Update to 2.81 (#1823139)

This commit is contained in:
Petr Menšík 2020-04-16 21:13:46 +02:00
parent 8cb7aff90a
commit e8e451a80c
4 changed files with 10 additions and 98 deletions

.gitignore vendored

@ -30,3 +30,5 @@ dnsmasq-2.52.tar.lzma
/dnsmasq-2.80.tar.xz
/dnsmasq-2.81rc3.tar.xz
/dnsmasq-2.81rc3.tar.xz.asc
/dnsmasq-2.81.tar.xz
/dnsmasq-2.81.tar.xz.asc


@ -1,91 +0,0 @@
From bb7adef44c20e4271b0b8a6e55dac4e986c02fef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Fri, 12 Apr 2019 15:29:00 +0200
Subject: [PATCH] Restore ability to answer non-recursive requests
Instead, check only local configured entries are answered without
rdbit set. All cached replies are still denied, but locally configured
names are available with both recursion and without it.
Fixes commit 4139298d287eb5c57f4aa53c459cb02fc5be2495 unintended
behaviour.
(cherry-picked from 29ae3083981ea82f535f77ea54bbd538f1224a9e)
---
src/rfc1035.c | 23 ++++++++++++++---------
1 file changed, 14 insertions(+), 9 deletions(-)
diff --git a/src/rfc1035.c b/src/rfc1035.c
index a943ecb..74befef 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -1273,7 +1273,11 @@ static unsigned long crec_ttl(struct crec *crecp, time_t now)
else
return daemon->max_ttl;
}
-
+
+static int cache_validated(const struct crec *crecp)
+{
+ return (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK));
+}
/* return zero if we can't answer from cache, or packet size if we can */
size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
@@ -1292,17 +1296,20 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
int nxdomain = 0, auth = 1, trunc = 0, sec_data = 1;
struct mx_srv_record *rec;
size_t len;
+ int rd_bit;
+
// Make sure we do not underflow here too.
if (qlen > (limit - ((char *)header))) return 0;
/* never answer queries with RD unset, to avoid cache snooping. */
- if (!(header->hb3 & HB3_RD) ||
- ntohs(header->ancount) != 0 ||
+ if (ntohs(header->ancount) != 0 ||
ntohs(header->nscount) != 0 ||
ntohs(header->qdcount) == 0 ||
OPCODE(header) != QUERY )
return 0;
+ rd_bit = (header->hb3 & HB3_RD);
+
/* Don't return AD set if checking disabled. */
if (header->hb4 & HB4_CD)
sec_data = 0;
@@ -1467,9 +1474,8 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
/* Don't use cache when DNSSEC data required, unless we know that
the zone is unsigned, which implies that we're doing
validation. */
- if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
- !do_bit ||
- (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
+ if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
+ (rd_bit && (!do_bit || cache_validated(crecp)) ))
{
do
{
@@ -1666,8 +1672,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
/* If the client asked for DNSSEC don't use cached data. */
if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
- !do_bit ||
- (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
+ (rd_bit && (!do_bit || cache_validated(crecp)) ))
do
{
/* don't answer wildcard queries with data not from /etc/hosts
@@ -1751,7 +1756,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
{
if ((crecp = cache_find_by_name(NULL, name, now, F_CNAME | (dryrun ? F_NO_RR : 0))) &&
(qtype == T_CNAME || (crecp->flags & F_CONFIG)) &&
- ((crecp->flags & F_CONFIG) || !do_bit || (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK))))
+ ((crecp->flags & F_CONFIG) || (rd_bit && (!do_bit || (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK))))))
{
if (!(crecp->flags & F_DNSSECOK))
sec_data = 0;
--
2.21.1


@ -1,5 +1,5 @@
%define testrelease 0
%define releasecandidate 3
%define releasecandidate 0
%if 0%{testrelease}
%define extrapath test-releases/
%define extraversion test%{testrelease}
@ -13,7 +13,7 @@
Name: dnsmasq
Version: 2.81
Release: 1%{?extraversion:.%{extraversion}}%{?dist}
Release: 2%{?extraversion:.%{extraversion}}%{?dist}
Summary: A lightweight DHCP/caching DNS server
License: GPLv2 or GPLv3
@ -35,9 +35,6 @@ Patch3: dnsmasq-2.78-fips.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1728701
Patch7: dnsmasq-2.80-rh1728701.patch
Patch9: dnsmasq-2.80-SIOCGSTAMP.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1647464
# http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=29ae3083981ea82f535f77ea54bbd538f1224a9e
Patch15: dnsmasq-2.81-restore-ability-to-answer-non-recursive-requests.patch
# This is workaround to nettle bug #1549190
# https://bugzilla.redhat.com/show_bug.cgi?id=1549190
@ -174,8 +171,12 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf
%{_mandir}/man1/dhcp_*
%changelog
* Thu Apr 16 2020 Petr Menšík <pemensik@redhat.com> - 2.81-2
- Update to 2.81 (#1823139)
* Mon Mar 23 2020 Petr Menšík <pemensik@redhat.com> - 2.81-1.rc3
- Update to 2.81rc3
* Mon Mar 23 2020 Petr Menšík <pemensik@redhat.com> - 2.80-14
- Fix last build breakage of DNS (#1814468)
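Review bot: Dropping the `Patch15:` line and its two comment lines leaves the spec with no record of why the patch went away; the new changelog entry for 2.81-2 says only `- Update to 2.81 (#1823139)`. The deleted patch file in this same commit describes itself as cherry-picked from upstream 29ae3083, so presumably 2.81 already ships that change and the patch is redundant, but that is worth confirming against the 2.81 tarball before removing it, because this patch is what relaxes the "never answer queries with RD unset" cache-snooping guard for locally configured names. I would add a changelog line under 2.81-2 such as `- Drop dnsmasq-2.81-restore-ability-to-answer-non-recursive-requests.patch, included upstream (29ae3083)`. The bugzilla reference `# https://bugzilla.redhat.com/show_bug.cgi?id=1647464` also disappears with the patch, so the bug-to-fix trace now lives only in git history unless the changelog mentions it.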

View File

@ -1,2 +1,2 @@
SHA512 (dnsmasq-2.81rc3.tar.xz) = 2bac2e01550c58f86c5f4be772eaeea59cc0c88531d425797efeedf146991d8d9ed0fe53977e6e6263b63f7441aafd90ccc3e64057e9a0959d7af15850bb05f1
SHA512 (dnsmasq-2.81rc3.tar.xz.asc) = 9835b94f919d8750b667dc92584b5634e5dbd5e672f3337946d4ed5541a26358cbabf04dff4ae6f5ba380d4170889252587dbc704b9b40f56c86440e8b157264
SHA512 (dnsmasq-2.81.tar.xz) = 85550c9782fef9b0710d0e233523ed1fe26e877a8bc53fcea3f7cf1fb17c3a79c46f284a99dab2bdaf6a107ea3f1a71cec476ab6d4e1b936da6591aaef42c88e
SHA512 (dnsmasq-2.81.tar.xz.asc) = 8f102efb3f9ccf5509db60e81ef9fe2515cd4813dafdc7bb24a8f3246a3ededd62ca37171abbba3ef5b547313d344778d922ab8fd91bacd6351f4ab73ced74ef