Update CHANGELOG/release-notes.
diff --git a/CHANGELOG b/CHANGELOG
index c6a6f20..3df1406 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -28,9 +28,9 @@
make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'
- which bloats the dnsmasq binary to over a megabyte, but
- saves the size of the shared libraries which are five
- times that size.
+ which bloats the dnsmasq binary, but saves the size of
+ the shared libraries which are much bigger.
+
To enable, DNSSEC, you will need a set of
trust-anchors. Now that the TLDs are signed, this can be
the keys for the root zone, and for convenience they are
@@ -56,6 +56,36 @@
downstream validators. Setting --log-queries will show
DNSSEC in action.
+ If a domain is returned from an upstream nameserver without
+ DNSSEC signature, dnsmasq by default trusts this. This
+ means that for unsigned zone (still the majority) there
+ is effectively no cost for having DNSSEC enabled. Of course
+ this allows an attacker to replace a signed record with a
+ false unsigned record. This is addressed by the
+ --dnssec-check-unsigned flag, which instructs dnsmasq
+ to prove that an unsigned record is legitimate, by finding
+ a secure proof that the zone containing the record is not
+ signed. Doing this has costs (typically one or two extra
+ upstream queries). It also has a nasty failure mode if
+ dnsmasq's upstream nameservers are not DNSSEC capable.
+ Without --dnssec-check-unsigned using such an upstream
+ server will simply result in not queries being validated;
+ with --dnssec-check-unsigned enabled and a
+ DNSSEC-ignorant upstream server, _all_ queries will fail.
+
+ Note that DNSSEC requires that the local time is valid and
+ accurate, if not then DNSSEC validation will fail. NTP
+ should be running. This presents a problem for routers
+ without a battery-backed clock. To set the time needs NTP
+ to do DNS lookups, but lookups will fail until NTP has run.
+ To address this, there's a flag, --dnssec-no-timecheck
+ which disables the time checks (only) in DNSSEC. When dnsmasq
+ is started and the clock is not synced, this flag should
+ be used. As soon as the clock is synced, SIGHUP dnsmasq.
+ The SIGHUP clears the cache of partially-validated data and
+ resets the no-timecheck flag, so that all DNSSEC checks
+ henceforward will be complete.
+
The development of DNSSEC in dnsmasq was started by
Giovanni Bajo, to whom huge thanks are owed. It has been
supported by Comcast, whose techfund grant has allowed for
@@ -84,6 +114,9 @@
correct answer was included, but the RCODE was set to NXDOMAIN.
Thanks to Craig McQueen for spotting this.
+ Make statistics available as DNS queries in the .bind TLD as
+ well as logging them.
+
version 2.68
Use random addresses for DHCPv6 temporary address
