
From:
Brad Smith <brad@comstyle.com>
Subject:
UPDATE: dnsmasq 2.92
To:
ports@openbsd.org
Date:
Thu, 15 Jan 2026 12:16:31 -0500


Here is an update to dnsmasq 2.92.


version 2.92
	Redesign the interaction between DNSSEC validation and per-domain
	servers, specified as --server=/<domain>/<ip-address>. This should
	just work in all cases now. If the normal chain-of-trust exists into
	the delegated domain then whether the domain is signed or not, DNSSEC
	validation will function normally. In the case the delegated domain
	is an "overlay" on top of the global DNS and no NS and/or DS records
	exist connecting it to the global dns, then if the domain is
	unsigned the situation will be handled by synthesising a
	proof-of-non-existence-of-DS for the domain and queries will be
	answered unvalidated; this action will be logged. A signed domain
	without chain-of-trust can be validated if a suitable trust-anchor
	is provided using --trust-anchor. This change should be backwards
	compatible for all existing working configurations; it extends the
	space of possible configurations which are functional.

	Fix a couple of problems with DNSSEC validation and DNAME. One
	could cause validation failure on correct domains, and the other
	would fail to spot an invalid domain. Thanks to Graham Clinch
	for spotting the problem.

	Add --log-queries=auth option to only log replies from the auth DNS
	facility.

	Fix some edge-cases with domains and --address and --server. There
	have been some regressions with this in previous releases. This change
	fixes the priority order from lowest to highest as:
	--address with an IPv4 or IPv6 address (as long as the query matches the type)
	--address with # for all-zeros (as long as the query is A or AAAA)
	--address with no address, which returns NXDOMAIN or NOERROR for all types.
	--server with address set to # to use the unqualified servers.
	--server with matching domain.
	--server without domain or from /etc/resolv.conf.

	Fix problems with ipset or nftset and TCP DNS transport. Previously
	this was racy, and insertion of addresses could fail on a busy server
	when DNS-over-TCP transport was involved.

	DNSSEC validation change for reverse lookups in RFC-1918 ranges and friends.
	The large public DNS services seem not to return proof-of-nonexistence
	for DS records at the start of RFC-1918 in-addr.arpa domains and their
	IPv6 equivalents (10.in-addr.arpa, 168.192.in-addr.arpa, etc.).
	Since dnsmasq already has an option which instructs it not to bother
	upstream servers with pointless queries about these address ranges,
	namely --bogus-priv, we extend that to enable behaviour which allows
	dnsmasq to assume that insecure NXDOMAIN replies for these domains
	are expected and to assume that the domains are legitimately unsigned.
	This behaviour only matters when some address range is directed to
	another upstream server using --rev-server. In that case it allows
	replies from that server to pass DNSSEC validation. Without such a
	server configured, queries are never sent upstream so they are never
	validated and the new behaviour is moot.

	Add support for leasequery to the dnsmasq DHCPv4 server.
	This has to be specifically enabled with the --leasequery option.
	Many thanks to JAXPORT, Jacksonville Port Authority for sponsoring
	this enhancement to dnsmasq.

	Fix failure to cache PTR RRs when a reply contains more than one answer.
	Thanks to Dmitry for spotting this.

	Add TFTP options windowsize (RFC 7440) and timeout (RFC 2349).
	Change the behaviour of the DHCPv6 server when a REBIND message
	is received but no lease exists. Under these circumstances a new
	lease is created _only_ when the --dhcp-authoritative option is
	set. This matches the behavior of the DHCPv4 server.

	Add --dhcp-split-relay option. This makes a DHCPv4 relay which
	is functional when client and server networks aren't mutually
	routable.

	Fix failure to add client MAC address to queries in TCP mode.
	The options which cause dnsmasq to decorate a DNS query with the MAC
	address of the originating client can fail when the query is sent
	using TCP. Thanks to Bruno Ravara for spotting and
	characterising this bug.


Index: Makefile
===================================================================
RCS file: /cvs/ports/net/dnsmasq/Makefile,v
retrieving revision 1.70
diff -u -p -u -p -r1.70 Makefile
--- Makefile	21 Mar 2025 11:59:14 -0000	1.70
+++ Makefile	15 Jan 2026 17:12:40 -0000
@@ -1,6 +1,6 @@
 COMMENT=	lightweight caching DNS forwarder, DHCP and TFTP server
 
-DISTNAME=	dnsmasq-2.91
+DISTNAME=	dnsmasq-2.92
 CATEGORIES=	net
 SITES=		https://thekelleys.org.uk/dnsmasq/
 EXTRACT_SUFX=	.tar.xz
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/dnsmasq/distinfo,v
retrieving revision 1.46
diff -u -p -u -p -r1.46 distinfo
--- distinfo	21 Mar 2025 11:59:14 -0000	1.46
+++ distinfo	15 Jan 2026 17:12:40 -0000
@@ -1,2 +1,2 @@
-SHA256 (dnsmasq-2.91.tar.xz) = 9iJoKEizNnetsratCCZGGKKuCgHaSGqT/YzZEYaz0VM=
-SIZE (dnsmasq-2.91.tar.xz) = 576820
+SHA256 (dnsmasq-2.92.tar.xz) = S/UMLBAY+fvCYDffUbkOzqDLc9RhYoRnY7kt8NbDpFg=
+SIZE (dnsmasq-2.92.tar.xz) = 637752
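Review bot: the new SHA256 and SIZE lines are the only thing in this diff that pins the update to a specific tarball, so confirm they were generated from the archive fetched from the SITES URL in the Makefile hunk (https://thekelleys.org.uk/dnsmasq/) rather than from a locally unpacked or modified copy; nothing else in the diff can attest to the archive's integrity.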
Index: patches/patch-man_dnsmasq_8
===================================================================
RCS file: /cvs/ports/net/dnsmasq/patches/patch-man_dnsmasq_8,v
retrieving revision 1.35
diff -u -p -u -p -r1.35 patch-man_dnsmasq_8
--- patches/patch-man_dnsmasq_8	21 Mar 2025 11:59:14 -0000	1.35
+++ patches/patch-man_dnsmasq_8	15 Jan 2026 17:12:40 -0000
@@ -1,7 +1,7 @@
 Index: man/dnsmasq.8
 --- man/dnsmasq.8.orig
 +++ man/dnsmasq.8
-@@ -167,13 +167,12 @@ Specify an alternate path for dnsmasq to record its pr
+@@ -168,13 +168,12 @@ Specify an alternate path for dnsmasq to record its pr
  .TP
  .B \-u, --user=<username>
  Specify the userid to which dnsmasq will change after startup. Dnsmasq must normally be started as root, but it will drop root 
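Review bot: only the hunk header offset changes here (167 to 168), with the context lines untouched; a regenerated patch against the 2.92 man page is preferable to a hand-edited offset, because that is what keeps the stored context lines in step with the new upstream text and avoids a fuzz-applied patch at build time.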
@@ -17,7 +17,7 @@ Index: man/dnsmasq.8
  .TP
  .B \-v, --version
  Print the version number.
-@@ -2294,7 +2293,7 @@ handle each TCP request. The default maximum is 20.
+@@ -2337,7 +2336,7 @@ handle each TCP request. The default maximum is 20.
  
  .SH CONFIG FILE
  At startup, dnsmasq reads
@@ -26,7 +26,7 @@ Index: man/dnsmasq.8
  if it exists. (On
  FreeBSD, the file is 
  .I /usr/local/etc/dnsmasq.conf
-@@ -2763,7 +2762,7 @@ dnsmasq has no direct way of determining the charset i
+@@ -2806,7 +2805,7 @@ dnsmasq has no direct way of determining the charset i
  assume that it is the system default. 
   
  .SH FILES
Index: patches/patch-src_config_h
===================================================================
RCS file: /cvs/ports/net/dnsmasq/patches/patch-src_config_h,v
retrieving revision 1.31
diff -u -p -u -p -r1.31 patch-src_config_h
--- patches/patch-src_config_h	21 Mar 2025 11:59:14 -0000	1.31
+++ patches/patch-src_config_h	15 Jan 2026 17:12:40 -0000
@@ -1,7 +1,7 @@
 Index: src/config.h
 --- src/config.h.orig
 +++ src/config.h
-@@ -48,8 +48,8 @@
+@@ -49,8 +49,8 @@
  #define ETHERSFILE "/etc/ethers"
  #define DEFLEASE 3600 /* default DHCPv4 lease time, one hour */
  #define DEFLEASE6 (3600*24) /* default lease time for DHCPv6. One day. */
@@ -10,9 +10,9 @@ Index: src/config.h
 +#define CHUSER "_dnsmasq"
 +#define CHGRP "_dnsmasq"
  #define TFTP_MAX_CONNECTIONS 50 /* max simultaneous connections */
- #define LOG_MAX 5 /* log-queue length */
- #define RANDFILE "/dev/urandom"
-@@ -218,7 +218,7 @@ RESOLVFILE
+ #define TFTP_MAX_WINDOW 32 /* max window size to negotiate */
+ #define TFTP_TRANSFER_TIME 120 /* Abandon TFTP transfers after this long. Two mins. */
+@@ -222,7 +222,7 @@ RESOLVFILE
  #   if defined(__FreeBSD__)
  #      define CONFFILE "/usr/local/etc/dnsmasq.conf"
  #   else
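Review bot: the context after the CHUSER/CHGRP defines changes from LOG_MAX/RANDFILE to TFTP_MAX_WINDOW/TFTP_TRANSFER_TIME, which is consistent with the changelog entry adding the TFTP windowsize (RFC 7440) and timeout (RFC 2349) options rather than a stray edit; worth a glance that the upstream TFTP_MAX_WINDOW of 32 is acceptable for the port since this patch now carries it as context. The hunk is cut off after the `#   else` line, so the remainder of the CONFFILE change cannot be reviewed from what is shown.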
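The --address/--server precedence listed in the changelog, as an added example that models the stated order; this is not dnsmasq's code, and the longest-matching-domain step, the `Rule` shape and the sample configuration are assumptions made for the illustration.

```python
# Model of the --address / --server precedence from the dnsmasq 2.92
# changelog. Not dnsmasq code: the longest-matching-domain step and the
# data shapes below are assumptions made for this illustration.
from dataclasses import dataclass

# Priority from lowest to highest, in the order the changelog lists them.
PRIORITY = [
    "server-default",      # --server without domain, or /etc/resolv.conf
    "server-domain",       # --server=/<domain>/<ip-address>
    "server-unqualified",  # --server=/<domain>/#  (use the unqualified servers)
    "address-nxdomain",    # --address=/<domain>/  (NXDOMAIN/NOERROR for all types)
    "address-zero",        # --address=/<domain>/# (all-zeros, A or AAAA only)
    "address-ip",          # --address=/<domain>/<ipv4 or ipv6>
]


@dataclass
class Rule:
    kind: str     # one of PRIORITY
    domain: str   # "" means the global default (no domain)
    value: str    # address, "#" or "" depending on kind


def applies(rule, qtype):
    """Can this rule answer a query of type qtype, per the changelog?"""
    if rule.kind == "address-ip":
        # An address rule only matches queries of its own family.
        return qtype == ("AAAA" if ":" in rule.value else "A")
    if rule.kind == "address-zero":
        return qtype in ("A", "AAAA")
    return True  # no-address --address and every --server form cover all types


def in_domain(qname, domain):
    return domain == "" or qname == domain or qname.endswith("." + domain)


def resolve(rules, qname, qtype):
    """Pick the winning rule: most specific domain first (assumed, as in
    suffix matching), then the highest-priority kind among those rules."""
    matching = [r for r in rules if in_domain(qname, r.domain) and applies(r, qtype)]
    if not matching:
        return None
    longest = max(len(r.domain) for r in matching)
    same_domain = [r for r in matching if len(r.domain) == longest]
    return max(same_domain, key=lambda r: PRIORITY.index(r.kind))
```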