Hi,
this set adds DNSSEC validation to dnsmasq, tested on ar71xx.
The set is pretty small and should be self-explanatory.
There's room for improvement though:
- compilation will fail under CONFIG_LIBNETTLE_MINI. I failed to express the
dependencies so that this combination is not allowed... Hints?
- the "Configuration" submenu shows up between the two variants but influences
both. Is there a recommended way to handle compile time options for
variants?
To test:
1) use a DNSSEC-capable upstream DNS server
2) add to /etc/config/dhcp:

    config dnsmasq
        ...
        # Activate DNSSEC validation
        option dnssec '1'
        # Ensure answers without DNSSEC are in unsigned zones
        option dnsseccheckunsigned '1'

Setting the latter option to '1' without fulfilling 1) will break
all queries!
- `dig +dnssec +multi +tcp posteo.de` should resolve with 'ad' in flags
- `dig +dnssec +multi +tcp dnssec-failed.org` should not resolve
Thanks,
Andre

Andre Heider (4):
  dnsmasq: use COPTS for compile time options
  dnsmasq: respect target's LDFLAGS
  dnsmasq: Add config option to enable DNSSEC validation
  dnsmasq: add UCI DNSSEC runtime support

 package/network/services/dnsmasq/Config.in         | 25 ++++++++++++++++++++++
 package/network/services/dnsmasq/Makefile          | 24 +++++++++++++++------
 .../network/services/dnsmasq/files/dnsmasq.init    |  8 +++++++
 3 files changed, 51 insertions(+), 6 deletions(-)
 create mode 100644 package/network/services/dnsmasq/Config.in

--
2.0.0
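
The two dig checks from the "To test" list can be scripted. The following is an added example, not part of the original message or the patch set: it classifies a dig answer by its header status and the 'ad' flag. The function names, the verdict labels and the sample header lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: verdict names below are this example's own labels.

classify_dig() {
    # $1: complete dig output as one string
    status=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        NOERROR|NXDOMAIN)
            # Match "ad" as a whole word among the header flags.
            case " $flags " in
                *" ad "*) echo validated ;;
                *)        echo unvalidated ;;
            esac ;;
        SERVFAIL) echo failed ;;   # bogus signatures, or upstream unreachable
        *)        echo unknown ;;
    esac
}

# Constructed header lines in dig's format, not captured from a real resolver.
SIGNED_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
NOT_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
BROKEN_CHAIN=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

expect() {
    # $1: label, $2: wanted verdict, $3: dig output
    got=$(classify_dig "$3")
    if [ "$got" = "$2" ]; then
        echo "PASS $1: $got"
    else
        echo "FAIL $1: got '$got', want '$2'"
        return 1
    fi
}

# Against a live router: expect posteo.de validated "$(dig +dnssec +multi +tcp posteo.de)"
expect "signed zone" validated "$SIGNED_OK"
expect "broken chain" failed "$BROKEN_CHAIN"
expect "validation off" unvalidated "$NOT_VALIDATED"
```

A "failed" verdict alone does not prove that validation rejected the answer, since SERVFAIL is also returned when the upstream server cannot be reached; pair it with a "validated" result for a correctly signed zone.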