Hello community,

here is the log from the commit of package dnsmasq for openSUSE:Factory checked in at 2014-06-19 13:19:46
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/dnsmasq (Old)
 and /work/SRC/openSUSE:Factory/.dnsmasq.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dnsmasq" Changes: -------- --- /work/SRC/openSUSE:Factory/dnsmasq/dnsmasq.changes 2014-03-28 12:10:12.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.dnsmasq.new/dnsmasq.changes 2014-06-19 13:19:48.000000000 +0200 
@@ -1,0 +2,427 @@ +Thu Jun 12 08:15:29 UTC 2014 - cdenic...@suse.com + +- license update: GPL-2.0 or GPL-3.0 + correct license is dual GPL-2.0 or GPL-3.0; please add COPYING-v3-file to + RPM. + +------------------------------------------------------------------- +Wed Jun 11 15:27:24 UTC 2014 - dmuel...@suse.com + +- update to 2.71: + Subtle change to error handling to help DNSSEC validation + when servers fail to provide NODATA answers for + non-existent DS records. + + Tweak code which removes DNSSEC records from answers when + not required. Fixes broken answers when additional section + has real records in it. Thanks to Marco Davids for the bug + report. + + Fix DNSSEC validation of ANY queries. Thanks to Marco Davids + for spotting that too. + + Fix total DNS failure and 100% CPU use if cachesize set to zero, + regression introduced in 2.69. Thanks to James Hunt and + the Ubuntu crowd for assistance in fixing this. + + + Fix crash, introduced in 2.69, on TCP request when dnsmasq + compiled with DNSSEC support, but running without DNSSEC + enabled. Thanks to Manish Sing for spotting that one. + + Fix regression which broke ipset functionality. Thanks to + Wang Jian for the bug report. + + + Implement dynamic interface discovery on *BSD. This allows + the contructor: syntax to be used in dhcp-range for DHCPv6 + on the BSD platform. Thanks to Matthias Andree for + valuable research on how to implement this. + + Fix infinite loop associated with some --bogus-nxdomain + configs. Thanks fogobogo for the bug report. + + Fix missing RA RDNS option with configuration like + --dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer + for spotting the problem. + + Add [fd00::] and [fe80::] as special addresses in DHCPv6 + options, analogous to [::]. [fd00::] is replaced with the + actual ULA of the interface on the machine running + dnsmasq, [fe80::] with the link-local address. + Thanks to Tsachi Kimeldorfer for championing this. + + DNSSEC validation and caching. 
Dnsmasq needs to be + compiled with this enabled, with + + make dnsmasq COPTS=-DHAVE_DNSSEC + + this add dependencies on the nettle crypto library and the + gmp maths library. It's possible to have these linked + statically with + + make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC' + + which bloats the dnsmasq binary, but saves the size of + the shared libraries which are much bigger. + + To enable, DNSSEC, you will need a set of + trust-anchors. Now that the TLDs are signed, this can be + the keys for the root zone, and for convenience they are + included in trust-anchors.conf in the dnsmasq + distribution. You should of course check that these are + legitimate and up-to-date. So, adding + + conf-file=/path/to/trust-anchors.conf + dnssec + + to your config is all thats needed to get things + working. The upstream nameservers have to be DNSSEC-capable + too, of course. Many ISP nameservers aren't, but the + Google public nameservers (8.8.8.8 and 8.8.4.4) are. + When DNSSEC is configured, dnsmasq validates any queries + for domains which are signed. Query results which are + bogus are replaced with SERVFAIL replies, and results + which are correctly signed have the AD bit set. In + addition, and just as importantly, dnsmasq supplies + correct DNSSEC information to clients which are doing + their own validation, and caches DNSKEY, DS and RRSIG + records, which significantly improve the performance of + downstream validators. Setting --log-queries will show + DNSSEC in action. + + If a domain is returned from an upstream nameserver without + DNSSEC signature, dnsmasq by default trusts this. This + means that for unsigned zone (still the majority) there + is effectively no cost for having DNSSEC enabled. Of course + this allows an attacker to replace a signed record with a + false unsigned record. 
This is addressed by the + --dnssec-check-unsigned flag, which instructs dnsmasq + to prove that an unsigned record is legitimate, by finding + a secure proof that the zone containing the record is not + signed. Doing this has costs (typically one or two extra + upstream queries). It also has a nasty failure mode if + dnsmasq's upstream nameservers are not DNSSEC capable. + Without --dnssec-check-unsigned using such an upstream + server will simply result in not queries being validated; + with --dnssec-check-unsigned enabled and a + DNSSEC-ignorant upstream server, _all_ queries will fail. + + Note that DNSSEC requires that the local time is valid and + accurate, if not then DNSSEC validation will fail. NTP + should be running. This presents a problem for routers + without a battery-backed clock. To set the time needs NTP + to do DNS lookups, but lookups will fail until NTP has run. + To address this, there's a flag, --dnssec-no-timecheck + which disables the time checks (only) in DNSSEC. When dnsmasq + is started and the clock is not synced, this flag should + be used. As soon as the clock is synced, SIGHUP dnsmasq. + The SIGHUP clears the cache of partially-validated data and + resets the no-timecheck flag, so that all DNSSEC checks + henceforward will be complete. + + The development of DNSSEC in dnsmasq was started by + Giovanni Bajo, to whom huge thanks are owed. It has been + supported by Comcast, whose techfund grant has allowed for + an invaluable period of full-time work to get it to + a workable state. + + Add --rev-server. Thanks to Dave Taht for suggesting this. + + Add --servers-file. Allows dynamic update of upstream servers + full access to configuration. + + Add --local-service. Accept DNS queries only from hosts + whose address is on a local subnet, ie a subnet for which + an interface exists on the server. This option + only has effect if there are no --interface --except-interface, + --listen-address or --auth-server options. 
It is intended + to be set as a default on installation, to allow + unconfigured installations to be useful but also safe from + being used for DNS amplification attacks. + + Fix crashes in cache_get_cname_target() when dangling CNAMEs + encountered. Thanks to Andy and the rt-n56u project for + find this and helping to chase it down. + + Fix wrong RCODE in authoritative DNS replies to PTR queries. The + correct answer was included, but the RCODE was set to NXDOMAIN. + Thanks to Craig McQueen for spotting this. + + Make statistics available as DNS queries in the .bind TLD as + well as logging them. + + + Use random addresses for DHCPv6 temporary address + allocations, instead of algorithmically determined stable + addresses. + + Fix bug which meant that the DHCPv6 DUID was not available + in DHCP script runs during the lifetime of the dnsmasq + process which created the DUID de-novo. Once the DUID was + created and stored in the lease file and dnsmasq + restarted, this bug disappeared. + + Fix bug introduced in 2.67 which could result in erroneous + NXDOMAIN returns to CNAME queries. + + Fix build failures on MacOS X and openBSD. + + Allow subnet specifications in --auth-zone to be interface + names as well as address literals. This makes it possible + to configure authoritative DNS when local address ranges + are dynamic and works much better than the previous + work-around which exempted contructed DHCP ranges from the + IP address filtering. As a consequence, that work-around + is removed. Under certain circumstances, this change wil + break existing configuration: if you're relying on the + contructed-range exception, you need to change --auth-zone + to specify the same interface as is used to construct your + DHCP ranges, probably with a trailing "/6" like this: + --auth-zone=example.com,eth0/6 to limit the addresses to + IPv6 addresses of eth0. + + Fix problems when advertising deleted IPv6 prefixes. 
If + the prefix is deleted (rather than replaced), it doesn't + get advertised with zero preferred time. Thanks to Tsachi + for the bug report. + + Fix segfault with some locally configured CNAMEs. Thanks + to Andrew Childs for spotting the problem. + + Fix memory leak on re-reading /etc/hosts and friends, + introduced in 2.67. + + Check the arrival interface of incoming DNS and TFTP + requests via IPv6, even in --bind-interfaces mode. This + isn't possible for IPv4 and can generate scary warnings, ++++ 230 more lines (skipped) ++++ between /work/SRC/openSUSE:Factory/dnsmasq/dnsmasq.changes ++++ and /work/SRC/openSUSE:Factory/.dnsmasq.new/dnsmasq.changes Old: ---- dnsmasq-2.65.tar.gz New: ---- dnsmasq-2.71.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dnsmasq.spec ++++++ --- /var/tmp/diff_new_pack.4oFrMD/_old 2014-06-19 13:19:49.000000000 +0200 +++ /var/tmp/diff_new_pack.4oFrMD/_new 2014-06-19 13:19:49.000000000 +0200 @@ -18,9 +18,9 @@ Name: dnsmasq Summary: Lightweight, Easy-to-Configure DNS Forwarder and DHCP Server -License: GPL-2.0 +License: GPL-2.0 or GPL-3.0 Group: Productivity/Networking/DNS/Servers -Version: 2.65 +Version: 2.71 Release: 0 Provides: dns_daemon PreReq: /usr/sbin/useradd /bin/mkdir @@ -119,7 +119,7 @@ %files -f %{name}.lang %defattr(-,root,root) -%doc CHANGELOG COPYING FAQ doc.html setup.html dnsmasq.conf.example contrib README.SUSE dbus +%doc CHANGELOG COPYING COPYING-v3 FAQ doc.html setup.html dnsmasq.conf.example contrib README.SUSE dbus %config(noreplace) %{_sysconfdir}/dnsmasq.conf %{_sbindir}/dnsmasq %{_sbindir}/rcdnsmasq ++++++ dnsmasq-2.65.tar.gz -> dnsmasq-2.71.tar.gz ++++++ ++++ 47147 lines of diff (skipped) ++++++ group_and_isc.patch ++++++ --- /var/tmp/diff_new_pack.4oFrMD/_old 2014-06-19 13:19:50.000000000 +0200 +++ /var/tmp/diff_new_pack.4oFrMD/_new 2014-06-19 13:19:50.000000000 +0200 
@@ -4,8 +4,10 @@ src/config.h | 6 +++--- 3 files changed, 6 insertions(+), 5 deletions(-) ---- a/Makefile -+++ b/Makefile +Index: dnsmasq-2.71/Makefile +=================================================================== +--- dnsmasq-2.71.orig/Makefile ++++ dnsmasq-2.71/Makefile @@ -18,7 +18,7 @@ # Variables you may well want to override. @@ -15,18 +17,20 @@ BINDIR = $(PREFIX)/sbin MANDIR = $(PREFIX)/share/man LOCALEDIR = $(PREFIX)/share/locale -@@ -127,7 +127,7 @@ $(objs:.o=.c) $(hdrs): +@@ -150,7 +150,7 @@ $(objs:.o=.c) $(hdrs): $(CC) $(CFLAGS) $(COPTS) $(i18n) $(build_cflags) $(RPM_OPT_FLAGS) -c $< - dnsmasq : .configured $(hdrs) $(objs) + dnsmasq : .configured $(hdrs) $(objs) - $(CC) $(LDFLAGS) -o $@ $(objs) $(build_libs) $(LIBS) + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(objs) $(build_libs) $(LIBS) dnsmasq.pot : $(objs:.o=.c) $(hdrs) $(XGETTEXT) -d dnsmasq --foreign-user --omit-header --keyword=_ -o $@ -i $(objs:.o=.c) ---- a/man/dnsmasq.8 -+++ b/man/dnsmasq.8 -@@ -125,6 +125,7 @@ can be over-ridden with this switch. +Index: dnsmasq-2.71/man/dnsmasq.8 +=================================================================== +--- dnsmasq-2.71.orig/man/dnsmasq.8 ++++ dnsmasq-2.71/man/dnsmasq.8 +@@ -135,6 +135,7 @@ can be over-ridden with this switch. Specify the group which dnsmasq will run as. The defaults to "dip", if available, to facilitate access to /etc/ppp/resolv.conf which is not normally world readable. @@ -34,9 +38,11 @@ .TP .B \-v, --version Print the version number. ---- a/src/config.h -+++ b/src/config.h -@@ -24,7 +24,7 @@ +Index: dnsmasq-2.71/src/config.h +=================================================================== +--- dnsmasq-2.71.orig/src/config.h ++++ dnsmasq-2.71/src/config.h +@@ -25,7 +25,7 @@ #define FORWARD_TIME 20 /* or 20 seconds */ #define RANDOM_SOCKS 64 /* max simultaneous random ports */ #define LEASE_RETRY 60 /* on error, retry writing leasefile after LEASE_RETRY seconds */ 
@@ -45,7 +51,7 @@ #define MAXLEASES 1000 /* maximum number of DHCP leases */ #define PING_WAIT 3 /* wait for ping address-in-use test */ #define PING_CACHE_TIME 30 /* Ping test assumed to be valid this long. */ -@@ -34,8 +34,8 @@ +@@ -36,8 +36,8 @@ #define HOSTSFILE "/etc/hosts" #define ETHERSFILE "/etc/ethers" #define DEFLEASE 3600 /* default lease time, 1 hour */
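Review bot: in the dnsmasq.changes hunk, the single "update to 2.71" entry carries upstream notes for several releases (the text itself refers to regressions "introduced in 2.67" and "introduced in 2.69") without per-version headings, and in the visible part the crash, infinite-loop and 100% CPU fixes sit unmarked among feature notes. Suggest splitting the entry by upstream version and marking the fixes that affect availability, so an administrator upgrading from 2.65 can see which ones matter. The pasted text also keeps upstream typos ("contructor:", "wil", "thats", "result in not queries being validated") that could be corrected in the package changelog.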
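Review bot: at `+Version: 2.71` in the first dnsmasq.spec hunk, the build side of the DNSSEC feature is not addressed. The changelog in this same commit says dnsmasq must be compiled with `make dnsmasq COPTS=-DHAVE_DNSSEC` and that this adds dependencies on the nettle and gmp libraries, yet the spec hunks shown change only License, Version and %doc. Either add the build flag and the matching BuildRequires, or state in the .changes entry that this package is built without DNSSEC, because the entry presents `dnssec` and `conf-file=/path/to/trust-anchors.conf` as ready to use.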
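Review bot: in the %files hunk of dnsmasq.spec, the unchanged line `%config(noreplace) %{_sysconfdir}/dnsmasq.conf` means a locally modified configuration file is kept on upgrade from 2.65, so --local-service, which the changelog describes as "intended to be set as a default on installation" to keep unconfigured installations from being used for DNS amplification attacks, can only reach new installs, and only if the packaged dnsmasq.conf sets it. Suggest documenting this in README.SUSE or the .changes entry so that upgraded systems know to add the option by hand; the hunk itself adds only COPYING-v3 to %doc.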
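Review bot: in the refreshed group_and_isc.patch, the file headers change from `--- a/Makefile` / `+++ b/Makefile` to `Index: dnsmasq-2.71/Makefile` with `--- dnsmasq-2.71.orig/Makefile`, which puts the upstream version into the patch and forces these headers to be rewritten on every version bump. Suggest keeping the version-independent a/ and b/ prefixes (both forms apply at the same strip level), so that later refreshes show only offset changes such as `-@@ -127,7 +127,7 @@` to `+@@ -150,7 +150,7 @@`.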