From 5acfe55d7139a5294192bddf10fe3a1de3180e8d Mon Sep 17 00:00:00 2001 From: Kevin Darbyshire-Bryant Date: Tue, 14 Jun 2016 11:00:21 +0100 Subject: dnsmasq: dnssec time handling uses ntpd hotplug Change dnsmasq's dnssec time check handling to use time validity indicated by ntpd rather than maintaining a cross boot/upgrade /etc/dnsmasq.time timestamp file. This saves flash device wear. If ntpd client is configured in uci and you're using dnssec, then dnsmasq will not check dnssec timestamp validity until ntpd hotplug indicates sync via a stratum change. The ntpd hotplug leaves a status flag file to indicate to dnsmasq.init that time is valid and that it should now start in 'check dnssec timestamp valid' mode. If ntpd client is not configured and you're using dnssec, then it is presumed you're using an alternate time sync mechanism and that time is correct, thus dnsmasq checks dnssec timestamps are valid from 1st start. Signed-off-by: Kevin Darbyshire-Bryant V2 - stratum & step ntp changes indicate time is valid V3 - on initial flag file step signal dnsmasq with SIGHUP if running V4 - only accept step ntp changes. Accepting both stratum & step could result in unpleasant script race conditions V5 - Actually only accepting stratum is the correct thing to do after further testing V6 - improve handling of non busybox ntpd if sysntpd not executable dnsmasq checks dnssec timestamps else sysntp script disabled - look for timestamp file - allows external mechanism to use hotplug flag file sysntp script enabled & uci ntp enabled - look for timestamp file sysntp script enabled & uci ntp disabled - dnsmasq checks dnssec timestamps fi --- package/network/services/dnsmasq/files/dnsmasq.init | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) (limited to 'package/network/services/dnsmasq/files/dnsmasq.init') diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init index 1a9903e..5f7afdb 100644 --- a/package/network/services/dnsmasq/files/dnsmasq.init +++ b/package/network/services/dnsmasq/files/dnsmasq.init @@ -16,6 +16,7 @@ CONFIGFILE="/var/etc/dnsmasq.conf" HOSTFILE="/tmp/hosts/dhcp" TRUSTANCHORSFILE="/usr/share/dnsmasq/trust-anchors.conf" TIMESTAMPFILE="/etc/dnsmasq.time" +TIMEVALIDFILE="/var/state/dnsmasqsec" xappend() { local value="$1" @@ -235,7 +236,12 @@ dnsmasq() { [ "$dnssec" -gt 0 ] && { xappend "--conf-file=$TRUSTANCHORSFILE" xappend "--dnssec" - xappend "--dnssec-timestamp=$TIMESTAMPFILE" + [ -x /etc/init.d/sysntpd ] && { + /etc/init.d/sysntpd enabled + [ "$?" -ne 0 -o "$(uci_get system.ntp.enabled)" = "1" ] && { + [ -f "$TIMEVALIDFILE" ] || xappend "--dnssec-no-timecheck" + } + } append_bool "$cfg" dnsseccheckunsigned "--dnssec-check-unsigned" } @@ -627,10 +633,7 @@ start_service() { mkdir -p /var/lib/misc touch /tmp/dhcp.leases - if [ ! -f "$TIMESTAMPFILE" ]; then - touch "$TIMESTAMPFILE" - chown dnsmasq.dnsmasq "$TIMESTAMPFILE" - fi + [ -f "$TIMESTAMPFILE" ] && rm -f "$TIMESTAMPFILE" echo "# auto-generated config file from /etc/config/dhcp" > $CONFIGFILE echo "# auto-generated config file from /etc/config/dhcp" > $HOSTFILE @@ -709,7 +712,7 @@ start_service() { procd_add_jail dnsmasq ubus log procd_add_jail_mount $CONFIGFILE $TRUSTANCHORSFILE $HOSTFILE /etc/passwd /etc/group /etc/TZ /dev/null /dev/urandom /etc/dnsmasq.conf /tmp/dnsmasq.d /tmp/resolv.conf.auto /etc/hosts /etc/ethers $EXTRA_MOUNT - procd_add_jail_mount_rw /var/run/dnsmasq/ /tmp/dhcp.leases $TIMESTAMPFILE + procd_add_jail_mount_rw /var/run/dnsmasq/ /tmp/dhcp.leases procd_close_instance } -- cgit v1.1