pkgsrc-Changes archive


CVS commit: pkgsrc/net/dnsmasq



Module Name:    pkgsrc
Committed By:   adam
Date:           Tue Apr  8 09:09:17 UTC 2025

Modified Files:
        pkgsrc/net/dnsmasq: Makefile distinfo

Log Message:
dnsmasq: updated to 2.91

version 2.91

        Fix spurious "resource limit exceeded" messages. Thanks to
        Dominik Derigs for the bug report.

        Fix out-of-bounds heap read in order_qsort().
        We only need to order two server records on the ->serial field.
        Literal address records are smaller and don't have
        this field and don't need to be ordered on it.
        To actually provoke this bug seems to need the same server-literal
        to be repeated twice, e.g., --address=/a/1.1.1.1 --address=/a/1.1.1.1
        which is clearly rare in the wild, but if it did exist it could
        provoke a SIGSEGV. Thanks to Daniel Rhea for fuzzing this one.

        Fix buffer overflow when configured lease-change script name
        is too long.
        Thanks to Daniel Rhea for finding this one.

        Improve behaviour in the face of non-responsive upstream TCP DNS
        servers. Without shorter timeouts, clients are blocked for too long
        and fail with their own timeouts.

        Set --fast-dns-retries by default when doing DNSSEC. A single
        downstream query can trigger many upstream queries. On an
        unreliable network, there may not be enough downstream retries
        to ensure that all these queries complete.

        Improve behaviour in the face of truncated answers to queries
        for DNSSEC records. Getting these answers by TCP doesn't now
        involve a faked truncated answer to the downstream client to
        force it to move to TCP. This improves performance and robustness
        in the face of broken clients which can't fall back to TCP.

        No longer remove data from truncated upstream answers. If an
        upstream replies with a truncated answer, but the answer has some
        RRs included, return those RRs, rather than returning an
        empty answer.

        Fix handling of EDNS0 UDP packet sizes.
        When talking upstream we always add a pseudo header, and set the
        UDP packet size to --edns-packet-max. Answering queries from
        downstream, we get the answer (either from upstream or local
        data). If local data won't fit the advertised size (or 512 if
        there's not an EDNS0 header) return truncated. If upstream
        returns truncated, do likewise. If upstream is OK, but the
        answer is too big for downstream, truncate the answer.

        Modify the behaviour of --synth-domain for IPv6.
        When deriving a domain name from an IPv6 address, an address
        such as 1234:: would become 1234--.example.com, which is
        not legal in IDNA2008. Stop using the :: compression method,
        so 1234:: becomes
        1234-0000-0000-0000-0000-0000-0000-0000.example.com

        Fix broken dhcp-relay on *BSD. Thanks to Harold for finding
        this problem.

        Add --dhcp-option-pxe config. This acts almost exactly like
        --dhcp-option except that the defined option is only sent when
        replying to PXE clients. More importantly, these options are sent
        in reply to PXE clients when dnsmasq is acting in PXE proxy mode. In
        PXE proxy mode, the set of options sent is defined by the PXE standard
        and the normal set of options is not sent. This config allows arbitrary
        options in PXE-proxy replies. A typical use-case is to send option
        175 to iPXE. Thanks to Jason Berry for finding the requirement for
        this.

        Support PXE proxy-DHCP and DHCP-relay at the same time.
        When using PXE proxy-DHCP, dnsmasq supplies PXE information to
        the client, which also talks to another "normal" DHCP server
        for address allocation and similar. The normal DHCP server may
        be on the local network, but it may also be remote, and accessed via
        a DHCP relay. This change allows dnsmasq to act as both a
        PXE proxy-DHCP server AND a DHCP relay for the same network.

        Fix erroneous "DNSSEC validated" state with non-DNSSEC
        upstream servers.  Thanks to Dominik Derigs for the bug report.

        Handle queries with EDNS client subnet fields better. If dnsmasq
        is configured to add an EDNS client subnet to a query, it is careful
        to suppress use of the cache, since a cached answer may not be valid
        for a query with a different client subnet. Extend this behaviour
        to queries which arrive at dnsmasq already carrying an EDNS client
        subnet.

        Handle DS queries to auth zones. When dnsmasq is configured to
        act as an authoritative server and has an authoritative zone
        configured, and receives a query for that zone _as_forwarder_
        it answers the query directly rather than forwarding it. This
        doesn't affect the answer, but it saves dnsmasq forwarding the
        query to the recursor upstream, which then bounces it back to dnsmasq
        in auth mode. The exception should be when the query is for the root
        of the zone, for a DS RR. The answer to that has to come from the parent,
        via the recursor, and will typically be a proof-of-non-existence
        since dnsmasq doesn't support signed zones. This patch suppresses
        local answers and forces forwarding to the upstream recursor for such
        queries. It stops breakage when a DNSSEC validating client makes
        queries to dnsmasq acting as forwarder for a zone for which it is
        authoritative.

        Implement "DNS-0x20 encoding", for extra protection against
        reply-spoof attacks. Since DNS queries are case-insensitive,
        it's possible to randomly flip the case of letters in a query
        and still get the correct answer back.
        This adds an extra dimension for a cache-poisoning attacker
        to guess when sending replies in-the-blind since it's expected
        that the legitimate answer will have the same pattern of upper
        and lower case as the query, so any replies which don't can be
        ignored as malicious. The amount of extra entropy clearly depends
        on the number of a-z and A-Z characters in the query, and this
        implementation puts a hard limit of 32 bits to make resource
        allocation easy. This about doubles entropy over the standard
        random ID and random port combination. This technique can interact
        badly with rare broken DNS servers which don't preserve the case
        of the query in their reply. The first time a reply is returned
        which matches the query in all respects except case, a warning
        will be logged. In this release, 0x20-encoding is default-off
        and must be explicitly enabled with --do-0x20-encoding. In future
        releases it may default on. You can avoid a future release
        changing the behaviour of an installation with --no-0x20-encode.

        Fix a long-standing problem when two queries which are identical
        in every respect _except_ case, get combined by dnsmasq. If
        dnsmasq gets, e.g., two queries for example.com and Example.com
        in quick succession it will get the answer for example.com from
        upstream and send that answer to both requestors. This means that
        the query for Example.com will get an answer for example.com, and
        in the modern DNS, that answer may not be accepted.
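The 0x20 scheme described in the log above, as an added Python illustration that is not dnsmasq's own code: encode_0x20 randomises the case of up to 32 letters of a query name, entropy_bits reports how many bits a given name actually contributes under that cap, and classify_reply performs the check a resolver does on the question echoed back in a reply, separating a valid reply from one that matches only when case is ignored (the situation the log says dnsmasq warns about). The function names, the rand parameter and the sample names are this example's own.

```python
import secrets
from typing import Optional

# Hard cap on case-randomised letters, matching the 32-bit limit in the log above.
MAX_0X20_BITS = 32


def entropy_bits(qname: str, cap: int = MAX_0X20_BITS) -> int:
    """Extra entropy a name can carry: one bit per ASCII letter, capped."""
    letters = sum(1 for c in qname if c.isascii() and c.isalpha())
    return min(cap, letters)


def encode_0x20(qname: str, rand: Optional[int] = None,
                cap: int = MAX_0X20_BITS) -> str:
    """Return qname with the case of its first `cap` letters set by `rand`.

    Bit i of `rand` decides the case of the i-th letter (1 = upper, 0 = lower);
    digits, hyphens and dots are left untouched. `rand` is exposed so the
    encoding is reproducible in tests; a real resolver draws it fresh per query.
    """
    if rand is None:
        rand = secrets.randbits(cap)
    out, bit = [], 0
    for c in qname:
        if c.isascii() and c.isalpha() and bit < cap:
            out.append(c.upper() if (rand >> bit) & 1 else c.lower())
            bit += 1
        else:
            out.append(c)  # beyond the cap or not a letter: keep as-is
    return "".join(out)


def classify_reply(sent_qname: str, reply_qname: str) -> str:
    """Decide what to do with a reply based on the QNAME it echoes back.

    'accept'        exact, case-preserving match: the reply saw our query
    'case-mismatch' same name ignoring case: broken upstream that rewrites
                    case, or a blind spoof that guessed the name but not
                    the case pattern; worth logging, and unsafe to accept
                    without further checks
    'reject'        a different name altogether
    """
    if reply_qname == sent_qname:
        return "accept"
    if reply_qname.lower() == sent_qname.lower():
        return "case-mismatch"
    return "reject"
```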


To generate a diff of this commit:
cvs rdiff -u -r1.51 -r1.52 pkgsrc/net/dnsmasq/Makefile
cvs rdiff -u -r1.49 -r1.50 pkgsrc/net/dnsmasq/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/dnsmasq/Makefile
diff -u pkgsrc/net/dnsmasq/Makefile:1.51 pkgsrc/net/dnsmasq/Makefile:1.52
--- pkgsrc/net/dnsmasq/Makefile:1.51    Sat Feb 17 02:20:26 2024
+++ pkgsrc/net/dnsmasq/Makefile Tue Apr  8 09:09:16 2025
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.51 2024/02/17 02:20:26 adam Exp $
+# $NetBSD: Makefile,v 1.52 2025/04/08 09:09:16 adam Exp $
 
-DISTNAME=      dnsmasq-2.90
+DISTNAME=      dnsmasq-2.91
 CATEGORIES=    net
 MASTER_SITES=  https://thekelleys.org.uk/dnsmasq/
 EXTRACT_SUFX=  .tar.xz
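Review bot: the Makefile hunk is a bare DISTNAME bump, but the log message above records an out-of-bounds heap read in order_qsort() and a buffer overflow on over-long lease-change script names, so this update is a security fix rather than a routine version bump; consider a matching entry in doc/CHANGES and, if the old version is listed, in pkg-vulnerabilities so the 2.90 package is flagged.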

Index: pkgsrc/net/dnsmasq/distinfo
diff -u pkgsrc/net/dnsmasq/distinfo:1.49 pkgsrc/net/dnsmasq/distinfo:1.50
--- pkgsrc/net/dnsmasq/distinfo:1.49    Sat Feb 17 02:20:26 2024
+++ pkgsrc/net/dnsmasq/distinfo Tue Apr  8 09:09:16 2025
@@ -1,7 +1,7 @@
-$NetBSD: distinfo,v 1.49 2024/02/17 02:20:26 adam Exp $
+$NetBSD: distinfo,v 1.50 2025/04/08 09:09:16 adam Exp $
 
-BLAKE2s (dnsmasq-2.90.tar.xz) = 3fded3fc5310c3dd68af5ed02abdadc556aa7ec467dd09e6736279c21ff7d317
-SHA512 (dnsmasq-2.90.tar.xz) = e169de1892f935e219b0f49d90107f95cba42b40bca20bd3c973313c2cd4df58b929af6628cd988419051d81c3b4ccf8e9f816274df7d0840e79f5bf49602442
-Size (dnsmasq-2.90.tar.xz) = 570672 bytes
+BLAKE2s (dnsmasq-2.91.tar.xz) = a86badd4a272826e1124ea2fbb9c60d42c3263800cbacbc6455a0ed9bb6c525f
+SHA512 (dnsmasq-2.91.tar.xz) = d8b062d28f32d0e499e551aeebba75d3ea9f6a5173d78f45292cb1ef28a5d0f7c86982d987fe25c3cee9f139023b1fd023130dddd0dc849fb0cfbd969c3b0c7f
+Size (dnsmasq-2.91.tar.xz) = 576820 bytes
 SHA1 (patch-src_bpf.c) = 4115a5391f57564663bbfc448fbb865c370318a6
 SHA1 (patch-src_dump.c) = e5788d9e3112b1e5b2ef7ce500b0262b95c375c6
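Review bot: the SHA1 lines for patch-src_bpf.c and patch-src_dump.c are unchanged, so the two local patches were not regenerated against the 2.91 tree; since the log above includes "Fix broken dhcp-relay on *BSD", which lands in BSD-specific code near what patch-src_bpf.c touches, confirm that `make patch` still applies both cleanly with no fuzz before the checksums are taken as final.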


