Diffstat (limited to 'services')
-rw-r--r--services/authzone.c5
-rw-r--r--services/listen_dnsport.c18
-rw-r--r--services/mesh.c4
-rw-r--r--services/outside_network.c25
-rw-r--r--services/outside_network.h4
5 files changed, 38 insertions, 18 deletions
diff --git a/services/authzone.c b/services/authzone.c
index 1f56ac8cfc87..7ec280bafd92 100644
--- a/services/authzone.c
+++ b/services/authzone.c
@@ -3425,14 +3425,17 @@ xfr_process_notify(struct auth_xfer* xfr, struct module_env* env,
{
/* if the serial of notify is older than we have, don't fetch
* a zone, we already have it */
- if(has_serial && !xfr_serial_means_update(xfr, serial))
+ if(has_serial && !xfr_serial_means_update(xfr, serial)) {
+ lock_basic_unlock(&xfr->lock);
return;
+ }
/* start new probe with this addr src, or note serial */
if(!xfr_start_probe(xfr, env, fromhost)) {
/* not started because already in progress, note the serial */
xfr_note_notify_serial(xfr, has_serial, serial);
lock_basic_unlock(&xfr->lock);
}
+ /* successful end of start_probe unlocked xfr->lock */
}
int auth_zones_notify(struct auth_zones* az, struct module_env* env,
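Review bot: The locking contract of xfr_process_notify is only discoverable from the trailing comment: `xfr->lock` has to be released on every path, and the release is split between this function (the early return and the probe-not-started branch) and xfr_start_probe on success. The path fixed here returned with the lock still held, and per the comment above it that path is taken for a NOTIFY whose serial is older than the stored one, so a single such message could leave the zone's transfer state locked. The function's doc comment should state the contract, for example `* xfr->lock is held on entry and is released on all paths before return.` A matching line on xfr_start_probe, whose definition is outside this hunk, would keep the two halves of the contract in step.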
diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c
index 6639fd3fc5cf..a6922888aa49 100644
--- a/services/listen_dnsport.c
+++ b/services/listen_dnsport.c
@@ -1059,7 +1059,7 @@ set_recvpktinfo(int s, int family)
/** see if interface is ssl, its port number == the ssl port number */
static int
if_is_ssl(const char* ifname, const char* port, int ssl_port,
- struct config_strlist* additional_tls_port)
+ struct config_strlist* tls_additional_ports)
{
struct config_strlist* s;
char* p = strchr(ifname, '@');
@@ -1067,7 +1067,7 @@ if_is_ssl(const char* ifname, const char* port, int ssl_port,
return 1;
if(p && atoi(p+1) == ssl_port)
return 1;
- for(s = additional_tls_port; s; s = s->next) {
+ for(s = tls_additional_ports; s; s = s->next) {
if(p && atoi(p+1) == atoi(s->str))
return 1;
if(!p && atoi(port) == atoi(s->str))
@@ -1089,7 +1089,7 @@ if_is_ssl(const char* ifname, const char* port, int ssl_port,
* @param rcv: receive buffer size for UDP
* @param snd: send buffer size for UDP
* @param ssl_port: ssl service port number
- * @param additional_tls_port: list of additional ssl service port numbers.
+ * @param tls_additional_ports: list of additional ssl service port numbers.
* @param reuseport: try to set SO_REUSEPORT if nonNULL and true.
* set to false on exit if reuseport failed due to no kernel support.
* @param transparent: set IP_TRANSPARENT socket option.
@@ -1103,7 +1103,7 @@ static int
ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
struct addrinfo *hints, const char* port, struct listen_port** list,
size_t rcv, size_t snd, int ssl_port,
- struct config_strlist* additional_tls_port, int* reuseport,
+ struct config_strlist* tls_additional_ports, int* reuseport,
int transparent, int tcp_mss, int freebind, int use_systemd,
int dnscrypt_port)
{
@@ -1170,7 +1170,7 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
}
if(do_tcp) {
int is_ssl = if_is_ssl(ifname, port, ssl_port,
- additional_tls_port);
+ tls_additional_ports);
if((s = make_sock_port(SOCK_STREAM, ifname, port, hints, 1,
&noip6, 0, 0, reuseport, transparent, tcp_mss,
freebind, use_systemd)) == -1) {
@@ -1356,7 +1356,7 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
do_auto, cfg->do_udp, do_tcp,
&hints, portbuf, &list,
cfg->so_rcvbuf, cfg->so_sndbuf,
- cfg->ssl_port, cfg->additional_tls_port,
+ cfg->ssl_port, cfg->tls_additional_ports,
reuseport, cfg->ip_transparent,
cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
cfg->dnscrypt_port)) {
@@ -1370,7 +1370,7 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
do_auto, cfg->do_udp, do_tcp,
&hints, portbuf, &list,
cfg->so_rcvbuf, cfg->so_sndbuf,
- cfg->ssl_port, cfg->additional_tls_port,
+ cfg->ssl_port, cfg->tls_additional_ports,
reuseport, cfg->ip_transparent,
cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
cfg->dnscrypt_port)) {
@@ -1386,7 +1386,7 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
if(!ports_create_if(cfg->ifs[i], 0, cfg->do_udp,
do_tcp, &hints, portbuf, &list,
cfg->so_rcvbuf, cfg->so_sndbuf,
- cfg->ssl_port, cfg->additional_tls_port,
+ cfg->ssl_port, cfg->tls_additional_ports,
reuseport, cfg->ip_transparent,
cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
cfg->dnscrypt_port)) {
@@ -1400,7 +1400,7 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
if(!ports_create_if(cfg->ifs[i], 0, cfg->do_udp,
do_tcp, &hints, portbuf, &list,
cfg->so_rcvbuf, cfg->so_sndbuf,
- cfg->ssl_port, cfg->additional_tls_port,
+ cfg->ssl_port, cfg->tls_additional_ports,
reuseport, cfg->ip_transparent,
cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
cfg->dnscrypt_port)) {
diff --git a/services/mesh.c b/services/mesh.c
index 3027cef00900..41aba74ab260 100644
--- a/services/mesh.c
+++ b/services/mesh.c
@@ -1173,6 +1173,10 @@ void mesh_query_done(struct mesh_state* mstate)
while((c = mstate->cb_list) != NULL) {
/* take this cb off the list; so that the list can be
* changed, eg. by adds from the callback routine */
+ if(!mstate->reply_list && mstate->cb_list && !c->next) {
+ /* was a reply state, not anymore */
+ mstate->s.env->mesh->num_reply_states--;
+ }
mstate->cb_list = c->next;
if(!mstate->reply_list && !mstate->cb_list &&
mstate->super_set.count == 0)
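Review bot: The added decrement of `num_reply_states` has no check that the counter is still above zero, and the `mstate->cb_list` term in the condition is always true at this point because the loop only runs while `c = mstate->cb_list` is non-NULL. If the counter is unsigned and is compared against a reply-state limit (neither is visible in this hunk), one double-counted path would wrap it and distort that limit. Consider `log_assert(mstate->s.env->mesh->num_reply_states > 0);` before the decrement and simplifying the test to `if(!mstate->reply_list && !c->next)`. The loop body continues past the end of the hunk.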
diff --git a/services/outside_network.c b/services/outside_network.c
index 63dfe4961183..5700ef8a95e5 100644
--- a/services/outside_network.c
+++ b/services/outside_network.c
@@ -1301,8 +1301,8 @@ pending_tcp_query(struct serviced_query* sq, sldns_buffer* packet,
w->ssl_upstream = sq->ssl_upstream;
w->tls_auth_name = sq->tls_auth_name;
#ifndef S_SPLINT_S
- tv.tv_sec = timeout;
- tv.tv_usec = 0;
+ tv.tv_sec = timeout/1000;
+ tv.tv_usec = (timeout%1000)*1000;
#endif
comm_timer_set(w->timer, &tv);
if(pend) {
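Review bot: The switch of `timeout` from seconds to milliseconds is invisible at call sites, so a caller that still passes seconds compiles cleanly and arms a timer roughly a thousand times shorter than intended. Only serviced_tcp_send is converted in this diff; other callers of pending_tcp_query and the definition of TCP_AUTH_QUERY_TIMEOUT are outside this view and should be confirmed to be in milliseconds. The conversion also assumes a non-negative value, since a negative `timeout` yields a negative `tv_usec`; `log_assert(timeout >= 0);` before the two assignments would make that assumption explicit. The function body starts and ends outside the hunk.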
@@ -1812,7 +1812,12 @@ serviced_tcp_callback(struct comm_point* c, void* arg, int error,
}
if(sq->tcp_upstream || sq->ssl_upstream) {
struct timeval now = *sq->outnet->now_tv;
- if(now.tv_sec > sq->last_sent_time.tv_sec ||
+ if(error!=NETEVENT_NOERROR) {
+ if(!infra_rtt_update(sq->outnet->infra, &sq->addr,
+ sq->addrlen, sq->zone, sq->zonelen, sq->qtype,
+ -1, sq->last_rtt, (time_t)now.tv_sec))
+ log_err("out of memory in TCP exponential backoff.");
+ } else if(now.tv_sec > sq->last_sent_time.tv_sec ||
(now.tv_sec == sq->last_sent_time.tv_sec &&
now.tv_usec > sq->last_sent_time.tv_usec)) {
/* convert from microseconds to milliseconds */
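Review bot: The new `error!=NETEVENT_NOERROR` branch records a timeout (`-1`) against the upstream for every kind of failure, not only for an expired timer. If some error codes can originate locally, such as a failed connect or exhausted buffers (the codes are defined outside this hunk), the server's backoff grows for faults that are not its own, which may steer queries away from a healthy TCP or TLS upstream. Consider limiting the penalty to the timeout and connection-closed cases, or add a comment stating that all errors are meant to count. The inner `if(!infra_rtt_update(...)) log_err(...);` would also be safer with braces, given the `else if` that follows it.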
@@ -1822,7 +1827,7 @@ serviced_tcp_callback(struct comm_point* c, void* arg, int error,
log_assert(roundtime >= 0);
/* only store if less then AUTH_TIMEOUT seconds, it could be
* huge due to system-hibernated and we woke up */
- if(roundtime < TCP_AUTH_QUERY_TIMEOUT*1000) {
+ if(roundtime < 60000) {
if(!infra_rtt_update(sq->outnet->infra, &sq->addr,
sq->addrlen, sq->zone, sq->zonelen, sq->qtype,
roundtime, sq->last_rtt, (time_t)now.tv_sec))
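Review bot: The literal `60000` replaces a named constant and leaves the comment above it stale. That comment still reads "less then AUTH_TIMEOUT seconds", while the bound is now a fixed 60 seconds expressed in milliseconds and no longer follows TCP_AUTH_QUERY_TIMEOUT. A named constant, or at least rewording the comment to `/* only store if less than 60 seconds (60000 msec), it could be huge due to system-hibernated and we woke up */`, would keep the bound and its rationale together.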
@@ -1863,18 +1868,26 @@ serviced_tcp_initiate(struct serviced_query* sq, sldns_buffer* buff)
static int
serviced_tcp_send(struct serviced_query* sq, sldns_buffer* buff)
{
- int vs, rtt;
+ int vs, rtt, timeout;
uint8_t edns_lame_known;
if(!infra_host(sq->outnet->infra, &sq->addr, sq->addrlen, sq->zone,
sq->zonelen, *sq->outnet->now_secs, &vs, &edns_lame_known,
&rtt))
return 0;
+ sq->last_rtt = rtt;
if(vs != -1)
sq->status = serviced_query_TCP_EDNS;
else sq->status = serviced_query_TCP;
serviced_encode(sq, buff, sq->status == serviced_query_TCP_EDNS);
sq->last_sent_time = *sq->outnet->now_tv;
- sq->pending = pending_tcp_query(sq, buff, TCP_AUTH_QUERY_TIMEOUT,
+ if(sq->tcp_upstream || sq->ssl_upstream) {
+ timeout = rtt;
+ if(rtt >= 376 && rtt < TCP_AUTH_QUERY_TIMEOUT)
+ timeout = TCP_AUTH_QUERY_TIMEOUT;
+ } else {
+ timeout = TCP_AUTH_QUERY_TIMEOUT;
+ }
+ sq->pending = pending_tcp_query(sq, buff, timeout,
serviced_tcp_callback, sq);
return sq->pending != NULL;
}
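Review bot: In the `tcp_upstream`/`ssl_upstream` branch, `timeout = rtt` has no lower bound, so a small value from infra_host becomes the entire budget for TCP connect, TLS handshake and reply. Whether infra_host already enforces a floor is not visible here; if it does not, a clamp such as `if(timeout < MIN_TCP_TIMEOUT_MS) timeout = MIN_TCP_TIMEOUT_MS;` (the constant name is a placeholder) would prevent spurious timeouts that then feed the new backoff path in serviced_tcp_callback. The literal `376` is also unexplained and should get a named constant or a comment saying which infra state it marks. A one-line comment that `timeout` is in milliseconds would help, since the variable is passed to pending_tcp_query where the unit just changed.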
diff --git a/services/outside_network.h b/services/outside_network.h
index 105f7651363f..01a307417eac 100644
--- a/services/outside_network.h
+++ b/services/outside_network.h
@@ -376,7 +376,7 @@ struct serviced_query {
int retry;
/** time last UDP was sent */
struct timeval last_sent_time;
- /** rtt of last (UDP) message */
+ /** rtt of last message */
int last_rtt;
/** do we know edns probe status already, for UDP_EDNS queries */
int edns_lame_known;
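Review bot: The neighbouring comment `/** time last UDP was sent */` on `last_sent_time` is now out of step with the changed one. serviced_tcp_send in this commit's outside_network.c context assigns `sq->last_sent_time` for TCP as well, and the round-trip time derived from it is stored. Suggest `/** time last message was sent */`, and stating the unit on the changed line, e.g. `/** rtt of last message, in msec */`, if that matches what infra_host returns. The struct definition starts and ends outside the hunk.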
@@ -456,7 +456,7 @@ struct pending* pending_udp_query(struct serviced_query* sq,
* checks id.
* @param sq: serviced query.
* @param packet: wireformat query to send to destination. copied from.
- * @param timeout: in seconds from now.
+ * @param timeout: in milliseconds from now.
* Timer starts running now. Timer may expire if all buffers are used,
* without any query been sent to the server yet.
* @param callback: function to call on error, timeout or reply.