Ship keys for the root zone and add two uci options to enable DNSSEC checks:
Option 'dnssec': Activate DNSSEC validation
Option 'dnsseccheckunsigned': Ensure answers without DNSSEC are in unsigned zones
Signed-off-by: Andre Heider <a.hei...@gmail.com>
---
 package/network/services/dnsmasq/Makefile | 2 ++
 package/network/services/dnsmasq/files/dnsmasq.init | 8 ++++++++
 2 files changed, 10 insertions(+)
diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile
index dfd9c3a..6250a8a 100644
--- a/package/network/services/dnsmasq/Makefile
+++ b/package/network/services/dnsmasq/Makefile
@@ -91,6 +91,8 @@ define Package/dnsmasq/install
 $(INSTALL_DIR) $(1)/etc/config
 $(INSTALL_DATA) ./files/dhcp.conf $(1)/etc/config/dhcp
 $(INSTALL_DATA) ./files/dnsmasq.conf $(1)/etc/dnsmasq.conf
+ $(INSTALL_DIR) $(1)/usr/share/dnsmasq
+ $(INSTALL_DATA) $(PKG_BUILD_DIR)/trust-anchors.conf $(1)/usr/share/dnsmasq
 $(INSTALL_DIR) $(1)/etc/init.d
 $(INSTALL_BIN) ./files/dnsmasq.init $(1)/etc/init.d/dnsmasq
 $(INSTALL_DIR) $(1)/etc/hotplug.d/iface
diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init
index f7edb28..9f16d5f 100644
--- a/package/network/services/dnsmasq/files/dnsmasq.init
+++ b/package/network/services/dnsmasq/files/dnsmasq.init
@@ -14,6 +14,7 @@ ADD_LOCAL_HOSTNAME=1
 CONFIGFILE="/var/etc/dnsmasq.conf"
 HOSTFILE="/tmp/hosts/dhcp"
+TRUSTANCHORSFILE="/usr/share/dnsmasq/trust-anchors.conf"
 xappend() {
 local value="$1"
@@ -186,6 +187,13 @@ dnsmasq() {
 config_list_foreach "$cfg" rebind_domain append_rebind_domain
 }
+ config_get dnssec "$cfg" dnssec
+ [ "$dnssec" -gt 0 ] && {
+ xappend "--conf-file=$TRUSTANCHORSFILE"
+ xappend "--dnssec"
+ append_bool "$cfg" dnsseccheckunsigned "--dnssec-check-unsigned"
+ }
+
 dhcp_option_add "$cfg" "" 0
 xappend "--dhcp-broadcast=tag:needs-broadcast"
--
2.0.0
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
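Review bot: In the Makefile hunk the new `$(INSTALL_DATA)` line gives only the directory as its destination, while the neighbouring lines spell out the installed file name and dnsmasq.init hard-codes `/usr/share/dnsmasq/trust-anchors.conf`. I would write `$(INSTALL_DATA) $(PKG_BUILD_DIR)/trust-anchors.conf $(1)/usr/share/dnsmasq/trust-anchors.conf` so the two paths visibly agree. The file is copied unmodified from the build directory, so the root trust anchor on a device is only as current as the packaged dnsmasq source; that deserves a sentence in the commit message or package documentation, because a stale anchor after a root key rollover would presumably make validation fail for signed zones. The body of `Package/dnsmasq/install` starts and ends outside the hunk.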
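Review bot: In the dnsmasq.init hunk at `[ "$dnssec" -gt 0 ]`, the raw option string goes straight into a numeric test, so an unset option makes the test emit an error on every start, and a value such as `on` or `true` quietly leaves validation off while the admin believes it is enabled. Reading the option with `config_get_bool dnssec "$cfg" dnssec 0` keeps the `-gt 0` test valid and accepts the usual uci boolean spellings. `dnsseccheckunsigned` is a separate option and no default is passed to `append_bool` here, so with `dnssec` alone it appears that answers arriving without DNSSEC records are accepted without proof that the zone is unsigned; document that next to the option or consider enabling it together with `dnssec`. Whether the packaged binary is built with DNSSEC support is not visible in this patch; if it is not, `--dnssec` would presumably keep dnsmasq from starting. The `dnsmasq()` function body continues outside the hunk.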