CVS commit: pkgsrc/net/dnsmasq

["Adam Ciarcinski" <adam%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   adam
Date:           Thu Jan 15 18:30:21 UTC 2026

Modified Files:
        pkgsrc/net/dnsmasq: Makefile distinfo

Log Message:
dnsmasq: updated to 2.92

version 2.92
Redesign the interaction between DNSSEC validation and per-domain
servers, specified as --server=/<domain>/<ip-address>. This should
just work in all cases now. If the normal chain-of-trust exists into
the delegated domain then whether the domain is signed or not, DNSSEC
validation will function normally. In the case the delegated domain
is an "overlay" on top of the global DNS and no NS and/or DS records
exist connecting it to the global dns, then if the domain is
unsigned the situation will be handled by synthesising a
proof-of-non-existence-of-DS for the domain and queries will be
answered unvalidated; this action will be logged. A signed domain
without chain-of-trust can be validated if a suitable trust-anchor
is provided using --trust-anchor. This change should be backwards
compatible for all existing working configurations; it extends the
space of possible configurations which are functional.

Fix a couple of problems with DNSSEC validation and DNAME. One
could cause validation failure on correct domains, and the other
would fail to spot an invalid domain. Thanks to Graham Clinch
for spotting the problem.

Add --log-queries=auth option to only log replies from the auth DNS
facility.

Fix some edge-cases with domains and --address and --server. There
has been some regressions with this in previous releases. This change
fixes the priority order from lower to highest as:
--address with a IPv4 or IPv6 address (as long as the query matches the type)
--address with # for all-zeros, as long as the query is A or AAAA)
--address with no address, which returns NXDOMAIN or NOERROR for all types.
--server with address set to # to use the unqualified servers.
--server with matching domain.
--server without domain or from /etc/resolv.conf.

Fix problems with ipset or nftset and TCP DNS transport. Previously
this was racy, and insertion of addresses could fail on a busy server
when DNS-over-TCP transport was involved.

DNSSEC validation change for reverse lookups in RFC-1918 ranges and friends.
The large public DNS services seem not to return proof-of-nonexistence
for DS records at the start of RFC-1918 in-addr.arpa domains and the their
IPv6 equivalents. 10.in-addr.arpa, 168.192.in-addr.arpa etc.
Since dnsmasq already has an option which instructs it not bother
upstream servers with pointless queries about these address ranges,
namely --bogus-priv, we extend that to enable behaviour which allows
dnsmasq to assume that insecure NXDOMAIN replies for these domains
are expected and to assume that the domains are legitimately unsigned.
This behaviour only matters when some address range is directed to
another upstream server using --rev-server. In that case it allows
replies from that server to pass DNSSEC validation. Without such a
server configured, queries are never sent upstream so they are never
validated and the new behaviour is moot.

Add support for leasequery to the dnsmasq DHCPv4 server.
This has to be specifically enabled with the --leasequery option.
Many thanks to JAXPORT, Jacksonville Port Authority for sponsoring
this enhancement to dnsmasq.

Fix failure to cache PTR RRs when a reply contains more than one answer.
Thanks to Dmitry for spotting this.

Add TFTP options windowsize (RFC 7440) and timeout (RFC 2349).

Change the behaviour of the DHCPv6 server when a REBIND message
is received but no lease exists. Under these circumstances a new
lease is created _only_ when the --dhcp-authoritative option is
set. This matches the behavior of the DHCPv4 server.

Add --dhcp-split-relay option. This makes a DHCPv4 relay which
is functional when client and server networks aren't mutually
route-able.

Fix failure to add client MAC address to queries in TCP mode.
The options which cause dnsmasq to decorate a DNS query with the MAC
address on the originating client can fail when the query is sent
using TCP. Thanks to Bruno Ravara for spotting and
characterising this bug.


To generate a diff of this commit:
cvs rdiff -u -r1.53 -r1.54 pkgsrc/net/dnsmasq/Makefile
cvs rdiff -u -r1.50 -r1.51 pkgsrc/net/dnsmasq/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/dnsmasq/Makefile
diff -u pkgsrc/net/dnsmasq/Makefile:1.53 pkgsrc/net/dnsmasq/Makefile:1.54
--- pkgsrc/net/dnsmasq/Makefile:1.53    Mon Apr 21 21:01:39 2025
+++ pkgsrc/net/dnsmasq/Makefile Thu Jan 15 18:30:21 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.53 2025/04/21 21:01:39 wiz Exp $
+# $NetBSD: Makefile,v 1.54 2026/01/15 18:30:21 adam Exp $
 
-DISTNAME=      dnsmasq-2.91
+DISTNAME=      dnsmasq-2.92
 CATEGORIES=    net
 MASTER_SITES=  https://thekelleys.org.uk/dnsmasq/
 EXTRACT_SUFX=  .tar.xz

Index: pkgsrc/net/dnsmasq/distinfo
diff -u pkgsrc/net/dnsmasq/distinfo:1.50 pkgsrc/net/dnsmasq/distinfo:1.51
--- pkgsrc/net/dnsmasq/distinfo:1.50    Tue Apr  8 09:09:16 2025
+++ pkgsrc/net/dnsmasq/distinfo Thu Jan 15 18:30:21 2026
@@ -1,7 +1,7 @@
-$NetBSD: distinfo,v 1.50 2025/04/08 09:09:16 adam Exp $
+$NetBSD: distinfo,v 1.51 2026/01/15 18:30:21 adam Exp $
 
-BLAKE2s (dnsmasq-2.91.tar.xz) = a86badd4a272826e1124ea2fbb9c60d42c3263800cbacbc6455a0ed9bb6c525f
-SHA512 (dnsmasq-2.91.tar.xz) = d8b062d28f32d0e499e551aeebba75d3ea9f6a5173d78f45292cb1ef28a5d0f7c86982d987fe25c3cee9f139023b1fd023130dddd0dc849fb0cfbd969c3b0c7f
-Size (dnsmasq-2.91.tar.xz) = 576820 bytes
+BLAKE2s (dnsmasq-2.92.tar.xz) = 3dc5d967d1fc258298e3bcc245f38d7f647e444f94718f1f79e2ce1066434ef1
+SHA512 (dnsmasq-2.92.tar.xz) = 14a4638f4819c88c1214f38ca66622ce618b800dcc0d271d4eec6fd97639611f2317b711f6342c62b1f132acc7c2dec657fbf26c004d0d55ef10786944ad0ad1
+Size (dnsmasq-2.92.tar.xz) = 637752 bytes
 SHA1 (patch-src_bpf.c) = 4115a5391f57564663bbfc448fbb865c370318a6
 SHA1 (patch-src_dump.c) = e5788d9e3112b1e5b2ef7ce500b0262b95c375c6