Further to my previous email, I've cobbled something together, and it even appears to work. There's quite a bit of coding guesswork going on here and I really shouldn't be let anywhere near a C compiler. Either way, a new option '--dnssec-tvalid=integer', where integer is the number of seconds since 1970 (the epoch), is implemented. If the current system clock exceeds this time then DNSSEC timestamps will be checked; until then they are not.
Kevin
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 40323ed..1687305 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -239,7 +239,8 @@ struct event_desc {
 #define OPT_LOCAL_SERVICE 49
 #define OPT_LOOP_DETECT 50
 #define OPT_EXTRALOG 51
-#define OPT_LAST 52
+#define OPT_DNSSEC_TVALID 52
+#define OPT_LAST 53
 
 /* extra flags for my_syslog, we use a couple of facilities since they are known
    not to occupy the same bits as priorities, no matter how syslog.h is set up. */
@@ -986,6 +987,7 @@ extern struct daemon {
 #endif
 #ifdef HAVE_DNSSEC
   struct ds_config *ds;
+  time_t dnssec_tvalid;
 #endif
 
   /* globally used stuff for DNS */
diff --git a/src/dnssec.c b/src/dnssec.c
index 2693237..3a350c0 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -401,9 +401,15 @@ static int check_date_range(unsigned long date_start, unsigned long date_end)
 
   /* Checking timestamps may be temporarily disabled */
   if (option_bool(OPT_DNSSEC_TIME))
-    return 1;
-
-  curtime = time(0);
+    if (daemon->dnssec_tvalid) {
+      curtime = time(0);
+      if (curtime > daemon->dnssec_tvalid) {
+        reset_option_bool(OPT_DNSSEC_TIME);
+        my_syslog(LOG_INFO, _("time is valid. Now checking DNSSEC signature timestamps"));
+      }
+    }
+    else return 1;
+  else curtime = time(0);
 
   /* We must explicitly check against wanted values, because of SERIAL_UNDEF */
   return serial_compare_32(curtime, date_start) == SERIAL_GT
diff --git a/src/option.c b/src/option.c
index e4b4865..20bec3c 100644
--- a/src/option.c
+++ b/src/option.c
@@ -152,6 +152,7 @@ struct myoption {
 #define LOPT_DHCP_INOTIFY 340
 #define LOPT_DHOPT_INOTIFY 341
 #define LOPT_HOST_INOTIFY 342
+#define LOPT_DNSSEC_TVALID 343
 
 #ifdef HAVE_GETOPT_LONG
 static const struct option opts[] =
@@ -309,6 +310,7 @@ static const struct myoption opts[] =
   { "quiet-dhcp6", 0, 0, LOPT_QUIET_DHCP6 },
   { "quiet-ra", 0, 0, LOPT_QUIET_RA },
   { "dns-loop-detect", 0, 0, LOPT_LOOP_DETECT },
+  { "dnssec-tvalid", 1, 0, LOPT_DNSSEC_TVALID },
   { NULL, 0, 0, 0 }
 };
 
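Review bot: In the new check_date_range branch, when OPT_DNSSEC_TIME is set and `daemon->dnssec_tvalid` is non-zero but the clock has not yet passed it, control falls out of the inner `if` without returning, so the function goes on to compare the signature dates against the still-untrusted `curtime` and rejects signatures the option was meant to accept; only the `dnssec_tvalid == 0` path keeps the old `return 1`. The nested `if`/`else` pairs without braces around the outer body also make the else-binding hard to read. A guard-clause shape returns early in both skip cases and leaves the reset-and-log step on the single path where the clock is trusted. The declaration of `curtime` and the rest of check_date_range are outside the hunk; if `curtime` is an `unsigned long` like the parameters, the comparison converts `dnssec_tvalid` to unsigned, which is fine for non-negative thresholds.
```c
  /* Checking timestamps may be temporarily disabled */
  if (option_bool(OPT_DNSSEC_TIME))
    {
      /* No threshold configured: stay disabled until the first cache reload. */
      if (!daemon->dnssec_tvalid)
        return 1;
      curtime = time(0);
      /* Clock not yet past the threshold: still untrusted, keep skipping. */
      if (curtime <= daemon->dnssec_tvalid)
        return 1;
      reset_option_bool(OPT_DNSSEC_TIME);
      my_syslog(LOG_INFO, _("time is valid. Now checking DNSSEC signature timestamps"));
    }
  else
    curtime = time(0);
  /* … unchanged: serial_compare_32 range check … */
```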
@@ -463,6 +465,7 @@ static struct {
   { LOPT_DNSSEC_DEBUG, OPT_DNSSEC_DEBUG, NULL, gettext_noop("Disable upstream checking for DNSSEC debugging."), NULL },
   { LOPT_DNSSEC_CHECK, OPT_DNSSEC_NO_SIGN, NULL, gettext_noop("Ensure answers without DNSSEC are in unsigned zones."), NULL },
   { LOPT_DNSSEC_TIME, OPT_DNSSEC_TIME, NULL, gettext_noop("Don't check DNSSEC signature timestamps until first cache-reload"), NULL },
+  { LOPT_DNSSEC_TVALID, ARG_ONE, "=seconds since epoch", gettext_noop("Don't check DNSSEC signature timestamps until time exceeds given time since epoch"), NULL },
 #ifdef OPTION6_PREFIX_CLASS
   { LOPT_PREF_CLSS, ARG_DUP, "set:tag,<class>", gettext_noop("Specify DHCPv6 prefix class"), NULL },
 #endif
@@ -2463,6 +2466,23 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
         daemon->max_logs = 100;
       break;
 
+#ifdef HAVE_DNSSEC
+    case LOPT_DNSSEC_TIME:
+      {
+        daemon->dnssec_tvalid = 0; /* default */
+        break;
+      }
+    case LOPT_DNSSEC_TVALID: /* --log-async */
+      {
+        int tvalid;
+        if (!atoi_check(arg, &tvalid))
+          ret_err(gen_err);
+        set_option_bool(OPT_DNSSEC_TIME);
+        daemon->dnssec_tvalid = (time_t)tvalid;
+        break;
+      }
+#endif
+
     case 'P': /* --edns-packet-max */
       {
         int i;
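Review bot: The comment on the new `case LOPT_DNSSEC_TVALID: /* --log-async */` is copied from another option and should read `/* --dnssec-tvalid */`. The neighbouring `case LOPT_DNSSEC_TIME:` looks unreachable: the table hunk just above maps LOPT_DNSSEC_TIME to OPT_DNSSEC_TIME as a plain flag, and if one_opt handles flag-table options before reaching the switch, as those entries suggest, `daemon->dnssec_tvalid = 0` never runs and should either be dropped or moved to wherever the flag is actually set. `atoi_check` parses into an `int`, so a threshold beyond 2^31-1 seconds (early 2038) cannot be expressed even where time_t is 64-bit; parsing with `strtoll` and rejecting negative or malformed input before the `(time_t)` assignment removes that limit. one_opt begins and ends outside the hunk.
```c
    case LOPT_DNSSEC_TVALID: /* --dnssec-tvalid */
      {
        char *end;
        long long tvalid;
        errno = 0;
        tvalid = strtoll(arg, &end, 10);
        /* whole argument must be a non-negative decimal that fits in long long */
        if (end == arg || *end != '\0' || errno == ERANGE || tvalid < 0)
          ret_err(gen_err);
        set_option_bool(OPT_DNSSEC_TIME);
        daemon->dnssec_tvalid = (time_t)tvalid;
        break;
      }
```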