- 18 Mar, 2017 2 commits
- 
- 
James Bottomley authoredThe man page says that we don't do DNSSEC on forwarded domains, but if you turn on dnssec_check_signatures this turns out to be untrue, because we try to build up a DS chain to them. Since forwarded domains are usually used for split DNS to hidden domains, they're unlikely to verify to the DNS root anyway, so the way to do DNSSEC for them (as the manual says) is to provide a trust anchor for each forwarder. The problem I've run into is a split DNS setup where I want DNSSEC to work mostly, but one of the forwarding domains doesn't have an internal DNSSEC capable resolver. Without this patch the entire domain goes unresolvable because the DS record query to the internal resolver returns a failure which is interpreted as the domain being BOGUS. The fix is not to do the DS record chase for forwarded domains. 
- 
Petr Menšík authored
 
- 
- 07 Mar, 2017 3 commits
- 
- 
Bert Gijsbers authored
- 
Olivier Gayot authoredThe rev-server directive only handles the following CIDR prefixes properly: /8, /16, /24, /32. Any other value was silently converted to /16 which could result in unexpected behaviour. This patch rejects any other value instead of making a silent conversion. 
- 
Olivier Gayot authored[ excerpt from the man page ] The rev-server directive provides a syntactic sugar to make specifying address-to-name queries easier. For example --rev-server=1.2.3.0/24,192.168.0.1 is exactly equivalent to --server=/3.2.1.in-addr.arpa/192.168.0.1 It is not mentioned in the man page but the only prefixes that the directive properly handles when dealing with IPv4 are /8, /16 and /24. Specifying anything else as the same effect as specifying /16. It is not a big deal for subnets on non-octet boundaries since they cannot be represented using a single in-addr.arpa address. However, it is unconvenient for /32 prefix while the analogous server directive behaves as expected. E.g. the following server directive work as expected: server=/42.10.168.192.in-addr.arpa/1.2.3.4 but the following does not: rev-server=192.168.10.42/32,1.2.3.4 and, in practice, the later behaves the same as: server=/168.192.in-addr.arpa/1.2.3.4 This strange behaviour is fixed by accepting /32 CIDR prefixes as a valid value. Any other value will still be considered the same as /16.
 
- 
- 01 Mar, 2017 2 commits
- 
- 
Simon Kelley authored
- 
Simon Kelley authored
 
- 
- 20 Feb, 2017 3 commits
- 
- 
Simon Kelley authoredA domain can only have a CNAME if it has not other records. Don't return a CNAME when there are records of other types on the name. 
- 
Simon Kelley authoredThanks to Federico Bianchi for reporting this. 
- 
Simon Kelley authored
 
- 
- 19 Feb, 2017 1 commit
- 
- 
klemens authored
 
- 
- 12 Feb, 2017 1 commit
- 
- 
Simon Kelley authored
 
- 
- 11 Feb, 2017 3 commits
- 
- 
Hannu Nyman authoredBy default 30 first servers are listed individually to system log, and then a count of the remaining items. With e.g. a NXDOMAIN based adblock service, dnsmasq lists 30 unnecessary ad sites every time when dnsmasq evaluates the list. But the actual nameservers in use are evaluated last and are not displayed as they get included in the "remaining items" total. Handle the "local addresses only" separately and list only a few of them. Remove the "local addresses only" from the general count. 
- 
Simon Kelley authored
- 
Simon Kelley authoredSpecifically, be prepared to open a new connection when we want to make multiple queries but the upstream server accepts fewer queries per connection. 
 
- 
- 07 Feb, 2017 2 commits
- 
- 
Baptiste Jonglez authoredThis effectively reverts most of 51967f98 ("SERVFAIL is an expected error return, don't try all servers.") and 4ace25c5 ("Treat REFUSED (not SERVFAIL) as an unsuccessful upstream response"). With the current behaviour, as soon as dnsmasq receives a SERVFAIL from an upstream server, it stops trying to resolve the query and simply returns SERVFAIL to the client. With this commit, dnsmasq will instead try to query other upstream servers upon receiving a SERVFAIL response. According to RFC 1034 and 1035, the semantic of SERVFAIL is that of a temporary error condition. Recursive resolvers are expected to encounter network or resources issues from time to time, and will respond with SERVFAIL in this case. Similarly, if a validating DNSSEC resolver [RFC 4033] encounters issues when checking signatures (unknown signing algorithm, missing signatures, expired signatures because of a wrong system clock, etc), it will respond with SERVFAIL. Note that all those behaviours are entirely different from a negative response, which would provide a definite indication that the requested name does not exist. In our case, if an upstream server responds with SERVFAIL, another upstream server may well provide a positive answer for the same query. Thus, this commit will increase robustness whenever some upstream servers encounter temporary issues or are misconfigured. Quoting RFC 1034, Section 4.3.1. "Queries and responses": If recursive service is requested and available, the recursive response to a query will be one of the following: - The answer to the query, possibly preface by one or more CNAME RRs that specify aliases encountered on the way to an answer. - A name error indicating that the name does not exist. This may include CNAME RRs that indicate that the original query name was an alias for a name which does not exist. - A temporary error indication. Here is Section 5.2.3. of RFC 1034, "Temporary failures": In a less than perfect world, all resolvers will occasionally be unable to resolve a particular request. This condition can be caused by a resolver which becomes separated from the rest of the network due to a link failure or gateway problem, or less often by coincident failure or unavailability of all servers for a particular domain. And finally, RFC 1035 specifies RRCODE 2 for this usage, which is now more widely known as SERVFAIL (RFC 1035, Section 4.1.1. "Header section format"): RCODE Response code - this 4 bit field is set as part of responses. The values have the following interpretation: (...) 2 Server failure - The name server was unable to process this query due to a problem with the name server. For the DNSSEC-related usage of SERVFAIL, here is RFC 4033 Section 5. "Scope of the DNSSEC Document Set and Last Hop Issues": A validating resolver can determine the following 4 states: (...) Insecure: The validating resolver has a trust anchor, a chain of trust, and, at some delegation point, signed proof of the non-existence of a DS record. This indicates that subsequent branches in the tree are provably insecure. A validating resolver may have a local policy to mark parts of the domain space as insecure. Bogus: The validating resolver has a trust anchor and a secure delegation indicating that subsidiary data is signed, but the response fails to validate for some reason: missing signatures, expired signatures, signatures with unsupported algorithms, data missing that the relevant NSEC RR says should be present, and so forth. (...) This specification only defines how security-aware name servers can signal non-validating stub resolvers that data was found to be bogus (using RCODE=2, "Server Failure"; see [RFC4035]). Notice the difference between a definite negative answer ("Insecure" state), and an indefinite error condition ("Bogus" state). The second type of error may be specific to a recursive resolver, for instance because its system clock has been incorrectly set, or because it does not implement newer cryptographic primitives. Another recursive resolver may succeed for the same query. There are other similar situations in which the specified behaviour is similar to the one implemented by this commit. For instance, RFC 2136 specifies the behaviour of a "requestor" that wants to update a zone using the DNS UPDATE mechanism. The requestor tries to contact all authoritative name servers for the zone, with the following behaviour specified in RFC 2136, Section 4: 4.6. If a response is received whose RCODE is SERVFAIL or NOTIMP, or if no response is received within an implementation dependent timeout period, or if an ICMP error is received indicating that the server's port is unreachable, then the requestor will delete the unusable server from its internal name server list and try the next one, repeating until the name server list is empty. If the requestor runs out of servers to try, an appropriate error will be returned to the requestor's caller. 
- 
Josh Soref authoredThanks to Josh Soref for generating these fixes. 
 
- 
- 03 Feb, 2017 1 commit
- 
- 
Simon Kelley authored
 
- 
- 27 Jan, 2017 1 commit
- 
- 
Simon Kelley authoredBug tickled by Nominum upstream when DNSSEC enabled, due to unusual order of RRs in reply from upstream server. 
 
- 
- 20 Jan, 2017 1 commit
- 
- 
Simon Kelley authored
 
- 
- 16 Jan, 2017 1 commit
- 
- 
Simon Kelley authored
 
- 
- 09 Jan, 2017 1 commit
- 
- 
Reiter Wolfgang authored
 
- 
- 02 Jan, 2017 2 commits
- 
- 
Simon Kelley authored
- 
 
- 
- 23 Dec, 2016 3 commits
- 
- 
ZHAO Yu authored
- 
Simon Kelley authored
- 
Simon Kelley authored
 
- 
- 15 Dec, 2016 1 commit
- 
- 
Simon Kelley authored
 
- 
- 14 Dec, 2016 1 commit
- 
- 
Simon Kelley authored
 
- 
- 10 Sep, 2016 1 commit
- 
- 
Kevin Darbyshire-Bryant authoredSome consider it good practice to obscure software version numbers to clients. Compiling with -DNO_ID removes the *.bind info structure. This includes: version, author, copyright, cachesize, cache insertions, evictions, misses & hits, auth & servers. 
 
- 
- 01 Sep, 2016 1 commit
- 
- 
Simon Kelley authored
 
- 
- 31 Aug, 2016 1 commit
- 
- 
Simon Kelley authored
 
- 
- 29 Aug, 2016 4 commits
- 
- 
Simon Kelley authored
- 
Peter Wu authoredManual page: clarify that the --address and --ipset options take one or more domains rather than just two. Clarify that --ipset puts addresses in all ipsets, it is not a 1:1 mapping from addresses. Also increase the width for options output in --help, some options were truncated leading to confusing output. Almost all options and descriptions are now within the 120 colums limit. 
- 
Beniamino Galvani authored(--server=1.2.3.4@eth0) when the named interface is destroyed and recreated in the kernel. 
- 
Simon Kelley authoredThis only makes sense for interfaces which we're configured to listen on. Thanks to Andrew Shadura for bug report. 
 
- 
- 14 Aug, 2016 2 commits
- 
- 
Simon Kelley authored
- 
Simon Kelley authored
 
- 
- 12 Aug, 2016 1 commit
- 
- 
Simon Kelley authored
 
- 
- 05 Aug, 2016 1 commit
- 
- 
Simon Kelley authored
 
- 
