[Dnsmasq-discuss] Clarify/Improve DNSSEC related SIGHUP handling
Kevin Darbyshire-Bryant
kevin at darbyshire-bryant.me.uk
Mon Jul 11 08:54:16 BST 2016
Hi Simon,
Please could you consider the attached patch. It solves a problem that
using dnssec-timestamp also effectively enabled dnssec-no-timecheck.
The result of which is that an unfortunately timed SIGHUP could
accidentally enable dnssec timestamp checking. In combination with
dnssec-check-unsigned that could prove 'challenging' :-)
The patch matches the behaviour as is documented in the manpage.
kind regards,
Kevin
-------------- next part --------------
>From f94c6d70aaaea0511ef3c7667093b4b54952804e Mon Sep 17 00:00:00 2001
From: Kevin Darbyshire-Bryant <kevin at darbyshire-bryant.me.uk>
Date: Fri, 27 May 2016 10:23:47 +0100
Subject: [PATCH] Improve dnssec SIGHUP behaviour
Signed-off-by: Kevin Darbyshire-Bryant <kevin at darbyshire-bryant.me.uk>
---
src/dnsmasq.c | 7 ++++---
src/dnsmasq.h | 1 +
src/dnssec.c | 5 +++--
3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index 045ec53..a47273f 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -750,7 +750,8 @@ int main (int argc, char **argv)
my_syslog(LOG_INFO, _("DNSSEC validation enabled"));
- if (option_bool(OPT_DNSSEC_TIME))
+ daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME);
+ if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future)
my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until first cache reload"));
if (rc == 1)
@@ -1226,10 +1227,10 @@ static void async_event(int pipe, time_t now)
{
case EVENT_RELOAD:
#ifdef HAVE_DNSSEC
- if (option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME))
+ if (daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME))
{
my_syslog(LOG_INFO, _("now checking DNSSEC signature timestamps"));
- reset_option_bool(OPT_DNSSEC_TIME);
+ daemon->dnssec_no_time_check = 0;
}
#endif
/* fall through */
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 1896a64..be27ae0 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -992,6 +992,7 @@ extern struct daemon {
#endif
#ifdef HAVE_DNSSEC
struct ds_config *ds;
+ int dnssec_no_time_check;
int back_to_the_future;
char *timestamp_file;
#endif
diff --git a/src/dnssec.c b/src/dnssec.c
index 3c77c7d..64358fa 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -522,15 +522,16 @@ static int check_date_range(u32 date_start, u32 date_end)
if (utime(daemon->timestamp_file, NULL) != 0)
my_syslog(LOG_ERR, _("failed to update mtime on %s: %s"), daemon->timestamp_file, strerror(errno));
+ my_syslog(LOG_INFO, _("system time considered valid, now checking DNSSEC signature timestamps."));
daemon->back_to_the_future = 1;
- set_option_bool(OPT_DNSSEC_TIME);
+ daemon->dnssec_no_time_check = 0;
queue_event(EVENT_RELOAD); /* purge cache */
}
if (daemon->back_to_the_future == 0)
return 1;
}
- else if (option_bool(OPT_DNSSEC_TIME))
+ else if (daemon->dnssec_no_time_check)
return 1;
/* We must explicitly check against wanted values, because of SERIAL_UNDEF */
--
1.9.1
More information about the Dnsmasq-discuss
mailing list