dnsmasq: add UCI DNSSEC runtime support

Ship keys for the root zone and add two uci options to enable
DNSSEC checks:

Option 'dnssec': Activate DNSSEC validation
Option 'dnsseccheckunsigned': Ensure answers without DNSSEC are in
unsigned zones.

Signed-off-by: Andre Heider <a.heider@gmail.com>

SVN-Revision: 41245
owl
Steven Barth 2014-06-18 10:04:29 +00:00
parent 5f64a3e7ce
commit 132cbe5e29
1 changed files with 8 additions and 0 deletions

View File

@ -14,6 +14,7 @@ ADD_LOCAL_HOSTNAME=1
CONFIGFILE="/var/etc/dnsmasq.conf" CONFIGFILE="/var/etc/dnsmasq.conf"
HOSTFILE="/tmp/hosts/dhcp" HOSTFILE="/tmp/hosts/dhcp"
TRUSTANCHORSFILE="/usr/share/dnsmasq/trust-anchors.conf"
xappend() { xappend() {
local value="$1" local value="$1"
@ -186,6 +187,13 @@ dnsmasq() {
config_list_foreach "$cfg" rebind_domain append_rebind_domain config_list_foreach "$cfg" rebind_domain append_rebind_domain
} }
config_get dnssec "$cfg" dnssec
[ "$dnssec" -gt 0 ] && {
xappend "--conf-file=$TRUSTANCHORSFILE"
xappend "--dnssec"
append_bool "$cfg" dnsseccheckunsigned "--dnssec-check-unsigned"
}
dhcp_option_add "$cfg" "" 0 dhcp_option_add "$cfg" "" 0
xappend "--dhcp-broadcast=tag:needs-broadcast" xappend "--dhcp-broadcast=tag:needs-broadcast"