[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: CVS commit: pkgsrc/net/dnsmasq
New version doesn't work for me.
2.72 works fine:
$ nslookup www.ya.ru
2.73 returns REFUSED:
$ nslookup www.ya.ru
** server can't find www.ya.ru: REFUSED
I don't have time to investigate right now.
Filip Hajny wrote:
> Module Name: pkgsrc
> Committed By: fhajny
> Date: Tue Jul 14 09:57:13 UTC 2015
> Modified Files:
> pkgsrc/net/dnsmasq: Makefile distinfo
> pkgsrc/net/dnsmasq/patches: patch-src_bpf.c
> Removed Files:
> pkgsrc/net/dnsmasq/patches: patch-src_rfc1035.c
> Log Message:
> Update net/dnsmasq to 2.73.
> Fix build on SunOS.
> Version 2.73
> Fix crash at startup when an empty suffix is supplied to
> --conf-dir, also trivial memory leak. Thanks to
> Tomas Hozza for spotting this.
> Remove floor of 4096 on advertised EDNS0 packet size when
> DNSSEC in use, the original rationale for this has long gone.
> Thanks to Anders Kaseorg for spotting this.
> Use inotify for checking on updates to /etc/resolv.conf and
> friends under Linux. This fixes race conditions when the files are
> updated rapidly and saves CPU by noy polling. To build
> a binary that runs on old Linux kernels without inotify,
> use make COPTS=-DNO_INOTIFY
> Fix breakage of --domain=<domain>,<subnet>,local - only reverse
> queries were intercepted. THis appears to have been broken
> since 2.69. Thanks to Josh Stone for finding the bug.
> Eliminate IPv6 privacy addresses and deprecated addresses from
> the answers given by --interface-name. Note that reverse queries
> (ie looking for names, given addresses) are not affected.
> Thanks to Michael Gorbach for the suggestion.
> Fix crash in DNSSEC code with long RRs. Thanks to Marco Davids
> for the bug report.
> Add --ignore-address option. Ignore replies to A-record
> queries which include the specified address. No error is
> generated, dnsmasq simply continues to listen for another
> reply. This is useful to defeat blocking strategies which
> rely on quickly supplying a forged answer to a DNS
> request for certain domains, before the correct answer can
> arrive. Thanks to Glen Huang for the patch.
> Revisit the part of DNSSEC validation which determines if an
> unsigned answer is legit, or is in some part of the DNS
> tree which should be signed. Dnsmasq now works from the
> DNS root downward looking for the limit of signed
> delegations, rather than working bottom up. This is
> both more correct, and less likely to trip over broken
> nameservers in the unsigned parts of the DNS tree
> which don't respond well to DNSSEC queries.
> Add --log-queries=extra option, which makes logs easier
> to search automatically.
> Add --min-cache-ttl option. I've resisted this for a long
> time, on the grounds that disbelieving TTLs is never a
> good idea, but I've been persuaded that there are
> sometimes reasons to do it. (Step forward, GFW).
> To avoid misuse, there's a hard limit on the TTL
> floor of one hour. Thansk to RinSatsuki for the patch.
> Cope with multiple interfaces with the same link-local
> address. (IPv6 addresses are scoped, so this is allowed.)
> Thanks to Cory Benfield for help with this.
> Add --dhcp-hostsdir. This allows addition of new host
> configurations to a running dnsmasq instance much more
> cheaply than having dnsmasq re-read all its existing
> configuration each time.
> Don't reply to DHCPv6 SOLICIT messages if we're not
> configured to do stateful DHCPv6. Thanks to Win King Wan
> for the patch.
> Fix broken DNSSEC validation of ECDSA signatures.
> Add --dnssec-timestamp option, which provides an automatic
> way to detect when the system time becomes valid after
> boot on systems without an RTC, whilst allowing DNS
> queries before the clock is valid so that NTP can run.
> Thanks to Kevin Darbyshire-Bryant for developing this idea.
> Add --tftp-no-fail option. Thanks to Stefan Tomanek for
> the patch.
> Fix crash caused by looking up servers.bind, CHAOS text
> record, when more than about five --servers= lines are
> in the dnsmasq config. This causes memory corruption
> which causes a crash later. Thanks to Matt Coddington for
> sterling work chasing this down.
> Fix crash on receipt of certain malformed DNS requests.
> Thanks to Nick Sampanis for spotting the problem.
> Note that this is could allow the dnsmasq process's
> memory to be read by an attacker under certain
> circumstances, so it has a CVE, CVE-2015-3294
> Fix crash in authoritative DNS code, if a .arpa zone
> is declared as authoritative, and then a PTR query which
> is not to be treated as authoritative arrived. Normally,
> directly declaring .arpa zone as authoritative is not
> done, so this crash wouldn't be seen. Instead the
> relevant .arpa zone should be specified as a subnet
> in the auth-zone declaration. Thanks to Johnny S. Lee
> for the bugreport and initial patch.
> Fix authoritative DNS code to correctly reply to NS
> and SOA queries for .arpa zones for which we are
> declared authoritative by means of a subnet in auth-zone.
> Previously we provided correct answers to PTR queries
> in such zones (including NS and SOA) but not direct
> NS and SOA queries. Thanks to Johnny S. Lee for
> pointing out the problem.
> Fix logging of DHCPREPLY which should be suppressed
> by quiet-dhcp6. Thanks to J. Pablo Abonia for
> spotting the problem.
> Try and handle net connections with broken fragmentation
> that lose large UDP packets. If a server times out,
> reduce the maximum UDP packet size field in the EDNS0
> header to 1280 bytes. If it then answers, make that
> change permanent.
> Check IPv4-mapped IPv6 addresses when --stop-rebind
> is active. Thanks to Jordan Milne for spotting this.
> Allow DHCPv4 options T1 and T2 to be set using --dhcp-option.
> Thanks to Kevin Benton for patches and work on this.
> Fix code for DHCPCONFIRM DHCPv6 messages to confirm addresses
> in the correct subnet, even of not in dynamic address
> allocation range. Thanks to Steve Hirsch for spotting
> the problem.
> Add AddDhcpLease and DeleteDhcpLease DBus methods. Thanks
> to Nicolas Cavallari for the patch.
> Allow configuration of router advertisements without the
> "on-link" bit set. Thanks to Neil Jerram for the patch.
> Extend --bridge-interface to DHCPv6 and router
> advertisements. Thanks to Neil Jerram for the patch.
> To generate a diff of this commit:
> cvs rdiff -u -r1.29 -r1.30 pkgsrc/net/dnsmasq/Makefile
> cvs rdiff -u -r1.27 -r1.28 pkgsrc/net/dnsmasq/distinfo
> cvs rdiff -u -r1.5 -r1.6 pkgsrc/net/dnsmasq/patches/patch-src_bpf.c
> cvs rdiff -u -r1.2 -r0 pkgsrc/net/dnsmasq/patches/patch-src_rfc1035.c
> Please note that diffs are not public domain; they are subject to the
> copyright notices on the relevant files.
Main Index |
Thread Index |