Hi, On 14 June 2014 23:34, Andre Heider <a.hei...@gmail.com> wrote: > Enabling this compile time option adds a dependency on libnettle. > > Signed-off-by: Andre Heider <a.hei...@gmail.com> > --- > package/network/services/dnsmasq/Config.in | 25 +++++++++++++++++++++++++ > package/network/services/dnsmasq/Makefile | 10 +++++++++- > 2 files changed, 34 insertions(+), 1 deletion(-) > create mode 100644 package/network/services/dnsmasq/Config.in > > diff --git a/package/network/services/dnsmasq/Config.in > b/package/network/services/dnsmasq/Config.in > new file mode 100644 > index 0000000..cf02c5c > --- /dev/null > +++ b/package/network/services/dnsmasq/Config.in > @@ -0,0 +1,25 @@ > +menu "Configuration" > + depends on PACKAGE_dnsmasq > + > +config DNSMASQ_DNSSEC > + bool "DNSSEC support" > + default n > + help > + Enable support to validate DNS replies and cache DNSSEC data. > + > + When forwarding DNS queries, dnsmasq requests the DNSSEC > records needed > + to validate the replies. The replies are validated and the > result > + returned as the Authenticated Data bit in the DNS packet. In > addition > + the DNSSEC records are stored in the cache, making validation > by > + clients more efficient. > + > + Note that validation by clients is the most secure DNSSEC > mode, but for > + clients unable to do validation, use of the AD bit set by > dnsmasq is > + useful, provided that the network between the dnsmasq server > and the > + client is trusted. > + > + The nameservers upstream of dnsmasq must be DNSSEC-capable, > ie capable > + of returning DNSSEC records with data. If they are not, then > dnsmasq > + will not be able to determine the trusted status of answers. > + > +endmenu > diff --git a/package/network/services/dnsmasq/Makefile > b/package/network/services/dnsmasq/Makefile > index 8473656..dfd9c3a 100644 > --- a/package/network/services/dnsmasq/Makefile > +++ b/package/network/services/dnsmasq/Makefile 
> @@ -23,6 +23,8 @@ > PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSI > PKG_INSTALL:=1 > PKG_BUILD_PARALLEL:=1 > > +PKG_CONFIG_DEPENDS:=CONFIG_DNSMASQ_DNSSEC > + > include $(INCLUDE_DIR)/package.mk > > define Package/dnsmasq/Default > @@ -32,15 +34,20 @@ define Package/dnsmasq/Default > URL:=http://www.thekelleys.org.uk/dnsmasq/ > endef > > +define Package/dnsmasq/config > + source "$(SOURCE)/Config.in" > +endef > +
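Review bot: the help text added in Config.in never says that enabling DNSMASQ_DNSSEC pulls in libnettle, although the commit message states it, and that cost is what someone choosing the option in menuconfig for a small image needs to see. Add a sentence to the help block such as "Enabling this adds a dependency on libnettle." and keep `default n` as it is.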
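Review bot: in the last Makefile hunk the menu is attached only through `define Package/dnsmasq/config`, and Config.in gates it with `depends on PACKAGE_dnsmasq`, while PKG_BUILD_DIR is keyed on $(BUILD_VARIANT), so this Makefile builds more than one variant. With the plain dnsmasq package deselected and another variant selected, the option cannot be reached. Extend the `depends on` line to every variant package meant to support DNSSEC, or tie the option to the variant being built, and state in the commit message which variants are covered.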
It will be more complete if dnsmasq-dhcpv6 is also covered by this config option. Even better is letting this option depend on the actual dnsmasq build variant selected.

yousong