[openwrt/openwrt] dnsmasq: abort when dnssec requested but not available

LEDE Commits lede-commits at lists.infradead.org
Fri Aug 7 03:57:19 EDT 2020


yousong pushed a commit to openwrt/openwrt.git, branch master:
https://git.openwrt.org/064dc1e81bc85f6ef8becc38854292853a59d2c2

commit 064dc1e81bc85f6ef8becc38854292853a59d2c2
Author: Yousong Zhou <yszhou4tech at gmail.com>
AuthorDate: Tue Aug 4 12:00:22 2020 +0800

    dnsmasq: abort when dnssec requested but not available
    
    Before this commit, if uci option "dnssec" was set, we pass "--dnssec"
    and friends to dnsmasq, let it start and decide whether to quit and
    whether to emit a message for diagnosis:
    
      # dnsmasq --dnssec; echo $?
      dnsmasq: DNSSEC not available: set HAVE_DNSSEC in src/config.h
      1
    
    DNSSEC as a feature is different from others like dhcp, tftp in that
    it's a security feature.  Better be explicit.  With this change
    committed, we make it so by not allowing it in the first place in the
    initscript, should dnsmasq later decide to not quit (not likely) or
    quit without above explicit error (unlikely but less so ;)
    
    So this is just being proactive.  On/off choices with uci option
    "dnssec" are still available like before.
    
    Link: https://github.com/openwrt/openwrt/pull/3265#issuecomment-667795302
    Signed-off-by: Yousong Zhou <yszhou4tech at gmail.com>
---
 package/network/services/dnsmasq/Makefile           | 2 +-
 package/network/services/dnsmasq/files/dnsmasq.init | 8 ++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile
index 22ecd12f07..ab3f4fd8d0 100644
--- a/package/network/services/dnsmasq/Makefile
+++ b/package/network/services/dnsmasq/Makefile
@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=dnsmasq
 PKG_UPSTREAM_VERSION:=2.82
 PKG_VERSION:=$(subst test,~~test,$(subst rc,~rc,$(PKG_UPSTREAM_VERSION)))
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_UPSTREAM_VERSION).tar.xz
 PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq
diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init
index 9288971426..932103d8b5 100644
--- a/package/network/services/dnsmasq/files/dnsmasq.init
+++ b/package/network/services/dnsmasq/files/dnsmasq.init
@@ -42,9 +42,13 @@ dnsmasq_ignore_opt() {
 		bootp-*|\
 		pxe-*)
 			[ -z "$dnsmasq_has_dhcp" ] ;;
-		dnssec-*|\
+		dnssec*|\
 		trust-anchor)
-			[ -z "$dnsmasq_has_dnssec" ] ;;
+			if [ -z "$dnsmasq_has_dnssec" ]; then
+				echo "dnsmasq: \"$opt\" requested, but dnssec support is not available" >&2
+				exit 1
+			fi
+			;;
 		tftp-*)
 			[ -z "$dnsmasq_has_tftp" ] ;;
 		ipset)
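
Review bot: In the new `dnssec*|trust-anchor)` branch, the `if ... fi` has no else and nothing after it, so when `$dnsmasq_has_dnssec` is set the branch finishes with status 0, whereas the replaced `[ -z "$dnsmasq_has_dnssec" ]` finished with status 1 in that case. The neighbouring branches (`[ -z "$dnsmasq_has_dhcp" ] ;;`, `[ -z "$dnsmasq_has_tftp" ] ;;`) use that status as the result of dnsmasq_ignore_opt, so if the case statement's status is what the function returns, the DNSSEC options would now be reported as ignorable on a build that does support DNSSEC, and dnsmasq could start without validation even though "dnssec" is set. Adding `return 1` after `fi` would keep the old result for the supported case. Separately, `exit 1` here ends the whole init script rather than only this function; a one-line comment saying that is intended would help the next reader.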
