Change default for dnssec-check-unsigned.
diff --git a/CHANGELOG b/CHANGELOG
index 955405b..a9136ea 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -2,6 +2,20 @@
Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method
for the initial patch and motivation.
+ Alter the default for dnssec-check-unsigned. Versions of
+ dnsmasq prior to 2.80 defaulted to not checking unsigned
+ replies, and used --dnssec-check-unsigned to switch
+ this on. Such configurations will continue to work as before,
+ but those which used the default of no checking will need to be
+ altered to explicitly select no checking. The new default is
+ because switching off checking for unsigned replies is
+ inherently dangerous. Not only does it open the possiblity of forged
+ replies, but it allows everything to appear to be working even
+ when the upstream namesevers do not support DNSSEC, and in this
+ case no DNSSEC validation at all is occuring.
+
+
+
version 2.79
Fix parsing of CNAME arguments, which are confused by extra spaces.
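Review bot: The added CHANGELOG entry tells users who relied on the old default that their configurations "will need to be altered to explicitly select no checking", but it never says what to write to do that. Since this is a behaviour change that can make previously working resolvers start rejecting unsigned replies after an upgrade, spell out the exact option form that disables checking, next to the mention of --dnssec-check-unsigned. In the same entry, fix the spellings "possiblity" (possibility), "namesevers" (nameservers) and "occuring" (occurring). The entry also ends with three added blank lines before "version 2.79" where a single one would do.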