CHANGELOG

version 2.76
            Include 0.0.0.0/8 in DNS rebind checks. This range 
	    translates to hosts on  the local network, or, at 
	    least, 0.0.0.0 accesses the local host, so could
	    be targets for DNS rebinding. See RFC 5735 section 3 
	    for details. Thanks to Stephen Röttger for the bug report.

	    Enhance --add-subnet to allow arbitrary subnet addresses.
            Thanks to Ed Barsley for the patch.

	    Respect the --no-resolv flag in inotify code. Fixes bug
	    which caused dnsmasq to fail to start if a resolv-file 
	    was a dangling symbolic link, even of --no-resolv set.
	    Thanks to Alexander Kurtz for spotting the problem.

	    Fix crash when an A or AAAA record is defined locally,
	    in a hosts file, and an upstream server sends a reply
	    that the same name is empty. Thanks to Edwin Török for
	    the patch.

	
version 2.75
            Fix reversion on 2.74 which caused 100% CPU use when a 
	    dhcp-script is configured. Thanks to Adrian Davey for
	    reporting the bug and testing the fix.

	
version 2.74
            Fix reversion in 2.73 where --conf-file would attempt to
	    read the default file, rather than no file.

	    Fix inotify code to handle dangling symlinks better and
	    not SEGV in some circumstances.

	    DNSSEC fix. In the case of a signed CNAME generated by a
	    wildcard which pointed to an unsigned domain, the wrong
            status would be logged, and some necessary checks omitted.
	

version 2.73
            Fix crash at startup when an empty suffix is supplied to
	    --conf-dir, also trivial memory leak. Thanks to 
	    Tomas Hozza for spotting this.

	    Remove floor of 4096 on advertised EDNS0 packet size when 
	    DNSSEC in use, the original rationale for this has long gone.
	    Thanks to Anders Kaseorg for spotting this.

	    Use inotify for checking on updates to /etc/resolv.conf and
	    friends under Linux. This fixes race conditions when the files are 
	    updated rapidly and saves CPU by noy polling. To build
	    a binary that runs on old Linux kernels without inotify,
	    use make COPTS=-DNO_INOTIFY

	    Fix breakage of --domain=<domain>,<subnet>,local - only reverse
	    queries were intercepted. THis appears to have been broken 
	    since 2.69. Thanks to Josh Stone for finding the bug.

	    Eliminate IPv6 privacy addresses and deprecated addresses from
	    the answers given by --interface-name. Note that reverse queries
	    (ie looking for names, given addresses) are not affected. 
	    Thanks to Michael Gorbach for the suggestion.

	    Fix crash in DNSSEC code with long RRs. Thanks to Marco Davids
	    for the bug report.
	    
	    Add --ignore-address option. Ignore replies to A-record 
	    queries which include the specified address. No error is
	    generated, dnsmasq simply continues to listen for another 
	    reply. This is useful to defeat blocking strategies which
	    rely on quickly supplying a forged answer to a DNS 
	    request for certain domains, before the correct answer can
            arrive. Thanks to Glen Huang for the patch.
	
	    Revisit the part of DNSSEC validation which determines if an 
	    unsigned answer is legit, or is in some part of the DNS 
	    tree which should be signed. Dnsmasq now works from the 
	    DNS root downward looking for the limit of signed 
	    delegations, rather than working bottom up. This is 
	    both more correct, and less likely to trip over broken 
	    nameservers in the unsigned parts of the DNS tree 
	    which don't respond well to DNSSEC queries.

	    Add --log-queries=extra option, which makes logs easier
	    to search automatically.

	    Add --min-cache-ttl option. I've resisted this for a long 
	    time, on the grounds that disbelieving TTLs is never a 
	    good idea, but I've been persuaded that there are 
	    sometimes reasons to do it. (Step forward, GFW).
	    To avoid misuse, there's a hard limit on the TTL 
	    floor of one hour. Thansk to RinSatsuki for the patch.

	    Cope with multiple interfaces with the same link-local 
	    address. (IPv6 addresses are scoped, so this is allowed.)
	    Thanks to Cory Benfield for help with this.

	    Add --dhcp-hostsdir. This allows addition of new host
	    configurations to a running dnsmasq instance much more 
	    cheaply than having dnsmasq re-read all its existing
	    configuration each time. 
	
	    Don't reply to DHCPv6 SOLICIT messages if we're not 
	    configured to do stateful DHCPv6. Thanks to Win King Wan 
	    for the patch.

	    Fix broken DNSSEC validation of ECDSA signatures.

	    Add --dnssec-timestamp option, which provides an automatic
	    way to detect when the system time becomes valid after 
	    boot on systems without an RTC, whilst allowing DNS 
	    queries before the clock is valid so that NTP can run. 
	    Thanks to Kevin Darbyshire-Bryant for developing this idea.

	    Add --tftp-no-fail option. Thanks to Stefan Tomanek for
	    the patch.

	    Fix crash caused by looking up servers.bind, CHAOS text 
	    record, when more than about five --servers= lines are 
	    in the dnsmasq config. This causes memory corruption 
	    which causes a crash later. Thanks to Matt Coddington for 
	    sterling work chasing this down.

	    Fix crash on receipt of certain malformed DNS requests.
	    Thanks to Nick Sampanis for spotting the problem.
	    Note that this is could allow the dnsmasq process's
	    memory to be read by an attacker under certain
	    circumstances, so it has a CVE, CVE-2015-3294 

            Fix crash in authoritative DNS code, if a .arpa zone 
	    is declared as authoritative, and then a PTR query which
	    is not to be treated as authoritative arrived. Normally, 
	    directly declaring .arpa zone as authoritative is not 
	    done, so this crash wouldn't be seen. Instead the 
	    relevant .arpa zone should be specified as a subnet
	    in the auth-zone declaration. Thanks to Johnny S. Lee
	    for the bugreport and initial patch.

	    Fix authoritative DNS code to correctly reply to NS 
	    and SOA queries for .arpa zones for which we are 
	    declared authoritative by means of a subnet in auth-zone.
	    Previously we provided correct answers to PTR queries
	    in such zones (including NS and SOA) but not direct
	    NS and SOA queries. Thanks to Johnny S. Lee for 
 	    pointing out the problem.

	    Fix logging of DHCPREPLY which should be suppressed 
	    by quiet-dhcp6. Thanks to J. Pablo Abonia for 
	    spotting the problem.

	    Try and handle net connections with broken fragmentation 
	    that lose large UDP packets. If a server times out, 
            reduce the maximum UDP packet size field in the EDNS0
	    header to 1280 bytes. If it then answers, make that
	    change permanent.

	    Check IPv4-mapped IPv6 addresses when --stop-rebind
	    is active. Thanks to Jordan Milne for spotting this.

	    Allow DHCPv4 options T1 and T2 to be set using --dhcp-option.
	    Thanks to Kevin Benton for patches and work on this.

            Fix code for DHCPCONFIRM DHCPv6 messages to confirm addresses
	    in the correct subnet, even of not in dynamic address 
	    allocation range. Thanks to Steve Hirsch for spotting
	    the problem.

	    Add AddDhcpLease and DeleteDhcpLease DBus methods. Thanks
	    to Nicolas Cavallari for the patch.

	    Allow configuration of router advertisements without the 
	    "on-link" bit set. Thanks to Neil Jerram for the patch.

	    Extend --bridge-interface to DHCPv6 and router 
	    advertisements. Thanks to Neil Jerram for the patch.
	
	
version 2.72
            Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.

	    Add support for "ipsets" in *BSD, using pf. Thanks to 
	    Sven Falempim for the patch.

	    Fix race condition which could lock up dnsmasq when an 
	    interface goes down and up rapidly. Thanks to Conrad 
	    Kostecki for helping to chase this down.

	    Add DBus methods SetFilterWin2KOption and SetBogusPrivOption
	    Thanks to the Smoothwall project for the patch.

	    Fix failure to build against Nettle-3.0. Thanks to Steven 
	    Barth for spotting this and finding the fix. 
	    
	    When assigning existing DHCP leases to intefaces by comparing 
	    networks, handle the case that two or more interfaces have the
	    same network part, but different prefix lengths (favour the
	    longer prefix length.) Thanks to Lung-Pin Chang for the 
	    patch.
	    
	    Add a mode which detects and removes DNS forwarding loops, ie 
	    a query sent to an upstream server returns as a new query to 
	    dnsmasq, and would therefore be forwarded again, resulting in 
	    a query which loops many times before being dropped. Upstream
	    servers which loop back are disabled and this event is logged.
	    Thanks to Smoothwall for their sponsorship of this feature.

	    Extend --conf-dir to allow filtering of files. So
	    --conf-dir=/etc/dnsmasq.d,\*.conf
	    will load all the files in /etc/dnsmasq.d which end in .conf
 
            Fix bug when resulted in NXDOMAIN answers instead of NODATA in
            some circumstances.

	    Fix bug which caused dnsmasq to become unresponsive if it 
	    failed to send packets due to a network interface disappearing.
	    Thanks to Niels Peen for spotting this.
	    	    
            Fix problem with --local-service option on big-endian platforms
	    Thanks to Richard Genoud for the patch.

	
version 2.71
            Subtle change to error handling to help DNSSEC validation 
	    when servers fail to provide NODATA answers for 
	    non-existent DS records.

	    Tweak code which removes DNSSEC records from answers when
	    not required. Fixes broken answers when additional section
	    has real records in it. Thanks to Marco Davids for the bug 
	    report.

	    Fix DNSSEC validation of ANY queries. Thanks to Marco Davids
	    for spotting that too.

	    Fix total DNS failure and 100% CPU use if cachesize set to zero,
	    regression introduced in 2.69. Thanks to James Hunt and
	    the Ubuntu crowd for assistance in fixing this.


version 2.70
            Fix crash, introduced in 2.69, on TCP request when dnsmasq
	    compiled with DNSSEC support, but running without DNSSEC
	    enabled. Thanks to Manish Sing for spotting that one.

	    Fix regression which broke ipset functionality. Thanks to 
	    Wang Jian for the bug report.


version 2.69
	    Implement dynamic interface discovery on *BSD. This allows
	    the contructor: syntax to be used in dhcp-range for DHCPv6
	    on the BSD platform. Thanks to Matthias Andree for
	    valuable research on how to implement this.

	    Fix infinite loop associated with some --bogus-nxdomain
	    configs. Thanks fogobogo for the bug report.

	    Fix missing RA RDNS option with configuration like
	    --dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer
	    for spotting the problem.

	    Add [fd00::] and [fe80::] as special addresses in DHCPv6
	    options, analogous to [::]. [fd00::] is replaced with the
	    actual ULA of the interface on the machine running
	    dnsmasq, [fe80::] with the link-local address. 
	    Thanks to Tsachi Kimeldorfer for championing this.

	    DNSSEC validation and caching. Dnsmasq needs to be
	    compiled with this enabled, with 
	    
	    make dnsmasq COPTS=-DHAVE_DNSSEC
	    
	    this add dependencies on the nettle crypto library and the 
	    gmp maths library. It's possible to have these linked
	    statically with
	    
	    make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'
	    
	    which bloats the dnsmasq binary, but saves the size of 
	    the shared libraries which are much bigger.

	    To enable, DNSSEC, you will need a set of
	    trust-anchors. Now that the TLDs are signed, this can be
	    the keys for the root zone, and for convenience they are
	    included in trust-anchors.conf in the dnsmasq
	    distribution. You should of course check that these are
	    legitimate and up-to-date. So, adding
	    
	    conf-file=/path/to/trust-anchors.conf
	    dnssec

	    to your config is all thats needed to get things
	    working. The upstream nameservers have to be DNSSEC-capable
	    too, of course. Many ISP nameservers aren't, but the
	    Google public nameservers (8.8.8.8 and 8.8.4.4) are.
	    When DNSSEC is configured, dnsmasq validates any queries 
	    for domains which are signed. Query results which are 
	    bogus are replaced with SERVFAIL replies, and results 
	    which are correctly signed have the AD bit set. In 
	    addition, and just as importantly, dnsmasq supplies 
	    correct DNSSEC information to clients which are doing 
	    their own validation, and caches DNSKEY, DS and RRSIG
	    records, which significantly improve the performance of 
	    downstream validators. Setting --log-queries will show 
	    DNSSEC in action.

	    If a domain is returned from an upstream nameserver without 
	    DNSSEC signature, dnsmasq by default trusts this. This 
	    means that for unsigned zone (still the majority) there 
	    is effectively no cost for having DNSSEC enabled. Of course
	    this allows an attacker to replace a signed record with a 
	    false unsigned record. This is addressed by the 
	    --dnssec-check-unsigned flag, which instructs dnsmasq
	    to prove that an unsigned record is legitimate, by finding  
	    a secure proof that the zone containing the record is not
	    signed. Doing this has costs (typically one or two extra
	    upstream queries). It also has a nasty failure mode if
	    dnsmasq's upstream nameservers are not DNSSEC capable. 
	    Without --dnssec-check-unsigned using such an upstream
	    server will simply result in not queries being validated; 
	    with --dnssec-check-unsigned enabled and a 
	    DNSSEC-ignorant upstream server, _all_ queries will fail.

	    Note that DNSSEC requires that the local time is valid and 
	    accurate, if not then DNSSEC validation will fail. NTP 
	    should be running. This presents a problem for routers
	    without a battery-backed clock. To set the time needs NTP 
	    to do DNS lookups, but lookups will fail until NTP has run.
	    To address this, there's a flag, --dnssec-no-timecheck 
	    which disables the time checks (only) in DNSSEC. When dnsmasq
	    is started and the clock is not synced, this flag should
	    be used. As soon as the clock is synced, SIGHUP dnsmasq. 
	    The SIGHUP clears the cache of partially-validated data and
	    resets the no-timecheck flag, so that all DNSSEC checks 
	    henceforward will be complete.
	    
	    The development of DNSSEC in dnsmasq was started by 
	    Giovanni Bajo, to whom huge thanks are owed. It has been
	    supported by Comcast, whose techfund grant has allowed for 
	    an invaluable period of full-time work to get it to 
	    a workable state.
 
	    Add --rev-server. Thanks to Dave Taht for suggesting this.
	    
	    Add --servers-file. Allows dynamic update of upstream servers 
	    full access to configuration. 

	    Add --local-service. Accept DNS queries only from hosts 
            whose address is on a local subnet, ie a subnet for which 
            an interface exists on the server. This option
            only has effect if there are no --interface --except-interface,
            --listen-address or --auth-server options. It is intended 
            to be set as a default on installation, to allow
            unconfigured installations to be useful but also safe from 
	    being used for DNS amplification attacks.

	    Fix crashes in cache_get_cname_target() when dangling CNAMEs
	    encountered. Thanks to Andy and the rt-n56u project for
	    find this and helping to chase it down.

	    Fix wrong RCODE in authoritative DNS replies to PTR queries. The
	    correct answer was included, but the RCODE was set to NXDOMAIN.
	    Thanks to Craig McQueen for spotting this.

	    Make statistics available as DNS queries in the .bind TLD as 
	    well as logging them.


version 2.68
            Use random addresses for DHCPv6 temporary address
            allocations, instead of algorithmically determined stable
            addresses.

	    Fix bug which meant that the DHCPv6 DUID was not available
	    in DHCP script runs during the lifetime of the dnsmasq
	    process which created the DUID de-novo. Once the DUID was
	    created and stored in the lease file and dnsmasq
	    restarted, this bug disappeared.

	    Fix bug introduced in 2.67 which could result in erroneous
	    NXDOMAIN returns to CNAME queries.

	    Fix build failures on MacOS X and openBSD.

	    Allow subnet specifications in --auth-zone to be interface 
	    names as well as address literals. This makes it possible
	    to configure authoritative DNS when local address ranges
	    are dynamic and works much better than the previous
	    work-around which exempted contructed DHCP ranges from the
	    IP address filtering. As a consequence, that work-around
	    is removed. Under certain circumstances, this change wil
	    break existing configuration: if you're relying on the
	    contructed-range exception, you need to change --auth-zone
	    to specify the same interface as is used to construct your
	    DHCP ranges, probably with a trailing "/6" like this: 
	    --auth-zone=example.com,eth0/6 to limit the addresses to
	    IPv6 addresses of eth0.

	    Fix problems when advertising deleted IPv6 prefixes. If
	    the prefix is deleted (rather than replaced), it doesn't
	    get advertised with zero preferred time. Thanks to Tsachi
	    for the bug report. 

	    Fix segfault with some locally configured CNAMEs. Thanks
	    to Andrew Childs for spotting the problem.

	    Fix memory leak on re-reading /etc/hosts and friends,
	    introduced in 2.67.

	    Check the arrival interface of incoming DNS and TFTP
	    requests via IPv6, even in --bind-interfaces mode. This
	    isn't possible for IPv4 and can generate scary warnings,
	    but as it's always possible for IPv6 (the API always
	    exists) then we should do it always. 
	    
	    Tweak the rules on prefix-lengths in --dhcp-range for
	    IPv6. The new rule is that the specified prefix length
	    must be larger than or equal to the prefix length of the
	    corresponding address on the local interface. 


version 2.67
	    Fix crash if upstream server returns SERVFAIL when
	    --conntrack in use. Thanks to Giacomo Tazzari for finding
	    this and supplying the patch. 

	    Repair regression in 2.64. That release stopped sending
	    lease-time information in the reply to DHCPINFORM
	    requests, on the correct grounds that it was a standards
	    violation. However, this broke the dnsmasq-specific
	    dhcp_lease_time utility. Now, DHCPINFORM returns
	    lease-time only if it's specifically requested
	    (maintaining standards) and the dhcp_lease_time utility
	    has been taught to ask for it (restoring functionality). 

	    Fix --dhcp-match, --dhcp-vendorclass and --dhcp-userclass
	    to work with BOOTP and well as DHCP. Thanks to Peter
	    Korsgaard for spotting the problem. 

	    Add --synth-domain. Thanks to Vishvananda Ishaya for
	    suggesting this.

	    Fix failure to compile ipset.c if old kernel headers are
	    in use. Thanks to Eugene Rudoy for pointing this out.

	    Handle IPv4 interface-address labels in Linux. These are
	    often used to emulate the old IP-alias addresses. Before,
	    using --interface=eth0 would service all the addresses of
	    eth0, including ones configured as aliases, which appear
	    in ifconfig as eth0:0. Now, only addresses with the label
	    eth0 are active. This is not backwards compatible: if you
	    want to continue to bind the aliases too, you need to add
	    eg. --interface=eth0:0 to the config. 
	
	    Fix "failed to set SO_BINDTODEVICE on DHCP socket: Socket 
	    operation on non-socket" error on startup with
	    configurations which have exactly one --interface option
	    and do RA but _not_ DHCPv6. Thanks to Trever Adams for the
	    bug report.

	    Generalise --interface-name to cope with IPv6 addresses
	    and multiple addresses per interface per address family.

	    Fix option parsing for --dhcp-host, which was generating a
	    spurious error when all seven possible items were
	    included. Thanks to Zhiqiang Wang for the bug report.

	    Remove restriction on prefix-length in --auth-zone. Thanks
	    to Toke Hoiland-Jorgensen for suggesting this.

	    Log when the maximum number of concurrent DNS queries is
	    reached. Thanks to Marcelo Salhab Brogliato for the patch.

	    If wildcards are used in --interface, don't assume that 
	    there will only ever be one available interface for DHCP
	    just because there is one at start-up. More may appear, so
	    we can't use SO_BINDTODEVICE. Thanks to Natrio for the bug
	    report. 

	    Increase timeout/number of retries in TFTP to accomodate
	    AudioCodes Voice Gateways doing streaming writes to flash.
	    Thanks to Damian Kaczkowski for spotting the problem.

	    Fix crash with empty DHCP string options when adding zero
	    terminator. Thanks to Patrick McLean for the bug report.

	    Allow hostnames to start with a number, as allowed in
	    RFC-1123. Thanks to Kyle Mestery for the patch. 

	    Fixes to DHCP FQDN option handling: don't terminate FQDN
	    if domain not known and allow a FQDN option with blank
	    name to request that a FQDN option is returned in the
	    reply. Thanks to Roy Marples for the patch.

	    Make --clear-on-reload apply to setting upstream servers
	    via DBus too.

	    When the address which triggered the construction of an
	    advertised IPv6 prefix disappears, continue to advertise 
	    the prefix for up to 2 hours, with the preferred lifetime
	    set to zero. This satisfies RFC 6204 4.3 L-13 and makes
	    things work better if a prefix disappears without being
	    deprecated first. Thanks to Uwe Schindler for persuasively
	    arguing for this.

	    Fix MAC address enumeration on *BSD. Thanks to Brad Smith
	    for the bug report.

	    Support RFC-4242 information-refresh-time options in the 
	    reply to DHCPv6 information-request. The lease time of the
            smallest valid dhcp-range is sent. Thanks to Uwe Schindler 
	    for suggesting this.

	    Make --listen-address higher priority than --except-interface
	    in all circumstances. Thanks to Thomas Hood for the bugreport.

	    Provide independent control over which interfaces get TFTP 
	    service. If enable-tftp is given a list of interfaces, then TFTP 
	    is provided on those. Without the list, the previous behaviour
	    (provide TFTP to the same interfaces we provide DHCP to) 
	    is retained. Thanks to Lonnie Abelbeck for the suggestion.

	    Add --dhcp-relay config option. Many thanks to vtsl.net
	    for sponsoring this development.

	    Fix crash with empty tag: in --dhcp-range. Thanks to
	    Kaspar Schleiser for the bug report.

	    Add "baseline" and "bloatcheck" makefile targets, for 
	    revealing size changes during development. Thanks to
	    Vladislav Grishenko for the patch. 

	    Cope with DHCPv6 clients which send REQUESTs without
	    address options - treat them as SOLICIT with rapid commit.

	    Support identification of clients by MAC address in
	    DHCPv6. When using a relay, the relay must support RFC
	    6939 for this to work. It always works for directly
	    connected clients. Thanks to Vladislav Grishenko
	    for prompting this feature.
	    
	    Remove the rule for constructed DHCP ranges that the local
	    address must be either the first or last address in the
	    range. This was originally to avoid SLAAC addresses, but
	    we now explicitly autoconfig and privacy addresses instead.  

	    Update Polish translation. Thanks to Jan Psota.

	    Fix problem in DHCPv6 vendorclass/userclass matching
	    code. Thanks to Tanguy Bouzeloc for the patch.

 	    Update Spanish transalation. Thanks to Vicente Soriano.

	    Add --ra-param option. Thanks to Vladislav Grishenko for
	    inspiration on this.

	    Add --add-subnet configuration, to tell upstream DNS
	    servers where the original client is. Thanks to DNSthingy
	    for sponsoring this feature.

	    Add --quiet-dhcp, --quiet-dhcp6 and --quiet-ra. Thanks to
	    Kevin Darbyshire-Bryant for the initial patch.

	    Allow A/AAAA records created by --interface-name to be the
	    target of --cname. Thanks to Hadmut Danisch for the
	    suggestion. 

	    Avoid treating a --dhcp-host which has an IPv6 address
	    as eligable for use with DHCPv4 on the grounds that it has
	    no address, and vice-versa. Thanks to Yury Konovalov for
	    spotting the problem.

	    Do a better job caching dangling CNAMEs. Thanks to Yves
	    Dorfsman for spotting the problem.

 
version 2.66
            Add the ability to act as an authoritative DNS
            server. Dnsmasq can now answer queries from the wider 'net
            with local data, as long as the correct NS records are set
            up. Only local data is provided, to avoid creating an open
            DNS relay. Zone transfer is supported, to allow secondary
            servers to be configured.

	    Add "constructed DHCP ranges" for DHCPv6. This is intended
	    for IPv6 routers which get prefixes dynamically via prefix
	    delegation. With suitable configuration, stateful DHCPv6
	    and RA can happen automatically as prefixes are delegated
	    and then deprecated, without having  to re-write the
	    dnsmasq configuration file or restart the daemon. Thanks to
	    Steven Barth for extensive testing and development work on
	    this idea.

	    Fix crash on startup on Solaris 11. Regression probably
	    introduced in 2.61.  Thanks to Geoff Johnstone for the
	    patch.

	    Add code to make behaviour for TCP DNS requests that same
	    as for UDP requests, when a request arrives for an allowed 
	    address, but via a banned interface. This change is only
	    active on Linux, since the relevant API is missing (AFAIK)
	    on other platforms. Many thanks to Tomas Hozza for
	    spotting the problem, and doing invaluable discovery of
	    the obscure and undocumented API required for the solution.

	    Don't send the default DHCP option advertising dnsmasq as
	    the local DNS server if dnsmasq is configured to not act
	    as DNS server, or it's configured to a non-standard port.
 
            Add DNSMASQ_CIRCUIT_ID, DNSMASQ_SUBCRIBER_ID,
            DNSMASQ_REMOTE_ID variables to the environment of the
            lease-change script (and the corresponding Lua). These hold
            information inserted into the DHCP request by a DHCP relay
            agent. Thanks to Lakefield Communications for providing a
            bounty for this addition.
 
	    Fixed crash, introduced in 2.64, whilst handling DHCPv6
	    information-requests with some common configurations.
	    Thanks to Robert M. Albrecht for the bug report and 
	    chasing the problem.

	    Add --ipset option. Thanks to Jason A. Donenfeld for the 
	    patch.

	    Don't erroneously reject some option names in --dhcp-match
	    options. Thanks to Benedikt Hochstrasser for the bug report.
	    
	    Allow a trailing '*' wildcard in all interface-name
	    configurations. Thanks to Christian Parpart for the patch.

	    Handle the situation where libc headers define
	    SO_REUSEPORT, but the kernel in use doesn't, to cope with
	    the introduction of this option to Linux. Thanks to Rich
	    Felker for the bug report.

	    Update Polish translation. Thanks to Jan Psota.

	    Fix crash if the configured DHCP lease limit is
	    reached. Regression occurred in 2.61. Thanks to Tsachi for
	    the bug report. 
	    
	    Update the French translation. Thanks to Gildas le Nadan.

  
version 2.65
	    Fix regression which broke forwarding of queries sent via
	    TCP which are not for A and AAAA and which were directed to
	    non-default servers. Thanks to Niax for the bug report.

	    Fix failure to build with DHCP support excluded. Thanks to 
	    Gustavo Zacarias for the patch.
	    
	    Fix nasty regression in 2.64 which completely broke cacheing.


version 2.64
            Handle DHCP FQDN options with all flag bits zero and
            --dhcp-client-update set. Thanks to Bernd Krumbroeck for
            spotting the problem.

	    Finesse the check for /etc/hosts names which conflict with
	    DHCP names. Previously a name/address pair in /etc/hosts
	    which didn't match the name/address of a DHCP lease would
	    generate a warning. Now that only happesn if there is not
	    also a match. This allows multiple addresses for a name in 
	    /etc/hosts with one of them assigned via DHCP.

	    Fix broken vendor-option processing for BOOTP. Thanks to
	    Hans-Joachim Baader for the bug report.

	    Don't report spurious netlink errors, regression in
	    2.63. Thanks to Vladislav Grishenko for the patch.

	    Flag DHCP or DHCPv6 in starup logging. Thanks to 
	    Vladislav Grishenko for the patch.

	    Add SetServersEx method in DBus interface. Thanks to Dan
	    Williams for the patch.

	    Add SetDomainServers method in DBus interface. Thanks to
	    Roy Marples for the patch.

	    Fix build with later Lua libraries. Thansk to Cristian
	    Rodriguez for the patch.

	    Add --max-cache-ttl option. Thanks to Dennis Kaarsemaker
	    for the patch.

	    Fix breakage of --host-record parsing, resulting in
	    infinte loop at startup. Regression in 2.63. Thanks to
	    Haim Gelfenbeyn for spotting this.

	    Set SO_REUSEADDRESS and SO_V6ONLY options on the DHCPv6
	    socket, this allows multiple instances of dnsmasq on a
	    single machine, in the same way as for DHCPv4. Thanks to
	    Gene Czarcinski and Vladislav Grishenko for work on this.

	    Fix DHCPv6 to do access control correctly when it's 
	    configured with --listen-address. Thanks to
	    Gene Czarcinski for sorting this out. 

	    Add a "wildcard" dhcp-range which works for any IPv6
	    subnet, --dhcp-range=::,static Useful for Stateless 
	    DHCPv6. Thanks to Vladislav Grishenko for the patch.

	    Don't include lease-time in DHCPACK replies to DHCPINFORM
	    queries, since RFC-2131 says we shouldn't. Thanks to
	    Wouter Ibens for pointing this out.  

	    Makefile tweak to do dependency checking on header files.
	    Thanks to Johan Peeters for the patch.

	    Check interface for outgoing unsolicited router 
	    advertisements, rather than relying on interface address 
	    configuration. Thanks to Gene Czarinski for the patch.

	    Handle better attempts to transmit on interfaces which are
	    still doing DAD, and specifically do not just transmit
	    without setting source address and interface, since this
	    can cause very puzzling effects when a router
	    advertisement goes astray. Thanks again to Gene Czarinski.

	    Get RA timers right when there is more than one
	    dhcp-range on a subnet.
	    

version 2.63
            Do duplicate dhcp-host address check in --test mode.

	    Check that tftp-root directories are accessible before
	    start-up. Thanks to Daniel Veillard for the initial patch.

	    Allow more than one --tfp-root flag. The per-interface
	    stuff is pointless without that.

	    Add --bind-dynamic. A hybrid mode between the default and
	    --bind-interfaces which copes with dynamically created
	    interfaces. 
	    
	    A couple of fixes to the build system for Android. Thanks
	    to Metin Kaya for the patches.

	    Remove the interface:<interface> argument in --dhcp-range, and
	    the interface argument to --enable-tftp. These were a
	    still-born attempt to allow automatic isolated
	    configuration by libvirt, but have never (to my knowledge)
	    been used, had very strange semantics, and have been
	    superceded by other mechanisms. 

	    Fixed bug logging filenames when duplicate dhcp-host
	    addresses are found. Thanks to John Hanks for the patch.

	    Fix regression in 2.61 which broke caching of CNAME
	    chains. Thanks to Atul Gupta for the bug report.

	    Allow the target of a --cname flag to be another --cname.

            Teach DHCPv6 about the RFC 4242 information-refresh-time
	    option, and add parsing if the minutes, hours and days
	    format for options. Thanks to Francois-Xavier Le Bail for
	    the suggestion.

	    Allow "w" (for week) as multiplier in lease times, as well
	    as seconds, minutes, hours and days.  Álvaro Gámez Machado 
	    spotted the ommission.
 
	    Update French translation. Thanks to Gildas Le Nadan.

	    Allow a DBus service name to be given with --enable-dbus
	    which overrides the default,
	    uk.org.thekelleys.dnsmasq. Thanks to Mathieu
	    Trudel-Lapierre for the patch. 

	    Set the "prefix on-link" bit in Router
	    Advertisements. Thanks to Gui Iribarren for the patch.


version 2.62
            Update German translation. Thanks to Conrad Kostecki.

	    Cope with router-solict packets wich don't have a valid 
	    source address. Thanks to Vladislav Grishenko for the patch.

	    Fixed bug which caused missing periodic router
	    advertisements with some configurations. Thanks to
	    Vladislav Grishenko for the patch.

	    Fixed bug which broke DHCPv6/RA with prefix lengths 
	    which are not divisible by 8. Thanks to Andre Coetzee 
	    for spotting this.

	    Fix non-response to router-solicitations when
	    router-advertisement configured, but DHCPv6 not
	    configured. Thanks to Marien Zwart for the patch.

	    Add --dns-rr, to allow arbitrary DNS resource records.

	    Fixed bug which broke RA scheduling when an interface had
	    two addresses in the same network. Thanks to Jim Bos for
	    his help nailing this.

version 2.61
	    Re-write interface discovery code on *BSD to use
	    getifaddrs. This is more portable, more straightforward,
	    and allows us to find the prefix length for IPv6
	    addresses.

	    Add ra-names, ra-stateless and slaac keywords for DHCPv6.
	    Dnsmasq can now synthesise AAAA records for dual-stack 
            hosts which get IPv6 addresses via SLAAC. It is also now 
	    possible to use SLAAC and stateless DHCPv6, and to 
	    tell clients to use SLAAC addresses as well as DHCP ones.
	    Thanks to Dave Taht for help with this.

	    Add --dhcp-duid to allow DUID-EN uids to be used.

	    Explicity send DHCPv6 replies to the correct port, instead
	    of relying on clients to send requests with the correct
	    source address, since at least one client in the wild gets
	    this wrong. Thanks to Conrad Kostecki for help tracking
	    this down.

	    Send a preference value of 255 in DHCPv6 replies when 
	    --dhcp-authoritative is in effect. This tells clients not
	    to wait around for other DHCP servers.

	    Better logging of DHCPv6 options.

	    Add --host-record. Thanks to Rob Zwissler for the
	    suggestion.

	    Invoke the DHCP script with action "tftp" when a TFTP file
	    transfer completes. The size of the file, address to which
	    it was sent and complete pathname are supplied. Note that
	    version 2.60 introduced some script incompatibilties
	    associated with DHCPv6, and this is a further change. To
	    be safe, scripts should ignore unknown actions, and if
	    not IPv6-aware, should exit if the environment
	    variable DNSMASQ_IAID is set. The use-case for this is
	    to track netboot/install.  Suggestion from Shantanu
	    Gadgil.

	    Update contrib/port-forward/dnsmasq-portforward to reflect
	    the above.

	    Set the environment variable DNSMASQ_LOG_DHCP when running
	    the script id --log-dhcp is in effect, so that script can
	    taylor their logging verbosity. Suggestion from Malte
	    Forkel.
	    
	    Arrange that addresses specified with --listen-address
	    work even if there is no interface carrying the
	    address. This is chiefly useful for IPv4 loopback
	    addresses, where any address in 127.0.0.0/8 is a valid
	    loopback address, but normally only 127.0.0.1 appears on
	    the lo interface. Thanks to Mathieu Trudel-Lapierre for
	    the idea and initial patch. 

	    Fix crash, introduced in 2.60, when a DHCPINFORM is
	    received from a network which has no valid dhcp-range.
	    Thanks to Stephane Glondu for the bug report.

	    Add a new DHCP lease time keyword, "deprecated" for
	    --dhcp-range. This is only valid for IPv6, and sets the
	    preffered lease time for both DHCP and RA to zero. The
	    effect is that clients can continue to use the address 
	    for existing connections, but new connections will use
            other addresses, if they exist. This makes hitless
	    renumbering at least possible.

	    Fix bug in address6_available() which caused DHCPv6 lease
	    aquisition to fail if more than one dhcp-range in use.

	    Provide RDNSS and DNSSL data in router advertisements,
	    using the settings provided for DHCP options
	    option6:domain-search and option6:dns-server.

	    Tweak logo/favicon.ico to add some transparency. Thanks to
	    SamLT for work on this.
	    
	    Don't cache data from non-recursive nameservers, since it
	    may erroneously look like a valid CNAME to a non-exitant
	    name. Thanks to Ben Winslow for finding this.

	    Call SO_BINDTODEVICE on the DHCP socket(s) when doing DHCP
	    on exactly one interface and --bind-interfaces is set. This 
	    makes the OpenStack use-case of one dnsmasq per virtual
	    interface work. This is only available on Linux; it's not
	    supported on other platforms. Thanks to Vishvananda Ishaya
	    and the OpenStack team for the suggestion.

	    Updated French translation. Thanks to Gildas Le Nadan.

	    Give correct from-cache answers to explict CNAME queries.
	    Thanks to Rob Zwissler for spotting this.
	    
	    Add --tftp-lowercase option. Thanks to Oliver Rath for the
	    patch. 

	    Ensure that the DBus DhcpLeaseUpdated events are generated
	    when a lease goes through INIT_REBOOT state, even if the
	    dhcp-script is not in use. Thanks to Antoaneta-Ecaterina
	    Ene for the patch.

	    Fix failure of TFTP over IPv4 on OpenBSD platform. Thanks
	    to Brad Smith for spotting this.
	    

version 2.60
            Fix compilation problem in Mac OS X Lion. Thanks to Olaf
            Flebbe for the patch.

	    Fix DHCP when using --listen-address with an IP address
	    which is not the primary address of an interface.

	    Add --dhcp-client-update option.

	    Add Lua integration. Dnsmasq can now execute a DHCP
	    lease-change script written in Lua. This needs to be
	    enabled at compile time by setting HAVE_LUASCRIPT in 
	    src/config.h or running "make COPTS=-DHAVE_LUASCRIPT"
	    Thanks to Jan-Piet Mens for the idea and proof-of-concept 
	    implementation.
	    
	    Tidied src/config.h to distinguish between
	    platform-dependent compile-time options which are selected
	    automatically, and builder-selectable compile time
	    options. Document the latter better, and describe how to
	    set them from the make command line.

	    Tidied up IPPROTO_IP/SOL_IP (and IPv6 equivalent)
	    confusion. IPPROTO_IP works everywhere now.
	    
	    Set TOS on DHCP sockets, this improves things on busy
	    wireless networks. Thanks to Dave Taht for the patch.

	    Determine VERSION automatically based on git magic:
	    release tags or hash values.

	    Improve start-up speed when reading large hosts files 
	    containing many distinct addresses.

	    Fix problem if dnsmasq is started without the stdin,
	    stdout and stderr file descriptors open. This can manifest
	    itself as 100% CPU use. Thanks to Chris Moore for finding
	    this.

	    Fix shell-scripting bug in bld/pkg-wrapper. Thanks to 
	    Mark Mitchell for the patch.

	    Allow the TFP server or boot server in --pxe-service, to
	    be a domain name instead of an IP address. This allows for
	    round-robin	to multiple servers, in the same way as
	    --dhcp-boot. A good suggestion from Cristiano Cumer.

	    Support BUILDDIR variable in the Makefile. Allows builds 
	    for multiple archs from the same source tree with eg.
	    make BUILDDIR=linux             (relative to dnsmasq tree)
	    make BUILDDIR=/tmp/openbsd      (absolute path)
	    If BUILDDIR is not set, compilation happens in the src
	    directory, as before. Suggestion from Mark Mitchell.

	    Support DHCPv6. Support is there for the sort of things
	    the existing v4 server does, including tags, options, 
	    static addresses and relay support. Missing is prefix 
	    delegation, which is probably not required in the dnsmasq
	    niche, and an easy way to accept prefix delegations from
	    an upstream DHCPv6 server, which is. Future plans include
	    support for DHCPv6 router option and MAC address option
	    (to make selecting clients by MAC address work like IPv4).
	    These will be added as the standards mature.
	    This code has been tested, but this is the first release,
	    so don't bet the farm on it just yet. Many thanks to all 
	    testers who have got it this far.

	    Support IPv6 router advertisements. This is a
	    simple-minded implementation, aimed at providing the
	    vestigial RA needed to go alongside IPv6. Is picks up
	    configuration from the DHCPv6 conf, and should just need
	    enabling with --enable-ra.   

	    Fix long-standing wrinkle with --localise-queries that
	    could result in wrong answers when DNS packets arrive
	    via an interface other than the expected one. Thanks to 
	    Lorenzo Milesi and John Hanks for spotting this one.
 
            Update French translation. Thanks to Gildas Le Nadan.

	    Update Polish translation. Thanks to Jan Psota.


version 2.59
            Fix regression in 2.58 which caused failure to start up
            with some combinations of dnsmasq config and IPv6 kernel
            network config. Thanks to Brielle Bruns for the bug
            report.

            Improve dnsmasq's behaviour when network interfaces are
            still doing duplicate address detection (DAD). Previously,
            dnsmasq would wait up to 20 seconds at start-up for the
            DAD state to terminate. This is broken for bridge
            interfaces on recent Linux kernels, which don't start DAD
            until the bridge comes up, and so can take arbitrary
            time. The new behaviour lets dnsmasq poll for an arbitrary
            time whilst providing service on other interfaces. Thanks
            to Stephen Hemminger for pointing out the problem.


version 2.58
	    Provide a definition of the SA_SIZE macro where it's 
	    missing. Fixes build failure on openBSD.

	    Don't include a zero terminator at the end of messages
	    sent to /dev/log when /dev/log is a datagram socket.
	    Thanks to Didier Rabound for spotting the problem.

	    Add --dhcp-sequential-ip flag, to force allocation of IP
	    addresses in ascending order. Note that the default
	    pseudo-random mode is in general better but some
	    server-deployment applications need this.

	    Fix problem where a server-id of 0.0.0.0 is sent to a
	    client when a dhcp-relay is in use if a client renews a
	    lease after dnsmasq restart and before any clients on the
	    subnet get a new lease. Thanks to Mike Ruiz for assistance
	    in chasing this one down. 

	    Don't return NXDOMAIN to an AAAA query if we have CNAME
	    which points to an A record only: NODATA is the correct
	    reply in this case. Thanks to Tom Fernandes for spotting
	    the problem.

	    Relax the need to supply a netmask in --dhcp-range for
	    networks which use a DHCP relay. Whilst this is still
	    desireable, in the absence of a netmask dnsmasq will use
	    a default based on the class (A, B, or C) of the address. 
	    This should at least remove a cause of mysterious failure 
	    for people using RFC1918 addresses and relays.

	    Add support for Linux conntrack connection marking. If 
	    enabled with --conntrack, the connection mark for incoming
	    DNS queries will be copied  to the outgoing connections
	    used to answer those queries. This allows clever firewall
	    and accounting stuff. Only available if dnsmasq is
	    compiled with HAVE_CONNTRACK and adds a dependency on 
	    libnetfilter-conntrack. Thanks to Ed Wildgoose for the
	    initial idea, testing and sponsorship of this function.

	    Provide a sane error message when someone attempts to 
	    match a tag in --dhcp-host.

	    Tweak the behaviour of --domain-needed, to avoid problems
	    with recursive nameservers downstream of dnsmasq. The new
	    behaviour only stops A and AAAA queries, and returns
	    NODATA rather than NXDOMAIN replies. 

	    Efficiency fix for very large DHCP configurations, thanks
	    to James Gartrell and Mike Ruiz for help with this. 

	    Allow the TFTP-server address in --dhcp-boot to be a
	    domain-name which is looked up in /etc/hosts. This can 
	    give multiple IP addresses which are used round-robin,
	    thus doing TFTP server load-balancing. Thanks to Sushil
	    Agrawal for the patch.

	    When two tagged dhcp-options for a particular option
	    number are both valid, use the one which is valid without
	    a tag from the dhcp-range. Allows overriding of the value
	    of a DHCP option for a particular host as well as
	    per-network values.  So 
	    --dhcp-range=set:interface1,......
	    --dhcp-host=set:myhost,.....  
	    --dhcp-option=tag:interface1,option:nis-domain,"domain1" 
	    --dhcp-option=tag:myhost,option:nis-domain,"domain2" 
	    will set the NIS-domain to domain1 for hosts in the range, but
       	    override that to domain2 for a particular host.

	    Fix bug which resulted in truncated files and timeouts for
	    some TFTP transfers. The bug only occurs with netascii
	    transfers and needs an unfortunate relationship between
	    file size, blocksize and the number of newlines in the
	    last block before it manifests itself. Many thanks to 
	    Alkis Georgopoulos for spotting the problem and providing
	    a comprehensive test-case. 

	    Fix regression in TFTP server on *BSD platforms introduced
	    in version 2.56, due to confusion with sockaddr
	    length. Many thanks to Loic Pefferkorn for finding this.

	    Support scope-ids in IPv6 addresses of nameservers from
	    /etc/resolv.conf and in --server options. Eg
	    nameserver fe80::202:a412:4512:7bbf%eth0 or
	    server=fe80::202:a412:4512:7bbf%eth0. Thanks to 
	    Michael Stapelberg for the suggestion.

	    Update Polish translation, thanks to Jan Psota.

	    Update French translation. Thanks to Gildas Le Nadan.


version 2.57
	    Add patches to allow build under Android.

	    Provide our own header for the DNS protocol, rather than
	    relying on arpa/nameser.h. This has proved more or less
	    defective over the years and the final straw is that it's
	    effectively empty on Android.

	    Fix regression in 2.56 which caused hex constants in
	    configuration to be rejected if they contain the '*'
	    wildcard.

	    Correct wrong casts of arguments to ctype.h functions,
	    isdigit(), isxdigit() etc. Thanks to Matthias Andree for
	    spotting this.

	    Allow build with IDN support independently from i18n. 
            IDN support continues to be included automatically 
	    when i18n is included. 
            'make COPTS=-DHAVE_IDN' is the magic incantation. 

	    Modify check on extraneous command line junk (added in
	    2.56) so that it doesn't complain about extra _empty_ 
	    arguments. Otherwise this breaks libvirt.


version 2.56
            Add a patch to allow dnsmasq to get interface names right in a
            Solaris zone. Thanks to Dj Padzensky for this.

	    Improve data-type parsing heuristics so that
	    --dhcp-option=option:domain-search,. 
	    treats the value as a string and not an IP address.
	    Thanks to Clemens Fischer for spotting that.

	    Add IPv6 support to the TFTP server. Many thanks to Jan 
	    'RedBully' Seiffert for the patches.
	    
	    Log DNS queries at level LOG_INFO, rather then
	    LOG_DEBUG. This makes things consistent with DHCP
	    logging. Thanks to Adam Pribyl for spotting the problem.

            Ensure that dnsmasq terminates cleanly when using
            --syslog-async even if it cannot make a connection to the
            syslogd.

	    Add --add-mac option. This is to support currently 
	    experimental DNS filtering facilities. Thanks to Benjamin
	    Petrin for the orignal patch. 

	    Fix bug which meant that tags were ignored in dhcp-range
	    configuration specifying PXE-proxy service. Thanks to
	    Cristiano Cumer for spotting this.

	    Raise an error if there is extra junk, not part of an
 	    option, on the command line.

	    Flag a couple of log messages in cache.c as coming from
	    the DHCP subsystem. Thanks to Olaf Westrik for the patch.

	    Omit timestamps from logs when a) logging to stderr and 
	    b) --keep-in-forground is set. The logging facility on the
	    other end of stderr can be assumned to supply them. Thanks
	    to John Hallam for the patch.

	    Don't complain about strings longer than 255 characters in
	    --txt-record, just split the long strings into 255
	    character chunks instead.

	    Fix crash on double-free. This bug can only happen when
	    dhcp-script is in use and then only in rare circumstances
	    triggered by high DHCP transaction rate and a slow
	    script. Thanks to Ferenc Wagner for finding the problem.

	    Only log that a file has been sent by TFTP after the
	    transfer has completed succesfully. 

	    A good suggestion from Ferenc Wagner: extend
	    the --domain option to allow this sort of thing:
            --domain=thekelleys.org.uk,192.168.0.0/24,local
	    which automatically creates
	    --local=/thekelleys.org.uk/
	    --local=/0.168.192.in-addr.arpa/ 

	    Tighten up syntax checking of hex contants in the config
	    file.  Thanks to Fred Damen for spotting this.

	    Add dnsmasq logo/icon, contributed by Justin Swift. Many
	    thanks for that.

	    Never cache DNS replies which have the 'cd' bit set, or
	    which result from queries forwarded with the 'cd' bit
	    set. The 'cd' bit instructs a DNSSEC validating server
	    upstream to ignore signature failures and return replies
	    anyway. Without this change it's possible to pollute the
	    dnsmasq cache with bad data by making a query with the
	    'cd' bit set and subsequent queries would return this data
	    without its being marked as suspect. Thanks to Anders
	    Kaseorg for pointing out this problem.

	    Add --proxy-dnssec flag, for compliance with RFC
	    4035. Dnsmasq will now clear the 'ad' bit in answers returned
	    from upstream validating nameservers unless this option is
	    set.

	    Allow a filename of "-" for --conf-file to read
	    stdin. Suggestion from Timothy Redaelli.

	    Rotate the order of SRV records in replies, to provide
	    round-robin load balancing when all the priorities are
	    equal. Thanks to Peter McKinney for the suggestion.	

	    Edit
	    contrib/MacOSX-launchd/uk.org.thekelleys.dnsmasq.plist 
	    so that it doesn't log all queries to a file by
	    default. Thanks again to Peter McKinney.    

	    By default, setting an IPv4 address for a domain but not
	    an IPv6 address causes dnsmasq to return
	    an NODATA reply for IPv6 (or vice-versa). So
	    --address=/google.com/1.2.3.4 stops IPv6 queries for
	    *google.com from being forwarded. Make it possible to
	    override this behaviour by defining the sematics if the
	    same domain appears in  both --server and --address.
	    In that case, the --address has priority for the address
	    family in which is appears, but the --server has priority
	    of the address family which doesn't appear in --adddress  
	    So:
	    --address=/google.com/1.2.3.4
	    --server=/google.com/#
	    will return 1.2.3.4 for IPv4 queries for *.google.com but
	    forward IPv6 queries to the normal upstream nameserver.
	    Similarly when setting an IPv6 address
	    only this will allow forwarding of IPv4 queries. Thanks to
	    William for pointing out the need for this.

	    Allow more than one --dhcp-optsfile and --dhcp-hostsfile
	    and make them understand directories as arguments in the
	    same way as --addn-hosts. Suggestion from John Hanks. 

	    Ignore rebinding requests for leases we don't know
	    about. Rebind is broadcast, so we might get to overhear a
	    request meant for another DHCP server. NAKing this is
	    wrong. Thanks to Brad D'Hondt for assistance with this.

            Fix cosmetic bug which produced strange output when
            dumping cache statistics with some configurations. Thanks
            to Fedor Kozhevnikov for spotting this.


version 2.55
            Fix crash when /etc/ethers is in use. Thanks to 
	    Gianluigi Tiesi for finding this.

	    Fix crash in netlink_multicast(). Thanks to Arno Wald for
	    finding this one.

	    Allow the empty domain "." in dhcp domain-search (119)
	    options. 


version 2.54
            There is no version 2.54 to avoid confusion with 2.53,
            which incorrectly identifies itself as 2.54.


version 2.53
            Fix failure to compile on Debian/kFreeBSD. Thanks to 
	    Axel Beckert and Petr Salinger.

	    Fix code to avoid scary strict-aliasing warnings
	    generated by gcc 4.4.
	    
	    Added FAQ entry warning about DHCP failures with Vista
	    when firewalls block 255.255.255.255.
	    
	    Fixed bug which caused bad things to happen if a 
	    resolv.conf file which exists is subsequently removed.
	    Thanks to Nikolai Saoukh for the patch.

	    Rationalised the DHCP tag system. Every configuration item
	    which can set a tag does so by adding "set:<tag>" and
	    every configuration item which is conditional on a tag is
	    made so by "tag:<tag>". The NOT operator changes to '!',
	    which is a bit more intuitive too. Dhcp-host directives
	    can set more than one tag now. The old '#' NOT, 
	    "net:" prefix and no-prefixes are still honoured, so 
	    no existing config file needs to be changed, but 
	    the documentation and new-style config files should be 
	    much less confusing. 

	    Added --tag-if to allow boolean operations on tags. 
	    This allows complicated logic to be clearer and more 
	    general. A great suggestion from Richard Voigt. 

	    Add broadcast/unicast information to DHCP logging.

	    Allow --dhcp-broadcast to be unconditional.

	    Fixed incorrect behaviour with NOT <tag> conditionals in
	    dhcp-options. Thanks to Max Turkewitz for assistance
	    finding this.

	    If we send vendor-class encapsulated options based on the
	    vendor-class supplied by the client, and no explicit 
	    vendor-class option is given, echo back the vendor-class
	    from the client.
 
	    Fix bug which stopped dnsmasq from matching both a
	    circuitid and a remoteid. Thanks to Ignacio Bravo for
	    finding this.

	    Add --dhcp-proxy, which makes it possible to configure
	    dnsmasq to use a DHCP relay agent as a full proxy, with
	    all DHCP messages passing through the proxy. This is
	    useful if the relay adds extra information to the packets
	    it forwards, but cannot be configured with the RFC 5107 
	    server-override option.

	    Added interface:<iface name> part to dhcp-range. The
	    semantics of this are very odd at first sight, but it
	    allows a single line  of the form
	        dhcp-range=interface:virt0,192.168.0.4,192.168.0.200
	    to be added to dnsmasq configuration which then supplies
	    DHCP and DNS services to that interface, without affecting
	    what services are supplied to other interfaces and 
	    irrespective of the existance or lack of 
                interface=<interface> 
            lines elsewhere in the dnsmasq configuration. The idea is
	    that such a line can be added automatically by libvirt
	    or equivalent systems, without disturbing any manual
	    configuration.

	    Similarly to the above, allow --enable-tftp=<interface>

	    Allow a TFTP root to be set separately for requests via
	    different interfaces, --tftp-root=<path>,<interface>	     

	    Correctly handle and log clashes between CNAMES and 
	    DNS names being given to DHCP leases. This fixes a bug 
	    which caused nonsense IP addresses to be logged. Thanks to 
            Sergei Zhirikov for finding and analysing the problem.

	    Tweak flush_log so as to avoid leaving the log
	    file in non-blocking mode. O_NONBLOCK is a property of the
	    file, not the process/descriptor.

	    Fix contrib/Solaris10/create_package
	    (/usr/man -> /usr/share/man) Thanks to Vita Batrla.

	    Fix a problem where, if a client got a lease, then went
	    to another subnet and got another lease, then moved back,
	    it couldn't resume the old lease, but would instead get 
	    a new address. Thanks to Leonardo Rodrigues for spotting
	    this and testing the fix.
	    
	    Fix weird bug which sometimes omitted certain characters
	    from the start of quoted strings in dhcp-options. Thanks
	    to Dayton Turner for spotting the problem.

	    Add facility to redirect some domains to the standard
	    upstream servers: this allows something like 
	    --server=/google.com/1.2.3.4 --server=/www.google.com/#
	    which will send queries for *.google.com to 1.2.3.4,
	    except *www.google.com which will be forwarded as usual.
	    Thanks to AJ Weber for prompting this addition.
 
	    Improve the hash-algorithm used to generate IP addresses
	    from MAC addresses during initial DHCP address
	    allocation. This improves performance when large numbers
	    of hosts with similar MAC addresses all try and get an IP
	    address at the same time. Thanks to Paul Smith for his
	    work on this.

	    Tweak DHCP code so that --bridge-interface can be used to
	    select which IP alias of an interface should be used for
	    DHCP purposes on Linux. If eth0 has an alias eth0:dhcp
	    then adding  --bridge-interface=eth0:dhcp,eth0 will use 
	    the address of eth0:dhcp to determine the correct subnet 
	    for DHCP address allocation. Thanks to Pawel Golaszewski 
            for prompting this and Eric Cooper for further testing.

	    Add --dhcp-generate-names. Suggestion by Ferenc Wagner.

	    Tweak DNS server selection algorithm when there is more
	    than one server available for a domain, eg.
            --server=/mydomain/1.1.1.1
            --server=/mydomain/2.2.2.2
	    Thanks to Alberto Cuesta-Canada for spotting a weakness
	    here.

	    Add --max-ttl. Thanks to Fredrik Ringertz for the patch.

	    Allow --log-facility=- to force all logging to
	    stderr. Suggestion from Clemens Fischer.

	    Fix regression which caused configuration like
	    --address=/.domain.com/1.2.3.4 to be rejected. The dot to the 
	    left of the domain has been implied and not required for a
	    long time, but it should be accepted for backward
	    compatibility. Thanks to Andrew Burcin for spotting this.
    
            Add --rebind-domain-ok and --rebind-localhost-ok.
	    Suggestion from Clemens Fischer.

	    Log replies to queries of type TXT, when --log-queries 
	    is set.

	    Fix compiler warnings when compiled with -DNO_DHCP. Thanks
	    to Shantanu Gadgil for the patch.

            Updated French translation. Thanks to Gildas Le Nadan.

	    Updated Polish translation. Thanks to Jan Psota.

	    Updated German translation. Thanks to Matthias Andree.

	    Added contrib/static-arp, thanks to Darren Hoo.
 
	    Fix corruption of the domain when a name from /etc/hosts
	    overrides one supplied by a DHCP client. Thanks to Fedor
	    Kozhevnikov for spotting the problem.

            Updated Spanish translation. Thanks to Chris Chatham.


version 2.52
            Work around a Linux kernel bug which insists that the 
	    length of the option passed to setsockopt must be at least
            sizeof(int) bytes, even if we're calling SO_BINDTODEVICE
            and the device name is "lo".  Note that this is fixed 
	    in kernel 2.6.31, but the workaround is harmless and 
	    allows earlier kernels to be used. Also fix dnsmasq 
	    bug which reported the wrong address when this failed. 
	    Thanks to Fedor for finding this.

	    The API for IPv6 PKTINFO changed around Linux kernel
	    2.6.14. Workaround the case where dnsmasq is compiled
	    against newer headers, but then run on an old kernel:
	    necessary for some *WRT distros.

	    Re-read the set of network interfaces when re-loading
	    /etc/resolv.conf if --bind-interfaces is not set. This
	    handles the case that loopback interfaces do not exist
	    when dnsmasq is first started.

	    Tweak the PXE code to support port 4011. This should
	    reduce broadcasts and make things more reliable when other
	    servers are around. It also improves inter-operability
	    with certain clients.

	    Make a pxe-service configuration with no filename or boot 
	    service type legal: this does a local boot. eg.
	    pxe-service=x86PC, "Local boot" 

	    Be more conservative in detecting "A for A"
	    queries. Dnsmasq checks if the name in a type=A query looks
	    like a dotted-quad IP address and answers the query itself
	    if so, rather than forwarding it. Previously dnsmasq
	    relied in the library function inet_addr() to convert
	    addresses, and that will accept some things which are
	    confusing in this context, like 1.2.3 or even just
	    1234. Now we only do A for A processing for four decimal
	    numbers delimited by dots.

	    A couple of tweaks to fix compilation on Solaris. Thanks
	    to Joel Macklow for help with this.

	    Another Solaris compilation tweak, needed for Solaris
	    2009.06. Thanks to Lee Essen for that.

	    Added extract packaging stuff from Lee Essen to 
	    contrib/Solaris10.
          
            Increased the default limit on number of leases to 1000
            (from 150). This is mainly a defence against DoS attacks,
            and for the average "one for two class C networks"
            installation, IP address exhaustion does that just as
            well. Making the limit greater than the number of IP
            addresses available in such an installation removes a
            surprise which otherwise can catch people out.

	    Removed extraneous trailing space in the value of the
	    DNSMASQ_TIME_REMAINING DNSMASQ_LEASE_LENGTH and
	    DNSMASQ_LEASE_EXPIRES environment variables. Thanks to
	    Gildas Le Nadan for spotting this.

	    Provide the network-id tags for a DHCP transaction to 
	    the lease-change script in the environment variable
	    DNSMASQ_TAGS. A good suggestion from Gildas Le Nadan.  

	    Add support for RFC3925 "Vendor-Identifying Vendor
	    Options". The syntax looks like this:  
	    --dhcp-option=vi-encap:<enterprise number>, .........

	    Add support to --dhcp-match to allow matching against
	    RFC3925 "Vendor-Identifying Vendor Classes". The syntax
	    looks like this:
	    --dhcp-match=tag,vi-encap<enterprise number>, <value>
	    
	    Add some application specific code to assist in
	    implementing the Broadband forum TR069 CPE-WAN
	    specification. The details are in contrib/CPE-WAN/README

	    Increase the default DNS packet size limit to 4096, as
	    recommended by RFC5625 section 4.4.3. This can be
	    reconfigured using --edns-packet-max if needed. Thanks to
	    Francis Dupont for pointing this out.

	    Rewrite query-ids even for TSIG signed packets, since
	    this is allowed by RFC5625 section 4.5.
	    
	    Use getopt_long by default on OS X. It has been supported
	    since version 10.3.0. Thanks to Arek Dreyer for spotting
	    this.

	    Added up-to-date startup configuration for MacOSX/launchd
	    in contrib/MacOSX-launchd. Thanks to Arek Dreyer for
	    providing this.

	    Fix link error when including Dbus but excluding DHCP. 
	    Thanks to Oschtan for the bug report.

            Updated French translation. Thanks to Gildas Le Nadan.
 
            Updated Polish translation. Thanks to Jan Psota.

	    Updated Spanish translation. Thanks to Chris Chatham.

	    Fixed confusion about domains, when looking up DHCP hosts
	    in /etc/hosts. This could cause spurious "Ignoring
	    domain..." messages. Thanks to Fedor Kozhevnikov for
	    finding and analysing the problem.

	    
version 2.51
            Add support for internationalised DNS. Non-ASCII characters
            in domain names found in /etc/hosts, /etc/ethers and 
	    /etc/dnsmasq.conf will be correctly handled by translation to
            punycode, as specified in RFC3490. This function is only
            available if dnsmasq is compiled with internationalisation
            support, and adds a dependency on GNU libidn. Without i18n
            support, dnsmasq continues to be compilable with just
            standard tools. Thanks to Yves Dorfsman for the
            suggestion. 

            Add two more environment variables for lease-change scripts:
	    First, DNSMASQ_SUPPLIED_HOSTNAME; this is set to the hostname
	    supplied by a client, even if the actual hostname used is
	    over-ridden by dhcp-host or dhcp-ignore-names directives.
	    Also DNSMASQ_RELAY_ADDRESS which gives the address of 
            a DHCP relay, if used.
	    Suggestions from Michael Rack.

	    Fix regression which broke echo of relay-agent
	    options. Thanks to Michael Rack for spotting this.
          
            Don't treat option 67 as being interchangeable with
            dhcp-boot parameters if it's specified as
            dhcp-option-force.

	    Make the code to call scripts on lease-change compile-time
	    optional. It can be switched off by editing src/config.h
	    or building with "make COPTS=-DNO_SCRIPT".
 
	    Make the TFTP server cope with filenames from Windows/DOS
	    which use '\' as pathname separator. Thanks to Ralf for
	    the patch.

	    Updated Polish translation. Thanks to Jan Psota.
 
	    Warn if an IP address is duplicated in /etc/ethers. Thanks
	    to Felix Schwarz for pointing this out.

	    Teach --conf-dir to take an option list of file suffices
	    which will be ignored when scanning the directory. Useful
	    for backup files etc. Thanks to Helmut Hullen for the
	    suggestion. 

	    Add new DHCP option named tftpserver-address, which
	    corresponds to the third argument of dhcp-boot. This
	    allows the complete functionality of dhcp-boot to be
	    replicated with dhcp-option. Useful when using 
	    dhcp-optsfile.

	    Test which upstream nameserver to use every 10 seconds
            or 50 queries and not just when a query times out and 
            is retried. This should improve performance when there
            is a slow nameserver in the list. Thanks to Joe for the
            suggestion. 

	    Don't do any PXE processing, even for clients with the 
	    correct vendorclass, unless at least one pxe-prompt or 
            pxe-service option is given. This stops dnsmasq 
            interfering with proxy PXE subsystems when it is just 
            the DHCP server. Thanks to Spencer Clark for spotting this.

	    Limit the blocksize used for TFTP transfers to a value
	    which avoids packet fragmentation, based on the MTU of the
	    local interface. Many netboot ROMs can't cope with
	    fragmented packets.

	    Honour dhcp-ignore configuration for PXE and proxy-PXE 
	    requests. Thanks to Niels Basjes for the bug report.

            Updated French translation. Thanks to Gildas Le Nadan.


version 2.50
	    Fix security problem which allowed any host permitted to 
            do TFTP to possibly compromise dnsmasq by remote buffer 
            overflow when TFTP enabled. Thanks to Core Security 
	    Technologies and Iván Arce, Pablo Hernán Jorge, Alejandro 
	    Pablo Rodriguez, Martín Coco, Alberto Soliño Testa and
	    Pablo Annetta. This problem has Bugtraq id: 36121 
            and CVE: 2009-2957

            Fix a problem which allowed a malicious TFTP client to 
            crash dnsmasq. Thanks to Steve Grubb at Red Hat for 
            spotting this. This problem has Bugtraq id: 36120 and 
            CVE: 2009-2958


version 2.49
            Fix regression in 2.48 which disables the lease-change
            script. Thanks to Jose Luis Duran for spotting this.

	    Log TFTP "file not found" errors. These were not logged,
	    since a normal PXELinux boot generates many of them, but
	    the lack of the messages seems to be more confusing than
	    routinely seeing them when there is no real error.

	    Update Spanish translation. Thanks to Chris Chatham.
 

version 2.48
            Archived the extensive, backwards, changelog to
            CHANGELOG.archive. The current changelog now runs from
            version 2.43 and runs conventionally.

	    Fixed bug which broke binding of servers to physical
	    interfaces when interface names were longer than four
	    characters. Thanks to MURASE Katsunori for the patch.

	    Fixed netlink code to check that messages come from the
	    correct source, and not another userspace process. Thanks
	    to Steve Grubb for the patch.

	    Maintainability drive: removed bug and missing feature
	    workarounds for some old platforms. Solaris 9, OpenBSD
	    older than 4.1, Glibc older than 2.2, Linux 2.2.x and 
            DBus older than 1.1.x are no longer supported. 

	    Don't read included configuration files more than once:
	    allows complex configuration structures without problems.

	    Mark log messages from the various subsystems in dnsmasq:
	    messages from the DHCP subsystem now have the ident string
	    "dnsmasq-dhcp" and messages from TFTP have ident
	    "dnsmasq-tftp". Thanks to Olaf Westrik for the patch.

	    Fix possible infinite DHCP protocol loop when an IP
	    address nailed to a hostname (not a MAC address)  and a 
	    host sometimes provides the name, sometimes not.

	    Allow --addn-hosts to take a directory: all the files 
	    in the directory are read. Thanks to Phil Cornelius for 
	    the suggestion. 

	    Support --bridge-interface on all platforms, not just BSD.
 
            Added support for advanced PXE functions. It's now
            possible to define a prompt and menu options which will
            be displayed when a client PXE boots. It's also possible to
            hand-off booting to other boot servers. Proxy-DHCP, where
            dnsmasq just supplies the PXE information and another DHCP
            server does address allocation, is also allowed. See the
            --pxe-prompt and --pxe-service keywords. Thanks to 
	    Alkis Georgopoulos for the suggestion and Guilherme Moro
            and Michael Brown for assistance.

	    Improvements to DHCP logging. Thanks to Tom Metro for
	    useful suggestions.
	    
	    Add ability to build dnsmasq without DHCP support. To do
	    this, edit src/config.h or build with
	    "make COPTS=-DNO_DHCP". Thanks to Mahavir Jain for the patch. 
	    
	    Added --test command-line switch - syntax check
	    configuration files only.
 
            Updated French translation. Thanks to Gildas Le Nadan.


version 2.47
	    Updated French translation. Thanks to Gildas Le Nadan.

	    Fixed interface enumeration code to work on NetBSD
	    5.0. Thanks to Roy Marples for the patch. 

	    Updated config.h to use the same location for the lease
	    file on NetBSD as the other *BSD variants. Also allow
	    LEASEFILE and CONFFILE symbols to be overriden in CFLAGS.  

            Handle duplicate address detection on IPv6 more
            intelligently. In IPv6, an interface can have an address
            which is not usable, because it is still undergoing DAD
            (such addresses are marked "tentative"). Attempting to
            bind to an address in this state returns an error,
            EADDRNOTAVAIL. Previously, on getting such an error,
            dnsmasq would silently abandon the address, and never
            listen on it. Now, it retries once per second for 20
            seconds before generating a fatal error. 20 seconds should
            be long enough for any DAD process to complete, but can be
            adjusted in src/config.h if necessary. Thanks to Martin
            Krafft for the bug report.

	    Add DBus introspection. Patch from Jeremy Laine.

	    Update Dbus configuration file. Patch from Colin Walters.
	    Fix for this bug:
            http://bugs.freedesktop.org/show_bug.cgi?id=18961

	    Support arbitrarily encapsulated DHCP options, suggestion
	    and initial patch from Samium Gromoff. This is useful for
	    (eg) gPXE, which expect all its private options to be
	    encapsulated inside a single option 175. So, eg, 

            dhcp-option = encap:175, 190, "iscsi-client0"
            dhcp-option = encap:175, 191, "iscsi-client0-secret"
	    
	    will provide iSCSI parameters to gPXE.

	    Enhance --dhcp-match to allow testing of the contents of a
	    client-sent option, as well as its presence. This
	    application in mind for this is RFC 4578
	    client-architecture specifiers, but it's generally useful.
	    Joey Korkames suggested the enhancement. 

	    Move from using the IP_XMIT_IF ioctl to IP_BOUND_IF on
	    OpenSolaris. Thanks to Bastian Machek for the heads-up.

	    No longer complain about blank lines in
	    /etc/ethers. Thanks to Jon Nelson for the patch.

	    Fix binding of servers to physical devices, eg
	    --server=/domain/1.2.3.4@eth0 which was broken from 2.43
	    onwards unless --query-port=0 set. Thanks to Peter Naulls
	    for the bug report.

	    Reply to DHCPINFORM requests even when the supplied ciaddr
	    doesn't fall in any dhcp-range. In this case it's not
	    possible to supply a complete configuration, but
	    individually-configured options (eg PAC) may be useful.

	    Allow the source address of an alias to be a range:
	    --alias=192.168.0.0,10.0.0.0,255.255.255.0 maps the whole
	    subnet 192.168.0.0->192.168.0.255 to 10.0.0.0->10.0.0.255,
	    as before.
	    --alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
	    maps only the 192.168.0.10->192.168.0.40 region. Thanks to
	    Ib Uhrskov for the suggestion.

	    Don't dynamically allocate DHCP addresses which may break
	    Windows.  Addresses which end in .255 or .0 are broken in
	    Windows even when using supernetting.
	    --dhcp-range=192.168.0.1,192.168.1.254,255,255,254.0 means 
	    192.168.0.255 is a valid IP address, but not for Windows. 
	    See Microsoft KB281579. We therefore no longer allocate 
	    these addresses to avoid hard-to-diagnose problems. 

	    Update Polish translation. Thanks to Jan Psota.

	    Delete the PID-file when dnsmasq shuts down. Note that by
	    this time, dnsmasq is normally not running as root, so
	    this will fail if the PID-file is stored in a root-owned
	    directory; such failure is silently ignored. To take
	    advantage of this feature, the PID-file must be stored in a
	    directory owned and write-able by the user running
	    dnsmasq.


version 2.46
	    Allow --bootp-dynamic to take a netid tag, so that it may
	    be selectively enabled. Thanks to Olaf Westrik for the
	    suggestion. 

	    Remove ISC-leasefile reading code. This has been
	    deprecated for a long time, and last time I removed it, it
	    ended up going back by request of one user. This time,
	    it's gone for good; otherwise it would need to be
	    re-worked to support multiple domains (see below).

	    Support DHCP clients in multiple DNS domains. This is a
	    long-standing request. Clients are assigned to a domain
	    based in their IP address.  

            Add --dhcp-fqdn flag, which changes behaviour if DNS names
            assigned to DHCP clients. When this is set, there must be
            a domain associated with each client, and only
            fully-qualified domain names are added to the DNS. The
            advantage is that the only the FQDN needs to be unique,
            so that two or more DHCP clients can share a hostname, as
            long as they are in different domains.

	    Set environment variable DNSMASQ_DOMAIN when invoking
	    lease-change script. This may be useful information to
	    have now that it's variable.

	    Tighten up data-checking code for DNS packet
	    handling. Thanks to Steve Dodd who found certain illegal
	    packets which could crash dnsmasq. No memory overwrite was
	    possible, so this is not a security issue beyond the DoS
	    potential.  

	    Update example config dhcp option 47, the previous
	    suggestion generated an illegal, zero-length,
	    option. Thanks to Matthias Andree for finding this.

	    Rewrite hosts-file reading code to remove the limit of
	    1024 characters per line. John C Meuser found this.

	    Create a net-id tag with the name of the interface on
	    which the DHCP request was received.

	    Fixed minor memory leak in DBus code, thanks to Jeremy
	    Laine for the patch.

	    Emit DBus signals as the DHCP lease database
	    changes. Thanks to Jeremy Laine for the patch.

	    Allow for more that one MAC address in a dhcp-host
	    line. This configuration tells dnsmasq that it's OK to
	    abandon a DHCP lease of the fixed address to one MAC
	    address, if another MAC address in the dhcp-host statement 
	    asks for an address. This is useful to give a fixed
	    address to a host which has two network interfaces
	    (say, a laptop with wired and wireless interfaces.) 
            It's very important to ensure that only one interface 
	    at a time is up, since dnsmasq abandons the first lease 
	    and re-uses the address before the leased time has
	    elapsed. John Gray suggested this.

	    Tweak the response to a DHCP request packet with a wrong
	    server-id when --dhcp-authoritative is set; dnsmasq now
	    returns a DHCPNAK, rather than silently ignoring the
	    packet. Thanks to Chris Marget for spotting this
	    improvement.

	    Add --cname option. This provides a limited alias
	    function, usable for DHCP names. Thanks to AJ Weber for
	    suggestions on this.

	    Updated contrib/webmin with latest version from Neil
	    Fisher.

	    Updated Polish translation. Thanks to Jan Psota.
	    
	    Correct the text names for DHCP options 64 and 65 to be
	    "nis+-domain" and "nis+-servers".

	    Updated Spanish translation. Thanks to Chris Chatham.

	    Force re-reading of /etc/resolv.conf when an "interface
	    up" event occurs.


version 2.45
            Fix total DNS failure in release 2.44 unless --min-port 
            specified. Thanks to Steven Barth and Grant Coady for
            bugreport. Also reject out-of-range port spec, which could
            break things too: suggestion from Gilles Espinasse.
	    

version 2.44
            Fix  crash when unknown client attempts to renew a DHCP
            lease, problem introduced in version 2.43. Thanks to
            Carlos Carvalho for help chasing this down.

	    Fix potential crash when a host which doesn't have a lease
	    does DHCPINFORM. Again introduced in 2.43. This bug has
	    never been reported in the wild.

            Fix crash in netlink code introduced in 2.43. Thanks to
            Jean Wolter for finding this.

	    Change implementation of min_port to work even if min-port
	    is large.

	    Patch to enable compilation of latest Mac OS X. Thanks to
	    David Gilman.

	    Update Spanish translation. Thanks to Christopher Chatham.


version 2.43
	    Updated Polish translation. Thanks to Jan Psota.

	    Flag errors when configuration options are repeated
	    illegally.

	    Further tweaks for GNU/kFreeBSD

	    Add --no-wrap to msgmerge call - provides nicer .po file
	    format.

	    Honour lease-time spec in dhcp-host lines even for
	    BOOTP. The user is assumed to known what they are doing in
	    this case. (Hosts without the time spec still get infinite
	    leases for BOOTP, over-riding the default in the
	    dhcp-range.) Thanks to Peter Katzmann for uncovering this.

	    Fix problem matching relay-agent ids. Thanks to Michael
	    Rack for the bug report.

	    Add --naptr-record option. Suggestion from Johan
	    Bergquist.

	    Implement RFC 5107 server-id-override DHCP relay agent
	    option.

	    Apply patches from Stefan Kruger for compilation on
	    Solaris 10 under Sun studio.

	    Yet more tweaking of Linux capability code, to suppress
	    pointless wingeing from kernel 2.6.25 and above.

	    Improve error checking during startup. Previously, some
	    errors which occurred during startup would be worked
	    around, with dnsmasq still starting up. Some were logged,
            some silent. Now, they all cause a fatal error and dnsmasq 
            terminates with a non-zero exit code. The errors are those
            associated with changing uid and gid, setting process 
            capabilities and writing the pidfile. Thanks to Uwe
	    Gansert and the Suse security team for pointing out 
	    this improvement, and Bill Reimers for good implementation
	    suggestions.

	    Provide NO_LARGEFILE compile option to switch off largefile
	    support when compiling against versions of uclibc which
	    don't support it. Thanks to Stephane Billiart for the patch.
  
            Implement random source ports for interactions with
            upstream nameservers. New spoofing attacks have been found
            against nameservers which do not do this, though it is not
            clear if dnsmasq is vulnerable, since to doesn't implement
            recursion. By default dnsmasq will now use a different
            source port (and socket) for each query it sends
            upstream. This behaviour can suppressed using the
            --query-port option, and the old default behaviour
            restored using --query-port=0. Explicit source-port
            specifications in --server configs are still honoured.

	    Replace the random number generator, for better
	    security. On most BSD systems, dnsmasq uses the
	    arc4random() RNG, which is secure, but on other platforms,
	    it relied on the C-library RNG, which may be
	    guessable and therefore allow spoofing. This release
	    replaces the libc RNG with the SURF RNG, from Daniel
	    J. Berstein's DJBDNS package.  

	    Don't attempt to change user or group or set capabilities
	    if dnsmasq is run as a non-root user. Without this, the
	    change from soft to hard errors when these fail causes
	    problems for non-root daemons listening on high
	    ports. Thanks to Patrick McLean for spotting this.

	    Updated French translation. Thanks to Gildas Le Nadan.


version 2.42
            The changelog for version 2.42 and earlier is 
            available in CHANGELOG.archive.