"Fossies" - the Fresh Open Source Software Archive

Member "dnsmasq-2.85/CHANGELOG" (7 Apr 2021, 103369 Bytes) of package /linux/misc/dns/dnsmasq-2.85.tar.xz:



    1 version 2.85
    2         Fix problem with DNS retries in 2.83/2.84.
    3         The new logic in 2.83/2.84 which merges distinct requests
    4 	for the same domain causes problems with clients which do
    5 	retries as distinct requests (differing IDs and/or source ports.)
    6 	The retries just get piggy-backed on the first, failed, request.
    7         The logic is now changed so that distinct requests for repeated
    8         queries still get merged into a single ID/source port, but
    9 	they now always trigger a re-try upstream.
   10         Thanks to Nicholas Mu for his analysis.
   11 
   12 	Tweak sort order of tags in get-version. v2.84 sorts
   13 	before v2.83, but v2.83 sorts before v2.83rc1 and 2.83rc1
   14 	sorts before v2.83test1. This fixes the problem which led
   15 	to 2.84 announcing itself as 2.84rc2.
   16 
   17  	Avoid treating a --dhcp-host which has an IPv6 address
   18 	as eligible for use with DHCPv4 on the grounds that it has
   19 	no address, and vice-versa. Thanks to Viktor Papp for
   20 	spotting the problem. (This bug was fixed back in 2.67, and
   21 	then regressed in 2.81).
   22 
   23 	Add --dynamic-host option: A and AAAA records which take their
   24 	network part from the network of a local interface. Useful
   25 	for routers with dynamic prefixes. Thanks
   26 	to Fred F for the suggestion.
   27 
   28 	Teach --bogus-nxdomain and --ignore-address to take an IPv4 subnet.
   29 
   30 	Use random source ports where possible if source
   31 	addresses/interfaces are in use.
   32 	CVE-2021-3448 applies. Thanks to Petr Menšík for spotting this.
   33 	It's possible to specify the source address or interface to be
   34 	used when contacting upstream name servers: server=8.8.8.8@1.2.3.4
   35 	or server=8.8.8.8@1.2.3.4#66 or server=8.8.8.8@eth0, and all of
   36 	these have, until now, used a single socket, bound to a fixed
   37 	port. This was originally done to allow an error (non-existent
   38 	interface, or non-local address) to be detected at start-up. This
   39 	means that any upstream servers specified in such a way don't use
   40 	random source ports, and are more susceptible to cache-poisoning
   41 	attacks.
   42 	We now use random ports where possible, even when the
   43 	source is specified, so server=8.8.8.8@1.2.3.4 or
   44 	server=8.8.8.8@eth0 will use random source
   45 	ports. server=8.8.8.8@1.2.3.4#66 or any use of --query-port will
   46 	use the explicitly configured port, and should only be done with
   47 	understanding of the security implications.
   48 	Note that this change changes non-existing interface, or non-local
   49 	source address errors from fatal to run-time. The error will be
   50 	logged and communication with the server will not be possible.
   51 
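A configuration check for the fixed-source-port cases described in the entry above, as an added example that is not part of dnsmasq or its changelog. The sample configuration is constructed, the helper names are hypothetical, and the `/domain/` selector and the `#port` on the upstream address are assumed from the dnsmasq man page rather than from this page.

```python
"""Flag dnsmasq upstream settings that pin DNS queries to a fixed source port."""
import re

# Constructed sample configuration, using the addresses quoted in the changelog.
SAMPLE_CONF = """\
# upstream resolvers
server=8.8.8.8
server=8.8.8.8@1.2.3.4
server=8.8.8.8@eth0
server=8.8.8.8@1.2.3.4#66
server=/example.com/9.9.9.9#5353@eth0
query-port=5300
min-port=1024
"""

# "option" or "option=value", with an optional leading "--" as on the command line.
OPTION_RE = re.compile(r"^(?:--)?([a-z0-9-]+)\s*(?:=\s*(.*))?$")


def parse_server(value):
    """Split a server= value into (upstream, source, source_port).

    Everything after '@' is the source address or interface; a '#<port>' on
    that part is the fixed source port. A '#<port>' before the '@' belongs to
    the upstream server and is not a source port.
    """
    # Drop any leading /domain/ selectors: the spec follows the last '/'.
    spec = value.rsplit("/", 1)[-1] if value.startswith("/") else value
    upstream, _, source = spec.partition("@")
    source, _, port = source.partition("#")
    return upstream, (source or None), (int(port) if port.isdigit() else None)


def audit(conf_text):
    """Return (line_no, option, finding) for each fixed-source-port setting."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or whole-line comment
        match = OPTION_RE.match(line)
        if not match:
            continue
        option, value = match.group(1), (match.group(2) or "").strip()
        if option == "query-port":
            # Per the changelog, any use of --query-port selects an explicit port.
            findings.append((line_no, option,
                             f"all upstream queries use source port {value}"))
        elif option == "server":
            upstream, source, port = parse_server(value)
            if port is not None:
                findings.append((line_no, option,
                                 f"{upstream} via {source} pinned to source port {port}"))
    return findings


if __name__ == "__main__":
    for line_no, option, finding in audit(SAMPLE_CONF):
        print(f"line {line_no}: {option}: {finding}")
```
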
   52 	Change the method of allocation of random source ports for DNS.
   53 	Previously, without min-port or max-port configured, dnsmasq would
   54 	default to the compiled in defaults for those, which are 1024 and
   55 	65535. Now, when neither are configured, it defaults instead to
   56 	the kernel's ephemeral port range, which is typically
   57 	32768 to 60999 on Linux systems. This change eliminates the
   58 	possibility that dnsmasq may be using a registered port > 1024
   59 	when a long-running daemon starts up and wishes to claim it.
   60 	This change does likely slightly reduce the number of random ports
   61 	and therefore the protection from reply spoofing. The older
   62 	behaviour can be restored using the min-port and max-port config
   63 	switches should that be a concern.
   64 
   65 	Scale the size of the DNS random-port pool based on the
   66 	value of the --dns-forward-max configuration.
   67 
   68 	Tweak TFTP code to check sender of all received packets, as
   69 	specified in RFC 1350 para 4.
   70 
   71 	
   72 version 2.84
   73 	Fix a problem, introduced in 2.83, which could see DNS replies
   74 	being sent via the wrong socket. On machines running both
   75 	IPv4 and IPv6 this could result in sporadic messages of
   76 	the form "failed to send packet: Network is unreachable" and
   77 	the loss of the query. Since the error is sporadic and of
   78 	low probability, the client retry would normally succeed.
   79 
   80 	Change HAVE_NETTLEHASH compile-time to HAVE_CRYPTOHASH.
   81 
   82 
   83 version 2.83
   84 	Use the values of --min-port and --max-port in outgoing
   85 	TCP connections to upstream DNS servers.
   86 
   87 	Fix a remote buffer overflow problem in the DNSSEC code. Any
   88 	dnsmasq with DNSSEC compiled in and enabled is vulnerable to this,
   89 	referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683 and
   90 	CVE-2020-25687.
   91 
   92 	Be sure to only accept UDP DNS query replies at the address
   93 	from which the query was originated. This keeps as much entropy
   94 	in the {query-ID, random-port} tuple as possible, to help defeat
   95 	cache poisoning attacks. Refer: CVE-2020-25684.
   96 
   97 	Use the SHA-256 hash function to verify that DNS answers
   98 	received are for the questions originally asked. This replaces
   99 	the slightly insecure SHA-1 (when compiled with DNSSEC) or
  100 	the very insecure CRC32 (otherwise). Refer: CVE-2020-25685.
  101 
  102 	Handle multiple identical near simultaneous DNS queries better.
  103 	Previously, such queries would all be forwarded
  104 	independently. This is, in theory, inefficient but in practice
  105 	not a problem, _except_ that it means that an answer for any
  106 	of the forwarded queries will be accepted and cached.
  107 	An attacker can send a query multiple times, and for each repeat,
  108 	another {port, ID} becomes capable of accepting the answer he is
  109 	sending in the blind, to random IDs and ports. The chance of a
  110 	successful attack is therefore multiplied by the number of repeats
  111 	of the query. The new behaviour detects repeated queries and
  112 	merely stores the clients sending repeats so that when the
  113 	first query completes, the answer can be sent to all the
  114 	clients who asked. Refer: CVE-2020-25686.
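The arithmetic behind this entry and behind the 2.85 note on source-port allocation, as an added example that is not part of dnsmasq or its changelog. It assumes a blind spoofer whose forged replies carry uniformly random IDs and ports, one distinct {port, ID} per outstanding query, and a constructed repeat count of 100; the port ranges are the ones quoted in the changelog, and the function names are hypothetical.

```python
"""Guessing space of the {query-ID, source-port} tuple under the changelog's settings."""
import math

ID_SPACE = 2 ** 16  # DNS query IDs are 16 bits

# Port ranges quoted in the changelog.
COMPILED_DEFAULT = (1024, 65535)   # default before 2.85 when min-port/max-port unset
LINUX_EPHEMERAL = (32768, 60999)   # typical kernel range, the 2.85 default
FIXED_PORT = (66, 66)              # server=8.8.8.8@1.2.3.4#66 or --query-port


def port_count(port_range):
    """Number of source ports available in an inclusive (low, high) range."""
    low, high = port_range
    return high - low + 1


def entropy_bits(port_range):
    """Bits of unpredictability in one outstanding {port, ID} tuple."""
    return math.log2(port_count(port_range) * ID_SPACE)


def match_probability(port_range, outstanding=1):
    """Chance that a single forged reply matches any outstanding query.

    Each outstanding copy of the query adds one acceptable {port, ID}, so the
    chance scales with the number of copies (the effect fixed in 2.83).
    """
    return min(1.0, outstanding / (port_count(port_range) * ID_SPACE))


def replies_for(probability, target=0.5):
    """Forged replies needed before the cumulative chance reaches `target`.

    Solves 1 - (1 - p)^n >= target for n, using log1p for very small p.
    """
    if probability >= 1.0:
        return 1
    return math.ceil(math.log1p(-target) / math.log1p(-probability))


def compare(repeats):
    """Tabulate each port setting with merged (1) and unmerged (`repeats`) queries."""
    settings = (
        ("fixed port", FIXED_PORT),
        ("kernel ephemeral range", LINUX_EPHEMERAL),
        ("compiled-in range", COMPILED_DEFAULT),
    )
    rows = {}
    for name, port_range in settings:
        rows[name] = {
            "bits": entropy_bits(port_range),
            "merged": replies_for(match_probability(port_range, 1)),
            "unmerged": replies_for(match_probability(port_range, repeats)),
        }
    return rows


if __name__ == "__main__":
    REPEATS = 100  # constructed number of repeated queries
    for name, row in compare(REPEATS).items():
        print(f"{name:24s} {row['bits']:5.2f} bits  "
              f"replies for 50%: merged={row['merged']:,} "
              f"unmerged x{REPEATS}={row['unmerged']:,}")
```

Under this model a fixed source port leaves only the 16-bit ID, and moving from the compiled-in range to the kernel ephemeral range costs a little over one bit, which is the reduction the 2.85 note says can be undone with min-port and max-port.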
  115 	
  116 
  117 version 2.82
  118 	Improve behaviour in the face of network interfaces which come
  119 	and go and change index. Thanks to Petr Mensik for the patch.
  120 
  121 	Convert hard startup failure on NETLINK_NO_ENOBUFS under qemu-user
  122 	to a warning.
  123 
  124 	Allow IPv6 addresses of the form [::ffff:1.2.3.4] in --dhcp-option.
  125 
  126 	Fix crash under heavy TCP connection load introduced in 2.81.
  127 	Thanks to Frank for good work chasing this down.
  128 
  129 	Change default lease time for DHCPv6 to one day.
  130 
  131 	Alter calculation of preferred and valid times in router
  132 	advertisements, so that these do not have a floor applied
  133 	of the lease time in the dhcp-range if this is not explicitly
  134 	specified and is merely the default.
  135 	Thanks to Martin-Éric Racine for suggestions on this.
  136 
  137 	
  138 version 2.81
  139 	Improve cache behaviour for TCP connections. For ease of
  140 	implementation, dnsmasq has always forked a new process to handle
  141 	each incoming TCP connection. A side-effect of this is that
  142 	any DNS queries answered from TCP connections are not cached:
  143 	when TCP connections were rare, this was not a problem.
  144 	With the coming of DNSSEC, it is now the case that some
  145 	DNSSEC queries have answers which spill to TCP, and if,
  146 	for instance, this applies to the keys for the root, then
  147 	those never get cached, and performance is very bad.
  148 	This fix passes cache entries back from the TCP child process to
  149 	the main server process, and fixes the problem.
  150 
  151 	Remove the NO_FORK compile-time option, and support for uclinux.
  152 	In an era where everything has an MMU, this looks like
  153 	an anachronism, and it adds to (Ok, multiplies!) the
  154 	combinatorial explosion of compile-time options. Thanks to
  155 	Kevin Darbyshire-Bryant for the patch.
  156 
  157 	Fix line-counting when reading /etc/hosts and friends; for
  158 	correct error messages. Thanks to Christian Rosentreter
  159 	for reporting this.
  160 
  161 	Fix bug in DNS non-terminal code, added in 2.80, which could
  162 	sometimes cause a NODATA rather than an NXDOMAIN reply.
  163 	Thanks to Norman Rasmussen, Sven Mueller and Maciej Żenczykowski
  164 	for spotting and diagnosing the bug and providing patches.
  165 
  166 	Support TCP-fastopen (RFC-7413) on both incoming and
  167 	outgoing TCP connections, if supported and enabled in the OS.
  168 
  169 	Improve kernel-capability manipulation code under Linux. Dnsmasq
  170 	now fails early if a required capability is not available, and
  171 	tries not to request capabilities not required by its
  172 	configuration.
  173 
  174 	Add --shared-network config. This enables allocation of addresses
  175 	by the DHCP server in subnets where the server (or relay) does not
  176 	have an interface on the network in that subnet. Many thanks to
  177 	kamp.de for sponsoring this feature.
  178 	
  179 	Fix broken contrib/lease_tools/dhcp_lease_time.c. A packet
  180 	validation check got borked in commit 2b38e382 and release 2.80.
  181 	Thanks to Tomasz Szajner for spotting this.
  182 
  183 	Fix compilation against nettle version 3.5 and later.
  184 
  185 	Fix spurious DNSSEC validation failures when the auth section
  186 	of a reply contains unsigned RRs from a signed zone, 
  187 	with the exception that NSEC and NSEC3 RRs must always be signed.
  188         Thanks to Tore Anderson for spotting and diagnosing the bug.
  189 
  190 	Add --dhcp-ignore-clid. This disables reading of DHCP client
  191 	identifier option (option 61), so clients are only identified by
  192 	MAC addresses.
  193 
  194 	Fix a bug which stopped --dhcp-name-match from working when a hostname
  195 	is supplied in --dhcp-host. Thanks to James Feeney for spotting this.
  196 
  197 	Fix bug which very rarely caused zero-length DHCPv6 packets.
  198 	Thanks to Dereck Higgins for spotting this.
  199 
  200 	Add --tftp-single-port option.
  201 
  202 	Enhance --conf-dir to load files in a deterministic order. Thanks to
  203 	Evgenii Seliavka for the suggestion and initial patch.
  204 
  205 	In the router advert code, handle case where we have two
  206 	different interfaces on the same IPv6 net, and we are doing
  207 	RA/DHCP service on only one of them. Thanks to NIIBE Yutaka
  208 	for spotting this case and making the initial patch.
  209 
  210 	Support prefixed ranges of ipv6 addresses in dhcp-host.
  211 	This eases problems chain-netbooting, where each link in the
  212 	chain requests an address using a different UID. With a single
  213 	address, only one gets the "static" address, but with this
  214 	fix, enough addresses can be reserved for all the stages of the
  215 	boot. Many thanks to Harald Jensås for his work on this idea and
  216 	earlier patches.
  217 
  218 	Add filtering by tag of --dhcp-host directives. Based on a patch
  219 	by Harald Jensås.
  220 
  221 	Allow empty server spec in --rev-server, to match --server.
  222 	
  223 	Remove DSA signature verification from DNSSEC, as specified in
  224 	RFC 8624. Thanks to Loganaden Velvindron for the original patch.
  225 
  226 	Add --script-on-renewal option.
  227 
  228 	
  229 version 2.80
  230 	Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method
  231 	for the initial patch and motivation.
  232 
  233 	Alter the default for dnssec-check-unsigned. Versions of
  234 	dnsmasq prior to 2.80 defaulted to not checking unsigned
  235 	replies, and used --dnssec-check-unsigned to switch
  236         this on. Such configurations will continue to work as before,
  237         but those which used the default of no checking will need to be
  238         altered to explicitly select no checking. The new default is
  239         because switching off checking for unsigned replies is
  240 	inherently dangerous. Not only does it open the possibility of forged
  241 	replies, but it allows everything to appear to be working even
  242 	when the upstream nameservers do not support DNSSEC, and in this
  243 	case no DNSSEC validation at all is occurring.
  244 
  245         Fix DHCP broken-ness when --no-ping AND --dhcp-sequential-ip
  246 	are set. Thanks to Daniel Miess for help with this.
  247 
  248 	Add a facility to store DNS packets sent/received in a
  249 	pcap-format file for later debugging. The file location
  250 	is given by the --dumpfile option, and a bitmap controlling
  251 	which packets should be dumped is given by the --dumpmask
  252 	option.
  253 
  254 	Handle the case of both standard and constructed dhcp-ranges on the
  255 	same interface better. We don't now construct a dhcp-range if there's
  256 	already one specified. This allows the specified interface to
  257 	have different parameters and avoids advertising the same
  258 	prefix twice. Thanks to Luis Marsano for spotting this case.
  259 
  260 	Allow zone transfer in authoritative mode if auth-peer is specified,
  261 	even if auth-sec-servers is not. Thanks to Raphaël Halimi for
  262 	the suggestion.
  263 
  264 	Fix bug which sometimes caused dnsmasq to wrongly return answers
  265 	without DNSSEC RRs to queries with the do-bit set, but only when
  266 	DNSSEC validation was not enabled.
  267 	Thanks to Petr Menšík for spotting this.
  268 
  269 	Fix missing fatal errors with some malformed options
  270 	(server, local, address, rebind-domain-ok, ipset, alias).
  271 	Thanks to Eugene Lozovoy for spotting the problem.
  272 
  273 	Fix crash on startup with a --synth-domain which has no prefix.
  274 	Introduced in 2.79. Thanks to Andreas Engel for the bug report.
  275 
  276 	Fix missing EDNS0 section in some replies generated by local
  277 	DNS configuration which confused systemd-resolved. Thanks to
  278 	Steve Dodd for characterising the problem.
  279 
  280 	Add --dhcp-name-match config option. 
  281 
  282 	Add --caa-record config option.
  283 
  284 	Implement --address=/example.com/# as (more efficient) syntactic
  285 	sugar for --address=/example.com/0.0.0.0 and
  286 	--address=/example.com/::
  287 	Returning null addresses is a useful technique for ad-blocking.
  288 	Thanks to Peter Russell for the suggestion.
  289 	
  290 	Change anti cache-snooping behaviour with queries with the
  291 	recursion-desired bit unset. Instead of returning SERVFAIL, we
  292 	now always forward, and never answer from the cache. This
  293 	allows "dig +trace" command to work. 
  294 	
  295 	Include in the example config file a formulation which
  296 	stops DHCP clients from claiming the DNS name "wpad".
  297 	This is a fix for the CERT Vulnerability VU#598349.
  298 
  299 	
  300 version 2.79
  301 	Fix parsing of CNAME arguments, which are confused by extra spaces.
  302 	Thanks to Diego Aguirre for spotting the bug.
  303 
  304 	Where available, use IP_UNICAST_IF or IPV6_UNICAST_IF to bind
  305 	upstream servers to an interface, rather than SO_BINDTODEVICE.
  306 	Thanks to Beniamino Galvani for the patch.
  307 
  308 	Always return a SERVFAIL answer to DNS queries without the
  309 	recursion desired bit set, UNLESS acting as an authoritative
  310 	DNS server. This avoids a potential route to cache snooping.
  311 
  312 	Add support for Ed25519 signatures in DNSSEC validation.
  313 
  314 	No longer support RSA/MD5 signatures in DNSSEC validation,
  315 	since these are not secure. This behaviour is mandated in
  316 	RFC-6944.
  317 
  318 	Fix incorrect error exit code from dhcp_release6 utility.
  319 	Thanks to Gaudenz Steinlin for the bug report.
  320 
  321 	Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC
  322 	time validation when --dnssec-no-timecheck is in use.
  323 	Note that this is an incompatible change from earlier releases.
  324 
  325 	Allow more than one --bridge-interface option to refer to an
  326 	interface, so that we can use
  327 	--bridge-interface=int1,alias1
  328 	--bridge-interface=int1,alias2
  329 	as an alternative to
  330 	--bridge-interface=int1,alias1,alias2
  331 	Thanks to Neil Jerram for work on this.
  332 
  333 	Fix for DNSSEC with wildcard-derived NSEC records.
  334 	It's OK for NSEC records to be expanded from wildcards,
  335 	but in that case, the proof of non-existence is only valid
  336 	starting at the wildcard name, *.<domain> NOT the name expanded
  337 	from the wildcard. Without this check it's possible for an
  338 	attacker to craft an NSEC which wrongly proves non-existence.
  339 	Thanks to Ralph Dolmans for finding this, and co-ordinating 
  340 	the vulnerability tracking and fix release.
  341 	CVE-2017-15107 applies.
  342 
  343 	Remove special handling of A-for-A DNS queries. These
  344 	are no longer a significant problem in the global DNS.
  345 	http://cs.northwestern.edu/~ychen/Papers/DNS_ToN15.pdf
  346 	Thanks to Mattias Hellström for the initial patch.
  347 
  348 	Fix failure to delete dynamically created dhcp options
  349 	from files in --dhcp-optsdir directories. Thanks to
  350 	Lindgren Fredrik for the bug report.
  351 
  352 	Add to --synth-domain the ability to create names using
  353 	sequential numbers, as well as encodings of IP addresses.
  354 	For instance,
  355 	--synth-domain=thekelleys.org.uk,192.168.0.50,192.168.0.70,internal-*
  356 	creates 21 domain names of the form
  357 	internal-4.thekelleys.org.uk over the address range given, with
  358 	internal-0.thekelleys.org.uk being 192.168.0.50 and
  359 	internal-20.thekelleys.org.uk being 192.168.0.70
  360 	Thanks to Andy Hawkins for the suggestion.
  361 
  362 	Tidy up Crypto code, removing workarounds for ancient
  363 	versions of libnettle. We now require libnettle 3.
  364 
  365 
  366 version 2.78
  367         Fix logic of appending ".<layer>" to PXE basename. Thanks to Chris
  368 	Novakovic for the patch.
  369 
  370 	Revert ping-check of address in DHCPDISCOVER if there
  371 	already exists a lease for the address. Under some
  372 	circumstances, a netbooted Windows installation can reply
  373 	to pings before it has a DHCP lease and block allocation
  374 	of the address it already used during netboot. Thanks to
  375 	Jan Psota for spotting this.
  376 
  377 	Fix DHCP relaying, broken in 2.76 and 2.77 by commit
  378 	ff325644c7afae2588583f935f4ea9b9694eb52e. Thanks to
  379 	John Fitzgibbon for the diagnosis and patch.
  380 
  381         Try other servers if first returns REFUSED when
  382 	--strict-order active. Thanks to Hans Dedecker
  383 	for the patch.
  384 
  385 	Fix regression in 2.77, ironically added as a security
  386 	improvement, which resulted in a crash when a DNS
  387 	query exceeded 512 bytes (or the EDNS0 packet size,
  388 	if different.) Thanks to Christian Kujau, Arne Woerner,
  389 	Juan Manuel Fernandez and Kevin Darbyshire-Bryant for
  390 	chasing this one down.  CVE-2017-13704 applies.
  391 
  392 	Fix heap overflow in DNS code. This is a potentially serious
  393 	security hole. It allows an attacker who can make DNS
  394 	requests to dnsmasq, and who controls the contents of
  395 	a domain, which is thereby queried, to overflow
  396 	(by 2 bytes) a heap buffer and either crash, or
  397 	even take control of, dnsmasq.
  398 	CVE-2017-14491 applies.
  399 	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana,
  400 	Kevin Hamacher and Ron Bowes of the Google Security Team for
  401 	finding this.
  402 
  403 	Fix heap overflow in IPv6 router advertisement code.
  404 	This is a potentially serious security hole, as a
  405 	crafted RA request can overflow a buffer and crash or
  406 	control dnsmasq. Attacker must be on the local network.
  407 	CVE-2017-14492 applies.
  408         Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
  409 	and Kevin Hamacher of the Google Security Team for
  410 	finding this.
  411 
  412 	Fix stack overflow in DHCPv6 code. An attacker who can send
  413 	a DHCPv6 request to dnsmasq can overflow the stack frame and
  414 	crash or control dnsmasq.
  415 	CVE-2017-14493 applies.
  416 	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana,
  417 	Kevin Hamacher and Ron Bowes of the Google Security Team for
  418 	finding this.
  419 
  420 	Fix information leak in DHCPv6. A crafted DHCPv6 packet can
  421 	cause dnsmasq to forward memory from outside the packet
  422 	buffer to a DHCPv6 server when acting as a relay.
  423 	CVE-2017-14494 applies.
  424 	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana,
  425 	Kevin Hamacher and Ron Bowes of the Google Security Team for
  426 	finding this.
  427 
  428 	Fix DoS in DNS. Invalid boundary checks in the
  429 	add_pseudoheader function allow a memcpy call with negative
  430 	size. An attacker who can send malicious DNS queries
  431 	to dnsmasq can trigger a DoS remotely.
  432 	dnsmasq is vulnerable only if one of the following options is
  433 	specified: --add-mac, --add-cpe-id or --add-subnet.
  434 	CVE-2017-14496 applies.
  435 	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana,
  436 	Kevin Hamacher and Ron Bowes of the Google Security Team for
  437 	finding this.
  438 
  439 	Fix out-of-memory DoS vulnerability. An attacker who can
  440 	send malicious DNS queries to dnsmasq can trigger memory
  441 	allocations in the add_pseudoheader function.
  442 	The allocated memory is never freed which leads to a DoS
  443 	through memory exhaustion. dnsmasq is vulnerable only
  444 	if one of the following options is specified:
  445 	--add-mac, --add-cpe-id or --add-subnet.
  446 	CVE-2017-14495 applies.
  447 	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana,
  448 	Kevin Hamacher and Ron Bowes of the Google Security Team for
  449 	finding this.
  450 
  451 
  452 version 2.77
  453 	Generate an error when configured with a CNAME loop,
  454 	rather than a crash. Thanks to George Metz for
  455 	spotting this problem.
  456 
  457 	Calculate the length of TFTP error reply packet 
  458 	correctly. This fixes a problem when the error 
  459 	message in a TFTP packet exceeds the arbitrary 
  460 	limit of 500 characters. The message was correctly
  461 	truncated, but not the packet length, so 
  462 	extra data was appended. This is a possible
  463 	security risk, since the extra data comes from
  464 	a buffer which is also used for DNS, so that
  465 	previous DNS queries or replies may be leaked.
  466 	Thanks to Mozilla for funding the security audit 
  467 	which spotted this bug.
  468 
  469 	Fix logic error in Linux netlink code. This could
  470 	cause dnsmasq to enter a tight loop on systems
  471 	with a very large number of network interfaces.
  472 	Thanks to Ivan Kokshaysky for the diagnosis and
  473 	patch.
  474 
  475 	Fix problem with --dnssec-timestamp whereby receipt
  476 	of SIGHUP would erroneously engage timestamp checking.
  477 	Thanks to Kevin Darbyshire-Bryant for this work.
  478 
  479 	Bump zone serial on reloading /etc/hosts and friends
  480 	when providing authoritative DNS. Thanks to Harrald
  481 	Dunkel for spotting this.
  482 
  483 	Handle v4-mapped IPv6 addresses sanely in --synth-domain.
  484 	These have standard representation like ::ffff:1.2.3.4
  485 	and are now converted to names like
  486 	<prefix>--ffff-1-2-3-4.<domain>
  487 
  488 	Handle binding upstream servers to an interface 
  489 	(--server=1.2.3.4@eth0) when the named interface
  490 	is destroyed and recreated in the kernel. Thanks to 
  491 	Beniamino Galvani for the patch.
  492 
  493 	Allow wildcard CNAME records in authoritative zones.
  494 	For example --cname=*.example.com,default.example.com
  495 	Thanks to Pro Backup for sponsoring this development.
  496 
  497 	Bump the allowed backlog of TCP connections from 5 to 32,
  498 	and make this a compile-time configurable option. Thanks
  499 	to Donatas Abraitis for diagnosing this as a potential
  500 	problem.
  501 
  502 	Add DNSMASQ_REQUESTED_OPTIONS environment variable to the 
  503 	lease-change script. Thanks to ZHAO Yu for the patch.
  504 
  505 	Fix foobar in rrfilter code, that could cause malformed 
  506 	replies, especially when DNSSEC validation is on, and
  507 	the upstream server returns answer with the RRs in a 
  508 	particular order. The only DNS server known to tickle
  509 	this is Nominum's. Thanks to Dave Täht for spotting the
  510 	bug and assisting in the fix.
  511 
  512 	Fix the manpage which lied that only the primary address
  513 	of an interface is used by --interface-name.
  514 
  515 	Make --localise-queries apply to names from --interface-name.
  516 	Thanks to Kevin Darbyshire-Bryant and Eric Luehrsen
  517 	for pushing this.
  518 
  519 	Improve connection handling when talking to TCP upstream 
  520 	servers. Specifically, be prepared to open a new TCP
  521 	connection when we want to make multiple queries
  522 	but the upstream server accepts fewer queries per connection.
  523 
  524 	Improve logging of upstream servers when there are a lot
  525 	of "local addresses only" entries. Thanks to Hannu Nyman for
  526 	the patch.
  527 
  528 	Make --bogus-priv apply to IPv6, for the prefixes specified
  529 	in RFC6303. Thanks to Kevin Darbyshire-Bryant for work on this.
  530 
  531 	Allow use of MAC addresses with --tftp-unique-root. Thanks
  532 	to Floris Bos for the patch.
  533 
  534 	Add --dhcp-reply-delay option. Thanks to Floris Bos
  535 	for the patch.
  536 
  537 	Add mtu setting facility to --ra-param. Thanks to David
  538 	Flamand for the patch.
  539 
  540 	Capture STDOUT and STDERR output from dhcp-script and log
  541 	it as part of the dnsmasq log stream. Makes life easier
  542 	for diagnosing unexpected problems in scripts.
  543 	Thanks to Petr Mensik for the patch.
  544 
  545 	Generate fatal errors when failing to parse the output
  546 	of the dhcp-script in "init" mode. Avoids strange errors
  547 	when the script accidentally emits error messages.
  548 	Thanks to Petr Mensik for the patch.
  549 
  550 	Make --rev-server for an RFC1918 subnet work even in the
  551 	presence of the --bogus-priv flag. Thanks to
  552 	Vladislav Grishenko for the patch.
  553 
  554 	Extend --ra-param mtu: field to allow an interface name.
  555 	This allows the MTU of a WAN interface to be advertised on
  556 	the internal interfaces of a router. Thanks to
  557 	Vladislav Grishenko for the patch.
  558 
  559 	Do ICMP-ping check for address-in-use for DHCPv4 when
  560 	the client specifies an address in DHCPDISCOVER, and when
  561 	an address is configured locally. Thanks to Alin Năstac
  562 	for spotting the problem.
  563 
  564 	Add new DHCP tag "known-othernet" which is set when only a
  565 	dhcp-host exists for another subnet. Can be used to ensure
  566 	that privileged hosts are not given "guest" addresses by
  567 	accident. Thanks to Todd Sanket for the suggestion.
  568 
  569 	Remove historic automatic inclusion of IDN support when
  570 	building internationalisation support. This doesn't
  571 	fit now there is a choice of IDN libraries. Be sure
  572 	to include either -DHAVE_IDN or -DHAVE_LIBIDN2 for
  573 	IDN support.
  574 
  575 
  576 version 2.76
  577 	Include 0.0.0.0/8 in DNS rebind checks. This range 
  578 	translates to hosts on the local network, or, at
  579 	least, 0.0.0.0 accesses the local host, so could
  580 	be targets for DNS rebinding. See RFC 5735 section 3 
  581 	for details. Thanks to Stephen Röttger for the bug report.
  582 
  583 	Enhance --add-subnet to allow arbitrary subnet addresses.
  584 	Thanks to Ed Barsley for the patch.
  585 
  586 	Respect the --no-resolv flag in inotify code. Fixes bug
  587 	which caused dnsmasq to fail to start if a resolv-file 
  588 	was a dangling symbolic link, even if --no-resolv is set.
  589 	Thanks to Alexander Kurtz for spotting the problem.
  590 
  591 	Fix crash when an A or AAAA record is defined locally,
  592 	in a hosts file, and an upstream server sends a reply
  593 	that the same name is empty. Thanks to Edwin Török for
  594 	the patch.
  595 
  596 	Fix failure to correctly calculate cache-size when 
  597 	reading a hosts-file fails. Thanks to André Glüpker 
  598 	for the patch.
  599 
  600 	Fix wrong answer to simple name query when --domain-needed
  601 	set, but no upstream servers configured. Dnsmasq returned
  602 	REFUSED, in this case, when it should be the same as when
  603 	upstream servers are configured - NOERROR. Thanks to 
  604 	Allain Legacy for spotting the problem.
  605 
  606 	Return REFUSED when running out of forwarding table slots,
  607 	not SERVFAIL.
  608 
  609 	Add --max-port configuration. Thanks to Hans Dedecker for
  610 	the patch.
  611 
  612 	Add --script-arp and two new functions for the dhcp-script.
  613 	These are "arp" and "arp-old" which announce the arrival and
  614 	removal of entries in the ARP or neighbour tables.
  615 
  616 	Extend --add-mac to allow a new encoding of the MAC address 
  617 	as base64, by configuring --add-mac=base64
  618 
  619 	Add --add-cpe-id option.
  620 
  621 	Don't crash with divide-by-zero if an IPv6 dhcp-range
  622 	is declared as a whole /64.
  623 	(ie xx::0 to xx::ffff:ffff:ffff:ffff) 
  624 	Thanks to Laurent Bendel for spotting this problem.
  625 
  626 	Add support for a TTL parameter in --host-record and
  627 	--cname.
  628 
  629 	Add --dhcp-ttl option.
  630 
  631 	Add --tftp-mtu option. Thanks to Patrick McLean for the 
  632 	initial patch.
  633 
  634 	Check return-code of inet_pton() when parsing dhcp-option.
  635 	Bad addresses could fail to generate errors and result in
  636 	garbage dhcp-options being sent. Thanks to Marc Branchaud 
  637 	for spotting this.
  638 
  639 	Fix wrong value for EDNS UDP packet size when using 
  640 	--servers-file to define upstream DNS servers. Thanks to
  641 	Scott Bonar for the bug report.
  642 
  643 	Move the dhcp_release and dhcp_lease_time tools from 
  644 	contrib/wrt to contrib/lease-tools.
  645 
  646 	Add dhcp_release6 to contrib/lease-tools. Many thanks 
  647 	to Sergey Nechaev for this code.
  648 
  649 	To avoid filling logs in configurations which define
  650 	many upstream nameservers, don't log more than 30 servers.
  651 	The number to be logged can be changed as SERVERS_LOGGED
  652 	in src/config.h.
  653 
  654 	Swap the values of BC_EFI and x86-64_EFI in --pxe-service.
  655 	These were previously wrong due to an error in RFC 4578.
  656 	If you're using BC_EFI to boot 64-bit EFI machines, you
  657 	will need to update your config.
  658 
  659 	Add ARM32_EFI and ARM64_EFI as valid architectures in
  660 	--pxe-service.
  661 
  662 	Fix PXE booting for UEFI architectures. Modify PXE boot
  663 	sequence in this case to force the client to talk to dnsmasq
  664 	over port 4011. This makes PXE and especially proxy-DHCP PXE
  665 	work with these architectures.
  666 
  667 	Workaround problems with UEFI PXE clients. There exist
  668 	in the wild PXE clients which have problems with PXE
  669 	boot menus. To work around this, when there's a single
  670 	--pxe-service which applies to client, then that target
  671 	will be booted directly, rather than sending a
  672 	single-item boot menu.
  673 
  674 	Many thanks to Jarek Polok, Michael Kuron and Dreamcat4 
  675 	for their work on the long-standing UEFI PXE problem.
  676 
  677 	Subtle change in the semantics of "basename" in
  678 	--pxe-service. The historical behaviour has always been
  679 	that the actual filename downloaded from the TFTP server
  680 	is <basename>.<layer> where <layer> is an integer which
  681 	corresponds to the layer parameter supplied by the client.
  682 	It's not clear what the function of the "layer" 
  683 	actually is in the PXE protocol, and in practice layer 
  684 	is always zero, so the filename is <basename>.0
  685 	The new behaviour is the same as the old, except when
  686 	<basename> includes a file suffix, in which case
  687 	the layer suffix is no longer added. This allows
  688 	sensible suffixes to be used, rather than the
  689 	meaningless ".0". Only in the unlikely event that you
  690 	have a config with a basename which already has a
  691 	suffix, is this an incompatible change, since the file
  692 	downloaded will change from name.suffix.0 to just 
  693 	name.suffix
  694 
  695 
  696 version 2.75
  697 	Fix reversion on 2.74 which caused 100% CPU use when a 
  698 	dhcp-script is configured. Thanks to Adrian Davey for
  699 	reporting the bug and testing the fix.
  700 
  701 
  702 version 2.74
  703 	Fix reversion in 2.73 where --conf-file would attempt to
  704 	read the default file, rather than no file.
  705 
  706 	Fix inotify code to handle dangling symlinks better and
  707 	not SEGV in some circumstances.
  708 
  709 	DNSSEC fix. In the case of a signed CNAME generated by a
  710 	wildcard which pointed to an unsigned domain, the wrong
  711 	status would be logged, and some necessary checks omitted.
  712 
  713 
  714 version 2.73
  715 	Fix crash at startup when an empty suffix is supplied to
  716 	--conf-dir, also trivial memory leak. Thanks to 
  717 	Tomas Hozza for spotting this.
  718 
  719 	Remove floor of 4096 on advertised EDNS0 packet size when 
  720 	DNSSEC in use, the original rationale for this has long gone.
  721 	Thanks to Anders Kaseorg for spotting this.
  722 
  723 	Use inotify for checking on updates to /etc/resolv.conf and
  724 	friends under Linux. This fixes race conditions when the files are 
  725 	updated rapidly and saves CPU by not polling. To build
  726 	a binary that runs on old Linux kernels without inotify,
  727 	use make COPTS=-DNO_INOTIFY
  728 
  729 	Fix breakage of --domain=<domain>,<subnet>,local - only reverse
  730 	queries were intercepted. This appears to have been broken 
  731 	since 2.69. Thanks to Josh Stone for finding the bug.
  732 
  733 	Eliminate IPv6 privacy addresses and deprecated addresses from
  734 	the answers given by --interface-name. Note that reverse queries
  735 	(ie looking for names, given addresses) are not affected. 
  736 	Thanks to Michael Gorbach for the suggestion.
  737 
  738 	Fix crash in DNSSEC code with long RRs. Thanks to Marco Davids
  739 	for the bug report.
  740 
  741 	Add --ignore-address option. Ignore replies to A-record 
  742 	queries which include the specified address. No error is
  743 	generated, dnsmasq simply continues to listen for another 
  744 	reply. This is useful to defeat blocking strategies which
  745 	rely on quickly supplying a forged answer to a DNS 
  746 	request for certain domains, before the correct answer can
  747 	arrive. Thanks to Glen Huang for the patch.
  748 
  749 	Revisit the part of DNSSEC validation which determines if an 
  750 	unsigned answer is legit, or is in some part of the DNS 
  751 	tree which should be signed. Dnsmasq now works from the 
  752 	DNS root downward looking for the limit of signed 
  753 	delegations, rather than working bottom up. This is 
  754 	both more correct, and less likely to trip over broken 
  755 	nameservers in the unsigned parts of the DNS tree 
  756 	which don't respond well to DNSSEC queries.
  757 
  758 	Add --log-queries=extra option, which makes logs easier
  759 	to search automatically.
  760 
  761 	Add --min-cache-ttl option. I've resisted this for a long 
  762 	time, on the grounds that disbelieving TTLs is never a 
  763 	good idea, but I've been persuaded that there are 
  764 	sometimes reasons to do it. (Step forward, GFW).
  765 	To avoid misuse, there's a hard limit on the TTL 
  766 	floor of one hour. Thanks to RinSatsuki for the patch.
  767 
  768 	Cope with multiple interfaces with the same link-local 
  769 	address. (IPv6 addresses are scoped, so this is allowed.)
  770 	Thanks to Cory Benfield for help with this.
  771 
  772 	Add --dhcp-hostsdir. This allows addition of new host
  773 	configurations to a running dnsmasq instance much more 
  774 	cheaply than having dnsmasq re-read all its existing
  775 	configuration each time. 
  776 
  777 	Don't reply to DHCPv6 SOLICIT messages if we're not 
  778 	configured to do stateful DHCPv6. Thanks to Win King Wan 
  779 	for the patch.
  780 
  781 	Fix broken DNSSEC validation of ECDSA signatures.
  782 
  783 	Add --dnssec-timestamp option, which provides an automatic
  784 	way to detect when the system time becomes valid after 
  785 	boot on systems without an RTC, whilst allowing DNS 
  786 	queries before the clock is valid so that NTP can run. 
  787 	Thanks to Kevin Darbyshire-Bryant for developing this idea.
  788 
  789 	Add --tftp-no-fail option. Thanks to Stefan Tomanek for
  790 	the patch.
  791 
  792 	Fix crash caused by looking up servers.bind, CHAOS text 
  793 	record, when more than about five --servers= lines are 
  794 	in the dnsmasq config. This causes memory corruption 
  795 	which causes a crash later. Thanks to Matt Coddington for 
  796 	sterling work chasing this down.
  797 
  798 	Fix crash on receipt of certain malformed DNS requests.
  799 	Thanks to Nick Sampanis for spotting the problem.
  800 	Note that this could allow the dnsmasq process's
  801 	memory to be read by an attacker under certain
  802 	circumstances, so it has a CVE, CVE-2015-3294.
  803 
  804 	Fix crash in authoritative DNS code, if a .arpa zone 
  805 	is declared as authoritative, and then a PTR query which
  806 	is not to be treated as authoritative arrived. Normally, 
  807 	directly declaring .arpa zone as authoritative is not 
  808 	done, so this crash wouldn't be seen. Instead the 
  809 	relevant .arpa zone should be specified as a subnet
  810 	in the auth-zone declaration. Thanks to Johnny S. Lee
  811 	for the bugreport and initial patch.
  812 
  813 	Fix authoritative DNS code to correctly reply to NS 
  814 	and SOA queries for .arpa zones for which we are 
  815 	declared authoritative by means of a subnet in auth-zone.
  816 	Previously we provided correct answers to PTR queries
  817 	in such zones (including NS and SOA) but not direct
  818 	NS and SOA queries. Thanks to Johnny S. Lee for 
  819 	pointing out the problem.
  820 
  821 	Fix logging of DHCPREPLY which should be suppressed 
  822 	by quiet-dhcp6. Thanks to J. Pablo Abonia for 
  823 	spotting the problem.
  824 
  825 	Try and handle net connections with broken fragmentation 
  826 	that lose large UDP packets. If a server times out, 
  827 	reduce the maximum UDP packet size field in the EDNS0
  828 	header to 1280 bytes. If it then answers, make that
  829 	change permanent.
  830 
  831 	Check IPv4-mapped IPv6 addresses when --stop-rebind
  832 	is active. Thanks to Jordan Milne for spotting this.
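Why a rebind filter has to look inside IPv4-mapped IPv6 answers, as an added example (not dnsmasq's own source; the function names, the check_mapped switch, the list of ranges treated as private and the sample addresses are assumptions, and native IPv6 private ranges are left out because this entry only concerns mapped addresses):

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed set of IPv4 ranges treated as private, as net/mask in host order. */
static const struct { uint32_t net, mask; } private_v4[] = {
    { 0x0A000000u, 0xFF000000u }, /* 10.0.0.0/8     */
    { 0xAC100000u, 0xFFF00000u }, /* 172.16.0.0/12  */
    { 0xC0A80000u, 0xFFFF0000u }, /* 192.168.0.0/16 */
    { 0x7F000000u, 0xFF000000u }, /* 127.0.0.0/8    */
    { 0xA9FE0000u, 0xFFFF0000u }, /* 169.254.0.0/16 */
};

/* b points at four address bytes in network order. */
static int is_private_v4(const unsigned char *b)
{
    uint32_t a = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
                 ((uint32_t)b[2] << 8) | (uint32_t)b[3];

    for (size_t i = 0; i < sizeof private_v4 / sizeof private_v4[0]; i++)
        if ((a & private_v4[i].mask) == private_v4[i].net)
            return 1;
    return 0;
}

/* ::ffff:a.b.c.d is 80 zero bits, 16 one bits, then the IPv4 address. */
static int is_v4_mapped(const struct in6_addr *a6)
{
    static const unsigned char prefix[12] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff };
    return memcmp(a6->s6_addr, prefix, sizeof prefix) == 0;
}

/* Return 1 if an upstream answer carrying this address should be dropped as
 * a possible rebind, 0 if it passes, -1 if the literal does not parse.
 * check_mapped == 0 models a filter that only inspects A records, so a
 * private IPv4 address wrapped in an AAAA record passes through. */
int rebind_blocked(int af, const char *literal, int check_mapped)
{
    if (af == AF_INET) {
        struct in_addr a4;
        if (inet_pton(AF_INET, literal, &a4) != 1)
            return -1;
        return is_private_v4((const unsigned char *)&a4);
    }
    if (af == AF_INET6) {
        struct in6_addr a6;
        if (inet_pton(AF_INET6, literal, &a6) != 1)
            return -1;
        if (check_mapped && is_v4_mapped(&a6))
            return is_private_v4(a6.s6_addr + 12); /* embedded IPv4 bytes */
        return 0;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample answers: record family and address literal. */
    const struct { int af; const char *addr; } answers[] = {
        { AF_INET,  "192.168.1.1" },
        { AF_INET6, "::ffff:192.168.1.1" },
        { AF_INET6, "::ffff:8.8.8.8" },
        { AF_INET6, "2001:db8::1" },
    };

    for (size_t i = 0; i < sizeof answers / sizeof answers[0]; i++)
        printf("%-20s A-only filter=%d  with mapped check=%d\n", answers[i].addr,
               rebind_blocked(answers[i].af, answers[i].addr, 0),
               rebind_blocked(answers[i].af, answers[i].addr, 1));
    return 0;
}
```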
  833 
  834 	Allow DHCPv4 options T1 and T2 to be set using --dhcp-option.
  835 	Thanks to Kevin Benton for patches and work on this.
  836 
  837 	Fix code for DHCPCONFIRM DHCPv6 messages to confirm addresses
  838 	in the correct subnet, even if not in dynamic address 
  839 	allocation range. Thanks to Steve Hirsch for spotting
  840 	the problem.
  841 
  842 	Add AddDhcpLease and DeleteDhcpLease DBus methods. Thanks
  843 	to Nicolas Cavallari for the patch.
  844 
  845 	Allow configuration of router advertisements without the 
  846 	"on-link" bit set. Thanks to Neil Jerram for the patch.
  847 
  848 	Extend --bridge-interface to DHCPv6 and router 
  849 	advertisements. Thanks to Neil Jerram for the patch.
  850 
  851 
  852 version 2.72
  853 	Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.
  854 
  855 	Add support for "ipsets" in *BSD, using pf. Thanks to 
  856 	Sven Falempin for the patch.
  857 
  858 	Fix race condition which could lock up dnsmasq when an 
  859 	interface goes down and up rapidly. Thanks to Conrad 
  860 	Kostecki for helping to chase this down.
  861 
  862 	Add DBus methods SetFilterWin2KOption and SetBogusPrivOption.
  863 	Thanks to the Smoothwall project for the patch.
  864 
  865 	Fix failure to build against Nettle-3.0. Thanks to Steven 
  866 	Barth for spotting this and finding the fix. 
  867 
  868 	When assigning existing DHCP leases to interfaces by comparing 
  869 	networks, handle the case that two or more interfaces have the
  870 	same network part, but different prefix lengths (favour the
  871 	longer prefix length.) Thanks to Lung-Pin Chang for the 
  872 	patch.
  873 
  874 	Add a mode which detects and removes DNS forwarding loops, ie 
  875 	a query sent to an upstream server returns as a new query to 
  876 	dnsmasq, and would therefore be forwarded again, resulting in 
  877 	a query which loops many times before being dropped. Upstream
  878 	servers which loop back are disabled and this event is logged.
  879 	Thanks to Smoothwall for their sponsorship of this feature.
  880 
  881 	Extend --conf-dir to allow filtering of files. So
  882 	--conf-dir=/etc/dnsmasq.d,\*.conf
  883 	will load all the files in /etc/dnsmasq.d which end in .conf
  884 
  885 	Fix bug which resulted in NXDOMAIN answers instead of NODATA in
  886 	some circumstances.
  887 
  888 	Fix bug which caused dnsmasq to become unresponsive if it 
  889 	failed to send packets due to a network interface disappearing.
  890 	Thanks to Niels Peen for spotting this.
  891 
  892 	Fix problem with --local-service option on big-endian platforms.
  893 	Thanks to Richard Genoud for the patch.
  894 
  895 
  896 version 2.71
  897 	Subtle change to error handling to help DNSSEC validation 
  898 	when servers fail to provide NODATA answers for 
  899 	non-existent DS records.
  900 
  901 	Tweak code which removes DNSSEC records from answers when
  902 	not required. Fixes broken answers when additional section
  903 	has real records in it. Thanks to Marco Davids for the bug 
  904 	report.
  905 
  906 	Fix DNSSEC validation of ANY queries. Thanks to Marco Davids
  907 	for spotting that too.
  908 
  909 	Fix total DNS failure and 100% CPU use if cachesize set to zero,
  910 	regression introduced in 2.69. Thanks to James Hunt and
  911 	the Ubuntu crowd for assistance in fixing this.
  912 
  913 
  914 version 2.70
  915 	Fix crash, introduced in 2.69, on TCP request when dnsmasq
  916 	compiled with DNSSEC support, but running without DNSSEC
  917 	enabled. Thanks to Manish Sing for spotting that one.
  918 
  919 	Fix regression which broke ipset functionality. Thanks to 
  920 	Wang Jian for the bug report.
  921 
  922 
  923 version 2.69
  924 	Implement dynamic interface discovery on *BSD. This allows
  925 	the constructor: syntax to be used in dhcp-range for DHCPv6
  926 	on the BSD platform. Thanks to Matthias Andree for
  927 	valuable research on how to implement this.
  928 
  929 	Fix infinite loop associated with some --bogus-nxdomain
  930 	configs. Thanks fogobogo for the bug report.
  931 
  932 	Fix missing RA RDNS option with configuration like
  933 	--dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer
  934 	for spotting the problem.
  935 
  936 	Add [fd00::] and [fe80::] as special addresses in DHCPv6
  937 	options, analogous to [::]. [fd00::] is replaced with the
  938 	actual ULA of the interface on the machine running
  939 	dnsmasq, [fe80::] with the link-local address. 
  940 	Thanks to Tsachi Kimeldorfer for championing this.
  941 
  942 	DNSSEC validation and caching. Dnsmasq needs to be
  943 	compiled with this enabled, with 
  944 
  945 	make dnsmasq COPTS=-DHAVE_DNSSEC
  946 
  947 	this adds dependencies on the nettle crypto library and the 
  948 	gmp maths library. It's possible to have these linked
  949 	statically with
  950 
  951 	make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'
  952 
  953 	which bloats the dnsmasq binary, but saves the size of 
  954 	the shared libraries which are much bigger.
  955 
  956 	To enable DNSSEC, you will need a set of
  957 	trust-anchors. Now that the TLDs are signed, this can be
  958 	the keys for the root zone, and for convenience they are
  959 	included in trust-anchors.conf in the dnsmasq
  960 	distribution. You should of course check that these are
  961 	legitimate and up-to-date. So, adding
  962 
  963 	conf-file=/path/to/trust-anchors.conf
  964 	dnssec
  965 
  966 	to your config is all that's needed to get things
  967 	working. The upstream nameservers have to be DNSSEC-capable
  968 	too, of course. Many ISP nameservers aren't, but the
  969 	Google public nameservers (8.8.8.8 and 8.8.4.4) are.
  970 	When DNSSEC is configured, dnsmasq validates any queries 
  971 	for domains which are signed. Query results which are 
  972 	bogus are replaced with SERVFAIL replies, and results 
  973 	which are correctly signed have the AD bit set. In 
  974 	addition, and just as importantly, dnsmasq supplies 
  975 	correct DNSSEC information to clients which are doing 
  976 	their own validation, and caches DNSKEY, DS and RRSIG
  977 	records, which significantly improve the performance of 
  978 	downstream validators. Setting --log-queries will show 
  979 	DNSSEC in action.
  980 
  981 	If a domain is returned from an upstream nameserver without 
  982 	DNSSEC signature, dnsmasq by default trusts this. This 
  983 	means that for unsigned zones (still the majority) there 
  984 	is effectively no cost for having DNSSEC enabled. Of course
  985 	this allows an attacker to replace a signed record with a 
  986 	false unsigned record. This is addressed by the 
  987 	--dnssec-check-unsigned flag, which instructs dnsmasq
  988 	to prove that an unsigned record is legitimate, by finding  
  989 	a secure proof that the zone containing the record is not
  990 	signed. Doing this has costs (typically one or two extra
  991 	upstream queries). It also has a nasty failure mode if
  992 	dnsmasq's upstream nameservers are not DNSSEC capable. 
  993 	Without --dnssec-check-unsigned using such an upstream
  994 	server will simply result in no queries being validated; 
  995 	with --dnssec-check-unsigned enabled and a 
  996 	DNSSEC-ignorant upstream server, _all_ queries will fail.
  997 
  998 	Note that DNSSEC requires that the local time is valid and 
  999 	accurate, if not then DNSSEC validation will fail. NTP 
 1000 	should be running. This presents a problem for routers
 1001 	without a battery-backed clock. To set the time needs NTP 
 1002 	to do DNS lookups, but lookups will fail until NTP has run.
 1003 	To address this, there's a flag, --dnssec-no-timecheck 
 1004 	which disables the time checks (only) in DNSSEC. When dnsmasq
 1005 	is started and the clock is not synced, this flag should
 1006 	be used. As soon as the clock is synced, SIGHUP dnsmasq. 
 1007 	The SIGHUP clears the cache of partially-validated data and
 1008 	resets the no-timecheck flag, so that all DNSSEC checks 
 1009 	henceforward will be complete.
 1010 
 1011 	The development of DNSSEC in dnsmasq was started by 
 1012 	Giovanni Bajo, to whom huge thanks are owed. It has been
 1013 	supported by Comcast, whose techfund grant has allowed for 
 1014 	an invaluable period of full-time work to get it to 
 1015 	a workable state.
 1016 
 1017 	Add --rev-server. Thanks to Dave Taht for suggesting this.
 1018 
 1019 	Add --servers-file. Allows dynamic update of upstream servers 
 1020 	full access to configuration. 
 1021 
 1022 	Add --local-service. Accept DNS queries only from hosts 
 1023 	whose address is on a local subnet, ie a subnet for which 
 1024 	an interface exists on the server. This option
 1025 	only has effect if there are no --interface, --except-interface,
 1026 	--listen-address or --auth-server options. It is intended 
 1027 	to be set as a default on installation, to allow
 1028 	unconfigured installations to be useful but also safe from 
 1029 	being used for DNS amplification attacks.
 1030 
 1031 	Fix crashes in cache_get_cname_target() when dangling CNAMEs
 1032 	encountered. Thanks to Andy and the rt-n56u project for
 1033 	finding this and helping to chase it down.
 1034 
 1035 	Fix wrong RCODE in authoritative DNS replies to PTR queries. The
 1036 	correct answer was included, but the RCODE was set to NXDOMAIN.
 1037 	Thanks to Craig McQueen for spotting this.
 1038 
 1039 	Make statistics available as DNS queries in the .bind TLD as 
 1040 	well as logging them.
 1041 
 1042 
 1043 version 2.68
 1044 	Use random addresses for DHCPv6 temporary address
 1045 	allocations, instead of algorithmically determined stable
 1046 	addresses.
 1047 
 1048 	Fix bug which meant that the DHCPv6 DUID was not available
 1049 	in DHCP script runs during the lifetime of the dnsmasq
 1050 	process which created the DUID de-novo. Once the DUID was
 1051 	created and stored in the lease file and dnsmasq
 1052 	restarted, this bug disappeared.
 1053 
 1054 	Fix bug introduced in 2.67 which could result in erroneous
 1055 	NXDOMAIN returns to CNAME queries.
 1056 
 1057 	Fix build failures on MacOS X and openBSD.
 1058 
 1059 	Allow subnet specifications in --auth-zone to be interface 
 1060 	names as well as address literals. This makes it possible
 1061 	to configure authoritative DNS when local address ranges
 1062 	are dynamic and works much better than the previous
 1063 	work-around which exempted constructed DHCP ranges from the
 1064 	IP address filtering. As a consequence, that work-around
 1065 	is removed. Under certain circumstances, this change will
 1066 	break existing configuration: if you're relying on the
 1067 	constructed-range exception, you need to change --auth-zone
 1068 	to specify the same interface as is used to construct your
 1069 	DHCP ranges, probably with a trailing "/6" like this: 
 1070 	--auth-zone=example.com,eth0/6 to limit the addresses to
 1071 	IPv6 addresses of eth0.
 1072 
 1073 	Fix problems when advertising deleted IPv6 prefixes. If
 1074 	the prefix is deleted (rather than replaced), it doesn't
 1075 	get advertised with zero preferred time. Thanks to Tsachi
 1076 	for the bug report. 
 1077 
 1078 	Fix segfault with some locally configured CNAMEs. Thanks
 1079 	to Andrew Childs for spotting the problem.
 1080 
 1081 	Fix memory leak on re-reading /etc/hosts and friends,
 1082 	introduced in 2.67.
 1083 
 1084 	Check the arrival interface of incoming DNS and TFTP
 1085 	requests via IPv6, even in --bind-interfaces mode. This
 1086 	isn't possible for IPv4 and can generate scary warnings,
 1087 	but as it's always possible for IPv6 (the API always
 1088 	exists) then we should do it always. 
 1089 
 1090 	Tweak the rules on prefix-lengths in --dhcp-range for
 1091 	IPv6. The new rule is that the specified prefix length
 1092 	must be larger than or equal to the prefix length of the
 1093 	corresponding address on the local interface. 
 1094 
 1095 
 1096 version 2.67
 1097 	Fix crash if upstream server returns SERVFAIL when
 1098 	--conntrack in use. Thanks to Giacomo Tazzari for finding
 1099 	this and supplying the patch. 
 1100 
 1101 	Repair regression in 2.64. That release stopped sending
 1102 	lease-time information in the reply to DHCPINFORM
 1103 	requests, on the correct grounds that it was a standards
 1104 	violation. However, this broke the dnsmasq-specific
 1105 	dhcp_lease_time utility. Now, DHCPINFORM returns
 1106 	lease-time only if it's specifically requested
 1107 	(maintaining standards) and the dhcp_lease_time utility
 1108 	has been taught to ask for it (restoring functionality). 
 1109 
 1110 	Fix --dhcp-match, --dhcp-vendorclass and --dhcp-userclass
 1111 	to work with BOOTP as well as DHCP. Thanks to Peter
 1112 	Korsgaard for spotting the problem. 
 1113 
 1114 	Add --synth-domain. Thanks to Vishvananda Ishaya for
 1115 	suggesting this.
 1116 
 1117 	Fix failure to compile ipset.c if old kernel headers are
 1118 	in use. Thanks to Eugene Rudoy for pointing this out.
 1119 
 1120 	Handle IPv4 interface-address labels in Linux. These are
 1121 	often used to emulate the old IP-alias addresses. Before,
 1122 	using --interface=eth0 would service all the addresses of
 1123 	eth0, including ones configured as aliases, which appear
 1124 	in ifconfig as eth0:0. Now, only addresses with the label
 1125 	eth0 are active. This is not backwards compatible: if you
 1126 	want to continue to bind the aliases too, you need to add
 1127 	eg. --interface=eth0:0 to the config. 
 1128 
 1129 	Fix "failed to set SO_BINDTODEVICE on DHCP socket: Socket 
 1130 	operation on non-socket" error on startup with
 1131 	configurations which have exactly one --interface option
 1132 	and do RA but _not_ DHCPv6. Thanks to Trever Adams for the
 1133 	bug report.
 1134 
 1135 	Generalise --interface-name to cope with IPv6 addresses
 1136 	and multiple addresses per interface per address family.
 1137 
 1138 	Fix option parsing for --dhcp-host, which was generating a
 1139 	spurious error when all seven possible items were
 1140 	included. Thanks to Zhiqiang Wang for the bug report.
 1141 
 1142 	Remove restriction on prefix-length in --auth-zone. Thanks
 1143 	to Toke Hoiland-Jorgensen for suggesting this.
 1144 
 1145 	Log when the maximum number of concurrent DNS queries is
 1146 	reached. Thanks to Marcelo Salhab Brogliato for the patch.
 1147 
 1148 	If wildcards are used in --interface, don't assume that 
 1149 	there will only ever be one available interface for DHCP
 1150 	just because there is one at start-up. More may appear, so
 1151 	we can't use SO_BINDTODEVICE. Thanks to Natrio for the bug
 1152 	report. 
 1153 
 1154 	Increase timeout/number of retries in TFTP to accommodate
 1155 	AudioCodes Voice Gateways doing streaming writes to flash.
 1156 	Thanks to Damian Kaczkowski for spotting the problem.
 1157 
 1158 	Fix crash with empty DHCP string options when adding zero
 1159 	terminator. Thanks to Patrick McLean for the bug report.
 1160 
 1161 	Allow hostnames to start with a number, as allowed in
 1162 	RFC-1123. Thanks to Kyle Mestery for the patch. 
 1163 
 1164 	Fixes to DHCP FQDN option handling: don't terminate FQDN
 1165 	if domain not known and allow a FQDN option with blank
 1166 	name to request that a FQDN option is returned in the
 1167 	reply. Thanks to Roy Marples for the patch.
 1168 
 1169 	Make --clear-on-reload apply to setting upstream servers
 1170 	via DBus too.
 1171 
 1172 	When the address which triggered the construction of an
 1173 	advertised IPv6 prefix disappears, continue to advertise 
 1174 	the prefix for up to 2 hours, with the preferred lifetime
 1175 	set to zero. This satisfies RFC 6204 4.3 L-13 and makes
 1176 	things work better if a prefix disappears without being
 1177 	deprecated first. Thanks to Uwe Schindler for persuasively
 1178 	arguing for this.
 1179 
 1180 	Fix MAC address enumeration on *BSD. Thanks to Brad Smith
 1181 	for the bug report.
 1182 
 1183 	Support RFC-4242 information-refresh-time options in the 
 1184 	reply to DHCPv6 information-request. The lease time of the
 1185 	smallest valid dhcp-range is sent. Thanks to Uwe Schindler 
 1186 	for suggesting this.
 1187 
 1188 	Make --listen-address higher priority than --except-interface
 1189 	in all circumstances. Thanks to Thomas Hood for the bugreport.
 1190 
 1191 	Provide independent control over which interfaces get TFTP 
 1192 	service. If enable-tftp is given a list of interfaces, then TFTP 
 1193 	is provided on those. Without the list, the previous behaviour
 1194 	(provide TFTP to the same interfaces we provide DHCP to) 
 1195 	is retained. Thanks to Lonnie Abelbeck for the suggestion.
 1196 
 1197 	Add --dhcp-relay config option. Many thanks to vtsl.net
 1198 	for sponsoring this development.
 1199 
 1200 	Fix crash with empty tag: in --dhcp-range. Thanks to
 1201 	Kaspar Schleiser for the bug report.
 1202 
 1203 	Add "baseline" and "bloatcheck" makefile targets, for 
 1204 	revealing size changes during development. Thanks to
 1205 	Vladislav Grishenko for the patch. 
 1206 
 1207 	Cope with DHCPv6 clients which send REQUESTs without
 1208 	address options - treat them as SOLICIT with rapid commit.
 1209 
 1210 	Support identification of clients by MAC address in
 1211 	DHCPv6. When using a relay, the relay must support RFC
 1212 	6939 for this to work. It always works for directly
 1213 	connected clients. Thanks to Vladislav Grishenko
 1214 	for prompting this feature.
 1215 
 1216 	Remove the rule for constructed DHCP ranges that the local
 1217 	address must be either the first or last address in the
 1218 	range. This was originally to avoid SLAAC addresses, but
 1219 	we now explicitly autoconfig and privacy addresses instead.  
 1220 
 1221 	Update Polish translation. Thanks to Jan Psota.
 1222 
 1223 	Fix problem in DHCPv6 vendorclass/userclass matching
 1224 	code. Thanks to Tanguy Bouzeloc for the patch.
 1225 
 1226 	Update Spanish translation. Thanks to Vicente Soriano.
 1227 
 1228 	Add --ra-param option. Thanks to Vladislav Grishenko for
 1229 	inspiration on this.
 1230 
 1231 	Add --add-subnet configuration, to tell upstream DNS
 1232 	servers where the original client is. Thanks to DNSthingy
 1233 	for sponsoring this feature.
 1234 
 1235 	Add --quiet-dhcp, --quiet-dhcp6 and --quiet-ra. Thanks to
 1236 	Kevin Darbyshire-Bryant for the initial patch.
 1237 
 1238 	Allow A/AAAA records created by --interface-name to be the
 1239 	target of --cname. Thanks to Hadmut Danisch for the
 1240 	suggestion. 
 1241 
 1242 	Avoid treating a --dhcp-host which has an IPv6 address
 1243 	as eligible for use with DHCPv4 on the grounds that it has
 1244 	no address, and vice-versa. Thanks to Yury Konovalov for
 1245 	spotting the problem.
 1246 
 1247 	Do a better job caching dangling CNAMEs. Thanks to Yves
 1248 	Dorfsman for spotting the problem.
 1249 
 1250 
 1251 version 2.66
 1252 	Add the ability to act as an authoritative DNS
 1253 	server. Dnsmasq can now answer queries from the wider 'net
 1254 	with local data, as long as the correct NS records are set
 1255 	up. Only local data is provided, to avoid creating an open
 1256 	DNS relay. Zone transfer is supported, to allow secondary
 1257 	servers to be configured.
 1258 
 1259 	Add "constructed DHCP ranges" for DHCPv6. This is intended
 1260 	for IPv6 routers which get prefixes dynamically via prefix
 1261 	delegation. With suitable configuration, stateful DHCPv6
 1262 	and RA can happen automatically as prefixes are delegated
 1263 	and then deprecated, without having  to re-write the
 1264 	dnsmasq configuration file or restart the daemon. Thanks to
 1265 	Steven Barth for extensive testing and development work on
 1266 	this idea.
 1267 
 1268 	Fix crash on startup on Solaris 11. Regression probably
 1269 	introduced in 2.61.  Thanks to Geoff Johnstone for the
 1270 	patch.
 1271 
 1272 	Add code to make behaviour for TCP DNS requests the same
 1273 	as for UDP requests, when a request arrives for an allowed 
 1274 	address, but via a banned interface. This change is only
 1275 	active on Linux, since the relevant API is missing (AFAIK)
 1276 	on other platforms. Many thanks to Tomas Hozza for
 1277 	spotting the problem, and doing invaluable discovery of
 1278 	the obscure and undocumented API required for the solution.
 1279 
 1280 	Don't send the default DHCP option advertising dnsmasq as
 1281 	the local DNS server if dnsmasq is configured to not act
 1282 	as DNS server, or it's configured to a non-standard port.
 1283 
 1284 	Add DNSMASQ_CIRCUIT_ID, DNSMASQ_SUBSCRIBER_ID,
 1285 	DNSMASQ_REMOTE_ID variables to the environment of the
 1286 	lease-change script (and the corresponding Lua). These hold
 1287 	information inserted into the DHCP request by a DHCP relay
 1288 	agent. Thanks to Lakefield Communications for providing a
 1289 	bounty for this addition.
 1290 
 1291 	Fixed crash, introduced in 2.64, whilst handling DHCPv6
 1292 	information-requests with some common configurations.
 1293 	Thanks to Robert M. Albrecht for the bug report and 
 1294 	chasing the problem.
 1295 
 1296 	Add --ipset option. Thanks to Jason A. Donenfeld for the 
 1297 	patch.
 1298 
 1299 	Don't erroneously reject some option names in --dhcp-match
 1300 	options. Thanks to Benedikt Hochstrasser for the bug report.
 1301 
 1302 	Allow a trailing '*' wildcard in all interface-name
 1303 	configurations. Thanks to Christian Parpart for the patch.
 1304 
 1305 	Handle the situation where libc headers define
 1306 	SO_REUSEPORT, but the kernel in use doesn't, to cope with
 1307 	the introduction of this option to Linux. Thanks to Rich
 1308 	Felker for the bug report.
 1309 
 1310 	Update Polish translation. Thanks to Jan Psota.
 1311 
 1312 	Fix crash if the configured DHCP lease limit is
 1313 	reached. Regression occurred in 2.61. Thanks to Tsachi for
 1314 	the bug report. 
 1315 
 1316 	Update the French translation. Thanks to Gildas le Nadan.
 1317 
 1318 
 1319 version 2.65
 1320 	Fix regression which broke forwarding of queries sent via
 1321 	TCP which are not for A and AAAA and which were directed to
 1322 	non-default servers. Thanks to Niax for the bug report.
 1323 
 1324 	Fix failure to build with DHCP support excluded. Thanks to 
 1325 	Gustavo Zacarias for the patch.
 1326 
 1327 	Fix nasty regression in 2.64 which completely broke caching.
 1328 
 1329 
 1330 version 2.64
 1331 	Handle DHCP FQDN options with all flag bits zero and
 1332 	--dhcp-client-update set. Thanks to Bernd Krumbroeck for
 1333 	spotting the problem.
 1334 
 1335 	Finesse the check for /etc/hosts names which conflict with
 1336 	DHCP names. Previously a name/address pair in /etc/hosts
 1337 	which didn't match the name/address of a DHCP lease would
 1338 	generate a warning. Now that only happens if there is not
 1339 	also a match. This allows multiple addresses for a name in 
 1340 	/etc/hosts with one of them assigned via DHCP.
 1341 
 1342 	Fix broken vendor-option processing for BOOTP. Thanks to
 1343 	Hans-Joachim Baader for the bug report.
 1344 
 1345 	Don't report spurious netlink errors, regression in
 1346 	2.63. Thanks to Vladislav Grishenko for the patch.
 1347 
 1348 	Flag DHCP or DHCPv6 in startup logging. Thanks to 
 1349 	Vladislav Grishenko for the patch.
 1350 
 1351 	Add SetServersEx method in DBus interface. Thanks to Dan
 1352 	Williams for the patch.
 1353 
 1354 	Add SetDomainServers method in DBus interface. Thanks to
 1355 	Roy Marples for the patch.
 1356 
 1357 	Fix build with later Lua libraries. Thanks to Cristian
 1358 	Rodriguez for the patch.
 1359 
 1360 	Add --max-cache-ttl option. Thanks to Dennis Kaarsemaker
 1361 	for the patch.
 1362 
 1363 	Fix breakage of --host-record parsing, resulting in
 1364 	infinite loop at startup. Regression in 2.63. Thanks to
 1365 	Haim Gelfenbeyn for spotting this.
 1366 
 1367 	Set SO_REUSEADDRESS and SO_V6ONLY options on the DHCPv6
 1368 	socket, this allows multiple instances of dnsmasq on a
 1369 	single machine, in the same way as for DHCPv4. Thanks to
 1370 	Gene Czarcinski and Vladislav Grishenko for work on this.
 1371 
 1372 	Fix DHCPv6 to do access control correctly when it's 
 1373 	configured with --listen-address. Thanks to
 1374 	Gene Czarcinski for sorting this out. 
 1375 
 1376 	Add a "wildcard" dhcp-range which works for any IPv6
 1377 	subnet, --dhcp-range=::,static Useful for Stateless 
 1378 	DHCPv6. Thanks to Vladislav Grishenko for the patch.
 1379 
 1380 	Don't include lease-time in DHCPACK replies to DHCPINFORM
 1381 	queries, since RFC-2131 says we shouldn't. Thanks to
 1382 	Wouter Ibens for pointing this out.  
 1383 
 1384 	Makefile tweak to do dependency checking on header files.
 1385 	Thanks to Johan Peeters for the patch.
 1386 
 1387 	Check interface for outgoing unsolicited router 
 1388 	advertisements, rather than relying on interface address 
 1389 	configuration. Thanks to Gene Czarcinski for the patch.
 1390 
 1391 	Handle better attempts to transmit on interfaces which are
 1392 	still doing DAD, and specifically do not just transmit
 1393 	without setting source address and interface, since this
 1394 	can cause very puzzling effects when a router
 1395 	advertisement goes astray. Thanks again to Gene Czarcinski.
 1396 
 1397 	Get RA timers right when there is more than one
 1398 	dhcp-range on a subnet.
 1399 
 1400 
 1401 version 2.63
 1402 	Do duplicate dhcp-host address check in --test mode.
 1403 
 1404 	Check that tftp-root directories are accessible before
 1405 	start-up. Thanks to Daniel Veillard for the initial patch.
 1406 
 1407 	Allow more than one --tftp-root flag. The per-interface
 1408 	stuff is pointless without that.
 1409 
 1410 	Add --bind-dynamic. A hybrid mode between the default and
 1411 	--bind-interfaces which copes with dynamically created
 1412 	interfaces. 
 1413 
 1414 	A couple of fixes to the build system for Android. Thanks
 1415 	to Metin Kaya for the patches.
 1416 
 1417 	Remove the interface:<interface> argument in --dhcp-range, and
 1418 	the interface argument to --enable-tftp. These were a
 1419 	still-born attempt to allow automatic isolated
 1420 	configuration by libvirt, but have never (to my knowledge)
 1421 	been used, had very strange semantics, and have been
 1422 	superseded by other mechanisms. 
 1423 
 1424 	Fixed bug logging filenames when duplicate dhcp-host
 1425 	addresses are found. Thanks to John Hanks for the patch.
 1426 
 1427 	Fix regression in 2.61 which broke caching of CNAME
 1428 	chains. Thanks to Atul Gupta for the bug report.
 1429 
 1430 	Allow the target of a --cname flag to be another --cname.
 1431 
 1432 	Teach DHCPv6 about the RFC 4242 information-refresh-time
 1433 	option, and add parsing of the minutes, hours and days
 1434 	format for options. Thanks to Francois-Xavier Le Bail for
 1435 	the suggestion.
 1436 
 1437 	Allow "w" (for week) as multiplier in lease times, as well
 1438 	as seconds, minutes, hours and days.  Álvaro Gámez Machado 
 1439 	spotted the omission.
 1440 
 1441 	Update French translation. Thanks to Gildas Le Nadan.
 1442 
 1443 	Allow a DBus service name to be given with --enable-dbus
 1444 	which overrides the default,
 1445 	uk.org.thekelleys.dnsmasq. Thanks to Mathieu
 1446 	Trudel-Lapierre for the patch. 
 1447 
 1448 	Set the "prefix on-link" bit in Router
 1449 	Advertisements. Thanks to Gui Iribarren for the patch.
 1450 
 1451 
 1452 version 2.62
 1453 	Update German translation. Thanks to Conrad Kostecki.
 1454 
 1455 	Cope with router-solicit packets which don't have a valid 
 1456 	source address. Thanks to Vladislav Grishenko for the patch.
 1457 
 1458 	Fixed bug which caused missing periodic router
 1459 	advertisements with some configurations. Thanks to
 1460 	Vladislav Grishenko for the patch.
 1461 
 1462 	Fixed bug which broke DHCPv6/RA with prefix lengths 
 1463 	which are not divisible by 8. Thanks to Andre Coetzee 
 1464 	for spotting this.
 1465 
 1466 	Fix non-response to router-solicitations when
 1467 	router-advertisement configured, but DHCPv6 not
 1468 	configured. Thanks to Marien Zwart for the patch.
 1469 
 1470 	Add --dns-rr, to allow arbitrary DNS resource records.
 1471 
 1472 	Fixed bug which broke RA scheduling when an interface had
 1473 	two addresses in the same network. Thanks to Jim Bos for
 1474 	his help nailing this.
 1475 
 1476 version 2.61
 1477 	Re-write interface discovery code on *BSD to use
 1478 	getifaddrs. This is more portable, more straightforward,
 1479 	and allows us to find the prefix length for IPv6
 1480 	addresses.
 1481 
 1482 	Add ra-names, ra-stateless and slaac keywords for DHCPv6.
 1483 	Dnsmasq can now synthesise AAAA records for dual-stack 
 1484 	hosts which get IPv6 addresses via SLAAC. It is also now 
 1485 	possible to use SLAAC and stateless DHCPv6, and to 
 1486 	tell clients to use SLAAC addresses as well as DHCP ones.
 1487 	Thanks to Dave Taht for help with this.
 1488 
 1489 	Add --dhcp-duid to allow DUID-EN uids to be used.
 1490 
 1491 	Explicitly send DHCPv6 replies to the correct port, instead
 1492 	of relying on clients to send requests with the correct
 1493 	source address, since at least one client in the wild gets
 1494 	this wrong. Thanks to Conrad Kostecki for help tracking
 1495 	this down.
 1496 
 1497 	Send a preference value of 255 in DHCPv6 replies when 
 1498 	--dhcp-authoritative is in effect. This tells clients not
 1499 	to wait around for other DHCP servers.
 1500 
 1501 	Better logging of DHCPv6 options.
 1502 
 1503 	Add --host-record. Thanks to Rob Zwissler for the
 1504 	suggestion.
 1505 
 1506 	Invoke the DHCP script with action "tftp" when a TFTP file
 1507 	transfer completes. The size of the file, address to which
 1508 	it was sent and complete pathname are supplied. Note that
 1509 	version 2.60 introduced some script incompatibilities
 1510 	associated with DHCPv6, and this is a further change. To
 1511 	be safe, scripts should ignore unknown actions, and if
 1512 	not IPv6-aware, should exit if the environment
 1513 	variable DNSMASQ_IAID is set. The use-case for this is
 1514 	to track netboot/install.  Suggestion from Shantanu
 1515 	Gadgil.
 1516 
 1517 	Update contrib/port-forward/dnsmasq-portforward to reflect
 1518 	the above.
 1519 
 1520 	Set the environment variable DNSMASQ_LOG_DHCP when running
 1521 	the script if --log-dhcp is in effect, so that scripts can
 1522 	tailor their logging verbosity. Suggestion from Malte
 1523 	Forkel.
 1524 
 1525 	Arrange that addresses specified with --listen-address
 1526 	work even if there is no interface carrying the
 1527 	address. This is chiefly useful for IPv4 loopback
 1528 	addresses, where any address in 127.0.0.0/8 is a valid
 1529 	loopback address, but normally only 127.0.0.1 appears on
 1530 	the lo interface. Thanks to Mathieu Trudel-Lapierre for
 1531 	the idea and initial patch. 
 1532 
 1533 	Fix crash, introduced in 2.60, when a DHCPINFORM is
 1534 	received from a network which has no valid dhcp-range.
 1535 	Thanks to Stephane Glondu for the bug report.
 1536 
 1537 	Add a new DHCP lease time keyword, "deprecated" for
 1538 	--dhcp-range. This is only valid for IPv6, and sets the
 1539 	preferred lease time for both DHCP and RA to zero. The
 1540 	effect is that clients can continue to use the address 
 1541 	for existing connections, but new connections will use
 1542 	other addresses, if they exist. This makes hitless
 1543 	renumbering at least possible.
 1544 
 1545 	Fix bug in address6_available() which caused DHCPv6 lease
 1546 	acquisition to fail if more than one dhcp-range in use.
 1547 
 1548 	Provide RDNSS and DNSSL data in router advertisements,
 1549 	using the settings provided for DHCP options
 1550 	option6:domain-search and option6:dns-server.
 1551 
 1552 	Tweak logo/favicon.ico to add some transparency. Thanks to
 1553 	SamLT for work on this.
 1554 
 1555 	Don't cache data from non-recursive nameservers, since it
 1556 	may erroneously look like a valid CNAME to a non-existent
 1557 	name. Thanks to Ben Winslow for finding this.
 1558 
 1559 	Call SO_BINDTODEVICE on the DHCP socket(s) when doing DHCP
 1560 	on exactly one interface and --bind-interfaces is set. This 
 1561 	makes the OpenStack use-case of one dnsmasq per virtual
 1562 	interface work. This is only available on Linux; it's not
 1563 	supported on other platforms. Thanks to Vishvananda Ishaya
 1564 	and the OpenStack team for the suggestion.
 1565 
 1566 	Updated French translation. Thanks to Gildas Le Nadan.
 1567 
 1568 	Give correct from-cache answers to explicit CNAME queries.
 1569 	Thanks to Rob Zwissler for spotting this.
 1570 
 1571 	Add --tftp-lowercase option. Thanks to Oliver Rath for the
 1572 	patch. 
 1573 
 1574 	Ensure that the DBus DhcpLeaseUpdated events are generated
 1575 	when a lease goes through INIT_REBOOT state, even if the
 1576 	dhcp-script is not in use. Thanks to Antoaneta-Ecaterina
 1577 	Ene for the patch.
 1578 
 1579 	Fix failure of TFTP over IPv4 on OpenBSD platform. Thanks
 1580 	to Brad Smith for spotting this.
 1581 
 1582 
 1583 version 2.60
 1584 	Fix compilation problem in Mac OS X Lion. Thanks to Olaf
 1585 	Flebbe for the patch.
 1586 
 1587 	Fix DHCP when using --listen-address with an IP address
 1588 	which is not the primary address of an interface.
 1589 
 1590 	Add --dhcp-client-update option.
 1591 
 1592 	Add Lua integration. Dnsmasq can now execute a DHCP
 1593 	lease-change script written in Lua. This needs to be
 1594 	enabled at compile time by setting HAVE_LUASCRIPT in 
 1595 	src/config.h or running "make COPTS=-DHAVE_LUASCRIPT"
 1596 	Thanks to Jan-Piet Mens for the idea and proof-of-concept 
 1597 	implementation.
 1598 
 1599 	Tidied src/config.h to distinguish between
 1600 	platform-dependent compile-time options which are selected
 1601 	automatically, and builder-selectable compile time
 1602 	options. Document the latter better, and describe how to
 1603 	set them from the make command line.
 1604 
 1605 	Tidied up IPPROTO_IP/SOL_IP (and IPv6 equivalent)
 1606 	confusion. IPPROTO_IP works everywhere now.
 1607 
 1608 	Set TOS on DHCP sockets, this improves things on busy
 1609 	wireless networks. Thanks to Dave Taht for the patch.
 1610 
 1611 	Determine VERSION automatically based on git magic:
 1612 	release tags or hash values.
 1613 
 1614 	Improve start-up speed when reading large hosts files 
 1615 	containing many distinct addresses.
 1616 
 1617 	Fix problem if dnsmasq is started without the stdin,
 1618 	stdout and stderr file descriptors open. This can manifest
 1619 	itself as 100% CPU use. Thanks to Chris Moore for finding
 1620 	this.
 1621 
 1622 	Fix shell-scripting bug in bld/pkg-wrapper. Thanks to 
 1623 	Mark Mitchell for the patch.
 1624 
 1625 	Allow the TFTP server or boot server in --pxe-service, to
 1626 	be a domain name instead of an IP address. This allows for
 1627 	round-robin to multiple servers, in the same way as
 1628 	--dhcp-boot. A good suggestion from Cristiano Cumer.
 1629 
 1630 	Support BUILDDIR variable in the Makefile. Allows builds 
 1631 	for multiple archs from the same source tree with eg.
 1632 	make BUILDDIR=linux             (relative to dnsmasq tree)
 1633 	make BUILDDIR=/tmp/openbsd      (absolute path)
 1634 	If BUILDDIR is not set, compilation happens in the src
 1635 	directory, as before. Suggestion from Mark Mitchell.
 1636 
 1637 	Support DHCPv6. Support is there for the sort of things
 1638 	the existing v4 server does, including tags, options, 
 1639 	static addresses and relay support. Missing is prefix 
 1640 	delegation, which is probably not required in the dnsmasq
 1641 	niche, and an easy way to accept prefix delegations from
 1642 	an upstream DHCPv6 server, which is. Future plans include
 1643 	support for DHCPv6 router option and MAC address option
 1644 	(to make selecting clients by MAC address work like IPv4).
 1645 	These will be added as the standards mature.
 1646 	This code has been tested, but this is the first release,
 1647 	so don't bet the farm on it just yet. Many thanks to all 
 1648 	testers who have got it this far.
 1649 
 1650 	Support IPv6 router advertisements. This is a
 1651 	simple-minded implementation, aimed at providing the
 1652 	vestigial RA needed to go alongside IPv6. It picks up
 1653 	configuration from the DHCPv6 conf, and should just need
 1654 	enabling with --enable-ra.   
 1655 
 1656 	Fix long-standing wrinkle with --localise-queries that
 1657 	could result in wrong answers when DNS packets arrive
 1658 	via an interface other than the expected one. Thanks to 
 1659 	Lorenzo Milesi and John Hanks for spotting this one.
 1660 
 1661 	Update French translation. Thanks to Gildas Le Nadan.
 1662 
 1663 	Update Polish translation. Thanks to Jan Psota.
 1664 
 1665 
 1666 version 2.59
 1667 	Fix regression in 2.58 which caused failure to start up
 1668 	with some combinations of dnsmasq config and IPv6 kernel
 1669 	network config. Thanks to Brielle Bruns for the bug
 1670 	report.
 1671 
 1672 	Improve dnsmasq's behaviour when network interfaces are
 1673 	still doing duplicate address detection (DAD). Previously,
 1674 	dnsmasq would wait up to 20 seconds at start-up for the
 1675 	DAD state to terminate. This is broken for bridge
 1676 	interfaces on recent Linux kernels, which don't start DAD
 1677 	until the bridge comes up, and so can take arbitrary
 1678 	time. The new behaviour lets dnsmasq poll for an arbitrary
 1679 	time whilst providing service on other interfaces. Thanks
 1680 	to Stephen Hemminger for pointing out the problem.
 1681 
 1682 
 1683 version 2.58
 1684 	Provide a definition of the SA_SIZE macro where it's 
 1685 	missing. Fixes build failure on openBSD.
 1686 
 1687 	Don't include a zero terminator at the end of messages
 1688 	sent to /dev/log when /dev/log is a datagram socket.
 1689 	Thanks to Didier Rabound for spotting the problem.
 1690 
 1691 	Add --dhcp-sequential-ip flag, to force allocation of IP
 1692 	addresses in ascending order. Note that the default
 1693 	pseudo-random mode is in general better but some
 1694 	server-deployment applications need this.
 1695 
 1696 	Fix problem where a server-id of 0.0.0.0 is sent to a
 1697 	client when a dhcp-relay is in use if a client renews a
 1698 	lease after dnsmasq restart and before any clients on the
 1699 	subnet get a new lease. Thanks to Mike Ruiz for assistance
 1700 	in chasing this one down. 
 1701 
 1702 	Don't return NXDOMAIN to an AAAA query if we have CNAME
 1703 	which points to an A record only: NODATA is the correct
 1704 	reply in this case. Thanks to Tom Fernandes for spotting
 1705 	the problem.
 1706 
 1707 	Relax the need to supply a netmask in --dhcp-range for
 1708 	networks which use a DHCP relay. Whilst this is still
 1709 	desirable, in the absence of a netmask dnsmasq will use
 1710 	a default based on the class (A, B, or C) of the address. 
 1711 	This should at least remove a cause of mysterious failure 
 1712 	for people using RFC1918 addresses and relays.
 1713 
 1714 	Add support for Linux conntrack connection marking. If 
 1715 	enabled with --conntrack, the connection mark for incoming
 1716 	DNS queries will be copied  to the outgoing connections
 1717 	used to answer those queries. This allows clever firewall
 1718 	and accounting stuff. Only available if dnsmasq is
 1719 	compiled with HAVE_CONNTRACK and adds a dependency on 
 1720 	libnetfilter-conntrack. Thanks to Ed Wildgoose for the
 1721 	initial idea, testing and sponsorship of this function.
 1722 
 1723 	Provide a sane error message when someone attempts to 
 1724 	match a tag in --dhcp-host.
 1725 
 1726 	Tweak the behaviour of --domain-needed, to avoid problems
 1727 	with recursive nameservers downstream of dnsmasq. The new
 1728 	behaviour only stops A and AAAA queries, and returns
 1729 	NODATA rather than NXDOMAIN replies. 
 1730 
 1731 	Efficiency fix for very large DHCP configurations, thanks
 1732 	to James Gartrell and Mike Ruiz for help with this. 
 1733 
 1734 	Allow the TFTP-server address in --dhcp-boot to be a
 1735 	domain-name which is looked up in /etc/hosts. This can 
 1736 	give multiple IP addresses which are used round-robin,
 1737 	thus doing TFTP server load-balancing. Thanks to Sushil
 1738 	Agrawal for the patch.
 1739 
 1740 	When two tagged dhcp-options for a particular option
 1741 	number are both valid, use the one which is valid without
 1742 	a tag from the dhcp-range. Allows overriding of the value
 1743 	of a DHCP option for a particular host as well as
 1744 	per-network values.  So 
 1745 	--dhcp-range=set:interface1,......
 1746 	--dhcp-host=set:myhost,.....  
 1747 	--dhcp-option=tag:interface1,option:nis-domain,"domain1" 
 1748 	--dhcp-option=tag:myhost,option:nis-domain,"domain2" 
 1749 	will set the NIS-domain to domain1 for hosts in the range, but
 1750 	override that to domain2 for a particular host.
 1751 
 1752 	Fix bug which resulted in truncated files and timeouts for
 1753 	some TFTP transfers. The bug only occurs with netascii
 1754 	transfers and needs an unfortunate relationship between
 1755 	file size, blocksize and the number of newlines in the
 1756 	last block before it manifests itself. Many thanks to 
 1757 	Alkis Georgopoulos for spotting the problem and providing
 1758 	a comprehensive test-case. 
 1759 
 1760 	Fix regression in TFTP server on *BSD platforms introduced
 1761 	in version 2.56, due to confusion with sockaddr
 1762 	length. Many thanks to Loic Pefferkorn for finding this.
 1763 
 1764 	Support scope-ids in IPv6 addresses of nameservers from
 1765 	/etc/resolv.conf and in --server options. Eg
 1766 	nameserver fe80::202:a412:4512:7bbf%eth0 or
 1767 	server=fe80::202:a412:4512:7bbf%eth0. Thanks to 
 1768 	Michael Stapelberg for the suggestion.
 1769 
 1770 	Update Polish translation, thanks to Jan Psota.
 1771 
 1772 	Update French translation. Thanks to Gildas Le Nadan.
 1773 
 1774 
 1775 version 2.57
 1776 	Add patches to allow build under Android.
 1777 
 1778 	Provide our own header for the DNS protocol, rather than
 1779 	relying on arpa/nameser.h. This has proved more or less
 1780 	defective over the years and the final straw is that it's
 1781 	effectively empty on Android.
 1782 
 1783 	Fix regression in 2.56 which caused hex constants in
 1784 	configuration to be rejected if they contain the '*'
 1785 	wildcard.
 1786 
 1787 	Correct wrong casts of arguments to ctype.h functions,
 1788 	isdigit(), isxdigit() etc. Thanks to Matthias Andree for
 1789 	spotting this.
 1790 
 1791 	Allow build with IDN support independently from i18n. 
 1792 	IDN support continues to be included automatically 
 1793 	when i18n is included. 
 1794 	'make COPTS=-DHAVE_IDN' is the magic incantation. 
 1795 
 1796 	Modify check on extraneous command line junk (added in
 1797 	2.56) so that it doesn't complain about extra _empty_ 
 1798 	arguments. Otherwise this breaks libvirt.
 1799 
 1800 
 1801 version 2.56
 1802 	Add a patch to allow dnsmasq to get interface names right in a
 1803 	Solaris zone. Thanks to Dj Padzensky for this.
 1804 
 1805 	Improve data-type parsing heuristics so that
 1806 	--dhcp-option=option:domain-search,. 
 1807 	treats the value as a string and not an IP address.
 1808 	Thanks to Clemens Fischer for spotting that.
 1809 
 1810 	Add IPv6 support to the TFTP server. Many thanks to Jan 
 1811 	'RedBully' Seiffert for the patches.
 1812 
 1813 	Log DNS queries at level LOG_INFO, rather than
 1814 	LOG_DEBUG. This makes things consistent with DHCP
 1815 	logging. Thanks to Adam Pribyl for spotting the problem.
 1816 
 1817 	Ensure that dnsmasq terminates cleanly when using
 1818 	--syslog-async even if it cannot make a connection to the
 1819 	syslogd.
 1820 
 1821 	Add --add-mac option. This is to support currently 
 1822 	experimental DNS filtering facilities. Thanks to Benjamin
 1823 	Petrin for the original patch. 
 1824 
 1825 	Fix bug which meant that tags were ignored in dhcp-range
 1826 	configuration specifying PXE-proxy service. Thanks to
 1827 	Cristiano Cumer for spotting this.
 1828 
 1829 	Raise an error if there is extra junk, not part of an
 1830 	option, on the command line.
 1831 
 1832 	Flag a couple of log messages in cache.c as coming from
 1833 	the DHCP subsystem. Thanks to Olaf Westrik for the patch.
 1834 
 1835 	Omit timestamps from logs when a) logging to stderr and 
 1836 	b) --keep-in-foreground is set. The logging facility on the
 1837 	other end of stderr can be assumed to supply them. Thanks
 1838 	to John Hallam for the patch.
 1839 
 1840 	Don't complain about strings longer than 255 characters in
 1841 	--txt-record, just split the long strings into 255
 1842 	character chunks instead.
 1843 
 1844 	Fix crash on double-free. This bug can only happen when
 1845 	dhcp-script is in use and then only in rare circumstances
 1846 	triggered by high DHCP transaction rate and a slow
 1847 	script. Thanks to Ferenc Wagner for finding the problem.
 1848 
 1849 	Only log that a file has been sent by TFTP after the
 1850 	transfer has completed successfully. 
 1851 
 1852 	A good suggestion from Ferenc Wagner: extend
 1853 	the --domain option to allow this sort of thing:
 1854 	--domain=thekelleys.org.uk,192.168.0.0/24,local
 1855 	which automatically creates
 1856 	--local=/thekelleys.org.uk/
 1857 	--local=/0.168.192.in-addr.arpa/ 
 1858 
 1859 	Tighten up syntax checking of hex constants in the config
 1860 	file.  Thanks to Fred Damen for spotting this.
 1861 
 1862 	Add dnsmasq logo/icon, contributed by Justin Swift. Many
 1863 	thanks for that.
 1864 
 1865 	Never cache DNS replies which have the 'cd' bit set, or
 1866 	which result from queries forwarded with the 'cd' bit
 1867 	set. The 'cd' bit instructs a DNSSEC validating server
 1868 	upstream to ignore signature failures and return replies
 1869 	anyway. Without this change it's possible to pollute the
 1870 	dnsmasq cache with bad data by making a query with the
 1871 	'cd' bit set and subsequent queries would return this data
 1872 	without its being marked as suspect. Thanks to Anders
 1873 	Kaseorg for pointing out this problem.
 1874 
 1875 	Add --proxy-dnssec flag, for compliance with RFC
 1876 	4035. Dnsmasq will now clear the 'ad' bit in answers returned
 1877 	from upstream validating nameservers unless this option is
 1878 	set.
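
The two entries above ('cd' bit caching and --proxy-dnssec) both come down to decisions made on the DNS header flag bits. The following is an added illustration, not dnsmasq source code: the function names and the sample headers are hypothetical and constructed here, and only the 12-byte header is inspected.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN 12
#define FLAG_QR 0x8000   /* message is a response */
#define FLAG_AD 0x0020   /* authenticated data (set by a validating server) */
#define FLAG_CD 0x0010   /* checking disabled (ignore signature failures) */

/* Constructed sample headers: ID 0x1234, one question, no other records. */
const unsigned char Q_PLAIN[DNS_HDR_LEN]     = {0x12,0x34,0x01,0x00,0,1,0,0,0,0,0,0}; /* RD */
const unsigned char Q_CD[DNS_HDR_LEN]        = {0x12,0x34,0x01,0x10,0,1,0,0,0,0,0,0}; /* RD|CD */
const unsigned char R_VALIDATED[DNS_HDR_LEN] = {0x12,0x34,0x81,0xa0,0,1,0,0,0,0,0,0}; /* QR|RD|RA|AD */
const unsigned char R_CD[DNS_HDR_LEN]        = {0x12,0x34,0x81,0x90,0,1,0,0,0,0,0,0}; /* QR|RD|RA|CD */

/* Read the 16-bit flags word (bytes 2-3, network order). Returns 0 if the
   packet is too short to hold a DNS header. */
static int get_flags(const unsigned char *pkt, size_t len, uint16_t *flags)
{
  if (len < DNS_HDR_LEN)
    return 0;
  *flags = (uint16_t)((pkt[2] << 8) | pkt[3]);
  return 1;
}

/* Cache policy from the changelog entry: never cache a reply that has CD
   set, or that answers a query which was forwarded with CD set. Such data
   may have failed DNSSEC validation upstream, and serving it from the cache
   to later clients would hide that fact. */
int reply_is_cacheable(const unsigned char *fwd_query, size_t qlen,
                       const unsigned char *reply, size_t rlen)
{
  uint16_t qf, rf;

  if (!get_flags(fwd_query, qlen, &qf) || !get_flags(reply, rlen, &rf))
    return 0;                       /* malformed: do not cache */
  if (!(rf & FLAG_QR))
    return 0;                       /* not a response at all */
  if ((qf & FLAG_CD) || (rf & FLAG_CD))
    return 0;                       /* unvalidated data must not be cached */
  return 1;
}

/* AD handling from the --proxy-dnssec entry: clear AD in the reply passed
   back to the client unless the (hypothetical) proxy_dnssec setting is on.
   Returns the resulting AD bit (0 or 1), or -1 for a short packet. */
int finalise_ad_bit(unsigned char *reply, size_t rlen, int proxy_dnssec)
{
  uint16_t rf;

  if (!get_flags(reply, rlen, &rf))
    return -1;
  if (!proxy_dnssec)
    reply[3] &= (unsigned char)~FLAG_AD;
  return (reply[3] & FLAG_AD) ? 1 : 0;
}

int main(void)
{
  unsigned char r[DNS_HDR_LEN];

  printf("plain query, validated reply: cacheable=%d\n",
         reply_is_cacheable(Q_PLAIN, sizeof Q_PLAIN, R_VALIDATED, sizeof R_VALIDATED));
  printf("cd query, cd reply:           cacheable=%d\n",
         reply_is_cacheable(Q_CD, sizeof Q_CD, R_CD, sizeof R_CD));

  memcpy(r, R_VALIDATED, sizeof r);
  printf("AD without proxy-dnssec: %d\n", finalise_ad_bit(r, sizeof r, 0));
  memcpy(r, R_VALIDATED, sizeof r);
  printf("AD with proxy-dnssec:    %d\n", finalise_ad_bit(r, sizeof r, 1));
  return 0;
}
```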
 1879 
 1880 	Allow a filename of "-" for --conf-file to read
 1881 	stdin. Suggestion from Timothy Redaelli.
 1882 
 1883 	Rotate the order of SRV records in replies, to provide
 1884 	round-robin load balancing when all the priorities are
 1885 	equal. Thanks to Peter McKinney for the suggestion. 
 1886 
 1887 	Edit
 1888 	contrib/MacOSX-launchd/uk.org.thekelleys.dnsmasq.plist 
 1889 	so that it doesn't log all queries to a file by
 1890 	default. Thanks again to Peter McKinney.    
 1891 
 1892 	By default, setting an IPv4 address for a domain but not
 1893 	an IPv6 address causes dnsmasq to return
 1894 	a NODATA reply for IPv6 (or vice-versa). So
 1895 	--address=/google.com/1.2.3.4 stops IPv6 queries for
 1896 	*google.com from being forwarded. Make it possible to
 1897 	override this behaviour by defining the semantics if the
 1898 	same domain appears in  both --server and --address.
 1899 	In that case, the --address has priority for the address
 1900 	family in which it appears, but the --server has priority
 1901 	of the address family which doesn't appear in --address  
 1902 	So:
 1903 	--address=/google.com/1.2.3.4
 1904 	--server=/google.com/#
 1905 	will return 1.2.3.4 for IPv4 queries for *.google.com but
 1906 	forward IPv6 queries to the normal upstream nameserver.
 1907 	Similarly when setting an IPv6 address
 1908 	only this will allow forwarding of IPv4 queries. Thanks to
 1909 	William for pointing out the need for this.
 1910 
 1911 	Allow more than one --dhcp-optsfile and --dhcp-hostsfile
 1912 	and make them understand directories as arguments in the
 1913 	same way as --addn-hosts. Suggestion from John Hanks. 
 1914 
 1915 	Ignore rebinding requests for leases we don't know
 1916 	about. Rebind is broadcast, so we might get to overhear a
 1917 	request meant for another DHCP server. NAKing this is
 1918 	wrong. Thanks to Brad D'Hondt for assistance with this.
 1919 
 1920 	Fix cosmetic bug which produced strange output when
 1921 	dumping cache statistics with some configurations. Thanks
 1922 	to Fedor Kozhevnikov for spotting this.
 1923 
 1924 
 1925 version 2.55
 1926 	Fix crash when /etc/ethers is in use. Thanks to 
 1927 	Gianluigi Tiesi for finding this.
 1928 
 1929 	Fix crash in netlink_multicast(). Thanks to Arno Wald for
 1930 	finding this one.
 1931 
 1932 	Allow the empty domain "." in dhcp domain-search (119)
 1933 	options. 
 1934 
 1935 
 1936 version 2.54
 1937 	There is no version 2.54 to avoid confusion with 2.53,
 1938 	which incorrectly identifies itself as 2.54.
 1939 
 1940 
 1941 version 2.53
 1942 	Fix failure to compile on Debian/kFreeBSD. Thanks to 
 1943 	Axel Beckert and Petr Salinger.
 1944 
 1945 	Fix code to avoid scary strict-aliasing warnings
 1946 	generated by gcc 4.4.
 1947 	
 1948 	Added FAQ entry warning about DHCP failures with Vista
 1949 	when firewalls block 255.255.255.255.
 1950 	
 1951 	Fixed bug which caused bad things to happen if a 
 1952 	resolv.conf file which exists is subsequently removed.
 1953 	Thanks to Nikolai Saoukh for the patch.
 1954 
 1955 	Rationalised the DHCP tag system. Every configuration item
 1956 	which can set a tag does so by adding "set:<tag>" and
 1957 	every configuration item which is conditional on a tag is
 1958 	made so by "tag:<tag>". The NOT operator changes to '!',
 1959 	which is a bit more intuitive too. Dhcp-host directives
 1960 	can set more than one tag now. The old '#' NOT, 
 1961 	"net:" prefix and no-prefixes are still honoured, so 
 1962 	no existing config file needs to be changed, but 
 1963 	the documentation and new-style config files should be 
 1964 	much less confusing. 
 1965 
 1966 	Added --tag-if to allow boolean operations on tags. 
 1967 	This allows complicated logic to be clearer and more 
 1968 	general. A great suggestion from Richard Voigt. 
 1969 
 1970 	Add broadcast/unicast information to DHCP logging.
 1971 
 1972 	Allow --dhcp-broadcast to be unconditional.
 1973 
 1974 	Fixed incorrect behaviour with NOT <tag> conditionals in
 1975 	dhcp-options. Thanks to Max Turkewitz for assistance
 1976 	finding this.
 1977 
 1978 	If we send vendor-class encapsulated options based on the
 1979 	vendor-class supplied by the client, and no explicit 
 1980 	vendor-class option is given, echo back the vendor-class
 1981 	from the client.
 1982 	
 1983 	Fix bug which stopped dnsmasq from matching both a
 1984 	circuitid and a remoteid. Thanks to Ignacio Bravo for
 1985 	finding this.
 1986 
 1987 	Add --dhcp-proxy, which makes it possible to configure
 1988 	dnsmasq to use a DHCP relay agent as a full proxy, with
 1989 	all DHCP messages passing through the proxy. This is
 1990 	useful if the relay adds extra information to the packets
 1991 	it forwards, but cannot be configured with the RFC 5107 
 1992 	server-override option.
 1993 
 1994 	Added interface:<iface name> part to dhcp-range. The
 1995 	semantics of this are very odd at first sight, but it
 1996 	allows a single line  of the form
 1997 	dhcp-range=interface:virt0,192.168.0.4,192.168.0.200
 1998 	to be added to dnsmasq configuration which then supplies
 1999 	DHCP and DNS services to that interface, without affecting
 2000 	what services are supplied to other interfaces and 
 2001 	irrespective of the existence or lack of 
 2002 	interface=<interface> 
 2003 	lines elsewhere in the dnsmasq configuration. The idea is
 2004 	that such a line can be added automatically by libvirt
 2005 	or equivalent systems, without disturbing any manual
 2006 	configuration.
 2007 
 2008 	Similarly to the above, allow --enable-tftp=<interface>
 2009 
 2010 	Allow a TFTP root to be set separately for requests via
 2011 	different interfaces, --tftp-root=<path>,<interface>             
 2012 
 2013 	Correctly handle and log clashes between CNAMES and 
 2014 	DNS names being given to DHCP leases. This fixes a bug 
 2015 	which caused nonsense IP addresses to be logged. Thanks to 
 2016 	Sergei Zhirikov for finding and analysing the problem.
 2017 
 2018 	Tweak flush_log so as to avoid leaving the log
 2019 	file in non-blocking mode. O_NONBLOCK is a property of the
 2020 	file, not the process/descriptor.
 2021 
 2022 	Fix contrib/Solaris10/create_package
 2023 	(/usr/man -> /usr/share/man) Thanks to Vita Batrla.
 2024 
 2025 	Fix a problem where, if a client got a lease, then went
 2026 	to another subnet and got another lease, then moved back,
 2027 	it couldn't resume the old lease, but would instead get 
 2028 	a new address. Thanks to Leonardo Rodrigues for spotting
 2029 	this and testing the fix.
 2030 
 2031 	Fix weird bug which sometimes omitted certain characters
 2032 	from the start of quoted strings in dhcp-options. Thanks
 2033 	to Dayton Turner for spotting the problem.
 2034 
 2035 	Add facility to redirect some domains to the standard
 2036 	upstream servers: this allows something like 
 2037 	--server=/google.com/1.2.3.4 --server=/www.google.com/#
 2038 	which will send queries for *.google.com to 1.2.3.4,
 2039 	except *www.google.com which will be forwarded as usual.
 2040 	Thanks to AJ Weber for prompting this addition.
 2041 
 2042 	Improve the hash-algorithm used to generate IP addresses
 2043 	from MAC addresses during initial DHCP address
 2044 	allocation. This improves performance when large numbers
 2045 	of hosts with similar MAC addresses all try and get an IP
 2046 	address at the same time. Thanks to Paul Smith for his
 2047 	work on this.
 2048 
 2049 	Tweak DHCP code so that --bridge-interface can be used to
 2050 	select which IP alias of an interface should be used for
 2051 	DHCP purposes on Linux. If eth0 has an alias eth0:dhcp
 2052 	then adding  --bridge-interface=eth0:dhcp,eth0 will use 
 2053 	the address of eth0:dhcp to determine the correct subnet 
 2054 	for DHCP address allocation. Thanks to Pawel Golaszewski 
 2055 	for prompting this and Eric Cooper for further testing.
 2056 
 2057 	Add --dhcp-generate-names. Suggestion by Ferenc Wagner.
 2058 
 2059 	Tweak DNS server selection algorithm when there is more
 2060 	than one server available for a domain, eg.
 2061 	--server=/mydomain/1.1.1.1
 2062 	--server=/mydomain/2.2.2.2
 2063 	Thanks to Alberto Cuesta-Canada for spotting a weakness
 2064 	here.
 2065 
 2066 	Add --max-ttl. Thanks to Fredrik Ringertz for the patch.
 2067 
 2068 	Allow --log-facility=- to force all logging to
 2069 	stderr. Suggestion from Clemens Fischer.
 2070 
 2071 	Fix regression which caused configuration like
 2072 	--address=/.domain.com/1.2.3.4 to be rejected. The dot to the 
 2073 	left of the domain has been implied and not required for a
 2074 	long time, but it should be accepted for backward
 2075 	compatibility. Thanks to Andrew Burcin for spotting this.
 2076 
 2077 	Add --rebind-domain-ok and --rebind-localhost-ok.
 2078 	Suggestion from Clemens Fischer.
 2079 
 2080 	Log replies to queries of type TXT, when --log-queries 
 2081 	is set.
 2082 
 2083 	Fix compiler warnings when compiled with -DNO_DHCP. Thanks
 2084 	to Shantanu Gadgil for the patch.
 2085 
 2086 	Updated French translation. Thanks to Gildas Le Nadan.
 2087 
 2088 	Updated Polish translation. Thanks to Jan Psota.
 2089 
 2090 	Updated German translation. Thanks to Matthias Andree.
 2091 
 2092 	Added contrib/static-arp, thanks to Darren Hoo.
 2093 
 2094 	Fix corruption of the domain when a name from /etc/hosts
 2095 	overrides one supplied by a DHCP client. Thanks to Fedor
 2096 	Kozhevnikov for spotting the problem.
 2097 
 2098 	Updated Spanish translation. Thanks to Chris Chatham.
 2099 
 2100 
 2101 version 2.52
 2102 	Work around a Linux kernel bug which insists that the 
 2103 	length of the option passed to setsockopt must be at least
 2104 	sizeof(int) bytes, even if we're calling SO_BINDTODEVICE
 2105 	and the device name is "lo".  Note that this is fixed 
 2106 	in kernel 2.6.31, but the workaround is harmless and 
 2107 	allows earlier kernels to be used. Also fix dnsmasq 
 2108 	bug which reported the wrong address when this failed. 
 2109 	Thanks to Fedor for finding this.
 2110 
 2111 	The API for IPv6 PKTINFO changed around Linux kernel
 2112 	2.6.14. Work around the case where dnsmasq is compiled
 2113 	against newer headers, but then run on an old kernel:
 2114 	necessary for some *WRT distros.
 2115 
 2116 	Re-read the set of network interfaces when re-loading
 2117 	/etc/resolv.conf if --bind-interfaces is not set. This
 2118 	handles the case that loopback interfaces do not exist
 2119 	when dnsmasq is first started.
 2120 
 2121 	Tweak the PXE code to support port 4011. This should
 2122 	reduce broadcasts and make things more reliable when other
 2123 	servers are around. It also improves inter-operability
 2124 	with certain clients.
 2125 
 2126 	Make a pxe-service configuration with no filename or boot 
 2127 	service type legal: this does a local boot. eg.
 2128 	pxe-service=x86PC, "Local boot" 
 2129 
 2130 	Be more conservative in detecting "A for A"
 2131 	queries. Dnsmasq checks if the name in a type=A query looks
 2132 	like a dotted-quad IP address and answers the query itself
 2133 	if so, rather than forwarding it. Previously dnsmasq
 2134 	relied on the library function inet_addr() to convert
 2135 	addresses, and that will accept some things which are
 2136 	confusing in this context, like 1.2.3 or even just
 2137 	1234. Now we only do A for A processing for four decimal
 2138 	numbers delimited by dots.
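
The difference described in the "A for A" entry above, as an added C example (not dnsmasq's own code). inet_addr_accepts() wraps the lenient library call; is_dotted_quad() is a hypothetical strict check, and its 0-255 limit per field is an assumption the changelog does not state.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <netinet/in.h>
#include <stdio.h>

/* Lenient test: whatever inet_addr() is willing to convert.
   Note inet_addr() cannot report 255.255.255.255, which equals INADDR_NONE. */
int inet_addr_accepts(const char *name)
{
    return inet_addr(name) != INADDR_NONE;
}

/* Strict test: exactly four decimal numbers delimited by dots.
   Assumption: each number is at most three digits and at most 255. */
int is_dotted_quad(const char *name)
{
    const char *p = name;
    int fields = 0;

    for (;;) {
        unsigned value = 0;
        int digits = 0;

        while (isdigit((unsigned char)*p)) {
            value = value * 10 + (unsigned)(*p - '0');
            if (++digits > 3 || value > 255)
                return 0;
            p++;
        }
        if (digits == 0)        /* empty field: "", "1..2.3", trailing dot */
            return 0;
        fields++;
        if (*p != '.')
            break;
        if (fields == 4)        /* a fifth field would follow */
            return 0;
        p++;
    }
    return fields == 4 && *p == '\0';
}

int main(void)
{
    /* Constructed sample query names. */
    const char *samples[] = { "1.2.3.4", "1.2.3", "1234", "1.2.3.4.5", "1.2.3.4x" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-10s inet_addr=%d strict=%d\n", samples[i],
               inet_addr_accepts(samples[i]), is_dotted_quad(samples[i]));
    return 0;
}
```

Names such as 1.2.3 and 1234 pass the lenient test but fail the strict one, so only the strict test keeps them from being answered locally as if they were addresses.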
 2139 
 2140 	A couple of tweaks to fix compilation on Solaris. Thanks
 2141 	to Joel Macklow for help with this.
 2142 
 2143 	Another Solaris compilation tweak, needed for Solaris
 2144 	2009.06. Thanks to Lee Essen for that.
 2145 
 2146 	Added extract packaging stuff from Lee Essen to 
 2147 	contrib/Solaris10.
 2148 
 2149 	Increased the default limit on number of leases to 1000
 2150 	(from 150). This is mainly a defence against DoS attacks,
 2151 	and for the average "one or two class C networks"
 2152 	installation, IP address exhaustion does that just as
 2153 	well. Making the limit greater than the number of IP
 2154 	addresses available in such an installation removes a
 2155 	surprise which otherwise can catch people out.
 2156 
 2157 	Removed extraneous trailing space in the value of the
 2158 	DNSMASQ_TIME_REMAINING DNSMASQ_LEASE_LENGTH and
 2159 	DNSMASQ_LEASE_EXPIRES environment variables. Thanks to
 2160 	Gildas Le Nadan for spotting this.
 2161 
 2162 	Provide the network-id tags for a DHCP transaction to 
 2163 	the lease-change script in the environment variable
 2164 	DNSMASQ_TAGS. A good suggestion from Gildas Le Nadan.  
 2165 
 2166 	Add support for RFC3925 "Vendor-Identifying Vendor
 2167 	Options". The syntax looks like this:  
 2168 	--dhcp-option=vi-encap:<enterprise number>, .........
 2169 
 2170 	Add support to --dhcp-match to allow matching against
 2171 	RFC3925 "Vendor-Identifying Vendor Classes". The syntax
 2172 	looks like this:
 2173 	--dhcp-match=tag,vi-encap<enterprise number>, <value>
 2174 
 2175 	Add some application specific code to assist in
 2176 	implementing the Broadband forum TR069 CPE-WAN
 2177 	specification. The details are in contrib/CPE-WAN/README
 2178 
 2179 	Increase the default DNS packet size limit to 4096, as
 2180 	recommended by RFC5625 section 4.4.3. This can be
 2181 	reconfigured using --edns-packet-max if needed. Thanks to
 2182 	Francis Dupont for pointing this out.
 2183 
 2184 	Rewrite query-ids even for TSIG signed packets, since
 2185 	this is allowed by RFC5625 section 4.5.
 2186 
 2187 	Use getopt_long by default on OS X. It has been supported
 2188 	since version 10.3.0. Thanks to Arek Dreyer for spotting
 2189 	this.
 2190 
 2191 	Added up-to-date startup configuration for MacOSX/launchd
 2192 	in contrib/MacOSX-launchd. Thanks to Arek Dreyer for
 2193 	providing this.
 2194 
 2195 	Fix link error when including Dbus but excluding DHCP. 
 2196 	Thanks to Oschtan for the bug report.
 2197 
 2198 	Updated French translation. Thanks to Gildas Le Nadan.
 2199 
 2200 	Updated Polish translation. Thanks to Jan Psota.
 2201 
 2202 	Updated Spanish translation. Thanks to Chris Chatham.
 2203 
 2204 	Fixed confusion about domains, when looking up DHCP hosts
 2205 	in /etc/hosts. This could cause spurious "Ignoring
 2206 	domain..." messages. Thanks to Fedor Kozhevnikov for
 2207 	finding and analysing the problem.
 2208 
 2209 
 2210 version 2.51
 2211 	Add support for internationalised DNS. Non-ASCII characters
 2212 	in domain names found in /etc/hosts, /etc/ethers and 
 2213 	/etc/dnsmasq.conf will be correctly handled by translation to
 2214 	punycode, as specified in RFC3490. This function is only
 2215 	available if dnsmasq is compiled with internationalisation
 2216 	support, and adds a dependency on GNU libidn. Without i18n
 2217 	support, dnsmasq continues to be compilable with just
 2218 	standard tools. Thanks to Yves Dorfsman for the
 2219 	suggestion. 
 2220 
 2221 	Add two more environment variables for lease-change scripts:
 2222 	First, DNSMASQ_SUPPLIED_HOSTNAME; this is set to the hostname
 2223 	supplied by a client, even if the actual hostname used is
 2224 	over-ridden by dhcp-host or dhcp-ignore-names directives.
 2225 	Also DNSMASQ_RELAY_ADDRESS which gives the address of 
 2226 	a DHCP relay, if used.
 2227 	Suggestions from Michael Rack.
 2228 
 2229 	Fix regression which broke echo of relay-agent
 2230 	options. Thanks to Michael Rack for spotting this.
 2231 
 2232 	Don't treat option 67 as being interchangeable with
 2233 	dhcp-boot parameters if it's specified as
 2234 	dhcp-option-force.
 2235 
 2236 	Make the code to call scripts on lease-change compile-time
 2237 	optional. It can be switched off by editing src/config.h
 2238 	or building with "make COPTS=-DNO_SCRIPT".
 2239 
 2240 	Make the TFTP server cope with filenames from Windows/DOS
 2241 	which use '\' as pathname separator. Thanks to Ralf for
 2242 	the patch.
 2243 
 2244 	Updated Polish translation. Thanks to Jan Psota.
 2245 
 2246 	Warn if an IP address is duplicated in /etc/ethers. Thanks
 2247 	to Felix Schwarz for pointing this out.
 2248 
 2249 	Teach --conf-dir to take an optional list of file suffixes
 2250 	which will be ignored when scanning the directory. Useful
 2251 	for backup files etc. Thanks to Helmut Hullen for the
 2252 	suggestion. 
 2253 
 2254 	Add new DHCP option named tftpserver-address, which
 2255 	corresponds to the third argument of dhcp-boot. This
 2256 	allows the complete functionality of dhcp-boot to be
 2257 	replicated with dhcp-option. Useful when using 
 2258 	dhcp-optsfile.
 2259 
 2260 	Test which upstream nameserver to use every 10 seconds
 2261 	or 50 queries and not just when a query times out and 
 2262 	is retried. This should improve performance when there
 2263 	is a slow nameserver in the list. Thanks to Joe for the
 2264 	suggestion. 
 2265 
 2266 	Don't do any PXE processing, even for clients with the 
 2267 	correct vendorclass, unless at least one pxe-prompt or 
 2268 	pxe-service option is given. This stops dnsmasq 
 2269 	interfering with proxy PXE subsystems when it is just 
 2270 	the DHCP server. Thanks to Spencer Clark for spotting this.
 2271 
 2272 	Limit the blocksize used for TFTP transfers to a value
 2273 	which avoids packet fragmentation, based on the MTU of the
 2274 	local interface. Many netboot ROMs can't cope with
 2275 	fragmented packets.
 2276 
 2277 	Honour dhcp-ignore configuration for PXE and proxy-PXE 
 2278 	requests. Thanks to Niels Basjes for the bug report.
 2279 
 2280 	Updated French translation. Thanks to Gildas Le Nadan.
 2281 
 2282 
 2283 version 2.50
 2284 	Fix security problem which allowed any host permitted to 
 2285 	do TFTP to possibly compromise dnsmasq by remote buffer 
 2286 	overflow when TFTP enabled. Thanks to Core Security 
 2287 	Technologies and Iván Arce, Pablo Hernán Jorge, Alejandro 
 2288 	Pablo Rodriguez, Martín Coco, Alberto Soliño Testa and
 2289 	Pablo Annetta. This problem has Bugtraq id: 36121 
 2290 	and CVE: 2009-2957
 2291 
 2292 	Fix a problem which allowed a malicious TFTP client to 
 2293 	crash dnsmasq. Thanks to Steve Grubb at Red Hat for 
 2294 	spotting this. This problem has Bugtraq id: 36120 and 
 2295 	CVE: 2009-2958
 2296 
 2297 
 2298 version 2.49
 2299 	Fix regression in 2.48 which disables the lease-change
 2300 	script. Thanks to Jose Luis Duran for spotting this.
 2301 
 2302 	Log TFTP "file not found" errors. These were not logged,
 2303 	since a normal PXELinux boot generates many of them, but
 2304 	the lack of the messages seems to be more confusing than
 2305 	routinely seeing them when there is no real error.
 2306 
 2307 	Update Spanish translation. Thanks to Chris Chatham.
 2308 
 2309 
 2310 version 2.48
 2311 	Archived the extensive, backwards, changelog to
 2312 	CHANGELOG.archive. The current changelog now runs from
 2313 	version 2.43 and runs conventionally.
 2314 
 2315 	Fixed bug which broke binding of servers to physical
 2316 	interfaces when interface names were longer than four
 2317 	characters. Thanks to MURASE Katsunori for the patch.
 2318 
 2319 	Fixed netlink code to check that messages come from the
 2320 	correct source, and not another userspace process. Thanks
 2321 	to Steve Grubb for the patch.
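
One way to implement the netlink source check from the entry above, as an added C example for Linux (not dnsmasq's own code). It relies on the fact that the kernel's netlink port id (nl_pid) is always 0; the function names and the constructed sample addresses are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <linux/netlink.h>

/* Return 1 only if the sender address filled in by recvmsg() is the kernel. */
int netlink_sender_is_kernel(const struct msghdr *msg)
{
    const struct sockaddr_nl *from = msg->msg_name;

    if (from == NULL || msg->msg_namelen < sizeof(*from))
        return 0;               /* no usable sender address: do not trust */
    if (from->nl_family != AF_NETLINK)
        return 0;
    return from->nl_pid == 0;   /* any other port id is a userspace process */
}

/* Receive one netlink datagram and drop it unless the kernel sent it.
   Returns the byte count, 0 if the message was dropped, -1 on error. */
ssize_t recv_from_kernel(int fd, void *buf, size_t len)
{
    struct sockaddr_nl from;
    struct iovec iov = { .iov_base = buf, .iov_len = len };
    struct msghdr msg;
    ssize_t n;

    memset(&from, 0, sizeof(from));
    memset(&msg, 0, sizeof(msg));
    msg.msg_name = &from;
    msg.msg_namelen = sizeof(from);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;

    do {
        n = recvmsg(fd, &msg, 0);
    } while (n == -1 && errno == EINTR);

    if (n <= 0)
        return n;
    if ((msg.msg_flags & MSG_TRUNC) || !netlink_sender_is_kernel(&msg))
        return 0;               /* truncated or not from the kernel */
    return n;
}

/* Build a constructed sender address and run the check on it. */
int check_sample(unsigned int pid, socklen_t namelen)
{
    struct sockaddr_nl from;
    struct msghdr msg;

    memset(&from, 0, sizeof(from));
    memset(&msg, 0, sizeof(msg));
    from.nl_family = AF_NETLINK;
    from.nl_pid = pid;
    msg.msg_name = &from;
    msg.msg_namelen = namelen;
    return netlink_sender_is_kernel(&msg);
}

int main(void)
{
    printf("kernel (pid 0):        %d\n", check_sample(0, sizeof(struct sockaddr_nl)));
    printf("userspace (pid 4321):  %d\n", check_sample(4321, sizeof(struct sockaddr_nl)));
    printf("short sender address:  %d\n", check_sample(0, 2));
    return 0;
}
```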
 2322 
 2323 	Maintainability drive: removed bug and missing feature
 2324 	workarounds for some old platforms. Solaris 9, OpenBSD
 2325 	older than 4.1, Glibc older than 2.2, Linux 2.2.x and 
 2326 	DBus older than 1.1.x are no longer supported. 
 2327 
 2328 	Don't read included configuration files more than once:
 2329 	allows complex configuration structures without problems.
 2330 
 2331 	Mark log messages from the various subsystems in dnsmasq:
 2332 	messages from the DHCP subsystem now have the ident string
 2333 	"dnsmasq-dhcp" and messages from TFTP have ident
 2334 	"dnsmasq-tftp". Thanks to Olaf Westrik for the patch.
 2335 
 2336 	Fix possible infinite DHCP protocol loop when an IP
 2337 	address is nailed to a hostname (not a MAC address) and a
 2338 	host sometimes provides the name, sometimes not.
 2339 
 2340 	Allow --addn-hosts to take a directory: all the files 
 2341 	in the directory are read. Thanks to Phil Cornelius for 
 2342 	the suggestion. 
 2343 
 2344 	Support --bridge-interface on all platforms, not just BSD.
 2345 
 2346 	Added support for advanced PXE functions. It's now
 2347 	possible to define a prompt and menu options which will
 2348 	be displayed when a client PXE boots. It's also possible to
 2349 	hand-off booting to other boot servers. Proxy-DHCP, where
 2350 	dnsmasq just supplies the PXE information and another DHCP
 2351 	server does address allocation, is also allowed. See the
 2352 	--pxe-prompt and --pxe-service keywords. Thanks to 
 2353 	Alkis Georgopoulos for the suggestion and Guilherme Moro
 2354 	and Michael Brown for assistance.
 2355 
 2356 	Improvements to DHCP logging. Thanks to Tom Metro for
 2357 	useful suggestions.
 2358 
 2359 	Add ability to build dnsmasq without DHCP support. To do
 2360 	this, edit src/config.h or build with
 2361 	"make COPTS=-DNO_DHCP". Thanks to Mahavir Jain for the patch. 
 2362 
 2363 	Added --test command-line switch - syntax check
 2364 	configuration files only.
 2365 
 2366 	Updated French translation. Thanks to Gildas Le Nadan.
 2367 
 2368 
 2369 version 2.47
 2370 	Updated French translation. Thanks to Gildas Le Nadan.
 2371 
 2372 	Fixed interface enumeration code to work on NetBSD
 2373 	5.0. Thanks to Roy Marples for the patch. 
 2374 
 2375 	Updated config.h to use the same location for the lease
 2376 	file on NetBSD as the other *BSD variants. Also allow
 2377 	LEASEFILE and CONFFILE symbols to be overridden in CFLAGS.  
 2378 
 2379 	Handle duplicate address detection on IPv6 more
 2380 	intelligently. In IPv6, an interface can have an address
 2381 	which is not usable, because it is still undergoing DAD
 2382 	(such addresses are marked "tentative"). Attempting to
 2383 	bind to an address in this state returns an error,
 2384 	EADDRNOTAVAIL. Previously, on getting such an error,
 2385 	dnsmasq would silently abandon the address, and never
 2386 	listen on it. Now, it retries once per second for 20
 2387 	seconds before generating a fatal error. 20 seconds should
 2388 	be long enough for any DAD process to complete, but can be
 2389 	adjusted in src/config.h if necessary. Thanks to Martin
 2390 	Krafft for the bug report.
 2391 
 2392 	Add DBus introspection. Patch from Jeremy Laine.
 2393 
 2394 	Update Dbus configuration file. Patch from Colin Walters.
 2395 	Fix for this bug:
 2396 	http://bugs.freedesktop.org/show_bug.cgi?id=18961
 2397 
 2398 	Support arbitrarily encapsulated DHCP options, suggestion
 2399 	and initial patch from Samium Gromoff. This is useful for
 2400 	(eg) iPXE, which expects all its private options to be
 2401 	encapsulated inside a single option 175. So, eg, 
 2402 
 2403 	dhcp-option = encap:175, 190, "iscsi-client0"
 2404 	dhcp-option = encap:175, 191, "iscsi-client0-secret"
 2405 
 2406 	will provide iSCSI parameters to iPXE.
 2407 
 2408 	Enhance --dhcp-match to allow testing of the contents of a
 2409 	client-sent option, as well as its presence. The
 2410 	application in mind for this is RFC 4578
 2411 	client-architecture specifiers, but it's generally useful.
 2412 	Joey Korkames suggested the enhancement. 
 2413 
 2414 	Move from using the IP_XMIT_IF ioctl to IP_BOUND_IF on
 2415 	OpenSolaris. Thanks to Bastian Machek for the heads-up.
 2416 
 2417 	No longer complain about blank lines in
 2418 	/etc/ethers. Thanks to Jon Nelson for the patch.
 2419 
 2420 	Fix binding of servers to physical devices, eg
 2421 	--server=/domain/1.2.3.4@eth0 which was broken from 2.43
 2422 	onwards unless --query-port=0 set. Thanks to Peter Naulls
 2423 	for the bug report.
 2424 
 2425 	Reply to DHCPINFORM requests even when the supplied ciaddr
 2426 	doesn't fall in any dhcp-range. In this case it's not
 2427 	possible to supply a complete configuration, but
 2428 	individually-configured options (eg PAC) may be useful.
 2429 
 2430 	Allow the source address of an alias to be a range:
 2431 	--alias=192.168.0.0,10.0.0.0,255.255.255.0 maps the whole
 2432 	subnet 192.168.0.0->192.168.0.255 to 10.0.0.0->10.0.0.255,
 2433 	as before.
 2434 	--alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
 2435 	maps only the 192.168.0.10->192.168.0.40 region. Thanks to
 2436 	Ib Uhrskov for the suggestion.
 2437 
 2438 	Don't dynamically allocate DHCP addresses which may break
 2439 	Windows.  Addresses which end in .255 or .0 are broken in
 2440 	Windows even when using supernetting.
 2441 	--dhcp-range=192.168.0.1,192.168.1.254,255.255.254.0 means
 2442 	192.168.0.255 is a valid IP address, but not for Windows. 
 2443 	See Microsoft KB281579. We therefore no longer allocate 
 2444 	these addresses to avoid hard-to-diagnose problems. 
 2445 
 2446 	Update Polish translation. Thanks to Jan Psota.
 2447 
 2448 	Delete the PID-file when dnsmasq shuts down. Note that by
 2449 	this time, dnsmasq is normally not running as root, so
 2450 	this will fail if the PID-file is stored in a root-owned
 2451 	directory; such failure is silently ignored. To take
 2452 	advantage of this feature, the PID-file must be stored in a
 2453 	directory owned and write-able by the user running
 2454 	dnsmasq.
 2455 
 2456 
 2457 version 2.46
 2458 	Allow --bootp-dynamic to take a netid tag, so that it may
 2459 	be selectively enabled. Thanks to Olaf Westrik for the
 2460 	suggestion. 
 2461 
 2462 	Remove ISC-leasefile reading code. This has been
 2463 	deprecated for a long time, and last time I removed it, it
 2464 	ended up going back by request of one user. This time,
 2465 	it's gone for good; otherwise it would need to be
 2466 	re-worked to support multiple domains (see below).
 2467 
 2468 	Support DHCP clients in multiple DNS domains. This is a
 2469 	long-standing request. Clients are assigned to a domain
 2470 	based on their IP address.
 2471 
 2472 	Add --dhcp-fqdn flag, which changes behaviour of DNS names
 2473 	assigned to DHCP clients. When this is set, there must be
 2474 	a domain associated with each client, and only
 2475 	fully-qualified domain names are added to the DNS. The
 2476 	advantage is that only the FQDN needs to be unique,
 2477 	so that two or more DHCP clients can share a hostname, as
 2478 	long as they are in different domains.
 2479 
 2480 	Set environment variable DNSMASQ_DOMAIN when invoking
 2481 	lease-change script. This may be useful information to
 2482 	have now that it's variable.
 2483 
 2484 	Tighten up data-checking code for DNS packet
 2485 	handling. Thanks to Steve Dodd who found certain illegal
 2486 	packets which could crash dnsmasq. No memory overwrite was
 2487 	possible, so this is not a security issue beyond the DoS
 2488 	potential.  
 2489 
 2490 	Update example config dhcp option 47, the previous
 2491 	suggestion generated an illegal, zero-length,
 2492 	option. Thanks to Matthias Andree for finding this.
 2493 
 2494 	Rewrite hosts-file reading code to remove the limit of
 2495 	1024 characters per line. John C Meuser found this.
 2496 
 2497 	Create a net-id tag with the name of the interface on
 2498 	which the DHCP request was received.
 2499 
 2500 	Fixed minor memory leak in DBus code, thanks to Jeremy
 2501 	Laine for the patch.
 2502 
 2503 	Emit DBus signals as the DHCP lease database
 2504 	changes. Thanks to Jeremy Laine for the patch.
 2505 
 2506 	Allow for more than one MAC address in a dhcp-host
 2507 	line. This configuration tells dnsmasq that it's OK to
 2508 	abandon a DHCP lease of the fixed address to one MAC
 2509 	address, if another MAC address in the dhcp-host statement 
 2510 	asks for an address. This is useful to give a fixed
 2511 	address to a host which has two network interfaces
 2512 	(say, a laptop with wired and wireless interfaces.) 
 2513 	It's very important to ensure that only one interface 
 2514 	at a time is up, since dnsmasq abandons the first lease 
 2515 	and re-uses the address before the leased time has
 2516 	elapsed. John Gray suggested this.
 2517 
 2518 	Tweak the response to a DHCP request packet with a wrong
 2519 	server-id when --dhcp-authoritative is set; dnsmasq now
 2520 	returns a DHCPNAK, rather than silently ignoring the
 2521 	packet. Thanks to Chris Marget for spotting this
 2522 	improvement.
 2523 
 2524 	Add --cname option. This provides a limited alias
 2525 	function, usable for DHCP names. Thanks to AJ Weber for
 2526 	suggestions on this.
 2527 
 2528 	Updated contrib/webmin with latest version from Neil
 2529 	Fisher.
 2530 
 2531 	Updated Polish translation. Thanks to Jan Psota.
 2532 
 2533 	Correct the text names for DHCP options 64 and 65 to be
 2534 	"nis+-domain" and "nis+-servers".
 2535 
 2536 	Updated Spanish translation. Thanks to Chris Chatham.
 2537 
 2538 	Force re-reading of /etc/resolv.conf when an "interface
 2539 	up" event occurs.
 2540 
 2541 
 2542 version 2.45
 2543 	Fix total DNS failure in release 2.44 unless --min-port 
 2544 	specified. Thanks to Steven Barth and Grant Coady for the
 2545 	bug report. Also reject out-of-range port spec, which could
 2546 	break things too: suggestion from Gilles Espinasse.
 2547 
 2548 
 2549 version 2.44
 2550 	Fix crash when unknown client attempts to renew a DHCP
 2551 	lease, problem introduced in version 2.43. Thanks to
 2552 	Carlos Carvalho for help chasing this down.
 2553 
 2554 	Fix potential crash when a host which doesn't have a lease
 2555 	does DHCPINFORM. Again introduced in 2.43. This bug has
 2556 	never been reported in the wild.
 2557 
 2558 	Fix crash in netlink code introduced in 2.43. Thanks to
 2559 	Jean Wolter for finding this.
 2560 
 2561 	Change implementation of min_port to work even if min-port
 2562 	is large.
 2563 
 2564 	Patch to enable compilation on the latest Mac OS X. Thanks to
 2565 	David Gilman.
 2566 
 2567 	Update Spanish translation. Thanks to Christopher Chatham.
 2568 
 2569 
 2570 version 2.43
 2571 	Updated Polish translation. Thanks to Jan Psota.
 2572 
 2573 	Flag errors when configuration options are repeated
 2574 	illegally.
 2575 
 2576 	Further tweaks for GNU/kFreeBSD
 2577 
 2578 	Add --no-wrap to msgmerge call - provides nicer .po file
 2579 	format.
 2580 
 2581 	Honour lease-time spec in dhcp-host lines even for
 2582 	BOOTP. The user is assumed to know what they are doing in
 2583 	this case. (Hosts without the time spec still get infinite
 2584 	leases for BOOTP, over-riding the default in the
 2585 	dhcp-range.) Thanks to Peter Katzmann for uncovering this.
 2586 
 2587 	Fix problem matching relay-agent ids. Thanks to Michael
 2588 	Rack for the bug report.
 2589 
 2590 	Add --naptr-record option. Suggestion from Johan
 2591 	Bergquist.
 2592 
 2593 	Implement RFC 5107 server-id-override DHCP relay agent
 2594 	option.
 2595 
 2596 	Apply patches from Stefan Kruger for compilation on
 2597 	Solaris 10 under Sun studio.
 2598 
 2599 	Yet more tweaking of Linux capability code, to suppress
 2600 	pointless whingeing from kernel 2.6.25 and above.
 2601 
 2602 	Improve error checking during startup. Previously, some
 2603 	errors which occurred during startup would be worked
 2604 	around, with dnsmasq still starting up. Some were logged,
 2605 	some silent. Now, they all cause a fatal error and dnsmasq 
 2606 	terminates with a non-zero exit code. The errors are those
 2607 	associated with changing uid and gid, setting process 
 2608 	capabilities and writing the pidfile. Thanks to Uwe
 2609 	Gansert and the Suse security team for pointing out 
 2610 	this improvement, and Bill Reimers for good implementation
 2611 	suggestions.
 2612 
 2613 	Provide NO_LARGEFILE compile option to switch off largefile
 2614 	support when compiling against versions of uclibc which
 2615 	don't support it. Thanks to Stephane Billiart for the patch.
 2616 
 2617 	Implement random source ports for interactions with
 2618 	upstream nameservers. New spoofing attacks have been found
 2619 	against nameservers which do not do this, though it is not
 2620 	clear if dnsmasq is vulnerable, since it doesn't implement
 2621 	recursion. By default dnsmasq will now use a different
 2622 	source port (and socket) for each query it sends
 2623 	upstream. This behaviour can be suppressed using the
 2624 	--query-port option, and the old default behaviour
 2625 	restored using --query-port=0. Explicit source-port
 2626 	specifications in --server configs are still honoured.
 2627 
 2628 	Replace the random number generator, for better
 2629 	security. On most BSD systems, dnsmasq uses the
 2630 	arc4random() RNG, which is secure, but on other platforms,
 2631 	it relied on the C-library RNG, which may be
 2632 	guessable and therefore allow spoofing. This release
 2633 	replaces the libc RNG with the SURF RNG, from Daniel
 2634 	J. Bernstein's DJBDNS package.
 2635 
 2636 	Don't attempt to change user or group or set capabilities
 2637 	if dnsmasq is run as a non-root user. Without this, the
 2638 	change from soft to hard errors when these fail causes
 2639 	problems for non-root daemons listening on high
 2640 	ports. Thanks to Patrick McLean for spotting this.
 2641 
 2642 	Updated French translation. Thanks to Gildas Le Nadan.
 2643 
 2644 
 2645 version 2.42
 2646 	The changelog for version 2.42 and earlier is 
 2647 	available in CHANGELOG.archive.