path: root/CHANGELOG
Diffstat (limited to 'CHANGELOG')
-rw-r--r-- CHANGELOG 183
1 files changed, 183 insertions, 0 deletions
diff --git a/CHANGELOG b/CHANGELOG
index b32d95d..e6a2231 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,186 @@
+version 2.82
+ Improve behaviour in the face of network interfaces which come
+ and go and change index. Thanks to Petr Mensik for the patch.
+
+ Convert hard startup failure on NETLINK_NO_ENOBUFS under qemu-user
+ to a warning.
+
+ Allow IPv6 addresses ofthe form [::ffff:1.2.3.4] in --dhcp-option.
+
+ Fix crash under heavy TCP connection load introduced in 2.81.
+ Thanks to Frank for good work chasing this down.
+
+ Change default lease time for DHCPv6 to one day.
+
+ Alter calculation of preferred and valid times in router
+ advertisements, so that these do not have a floor applied
+ of the lease time in the dhcp-range if this is not explicitly
+ specified and is merely the default.
+ Thanks to Martin-Éric Racine for suggestions on this.
+
+
+version 2.81
+ Improve cache behaviour for TCP connections. For ease of
+ implementation, dnsmasq has always forked a new process to handle
+ each incoming TCP connection. A side-effect of this is that
+ any DNS queries answered from TCP connections are not cached:
+ when TCP connections were rare, this was not a problem.
+ With the coming of DNSSEC, it is now the case that some
+ DNSSEC queries have answers which spill to TCP, and if,
+ for instance, this applies to the keys for the root, then
+ those never get cached, and performance is very bad.
+ This fix passes cache entries back from the TCP child process to
+ the main server process, and fixes the problem.
+
+ Remove the NO_FORK compile-time option, and support for uclinux.
+ In an era where everything has an MMU, this looks like
+ an anachronism, and it adds to (Ok, multiplies!) the
+ combinatorial explosion of compile-time options. Thanks to
+ Kevin Darbyshire-Bryant for the patch.
+
+ Fix line-counting when reading /etc/hosts and friends; for
+ correct error messages. Thanks to Christian Rosentreter
+ for reporting this.
+
+ Fix bug in DNS non-terminal code, added in 2.80, which could
+ sometimes cause a NODATA rather than an NXDOMAIN reply.
+ Thanks to Norman Rasmussen, Sven Mueller and Maciej Żenczykowski
+ for spotting and diagnosing the bug and providing patches.
+
+ Support TCP-fastopen (RFC-7413) on both incoming and
+ outgoing TCP connections, if supported and enabled in the OS.
+
+ Improve kernel-capability manipulation code under Linux. Dnsmasq
+ now fails early if a required capability is not available, and
+ tries not to request capabilities not required by its
+ configuration.
+
+ Add --shared-network config. This enables allocation of addresses
+ by the DHCP server in subnets where the server (or relay) does not
+ have an interface on the network in that subnet. Many thanks to
+ kamp.de for sponsoring this feature.
+
+ Fix broken contrib/lease_tools/dhcp_lease_time.c. A packet
+ validation check got borked in commit 2b38e382 and release 2.80.
+ Thanks to Tomasz Szajner for spotting this.
+
+ Fix compilation against nettle version 3.5 and later.
+
+ Fix spurious DNSSEC validation failures when the auth section
+ of a reply contains unsigned RRs from a signed zone,
+ with the exception that NSEC and NSEC3 RRs must always be signed.
+ Thanks to Tore Anderson for spotting and diagnosing the bug.
+
+ Add --dhcp-ignore-clid. This disables reading of DHCP client
+ identifier option (option 61), so clients are only identified by
+ MAC addresses.
+
+ Fix a bug which stopped --dhcp-name-match from working when a hostname
+ is supplied in --dhcp-host. Thanks to James Feeney for spotting this.
+
+ Fix bug which caused very rarely caused zero-length DHCPv6 packets.
+ Thanks to Dereck Higgins for spotting this.
+
+ Add --tftp-single-port option.
+
+ Enhance --conf-dir to load files in a deterministic order. Thanks to
+ Evgenii Seliavka for the suggestion and initial patch.
+
+ In the router advert code, handle case where we have two
+ different interfaces on the same IPv6 net, and we are doing
+ RA/DHCP service on only one of them. Thanks to NIIBE Yutaka
+ for spotting this case and making the initial patch.
+
+ Support prefixed ranges of ipv6 addresses in dhcp-host.
+ This eases problems chain-netbooting, where each link in the
+ chain requests an address using a different UID. With a single
+ address, only one gets the "static" address, but with this
+ fix, enough addresses can be reserved for all the stages of the
+ boot. Many thanks to Harald Jensås for his work on this idea and
+ earlier patches.
+
+ Add filtering by tag of --dhcp-host directives. Based on a patch
+ by Harald Jensås.
+
+ Allow empty server spec in --rev-server, to match --server.
+
+ Remove DSA signature verification from DNSSEC, as specified in
+ RFC 8624. Thanks to Loganaden Velvindron for the original patch.
+
+ Add --script-on-renewal option.
+
+
+version 2.80
+ Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method
+ for the initial patch and motivation.
+
+ Alter the default for dnssec-check-unsigned. Versions of
+ dnsmasq prior to 2.80 defaulted to not checking unsigned
+ replies, and used --dnssec-check-unsigned to switch
+ this on. Such configurations will continue to work as before,
+ but those which used the default of no checking will need to be
+ altered to explicitly select no checking. The new default is
+ because switching off checking for unsigned replies is
+ inherently dangerous. Not only does it open the possiblity of forged
+ replies, but it allows everything to appear to be working even
+ when the upstream namesevers do not support DNSSEC, and in this
+ case no DNSSEC validation at all is occuring.
+
+ Fix DHCP broken-ness when --no-ping AND --dhcp-sequential-ip
+ are set. Thanks to Daniel Miess for help with this.
+
+ Add a facilty to store DNS packets sent/recieved in a
+ pcap-format file for later debugging. The file location
+ is given by the --dumpfile option, and a bitmap controlling
+ which packets should be dumped is given by the --dumpmask
+ option.
+
+ Handle the case of both standard and constructed dhcp-ranges on the
+ same interface better. We don't now contruct a dhcp-range if there's
+ already one specified. This allows the specified interface to
+ have different parameters and avoids advertising the same
+ prefix twice. Thanks to Luis Marsano for spotting this case.
+
+ Allow zone transfer in authoritative mode if auth-peer is specified,
+ even if auth-sec-servers is not. Thanks to Raphaël Halimi for
+ the suggestion.
+
+ Fix bug which sometimes caused dnsmasq to wrongly return answers
+ without DNSSEC RRs to queries with the do-bit set, but only when
+ DNSSEC validation was not enabled.
+ Thanks to Petr Menšík for spotting this.
+
+ Fix missing fatal errors with some malformed options
+ (server, local, address, rebind-domain-ok, ipset, alias).
+ Thanks to Eugene Lozovoy for spotting the problem.
+
+ Fix crash on startup with a --synth-domain which has no prefix.
+ Introduced in 2.79. Thanks to Andreas Engel for the bug report.
+
+ Fix missing EDNS0 section in some replies generated by local
+ DNS configuration which confused systemd-resolvd. Thanks to
+ Steve Dodd for characterising the problem.
+
+ Add --dhcp-name-match config option.
+
+ Add --caa-record config option.
+
+ Implement --address=/example.com/# as (more efficient) syntactic
+ sugar for --address=/example.com/0.0.0.0 and
+ --address=/example.com/::
+ Returning null addresses is a useful technique for ad-blocking.
+ Thanks to Peter Russell for the suggestion.
+
+ Change anti cache-snooping behaviour with queries with the
+ recursion-desired bit unset. Instead to returning SERVFAIL, we
+ now always forward, and never answer from the cache. This
+ allows "dig +trace" command to work.
+
+ Include in the example config file a formulation which
+ stops DHCP clients from claiming the DNS name "wpad".
+ This is a fix for the CERT Vulnerability VU#598349.
+
+
version 2.79
Fix parsing of CNAME arguments, which are confused by extra spaces.
Thanks to Diego Aguirre for spotting the bug.
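
Review bot: The version 2.80 entry on dnssec-check-unsigned says configurations that relied on the old default "will need to be altered to explicitly select no checking", but it never gives the option syntax that does this, so someone upgrading across this security-relevant default change cannot act on the changelog alone; please add the exact form to the entry. In the same entry, "Such configurations will continue to work as before" would be clearer if it named the configurations meant, i.e. those that already set --dnssec-check-unsigned. The added lines also need a spelling pass: "ofthe" (2.82), "caused very rarely caused" (2.81), and in 2.80 "possiblity", "namesevers", "occuring", "facilty", "recieved", "contruct", "Instead to returning" and "systemd-resolvd" (the daemon is systemd-resolved). The credits "Petr Mensik" (2.82) and "Petr Menšík" (2.80) should use one spelling.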