From 02afb350f8b396a7005b72143f9914eaf92584fd3a23deeafc2957d394c1c221 Mon Sep 17 00:00:00 2001 
From: Reinhard Max Date: Thu, 12 Jun 2014 13:39:16 +0000 Subject: [PATCH] Accepting request 236965 from home:dirkmueller:branches:network - license update: GPL-2.0 or GPL-3.0 correct license is dual GPL-2.0 or GPL-3.0; please add COPYING-v3-file to RPM. - update to 2.71: Subtle change to error handling to help DNSSEC validation when servers fail to provide NODATA answers for non-existent DS records. Tweak code which removes DNSSEC records from answers when not required. Fixes broken answers when additional section has real records in it. Thanks to Marco Davids for the bug report. Fix DNSSEC validation of ANY queries. Thanks to Marco Davids for spotting that too. Fix total DNS failure and 100% CPU use if cachesize set to zero, regression introduced in 2.69. Thanks to James Hunt and the Ubuntu crowd for assistance in fixing this. Fix crash, introduced in 2.69, on TCP request when dnsmasq compiled with DNSSEC support, but running without DNSSEC enabled. Thanks to Manish Sing for spotting that one. Fix regression which broke ipset functionality. Thanks to Wang Jian for the bug report. Implement dynamic interface discovery on *BSD. This allows the contructor: syntax to be used in dhcp-range for DHCPv6 on the BSD platform. Thanks to Matthias Andree for valuable research on how to implement this. Fix infinite loop associated with some --bogus-nxdomain configs. Thanks fogobogo for the bug report. Fix missing RA RDNS option with configuration like --dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer OBS-URL: https://build.opensuse.org/request/show/236965 OBS-URL: https://build.opensuse.org/package/show/network/dnsmasq?expand=0&rev=58 --- dnsmasq-2.65.tar.gz | 3 - dnsmasq-2.71.tar.gz | 3 + dnsmasq.changes | 427 ++++++++++++++++++++++++++++++++++++++++++++ dnsmasq.spec | 6 +- group_and_isc.patch | 28 +-- 5 files changed, 450 insertions(+), 17 deletions(-) delete mode 100644 dnsmasq-2.65.tar.gz create mode 100644 dnsmasq-2.71.tar.gz 
diff --git a/dnsmasq-2.65.tar.gz b/dnsmasq-2.65.tar.gz
deleted file mode 100644
index cd02996..0000000
--- a/dnsmasq-2.65.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f5ddf3111b4ec372d0e07bcc036bbe3a4c5a1a68b60c2a1018102a0099bc0740
-size 536832
diff --git a/dnsmasq-2.71.tar.gz b/dnsmasq-2.71.tar.gz
new file mode 100644
index 0000000..c8c0124
--- /dev/null
+++ b/dnsmasq-2.71.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7d8c64f66a396442e01b639df3ea6b4e02ba88cbe206c80be8de68b6841634c4
+size 641092
diff --git a/dnsmasq.changes b/dnsmasq.changes
index 054571f..f405f23 100644
--- a/dnsmasq.changes
+++ b/dnsmasq.changes
@@ -1,3 +1,430 @@ +------------------------------------------------------------------- +Thu Jun 12 08:15:29 UTC 2014 - cdenicolo@suse.com + +- license update: GPL-2.0 or GPL-3.0 + correct license is dual GPL-2.0 or GPL-3.0; please add COPYING-v3-file to + RPM. + +------------------------------------------------------------------- +Wed Jun 11 15:27:24 UTC 2014 - dmueller@suse.com + +- update to 2.71: + Subtle change to error handling to help DNSSEC validation + when servers fail to provide NODATA answers for + non-existent DS records. + + Tweak code which removes DNSSEC records from answers when + not required. Fixes broken answers when additional section + has real records in it. Thanks to Marco Davids for the bug + report. + + Fix DNSSEC validation of ANY queries. Thanks to Marco Davids + for spotting that too. + + Fix total DNS failure and 100% CPU use if cachesize set to zero, + regression introduced in 2.69. Thanks to James Hunt and + the Ubuntu crowd for assistance in fixing this. + + + Fix crash, introduced in 2.69, on TCP request when dnsmasq + compiled with DNSSEC support, but running without DNSSEC + enabled. Thanks to Manish Sing for spotting that one. + + Fix regression which broke ipset functionality. Thanks to + Wang Jian for the bug report. + + + Implement dynamic interface discovery on *BSD. This allows + the contructor: syntax to be used in dhcp-range for DHCPv6 + on the BSD platform. Thanks to Matthias Andree for + valuable research on how to implement this. + + Fix infinite loop associated with some --bogus-nxdomain + configs. Thanks fogobogo for the bug report. + + Fix missing RA RDNS option with configuration like + --dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer + for spotting the problem. + + Add [fd00::] and [fe80::] as special addresses in DHCPv6 + options, analogous to [::]. [fd00::] is replaced with the + actual ULA of the interface on the machine running + dnsmasq, [fe80::] with the link-local address. 
+ Thanks to Tsachi Kimeldorfer for championing this. + + DNSSEC validation and caching. Dnsmasq needs to be + compiled with this enabled, with + + make dnsmasq COPTS=-DHAVE_DNSSEC + + this add dependencies on the nettle crypto library and the + gmp maths library. It's possible to have these linked + statically with + + make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC' + + which bloats the dnsmasq binary, but saves the size of + the shared libraries which are much bigger. + + To enable, DNSSEC, you will need a set of + trust-anchors. Now that the TLDs are signed, this can be + the keys for the root zone, and for convenience they are + included in trust-anchors.conf in the dnsmasq + distribution. You should of course check that these are + legitimate and up-to-date. So, adding + + conf-file=/path/to/trust-anchors.conf + dnssec + + to your config is all thats needed to get things + working. The upstream nameservers have to be DNSSEC-capable + too, of course. Many ISP nameservers aren't, but the + Google public nameservers (8.8.8.8 and 8.8.4.4) are. + When DNSSEC is configured, dnsmasq validates any queries + for domains which are signed. Query results which are + bogus are replaced with SERVFAIL replies, and results + which are correctly signed have the AD bit set. In + addition, and just as importantly, dnsmasq supplies + correct DNSSEC information to clients which are doing + their own validation, and caches DNSKEY, DS and RRSIG + records, which significantly improve the performance of + downstream validators. Setting --log-queries will show + DNSSEC in action. + + If a domain is returned from an upstream nameserver without + DNSSEC signature, dnsmasq by default trusts this. This + means that for unsigned zone (still the majority) there + is effectively no cost for having DNSSEC enabled. Of course + this allows an attacker to replace a signed record with a + false unsigned record. 
This is addressed by the + --dnssec-check-unsigned flag, which instructs dnsmasq + to prove that an unsigned record is legitimate, by finding + a secure proof that the zone containing the record is not + signed. Doing this has costs (typically one or two extra + upstream queries). It also has a nasty failure mode if + dnsmasq's upstream nameservers are not DNSSEC capable. + Without --dnssec-check-unsigned using such an upstream + server will simply result in not queries being validated; + with --dnssec-check-unsigned enabled and a + DNSSEC-ignorant upstream server, _all_ queries will fail. + + Note that DNSSEC requires that the local time is valid and + accurate, if not then DNSSEC validation will fail. NTP + should be running. This presents a problem for routers + without a battery-backed clock. To set the time needs NTP + to do DNS lookups, but lookups will fail until NTP has run. + To address this, there's a flag, --dnssec-no-timecheck + which disables the time checks (only) in DNSSEC. When dnsmasq + is started and the clock is not synced, this flag should + be used. As soon as the clock is synced, SIGHUP dnsmasq. + The SIGHUP clears the cache of partially-validated data and + resets the no-timecheck flag, so that all DNSSEC checks + henceforward will be complete. + + The development of DNSSEC in dnsmasq was started by + Giovanni Bajo, to whom huge thanks are owed. It has been + supported by Comcast, whose techfund grant has allowed for + an invaluable period of full-time work to get it to + a workable state. + + Add --rev-server. Thanks to Dave Taht for suggesting this. + + Add --servers-file. Allows dynamic update of upstream servers + full access to configuration. + + Add --local-service. Accept DNS queries only from hosts + whose address is on a local subnet, ie a subnet for which + an interface exists on the server. This option + only has effect if there are no --interface --except-interface, + --listen-address or --auth-server options. 
It is intended + to be set as a default on installation, to allow + unconfigured installations to be useful but also safe from + being used for DNS amplification attacks. + + Fix crashes in cache_get_cname_target() when dangling CNAMEs + encountered. Thanks to Andy and the rt-n56u project for + find this and helping to chase it down. + + Fix wrong RCODE in authoritative DNS replies to PTR queries. The + correct answer was included, but the RCODE was set to NXDOMAIN. + Thanks to Craig McQueen for spotting this. + + Make statistics available as DNS queries in the .bind TLD as + well as logging them. + + + Use random addresses for DHCPv6 temporary address + allocations, instead of algorithmically determined stable + addresses. + + Fix bug which meant that the DHCPv6 DUID was not available + in DHCP script runs during the lifetime of the dnsmasq + process which created the DUID de-novo. Once the DUID was + created and stored in the lease file and dnsmasq + restarted, this bug disappeared. + + Fix bug introduced in 2.67 which could result in erroneous + NXDOMAIN returns to CNAME queries. + + Fix build failures on MacOS X and openBSD. + + Allow subnet specifications in --auth-zone to be interface + names as well as address literals. This makes it possible + to configure authoritative DNS when local address ranges + are dynamic and works much better than the previous + work-around which exempted contructed DHCP ranges from the + IP address filtering. As a consequence, that work-around + is removed. Under certain circumstances, this change wil + break existing configuration: if you're relying on the + contructed-range exception, you need to change --auth-zone + to specify the same interface as is used to construct your + DHCP ranges, probably with a trailing "/6" like this: + --auth-zone=example.com,eth0/6 to limit the addresses to + IPv6 addresses of eth0. + + Fix problems when advertising deleted IPv6 prefixes. 
If + the prefix is deleted (rather than replaced), it doesn't + get advertised with zero preferred time. Thanks to Tsachi + for the bug report. + + Fix segfault with some locally configured CNAMEs. Thanks + to Andrew Childs for spotting the problem. + + Fix memory leak on re-reading /etc/hosts and friends, + introduced in 2.67. + + Check the arrival interface of incoming DNS and TFTP + requests via IPv6, even in --bind-interfaces mode. This + isn't possible for IPv4 and can generate scary warnings, + but as it's always possible for IPv6 (the API always + exists) then we should do it always. + + Tweak the rules on prefix-lengths in --dhcp-range for + IPv6. The new rule is that the specified prefix length + must be larger than or equal to the prefix length of the + corresponding address on the local interface. + + + Fix crash if upstream server returns SERVFAIL when + --conntrack in use. Thanks to Giacomo Tazzari for finding + this and supplying the patch. + + Repair regression in 2.64. That release stopped sending + lease-time information in the reply to DHCPINFORM + requests, on the correct grounds that it was a standards + violation. However, this broke the dnsmasq-specific + dhcp_lease_time utility. Now, DHCPINFORM returns + lease-time only if it's specifically requested + (maintaining standards) and the dhcp_lease_time utility + has been taught to ask for it (restoring functionality). + + Fix --dhcp-match, --dhcp-vendorclass and --dhcp-userclass + to work with BOOTP and well as DHCP. Thanks to Peter + Korsgaard for spotting the problem. + + Add --synth-domain. Thanks to Vishvananda Ishaya for + suggesting this. + + Fix failure to compile ipset.c if old kernel headers are + in use. Thanks to Eugene Rudoy for pointing this out. + + Handle IPv4 interface-address labels in Linux. These are + often used to emulate the old IP-alias addresses. 
Before, + using --interface=eth0 would service all the addresses of + eth0, including ones configured as aliases, which appear + in ifconfig as eth0:0. Now, only addresses with the label + eth0 are active. This is not backwards compatible: if you + want to continue to bind the aliases too, you need to add + eg. --interface=eth0:0 to the config. + + Fix "failed to set SO_BINDTODEVICE on DHCP socket: Socket + operation on non-socket" error on startup with + configurations which have exactly one --interface option + and do RA but _not_ DHCPv6. Thanks to Trever Adams for the + bug report. + + Generalise --interface-name to cope with IPv6 addresses + and multiple addresses per interface per address family. + + Fix option parsing for --dhcp-host, which was generating a + spurious error when all seven possible items were + included. Thanks to Zhiqiang Wang for the bug report. + + Remove restriction on prefix-length in --auth-zone. Thanks + to Toke Hoiland-Jorgensen for suggesting this. + + Log when the maximum number of concurrent DNS queries is + reached. Thanks to Marcelo Salhab Brogliato for the patch. + + If wildcards are used in --interface, don't assume that + there will only ever be one available interface for DHCP + just because there is one at start-up. More may appear, so + we can't use SO_BINDTODEVICE. Thanks to Natrio for the bug + report. + + Increase timeout/number of retries in TFTP to accomodate + AudioCodes Voice Gateways doing streaming writes to flash. + Thanks to Damian Kaczkowski for spotting the problem. + + Fix crash with empty DHCP string options when adding zero + terminator. Thanks to Patrick McLean for the bug report. + + Allow hostnames to start with a number, as allowed in + RFC-1123. Thanks to Kyle Mestery for the patch. + + Fixes to DHCP FQDN option handling: don't terminate FQDN + if domain not known and allow a FQDN option with blank + name to request that a FQDN option is returned in the + reply. Thanks to Roy Marples for the patch. 
+ + Make --clear-on-reload apply to setting upstream servers + via DBus too. + + When the address which triggered the construction of an + advertised IPv6 prefix disappears, continue to advertise + the prefix for up to 2 hours, with the preferred lifetime + set to zero. This satisfies RFC 6204 4.3 L-13 and makes + things work better if a prefix disappears without being + deprecated first. Thanks to Uwe Schindler for persuasively + arguing for this. + + Fix MAC address enumeration on *BSD. Thanks to Brad Smith + for the bug report. + + Support RFC-4242 information-refresh-time options in the + reply to DHCPv6 information-request. The lease time of the + smallest valid dhcp-range is sent. Thanks to Uwe Schindler + for suggesting this. + + Make --listen-address higher priority than --except-interface + in all circumstances. Thanks to Thomas Hood for the bugreport. + + Provide independent control over which interfaces get TFTP + service. If enable-tftp is given a list of interfaces, then TFTP + is provided on those. Without the list, the previous behaviour + (provide TFTP to the same interfaces we provide DHCP to) + is retained. Thanks to Lonnie Abelbeck for the suggestion. + + Add --dhcp-relay config option. Many thanks to vtsl.net + for sponsoring this development. + + Fix crash with empty tag: in --dhcp-range. Thanks to + Kaspar Schleiser for the bug report. + + Add "baseline" and "bloatcheck" makefile targets, for + revealing size changes during development. Thanks to + Vladislav Grishenko for the patch. + + Cope with DHCPv6 clients which send REQUESTs without + address options - treat them as SOLICIT with rapid commit. + + Support identification of clients by MAC address in + DHCPv6. When using a relay, the relay must support RFC + 6939 for this to work. It always works for directly + connected clients. Thanks to Vladislav Grishenko + for prompting this feature. 
+ + Remove the rule for constructed DHCP ranges that the local + address must be either the first or last address in the + range. This was originally to avoid SLAAC addresses, but + we now explicitly autoconfig and privacy addresses instead. + + Update Polish translation. Thanks to Jan Psota. + + Fix problem in DHCPv6 vendorclass/userclass matching + code. Thanks to Tanguy Bouzeloc for the patch. + + Update Spanish transalation. Thanks to Vicente Soriano. + + Add --ra-param option. Thanks to Vladislav Grishenko for + inspiration on this. + + Add --add-subnet configuration, to tell upstream DNS + servers where the original client is. Thanks to DNSthingy + for sponsoring this feature. + + Add --quiet-dhcp, --quiet-dhcp6 and --quiet-ra. Thanks to + Kevin Darbyshire-Bryant for the initial patch. + + Allow A/AAAA records created by --interface-name to be the + target of --cname. Thanks to Hadmut Danisch for the + suggestion. + + Avoid treating a --dhcp-host which has an IPv6 address + as eligable for use with DHCPv4 on the grounds that it has + no address, and vice-versa. Thanks to Yury Konovalov for + spotting the problem. + + Do a better job caching dangling CNAMEs. Thanks to Yves + Dorfsman for spotting the problem. + + + Add the ability to act as an authoritative DNS + server. Dnsmasq can now answer queries from the wider 'net + with local data, as long as the correct NS records are set + up. Only local data is provided, to avoid creating an open + DNS relay. Zone transfer is supported, to allow secondary + servers to be configured. + + Add "constructed DHCP ranges" for DHCPv6. This is intended + for IPv6 routers which get prefixes dynamically via prefix + delegation. With suitable configuration, stateful DHCPv6 + and RA can happen automatically as prefixes are delegated + and then deprecated, without having to re-write the + dnsmasq configuration file or restart the daemon. Thanks to + Steven Barth for extensive testing and development work on + this idea. 
+ + Fix crash on startup on Solaris 11. Regression probably + introduced in 2.61. Thanks to Geoff Johnstone for the + patch. + + Add code to make behaviour for TCP DNS requests that same + as for UDP requests, when a request arrives for an allowed + address, but via a banned interface. This change is only + active on Linux, since the relevant API is missing (AFAIK) + on other platforms. Many thanks to Tomas Hozza for + spotting the problem, and doing invaluable discovery of + the obscure and undocumented API required for the solution. + + Don't send the default DHCP option advertising dnsmasq as + the local DNS server if dnsmasq is configured to not act + as DNS server, or it's configured to a non-standard port. + + Add DNSMASQ_CIRCUIT_ID, DNSMASQ_SUBCRIBER_ID, + DNSMASQ_REMOTE_ID variables to the environment of the + lease-change script (and the corresponding Lua). These hold + information inserted into the DHCP request by a DHCP relay + agent. Thanks to Lakefield Communications for providing a + bounty for this addition. + + Fixed crash, introduced in 2.64, whilst handling DHCPv6 + information-requests with some common configurations. + Thanks to Robert M. Albrecht for the bug report and + chasing the problem. + + Add --ipset option. Thanks to Jason A. Donenfeld for the + patch. + + Don't erroneously reject some option names in --dhcp-match + options. Thanks to Benedikt Hochstrasser for the bug report. + + Allow a trailing '*' wildcard in all interface-name + configurations. Thanks to Christian Parpart for the patch. + + Handle the situation where libc headers define + SO_REUSEPORT, but the kernel in use doesn't, to cope with + the introduction of this option to Linux. Thanks to Rich + Felker for the bug report. + + Update Polish translation. Thanks to Jan Psota. + + Fix crash if the configured DHCP lease limit is + reached. Regression occurred in 2.61. Thanks to Tsachi for + the bug report. + + Update the French translation. Thanks to Gildas le Nadan. 
+
 -------------------------------------------------------------------
 Wed Mar 26 16:56:34 UTC 2014 - crrodriguez@opensuse.org
diff --git a/dnsmasq.spec b/dnsmasq.spec
index 49d5018..f674c2b 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -18,9 +18,9 @@ Name: dnsmasq
 Summary: Lightweight, Easy-to-Configure DNS Forwarder and DHCP Server
-License: GPL-2.0
+License: GPL-2.0 or GPL-3.0
 Group: Productivity/Networking/DNS/Servers
-Version: 2.65
+Version: 2.71
 Release: 0
 Provides: dns_daemon
 PreReq: /usr/sbin/useradd /bin/mkdir
@@ -119,7 +119,7 @@ rm contrib/wrt/{dhcp_release,dhcp_lease_time}
 %files -f %{name}.lang
 %defattr(-,root,root)
-%doc CHANGELOG COPYING FAQ doc.html setup.html dnsmasq.conf.example contrib README.SUSE dbus
+%doc CHANGELOG COPYING COPYING-v3 FAQ doc.html setup.html dnsmasq.conf.example contrib README.SUSE dbus
 %config(noreplace) %{_sysconfdir}/dnsmasq.conf
 %{_sbindir}/dnsmasq
 %{_sbindir}/rcdnsmasq
diff --git a/group_and_isc.patch b/group_and_isc.patch
index fe76f8a..b9a5522 100644
--- a/group_and_isc.patch
+++ b/group_and_isc.patch
@@ -4,8 +4,10 @@
 src/config.h | 6 +++---
 3 files changed, 6 insertions(+), 5 deletions(-)
---- a/Makefile
-+++ b/Makefile
+Index: dnsmasq-2.71/Makefile
+===================================================================
+--- dnsmasq-2.71.orig/Makefile
++++ dnsmasq-2.71/Makefile
 @@ -18,7 +18,7 @@
 # Variables you may well want to override.
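Review bot: The refreshed headers in this hunk replace the version-agnostic `--- a/Makefile` / `+++ b/Makefile` lines with `Index: dnsmasq-2.71/Makefile`, `--- dnsmasq-2.71.orig/Makefile` and `+++ dnsmasq-2.71/Makefile`, which hard-codes the 2.71 directory name into the patch; the man/dnsmasq.8 and src/config.h headers in the following hunks do the same. Both forms apply with `-p1`, but the versioned paths look stale at the next update even when the hunks themselves still apply, and the `===` separator lines add noise to every future refresh. Only the `@@` offsets actually needed updating here, so keeping the `a/` and `b/` prefixes would have kept this refresh to a minimal, easier-to-review diff. The inner Makefile hunk that starts at `@@ -18,7 +18,7 @@` continues past the end of this hunk.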
@@ -15,18 +17,20 @@
 BINDIR = $(PREFIX)/sbin
 MANDIR = $(PREFIX)/share/man
 LOCALEDIR = $(PREFIX)/share/locale
-@@ -127,7 +127,7 @@ $(objs:.o=.c) $(hdrs):
+@@ -150,7 +150,7 @@ $(objs:.o=.c) $(hdrs):
 $(CC) $(CFLAGS) $(COPTS) $(i18n) $(build_cflags) $(RPM_OPT_FLAGS) -c $<
- dnsmasq : .configured $(hdrs) $(objs)
+ dnsmasq : .configured $(hdrs) $(objs)
 - $(CC) $(LDFLAGS) -o $@ $(objs) $(build_libs) $(LIBS)
 + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(objs) $(build_libs) $(LIBS)
 dnsmasq.pot : $(objs:.o=.c) $(hdrs)
 $(XGETTEXT) -d dnsmasq --foreign-user --omit-header --keyword=_ -o $@ -i $(objs:.o=.c)
---- a/man/dnsmasq.8
-+++ b/man/dnsmasq.8
-@@ -125,6 +125,7 @@ can be over-ridden with this switch.
+Index: dnsmasq-2.71/man/dnsmasq.8
+===================================================================
+--- dnsmasq-2.71.orig/man/dnsmasq.8
++++ dnsmasq-2.71/man/dnsmasq.8
+@@ -135,6 +135,7 @@ can be over-ridden with this switch.
 Specify the group which dnsmasq will run as. The defaults to "dip", if
 available, to facilitate access to /etc/ppp/resolv.conf which is not
 normally world readable.
@@ -34,9 +38,11 @@
 .TP
 .B \-v, --version
 Print the version number.
---- a/src/config.h
-+++ b/src/config.h
-@@ -24,7 +24,7 @@
+Index: dnsmasq-2.71/src/config.h
+===================================================================
+--- dnsmasq-2.71.orig/src/config.h
++++ dnsmasq-2.71/src/config.h
+@@ -25,7 +25,7 @@
 #define FORWARD_TIME 20 /* or 20 seconds */
 #define RANDOM_SOCKS 64 /* max simultaneous random ports */
 #define LEASE_RETRY 60 /* on error, retry writing leasefile after LEASE_RETRY seconds */
@@ -45,7 +51,7 @@
 #define MAXLEASES 1000 /* maximum number of DHCP leases */
 #define PING_WAIT 3 /* wait for ping address-in-use test */
 #define PING_CACHE_TIME 30 /* Ping test assumed to be valid this long. */
-@@ -34,8 +34,8 @@
+@@ -36,8 +36,8 @@
 #define HOSTSFILE "/etc/hosts"
 #define ETHERSFILE "/etc/ethers"
 #define DEFLEASE 3600 /* default lease time, 1 hour */