[OpenWrt-Devel] [PATCH v2 5/5] dnsmasq: add UCI DNSSEC runtime support
Andre Heider
a.heider at gmail.com
Tue Jun 17 18:05:52 EDT 2014
Ship keys for the root zone and add two uci options to enable
DNSSEC checks:
Option 'dnssec': Activate DNSSEC validation
Option 'dnsseccheckunsigned': Ensure answers without DNSSEC are in
unsigned zones.
Signed-off-by: Andre Heider <a.heider at gmail.com>
---
package/network/services/dnsmasq/files/dnsmasq.init | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init
index f7edb28..9f16d5f 100644
--- a/package/network/services/dnsmasq/files/dnsmasq.init
+++ b/package/network/services/dnsmasq/files/dnsmasq.init
@@ -14,6 +14,7 @@ ADD_LOCAL_HOSTNAME=1
CONFIGFILE="/var/etc/dnsmasq.conf"
HOSTFILE="/tmp/hosts/dhcp"
+TRUSTANCHORSFILE="/usr/share/dnsmasq/trust-anchors.conf"
xappend() {
local value="$1"
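Review bot: The new TRUSTANCHORSFILE line points at /usr/share/dnsmasq/trust-anchors.conf, but the diffstat shows only dnsmasq.init changing, so nothing in this patch installs that file even though the commit message says it ships the root zone keys. If the file comes from an earlier patch in the series, say so in the commit message; otherwise add it here. Since the path is later handed to --conf-file, it would also help to confirm the file exists before enabling DNSSEC, so that a missing trust anchor file produces a clear log message instead of a resolver that fails to start.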
@@ -186,6 +187,13 @@ dnsmasq() {
config_list_foreach "$cfg" rebind_domain append_rebind_domain
}
+ config_get dnssec "$cfg" dnssec
+ [ "$dnssec" -gt 0 ] && {
+ xappend "--conf-file=$TRUSTANCHORSFILE"
+ xappend "--dnssec"
+ append_bool "$cfg" dnsseccheckunsigned "--dnssec-check-unsigned"
+ }
+
dhcp_option_add "$cfg" "" 0
xappend "--dhcp-broadcast=tag:needs-broadcast"
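Review bot: In the added block, `config_get dnssec "$cfg" dnssec` has no default, so on every config that does not set the option `[ "$dnssec" -gt 0 ]` compares an empty string numerically and prints a shell error on startup. The same test fails for boolean spellings such as 'true' or 'on', which leaves validation silently disabled for an admin who believes it is on. The option is described as a switch in the commit message and the sibling option already goes through append_bool, so read it as a boolean with an explicit default, for example `config_get_bool dnssec "$cfg" dnssec 0`, and then test `[ "$dnssec" -eq 1 ]`. The two new options also need documenting wherever the other dnsmasq UCI options are described.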
--
2.0.0
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel