--- embedaddon/dnsmasq/CHANGELOG	2013/07/29 19:37:40	1.1
+++ embedaddon/dnsmasq/CHANGELOG	2016/11/02 09:57:01	1.1.1.3
@@ -1,3 +1,678 @@
+version 2.76
+            Include 0.0.0.0/8 in DNS rebind checks. This range 
+	    translates to hosts on  the local network, or, at 
+	    least, 0.0.0.0 accesses the local host, so could
+	    be targets for DNS rebinding. See RFC 5735 section 3 
+	    for details. Thanks to Stephen Röttger for the bug report.
+
+	    Enhance --add-subnet to allow arbitrary subnet addresses.
+            Thanks to Ed Barsley for the patch.
+
+	    Respect the --no-resolv flag in inotify code. Fixes bug
+	    which caused dnsmasq to fail to start if a resolv-file 
+	    was a dangling symbolic link, even of --no-resolv set.
+	    Thanks to Alexander Kurtz for spotting the problem.
+
+	    Fix crash when an A or AAAA record is defined locally,
+	    in a hosts file, and an upstream server sends a reply
+	    that the same name is empty. Thanks to Edwin Török for
+	    the patch.
+
+	    Fix failure to correctly calculate cache-size when 
+	    reading a hosts-file fails. Thanks to André Glüpker 
+	    for the patch.
+
+	    Fix wrong answer to simple name query when --domain-needed
+	    set, but no upstream servers configured. Dnsmasq returned
+	    REFUSED, in this case, when it should be the same as when
+	    upstream servers are configured - NOERROR. Thanks to 
+	    Allain Legacy for spotting the problem.
+
+	    Return REFUSED when running out of forwarding table slots,
+	    not SERVFAIL.
+
+            Add --max-port configuration. Thanks to Hans Dedecker for
+	    the patch.
+
+	    Add --script-arp and two new functions for the dhcp-script.
+	    These are "arp" and "arp-old" which announce the arrival and
+	    removal of entries in the ARP or nieghbour tables.
+
+	    Extend --add-mac to allow a new encoding of the MAC address 
+	    as base64, by configurting --add-mac=base64
+ 
+	    Add --add-cpe-id option.
+
+            Don't crash with divide-by-zero if an IPv6 dhcp-range
+	    is declared as a whole /64.
+	    (ie xx::0 to xx::ffff:ffff:ffff:ffff) 
+	    Thanks to Laurent Bendel for spotting this problem.
+
+	    Add support for a TTL parameter in --host-record and
+	    --cname.
+
+	    Add --dhcp-ttl option.
+
+	    Add --tftp-mtu option. Thanks to Patrick McLean for the 
+	    initial patch.
+
+	    Check return-code of inet_pton() when parsing dhcp-option.
+	    Bad addresses could fail to generate errors and result in
+	    garbage dhcp-options being sent. Thanks to Marc Branchaud 
+	    for spotting this.
+
+	    Fix wrong value for EDNS UDP packet size when using 
+	    --servers-file to define upstream DNS servers. Thanks to
+	    Scott Bonar for the bug report.
+
+	    Move the dhcp_release and dhcp_lease_time tools from 
+	    contrib/wrt to contrib/lease-tools.
+
+	    Add dhcp_release6 to contrib/lease-tools. Many thanks 
+	    to Sergey Nechaev for this code.
+
+	    To avoid filling logs in configurations which define
+	    many upstream nameservers, don't log more that 30 servers.
+	    The number to be logged can be changed as SERVERS_LOGGED
+	    in src/config.h.
+
+	    Swap the values if BC_EFI and x86-64_EFI in --pxe-service. 
+	    These were previously wrong due to an error in RFC 4578.
+	    If you're using BC_EFI to boot 64-bit EFI machines, you
+	    will need to update your config.
+
+	    Add ARM32_EFI and ARM64_EFI as valid architectures in
+	    --pxe-service.
+
+            Fix PXE booting for UEFI architectures. Modify PXE boot
+	    sequence in this case to force the client to talk to dnsmasq
+	    over port 4011. This makes PXE and especially proxy-DHCP PXE
+	    work with these archictectures.
+
+	    Workaround problems with UEFI PXE clients. There exist
+	    in the wild PXE clients which have problems with PXE
+	    boot menus. To work around this, when there's a single
+	    --pxe-service which applies to client, then that target
+	    will be booted directly, rather then sending a
+	    single-item boot menu.
+
+            Many thanks to Jarek Polok, Michael Kuron and Dreamcat4 
+	    for their work on the long-standing UEFI PXE problem.
+
+	    Subtle change in the semantics of "basename" in
+	    --pxe-service. The historical behaviour has always been
+	    that the actual filename downloaded from the TFTP server
+	    is <basename>.<layer> where <layer> is an integer which
+	    corresponds to the layer parameter supplied by the client.
+	    It's not clear what the function of the "layer" 
+	    actually is in the PXE protocol, and in practise layer 
+	    is always zero, so the filename is <basename>.0
+	    The new behaviour is the same as the old, except when
+	    <basename> includes a file suffix, in which case
+	    the layer suffix is no longer added. This allows
+	    sensible suffices to be used, rather then the
+	    meaningless ".0". Only in the unlikely event that you
+	    have a config with a basename which already has a
+	    suffix, is this an incompatible change, since the file
+	    downloaded will change from name.suffix.0 to just 
+	    name.suffix
+
+
+version 2.75
+            Fix reversion on 2.74 which caused 100% CPU use when a 
+	    dhcp-script is configured. Thanks to Adrian Davey for
+	    reporting the bug and testing the fix.
+
+	
+version 2.74
+            Fix reversion in 2.73 where --conf-file would attempt to
+	    read the default file, rather than no file.
+
+	    Fix inotify code to handle dangling symlinks better and
+	    not SEGV in some circumstances.
+
+	    DNSSEC fix. In the case of a signed CNAME generated by a
+	    wildcard which pointed to an unsigned domain, the wrong
+            status would be logged, and some necessary checks omitted.
+	
+
+version 2.73
+            Fix crash at startup when an empty suffix is supplied to
+	    --conf-dir, also trivial memory leak. Thanks to 
+	    Tomas Hozza for spotting this.
+
+	    Remove floor of 4096 on advertised EDNS0 packet size when 
+	    DNSSEC in use, the original rationale for this has long gone.
+	    Thanks to Anders Kaseorg for spotting this.
+
+	    Use inotify for checking on updates to /etc/resolv.conf and
+	    friends under Linux. This fixes race conditions when the files are 
+	    updated rapidly and saves CPU by noy polling. To build
+	    a binary that runs on old Linux kernels without inotify,
+	    use make COPTS=-DNO_INOTIFY
+
+	    Fix breakage of --domain=<domain>,<subnet>,local - only reverse
+	    queries were intercepted. THis appears to have been broken 
+	    since 2.69. Thanks to Josh Stone for finding the bug.
+
+	    Eliminate IPv6 privacy addresses and deprecated addresses from
+	    the answers given by --interface-name. Note that reverse queries
+	    (ie looking for names, given addresses) are not affected. 
+	    Thanks to Michael Gorbach for the suggestion.
+
+	    Fix crash in DNSSEC code with long RRs. Thanks to Marco Davids
+	    for the bug report.
+	    
+	    Add --ignore-address option. Ignore replies to A-record 
+	    queries which include the specified address. No error is
+	    generated, dnsmasq simply continues to listen for another 
+	    reply. This is useful to defeat blocking strategies which
+	    rely on quickly supplying a forged answer to a DNS 
+	    request for certain domains, before the correct answer can
+            arrive. Thanks to Glen Huang for the patch.
+	
+	    Revisit the part of DNSSEC validation which determines if an 
+	    unsigned answer is legit, or is in some part of the DNS 
+	    tree which should be signed. Dnsmasq now works from the 
+	    DNS root downward looking for the limit of signed 
+	    delegations, rather than working bottom up. This is 
+	    both more correct, and less likely to trip over broken 
+	    nameservers in the unsigned parts of the DNS tree 
+	    which don't respond well to DNSSEC queries.
+
+	    Add --log-queries=extra option, which makes logs easier
+	    to search automatically.
+
+	    Add --min-cache-ttl option. I've resisted this for a long 
+	    time, on the grounds that disbelieving TTLs is never a 
+	    good idea, but I've been persuaded that there are 
+	    sometimes reasons to do it. (Step forward, GFW).
+	    To avoid misuse, there's a hard limit on the TTL 
+	    floor of one hour. Thansk to RinSatsuki for the patch.
+
+	    Cope with multiple interfaces with the same link-local 
+	    address. (IPv6 addresses are scoped, so this is allowed.)
+	    Thanks to Cory Benfield for help with this.
+
+	    Add --dhcp-hostsdir. This allows addition of new host
+	    configurations to a running dnsmasq instance much more 
+	    cheaply than having dnsmasq re-read all its existing
+	    configuration each time. 
+	
+	    Don't reply to DHCPv6 SOLICIT messages if we're not 
+	    configured to do stateful DHCPv6. Thanks to Win King Wan 
+	    for the patch.
+
+	    Fix broken DNSSEC validation of ECDSA signatures.
+
+	    Add --dnssec-timestamp option, which provides an automatic
+	    way to detect when the system time becomes valid after 
+	    boot on systems without an RTC, whilst allowing DNS 
+	    queries before the clock is valid so that NTP can run. 
+	    Thanks to Kevin Darbyshire-Bryant for developing this idea.
+
+	    Add --tftp-no-fail option. Thanks to Stefan Tomanek for
+	    the patch.
+
+	    Fix crash caused by looking up servers.bind, CHAOS text 
+	    record, when more than about five --servers= lines are 
+	    in the dnsmasq config. This causes memory corruption 
+	    which causes a crash later. Thanks to Matt Coddington for 
+	    sterling work chasing this down.
+
+	    Fix crash on receipt of certain malformed DNS requests.
+	    Thanks to Nick Sampanis for spotting the problem.
+	    Note that this is could allow the dnsmasq process's
+	    memory to be read by an attacker under certain
+	    circumstances, so it has a CVE, CVE-2015-3294 
+
+            Fix crash in authoritative DNS code, if a .arpa zone 
+	    is declared as authoritative, and then a PTR query which
+	    is not to be treated as authoritative arrived. Normally, 
+	    directly declaring .arpa zone as authoritative is not 
+	    done, so this crash wouldn't be seen. Instead the 
+	    relevant .arpa zone should be specified as a subnet
+	    in the auth-zone declaration. Thanks to Johnny S. Lee
+	    for the bugreport and initial patch.
+
+	    Fix authoritative DNS code to correctly reply to NS 
+	    and SOA queries for .arpa zones for which we are 
+	    declared authoritative by means of a subnet in auth-zone.
+	    Previously we provided correct answers to PTR queries
+	    in such zones (including NS and SOA) but not direct
+	    NS and SOA queries. Thanks to Johnny S. Lee for 
+ 	    pointing out the problem.
+
+	    Fix logging of DHCPREPLY which should be suppressed 
+	    by quiet-dhcp6. Thanks to J. Pablo Abonia for 
+	    spotting the problem.
+
+	    Try and handle net connections with broken fragmentation 
+	    that lose large UDP packets. If a server times out, 
+            reduce the maximum UDP packet size field in the EDNS0
+	    header to 1280 bytes. If it then answers, make that
+	    change permanent.
+
+	    Check IPv4-mapped IPv6 addresses when --stop-rebind
+	    is active. Thanks to Jordan Milne for spotting this.
+
+	    Allow DHCPv4 options T1 and T2 to be set using --dhcp-option.
+	    Thanks to Kevin Benton for patches and work on this.
+
+            Fix code for DHCPCONFIRM DHCPv6 messages to confirm addresses
+	    in the correct subnet, even of not in dynamic address 
+	    allocation range. Thanks to Steve Hirsch for spotting
+	    the problem.
+
+	    Add AddDhcpLease and DeleteDhcpLease DBus methods. Thanks
+	    to Nicolas Cavallari for the patch.
+
+	    Allow configuration of router advertisements without the 
+	    "on-link" bit set. Thanks to Neil Jerram for the patch.
+
+	    Extend --bridge-interface to DHCPv6 and router 
+	    advertisements. Thanks to Neil Jerram for the patch.
+	
+	
+version 2.72
+            Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.
+
+	    Add support for "ipsets" in *BSD, using pf. Thanks to 
+	    Sven Falempim for the patch.
+
+	    Fix race condition which could lock up dnsmasq when an 
+	    interface goes down and up rapidly. Thanks to Conrad 
+	    Kostecki for helping to chase this down.
+
+	    Add DBus methods SetFilterWin2KOption and SetBogusPrivOption
+	    Thanks to the Smoothwall project for the patch.
+
+	    Fix failure to build against Nettle-3.0. Thanks to Steven 
+	    Barth for spotting this and finding the fix. 
+	    
+	    When assigning existing DHCP leases to intefaces by comparing 
+	    networks, handle the case that two or more interfaces have the
+	    same network part, but different prefix lengths (favour the
+	    longer prefix length.) Thanks to Lung-Pin Chang for the 
+	    patch.
+	    
+	    Add a mode which detects and removes DNS forwarding loops, ie 
+	    a query sent to an upstream server returns as a new query to 
+	    dnsmasq, and would therefore be forwarded again, resulting in 
+	    a query which loops many times before being dropped. Upstream
+	    servers which loop back are disabled and this event is logged.
+	    Thanks to Smoothwall for their sponsorship of this feature.
+
+	    Extend --conf-dir to allow filtering of files. So
+	    --conf-dir=/etc/dnsmasq.d,\*.conf
+	    will load all the files in /etc/dnsmasq.d which end in .conf
+ 
+            Fix bug when resulted in NXDOMAIN answers instead of NODATA in
+            some circumstances.
+
+	    Fix bug which caused dnsmasq to become unresponsive if it 
+	    failed to send packets due to a network interface disappearing.
+	    Thanks to Niels Peen for spotting this.
+	    	    
+            Fix problem with --local-service option on big-endian platforms
+	    Thanks to Richard Genoud for the patch.
+
+	
+version 2.71
+            Subtle change to error handling to help DNSSEC validation 
+	    when servers fail to provide NODATA answers for 
+	    non-existent DS records.
+
+	    Tweak code which removes DNSSEC records from answers when
+	    not required. Fixes broken answers when additional section
+	    has real records in it. Thanks to Marco Davids for the bug 
+	    report.
+
+	    Fix DNSSEC validation of ANY queries. Thanks to Marco Davids
+	    for spotting that too.
+
+	    Fix total DNS failure and 100% CPU use if cachesize set to zero,
+	    regression introduced in 2.69. Thanks to James Hunt and
+	    the Ubuntu crowd for assistance in fixing this.
+
+
+version 2.70
+            Fix crash, introduced in 2.69, on TCP request when dnsmasq
+	    compiled with DNSSEC support, but running without DNSSEC
+	    enabled. Thanks to Manish Sing for spotting that one.
+
+	    Fix regression which broke ipset functionality. Thanks to 
+	    Wang Jian for the bug report.
+
+
+version 2.69
+	    Implement dynamic interface discovery on *BSD. This allows
+	    the contructor: syntax to be used in dhcp-range for DHCPv6
+	    on the BSD platform. Thanks to Matthias Andree for
+	    valuable research on how to implement this.
+
+	    Fix infinite loop associated with some --bogus-nxdomain
+	    configs. Thanks fogobogo for the bug report.
+
+	    Fix missing RA RDNS option with configuration like
+	    --dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer
+	    for spotting the problem.
+
+	    Add [fd00::] and [fe80::] as special addresses in DHCPv6
+	    options, analogous to [::]. [fd00::] is replaced with the
+	    actual ULA of the interface on the machine running
+	    dnsmasq, [fe80::] with the link-local address. 
+	    Thanks to Tsachi Kimeldorfer for championing this.
+
+	    DNSSEC validation and caching. Dnsmasq needs to be
+	    compiled with this enabled, with 
+	    
+	    make dnsmasq COPTS=-DHAVE_DNSSEC
+	    
+	    this add dependencies on the nettle crypto library and the 
+	    gmp maths library. It's possible to have these linked
+	    statically with
+	    
+	    make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'
+	    
+	    which bloats the dnsmasq binary, but saves the size of 
+	    the shared libraries which are much bigger.
+
+	    To enable, DNSSEC, you will need a set of
+	    trust-anchors. Now that the TLDs are signed, this can be
+	    the keys for the root zone, and for convenience they are
+	    included in trust-anchors.conf in the dnsmasq
+	    distribution. You should of course check that these are
+	    legitimate and up-to-date. So, adding
+	    
+	    conf-file=/path/to/trust-anchors.conf
+	    dnssec
+
+	    to your config is all thats needed to get things
+	    working. The upstream nameservers have to be DNSSEC-capable
+	    too, of course. Many ISP nameservers aren't, but the
+	    Google public nameservers (8.8.8.8 and 8.8.4.4) are.
+	    When DNSSEC is configured, dnsmasq validates any queries 
+	    for domains which are signed. Query results which are 
+	    bogus are replaced with SERVFAIL replies, and results 
+	    which are correctly signed have the AD bit set. In 
+	    addition, and just as importantly, dnsmasq supplies 
+	    correct DNSSEC information to clients which are doing 
+	    their own validation, and caches DNSKEY, DS and RRSIG
+	    records, which significantly improve the performance of 
+	    downstream validators. Setting --log-queries will show 
+	    DNSSEC in action.
+
+	    If a domain is returned from an upstream nameserver without 
+	    DNSSEC signature, dnsmasq by default trusts this. This 
+	    means that for unsigned zone (still the majority) there 
+	    is effectively no cost for having DNSSEC enabled. Of course
+	    this allows an attacker to replace a signed record with a 
+	    false unsigned record. This is addressed by the 
+	    --dnssec-check-unsigned flag, which instructs dnsmasq
+	    to prove that an unsigned record is legitimate, by finding  
+	    a secure proof that the zone containing the record is not
+	    signed. Doing this has costs (typically one or two extra
+	    upstream queries). It also has a nasty failure mode if
+	    dnsmasq's upstream nameservers are not DNSSEC capable. 
+	    Without --dnssec-check-unsigned using such an upstream
+	    server will simply result in not queries being validated; 
+	    with --dnssec-check-unsigned enabled and a 
+	    DNSSEC-ignorant upstream server, _all_ queries will fail.
+
+	    Note that DNSSEC requires that the local time is valid and 
+	    accurate, if not then DNSSEC validation will fail. NTP 
+	    should be running. This presents a problem for routers
+	    without a battery-backed clock. To set the time needs NTP 
+	    to do DNS lookups, but lookups will fail until NTP has run.
+	    To address this, there's a flag, --dnssec-no-timecheck 
+	    which disables the time checks (only) in DNSSEC. When dnsmasq
+	    is started and the clock is not synced, this flag should
+	    be used. As soon as the clock is synced, SIGHUP dnsmasq. 
+	    The SIGHUP clears the cache of partially-validated data and
+	    resets the no-timecheck flag, so that all DNSSEC checks 
+	    henceforward will be complete.
+	    
+	    The development of DNSSEC in dnsmasq was started by 
+	    Giovanni Bajo, to whom huge thanks are owed. It has been
+	    supported by Comcast, whose techfund grant has allowed for 
+	    an invaluable period of full-time work to get it to 
+	    a workable state.
+ 
+	    Add --rev-server. Thanks to Dave Taht for suggesting this.
+	    
+	    Add --servers-file. Allows dynamic update of upstream servers 
+	    full access to configuration. 
+
+	    Add --local-service. Accept DNS queries only from hosts 
+            whose address is on a local subnet, ie a subnet for which 
+            an interface exists on the server. This option
+            only has effect if there are no --interface --except-interface,
+            --listen-address or --auth-server options. It is intended 
+            to be set as a default on installation, to allow
+            unconfigured installations to be useful but also safe from 
+	    being used for DNS amplification attacks.
+
+	    Fix crashes in cache_get_cname_target() when dangling CNAMEs
+	    encountered. Thanks to Andy and the rt-n56u project for
+	    find this and helping to chase it down.
+
+	    Fix wrong RCODE in authoritative DNS replies to PTR queries. The
+	    correct answer was included, but the RCODE was set to NXDOMAIN.
+	    Thanks to Craig McQueen for spotting this.
+
+	    Make statistics available as DNS queries in the .bind TLD as 
+	    well as logging them.
+
+
+version 2.68
+            Use random addresses for DHCPv6 temporary address
+            allocations, instead of algorithmically determined stable
+            addresses.
+
+	    Fix bug which meant that the DHCPv6 DUID was not available
+	    in DHCP script runs during the lifetime of the dnsmasq
+	    process which created the DUID de-novo. Once the DUID was
+	    created and stored in the lease file and dnsmasq
+	    restarted, this bug disappeared.
+
+	    Fix bug introduced in 2.67 which could result in erroneous
+	    NXDOMAIN returns to CNAME queries.
+
+	    Fix build failures on MacOS X and openBSD.
+
+	    Allow subnet specifications in --auth-zone to be interface 
+	    names as well as address literals. This makes it possible
+	    to configure authoritative DNS when local address ranges
+	    are dynamic and works much better than the previous
+	    work-around which exempted contructed DHCP ranges from the
+	    IP address filtering. As a consequence, that work-around
+	    is removed. Under certain circumstances, this change wil
+	    break existing configuration: if you're relying on the
+	    contructed-range exception, you need to change --auth-zone
+	    to specify the same interface as is used to construct your
+	    DHCP ranges, probably with a trailing "/6" like this: 
+	    --auth-zone=example.com,eth0/6 to limit the addresses to
+	    IPv6 addresses of eth0.
+
+	    Fix problems when advertising deleted IPv6 prefixes. If
+	    the prefix is deleted (rather than replaced), it doesn't
+	    get advertised with zero preferred time. Thanks to Tsachi
+	    for the bug report. 
+
+	    Fix segfault with some locally configured CNAMEs. Thanks
+	    to Andrew Childs for spotting the problem.
+
+	    Fix memory leak on re-reading /etc/hosts and friends,
+	    introduced in 2.67.
+
+	    Check the arrival interface of incoming DNS and TFTP
+	    requests via IPv6, even in --bind-interfaces mode. This
+	    isn't possible for IPv4 and can generate scary warnings,
+	    but as it's always possible for IPv6 (the API always
+	    exists) then we should do it always. 
+	    
+	    Tweak the rules on prefix-lengths in --dhcp-range for
+	    IPv6. The new rule is that the specified prefix length
+	    must be larger than or equal to the prefix length of the
+	    corresponding address on the local interface. 
+
+
+version 2.67
+	    Fix crash if upstream server returns SERVFAIL when
+	    --conntrack in use. Thanks to Giacomo Tazzari for finding
+	    this and supplying the patch. 
+
+	    Repair regression in 2.64. That release stopped sending
+	    lease-time information in the reply to DHCPINFORM
+	    requests, on the correct grounds that it was a standards
+	    violation. However, this broke the dnsmasq-specific
+	    dhcp_lease_time utility. Now, DHCPINFORM returns
+	    lease-time only if it's specifically requested
+	    (maintaining standards) and the dhcp_lease_time utility
+	    has been taught to ask for it (restoring functionality). 
+
+	    Fix --dhcp-match, --dhcp-vendorclass and --dhcp-userclass
+	    to work with BOOTP and well as DHCP. Thanks to Peter
+	    Korsgaard for spotting the problem. 
+
+	    Add --synth-domain. Thanks to Vishvananda Ishaya for
+	    suggesting this.
+
+	    Fix failure to compile ipset.c if old kernel headers are
+	    in use. Thanks to Eugene Rudoy for pointing this out.
+
+	    Handle IPv4 interface-address labels in Linux. These are
+	    often used to emulate the old IP-alias addresses. Before,
+	    using --interface=eth0 would service all the addresses of
+	    eth0, including ones configured as aliases, which appear
+	    in ifconfig as eth0:0. Now, only addresses with the label
+	    eth0 are active. This is not backwards compatible: if you
+	    want to continue to bind the aliases too, you need to add
+	    eg. --interface=eth0:0 to the config. 
+	
+	    Fix "failed to set SO_BINDTODEVICE on DHCP socket: Socket 
+	    operation on non-socket" error on startup with
+	    configurations which have exactly one --interface option
+	    and do RA but _not_ DHCPv6. Thanks to Trever Adams for the
+	    bug report.
+
+	    Generalise --interface-name to cope with IPv6 addresses
+	    and multiple addresses per interface per address family.
+
+	    Fix option parsing for --dhcp-host, which was generating a
+	    spurious error when all seven possible items were
+	    included. Thanks to Zhiqiang Wang for the bug report.
+
+	    Remove restriction on prefix-length in --auth-zone. Thanks
+	    to Toke Hoiland-Jorgensen for suggesting this.
+
+	    Log when the maximum number of concurrent DNS queries is
+	    reached. Thanks to Marcelo Salhab Brogliato for the patch.
+
+	    If wildcards are used in --interface, don't assume that 
+	    there will only ever be one available interface for DHCP
+	    just because there is one at start-up. More may appear, so
+	    we can't use SO_BINDTODEVICE. Thanks to Natrio for the bug
+	    report. 
+
+	    Increase timeout/number of retries in TFTP to accomodate
+	    AudioCodes Voice Gateways doing streaming writes to flash.
+	    Thanks to Damian Kaczkowski for spotting the problem.
+
+	    Fix crash with empty DHCP string options when adding zero
+	    terminator. Thanks to Patrick McLean for the bug report.
+
+	    Allow hostnames to start with a number, as allowed in
+	    RFC-1123. Thanks to Kyle Mestery for the patch. 
+
+	    Fixes to DHCP FQDN option handling: don't terminate FQDN
+	    if domain not known and allow a FQDN option with blank
+	    name to request that a FQDN option is returned in the
+	    reply. Thanks to Roy Marples for the patch.
+
+	    Make --clear-on-reload apply to setting upstream servers
+	    via DBus too.
+
+	    When the address which triggered the construction of an
+	    advertised IPv6 prefix disappears, continue to advertise 
+	    the prefix for up to 2 hours, with the preferred lifetime
+	    set to zero. This satisfies RFC 6204 4.3 L-13 and makes
+	    things work better if a prefix disappears without being
+	    deprecated first. Thanks to Uwe Schindler for persuasively
+	    arguing for this.
+
+	    Fix MAC address enumeration on *BSD. Thanks to Brad Smith
+	    for the bug report.
+
+	    Support RFC-4242 information-refresh-time options in the 
+	    reply to DHCPv6 information-request. The lease time of the
+            smallest valid dhcp-range is sent. Thanks to Uwe Schindler 
+	    for suggesting this.
+
+	    Make --listen-address higher priority than --except-interface
+	    in all circumstances. Thanks to Thomas Hood for the bugreport.
+
+	    Provide independent control over which interfaces get TFTP 
+	    service. If enable-tftp is given a list of interfaces, then TFTP 
+	    is provided on those. Without the list, the previous behaviour
+	    (provide TFTP to the same interfaces we provide DHCP to) 
+	    is retained. Thanks to Lonnie Abelbeck for the suggestion.
+
+	    Add --dhcp-relay config option. Many thanks to vtsl.net
+	    for sponsoring this development.
+
+	    Fix crash with empty tag: in --dhcp-range. Thanks to
+	    Kaspar Schleiser for the bug report.
+
+	    Add "baseline" and "bloatcheck" makefile targets, for 
+	    revealing size changes during development. Thanks to
+	    Vladislav Grishenko for the patch. 
+
+	    Cope with DHCPv6 clients which send REQUESTs without
+	    address options - treat them as SOLICIT with rapid commit.
+
+	    Support identification of clients by MAC address in
+	    DHCPv6. When using a relay, the relay must support RFC
+	    6939 for this to work. It always works for directly
+	    connected clients. Thanks to Vladislav Grishenko
+	    for prompting this feature.
+	    
+	    Remove the rule for constructed DHCP ranges that the local
+	    address must be either the first or last address in the
+	    range. This was originally to avoid SLAAC addresses, but
+	    we now explicitly autoconfig and privacy addresses instead.  
+
+	    Update Polish translation. Thanks to Jan Psota.
+
+	    Fix problem in DHCPv6 vendorclass/userclass matching
+	    code. Thanks to Tanguy Bouzeloc for the patch.
+
+ 	    Update Spanish transalation. Thanks to Vicente Soriano.
+
+	    Add --ra-param option. Thanks to Vladislav Grishenko for
+	    inspiration on this.
+
+	    Add --add-subnet configuration, to tell upstream DNS
+	    servers where the original client is. Thanks to DNSthingy
+	    for sponsoring this feature.
+
+	    Add --quiet-dhcp, --quiet-dhcp6 and --quiet-ra. Thanks to
+	    Kevin Darbyshire-Bryant for the initial patch.
+
+	    Allow A/AAAA records created by --interface-name to be the
+	    target of --cname. Thanks to Hadmut Danisch for the
+	    suggestion. 
+
+	    Avoid treating a --dhcp-host which has an IPv6 address
+	    as eligable for use with DHCPv4 on the grounds that it has
+	    no address, and vice-versa. Thanks to Yury Konovalov for
+	    spotting the problem.
+
+	    Do a better job caching dangling CNAMEs. Thanks to Yves
+	    Dorfsman for spotting the problem.
+
+ 
 version 2.66
             Add the ability to act as an authoritative DNS
             server. Dnsmasq can now answer queries from the wider 'net
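Review bot: In the version 2.69 block, the --servers-file entry reads "Allows dynamic update of upstream servers full access to configuration.", which has lost a word and can be read as granting full access to the configuration; the sentence should state plainly whether the update works with or without that access. In the same block, the --dnssec-check-unsigned paragraph says "will simply result in not queries being validated", where "no queries" appears to be intended, and this is the sentence that describes the failure mode an operator is choosing between. Under 2.73, the CVE-2015-3294 entry ("Note that this is could allow the dnsmasq process's memory to be read") has a stray "is" in the one sentence that states the impact. Smaller spelling slips in the added lines ("nieghbour", "configurting", "archictectures", "noy polling", "Thansk") and the mixed tab and space indentation could be cleaned up in the same pass, or left alone if this file is meant to track the upstream text byte for byte, in which case the commit message should say so.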