The NetBSD Project

CVS log for pkgsrc/net/dnsmasq/Makefile

[BACK] Up to [cvs.NetBSD.org] / pkgsrc / net / dnsmasq

Request diff between arbitrary revisions


Keyword substitution: kv
Default branch: MAIN


Revision 1.51: download - view: text, markup, annotated - select for diffs
Sat Feb 17 02:20:26 2024 UTC (9 months, 3 weeks ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2024Q3-base, pkgsrc-2024Q3, pkgsrc-2024Q2-base, pkgsrc-2024Q2, pkgsrc-2024Q1-base, pkgsrc-2024Q1, HEAD
Diff to: previous 1.50: preferred, colored
Changes since revision 1.50: +2 -3 lines
dnsmasq: updated to 2.90

version 2.90

Fix reversion in --rev-server introduced in 2.88 which
caused breakage if the prefix length is not exactly divisible
by 8 (IPv4) or 4 (IPv6).

Fix possible SEGV when there server(s) for a particular
domain are configured, but no server which is not qualified
for a particular domain. Thanks to Daniel Danzberger for
spotting this bug.

Set the default maximum DNS UDP packet sice to 1232. This
has been the recommended value since 2020 because it's the
largest value that avoid fragmentation, and fragmentation
is just not reliable on the modern internet, especially
for IPv6. It's still possible to override this with
--edns-packet-max for special circumstances.

Add --no-dhcpv4-interface and --no-dhcpv6-interface for
better control over which inetrfaces are providing DHCP service.

Fix issue with stale caching: After replying with stale data,
dnsmasq sends the query upstream to refresh the cache asynchronously
and sometimes sends the wrong packet: packet length can be wrong,
and if an EDE marking stale data is added to the answer that can
end up in the query also. This bug only seems to cause problems
when the usptream server is a DOH/DOT proxy. Thanks to Justin He
for the bug report.

Add configurable caching for arbitrary RR-types.

Add --filter-rr option, to filter arbitrary RR-types.
--filter-rr=ANY has a special meaning: it filters the
answers to queries for the ANY RR-type.

Add limits on the resources used to do DNSSEC validation.
DNSSEC introduces a potential CPU DoS, because a crafted domain
can force a validator to a large number of cryptographic
operations whilst attempting to do validation. When using TCP
transport a DNSKEY RRset contain thousands of members and any
RRset can have thousands of signatures. The potential number
of signature validations to follow the RFC for validation
for one RRset is the cross product of the keys and signatures,
so millions. In practice, the actual numbers are much lower,
so attacks can be mitigated by limiting the amount of
cryptographic "work" to a much lower amount. The actual
limits are number a signature validation fails per RRset(20),
number of signature validations and hash computations
per query(200), number of sub-queries  to fetch  DS and DNSKEY
RRsets per query(40), and the number of iterations in a
NSEC3 record(150). These values are sensible, but there is, as yet,
no standardisation on the values for a "conforming" domain, so a
new option --dnssec-limit is provided should they need to be altered.
The algorithm to validate DS records has also been altered to reduce
the maximum work from cross product of the number of DS records and
number of DNSKEYs to the cross product of the number of DS records
and supported DS digest types. As the number of DS digest types
is in single figures, this reduces the exposure.

Credit is due to Elias Heftrig, Haya Schulmann, Niklas Vogel,
and Michael Waidner from the German National Research Center for
Applied Cybersecurity ATHENE for finding this vulnerability.

CVE 2023-50387 and CVE 2023-50868 apply.
Note that the is a security vulnerablity only when DNSSEC validation
is enabled.

Revision 1.50: download - view: text, markup, annotated - select for diffs
Sat Feb 25 03:30:47 2023 UTC (21 months, 2 weeks ago) by riastradh
Branches: MAIN
CVS tags: pkgsrc-2023Q4-base, pkgsrc-2023Q4, pkgsrc-2023Q3-base, pkgsrc-2023Q3, pkgsrc-2023Q2-base, pkgsrc-2023Q2, pkgsrc-2023Q1-base, pkgsrc-2023Q1
Diff to: previous 1.49: preferred, colored
Changes since revision 1.49: +2 -1 lines
net/dnsmasq: Patch away ctype(3) abuse.

Revision 1.49: download - view: text, markup, annotated - select for diffs
Tue Feb 7 08:51:45 2023 UTC (22 months ago) by adam
Branches: MAIN
Diff to: previous 1.48: preferred, colored
Changes since revision 1.48: +2 -2 lines
dnsmasq: updated to 2.89

version 2.89

Fix bug introduced in 2.88 (commit fe91134b) which can result
in corruption of the DNS cache internal data structures and
logging of "cache internal error". This has only been seen
in one place in the wild, and it took considerable effort
to even generate a test case to reproduce it, but there's
no way to be sure it won't strike, and the effect is to break
the cache badly. Installations with DNSSEC enabled are more
likely to see the problem, but not running DNSSEC does not
guarantee that it won't happen. Thanks to Timo van Roermund
for reporting the bug and for his great efforts in chasing
it down.

Revision 1.48: download - view: text, markup, annotated - select for diffs
Wed Dec 7 08:07:11 2022 UTC (2 years ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2022Q4-base, pkgsrc-2022Q4
Diff to: previous 1.47: preferred, colored
Changes since revision 1.47: +2 -2 lines
dnsmasq: updated to 2.88

version 2.88

Fix bug in --dynamic-host when an interface has /16 IPv4
address. Thanks to Mark Dietzer for spotting this.

Add --fast-dns-retry option. This gives dnsmasq the ability
to originate retries for upstream DNS queries itself, rather
than relying on the downstream client. This is most useful
when doing DNSSEC over unreliable upstream networks. It comes
with some cost in memory usage and network bandwidth.

Add --use-stale-cache option. When set, if a DNS name exists
in the cache, but its time-to-live has expired, dnsmasq will
return the data anyway. (It attempts to refresh the
data with an upstream query after returning the stale data.)
This can improve speed and reliability. It comes
at the expense of sometimes returning out-of-date data and
less efficient cache utilisation, since old data cannot be
flushed when its TTL expires, so the cache becomes
strictly least-recently-used.

Make --hostsdir (but NOT --dhcp-hostsdir and --dhcp-optsdir)
handle removal of whole files or entries within files.
Thanks to Dominik Derigs for the initial patches for this.

Fix bug, introduced in 2.87, which could result in DNS
servers being removed from the configuration when reloading
server configuration from DBus, or re-reading /etc/resolv.conf
Only servers from the same source should be replaced, but some
servers from other sources (i.e., hard coded or another dynamic source)
could mysteriously disappear. Thanks to all reporting this,
but especially Christopher J. Madsen who reduced the problem
to an easily reproducible case which saved much labour in
finding it.

Add --no-round-robin option.

Allow domain names as well as IP addresses when specifying
upstream DNS servers. There are some gotchas associated with this
(it will mysteriously fail to work if the dnsmasq instance
being started is in the path from the system resolver to the DNS),
and a seemingly sensible configuration like
--server=domain.name@1.2.3.4 is unactionable if domain.name
only resolves to an IPv6 address). There are, however,
cases where is can be useful. Thanks to Dominik Derigs for
the patch.

Handle DS records for unsupported crypto algorithms correctly.
Such a DS, as long as it is validated, should allow answers
in the domain it attests to be returned as unvalidated, and not
as a validation error.

Optimise reading large numbers of --server options. When re-reading
upstream servers from /etc/resolv.conf or other sources that
can change dnsmasq tries to avoid memory fragmentation by re-using
existing records that are being re-read unchanged. This involves
seaching all the server records for each new one installed.
During startup this search is pointless, and can cause long
start times with thousands of --server options because the work
needed is O(n^2). Handle this case more intelligently.
Thanks to Ye Zhou for spotting the problem and an initial patch.

If we detect that a DNS reply from upstream is malformed don't
return it to the requestor; send a SEVFAIL rcode instead.

Revision 1.47: download - view: text, markup, annotated - select for diffs
Mon Sep 26 13:23:31 2022 UTC (2 years, 2 months ago) by adam
Branches: MAIN
Diff to: previous 1.46: preferred, colored
Changes since revision 1.46: +2 -2 lines
dnsmasq: updated to 2.87

version 2.87

Allow arbitrary prefix lengths in --rev-server and
--domain=....,local

Replace --address=/#/..... functionality which got
missed in the 2.86 domain search rewrite.

Add --nftset option, like --ipset but for the newer nftables.
Thanks to Chen Zhenge for the patch.

Add --filter-A and --filter-AAAA options, to remove IPv4 or IPv6
addresses from DNS answers.

Fix crash doing netbooting when --port is set to zero
to disable the DNS server. Thanks to Drexl Johannes
for the bug report.

Generalise --dhcp-relay. Sending via broadcast/multicast is
now supported for both IPv4 and IPv6 and the configuration
syntax made easier (but backwards compatible).

Add snooping of IPv6 prefix-delegations to the DHCP-relay system.

Finesse parsing of --dhcp-remoteid and --dhcp-subscrid. To be treated
as hex, the pattern must consist of only hex digits AND contain
at least one ':'. Thanks to Bengt-Erik Sandstrom who tripped
over a pattern consisting of a decimal number which was interpreted
surprisingly.

Include client address in TFTP file-not-found error reports.
Thanks to Stefan Rink for the initial patch, which has been
re-worked by me (srk). All bugs mine.

Note in manpage the change in behaviour of -address. This behaviour
actually changed in v2.86, but was undocumented there. From 2.86 on,
(eg) --address=/example.com/1.2.3.4 ONLY applies to A queries. All other
types of query will be sent upstream. Pre 2.86, that would catch the
whole example.com domain and queries for other types would get
a local NODATA answer. The pre-2.86 behaviour is still available,
by configuring --address=/example.com/1.2.3.4 --local=/example.com/

Fix problem with binding DHCP sockets to an individual interface.
Despite the fact that the system call tales the interface _name_ as
a parameter, it actually, binds the socket to interface _index_.
Deleting the interface and creating a new one with the same name
leaves the socket bound to the old index. (Creating new sockets
always allocates a fresh index, they are not reused). We now
take this behaviour into account and keep up with changing indexes.

Add --conf-script configuration option.

Enhance --domain to accept, for instance,
--domain=net2.thekelleys.org.uk,eth2 so that hosts get a domain
which relects the interface they are attached to in a way which
doesn't require hard-coding addresses. Thanks to Sten Spans for
the idea.

Fix write-after-free error in DHCPv6 server code.
CVE-2022-0934 refers.

Add the ability to specify destination port in
DHCP-relay mode. This change also removes a previous bug
where --dhcp-alternate-port would affect the port used
to relay _to_ as well as the port being listened on.
The new feature allows configuration to provide bug-for-bug
compatibility, if required. Thanks to Damian Kaczkowski
for the feature suggestion.

Bound the value of UDP packet size in the EDNS0 header of
forwarded queries to the configured or default value of
edns-packet-max. There's no point letting a client set a larger
value if we're unable to return the answer. Thanks to Bertie
Taylor for pointing out the problem and supplying the patch.

Fix problem with the configuration

--server=/some.domain/# --address=/#/<ip> --server=<server_ip>

This would return <ip> for queries in some.domain, rather than
forwarding the query via the default server.

Tweak DHCPv6 relay code so that packets relayed towards a server
have source address on the server-facing network, not the
client facing network. Thanks to Luis Thomas for spotting this
and initial patch.

Revision 1.46: download - view: text, markup, annotated - select for diffs
Fri Sep 17 21:04:39 2021 UTC (3 years, 2 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2022Q3-base, pkgsrc-2022Q3, pkgsrc-2022Q2-base, pkgsrc-2022Q2, pkgsrc-2022Q1-base, pkgsrc-2022Q1, pkgsrc-2021Q4-base, pkgsrc-2021Q4, pkgsrc-2021Q3-base, pkgsrc-2021Q3
Diff to: previous 1.45: preferred, colored
Changes since revision 1.45: +2 -2 lines
dnsmasq: updated to 2.86

version 2.86

Handle DHCPREBIND requests in the DHCPv6 server code.
Thanks to Aichun Li for spotting this omission, and the initial
patch.

Fix bug which caused dnsmasq to lose track of processes forked
to handle TCP DNS connections under heavy load. The code
checked that at least one free process table slot was
available before listening on TCP sockets, but didn't take
into account that more than one TCP connection could
arrive, so that check was not sufficient to ensure that
there would be slots for all new processes. It compounded
this error by silently failing to store the process when
it did run out of slots. Even when this bug is triggered,
all the right things happen, and answers are still returned.
Only under very exceptional circumstances, does the bug
manifest itself: see
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q2/014976.html
Thanks to Tijs Van Buggenhout for finding the conditions under
which the bug manifests itself, and then working out
exactly what was going on.

Major rewrite of the DNS server and domain handling code.
This should be largely transparent, but it drastically
improves performance and reduces memory foot-print when
configuring large numbers domains of the form
local=/adserver.com/
or
local=/adserver.com/#
Lookup times now grow as log-to-base-2 of the number of domains,
rather than greater than linearly, as before.
The change makes multiple addresses associated with a domain work
address=/example.com/1.2.3.4
address=/example.com/5.6.7.8
It also handles multiple upstream servers for a domain better; using
the same try/retry algorithms as non domain-specific servers. This
also applies to DNSSEC-generated queries.
Finally, some of the oldest and gnarliest code in dnsmasq has had
a significant clean-up. It's far from perfect, but it _is_ better.

Revise resource handling for number of concurrent DNS queries. This
used to have a global limit, but that has a problem when using
different servers for different upstream domains. Queries which are
routed by domain to an upstream server which is not responding will
build up and trigger the limit, which breaks DNS service for
all other domains which could be handled by other servers. The
change is to make the limit per server-group, where a server group
is the set of servers configured for a particular domain. In the
common case, where only default servers are declared, there is
no effective change.

Improve efficiency of DNSSEC. The sharing point for DNSSEC RR data
used to be when it entered the cache, having been validated. After
that queries requiring the KEY or DS records would share the cached
values. There is a common case in dual-stack hosts that queries for
A and AAAA records for the same domain are made simultaneously.
If required keys were not in the cache, this would result in two
requests being sent upstream for the same key data (and all the
subsequent chain-of-trust queries.) Now we combine these requests
and elide the duplicates, resulting in fewer queries upstream
and better performance. To keep a better handle on what's
going on, the "extra" logging mode has been modified to associate
queries and answers  for DNSSEC queries in the same way as ordinary
queries. The requesting address and port have been removed from
DNSSEC logging lines, since this is no longer strictly defined.

Connection track mark based DNS query filtering. Thanks to
Etan Kissling for implementing this It extends query filtering
support beyond what is currently possible
with the `--ipset` configuration option, by adding support for:
1) Specifying allowlists on a per-client basis, based on their
   associated Linux connection track mark.
2) Dynamic configuration of allowlists via Ubus.
3) Reporting when a DNS query resolves or is rejected via Ubus.
4) DNS name patterns containing wildcards.
Disallowed queries are not forwarded; they are rejected
with a REFUSED error code.

Allow smaller than 64 prefix lengths in synth-domain, with caveats.
--synth-domain=1234:4567::/56,example.com is now valid.

Make domains generated by --synth-domain appear in replies
when in authoritative mode.

Ensure CAP_NET_ADMIN capability is available when
conntrack is configured. Thanks to Yick Xie for spotting
the lack of this.

When --dhcp-hostsfile --dhcp-optsfile and --addn-hosts are
given a directory as argument, define the order in which
files within that directory are read (alphabetical order
of filename). Thanks to Ed Wildgoose for the initial patch
and motivation for this.

Revision 1.45: download - view: text, markup, annotated - select for diffs
Mon Apr 12 10:06:45 2021 UTC (3 years, 8 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2021Q2-base, pkgsrc-2021Q2
Diff to: previous 1.44: preferred, colored
Changes since revision 1.44: +4 -4 lines
dnsmasq: updated to 2.85

version 2.85

Fix problem with DNS retries in 2.83/2.84.
The new logic in 2.83/2.84 which merges distinct requests
for the same domain causes problems with clients which do
retries as distinct requests (differing IDs and/or source ports.)
The retries just get piggy-backed on the first, failed, request.
The logic is now changed so that distinct requests for repeated
queries still get merged into a single ID/source port, but
they now always trigger a re-try upstream.
Thanks to Nicholas Mu for his analysis.

Tweak sort order of tags in get-version. v2.84 sorts
before v2.83, but v2.83 sorts before v2.83rc1 and 2.83rc1
sorts before v2.83test1. This fixes the problem which lead
to 2.84 announcing itself as 2.84rc2.

Avoid treating a --dhcp-host which has an IPv6 address
as eligible for use with DHCPv4 on the grounds that it has
no address, and vice-versa. Thanks to Viktor Papp for
spotting the problem. (This bug was fixed was back in 2.67, and
then regressed in 2.81).

Add --dynamic-host option: A and AAAA records which take their
network part from the network of a local interface. Useful
for routers with dynamically prefixes. Thanks
to Fred F for the suggestion.

Teach --bogus-nxdomain and --ignore-address to take an IPv4 subnet.

Use random source ports where possible if source
addresses/interfaces in use.
CVE-2021-3448 applies. Thanks to Petr Menšík for spotting this.
It's possible to specify the source address or interface to be
used when contacting upstream name servers: server=8.8.8.8@1.2.3.4
or server=8.8.8.8@1.2.3.4#66 or server=8.8.8.8@eth0, and all of
these have, until now, used a single socket, bound to a fixed
port. This was originally done to allow an error (non-existent
interface, or non-local address) to be detected at start-up. This
means that any upstream servers specified in such a way don't use
random source ports, and are more susceptible to cache-poisoning
attacks.
We now use random ports where possible, even when the
source is specified, so server=8.8.8.8@1.2.3.4 or
server=8.8.8.8@eth0 will use random source
ports. server=8.8.8.8@1.2.3.4#66 or any use of --query-port will
use the explicitly configured port, and should only be done with
understanding of the security implications.
Note that this change changes non-existing interface, or non-local
source address errors from fatal to run-time. The error will be
logged and communication with the server not possible.

Change the method of allocation of random source ports for DNS.
Previously, without min-port or max-port configured, dnsmasq would
default to the compiled in defaults for those, which are 1024 and
65535. Now, when neither are configured, it defaults instead to
the kernel's ephemeral port range, which is typically
32768 to 60999 on Linux systems. This change eliminates the
possibility that dnsmasq may be using a registered port > 1024
when a long-running daemon starts up and wishes to claim it.
This change does likely slightly reduce the number of random ports
and therefore the protection from reply spoofing. The older
behaviour can be restored using the min-port and max-port config
switches should that be a concern.

Scale the size of the DNS random-port pool based on the
value of the --dns-forward-max configuration.

Tweak TFTP code to check sender of all received packets, as
specified in RFC 1350 para 4.

Revision 1.44: download - view: text, markup, annotated - select for diffs
Fri Feb 5 20:04:43 2021 UTC (3 years, 10 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2021Q1-base, pkgsrc-2021Q1
Diff to: previous 1.43: preferred, colored
Changes since revision 1.43: +2 -2 lines
dnsmasq: updated to 2.84

version 2.84
Unknown changes

version 2.83
Use the values of --min-port and --max-port in outgoing
TCP connections to upstream DNS servers.

Fix a remote buffer overflow problem in the DNSSEC code. Any
dnsmasq with DNSSEC compiled in and enabled is vulnerable to this,
referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683
CVE-2020-25687.

Be sure to only accept UDP DNS query replies at the address
from which the query was originated. This keeps as much entropy
in the {query-ID, random-port} tuple as possible, to help defeat
cache poisoning attacks. Refer: CVE-2020-25684.

Use the SHA-256 hash function to verify that DNS answers
received are for the questions originally asked. This replaces
the slightly insecure SHA-1 (when compiled with DNSSEC) or
the very insecure CRC32 (otherwise). Refer: CVE-2020-25685.

Handle multiple identical near simultaneous DNS queries better.
Previously, such queries would all be forwarded
independently. This is, in theory, inefficent but in practise
not a problem, _except_ that is means that an answer for any
of the forwarded queries will be accepted and cached.
An attacker can send a query multiple times, and for each repeat,
another {port, ID} becomes capable of accepting the answer he is
sending in the blind, to random IDs and ports. The chance of a
succesful attack is therefore multiplied by the number of repeats
of the query. The new behaviour detects repeated queries and
merely stores the clients sending repeats so that when the
first query completes, the answer can be sent to all the
clients who asked. Refer: CVE-2020-25686.

Revision 1.43: download - view: text, markup, annotated - select for diffs
Mon Jul 27 16:41:11 2020 UTC (4 years, 4 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2020Q4-base, pkgsrc-2020Q4, pkgsrc-2020Q3-base, pkgsrc-2020Q3
Diff to: previous 1.42: preferred, colored
Changes since revision 1.42: +2 -3 lines
dnsmasq: updated to 2.82

version 2.82

Improve behaviour in the face of network interfaces which come
and go and change index. Thanks to Petr Mensik for the patch.

Convert hard startup failure on NETLINK_NO_ENOBUFS under qemu-user
to a warning.

Allow IPv6 addresses ofthe form [::ffff:1.2.3.4] in --dhcp-option.

Fix crash under heavy TCP connection load introduced in 2.81.
Thanks to Frank for good work chasing this down.

Change default lease time for DHCPv6 to one day.

Alter calculation of preferred and valid times in router
advertisements, so that these do not have a floor applied
of the lease time in the dhcp-range if this is not explicitly
specified and is merely the default.

Revision 1.42: download - view: text, markup, annotated - select for diffs
Fri May 22 10:56:26 2020 UTC (4 years, 6 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2020Q2-base, pkgsrc-2020Q2
Diff to: previous 1.41: preferred, colored
Changes since revision 1.41: +2 -1 lines
revbump after updating security/nettle

Revision 1.41: download - view: text, markup, annotated - select for diffs
Wed Apr 29 12:38:52 2020 UTC (4 years, 7 months ago) by adam
Branches: MAIN
Diff to: previous 1.40: preferred, colored
Changes since revision 1.40: +5 -6 lines
dnsmasq: updated to 2.81

version 2.81

Improve cache behaviour for TCP connections. For ease of
implementaion, dnsmasq has always forked a new process to handle
each incoming TCP connection. A side-effect of this is that
any DNS queries answered from TCP connections are not cached:
when TCP connections were rare, this was not a problem.
With the coming of DNSSEC, it is now the case that some
DNSSEC queries have answers which spill to TCP, and if,
for instance, this applies to the keys for the root, then
those never get cached, and performance is very bad.
This fix passes cache entries back from the TCP child process to
the main server process, and fixes the problem.

Remove the NO_FORK compile-time option, and support for uclinux.
In an era where everything has an MMU, this looks like
an anachronism, and it adds to (Ok, multiplies!) the
combinatorial explosion of compile-time options. Thanks to
Kevin Darbyshire-Bryant for the patch.

Fix line-counting when reading /etc/hosts and friends; for
correct error messages. Thanks to Christian Rosentreter
for reporting this.

Fix bug in DNS non-terminal code, added in 2.80, which could
sometimes cause a NODATA rather than an NXDOMAIN reply.
Thanks to Norman Rasmussen, Sven Mueller and Maciej Żenczykowski
for spotting and diagnosing the bug and providing patches.

Support TCP-fastopen (RFC-7413) on both incoming and
outgoing TCP connections, if supported and enabled in the OS.

Improve kernel-capability manipulation code under Linux. Dnsmasq
now fails early if a required capability is not available, and
tries not to request capabilities not required by its
configuration.

Add --shared-network config. This enables allocation of addresses
by the DHCP server in subnets where the server (or relay) does not
have an interface on the network in that subnet. Many thanks to
kamp.de for sponsoring this feature.

Fix broken contrib/lease_tools/dhcp_lease_time.c. A packet
validation check got borked in commit 2b38e382 and release 2.80.
Thanks to Tomasz Szajner for spotting this.

Fix compilation against nettle version 3.5 and later.

Fix spurious DNSSEC validation failures when the auth section
of a reply contains unsigned RRs from a signed zone,
with the exception that NSEC and NSEC3 RRs must always be signed.
Thanks to Tore Anderson for spotting and diagnosing the bug.

Add --dhcp-ignore-clid. This disables reading of DHCP client
identifier option (option 61), so clients are only identified by
MAC addresses.

Fix a bug which stopped --dhcp-name-match from working when a hostname
is supplied in --dhcp-host. Thanks to James Feeney for spotting this.

Fix bug which caused very rarely caused zero-length DHCPv6 packets.
Thanks to Dereck Higgins for spotting this.

Add --tftp-single-port option.

Enhance --conf-dir to load files in a deterministic order. Thanks to
Evgenii Seliavka for the suggestion and initial patch.

In the router advert code, handle case where we have two
different interfaces on the same IPv6 net, and we are doing
RA/DHCP service on only one of them. Thanks to NIIBE Yutaka
for spotting this case and making the initial patch.

Support prefixed ranges of ipv6 addresses in dhcp-host.
This eases problems chain-netbooting, where each link in the
chain requests an address using a different UID. With a single
address, only one gets the "static" address, but with this
fix, enough addresses can be reserved for all the stages of the
boot. Many thanks to Harald Jensås for his work on this idea and
earlier patches.

Add filtering by tag of --dhcp-host directives. Based on a patch
by Harald Jensås.

Allow empty server spec in --rev-server, to match --server.

Remove DSA signature verification from DNSSEC, as specified in
RFC 8624. Thanks to Loganaden Velvindron for the original patch.

Add --script-on-renewal option.

Revision 1.40: download - view: text, markup, annotated - select for diffs
Sun Nov 3 11:45:34 2019 UTC (5 years, 1 month ago) by rillig
Branches: MAIN
CVS tags: pkgsrc-2020Q1-base, pkgsrc-2020Q1, pkgsrc-2019Q4-base, pkgsrc-2019Q4
Diff to: previous 1.39: preferred, colored
Changes since revision 1.39: +2 -2 lines
net: align variable assignments

pkglint -Wall -F --only aligned --only indent -r

No manual corrections.

Revision 1.39: download - view: text, markup, annotated - select for diffs
Sat Jul 20 22:46:37 2019 UTC (5 years, 4 months ago) by wiz
Branches: MAIN
CVS tags: pkgsrc-2019Q3-base, pkgsrc-2019Q3
Diff to: previous 1.38: preferred, colored
Changes since revision 1.38: +2 -1 lines
*: recursive bump for nettle 3.5.1

Revision 1.38: download - view: text, markup, annotated - select for diffs
Sat Oct 27 07:57:10 2018 UTC (6 years, 1 month ago) by maya
Branches: MAIN
CVS tags: pkgsrc-2019Q2-base, pkgsrc-2019Q2, pkgsrc-2019Q1-base, pkgsrc-2019Q1, pkgsrc-2018Q4-base, pkgsrc-2018Q4
Diff to: previous 1.37: preferred, colored
Changes since revision 1.37: +2 -2 lines
dnsmasq: update to 2.80. add dnssec option (default disabled)
From i3endek, thanks!

version 2.80
	Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method
	for the initial patch and motivation.

	Alter the default for dnssec-check-unsigned. Versions of
	dnsmasq prior to 2.80 defaulted to not checking unsigned
	replies, and used --dnssec-check-unsigned to switch
        this on. Such configurations will continue to work as before,
        but those which used the default of no checking will need to be
        altered to explicitly select no checking. The new default is
        because switching off checking for unsigned replies is
	inherently dangerous. Not only does it open the possiblity of forged
        replies, but it allows everything to appear to be working even
        when the upstream namesevers do not support DNSSEC, and in this
        case no DNSSEC validation at all is occuring.

        Fix DHCP broken-ness when --no-ping AND --dhcp-sequential-ip
	are set. Thanks to Daniel Miess for help with this.

	Add a facilty to store DNS packets sent/recieved in a
	pcap-format file for later debugging. The file location
	is given by the --dumpfile option, and a bitmap controlling
	which packets should be dumped is given by the --dumpmask
	option.

	Handle the case of both standard and constructed dhcp-ranges on the
	same interface better. We don't now contruct a dhcp-range if there's
	already one specified. This allows the specified interface to
	have different parameters and avoids advertising the same
	prefix twice. Thanks to Luis Marsano for spotting this case.

	Allow zone transfer in authoritative mode if auth-peer is specified,
	even if auth-sec-servers is not. Thanks to Raphaël Halimi for
	the suggestion.

	Fix bug which sometimes caused dnsmasq to wrongly return answers
	without DNSSEC RRs to queries with the do-bit set, but only when
	DNSSEC validation was not enabled.
	Thanks to Petr Menšík for spotting this.

	Fix missing fatal errors with some malformed options
	(server, local, address, rebind-domain-ok, ipset, alias).
	Thanks to Eugene Lozovoy for spotting the problem.

	Fix crash on startup with a --synth-domain which has no prefix.
	Introduced in 2.79. Thanks to Andreas Engel for the bug report.

	Fix missing EDNS0 section in some replies generated by local
	DNS configuration which confused systemd-resolvd. Thanks to
	Steve Dodd for characterising the problem.

	Add --dhcp-name-match config option.

	Add --caa-record config option.

	Implement --address=/example.com/# as (more efficient) syntactic
	sugar for --address=/example.com/0.0.0.0 and
	--address=/example.com/::
	Returning null addresses is a useful technique for ad-blocking.
	Thanks to Peter Russell for the suggestion.

	Change anti cache-snooping behaviour with queries with the
	recursion-desired bit unset. Instead to returning SERVFAIL, we
	now always forward, and never answer from the cache. This
	allows "dig +trace" command to work.

	Include in the example config file a formulation which
	stops DHCP clients from claiming the DNS name "wpad".
	This is a fix for the CERT Vulnerability VU#598349.

Revision 1.37: download - view: text, markup, annotated - select for diffs
Fri Mar 23 12:58:43 2018 UTC (6 years, 8 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2018Q3-base, pkgsrc-2018Q3, pkgsrc-2018Q2-base, pkgsrc-2018Q2, pkgsrc-2018Q1-base, pkgsrc-2018Q1
Diff to: previous 1.36: preferred, colored
Changes since revision 1.36: +4 -5 lines
dnsmasq: updated to 2.79

version 2.79
Fix parsing of CNAME arguments, which are confused by extra spaces.
Thanks to Diego Aguirre for spotting the bug.

Where available, use IP_UNICAST_IF or IPV6_UNICAST_IF to bind
upstream servers to an interface, rather than SO_BINDTODEVICE.
Thanks to Beniamino Galvani for the patch.

Always return a SERVFAIL answer to DNS queries without the
recursion desired bit set, UNLESS acting as an authoritative
DNS server. This avoids a potential route to cache snooping.

Add support for Ed25519 signatures in DNSSEC validation.

No longer support RSA/MD5 signatures in DNSSEC validation,
since these are not secure. This behaviour is mandated in
RFC-6944.

Fix incorrect error exit code from dhcp_release6 utility.
Thanks Gaudenz Steinlin for the bug report.

Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC
time validation when --dnssec-no-timecheck is in use.
Note that this is an incompatible change from earlier releases.

Allow more than one --bridge-interface option to refer to an
interface, so that we can use
--bridge-interface=int1,alias1
--bridge-interface=int1,alias2
as an alternative to
--bridge-interface=int1,alias1,alias2
Thanks to Neil Jerram for work on this.

Fix for DNSSEC with wildcard-derived NSEC records.
It's OK for NSEC records to be expanded from wildcards,
but in that case, the proof of non-existence is only valid
starting at the wildcard name, *.<domain> NOT the name expanded
from the wildcard. Without this check it's possible for an
attacker to craft an NSEC which wrongly proves non-existence.
Thanks to Ralph Dolmans for finding this, and co-ordinating
the vulnerability tracking and fix release.
CVE-2017-15107 applies.

Remove special handling of A-for-A DNS queries. These
are no longer a significant problem in the global DNS.
http://cs.northwestern.edu/~ychen/Papers/DNS_ToN15.pdf
Thanks to Mattias Hellström for the initial patch.

Fix failure to delete dynamically created dhcp options
from files in -dhcp-optsdir directories. Thanks to
Lindgren Fredrik for the bug report.

Add to --synth-domain the ability to create names using
sequential numbers, as well as encodings of IP addresses.
For instance,
--synth-domain=thekelleys.org.uk,192.168.0.50,192.168.0.70,internal-*
creates 21 domain names of the form
internal-4.thekelleys.org.uk over the address range given, with
internal-0.thekelleys.org.uk being 192.168.0.50 and
internal-20.thekelleys.org.uk being 192.168.0.70
Thanks to Andy Hawkins for the suggestion.

Tidy up Crypto code, removing workarounds for ancient
versions of libnettle. We now require libnettle 3.

Revision 1.36: download - view: text, markup, annotated - select for diffs
Tue Oct 24 01:04:19 2017 UTC (7 years, 1 month ago) by khorben
Branches: MAIN
CVS tags: pkgsrc-2017Q4-base, pkgsrc-2017Q4
Diff to: previous 1.35: preferred, colored
Changes since revision 1.35: +2 -1 lines
Add support for LDFLAGS

This notably fixes building with RELRO enabled.

Revision 1.35: download - view: text, markup, annotated - select for diffs
Mon Oct 2 15:50:55 2017 UTC (7 years, 2 months ago) by wiz
Branches: MAIN
Diff to: previous 1.34: preferred, colored
Changes since revision 1.34: +2 -2 lines
dnsmasq: update to 2.78.

version 2.78
        Fix logic of appending ".<layer>" to PXE basename. Thanks to Chris
	Novakovic for the patch.

	Revert ping-check of address in DHCPDISCOVER if there
	already exists a lease for the address. Under some
	circumstances, and netbooted windows installation can reply
	to pings before if has a DHCP lease and block allocation
	of the address it already used during netboot. Thanks to
	Jan Psota for spotting this.

	Fix DHCP relaying, broken in 2.76 and 2.77 by commit
	ff325644c7afae2588583f935f4ea9b9694eb52e. Thanks to
	John Fitzgibbon for the diagnosis and patch.

        Try other servers if first returns REFUSED when
	--strict-order active. Thanks to Hans Dedecker
	for the patch

	Fix regression in 2.77, ironically added as a security
	improvement, which resulted in a crash when a DNS
	query exceeded 512 bytes (or the EDNS0 packet size,
	if different.) Thanks to Christian Kujau, Arne Woerner
	Juan Manuel Fernandez and Kevin Darbyshire-Bryant for
	chasing this one down.  CVE-2017-13704 applies.

	Fix heap overflow in DNS code. This is a potentially serious
	security hole. It allows an attacker who can make DNS
	requests to dnsmasq, and who controls the contents of
	a domain, which is thereby queried, to overflow
	(by 2 bytes) a heap buffer and either crash, or
	even take control of, dnsmasq.
	CVE-2017-14491 applies.
	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	Kevin Hamacher and Ron Bowes of the Google Security Team for
	finding this.

	Fix heap overflow in IPv6 router advertisement code.
	This is a potentially serious security hole, as a
	crafted RA request can overflow a buffer and crash or
	control dnsmasq. Attacker must be on the local network.
	CVE-2017-14492 applies.
        Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	and Kevin Hamacher of the Google Security Team for
	finding this.

	Fix stack overflow in DHCPv6 code. An attacker who can send
	a DHCPv6 request to dnsmasq can overflow the stack frame and
	crash or control dnsmasq.
	CVE-2017-14493 applies.
	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	Kevin Hamacher and Ron Bowes of the Google Security Team for
	finding this.

	Fix information leak in DHCPv6. A crafted DHCPv6 packet can
	cause dnsmasq to forward memory from outside the packet
	buffer to a DHCPv6 server when acting as a relay.
	CVE-2017-14494 applies.
	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	Kevin Hamacher and Ron Bowes of the Google Security Team for
	finding this.

	Fix DoS in DNS. Invalid boundary checks in the
	add_pseudoheader function allows a memcpy call with negative
	size An attacker which can send malicious DNS queries
	to dnsmasq can trigger a DoS remotely.
	dnsmasq is vulnerable only if one of the following option is
	specified: --add-mac, --add-cpe-id or --add-subnet.
	CVE-2017-14496 applies.
	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	Kevin Hamacher and Ron Bowes of the Google Security Team for
	finding this.

	Fix out-of-memory Dos vulnerability. An attacker which can
	send malicious DNS queries to dnsmasq can trigger memory
	allocations in the add_pseudoheader function
	The allocated memory is never freed which leads to a DoS
	through memory exhaustion. dnsmasq is vulnerable only
	if one of the following option is specified:
	--add-mac, --add-cpe-id or --add-subnet.
	CVE-2017-14495 applies.
	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	Kevin Hamacher and Ron Bowes of the Google Security Team for
	finding this.

Revision 1.34: download - view: text, markup, annotated - select for diffs
Fri Jun 2 08:37:49 2017 UTC (7 years, 6 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2017Q3-base, pkgsrc-2017Q3, pkgsrc-2017Q2-base, pkgsrc-2017Q2
Diff to: previous 1.33: preferred, colored
Changes since revision 1.33: +12 -29 lines
version 2.77
	    Generate an error when configured with a CNAME loop,
	    rather than a crash. Thanks to George Metz for
	    spotting this problem.

	    Calculate the length of TFTP error reply packet
	    correctly. This fixes a problem when the error
	    message in a TFTP packet exceeds the arbitrary
	    limit of 500 characters. The message was correctly
	    truncated, but not the packet length, so
	    extra data was appended. This is a possible
	    security risk, since the extra data comes from
	    a buffer which is also used for DNS, so that
	    previous DNS queries or replies may be leaked.

	    Fix logic error in Linux netlink code. This could
	    cause dnsmasq to enter a tight loop on systems
	    with a very large number of network interfaces.

	    Fix problem with --dnssec-timestamp whereby receipt
	    of SIGHUP would erroneously engage timestamp checking.

	    Bump zone serial on reloading /etc/hosts and friends
	    when providing authoritative DNS.

	    Handle v4-mapped IPv6 addresses sanely in --synth-domain.
	    These have standard representation like ::ffff:1.2.3.4
	    and are now converted to names like
	    <prefix>--ffff-1-2-3-4.<domain>

	    Handle binding upstream servers to an interface
	    (--server=1.2.3.4@eth0) when the named interface
	    is destroyed and recreated in the kernel.

	    Allow wildcard CNAME records in authoritative zones.
	    For example --cname=*.example.com,default.example.com

more...

Revision 1.33: download - view: text, markup, annotated - select for diffs
Tue Nov 8 11:59:05 2016 UTC (8 years, 1 month ago) by mef
Branches: MAIN
CVS tags: pkgsrc-2017Q1-base, pkgsrc-2017Q1, pkgsrc-2016Q4-base, pkgsrc-2016Q4
Diff to: previous 1.32: preferred, colored
Changes since revision 1.32: +2 -2 lines
Updated net/dnsmasq to 2.76
---------------------------
version 2.76
            Include 0.0.0.0/8 in DNS rebind checks. This range
	    translates to hosts on  the local network, or, at
	    least, 0.0.0.0 accesses the local host, so could
	    be targets for DNS rebinding. See RFC 5735 section 3
	    for details. Thanks to Stephen R旦ttger for the bug report.

	    Enhance --add-subnet to allow arbitrary subnet addresses.
            Thanks to Ed Barsley for the patch.

	    Respect the --no-resolv flag in inotify code. Fixes bug
	    which caused dnsmasq to fail to start if a resolv-file
	    was a dangling symbolic link, even of --no-resolv set.
	    Thanks to Alexander Kurtz for spotting the problem.

	    Fix crash when an A or AAAA record is defined locally,
	    in a hosts file, and an upstream server sends a reply
	    that the same name is empty. Thanks to Edwin T旦r旦k for
	    the patch.

	    Fix failure to correctly calculate cache-size when
	    reading a hosts-file fails. Thanks to Andr辿 Gl端pker
	    for the patch.

	    Fix wrong answer to simple name query when --domain-needed
	    set, but no upstream servers configured. Dnsmasq returned
	    REFUSED, in this case, when it should be the same as when
	    upstream servers are configured - NOERROR. Thanks to
	    Allain Legacy for spotting the problem.

	    Return REFUSED when running out of forwarding table slots,
	    not SERVFAIL.

            Add --max-port configuration. Thanks to Hans Dedecker for
	    the patch.

	    Add --script-arp and two new functions for the dhcp-script.
	    These are "arp" and "arp-old" which announce the arrival and
	    removal of entries in the ARP or nieghbour tables.

	    Extend --add-mac to allow a new encoding of the MAC address
	    as base64, by configurting --add-mac=base64

	    Add --add-cpe-id option.

            Don't crash with divide-by-zero if an IPv6 dhcp-range
	    is declared as a whole /64.
	    (ie xx::0 to xx::ffff:ffff:ffff:ffff)
	    Thanks to Laurent Bendel for spotting this problem.

	    Add support for a TTL parameter in --host-record and
	    --cname.

	    Add --dhcp-ttl option.

	    Add --tftp-mtu option. Thanks to Patrick McLean for the
	    initial patch.

	    Check return-code of inet_pton() when parsing dhcp-option.
	    Bad addresses could fail to generate errors and result in
	    garbage dhcp-options being sent. Thanks to Marc Branchaud
	    for spotting this.

	    Fix wrong value for EDNS UDP packet size when using
	    --servers-file to define upstream DNS servers. Thanks to
	    Scott Bonar for the bug report.

	    Move the dhcp_release and dhcp_lease_time tools from
	    contrib/wrt to contrib/lease-tools.

	    Add dhcp_release6 to contrib/lease-tools. Many thanks
	    to Sergey Nechaev for this code.

	    To avoid filling logs in configurations which define
	    many upstream nameservers, don't log more that 30 servers.
	    The number to be logged can be changed as SERVERS_LOGGED
	    in src/config.h.

	    Swap the values if BC_EFI and x86-64_EFI in --pxe-service.
	    These were previously wrong due to an error in RFC 4578.
	    If you're using BC_EFI to boot 64-bit EFI machines, you
	    will need to update your config.

	    Add ARM32_EFI and ARM64_EFI as valid architectures in
	    --pxe-service.

            Fix PXE booting for UEFI architectures. Modify PXE boot
	    sequence in this case to force the client to talk to dnsmasq
	    over port 4011. This makes PXE and especially proxy-DHCP PXE
	    work with these archictectures.

	    Workaround problems with UEFI PXE clients. There exist
	    in the wild PXE clients which have problems with PXE
	    boot menus. To work around this, when there's a single
	    --pxe-service which applies to client, then that target
	    will be booted directly, rather then sending a
	    single-item boot menu.

            Many thanks to Jarek Polok, Michael Kuron and Dreamcat4
	    for their work on the long-standing UEFI PXE problem.

	    Subtle change in the semantics of "basename" in
	    --pxe-service. The historical behaviour has always been
	    that the actual filename downloaded from the TFTP server
	    is <basename>.<layer> where <layer> is an integer which
	    corresponds to the layer parameter supplied by the client.
	    It's not clear what the function of the "layer"
	    actually is in the PXE protocol, and in practise layer
	    is always zero, so the filename is <basename>.0
	    The new behaviour is the same as the old, except when
	    <basename> includes a file suffix, in which case
	    the layer suffix is no longer added. This allows
	    sensible suffices to be used, rather then the
	    meaningless ".0". Only in the unlikely event that you
	    have a config with a basename which already has a
	    suffix, is this an incompatible change, since the file
	    downloaded will change from name.suffix.0 to justy
	    name.suffix

Revision 1.32: download - view: text, markup, annotated - select for diffs
Thu Feb 25 16:20:50 2016 UTC (8 years, 9 months ago) by jperkin
Branches: MAIN
CVS tags: pkgsrc-2016Q3-base, pkgsrc-2016Q3, pkgsrc-2016Q2-base, pkgsrc-2016Q2, pkgsrc-2016Q1-base, pkgsrc-2016Q1
Diff to: previous 1.31: preferred, colored
Changes since revision 1.31: +2 -4 lines
Use OPSYSVARS.

Revision 1.31: download - view: text, markup, annotated - select for diffs
Sat Aug 15 12:38:17 2015 UTC (9 years, 3 months ago) by leot
Branches: MAIN
CVS tags: pkgsrc-2015Q4-base, pkgsrc-2015Q4, pkgsrc-2015Q3-base, pkgsrc-2015Q3
Diff to: previous 1.30: preferred, colored
Changes since revision 1.30: +8 -8 lines
Update net/dnsmasq to dnsmasq-2.75, based on patches from Benedek Gergely via
pkgsrc-users@.

ok wiz@

pkgsrc changes:
o Pass COPTS via MAKE_FLAGS. This avoid to completely rebuild dnsmasq when dbus
option is selected.

Changes:
version 2.75
            Fix reversion on 2.74 which caused 100% CPU use when a
            dhcp-script is configured. Thanks to Adrian Davey for
            reporting the bug and testing the fix.


version 2.74
            Fix reversion in 2.73 where --conf-file would attempt to
            read the default file, rather than no file.

            Fix inotify code to handle dangling symlinks better and
            not SEGV in some circumstances.

            DNSSEC fix. In the case of a signed CNAME generated by a
            wildcard which pointed to an unsigned domain, the wrong
            status would be logged, and some necessary checks omitted.

Revision 1.30: download - view: text, markup, annotated - select for diffs
Tue Jul 14 09:57:13 2015 UTC (9 years, 5 months ago) by fhajny
Branches: MAIN
Diff to: previous 1.29: preferred, colored
Changes since revision 1.29: +6 -2 lines
Update net/dnsmasq to 2.73.
Fix build on SunOS.

Version 2.73
  Fix crash at startup when an empty suffix is supplied to
  --conf-dir, also trivial memory leak. Thanks to
  Tomas Hozza for spotting this.

  Remove floor of 4096 on advertised EDNS0 packet size when
  DNSSEC in use, the original rationale for this has long gone.
  Thanks to Anders Kaseorg for spotting this.

  Use inotify for checking on updates to /etc/resolv.conf and
  friends under Linux. This fixes race conditions when the files are
  updated rapidly and saves CPU by noy polling. To build
  a binary that runs on old Linux kernels without inotify,
  use make COPTS=-DNO_INOTIFY

  Fix breakage of --domain=<domain>,<subnet>,local - only reverse
  queries were intercepted. THis appears to have been broken
  since 2.69. Thanks to Josh Stone for finding the bug.

  Eliminate IPv6 privacy addresses and deprecated addresses from
  the answers given by --interface-name. Note that reverse queries
  (ie looking for names, given addresses) are not affected.
  Thanks to Michael Gorbach for the suggestion.

  Fix crash in DNSSEC code with long RRs. Thanks to Marco Davids
  for the bug report.

  Add --ignore-address option. Ignore replies to A-record
  queries which include the specified address. No error is
  generated, dnsmasq simply continues to listen for another
  reply. This is useful to defeat blocking strategies which
  rely on quickly supplying a forged answer to a DNS
  request for certain domains, before the correct answer can
  arrive. Thanks to Glen Huang for the patch.

  Revisit the part of DNSSEC validation which determines if an
  unsigned answer is legit, or is in some part of the DNS
  tree which should be signed. Dnsmasq now works from the
  DNS root downward looking for the limit of signed
  delegations, rather than working bottom up. This is
  both more correct, and less likely to trip over broken
  nameservers in the unsigned parts of the DNS tree
  which don't respond well to DNSSEC queries.

  Add --log-queries=extra option, which makes logs easier
  to search automatically.

  Add --min-cache-ttl option. I've resisted this for a long
  time, on the grounds that disbelieving TTLs is never a
  good idea, but I've been persuaded that there are
  sometimes reasons to do it. (Step forward, GFW).
  To avoid misuse, there's a hard limit on the TTL
  floor of one hour. Thansk to RinSatsuki for the patch.

  Cope with multiple interfaces with the same link-local
  address. (IPv6 addresses are scoped, so this is allowed.)
  Thanks to Cory Benfield for help with this.

  Add --dhcp-hostsdir. This allows addition of new host
  configurations to a running dnsmasq instance much more
  cheaply than having dnsmasq re-read all its existing
  configuration each time.

  Don't reply to DHCPv6 SOLICIT messages if we're not
  configured to do stateful DHCPv6. Thanks to Win King Wan
  for the patch.

  Fix broken DNSSEC validation of ECDSA signatures.

  Add --dnssec-timestamp option, which provides an automatic
  way to detect when the system time becomes valid after
  boot on systems without an RTC, whilst allowing DNS
  queries before the clock is valid so that NTP can run.
  Thanks to Kevin Darbyshire-Bryant for developing this idea.

  Add --tftp-no-fail option. Thanks to Stefan Tomanek for
  the patch.

  Fix crash caused by looking up servers.bind, CHAOS text
  record, when more than about five --servers= lines are
  in the dnsmasq config. This causes memory corruption
  which causes a crash later. Thanks to Matt Coddington for
  sterling work chasing this down.

  Fix crash on receipt of certain malformed DNS requests.
  Thanks to Nick Sampanis for spotting the problem.
  Note that this is could allow the dnsmasq process's
  memory to be read by an attacker under certain
  circumstances, so it has a CVE, CVE-2015-3294

  Fix crash in authoritative DNS code, if a .arpa zone
  is declared as authoritative, and then a PTR query which
  is not to be treated as authoritative arrived. Normally,
  directly declaring .arpa zone as authoritative is not
  done, so this crash wouldn't be seen. Instead the
  relevant .arpa zone should be specified as a subnet
  in the auth-zone declaration. Thanks to Johnny S. Lee
  for the bugreport and initial patch.

  Fix authoritative DNS code to correctly reply to NS
  and SOA queries for .arpa zones for which we are
  declared authoritative by means of a subnet in auth-zone.
  Previously we provided correct answers to PTR queries
  in such zones (including NS and SOA) but not direct
  NS and SOA queries. Thanks to Johnny S. Lee for
  pointing out the problem.

  Fix logging of DHCPREPLY which should be suppressed
  by quiet-dhcp6. Thanks to J. Pablo Abonia for
  spotting the problem.

  Try and handle net connections with broken fragmentation
  that lose large UDP packets. If a server times out,
  reduce the maximum UDP packet size field in the EDNS0
  header to 1280 bytes. If it then answers, make that
  change permanent.

  Check IPv4-mapped IPv6 addresses when --stop-rebind
  is active. Thanks to Jordan Milne for spotting this.

  Allow DHCPv4 options T1 and T2 to be set using --dhcp-option.
  Thanks to Kevin Benton for patches and work on this.

  Fix code for DHCPCONFIRM DHCPv6 messages to confirm addresses
  in the correct subnet, even of not in dynamic address
  allocation range. Thanks to Steve Hirsch for spotting
  the problem.

  Add AddDhcpLease and DeleteDhcpLease DBus methods. Thanks
  to Nicolas Cavallari for the patch.

  Allow configuration of router advertisements without the
  "on-link" bit set. Thanks to Neil Jerram for the patch.

  Extend --bridge-interface to DHCPv6 and router
  advertisements. Thanks to Neil Jerram for the patch.

Revision 1.29: download - view: text, markup, annotated - select for diffs
Wed May 6 06:08:48 2015 UTC (9 years, 7 months ago) by mef
Branches: MAIN
CVS tags: pkgsrc-2015Q2-base, pkgsrc-2015Q2
Diff to: previous 1.28: preferred, colored
Changes since revision 1.28: +2 -3 lines
Update 2.67 to 2.72
-------------------
version 2.72
            Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.

	    Add support for "ipsets" in *BSD, using pf. Thanks to
	    Sven Falempim for the patch.

	    Fix race condition which could lock up dnsmasq when an
	    interface goes down and up rapidly. Thanks to Conrad
	    Kostecki for helping to chase this down.

	    Add DBus methods SetFilterWin2KOption and SetBogusPrivOption
	    Thanks to the Smoothwall project for the patch.

	    Fix failure to build against Nettle-3.0. Thanks to Steven
	    Barth for spotting this and finding the fix.

	    When assigning existing DHCP leases to intefaces by comparing
	    networks, handle the case that two or more interfaces have the
	    same network part, but different prefix lengths (favour the
	    longer prefix length.) Thanks to Lung-Pin Chang for the
	    patch.

	    Add a mode which detects and removes DNS forwarding loops, ie
	    a query sent to an upstream server returns as a new query to
	    dnsmasq, and would therefore be forwarded again, resulting in
	    a query which loops many times before being dropped. Upstream
	    servers which loop back are disabled and this event is logged.
	    Thanks to Smoothwall for their sponsorship of this feature.

	    Extend --conf-dir to allow filtering of files. So
	    --conf-dir=/etc/dnsmasq.d,\*.conf
	    will load all the files in /etc/dnsmasq.d which end in .conf

            Fix bug when resulted in NXDOMAIN answers instead of NODATA in
            some circumstances.

	    Fix bug which caused dnsmasq to become unresponsive if it
	    failed to send packets due to a network interface disappearing.
	    Thanks to Niels Peen for spotting this.

            Fix problem with --local-service option on big-endian platforms
	    Thanks to Richard Genoud for the patch.


version 2.71
            Subtle change to error handling to help DNSSEC validation
	    when servers fail to provide NODATA answers for
	    non-existent DS records.

	    Tweak code which removes DNSSEC records from answers when
	    not required. Fixes broken answers when additional section
	    has real records in it. Thanks to Marco Davids for the bug
	    report.

	    Fix DNSSEC validation of ANY queries. Thanks to Marco Davids
	    for spotting that too.

	    Fix total DNS failure and 100% CPU use if cachesize set to zero,
	    regression introduced in 2.69. Thanks to James Hunt and
	    the Ubuntu crowd for assistance in fixing this.


version 2.70
            Fix crash, introduced in 2.69, on TCP request when dnsmasq
	    compiled with DNSSEC support, but running without DNSSEC
	    enabled. Thanks to Manish Sing for spotting that one.

	    Fix regression which broke ipset functionality. Thanks to
	    Wang Jian for the bug report.


version 2.69
	    Implement dynamic interface discovery on *BSD. This allows
	    the contructor: syntax to be used in dhcp-range for DHCPv6
	    on the BSD platform. Thanks to Matthias Andree for
	    valuable research on how to implement this.

	    Fix infinite loop associated with some --bogus-nxdomain
	    configs. Thanks fogobogo for the bug report.

	    Fix missing RA RDNS option with configuration like
	    --dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer
	    for spotting the problem.

	    Add [fd00::] and [fe80::] as special addresses in DHCPv6
	    options, analogous to [::]. [fd00::] is replaced with the
	    actual ULA of the interface on the machine running
	    dnsmasq, [fe80::] with the link-local address.
	    Thanks to Tsachi Kimeldorfer for championing this.

	    DNSSEC validation and caching. Dnsmasq needs to be
	    compiled with this enabled, with

	    make dnsmasq COPTS=-DHAVE_DNSSEC

	    this add dependencies on the nettle crypto library and the
	    gmp maths library. It's possible to have these linked
	    statically with

	    make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'

	    which bloats the dnsmasq binary, but saves the size of
	    the shared libraries which are much bigger.

	    To enable, DNSSEC, you will need a set of
	    trust-anchors. Now that the TLDs are signed, this can be
	    the keys for the root zone, and for convenience they are
	    included in trust-anchors.conf in the dnsmasq
	    distribution. You should of course check that these are
	    legitimate and up-to-date. So, adding

	    conf-file=/path/to/trust-anchors.conf
	    dnssec

	    to your config is all thats needed to get things
	    working. The upstream nameservers have to be DNSSEC-capable
	    too, of course. Many ISP nameservers aren't, but the
	    Google public nameservers (8.8.8.8 and 8.8.4.4) are.
	    When DNSSEC is configured, dnsmasq validates any queries
	    for domains which are signed. Query results which are
	    bogus are replaced with SERVFAIL replies, and results
	    which are correctly signed have the AD bit set. In
	    addition, and just as importantly, dnsmasq supplies
	    correct DNSSEC information to clients which are doing
	    their own validation, and caches DNSKEY, DS and RRSIG
	    records, which significantly improve the performance of
	    downstream validators. Setting --log-queries will show
	    DNSSEC in action.

	    If a domain is returned from an upstream nameserver without
	    DNSSEC signature, dnsmasq by default trusts this. This
	    means that for unsigned zone (still the majority) there
	    is effectively no cost for having DNSSEC enabled. Of course
	    this allows an attacker to replace a signed record with a
	    false unsigned record. This is addressed by the
	    --dnssec-check-unsigned flag, which instructs dnsmasq
	    to prove that an unsigned record is legitimate, by finding
	    a secure proof that the zone containing the record is not
	    signed. Doing this has costs (typically one or two extra
	    upstream queries). It also has a nasty failure mode if
	    dnsmasq's upstream nameservers are not DNSSEC capable.
	    Without --dnssec-check-unsigned using such an upstream
	    server will simply result in not queries being validated;
	    with --dnssec-check-unsigned enabled and a
	    DNSSEC-ignorant upstream server, _all_ queries will fail.

	    Note that DNSSEC requires that the local time is valid and
	    accurate, if not then DNSSEC validation will fail. NTP
	    should be running. This presents a problem for routers
	    without a battery-backed clock. To set the time needs NTP
	    to do DNS lookups, but lookups will fail until NTP has run.
	    To address this, there's a flag, --dnssec-no-timecheck
	    which disables the time checks (only) in DNSSEC. When dnsmasq
	    is started and the clock is not synced, this flag should
	    be used. As soon as the clock is synced, SIGHUP dnsmasq.
	    The SIGHUP clears the cache of partially-validated data and
	    resets the no-timecheck flag, so that all DNSSEC checks
	    henceforward will be complete.

	    The development of DNSSEC in dnsmasq was started by
	    Giovanni Bajo, to whom huge thanks are owed. It has been
	    supported by Comcast, whose techfund grant has allowed for
	    an invaluable period of full-time work to get it to
	    a workable state.

	    Add --rev-server. Thanks to Dave Taht for suggesting this.

	    Add --servers-file. Allows dynamic update of upstream servers
	    full access to configuration.

	    Add --local-service. Accept DNS queries only from hosts
            whose address is on a local subnet, ie a subnet for which
            an interface exists on the server. This option
            only has effect if there are no --interface --except-interface,
            --listen-address or --auth-server options. It is intended
            to be set as a default on installation, to allow
            unconfigured installations to be useful but also safe from
	    being used for DNS amplification attacks.

	    Fix crashes in cache_get_cname_target() when dangling CNAMEs
	    encountered. Thanks to Andy and the rt-n56u project for
	    find this and helping to chase it down.

	    Fix wrong RCODE in authoritative DNS replies to PTR queries. The
	    correct answer was included, but the RCODE was set to NXDOMAIN.
	    Thanks to Craig McQueen for spotting this.

	    Make statistics available as DNS queries in the .bind TLD as
	    well as logging them.


version 2.68
            Use random addresses for DHCPv6 temporary address
            allocations, instead of algorithmically determined stable
            addresses.

	    Fix bug which meant that the DHCPv6 DUID was not available
	    in DHCP script runs during the lifetime of the dnsmasq
	    process which created the DUID de-novo. Once the DUID was
	    created and stored in the lease file and dnsmasq
	    restarted, this bug disappeared.

	    Fix bug introduced in 2.67 which could result in erroneous
	    NXDOMAIN returns to CNAME queries.

	    Fix build failures on MacOS X and openBSD.

	    Allow subnet specifications in --auth-zone to be interface
	    names as well as address literals. This makes it possible
	    to configure authoritative DNS when local address ranges
	    are dynamic and works much better than the previous
	    work-around which exempted contructed DHCP ranges from the
	    IP address filtering. As a consequence, that work-around
	    is removed. Under certain circumstances, this change wil
	    break existing configuration: if you're relying on the
	    contructed-range exception, you need to change --auth-zone
	    to specify the same interface as is used to construct your
	    DHCP ranges, probably with a trailing "/6" like this:
	    --auth-zone=example.com,eth0/6 to limit the addresses to
	    IPv6 addresses of eth0.

	    Fix problems when advertising deleted IPv6 prefixes. If
	    the prefix is deleted (rather than replaced), it doesn't
	    get advertised with zero preferred time. Thanks to Tsachi
	    for the bug report.

	    Fix segfault with some locally configured CNAMEs. Thanks
	    to Andrew Childs for spotting the problem.

	    Fix memory leak on re-reading /etc/hosts and friends,
	    introduced in 2.67.

	    Check the arrival interface of incoming DNS and TFTP
	    requests via IPv6, even in --bind-interfaces mode. This
	    isn't possible for IPv4 and can generate scary warnings,
	    but as it's always possible for IPv6 (the API always
	    exists) then we should do it always.

	    Tweak the rules on prefix-lengths in --dhcp-range for
	    IPv6. The new rule is that the specified prefix length
	    must be larger than or equal to the prefix length of the
	    corresponding address on the local interface.

Revision 1.26.4.1: download - view: text, markup, annotated - select for diffs
Wed Apr 29 18:40:55 2015 UTC (9 years, 7 months ago) by spz
Branches: pkgsrc-2015Q1
Diff to: previous 1.26: preferred, colored; next MAIN 1.27: preferred, colored
Changes since revision 1.26: +3 -3 lines
Pullup ticket #4706 - requested by roy
net/dnsmasq: security patch

Revisions pulled up:
- net/dnsmasq/Makefile                                          1.28,1.27
- net/dnsmasq/distinfo                                          1.26,1.25
- net/dnsmasq/files/dnsmasq.sh                                  1.3
- net/dnsmasq/patches/patch-src_bpf.c                           1.4
- net/dnsmasq/patches/patch-src_rfc1035.c                       1.1

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   roy
   Date:           Wed Apr 29 12:53:02 UTC 2015

   Modified Files:
           pkgsrc/net/dnsmasq: Makefile distinfo
   Added Files:
           pkgsrc/net/dnsmasq/patches: patch-src_rfc1035.c

   Log Message:
   Add a patch to fix CVE-2015-3294.
   Remove myself as maintainer.


   To generate a diff of this commit:
   cvs rdiff -u -r1.27 -r1.28 pkgsrc/net/dnsmasq/Makefile
   cvs rdiff -u -r1.25 -r1.26 pkgsrc/net/dnsmasq/distinfo
   cvs rdiff -u -r0 -r1.1 pkgsrc/net/dnsmasq/patches/patch-src_rfc1035.c

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   abs
   Date:           Wed Apr 22 14:57:22 UTC 2015

   Modified Files:
           pkgsrc/net/dnsmasq: Makefile distinfo
           pkgsrc/net/dnsmasq/files: dnsmasq.sh
           pkgsrc/net/dnsmasq/patches: patch-src_bpf.c

   Log Message:
   Add a 'reload' rc.d option (automatically uses the pid file), which will
   make dnsmasq reload the dhcp file. Add patch comment and mps
   Bump PKGREVISION


   To generate a diff of this commit:
   cvs rdiff -u -r1.26 -r1.27 pkgsrc/net/dnsmasq/Makefile
   cvs rdiff -u -r1.24 -r1.25 pkgsrc/net/dnsmasq/distinfo
   cvs rdiff -u -r1.2 -r1.3 pkgsrc/net/dnsmasq/files/dnsmasq.sh
   cvs rdiff -u -r1.3 -r1.4 pkgsrc/net/dnsmasq/patches/patch-src_bpf.c

Revision 1.28: download - view: text, markup, annotated - select for diffs
Wed Apr 29 12:53:02 2015 UTC (9 years, 7 months ago) by roy
Branches: MAIN
Diff to: previous 1.27: preferred, colored
Changes since revision 1.27: +3 -3 lines
Add a patch to fix CVE-2015-3294.
Remove myself as maintainer.

Revision 1.27: download - view: text, markup, annotated - select for diffs
Wed Apr 22 14:57:22 2015 UTC (9 years, 7 months ago) by abs
Branches: MAIN
Diff to: previous 1.26: preferred, colored
Changes since revision 1.26: +2 -3 lines
Add a 'reload' rc.d option (automatically uses the pid file), which will
make dnsmasq reload the dhcp file. Add patch comment and mps
Bump PKGREVISION

Revision 1.26: download - view: text, markup, annotated - select for diffs
Sun Nov 23 13:16:23 2014 UTC (10 years ago) by cheusov
Branches: MAIN
CVS tags: pkgsrc-2015Q1-base, pkgsrc-2014Q4-base, pkgsrc-2014Q4
Branch point for: pkgsrc-2015Q1
Diff to: previous 1.25: preferred, colored
Changes since revision 1.25: +4 -4 lines
Fix pkglint warnings

Revision 1.25: download - view: text, markup, annotated - select for diffs
Sun Nov 23 13:10:03 2014 UTC (10 years ago) by cheusov
Branches: MAIN
Diff to: previous 1.24: preferred, colored
Changes since revision 1.24: +15 -1 lines
user and group "dnsmasq" are created; ++pkgrevision

Revision 1.24: download - view: text, markup, annotated - select for diffs
Tue Nov 12 12:12:45 2013 UTC (11 years, 1 month ago) by roy
Branches: MAIN
CVS tags: pkgsrc-2014Q3-base, pkgsrc-2014Q3, pkgsrc-2014Q2-base, pkgsrc-2014Q2, pkgsrc-2014Q1-base, pkgsrc-2014Q1, pkgsrc-2013Q4-base, pkgsrc-2013Q4
Diff to: previous 1.23: preferred, colored
Changes since revision 1.23: +2 -3 lines
Update to 2.67

Revision 1.23: download - view: text, markup, annotated - select for diffs
Sun Jul 21 07:59:26 2013 UTC (11 years, 4 months ago) by roy
Branches: MAIN
CVS tags: pkgsrc-2013Q3-base, pkgsrc-2013Q3
Diff to: previous 1.22: preferred, colored
Changes since revision 1.22: +2 -1 lines
Support partial FQDN option

Revision 1.22: download - view: text, markup, annotated - select for diffs
Tue May 28 09:32:00 2013 UTC (11 years, 6 months ago) by fhajny
Branches: MAIN
CVS tags: pkgsrc-2013Q2-base, pkgsrc-2013Q2
Diff to: previous 1.21: preferred, colored
Changes since revision 1.21: +2 -3 lines
Update dnsmasq to 2.66.

Changes in 2.66
- Add the ability to act as an authoritative DNS server
- Add "constructed DHCP ranges" for DHCPv6
- Fix crash on startup on Solaris 11
- Add code to make behaviour for TCP DNS requests when a request arrives
  for an allowed address, but via a banned interface
- Don't send the default DHCP option advertising dnsmasq as the local
  DNS server if dnsmasq is configured to not act as DNS server, or
  it's configured to a non-standard port.
- Add DNSMASQ_CIRCUIT_ID, DNSMASQ_SUBCRIBER_ID, DNSMASQ_REMOTE_ID variables
  to the environment of the lease-change script
- Fixed crash whilst handling DHCPv6 information-requests
- Add --ipset option
- Don't erroneously reject some option names in --dhcp-match options
- Allow a trailing '*' wildcard in all interface-name configurations
- Handle the situation where libc headers define SO_REUSEPORT, but
  the kernel in use doesn't
- Update Polish translation
- Fix crash if the configured DHCP lease limit is reached
- Update the French translation

Changes in 2.65:
- Fix regression which broke forwarding of queries sent via TCP which
  are not for A and AAAA and which were directed to non-default servers
- Fix failure to build with DHCP support excluded
- Fix nasty regression in 2.64 which completely broke cacheing

See full changelog:

  http://www.thekelleys.org.uk/dnsmasq/CHANGELOG

Revision 1.21: download - view: text, markup, annotated - select for diffs
Thu Apr 4 12:38:59 2013 UTC (11 years, 8 months ago) by jperkin
Branches: MAIN
Diff to: previous 1.20: preferred, colored
Changes since revision 1.20: +2 -1 lines
Pull in fixes from upstream for interface enumeration, fixes segfault on SunOS.

Bump PKGREVISION.

Revision 1.20: download - view: text, markup, annotated - select for diffs
Thu Dec 6 12:24:04 2012 UTC (12 years ago) by roy
Branches: MAIN
CVS tags: pkgsrc-2013Q1-base, pkgsrc-2013Q1, pkgsrc-2012Q4-base, pkgsrc-2012Q4
Diff to: previous 1.19: preferred, colored
Changes since revision 1.19: +2 -2 lines
Upgrade to dnsmasq-2.64.
Highlights include:
* SetDomainServers DBUS interface for openresolv
* Many DHCPv6 improvements
* Don't send a leasetime to DHCP INFORM messages

Revision 1.19: download - view: text, markup, annotated - select for diffs
Tue Oct 23 17:18:17 2012 UTC (12 years, 1 month ago) by asau
Branches: MAIN
Diff to: previous 1.18: preferred, colored
Changes since revision 1.18: +1 -2 lines
Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days.

Revision 1.18: download - view: text, markup, annotated - select for diffs
Wed Jul 4 08:26:37 2012 UTC (12 years, 5 months ago) by roy
Branches: MAIN
CVS tags: pkgsrc-2012Q3-base, pkgsrc-2012Q3
Diff to: previous 1.17: preferred, colored
Changes since revision 1.17: +3 -2 lines
Update to dnsmsq-2.62

Changes include:
DHCPv6 support
RA support
Many misc fixes

Revision 1.17: download - view: text, markup, annotated - select for diffs
Tue Jun 12 15:45:59 2012 UTC (12 years, 6 months ago) by wiz
Branches: MAIN
CVS tags: pkgsrc-2012Q2-base, pkgsrc-2012Q2
Diff to: previous 1.16: preferred, colored
Changes since revision 1.16: +2 -1 lines
Add inet6 to default suggested options. It's 2012.

Revision 1.16: download - view: text, markup, annotated - select for diffs
Tue Jan 31 12:39:22 2012 UTC (12 years, 10 months ago) by roy
Branches: MAIN
CVS tags: pkgsrc-2012Q1-base, pkgsrc-2012Q1
Diff to: previous 1.15: preferred, colored
Changes since revision 1.15: +24 -4 lines
Update to dnsmasq-2.59
When building DBus support, install the config file for DBus

Notable Changes from 2.55:
IPv6 interface fixes
Fixed an invalid server id of 0.0.0.0 being sent in some situations
Correctly return NODATA for an AAAA query to a CNAME with only an A
Fixed a bug with some truncated TFTP files
Support IPv6 scope ids in resolv.conf

Revision 1.15: download - view: text, markup, annotated - select for diffs
Sat Nov 27 13:24:47 2010 UTC (14 years ago) by roy
Branches: MAIN
CVS tags: pkgsrc-2011Q4-base, pkgsrc-2011Q4, pkgsrc-2011Q3-base, pkgsrc-2011Q3, pkgsrc-2011Q2-base, pkgsrc-2011Q2, pkgsrc-2011Q1-base, pkgsrc-2011Q1, pkgsrc-2010Q4-base, pkgsrc-2010Q4
Diff to: previous 1.14: preferred, colored
Changes since revision 1.14: +3 -3 lines
Update to dnsmasq-2.55 with the following changes:
* Allow the empty domain "." in dhcp domain-search (119) options.
* Fix corruption of the domain when a name from /etc/hosts
  overrides one supplied by a DHCP client.
* Fix regression which caused configuration like
  --address=/.domain.com/1.2.3.4 to be rejected.
* Many new options added and improved.

Revision 1.14: download - view: text, markup, annotated - select for diffs
Fri Jan 29 12:33:06 2010 UTC (14 years, 10 months ago) by roy
Branches: MAIN
CVS tags: pkgsrc-2010Q3-base, pkgsrc-2010Q3, pkgsrc-2010Q2-base, pkgsrc-2010Q2, pkgsrc-2010Q1-base, pkgsrc-2010Q1
Diff to: previous 1.13: preferred, colored
Changes since revision 1.13: +3 -3 lines
Update to dnsmsasq-2.52

Changes from dnsmasq-2.51 include
* More conservative in detecing "A for A" queries
* Increased default number of leases to 1000
* Added support for RFC3925 "Vendor-Identifying Vendor Options"
* Default DNS packet size now 4096 as recommended by RFC5625

Revision 1.13: download - view: text, markup, annotated - select for diffs
Sat Nov 14 12:14:07 2009 UTC (15 years, 1 month ago) by roy
Branches: MAIN
CVS tags: pkgsrc-2009Q4-base, pkgsrc-2009Q4
Diff to: previous 1.12: preferred, colored
Changes since revision 1.12: +2 -2 lines
Bump to 2.51
Changes from 2.50 include:
* TFTP supports Windows/Dos \ separator.
* Warn if IP duplicated in /etc/ethers
* Test upstream responsiveness to work around upstream server slowdowns
* PXE and relay agent fixes

Revision 1.11.2.1: download - view: text, markup, annotated - select for diffs
Sun Sep 13 14:26:46 2009 UTC (15 years, 3 months ago) by tron
Branches: pkgsrc-2009Q2
Diff to: previous 1.11: preferred, colored; next MAIN 1.12: preferred, colored
Changes since revision 1.11: +2 -2 lines
Pullup ticket #2887 - requested by roy
dnsmasq: security update

Revisions pulled up:
- net/dnsmasq/Makefile				1.12
- net/dnsmasq/distinfo				1.11
---
Module Name:    pkgsrc
Committed By:   roy
Date:           Sat Sep  5 21:16:08 UTC 2009

Modified Files:
         pkgsrc/net/dnsmasq: Makefile distinfo

Log Message:
Bump to dnsmasq-2.50

Fixes CVE 2009-2957 and CVE 2009-2958

Revision 1.12: download - view: text, markup, annotated - select for diffs
Sat Sep 5 21:16:08 2009 UTC (15 years, 3 months ago) by roy
Branches: MAIN
CVS tags: pkgsrc-2009Q3-base, pkgsrc-2009Q3
Diff to: previous 1.11: preferred, colored
Changes since revision 1.11: +2 -2 lines
Bump to dnsmasq-2.50

Fixes CVE 2009-2957 and CVE 2009-2958

Revision 1.11: download - view: text, markup, annotated - select for diffs
Sun Jun 14 21:15:50 2009 UTC (15 years, 6 months ago) by roy
Branches: MAIN
CVS tags: pkgsrc-2009Q2-base
Branch point for: pkgsrc-2009Q2
Diff to: previous 1.10: preferred, colored
Changes since revision 1.10: +2 -2 lines
Update to dnsmasq-2.49

Changes since 2.47 include
 * Fix a possible infinite with fixed hostnames to ip and the client
   sometimes sending one and sometimes not
 * Improved DHCP logging
 * addn-hosts now works with a directory instead of just a file

Revision 1.10: download - view: text, markup, annotated - select for diffs
Thu Feb 19 11:17:19 2009 UTC (15 years, 9 months ago) by roy
Branches: MAIN
CVS tags: pkgsrc-2009Q1-base, pkgsrc-2009Q1
Diff to: previous 1.9: preferred, colored
Changes since revision 1.9: +2 -2 lines
Update to dnsmasq-2.47

Fixes from 2.46 include:
 * NetBSD-5 support
 * Better duplicate IPv6 address detection
 * DBus introspection
 * work with blank lines in /etc/ethers

Revision 1.9: download - view: text, markup, annotated - select for diffs
Fri Dec 19 07:53:43 2008 UTC (15 years, 11 months ago) by roy
Branches: MAIN
CVS tags: pkgsrc-2008Q4-base, pkgsrc-2008Q4
Diff to: previous 1.8: preferred, colored
Changes since revision 1.8: +23 -12 lines
Update to dnsmasq-2.46
Noteable changes include:
   NetBSD-5 support
   Optional DBus and IPv6 support
   ISC leasefile support removed
   Support DHCP clients in multiple DNS domains
   Re-read /etc/resolv.conf when an "interface up" event occurs

Revision 1.8: download - view: text, markup, annotated - select for diffs
Sat Nov 22 18:59:54 2008 UTC (16 years ago) by ahoka
Branches: MAIN
Diff to: previous 1.7: preferred, colored
Changes since revision 1.7: +2 -2 lines
Add missed file in previous commit.

Revision 1.7: download - view: text, markup, annotated - select for diffs
Mon Nov 17 23:12:12 2008 UTC (16 years ago) by ahoka
Branches: MAIN
Diff to: previous 1.6: preferred, colored
Changes since revision 1.6: +2 -2 lines
Fix an sa_len problem on NetBSD 5.0.

Patch submitted by Roy Marples.

Revision 1.6: download - view: text, markup, annotated - select for diffs
Thu Sep 25 20:33:53 2008 UTC (16 years, 2 months ago) by ahoka
Branches: MAIN
CVS tags: pkgsrc-2008Q3-base, pkgsrc-2008Q3
Diff to: previous 1.5: preferred, colored
Changes since revision 1.5: +4 -1 lines
Make it look for it's config file at the right place.

Revision 1.4.14.1: download - view: text, markup, annotated - select for diffs
Thu Jul 24 10:28:03 2008 UTC (16 years, 4 months ago) by rtr
Branches: pkgsrc-2008Q2
Diff to: previous 1.4: preferred, colored; next MAIN 1.5: preferred, colored
Changes since revision 1.4: +2 -2 lines
pullup ticket #2456 requested by tonnerre
dnsmasq: update package for fixes and CVE

revisions pulled up:
pkgsrc/net/dnsmasq/Makefile		1.5
pkgsrc/net/dnsmasq/distinfo		1.4
pkgsrc/net/dnsmasq/patches/patch-aa	1.3

   Module Name:	pkgsrc
   Committed By:	tonnerre
   Date:		Wed Jul 23 23:46:08 UTC 2008

   Modified Files:
   	pkgsrc/net/dnsmasq: Makefile distinfo
   	pkgsrc/net/dnsmasq/patches: patch-aa

   Log Message:
   Update dnsmasq to version 2.45 in order to fix CVE-2008-1447.

   Changes since version 2.38:
    - Names ending in a dot now work.
    - Whitespaces arround commata in config files are now ignored.
    - Asynchronous logging.
    - New --log-dhcp flag was added.
    - RFC3046 relay agent data matching.
    - RFC3993 subscriber ID relay agent data matching.
    - RFC 5107 server-id-override DHCP relay agent option.
    - Option for interface names added.
    - SIGUSR2 now closes and reopens the log files.
    - DNS LOC record support.
    - Allow disabling the DNS functionality by setting the port to 0.
    - DNSMASQ_INTERFACE is now part of the environment of the lease change
   script.
    - PMTUd disabled on DHCP and TFTP sockets.
    - --dhcp-bridge now works on all BSD variants.
    - Now including a Solaris 10 SMF.
    - Random source ports for DNS queries (CVE-2008-1447).

Revision 1.5: download - view: text, markup, annotated - select for diffs
Wed Jul 23 23:46:08 2008 UTC (16 years, 4 months ago) by tonnerre
Branches: MAIN
CVS tags: cube-native-xorg-base, cube-native-xorg
Diff to: previous 1.4: preferred, colored
Changes since revision 1.4: +2 -2 lines
Update dnsmasq to version 2.45 in order to fix CVE-2008-1447.

Changes since version 2.38:
 - Names ending in a dot now work.
 - Whitespaces arround commata in config files are now ignored.
 - Asynchronous logging.
 - New --log-dhcp flag was added.
 - RFC3046 relay agent data matching.
 - RFC3993 subscriber ID relay agent data matching.
 - RFC 5107 server-id-override DHCP relay agent option.
 - Option for interface names added.
 - SIGUSR2 now closes and reopens the log files.
 - DNS LOC record support.
 - Allow disabling the DNS functionality by setting the port to 0.
 - DNSMASQ_INTERFACE is now part of the environment of the lease change script.
 - PMTUd disabled on DHCP and TFTP sockets.
 - --dhcp-bridge now works on all BSD variants.
 - Now including a Solaris 10 SMF.
 - Random source ports for DNS queries (CVE-2008-1447).

Revision 1.4: download - view: text, markup, annotated - select for diffs
Fri Feb 23 15:08:07 2007 UTC (17 years, 9 months ago) by wiz
Branches: MAIN
CVS tags: pkgsrc-2008Q2-base, pkgsrc-2008Q1-base, pkgsrc-2008Q1, pkgsrc-2007Q4-base, pkgsrc-2007Q4, pkgsrc-2007Q3-base, pkgsrc-2007Q3, pkgsrc-2007Q2-base, pkgsrc-2007Q2, pkgsrc-2007Q1-base, pkgsrc-2007Q1, cwrapper
Branch point for: pkgsrc-2008Q2
Diff to: previous 1.3: preferred, colored
Changes since revision 1.3: +2 -3 lines
Update to 2.38:

version 2.24
            Updated contrib/openvpn/dnsmasq.patch from Joseph Tate.

	    Tweaked DHCP NAK code, a DHCP NAK is now unicast as a
	    fallback in cases where a broadcast is futile: namely in
	    response to a unicast REQUEST from a non-local network
	    which was not sent via a relay.

	    Slightly changed the semantics of domain matching in
	    --server and --address configs. --server=/domain.com/ still
	    matches domain.com and sub.domain.com but does not
	    now match newdomain.com The semantics of
            --server=/.domain.com/ are unchanged.
	    Thanks to Chris Blaise for the patch.

	    Added backwards-compatible internationalisation support.
	    The existing make targets, (all, dnsmasq, install) work as
	    before. New ones (all-i18n, and install-i18n) add gettext.
	    The translations live in po/ There are not too many
	    strings, so if anybody can provide translations (and for
	    the manpage....) please send them in.

	    Tweak behaviour on receipt of REFUSED or SERVFAIL rcodes,
	    now the query gets retried on all servers before returning
	    the error to the source of the query. Thanks to Javier
	    Kohen for the report.

	    Added Polish translation - thanks to Tomasz Sochanski.

	    Changed default manpage install location from /usr/man
	    to /usr/share/man

	    Added Spanish translation - thanks to Christopher Chatham.

	    Log a warning when a DHCP packet is truncated due to lack
	    of space. (Thanks to Michael Welle for the prompt to do
	    this.)

	    Added French translation - thanks to Lionel Tricon.

	    Added Indonesian translation - thanks to Salman AS.

	    Tweaked the netlink code to cope with interface broadcast
	    address not set, or set to 0.0.0.0.

	    Fixed problem assigning fixed addresses to hosts when more
	    than one dhcp-range is available. Thanks to Sorin Panca
	    for help chasing this down.

	    Added more explict error mesages to the hosts file and
	    ethers file reading code. Markus Kaiserswerth suffered to
	    make this happen.

	    Ensure that a hostname supplied by a DHCP client can never
	    override one configured on the server. Previously, any
	    host claiming a name would be given it, even if that
	    over-rode a dhcp-host declaration, leading to potentially
            confusing situations.

	    Added Slackware package-build stuff into contrib/ The i18n
	    effort broke the current scripts, and working ones were
	    needed for testing, so they ended up here rather than make
	    Pat re-invent the wheel.

	    Added Romanian translation, thanks to Sorin Panca for
	    that.

version 2.25
            Fixed RedHat spec file for FC4 - thanks to Werner Hoelzl
            and Andrew Bird.

            Fixed Suse spec file - thanks to Steven Springl.

	    Fixed DHCP bug when two distict subnets are on the same
	    physical interface. Thanks to Pawel Zawora for finding
	    this and suggesting the fix.

	    Added logging to make it explicit when dnsmasq falls back
	    from using RT-netlink sockets to the old ioctl API for
	    getting information about interfaces. Doing this
	    completely silently made remote debugging hard.

	    Merged uclibc build fixes from the OpenWRT package into
	    src/config.h

	    Added Norwegian translation - thanks to Jan Erik Askildt.

version 2.26
	    Fixed SuSe rpm patch problem - thanks to Steven Springl.

	    Fixed crash when attempting to send a DHCP NAK to a host
	    which believes it has a lease on an unknown
	    network. Thanks to Lutz Pressler for the bug report and
	    patch.

version 2.27
	    Tweaked DHCP behaviour when a client attempts to renew a lease
            which dnsmasq doesn't know about. Previously that would always
            result in a DHCPNAK. Now, in dhcp-authoritative mode, the
            lease will be created, if it's legal. This makes dnsmasq work
            better if the lease database is lost, for example on an OpenWRT
	    system which reboots. Thanks to Stephen Rose for work on
	    this.

	    Added the ability to support RFC-3442 style destination
	    descriptors in dhcp-options. This makes classless static
	    routes easy to do, eg dhcp-option=121,192.168.1.0/24,1.2.3.4

	    Added error-checking to the code which writes the lease
	    file. If this fails for any reason, an error is logged,
	    and a retry occurs after one minute. This should improve
	    things eg when a filesystem is full. Thanks to Jens Holze
	    for the bug report.

	    Fixed breakage of the "/#/ matches any domain" facility
	    which happened in 2.24. Thanks to Peter Surda for the bug
	    report.

	    Use "size_t" and "ssize_t" types where appropriate in the
	    code.

	    Fix buggy CNAME handling in mixed IPv4 and IPv6
	    queries. Thanks to Andreas Pelme for help finding that.

	    Added some code to attempt to re-transmit DNS queries when
	    a network interface comes up.  This helps on DoD links,
	    where frequently the packet which triggers dialling is
            a DNS query, which then gets lost. By re-sending, we can
	    avoid the lookup failing. This function is only active
	    when netlink support is compiled in, and therefore only
	    under Linux. Thanks to Jean Wolter for help with this.

	    Tweaked the DHCP tag-matching code to work correctly with
	    NOT-tag conditions. Thanks to Lutz Pressler for finding
	    the bug.

	    Generalised netid-tag matching in dhcp-range statements to
	    allow more than one tag.

	    Added --dhcp-mac to do MAC address matching in the same
	    way as vendorclass and userclass matching. A good
	    suggestion from Lutz Pressler.

	    Add workaround for buggy early Microsoft DHCP clients
	    which need zero-termination in string options.
	    Thanks to Fabiano Pires for help with this.

	    Generalised the DHCP code to cope with any hardware
	    address type, at least on Linux. *BSD is still limited to
	    ethernet only.

version 2.28
            Eliminated all raw network access when running on
            Linux. All DHCP network activity now goes through the IP
            stack. Packet sockets are no longer required. Apart from
            being a neat hack, this should also allow DHCP over IPsec
            to work better. On *BSD and OS X, the old method of raw net
            access through BPF is retained.

	    Simplified build options. Networking is now slimmed down
	    to a choice of "linux" or "other". Netlink is always used
	    under Linux. Since netlink has been available since 2.2
	    and non-optional in an IPv4-configured  kernel since 2.4,
	    and the dnsmasq netlink code is now well tested, this
	    should work out fine.

	    Removed decayed build support for libc5 and Solaris.

	    Removed pselect code: use a pipe for race-free signal
	    handling instead, as this works everywhere.

	    No longer enable the ISC leasefile reading code in the
	    distributed sources. I doubt there are many people left
	    using this 1.x compatibility code. Those that are will
	    have to explicitly enable it in src/config.h.

	    Don't send the "DHCP maximum message size" option, even if
	    requested. RFC2131 says this is a "MUST NOT".

	    Support larger-than-minimum DHCP message. Dnsmasq is now
	    happy to get larger than 576-byte DHCP messages, and will
	    return large messages, if permitted by the "maximum
	    message size" option of the message to which it is
	    replying. There's now an arbitrary sanity limit of 16384
	    bytes.

	    Added --no-ping option. This fixes an RFC2131 "SHOULD".

	    Building on the 2.27 MAC-address changes, allow clients to
	    provide no MAC address at all, relying on the client-id as
	    a unique identifier. This should make things like DHCP for
	    USB come easier.

	    Fixed regression in netlink code under 2.2.x kernels which
	    occurred in 2.27. Erik Jan Tromp is the vintage kernel fan
	    who found this. P.S. It looks like this "netlink bind:
	    permission denied" problem occured in kernels at least as
	    late a 2.4.18. Good information from Alain Richoux.

	    Added a warning when it's impossible to give a host its
	    configured address because the address is leased
	    elsewhere.  A sensible suggestion from Mircea Bardac.

	    Added minimal support for RFC 3046 DHCP relay agent-id
	    options. The DHCP server now echoes these back to the
	    relay, as required by the RFC. Also, RFC 3527 link selection
	    sub-options are honoured.

	    Set the process "dumpable" flag when running in debug
	    mode: this makes getting core dumps from root processes
	    much easier.

	    Fixed one-byte buffer overflow which seems to only cause
	    problems when dnsmasq is linked with uclibc. Thanks to
	    Eric House and Eric Spakman for help in chasing this down.

	    Tolerate configuration screwups which lead to the DHCP
	    server attemping to allocate its own address to a
	    client; eg setting the whole subnet range as a DHCP
	    range. Addresses in use by the server are now excluded
	    from use by clients.

	    Did some thinking about HAVE_BROKEN_RTC mode, and made it
	    much simpler and better. The key is to just keep lease
	    lengths in the lease file. Since these normally never
	    change, even as the lease is renewed, the lease file never
	    needs to change except when machines arrive on the network
	    or leave. This eliminates the code for timed writes, and
	    reduces the amount of wear on a flash filesystem to the
	    absolute minimum. Also re-did the basic time function in
	    this mode to use the portable times(), rather than parsing
	    /proc/uptime.

	    Believe the source port number when replying to unicast
	    DHCP requests and DHCP requests via a relay, instead of always
            using the standard ports.  This will allow relays on
            non-standard ports and DHCPINFORM from unprivileged ports
            to work. The source port sent by unconfigured clients is still
            ignored, since this may be unreliable. This means that a DHCP
            client must use the standard port to do full configuration.

version 2.29
	    Fixed compilation on OpenBSD (thanks to Tom Hensel for the
	    report).

	    Fixed false "no interface" errors when --bind-interfaces is
	    set along with --interface=lo or --listen-address. Thanks
	    to Paul Wise for the report.

	    Updated patch for SuSE rpm. Thanks to Steven Springl.

	    It turns out that there are some Linux kernel
	    configurations which make using the capability system
	    impossible. If this situation occurs then continue, running
	    as root, and log a warning. Thanks to Scott Wehrenberg
	    for help tracking this down.

version 2.30
            Fixed crash when a DHCP client requested a broadcast
            reply. This problem was introduced in version 2.28.
	    Thanks to Sandra Dekkers for the bug report.

version 2.31
	    Added --dhcp-script option. There have been calls for this
	    for a long time from many good people. Fabio Muzzi gets
	    the prize for finally convincing me.

	    Added example dbus config file and moved dbus stuff into
	    its own directory.

	    Removed horribly outdated Redhat RPM build files. These
	    are obsolete now that dnsmasq in in Fedora extras. Thanks
	    to Patrick "Jima" Laughton, the Fedora package
	    maintainer.

	    Added workaround for Linux kernel bug. This manifests
	    itself as failure of DHCP on kernels with "support for
	    classical IP over ATM" configured. That includes most
	    Debian kernel packages. Many thanks to A. Costa and
	    Benjamin Kudria for their huge efforts in chasing this
	    down.

	    Force-kill child processes when dnsmasq is sent a sigterm,
	    otherwise an unclosed TCP connection could keep dnsmasq
	    hanging round for a few minutes.

	    Tweaked config.h logic for uclibc build. It will now pick
	    up MMU and IPV6 status correctly on every system I tested.

version 2.32
	    Attempt a better job of replacing previous configuration
	    when re-reading /etc/hosts and /etc/ethers. SIGHUP is
	    still not identical to a restart under all circumstances,
	    but it is for the common case of name->MAC address in
	    /etc/ethers and name->IP address in /etc/hosts.

	    Fall back to broadcast for DHCP to an unconfigured client
	    when the MAC address size is greater than 14 bytes.

	    Fix problem in 2.28-onwards releases which breaks DNS on
	    Mac OS X. Thanks to Doug Fields for the bug report and
	    testing.

	    Added fix to allow compilation on c89-only compilers.
	    Thanks to John Mastwijk for the patch.

	    Tweak resolv file polling code to work better if there is
	    a race between updating the mtime and file contents. This
	    is not normally a problem, but it can be on systems which
	    replace nameservers whilst active. The code now continues
	    to read resolv.conf until it gets at least one usable
	    server. Thanks to Holger Mauermann for help with this.

	    If a client DECLINEs an address which is allocated to it
	    via dhcp-host or /etc/hosts, lock that address out of use
	    for ten minutes, instead of forever, and log when it's not
	    being used because of the lock-out. This should provide
	    less surprising behaviour when a configured address can't be
	    used. Thanks to Peter Surda and Heinz Deinhart for input
	    on this.

	    Fixed *BSD DHCP breakage with only some
	    arches/compilers, depending on structure padding rules.
	    Thanks to Jeb Campbell and Tom Hensel for help with this.

	    Added --conf-dir option. Suggestion from Aaron Tygart.

	    Applied patch from Brent Cook which allows netids in
	    dhcp-option configuration lines to be prefixed by
	    "net:". This is not required by the syntax, but it is
	    consistent with other configuration items.

	    Added --log-facility option. Suggestion from Fabio Muzzi.

	    Major update to Spanish translation. Many thanks to Chris
	    Chatham.

	    Fixed gcc-4.1 strict-alias compilation warning.

version 2.33
            Remove bash-specific shellcode from the Makefile.

	    Fix breakage with some DHCP relay implementations which
	    was introduced in 2.28. Believing the source port in
	    DHCP requests and sending the reply there is sometimes a
	    bad thing to do, so I've reverted to always sending to
	    the relay on port 68. Thanks to Daniel Hamlin and Alex
	    (alde) for bug reports on this.

	    Moved the SuSe packaging files to contrib. I will no
	    longer attempt to maintain this in the source tarball. It
	    will be done externally, in the same way as packaging for
	    other distros. Suse packages are available from
	    ftp://ftp.suse.com/pub/people/ug/

	    Merged patch from Gentoo to honour $LDFLAGS environment.

	    Fix bug in resolv.conf processing when more than one file
	    is being checked.

	    Add --dns-forward-max option.

	    Warn if --resolv-file flags are ignored because of
	    --no-resolv. Thanks to Martin F Krafft for spotting this
	    one.

            Add --leasefile-ro option which allows the use of an
            external lease database. Many thanks to Steve Horbachuk
	    for assistance developing this feature.

	    Provide extra information to lease-change script via its
	    environment. If the host has a client-id, then
	    DNSMASQ_CLIENT_ID will be set. Either the lease length (in
	    DNSMASQ_LEASE_LENGTH) or lease expiry time (in
	    DNSMASQ_LEASE_EXPIRES) will be set, depending on the
	    HAVE_BROKEN_RTC compile-time option. This extra
	    information should make it possible to maintain the lease
	    database in external storage such as LDAP or a relational
	    database. Note that while leasefile-ro is set, the script
            will be called with "old"  events more often, since
	    changes to the client-id and lease length
	    (HAVE_BROKEN_RTC) or lease expiry time (otherwise)
	    are now flagged.

	    Add contrib/wrt/* which is an example implementation of an
	    external persistent lease database for *WRT distros with
	    the nvram command.

	    Add contrib/wrt/dhcp_release.c which is a small utility
	    which removes DHCP leases using DHCPRELEASE operation in
	    the DHCP protocol.

version 2.34
	    Tweak network-determination code for another corner case:
	    in this case a host forced to move between dhcp-ranges on
	    the same physical interface. Thanks to Matthias Andree.

	    Improve handling of high DNS loads by throttling acceptance of
	    new queries when resources are tight. This should be a
	    better response than the "forwarding table full..."
	    message which was logged before.

	    Fixed intermittent infinite loop when re-reading
	    /etc/ethers after SIGHUP. Thanks to Eldon Ziegler for the
	    bug report.

	    Provide extra information to the lease-change script: when
	    a lease loses its hostname (because a new lease comes
	    along and claims the same new), the "old" action is called
	    with the current state of the lease, ie no name. The
	    change is to provide the former name which the lease had
	    in the environment variable DNSMASQ_OLD_HOSTNAME. This
	    helps scripts which do stuff based on hostname, rather
	    than IP address. Also provide vendor-class and user-class
	    information to the lease-change script when a new lease is
	    created in the DNSMASQ_VENDOR_CLASS and
	    DNSMASQ_USER_CLASS<n> environment variables. Suggestion
            from Francois-Xavier Le Bail.

	    Run the lease change script as root, even when dnsmasq is
	    configured to change UID to an unprivileged user. Since
	    most uses of the lease change script need root, this
	    allows its use whilst keeping the security advantages of
	    running the daemon without privs. The script is invoked
	    via a small helper process which keeps root UID, and
	    validates all data received from the main process. To get
	    root, an attacker would have to break dnsmasq and then
	    break the helper through the restricted comms channel
	    linking the two.

	    Add contrib/port-forward/* which is a script to set up
	    port-forwards using the DHCP lease-change script. It's
	    possible to add a host to a config file by name, and when
	    that host gets a DHCP lease, the script will use iptables
	    to set up port-forwards to configured ports at the address
	    which the host is allocated. The script also handles
	    setting up the port-forward iptables entries after reboot,
	    using the persistent lease database, and removing them
	    when a host leaves and its DHCP lease expires.

	    Fix unaligned access problem which caused wrong log
	    messages with some clients on some architectures. Thanks
	    to Francois-Xavier Le Bail for the bugreport.

	    Fixed problem with DHCPRELEASE and multi-address
	    interfaces. Enhanced contrib/wrt/dhcp_release to cope
	    under these circumstances too. Thanks to Eldon Ziegler for
	    input on this.

	    Updated French translation: thanks to Gildas Le Nadan.

	    Upgraded the name hash function in the DNS cache. Thanks
	    to Oleg Khovayko for good work on this.

	    Added --clear-on-reload flag.  Suggestion from Johannes
	    Stezenbach.

	    Treat a nameserver address of 0.0.0.0 as "nothing". Erwin
            Cabrera spotted that specifying a nameserver as 0.0.0.0
	    breaks things badly; this is because the network stack
	    treats is as "this host" and an endless loop ensues.

            Added Webmin module in contrib/webmin. Thanks to Neil
            Fisher for that.

version 2.35
	    Generate an "old" script event when a client does a DHCPREQUEST
	    in INIT-REBOOT or SELECTING state and the lease already
	    exists. Supply vendor and user class information to these
	    script calls.

	    Added support for Dragonfly BSD to src/config.h

	    Removed "Upgrading to 2.0" document, which is ancient
	    history now.

	    Tweak DHCP networking code for BSD, esp OpenBSD. Added a
	    workaround for a bug in OpenBSD 4.0: there should finally
            be support for multiple interfaces under OpenBSD now.
	    Note that no version of dnsmasq before 2.35 will work for
	    DHCP under OpenBSD 4.0 because of a kernel bug.
	    Thanks to Claudio Jeker, Jeb Campbell and Cristobal
	    Palmer for help with this.

	    Optimised the cache code for the case of large
	    /etc/hosts. This is mainly to remove the O(n-squared)
	    algorithm which made reading large (50000 lines) files
	    slow, but it also takes into account the size of
	    /etc/hosts when building hash tables, so overall
	    performance should be better. Thanks to "koko" for
	    pointing out the problem.

version 2.36
	    Added --dhcp-ignore-names flag which tells dnsmasq not to
	    use names provided by DHCP clients. Suggestion from
	    Thomas M Steenholdt.

	    Send netmask and broadcast address DHCP options always,
	    even if the client doesn't request them. This makes a few
	    odd clients work better.

	    Added simple TFTP function, optimised for net-boot. It is
	    now possible to net boot hosts using only dnsmasq. The
	    TFTP server is read-only, binary-mode only, and designed to be
	    secure; it adds about 4K to the dnsmasq binary.

	    Support DHCP option 120, SIP servers, (RFC 3361). Both
            encodings are supported, so both --dhcp-option=120,192.168.2.3
            and	--dhcp-option=120,sip.example.net will work. Brian
            Candler pointed out the need for this.

	    Allow spaces in domain names, to support DNS-SD.

	    Add --ptr-record flag, again for DNS-SD. Thanks to Stephan
	    Sokolow for the suggestion.

	    Tolerate leading space on lines in the config file. Thanks
	    to Luigi Rizzo for pointing this out.

	    Fixed netlink.c to cope with headers from the Linux 2.6.19
	    kernel. Thanks to Philip Wall for the bug report.

	    Added --dhcp-bridge option, but only to the FreeBSD
	    build. This fixes an oddity with a a particular bridged
	    network configuration on FreeBSD. Thanks to Luigi Rizzo
	    for the patch.

	    Added FAQ entry about running dnsmasq in a Linux
	    vserver. Thanks to Gildas le Nadan for the information.

	    Fixed problem with option parsing which interpreted "/" as
	    an address and not a string. Thanks to Luigi Rizzo
	    for the patch.

	    Ignore the --domain-needed flag when forwarding NS
	    and SOA queries, since NS queries of TLDs are always legit.
	    Marcus Better pointed out this problem.

	    Take care to forward signed DNS requests bit-perfect, so
	    as not to affect the validity of the signature. This
	    should allow DDNS updates to be forwarded.

version 2.37
            Add better support for RFC-2855 DHCP-over-firewire and RFC
           -4390 DHCP-over-InfiniBand. A good suggestion from Karl Svec.

	    Some efficiency tweaks to the cache code for very large
	    /etc/hosts files. Should improve reverse (address->name)
	    lookups and garbage collection. Thanks to Jan 'RedBully'
	    Seiffert for input on this.

	    Fix regression in 2.36 which made bogus-nxdomain
	    and DNS caching unreliable. Thanks to Dennis DeDonatis
	    and Jan Seiffert for bug reports.

	    Make DHCP encapsulated vendor-class	options sane. Be
	    warned that some conceivable existing configurations
	    using these may break, but they work in a much
	    simpler and more logical way now. Prepending
	    "vendor:<client-id>" to an option encapsulates it
	    in option 43, and the option is sent only if the
	    client-supplied vendor-class substring-matches with
	    the given client-id. Thanks to Dennis DeDonatis for
	    help with this.

	    Apply patch from Jan Seiffert to tidy up tftp.c

	    Add support for overloading the filename and servername
	    fields in DHCP packet. This gives extra option-space when
	    these fields are not being used or with a modern client
	    which supports moving them into options.

	    Added a LIMITS section to the man-page, with guidance on
	    maximum numbers of clients, file sizes and tuning.

release 2.38
	    Fix compilation on *BSD. Thanks to Tom Hensel.

	    Don't send length zero DHCP option 43 and cope with
	    encapsulated options whose total length exceeds 255 octets
	    by splitting them into multiple option 43 pieces.

	    Avoid queries being retried forever when --strict-order is
	    set and an upstream server returns a SERVFAIL
	    error. Thanks to Johannes Stezenbach for spotting this.

	    Fix BOOTP support, broken in version 2.37.

	    Add example dhcp-options for Etherboot.

	    Add \e (for ASCII ESCape) to the set of valid escapes
	    in config-file strings.

	    Added --dhcp-option-force flag and examples in the
	    configuration file which use this to control PXELinux.

	    Added --tftp-no-blocksize option.

	    Set netid tag "bootp" when BOOTP (rather than DHCP) is in
	    use. This makes it easy to customise which options are
	    sent to BOOTP clients. (BOOTP allows only 64 octets for
	    options, so it can be necessary to trim things.)

	    Fix rare hang in cache code, a 2.37 regression. This
	    probably needs an infinite DHCP lease and some bad luck to
	    trigger. Thanks to Detlef Reichelt for bug reports and testing.

Revision 1.3: download - view: text, markup, annotated - select for diffs
Sun Feb 5 23:10:23 2006 UTC (18 years, 10 months ago) by joerg
Branches: MAIN
CVS tags: pkgsrc-2006Q4-base, pkgsrc-2006Q4, pkgsrc-2006Q3-base, pkgsrc-2006Q3, pkgsrc-2006Q2-base, pkgsrc-2006Q2, pkgsrc-2006Q1-base, pkgsrc-2006Q1
Diff to: previous 1.2: preferred, colored
Changes since revision 1.2: +2 -1 lines
Recursive revision bump / recommended bump for gettext ABI change.

Revision 1.2: download - view: text, markup, annotated - select for diffs
Thu Dec 29 06:21:58 2005 UTC (18 years, 11 months ago) by jlam
Branches: MAIN
Diff to: previous 1.1: preferred, colored
Changes since revision 1.1: +1 -2 lines
Remove USE_PKGINSTALL from pkgsrc now that mk/install/pkginstall.mk
automatically detects whether we want the pkginstall machinery to be
used by the package Makefile.

Revision 1.1.1.1 (vendor branch): download - view: text, markup, annotated - select for diffs
Tue Oct 18 04:41:59 2005 UTC (19 years, 1 month ago) by minskim
Branches: TNF
CVS tags: pkgsrc-base, pkgsrc-2005Q4-base, pkgsrc-2005Q4
Diff to: previous 1.1: preferred, colored
Changes since revision 1.1: +0 -0 lines
Import dnsmasq from pkgsrc-wip.  Packaged by pancake and updated by
dhowland.

Dnsmasq is a lightweight, easy to configure DNS forwarder and DHCP
server.  It is designed to provide DNS and, optionally, DHCP, to a
small network.  It can serve the names of local machines which are not
in the global DNS.  The DHCP server integrates with the DNS server and
allows machines with DHCP-allocated addresses to appear in the DNS
with names configured either in each host or in a central
configuration file.  Dnsmasq supports static and dynamic DHCP leases
and BOOTP for network booting of diskless machines.

Revision 1.1: download - view: text, markup, annotated - select for diffs
Tue Oct 18 04:41:59 2005 UTC (19 years, 1 month ago) by minskim
Branches: MAIN
Initial revision

Diff request

This form allows you to request diffs between any two revisions of a file. You may select a symbolic revision name using the selection box or you may type in a numeric name using the type-in text box.

Log view options

CVSweb <webmaster@jp.NetBSD.org>