I installed this package yesterday and dnsmasq broke a few minutes ago, after about 24 hours.
Strange thing: when I was using the servers you recommended (84.200.69.80, 84.200.70.40), I did not have any problems even though you have been updating very frequently. However, I reverted to the old DNS servers (209.244.0.3, 8.8.4.4), and in less than a few days (I think I did it with the 15th or 14th update) it broke again. Those servers are, respectively, resolver1.level3.net and one of the Google ones.
Let me know if you want me to use the 84 DNS servers. Hell, I may just decide to build my own caching DNS servers!!!
Rod
On 01/17/2016 08:30 AM, Matthias Fischer wrote:
Again, one late-coming patch (DNSSEC).
Download: http://people.ipfire.org/~mfischer/dnsmasq_275_2016_01_16 MD5: a266e4673ed7d218b0477c6b02e3ef4d
This is the compiled binary, nothing more is needed.
Copy it to '/usr/sbin'; stop 'dnsmasq' (/etc/init.d/dnsmasq stop); rename it (don't forget to back up the *old* version!); start 'dnsmasq' (/etc/init.d/dnsmasq start).
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
lfs/dnsmasq | 3 +- ...NSSEC_validation_with_private_DNS_servers.patch | 139 +++++++++++++++++++++ 2 files changed, 141 insertions(+), 1 deletion(-) create mode 100644 src/patches/dnsmasq/050-Complete_work_to_allow_DNSSEC_validation_with_private_DNS_servers.patch
diff --git a/lfs/dnsmasq b/lfs/dnsmasq
index bdfb1f8..4e5951f 100644
--- a/lfs/dnsmasq
+++ b/lfs/dnsmasq
@@ -1,7 +1,7 @@
 ###############################################################################
 # #
 # IPFire.org - A linux based firewall #
-# Copyright (C) 2015 Michael Tremer & Christian Schmidt #
+# Copyright (C) 2016 Michael Tremer & Christian Schmidt #
 # #
 # This program is free software: you can redistribute it and/or modify #
 # it under the terms of the GNU General Public License as published by #
@@ -122,6 +122,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/047-Fix_bad_cache-size_calculation_when_hosts-file_read_fails.patch
 cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/048-Disable_DNSSEC_for_server_domain_servers_unless_trust-anchor_provided.patch
 cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/049-arp_c_tidy_up.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/050-Complete_work_to_allow_DNSSEC_validation_with_private_DNS_servers.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch
cd $(DIR_APP) && sed -i src/config.h \
diff --git a/src/patches/dnsmasq/050-Complete_work_to_allow_DNSSEC_validation_with_private_DNS_servers.patch b/src/patches/dnsmasq/050-Complete_work_to_allow_DNSSEC_validation_with_private_DNS_servers.patch
new file mode 100644
index 0000000..b969eee
--- /dev/null
+++ b/src/patches/dnsmasq/050-Complete_work_to_allow_DNSSEC_validation_with_private_DNS_servers.patch
@@ -0,0 +1,139 @@
+From 92be34a4077672f592d47e2991b3530305517a28 Mon Sep 17 00:00:00 2001
+From: Simon Kelley simon@thekelleys.org.uk
+Date: Sat, 16 Jan 2016 18:39:54 +0000
+Subject: [PATCH] Complete work to allow DNSSEC validation with private DNS
- servers.
+---
- man/dnsmasq.8 | 5 ++++-
- src/forward.c | 34 +++++++++++++++++++++++++++++++---
- src/network.c | 33 +++++++++++++++++++--------------
- 3 files changed, 54 insertions(+), 18 deletions(-)
+diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
+index d51b10f..69acdae 100644
+--- a/man/dnsmasq.8
++++ b/man/dnsmasq.8
+@@ -405,7 +405,10 @@ xxx.internal.thekelleys.org.uk at 192.168.1.1 then giving the flag
- .B -S /internal.thekelleys.org.uk/192.168.1.1
- will send all queries for
- internal machines to that nameserver, everything else will go to the
+-servers in /etc/resolv.conf. An empty domain specification,
++servers in /etc/resolv.conf. DNSSEC validation is turned off for such
++private nameservers, UNLESS a
++.B --trust-anchor
++is specified for the domain in question. An empty domain specification,
- .B //
- has the special meaning of "unqualified names only" ie names without any
- dots in them. A non-standard port may be specified as
+diff --git a/src/forward.c b/src/forward.c
+index 11c0d45..c48fd75 100644
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -151,7 +151,7 @@ static unsigned int search_servers(time_t now, struct all_addr **addrpp, unsigne
hostname_isequal(matchstart, serv->domain) &&
(domainlen == 0 || namelen == domainlen || *(matchstart-1) == '.' ))
{
+- if (serv->flags & SERV_NO_REBIND)
++ if ((serv->flags & SERV_NO_REBIND) && norebind)
*norebind = 1;
else
{
+@@ -644,7 +644,7 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
return resize_packet(header, n, pheader, plen);
- /* Complain loudly if the upstream server is non-recursive. */
+- if (!(header->hb4 & HB4_RA) && RCODE(header) == NOERROR && ntohs(header->ancount) == 0 &&
++ if (!(header->hb4 & HB4_RA) && RCODE(header) == NOERROR &&
server && !(server->flags & SERV_WARNED_RECURSIVE))
{
prettyprint_addr(&server->addr, daemon->namebuff);
+@@ -923,12 +923,40 @@ void reply_query(int fd, int family, time_t now)
status = STAT_ABANDONED;
else
{
+- int fd;
++ int fd, type;
struct frec *next = new->next;
++ char *domain;
++
*new = *forward; /* copy everything, then overwrite */
new->next = next;
new->blocking_query = NULL;
++
++ /* Find server to forward to. This will normally be the
++ same as for the original query, but may be another if
++ servers for domains are involved. */
++ if (search_servers(now, NULL, F_QUERY, daemon->keyname, &type, &domain, NULL) == 0)
++ {
++ struct server *start = server;
++ type &= ~SERV_DO_DNSSEC;
++
++ while (1)
++ {
++ if (type == (start->flags & SERV_TYPE) &&
++ (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) &&
++ !(start->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)))
++ {
++ server = start;
++ break;
++ }
++
++ if (!(start = start->next))
++ start = daemon->servers;
++ if (start == server)
++ break;
++ }
++ }
new->sentto = server;
++
new->rfd4 = NULL;
- #ifdef HAVE_IPV6
new->rfd6 = NULL;
+diff --git a/src/network.c b/src/network.c
+index 303ae50..5451c6c 100644
+--- a/src/network.c
++++ b/src/network.c
+@@ -1442,20 +1442,25 @@ void check_servers(void)
if (!(serv->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR | SERV_USE_RESOLV | SERV_NO_REBIND)))
- {
- #ifdef HAVE_DNSSEC
+- if (option_bool(OPT_DNSSEC_VALID) && (serv->flags & SERV_HAS_DOMAIN))
+- {
+- struct ds_config *ds;
+- char *domain = serv->domain;
+-
+- /* .example.com is valid */
+- while (*domain == '.')
+- domain++;
+-
+- for (ds = daemon->ds; ds; ds = ds->next)
+- if (ds->name[0] != 0 && hostname_isequal(domain, ds->name))
+- break;
+-
+- if (!ds)
++ if (option_bool(OPT_DNSSEC_VALID))
++ {
++ if (serv->flags & SERV_HAS_DOMAIN)
++ {
++ struct ds_config *ds;
++ char *domain = serv->domain;
++
++ /* .example.com is valid */
++ while (*domain == '.')
++ domain++;
++
++ for (ds = daemon->ds; ds; ds = ds->next)
++ if (ds->name[0] != 0 && hostname_isequal(domain, ds->name))
++ break;
++
++ if (!ds)
++ serv->flags &= ~SERV_DO_DNSSEC;
++ }
++ else if (serv->flags & SERV_FOR_NODOTS)
serv->flags &= ~SERV_DO_DNSSEC;
}
- #endif
+--
+1.7.10.4
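Review bot: The new call in reply_query passes NULL for both the addrpp and norebind arguments of search_servers, but the patch only guards the norebind dereference (`if ((serv->flags & SERV_NO_REBIND) && norebind)`); search_servers' body lies outside the hunk, so confirm that every write through addrpp is guarded the same way before the key-fetch path can take it. In the same reply_query block, `domain` is declared without an initializer and is read only behind the `type != SERV_HAS_DOMAIN ||` short-circuit, which relies on search_servers having set it whenever it reports SERV_HAS_DOMAIN; `char *domain = NULL;` makes that dependency harmless if the contract ever changes. The server-walk loop also dereferences `start` (initialised from `server`) before any NULL test, which presumably holds because reply_query identified `server` earlier, but that code is not in the hunk. reply_query itself starts and ends outside the hunk.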