pkgsrc-Users archive


Re: CVS commit: pkgsrc/net/dnsmasq



New version doesn't work for me.

My config:

no-resolv
server=127.0.0.1#9053
no-poll
interface=lo0
no-dhcp-interface=


2.72 works fine:

$ nslookup www.ya.ru
Server:		127.0.0.1
Address:	127.0.0.1#53

Non-authoritative answer:
Name:	www.ya.ru
Address: 93.158.134.3


2.73 returns REFUSED:

$ nslookup www.ya.ru
Server:		127.0.0.1
Address:	127.0.0.1#53

** server can't find www.ya.ru: REFUSED

I don't have time to investigate right now.

Alex

Filip Hajny wrote:
> Module Name:	pkgsrc
> Committed By:	fhajny
> Date:		Tue Jul 14 09:57:13 UTC 2015
> 
> Modified Files:
> 	pkgsrc/net/dnsmasq: Makefile distinfo
> 	pkgsrc/net/dnsmasq/patches: patch-src_bpf.c
> Removed Files:
> 	pkgsrc/net/dnsmasq/patches: patch-src_rfc1035.c
> 
> Log Message:
> Update net/dnsmasq to 2.73.
> Fix build on SunOS.
> 
> Version 2.73
>   Fix crash at startup when an empty suffix is supplied to
>   --conf-dir, also trivial memory leak. Thanks to
>   Tomas Hozza for spotting this.
> 
>   Remove floor of 4096 on advertised EDNS0 packet size when
>   DNSSEC in use, the original rationale for this has long gone.
>   Thanks to Anders Kaseorg for spotting this.
> 
>   Use inotify for checking on updates to /etc/resolv.conf and
>   friends under Linux. This fixes race conditions when the files are
>   updated rapidly and saves CPU by not polling. To build
>   a binary that runs on old Linux kernels without inotify,
>   use make COPTS=-DNO_INOTIFY
> 
>   Fix breakage of --domain=<domain>,<subnet>,local - only reverse
>   queries were intercepted. This appears to have been broken
>   since 2.69. Thanks to Josh Stone for finding the bug.
> 
>   Eliminate IPv6 privacy addresses and deprecated addresses from
>   the answers given by --interface-name. Note that reverse queries
>   (ie looking for names, given addresses) are not affected.
>   Thanks to Michael Gorbach for the suggestion.
> 
>   Fix crash in DNSSEC code with long RRs. Thanks to Marco Davids
>   for the bug report.
> 
>   Add --ignore-address option. Ignore replies to A-record
>   queries which include the specified address. No error is
>   generated, dnsmasq simply continues to listen for another
>   reply. This is useful to defeat blocking strategies which
>   rely on quickly supplying a forged answer to a DNS
>   request for certain domains, before the correct answer can
>   arrive. Thanks to Glen Huang for the patch.
> 
>   Revisit the part of DNSSEC validation which determines if an
>   unsigned answer is legit, or is in some part of the DNS
>   tree which should be signed. Dnsmasq now works from the
>   DNS root downward looking for the limit of signed
>   delegations, rather than working bottom up. This is
>   both more correct, and less likely to trip over broken
>   nameservers in the unsigned parts of the DNS tree
>   which don't respond well to DNSSEC queries.
> 
>   Add --log-queries=extra option, which makes logs easier
>   to search automatically.
> 
>   Add --min-cache-ttl option. I've resisted this for a long
>   time, on the grounds that disbelieving TTLs is never a
>   good idea, but I've been persuaded that there are
>   sometimes reasons to do it. (Step forward, GFW).
>   To avoid misuse, there's a hard limit on the TTL
>   floor of one hour. Thanks to RinSatsuki for the patch.
> 
>   Cope with multiple interfaces with the same link-local
>   address. (IPv6 addresses are scoped, so this is allowed.)
>   Thanks to Cory Benfield for help with this.
> 
>   Add --dhcp-hostsdir. This allows addition of new host
>   configurations to a running dnsmasq instance much more
>   cheaply than having dnsmasq re-read all its existing
>   configuration each time.
> 
>   Don't reply to DHCPv6 SOLICIT messages if we're not
>   configured to do stateful DHCPv6. Thanks to Win King Wan
>   for the patch.
> 
>   Fix broken DNSSEC validation of ECDSA signatures.
> 
>   Add --dnssec-timestamp option, which provides an automatic
>   way to detect when the system time becomes valid after
>   boot on systems without an RTC, whilst allowing DNS
>   queries before the clock is valid so that NTP can run.
>   Thanks to Kevin Darbyshire-Bryant for developing this idea.
> 
>   Add --tftp-no-fail option. Thanks to Stefan Tomanek for
>   the patch.
> 
>   Fix crash caused by looking up servers.bind, CHAOS text
>   record, when more than about five --servers= lines are
>   in the dnsmasq config. This causes memory corruption
>   which causes a crash later. Thanks to Matt Coddington for
>   sterling work chasing this down.
> 
>   Fix crash on receipt of certain malformed DNS requests.
>   Thanks to Nick Sampanis for spotting the problem.
>   Note that this could allow the dnsmasq process's
>   memory to be read by an attacker under certain
>   circumstances, so it has a CVE, CVE-2015-3294
> 
>   Fix crash in authoritative DNS code, if a .arpa zone
>   is declared as authoritative, and then a PTR query which
>   is not to be treated as authoritative arrived. Normally,
>   directly declaring .arpa zone as authoritative is not
>   done, so this crash wouldn't be seen. Instead the
>   relevant .arpa zone should be specified as a subnet
>   in the auth-zone declaration. Thanks to Johnny S. Lee
>   for the bugreport and initial patch.
> 
>   Fix authoritative DNS code to correctly reply to NS
>   and SOA queries for .arpa zones for which we are
>   declared authoritative by means of a subnet in auth-zone.
>   Previously we provided correct answers to PTR queries
>   in such zones (including NS and SOA) but not direct
>   NS and SOA queries. Thanks to Johnny S. Lee for
>   pointing out the problem.
> 
>   Fix logging of DHCPREPLY which should be suppressed
>   by quiet-dhcp6. Thanks to J. Pablo Abonia for
>   spotting the problem.
> 
>   Try and handle net connections with broken fragmentation
>   that lose large UDP packets. If a server times out,
>   reduce the maximum UDP packet size field in the EDNS0
>   header to 1280 bytes. If it then answers, make that
>   change permanent.
> 
>   Check IPv4-mapped IPv6 addresses when --stop-rebind
>   is active. Thanks to Jordan Milne for spotting this.
> 
>   Allow DHCPv4 options T1 and T2 to be set using --dhcp-option.
>   Thanks to Kevin Benton for patches and work on this.
> 
>   Fix code for DHCPCONFIRM DHCPv6 messages to confirm addresses
>   in the correct subnet, even if not in dynamic address
>   allocation range. Thanks to Steve Hirsch for spotting
>   the problem.
> 
>   Add AddDhcpLease and DeleteDhcpLease DBus methods. Thanks
>   to Nicolas Cavallari for the patch.
> 
>   Allow configuration of router advertisements without the
>   "on-link" bit set. Thanks to Neil Jerram for the patch.
> 
>   Extend --bridge-interface to DHCPv6 and router
>   advertisements. Thanks to Neil Jerram for the patch.
> 
> 
> To generate a diff of this commit:
> cvs rdiff -u -r1.29 -r1.30 pkgsrc/net/dnsmasq/Makefile
> cvs rdiff -u -r1.27 -r1.28 pkgsrc/net/dnsmasq/distinfo
> cvs rdiff -u -r1.5 -r1.6 pkgsrc/net/dnsmasq/patches/patch-src_bpf.c
> cvs rdiff -u -r1.2 -r0 pkgsrc/net/dnsmasq/patches/patch-src_rfc1035.c
> 
> Please note that diffs are not public domain; they are subject to the
> copyright notices on the relevant files.
> 
> 

-- 
Alex

