Announce: dnsmasq-2.80

Simon Kelley
Thu Oct 18 19:48:07 BST 2018

I just published dnsmasq-2.80

Changelog attached below.

version 2.80
        Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram
        Method for the initial patch and motivation.

        Alter the default for dnssec-check-unsigned. Versions of
        dnsmasq prior to 2.80 defaulted to not checking unsigned
        replies, and used --dnssec-check-unsigned to switch
        this on. Such configurations will continue to work as before,
        but those which used the default of no checking will need to be
        altered to explicitly select no checking. The new default is
        because switching off checking for unsigned replies is
        inherently dangerous. Not only does it open the possibility of
        forged replies, but it allows everything to appear to be working
        even when the upstream nameservers do not support DNSSEC, and in
        this case no DNSSEC validation at all is occurring.

        Fix DHCP broken-ness when --no-ping AND --dhcp-sequential-ip
        are set. Thanks to Daniel Miess for help with this.

        Add a facility to store DNS packets sent/received in a
        pcap-format file for later debugging. The file location
        is given by the --dumpfile option, and a bitmap controlling
        which packets should be dumped is given by the --dumpmask option.
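        As an added example (not dnsmasq's own code), a small Python reader for a --dumpfile capture that yields the addresses, ports and DNS header fields of every UDP packet, including a minimal question-name decoder. It assumes dnsmasq writes classic pcap with the raw-IP link type (101, records starting at the IP header); parse_qname, dns_summary, iter_dns_records and the sample bytes are constructed here, not taken from the project.

```python
import socket
import struct

def parse_qname(buf, off):
    # Uncompressed name from the question section; returns (name, offset after it).
    labels = []
    while buf[off] != 0:
        n = buf[off]
        if n & 0xC0:  # pointers are not valid in the question name
            raise ValueError("compressed label in question section")
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1

def dns_summary(payload):
    # DNS header flags plus the first question; enough to spot QR/RD and RCODE.
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    qname, off = parse_qname(payload, 12) if qdcount else ("", 12)
    qtype = struct.unpack("!H", payload[off:off + 2])[0] if qdcount else 0
    return {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "rcode": flags & 0xF, "qname": qname, "qtype": qtype}

def iter_dns_records(pcap):
    """Yield one dict per UDP packet. Assumes dnsmasq writes classic pcap with
    link type 101 (LINKTYPE_RAW), so each record starts at the IP header."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 101:
        raise ValueError("not a classic pcap file with raw-IP link type")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        pkt, off = pcap[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if pkt[0] >> 4 == 4:
            l4, proto = (pkt[0] & 0xF) * 4, pkt[9]
            src, dst = (socket.inet_ntop(socket.AF_INET, pkt[i:i + 4]) for i in (12, 16))
        elif pkt[0] >> 4 == 6:
            l4, proto = 40, pkt[6]
            src, dst = (socket.inet_ntop(socket.AF_INET6, pkt[i:i + 16]) for i in (8, 24))
        else:
            continue
        if proto != 17:  # DNS over UDP only; TCP streams are not reassembled here
            continue
        sport, dport = struct.unpack("!HH", pkt[l4:l4 + 4])
        yield {"ts": sec + usec / 1e6, "src": src, "dst": dst, "sport": sport,
               "dport": dport, **dns_summary(pkt[l4 + 8:])}
# Constructed sample dump: one IPv4/UDP query 192.0.2.1:40000 -> 192.0.2.53:53, example.com A, RD set.
SAMPLE_DUMP = (
    b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00" + b"\x00" * 8 + b"\xff\xff\x00\x00\x65\x00\x00\x00"
    + b"\x01\x00\x00\x00\x20\xa1\x07\x00\x39\x00\x00\x00\x39\x00\x00\x00\x45\x00\x00\x39\x00\x00\x00\x00"
    + b"\x40\x11\x00\x00\xc0\x00\x02\x01\xc0\x00\x02\x35\x9c\x40\x00\x35\x00\x25\x00\x00\x12\x34\x01\x00"
    + b"\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01")
```

Run `list(iter_dns_records(open("/path/to/dumpfile", "rb").read()))` against a real capture; the QR/RD and RCODE fields make it easy to pair client queries with upstream replies when debugging the DNSSEC behaviour described above.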

        Handle the case of both standard and constructed dhcp-ranges on
        the same interface better. We no longer construct a dhcp-range if
        there's already one specified. This allows the specified
        interface to have different parameters and avoids advertising
        the same prefix twice. Thanks to Luis Marsano for spotting this.

        Allow zone transfer in authoritative mode if auth-peer is
        specified, even if auth-sec-servers is not. Thanks to Raphaël
        Halimi for the suggestion.

        Fix bug which sometimes caused dnsmasq to wrongly return answers
        without DNSSEC RRs to queries with the do-bit set, but only when
        DNSSEC validation was not enabled.
        Thanks to Petr Menšík for spotting this.

        Fix missing fatal errors with some malformed options
        (server, local, address, rebind-domain-ok, ipset, alias).
        Thanks to Eugene Lozovoy for spotting the problem.

        Fix crash on startup with a --synth-domain which has no prefix.
        Introduced in 2.79. Thanks to Andreas Engel for the bug report.

        Fix missing EDNS0 section in some replies generated by local
        DNS configuration which confused systemd-resolved. Thanks to
        Steve Dodd for characterising the problem.

        Add --dhcp-name-match config option.

        Add --caa-record config option.

        Implement --address=/example.com/# as (more efficient) syntactic
        sugar for --address=/example.com/ and
        Returning null addresses is a useful technique for ad-blocking.
        Thanks to Peter Russell for the suggestion.

        Change anti cache-snooping behaviour for queries with the
        recursion-desired bit unset. Instead of returning SERVFAIL, we
        now always forward, and never answer from the cache. This
        allows the "dig +trace" command to work.

        Include in the example config file a formulation which
        stops DHCP clients from claiming the DNS name "wpad".
        This is a fix for the CERT Vulnerability VU#598349.

