import dnsmasq-2.85-3.el9

.dnsmasq.metadata

@@ -0,0 +1 @@
+256ec628587ab2b20bba3fc2773046dab8f2874c SOURCES/dnsmasq-2.85.tar.xz

.gitignore

@@ -0,0 +1 @@
+SOURCES/dnsmasq-2.85.tar.xz

SOURCES/dnsmasq-2.77-underflow.patch

@@ -0,0 +1,64 @@
+From 684bede049a006a0a47ce88f017ada9f73bf4430 Mon Sep 17 00:00:00 2001
+From: Doran Moppert <dmoppert@redhat.com>
+Date: Tue, 26 Sep 2017 14:48:20 +0930
+Subject: [PATCH] google patch hand-applied
+
+---
+ src/edns0.c   | 10 +++++-----
+ src/forward.c |  4 ++++
+ src/rfc1035.c |  3 +++
+ 3 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/src/edns0.c b/src/edns0.c
+index d75d3cc..7d8cf7f 100644
+--- a/src/edns0.c
++++ b/src/edns0.c
+@@ -212,11 +212,11 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
+       /* Copy back any options */
+       if (buff)
+ 	{
+-          if (p + rdlen > limit)
+-          {
+-            free(buff);
+-            return plen; /* Too big */
+-          }
++	  if (p + rdlen > limit)
++	  {
++	    free(buff);
++	    return plen; /* Too big */
++	  }
+ 	  memcpy(p, buff, rdlen);
+ 	  free(buff);
+ 	  p += rdlen;
+diff --git a/src/forward.c b/src/forward.c
+index ed9c8f6..77059ed 100644
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -1542,6 +1542,10 @@ void receive_query(struct listener *listen, time_t now)
+ 	udp_size = PACKETSZ; /* Sanity check - can't reduce below default. RFC 6891 6.2.3 */
+     }
+ 
++  // Make sure the udp size is not smaller than the incoming message so that we
++  // do not underflow
++  if (udp_size < n) udp_size = n;
++
+ #ifdef HAVE_AUTH
+   if (auth_dns)
+     {
+diff --git a/src/rfc1035.c b/src/rfc1035.c
+index f1edc45..15041cc 100644
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -1326,6 +1326,9 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
+   size_t len;
+   int rd_bit = (header->hb3 & HB3_RD);
+ 
++  // Make sure we do not underflow here too.
++  if (qlen > (limit - ((char *)header))) return 0;
++
+   /* never answer queries with RD unset, to avoid cache snooping. */
+   if (ntohs(header->ancount) != 0 ||
+       ntohs(header->nscount) != 0 ||
+-- 
+2.21.1
+

SOURCES/dnsmasq-2.78-fips.patch

@@ -0,0 +1,37 @@
+From 7b1cce1d0bdb61c09946978d4bdeb05a3cd4202a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Fri, 2 Mar 2018 13:17:04 +0100
+Subject: [PATCH] Print warning on FIPS machine with dnssec enabled. Dnsmasq
+ has no proper FIPS 140-2 compliant implementation.
+
+---
+ src/dnsmasq.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/dnsmasq.c b/src/dnsmasq.c
+index 480c5f9..5fd229e 100644
+--- a/src/dnsmasq.c
++++ b/src/dnsmasq.c
+@@ -187,6 +187,7 @@ int main (int argc, char **argv)
+       
+       if (daemon->cachesize < CACHESIZ)
+ 	die(_("cannot reduce cache size from default when DNSSEC enabled"), NULL, EC_BADCONF);
++           
+ #else 
+       die(_("DNSSEC not available: set HAVE_DNSSEC in src/config.h"), NULL, EC_BADCONF);
+ #endif
+@@ -786,7 +787,10 @@ int main (int argc, char **argv)
+ 	my_syslog(LOG_INFO, _("DNSSEC validation enabled but all unsigned answers are trusted"));
+       else
+ 	my_syslog(LOG_INFO, _("DNSSEC validation enabled"));
+-      
++
++      if (access("/etc/system-fips", F_OK) == 0)
++        my_syslog(LOG_WARNING, _("DNSSEC support is not FIPS 140-2 compliant"));
++
+       daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME);
+       if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future)
+ 	my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until receipt of SIGINT"));
+-- 
+2.14.4
+

SOURCES/dnsmasq-2.79-server-domain-rh1919894.patch

@@ -0,0 +1,471 @@
+From 5747d7b3dffdcd45d4410bb380e466818734cb27 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Mon, 19 Apr 2021 13:56:23 +0200
+Subject: [PATCH] Use load-balancing also for --server=/domains/
+
+Do not (yet) move servers to server_domain structure. Instead use
+separate server_domains to store just last_server and requests count and
+time.
+
+Introduces domain information duplicity, but minimizes required changes
+to daemon->servers usage.
+
+Optimize server domain record
+
+Set pointer to domain record when struct server is created. When
+searching for domain pointer, use this pointer to make it quick.
+---
+ src/dnsmasq.h |  18 +++++++--
+ src/forward.c |  52 ++++++++++++++++----------
+ src/network.c | 101 ++++++++++++++++++++++++++++++++++++++++++++++----
+ src/option.c  |   5 +++
+ 4 files changed, 146 insertions(+), 30 deletions(-)
+
+diff --git a/src/dnsmasq.h b/src/dnsmasq.h
+index 1e21005..b6dcc50 100644
+--- a/src/dnsmasq.h
++++ b/src/dnsmasq.h
+@@ -559,6 +559,17 @@ struct randfd_list {
+   struct randfd_list *next;
+ };
+ 
++/* contains domain specific set of servers.
++ * If domain is NULL, just normal servers. */
++struct server_domain {
++  char *domain;
++  struct server *last_server;
++  time_t forwardtime;
++  int forwardcount;
++  unsigned int flags; /* server.flags alternative */
++  struct server_domain *next;
++};
++
+ struct server {
+   union mysockaddr addr, source_addr;
+   char interface[IF_NAMESIZE+1];
+@@ -571,6 +582,7 @@ struct server {
+ #ifdef HAVE_LOOP
+   u32 uid;
+ #endif
++  struct server_domain *serv_domain;
+   struct server *next; 
+ };
+ 
+@@ -1053,6 +1065,7 @@ extern struct daemon {
+   struct iname *if_names, *if_addrs, *if_except, *dhcp_except, *auth_peers, *tftp_interfaces;
+   struct bogus_addr *bogus_addr, *ignore_addr;
+   struct server *servers;
++  struct server_domain *server_domains;
+   struct ipsets *ipsets;
+   int log_fac; /* log facility */
+   char *log_file; /* optional log file */
+@@ -1121,9 +1134,6 @@ extern struct daemon {
+   struct serverfd *sfds;
+   struct irec *interfaces;
+   struct listener *listeners;
+-  struct server *last_server;
+-  time_t forwardtime;
+-  int forwardcount;
+   struct server *srv_save; /* Used for resend on DoD */
+   size_t packet_len;       /*      "        "        */
+   int    fd_save;          /*      "        "        */
+@@ -1394,6 +1404,8 @@ int label_exception(int index, int family, union all_addr *addr);
+ int fix_fd(int fd);
+ int tcp_interface(int fd, int af);
+ int set_ipv6pktinfo(int fd);
++struct server_domain *server_domain_find_domain(const char *domain);
++struct server_domain *server_domain_new(struct server *serv);
+ #ifdef HAVE_DHCP6
+ void join_multicast(int dienow);
+ #endif
+diff --git a/src/forward.c b/src/forward.c
+index 9322b6a..b09dc96 100644
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -107,7 +107,8 @@ int send_from(int fd, int nowild, char *packet, size_t len,
+ }
+           
+ static unsigned int search_servers(time_t now, union all_addr **addrpp, unsigned int qtype,
+-				   char *qdomain, int *type, char **domain, int *norebind)
++				   char *qdomain, int *type, char **domain, int *norebind,
++				   struct server_domain **serv_domain)
+ 			      
+ {
+   /* If the query ends in the domain in one of our servers, set
+@@ -120,6 +121,9 @@ static unsigned int search_servers(time_t now, union all_addr **addrpp, unsigned
+   unsigned int flags = 0;
+   static union all_addr zero;
+   
++  if (serv_domain)
++    *serv_domain = NULL;
++
+   for (serv = daemon->servers; serv; serv=serv->next)
+     if (qtype == F_DNSSECOK && !(serv->flags & SERV_DO_DNSSEC))
+       continue;
+@@ -187,6 +191,8 @@ static unsigned int search_servers(time_t now, union all_addr **addrpp, unsigned
+ 		  {
+ 		    *type = serv->flags & (SERV_HAS_DOMAIN | SERV_USE_RESOLV | SERV_NO_REBIND | SERV_DO_DNSSEC);
+ 		    *domain = serv->domain;
++		    if (serv_domain)
++		      *serv_domain = serv->serv_domain;
+ 		    matchlen = domainlen;
+ 		    if (serv->flags & SERV_NO_ADDR)
+ 		      flags = F_NXDOMAIN;
+@@ -243,6 +249,8 @@ static unsigned int search_servers(time_t now, union all_addr **addrpp, unsigned
+       *type = 0; /* use normal servers for this domain */
+       *domain = NULL;
+     }
++  if (serv_domain && !*serv_domain)
++    *serv_domain = server_domain_find_domain(*domain);
+   return  flags;
+ }
+ 
+@@ -304,6 +312,7 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
+   unsigned int flags = 0;
+   unsigned int fwd_flags = 0;
+   struct server *start = NULL;
++  struct server_domain *sd = NULL;
+   void *hash = hash_questions(header, plen, daemon->namebuff);
+ #ifdef HAVE_DNSSEC
+   int do_dnssec = 0;
+@@ -422,8 +431,10 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
+       forward->sentto->failed_queries++;
+       if (!option_bool(OPT_ORDER) && old_src)
+ 	{
++	  sd = forward->sentto->serv_domain;
+ 	  forward->forwardall = 1;
+-	  daemon->last_server = NULL;
++	  if (sd)
++	    sd->last_server = NULL;
+ 	}
+       type = forward->sentto->flags & SERV_TYPE;
+ #ifdef HAVE_DNSSEC
+@@ -439,8 +450,8 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
+       /* new query */
+ 
+       if (gotname)
+-	flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
+-      
++	flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind, &sd);
++
+ #ifdef HAVE_DNSSEC
+       do_dnssec = type & SERV_DO_DNSSEC;
+ #endif
+@@ -482,18 +493,18 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
+ 	     always try all the available servers,
+ 	     otherwise, use the one last known to work. */
+ 	  
+-	  if (type == 0)
++	  if (sd)
+ 	    {
+ 	      if (option_bool(OPT_ORDER))
+ 		start = daemon->servers;
+-	      else if (!(start = daemon->last_server) ||
+-		       daemon->forwardcount++ > FORWARD_TEST ||
+-		       difftime(now, daemon->forwardtime) > FORWARD_TIME)
++	      else if (!(start = sd->last_server) ||
++		       sd->forwardcount++ > FORWARD_TEST ||
++		       difftime(now, sd->forwardtime) > FORWARD_TIME)
+ 		{
+ 		  start = daemon->servers;
+ 		  forward->forwardall = 1;
+-		  daemon->forwardcount = 0;
+-		  daemon->forwardtime = now;
++		  sd->forwardcount = 0;
++		  sd->forwardtime = now;
+ 		}
+ 	    }
+ 	  else
+@@ -844,6 +855,7 @@ void reply_query(int fd, time_t now)
+   size_t nn;
+   struct server *server;
+   void *hash;
++  struct server_domain *sd;
+ 
+   /* packet buffer overwritten */
+   daemon->srv_save = NULL;
+@@ -968,7 +980,8 @@ void reply_query(int fd, time_t now)
+     }   
+    
+   server = forward->sentto;
+-  if ((forward->sentto->flags & SERV_TYPE) == 0)
++  sd = server->serv_domain;
++  if (sd)
+     {
+       if (RCODE(header) == REFUSED)
+ 	server = NULL;
+@@ -986,7 +999,7 @@ void reply_query(int fd, time_t now)
+ 	      }
+ 	} 
+       if (!option_bool(OPT_ALL_SERVERS))
+-	daemon->last_server = server;
++	sd->last_server = server;
+     }
+  
+   /* We tried resending to this server with a smaller maximum size and got an answer.
+@@ -1093,7 +1106,7 @@ void reply_query(int fd, time_t now)
+ 		      /* Find server to forward to. This will normally be the 
+ 			 same as for the original query, but may be another if
+ 			 servers for domains are involved. */		      
+-		      if (search_servers(now, NULL, F_DNSSECOK, daemon->keyname, &type, &domain, NULL) == 0)
++		      if (search_servers(now, NULL, F_DNSSECOK, daemon->keyname, &type, &domain, NULL, &sd) == 0)
+ 			{
+ 			  struct server *start, *new_server = NULL;
+ 			  start = server = forward->sentto;
+@@ -1664,7 +1677,7 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
+       /* Find server to forward to. This will normally be the 
+ 	 same as for the original query, but may be another if
+ 	 servers for domains are involved. */		      
+-      if (search_servers(now, NULL, F_DNSSECOK, keyname, &type, &domain, NULL) != 0)
++      if (search_servers(now, NULL, F_DNSSECOK, keyname, &type, &domain, NULL, NULL) != 0)
+ 	{
+ 	  new_status = STAT_ABANDONED;
+ 	  break;
+@@ -1944,12 +1957,13 @@ unsigned char *tcp_request(int confd, time_t now,
+ 	      union all_addr *addrp = NULL;
+ 	      int type = SERV_DO_DNSSEC;
+ 	      char *domain = NULL;
++	      struct server_domain *sd = NULL;
+ 	      unsigned char *oph = find_pseudoheader(header, size, NULL, NULL, NULL, NULL);
+ 
+ 	      size = add_edns0_config(header, size, ((unsigned char *) header) + 65536, &peer_addr, now, &check_subnet, &cacheable);
+ 
+ 	      if (gotname)
+-		flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
++		flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind, &sd);
+ 
+ #ifdef HAVE_DNSSEC
+ 	      if (option_bool(OPT_DNSSEC_VALID) && (type & SERV_DO_DNSSEC))
+@@ -1970,10 +1984,10 @@ unsigned char *tcp_request(int confd, time_t now,
+ 
+ 	      type &= ~SERV_DO_DNSSEC;
+ 	      
+-	      if (type != 0  || option_bool(OPT_ORDER) || !daemon->last_server)
++	      if (!sd  || option_bool(OPT_ORDER) || !sd->last_server)
+ 		last_server = daemon->servers;
+ 	      else
+-		last_server = daemon->last_server;
++		last_server = sd->last_server;
+ 	      
+ 	      if (!flags && last_server)
+ 		{
+@@ -2567,9 +2581,7 @@ void server_gone(struct server *server)
+     if (daemon->randomsocks[i].refcount != 0 && daemon->randomsocks[i].serv == server)
+       daemon->randomsocks[i].serv = NULL;
+   
+-  if (daemon->last_server == server)
+-    daemon->last_server = NULL;
+-  
++  /* last_server cleared by server_domains_cleanup */
+   if (daemon->srv_save == server)
+     daemon->srv_save = NULL;
+ }
+diff --git a/src/network.c b/src/network.c
+index 3600250..1fa81ff 100644
+--- a/src/network.c
++++ b/src/network.c
+@@ -1537,6 +1537,29 @@ void cleanup_servers(void)
+ #endif
+ }
+ 
++static void server_domains_cleanup(void)
++{
++  struct server_domain *sd, *tmp, **up;
++
++  /* unlink and free anything still marked. */
++  for (up = &daemon->server_domains, sd=*up; sd; sd = tmp)
++    {
++      tmp = sd->next;
++      if (sd->flags & SERV_MARK)
++       {
++         *up = sd->next;
++         if (sd->domain)
++	   free(sd->domain);
++	 free(sd);
++       }
++      else {
++        up = &sd->next;
++        if (sd->last_server && (sd->last_server->flags & SERV_MARK))
++	  sd->last_server = NULL;
++      }
++    }
++}
++
+ void add_update_server(int flags,
+ 		       union mysockaddr *addr,
+ 		       union mysockaddr *source_addr,
+@@ -1616,10 +1639,72 @@ void add_update_server(int flags,
+     }
+ }
+ 
++static const char *server_get_domain(const struct server *serv)
++{
++  const char *domain = serv->domain;
++
++  if (serv->flags & SERV_HAS_DOMAIN)
++		  /* .example.com is valid */
++    while (*domain == '.')
++      domain++;
++
++  return domain;
++}
++
++struct server_domain *server_domain_find_domain(const char *domain)
++{
++  struct server_domain *sd;
++  for (sd = daemon->server_domains; sd; sd = sd->next)
++    if ((!domain && sd->domain == domain) || (domain && sd->domain && hostname_isequal(domain, sd->domain)))
++      return sd;
++  return NULL;
++}
++
++/**< Test structure has already set domain pointer.
++ *
++ * If not, create a new record. */
++struct server_domain *server_domain_new(struct server *serv)
++{
++  struct server_domain *sd;
++
++  if ((sd = whine_malloc(sizeof(struct server_domain))))
++    {
++      const char *domain = server_get_domain(serv);
++
++      /* Ensure all serv->domain values have own record in server_domain.
++       * Add a new record. */
++      if (domain)
++	{
++	  size_t len = strlen(domain)+1;
++	  sd->domain = whine_malloc(len);
++	  if (sd->domain)
++	    memcpy(sd->domain, domain, len);
++	}
++      sd->next = daemon->server_domains;
++      serv->serv_domain = sd;
++      daemon->server_domains = sd;
++    }
++  return sd;
++}
++
++/**< Test structure has already set domain pointer.
++ *
++ * If not, create a new record. */
++static void server_domain_check(struct server *serv)
++{
++  struct server_domain *sd = serv->serv_domain;
++
++  if (sd)
++    sd->flags &= (~SERV_MARK); /* found domain, mark active */
++  else
++    server_domain_new(serv);
++}
++
+ void check_servers(void)
+ {
+   struct irec *iface;
+   struct server *serv;
++  struct server_domain *sd;
+   struct serverfd *sfd, *tmp, **up;
+   int port = 0, count;
+   int locals = 0;
+@@ -1632,10 +1717,14 @@ void check_servers(void)
+   for (sfd = daemon->sfds; sfd; sfd = sfd->next)
+     sfd->used = sfd->preallocated;
+ 
++  for (sd = daemon->server_domains; sd; sd = sd->next)
++    sd->flags |= SERV_MARK;
++
+   for (count = 0, serv = daemon->servers; serv; serv = serv->next)
+     {
+       if (!(serv->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR | SERV_USE_RESOLV | SERV_NO_REBIND)))
+ 	{
++
+ 	  /* Init edns_pktsz for newly created server records. */
+ 	  if (serv->edns_pktsz == 0)
+ 	    serv->edns_pktsz = daemon->edns_pktsz;
+@@ -1651,12 +1740,8 @@ void check_servers(void)
+ 	      if (serv->flags & SERV_HAS_DOMAIN)
+ 		{
+ 		  struct ds_config *ds;
+-		  char *domain = serv->domain;
+-		  
+-		  /* .example.com is valid */
+-		  while (*domain == '.')
+-		    domain++;
+-		  
++		  const char *domain = server_get_domain(serv);
++
+ 		  for (ds = daemon->ds; ds; ds = ds->next)
+ 		    if (ds->name[0] != 0 && hostname_isequal(domain, ds->name))
+ 		      break;
+@@ -1666,7 +1751,6 @@ void check_servers(void)
+ 		}
+ 	    }
+ #endif
+-
+ 	  port = prettyprint_addr(&serv->addr, daemon->namebuff);
+ 	  
+ 	  /* 0.0.0.0 is nothing, the stack treats it like 127.0.0.1 */
+@@ -1701,6 +1785,8 @@ void check_servers(void)
+ 	  
+ 	  if (serv->sfd)
+ 	    serv->sfd->used = 1;
++
++	  server_domain_check(serv);
+ 	}
+       
+       if (!(serv->flags & SERV_NO_REBIND) && !(serv->flags & SERV_LITERAL_ADDRESS))
+@@ -1763,6 +1849,7 @@ void check_servers(void)
+ 	up = &sfd->next;
+     }
+   
++  server_domains_cleanup();
+   cleanup_servers();
+ }
+ 
+diff --git a/src/option.c b/src/option.c
+index 6de5914..e4e3182 100644
+--- a/src/option.c
++++ b/src/option.c
+@@ -928,6 +928,7 @@ static struct server *add_rev4(struct in_addr addr, int msize)
+   p += sprintf(p, "in-addr.arpa");
+   
+   serv->flags = SERV_HAS_DOMAIN;
++  server_domain_new(serv);
+   serv->next = daemon->servers;
+   daemon->servers = serv;
+ 
+@@ -952,6 +953,7 @@ static struct server *add_rev6(struct in6_addr *addr, int msize)
+   p += sprintf(p, "ip6.arpa");
+   
+   serv->flags = SERV_HAS_DOMAIN;
++  server_domain_new(serv);
+   serv->next = daemon->servers;
+   daemon->servers = serv;
+   
+@@ -2292,6 +2294,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
+ 				  memset(serv, 0, sizeof(struct server));
+ 				  serv->domain = d;
+ 				  serv->flags = SERV_HAS_DOMAIN | SERV_NO_ADDR;
++				  server_domain_new(serv);
+ 				  serv->next = daemon->servers;
+ 				  daemon->servers = serv;
+ 				}
+@@ -2335,6 +2338,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
+ 				  memset(serv, 0, sizeof(struct server));
+ 				  serv->domain = d;
+ 				  serv->flags = SERV_HAS_DOMAIN | SERV_NO_ADDR;
++				  server_domain_new(serv);
+ 				  serv->next = daemon->servers;
+ 				  daemon->servers = serv;
+ 				}
+@@ -2587,6 +2591,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
+ 		newlist = serv;
+ 		serv->domain = domain;
+ 		serv->flags = domain ? SERV_HAS_DOMAIN : SERV_FOR_NODOTS;
++		server_domain_new(serv);
+ 		arg = end;
+ 		if (rebind)
+ 		  break;
+-- 
+2.34.1
+

SOURCES/dnsmasq-2.81-configuration.patch

@@ -0,0 +1,92 @@
+From 3a593d133f91c5126105efd03246b3f61f103dd4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Tue, 30 Jun 2020 18:06:29 +0200
+Subject: [PATCH] Modify upstream configuration to safe defaults
+
+Most important change would be to listen only on localhost. Default
+configuration should not listen to request from remote hosts. Match also
+user and paths to directories shipped in Fedora.
+---
+ dnsmasq.conf.example | 24 +++++++++++++++++++-----
+ 1 file changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example
+index bf19424..36fba33 100644
+--- a/dnsmasq.conf.example
++++ b/dnsmasq.conf.example
+@@ -22,7 +22,7 @@
+ 
+ # Uncomment these to enable DNSSEC validation and caching:
+ # (Requires dnsmasq to be built with DNSSEC option.)
+-#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf
++#conf-file=/usr/share/dnsmasq/trust-anchors.conf
+ #dnssec
+ 
+ # Replies which are not DNSSEC signed may be legitimate, because the domain
+@@ -96,14 +96,16 @@
+ 
+ # If you want dnsmasq to change uid and gid to something other
+ # than the default, edit the following lines.
+-#user=
+-#group=
++user=dnsmasq
++group=dnsmasq
+ 
+ # If you want dnsmasq to listen for DHCP and DNS requests only on
+ # specified interfaces (and the loopback) give the name of the
+ # interface (eg eth0) here.
+ # Repeat the line for more than one interface.
+ #interface=
++# Listen only on localhost by default
++interface=lo
+ # Or you can specify which interface _not_ to listen on
+ #except-interface=
+ # Or which to listen on by address (remember to include 127.0.0.1 if
+@@ -114,6 +116,10 @@
+ # disable DHCP and TFTP on it.
+ #no-dhcp-interface=
+ 
++# Serve DNS and DHCP only to networks directly connected to this machine.
++# Any interface= line will override it.
++#local-service
++
+ # On systems which support it, dnsmasq binds the wildcard address,
+ # even when it is listening on only some interfaces. It then discards
+ # requests that it shouldn't reply to. This has the advantage of
+@@ -121,7 +127,11 @@
+ # want dnsmasq to really bind only the interfaces it is listening on,
+ # uncomment this option. About the only time you may need this is when
+ # running another nameserver on the same machine.
+-#bind-interfaces
++#
++# To listen only on localhost and do not receive packets on other
++# interfaces, bind only to lo device. Comment out to bind on single
++# wildcard socket.
++bind-interfaces
+ 
+ # If you don't want dnsmasq to read /etc/hosts, uncomment the
+ # following line.
+@@ -535,7 +545,7 @@
+ # The DHCP server needs somewhere on disk to keep its lease database.
+ # This defaults to a sane location, but if you want to change it, use
+ # the line below.
+-#dhcp-leasefile=/var/lib/misc/dnsmasq.leases
++#dhcp-leasefile=/var/lib/dnsmasq/dnsmasq.leases
+ 
+ # Set the DHCP server to authoritative mode. In this mode it will barge in
+ # and take over the lease for any client which broadcasts on the network,
+@@ -673,7 +683,11 @@
+ # Include all files in a directory which end in .conf
+ #conf-dir=/etc/dnsmasq.d/,*.conf
+ 
++# Include all files in /etc/dnsmasq.d except RPM backup files
++conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig
++
+ # If a DHCP client claims that its name is "wpad", ignore that.
+ # This fixes a security hole. see CERT Vulnerability VU#598349
+ #dhcp-name-match=set:wpad-ignore,wpad
+ #dhcp-ignore-names=tag:wpad-ignore
++
+-- 
+2.26.2
+

SOURCES/dnsmasq-2.85.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEE1urL1u5GuDQkjRESFc3aauGRNaIFAmBuGPsACgkQFc3aauGR
+NaIg6A//Xfcu62aItiHf/jTeFHUSqHrdqanDqLRWSpgdeKO2adk+s66p5CqVHC8K
+JfxPo6eTUj8uX53Idy5oiwUz4d40iiOjfxHs4Nme0ozyIAHGw/Tfwx7/+NV882vi
++rtqhjF83dRsnqIR95FD17tVI+cR0sq6XKzwBtPicjmPt79sQ2UtkBo7I+IS9B5g
+o+i21gGYm34EgY6EavveWfGkKgJLz+cF59h4i16lc1eRGNsy5clURDxiJ65Zz0zb
+ZARLudEclbFNdoUu/4idmOUhZCGWrqf9o+rQDYW3vN85saxCPbTChqqy1VC6OBnX
+VLN3cAJlk1hS5X0HzewhXkOqulzjg81KWRQ8EYATdOQP7u6apv4q87hnmr+uL9E8
+0VZ3ECyhH7n6qNXfqNS2Fp3Yp0sm1hgRy+6bu/IgVTPs/Ro22HqTiw5YXZQkPMbe
+A4acAep59nIV9dEB5DYF1N0S0P6OcVtUsZAFlGS1cD0owFuI44W/lg8w9xA9gyJv
+uqZvZqkQDM8bi9zJ2d7fjf65pjS+7S9ISxDoPHp34lLMB7D/rAuW8GVBkL1KxMWb
+sRHIBDKM01CXZeRBlbxAYHlH7s2QehRk/t57ksTmPtT3IAVMSajEG0+1YElUGg8s
+2gqLtCLdmB6Lwl4RFripSERvPzYOAsd8DiqDL9wYOECBStUGuEw=
+=W3WM
+-----END PGP SIGNATURE-----

SOURCES/dnsmasq-2.86-alternative-lease.patch

@@ -0,0 +1,107 @@
+From 268080fc19990711a1d1e1acd68a50aa2f6cb5fb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Fri, 17 Sep 2021 20:12:21 +0200
+Subject: [PATCH] Offer alternative DHCPv6 address if requested is taken
+
+In some cases multiple requests might arrive from single DUID. It may
+happen just one address is offered to different IAID requests. When
+the first request confirms lease, another would be offered alternative
+address instead of address in use error.
+
+Includes check on such Rapid commit equivalents and returns NotOnLink
+error, required by RFC 8145, if requested address were not on any
+supported prefix.
+---
+ src/rfc3315.c | 39 ++++++++++++++++++++++++++++-----------
+ 1 file changed, 28 insertions(+), 11 deletions(-)
+
+diff --git a/src/rfc3315.c b/src/rfc3315.c
+index 5c2ff97..d1534ad 100644
+--- a/src/rfc3315.c
++++ b/src/rfc3315.c
+@@ -614,7 +614,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+       
+     case DHCP6SOLICIT:
+       {
+-      	int address_assigned = 0;
++	int address_assigned = 0, ia_invalid = 0;
+ 	/* tags without all prefix-class tags */
+ 	struct dhcp_netid *solicit_tags;
+ 	struct dhcp_context *c;
+@@ -697,6 +697,8 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ 		    get_context_tag(state, c);
+ 		    address_assigned = 1;
+ 		  }
++		else
++		  ia_invalid++;
+ 	      }
+ 	    
+ 	    /* Suggest configured address(es) */
+@@ -782,11 +784,26 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ 	    tagif = add_options(state, 0);
+ 	  }
+ 	else
+-	  { 
++	  {
++	    char *errmsg;
+ 	    /* no address, return error */
+ 	    o1 = new_opt6(OPTION6_STATUS_CODE);
+-	    put_opt6_short(DHCP6NOADDRS);
+-	    put_opt6_string(_("no addresses available"));
++	    if (state->lease_allocate && ia_invalid)
++	      {
++		/* RFC 8415, Section 18.3.2:
++		   If any of the prefixes of the included addresses are not
++		   appropriate for the link to which the client is connected,
++		   the server MUST return the IA to the client with a Status
++		   Code option with the value NotOnLink. */
++		put_opt6_short(DHCP6NOTONLINK);
++		errmsg = _("not on link");
++	      }
++	    else
++	      {
++		put_opt6_short(DHCP6NOADDRS);
++		errmsg = _("no addresses available");
++	      }
++	    put_opt6_string(errmsg);
+ 	    end_opt6(o1);
+ 
+ 	    /* Some clients will ask repeatedly when we're not giving
+@@ -795,7 +812,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ 	    for (c = state->context; c; c = c->current)
+ 	      if (!(c->flags & CONTEXT_RA_STATELESS))
+ 		{
+-		  log6_packet(state, state->lease_allocate ? "DHCPREPLY" : "DHCPADVERTISE", NULL, _("no addresses available"));
++		  log6_packet(state, state->lease_allocate ? "DHCPREPLY" : "DHCPADVERTISE", NULL, errmsg);
+ 		  break;
+ 		}
+ 	  }
+@@ -831,7 +848,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ 		 /* If we get a request with an IA_*A without addresses, treat it exactly like
+ 		    a SOLICT with rapid commit set. */
+ 		 save_counter(start);
+-		 goto request_no_address; 
++		 goto request_no_address;
+ 	       }
+ 
+ 	    o = build_ia(state, &t1cntr);
+@@ -861,11 +878,11 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ 		      }
+ 		    else if (!check_address(state, &req_addr))
+ 		      {
+-			/* Address leased to another DUID/IAID */
+-			o1 = new_opt6(OPTION6_STATUS_CODE);
+-			put_opt6_short(DHCP6UNSPEC);
+-			put_opt6_string(_("address in use"));
+-			end_opt6(o1);
++			/* Address leased to another DUID/IAID.
++			   Find another address for the client, treat it exactly like
++			   a SOLICT with rapid commit set. */
++			save_counter(start);
++			goto request_no_address;
+ 		      } 
+ 		    else 
+ 		      {
+-- 
+2.31.1
+

SOURCES/dnsmasq-2.86-dhcpv6-client-arch.patch

@@ -0,0 +1,28 @@
+From 4272580bb586180e596e5ed30b68455826acc8c1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Wed, 22 Sep 2021 14:54:01 +0200
+Subject: [PATCH] Add support for option6 names of RFC 5970
+
+Client Network Interface Identifier and Client System Architecture Type
+options were not understood by dnsmasq. Add it to supported option
+types.
+---
+ src/dhcp-common.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/dhcp-common.c b/src/dhcp-common.c
+index 36bc38a..528e8e7 100644
+--- a/src/dhcp-common.c
++++ b/src/dhcp-common.c
+@@ -659,6 +659,8 @@ static const struct opttab_t opttab6[] = {
+   { "ntp-server", 56, 0 /* OT_ADDR_LIST | OT_RFC1035_NAME */ },
+   { "bootfile-url", 59, OT_NAME },
+   { "bootfile-param", 60, OT_CSTRING },
++  { "client-arch", 61, 2 | OT_DEC }, /* RFC 5970 */
++  { "client-interface-id", 62, 1 | OT_DEC }, /* RFC 5970 */
+   { NULL, 0, 0 }
+ };
+ #endif
+-- 
+2.31.1
+

SOURCES/dnsmasq-systemd-sysusers.conf

@@ -0,0 +1 @@
+u dnsmasq - "Dnsmasq DHCP and DNS server" /var/lib/dnsmasq

SOURCES/dnsmasq.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=DNS caching server.
+After=network.target
+
+[Service]
+ExecStart=/usr/sbin/dnsmasq
+Type=forking
+PIDFile=/run/dnsmasq.pid
+
+[Install]
+WantedBy=multi-user.target

SOURCES/srkgpg.txt

@@ -0,0 +1,117 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+
+mQINBFMbjUMBEACsU1Xk8+uu/EsGVJTh9Tn31C2e0ycd0voBVT7cTdtXpzeiNR+o
+/zUAi95ds7FiecpZJp1nRO4vNzvaaAPZhFsFVLzZYyIVABgTXsskT88xbZvzb4W5
+KKRWVhoTQxVDgj1+dXLUXULTB6rg02WEhqnix/qf/zFdM9I4/3pRHJn9k+3XKygR
+on+nYtljfn3AKBelCo1y28istC6wCncoH11b/qdQtlfxVXaJY4HF27V0MqFFmDMg
+cuhOHR7DnhymeDh7GmLfTHJ4LUFG+TecqCjiYhyWcuv2wuSb0EPXUKHJQVViQ8qg
+KyPm1ly6uFP0CYdVavO7/oJwKFBIChECrj7BQ4GsImMHeuSzfWno7qy6Fxoxx2+g
+0F9cdXWvcxFDGPQsL5vXp8KYNwBrzmijRzQ2ZAnrbG+ilFCkJCbxXcrhzpd4tKwE
+0dgcyPL1Ma/lrznhL4ZuOzjVMgLNne7WiPpBNRqI1GoT0pUn6as4pU3En8B+K7zy
+MLVfHvI1+iH45fP5bZwYSbXCa85v4+xqljYrzs9giaROEsXe/tsXvuc6JPCcmJXk
+CUO3c3QVxqDFt9OYuTHIR8hqehDPLgFgzKqVuoAwMkhTf/zZNGlsy4jvKXQNcZ50
+uD4mWO3e+gykNW/OH+88IoCR0rgjQ6trMLOceZFnrtvxwRL//lMndGCTYQARAQAB
+tCZTaW1vbiBLZWxsZXkgPHNpbW9uQHRoZWtlbGxleXMub3JnLnVrPokCOgQTAQgA
+JAIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAUCUyDDjgIZAQAKCRAVzdpq4ZE1
+otpmD/49HjUnc/uiYa/pcP5OIBd8lChHlF/NCh4s1RASeKv9cG6WDjnbTdxgcS6t
+yESFJOfZ/hZW0WDEmuAh3tcZh1/yghkiMF3zZ+nB0zCFt9y//qKrNYvT7a9o+YGo
+TuLANNq0jzzyrlPJemkZ7wvn9WNfRoG+ZUg/IQT0EVBqz6+/lvJSRTnjYXE8Ckay
+/RbQ/WkppsuXQXsi08U+5oPT4rWTAGtZu4aEEoxX2MYcHip1f/bUUFzOAB/cn3In
+ba+bqisLDCGm3F174NKfu+pk2MO0cauRRYPMoBAHLWDgGZOXoihWBgplcBUEYy1h
+SNL7zRVX5AT2Z5Wqa1fVokkSd/T8FF2/0J4PjqFkCvBfCL8BYWzfTSkR/PBwL71P
+nFzeOVJ1h1bF5ANXtfArZUI6HGMWpOb56E/YaHXhZ+lzfiM32Mwnc6jDHM3mJnEZ
+jOQcsWEz7QgoR5YSPFFY6gmBXk+Y28bsgFvO3w73GjnnSHsmZdlWx9KmQWnMk/LQ
++7PUl7If+eIJ4PAqSEQddBOT/g74Q4NHGu4lvAhgZ47aU18+fYdxvVoe9JyXHsYY
+5gPMjiM3RRxiugmm8dlT7RfYKWkJMBbkiyGAeQ6R1RDVztL7nM9N4ttb6nFOVtYK
+UDQ1gxtKfrz/+L8Myy3IETC1NZgkuaDlXcdbNF3/oHApl8NK64hGBBARCAAGBQJT
+G43BAAoJECj8hpoom4K3QrUAn1VftUxazQQJ/j6HJ/p3Soa60fJyAJ4xLJCBpov9
+duJRuE9rF1OBaMZDeIhGBBARCAAGBQJTIekzAAoJECnhT5k5GzkoyOgAnjreKaWc
+cEpEZSZnjlnc7DEnHuS+AJ4+Xq87WVKj9cJ05o8TRSkKxJYlEIkCHAQQAQgABgUC
+UyHp8gAKCRAC0CBFCPsO9yHSD/9xYHSECwwneMFAO4nEGHyAQnhvyDzX3RutZeX1
+9pc+qOm5iLUD+1EVx8+AvjTw0337yIHOa5nZI3CpgmBhmj18Q9vEgmtZn6EMXaRE
+CvedsRjUSd3Q5+CF0AUbo1JQqZhVUdYLEZYcvfNgEmKl6IoVHwP8moH/cxDFc5Y6
+GdlFAeJylynPdZ3Lb94DEya8VQc2mSG8L6y6ZDW8yf6M8npQG7f1cyJb9lPJJqlH
+ZaFnpK2Df1DvOJXB88FQH1qW++w9uIoszdWjDOSGmwOuazO3GMmpfZPJPkH5lXoF
+XKN5BO/l/gvEQ1jsmp14VZHJqdcO7HRHksLQLvNDQSi3am4ok2xm3Kn2NryJ1K2Q
+mUBGrWu4CtwabgvhoKGxr0GADCQJVlLqRCC+UIp97J0kOsZj8FYjwA3I1U5w8wJi
+SUqw8u+8OCCFGm1rS6XQy/wbGDPwZjCZnaNHICSj8zeXE9YkhTf2fMs/S8NLQUPy
+u1g3/IoIGNnadETzEmAd02FJncUlUo05yDAcVg/IqwgM8atJQqEWLYE0QHrcqOWi
+eaCCJ9+fx2KhxKnRqpKAXSov+M0KYDkIV9OQE+KioGzxdlrN2ZFmbfIKLLYMwH0s
+xMkgJjbbhP8KhfxDIUoSky9gUTwwyrpJVjKkXZ6yNFpSo+Mtn8OHL12nLqzyQONT
+waerx4hGBBARCAAGBQJTL0SDAAoJEBbi9PX8geFZBbUAnR3I/MdzG4kBtCecwePz
+MvKdKS1SAJ9CyGUhzb8coURtMzbIlH9F7jm6L4kCHAQQAQgABgUCUy9EpAAKCRBj
+ziC6xJxBSLhYD/9qBBxVex2nxavrMV4Vd0AhYJa5iI148NbqD7EZLnuCDWwi+wrq
+nfMi0ToUHlh1Lp36vXd06W8JySHIiAxL0zDpq6tdT65f6iOTRZ6W6xuebxKgqC3k
+ZsxcEzceYR1dOCKlRhQAsZ7Q9BJP/ZafSD/NOm2sxdPOneYm8IA4QXwWDVOayrV8
+FOIDBkBLmPhm1BGNErdhCBCYsvqYSN7gFJBNszXciNMJtBmXWNyTsHtNAeKIQuzE
+RgYCC2/LuTOIloeI6z6mM7mVZuPsraqRa5iGITvGI4qeQziTp+xqIu8YPQrE67iQ
+MqSZZCxv3aheiiJd06l4FFpEYEg5H4FMD9JW4rvnaxLwXc8x1/ZVQQhylughetE9
+j7oPQbA353oyUCCAukd4UiNYtULNCbZzfKdKCFCajnIfIY8IqNGuWvmujKViDAk2
+7bIlKQeyNKExIx8Jkr4WPQBLFmXCkT+jYQMJx/R6SoNwrpa50SofTT+y+43GpSQ5
+5e3Kffky0SZk+O/m7oW7gKPjwzh/UmLsOb9INXJ3gYS/CDT3fwA+UsAA+gXneT3I
+ygYqfU8dnk2umV20gIm8q/SQYiyhMM+PZCkKXeHyoeU/SbO72DWKw/ZtZI/1b9xX
+ruc1HBKJ/UXNPJRyoHIi4dZ/ARQ/zk839beBMnGm0AsB1y1+leTlrNZM5rQdU2lt
+b24gS2VsbGV5IDxzcmtAZGViaWFuLm9yZz6JAjcEEwEIACEFAlMgw3QCGwMFCwkI
+BwMFFQoJCAsFFgIDAQACHgECF4AACgkQFc3aauGRNaKhRg//S5G2RYoHNY22ecyG
+5hpBr354lqdZiYRHKYCjX29jDIrtZSlC3HCL31ciGOVg666aD5xy54WAPTlx3MFQ
+AxgWsqFTkICHj6zFdFduLmI1IffvcxkcEKwi6NK5f5dOxih9EtXcQ1HsoSUWGRmB
+Kltvt1wyaiG37A80pjzQso1b6kr5JLdGMrjWx9PnFRKCdUNh5nxIb4HeC5R2Q8oT
+FaipSppZwmvA5ocCvhMsyYCyiE6o8QTtzTqj5mGZafIqy18hwB9bA2n2gcEY1fXD
+V9ky08J98A3VJqAMDM9Y6KYv+tQNJBIJRDWGmvjR/1J6n1jqO64l7mTcBlT/xfyp
+TFfiXVzGN+H3EiEDFpPXKcc4abjiY8IaCu4P8qvKvee/EF7+FUep3R/i3hw0a5th
+bZ4of1LfLp6qg7XjCZ3d2MUitxKe/FoFQS/ctkKNwsimOlUl5bIVmaJMMq8FUvLi
+6iBgFMy8LCk2ItZ5rA2+5kGalGzwcWDdpq66A+z69f1wFfKDccOpfOJ838zmxCrz
+WSxbVnLTaRSV4VobZvwHkAXZGCnDMk68ELfUNFzGClBhNOVPqAHbU74AkSS5bas5
+recjKUz53DZl1aAOWLxFXQlOvxsaZ9wHmvHJAZiKscUGNUBXRK9p78TzQEm5Lxwz
+Q6/V1JSkA6o4Xq7qygSARIigjJyIRgQQEQgABgUCUyHpMwAKCRAp4U+ZORs5KI+v
+AKC2OnBT8TZ5cnTQwleYshUsxJddkQCgpecrsb8ysVtau7lXBgrA/X/Wef2JAhwE
+EAEIAAYFAlMh6fIACgkQAtAgRQj7DvcWsQ//SF+g3zMRYeZ+qNC3m7slibJNCPdM
+Cied05owZfN6oHhfBaRDc7nAC6mSdwFF76ird5/bSg2HzR6Tp4hIy/5M5WXFv4jt
+m+0KXYKnDjHv1297sSALFoYKlm4K4lnE7T/qJknc/mGlLWfWm5Y5jV/QfV9Zwxvy
+kT5Oh5xxzeNiOdvkmV4pCCk+bt15tGD0pII2n/TMPVfDVADLlhrWBrBp7laKyn6Q
+5VvI4GiVBnHSiKsGVEaX0yUuDYzGZSU2RLaJG4BPNHqlHqSQYvsyo6QHPpHg0K6v
+WWZFpgFOXHlLYMNJ91NS+DX7BqlEib2ndWQqCYzZtgRUJK/Dd6G6r2e60/5CPn6H
+CwqQZr1MRdY6vEJS9Lpd5uGIOeQFTEDBZ22pcUAb20cZNdK1J+BgilfVuMvLAs2W
+7fANxLtAHsXdNCvlkqr68odMI8C6w3Zd4R6XL4tfoYXl9emOKiN5SiCpK9HHJNxS
+AuX6vH3lTyR+/sG1haxntu4Tn1T2zBJRgh2DiKuJLH6hnn7F7pf1fZEUUE/A6VSf
+bmp+a6CXfn9mvgnF51QylKkFCauXhV5WsusEtWlNACeJjKXBg+d8LkA6FmJecMbY
+ZzBTdcaN5OwLfXRpAkCsODWk2lXJNlhOntmVfa6MLDnll64S/3j+1wnKOHihf+c2
+exRMy5eQCUKwqVSIRgQQEQgABgUCUy9EgwAKCRAW4vT1/IHhWZwLAJwLPSUf/VMW
+NUJ1hRwNo+7kpUGLdQCeMzNtz3H0smfUn84CSRBFYIJDIhCJAhwEEAEIAAYFAlMv
+RKoACgkQY84gusScQUiSfxAAuNSMXCUGs02xdJvnQRc10HkJxm/wg7YngVa4WZfd
+eqyP2tQOjTdf65OMSIOCIrfpWHPDscJfsP3fjbHojFfx81iJnFmOdxx9aqB9KD15
+FD4Whgq+Eyk8TiPZUEHiVU9RR8N6T/7mIe+lVNJ6GZ1iSk29D1g6+oM56Gox2d3y
+0c8FnCK1Ts6D1peRiIiMq+gjGccdVJyim/yZI3WqzHvul//WmdEFzwgXqh03wbx3
+iQS2zXdvwgyB+gBbVpk+6axOIbYupAvTNXYQV9Hz4imWoDFlXGdYzCMzb6QyH46R
+NgfElAb8UcCknQjLwnawAjXPEHgrH6yaruYR9H1LBLxYIHA4oBYQCUxmn4ArDLOF
+6kZ68eM8efBxVu4uAtklil9X8NUynhyI9DDWJoQET52ekojtOr31NCXHCtUmTkYb
+PEwJxAORMBf3JEPlz2brGRgcSbacJG5RE4Qw2hfKJTOQTiNk4DpLwYrChLK8Ctmn
+RS7jAZth3U2W7Fqc7OFfKs3zuo/2RRRCG3fjOVX7aIOp4Cnobvk0NxXDhEtUpMeP
+0o7qPW8OdxrFyQ3YCoxu94ix1S6da3m143OujdmlM0Gs7Acyeq4bN3FokLzrMxci
+oO6swXzgh9RGCzMkRrBztWgEpXQf8PbcBliF+sDV2aYerGBN9qmbN9FX30IKGaWn
+QsK5Ag0EUyDDoQEQAMfQfa2tw3+OJFGMQEzLJSoXYN8/HnZEgKNlcMuYzhheQLgu
+/MfcQJ7mnCIdn6xdPaalfLmYx63tM47/NGEM1+MSEvovPiRG0OLxzSgwei9DiGeN
+EgsPTLXSZ5EVSXCM1+e9mT1ExT9aGLNnpCd6kIyWIcKCVMot+XC70R9prWLeyKSh
+0FAZ0Pwv9i23osJVGOtJjND+WZ0uCeN29ocfN0b64yF4nPRc9IbcmYIDgNU3RybK
+2Z/dupbthTisRjHRI3iX3/tiymXF3J0sSvsCluWIJWmyltS3Xyk/wfKVJz6OouiJ
+jTj5utXVnCGptCDw+DCcj89vx1N0+0Dhm1cQcNZvXjMbVDTsuU+eVpJbxU6y8N+n
+XpAXjEw4jMi3zNpqKtkyv2YpoqY5HhGLybgrY0zwSQOyMNf9lZ5J7znq5gEmiMXn
+G9OPEw7PPSvm6QfbHPY/jAOgxsu7Fme7k303D5KkyGkkbzQiYyEtMZvbOMH/uECi
+2uHGB72qiGpEYjMtHhihaRCBl+0bY8sH83He690qNQHSdStjaKXcecduE/v5iO0m
+OYIHdsEHhKlWsE1GXXVLofBr68UBhYV6/AGXko4Pr+dXLzauN4kALDx6WltFu3qU
+voD+uEoLq7IXULMo5Pyd7bO4qGQMKykaXTb5o6dqdu4GzWIUw1fr9kLEmo29ABEB
+AAGJAh8EGAEIAAkFAlMgw6ECGwwACgkQFc3aauGRNaIjqA/+PXuaM6JHuudLycmB
+0iKAwyB5csOFGpF3b9FgMR68TC4jzi5J5hJZASl0cO/e0ytQsrDUBbH74y+WaA4l
+dwBVYr0j/2hqzIjrnGMtgWeHFPLV3sKw8DGuNx1/cOoljJXzi1WWSHIwDvaj3uZ9
+CwHt+4/abR7kdvMcnFhQVA4zuzZWFqpp+CDkkJNVwB9zxtAQwGTGF4cQ0IvTkhCo
+6DQhZZVTeyn+nBKxzzWijniWc0LyRsum03MxZ6E7UVIInCTjdXTalnO8wColwIx5
+FV4nTMxdsKKgnIXmLexBdd03bW9TkowWf2C2XfDN+pDS8X3MzO6zAyogqJhAiBFj
+nRzkOw0cw1VTL00o8uiWdMeu7OKOKeQbUilMAn4MweKB57mc582kjeGmwdZgWFA4
+BJ2eiH7HwjxiynwMdZwQEBdOTNLbggHk3/mScF8U1KcJhjAFf7Ne+Z0feG/8GgKl
+5aj3ucl821+dfpzB79lLo+kmd1qkDyDiUR5yN6P8l8k6IAUJz2KUe0BjtO6VFFw0
+xni05dkrXdfo7IO79ictHmEn+g3QO8ZLUGRwdtZ1cMhTkm7FhH8Bdby0y4Soqluv
+Hbri++cC91i1I3a92kHi/8O45rnLhVt+sOfxY1QnSIYh5OFwGMqMCNDTEL7ESiFa
+FhSXkmzzVntlyvOBMlgz3IGh2hA=
+=TM0e
+-----END PGP PUBLIC KEY BLOCK-----

SPECS/dnsmasq.spec

@@ -0,0 +1,720 @@
+%define testrelease 0
+%define releasecandidate 0
+%if 0%{testrelease}
+  %define extrapath test-releases/
+  %define extraversion test%{testrelease}
+%endif
+%if 0%{releasecandidate}
+  %define extrapath release-candidates/
+  %define extraversion rc%{releasecandidate}
+%endif
+
+%define _hardened_build 1
+# path to upstream git repository
+%global git_upstream git://thekelleys.org.uk/dnsmasq.git
+# tag of selected version
+%global gittag v%{version}%{?extraversion}
+
+# Attempt to prepare source-git with downstream repos
+%bcond_with sourcegit
+
+Name:           dnsmasq
+Version:        2.85
+Release:        3%{?extraversion:.%{extraversion}}%{?dist}
+Summary:        A lightweight DHCP/caching DNS server
+
+License:        GPLv2 or GPLv3
+URL:            http://www.thekelleys.org.uk/dnsmasq/
+Source0:        %{url}%{?extrapath}%{name}-%{version}%{?extraversion}.tar.xz
+Source1:        %{name}.service
+Source2:        dnsmasq-systemd-sysusers.conf
+Source3:        %{url}%{?extrapath}%{name}-%{version}%{?extraversion}.tar.xz.asc
+# GPG public key
+%if 0%{?testrelease} || 0%{?releasecandidate}
+Source4:        %{url}%{?extrapath}test-release-public-key
+%else
+Source4:        http://www.thekelleys.org.uk/srkgpg.txt
+%endif
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=1495409
+Patch1:         dnsmasq-2.77-underflow.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1852373
+Patch2:         dnsmasq-2.81-configuration.patch
+Patch3:         dnsmasq-2.78-fips.patch
+# Downstream only patch; https://bugzilla.redhat.com/show_bug.cgi?id=1919894
+# Similar functionality is implemented since 2.86 in upstream, but introduced
+Patch4:        dnsmasq-2.79-server-domain-rh1919894.patch
+# https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q3/015640.html
+Patch5:         dnsmasq-2.86-alternative-lease.patch
+Patch6:         dnsmasq-2.86-dhcpv6-client-arch.patch
+
+# This is workaround to nettle bug #1549190
+# https://bugzilla.redhat.com/show_bug.cgi?id=1549190
+Requires:       nettle >= 3.4
+
+BuildRequires:  dbus-devel
+BuildRequires:  pkgconfig
+BuildRequires:  libidn2-devel
+BuildRequires:  nettle-devel
+Buildrequires:  gcc
+BuildRequires:  gnupg2
+
+BuildRequires:  systemd
+BuildRequires:  systemd-rpm-macros
+%{?systemd_requires}
+%if %{with sourcegit}
+BuildRequires:  git-core
+%endif
+BuildRequires: make
+
+%description
+Dnsmasq is lightweight, easy to configure DNS forwarder and DHCP server.
+It is designed to provide DNS and, optionally, DHCP, to a small network.
+It can serve the names of local machines which are not in the global
+DNS. The DHCP server integrates with the DNS server and allows machines
+with DHCP-allocated addresses to appear in the DNS with names configured
+either in each host or in a central configuration file. Dnsmasq supports
+static and dynamic DHCP leases and BOOTP for network booting of diskless
+machines.
+
+%package        utils
+Summary:        Utilities for manipulating DHCP server leases
+
+%description    utils
+Utilities that use the standard DHCP protocol to query/remove a DHCP
+server's leases.
+
+
+%prep
+%if 0%{?fedora}
+%gpgverify -k 4 -s 3 -d 0
+%endif
+%if %{with sourcegit}
+%autosetup -n %{name}-%{version}%{?extraversion} -N -S git_am
+# If preparing with sourcegit, drop again source directory
+# and clone git repository
+# FIXME: deleting just unpacked sources is dangerous
+# But using %%setup changes used directories in %%build and %%install
+rm -rf %{_builddir}/%{name}-%{version}%{?extraversion}
+cd %{_builddir}
+git clone -b %{gittag} %{git_upstream} %{name}-%{version}%{?extraversion}
+cd %{name}-%{version}%{?extraversion}
+git checkout -b rpmbuild
+%else
+%autosetup -n %{name}-%{version}%{?extraversion} -N
+%endif
+# Apply patches on top
+%autopatch -p1
+
+# use /var/lib/dnsmasq instead of /var/lib/misc
+for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
+    sed -i 's|/var/lib/misc/dnsmasq.leases|/var/lib/dnsmasq/dnsmasq.leases|g' "$file"
+done
+
+#set default user /group in src/config.h
+sed -i 's|#define CHUSER "nobody"|#define CHUSER "dnsmasq"|' src/config.h
+sed -i 's|#define CHGRP "dip"|#define CHGRP "dnsmasq"|' src/config.h
+sed -i "s|\(#\s*define RUNFILE\) \"/var/run/dnsmasq.pid\"|\1 \"%{_rundir}/dnsmasq.pid\"|" src/config.h
+
+# optional parts
+sed -i 's|^COPTS[[:space:]]*=|\0 -DHAVE_DBUS -DHAVE_LIBIDN2 -DHAVE_DNSSEC|' Makefile
+
+%build
+%make_build CFLAGS="$RPM_OPT_FLAGS" LDFLAGS="$RPM_LD_FLAGS"
+%make_build -C contrib/lease-tools CFLAGS="$RPM_OPT_FLAGS" LDFLAGS="$RPM_LD_FLAGS"
+
+
+%install
+# normally i'd do 'make install'...it's a bit messy, though
+mkdir -p $RPM_BUILD_ROOT%{_sbindir} \
+        $RPM_BUILD_ROOT%{_mandir}/man8 \
+        $RPM_BUILD_ROOT%{_var}/lib/dnsmasq \
+        $RPM_BUILD_ROOT%{_sysconfdir}/dnsmasq.d \
+        $RPM_BUILD_ROOT%{_sysconfdir}/dbus-1/system.d
+install src/dnsmasq $RPM_BUILD_ROOT%{_sbindir}/dnsmasq
+install dnsmasq.conf.example $RPM_BUILD_ROOT%{_sysconfdir}/dnsmasq.conf
+install dbus/dnsmasq.conf $RPM_BUILD_ROOT%{_sysconfdir}/dbus-1/system.d/
+install -m 644 man/dnsmasq.8 $RPM_BUILD_ROOT%{_mandir}/man8/
+install -D trust-anchors.conf $RPM_BUILD_ROOT%{_datadir}/%{name}/trust-anchors.conf
+
+# utils sub package
+mkdir -p $RPM_BUILD_ROOT%{_bindir} \
+         $RPM_BUILD_ROOT%{_mandir}/man1
+install -m 755 contrib/lease-tools/dhcp_release $RPM_BUILD_ROOT%{_bindir}/dhcp_release
+install -m 644 contrib/lease-tools/dhcp_release.1 $RPM_BUILD_ROOT%{_mandir}/man1/dhcp_release.1
+install -m 755 contrib/lease-tools/dhcp_release6 $RPM_BUILD_ROOT%{_bindir}/dhcp_release6
+install -m 644 contrib/lease-tools/dhcp_release6.1 $RPM_BUILD_ROOT%{_mandir}/man1/dhcp_release6.1
+install -m 755 contrib/lease-tools/dhcp_lease_time $RPM_BUILD_ROOT%{_bindir}/dhcp_lease_time
+install -m 644 contrib/lease-tools/dhcp_lease_time.1 $RPM_BUILD_ROOT%{_mandir}/man1/dhcp_lease_time.1
+
+# Systemd
+mkdir -p %{buildroot}%{_unitdir}
+install -m644 %{SOURCE1} %{buildroot}%{_unitdir}
+rm -rf %{buildroot}%{_initrddir}
+
+#install systemd sysuser file
+install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf
+
+%pre
+#precreate users so that rpm can install files owned by that user
+%sysusers_create_compat %{SOURCE2}
+
+%post
+%systemd_post dnsmasq.service
+
+%preun
+%systemd_preun dnsmasq.service
+
+%postun
+%systemd_postun_with_restart dnsmasq.service
+
+%files
+%doc CHANGELOG FAQ doc.html setup.html dbus/DBus-interface
+%license COPYING COPYING-v3
+%defattr(0644,root,dnsmasq,0755)
+%config(noreplace) %{_sysconfdir}/dnsmasq.conf
+%dir %{_sysconfdir}/dnsmasq.d
+%dir %{_var}/lib/dnsmasq
+%defattr(-,root,root,-)
+%config(noreplace) %{_sysconfdir}/dbus-1/system.d/dnsmasq.conf
+%{_unitdir}/%{name}.service
+%{_sbindir}/dnsmasq
+%{_mandir}/man8/dnsmasq*
+%dir %{_datadir}/%{name}
+%{_datadir}/%{name}/trust-anchors.conf
+%{_sysusersdir}/dnsmasq.conf
+
+%files utils
+%license COPYING COPYING-v3
+%{_bindir}/dhcp_*
+%{_mandir}/man1/dhcp_*
+
+%changelog
+* Thu Jan 27 2022 Petr Menšík <pemensik@redhat.com> - 2.85-3
+- Send queries only to best domain-specific server (#2047510)
+- Offer alternate DHCPv6 address if requested is already leased (#1998448)
+
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.85-2
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Thu Apr 15 2021 Petr Menšík <pemensik@redhat.com> - 2.85-1
+- Update to 2.85 (#1978728)
+- Switch systemd unit to forking, reports error on startup (#1774028)
+
+* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 2.84-2
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Tue Jan 26 2021 Petr Menšík <pemensik@redhat.com> - 2.84-1
+- Update to 2.84
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.83-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Jan 19 2021 Petr Menšík <pemensik@redhat.com> - 2.83-1
+- Update to 2.83, fix CVE-2020-25681-7
+
+* Fri Oct 09 2020 Petr Menšík <pemensik@redhat.com> - 2.82-4
+- Remove uninitialized condition from downstream patch
+
+* Wed Sep 30 2020 Petr Menšík <pemensik@redhat.com> - 2.82-3
+- Listen only on localhost interface, return port unreachable on all others
+  (#1852373)
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.82-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Jul 20 2020 Petr Menšík <pemensik@redhat.com> - 2.82-1
+- Update to 2.82
+
+* Tue Jun 30 2020 Petr Menšík <pemensik@redhat.com> - 2.81-4
+- Accept queries only from localhost (CVE-2020-14312)
+
+* Mon May 11 2020 Petr Menšík <pemensik@redhat.com> - 2.81-3
+- Correct multiple entries with the same mac address (#1834454)
+
+* Thu Apr 16 2020 Petr Menšík <pemensik@redhat.com> - 2.81-2
+- Update to 2.81 (#1823139)
+
+* Mon Mar 23 2020 Petr Menšík <pemensik@redhat.com> - 2.81-1.rc3
+- Update to 2.81rc3
+
+* Mon Mar 23 2020 Petr Menšík <pemensik@redhat.com> - 2.80-14
+- Fix last build breakage of DNS (#1814468)
+
+* Tue Mar 10 2020 Petr Menšík <pemensik@redhat.com> - 2.80-13
+- Respond to any local name also withou rd bit set (#1647464)
+
+* Wed Mar 04 2020 Petr Menšík <pemensik@redhat.com> - 2.80-12
+- Support multiple static leases for single mac on IPv6 (#1810172)
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.80-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Wed Aug 28 2019 Petr Menšík <pemensik@redhat.com> - 2.80-10
+- Fix CPU intensive RA flood (#1739797)
+
+* Fri Aug 09 2019 Petr Menšík <pemensik@redhat.com> - 2.80-9
+- Remove SO_TIMESTAMP support, DHCP was broken (#1739081)
+
+* Wed Jul 31 2019 Petr Menšík <pemensik@redhat.com> - 2.80-8
+- Compile with nettle 3.5
+- Support missing SIOCGSTAMP ioctl
+
+* Wed Jul 31 2019 Petr Menšík <pemensik@redhat.com> - 2.80-7
+- Fix TCP listener after interface recreated (#1728701)
+
+* Wed Jul 24 2019 Petr Menšík <pemensik@redhat.com> - 2.80-6
+- Do not return NXDOMAIN on empty non-terminals (#1674067)
+
+* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.80-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Mon Apr 08 2019 Petr Menšík <pemensik@redhat.com> - 2.80-4
+- Use more recent macro to create dnsmasq user
+
+* Fri Feb 15 2019 Petr Menšík <pemensik@redhat.com> - 2.80-3
+- Apply patches by autosetup
+
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.80-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Mon Aug 20 2018 Petr Menšík <pemensik@redhat.com> - 2.80-1
+- Update to 2.80
+
+* Thu Aug 09 2018 Petr Menšík <pemensik@redhat.com> - 2.79-8
+- Better randomize ports
+
+* Tue Jul 31 2018 Florian Weimer <fweimer@redhat.com> - 2.79-7
+- Rebuild with fixed binutils
+
+* Fri Jul 27 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.79-6
+- Rebuild for new binutils
+
+* Thu Jul 26 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.79-5
+- Fix %%pre scriptlet (#1548050)
+
+* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.79-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Mon Jul 02 2018 Petr Menšík <pemensik@redhat.com> - 2.79-3
+- Make dnsmasq leases writeable by root again (#1554390)
+
+* Mon Jul 02 2018 Petr Menšík <pemensik@redhat.com> - 2.79-2
+- Fix passing of dnssec enabled queries (#1597309)
+
+* Thu Mar 15 2018 Petr Menšík <pemensik@redhat.com> - 2.79-1
+- Rebase to 2.79
+- Stop using nettle_hashes directly, use access function (#1548060)
+- Do not break on cname with spaces (#1498667)
+- Require nettle 3.4+
+- Do not own sysusers.d directory, already depends on systemd providing it
+
+* Fri Mar 02 2018 Petr Menšík <pemensik@redhat.com> - 2.78-7
+- Emit warning with dnssec enabled on FIPS system (#1549507)
+
+* Sun Feb 25 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.78-6
+- Create user before installing files (#1548050)
+
+* Fri Feb 23 2018 Petr Menšík <pemensik@redhat.com> - 2.78-5
+- Create user first and then restart service
+
+* Thu Feb 22 2018 Itamar Reis Peixoto <itamar@ispbrasil.com.br> - 2.78-4
+- add gcc into buildrequires
+- deliver an extra sysusers.d file to create dnsmasq user/group
+- set CHUSER and CHGRP to dnsmasq in src/config.h
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.78-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Mon Jan 22 2018 Petr Menšík <pemensik@redhat.com> - 2.78-2
+- DNSSEC fix for wildcard NSEC records (CVE-2017-15107)
+
+* Tue Oct 03 2017 Petr Menšík <pemensik@redhat.com> - 2.78-1
+- Rebase to 2.78
+
+* Tue Oct 03 2017 Petr Menšík <pemensik@redhat.com> - 2.77-9
+- More patches related to CVE-2017-14491
+
+* Mon Oct 02 2017 Petr Menšík <pemensik@redhat.com> - 2.77-8
+- Security fix, CVE-2017-14491, DNS heap buffer overflow
+- Security fix, CVE-2017-14492, DHCPv6 RA heap overflow
+- Security fix, CVE-2017-14493, DHCPv6 - Stack buffer overflow
+- Security fix, CVE-2017-14494, Infoleak handling DHCPv6
+- Security fix, CVE-2017-14496, Integer underflow in DNS response creation
+- Security fix, CVE-2017-14495, OOM in DNS response creation
+- Misc code cleanups arising from Google analysis
+- Do not include stdio.h before dnsmasq.h
+
+* Thu Sep 14 2017 Petr Menšík <pemensik@redhat.com> - 2.77-7
+- Fix CVE-2017-13704
+
+* Mon Aug 14 2017 Petr Menšík <pemensik@redhat.com> - 2.77-6
+- Own the /usr/share/dnsmasq dir (#1480856)
+
+* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.77-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.77-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Wed Jun 07 2017 Petr Menšík <pemensik@redhat.com> - 2.77-3
+- Update to 2.77
+
+* Fri May 12 2017 Petr Menšík <pemensik@redhat.com> - 2.77-2.rc2
+- Fix dhcp
+
+* Thu May 11 2017 Petr Menšík <pemensik@redhat.com> - 2.77-1
+- Update to 2.77rc2
+
+* Thu May 11 2017 Petr Menšík <pemensik@redhat.com>
+- Include dhcp_release6 tool and license in utils
+- Support for IDN 2008 (#1449150)
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.76-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Oct 19 2016 Pavel Šimerda <psimerda@redhat.com> - 2.76-2
+- Resolves: #1373485 - dns not updated after sleep and resume laptop
+
+* Fri Jul 15 2016 Pavel Šimerda <psimerda@redhat.com> - 2.76-1
+- New version 2.76
+
+* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.75-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Mon Jan 25 2016 Tomas Hozza <thozza@redhat.com> - 2.75-3
+- Fixed minor bug in dnsmasq.conf (#1295143)
+
+* Fri Oct 02 2015 Pavel Šimerda <psimerda@redhat.com> - 2.75-2
+- Resolves: #1239256 - install trust-anchors.conf
+
+* Wed Aug 05 2015 Pavel Šimerda <psimerda@redhat.com> - 2.75-1
+- new version 2.75
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.72-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Mon Oct 06 2014 Nils Philippsen <nils@redhat.com> - 2.72-3
+- don't include /etc/dnsmasq.d in triplicate, ignore RPM backup files instead
+- package is dual-licensed GPL v2 or v3
+- drop %%triggerun, we're not supposed to automatically migrate from SysV to
+  systemd anyway
+
+* Mon Oct 06 2014 Tomas Hozza <thozza@redhat.com> - 2.72-2
+- Fix typo in default configuration (#1149459)
+
+* Thu Sep 25 2014 Tomas Hozza <thozza@redhat.com> - 2.72-1
+- Update to 2.72 stable
+
+* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.71-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.71-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Tue May 20 2014 Tomas Hozza <thozza@redhat.com> - 2.71-1
+- Update to 2.71 stable
+
+* Fri Apr 25 2014 Tomas Hozza <thozza@redhat.com> - 2.70-1
+- Update to 2.70 stable
+
+* Fri Apr 11 2014 Tomas Hozza <thozza@redhat.com> - 2.69-1
+- Update to 2.69 stable
+
+* Mon Mar 24 2014 Tomas Hozza <thozza@redhat.com> - 2.69-0.1.rc1
+- Update to 2.69rc1
+- enable DNSSEC implementation
+
+* Mon Dec 09 2013 Tomas Hozza <thozza@redhat.com> - 2.68-1
+- Update to 2.68 stable
+
+* Tue Nov 26 2013 Tomas Hozza <thozza@redhat.com> - 2.68-0.1.rc3
+- Update to 2.68rc3
+
+* Fri Nov 01 2013 Tomas Hozza <thozza@redhat.com> - 2.67-1
+- Update to 2.67 stable
+- Include one post release upstream fix for CNAME
+
+* Fri Oct 18 2013 Tomas Hozza <thozza@redhat.com> - 2.67-0.9.rc4
+- update to 2.67rc4
+
+* Wed Oct 02 2013 Tomas Hozza <thozza@redhat.com> - 2.67-0.8.rc2
+- update to 2.67rc2
+
+* Thu Sep 12 2013 Tomas Hozza <thozza@redhat.com> - 2.67-0.7.test13
+- update to 2.67test13
+- use .tar.xz upstream archives
+
+* Thu Aug 15 2013 Tomas Hozza <thozza@redhat.com> - 2.67-0.6.test7
+- Use SO_REUSEPORT and SO_REUSEADDR if possible for DHCPv4/6 (#981973)
+
+* Mon Aug 12 2013 Tomas Hozza <thozza@redhat.com> - 2.67-0.5.test7
+- Don't use SO_REUSEPORT on DHCPv4 socket to prevent conflicts with ISC DHCP (#981973)
+
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.67-0.4.test7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Tue Jun 11 2013 Tomas Hozza <thozza@redhat.com> - 2.67-0.3.test7
+- update to 2.67test7
+- drop merged patch
+- use _hardened_build macro instead of hardcoded flags
+
+* Fri May 17 2013 Tomas Hozza <thozza@redhat.com> - 2.67-0.2.test4
+- Fix failure to start with ENOTSOCK (#962874)
+
+* Wed May 15 2013 Tomas Hozza <thozza@redhat.com> - 2.67-0.1.test4
+- update to the latest testing release 2.67test4 (#962246)
+- drop mergerd patches
+
+* Tue Apr 30 2013 Tomas Hozza <thozza@redhat.com> - 2.66-5
+- dnsmasq unit file cleanup
+  - drop forking Type and PIDfile and rather start dnsmasq with "-k" option
+  - drop After syslog.target as this is by default
+
+* Thu Apr 25 2013 Tomas Hozza <thozza@redhat.com> - 2.66-4
+- include several fixes from upstream repo:
+  - Send TCP DNS messages in one packet
+  - Fix crash on SERVFAIL when using --conntrack option
+  - Fix regression in dhcp_lease_time utility
+  - Man page typos fixes
+  - Note that dhcp_lease_time and dhcp_release work only for IPv4
+  - Fix for --dhcp-match option to work also with BOOTP protocol
+
+* Sat Apr 20 2013 Tomas Hozza <thozza@redhat.com> - 2.66-3
+- Use Full RELRO when linking the daemon
+- compile the daemon with PIE
+- include two fixes from upstream git repo
+
+* Thu Apr 18 2013 Tomas Hozza <thozza@redhat.com> - 2.66-2
+- New stable version dnsmasq-2.66
+- Drop of merged patch
+
+* Fri Apr 12 2013 Tomas Hozza <thozza@redhat.com> - 2.66-1.rc5
+- Update to latest dnsmasq-2.66rc5
+- Include fix for segfault when lease limit is reached
+
+* Fri Mar 22 2013 Tomas Hozza <thozza@redhat.com> - 2.66-1.rc1
+- Update to latest dnsmasq-2.66rc1
+- Dropping unneeded patches
+- Enable IDN support
+
+* Fri Mar 15 2013 Tomas Hozza <thozza@redhat.com> - 2.65-5
+- Allocate dhcp_buff-ers also if daemon->ra_contexts to prevent SIGSEGV (#920300)
+
+* Thu Jan 31 2013 Tomas Hozza <thozza@redhat.com> - 2.65-4
+- Handle locally-routed DNS Queries (#904940)
+
+* Thu Jan 24 2013 Tomas Hozza <thozza@redhat.com> - 2.65-3
+- build dnsmasq with $RPM_OPT_FLAGS, $RPM_LD_FLAGS explicitly (#903362) 
+
+* Tue Jan 22 2013 Tomas Hozza <thozza@redhat.com> - 2.65-2
+- Fix for CVE-2013-0198 (checking of TCP connection interfaces) (#901555)
+
+* Sat Dec 15 2012 Tomas Hozza <thozza@redhat.com> - 2.65-1
+- new version 2.65
+
+* Wed Dec 05 2012 Tomas Hozza <thozza@redhat.com> - 2.64-1
+- New version 2.64
+- Merged patches dropped
+
+* Tue Nov 20 2012 Tomas Hozza <thozza@redhat.com> - 2.63-4
+- Remove EnvironmentFile from service file (#878343)
+
+* Mon Nov 19 2012 Tomas Hozza <thozza@redhat.com> - 2.63-3
+- dhcp6 support fixes (#867054)
+- removed "-s $HOSTNAME" from .service file (#753656, #822797)
+
+* Tue Oct 23 2012 Tomas Hozza <thozza@redhat.com> - 2.63-2
+- Introduce new systemd-rpm macros in dnsmasq spec file (#850096)
+
+* Thu Aug 23 2012 Douglas Schilling Landgraf <dougsland@redhat.com> - 2.63-1
+- Use .tar.gz compression, in upstream site there is no .lzma anymore
+- New version 2.63
+
+* Sat Feb 11 2012 Pádraig Brady <P@draigBrady.com> - 2.59-5
+- Compile DHCP lease management utils with RPM_OPT_FLAGS
+
+* Thu Feb  9 2012 Pádraig Brady <P@draigBrady.com> - 2.59-4
+- Include DHCP lease management utils in a subpackage
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.59-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Fri Aug 26 2011 Douglas Schilling Landgraf <dougsland@redhat.com> - 2.59-2
+- do not enable service by default
+
+* Fri Aug 26 2011 Douglas Schilling Landgraf <dougsland@redhat.com> - 2.59-1
+- New version 2.59
+- Fix regression in 2.58 (IPv6 issue) - bz 744814
+
+* Fri Aug 26 2011 Douglas Schilling Landgraf <dougsland@redhat.com> - 2.58-1
+- Fixed License
+- New version 2.58
+
+* Mon Aug 08 2011 Patrick "Jima" Laughton <jima@fedoraproject.org> - 2.52-5
+- Include systemd unit file
+
+* Mon Aug 08 2011 Patrick "Jima" Laughton <jima@fedoraproject.org> - 2.52-3
+- Applied Jóhann's patch, minor cleanup
+
+* Tue Jul 26 2011 Jóhann B. Guðmundsson <johannbg@gmail.com> - 2.52-3
+- Introduce systemd unit file, drop SysV support
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.52-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Tue Jan 26 2010 Itamar Reis Peixoto <itamar@ispbrasil.com.br> - 2.52-1
+- New Version 2.52
+- fix condrestart() in initscript bz 547605
+- fix sed to enable DBUS(the '*' need some escaping) bz 553161
+
+* Sun Nov 22 2009 Itamar Reis Peixoto <itamar@ispbrasil.com.br> - 2.51-2
+- fix bz 512664
+
+* Sat Oct 17 2009 Itamar Reis Peixoto <itamar@ispbrasil.com.br> - 2.51-1
+- move initscript from patch to a plain text file
+- drop (dnsmasq-configuration.patch) and use sed instead
+- enable /etc/dnsmasq.d fix bz 526703
+- change requires to package name instead of file
+- new version 2.51
+
+* Mon Oct  5 2009 Mark McLoughlin <markmc@redhat.com> - 2.48-4
+- Fix multiple TFTP server vulnerabilities (CVE-2009-2957, CVE-2009-2958)
+
+* Wed Aug 12 2009 Ville Skyttä <ville.skytta@iki.fi> - 2.48-3
+- Use lzma compressed upstream tarball.
+
+* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.48-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Wed Jun 10 2009 Patrick "Jima" Laughton <jima@beer.tclug.org> 2.48-1
+- Bugfix/feature enhancement update
+- Fixing BZ#494094
+
+* Fri May 29 2009 Patrick "Jima" Laughton <jima@beer.tclug.org> 2.47-1
+- Bugfix/feature enhancement update
+
+* Tue Feb 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.46-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Mon Dec 29 2008 Matěj Cepl <mcepl@redhat.com> - 2.45-2
+- rebuilt
+
+* Mon Jul 21 2008 Patrick "Jima" Laughton <jima@beer.tclug.org> 2.45-1
+- Upstream release (bugfixes)
+
+* Wed Jul 16 2008 Patrick "Jima" Laughton <jima@beer.tclug.org> 2.43-2
+- New upstream release, contains fixes for CVE-2008-1447/CERT VU#800113
+- Dropped patch for newer glibc (merged upstream)
+
+* Wed Feb 13 2008 Patrick "Jima" Laughton <jima@beer.tclug.org> 2.41-0.8
+- Added upstream-authored patch for newer glibc (thanks Simon!)
+
+* Wed Feb 13 2008 Patrick "Jima" Laughton <jima@beer.tclug.org> 2.41-0.7
+- New upstream release
+
+* Wed Jan 30 2008 Patrick "Jima" Laughton <jima@beer.tclug.org> 2.41-0.6.rc1
+- Release candidate
+- Happy Birthday Isaac!
+
+* Wed Jan 23 2008 Patrick "Jima" Laughton <jima@beer.tclug.org> 2.41-0.5.test30
+- Bugfix update
+
+* Mon Dec 31 2007 Patrick "Jima" Laughton <jima@beer.tclug.org> 2.41-0.4.test26
+- Bugfix/feature enhancement update
+
+* Thu Dec 13 2007 Patrick "Jima" Laughton <jima@beer.tclug.org> 2.41-0.3.test24
+- Upstream fix for fairly serious regression
+
+* Tue Dec 04 2007 Patrick "Jima" Laughton <jima@beer.tclug.org> 2.41-0.2.test20
+- New upstream test release
+- Moving dnsmasq.leases to /var/lib/dnsmasq/ as per BZ#407901
+- Ignoring dangerous-command-in-%%post rpmlint warning (as per above fix)
+- Patch consolidation/cleanup
+- Removed conditionals for Fedora <= 3 and Aurora 2.0
+
+* Tue Sep 18 2007 Patrick "Jima" Laughton <jima@beer.tclug.org> 2.40-1
+- Finalized upstream release
+- Removing URLs from patch lines (CVS is the authoritative source)
+- Added more magic to make spinning rc/test packages more seamless
+
+* Sun Aug 26 2007 Patrick "Jima" Laughton <jima@beer.tclug.org> 2.40-0.1.rc2
+- New upstream release candidate (feature-frozen), thanks Simon!
+- License clarification
+
+* Tue May 29 2007 Patrick "Jima" Laughton <jima@beer.tclug.org> 2.39-1
+- New upstream version (bugfixes, enhancements)
+
+* Mon Feb 12 2007 Patrick "Jima" Laughton <jima@beer.tclug.org> 2.38-1
+- New upstream version with bugfix for potential hang
+
+* Tue Feb 06 2007 Patrick "Jima" Laughton <jima@beer.tclug.org> 2.37-1
+- New upstream version
+
+* Wed Jan 24 2007 Patrick "Jima" Laughton <jima@beer.tclug.org> 2.36-1
+- New upstream version
+
+* Mon Nov 06 2006 Patrick "Jima" Laughton <jima@beer.tclug.org> 2.35-2
+- Stop creating /etc/sysconfig on %%install
+- Create /etc/dnsmasq.d on %%install
+
+* Mon Nov 06 2006 Patrick "Jima" Laughton <jima@beer.tclug.org> 2.35-1
+- Update to 2.35
+- Removed UPGRADING_to_2.0 from %%doc as per upstream change
+- Enabled conf-dir in default config as per RFE BZ#214220 (thanks Chris!)
+- Added %%dir /etc/dnsmasq.d to %%files as per above RFE
+
+* Tue Oct 24 2006 Patrick "Jima" Laughton <jima@beer.tclug.org> 2.34-2
+- Fixed BZ#212005
+- Moved %%postun scriptlet to %%post, where it made more sense
+- Render scriptlets safer
+- Minor cleanup for consistency
+
+* Thu Oct 19 2006 Patrick "Jima" Laughton <jima@beer.tclug.org> 2.34-1
+- Hardcoded version in patches, as I'm getting tired of updating them
+- Update to 2.34
+
+* Mon Aug 28 2006 Patrick "Jima" Laughton <jima@beer.tclug.org> 2.33-2
+- Rebuild for FC6
+
+* Tue Aug 15 2006 Patrick "Jima" Laughton <jima@beer.tclug.org> 2.33-1
+- Update
+
+* Sat Jul 22 2006 Patrick "Jima" Laughton <jima@beer.tclug.org> 2.32-3
+- Added pkgconfig BuildReq due to reduced buildroot
+
+* Thu Jul 20 2006 Patrick "Jima" Laughton <jima@beer.tclug.org> 2.32-2
+- Forced update due to dbus version bump
+
+* Mon Jun 12 2006 Patrick "Jima" Laughton <jima@beer.tclug.org> 2.32-1
+- Update from upstream
+- Patch from Dennis Gilmore fixed the conditionals to detect Aurora Linux
+
+* Mon May  8 2006 Patrick "Jima" Laughton <jima@auroralinux.org> 2.31-1
+- Removed dbus config patch (now provided upstream)
+- Patched in init script (no longer provided upstream)
+- Added DBus-interface to docs
+
+* Tue May  2 2006 Patrick "Jima" Laughton <jima@auroralinux.org> 2.30-4.2
+- More upstream-recommended cleanups :)
+- Killed sysconfig file (provides unneeded functionality)
+- Tweaked init script a little more
+
+* Tue May  2 2006 Patrick "Jima" Laughton <jima@auroralinux.org> 2.30-4
+- Moved options out of init script and into /etc/sysconfig/dnsmasq
+- Disabled DHCP_LEASE in sysconfig file, fixing bug #190379
+- Simon Kelley provided dbus/dnsmasq.conf, soon to be part of the tarball
+
+* Thu Apr 27 2006 Patrick "Jima" Laughton <jima@auroralinux.org> 2.30-3
+- Un-enabled HAVE_ISC_READER, a hack to enable a deprecated feature (request)
+- Split initscript & enable-dbus patches, conditionalized dbus for FC3
+- Tweaked name field in changelog entries (trying to be consistent)
+
+* Mon Apr 24 2006 Patrick "Jima" Laughton <jima@auroralinux.org> 2.30-2
+- Disabled stripping of binary while installing (oops)
+- Enabled HAVE_ISC_READER/HAVE_DBUS via patch
+- Added BuildReq for dbus-devel
+
+* Mon Apr 24 2006 Patrick "Jima" Laughton <jima@auroralinux.org> 2.30-1
+- Initial Fedora Extras RPM