The motivating change for me included upstream is commit 8ce27433f8b2
("Handle DS queries to auth zones.") which fixes using a subzone of a
DNSSEC'd zone.Two patches are dropped as these are included in the new upstream release, the other two are rebased. Signed-off-by: Uwe Kleine-König <uwe+open...@kleine-koenig.org> --- Hello, I use the domain kk4.kleine-koenig.org for my OpenWrt router. Since kleine-koenig.org is DNSSEC signed, internal resolution in the kk4.kleine-koenig.org zone fails when the resolver uses DNSSEC because only with the above commit the kk4.kleine-koenig.org/DS query gets a properly signed answer. Upstream created this commit in reply of a bug report from me and on the way found a few more fixes for corner cases. So updating to the test release isn't only simpler than a backport but also (IMHO) more sensible. Ideally (for me) this would be fixed in OpenWrt 24.10. Best regards Uwe package/network/services/dnsmasq/Makefile | 8 ++-- ...ous-resource-limit-exceeded-messages.patch | 43 ------------------- ...introduced-in-51471cafa5a4fa44d6fe49.patch | 31 ------------- ...00-remove-old-runtime-kernel-support.patch | 8 ++-- .../dnsmasq/patches/200-ubus_dns.patch | 18 ++++---- 5 files changed, 17 insertions(+), 91 deletions(-) delete mode 100644 package/network/services/dnsmasq/patches/0001-Fix-spurious-resource-limit-exceeded-messages.patch delete mode 100644 package/network/services/dnsmasq/patches/0002-PATCH-Fix-error-introduced-in-51471cafa5a4fa44d6fe49.patch diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile index 0a597c03ce40..3e9f228cdc0d 100644 --- a/package/network/services/dnsmasq/Makefile +++ b/package/network/services/dnsmasq/Makefile @@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dnsmasq -PKG_UPSTREAM_VERSION:=2.90 +PKG_UPSTREAM_VERSION:=2.91test8 PKG_VERSION:=$(subst test,~~test,$(subst rc,~rc,$(PKG_UPSTREAM_VERSION))) -PKG_RELEASE:=3 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_UPSTREAM_VERSION).tar.xz -PKG_SOURCE_URL:=https://thekelleys.org.uk/dnsmasq/ -PKG_HASH:=8e50309bd837bfec9649a812e066c09b6988b73d749b7d293c06c57d46a109e4 +PKG_SOURCE_URL:=https://thekelleys.org.uk/dnsmasq/test-releases +PKG_HASH:=f23fbdf1863872aa864296e38aa114c51c6e990d8a2ca648d21bf003f3aa5e47 PKG_LICENSE:=GPL-2.0 PKG_LICENSE_FILES:=COPYING diff --git a/package/network/services/dnsmasq/patches/0001-Fix-spurious-resource-limit-exceeded-messages.patch b/package/network/services/dnsmasq/patches/0001-Fix-spurious-resource-limit-exceeded-messages.patch deleted file mode 100644 index f25ee20413fb..000000000000 --- a/package/network/services/dnsmasq/patches/0001-Fix-spurious-resource-limit-exceeded-messages.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 1ed783b8d7343c42910a61f12a8fc6237eb80417 Mon Sep 17 00:00:00 2001 -From: Simon Kelley <si...@thekelleys.org.uk> -Date: Mon, 19 Feb 2024 12:22:43 +0000 -Subject: Fix spurious "resource limit exceeded" messages. - -Replies from upstream with a REFUSED rcode can result in -log messages stating that a resource limit has been exceeded, -which is not the case. - -Thanks to Dominik Derigs and the Pi-hole project for -spotting this. ---- - CHANGELOG | 5 +++++ - src/forward.c | 6 +++--- - 2 files changed, 8 insertions(+), 3 deletions(-) - ---- a/CHANGELOG -+++ b/CHANGELOG -@@ -1,3 +1,8 @@ -+version 2.91 -+ Fix spurious "resource limit exceeded messages". Thanks to -+ Dominik Derigs for the bug report. -+ -+ - version 2.90 - Fix reversion in --rev-server introduced in 2.88 which - caused breakage if the prefix length is not exactly divisible ---- a/src/forward.c -+++ b/src/forward.c -@@ -937,10 +937,10 @@ static void dnssec_validate(struct frec - status = dnssec_validate_reply(now, header, plen, daemon->namebuff, daemon->keyname, &forward->class, - !option_bool(OPT_DNSSEC_IGN_NS) && (forward->sentto->flags & SERV_DO_DNSSEC), - NULL, NULL, NULL, &orig->validate_counter); -- } - -- if (STAT_ISEQUAL(status, STAT_ABANDONED)) -- log_resource = 1; -+ if (STAT_ISEQUAL(status, STAT_ABANDONED)) -+ log_resource = 1; -+ } - - /* Can't validate, as we're missing key data. Put this - answer aside, whilst we get that. */ diff --git a/package/network/services/dnsmasq/patches/0002-PATCH-Fix-error-introduced-in-51471cafa5a4fa44d6fe49.patch b/package/network/services/dnsmasq/patches/0002-PATCH-Fix-error-introduced-in-51471cafa5a4fa44d6fe49.patch deleted file mode 100644 index 5c50ae84463b..000000000000 --- a/package/network/services/dnsmasq/patches/0002-PATCH-Fix-error-introduced-in-51471cafa5a4fa44d6fe49.patch +++ /dev/null @@ -1,31 +0,0 @@ -From ccff85ad72d2f858d9743d40525128e4f62d41a8 Mon Sep 17 00:00:00 2001 -From: renmingshuai <renmingsh...@huawei.com> -Date: Wed, 21 Feb 2024 00:24:25 +0000 -Subject: [PATCH] Fix error introduced in - 51471cafa5a4fa44d6fe490885d9910bd72a5907 - -Signed-off-by: renmingshuai <renmingsh...@huawei.com> ---- - src/dnssec.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/src/dnssec.c -+++ b/src/dnssec.c -@@ -1547,7 +1547,7 @@ static int prove_non_existence_nsec3(str - nsecs[i] = NULL; /* Speculative, will be restored if OK. */ - - if (!(p = skip_name(nsec3p, header, plen, 15))) -- return 0; /* bad packet */ -+ return DNSSEC_FAIL_BADPACKET; /* bad packet */ - - p += 10; /* type, class, TTL, rdlen */ - -@@ -1640,7 +1640,7 @@ static int prove_non_existence_nsec3(str - if (!wildname) - { - if (!(wildcard = strchr(next_closest, '.')) || wildcard == next_closest) -- return 0; -+ return DNSSEC_FAIL_NONSEC; - - wildcard--; - *wildcard = '*'; diff --git a/package/network/services/dnsmasq/patches/100-remove-old-runtime-kernel-support.patch b/package/network/services/dnsmasq/patches/100-remove-old-runtime-kernel-support.patch index 26c1b463b94c..79bf10fa34cd 100644 --- a/package/network/services/dnsmasq/patches/100-remove-old-runtime-kernel-support.patch +++ b/package/network/services/dnsmasq/patches/100-remove-old-runtime-kernel-support.patch @@ -13,7 +13,7 @@ Signed-off-by: Kevin Darbyshire-Bryant <l...@darbyshire-bryant.me.uk> --- a/src/dnsmasq.c +++ b/src/dnsmasq.c -@@ -105,10 +105,6 @@ int main (int argc, char **argv) +@@ -107,10 +107,6 @@ int main (int argc, char **argv) read_opts(argc, argv, compile_opts); @@ -26,7 +26,7 @@ Signed-off-by: Kevin Darbyshire-Bryant <l...@darbyshire-bryant.me.uk> --- a/src/dnsmasq.h +++ b/src/dnsmasq.h -@@ -1277,7 +1277,7 @@ extern struct daemon { +@@ -1278,7 +1278,7 @@ extern struct daemon { int inotifyfd; #endif #if defined(HAVE_LINUX_NETWORK) @@ -35,7 +35,7 @@ Signed-off-by: Kevin Darbyshire-Bryant <l...@darbyshire-bryant.me.uk> #elif defined(HAVE_BSD_NETWORK) int dhcp_raw_fd, dhcp_icmp_fd, routefd; #endif -@@ -1491,9 +1491,6 @@ int read_write(int fd, unsigned char *pa +@@ -1486,9 +1486,6 @@ int read_write(int fd, unsigned char *pa void close_fds(long max_fd, int spare1, int spare2, int spare3); int wildcard_match(const char* wildcard, const char* match); int wildcard_matchn(const char* wildcard, const char* match, int num); @@ -140,7 +140,7 @@ Signed-off-by: Kevin Darbyshire-Bryant <l...@darbyshire-bryant.me.uk> my_syslog(LOG_ERR, _("failed to update ipset %s: %s"), setname, strerror(errno)); --- a/src/util.c +++ b/src/util.c -@@ -866,22 +866,3 @@ int wildcard_matchn(const char* wildcard +@@ -901,22 +901,3 @@ int wildcard_matchn(const char* wildcard return (!num) || (*wildcard == *match); } diff --git a/package/network/services/dnsmasq/patches/200-ubus_dns.patch b/package/network/services/dnsmasq/patches/200-ubus_dns.patch index 72acbaeba934..060251f64962 100644 --- a/package/network/services/dnsmasq/patches/200-ubus_dns.patch +++ b/package/network/services/dnsmasq/patches/200-ubus_dns.patch @@ -1,19 +1,19 @@ --- a/src/dnsmasq.c +++ b/src/dnsmasq.c -@@ -2021,6 +2021,10 @@ static void check_dns_listeners(time_t n - daemon->pipe_to_parent = pipefd[1]; - } +@@ -2097,6 +2097,10 @@ static void do_tcp_connection(struct lis + daemon->pipe_to_parent = pipefd[1]; + } +#ifdef HAVE_UBUS -+ drop_ubus_listeners(); ++ drop_ubus_listeners(); +#endif + - /* start with no upstream connections. */ - for (s = daemon->servers; s; s = s->next) - s->tcpfd = -1; + /* The connected socket inherits non-blocking + attribute from the listening socket. + Reset that here. */ --- a/src/dnsmasq.h +++ b/src/dnsmasq.h -@@ -1670,14 +1670,26 @@ void emit_dbus_signal(int action, struct +@@ -1682,14 +1682,26 @@ void emit_dbus_signal(int action, struct /* ubus.c */ #ifdef HAVE_UBUS @@ -42,7 +42,7 @@ /* ipset.c */ --- a/src/forward.c +++ b/src/forward.c -@@ -803,7 +803,7 @@ static size_t process_reply(struct dns_h +@@ -728,7 +728,7 @@ static size_t process_reply(struct dns_h cache_secure = 0; } base-commit: 99431e315039d7f9689b21a8aa220adadf52a886 -- 2.47.1 _______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
