Hello community,

here is the log from the commit of package dnsmasq for openSUSE:Factory checked 
in at 2014-06-19 13:19:46
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/dnsmasq (Old)
 and      /work/SRC/openSUSE:Factory/.dnsmasq.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "dnsmasq"

Changes:
--------
--- /work/SRC/openSUSE:Factory/dnsmasq/dnsmasq.changes  2014-03-28 
12:10:12.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.dnsmasq.new/dnsmasq.changes     2014-06-19 
13:19:48.000000000 +0200
@@ -1,0 +2,427 @@
+Thu Jun 12 08:15:29 UTC 2014 - cdenic...@suse.com
+
+- license update: GPL-2.0 or GPL-3.0
+  correct license is dual GPL-2.0 or GPL-3.0; please add COPYING-v3-file to
+  RPM.
+
+-------------------------------------------------------------------
+Wed Jun 11 15:27:24 UTC 2014 - dmuel...@suse.com
+
+- update to 2.71:
+    Subtle change to error handling to help DNSSEC validation 
+    when servers fail to provide NODATA answers for 
+    non-existent DS records.
+
+    Tweak code which removes DNSSEC records from answers when
+    not required. Fixes broken answers when additional section
+    has real records in it. Thanks to Marco Davids for the bug 
+    report.
+
+    Fix DNSSEC validation of ANY queries. Thanks to Marco Davids
+    for spotting that too.
+
+    Fix total DNS failure and 100% CPU use if cachesize set to zero,
+    regression introduced in 2.69. Thanks to James Hunt and
+    the Ubuntu crowd for assistance in fixing this.
+
+
+    Fix crash, introduced in 2.69, on TCP request when dnsmasq
+    compiled with DNSSEC support, but running without DNSSEC
+    enabled. Thanks to Manish Sing for spotting that one.
+
+    Fix regression which broke ipset functionality. Thanks to 
+    Wang Jian for the bug report.
+
+
+    Implement dynamic interface discovery on *BSD. This allows
+    the contructor: syntax to be used in dhcp-range for DHCPv6
+    on the BSD platform. Thanks to Matthias Andree for
+    valuable research on how to implement this.
+
+    Fix infinite loop associated with some --bogus-nxdomain
+    configs. Thanks fogobogo for the bug report.
+
+    Fix missing RA RDNS option with configuration like
+    --dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer
+    for spotting the problem.
+
+    Add [fd00::] and [fe80::] as special addresses in DHCPv6
+    options, analogous to [::]. [fd00::] is replaced with the
+    actual ULA of the interface on the machine running
+    dnsmasq, [fe80::] with the link-local address. 
+    Thanks to Tsachi Kimeldorfer for championing this.
+
+    DNSSEC validation and caching. Dnsmasq needs to be
+    compiled with this enabled, with 
+    
+    make dnsmasq COPTS=-DHAVE_DNSSEC
+    
+    this add dependencies on the nettle crypto library and the 
+    gmp maths library. It's possible to have these linked
+    statically with
+    
+    make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'
+    
+    which bloats the dnsmasq binary, but saves the size of 
+    the shared libraries which are much bigger.
+
+    To enable, DNSSEC, you will need a set of
+    trust-anchors. Now that the TLDs are signed, this can be
+    the keys for the root zone, and for convenience they are
+    included in trust-anchors.conf in the dnsmasq
+    distribution. You should of course check that these are
+    legitimate and up-to-date. So, adding
+    
+    conf-file=/path/to/trust-anchors.conf
+    dnssec
+
+    to your config is all thats needed to get things
+    working. The upstream nameservers have to be DNSSEC-capable
+    too, of course. Many ISP nameservers aren't, but the
+    Google public nameservers (8.8.8.8 and 8.8.4.4) are.
+    When DNSSEC is configured, dnsmasq validates any queries 
+    for domains which are signed. Query results which are 
+    bogus are replaced with SERVFAIL replies, and results 
+    which are correctly signed have the AD bit set. In 
+    addition, and just as importantly, dnsmasq supplies 
+    correct DNSSEC information to clients which are doing 
+    their own validation, and caches DNSKEY, DS and RRSIG
+    records, which significantly improve the performance of 
+    downstream validators. Setting --log-queries will show 
+    DNSSEC in action.
+
+    If a domain is returned from an upstream nameserver without 
+    DNSSEC signature, dnsmasq by default trusts this. This 
+    means that for unsigned zone (still the majority) there 
+    is effectively no cost for having DNSSEC enabled. Of course
+    this allows an attacker to replace a signed record with a 
+    false unsigned record. This is addressed by the 
+    --dnssec-check-unsigned flag, which instructs dnsmasq
+    to prove that an unsigned record is legitimate, by finding  
+    a secure proof that the zone containing the record is not
+    signed. Doing this has costs (typically one or two extra
+    upstream queries). It also has a nasty failure mode if
+    dnsmasq's upstream nameservers are not DNSSEC capable. 
+    Without --dnssec-check-unsigned using such an upstream
+    server will simply result in not queries being validated; 
+    with --dnssec-check-unsigned enabled and a 
+    DNSSEC-ignorant upstream server, _all_ queries will fail.
+
+    Note that DNSSEC requires that the local time is valid and 
+    accurate, if not then DNSSEC validation will fail. NTP 
+    should be running. This presents a problem for routers
+    without a battery-backed clock. To set the time needs NTP 
+    to do DNS lookups, but lookups will fail until NTP has run.
+    To address this, there's a flag, --dnssec-no-timecheck 
+    which disables the time checks (only) in DNSSEC. When dnsmasq
+    is started and the clock is not synced, this flag should
+    be used. As soon as the clock is synced, SIGHUP dnsmasq. 
+    The SIGHUP clears the cache of partially-validated data and
+    resets the no-timecheck flag, so that all DNSSEC checks 
+    henceforward will be complete.
+    
+    The development of DNSSEC in dnsmasq was started by 
+    Giovanni Bajo, to whom huge thanks are owed. It has been
+    supported by Comcast, whose techfund grant has allowed for 
+    an invaluable period of full-time work to get it to 
+    a workable state.
+
+    Add --rev-server. Thanks to Dave Taht for suggesting this.
+    
+    Add --servers-file. Allows dynamic update of upstream servers 
+    full access to configuration. 
+
+    Add --local-service. Accept DNS queries only from hosts 
+    whose address is on a local subnet, ie a subnet for which 
+    an interface exists on the server. This option
+    only has effect if there are no --interface --except-interface,
+    --listen-address or --auth-server options. It is intended 
+    to be set as a default on installation, to allow
+    unconfigured installations to be useful but also safe from 
+    being used for DNS amplification attacks.
+
+    Fix crashes in cache_get_cname_target() when dangling CNAMEs
+    encountered. Thanks to Andy and the rt-n56u project for
+    find this and helping to chase it down.
+
+    Fix wrong RCODE in authoritative DNS replies to PTR queries. The
+    correct answer was included, but the RCODE was set to NXDOMAIN.
+    Thanks to Craig McQueen for spotting this.
+
+    Make statistics available as DNS queries in the .bind TLD as 
+    well as logging them.
+
+
+    Use random addresses for DHCPv6 temporary address
+    allocations, instead of algorithmically determined stable
+    addresses.
+
+    Fix bug which meant that the DHCPv6 DUID was not available
+    in DHCP script runs during the lifetime of the dnsmasq
+    process which created the DUID de-novo. Once the DUID was
+    created and stored in the lease file and dnsmasq
+    restarted, this bug disappeared.
+
+    Fix bug introduced in 2.67 which could result in erroneous
+    NXDOMAIN returns to CNAME queries.
+
+    Fix build failures on MacOS X and openBSD.
+
+    Allow subnet specifications in --auth-zone to be interface 
+    names as well as address literals. This makes it possible
+    to configure authoritative DNS when local address ranges
+    are dynamic and works much better than the previous
+    work-around which exempted contructed DHCP ranges from the
+    IP address filtering. As a consequence, that work-around
+    is removed. Under certain circumstances, this change wil
+    break existing configuration: if you're relying on the
+    contructed-range exception, you need to change --auth-zone
+    to specify the same interface as is used to construct your
+    DHCP ranges, probably with a trailing "/6" like this: 
+    --auth-zone=example.com,eth0/6 to limit the addresses to
+    IPv6 addresses of eth0.
+
+    Fix problems when advertising deleted IPv6 prefixes. If
+    the prefix is deleted (rather than replaced), it doesn't
+    get advertised with zero preferred time. Thanks to Tsachi
+    for the bug report. 
+
+    Fix segfault with some locally configured CNAMEs. Thanks
+    to Andrew Childs for spotting the problem.
+
+    Fix memory leak on re-reading /etc/hosts and friends,
+    introduced in 2.67.
+
+    Check the arrival interface of incoming DNS and TFTP
+    requests via IPv6, even in --bind-interfaces mode. This
+    isn't possible for IPv4 and can generate scary warnings,
++++ 230 more lines (skipped)
++++ between /work/SRC/openSUSE:Factory/dnsmasq/dnsmasq.changes
++++ and /work/SRC/openSUSE:Factory/.dnsmasq.new/dnsmasq.changes
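Review bot: The single "update to 2.71" entry folds every upstream release since 2.65 into one undivided list, so items such as "regression introduced in 2.69" and "bug introduced in 2.67" sit beside the newest fixes with no indication of which release delivered them. Suggest splitting the list under per-release subheadings. The --local-service paragraph says the option "is intended to be set as a default on installation" to keep unconfigured installs from being used for DNS amplification, but the entry does not say whether the packaged configuration sets it; a one-line statement either way would tell admins what they get after the update.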

Old:
----
  dnsmasq-2.65.tar.gz

New:
----
  dnsmasq-2.71.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ dnsmasq.spec ++++++
--- /var/tmp/diff_new_pack.4oFrMD/_old  2014-06-19 13:19:49.000000000 +0200
+++ /var/tmp/diff_new_pack.4oFrMD/_new  2014-06-19 13:19:49.000000000 +0200
@@ -18,9 +18,9 @@
 
 Name:           dnsmasq
 Summary:        Lightweight, Easy-to-Configure DNS Forwarder and DHCP Server
-License:        GPL-2.0
+License:        GPL-2.0 or GPL-3.0
 Group:          Productivity/Networking/DNS/Servers
-Version:        2.65
+Version:        2.71
 Release:        0
 Provides:       dns_daemon
 PreReq:         /usr/sbin/useradd /bin/mkdir
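Review bot: The Version bump to 2.71 in this preamble hunk comes with no build-dependency change, and the spec diff consists only of this hunk and the %doc one, yet the changes entry states that DNSSEC support needs -DHAVE_DNSSEC plus the nettle and gmp libraries. If the package is meant to ship DNSSEC validation, add the matching BuildRequires and COPTS; if not, say so in dnsmasq.changes so users do not expect the dnssec option and trust-anchors.conf described there to work.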
@@ -119,7 +119,7 @@
 
 %files -f %{name}.lang
 %defattr(-,root,root)
-%doc CHANGELOG COPYING FAQ doc.html setup.html dnsmasq.conf.example contrib 
README.SUSE dbus
+%doc CHANGELOG COPYING COPYING-v3 FAQ doc.html setup.html dnsmasq.conf.example 
contrib README.SUSE dbus
 %config(noreplace) %{_sysconfdir}/dnsmasq.conf
 %{_sbindir}/dnsmasq
 %{_sbindir}/rcdnsmasq

++++++ dnsmasq-2.65.tar.gz -> dnsmasq-2.71.tar.gz ++++++
++++ 47147 lines of diff (skipped)

++++++ group_and_isc.patch ++++++
--- /var/tmp/diff_new_pack.4oFrMD/_old  2014-06-19 13:19:50.000000000 +0200
+++ /var/tmp/diff_new_pack.4oFrMD/_new  2014-06-19 13:19:50.000000000 +0200
@@ -4,8 +4,10 @@
  src/config.h  |    6 +++---
  3 files changed, 6 insertions(+), 5 deletions(-)
 
---- a/Makefile
-+++ b/Makefile
+Index: dnsmasq-2.71/Makefile
+===================================================================
+--- dnsmasq-2.71.orig/Makefile
++++ dnsmasq-2.71/Makefile
 @@ -18,7 +18,7 @@
  
  # Variables you may well want to override.
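Review bot: The refreshed file headers (Index: dnsmasq-2.71/Makefile, --- dnsmasq-2.71.orig/Makefile) embed the upstream version in the path in place of the version-neutral a/ and b/ prefixes, so every future version bump will rewrite these lines even when the patch content is unchanged. Refreshing with quilt refresh -p ab --no-index keeps the a/ b/ form; the same applies to the man/dnsmasq.8 and src/config.h headers further down.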
@@ -15,18 +17,20 @@
  BINDIR        = $(PREFIX)/sbin
  MANDIR        = $(PREFIX)/share/man
  LOCALEDIR     = $(PREFIX)/share/locale
-@@ -127,7 +127,7 @@ $(objs:.o=.c) $(hdrs):
+@@ -150,7 +150,7 @@ $(objs:.o=.c) $(hdrs):
        $(CC) $(CFLAGS) $(COPTS) $(i18n) $(build_cflags) $(RPM_OPT_FLAGS) -c $< 
  
- dnsmasq : .configured $(hdrs) $(objs) 
+ dnsmasq : .configured $(hdrs) $(objs)
 -      $(CC) $(LDFLAGS) -o $@ $(objs) $(build_libs) $(LIBS) 
 +      $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(objs) $(build_libs) $(LIBS)
  
  dnsmasq.pot : $(objs:.o=.c) $(hdrs)
        $(XGETTEXT) -d dnsmasq --foreign-user --omit-header --keyword=_ -o $@ 
-i $(objs:.o=.c)
---- a/man/dnsmasq.8
-+++ b/man/dnsmasq.8
-@@ -125,6 +125,7 @@ can be over-ridden with this switch.
+Index: dnsmasq-2.71/man/dnsmasq.8
+===================================================================
+--- dnsmasq-2.71.orig/man/dnsmasq.8
++++ dnsmasq-2.71/man/dnsmasq.8
+@@ -135,6 +135,7 @@ can be over-ridden with this switch.
  Specify the group which dnsmasq will run
  as. The defaults to "dip", if available, to facilitate access to
  /etc/ppp/resolv.conf which is not normally world readable.
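Review bot: In the Makefile part of this hunk the link rule gains $(CFLAGS), while the compile rule just above it also passes $(RPM_OPT_FLAGS), so any flag that reaches the build only through RPM_OPT_FLAGS is used when compiling but not when linking. If the intent is for the distribution's flags to apply to both steps, pass the same variable on the link line, and add a sentence to the patch header saying why CFLAGS is needed at link time.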
@@ -34,9 +38,11 @@
  .TP
  .B \-v, --version
  Print the version number.
---- a/src/config.h
-+++ b/src/config.h
-@@ -24,7 +24,7 @@
+Index: dnsmasq-2.71/src/config.h
+===================================================================
+--- dnsmasq-2.71.orig/src/config.h
++++ dnsmasq-2.71/src/config.h
+@@ -25,7 +25,7 @@
  #define FORWARD_TIME 20 /* or 20 seconds */
  #define RANDOM_SOCKS 64 /* max simultaneous random ports */
  #define LEASE_RETRY 60 /* on error, retry writing leasefile after LEASE_RETRY 
seconds */
@@ -45,7 +51,7 @@
  #define MAXLEASES 1000 /* maximum number of DHCP leases */
  #define PING_WAIT 3 /* wait for ping address-in-use test */
  #define PING_CACHE_TIME 30 /* Ping test assumed to be valid this long. */
-@@ -34,8 +34,8 @@
+@@ -36,8 +36,8 @@
  #define HOSTSFILE "/etc/hosts"
  #define ETHERSFILE "/etc/ethers"
  #define DEFLEASE 3600 /* default lease time, 1 hour */

-- 
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
