[openwrt/openwrt] dnsmasq: abort when dnssec requested but not available
LEDE Commits
lede-commits at lists.infradead.org
Fri Aug 7 03:57:19 EDT 2020
yousong pushed a commit to openwrt/openwrt.git, branch master:
https://git.openwrt.org/064dc1e81bc85f6ef8becc38854292853a59d2c2
commit 064dc1e81bc85f6ef8becc38854292853a59d2c2
Author: Yousong Zhou <yszhou4tech at gmail.com>
AuthorDate: Tue Aug 4 12:00:22 2020 +0800
dnsmasq: abort when dnssec requested but not available
Before this commit, if uci option "dnssec" was set, we pass "--dnssec"
and friends to dnsmasq, let it start and decide whether to quit and
whether to emit message for diagnosis
# dnsmasq --dnssec; echo $?
dnsmasq: DNSSEC not available: set HAVE_DNSSEC in src/config.h
1
DNSSEC as a feature is different from others like dhcp, tftp in that
it's a security feature. Better be explicit. With this change
committed, we make it so by not allowing it in the first in the
initscript, should dnsmasq later decides to not quit (not likely) or
quit without above explicit error (unlikely but less so ;)
So this is just being proactive. on/off choices with uci option
"dnssec" are still available like before
Link: https://github.com/openwrt/openwrt/pull/3265#issuecomment-667795302
Signed-off-by: Yousong Zhou <yszhou4tech at gmail.com>
---
package/network/services/dnsmasq/Makefile | 2 +-
package/network/services/dnsmasq/files/dnsmasq.init | 8 ++++++--
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile
index 22ecd12f07..ab3f4fd8d0 100644
--- a/package/network/services/dnsmasq/Makefile
+++ b/package/network/services/dnsmasq/Makefile
@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=dnsmasq
PKG_UPSTREAM_VERSION:=2.82
PKG_VERSION:=$(subst test,~~test,$(subst rc,~rc,$(PKG_UPSTREAM_VERSION)))
-PKG_RELEASE:=3
+PKG_RELEASE:=4
PKG_SOURCE:=$(PKG_NAME)-$(PKG_UPSTREAM_VERSION).tar.xz
PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq
diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init
index 9288971426..932103d8b5 100644
--- a/package/network/services/dnsmasq/files/dnsmasq.init
+++ b/package/network/services/dnsmasq/files/dnsmasq.init
@@ -42,9 +42,13 @@ dnsmasq_ignore_opt() {
bootp-*|\
pxe-*)
[ -z "$dnsmasq_has_dhcp" ] ;;
- dnssec-*|\
+ dnssec*|\
trust-anchor)
- [ -z "$dnsmasq_has_dnssec" ] ;;
+ if [ -z "$dnsmasq_has_dnssec" ]; then
+ echo "dnsmasq: \"$opt\" requested, but dnssec support is not available" >&2
+ exit 1
+ fi
+ ;;
tftp-*)
[ -z "$dnsmasq_has_tftp" ] ;;
ipset)
More information about the lede-commits
mailing list