version 2.90
	Fix reversion in --rev-server introduced in 2.88 which
	caused breakage if the prefix length is not exactly divisible
	by 8 (IPv4) or 4 (IPv6).

	Fix possible SEGV when there server(s) for a particular
	domain are configured, but no server which is not qualified
	for a particular domain. Thanks to Daniel Danzberger for
	spotting this bug.

	Set the default maximum DNS UDP packet sice to 1232. This
	has been the recommended value since 2020 because it's the
	largest value that avoid fragmentation, and fragmentation
	is just not reliable on the modern internet, especially
	for IPv6. It's still possible to override this with
	--edns-packet-max for special circumstances.

	Add --no-dhcpv4-interface and --no-dhcpv6-interface for
	better control over which inetrfaces are providing DHCP service.

	Fix issue with stale caching: After replying with stale data,
	dnsmasq sends the query upstream to refresh the cache asynchronously
	and sometimes sends the wrong packet: packet length can be wrong,
	and if an EDE marking stale data is added to the answer that can
	end up in the query also. This bug only seems to cause problems
	when the usptream server is a DOH/DOT proxy. Thanks to Justin He
	for the bug report.

	Add configurable caching for arbitrary RR-types.

	Add --filter-rr option, to filter arbitrary RR-types.
	--filter-rr=ANY has a special meaning: it filters the
	answers to queries for the ANY RR-type.
	
	Add limits on the resources used to do DNSSEC validation.
	DNSSEC introduces a potential CPU DoS, because a crafted domain
	can force a validator to a large number of cryptographic
	operations whilst attempting to do validation. When using TCP
	transport a DNSKEY RRset contain thousands of members and any
	RRset can have thousands of signatures. The potential number
	of signature validations to follow the RFC for validation
	for one RRset is the cross product of the keys and signatures,
	so millions. In practice, the actual numbers are much lower,
	so attacks can be mitigated by limiting the amount of
	cryptographic "work" to a much lower amount. The actual
	limits are number a signature validation fails per RRset(20),
	number of signature validations and hash computations
	per query(200), number of sub-queries  to fetch  DS and DNSKEY
	RRsets per query(40), and the number of iterations in a
	NSEC3 record(150). These values are sensible, but there is, as yet,
	no standardisation on the values for a "conforming" domain, so a
	new option --dnssec-limit is provided should they need to be altered.
	The algorithm to validate DS records has also been altered to reduce
	the maximum work from cross product of the number of DS records and
	number of DNSKEYs to the cross product of the number of DS records
	and supported DS digest types. As the number of DS digest types
	is in single figures, this reduces the exposure.

	Credit is due to Elias Heftrig, Haya Schulmann, Niklas Vogel,
	and Michael Waidner from the German National Research Center for
	Applied Cybersecurity ATHENE for finding this vulnerability.

	CVE 2023-50387 and CVE 2023-50868 apply.
	Note that the is a security vulnerablity only when DNSSEC validation
	is enabled.
	
	
version 2.89
        Fix bug introduced in 2.88 (commit fe91134b) which can result
	in corruption of the DNS cache internal data structures and
	logging of "cache internal error". This has only been seen
	in one place in the wild, and it took considerable effort
	to even generate a test case to reproduce it, but there's
	no way to be sure it won't strike, and the effect is to break
	the cache badly. Installations with DNSSEC enabled are more
	likely to see the problem, but not running DNSSEC does not
	guarantee that it won't happen. Thanks to Timo van Roermund
	for reporting the bug and for his great efforts in chasing
	it down.


version 2.88
	Fix bug in --dynamic-host when an interface has /16 IPv4
  	address. Thanks to Mark Dietzer for spotting this.

	Add --fast-dns-retry option. This gives dnsmasq the ability
	to originate retries for upstream DNS queries itself, rather
	than relying on the downstream client. This is most useful
	when doing DNSSEC over unreliable upstream networks. It comes
	with some cost in memory usage and network bandwidth.

	Add --use-stale-cache option. When set, if a DNS name exists
	in the cache, but its time-to-live has expired, dnsmasq will
	return the data anyway. (It attempts to refresh the
	data with an upstream query after returning the stale data.)
	This can improve speed and reliability. It comes
	at the expense of sometimes returning out-of-date data and
	less efficient cache utilisation, since old data cannot be
	flushed when its TTL expires, so the cache becomes
	strictly least-recently-used.

	Add --port-limit option which allows tuning for robustness in
	the face of some upstream network errors. Thanks to
	Prashant Kumar Singh, Ravi Nagayach and Mike Danilov,
	all of Amazon Web Services, for their efforts in developing this
	and the stale-cache and fast-retry options.

	Make --hostsdir (but NOT --dhcp-hostsdir and --dhcp-optsdir)
	handle removal of whole files or entries within files.
	Thanks to Dominik Derigs for the initial patches for this.

	Fix bug, introduced in 2.87, which could result in DNS
	servers being removed from the configuration when reloading
	server configuration from DBus, or re-reading /etc/resolv.conf
	Only servers from the same source should be replaced, but some
	servers from other sources (i.e., hard coded or another dynamic source)
	could mysteriously disappear. Thanks to all reporting this,
	but especially Christopher J. Madsen who reduced the problem
	to an easily reproducible case which saved much labour in
	finding it.

	Add --no-round-robin option.

	Allow domain names as well as IP addresses when specifying
	upstream DNS servers. There are some gotchas associated with this
	(it will mysteriously fail to work if the dnsmasq instance
	being started is in the path from the system resolver to the DNS),
	and a seemingly sensible configuration like
	--server=domain.name@1.2.3.4 is unactionable if domain.name
	only resolves to an IPv6 address). There are, however,
	cases where is can be useful. Thanks to Dominik Derigs for
	the patch.

	Handle DS records for unsupported crypto algorithms correctly.
	Such a DS, as long as it is validated, should allow answers
	in the domain it attests to be returned as unvalidated, and not
	as a validation error.

	Optimise reading large numbers of --server options. When re-reading
	upstream servers from /etc/resolv.conf or other sources that
	can change dnsmasq tries to avoid memory fragmentation by re-using
	existing records that are being re-read unchanged. This involves
	seaching all the server records for each new one installed.
	During startup this search is pointless, and can cause long
	start times with thousands of --server options because the work
	needed is O(n^2). Handle this case more intelligently.
	Thanks to Ye Zhou for spotting the problem and an initial patch.
	
	If we detect that a DNS reply from upstream is malformed don't
	return it to the requestor; send a SEVFAIL rcode instead.

	
version 2.87
        Allow arbitrary prefix lengths in --rev-server and
	--domain=....,local

	Replace --address=/#/..... functionality which got
	missed in the 2.86 domain search rewrite.

	Add --nftset option, like --ipset but for the newer nftables.
	Thanks to Chen Zhenge for the patch.
	
	Add --filter-A and --filter-AAAA options, to remove IPv4 or IPv6
	addresses from DNS answers.

	Fix crash doing netbooting when --port is set to zero
	to disable the DNS server. Thanks to Drexl Johannes
	for the bug report.

	Generalise --dhcp-relay. Sending via broadcast/multicast is
	now supported for both IPv4 and IPv6 and the configuration
	syntax made easier (but backwards compatible).
	
	Add snooping of IPv6 prefix-delegations to the DHCP-relay system.

	Finesse parsing of --dhcp-remoteid and --dhcp-subscrid. To be treated
	as hex, the pattern must consist of only hex digits AND contain
	at least one ':'. Thanks to Bengt-Erik Sandstrom who tripped
	over a pattern consisting of a decimal number which was interpreted
	surprisingly.

	Include client address in TFTP file-not-found error reports.
	Thanks to Stefan Rink for the initial patch, which has been
	re-worked by me (srk). All bugs mine.

	Note in manpage the change in behaviour of -address. This behaviour
	actually changed in v2.86, but was undocumented there. From 2.86 on,
	(eg) --address=/example.com/1.2.3.4 ONLY applies to A queries. All other
	types of query will be sent upstream. Pre 2.86, that would catch the
	whole example.com domain and queries for other types would get
	a local NODATA answer. The pre-2.86 behaviour is still available,
	by configuring --address=/example.com/1.2.3.4 --local=/example.com/

        Fix problem with binding DHCP sockets to an individual interface.
	Despite the fact that the system call tales the interface _name_ as
	a parameter, it actually, binds the socket to interface _index_.
	Deleting the interface and creating a new one with the same name
	leaves the socket bound to the old index. (Creating new sockets
	always allocates a fresh index, they are not reused). We now
	take this behaviour into account and keep up with changing indexes.

	Add --conf-script configuration option.

	Enhance --domain to accept, for instance,
	--domain=net2.thekelleys.org.uk,eth2 so that hosts get a domain
	which relects the interface they are attached to in a way which
	doesn't require hard-coding addresses. Thanks to Sten Spans for
	the idea.

	Fix write-after-free error in DHCPv6 server code.
	CVE-2022-0934 refers.
	
	Add the ability to specify destination port in
	DHCP-relay mode. This change also removes a previous bug
	where --dhcp-alternate-port would affect the port used
	to relay _to_ as well as the port being listened on.
	The new feature allows configuration to provide bug-for-bug
	compatibility, if required. Thanks to Damian Kaczkowski 
	for the feature suggestion.

	Bound the value of UDP packet size in the EDNS0 header of
	forwarded queries to the configured or default value of
	edns-packet-max. There's no point letting a client set a larger
	value if we're unable to return the answer. Thanks to Bertie
	Taylor for pointing out the problem and supplying the patch.
	
	Fix problem with the configuration
	
	--server=/some.domain/# --address=/#/<ip> --server=<server_ip>

	This would return <ip> for queries in some.domain, rather than
	forwarding the query via the default server.

	Tweak DHCPv6 relay code so that packets relayed towards a server
	have source address on the server-facing network, not the
	client facing network. Thanks to Luis Thomas for spotting this
	and initial patch.


version 2.86
	Handle DHCPREBIND requests in the DHCPv6 server code.
	Thanks to Aichun Li for spotting this omission, and the initial
	patch.

	Fix bug which caused dnsmasq to lose track of processes forked
	to handle TCP DNS connections under heavy load. The code
	checked that at least one free process table slot was
	available before listening on TCP sockets, but didn't take
	into account that more than one TCP connection could
	arrive, so that check was not sufficient to ensure that
	there would be slots for all new processes. It compounded
	this error by silently failing to store the process when
	it did run out of slots. Even when this bug is triggered,
	all the right things happen, and answers are still returned.
	Only under very exceptional circumstances, does the bug
	manifest itself: see
	https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q2/014976.html
	Thanks to Tijs Van Buggenhout for finding the conditions under
	which the bug manifests itself, and then working out
	exactly what was going on.

	Major rewrite of the DNS server and domain handling code.
	This should be largely transparent, but it drastically
	improves performance and reduces memory foot-print when
	configuring large numbers domains of the form
	local=/adserver.com/
	or
	local=/adserver.com/#
	Lookup times now grow as log-to-base-2 of the number of domains,
	rather than greater than linearly, as before.
	The change makes multiple addresses associated with a domain work
	address=/example.com/1.2.3.4
	address=/example.com/5.6.7.8
	It also handles multiple upstream servers for a domain better; using
	the same try/retry algorithms as non domain-specific servers. This
	also applies to DNSSEC-generated queries.
	Finally, some of the oldest and gnarliest code in dnsmasq has had
	a significant clean-up. It's far from perfect, but it _is_ better.

	Revise resource handling for number of concurrent DNS queries. This
	used to have a global limit, but that has a problem when using
	different servers for different upstream domains. Queries which are
	routed by domain to an upstream server which is not responding will
	build up and trigger the limit, which breaks DNS service for
	all other domains which could be handled by other servers. The
	change is to make the limit per server-group, where a server group
	is the set of servers configured for a particular domain. In the
	common case, where only default servers are declared, there is
	no effective change.

	Improve efficiency of DNSSEC. The sharing point for DNSSEC RR data
	used to be when it entered the cache, having been validated. After
	that queries requiring the KEY or DS records would share the cached
	values. There is a common case in dual-stack hosts that queries for
	A and AAAA records for the same domain are made simultaneously.
	If required keys were not in the cache, this would result in two
	requests being sent upstream for the same key data (and all the
	subsequent chain-of-trust queries.) Now we combine these requests
	and elide the duplicates, resulting in fewer queries upstream
	and better performance. To keep a better handle on what's
	going on, the "extra" logging mode has been modified to associate
	queries and answers  for DNSSEC queries in the same way as ordinary
	queries. The requesting address and port have been removed from
	DNSSEC logging lines, since this is no longer strictly defined.

	Connection track mark based DNS query filtering. Thanks to
	Etan Kissling for implementing this It extends query filtering
	support beyond what is currently possible
	with the `--ipset` configuration option, by adding support for:
	1) Specifying allowlists on a per-client basis, based on their
	   associated Linux connection track mark.
	2) Dynamic configuration of allowlists via Ubus.
	3) Reporting when a DNS query resolves or is rejected via Ubus.
	4) DNS name patterns containing wildcards.
	Disallowed queries are not forwarded; they are rejected
	with a REFUSED error code.

	Allow smaller than 64 prefix lengths in synth-domain, with caveats.
	--synth-domain=1234:4567::/56,example.com is now valid.

	Make domains generated by --synth-domain appear in replies
	when in authoritative mode.

	Ensure CAP_NET_ADMIN capability is available when
	conntrack is configured. Thanks to Yick Xie for spotting
	the lack of this.

	When --dhcp-hostsfile --dhcp-optsfile and --addn-hosts are
	given a directory as argument, define the order in which
	files within that directory are read (alphabetical order
	of filename). Thanks to Ed Wildgoose for the initial patch
	and motivation for this.

	Allow adding IP address to nftables set in addition to
	ipset.

	
version 2.85
        Fix problem with DNS retries in 2.83/2.84.
        The new logic in 2.83/2.84 which merges distinct requests
	for the same domain causes problems with clients which do
	retries as distinct requests (differing IDs and/or source ports.)
	The retries just get piggy-backed on the first, failed, request.
        The logic is now changed so that distinct requests for repeated
        queries still get merged into a single ID/source port, but
	they now always trigger a re-try upstream.
        Thanks to Nicholas Mu for his analysis.

	Tweak sort order of tags in get-version. v2.84 sorts
	before v2.83, but v2.83 sorts before v2.83rc1 and 2.83rc1
	sorts before v2.83test1. This fixes the problem which lead
	to 2.84 announcing itself as 2.84rc2.

 	Avoid treating a --dhcp-host which has an IPv6 address
	as eligible for use with DHCPv4 on the grounds that it has
	no address, and vice-versa. Thanks to Viktor Papp for
	spotting the problem. (This bug was fixed was back in 2.67, and
	then regressed in 2.81).

	Add --dynamic-host option: A and AAAA records which take their
	network part from the network of a local interface. Useful
	for routers with dynamically prefixes. Thanks
	to Fred F for the suggestion.

	Teach --bogus-nxdomain and --ignore-address to take an IPv4 subnet.

	Use random source ports where possible if source
	addresses/interfaces in use.
	CVE-2021-3448 applies. Thanks to Petr Menšík for spotting this.
	It's possible to specify the source address or interface to be
	used when contacting upstream name servers: server=8.8.8.8@1.2.3.4
	or server=8.8.8.8@1.2.3.4#66 or server=8.8.8.8@eth0, and all of
	these have, until now, used a single socket, bound to a fixed
	port. This was originally done to allow an error (non-existent
	interface, or non-local address) to be detected at start-up. This
	means that any upstream servers specified in such a way don't use
	random source ports, and are more susceptible to cache-poisoning
	attacks.
	We now use random ports where possible, even when the
	source is specified, so server=8.8.8.8@1.2.3.4 or
	server=8.8.8.8@eth0 will use random source
	ports. server=8.8.8.8@1.2.3.4#66 or any use of --query-port will
	use the explicitly configured port, and should only be done with
	understanding of the security implications.
	Note that this change changes non-existing interface, or non-local
	source address errors from fatal to run-time. The error will be
	logged and communication with the server not possible.

	Change the method of allocation of random source ports for DNS.
	Previously, without min-port or max-port configured, dnsmasq would
	default to the compiled in defaults for those, which are 1024 and
	65535. Now, when neither are configured, it defaults instead to
	the kernel's ephemeral port range, which is typically
	32768 to 60999 on Linux systems. This change eliminates the
	possibility that dnsmasq may be using a registered port > 1024
	when a long-running daemon starts up and wishes to claim it.
	This change does likely slightly reduce the number of random ports
	and therefore the protection from reply spoofing. The older
	behaviour can be restored using the min-port and max-port config
	switches should that be a concern.

	Scale the size of the DNS random-port pool based on the
	value of the --dns-forward-max configuration.

	Tweak TFTP code to check sender of all received packets, as
	specified in RFC 1350 para 4.

	Support some wildcard matching of input tags to --tag-if.
	Thanks to Geoff Back for the idea and the patch.

	
version 2.84
	Fix a problem, introduced in 2.83, which could see DNS replies
	being sent via the wrong socket. On machines running both
	IPv4 and IPv6 this could result in sporadic messages of
	the form "failed to send packet: Network is unreachable" and
	the lost of the query. Since the error is sporadic and of
	low probability, the client retry would normally succeed.

	Change HAVE_NETTLEHASH compile-time to HAVE_CRYPTOHASH.


version 2.83
	Use the values of --min-port and --max-port in outgoing
	TCP connections to upstream DNS servers.

	Fix a remote buffer overflow problem in the DNSSEC code. Any
	dnsmasq with DNSSEC compiled in and enabled is vulnerable to this,
	referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683
	CVE-2020-25687.

	Be sure to only accept UDP DNS query replies at the address
	from which the query was originated. This keeps as much entropy
	in the {query-ID, random-port} tuple as possible, to help defeat
	cache poisoning attacks. Refer: CVE-2020-25684.

	Use the SHA-256 hash function to verify that DNS answers
	received are for the questions originally asked. This replaces
	the slightly insecure SHA-1 (when compiled with DNSSEC) or
	the very insecure CRC32 (otherwise). Refer: CVE-2020-25685.

	Handle multiple identical near simultaneous DNS queries better.
	Previously, such queries would all be forwarded
	independently. This is, in theory, inefficient but in practise
	not a problem, _except_ that is means that an answer for any
	of the forwarded queries will be accepted and cached.
	An attacker can send a query multiple times, and for each repeat,
	another {port, ID} becomes capable of accepting the answer he is
	sending in the blind, to random IDs and ports. The chance of a
	successful attack is therefore multiplied by the number of repeats
	of the query. The new behaviour detects repeated queries and
	merely stores the clients sending repeats so that when the
	first query completes, the answer can be sent to all the
	clients who asked. Refer: CVE-2020-25686.
	

version 2.82
	Improve behaviour in the face of network interfaces which come
	and go and change index. Thanks to Petr Mensik for the patch.

	Convert hard startup failure on NETLINK_NO_ENOBUFS under qemu-user
	to a warning.

	Allow IPv6 addresses ofthe form [::ffff:1.2.3.4] in --dhcp-option.

	Fix crash under heavy TCP connection load introduced in 2.81.
	Thanks to Frank for good work chasing this down.

	Change default lease time for DHCPv6 to one day.

	Alter calculation of preferred and valid times in router
	advertisements, so that these do not have a floor applied
	of the lease time in the dhcp-range if this is not explicitly
	specified and is merely the default.
	Thanks to Martin-Éric Racine for suggestions on this.

	
version 2.81
	Improve cache behaviour for TCP connections. For ease of
	implementation, dnsmasq has always forked a new process to handle
	each incoming TCP connection. A side-effect of this is that
	any DNS queries answered from TCP connections are not cached:
	when TCP connections were rare, this was not a problem.
	With the coming of DNSSEC, it is now the case that some
	DNSSEC queries have answers which spill to TCP, and if,
	for instance, this applies to the keys for the root, then
	those never get cached, and performance is very bad.
	This fix passes cache entries back from the TCP child process to
	the main server process, and fixes the problem.

	Remove the NO_FORK compile-time option, and support for uclinux.
	In an era where everything has an MMU, this looks like
	an anachronism, and it adds to (Ok, multiplies!) the
	combinatorial explosion of compile-time options. Thanks to
	Kevin Darbyshire-Bryant for the patch.

	Fix line-counting when reading /etc/hosts and friends; for
	correct error messages. Thanks to Christian Rosentreter
	for reporting this.

	Fix bug in DNS non-terminal code, added in 2.80, which could
	sometimes cause a NODATA rather than an NXDOMAIN reply.
	Thanks to Norman Rasmussen, Sven Mueller and Maciej Żenczykowski
	for spotting and diagnosing the bug and providing patches.

	Support TCP-fastopen (RFC-7413) on both incoming and
	outgoing TCP connections, if supported and enabled in the OS.

	Improve kernel-capability manipulation code under Linux. Dnsmasq
	now fails early if a required capability is not available, and
	tries not to request capabilities not required by its
	configuration.

	Add --shared-network config. This enables allocation of addresses
	by the DHCP server in subnets where the server (or relay) does not
	have an interface on the network in that subnet. Many thanks to
	kamp.de for sponsoring this feature.
	
	Fix broken contrib/lease_tools/dhcp_lease_time.c. A packet
	validation check got borked in commit 2b38e382 and release 2.80.
	Thanks to Tomasz Szajner for spotting this.

	Fix compilation against nettle version 3.5 and later.

	Fix spurious DNSSEC validation failures when the auth section
	of a reply contains unsigned RRs from a signed zone, 
	with the exception that NSEC and NSEC3 RRs must always be signed.
        Thanks to Tore Anderson for spotting and diagnosing the bug.

	Add --dhcp-ignore-clid. This disables reading of DHCP client
	identifier option (option 61), so clients are only identified by
	MAC addresses.

	Fix a bug which stopped --dhcp-name-match from working when a hostname
	is supplied in --dhcp-host. Thanks to James Feeney for spotting this.

	Fix bug which caused very rarely caused zero-length DHCPv6 packets.
	Thanks to Dereck Higgins for spotting this.

	Add --tftp-single-port option.

	Enhance --conf-dir to load files in a deterministic order. Thanks to
	Evgenii Seliavka for the suggestion and initial patch.

	In the router advert code, handle case where we have two
	different interfaces on the same IPv6 net, and we are doing
	RA/DHCP service on only one of them. Thanks to NIIBE Yutaka
	for spotting this case and making the initial patch.

	Support prefixed ranges of ipv6 addresses in dhcp-host.
	This eases problems chain-netbooting, where each link in the
	chain requests an address using a different UID. With a single
	address, only one gets the "static" address, but with this
	fix, enough addresses can be reserved for all the stages of the
	boot. Many thanks to Harald Jensås for his work on this idea and
	earlier patches.

	Add filtering by tag of --dhcp-host directives. Based on a patch
	by Harald Jensås.

	Allow empty server spec in --rev-server, to match --server.
	
	Remove DSA signature verification from DNSSEC, as specified in
	RFC 8624. Thanks to Loganaden Velvindron for the original patch.

	Add --script-on-renewal option.

	
version 2.80
	Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method
	for the initial patch and motivation.

	Alter the default for dnssec-check-unsigned. Versions of
	dnsmasq prior to 2.80 defaulted to not checking unsigned
	replies, and used --dnssec-check-unsigned to switch
        this on. Such configurations will continue to work as before,
        but those which used the default of no checking will need to be
        altered to explicitly select no checking. The new default is
        because switching off checking for unsigned replies is
	inherently dangerous. Not only does it open the possiblity of forged
        replies, but it allows everything to appear to be working even
        when the upstream namesevers do not support DNSSEC, and in this
        case no DNSSEC validation at all is occuring.

        Fix DHCP broken-ness when --no-ping AND --dhcp-sequential-ip
	are set. Thanks to Daniel Miess for help with this.

	Add a facilty to store DNS packets sent/recieved in a
	pcap-format file for later debugging. The file location
	is given by the --dumpfile option, and a bitmap controlling
	which packets should be dumped is given by the --dumpmask
	option.

	Handle the case of both standard and constructed dhcp-ranges on the
	same interface better. We don't now contruct a dhcp-range if there's
	already one specified. This allows the specified interface to
	have different parameters and avoids advertising the same
	prefix twice. Thanks to Luis Marsano for spotting this case.

	Allow zone transfer in authoritative mode if auth-peer is specified,
	even if auth-sec-servers is not. Thanks to Raphaël Halimi for
	the suggestion.

	Fix bug which sometimes caused dnsmasq to wrongly return answers
	without DNSSEC RRs to queries with the do-bit set, but only when
	DNSSEC validation was not enabled.
	Thanks to Petr Menšík for spotting this.

	Fix missing fatal errors with some malformed options
	(server, local, address, rebind-domain-ok, ipset, alias).
	Thanks to Eugene Lozovoy for spotting the problem.

	Fix crash on startup with a --synth-domain which has no prefix.
	Introduced in 2.79. Thanks to Andreas Engel for the bug report.

	Fix missing EDNS0 section in some replies generated by local
	DNS configuration which confused systemd-resolvd. Thanks to
	Steve Dodd for characterising the problem.

	Add --dhcp-name-match config option. 

	Add --caa-record config option.

	Implement --address=/example.com/# as (more efficient) syntactic
	sugar for --address=/example.com/0.0.0.0 and
	--address=/example.com/::
	Returning null addresses is a useful technique for ad-blocking.
	Thanks to Peter Russell for the suggestion.
	
	Change anti cache-snooping behaviour with queries with the
	recursion-desired bit unset. Instead to returning SERVFAIL, we
	now always forward, and never answer from the cache. This
	allows "dig +trace" command to work. 
	
	Include in the example config file a formulation which
	stops DHCP clients from claiming the DNS name "wpad".
	This is a fix for the CERT Vulnerability VU#598349.

	
version 2.79
	Fix parsing of CNAME arguments, which are confused by extra spaces.
	Thanks to Diego Aguirre for spotting the bug.

	Where available, use IP_UNICAST_IF or IPV6_UNICAST_IF to bind
	upstream servers to an interface, rather than SO_BINDTODEVICE.
	Thanks to Beniamino Galvani for the patch.

	Always return a SERVFAIL answer to DNS queries without the
	recursion desired bit set, UNLESS acting as an authoritative
	DNS server. This avoids a potential route to cache snooping.

	Add support for Ed25519 signatures in DNSSEC validation.

	No longer support RSA/MD5 signatures in DNSSEC validation,
	since these are not secure. This behaviour is mandated in
	RFC-6944.

	Fix incorrect error exit code from dhcp_release6 utility.
	Thanks Gaudenz Steinlin for the bug report.

	Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC
	time validation when --dnssec-no-timecheck is in use.
	Note that this is an incompatible change from earlier releases.

	Allow more than one --bridge-interface option to refer to an
	interface, so that we can use
	--bridge-interface=int1,alias1
	--bridge-interface=int1,alias2
	as an alternative to
	--bridge-interface=int1,alias1,alias2
	Thanks to Neil Jerram for work on this.

	Fix for DNSSEC with wildcard-derived NSEC records.
	It's OK for NSEC records to be expanded from wildcards,
	but in that case, the proof of non-existence is only valid
	starting at the wildcard name, *.<domain> NOT the name expanded
	from the wildcard. Without this check it's possible for an
	attacker to craft an NSEC which wrongly proves non-existence.
	Thanks to Ralph Dolmans for finding this, and co-ordinating 
	the vulnerability tracking and fix release.
	CVE-2017-15107 applies.

	Remove special handling of A-for-A DNS queries. These
	are no longer a significant problem in the global DNS.
	http://cs.northwestern.edu/~ychen/Papers/DNS_ToN15.pdf
	Thanks to Mattias Hellström for the initial patch.

	Fix failure to delete dynamically created dhcp options
	from files in -dhcp-optsdir directories. Thanks to
	Lindgren Fredrik for the bug report.

	Add to --synth-domain the ability to create names using
	sequential numbers, as well as encodings of IP addresses.
	For instance,
	--synth-domain=thekelleys.org.uk,192.168.0.50,192.168.0.70,internal-*
	creates 21 domain names of the form
	internal-4.thekelleys.org.uk over the address range given, with
	internal-0.thekelleys.org.uk being 192.168.0.50 and
	internal-20.thekelleys.org.uk being 192.168.0.70
	Thanks to Andy Hawkins for the suggestion.

	Tidy up Crypto code, removing workarounds for ancient
	versions of libnettle. We now require libnettle 3.


version 2.78
        Fix logic of appending ".<layer>" to PXE basename. Thanks to Chris
	Novakovic for the patch.

	Revert ping-check of address in DHCPDISCOVER if there
	already exists a lease for the address. Under some
	circumstances, and netbooted windows installation can reply
	to pings before if has a DHCP lease and block allocation
	of the address it already used during netboot. Thanks to
	Jan Psota for spotting this.

	Fix DHCP relaying, broken in 2.76 and 2.77 by commit
	ff325644c7afae2588583f935f4ea9b9694eb52e. Thanks to
	John Fitzgibbon for the diagnosis and patch.

        Try other servers if first returns REFUSED when
	--strict-order active. Thanks to Hans Dedecker
	for the patch

	Fix regression in 2.77, ironically added as a security
	improvement, which resulted in a crash when a DNS
	query exceeded 512 bytes (or the EDNS0 packet size,
	if different.) Thanks to Christian Kujau, Arne Woerner
	Juan Manuel Fernandez and Kevin Darbyshire-Bryant for
	chasing this one down.  CVE-2017-13704 applies.

	Fix heap overflow in DNS code. This is a potentially serious
	security hole. It allows an attacker who can make DNS
	requests to dnsmasq, and who controls the contents of
	a domain, which is thereby queried, to overflow
	(by 2 bytes) a heap buffer and either crash, or
	even take control of, dnsmasq.
	CVE-2017-14491 applies.
	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	Kevin Hamacher and Ron Bowes of the Google Security Team for
	finding this.

	Fix heap overflow in IPv6 router advertisement code.
	This is a potentially serious security hole, as a
	crafted RA request can overflow a buffer and crash or
	control dnsmasq. Attacker must be on the local network.
	CVE-2017-14492 applies.
        Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	and Kevin Hamacher of the Google Security Team for
	finding this.

	Fix stack overflow in DHCPv6 code. An attacker who can send
	a DHCPv6 request to dnsmasq can overflow the stack frame and
	crash or control dnsmasq.
	CVE-2017-14493 applies.
	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	Kevin Hamacher and Ron Bowes of the Google Security Team for
	finding this.

	Fix information leak in DHCPv6. A crafted DHCPv6 packet can
	cause dnsmasq to forward memory from outside the packet
	buffer to a DHCPv6 server when acting as a relay.
	CVE-2017-14494 applies.
	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	Kevin Hamacher and Ron Bowes of the Google Security Team for
	finding this.

	Fix DoS in DNS. Invalid boundary checks in the
	add_pseudoheader function allows a memcpy call with negative
	size An attacker which can send malicious DNS queries
	to dnsmasq can trigger a DoS remotely.
	dnsmasq is vulnerable only if one of the following option is
	specified: --add-mac, --add-cpe-id or --add-subnet.
	CVE-2017-14496 applies.
	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	Kevin Hamacher and Ron Bowes of the Google Security Team for
	finding this.

	Fix out-of-memory Dos vulnerability. An attacker which can
	send malicious DNS queries to dnsmasq can trigger memory
	allocations in the add_pseudoheader function
	The allocated memory is never freed which leads to a DoS
	through memory exhaustion. dnsmasq is vulnerable only
	if one of the following option is specified:
	--add-mac, --add-cpe-id or --add-subnet.
	CVE-2017-14495 applies.
	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	Kevin Hamacher and Ron Bowes of the Google Security Team for
	finding this.


version 2.77
	Generate an error when configured with a CNAME loop,
	rather than a crash. Thanks to George Metz for
	spotting this problem.

	Calculate the length of TFTP error reply packet 
	correctly. This fixes a problem when the error 
	message in a TFTP packet exceeds the arbitrary 
	limit of 500 characters. The message was correctly
	truncated, but not the packet length, so 
	extra data was appended. This is a possible
	security risk, since the extra data comes from
	a buffer which is also used for DNS, so that
	previous DNS queries or replies may be leaked.
	Thanks to Mozilla for funding the security audit 
	which spotted this bug.

	Fix logic error in Linux netlink code. This could
	cause dnsmasq to enter a tight loop on systems
	with a very large number of network interfaces.
	Thanks to Ivan Kokshaysky for the diagnosis and
	patch.

	Fix problem with --dnssec-timestamp whereby receipt
	of SIGHUP would erroneously engage timestamp checking.
	Thanks to Kevin Darbyshire-Bryant for this work.

	Bump zone serial on reloading /etc/hosts and friends
	when providing authoritative DNS. Thanks to Harrald
	Dunkel for spotting this.

	Handle v4-mapped IPv6 addresses sanely in --synth-domain.
	These have standard representation like ::ffff:1.2.3.4
	and are now converted to names like
	<prefix>--ffff-1-2-3-4.<domain>

	Handle binding upstream servers to an interface 
	(--server=1.2.3.4@eth0) when the named interface
	is destroyed and recreated in the kernel. Thanks to 
	Beniamino Galvani for the patch.

	Allow wildcard CNAME records in authoritative zones.
	For example --cname=*.example.com,default.example.com
	Thanks to Pro Backup for sponsoring this development.

	Bump the allowed backlog of TCP connections from 5 to 32,
	and make this a compile-time configurable option. Thanks
	to Donatas Abraitis for diagnosing this as a potential
	problem.

	Add DNSMASQ_REQUESTED_OPTIONS environment variable to the 
	lease-change script. Thanks to ZHAO Yu for the patch.

	Fix foobar in rrfilter code, that could cause malformed 
	replies, especially when DNSSEC validation on, and 
	the upstream server returns answer with the RRs in a 
	particular order. The only DNS server known to tickle
	this is Nominum's. Thanks to Dave Täht for spotting the
	bug and assisting in the fix.

	Fix the manpage which lied that only the primary address
	of an interface is used by --interface-name.

	Make --localise-queries apply to names from --interface-name.
	Thanks to Kevin Darbyshire-Bryant and Eric Luehrsen
	for pushing this.

	Improve connection handling when talking to TCP upstream 
	servers. Specifically, be prepared to open a new TCP
	connection when we want to make multiple queries
	but the upstream server accepts fewer queries per connection.

	Improve logging of upstream servers when there are a lot
	of "local addresses only" entries. Thanks to Hannu Nyman for
	the patch.

	Make --bogus-priv apply to IPv6, for the prefixes specified
	in RFC6303. Thanks to Kevin Darbyshire-Bryant for work on this.

	Allow use of MAC addresses with --tftp-unique-root. Thanks
	to Floris Bos for the patch.

	Add --dhcp-reply-delay option. Thanks to Floris Bos
	for the patch.

	Add mtu setting facility to --ra-param. Thanks to David
	Flamand for the patch.

	Capture STDOUT and STDERR output from dhcp-script and log
	it as part of the dnsmasq log stream. Makes life easier
	for diagnosing unexpected problems in scripts.
	Thanks to Petr Mensik for the patch.

	Generate fatal errors when failing to parse the output
	of the dhcp-script in "init" mode. Avoids strange errors
	when the script accidentally emits error messages.
	Thanks to Petr Mensik for the patch.

	Make --rev-server for an RFC1918 subnet work even in the
	presence of the --bogus-priv flag. Thanks to
	Vladislav Grishenko for the patch.

	Extend --ra-param mtu: field to allow an interface name.
	This allows the MTU of a WAN interface to be advertised on
	the internal interfaces of a router. Thanks to
	Vladislav Grishenko for the patch.

	Do ICMP-ping check for address-in-use for DHCPv4 when
	the client specifies an address in DHCPDISCOVER, and when
	an address in configured locally. Thanks to Alin Năstac
	for spotting the problem.

	Add new DHCP tag "known-othernet" which is set when only a
	dhcp-host exists for another subnet. Can be used to ensure
	that privileged hosts are not given "guest" addresses by
	accident. Thanks to Todd Sanket for the suggestion.

	Remove historic automatic inclusion of IDN support when
	building internationalisation support. This doesn't
	fit now there is a choice of IDN libraries. Be sure
	to include either -DHAVE_IDN or -DHAVE_LIBIDN2 for
	IDN support.


version 2.76
	Include 0.0.0.0/8 in DNS rebind checks. This range 
	translates to hosts on  the local network, or, at 
	least, 0.0.0.0 accesses the local host, so could
	be targets for DNS rebinding. See RFC 5735 section 3 
	for details. Thanks to Stephen Röttger for the bug report.

	Enhance --add-subnet to allow arbitrary subnet addresses.
	Thanks to Ed Barsley for the patch.

	Respect the --no-resolv flag in inotify code. Fixes bug
	which caused dnsmasq to fail to start if a resolv-file 
	was a dangling symbolic link, even of --no-resolv set.
	Thanks to Alexander Kurtz for spotting the problem.

	Fix crash when an A or AAAA record is defined locally,
	in a hosts file, and an upstream server sends a reply
	that the same name is empty. Thanks to Edwin Török for
	the patch.

	Fix failure to correctly calculate cache-size when 
	reading a hosts-file fails. Thanks to André Glüpker 
	for the patch.

	Fix wrong answer to simple name query when --domain-needed
	set, but no upstream servers configured. Dnsmasq returned
	REFUSED, in this case, when it should be the same as when
	upstream servers are configured - NOERROR. Thanks to 
	Allain Legacy for spotting the problem.

	Return REFUSED when running out of forwarding table slots,
	not SERVFAIL.

	Add --max-port configuration. Thanks to Hans Dedecker for
	the patch.

	Add --script-arp and two new functions for the dhcp-script.
	These are "arp" and "arp-old" which announce the arrival and
	removal of entries in the ARP or neighbour tables.

	Extend --add-mac to allow a new encoding of the MAC address 
	as base64, by configuring --add-mac=base64

	Add --add-cpe-id option.

	Don't crash with divide-by-zero if an IPv6 dhcp-range
	is declared as a whole /64.
	(ie xx::0 to xx::ffff:ffff:ffff:ffff) 
	Thanks to Laurent Bendel for spotting this problem.

	Add support for a TTL parameter in --host-record and
	--cname.

	Add --dhcp-ttl option.

	Add --tftp-mtu option. Thanks to Patrick McLean for the 
	initial patch.

	Check return-code of inet_pton() when parsing dhcp-option.
	Bad addresses could fail to generate errors and result in
	garbage dhcp-options being sent. Thanks to Marc Branchaud 
	for spotting this.

	Fix wrong value for EDNS UDP packet size when using 
	--servers-file to define upstream DNS servers. Thanks to
	Scott Bonar for the bug report.

	Move the dhcp_release and dhcp_lease_time tools from 
	contrib/wrt to contrib/lease-tools.

	Add dhcp_release6 to contrib/lease-tools. Many thanks 
	to Sergey Nechaev for this code.

	To avoid filling logs in configurations which define
	many upstream nameservers, don't log more that 30 servers.
	The number to be logged can be changed as SERVERS_LOGGED
	in src/config.h.

	Swap the values if BC_EFI and x86-64_EFI in --pxe-service. 
	These were previously wrong due to an error in RFC 4578.
	If you're using BC_EFI to boot 64-bit EFI machines, you
	will need to update your config.

	Add ARM32_EFI and ARM64_EFI as valid architectures in
	--pxe-service.
