Hi,
On 14 June 2014 23:34, Andre Heider <[email protected]> wrote:
> Enabling this compile time option adds a dependency on libnettle.
>
> Signed-off-by: Andre Heider <[email protected]>
> ---
> package/network/services/dnsmasq/Config.in | 25 +++++++++++++++++++++++++
> package/network/services/dnsmasq/Makefile | 10 +++++++++-
> 2 files changed, 34 insertions(+), 1 deletion(-)
> create mode 100644 package/network/services/dnsmasq/Config.in
>
> diff --git a/package/network/services/dnsmasq/Config.in
> b/package/network/services/dnsmasq/Config.in
> new file mode 100644
> index 0000000..cf02c5c
> --- /dev/null
> +++ b/package/network/services/dnsmasq/Config.in
> @@ -0,0 +1,25 @@
> +menu "Configuration"
> + depends on PACKAGE_dnsmasq
> +
> +config DNSMASQ_DNSSEC
> + bool "DNSSEC support"
> + default n
> + help
> + Enable support to validate DNS replies and cache DNSSEC data.
> +
> + When forwarding DNS queries, dnsmasq requests the DNSSEC
> records needed
> + to validate the replies. The replies are validated and the
> result
> + returned as the Authenticated Data bit in the DNS packet. In
> addition
> + the DNSSEC records are stored in the cache, making validation
> by
> + clients more efficient.
> +
> + Note that validation by clients is the most secure DNSSEC
> mode, but for
> + clients unable to do validation, use of the AD bit set by
> dnsmasq is
> + useful, provided that the network between the dnsmasq server
> and the
> + client is trusted.
> +
> + The nameservers upstream of dnsmasq must be DNSSEC-capable,
> ie capable
> + of returning DNSSEC records with data. If they are not, then
> dnsmasq
> + will not be able to determine the trusted status of answers.
> +
> +endmenu
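Review bot: the help text for DNSMASQ_DNSSEC never mentions the libnettle dependency that the commit message gives as the consequence of enabling the option, so someone reading only the menu entry cannot see what it pulls in. Add a sentence such as "Selecting this option adds a dependency on libnettle." It would also help to say whether selecting the option is enough to turn validation on or whether dnsmasq must additionally be configured for it at runtime; "Enable support to validate DNS replies" can be read either way, and a resolver that is assumed to validate but does not is the worse outcome. Minor: "ie" should be "i.e.".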
> diff --git a/package/network/services/dnsmasq/Makefile
> b/package/network/services/dnsmasq/Makefile
> index 8473656..dfd9c3a 100644
> --- a/package/network/services/dnsmasq/Makefile
> +++ b/package/network/services/dnsmasq/Makefile
> @@ -23,6 +23,8 @@
> PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSI
> PKG_INSTALL:=1
> PKG_BUILD_PARALLEL:=1
>
> +PKG_CONFIG_DEPENDS:=CONFIG_DNSMASQ_DNSSEC
> +
> include $(INCLUDE_DIR)/package.mk
>
> define Package/dnsmasq/Default
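Review bot: CONFIG_DNSMASQ_DNSSEC is listed in PKG_CONFIG_DEPENDS as one package-wide symbol, while PKG_BUILD_DIR in the context line above is keyed on $(BUILD_VARIANT), so the switch is tracked for every variant built from this Makefile even though the menu in Config.in is limited by "depends on PACKAGE_dnsmasq". Either state in the commit message that the option is meant to apply to all variants, or make the setting per variant so that each build only reacts to its own choice.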
> @@ -32,15 +34,20 @@ define Package/dnsmasq/Default
> URL:=http://www.thekelleys.org.uk/dnsmasq/
> endef
>
> +define Package/dnsmasq/config
> + source "$(SOURCE)/Config.in"
> +endef
> +
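Review bot: the config hook is defined only as Package/dnsmasq/config, although the hunk header shows that packages here are derived from Package/dnsmasq/Default. A build that selects only another package derived from that default never gets the menu, the symbol stays at "default n", and that package is built without DNSSEC with no visible choice offered. Define the hook for each package that should honour the option and adjust the "depends on" line in Config.in to match.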
It will be more complete if dnsmasq-dhcpv6 is also covered by this
config option. Even better is letting this option depend on the
actual dnsmasq build variant selected.
yousong