[Dnsmasq-discuss] dnssec-no-timecheck enhancement idea
Kevin Darbyshire-Bryant
kevin at darbyshire-bryant.me.uk
Mon Feb 9 13:21:55 GMT 2015
Further to my previous email I've cobbled something together, and it
even appears to work. There's quite a bit of coding guesswork going on
here and I really shouldn't be let anywhere near a C compiler. Either
way a new option '-dnssec_tvalid=integer', where integer is the number of
seconds since 1970 (the epoch), is implemented. If the current system clock
exceeds this time, DNSSEC timestamps will be checked; until that
time they are not.
Kevin
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 40323ed..1687305 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -239,7 +239,8 @@ struct event_desc {
#define OPT_LOCAL_SERVICE 49
#define OPT_LOOP_DETECT 50
#define OPT_EXTRALOG 51
-#define OPT_LAST 52
+#define OPT_DNSSEC_TVALID 52
+#define OPT_LAST 53
/* extra flags for my_syslog, we use a couple of facilities since they
are known
not to occupy the same bits as priorities, no matter how syslog.h is
set up. */
@@ -986,6 +987,7 @@ extern struct daemon {
#endif
#ifdef HAVE_DNSSEC
struct ds_config *ds;
+ time_t dnssec_tvalid;
#endif
/* globally used stuff for DNS */
diff --git a/src/dnssec.c b/src/dnssec.c
index 2693237..3a350c0 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -401,9 +401,15 @@ static int check_date_range(unsigned long
date_start, unsigned long date_end)
/* Checking timestamps may be temporarily disabled */
if (option_bool(OPT_DNSSEC_TIME))
- return 1;
-
- curtime = time(0);
+ if (daemon->dnssec_tvalid) {
+ curtime = time(0);
+ if (curtime > daemon->dnssec_tvalid) {
+ reset_option_bool(OPT_DNSSEC_TIME);
+ my_syslog(LOG_INFO, _("time is valid. Now checking DNSSEC
signature timestamps"));
+ }
+ }
+ else return 1;
+ else curtime = time(0);
/* We must explicitly check against wanted values, because of
SERIAL_UNDEF */
return serial_compare_32(curtime, date_start) == SERIAL_GT
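Review bot: When OPT_DNSSEC_TIME is set and dnssec_tvalid is non-zero but the clock has not yet passed it, control falls out of the inner `if (curtime > daemon->dnssec_tvalid)` block with no return and still reaches the serial_compare_32 check, so signature timestamps are validated during exactly the window the option is meant to exempt; with a clock stuck near the epoch every signed answer then fails (it fails closed, but it defeats the feature). The `else return 1;` / `else curtime = time(0);` pair also relies on dangling-else binding to read correctly, so the outer `if` should be braced and each early exit made explicit. curtime is declared outside the hunk; if it is the unsigned long the serial_compare_32 arguments suggest, comparing it against the time_t field mixes signedness, so the deadline comparison is better done in a time_t local. check_date_range begins before the hunk and its return expression continues after it.
```c
  /* Checking timestamps may be temporarily disabled */
  if (option_bool(OPT_DNSSEC_TIME))
    {
      time_t now;

      /* No deadline configured: skip the check until the option is reset elsewhere. */
      if (!daemon->dnssec_tvalid)
        return 1;

      now = time(0);
      /* Deadline not yet reached: the clock is still untrusted, skip the check. */
      if (now <= daemon->dnssec_tvalid)
        return 1;

      reset_option_bool(OPT_DNSSEC_TIME);
      my_syslog(LOG_INFO, _("time is valid. Now checking DNSSEC signature timestamps"));
    }

  curtime = time(0);
  /* … unchanged: serial_compare_32 range check … */
```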
diff --git a/src/option.c b/src/option.c
index e4b4865..20bec3c 100644
--- a/src/option.c
+++ b/src/option.c
@@ -152,6 +152,7 @@ struct myoption {
#define LOPT_DHCP_INOTIFY 340
#define LOPT_DHOPT_INOTIFY 341
#define LOPT_HOST_INOTIFY 342
+#define LOPT_DNSSEC_TVALID 343
#ifdef HAVE_GETOPT_LONG
static const struct option opts[] =
@@ -309,6 +310,7 @@ static const struct myoption opts[] =
{ "quiet-dhcp6", 0, 0, LOPT_QUIET_DHCP6 },
{ "quiet-ra", 0, 0, LOPT_QUIET_RA },
{ "dns-loop-detect", 0, 0, LOPT_LOOP_DETECT },
+ { "dnssec-tvalid", 1, 0, LOPT_DNSSEC_TVALID },
{ NULL, 0, 0, 0 }
};
@@ -463,6 +465,7 @@ static struct {
{ LOPT_DNSSEC_DEBUG, OPT_DNSSEC_DEBUG, NULL, gettext_noop("Disable
upstream checking for DNSSEC debugging."), NULL },
{ LOPT_DNSSEC_CHECK, OPT_DNSSEC_NO_SIGN, NULL, gettext_noop("Ensure
answers without DNSSEC are in unsigned zones."), NULL },
{ LOPT_DNSSEC_TIME, OPT_DNSSEC_TIME, NULL, gettext_noop("Don't check
DNSSEC signature timestamps until first cache-reload"), NULL },
+ { LOPT_DNSSEC_TVALID, ARG_ONE, "=seconds since epoch",
gettext_noop("Don't check DNSSEC signature timestamps until time exceeds
given time since epoch"), NULL },
#ifdef OPTION6_PREFIX_CLASS
{ LOPT_PREF_CLSS, ARG_DUP, "set:tag,<class>", gettext_noop("Specify
DHCPv6 prefix class"), NULL },
#endif
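Review bot: The argument placeholder `"=seconds since epoch"` on the new LOPT_DNSSEC_TVALID usage entry does not follow the angle-bracket form the neighbouring entries use (`"set:tag,<class>"`), and the leading `=` is presumably added by the help printer rather than belonging in the string; `"<seconds>"` would match the table's convention. The description could also say what happens once the deadline passes, e.g. `gettext_noop("Don't check DNSSEC signature timestamps until the system clock exceeds the given seconds since epoch")`.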
@@ -2463,6 +2466,23 @@ static int one_opt(int option, char *arg, char
*errstr, char *gen_err, int comma
daemon->max_logs = 100;
break;
+#ifdef HAVE_DNSSEC
+ case LOPT_DNSSEC_TIME:
+ {
+ daemon->dnssec_tvalid = 0; /* default */
+ break;
+ }
+ case LOPT_DNSSEC_TVALID: /* --log-async */
+ {
+ int tvalid;
+ if (!atoi_check(arg, &tvalid))
+ ret_err(gen_err);
+ set_option_bool(OPT_DNSSEC_TIME);
+ daemon->dnssec_tvalid = (time_t)tvalid;
+ break;
+ }
+#endif
+
case 'P': /* --edns-packet-max */
{
int i;
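Review bot: The `case LOPT_DNSSEC_TIME:` block added before `case LOPT_DNSSEC_TVALID` looks unreachable: LOPT_DNSSEC_TIME is a plain boolean entry in the usage table (`LOPT_DNSSEC_TIME, OPT_DNSSEC_TIME` in the hunk above), and if, as the rest of option.c suggests, such entries are consumed by the table loop before the switch is reached, the `daemon->dnssec_tvalid = 0` reset never runs and the two options interact only through argument order; worth confirming before relying on it. The comment `/* --log-async */` on the LOPT_DNSSEC_TVALID case is a copy-paste leftover and should read `/* --dnssec-tvalid */`. Parsing the deadline into `int tvalid` caps the accepted value at 2^31-1 (January 2038) on every platform regardless of the `(time_t)` cast, so a seconds-since-epoch value should be parsed into a wider type (strtoul-style into an unsigned long long, range-checked, then stored) rather than through atoi_check. one_opt begins and ends outside the hunk.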