XOPEN_SOURCE=700 -iquote src/include-local -Isrc/include"
+CPPFLAGS_POST="$CPPFLAGS"
+CPPFLAGS=
+CFLAGS_AUTO="-pipe -Wall"
+CFLAGS_POST="$CFLAGS"
+CFLAGS=-O2
+LDFLAGS_AUTO=
+LDFLAGS_POST="$LDFLAGS"
+LDFLAGS=
+LDFLAGS_NOSHARED=
+LDFLAGS_SHARED=-shared
+prefix=
+exec_prefix='$prefix'
+dynlibdir='$prefix/lib'
+libexecdir='$exec_prefix/libexec'
+bindir='$exec_prefix/bin'
+libdir='$prefix/lib/$package'
+includedir='$prefix/include'
+sysdeps='$prefix/lib/skalibs/sysdeps'
+manualsysdeps=false
+shared=false
+static=true
+allpic=true
+slashpackage=false
+abspath=false
+sproot=
+home=
+exthome=
+allstatic=true
+evenmorestatic=false
+addincpath=''
+addlibspath=''
+addlibdpath=''
+vpaths=''
+vpathd=''
+build=
+cachelist=/run/dnsfunnel-caches
+
+for arg ; do
+  case "$arg" in
+    --help) usage ;;
+    --prefix=*) prefix=${arg#*=} ;;
+    --exec-prefix=*) exec_prefix=${arg#*=} ;;
+    --dynlibdir=*) dynlibdir=${arg#*=} ;;
+    --libexecdir=*) libexecdir=${arg#*=} ;;
+    --bindir=*) bindir=${arg#*=} ;;
+    --libdir=*) libdir=${arg#*=} ;;
+    --includedir=*) includedir=${arg#*=} ;;
+    --with-sysdeps=*) sysdeps=${arg#*=} manualsysdeps=true ;;
+    --with-include=*) var=${arg#*=} ; stripdir var ; addincpath="$addincpath -I$var" ;;
+    --with-lib=*) var=${arg#*=} ; stripdir var ; addlibspath="$addlibspath -L$var" ; vpaths="$vpaths $var" ;;
+    --with-dynlib=*) var=${arg#*=} ; stripdir var ; addlibdpath="$addlibdpath -L$var" ; vpathd="$vpathd $var" ;;
+    --enable-shared|--enable-shared=yes) shared=true ;;
+    --disable-shared|--enable-shared=no) shared=false ;;
+    --enable-static|--enable-static=yes) static=true ;;
+    --disable-static|--enable-static=no) static=false ;;
+    --enable-allstatic|--enable-allstatic=yes) allstatic=true ;;
+    --disable-allstatic|--enable-allstatic=no) allstatic=false ; evenmorestatic=false ;;
+    --enable-static-libc|--enable-static-libc=yes) allstatic=true ; evenmorestatic=true ;;
+    --disable-static-libc|--enable-static-libc=no) evenmorestatic=false ;;
+    --enable-all-pic|--enable-all-pic=yes) allpic=true ;;
+    --disable-all-pic|--enable-all-pic=no) allpic=false ;;
+    --enable-slashpackage=*) sproot=${arg#*=} ; slashpackage=true ; ;;
+    --enable-slashpackage) sproot= ; slashpackage=true ;;
+    --disable-slashpackage) sproot= ; slashpackage=false ;;
+    --enable-absolute-paths|--enable-absolute-paths=yes) abspath=true ;;
+    --disable-absolute-paths|--enable-absolute-paths=no) abspath=false ;;
+    --with-cachelist=*) cachelist=${arg#*=} ;;
+    --enable-*|--disable-*|--with-*|--without-*|--*dir=*) ;;
+    --host=*|--target=*) target=${arg#*=} ;;
+    --build=*) build=${arg#*=} ;;
+    -* ) echo "$0: unknown option $arg" ;;
+    *=*) ;;
+    *) target=$arg ;;
+  esac
+done
+
+# Add /usr in the default default case
+if test -z "$prefix" ; then
+  if test "$libdir" = '$prefix/lib/$package' ; then
+    libdir=/usr/lib/$package
+  fi
+  if test "$includedir" = '$prefix/include' ; then
+    includedir=/usr/include
+  fi
+  if test "$sysdeps" = '$prefix/lib/skalibs/sysdeps' ; then
+    sysdeps=/usr/lib/skalibs/sysdeps
+  fi
+fi
+
+# Expand installation directories
+stripdir prefix
+for i in exec_prefix dynlibdir libexecdir bindir libdir includedir sysdeps sproot ; do
+  eval tmp=\${$i}
+  eval $i=$tmp
+  stripdir $i
+done
+
+# Get usable temp filenames
+i=0
+set -C
+while : ; do
+  i=$(($i+1))
+  tmpc="./tmp-configure-$$-$PPID-$i.c"
+  tmpe="./tmp-configure-$$-$PPID-$i.tmp"
+  2>|/dev/null > "$tmpc" && break
+  2>|/dev/null > "$tmpe" && break
+  test "$i" -gt 50 && fail "$0: cannot create temporary files"
+done
+set +C
+trap 'rm -f "$tmpc" "$tmpe"' EXIT ABRT INT QUIT TERM HUP
+
+# Set slashpackage values
+if $slashpackage ; then
+  home=${sproot}/package/${category}/${package}-${version}
+  exthome=${sproot}/package/${category}/${package}
+  if $manualsysdeps ; then
+    :
+  else
+    sysdeps=${sproot}/package/prog/skalibs/sysdeps
+  fi
+  extbinprefix=${exthome}/command
+  dynlibdir=${home}/library.so
+  bindir=${home}/command
+  libdir=${home}/library
+  libexecdir=$bindir
+  includedir=${home}/include
+  while read dep condvar ; do
+    if test -n "$condvar" ; then
+      eval "cond=$condvar"
+    else
+      cond=true
+    fi
+    if $cond ; then
+      addincpath="$addincpath -I${sproot}${dep}/include"
+      vpaths="$vpaths ${sproot}${dep}/library"
+      addlibspath="$addlibspath -L${sproot}${dep}/library"
+      vpathd="$vpathd ${sproot}${dep}/library.so"
+      addlibdpath="$addlibdpath -L${sproot}${dep}/library.so"
+    fi
+  done < package/deps-build
+fi
+
+# Find a C compiler to use
+if test -n "$target" && test x${build} != x${target} ; then
+  cross=${target}-
+else
+  cross=
+fi
+echo "Checking for C compiler..."
+trycc ${CC}
+if test -n "$CC_AUTO" ; then
+  b=`basename "$CC"`
+  adjust_cross=false
+  if test "$b" != "$CC" ; then
+    adjust_cross=true
+    echo "$0: warning: compiler $CC is declared with its own path. If it's not accessible via PATH, you will need to pass AR, RANLIB and STRIP make variables to the make invocation." 1>&2
+  fi
+  if test -n "$cross" ; then
+    if test "$b" = "${b##$cross}" ; then
+      echo "$0: warning: compiler $CC is declared as a cross-compiler for target $target but does not start with prefix ${cross}" 1>&2
+    elif $adjust_cross ; then
+      cross=`dirname "$CC"`/"$cross"
+    fi
+  fi
+fi
+trycc ${cross}gcc
+trycc ${cross}clang
+trycc ${cross}cc
+test -n "$CC_AUTO" || { echo "$0: cannot find a C compiler" ; exit 1 ; }
+echo "  ... $CC_AUTO"
+echo "Checking whether C compiler works... "
+echo "typedef int x;" > "$tmpc"
+if $CC_AUTO $CPPFLAGS_AUTO $CPPFLAGS $CPPFLAGS_POST $CFLAGS_AUTO $CFLAGS $CFLAGS_POST -c -o /dev/null "$tmpc" 2>"$tmpe" ; then
+  echo "  ... yes"
+else
+  echo "  ... no. Compiler output follows:"
+  cat < "$tmpe"
+  exit 1
+fi
+
+echo "Checking target system type..."
+if test -z "$target" ; then
+  if test -n "$build" ; then
+    target=$build ;
+  else
+    target=$($CC_AUTO -dumpmachine 2>/dev/null) || target=unknown
+  fi
+fi
+echo "  ... $target"
+if test ! -d $sysdeps || test ! -f $sysdeps/target ; then
+  echo "$0: error: $sysdeps is not a valid sysdeps directory"
+  exit 1
+fi
+if [ "x$target" != "x$(cat $sysdeps/target)" ] ; then
+  echo "$0: error: target $target does not match the contents of $sysdeps/target"
+  exit 1
+fi
+
+spawn_lib=$(cat $sysdeps/spawn.lib)
+socket_lib=$(cat $sysdeps/socket.lib)
+sysclock_lib=$(cat $sysdeps/sysclock.lib)
+timer_lib=$(cat $sysdeps/timer.lib)
+util_lib=$(cat $sysdeps/util.lib)
+
+if $allpic ; then
+  tryflag CPPFLAGS_AUTO -fPIC
+fi
+tryflag CFLAGS_AUTO -std=c99
+tryflag CFLAGS -fomit-frame-pointer
+tryflag CFLAGS_AUTO -fno-exceptions
+tryflag CFLAGS_AUTO -fno-unwind-tables
+tryflag CFLAGS_AUTO -fno-asynchronous-unwind-tables
+tryflag CFLAGS_AUTO -Wa,--noexecstack
+tryflag CPPFLAGS_AUTO -Werror=implicit-function-declaration
+tryflag CPPFLAGS_AUTO -Werror=implicit-int
+tryflag CPPFLAGS_AUTO -Werror=pointer-sign
+tryflag CPPFLAGS_AUTO -Werror=pointer-arith
+tryflag CFLAGS_AUTO -ffunction-sections
+tryflag CFLAGS_AUTO -fdata-sections
+
+tryldflag LDFLAGS_AUTO -Wl,--sort-section=alignment
+tryldflag LDFLAGS_AUTO -Wl,--sort-common
+
+CPPFLAGS_AUTO="${CPPFLAGS_AUTO}${addincpath}"
+
+if $evenmorestatic ; then
+  LDFLAGS_NOSHARED=-static
+fi
+
+if $shared ; then
+  tryldflag LDFLAGS -Wl,--hash-style=both
+fi
+
+LDFLAGS_SHARED="${LDFLAGS_SHARED}${addlibdpath}"
+
+if test -z "$vpaths" ; then
+  while read dep ; do
+    base=$(basename $dep) ;
+    vpaths="$vpaths /usr/lib/$base"
+    addlibspath="$addlibspath -L/usr/lib/$base"
+  done < package/deps-build  
+fi
+
+if $allstatic ; then
+  LDFLAGS_NOSHARED="${LDFLAGS_NOSHARED}${addlibspath}"
+  tryldflag LDFLAGS_NOSHARED -Wl,--gc-sections
+else
+  LDFLAGS_NOSHARED="${LDFLAGS_NOSHARED}${addlibdpath}"
+fi
+
+echo "Creating config.mak..."
+cmdline=$(quote "$0")
+for i ; do cmdline="$cmdline $(quote "$i")" ; done
+exec 3>&1 1>config.mak
+cat << EOF
+# This file was generated by:
+# $cmdline
+# Any changes made here will be lost if configure is re-run.
+
+target := $target
+package := $package
+prefix := $prefix
+exec_prefix := $exec_prefix
+dynlibdir := $dynlibdir
+libexecdir := $libexecdir
+bindir := $bindir
+libdir := $libdir
+includedir := $includedir
+sysdeps := $sysdeps
+slashpackage := $slashpackage
+sproot := $sproot
+version := $version
+home := $home
+exthome := $exthome
+SPAWN_LIB := ${spawn_lib}
+SOCKET_LIB := ${socket_lib}
+SYSCLOCK_LIB := ${sysclock_lib}
+TIMER_LIB := ${timer_lib}
+UTIL_LIB := ${util_lib}
+
+CC := $CC_AUTO
+CPPFLAGS_AUTO := $CPPFLAGS_AUTO
+CPPFLAGS := $CPPFLAGS $CPPFLAGS_POST
+CFLAGS_AUTO := $CFLAGS_AUTO
+CFLAGS := $CFLAGS $CFLAGS_POST
+LDFLAGS_AUTO := $LDFLAGS_AUTO
+LDFLAGS := $LDFLAGS $LDFLAGS_POST
+LDFLAGS_SHARED := $LDFLAGS_SHARED
+LDFLAGS_NOSHARED := $LDFLAGS_NOSHARED
+CROSS_COMPILE := $cross
+
+vpath lib%.a$vpaths
+vpath lib%.so$vpathd
+EOF
+if $allstatic ; then
+  echo ".LIBPATTERNS := lib%.a"
+  echo "DO_ALLSTATIC := 1"
+else
+  echo ".LIBPATTERNS := lib%.so"
+fi
+if $static ; then
+  echo "DO_STATIC := 1"
+else
+  echo "DO_STATIC :="
+fi
+if $shared ; then
+  echo "DO_SHARED := 1"
+else
+  echo "DO_SHARED :="
+fi
+if $allpic ; then
+  echo "STATIC_LIBS_ARE_PIC := 1"
+else
+  echo "STATIC_LIBS_ARE_PIC :="
+fi
+
+exec 1>&3 3>&-
+echo "  ... done."
+
+echo "Creating src/include/${package}/config.h..."
+mkdir -p -m 0755 src/include/${package}
+exec 3>&1 1> src/include/${package}/config.h
+cat <<EOF
+/* ISC license. */
+
+/* Generated by: $cmdline */
+
+#ifndef ${package_macro_name}_CONFIG_H
+#define ${package_macro_name}_CONFIG_H
+
+#define ${package_macro_name}_VERSION "$version"
+EOF
+if $slashpackage ; then
+  echo "#define ${package_macro_name}_BINPREFIX \"$bindir/\""
+  echo "#define ${package_macro_name}_EXTBINPREFIX \"$extbinprefix/\""
+elif $abspath ; then
+  echo "#define ${package_macro_name}_BINPREFIX \"$bindir/\""
+  echo "#define ${package_macro_name}_EXTBINPREFIX \"$bindir/\""
+else
+  echo "#define ${package_macro_name}_BINPREFIX \"\""
+  echo "#define ${package_macro_name}_EXTBINPREFIX \"\""
+fi
+echo "#define ${package_macro_name}_LIBEXECPREFIX \"$libexecdir/\""
+echo
+echo "#define ${package_macro_name}_DEFAULT_CACHELIST  \"$cachelist\""
+echo
+echo "#endif"
+exec 1>&3 3>&-
+echo "  ... done."
diff --git a/doc/dnsfunnel-daemon.html b/doc/dnsfunnel-daemon.html
new file mode 100644
index 0000000..d93d463
--- /dev/null
+++ b/doc/dnsfunnel-daemon.html
@@ -0,0 +1,112 @@
+<html>
+  <head>
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+    <meta http-equiv="Content-Language" content="en" />
+    <title>dnsfunnel: the dnsfunnel-daemon program</title>
+    <meta name="Description" content="dnsfunnel: the dnsfunnel-daemon program" />
+    <meta name="Keywords" content="dnsfunnel daemon /etc/resolv.conf local cache resolver 127.0.0.1" />
+    <!-- <link rel="stylesheet" type="text/css" href="//skarnet.org/default.css" /> -->
+  </head>
+<body>
+
+<p>
+<a href="index.html">dnsfunnel</a><br />
+<a href="//skarnet.org/software/">Software</a><br />
+<a href="//skarnet.org/">skarnet.org</a>
+</p>
+
+<h1> The <tt>dnsfunnel-daemon</tt> program </h1>
+
+<p>
+<tt>dnsfunnel-daemon</tt> binds to a local UDP socket, drops its
+privileges, then executes into <a href="dnsfunneld.html">dnsfunneld</a>.
+</p>
+
+<h2> Interface </h2>
+
+<pre>
+     dnsfunnel-daemon [ -v verbosity ] [ -d notif ] [ -U | -u uid -g gid ] [ -i ip:port ] [ -R root ] [ -b bufsize ] [ -f cachelist ] [ -T | -t ] [ -N | -n ]
+</pre>
+
+<ul>
+ <li> dnsfunnel-daemon creates a UDP inet domain socket and binds it
+to IPv4 address <em>ip</em> (normally 127.0.0.1) and port <em>port</em>
+(normally 53). </li>
+ <li> Depending on the options it has been given, it may chroot and lose
+privileges on its gid and uid. </li>
+ <li> It execs into <a href="dnsfunneld.html">dnsfunneld</a> with the
+UDP socket as its standard input. </li>
+</ul>
+
+<p>
+ The point of <tt>dnsfunnel-daemon</tt> is to separate the administrative
+operations of starting a daemon from the actual serving part, which is
+handled by <a href="dnsfunneld.html">dnsfunneld</a>.
+</p>
+
+<h2> Exit codes </h2>
+
+<ul>
+ <li> 100: wrong usage </li>
+ <li> 111: system call failed </li>
+ <li> 126: failed to exec <a href="dnsfunneld.html">dnsfunneld</a> </li>
+ <li> 127: could not find the <a href="dnsfunneld.html">dnsfunneld</a> executable </li>
+</ul>
+
+<h2> Options </h2>
+
+<ul>
+ <li> <tt>-v&nbsp;<em>verbosity</em></tt>&nbsp;: verbosity of the
+<a href="dnsfunneld.html">dnsfunneld</a> program. This option is passed as is
+to <a href="dnsfunneld.html">dnsfunneld</a>. Default is 1. 0 suppresses warning
+messages. Higher values may give more informational messages. </li>
+ <li> <tt>-d&nbsp;<em>notif</em></tt>&nbsp;: readiness notification. This option
+is passed as is to <a href="dnsfunneld.html">dnsfunneld</a>, which will print a
+newline to descriptor <em>notif</em> when it is ready. Default is no readiness
+notification. </li>
+ <li> <tt>-U</tt>&nbsp;: read an uid in the UID environment variable and a gid
+in the GID environment variable, and drop privileges to that uid/gid. </li>
+ <li> <tt>-u&nbsp;<em>uid</em></tt>&nbsp;: drop privileges to numerical uid
+<em>uid</em>. </li>
+ <li> <tt>-g&nbsp;<em>gid</em></tt>&nbsp;: drop privileges to numerical gid
+<em>gid</em>. </li>
+ <li> <tt>-i&nbsp;<em>ip</em>:<em>port</em></tt>&nbsp;: bind the socket to
+IPv4 <em>ip</em> and port <em>port</em>. Default for <em>ip</em> is
+<tt>127.0.0.1</tt>; default for <em>port</em> is 53. </li>
+ <li> <tt>-R&nbsp;<em>root</em></tt>&nbsp;: chroot to <em>root</em>. Note that
+this option only increases security if you also drop privileges. </li>
+ <li> <tt>-b&nbsp;<em>bufsize</em></tt>&nbsp;: try and reserve a kernel buffer
+size of <em>bufsize</em> bytes for the socket. Default is 131072. If the given
+<em>bufsize</em> is 0, then <tt>dnsfunnel-daemon</tt> will use whatever the
+default is for your kernel. </li>
+ <li> <tt>-f&nbsp;<em>cachelist</em></tt>&nbsp;: Use <em>cachelist</em> as the
+file that <a href="dnsfunneld.html">dnsfunneld</a> reads its cache addresses
+from. Default is <tt>/run/dnsfunnel-caches</tt>, or <em>file</em>
+if the <tt>--with-cachelist=<em>file</em></tt> option has been given to the
+configure script at build time. </li>
+</ul>
+
+<p>
+ The other options control the activation or deactivation of various
+<a href="dnsfunneld.html">dnsfunneld</a> features:
+</p>
+ <li> <tt>-T</tt>&nbsp;: Do not activate truncation of responses. This is
+the default. </li>
+ <li> <tt>-t</tt>&nbsp;: If a DNS response is bigger than 510 bytes,
+truncate its last resource records until it fits into 510 bytes and can
+be sent in a UDP packet. </li>
+ <li> <tt>-N</tt>&nbsp;: Do not activate nxdomain workaround. This is the
+default. </li>
+ <li> <tt>-n</tt>&nbsp;: Activate nxdomain workaround. When receiving an A
+(resp. AAAA) query to forward, also make an AAAA (resp. A) query, and adjust
+the response accordingly. Some DNS servers incorrectly answer NXDOMAIN when
+they should just answer NODATA, and querying for another, existing, record
+type for the same domain allows dnsfunneld to tell the difference between a
+real NXDOMAIN (in which case that response is forwarded to the client) and
+an incorrect one (in which case NODATA is answered to the client instead). </li>
+ <li> Other options may be added in the future. </li>
+</ul>
+
+</body>
+</html>
diff --git a/doc/dnsfunnel-translate.html b/doc/dnsfunnel-translate.html
new file mode 100644
index 0000000..9dde27d
--- /dev/null
+++ b/doc/dnsfunnel-translate.html
@@ -0,0 +1,70 @@
+<html>
+  <head>
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+    <meta http-equiv="Content-Language" content="en" />
+    <title>dnsfunnel: the dnsfunnel-translate program</title>
+    <meta name="Description" content="dnsfunnel: the dnsfunnel-translate program" />
+    <meta name="Keywords" content="dnsfunnel translate /etc/resolv.conf nameserver cache address" />
+    <!-- <link rel="stylesheet" type="text/css" href="//skarnet.org/default.css" /> -->
+  </head>
+<body>
+
+<p>
+<a href="index.html">dnsfunnel</a><br />
+<a href="//skarnet.org/software/">Software</a><br />
+<a href="//skarnet.org/">skarnet.org</a>
+</p>
+
+<h1> The <tt>dnsfunnel-translate</tt> program </h1>
+
+<p>
+<tt>dnsfunnel-translate</tt> translates a file in <tt>resolv.conf</tt>
+format to a file in <a href="dnsfunneld.html">dnsfunneld</a> format.
+</p>
+
+<h2> Interface </h2>
+
+<pre>
+     dnsfunnel-translate [ -i inputfile ] [ -o outputfile ] [ -x ignoredip ]
+</pre>
+
+<ul>
+ <li> dnsfunnel-translate opens <em>inputfile</em> and parses it. It reads
+and processes lines beginning with <tt>nameserver</tt> followed by an IP
+address (v4 or v6). It ignores other lines. </li>
+ <li> It writes the IP addresses, without the <tt>nameserver</tt> keyword,
+to <tt>outputfile</tt>, one per line. </li>
+ <li> If a <tt>nameserver</tt> address is <em>ignoredip</em>, it does not
+get printed to <tt>outputfile</tt>
+ <li> dnsfunnel-translate exits 0 when it has finished processing
+<em>inputfile</em>. </li>
+</ul>
+
+<h2> Exit codes </h2>
+
+<ul>
+ <li> 0: success </li>
+ <li> 1: no suitable IP found in the input file </li>
+ <li> 100: wrong usage </li>
+ <li> 111: system call failed </li>
+</ul>
+
+<h2> Options </h2>
+
+<ul>
+ <li> <tt>-i&nbsp;<em>inputfile</em></tt>&nbsp;: process <em>inputfile</em>.
+Default is <tt>/etc/resolv.conf</tt>. </li>
+ <li> <tt>-o&nbsp;<em>outputfile</em></tt>&nbsp;: write the result to
+<em>outputfile</em>. Default is <tt>/run/dnsfunnel-caches</tt>, or <em>file</em>
+if the <tt>--with-cachelist=<em>file</em></tt> option has been given to the
+configure script at build time. </li>
+ <li> <tt>-x&nbsp;<em>ignoredip</em></tt>&nbsp;: ignore the <em>ignoredip</em>
+IPv4 address if it shows up as a <tt>nameserver</tt> in <em>inputfile</em>.
+Default is <tt>127.0.0.1</tt>. The point of this option is to avoid copying
+to <tt>outputfile</tt> the IPv4 address that the
+<a href="dnsfunnel-daemon.html">dnsfunnel-daemon</a> daemon will be bound to. </li>
+</ul>
+
+</body>
+</html>
diff --git a/doc/dnsfunneld.html b/doc/dnsfunneld.html
new file mode 100644
index 0000000..006a6d6
--- /dev/null
+++ b/doc/dnsfunneld.html
@@ -0,0 +1,160 @@
+<html>
+  <head>
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+    <meta http-equiv="Content-Language" content="en" />
+    <title>dnsfunnel: the dnsfunnel-daemon program</title>
+    <meta name="Description" content="dnsfunnel: the dnsfunnel-daemon program" />
+    <meta name="Keywords" content="dnsfunnel daemon /etc/resolv.conf local cache resolver 127.0.0.1" />
+    <!-- <link rel="stylesheet" type="text/css" href="//skarnet.org/default.css" /> -->
+  </head>
+<body>
+
+<p>
+<a href="index.html">dnsfunnel</a><br />
+<a href="//skarnet.org/software/">Software</a><br />
+<a href="//skarnet.org/">skarnet.org</a>
+</p>
+
+<h1> The <tt>dnsfunneld</tt> program </h1>
+
+<p>
+<tt>dnsfunneld</tt> is a small DNS forwarder daemon. It receives
+DNS queries from clients, then forwards them to one or more DNS caches.
+It collects the responses and forwards them back to the clients. Depending
+on the options it is given, it may perform light processing on the
+queries, the responses, or both.
+</p>
+
+<h2> Interface </h2>
+
+<pre>
+     dnsfunneld [ -v verbosity ] [ -d notif ] [ -o ops ] cachelist
+</pre>
+
+<ul>
+ <li> dnsfunneld reads the <em>cachelist</em> file, expecting to find
+a list of IP (v4 or v6) addresses, one per line. These addresses are the
+DNS caches it will forward the queries to. </li>
+ <li> dnsfunneld expects to have a bound UDP inet domain socket as
+its standard input. It expects to receive packets no more than 512
+bytes long, only containing DNS normal queries (QUERY) for the IN
+class. </li>
+ <li> Depending on <em>ops</em>, dnsfunneld may send additional queries
+to the caches listed in <em>cachelist</em>. It handles the answers
+internally: the additional queries are invisible to clients. </li>
+ <li> dnsfunneld is a long-lived process. </li>
+</ul>
+
+<h2> Signals </h2>
+
+<ul>
+ <li> SIGHUP: read the <em>cachelist</em> file again, updating its
+in-memory cache list. In-flight queries are still handled by the old
+list; the new list will only apply for queries arriving after the SIGHUP. </li>
+ <li> SIGTERM: enter lame-duck mode, do not accept any more queries. When
+all in-flight queries have been answered, exit 0.
+</ul>
+
+<h2> Exit codes </h2>
+
+<ul>
+ <li> 0: SIGTERM received and all in-flight queries have been answered </li>
+ <li> 100: wrong usage </li>
+ <li> 111: system call failed </li>
+</ul>
+
+<h2> Options </h2>
+
+<ul>
+ <li> <tt>-v&nbsp;<em>verbosity</em></tt>&nbsp;: verbosity.
+Default is 1. 0 suppresses warning messages. Higher values may give more
+informational messages in the future. </li>
+ <li> <tt>-d&nbsp;<em>notif</em></tt>&nbsp;: readiness notification. When
+dnsfunneld is ready to process queries, write a newline to file descriptor
+<em>notif</em>. <em>notif</em> must be 3 or greater. Default is no notification
+at all. </li>
+ <li> <tt>-o&nbsp;<em>ops</em></tt>&nbsp;: perform various operations on
+queries. <em>ops</em> is a decimal integer that is treated as a bitfield.
+Default is 0. Operations are listed below. </li>
+</ul>
+
+<h2> DNS forwarding behaviour </h2>
+
+<ul>
+ <li> When it receives a query, dnsfunneld forwards it to the first DNS cache
+in the list it has read from the <em>cachelist</em> file. </li>
+ <li> If it receives a response with the TC bit, it resends the query over TCP. </li>
+ <li> If it receives a suitable response within a given time frame, it forwards
+it to the client. </li>
+ <li> On SERVFAIL, or after a timeout of 1 second, it gives up and sends the
+query to the next DNS cache in its list. (If the first cache answers after the time
+frame, the answer is dropped.)
+ <li> If dnsfunneld reaches the end of its cache list, it retries the whole
+procedure starting at the beginning of the list, but with a timeout of 3 seconds.
+Caches that returned a SERVFAIL are crossed off the list for that query. </li>
+ <li> If the second pass fails again, dnsfunneld tries again with a timeout of
+11 seconds, then with a timeout of 45 seconds. If all of this fails, it returns
+a SERVFAIL to the client. </li>
+ <li> A machine should not use a DNS cache that is too far away. In normal operation,
+a timeout of 1 second should be more than enough for a cache to answer, if it already
+has the answer. If the answer is absent from all caches and it takes them more than
+1 second to resolve the query, the answer will be obtained by dnsfunneld in the second
+pass. Realistically, the only cases when caches that are not at the top of the list
+are used are:
+ <ul>
+  <li> obscure DNS queries, not likely to be in the caches, and that will take
+time to resolve; </li>
+  <li> or the first cache has really gone to lunch. </li>
+ </ul>
+</ul>
+
+<h2> dnsfunneld operations </h2>
+
+<p>
+ <em>ops</em> is an integer used as a bitfield. Depending on which bits are set,
+various operations are performed on queries or answers, slightly modifying the
+behaviour described above.
+</p>
+
+<ul>
+ <li> bit 0: activate truncation. If a DNS response is more than 510 bytes
+long, dnsfunneld will truncate the <em>last</em> resource records in the response,
+until it fits into 510 bytes and can be given to the client in a UDP packet.
+The structure of a DNS packet makes it so the RRs are listed in order of
+decreasing importance, so keeping as many RRs as will fit in 510 bytes
+without reordering them is the natural way of truncating a response. </li>
+ <li> bit 1: activate workaround for some servers that incorrectly report
+NXDOMAIN when they're asked for an AAAA record, and no such record exists
+for the domain but an A record exists. When that bit is set in <em>ops</em>,
+for every A or AAAA query dnsfunneld receives and forwards, it also sends
+an additional AAAA or A query for the same domain. If the main query returns
+NXDOMAIN, dnsfunneld waits for the response to the auxiliary query: if this
+response is not NXDOMAIN, then dnsfunneld answers NODATA to the client instead
+of NXDOMAIN. Be aware that activating this workaround can practically double
+the number of queries sent to the DNS caches, and may cause additional delays
+before the clients get their answers. </li>
+</ul>
+
+<h2> Notes </h2>
+
+<ul>
+ <li> The point of dnsfunneld is to work around ill-designed or unreliable
+client setups with several motley <tt>nameserver</tt> entries in
+<tt>/etc/resolv.conf</tt>. By converting those entries to a cache list
+instead (via the <a href="dnsfunnel-translate.html">dnsfunnel-translate</a>
+program), running dnsfunneld on 127.0.0.1, and enforcing a policy of one
+single <tt>nameserver 127.0.0.1</tt> entry in <tt>/etc/resolv.conf</tt>,
+the setup can be made more reliable and more consistent. </li>
+ <li> Such a policy can be automated, for instance, by listening to
+changes on the <tt>/etc/resolv.conf</tt> file (via inotify or kqueue,
+depending on your system) and immediately calling
+<a href="dnsfunnel-translate.html">dnsfunnel-translate</a>, sending
+a SIGHUP to dnsfunneld, and forcefully overwriting <tt>/etc/resolv.conf</tt>. </li>
+ <li> It is easy to send a SIGHUP to dnsfunneld even without knowing its
+pid, if it is run under a process supervision system such as
+<a href="//skarnet.org/software/s6/">s6</a>. </li>
+</ul>
+
+</body>
+</html>
diff --git a/doc/index.html b/doc/index.html
new file mode 100644
index 0000000..fe8e8d4
--- /dev/null
+++ b/doc/index.html
@@ -0,0 +1,116 @@
+<html>
+  <head>
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+    <meta http-equiv="Content-Language" content="en" />
+    <title>dnsfunnel - A small local DNS cache daemon</title>
+    <meta name="Description" content="dnsfunnel - a small local DNS cache daemon" />
+    <meta name="Keywords" content="dnsfunnel DNS domain cache local /etc/resolv.conf resolver forwarder laurent bercot ska skarnet" />
+    <!-- <link rel="stylesheet" type="text/css" href="//skarnet.org/default.css" /> -->
+  </head>
+<body>
+
+<p>
+<a href="//skarnet.org/software/">Software</a><br />
+<a href="//skarnet.org/">skarnet.org</a>
+</p>
+
+<h1> dnsfunnel </h1>
+
+<h2> What is it&nbsp;? </h2>
+
+<p>
+ dnsfunnel is a small daemon listening to DNS client requests over UDP
+(typically from the libc's
+<a href="https://pubs.opengroup.org/onlinepubs/9699919799/functions/getaddrinfo.html">getaddrinfo()</a>
+function) and forwards them to a list of DNS caches. It provides the
+client with the first answer it gets, trimming the answer so it fits
+in an UDP packet.
+</p>
+
+<p>
+ dnsfunnel is especially useful for distributions using the
+<a href="https://musl-libc.org">musl</a> libc, which does not support
+TCP DNS transport. It was originally written to be used in the
+<a href="https://alpinelinux.org/">Alpine Linux</a> distribution.
+</p>
+
+<hr />
+
+<h2> Installation </h2>
+
+<h3> Requirements </h3>
+
+<ul>
+ <li> A POSIX-compliant system with a standard C development environment.
+The system must also support <tt>chroot()</tt> </li>
+ <li> GNU make, version 3.81 or later </li>
+ <li> <a href="//skarnet.org/software/skalibs/">skalibs</a> version
+2.10.0.0 or later. It's a build-time requirement. It's also a run-time
+requirement if you link against the shared version of the skalibs
+library. </li>
+ <li> <a href="//skarnet.org/software/s6-dns/">s6-dns</a> version
+2.3.3.0 or later. It's a build-time requirement. It's also a run-time
+requirement if you link against the shared version of the s6dns
+library. </li>
+
+</ul>
+
+<h3> Licensing </h3>
+
+<p>
+ dnsfunnel is free software. It is available under the
+<a href="https://opensource.org/licenses/ISC">ISC license</a>.
+</p>
+
+<h3> Download </h3>
+
+<ul>
+ <li> The current released version of dnsfunnel is
+<a href="dnsfunnel-0.0.1.0.tar.gz">0.0.1.0</a>.
+ (This is a lie.
+dnsfunnel is in alpha development at the moment, and only
+available through git.) </li>
+ <li> Alternatively, you can checkout a copy of the
+<a href="//git.skarnet.org/cgi-bin/cgit.cgi/dnsfunnel/">dnsfunnel
+git repository</a>:
+<pre> git clone git://git.skarnet.org/dnsfunnel </pre> </li>
+ <li> There's also a
+<a href="https://github.com/skarnet/dnsfunnel">GitHub mirror</a>
+of the dnsfunnel git repository. </li>
+</ul>
+
+<h3> Compilation </h3>
+
+<ul>
+ <li> See the enclosed INSTALL file for installation details. </li>
+</ul>
+
+<h3> Upgrade notes </h3>
+
+<ul>
+ <li> <a href="upgrade.html">This page</a> lists the differences to be aware of between
+the previous versions of dnsfunnel and the current one. </li>
+</ul>
+
+<hr />
+
+<h2> Reference </h2>
+
+<h3> Commands </h3>
+
+<ul>
+<li><a href="dnsfunnel-daemon.html">The <tt>dnsfunnel-daemon</tt> program</a></li>
+<li><a href="dnsfunneld.html">The <tt>dnsfunneld</tt> program</a></li>
+<li><a href="dnsfunnel-translate.html">The <tt>dnsfunnel-translate</tt> program</a></li>
+</ul>
+
+<h2> Related resources </h2>
+
+<ul>
+ <li> <tt>dnsfunnel</tt> is discussed on the
+<a href="//skarnet.org/lists.html#skaware">skaware</a> mailing-list. </li>
+</ul>
+
+</body>
+</html>
diff --git a/doc/upgrade.html b/doc/upgrade.html
new file mode 100644
index 0000000..6b46bde
--- /dev/null
+++ b/doc/upgrade.html
@@ -0,0 +1,28 @@
+<html>
+  <head>
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+    <meta http-equiv="Content-Language" content="en" />
+    <title>dnsfunnel: how to upgrade</title>
+    <meta name="Description" content="dnsfunnel: how to upgrade" />
+    <meta name="Keywords" content="dnsfunnel installation upgrade" />
+    <!-- <link rel="stylesheet" type="text/css" href="//skarnet.org/default.css" /> -->
+  </head>
+<body>
+
+<p>
+<a href="index.html">dnsfunnel</a><br />
+<a href="//skarnet.org/software/">Software</a><br />
+<a href="//skarnet.org/">skarnet.org</a>
+</p>
+
+<h1> What has changed in dnsfunnel </h1>
+
+<h2> in 0.0.1.0 </h2>
+
+<ul>
+ <li> Initial release. </li>
+</ul>
+
+</body>
+</html>
diff --git a/package/deps-build b/package/deps-build
new file mode 100644
index 0000000..6b9f75d
--- /dev/null
+++ b/package/deps-build
@@ -0,0 +1,2 @@
+/package/prog/skalibs
+/package/web/s6-dns
diff --git a/package/deps.mak b/package/deps.mak
new file mode 100644
index 0000000..29eaab1
--- /dev/null
+++ b/package/deps.mak
@@ -0,0 +1,16 @@
+#
+# This file has been generated by tools/gen-deps.sh
+#
+
+src/dnsfunnel/dnsfunnel-daemon.o src/dnsfunnel/dnsfunnel-daemon.lo: src/dnsfunnel/dnsfunnel-daemon.c src/include/dnsfunnel/config.h
+src/dnsfunnel/dnsfunnel-translate.o src/dnsfunnel/dnsfunnel-translate.lo: src/dnsfunnel/dnsfunnel-translate.c src/include/dnsfunnel/config.h
+src/dnsfunnel/dnsfunneld.o src/dnsfunnel/dnsfunneld.lo: src/dnsfunnel/dnsfunneld.c src/dnsfunnel/dnsfunneld.h
+src/dnsfunnel/dnsfunneld_answer.o src/dnsfunnel/dnsfunneld_answer.lo: src/dnsfunnel/dnsfunneld_answer.c src/dnsfunnel/dnsfunneld.h
+src/dnsfunnel/dnsfunneld_process.o src/dnsfunnel/dnsfunneld_process.lo: src/dnsfunnel/dnsfunneld_process.c src/dnsfunnel/dnsfunneld.h
+
+dnsfunnel-daemon: EXTRA_LIBS := -lskarnet
+dnsfunnel-daemon: src/dnsfunnel/dnsfunnel-daemon.o
+dnsfunnel-translate: EXTRA_LIBS := -lskarnet
+dnsfunnel-translate: src/dnsfunnel/dnsfunnel-translate.o
+dnsfunneld: EXTRA_LIBS := -ls6dns -lskarnet
+dnsfunneld: src/dnsfunnel/dnsfunneld.o src/dnsfunnel/dnsfunneld_answer.o src/dnsfunnel/dnsfunneld_process.o
diff --git a/package/info b/package/info
new file mode 100644
index 0000000..0705998
--- /dev/null
+++ b/package/info
@@ -0,0 +1,4 @@
+package=dnsfunnel
+version=0.0.1.0
+category=web
+package_macro_name=DNSFUNNEL
diff --git a/package/modes b/package/modes
new file mode 100644
index 0000000..d42c9a1
--- /dev/null
+++ b/package/modes
@@ -0,0 +1,3 @@
+dnsfunnel-daemon	0755
+dnsfunneld		0755
+dnsfunnel-translate	0755
diff --git a/package/targets.mak b/package/targets.mak
new file mode 100644
index 0000000..1a65a56
--- /dev/null
+++ b/package/targets.mak
@@ -0,0 +1,7 @@
+BIN_TARGETS := \
+dnsfunnel-daemon \
+dnsfunneld \
+dnsfunnel-translate
+
+LIBEXEC_TARGETS :=
+
diff --git a/src/dnsfunnel/deps-exe/dnsfunnel-daemon b/src/dnsfunnel/deps-exe/dnsfunnel-daemon
new file mode 100644
index 0000000..e7187fe
--- /dev/null
+++ b/src/dnsfunnel/deps-exe/dnsfunnel-daemon
@@ -0,0 +1 @@
+-lskarnet
diff --git a/src/dnsfunnel/deps-exe/dnsfunnel-translate b/src/dnsfunnel/deps-exe/dnsfunnel-translate
new file mode 100644
index 0000000..e7187fe
--- /dev/null
+++ b/src/dnsfunnel/deps-exe/dnsfunnel-translate
@@ -0,0 +1 @@
+-lskarnet
diff --git a/src/dnsfunnel/deps-exe/dnsfunneld b/src/dnsfunnel/deps-exe/dnsfunneld
new file mode 100644
index 0000000..90302a1
--- /dev/null
+++ b/src/dnsfunnel/deps-exe/dnsfunneld
@@ -0,0 +1,4 @@
+dnsfunneld_answer.o
+dnsfunneld_process.o
+-ls6dns
+-lskarnet
diff --git a/src/dnsfunnel/dnsfunnel-daemon.c b/src/dnsfunnel/dnsfunnel-daemon.c
new file mode 100644
index 0000000..1df6a38
--- /dev/null
+++ b/src/dnsfunnel/dnsfunnel-daemon.c
@@ -0,0 +1,150 @@
+/* ISC license. */
+
+#include <skalibs/sysdeps.h>
+
+#ifndef SKALIBS_HASCHROOT
+# error "this program can only be built on systems that provide a chroot() function"
+#endif
+
+#include <skalibs/nonposix.h>  /* chroot */
+#include <stdint.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <stdlib.h>
+
+#include <skalibs/uint16.h>
+#include <skalibs/types.h>
+#include <skalibs/fmtscan.h>
+#include <skalibs/sgetopt.h>
+#include <skalibs/strerr2.h>
+#include <skalibs/djbunix.h>
+#include <skalibs/socket.h>
+#include <skalibs/exec.h>
+
+#include <dnsfunnel/config.h>
+
+#define USAGE "dnsfunnel-daemon [ -v verbosity ] [ -d notif ] [ -U | -u uid -g gid ] [ -i ip:port ] [ -R root ] [ -b bufsize ] [ -f cachelist ] [ -T | -t ] [ -N | -n ] "
+#define dieusage() strerr_dieusage(100, USAGE)
+
+int main (int argc, char const *const *argv)
+{
+  int notif = 0 ;
+  unsigned int verbosity = 1 ;
+  unsigned int bufsize = 131072 ;
+  int flagU = 0 ;
+  uid_t uid = -1 ;
+  gid_t gid = -1 ;
+  char const *ipport = "127.0.0.1:53" ;
+  char const *newroot = 0 ;
+  char const *cachelist = DNSFUNNEL_DEFAULT_CACHELIST ;
+  uint32_t ops = 0 ;
+  PROG = "dnsfunnel-daemon" ;
+  {
+    subgetopt_t l = SUBGETOPT_ZERO ;
+    for (;;)
+    {
+      int opt = subgetopt_r(argc, argv, "v:d:Uu:g:i:R:b:f:TtNn", &l) ;
+      if (opt == -1) break ;
+      switch (opt)
+      {
+        case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ;
+        case 'd' : if (!uint0_scan(l.arg, (unsigned int *)&notif)) dieusage() ; break ;
+        case 'U' : flagU = 1 ; break ;
+        case 'u' : if (!uid0_scan(l.arg, &uid)) dieusage() ; break ;
+        case 'g' : if (!gid0_scan(l.arg, &gid)) dieusage() ; break ;
+        case 'i' : ipport = l.arg ; break ;
+        case 'R' : newroot = l.arg ; break ;
+        case 'b' : if (!uint0_scan(l.arg, &bufsize)) dieusage() ; break ;
+        case 'f' : cachelist = l.arg ; break ;
+        case 'T' : ops &= ~1 ; break ;
+        case 't' : ops |= 1 ; break ;
+        case 'N' : ops &= ~2 ; break ;
+        case 'n' : ops |= 2 ; break ;
+        default : dieusage() ;
+      }
+    }
+    argc -= l.ind ; argv += l.ind ;
+  }
+
+  {
+    int fd ;
+    char ip[4] ;
+    uint16_t port ;
+    size_t pos = ip4_scan(ipport, ip) ;
+    if (!pos) dieusage() ;
+    if (ipport[pos] != ':') dieusage() ;
+    if (!uint160_scan(ipport + pos + 1, &port)) dieusage() ;
+    fd = socket_udp4() ;
+    if (fd < 0) strerr_diefu1sys(111, "create UDP socket") ;
+    if (socket_bind4_reuse(fd, ip, port) < 0)
+    {
+      char fmti[IP4_FMT] ;
+      char fmtp[UINT16_FMT] ;
+      fmti[ip4_fmt(fmti, ip)] = 0 ;
+      fmtp[uint16_fmt(fmtp, port)] = 0 ;
+      strerr_diefu4sys(111, "bind on ip ", fmti, " port ", fmtp) ;
+    }
+    if (bufsize) socket_tryreservein(fd, bufsize) ;
+    if (fd_move(0, fd) < 0)
+      strerr_diefu1sys(111, "move file descriptors") ;
+  }
+
+  if (newroot)
+  {
+    if (chdir(newroot) < 0 || chroot(".") < 0)
+      strerr_diefu2sys(111, "chroot to ", newroot) ;
+  }
+
+  if (flagU)
+  {
+    char const *x = getenv("UID") ;
+    if (x && !uid0_scan(x, &uid))
+      strerr_dieinvalid(100, "UID") ;
+    x = getenv("GID") ;
+    if (x && !gid0_scan(x, &gid))
+      strerr_dieinvalid(100, "GID") ;
+  }
+  if (gid != (gid_t)-1 && setgid(gid) < 0)
+  {
+    char fmt[GID_FMT] ;
+    fmt[gid_fmt(fmt, gid)] = 0 ;
+    strerr_diefu2sys(111, "setgid to ", fmt) ;
+  }
+  if (uid != (uid_t)-1 && setuid(uid) < 0)
+  {
+    char fmt[UID_FMT] ;
+    fmt[uid_fmt(fmt, uid)] = 0 ;
+    strerr_diefu2sys(111, "setuid to ", fmt) ;
+  }
+
+  {
+    char const *newargv[10] = { "dnsfunneld" } ;
+    char const *newenvp[1] = { 0 } ;
+    unsigned int m = 1 ;
+    char fmtv[UINT_FMT] ;
+    char fmtn[UINT_FMT] ;
+    char fmto[UINT_FMT] ;
+    if (verbosity != 1)
+    {
+      fmtv[uint_fmt(fmtv, verbosity)] = 0 ;
+      newargv[m++] = "-v" ;
+      newargv[m++] = fmtv ;
+    }
+    if (notif)
+    {
+      fmtn[uint_fmt(fmtn, notif)] = 0 ;
+      newargv[m++] = "-d" ;
+      newargv[m++] = fmtn ;
+    }
+    if (ops)
+    {
+      fmto[uint_fmt(fmto, ops)] = 0 ;
+      newargv[m++] = "-o" ;
+      newargv[m++] = fmto ;
+    }   
+    newargv[m++] = "--" ;
+    newargv[m++] = cachelist ;
+    newargv[m++] = 0 ;
+    xexec_ae(DNSFUNNEL_BINPREFIX "dnsfunneld", newargv, newenvp) ;
+  }
+}
diff --git a/src/dnsfunnel/dnsfunnel-translate.c b/src/dnsfunnel/dnsfunnel-translate.c
new file mode 100644
index 0000000..70610b8
--- /dev/null
+++ b/src/dnsfunnel/dnsfunnel-translate.c
@@ -0,0 +1,93 @@
+/* ISC license. */
+
+#include <string.h>
+
+#include <skalibs/bytestr.h>
+#include <skalibs/sgetopt.h>
+#include <skalibs/buffer.h>
+#include <skalibs/fmtscan.h>
+#include <skalibs/strerr2.h>
+#include <skalibs/djbunix.h>
+#include <skalibs/ip46.h>
+
+#include <s6-dns/s6dns-constants.h>
+
+#include <dnsfunnel/config.h>
+
+#define USAGE "dnsfunnel-translate [ -i resolvconf ] [ -o cachelist ] [ -x ignoredip ]"
+#define dieusage() strerr_dieusage(100, USAGE)
+
+
+static size_t parse_nameservers (ip46_t *list, char const *file, char const *ignore)
+{
+  static char const zero[SKALIBS_IP_SIZE] = { 0 } ;
+  char buf[4096] ;
+  size_t n = 0, i = 0 ;
+  ssize_t len = openreadnclose(file, buf, 4095) ;
+  if (len < 0) strerr_diefu2sys(111, "open ", file) ;
+  buf[len++] = '\n' ;
+  while ((i < len) && (n < S6DNS_MAX_SERVERS))
+  {
+    size_t j = byte_chr(buf + i, len - i, '\n') ;
+    if ((i + j < len) && (j > 13U) && !memcmp("nameserver", buf + i, 10))
+    {
+      size_t k = 0 ;
+      while ((buf[i+10+k] == ' ') || (buf[i+10+k] == '\t')) k++ ;
+      if (k && ip46_scan(buf+i+10+k, list + n)
+       && memcmp(list[n].ip, zero, SKALIBS_IP_SIZE)
+       && (ip46_is6(list + n) || memcmp(list[n].ip, ignore, 4))
+      ) n++ ;
+    }
+    i += j + 1 ;
+  }
+  return n ;
+}
+
+
+int main (int argc, char const *const *argv)
+{
+  ip46_t list[S6DNS_MAX_SERVERS] = { IP46_ZERO } ;
+  char const *resolvconf = "/etc/resolv.conf" ;
+  char const *cachelist = DNSFUNNEL_DEFAULT_CACHELIST ;
+  char ignore[4] = "\177\0\0\1" ;
+  size_t n ;
+  PROG = "dnsfunnel-translate" ;
+  {
+    subgetopt_t l = SUBGETOPT_ZERO ;
+    for (;;)
+    {
+      int opt = subgetopt_r(argc, argv, "i:o:x:", &l) ;
+      if (opt == -1) break ;
+      switch (opt)
+      {
+        case 'i' : resolvconf = l.arg ; break ;
+        case 'o' : cachelist = l.arg ; break ;
+        case 'x' : if (!ip4_scan(l.arg, ignore)) dieusage() ; break ;
+        default : dieusage() ;
+      }
+    }
+    argc -= l.ind ; argv += l.ind ;
+  }
+
+  n = parse_nameservers(list, resolvconf, ignore) ;
+  if (!n) strerr_dief2x(1, "no suitable cache address in ", resolvconf) ;
+
+  {
+    char buf[4096] ;
+    buffer b ;
+    int fd = openc_trunc(cachelist) ;
+    if (fd < 0) strerr_diefu2sys(111, "open ", cachelist) ;
+    buffer_init(&b, &buffer_write, fd, buf, 4096) ;
+    for (size_t i = 0 ; i < n ; i++)
+    {
+      char fmt[IP46_FMT] ;
+      size_t len = ip46_fmt(fmt, list + i) ;
+      fmt[len++] = '\n' ;
+      if (buffer_put(&b, fmt, len) < len)
+        strerr_diefu2sys(111, "write to ", cachelist) ;
+    }
+    if (!buffer_flush(&b))
+      strerr_diefu2sys(111, "write to ", cachelist) ;
+  }
+  return 0 ;
+}
diff --git a/src/dnsfunnel/dnsfunneld.c b/src/dnsfunnel/dnsfunneld.c
new file mode 100644
index 0000000..bd4dc89
--- /dev/null
+++ b/src/dnsfunnel/dnsfunneld.c
@@ -0,0 +1,305 @@
+/* ISC license. */
+
+#include <stdint.h>
+#include <string.h>
+#include <signal.h>
+#include <fcntl.h>
+#include <errno.h>
+
+#include <skalibs/uint32.h>
+#include <skalibs/types.h>
+#include <skalibs/allreadwrite.h>
+#include <skalibs/error.h>
+#include <skalibs/bitarray.h>
+#include <skalibs/strerr2.h>
+#include <skalibs/sgetopt.h>
+#include <skalibs/stralloc.h>
+#include <skalibs/sig.h>
+#include <skalibs/socket.h>
+#include <skalibs/tai.h>
+#include <skalibs/djbunix.h>
+#include <skalibs/iopause.h>
+#include <skalibs/selfpipe.h>
+#include <skalibs/gensetdyn.h>
+
+#include <s6-dns/s6dns.h>
+
+#include "dnsfunneld.h"
+
+#define USAGE "dnsfunneld [ -v verbosity ] [ -d notif ] [ -o operations ] cachelist"
+#define dieusage() strerr_dieusage(100, USAGE)
+
+#define DNSFUNNELD_INPUT_MAX 64
+
+unsigned int verbosity = 1 ;
+static tain_t globaltto = TAIN_INFINITE_RELATIVE ;
+static int cont = 1 ;
+static char const *cachelistfile = 0 ;
+static s6dns_ip46list_t cachelist ;
+static uint32_t ops = 0 ;
+
+static inline void X (void)
+{
+  strerr_dief1x(101, "internal inconsistency. Please submit a bug-report.") ;
+}
+
+static inline void s6dns_ip46list_copy (s6dns_ip46list_t *dst, ip46full_t const *src, size_t n)
+{
+  if (n >= S6DNS_MAX_SERVERS) n = S6DNS_MAX_SERVERS - 1 ;
+  for (size_t i = 0 ; i < n ; i++)
+  {
+    memcpy(dst->ip + i * SKALIBS_IP_SIZE, src[i].ip, SKALIBS_IP_SIZE) ;
+#ifdef SKALIBS_IPV6_ENABLED
+    bitarray_poke(dst->is6, i, ip46_is6(src + i)) ;
+#endif
+  }
+  memset(dst->ip + n * SKALIBS_IP_SIZE, 0, SKALIBS_IP_SIZE) ;
+}
+
+static int load_cachelist (int initial)
+{
+  char buf[4096] ;
+  ip46full_t list[S6DNS_MAX_SERVERS] ;
+  size_t n ;
+  ssize_t r = openreadnclose_nb(cachelistfile, buf, 4095) ;
+  if (r < 0) return -1 ;
+  buf[r++] = 0 ;
+  ip46_scanlist(list, S6DNS_MAX_SERVERS, buf, &n) ;
+  if (!n) return -2 ;
+  s6dns_ip46list_copy(&cachelist, list, n) ;
+  return 0 ;
+}
+
+static inline void handle_signals (void)
+{
+  for (;;)
+  {
+    switch (selfpipe_read())
+    {
+      case -1 : strerr_diefu1sys(111, "read from selfpipe") ;
+      case 0 : return ;
+      case SIGTERM : cont = 0 ; break ;
+      case SIGHUP :
+      {
+        switch (load_cachelist(0))
+        {
+          case 0 : query_process_reload() ; break ;
+          case -1 : strerr_warnwu2sys("read ", cachelistfile) ; break ;
+          case -2 : strerr_warnw2x("invalid cache list in ", cachelistfile) ; break ;
+          default : X() ;
+        }
+        break ;
+      }
+      default : X() ;
+    }
+  }
+}
+
+static dfquery_t const dfquery_zero = DFQUERY_ZERO ;
+static gensetdyn queries = GENSETDYN_INIT(dfquery_t, 16, 3, 8) ;
+static uint32_t sentinel ;
+#define inflight (gensetdyn_n(&queries) - 1)
+#define QUERY(i) GENSETDYN_P(dfquery_t, &queries, i)
+
+void query_new (s6dns_domain_t const *d, uint16_t qtype, uint16_t id, uint32_t ip, uint16_t port, uint32_t procid)
+{
+  dfquery_t q =
+  {
+    .next = QUERY(sentinel)->next,
+    .xindex = 0,
+    .procid = procid,
+    .ip = ip,
+    .port = port,
+    .id = id,
+    .dt = S6DNS_ENGINE_ZERO
+  } ;
+  tain_t deadline ;
+  uint32_t i ;
+  if (!gensetdyn_new(&queries, &i))
+    strerr_diefu1sys(111, "create new query") ;
+  tain_add_g(&deadline, &globaltto) ;
+  if (!s6dns_engine_init_g(&q.dt, &cachelist, S6DNS_O_RECURSIVE, d->s, d->len, qtype, &deadline))
+    strerr_diefu1sys(111, "start new query") ;
+  *QUERY(i) = q ;
+  QUERY(sentinel)->next = i ;
+}
+
+static inline void sanitize_and_new (char const *buf, unsigned int len, char const *ippack, uint16_t port)
+{
+  s6dns_domain_t d ;
+  uint32_t ip ;
+  unsigned int pos ;
+  s6dns_message_header_t hdr ;
+  s6dns_message_counts_t counts ;
+  uint16_t qtype ;
+  if (!s6dns_message_parse_init(&hdr, &counts, buf, len, &pos)
+   || hdr.qr
+   || hdr.opcode
+   || !hdr.rd
+   || hdr.counts.qd != 1 || hdr.counts.an || hdr.counts.ns || hdr.counts.nr
+   || !s6dns_message_parse_question(&counts, &d, &qtype, buf, len, &pos))
+    return ;
+  uint32_unpack_big(ippack, &ip) ;
+  if (ops) query_process_question(ops, &d, qtype, hdr.id, ip, port) ;
+  else query_new(&d, qtype, hdr.id, ip, port, 0) ;
+}
+
+int main (int argc, char const *const *argv)
+{
+  int spfd = -1 ;
+  int notif = -1 ;
+  PROG = "dnsfunneld" ;
+  {
+    subgetopt_t l = SUBGETOPT_ZERO ;
+    for (;;)
+    {
+      int opt = subgetopt_r(argc, argv, "v:d:o:", &l) ;
+      if (opt == -1) break ;
+      switch (opt)
+      {
+        case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ;
+        case 'd' : if (!uint0_scan(l.arg, (unsigned int *)&notif)) dieusage() ; break ;
+        case 'o' : if (!uint320_scan(l.arg, &ops)) dieusage() ; break ;
+        default : dieusage() ;
+      }
+    }
+    argc -= l.ind ; argv += l.ind ;
+    if (!argc) dieusage() ;
+  }
+  if (notif >= 0)
+  {
+    if (notif < 3) strerr_dief1x(100, "notification fd must be 3 or more") ;
+    if (fcntl(notif, F_GETFD) < 0) strerr_dief1sys(100, "invalid notification fd") ;
+  }
+
+  if (ndelay_on(0) < 0) strerr_diefu1sys(111, "turn stdin non-blocking") ;
+  if (sig_ignore(SIGPIPE) < 0) strerr_diefu1sys(111, "ignore SIGPIPE") ;
+  cachelistfile = argv[0] ;
+  switch (load_cachelist(1))
+  {
+    case 0 : break ;
+    case -1 : strerr_diefu2sys(111, "read ", cachelistfile) ;
+    case -2 : strerr_dief2x(100, "invalid cache list in ", cachelistfile) ;
+    default : X() ;
+  }
+  if (!s6dns_init()) strerr_diefu1sys(111, "s6dns_init") ;
+  spfd = selfpipe_init() ;
+  if (spfd < 0) strerr_diefu1sys(111, "init selfpipe") ;
+  {
+    sigset_t set ;
+    sigemptyset(&set) ;
+    sigaddset(&set, SIGTERM) ;
+    sigaddset(&set, SIGHUP) ;
+    if (selfpipe_trapset(&set) < 0) strerr_diefu1sys(111, "trap signals") ;
+  }
+  if (!gensetdyn_new(&queries, &sentinel))
+    strerr_diefu1sys(111, "initialize query structure") ;
+  *QUERY(sentinel) = dfquery_zero ;
+  QUERY(sentinel)->next = sentinel ;
+  if (!query_process_init())
+    strerr_diefu1sys(111, "initialize query processing") ;
+  tain_now_set_stopwatch_g() ;
+
+  if (notif >= 0)
+  {
+    fd_write(notif, "\n", 1) ;
+    fd_close(notif) ;
+  }
+                  
+  for (;;)                
+  {
+    tain_t deadline = TAIN_INFINITE ;
+    uint32_t i = QUERY(sentinel)->next ;
+    uint32_t j = 2 ;
+    int r ;
+    iopause_fd x[2 + inflight] ;
+  
+    x[0].fd = spfd ;
+    x[0].events = IOPAUSE_READ ;
+    x[1].fd = 0 ;
+    x[1].events = (cont ? IOPAUSE_READ : 0) | (dfanswer_pending() ? IOPAUSE_WRITE : 0) ;
+    if (!x[1].events && !inflight) break ;
+
+    while (i != sentinel)
+    {
+      dfquery_t *q = QUERY(i) ;
+      s6dns_engine_nextdeadline(&q->dt, &deadline) ;
+      x[j].fd = q->dt.fd ;
+      x[j].events = 0 ;
+      if (s6dns_engine_isreadable(&q->dt)) x[j].events |= IOPAUSE_READ ;
+      if (s6dns_engine_iswritable(&q->dt)) x[j].events |= IOPAUSE_WRITE ;
+      q->xindex = j++ ;
+      i = q->next ;
+    }
+
+    r = iopause_g(x, j, &deadline) ;
+    if (r < 0) strerr_diefu1sys(111, "iopause") ;
+
+    if (!r) 
+    {
+      i = QUERY(sentinel)->next ;
+      j = sentinel ;
+      while (i != sentinel)
+      {
+        dfquery_t *q = QUERY(i) ;
+        uint32_t k = q->next ;
+        if (s6dns_engine_timeout_g(&q->dt))
+        {
+          query_process_response_failure(ops, q) ;
+          QUERY(j)->next = k ;
+          stralloc_free(&q->dt.sa) ;
+          gensetdyn_delete(&queries, i) ;
+        }
+        else j = i ;
+        i = k ;
+      }
+      continue ;
+    }
+
+    if (x[0].revents & IOPAUSE_READ) handle_signals() ;
+
+    if (x[1].revents & IOPAUSE_WRITE)
+    {
+      int r = dfanswer_flush() ;
+      if (r < 0) strerr_diefu1sys(111, "send DNS answer to client") ;
+    }
+                        
+    i = QUERY(sentinel)->next ;
+    j = sentinel ;
+    while (i != sentinel)
+    {
+      dfquery_t *q = QUERY(i) ;
+      uint32_t k = q->next ;
+      int r = s6dns_engine_event_g(&q->dt) ;
+      if (r)
+      {
+        if (r > 0) query_process_response_success(ops, q) ;
+        else query_process_response_failure(ops, q) ;
+        QUERY(j)->next = k ;
+        if (r > 0) s6dns_engine_free(&q->dt) ;
+        else stralloc_free(&q->dt.sa) ;
+        gensetdyn_delete(&queries, i) ;
+      }
+      else j = i ;
+      i = k ;
+    }
+
+    if (x[0].revents & IOPAUSE_READ)
+    {
+      uint32_t n = DNSFUNNELD_INPUT_MAX ;
+      while (n--)
+      {
+        char ip[4] ;
+        uint16_t port ;
+        char buf[512] ;
+        ssize_t r = socket_recv4(0, buf, 512, ip, &port) ;
+        if (r < 0)
+          if (error_isagain(errno)) break ;
+          else strerr_diefu1sys(111, "socket_recv") ;
+        else if (!r) continue ;
+        else sanitize_and_new(buf, r, ip, port) ;
+      }
+    }
+  }
+  return 0 ;
+}
diff --git a/src/dnsfunnel/dnsfunneld.h b/src/dnsfunnel/dnsfunneld.h
new file mode 100644
index 0000000..9fc0bbf
--- /dev/null
+++ b/src/dnsfunnel/dnsfunneld.h
@@ -0,0 +1,44 @@
+/* ISC license. */
+
+#ifndef DNSFUNNELD_H
+#define DNSFUNNELD_H
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include <skalibs/gensetdyn.h>
+
+#include <s6-dns/s6dns-domain.h>
+#include <s6-dns/s6dns-engine.h>
+
+typedef struct dfquery_s dfquery_t, *dfquery_t_ref ;
+struct dfquery_s
+{
+  uint32_t next ;
+  uint32_t xindex ;
+  uint32_t procid ;
+  uint32_t ip ;
+  uint16_t port ;
+  uint16_t id ;
+  s6dns_engine_t dt ;
+} ;
+#define DFQUERY_ZERO { .next = 0, .xindex = 0, .procid = 0, .ip = 0, .port = 0, .id = 0, .dt = S6DNS_ENGINE_ZERO }
+
+extern unsigned int verbosity ;
+extern size_t dfanswer_pending (void) ;
+extern int dfanswer_flush (void) ;
+extern void dfanswer_fail (dfquery_t const *) ;
+extern void dfanswer_nxdomain (dfquery_t const *) ;
+extern void dfanswer_nodata (dfquery_t const *) ;
+extern void dfanswer_pass (dfquery_t const *, char *, unsigned int) ;
+
+
+extern void query_new (s6dns_domain_t const *, uint16_t, uint16_t, uint32_t, uint16_t, uint32_t) ;
+
+extern int query_process_init (void) ;
+extern void query_process_reload (void) ;
+extern void query_process_question (uint32_t, s6dns_domain_t const *, uint16_t, uint16_t, uint32_t, uint16_t) ;
+extern void query_process_response_failure (uint32_t, dfquery_t const *) ;
+extern void query_process_response_success (uint32_t, dfquery_t const *) ;
+
+#endif
diff --git a/src/dnsfunnel/dnsfunneld_answer.c b/src/dnsfunnel/dnsfunneld_answer.c
new file mode 100644
index 0000000..a6ee526
--- /dev/null
+++ b/src/dnsfunnel/dnsfunneld_answer.c
@@ -0,0 +1,132 @@
+/* ISC license. */
+
+#include <errno.h>
+#include <stdint.h>
+#include <string.h>
+
+#include <skalibs/uint16.h>
+#include <skalibs/uint32.h>
+#include <skalibs/error.h>
+#include <skalibs/strerr2.h>
+#include <skalibs/genqdyn.h>
+#include <skalibs/socket.h>
+
+#include <s6-dns/s6dns-message.h>
+
+#include "dnsfunneld.h"
+
+typedef struct dfanswer_s dfanswer_t, *dfanswer_t_ref ;
+struct dfanswer_s
+{
+  char buf[512] ;
+  char ip[4] ;
+  uint16_t len ;
+  uint16_t port ;
+} ;
+#define DFANSWER_ZERO { .buf = { 0 }, .ip = "\0\0\0", .len = 0, .port = 0 }
+
+static genqdyn dfanswers = GENQDYN_INIT(dfanswer_t, 1, 8) ;
+
+size_t dfanswer_pending ()
+{
+  return genqdyn_n(&dfanswers) ;
+}
+
+static void dfanswer_push (char const *s, size_t len, uint32_t ip, uint16_t port)
+{
+  if (len > 510)
+  {
+    if (verbosity)
+      strerr_warnw1x("answer too big, dropping - enable truncation to avoid this") ;
+  }
+  else
+  {
+    dfanswer_t ans = { .len = len, .port = port } ;
+    uint16_pack_big(ans.buf, ans.len) ;
+    memcpy(ans.buf, s+2, len) ;
+    uint32_pack_big(ans.ip, ip) ;
+    if (!genqdyn_push(&dfanswers, &ans))
+      strerr_diefu1sys(111, "queue answer to client") ;
+  }
+}
+
+int dfanswer_flush ()
+{
+  while (dfanswer_pending())
+  {
+    dfanswer_t *ans = GENQDYN_PEEK(dfanswer_t, &dfanswers) ;
+    if (socket_send4(0, ans->buf, ans->len, ans->ip, ans->port) < 0)
+      return error_isagain(errno) ? (errno = 0, 0) : -1 ;
+    genqdyn_pop(&dfanswers) ;
+  }
+  return 1 ;
+}
+
+void dfanswer_fail (dfquery_t const *q)
+{
+  char buf[510] ;
+  uint16_t len ;
+  s6dns_message_header_t hdr ;
+  uint16_unpack_big(q->dt.sa.s, &len) ;
+  memcpy(buf, q->dt.sa.s + 2, len) ;
+  s6dns_message_header_unpack(buf, &hdr) ;
+  hdr.id = q->id ;
+  hdr.qr = 1 ;
+  hdr.aa = 0 ;
+  hdr.tc = 0 ;
+  hdr.rd = 1 ;
+  hdr.ra = 1 ;
+  hdr.z = 0 ;
+  hdr.rcode = 2 ;  /* servfail */
+  s6dns_message_header_pack(buf, &hdr) ;
+  dfanswer_push(buf, len, q->ip, q->port) ;
+}
+
+void dfanswer_nxdomain (dfquery_t const *q)
+{
+  char buf[510] ;
+  uint16_t len ;
+  s6dns_message_header_t hdr ;
+  uint16_unpack_big(q->dt.sa.s, &len) ;
+  memcpy(buf, q->dt.sa.s + 2, len) ;
+  s6dns_message_header_unpack(buf, &hdr) ;
+  hdr.id = q->id ;
+  hdr.qr = 1 ;
+  hdr.aa = 1 ;
+  hdr.tc = 0 ;
+  hdr.rd = 1 ;
+  hdr.ra = 1 ;
+  hdr.z = 0 ;
+  hdr.rcode = 3 ;  /* nxdomain */
+  s6dns_message_header_pack(buf, &hdr) ;
+  dfanswer_push(buf, len, q->ip, q->port) ;
+}
+
+void dfanswer_nodata (dfquery_t const *q)
+{
+  char buf[510] ;
+  uint16_t len ;
+  s6dns_message_header_t hdr ;
+  uint16_unpack_big(q->dt.sa.s, &len) ;
+  memcpy(buf, q->dt.sa.s + 2, len) ;
+  s6dns_message_header_unpack(buf, &hdr) ;
+  hdr.id = q->id ;
+  hdr.qr = 1 ;
+  hdr.aa = 1 ;
+  hdr.tc = 0 ;
+  hdr.rd = 1 ;
+  hdr.ra = 1 ;
+  hdr.z = 0 ;
+  hdr.rcode = 0 ;  /* success */
+  s6dns_message_header_pack(buf, &hdr) ;
+  dfanswer_push(buf, len, q->ip, q->port) ;
+}
+
+void dfanswer_pass (dfquery_t const *q, char *s, unsigned int len)
+{
+  s6dns_message_header_t hdr ;
+  s6dns_message_header_unpack(s, &hdr) ;
+  hdr.id = q->id ;
+  s6dns_message_header_pack(s, &hdr) ;
+  dfanswer_push(s, len, q->ip, q->port) ;
+}
diff --git a/src/dnsfunnel/dnsfunneld_process.c b/src/dnsfunnel/dnsfunneld_process.c
new file mode 100644
index 0000000..9d90289
--- /dev/null
+++ b/src/dnsfunnel/dnsfunneld_process.c
@@ -0,0 +1,136 @@
+/* ISC license. */
+
+#include <stdint.h>
+
+#include <skalibs/uint16.h>
+#include <skalibs/strerr2.h>
+#include <skalibs/gensetdyn.h>
+
+#include <s6-dns/s6dns-constants.h>
+#include <s6-dns/s6dns-domain.h>
+#include <s6-dns/s6dns-message.h>
+#include <s6-dns/s6dns-engine.h>
+
+#include "dnsfunneld.h"
+
+static gensetdyn rinfo = GENSETDYN_INIT(uint8_t, 16, 3, 8) ;
+#define RINFO(i) GENSETDYN_P(uint8_t, &rinfo, i)
+
+int query_process_init ()
+{
+  return 1 ;
+}
+
+void query_process_reload ()
+{
+}
+
+void query_process_question (uint32_t ops, s6dns_domain_t const *d, uint16_t qtype, uint16_t id, uint32_t ip, uint16_t port)
+{
+  if (ops & 2 && (qtype == S6DNS_T_A || qtype == S6DNS_T_AAAA))
+  {
+    uint32_t i ;
+    if (!gensetdyn_new(&rinfo, &i)) strerr_diefu1sys(111, "process query") ;
+    *RINFO(i) = (qtype == S6DNS_T_AAAA) << 7 ;
+    query_new(d, S6DNS_T_A, id, ip, port, i+1) ;
+    query_new(d, S6DNS_T_AAAA, id, ip, port, i+1) ; 
+  }
+  else query_new(d, qtype, id, ip, port, 0) ;
+}
+
+static inline unsigned int truncate_packet (char *s, unsigned int olen)
+{
+  s6dns_message_header_t hdr ;
+  s6dns_message_counts_t counts ;
+  unsigned int section ;
+  unsigned int pos ;
+  if (!s6dns_message_parse_init(&hdr, &counts, s, olen, &pos)) return 0 ;
+  if (hdr.rcode) return 0 ;
+  section = s6dns_message_parse_skipqd(&counts, s, olen, &pos) ;
+  while (section)
+  {
+    s6dns_message_rr_t rr ;
+    s6dns_message_counts_t newcounts = counts ;
+    unsigned int tmp = pos ;
+    if (!s6dns_message_parse_getrr(&rr, s, olen, &tmp)) return 0 ;
+    section = s6dns_message_parse_next(&newcounts, &rr, s, olen, &tmp) ;
+    if (tmp > 510)
+    {
+      hdr.counts.qd -= counts.qd ;
+      hdr.counts.an -= counts.an ;
+      hdr.counts.ns -= counts.ns ;
+      hdr.counts.nr -= counts.nr ;
+      s6dns_message_header_pack(s, &hdr) ;
+      return pos ;
+    }
+    pos = tmp ;
+    counts = newcounts ;
+  }
+  return olen ;
+}
+
+static inline uint16_t extract_qtype (dfquery_t const *q)
+{
+  s6dns_domain_t name ;
+  uint16_t qtype ;
+  uint16_t len ;
+  s6dns_message_header_t hdr ;
+  s6dns_message_counts_t counts ;
+  unsigned int pos ;
+  uint16_unpack_big(q->dt.sa.s, &len) ;
+  if (!s6dns_message_parse_init(&hdr, &counts, q->dt.sa.s + 2, len, &pos)) return 0 ;
+  if (!s6dns_message_parse_question(&counts, &name, &qtype, q->dt.sa.s + 2, len, &pos)) return 0 ;
+  return qtype ;
+}
+
+static int isnxdomain (dfquery_t const *q)
+{
+  s6dns_message_header_t hdr ;
+  s6dns_message_counts_t counts ;
+  unsigned int pos ;
+  if (!s6dns_message_parse_init(&hdr, &counts, s6dns_engine_packet(&q->dt), s6dns_engine_packetlen(&q->dt), &pos)) return 0 ;
+  return hdr.rcode == 3 ;
+}
+
+static int input_event (dfquery_t const *q, unsigned int ev)
+{
+  static uint8_t const table[5][6] =
+  {
+    { 0x11, 0x03, 0x81, 0x02, 0x02, 0x04 },
+    { 0x06, 0x06, 0x06, 0x05, 0x05, 0x05 },
+    { 0x15, 0x25, 0x85, 0x06, 0x06, 0x06 },
+    { 0x06, 0x06, 0x06, 0x25, 0x25, 0x45 },
+    { 0x15, 0x45, 0x85, 0x06, 0x06, 0x06 }
+  } ;
+  uint8_t b = *RINFO(q->procid - 1) ;
+  uint8_t isaux = 3 * (b >> 7 != (extract_qtype(q) == S6DNS_T_AAAA)) ;
+  uint8_t state = (b >> isaux) & 7 ;
+  uint8_t c = table[state][ev + isaux] ;
+  state = c & 7 ;
+  *RINFO(q->procid - 1) = (b & ~(7 << isaux)) | (state << isaux) ;
+  if (c & 0x10) dfanswer_fail(q) ;
+  if (c & 0x20) dfanswer_nxdomain(q) ;
+  if (c & 0x40) dfanswer_nodata(q) ;
+  if (c & 0x80) dfanswer_pass(q, s6dns_engine_packet(&q->dt), s6dns_engine_packetlen(&q->dt)) ;
+  if (state >= 6) strerr_dief1x(101, "problem in main/aux transition table; please submit a bug-report.") ;
+  if (state == 5) gensetdyn_delete(&rinfo, q->procid - 1) ;
+  return !!(c & 0xf0) ;
+}
+
+void query_process_response_failure (uint32_t ops, dfquery_t const *q)
+{
+  if (ops & 2 && q->procid && input_event(q, 0)) return ;
+  else dfanswer_fail(q) ;
+}
+
+void query_process_response_success (uint32_t ops, dfquery_t const *q)
+{
+  if (ops & 2 && q->procid && input_event(q, 1 + !isnxdomain(q))) return ;
+  if (ops & 1 && s6dns_engine_packetlen(&q->dt) > 510)
+  {
+    unsigned int len = truncate_packet(s6dns_engine_packet(&q->dt), s6dns_engine_packetlen(&q->dt)) ;
+    if (!len) dfanswer_fail(q) ;
+    else dfanswer_pass(q, s6dns_engine_packet(&q->dt), len) ;
+  }
+  else dfanswer_pass(q, s6dns_engine_packet(&q->dt), s6dns_engine_packetlen(&q->dt)) ;
+}
diff --git a/tools/gen-deps.sh b/tools/gen-deps.sh
new file mode 100755
index 0000000..27e5b3e
--- /dev/null
+++ b/tools/gen-deps.sh
@@ -0,0 +1,93 @@
+#!/bin/sh -e
+
+. package/info
+
+echo '#'
+echo '# This file has been generated by tools/gen-deps.sh'
+echo '#'
+echo
+
+for dir in src/include/${package} src/* ; do
+  for file in $(ls -1 $dir | grep -- \\.h$) ; do
+    {
+      grep -F -- "#include <${package}/" < ${dir}/$file | cut -d'<' -f2 | cut -d'>' -f1 ;
+      grep -- '#include ".*\.h"' < ${dir}/$file | cut -d'"' -f2
+    } | sort -u | {
+      deps=
+      while read dep ; do
+        if echo $dep | grep -q "^${package}/" ; then
+          deps="$deps src/include/$dep"
+        elif test -f "${dir}/$dep" ; then
+          deps="$deps ${dir}/$dep"
+        else
+          deps="$deps src/include-local/$dep"
+        fi
+      done
+      if test -n "$deps" ; then
+        echo "${dir}/${file}:${deps}"
+      fi
+    }
+  done
+done
+
+for dir in src/* ; do
+  for file in $(ls -1 $dir | grep -- \\.c$) ; do
+    {
+      grep -F -- "#include <${package}/" < ${dir}/$file | cut -d'<' -f2 | cut -d'>' -f1 ;
+      grep -- '#include ".*\.h"' < ${dir}/$file | cut -d'"' -f2
+    } | sort -u | {
+      deps=" ${dir}/$file"
+      while read dep ; do
+        if echo $dep | grep -q "^${package}/" ; then
+          deps="$deps src/include/$dep"
+        elif test -f "${dir}/$dep" ; then
+          deps="$deps ${dir}/$dep"
+        else
+          deps="$deps src/include-local/$dep"
+        fi
+      done
+      o=$(echo $file | sed s/\\.c$/.o/)
+      lo=$(echo $file | sed s/\\.c$/.lo/)
+      echo "${dir}/${o} ${dir}/${lo}:${deps}"
+    }
+  done
+done
+echo
+
+for dir in $(ls -1 src | grep -v ^include) ; do
+  for file in $(ls -1 src/$dir/deps-lib) ; do
+    deps=
+    libs=
+    while read dep ; do
+      if echo $dep | grep -q -e ^-l -e '^\${.*_LIB}' ; then
+        libs="$libs $dep"
+      else
+        deps="$deps src/$dir/$dep"
+      fi
+    done < src/$dir/deps-lib/$file
+    echo 'ifeq ($(strip $(STATIC_LIBS_ARE_PIC)),)'
+    echo "lib${file}.a.xyzzy:$deps"
+    echo else
+    echo "lib${file}.a.xyzzy:$(echo "$deps" | sed 's/\.o/.lo/g')"
+    echo endif
+    echo "lib${file}.so.xyzzy: EXTRA_LIBS :=$libs"
+    echo "lib${file}.so.xyzzy:$(echo "$deps" | sed 's/\.o/.lo/g')"
+  done
+
+  for file in $(ls -1 src/$dir/deps-exe) ; do
+    deps=
+    libs=
+    while read dep ; do
+      if echo $dep | grep -q -- \\.o$ ; then
+        dep="src/$dir/$dep"
+      fi
+      if echo $dep | grep -q -e ^-l -e '^\${.*_LIB}' ; then
+        libs="$libs $dep"
+      else
+        deps="$deps $dep"
+      fi
+    done < src/$dir/deps-exe/$file
+    echo "$file: EXTRA_LIBS :=$libs"
+    echo "$file: src/$dir/$file.o$deps"
+  done
+done
diff --git a/tools/install.sh b/tools/install.sh
new file mode 100755
index 0000000..89f9428
--- /dev/null
+++ b/tools/install.sh
@@ -0,0 +1,64 @@
+#!/bin/sh
+
+usage() {
+  echo "usage: $0 [-D] [-l] [-m mode] src dst" 1>&2
+  exit 1
+}
+
+mkdirp=false
+symlink=false
+mode=0755
+
+while getopts Dlm: name ; do
+  case "$name" in
+    D) mkdirp=true ;;
+    l) symlink=true ;;
+    m) mode=$OPTARG ;;
+    ?) usage ;;
+  esac
+done
+shift $(($OPTIND - 1))
+
+test "$#" -eq 2 || usage
+src=$1
+dst=$2
+tmp="$dst.tmp.$$"
+
+case "$dst" in
+  */) echo "$0: $dst ends in /" 1>&2 ; exit 1 ;;
+esac
+
+set -C
+set -e
+
+if $mkdirp ; then
+  umask 022
+  case "$2" in
+    */*) mkdir -p "${dst%/*}" ;;
+  esac
+fi
+
+trap 'rm -f "$tmp"' EXIT INT QUIT TERM HUP
+
+umask 077
+
+if $symlink ; then
+  ln -s "$src" "$tmp"
+else
+  cat < "$1" > "$tmp"
+  chmod "$mode" "$tmp"
+fi
+
+mv -f "$tmp" "$dst"
+if test -d "$dst" ; then
+  rm -f "$dst/$(basename $tmp)"
+  if $symlink ; then
+    mkdir "$tmp"
+    ln -s "$src" "$tmp/$(basename $dst)"
+    mv -f "$tmp/$(basename $dst)" "${dst%/*}"
+    rmdir "$tmp"
+  else
+    echo "$0: $dst is a directory" 1>&2
+    exit 1
+  fi
+fi