version 2.86
	Handle DHCPREBIND requests in the DHCPv6 server code.
	Thanks to Aichun Li for spotting this omission, and the initial
	patch.

	Fix bug which caused dnsmasq to lose track of processes forked
	to handle TCP DNS connections under heavy load. The code
	checked that at least one free process table slot was
	available before listening on TCP sockets, but didn't take
	into account that more than one TCP connection could
	arrive, so that check was not sufficient to ensure that
	there would be slots for all new processes. It compounded
	this error by silently failing to store the process when
	it did run out of slots. Even when this bug is triggered,
	all the right things happen, and answers are still returned.
	Only under very exceptional circumstances, does the bug
	manifest itself: see
	https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q2/014976.html
	Thanks to Tijs Van Buggenhout for finding the conditions under
	which the bug manifests itself, and then working out
	exactly what was going on.

	Major rewrite of the DNS server and domain handling code.
	This should be largely transparent, but it drastically
	improves performance and reduces memory foot-print when
	configuring large numbers domains of the form
	local=/adserver.com/
	or
	local=/adserver.com/#
	Lookup times now grow as log-to-base-2 of the number of domains,
	rather than greater than linearly, as before.
	The change makes multiple addresses associated with a domain work
	address=/example.com/1.2.3.4
	address=/example.com/5.6.7.8
	It also handles multiple upstream servers for a domain better; using
	the same try/retry algorithms as non domain-specific servers. This
	also applies to DNSSEC-generated queries.
	Finally, some of the oldest and gnarliest code in dnsmasq has had
	a significant clean-up. It's far from perfect, but it _is_ better.

	Revise resource handling for number of concurrent DNS queries. This
	used to have a global limit, but that has a problem when using
	different servers for different upstream domains. Queries which are
	routed by domain to an upstream server which is not responding will
	build up and trigger the limit, which breaks DNS service for
	all other domains which could be handled by other servers. The
	change is to make the limit per server-group, where a server group
	is the set of servers configured for a particular domain. In the
	common case, where only default servers are declared, there is
	no effective change.

	Improve efficiency of DNSSEC. The sharing point for DNSSEC RR data
	used to be when it entered the cache, having been validated. After
	that queries requiring the KEY or DS records would share the cached
	values. There is a common case in dual-stack hosts that queries for
	A and AAAA records for the same domain are made simultaneously.
	If required keys were not in the cache, this would result in two
	requests being sent upstream for the same key data (and all the
	subsequent chain-of-trust queries.) Now we combine these requests
	and elide the duplicates, resulting in fewer queries upstream
	and better performance. To keep a better handle on what's
	going on, the "extra" logging mode has been modified to associate
	queries and answers  for DNSSEC queries in the same way as ordinary
	queries. The requesting address and port have been removed from
	DNSSEC logging lines, since this is no longer strictly defined.

	Connection track mark based DNS query filtering. Thanks to
	Etan Kissling for implementing this It extends query filtering
	support beyond what is currently possible
	with the `--ipset` configuration option, by adding support for:
	1) Specifying allowlists on a per-client basis, based on their
	   associated Linux connection track mark.
	2) Dynamic configuration of allowlists via Ubus.
	3) Reporting when a DNS query resolves or is rejected via Ubus.
	4) DNS name patterns containing wildcards.
	Disallowed queries are not forwarded; they are rejected
	with a REFUSED error code.

	Allow smaller than 64 prefix lengths in synth-domain, with caveats.
	--synth-domain=1234:4567::/56,example.com is now valid.

	Make domains generated by --synth-domain appear in replies
	when in authoritative mode.

	Ensure CAP_NET_ADMIN capability is available when
	conntrack is configured. Thanks to Yick Xie for spotting
	the lack of this.

	When --dhcp-hostsfile --dhcp-optsfile and --addn-hosts are
	given a directory as argument, define the order in which
	files within that directory are read (alphabetical order
	of filename). Thanks to Ed Wildgoose for the initial patch
	and motivation for this.

	
version 2.85
        Fix problem with DNS retries in 2.83/2.84.
        The new logic in 2.83/2.84 which merges distinct requests
	for the same domain causes problems with clients which do
	retries as distinct requests (differing IDs and/or source ports.)
	The retries just get piggy-backed on the first, failed, request.
        The logic is now changed so that distinct requests for repeated
        queries still get merged into a single ID/source port, but
	they now always trigger a re-try upstream.
        Thanks to Nicholas Mu for his analysis.

	Tweak sort order of tags in get-version. v2.84 sorts
	before v2.83, but v2.83 sorts before v2.83rc1 and 2.83rc1
	sorts before v2.83test1. This fixes the problem which lead
	to 2.84 announcing itself as 2.84rc2.

 	Avoid treating a --dhcp-host which has an IPv6 address
	as eligible for use with DHCPv4 on the grounds that it has
	no address, and vice-versa. Thanks to Viktor Papp for
	spotting the problem. (This bug was fixed was back in 2.67, and
	then regressed in 2.81).

	Add --dynamic-host option: A and AAAA records which take their
	network part from the network of a local interface. Useful
	for routers with dynamically prefixes. Thanks
	to Fred F for the suggestion.

	Teach --bogus-nxdomain and --ignore-address to take an IPv4 subnet.

	Use random source ports where possible if source
	addresses/interfaces in use.
	CVE-2021-3448 applies. Thanks to Petr Menšík for spotting this.
	It's possible to specify the source address or interface to be
	used when contacting upstream name servers: server=8.8.8.8@1.2.3.4
	or server=8.8.8.8@1.2.3.4#66 or server=8.8.8.8@eth0, and all of
	these have, until now, used a single socket, bound to a fixed
	port. This was originally done to allow an error (non-existent
	interface, or non-local address) to be detected at start-up. This
	means that any upstream servers specified in such a way don't use
	random source ports, and are more susceptible to cache-poisoning
	attacks.
	We now use random ports where possible, even when the
	source is specified, so server=8.8.8.8@1.2.3.4 or
	server=8.8.8.8@eth0 will use random source
	ports. server=8.8.8.8@1.2.3.4#66 or any use of --query-port will
	use the explicitly configured port, and should only be done with
	understanding of the security implications.
	Note that this change changes non-existing interface, or non-local
	source address errors from fatal to run-time. The error will be
	logged and communication with the server not possible.

	Change the method of allocation of random source ports for DNS.
	Previously, without min-port or max-port configured, dnsmasq would
	default to the compiled in defaults for those, which are 1024 and
	65535. Now, when neither are configured, it defaults instead to
	the kernel's ephemeral port range, which is typically
	32768 to 60999 on Linux systems. This change eliminates the
	possibility that dnsmasq may be using a registered port > 1024
	when a long-running daemon starts up and wishes to claim it.
	This change does likely slightly reduce the number of random ports
	and therefore the protection from reply spoofing. The older
	behaviour can be restored using the min-port and max-port config
	switches should that be a concern.

	Scale the size of the DNS random-port pool based on the
	value of the --dns-forward-max configuration.

	Tweak TFTP code to check sender of all received packets, as
	specified in RFC 1350 para 4.

	Support some wildcard matching of input tags to --tag-if.
	Thanks to Geoff Back for the idea and the patch.

	
version 2.84
	Fix a problem, introduced in 2.83, which could see DNS replies
	being sent via the wrong socket. On machines running both
	IPv4 and IPv6 this could result in sporadic messages of
	the form "failed to send packet: Network is unreachable" and
	the lost of the query. Since the error is sporadic and of
	low probability, the client retry would normally succeed.

	Change HAVE_NETTLEHASH compile-time to HAVE_CRYPTOHASH.


version 2.83
	Use the values of --min-port and --max-port in outgoing
	TCP connections to upstream DNS servers.

	Fix a remote buffer overflow problem in the DNSSEC code. Any
	dnsmasq with DNSSEC compiled in and enabled is vulnerable to this,
	referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683
	CVE-2020-25687.

	Be sure to only accept UDP DNS query replies at the address
	from which the query was originated. This keeps as much entropy
	in the {query-ID, random-port} tuple as possible, to help defeat
	cache poisoning attacks. Refer: CVE-2020-25684.

	Use the SHA-256 hash function to verify that DNS answers
	received are for the questions originally asked. This replaces
	the slightly insecure SHA-1 (when compiled with DNSSEC) or
	the very insecure CRC32 (otherwise). Refer: CVE-2020-25685.

	Handle multiple identical near simultaneous DNS queries better.
	Previously, such queries would all be forwarded
	independently. This is, in theory, inefficient but in practise
	not a problem, _except_ that is means that an answer for any
	of the forwarded queries will be accepted and cached.
	An attacker can send a query multiple times, and for each repeat,
	another {port, ID} becomes capable of accepting the answer he is
	sending in the blind, to random IDs and ports. The chance of a
	successful attack is therefore multiplied by the number of repeats
	of the query. The new behaviour detects repeated queries and
	merely stores the clients sending repeats so that when the
	first query completes, the answer can be sent to all the
	clients who asked. Refer: CVE-2020-25686.
	

version 2.82
	Improve behaviour in the face of network interfaces which come
	and go and change index. Thanks to Petr Mensik for the patch.

	Convert hard startup failure on NETLINK_NO_ENOBUFS under qemu-user
	to a warning.

	Allow IPv6 addresses ofthe form [::ffff:1.2.3.4] in --dhcp-option.

	Fix crash under heavy TCP connection load introduced in 2.81.
	Thanks to Frank for good work chasing this down.

	Change default lease time for DHCPv6 to one day.

	Alter calculation of preferred and valid times in router
	advertisements, so that these do not have a floor applied
	of the lease time in the dhcp-range if this is not explicitly
	specified and is merely the default.
	Thanks to Martin-Éric Racine for suggestions on this.

	
version 2.81
	Improve cache behaviour for TCP connections. For ease of
	implementation, dnsmasq has always forked a new process to handle
	each incoming TCP connection. A side-effect of this is that
	any DNS queries answered from TCP connections are not cached:
	when TCP connections were rare, this was not a problem.
	With the coming of DNSSEC, it is now the case that some
	DNSSEC queries have answers which spill to TCP, and if,
	for instance, this applies to the keys for the root, then
	those never get cached, and performance is very bad.
	This fix passes cache entries back from the TCP child process to
	the main server process, and fixes the problem.

	Remove the NO_FORK compile-time option, and support for uclinux.
	In an era where everything has an MMU, this looks like
	an anachronism, and it adds to (Ok, multiplies!) the
	combinatorial explosion of compile-time options. Thanks to
	Kevin Darbyshire-Bryant for the patch.

	Fix line-counting when reading /etc/hosts and friends; for
	correct error messages. Thanks to Christian Rosentreter
	for reporting this.

	Fix bug in DNS non-terminal code, added in 2.80, which could
	sometimes cause a NODATA rather than an NXDOMAIN reply.
	Thanks to Norman Rasmussen, Sven Mueller and Maciej Żenczykowski
	for spotting and diagnosing the bug and providing patches.

	Support TCP-fastopen (RFC-7413) on both incoming and
	outgoing TCP connections, if supported and enabled in the OS.

	Improve kernel-capability manipulation code under Linux. Dnsmasq
	now fails early if a required capability is not available, and
	tries not to request capabilities not required by its
	configuration.

	Add --shared-network config. This enables allocation of addresses
	by the DHCP server in subnets where the server (or relay) does not
	have an interface on the network in that subnet. Many thanks to
	kamp.de for sponsoring this feature.
	
	Fix broken contrib/lease_tools/dhcp_lease_time.c. A packet
	validation check got borked in commit 2b38e382 and release 2.80.
	Thanks to Tomasz Szajner for spotting this.

	Fix compilation against nettle version 3.5 and later.

	Fix spurious DNSSEC validation failures when the auth section
	of a reply contains unsigned RRs from a signed zone, 
	with the exception that NSEC and NSEC3 RRs must always be signed.
        Thanks to Tore Anderson for spotting and diagnosing the bug.

	Add --dhcp-ignore-clid. This disables reading of DHCP client
	identifier option (option 61), so clients are only identified by
	MAC addresses.

	Fix a bug which stopped --dhcp-name-match from working when a hostname
	is supplied in --dhcp-host. Thanks to James Feeney for spotting this.

	Fix bug which caused very rarely caused zero-length DHCPv6 packets.
	Thanks to Dereck Higgins for spotting this.

	Add --tftp-single-port option.

	Enhance --conf-dir to load files in a deterministic order. Thanks to
	Evgenii Seliavka for the suggestion and initial patch.

	In the router advert code, handle case where we have two
	different interfaces on the same IPv6 net, and we are doing
	RA/DHCP service on only one of them. Thanks to NIIBE Yutaka
	for spotting this case and making the initial patch.

	Support prefixed ranges of ipv6 addresses in dhcp-host.
	This eases problems chain-netbooting, where each link in the
	chain requests an address using a different UID. With a single
	address, only one gets the "static" address, but with this
	fix, enough addresses can be reserved for all the stages of the
	boot. Many thanks to Harald Jensås for his work on this idea and
	earlier patches.

	Add filtering by tag of --dhcp-host directives. Based on a patch
	by Harald Jensås.

	Allow empty server spec in --rev-server, to match --server.
	
	Remove DSA signature verification from DNSSEC, as specified in
	RFC 8624. Thanks to Loganaden Velvindron for the original patch.

	Add --script-on-renewal option.

	
version 2.80
	Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method
	for the initial patch and motivation.

	Alter the default for dnssec-check-unsigned. Versions of
	dnsmasq prior to 2.80 defaulted to not checking unsigned
	replies, and used --dnssec-check-unsigned to switch
        this on. Such configurations will continue to work as before,
        but those which used the default of no checking will need to be
        altered to explicitly select no checking. The new default is
        because switching off checking for unsigned replies is
	inherently dangerous. Not only does it open the possiblity of forged
        replies, but it allows everything to appear to be working even
        when the upstream namesevers do not support DNSSEC, and in this
        case no DNSSEC validation at all is occuring.

        Fix DHCP broken-ness when --no-ping AND --dhcp-sequential-ip
	are set. Thanks to Daniel Miess for help with this.

	Add a facilty to store DNS packets sent/recieved in a
	pcap-format file for later debugging. The file location
	is given by the --dumpfile option, and a bitmap controlling
	which packets should be dumped is given by the --dumpmask
	option.

	Handle the case of both standard and constructed dhcp-ranges on the
	same interface better. We don't now contruct a dhcp-range if there's
	already one specified. This allows the specified interface to
	have different parameters and avoids advertising the same
	prefix twice. Thanks to Luis Marsano for spotting this case.

	Allow zone transfer in authoritative mode if auth-peer is specified,
	even if auth-sec-servers is not. Thanks to Raphaël Halimi for
	the suggestion.

	Fix bug which sometimes caused dnsmasq to wrongly return answers
	without DNSSEC RRs to queries with the do-bit set, but only when
	DNSSEC validation was not enabled.
	Thanks to Petr Menšík for spotting this.

	Fix missing fatal errors with some malformed options
	(server, local, address, rebind-domain-ok, ipset, alias).
	Thanks to Eugene Lozovoy for spotting the problem.

	Fix crash on startup with a --synth-domain which has no prefix.
	Introduced in 2.79. Thanks to Andreas Engel for the bug report.

	Fix missing EDNS0 section in some replies generated by local
	DNS configuration which confused systemd-resolvd. Thanks to
	Steve Dodd for characterising the problem.

	Add --dhcp-name-match config option. 

	Add --caa-record config option.

	Implement --address=/example.com/# as (more efficient) syntactic
	sugar for --address=/example.com/0.0.0.0 and
	--address=/example.com/::
	Returning null addresses is a useful technique for ad-blocking.
	Thanks to Peter Russell for the suggestion.
	
	Change anti cache-snooping behaviour with queries with the
	recursion-desired bit unset. Instead to returning SERVFAIL, we
	now always forward, and never answer from the cache. This
	allows "dig +trace" command to work. 
	
	Include in the example config file a formulation which
	stops DHCP clients from claiming the DNS name "wpad".
	This is a fix for the CERT Vulnerability VU#598349.

	
version 2.79
	Fix parsing of CNAME arguments, which are confused by extra spaces.
	Thanks to Diego Aguirre for spotting the bug.

	Where available, use IP_UNICAST_IF or IPV6_UNICAST_IF to bind
	upstream servers to an interface, rather than SO_BINDTODEVICE.
	Thanks to Beniamino Galvani for the patch.

	Always return a SERVFAIL answer to DNS queries without the
	recursion desired bit set, UNLESS acting as an authoritative
	DNS server. This avoids a potential route to cache snooping.

	Add support for Ed25519 signatures in DNSSEC validation.

	No longer support RSA/MD5 signatures in DNSSEC validation,
	since these are not secure. This behaviour is mandated in
	RFC-6944.

	Fix incorrect error exit code from dhcp_release6 utility.
	Thanks Gaudenz Steinlin for the bug report.

	Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC
	time validation when --dnssec-no-timecheck is in use.
	Note that this is an incompatible change from earlier releases.

	Allow more than one --bridge-interface option to refer to an
	interface, so that we can use
	--bridge-interface=int1,alias1
	--bridge-interface=int1,alias2
	as an alternative to
	--bridge-interface=int1,alias1,alias2
	Thanks to Neil Jerram for work on this.

	Fix for DNSSEC with wildcard-derived NSEC records.
	It's OK for NSEC records to be expanded from wildcards,
	but in that case, the proof of non-existence is only valid
	starting at the wildcard name, *.<domain> NOT the name expanded
	from the wildcard. Without this check it's possible for an
	attacker to craft an NSEC which wrongly proves non-existence.
	Thanks to Ralph Dolmans for finding this, and co-ordinating 
	the vulnerability tracking and fix release.
	CVE-2017-15107 applies.

	Remove special handling of A-for-A DNS queries. These
	are no longer a significant problem in the global DNS.
	http://cs.northwestern.edu/~ychen/Papers/DNS_ToN15.pdf
	Thanks to Mattias Hellström for the initial patch.

	Fix failure to delete dynamically created dhcp options
	from files in -dhcp-optsdir directories. Thanks to
	Lindgren Fredrik for the bug report.

	Add to --synth-domain the ability to create names using
	sequential numbers, as well as encodings of IP addresses.
	For instance,
	--synth-domain=thekelleys.org.uk,192.168.0.50,192.168.0.70,internal-*
	creates 21 domain names of the form
	internal-4.thekelleys.org.uk over the address range given, with
	internal-0.thekelleys.org.uk being 192.168.0.50 and
	internal-20.thekelleys.org.uk being 192.168.0.70
	Thanks to Andy Hawkins for the suggestion.

	Tidy up Crypto code, removing workarounds for ancient
	versions of libnettle. We now require libnettle 3.


version 2.78
        Fix logic of appending ".<layer>" to PXE basename. Thanks to Chris
	Novakovic for the patch.

	Revert ping-check of address in DHCPDISCOVER if there
	already exists a lease for the address. Under some
	circumstances, and netbooted windows installation can reply
	to pings before if has a DHCP lease and block allocation
	of the address it already used during netboot. Thanks to
	Jan Psota for spotting this.

	Fix DHCP relaying, broken in 2.76 and 2.77 by commit
	ff325644c7afae2588583f935f4ea9b9694eb52e. Thanks to
	John Fitzgibbon for the diagnosis and patch.

        Try other servers if first returns REFUSED when
	--strict-order active. Thanks to Hans Dedecker
	for the patch

	Fix regression in 2.77, ironically added as a security
	improvement, which resulted in a crash when a DNS
	query exceeded 512 bytes (or the EDNS0 packet size,
	if different.) Thanks to Christian Kujau, Arne Woerner
	Juan Manuel Fernandez and Kevin Darbyshire-Bryant for
	chasing this one down.  CVE-2017-13704 applies.

	Fix heap overflow in DNS code. This is a potentially serious
	security hole. It allows an attacker who can make DNS
	requests to dnsmasq, and who controls the contents of
	a domain, which is thereby queried, to overflow
	(by 2 bytes) a heap buffer and either crash, or
	even take control of, dnsmasq.
	CVE-2017-14491 applies.
	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	Kevin Hamacher and Ron Bowes of the Google Security Team for
	finding this.

	Fix heap overflow in IPv6 router advertisement code.
	This is a potentially serious security hole, as a
	crafted RA request can overflow a buffer and crash or
	control dnsmasq. Attacker must be on the local network.
	CVE-2017-14492 applies.
        Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	and Kevin Hamacher of the Google Security Team for
	finding this.

	Fix stack overflow in DHCPv6 code. An attacker who can send
	a DHCPv6 request to dnsmasq can overflow the stack frame and
	crash or control dnsmasq.
	CVE-2017-14493 applies.
	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	Kevin Hamacher and Ron Bowes of the Google Security Team for
	finding this.

	Fix information leak in DHCPv6. A crafted DHCPv6 packet can
	cause dnsmasq to forward memory from outside the packet
	buffer to a DHCPv6 server when acting as a relay.
	CVE-2017-14494 applies.
	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	Kevin Hamacher and Ron Bowes of the Google Security Team for
	finding this.

	Fix DoS in DNS. Invalid boundary checks in the
	add_pseudoheader function allows a memcpy call with negative
	size An attacker which can send malicious DNS queries
	to dnsmasq can trigger a DoS remotely.
	dnsmasq is vulnerable only if one of the following option is
	specified: --add-mac, --add-cpe-id or --add-subnet.
	CVE-2017-14496 applies.
	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	Kevin Hamacher and Ron Bowes of the Google Security Team for
	finding this.

	Fix out-of-memory Dos vulnerability. An attacker which can
	send malicious DNS queries to dnsmasq can trigger memory
	allocations in the add_pseudoheader function
	The allocated memory is never freed which leads to a DoS
	through memory exhaustion. dnsmasq is vulnerable only
	if one of the following option is specified:
	--add-mac, --add-cpe-id or --add-subnet.
	CVE-2017-14495 applies.
	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	Kevin Hamacher and Ron Bowes of the Google Security Team for
	finding this.


version 2.77
	Generate an error when configured with a CNAME loop,
	rather than a crash. Thanks to George Metz for
	spotting this problem.

	Calculate the length of TFTP error reply packet 
	correctly. This fixes a problem when the error 
	message in a TFTP packet exceeds the arbitrary 
	limit of 500 characters. The message was correctly
	truncated, but not the packet length, so 
	extra data was appended. This is a possible
	security risk, since the extra data comes from
	a buffer which is also used for DNS, so that
	previous DNS queries or replies may be leaked.
	Thanks to Mozilla for funding the security audit 
	which spotted this bug.

	Fix logic error in Linux netlink code. This could
	cause dnsmasq to enter a tight loop on systems
	with a very large number of network interfaces.
	Thanks to Ivan Kokshaysky for the diagnosis and
	patch.

	Fix problem with --dnssec-timestamp whereby receipt
	of SIGHUP would erroneously engage timestamp checking.
	Thanks to Kevin Darbyshire-Bryant for this work.

	Bump zone serial on reloading /etc/hosts and friends
	when providing authoritative DNS. Thanks to Harrald
	Dunkel for spotting this.

	Handle v4-mapped IPv6 addresses sanely in --synth-domain.
	These have standard representation like ::ffff:1.2.3.4
	and are now converted to names like
	<prefix>--ffff-1-2-3-4.<domain>

	Handle binding upstream servers to an interface 
	(--server=1.2.3.4@eth0) when the named interface
	is destroyed and recreated in the kernel. Thanks to 
	Beniamino Galvani for the patch.

	Allow wildcard CNAME records in authoritative zones.
	For example --cname=*.example.com,default.example.com
	Thanks to Pro Backup for sponsoring this development.

	Bump the allowed backlog of TCP connections from 5 to 32,
	and make this a compile-time configurable option. Thanks
	to Donatas Abraitis for diagnosing this as a potential
	problem.

	Add DNSMASQ_REQUESTED_OPTIONS environment variable to the 
	lease-change script. Thanks to ZHAO Yu for the patch.

	Fix foobar in rrfilter code, that could cause malformed 
	replies, especially when DNSSEC validation on, and 
	the upstream server returns answer with the RRs in a 
	particular order. The only DNS server known to tickle
	this is Nominum's. Thanks to Dave Täht for spotting the
	bug and assisting in the fix.

	Fix the manpage which lied that only the primary address
	of an interface is used by --interface-name.

	Make --localise-queries apply to names from --interface-name.
	Thanks to Kevin Darbyshire-Bryant and Eric Luehrsen
	for pushing this.

	Improve connection handling when talking to TCP upstream 
	servers. Specifically, be prepared to open a new TCP
	connection when we want to make multiple queries
	but the upstream server accepts fewer queries per connection.

	Improve logging of upstream servers when there are a lot
	of "local addresses only" entries. Thanks to Hannu Nyman for
	the patch.

	Make --bogus-priv apply to IPv6, for the prefixes specified
	in RFC6303. Thanks to Kevin Darbyshire-Bryant for work on this.

	Allow use of MAC addresses with --tftp-unique-root. Thanks
	to Floris Bos for the patch.

	Add --dhcp-reply-delay option. Thanks to Floris Bos
	for the patch.

	Add mtu setting facility to --ra-param. Thanks to David
	Flamand for the patch.

	Capture STDOUT and STDERR output from dhcp-script and log
	it as part of the dnsmasq log stream. Makes life easier
	for diagnosing unexpected problems in scripts.
	Thanks to Petr Mensik for the patch.

	Generate fatal errors when failing to parse the output
	of the dhcp-script in "init" mode. Avoids strange errors
	when the script accidentally emits error messages.
	Thanks to Petr Mensik for the patch.

	Make --rev-server for an RFC1918 subnet work even in the
	presence of the --bogus-priv flag. Thanks to
	Vladislav Grishenko for the patch.

	Extend --ra-param mtu: field to allow an interface name.
	This allows the MTU of a WAN interface to be advertised on
	the internal interfaces of a router. Thanks to
	Vladislav Grishenko for the patch.

	Do ICMP-ping check for address-in-use for DHCPv4 when
	the client specifies an address in DHCPDISCOVER, and when
	an address in configured locally. Thanks to Alin Năstac
	for spotting the problem.

	Add new DHCP tag "known-othernet" which is set when only a
	dhcp-host exists for another subnet. Can be used to ensure
	that privileged hosts are not given "guest" addresses by
	accident. Thanks to Todd Sanket for the suggestion.

	Remove historic automatic inclusion of IDN support when
	building internationalisation support. This doesn't
	fit now there is a choice of IDN libraries. Be sure
	to include either -DHAVE_IDN or -DHAVE_LIBIDN2 for
	IDN support.


version 2.76
	Include 0.0.0.0/8 in DNS rebind checks. This range 
	translates to hosts on  the local network, or, at 
	least, 0.0.0.0 accesses the local host, so could
	be targets for DNS rebinding. See RFC 5735 section 3 
	for details. Thanks to Stephen Röttger for the bug report.

	Enhance --add-subnet to allow arbitrary subnet addresses.
	Thanks to Ed Barsley for the patch.

	Respect the --no-resolv flag in inotify code. Fixes bug
	which caused dnsmasq to fail to start if a resolv-file 
	was a dangling symbolic link, even of --no-resolv set.
	Thanks to Alexander Kurtz for spotting the problem.

	Fix crash when an A or AAAA record is defined locally,
	in a hosts file, and an upstream server sends a reply
	that the same name is empty. Thanks to Edwin Török for
	the patch.

	Fix failure to correctly calculate cache-size when 
	reading a hosts-file fails. Thanks to André Glüpker 
	for the patch.

	Fix wrong answer to simple name query when --domain-needed
	set, but no upstream servers configured. Dnsmasq returned
	REFUSED, in this case, when it should be the same as when
	upstream servers are configured - NOERROR. Thanks to 
	Allain Legacy for spotting the problem.

	Return REFUSED when running out of forwarding table slots,
	not SERVFAIL.

	Add --max-port configuration. Thanks to Hans Dedecker for
	the patch.

	Add --script-arp and two new functions for the dhcp-script.
	These are "arp" and "arp-old" which announce the arrival and
	removal of entries in the ARP or neighbour tables.

	Extend --add-mac to allow a new encoding of the MAC address 
	as base64, by configuring --add-mac=base64

	Add --add-cpe-id option.

	Don't crash with divide-by-zero if an IPv6 dhcp-range
	is declared as a whole /64.
	(ie xx::0 to xx::ffff:ffff:ffff:ffff) 
	Thanks to Laurent Bendel for spotting this problem.

	Add support for a TTL parameter in --host-record and
	--cname.

	Add --dhcp-ttl option.

	Add --tftp-mtu option. Thanks to Patrick McLean for the 
	initial patch.

	Check return-code of inet_pton() when parsing dhcp-option.
	Bad addresses could fail to generate errors and result in
	garbage dhcp-options being sent. Thanks to Marc Branchaud 
	for spotting this.

	Fix wrong value for EDNS UDP packet size when using 
	--servers-file to define upstream DNS servers. Thanks to
	Scott Bonar for the bug report.

	Move the dhcp_release and dhcp_lease_time tools from 
	contrib/wrt to contrib/lease-tools.

	Add dhcp_release6 to contrib/lease-tools. Many thanks 
	to Sergey Nechaev for this code.

	To avoid filling logs in configurations which define
	many upstream nameservers, don't log more that 30 servers.
	The number to be logged can be changed as SERVERS_LOGGED
	in src/config.h.

	Swap the values if BC_EFI and x86-64_EFI in --pxe-service. 
	These were previously wrong due to an error in RFC 4578.
	If you're using BC_EFI to boot 64-bit EFI machines, you
	will need to update your config.

	Add ARM32_EFI and ARM64_EFI as valid architectures in
	--pxe-service.

	Fix PXE booting for UEFI architectures. Modify PXE boot
	sequence in this case to force the client to talk to dnsmasq
	over port 4011. This makes PXE and especially proxy-DHCP PXE
	work with these architectures.

	Workaround problems with UEFI PXE clients. There exist
	in the wild PXE clients which have problems with PXE
	boot menus. To work around this, when there's a single
	--pxe-service which applies to client, then that target
	will be booted directly, rather then sending a
	single-item boot menu.

	Many thanks to Jarek Polok, Michael Kuron and Dreamcat4 
	for their work on the long-standing UEFI PXE problem.

	Subtle change in the semantics of "basename" in
	--pxe-service. The historical behaviour has always been
	that the actual filename downloaded from the TFTP server
	is <basename>.<layer> where <layer> is an integer which
	corresponds to the layer parameter supplied by the client.
	It's not clear what the function of the "layer" 
	actually is in the PXE protocol, and in practise layer 
	is always zero, so the filename is <basename>.0
	The new behaviour is the same as the old, except when
	<basename> includes a file suffix, in which case
	the layer suffix is no longer added. This allows
	sensible suffices to be used, rather then the
	meaningless ".0". Only in the unlikely event that you
	have a config with a basename which already has a
	suffix, is this an incompatible change, since the file
	downloaded will change from name.suffix.0 to just 
	name.suffix


version 2.75
	Fix reversion on 2.74 which caused 100% CPU use when a 
	dhcp-script is configured. Thanks to Adrian Davey for
	reporting the bug and testing the fix.


version 2.74
	Fix reversion in 2.73 where --conf-file would attempt to
	read the default file, rather than no file.

	Fix inotify code to handle dangling symlinks better and
	not SEGV in some circumstances.

	DNSSEC fix. In the case of a signed CNAME generated by a
	wildcard which pointed to an unsigned domain, the wrong
	status would be logged, and some necessary checks omitted.


version 2.73
	Fix crash at startup when an empty suffix is supplied to
	--conf-dir, also trivial memory leak. Thanks to 
	Tomas Hozza for spotting this.

	Remove floor of 4096 on advertised EDNS0 packet size when 
	DNSSEC in use, the original rationale for this has long gone.
	Thanks to Anders Kaseorg for spotting this.

	Use inotify for checking on updates to /etc/resolv.conf and
	friends under Linux. This fixes race conditions when the files are 
	updated rapidly and saves CPU by noy polling. To build
	a binary that runs on old Linux kernels without inotify,
	use make COPTS=-DNO_INOTIFY

	Fix breakage of --domain=<domain>,<subnet>,local - only reverse
	queries were intercepted. THis appears to have been broken 
	since 2.69. Thanks to Josh Stone for finding the bug.

	Eliminate IPv6 privacy addresses and deprecated addresses from
	the answers given by --interface-name. Note that reverse queries
	(ie looking for names, given addresses) are not affected. 
	Thanks to Michael Gorbach for the suggestion.

	Fix crash in DNSSEC code with long RRs. Thanks to Marco Davids
	for the bug report.

	Add --ignore-address option. Ignore replies to A-record 
	queries which include the specified address. No error is
	generated, dnsmasq simply continues to listen for another 
	reply. This is useful to defeat blocking strategies which
	rely on quickly supplying a forged answer to a DNS 
	request for certain domains, before the correct answer can
	arrive. Thanks to Glen Huang for the patch.

	Revisit the part of DNSSEC validation which determines if an 
	unsigned answer is legit, or is in some part of the DNS 
	tree which should be signed. Dnsmasq now works from the 
	DNS root downward looking for the limit of signed 
	delegations, rather than working bottom up. This is 
	both more correct, and less likely to trip over broken 
	nameservers in the unsigned parts of the DNS tree 
	which don't respond well to DNSSEC queries.

	Add --log-queries=extra option, which makes logs easier
	to search automatically.

	Add --min-cache-ttl option. I've resisted this for a long 
	time, on the grounds that disbelieving TTLs is never a 
	good idea, but I've been persuaded that there are 
	sometimes reasons to do it. (Step forward, GFW).
	To avoid misuse, there's a hard limit on the TTL 
	floor of one hour. Thanks to RinSatsuki for the patch.

	Cope with multiple interfaces with the same link-local 
	address. (IPv6 addresses are scoped, so this is allowed.)
	Thanks to Cory Benfield for help with this.

	Add --dhcp-hostsdir. This allows addition of new host
	configurations to a running dnsmasq instance much more 
	cheaply than having dnsmasq re-read all its existing
	configuration each time. 

	Don't reply to DHCPv6 SOLICIT messages if we're not 
	configured to do stateful DHCPv6. Thanks to Win King Wan 
	for the patch.

	Fix broken DNSSEC validation of ECDSA signatures.

	Add --dnssec-timestamp option, which provides an automatic
	way to detect when the system time becomes valid after 
	boot on systems without an RTC, whilst allowing DNS 
	queries before the clock is valid so that NTP can run. 
	Thanks to Kevin Darbyshire-Bryant for developing this idea.

	Add --tftp-no-fail option. Thanks to Stefan Tomanek for
	the patch.

	Fix crash caused by looking up servers.bind, CHAOS text 
	record, when more than about five --servers= lines are 
	in the dnsmasq config. This causes memory corruption 
	which causes a crash later. Thanks to Matt Coddington for 
	sterling work chasing this down.

	Fix crash on receipt of certain malformed DNS requests.
	Thanks to Nick Sampanis for spotting the problem.
	Note that this is could allow the dnsmasq process's
	memory to be read by an attacker under certain
	circumstances, so it has a CVE, CVE-2015-3294 

	Fix crash in authoritative DNS code, if a .arpa zone 
	is declared as authoritative, and then a PTR query which
	is not to be treated as authoritative arrived. Normally, 
	directly declaring .arpa zone as authoritative is not 
	done, so this crash wouldn't be seen. Instead the 
	relevant .arpa zone should be specified as a subnet
	in the auth-zone declaration. Thanks to Johnny S. Lee
	for the bugreport and initial patch.

	Fix authoritative DNS code to correctly reply to NS 
	and SOA queries for .arpa zones for which we are 
	declared authoritative by means of a subnet in auth-zone.
	Previously we provided correct answers to PTR queries
	in such zones (including NS and SOA) but not direct
	NS and SOA queries. Thanks to Johnny S. Lee for 
	pointing out the problem.

	Fix logging of DHCPREPLY which should be suppressed 
	by quiet-dhcp6. Thanks to J. Pablo Abonia for 
	spotting the problem.

	Try and handle net connections with broken fragmentation 
	that lose large UDP packets. If a server times out, 
	reduce the maximum UDP packet size field in the EDNS0
	header to 1280 bytes. If it then answers, make that
	change permanent.

	Check IPv4-mapped IPv6 addresses when --stop-rebind
	is active. Thanks to Jordan Milne for spotting this.

	Allow DHCPv4 options T1 and T2 to be set using --dhcp-option.
	Thanks to Kevin Benton for patches and work on this.

	Fix code for DHCPCONFIRM DHCPv6 messages to confirm addresses
	in the correct subnet, even of not in dynamic address 
	allocation range. Thanks to Steve Hirsch for spotting
	the problem.

	Add AddDhcpLease and DeleteDhcpLease DBus methods. Thanks
	to Nicolas Cavallari for the patch.

	Allow configuration of router advertisements without the 
	"on-link" bit set. Thanks to Neil Jerram for the patch.

	Extend --bridge-interface to DHCPv6 and router 
	advertisements. Thanks to Neil Jerram for the patch.


version 2.72
	Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.

	Add support for "ipsets" in *BSD, using pf. Thanks to 
	Sven Falempin for the patch.

	Fix race condition which could lock up dnsmasq when an 
	interface goes down and up rapidly. Thanks to Conrad 
	Kostecki for helping to chase this down.

	Add DBus methods SetFilterWin2KOption and SetBogusPrivOption
	Thanks to the Smoothwall project for the patch.

	Fix failure to build against Nettle-3.0. Thanks to Steven 
	Barth for spotting this and finding the fix. 

	When assigning existing DHCP leases to interfaces by comparing 
	networks, handle the case that two or more interfaces have the
	same network part, but different prefix lengths (favour the
	longer prefix length.) Thanks to Lung-Pin Chang for the 
	patch.

	Add a mode which detects and removes DNS forwarding loops, ie 
	a query sent to an upstream server returns as a new query to 
	dnsmasq, and would therefore be forwarded again, resulting in 
	a query which loops many times before being dropped. Upstream
	servers which loop back are disabled and this event is logged.
	Thanks to Smoothwall for their sponsorship of this feature.

	Extend --conf-dir to allow filtering of files. So
	--conf-dir=/etc/dnsmasq.d,\*.conf
	will load all the files in /etc/dnsmasq.d which end in .conf

	Fix bug when resulted in NXDOMAIN answers instead of NODATA in
	some circumstances.

	Fix bug which caused dnsmasq to become unresponsive if it 
	failed to send packets due to a network interface disappearing.
	Thanks to Niels Peen for spotting this.

	Fix problem with --local-service option on big-endian platforms
	Thanks to Richard Genoud for the patch.


version 2.71
	Subtle change to error handling to help DNSSEC validation 
	when servers fail to provide NODATA answers for 
	non-existent DS records.

	Tweak code which removes DNSSEC records from answers when
	not required. Fixes broken answers when additional section
