From: Yousong Zhou Date: Tue, 4 Aug 2020 04:00:22 +0000 (+0800) Subject: dnsmasq: abort when dnssec requested but not available X-Git-Tag: v21.02.0-rc1~1975 X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=064dc1e81bc85f6ef8becc38854292853a59d2c2;p=openwrt%2Fstaging%2Fpepe2k.git dnsmasq: abort when dnssec requested but not available Before this commit, if uci option "dnssec" was set, we pass "--dnssec" and friends to dnsmasq, let it start and decide whether to quit and whether to emit message for diagnosis # dnsmasq --dnssec; echo $? dnsmasq: DNSSEC not available: set HAVE_DNSSEC in src/config.h 1 DNSSEC as a feature is different from others like dhcp, tftp in that it's a security feature. Better be explicit. With this change committed, we make it so by not allowing it in the first in the initscript, should dnsmasq later decides to not quit (not likely) or quit without above explicit error (unlikely but less so ;) So this is just being proactive. on/off choices with uci option "dnssec" are still available like before Link: https://github.com/openwrt/openwrt/pull/3265#issuecomment-667795302 Signed-off-by: Yousong Zhou --- diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile index 22ecd12f07..ab3f4fd8d0 100644 --- a/package/network/services/dnsmasq/Makefile +++ b/package/network/services/dnsmasq/Makefile @@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dnsmasq PKG_UPSTREAM_VERSION:=2.82 PKG_VERSION:=$(subst test,~~test,$(subst rc,~rc,$(PKG_UPSTREAM_VERSION))) -PKG_RELEASE:=3 +PKG_RELEASE:=4 PKG_SOURCE:=$(PKG_NAME)-$(PKG_UPSTREAM_VERSION).tar.xz PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init index 9288971426..932103d8b5 100644 --- a/package/network/services/dnsmasq/files/dnsmasq.init +++ b/package/network/services/dnsmasq/files/dnsmasq.init @@ -42,9 +42,13 @@ dnsmasq_ignore_opt() { bootp-*|\ pxe-*) [ -z "$dnsmasq_has_dhcp" ] ;; - dnssec-*|\ + dnssec*|\ trust-anchor) - [ -z "$dnsmasq_has_dnssec" ] ;; + if [ -z "$dnsmasq_has_dnssec" ]; then + echo "dnsmasq: \"$opt\" requested, but dnssec support is not available" >&2 + exit 1 + fi + ;; tftp-*) [ -z "$dnsmasq_has_tftp" ] ;; ipset)