authorSimon Kelley <simon@thekelleys.org.uk>2014-03-28 20:41:23 +0000
committerSimon Kelley <simon@thekelleys.org.uk>2014-03-28 20:41:23 +0000
commite98bd52e253d0f75bcfd014c59054babd65a8a8e (patch)
tree7b893c86c81fa99dc2873de6a265ea9c22d31919
parent8a8bbad0cf12f95fc7459a39a940242906c41c9d (diff)
downloaddnsmasq-e98bd52e253d0f75bcfd014c59054babd65a8a8e.tar.gz
Add --dnssec-no-timecheck
-rw-r--r--man/dnsmasq.89
-rw-r--r--src/dnsmasq.c20
-rw-r--r--src/dnsmasq.h3
-rw-r--r--src/dnssec.c8
-rw-r--r--src/option.c159
5 files changed, 116 insertions, 83 deletions
diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index b339b79..d5a17fb 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -636,6 +636,15 @@ performance. See also the warning about upstream servers in the
section on
.B --dnssec
.TP
+.B --dnssec-no-timecheck
+DNSSEC signatures are only valid for specified time windows, and should be rejected outside those windows. This generates an
+interesting chicken-and-egg problem for machines which don't have a hardware real time clock. For these machines to determine the correct
+time typically requires use of NTP and therefore DNS, but validating DNS requires that the correct time is already known. Setting this flag
+removes the time-window checks (but not other DNSSEC validation.) only until the dnsmasq process receives SIGHUP. The intention is
+that dnsmasq should be started with this flag when the platform determines that reliable time is not currently available. As soon as
+reliable time is established, a SIGHUP should be sent to dnsmasq, which enables time checking, and purges the cache of DNS records
+which have not been throughly checked.
+.TP
.B --proxy-dnssec
Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients and cache it. This is an
alternative to having dnsmasq validate DNSSEC, but it depends on the security of the network between
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index 9ac1a37..1c96a0e 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -397,7 +397,7 @@ int main (int argc, char **argv)
piperead = pipefd[0];
pipewrite = pipefd[1];
/* prime the pipe to load stuff first time. */
- send_event(pipewrite, EVENT_RELOAD, 0, NULL);
+ send_event(pipewrite, EVENT_INIT, 0, NULL);
err_pipe[1] = -1;
@@ -667,7 +667,11 @@ int main (int argc, char **argv)
#ifdef HAVE_DNSSEC
if (option_bool(OPT_DNSSEC_VALID))
- my_syslog(LOG_INFO, _("DNSSEC validation enabled"));
+ {
+ my_syslog(LOG_INFO, _("DNSSEC validation enabled"));
+ if (option_bool(OPT_DNSSEC_TIME))
+ my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until first cache reload"));
+ }
#endif
if (log_err != 0)
@@ -1130,8 +1134,18 @@ static void async_event(int pipe, time_t now)
switch (ev.event)
{
case EVENT_RELOAD:
+#ifdef HAVE_DNSSEC
+ if (option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME))
+ {
+ my_syslog(LOG_INFO, _("now checking DNSSEC signature timestamps"));
+ reset_option_bool(OPT_DNSSEC_TIME);
+ }
+#endif
+ /* fall through */
+
+ case EVENT_INIT:
clear_cache_and_reload(now);
-
+
if (daemon->port != 0)
{
if (daemon->resolv_files && option_bool(OPT_NO_POLL))
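Review bot: The `reset_option_bool(OPT_DNSSEC_TIME);` added under EVENT_RELOAD runs before the fall-through into clear_cache_and_reload(), which is the order that matters (records validated while timestamp checks were off are dropped once checking is back on), but nothing in the code says the ordering is deliberate. Suggest a comment above the new `#ifdef HAVE_DNSSEC`: `/* Re-enable timestamp checks before the cache flush below so nothing validated under --dnssec-no-timecheck survives the reload. */`. It is also worth noting in that comment that any EVENT_RELOAD clears the flag, not only one sent because reliable time became available; that matches the man page but is not obvious from the switch alone. The enclosing switch and async_event continue outside the hunk.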
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 9c541eb..589461d 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -164,6 +164,7 @@ struct event_desc {
#define EVENT_FORK_ERR 18
#define EVENT_LUA_ERR 19
#define EVENT_TFTP_ERR 20
+#define EVENT_INIT 21
/* Exit codes. */
#define EC_GOOD 0
@@ -230,7 +231,7 @@ struct event_desc {
#define OPT_QUIET_DHCP6 43
#define OPT_QUIET_RA 44
#define OPT_DNSSEC_VALID 45
-#define OPT_DNSSEC_PERMISS 46
+#define OPT_DNSSEC_TIME 46
#define OPT_DNSSEC_DEBUG 47
#define OPT_DNSSEC_NO_SIGN 48
#define OPT_LOCAL_SERVICE 49
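Review bot: OPT_DNSSEC_PERMISS is renamed in place to OPT_DNSSEC_TIME, reusing option bit 46, and no hunk in this commit removes a use of the old name, so presumably it was already unreferenced; that should be confirmed, since any surviving reference to OPT_DNSSEC_PERMISS would fail to compile. A short note on the line, such as `#define OPT_DNSSEC_TIME 46 /* replaces unused OPT_DNSSEC_PERMISS */`, would record why an existing number was reused rather than a fresh one allocated.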
diff --git a/src/dnssec.c b/src/dnssec.c
index 6640c46..a6dd6d5 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -390,7 +390,13 @@ static int serial_compare_32(unsigned long s1, unsigned long s2)
/* Check whether today/now is between date_start and date_end */
static int check_date_range(unsigned long date_start, unsigned long date_end)
{
- unsigned long curtime = time(0);
+ unsigned long curtime;
+
+ /* Checking timestamps may be temporarily disabled */
+ if (option_bool(OPT_DNSSEC_TIME))
+ return 1;
+
+ curtime = time(0);
/* We must explicitly check against wanted values, because of SERIAL_UNDEF */
return serial_compare_32(curtime, date_start) == SERIAL_GT
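Review bot: The early `return 1` added at the top of check_date_range accepts RRSIGs that have already expired as well as ones that are not yet valid, and the new comment only says checking "may be temporarily disabled" without stating that consequence. Suggest replacing it with `/* --dnssec-no-timecheck: until the first SIGHUP both expired and not-yet-valid signatures pass here; the cache is flushed when checking resumes. */` so a later reader does not treat this as a narrow clock-skew allowance. Moving the `time(0)` call below the check is fine. The function's return expression continues past the end of the hunk.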
diff --git a/src/option.c b/src/option.c
index 049060b..daa728f 100644
--- a/src/option.c
+++ b/src/option.c
@@ -64,87 +64,88 @@ struct myoption {
#define OPTSTRING "951yZDNLERKzowefnbvhdkqr:m:p:c:l:s:i:t:u:g:a:x:S:C:A:T:H:Q:I:B:F:G:O:M:X:V:U:j:P:J:W:Y:2:4:6:7:8:0:3:"
/* options which don't have a one-char version */
-#define LOPT_RELOAD 256
-#define LOPT_NO_NAMES 257
-#define LOPT_TFTP 258
-#define LOPT_SECURE 259
-#define LOPT_PREFIX 260
-#define LOPT_PTR 261
-#define LOPT_BRIDGE 262
-#define LOPT_TFTP_MAX 263
-#define LOPT_FORCE 264
-#define LOPT_NOBLOCK 265
-#define LOPT_LOG_OPTS 266
-#define LOPT_MAX_LOGS 267
-#define LOPT_CIRCUIT 268
-#define LOPT_REMOTE 269
-#define LOPT_SUBSCR 270
-#define LOPT_INTNAME 271
-#define LOPT_BANK 272
-#define LOPT_DHCP_HOST 273
-#define LOPT_APREF 274
-#define LOPT_OVERRIDE 275
-#define LOPT_TFTPPORTS 276
-#define LOPT_REBIND 277
-#define LOPT_NOLAST 278
-#define LOPT_OPTS 279
-#define LOPT_DHCP_OPTS 280
-#define LOPT_MATCH 281
-#define LOPT_BROADCAST 282
-#define LOPT_NEGTTL 283
-#define LOPT_ALTPORT 284
-#define LOPT_SCRIPTUSR 285
-#define LOPT_LOCAL 286
-#define LOPT_NAPTR 287
-#define LOPT_MINPORT 288
-#define LOPT_DHCP_FQDN 289
-#define LOPT_CNAME 290
-#define LOPT_PXE_PROMT 291
-#define LOPT_PXE_SERV 292
-#define LOPT_TEST 293
-#define LOPT_TAG_IF 294
-#define LOPT_PROXY 295
-#define LOPT_GEN_NAMES 296
-#define LOPT_MAXTTL 297
-#define LOPT_NO_REBIND 298
-#define LOPT_LOC_REBND 299
-#define LOPT_ADD_MAC 300
-#define LOPT_DNSSEC 301
-#define LOPT_INCR_ADDR 302
-#define LOPT_CONNTRACK 303
-#define LOPT_FQDN 304
-#define LOPT_LUASCRIPT 305
-#define LOPT_RA 306
-#define LOPT_DUID 307
-#define LOPT_HOST_REC 308
-#define LOPT_TFTP_LC 309
-#define LOPT_RR 310
-#define LOPT_CLVERBIND 311
-#define LOPT_MAXCTTL 312
-#define LOPT_AUTHZONE 313
-#define LOPT_AUTHSERV 314
-#define LOPT_AUTHTTL 315
-#define LOPT_AUTHSOA 316
-#define LOPT_AUTHSFS 317
-#define LOPT_AUTHPEER 318
-#define LOPT_IPSET 319
-#define LOPT_SYNTH 320
+#define LOPT_RELOAD 256
+#define LOPT_NO_NAMES 257
+#define LOPT_TFTP 258
+#define LOPT_SECURE 259
+#define LOPT_PREFIX 260
+#define LOPT_PTR 261
+#define LOPT_BRIDGE 262
+#define LOPT_TFTP_MAX 263
+#define LOPT_FORCE 264
+#define LOPT_NOBLOCK 265
+#define LOPT_LOG_OPTS 266
+#define LOPT_MAX_LOGS 267
+#define LOPT_CIRCUIT 268
+#define LOPT_REMOTE 269
+#define LOPT_SUBSCR 270
+#define LOPT_INTNAME 271
+#define LOPT_BANK 272
+#define LOPT_DHCP_HOST 273
+#define LOPT_APREF 274
+#define LOPT_OVERRIDE 275
+#define LOPT_TFTPPORTS 276
+#define LOPT_REBIND 277
+#define LOPT_NOLAST 278
+#define LOPT_OPTS 279
+#define LOPT_DHCP_OPTS 280
+#define LOPT_MATCH 281
+#define LOPT_BROADCAST 282
+#define LOPT_NEGTTL 283
+#define LOPT_ALTPORT 284
+#define LOPT_SCRIPTUSR 285
+#define LOPT_LOCAL 286
+#define LOPT_NAPTR 287
+#define LOPT_MINPORT 288
+#define LOPT_DHCP_FQDN 289
+#define LOPT_CNAME 290
+#define LOPT_PXE_PROMT 291
+#define LOPT_PXE_SERV 292
+#define LOPT_TEST 293
+#define LOPT_TAG_IF 294
+#define LOPT_PROXY 295
+#define LOPT_GEN_NAMES 296
+#define LOPT_MAXTTL 297
+#define LOPT_NO_REBIND 298
+#define LOPT_LOC_REBND 299
+#define LOPT_ADD_MAC 300
+#define LOPT_DNSSEC 301
+#define LOPT_INCR_ADDR 302
+#define LOPT_CONNTRACK 303
+#define LOPT_FQDN 304
+#define LOPT_LUASCRIPT 305
+#define LOPT_RA 306
+#define LOPT_DUID 307
+#define LOPT_HOST_REC 308
+#define LOPT_TFTP_LC 309
+#define LOPT_RR 310
+#define LOPT_CLVERBIND 311
+#define LOPT_MAXCTTL 312
+#define LOPT_AUTHZONE 313
+#define LOPT_AUTHSERV 314
+#define LOPT_AUTHTTL 315
+#define LOPT_AUTHSOA 316
+#define LOPT_AUTHSFS 317
+#define LOPT_AUTHPEER 318
+#define LOPT_IPSET 319
+#define LOPT_SYNTH 320
#ifdef OPTION6_PREFIX_CLASS
-#define LOPT_PREF_CLSS 321
+#define LOPT_PREF_CLSS 321
#endif
-#define LOPT_RELAY 323
-#define LOPT_RA_PARAM 324
-#define LOPT_ADD_SBNET 325
-#define LOPT_QUIET_DHCP 326
-#define LOPT_QUIET_DHCP6 327
-#define LOPT_QUIET_RA 328
-#define LOPT_SEC_VALID 329
-#define LOPT_TRUST_ANCHOR 330
-#define LOPT_DNSSEC_DEBUG 331
-#define LOPT_REV_SERV 332
-#define LOPT_SERVERS_FILE 333
-#define LOPT_DNSSEC_CHECK 334
+#define LOPT_RELAY 323
+#define LOPT_RA_PARAM 324
+#define LOPT_ADD_SBNET 325
+#define LOPT_QUIET_DHCP 326
+#define LOPT_QUIET_DHCP6 327
+#define LOPT_QUIET_RA 328
+#define LOPT_SEC_VALID 329
+#define LOPT_TRUST_ANCHOR 330
+#define LOPT_DNSSEC_DEBUG 331
+#define LOPT_REV_SERV 332
+#define LOPT_SERVERS_FILE 333
+#define LOPT_DNSSEC_CHECK 334
#define LOPT_LOCAL_SERVICE 335
+#define LOPT_DNSSEC_TIME 336
#ifdef HAVE_GETOPT_LONG
static const struct option opts[] =
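Review bot: This hunk re-aligns every existing LOPT_* #define (roughly seventy lines that change only in whitespace) around the single functional addition `#define LOPT_DNSSEC_TIME 336`, which buries the real change and makes later blame on these lines point at this commit. Splitting the reformat into a whitespace-only commit would leave a one-line functional diff here. The value 336 follows LOPT_LOCAL_SERVICE 335 and does not collide with anything visible in the hunk.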
@@ -287,6 +288,7 @@ static const struct myoption opts[] =
{ "trust-anchor", 1, 0, LOPT_TRUST_ANCHOR },
{ "dnssec-debug", 0, 0, LOPT_DNSSEC_DEBUG },
{ "dnssec-check-unsigned", 0, 0, LOPT_DNSSEC_CHECK },
+ { "dnssec-no-timecheck", 0, 0, LOPT_DNSSEC_TIME },
#ifdef OPTION6_PREFIX_CLASS
{ "dhcp-prefix-class", 1, 0, LOPT_PREF_CLSS },
#endif
@@ -443,6 +445,7 @@ static struct {
{ LOPT_TRUST_ANCHOR, ARG_DUP, "<domain>,[<class>],...", gettext_noop("Specify trust anchor key digest."), NULL },
{ LOPT_DNSSEC_DEBUG, OPT_DNSSEC_DEBUG, NULL, gettext_noop("Disable upstream checking for DNSSEC debugging."), NULL },
{ LOPT_DNSSEC_CHECK, OPT_DNSSEC_NO_SIGN, NULL, gettext_noop("Ensure answers without DNSSEC are in unsigned zones."), NULL },
+ { LOPT_DNSSEC_TIME, OPT_DNSSEC_TIME, NULL, gettext_noop("Don't check DNSSEC signature timestamps until first cache-reload"), NULL },
#ifdef OPTION6_PREFIX_CLASS
{ LOPT_PREF_CLSS, ARG_DUP, "set:tag,<class>", gettext_noop("Specify DHCPv6 prefix class"), NULL },
#endif
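Review bot: The help string added for LOPT_DNSSEC_TIME lacks the trailing full stop that the neighbouring entries use (compare `"Ensure answers without DNSSEC are in unsigned zones."`); change it to `gettext_noop("Don't check DNSSEC signature timestamps until first cache-reload.")` so the --help output stays consistent and translators see one style. The usage table continues outside the hunk.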