[Dnsmasq-discuss] dnssec-no-timecheck enhancement idea
Kevin Darbyshire-Bryant
kevin at darbyshire-bryant.me.uk
Mon Feb 9 14:02:38 GMT 2015
Sorry, I told you I shouldn't be let anywhere near a C compiler. Here's
a patch that actually works! (previously missing a return in dnssec.c)
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 40323ed..1687305 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -239,7 +239,8 @@ struct event_desc {
#define OPT_LOCAL_SERVICE 49
#define OPT_LOOP_DETECT 50
#define OPT_EXTRALOG 51
-#define OPT_LAST 52
+#define OPT_DNSSEC_TVALID 52
+#define OPT_LAST 53
/* extra flags for my_syslog, we use a couple of facilities since they
are known
not to occupy the same bits as priorities, no matter how syslog.h is
set up. */
@@ -986,6 +987,7 @@ extern struct daemon {
#endif
#ifdef HAVE_DNSSEC
struct ds_config *ds;
+ time_t dnssec_tvalid;
#endif
/* globally used stuff for DNS */
diff --git a/src/dnssec.c b/src/dnssec.c
index 2693237..137f350 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -401,9 +401,16 @@ static int check_date_range(unsigned long
date_start, unsigned long date_end)
/* Checking timestamps may be temporarily disabled */
if (option_bool(OPT_DNSSEC_TIME))
- return 1;
-
- curtime = time(0);
+ if (daemon->dnssec_tvalid) {
+ curtime = time(0);
+ if (curtime > daemon->dnssec_tvalid) {
+ reset_option_bool(OPT_DNSSEC_TIME);
+ my_syslog(LOG_INFO, _("time is valid. Now checking DNSSEC
signature timestamps"));
+ }
+ else return 1;
+ }
+ else return 1;
+ else curtime = time(0);
/* We must explicitly check against wanted values, because of
SERIAL_UNDEF */
return serial_compare_32(curtime, date_start) == SERIAL_GT
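Review bot: The new branch in check_date_range stacks `if (option_bool(OPT_DNSSEC_TIME))`, an inner `if (daemon->dnssec_tvalid) {...} else return 1;` and a trailing `else curtime = time(0);` without braces on the outer `if`, so the reader has to apply the dangling-else rule to see which `else` belongs where; the code is correct today, but a one-line edit here would silently rebind an `else`. Restructuring it as guard clauses inside a braced block (below) keeps the same three outcomes — early `return 1` while the deadline is unset or not yet reached, one-way `reset_option_bool` plus the syslog line once it is passed, plain `curtime = time(0)` when the option is off. The deadline is judged against the same clock the option exists to distrust, which is worth a comment above the test, e.g. `/* dnssec_tvalid is compared with the local clock; a clock that is wrong but already past the deadline re-enables timestamp checks at once */`. The return expression of check_date_range continues beyond the visible lines of the hunk.
```c
  /* Checking timestamps may be temporarily disabled */
  if (option_bool(OPT_DNSSEC_TIME))
    {
      if (!daemon->dnssec_tvalid)
        return 1;
      curtime = time(0);
      if (curtime <= daemon->dnssec_tvalid)
        return 1;
      /* Deadline reached: switch checking on for good. */
      reset_option_bool(OPT_DNSSEC_TIME);
      my_syslog(LOG_INFO, _("time is valid. Now checking DNSSEC signature timestamps"));
    }
  else
    curtime = time(0);
  /* … unchanged: serial_compare_32 range test … */
```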
diff --git a/src/option.c b/src/option.c
index e4b4865..20bec3c 100644
--- a/src/option.c
+++ b/src/option.c
@@ -152,6 +152,7 @@ struct myoption {
#define LOPT_DHCP_INOTIFY 340
#define LOPT_DHOPT_INOTIFY 341
#define LOPT_HOST_INOTIFY 342
+#define LOPT_DNSSEC_TVALID 343
#ifdef HAVE_GETOPT_LONG
static const struct option opts[] =
@@ -309,6 +310,7 @@ static const struct myoption opts[] =
{ "quiet-dhcp6", 0, 0, LOPT_QUIET_DHCP6 },
{ "quiet-ra", 0, 0, LOPT_QUIET_RA },
{ "dns-loop-detect", 0, 0, LOPT_LOOP_DETECT },
+ { "dnssec-tvalid", 1, 0, LOPT_DNSSEC_TVALID },
{ NULL, 0, 0, 0 }
};
@@ -463,6 +465,7 @@ static struct {
{ LOPT_DNSSEC_DEBUG, OPT_DNSSEC_DEBUG, NULL, gettext_noop("Disable
upstream checking for DNSSEC debugging."), NULL },
{ LOPT_DNSSEC_CHECK, OPT_DNSSEC_NO_SIGN, NULL, gettext_noop("Ensure
answers without DNSSEC are in unsigned zones."), NULL },
{ LOPT_DNSSEC_TIME, OPT_DNSSEC_TIME, NULL, gettext_noop("Don't check
DNSSEC signature timestamps until first cache-reload"), NULL },
+ { LOPT_DNSSEC_TVALID, ARG_ONE, "=seconds since epoch",
gettext_noop("Don't check DNSSEC signature timestamps until time exceeds
given time since epoch"), NULL },
#ifdef OPTION6_PREFIX_CLASS
{ LOPT_PREF_CLSS, ARG_DUP, "set:tag,<class>", gettext_noop("Specify
DHCPv6 prefix class"), NULL },
#endif
@@ -2463,6 +2466,23 @@ static int one_opt(int option, char *arg, char
*errstr, char *gen_err, int comma
daemon->max_logs = 100;
break;
+#ifdef HAVE_DNSSEC
+ case LOPT_DNSSEC_TIME:
+ {
+ daemon->dnssec_tvalid = 0; /* default */
+ break;
+ }
+ case LOPT_DNSSEC_TVALID: /* --log-async */
+ {
+ int tvalid;
+ if (!atoi_check(arg, &tvalid))
+ ret_err(gen_err);
+ set_option_bool(OPT_DNSSEC_TIME);
+ daemon->dnssec_tvalid = (time_t)tvalid;
+ break;
+ }
+#endif
+
case 'P': /* --edns-packet-max */
{
int i;
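Review bot: The comment on the new `case LOPT_DNSSEC_TVALID: /* --log-async */` line is a leftover from the case it was copied from and labels the wrong option; it should read `case LOPT_DNSSEC_TVALID: /* --dnssec-tvalid */`. The value is parsed into an `int` by `atoi_check` and then cast to `time_t`, so as far as the hunk shows a negative deadline is accepted (and is then trivially exceeded by any clock) and seconds-since-epoch values above INT_MAX cannot be expressed; at least the negative case should be refused, `if (!atoi_check(arg, &tvalid) || tvalid < 0) ret_err(gen_err);`. The added `case LOPT_DNSSEC_TIME:` that zeroes `daemon->dnssec_tvalid` looks unreachable if one_opt's flag-option path handles table entries whose third column is an OPT_* bit (as the entry at the `LOPT_DNSSEC_TIME, OPT_DNSSEC_TIME` line suggests) before the switch — worth confirming, since if it is reachable it would also discard an earlier `--dnssec-tvalid` when `--dnssec-no-timecheck` follows it. The hunk appears to be missing its final context line and one_opt's body continues outside it.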