dnsmasq: Enable DNSSEC timestamp feature
author Michael Tremer <michael.tremer@ipfire.org>
Tue, 10 Mar 2015 15:22:09 +0000 (16:22 +0100)
committer Michael Tremer <michael.tremer@ipfire.org>
Thu, 12 Mar 2015 11:59:24 +0000 (12:59 +0100)
This disables DNSSEC until the system clock has been set correctly.
There is a circular dependency on working DNS and being able to
resolve DNS records in order to reach a time server. Systems without
an RTC or empty RTC battery will start up with time way in the past
in which all DNSSEC signatures are invalid.

src/initscripts/init.d/dnsmasq

index 48b9d19..4e37925 100644 (file)
@@ -26,7 +26,7 @@ SHOW_SRV=1
 TRUST_ANCHOR=".,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"
 
 function dnssec_args() {
-       local cmdline="--dnssec"
+       local cmdline="--dnssec --dnssec-timestamp"
 
        if [ -n "${TRUST_ANCHOR}" ]; then
                cmdline="${cmdline} --trust-anchor=${TRUST_ANCHOR}"
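
Review bot: On the changed `local cmdline=` line, `--dnssec-timestamp` is passed with no value, whereas upstream dnsmasq documents the option as `--dnssec-timestamp=<path>`, naming a file on persistent storage whose mtime is compared against the system clock. If the dnsmasq build shipped here follows upstream, give the path explicitly, ideally through a variable next to `TRUST_ANCHOR` so it is appended the same way `--trust-anchor=${TRUST_ANCHOR}` is. A short comment in `dnssec_args()` stating that validation is relaxed until the clock is considered valid would also help, since the script itself does not show that trade-off and the flag is now unconditional whenever DNSSEC is on.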