[Dnsmasq-discuss] Announce: dnsmasq-2.69rc1
sven falempin
sven.falempin at gmail.com
Mon Mar 24 19:49:50 UTC 2014
On Mon, Mar 24, 2014 at 2:07 PM, Dave Taht <dave.taht at gmail.com> wrote:
> On Mon, Mar 24, 2014 at 10:45 AM, sven falempin <sven.falempin at gmail.com> wrote:
>> openbsd 5.4: pkg_add libnettle (ewwwwwwwww)
>> [make]
>> $ ./src/dnsmasq --version
>> Dnsmasq version 2.69rc1 Copyright (c) 2000-2014 Simon Kelley
>> Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP
>> DHCPv6 no-Lua TFTP no-conntrack no-ipset auth DNSSEC
>>
>> Would you please explain why the dependency on <nettle>? Can't we
>> use the crypto of OpenSSH?
>
> OpenSSL has a lousy API. Libnettle is much better, and (if statically linked)
> doesn't add much size to the dnsmasq binary.
>
How far has the nettle code been audited? OpenSSH is high quality software.
>>
>> Here's the running setup :
>> - - - - - - - - - -
>> root 31974 0.0 0.1 992 1304 p5 I+ 6:40PM 0:00.01
>> dnsmasq -d -C /etc/dnsmasq.conf --log-queries
>> # cat /etc/dnsmasq.conf
>> domain-needed
>> bogus-priv
>> # Uncomment these to enable DNSSEC validation and caching:
>> # (Requires dnsmasq to be built with DNSSEC option.)
>> conf-file=/etc/trust-anchors.conf
>> dnssec
>> filterwin2k
>>
>> # cat /etc/trust-anchors.conf
>> # The root DNSSEC trust anchor, valid as at 30/01/2014
>>
>> # Note that this is a DS record (ie a hash of the root Zone Signing Key)
>> # It was downloaded from https://data.iana.org/root-anchors/root-anchors.xml
>>
>> trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
>>
>> - - - - - - - - - -
>>
>> and a request output :
>>
>> dnsmasq: query[A] google.fr from 10.0.0.42
>> dnsmasq: forwarded google.fr to 8.8.8.8
>> dnsmasq: validation result is INSECURE
>> dnsmasq: reply google.fr is 173.194.34.183
>> dnsmasq: reply google.fr is 173.194.34.191
>> dnsmasq: reply google.fr is 173.194.34.184
>> dnsmasq: query[AAAA] google.fr from 10.0.0.42
>> dnsmasq: forwarded google.fr to 8.8.8.8
>> dnsmasq: validation result is INSECURE
>> dnsmasq: reply google.fr is 2a00:1450:4009:805::1017
>> dnsmasq: query[MX] google.fr from 10.0.0.42
>> dnsmasq: forwarded google.fr to 8.8.8.8
>> dnsmasq: validation result is INSECURE
>> dnsmasq: forwarded thekelleys.org to 8.8.8.8
>> dnsmasq: validation result is INSECURE
>> dnsmasq: reply thekelleys.org is 216.239.32.21
>> dnsmasq: reply thekelleys.org is 216.239.34.21
>> dnsmasq: reply thekelleys.org is 216.239.36.21
>> dnsmasq: reply thekelleys.org is 216.239.38.21
>> dnsmasq: query[AAAA] thekelleys.org from 10.0.0.42
>> dnsmasq: forwarded thekelleys.org to 8.8.8.8
>> dnsmasq: validation result is INSECURE
>> dnsmasq: reply thekelleys.org is NODATA-IPv6
>> dnsmasq: query[MX] thekelleys.org from 10.0.0.42
>> dnsmasq: forwarded thekelleys.org to 8.8.8.8
>> dnsmasq: validation result is INSECURE
>>
>>
>> Best regards,
>>
>>
>> On Sat, Mar 22, 2014 at 4:03 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:
>>> It's time to start the release process for 2.69
>>>
>>> The big news for this release is DNSSEC validation. I've made a first
>>> release-candidate, available at
>>>
>>> http://www.thekelleys.org.uk/dnsmasq/release-candidates/dnsmasq-2.69rc1.tar.gz
>>>
>>> Please run it if you can, and report any problems. If you can configure
>>> DNSSEC and test that, all the better. CHANGELOG attached below.
>>>
>>>
>>> Cheers,
>>>
>>>
>>> Simon.
>>>
>>> -----------------------------------------------------------------------------
>>>
>>> Implement dynamic interface discovery on *BSD. This allows
>>> the constructor: syntax to be used in dhcp-range for DHCPv6
>>> on the BSD platform. Thanks to Matthias Andree for
>>> valuable research on how to implement this.
>>>
>>> Fix infinite loop associated with some --bogus-nxdomain
>>> configs. Thanks fogobogo for the bug report.
>>>
>>> Fix missing RA RDNS option with configuration like
>>> --dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer
>>> for spotting the problem.
>>>
>>> Add [fd00::] and [fe80::] as special addresses in DHCPv6
>>> options, analogous to [::]. [fd00::] is replaced with the
>>> actual ULA of the interface on the machine running
>>> dnsmasq, [fe80::] with the link-local address.
>>> Thanks to Tsachi Kimeldorfer for championing this.
>>>
>>> DNSSEC validation and caching. Dnsmasq needs to be
>>> compiled with this enabled, with
>>>
>>> make dnsmasq COPTS=-DHAVE_DNSSEC
>>>
>>> this adds dependencies on the nettle crypto library and the
>>> gmp maths library. It's possible to have these linked
>>> statically with
>>>
>>> make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'
>>>
>>> which bloats the dnsmasq binary to over a megabyte, but
>>> saves the size of the shared libraries which are five
>>> times that size.
>>> To enable DNSSEC, you will need a set of
>>> trust-anchors. Now that the TLDs are signed, this can be
>>> the keys for the root zone, and for convenience they are
>>> included in trust-anchors.conf in the dnsmasq
>>> distribution. You should of course check that these are
>>> legitimate and up-to-date. So, adding
>>>
>>> conf-file=/path/to/trust-anchors.conf
>>> dnssec
>>>
>>> to your config is all that's needed to get things
>>> working. The upstream nameservers have to be DNSSEC-capable
>>> too, of course. Many ISP nameservers aren't, but the
>>> Google public nameservers (8.8.8.8 and 8.8.4.4) are.
>>> When DNSSEC is configured, dnsmasq validates any queries
>>> for domains which are signed. Query results which are
>>> bogus are replaced with SERVFAIL replies, and results
>>> which are correctly signed have the AD bit set. In
>>> addition, and just as importantly, dnsmasq supplies
>>> correct DNSSEC information to clients which are doing
>>> their own validation, and caches DNSKEY, DS and RRSIG
>>> records, which significantly improves the performance of
>>> downstream validators. Setting --log-queries will show
>>> DNSSEC in action.
>>>
>>> The development of DNSSEC in dnsmasq was started by
>>> Giovanni Bajo, to whom huge thanks are owed. It has been
>>> supported by Comcast, whose techfund grant has allowed for
>>> an invaluable period of full-time work to get it to
>>> a workable state.
>>>
>>> Add --rev-server. Thanks to Dave Taht for suggesting this.
>>>
>>> Add --servers-file. Allows dynamic update of upstream
>>> servers full access to configuration.
>>>
>>> Add --local-service. Accept DNS queries only from hosts
>>> whose address is on a local subnet, ie a subnet for which
>>> an interface exists on the server. This option
>>> only has effect if there are no --interface, --except-interface,
>>> --listen-address or --auth-server options. It is
>>> intended to be set as a default on installation, to allow
>>> unconfigured installations to be useful but also safe from
>>> being used for DNS amplification attacks.
>>>
>>> Fix crashes in cache_get_cname_target() when dangling CNAMEs
>>> encountered. Thanks to Andy and the rt-n56u project for
>>> finding this and helping to chase it down.
>>>
>>>
>>>
>>> _______________________________________________
>>> Dnsmasq-discuss mailing list
>>> Dnsmasq-discuss at lists.thekelleys.org.uk
>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>> --
>> ---------------------------------------------------------------------------------------------------------------------
>> () ascii ribbon campaign - against html e-mail
>> /\
> --
> Dave Täht
>
> Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
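The --log-queries output quoted in the thread only shows DNSSEC "in action" line by line; the following added example (not code from the thread or from the dnsmasq project) groups those lines into one record per client query and lists every answer dnsmasq could not prove SECURE, so an operator can see at a glance which names came back INSECURE (unsigned zone) or BOGUS (SERVFAIL to the client). The sample log is an abridged, constructed copy of the excerpt above; the line formats assumed are exactly those shown there.

```python
import re

# Constructed sample: the --log-queries excerpt quoted in this thread, abridged,
# with the syslog prefix ("Mar 24 18:40:01 host ") a real log would carry stripped.
SAMPLE_LOG = """\
dnsmasq: query[A] google.fr from 10.0.0.42
dnsmasq: forwarded google.fr to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: reply google.fr is 173.194.34.183
dnsmasq: reply google.fr is 173.194.34.191
dnsmasq: query[AAAA] thekelleys.org from 10.0.0.42
dnsmasq: forwarded thekelleys.org to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: reply thekelleys.org is NODATA-IPv6
"""

# re.search is used below, so anything before "dnsmasq:" is ignored.
QUERY_RE = re.compile(r"dnsmasq: query\[(\w+)\] (\S+) from (\S+)")
FORWARD_RE = re.compile(r"dnsmasq: forwarded (\S+) to (\S+)")
RESULT_RE = re.compile(r"dnsmasq: validation result is (\w+)")
REPLY_RE = re.compile(r"dnsmasq: reply (\S+) is (\S+)")


def parse_log(text):
    """Group log lines into one record per client query: a query[...] line opens a
    record, and the forwarded/validation/reply lines that follow attach to it."""
    records, cur = [], None
    for line in text.splitlines():
        if m := QUERY_RE.search(line):
            cur = {"qtype": m[1], "name": m[2], "client": m[3],
                   "upstream": None, "validation": None, "replies": []}
            records.append(cur)
        elif cur is None:
            continue  # line before the first query (truncated log): nothing to attach to
        elif m := FORWARD_RE.search(line):
            cur["upstream"] = m[2]
        elif m := RESULT_RE.search(line):
            cur["validation"] = m[1]
        elif m := REPLY_RE.search(line):
            cur["replies"].append(m[2])
    return records


def unvalidated(records):
    """(qtype, name, result) for every answer dnsmasq did not prove SECURE.
    INSECURE: zone unsigned, answer passed through without the AD bit.
    BOGUS: signatures failed, the client got SERVFAIL instead of the data."""
    return [(r["qtype"], r["name"], r["validation"])
            for r in records if r["validation"] != "SECURE"]
```

Feeding a real syslog file to parse_log works unchanged, since the patterns anchor on the "dnsmasq:" tag rather than the start of the line.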