more dns cookie handling code

2020-07-02 14:21:47 +00:00
parent fe478e954d
commit 5fdf4f780d
6 changed files with 225 additions and 84 deletions
--- a/mio/Makefile.in
+++ b/mio/Makefile.in
@ -164,8 +164,8 @@ am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/ac/ar-lib \
 	$(top_srcdir)/ac/compile $(top_srcdir)/ac/config.guess \
 	$(top_srcdir)/ac/config.sub $(top_srcdir)/ac/install-sh \
 	$(top_srcdir)/ac/ltmain.sh $(top_srcdir)/ac/missing ac/ar-lib \
-	ac/compile ac/config.guess ac/config.sub ac/install-sh \
-	ac/ltmain.sh ac/missing
+	ac/compile ac/config.guess ac/config.sub ac/depcomp \
+	ac/install-sh ac/ltmain.sh ac/missing
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 distdir = $(PACKAGE)-$(VERSION)
 top_distdir = $(distdir)
--- a/mio/bin/t01.c
+++ b/mio/bin/t01.c
@ -697,21 +697,28 @@ int z = 0;

 static void on_dnc_resolve(mio_svc_dnc_t* dnc, mio_dns_msg_t* reqmsg, mio_errnum_t status, const void* data, mio_oow_t dlen)
 {
-	mio_dns_pkt_info_t* pi = MIO_NULL;
+	mio_dns_pkt_info_t* pi = (mio_dns_pkt_info_t*)data;

-	if (data) // status == MIO_ENOERR
+	if (pi) // status == MIO_ENOERR
 	{
 		mio_uint32_t i;

-		pi = mio_dns_make_packet_info(mio_svc_dnc_getmio(dnc), data, dlen);
-		if (!pi) goto no_data;
-
-		if (pi->hdr.rcode != MIO_DNS_RCODE_NOERROR) goto no_data;
-
-		if (pi->ancount < 0) goto no_data;

 		printf (">>>>>>>> RRDLEN = %d\n", (int)pi->_rrdlen);
 		printf (">>>>>>>> RCODE %d EDNS exist %d uplen %d version %d dnssecok %d\n", pi->hdr.rcode, pi->edns.exist, pi->edns.uplen, pi->edns.version, pi->edns.dnssecok);
+		if (pi->hdr.rcode == MIO_DNS_RCODE_BADCOOKIE)
+		{
+			/* TODO: must retry */
+		}
+
+		if (pi->edns.cookie.client_len > 0 && !pi->edns.cookie_verified) /* TODO: do i need to check if cookie.server_len > 0? */
+		{
+			/* client cookie is bad.. */
+			printf ("CLIENT COOKIE IS BAD>>>>>>>>>>>>>>>>>>>\n");
+		}
+
+		//if (pi->hdr.rcode != MIO_DNS_RCODE_NOERROR) goto no_data;
+		if (pi->ancount < 0) goto no_data;

 		for (i = 0; i < pi->ancount; i++)
 		{
@ -763,7 +770,8 @@ static void on_dnc_resolve(mio_svc_dnc_t* dnc, mio_dns_msg_t* reqmsg, mio_errnum
 	}

 done:
-	if (pi) mio_dns_free_packet_info(mio_svc_dnc_getmio(dnc), pi);
+	/* nothing special */
+	return;
 }

 static void on_dnc_resolve_brief (mio_svc_dnc_t* dnc, mio_dns_msg_t* reqmsg, mio_errnum_t status, const void* data, mio_oow_t dlen)
@ -971,6 +979,32 @@ static void handle_signal (int sig)
 	if (g_mio) mio_stop (g_mio, MIO_STOPREQ_TERMINATION);
 }

+static int schedule_timer_job_after (mio_t* mio, const mio_ntime_t* fire_after, mio_tmrjob_handler_t handler, void* ctx)
+{
+	mio_tmrjob_t tmrjob;
+
+	memset (&tmrjob, 0, MIO_SIZEOF(tmrjob));
+	tmrjob.ctx = ctx;
+
+	mio_gettime (mio, &tmrjob.when);
+	MIO_ADD_NTIME (&tmrjob.when, &tmrjob.when, fire_after);
+
+	tmrjob.handler = handler;
+	tmrjob.idxptr = MIO_NULL;
+
+	return mio_instmrjob(mio, &tmrjob);
+}
+
+
+static void send_test_query (mio_t* mio, const mio_ntime_t* now, mio_tmrjob_t* job)
+{
+	//if (!mio_svc_dnc_resolve((mio_svc_dnc_t*)job->ctx, "www.microsoft.com", MIO_DNS_RRT_CNAME, MIO_SVC_DNC_RESOLVE_FLAG_COOKIE, on_dnc_resolve, 0))
+	if (!mio_svc_dnc_resolve((mio_svc_dnc_t*)job->ctx, "mailserver.manyhost.net", MIO_DNS_RRT_A, MIO_SVC_DNC_RESOLVE_FLAG_COOKIE, on_dnc_resolve, 0))
+	{
+		printf ("resolve attempt failure ---> mailserver.manyhost.net\n");
+	}
+}
+
 int main (int argc, char* argv[])
 {
 	int i;
@ -1183,7 +1217,9 @@ for (i = 0; i < 5; i++)
 	reply_tmout.sec = 1;
 	reply_tmout.nsec = 0;

-	mio_bcstrtoskad (mio, "8.8.8.8:53", &servaddr);
+	//mio_bcstrtoskad (mio, "8.8.8.8:53", &servaddr);
+	//mio_bcstrtoskad (mio, "130.59.31.29:53", &servaddr); // ns2.switch.ch
+	mio_bcstrtoskad (mio, "134.119.216.86:53", &servaddr); // ns.manyhost.net
 	//mio_bcstrtoskad (mio, "[fe80::c7e2:bd6e:1209:ac1b]:1153", &servaddr);
 	//mio_bcstrtoskad (mio, "[fe80::c7e2:bd6e:1209:ac1b%eno1]:1153", &servaddr);

@ -1191,11 +1227,17 @@ for (i = 0; i < 5; i++)
 	mio_bcstrtoskad (mio, "0.0.0.0:9988", &htts_bind_addr);

 	dnc = mio_svc_dnc_start(mio, &servaddr, MIO_NULL, &send_tmout, &reply_tmout, 2); /* option - send to all, send one by one */
+	if (!dnc)
+	{
+		MIO_INFO1 (mio, "UNABLE TO START DNC - %js\n", mio_geterrmsg(mio));
+	}
+
 	htts = mio_svc_htts_start(mio, &htts_bind_addr, process_http_request);
 	if (htts) mio_svc_htts_setservernamewithbcstr (htts, "MIO-HTTP");
 	else MIO_INFO1 (mio, "UNABLE TO START HTTS - %js\n", mio_geterrmsg(mio));

-#if 1
+#if 0
+	if (dnc)
 	{
 		mio_dns_bqr_t qrs[] = 
 		{
@ -1275,42 +1317,48 @@ for (i = 0; i < 5; i++)
 	}
 #endif

+	if (dnc)
+	{
+		mio_ntime_t x;
+		MIO_INIT_NTIME (&x, 5, 0);
+		schedule_timer_job_after (mio, &x, send_test_query, dnc);

-if (!mio_svc_dnc_resolve(dnc, "b.wild.com", MIO_DNS_RRT_A, MIO_SVC_DNC_RESOLVE_FLAG_PREFER_TCP, on_dnc_resolve, 0))
-{
-	printf ("resolve attempt failure ---> a.wild.com\n");
-}
+		if (!mio_svc_dnc_resolve(dnc, "b.wild.com", MIO_DNS_RRT_A, MIO_SVC_DNC_RESOLVE_FLAG_PREFER_TCP, on_dnc_resolve, 0))
+		{
+			printf ("resolve attempt failure ---> a.wild.com\n");
+		}
 		
-if (!mio_svc_dnc_resolve(dnc, "www.microsoft.com", MIO_DNS_RRT_CNAME, MIO_SVC_DNC_RESOLVE_FLAG_COOKIE, on_dnc_resolve, 0))
-{
-	printf ("resolve attempt failure ---> www.microsoft.com\n");
-}
+		if (!mio_svc_dnc_resolve(dnc, "www.microsoft.com", MIO_DNS_RRT_CNAME, MIO_SVC_DNC_RESOLVE_FLAG_COOKIE, on_dnc_resolve, 0))
+		{
+			printf ("resolve attempt failure ---> www.microsoft.com\n");
+		}
 		
 		
-//if (!mio_svc_dnc_resolve(dnc, "www.microsoft.com", MIO_DNS_RRT_A, MIO_SVC_DNC_RESOLVE_FLAG_BRIEF, on_dnc_resolve_brief, 0))
-if (!mio_svc_dnc_resolve(dnc, "code.miflux.com", MIO_DNS_RRT_A, MIO_SVC_DNC_RESOLVE_FLAG_BRIEF | MIO_SVC_DNC_RESOLVE_FLAG_PREFER_TCP, on_dnc_resolve_brief, 0))
-{
-	printf ("resolve attempt failure ---> code.miflux.com\n");
-}
+		//if (!mio_svc_dnc_resolve(dnc, "www.microsoft.com", MIO_DNS_RRT_A, MIO_SVC_DNC_RESOLVE_FLAG_BRIEF, on_dnc_resolve_brief, 0))
+		if (!mio_svc_dnc_resolve(dnc, "code.miflux.com", MIO_DNS_RRT_A, MIO_SVC_DNC_RESOLVE_FLAG_BRIEF | MIO_SVC_DNC_RESOLVE_FLAG_PREFER_TCP, on_dnc_resolve_brief, 0))
+		{
+			printf ("resolve attempt failure ---> code.miflux.com\n");
+		}
 		
-if (!mio_svc_dnc_resolve(dnc, "45.77.246.105.in-addr.arpa", MIO_DNS_RRT_PTR, MIO_SVC_DNC_RESOLVE_FLAG_BRIEF, on_dnc_resolve_brief, 0))
-{
-	printf ("resolve attempt failure ---> 45.77.246.105.in-addr.arpa.\n");
-}
+		if (!mio_svc_dnc_resolve(dnc, "45.77.246.105.in-addr.arpa", MIO_DNS_RRT_PTR, MIO_SVC_DNC_RESOLVE_FLAG_BRIEF, on_dnc_resolve_brief, 0))
+		{
+			printf ("resolve attempt failure ---> 45.77.246.105.in-addr.arpa.\n");
+		}
 		
-#if 0
-if (!mio_svc_dnc_resolve(dnc, "1.1.1.1.in-addr.arpa", MIO_DNS_RRT_PTR, MIO_SVC_DNC_RESOLVE_FLAG_BRIEF, on_dnc_resolve_brief, 0))
-{
-	printf ("resolve attempt failure ---> 1.1.1.1.in-addr.arpa\n");
-}
+		#if 0
+		if (!mio_svc_dnc_resolve(dnc, "1.1.1.1.in-addr.arpa", MIO_DNS_RRT_PTR, MIO_SVC_DNC_RESOLVE_FLAG_BRIEF, on_dnc_resolve_brief, 0))
+		{
+			printf ("resolve attempt failure ---> 1.1.1.1.in-addr.arpa\n");
+		}
 		
-//if (!mio_svc_dnc_resolve(dnc, "ipv6.google.com", MIO_DNS_RRT_AAAA, MIO_SVC_DNC_RESOLVE_FLAG_BRIEF, on_dnc_resolve_brief, 0))
-if (!mio_svc_dnc_resolve(dnc, "google.com", MIO_DNS_RRT_SOA, MIO_SVC_DNC_RESOLVE_FLAG_BRIEF, on_dnc_resolve_brief, 0))
-//if (!mio_svc_dnc_resolve(dnc, "google.com", MIO_DNS_RRT_NS, MIO_SVC_DNC_RESOLVE_FLAG_BRIEF, on_dnc_resolve_brief, 0))
-{
-	printf ("resolve attempt failure ---> code.miflux.com\n");
-}
-#endif
+		//if (!mio_svc_dnc_resolve(dnc, "ipv6.google.com", MIO_DNS_RRT_AAAA, MIO_SVC_DNC_RESOLVE_FLAG_BRIEF, on_dnc_resolve_brief, 0))
+		if (!mio_svc_dnc_resolve(dnc, "google.com", MIO_DNS_RRT_SOA, MIO_SVC_DNC_RESOLVE_FLAG_BRIEF, on_dnc_resolve_brief, 0))
+		//if (!mio_svc_dnc_resolve(dnc, "google.com", MIO_DNS_RRT_NS, MIO_SVC_DNC_RESOLVE_FLAG_BRIEF, on_dnc_resolve_brief, 0))
+		{
+			printf ("resolve attempt failure ---> code.miflux.com\n");
+		}
+		#endif
+	}

 #if 0
 {
@ -1342,7 +1390,7 @@ for (i = 0; i < 20; i++)

 	/* TODO: let mio close it ... dnc is svc. sck is dev. */
 	if (htts) mio_svc_htts_stop (htts);
-	mio_svc_dnc_stop (dnc);
+	if (dnc) mio_svc_dnc_stop (dnc);
 }

 	g_mio = MIO_NULL;
--- a/mio/bin/t04.c
+++ b/mio/bin/t04.c
@ -1,3 +1,4 @@
+#if defined(MIO_ENABLE_MARIADB)

 #include <mio.h>
 #include <mio-mar.h>
@ -286,3 +287,16 @@ printf ("about to close mio...\n");
 	if (mio) mio_close (mio);
 	return 0;
 }
+
+
+
+
+#else
+
+#include <stdio.h>
+int main (int argc, char* argv[])
+{
+	printf ("mariadb not enabled\n");
+	return 0;
+}
+#endif
--- a/mio/lib/dns-cli.c
+++ b/mio/lib/dns-cli.c
@ -56,6 +56,8 @@ struct mio_svc_dnc_t
 	 * regardless of max_tries. */ 
 	mio_oow_t max_tries; 

+	mio_dns_cookie_t cookie;
+
 	mio_oow_t seq;
 	mio_dns_msg_t* pending_req;
 };
@ -843,6 +845,7 @@ struct dnc_dns_msg_resolve_xtn_t
 {
 	mio_dns_rrt_t qtype;
 	int flags;
+	mio_uint8_t client_cookie[MIO_DNS_COOKIE_CLIENT_LEN];
 	mio_svc_dnc_on_resolve_t on_resolve;
 };
 typedef struct dnc_dns_msg_resolve_xtn_t dnc_dns_msg_resolve_xtn_t;
@ -857,14 +860,7 @@ static void on_dnc_resolve (mio_svc_dnc_t* dnc, mio_dns_msg_t* reqmsg, mio_errnu
 {
 	mio_t* mio = mio_svc_dnc_getmio(dnc);
 	mio_dns_pkt_info_t* pi = MIO_NULL;
-	dnc_dns_msg_resolve_xtn_t* reqmsgxtn = dnc_dns_msg_resolve_getxtn(reqmsg);
-
-	if (!(reqmsgxtn->flags & MIO_SVC_DNC_RESOLVE_FLAG_BRIEF))
-	{
-		/* the full reply packet is requested. no transformation is required */
-		if (reqmsgxtn->on_resolve) reqmsgxtn->on_resolve (dnc, reqmsg, status, data, dlen);
-		return;
-	}
+	dnc_dns_msg_resolve_xtn_t* resolxtn = dnc_dns_msg_resolve_getxtn(reqmsg);

 	if (data)
 	{
@ -879,12 +875,46 @@ static void on_dnc_resolve (mio_svc_dnc_t* dnc, mio_dns_msg_t* reqmsg, mio_errnu
 			goto no_data;
 		}

-/*
-if (pi->hdr.code == MIO_DNS_RCODE_BADCOOKIE)
-{
-// retry with server cookie received....
-}
-*/
+		if (resolxtn->flags & MIO_SVC_DNC_RESOLVE_FLAG_COOKIE)
+		{
+			/* ------------------------------------------------- */
+			if (pi->edns.cookie.client_len > 0)
+			{
+				if (MIO_MEMCMP(resolxtn->client_cookie, pi->edns.cookie.data.client, pi->edns.cookie.client_len) == 0)
+				{
+					pi->edns.cookie_verified = 1; /*  UGLY to set data in mio_dns_pkt_info_t */
+				}
+			}
+
+			if (pi->edns.cookie.server_len > 0)
+			{
+				MIO_MEMCPY (dnc->cookie.data.server, pi->edns.cookie.data.server, pi->edns.cookie.server_len);
+				dnc->cookie.server_len = pi->edns.cookie.server_len;
+			}
+	
+				
+#if 0
+			if (pi->hdr.rcode == MIO_DNS_RCODE_BADCOOKIE)
+			{
+				/* TODO: retry it */
+#if 0
+				if (mio_svc_dnc_resolve(dnc, qname, resolxtn->qtype, resolxtn->flags, on_dnc_resolve, resolxtn->xtnsize) <= -1)
+				{
+				}
+#endif
+				/*how to retry?*/
+			}
+#endif
+			/* ------------------------------------------------- */
+
+		}
+
+		if (!(resolxtn->flags & MIO_SVC_DNC_RESOLVE_FLAG_BRIEF))
+		{
+			/* the full reply packet is requested. */
+			if (resolxtn->on_resolve) resolxtn->on_resolve (dnc, reqmsg, status, pi, 0);
+			goto done;
+		}

 		if (pi->hdr.rcode != MIO_DNS_RCODE_NOERROR) 
 		{
@ -895,7 +925,7 @@ if (pi->hdr.code == MIO_DNS_RCODE_BADCOOKIE)
 		if (pi->ancount < 0) goto no_data;

 		/* in the brief mode, we inspect the answer section only */
-		if (reqmsgxtn->qtype == MIO_DNS_RRT_Q_ANY)
+		if (resolxtn->qtype == MIO_DNS_RRT_Q_ANY)
 		{
 			/* return A or AAAA for ANY in the brief mode */
 			for (i = 0; i < pi->ancount; i++)
@ -903,7 +933,7 @@ if (pi->hdr.code == MIO_DNS_RCODE_BADCOOKIE)
 				if (pi->rr.an[i].rrtype == MIO_DNS_RRT_A || pi->rr.an[i].rrtype == MIO_DNS_RRT_AAAA)
 				{
 				match_found:
-					if (reqmsgxtn->on_resolve) reqmsgxtn->on_resolve (dnc, reqmsg, status, &pi->rr.an[i], MIO_SIZEOF(pi->rr.an[i]));
+					if (resolxtn->on_resolve) resolxtn->on_resolve (dnc, reqmsg, status, &pi->rr.an[i], MIO_SIZEOF(pi->rr.an[i]));
 					goto done;
 				}
 			}
@ -914,7 +944,7 @@ if (pi->hdr.code == MIO_DNS_RCODE_BADCOOKIE)
 			/* it is a bit time taking to retreive the query type from the packet
 			 * bundled in reqmsg as it requires parsing of the packet. let me use
 			 * the query type i stored in the extension space. */
-			switch (reqmsgxtn->qtype)
+			switch (resolxtn->qtype)
 			{
 				case MIO_DNS_RRT_Q_ANY: 
 				case MIO_DNS_RRT_Q_AFXR: /* AFXR doesn't make sense in the brief mode. just treat it like ANY */
@ -933,7 +963,7 @@ if (pi->hdr.code == MIO_DNS_RCODE_BADCOOKIE)
 					break;

 				default:
-					if (pi->rr.an[i].rrtype == reqmsgxtn->qtype) goto match_found;
+					if (pi->rr.an[i].rrtype == resolxtn->qtype) goto match_found;
 					break;
 			}
 		}
@ -942,7 +972,7 @@ if (pi->hdr.code == MIO_DNS_RCODE_BADCOOKIE)
 	else
 	{
 	no_data:
-		if (reqmsgxtn->on_resolve) reqmsgxtn->on_resolve (dnc, reqmsg, status, MIO_NULL, 0);
+		if (resolxtn->on_resolve) resolxtn->on_resolve (dnc, reqmsg, status, MIO_NULL, 0);
 	}

 done:
@ -988,10 +1018,10 @@ mio_dns_msg_t* mio_svc_dnc_resolve (mio_svc_dnc_t* dnc, const mio_bch_t* qname,

 	if (resolve_flags & MIO_SVC_DNC_RESOLVE_FLAG_COOKIE)
 	{
-		static mio_uint8_t dummy[48];
 		beopt_cookie.code = MIO_DNS_EOPT_COOKIE;
-		beopt_cookie.dlen = MIO_COUNTOF(dummy);
-		beopt_cookie.dptr = dummy;
+		beopt_cookie.dlen = MIO_DNS_COOKIE_CLIENT_LEN; 
+		if (dnc->cookie.server_len > 0) beopt_cookie.dlen += dnc->cookie.server_len;
+		beopt_cookie.dptr = &dnc->cookie.data;

 		qedns.beonum = 1;
 		qedns.beoptr = &beopt_cookie;
@ -1002,9 +1032,12 @@ mio_dns_msg_t* mio_svc_dnc_resolve (mio_svc_dnc_t* dnc, const mio_bch_t* qname,
 	{
 		int send_flags;

-		if (resolve_flags & MIO_SVC_DNC_RESOLVE_FLAG_COOKIE)
+#if 0
+		if ((resolve_flags & MIO_SVC_DNC_RESOLVE_FLAG_COOKIE) && dnc->cookie.server_len == 0)
 		{
-			/* ASSUMPTIONS:
+			/* Exclude the server cookie from the packet when the server cookie is not available.
+			 *
+			 * ASSUMPTIONS:
 			 *  the eopt entries are at the back of the packet.
 			 *  only 1 eopt entry(MIO_DNS_EOPT_COOKIE) has been added. 
 			 * 
@ -1014,25 +1047,25 @@ mio_dns_msg_t* mio_svc_dnc_resolve (mio_svc_dnc_t* dnc, const mio_bch_t* qname,
 			mio_dns_rrtr_t* edns_rrtr;
 			mio_dns_eopt_t* eopt;

-/* TODO: generate the client cookie and copy it */
-/* if the server cookie is available, copy it to the packet. but the server cookike may still be shorter than 40. so some manipulation is still needed
- * if not, manipualte the length like below */
 			edns_rrtr = (mio_dns_rrtr_t*)((mio_uint8_t*)mio_dns_msg_to_pkt(reqmsg) + reqmsg->ednsrrtroff);
-			reqmsg->pktlen -= 40; /* maximum server cookie space */
+			reqmsg->pktlen -= MIO_DNS_COOKIE_SERVER_MAX_LEN;

 			MIO_ASSERT (dnc->mio, edns_rrtr->rrtype == MIO_CONST_HTON16(MIO_DNS_RRT_OPT));
-			MIO_ASSERT (dnc->mio, edns_rrtr->dlen == MIO_CONST_HTON16(52));
+			MIO_ASSERT (dnc->mio, edns_rrtr->dlen == MIO_CONST_HTON16(MIO_SIZEOF(mio_dns_eopt_t) + MIO_DNS_COOKIE_MAX_LEN));
+			edns_rrtr->dlen = MIO_CONST_HTON16(MIO_SIZEOF(mio_dns_eopt_t) + MIO_DNS_COOKIE_CLIENT_LEN);

-			edns_rrtr->dlen = MIO_CONST_HTON16(12);
 			eopt = (mio_dns_eopt_t*)(edns_rrtr + 1);
-			MIO_ASSERT (dnc->mio, eopt->dlen == MIO_CONST_HTON16(48));
-			eopt->dlen = MIO_CONST_HTON16(8);
+			MIO_ASSERT (dnc->mio, eopt->dlen == MIO_CONST_HTON16(MIO_DNS_COOKIE_MAX_LEN));
+			eopt->dlen = MIO_CONST_HTON16(MIO_DNS_COOKIE_CLIENT_LEN);
 		}
+#endif

 		resolxtn = dnc_dns_msg_resolve_getxtn(reqmsg);
 		resolxtn->on_resolve = on_resolve;
 		resolxtn->qtype = qtype;
 		resolxtn->flags = resolve_flags;
+		/* store in the extension area the client cookie set in the packet */
+		MIO_MEMCPY (resolxtn->client_cookie, dnc->cookie.data.client, MIO_DNS_COOKIE_CLIENT_LEN);

 		send_flags = (resolve_flags & MIO_SVC_DNC_SEND_FLAG_ALL);
 		if (MIO_UNLIKELY(qtype == MIO_DNS_RRT_Q_AFXR)) send_flags |= MIO_SVC_DNC_SEND_FLAG_PREFER_TCP;
--- a/mio/lib/dns.c
+++ b/mio/lib/dns.c
@ -277,7 +277,9 @@ static int parse_answer_rr (mio_t* mio, mio_dns_rr_part_t rr_part, mio_oow_t pos
 			*/

 			/* TODO: do i need to check if rrname is <ROOT>? */
-			pi->edns.exist = 1;
+			/* TODO: do i need to check if rr_part  is MIO_DNS_RR_PART_ADDITIONAL? the OPT pseudo-RR may exist in the ADDITIONAL section only */
+			/* TODO: do i need to check if there is more than 1 OPT RRs */
+			pi->edns.exist++; /* you may treat this as the number of OPT RRs */
 			pi->edns.uplen = mio_ntoh16(rrtr->rrclass);
 			pi->hdr.rcode |= (rrtr->ttl >> 24);
 			pi->edns.version = (rrtr->ttl >> 16) & 0xFF;
@ -295,8 +297,26 @@ static int parse_answer_rr (mio_t* mio, mio_dns_rr_part_t rr_part, mio_oow_t pos

 				if (eopt->code == MIO_CONST_HTON16(MIO_DNS_EOPT_COOKIE))
 				{
-					if (eopt_len < 8) goto oops; /* the client cookie must be 8 bytes */
-					/* TODO: dns cookies */
+					if (eopt_len == MIO_DNS_COOKIE_CLIENT_LEN)
+					{
+						/* client cookie only */
+						MIO_MEMCPY (pi->edns.cookie.data.client, eopt + 1, eopt_len);
+						pi->edns.cookie.client_len = eopt_len;
+						pi->edns.cookie.server_len = 0;
+					}
+					else if (eopt_len >= (MIO_DNS_COOKIE_CLIENT_LEN + MIO_DNS_COOKIE_SERVER_MIN_LEN) &&
+					         eopt_len <= (MIO_DNS_COOKIE_CLIENT_LEN + MIO_DNS_COOKIE_SERVER_MAX_LEN))
+					{
+						/* both client and server cookie */
+						MIO_MEMCPY (&pi->edns.cookie.data, eopt + 1, eopt_len);
+						pi->edns.cookie.client_len = MIO_DNS_COOKIE_CLIENT_LEN;
+						pi->edns.cookie.server_len = eopt_len - MIO_DNS_COOKIE_CLIENT_LEN;
+					}
+					else
+					{
+						/* wrong cookie length */
+						goto oops;
+					}
 				}

 				eopt_tot_len -= MIO_SIZEOF(mio_dns_eopt_t) + eopt_len;
--- a/mio/lib/mio-dns.h
+++ b/mio/lib/mio-dns.h
@ -414,6 +414,29 @@ typedef enum mio_svc_dnc_resolve_flag_t  mio_svc_dnc_resolve_flag_t;

 /* ---------------------------------------------------------------- */

+#define MIO_DNS_COOKIE_CLIENT_LEN (8)
+#define MIO_DNS_COOKIE_SERVER_MIN_LEN (16)
+#define MIO_DNS_COOKIE_SERVER_MAX_LEN (40)
+#define MIO_DNS_COOKIE_MAX_LEN (MIO_DNS_COOKIE_CLIENT_LEN + MIO_DNS_COOKIE_SERVER_MAX_LEN)
+
+typedef struct mio_dns_cookie_data_t mio_dns_cookie_data_t;
+#include <mio-pac1.h>
+struct mio_dns_cookie_data_t
+{
+	mio_uint8_t client[MIO_DNS_COOKIE_CLIENT_LEN];
+	mio_uint8_t server[MIO_DNS_COOKIE_SERVER_MAX_LEN];
+};
+#include <mio-upac.h>
+
+typedef struct mio_dns_cookie_t mio_dns_cookie_t;
+struct mio_dns_cookie_t
+{
+	mio_dns_cookie_data_t data;
+	mio_uint8_t client_len;
+	mio_uint8_t server_len;
+};
+
+/* ---------------------------------------------------------------- */

 struct mio_dns_pkt_info_t
 {
@ -433,6 +456,8 @@ struct mio_dns_pkt_info_t
 		mio_uint16_t uplen; /* udp payload len - will be placed in the qclass field of RR. */
 		mio_uint8_t  version; 
 		mio_uint8_t  dnssecok;
+		mio_dns_cookie_t cookie;
+		int cookie_verified; /* UGLY: set via mio_svc_dnc_resolve() only. mio_dns_make_packet_info() doesn't set this */
 	} edns;

 	mio_uint16_t qdcount; /* number of questions */
@ -447,6 +472,7 @@ struct mio_dns_pkt_info_t
 		mio_dns_brr_t* ns;
 		mio_dns_brr_t* ar;
 	} rr;
+
 };
 typedef struct mio_dns_pkt_info_t mio_dns_pkt_info_t;