DNSSEC: do top-down search for limit of secure delegation.
diff --git a/CHANGELOG b/CHANGELOG
index 2b6356b..e8bf80f 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -31,7 +31,16 @@
request for certain domains, before the correct answer can
arrive. Thanks to Glen Huang for the patch.
+ Revisit the part of DNSSEC validation which determines if an
+ unsigned answer is legit, or is in some part of the DNS
+ tree which should be signed. Dnsmasq now works from the
+ DNS root downward looking for the limit of signed
+ delegations, rather than working bottom up. This is
+ both more correct, and less likely to trip over broken
+ nameservers in the unsigned parts of the DNS tree
+ which don't respond well to DNSSEC queries.
+
version 2.72
Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.
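Review bot: The added CHANGELOG entry calls the top-down search "more correct" without saying what the bottom-up search got wrong or what an operator would have seen, so a reader cannot tell whether this fixes unsigned answers being wrongly accepted, spurious validation failures, or both. Suggest one sentence on the user-visible effect; the text already hints at one, namely broken nameservers in the unsigned parts of the DNS tree "which don't respond well to DNSSEC queries". If the unsigned-answer check is controlled by a configuration option, naming it here would tell operators whether they are affected. Minor wording: "legit" reads better as "legitimate" in a changelog, and the comma in "both more correct, and less likely" can be dropped.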