Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package dnsmasq for openSUSE:Factory checked in at 2026-02-05 17:56:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/dnsmasq (Old) and /work/SRC/openSUSE:Factory/.dnsmasq.new.1670 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dnsmasq" Thu Feb 5 17:56:56 2026 rev:103 rq:1331006 version:2.92 Changes: -------- --- /work/SRC/openSUSE:Factory/dnsmasq/dnsmasq.changes 2025-08-27 21:34:47.730973743 +0200 +++ /work/SRC/openSUSE:Factory/.dnsmasq.new.1670/dnsmasq.changes 2026-02-05 17:57:33.408449606 +0100 @@ -1,0 +2,70 @@ +Sat Jan 24 18:00:51 UTC 2026 - Frank Schreiner <[email protected]> + +- update to 2.92 + * Redesign the interaction between DNSSEC validation and per-domain + servers, specified as --server=/<domain>/<ip-address>. This should + just work in all cases now. If the normal chain-of-trust exists into + the delegated domain then whether the domain is signed or not, DNSSEC + validation will function normally. In the case the delegated domain + is an "overlay" on top of the global DNS and no NS and/or DS records + exist connecting it to the global dns, then if the domain is + unsigned the situation will be handled by synthesising a + proof-of-non-existence-of-DS for the domain and queries will be + answered unvalidated; this action will be logged. A signed domain + without chain-of-trust can be validated if a suitable trust-anchor + is provided using --trust-anchor. This change should be backwards + compatible for all existing working configurations; it extends the + space of possible configurations which are functional. + * Fix a couple of problems with DNSSEC validation and DNAME. One + could cause validation failure on correct domains, and the other + would fail to spot an invalid domain. Thanks to Graham Clinch + for spotting the problem. + * Add --log-queries=auth option to only log replies from the auth DNS + facility. + * Fix some edge-cases with domains and --address and --server. There + has been some regressions with this in previous releases. This change + fixes the priority order from lower to highest as: + --address with a IPv4 or IPv6 address (as long as the query matches the type) + --address with # for all-zeros, as long as the query is A or AAAA) + --address with no address, which returns NXDOMAIN or NOERROR for all types. + --server with address set to # to use the unqualified servers. + --server with matching domain. + --server without domain or from /etc/resolv.conf. + * Fix problems with ipset or nftset and TCP DNS transport. Previously + this was racy, and insertion of addresses could fail on a busy server + when DNS-over-TCP transport was involved. + * DNSSEC validation change for reverse lookups in RFC-1918 ranges and friends. + The large public DNS services seem not to return proof-of-nonexistence + for DS records at the start of RFC-1918 in-addr.arpa domains and the their + IPv6 equivalents. 10.in-addr.arpa, 168.192.in-addr.arpa etc. + Since dnsmasq already has an option which instructs it not bother + upstream servers with pointless queries about these address ranges, + namely --bogus-priv, we extend that to enable behaviour which allows + dnsmasq to assume that insecure NXDOMAIN replies for these domains + are expected and to assume that the domains are legitimately unsigned. + This behaviour only matters when some address range is directed to + another upstream server using --rev-server. In that case it allows + replies from that server to pass DNSSEC validation. Without such a + server configured, queries are never sent upstream so they are never + validated and the new behaviour is moot. + * Add support for leasequery to the dnsmasq DHCPv4 server. + This has to be specifically enabled with the --leasequery option. + Many thanks to JAXPORT, Jacksonville Port Authority for sponsoring + this enhancement to dnsmasq. + * Fix failure to cache PTR RRs when a reply contains more than one answer. + Thanks to Dmitry for spotting this. + * Add TFTP options windowsize (RFC 7440) and timeout (RFC 2349). + * Change the behaviour of the DHCPv6 server when a REBIND message + is received but no lease exists. Under these circumstances a new + lease is created _only_ when the --dhcp-authoritative option is + set. This matches the behavior of the DHCPv4 server. + * Add --dhcp-split-relay option. This makes a DHCPv4 relay which + is functional when client and server networks aren't mutually + route-able. + * Fix failure to add client MAC address to queries in TCP mode. + The options which cause dnsmasq to decorate a DNS query with the MAC + address on the originating client can fail when the query is sent + using TCP. Thanks to Bruno Ravara for spotting and + characterising this bug. + +------------------------------------------------------------------- Old: ---- dnsmasq-2.91.tar.xz dnsmasq-2.91.tar.xz.asc New: ---- dnsmasq-2.92.tar.xz dnsmasq-2.92.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dnsmasq.spec ++++++ --- /var/tmp/diff_new_pack.k3pYwm/_old 2026-02-05 17:57:34.436492779 +0100 +++ /var/tmp/diff_new_pack.k3pYwm/_new 2026-02-05 17:57:34.440492947 +0100 @@ -1,7 +1,7 @@ # # spec file for package dnsmasq # -# Copyright (c) 2025 SUSE LLC +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -27,7 +27,7 @@ %define dnsmasq_group nogroup %endif Name: dnsmasq -Version: 2.91 +Version: 2.92 Release: 0 Summary: DNS Forwarder and DHCP Server License: GPL-2.0-only OR GPL-3.0-only ++++++ dnsmasq-2.91.tar.xz -> dnsmasq-2.92.tar.xz ++++++ ++++ 51070 lines of diff (skipped)
