[Cerowrt-devel] Fwd: [Dnsmasq-discuss] Announce: dnsmasq-2.73
Dave Taht
dave.taht at gmail.com
Sun Jun 14 17:48:43 EDT 2015
:whew:
for a while there I was thinking this would never ship.
That said, no doubt more DNSSEC breakage is in our futures with NAT64, etc.
My hat off to simon and his crew to working so hard on making this
release the best release of dnsmasq ever!
(no, my last build did not have this version)
---------- Forwarded message ----------
From: Simon Kelley <simon at thekelleys.org.uk>
Date: Sun, Jun 14, 2015 at 1:24 PM
Subject: [Dnsmasq-discuss] Announce: dnsmasq-2.73
To: "dnsmasq-discuss at lists.thekelleys.org.uk"
<dnsmasq-discuss at lists.thekelleys.org.uk>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
After many delays and tribulations, I've just released dnsmasq-2.73
Get it here: http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.73.tar.gz
Release notes are below.
Cheers,
Simon.
-
---------------------------------------------------------------------------------------------
version 2.73
Fix crash at startup when an empty suffix is supplied to
--conf-dir, also trivial memory leak. Thanks to
Tomas Hozza for spotting this.
Remove floor of 4096 on advertised EDNS0 packet size when
DNSSEC in use, the original rationale for this has long
gone.
Thanks to Anders Kaseorg for spotting this.
Use inotify for checking on updates to /etc/resolv.conf and
friends under Linux. This fixes race conditions when the
files are updated rapidly and saves CPU by not polling. To
build a binary that runs on old Linux kernels without
inotify, use make COPTS=-DNO_INOTIFY
Fix breakage of --domain=<domain>,<subnet>,local - only
reverse queries were intercepted. THis appears to have been
broken since 2.69. Thanks to Josh Stone for finding the bug.
Eliminate IPv6 privacy addresses and deprecated addresses
from the answers given by --interface-name. Note that
reverse queries (ie looking for names, given addresses) are
not affected.
Thanks to Michael Gorbach for the suggestion.
Fix crash in DNSSEC code with long RRs. Thanks to Marco
Davids for the bug report.
Add --ignore-address option. Ignore replies to A-record
queries which include the specified address. No error is
generated, dnsmasq simply continues to listen for another
reply. This is useful to defeat blocking strategies which
rely on quickly supplying a forged answer to a DNS
request for certain domains, before the correct answer can
arrive. Thanks to Glen Huang for the patch.
Revisit the part of DNSSEC validation which determines if
an unsigned answer is legit, or is in some part of the DNS
tree which should be signed. Dnsmasq now works from the
DNS root downward looking for the limit of signed
delegations, rather than working bottom up. This is
both more correct, and less likely to trip over broken
nameservers in the unsigned parts of the DNS tree
which don't respond well to DNSSEC queries.
Add --log-queries=extra option, which makes logs easier
to search automatically.
Add --min-cache-ttl option. I've resisted this for a long
time, on the grounds that disbelieving TTLs is never a
good idea, but I've been persuaded that there are
sometimes reasons to do it. (Step forward, GFW).
To avoid misuse, there's a hard limit on the TTL
floor of one hour. Thansk to RinSatsuki for the patch.
Cope with multiple interfaces with the same link-local
address. (IPv6 addresses are scoped, so this is allowed.)
Thanks to Cory Benfield for help with this.
Add --dhcp-hostsdir. This allows addition of new host
configurations to a running dnsmasq instance much more
cheaply than having dnsmasq re-read all its existing
configuration each time.
Don't reply to DHCPv6 SOLICIT messages if we're not
configured to do stateful DHCPv6. Thanks to Win King Wan
for the patch.
Fix broken DNSSEC validation of ECDSA signatures.
Add --dnssec-timestamp option, which provides an automatic
way to detect when the system time becomes valid after
boot on systems without an RTC, whilst allowing DNS
queries before the clock is valid so that NTP can run.
Thanks to Kevin Darbyshire-Bryant for developing this idea.
Add --tftp-no-fail option. Thanks to Stefan Tomanek for
the patch.
Fix crash caused by looking up servers.bind, CHAOS text
record, when more than about five --servers= lines are
in the dnsmasq config. This causes memory corruption
which causes a crash later. Thanks to Matt Coddington for
sterling work chasing this down.
Fix crash on receipt of certain malformed DNS requests.
Thanks to Nick Sampanis for spotting the problem.
Note that this is could allow the dnsmasq process's
memory to be read by an attacker under certain
circumstances, so it has a CVE, CVE-2015-3294
Fix crash in authoritative DNS code, if a .arpa zone
is declared as authoritative, and then a PTR query which
is not to be treated as authoritative arrived. Normally,
directly declaring .arpa zone as authoritative is not
done, so this crash wouldn't be seen. Instead the
relevant .arpa zone should be specified as a subnet
in the auth-zone declaration. Thanks to Johnny S. Lee
for the bugreport and initial patch.
Fix authoritative DNS code to correctly reply to NS
and SOA queries for .arpa zones for which we are
declared authoritative by means of a subnet in auth-zone.
Previously we provided correct answers to PTR queries
in such zones (including NS and SOA) but not direct
NS and SOA queries. Thanks to Johnny S. Lee for
pointing out the problem.
Fix logging of DHCPREPLY which should be suppressed
by quiet-dhcp6. Thanks to J. Pablo Abonia for
spotting the problem.
Try and handle net connections with broken fragmentation
that lose large UDP packets. If a server times out,
reduce the maximum UDP packet size field in the EDNS0
header to 1280 bytes. If it then answers, make that
change permanent.
Check IPv4-mapped IPv6 addresses when --stop-rebind
is active. Thanks to Jordan Milne for spotting this.
Allow DHCPv4 options T1 and T2 to be set using --dhcp-
option.
Thanks to Kevin Benton for patches and work on this.
Fix code for DHCPCONFIRM DHCPv6 messages to confirm
addresses in the correct subnet, even of not in dynamic
address allocation range. Thanks to Steve Hirsch for
spotting the problem.
Add AddDhcpLease and DeleteDhcpLease DBus methods. Thanks
to Nicolas Cavallari for the patch.
Allow configuration of router advertisements without the
"on-link" bit set. Thanks to Neil Jerram for the patch.
Extend --bridge-interface to DHCPv6 and router
advertisements. Thanks to Neil Jerram for the patch.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJVfeMUAAoJEBXN2mrhkTWiJO8P/26+Rss1+LtO+TysyeK0QwN1
B1b15byVyQdAYNXk5SpjPzFaeTb0Oal+yfTAWyVBoKBGHaZp4TN28EaTxfbnXuAX
nlYimUcdv6VOfuQvXjsJDLZlWgBmE43JgTTo2iR6vPt0mF2Y1+xbGlMrSip64/1v
A0DGszCBi0yAjviWSKVoCKIHdxkALYBfREcHK1OJNVWLmXWACOXfAb0+aGj6bYLu
mss9GOPmSYxwyswWgfvHREJkTFK3W/qkkEdLUkU1NzpaxPTOgnqi45aZfwbtdrRc
ng7tGxDIQHp+HMwEA+QMJqBJj5G61wzod/po9nrrtexl+n+Gw+A7vAVeLafa2jC5
lHbzJR/mvARkDPD50f+t+A7609lTEM8/QdfwTNw6y4ea9oFIebbj7NrRIbW28YvR
BeKNUXseDZkLoXBZHJKsjau1+P6fwCAPN5sVDMtVKbrl7gI0NblEund2341lH7W1
an3nckQnzq0TC8FY5w1My8jb4rpSTUwx7m+zucpppC/F9msh9mYVvDB8MwWDCQdi
K0EwsZ4kDq7CK+BbxdJxMknRTX+c4JbFfjdAKJvgN3nVlcI02xA4Mws9C5/QoslL
0YfAGWDdf6ELEEYU/DaQPF1rqK3S5BWwuTVVGnsFm5FlAhvxYWxjHLaY0UcDUwUc
mygjijpbyT2IotTe4fyC
=fPq3
-----END PGP SIGNATURE-----
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss at lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
--
Dave Täht
What will it take to vastly improve wifi for everyone?
https://plus.google.com/u/0/explore/makewififast
More information about the Cerowrt-devel
mailing list