dnsmasq: update to 2.80. add dnssec option (default disabled)

From i3endek, thanks!

version 2.80
	Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method
	for the initial patch and motivation.

	Alter the default for dnssec-check-unsigned. Versions of
	dnsmasq prior to 2.80 defaulted to not checking unsigned
	replies, and used --dnssec-check-unsigned to switch
	this on. Such configurations will continue to work as before,
	but those which used the default of no checking will need to be
	altered to explicitly select no checking. The new default is
	because switching off checking for unsigned replies is
	inherently dangerous. Not only does it open the possibility of forged
	replies, but it allows everything to appear to be working even
	when the upstream nameservers do not support DNSSEC, and in this
	case no DNSSEC validation at all is occurring.

	Fix DHCP brokenness when --no-ping AND --dhcp-sequential-ip
	are set. Thanks to Daniel Miess for help with this.

	Add a facility to store DNS packets sent/received in a
	pcap-format file for later debugging. The file location
	is given by the --dumpfile option, and a bitmap controlling
	which packets should be dumped is given by the --dumpmask
	option.

	Handle the case of both standard and constructed dhcp-ranges on the
	same interface better. We don't now construct a dhcp-range if there's
	already one specified. This allows the specified interface to
	have different parameters and avoids advertising the same
	prefix twice. Thanks to Luis Marsano for spotting this case.

	Allow zone transfer in authoritative mode if auth-peer is specified,
	even if auth-sec-servers is not. Thanks to Raphaël Halimi for
	the suggestion.

	Fix bug which sometimes caused dnsmasq to wrongly return answers
	without DNSSEC RRs to queries with the do-bit set, but only when
	DNSSEC validation was not enabled.
	Thanks to Petr Menšík for spotting this.

	Fix missing fatal errors with some malformed options
	(server, local, address, rebind-domain-ok, ipset, alias).
	Thanks to Eugene Lozovoy for spotting the problem.

	Fix crash on startup with a --synth-domain which has no prefix.
	Introduced in 2.79. Thanks to Andreas Engel for the bug report.

	Fix missing EDNS0 section in some replies generated by local
	DNS configuration which confused systemd-resolvd. Thanks to
	Steve Dodd for characterising the problem.

	Add --dhcp-name-match config option.

	Add --caa-record config option.

	Implement --address=/example.com/# as (more efficient) syntactic
	sugar for --address=/example.com/0.0.0.0 and
	--address=/example.com/::
	Returning null addresses is a useful technique for ad-blocking.
	Thanks to Peter Russell for the suggestion.

	Change anti cache-snooping behaviour with queries with the
	recursion-desired bit unset. Instead of returning SERVFAIL, we
	now always forward, and never answer from the cache. This
	allows the "dig +trace" command to work.

	Include in the example config file a formulation which
	stops DHCP clients from claiming the DNS name "wpad".
	This is a fix for the CERT Vulnerability VU#598349.
maya 2018-10-27 07:57:10 +00:00
parent c5c0c27e82
commit 207a47a811
3 changed files with 16 additions and 9 deletions
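As an added example (not part of this commit, of pkgsrc, or of dnsmasq itself): a small POSIX sh audit for the 2.80 default change described in the changelog above. It flags a dnsmasq.conf that explicitly opts out of checking unsigned replies (dnssec-check-unsigned=no, the pre-2.80 default behaviour), and one that turns on dnssec without any trust anchor; the sample configuration and the audit_dnssec helper are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of this commit or of dnsmasq. Audits a dnsmasq.conf
# for the two DNSSEC settings that matter after the 2.80 default change:
# an explicit dnssec-check-unsigned=no (checking of unsigned replies off),
# and dnssec enabled with no trust anchor configured at all.

# Constructed sample configuration (assumption: not from any real host).
SAMPLE_CONF='# constructed sample dnsmasq.conf
dnssec
dnssec-check-unsigned=no
address=/ads.example/#
'

# audit_dnssec FILE: prints one WARN line per finding; returns 0 when clean,
# 1 when something needs attention. Commented-out lines are ignored because
# every pattern is anchored at the start of the line.
audit_dnssec() {
    conf=$1
    rc=0
    if grep -Eq '^[[:space:]]*dnssec[[:space:]]*$' "$conf"; then
        # dnssec without a trust anchor cannot validate anything
        if ! grep -Eq '^[[:space:]]*(trust-anchor=|conf-file=.*trust-anchors)' "$conf"; then
            echo "WARN: dnssec is on but no trust-anchor= or conf-file=.../trust-anchors.conf is set"
            rc=1
        fi
    fi
    if grep -Eq '^[[:space:]]*dnssec-check-unsigned=no' "$conf"; then
        # since 2.80 this is the explicit opt-out; before 2.80 it was the default
        echo "WARN: dnssec-check-unsigned=no: unsigned replies are not checked, forged replies go undetected"
        rc=1
    fi
    return $rc
}

# Demo run on the constructed sample; both findings are expected to fire.
demo_file=$(mktemp)
printf '%s' "$SAMPLE_CONF" > "$demo_file"
audit_dnssec "$demo_file" || echo "config needs attention"
rm -f "$demo_file"
```

Run it against a real /etc/dnsmasq.conf only on a build made with the dnssec option; a binary built without HAVE_DNSSEC rejects the dnssec keyword regardless of what this audit reports.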


@ -1,6 +1,6 @@
# $NetBSD: Makefile,v 1.37 2018/03/23 12:58:43 adam Exp $
# $NetBSD: Makefile,v 1.38 2018/10/27 07:57:10 maya Exp $
DISTNAME= dnsmasq-2.79
DISTNAME= dnsmasq-2.80
CATEGORIES= net
MASTER_SITES= http://www.thekelleys.org.uk/dnsmasq/
EXTRACT_SUFX= .tar.xz
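Review bot: MASTER_SITES stays on plain http, so the only integrity check on the fetched dnsmasq-2.80.tar.xz is the distinfo update that accompanies this DISTNAME bump; that is the usual pkgsrc arrangement, but if upstream publishes an https URL or a detached signature, fetching over https (or noting in the commit message that the tarball was checked against the upstream signature) would remove the dependence on the first fetch being clean. The DISTNAME change to dnsmasq-2.80 and the RCS id update themselves look right.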


@ -1,7 +1,7 @@
$NetBSD: distinfo,v 1.35 2018/03/23 12:58:43 adam Exp $
$NetBSD: distinfo,v 1.36 2018/10/27 07:57:10 maya Exp $
SHA1 (dnsmasq-2.79.tar.xz) = d4a1af08b02b27736954ce8b2db2da7799d75812
RMD160 (dnsmasq-2.79.tar.xz) = e4cb81b4a08b32c5253520ee146d5f40cd3ff7b3
SHA512 (dnsmasq-2.79.tar.xz) = 2c06212696ab55e1584f6133872f5b196013509e4b1822d0457787b456e14341afdde887749e370a2e512124cb4138f012f4601b08690707be4acc7cf2f2876f
Size (dnsmasq-2.79.tar.xz) = 493036 bytes
SHA1 (dnsmasq-2.80.tar.xz) = 45317f3ce129c670c812428f97b92273b5286df0
RMD160 (dnsmasq-2.80.tar.xz) = 5a26def1ae9a47a2debe08845dfc41d14f3bfa2e
SHA512 (dnsmasq-2.80.tar.xz) = 58e56beb553fc41311e5dc16d8b0eb3b6801e2bdfbcd0e7a6659703f08960b6ad10d48b0b14a4d727636faf35483e01597cff2ae49e7fe9fa9e214f437b1c068
Size (dnsmasq-2.80.tar.xz) = 501072 bytes
SHA1 (patch-src_bpf.c) = 05dc64c016c608e6b963ce9ee80c28e872a88f9e
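Review bot: the SHA1 for patch-src_bpf.c is unchanged context, so the local patch was not touched for the new release; please confirm in the commit message that it still applies cleanly to 2.80, since an upstream change to src/bpf.c would otherwise only surface at build time. The new SHA1/RMD160/SHA512 and Size entries for dnsmasq-2.80.tar.xz are present and the 2.79 entries are dropped, which is all this file needs.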


@ -1,7 +1,7 @@
# $NetBSD: options.mk,v 1.4 2017/06/02 08:37:49 adam Exp $
# $NetBSD: options.mk,v 1.5 2018/10/27 07:57:10 maya Exp $
PKG_OPTIONS_VAR= PKG_OPTIONS.dnsmasq
PKG_SUPPORTED_OPTIONS= dbus inet6
PKG_SUPPORTED_OPTIONS= dbus inet6 dnssec
PKG_SUGGESTED_OPTIONS= inet6
.include "../../mk/bsd.options.mk"
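Review bot: dnssec is added to PKG_SUPPORTED_OPTIONS but, consistent with "default disabled" in the commit message, not to PKG_SUGGESTED_OPTIONS; it would help to state in the option's description that a default build contains no validation code at all, so a dnssec line in dnsmasq.conf is rejected at startup until the package is rebuilt with this option.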
@ -20,3 +20,10 @@ PLIST.dbus= yes
.if empty(PKG_OPTIONS:Minet6)
CFLAGS+= -DNO_IPV6
.endif
.if !empty(PKG_OPTIONS:Mdnssec)
USE_TOOLS+= pkg-config
CFLAGS+= -DHAVE_DNSSEC
.include "../../security/nettle/buildlink3.mk"
.include "../../devel/gmp/buildlink3.mk"
.endif
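Review bot: the block mirrors the inet6 pattern above it and pulls in nettle and gmp, which is what -DHAVE_DNSSEC needs (dnsmasq's validation uses nettle's hogweed, which sits on gmp). One thing worth adding: the changelog quoted in this commit changes the dnssec-check-unsigned default in 2.80, so users who switch this option on inherit unsigned-reply checking by default; a short note pointing at that, and at the need for a trust-anchor (dnsmasq ships trust-anchors.conf in the tarball), would save the first bug report. Also check whether USE_TOOLS+= pkg-config is already set unconditionally in the Makefile; if so the line here is redundant.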