[openwrt/openwrt] dnsmasq: bump release to 2.91

LEDE Commits lede-commits at lists.infradead.org
Sun Apr 13 12:29:50 PDT 2025


robimarko pushed a commit to openwrt/openwrt.git, branch main:
https://git.openwrt.org/b0d43be2f3ab56b7f5359cc7f86922db22c09590

commit b0d43be2f3ab56b7f5359cc7f86922db22c09590
Author: Rudy Andram <rmandrad at gmail.com>
AuthorDate: Thu Mar 27 10:55:59 2025 +0000

    dnsmasq: bump release to 2.91
    
    updated 200-ubus_dns.patch
    all remaining patches not required
    
    Changelog for version 2.91 - https://thekelleys.org.uk/dnsmasq/CHANGELOG
    
    version 2.91
            Fix spurious "resource limit exceeded messages". Thanks to
            Dominik Derigs for the bug report.
    
            Fix out-of-bounds heap read in order_qsort().
            We only need to order two server records on the ->serial field.
            Literal address records are smaller and don't have
            this field and don't need to be ordered on it.
            To actually provoke this bug seems to need the same server-literal
            to be repeated twice, e.g., --address=/a/1.1.1.1 --address-/a/1.1.1.1
            which is clearly rare in the wild, but if it did exist it could
            provoke a SIGSEGV. Thanks to Daniel Rhea for fuzzing this one.
    
            Fix buffer overflow when configured lease-change script name
            is too long.
            Thanks to Daniel Rhea for finding this one.
    
            Improve behaviour in the face of non-responsive upstream TCP DNS
            servers. Without shorter timeouts, clients are blocked for too long
            and fail with their own timeouts.
    
            Set --fast-dns-retries by default when doing DNSSEC. A single
            downstream query can trigger many upstream queries. On an
            unreliable network, there may not be enough downstream retries
            to ensure that all these queries complete.
    
            Improve behaviour in the face of truncated answers to queries
            for DNSSEC records. Getting these answers by TCP doesn't now
            involve a faked truncated answer to the downstream client to
            force it to move to TCP. This improves performance and robustness
            in the face of broken clients which can't fall back to TCP.
    
            No longer remove data from truncated upstream answers. If an
            upstream replies with a truncated answer, but the answer has some
            RRs included, return those RRs, rather than returning an
            empty answer.
    
            Fix handling of EDNS0 UDP packet sizes.
            When talking upstream we always add a pseudo header, and set the
            UDP packet size to --edns-packet-max. Answering queries from
            downstream, we get the answer (either from upstream or local
            data) If local data won't fit the advertised size (or 512 if
            there's not an EDNS0 header) return truncated. If upstream
            returns truncated, do likewise. If upstream is OK, but the
            answer is too big for downstream, truncate the answer.
    
            Modify the behaviour of --synth-domain for IPv6.
            When deriving a domain name from an IPv6 address, an address
            such as 1234:: would become 1234--.example.com, which is
            not legal in IDNA2008. Stop using the :: compression method,
            so 1234:: becomes
            1234-0000-0000-0000-0000-0000-0000-0000.example.com
    
            Fix broken dhcp-relay on *BSD. Thanks to Harold for finding
            this problem.
    
            Add --dhcp-option-pxe config. This acts almost exactly like
            --dhcp-option except that the defined option is only sent when
            replying to PXE clients. More importantly, these options are sent
            in reply to PXE clients when dnsmasq is acting in PXE proxy mode. In
            PXE proxy mode, the set of options sent is defined by the PXE standard
            and the normal set of options is not sent. This config allows arbitrary
            options in PXE-proxy replies. A typical use-case is to send option
            175 to iPXE. Thanks to Jason Berry for finding the requirement for
            this.
    
            Support PXE proxy-DHCP and DHCP-relay at the same time.
            When using PXE proxy-DHCP, dnsmasq supplies PXE information to
            the client, which also talks to another "normal" DHCP server
            for address allocation and similar. The normal DHCP server may
            be on the local network, but it may also be remote, and accessed via
            a DHCP relay. This change allows dnsmasq to act as both a
            PXE proxy-DHCP server AND a DHCP relay for the same network.
    
            Fix erroneous "DNSSEC validated" state with non-DNSSEC
            upstream servers.  Thanks to Dominik Derigs for the bug report.
    
            Handle queries with EDNS client subnet fields better. If dnsmasq
            is configured to add an EDNS client subnet to a query, it is careful
            to suppress use of the cache, since a cached answer may not be valid
            for a query with a different client subnet. Extend this behaviour
            to queries which arrive at dnsmasq already carrying an EDNS client
            subnet.
    
            Handle DS queries to auth zones. When dnsmasq is configured to
            act as an authoritative server and has an authoritative zone
            configured, and receives a query for that zone _as_forwarder_
            it answers the query directly rather than forwarding it. This
            doesn't affect the answer, but it saves dnsmasq forwarding the
            query to the recursor upstream, which then bounces it back to dnsmasq
            in auth mode. The exception should be when the query is for the root
            of zone, for a DS RR. The answer to that has to come from the parent,
            via the recursor, and will typically be a proof-of-non-existence
            since dnsmasq doesn't support signed zones. This patch suppresses
            local answers and forces forwarding to the upstream recursor for such
            queries. It stops breakage when a DNSSEC validating client makes
            queries to dnsmasq acting as forwarder for a zone for which it is
            authoritative.
    
            Implement "DNS-0x20 encoding", for extra protection against
            reply-spoof attacks. Since DNS queries are case-insensitive,
            it's possible to randomly flip the case of letters in a query
            and still get the correct answer back.
            This adds an extra dimension for a cache-poisoning attacker
            to guess when sending replies in-the-blind since it's expected
            that the legitimate answer will have the same pattern of upper
            and lower case as the query, so any replies which don't can be
            ignored as malicious. The amount of extra entropy clearly depends
            on the number of a-z and A-Z characters in the query, and this
            implementation puts a hard limit of 32 bits to make resource
            allocation easy. This about doubles entropy over the standard
            random ID and random port combination. This technique can interact
            badly with rare broken DNS servers which don't preserve the case
            of the query in their reply. The first time a reply is returned
            which matches the query in all respects except case, a warning
            will be logged. In this release, 0x20-encoding is default-off
            and must be explicitly enabled with --do-0x20-encoding. In future
            releases it may default on. You can avoid a future release
            changing the behaviour of an installation with --no-x20-encode.
    
            Fix a long-standing problem when two queries which are identical
            in every respect _except_ case, get combined by dnsmasq. If
            dnsmasq gets eg, two queries for example.com and Example.com
            in quick succession it will get the answer for example.com from
            upstream and send that answer to both requestors. This means that
            the query for Example.com will get an answer for example.com, and
            in the modern DNS, that answer may not be accepted.
    
    Signed-off-by: Rudy Andram <rmandrad at gmail.com>
    Link: https://github.com/openwrt/openwrt/pull/18357
    Signed-off-by: Robert Marko <robimarko at gmail.com>
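The DNS-0x20 entry above (random case in the query name, a hard 32-bit cap, replies that differ only in case treated as suspect) and the Example.com/example.com combining bug are easier to reason about with the mechanics written out. The following is an added illustration, not dnsmasq's code: the bit-to-letter mapping, the `classify_reply` outcomes and the assumption of a uniformly random 16-bit source port are this example's own choices that mirror the changelog text, not dnsmasq's implementation.

```python
"""DNS-0x20 query-name case encoding, written out to mirror the 2.91 changelog.

Added illustration only; the mapping of pattern bits to letters, the name of
the 32-bit cap and the reply classification are assumptions of this example,
not dnsmasq's implementation.
"""
import secrets

MAX_0X20_BITS = 32  # the changelog's hard limit on case-flip entropy


def entropy_bits(qname: str) -> int:
    """Extra bits a blind spoofer has to guess for this name, capped at 32."""
    n = sum(1 for c in qname if c.isascii() and c.isalpha())
    return min(n, MAX_0X20_BITS)


def encode_0x20(qname: str, pattern: int) -> str:
    """Apply a case pattern: bit i of `pattern` sets the case of the i-th ASCII
    letter (1 = upper). Letters past the 32-bit cap are forced to lowercase and
    non-letters are copied unchanged, so the result is the same owner name."""
    out, i = [], 0
    for ch in qname:
        if ch.isascii() and ch.isalpha():
            if i < MAX_0X20_BITS and (pattern >> i) & 1:
                out.append(ch.upper())
            else:
                out.append(ch.lower())
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def random_pattern() -> int:
    """Fresh pattern per upstream query, from the OS CSPRNG."""
    return secrets.randbits(MAX_0X20_BITS)


def classify_reply(sent_qname: str, reply_qname: str) -> str:
    """'match': the reply echoes our exact case pattern, accept it.
    'case-mismatch': same name ignoring case; either an upstream that does not
    preserve case (the changelog says the first such reply is logged) or a
    spoofed reply that guessed ID and port but not the pattern.
    'different': not an answer to this question at all."""
    if reply_qname == sent_qname:
        return "match"
    if reply_qname.lower() == sent_qname.lower():
        return "case-mismatch"
    return "different"


def blind_spoof_success_probability(qname: str, with_0x20: bool) -> float:
    """Chance one in-the-blind reply matches the 16-bit ID, the source port and,
    when enabled, the case pattern. Assumes a uniformly random 16-bit port,
    which real resolvers only approximate with their ephemeral range."""
    bits = 16 + 16 + (entropy_bits(qname) if with_0x20 else 0)
    return 2.0 ** -bits


if __name__ == "__main__":
    sent = encode_0x20("example.com", random_pattern())
    print(sent, classify_reply(sent, sent), classify_reply(sent, "example.com"))
    # Why the combining bug matters: two downstream queries that differ only in
    # case are two different questions once case is significant to the client.
    print(classify_reply("Example.com", "example.com"))
```

The cap shows up in `entropy_bits`: a long name such as forty letters still contributes only 32 bits, which is what makes a fixed 32-bit pattern per query cheap to store and compare.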
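The --synth-domain change above (1234:: no longer becomes 1234--.example.com but the fully expanded 1234-0000-0000-0000-0000-0000-0000-0000.example.com) can be checked against the label rules that made the old form illegal. This is an added example, not dnsmasq's code: the function names, the pre-2.91 reconstruction and the label validator are this example's own, built from the changelog text and RFC 5891 section 4.2.3.1; the IPv4 form and the `internal-` prefix follow the documented --synth-domain usage.

```python
"""Owner-name derivation for --synth-domain before and after dnsmasq 2.91.

Added example, not dnsmasq's code. synth_label_pre_2_91 reconstructs the old
IPv6 behaviour from the changelog description only.
"""
import ipaddress


def synth_label(addr: str) -> str:
    """2.91 behaviour: IPv4 dots become hyphens; IPv6 is fully expanded to eight
    4-hex-digit groups joined by hyphens, never using :: compression."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return str(ip).replace(".", "-")
    return ip.exploded.replace(":", "-")


def synth_label_pre_2_91(addr: str) -> str:
    """Pre-2.91 behaviour as the changelog describes it: hyphens substituted into
    the compressed textual form, so 1234:: turns into '1234--'."""
    return str(ipaddress.ip_address(addr)).replace(":", "-").replace(".", "-")


def synth_name(addr: str, domain: str, prefix: str = "") -> str:
    """Full synthesised name, e.g. internal-192-168-0-56.example.com."""
    return f"{prefix}{synth_label(addr)}.{domain}"


def label_to_address(label: str) -> ipaddress._BaseAddress:
    """Reverse mapping for a label produced by synth_label (no prefix)."""
    if label.count("-") == 7:
        return ipaddress.ip_address(label.replace("-", ":"))
    if label.count("-") == 3:
        return ipaddress.ip_address(label.replace("-", "."))
    raise ValueError(f"not a synthesised label: {label!r}")


def label_is_ldh_valid(label: str) -> bool:
    """LDH label rules that IDNA2008 (RFC 5891 section 4.2.3.1) applies: 1..63
    letters, digits or hyphens; no leading or trailing hyphen; no '--' in the
    third and fourth positions. '1234--' ends with a hyphen and so fails."""
    if not 1 <= len(label) <= 63:
        return False
    if not all(c.isascii() and (c.isalnum() or c == "-") for c in label):
        return False
    if label[0] == "-" or label[-1] == "-":
        return False
    if len(label) >= 4 and label[2:4] == "--":
        return False
    return True


if __name__ == "__main__":
    for a in ("1234::", "::1", "2001:db8::1", "192.168.0.56"):
        old, new = synth_label_pre_2_91(a), synth_label(a)
        print(f"{a:14} old={old!r:44} ok={label_is_ldh_valid(old)}  "
              f"new={new!r} ok={label_is_ldh_valid(new)}")
```

Note the round trip: `label_to_address(synth_label("1234::"))` parses back to the same address, which the old compressed form could not guarantee once a client had normalised the name.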
---
 package/network/services/dnsmasq/Makefile          |  6 +-
 ...spurious-resource-limit-exceeded-messages.patch | 43 ----------
 ...rror-introduced-in-51471cafa5a4fa44d6fe49.patch | 31 -------
 .../0003-Handle-DS-queries-to-auth-zones.patch     | 98 ----------------------
 .../services/dnsmasq/patches/200-ubus_dns.patch    | 14 ++--
 5 files changed, 10 insertions(+), 182 deletions(-)

diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile
index 47a5ae54ae..5290f1e468 100644
--- a/package/network/services/dnsmasq/Makefile
+++ b/package/network/services/dnsmasq/Makefile
@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dnsmasq
-PKG_UPSTREAM_VERSION:=2.90
+PKG_UPSTREAM_VERSION:=2.91
 PKG_VERSION:=$(subst test,~~test,$(subst rc,~rc,$(PKG_UPSTREAM_VERSION)))
-PKG_RELEASE:=4
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_UPSTREAM_VERSION).tar.xz
 PKG_SOURCE_URL:=https://thekelleys.org.uk/dnsmasq/
-PKG_HASH:=8e50309bd837bfec9649a812e066c09b6988b73d749b7d293c06c57d46a109e4
+PKG_HASH:=f622682848b33677adb2b6ad08264618a2ae0a01da486a93fd8cd91186b3d153
 
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
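Review bot: the new `+PKG_HASH:=f622682848b33677adb2b6ad08264618a2ae0a01da486a93fd8cd91186b3d153` line is the only thing tying this build to the genuine upstream tarball, so it should be checked against an independently fetched dnsmasq-2.91.tar.xz from PKG_SOURCE_URL (sha256sum) or the upstream .asc signature before merge, not just copied from the PR; resetting `PKG_RELEASE:=1` on the version bump is correct, and the `PKG_VERSION` subst line still handles test/rc suffixes unchanged.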
diff --git a/package/network/services/dnsmasq/patches/0001-Fix-spurious-resource-limit-exceeded-messages.patch b/package/network/services/dnsmasq/patches/0001-Fix-spurious-resource-limit-exceeded-messages.patch
deleted file mode 100644
index f25ee20413..0000000000
--- a/package/network/services/dnsmasq/patches/0001-Fix-spurious-resource-limit-exceeded-messages.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 1ed783b8d7343c42910a61f12a8fc6237eb80417 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon at thekelleys.org.uk>
-Date: Mon, 19 Feb 2024 12:22:43 +0000
-Subject: Fix spurious "resource limit exceeded" messages.
-
-Replies from upstream with a REFUSED rcode can result in
-log messages stating that a resource limit has been exceeded,
-which is not the case.
-
-Thanks to Dominik Derigs and the Pi-hole project for
-spotting this.
----
- CHANGELOG     | 5 +++++
- src/forward.c | 6 +++---
- 2 files changed, 8 insertions(+), 3 deletions(-)
-
---- a/CHANGELOG
-+++ b/CHANGELOG
-@@ -1,3 +1,8 @@
-+version 2.91
-+	Fix spurious "resource limit exceeded messages". Thanks to 
-+	Dominik Derigs for the bug report.
-+	
-+
- version 2.90
- 	Fix reversion in --rev-server introduced in 2.88 which
- 	caused breakage if the prefix length is not exactly divisible
---- a/src/forward.c
-+++ b/src/forward.c
-@@ -937,10 +937,10 @@ static void dnssec_validate(struct frec
- 	status = dnssec_validate_reply(now, header, plen, daemon->namebuff, daemon->keyname, &forward->class, 
- 				       !option_bool(OPT_DNSSEC_IGN_NS) && (forward->sentto->flags & SERV_DO_DNSSEC),
- 				       NULL, NULL, NULL, &orig->validate_counter);
--    }
- 
--  if (STAT_ISEQUAL(status, STAT_ABANDONED))
--    log_resource = 1;
-+      if (STAT_ISEQUAL(status, STAT_ABANDONED))
-+	log_resource = 1;
-+    }
-   
-   /* Can't validate, as we're missing key data. Put this
-      answer aside, whilst we get that. */     
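Review bot: dropping this backport is consistent with the quoted 2.91 changelog, whose first entry ("Fix spurious "resource limit exceeded messages"") is the same fix as the patch's own CHANGELOG hunk and upstream commit 1ed783b8d7343c42910a61f12a8fc6237eb80417; the commit message's "all remaining patches not required" would be easier to verify if it named the upstream commits that supersede each removed file, as it is only this one and 0003 can be matched against the changelog text.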
diff --git a/package/network/services/dnsmasq/patches/0002-PATCH-Fix-error-introduced-in-51471cafa5a4fa44d6fe49.patch b/package/network/services/dnsmasq/patches/0002-PATCH-Fix-error-introduced-in-51471cafa5a4fa44d6fe49.patch
deleted file mode 100644
index 5c50ae8446..0000000000
--- a/package/network/services/dnsmasq/patches/0002-PATCH-Fix-error-introduced-in-51471cafa5a4fa44d6fe49.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From ccff85ad72d2f858d9743d40525128e4f62d41a8 Mon Sep 17 00:00:00 2001
-From: renmingshuai <renmingshuai at huawei.com>
-Date: Wed, 21 Feb 2024 00:24:25 +0000
-Subject: [PATCH] Fix error introduced in
- 51471cafa5a4fa44d6fe490885d9910bd72a5907
-
-Signed-off-by: renmingshuai <renmingshuai at huawei.com>
----
- src/dnssec.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/src/dnssec.c
-+++ b/src/dnssec.c
-@@ -1547,7 +1547,7 @@ static int prove_non_existence_nsec3(str
-       nsecs[i] = NULL; /* Speculative, will be restored if OK. */
-       
-       if (!(p = skip_name(nsec3p, header, plen, 15)))
--	return 0; /* bad packet */
-+	return DNSSEC_FAIL_BADPACKET; /* bad packet */
-       
-       p += 10; /* type, class, TTL, rdlen */
-       
-@@ -1640,7 +1640,7 @@ static int prove_non_existence_nsec3(str
-   if (!wildname)
-     {
-       if (!(wildcard = strchr(next_closest, '.')) || wildcard == next_closest)
--	return 0;
-+	return DNSSEC_FAIL_NONSEC;
-       
-       wildcard--;
-       *wildcard = '*';
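Review bot: nothing in the quoted 2.91 changelog mentions this fix (returning DNSSEC_FAIL_BADPACKET and DNSSEC_FAIL_NONSEC instead of 0 from prove_non_existence_nsec3), so the "not required" claim for this file rests on upstream commit ccff85ad72d2f858d9743d40525128e4f62d41a8 being in the 2.91 tarball; confirm both `return DNSSEC_FAIL_BADPACKET;` and `return DNSSEC_FAIL_NONSEC;` are present in 2.91's src/dnssec.c before removing, since the patch subject says it corrects an error introduced by 51471cafa5a4fa44d6fe490885d9910bd72a5907 and silently losing it would revert a DNSSEC validation fix.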
diff --git a/package/network/services/dnsmasq/patches/0003-Handle-DS-queries-to-auth-zones.patch b/package/network/services/dnsmasq/patches/0003-Handle-DS-queries-to-auth-zones.patch
deleted file mode 100644
index bd7270c904..0000000000
--- a/package/network/services/dnsmasq/patches/0003-Handle-DS-queries-to-auth-zones.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From 8ce27433f8b2e17c557cb55e4f16941d309deeac Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon at thekelleys.org.uk>
-Date: Fri, 17 Jan 2025 17:49:29 +0000
-Subject: [PATCH] Handle DS queries to auth zones.
-Origin: upstream, v2.91test8
-
-When dnsmasq is configured to act as an authoritative server and has
-an authoritative zone configured, and recieves a query for
-that zone _as_forwarder_ it answers the query directly rather
-than forwarding it. This doesn't affect the answer, but it
-saves dnsmasq forwarding the query to the recusor upstream,
-whch then bounces it back to dnsmasq in auth mode. The
-exception should be when the query is for the root of zone, for a DS
-RR. The answer to that has to come from the parent, via the
-recursor, and will typically be a proof-of-nonexistence since
-dnsmasq doesn't support signed zones. This patch suppresses
-local answers and forces forwarding to the upstream recursor
-for such queries. It stops breakage when a DNSSEC validating
-client makes queries to dnsmasq acting as forwarder for a zone
-for which it is authoritative.
-
-[ukleinek: drop changes to CHANGELOG to prevent conflicts]
----
- src/forward.c | 52 +++++++++++++++++++++++++++++++++++++--------------
- 1 file changed, 38 insertions(+), 14 deletions(-)
-
---- a/src/forward.c
-+++ b/src/forward.c
-@@ -1744,15 +1744,27 @@ void receive_query(struct listener *list
- #endif
- 
- #ifdef HAVE_AUTH
--      /* find queries for zones we're authoritative for, and answer them directly */
-+      /* Find queries for zones we're authoritative for, and answer them directly.
-+	 The exception to this is DS queries for the zone route. They
-+	 have to come from the parent zone. Since dnsmasq's auth server
-+	 can't do DNSSEC, the zone will be unsigned, and anything using
-+	 dnsmasq as a forwarder and doing validation will be expecting to
-+	 see the proof of non-existence from the parent. */
-       if (!auth_dns && !option_bool(OPT_LOCALISE))
- 	for (zone = daemon->auth_zones; zone; zone = zone->next)
--	  if (in_zone(zone, daemon->namebuff, NULL))
--	    {
--	      auth_dns = 1;
--	      local_auth = 1;
--	      break;
--	    }
-+	  {
-+	    char *cut;
-+	    
-+	    if (in_zone(zone, daemon->namebuff, &cut))
-+	      {
-+		if (type != T_DS || cut)
-+		  {
-+		    auth_dns = 1;
-+		    local_auth = 1;
-+		  }
-+		break;
-+	      }
-+	  }
- #endif
-       
- #ifdef HAVE_LOOP
-@@ -2268,15 +2280,27 @@ unsigned char *tcp_request(int confd, ti
- 				   &peer_addr, auth_dns ? "auth" : "query", qtype);
- 	      
- #ifdef HAVE_AUTH
--	      /* find queries for zones we're authoritative for, and answer them directly */
-+	      /* Find queries for zones we're authoritative for, and answer them directly.
-+		 The exception to this is DS queries for the zone route. They
-+		 have to come from the parent zone. Since dnsmasq's auth server
-+		 can't do DNSSEC, the zone will be unsigned, and anything using
-+		 dnsmasq as a forwarder and doing validation will be expecting to
-+		 see the proof of non-existence from the parent. */
- 	      if (!auth_dns && !option_bool(OPT_LOCALISE))
- 		for (zone = daemon->auth_zones; zone; zone = zone->next)
--		  if (in_zone(zone, daemon->namebuff, NULL))
--		    {
--		      auth_dns = 1;
--		      local_auth = 1;
--		      break;
--		    }
-+		  {
-+		    char *cut;
-+		    
-+		    if (in_zone(zone, daemon->namebuff, &cut))
-+		      {
-+			if (qtype != T_DS || cut)
-+			  {
-+			    auth_dns = 1;
-+			    local_auth = 1;
-+			  }
-+			break;
-+		      }
-+		  }
- #endif
- 	    }
- 	}
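Review bot: the patch header's "Origin: upstream, v2.91test8" and the matching "Handle DS queries to auth zones" entry in the quoted changelog justify dropping this file; worth keeping in mind for the OpenWrt auth-zone use case is the behaviour the removed hunks encode in both receive_query() and tcp_request(): when `in_zone()` matches and `cut` is NULL (query at the zone apex) with type T_DS, `auth_dns`/`local_auth` stay unset and the query is forwarded so a validating client gets the parent's proof of non-existence, and that should be spot-checked with a DS query against a 2.91 build after the update.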
diff --git a/package/network/services/dnsmasq/patches/200-ubus_dns.patch b/package/network/services/dnsmasq/patches/200-ubus_dns.patch
index 72acbaeba9..a1a668818e 100644
--- a/package/network/services/dnsmasq/patches/200-ubus_dns.patch
+++ b/package/network/services/dnsmasq/patches/200-ubus_dns.patch
@@ -1,16 +1,16 @@
 --- a/src/dnsmasq.c
 +++ b/src/dnsmasq.c
-@@ -2021,6 +2021,10 @@ static void check_dns_listeners(time_t n
- 		  daemon->pipe_to_parent = pipefd[1];
- 		}
+@@ -2097,6 +2097,10 @@
+       daemon->pipe_to_parent = pipefd[1];
+     }
  
 +#ifdef HAVE_UBUS
-+	      drop_ubus_listeners();
++	  drop_ubus_listeners();
 +#endif
 +
- 	      /* start with no upstream connections. */
- 	      for (s = daemon->servers; s; s = s->next)
- 		 s->tcpfd = -1; 
+   /* The connected socket inherits non-blocking
+      attribute from the listening socket. 
+      Reset that here. */
 --- a/src/dnsmasq.h
 +++ b/src/dnsmasq.h
 @@ -1670,14 +1670,26 @@ void emit_dbus_signal(int action, struct
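Review bot: the rebased hunk places `drop_ubus_listeners();` at a shallower indentation and swaps the following context from the "start with no upstream connections" loop to the non-blocking-socket reset comment, so the call site has moved relative to the surrounding code, not just shifted line numbers; confirm in 2.91's src/dnsmasq.c that the new `@@ -2097,6 +2097,10 @@` location is still in the forked TCP child (the `daemon->pipe_to_parent = pipefd[1];` context suggests it is) and not reachable in the parent, because dropping the ubus listeners in the parent would break ubus DNS reporting for all later queries. Separately, the regenerated header lost the function-name context that the old `@@ -2021,6 +2021,10 @@ static void check_dns_listeners` line carried; patch tolerates that, but refreshing with function context (diff -p, or `git diff`) keeps the patch reviewable.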