diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile index f26f819a34..0a8ae5d03a 100644 --- a/package/network/services/dnsmasq/Makefile +++ b/package/network/services/dnsmasq/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dnsmasq PKG_VERSION:=2.80test2 -PKG_RELEASE:=3 +PKG_RELEASE:=4 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/test-releases diff --git a/package/network/services/dnsmasq/patches/0001-Be-persistent-with-broken-upstream-DNSSEC-warnings.patch b/package/network/services/dnsmasq/patches/0001-Be-persistent-with-broken-upstream-DNSSEC-warnings.patch index 0924a92e33..7f3c55b290 100644 --- a/package/network/services/dnsmasq/patches/0001-Be-persistent-with-broken-upstream-DNSSEC-warnings.patch +++ b/package/network/services/dnsmasq/patches/0001-Be-persistent-with-broken-upstream-DNSSEC-warnings.patch @@ -1,7 +1,7 @@ From f84e674d8aa2316fea8d2145a40fcef0441e3856 Mon Sep 17 00:00:00 2001 From: Simon Kelley Date: Fri, 4 May 2018 16:29:57 +0100 -Subject: [PATCH 01/10] Be persistent with broken-upstream-DNSSEC warnings. +Subject: [PATCH 01/17] Be persistent with broken-upstream-DNSSEC warnings. Signed-off-by: Kevin Darbyshire-Bryant --- diff --git a/package/network/services/dnsmasq/patches/0002-Fix-DHCP-broken-ness-when-no-ping-AND-dhcp-sequentia.patch b/package/network/services/dnsmasq/patches/0002-Fix-DHCP-broken-ness-when-no-ping-AND-dhcp-sequentia.patch index 12c405945d..e5018e00aa 100644 --- a/package/network/services/dnsmasq/patches/0002-Fix-DHCP-broken-ness-when-no-ping-AND-dhcp-sequentia.patch +++ b/package/network/services/dnsmasq/patches/0002-Fix-DHCP-broken-ness-when-no-ping-AND-dhcp-sequentia.patch @@ -1,7 +1,7 @@ From 0669ee7a69a004ce34fed41e50aa575f8e04427b Mon Sep 17 00:00:00 2001 
From: Simon Kelley Date: Fri, 4 May 2018 16:46:24 +0100 -Subject: [PATCH 02/10] Fix DHCP broken-ness when --no-ping AND +Subject: [PATCH 02/17] Fix DHCP broken-ness when --no-ping AND --dhcp-sequential-ip are set. Signed-off-by: Kevin Darbyshire-Bryant diff --git a/package/network/services/dnsmasq/patches/0003-Add-logging-for-DNS-error-returns-from-upstream-and-.patch b/package/network/services/dnsmasq/patches/0003-Add-logging-for-DNS-error-returns-from-upstream-and-.patch index 150cd91c6a..72f259f31e 100644 --- a/package/network/services/dnsmasq/patches/0003-Add-logging-for-DNS-error-returns-from-upstream-and-.patch +++ b/package/network/services/dnsmasq/patches/0003-Add-logging-for-DNS-error-returns-from-upstream-and-.patch @@ -1,7 +1,7 @@ From 07ed585c38d8f7c0a18470d2e79cf46ea92ea96a Mon Sep 17 00:00:00 2001 From: Simon Kelley Date: Fri, 4 May 2018 21:52:22 +0100 -Subject: [PATCH 03/10] Add logging for DNS error returns from upstream and +Subject: [PATCH 03/17] Add logging for DNS error returns from upstream and local configuration. Signed-off-by: Kevin Darbyshire-Bryant diff --git a/package/network/services/dnsmasq/patches/0004-Add-packet-dump-debugging-facility.patch b/package/network/services/dnsmasq/patches/0004-Add-packet-dump-debugging-facility.patch index af4020b50b..e1c55f029d 100644 --- a/package/network/services/dnsmasq/patches/0004-Add-packet-dump-debugging-facility.patch +++ b/package/network/services/dnsmasq/patches/0004-Add-packet-dump-debugging-facility.patch @@ -1,7 +1,7 @@ From 6b17335209639a56f214d011eaed4ebcde8dd276 Mon Sep 17 00:00:00 2001 From: Simon Kelley Date: Tue, 8 May 2018 18:32:14 +0100 -Subject: [PATCH 04/10] Add packet-dump debugging facility. +Subject: [PATCH 04/17] Add packet-dump debugging facility. Signed-off-by: Kevin Darbyshire-Bryant --- 
diff --git a/package/network/services/dnsmasq/patches/0005-Retry-query-to-other-servers-on-receipt-of-SERVFAIL-.patch b/package/network/services/dnsmasq/patches/0005-Retry-query-to-other-servers-on-receipt-of-SERVFAIL-.patch index d21f9d4320..6458bec5ae 100644 --- a/package/network/services/dnsmasq/patches/0005-Retry-query-to-other-servers-on-receipt-of-SERVFAIL-.patch +++ b/package/network/services/dnsmasq/patches/0005-Retry-query-to-other-servers-on-receipt-of-SERVFAIL-.patch @@ -1,7 +1,7 @@ From 34e26e14c5e0fb2d5f05f67858319c9db2058333 Mon Sep 17 00:00:00 2001 From: Simon Kelley Date: Thu, 10 May 2018 20:54:57 +0100 -Subject: [PATCH 05/10] Retry query to other servers on receipt of SERVFAIL +Subject: [PATCH 05/17] Retry query to other servers on receipt of SERVFAIL rcode. Signed-off-by: Kevin Darbyshire-Bryant diff --git a/package/network/services/dnsmasq/patches/0006-Handle-query-retry-on-REFUSED-or-SERVFAIL-for-DNSSEC.patch b/package/network/services/dnsmasq/patches/0006-Handle-query-retry-on-REFUSED-or-SERVFAIL-for-DNSSEC.patch index b4681af4ff..595694ed20 100644 --- a/package/network/services/dnsmasq/patches/0006-Handle-query-retry-on-REFUSED-or-SERVFAIL-for-DNSSEC.patch +++ b/package/network/services/dnsmasq/patches/0006-Handle-query-retry-on-REFUSED-or-SERVFAIL-for-DNSSEC.patch @@ -1,7 +1,7 @@ From a0088e83640d7d1544127dd668660462e9f78e52 Mon Sep 17 00:00:00 2001 From: Simon Kelley Date: Thu, 10 May 2018 21:43:14 +0100 -Subject: [PATCH 06/10] Handle query retry on REFUSED or SERVFAIL for +Subject: [PATCH 06/17] Handle query retry on REFUSED or SERVFAIL for DNSSEC-generated queries. Signed-off-by: Kevin Darbyshire-Bryant diff --git a/package/network/services/dnsmasq/patches/0007-Retry-SERVFAIL-DNSSEC-queries-to-a-different-server-.patch b/package/network/services/dnsmasq/patches/0007-Retry-SERVFAIL-DNSSEC-queries-to-a-different-server-.patch index 5756717340..3ceaf523e6 100644 
--- a/package/network/services/dnsmasq/patches/0007-Retry-SERVFAIL-DNSSEC-queries-to-a-different-server-.patch +++ b/package/network/services/dnsmasq/patches/0007-Retry-SERVFAIL-DNSSEC-queries-to-a-different-server-.patch @@ -1,7 +1,7 @@ From 1f60a18ea1c64beb8b6cffa0650a2bfad95ac352 Mon Sep 17 00:00:00 2001 From: Simon Kelley Date: Fri, 11 May 2018 16:44:16 +0100 -Subject: [PATCH 07/10] Retry SERVFAIL DNSSEC queries to a different server, if +Subject: [PATCH 07/17] Retry SERVFAIL DNSSEC queries to a different server, if possible. Signed-off-by: Kevin Darbyshire-Bryant diff --git a/package/network/services/dnsmasq/patches/0008-Fix-logging-in-previous.patch b/package/network/services/dnsmasq/patches/0008-Fix-logging-in-previous.patch index d5735a25d5..718cf9de64 100644 --- a/package/network/services/dnsmasq/patches/0008-Fix-logging-in-previous.patch +++ b/package/network/services/dnsmasq/patches/0008-Fix-logging-in-previous.patch @@ -1,7 +1,7 @@ From e27825b0ef1e79ab05b1752c8c838cb43ad39d79 Mon Sep 17 00:00:00 2001 From: Simon Kelley Date: Fri, 11 May 2018 17:20:47 +0100 -Subject: [PATCH 08/10] Fix logging in previous. +Subject: [PATCH 08/17] Fix logging in previous. Signed-off-by: Kevin Darbyshire-Bryant --- diff --git a/package/network/services/dnsmasq/patches/0009-Do-unsolicited-RAs-for-interfaces-which-appear-after.patch b/package/network/services/dnsmasq/patches/0009-Do-unsolicited-RAs-for-interfaces-which-appear-after.patch index 0aaec7edf4..ed8a6e6197 100644 --- a/package/network/services/dnsmasq/patches/0009-Do-unsolicited-RAs-for-interfaces-which-appear-after.patch +++ b/package/network/services/dnsmasq/patches/0009-Do-unsolicited-RAs-for-interfaces-which-appear-after.patch @@ -1,7 +1,7 @@ From 0a496f059c1e9d75c33cce4c1211d58422ba4f62 Mon Sep 17 00:00:00 2001 
From: Maarten de Vries Date: Fri, 11 May 2018 23:20:58 +0100 -Subject: [PATCH 09/10] Do unsolicited RAs for interfaces which appear after +Subject: [PATCH 09/17] Do unsolicited RAs for interfaces which appear after dnsmasq startup. I noticed that dnsmasq often wasn't sending any unsolicited RAs for me. diff --git a/package/network/services/dnsmasq/patches/0010-Log-warning-on-very-large-cachesize-config-instead-o.patch b/package/network/services/dnsmasq/patches/0010-Log-warning-on-very-large-cachesize-config-instead-o.patch index 98df4520a2..177b2dcc01 100644 --- a/package/network/services/dnsmasq/patches/0010-Log-warning-on-very-large-cachesize-config-instead-o.patch +++ b/package/network/services/dnsmasq/patches/0010-Log-warning-on-very-large-cachesize-config-instead-o.patch @@ -1,7 +1,7 @@ From 1f1873aadd092a0fab505dd278a484d887ba0ec3 Mon Sep 17 00:00:00 2001 From: Simon Kelley Date: Fri, 11 May 2018 23:38:23 +0100 -Subject: [PATCH 10/10] Log warning on very large cachesize config, instead of +Subject: [PATCH 10/17] Log warning on very large cachesize config, instead of truncating it. Signed-off-by: Kevin Darbyshire-Bryant diff --git a/package/network/services/dnsmasq/patches/0011-Handle-standard-and-contructed-dhcp-ranges-on-the-sa.patch b/package/network/services/dnsmasq/patches/0011-Handle-standard-and-contructed-dhcp-ranges-on-the-sa.patch new file mode 100644 index 0000000000..5ded822efe --- /dev/null +++ b/package/network/services/dnsmasq/patches/0011-Handle-standard-and-contructed-dhcp-ranges-on-the-sa.patch 
@@ -0,0 +1,70 @@
+From c488b68e75ee5304007eef37203c4fc10193d191 Mon Sep 17 00:00:00 2001
+From: Simon Kelley
+Date: Sat, 2 Jun 2018 13:06:00 +0100
+Subject: [PATCH 11/17] Handle standard and contructed dhcp-ranges on the same
+ interface.
+
+Signed-off-by: Kevin Darbyshire-Bryant
+---
+ CHANGELOG | 6 ++++++
+ src/dhcp6.c | 29 +++++++++++++++++------------
+ 2 files changed, 23 insertions(+), 12 deletions(-)
+
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -23,6 +23,12 @@ version 2.80
+ which packets should be dumped is given by the --dumpmask
+ option.
+
++ Handle the case of both standard and constructed dhcp-ranges on the
++ same interface better. We don't now contruct a dhcp-range if there's
++ already one specified. This allows the specified interface to
++ have different parameters and avoids advertising the same
++ prefix twice. Thanks to Luis Marsano for spotting this case.
++
+
+ version 2.79
+ Fix parsing of CNAME arguments, which are confused by extra spaces.
+--- a/src/dhcp6.c
++++ b/src/dhcp6.c
+@@ -667,23 +667,28 @@ static int construct_worker(struct in6_a
+ end6 = *local;
+ setaddr6part(&end6, addr6part(&template->end6));
+
++ /* If there's an absolute address context covering this address
++ then don't contruct one as well. */
+ for (context = daemon->dhcp6; context; context = context->next)
+- if ((context->flags & CONTEXT_CONSTRUCTED) &&
++ if (!(context->flags & CONTEXT_TEMPLATE) &&
+ IN6_ARE_ADDR_EQUAL(&start6, &context->start6) &&
+ IN6_ARE_ADDR_EQUAL(&end6, &context->end6))
+ {
+- int flags = context->flags;
+- context->flags &= ~(CONTEXT_GC | CONTEXT_OLD);
+- if (flags & CONTEXT_OLD)
++ if (context->flags & CONTEXT_CONSTRUCTED)
+ {
+- /* address went, now it's back */
+- log_context(AF_INET6, context);
+- /* fast RAs for a while */
+- ra_start_unsolicited(param->now, context);
+- param->newone = 1;
+- /* Add address to name again */
+- if (context->flags & CONTEXT_RA_NAME)
+- param->newname = 1;
++ int cflags = context->flags;
++ context->flags &= ~(CONTEXT_GC | CONTEXT_OLD);
++ if (cflags & CONTEXT_OLD)
++ {
++ /* address went, now it's back */
++ log_context(AF_INET6, context);
++ /* fast RAs for a while */
++ ra_start_unsolicited(param->now, context);
++ param->newone = 1;
++ /* Add address to name again */
++ if (context->flags & CONTEXT_RA_NAME)
++ param->newname = 1;
++ }
+ }
+ break;
+ }
diff --git a/package/network/services/dnsmasq/patches/0012-Sane-error-message-when-pcap-file-header-is-wrong.patch b/package/network/services/dnsmasq/patches/0012-Sane-error-message-when-pcap-file-header-is-wrong.patch
new file mode 100644
index 0000000000..fb2d2d7a4a
--- /dev/null
+++ b/package/network/services/dnsmasq/patches/0012-Sane-error-message-when-pcap-file-header-is-wrong.patch
@@ -0,0 +1,25 @@
+From cc5cc8f1e0b4deaaea4cbefe677989b186c84837 Mon Sep 17 00:00:00 2001
+From: Simon Kelley
+Date: Sat, 2 Jun 2018 14:45:17 +0100
+Subject: [PATCH 12/17] Sane error message when pcap file header is wrong.
+
+Signed-off-by: Kevin Darbyshire-Bryant
+---
+ src/dump.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/src/dump.c
++++ b/src/dump.c
+@@ -64,9 +64,10 @@ void dump_init(void)
+ die(_("cannot create %s: %s"), daemon->dump_file, EC_FILE);
+ }
+ else if ((daemon->dumpfd = open(daemon->dump_file, O_APPEND | O_RDWR)) == -1 ||
+- !read_write(daemon->dumpfd, (void *)&header, sizeof(header), 1) ||
+- header.magic_number != 0xa1b2c3d4)
++ !read_write(daemon->dumpfd, (void *)&header, sizeof(header), 1))
+ die(_("cannot access %s: %s"), daemon->dump_file, EC_FILE);
++ else if (header.magic_number != 0xa1b2c3d4)
++ die(_("bad header in %s"), daemon->dump_file, EC_FILE);
+ else
+ {
+ /* count existing records */
diff --git a/package/network/services/dnsmasq/patches/0013-Allow-zone-transfer-in-authoritative-mode-whenever-a.patch b/package/network/services/dnsmasq/patches/0013-Allow-zone-transfer-in-authoritative-mode-whenever-a.patch
new file mode 100644
index 0000000000..cc16680686
--- /dev/null
+++ b/package/network/services/dnsmasq/patches/0013-Allow-zone-transfer-in-authoritative-mode-whenever-a.patch
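Review bot: The new `else if (header.magic_number != 0xa1b2c3d4)` branch validates only the magic, so an existing file with the right magic but a different snaplen or link type is still appended to, and the records dnsmasq then writes would be misread by whatever consumes the capture. If the create path above this hunk writes a fixed link type and snaplen, the append path should compare the same fields (the link-type field is `network` in the standard pcap header layout, but I cannot see dnsmasq's struct here), e.g. `else if (header.magic_number != 0xa1b2c3d4 || header.network != <the link type dump_init writes>)` before the `die(_("bad header in %s"), ...)`. Rejecting the byte-swapped magic 0xd4c3b2a1 rather than accepting it is the safe choice, since appending native-endian records to a foreign-endian file would corrupt it. dump_init starts before and ends after this hunk.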
@@ -0,0 +1,55 @@
+From 090856c7e6d483bc4d7ec41f55208a9842769c45 Mon Sep 17 00:00:00 2001
+From: Simon Kelley
+Date: Sat, 2 Jun 2018 18:37:07 +0100
+Subject: [PATCH 13/17] Allow zone transfer in authoritative mode whenever
+ auth-peer is specified.
+
+Signed-off-by: Kevin Darbyshire-Bryant
+---
+ CHANGELOG | 4 ++++
+ man/dnsmasq.8 | 6 +++++-
+ src/auth.c | 5 +++--
+ 3 files changed, 12 insertions(+), 3 deletions(-)
+
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -29,6 +29,10 @@ version 2.80
+ have different parameters and avoids advertising the same
+ prefix twice. Thanks to Luis Marsano for spotting this case.
+
++ Allow zone transfer in authoritative mode if auth-peer is specified,
++ even if auth-sec-servers is not. Thanks to Raphaël Halimi for
++ the suggestion.
++
+
+ version 2.79
+ Fix parsing of CNAME arguments, which are confused by extra spaces.
+--- a/man/dnsmasq.8
++++ b/man/dnsmasq.8
+@@ -817,7 +817,11 @@ authoritative zones as dnsmasq.
+ Specify the addresses of secondary servers which are allowed to
+ initiate zone transfer (AXFR) requests for zones for which dnsmasq is
+ authoritative. If this option is not given, then AXFR requests will be
+-accepted from any secondary.
++accepted from any secondary. Specifying
++.B auth-peer
++without
++.B auth-sec-servers
++enables zone transfer but does not advertise the secondary in NS records returned by dnsmasq.
+ .TP
+ .B --conntrack
+ Read the Linux connection track mark associated with incoming DNS
+--- a/src/auth.c
++++ b/src/auth.c
+@@ -436,8 +436,9 @@ size_t answer_auth(struct dns_header *he
+ if (sockaddr_isequal(peer_addr, &peers->addr))
+ break;
+
+- /* Refuse all AXFR unless --auth-sec-servers is set */
+- if ((!peers && daemon->auth_peers) || !daemon->secondary_forward_server)
++ /* Refuse all AXFR unless --auth-sec-servers or auth-peers is set */
++ if ((!daemon->secondary_forward_server && !daemon->auth_peers) ||
++ (daemon->auth_peers && !peers))
+ {
+ if (peer_addr->sa.sa_family == AF_INET)
+ inet_ntop(AF_INET, &peer_addr->in.sin_addr, daemon->addrbuff, ADDRSTRLEN);
diff --git a/package/network/services/dnsmasq/patches/0014-Warn-about-the-impact-of-cache-size-on-performance.patch b/package/network/services/dnsmasq/patches/0014-Warn-about-the-impact-of-cache-size-on-performance.patch
new file mode 100644
index 0000000000..5316dea15d
--- /dev/null
+++ b/package/network/services/dnsmasq/patches/0014-Warn-about-the-impact-of-cache-size-on-performance.patch
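Review bot: The rewritten guard in answer_auth still authorizes AXFR purely on the request's source address matching an `--auth-peer` entry (`sockaddr_isequal(peer_addr, &peers->addr)` just above), so if this point is reachable for a UDP query the check is satisfiable with a spoofed source; answer_auth's prologue is outside the hunk, so whether AXFR is already confined to TCP cannot be confirmed from this diff, and a comment at the check should say which it is. The case the condition leaves open, `--auth-sec-servers` set with no `--auth-peer`, accepts AXFR from any address; that is pre-existing and the man page now documents it, but the code comment should spell out both branches rather than the current one-liner, e.g. `/* Allow AXFR from a configured auth-peer, or from anyone when auth-sec-servers is set and no auth-peer is configured; refuse everything else. */`. The comment also names the option `auth-peers` where the manual calls it `--auth-peer`.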
@@ -0,0 +1,47 @@
+From 7dcca6c62211e60905e2252a185bede909391877 Mon Sep 17 00:00:00 2001
+From: Geert Stappers
+Date: Sat, 2 Jun 2018 18:54:04 +0100
+Subject: [PATCH 14/17] Warn about the impact of cache-size on performance.
+
+Signed-off-by: Kevin Darbyshire-Bryant
+---
+ man/dnsmasq.8 | 2 +-
+ man/es/dnsmasq.8 | 3 ++-
+ man/fr/dnsmasq.8 | 3 ++-
+ 3 files changed, 5 insertions(+), 3 deletions(-)
+
+--- a/man/dnsmasq.8
++++ b/man/dnsmasq.8
+@@ -692,7 +692,7 @@ will add 1.2.3.0/24 for both IPv4 and IP
+
+ .TP
+ .B \-c, --cache-size=
+-Set the size of dnsmasq's cache. The default is 150 names. Setting the cache size to zero disables caching.
++Set the size of dnsmasq's cache. The default is 150 names. Setting the cache size to zero disables caching. Note: huge cache size impacts performance.
+ .TP
+ .B \-N, --no-negcache
+ Disable negative caching. Negative caching allows dnsmasq to remember
+--- a/man/es/dnsmasq.8
++++ b/man/es/dnsmasq.8
+@@ -478,7 +478,8 @@ la traza reversa dirección-a-nombre.
+ .TP
+ .B \-c, --cache-size=
+ Fijar el tamaño del caché de dnsmasq. El predeterminado es 150 nombres.
+-Fijar el tamaño a cero deshabilita el caché.
++Fijar el tamaño a cero deshabilita el caché. Nota: el gran tamaño de
++caché afecta el rendimiento.
+ .TP
+ .B \-N, --no-negcache
+ Deshabilitar caché negativo. El caché negativo le permite a dnsmasq
+--- a/man/fr/dnsmasq.8
++++ b/man/fr/dnsmasq.8
+@@ -666,7 +666,8 @@ différentes pourraient-être rencontré
+ .TP
+ .B \-c, --cache-size=
+ Définit la taille du cache de Dnsmasq. La valeur par défaut est de 150 noms.
+-Définir une valeur de zéro désactive le cache.
++Définir une valeur de zéro désactive le cache. Remarque: la taille importante
++du cache a un impact sur les performances.
+ .TP
+ .B \-N, --no-negcache
+ Désactive le "cache négatif". Le "cache négatif" permet à Dnsmasq de se souvenir
diff --git a/package/network/services/dnsmasq/patches/0015-Handle-some-corner-cases-in-RA-contructed-interfaces.patch b/package/network/services/dnsmasq/patches/0015-Handle-some-corner-cases-in-RA-contructed-interfaces.patch
new file mode 100644
index 0000000000..ce9ce4af5a
--- /dev/null
+++ b/package/network/services/dnsmasq/patches/0015-Handle-some-corner-cases-in-RA-contructed-interfaces.patch
@@ -0,0 +1,64 @@
+From db0f488ea8f5ded7c57400c9108ec3c9367d75c5 Mon Sep 17 00:00:00 2001
+From: Simon Kelley
+Date: Thu, 7 Jun 2018 21:37:02 +0100
+Subject: [PATCH 15/17] Handle some corner cases in RA contructed interfaces
+ with addresses changing interface.
+
+Thanks to Vladislav Grishenko for work on this.
+
+Signed-off-by: Kevin Darbyshire-Bryant
+---
+ src/dhcp6.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/src/dhcp6.c
++++ b/src/dhcp6.c
+@@ -640,7 +640,7 @@ static int construct_worker(struct in6_a
+ return 0;
+
+ for (template = daemon->dhcp6; template; template = template->next)
+- if (!(template->flags & CONTEXT_TEMPLATE))
++ if (!(template->flags & (CONTEXT_TEMPLATE | CONTEXT_CONSTRUCTED)))
+ {
+ /* non-template entries, just fill in interface and local addresses */
+ if (prefix <= template->prefix &&
+@@ -667,20 +667,23 @@ static int construct_worker(struct in6_a
+ end6 = *local;
+ setaddr6part(&end6, addr6part(&template->end6));
+
+- /* If there's an absolute address context covering this address
+- then don't contruct one as well. */
+ for (context = daemon->dhcp6; context; context = context->next)
+ if (!(context->flags & CONTEXT_TEMPLATE) &&
+ IN6_ARE_ADDR_EQUAL(&start6, &context->start6) &&
+ IN6_ARE_ADDR_EQUAL(&end6, &context->end6))
+ {
+- if (context->flags & CONTEXT_CONSTRUCTED)
++ /* If there's an absolute address context covering this address
++ then don't construct one as well. */
++ if (!(context->flags & CONTEXT_CONSTRUCTED))
++ break;
++
++ if (context->if_index == if_index)
+ {
+ int cflags = context->flags;
+ context->flags &= ~(CONTEXT_GC | CONTEXT_OLD);
+ if (cflags & CONTEXT_OLD)
+ {
+- /* address went, now it's back */
++ /* address went, now it's back, and on the same interface */
+ log_context(AF_INET6, context);
+ /* fast RAs for a while */
+ ra_start_unsolicited(param->now, context);
+@@ -688,9 +691,10 @@ static int construct_worker(struct in6_a
+ /* Add address to name again */
+ if (context->flags & CONTEXT_RA_NAME)
+ param->newname = 1;
++
++ break;
+ }
+ }
+- break;
+ }
+
+ if (!context && (context = whine_malloc(sizeof (struct dhcp_context))))
diff --git a/package/network/services/dnsmasq/patches/0016-Fix-stupid-infinite-loop-introduced-by-preceding-com.patch b/package/network/services/dnsmasq/patches/0016-Fix-stupid-infinite-loop-introduced-by-preceding-com.patch
new file mode 100644
index 0000000000..07f2a62c69
--- /dev/null
+++ b/package/network/services/dnsmasq/patches/0016-Fix-stupid-infinite-loop-introduced-by-preceding-com.patch
@@ -0,0 +1,23 @@
+From 05ff659a3c0d95be6d41fae755243988a1bb3387 Mon Sep 17 00:00:00 2001
+From: Simon Kelley
+Date: Tue, 12 Jun 2018 16:03:09 +0100
+Subject: [PATCH 16/17] Fix stupid infinite loop introduced by preceding
+ commit.
+
+Signed-off-by: Kevin Darbyshire-Bryant
+---
+ src/dhcp6.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/dhcp6.c
++++ b/src/dhcp6.c
+@@ -692,8 +692,8 @@ static int construct_worker(struct in6_a
+ if (context->flags & CONTEXT_RA_NAME)
+ param->newname = 1;
+
+- break;
+ }
++ break;
+ }
+ }
+
diff --git a/package/network/services/dnsmasq/patches/0017-Fix-address-dependent-domains-for-IPv6.patch b/package/network/services/dnsmasq/patches/0017-Fix-address-dependent-domains-for-IPv6.patch
new file mode 100644
index 0000000000..300ffa1041
--- /dev/null
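Review bot: With the `break` moved out of the `if (cflags & CONTEXT_OLD)` block, the loop now exits for any constructed context on the same interface, but a constructed context for the same range on a different interface is passed over without a word and the loop falls through to the `whine_malloc` construction below; that fall-through is the whole point of patch 0015 and is the one case with no comment, since the only nearby remark covers the non-constructed context. Suggested above the `if (context->if_index == if_index)` test: `/* Constructed for another interface: keep looking. If nothing on this interface matches, a new context is built below; the stale one presumably remains until the CONTEXT_GC sweep clears it. */` (whether GC actually reaps it is inferred from the GC flag handling here, not visible in the hunk). construct_worker starts and ends outside both hunks.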
+++ b/package/network/services/dnsmasq/patches/0017-Fix-address-dependent-domains-for-IPv6.patch
@@ -0,0 +1,24 @@
+From 51e4eeeb04b8dd8510ed267d580751525e77cb77 Mon Sep 17 00:00:00 2001
+From: Paul Maddock
+Date: Tue, 12 Jun 2018 16:37:40 +0100
+Subject: [PATCH 17/17] Fix address-dependent domains for IPv6.
+
+Thanks to Paul Maddock for spotting this.
+It seems to have been broken forever.
+
+Signed-off-by: Kevin Darbyshire-Bryant
+---
+ src/lease.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/lease.c
++++ b/src/lease.c
+@@ -87,7 +87,7 @@ static int read_leases(time_t now, FILE
+ if ((lease = lease6_allocate(&addr.addr.addr6, lease_type)))
+ {
+ lease_set_iaid(lease, strtoul(s, NULL, 10));
+- domain = get_domain6((struct in6_addr *)lease->hwaddr);
++ domain = get_domain6(&lease->addr6);
+ }
+ }
+ #endif
diff --git a/package/network/services/dnsmasq/patches/0018-Fix-sometimes-missing-DNSSEC-RRs-when-DNSSEC-validat.patch b/package/network/services/dnsmasq/patches/0018-Fix-sometimes-missing-DNSSEC-RRs-when-DNSSEC-validat.patch
new file mode 100644
index 0000000000..1d75418d07
--- /dev/null
+++ b/package/network/services/dnsmasq/patches/0018-Fix-sometimes-missing-DNSSEC-RRs-when-DNSSEC-validat.patch
@@ -0,0 +1,87 @@
+From a997ca0da044719a0ce8a232d14da8b30022592b Mon Sep 17 00:00:00 2001
+From: Simon Kelley
+Date: Fri, 29 Jun 2018 14:39:41 +0100
+Subject: [PATCH 18/18] Fix sometimes missing DNSSEC RRs when DNSSEC validation
+ not enabled.
+
+Dnsmasq does pass on the do-bit, and return DNSSEC RRs, irrespective
+of of having DNSSEC validation compiled in or enabled.
+
+The thing to understand here is that the cache does not store all the
+DNSSEC RRs, and dnsmasq doesn't have the (very complex) logic required
+to determine the set of DNSSEC RRs required in an answer. Therefore if
+the client wants the DNSSEC RRs, the query can not be answered from
+the cache. When DNSSEC validation is enabled, any query with the
+do-bit set is never answered from the cache, unless the domain is
+known not to be signed: the query is always forwarded. This ensures
+that the DNSEC RRs are included.
+
+The same thing should be true when DNSSEC validation is not enabled,
+but there's a bug in the logic.
+
+line 1666 of src/rfc1035.c looks like this
+
+ if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !do_bit || !(crecp->flags & F_DNSSECOK))
+
+{ ...answer from cache ... }
+
+So local stuff (hosts, DHCP, ) get answered. If the do_bit is not set
+then the query is answered, and if the domain is known not to be
+signed, the query is answered.
+
+Unfortunately, if DNSSEC validation is not turned on then the
+F_DNSSECOK bit is not valid, and it's always zero, so the question
+always gets answered from the cache, even when the do-bit is set.
+
+This code should look like that at line 1468, dealing with PTR queries
+
+ if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
+ !do_bit ||
+ (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
+
+where the F_DNSSECOK bit is only used when validation is enabled.
+
+Signed-off-by: Kevin Darbyshire-Bryant
+---
+ CHANGELOG | 7 ++++++-
+ src/rfc1035.c | 6 ++++--
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -33,7 +33,12 @@ version 2.80
+ even if auth-sec-servers is not. Thanks to Raphaël Halimi for
+ the suggestion.
+
+-
++ Fix bug which sometimes caused dnsmasq to wrongly return answers
++ without DNSSEC RRs to queries with the do-bit set, but only when
++ DNSSEC validation was not enabled.
++ Thanks to Petr Menšík for spotting this.
++
++
+ version 2.79
+ Fix parsing of CNAME arguments, which are confused by extra spaces.
+ Thanks to Diego Aguirre for spotting the bug.
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -1663,7 +1663,9 @@ size_t answer_request(struct dns_header
+ }
+
+ /* If the client asked for DNSSEC don't use cached data. */
+- if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !do_bit || !(crecp->flags & F_DNSSECOK))
++ if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
++ !do_bit ||
++ (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
+ do
+ {
+ /* don't answer wildcard queries with data not from /etc/hosts
+@@ -1747,7 +1749,7 @@ size_t answer_request(struct dns_header
+ {
+ if ((crecp = cache_find_by_name(NULL, name, now, F_CNAME | (dryrun ? F_NO_RR : 0))) &&
+ (qtype == T_CNAME || (crecp->flags & F_CONFIG)) &&
+- ((crecp->flags & F_CONFIG) || !do_bit || !(crecp->flags & F_DNSSECOK)))
++ ((crecp->flags & F_CONFIG) || !do_bit || (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK))))
+ {
+ if (!(crecp->flags & F_DNSSECOK))
+ sec_data = 0;
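Review bot: The corrected predicate `!do_bit || (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK))` now exists in three hand-written copies inside answer_request (the PTR path the commit message cites, the first hunk here, and the CNAME test in the second), and the bug being fixed is precisely these copies drifting apart; a single helper such as `static inline int cache_ok_for_do(struct crec *crecp, int do_bit) { return !do_bit || (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)); }` would keep them in step. Operationally, with validation disabled there is no F_DNSSECOK shortcut for known-unsigned names, so every DO=1 query now bypasses the cache and is forwarded upstream; that is the correct behaviour, but it means any client can defeat caching for a name simply by setting DO, which deserves a sentence in the CHANGELOG or a comment for operators sizing upstream load. Separately, this Subject reads `[PATCH 18/18]` while the rest of the series was renumbered to `/17`. answer_request starts and ends outside both hunks.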