Re: [Dnsmasq-discuss] Announce : dnsmasq-2.79

2018-03-18 Thread Geert Stappers
On Sun, Mar 18, 2018 at 04:58:53PM +, Simon Kelley wrote:
> I just tagged and pushed the final 2.79 release.

Cool!

> Release notes below.

Euh, I do miss
 Inotify: Ignore backup files created by editors
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/
 
> Enjoy.
> 
> 
> Simon.
> 
> version 2.79
> Fix parsing of CNAME arguments, which are confused by extra
> spaces. Thanks to Diego Aguirre for spotting the bug.
> 
> Where available, use IP_UNICAST_IF or IPV6_UNICAST_IF to bind
> upstream servers to an interface, rather than SO_BINDTODEVICE.
> Thanks to Beniamino Galvani for the patch.
> 
> Always return a SERVFAIL answer to DNS queries without the
> recursion desired bit set, UNLESS acting as an authoritative
> DNS server. This avoids a potential route to cache snooping.
> 
> Add support for Ed25519 signatures in DNSSEC validation.
> 
> No longer support RSA/MD5 signatures in DNSSEC validation,
> since these are not secure. This behaviour is mandated in
> RFC-6944.
> 
> Fix incorrect error exit code from dhcp_release6 utility.
> Thanks Gaudenz Steinlin for the bug report.
> 
> Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC
> time validation when --dnssec-no-timecheck is in use.
> Note that this is an incompatible change from earlier releases.
> 
> Allow more than one --bridge-interface option to refer to an
> interface, so that we can use
> --bridge-interface=int1,alias1
> --bridge-interface=int1,alias2
> as an alternative to
> --bridge-interface=int1,alias1,alias2
> Thanks to Neil Jerram for work on this.
> 
> Fix for DNSSEC with wildcard-derived NSEC records.
> It's OK for NSEC records to be expanded from wildcards,
> but in that case, the proof of non-existence is only valid
> starting at the wildcard name, *. NOT the name expanded
> from the wildcard. Without this check it's possible for an
> attacker to craft an NSEC which wrongly proves non-existence.
> Thanks to Ralph Dolmans for finding this, and co-ordinating
> the vulnerability tracking and fix release.
> CVE-2017-15107 applies.
> 
> Remove special handling of A-for-A DNS queries. These
> are no longer a significant problem in the global DNS.
> http://cs.northwestern.edu/~ychen/Papers/DNS_ToN15.pdf
> Thanks to Mattias Hellström for the initial patch.
> 
> Fix failure to delete dynamically created dhcp options
> from files in --dhcp-optsdir directories. Thanks to
> Lindgren Fredrik for the bug report.
> 
> 
> Add to --synth-domain the ability to create names using
> sequential numbers, as well as encodings of IP addresses.
> For instance,
>   --synth-domain=thekelleys.org.uk,192.168.0.50,192.168.0.70,internal-*
> creates 21 domain names of the form
> internal-4.thekelleys.org.uk over the address range given, with
> internal-0.thekelleys.org.uk being 192.168.0.50 and
> internal-20.thekelleys.org.uk being 192.168.0.70
> Thanks to Andy Hawkins for the suggestion.
> 
> Tidy up Crypto code, removing workarounds for ancient
> versions of libnettle. We now require libnettle 3.
> 
> 

Greetings
Geert Stappers
-- 
Live and let live

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


[Dnsmasq-discuss] Announce : dnsmasq-2.79

2018-03-18 Thread Simon Kelley
I just tagged and pushed the final 2.79 release. Release notes below.

Enjoy.


Simon.

version 2.79
Fix parsing of CNAME arguments, which are confused by extra
spaces. Thanks to Diego Aguirre for spotting the bug.

Where available, use IP_UNICAST_IF or IPV6_UNICAST_IF to bind
upstream servers to an interface, rather than SO_BINDTODEVICE.
Thanks to Beniamino Galvani for the patch.

Always return a SERVFAIL answer to DNS queries without the
recursion desired bit set, UNLESS acting as an authoritative
DNS server. This avoids a potential route to cache snooping.

Add support for Ed25519 signatures in DNSSEC validation.

No longer support RSA/MD5 signatures in DNSSEC validation,
since these are not secure. This behaviour is mandated in
RFC-6944.

Fix incorrect error exit code from dhcp_release6 utility.
Thanks Gaudenz Steinlin for the bug report.

Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC
time validation when --dnssec-no-timecheck is in use.
Note that this is an incompatible change from earlier releases.

Allow more than one --bridge-interface option to refer to an
interface, so that we can use
--bridge-interface=int1,alias1
--bridge-interface=int1,alias2
as an alternative to
--bridge-interface=int1,alias1,alias2
Thanks to Neil Jerram for work on this.

Fix for DNSSEC with wildcard-derived NSEC records.
It's OK for NSEC records to be expanded from wildcards,
but in that case, the proof of non-existence is only valid
starting at the wildcard name, *. NOT the name expanded
from the wildcard. Without this check it's possible for an
attacker to craft an NSEC which wrongly proves non-existence.
Thanks to Ralph Dolmans for finding this, and co-ordinating
the vulnerability tracking and fix release.
CVE-2017-15107 applies.

Remove special handling of A-for-A DNS queries. These
are no longer a significant problem in the global DNS.
http://cs.northwestern.edu/~ychen/Papers/DNS_ToN15.pdf
Thanks to Mattias Hellström for the initial patch.

Fix failure to delete dynamically created dhcp options
from files in --dhcp-optsdir directories. Thanks to
Lindgren Fredrik for the bug report.

Add to --synth-domain the ability to create names using
sequential numbers, as well as encodings of IP addresses.
For instance,
  --synth-domain=thekelleys.org.uk,192.168.0.50,192.168.0.70,internal-*
creates 21 domain names of the form
internal-4.thekelleys.org.uk over the address range given, with
internal-0.thekelleys.org.uk being 192.168.0.50 and
internal-20.thekelleys.org.uk being 192.168.0.70
Thanks to Andy Hawkins for the suggestion.

Tidy up Crypto code, removing workarounds for ancient
versions of libnettle. We now require libnettle 3.

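The wildcard-NSEC rule behind the CVE-2017-15107 fix in the notes above, as an added Python example (not dnsmasq's own code): names are dotted strings, and `rrsig_labels` stands for the Labels field of the RRSIG covering the NSEC, which omits the leading "*" of a wildcard owner name. `fixed=False` reproduces the pre-2.79 behaviour of trusting the expanded owner name as the start of the proven span.

```python
# Added example (not dnsmasq code): the NSEC wildcard rule from the 2.79 notes.
# rrsig_labels is the RRSIG Labels field (RFC 4034 s3.1.3); for a record
# signed at *.example.com it is 2, one less than the expanded owner's labels.

def canonical_labels(name):
    """RFC 4034 s6.1 canonical form: lowercase, most-significant label first."""
    return [l.lower().encode() for l in name.rstrip(".").split(".") if l][::-1]

def canonical_cmp(a, b):
    """Return -1, 0 or 1 for the RFC 4034 canonical ordering of names a and b."""
    la, lb = canonical_labels(a), canonical_labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1   # byte-wise; a prefix label sorts first
    return (len(la) > len(lb)) - (len(la) < len(lb))

def effective_nsec_owner(owner, rrsig_labels):
    """If the NSEC was synthesized from a wildcard, the proof starts at the
    wildcard name *.<closest encloser>, not at the expanded owner name."""
    labels = [l for l in owner.rstrip(".").split(".") if l]
    if rrsig_labels < len(labels):
        encloser = ".".join(labels[len(labels) - rrsig_labels:])
        return "*." + encloser + "." if encloser else "*."
    return owner

def nsec_covers(owner, next_name, qname):
    """True if qname falls strictly inside the span (owner, next_name)."""
    if canonical_cmp(owner, next_name) < 0:
        return canonical_cmp(owner, qname) < 0 and canonical_cmp(qname, next_name) < 0
    # owner >= next: the last NSEC of the zone, whose span wraps to the apex
    return canonical_cmp(owner, qname) < 0 or canonical_cmp(qname, next_name) < 0

def proves_nonexistence(nsec_owner, nsec_next, rrsig_labels, qname, fixed=True):
    """Validate a denial-of-existence proof. fixed=False keeps the expanded
    owner name as the span start, which is the bug the 2.79 notes describe."""
    owner = effective_nsec_owner(nsec_owner, rrsig_labels) if fixed else nsec_owner
    return nsec_covers(owner, nsec_next, qname)

if __name__ == "__main__":
    # Constructed case: "*.example.com. NSEC foo.example.com." returned with the
    # expanded owner zzz.example.com. (Labels=2, expanded name has 3 labels).
    # Unfixed, owner > next looks like a wrap-around span and "proves" that
    # zzzz.example.com does not exist; fixed, the span is (*, foo) and it does not.
    for fixed in (False, True):
        print("fixed" if fixed else "unfixed",
              proves_nonexistence("zzz.example.com.", "foo.example.com.",
                                  2, "zzzz.example.com.", fixed=fixed))
```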

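The sequential-name form of --synth-domain from the notes above, worked in both directions as an added Python example (not dnsmasq's own code). It assumes the value layout domain,start,end,pattern, with the "*" in the pattern replaced by the address's offset from the start of the range; the parsing of dnsmasq itself may differ in details the announcement does not state.

```python
import ipaddress

# Added example (not dnsmasq code): the sequential --synth-domain form from the
# 2.79 notes. Assumed layout: domain,start,end,pattern with "*" = offset from
# the range start. The spec below is the announcement's own instance.
SYNTH_DOMAIN = "thekelleys.org.uk,192.168.0.50,192.168.0.70,internal-*"

def parse_synth_domain(spec):
    domain, start, end, pattern = spec.split(",")
    start_ip, end_ip = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if end_ip.version != start_ip.version or end_ip < start_ip:
        raise ValueError("range end must be the same family and >= start")
    prefix, _, suffix = pattern.partition("*")
    return domain.lower(), start_ip, end_ip, prefix.lower(), suffix.lower()

def synth_count(spec):
    """Number of names the range generates (21 for the announcement's example)."""
    _, start_ip, end_ip, _, _ = parse_synth_domain(spec)
    return int(end_ip) - int(start_ip) + 1

def synth_name(spec, ip):
    """Reverse lookup: address -> synthesized name, or None outside the range."""
    domain, start_ip, end_ip, prefix, suffix = parse_synth_domain(spec)
    addr = ipaddress.ip_address(ip)
    if addr.version != start_ip.version or not start_ip <= addr <= end_ip:
        return None
    return f"{prefix}{int(addr) - int(start_ip)}{suffix}.{domain}"

def synth_address(spec, name):
    """Forward lookup: name -> address string, or None when the name is not in
    the set (wrong domain or pattern, leading zeros, or offset past the end)."""
    domain, start_ip, end_ip, prefix, suffix = parse_synth_domain(spec)
    label, _, rest = name.lower().rstrip(".").partition(".")
    if rest != domain or not (label.startswith(prefix) and label.endswith(suffix)):
        return None
    digits = label[len(prefix):len(label) - len(suffix)]
    if not digits.isdigit() or (len(digits) > 1 and digits[0] == "0"):
        return None
    offset = int(digits)
    if offset > int(end_ip) - int(start_ip):
        return None
    return str(start_ip + offset)

if __name__ == "__main__":
    print(synth_count(SYNTH_DOMAIN), synth_name(SYNTH_DOMAIN, "192.168.0.54"),
          synth_address(SYNTH_DOMAIN, "internal-20.thekelleys.org.uk"))
```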
