Enabling this compile time option adds a dependency on libnettle. Signed-off-by: Andre Heider <a.hei...@gmail.com> --- package/network/services/dnsmasq/Config.in | 25 +++++++++++++++++++++++++ package/network/services/dnsmasq/Makefile | 10 +++++++++- 2 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 package/network/services/dnsmasq/Config.in
diff --git a/package/network/services/dnsmasq/Config.in b/package/network/services/dnsmasq/Config.in
new file mode 100644
index 0000000..cf02c5c
--- /dev/null
+++ b/package/network/services/dnsmasq/Config.in
@@ -0,0 +1,25 @@
+menu "Configuration"
+ depends on PACKAGE_dnsmasq
+
+config DNSMASQ_DNSSEC
+ bool "DNSSEC support"
+ default n
+ help
+ Enable support to validate DNS replies and cache DNSSEC data.
+
+ When forwarding DNS queries, dnsmasq requests the DNSSEC records needed
+ to validate the replies. The replies are validated and the result
+ returned as the Authenticated Data bit in the DNS packet. In addition
+ the DNSSEC records are stored in the cache, making validation by
+ clients more efficient.
+
+ Note that validation by clients is the most secure DNSSEC mode, but for
+ clients unable to do validation, use of the AD bit set by dnsmasq is
+ useful, provided that the network between the dnsmasq server and the
+ client is trusted.
+
+ The nameservers upstream of dnsmasq must be DNSSEC-capable, ie capable
+ of returning DNSSEC records with data. If they are not, then dnsmasq
+ will not be able to determine the trusted status of answers.
+
+endmenu
diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile
index 8473656..dfd9c3a 100644
--- a/package/network/services/dnsmasq/Makefile
+++ b/package/network/services/dnsmasq/Makefile
@@ -23,6 +23,8 @@ PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSI
 PKG_INSTALL:=1
 PKG_BUILD_PARALLEL:=1
+PKG_CONFIG_DEPENDS:=CONFIG_DNSMASQ_DNSSEC
+
 include $(INCLUDE_DIR)/package.mk
 define Package/dnsmasq/Default
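Review bot: The menu's `depends on PACKAGE_dnsmasq` in Config.in hides DNSMASQ_DNSSEC whenever only the dnsmasq-dhcpv6 variant is selected, although the Makefile changes give that variant the same `+DNSMASQ_DNSSEC:libnettle` dependency and the same -DHAVE_DNSSEC flag. As far as these hunks show, a DHCPv6-only image can never be built with DNSSEC unless the plain dnsmasq package is enabled as well. The line should read `depends on PACKAGE_dnsmasq || PACKAGE_dnsmasq-dhcpv6` so the option is reachable from either variant.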
@@ -32,15 +34,20 @@ define Package/dnsmasq/Default
 URL:=http://www.thekelleys.org.uk/dnsmasq/
 endef
+define Package/dnsmasq/config
+ source "$(SOURCE)/Config.in"
+endef
+
 define Package/dnsmasq
 $(call Package/dnsmasq/Default)
+ DEPENDS:=+DNSMASQ_DNSSEC:libnettle
 VARIANT:=nodhcpv6
 endef
 define Package/dnsmasq-dhcpv6
 $(call Package/dnsmasq/Default)
 TITLE += (with DHCPv6 support)
- DEPENDS:=@IPV6 +kmod-ipv6
+ DEPENDS:=@IPV6 +kmod-ipv6 +DNSMASQ_DNSSEC:libnettle
 VARIANT:=dhcpv6
 endef
@@ -65,6 +72,7 @@ TARGET_CFLAGS += -ffunction-sections -fdata-sections
 TARGET_LDFLAGS += -Wl,--gc-sections
 COPTS = $(if $(CONFIG_IPV6),,-DNO_IPV6) -DNO_IPSET -DNO_AUTH
+COPTS += $(if $(CONFIG_DNSMASQ_DNSSEC),-DHAVE_DNSSEC,)
 ifeq ($(BUILD_VARIANT),nodhcpv6)
 COPTS += -DNO_DHCP6
--
2.0.0
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
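Review bot: The added `COPTS += $(if $(CONFIG_DNSMASQ_DNSSEC),-DHAVE_DNSSEC,)` line in the last hunk only compiles the validator in; none of the visible hunks installs a trust anchor or sets the runtime `dnssec` option, so an image built with DNSMASQ_DNSSEC=y would presumably still forward answers unvalidated until the user adds `dnssec` and a `trust-anchor=` entry by hand. I would put a comment above the line, `# HAVE_DNSSEC only builds the validator in; validation stays off until dnsmasq.conf sets dnssec and a trust-anchor`, and state the same in the Config.in help so the option is not read as turning validation on. Signature checks also depend on a correct clock, which a router without an RTC lacks at boot, so the runtime defaults deserve a follow-up. The `ifeq` block after this line continues outside the hunk.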