| | 1 | From 06093a9a845bb597005d892d5d1bc7859933ada4 Mon Sep 17 00:00:00 2001 |
| | 2 | From: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk> |
| | 3 | Date: Mon, 11 Jul 2016 21:03:27 +0100 |
| | 4 | Subject: [PATCH] Fix problem with --dnssec-timestamp whereby receipt of |
| | 5 | SIGHUP would erroneously engage timestamp checking. |
| | 6 | |
| | 7 | --- |
| | 8 | CHANGELOG | 4 ++++ |
| | 9 | src/dnsmasq.c | 7 ++++--- |
| | 10 | src/dnsmasq.h | 1 + |
| | 11 | src/dnssec.c | 5 +++-- |
| | 12 | 4 files changed, 12 insertions(+), 5 deletions(-) |
| | 13 | |
| | 14 | diff --git a/CHANGELOG b/CHANGELOG |
| | 15 | index 59c9c49..9f1e404 100644 |
| | 16 | --- a/CHANGELOG |
| | 17 | +++ b/CHANGELOG |
| | 18 | @@ -17,6 +17,10 @@ version 2.77 |
| | 19 | Thanks to Ivan Kokshaysky for the diagnosis and |
| | 20 | patch. |
| | 21 | |
| | 22 | + Fix problem with --dnssec-timestamp whereby receipt |
| | 23 | + of SIGHUP would erroneously engage timestamp checking. |
| | 24 | + Thanks to Kevin Darbyshire-Bryant for this work. |
| | 25 | + |
| | 26 | |
| | 27 | version 2.76 |
| | 28 | Include 0.0.0.0/8 in DNS rebind checks. This range |
| | 29 | diff --git a/src/dnsmasq.c b/src/dnsmasq.c |
| | 30 | index 045ec53..a47273f 100644 |
| | 31 | --- a/src/dnsmasq.c |
| | 32 | +++ b/src/dnsmasq.c |
| | 33 | @@ -750,7 +750,8 @@ int main (int argc, char **argv) |
| | 34 | |
| | 35 | my_syslog(LOG_INFO, _("DNSSEC validation enabled")); |
| | 36 | |
| | 37 | - if (option_bool(OPT_DNSSEC_TIME)) |
| | 38 | + daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME); |
| | 39 | + if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future) |
| | 40 | my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until first cache reload")); |
| | 41 | |
| | 42 | if (rc == 1) |
| | 43 | @@ -1226,10 +1227,10 @@ static void async_event(int pipe, time_t now) |
| | 44 | { |
| | 45 | case EVENT_RELOAD: |
| | 46 | #ifdef HAVE_DNSSEC |
| | 47 | - if (option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME)) |
| | 48 | + if (daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME)) |
| | 49 | { |
| | 50 | my_syslog(LOG_INFO, _("now checking DNSSEC signature timestamps")); |
| | 51 | - reset_option_bool(OPT_DNSSEC_TIME); |
| | 52 | + daemon->dnssec_no_time_check = 0; |
| | 53 | } |
| | 54 | #endif |
| | 55 | /* fall through */ |
| | 56 | diff --git a/src/dnsmasq.h b/src/dnsmasq.h |
| | 57 | index 1896a64..be27ae0 100644 |
| | 58 | --- a/src/dnsmasq.h |
| | 59 | +++ b/src/dnsmasq.h |
| | 60 | @@ -992,6 +992,7 @@ extern struct daemon { |
| | 61 | #endif |
| | 62 | #ifdef HAVE_DNSSEC |
| | 63 | struct ds_config *ds; |
| | 64 | + int dnssec_no_time_check; |
| | 65 | int back_to_the_future; |
| | 66 | char *timestamp_file; |
| | 67 | #endif |
| | 68 | diff --git a/src/dnssec.c b/src/dnssec.c |
| | 69 | index 3c77c7d..64358fa 100644 |
| | 70 | --- a/src/dnssec.c |
| | 71 | +++ b/src/dnssec.c |
| | 72 | @@ -522,15 +522,16 @@ static int check_date_range(u32 date_start, u32 date_end) |
| | 73 | if (utime(daemon->timestamp_file, NULL) != 0) |
| | 74 | my_syslog(LOG_ERR, _("failed to update mtime on %s: %s"), daemon->timestamp_file, strerror(errno)); |
| | 75 | |
| | 76 | + my_syslog(LOG_INFO, _("system time considered valid, now checking DNSSEC signature timestamps.")); |
| | 77 | daemon->back_to_the_future = 1; |
| | 78 | - set_option_bool(OPT_DNSSEC_TIME); |
| | 79 | + daemon->dnssec_no_time_check = 0; |
| | 80 | queue_event(EVENT_RELOAD); /* purge cache */ |
| | 81 | } |
| | 82 | |
| | 83 | if (daemon->back_to_the_future == 0) |
| | 84 | return 1; |
| | 85 | } |
| | 86 | - else if (option_bool(OPT_DNSSEC_TIME)) |
| | 87 | + else if (daemon->dnssec_no_time_check) |
| | 88 | return 1; |
| | 89 | |
| | 90 | /* We must explicitly check against wanted values, because of SERIAL_UNDEF */ |
| | 91 | -- |
| | 92 | 1.7.10.4 |
| | 93 | |
projects / ipfire-2.x.git / blame_incremental