Re: [Dnsmasq-discuss] localdomain non-responsive without edns on ubuntu 14.04

2016-02-13 Thread Simon Kelley
I'm running 14.04 and just tried that experiment. I can't see any difference in behaviour. In each case the query gets passed on to the upstream nameserver, so I guess that the effect might originate there. Cheers, Simon On 12/02/16 17:44, Justin Karneges wrote: > Hi list, > > I noticed a

Re: [Dnsmasq-discuss] Floating point exception

2016-02-13 Thread Simon Kelley
The condition that causes it is having the start address all zeros and the end address all ones. Dnsmasq calculates the size of the range, in this case ff - 0 and then adds one to it, overflowing the 64-bit variable back to zero. It then
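The overflow Simon describes, as an added example that is not dnsmasq's code: Python with explicit 64-bit masking stands in for the C uint64_t arithmetic, and the function names and the checked variant are this example's own. The naive size computation wraps to zero and the modulo that follows it faults (SIGFPE in C, which the shell reports as the "Floating point exception" of the subject line; ZeroDivisionError here). The checked version rejects inverted ranges and handles the full 2^64 span without dividing at all.

```python
"""Added example, not dnsmasq code: the range-size wrap-around described above,
modelled in Python with explicit 64-bit masking (Python ints do not wrap on
their own), beside a guarded version.  Names are this example's own."""

MASK64 = (1 << 64) - 1          # value of UINT64_MAX
ALL_ONES = MASK64               # "end address all ones"


def range_size_naive(start, end):
    """C: uint64_t size = end - start + 1;  wraps to 0 for start=0, end=all ones."""
    return (end - start + 1) & MASK64


def pick_naive(start, end, n):
    """C: start + n % size.  With size == 0 the division raises SIGFPE, which
    the shell prints as 'Floating point exception'; Python raises
    ZeroDivisionError at the same spot."""
    return (start + n % range_size_naive(start, end)) & MASK64


def naive_faults(start, end, n):
    """True when the naive pick would divide by zero for this range."""
    try:
        pick_naive(start, end, n)
    except ZeroDivisionError:
        return True
    return False


def range_size_checked(start, end):
    """Return (fits, size).  An inverted range gives (False, 0); a span covering
    the whole 64-bit space gives (False, 2**64), because 2**64 does not fit."""
    if end < start:
        return False, 0
    span = end - start           # cannot overflow: end >= start
    if span == MASK64:
        return False, 1 << 64
    return True, span + 1


def pick_checked(start, end, n):
    """Pick the n-th address of the range without ever dividing by zero."""
    fits, size = range_size_checked(start, end)
    if size == 0:
        raise ValueError("range end is below range start")
    if not fits:
        return (start + n) & MASK64   # 2**64 addresses: n mod 2**64 is n itself
    return (start + n % size) & MASK64


if __name__ == "__main__":
    print(range_size_naive(0, ALL_ONES))     # 0: the wrapped size
    print(naive_faults(0, ALL_ONES, 7))      # True
    print(pick_checked(0, ALL_ONES, 7))      # 7
    print(hex(pick_checked(0x10, 0x1F, 37))) # 0x15: 0x10 + 37 % 16
```

The fix that matters is in range_size_checked: computing end - start first can never overflow once end >= start has been established, so the only case left to special-case is the span that equals UINT64_MAX.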

Re: [Dnsmasq-discuss] no-ping option treats hosts as 'cannot ping'

2016-02-12 Thread Simon Kelley
On 10/02/16 22:39, Joolee wrote: > I am currently doing some testing with DHCP Spoofing and DHCP Starvation > attacks. When performing the starvation attack with pig.py, I noticed that > dnsmasq keeps assigning the same IP addresses over and over again with > consecutive runs. That is potentially

Re: [Dnsmasq-discuss] dnsmasq offering dynamic instead of static dhcp leases - what am I doing incorrectly?

2016-02-12 Thread Simon Kelley
On 12/02/16 00:29, Michael Evans wrote: > Re-sending after temporarily subscribing > > On Thu, Feb 11, 2016 at 4:11 PM Michael Evans wrote: > >> My goal is to have dnsmasq serve DHCP leases on an interface, either for >> static addresses (either within that interface's

Re: [Dnsmasq-discuss] DNS TTL for responses based on DHCP leases

2016-02-12 Thread Simon Kelley
On 11/02/16 07:54, Lorin Weilenmann wrote: > Hi list, > > Currently, dnsmasq sets the DNS TTL for queries which it answers > from local sources to 0 (or the value of --local-ttl). While this > may be okay for entries out of /etc/hosts and addn-host

Re: [Dnsmasq-discuss] spaces in hostnames

2016-02-09 Thread Simon Kelley
On 07/02/16 02:04, Jim Alles wrote: > Simon, Sir: > > in 2007 @ > https://www.mail-archive.com/dnsmasq-discuss%40lists.thekelleys.org.uk/msg01532.html > > you said: > > "Hmm, an interesting can of worms. My first reaction to this was "it's > > not a problem, spaces are not legal in hostnames

Re: [Dnsmasq-discuss] Any way to force dnsmasq to reply on interface secondary IP ? (Linux)

2016-02-05 Thread Simon Kelley
On 05/02/16 10:36, Jarek Polok wrote: > Hello everybody ! > > I'm trying to set up the pxe server / proxy dhcp, > using dnsmasq 2.66 and setting options: > > [...] > #system interface setup > #eth2: > #[...] > #inet X.X.X.158/YY brd X.X.X.159 scope global eth2 > #inet X.X.X.150/YY scope global

Re: [Dnsmasq-discuss] Some dns entries are not cached properly

2016-02-05 Thread Simon Kelley
On 03/02/16 10:47, Comerma Pare, Antoni wrote: > Hi, > > We are experiencing some weird behavior when using dnsmasq as dns > cache. We are using it in a webserver that makes lots of dns > request for just a bunch of backend servers, so the # of

Re: [Dnsmasq-discuss] Returning SOA for local domains?

2016-02-05 Thread Simon Kelley
On 04/02/16 15:48, Maxim Khitrov wrote: > When you configure a domain as local, meaning that dnsmasq will never > forward queries within that domain, there is no way to configure a > negative cache TTL value since there is no SOA record. As a result, I > frequently run into a problem where I try

Re: [Dnsmasq-discuss] [PATCH] --dont-mirror-queries option

2016-02-05 Thread Simon Kelley
That's very ingenious! Your post begs the question "Will you merge the patch?" I'm not sure: it's a pretty niche application, and there are lots of cases where it does the wrong thing. For instance when a query arrives from area1, there's nothing

Re: [Dnsmasq-discuss] No caching unless recursion enabled?

2016-02-03 Thread Simon Kelley
On 27/01/16 03:49, bob tatus wrote: > Thanks for that, so essentially I need to download the source code, > modify and recompile? There is no simple way for me to otherwise do > this with my current installation, as that isn't really an option in > this environment. A configuration option to

Re: [Dnsmasq-discuss] dnsmasq forgets dns records

2016-02-01 Thread Simon Kelley
On 28/01/16 07:00, Stefan Priebe - Profihost AG wrote: > Hi, > > I've a problem where dnsmasq seems to forget the DNS / hostnames. > > Those devices affected are debian wheezy machines running > dhclient. > > When they're freshly booted the

Re: [Dnsmasq-discuss] prevent dnsmasq from releasing IPs

2016-01-26 Thread Simon Kelley
On 26/01/16 07:25, Stefan Priebe - Profihost AG wrote: > > > On 25.01.2016 at 23:20 Simon Kelley wrote: >> Not directly. If you just want a record of leases after they've >> been released, then you can save information

Re: [Dnsmasq-discuss] prevent dnsmasq from releasing IPs

2016-01-26 Thread Simon Kelley
On 26/01/16 13:42, Stefan Priebe - Profihost AG wrote: > > > what about writing and sending kill 1 / HUP? > No. The only way to make that work would be to 1) Stop dnsmasq with SIGTERM 2) modify the leases file 3) restart dnsmasq in

Re: [Dnsmasq-discuss] prevent dnsmasq from releasing IPs

2016-01-26 Thread Simon Kelley
On 26/01/16 14:56, Stefan Priebe - Profihost AG wrote: > >> On 26.01.2016 at 14:46 Simon Kelley >> <si...@thekelleys.org.uk> wrote: >> > > >>>> On 26/01/16 13:42, Stefan Priebe - Profiho

Re: [Dnsmasq-discuss] prevent dnsmasq from releasing IPs

2016-01-26 Thread Simon Kelley
On 26/01/16 16:03, Neil Jerram wrote: > On 26/01/16 15:09, Stefan Priebe - Profihost AG wrote: >>> On 26.01.2016 at 14:46 Simon Kelley >>> <si...@thekelleys.org.uk> wrote: >>> >>> --

Re: [Dnsmasq-discuss] [PATCH] Regression: dnsmasq replies to forwarded query too early when receiving REFUSED response from upstream server

2016-01-25 Thread Simon Kelley
Patch applied. Many thanks. Simon. On 25/01/16 02:27, Chris Novakovic wrote: > Treat REFUSED (not SERVFAIL) as an unsuccessful upstream response > > Commit 51967f9807665dae403f1497b827165c5fa1084b began treating > SERVFAIL as a successful

Re: [Dnsmasq-discuss] No caching unless recursion enabled?

2016-01-25 Thread Simon Kelley
The no-caching behaviour is provided by this code, at the end of extract_addresses() in rfc1035.c /* Don't put stuff from a truncated packet into the cache. Don't cache replies from non-recursive nameservers, since we may get a reply

Re: [Dnsmasq-discuss] prevent dnsmasq from releasing IPs

2016-01-25 Thread Simon Kelley
Not directly. If you just want a record of leases after they've been released, then you can save information by using the dhcp-script function. If you want to stop re-use of the addresses, then the best you can easily do is to allocate static
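Keeping a record of leases after release with the dhcp-script mechanism Simon points to, as an added example that is not dnsmasq's own code. What it relies on is the documented --dhcp-script contract from the dnsmasq man page: the script is run with the arguments add, old or del, then the MAC address (or DUID), the IP address and, when known, the hostname, with further details such as DNSMASQ_CLIENT_ID and DNSMASQ_LEASE_LENGTH in the environment. The log path, the line layout and every function name are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Added example, not dnsmasq's own code: a --dhcp-script hook that keeps a
permanent record of every lease event, so an address stays on file after
dnsmasq has released it.  dnsmasq runs the script as
    <script> add|old|del <MAC or DUID> <IP> [<hostname>]
with extra details such as DNSMASQ_CLIENT_ID and DNSMASQ_LEASE_LENGTH in the
environment (man dnsmasq, --dhcp-script).  The log path, line layout and
function names are this example's own choices."""
import os
import sys
import time

LEASE_ACTIONS = ("add", "old", "del")
DEFAULT_LOG = "/var/lib/misc/dnsmasq.lease-history"   # assumed location


def format_event(argv, env, now=None):
    """One tab-separated line for a lease event, or None when the invocation
    is not a lease change (dnsmasq also calls the script for other events)."""
    if len(argv) < 3 or argv[0] not in LEASE_ACTIONS:
        return None
    action, mac, ip = argv[0], argv[1], argv[2]
    host = argv[3] if len(argv) > 3 else ""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
    # Tabs keep the record parseable even if a hostname contains spaces.
    return "\t".join([stamp, action, mac, ip, host,
                      env.get("DNSMASQ_CLIENT_ID", ""),
                      env.get("DNSMASQ_LEASE_LENGTH", "")])


def record_event(path, argv, env, now=None):
    """Append the event to the history file; False if nothing was logged."""
    line = format_event(argv, env, now)
    if line is None:
        return False
    with open(path, "a") as log:
        log.write(line + "\n")
    return True


def last_address_in(lines, mac):
    """Most recent address recorded for a MAC, even if that lease was released."""
    last = None
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) >= 4 and fields[2] == mac:
            last = fields[3]
    return last


def last_address_for(path, mac):
    """Same lookup against the history file on disk."""
    with open(path) as log:
        return last_address_in(log, mac)


if __name__ == "__main__":
    # dnsmasq invokes us with the event in argv and the details in the environment.
    record_event(os.environ.get("LEASE_LOG", DEFAULT_LOG), sys.argv[1:], os.environ)
```

Point dhcp-script at the file and make sure the account dnsmasq drops to can append to the log; the history is append-only, so a del line never removes the add line that preceded it, which is exactly what the thread was asking for.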

Re: [Dnsmasq-discuss] No caching unless recursion enabled?

2016-01-23 Thread Simon Kelley
On 21/01/16 23:16, bob tatus wrote: > > Hi there, > > I've been using Dnsmasq for a few days now with no problems, it > was caching well and helping a lot. > > Yesterday I disabled recursive DNS queries on my DNS server (Bind > 9) as this is

Re: [Dnsmasq-discuss] [PATCH] dnsmasq: max-port support for outbound dns queries

2016-01-23 Thread Simon Kelley
these DHCP relays as full proxies."), NULL }, @@ > -2512,6 +2515,11 @@ static int one_opt(int option, char *arg, char > *errstr, char *gen_err, int comma ret_err(gen_err); break; > > +case LOPT_MAXPORT: /* --max-port */ + if > (!atoi_check16(arg, >max_port))
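Review bot: the LOPT_MAXPORT case shown only validates the argument with atoi_check16(), i.e. that it is a number that fits in 16 bits; a value of 0, or one below the lower bound of the port range that --max-port is meant to cap, passes that check and leaves the range the option describes empty. Add an explicit lower-bound check beside it and fail through ret_err() the way the neighbouring cases do (the `ret_err(gen_err); break;` visible just above is the pattern), and state the accepted range in the option's help-text entry in the earlier hunk, of which only the trailing `NULL },` context survives here.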

Re: [Dnsmasq-discuss] [PATCH] DHCPv6: Add support for more than one hardware address per IPv6 address

2016-01-20 Thread Simon Kelley
On 16/01/16 15:00, Pali Rohár wrote: > On Friday 15 January 2016 22:48:31 Simon Kelley wrote: >> On 01/01/16 21:29, Pali Rohár wrote: >>> On Friday 01 January 2016 21:23:36 Simon Kelley wrote: >>>> On 23

Re: [Dnsmasq-discuss] dnsmasq pxe-service and IPv6

2016-01-20 Thread Simon Kelley
Dnsmasq doesn't do PXE-boot over IPv6, sorry. It's on a (long) list of future enhancements. Cheers, Simon. On 19/01/16 14:11, Grundschöttel, Eduard wrote: > Dear Sir or Madam, > > I want to use the pxe-service of dnsmasq in an IPv6 environment. > Unfortunately I couldn't > configure and

Re: [Dnsmasq-discuss] [PATCH] RADV: Send same RDNSS address as in DHCPv6

2016-01-20 Thread Simon Kelley
On 16/01/16 15:10, Pali Rohár wrote: > On Friday 15 January 2016 22:37:46 you wrote: >> On 01/01/16 21:07, Pali Rohár wrote: >>> On Friday 01 January 2016 20:58:42 Simon Kelley wrote: >>>> Does the existin

Re: [Dnsmasq-discuss] refused responses for simple hostnames, domain-needed, and no upstream servers

2016-01-19 Thread Simon Kelley
On 17/01/16 23:18, Legacy, Allain wrote: > Hi, We have noticed an inconsistency in how dnsmasq responds to > queries for simple hostnames (no dots) depending on whether there are > any configured upstream servers or not. I am unsure if this is > because we have misconfigured something, whether

Re: [Dnsmasq-discuss] Feature request: allow to enable/disable --dnssec-check-unsigned per upstream server

2016-01-14 Thread Simon Kelley
. On 12/01/16 10:16, Andre Heider wrote: > On Mon, Jan 11, 2016 at 10:27 PM, Simon Kelley <si...@thekelleys.org.uk> > wrote: >> dig @5.9.49.12 dnskey . | dnssec-dsfromkey -2 -f - . >> >> The -2 flag tells dsfromkey to make the SHA2

Re: [Dnsmasq-discuss] Feature request: allow to enable/disable --dnssec-check-unsigned per upstream server

2016-01-11 Thread Simon Kelley
On 10/01/16 14:46, Andre Heider wrote: > Hi, > > On Sat, Jan 9, 2016 at 7:25 PM, Simon Kelley > <si...@thekelleys.org.uk> wrote: >> No that one slipped through the net. Thinking about that some >> more, there a

Re: [Dnsmasq-discuss] Feature request: allow to enable/disable --dnssec-check-unsigned per upstream server

2016-01-09 Thread Simon Kelley
On 08/01/16 14:18, Andre Heider wrote: > Hi, > > On Sat, Sep 6, 2014 at 6:55 PM, Simon Kelley > <si...@thekelleys.org.uk> wrote: >> On 29/08/14 08:59, Rene Bartsch wrote: >>> Hi, >>> >

Re: [Dnsmasq-discuss] Rewrite TTL on MX RR

2016-01-09 Thread Simon Kelley
hat should be how it's done. Cheers, Simon. > > Regards, Anthony > > > 2016-01-06 19:30 GMT+01:00 Simon Kelley <si...@thekelleys.org.uk>: > > It's expected, in the sense that it's coded that way: dnsmasq > doesn't do anything with replies to queries for anyt

Re: [Dnsmasq-discuss] dnsmasq used in AWS

2016-01-09 Thread Simon Kelley
ore. > > thanks, Walter > > > -- > > > Message: 1 Date: Thu, 7 Jan 2016 20:55:55 + From: Simon Kelley > <si...@thekelleys.org.uk> To: > dnsmasq-discuss@lists.thekelleys.org.uk Subject: Re:

Re: [Dnsmasq-discuss] DHCP using DNS...can I do the following ?

2016-01-07 Thread Simon Kelley
It can do exactly that. The configuration goes in dhcp-host statements: dhcp-host=mickey,192.168.0.10 ensures that when a DHCP request turns up from a machine identifying itself as "mickey", it gets given address 192.168.0.10 and "mickey"

Re: [Dnsmasq-discuss] Do we support RFC4702?

2016-01-06 Thread Simon Kelley
Define "support". It knows about the option, and if the client requests it, will send a suitable value created from the hostname and the value of the --domain configuration option. 81 is one of the options that dnsmasq stops you from setting

Re: [Dnsmasq-discuss] Hint needed: neither patched 'dnsmasq 2.75' nor '2.76test4' will compile

2016-01-06 Thread Simon Kelley
On 05/01/16 20:55, Matthias Andree wrote: > However, I can reproduce the issue on a vanilla 2.76test4, > apparently an #undef HAVE_DHCP isn't properly supported in > 2.76test4. > > Simon, do you need to comment out the do_script_run() calls in

Re: [Dnsmasq-discuss] Rewrite TTL on MX RR

2016-01-06 Thread Simon Kelley
It's expected, in the sense that it's coded that way: dnsmasq doesn't do anything with replies to queries for anything other than A (IPv4 address) and AAAA (IPv6 address) queries. Now I think about it, I rather class this as a bug, and would

Re: [Dnsmasq-discuss] Hint needed: neither patched 'dnsmasq 2.75' nor '2.76test4' will compile

2016-01-06 Thread Simon Kelley
Good call. Fixed now. Cheers, Simon. On 06/01/16 19:39, Lonnie Abelbeck wrote: > Simon, do_arp_script_run() does not have arguments, shouldn't ... > ? > > - while (do_arp_script_run(now)); + while (do_arp_script_run()); > > Lonnie > >

Re: [Dnsmasq-discuss] Wildcard Domain resolving does not work with DNSSEC

2016-01-04 Thread Simon Kelley
On 04/01/16 17:29, Uwe Schindler wrote: > Hi, > > That is fixed already (used 2.75 from debian, no bleeding edge)! I > tried test3 (now test4 because of spinning bug) and this one worked > correctly. The test page also passed:

Re: [Dnsmasq-discuss] Wildcard Domain resolving does not work with DNSSEC

2016-01-04 Thread Simon Kelley
What release are you using, Uwe? I just tried the git-HEAD code, and pangaea.de is OK, both issues.pangaea.de, which is a genuine record, and simon.pangaea.de which is an expansion of the wildcard ;simon.pangaea.de. IN A ;; ANSWER

Re: [Dnsmasq-discuss] CPU spin in master

2016-01-04 Thread Simon Kelley
Allee 63, D-28213 Bremen > http://www.thetaphi.de eMail: u...@thetaphi.de > > >> -Original Message- From: Dnsmasq-discuss >> [mailto:dnsmasq-discuss- boun...@lists.thekelleys.org.uk] On >> Behalf Of Simon Kelley Sent: Monday, January 04, 2016 5:15 PM To: >>

Re: [Dnsmasq-discuss] CPU spin in master

2016-01-04 Thread Simon Kelley
taphi.de > > >> -Original Message- From: Simon Kelley >> [mailto:si...@thekelleys.org.uk] Sent: Monday, January 04, 2016 >> 6:04 PM To: Uwe Schindler <u...@thetaphi.de> Cc: >> dnsmasq-discuss@lists.thekelleys.org.uk Subject: Re: >> [Dnsmasq-discuss] CP

Re: [Dnsmasq-discuss] CPU spin in master

2016-01-04 Thread Simon Kelley
ier-Allee 63, D-28213 Bremen > http://www.thetaphi.de eMail: u...@thetaphi.de > > >> -Original Message- From: Simon Kelley >> [mailto:si...@thekelleys.org.uk] Sent: Monday, January 04, 2016 >> 6:04 PM To: Uwe Schindler <u...@thetaphi.de> Cc: >> dnsmasq-discuss@l

Re: [Dnsmasq-discuss] CPU spin in master

2016-01-04 Thread Simon Kelley
spelling & top > posting > >> On 2 Jan 2016, at 17:20, Kevin Darbyshire-Bryant >> <ke...@darbyshire-bryant.me.uk> wrote: >> >> >> >>> On 01/01/16 20:27, Simon Kelley wrote: >>>> On 01/01/16 11:28, Kevin Darbyshire-Bryant wrote:

Re: [Dnsmasq-discuss] [PATCH] Fix compilation without HAVE_DNSSEC

2016-01-01 Thread Simon Kelley
On 23/12/15 21:10, Pali Rohár wrote: > Do not call add_do_bit which is only for dnssec code. > --- > src/forward.c |2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/src/forward.c b/src/forward.c > index 041353c..bffea78 100644 > --- a/src/forward.c > +++ b/src/forward.c > @@ -793,8

Re: [Dnsmasq-discuss] [PATCH] RADV: Send same RDNSS address as in DHCPv6

2016-01-01 Thread Simon Kelley
Does the existing behaviour cause you problems? The rationale for why it behaves the way it does is that link-local addresses are good IF client and server are on the same link, since there's no possibility of addresses changing or renumbering. A client getting DNS server addresses from RADV is by

Re: [Dnsmasq-discuss] CPU spin in master

2016-01-01 Thread Simon Kelley
On 01/01/16 11:28, Kevin Darbyshire-Bryant wrote: > Hi Simon, > > First off, Happy New Year! and to you, and all our readers! > > I compiled master ec0628c4b2a06e1fc21216091bb040d61a43b271 on OpenWrt > (mips Archer C7 v2 platform Linux 4.1) a few hours ago and have > experienced dnsmasq

Re: [Dnsmasq-discuss] [PATCH] DHCPv6: Add support for more than one hardware address per IPv6 address

2016-01-01 Thread Simon Kelley
On 23/12/15 21:10, Pali Rohár wrote: > This patch allows assigning one IPv6 address to more than one config entry > specified by MAC address. This is a similar function to the one for IPv4 addresses > in the DHCPv4 server code. This needs some thinking about: DHCPv6 is different from DHCPv4 in that clients are

Re: [Dnsmasq-discuss] [PATCH] Treat records signed using unknown algorithms as unsigned instead of bogus

2015-12-30 Thread Simon Kelley
> The only remark I have this time is that it might be nice to also > include digest/signing algorithms in DS query logs. Seeing > something like this in your logs can be confusing: > > reply caint.su is DS keytag 697 reply caint.su is DS

Re: [Dnsmasq-discuss] [PATCH] Treat records signed using unknown algorithms as unsigned instead of bogus

2015-12-20 Thread Simon Kelley
On 18/12/15 13:22, Michał Kępień wrote: > A useful test subject for these issues is the caint.su zone, which > uses two keys, each using a different algorithm (RSA and ECC-GOST) > and also provides three separate hashes of each of those keys in >

Re: [Dnsmasq-discuss] [PATCH] Treat records signed using unknown algorithms as unsigned instead of bogus

2015-12-17 Thread Simon Kelley
On 17/12/15 14:31, Michał Kępień wrote: >> OK. Fixing this turned into a marathon re-write session. The >> result is a huge improvement: by doing the core things right I've >> vastly simplified the code and made it much easier to understand >> and

Re: [Dnsmasq-discuss] [PATCH] Treat records signed using unknown algorithms as unsigned instead of bogus

2015-12-16 Thread Simon Kelley
OK. Fixing this turned into a marathon re-write session. The result is a huge improvement: by doing the core things right I've vastly simplified the code and made it much easier to understand and modify. The final patch, to make a zone which has a

Re: [Dnsmasq-discuss] [PATCH] Flush dynamic configuration on reload and discard DHCPv6 options on SIGHUP

2015-12-15 Thread Simon Kelley
Apologies for ignoring this until now. I'm in heavy coding mode now, and plan to take a look at this in the next day or two. Cheers, Simon. On 02/12/15 13:50, Alin Nastac wrote: > Reload configuration from dynamic configuration files when

Re: [Dnsmasq-discuss] segv using 2.75 with dnssec

2015-12-08 Thread Simon Kelley
12:08 AM, Simon Kelley > <si...@thekelleys.org.uk> wrote: >> I think the problem may be the code-path in get_new_frec() which >> frees old frecs. Warping the time will make all the records >> suddenly old, and they'll get freed by the loop. The problem is >> that

Re: [Dnsmasq-discuss] dnsmasq 2.75 build options

2015-12-07 Thread Simon Kelley
On 07/12/15 04:39, Shane Manjarres wrote: > Looking at the build options listed in /src/config.h it states the > following: > > The default set of options to build > > HAVE_DHCP HAVE_DHCP6 HAVE_TFTP HAVE_SCRIPT HAVE_AUTH HAVE_IPSET > HAVE_LOOP

Re: [Dnsmasq-discuss] segv using 2.75 with dnssec

2015-12-07 Thread Simon Kelley
I think the problem may be the code-path in get_new_frec() which frees old frecs. Warping the time will make all the records suddenly old, and they'll get freed by the loop. The problem is that some will be freed by the recursive calls to free_frec

Re: [Dnsmasq-discuss] dnsmasq exists with sigterm following bootp messages

2015-12-07 Thread Simon Kelley
Why do you think that this is BOOTP related? I can't see any evidence that your clients are sending bootp requests. Background: BOOTP is an old protocol that pre-dates DHCP. DHCP packets are actually BOOTP packets with lots of extra options. From
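The relationship Simon sketches, as an added example that is not dnsmasq's code: a parser that reads the shared 236-byte BOOTP header (RFC 951) and then decides whether the vendor field carries plain BOOTP data or the DHCP magic cookie and a DHCP message type option (RFC 2131). That is the check a server makes to tell the two apart, and it is what you would apply to a capture to confirm whether any client really is sending BOOTP. The packets at the bottom are constructed by hand, and the function names are this example's own.

```python
"""Added example, not dnsmasq code: tell a plain BOOTP request from a DHCP one.
Both share the 236-byte BOOTP header (RFC 951); DHCP (RFC 2131) puts the magic
cookie 63 82 53 63 in the vendor field and carries its message type in option 53.
The packets at the bottom are constructed by hand, not captured."""
import struct

HEADER_LEN = 236                      # op .. file, before the vendor/options field
MAGIC = b"\x63\x82\x53\x63"
OPT_MSG_TYPE = 53
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_options(data):
    """Decode TLV options after the cookie; 0 is a pad byte and 255 ends the list."""
    opts = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 2 > len(data):
            raise ValueError("option %d has no length byte" % code)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated" % code)
        opts[code] = value
        i += 2 + length
    return opts


def parse_packet(packet):
    """Return the fields a DHCP server keys on, plus whether it is BOOTP or DHCP."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than a BOOTP header")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", packet[:12])
    if hlen > 16:
        raise ValueError("hlen exceeds the chaddr field")
    msg = {
        "op": op, "xid": xid, "broadcast": bool(flags & 0x8000),
        "ciaddr": ".".join(str(b) for b in packet[12:16]),
        "yiaddr": ".".join(str(b) for b in packet[16:20]),
        "chaddr": ":".join("%02x" % b for b in packet[28:28 + hlen]),
        "kind": "BOOTP", "options": {},
    }
    vend = packet[HEADER_LEN:]
    if vend[:4] == MAGIC:
        msg["options"] = parse_options(vend[4:])
        mtype = msg["options"].get(OPT_MSG_TYPE)
        if mtype and mtype[0] in MSG_TYPES:
            # Option 53 is what makes it DHCP; a cookie alone is RFC 1497 vendor data.
            msg["kind"] = "DHCP" + MSG_TYPES[mtype[0]]
    return msg


def classify(packet):
    return parse_packet(packet)["kind"]


def build_packet(op, chaddr, options=None, xid=0x3903F326):
    """Construct a test packet; options=None gives a bare BOOTP vendor field."""
    hdr = struct.pack("!BBBBIHH", op, 1, len(chaddr), 0, xid, 0, 0x8000)
    hdr += b"\x00" * 16                               # ciaddr yiaddr siaddr giaddr
    hdr += chaddr.ljust(16, b"\x00")                  # chaddr
    hdr += b"\x00" * 64 + b"\x00" * 128               # sname, file
    if options is None:
        return hdr + b"\x00" * 64                     # RFC 951 vend field, no cookie
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC + body + b"\xff"


MAC = bytes.fromhex("001122334455")
BOOTP_REQUEST = build_packet(1, MAC)
DHCP_DISCOVER = build_packet(1, MAC, [(OPT_MSG_TYPE, b"\x01"), (61, b"\x01" + MAC)])
VENDOR_ONLY = build_packet(1, MAC, [(60, b"PXEClient")])   # cookie, but no option 53

if __name__ == "__main__":
    for name, pkt in (("bootp", BOOTP_REQUEST), ("discover", DHCP_DISCOVER),
                      ("vendor-only", VENDOR_ONLY)):
        print(name, classify(pkt), parse_packet(pkt)["chaddr"])
```

Feed parse_packet the UDP payload of port 67 traffic from a capture: anything that comes back as "BOOTP" is a client that really is speaking the old protocol, which is the evidence Simon says is missing from the report.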

Re: [Dnsmasq-discuss] [PATCH] Treat records signed using unknown algorithms as unsigned instead of bogus

2015-12-02 Thread Simon Kelley
On 25/11/15 07:40, Michał Kępień wrote: >> Caveat. I'm not sure what the answer is. I'm certainly not arguing for a >> fixed interpretation, not even the current behaviour of dnsmasq, and I'm >> trying to understand what the correct behaviour should be. As always, >> I'm terrified of breaking

Re: [Dnsmasq-discuss] dnsmasq-tftp : failed sending file

2015-11-23 Thread Simon Kelley
/grubx64.efi to > 192.168.0.97 Nov 22 19:52:15 tiger dnsmasq-tftp[3344]: sent > /srv/tftpboot/grubx64.efi to 192.168.0.97 > > > On Sun, Nov 22, 2015 at 5:47 PM, Simon Kelley > <si...@thekelleys.org.uk> wrote: > > > > On 22/11/15 07:14, Louis Garcia wrote: >

Re: [Dnsmasq-discuss] [PATCH] Treat records signed using unknown algorithms as unsigned instead of bogus

2015-11-23 Thread Simon Kelley
On 23/11/15 13:21, Michał Kępień wrote: >> OK, I've done some more thinking about this. We have to be careful to >> distinguish between validating a DS RRset and using that DS RRset to >> prove that the DNSKEY RRset it refers to is valid. If we can't validate >> a DS RRset, either because its

Re: [Dnsmasq-discuss] dnsmasq-tftp : failed sending file

2015-11-22 Thread Simon Kelley
On 22/11/15 07:14, Louis Garcia wrote: > I am trying to debug a uefi pxe problem and found tftp failing to > send files. I created /var/lib/tftpboot/test.txt file and from > another computer I used the tftp command to get the file. > > $tftp

Re: [Dnsmasq-discuss] coredump in dnsmasq on InfiniBand network with OpenStack

2015-11-21 Thread Simon Kelley
This bug was fixed in the 2.67 release. The fix is here: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=53c4c5c85942d4733f4723531c4d325235448326 the patch should apply fine to the version you're using, if that suits you best. Cheers,

Re: [Dnsmasq-discuss] dnsmasq process in S, D state causing high load average

2015-11-20 Thread Simon Kelley
On 18/11/15 12:23, green krypton wrote: > I have around 500 dnsmasq processes which are configured to give ipv6, ipv4 > addresses; out of these some fluctuate between D and S state while others are > in continuous S state. Probably because of too many processes in D state > with "rtnetlink_rcv" in wchan

Re: [Dnsmasq-discuss] [PATCH] Treat records signed using unknown algorithms as unsigned instead of bogus

2015-11-20 Thread Simon Kelley
On 17/11/15 11:01, Michał Kępień wrote: > --- > When dnsmasq is running with DNSSEC validation enabled, it returns > SERVFAIL when trying to resolve any record within a zone which uses a > signing algorithm it doesn't understand. This behavior doesn't play > nicely with RFC 4035, section 5.2: >

Re: [Dnsmasq-discuss] [PATCH] Treat records signed using unknown algorithms as unsigned instead of bogus

2015-11-19 Thread Simon Kelley
My first thought on reading this is that it's a big hole. All an attacker needs to do is supply a false DS with nonsense algorithm numbers to turn off validation. Then I thought again, and realised that's not actually true, as long as the DS records
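Two things from the DNSSEC threads on this page, as one added example that is not dnsmasq's code: what the `dig @… dnskey . | dnssec-dsfromkey -2 -f - .` pipeline from the --dnssec-check-unsigned thread computes (a DS record, i.e. key tag plus SHA-256 digest over the owner name and DNSKEY RDATA, RFC 4034), and the RFC 4035 section 5.2 rule the unknown-algorithm patch is about: an authenticated DS RRset whose algorithms the validator does not support yields an insecure (unsigned) zone, while a supported DS that matches no DNSKEY yields bogus. The caveat Simon lands on is built in: the rule is applied only to a DS RRset that has already been validated through the parent, so a DS an attacker injects with nonsense algorithm numbers never reaches this step. The key material is constructed, no RRSIGs are checked, and the supported-algorithm sets and names are this example's own.

```python
"""Added example, not dnsmasq code.  Two things from the threads above:
 1. what `dnssec-dsfromkey -2` computes (DS digest and key tag, RFC 4034);
 2. the RFC 4035 section 5.2 rule: an authenticated DS RRset whose algorithms
    the validator does not support gives an *insecure* (unsigned) zone, not a
    bogus one, while a supported-but-non-matching DS is bogus.
The key material is constructed, not a real zone's; no RRSIGs are checked."""
import base64
import hashlib

# Digest types understood here (RFC 4034 / 4509 / 6605).  GOST (3) is left out
# on purpose so it counts as "unsupported", as in the caint.su discussion.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
# DNSKEY algorithms understood here: RSA/SHA-256 and ECDSA P-256.  ECC-GOST (12) is not.
ALGORITHMS = {8, 13}


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase labels,
    length-prefixed, terminated by the zero-length root label."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def parse_dnskey(presentation):
    """'flags proto alg base64...' as printed by dig -> DNSKEY RDATA bytes."""
    flags, proto, alg, *b64 = presentation.split()
    flags = int(flags)
    return bytes([flags >> 8, flags & 0xFF, int(proto), int(alg)]) + base64.b64decode("".join(b64))


def keytag(rdata):
    """Key tag over the RDATA (RFC 4034 appendix B; algorithm 1 keys differ)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest = H(owner name wire form | DNSKEY RDATA), uppercase hex."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner, presentation, digest_type=2):
    """(key tag, algorithm, digest type, digest): what dnssec-dsfromkey prints."""
    rdata = parse_dnskey(presentation)
    return keytag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type)


def classify(owner, ds_rrset, dnskey_rrset):
    """RFC 4035 s5.2 applied to an already-authenticated DS RRset.
    'secure'   : a supported DS matches one of the child's DNSKEYs
    'insecure' : no DS uses a supported algorithm and digest: treat as unsigned
    'bogus'    : supported DS records exist but none matches a DNSKEY"""
    usable = [ds for ds in ds_rrset if ds[1] in ALGORITHMS and ds[2] in DIGESTS]
    if not usable:
        return "insecure"
    for tag, alg, dtype, digest in usable:
        for presentation in dnskey_rrset:
            rdata = parse_dnskey(presentation)
            if (keytag(rdata), rdata[3]) == (tag, alg) and ds_digest(owner, rdata, dtype) == digest:
                return "secure"
    return "bogus"


# Constructed key material: bytes 0..39 stand in for a public key.
FAKE_KEY = base64.b64encode(bytes(range(40))).decode()
ZONE = "example.test."
DNSKEYS = ["257 3 8 " + FAKE_KEY]                   # one KSK, algorithm 8
GOOD_DS = ds_record(ZONE, DNSKEYS[0], 2)            # SHA-256 digest, as with -2
GOST_DS = (GOOD_DS[0], 12, 3, "00" * 32)            # ECC-GOST key, GOST digest
WRONG_DS = (GOOD_DS[0], 8, 2, "FF" * 32)            # supported, digest does not match

if __name__ == "__main__":
    print("%s IN DS %d %d %d %s" % ((ZONE,) + GOOD_DS))
    print(classify(ZONE, [GOOD_DS], DNSKEYS))             # secure
    print(classify(ZONE, [GOST_DS], DNSKEYS))             # insecure
    print(classify(ZONE, [GOST_DS, WRONG_DS], DNSKEYS))   # bogus
```

Running ds_record on a real DNSKEY line from dig reproduces the DS that dnssec-dsfromkey -2 prints, which is the check to run when a configured trust anchor is in doubt; the mixed case at the end (one GOST DS plus one mismatching RSA DS) is the caint.su-style zone from the thread, and it comes out bogus rather than insecure precisely because a supported DS exists and fails to match.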

Re: [Dnsmasq-discuss] How small is a 'small network'?

2015-11-17 Thread Simon Kelley
On 16/11/15 22:05, Norman Gray wrote: > > Greetings. > > The dnsmasq documentation stresses that it's a good solution for > 'small networks', but how small is small? The overview seems to > give as examples home networks, or mentions dnsmasq

Re: [Dnsmasq-discuss] How small is a 'small network'?

2015-11-17 Thread Simon Kelley
It's more complex than number of sockets available to a process. The number of clients is not limited by the number of sockets. Talking to clients, one (or a few) sockets handles many clients. Talking upstream, you need to create a new socket for

Re: [Dnsmasq-discuss] Wildcard DNS on amazon EC2 instance

2015-11-16 Thread Simon Kelley
On 12/11/15 12:09, Lorenz Vanthillo wrote: > I have OpenShift v3 installed on an Amazon EC2 instance. It's not a > problem when you don't know OpenShift to answer this question. > OpenShift contains a

Re: [Dnsmasq-discuss] local host as cname target

2015-11-16 Thread Simon Kelley
If the local host's IP address is in /etc/hosts (which is normal), then you can create a CNAME to it. Otherwise, maybe use --interface-name to create a name for the local host, and make CNAMEs to that? Cheers, Simon. On 15/11/15 18:57,

Re: [Dnsmasq-discuss] NULL dereference in cache_insert

2015-11-14 Thread Simon Kelley
Thanks for that. The problem occurs when there's an A (or AAAA) record defined locally in a hosts file, and then some reply from upstream includes an empty record for the same name. The code is supposed to check for a clash between local and

Re: [Dnsmasq-discuss] reply is (false) BOGUS DS, validation result is BOGUS

2015-11-14 Thread Simon Kelley
2.72 is a long time ago on the rocky road to correct DNSSEC. There have been many fixes since then. I just tried the current development code on the server 217.31.204.13, checking 2ip.ru and it seems we get it right now. dnsmasq: started, version

Re: [Dnsmasq-discuss] dhcpv6 problem with static allocations and "no addresses available"

2015-10-22 Thread Simon Kelley
On 22/10/15 21:05, Carlos Carvalho wrote: > What if, with an id* declaration, dnsmasq accepts any DUID the > first time but refuses other requests with different DUIDs? This > hypothesis explains the events above and all others I've seen. >

Re: [Dnsmasq-discuss] Possible Bug: DHCPV6 Does Not Make Lease Entry for DHCP CONFIRM

2015-10-22 Thread Simon Kelley
I'm not clear how the current behaviour should change. For DHCPv4, if a DHCP client renews a lease which isn't in the database, then it gets added - this is explicitly to improve behaviour when the lease database is lost. Maybe the same should be

Re: [Dnsmasq-discuss] RFC6303 support - especially IPv6

2015-10-21 Thread Simon Kelley
> > Good! How about adding the equivalent for names, according to > RFC6761? I'll add it as a sub-task of the "make wildcard lookups fast" rewrite. Cheers, Simon.

Re: [Dnsmasq-discuss] dhcpv6 problem with static allocations and "no addresses available"

2015-10-21 Thread Simon Kelley
On 20/10/15 22:33, Carlos Carvalho wrote: > I'm stumbling on an important problem that looks like a bug in > dnsmasq. Clients declared statically in a zone are being denied > their address with the message "no addresses available": > > Oct 20

Re: [Dnsmasq-discuss] Specifying an 'NS' record possible?

2015-10-21 Thread Simon Kelley
Dnsmasq can act as an authoritative server, and when doing so it supplies suitable NS records. See the section AUTHORITATIVE CONFIGURATION in the manpage for details. Cheers, Simon. On 21/10/15 01:25, ku.gro.syellek...@danols.com wrote: > Is

Re: [Dnsmasq-discuss] Dnsmasq does not cache a authoritative response from upstream ?

2015-10-20 Thread Simon Kelley
On 17/10/15 01:59, Carlos Carvalho wrote: > A non-recursive upstream is of little use. I suggest putting a > warning in the logs and leaving it as is. There is already a warning if any upstream server is not recursive. Simon. > >

Re: [Dnsmasq-discuss] Enable bogus-priv by default

2015-10-20 Thread Simon Kelley
To add to the list of canonical uses for dnsmasq: DHCP and DNS services to VMs and containers in things like OpenStack. These typically use RFC1918 addresses (there's no point in being able to spin a new VM in seconds if you have to go buy it a real IPv4 address on the black market first.) so

Re: [Dnsmasq-discuss] RFC6303 support - especially IPv6

2015-10-20 Thread Simon Kelley
On 19/10/15 14:01, Kevin Darbyshire-Bryant wrote: > Hi Simon, > > I wonder if I could encourage you to look at extending the 'bogus-priv' > option to include some IPv6 zones? In essence dnsmasq is currently > forwarding ipv6 link-local reverse queries when in reality root servers > aren't going

Re: [Dnsmasq-discuss] ProxyDHCP with UEFI systems

2015-10-20 Thread Simon Kelley
local, > now), OPTION_VENDOR_CLASS_OPT, DHOPT_VENDOR_MATCH, mess, end, 0); > + if (num_services != 1) > + do_encap_opts(pxe_opts(pxearch, tagif_netid, tmp->local, > now), OPTION_VENDOR_CLASS_OPT, DHOPT_VENDOR_MATCH, mess, end, 0); >
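Review bot: the new `if (num_services != 1)` guard around the do_encap_opts() call carries no comment saying why exactly one PXE service is the case that must skip the encapsulated vendor-class options, and `!= 1` also lets num_services == 0 through to do_encap_opts(). State the intent in a comment on the guard and, if the zero-service case should skip as well, write the condition as `num_services > 1` so the next reader does not take it for an off-by-one.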

Re: [Dnsmasq-discuss] Safe to use static DHCP allocations within dynamic range?

2015-10-20 Thread Simon Kelley
On 15/10/15 12:39, Ed W wrote: > Hi, I'm not quite clear from the manual pages, so can I please get a > definitive answer: > > - Am I safe to use to assign a static IP allocation using --dhcp-host > options, *within* an IP range allocated using --dhcp-range ? > > Specifically, whilst I realise

Re: [Dnsmasq-discuss] Possible Bug: DHCPV6 Does Not Make Lease Entry for DHCP CONFIRM

2015-10-20 Thread Simon Kelley
Dnsmasq doesn't insert a DHCP lease into the database when it gets a SOLICIT, that happens when it gets a REQUEST. I think there are two things here. The first is that openWRT doesn't keep the lease database in non-volatile storage. Dnsmasq really

Re: [Dnsmasq-discuss] Dnsmasq does not cache a authoritative response from upstream ?

2015-10-16 Thread Simon Kelley
Tracing this through the code, it turns out that what's inhibiting caching is not that the upstream server is authoritative. Rather, the problem is that it's NOT recursive. There's even a relevant comment in the code that explains why. /* Don't

Re: [Dnsmasq-discuss] Listing the current DNS servers and domain prefixes?

2015-10-14 Thread Simon Kelley
Whenever the set of upstream servers changes (because /etc/resolv.conf got re-read, or a DBus method got invoked, or whatever), dnsmasq logs the complete list of all the upstream servers, and the DNS suffixes they handle. Cheers, Simon. On

Re: [Dnsmasq-discuss] Dnsmasq does not cache a authoritative response from upstream ?

2015-10-14 Thread Simon Kelley
So, you're saying that an AA bit in an answer stops dnsmasq from caching that answer? It's non-trivial for me to test that just now, but I'm not aware of any reason why dnsmasq should behave in that way, and a quick grep of the code shows no obvious
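The caching and forwarding decisions spread over this thread, the "No caching unless recursion enabled?" thread and the REFUSED-regression patch, as one added example that is not dnsmasq's code: everything it needs is in the 12-byte DNS header (RFC 1035 section 4.1.1) of the upstream reply. What the threads establish: a truncated reply (TC set) or a reply from a non-recursive server (RA clear) is answered but not cached, the AA bit plays no part, and REFUSED is an unsuccessful reply that should send the forwarder to the next server. The handling of queries that arrive where a reply is expected, the SERVFAIL branch and all names are this example's own choices; the packets are constructed, not captured.

```python
"""Added example, not dnsmasq code: the forwarding and caching decisions from
the threads above, taken from the 12-byte DNS header (RFC 1035 s4.1.1) of an
upstream reply.  Per those threads: a truncated reply (TC) or a reply from a
non-recursive server (RA clear) is answered but not cached; the AA bit is
irrelevant; REFUSED is an unsuccessful reply that should make a forwarder try
another server.  The 'ignore' and SERVFAIL handling and all names are this
example's own choices.  Packets below are constructed, not captured."""
import struct

NOERROR, SERVFAIL, NXDOMAIN, REFUSED = 0, 2, 3, 5
# Flag word, high bit first: QR | Opcode(4) | AA | TC | RD | RA | Z(3) | RCODE(4)
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080


def parse_header(packet):
    """Unpack the fixed header into named fields."""
    if len(packet) < 12:
        raise ValueError("shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": ident, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "tc": bool(flags & TC), "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def classify_reply(packet):
    """'ignore'   : not a reply at all (QR clear)
       'retry'    : REFUSED: treat as no answer and ask the next server
       'no-cache' : pass to the client but do not cache (TC set, RA clear,
                    or an rcode other than NOERROR/NXDOMAIN, e.g. SERVFAIL)
       'cache'    : complete answer from a recursive server"""
    h = parse_header(packet)
    if not h["qr"]:
        return "ignore"
    if h["rcode"] == REFUSED:
        return "retry"
    if h["tc"] or not h["ra"] or h["rcode"] not in (NOERROR, NXDOMAIN):
        return "no-cache"
    return "cache"          # AA is not consulted: authoritative answers cache fine


def make_header(flags, ident=0x1234, qdcount=1, ancount=0):
    """Constructed 12-byte header with the given flag word and no question."""
    return struct.pack("!HHHHHH", ident, flags, qdcount, ancount, 0, 0)


RECURSIVE_OK = make_header(QR | RD | RA | NOERROR, ancount=1)
AUTH_NON_RECURSIVE = make_header(QR | AA | RD | NOERROR, ancount=1)      # RA clear
AUTH_RECURSIVE = make_header(QR | AA | RD | RA | NOERROR, ancount=1)     # AA and RA
TRUNCATED = make_header(QR | RD | RA | TC | NOERROR, ancount=1)
REFUSED_REPLY = make_header(QR | RD | REFUSED)
SERVFAIL_REPLY = make_header(QR | RD | RA | SERVFAIL)
NXDOMAIN_REPLY = make_header(QR | RD | RA | NXDOMAIN)

if __name__ == "__main__":
    samples = [("recursive ok", RECURSIVE_OK), ("auth, non-recursive", AUTH_NON_RECURSIVE),
               ("auth, recursive", AUTH_RECURSIVE), ("truncated", TRUNCATED),
               ("refused", REFUSED_REPLY), ("servfail", SERVFAIL_REPLY),
               ("nxdomain", NXDOMAIN_REPLY)]
    for name, pkt in samples:
        print("%-20s %s" % (name, classify_reply(pkt)))
```

The two authoritative samples differ only in RA, and only the one with RA clear ends up uncached: that is the distinction Simon traces through the code, an answer from a BIND with recursion disabled is refused a cache slot because it is non-recursive, not because it is authoritative.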

Re: [Dnsmasq-discuss] Problem with VM and dnsmasq

2015-10-13 Thread Simon Kelley
mario explained that the problem was an iptables rule. iptables -A OUTPUT -d 255.255.255.255 -j DROP I'm not surprised that such a rule breaks things: it's mentioned twice in the dnsmasq FAQ :-) I am surprised that it results in an error return

Re: [Dnsmasq-discuss] preemptive upstream dns refresh

2015-10-07 Thread Simon Kelley
Nothing was done, but it would be an interesting thing to try. I've added it to my list of stuff to do over the winter. Cheers, Simon. On 07/10/15 17:01, Patrick Hemmer wrote: > I'm looking to use dnsmasq in a solution with unreliable and slow

Re: [Dnsmasq-discuss] Problem with VM and dnsmasq

2015-10-07 Thread Simon Kelley
On 07/10/15 14:41, mario wrote: > Hello, my first post. > > I use as a gateway a Debian Jessie pc with dnsmasq providing both > DHCP and DNS. > I wonder if this is the same bug as https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798981 If

Re: [Dnsmasq-discuss] Can dnsmasq use tcp to query the upstream dns servers?

2015-10-06 Thread Simon Kelley
On 06/10/15 02:11, Hongyi Zhao wrote: > Hi Simon, > > I want to do the following thing with dnsmasq: > > 1- Query some upstream dns servers with udp for some domains. > 2- Query some upstream dns servers with tcp for some domains. > > Can this be done? > > Regards > No. The protocol used to

Re: [Dnsmasq-discuss] Two issues on using the server option.

2015-10-05 Thread Simon Kelley
On 01/10/15 16:40, Hongyi Zhao wrote: > Hi Simon, > > Please see the following two commands to run dnsmasq: > > $ sudo dnsmasq -d -q -R -h --server=/google.com/8.8.8.8#53 > --server=/google.com/8.8.4.4#53 -p 5356 --no-poll --all-servers > dnsmasq: started, version 2.76test1-11-g4790115

Re: [Dnsmasq-discuss] ProxyDHCP with UEFI systems

2015-10-05 Thread Simon Kelley
The problem is known, but not the solution. I did start working on that about six months ago, but got bogged down in creating a test system. What would be really useful would be to find an implementation that works with UEFI and proxy DHCP, and getting packet captures to show what should be

Re: [Dnsmasq-discuss] DNSMasq forwarding timeout

2015-10-05 Thread Simon Kelley
It looks like there's a routing problem that's stopping the query getting to 8.8.8.8, or stopping the answer getting back. Does dig @8.8.8.8 google.com work? Until you can make that work, dnsmasq is not going to work either. Simon. On 04/10/15 06:17, Tj Glawitsch wrote: > I have dnsmasq

Re: [Dnsmasq-discuss] [PATCH] Allow PXE style proxy mode for arbitrary Vendor Classes

2015-10-05 Thread Simon Kelley
On 04/10/15 23:03, Stefan Bruens wrote: > On Friday 28 August 2015 14:54:36 you wrote: >> Currently dnsmasq provides PXE style DHCP Proxy server support only >> for clients with a Vendor Class Identifier matching "^PXEClient.*". >> PXE is only defined for a few architectures, but the Proxy

Re: [Dnsmasq-discuss] Many immortals slow down dnsmasq. Bug or expected ?

2015-10-05 Thread Simon Kelley
On 05/10/15 15:35, wkitt...@gmail.com wrote: > On 10/03/2015 06:37 PM, Simon Kelley wrote: >> -BEGIN PGP SIGNED MESSAGE- >> Hash: SHA256 >> >> address=/abcd/0.0.0.0/ does NOT use the cache code. There's an implied >> wildcard in the domain name

Re: [Dnsmasq-discuss] Many immortals slow down dnsmasq. Bug or expected ?

2015-10-03 Thread Simon Kelley
address=/abcd/0.0.0.0/ does NOT use the cache code. There's an implied wildcard in the domain name, it matches *.abcd. The matching for this is a relatively slow, linear, search. It is certainly not suitable for 25 names! If you don't need the

Re: [Dnsmasq-discuss] How to let dnsmasq use multiple upstream dns servers with non-standard ports.

2015-09-30 Thread Simon Kelley
On 30/09/15 02:02, Hongyi Zhao wrote: > 2015-09-30 5:04 GMT+08:00 Simon Kelley <si...@thekelleys.org.uk>: >> On 27/09/15 04:44, Hongyi Zhao wrote: >>> 2015-09-27 4:53 GMT+08:00 Simon Kelley >>> <si...@thekel

Re: [Dnsmasq-discuss] How to let dnsmasq use multiple upstream dns servers with non-standard ports.

2015-09-29 Thread Simon Kelley
On 27/09/15 04:44, Hongyi Zhao wrote: > 2015-09-27 4:53 GMT+08:00 Simon Kelley <si...@thekelleys.org.uk>: >> You can't put non-standard ports in a resolv-file, the format of those >> files does not include ports. >> >> It is possible to put a non-standard po

Re: [Dnsmasq-discuss] How to let dnsmasq use multiple upstream dns servers with non-standard ports.

2015-09-26 Thread Simon Kelley
You can't put non-standard ports in a resolv-file, the format of those files does not include ports. It is possible to put a non-standard port in dnsmasq configuration files using server=server1#port1 So simply make your file look like server=server1#port1 server=server2#port2

Re: [Dnsmasq-discuss] strict-order still considered broken?

2015-09-26 Thread Simon Kelley
ource ports and thus not get serviced by my dnsmasq. > > Is the identification of a retry standardized? > I could not find any information on this. > Otherwise I should probably not use strict-order if I'm not in control > of the clients. > > /Thomas > > > On 2015-09-22 16:24, Simon

Re: [Dnsmasq-discuss] TTL for "temporary" NXDOMAIN

2015-09-26 Thread Simon Kelley
The short answer is that there's no way to make dnsmasq do that. It's a pretty crazy way for a DNS server to behave. The question is, why DNS lookups to your application are failing when it restarts? DNS queries have timeouts and retries, so it should just wait for it to come back. I guess we need

Re: [Dnsmasq-discuss] no leases left

2015-09-26 Thread Simon Kelley
Dnsmasq has a global limit on the number of leases in use at any time, and it's that limit you're hitting, not running out of addresses. The default is 1000 leases; you can increase it by putting dhcp-lease-max=2000, or whatever, in the config file. Cheers, Simon. On 26/09/15 17:50, Ben

Re: [Dnsmasq-discuss] Relay-Only Mode?

2015-09-22 Thread Simon Kelley
On 22/09/15 21:37, Joel Krauska wrote: > Is there a technique/filter I can apply so that dnsmasq will ONLY respond > to direct relay requests? (as opposed to local LAN broadcast requests?) > > I'd like to test using dnsmasq in my environment, but don't want it to > conflict with another DHCP

Re: [Dnsmasq-discuss] strict-order still considered broken?

2015-09-22 Thread Simon Kelley
The strict-order option does what it's documented to do, as far as I know. If what you're actually asking is "does the strict-order option still not allow me to give priority to a nameserver which has a different idea of the DNS to the secondary nameserver(s)" then the answer to that is that it
