aboutsummaryrefslogtreecommitdiffstats
path: root/package/network/services/dnsmasq/Makefile
Commit message (Collapse)AuthorAgeFilesLines
* dnsmasq: backport latest pre2.81 patchesKevin Darbyshire-Bryant2019-01-161-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | f52bb5b fix previous commit 18eac67 Fix entries in /etc/hosts disabling static leases. f8c77ed Fix removal of DHCP_CLIENT_MAC options from DHCPv6 relay replies. 4bf62f6 Tidy cache_blockdata_free() 9c0d445 Fix e7bfd556c079c8b5e7425aed44abc35925b24043 to actually work. 2896e24 Check for not(DS or DNSKEY) in is_outdated_cname_pointer() a90f09d Fix crash freeing negative SRV cache entries. 5b99eae Cache SRV records. 2daca52 Fix typo in ra-param man page section. 2c59473 File logic bug in cache-marshalling code. Introduced a couple of commits back. cc921df Remove nested struct/union in cache records and all_addr. ab194ed Futher address union tidying. 65a01b7 Tidy address-union handling: move class into explicit argument. bde4647 Tidy all_addr union, merge log and rcode fields. e7bfd55 Alter DHCP address selection after DECLINE in consec-addr mode. Avoid offering the same address after a recieving a DECLINE message to stop an infinite protocol loop. This has long been done in default address allocation mode: this adds similar behaviour when allocaing addresses consecutively. The most relevant fix for openwrt is 18eac67 (& my own local f52bb5b which fixes a missing bracket silly) To quote the patch: It is possible for a config entry to have one address family specified by a dhcp-host directive and the other added from /etc/hosts. This is especially common on OpenWrt because it uses odhcpd for DHCPv6 and IPv6 leases are imported into dnsmasq via a hosts file. To handle this case there need to be separate *_HOSTS flags for IPv4 and IPv6. Otherwise when the hosts file is reloaded it will clear the CONFIG_ADDR(6) flag which was set by the dhcp-host directive. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: Fix dhcp-boot, dhcp-reply-delay and pxe-prompt regressionsKevin Darbyshire-Bryant2018-12-141-1/+1
| | | | | | | The above options were incorrectly changed to required tags. Make them optional again. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: fix ipv6 ipset bugKevin Darbyshire-Bryant2018-12-121-1/+1
| | | | | | | | | During upstream removal of conditional ipv6 support an order swap error was made in a ternary operator usage. This patch sent upstream. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: follow upstream dnsmasq pre-v2.81 v2Kevin Darbyshire-Bryant2018-12-101-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Backport upstream commits. Most interesting 122392e which changes how SERVFAIL is handled especially in event of genuine server down/failure scenarios with multiple servers. a799ca0 also interesting in that answered received via TCP are now cached, DNSSEC typically using TCP meant until now answers weren't cached, hence reducing performance. 59e4703 Free config file values on parsing errors. 48d12f1 Remove the NO_FORK compile-time option, and support for uclinux. 122392e Revert 68f6312d4bae30b78daafcd6f51dc441b8685b1e 3a5a84c Fix Makefile lines generating UBUS linker config. 24b8760 Do not rely on dead code elimination, use array instead. Make options bits derived from size and count. Use size of option bits and last supported bit in computation. No new change would be required when new options are added. Just change OPT_LAST constant. 6f7812d Fix spurious AD flags in some DNS replies from local config. cbb5b17 Fix logging in cf5984367bc6a949e3803a576512c5a7bc48ebab cf59843 Don't forward *.bind/*.server queries upstream ee87504 Remove ability to compile without IPv6 support. a220545 Ensure that AD bit is reset on answers from --address=/<domain>/<address>. a799ca0 Impove cache behaviour for TCP connections. Along with an additional patch to fix compilation without DHCPv6, sent upstream. I've been running this for aaaages without obvious issue hence brave step of opening to wider openwrt community. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* Revert "dnsmasq: follow upstream dnsmasq pre-v2.81"Kevin Darbyshire-Bryant2018-12-101-1/+1
| | | | | | | | | | | | | This reverts commit a6a8fe0be5cd2edb1560bfc3f3094c3d34f2d2b0. buildbot found an error option.c: In function 'dhcp_context_free': option.c:1042:15: error: 'struct dhcp_context' has no member named 'template_interface' free(ctx->template_interface); revert for the moment Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: follow upstream dnsmasq pre-v2.81Kevin Darbyshire-Bryant2018-12-101-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | Backport upstream commits. Most interesting 122392e which changes how SERVFAIL is handled especially in event of genuine server down/failure scenarios with multiple servers. a799ca0 also interesting in that answered received via TCP are now cached, DNSSEC typically using TCP meant until now answers weren't cached, hence reducing performance. 59e4703 Free config file values on parsing errors. 48d12f1 Remove the NO_FORK compile-time option, and support for uclinux. 122392e Revert 68f6312d4bae30b78daafcd6f51dc441b8685b1e 3a5a84c Fix Makefile lines generating UBUS linker config. 24b8760 Do not rely on dead code elimination, use array instead. Make options bits derived from size and count. Use size of option bits and last supported bit in computation. No new change would be required when new options are added. Just change OPT_LAST constant. 6f7812d Fix spurious AD flags in some DNS replies from local config. cbb5b17 Fix logging in cf5984367bc6a949e3803a576512c5a7bc48ebab cf59843 Don't forward *.bind/*.server queries upstream ee87504 Remove ability to compile without IPv6 support. a220545 Ensure that AD bit is reset on answers from --address=/<domain>/<address>. a799ca0 Impove cache behaviour for TCP connections. I've been running this for aaaages without obvious issue hence brave step of opening to wider openwrt community. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: drop dnssec timestamp file patchKevin Darbyshire-Bryant2018-12-101-1/+1
| | | | | | | | | | | | Openwrt no longer uses and has not used since 5acfe55d71 Jun 2016 the timestamp file (/etc/dnsmasq.time) method of resolving the dnssec/ntp dnslookup chicken/egg problem, having used signals from ntp since that change. Drop the 'dnssec-improve-timestamp-heuristic' patch since it is neither used nor sent upstream. One less thing to refresh & maintain. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: tighten config file permissionsKevin Darbyshire-Bryant2018-10-301-6/+6
| | | | | | | | | | | | | | | | | | Install following as config files (600) perms instead of as data (644) /usr/share/dnsmasq/dhcpbogushostname.conf /usr/share/dnsmasq/trust-anchors.conf /usr/share/dnsmasq/rfc6761.conf /etc/hotplug.d/ntp/25-dnsmasqsec /etc/config/dhcp /etc/dnsmasq.conf dnsmasq reads relevant config files before dropping root privilege and running as dnsmasq:dnsmasq ntpd runs as root so the hotplug script is still accessible Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: bump to v2.80Kevin Darbyshire-Bryant2018-10-191-4/+4
| | | | | | | | | | dnsmasq v2.80 release Change from rc1: 91421cb Fix compiler warning. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: fix dnsmasq failure to start when ujail'dChristian Lamparter2018-10-161-1/+1
| | | | | | | | | | | | | | This patch fixes jailed dnsmasq running into the following issue: |dnsmasq[1]: cannot read /usr/share/dnsmasq/dhcpbogushostname.conf: No such file or directory |dnsmasq[1]: FAILED to start up |procd: Instance dnsmasq::cfg01411c s in a crash loop 6 crashes, 0 seconds since last crash Fixes: a45f4f50e16 ("dnsmasq: add dhcp-ignore-names support - CERT VU#598349") Signed-off-by: Christian Lamparter <chunkeey@gmail.com> [bump package release] Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: bump to v2.80rc1Kevin Darbyshire-Bryant2018-10-161-4/+4
| | | | | | | | | | | | 53792c9 fix typo df07182 Update German translation. Remove local patch 001-fix-typo which is a backport of the above 53792c9 There is no practical difference between our test8 release and this rc release, but this does at least say 'release candidate' Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: add dhcp-ignore-names support - CERT VU#598349Kevin Darbyshire-Bryant2018-10-091-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | dnsmasq v2.80test8 adds the ability to ignore dhcp client's requests for specific hostnames. Clients claiming certain hostnames and thus claiming DNS namespace represent a potential security risk. e.g. a malicious host could claim 'wpad' for itself and redirect other web client requests to it for nefarious purpose. See CERT VU#598349 for more details. Some Samsung TVs are claiming the hostname 'localhost', it is believed not (yet) for nefarious purposes. /usr/share/dnsmasq/dhcpbogushostname.conf contains a list of hostnames in correct syntax to be excluded. e.g. dhcp-name-match=set:dhcp_bogus_hostname,localhost Inclusion of this file is controlled by uci option dhcpbogushostname which is enabled by default. To be absolutely clear, DHCP leases to these requesting hosts are still permitted, but they do NOT get to claim ownership of the hostname itself and hence put into DNS for other hosts to be confused/manipulate by. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: bump to v2.80test8Kevin Darbyshire-Bryant2018-10-071-2/+2
| | | | | | | | | | | e1791f3 Fix logging of DNSSEC queries in TCP mode. Destination server address was misleading. 0fdf3c1 Fix dhcp-match-name to match hostname, not complete FQDN. ee1df06 Tweak strategy for confirming SLAAC addresses. 1e87eba Clarify manpage for --auth-sec-servers 0893347 Make interface spec optional in --auth-server. 7cbf497 Example config file fix for CERT Vulnerability VU#598349. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: bump to v2.80test7Kevin Darbyshire-Bryant2018-09-271-3/+3
| | | | | | | | | | | | | | | | | | | Bump to latest test release: 3a610a0 Finesse allocation of memory for "struct crec" cache entries. 48b090c Fix b6f926fbefcd2471699599e44f32b8d25b87b471 to not SEGV on startup (rarely). 4139298 Change behavior when RD bit unset in queries. 51cc10f Add warning about 0.0.0.0 and :: addresses to man page. ea6cc33 Handle memory allocation failure in make_non_terminals() ad03967 Add debian/tmpfiles.conf f4fd07d Debian bugfix. e3c08a3 Debian packaging fix. (restorecon) 118011f Debian packaging fix. (tmpfiles.d) Delete our own backports of ea6cc33 & 4139298, so the only real changes here, since we don't care about the Debian stuff are 48b090c & 3a610a0 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: Change behavior when RD bit unset in queries.Kevin Darbyshire-Bryant2018-09-211-1/+1
| | | | | | | | | | | Backport upstream commit Change anti cache-snooping behaviour with queries with the recursion-desired bit unset. Instead to returning SERVFAIL, we now always forward, and never answer from the cache. This allows "dig +trace" command to work. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: Handle memory allocation failure in make_non_terminals()Kevin Darbyshire-Bryant2018-09-191-1/+1
| | | | | | | | Backport upstream commit: ea6cc33 Handle memory allocation failure in make_non_terminals() Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: bump to dnsmasq 2.80test6Hans Dedecker2018-09-091-3/+3
| | | | | | | | | | | | | | | | Refresh patches Changes since latest bump: af3bd07 Man page typo. d682099 Picky changes to 47b45b2967c931fed3c89a2e6a8df9f9183a5789 47b45b2 Fix lengths of interface names 2b38e38 Minor improvements in lease-tools 282eab7 Mark die function as never returning c346f61 Handle ANY queries in context of da8b6517decdac593e7ce24bde2824dd841725c8 03212e5 Manpage typo. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: allow dnsmasq variants to be included in imageHenrique de Moraes Holschuh2018-09-061-0/+2
| | | | | | | | | | | The dnsmasq variants should provide dnsmasq, otherwise it is impossible to include them in the image. This change allows one to have CONFIG_PACKAGE_dnsmasq=m and CONFIG_PACKAGE_dnsmasq-full=y, e.g. because you want DNSSEC support, or IPSETs suport on your 3000-devices fleet ;-) Signed-off-by: Henrique de Moraes Holschuh <henrique@nic.br>
* dnsmasq: bump to dnsmasq v2.80test5Hans Dedecker2018-09-061-3/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Refresh patches Remove 240-ubus patch as upstream accepted. Add uci option ubus which allows to enable/disable ubus support (enabled by default) Upstream commits since last bump: da8b651 Implement --address=/example.com/# c5db8f9 Tidy 7f876b64c22b2b18412e2e3d8506ee33e42db7c 974a6d0 Add --caa-record b758b67 Improve logging of RRs from --dns-rr. 9bafdc6 Tidy up file parsing code. 97f876b Properly deal with unaligned addresses in DHCPv6 packets. cbfbd17 Fix broken DNSSEC records in previous. b6f926f Don't return NXDOMAIN to empty non-terminals. c822620 Add --dhcp-name-match 397c050 Handle case of --auth-zone but no --auth-server. 1682d15 Add missing EDNS0 section. EDNS0 section missing in replies to EDNS0-containing queries where answer generated from --local=/<domain>/ dd33e98 Fix crash parsing a --synth-domain with no prefix. Problem introduced in 2.79/6b2b564ac34cb3c862f168e6b1457f9f0b9ca69c c16d966 Add copyright to src/metrics.h 1dfed16 Remove C99 only code. 6f835ed Format fixes - ubus.c 9d6fd17 dnsmasq.c fix OPT_UBUS option usage 8c1b6a5 New metrics and ubus files. 8dcdb33 Add --enable-ubus option. aba8bbb Add collection of metrics caf4d57 Add OpenWRT ubus patch Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: remove creation of /etc/ethersHans Dedecker2018-08-211-1/+1
| | | | | | | | Remove creation of file /etc/ethers in dnsmasq init script as the file is now created by default in the base-files package by commit fa3301a28e Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: bump to dnsmasq v2.80test3Kevin Darbyshire-Bryant2018-07-281-3/+3
| | | | | | | | | | | | | | | | | Refresh patches Upstream commits since last bump: 3b6eb19 Log DNSSEC trust anchors at startup. f3e5787 Trivial comment change. c851c69 Log failure to confirm an address in DHCPv6. a3bd7e7 Fix missing fatal errors when parsing some command-line/config options. ab5ceaf Document the --help option in the french manual 1f2f69d Fix recurrent minor spelling mistake in french manual f361b39 Fix some mistakes in french translation of the manual eb1fe15 When replacing cache entries, preserve CNAMES which target them. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: don't use network functions at boottime (FS#1542)Hans Dedecker2018-07-171-1/+1
| | | | | | | | | | | | As dnsmasq is started earlier than netifd usage of network.sh functions at boottime will fail; therefore don't call at boottime the functions which construct the dhcp pool/relay info. As interface triggers are installed the dhcp pool/relay info will be constructed when the interface gets reported as up by netifd. At the same time also register interface triggers based on DHCP relay config. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: bump to latest patches on 2.80rc2Kevin Darbyshire-Bryant2018-07-031-1/+1
| | | | | | | | | | | | | | | Refresh patches and backport upstream to current HEAD: a997ca0 Fix sometimes missing DNSSEC RRs when DNSSEC validation not enabled. 51e4eee Fix address-dependent domains for IPv6. 05ff659 Fix stupid infinite loop introduced by preceding commit. db0f488 Handle some corner cases in RA contructed interfaces with addresses changing interface. 7dcca6c Warn about the impact of cache-size on performance. 090856c Allow zone transfer in authoritative mode whenever auth-peer is specified. cc5cc8f Sane error message when pcap file header is wrong. c488b68 Handle standard and contructed dhcp-ranges on the same interface. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: fix dnsmasq startup issueHans Dedecker2018-06-201-1/+1
| | | | | | | | | | | Commit ecd954d530 installs specific interface triggers which rewrites the dnsmasq config file and restarts dnsmasq if the network interface becomes active for which a trigger has been installed. In case no dhcp sections are specified or ignore is set to 1 dnsmasq will not be started at startup which breaks DNS resolving. Fix this by ditching the BOOT check in start_service and always start dnsmasq at startup. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: fix confdir option processing (FS#1572)Hans Dedecker2018-06-111-1/+1
| | | | | | | | Fix condir option processing allowing to use the format "<directory>[,<file-extension>......]," as documented on the dnsmasq man page which previously resulted into bogus dir being created. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: bump to 2.80test2Kevin Darbyshire-Bryant2018-05-121-4/+4
| | | | | | | | | | | | | | | | | | | Refresh patches and backport upstream to current HEAD: 1f1873a Log warning on very large cachesize config, instead of truncating it. 0a496f0 Do unsolicited RAs for interfaces which appear after dnsmasq startup. e27825b Fix logging in previous. 1f60a18 Retry SERVFAIL DNSSEC queries to a different server, if possible. a0088e8 Handle query retry on REFUSED or SERVFAIL for DNSSEC-generated queries. 34e26e1 Retry query to other servers on receipt of SERVFAIL rcode. 6b17335 Add packet-dump debugging facility. 07ed585 Add logging for DNS error returns from upstream and local configuration. 0669ee7 Fix DHCP broken-ness when --no-ping AND --dhcp-sequential-ip are set. f84e674 Be persistent with broken-upstream-DNSSEC warnings. Compile & run tested: ar71xx Archer C7 v2 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: add specific interface procd triggershux2018-05-111-1/+1
| | | | | | | | | | | | | | | | | | Right now interface.update events are sent out by netifd upon interface state, route, address (lifetime), prefix lifetime changes. Dnsmasq is only interested in interface state changes and currently adds an interface trigger for all the "interface.*" events. In combination with commit 23bba9cb330, which triggers a SIGHUP signal to dnsmasq, IPv6 address/prefix lifetime changes on the wan will trigger dnsmasq reloads which can become frequent in case of shorter lifetimes. To avoid frequent dnsmasq reload, this patch adds specific interface triggers. During dnsmasq init it loops dhcp uci section; if the value of the ignore option is set to 0, then the corresponding interface trigger is not installed. Otherwise, if the ignore option value is 1, then procd_add_interface_trigger is called which adds the interface trigger. Signed-off-by: hux <xinxing.huchn@gmail.com>
* dnsmasq: remove example domains from rfc6761.conf (FS#1447)Hans Dedecker2018-04-091-1/+1
| | | | | | | | | | | | RFC6771 does not exclude the forwarding of the example domain as it states : "Caching DNS servers SHOULD NOT recognize example names as special and SHOULD resolve them normally." Example domains cannot be assigned to any user or person by DNS registrars as they're registered in perpetuity to IANA meaning they can be resolved; therefore let's remove the example domains from the rfc6761.conf file. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: improve init script portability (FS#1446)Hans Dedecker2018-03-241-1/+1
| | | | | | | | | | | | | Improve portability of init script by declaring resolvfile as local in dnsmasq_stop function. Fixes resolvfile being set for older busybox versions in dnsmasq_start in a multi dnsmasq instance config when doing restart; this happens when the last instance has a resolvfile configured while the first instance being started has noresolv set to 1. Base on a patch by "Phil" Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: bump to 2.79 releaseKevin Darbyshire-Bryant2018-03-191-3/+3
| | | | | | | 94b6878 Tidy crypto.c of old library compat. Now need libnettle 3. 8b96552 Fix compiler warning. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: bump to 2.79rc2Hans Dedecker2018-03-131-2/+2
| | | | | | | | | | | | | | | | | | ae29065 Fix debian/changelog syntax. 6b2b564 Enhance --synth-domain to allow names with sequential integers. 4f7bb57 Fix deletion of dhcp-options from inotify dynamic files. 56f0623 Allow trailing dot in CNAME. f3223fb Fix nettle_hash() function to avoid ABI incompatibilities. 4c4f4c2 Debian dependency tweaking for new dnsmasq-base-lua package. 773af30 Man page typo fix. 4cc944b Merge branch 'master' of ssh://thekelleys.org.uk/var/local/git/dnsmasq 87e00fe Compiler warning fixes. e7a4af8 Compiler warning fixes. 2d69d61 Add liblua-dev to Debian build-depends. 30e4a94 Debian package: add dnsmasq-base-lua binary package. 232a8f3 Merge messages for release. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: bump to 2.79rc1Kevin Darbyshire-Bryant2018-02-181-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 1721453 Remove special handling of A-for-A queries. 499d8dd Fix boundary for test introduced in 3e3f1029c9ec6c63e430ff51063a6301d4b2262 6f1cbfd Fix debian/readme typo. 55ecde7 Inotify: Ignore backup files created by editors 6b54d69 Make failure to chown() pidfile a warning. 246a31c Change ownership of pid file, to keep systemd happy. 83e4b73 Remove confusion between --user and --script-user. 6340ca7 Tweak heuristic for initial DNSSEC memory allocation. baf553d Default min-port to 1024 to avoid reserved ports. 486bcd5 Simplify and correct bindtodevice(). be9a74d Close Debian bug for CVE-2017-15107. ffcbc0f Example config typo fixes. a969ba6 Special case NSEC processing for root DS record, to avoid spurious BOGUS. f178172 Add homepage to Debian control file. cd7df61 Fix DNSSEC validation errors introduced in 4fe6744a220eddd3f1749b40cac3dfc510787de6 c1a4e25 Try to be a little more clever at falling back to smaller DNS packet sizes. 4fe6744 DNSSEC fix for wildcard NSEC records. CVE-2017-15107 applies. 3bd4c47 Remove limit on length of command-line options. 98196c4 Typo fix. 22cd860 Allow more than one --bridge-interface option to refer to an interface. 3c973ad Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC time validation. faaf306 Spelling fixes. c7e6aea Change references to gPXE to iPXE. Development of EtherBoot gPXE was always development of iPXE core developer Michael Brown. e541245 Handle duplicate RRs in DNSSEC validation. 84a01be Bump year in Debian copyright notice. d1ced3a Update copyrights to 2018. a6cee69 Fix exit code from dhcp_release6. 0039920 Severely fix code formating of contrib/lease-tools/dhcp_release6.c 39d8550 Run Debian startup regex in "C" locale. ef3d137 Fix infinite retries in strict-order mode. 8c707e1 Make 373e91738929a3d416e6292e65824184ba8428a6 compile without DNSSEC. 373e917 Fix a6004d7f17687ac2455f724d0b57098c413f128d to cope with >256 RRs in answer section. 74f0f9a Commment language tweaks. ed6bdb0 Man page typos. c88af04 Modify doc.html to mention git-over-http is now available. ae0187d Fix trust-anchor regexp in Debian init script. 0c50e3d Bump version in Debian package. 075366a Open inotify socket only when used. 8e8b2d6 Release notes update. 087eb76 Always return a SERVFAIL response to DNS queries with RD=0. ebedcba Typo in printf format string added in 22dee512f3738f87539a79aeb52b9e670b3bd104 0954a97 Remove RSA/MD5 DNSSEC algorithm. b77efc1 Tidy DNSSEC algorithm table use. 3b0cb34 Fix manpage which said ZSK but meant KSK. aa6f832 Add a few DNS RRs to the table. ad9c6f0 Add support for Ed25519 DNSSEC signature algorithm. a6004d7 Fix caching logic for validated answers. c366717 Tidy up add_resource_record() buffer size checks. 22dee51 Log DNS server max packet size reduction. 6fd5d79 Fix logic on EDNS0 headers. 9d6918d Use IP[V6]_UNICAST_IF socket option instead of SO_BINDTODEVICE for DNS. a49c5c2 Fix search_servers() segfault with DNSSEC. 30858e3 Spaces in CNAME options break parsing. Refresh patches. Remove upstreamed patches: 250-Fix-infinite-retries-in-strict-order-mode.patch 260-dnssec-SIGINT.patch 270-dnssec-wildcards.patch Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: backport validation fix in dnssec security fixKevin Darbyshire-Bryant2018-01-201-1/+1
| | | | | | | | A DNSSEC validation error was introduced in the fix for CVE-2017-15107 Backport the upstream fix to the fix (a simple typo) Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: backport dnssec security fixKevin Darbyshire-Bryant2018-01-191-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | CVE-2017-15107 An interesting problem has turned up in DNSSEC validation. It turns out that NSEC records expanded from wildcards are allowed, so a domain can include an NSEC record for *.example.org and an actual query reply could expand that to anything in example.org and still have it signed by the signature for the wildcard. So, for example !.example.org NSEC zz.example.org is fine. The problem is that most implementers (your author included, but also the Google public DNS people, powerdns and Unbound) then took that record to prove the nothing exists between !.example.org and zz.example.org, whereas in fact it only provides that proof between *.example.org and zz.example.org. This gives an attacker a way to prove that anything between !.example.org and *.example.org doesn't exists, when it may well do so. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: use SIGINT for dnssec time validKevin Darbyshire-Bryant2018-01-151-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Dnsmasq used SIGHUP to do too many things: 1) set dnssec time validation enabled, 2) bump SOA zone serial, 3) clear dns cache, 4) reload hosts files, 5) reload resolvers/servers files. Many subsystems within LEDE can send SIGHUP to dnsmasq: 1) ntpd hotplug (to indicate time is valid for dnssec) 2) odhcpd (to indicate a new/removed host - typically DHCPv6 leases) 3) procd on interface state changes 4) procd on system config state changes, 5) service reload. If dnssec time validation is enabled before the system clock has been set to a sensible time, name resolution will fail. Because name resolution fails, ntpd is unable to resolve time server names to addresses, so is unable to set time. Classic chicken/egg. Since commits 23bba9cb330cd298739a16e350b0029ed9429eef (service reload) & 4f02285d8b4a66359a8fa46f22a3efde391b5419 (system config) make it more likely a SIGHUP will be sent for events other than 'ntpd has set time' it is more likely that an errant 'name resolution is failing for everything' situation will be encountered. Fortunately the upstream dnsmasq people agree and have moved 'check dnssec timestamp enable' from SIGHUP handler to SIGINT. Backport the upstream patch to use SIGINT. ntpd hotplug script updated to use SIGINT. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: send procd signal on service reloadFlorian Eckert2017-12-261-1/+1
| | | | | | | Send a SIGHUP signal via procd to the dnsmasq service so the instance(s) re-read(s) the /tmp/hosts/dhcp config. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* dnsmasq: add DHCP build switch support in full variantHans Dedecker2017-12-101-5/+10
| | | | | | | | Add config option which allows to enable/disable DHCP support at compile time. Make DHCPv6 support dependant on DHCP support as DHCPv6 support implies having DHCP support. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: write atomic host fileHans Dedecker2017-12-071-1/+1
| | | | | | | | | | | Different invocations of the dnsmasq init script (e.g. at startup by procd) will rewrite the dhcp host file which might result into dnsmasq reading an empty dhcp host file as it is being rewritten by the dnsmasq init script. Let the dnsmasq init script first write to a temp dhcp host file so it does not overwrite the contents of the existing dhcp host file. Reported-by: Hartmut Birr <e9hack@gmail.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: backport infinite dns retries fixHans Dedecker2017-12-061-1/+1
| | | | | | | | | | If all configured dns servers return refused in response to a query in strict mode; dnsmasq will end up in an infinite loop retransmitting the dns query resulting into high CPU load. Problem is fixed by checking for the end of a dns server list iteration in strict mode. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* packages: dnsmasq: remove unused stamp fileRoman Yeryomin2017-12-021-1/+1
| | | | | Signed-off-by: Roman Yeryomin <roman@advem.lv> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
* dnsmasq: load instance-specific conf-file if existsEmerson Pinter2017-11-191-1/+1
| | | | | | | Without this change, the instance-specific conf-file is being added to procd_add_jail_mount, but not used by dnsmasq. Signed-off-by: Emerson Pinter <dev@pinter.com.br>
* add PKG_CPE_ID ids to package and toolsAlexander Couzens2017-11-171-0/+1
| | | | | | | | | | | CPE ids helps to tracks CVE in packages. https://cpe.mitre.org/specification/ Thanks to swalker for CPE to package mapping and keep tracking CVEs. Acked-by: Jo-Philipp Wich <jo@mein.io> Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
* dnsmasq: add listen_address parameterChristian Lamparter2017-10-131-1/+1
| | | | | | | | | | | | | | | | | | | | | | | This patch adds a parser for the uci representation of dnsmasq's "-a | --listen-address" option. In summary, this option forces dnsmasq to listen on the given IP address(es). Both interface and listen-address options may be given, in which case the set of both interfaces and addresses is used. Note that if no interface option is given, but listen_address is, dnsmasq will not automatically listen on the loopback interface. To achieve this, the loopback IP addresses, 127.0.0.1 and/or ::1 must be explicitly added. This option is useful for ujailed dnsmasq instances, that would otherwise fail to work properly, because listening to the "This host on this network" address (aka 0.0.0.0 see rfc1700 page 4) may not be allowed. Signed-off-by: Christian Lamparter <chunkeey@gmail.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (PKG_RELEASE increase)
* dnsmasq: bump to v2.78Kevin Darbyshire-Bryant2017-10-021-3/+3
| | | | | | Fixes CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, 2017-CVE-14495, 2017-CVE-14496 Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
* dnsmasq: fix dhcp "ignore" option on wwan interfacesMarcin Jurkowski2017-09-181-1/+1
| | | | | | | | | | | | | | Init script won't append --no-dhcp-interface option if interface protocol is one of: ncm, directip, qmi, mbim. This is caused by IP address assigned to dynamically created netifd interfaces. As a result there's no netmask assigned to the main interface and dhcp_add() function returns prematurely. By moving network subnet check we can ensure that --no-dhcp-interface is properly generated for wwan interfaces. Signed-off-by: Marcin Jurkowski <marcin1j@gmail.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase; move network checks]
* dnsmasq: Pass TARGET_CPPFLAGS to MakefileFlorian Fainelli2017-09-161-1/+1
| | | | | | | | | With the introduction of the ubus notifications, we would now fail building dnsmasq with external toolchains that don't automatically search for headers. Pass TARGET_CPPFLAGS to the Makefile to resolve that. Fixes: 34a206bc1194 ("dnsmasq: add ubus notifications for new leases") Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
* dnsmasq: backport arcount edns0 fixKevin Darbyshire-Bryant2017-09-081-1/+1
| | | | | | | | | Don't return arcount=1 if EDNS0 RR won't fit in the packet. Omitting the EDNS0 RR but setting arcount gives a malformed packet. Also, don't accept UDP packet size less than 512 in received EDNS0. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: backport official fix for CVE-2017-13704Kevin Darbyshire-Bryant2017-09-071-1/+1
| | | | | | | | | Remove LEDE partial fix for CVE-2017-13704. Backport official fix from upstream. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (PKG_RELEASE increase)
* dnsmasq: forward.c: fix CVE-2017-13704Kevin Darbyshire-Bryant2017-08-301-1/+1
| | | | | | | | | | | | | | | | Fix SIGSEGV in rfc1035.c answer_request() line 1228 where memset() is called with header & limit pointing at the same address and thus tries to clear memory from before the buffer begins. answer_request() is called with an invalid edns packet size provided by the client. Ensure the udp_size provided by the client is bounded by 512 and configured maximum as per RFC 6891 6.2.3 "Values lower than 512 MUST be treated as equal to 512" The client that exposed the problem provided a payload udp size of 0. Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk> Acked-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: add support for multiple tags for each host.Kuang Rufan2017-08-251-1/+1
| | | | | | | | | | | | | | | | | | | | | | | Currently, dnsmasq support assigning multiple tags to a host record (--dhcp-host), but we only support only 1 tag for a host. The commit makes the following config to be valid: config host option name 'computer' option mac '00:11:22:33:44:55' option ip '192.168.1.100' list tag 'vendor_class' list tag 'vendor_id' config tag 'vendor_class' list dhcp_option 'option:vendor-class,00:...<omitted>' config tag 'vendor_id' option force '1' list dhcp_option 'option:vendor-id-encap,00:...<omitted>' Signed-off-by: Kuang Rufan <kuangrufan@pset.suntec.net> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>