From: "flichtenheld (Code Review)"
Date: Tue, 12 Sep 2023 10:47:12 +0000
Subject: [Openvpn-devel] [M] Change in openvpn[master]: dns option: make server id/priority optional
X-Patchwork-Submitter: "plaisthos (Code Review)"
X-Patchwork-Id: 3345
X-Gerrit-PatchSet: 5
X-Gerrit-Change-Number: 40
X-Gerrit-Commit: 2bd6adfdfcd22edc0b9839e92a199157ff8ac785

Attention is currently required from: flichtenheld, plaisthos. d12fk has uploaded this change for review.
( http://gerrit.openvpn.net/c/openvpn/+/40?usp=email ) Change subject: dns option: make server id/priority optional ...................................................................... dns option: make server id/priority optional With the discovery that most of the time only one DNS server's settings can be applied on various systems, the priority value will likely serve no purpose most of the time. This is to make it optional to give a --dns server priority, for cases where you only specify one DNS server anyway. We keep the priority because it still serves the case where you want to override pushed server settings with local ones and when you run backends which do support multiple server's settings like dnsmasq(8). Change-Id: I1f97d8e5ae8f049d72db5c12ce627f601d87505c Signed-off-by: Heiko Hund --- M doc/man-sections/client-options.rst M src/openvpn/dns.c M src/openvpn/dns.h M src/openvpn/options.c 4 files changed, 37 insertions(+), 28 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/40/40/5 diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst index 4555534..df8ac43 100644 --- a/doc/man-sections/client-options.rst +++ b/doc/man-sections/client-options.rst @@ -168,11 +168,11 @@ :: dns search-domains domain [domain ...] - dns server n address addr[:port] [addr[:port] ...] - dns server n resolve-domains domain [domain ...] - dns server n dnssec yes|optional|no - dns server n transport DoH|DoT|plain - dns server n sni server-name + dns server [n] address addr[:port] [addr[:port] ...] + dns server [n] resolve-domains domain [domain ...] + dns server [n] dnssec yes|optional|no + dns server [n] transport DoH|DoT|plain + dns server [n] sni server-name The ``--dns search-domains`` directive takes one or more domain names to be added as DNS domain suffixes. If it is repeated multiple times within 
@@ -180,6 +180,7 @@ a server will amend locally defined ones. The ``--dns server`` directive is used to configure DNS server ``n``. + If the ``n`` parameter is omitted the directive configures DNS server ``0``. The server id ``n`` must be a value between -128 and 127. For pushed DNS server options it must be between 0 and 127. The server id is used to group options and also for ordering the list of configured DNS servers; diff --git a/src/openvpn/dns.c b/src/openvpn/dns.c index 51fca2f..5f5e06b 100644 --- a/src/openvpn/dns.c +++ b/src/openvpn/dns.c @@ -159,13 +159,18 @@ } bool -dns_server_priority_parse(long *priority, const char *str, bool pulled) +dns_server_priority_parse(long *priority, size_t *subidx, const char *str, bool pulled) { char *endptr; const long min = pulled ? 0 : INT8_MIN; const long max = INT8_MAX; long prio = strtol(str, &endptr, 10); - if (*endptr != '\0' || prio < min || prio > max) + if (endptr == str) + { + /* No priority found, str isn't numeric */ + *subidx -= 1; + } + else if (*endptr != '\0' || prio < min || prio > max) { return false; } diff --git a/src/openvpn/dns.h b/src/openvpn/dns.h index e497857..d0258f7 100644 --- a/src/openvpn/dns.h +++ b/src/openvpn/dns.h @@ -78,11 +78,13 @@ * Parses a string DNS server priority and validates it. * * @param priority Pointer to where the priority should be stored + * @param subidx Pointer to the sub-option index, decremented if no + * priority value could be found * @param str Priority string to parse * @param pulled Whether this was pulled from a server * @return True if priority in string is valid */ -bool dns_server_priority_parse(long *priority, const char *str, bool pulled); +bool dns_server_priority_parse(long *priority, size_t *subidx, const char *str, bool pulled); /** * Find or create DNS server with priority in a linked list. diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 3e0cb62..ea69ea7 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -510,7 +510,7 @@ " ignore or reject causes the option to be allowed, removed or\n" " rejected with error. May be specified multiple times, and\n" " each filter is applied in the order of appearance.\n" - "--dns server
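Review bot: the sentence added in the @@ -180 hunk of doc/man-sections/client-options.rst says an omitted `n` configures DNS server `0`, but it does not say that the same default applies to pushed `--dns server` directives. The parser change in dns.c takes the no-number path regardless of `pulled`, and the paragraph states that the id is used to group options, so a local directive without an id and a pushed directive without an id land in the same server entry. Please add a sentence saying so, and that a local configuration meant to override or stay separate from pushed settings still needs an explicit `n`.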
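Review bot: in the src/openvpn/dns.c hunk, the new `if (endptr == str)` branch of dns_server_priority_parse() does `*subidx -= 1;` on a `size_t` with no check that the value is non-zero, and it leaves the priority to whatever strtol() returned when it consumed nothing. strtol() does return 0 in that case, which matches the documented default, but the function should assign that 0 explicitly rather than rely on it, and should either assert `*subidx > 0` or report "no priority present" through a separate out-parameter so the caller adjusts its own index. Note also that an empty string and a lone sign character such as `-` take this branch, so a mistyped id is passed on as a sub-option keyword and the user gets an error about an unknown sub-option rather than an invalid priority; a test covering `""`, `"-"`, `"1x"` and a keyword such as `"address"` would pin the intended behaviour down.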
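Review bot: in the src/openvpn/dns.h hunk, the `@return` line still reads "True if priority in string is valid", which no longer describes the function, since the dns.c change stops returning false when the string contains no number at all. Please update the comment to say that a non-numeric `str` is accepted, which value `*priority` receives in that case, and that `subidx` is an in/out parameter that must point at an index greater than zero.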