1 | From 06093a9a845bb597005d892d5d1bc7859933ada4 Mon Sep 17 00:00:00 2001 |
2 | From: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk> | |
3 | Date: Mon, 11 Jul 2016 21:03:27 +0100 | |
4 | Subject: [PATCH] Fix problem with --dnssec-timestamp whereby receipt of | |
5 | SIGHUP would erroneously engage timestamp checking. | |
6 | ||
7 | --- | |
8 | CHANGELOG | 4 ++++ | |
9 | src/dnsmasq.c | 7 ++++--- | |
10 | src/dnsmasq.h | 1 + | |
11 | src/dnssec.c | 5 +++-- | |
12 | 4 files changed, 12 insertions(+), 5 deletions(-) | |
13 | ||
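diff --git a/CHANGELOG b/CHANGELOG
index 59c9c49..9f1e404 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -17,6 +17,10 @@ version 2.77
 Thanks to Ivan Kokshaysky for the diagnosis and
 patch.
 
+ Fix problem with --dnssec-timestamp whereby receipt
+ of SIGHUP would erroneously engage timestamp checking.
+ Thanks to Kevin Darbyshire-Bryant for this work.
+
 
 version 2.76
 Include 0.0.0.0/8 in DNS rebind checks. This range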
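diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index 045ec53..a47273f 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -750,7 +750,8 @@ int main (int argc, char **argv)
 
 my_syslog(LOG_INFO, _("DNSSEC validation enabled"));
 
- if (option_bool(OPT_DNSSEC_TIME))
+ daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME);
+ if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future)
 my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until first cache reload"));
 
 if (rc == 1)
@@ -1226,10 +1227,10 @@ static void async_event(int pipe, time_t now)
 {
 case EVENT_RELOAD:
 #ifdef HAVE_DNSSEC
- if (option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME))
+ if (daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME))
 {
 my_syslog(LOG_INFO, _("now checking DNSSEC signature timestamps"));
- reset_option_bool(OPT_DNSSEC_TIME);
+ daemon->dnssec_no_time_check = 0;
 }
 #endif
 /* fall through */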
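Review bot: In the main() hunk the new flag and the log message below it are driven by different conditions: `daemon->dnssec_no_time_check` is set from `option_bool(OPT_DNSSEC_TIME)` alone, while the "not checked until first cache reload" message also requires `!daemon->back_to_the_future`. When the option is given and `back_to_the_future` is already non-zero, the flag stays set without any message, and the EVENT_RELOAD case in async_event() will later log "now checking DNSSEC signature timestamps" for a transition that may not have changed anything. Because this flag decides whether signature validity periods are enforced, the log should track it exactly; consider `daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future;` followed by `if (daemon->dnssec_no_time_check)`, after confirming how check_date_range() treats that state. Both main() and async_event() continue outside the hunks shown.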
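diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 1896a64..be27ae0 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -992,6 +992,7 @@ extern struct daemon {
 #endif
 #ifdef HAVE_DNSSEC
 struct ds_config *ds;
+ int dnssec_no_time_check;
 int back_to_the_future;
 char *timestamp_file;
 #endif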
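Review bot: The new `dnssec_no_time_check` member has no comment, and its negative polarity makes it easy to misread: going by the other hunks in this patch, non-zero means signature timestamps are not being checked. A one-line comment on the field would help, for example `/* non-zero while DNSSEC signature timestamps are not checked; runtime state, initialised from OPT_DNSSEC_TIME */`. It would also be worth stating next to it how it relates to `back_to_the_future`, since both appear to gate the same check. The struct definition starts and ends outside the hunk.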
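diff --git a/src/dnssec.c b/src/dnssec.c
index 3c77c7d..64358fa 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -522,15 +522,16 @@ static int check_date_range(u32 date_start, u32 date_end)
 if (utime(daemon->timestamp_file, NULL) != 0)
 my_syslog(LOG_ERR, _("failed to update mtime on %s: %s"), daemon->timestamp_file, strerror(errno));
 
+ my_syslog(LOG_INFO, _("system time considered valid, now checking DNSSEC signature timestamps."));
 daemon->back_to_the_future = 1;
- set_option_bool(OPT_DNSSEC_TIME);
+ daemon->dnssec_no_time_check = 0;
 queue_event(EVENT_RELOAD); /* purge cache */
 }
 
 if (daemon->back_to_the_future == 0)
 return 1;
 }
- else if (option_bool(OPT_DNSSEC_TIME))
+ else if (daemon->dnssec_no_time_check)
 return 1;
 
 /* We must explicitly check against wanted values, because of SERIAL_UNDEF */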
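Review bot: The two early `return 1` paths are now governed by different variables, `daemon->back_to_the_future` inside the first branch and `daemon->dnssec_no_time_check` in the `else if`, and nothing in the code says so. The condition opening the first branch is outside the hunk, but it appears to be the timestamp-file mode; there, clearing `dnssec_no_time_check` on SIGHUP does not make this function start checking, so the "now checking DNSSEC signature timestamps" message from async_event() could be logged while dates are apparently still accepted unchecked. A comment above `if (daemon->back_to_the_future == 0)` such as `/* timestamp-file mode: only back_to_the_future gates the check; dnssec_no_time_check is not consulted */` would make that explicit for anyone relying on the logs to know when enforcement began. The new LOG_INFO string also ends in a full stop, unlike the other messages in this patch.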
91 | -- | |
92 | 1.7.10.4 | |