ping.
On 2026-01-15 12:16 p.m., Brad Smith wrote:
> Here is an update to dnsmasq 2.92.
>
>
> version 2.92
> Redesign the interaction between DNSSEC validation and per-domain
> servers, specified as --server=/<domain>/<ip-address>. This should
> just work in all cases now. If the normal chain-of-trust exists into
> the delegated domain then whether the domain is signed or not, DNSSEC
> validation will function normally. In the case the delegated domain
> is an "overlay" on top of the global DNS and no NS and/or DS records
> exist connecting it to the global DNS, then if the domain is
> unsigned the situation will be handled by synthesising a
> proof-of-non-existence-of-DS for the domain and queries will be
> answered unvalidated; this action will be logged. A signed domain
> without chain-of-trust can be validated if a suitable trust-anchor
> is provided using --trust-anchor. This change should be backwards
> compatible for all existing working configurations; it extends the
> space of possible configurations which are functional.
>
> Fix a couple of problems with DNSSEC validation and DNAME. One
> could cause validation failure on correct domains, and the other
> would fail to spot an invalid domain. Thanks to Graham Clinch
> for spotting the problem.
>
> Add --log-queries=auth option to only log replies from the auth DNS
> facility.
>
> Fix some edge-cases with domains and --address and --server. There
> have been some regressions with this in previous releases. This change
> fixes the priority order from lowest to highest as:
> --address with an IPv4 or IPv6 address (as long as the query matches the type)
> --address with # for all-zeros (as long as the query is A or AAAA)
> --address with no address, which returns NXDOMAIN or NOERROR for all types.
> --server with address set to # to use the unqualified servers.
> --server with matching domain.
> --server without domain or from /etc/resolv.conf.
>
> Fix problems with ipset or nftset and TCP DNS transport. Previously
> this was racy, and insertion of addresses could fail on a busy server
> when DNS-over-TCP transport was involved.
>
> DNSSEC validation change for reverse lookups in RFC-1918 ranges and friends.
> The large public DNS services seem not to return proof-of-nonexistence
> for DS records at the start of RFC-1918 in-addr.arpa domains and their
> IPv6 equivalents. 10.in-addr.arpa, 168.192.in-addr.arpa etc.
> Since dnsmasq already has an option which instructs it not to bother
> upstream servers with pointless queries about these address ranges,
> namely --bogus-priv, we extend that to enable behaviour which allows
> dnsmasq to assume that insecure NXDOMAIN replies for these domains
> are expected and to assume that the domains are legitimately unsigned.
> This behaviour only matters when some address range is directed to
> another upstream server using --rev-server. In that case it allows
> replies from that server to pass DNSSEC validation. Without such a
> server configured, queries are never sent upstream so they are never
> validated and the new behaviour is moot.
>
> Add support for leasequery to the dnsmasq DHCPv4 server.
> This has to be specifically enabled with the --leasequery option.
> Many thanks to JAXPORT, Jacksonville Port Authority for sponsoring
> this enhancement to dnsmasq.
>
> Fix failure to cache PTR RRs when a reply contains more than one answer.
> Thanks to Dmitry for spotting this.
>
> Add TFTP options windowsize (RFC 7440) and timeout (RFC 2349).
>
> Change the behaviour of the DHCPv6 server when a REBIND message
> is received but no lease exists. Under these circumstances a new
> lease is created _only_ when the --dhcp-authoritative option is
> set. This matches the behaviour of the DHCPv4 server.
>
> Add --dhcp-split-relay option. This makes a DHCPv4 relay which
> is functional when client and server networks aren't mutually
> routable.
>
> Fix failure to add client MAC address to queries in TCP mode.
> The options which cause dnsmasq to decorate a DNS query with the MAC
> address on the originating client can fail when the query is sent
> using TCP. Thanks to Bruno Ravara for spotting and
> characterising this bug.
>
>
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/net/dnsmasq/Makefile,v
> retrieving revision 1.70
> diff -u -p -u -p -r1.70 Makefile
> --- Makefile 21 Mar 2025 11:59:14 -0000 1.70
> +++ Makefile 15 Jan 2026 17:12:40 -0000
> @@ -1,6 +1,6 @@
> COMMENT= lightweight caching DNS forwarder, DHCP and TFTP server
>
> -DISTNAME= dnsmasq-2.91
> +DISTNAME= dnsmasq-2.92
> CATEGORIES= net
> SITES= https://thekelleys.org.uk/dnsmasq/
> EXTRACT_SUFX= .tar.xz
> Index: distinfo
> ===================================================================
> RCS file: /cvs/ports/net/dnsmasq/distinfo,v
> retrieving revision 1.46
> diff -u -p -u -p -r1.46 distinfo
> --- distinfo 21 Mar 2025 11:59:14 -0000 1.46
> +++ distinfo 15 Jan 2026 17:12:40 -0000
> @@ -1,2 +1,2 @@
> -SHA256 (dnsmasq-2.91.tar.xz) = 9iJoKEizNnetsratCCZGGKKuCgHaSGqT/YzZEYaz0VM=
> -SIZE (dnsmasq-2.91.tar.xz) = 576820
> +SHA256 (dnsmasq-2.92.tar.xz) = S/UMLBAY+fvCYDffUbkOzqDLc9RhYoRnY7kt8NbDpFg=
> +SIZE (dnsmasq-2.92.tar.xz) = 637752
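Review bot: the new SHA256 and SIZE lines for dnsmasq-2.92.tar.xz are the only integrity check the ports fetch performs on the tarball, so before commit please confirm the checksum was computed on a tarball verified against the upstream-published signature rather than taken from a mirror alone; a one-line mention in the commit log that the signature was checked would make that traceable for anyone auditing this bump later.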
> Index: patches/patch-man_dnsmasq_8
> ===================================================================
> RCS file: /cvs/ports/net/dnsmasq/patches/patch-man_dnsmasq_8,v
> retrieving revision 1.35
> diff -u -p -u -p -r1.35 patch-man_dnsmasq_8
> --- patches/patch-man_dnsmasq_8 21 Mar 2025 11:59:14 -0000 1.35
> +++ patches/patch-man_dnsmasq_8 15 Jan 2026 17:12:40 -0000
> @@ -1,7 +1,7 @@
> Index: man/dnsmasq.8
> --- man/dnsmasq.8.orig
> +++ man/dnsmasq.8
> -@@ -167,13 +167,12 @@ Specify an alternate path for dnsmasq to record its pr
> +@@ -168,13 +168,12 @@ Specify an alternate path for dnsmasq to record its pr
> .TP
> .B \-u, --user=<username>
> Specify the userid to which dnsmasq will change after startup. Dnsmasq must normally be started as root, but it will drop root
> @@ -17,7 +17,7 @@ Index: man/dnsmasq.8
> .TP
> .B \-v, --version
> Print the version number.
> -@@ -2294,7 +2293,7 @@ handle each TCP request. The default maximum is 20.
> +@@ -2337,7 +2336,7 @@ handle each TCP request. The default maximum is 20.
>
> .SH CONFIG FILE
> At startup, dnsmasq reads
> @@ -26,7 +26,7 @@ Index: man/dnsmasq.8
> if it exists. (On
> FreeBSD, the file is
> .I /usr/local/etc/dnsmasq.conf
> -@@ -2763,7 +2762,7 @@ dnsmasq has no direct way of determining the charset i
> +@@ -2806,7 +2805,7 @@ dnsmasq has no direct way of determining the charset i
> assume that it is the system default.
>
> .SH FILES
> Index: patches/patch-src_config_h
> ===================================================================
> RCS file: /cvs/ports/net/dnsmasq/patches/patch-src_config_h,v
> retrieving revision 1.31
> diff -u -p -u -p -r1.31 patch-src_config_h
> --- patches/patch-src_config_h 21 Mar 2025 11:59:14 -0000 1.31
> +++ patches/patch-src_config_h 15 Jan 2026 17:12:40 -0000
> @@ -1,7 +1,7 @@
> Index: src/config.h
> --- src/config.h.orig
> +++ src/config.h
> -@@ -48,8 +48,8 @@
> +@@ -49,8 +49,8 @@
> #define ETHERSFILE "/etc/ethers"
> #define DEFLEASE 3600 /* default DHCPv4 lease time, one hour */
> #define DEFLEASE6 (3600*24) /* default lease time for DHCPv6. One day. */
> @@ -10,9 +10,9 @@ Index: src/config.h
> +#define CHUSER "_dnsmasq"
> +#define CHGRP "_dnsmasq"
> #define TFTP_MAX_CONNECTIONS 50 /* max simultaneous connections */
> - #define LOG_MAX 5 /* log-queue length */
> - #define RANDFILE "/dev/urandom"
> -@@ -218,7 +218,7 @@ RESOLVFILE
> + #define TFTP_MAX_WINDOW 32 /* max window size to negotiate */
> + #define TFTP_TRANSFER_TIME 120 /* Abandon TFTP transfers after this long. Two mins. */
> +@@ -222,7 +222,7 @@ RESOLVFILE
> # if defined(__FreeBSD__)
> # define CONFFILE "/usr/local/etc/dnsmasq.conf"
> # else
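Review bot: the refreshed context in this hunk replaces the LOG_MAX and RANDFILE lines with two new upstream defaults, TFTP_MAX_WINDOW 32 and TFTP_TRANSFER_TIME 120, that arrive with the TFTP windowsize (RFC 7440) and timeout (RFC 2349) support listed in the changelog; the port patch keeps upstream's values, which looks right, but the commit message should say that the port's TFTP server now negotiates window sizes, since operators who expose TFTP will want to re-check that behaviour after the update rather than discover it from the diff.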