Re: [Dnsmasq-discuss] Dsmasq tags, options, matches understanding (Re: Dnsmasq dhcp lease file)

2015-09-22 Thread Simon Kelley
krishnan M < > sivabalakrishna...@gmail.com> wrote: > >> Thanks much Simon. Yes, this helps. Got it. >> >> Thanks, Siva >> >> On Fri, Aug 21, 2015 at 12:50 PM, Simon Kelley >> <si...@thekelleys.org.uk> wrote: >> > The exp

Re: [Dnsmasq-discuss] dhcp-option 0.0.0.0 address interpretation possible bug?

2015-09-10 Thread Simon Kelley
On 10/09/15 10:39, Kevin Darbyshire-Bryant wrote: > Hi All, > > dnsmasq 2.75 > > Putting 'dhcp-option=ntp-server,0.0.0.0' in dnsmasq.conf is throwing an > error "bad dhcp-option at line 73 of /etc/dnsmasq.conf" Replacing it > with 'dhcp-option=42,0.0.0.0' allows dnsmasq to start and behave >

Re: [Dnsmasq-discuss] Assign a domain by tag?

2015-09-10 Thread Simon Kelley
On 10/09/15 14:36, Jonathan Fisher wrote: > Is there a way to assign a domain to a tag? The option: > > -s, --domain=[,[,local]] > > Gives you the ability to assign it to an IP range, but not a tag. If no, > could that be added as an enhancement? No it can't, and it's difficult to do. The

Re: [Dnsmasq-discuss] Only DNS server over DHCPv6

2015-09-10 Thread Simon Kelley
This is complicated by the fact that router advertisements can provide DNS-server addresses as well. I think, that you want the Fritzbox to continue to do RA, and the Pi to do stateless-DHCPv6. The configuration you give will make dnsmasq do RA as well, which is likely to confuse things. Try

Re: [Dnsmasq-discuss] RFC 5908 - DHCPv6 NTP option 56

2015-09-10 Thread Simon Kelley
On 10/09/15 13:55, Kevin Darbyshire-Bryant wrote: > Hi All, > > I've been looking at providing NTP server addresses to my DHCPv6 clients > using dnsmasq. 2 RFCs seem applicable, Simple NTP provision RFC4075 > defines option 31 and known to dnsmasq as 'sntp-server'. RFC5908 > defines a more

Re: [Dnsmasq-discuss] DNS-over-TLS

2015-09-09 Thread Simon Kelley
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 08/09/15 23:58, Matt Taggart wrote: > Hi Simon, > > Thanks for the comments. Here is a little more info I found. > > Simon Kelley writes: >> It's actually not that easy to do. DNS-over-TLS happens, by >> necessity,

Re: [Dnsmasq-discuss] DNSSEC failure with v2.73rc10

2015-09-08 Thread Simon Kelley
On 01/09/15 09:15, Toke Høiland-Jørgensen wrote: > Toke Høiland-Jørgensen writes: > >>> The two CNAME domains are signed, but the eurovps.com isnt. >>> >>> Hence the result of the A query is not validatable, and check-unsigned >>> has to prove that's OK, by showing that there's a

Re: [Dnsmasq-discuss] Regarding RFC- 3203

2015-09-05 Thread Simon Kelley
There is no support for the DHCP reconfigure extension in dnsmasq. Cheers, Simon. On 03/09/15 05:43, @shuToSH Ch@tURveDI wrote: > Hi, > > > regarding this RFC-3203, dnsmasq include this support or not, > as i know dhcp support this RFC. > > > let me know if anyone can help in this, > >

Re: [Dnsmasq-discuss] DLV and DnsMasq

2015-09-05 Thread Simon Kelley
There's no support for DLV in dnsmasq. The DNSSEC support was added after the DNSSEC root had been signed, so DLV was arguably already obsolete at that point. I note that ISC is phasing out the DLV registry now. Cheers, Simon. On 05/09/15 16:14, Jason - wrote: > Hello! I have Ubuntu 15.04.

Re: [Dnsmasq-discuss] dhcp-host match based on set of tags

2015-09-05 Thread Simon Kelley
On 02/09/15 20:32, Kincl, Jason C. wrote: > Hi Peter, > > We discussed a solution and Simon said it was good but it has not yet been > implemented. > > https://www.mail-archive.com/dnsmasq-discuss%40lists.thekelleys.org.uk/msg09297.html > > Simon, with 2.75 out the door already, is this

Re: [Dnsmasq-discuss] what's the usefulness of cache-size=0?

2015-08-26 Thread Simon Kelley
On 26/08/15 19:21, Carlos Carvalho wrote: Is it useful to set cache-size=0 instead of using upstream nameservers directly in /etc/resolv.conf? I'm surprised to see that NetworkManager has it hardcoded. If the upstream servers can change, then yes, since long-running processes may not

Re: [Dnsmasq-discuss] can't take away IPv4 address

2015-08-26 Thread Simon Kelley
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 26/08/15 07:57, Harald Dunkel wrote: Hi Simon, On 08/25/15 23:18, Simon Kelley wrote: Dnsmasq does the check which the standards require, which is to send an ICMP ping (echo request) to the address it's about to allocate. The fact

Re: [Dnsmasq-discuss] can't take away IPv4 address

2015-08-26 Thread Simon Kelley
On 26/08/15 08:37, Uwe Schindler wrote: Hi Harald, Dnsmasq does the check which the standards require, which is to send an ICMP ping (echo request) to the address it's about to allocate. The fact that the client doesn't respond would seem to indicate that the clients are NOT using IP

Re: [Dnsmasq-discuss] ipv6 dns-server being sent when it shouldn't

2015-08-25 Thread Simon Kelley
Hi Carlos, I just pushed a possible fix for this. Please could you check it. The RA problem is a documentation fix. The behaviour changed. I'll look at fixing that too. Cheers, Simon. On 18/08/15 21:03, Carlos Carvalho wrote: It seems the IPv6 of the dns server is always sent, even when

Re: [Dnsmasq-discuss] can't take away IPv4 address

2015-08-25 Thread Simon Kelley
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 25/08/15 07:33, Harald Dunkel wrote: Hi folks, AFAICS there is no way for dnsmasq to make a client stop using an IPv4 address if the lease expires. Esp. some Apple and Android devices seem to play dirty. Sure, they accept the new IP

Re: [Dnsmasq-discuss] Keeping upstream answers order

2015-08-22 Thread Simon Kelley
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 As Carlos mentioned. The dnsmasq localise-queries flag might work for you, if the servers are on the same subnets as the clients. Apart from that, then the behaviour you're seeing is called round-robin DNS and it's considered to be the polite way

Re: [Dnsmasq-discuss] Ack with address from incorrect DHCP range when using tags

2015-08-16 Thread Simon Kelley
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 12/08/15 12:36, Andreas Misje wrote: Greetings, I have two IPv4 dhcp-range options in my configuration file, one of them matching a tag. DHCP discovers and requests from clients with the given tag are usually answered with an address from

Re: [Dnsmasq-discuss] [libvirt] [PATCHv3 1/2] network: added waiting for DAD to finish for bridge address.

2015-08-11 Thread Simon Kelley
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 10/08/15 22:29, Laine Stump wrote: On 08/10/2015 01:08 PM, Maxim Perevedentsev wrote: This is a fix for commit db488c79173b240459c7754f38c3c6af9b432970 dnsmasq main process exits without waiting for DAD, this is dnsmasq daemon's task. So

Re: [Dnsmasq-discuss] split-horizon

2015-08-09 Thread Simon Kelley
On 06/06/15 09:59, Ermanno Scaglione wrote: auth-server=owncloud.local.lan,wan host-record=owncloud.local.lan,x.x.x.x auth-zone=owncloud.local.lanm,x.x.x.x/32 address=/owncloud.local.lan/192.168.1.y also hosts inside the lan are answered x.x.x.x when querying for owncloud.local.lan, it is

Re: [Dnsmasq-discuss] split-horizon

2015-08-06 Thread Simon Kelley
, 2015 at 11:14 PM, Simon Kelley si...@thekelleys.org.uk wrote: On 07/06/15 22:44, Ermanno Scaglione wrote: Yes adding an host record with an internal address cause dnsmasq to reply alternately the internal and external record to internal queries, useless, also --localise-queries has no effect

Re: [Dnsmasq-discuss] [PATCH] --add-subnet custom values

2015-08-05 Thread Simon Kelley
Patch applied, with trivial formatting changes. Many thanks. Thanks for including documentation updates. Cheers, Simon. On 25/07/15 03:36, Ed Bardsley wrote: Hi folks - I wrote up some changes to --add-subnet to, in addition to the current behavior, let you specify things like

[Dnsmasq-discuss] Announce: dnsmasq-2.75

2015-07-30 Thread Simon Kelley
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 It turns out that release 2.74 has a small but critical bug, triggered by using --dhcp-script. 2.75 fixes this. Apologies for the inconvenience. Cheers, Simon. -BEGIN PGP SIGNATURE- Version: GnuPG v1

Re: [Dnsmasq-discuss] Can't resolve hosts containing a 192.168.122.0/24 address

2015-07-29 Thread Simon Kelley
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Remove stop-dns-rebind from your config. That should fix it. Cheers, Simon. On 29/07/15 16:23, Tim Schumacher wrote: Hi folks, I have created a domain „int.datenknoten.me“ which contains hosts from a lan. I created A records, added SSHFP

[Dnsmasq-discuss] Announce: dnsmasq-2.74

2015-07-28 Thread Simon Kelley
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 I've just released dnsmasq 2.74. This is a bugfix release which addresses a few irritating and inconvenient regressions in 2.73, and fixes a couple of DNSSEC corner-cases. CHANGELOG below. Cheers, Simon. version 2.74 Fix reversion

Re: [Dnsmasq-discuss] [PATCH] Update DNSSEC timestamp file on process TERM

2015-07-27 Thread Simon Kelley
Patch applied. Many thanks. Cheers, Simon. On 18/07/15 20:51, Kevin Darbyshire-Bryant wrote: Patch to update the DNSSEC timestamp file upon receipt of SIGTERM. Helps to ensure the last known good time is noted at system shutdown. Signed-off-by: Kevin Darbyshire-Bryant

Re: [Dnsmasq-discuss] Cannot resolve csail.mit.edu with --dnssec

2015-07-27 Thread Simon Kelley
I just committed a fix to this. Cheers, Simon. On 17/07/15 10:54, Anders Kaseorg wrote: csail.mit.edu is a signed zone inside the unsigned mit.edu zone. (It happens to be registered in dlv.isc.org, but that’s not relevant to dnsmasq.) Since an NSEC3 record in edu verifies that mit.edu is

Re: [Dnsmasq-discuss] RFC5011?

2015-07-27 Thread Simon Kelley
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 I've considered it, and in an ideal world would like to implement it. My experience is that _nothing_ to do with DNSSEC is not too difficult and, to be honest, any system deploying the releases of dnsmasq with DNSSEC to-date which can't be updated is

Re: [Dnsmasq-discuss] [PATCH] --add-subnet custom values

2015-07-27 Thread Simon Kelley
Thanks for this. I plan to return to it in a week or so, once the 2.74 bugfix release is done. Cheers, Simon. On 25/07/15 03:36, Ed Bardsley wrote: Hi folks - I wrote up some changes to --add-subnet to, in addition to the current behavior, let you specify things like

Re: [Dnsmasq-discuss] Cannot resolve csail.mit.edu with --dnssec

2015-07-17 Thread Simon Kelley
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Looking at the contents of the DNS, csail.mit.edu arrives with a signature against a non-existent key for csail.mit.edu. Dnsmasq seems to be barfing at that point, without checking to see if unsigned records are legit there. Another corner case. No

Re: [Dnsmasq-discuss] IPv6 RA issues when bound to IPv4

2015-07-16 Thread Simon Kelley
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Dnsmasq needs to advertise the global address, I think. Receiving RAs shouldn't be a problem, dnsmasq binds the correct multicast address. Cheers, Simon. On 16/07/15 16:27, Michal Zatloukal wrote: Hi all, I'm using dnsmasq (2.68-1ubuntu0.1)

[Dnsmasq-discuss] Announce: dnsmasq 2.74rc1

2015-07-14 Thread Simon Kelley
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Considering its lengthy gestation, 2.73 seems to have been successful, but there are a few nasty regressions which are causing people problems. 1) The meaning of --conf-file without an argument changed from don't read any conf-file to read the

Re: [Dnsmasq-discuss] Dnsmasq masks dnssec signatures for AAAA records when serving local A records for the same hostname

2015-07-13 Thread Simon Kelley
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 09/07/15 16:45, Felix Lechner wrote: Hello Simon, What version of dnsmasq are you using? Shibby's changelog states that an update to dnsmasq 2.72+ occurred in his Tomato version 1.25. Presumably that is also in the Tomato 1.28 on my

Re: [Dnsmasq-discuss] Dnsmasq masks dnssec signatures for AAAA records when serving local A records for the same hostname

2015-07-07 Thread Simon Kelley
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 What version of dnsmasq are you using? Are you saying that dnsmasq strips the signatures from the answers which arrive from upstream? Do you have DNSSEC validation enabled in dnsmasq? Cheers, Simon. On 30/06/15 04:07, Felix Lechner wrote:

Re: [Dnsmasq-discuss] how to avoid reading /etc/dnsmasq.conf

2015-07-07 Thread Simon Kelley
$ dnsmasq --version Dnsmasq version 2.73 Copyright (c) 2000-2015 Simon Kelley Compile time options: IPv6 GNU-getopt DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify Why does the conf-file take precedence over command-line args? Why does it try

Re: [Dnsmasq-discuss] dnsmasq segfault

2015-07-06 Thread Simon Kelley
-Toke On 6 July 2015 20:04:13 CEST, Simon Kelley si...@thekelleys.org.uk wrote: That works. The wrinkle is that you have to replace /etc/resolv.conf with a dangling symlink, rather than using --resolv-file to make dnsmasq look in some other place where you put a dangling symlink, because

Re: [Dnsmasq-discuss] openvpn + dnsmasq

2015-07-06 Thread Simon Kelley
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Guessing the German error messages, this might be fixable by replacing bind-interfaces in your dnsmasq configuration with bind-dynamic. Cheers, Simon. On 06/07/15 06:27, Johannes Martin wrote: Hi Anton, it might have helped if the error

Re: [Dnsmasq-discuss] dnsmasq segfault

2015-07-06 Thread Simon Kelley
. Cheers, Simon. On 06/07/15 14:24, Dave Reisner wrote: On Sun, Jul 05, 2015 at 10:44:24PM +0100, Simon Kelley wrote: This is clearly a dnsmasq bug: it shouldn't segfault, but the description relies on lots of other stuff which makes it difficult to work out what systemd is doing to provoke

Re: [Dnsmasq-discuss] view running config

2015-07-05 Thread Simon Kelley
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Whenever the config is updated via DBus, the complete set of upstream servers is logged, I think. Cheers, Simon. On 22/06/15 14:34, CircleCode wrote: Hi, with dbus interface enabled, the config dnsmasq runs with is something like dynamic.

Re: [Dnsmasq-discuss] DNSMASQ log output format

2015-07-05 Thread Simon Kelley
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 If you have the latest release, 2.73 then --log-queries=extra Will enhance the logging format in a way which makes it easier to link requests and replies. Cheers, Simon. On 28/06/15 12:54, ma...@manfbraun.de wrote: Hello ! I am just

Re: [Dnsmasq-discuss] Hang when system time is changed backwards

2015-07-05 Thread Simon Kelley
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Using monotonic time seems to be a bit of a portability nightmare, as an alternative, I've added code to count the number of zero returns from select(). The standard wait is three seconds, so once select() has returned zero 12 times, the loop ends

Re: [Dnsmasq-discuss] 2.73 crashes; 2.72 runs fine

2015-06-18 Thread Simon Kelley
output. Cheers, Simon. On 18/06/15 16:05, Carlos Carvalho wrote: Simon Kelley (si...@thekelleys.org.uk) wrote on Thu, Jun 18, 2015 at 06:28:08AM BRT: If you could do a quick check and see if 2.73rc9 behaves the same way, that would be useful. The change most likely to have provoked this happened

Re: [Dnsmasq-discuss] not giving name because the name exists..

2015-06-18 Thread Simon Kelley
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 As Albert says, the whole thing is explained by the printer getting an IP address other than the one you configured for it. Looking in the logs for what happened during that event is the key to this. Cheers, Simon. On 18/06/15 08:08, Albert

Re: [Dnsmasq-discuss] 2.73 crashes; 2.72 runs fine

2015-06-18 Thread Simon Kelley
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 If you could do a quick check and see if 2.73rc9 behaves the same way, that would be useful. The change most likely to have provoked this happened after rc9. Cheers, Simon. On 17/06/15 22:32, Carlos Carvalho wrote: I tried 2.73 today but it

[Dnsmasq-discuss] Announce: dnsmasq-2.73

2015-06-14 Thread Simon Kelley
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 After many delays and tribulations, I've just released dnsmasq-2.73 Get it here: http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.73.tar.gz Release notes are below. Cheers, Simon. -

Re: [Dnsmasq-discuss] Integration with iptables?

2015-06-12 Thread Simon Kelley
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 12/06/15 08:17, Joachim Zobel wrote: A way to maintain ipsets via dnsmasq would for example do what I need. It's there already. Are you using the latest release? Look for --ipset in the man page. Simon. -BEGIN PGP SIGNATURE-

Re: [Dnsmasq-discuss] DNSSEC failure with v2.73rc10

2015-06-12 Thread Simon Kelley
Thanks Toke, finding these failure cases and fixing them, one at a time, is very necessary, but somewhat gruelling. In this case, database.srku.dk. is a CNAME for database.studenterraad.dk. and that's a CNAME for web21.sd.eurovps.com. The two CNAME domains are signed, but the eurovps.com isn't.

Re: [Dnsmasq-discuss] local-service feature doesn't detect new/changed interfaces/networks

2015-06-12 Thread Simon Kelley
Current versions of dnsmasq have an alternative to --bind-interfaces, called --bind-dynamic, which should solve this problem, I think. --bind-dynamic Enable a network mode which is a hybrid between --bind-interfaces and the default. Dnsmasq binds the address of

Re: [Dnsmasq-discuss] dnssec-check-unsigned failure with v2.73rc9

2015-06-12 Thread Simon Kelley
On 12/06/15 12:16, Maciej Soltysiak wrote: I think I have discovered what the problem is and it's unlikely to be dnsmasq. What I do is that I have a setup which is basically a split horizon: - users who are not on the service get A record for using.dnscrypt from a DNSSEC signed zone -

Re: [Dnsmasq-discuss] Patches: Extend --bridge-interface aliasing to DHCPv6 and Router Advertisements

2015-06-10 Thread Simon Kelley
On 10/06/15 10:57, Neil Jerram wrote: Alternatively, here is the whole patch set again, regenerated so as to incorporate those deltas at the appropriate places. Many thanks for your time looking at these enhancements. Regards, Neil Many thanks. Patches applied, and 2.73rc10

Re: [Dnsmasq-discuss] split-horizon

2015-06-09 Thread Simon Kelley
On 07/06/15 22:44, Ermanno Scaglione wrote: Yes adding an host record with an internal address cause dnsmasq to reply alternately the internal and external record to internal queries, useless, also --localise-queries has no effect. Maybe the new flag should be called localise-auth-queries :-)

Re: [Dnsmasq-discuss] Patches: Extend --bridge-interface aliasing to DHCPv6 and Router Advertisements

2015-06-09 Thread Simon Kelley
17:45, Simon Kelley wrote: On 07/10/14 18:28, Neil Jerram wrote: On 03/10/14 16:54, Neil Jerram wrote: I'd like to propose the attached patches, which extend the aliasing concept of the --bridge-interface option to DHCPv6 and Router Advertisement processing. [...] A query: the semantics

Re: [Dnsmasq-discuss] [PATCH 2/2 v2] Add D-Bus methods to add or remove a lease from the internal database.

2015-06-09 Thread Simon Kelley
On 09/06/15 11:14, Nicolas Cavallari wrote: AddDhcpLease can be used to add or update a lease in the internal database, while DeleteDhcpLease deletes a lease. These methods will still trigger the notifications via D-Bus or the lease script. Update the dbus/DBus-interface document

Re: [Dnsmasq-discuss] dnssec-check-unsigned breaks linux.conf.au

2015-06-07 Thread Simon Kelley
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 07/06/15 09:06, Karl-Johan Karlsson wrote: On Sat 06 Jun 2015 23.16.42 Simon Kelley wrote: Turns out that this domain has a weird but valid use of NSEC3 which broke dnsmasq's corner-case code. 2.73rc9 should fix it. Thanks, it looks like

Re: [Dnsmasq-discuss] split-horizon

2015-06-06 Thread Simon Kelley
I can see exactly why it's behaving this way. The code attempts to answer directly queries from internal hosts for auth domains that would otherwise be forwarded, and then return to the authoritative side of dnsmasq. This is a performance hack. I don't think your ingenious use of address= was

Re: [Dnsmasq-discuss] dnssec-check-unsigned breaks linux.conf.au

2015-06-06 Thread Simon Kelley
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 06/06/15 09:58, Karl-Johan Karlsson wrote: Hello, When dnssec-check-unsigned is set, dnsmasq (2.72 and 2.73rc8) returns SERVFAIL for queries for linux.conf.au, claiming a BOGUS DS: Jun 06 10:15:24 [dnsmasq] query[ANY] linux.conf.au from

Re: [Dnsmasq-discuss] [PATCH 2/2] Add D-Bus methods to add or remove a lease from the internal database.

2015-06-06 Thread Simon Kelley
On 05/06/15 11:47, Nicolas Cavallari wrote: On 04/06/2015 23:12, Simon Kelley wrote: Long delay, I've returned to this. The many parameters seem a bit ugly (I'm no Dbus expert, so I may be wrong), especially having to includes is_temporary and IAID in DHCPv4 leases. One solution

Re: [Dnsmasq-discuss] dnssec-check-unsigned breaks linux.conf.au

2015-06-06 Thread Simon Kelley
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Turns out that this domain has a weird but valid use of NSEC3 which broke dnsmasq's corner-case code. 2.73rc9 should fix it. Cheers, Simon. On 06/06/15 09:58, Karl-Johan Karlsson wrote: Hello, When dnssec-check-unsigned is set, dnsmasq

Re: [Dnsmasq-discuss] [PATCH 2/2] Add D-Bus methods to add or remove a lease from the internal database.

2015-06-04 Thread Simon Kelley
? Cheers, Simon. On 29/04/15 12:17, Nicolas Cavallari wrote: On 28/04/2015 22:58, Simon Kelley wrote: On 27/04/15 12:53, Nicolas Cavallari wrote: AddDhcpLease can be used to add or update a lease in the internal database, while DeleteDhcpLease deletes a lease. I can see the utility

Re: [Dnsmasq-discuss] Unseen cache limit?

2015-06-03 Thread Simon Kelley
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 02/06/15 01:03, Lonnie Abelbeck wrote: Robert, Looking at the code there is an upper limit of 1 for --cache-size -- src/option.c -- case 'c': /* --cache-size */ { int size; if (!atoi_check(arg, size)) ret_err(gen_err); else { /*

Re: [Dnsmasq-discuss] issue with except-interface

2015-06-01 Thread Simon Kelley
On 18/05/15 19:58, e9hack wrote: Hi, it seems that '--except-interface' doesn't work properly. I need one interface which is never used by dnsmasq. I would like to run hostapd with driver wired on it. If I use '--except-interface=xxx', it doesn't work because hostapd complains about

Re: [Dnsmasq-discuss] [PATCH] fix bug of FORMERR

2015-06-01 Thread Simon Kelley
Patch applied, also cleared AA bit. Many thanks for this. Cheers, Simon. On 27/05/15 20:41, swigger wrote: Signed-off-by: swigger swig...@gmail.com First, sorry for my poor English, hope you can read it. My openwrt router at 192.168.1.1 runs dnsmasq. There are two DNS ips set

Re: [Dnsmasq-discuss] format of lease database

2015-06-01 Thread Simon Kelley
On 27/05/15 05:34, Kevin Benton wrote: Hi, Is there a pointer to the format of the lease database somewhere? I'm interested in what the last column is used for. It looks like the MAC of the client with an extra hex pair at the front. It's the DHCP client-id. Cheers, Simon. I just

Re: [Dnsmasq-discuss] Wrong server IP in dual normal/proxyDHCP mode

2015-05-21 Thread Simon Kelley
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 21/05/15 08:59, Alkis Georgopoulos wrote: On 20/05/2015 10:21 μμ, Simon Kelley wrote: Thanks for staying with this. I just checked in another patch. Is that any better? That did the trick! It worked in all the cases that I tried

Re: [Dnsmasq-discuss] Wrong server IP in dual normal/proxyDHCP mode

2015-05-20 Thread Simon Kelley
, Alkis On 20/05/2015 07:10 πμ, Alkis Georgopoulos wrote: On 20/05/2015 01:04 πμ, Simon Kelley wrote: I just pushed a patch into git http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=7f8565b94ca52dde31f7688a9f9a0cc611d9dae3 Please could you see if that helps? It should

Re: [Dnsmasq-discuss] cache stats query

2015-05-20 Thread Simon Kelley
What version of dnsmasq are you running? This facility was added fairly recently. Cheers, Simon. On 20/05/15 18:55, Thomas James wrote: The command 'dig +short chaos txt cachesize.bind' is not recognized by dnsmasq and is forwarded on to the upstream nameserver. The status returned is

Re: [Dnsmasq-discuss] Minor typo in english man page

2015-05-20 Thread Simon Kelley
Patch applied, thanks. Simon. On 20/05/15 15:14, Christian Demsar wrote: Found a small typo in the english version, master branch. == START DIFF == 1391c1391 (IPv4 only) By default, the DHCP server will attempt to ensure that an address in --- (IPv4 only) By default, the DHCP server

[Dnsmasq-discuss] Security warning for those at the bleeding edge.

2015-05-15 Thread Simon Kelley
Anyone running 2.67rc6 or 2.67rc7 should be aware that there's a remotely exploitable buffer overflow in those trees. I just tagged 2.67rc8, which includes the fix. Cheers, Simon. ___ Dnsmasq-discuss mailing list

Re: [Dnsmasq-discuss] New: IPAM - dnsmasq configurator

2015-05-15 Thread Simon Kelley
Thanks for that. GestióIP looks very interesting. The commercial IPAM systems are in general quite clunky in my experience. Cheers, Simon. On 15/05/15 11:43, Dave Parker wrote: I have published some logic that generates dnsmasq configuration from a gestioip mysql database. It generates

Re: [Dnsmasq-discuss] Bug list and DHCP test harness

2015-05-15 Thread Simon Kelley
On 15/05/15 17:22, Tom Isaacson wrote: We have a device (not made by us) that's using dnsmasq V2.46 and occasionally we've seen a few problems with it - DHCP renews being sent out every minute, different IP address being provided on renew. Is there a bug list for dnsmasq that shows what bugs

Re: [Dnsmasq-discuss] Wrong server IP in dual normal/proxyDHCP mode

2015-05-15 Thread Simon Kelley
, Vendor-Option Option 252 On 14/05/2015 11:32 μμ, Simon Kelley wrote: On 14/05/15 06:34, Alkis Georgopoulos wrote: Since proxyDHCP mode doesn't yet work for UEFI clients, I'm using the following as a workaround

Re: [Dnsmasq-discuss] Security warning for those at the bleeding edge.

2015-05-15 Thread Simon Kelley
On 15/05/15 21:12, Lonnie Abelbeck wrote: On May 15, 2015, at 2:37 PM, Simon Kelley si...@thekelleys.org.uk wrote: Anyone running 2.67rc6 or 2.67rc7 should be aware that there's a remotely exploitable buffer overflow in those trees. I just tagged 2.67rc8, which includes the fix. Cheers

Re: [Dnsmasq-discuss] DHCPv6 client DUID

2015-05-14 Thread Simon Kelley
On 14/05/15 19:43, Suresh Ramamurthy wrote: Hi I am trying to support IPv6 in our product. We are using dnsmasq and we wanted to use Stateful DHCPv6. In order to do it, I would create a mapping between DUID and IPv6 address in dhcphosts.txt on the server that runs dnsmasq. So that when

Re: [Dnsmasq-discuss] Wrong server IP in dual normal/proxyDHCP mode

2015-05-14 Thread Simon Kelley
On 14/05/15 06:34, Alkis Georgopoulos wrote: Since proxyDHCP mode doesn't yet work for UEFI clients, I'm using the following as a workaround: dhcp-range=tag:!efi,10.161.254.0,proxy dhcp-range=tag:efi,192.168.67.20,192.168.67.250,8h This is with a single NIC, dual IP server (10.161.254.11,

Re: [Dnsmasq-discuss] Provide a full text searchable mailing list archive

2015-05-13 Thread Simon Kelley
um 22:56 schrieb Simon Kelley: google with site:lists.thekelleys.org.uk as a search term works for me. The list is already on mail-archive: http://api.elasticemail.com/tracking/click?msgid=ma9n39-4jkm0qkt9rym3rtarget=https%3a%2f%2fwww.mail-archive.com%2fdnsmasq-discuss

Re: [Dnsmasq-discuss] [patch] added Requires=network.target to systemd unit

2015-05-13 Thread Simon Kelley
On 09/05/15 21:38, Karl-Philipp Richter wrote: Hi, It makes sense to make `dnsmasq` dependent on the network configuration in `systemd`. -Kalle Richter Patch applied. Cheers, Simon.

Re: [Dnsmasq-discuss] Provide a full text searchable mailing list archive

2015-05-11 Thread Simon Kelley
google with site:lists.thekelleys.org.uk as a search term works for me. The list is already on mail-archive: https://www.mail-archive.com/dnsmasq-discuss@lists.thekelleys.org.uk Cheers, Simon. On 09/05/15 21:58, Karl-Philipp Richter wrote: Hi, The current mailing list archive at

Re: [Dnsmasq-discuss] seeing www.ietf.org fail dnssec with dnsmasq rc7

2015-05-08 Thread Simon Kelley
On 08/05/15 16:52, Loganaden Velvindron wrote: On Fri, May 8, 2015 at 3:40 PM, Simon Kelley si...@thekelleys.org.uk wrote: On 07/05/15 16:51, Nicholas Weaver wrote: One important consideration: The Internet has decreed a long time ago that fragments don't work for IPv4, and REALLY don't work

Re: [Dnsmasq-discuss] seeing www.ietf.org fail dnssec with dnsmasq rc7

2015-05-08 Thread Simon Kelley
On 07/05/15 16:51, Nicholas Weaver wrote: One important consideration: The Internet has decreed a long time ago that fragments don't work for IPv4, and REALLY don't work for IPv6: the amount of systems that drop fragments for V6 is off the chart. For DNS, this means you get silent

Re: [Dnsmasq-discuss] seeing www.ietf.org fail dnssec with dnsmasq rc7

2015-05-08 Thread Simon Kelley
Forwarding something from a parallel conversation to the list. Simon. Forwarded Message Subject: Re: testing edns0 on bind Date: Thu, 7 May 2015 09:58:56 -0700 From: Evan Hunt e...@isc.org To: Simon Kelley si...@thekelleys.org.uk CC: Dave Taht dave.t...@gmail.com, Toke

Re: [Dnsmasq-discuss] Multiple networks, one dnsmasq

2015-05-08 Thread Simon Kelley
On 03/05/15 01:45, Yan Seiner wrote: I have a router with 4 subnets, each on its own interface. (Yes, I'm using vlans for 3 of them.) 192.168.3.0 eth2- dmz.lan 192.168.4.0 eth1.4- auth.lan 192.168.5.0 eth1.5- guest.lan 192.168.6.0 eth1.6- tenant.lan

Re: [Dnsmasq-discuss] Any way to set the lease-time for hosts derived from /etc/ethers?

2015-05-08 Thread Simon Kelley
On 04/05/15 12:42, Rick Thomas wrote: Is there any way to set the lease time for a client derived from the /etc/ethers file? I can set a lease time for a lease derived from a “dhcp-range” or “dhcp-host” config statement, but I can’t find any way to set it for the “implied” dhcp-host

Re: [Dnsmasq-discuss] dns sometimes not considering override

2015-05-08 Thread Simon Kelley
What is the content of your /etc/resolv.conf file? Cheers, Simon. On 04/05/15 16:10, Lorenzo Milesi wrote: hi. I'm experiencing a strange issue with dnsmasq 2.68 bundled in Ubuntu 12.04: sometimes my custom DNS records are skipped, and the upstream reply is returned. For example I

Re: [Dnsmasq-discuss] problem with not executed /etc/dhcp-script.d/10dhcpscript

2015-05-08 Thread Simon Kelley
Are you sure the low-memory thing is relevant? Do you see the same problem on a newly booted machine? The logs you include are odd. Doing DHCP on the loopback interface is unusual, and may be a cause. Cheers, Simon. On 30/04/15 11:16, Bastian Bittorf wrote: (only CC'ing to openwrt-dev)

Re: [Dnsmasq-discuss] DNS rebinding prevention misses IPv4-mapped IPv6 addrs containing RFC1918 addrs

2015-05-08 Thread Simon Kelley
Thanks for the heads-up. I just checked in code to the git repo to fix this. http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=b059c96dc69dfe3055c5b32b078a05c53b11ebb3 Cheers, Simon. On 30/04/15 02:59, Jordan Milne wrote: dnsmasq correctly filters A records containing RFC1918

Re: [Dnsmasq-discuss] seeing www.ietf.org fail dnssec with dnsmasq rc7

2015-05-07 Thread Simon Kelley
On 06/05/15 23:12, Toke Høiland-Jørgensen wrote: Simon Kelley si...@thekelleys.org.uk writes: The MTU of the SIXXs IPv6 network interface is 1428. Failure to receive UDP packets larger than the MTU is a bigger bug than DNS, but I don't know if it's a SIXXS problem or a wider IPv6 one

Re: [Dnsmasq-discuss] seeing www.ietf.org fail dnssec with dnsmasq rc7

2015-05-07 Thread Simon Kelley
us about the path to the server and its fragmentation behavior, the really interesting stuff goes the other way. Simon. On 07/05/15 10:41, Toke Høiland-Jørgensen wrote: Simon Kelley si...@thekelleys.org.uk writes: It's difficult to see how that would work in practise for DNS. Take

Re: [Dnsmasq-discuss] seeing www.ietf.org fail dnssec with dnsmasq rc7

2015-05-07 Thread Simon Kelley
On 07/05/15 10:41, Toke Høiland-Jørgensen wrote: Simon Kelley si...@thekelleys.org.uk writes: It's difficult to see how that would work in practise for DNS. Take the Google-public-DNS example. It's clearly not sane for Google's servers to do PMTU on the address of every client, just to send

Re: [Dnsmasq-discuss] seeing www.ietf.org fail dnssec with dnsmasq rc7

2015-05-06 Thread Simon Kelley
I can demonstrate that there's a problem here, independent of dnsmasq srk@holly:~$ dig @2001:4860:4860:: dnskey org +dnssec ; DiG 9.9.5-3ubuntu0.2-Ubuntu @2001:4860:4860:: dnskey org +dnssec ; (1 server found) ;; global options: +cmd ;; connection timed out; no servers could be

Re: [Dnsmasq-discuss] seeing www.ietf.org fail dnssec with dnsmasq rc7

2015-05-06 Thread Simon Kelley
This stuff does worry me. It's a big source of brittleness. One thing that's worth pointing out is that it's not necessarily the answer to the original query that's too big, it might be the answer to one of the DS or DNSKEY queries needed to validate it. If the answer to one of those comes back

Re: [Dnsmasq-discuss] seeing www.ietf.org fail dnssec with dnsmasq rc7

2015-05-06 Thread Simon Kelley
All the above is on IPv4. Dave are you using IPv6? I'll try that next. Right, using a SIXXS tunnel, I never see a reply to the query for DNSKEY org query. Presumably something in the IPv6 connection is failing to do fragmentation/reassembly. The dig times out without an answer. Dropping

Re: [Dnsmasq-discuss] bugs.gentoo.org and dnssec

2015-04-28 Thread Simon Kelley
rcvd: 91 On Wed, 2015-04-22 at 22:02 +0100, Simon Kelley wrote: On 21/04/15 21:51, Alon Bar-Lev wrote: On 21 April 2015 at 21:41, Simon Kelley si...@thekelleys.org.uk wrote: Thanks for the report. I just tested 2.72 and the current code in git, and both worked fine, using Google public

Re: [Dnsmasq-discuss] bugs.gentoo.org and dnssec

2015-04-28 Thread Simon Kelley
at 22:02 +0100, Simon Kelley wrote: On 21/04/15 21:51, Alon Bar-Lev wrote: On 21 April 2015 at 21:41, Simon Kelley si...@thekelleys.org.uk wrote: Thanks for the report. I just tested 2.72 and the current code in git, and both worked fine, using Google public DNS (8.8.8.8) as upstream. I

Re: [Dnsmasq-discuss] [PATCH 2/2] Add D-Bus methods to add or remove a lease from the internal database.

2015-04-28 Thread Simon Kelley
On 27/04/15 12:53, Nicolas Cavallari wrote: AddDhcpLease can be used to add or update a lease in the internal database, while DeleteDhcpLease deletes a lease. I can see the utility of DeleteDhcpLease (there's already a hacky little utility that

Re: [Dnsmasq-discuss] Host Records

2015-04-26 Thread Simon Kelley
On 26/04/15 00:02, David G. wrote: How does the host-record option work? I tried adding it to the conf and that didn't work. I keep getting Bad name in host-record. I tried the sample given in the man page, from the command line and that didn't

Re: [Dnsmasq-discuss] The get-version script doesn't recognize git submodule

2015-04-26 Thread Simon Kelley
Thanks for that. Patch applied as-is. Cheers, Simon. On 26/04/15 00:18, Johnny S. Lee wrote: bld/get-version would return UNKNOWN if the repository was a git submodule, because in this case TOP/.git would be a text file instead of a

Re: [Dnsmasq-discuss] NAT Congestion Enhancement for DNS Client Port Selection

2015-04-25 Thread Simon Kelley
have processed (max-concurrent reused or %10 of cache or random again?). This will keep its profile on the NAT down and it will maintain the moving target against attacks. Simon Kelley Wed Apr 22 21:58:02 BST 2015 I think that would probably defeat the object of having random ports

Re: [Dnsmasq-discuss] bugs.gentoo.org and dnssec

2015-04-22 Thread Simon Kelley
On 21/04/15 21:51, Alon Bar-Lev wrote: On 21 April 2015 at 21:41, Simon Kelley si...@thekelleys.org.uk wrote: Thanks for the report. I just tested 2.72 and the current code in git, and both worked fine, using Google public DNS (8.8.8.8

Re: [Dnsmasq-discuss] NAT Congestion Enhancement for DNS Client Port Selection

2015-04-22 Thread Simon Kelley
On 22/04/15 03:49, Eric Luehrsen wrote: A while ago, DNSMASQ changed to roaming client ports to prevent from being a sitting duck for [various response] attacks. Each new request forward is assigned a new client return port. This is a good.

Re: [Dnsmasq-discuss] bugs.gentoo.org and dnssec

2015-04-21 Thread Simon Kelley
Thanks for the report. I just tested 2.72 and the current code in git, and both worked fine, using Google public DNS (8.8.8.8) as upstream. What do you know about the upstream server you're forwarding to? Is there a possibility that it's fiddling

Re: [Dnsmasq-discuss] Don't reply to requests for DHCPv6 addresses when M flag is off

2015-04-20 Thread Simon Kelley
to work normally. p.s in my previous mail was a typo, RFC 2119, of course, not 2219. sorry Best Regards, Vladislav Grishenko -Original Message- From: Simon Kelley [mailto:si...@thekelleys.org.uk] Sent: Monday, April 20, 2015 1:21 AM To: Vladislav Grishenko; 'Win King Wan' Cc: dnsmasq
