Pi-Hole/dnsmasq
1
0
Fork 0
mirror of https://github.com/pi-hole/dnsmasq.git synced 2025-12-19 18:28:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC time validation.

Browse Source
This commit is contained in:
Simon Kelley
2018-01-14 21:05:37 +00:00
parent faaf306a63
commit 3c973ad92d
5 changed files with 38 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGELOG
View File

@@ -19,6 +19,10 @@ version 2.79
Fix incorrect error exit code from dhcp_release6 utility. Fix incorrect error exit code from dhcp_release6 utility.
Thanks Gaudenz Steinlin for the bug report. Thanks Gaudenz Steinlin for the bug report.
Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC
time validation when --dnssec-no-timecheck is in use.
Note that this is an incompatible change from earlier releases.
version 2.78 version 2.78
Fix logic of appending ".<layer>" to PXE basename. Thanks to Chris Fix logic of appending ".<layer>" to PXE basename. Thanks to Chris

8
man/dnsmasq.8
View File

@@ -736,10 +736,14 @@ section on
DNSSEC signatures are only valid for specified time windows, and should be rejected outside those windows. This generates an DNSSEC signatures are only valid for specified time windows, and should be rejected outside those windows. This generates an
interesting chicken-and-egg problem for machines which don't have a hardware real time clock. For these machines to determine the correct interesting chicken-and-egg problem for machines which don't have a hardware real time clock. For these machines to determine the correct
time typically requires use of NTP and therefore DNS, but validating DNS requires that the correct time is already known. Setting this flag time typically requires use of NTP and therefore DNS, but validating DNS requires that the correct time is already known. Setting this flag
removes the time-window checks (but not other DNSSEC validation.) only until the dnsmasq process receives SIGHUP. The intention is removes the time-window checks (but not other DNSSEC validation.) only until the dnsmasq process receives SIGINT. The intention is
that dnsmasq should be started with this flag when the platform determines that reliable time is not currently available. As soon as that dnsmasq should be started with this flag when the platform determines that reliable time is not currently available. As soon as
reliable time is established, a SIGHUP should be sent to dnsmasq, which enables time checking, and purges the cache of DNS records reliable time is established, a SIGINT should be sent to dnsmasq, which enables time checking, and purges the cache of DNS records
which have not been thoroughly checked. which have not been thoroughly checked.
Earlier versions of dnsmasq overloaded SIGHUP (which re-reads much configuration) to also enable time validation.
If dnsmasq is run in debug mode (-d flag) then SIGINT retains its usual meaning of terminating the dnsmasq process.
.TP .TP
.B --dnssec-timestamp=<path> .B --dnssec-timestamp=<path>
Enables an alternative way of checking the validity of the system time for DNSSEC (see --dnssec-no-timecheck). In this case, the Enables an alternative way of checking the validity of the system time for DNSSEC (see --dnssec-no-timecheck). In this case, the

36
src/dnsmasq.c
View File

@@ -77,7 +77,8 @@ int main (int argc, char **argv)
sigaction(SIGTERM, &sigact, NULL); sigaction(SIGTERM, &sigact, NULL);
sigaction(SIGALRM, &sigact, NULL); sigaction(SIGALRM, &sigact, NULL);
sigaction(SIGCHLD, &sigact, NULL); sigaction(SIGCHLD, &sigact, NULL);
sigaction(SIGINT, &sigact, NULL);
/* ignore SIGPIPE */ /* ignore SIGPIPE */
sigact.sa_handler = SIG_IGN; sigact.sa_handler = SIG_IGN;
sigaction(SIGPIPE, &sigact, NULL); sigaction(SIGPIPE, &sigact, NULL);
@@ -759,7 +760,7 @@ int main (int argc, char **argv)
daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME); daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME);
if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future) if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future)
my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until first cache reload")); my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until receipt of SIGINT"));
if (rc == 1) if (rc == 1)
my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until system time valid")); my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until system time valid"));
@@ -1083,7 +1084,7 @@ static void sig_handler(int sig)
{ {
/* ignore anything other than TERM during startup /* ignore anything other than TERM during startup
and in helper proc. (helper ignore TERM too) */ and in helper proc. (helper ignore TERM too) */
if (sig == SIGTERM) if (sig == SIGTERM || sig == SIGINT)
exit(EC_MISC); exit(EC_MISC);
} }
else if (pid != getpid()) else if (pid != getpid())
@@ -1109,6 +1110,15 @@ static void sig_handler(int sig)
event = EVENT_DUMP; event = EVENT_DUMP;
else if (sig == SIGUSR2) else if (sig == SIGUSR2)
event = EVENT_REOPEN; event = EVENT_REOPEN;
else if (sig == SIGINT)
{
/* Handle SIGINT normally in debug mode, so
ctrl-c continues to operate. */
if (option_bool(OPT_DEBUG))
exit(EC_MISC);
else
event = EVENT_TIME;
}
else else
return; return;
@@ -1236,14 +1246,7 @@ static void async_event(int pipe, time_t now)
{ {
case EVENT_RELOAD: case EVENT_RELOAD:
daemon->soa_sn++; /* Bump zone serial, as it may have changed. */ daemon->soa_sn++; /* Bump zone serial, as it may have changed. */
#ifdef HAVE_DNSSEC
if (daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME))
{
my_syslog(LOG_INFO, _("now checking DNSSEC signature timestamps"));
daemon->dnssec_no_time_check = 0;
}
#endif
/* fall through */ /* fall through */
case EVENT_INIT: case EVENT_INIT:
@@ -1352,6 +1355,17 @@ static void async_event(int pipe, time_t now)
poll_resolv(0, 1, now); poll_resolv(0, 1, now);
break; break;
case EVENT_TIME:
#ifdef HAVE_DNSSEC
if (daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME))
{
my_syslog(LOG_INFO, _("now checking DNSSEC signature timestamps"));
daemon->dnssec_no_time_check = 0;
clear_cache_and_reload(now);
}
#endif
break;
case EVENT_TERM: case EVENT_TERM:
/* Knock all our children on the head. */ /* Knock all our children on the head. */
for (i = 0; i < MAX_PROCS; i++) for (i = 0; i < MAX_PROCS; i++)

1
src/dnsmasq.h
View File

@@ -179,6 +179,7 @@ struct event_desc {
#define EVENT_NEWROUTE 23 #define EVENT_NEWROUTE 23
#define EVENT_TIME_ERR 24 #define EVENT_TIME_ERR 24
#define EVENT_SCRIPT_LOG 25 #define EVENT_SCRIPT_LOG 25
#define EVENT_TIME 26
/* Exit codes. */ /* Exit codes. */
#define EC_GOOD 0 #define EC_GOOD 0

3
src/helper.c
View File

@@ -97,13 +97,14 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
return pipefd[1]; return pipefd[1];
} }
/* ignore SIGTERM, so that we can clean up when the main process gets hit /* ignore SIGTERM and SIGINT, so that we can clean up when the main process gets hit
and SIGALRM so that we can use sleep() */ and SIGALRM so that we can use sleep() */
sigact.sa_handler = SIG_IGN; sigact.sa_handler = SIG_IGN;
sigact.sa_flags = 0; sigact.sa_flags = 0;
sigemptyset(&sigact.sa_mask); sigemptyset(&sigact.sa_mask);
sigaction(SIGTERM, &sigact, NULL); sigaction(SIGTERM, &sigact, NULL);
sigaction(SIGALRM, &sigact, NULL); sigaction(SIGALRM, &sigact, NULL);
sigaction(SIGINT, &sigact, NULL);
if (!option_bool(OPT_DEBUG) && uid != 0) if (!option_bool(OPT_DEBUG) && uid != 0)
{ {