
[LEDE-DEV] dnsmasq: bump to 2.80test2

Message ID mailman.7540.1525691885.2282.lede-dev@lists.infradead.org
State Superseded

Commit Message

Michael Yartys via Lede-dev May 7, 2018, 11:18 a.m. UTC
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Refresh patches and backport:

Be persistent with broken-upstream-DNSSEC warnings.
Fix DHCP broken-ness when --no-ping AND --dhcp-sequential-ip are set.
Add logging for DNS error returns from upstream and local configuration.

Compile & run tested: ar71xx Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
---
 package/network/services/dnsmasq/Makefile          |   8 +-
 ...tent-with-broken-upstream-DNSSEC-warnings.patch |  26 +++
 ...oken-ness-when-no-ping-AND-dhcp-sequentia.patch |  35 ++++
 ...-for-DNS-error-returns-from-upstream-and-.patch | 184 +++++++++++++++++++++
 .../services/dnsmasq/patches/240-ubus.patch        |   8 +-
 5 files changed, 253 insertions(+), 8 deletions(-)
 create mode 100644 package/network/services/dnsmasq/patches/0001-Be-persistent-with-broken-upstream-DNSSEC-warnings.patch
 create mode 100644 package/network/services/dnsmasq/patches/0002-Fix-DHCP-broken-ness-when-no-ping-AND-dhcp-sequentia.patch
 create mode 100644 package/network/services/dnsmasq/patches/0003-Add-logging-for-DNS-error-returns-from-upstream-and-.patch

Patch

diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile
index b6502bf5d0..7fa61ad04f 100644
--- a/package/network/services/dnsmasq/Makefile
+++ b/package/network/services/dnsmasq/Makefile
@@ -8,12 +8,12 @@ 
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dnsmasq
-PKG_VERSION:=2.79
-PKG_RELEASE:=3
+PKG_VERSION:=2.80test2
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/
-PKG_HASH:=78ad74f5ca14fd85a8bac93f764cd9d60b27579e90eabd3687ca7b030e67861f
+PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/test-releases
+PKG_HASH:=e731666094699afcbad947f89f7f8afbf92e5ddc3c915459d4936159d81116f0
 
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
diff --git a/package/network/services/dnsmasq/patches/0001-Be-persistent-with-broken-upstream-DNSSEC-warnings.patch b/package/network/services/dnsmasq/patches/0001-Be-persistent-with-broken-upstream-DNSSEC-warnings.patch
new file mode 100644
index 0000000000..beeb15435c
--- /dev/null
+++ b/package/network/services/dnsmasq/patches/0001-Be-persistent-with-broken-upstream-DNSSEC-warnings.patch
@@ -0,0 +1,26 @@ 
+From f84e674d8aa2316fea8d2145a40fcef0441e3856 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Fri, 4 May 2018 16:29:57 +0100
+Subject: [PATCH 1/3] Be persistent with broken-upstream-DNSSEC warnings.
+
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+---
+ src/dnssec.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- a/src/dnssec.c
++++ b/src/dnssec.c
+@@ -876,12 +876,7 @@ int dnssec_validate_ds(time_t now, struc
+   
+   if (rc == STAT_INSECURE)
+     {
+-      static int reported = 0;
+-      if (!reported)
+-	{
+-	  reported = 1;
+-	  my_syslog(LOG_WARNING, _("Insecure DS reply received, do upstream DNS servers support DNSSEC?"));
+-	}
++      my_syslog(LOG_WARNING, _("Insecure DS reply received, do upstream DNS servers support DNSSEC?"));
+       rc = STAT_BOGUS;
+     }
+   
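Review bot: With the `reported` guard removed, the `my_syslog(LOG_WARNING, ...)` call in the `rc == STAT_INSECURE` branch runs for every insecure DS reply, so the warning rate is set by upstream responses and client query load rather than by the daemon. On a device with a small log buffer, a persistently misconfigured upstream could push unrelated entries out of the log. A time-based limit would keep the warning persistent without letting it flood: `static time_t last_warn;` and `if (!last_warn || difftime(now, last_warn) >= 60) { last_warn = now; my_syslog(...); }`, where `now` is the function's existing parameter and 60 seconds is only an illustrative interval. The body of dnssec_validate_ds starts and ends outside the hunk.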
diff --git a/package/network/services/dnsmasq/patches/0002-Fix-DHCP-broken-ness-when-no-ping-AND-dhcp-sequentia.patch b/package/network/services/dnsmasq/patches/0002-Fix-DHCP-broken-ness-when-no-ping-AND-dhcp-sequentia.patch
new file mode 100644
index 0000000000..eb15113857
--- /dev/null
+++ b/package/network/services/dnsmasq/patches/0002-Fix-DHCP-broken-ness-when-no-ping-AND-dhcp-sequentia.patch
@@ -0,0 +1,35 @@ 
+From 0669ee7a69a004ce34fed41e50aa575f8e04427b Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Fri, 4 May 2018 16:46:24 +0100
+Subject: [PATCH 2/3] Fix DHCP broken-ness when --no-ping AND
+ --dhcp-sequential-ip are set.
+
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+---
+ CHANGELOG  | 3 ++-
+ src/dhcp.c | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -14,7 +14,8 @@ version 2.80
+         when the upstream namesevers do not support DNSSEC, and in this
+         case no DNSSEC validation at all is occuring.
+ 
+-
++        Fix DHCP broken-ness when --no-ping AND --dhcp-sequential-ip
++	are set. Thanks to Daniel Miess for help with this.
+ 
+ 
+ version 2.79
+--- a/src/dhcp.c
++++ b/src/dhcp.c
+@@ -678,7 +678,7 @@ struct ping_result *do_icmp_ping(time_t
+   if ((count >= max) || option_bool(OPT_NO_PING) || loopback)
+     {
+       /* overloaded, or configured not to check, loopback interface, return "not in use" */
+-      dummy.hash = 0;
++      dummy.hash = hash;
+       return &dummy;
+     }
+   else if (icmp_ping(addr))
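Review bot: The early-return branch at `dummy.hash = hash;` has no comment saying why the placeholder result must carry the caller's hash, and the existing comment only says it returns "not in use". Presumably the caller compares the returned hash with the requesting client's to decide whether the address may be handed out, which would explain why a hash of 0 broke allocation; the caller is outside the hunk, so that should be confirmed. I would extend the comment to something like `/* ...return "not in use"; carry the caller's hash so the result is attributed to the requesting client */`. The same branch is also taken when `count >= max`, so the comment could state that the in-use check is skipped under load as well as with --no-ping.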
diff --git a/package/network/services/dnsmasq/patches/0003-Add-logging-for-DNS-error-returns-from-upstream-and-.patch b/package/network/services/dnsmasq/patches/0003-Add-logging-for-DNS-error-returns-from-upstream-and-.patch
new file mode 100644
index 0000000000..638d576ce2
--- /dev/null
+++ b/package/network/services/dnsmasq/patches/0003-Add-logging-for-DNS-error-returns-from-upstream-and-.patch
@@ -0,0 +1,184 @@ 
+From 07ed585c38d8f7c0a18470d2e79cf46ea92ea96a Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Fri, 4 May 2018 21:52:22 +0100
+Subject: [PATCH 3/3] Add logging for DNS error returns from upstream and local
+ configuration.
+
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+---
+ src/cache.c   | 13 +++++++++++++
+ src/dnsmasq.h |  7 ++++++-
+ src/forward.c | 25 +++++++++++++++++++------
+ src/rfc1035.c | 19 ++++++++++++++-----
+ 4 files changed, 52 insertions(+), 12 deletions(-)
+
+--- a/src/cache.c
++++ b/src/cache.c
+@@ -1598,6 +1598,19 @@ void log_query(unsigned int flags, char
+     {
+       if (flags & F_KEYTAG)
+ 	sprintf(daemon->addrbuff, arg, addr->addr.log.keytag, addr->addr.log.algo, addr->addr.log.digest);
++      else if (flags & F_RCODE)
++	{
++	  unsigned int rcode = addr->addr.rcode.rcode;
++
++	   if (rcode == SERVFAIL)
++	     dest = "SERVFAIL";
++	   else if (rcode == REFUSED)
++	     dest = "REFUSED";
++	   else if (rcode == NOTIMP)
++	     dest = "not implemented";
++	   else
++	     sprintf(daemon->addrbuff, "%u", rcode);
++	}
+       else
+ 	{
+ #ifdef HAVE_IPV6
+--- a/src/dnsmasq.h
++++ b/src/dnsmasq.h
+@@ -268,7 +268,11 @@ struct all_addr {
+     /* for log_query */
+     struct {
+       unsigned short keytag, algo, digest;
+-    } log; 
++    } log;
++    /* for log_query */
++    struct {
++      unsigned int rcode;
++    } rcode;
+     /* for cache_insert of DNSKEY, DS */
+     struct {
+       unsigned short class, type;
+@@ -459,6 +463,7 @@ struct crec {
+ #define F_IPSET     (1u<<26)
+ #define F_NOEXTRA   (1u<<27)
+ #define F_SERVFAIL  (1u<<28)
++#define F_RCODE     (1u<<29)
+ 
+ /* Values of uid in crecs with F_CONFIG bit set. */
+ #define SRC_INTERFACE 0
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -563,6 +563,7 @@ static size_t process_reply(struct dns_h
+   unsigned char *pheader, *sizep;
+   char **sets = 0;
+   int munged = 0, is_sign;
++  unsigned int rcode = RCODE(header);
+   size_t plen; 
+   
+   (void)ad_reqd;
+@@ -593,6 +594,9 @@ static size_t process_reply(struct dns_h
+   
+   if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign, NULL)))
+     {
++      /* Get extended RCODE. */
++      rcode |= sizep[2] << 4;
++
+       if (check_subnet && !check_source(header, plen, pheader, query_source))
+ 	{
+ 	  my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
+@@ -641,11 +645,20 @@ static size_t process_reply(struct dns_h
+   if (!is_sign && !option_bool(OPT_DNSSEC_PROXY))
+      header->hb4 &= ~HB4_AD;
+   
+-  if (OPCODE(header) != QUERY || (RCODE(header) != NOERROR && RCODE(header) != NXDOMAIN))
++  if (OPCODE(header) != QUERY)
+     return resize_packet(header, n, pheader, plen);
++
++  if (rcode != NOERROR && rcode != NXDOMAIN)
++    {
++      struct all_addr a;
++      a.addr.rcode.rcode = rcode;
++      log_query(F_UPSTREAM | F_RCODE, "error", &a, NULL);
++      
++      return resize_packet(header, n, pheader, plen);
++    }
+   
+   /* Complain loudly if the upstream server is non-recursive. */
+-  if (!(header->hb4 & HB4_RA) && RCODE(header) == NOERROR &&
++  if (!(header->hb4 & HB4_RA) && rcode == NOERROR &&
+       server && !(server->flags & SERV_WARNED_RECURSIVE))
+     {
+       prettyprint_addr(&server->addr, daemon->namebuff);
+@@ -654,7 +667,7 @@ static size_t process_reply(struct dns_h
+ 	server->flags |= SERV_WARNED_RECURSIVE;
+     }  
+ 
+-  if (daemon->bogus_addr && RCODE(header) != NXDOMAIN &&
++  if (daemon->bogus_addr && rcode != NXDOMAIN &&
+       check_for_bogus_wildcard(header, n, daemon->namebuff, daemon->bogus_addr, now))
+     {
+       munged = 1;
+@@ -666,7 +679,7 @@ static size_t process_reply(struct dns_h
+     {
+       int doctored = 0;
+       
+-      if (RCODE(header) == NXDOMAIN && 
++      if (rcode == NXDOMAIN && 
+ 	  extract_request(header, n, daemon->namebuff, NULL) &&
+ 	  check_for_local_domain(daemon->namebuff, now))
+ 	{
+@@ -1090,7 +1103,7 @@ void reply_query(int fd, int family, tim
+ 	      if (status == STAT_BOGUS && extract_request(header, n, daemon->namebuff, NULL))
+ 		domain = daemon->namebuff;
+ 	      
+-	      log_query(F_KEYTAG | F_SECSTAT, domain, NULL, result);
++	      log_query(F_SECSTAT, domain, NULL, result);
+ 	    }
+ 	  
+ 	  if (status == STAT_SECURE)
+@@ -1948,7 +1961,7 @@ unsigned char *tcp_request(int confd, ti
+ 			  if (status == STAT_BOGUS && extract_request(header, m, daemon->namebuff, NULL))
+ 			    domain = daemon->namebuff;
+ 
+-			  log_query(F_KEYTAG | F_SECSTAT, domain, NULL, result);
++			  log_query(F_SECSTAT, domain, NULL, result);
+ 			  
+ 			  if (status == STAT_BOGUS)
+ 			    {
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -926,12 +926,11 @@ unsigned int extract_request(struct dns_
+   return F_QUERY;
+ }
+ 
+-
+ size_t setup_reply(struct dns_header *header, size_t qlen,
+ 		struct all_addr *addrp, unsigned int flags, unsigned long ttl)
+ {
+   unsigned char *p;
+-
++  
+   if (!(p = skip_questions(header, qlen)))
+     return 0;
+   
+@@ -948,7 +947,12 @@ size_t setup_reply(struct dns_header *he
+   else if (flags == F_NXDOMAIN)
+     SET_RCODE(header, NXDOMAIN);
+   else if (flags == F_SERVFAIL)
+-    SET_RCODE(header, SERVFAIL);
++    {
++      struct all_addr a;
++      a.addr.rcode.rcode = SERVFAIL;
++      log_query(F_CONFIG | F_RCODE, "error", &a, NULL);
++      SET_RCODE(header, SERVFAIL);
++    }
+   else if (flags == F_IPV4)
+     { /* we know the address */
+       SET_RCODE(header, NOERROR);
+@@ -966,8 +970,13 @@ size_t setup_reply(struct dns_header *he
+     }
+ #endif
+   else /* nowhere to forward to */
+-    SET_RCODE(header, REFUSED);
+- 
++    {
++      struct all_addr a;
++      a.addr.rcode.rcode = REFUSED;
++      log_query(F_CONFIG | F_RCODE, "error", &a, NULL);
++      SET_RCODE(header, REFUSED);
++    }
++  
+   return p - (unsigned char *)header;
+ }
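Review bot: In process_reply, `rcode |= sizep[2] << 4;` does more than feed the new log line, because every later test (`rcode != NOERROR && rcode != NXDOMAIN`, `rcode == NXDOMAIN`, the non-recursive warning) now uses the combined 12-bit value instead of `RCODE(header)`. A reply whose header RCODE is NOERROR or NXDOMAIN but whose OPT record carries non-zero extended bits is therefore now returned early as an error, a control-flow change on upstream-supplied data that the commit subject ("Add logging") does not mention. That is probably the intended handling, but it deserves a comment at the assignment, for example `/* Extended RCODE from the OPT record; from here on rcode, not RCODE(header), decides whether the reply is an error. */`. Separately, all three new `log_query(..., "error", &a, NULL)` calls pass a fixed name, so the logged line appears not to identify which query failed; if the query name is available at those points, passing it would make the entries more useful for troubleshooting. Both process_reply and setup_reply extend beyond the visible hunks.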
+ 
diff --git a/package/network/services/dnsmasq/patches/240-ubus.patch b/package/network/services/dnsmasq/patches/240-ubus.patch
index 415c7a5e4c..318b13110d 100644
--- a/package/network/services/dnsmasq/patches/240-ubus.patch
+++ b/package/network/services/dnsmasq/patches/240-ubus.patch
@@ -74,7 +74,7 @@ 
  int main (int argc, char **argv)
  {
    int bind_fallback = 0;
-@@ -928,6 +988,7 @@ int main (int argc, char **argv)
+@@ -931,6 +991,7 @@ int main (int argc, char **argv)
        set_dbus_listeners();
  #endif	
    
@@ -82,7 +82,7 @@ 
  #ifdef HAVE_DHCP
        if (daemon->dhcp || daemon->relay4)
  	{
-@@ -1058,6 +1119,8 @@ int main (int argc, char **argv)
+@@ -1061,6 +1122,8 @@ int main (int argc, char **argv)
        check_dbus_listeners();
  #endif
        
@@ -104,7 +104,7 @@ 
  mostly_clean :
 --- a/src/dnsmasq.h
 +++ b/src/dnsmasq.h
-@@ -1415,6 +1415,8 @@ void emit_dbus_signal(int action, struct
+@@ -1421,6 +1421,8 @@ void emit_dbus_signal(int action, struct
  #  endif
  #endif
  
@@ -115,7 +115,7 @@ 
  void ipset_init(void);
 --- a/src/rfc2131.c
 +++ b/src/rfc2131.c
-@@ -1621,6 +1621,10 @@ static void log_packet(char *type, void
+@@ -1636,6 +1636,10 @@ static void log_packet(char *type, void
  	      daemon->namebuff,
  	      string ? string : "",
  	      err ? err : "");