Diff for /embedaddon/dnsmasq/CHANGELOG between versions 1.1.1.3 and 1.1.1.4

version 1.1.1.3, 2016/11/02 09:57:01 version 1.1.1.4, 2021/03/17 00:56:46
Line 1 Line 1
   version 2.83
           Use the values of --min-port and --max-port in outgoing
           TCP connections to upstream DNS servers.
   
           Fix a remote buffer overflow problem in the DNSSEC code. Any
           dnsmasq with DNSSEC compiled in and enabled is vulnerable to this,
           referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683
           CVE-2020-25687.
   
           Be sure to only accept UDP DNS query replies at the address
           from which the query was originated. This keeps as much entropy
           in the {query-ID, random-port} tuple as possible, to help defeat
           cache poisoning attacks. Refer: CVE-2020-25684.
   
           Use the SHA-256 hash function to verify that DNS answers
           received are for the questions originally asked. This replaces
           the slightly insecure SHA-1 (when compiled with DNSSEC) or
           the very insecure CRC32 (otherwise). Refer: CVE-2020-25685.
   
           Handle multiple identical near simultaneous DNS queries better.
           Previously, such queries would all be forwarded
           independently. This is, in theory, inefficent but in practise
           not a problem, _except_ that is means that an answer for any
           of the forwarded queries will be accepted and cached.
           An attacker can send a query multiple times, and for each repeat,
           another {port, ID} becomes capable of accepting the answer he is
           sending in the blind, to random IDs and ports. The chance of a
           succesful attack is therefore multiplied by the number of repeats
           of the query. The new behaviour detects repeated queries and
           merely stores the clients sending repeats so that when the
           first query completes, the answer can be sent to all the
           clients who asked. Refer: CVE-2020-25686.
           
   
   version 2.82
           Improve behaviour in the face of network interfaces which come
           and go and change index. Thanks to Petr Mensik for the patch.
   
           Convert hard startup failure on NETLINK_NO_ENOBUFS under qemu-user
           to a warning.
   
           Allow IPv6 addresses ofthe form [::ffff:1.2.3.4] in --dhcp-option.
   
           Fix crash under heavy TCP connection load introduced in 2.81.
           Thanks to Frank for good work chasing this down.
   
           Change default lease time for DHCPv6 to one day.
   
           Alter calculation of preferred and valid times in router
           advertisements, so that these do not have a floor applied
           of the lease time in the dhcp-range if this is not explicitly
           specified and is merely the default.
           Thanks to Martin-Éric Racine for suggestions on this.
   
           
   version 2.81
           Improve cache behaviour for TCP connections. For ease of
           implementation, dnsmasq has always forked a new process to handle
           each incoming TCP connection. A side-effect of this is that
           any DNS queries answered from TCP connections are not cached:
           when TCP connections were rare, this was not a problem.
           With the coming of DNSSEC, it is now the case that some
           DNSSEC queries have answers which spill to TCP, and if,
           for instance, this applies to the keys for the root, then
           those never get cached, and performance is very bad.
           This fix passes cache entries back from the TCP child process to
           the main server process, and fixes the problem.
   
           Remove the NO_FORK compile-time option, and support for uclinux.
           In an era where everything has an MMU, this looks like
           an anachronism, and it adds to (Ok, multiplies!) the
           combinatorial explosion of compile-time options. Thanks to
           Kevin Darbyshire-Bryant for the patch.
   
           Fix line-counting when reading /etc/hosts and friends; for
           correct error messages. Thanks to Christian Rosentreter
           for reporting this.
   
           Fix bug in DNS non-terminal code, added in 2.80, which could
           sometimes cause a NODATA rather than an NXDOMAIN reply.
           Thanks to Norman Rasmussen, Sven Mueller and Maciej Żenczykowski
           for spotting and diagnosing the bug and providing patches.
   
           Support TCP-fastopen (RFC-7413) on both incoming and
           outgoing TCP connections, if supported and enabled in the OS.
   
           Improve kernel-capability manipulation code under Linux. Dnsmasq
           now fails early if a required capability is not available, and
           tries not to request capabilities not required by its
           configuration.
   
           Add --shared-network config. This enables allocation of addresses
           by the DHCP server in subnets where the server (or relay) does not
           have an interface on the network in that subnet. Many thanks to
           kamp.de for sponsoring this feature.
           
           Fix broken contrib/lease_tools/dhcp_lease_time.c. A packet
           validation check got borked in commit 2b38e382 and release 2.80.
           Thanks to Tomasz Szajner for spotting this.
   
           Fix compilation against nettle version 3.5 and later.
   
           Fix spurious DNSSEC validation failures when the auth section
           of a reply contains unsigned RRs from a signed zone, 
           with the exception that NSEC and NSEC3 RRs must always be signed.
           Thanks to Tore Anderson for spotting and diagnosing the bug.
   
           Add --dhcp-ignore-clid. This disables reading of DHCP client
           identifier option (option 61), so clients are only identified by
           MAC addresses.
   
           Fix a bug which stopped --dhcp-name-match from working when a hostname
           is supplied in --dhcp-host. Thanks to James Feeney for spotting this.
   
           Fix bug which caused very rarely caused zero-length DHCPv6 packets.
           Thanks to Dereck Higgins for spotting this.
   
           Add --tftp-single-port option.
   
           Enhance --conf-dir to load files in a deterministic order. Thanks to
           Evgenii Seliavka for the suggestion and initial patch.
   
           In the router advert code, handle case where we have two
           different interfaces on the same IPv6 net, and we are doing
           RA/DHCP service on only one of them. Thanks to NIIBE Yutaka
           for spotting this case and making the initial patch.
   
           Support prefixed ranges of ipv6 addresses in dhcp-host.
           This eases problems chain-netbooting, where each link in the
           chain requests an address using a different UID. With a single
           address, only one gets the "static" address, but with this
           fix, enough addresses can be reserved for all the stages of the
           boot. Many thanks to Harald Jensås for his work on this idea and
           earlier patches.
   
           Add filtering by tag of --dhcp-host directives. Based on a patch
           by Harald Jensås.
   
           Allow empty server spec in --rev-server, to match --server.
           
           Remove DSA signature verification from DNSSEC, as specified in
           RFC 8624. Thanks to Loganaden Velvindron for the original patch.
   
           Add --script-on-renewal option.
   
           
   version 2.80
           Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method
           for the initial patch and motivation.
   
           Alter the default for dnssec-check-unsigned. Versions of
           dnsmasq prior to 2.80 defaulted to not checking unsigned
           replies, and used --dnssec-check-unsigned to switch
           this on. Such configurations will continue to work as before,
           but those which used the default of no checking will need to be
           altered to explicitly select no checking. The new default is
           because switching off checking for unsigned replies is
           inherently dangerous. Not only does it open the possiblity of forged
           replies, but it allows everything to appear to be working even
           when the upstream namesevers do not support DNSSEC, and in this
           case no DNSSEC validation at all is occuring.
   
           Fix DHCP broken-ness when --no-ping AND --dhcp-sequential-ip
           are set. Thanks to Daniel Miess for help with this.
   
           Add a facilty to store DNS packets sent/recieved in a
           pcap-format file for later debugging. The file location
           is given by the --dumpfile option, and a bitmap controlling
           which packets should be dumped is given by the --dumpmask
           option.
   
           Handle the case of both standard and constructed dhcp-ranges on the
           same interface better. We don't now contruct a dhcp-range if there's
           already one specified. This allows the specified interface to
           have different parameters and avoids advertising the same
           prefix twice. Thanks to Luis Marsano for spotting this case.
   
           Allow zone transfer in authoritative mode if auth-peer is specified,
           even if auth-sec-servers is not. Thanks to Raphaël Halimi for
           the suggestion.
   
           Fix bug which sometimes caused dnsmasq to wrongly return answers
           without DNSSEC RRs to queries with the do-bit set, but only when
           DNSSEC validation was not enabled.
           Thanks to Petr Menšík for spotting this.
   
           Fix missing fatal errors with some malformed options
           (server, local, address, rebind-domain-ok, ipset, alias).
           Thanks to Eugene Lozovoy for spotting the problem.
   
           Fix crash on startup with a --synth-domain which has no prefix.
           Introduced in 2.79. Thanks to Andreas Engel for the bug report.
   
           Fix missing EDNS0 section in some replies generated by local
           DNS configuration which confused systemd-resolvd. Thanks to
           Steve Dodd for characterising the problem.
   
           Add --dhcp-name-match config option. 
   
           Add --caa-record config option.
   
           Implement --address=/example.com/# as (more efficient) syntactic
           sugar for --address=/example.com/0.0.0.0 and
           --address=/example.com/::
           Returning null addresses is a useful technique for ad-blocking.
           Thanks to Peter Russell for the suggestion.
           
           Change anti cache-snooping behaviour with queries with the
           recursion-desired bit unset. Instead to returning SERVFAIL, we
           now always forward, and never answer from the cache. This
           allows "dig +trace" command to work. 
           
           Include in the example config file a formulation which
           stops DHCP clients from claiming the DNS name "wpad".
           This is a fix for the CERT Vulnerability VU#598349.
   
           
   version 2.79
           Fix parsing of CNAME arguments, which are confused by extra spaces.
           Thanks to Diego Aguirre for spotting the bug.
   
           Where available, use IP_UNICAST_IF or IPV6_UNICAST_IF to bind
           upstream servers to an interface, rather than SO_BINDTODEVICE.
           Thanks to Beniamino Galvani for the patch.
   
           Always return a SERVFAIL answer to DNS queries without the
           recursion desired bit set, UNLESS acting as an authoritative
           DNS server. This avoids a potential route to cache snooping.
   
           Add support for Ed25519 signatures in DNSSEC validation.
   
           No longer support RSA/MD5 signatures in DNSSEC validation,
           since these are not secure. This behaviour is mandated in
           RFC-6944.
   
           Fix incorrect error exit code from dhcp_release6 utility.
           Thanks Gaudenz Steinlin for the bug report.
   
           Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC
           time validation when --dnssec-no-timecheck is in use.
           Note that this is an incompatible change from earlier releases.
   
           Allow more than one --bridge-interface option to refer to an
           interface, so that we can use
           --bridge-interface=int1,alias1
           --bridge-interface=int1,alias2
           as an alternative to
           --bridge-interface=int1,alias1,alias2
           Thanks to Neil Jerram for work on this.
   
           Fix for DNSSEC with wildcard-derived NSEC records.
           It's OK for NSEC records to be expanded from wildcards,
           but in that case, the proof of non-existence is only valid
           starting at the wildcard name, *.<domain> NOT the name expanded
           from the wildcard. Without this check it's possible for an
           attacker to craft an NSEC which wrongly proves non-existence.
           Thanks to Ralph Dolmans for finding this, and co-ordinating 
           the vulnerability tracking and fix release.
           CVE-2017-15107 applies.
   
           Remove special handling of A-for-A DNS queries. These
           are no longer a significant problem in the global DNS.
           http://cs.northwestern.edu/~ychen/Papers/DNS_ToN15.pdf
           Thanks to Mattias Hellström for the initial patch.
   
           Fix failure to delete dynamically created dhcp options
           from files in -dhcp-optsdir directories. Thanks to
           Lindgren Fredrik for the bug report.
   
           Add to --synth-domain the ability to create names using
           sequential numbers, as well as encodings of IP addresses.
           For instance,
           --synth-domain=thekelleys.org.uk,192.168.0.50,192.168.0.70,internal-*
           creates 21 domain names of the form
           internal-4.thekelleys.org.uk over the address range given, with
           internal-0.thekelleys.org.uk being 192.168.0.50 and
           internal-20.thekelleys.org.uk being 192.168.0.70
           Thanks to Andy Hawkins for the suggestion.
   
           Tidy up Crypto code, removing workarounds for ancient
           versions of libnettle. We now require libnettle 3.
   
   
   version 2.78
           Fix logic of appending ".<layer>" to PXE basename. Thanks to Chris
           Novakovic for the patch.
   
           Revert ping-check of address in DHCPDISCOVER if there
           already exists a lease for the address. Under some
           circumstances, and netbooted windows installation can reply
           to pings before if has a DHCP lease and block allocation
           of the address it already used during netboot. Thanks to
           Jan Psota for spotting this.
   
           Fix DHCP relaying, broken in 2.76 and 2.77 by commit
           ff325644c7afae2588583f935f4ea9b9694eb52e. Thanks to
           John Fitzgibbon for the diagnosis and patch.
   
           Try other servers if first returns REFUSED when
           --strict-order active. Thanks to Hans Dedecker
           for the patch
   
           Fix regression in 2.77, ironically added as a security
           improvement, which resulted in a crash when a DNS
           query exceeded 512 bytes (or the EDNS0 packet size,
           if different.) Thanks to Christian Kujau, Arne Woerner
           Juan Manuel Fernandez and Kevin Darbyshire-Bryant for
           chasing this one down.  CVE-2017-13704 applies.
   
           Fix heap overflow in DNS code. This is a potentially serious
           security hole. It allows an attacker who can make DNS
           requests to dnsmasq, and who controls the contents of
           a domain, which is thereby queried, to overflow
           (by 2 bytes) a heap buffer and either crash, or
           even take control of, dnsmasq.
           CVE-2017-14491 applies.
           Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
           Kevin Hamacher and Ron Bowes of the Google Security Team for
           finding this.
   
           Fix heap overflow in IPv6 router advertisement code.
           This is a potentially serious security hole, as a
           crafted RA request can overflow a buffer and crash or
           control dnsmasq. Attacker must be on the local network.
           CVE-2017-14492 applies.
           Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
           and Kevin Hamacher of the Google Security Team for
           finding this.
   
           Fix stack overflow in DHCPv6 code. An attacker who can send
           a DHCPv6 request to dnsmasq can overflow the stack frame and
           crash or control dnsmasq.
           CVE-2017-14493 applies.
           Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
           Kevin Hamacher and Ron Bowes of the Google Security Team for
           finding this.
   
           Fix information leak in DHCPv6. A crafted DHCPv6 packet can
           cause dnsmasq to forward memory from outside the packet
           buffer to a DHCPv6 server when acting as a relay.
           CVE-2017-14494 applies.
           Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
           Kevin Hamacher and Ron Bowes of the Google Security Team for
           finding this.
   
           Fix DoS in DNS. Invalid boundary checks in the
           add_pseudoheader function allows a memcpy call with negative
           size An attacker which can send malicious DNS queries
           to dnsmasq can trigger a DoS remotely.
           dnsmasq is vulnerable only if one of the following option is
           specified: --add-mac, --add-cpe-id or --add-subnet.
           CVE-2017-14496 applies.
           Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
           Kevin Hamacher and Ron Bowes of the Google Security Team for
           finding this.
   
           Fix out-of-memory Dos vulnerability. An attacker which can
           send malicious DNS queries to dnsmasq can trigger memory
           allocations in the add_pseudoheader function
           The allocated memory is never freed which leads to a DoS
           through memory exhaustion. dnsmasq is vulnerable only
           if one of the following option is specified:
           --add-mac, --add-cpe-id or --add-subnet.
           CVE-2017-14495 applies.
           Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
           Kevin Hamacher and Ron Bowes of the Google Security Team for
           finding this.
   
   
   version 2.77
           Generate an error when configured with a CNAME loop,
           rather than a crash. Thanks to George Metz for
           spotting this problem.
   
           Calculate the length of TFTP error reply packet 
           correctly. This fixes a problem when the error 
           message in a TFTP packet exceeds the arbitrary 
           limit of 500 characters. The message was correctly
           truncated, but not the packet length, so 
           extra data was appended. This is a possible
           security risk, since the extra data comes from
           a buffer which is also used for DNS, so that
           previous DNS queries or replies may be leaked.
           Thanks to Mozilla for funding the security audit 
           which spotted this bug.
   
           Fix logic error in Linux netlink code. This could
           cause dnsmasq to enter a tight loop on systems
           with a very large number of network interfaces.
           Thanks to Ivan Kokshaysky for the diagnosis and
           patch.
   
           Fix problem with --dnssec-timestamp whereby receipt
           of SIGHUP would erroneously engage timestamp checking.
           Thanks to Kevin Darbyshire-Bryant for this work.
   
           Bump zone serial on reloading /etc/hosts and friends
           when providing authoritative DNS. Thanks to Harrald
           Dunkel for spotting this.
   
           Handle v4-mapped IPv6 addresses sanely in --synth-domain.
           These have standard representation like ::ffff:1.2.3.4
           and are now converted to names like
           <prefix>--ffff-1-2-3-4.<domain>
   
           Handle binding upstream servers to an interface 
           (--server=1.2.3.4@eth0) when the named interface
           is destroyed and recreated in the kernel. Thanks to 
           Beniamino Galvani for the patch.
   
           Allow wildcard CNAME records in authoritative zones.
           For example --cname=*.example.com,default.example.com
           Thanks to Pro Backup for sponsoring this development.
   
           Bump the allowed backlog of TCP connections from 5 to 32,
           and make this a compile-time configurable option. Thanks
           to Donatas Abraitis for diagnosing this as a potential
           problem.
   
           Add DNSMASQ_REQUESTED_OPTIONS environment variable to the 
           lease-change script. Thanks to ZHAO Yu for the patch.
   
           Fix foobar in rrfilter code, that could cause malformed 
           replies, especially when DNSSEC validation on, and 
           the upstream server returns answer with the RRs in a 
           particular order. The only DNS server known to tickle
           this is Nominum's. Thanks to Dave Täht for spotting the
           bug and assisting in the fix.
   
           Fix the manpage which lied that only the primary address
           of an interface is used by --interface-name.
   
           Make --localise-queries apply to names from --interface-name.
           Thanks to Kevin Darbyshire-Bryant and Eric Luehrsen
           for pushing this.
   
           Improve connection handling when talking to TCP upstream 
           servers. Specifically, be prepared to open a new TCP
           connection when we want to make multiple queries
           but the upstream server accepts fewer queries per connection.
   
           Improve logging of upstream servers when there are a lot
           of "local addresses only" entries. Thanks to Hannu Nyman for
           the patch.
   
           Make --bogus-priv apply to IPv6, for the prefixes specified
           in RFC6303. Thanks to Kevin Darbyshire-Bryant for work on this.
   
           Allow use of MAC addresses with --tftp-unique-root. Thanks
           to Floris Bos for the patch.
   
           Add --dhcp-reply-delay option. Thanks to Floris Bos
           for the patch.
   
           Add mtu setting facility to --ra-param. Thanks to David
           Flamand for the patch.
   
           Capture STDOUT and STDERR output from dhcp-script and log
           it as part of the dnsmasq log stream. Makes life easier
           for diagnosing unexpected problems in scripts.
           Thanks to Petr Mensik for the patch.
   
           Generate fatal errors when failing to parse the output
           of the dhcp-script in "init" mode. Avoids strange errors
           when the script accidentally emits error messages.
           Thanks to Petr Mensik for the patch.
   
           Make --rev-server for an RFC1918 subnet work even in the
           presence of the --bogus-priv flag. Thanks to
           Vladislav Grishenko for the patch.
   
           Extend --ra-param mtu: field to allow an interface name.
           This allows the MTU of a WAN interface to be advertised on
           the internal interfaces of a router. Thanks to
           Vladislav Grishenko for the patch.
   
           Do ICMP-ping check for address-in-use for DHCPv4 when
           the client specifies an address in DHCPDISCOVER, and when
           an address in configured locally. Thanks to Alin Năstac
           for spotting the problem.
   
           Add new DHCP tag "known-othernet" which is set when only a
           dhcp-host exists for another subnet. Can be used to ensure
           that privileged hosts are not given "guest" addresses by
           accident. Thanks to Todd Sanket for the suggestion.
   
           Remove historic automatic inclusion of IDN support when
           building internationalisation support. This doesn't
           fit now there is a choice of IDN libraries. Be sure
           to include either -DHAVE_IDN or -DHAVE_LIBIDN2 for
           IDN support.
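
Review bot: in the 2.83 DNSSEC buffer overflow entry the CVE list reads "CVE-2020-25683 CVE-2020-25687" across the line break with no separator, unlike the commas between the first three identifiers; add a comma there so the four CVEs read as one list. That entry states the affected configuration (DNSSEC compiled in and enabled) and the 2.78 add_pseudoheader entries name the triggering options, but the CVE-2020-25684, CVE-2020-25685 and CVE-2020-25686 entries give no such condition; a sentence saying which configurations are exposed would let an operator triage from the changelog alone. Smaller points in the same added block: "inefficent", "that is means" and "succesful" in the CVE-2020-25686 entry, the missing full stop after "negative size" and after "in the add_pseudoheader function" in 2.78, and "Dos" for "DoS".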
   
   
 version 2.76  version 2.76
            Include 0.0.0.0/8 in DNS rebind checks. This range         Include 0.0.0.0/8 in DNS rebind checks. This range 
            translates to hosts on  the local network, or, at         translates to hosts on  the local network, or, at 
            least, 0.0.0.0 accesses the local host, so could        least, 0.0.0.0 accesses the local host, so could
            be targets for DNS rebinding. See RFC 5735 section 3         be targets for DNS rebinding. See RFC 5735 section 3 
            for details. Thanks to Stephen Röttger for the bug report.        for details. Thanks to Stephen Röttger for the bug report.
   
            Enhance --add-subnet to allow arbitrary subnet addresses.        Enhance --add-subnet to allow arbitrary subnet addresses.
            Thanks to Ed Barsley for the patch.        Thanks to Ed Barsley for the patch.
   
            Respect the --no-resolv flag in inotify code. Fixes bug        Respect the --no-resolv flag in inotify code. Fixes bug
            which caused dnsmasq to fail to start if a resolv-file         which caused dnsmasq to fail to start if a resolv-file 
            was a dangling symbolic link, even of --no-resolv set.        was a dangling symbolic link, even of --no-resolv set.
            Thanks to Alexander Kurtz for spotting the problem.        Thanks to Alexander Kurtz for spotting the problem.
   
            Fix crash when an A or AAAA record is defined locally,        Fix crash when an A or AAAA record is defined locally,
            in a hosts file, and an upstream server sends a reply        in a hosts file, and an upstream server sends a reply
            that the same name is empty. Thanks to Edwin Török for        that the same name is empty. Thanks to Edwin Török for
            the patch.        the patch.
   
            Fix failure to correctly calculate cache-size when         Fix failure to correctly calculate cache-size when 
            reading a hosts-file fails. Thanks to André Glüpker         reading a hosts-file fails. Thanks to André Glüpker 
            for the patch.        for the patch.
   
            Fix wrong answer to simple name query when --domain-needed        Fix wrong answer to simple name query when --domain-needed
            set, but no upstream servers configured. Dnsmasq returned        set, but no upstream servers configured. Dnsmasq returned
            REFUSED, in this case, when it should be the same as when        REFUSED, in this case, when it should be the same as when
            upstream servers are configured - NOERROR. Thanks to         upstream servers are configured - NOERROR. Thanks to 
            Allain Legacy for spotting the problem.        Allain Legacy for spotting the problem.
   
            Return REFUSED when running out of forwarding table slots,        Return REFUSED when running out of forwarding table slots,
            not SERVFAIL.        not SERVFAIL.
   
            Add --max-port configuration. Thanks to Hans Dedecker for        Add --max-port configuration. Thanks to Hans Dedecker for
            the patch.        the patch.
   
            Add --script-arp and two new functions for the dhcp-script.        Add --script-arp and two new functions for the dhcp-script.
            These are "arp" and "arp-old" which announce the arrival and        These are "arp" and "arp-old" which announce the arrival and
            removal of entries in the ARP or nieghbour tables.        removal of entries in the ARP or neighbour tables.
   
            Extend --add-mac to allow a new encoding of the MAC address         Extend --add-mac to allow a new encoding of the MAC address 
            as base64, by configurting --add-mac=base64        as base64, by configuring --add-mac=base64
  
            Add --add-cpe-id option. 
   
            Don't crash with divide-by-zero if an IPv6 dhcp-range        Add --add-cpe-id option.
            is declared as a whole /64. 
            (ie xx::0 to xx::ffff:ffff:ffff:ffff)  
            Thanks to Laurent Bendel for spotting this problem. 
   
            Add support for a TTL parameter in --host-record and        Don't crash with divide-by-zero if an IPv6 dhcp-range
            --cname.        is declared as a whole /64.
         (ie xx::0 to xx::ffff:ffff:ffff:ffff) 
         Thanks to Laurent Bendel for spotting this problem.
   
            Add --dhcp-ttl option.        Add support for a TTL parameter in --host-record and
         --cname.
   
            Add --tftp-mtu option. Thanks to Patrick McLean for the         Add --dhcp-ttl option.
            initial patch. 
   
            Check return-code of inet_pton() when parsing dhcp-option.        Add --tftp-mtu option. Thanks to Patrick McLean for the 
            Bad addresses could fail to generate errors and result in        initial patch.
            garbage dhcp-options being sent. Thanks to Marc Branchaud  
            for spotting this. 
   
            Fix wrong value for EDNS UDP packet size when using         Check return-code of inet_pton() when parsing dhcp-option.
            --servers-file to define upstream DNS servers. Thanks to        Bad addresses could fail to generate errors and result in
            Scott Bonar for the bug report.        garbage dhcp-options being sent. Thanks to Marc Branchaud 
         for spotting this.
   
            Move the dhcp_release and dhcp_lease_time tools from         Fix wrong value for EDNS UDP packet size when using 
            contrib/wrt to contrib/lease-tools.        --servers-file to define upstream DNS servers. Thanks to
         Scott Bonar for the bug report.
   
            Add dhcp_release6 to contrib/lease-tools. Many thanks         Move the dhcp_release and dhcp_lease_time tools from 
            to Sergey Nechaev for this code.        contrib/wrt to contrib/lease-tools.
   
            To avoid filling logs in configurations which define        Add dhcp_release6 to contrib/lease-tools. Many thanks 
            many upstream nameservers, don't log more that 30 servers.        to Sergey Nechaev for this code.
            The number to be logged can be changed as SERVERS_LOGGED 
            in src/config.h. 
   
            Swap the values if BC_EFI and x86-64_EFI in --pxe-service        To avoid filling logs in configurations which define
            These were previously wrong due to an error in RFC 4578.        many upstream nameservers, don't log more that 30 servers.
            If you're using BC_EFI to boot 64-bit EFI machines, you        The number to be logged can be changed as SERVERS_LOGGED
            will need to update your config.        in src/config.h.
   
            Add ARM32_EFI and ARM64_EFI as valid architectures in        Swap the values if BC_EFI and x86-64_EFI in --pxe-service. 
            --pxe-service.        These were previously wrong due to an error in RFC 4578.
         If you're using BC_EFI to boot 64-bit EFI machines, you
         will need to update your config.
   
            Fix PXE booting for UEFI architectures. Modify PXE boot        Add ARM32_EFI and ARM64_EFI as valid architectures in
            sequence in this case to force the client to talk to dnsmasq        --pxe-service.
            over port 4011. This makes PXE and especially proxy-DHCP PXE 
            work with these archictectures. 
   
            Workaround problems with UEFI PXE clients. There exist        Fix PXE booting for UEFI architectures. Modify PXE boot
            in the wild PXE clients which have problems with PXE        sequence in this case to force the client to talk to dnsmasq
            boot menus. To work around this, when there's a single        over port 4011. This makes PXE and especially proxy-DHCP PXE
            --pxe-service which applies to client, then that target        work with these architectures.
            will be booted directly, rather then sending a 
            single-item boot menu. 
   
            Many thanks to Jarek Polok, Michael Kuron and Dreamcat4         Workaround problems with UEFI PXE clients. There exist
            for their work on the long-standing UEFI PXE problem.        in the wild PXE clients which have problems with PXE
         boot menus. To work around this, when there's a single
         --pxe-service which applies to client, then that target
         will be booted directly, rather then sending a
         single-item boot menu.
   
            Subtle change in the semantics of "basename" in        Many thanks to Jarek Polok, Michael Kuron and Dreamcat4 
            --pxe-service. The historical behaviour has always been        for their work on the long-standing UEFI PXE problem.
            that the actual filename downloaded from the TFTP server 
            is <basename>.<layer> where <layer> is an integer which 
            corresponds to the layer parameter supplied by the client. 
            It's not clear what the function of the "layer"  
            actually is in the PXE protocol, and in practise layer  
            is always zero, so the filename is <basename>.0 
            The new behaviour is the same as the old, except when 
            <basename> includes a file suffix, in which case 
            the layer suffix is no longer added. This allows 
            sensible suffices to be used, rather then the 
            meaningless ".0". Only in the unlikely event that you 
            have a config with a basename which already has a 
            suffix, is this an incompatible change, since the file 
            downloaded will change from name.suffix.0 to just  
            name.suffix 
   
           Subtle change in the semantics of "basename" in
           --pxe-service. The historical behaviour has always been
           that the actual filename downloaded from the TFTP server
           is <basename>.<layer> where <layer> is an integer which
           corresponds to the layer parameter supplied by the client.
           It's not clear what the function of the "layer" 
           actually is in the PXE protocol, and in practise layer 
           is always zero, so the filename is <basename>.0
           The new behaviour is the same as the old, except when
           <basename> includes a file suffix, in which case
           the layer suffix is no longer added. This allows
           sensible suffices to be used, rather then the
           meaningless ".0". Only in the unlikely event that you
           have a config with a basename which already has a
           suffix, is this an incompatible change, since the file
           downloaded will change from name.suffix.0 to just 
           name.suffix
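Review bot: On the new side of the 2.76 entries, the SERVERS_LOGGED item still reads "don't log more that 30 servers" and the --pxe-service item still reads "Swap the values if BC_EFI and x86-64_EFI"; these should be "more than" and "values of". "rather then" also survives twice, in the UEFI workaround item and the basename item, and should be "rather than". This revision already corrects "archictectures" in the same block, so the remaining slips can go in the same pass. The BC_EFI swap and the basename suffix change are the two items here that say an existing config may need updating, so they are the ones where exact wording matters most.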
   
   
 version 2.75  version 2.75
            Fix reversion on 2.74 which caused 100% CPU use when a         Fix reversion on 2.74 which caused 100% CPU use when a 
            dhcp-script is configured. Thanks to Adrian Davey for        dhcp-script is configured. Thanks to Adrian Davey for
            reporting the bug and testing the fix.        reporting the bug and testing the fix.
   
        
 version 2.74  version 2.74
            Fix reversion in 2.73 where --conf-file would attempt to        Fix reversion in 2.73 where --conf-file would attempt to
            read the default file, rather than no file.        read the default file, rather than no file.
   
            Fix inotify code to handle dangling symlinks better and        Fix inotify code to handle dangling symlinks better and
            not SEGV in some circumstances.        not SEGV in some circumstances.
   
            DNSSEC fix. In the case of a signed CNAME generated by a        DNSSEC fix. In the case of a signed CNAME generated by a
            wildcard which pointed to an unsigned domain, the wrong        wildcard which pointed to an unsigned domain, the wrong
            status would be logged, and some necessary checks omitted.        status would be logged, and some necessary checks omitted.
         
   
   
 version 2.73  version 2.73
            Fix crash at startup when an empty suffix is supplied to        Fix crash at startup when an empty suffix is supplied to
            --conf-dir, also trivial memory leak. Thanks to         --conf-dir, also trivial memory leak. Thanks to 
            Tomas Hozza for spotting this.        Tomas Hozza for spotting this.
   
            Remove floor of 4096 on advertised EDNS0 packet size when         Remove floor of 4096 on advertised EDNS0 packet size when 
            DNSSEC in use, the original rationale for this has long gone.        DNSSEC in use, the original rationale for this has long gone.
            Thanks to Anders Kaseorg for spotting this.        Thanks to Anders Kaseorg for spotting this.
   
            Use inotify for checking on updates to /etc/resolv.conf and        Use inotify for checking on updates to /etc/resolv.conf and
            friends under Linux. This fixes race conditions when the files are         friends under Linux. This fixes race conditions when the files are 
            updated rapidly and saves CPU by noy polling. To build        updated rapidly and saves CPU by noy polling. To build
            a binary that runs on old Linux kernels without inotify,        a binary that runs on old Linux kernels without inotify,
            use make COPTS=-DNO_INOTIFY        use make COPTS=-DNO_INOTIFY
   
            Fix breakage of --domain=<domain>,<subnet>,local - only reverse        Fix breakage of --domain=<domain>,<subnet>,local - only reverse
            queries were intercepted. THis appears to have been broken         queries were intercepted. THis appears to have been broken 
            since 2.69. Thanks to Josh Stone for finding the bug.        since 2.69. Thanks to Josh Stone for finding the bug.
   
            Eliminate IPv6 privacy addresses and deprecated addresses from        Eliminate IPv6 privacy addresses and deprecated addresses from
            the answers given by --interface-name. Note that reverse queries        the answers given by --interface-name. Note that reverse queries
            (ie looking for names, given addresses) are not affected.         (ie looking for names, given addresses) are not affected. 
            Thanks to Michael Gorbach for the suggestion.        Thanks to Michael Gorbach for the suggestion.
   
            Fix crash in DNSSEC code with long RRs. Thanks to Marco Davids        Fix crash in DNSSEC code with long RRs. Thanks to Marco Davids
            for the bug report.        for the bug report.
             
            Add --ignore-address option. Ignore replies to A-record  
            queries which include the specified address. No error is 
            generated, dnsmasq simply continues to listen for another  
            reply. This is useful to defeat blocking strategies which 
            rely on quickly supplying a forged answer to a DNS  
            request for certain domains, before the correct answer can 
            arrive. Thanks to Glen Huang for the patch. 
         
            Revisit the part of DNSSEC validation which determines if an  
            unsigned answer is legit, or is in some part of the DNS  
            tree which should be signed. Dnsmasq now works from the  
            DNS root downward looking for the limit of signed  
            delegations, rather than working bottom up. This is  
            both more correct, and less likely to trip over broken  
            nameservers in the unsigned parts of the DNS tree  
            which don't respond well to DNSSEC queries. 
   
            Add --log-queries=extra option, which makes logs easier        Add --ignore-address option. Ignore replies to A-record 
            to search automatically.        queries which include the specified address. No error is
         generated, dnsmasq simply continues to listen for another 
         reply. This is useful to defeat blocking strategies which
         rely on quickly supplying a forged answer to a DNS 
         request for certain domains, before the correct answer can
         arrive. Thanks to Glen Huang for the patch.
   
            Add --min-cache-ttl option. I've resisted this for a long         Revisit the part of DNSSEC validation which determines if an 
            time, on the grounds that disbelieving TTLs is never a         unsigned answer is legit, or is in some part of the DNS 
            good idea, but I've been persuaded that there are         tree which should be signed. Dnsmasq now works from the 
            sometimes reasons to do it. (Step forward, GFW).        DNS root downward looking for the limit of signed 
            To avoid misuse, there's a hard limit on the TTL         delegations, rather than working bottom up. This is 
            floor of one hour. Thansk to RinSatsuki for the patch.        both more correct, and less likely to trip over broken 
         nameservers in the unsigned parts of the DNS tree 
         which don't respond well to DNSSEC queries.
   
            Cope with multiple interfaces with the same link-local         Add --log-queries=extra option, which makes logs easier
            address. (IPv6 addresses are scoped, so this is allowed.)        to search automatically.
            Thanks to Cory Benfield for help with this. 
   
            Add --dhcp-hostsdir. This allows addition of new host        Add --min-cache-ttl option. I've resisted this for a long 
            configurations to a running dnsmasq instance much more         time, on the grounds that disbelieving TTLs is never a 
            cheaply than having dnsmasq re-read all its existing        good idea, but I've been persuaded that there are 
            configuration each time.         sometimes reasons to do it. (Step forward, GFW).
                To avoid misuse, there's a hard limit on the TTL 
            Don't reply to DHCPv6 SOLICIT messages if we're not         floor of one hour. Thanks to RinSatsuki for the patch.
            configured to do stateful DHCPv6. Thanks to Win King Wan  
            for the patch. 
   
            Fix broken DNSSEC validation of ECDSA signatures.        Cope with multiple interfaces with the same link-local 
         address. (IPv6 addresses are scoped, so this is allowed.)
         Thanks to Cory Benfield for help with this.
   
            Add --dnssec-timestamp option, which provides an automatic        Add --dhcp-hostsdir. This allows addition of new host
            way to detect when the system time becomes valid after         configurations to a running dnsmasq instance much more 
            boot on systems without an RTC, whilst allowing DNS         cheaply than having dnsmasq re-read all its existing
            queries before the clock is valid so that NTP can run.         configuration each time. 
            Thanks to Kevin Darbyshire-Bryant for developing this idea. 
   
            Add --tftp-no-fail option. Thanks to Stefan Tomanek for        Don't reply to DHCPv6 SOLICIT messages if we're not 
            the patch.        configured to do stateful DHCPv6. Thanks to Win King Wan 
         for the patch.
   
            Fix crash caused by looking up servers.bind, CHAOS text         Fix broken DNSSEC validation of ECDSA signatures.
            record, when more than about five --servers= lines are  
            in the dnsmasq config. This causes memory corruption  
            which causes a crash later. Thanks to Matt Coddington for  
            sterling work chasing this down. 
   
            Fix crash on receipt of certain malformed DNS requests.        Add --dnssec-timestamp option, which provides an automatic
            Thanks to Nick Sampanis for spotting the problem.        way to detect when the system time becomes valid after 
            Note that this is could allow the dnsmasq process's        boot on systems without an RTC, whilst allowing DNS 
            memory to be read by an attacker under certain        queries before the clock is valid so that NTP can run
            circumstances, so it has a CVE, CVE-2015-3294         Thanks to Kevin Darbyshire-Bryant for developing this idea.
   
            Fix crash in authoritative DNS code, if a .arpa zone         Add --tftp-no-fail option. Thanks to Stefan Tomanek for
            is declared as authoritative, and then a PTR query which        the patch.
            is not to be treated as authoritative arrived. Normally,  
            directly declaring .arpa zone as authoritative is not  
            done, so this crash wouldn't be seen. Instead the  
            relevant .arpa zone should be specified as a subnet 
            in the auth-zone declaration. Thanks to Johnny S. Lee 
            for the bugreport and initial patch. 
   
            Fix authoritative DNS code to correctly reply to NS         Fix crash caused by looking up servers.bind, CHAOS text 
            and SOA queries for .arpa zones for which we are         record, when more than about five --servers= lines are 
            declared authoritative by means of a subnet in auth-zone.        in the dnsmasq config. This causes memory corruption 
            Previously we provided correct answers to PTR queries        which causes a crash later. Thanks to Matt Coddington for 
            in such zones (including NS and SOA) but not direct        sterling work chasing this down.
            NS and SOA queries. Thanks to Johnny S. Lee for  
            pointing out the problem. 
   
            Fix logging of DHCPREPLY which should be suppressed         Fix crash on receipt of certain malformed DNS requests.
            by quiet-dhcp6. Thanks to J. Pablo Abonia for         Thanks to Nick Sampanis for spotting the problem.
            spotting the problem.        Note that this is could allow the dnsmasq process's
         memory to be read by an attacker under certain
         circumstances, so it has a CVE, CVE-2015-3294 
   
            Try and handle net connections with broken fragmentation         Fix crash in authoritative DNS code, if a .arpa zone 
            that lose large UDP packets. If a server times out,         is declared as authoritative, and then a PTR query which
            reduce the maximum UDP packet size field in the EDNS0        is not to be treated as authoritative arrived. Normally, 
            header to 1280 bytes. If it then answers, make that        directly declaring .arpa zone as authoritative is not 
            change permanent.        done, so this crash wouldn't be seen. Instead the 
         relevant .arpa zone should be specified as a subnet
         in the auth-zone declaration. Thanks to Johnny S. Lee
         for the bugreport and initial patch.
   
            Check IPv4-mapped IPv6 addresses when --stop-rebind        Fix authoritative DNS code to correctly reply to NS 
            is active. Thanks to Jordan Milne for spotting this.        and SOA queries for .arpa zones for which we are 
         declared authoritative by means of a subnet in auth-zone.
         Previously we provided correct answers to PTR queries
         in such zones (including NS and SOA) but not direct
         NS and SOA queries. Thanks to Johnny S. Lee for 
         pointing out the problem.
   
            Allow DHCPv4 options T1 and T2 to be set using --dhcp-option.        Fix logging of DHCPREPLY which should be suppressed 
            Thanks to Kevin Benton for patches and work on this.        by quiet-dhcp6. Thanks to J. Pablo Abonia for 
         spotting the problem.
   
            Fix code for DHCPCONFIRM DHCPv6 messages to confirm addresses        Try and handle net connections with broken fragmentation 
            in the correct subnet, even of not in dynamic address         that lose large UDP packets. If a server times out, 
            allocation range. Thanks to Steve Hirsch for spotting        reduce the maximum UDP packet size field in the EDNS0
            the problem.        header to 1280 bytes. If it then answers, make that
         change permanent.
   
            Add AddDhcpLease and DeleteDhcpLease DBus methods. Thanks        Check IPv4-mapped IPv6 addresses when --stop-rebind
            to Nicolas Cavallari for the patch.        is active. Thanks to Jordan Milne for spotting this.
   
            Allow configuration of router advertisements without the         Allow DHCPv4 options T1 and T2 to be set using --dhcp-option.
            "on-link" bit set. Thanks to Neil Jerram for the patch.        Thanks to Kevin Benton for patches and work on this.
   
            Extend --bridge-interface to DHCPv6 and router         Fix code for DHCPCONFIRM DHCPv6 messages to confirm addresses
            advertisements. Thanks to Neil Jerram for the patch.        in the correct subnet, even of not in dynamic address 
                allocation range. Thanks to Steve Hirsch for spotting
                the problem.
 
         Add AddDhcpLease and DeleteDhcpLease DBus methods. Thanks
         to Nicolas Cavallari for the patch.
 
         Allow configuration of router advertisements without the 
         "on-link" bit set. Thanks to Neil Jerram for the patch.
 
         Extend --bridge-interface to DHCPv6 and router 
         advertisements. Thanks to Neil Jerram for the patch.
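Review bot: The CVE-2015-3294 item in 2.73 is carried over with "Note that this is could allow" and no closing full stop. It is the only entry in this block that cites a CVE, so it is worth cleaning up to "Note that this could allow the dnsmasq process's memory to be read by an attacker under certain circumstances, so it has a CVE, CVE-2015-3294." The same block keeps "noy polling" in the inotify item, "THis appears" in the --domain item and "even of not in dynamic address allocation range" in the DHCPCONFIRM item, although this revision fixes "Thansk" a few entries away.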
 
 
 version 2.72  version 2.72
            Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.        Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.
   
            Add support for "ipsets" in *BSD, using pf. Thanks to         Add support for "ipsets" in *BSD, using pf. Thanks to 
            Sven Falempim for the patch.        Sven Falempin for the patch.
   
            Fix race condition which could lock up dnsmasq when an         Fix race condition which could lock up dnsmasq when an 
            interface goes down and up rapidly. Thanks to Conrad         interface goes down and up rapidly. Thanks to Conrad 
            Kostecki for helping to chase this down.        Kostecki for helping to chase this down.
   
            Add DBus methods SetFilterWin2KOption and SetBogusPrivOption        Add DBus methods SetFilterWin2KOption and SetBogusPrivOption
            Thanks to the Smoothwall project for the patch.        Thanks to the Smoothwall project for the patch.
   
            Fix failure to build against Nettle-3.0. Thanks to Steven         Fix failure to build against Nettle-3.0. Thanks to Steven 
            Barth for spotting this and finding the fix.         Barth for spotting this and finding the fix. 
             
            When assigning existing DHCP leases to intefaces by comparing  
            networks, handle the case that two or more interfaces have the 
            same network part, but different prefix lengths (favour the 
            longer prefix length.) Thanks to Lung-Pin Chang for the  
            patch. 
             
            Add a mode which detects and removes DNS forwarding loops, ie  
            a query sent to an upstream server returns as a new query to  
            dnsmasq, and would therefore be forwarded again, resulting in  
            a query which loops many times before being dropped. Upstream 
            servers which loop back are disabled and this event is logged. 
            Thanks to Smoothwall for their sponsorship of this feature. 
   
            Extend --conf-dir to allow filtering of files. So        When assigning existing DHCP leases to interfaces by comparing 
            --conf-dir=/etc/dnsmasq.d,\*.conf        networks, handle the case that two or more interfaces have the
            will load all the files in /etc/dnsmasq.d which end in .conf        same network part, but different prefix lengths (favour the
         longer prefix length.) Thanks to Lung-Pin Chang for the 
            Fix bug when resulted in NXDOMAIN answers instead of NODATA in        patch.
            some circumstances. 
   
            Fix bug which caused dnsmasq to become unresponsive if it         Add a mode which detects and removes DNS forwarding loops, ie 
            failed to send packets due to a network interface disappearing.        a query sent to an upstream server returns as a new query to 
            Thanks to Niels Peen for spotting this.        dnsmasq, and would therefore be forwarded again, resulting in 
                            a query which loops many times before being dropped. Upstream
            Fix problem with --local-service option on big-endian platforms        servers which loop back are disabled and this event is logged.
            Thanks to Richard Genoud for the patch.        Thanks to Smoothwall for their sponsorship of this feature.
   
                Extend --conf-dir to allow filtering of files. So
         --conf-dir=/etc/dnsmasq.d,\*.conf
         will load all the files in /etc/dnsmasq.d which end in .conf
 
         Fix bug when resulted in NXDOMAIN answers instead of NODATA in
         some circumstances.
 
         Fix bug which caused dnsmasq to become unresponsive if it 
         failed to send packets due to a network interface disappearing.
         Thanks to Niels Peen for spotting this.
 
         Fix problem with --local-service option on big-endian platforms
         Thanks to Richard Genoud for the patch.
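Review bot: The 2.72 forwarding-loop item ("Add a mode which detects and removes DNS forwarding loops") does not name the option that turns the mode on, unlike the --conf-dir and --local-service items next to it. Add the option name so a reader knows what to set. In the same block, "Fix bug when resulted in NXDOMAIN answers" should read "which resulted", and this revision already touches the block to fix "intefaces" and "Falempim".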
 
 
 version 2.71  version 2.71
            Subtle change to error handling to help DNSSEC validation         Subtle change to error handling to help DNSSEC validation 
            when servers fail to provide NODATA answers for         when servers fail to provide NODATA answers for 
            non-existent DS records.        non-existent DS records.
   
            Tweak code which removes DNSSEC records from answers when        Tweak code which removes DNSSEC records from answers when
            not required. Fixes broken answers when additional section        not required. Fixes broken answers when additional section
            has real records in it. Thanks to Marco Davids for the bug         has real records in it. Thanks to Marco Davids for the bug 
            report.        report.
   
            Fix DNSSEC validation of ANY queries. Thanks to Marco Davids        Fix DNSSEC validation of ANY queries. Thanks to Marco Davids
            for spotting that too.        for spotting that too.
   
            Fix total DNS failure and 100% CPU use if cachesize set to zero,        Fix total DNS failure and 100% CPU use if cachesize set to zero,
            regression introduced in 2.69. Thanks to James Hunt and        regression introduced in 2.69. Thanks to James Hunt and
            the Ubuntu crowd for assistance in fixing this.        the Ubuntu crowd for assistance in fixing this.
   
   
 version 2.70  version 2.70
            Fix crash, introduced in 2.69, on TCP request when dnsmasq        Fix crash, introduced in 2.69, on TCP request when dnsmasq
            compiled with DNSSEC support, but running without DNSSEC        compiled with DNSSEC support, but running without DNSSEC
            enabled. Thanks to Manish Sing for spotting that one.        enabled. Thanks to Manish Sing for spotting that one.
   
            Fix regression which broke ipset functionality. Thanks to         Fix regression which broke ipset functionality. Thanks to 
            Wang Jian for the bug report.        Wang Jian for the bug report.
   
   
 version 2.69  version 2.69
            Implement dynamic interface discovery on *BSD. This allows        Implement dynamic interface discovery on *BSD. This allows
            the contructor: syntax to be used in dhcp-range for DHCPv6        the constructor: syntax to be used in dhcp-range for DHCPv6
            on the BSD platform. Thanks to Matthias Andree for        on the BSD platform. Thanks to Matthias Andree for
            valuable research on how to implement this.        valuable research on how to implement this.
   
            Fix infinite loop associated with some --bogus-nxdomain        Fix infinite loop associated with some --bogus-nxdomain
            configs. Thanks fogobogo for the bug report.        configs. Thanks fogobogo for the bug report.
   
            Fix missing RA RDNS option with configuration like        Fix missing RA RDNS option with configuration like
            --dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer        --dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer
            for spotting the problem.        for spotting the problem.
   
            Add [fd00::] and [fe80::] as special addresses in DHCPv6        Add [fd00::] and [fe80::] as special addresses in DHCPv6
            options, analogous to [::]. [fd00::] is replaced with the        options, analogous to [::]. [fd00::] is replaced with the
            actual ULA of the interface on the machine running        actual ULA of the interface on the machine running
            dnsmasq, [fe80::] with the link-local address.         dnsmasq, [fe80::] with the link-local address. 
            Thanks to Tsachi Kimeldorfer for championing this.        Thanks to Tsachi Kimeldorfer for championing this.
   
            DNSSEC validation and caching. Dnsmasq needs to be        DNSSEC validation and caching. Dnsmasq needs to be
            compiled with this enabled, with         compiled with this enabled, with 
             
            make dnsmasq COPTS=-DHAVE_DNSSEC 
             
            this add dependencies on the nettle crypto library and the  
            gmp maths library. It's possible to have these linked 
            statically with 
             
            make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC' 
             
            which bloats the dnsmasq binary, but saves the size of  
            the shared libraries which are much bigger. 
   
            To enable, DNSSEC, you will need a set of        make dnsmasq COPTS=-DHAVE_DNSSEC
            trust-anchors. Now that the TLDs are signed, this can be 
            the keys for the root zone, and for convenience they are 
            included in trust-anchors.conf in the dnsmasq 
            distribution. You should of course check that these are 
            legitimate and up-to-date. So, adding 
             
            conf-file=/path/to/trust-anchors.conf 
            dnssec 
   
            to your config is all thats needed to get things        this adds dependencies on the nettle crypto library and the 
            working. The upstream nameservers have to be DNSSEC-capable        gmp maths library. It's possible to have these linked
            too, of course. Many ISP nameservers aren't, but the        statically with
            Google public nameservers (8.8.8.8 and 8.8.4.4) are. 
            When DNSSEC is configured, dnsmasq validates any queries  
            for domains which are signed. Query results which are  
            bogus are replaced with SERVFAIL replies, and results  
            which are correctly signed have the AD bit set. In  
            addition, and just as importantly, dnsmasq supplies  
            correct DNSSEC information to clients which are doing  
            their own validation, and caches DNSKEY, DS and RRSIG 
            records, which significantly improve the performance of  
            downstream validators. Setting --log-queries will show  
            DNSSEC in action. 
   
            If a domain is returned from an upstream nameserver without         make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'
            DNSSEC signature, dnsmasq by default trusts this. This  
            means that for unsigned zone (still the majority) there  
            is effectively no cost for having DNSSEC enabled. Of course 
            this allows an attacker to replace a signed record with a  
            false unsigned record. This is addressed by the  
            --dnssec-check-unsigned flag, which instructs dnsmasq 
            to prove that an unsigned record is legitimate, by finding   
            a secure proof that the zone containing the record is not 
            signed. Doing this has costs (typically one or two extra 
            upstream queries). It also has a nasty failure mode if 
            dnsmasq's upstream nameservers are not DNSSEC capable.  
            Without --dnssec-check-unsigned using such an upstream 
            server will simply result in not queries being validated;  
            with --dnssec-check-unsigned enabled and a  
            DNSSEC-ignorant upstream server, _all_ queries will fail. 
   
            Note that DNSSEC requires that the local time is valid and         which bloats the dnsmasq binary, but saves the size of 
            accurate, if not then DNSSEC validation will fail. NTP         the shared libraries which are much bigger.
            should be running. This presents a problem for routers 
            without a battery-backed clock. To set the time needs NTP  
            to do DNS lookups, but lookups will fail until NTP has run. 
            To address this, there's a flag, --dnssec-no-timecheck  
            which disables the time checks (only) in DNSSEC. When dnsmasq 
            is started and the clock is not synced, this flag should 
            be used. As soon as the clock is synced, SIGHUP dnsmasq.  
            The SIGHUP clears the cache of partially-validated data and 
            resets the no-timecheck flag, so that all DNSSEC checks  
            henceforward will be complete. 
             
            The development of DNSSEC in dnsmasq was started by  
            Giovanni Bajo, to whom huge thanks are owed. It has been 
            supported by Comcast, whose techfund grant has allowed for  
            an invaluable period of full-time work to get it to  
            a workable state. 
  
            Add --rev-server. Thanks to Dave Taht for suggesting this. 
             
            Add --servers-file. Allows dynamic update of upstream servers  
            full access to configuration.  
   
            Add --local-service. Accept DNS queries only from hosts         To enable, DNSSEC, you will need a set of
            whose address is on a local subnet, ie a subnet for which         trust-anchors. Now that the TLDs are signed, this can be
            an interface exists on the server. This option        the keys for the root zone, and for convenience they are
            only has effect if there are no --interface --except-interface,        included in trust-anchors.conf in the dnsmasq
            --listen-address or --auth-server options. It is intended         distribution. You should of course check that these are
            to be set as a default on installation, to allow        legitimate and up-to-date. So, adding
            unconfigured installations to be useful but also safe from  
            being used for DNS amplification attacks. 
   
            Fix crashes in cache_get_cname_target() when dangling CNAMEs        conf-file=/path/to/trust-anchors.conf
            encountered. Thanks to Andy and the rt-n56u project for        dnssec
            find this and helping to chase it down. 
   
            Fix wrong RCODE in authoritative DNS replies to PTR queries. The        to your config is all that's needed to get things
            correct answer was included, but the RCODE was set to NXDOMAIN.        working. The upstream nameservers have to be DNSSEC-capable
            Thanks to Craig McQueen for spotting this.        too, of course. Many ISP nameservers aren't, but the
         Google public nameservers (8.8.8.8 and 8.8.4.4) are.
         When DNSSEC is configured, dnsmasq validates any queries 
         for domains which are signed. Query results which are 
         bogus are replaced with SERVFAIL replies, and results 
         which are correctly signed have the AD bit set. In 
         addition, and just as importantly, dnsmasq supplies 
         correct DNSSEC information to clients which are doing 
         their own validation, and caches DNSKEY, DS and RRSIG
         records, which significantly improve the performance of 
         downstream validators. Setting --log-queries will show 
         DNSSEC in action.
   
            Make statistics available as DNS queries in the .bind TLD as         If a domain is returned from an upstream nameserver without 
            well as logging them.        DNSSEC signature, dnsmasq by default trusts this. This 
         means that for unsigned zone (still the majority) there 
         is effectively no cost for having DNSSEC enabled. Of course
         this allows an attacker to replace a signed record with a 
         false unsigned record. This is addressed by the 
         --dnssec-check-unsigned flag, which instructs dnsmasq
         to prove that an unsigned record is legitimate, by finding  
         a secure proof that the zone containing the record is not
         signed. Doing this has costs (typically one or two extra
         upstream queries). It also has a nasty failure mode if
         dnsmasq's upstream nameservers are not DNSSEC capable. 
         Without --dnssec-check-unsigned using such an upstream
         server will simply result in not queries being validated; 
         with --dnssec-check-unsigned enabled and a 
         DNSSEC-ignorant upstream server, _all_ queries will fail.
   
           Note that DNSSEC requires that the local time is valid and 
           accurate, if not then DNSSEC validation will fail. NTP 
           should be running. This presents a problem for routers
           without a battery-backed clock. To set the time needs NTP 
           to do DNS lookups, but lookups will fail until NTP has run.
           To address this, there's a flag, --dnssec-no-timecheck 
           which disables the time checks (only) in DNSSEC. When dnsmasq
           is started and the clock is not synced, this flag should
           be used. As soon as the clock is synced, SIGHUP dnsmasq. 
           The SIGHUP clears the cache of partially-validated data and
           resets the no-timecheck flag, so that all DNSSEC checks 
           henceforward will be complete.
   
           The development of DNSSEC in dnsmasq was started by 
           Giovanni Bajo, to whom huge thanks are owed. It has been
           supported by Comcast, whose techfund grant has allowed for 
           an invaluable period of full-time work to get it to 
           a workable state.
   
           Add --rev-server. Thanks to Dave Taht for suggesting this.
   
           Add --servers-file. Allows dynamic update of upstream servers 
           full access to configuration. 
   
           Add --local-service. Accept DNS queries only from hosts 
           whose address is on a local subnet, ie a subnet for which 
           an interface exists on the server. This option
           only has effect if there are no --interface --except-interface,
           --listen-address or --auth-server options. It is intended 
           to be set as a default on installation, to allow
           unconfigured installations to be useful but also safe from 
           being used for DNS amplification attacks.
   
           Fix crashes in cache_get_cname_target() when dangling CNAMEs
           encountered. Thanks to Andy and the rt-n56u project for
           find this and helping to chase it down.
   
           Fix wrong RCODE in authoritative DNS replies to PTR queries. The
           correct answer was included, but the RCODE was set to NXDOMAIN.
           Thanks to Craig McQueen for spotting this.
   
           Make statistics available as DNS queries in the .bind TLD as 
           well as logging them.
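
Review bot: The --dnssec-check-unsigned paragraph on the new side still reads "will simply result in not queries being validated", where "no queries" is meant. This is the sentence that distinguishes silent non-validation from the "_all_ queries will fail" case, so it should be corrected in the same pass as the other spelling fixes. Two more leftovers in this region: "Thanks to Andy and the rt-n56u project for find this" should be "finding this", and the --servers-file entry "Allows dynamic update of upstream servers full access to configuration" reads as if words are missing between "servers" and "full access". The author should restore the intended wording rather than leave it to be guessed.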
   
   
 version 2.68  version 2.68
            Use random addresses for DHCPv6 temporary address        Use random addresses for DHCPv6 temporary address
            allocations, instead of algorithmically determined stable        allocations, instead of algorithmically determined stable
            addresses.        addresses.
   
            Fix bug which meant that the DHCPv6 DUID was not available        Fix bug which meant that the DHCPv6 DUID was not available
            in DHCP script runs during the lifetime of the dnsmasq        in DHCP script runs during the lifetime of the dnsmasq
            process which created the DUID de-novo. Once the DUID was        process which created the DUID de-novo. Once the DUID was
            created and stored in the lease file and dnsmasq        created and stored in the lease file and dnsmasq
            restarted, this bug disappeared.        restarted, this bug disappeared.
   
            Fix bug introduced in 2.67 which could result in erroneous        Fix bug introduced in 2.67 which could result in erroneous
            NXDOMAIN returns to CNAME queries.        NXDOMAIN returns to CNAME queries.
   
            Fix build failures on MacOS X and openBSD.        Fix build failures on MacOS X and openBSD.
   
            Allow subnet specifications in --auth-zone to be interface         Allow subnet specifications in --auth-zone to be interface 
            names as well as address literals. This makes it possible        names as well as address literals. This makes it possible
            to configure authoritative DNS when local address ranges        to configure authoritative DNS when local address ranges
            are dynamic and works much better than the previous        are dynamic and works much better than the previous
            work-around which exempted contructed DHCP ranges from the        work-around which exempted constructed DHCP ranges from the
            IP address filtering. As a consequence, that work-around        IP address filtering. As a consequence, that work-around
            is removed. Under certain circumstances, this change wil        is removed. Under certain circumstances, this change wil
            break existing configuration: if you're relying on the        break existing configuration: if you're relying on the
            contructed-range exception, you need to change --auth-zone        constructed-range exception, you need to change --auth-zone
            to specify the same interface as is used to construct your        to specify the same interface as is used to construct your
            DHCP ranges, probably with a trailing "/6" like this:         DHCP ranges, probably with a trailing "/6" like this: 
            --auth-zone=example.com,eth0/6 to limit the addresses to        --auth-zone=example.com,eth0/6 to limit the addresses to
            IPv6 addresses of eth0.        IPv6 addresses of eth0.
   
            Fix problems when advertising deleted IPv6 prefixes. If        Fix problems when advertising deleted IPv6 prefixes. If
            the prefix is deleted (rather than replaced), it doesn't        the prefix is deleted (rather than replaced), it doesn't
            get advertised with zero preferred time. Thanks to Tsachi        get advertised with zero preferred time. Thanks to Tsachi
            for the bug report.         for the bug report. 
   
            Fix segfault with some locally configured CNAMEs. Thanks        Fix segfault with some locally configured CNAMEs. Thanks
            to Andrew Childs for spotting the problem.        to Andrew Childs for spotting the problem.
   
            Fix memory leak on re-reading /etc/hosts and friends,        Fix memory leak on re-reading /etc/hosts and friends,
            introduced in 2.67.        introduced in 2.67.
   
            Check the arrival interface of incoming DNS and TFTP        Check the arrival interface of incoming DNS and TFTP
            requests via IPv6, even in --bind-interfaces mode. This        requests via IPv6, even in --bind-interfaces mode. This
            isn't possible for IPv4 and can generate scary warnings,        isn't possible for IPv4 and can generate scary warnings,
            but as it's always possible for IPv6 (the API always        but as it's always possible for IPv6 (the API always
            exists) then we should do it always.         exists) then we should do it always. 
             
            Tweak the rules on prefix-lengths in --dhcp-range for 
            IPv6. The new rule is that the specified prefix length 
            must be larger than or equal to the prefix length of the 
            corresponding address on the local interface.  
   
           Tweak the rules on prefix-lengths in --dhcp-range for
           IPv6. The new rule is that the specified prefix length
           must be larger than or equal to the prefix length of the
           corresponding address on the local interface. 
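
Review bot: The --auth-zone entry corrects "contructed" to "constructed" twice, but the same paragraph still carries "this change wil break existing configuration" on both sides. That sentence is the compatibility warning for anyone relying on the constructed-range exception, so "wil" should become "will" here as well.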
   
   
 version 2.67  version 2.67
            Fix crash if upstream server returns SERVFAIL when        Fix crash if upstream server returns SERVFAIL when
            --conntrack in use. Thanks to Giacomo Tazzari for finding        --conntrack in use. Thanks to Giacomo Tazzari for finding
            this and supplying the patch.         this and supplying the patch. 
   
            Repair regression in 2.64. That release stopped sending        Repair regression in 2.64. That release stopped sending
            lease-time information in the reply to DHCPINFORM        lease-time information in the reply to DHCPINFORM
            requests, on the correct grounds that it was a standards        requests, on the correct grounds that it was a standards
            violation. However, this broke the dnsmasq-specific        violation. However, this broke the dnsmasq-specific
            dhcp_lease_time utility. Now, DHCPINFORM returns        dhcp_lease_time utility. Now, DHCPINFORM returns
            lease-time only if it's specifically requested        lease-time only if it's specifically requested
            (maintaining standards) and the dhcp_lease_time utility        (maintaining standards) and the dhcp_lease_time utility
            has been taught to ask for it (restoring functionality).         has been taught to ask for it (restoring functionality). 
   
            Fix --dhcp-match, --dhcp-vendorclass and --dhcp-userclass        Fix --dhcp-match, --dhcp-vendorclass and --dhcp-userclass
            to work with BOOTP and well as DHCP. Thanks to Peter        to work with BOOTP and well as DHCP. Thanks to Peter
            Korsgaard for spotting the problem.         Korsgaard for spotting the problem. 
   
            Add --synth-domain. Thanks to Vishvananda Ishaya for        Add --synth-domain. Thanks to Vishvananda Ishaya for
            suggesting this.        suggesting this.
   
            Fix failure to compile ipset.c if old kernel headers are        Fix failure to compile ipset.c if old kernel headers are
            in use. Thanks to Eugene Rudoy for pointing this out.        in use. Thanks to Eugene Rudoy for pointing this out.
   
            Handle IPv4 interface-address labels in Linux. These are        Handle IPv4 interface-address labels in Linux. These are
            often used to emulate the old IP-alias addresses. Before,        often used to emulate the old IP-alias addresses. Before,
            using --interface=eth0 would service all the addresses of        using --interface=eth0 would service all the addresses of
            eth0, including ones configured as aliases, which appear        eth0, including ones configured as aliases, which appear
            in ifconfig as eth0:0. Now, only addresses with the label        in ifconfig as eth0:0. Now, only addresses with the label
            eth0 are active. This is not backwards compatible: if you        eth0 are active. This is not backwards compatible: if you
            want to continue to bind the aliases too, you need to add        want to continue to bind the aliases too, you need to add
            eg. --interface=eth0:0 to the config.         eg. --interface=eth0:0 to the config. 
         
            Fix "failed to set SO_BINDTODEVICE on DHCP socket: Socket  
            operation on non-socket" error on startup with 
            configurations which have exactly one --interface option 
            and do RA but _not_ DHCPv6. Thanks to Trever Adams for the 
            bug report. 
   
            Generalise --interface-name to cope with IPv6 addresses        Fix "failed to set SO_BINDTODEVICE on DHCP socket: Socket 
            and multiple addresses per interface per address family.        operation on non-socket" error on startup with
         configurations which have exactly one --interface option
         and do RA but _not_ DHCPv6. Thanks to Trever Adams for the
         bug report.
   
            Fix option parsing for --dhcp-host, which was generating a        Generalise --interface-name to cope with IPv6 addresses
            spurious error when all seven possible items were        and multiple addresses per interface per address family.
            included. Thanks to Zhiqiang Wang for the bug report. 
   
            Remove restriction on prefix-length in --auth-zone. Thanks        Fix option parsing for --dhcp-host, which was generating a
            to Toke Hoiland-Jorgensen for suggesting this.        spurious error when all seven possible items were
         included. Thanks to Zhiqiang Wang for the bug report.
   
            Log when the maximum number of concurrent DNS queries is        Remove restriction on prefix-length in --auth-zone. Thanks
            reached. Thanks to Marcelo Salhab Brogliato for the patch.        to Toke Hoiland-Jorgensen for suggesting this.
   
            If wildcards are used in --interface, don't assume that         Log when the maximum number of concurrent DNS queries is
            there will only ever be one available interface for DHCP        reached. Thanks to Marcelo Salhab Brogliato for the patch.
            just because there is one at start-up. More may appear, so 
            we can't use SO_BINDTODEVICE. Thanks to Natrio for the bug 
            report.  
   
            Increase timeout/number of retries in TFTP to accomodate        If wildcards are used in --interface, don't assume that 
            AudioCodes Voice Gateways doing streaming writes to flash.        there will only ever be one available interface for DHCP
            Thanks to Damian Kaczkowski for spotting the problem.        just because there is one at start-up. More may appear, so
         we can't use SO_BINDTODEVICE. Thanks to Natrio for the bug
         report. 
   
            Fix crash with empty DHCP string options when adding zero        Increase timeout/number of retries in TFTP to accommodate
            terminator. Thanks to Patrick McLean for the bug report.        AudioCodes Voice Gateways doing streaming writes to flash.
         Thanks to Damian Kaczkowski for spotting the problem.
   
            Allow hostnames to start with a number, as allowed in        Fix crash with empty DHCP string options when adding zero
            RFC-1123. Thanks to Kyle Mestery for the patch.         terminator. Thanks to Patrick McLean for the bug report.
   
            Fixes to DHCP FQDN option handling: don't terminate FQDN        Allow hostnames to start with a number, as allowed in
            if domain not known and allow a FQDN option with blank        RFC-1123. Thanks to Kyle Mestery for the patch. 
            name to request that a FQDN option is returned in the 
            reply. Thanks to Roy Marples for the patch. 
   
            Make --clear-on-reload apply to setting upstream servers        Fixes to DHCP FQDN option handling: don't terminate FQDN
            via DBus too.        if domain not known and allow a FQDN option with blank
         name to request that a FQDN option is returned in the
         reply. Thanks to Roy Marples for the patch.
   
            When the address which triggered the construction of an        Make --clear-on-reload apply to setting upstream servers
            advertised IPv6 prefix disappears, continue to advertise         via DBus too.
            the prefix for up to 2 hours, with the preferred lifetime 
            set to zero. This satisfies RFC 6204 4.3 L-13 and makes 
            things work better if a prefix disappears without being 
            deprecated first. Thanks to Uwe Schindler for persuasively 
            arguing for this. 
   
            Fix MAC address enumeration on *BSD. Thanks to Brad Smith        When the address which triggered the construction of an
            for the bug report.        advertised IPv6 prefix disappears, continue to advertise 
         the prefix for up to 2 hours, with the preferred lifetime
         set to zero. This satisfies RFC 6204 4.3 L-13 and makes
         things work better if a prefix disappears without being
         deprecated first. Thanks to Uwe Schindler for persuasively
         arguing for this.
   
            Support RFC-4242 information-refresh-time options in the         Fix MAC address enumeration on *BSD. Thanks to Brad Smith
            reply to DHCPv6 information-request. The lease time of the        for the bug report.
            smallest valid dhcp-range is sent. Thanks to Uwe Schindler  
            for suggesting this. 
   
            Make --listen-address higher priority than --except-interface        Support RFC-4242 information-refresh-time options in the 
            in all circumstances. Thanks to Thomas Hood for the bugreport.        reply to DHCPv6 information-request. The lease time of the
         smallest valid dhcp-range is sent. Thanks to Uwe Schindler 
         for suggesting this.
   
            Provide independent control over which interfaces get TFTP         Make --listen-address higher priority than --except-interface
            service. If enable-tftp is given a list of interfaces, then TFTP         in all circumstances. Thanks to Thomas Hood for the bugreport.
            is provided on those. Without the list, the previous behaviour 
            (provide TFTP to the same interfaces we provide DHCP to)  
            is retained. Thanks to Lonnie Abelbeck for the suggestion. 
   
            Add --dhcp-relay config option. Many thanks to vtsl.net        Provide independent control over which interfaces get TFTP 
            for sponsoring this development.        service. If enable-tftp is given a list of interfaces, then TFTP 
         is provided on those. Without the list, the previous behaviour
         (provide TFTP to the same interfaces we provide DHCP to) 
         is retained. Thanks to Lonnie Abelbeck for the suggestion.
   
            Fix crash with empty tag: in --dhcp-range. Thanks to        Add --dhcp-relay config option. Many thanks to vtsl.net
            Kaspar Schleiser for the bug report.        for sponsoring this development.
   
            Add "baseline" and "bloatcheck" makefile targets, for         Fix crash with empty tag: in --dhcp-range. Thanks to
            revealing size changes during development. Thanks to        Kaspar Schleiser for the bug report.
            Vladislav Grishenko for the patch.  
   
            Cope with DHCPv6 clients which send REQUESTs without        Add "baseline" and "bloatcheck" makefile targets, for 
            address options - treat them as SOLICIT with rapid commit.        revealing size changes during development. Thanks to
         Vladislav Grishenko for the patch. 
   
            Support identification of clients by MAC address in        Cope with DHCPv6 clients which send REQUESTs without
            DHCPv6. When using a relay, the relay must support RFC        address options - treat them as SOLICIT with rapid commit.
            6939 for this to work. It always works for directly 
            connected clients. Thanks to Vladislav Grishenko 
            for prompting this feature. 
             
            Remove the rule for constructed DHCP ranges that the local 
            address must be either the first or last address in the 
            range. This was originally to avoid SLAAC addresses, but 
            we now explicitly autoconfig and privacy addresses instead.   
   
            Update Polish translation. Thanks to Jan Psota.        Support identification of clients by MAC address in
         DHCPv6. When using a relay, the relay must support RFC
         6939 for this to work. It always works for directly
         connected clients. Thanks to Vladislav Grishenko
         for prompting this feature.
   
            Fix problem in DHCPv6 vendorclass/userclass matching        Remove the rule for constructed DHCP ranges that the local
            code. Thanks to Tanguy Bouzeloc for the patch.        address must be either the first or last address in the
         range. This was originally to avoid SLAAC addresses, but
         we now explicitly autoconfig and privacy addresses instead.  
   
            Update Spanish transalation. Thanks to Vicente Soriano.        Update Polish translation. Thanks to Jan Psota.
   
            Add --ra-param option. Thanks to Vladislav Grishenko for        Fix problem in DHCPv6 vendorclass/userclass matching
            inspiration on this.        code. Thanks to Tanguy Bouzeloc for the patch.
   
            Add --add-subnet configuration, to tell upstream DNS        Update Spanish translation. Thanks to Vicente Soriano.
            servers where the original client is. Thanks to DNSthingy 
            for sponsoring this feature. 
   
            Add --quiet-dhcp, --quiet-dhcp6 and --quiet-ra. Thanks to        Add --ra-param option. Thanks to Vladislav Grishenko for
            Kevin Darbyshire-Bryant for the initial patch.        inspiration on this.
   
            Allow A/AAAA records created by --interface-name to be the        Add --add-subnet configuration, to tell upstream DNS
            target of --cname. Thanks to Hadmut Danisch for the        servers where the original client is. Thanks to DNSthingy
            suggestion.         for sponsoring this feature.
   
            Avoid treating a --dhcp-host which has an IPv6 address        Add --quiet-dhcp, --quiet-dhcp6 and --quiet-ra. Thanks to
            as eligable for use with DHCPv4 on the grounds that it has        Kevin Darbyshire-Bryant for the initial patch.
            no address, and vice-versa. Thanks to Yury Konovalov for 
            spotting the problem. 
   
            Do a better job caching dangling CNAMEs. Thanks to Yves        Allow A/AAAA records created by --interface-name to be the
            Dorfsman for spotting the problem.        target of --cname. Thanks to Hadmut Danisch for the
         suggestion. 
   
         Avoid treating a --dhcp-host which has an IPv6 address
         as eligible for use with DHCPv4 on the grounds that it has
         no address, and vice-versa. Thanks to Yury Konovalov for
         spotting the problem.
 
         Do a better job caching dangling CNAMEs. Thanks to Yves
         Dorfsman for spotting the problem.
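
Review bot: In the entry on constructed DHCP ranges, "we now explicitly autoconfig and privacy addresses instead" has no verb after "explicitly" on either side, so the new behaviour toward SLAAC and privacy addresses is not actually stated. The intended word needs to be supplied by someone who knows the change. The --dhcp-match entry also still says "to work with BOOTP and well as DHCP" ("as well as"). The accommodate, translation and eligible fixes in this region look fine.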
 
 
 version 2.66  version 2.66
            Add the ability to act as an authoritative DNS        Add the ability to act as an authoritative DNS
            server. Dnsmasq can now answer queries from the wider 'net        server. Dnsmasq can now answer queries from the wider 'net
            with local data, as long as the correct NS records are set        with local data, as long as the correct NS records are set
            up. Only local data is provided, to avoid creating an open        up. Only local data is provided, to avoid creating an open
            DNS relay. Zone transfer is supported, to allow secondary        DNS relay. Zone transfer is supported, to allow secondary
            servers to be configured.        servers to be configured.
   
            Add "constructed DHCP ranges" for DHCPv6. This is intended        Add "constructed DHCP ranges" for DHCPv6. This is intended
            for IPv6 routers which get prefixes dynamically via prefix        for IPv6 routers which get prefixes dynamically via prefix
            delegation. With suitable configuration, stateful DHCPv6        delegation. With suitable configuration, stateful DHCPv6
            and RA can happen automatically as prefixes are delegated        and RA can happen automatically as prefixes are delegated
            and then deprecated, without having  to re-write the        and then deprecated, without having  to re-write the
            dnsmasq configuration file or restart the daemon. Thanks to        dnsmasq configuration file or restart the daemon. Thanks to
            Steven Barth for extensive testing and development work on        Steven Barth for extensive testing and development work on
            this idea.        this idea.
   
            Fix crash on startup on Solaris 11. Regression probably        Fix crash on startup on Solaris 11. Regression probably
            introduced in 2.61.  Thanks to Geoff Johnstone for the        introduced in 2.61.  Thanks to Geoff Johnstone for the
            patch.        patch.
   
            Add code to make behaviour for TCP DNS requests that same        Add code to make behaviour for TCP DNS requests that same
            as for UDP requests, when a request arrives for an allowed         as for UDP requests, when a request arrives for an allowed 
            address, but via a banned interface. This change is only        address, but via a banned interface. This change is only
            active on Linux, since the relevant API is missing (AFAIK)        active on Linux, since the relevant API is missing (AFAIK)
            on other platforms. Many thanks to Tomas Hozza for        on other platforms. Many thanks to Tomas Hozza for
            spotting the problem, and doing invaluable discovery of        spotting the problem, and doing invaluable discovery of
            the obscure and undocumented API required for the solution.        the obscure and undocumented API required for the solution.
   
            Don't send the default DHCP option advertising dnsmasq as        Don't send the default DHCP option advertising dnsmasq as
            the local DNS server if dnsmasq is configured to not act        the local DNS server if dnsmasq is configured to not act
            as DNS server, or it's configured to a non-standard port.        as DNS server, or it's configured to a non-standard port.
  
            Add DNSMASQ_CIRCUIT_ID, DNSMASQ_SUBCRIBER_ID, 
            DNSMASQ_REMOTE_ID variables to the environment of the 
            lease-change script (and the corresponding Lua). These hold 
            information inserted into the DHCP request by a DHCP relay 
            agent. Thanks to Lakefield Communications for providing a 
            bounty for this addition. 
  
            Fixed crash, introduced in 2.64, whilst handling DHCPv6 
            information-requests with some common configurations. 
            Thanks to Robert M. Albrecht for the bug report and  
            chasing the problem. 
   
            Add --ipset option. Thanks to Jason A. Donenfeld for th        Add DNSMASQ_CIRCUIT_ID, DNSMASQ_SUBSCRIBER_ID,
            patch.        DNSMASQ_REMOTE_ID variables to the environment of the
         lease-change script (and the corresponding Lua). These hold
         information inserted into the DHCP request by a DHCP relay
         agent. Thanks to Lakefield Communications for providing a
         bounty for this addition.
   
            Don't erroneously reject some option names in --dhcp-match        Fixed crash, introduced in 2.64, whilst handling DHCPv6
            options. Thanks to Benedikt Hochstrasser for the bug report.        information-requests with some common configurations.
                    Thanks to Robert M. Albrecht for the bug report and 
            Allow a trailing '*' wildcard in all interface-name        chasing the problem.
            configurations. Thanks to Christian Parpart for the patch. 
   
            Handle the situation where libc headers define        Add --ipset option. Thanks to Jason A. Donenfeld for the 
            SO_REUSEPORT, but the kernel in use doesn't, to cope with        patch.
            the introduction of this option to Linux. Thanks to Rich 
            Felker for the bug report. 
   
            Update Polish translation. Thanks to Jan Psota.        Don't erroneously reject some option names in --dhcp-match
         options. Thanks to Benedikt Hochstrasser for the bug report.
   
            Fix crash if the configured DHCP lease limit is        Allow a trailing '*' wildcard in all interface-name
            reached. Regression occurred in 2.61. Thanks to Tsachi for        configurations. Thanks to Christian Parpart for the patch.
            the bug report.  
             
            Update the French translation. Thanks to Gildas le Nadan. 
   
          Handle the situation where libc headers define
         SO_REUSEPORT, but the kernel in use doesn't, to cope with
         the introduction of this option to Linux. Thanks to Rich
         Felker for the bug report.
 
         Update Polish translation. Thanks to Jan Psota.
 
         Fix crash if the configured DHCP lease limit is
         reached. Regression occurred in 2.61. Thanks to Tsachi for
         the bug report. 
 
         Update the French translation. Thanks to Gildas le Nadan.
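
Review bot: The change from DNSMASQ_SUBCRIBER_ID to DNSMASQ_SUBSCRIBER_ID alters a documented environment variable name, not just prose. Lease-change scripts read these variables by exact name, so please confirm that the new spelling is the name actually exported to the script environment (and to the corresponding Lua) before treating this as a pure typo fix. Minor leftover in the same region: "make behaviour for TCP DNS requests that same as for UDP requests" should read "the same".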
 
 
 version 2.65  version 2.65
            Fix regression which broke forwarding of queries sent via        Fix regression which broke forwarding of queries sent via
            TCP which are not for A and AAAA and which were directed to        TCP which are not for A and AAAA and which were directed to
            non-default servers. Thanks to Niax for the bug report.        non-default servers. Thanks to Niax for the bug report.
   
            Fix failure to build with DHCP support excluded. Thanks to         Fix failure to build with DHCP support excluded. Thanks to 
            Gustavo Zacarias for the patch.        Gustavo Zacarias for the patch.
             
            Fix nasty regression in 2.64 which completely broke cacheing. 
   
           Fix nasty regression in 2.64 which completely broke caching.
   
   
 version 2.64  version 2.64
            Handle DHCP FQDN options with all flag bits zero and        Handle DHCP FQDN options with all flag bits zero and
            --dhcp-client-update set. Thanks to Bernd Krumbroeck for        --dhcp-client-update set. Thanks to Bernd Krumbroeck for
            spotting the problem.        spotting the problem.
   
            Finesse the check for /etc/hosts names which conflict with        Finesse the check for /etc/hosts names which conflict with
            DHCP names. Previously a name/address pair in /etc/hosts        DHCP names. Previously a name/address pair in /etc/hosts
            which didn't match the name/address of a DHCP lease would        which didn't match the name/address of a DHCP lease would
            generate a warning. Now that only happesn if there is not        generate a warning. Now that only happens if there is not
            also a match. This allows multiple addresses for a name in         also a match. This allows multiple addresses for a name in 
            /etc/hosts with one of them assigned via DHCP.        /etc/hosts with one of them assigned via DHCP.
   
            Fix broken vendor-option processing for BOOTP. Thanks to        Fix broken vendor-option processing for BOOTP. Thanks to
            Hans-Joachim Baader for the bug report.        Hans-Joachim Baader for the bug report.
   
            Don't report spurious netlink errors, regression in        Don't report spurious netlink errors, regression in
            2.63. Thanks to Vladislav Grishenko for the patch.        2.63. Thanks to Vladislav Grishenko for the patch.
   
            Flag DHCP or DHCPv6 in starup logging. Thanks to         Flag DHCP or DHCPv6 in startup logging. Thanks to 
            Vladislav Grishenko for the patch.        Vladislav Grishenko for the patch.
   
            Add SetServersEx method in DBus interface. Thanks to Dan        Add SetServersEx method in DBus interface. Thanks to Dan
            Williams for the patch.        Williams for the patch.
   
            Add SetDomainServers method in DBus interface. Thanks to        Add SetDomainServers method in DBus interface. Thanks to
            Roy Marples for the patch.        Roy Marples for the patch.
   
            Fix build with later Lua libraries. Thansk to Cristian        Fix build with later Lua libraries. Thanks to Cristian
            Rodriguez for the patch.        Rodriguez for the patch.
   
            Add --max-cache-ttl option. Thanks to Dennis Kaarsemaker        Add --max-cache-ttl option. Thanks to Dennis Kaarsemaker
            for the patch.        for the patch.
   
            Fix breakage of --host-record parsing, resulting in        Fix breakage of --host-record parsing, resulting in
            infinte loop at startup. Regression in 2.63. Thanks to        infinite loop at startup. Regression in 2.63. Thanks to
            Haim Gelfenbeyn for spotting this.        Haim Gelfenbeyn for spotting this.
   
            Set SO_REUSEADDRESS and SO_V6ONLY options on the DHCPv6        Set SO_REUSEADDRESS and SO_V6ONLY options on the DHCPv6
            socket, this allows multiple instances of dnsmasq on a        socket, this allows multiple instances of dnsmasq on a
            single machine, in the same way as for DHCPv4. Thanks to        single machine, in the same way as for DHCPv4. Thanks to
            Gene Czarcinski and Vladislav Grishenko for work on this.        Gene Czarcinski and Vladislav Grishenko for work on this.
   
            Fix DHCPv6 to do access control correctly when it's         Fix DHCPv6 to do access control correctly when it's 
            configured with --listen-address. Thanks to        configured with --listen-address. Thanks to
            Gene Czarcinski for sorting this out.         Gene Czarcinski for sorting this out. 
   
            Add a "wildcard" dhcp-range which works for any IPv6        Add a "wildcard" dhcp-range which works for any IPv6
            subnet, --dhcp-range=::,static Useful for Stateless         subnet, --dhcp-range=::,static Useful for Stateless 
            DHCPv6. Thanks to Vladislav Grishenko for the patch.        DHCPv6. Thanks to Vladislav Grishenko for the patch.
   
            Don't include lease-time in DHCPACK replies to DHCPINFORM        Don't include lease-time in DHCPACK replies to DHCPINFORM
            queries, since RFC-2131 says we shouldn't. Thanks to        queries, since RFC-2131 says we shouldn't. Thanks to
            Wouter Ibens for pointing this out.          Wouter Ibens for pointing this out.  
   
            Makefile tweak to do dependency checking on header files.        Makefile tweak to do dependency checking on header files.
            Thanks to Johan Peeters for the patch.        Thanks to Johan Peeters for the patch.
   
            Check interface for outgoing unsolicited router         Check interface for outgoing unsolicited router 
            advertisements, rather than relying on interface address         advertisements, rather than relying on interface address 
            configuration. Thanks to Gene Czarinski for the patch.        configuration. Thanks to Gene Czarinski for the patch.
   
            Handle better attempts to transmit on interfaces which are        Handle better attempts to transmit on interfaces which are
            still doing DAD, and specifically do not just transmit        still doing DAD, and specifically do not just transmit
            without setting source address and interface, since this        without setting source address and interface, since this
            can cause very puzzling effects when a router        can cause very puzzling effects when a router
            advertisement goes astray. Thanks again to Gene Czarinski.        advertisement goes astray. Thanks again to Gene Czarinski.
   
            Get RA timers right when there is more than one        Get RA timers right when there is more than one
            dhcp-range on a subnet.        dhcp-range on a subnet.
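
Review bot: The spelling pass over the 2.64 entries leaves the contributor's name inconsistent in the new column: the SO_REUSEADDRESS and --listen-address entries credit "Gene Czarcinski", while the router-advertisement and DAD entries credit "Gene Czarinski". Pick one spelling in this same change. The socket-option entry also still reads "Set SO_REUSEADDRESS and SO_V6ONLY options"; the options are named SO_REUSEADDR and IPV6_V6ONLY, so the entry does not match the identifiers a reader would search for when checking how multiple DHCPv6 instances share a port.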
             
   
   
 version 2.63  version 2.63
            Do duplicate dhcp-host address check in --test mode.        Do duplicate dhcp-host address check in --test mode.
   
            Check that tftp-root directories are accessible before        Check that tftp-root directories are accessible before
            start-up. Thanks to Daniel Veillard for the initial patch.        start-up. Thanks to Daniel Veillard for the initial patch.
   
            Allow more than one --tfp-root flag. The per-interface        Allow more than one --tfp-root flag. The per-interface
            stuff is pointless without that.        stuff is pointless without that.
   
            Add --bind-dynamic. A hybrid mode between the default and        Add --bind-dynamic. A hybrid mode between the default and
            --bind-interfaces which copes with dynamically created        --bind-interfaces which copes with dynamically created
            interfaces.         interfaces. 
             
            A couple of fixes to the build system for Android. Thanks 
            to Metin Kaya for the patches. 
   
            Remove the interface:<interface> argument in --dhcp-range, and        A couple of fixes to the build system for Android. Thanks
            the interface argument to --enable-tftp. These were a        to Metin Kaya for the patches.
            still-born attempt to allow automatic isolated 
            configuration by libvirt, but have never (to my knowledge) 
            been used, had very strange semantics, and have been 
            superceded by other mechanisms.  
   
            Fixed bug logging filenames when duplicate dhcp-host        Remove the interface:<interface> argument in --dhcp-range, and
            addresses are found. Thanks to John Hanks for the patch.        the interface argument to --enable-tftp. These were a
         still-born attempt to allow automatic isolated
         configuration by libvirt, but have never (to my knowledge)
         been used, had very strange semantics, and have been
         superseded by other mechanisms. 
   
            Fix regression in 2.61 which broke caching of CNAME        Fixed bug logging filenames when duplicate dhcp-host
            chains. Thanks to Atul Gupta for the bug report.        addresses are found. Thanks to John Hanks for the patch.
   
            Allow the target of a --cname flag to be another --cname.        Fix regression in 2.61 which broke caching of CNAME
         chains. Thanks to Atul Gupta for the bug report.
   
            Teach DHCPv6 about the RFC 4242 information-refresh-time        Allow the target of a --cname flag to be another --cname.
            option, and add parsing if the minutes, hours and days 
            format for options. Thanks to Francois-Xavier Le Bail for 
            the suggestion. 
   
            Allow "w" (for week) as multiplier in lease times, as well        Teach DHCPv6 about the RFC 4242 information-refresh-time
            as seconds, minutes, hours and days.  Álvaro Gámez Machado         option, and add parsing if the minutes, hours and days
            spotted the ommission.        format for options. Thanks to Francois-Xavier Le Bail for
         the suggestion.
            Update French translation. Thanks to Gildas Le Nadan. 
   
            Allow a DBus service name to be given with --enable-dbus        Allow "w" (for week) as multiplier in lease times, as well
            which overrides the default,        as seconds, minutes, hours and days.  Álvaro Gámez Machado 
            uk.org.thekelleys.dnsmasq. Thanks to Mathieu        spotted the omission.
            Trudel-Lapierre for the patch.  
   
            Set the "prefix on-link" bit in Router        Update French translation. Thanks to Gildas Le Nadan.
            Advertisements. Thanks to Gui Iribarren for the patch. 
   
           Allow a DBus service name to be given with --enable-dbus
           which overrides the default,
           uk.org.thekelleys.dnsmasq. Thanks to Mathieu
           Trudel-Lapierre for the patch. 
   
           Set the "prefix on-link" bit in Router
           Advertisements. Thanks to Gui Iribarren for the patch.
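
Review bot: The 2.63 entry "Allow more than one --tfp-root flag" is unchanged on both sides, but the entry directly above it spells the option tftp-root ("Check that tftp-root directories are accessible"), so the flag name here is a typo that should be fixed along with "superseded" and "omission". "add parsing if the minutes, hours and days format" in the RFC 4242 entry also looks like it should read "of". Most of this block shows as changed only because whitespace-only lines were normalised, which buries the two real spelling fixes; splitting the whitespace cleanup into its own revision would make the textual changes reviewable.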
   
   
 version 2.62  version 2.62
            Update German translation. Thanks to Conrad Kostecki.        Update German translation. Thanks to Conrad Kostecki.
   
            Cope with router-solict packets wich don't have a valid         Cope with router-solict packets which don't have a valid 
            source address. Thanks to Vladislav Grishenko for the patch.        source address. Thanks to Vladislav Grishenko for the patch.
   
            Fixed bug which caused missing periodic router        Fixed bug which caused missing periodic router
            advertisements with some configurations. Thanks to        advertisements with some configurations. Thanks to
            Vladislav Grishenko for the patch.        Vladislav Grishenko for the patch.
   
            Fixed bug which broke DHCPv6/RA with prefix lengths         Fixed bug which broke DHCPv6/RA with prefix lengths 
            which are not divisible by 8. Thanks to Andre Coetzee         which are not divisible by 8. Thanks to Andre Coetzee 
            for spotting this.        for spotting this.
   
            Fix non-response to router-solicitations when        Fix non-response to router-solicitations when
            router-advertisement configured, but DHCPv6 not        router-advertisement configured, but DHCPv6 not
            configured. Thanks to Marien Zwart for the patch.        configured. Thanks to Marien Zwart for the patch.
   
            Add --dns-rr, to allow arbitrary DNS resource records.        Add --dns-rr, to allow arbitrary DNS resource records.
   
            Fixed bug which broke RA scheduling when an interface had        Fixed bug which broke RA scheduling when an interface had
            two addresses in the same network. Thanks to Jim Bos for        two addresses in the same network. Thanks to Jim Bos for
            his help nailing this.        his help nailing this.
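
Review bot: In the 2.62 entry "Cope with router-solict packets which don't have a valid source address", the change corrects "wich" but leaves "router-solict" on the same line. The later entry in this block spells it "router-solicitations", so fix it here too.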
   
 version 2.61  version 2.61
            Re-write interface discovery code on *BSD to use        Re-write interface discovery code on *BSD to use
            getifaddrs. This is more portable, more straightforward,        getifaddrs. This is more portable, more straightforward,
            and allows us to find the prefix length for IPv6        and allows us to find the prefix length for IPv6
            addresses.        addresses.
   
            Add ra-names, ra-stateless and slaac keywords for DHCPv6.        Add ra-names, ra-stateless and slaac keywords for DHCPv6.
            Dnsmasq can now synthesise AAAA records for dual-stack         Dnsmasq can now synthesise AAAA records for dual-stack 
            hosts which get IPv6 addresses via SLAAC. It is also now         hosts which get IPv6 addresses via SLAAC. It is also now 
            possible to use SLAAC and stateless DHCPv6, and to         possible to use SLAAC and stateless DHCPv6, and to 
            tell clients to use SLAAC addresses as well as DHCP ones.        tell clients to use SLAAC addresses as well as DHCP ones.
            Thanks to Dave Taht for help with this.        Thanks to Dave Taht for help with this.
   
            Add --dhcp-duid to allow DUID-EN uids to be used.        Add --dhcp-duid to allow DUID-EN uids to be used.
   
            Explicity send DHCPv6 replies to the correct port, instead        Explicitly send DHCPv6 replies to the correct port, instead
            of relying on clients to send requests with the correct        of relying on clients to send requests with the correct
            source address, since at least one client in the wild gets        source address, since at least one client in the wild gets
            this wrong. Thanks to Conrad Kostecki for help tracking        this wrong. Thanks to Conrad Kostecki for help tracking
            this down.        this down.
   
            Send a preference value of 255 in DHCPv6 replies when         Send a preference value of 255 in DHCPv6 replies when 
            --dhcp-authoritative is in effect. This tells clients not        --dhcp-authoritative is in effect. This tells clients not
            to wait around for other DHCP servers.        to wait around for other DHCP servers.
   
            Better logging of DHCPv6 options.        Better logging of DHCPv6 options.
   
            Add --host-record. Thanks to Rob Zwissler for the        Add --host-record. Thanks to Rob Zwissler for the
            suggestion.        suggestion.
   
            Invoke the DHCP script with action "tftp" when a TFTP file        Invoke the DHCP script with action "tftp" when a TFTP file
            transfer completes. The size of the file, address to which        transfer completes. The size of the file, address to which
            it was sent and complete pathname are supplied. Note that        it was sent and complete pathname are supplied. Note that
            version 2.60 introduced some script incompatibilties        version 2.60 introduced some script incompatibilities
            associated with DHCPv6, and this is a further change. To        associated with DHCPv6, and this is a further change. To
            be safe, scripts should ignore unknown actions, and if        be safe, scripts should ignore unknown actions, and if
            not IPv6-aware, should exit if the environment        not IPv6-aware, should exit if the environment
            variable DNSMASQ_IAID is set. The use-case for this is        variable DNSMASQ_IAID is set. The use-case for this is
            to track netboot/install.  Suggestion from Shantanu        to track netboot/install.  Suggestion from Shantanu
            Gadgil.        Gadgil.
   
            Update contrib/port-forward/dnsmasq-portforward to reflect        Update contrib/port-forward/dnsmasq-portforward to reflect
            the above.        the above.
   
            Set the environment variable DNSMASQ_LOG_DHCP when running        Set the environment variable DNSMASQ_LOG_DHCP when running
            the script id --log-dhcp is in effect, so that script can        the script id --log-dhcp is in effect, so that script can
            taylor their logging verbosity. Suggestion from Malte        taylor their logging verbosity. Suggestion from Malte
            Forkel.        Forkel.
             
            Arrange that addresses specified with --listen-address 
            work even if there is no interface carrying the 
            address. This is chiefly useful for IPv4 loopback 
            addresses, where any address in 127.0.0.0/8 is a valid 
            loopback address, but normally only 127.0.0.1 appears on 
            the lo interface. Thanks to Mathieu Trudel-Lapierre for 
            the idea and initial patch.  
   
            Fix crash, introduced in 2.60, when a DHCPINFORM is        Arrange that addresses specified with --listen-address
            received from a network which has no valid dhcp-range.        work even if there is no interface carrying the
            Thanks to Stephane Glondu for the bug report.        address. This is chiefly useful for IPv4 loopback
         addresses, where any address in 127.0.0.0/8 is a valid
         loopback address, but normally only 127.0.0.1 appears on
         the lo interface. Thanks to Mathieu Trudel-Lapierre for
         the idea and initial patch. 
   
            Add a new DHCP lease time keyword, "deprecated" for        Fix crash, introduced in 2.60, when a DHCPINFORM is
            --dhcp-range. This is only valid for IPv6, and sets the        received from a network which has no valid dhcp-range.
            preffered lease time for both DHCP and RA to zero. The        Thanks to Stephane Glondu for the bug report.
            effect is that clients can continue to use the address  
            for existing connections, but new connections will use 
            other addresses, if they exist. This makes hitless 
            renumbering at least possible. 
   
            Fix bug in address6_available() which caused DHCPv6 lease        Add a new DHCP lease time keyword, "deprecated" for
            aquisition to fail if more than one dhcp-range in use.        --dhcp-range. This is only valid for IPv6, and sets the
         preferred lease time for both DHCP and RA to zero. The
         effect is that clients can continue to use the address 
         for existing connections, but new connections will use
         other addresses, if they exist. This makes hitless
         renumbering at least possible.
   
            Provide RDNSS and DNSSL data in router advertisements,        Fix bug in address6_available() which caused DHCPv6 lease
            using the settings provided for DHCP options        acquisition to fail if more than one dhcp-range in use.
            option6:domain-search and option6:dns-server. 
   
            Tweak logo/favicon.ico to add some transparency. Thanks to        Provide RDNSS and DNSSL data in router advertisements,
            SamLT for work on this.        using the settings provided for DHCP options
                    option6:domain-search and option6:dns-server.
            Don't cache data from non-recursive nameservers, since it 
            may erroneously look like a valid CNAME to a non-exitant 
            name. Thanks to Ben Winslow for finding this. 
   
            Call SO_BINDTODEVICE on the DHCP socket(s) when doing DHCP        Tweak logo/favicon.ico to add some transparency. Thanks to
            on exactly one interface and --bind-interfaces is set. This         SamLT for work on this.
            makes the OpenStack use-case of one dnsmasq per virtual 
            interface work. This is only available on Linux; it's not 
            supported on other platforms. Thanks to Vishvananda Ishaya 
            and the OpenStack team for the suggestion. 
   
            Updated French translation. Thanks to Gildas Le Nadan.        Don't cache data from non-recursive nameservers, since it
         may erroneously look like a valid CNAME to a non-existent
         name. Thanks to Ben Winslow for finding this.
   
            Give correct from-cache answers to explict CNAME queries.        Call SO_BINDTODEVICE on the DHCP socket(s) when doing DHCP
            Thanks to Rob Zwissler for spotting this.        on exactly one interface and --bind-interfaces is set. This 
                    makes the OpenStack use-case of one dnsmasq per virtual
            Add --tftp-lowercase option. Thanks to Oliver Rath for the        interface work. This is only available on Linux; it's not
            patch.         supported on other platforms. Thanks to Vishvananda Ishaya
         and the OpenStack team for the suggestion.
   
            Ensure that the DBus DhcpLeaseUpdated events are generated        Updated French translation. Thanks to Gildas Le Nadan.
            when a lease goes through INIT_REBOOT state, even if the 
            dhcp-script is not in use. Thanks to Antoaneta-Ecaterina 
            Ene for the patch. 
   
            Fix failure of TFTP over IPv4 on OpenBSD platform. Thanks        Give correct from-cache answers to explicit CNAME queries.
            to Brad Smith for spotting this.        Thanks to Rob Zwissler for spotting this.
             
   
           Add --tftp-lowercase option. Thanks to Oliver Rath for the
           patch. 
   
           Ensure that the DBus DhcpLeaseUpdated events are generated
           when a lease goes through INIT_REBOOT state, even if the
           dhcp-script is not in use. Thanks to Antoaneta-Ecaterina
           Ene for the patch.
   
           Fix failure of TFTP over IPv4 on OpenBSD platform. Thanks
           to Brad Smith for spotting this.
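
Review bot: The DNSMASQ_LOG_DHCP entry in 2.61 still reads "when running the script id --log-dhcp is in effect, so that script can taylor their logging verbosity" in both columns; "id" should be "if" and "taylor" should be "tailor". This block already corrects "Explicitly", "incompatibilities", "preferred", "acquisition", "non-existent" and "explicit", so these two belong in the same pass. As in 2.63, the large shifted region from --listen-address down to the OpenBSD TFTP entry is whitespace-only apart from those words, which makes the real edits hard to pick out.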
   
   
 version 2.60  version 2.60
            Fix compilation problem in Mac OS X Lion. Thanks to Olaf        Fix compilation problem in Mac OS X Lion. Thanks to Olaf
            Flebbe for the patch.        Flebbe for the patch.
   
            Fix DHCP when using --listen-address with an IP address        Fix DHCP when using --listen-address with an IP address
            which is not the primary address of an interface.        which is not the primary address of an interface.
   
            Add --dhcp-client-update option.        Add --dhcp-client-update option.
   
            Add Lua integration. Dnsmasq can now execute a DHCP        Add Lua integration. Dnsmasq can now execute a DHCP
            lease-change script written in Lua. This needs to be        lease-change script written in Lua. This needs to be
            enabled at compile time by setting HAVE_LUASCRIPT in         enabled at compile time by setting HAVE_LUASCRIPT in 
            src/config.h or running "make COPTS=-DHAVE_LUASCRIPT"        src/config.h or running "make COPTS=-DHAVE_LUASCRIPT"
            Thanks to Jan-Piet Mens for the idea and proof-of-concept         Thanks to Jan-Piet Mens for the idea and proof-of-concept 
            implementation.        implementation.
             
            Tidied src/config.h to distinguish between 
            platform-dependent compile-time options which are selected 
            automatically, and builder-selectable compile time 
            options. Document the latter better, and describe how to 
            set them from the make command line. 
   
            Tidied up IPPROTO_IP/SOL_IP (and IPv6 equivalent)        Tidied src/config.h to distinguish between
            confusion. IPPROTO_IP works everywhere now.        platform-dependent compile-time options which are selected
                    automatically, and builder-selectable compile time
            Set TOS on DHCP sockets, this improves things on busy        options. Document the latter better, and describe how to
            wireless networks. Thanks to Dave Taht for the patch.        set them from the make command line.
   
            Determine VERSION automatically based on git magic:        Tidied up IPPROTO_IP/SOL_IP (and IPv6 equivalent)
            release tags or hash values.        confusion. IPPROTO_IP works everywhere now.
   
            Improve start-up speed when reading large hosts files         Set TOS on DHCP sockets, this improves things on busy
            containing many distinct addresses.        wireless networks. Thanks to Dave Taht for the patch.
   
            Fix problem if dnsmasq is started without the stdin,        Determine VERSION automatically based on git magic:
            stdout and stderr file descriptors open. This can manifest        release tags or hash values.
            itself as 100% CPU use. Thanks to Chris Moore for finding 
            this. 
   
            Fix shell-scripting bug in bld/pkg-wrapper. Thanks to         Improve start-up speed when reading large hosts files 
            Mark Mitchell for the patch.        containing many distinct addresses.
   
            Allow the TFP server or boot server in --pxe-service, to        Fix problem if dnsmasq is started without the stdin,
            be a domain name instead of an IP address. This allows for        stdout and stderr file descriptors open. This can manifest
            round-robin to multiple servers, in the same way as        itself as 100% CPU use. Thanks to Chris Moore for finding
            --dhcp-boot. A good suggestion from Cristiano Cumer.        this.
   
            Support BUILDDIR variable in the Makefile. Allows builds         Fix shell-scripting bug in bld/pkg-wrapper. Thanks to 
            for multiple archs from the same source tree with eg.        Mark Mitchell for the patch.
            make BUILDDIR=linux             (relative to dnsmasq tree) 
            make BUILDDIR=/tmp/openbsd      (absolute path) 
            If BUILDDIR is not set, compilation happens in the src 
            directory, as before. Suggestion from Mark Mitchell. 
   
            Support DHCPv6. Support is there for the sort of things        Allow the TFP server or boot server in --pxe-service, to
            the existing v4 server does, including tags, options,         be a domain name instead of an IP address. This allows for
            static addresses and relay support. Missing is prefix         round-robin to multiple servers, in the same way as
            delegation, which is probably not required in the dnsmasq        --dhcp-boot. A good suggestion from Cristiano Cumer.
            niche, and an easy way to accept prefix delegations from 
            an upstream DHCPv6 server, which is. Future plans include 
            support for DHCPv6 router option and MAC address option 
            (to make selecting clients by MAC address work like IPv4). 
            These will be added as the standards mature. 
            This code has been tested, but this is the first release, 
            so don't bet the farm on it just yet. Many thanks to all  
            testers who have got it this far. 
   
            Support IPv6 router advertisements. This is a        Support BUILDDIR variable in the Makefile. Allows builds 
            simple-minded implementation, aimed at providing the        for multiple archs from the same source tree with eg.
            vestigial RA needed to go alongside IPv6. Is picks up        make BUILDDIR=linux             (relative to dnsmasq tree)
            configuration from the DHCPv6 conf, and should just need        make BUILDDIR=/tmp/openbsd      (absolute path)
            enabling with --enable-ra.           If BUILDDIR is not set, compilation happens in the src
         directory, as before. Suggestion from Mark Mitchell.
   
            Fix long-standing wrinkle with --localise-queries that        Support DHCPv6. Support is there for the sort of things
            could result in wrong answers when DNS packets arrive        the existing v4 server does, including tags, options, 
            via an interface other than the expected one. Thanks to         static addresses and relay support. Missing is prefix 
            Lorenzo Milesi and John Hanks for spotting this one.        delegation, which is probably not required in the dnsmasq
         niche, and an easy way to accept prefix delegations from
            Update French translation. Thanks to Gildas Le Nadan.        an upstream DHCPv6 server, which is. Future plans include
         support for DHCPv6 router option and MAC address option
         (to make selecting clients by MAC address work like IPv4).
         These will be added as the standards mature.
         This code has been tested, but this is the first release,
         so don't bet the farm on it just yet. Many thanks to all 
         testers who have got it this far.
   
            Update Polish translation. Thanks to Jan Psota.        Support IPv6 router advertisements. This is a
         simple-minded implementation, aimed at providing the
         vestigial RA needed to go alongside IPv6. Is picks up
         configuration from the DHCPv6 conf, and should just need
         enabling with --enable-ra.   
   
           Fix long-standing wrinkle with --localise-queries that
           could result in wrong answers when DNS packets arrive
           via an interface other than the expected one. Thanks to 
           Lorenzo Milesi and John Hanks for spotting this one.
   
           Update French translation. Thanks to Gildas Le Nadan.
   
           Update Polish translation. Thanks to Jan Psota.
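
Review bot: The 2.60 block is re-flowed here without any wording change, and two typos survive in the new column: "Allow the TFP server or boot server in --pxe-service" should say TFTP, and "Is picks up configuration from the DHCPv6 conf" in the router-advertisement entry should read "It picks up". If the intent of this revision is whitespace normalisation only, say so in the commit log; otherwise fix these while the lines are already being touched.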
   
   
 version 2.59  version 2.59
            Fix regression in 2.58 which caused failure to start up        Fix regression in 2.58 which caused failure to start up
            with some combinations of dnsmasq config and IPv6 kernel        with some combinations of dnsmasq config and IPv6 kernel
            network config. Thanks to Brielle Bruns for the bug        network config. Thanks to Brielle Bruns for the bug
            report.        report.
   
            Improve dnsmasq's behaviour when network interfaces are        Improve dnsmasq's behaviour when network interfaces are
            still doing duplicate address detection (DAD). Previously,        still doing duplicate address detection (DAD). Previously,
            dnsmasq would wait up to 20 seconds at start-up for the        dnsmasq would wait up to 20 seconds at start-up for the
            DAD state to terminate. This is broken for bridge        DAD state to terminate. This is broken for bridge
            interfaces on recent Linux kernels, which don't start DAD        interfaces on recent Linux kernels, which don't start DAD
            until the bridge comes up, and so can take arbitrary        until the bridge comes up, and so can take arbitrary
            time. The new behaviour lets dnsmasq poll for an arbitrary        time. The new behaviour lets dnsmasq poll for an arbitrary
            time whilst providing service on other interfaces. Thanks        time whilst providing service on other interfaces. Thanks
            to Stephen Hemminger for pointing out the problem.        to Stephen Hemminger for pointing out the problem.
   
   
 version 2.58  version 2.58
            Provide a definition of the SA_SIZE macro where it's         Provide a definition of the SA_SIZE macro where it's 
            missing. Fixes build failure on openBSD.        missing. Fixes build failure on openBSD.
   
            Don't include a zero terminator at the end of messages        Don't include a zero terminator at the end of messages
            sent to /dev/log when /dev/log is a datagram socket.        sent to /dev/log when /dev/log is a datagram socket.
            Thanks to Didier Rabound for spotting the problem.        Thanks to Didier Rabound for spotting the problem.
   
            Add --dhcp-sequential-ip flag, to force allocation of IP        Add --dhcp-sequential-ip flag, to force allocation of IP
            addresses in ascending order. Note that the default        addresses in ascending order. Note that the default
            pseudo-random mode is in general better but some        pseudo-random mode is in general better but some
            server-deployment applications need this.        server-deployment applications need this.
   
            Fix problem where a server-id of 0.0.0.0 is sent to a        Fix problem where a server-id of 0.0.0.0 is sent to a
            client when a dhcp-relay is in use if a client renews a        client when a dhcp-relay is in use if a client renews a
            lease after dnsmasq restart and before any clients on the        lease after dnsmasq restart and before any clients on the
            subnet get a new lease. Thanks to Mike Ruiz for assistance        subnet get a new lease. Thanks to Mike Ruiz for assistance
            in chasing this one down.         in chasing this one down. 
   
            Don't return NXDOMAIN to an AAAA query if we have CNAME        Don't return NXDOMAIN to an AAAA query if we have CNAME
            which points to an A record only: NODATA is the correct        which points to an A record only: NODATA is the correct
            reply in this case. Thanks to Tom Fernandes for spotting        reply in this case. Thanks to Tom Fernandes for spotting
            the problem.        the problem.
   
            Relax the need to supply a netmask in --dhcp-range for        Relax the need to supply a netmask in --dhcp-range for
            networks which use a DHCP relay. Whilst this is still        networks which use a DHCP relay. Whilst this is still
            desireable, in the absence of a netmask dnsmasq will use        desirable, in the absence of a netmask dnsmasq will use
            a default based on the class (A, B, or C) of the address.         a default based on the class (A, B, or C) of the address. 
            This should at least remove a cause of mysterious failure         This should at least remove a cause of mysterious failure 
            for people using RFC1918 addresses and relays.        for people using RFC1918 addresses and relays.
   
            Add support for Linux conntrack connection marking. If         Add support for Linux conntrack connection marking. If 
            enabled with --conntrack, the connection mark for incoming        enabled with --conntrack, the connection mark for incoming
            DNS queries will be copied  to the outgoing connections        DNS queries will be copied  to the outgoing connections
            used to answer those queries. This allows clever firewall        used to answer those queries. This allows clever firewall
            and accounting stuff. Only available if dnsmasq is        and accounting stuff. Only available if dnsmasq is
            compiled with HAVE_CONNTRACK and adds a dependency on         compiled with HAVE_CONNTRACK and adds a dependency on 
            libnetfilter-conntrack. Thanks to Ed Wildgoose for the        libnetfilter-conntrack. Thanks to Ed Wildgoose for the
            initial idea, testing and sponsorship of this function.        initial idea, testing and sponsorship of this function.
   
            Provide a sane error message when someone attempts to         Provide a sane error message when someone attempts to 
            match a tag in --dhcp-host.        match a tag in --dhcp-host.
   
            Tweak the behaviour of --domain-needed, to avoid problems        Tweak the behaviour of --domain-needed, to avoid problems
            with recursive nameservers downstream of dnsmasq. The new        with recursive nameservers downstream of dnsmasq. The new
            behaviour only stops A and AAAA queries, and returns        behaviour only stops A and AAAA queries, and returns
            NODATA rather than NXDOMAIN replies.         NODATA rather than NXDOMAIN replies. 
   
            Efficiency fix for very large DHCP configurations, thanks        Efficiency fix for very large DHCP configurations, thanks
            to James Gartrell and Mike Ruiz for help with this.         to James Gartrell and Mike Ruiz for help with this. 
   
            Allow the TFTP-server address in --dhcp-boot to be a        Allow the TFTP-server address in --dhcp-boot to be a
            domain-name which is looked up in /etc/hosts. This can         domain-name which is looked up in /etc/hosts. This can 
            give multiple IP addresses which are used round-robin,        give multiple IP addresses which are used round-robin,
            thus doing TFTP server load-balancing. Thanks to Sushil        thus doing TFTP server load-balancing. Thanks to Sushil
            Agrawal for the patch.        Agrawal for the patch.
   
            When two tagged dhcp-options for a particular option        When two tagged dhcp-options for a particular option
            number are both valid, use the one which is valid without        number are both valid, use the one which is valid without
            a tag from the dhcp-range. Allows overriding of the value        a tag from the dhcp-range. Allows overriding of the value
            of a DHCP option for a particular host as well as        of a DHCP option for a particular host as well as
            per-network values.  So         per-network values.  So 
            --dhcp-range=set:interface1,......        --dhcp-range=set:interface1,......
            --dhcp-host=set:myhost,.....          --dhcp-host=set:myhost,.....  
            --dhcp-option=tag:interface1,option:nis-domain,"domain1"         --dhcp-option=tag:interface1,option:nis-domain,"domain1" 
            --dhcp-option=tag:myhost,option:nis-domain,"domain2"         --dhcp-option=tag:myhost,option:nis-domain,"domain2" 
            will set the NIS-domain to domain1 for hosts in the range, but        will set the NIS-domain to domain1 for hosts in the range, but
            override that to domain2 for a particular host.        override that to domain2 for a particular host.
   
            Fix bug which resulted in truncated files and timeouts for        Fix bug which resulted in truncated files and timeouts for
            some TFTP transfers. The bug only occurs with netascii        some TFTP transfers. The bug only occurs with netascii
            transfers and needs an unfortunate relationship between        transfers and needs an unfortunate relationship between
            file size, blocksize and the number of newlines in the        file size, blocksize and the number of newlines in the
            last block before it manifests itself. Many thanks to         last block before it manifests itself. Many thanks to 
            Alkis Georgopoulos for spotting the problem and providing        Alkis Georgopoulos for spotting the problem and providing
            a comprehensive test-case.         a comprehensive test-case. 
   
            Fix regression in TFTP server on *BSD platforms introduced        Fix regression in TFTP server on *BSD platforms introduced
            in version 2.56, due to confusion with sockaddr        in version 2.56, due to confusion with sockaddr
            length. Many thanks to Loic Pefferkorn for finding this.        length. Many thanks to Loic Pefferkorn for finding this.
   
            Support scope-ids in IPv6 addresses of nameservers from        Support scope-ids in IPv6 addresses of nameservers from
            /etc/resolv.conf and in --server options. Eg        /etc/resolv.conf and in --server options. Eg
            nameserver fe80::202:a412:4512:7bbf%eth0 or        nameserver fe80::202:a412:4512:7bbf%eth0 or
            server=fe80::202:a412:4512:7bbf%eth0. Thanks to         server=fe80::202:a412:4512:7bbf%eth0. Thanks to 
            Michael Stapelberg for the suggestion.        Michael Stapelberg for the suggestion.
   
            Update Polish translation, thanks to Jan Psota.        Update Polish translation, thanks to Jan Psota.
   
            Update French translation. Thanks to Gildas Le Nadan.        Update French translation. Thanks to Gildas Le Nadan.
   
   
 version 2.57  version 2.57
            Add patches to allow build under Android.        Add patches to allow build under Android.
   
            Provide our own header for the DNS protocol, rather than        Provide our own header for the DNS protocol, rather than
            relying on arpa/nameser.h. This has proved more or less        relying on arpa/nameser.h. This has proved more or less
            defective over the years and the final straw is that it's        defective over the years and the final straw is that it's
            effectively empty on Android.        effectively empty on Android.
   
            Fix regression in 2.56 which caused hex constants in        Fix regression in 2.56 which caused hex constants in
            configuration to be rejected if they contain the '*'        configuration to be rejected if they contain the '*'
            wildcard.        wildcard.
   
            Correct wrong casts of arguments to ctype.h functions,        Correct wrong casts of arguments to ctype.h functions,
            isdigit(), isxdigit() etc. Thanks to Matthias Andree for        isdigit(), isxdigit() etc. Thanks to Matthias Andree for
            spotting this.        spotting this.
   
            Allow build with IDN support independently from i18n.         Allow build with IDN support independently from i18n. 
            IDN support continues to be included automatically         IDN support continues to be included automatically 
            when i18n is included.         when i18n is included. 
            'make COPTS=-DHAVE_IDN' is the magic incantation.         'make COPTS=-DHAVE_IDN' is the magic incantation. 
   
            Modify check on extraneous command line junk (added in        Modify check on extraneous command line junk (added in
            2.56) so that it doesn't complain about extra _empty_         2.56) so that it doesn't complain about extra _empty_ 
            arguments. Otherwise this breaks libvirt.        arguments. Otherwise this breaks libvirt.
   
   
 version 2.56  version 2.56
            Add a patch to allow dnsmasq to get interface names right in a        Add a patch to allow dnsmasq to get interface names right in a
            Solaris zone. Thanks to Dj Padzensky for this.        Solaris zone. Thanks to Dj Padzensky for this.
   
            Improve data-type parsing heuristics so that        Improve data-type parsing heuristics so that
            --dhcp-option=option:domain-search,.         --dhcp-option=option:domain-search,. 
            treats the value as a string and not an IP address.        treats the value as a string and not an IP address.
            Thanks to Clemens Fischer for spotting that.        Thanks to Clemens Fischer for spotting that.
   
            Add IPv6 support to the TFTP server. Many thanks to Jan         Add IPv6 support to the TFTP server. Many thanks to Jan 
            'RedBully' Seiffert for the patches.        'RedBully' Seiffert for the patches.
             
            Log DNS queries at level LOG_INFO, rather then 
            LOG_DEBUG. This makes things consistent with DHCP 
            logging. Thanks to Adam Pribyl for spotting the problem. 
   
            Ensure that dnsmasq terminates cleanly when using        Log DNS queries at level LOG_INFO, rather then
            --syslog-async even if it cannot make a connection to the        LOG_DEBUG. This makes things consistent with DHCP
            syslogd.        logging. Thanks to Adam Pribyl for spotting the problem.
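Review bot: The new side of the LOG_INFO entry still reads "rather then LOG_DEBUG". This revision corrects spelling in the neighbouring 2.56 entries ("orignal", "--keep-in-forground", "assumned"), so change "then" to "than" here as well rather than leaving it for a later pass.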
   
            Add --add-mac option. This is to support currently         Ensure that dnsmasq terminates cleanly when using
            experimental DNS filtering facilities. Thanks to Benjamin        --syslog-async even if it cannot make a connection to the
            Petrin for the orignal patch.         syslogd.
   
            Fix bug which meant that tags were ignored in dhcp-range        Add --add-mac option. This is to support currently 
            configuration specifying PXE-proxy service. Thanks to        experimental DNS filtering facilities. Thanks to Benjamin
            Cristiano Cumer for spotting this.        Petrin for the original patch. 
   
            Raise an error if there is extra junk, not part of an        Fix bug which meant that tags were ignored in dhcp-range
            option, on the command line.        configuration specifying PXE-proxy service. Thanks to
         Cristiano Cumer for spotting this.
   
            Flag a couple of log messages in cache.c as coming from        Raise an error if there is extra junk, not part of an
            the DHCP subsystem. Thanks to Olaf Westrik for the patch.        option, on the command line.
   
            Omit timestamps from logs when a) logging to stderr and         Flag a couple of log messages in cache.c as coming from
            b) --keep-in-forground is set. The logging facility on the        the DHCP subsystem. Thanks to Olaf Westrik for the patch.
            other end of stderr can be assumned to supply them. Thanks 
            to John Hallam for the patch. 
   
            Don't complain about strings longer than 255 characters in        Omit timestamps from logs when a) logging to stderr and 
            --txt-record, just split the long strings into 255        b) --keep-in-foreground is set. The logging facility on the
            character chunks instead.        other end of stderr can be assumed to supply them. Thanks
         to John Hallam for the patch.
   
            Fix crash on double-free. This bug can only happen when        Don't complain about strings longer than 255 characters in
            dhcp-script is in use and then only in rare circumstances        --txt-record, just split the long strings into 255
            triggered by high DHCP transaction rate and a slow        character chunks instead.
            script. Thanks to Ferenc Wagner for finding the problem. 
   
            Only log that a file has been sent by TFTP after the        Fix crash on double-free. This bug can only happen when
            transfer has completed succesfully.         dhcp-script is in use and then only in rare circumstances
         triggered by high DHCP transaction rate and a slow
         script. Thanks to Ferenc Wagner for finding the problem.
   
            A good suggestion from Ferenc Wagner: extend        Only log that a file has been sent by TFTP after the
            the --domain option to allow this sort of thing:        transfer has completed successfully. 
            --domain=thekelleys.org.uk,192.168.0.0/24,local 
            which automatically creates 
            --local=/thekelleys.org.uk/ 
            --local=/0.168.192.in-addr.arpa/  
   
            Tighten up syntax checking of hex contants in the config        A good suggestion from Ferenc Wagner: extend
            file.  Thanks to Fred Damen for spotting this.        the --domain option to allow this sort of thing:
         --domain=thekelleys.org.uk,192.168.0.0/24,local
         which automatically creates
         --local=/thekelleys.org.uk/
         --local=/0.168.192.in-addr.arpa/ 
   
            Add dnsmasq logo/icon, contributed by Justin Swift. Many        Tighten up syntax checking of hex constants in the config
            thanks for that.        file.  Thanks to Fred Damen for spotting this.
   
            Never cache DNS replies which have the 'cd' bit set, or        Add dnsmasq logo/icon, contributed by Justin Swift. Many
            which result from queries forwarded with the 'cd' bit        thanks for that.
            set. The 'cd' bit instructs a DNSSEC validating server 
            upstream to ignore signature failures and return replies 
            anyway. Without this change it's possible to pollute the 
            dnsmasq cache with bad data by making a query with the 
            'cd' bit set and subsequent queries would return this data 
            without its being marked as suspect. Thanks to Anders 
            Kaseorg for pointing out this problem. 
   
            Add --proxy-dnssec flag, for compliance with RFC        Never cache DNS replies which have the 'cd' bit set, or
            4035. Dnsmasq will now clear the 'ad' bit in answers returned        which result from queries forwarded with the 'cd' bit
            from upstream validating nameservers unless this option is        set. The 'cd' bit instructs a DNSSEC validating server
            set.        upstream to ignore signature failures and return replies
         anyway. Without this change it's possible to pollute the
         dnsmasq cache with bad data by making a query with the
         'cd' bit set and subsequent queries would return this data
         without its being marked as suspect. Thanks to Anders
         Kaseorg for pointing out this problem.
   
            Allow a filename of "-" for --conf-file to read        Add --proxy-dnssec flag, for compliance with RFC
            stdin. Suggestion from Timothy Redaelli.        4035. Dnsmasq will now clear the 'ad' bit in answers returned
         from upstream validating nameservers unless this option is
         set.
   
            Rotate the order of SRV records in replies, to provide        Allow a filename of "-" for --conf-file to read
            round-robin load balancing when all the priorities are        stdin. Suggestion from Timothy Redaelli.
            equal. Thanks to Peter McKinney for the suggestion.        
   
            Edit        Rotate the order of SRV records in replies, to provide
            contrib/MacOSX-launchd/uk.org.thekelleys.dnsmasq.plist         round-robin load balancing when all the priorities are
            so that it doesn't log all queries to a file by        equal. Thanks to Peter McKinney for the suggestion. 
            default. Thanks again to Peter McKinney.     
   
            By default, setting an IPv4 address for a domain but not        Edit
            an IPv6 address causes dnsmasq to return        contrib/MacOSX-launchd/uk.org.thekelleys.dnsmasq.plist 
            an NODATA reply for IPv6 (or vice-versa). So        so that it doesn't log all queries to a file by
            --address=/google.com/1.2.3.4 stops IPv6 queries for        default. Thanks again to Peter McKinney.    
            *google.com from being forwarded. Make it possible to 
            override this behaviour by defining the sematics if the 
            same domain appears in  both --server and --address. 
            In that case, the --address has priority for the address 
            family in which is appears, but the --server has priority 
            of the address family which doesn't appear in --adddress   
            So: 
            --address=/google.com/1.2.3.4 
            --server=/google.com/# 
            will return 1.2.3.4 for IPv4 queries for *.google.com but 
            forward IPv6 queries to the normal upstream nameserver. 
            Similarly when setting an IPv6 address 
            only this will allow forwarding of IPv4 queries. Thanks to 
            William for pointing out the need for this. 
   
            Allow more than one --dhcp-optsfile and --dhcp-hostsfile        By default, setting an IPv4 address for a domain but not
            and make them understand directories as arguments in the        an IPv6 address causes dnsmasq to return
            same way as --addn-hosts. Suggestion from John Hanks        a NODATA reply for IPv6 (or vice-versa). So
         --address=/google.com/1.2.3.4 stops IPv6 queries for
         *google.com from being forwarded. Make it possible to
         override this behaviour by defining the semantics if the
         same domain appears in  both --server and --address.
         In that case, the --address has priority for the address
         family in which is appears, but the --server has priority
         of the address family which doesn't appear in --address  
         So:
         --address=/google.com/1.2.3.4
         --server=/google.com/#
         will return 1.2.3.4 for IPv4 queries for *.google.com but
         forward IPv6 queries to the normal upstream nameserver.
         Similarly when setting an IPv6 address
         only this will allow forwarding of IPv4 queries. Thanks to
         William for pointing out the need for this.
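Review bot: In the --server/--address entry the new text fixes "sematics" and "--adddress" but keeps "family in which is appears" and "has priority of the address family". Suggest "family in which it appears" and "priority for the address family". The entry also writes the wildcard as "*google.com" in one place and "*.google.com" in another. Since these lines document which queries are answered locally and which are forwarded upstream, use one form throughout.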
   
            Ignore rebinding requests for leases we don't know        Allow more than one --dhcp-optsfile and --dhcp-hostsfile
            about. Rebind is broadcast, so we might get to overhear a        and make them understand directories as arguments in the
            request meant for another DHCP server. NAKing this is        same way as --addn-hosts. Suggestion from John Hanks
            wrong. Thanks to Brad D'Hondt for assistance with this. 
   
            Fix cosmetic bug which produced strange output when        Ignore rebinding requests for leases we don't know
            dumping cache statistics with some configurations. Thanks        about. Rebind is broadcast, so we might get to overhear a
            to Fedor Kozhevnikov for spotting this.        request meant for another DHCP server. NAKing this is
         wrong. Thanks to Brad D'Hondt for assistance with this.
   
           Fix cosmetic bug which produced strange output when
           dumping cache statistics with some configurations. Thanks
           to Fedor Kozhevnikov for spotting this.
   
   
 version 2.55  version 2.55
            Fix crash when /etc/ethers is in use. Thanks to         Fix crash when /etc/ethers is in use. Thanks to 
            Gianluigi Tiesi for finding this.        Gianluigi Tiesi for finding this.
   
            Fix crash in netlink_multicast(). Thanks to Arno Wald for        Fix crash in netlink_multicast(). Thanks to Arno Wald for
            finding this one.        finding this one.
   
            Allow the empty domain "." in dhcp domain-search (119)        Allow the empty domain "." in dhcp domain-search (119)
            options.         options. 
   
   
 version 2.54  version 2.54
            There is no version 2.54 to avoid confusion with 2.53,        There is no version 2.54 to avoid confusion with 2.53,
            which incorrectly identifies itself as 2.54.        which incorrectly identifies itself as 2.54.
   
   
 version 2.53  version 2.53
            Fix failure to compile on Debian/kFreeBSD. Thanks to         Fix failure to compile on Debian/kFreeBSD. Thanks to 
            Axel Beckert and Petr Salinger.        Axel Beckert and Petr Salinger.
   
            Fix code to avoid scary strict-aliasing warnings        Fix code to avoid scary strict-aliasing warnings
            generated by gcc 4.4.        generated by gcc 4.4.
                    
            Added FAQ entry warning about DHCP failures with Vista        Added FAQ entry warning about DHCP failures with Vista
            when firewalls block 255.255.255.255.        when firewalls block 255.255.255.255.
                    
            Fixed bug which caused bad things to happen if a         Fixed bug which caused bad things to happen if a 
            resolv.conf file which exists is subsequently removed.        resolv.conf file which exists is subsequently removed.
            Thanks to Nikolai Saoukh for the patch.        Thanks to Nikolai Saoukh for the patch.
   
            Rationalised the DHCP tag system. Every configuration item        Rationalised the DHCP tag system. Every configuration item
            which can set a tag does so by adding "set:<tag>" and        which can set a tag does so by adding "set:<tag>" and
            every configuration item which is conditional on a tag is        every configuration item which is conditional on a tag is
            made so by "tag:<tag>". The NOT operator changes to '!',        made so by "tag:<tag>". The NOT operator changes to '!',
            which is a bit more intuitive too. Dhcp-host directives        which is a bit more intuitive too. Dhcp-host directives
            can set more than one tag now. The old '#' NOT,         can set more than one tag now. The old '#' NOT, 
            "net:" prefix and no-prefixes are still honoured, so         "net:" prefix and no-prefixes are still honoured, so 
            no existing config file needs to be changed, but         no existing config file needs to be changed, but 
            the documentation and new-style config files should be         the documentation and new-style config files should be 
            much less confusing.         much less confusing. 
   
            Added --tag-if to allow boolean operations on tags.         Added --tag-if to allow boolean operations on tags. 
            This allows complicated logic to be clearer and more         This allows complicated logic to be clearer and more 
            general. A great suggestion from Richard Voigt.         general. A great suggestion from Richard Voigt. 
   
            Add broadcast/unicast information to DHCP logging.        Add broadcast/unicast information to DHCP logging.
   
            Allow --dhcp-broadcast to be unconditional.        Allow --dhcp-broadcast to be unconditional.
   
            Fixed incorrect behaviour with NOT <tag> conditionals in        Fixed incorrect behaviour with NOT <tag> conditionals in
            dhcp-options. Thanks to Max Turkewitz for assistance        dhcp-options. Thanks to Max Turkewitz for assistance
            finding this.        finding this.
   
            If we send vendor-class encapsulated options based on the        If we send vendor-class encapsulated options based on the
            vendor-class supplied by the client, and no explicit         vendor-class supplied by the client, and no explicit 
            vendor-class option is given, echo back the vendor-class        vendor-class option is given, echo back the vendor-class
            from the client.        from the client.
         
            Fix bug which stopped dnsmasq from matching both a        Fix bug which stopped dnsmasq from matching both a
            circuitid and a remoteid. Thanks to Ignacio Bravo for        circuitid and a remoteid. Thanks to Ignacio Bravo for
            finding this.        finding this.
   
            Add --dhcp-proxy, which makes it possible to configure        Add --dhcp-proxy, which makes it possible to configure
            dnsmasq to use a DHCP relay agent as a full proxy, with        dnsmasq to use a DHCP relay agent as a full proxy, with
            all DHCP messages passing through the proxy. This is        all DHCP messages passing through the proxy. This is
            useful if the relay adds extra information to the packets        useful if the relay adds extra information to the packets
            it forwards, but cannot be configured with the RFC 5107         it forwards, but cannot be configured with the RFC 5107 
            server-override option.        server-override option.
   
            Added interface:<iface name> part to dhcp-range. The        Added interface:<iface name> part to dhcp-range. The
            semantics of this are very odd at first sight, but it        semantics of this are very odd at first sight, but it
            allows a single line  of the form        allows a single line  of the form
                dhcp-range=interface:virt0,192.168.0.4,192.168.0.200        dhcp-range=interface:virt0,192.168.0.4,192.168.0.200
            to be added to dnsmasq configuration which then supplies        to be added to dnsmasq configuration which then supplies
            DHCP and DNS services to that interface, without affecting        DHCP and DNS services to that interface, without affecting
            what services are supplied to other interfaces and         what services are supplied to other interfaces and 
            irrespective of the existance or lack of         irrespective of the existence or lack of 
                interface=<interface>         interface=<interface> 
            lines elsewhere in the dnsmasq configuration. The idea is        lines elsewhere in the dnsmasq configuration. The idea is
            that such a line can be added automatically by libvirt        that such a line can be added automatically by libvirt
            or equivalent systems, without disturbing any manual        or equivalent systems, without disturbing any manual
            configuration.        configuration.
   
            Similarly to the above, allow --enable-tftp=<interface>        Similarly to the above, allow --enable-tftp=<interface>
   
            Allow a TFTP root to be set separately for requests via        Allow a TFTP root to be set separately for requests via
            different interfaces, --tftp-root=<path>,<interface>                     different interfaces, --tftp-root=<path>,<interface>             
   
            Correctly handle and log clashes between CNAMES and         Correctly handle and log clashes between CNAMES and 
            DNS names being given to DHCP leases. This fixes a bug         DNS names being given to DHCP leases. This fixes a bug 
            which caused nonsense IP addresses to be logged. Thanks to         which caused nonsense IP addresses to be logged. Thanks to 
            Sergei Zhirikov for finding and analysing the problem.        Sergei Zhirikov for finding and analysing the problem.
   
            Tweak flush_log so as to avoid leaving the log        Tweak flush_log so as to avoid leaving the log
            file in non-blocking mode. O_NONBLOCK is a property of the        file in non-blocking mode. O_NONBLOCK is a property of the
            file, not the process/descriptor.        file, not the process/descriptor.
   
            Fix contrib/Solaris10/create_package        Fix contrib/Solaris10/create_package
            (/usr/man -> /usr/share/man) Thanks to Vita Batrla.        (/usr/man -> /usr/share/man) Thanks to Vita Batrla.
   
            Fix a problem where, if a client got a lease, then went        Fix a problem where, if a client got a lease, then went
            to another subnet and got another lease, then moved back,        to another subnet and got another lease, then moved back,
            it couldn't resume the old lease, but would instead get         it couldn't resume the old lease, but would instead get 
            a new address. Thanks to Leonardo Rodrigues for spotting        a new address. Thanks to Leonardo Rodrigues for spotting
            this and testing the fix.        this and testing the fix.
             
            Fix weird bug which sometimes omitted certain characters 
            from the start of quoted strings in dhcp-options. Thanks 
            to Dayton Turner for spotting the problem. 
   
            Add facility to redirect some domains to the standard        Fix weird bug which sometimes omitted certain characters
            upstream servers: this allows something like         from the start of quoted strings in dhcp-options. Thanks
            --server=/google.com/1.2.3.4 --server=/www.google.com/#        to Dayton Turner for spotting the problem.
            which will send queries for *.google.com to 1.2.3.4, 
            except *www.google.com which will be forwarded as usual. 
            Thanks to AJ Weber for prompting this addition. 
  
            Improve the hash-algorithm used to generate IP addresses 
            from MAC addresses during initial DHCP address 
            allocation. This improves performance when large numbers 
            of hosts with similar MAC addresses all try and get an IP 
            address at the same time. Thanks to Paul Smith for his 
            work on this. 
   
            Tweak DHCP code so that --bridge-interface can be used to        Add facility to redirect some domains to the standard
            select which IP alias of an interface should be used for        upstream servers: this allows something like 
            DHCP purposes on Linux. If eth0 has an alias eth0:dhcp        --server=/google.com/1.2.3.4 --server=/www.google.com/#
            then adding  --bridge-interface=eth0:dhcp,eth0 will use         which will send queries for *.google.com to 1.2.3.4,
            the address of eth0:dhcp to determine the correct subnet         except *www.google.com which will be forwarded as usual.
            for DHCP address allocation. Thanks to Pawel Golaszewski         Thanks to AJ Weber for prompting this addition.
            for prompting this and Eric Cooper for further testing. 
   
            Add --dhcp-generate-names. Suggestion by Ferenc Wagner.        Improve the hash-algorithm used to generate IP addresses
         from MAC addresses during initial DHCP address
         allocation. This improves performance when large numbers
         of hosts with similar MAC addresses all try and get an IP
         address at the same time. Thanks to Paul Smith for his
         work on this.
   
            Tweak DNS server selection algorithm when there is more        Tweak DHCP code so that --bridge-interface can be used to
            than one server available for a domain, eg.        select which IP alias of an interface should be used for
            --server=/mydomain/1.1.1.1        DHCP purposes on Linux. If eth0 has an alias eth0:dhcp
            --server=/mydomain/2.2.2.2        then adding  --bridge-interface=eth0:dhcp,eth0 will use 
            Thanks to Alberto Cuesta-Canada for spotting a weakness        the address of eth0:dhcp to determine the correct subnet 
            here.        for DHCP address allocation. Thanks to Pawel Golaszewski 
         for prompting this and Eric Cooper for further testing.
   
            Add --max-ttl. Thanks to Fredrik Ringertz for the patch.        Add --dhcp-generate-names. Suggestion by Ferenc Wagner.
   
            Allow --log-facility=- to force all logging to        Tweak DNS server selection algorithm when there is more
            stderr. Suggestion from Clemens Fischer.        than one server available for a domain, eg.
         --server=/mydomain/1.1.1.1
         --server=/mydomain/2.2.2.2
         Thanks to Alberto Cuesta-Canada for spotting a weakness
         here.
   
            Fix regression which caused configuration like        Add --max-ttl. Thanks to Fredrik Ringertz for the patch.
            --address=/.domain.com/1.2.3.4 to be rejected. The dot to the  
            left of the domain has been implied and not required for a 
            long time, but it should be accepted for backward 
            compatibility. Thanks to Andrew Burcin for spotting this. 
     
            Add --rebind-domain-ok and --rebind-localhost-ok. 
            Suggestion from Clemens Fischer. 
   
            Log replies to queries of type TXT, when --log-queries         Allow --log-facility=- to force all logging to
            is set.        stderr. Suggestion from Clemens Fischer.
   
            Fix compiler warnings when compiled with -DNO_DHCP. Thanks        Fix regression which caused configuration like
            to Shantanu Gadgil for the patch.        --address=/.domain.com/1.2.3.4 to be rejected. The dot to the 
         left of the domain has been implied and not required for a
         long time, but it should be accepted for backward
         compatibility. Thanks to Andrew Burcin for spotting this.
   
            Updated French translation. Thanks to Gildas Le Nadan.        Add --rebind-domain-ok and --rebind-localhost-ok.
         Suggestion from Clemens Fischer.
   
            Updated Polish translation. Thanks to Jan Psota.        Log replies to queries of type TXT, when --log-queries 
         is set.
   
            Updated German translation. Thanks to Matthias Andree.        Fix compiler warnings when compiled with -DNO_DHCP. Thanks
         to Shantanu Gadgil for the patch.
   
            Added contrib/static-arp, thanks to Darren Hoo.        Updated French translation. Thanks to Gildas Le Nadan.
  
            Fix corruption of the domain when a name from /etc/hosts 
            overrides one supplied by a DHCP client. Thanks to Fedor 
            Kozhevnikov for spotting the problem. 
   
            Updated Spanish translation. Thanks to Chris Chatham.        Updated Polish translation. Thanks to Jan Psota.
   
           Updated German translation. Thanks to Matthias Andree.
   
           Added contrib/static-arp, thanks to Darren Hoo.
   
           Fix corruption of the domain when a name from /etc/hosts
           overrides one supplied by a DHCP client. Thanks to Fedor
           Kozhevnikov for spotting the problem.
   
           Updated Spanish translation. Thanks to Chris Chatham.
   
   
 version 2.52  version 2.52
            Work around a Linux kernel bug which insists that the         Work around a Linux kernel bug which insists that the 
            length of the option passed to setsockopt must be at least        length of the option passed to setsockopt must be at least
            sizeof(int) bytes, even if we're calling SO_BINDTODEVICE        sizeof(int) bytes, even if we're calling SO_BINDTODEVICE
            and the device name is "lo".  Note that this is fixed         and the device name is "lo".  Note that this is fixed 
            in kernel 2.6.31, but the workaround is harmless and         in kernel 2.6.31, but the workaround is harmless and 
            allows earlier kernels to be used. Also fix dnsmasq         allows earlier kernels to be used. Also fix dnsmasq 
            bug which reported the wrong address when this failed.         bug which reported the wrong address when this failed. 
            Thanks to Fedor for finding this.        Thanks to Fedor for finding this.
   
            The API for IPv6 PKTINFO changed around Linux kernel        The API for IPv6 PKTINFO changed around Linux kernel
            2.6.14. Workaround the case where dnsmasq is compiled        2.6.14. Workaround the case where dnsmasq is compiled
            against newer headers, but then run on an old kernel:        against newer headers, but then run on an old kernel:
            necessary for some *WRT distros.        necessary for some *WRT distros.
   
            Re-read the set of network interfaces when re-loading        Re-read the set of network interfaces when re-loading
            /etc/resolv.conf if --bind-interfaces is not set. This        /etc/resolv.conf if --bind-interfaces is not set. This
            handles the case that loopback interfaces do not exist        handles the case that loopback interfaces do not exist
            when dnsmasq is first started.        when dnsmasq is first started.
   
            Tweak the PXE code to support port 4011. This should        Tweak the PXE code to support port 4011. This should
            reduce broadcasts and make things more reliable when other        reduce broadcasts and make things more reliable when other
            servers are around. It also improves inter-operability        servers are around. It also improves inter-operability
            with certain clients.        with certain clients.
   
            Make a pxe-service configuration with no filename or boot         Make a pxe-service configuration with no filename or boot 
            service type legal: this does a local boot. eg.        service type legal: this does a local boot. eg.
            pxe-service=x86PC, "Local boot"         pxe-service=x86PC, "Local boot" 
   
            Be more conservative in detecting "A for A"        Be more conservative in detecting "A for A"
            queries. Dnsmasq checks if the name in a type=A query looks        queries. Dnsmasq checks if the name in a type=A query looks
            like a dotted-quad IP address and answers the query itself        like a dotted-quad IP address and answers the query itself
            if so, rather than forwarding it. Previously dnsmasq        if so, rather than forwarding it. Previously dnsmasq
            relied in the library function inet_addr() to convert        relied in the library function inet_addr() to convert
            addresses, and that will accept some things which are        addresses, and that will accept some things which are
            confusing in this context, like 1.2.3 or even just        confusing in this context, like 1.2.3 or even just
            1234. Now we only do A for A processing for four decimal        1234. Now we only do A for A processing for four decimal
            numbers delimited by dots.        numbers delimited by dots.
   
            A couple of tweaks to fix compilation on Solaris. Thanks        A couple of tweaks to fix compilation on Solaris. Thanks
            to Joel Macklow for help with this.        to Joel Macklow for help with this.
   
            Another Solaris compilation tweak, needed for Solaris        Another Solaris compilation tweak, needed for Solaris
            2009.06. Thanks to Lee Essen for that.        2009.06. Thanks to Lee Essen for that.
   
            Added extract packaging stuff from Lee Essen to         Added extract packaging stuff from Lee Essen to 
            contrib/Solaris10.        contrib/Solaris10.
           
            Increased the default limit on number of leases to 1000 
            (from 150). This is mainly a defence against DoS attacks, 
            and for the average "one for two class C networks" 
            installation, IP address exhaustion does that just as 
            well. Making the limit greater than the number of IP 
            addresses available in such an installation removes a 
            surprise which otherwise can catch people out. 
   
            Removed extraneous trailing space in the value of the        Increased the default limit on number of leases to 1000
            DNSMASQ_TIME_REMAINING DNSMASQ_LEASE_LENGTH and        (from 150). This is mainly a defence against DoS attacks,
            DNSMASQ_LEASE_EXPIRES environment variables. Thanks to        and for the average "one for two class C networks"
            Gildas Le Nadan for spotting this.        installation, IP address exhaustion does that just as
         well. Making the limit greater than the number of IP
         addresses available in such an installation removes a
         surprise which otherwise can catch people out.
   
            Provide the network-id tags for a DHCP transaction to         Removed extraneous trailing space in the value of the
            the lease-change script in the environment variable        DNSMASQ_TIME_REMAINING DNSMASQ_LEASE_LENGTH and
            DNSMASQ_TAGS. A good suggestion from Gildas Le Nadan.          DNSMASQ_LEASE_EXPIRES environment variables. Thanks to
         Gildas Le Nadan for spotting this.
   
            Add support for RFC3925 "Vendor-Identifying Vendor        Provide the network-id tags for a DHCP transaction to 
            Options". The syntax looks like this:          the lease-change script in the environment variable
            --dhcp-option=vi-encap:<enterprise number>, .........        DNSMASQ_TAGS. A good suggestion from Gildas Le Nadan.  
   
            Add support to --dhcp-match to allow matching against        Add support for RFC3925 "Vendor-Identifying Vendor
            RFC3925 "Vendor-Identifying Vendor Classes". The syntax        Options". The syntax looks like this:  
            looks like this:        --dhcp-option=vi-encap:<enterprise number>, .........
            --dhcp-match=tag,vi-encap<enterprise number>, <value> 
             
            Add some application specific code to assist in 
            implementing the Broadband forum TR069 CPE-WAN 
            specification. The details are in contrib/CPE-WAN/README 
   
            Increase the default DNS packet size limit to 4096, as        Add support to --dhcp-match to allow matching against
            recommended by RFC5625 section 4.4.3. This can be        RFC3925 "Vendor-Identifying Vendor Classes". The syntax
            reconfigured using --edns-packet-max if needed. Thanks to        looks like this:
            Francis Dupont for pointing this out.        --dhcp-match=tag,vi-encap<enterprise number>, <value>
   
            Rewrite query-ids even for TSIG signed packets, since        Add some application specific code to assist in
            this is allowed by RFC5625 section 4.5.        implementing the Broadband forum TR069 CPE-WAN
                    specification. The details are in contrib/CPE-WAN/README
            Use getopt_long by default on OS X. It has been supported 
            since version 10.3.0. Thanks to Arek Dreyer for spotting 
            this. 
   
            Added up-to-date startup configuration for MacOSX/launchd        Increase the default DNS packet size limit to 4096, as
            in contrib/MacOSX-launchd. Thanks to Arek Dreyer for        recommended by RFC5625 section 4.4.3. This can be
            providing this.        reconfigured using --edns-packet-max if needed. Thanks to
         Francis Dupont for pointing this out.
   
            Fix link error when including Dbus but excluding DHCP.         Rewrite query-ids even for TSIG signed packets, since
            Thanks to Oschtan for the bug report.        this is allowed by RFC5625 section 4.5.
   
            Updated French translation. Thanks to Gildas Le Nadan.        Use getopt_long by default on OS X. It has been supported
         since version 10.3.0. Thanks to Arek Dreyer for spotting
            Updated Polish translation. Thanks to Jan Psota.        this.
   
            Updated Spanish translation. Thanks to Chris Chatham.        Added up-to-date startup configuration for MacOSX/launchd
         in contrib/MacOSX-launchd. Thanks to Arek Dreyer for
         providing this.
   
            Fixed confusion about domains, when looking up DHCP hosts        Fix link error when including Dbus but excluding DHCP. 
            in /etc/hosts. This could cause spurious "Ignoring        Thanks to Oschtan for the bug report.
            domain..." messages. Thanks to Fedor Kozhevnikov for 
            finding and analysing the problem. 
   
                    Updated French translation. Thanks to Gildas Le Nadan.
 
         Updated Polish translation. Thanks to Jan Psota.
 
         Updated Spanish translation. Thanks to Chris Chatham.
 
         Fixed confusion about domains, when looking up DHCP hosts
         in /etc/hosts. This could cause spurious "Ignoring
         domain..." messages. Thanks to Fedor Kozhevnikov for
         finding and analysing the problem.
 
 
 version 2.51  version 2.51
            Add support for internationalised DNS. Non-ASCII characters        Add support for internationalised DNS. Non-ASCII characters
            in domain names found in /etc/hosts, /etc/ethers and         in domain names found in /etc/hosts, /etc/ethers and 
            /etc/dnsmasq.conf will be correctly handled by translation to        /etc/dnsmasq.conf will be correctly handled by translation to
            punycode, as specified in RFC3490. This function is only        punycode, as specified in RFC3490. This function is only
            available if dnsmasq is compiled with internationalisation        available if dnsmasq is compiled with internationalisation
            support, and adds a dependency on GNU libidn. Without i18n        support, and adds a dependency on GNU libidn. Without i18n
            support, dnsmasq continues to be compilable with just        support, dnsmasq continues to be compilable with just
            standard tools. Thanks to Yves Dorfsman for the        standard tools. Thanks to Yves Dorfsman for the
            suggestion.         suggestion. 
   
            Add two more environment variables for lease-change scripts:        Add two more environment variables for lease-change scripts:
            First, DNSMASQ_SUPPLIED_HOSTNAME; this is set to the hostname        First, DNSMASQ_SUPPLIED_HOSTNAME; this is set to the hostname
            supplied by a client, even if the actual hostname used is        supplied by a client, even if the actual hostname used is
            over-ridden by dhcp-host or dhcp-ignore-names directives.        over-ridden by dhcp-host or dhcp-ignore-names directives.
            Also DNSMASQ_RELAY_ADDRESS which gives the address of         Also DNSMASQ_RELAY_ADDRESS which gives the address of 
            a DHCP relay, if used.        a DHCP relay, if used.
            Suggestions from Michael Rack.        Suggestions from Michael Rack.
   
            Fix regression which broke echo of relay-agent        Fix regression which broke echo of relay-agent
            options. Thanks to Michael Rack for spotting this.        options. Thanks to Michael Rack for spotting this.
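
Review bot: Separate the text-identical churn from the content changes. In the version 2.52 section, the paragraphs from "Increased the default limit on number of leases to 1000" onward are shown as removed on the left and re-added on the right with word-for-word identical text, so whatever differs is not visible in this rendering. That buries the few real edits in this revision (the new --server=/www.google.com/# entry, the gPXE to iPXE rename, the "overridden" spelling fix) and makes the change harder to audit. Land any re-indentation as its own commit, and check this one with a whitespace-insensitive diff to confirm that nothing else changed.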
           
            Don't treat option 67 as being interchangeable with 
            dhcp-boot parameters if it's specified as 
            dhcp-option-force. 
   
            Make the code to call scripts on lease-change compile-time        Don't treat option 67 as being interchangeable with
            optional. It can be switched off by editing src/config.h        dhcp-boot parameters if it's specified as
            or building with "make COPTS=-DNO_SCRIPT".        dhcp-option-force.
  
            Make the TFTP server cope with filenames from Windows/DOS 
            which use '\' as pathname separator. Thanks to Ralf for 
            the patch. 
   
            Updated Polish translation. Thanks to Jan Psota.        Make the code to call scripts on lease-change compile-time
         optional. It can be switched off by editing src/config.h
            Warn if an IP address is duplicated in /etc/ethers. Thanks        or building with "make COPTS=-DNO_SCRIPT".
            to Felix Schwarz for pointing this out. 
   
            Teach --conf-dir to take an option list of file suffices        Make the TFTP server cope with filenames from Windows/DOS
            which will be ignored when scanning the directory. Useful        which use '\' as pathname separator. Thanks to Ralf for
            for backup files etc. Thanks to Helmut Hullen for the        the patch.
            suggestion.  
   
            Add new DHCP option named tftpserver-address, which        Updated Polish translation. Thanks to Jan Psota.
            corresponds to the third argument of dhcp-boot. This 
            allows the complete functionality of dhcp-boot to be 
            replicated with dhcp-option. Useful when using  
            dhcp-optsfile. 
   
            Test which upstream nameserver to use every 10 seconds        Warn if an IP address is duplicated in /etc/ethers. Thanks
            or 50 queries and not just when a query times out and         to Felix Schwarz for pointing this out.
            is retried. This should improve performance when there 
            is a slow nameserver in the list. Thanks to Joe for the 
            suggestion.  
   
            Don't do any PXE processing, even for clients with the         Teach --conf-dir to take an option list of file suffices
            correct vendorclass, unless at least one pxe-prompt or         which will be ignored when scanning the directory. Useful
            pxe-service option is given. This stops dnsmasq         for backup files etc. Thanks to Helmut Hullen for the
            interfering with proxy PXE subsystems when it is just         suggestion. 
            the DHCP server. Thanks to Spencer Clark for spotting this. 
   
            Limit the blocksize used for TFTP transfers to a value        Add new DHCP option named tftpserver-address, which
            which avoids packet fragmentation, based on the MTU of the        corresponds to the third argument of dhcp-boot. This
            local interface. Many netboot ROMs can't cope with        allows the complete functionality of dhcp-boot to be
            fragmented packets.        replicated with dhcp-option. Useful when using 
         dhcp-optsfile.
   
            Honour dhcp-ignore configuration for PXE and proxy-PXE         Test which upstream nameserver to use every 10 seconds
            requests. Thanks to Niels Basjes for the bug report.        or 50 queries and not just when a query times out and 
         is retried. This should improve performance when there
         is a slow nameserver in the list. Thanks to Joe for the
         suggestion. 
   
            Updated French translation. Thanks to Gildas Le Nadan.        Don't do any PXE processing, even for clients with the 
         correct vendorclass, unless at least one pxe-prompt or 
         pxe-service option is given. This stops dnsmasq 
         interfering with proxy PXE subsystems when it is just 
         the DHCP server. Thanks to Spencer Clark for spotting this.
   
           Limit the blocksize used for TFTP transfers to a value
           which avoids packet fragmentation, based on the MTU of the
           local interface. Many netboot ROMs can't cope with
           fragmented packets.
   
           Honour dhcp-ignore configuration for PXE and proxy-PXE 
           requests. Thanks to Niels Basjes for the bug report.
   
           Updated French translation. Thanks to Gildas Le Nadan.
   
   
 version 2.50  version 2.50
            Fix security problem which allowed any host permitted to         Fix security problem which allowed any host permitted to 
            do TFTP to possibly compromise dnsmasq by remote buffer         do TFTP to possibly compromise dnsmasq by remote buffer 
            overflow when TFTP enabled. Thanks to Core Security         overflow when TFTP enabled. Thanks to Core Security 
            Technologies and Iván Arce, Pablo Hernán Jorge, Alejandro         Technologies and Iván Arce, Pablo Hernán Jorge, Alejandro 
            Pablo Rodriguez, Martín Coco, Alberto Soliño Testa and        Pablo Rodriguez, Martín Coco, Alberto Soliño Testa and
            Pablo Annetta. This problem has Bugtraq id: 36121         Pablo Annetta. This problem has Bugtraq id: 36121 
            and CVE: 2009-2957        and CVE: 2009-2957
   
            Fix a problem which allowed a malicious TFTP client to         Fix a problem which allowed a malicious TFTP client to 
            crash dnsmasq. Thanks to Steve Grubb at Red Hat for         crash dnsmasq. Thanks to Steve Grubb at Red Hat for 
            spotting this. This problem has Bugtraq id: 36120 and         spotting this. This problem has Bugtraq id: 36120 and 
            CVE: 2009-2958        CVE: 2009-2958
   
   
 version 2.49  version 2.49
            Fix regression in 2.48 which disables the lease-change        Fix regression in 2.48 which disables the lease-change
            script. Thanks to Jose Luis Duran for spotting this.        script. Thanks to Jose Luis Duran for spotting this.
   
            Log TFTP "file not found" errors. These were not logged,        Log TFTP "file not found" errors. These were not logged,
            since a normal PXELinux boot generates many of them, but        since a normal PXELinux boot generates many of them, but
            the lack of the messages seems to be more confusing than        the lack of the messages seems to be more confusing than
            routinely seeing them when there is no real error.        routinely seeing them when there is no real error.
   
            Update Spanish translation. Thanks to Chris Chatham.        Update Spanish translation. Thanks to Chris Chatham.
  
   
   
 version 2.48  version 2.48
            Archived the extensive, backwards, changelog to        Archived the extensive, backwards, changelog to
            CHANGELOG.archive. The current changelog now runs from        CHANGELOG.archive. The current changelog now runs from
            version 2.43 and runs conventionally.        version 2.43 and runs conventionally.
   
            Fixed bug which broke binding of servers to physical        Fixed bug which broke binding of servers to physical
            interfaces when interface names were longer than four        interfaces when interface names were longer than four
            characters. Thanks to MURASE Katsunori for the patch.        characters. Thanks to MURASE Katsunori for the patch.
   
            Fixed netlink code to check that messages come from the        Fixed netlink code to check that messages come from the
            correct source, and not another userspace process. Thanks        correct source, and not another userspace process. Thanks
            to Steve Grubb for the patch.        to Steve Grubb for the patch.
   
            Maintainability drive: removed bug and missing feature        Maintainability drive: removed bug and missing feature
            workarounds for some old platforms. Solaris 9, OpenBSD        workarounds for some old platforms. Solaris 9, OpenBSD
            older than 4.1, Glibc older than 2.2, Linux 2.2.x and         older than 4.1, Glibc older than 2.2, Linux 2.2.x and 
            DBus older than 1.1.x are no longer supported.         DBus older than 1.1.x are no longer supported. 
   
            Don't read included configuration files more than once:        Don't read included configuration files more than once:
            allows complex configuration structures without problems.        allows complex configuration structures without problems.
   
            Mark log messages from the various subsystems in dnsmasq:        Mark log messages from the various subsystems in dnsmasq:
            messages from the DHCP subsystem now have the ident string        messages from the DHCP subsystem now have the ident string
            "dnsmasq-dhcp" and messages from TFTP have ident        "dnsmasq-dhcp" and messages from TFTP have ident
            "dnsmasq-tftp". Thanks to Olaf Westrik for the patch.        "dnsmasq-tftp". Thanks to Olaf Westrik for the patch.
   
            Fix possible infinite DHCP protocol loop when an IP        Fix possible infinite DHCP protocol loop when an IP
            address nailed to a hostname (not a MAC address)  and a         address nailed to a hostname (not a MAC address)  and a 
            host sometimes provides the name, sometimes not.        host sometimes provides the name, sometimes not.
   
            Allow --addn-hosts to take a directory: all the files         Allow --addn-hosts to take a directory: all the files 
            in the directory are read. Thanks to Phil Cornelius for         in the directory are read. Thanks to Phil Cornelius for 
            the suggestion.         the suggestion. 
   
            Support --bridge-interface on all platforms, not just BSD.        Support --bridge-interface on all platforms, not just BSD.
  
            Added support for advanced PXE functions. It's now 
            possible to define a prompt and menu options which will 
            be displayed when a client PXE boots. It's also possible to 
            hand-off booting to other boot servers. Proxy-DHCP, where 
            dnsmasq just supplies the PXE information and another DHCP 
            server does address allocation, is also allowed. See the 
            --pxe-prompt and --pxe-service keywords. Thanks to  
            Alkis Georgopoulos for the suggestion and Guilherme Moro 
            and Michael Brown for assistance. 
   
            Improvements to DHCP logging. Thanks to Tom Metro for        Added support for advanced PXE functions. It's now
            useful suggestions.        possible to define a prompt and menu options which will
                    be displayed when a client PXE boots. It's also possible to
            Add ability to build dnsmasq without DHCP support. To do        hand-off booting to other boot servers. Proxy-DHCP, where
            this, edit src/config.h or build with        dnsmasq just supplies the PXE information and another DHCP
            "make COPTS=-DNO_DHCP". Thanks to Mahavir Jain for the patch.         server does address allocation, is also allowed. See the
                    --pxe-prompt and --pxe-service keywords. Thanks to 
            Added --test command-line switch - syntax check        Alkis Georgopoulos for the suggestion and Guilherme Moro
            configuration files only.        and Michael Brown for assistance.
  
            Updated French translation. Thanks to Gildas Le Nadan. 
   
           Improvements to DHCP logging. Thanks to Tom Metro for
           useful suggestions.
   
           Add ability to build dnsmasq without DHCP support. To do
           this, edit src/config.h or build with
           "make COPTS=-DNO_DHCP". Thanks to Mahavir Jain for the patch. 
   
           Added --test command-line switch - syntax check
           configuration files only.
   
           Updated French translation. Thanks to Gildas Le Nadan.
   
   
 version 2.47  version 2.47
            Updated French translation. Thanks to Gildas Le Nadan.        Updated French translation. Thanks to Gildas Le Nadan.
   
            Fixed interface enumeration code to work on NetBSD        Fixed interface enumeration code to work on NetBSD
            5.0. Thanks to Roy Marples for the patch.         5.0. Thanks to Roy Marples for the patch. 
   
            Updated config.h to use the same location for the lease        Updated config.h to use the same location for the lease
            file on NetBSD as the other *BSD variants. Also allow        file on NetBSD as the other *BSD variants. Also allow
            LEASEFILE and CONFFILE symbols to be overriden in CFLAGS.          LEASEFILE and CONFFILE symbols to be overridden in CFLAGS.  
   
            Handle duplicate address detection on IPv6 more        Handle duplicate address detection on IPv6 more
            intelligently. In IPv6, an interface can have an address        intelligently. In IPv6, an interface can have an address
            which is not usable, because it is still undergoing DAD        which is not usable, because it is still undergoing DAD
            (such addresses are marked "tentative"). Attempting to        (such addresses are marked "tentative"). Attempting to
            bind to an address in this state returns an error,        bind to an address in this state returns an error,
            EADDRNOTAVAIL. Previously, on getting such an error,        EADDRNOTAVAIL. Previously, on getting such an error,
            dnsmasq would silently abandon the address, and never        dnsmasq would silently abandon the address, and never
            listen on it. Now, it retries once per second for 20        listen on it. Now, it retries once per second for 20
            seconds before generating a fatal error. 20 seconds should        seconds before generating a fatal error. 20 seconds should
            be long enough for any DAD process to complete, but can be        be long enough for any DAD process to complete, but can be
            adjusted in src/config.h if necessary. Thanks to Martin        adjusted in src/config.h if necessary. Thanks to Martin
            Krafft for the bug report.        Krafft for the bug report.
   
            Add DBus introspection. Patch from Jeremy Laine.        Add DBus introspection. Patch from Jeremy Laine.
   
            Update Dbus configuration file. Patch from Colin Walters.        Update Dbus configuration file. Patch from Colin Walters.
            Fix for this bug:        Fix for this bug:
            http://bugs.freedesktop.org/show_bug.cgi?id=18961        http://bugs.freedesktop.org/show_bug.cgi?id=18961
   
            Support arbitrarily encapsulated DHCP options, suggestion        Support arbitrarily encapsulated DHCP options, suggestion
            and initial patch from Samium Gromoff. This is useful for        and initial patch from Samium Gromoff. This is useful for
            (eg) gPXE, which expect all its private options to be        (eg) iPXE, which expect all its private options to be
            encapsulated inside a single option 175. So, eg,         encapsulated inside a single option 175. So, eg, 
   
            dhcp-option = encap:175, 190, "iscsi-client0"        dhcp-option = encap:175, 190, "iscsi-client0"
            dhcp-option = encap:175, 191, "iscsi-client0-secret"        dhcp-option = encap:175, 191, "iscsi-client0-secret"
             
            will provide iSCSI parameters to gPXE. 
   
            Enhance --dhcp-match to allow testing of the contents of a        will provide iSCSI parameters to iPXE.
            client-sent option, as well as its presence. This 
            application in mind for this is RFC 4578 
            client-architecture specifiers, but it's generally useful. 
            Joey Korkames suggested the enhancement.  
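
Review bot: The rename from gPXE to iPXE in the version 2.47 entry (the lines "(eg) iPXE, which expect all its private options" and "will provide iSCSI parameters to iPXE.") rewrites the notes of an already released version, so the changelog no longer records what that release said. If the aim is to point readers at the current project name, keep the original and add the new one, for example "gPXE (now iPXE)". Since the first of those lines is being touched anyway, "which expect" should read "which expects".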
   
            Move from using the IP_XMIT_IF ioctl to IP_BOUND_IF on        Enhance --dhcp-match to allow testing of the contents of a
            OpenSolaris. Thanks to Bastian Machek for the heads-up.        client-sent option, as well as its presence. This
         application in mind for this is RFC 4578
         client-architecture specifiers, but it's generally useful.
         Joey Korkames suggested the enhancement. 
   
            No longer complain about blank lines in        Move from using the IP_XMIT_IF ioctl to IP_BOUND_IF on
            /etc/ethers. Thanks to Jon Nelson for the patch.        OpenSolaris. Thanks to Bastian Machek for the heads-up.
   
            Fix binding of servers to physical devices, eg        No longer complain about blank lines in
            --server=/domain/1.2.3.4@eth0 which was broken from 2.43        /etc/ethers. Thanks to Jon Nelson for the patch.
            onwards unless --query-port=0 set. Thanks to Peter Naulls 
            for the bug report. 
   
            Reply to DHCPINFORM requests even when the supplied ciaddr        Fix binding of servers to physical devices, eg
            doesn't fall in any dhcp-range. In this case it's not        --server=/domain/1.2.3.4@eth0 which was broken from 2.43
            possible to supply a complete configuration, but        onwards unless --query-port=0 set. Thanks to Peter Naulls
            individually-configured options (eg PAC) may be useful.        for the bug report.
   
            Allow the source address of an alias to be a range:        Reply to DHCPINFORM requests even when the supplied ciaddr
            --alias=192.168.0.0,10.0.0.0,255.255.255.0 maps the whole        doesn't fall in any dhcp-range. In this case it's not
            subnet 192.168.0.0->192.168.0.255 to 10.0.0.0->10.0.0.255,        possible to supply a complete configuration, but
            as before.        individually-configured options (eg PAC) may be useful.
            --alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0 
            maps only the 192.168.0.10->192.168.0.40 region. Thanks to 
            Ib Uhrskov for the suggestion. 
   
            Don't dynamically allocate DHCP addresses which may break        Allow the source address of an alias to be a range:
            Windows.  Addresses which end in .255 or .0 are broken in        --alias=192.168.0.0,10.0.0.0,255.255.255.0 maps the whole
            Windows even when using supernetting.        subnet 192.168.0.0->192.168.0.255 to 10.0.0.0->10.0.0.255,
            --dhcp-range=192.168.0.1,192.168.1.254,255,255,254.0 means         as before.
            192.168.0.255 is a valid IP address, but not for Windows.         --alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
            See Microsoft KB281579. We therefore no longer allocate         maps only the 192.168.0.10->192.168.0.40 region. Thanks to
            these addresses to avoid hard-to-diagnose problems.         Ib Uhrskov for the suggestion.
   
            Update Polish translation. Thanks to Jan Psota.        Don't dynamically allocate DHCP addresses which may break
         Windows.  Addresses which end in .255 or .0 are broken in
         Windows even when using supernetting.
         --dhcp-range=192.168.0.1,192.168.1.254,255,255,254.0 means 
         192.168.0.255 is a valid IP address, but not for Windows. 
         See Microsoft KB281579. We therefore no longer allocate 
         these addresses to avoid hard-to-diagnose problems. 
   
            Delete the PID-file when dnsmasq shuts down. Note that by        Update Polish translation. Thanks to Jan Psota.
            this time, dnsmasq is normally not running as root, so 
            this will fail if the PID-file is stored in a root-owned 
            directory; such failure is silently ignored. To take 
            advantage of this feature, the PID-file must be stored in a 
            directory owned and write-able by the user running 
            dnsmasq. 
   
           Delete the PID-file when dnsmasq shuts down. Note that by
           this time, dnsmasq is normally not running as root, so
           this will fail if the PID-file is stored in a root-owned
           directory; such failure is silently ignored. To take
           advantage of this feature, the PID-file must be stored in a
           directory owned and write-able by the user running
           dnsmasq.
   
   
 version 2.46  version 2.46
            Allow --bootp-dynamic to take a netid tag, so that it may        Allow --bootp-dynamic to take a netid tag, so that it may
            be selectively enabled. Thanks to Olaf Westrik for the        be selectively enabled. Thanks to Olaf Westrik for the
            suggestion.         suggestion. 
   
            Remove ISC-leasefile reading code. This has been        Remove ISC-leasefile reading code. This has been
            deprecated for a long time, and last time I removed it, it        deprecated for a long time, and last time I removed it, it
            ended up going back by request of one user. This time,        ended up going back by request of one user. This time,
            it's gone for good; otherwise it would need to be        it's gone for good; otherwise it would need to be
            re-worked to support multiple domains (see below).        re-worked to support multiple domains (see below).
   
            Support DHCP clients in multiple DNS domains. This is a        Support DHCP clients in multiple DNS domains. This is a
            long-standing request. Clients are assigned to a domain        long-standing request. Clients are assigned to a domain
            based in their IP address.          based in their IP address.  
   
            Add --dhcp-fqdn flag, which changes behaviour if DNS names        Add --dhcp-fqdn flag, which changes behaviour if DNS names
            assigned to DHCP clients. When this is set, there must be        assigned to DHCP clients. When this is set, there must be
            a domain associated with each client, and only        a domain associated with each client, and only
            fully-qualified domain names are added to the DNS. The        fully-qualified domain names are added to the DNS. The
            advantage is that the only the FQDN needs to be unique,        advantage is that the only the FQDN needs to be unique,
            so that two or more DHCP clients can share a hostname, as        so that two or more DHCP clients can share a hostname, as
            long as they are in different domains.        long as they are in different domains.
   
            Set environment variable DNSMASQ_DOMAIN when invoking        Set environment variable DNSMASQ_DOMAIN when invoking
            lease-change script. This may be useful information to        lease-change script. This may be useful information to
            have now that it's variable.        have now that it's variable.
   
            Tighten up data-checking code for DNS packet        Tighten up data-checking code for DNS packet
            handling. Thanks to Steve Dodd who found certain illegal        handling. Thanks to Steve Dodd who found certain illegal
            packets which could crash dnsmasq. No memory overwrite was        packets which could crash dnsmasq. No memory overwrite was
            possible, so this is not a security issue beyond the DoS        possible, so this is not a security issue beyond the DoS
            potential.          potential.  
   
            Update example config dhcp option 47, the previous        Update example config dhcp option 47, the previous
            suggestion generated an illegal, zero-length,        suggestion generated an illegal, zero-length,
            option. Thanks to Matthias Andree for finding this.        option. Thanks to Matthias Andree for finding this.
   
            Rewrite hosts-file reading code to remove the limit of        Rewrite hosts-file reading code to remove the limit of
            1024 characters per line. John C Meuser found this.        1024 characters per line. John C Meuser found this.
   
            Create a net-id tag with the name of the interface on        Create a net-id tag with the name of the interface on
            which the DHCP request was received.        which the DHCP request was received.
   
            Fixed minor memory leak in DBus code, thanks to Jeremy        Fixed minor memory leak in DBus code, thanks to Jeremy
            Laine for the patch.        Laine for the patch.
   
            Emit DBus signals as the DHCP lease database        Emit DBus signals as the DHCP lease database
            changes. Thanks to Jeremy Laine for the patch.        changes. Thanks to Jeremy Laine for the patch.
   
            Allow for more that one MAC address in a dhcp-host        Allow for more that one MAC address in a dhcp-host
            line. This configuration tells dnsmasq that it's OK to        line. This configuration tells dnsmasq that it's OK to
            abandon a DHCP lease of the fixed address to one MAC        abandon a DHCP lease of the fixed address to one MAC
            address, if another MAC address in the dhcp-host statement         address, if another MAC address in the dhcp-host statement 
            asks for an address. This is useful to give a fixed        asks for an address. This is useful to give a fixed
            address to a host which has two network interfaces        address to a host which has two network interfaces
            (say, a laptop with wired and wireless interfaces.)         (say, a laptop with wired and wireless interfaces.) 
            It's very important to ensure that only one interface         It's very important to ensure that only one interface 
            at a time is up, since dnsmasq abandons the first lease         at a time is up, since dnsmasq abandons the first lease 
            and re-uses the address before the leased time has        and re-uses the address before the leased time has
            elapsed. John Gray suggested this.        elapsed. John Gray suggested this.
   
            Tweak the response to a DHCP request packet with a wrong        Tweak the response to a DHCP request packet with a wrong
            server-id when --dhcp-authoritative is set; dnsmasq now        server-id when --dhcp-authoritative is set; dnsmasq now
            returns a DHCPNAK, rather than silently ignoring the        returns a DHCPNAK, rather than silently ignoring the
            packet. Thanks to Chris Marget for spotting this        packet. Thanks to Chris Marget for spotting this
            improvement.        improvement.
   
            Add --cname option. This provides a limited alias        Add --cname option. This provides a limited alias
            function, usable for DHCP names. Thanks to AJ Weber for        function, usable for DHCP names. Thanks to AJ Weber for
            suggestions on this.        suggestions on this.
   
            Updated contrib/webmin with latest version from Neil        Updated contrib/webmin with latest version from Neil
            Fisher.        Fisher.
   
            Updated Polish translation. Thanks to Jan Psota.        Updated Polish translation. Thanks to Jan Psota.
             
            Correct the text names for DHCP options 64 and 65 to be 
            "nis+-domain" and "nis+-servers". 
   
            Updated Spanish translation. Thanks to Chris Chatham.        Correct the text names for DHCP options 64 and 65 to be
         "nis+-domain" and "nis+-servers".
   
            Force re-reading of /etc/resolv.conf when an "interface        Updated Spanish translation. Thanks to Chris Chatham.
            up" event occurs. 
   
           Force re-reading of /etc/resolv.conf when an "interface
           up" event occurs.
   
   
 version 2.45  version 2.45
            Fix total DNS failure in release 2.44 unless --min-port         Fix total DNS failure in release 2.44 unless --min-port 
            specified. Thanks to Steven Barth and Grant Coady for        specified. Thanks to Steven Barth and Grant Coady for
            bugreport. Also reject out-of-range port spec, which could        bugreport. Also reject out-of-range port spec, which could
            break things too: suggestion from Gilles Espinasse.        break things too: suggestion from Gilles Espinasse.
             
   
   
 version 2.44  version 2.44
            Fix  crash when unknown client attempts to renew a DHCP        Fix  crash when unknown client attempts to renew a DHCP
            lease, problem introduced in version 2.43. Thanks to        lease, problem introduced in version 2.43. Thanks to
            Carlos Carvalho for help chasing this down.        Carlos Carvalho for help chasing this down.
   
            Fix potential crash when a host which doesn't have a lease        Fix potential crash when a host which doesn't have a lease
            does DHCPINFORM. Again introduced in 2.43. This bug has        does DHCPINFORM. Again introduced in 2.43. This bug has
            never been reported in the wild.        never been reported in the wild.
   
            Fix crash in netlink code introduced in 2.43. Thanks to        Fix crash in netlink code introduced in 2.43. Thanks to
            Jean Wolter for finding this.        Jean Wolter for finding this.
   
            Change implementation of min_port to work even if min-port        Change implementation of min_port to work even if min-port
            is large.        is large.
   
            Patch to enable compilation of latest Mac OS X. Thanks to        Patch to enable compilation of latest Mac OS X. Thanks to
            David Gilman.        David Gilman.
   
            Update Spanish translation. Thanks to Christopher Chatham.        Update Spanish translation. Thanks to Christopher Chatham.
   
   
 version 2.43  version 2.43
            Updated Polish translation. Thanks to Jan Psota.        Updated Polish translation. Thanks to Jan Psota.
   
            Flag errors when configuration options are repeated        Flag errors when configuration options are repeated
            illegally.        illegally.
   
            Further tweaks for GNU/kFreeBSD        Further tweaks for GNU/kFreeBSD
   
            Add --no-wrap to msgmerge call - provides nicer .po file        Add --no-wrap to msgmerge call - provides nicer .po file
            format.        format.
   
            Honour lease-time spec in dhcp-host lines even for        Honour lease-time spec in dhcp-host lines even for
            BOOTP. The user is assumed to known what they are doing in        BOOTP. The user is assumed to known what they are doing in
            this case. (Hosts without the time spec still get infinite        this case. (Hosts without the time spec still get infinite
            leases for BOOTP, over-riding the default in the        leases for BOOTP, over-riding the default in the
            dhcp-range.) Thanks to Peter Katzmann for uncovering this.        dhcp-range.) Thanks to Peter Katzmann for uncovering this.
   
            Fix problem matching relay-agent ids. Thanks to Michael        Fix problem matching relay-agent ids. Thanks to Michael
            Rack for the bug report.        Rack for the bug report.
   
            Add --naptr-record option. Suggestion from Johan        Add --naptr-record option. Suggestion from Johan
            Bergquist.        Bergquist.
   
            Implement RFC 5107 server-id-override DHCP relay agent        Implement RFC 5107 server-id-override DHCP relay agent
            option.        option.
   
            Apply patches from Stefan Kruger for compilation on        Apply patches from Stefan Kruger for compilation on
            Solaris 10 under Sun studio.        Solaris 10 under Sun studio.
   
            Yet more tweaking of Linux capability code, to suppress        Yet more tweaking of Linux capability code, to suppress
            pointless wingeing from kernel 2.6.25 and above.        pointless wingeing from kernel 2.6.25 and above.
   
            Improve error checking during startup. Previously, some        Improve error checking during startup. Previously, some
            errors which occurred during startup would be worked        errors which occurred during startup would be worked
            around, with dnsmasq still starting up. Some were logged,        around, with dnsmasq still starting up. Some were logged,
            some silent. Now, they all cause a fatal error and dnsmasq         some silent. Now, they all cause a fatal error and dnsmasq 
            terminates with a non-zero exit code. The errors are those        terminates with a non-zero exit code. The errors are those
            associated with changing uid and gid, setting process         associated with changing uid and gid, setting process 
            capabilities and writing the pidfile. Thanks to Uwe        capabilities and writing the pidfile. Thanks to Uwe
            Gansert and the Suse security team for pointing out         Gansert and the Suse security team for pointing out 
            this improvement, and Bill Reimers for good implementation        this improvement, and Bill Reimers for good implementation
            suggestions.        suggestions.
   
            Provide NO_LARGEFILE compile option to switch off largefile        Provide NO_LARGEFILE compile option to switch off largefile
            support when compiling against versions of uclibc which        support when compiling against versions of uclibc which
            don't support it. Thanks to Stephane Billiart for the patch.        don't support it. Thanks to Stephane Billiart for the patch.
   
            Implement random source ports for interactions with 
            upstream nameservers. New spoofing attacks have been found 
            against nameservers which do not do this, though it is not 
            clear if dnsmasq is vulnerable, since to doesn't implement 
            recursion. By default dnsmasq will now use a different 
            source port (and socket) for each query it sends 
            upstream. This behaviour can suppressed using the 
            --query-port option, and the old default behaviour 
            restored using --query-port=0. Explicit source-port 
            specifications in --server configs are still honoured. 
   
            Replace the random number generator, for better        Implement random source ports for interactions with
            security. On most BSD systems, dnsmasq uses the        upstream nameservers. New spoofing attacks have been found
            arc4random() RNG, which is secure, but on other platforms,        against nameservers which do not do this, though it is not
            it relied on the C-library RNG, which may be        clear if dnsmasq is vulnerable, since to doesn't implement
            guessable and therefore allow spoofing. This release        recursion. By default dnsmasq will now use a different
            replaces the libc RNG with the SURF RNG, from Daniel        source port (and socket) for each query it sends
            J. Berstein's DJBDNS package.          upstream. This behaviour can suppressed using the
         --query-port option, and the old default behaviour
         restored using --query-port=0. Explicit source-port
         specifications in --server configs are still honoured.
   
            Don't attempt to change user or group or set capabilities        Replace the random number generator, for better
            if dnsmasq is run as a non-root user. Without this, the        security. On most BSD systems, dnsmasq uses the
            change from soft to hard errors when these fail causes        arc4random() RNG, which is secure, but on other platforms,
            problems for non-root daemons listening on high        it relied on the C-library RNG, which may be
            ports. Thanks to Patrick McLean for spotting this.        guessable and therefore allow spoofing. This release
         replaces the libc RNG with the SURF RNG, from Daniel
         J. Berstein's DJBDNS package.  
   
            Updated French translation. Thanks to Gildas Le Nadan.        Don't attempt to change user or group or set capabilities
         if dnsmasq is run as a non-root user. Without this, the
         change from soft to hard errors when these fail causes
         problems for non-root daemons listening on high
         ports. Thanks to Patrick McLean for spotting this.
   
           Updated French translation. Thanks to Gildas Le Nadan.
   
   
 version 2.42  version 2.42
            The changelog for version 2.42 and earlier is         The changelog for version 2.42 and earlier is 
            available in CHANGELOG.archive.        available in CHANGELOG.archive.
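
Review bot: In the encapsulated DHCP options entry, the rename from gPXE to iPXE rewrites a historical changelog entry but leaves the grammar slip "which expect all its private options" in place on the touched line; if the rename is intended, change it to "which expects" in the same edit. The other changed blocks here (from "will provide iSCSI parameters" through the PID-file entry, the DHCP options 64 and 65 entry through the resolv.conf entry, and the random source ports entry through the French translation entry) read word for word the same on both sides and appear to differ only in indentation and trailing spaces, so the whitespace cleanup would be easier to audit as a separate change from the wording change. Since the random source port and RNG entries are re-added anyway, the typos "since to doesn't implement", "can suppressed" and "Berstein's" (Bernstein) could be corrected there, as these are the entries readers consult for the spoofing hardening.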
