Upstream git log since v2.91rc3, changes by Simon Kelley:
* f9f8d19 2025-02-09 | Yet another 0x20 fix.
Upstream has one more fix in Git,
so this isn't going to be the release yet.
MFH: 2025Q1
changes since v2.91rc1:
* 368ceff 2025-02-06 | TFTP off-by-2 bugfix [Helge Deller]
* 77c4e95 2025-02-06 | Fix for case-sensitivity problems in DNS. [Simon Kelley]
* e44165c 2025-02-06 | Fix bug in 0x20 encoding. [Simon Kelley]
CHANGELOG addition:
| Fix a long-standing problem when two queries which are identical in
| every respect _except_ case, get combined by dnsmasq. If dnsmasq gets
| e.g., two queries for example.com and Example.com in quick succession it
| will get the answer for example.com from upstream and send that answer
| to both requestors. This means that the query for Example.com will get
| an answer for example.com, and in the modern DNS, that answer may not
| be accepted.
MFH: 2025Q1
Upstream commit history, all changes by Simon Kelley:
* a4569c2 2025-01-20 | Correct BNF for --trust-anchor in manpage.
* 199e65c 2025-01-20 | Remove misleading comment.
* bb8811d 2025-01-20 | Convert DNS names in logs to all lower case.
* 995a16c 2025-01-19 | Implement "DNS-0x20 encoding".
* 65f9c1a 2025-01-19 | Case-sensitive matching of questions and answers.
Upstream CHANGELOG addition:
| Implement "DNS-0x20 encoding", for extra protection against
| reply-spoof attacks. Since DNS queries are case-insensitive, it's
| possible to randomly flip the case of letters in a query and still get
| the correct answer back.
| This adds an extra dimension for a cache-poisoning attacker to guess
| when sending replies in-the-blind since it's expected that the
| legitimate answer will have the same pattern of upper and lower case
| as the query, so any replies which don't can be ignored as malicious.
| The amount of extra entropy clearly depends on the number of a-z and
| A-Z characters in the query, and this implementation puts a hard limit
| of 32 bits to make resource allocation easy. This about doubles
| entropy over the standard random ID and random port combination.
MFH: 2025Q1
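As an added illustration of the 0x20 scheme described in the changelog above (example code written for this note, not dnsmasq's or upstream's implementation): names are handled in presentation form, the caller supplies the random case pattern, the 32-bit cap mirrors the limit mentioned above, and a reply is only accepted when its echoed question name matches the sent name case-sensitively.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS0X20_MAX_BITS 32   /* hard limit from the changelog text */

/* Extra entropy a name can carry: one bit per letter, capped at 32. */
int dns0x20_entropy_bits(const char *name) {
    int n = 0;
    for (; *name; name++)
        if (isalpha((unsigned char)*name)) n++;
    return n > DNS0X20_MAX_BITS ? DNS0X20_MAX_BITS : n;
}

/* Set the case of each letter from the bits of 'pattern' (bit 0 first).
 * 'pattern' must come from a CSPRNG in real use; letters beyond the
 * 32-bit budget are forced to lower case. Returns bits consumed. */
int dns0x20_encode(char *name, uint32_t pattern) {
    int used = 0;
    for (char *p = name; *p; p++) {
        if (!isalpha((unsigned char)*p)) continue;
        int upper = used < DNS0X20_MAX_BITS && ((pattern >> used) & 1u);
        *p = (char)(upper ? toupper((unsigned char)*p) : tolower((unsigned char)*p));
        used++;
    }
    return used < DNS0X20_MAX_BITS ? used : DNS0X20_MAX_BITS;
}

static int same_name_ignoring_case(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Compare the question name echoed in a reply with the name sent.
 * 1: exact match, accept.  0: same name but different case pattern,
 * treat as an in-the-blind spoof and drop.  -1: a different name,
 * i.e. not an answer to this query at all. */
int dns0x20_reply_check(const char *sent, const char *echoed) {
    if (strcmp(sent, echoed) == 0) return 1;
    return same_name_ignoring_case(sent, echoed) ? 0 : -1;
}

int main(void) {
    char q[] = "www.example.com";                 /* constructed sample query */
    dns0x20_encode(q, 0xA5A5A5A5u);               /* constructed, fixed pattern */
    printf("sent %s (%d extra bits)\n", q, dns0x20_entropy_bits(q));
    printf("exact echo -> %d, lowercased echo -> %d\n",
           dns0x20_reply_check(q, q), dns0x20_reply_check(q, "www.example.com"));
    return 0;
}
```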
/usr/sbin/service: ERROR: USAGE: load_rc_config_var name var
This is a very old and known bug in service(8) from 2016:
https://bugs.freebsd.org/208534
https://reviews.freebsd.org/D5833
PR: 284100
Approved by: Leo Vandewoestijne <freebsd@dns.company> (maintainer)
MFH: 2025Q1
Upstream CHANGELOG file addition:
| Handle DS queries to auth zones. When dnsmasq is configured to act as
| an authoritative server and has an authoritative zone configured, and
| receives a query for that zone _as_forwarder_ it answers the query
| directly rather than forwarding it. This doesn't affect the answer, but
| it saves dnsmasq forwarding the query to the recursor upstream, which then
| bounces it back to dnsmasq in auth mode. The exception should be when
| the query is for the root of zone, for a DS RR. The answer to that has
| to come from the parent, via the recursor, and will typically be a
| proof-of-nonexistence since dnsmasq doesn't support signed zones. This
| patch suppresses local answers and forces forwarding to the upstream
| recursor for such queries. It stops breakage when a DNSSEC validating
| client makes queries to dnsmasq acting as forwarder for a zone for which
| it is authoritative.
And commits:
* b72ecb3 2025-01-18 | Fix log message fields in wrong order in some auth replies.
* c221030 2025-01-18 | Rename cache_validated() to cache_not_validated().
* 5bbea08 2025-01-18 | Fix subtle bug in arbitrary-RR caching.
* 622cf03 2025-01-18 | Fix fubar that could return unsigned NODATA response when do bit set.
* 8ce2743 2025-01-17 | Handle DS queries to auth zones.
* 5d89462 2025-01-17 | Extend build fingerprinting to include CFLAGS.
ChangeLog: https://www.nlnetlabs.nl/news/2025/Jan/18/nsd-4.11.1-released/
BUG FIXES:
* Fix#415: Fix out of tree builds.
* Fix#414: XoT interoperability with BIND and Knot
* Fix#421: old-main can quit before the reload process received from
  old-main that it is done on the reload_listener pipe. Thanks Otto Retter.
* Fix whitespace in comment.
* Fix#424: Stalled updates after corrupt transfer.
PR: 284156
Reported by: jaap@NLnetLabs.nl (maintainer)
Upstream is alive and active, and has first-class FreeBSD support.
They have used mbedtls3 since version 2.4.0.
Using their ready-to-use port with minor changes:
* Fix files/kadnode.in mode (0755 -> 0644)
* Improve pkg-descr
* Some linting
PR: 283954
Reviewed by: diizzy
Approved by: moritzwarning@web.de (maintainer)