DNSSEC: do top-down search for limit of secure delegation.unsigned

author: Simon Kelley <simon@thekelleys.org.uk> 2015-01-07 21:55:43 +0000
committer: Simon Kelley <simon@thekelleys.org.uk> 2015-01-07 21:55:43 +0000
commit: 97e618a0e3f29465acc689d87288596b006f197e (patch)
tree: da82193f5d4bbb079a63db42978825bd76f2bc1f /CHANGELOG
parent: d310ab7ecbffce79d3d90debba621e0222f9bced (diff)
download: dnsmasq-unsigned.tar.gz
1 files changed, 9 insertions, 0 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 2b6356b..e8bf80f 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -31,7 +31,16 @@ version 2.73
 	    request for certain domains, before the correct answer can
             arrive. Thanks to Glen Huang for the patch.
 	
+	    Revisit the part of DNSSEC validation which determines if an 
+	    unsigned answer is legit, or is in some part of the DNS 
+	    tree which should be signed. Dnsmasq now works from the 
+	    DNS root downward looking for the limit of signed 
+	    delegations, rather than working bottom up. This is 
+	    both more correct, and less likely to trip over broken 
+	    nameservers in the unsigned parts of the DNS tree 
+	    which don't respond well to DNSSEC queries.
 
+	
 version 2.72
             Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.
author	Simon Kelley <simon@thekelleys.org.uk>	2015-01-07 21:55:43 +0000
committer	Simon Kelley <simon@thekelleys.org.uk>	2015-01-07 21:55:43 +0000
commit	97e618a0e3f29465acc689d87288596b006f197e (patch)
tree	da82193f5d4bbb079a63db42978825bd76f2bc1f /CHANGELOG
parent	d310ab7ecbffce79d3d90debba621e0222f9bced (diff)
download	dnsmasq-unsigned.tar.gz