From: Steven Barth <cyrus@openwrt.org>
Date: Wed, 18 Jun 2014 10:04:29 +0000 (+0000)
Subject: dnsmasq: add UCI DNSSEC runtime support
X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=132cbe5e29a0f7e4f2b5b80dec42dec974571eac;p=openwrt%2Fstaging%2Fdangole.git

dnsmasq: add UCI DNSSEC runtime support

Ship keys for the root zone and add two uci options to enable
DNSSEC checks:

Option 'dnssec': Activate DNSSEC validation
Option 'dnsseccheckunsigned': Ensure answers without DNSSEC are in
unsigned zones.

Signed-off-by: Andre Heider <a.heider@gmail.com>

SVN-Revision: 41245
---

diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init
index f7edb28806..9f16d5f5d4 100644
--- a/package/network/services/dnsmasq/files/dnsmasq.init
+++ b/package/network/services/dnsmasq/files/dnsmasq.init
@@ -14,6 +14,7 @@ ADD_LOCAL_HOSTNAME=1
 
 CONFIGFILE="/var/etc/dnsmasq.conf"
 HOSTFILE="/tmp/hosts/dhcp"
+TRUSTANCHORSFILE="/usr/share/dnsmasq/trust-anchors.conf"
 
 xappend() {
 	local value="$1"
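Review bot: The new `TRUSTANCHORSFILE` constant has no comment saying what the file holds or how it is kept current. According to the commit message it contains the root zone keys shipped with the package, so a root key rollover would need a package update before validation works again. A comment above the assignment would record that, for example `# root zone trust anchors shipped with the package; must be refreshed when the root KSK changes`.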
@@ -186,6 +187,13 @@ dnsmasq() {
 		config_list_foreach "$cfg" rebind_domain append_rebind_domain
 	}
 
+	config_get dnssec "$cfg" dnssec
+	[ "$dnssec" -gt 0 ] && {
+		xappend "--conf-file=$TRUSTANCHORSFILE"
+		xappend "--dnssec"
+		append_bool "$cfg" dnsseccheckunsigned "--dnssec-check-unsigned"
+	}
+
 	dhcp_option_add "$cfg" "" 0
 
 	xappend "--dhcp-broadcast=tag:needs-broadcast"
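Review bot: The guard `[ "$dnssec" -gt 0 ]` tests the raw string returned by `config_get`, so an unset option gives the test an empty operand, which likely prints a shell error on every start. Values such as `on` or `true` also leave validation silently off. Reading the option as a boolean would match `dnsseccheckunsigned`, which already goes through `append_bool`: `config_get_bool dnssec "$cfg" dnssec 0`. The block also passes `--conf-file=$TRUSTANCHORSFILE` without checking that the file is readable; dnsmasq will presumably refuse to start if it is missing, so a `[ -r "$TRUSTANCHORSFILE" ]` test with a logged warning would make that failure visible. The dnsmasq() function starts and ends outside this hunk, so whether `dnssec` is declared `local` cannot be seen here.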