PKG_NAME:=dnsmasq
PKG_VERSION:=2.80test2
-PKG_RELEASE:=3
+PKG_RELEASE:=4
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/test-releases
From f84e674d8aa2316fea8d2145a40fcef0441e3856 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 4 May 2018 16:29:57 +0100
-Subject: [PATCH 01/10] Be persistent with broken-upstream-DNSSEC warnings.
+Subject: [PATCH 01/17] Be persistent with broken-upstream-DNSSEC warnings.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
---
From 0669ee7a69a004ce34fed41e50aa575f8e04427b Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 4 May 2018 16:46:24 +0100
-Subject: [PATCH 02/10] Fix DHCP broken-ness when --no-ping AND
+Subject: [PATCH 02/17] Fix DHCP broken-ness when --no-ping AND
--dhcp-sequential-ip are set.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
From 07ed585c38d8f7c0a18470d2e79cf46ea92ea96a Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 4 May 2018 21:52:22 +0100
-Subject: [PATCH 03/10] Add logging for DNS error returns from upstream and
+Subject: [PATCH 03/17] Add logging for DNS error returns from upstream and
local configuration.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
From 6b17335209639a56f214d011eaed4ebcde8dd276 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Tue, 8 May 2018 18:32:14 +0100
-Subject: [PATCH 04/10] Add packet-dump debugging facility.
+Subject: [PATCH 04/17] Add packet-dump debugging facility.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
---
From 34e26e14c5e0fb2d5f05f67858319c9db2058333 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Thu, 10 May 2018 20:54:57 +0100
-Subject: [PATCH 05/10] Retry query to other servers on receipt of SERVFAIL
+Subject: [PATCH 05/17] Retry query to other servers on receipt of SERVFAIL
rcode.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
From a0088e83640d7d1544127dd668660462e9f78e52 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Thu, 10 May 2018 21:43:14 +0100
-Subject: [PATCH 06/10] Handle query retry on REFUSED or SERVFAIL for
+Subject: [PATCH 06/17] Handle query retry on REFUSED or SERVFAIL for
DNSSEC-generated queries.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
From 1f60a18ea1c64beb8b6cffa0650a2bfad95ac352 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 11 May 2018 16:44:16 +0100
-Subject: [PATCH 07/10] Retry SERVFAIL DNSSEC queries to a different server, if
+Subject: [PATCH 07/17] Retry SERVFAIL DNSSEC queries to a different server, if
possible.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
From e27825b0ef1e79ab05b1752c8c838cb43ad39d79 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 11 May 2018 17:20:47 +0100
-Subject: [PATCH 08/10] Fix logging in previous.
+Subject: [PATCH 08/17] Fix logging in previous.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
---
From 0a496f059c1e9d75c33cce4c1211d58422ba4f62 Mon Sep 17 00:00:00 2001
From: Maarten de Vries <maarten+dnsmasq@m.de-vri.es>
Date: Fri, 11 May 2018 23:20:58 +0100
-Subject: [PATCH 09/10] Do unsolicited RAs for interfaces which appear after
+Subject: [PATCH 09/17] Do unsolicited RAs for interfaces which appear after
dnsmasq startup.
I noticed that dnsmasq often wasn't sending any unsolicited RAs for me.
From 1f1873aadd092a0fab505dd278a484d887ba0ec3 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 11 May 2018 23:38:23 +0100
-Subject: [PATCH 10/10] Log warning on very large cachesize config, instead of
+Subject: [PATCH 10/17] Log warning on very large cachesize config, instead of
truncating it.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
--- /dev/null
+From c488b68e75ee5304007eef37203c4fc10193d191 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Sat, 2 Jun 2018 13:06:00 +0100
+Subject: [PATCH 11/17] Handle standard and contructed dhcp-ranges on the same
+ interface.
+
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+---
+ CHANGELOG | 6 ++++++
+ src/dhcp6.c | 29 +++++++++++++++++------------
+ 2 files changed, 23 insertions(+), 12 deletions(-)
+
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -23,6 +23,12 @@ version 2.80
+ which packets should be dumped is given by the --dumpmask
+ option.
+
++ Handle the case of both standard and constructed dhcp-ranges on the
++ same interface better. We don't now contruct a dhcp-range if there's
++ already one specified. This allows the specified interface to
++ have different parameters and avoids advertising the same
++ prefix twice. Thanks to Luis Marsano for spotting this case.
++
+
+ version 2.79
+ Fix parsing of CNAME arguments, which are confused by extra spaces.
+--- a/src/dhcp6.c
++++ b/src/dhcp6.c
+@@ -667,23 +667,28 @@ static int construct_worker(struct in6_a
+ end6 = *local;
+ setaddr6part(&end6, addr6part(&template->end6));
+
++ /* If there's an absolute address context covering this address
++ then don't contruct one as well. */
+ for (context = daemon->dhcp6; context; context = context->next)
+- if ((context->flags & CONTEXT_CONSTRUCTED) &&
++ if (!(context->flags & CONTEXT_TEMPLATE) &&
+ IN6_ARE_ADDR_EQUAL(&start6, &context->start6) &&
+ IN6_ARE_ADDR_EQUAL(&end6, &context->end6))
+ {
+- int flags = context->flags;
+- context->flags &= ~(CONTEXT_GC | CONTEXT_OLD);
+- if (flags & CONTEXT_OLD)
++ if (context->flags & CONTEXT_CONSTRUCTED)
+ {
+- /* address went, now it's back */
+- log_context(AF_INET6, context);
+- /* fast RAs for a while */
+- ra_start_unsolicited(param->now, context);
+- param->newone = 1;
+- /* Add address to name again */
+- if (context->flags & CONTEXT_RA_NAME)
+- param->newname = 1;
++ int cflags = context->flags;
++ context->flags &= ~(CONTEXT_GC | CONTEXT_OLD);
++ if (cflags & CONTEXT_OLD)
++ {
++ /* address went, now it's back */
++ log_context(AF_INET6, context);
++ /* fast RAs for a while */
++ ra_start_unsolicited(param->now, context);
++ param->newone = 1;
++ /* Add address to name again */
++ if (context->flags & CONTEXT_RA_NAME)
++ param->newname = 1;
++ }
+ }
+ break;
+ }
--- /dev/null
+From cc5cc8f1e0b4deaaea4cbefe677989b186c84837 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Sat, 2 Jun 2018 14:45:17 +0100
+Subject: [PATCH 12/17] Sane error message when pcap file header is wrong.
+
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+---
+ src/dump.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/src/dump.c
++++ b/src/dump.c
+@@ -64,9 +64,10 @@ void dump_init(void)
+ die(_("cannot create %s: %s"), daemon->dump_file, EC_FILE);
+ }
+ else if ((daemon->dumpfd = open(daemon->dump_file, O_APPEND | O_RDWR)) == -1 ||
+- !read_write(daemon->dumpfd, (void *)&header, sizeof(header), 1) ||
+- header.magic_number != 0xa1b2c3d4)
++ !read_write(daemon->dumpfd, (void *)&header, sizeof(header), 1))
+ die(_("cannot access %s: %s"), daemon->dump_file, EC_FILE);
++ else if (header.magic_number != 0xa1b2c3d4)
++ die(_("bad header in %s"), daemon->dump_file, EC_FILE);
+ else
+ {
+ /* count existing records */
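Review bot: An existing zero-length dump file (for example one pre-created by an init script, or left by a crash before the header was written) still dies with `cannot access`, because the short read makes the read_write() test fail before the new magic-number check is ever reached — assuming read_write() returns 0 on EOF, as it appears to from its use here. Since read() at EOF does not set errno, the second `%s` that die() presumably fills from strerror() may also print a stale or "Success" error in that case. Consider fstat()-ing the descriptor after open() and treating st_size == 0 like the create branch (presumably writing a fresh header), so that `bad header` is reserved for files that are non-empty but not pcap. dump_init continues outside the hunk, so the create branch this case should share is not visible here.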
--- /dev/null
+From 090856c7e6d483bc4d7ec41f55208a9842769c45 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Sat, 2 Jun 2018 18:37:07 +0100
+Subject: [PATCH 13/17] Allow zone transfer in authoritative mode whenever
+ auth-peer is specified.
+
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+---
+ CHANGELOG | 4 ++++
+ man/dnsmasq.8 | 6 +++++-
+ src/auth.c | 5 +++--
+ 3 files changed, 12 insertions(+), 3 deletions(-)
+
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -29,6 +29,10 @@ version 2.80
+ have different parameters and avoids advertising the same
+ prefix twice. Thanks to Luis Marsano for spotting this case.
+
++ Allow zone transfer in authoritative mode if auth-peer is specified,
++ even if auth-sec-servers is not. Thanks to Raphaël Halimi for
++ the suggestion.
++
+
+ version 2.79
+ Fix parsing of CNAME arguments, which are confused by extra spaces.
+--- a/man/dnsmasq.8
++++ b/man/dnsmasq.8
+@@ -817,7 +817,11 @@ authoritative zones as dnsmasq.
+ Specify the addresses of secondary servers which are allowed to
+ initiate zone transfer (AXFR) requests for zones for which dnsmasq is
+ authoritative. If this option is not given, then AXFR requests will be
+-accepted from any secondary.
++accepted from any secondary. Specifying
++.B auth-peer
++without
++.B auth-sec-servers
++enables zone transfer but does not advertise the secondary in NS records returned by dnsmasq.
+ .TP
+ .B --conntrack
+ Read the Linux connection track mark associated with incoming DNS
+--- a/src/auth.c
++++ b/src/auth.c
+@@ -436,8 +436,9 @@ size_t answer_auth(struct dns_header *he
+ if (sockaddr_isequal(peer_addr, &peers->addr))
+ break;
+
+- /* Refuse all AXFR unless --auth-sec-servers is set */
+- if ((!peers && daemon->auth_peers) || !daemon->secondary_forward_server)
++ /* Refuse all AXFR unless --auth-sec-servers or auth-peers is set */
++ if ((!daemon->secondary_forward_server && !daemon->auth_peers) ||
++ (daemon->auth_peers && !peers))
+ {
+ if (peer_addr->sa.sa_family == AF_INET)
+ inet_ntop(AF_INET, &peer_addr->in.sin_addr, daemon->addrbuff, ADDRSTRLEN);
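Review bot: The new condition identifies an authorised secondary solely by the query's source address (the `sockaddr_isequal(peer_addr, &peers->addr)` loop just above), which is only a meaningful access control if AXFR is answered over TCP; if this path is reachable for a UDP query the address is trivially spoofable and a single listed peer address lets anyone pull the zone. The hunk does not show where transport is checked, so confirm AXFR is refused for UDP before this point. The comment also names a non-existent option; suggest `/* Refuse all AXFR unless --auth-sec-servers or --auth-peer is set; when --auth-peer is set, only listed peers may transfer. */`. Note the man-page text in this patch still says AXFR is accepted from any secondary when auth-peer is absent, which per this condition is only true when auth-sec-servers is also set. answer_auth starts and ends outside the hunk.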
--- /dev/null
+From 7dcca6c62211e60905e2252a185bede909391877 Mon Sep 17 00:00:00 2001
+From: Geert Stappers <stappers@stappers.nl>
+Date: Sat, 2 Jun 2018 18:54:04 +0100
+Subject: [PATCH 14/17] Warn about the impact of cache-size on performance.
+
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+---
+ man/dnsmasq.8 | 2 +-
+ man/es/dnsmasq.8 | 3 ++-
+ man/fr/dnsmasq.8 | 3 ++-
+ 3 files changed, 5 insertions(+), 3 deletions(-)
+
+--- a/man/dnsmasq.8
++++ b/man/dnsmasq.8
+@@ -692,7 +692,7 @@ will add 1.2.3.0/24 for both IPv4 and IP
+
+ .TP
+ .B \-c, --cache-size=<cachesize>
+-Set the size of dnsmasq's cache. The default is 150 names. Setting the cache size to zero disables caching.
++Set the size of dnsmasq's cache. The default is 150 names. Setting the cache size to zero disables caching. Note: huge cache size impacts performance.
+ .TP
+ .B \-N, --no-negcache
+ Disable negative caching. Negative caching allows dnsmasq to remember
+--- a/man/es/dnsmasq.8
++++ b/man/es/dnsmasq.8
+@@ -478,7 +478,8 @@ la traza reversa dirección-a-nombre.
+ .TP
+ .B \-c, --cache-size=<tamaño de caché>
+ Fijar el tamaño del caché de dnsmasq. El predeterminado es 150 nombres.
+-Fijar el tamaño a cero deshabilita el caché.
++Fijar el tamaño a cero deshabilita el caché. Nota: el gran tamaño de
++caché afecta el rendimiento.
+ .TP
+ .B \-N, --no-negcache
+ Deshabilitar caché negativo. El caché negativo le permite a dnsmasq
+--- a/man/fr/dnsmasq.8
++++ b/man/fr/dnsmasq.8
+@@ -666,7 +666,8 @@ différentes pourraient-être rencontré
+ .TP
+ .B \-c, --cache-size=<taille>
+ Définit la taille du cache de Dnsmasq. La valeur par défaut est de 150 noms.
+-Définir une valeur de zéro désactive le cache.
++Définir une valeur de zéro désactive le cache. Remarque: la taille importante
++du cache a un impact sur les performances.
+ .TP
+ .B \-N, --no-negcache
+ Désactive le "cache négatif". Le "cache négatif" permet à Dnsmasq de se souvenir
--- /dev/null
+From db0f488ea8f5ded7c57400c9108ec3c9367d75c5 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Thu, 7 Jun 2018 21:37:02 +0100
+Subject: [PATCH 15/17] Handle some corner cases in RA contructed interfaces
+ with addresses changing interface.
+
+Thanks to Vladislav Grishenko for work on this.
+
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+---
+ src/dhcp6.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/src/dhcp6.c
++++ b/src/dhcp6.c
+@@ -640,7 +640,7 @@ static int construct_worker(struct in6_a
+ return 0;
+
+ for (template = daemon->dhcp6; template; template = template->next)
+- if (!(template->flags & CONTEXT_TEMPLATE))
++ if (!(template->flags & (CONTEXT_TEMPLATE | CONTEXT_CONSTRUCTED)))
+ {
+ /* non-template entries, just fill in interface and local addresses */
+ if (prefix <= template->prefix &&
+@@ -667,20 +667,23 @@ static int construct_worker(struct in6_a
+ end6 = *local;
+ setaddr6part(&end6, addr6part(&template->end6));
+
+- /* If there's an absolute address context covering this address
+- then don't contruct one as well. */
+ for (context = daemon->dhcp6; context; context = context->next)
+ if (!(context->flags & CONTEXT_TEMPLATE) &&
+ IN6_ARE_ADDR_EQUAL(&start6, &context->start6) &&
+ IN6_ARE_ADDR_EQUAL(&end6, &context->end6))
+ {
+- if (context->flags & CONTEXT_CONSTRUCTED)
++ /* If there's an absolute address context covering this address
++ then don't construct one as well. */
++ if (!(context->flags & CONTEXT_CONSTRUCTED))
++ break;
++
++ if (context->if_index == if_index)
+ {
+ int cflags = context->flags;
+ context->flags &= ~(CONTEXT_GC | CONTEXT_OLD);
+ if (cflags & CONTEXT_OLD)
+ {
+- /* address went, now it's back */
++ /* address went, now it's back, and on the same interface */
+ log_context(AF_INET6, context);
+ /* fast RAs for a while */
+ ra_start_unsolicited(param->now, context);
+@@ -688,9 +691,10 @@ static int construct_worker(struct in6_a
+ /* Add address to name again */
+ if (context->flags & CONTEXT_RA_NAME)
+ param->newname = 1;
++
++ break;
+ }
+ }
+- break;
+ }
+
+ if (!context && (context = whine_malloc(sizeof (struct dhcp_context))))
--- /dev/null
+From 05ff659a3c0d95be6d41fae755243988a1bb3387 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Tue, 12 Jun 2018 16:03:09 +0100
+Subject: [PATCH 16/17] Fix stupid infinite loop introduced by preceding
+ commit.
+
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+---
+ src/dhcp6.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/dhcp6.c
++++ b/src/dhcp6.c
+@@ -692,8 +692,8 @@ static int construct_worker(struct in6_a
+ if (context->flags & CONTEXT_RA_NAME)
+ param->newname = 1;
+
+- break;
+ }
++ break;
+ }
+ }
+
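Review bot: With the break moved, the remaining fall-through — a constructed context whose addresses match but whose `if_index` differs — is silent: the loop simply continues and, if nothing else matches, the `if (!context && (context = whine_malloc(...)))` below builds a fresh context for the new interface, presumably leaving the stale one marked CONTEXT_GC for later removal. Given that the previous commit's misplaced break turned this into an infinite loop, that intent deserves a comment at the `if (context->if_index == if_index)` test: `/* Same prefix already constructed on another interface: keep scanning; a new context is built below and the stale one is left for GC. */`. construct_worker starts and ends outside the hunk, so the GC handling itself is not visible here and should be confirmed.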
--- /dev/null
+From 51e4eeeb04b8dd8510ed267d580751525e77cb77 Mon Sep 17 00:00:00 2001
+From: Paul Maddock <Paul@whitefall.co.uk>
+Date: Tue, 12 Jun 2018 16:37:40 +0100
+Subject: [PATCH 17/17] Fix address-dependent domains for IPv6.
+
+Thanks to Paul Maddock for spotting this.
+It seems to have been broken forever.
+
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+---
+ src/lease.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/lease.c
++++ b/src/lease.c
+@@ -87,7 +87,7 @@ static int read_leases(time_t now, FILE
+ if ((lease = lease6_allocate(&addr.addr.addr6, lease_type)))
+ {
+ lease_set_iaid(lease, strtoul(s, NULL, 10));
+- domain = get_domain6((struct in6_addr *)lease->hwaddr);
++ domain = get_domain6(&lease->addr6);
+ }
+ }
+ #endif
--- /dev/null
+From a997ca0da044719a0ce8a232d14da8b30022592b Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Fri, 29 Jun 2018 14:39:41 +0100
+Subject: [PATCH 18/18] Fix sometimes missing DNSSEC RRs when DNSSEC validation
+ not enabled.
+
+Dnsmasq does pass on the do-bit, and return DNSSEC RRs, irrespective
+of of having DNSSEC validation compiled in or enabled.
+
+The thing to understand here is that the cache does not store all the
+DNSSEC RRs, and dnsmasq doesn't have the (very complex) logic required
+to determine the set of DNSSEC RRs required in an answer. Therefore if
+the client wants the DNSSEC RRs, the query can not be answered from
+the cache. When DNSSEC validation is enabled, any query with the
+do-bit set is never answered from the cache, unless the domain is
+known not to be signed: the query is always forwarded. This ensures
+that the DNSEC RRs are included.
+
+The same thing should be true when DNSSEC validation is not enabled,
+but there's a bug in the logic.
+
+line 1666 of src/rfc1035.c looks like this
+
+ if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !do_bit || !(crecp->flags & F_DNSSECOK))
+
+{ ...answer from cache ... }
+
+So local stuff (hosts, DHCP, ) get answered. If the do_bit is not set
+then the query is answered, and if the domain is known not to be
+signed, the query is answered.
+
+Unfortunately, if DNSSEC validation is not turned on then the
+F_DNSSECOK bit is not valid, and it's always zero, so the question
+always gets answered from the cache, even when the do-bit is set.
+
+This code should look like that at line 1468, dealing with PTR queries
+
+ if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
+ !do_bit ||
+ (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
+
+where the F_DNSSECOK bit is only used when validation is enabled.
+
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+---
+ CHANGELOG | 7 ++++++-
+ src/rfc1035.c | 6 ++++--
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -33,7 +33,12 @@ version 2.80
+ even if auth-sec-servers is not. Thanks to Raphaël Halimi for
+ the suggestion.
+
+-
++ Fix bug which sometimes caused dnsmasq to wrongly return answers
++ without DNSSEC RRs to queries with the do-bit set, but only when
++ DNSSEC validation was not enabled.
++ Thanks to Petr Menšík for spotting this.
++
++
+ version 2.79
+ Fix parsing of CNAME arguments, which are confused by extra spaces.
+ Thanks to Diego Aguirre for spotting the bug.
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -1663,7 +1663,9 @@ size_t answer_request(struct dns_header
+ }
+
+ /* If the client asked for DNSSEC don't use cached data. */
+- if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !do_bit || !(crecp->flags & F_DNSSECOK))
++ if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
++ !do_bit ||
++ (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
+ do
+ {
+ /* don't answer wildcard queries with data not from /etc/hosts
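Review bot: The corrected predicate now appears three times in answer_request — here, in the CNAME branch of the next hunk, and (per the commit message) in the PTR path — and the copies differ only in which local-data flags short-circuit it, so the next fix of this kind will again have to find every site. Factoring it into a small static helper keeps the validation-off subtlety (F_DNSSECOK is never set, so the old test was always true and DO-bit queries were answered from cache without DNSSEC RRs) documented once; the CNAME site then becomes `cache_ok_for_query(crecp, do_bit, F_CONFIG)`. answer_request starts and ends outside the hunk, and the helper belongs at file scope above it.
```c
/* May a cache entry answer this query?  Local data (hosts, DHCP, config)
   always may.  Otherwise a query with the DO bit set must be forwarded so
   the upstream supplies the DNSSEC RRs, unless we are validating and have
   recorded that the name is unsigned.  When validation is off F_DNSSECOK
   is never set, so it must not be consulted. */
static int cache_ok_for_query(struct crec *crecp, int do_bit, unsigned int local_flags)
{
  if ((crecp->flags & local_flags) || !do_bit)
    return 1;
  return option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK);
}

/* … unchanged: answer_request up to the cache lookup … */
	      /* If the client asked for DNSSEC don't use cached data. */
	      if (cache_ok_for_query(crecp, do_bit, F_HOSTS | F_DHCP | F_CONFIG))
```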
+@@ -1747,7 +1749,7 @@ size_t answer_request(struct dns_header
+ {
+ if ((crecp = cache_find_by_name(NULL, name, now, F_CNAME | (dryrun ? F_NO_RR : 0))) &&
+ (qtype == T_CNAME || (crecp->flags & F_CONFIG)) &&
+- ((crecp->flags & F_CONFIG) || !do_bit || !(crecp->flags & F_DNSSECOK)))
++ ((crecp->flags & F_CONFIG) || !do_bit || (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK))))
+ {
+ if (!(crecp->flags & F_DNSSECOK))
+ sec_data = 0;