+version 2.73
+ Fix crash at startup when an empty suffix is supplied to
+ --conf-dir, also trivial memory leak. Thanks to
+ Tomas Hozza for spotting this.
+
+ Remove floor of 4096 on advertised EDNS0 packet size when
+ DNSSEC in use, the original rationale for this has long gone.
+ Thanks to Anders Kaseorg for spotting this.
+
+ Use inotify for checking on updates to /etc/resolv.conf and
+ friends under Linux. This fixes race conditions when the files are
+ updated rapidly and saves CPU by noy polling. To build
+ a binary that runs on old Linux kernels without inotify,
+ use make COPTS=-DNO_INOTIFY
+
+ Fix breakage of --domain=<domain>,<subnet>,local - only reverse
+ queries were intercepted. THis appears to have been broken
+ since 2.69. Thanks to Josh Stone for finding the bug.
+
+ Eliminate IPv6 privacy addresses and deprecated addresses from
+ the answers given by --interface-name. Note that reverse queries
+ (ie looking for names, given addresses) are not affected.
+ Thanks to Michael Gorbach for the suggestion.
+
+ Fix crash in DNSSEC code with long RRs. Thanks to Marco Davids
+ for the bug report.
+
+ Add --ignore-address option. Ignore replies to A-record
+ queries which include the specified address. No error is
+ generated, dnsmasq simply continues to listen for another
+ reply. This is useful to defeat blocking strategies which
+ rely on quickly supplying a forged answer to a DNS
+ request for certain domains, before the correct answer can
+ arrive. Thanks to Glen Huang for the patch.
+
+ Revisit the part of DNSSEC validation which determines if an
+ unsigned answer is legit, or is in some part of the DNS
+ tree which should be signed. Dnsmasq now works from the
+ DNS root downward looking for the limit of signed
+ delegations, rather than working bottom up. This is
+ both more correct, and less likely to trip over broken
+ nameservers in the unsigned parts of the DNS tree
+ which don't respond well to DNSSEC queries.
+
+ Add --log-queries=extra option, which makes logs easier
+ to search automatically.
+
+ Add --min-cache-ttl option. I've resisted this for a long
+ time, on the grounds that disbelieving TTLs is never a
+ good idea, but I've been persuaded that there are
+ sometimes reasons to do it. (Step forward, GFW).
+ To avoid misuse, there's a hard limit on the TTL
+ floor of one hour. Thansk to RinSatsuki for the patch.
+
+ Cope with multiple interfaces with the same link-local
+ address. (IPv6 addresses are scoped, so this is allowed.)
+ Thanks to Cory Benfield for help with this.
+
+ Add --dhcp-hostsdir. This allows addition of new host
+ configurations to a running dnsmasq instance much more
+ cheaply than having dnsmasq re-read all its existing
+ configuration each time.
+
+ Don't reply to DHCPv6 SOLICIT messages if we're not
+ configured to do stateful DHCPv6. Thanks to Win King Wan
+ for the patch.
+
+ Fix broken DNSSEC validation of ECDSA signatures.
+
+ Add --dnssec-timestamp option, which provides an automatic
+ way to detect when the system time becomes valid after
+ boot on systems without an RTC, whilst allowing DNS
+ queries before the clock is valid so that NTP can run.
+ Thanks to Kevin Darbyshire-Bryant for developing this idea.
+
+ Add --tftp-no-fail option. Thanks to Stefan Tomanek for
+ the patch.
+
+ Fix crash caused by looking up servers.bind, CHAOS text
+ record, when more than about five --servers= lines are
+ in the dnsmasq config. This causes memory corruption
+ which causes a crash later. Thanks to Matt Coddington for
+ sterling work chasing this down.
+
+ Fix crash on receipt of certain malformed DNS requests.
+ Thanks to Nick Sampanis for spotting the problem.
+
+ Fix crash in authoritative DNS code, if a .arpa zone
+ is declared as authoritative, and then a PTR query which
+ is not to be treated as authoritative arrived. Normally,
+ directly declaring .arpa zone as authoritative is not
+ done, so this crash wouldn't be seen. Instead the
+ relevant .arpa zone should be specified as a subnet
+ in the auth-zone declaration. Thanks to Johnny S. Lee
+ for the bugreport and initial patch.
+
+ Fix authoritative DNS code to correctly reply to NS
+ and SOA queries for .arpa zones for which we are
+ declared authoritative by means of a subnet in auth-zone.
+ Previously we provided correct answers to PTR queries
+ in such zones (including NS and SOA) but not direct
+ NS and SOA queries. Thanks to Johnny S. Lee for
+ pointing out the problem.
+
+
+version 2.72
+ Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.
+
+ Add support for "ipsets" in *BSD, using pf. Thanks to
+ Sven Falempim for the patch.
+
+ Fix race condition which could lock up dnsmasq when an
+ interface goes down and up rapidly. Thanks to Conrad
+ Kostecki for helping to chase this down.
+
+ Add DBus methods SetFilterWin2KOption and SetBogusPrivOption
+ Thanks to the Smoothwall project for the patch.
+
+ Fix failure to build against Nettle-3.0. Thanks to Steven
+ Barth for spotting this and finding the fix.
+
+ When assigning existing DHCP leases to intefaces by comparing
+ networks, handle the case that two or more interfaces have the
+ same network part, but different prefix lengths (favour the
+ longer prefix length.) Thanks to Lung-Pin Chang for the
+ patch.
+
+ Add a mode which detects and removes DNS forwarding loops, ie
+ a query sent to an upstream server returns as a new query to
+ dnsmasq, and would therefore be forwarded again, resulting in
+ a query which loops many times before being dropped. Upstream
+ servers which loop back are disabled and this event is logged.
+ Thanks to Smoothwall for their sponsorship of this feature.
+
+ Extend --conf-dir to allow filtering of files. So
+ --conf-dir=/etc/dnsmasq.d,\*.conf
+ will load all the files in /etc/dnsmasq.d which end in .conf
+
+ Fix bug when resulted in NXDOMAIN answers instead of NODATA in
+ some circumstances.
+
+ Fix bug which caused dnsmasq to become unresponsive if it
+ failed to send packets due to a network interface disappearing.
+ Thanks to Niels Peen for spotting this.
+
+ Fix problem with --local-service option on big-endian platforms
+ Thanks to Richard Genoud for the patch.
+
+
+version 2.71
+ Subtle change to error handling to help DNSSEC validation
+ when servers fail to provide NODATA answers for
+ non-existent DS records.
+
+ Tweak code which removes DNSSEC records from answers when
+ not required. Fixes broken answers when additional section
+ has real records in it. Thanks to Marco Davids for the bug
+ report.
+
+ Fix DNSSEC validation of ANY queries. Thanks to Marco Davids
+ for spotting that too.
+
+ Fix total DNS failure and 100% CPU use if cachesize set to zero,
+ regression introduced in 2.69. Thanks to James Hunt and
+ the Ubuntu crowd for assistance in fixing this.
+
+
+version 2.70
+ Fix crash, introduced in 2.69, on TCP request when dnsmasq
+ compiled with DNSSEC support, but running without DNSSEC
+ enabled. Thanks to Manish Sing for spotting that one.
+
+ Fix regression which broke ipset functionality. Thanks to
+ Wang Jian for the bug report.
+
+
+version 2.69
+ Implement dynamic interface discovery on *BSD. This allows
+ the contructor: syntax to be used in dhcp-range for DHCPv6
+ on the BSD platform. Thanks to Matthias Andree for
+ valuable research on how to implement this.
+
+ Fix infinite loop associated with some --bogus-nxdomain
+ configs. Thanks fogobogo for the bug report.
+
+ Fix missing RA RDNS option with configuration like
+ --dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer
+ for spotting the problem.
+
+ Add [fd00::] and [fe80::] as special addresses in DHCPv6
+ options, analogous to [::]. [fd00::] is replaced with the
+ actual ULA of the interface on the machine running
+ dnsmasq, [fe80::] with the link-local address.
+ Thanks to Tsachi Kimeldorfer for championing this.
+
+ DNSSEC validation and caching. Dnsmasq needs to be
+ compiled with this enabled, with
+
+ make dnsmasq COPTS=-DHAVE_DNSSEC
+
+ this add dependencies on the nettle crypto library and the
+ gmp maths library. It's possible to have these linked
+ statically with
+
+ make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'
+
+ which bloats the dnsmasq binary, but saves the size of
+ the shared libraries which are much bigger.
+
+ To enable, DNSSEC, you will need a set of
+ trust-anchors. Now that the TLDs are signed, this can be
+ the keys for the root zone, and for convenience they are
+ included in trust-anchors.conf in the dnsmasq
+ distribution. You should of course check that these are
+ legitimate and up-to-date. So, adding
+
+ conf-file=/path/to/trust-anchors.conf
+ dnssec
+
+ to your config is all thats needed to get things
+ working. The upstream nameservers have to be DNSSEC-capable
+ too, of course. Many ISP nameservers aren't, but the
+ Google public nameservers (8.8.8.8 and 8.8.4.4) are.
+ When DNSSEC is configured, dnsmasq validates any queries
+ for domains which are signed. Query results which are
+ bogus are replaced with SERVFAIL replies, and results
+ which are correctly signed have the AD bit set. In
+ addition, and just as importantly, dnsmasq supplies
+ correct DNSSEC information to clients which are doing
+ their own validation, and caches DNSKEY, DS and RRSIG
+ records, which significantly improve the performance of
+ downstream validators. Setting --log-queries will show
+ DNSSEC in action.
+
+ If a domain is returned from an upstream nameserver without
+ DNSSEC signature, dnsmasq by default trusts this. This
+ means that for unsigned zone (still the majority) there
+ is effectively no cost for having DNSSEC enabled. Of course
+ this allows an attacker to replace a signed record with a
+ false unsigned record. This is addressed by the
+ --dnssec-check-unsigned flag, which instructs dnsmasq
+ to prove that an unsigned record is legitimate, by finding
+ a secure proof that the zone containing the record is not
+ signed. Doing this has costs (typically one or two extra
+ upstream queries). It also has a nasty failure mode if
+ dnsmasq's upstream nameservers are not DNSSEC capable.
+ Without --dnssec-check-unsigned using such an upstream
+ server will simply result in not queries being validated;
+ with --dnssec-check-unsigned enabled and a
+ DNSSEC-ignorant upstream server, _all_ queries will fail.
+
+ Note that DNSSEC requires that the local time is valid and
+ accurate, if not then DNSSEC validation will fail. NTP
+ should be running. This presents a problem for routers
+ without a battery-backed clock. To set the time needs NTP
+ to do DNS lookups, but lookups will fail until NTP has run.
+ To address this, there's a flag, --dnssec-no-timecheck
+ which disables the time checks (only) in DNSSEC. When dnsmasq
+ is started and the clock is not synced, this flag should
+ be used. As soon as the clock is synced, SIGHUP dnsmasq.
+ The SIGHUP clears the cache of partially-validated data and
+ resets the no-timecheck flag, so that all DNSSEC checks
+ henceforward will be complete.
+
+ The development of DNSSEC in dnsmasq was started by
+ Giovanni Bajo, to whom huge thanks are owed. It has been
+ supported by Comcast, whose techfund grant has allowed for
+ an invaluable period of full-time work to get it to
+ a workable state.
+
+ Add --rev-server. Thanks to Dave Taht for suggesting this.
+
+ Add --servers-file. Allows dynamic update of upstream servers
+ full access to configuration.
+
+ Add --local-service. Accept DNS queries only from hosts
+ whose address is on a local subnet, ie a subnet for which
+ an interface exists on the server. This option
+ only has effect if there are no --interface --except-interface,
+ --listen-address or --auth-server options. It is intended
+ to be set as a default on installation, to allow
+ unconfigured installations to be useful but also safe from
+ being used for DNS amplification attacks.
+
+ Fix crashes in cache_get_cname_target() when dangling CNAMEs
+ encountered. Thanks to Andy and the rt-n56u project for
+ find this and helping to chase it down.
+
+ Fix wrong RCODE in authoritative DNS replies to PTR queries. The
+ correct answer was included, but the RCODE was set to NXDOMAIN.
+ Thanks to Craig McQueen for spotting this.
+
+ Make statistics available as DNS queries in the .bind TLD as
+ well as logging them.
+
+
version 2.68
Use random addresses for DHCPv6 temporary address
allocations, instead of algorithmically determined stable
isn't possible for IPv4 and can generate scary warnings,
but as it's always possible for IPv6 (the API always
exists) then we should do it always.
-
+
+ Tweak the rules on prefix-lengths in --dhcp-range for
+ IPv6. The new rule is that the specified prefix length
+ must be larger than or equal to the prefix length of the
+ corresponding address on the local interface.
+
version 2.67
Fix crash if upstream server returns SERVFAIL when
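Review bot: the new 2.69 DNSSEC paragraph contains a wording error that inverts its meaning: "Without --dnssec-check-unsigned using such an upstream server will simply result in not queries being validated" should read "in no queries being validated". Since the same paragraph says that with --dnssec-check-unsigned and a DNSSEC-ignorant upstream "_all_ queries will fail", it would help to say how an operator can confirm an upstream is DNSSEC-capable before turning the flag on; the entry already mentions that --log-queries "will show DNSSEC in action", and pointing at that as the check would be enough. Smaller fixes in the added lines: "saves CPU by noy polling" should be "not polling"; "THis appears to have been broken" should be "This"; "Thansk to RinSatsuki" should be "Thanks"; "assigning existing DHCP leases to intefaces" should be "interfaces"; "Fix bug when resulted in NXDOMAIN" should be "which resulted"; "the contructor: syntax" should be "constructor:"; "Thanks fogobogo" should be "Thanks to fogobogo"; "this add dependencies on the nettle crypto library" should be "adds"; "To enable, DNSSEC, you will need" has a stray comma; "all thats needed" should be "all that's needed"; "which significantly improve the performance" should be "improves"; "for find this and helping" should be "finding". The 2.73 entries for the servers.bind CHAOS lookup ("This causes memory corruption which causes a crash later") and the "crash on receipt of certain malformed DNS requests" are security-relevant; if advisory identifiers were assigned for either, cite them in the entry so downstream packagers can map the fix. In the 2.68 region, the removed line followed by the re-added line just before "Tweak the rules on prefix-lengths" shows no visible content, so it looks like a whitespace-only change and could be dropped from the patch unless intended; the unchanged context "allocations, instead of algorithmically determined stable" followed by "isn't possible for IPv4" also reads as if part of the existing entry is missing between those two lines, which is worth checking against the file rather than the diff.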