version 2.78
        Fix logic of appending ".<layer>" to PXE basename. Thanks to Chris
	Novakovic for the patch.

	Revert ping-check of address in DHCPDISCOVER if there
	already exists a lease for the address. Under some
	circumstances, and netbooted windows installation can reply
	to pings before if has a DHCP lease and block allocation
	of the address it already used during netboot. Thanks to
	Jan Psota for spotting this.

	Fix DHCP relaying, broken in 2.76 and 2.77 by commit
	ff325644c7afae2588583f935f4ea9b9694eb52e. Thanks to
	John Fitzgibbon for the diagnosis and patch.

        Try other servers if first returns REFUSED when
	--strict-order active. Thanks to Hans Dedecker
	for the patch

	Fix regression in 2.77, ironically added as a security
	improvement, which resulted in a crash when a DNS
	query exceeded 512 bytes (or the EDNS0 packet size,
	if different.) Thanks to Christian Kujau, Arne Woerner
	Juan Manuel Fernandez and Kevin Darbyshire-Bryant for
	chasing this one down.  CVE-2017-13704 applies.

	Fix heap overflow in DNS code. This is a potentially serious
	security hole. It allows an attacker who can make DNS
	requests to dnsmasq, and who controls the contents of
	a domain, which is thereby queried, to overflow
	(by 2 bytes) a heap buffer and either crash, or
	even take control of, dnsmasq.
	CVE-2017-14491 applies.
	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	Kevin Hamacher and Ron Bowes of the Google Security Team for
	finding this.

	Fix heap overflow in IPv6 router advertisement code.
	This is a potentially serious security hole, as a
	crafted RA request can overflow a buffer and crash or
	control dnsmasq. Attacker must be on the local network.
	CVE-2017-14492 applies.
        Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	and Kevin Hamacher of the Google Security Team for
	finding this.

	Fix stack overflow in DHCPv6 code. An attacker who can send
	a DHCPv6 request to dnsmasq can overflow the stack frame and
	crash or control dnsmasq.
	CVE-2017-14493 applies.
	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	Kevin Hamacher and Ron Bowes of the Google Security Team for
	finding this.

	Fix information leak in DHCPv6. A crafted DHCPv6 packet can
	cause dnsmasq to forward memory from outside the packet
	buffer to a DHCPv6 server when acting as a relay.
	CVE-2017-14494 applies.
	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	Kevin Hamacher and Ron Bowes of the Google Security Team for
	finding this.

	Fix DoS in DNS. Invalid boundary checks in the
	add_pseudoheader function allows a memcpy call with negative
	size An attacker which can send malicious DNS queries
	to dnsmasq can trigger a DoS remotely.
	dnsmasq is vulnerable only if one of the following option is
	specified: --add-mac, --add-cpe-id or --add-subnet.
	CVE-2017-14496 applies.
	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	Kevin Hamacher and Ron Bowes of the Google Security Team for
	finding this.

	Fix out-of-memory Dos vulnerability. An attacker which can
	send malicious DNS queries to dnsmasq can trigger memory
	allocations in the add_pseudoheader function
	The allocated memory is never freed which leads to a DoS
	through memory exhaustion. dnsmasq is vulnerable only
	if one of the following option is specified:
	--add-mac, --add-cpe-id or --add-subnet.
	CVE-2017-14495 applies.
	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	Kevin Hamacher and Ron Bowes of the Google Security Team for
	finding this.


version 2.77
	Generate an error when configured with a CNAME loop,
	rather than a crash. Thanks to George Metz for
	spotting this problem.

	Calculate the length of TFTP error reply packet 
	correctly. This fixes a problem when the error 
	message in a TFTP packet exceeds the arbitrary 
	limit of 500 characters. The message was correctly
	truncated, but not the packet length, so 
	extra data was appended. This is a possible
	security risk, since the extra data comes from
	a buffer which is also used for DNS, so that
	previous DNS queries or replies may be leaked.
	Thanks to Mozilla for funding the security audit 
	which spotted this bug.

	Fix logic error in Linux netlink code. This could
	cause dnsmasq to enter a tight loop on systems
	with a very large number of network interfaces.
	Thanks to Ivan Kokshaysky for the diagnosis and
	patch.

	Fix problem with --dnssec-timestamp whereby receipt
	of SIGHUP would erroneously engage timestamp checking.
	Thanks to Kevin Darbyshire-Bryant for this work.

	Bump zone serial on reloading /etc/hosts and friends
	when providing authoritative DNS. Thanks to Harrald
	Dunkel for spotting this.

	Handle v4-mapped IPv6 addresses sanely in --synth-domain.
	These have standard representation like ::ffff:1.2.3.4
	and are now converted to names like
	<prefix>--ffff-1-2-3-4.<domain>

	Handle binding upstream servers to an interface 
	(--server=1.2.3.4@eth0) when the named interface
	is destroyed and recreated in the kernel. Thanks to 
	Beniamino Galvani for the patch.

	Allow wildcard CNAME records in authoritative zones.
	For example --cname=*.example.com,default.example.com
	Thanks to Pro Backup for sponsoring this development.

	Bump the allowed backlog of TCP connections from 5 to 32,
	and make this a compile-time configurable option. Thanks
	to Donatas Abraitis for diagnosing this as a potential
	problem.

	Add DNSMASQ_REQUESTED_OPTIONS environment variable to the 
	lease-change script. Thanks to ZHAO Yu for the patch.

	Fix foobar in rrfilter code, that could cause malformed 
	replies, especially when DNSSEC validation on, and 
	the upstream server returns answer with the RRs in a 
	particular order. The only DNS server known to tickle
	this is Nominum's. Thanks to Dave Täht for spotting the
	bug and assisting in the fix.

	Fix the manpage which lied that only the primary address
	of an interface is used by --interface-name.

	Make --localise-queries apply to names from --interface-name.
	Thanks to Kevin Darbyshire-Bryant and Eric Luehrsen
	for pushing this.

	Improve connection handling when talking to TCP upstream 
	servers. Specifically, be prepared to open a new TCP
	connection when we want to make multiple queries
	but the upstream server accepts fewer queries per connection.

	Improve logging of upstream servers when there are a lot
	of "local addresses only" entries. Thanks to Hannu Nyman for
	the patch.

	Make --bogus-priv apply to IPv6, for the prefixes specified
	in RFC6303. Thanks to Kevin Darbyshire-Bryant for work on this.

	Allow use of MAC addresses with --tftp-unique-root. Thanks
	to Floris Bos for the patch.

	Add --dhcp-reply-delay option. Thanks to Floris Bos
	for the patch.

	Add mtu setting facility to --ra-param. Thanks to David
	Flamand for the patch.

	Capture STDOUT and STDERR output from dhcp-script and log
	it as part of the dnsmasq log stream. Makes life easier
	for diagnosing unexpected problems in scripts.
	Thanks to Petr Mensik for the patch.

	Generate fatal errors when failing to parse the output
	of the dhcp-script in "init" mode. Avoids strange errors
	when the script accidentally emits error messages.
	Thanks to Petr Mensik for the patch.

	Make --rev-server for an RFC1918 subnet work even in the
	presence of the --bogus-priv flag. Thanks to
	Vladislav Grishenko for the patch.

	Extend --ra-param mtu: field to allow an interface name.
	This allows the MTU of a WAN interface to be advertised on
	the internal interfaces of a router. Thanks to
	Vladislav Grishenko for the patch.

	Do ICMP-ping check for address-in-use for DHCPv4 when
	the client specifies an address in DHCPDISCOVER, and when
	an address in configured locally. Thanks to Alin Năstac
	for spotting the problem.

	Add new DHCP tag "known-othernet" which is set when only a
	dhcp-host exists for another subnet. Can be used to ensure
	that privileged hosts are not given "guest" addresses by
	accident. Thanks to Todd Sanket for the suggestion.

	Remove historic automatic inclusion of IDN support when
	building internationalisation support. This doesn't
	fit now there is a choice of IDN libraries. Be sure
	to include either -DHAVE_IDN or -DHAVE_LIBIDN2 for
	IDN support.


version 2.76
	Include 0.0.0.0/8 in DNS rebind checks. This range 
	translates to hosts on  the local network, or, at 
	least, 0.0.0.0 accesses the local host, so could
	be targets for DNS rebinding. See RFC 5735 section 3 
	for details. Thanks to Stephen Röttger for the bug report.

	Enhance --add-subnet to allow arbitrary subnet addresses.
	Thanks to Ed Barsley for the patch.

	Respect the --no-resolv flag in inotify code. Fixes bug
	which caused dnsmasq to fail to start if a resolv-file 
	was a dangling symbolic link, even of --no-resolv set.
	Thanks to Alexander Kurtz for spotting the problem.

	Fix crash when an A or AAAA record is defined locally,
	in a hosts file, and an upstream server sends a reply
	that the same name is empty. Thanks to Edwin Török for
	the patch.

	Fix failure to correctly calculate cache-size when 
	reading a hosts-file fails. Thanks to André Glüpker 
	for the patch.

	Fix wrong answer to simple name query when --domain-needed
	set, but no upstream servers configured. Dnsmasq returned
	REFUSED, in this case, when it should be the same as when
	upstream servers are configured - NOERROR. Thanks to 
	Allain Legacy for spotting the problem.

	Return REFUSED when running out of forwarding table slots,
	not SERVFAIL.

	Add --max-port configuration. Thanks to Hans Dedecker for
	the patch.

	Add --script-arp and two new functions for the dhcp-script.
	These are "arp" and "arp-old" which announce the arrival and
	removal of entries in the ARP or neighbour tables.

	Extend --add-mac to allow a new encoding of the MAC address 
	as base64, by configuring --add-mac=base64

	Add --add-cpe-id option.

	Don't crash with divide-by-zero if an IPv6 dhcp-range
	is declared as a whole /64.
	(ie xx::0 to xx::ffff:ffff:ffff:ffff) 
	Thanks to Laurent Bendel for spotting this problem.

	Add support for a TTL parameter in --host-record and
	--cname.

	Add --dhcp-ttl option.

	Add --tftp-mtu option. Thanks to Patrick McLean for the 
	initial patch.

	Check return-code of inet_pton() when parsing dhcp-option.
	Bad addresses could fail to generate errors and result in
	garbage dhcp-options being sent. Thanks to Marc Branchaud 
	for spotting this.

	Fix wrong value for EDNS UDP packet size when using 
	--servers-file to define upstream DNS servers. Thanks to
	Scott Bonar for the bug report.

	Move the dhcp_release and dhcp_lease_time tools from 
	contrib/wrt to contrib/lease-tools.

	Add dhcp_release6 to contrib/lease-tools. Many thanks 
	to Sergey Nechaev for this code.

	To avoid filling logs in configurations which define
	many upstream nameservers, don't log more that 30 servers.
	The number to be logged can be changed as SERVERS_LOGGED
	in src/config.h.

	Swap the values if BC_EFI and x86-64_EFI in --pxe-service. 
	These were previously wrong due to an error in RFC 4578.
	If you're using BC_EFI to boot 64-bit EFI machines, you
	will need to update your config.

	Add ARM32_EFI and ARM64_EFI as valid architectures in
	--pxe-service.

	Fix PXE booting for UEFI architectures. Modify PXE boot
	sequence in this case to force the client to talk to dnsmasq
	over port 4011. This makes PXE and especially proxy-DHCP PXE
	work with these architectures.

	Workaround problems with UEFI PXE clients. There exist
	in the wild PXE clients which have problems with PXE
	boot menus. To work around this, when there's a single
	--pxe-service which applies to client, then that target
	will be booted directly, rather then sending a
	single-item boot menu.

	Many thanks to Jarek Polok, Michael Kuron and Dreamcat4 
	for their work on the long-standing UEFI PXE problem.

	Subtle change in the semantics of "basename" in
	--pxe-service. The historical behaviour has always been
	that the actual filename downloaded from the TFTP server
	is <basename>.<layer> where <layer> is an integer which
	corresponds to the layer parameter supplied by the client.
	It's not clear what the function of the "layer" 
	actually is in the PXE protocol, and in practise layer 
	is always zero, so the filename is <basename>.0
	The new behaviour is the same as the old, except when
	<basename> includes a file suffix, in which case
	the layer suffix is no longer added. This allows
	sensible suffices to be used, rather then the
	meaningless ".0". Only in the unlikely event that you
	have a config with a basename which already has a
	suffix, is this an incompatible change, since the file
	downloaded will change from name.suffix.0 to just 
	name.suffix


version 2.75
	Fix reversion on 2.74 which caused 100% CPU use when a 
	dhcp-script is configured. Thanks to Adrian Davey for
	reporting the bug and testing the fix.


version 2.74
	Fix reversion in 2.73 where --conf-file would attempt to
	read the default file, rather than no file.

	Fix inotify code to handle dangling symlinks better and
	not SEGV in some circumstances.

	DNSSEC fix. In the case of a signed CNAME generated by a
	wildcard which pointed to an unsigned domain, the wrong
	status would be logged, and some necessary checks omitted.


version 2.73
	Fix crash at startup when an empty suffix is supplied to
	--conf-dir, also trivial memory leak. Thanks to 
	Tomas Hozza for spotting this.

	Remove floor of 4096 on advertised EDNS0 packet size when 
	DNSSEC in use, the original rationale for this has long gone.
	Thanks to Anders Kaseorg for spotting this.

	Use inotify for checking on updates to /etc/resolv.conf and
	friends under Linux. This fixes race conditions when the files are 
	updated rapidly and saves CPU by noy polling. To build
	a binary that runs on old Linux kernels without inotify,
	use make COPTS=-DNO_INOTIFY

	Fix breakage of --domain=<domain>,<subnet>,local - only reverse
	queries were intercepted. THis appears to have been broken 
	since 2.69. Thanks to Josh Stone for finding the bug.

	Eliminate IPv6 privacy addresses and deprecated addresses from
	the answers given by --interface-name. Note that reverse queries
	(ie looking for names, given addresses) are not affected. 
	Thanks to Michael Gorbach for the suggestion.

	Fix crash in DNSSEC code with long RRs. Thanks to Marco Davids
	for the bug report.

	Add --ignore-address option. Ignore replies to A-record 
	queries which include the specified address. No error is
	generated, dnsmasq simply continues to listen for another 
	reply. This is useful to defeat blocking strategies which
	rely on quickly supplying a forged answer to a DNS 
	request for certain domains, before the correct answer can
	arrive. Thanks to Glen Huang for the patch.

	Revisit the part of DNSSEC validation which determines if an 
	unsigned answer is legit, or is in some part of the DNS 
	tree which should be signed. Dnsmasq now works from the 
	DNS root downward looking for the limit of signed 
	delegations, rather than working bottom up. This is 
	both more correct, and less likely to trip over broken 
	nameservers in the unsigned parts of the DNS tree 
	which don't respond well to DNSSEC queries.

	Add --log-queries=extra option, which makes logs easier
	to search automatically.

	Add --min-cache-ttl option. I've resisted this for a long 
	time, on the grounds that disbelieving TTLs is never a 
	good idea, but I've been persuaded that there are 
	sometimes reasons to do it. (Step forward, GFW).
	To avoid misuse, there's a hard limit on the TTL 
	floor of one hour. Thanks to RinSatsuki for the patch.

	Cope with multiple interfaces with the same link-local 
	address. (IPv6 addresses are scoped, so this is allowed.)
	Thanks to Cory Benfield for help with this.

	Add --dhcp-hostsdir. This allows addition of new host
	configurations to a running dnsmasq instance much more 
	cheaply than having dnsmasq re-read all its existing
	configuration each time. 

	Don't reply to DHCPv6 SOLICIT messages if we're not 
	configured to do stateful DHCPv6. Thanks to Win King Wan 
	for the patch.

	Fix broken DNSSEC validation of ECDSA signatures.

	Add --dnssec-timestamp option, which provides an automatic
	way to detect when the system time becomes valid after 
	boot on systems without an RTC, whilst allowing DNS 
	queries before the clock is valid so that NTP can run. 
	Thanks to Kevin Darbyshire-Bryant for developing this idea.

	Add --tftp-no-fail option. Thanks to Stefan Tomanek for
	the patch.

	Fix crash caused by looking up servers.bind, CHAOS text 
	record, when more than about five --servers= lines are 
	in the dnsmasq config. This causes memory corruption 
	which causes a crash later. Thanks to Matt Coddington for 
	sterling work chasing this down.

	Fix crash on receipt of certain malformed DNS requests.
	Thanks to Nick Sampanis for spotting the problem.
	Note that this is could allow the dnsmasq process's
	memory to be read by an attacker under certain
	circumstances, so it has a CVE, CVE-2015-3294 

	Fix crash in authoritative DNS code, if a .arpa zone 
	is declared as authoritative, and then a PTR query which
	is not to be treated as authoritative arrived. Normally, 
	directly declaring .arpa zone as authoritative is not 
	done, so this crash wouldn't be seen. Instead the 
	relevant .arpa zone should be specified as a subnet
	in the auth-zone declaration. Thanks to Johnny S. Lee
	for the bugreport and initial patch.

	Fix authoritative DNS code to correctly reply to NS 
	and SOA queries for .arpa zones for which we are 
	declared authoritative by means of a subnet in auth-zone.
	Previously we provided correct answers to PTR queries
	in such zones (including NS and SOA) but not direct
	NS and SOA queries. Thanks to Johnny S. Lee for 
	pointing out the problem.

	Fix logging of DHCPREPLY which should be suppressed 
	by quiet-dhcp6. Thanks to J. Pablo Abonia for 
	spotting the problem.

	Try and handle net connections with broken fragmentation 
	that lose large UDP packets. If a server times out, 
	reduce the maximum UDP packet size field in the EDNS0
	header to 1280 bytes. If it then answers, make that
	change permanent.

	Check IPv4-mapped IPv6 addresses when --stop-rebind
	is active. Thanks to Jordan Milne for spotting this.

	Allow DHCPv4 options T1 and T2 to be set using --dhcp-option.
	Thanks to Kevin Benton for patches and work on this.

	Fix code for DHCPCONFIRM DHCPv6 messages to confirm addresses
	in the correct subnet, even of not in dynamic address 
	allocation range. Thanks to Steve Hirsch for spotting
	the problem.

	Add AddDhcpLease and DeleteDhcpLease DBus methods. Thanks
	to Nicolas Cavallari for the patch.

	Allow configuration of router advertisements without the 
	"on-link" bit set. Thanks to Neil Jerram for the patch.

	Extend --bridge-interface to DHCPv6 and router 
	advertisements. Thanks to Neil Jerram for the patch.


version 2.72
	Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.

	Add support for "ipsets" in *BSD, using pf. Thanks to 
	Sven Falempin for the patch.

	Fix race condition which could lock up dnsmasq when an 
	interface goes down and up rapidly. Thanks to Conrad 
	Kostecki for helping to chase this down.

	Add DBus methods SetFilterWin2KOption and SetBogusPrivOption
	Thanks to the Smoothwall project for the patch.

	Fix failure to build against Nettle-3.0. Thanks to Steven 
	Barth for spotting this and finding the fix. 

	When assigning existing DHCP leases to interfaces by comparing 
	networks, handle the case that two or more interfaces have the
	same network part, but different prefix lengths (favour the
	longer prefix length.) Thanks to Lung-Pin Chang for the 
	patch.

	Add a mode which detects and removes DNS forwarding loops, ie 
	a query sent to an upstream server returns as a new query to 
	dnsmasq, and would therefore be forwarded again, resulting in 
	a query which loops many times before being dropped. Upstream
	servers which loop back are disabled and this event is logged.
	Thanks to Smoothwall for their sponsorship of this feature.

	Extend --conf-dir to allow filtering of files. So
	--conf-dir=/etc/dnsmasq.d,\*.conf
	will load all the files in /etc/dnsmasq.d which end in .conf

	Fix bug when resulted in NXDOMAIN answers instead of NODATA in
	some circumstances.

	Fix bug which caused dnsmasq to become unresponsive if it 
	failed to send packets due to a network interface disappearing.
	Thanks to Niels Peen for spotting this.

	Fix problem with --local-service option on big-endian platforms
	Thanks to Richard Genoud for the patch.


version 2.71
	Subtle change to error handling to help DNSSEC validation 
	when servers fail to provide NODATA answers for 
	non-existent DS records.

	Tweak code which removes DNSSEC records from answers when
	not required. Fixes broken answers when additional section
	has real records in it. Thanks to Marco Davids for the bug 
	report.

	Fix DNSSEC validation of ANY queries. Thanks to Marco Davids
	for spotting that too.

	Fix total DNS failure and 100% CPU use if cachesize set to zero,
	regression introduced in 2.69. Thanks to James Hunt and
	the Ubuntu crowd for assistance in fixing this.


version 2.70
	Fix crash, introduced in 2.69, on TCP request when dnsmasq
	compiled with DNSSEC support, but running without DNSSEC
	enabled. Thanks to Manish Sing for spotting that one.

	Fix regression which broke ipset functionality. Thanks to 
	Wang Jian for the bug report.


version 2.69
	Implement dynamic interface discovery on *BSD. This allows
	the constructor: syntax to be used in dhcp-range for DHCPv6
	on the BSD platform. Thanks to Matthias Andree for
	valuable research on how to implement this.

	Fix infinite loop associated with some --bogus-nxdomain
	configs. Thanks fogobogo for the bug report.

	Fix missing RA RDNS option with configuration like
	--dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer
	for spotting the problem.

	Add [fd00::] and [fe80::] as special addresses in DHCPv6
	options, analogous to [::]. [fd00::] is replaced with the
	actual ULA of the interface on the machine running
	dnsmasq, [fe80::] with the link-local address. 
	Thanks to Tsachi Kimeldorfer for championing this.

	DNSSEC validation and caching. Dnsmasq needs to be
	compiled with this enabled, with 

	make dnsmasq COPTS=-DHAVE_DNSSEC

	this adds dependencies on the nettle crypto library and the 
	gmp maths library. It's possible to have these linked
	statically with

	make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'

	which bloats the dnsmasq binary, but saves the size of 
	the shared libraries which are much bigger.

	To enable, DNSSEC, you will need a set of
	trust-anchors. Now that the TLDs are signed, this can be
	the keys for the root zone, and for convenience they are
	included in trust-anchors.conf in the dnsmasq
	distribution. You should of course check that these are
	legitimate and up-to-date. So, adding

	conf-file=/path/to/trust-anchors.conf
	dnssec

	to your config is all that's needed to get things
	working. The upstream nameservers have to be DNSSEC-capable
	too, of course. Many ISP nameservers aren't, but the
	Google public nameservers (8.8.8.8 and 8.8.4.4) are.
	When DNSSEC is configured, dnsmasq validates any queries 
	for domains which are signed. Query results which are 
	bogus are replaced with SERVFAIL replies, and results 
	which are correctly signed have the AD bit set. In 
	addition, and just as importantly, dnsmasq supplies 
	correct DNSSEC information to clients which are doing 
	their own validation, and caches DNSKEY, DS and RRSIG
	records, which significantly improve the performance of 
	downstream validators. Setting --log-queries will show 
	DNSSEC in action.

	If a domain is returned from an upstream nameserver without 
	DNSSEC signature, dnsmasq by default trusts this. This 
	means that for unsigned zone (still the majority) there 
	is effectively no cost for having DNSSEC enabled. Of course
	this allows an attacker to replace a signed record with a 
	false unsigned record. This is addressed by the 
	--dnssec-check-unsigned flag, which instructs dnsmasq
	to prove that an unsigned record is legitimate, by finding  
	a secure proof that the zone containing the record is not
	signed. Doing this has costs (typically one or two extra
	upstream queries). It also has a nasty failure mode if
	dnsmasq's upstream nameservers are not DNSSEC capable. 
	Without --dnssec-check-unsigned using such an upstream
	server will simply result in not queries being validated; 
	with --dnssec-check-unsigned enabled and a 
	DNSSEC-ignorant upstream server, _all_ queries will fail.

	Note that DNSSEC requires that the local time is valid and 
	accurate, if not then DNSSEC validation will fail. NTP 
	should be running. This presents a problem for routers
	without a battery-backed clock. To set the time needs NTP 
	to do DNS lookups, but lookups will fail until NTP has run.
	To address this, there's a flag, --dnssec-no-timecheck 
	which disables the time checks (only) in DNSSEC. When dnsmasq
	is started and the clock is not synced, this flag should
	be used. As soon as the clock is synced, SIGHUP dnsmasq. 
	The SIGHUP clears the cache of partially-validated data and
	resets the no-timecheck flag, so that all DNSSEC checks 
	henceforward will be complete.

	The development of DNSSEC in dnsmasq was started by 
	Giovanni Bajo, to whom huge thanks are owed. It has been
	supported by Comcast, whose techfund grant has allowed for 
	an invaluable period of full-time work to get it to 
	a workable state.

	Add --rev-server. Thanks to Dave Taht for suggesting this.

	Add --servers-file. Allows dynamic update of upstream servers 
	full access to configuration. 

	Add --local-service. Accept DNS queries only from hosts 
	whose address is on a local subnet, ie a subnet for which 
	an interface exists on the server. This option
	only has effect if there are no --interface --except-interface,
	--listen-address or --auth-server options. It is intended 
	to be set as a default on installation, to allow
	unconfigured installations to be useful but also safe from 
	being used for DNS amplification attacks.

	Fix crashes in cache_get_cname_target() when dangling CNAMEs
	encountered. Thanks to Andy and the rt-n56u project for
	find this and helping to chase it down.

	Fix wrong RCODE in authoritative DNS replies to PTR queries. The
	correct answer was included, but the RCODE was set to NXDOMAIN.
	Thanks to Craig McQueen for spotting this.

	Make statistics available as DNS queries in the .bind TLD as 
	well as logging them.


version 2.68
	Use random addresses for DHCPv6 temporary address
	allocations, instead of algorithmically determined stable
	addresses.

	Fix bug which meant that the DHCPv6 DUID was not available
	in DHCP script runs during the lifetime of the dnsmasq
	process which created the DUID de-novo. Once the DUID was
	created and stored in the lease file and dnsmasq
	restarted, this bug disappeared.

	Fix bug introduced in 2.67 which could result in erroneous
	NXDOMAIN returns to CNAME queries.

	Fix build failures on MacOS X and openBSD.

	Allow subnet specifications in --auth-zone to be interface 
	names as well as address literals. This makes it possible
	to configure authoritative DNS when local address ranges
	are dynamic and works much better than the previous
	work-around which exempted constructed DHCP ranges from the
	IP address filtering. As a consequence, that work-around
	is removed. Under certain circumstances, this change wil
	break existing configuration: if you're relying on the
	constructed-range exception, you need to change --auth-zone
	to specify the same interface as is used to construct your
	DHCP ranges, probably with a trailing "/6" like this: 
	--auth-zone=example.com,eth0/6 to limit the addresses to
	IPv6 addresses of eth0.

	Fix problems when advertising deleted IPv6 prefixes. If
	the prefix is deleted (rather than replaced), it doesn't
	get advertised with zero preferred time. Thanks to Tsachi
	for the bug report. 

	Fix segfault with some locally configured CNAMEs. Thanks
	to Andrew Childs for spotting the problem.

	Fix memory leak on re-reading /etc/hosts and friends,
	introduced in 2.67.

	Check the arrival interface of incoming DNS and TFTP
	requests via IPv6, even in --bind-interfaces mode. This
	isn't possible for IPv4 and can generate scary warnings,
	but as it's always possible for IPv6 (the API always
	exists) then we should do it always. 

	Tweak the rules on prefix-lengths in --dhcp-range for
	IPv6. The new rule is that the specified prefix length
	must be larger than or equal to the prefix length of the
	corresponding address on the local interface. 


version 2.67
	Fix crash if upstream server returns SERVFAIL when
	--conntrack in use. Thanks to Giacomo Tazzari for finding
	this and supplying the patch. 

	Repair regression in 2.64. That release stopped sending
	lease-time information in the reply to DHCPINFORM
	requests, on the correct grounds that it was a standards
	violation. However, this broke the dnsmasq-specific
	dhcp_lease_time utility. Now, DHCPINFORM returns
	lease-time only if it's specifically requested
	(maintaining standards) and the dhcp_lease_time utility
	has been taught to ask for it (restoring functionality). 

	Fix --dhcp-match, --dhcp-vendorclass and --dhcp-userclass
	to work with BOOTP and well as DHCP. Thanks to Peter
	Korsgaard for spotting the problem. 

	Add --synth-domain. Thanks to Vishvananda Ishaya for
	suggesting this.

	Fix failure to compile ipset.c if old kernel headers are
	in use. Thanks to Eugene Rudoy for pointing this out.

	Handle IPv4 interface-address labels in Linux. These are
	often used to emulate the old IP-alias addresses. Before,
	using --interface=eth0 would service all the addresses of
	eth0, including ones configured as aliases, which appear
	in ifconfig as eth0:0. Now, only addresses with the label
	eth0 are active. This is not backwards compatible: if you
	want to continue to bind the aliases too, you need to add
	eg. --interface=eth0:0 to the config. 

	Fix "failed to set SO_BINDTODEVICE on DHCP socket: Socket 
	operation on non-socket" error on startup with
	configurations which have exactly one --interface option
	and do RA but _not_ DHCPv6. Thanks to Trever Adams for the
	bug report.

	Generalise --interface-name to cope with IPv6 addresses
	and multiple addresses per interface per address family.

	Fix option parsing for --dhcp-host, which was generating a
	spurious error when all seven possible items were
	included. Thanks to Zhiqiang Wang for the bug report.

	Remove restriction on prefix-length in --auth-zone. Thanks
	to Toke Hoiland-Jorgensen for suggesting this.

	Log when the maximum number of concurrent DNS queries is
	reached. Thanks to Marcelo Salhab Brogliato for the patch.

	If wildcards are used in --interface, don't assume that 
	there will only ever be one available interface for DHCP
	just because there is one at start-up. More may appear, so
	we can't use SO_BINDTODEVICE. Thanks to Natrio for the bug
	report. 

	Increase timeout/number of retries in TFTP to accommodate
	AudioCodes Voice Gateways doing streaming writes to flash.
	Thanks to Damian Kaczkowski for spotting the problem.

	Fix crash with empty DHCP string options when adding zero
	terminator. Thanks to Patrick McLean for the bug report.

	Allow hostnames to start with a number, as allowed in
	RFC-1123. Thanks to Kyle Mestery for the patch. 

	Fixes to DHCP FQDN option handling: don't terminate FQDN
	if domain not known and allow a FQDN option with blank
	name to request that a FQDN option is returned in the
	reply. Thanks to Roy Marples for the patch.

	Make --clear-on-reload apply to setting upstream servers
	via DBus too.

	When the address which triggered the construction of an
	advertised IPv6 prefix disappears, continue to advertise 
	the prefix for up to 2 hours, with the preferred lifetime
	set to zero. This satisfies RFC 6204 4.3 L-13 and makes
	things work better if a prefix disappears without being
	deprecated first. Thanks to Uwe Schindler for persuasively
	arguing for this.

	Fix MAC address enumeration on *BSD. Thanks to Brad Smith
	for the bug report.

	Support RFC-4242 information-refresh-time options in the 
	reply to DHCPv6 information-request. The lease time of the
	smallest valid dhcp-range is sent. Thanks to Uwe Schindler 
	for suggesting this.

	Make --listen-address higher priority than --except-interface
	in all circumstances. Thanks to Thomas Hood for the bugreport.

	Provide independent control over which interfaces get TFTP 
	service. If enable-tftp is given a list of interfaces, then TFTP 
	is provided on those. Without the list, the previous behaviour
	(provide TFTP to the same interfaces we provide DHCP to) 
	is retained. Thanks to Lonnie Abelbeck for the suggestion.

	Add --dhcp-relay config option. Many thanks to vtsl.net
	for sponsoring this development.

	Fix crash with empty tag: in --dhcp-range. Thanks to
	Kaspar Schleiser for the bug report.

	Add "baseline" and "bloatcheck" makefile targets, for 
	revealing size changes during development. Thanks to
	Vladislav Grishenko for the patch. 

	Cope with DHCPv6 clients which send REQUESTs without
	address options - treat them as SOLICIT with rapid commit.

	Support identification of clients by MAC address in
	DHCPv6. When using a relay, the relay must support RFC
	6939 for this to work. It always works for directly
	connected clients. Thanks to Vladislav Grishenko
	for prompting this feature.

	Remove the rule for constructed DHCP ranges that the local
	address must be either the first or last address in the
	range. This was originally to avoid SLAAC addresses, but
	we now explicitly autoconfig and privacy addresses instead.  

	Update Polish translation. Thanks to Jan Psota.

	Fix problem in DHCPv6 vendorclass/userclass matching
	code. Thanks to Tanguy Bouzeloc for the patch.

	Update Spanish translation. Thanks to Vicente Soriano.

	Add --ra-param option. Thanks to Vladislav Grishenko for
	inspiration on this.

	Add --add-subnet configuration, to tell upstream DNS
	servers where the original client is. Thanks to DNSthingy
	for sponsoring this feature.

	Add --quiet-dhcp, --quiet-dhcp6 and --quiet-ra. Thanks to
	Kevin Darbyshire-Bryant for the initial patch.

	Allow A/AAAA records created by --interface-name to be the
	target of --cname. Thanks to Hadmut Danisch for the
	suggestion. 

	Avoid treating a --dhcp-host which has an IPv6 address
	as eligible for use with DHCPv4 on the grounds that it has
	no address, and vice-versa. Thanks to Yury Konovalov for
	spotting the problem.

	Do a better job caching dangling CNAMEs. Thanks to Yves
	Dorfsman for spotting the problem.


version 2.66
	Add the ability to act as an authoritative DNS
	server. Dnsmasq can now answer queries from the wider 'net
	with local data, as long as the correct NS records are set
	up. Only local data is provided, to avoid creating an open
	DNS relay. Zone transfer is supported, to allow secondary
	servers to be configured.

	Add "constructed DHCP ranges" for DHCPv6. This is intended
	for IPv6 routers which get prefixes dynamically via prefix
	delegation. With suitable configuration, stateful DHCPv6
	and RA can happen automatically as prefixes are delegated
	and then deprecated, without having  to re-write the
	dnsmasq configuration file or restart the daemon. Thanks to
	Steven Barth for extensive testing and development work on
	this idea.

	Fix crash on startup on Solaris 11. Regression probably
	introduced in 2.61.  Thanks to Geoff Johnstone for the
	patch.

	Add code to make behaviour for TCP DNS requests that same
	as for UDP requests, when a request arrives for an allowed 
	address, but via a banned interface. This change is only
	active on Linux, since the relevant API is missing (AFAIK)
	on other platforms. Many thanks to Tomas Hozza for
	spotting the problem, and doing invaluable discovery of
	the obscure and undocumented API required for the solution.

	Don't send the default DHCP option advertising dnsmasq as
	the local DNS server if dnsmasq is configured to not act
	as DNS server, or it's configured to a non-standard port.

	Add DNSMASQ_CIRCUIT_ID, DNSMASQ_SUBSCRIBER_ID,
	DNSMASQ_REMOTE_ID variables to the environment of the
	lease-change script (and the corresponding Lua). These hold
	information inserted into the DHCP request by a DHCP relay
	agent. Thanks to Lakefield Communications for providing a
	bounty for this addition.

	Fixed crash, introduced in 2.64, whilst handling DHCPv6
	information-requests with some common configurations.
	Thanks to Robert M. Albrecht for the bug report and 
	chasing the problem.

	Add --ipset option. Thanks to Jason A. Donenfeld for the 
	patch.

	Don't erroneously reject some option names in --dhcp-match
	options. Thanks to Benedikt Hochstrasser for the bug report.

	Allow a trailing '*' wildcard in all interface-name
	configurations. Thanks to Christian Parpart for the patch.

	Handle the situation where libc headers define
	SO_REUSEPORT, but the kernel in use doesn't, to cope with
	the introduction of this option to Linux. Thanks to Rich
	Felker for the bug report.

	Update Polish translation. Thanks to Jan Psota.

	Fix crash if the configured DHCP lease limit is
	reached. Regression occurred in 2.61. Thanks to Tsachi for
	the bug report. 

	Update the French translation. Thanks to Gildas le Nadan.


version 2.65
	Fix regression which broke forwarding of queries sent via
	TCP which are not for A and AAAA and which were directed to
	non-default servers. Thanks to Niax for the bug report.

	Fix failure to build with DHCP support excluded. Thanks to 
	Gustavo Zacarias for the patch.

	Fix nasty regression in 2.64 which completely broke caching.


version 2.64
	Handle DHCP FQDN options with all flag bits zero and
	--dhcp-client-update set. Thanks to Bernd Krumbroeck for
	spotting the problem.

	Finesse the check for /etc/hosts names which conflict with
	DHCP names. Previously a name/address pair in /etc/hosts
	which didn't match the name/address of a DHCP lease would
	generate a warning. Now that only happens if there is not
	also a match. This allows multiple addresses for a name in 
	/etc/hosts with one of them assigned via DHCP.

	Fix broken vendor-option processing for BOOTP. Thanks to
	Hans-Joachim Baader for the bug report.

	Don't report spurious netlink errors, regression in
	2.63. Thanks to Vladislav Grishenko for the patch.

	Flag DHCP or DHCPv6 in startup logging. Thanks to 
	Vladislav Grishenko for the patch.

	Add SetServersEx method in DBus interface. Thanks to Dan
	Williams for the patch.

	Add SetDomainServers method in DBus interface. Thanks to
	Roy Marples for the patch.

	Fix build with later Lua libraries. Thanks to Cristian
	Rodriguez for the patch.

	Add --max-cache-ttl option. Thanks to Dennis Kaarsemaker
	for the patch.

	Fix breakage of --host-record parsing, resulting in
	infinite loop at startup. Regression in 2.63. Thanks to
	Haim Gelfenbeyn for spotting this.
