--- /dev/null
+../../../common/dnsmasq
\ No newline at end of file
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0069-Whitespace-fixes.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0070-Return-INSECURE-rather-than-BOGUS-when-DS-proved-not.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0071-Fix-compiler-warning-when-not-including-DNSSEC.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0072-Fix-crash-caused-by-looking-up-servers.bind-when-man.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0073-Fix-crash-on-receipt-of-certain-malformed-DNS-reques.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0074-Fix-crash-in-auth-code-with-odd-configuration.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0075-Auth-correct-replies-to-NS-and-SOA-in-.arpa-zones.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0076-Fix-srk-induced-crash-in-new-tftp_no_fail-code.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0077-Note-CVE-2015-3294.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0078-Log-domain-when-reporting-DNSSEC-validation-failure.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch
cd $(DIR_APP) && sed -i src/config.h \
-e 's|/\* #define HAVE_IDN \*/|#define HAVE_IDN|g' \
From f2658275b25ebfe691cdcb9fede85a3088cca168 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Thu, 25 Sep 2014 21:51:25 +0100
-Subject: [PATCH 01/71] Add newline at the end of example config file.
+Subject: [PATCH 01/78] Add newline at the end of example config file.
---
dnsmasq.conf.example | 2 +-
From 00cd9d551998307225312fd21f761cfa8868bd2c Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Thu, 2 Oct 2014 21:44:21 +0100
-Subject: [PATCH 02/71] crash at startup when an empty suffix is supplied to
+Subject: [PATCH 02/78] crash at startup when an empty suffix is supplied to
--conf-dir
---
From 6ac3bc0452a74e16e3d620a0757b0f8caab182ec Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 3 Oct 2014 08:48:11 +0100
-Subject: [PATCH 03/71] Debian build fixes for kFreeBSD
+Subject: [PATCH 03/78] Debian build fixes for kFreeBSD
---
src/tables.c | 6 +++++-
From e9828b6f66b22ce8873f8d30a773137d1aef1b92 Mon Sep 17 00:00:00 2001
From: Karl Vogel <karl.vogel@gmail.com>
Date: Fri, 3 Oct 2014 21:45:15 +0100
-Subject: [PATCH 04/71] Set conntrack mark before connect() call.
+Subject: [PATCH 04/78] Set conntrack mark before connect() call.
SO_MARK has to be done before issuing the connect() call on the
TCP socket.
From 17b475912f6a4e72797a543dad59d4d5dde6bb1b Mon Sep 17 00:00:00 2001
From: Daniel Collins <daniel.collins@smoothwall.net>
Date: Fri, 3 Oct 2014 21:58:43 +0100
-Subject: [PATCH 05/71] Fix typo in new Dbus code.
+Subject: [PATCH 05/78] Fix typo in new Dbus code.
Simon's fault.
---
From 3d9d2dd0018603a2ae4b9cd65ac6ff959f4fd8c7 Mon Sep 17 00:00:00 2001
From: Tomas Hozza <thozza@redhat.com>
Date: Mon, 6 Oct 2014 10:46:48 +0100
-Subject: [PATCH 06/71] Fit example conf file typo.
+Subject: [PATCH 06/78] Fit example conf file typo.
---
dnsmasq.conf.example | 2 +-
From b9ff5c8f435173cfa616e3c398bdc089ef690a07 Mon Sep 17 00:00:00 2001
From: Vladislav Grishenko <themiron@mail.ru>
Date: Mon, 6 Oct 2014 14:34:24 +0100
-Subject: [PATCH 07/71] Improve RFC-compliance when unable to supply addresses
+Subject: [PATCH 07/78] Improve RFC-compliance when unable to supply addresses
in DHCPv6
While testing https://github.com/sbyx/odhcp6c client I have noticed it
From 98906275a02ae260fe3f82133bd79054f8315f06 Mon Sep 17 00:00:00 2001
From: Hans Dedecker <dedeckeh@gmail.com>
Date: Tue, 9 Dec 2014 22:22:53 +0000
-Subject: [PATCH 08/71] Fix conntrack with --bind-interfaces
+Subject: [PATCH 08/78] Fix conntrack with --bind-interfaces
Make sure dst_addr is assigned the correct address in receive_query when OPTNOWILD is
enabled so the assigned mark can be correctly retrieved and set in forward_query when
From 193de4abf59e49c6b70d54cfe9720fcb95ca2f71 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Wed, 10 Dec 2014 17:32:16 +0000
-Subject: [PATCH 09/71] Use inotify instead of polling on Linux.
+Subject: [PATCH 09/78] Use inotify instead of polling on Linux.
This should solve problems people are seeing when a file changes
twice within a second and thus is missed for polling.
From 857973e6f7e0a3d03535a9df7f9373fd7a0b65cc Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 15 Dec 2014 15:58:13 +0000
-Subject: [PATCH 10/71] Teach the new inotify code about symlinks.
+Subject: [PATCH 10/78] Teach the new inotify code about symlinks.
---
src/inotify.c | 43 +++++++++++++++++++++++++++----------------
From 800c5cc1e7438818fd80f08c2d472df249a6942d Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 15 Dec 2014 17:50:15 +0000
-Subject: [PATCH 11/71] Remove floor on EDNS0 packet size with DNSSEC.
+Subject: [PATCH 11/78] Remove floor on EDNS0 packet size with DNSSEC.
---
CHANGELOG | 6 +++++-
From ad946d555dce44eb690c7699933b6ff40ab85bb6 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 15 Dec 2014 17:52:22 +0000
-Subject: [PATCH 12/71] CHANGELOG re. inotify.
+Subject: [PATCH 12/78] CHANGELOG re. inotify.
---
CHANGELOG | 4 ++++
From 3ad3f3bbd4ee716a7d2fb1e115cf89bd1b1a5de9 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Tue, 16 Dec 2014 18:25:17 +0000
-Subject: [PATCH 13/71] Fix breakage of --domain=<domain>,<subnet>,local
+Subject: [PATCH 13/78] Fix breakage of --domain=<domain>,<subnet>,local
---
CHANGELOG | 4 ++++
From bd9520b7ade7098ee423acc38965376aa57feb07 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Tue, 16 Dec 2014 20:41:29 +0000
-Subject: [PATCH 14/71] Remove redundant IN6_IS_ADDR_ULA(a) macro defn.
+Subject: [PATCH 14/78] Remove redundant IN6_IS_ADDR_ULA(a) macro defn.
---
src/network.c | 4 ----
From 476693678e778886b64d0b56e27eb7695cbcca99 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Wed, 17 Dec 2014 12:41:56 +0000
-Subject: [PATCH 15/71] Eliminate IPv6 privacy addresses from --interface-name
+Subject: [PATCH 15/78] Eliminate IPv6 privacy addresses from --interface-name
answers.
---
From 3267804598047bd1781cab91508d1bc516e5ddbb Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Wed, 17 Dec 2014 20:38:20 +0000
-Subject: [PATCH 16/71] Tweak field width in cache dump to avoid truncating
+Subject: [PATCH 16/78] Tweak field width in cache dump to avoid truncating
IPv6 addresses.
---
From 094b5c3d904bae9aeb3206d9f3b8348926b84975 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sun, 21 Dec 2014 16:11:52 +0000
-Subject: [PATCH 17/71] Fix crash in DNSSEC code when attempting to verify
+Subject: [PATCH 17/78] Fix crash in DNSSEC code when attempting to verify
large RRs.
---
From cbc652423403e3cef00e00240f6beef713142246 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sun, 21 Dec 2014 21:21:53 +0000
-Subject: [PATCH 18/71] Make caching work for CNAMEs pointing to A/AAAA records
+Subject: [PATCH 18/78] Make caching work for CNAMEs pointing to A/AAAA records
shadowed in /etc/hosts
If the answer to an upstream query is a CNAME which points to an
From fbc5205702c7f6f431d9f1043c553d7fb62ddfdb Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Tue, 23 Dec 2014 15:46:08 +0000
-Subject: [PATCH 19/71] Fix problems validating NSEC3 and wildcards.
+Subject: [PATCH 19/78] Fix problems validating NSEC3 and wildcards.
---
src/dnssec.c | 253 ++++++++++++++++++++++++++++++-----------------------------
From 83d2ed09fc0216b567d7fb2197e4ff3eae150b0d Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Tue, 23 Dec 2014 18:42:38 +0000
-Subject: [PATCH 20/71] Initialise return value.
+Subject: [PATCH 20/78] Initialise return value.
---
src/dnssec.c | 7 +++++--
From 32fc6dbe03569d70dd394420ceb73532cf303c33 Mon Sep 17 00:00:00 2001
From: Glen Huang <curvedmark@gmail.com>
Date: Sat, 27 Dec 2014 15:28:12 +0000
-Subject: [PATCH 21/71] Add --ignore-address option.
+Subject: [PATCH 21/78] Add --ignore-address option.
---
CHANGELOG | 8 ++++++++
From 0b1008d367d44e77352134a4c5178f896f0db3e7 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 27 Dec 2014 15:33:32 +0000
-Subject: [PATCH 22/71] Bad packet protection.
+Subject: [PATCH 22/78] Bad packet protection.
---
src/dnssec.c | 2 +-
From d310ab7ecbffce79d3d90debba621e0222f9bced Mon Sep 17 00:00:00 2001
From: Matthias Andree <matthias.andree@gmx.de>
Date: Sat, 27 Dec 2014 15:36:38 +0000
-Subject: [PATCH 23/71] Fix build failure in new inotify code on BSD.
+Subject: [PATCH 23/78] Fix build failure in new inotify code on BSD.
---
src/inotify.c | 4 ++--
From 81c538efcebfce2ce4a1d3a420b6c885b8f08df9 Mon Sep 17 00:00:00 2001
From: Yousong Zhou <yszhou4tech@gmail.com>
Date: Sat, 3 Jan 2015 16:36:14 +0000
-Subject: [PATCH 24/71] Implement makefile dependencies on COPTS variable.
+Subject: [PATCH 24/78] Implement makefile dependencies on COPTS variable.
---
.gitignore | 2 +-
From d8dbd903d024f84a149dac2f8a674a68dfed47a3 Mon Sep 17 00:00:00 2001
From: Yousong Zhou <yszhou4tech@gmail.com>
Date: Mon, 5 Jan 2015 17:03:35 +0000
-Subject: [PATCH 25/71] Fix race condition issue in makefile.
+Subject: [PATCH 25/78] Fix race condition issue in makefile.
---
Makefile | 4 +++-
From 97e618a0e3f29465acc689d87288596b006f197e Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Wed, 7 Jan 2015 21:55:43 +0000
-Subject: [PATCH 26/71] DNSSEC: do top-down search for limit of secure
+Subject: [PATCH 26/78] DNSSEC: do top-down search for limit of secure
delegation.
---
From 25cf5e373eb41c088d4ee5e625209c4cf6a5659e Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 9 Jan 2015 15:53:03 +0000
-Subject: [PATCH 27/71] Add --log-queries=extra option for more complete
+Subject: [PATCH 27/78] Add --log-queries=extra option for more complete
logging.
---
From 28de38768e2c7d763b9aa5b7a4d251d5e56bab0b Mon Sep 17 00:00:00 2001
From: RinSatsuki <aa65535@live.com>
Date: Sat, 10 Jan 2015 15:22:21 +0000
-Subject: [PATCH 28/71] Add --min-cache-ttl option.
+Subject: [PATCH 28/78] Add --min-cache-ttl option.
---
CHANGELOG | 7 +++++++
From 9f79ee4ae34886c0319f06d8f162b81ef79d62fb Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 12 Jan 2015 20:18:18 +0000
-Subject: [PATCH 29/71] Log port of requestor when doing extra logging.
+Subject: [PATCH 29/78] Log port of requestor when doing extra logging.
---
src/cache.c | 6 +++---
From 5e321739db381a1d7b5964d76e9c81471d2564c9 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 12 Jan 2015 23:16:56 +0000
-Subject: [PATCH 30/71] Don't answer from cache RRsets from wildcards, as we
+Subject: [PATCH 30/78] Don't answer from cache RRsets from wildcards, as we
don't have NSECs.
---
From ae4624bf46b5e37ff1a9a2ba3c927e0dede95adb Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 12 Jan 2015 23:22:08 +0000
-Subject: [PATCH 31/71] Logs for DS records consistent.
+Subject: [PATCH 31/78] Logs for DS records consistent.
---
src/rfc1035.c | 2 +-
From 393415597c8b5b09558b789ab9ac238dbe3db65d Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sun, 18 Jan 2015 22:11:10 +0000
-Subject: [PATCH 32/71] Cope with multiple interfaces with the same LL address.
+Subject: [PATCH 32/78] Cope with multiple interfaces with the same LL address.
---
CHANGELOG | 4 ++++
From 2ae195f5a71f7c5a75717845de1bd72fc7dd67f3 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sun, 18 Jan 2015 22:20:48 +0000
-Subject: [PATCH 33/71] Don't treat SERVFAIL as a recoverable error.....
+Subject: [PATCH 33/78] Don't treat SERVFAIL as a recoverable error.....
---
src/forward.c | 2 +-
From 5f4dc5c6ca50655ab14f572c7e30815ed74cd51a Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Tue, 20 Jan 2015 20:51:02 +0000
-Subject: [PATCH 34/71] Add --dhcp-hostsdir config option.
+Subject: [PATCH 34/78] Add --dhcp-hostsdir config option.
---
CHANGELOG | 5 +++
From fbf01f7046e75f9aa73fd4aab2a94e43386d9052 Mon Sep 17 00:00:00 2001
From: Conrad Kostecki <ck@conrad-kostecki.de>
Date: Tue, 20 Jan 2015 21:07:56 +0000
-Subject: [PATCH 35/71] Update German translation.
+Subject: [PATCH 35/78] Update German translation.
---
po/de.po | 101 +++++++++++++++++++++++++++++----------------------------------
From 61b838dd574c51d96fef100285a0d225824534f9 Mon Sep 17 00:00:00 2001
From: Win King Wan <pinwing+dnsmasq@gmail.com>
Date: Wed, 21 Jan 2015 20:41:48 +0000
-Subject: [PATCH 36/71] Don't reply to DHCPv6 SOLICIT messages when not
+Subject: [PATCH 36/78] Don't reply to DHCPv6 SOLICIT messages when not
configured for statefull DHCPv6.
---
From 0491805d2ff6e7727f0272c94fd97d9897d1e22c Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 26 Jan 2015 11:23:43 +0000
-Subject: [PATCH 37/71] Allow inotify to be disabled at compile time on Linux.
+Subject: [PATCH 37/78] Allow inotify to be disabled at compile time on Linux.
---
CHANGELOG | 4 +++-
From 70d1873dd9e70041ed4bb88c69d5b886b7cc634c Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 31 Jan 2015 19:59:29 +0000
-Subject: [PATCH 38/71] Expand inotify code to dhcp-hostsdir, dhcp-optsdir and
+Subject: [PATCH 38/78] Expand inotify code to dhcp-hostsdir, dhcp-optsdir and
hostsdir.
---
From aff3396280e944833f0e23d834aa6acd5fe2605a Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 31 Jan 2015 20:13:40 +0000
-Subject: [PATCH 39/71] Update copyrights for dawn of 2015.
+Subject: [PATCH 39/78] Update copyrights for dawn of 2015.
---
Makefile | 2 +-
From 3d04f46334d0e345f589eda1372e638b946fe637 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 31 Jan 2015 21:59:13 +0000
-Subject: [PATCH 40/71] inotify documentation updates.
+Subject: [PATCH 40/78] inotify documentation updates.
---
man/dnsmasq.8 | 11 +++++++++--
From 6ef15b34ca83c62a939f69356d5c3f7a6bfef3d0 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 31 Jan 2015 22:44:26 +0000
-Subject: [PATCH 41/71] Fix broken ECDSA DNSSEC signatures.
+Subject: [PATCH 41/78] Fix broken ECDSA DNSSEC signatures.
---
CHANGELOG | 2 ++
From 106266761828a0acb006346ae47bf031dee46a5d Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sun, 1 Feb 2015 00:15:16 +0000
-Subject: [PATCH 42/71] BSD make support
+Subject: [PATCH 42/78] BSD make support
---
Makefile | 6 ++++--
From 8d8a54ec79d9f96979fabbd97b1dd2ddebc7d78f Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sun, 1 Feb 2015 21:48:46 +0000
-Subject: [PATCH 43/71] Fix build failure on openBSD.
+Subject: [PATCH 43/78] Fix build failure on openBSD.
---
src/tables.c | 2 +-
From d36b732c4cfa91ea09af64b5dc0f3a85a075e5bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= <thiebaud@weksteen.fr>
Date: Mon, 2 Feb 2015 21:37:27 +0000
-Subject: [PATCH 44/71] Manpage typo fix.
+Subject: [PATCH 44/78] Manpage typo fix.
---
man/dnsmasq.8 | 2 +-
From 2941d3ac898cf84b544e47c9735c5e4111711db1 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 2 Feb 2015 22:36:42 +0000
-Subject: [PATCH 45/71] Fixup dhcp-configs after reading extra hostfiles with
+Subject: [PATCH 45/78] Fixup dhcp-configs after reading extra hostfiles with
inotify.
---
From f9c863708c6b0aea31ff7a466647685dc739de50 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Tue, 3 Feb 2015 21:52:48 +0000
-Subject: [PATCH 46/71] Extra logging for inotify code.
+Subject: [PATCH 46/78] Extra logging for inotify code.
---
src/cache.c | 9 ++++-----
From efb8b5566aafc1f3ce18514a2df93af5a2e4998c Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 7 Feb 2015 22:36:34 +0000
-Subject: [PATCH 47/71] man page typo.
+Subject: [PATCH 47/78] man page typo.
---
man/dnsmasq.8 | 1 +
From f4f400776b3c1aa303d1a0fcd500f0ab5bc970f2 Mon Sep 17 00:00:00 2001
From: Shantanu Gadgil <shantanugadgil@yahoo.com>
Date: Wed, 11 Feb 2015 20:16:59 +0000
-Subject: [PATCH 48/71] Fix get-version script which returned wrong tag in some
+Subject: [PATCH 48/78] Fix get-version script which returned wrong tag in some
situations.
---
From 8ff70de618eb7de9147dbfbd4deca4a2dd62f0cb Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 14 Feb 2015 20:02:37 +0000
-Subject: [PATCH 49/71] Typos.
+Subject: [PATCH 49/78] Typos.
---
src/inotify.c | 3 ++-
From caeea190f12efd20139f694aac4942d1ac00019f Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 14 Feb 2015 20:08:56 +0000
-Subject: [PATCH 50/71] Make dynamic hosts files work when --no-hosts set.
+Subject: [PATCH 50/78] Make dynamic hosts files work when --no-hosts set.
---
src/cache.c | 21 +++++++++++----------
From 28b879ac47b872af6e8c5e86d76806c69338434d Mon Sep 17 00:00:00 2001
From: Chen Wei <weichen302@icloud.com>
Date: Tue, 17 Feb 2015 22:07:35 +0000
-Subject: [PATCH 51/71] Fix trivial memory leaks to quieten valgrind.
+Subject: [PATCH 51/78] Fix trivial memory leaks to quieten valgrind.
---
src/dnsmasq.c | 2 ++
From 0705a7e2d57654b27c7e14f35ca77241c1821f4d Mon Sep 17 00:00:00 2001
From: Tomas Hozza <thozza@redhat.com>
Date: Mon, 23 Feb 2015 21:26:26 +0000
-Subject: [PATCH 52/71] Fix uninitialized value used in get_client_mac()
+Subject: [PATCH 52/78] Fix uninitialized value used in get_client_mac()
---
src/dhcp6.c | 4 +++-
From 47b9ac59c715827252ae6e6732903c3dabb697fb Mon Sep 17 00:00:00 2001
From: Joachim Zobel <jz-2014@heute-morgen.de>
Date: Mon, 23 Feb 2015 21:38:11 +0000
-Subject: [PATCH 53/71] Log parsing utils in contrib/reverse-dns
+Subject: [PATCH 53/78] Log parsing utils in contrib/reverse-dns
---
contrib/reverse-dns/README | 18 ++++++++++++++++++
From f6e62e2af96f5fa0d1e3d93167a93a8f09bf6e61 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sun, 1 Mar 2015 18:17:54 +0000
-Subject: [PATCH 54/71] Add --dnssec-timestamp option and facility.
+Subject: [PATCH 54/78] Add --dnssec-timestamp option and facility.
---
CHANGELOG | 6 +++++
From 9003b50b13da624ca45f3e0cf99abb623b8d026b Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 2 Mar 2015 22:47:23 +0000
-Subject: [PATCH 55/71] Fix last commit to not crash if uid changing not
+Subject: [PATCH 55/78] Fix last commit to not crash if uid changing not
configured.
---
From 4c960fa90a975d20f75a1ecabd217247f1922c8f Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Wed, 4 Mar 2015 20:32:26 +0000
-Subject: [PATCH 56/71] New version of contrib/reverse-dns
+Subject: [PATCH 56/78] New version of contrib/reverse-dns
---
contrib/reverse-dns/README | 22 +++---
From 360f2513ab12a9bf1e262d388dd2ea8a566590a3 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 7 Mar 2015 18:28:06 +0000
-Subject: [PATCH 57/71] Tweak DNSSEC timestamp code to create file later,
+Subject: [PATCH 57/78] Tweak DNSSEC timestamp code to create file later,
removing need to chown it.
---
From ff841ebf5a5d6864ff48571f607c32ce80dbb75a Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Wed, 11 Mar 2015 21:36:30 +0000
-Subject: [PATCH 58/71] Fix boilerplate code for re-running system calls on
+Subject: [PATCH 58/78] Fix boilerplate code for re-running system calls on
EINTR and EAGAIN etc.
The nasty code with static variable in retry_send() which
From 979fe86bc8693f660eddea232ae39cbbb50b294c Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Thu, 19 Mar 2015 22:50:22 +0000
-Subject: [PATCH 59/71] Make --address=/example.com/ equivalent to
+Subject: [PATCH 59/78] Make --address=/example.com/ equivalent to
--server=/example.com/
---
From 65c721200023ef0023114459a8d12f8b0a24cfd8 Mon Sep 17 00:00:00 2001
From: Lung-Pin Chang <changlp@cs.nctu.edu.tw>
Date: Thu, 19 Mar 2015 23:22:21 +0000
-Subject: [PATCH 60/71] dhcp: set outbound interface via cmsg in unicast reply
+Subject: [PATCH 60/78] dhcp: set outbound interface via cmsg in unicast reply
If multiple routes to the same network exist, Linux blindly picks
the first interface (route) based on destination address, which might not be
From 8805283088d670baecb92569252c01cf754cda51 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Thu, 26 Mar 2015 21:15:43 +0000
-Subject: [PATCH 61/71] Don't fail DNSSEC when a signed CNAME dangles into an
+Subject: [PATCH 61/78] Don't fail DNSSEC when a signed CNAME dangles into an
unsigned zone.
---
From 150162bc37170a6edae9d488435e836b1e4e3a4e Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 27 Mar 2015 09:58:26 +0000
-Subject: [PATCH 62/71] Return SERVFAIL when validation abandoned.
+Subject: [PATCH 62/78] Return SERVFAIL when validation abandoned.
---
src/forward.c | 11 +++++++++--
From 0b8a5a30a77331974ba24a04e43e720585dfbc61 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 27 Mar 2015 11:44:55 +0000
-Subject: [PATCH 63/71] Protect against broken DNSSEC upstreams.
+Subject: [PATCH 63/78] Protect against broken DNSSEC upstreams.
---
src/dnssec.c | 7 +++++--
From 1e153945def3c50d1e59ceea6a768db0ac770f98 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 28 Mar 2015 21:34:07 +0000
-Subject: [PATCH 64/71] DNSSEC fix for non-ascii characters in labels.
+Subject: [PATCH 64/78] DNSSEC fix for non-ascii characters in labels.
---
src/dnssec.c | 34 +++++++++++++++++-----------------
From 394ff492da6af5da7e7d356be9586683bc5fc011 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sun, 29 Mar 2015 22:17:14 +0100
-Subject: [PATCH 65/71] Allow control characters in names in the cache, handle
+Subject: [PATCH 65/78] Allow control characters in names in the cache, handle
when logging.
---
From 794fccca7ffebfba4468bfffc6276b68bbf6afd9 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sun, 29 Mar 2015 22:35:44 +0100
-Subject: [PATCH 66/71] Fix crash in last commit.
+Subject: [PATCH 66/78] Fix crash in last commit.
---
src/cache.c | 7 ++++---
From fd6ad9e481ab7c812a6b1515244908818cbb0442 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 30 Mar 2015 07:52:21 +0100
-Subject: [PATCH 67/71] Merge message translations.
+Subject: [PATCH 67/78] Merge message translations.
---
po/de.po | 803 +++++++++++++++++++++++++++++++++--------------------------
From 30d0879ed55cb67b1b735beab3d93f3bb3ef1dd2 Mon Sep 17 00:00:00 2001
From: Stefan Tomanek <stefan.tomanek+dnsmasq@wertarbyte.de>
Date: Tue, 31 Mar 2015 22:32:11 +0100
-Subject: [PATCH 68/71] add --tftp-no-fail to ignore missing tftp root
+Subject: [PATCH 68/78] add --tftp-no-fail to ignore missing tftp root
---
CHANGELOG | 3 +++
From 7aa970e2c7043201663d86a4b5d8cd5c592cef39 Mon Sep 17 00:00:00 2001
From: Stefan Tomanek <stefan.tomanek+dnsmasq@wertarbyte.de>
Date: Wed, 1 Apr 2015 17:55:07 +0100
-Subject: [PATCH 69/71] Whitespace fixes.
+Subject: [PATCH 69/78] Whitespace fixes.
---
src/dnsmasq.c | 14 +++++++-------
From fe3992f9fa69fa975ea31919c53933b5f6a63527 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 3 Apr 2015 21:25:05 +0100
-Subject: [PATCH 70/71] Return INSECURE, rather than BOGUS when DS proved not
+Subject: [PATCH 70/78] Return INSECURE, rather than BOGUS when DS proved not
to exist.
Return INSECURE when validating DNS replies which have RRSIGs, but
From 982faf402487e265ed11ac03524531d42b03c966 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 3 Apr 2015 21:42:30 +0100
-Subject: [PATCH 71/71] Fix compiler warning when not including DNSSEC.
+Subject: [PATCH 71/78] Fix compiler warning when not including DNSSEC.
---
src/forward.c | 3 ++-
--- /dev/null
+From 04b0ac05377936d121a36873bb63d492cde292c9 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Mon, 6 Apr 2015 17:19:13 +0100
+Subject: [PATCH 72/78] Fix crash caused by looking up servers.bind when many
+ servers defined.
+
+---
+ CHANGELOG | 7 ++++++-
+ src/cache.c | 4 ++--
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 34432ae4807f..6aa3d851a297 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -75,7 +75,12 @@ version 2.73
+
+ Add --tftp-no-fail option. Thanks to Stefan Tomanek for
+ the patch.
+-
++
++ Fix crash caused by looking up servers.bind, CHAOS text record,
++ when more than about five --servers= lines are in the dnsmasq
++ config. This causes memory corruption which causes a crash later.
++ Thanks to Matt Coddington for sterling work chasing this down.
++
+
+ version 2.72
+ Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.
+diff --git a/src/cache.c b/src/cache.c
+index d7bea574c0d8..178d654ca92e 100644
+--- a/src/cache.c
++++ b/src/cache.c
+@@ -1367,7 +1367,7 @@ int cache_make_stat(struct txt_record *t)
+ }
+ port = prettyprint_addr(&serv->addr, daemon->addrbuff);
+ lenp = p++; /* length */
+- bytes_avail = (p - buff) + bufflen;
++ bytes_avail = bufflen - (p - buff );
+ bytes_needed = snprintf(p, bytes_avail, "%s#%d %u %u", daemon->addrbuff, port, queries, failed_queries);
+ if (bytes_needed >= bytes_avail)
+ {
+@@ -1381,7 +1381,7 @@ int cache_make_stat(struct txt_record *t)
+ lenp = p - 1;
+ buff = new;
+ bufflen = newlen;
+- bytes_avail = (p - buff) + bufflen;
++ bytes_avail = bufflen - (p - buff );
+ bytes_needed = snprintf(p, bytes_avail, "%s#%d %u %u", daemon->addrbuff, port, queries, failed_queries);
+ }
+ *lenp = bytes_needed;
+--
+2.1.0
+
--- /dev/null
+From ad4a8ff7d9097008d7623df8543df435bfddeac8 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Thu, 9 Apr 2015 21:48:00 +0100
+Subject: [PATCH 73/78] Fix crash on receipt of certain malformed DNS requests.
+
+---
+ CHANGELOG | 3 +++
+ src/rfc1035.c | 9 ++++++---
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 6aa3d851a297..9af617056f1f 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -125,6 +125,9 @@ version 2.72
+ Fix problem with --local-service option on big-endian platforms
+ Thanks to Richard Genoud for the patch.
+
++ Fix crash on receipt of certain malformed DNS requests. Thanks
++ to Nick Sampanis for spotting the problem.
++
+
+ version 2.71
+ Subtle change to error handling to help DNSSEC validation
+diff --git a/src/rfc1035.c b/src/rfc1035.c
+index 7a07b0cee906..a995ab50d74a 100644
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -1198,7 +1198,10 @@ unsigned int extract_request(struct dns_header *header, size_t qlen, char *name,
+ size_t setup_reply(struct dns_header *header, size_t qlen,
+ struct all_addr *addrp, unsigned int flags, unsigned long ttl)
+ {
+- unsigned char *p = skip_questions(header, qlen);
++ unsigned char *p;
++
++ if (!(p = skip_questions(header, qlen)))
++ return 0;
+
+ /* clear authoritative and truncated flags, set QR flag */
+ header->hb3 = (header->hb3 & ~(HB3_AA | HB3_TC)) | HB3_QR;
+@@ -1214,7 +1217,7 @@ size_t setup_reply(struct dns_header *header, size_t qlen,
+ SET_RCODE(header, NOERROR); /* empty domain */
+ else if (flags == F_NXDOMAIN)
+ SET_RCODE(header, NXDOMAIN);
+- else if (p && flags == F_IPV4)
++ else if (flags == F_IPV4)
+ { /* we know the address */
+ SET_RCODE(header, NOERROR);
+ header->ancount = htons(1);
+@@ -1222,7 +1225,7 @@ size_t setup_reply(struct dns_header *header, size_t qlen,
+ add_resource_record(header, NULL, NULL, sizeof(struct dns_header), &p, ttl, NULL, T_A, C_IN, "4", addrp);
+ }
+ #ifdef HAVE_IPV6
+- else if (p && flags == F_IPV6)
++ else if (flags == F_IPV6)
+ {
+ SET_RCODE(header, NOERROR);
+ header->ancount = htons(1);
+--
+2.1.0
+
--- /dev/null
+From 38440b204db65f9be16c4c3daa7e991e4356f6ed Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Sun, 12 Apr 2015 21:52:47 +0100
+Subject: [PATCH 74/78] Fix crash in auth code with odd configuration.
+
+---
+ CHANGELOG | 32 +++++++++++++++++++++-----------
+ src/auth.c | 13 ++++++++-----
+ 2 files changed, 29 insertions(+), 16 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 9af617056f1f..f2142c71cbdc 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -68,18 +68,31 @@ version 2.73
+ Fix broken DNSSEC validation of ECDSA signatures.
+
+ Add --dnssec-timestamp option, which provides an automatic
+- way to detect when the system time becomes valid after boot
+- on systems without an RTC, whilst allowing DNS queries before the
+- clock is valid so that NTP can run. Thanks to
+- Kevin Darbyshire-Bryant for developing this idea.
++ way to detect when the system time becomes valid after
++ boot on systems without an RTC, whilst allowing DNS
++ queries before the clock is valid so that NTP can run.
++ Thanks to Kevin Darbyshire-Bryant for developing this idea.
+
+ Add --tftp-no-fail option. Thanks to Stefan Tomanek for
+ the patch.
+
+- Fix crash caused by looking up servers.bind, CHAOS text record,
+- when more than about five --servers= lines are in the dnsmasq
+- config. This causes memory corruption which causes a crash later.
+- Thanks to Matt Coddington for sterling work chasing this down.
++ Fix crash caused by looking up servers.bind, CHAOS text
++ record, when more than about five --servers= lines are
++ in the dnsmasq config. This causes memory corruption
++ which causes a crash later. Thanks to Matt Coddington for
++ sterling work chasing this down.
++
++ Fix crash on receipt of certain malformed DNS requests.
++ Thanks to Nick Sampanis for spotting the problem.
++
++ Fix crash in authoritative DNS code, if a .arpa zone
++ is declared as authoritative, and then a PTR query which
++ is not to be treated as authoritative arrived. Normally,
++ directly declaring .arpa zone as authoritative is not
++ done, so this crash wouldn't be seen. Instead the
++ relevant .arpa zone should be specified as a subnet
++ in the auth-zone declaration. Thanks to Johnny S. Lee
++ for the bugreport and initial patch.
+
+
+ version 2.72
+@@ -125,10 +138,7 @@ version 2.72
+ Fix problem with --local-service option on big-endian platforms
+ Thanks to Richard Genoud for the patch.
+
+- Fix crash on receipt of certain malformed DNS requests. Thanks
+- to Nick Sampanis for spotting the problem.
+
+-
+ version 2.71
+ Subtle change to error handling to help DNSSEC validation
+ when servers fail to provide NODATA answers for
+diff --git a/src/auth.c b/src/auth.c
+index 15721e52793f..4a5c39fc5c07 100644
+--- a/src/auth.c
++++ b/src/auth.c
+@@ -141,7 +141,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
+ for (zone = daemon->auth_zones; zone; zone = zone->next)
+ if ((subnet = find_subnet(zone, flag, &addr)))
+ break;
+-
++
+ if (!zone)
+ {
+ auth = 0;
+@@ -186,7 +186,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
+
+ if (intr)
+ {
+- if (in_zone(zone, intr->name, NULL))
++ if (local_query || in_zone(zone, intr->name, NULL))
+ {
+ found = 1;
+ log_query(flag | F_REVERSE | F_CONFIG, intr->name, &addr, NULL);
+@@ -208,8 +208,11 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
+ *p = 0; /* must be bare name */
+
+ /* add external domain */
+- strcat(name, ".");
+- strcat(name, zone->domain);
++ if (zone)
++ {
++ strcat(name, ".");
++ strcat(name, zone->domain);
++ }
+ log_query(flag | F_DHCP | F_REVERSE, name, &addr, record_source(crecp->uid));
+ found = 1;
+ if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
+@@ -217,7 +220,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
+ T_PTR, C_IN, "d", name))
+ anscount++;
+ }
+- else if (crecp->flags & (F_DHCP | F_HOSTS) && in_zone(zone, name, NULL))
++ else if (crecp->flags & (F_DHCP | F_HOSTS) && (local_query || in_zone(zone, name, NULL)))
+ {
+ log_query(crecp->flags & ~F_FORWARD, name, &addr, record_source(crecp->uid));
+ found = 1;
+--
+2.1.0
+
--- /dev/null
+From 78c6184752dce27849e36cce4360abc27b8d76d2 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Thu, 16 Apr 2015 15:05:30 +0100
+Subject: [PATCH 75/78] Auth: correct replies to NS and SOA in .arpa zones.
+
+---
+ CHANGELOG | 8 ++++++++
+ src/auth.c | 51 ++++++++++++++++++++++++++++++---------------------
+ 2 files changed, 38 insertions(+), 21 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index f2142c71cbdc..0619788e9cef 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -94,6 +94,14 @@ version 2.73
+ in the auth-zone declaration. Thanks to Johnny S. Lee
+ for the bugreport and initial patch.
+
++ Fix authoritative DNS code to correctly reply to NS
++ and SOA queries for .arpa zones for which we are
++ declared authoritative by means of a subnet in auth-zone.
++ Previously we provided correct answers to PTR queries
++ in such zones (including NS and SOA) but not direct
++ NS and SOA queries. Thanks to Johnny S. Lee for
++ pointing out the problem.
++
+
+ version 2.72
+ Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.
+diff --git a/src/auth.c b/src/auth.c
+index 4a5c39fc5c07..2b0b7d6b052d 100644
+--- a/src/auth.c
++++ b/src/auth.c
+@@ -131,24 +131,27 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
+ continue;
+ }
+
+- if (qtype == T_PTR)
++ if ((qtype == T_PTR || qtype == T_SOA || qtype == T_NS) &&
++ (flag = in_arpa_name_2_addr(name, &addr)) &&
++ !local_query)
+ {
+- if (!(flag = in_arpa_name_2_addr(name, &addr)))
+- continue;
+-
+- if (!local_query)
++ for (zone = daemon->auth_zones; zone; zone = zone->next)
++ if ((subnet = find_subnet(zone, flag, &addr)))
++ break;
++
++ if (!zone)
+ {
+- for (zone = daemon->auth_zones; zone; zone = zone->next)
+- if ((subnet = find_subnet(zone, flag, &addr)))
+- break;
+-
+- if (!zone)
+- {
+- auth = 0;
+- continue;
+- }
++ auth = 0;
++ continue;
+ }
++ else if (qtype == T_SOA)
++ soa = 1, found = 1;
++ else if (qtype == T_NS)
++ ns = 1, found = 1;
++ }
+
++ if (qtype == T_PTR && flag)
++ {
+ intr = NULL;
+
+ if (flag == F_IPV4)
+@@ -243,14 +246,20 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
+ }
+
+ cname_restart:
+- for (zone = daemon->auth_zones; zone; zone = zone->next)
+- if (in_zone(zone, name, &cut))
+- break;
+-
+- if (!zone)
++ if (found)
++ /* NS and SOA .arpa requests have set found above. */
++ cut = NULL;
++ else
+ {
+- auth = 0;
+- continue;
++ for (zone = daemon->auth_zones; zone; zone = zone->next)
++ if (in_zone(zone, name, &cut))
++ break;
++
++ if (!zone)
++ {
++ auth = 0;
++ continue;
++ }
+ }
+
+ for (rec = daemon->mxnames; rec; rec = rec->next)
+--
+2.1.0
+
--- /dev/null
+From b4c0f092d8ce63ea4763c0ac17aa8d24318ad301 Mon Sep 17 00:00:00 2001
+From: Stefan Tomanek <stefan.tomanek+dnsmasq@wertarbyte.de>
+Date: Thu, 16 Apr 2015 15:20:59 +0100
+Subject: [PATCH 76/78] Fix (srk induced) crash in new tftp_no_fail code.
+
+---
+ src/dnsmasq.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/dnsmasq.c b/src/dnsmasq.c
+index a7c5da8fbd01..20b15c05103a 100644
+--- a/src/dnsmasq.c
++++ b/src/dnsmasq.c
+@@ -655,7 +655,8 @@ int main (int argc, char **argv)
+ _exit(0);
+ }
+ }
+- closedir(dir);
++ else
++ closedir(dir);
+ }
+
+ for (p = daemon->if_prefix; p; p = p->next)
+@@ -670,7 +671,8 @@ int main (int argc, char **argv)
+ _exit(0);
+ }
+ }
+- closedir(dir);
++ else
++ closedir(dir);
+ }
+ }
+ #endif
+--
+2.1.0
+
--- /dev/null
+From 0df29f5e23fd2f16181847db1fcf3a8b392d869a Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Thu, 16 Apr 2015 15:24:52 +0100
+Subject: [PATCH 77/78] Note CVE-2015-3294
+
+---
+ CHANGELOG | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 0619788e9cef..7f2b1e002e9e 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -84,6 +84,9 @@ version 2.73
+
+ Fix crash on receipt of certain malformed DNS requests.
+ Thanks to Nick Sampanis for spotting the problem.
++ Note that this is could allow the dnsmasq process's
++ memory to be read by an attacker under certain
++ circumstances, so it has a CVE, CVE-2015-3294
+
+ Fix crash in authoritative DNS code, if a .arpa zone
+ is declared as authoritative, and then a PTR query which
+--
+2.1.0
+
--- /dev/null
+From 554b580e970275d5a869cb4fbfb2716f92b2f664 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Fri, 17 Apr 2015 22:50:20 +0100
+Subject: [PATCH 78/78] Log domain when reporting DNSSEC validation failure.
+
+---
+ src/forward.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/src/forward.c b/src/forward.c
+index 3f6b9a23b6ab..1c7da3f5655c 100644
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -1014,7 +1014,7 @@ void reply_query(int fd, int family, time_t now)
+ header->hb3 |= HB3_TC;
+ else
+ {
+- char *result;
++ char *result, *domain = "result";
+
+ if (forward->work_counter == 0)
+ {
+@@ -1024,7 +1024,10 @@ void reply_query(int fd, int family, time_t now)
+ else
+ result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
+
+- log_query(F_KEYTAG | F_SECSTAT, "result", NULL, result);
++ if (status == STAT_BOGUS && extract_request(header, n, daemon->namebuff, NULL))
++ domain = daemon->namebuff;
++
++ log_query(F_KEYTAG | F_SECSTAT, domain, NULL, result);
+ }
+
+ if (status == STAT_SECURE)
+@@ -1975,7 +1978,7 @@ unsigned char *tcp_request(int confd, time_t now,
+ {
+ int keycount = DNSSEC_WORK; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */
+ int status = tcp_key_recurse(now, STAT_TRUNCATED, header, m, 0, daemon->namebuff, daemon->keyname, last_server, &keycount);
+- char *result;
++ char *result, *domain = "result";
+
+ if (status == STAT_INSECURE_DS)
+ {
+@@ -1993,8 +1996,10 @@ unsigned char *tcp_request(int confd, time_t now,
+ }
+ else
+ result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
+-
+- log_query(F_KEYTAG | F_SECSTAT, "result", NULL, result);
++ if (status == STAT_BOGUS && extract_request(header, m, daemon->namebuff, NULL))
++ domain = daemon->namebuff;
++
++ log_query(F_KEYTAG | F_SECSTAT, domain, NULL, result);
+
+ if (status == STAT_BOGUS)
+ {
+--
+2.1.0
+
projects / people / pmueller / ipfire-2.x.git / commitdiff
