| version 1.1, 2013/07/29 19:37:40 | version 1.1.1.2, 2014/06/15 16:31:38 |
|---|---|
| version 2.71 | |
| Subtle change to error handling to help DNSSEC validation | |
| when servers fail to provide NODATA answers for | |
| non-existent DS records. | |
| Tweak code which removes DNSSEC records from answers when | |
| not required. Fixes broken answers when additional section | |
| has real records in it. Thanks to Marco Davids for the bug | |
| report. | |
| Fix DNSSEC validation of ANY queries. Thanks to Marco Davids | |
| for spotting that too. | |
| Fix total DNS failure and 100% CPU use if cachesize set to zero, | |
| regression introduced in 2.69. Thanks to James Hunt and | |
| the Ubuntu crowd for assistance in fixing this. | |
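
Review bot: the first 2.71 entry ("Subtle change to error handling to help DNSSEC validation when servers fail to provide NODATA answers for non-existent DS records") does not say what the new behaviour actually is: whether dnsmasq now treats the missing NODATA answer as a validation failure and returns SERVFAIL, or accepts it as evidence of an unsigned delegation and answers without the AD bit. That distinction decides whether the resolver fails closed or fails open against a misbehaving upstream, so the entry should state it in one line, e.g. "A missing NODATA answer for a DS record is now treated as ..." with the actual outcome filled in. The cachesize-zero and ANY-query entries in this block are clear as written.
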
| version 2.70 | |
| Fix crash, introduced in 2.69, on TCP request when dnsmasq | |
| compiled with DNSSEC support, but running without DNSSEC | |
| enabled. Thanks to Manish Sing for spotting that one. | |
| Fix regression which broke ipset functionality. Thanks to | |
| Wang Jian for the bug report. | |
| version 2.69 | |
| Implement dynamic interface discovery on *BSD. This allows | |
| the contructor: syntax to be used in dhcp-range for DHCPv6 | |
| on the BSD platform. Thanks to Matthias Andree for | |
| valuable research on how to implement this. | |
| Fix infinite loop associated with some --bogus-nxdomain | |
| configs. Thanks fogobogo for the bug report. | |
| Fix missing RA RDNS option with configuration like | |
| --dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer | |
| for spotting the problem. | |
| Add [fd00::] and [fe80::] as special addresses in DHCPv6 | |
| options, analogous to [::]. [fd00::] is replaced with the | |
| actual ULA of the interface on the machine running | |
| dnsmasq, [fe80::] with the link-local address. | |
| Thanks to Tsachi Kimeldorfer for championing this. | |
| DNSSEC validation and caching. Dnsmasq needs to be | |
| compiled with this enabled, with | |
| make dnsmasq COPTS=-DHAVE_DNSSEC | |
| this add dependencies on the nettle crypto library and the | |
| gmp maths library. It's possible to have these linked | |
| statically with | |
| make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC' | |
| which bloats the dnsmasq binary, but saves the size of | |
| the shared libraries which are much bigger. | |
| To enable, DNSSEC, you will need a set of | |
| trust-anchors. Now that the TLDs are signed, this can be | |
| the keys for the root zone, and for convenience they are | |
| included in trust-anchors.conf in the dnsmasq | |
| distribution. You should of course check that these are | |
| legitimate and up-to-date. So, adding | |
| conf-file=/path/to/trust-anchors.conf | |
| dnssec | |
| to your config is all thats needed to get things | |
| working. The upstream nameservers have to be DNSSEC-capable | |
| too, of course. Many ISP nameservers aren't, but the | |
| Google public nameservers (8.8.8.8 and 8.8.4.4) are. | |
| When DNSSEC is configured, dnsmasq validates any queries | |
| for domains which are signed. Query results which are | |
| bogus are replaced with SERVFAIL replies, and results | |
| which are correctly signed have the AD bit set. In | |
| addition, and just as importantly, dnsmasq supplies | |
| correct DNSSEC information to clients which are doing | |
| their own validation, and caches DNSKEY, DS and RRSIG | |
| records, which significantly improve the performance of | |
| downstream validators. Setting --log-queries will show | |
| DNSSEC in action. | |
| If a domain is returned from an upstream nameserver without | |
| DNSSEC signature, dnsmasq by default trusts this. This | |
| means that for unsigned zone (still the majority) there | |
| is effectively no cost for having DNSSEC enabled. Of course | |
| this allows an attacker to replace a signed record with a | |
| false unsigned record. This is addressed by the | |
| --dnssec-check-unsigned flag, which instructs dnsmasq | |
| to prove that an unsigned record is legitimate, by finding | |
| a secure proof that the zone containing the record is not | |
| signed. Doing this has costs (typically one or two extra | |
| upstream queries). It also has a nasty failure mode if | |
| dnsmasq's upstream nameservers are not DNSSEC capable. | |
| Without --dnssec-check-unsigned using such an upstream | |
| server will simply result in not queries being validated; | |
| with --dnssec-check-unsigned enabled and a | |
| DNSSEC-ignorant upstream server, _all_ queries will fail. | |
| Note that DNSSEC requires that the local time is valid and | |
| accurate, if not then DNSSEC validation will fail. NTP | |
| should be running. This presents a problem for routers | |
| without a battery-backed clock. To set the time needs NTP | |
| to do DNS lookups, but lookups will fail until NTP has run. | |
| To address this, there's a flag, --dnssec-no-timecheck | |
| which disables the time checks (only) in DNSSEC. When dnsmasq | |
| is started and the clock is not synced, this flag should | |
| be used. As soon as the clock is synced, SIGHUP dnsmasq. | |
| The SIGHUP clears the cache of partially-validated data and | |
| resets the no-timecheck flag, so that all DNSSEC checks | |
| henceforward will be complete. | |
| The development of DNSSEC in dnsmasq was started by | |
| Giovanni Bajo, to whom huge thanks are owed. It has been | |
| supported by Comcast, whose techfund grant has allowed for | |
| an invaluable period of full-time work to get it to | |
| a workable state. | |
| Add --rev-server. Thanks to Dave Taht for suggesting this. | |
| Add --servers-file. Allows dynamic update of upstream servers | |
| full access to configuration. | |
| Add --local-service. Accept DNS queries only from hosts | |
| whose address is on a local subnet, ie a subnet for which | |
| an interface exists on the server. This option | |
| only has effect if there are no --interface --except-interface, | |
| --listen-address or --auth-server options. It is intended | |
| to be set as a default on installation, to allow | |
| unconfigured installations to be useful but also safe from | |
| being used for DNS amplification attacks. | |
| Fix crashes in cache_get_cname_target() when dangling CNAMEs | |
| encountered. Thanks to Andy and the rt-n56u project for | |
| find this and helping to chase it down. | |
| Fix wrong RCODE in authoritative DNS replies to PTR queries. The | |
| correct answer was included, but the RCODE was set to NXDOMAIN. | |
| Thanks to Craig McQueen for spotting this. | |
| Make statistics available as DNS queries in the .bind TLD as | |
| well as logging them. | |
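
Review bot: the 2.69 DNSSEC write-up has wording errors that should go in with the same change: "contructor:" should be "constructor:", "this add dependencies" should be "this adds dependencies", "thats" should be "that's", "will simply result in not queries being validated" should be "in no queries being validated", and "for find this" should be "for finding this". More importantly, the two-line example (`conf-file=/path/to/trust-anchors.conf` then `dnssec`) is described as "all thats needed to get things working", while the text a few lines later explains that without `--dnssec-check-unsigned` an attacker can replace a signed record with an unsigned one and dnsmasq will trust it; the snippet should either include `dnssec-check-unsigned` or carry a sentence right beside it saying that the minimal config accepts unsigned answers without proof, and that adding the check makes all queries fail behind a DNSSEC-ignorant upstream. The `--dnssec-no-timecheck` paragraph should also say plainly that signature validity periods stay unchecked until the SIGHUP is sent, so a startup script that sets the flag but never sends the signal leaves that check disabled for the life of the process.
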
| version 2.68 | |
| Use random addresses for DHCPv6 temporary address | |
| allocations, instead of algorithmically determined stable | |
| addresses. | |
| Fix bug which meant that the DHCPv6 DUID was not available | |
| in DHCP script runs during the lifetime of the dnsmasq | |
| process which created the DUID de-novo. Once the DUID was | |
| created and stored in the lease file and dnsmasq | |
| restarted, this bug disappeared. | |
| Fix bug introduced in 2.67 which could result in erroneous | |
| NXDOMAIN returns to CNAME queries. | |
| Fix build failures on MacOS X and openBSD. | |
| Allow subnet specifications in --auth-zone to be interface | |
| names as well as address literals. This makes it possible | |
| to configure authoritative DNS when local address ranges | |
| are dynamic and works much better than the previous | |
| work-around which exempted contructed DHCP ranges from the | |
| IP address filtering. As a consequence, that work-around | |
| is removed. Under certain circumstances, this change wil | |
| break existing configuration: if you're relying on the | |
| contructed-range exception, you need to change --auth-zone | |
| to specify the same interface as is used to construct your | |
| DHCP ranges, probably with a trailing "/6" like this: | |
| --auth-zone=example.com,eth0/6 to limit the addresses to | |
| IPv6 addresses of eth0. | |
| Fix problems when advertising deleted IPv6 prefixes. If | |
| the prefix is deleted (rather than replaced), it doesn't | |
| get advertised with zero preferred time. Thanks to Tsachi | |
| for the bug report. | |
| Fix segfault with some locally configured CNAMEs. Thanks | |
| to Andrew Childs for spotting the problem. | |
| Fix memory leak on re-reading /etc/hosts and friends, | |
| introduced in 2.67. | |
| Check the arrival interface of incoming DNS and TFTP | |
| requests via IPv6, even in --bind-interfaces mode. This | |
| isn't possible for IPv4 and can generate scary warnings, | |
| but as it's always possible for IPv6 (the API always | |
| exists) then we should do it always. | |
| Tweak the rules on prefix-lengths in --dhcp-range for | |
| IPv6. The new rule is that the specified prefix length | |
| must be larger than or equal to the prefix length of the | |
| corresponding address on the local interface. | |
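
Review bot: the --auth-zone entry in 2.68 misspells "constructed" twice ("contructed DHCP ranges", "contructed-range exception") and has "wil" for "will". Since this entry also documents a backwards-incompatible change, the sentence "Under certain circumstances, this change will break existing configuration" would be far easier to spot if it opened the entry instead of sitting mid-paragraph after the rationale; the fix-up instruction (`--auth-zone=example.com,eth0/6`) is good and should stay next to it.
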
| version 2.67 | |
| Fix crash if upstream server returns SERVFAIL when | |
| --conntrack in use. Thanks to Giacomo Tazzari for finding | |
| this and supplying the patch. | |
| Repair regression in 2.64. That release stopped sending | |
| lease-time information in the reply to DHCPINFORM | |
| requests, on the correct grounds that it was a standards | |
| violation. However, this broke the dnsmasq-specific | |
| dhcp_lease_time utility. Now, DHCPINFORM returns | |
| lease-time only if it's specifically requested | |
| (maintaining standards) and the dhcp_lease_time utility | |
| has been taught to ask for it (restoring functionality). | |
| Fix --dhcp-match, --dhcp-vendorclass and --dhcp-userclass | |
| to work with BOOTP and well as DHCP. Thanks to Peter | |
| Korsgaard for spotting the problem. | |
| Add --synth-domain. Thanks to Vishvananda Ishaya for | |
| suggesting this. | |
| Fix failure to compile ipset.c if old kernel headers are | |
| in use. Thanks to Eugene Rudoy for pointing this out. | |
| Handle IPv4 interface-address labels in Linux. These are | |
| often used to emulate the old IP-alias addresses. Before, | |
| using --interface=eth0 would service all the addresses of | |
| eth0, including ones configured as aliases, which appear | |
| in ifconfig as eth0:0. Now, only addresses with the label | |
| eth0 are active. This is not backwards compatible: if you | |
| want to continue to bind the aliases too, you need to add | |
| eg. --interface=eth0:0 to the config. | |
| Fix "failed to set SO_BINDTODEVICE on DHCP socket: Socket | |
| operation on non-socket" error on startup with | |
| configurations which have exactly one --interface option | |
| and do RA but _not_ DHCPv6. Thanks to Trever Adams for the | |
| bug report. | |
| Generalise --interface-name to cope with IPv6 addresses | |
| and multiple addresses per interface per address family. | |
| Fix option parsing for --dhcp-host, which was generating a | |
| spurious error when all seven possible items were | |
| included. Thanks to Zhiqiang Wang for the bug report. | |
| Remove restriction on prefix-length in --auth-zone. Thanks | |
| to Toke Hoiland-Jorgensen for suggesting this. | |
| Log when the maximum number of concurrent DNS queries is | |
| reached. Thanks to Marcelo Salhab Brogliato for the patch. | |
| If wildcards are used in --interface, don't assume that | |
| there will only ever be one available interface for DHCP | |
| just because there is one at start-up. More may appear, so | |
| we can't use SO_BINDTODEVICE. Thanks to Natrio for the bug | |
| report. | |
| Increase timeout/number of retries in TFTP to accomodate | |
| AudioCodes Voice Gateways doing streaming writes to flash. | |
| Thanks to Damian Kaczkowski for spotting the problem. | |
| Fix crash with empty DHCP string options when adding zero | |
| terminator. Thanks to Patrick McLean for the bug report. | |
| Allow hostnames to start with a number, as allowed in | |
| RFC-1123. Thanks to Kyle Mestery for the patch. | |
| Fixes to DHCP FQDN option handling: don't terminate FQDN | |
| if domain not known and allow a FQDN option with blank | |
| name to request that a FQDN option is returned in the | |
| reply. Thanks to Roy Marples for the patch. | |
| Make --clear-on-reload apply to setting upstream servers | |
| via DBus too. | |
| When the address which triggered the construction of an | |
| advertised IPv6 prefix disappears, continue to advertise | |
| the prefix for up to 2 hours, with the preferred lifetime | |
| set to zero. This satisfies RFC 6204 4.3 L-13 and makes | |
| things work better if a prefix disappears without being | |
| deprecated first. Thanks to Uwe Schindler for persuasively | |
| arguing for this. | |
| Fix MAC address enumeration on *BSD. Thanks to Brad Smith | |
| for the bug report. | |
| Support RFC-4242 information-refresh-time options in the | |
| reply to DHCPv6 information-request. The lease time of the | |
| smallest valid dhcp-range is sent. Thanks to Uwe Schindler | |
| for suggesting this. | |
| Make --listen-address higher priority than --except-interface | |
| in all circumstances. Thanks to Thomas Hood for the bugreport. | |
| Provide independent control over which interfaces get TFTP | |
| service. If enable-tftp is given a list of interfaces, then TFTP | |
| is provided on those. Without the list, the previous behaviour | |
| (provide TFTP to the same interfaces we provide DHCP to) | |
| is retained. Thanks to Lonnie Abelbeck for the suggestion. | |
| Add --dhcp-relay config option. Many thanks to vtsl.net | |
| for sponsoring this development. | |
| Fix crash with empty tag: in --dhcp-range. Thanks to | |
| Kaspar Schleiser for the bug report. | |
| Add "baseline" and "bloatcheck" makefile targets, for | |
| revealing size changes during development. Thanks to | |
| Vladislav Grishenko for the patch. | |
| Cope with DHCPv6 clients which send REQUESTs without | |
| address options - treat them as SOLICIT with rapid commit. | |
| Support identification of clients by MAC address in | |
| DHCPv6. When using a relay, the relay must support RFC | |
| 6939 for this to work. It always works for directly | |
| connected clients. Thanks to Vladislav Grishenko | |
| for prompting this feature. | |
| Remove the rule for constructed DHCP ranges that the local | |
| address must be either the first or last address in the | |
| range. This was originally to avoid SLAAC addresses, but | |
| we now explicitly autoconfig and privacy addresses instead. | |
| Update Polish translation. Thanks to Jan Psota. | |
| Fix problem in DHCPv6 vendorclass/userclass matching | |
| code. Thanks to Tanguy Bouzeloc for the patch. | |
| Update Spanish transalation. Thanks to Vicente Soriano. | |
| Add --ra-param option. Thanks to Vladislav Grishenko for | |
| inspiration on this. | |
| Add --add-subnet configuration, to tell upstream DNS | |
| servers where the original client is. Thanks to DNSthingy | |
| for sponsoring this feature. | |
| Add --quiet-dhcp, --quiet-dhcp6 and --quiet-ra. Thanks to | |
| Kevin Darbyshire-Bryant for the initial patch. | |
| Allow A/AAAA records created by --interface-name to be the | |
| target of --cname. Thanks to Hadmut Danisch for the | |
| suggestion. | |
| Avoid treating a --dhcp-host which has an IPv6 address | |
| as eligable for use with DHCPv4 on the grounds that it has | |
| no address, and vice-versa. Thanks to Yury Konovalov for | |
| spotting the problem. | |
| Do a better job caching dangling CNAMEs. Thanks to Yves | |
| Dorfsman for spotting the problem. | |
| version 2.66 | version 2.66 |
| Add the ability to act as an authoritative DNS | Add the ability to act as an authoritative DNS |
| server. Dnsmasq can now answer queries from the wider 'net | server. Dnsmasq can now answer queries from the wider 'net |
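
Review bot: in the 2.67 entries, "to work with BOOTP and well as DHCP" should read "as well as DHCP", "accomodate" should be "accommodate", "transalation" should be "translation", and "eligable" should be "eligible". Also, "Add --synth-domain", "Add --dhcp-relay config option" and "Add --ra-param option" give no description of what the option does, unlike the --add-subnet entry in the same block; a one-line summary for each would help anyone auditing a configuration for unfamiliar directives, particularly --dhcp-relay and --add-subnet, which change what dnsmasq forwards and to whom.
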