[Dnsmasq-discuss] Announce : dnsmasq-2.79

Geert Stappers stappers at stappers.nl
Sun Mar 18 17:56:33 GMT 2018


On Sun, Mar 18, 2018 at 04:58:53PM +0000, Simon Kelley wrote:
> I just tagged and pushed the final 2.79 release.

Cool!

> Release notes below.

Euh, I do miss
 Inotify: Ignore backup files created by editors
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/
 
> Enjoy.
> 
> 
> Simon.
> 
> version 2.79
>         Fix parsing of CNAME arguments, which are confused by extra
>         spaces. Thanks to Diego Aguirre for spotting the bug.
> 
>         Where available, use IP_UNICAST_IF or IPV6_UNICAST_IF to bind
>         upstream servers to an interface, rather than SO_BINDTODEVICE.
>         Thanks to Beniamino Galvani for the patch.
> 
>         Always return a SERVFAIL answer to DNS queries without the
>         recursion desired bit set, UNLESS acting as an authoritative
>         DNS server. This avoids a potential route to cache snooping.
> 
>         Add support for Ed25519 signatures in DNSSEC validation.
> 
>         No longer support RSA/MD5 signatures in DNSSEC validation,
>         since these are not secure. This behaviour is mandated in
>         RFC-6944.
> 
>         Fix incorrect error exit code from dhcp_release6 utility.
>         Thanks Gaudenz Steinlin for the bug report.
> 
>         Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC
>         time validation when --dnssec-no-timecheck is in use.
>         Note that this is an incompatible change from earlier releases.
> 
>         Allow more than one --bridge-interface option to refer to an
>         interface, so that we can use
>         --bridge-interface=int1,alias1
>         --bridge-interface=int1,alias2
>         as an alternative to
>         --bridge-interface=int1,alias1,alias2
>         Thanks to Neil Jerram for work on this.
> 
>         Fix for DNSSEC with wildcard-derived NSEC records.
>         It's OK for NSEC records to be expanded from wildcards,
>         but in that case, the proof of non-existence is only valid
>         starting at the wildcard name, *.<domain> NOT the name expanded
>         from the wildcard. Without this check it's possible for an
>         attacker to craft an NSEC which wrongly proves non-existence.
>         Thanks to Ralph Dolmans for finding this, and co-ordinating
>         the vulnerability tracking and fix release.
>         CVE-2017-15107 applies.
> 
>         Remove special handling of A-for-A DNS queries. These
>         are no longer a significant problem in the global DNS.
>         http://cs.northwestern.edu/~ychen/Papers/DNS_ToN15.pdf
>         Thanks to Mattias Hellström for the initial patch.
> 
>         Fix failure to delete dynamically created dhcp options
>         from files in -dhcp-optsdir directories. Thanks to
>         Lindgren Fredrik for the bug report.
> 
> 
>         Add to --synth-domain the ability to create names using
>         sequential numbers, as well as encodings of IP addresses.
>         For instance,
>         --synth-domain=thekelleys.org.uk,192.168.0.50,192.168.0.70,internal-*
>         creates 21 domain names of the form
>         internal-4.thekelleys.org.uk over the address range given, with
>         internal-0.thekelleys.org.uk being 192.168.0.50 and
>         internal-20.thekelleys.org.uk being 192.168.0.70
>         Thanks to Andy Hawkins for the suggestion.
> 
>         Tidy up Crypto code, removing workarounds for ancient
>         versions of libnettle. We now require libnettle 3.
> 
> 

Regards
Geert Stappers
-- 
Live and let live
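
The wildcard-derived NSEC check from the 2.79 notes quoted above (CVE-2017-15107), as an added Python example that is not part of the original post and is not dnsmasq's code. It follows RFC 4034 section 6.1 (canonical ordering) and RFC 4035 section 5.3.2 (rebuilding the wildcard owner from the signed RRSIG Labels field); the function names and the example.test zone data are constructed for illustration.

```python
# Added illustration (not dnsmasq code); all function names are hypothetical.

def labels(name):
    """Lower-cased labels of a domain name, root label excluded."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def canonical_key(name):
    """Sort key for RFC 4034 6.1 canonical order (labels right to left)."""
    return [label.encode("ascii") for label in reversed(labels(name))]

def proof_owner(owner, rrsig_labels):
    """Name the NSEC proof starts at, per RFC 4035 5.3.2.

    The signed RRSIG Labels field counts the owner's labels without the
    root or a leading '*'. A smaller count than the presented owner has
    means the record was expanded from a wildcard.
    """
    ls = labels(owner)
    if rrsig_labels > len(ls):
        raise ValueError("RRSIG Labels field exceeds owner label count")
    if rrsig_labels == len(ls):
        return ".".join(ls) + "."
    return ".".join(["*"] + ls[len(ls) - rrsig_labels:]) + "."

def nsec_denial(owner, rrsig_labels, next_name, qname, wildcard_aware=True):
    """Return 'match' (type bitmap applies to qname), 'cover' (qname lies
    in the gap, so it does not exist) or None (proves nothing about qname)."""
    start = proof_owner(owner, rrsig_labels) if wildcard_aware else owner
    o, n, q = (canonical_key(x) for x in (start, next_name, qname))
    if q == o:
        return "match"
    in_gap = (o < q < n) if o < n else (q > o or q < n)  # last NSEC wraps
    return "cover" if in_gap else None

# Constructed sample: zone has *.a.example.test (TXT) and www.a.example.test (A).
# The wildcard's NSEC is signed with Labels=3 and points at www.a.example.test.
SAMPLE = dict(owner="www.a.example.test.", rrsig_labels=3,
              next_name="www.a.example.test.", qname="www.a.example.test.")

if __name__ == "__main__":
    print("naive :", nsec_denial(**SAMPLE, wildcard_aware=False))
    print("aware :", nsec_denial(**SAMPLE))
```

With `wildcard_aware=False` the expanded owner is taken at face value and the record appears to speak for `www.a.example.test.`; with the check enabled the proof starts at `*.a.example.test.` and says nothing about that name.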
