From: Brad Smith
Subject: Re: UPDATE: dnsmasq 2.92
To: ports@openbsd.org
Date: Sun, 1 Feb 2026 01:29:14 -0500

ping.

On 2026-01-15 12:16 p.m., Brad Smith wrote:
> Here is an update to dnsmasq 2.92.
>
>
> version 2.92
> Redesign the interaction between DNSSEC validation and per-domain
> servers, specified as --server=//. This should
> just work in all cases now. If the normal chain-of-trust exists into
> the delegated domain then whether the domain is signed or not, DNSSEC
> validation will function normally. In the case the delegated domain
> is an "overlay" on top of the global DNS and no NS and/or DS records
> exist connecting it to the global dns, then if the domain is
> unsigned the situation will be handled by synthesising a
> proof-of-non-existence-of-DS for the domain and queries will be
> answered unvalidated; this action will be logged. A signed domain
> without chain-of-trust can be validated if a suitable trust-anchor
> is provided using --trust-anchor. This change should be backwards
> compatible for all existing working configurations; it extends the
> space of possible configurations which are functional.
>
> Fix a couple of problems with DNSSEC validation and DNAME. One
> could cause validation failure on correct domains, and the other
> would fail to spot an invalid domain. Thanks to Graham Clinch
> for spotting the problem.
>
> Add --log-queries=auth option to only log replies from the auth DNS
> facility.
>
> Fix some edge-cases with domains and --address and --server. There
> have been some regressions with this in previous releases. This change
> fixes the priority order from lower to highest as:
> --address with an IPv4 or IPv6 address (as long as the query matches the type)
> --address with # for all-zeros (as long as the query is A or AAAA)
> --address with no address, which returns NXDOMAIN or NOERROR for all types.
> --server with address set to # to use the unqualified servers.
> --server with matching domain.
> --server without domain or from /etc/resolv.conf.
>
> Fix problems with ipset or nftset and TCP DNS transport. Previously
> this was racy, and insertion of addresses could fail on a busy server
> when DNS-over-TCP transport was involved.
>
> DNSSEC validation change for reverse lookups in RFC-1918 ranges and friends.
> The large public DNS services seem not to return proof-of-nonexistence
> for DS records at the start of RFC-1918 in-addr.arpa domains and their
> IPv6 equivalents. 10.in-addr.arpa, 168.192.in-addr.arpa etc.
> Since dnsmasq already has an option which instructs it not to bother
> upstream servers with pointless queries about these address ranges,
> namely --bogus-priv, we extend that to enable behaviour which allows
> dnsmasq to assume that insecure NXDOMAIN replies for these domains
> are expected and to assume that the domains are legitimately unsigned.
> This behaviour only matters when some address range is directed to
> another upstream server using --rev-server. In that case it allows
> replies from that server to pass DNSSEC validation. Without such a
> server configured, queries are never sent upstream so they are never
> validated and the new behaviour is moot.
>
> Add support for leasequery to the dnsmasq DHCPv4 server.
> This has to be specifically enabled with the --leasequery option.
> Many thanks to JAXPORT, Jacksonville Port Authority for sponsoring
> this enhancement to dnsmasq.
>
> Fix failure to cache PTR RRs when a reply contains more than one answer.
> Thanks to Dmitry for spotting this.
>
> Add TFTP options windowsize (RFC 7440) and timeout (RFC 2349).
>
> Change the behaviour of the DHCPv6 server when a REBIND message
> is received but no lease exists. Under these circumstances a new
> lease is created _only_ when the --dhcp-authoritative option is
> set. This matches the behavior of the DHCPv4 server.
>
> Add --dhcp-split-relay option. This makes a DHCPv4 relay which
> is functional when client and server networks aren't mutually
> route-able.
>
> Fix failure to add client MAC address to queries in TCP mode.
> The options which cause dnsmasq to decorate a DNS query with the MAC
> address on the originating client can fail when the query is sent
> using TCP. Thanks to Bruno Ravara for spotting and
> characterising this bug.
>
>
> Index: Makefile > =================================================================== > RCS file: /cvs/ports/net/dnsmasq/Makefile,v > retrieving revision 1.70 > diff -u -p -u -p -r1.70 Makefile > --- Makefile 21 Mar 2025 11:59:14 -0000 1.70 > +++ Makefile 15 Jan 2026 17:12:40 -0000 > @@ -1,6 +1,6 @@ > COMMENT= lightweight caching DNS forwarder, DHCP and TFTP server > > -DISTNAME= dnsmasq-2.91 > +DISTNAME= dnsmasq-2.92 > CATEGORIES= net > SITES= https://thekelleys.org.uk/dnsmasq/ > EXTRACT_SUFX= .tar.xz > Index: distinfo > =================================================================== > RCS file: /cvs/ports/net/dnsmasq/distinfo,v > retrieving revision 1.46 > diff -u -p -u -p -r1.46 distinfo > --- distinfo 21 Mar 2025 11:59:14 -0000 1.46 > +++ distinfo 15 Jan 2026 17:12:40 -0000 > @@ -1,2 +1,2 @@ > -SHA256 (dnsmasq-2.91.tar.xz) = 9iJoKEizNnetsratCCZGGKKuCgHaSGqT/YzZEYaz0VM= > -SIZE (dnsmasq-2.91.tar.xz) = 576820 > +SHA256 (dnsmasq-2.92.tar.xz) = S/UMLBAY+fvCYDffUbkOzqDLc9RhYoRnY7kt8NbDpFg= > +SIZE (dnsmasq-2.92.tar.xz) = 637752 > Index: patches/patch-man_dnsmasq_8 > =================================================================== > RCS file: /cvs/ports/net/dnsmasq/patches/patch-man_dnsmasq_8,v > retrieving revision 1.35 > diff -u -p -u -p -r1.35 patch-man_dnsmasq_8 > --- patches/patch-man_dnsmasq_8 21 Mar 2025 11:59:14 -0000 1.35 > +++ patches/patch-man_dnsmasq_8 15 Jan 2026 17:12:40 -0000
> @@ -1,7 +1,7 @@ > Index: man/dnsmasq.8 > --- man/dnsmasq.8.orig > +++ man/dnsmasq.8 > -@@ -167,13 +167,12 @@ Specify an alternate path for dnsmasq to record its pr > +@@ -168,13 +168,12 @@ Specify an alternate path for dnsmasq to record its pr > .TP > .B \-u, --user= > Specify the userid to which dnsmasq will change after startup. Dnsmasq must normally be started as root, but it will drop root > @@ -17,7 +17,7 @@ Index: man/dnsmasq.8 > .TP > .B \-v, --version > Print the version number. > -@@ -2294,7 +2293,7 @@ handle each TCP request. The default maximum is 20. > +@@ -2337,7 +2336,7 @@ handle each TCP request. The default maximum is 20. > > .SH CONFIG FILE > At startup, dnsmasq reads > @@ -26,7 +26,7 @@ Index: man/dnsmasq.8 > if it exists. (On > FreeBSD, the file is > .I /usr/local/etc/dnsmasq.conf > -@@ -2763,7 +2762,7 @@ dnsmasq has no direct way of determining the charset i > +@@ -2806,7 +2805,7 @@ dnsmasq has no direct way of determining the charset i > assume that it is the system default. > > .SH FILES > Index: patches/patch-src_config_h > =================================================================== > RCS file: /cvs/ports/net/dnsmasq/patches/patch-src_config_h,v > retrieving revision 1.31 > diff -u -p -u -p -r1.31 patch-src_config_h > --- patches/patch-src_config_h 21 Mar 2025 11:59:14 -0000 1.31 > +++ patches/patch-src_config_h 15 Jan 2026 17:12:40 -0000 > @@ -1,7 +1,7 @@ > Index: src/config.h > --- src/config.h.orig > +++ src/config.h > -@@ -48,8 +48,8 @@ > +@@ -49,8 +49,8 @@ > #define ETHERSFILE "/etc/ethers" > #define DEFLEASE 3600 /* default DHCPv4 lease time, one hour */ > #define DEFLEASE6 (3600*24) /* default lease time for DHCPv6. One day. */ 
> @@ -10,9 +10,9 @@ Index: src/config.h > +#define CHUSER "_dnsmasq" > +#define CHGRP "_dnsmasq" > #define TFTP_MAX_CONNECTIONS 50 /* max simultaneous connections */ > - #define LOG_MAX 5 /* log-queue length */ > - #define RANDFILE "/dev/urandom" > -@@ -218,7 +218,7 @@ RESOLVFILE > + #define TFTP_MAX_WINDOW 32 /* max window size to negotiate */ > + #define TFTP_TRANSFER_TIME 120 /* Abandon TFTP transfers after this long. Two mins. */ > +@@ -222,7 +222,7 @@ RESOLVFILE > # if defined(__FreeBSD__) > # define CONFFILE "/usr/local/etc/dnsmasq.conf" > # else
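Review bot: the distinfo hunk swaps in a new SHA256 and SIZE for dnsmasq-2.92.tar.xz, but nothing in the mail says how the new checksum was established, and that base64 SHA256 is the only integrity check the port performs at fetch time. Please state in the commit log that the tarball was fetched from the SITES value in the Makefile hunk (https://thekelleys.org.uk/dnsmasq/) and compared against upstream's published signature or an independent second download before `make makesum`, so a reviewer can tell a genuine release from a modified download.

Review bot: the patch-src_config_h hunk is a context-only refresh and looks correct, but say so in the commit message so nobody reads the new `+ #define TFTP_MAX_WINDOW 32` / `+ #define TFTP_TRANSFER_TIME 120` context lines as a port-side change. The port's actual edit is still only `+#define CHUSER "_dnsmasq"` and `+#define CHGRP "_dnsmasq"`; the context below it moved from LOG_MAX/RANDFILE to the two new TFTP defines (consistent with the windowsize/timeout entry in the changelog) and the second hunk shifted from line 218 to 222. The patch-man_dnsmasq_8 hunk is the same kind of offset-only refresh (167 to 168, 2294 to 2337, 2763 to 2806), with no wording change to the man page.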
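The three DNSSEC situations from the quoted changelog (unsigned overlay domain behind a per-domain server, signed domain with an explicit trust anchor, and an RFC 1918 reverse zone sent to a --rev-server with --bogus-priv) as an added dnsmasq.conf fragment; it is not from the port, the mail or upstream, and the domain names, the 192.0.2.x addresses, the trust-anchor fields and the conf-file path are placeholders.

```conf
# Added example; every name, address, path and key field below is a placeholder.
dnssec
# Root trust anchor: dnsmasq ships one in trust-anchors.conf, path is a placeholder.
conf-file=/path/to/trust-anchors.conf

# Case 1: unsigned "overlay" domain with no NS/DS records linking it to the global DNS.
# 2.92 synthesises the proof-of-non-existence-of-DS itself, answers unvalidated
# and logs that it did so; the changelog says this did not always work before.
server=/corp.example/192.0.2.53

# Case 2: a signed domain with no chain-of-trust from the root.
# Validation works only with an explicit anchor; fields after the domain are
# key-tag, algorithm, digest-type, digest (all placeholders here).
server=/signed.example/192.0.2.54
trust-anchor=signed.example,12345,13,2,PLACEHOLDER_DIGEST_HEX

# Case 3: private reverse zone answered by an internal resolver.
# With --rev-server set, 10.in-addr.arpa queries do go upstream; --bogus-priv now
# also tells the validator to treat the insecure NXDOMAIN for the zone's DS as
# expected, so those replies can pass validation instead of failing it.
bogus-priv
rev-server=10.0.0.0/8,192.0.2.53

# Keep query logging on while testing so the case-1 synthesis message can be
# matched against the forwarded queries it applies to.
log-queries
```

Without the rev-server line case 3 changes nothing, exactly as the changelog states: the private reverse queries are answered locally and never validated.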