dnsmasq: dnssec time handling uses ntpd hotplug

Change dnsmasq's dnssec time check handling to use time validity
indicated by ntpd rather than maintaining a cross boot/upgrade
/etc/dnsmasq.time timestamp file.  This saves flash device wear.

If ntpd client is configured in uci and you're using dnssec, then
dnsmasq will not check dnssec timestamp validity until ntpd hotplug
indicates sync via a stratum change. The ntpd hotplug leaves a status
flag file to indicate to dnsmasq.init that time is valid and that it
should now start in 'check dnssec timestamp valid' mode.

If ntpd client is not configured and you're using dnssec, then it is
presumed you're using an alternate time sync mechanism and that time is
correct, thus dnsmasq checks dnssec timestamps are valid from 1st start.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>

V2 - stratum & step ntp changes indicate time is valid
V3 - on initial flag file step signal dnsmasq with SIGHUP if running
V4 - only accept step ntp changes. Accepting both stratum & step could
result in unpleasant script race conditions
V5 - Actually only accepting stratum is the correct thing to do after
further testing
V6 - improve handling of non busybox ntpd
if sysntpd not executable
  dnsmasq checks dnssec timestamps
else
  sysntp script disabled - look for timestamp file - allows external mechanism to use hotplug flag file
  sysntp script enabled & uci ntp enabled  - look for timestamp file
  sysntp script enabled & uci ntp disabled - dnsmasq checks dnssec
timestamps
fi
master
Kevin Darbyshire-Bryant 9 years ago committed by Jo-Philipp Wich
parent f954f4337b
commit 5acfe55d71
  1. 6
      package/network/services/dnsmasq/Makefile
  2. 15
      package/network/services/dnsmasq/files/dnsmasq.init
  3. 16
      package/network/services/dnsmasq/files/dnsmasqsec-add-conffiles.sh
  4. 14
      package/network/services/dnsmasq/files/dnsmasqsec.hotplug

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=dnsmasq
PKG_VERSION:=2.76
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq
@ -142,6 +142,8 @@ define Package/dnsmasq/install
$(INSTALL_BIN) ./files/dnsmasq.init $(1)/etc/init.d/dnsmasq
$(INSTALL_DIR) $(1)/etc/hotplug.d/iface
$(INSTALL_DATA) ./files/dnsmasq.hotplug $(1)/etc/hotplug.d/iface/25-dnsmasq
$(INSTALL_DIR) $(1)/etc/hotplug.d/ntp
$(INSTALL_DATA) ./files/dnsmasqsec.hotplug $(1)/etc/hotplug.d/ntp/25-dnsmasqsec
endef
Package/dnsmasq-dhcpv6/install = $(Package/dnsmasq/install)
@ -151,8 +153,6 @@ $(call Package/dnsmasq/install,$(1))
ifneq ($(CONFIG_PACKAGE_dnsmasq_full_dnssec),)
$(INSTALL_DIR) $(1)/usr/share/dnsmasq
$(INSTALL_DATA) $(PKG_BUILD_DIR)/trust-anchors.conf $(1)/usr/share/dnsmasq
$(INSTALL_DIR) $(1)/lib/upgrade
$(INSTALL_BIN) ./files/dnsmasqsec-add-conffiles.sh $(1)/lib/upgrade
endif
endef

@ -16,6 +16,7 @@ CONFIGFILE="/var/etc/dnsmasq.conf"
HOSTFILE="/tmp/hosts/dhcp"
TRUSTANCHORSFILE="/usr/share/dnsmasq/trust-anchors.conf"
TIMESTAMPFILE="/etc/dnsmasq.time"
TIMEVALIDFILE="/var/state/dnsmasqsec"
xappend() {
local value="$1"
@ -235,7 +236,12 @@ dnsmasq() {
[ "$dnssec" -gt 0 ] && {
xappend "--conf-file=$TRUSTANCHORSFILE"
xappend "--dnssec"
xappend "--dnssec-timestamp=$TIMESTAMPFILE"
[ -x /etc/init.d/sysntpd ] && {
/etc/init.d/sysntpd enabled
[ "$?" -ne 0 -o "$(uci_get system.ntp.enabled)" = "1" ] && {
[ -f "$TIMEVALIDFILE" ] || xappend "--dnssec-no-timecheck"
}
}
append_bool "$cfg" dnsseccheckunsigned "--dnssec-check-unsigned"
}
@ -627,10 +633,7 @@ start_service() {
mkdir -p /var/lib/misc
touch /tmp/dhcp.leases
if [ ! -f "$TIMESTAMPFILE" ]; then
touch "$TIMESTAMPFILE"
chown dnsmasq.dnsmasq "$TIMESTAMPFILE"
fi
[ -f "$TIMESTAMPFILE" ] && rm -f "$TIMESTAMPFILE"
echo "# auto-generated config file from /etc/config/dhcp" > $CONFIGFILE
echo "# auto-generated config file from /etc/config/dhcp" > $HOSTFILE
@ -709,7 +712,7 @@ start_service() {
procd_add_jail dnsmasq ubus log
procd_add_jail_mount $CONFIGFILE $TRUSTANCHORSFILE $HOSTFILE /etc/passwd /etc/group /etc/TZ /dev/null /dev/urandom /etc/dnsmasq.conf /tmp/dnsmasq.d /tmp/resolv.conf.auto /etc/hosts /etc/ethers $EXTRA_MOUNT
procd_add_jail_mount_rw /var/run/dnsmasq/ /tmp/dhcp.leases $TIMESTAMPFILE
procd_add_jail_mount_rw /var/run/dnsmasq/ /tmp/dhcp.leases
procd_close_instance
}

@ -1,16 +0,0 @@
add_dnsmasqsec_conffiles()
{
local filelist="$1"
# do NOT include timestamp in a backup, only system upgrade
# dnsmasq restart ensures file timestamp is up to date
if [ -z $NEED_IMAGE ]; then
if [ $(ubus call service list '{"name":"dnsmasq"}' | jsonfilter -e '@.*.instances.instance1.running') = "true" ]; then
/etc/init.d/dnsmasq restart
sleep 1
echo "/etc/dnsmasq.time" >>$filelist
fi
fi
}
sysupgrade_init_conffiles="$sysupgrade_init_conffiles add_dnsmasqsec_conffiles"

@ -0,0 +1,14 @@
#!/bin/sh
TIMEVALIDFILE="/var/state/dnsmasqsec"
[ "$ACTION" = stratum ] || exit 0
[ -f "$TIMEVALIDFILE" ] || {
echo "ntpd says time is valid" >$TIMEVALIDFILE
/etc/init.d/dnsmasq enabled && {
pid=$(pidof dnsmasq)
[ "$(readlink /proc/$pid/exe)" = "/usr/sbin/dnsmasq" ] && kill -SIGHUP $pid \
|| /etc/init.d/dnsmasq restart
}
}
Loading…
Cancel
Save