Hi,

On 14 June 2014 23:34, Andre Heider <a.hei...@gmail.com> wrote:
> Enabling this compile time option adds a dependency on libnettle.
>
> Signed-off-by: Andre Heider <a.hei...@gmail.com>
> ---
>  package/network/services/dnsmasq/Config.in | 25 +++++++++++++++++++++++++
>  package/network/services/dnsmasq/Makefile  | 10 +++++++++-
>  2 files changed, 34 insertions(+), 1 deletion(-)
>  create mode 100644 package/network/services/dnsmasq/Config.in
>
> diff --git a/package/network/services/dnsmasq/Config.in 
> b/package/network/services/dnsmasq/Config.in
> new file mode 100644
> index 0000000..cf02c5c
> --- /dev/null
> +++ b/package/network/services/dnsmasq/Config.in
> @@ -0,0 +1,25 @@
> +menu "Configuration"
> +       depends on PACKAGE_dnsmasq
> +
> +config DNSMASQ_DNSSEC
> +       bool "DNSSEC support"
> +       default n
> +       help
> +               Enable support to validate DNS replies and cache DNSSEC data.
> +
> +               When forwarding DNS queries, dnsmasq requests the DNSSEC 
> records needed
> +               to validate the replies. The replies are validated and the 
> result
> +               returned as the Authenticated Data bit in the DNS packet. In 
> addition
> +               the DNSSEC records are stored in the cache, making validation 
> by
> +               clients more efficient.
> +
> +               Note that validation by clients is the most secure DNSSEC 
> mode, but for
> +               clients unable to do validation, use of the AD bit set by 
> dnsmasq is
> +               useful, provided that the network between the dnsmasq server 
> and the
> +               client is trusted.
> +
> +               The nameservers upstream of dnsmasq must be DNSSEC-capable, 
> ie capable
> +               of returning DNSSEC records with data. If they are not, then 
> dnsmasq
> +               will not be able to determine the trusted status of answers.
> +
> +endmenu
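
Review bot: The help text of DNSMASQ_DNSSEC never mentions the libnettle dependency that the commit message says this option adds, so someone enabling it in menuconfig gets no hint that an extra library ends up on the image. A closing help sentence along the lines of "Enabling this adds a dependency on libnettle." would cover it. Two smaller points in the same entry: `default n` is redundant, since a Kconfig bool with no default is already n, and "ie capable" should read "i.e. capable".
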
> diff --git a/package/network/services/dnsmasq/Makefile 
> b/package/network/services/dnsmasq/Makefile
> index 8473656..dfd9c3a 100644
> --- a/package/network/services/dnsmasq/Makefile
> +++ b/package/network/services/dnsmasq/Makefile
> @@ -23,6 +23,8 @@ 
> PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSI
>  PKG_INSTALL:=1
>  PKG_BUILD_PARALLEL:=1
>
> +PKG_CONFIG_DEPENDS:=CONFIG_DNSMASQ_DNSSEC
> +
>  include $(INCLUDE_DIR)/package.mk
>
>  define Package/dnsmasq/Default
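
Review bot: PKG_CONFIG_DEPENDS is set once for the whole Makefile, and the context line shows PKG_BUILD_DIR keyed on BUILD_VARIANT, so a change to CONFIG_DNSMASQ_DNSSEC applies to every variant's build, while the new Config.in menu is gated on `depends on PACKAGE_dnsmasq` alone. Either widen that menu dependency to the other variants or restrict the symbol's effect to the variant that offers it, so the symbol that triggers a rebuild is always one the user can see and set for the variant being built.
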
> @@ -32,15 +34,20 @@ define Package/dnsmasq/Default
>    URL:=http://www.thekelleys.org.uk/dnsmasq/
>  endef
>
> +define Package/dnsmasq/config
> +       source "$(SOURCE)/Config.in"
> +endef
> +

It will be more complete if dnsmasq-dhcpv6 is also covered by this
config option.  Even better is letting this option depend on the
actual dnsmasq build variant selected.

                yousong
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
