[Dnsmasq-discuss] Announce: dnsmasq-2.69rc1

Simon Kelley simon at thekelleys.org.uk
Sat Mar 22 20:03:44 UTC 2014

It's time to start the release process for 2.69

The big new for this release is DNSSEC validation. I've made a first
release-candidate, available at


Please run it if you can, and report any problems. If you can configure
DNSSEC and test that, all the better. CHANGELOG attached below.




            Implement dynamic interface discovery on *BSD. This allows
            the contructor: syntax to be used in dhcp-range for DHCPv6
            on the BSD platform. Thanks to Matthias Andree for
            valuable research on how to implement this.

            Fix infinite loop associated with some --bogus-nxdomain
            configs. Thanks fogobogo for the bug report.

            Fix missing RA RDNS option with configuration like
            --dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer
            for spotting the problem.

            Add [fd00::] and [fe80::] as special addresses in DHCPv6
            options, analogous to [::]. [fd00::] is replaced with the
            actual ULA of the interface on the machine running
            dnsmasq, [fe80::] with the link-local address.
            Thanks to Tsachi Kimeldorfer for championing this.

            DNSSEC validation and caching. Dnsmasq needs to be
            compiled with this enabled, with

            make dnsmasq COPTS=-DHAVE_DNSSEC

            this add dependencies on the nettle crypto library and the
            gmp maths library. It's possible to have these linked
            statically with

            make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'

            which bloats the dnsmasq binary to over a megabyte, but
            saves the size of the shared libraries which are five
            times that size.
            To enable, DNSSEC, you will need a set of
            trust-anchors. Now that the TLDs are signed, this can be
            the keys for the root zone, and for convenience they are
            included in trust-anchors.conf in the dnsmasq
            distribution. You should of course check that these are
            legitimate and up-to-date. So, adding


            to your config is all thats needed to get things
            working. The upstream nameservers have to be DNSSEC-capable
            too, of course. Many ISP nameservers aren't, but the
            Google public nameservers ( and are.
            When DNSSEC is configured, dnsmasq validates any queries
            for domains which are signed. Query results which are
            bogus are replaced with SERVFAIL replies, and results
            which are correctly signed have the AD bit set. In
            addition, and just as importantly, dnsmasq supplies
            correct DNSSEC information to clients which are doing
            their own validation, and caches DNSKEY, DS and RRSIG
            records, which significantly improve the performance of
            downstream validators. Setting --log-queries will show
            DNSSEC in action.

            The development of DNSSEC in dnsmasq was started by
            Giovanni Bajo, to whom huge thanks are owed. It has been
            supported by Comcast, whose techfund grant has allowed for
            an invaluable period of full-time work to get it to
            a workable state.

	    Add --rev-server. Thanks to Dave Taht for suggesting this.

            Add --servers-file. Allows dynamic update of upstream
            servers full access to configuration.

            Add --local-service. Accept DNS queries only from hosts
            whose address is on a local subnet, ie a subnet for which
            an interface exists on the server. This option
            only has effect if there are no --interface --except-
            interface, --listen-address or --auth-server options. It is
            intended  to be set as a default on installation, to allow
            unconfigured installations to be useful but also safe from
            being used for DNS amplification attacks.

            Fix crashes in cache_get_cname_target() when dangling CNAMEs
            encountered. Thanks to Andy and the rt-n56u project for
            find this and helping to chase it down.

More information about the Dnsmasq-discuss mailing list