From patchwork Tue Jan 2 15:29:01 2018
X-Patchwork-Submitter: Kevin 'ldir' Darbyshire-Bryant
X-Patchwork-Id: 854585
From: Kevin Darbyshire-Bryant
To: lede-dev@lists.infradead.org
Date: Tue, 2 Jan 2018 15:29:01 +0000
Message-Id: <20180102152901.27154-1-ldir@darbyshire-bryant.me.uk>
Subject: [LEDE-DEV] [PATCH v1] dnsmasq: use SIGUSR2 for dnssec time valid
Cc: Kevin Darbyshire-Bryant

Move 'check dnssec timestamp enable' from SIGHUP handler to SIGUSR2.

Dnsmasq uses SIGHUP to do too many things: 1) set dnssec time validation enabled, 2) bump SOA zone serial, 3) clear dns cache, 4) reload hosts files, 5) reload resolvers/servers files.

SIGUSR2 is used to re-open/re-start the logfile. Default LEDE does not use logfile functionality.

Many subsystems within LEDE can send SIGHUP to dnsmasq: 1) ntpd hotplug (to indicate time is valid for dnssec) 2) odhcpd (to indicate a new/removed host - typically DHCPv6 leases) 3) procd on interface state changes 4) procd on system config state changes, 5) service reload.

If dnssec time validation is enabled before the system clock has been set to a sensible time, name resolution will fail. Because name resolution fails, ntpd is unable to resolve time server names to addresses, so is unable to set time. Classic chicken/egg.

Since commits 23bba9cb330cd298739a16e350b0029ed9429eef (service reload) & 4f02285d8b4a66359a8fa46f22a3efde391b5419 (system config) make it more likely a SIGHUP will be sent for events other than 'ntpd has set time' it is more likely that an errant 'name resolution is failing for everything' situation will be encountered.
Ideally dnsmasq would have some other IPC mechanism for indicating 'time is valid, go check dnssec timestamps', but until that time (implementation is left as an exercise for the interested/competent reader/bikeshedder) the next best thing is to move functionality from the overloaded SIGHUP signal to the under-utilised SIGUSR2. ntpd hotplug script updated to use SIGUSR2. Signed-off-by: Kevin Darbyshire-Bryant --- package/network/services/dnsmasq/Makefile | 2 +- .../services/dnsmasq/files/dnsmasqsec.hotplug | 2 +- .../dnsmasq/patches/250-dnssec-SIGUSR2.patch | 32 ++++++++++++++++++++++ 3 files changed, 34 insertions(+), 2 deletions(-) create mode 100644 package/network/services/dnsmasq/patches/250-dnssec-SIGUSR2.patch diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile index c6d2739f03..1224ad86f8 100644 --- a/package/network/services/dnsmasq/Makefile +++ b/package/network/services/dnsmasq/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dnsmasq PKG_VERSION:=2.78 -PKG_RELEASE:=7 +PKG_RELEASE:=8 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/ diff --git a/package/network/services/dnsmasq/files/dnsmasqsec.hotplug b/package/network/services/dnsmasq/files/dnsmasqsec.hotplug index a155eb0f6e..f9fb4b533d 100644 --- a/package/network/services/dnsmasq/files/dnsmasqsec.hotplug +++ b/package/network/services/dnsmasq/files/dnsmasqsec.hotplug @@ -9,6 +9,6 @@ TIMEVALIDFILE="/var/state/dnsmasqsec" [ -f "$TIMEVALIDFILE" ] || { echo "ntpd says time is valid" >$TIMEVALIDFILE /etc/init.d/dnsmasq enabled && { - procd_send_signal dnsmasq + procd_send_signal dnsmasq '*' USR2 } } diff --git a/package/network/services/dnsmasq/patches/250-dnssec-SIGUSR2.patch b/package/network/services/dnsmasq/patches/250-dnssec-SIGUSR2.patch new file mode 100644 index 0000000000..1c7ffa5123 --- /dev/null +++ b/package/network/services/dnsmasq/patches/250-dnssec-SIGUSR2.patch 
@@ -0,0 +1,32 @@ +--- a/src/dnsmasq.c ++++ b/src/dnsmasq.c +@@ -1296,13 +1296,6 @@ static void async_event(int pipe, time_t + case EVENT_RELOAD: + daemon->soa_sn++; /* Bump zone serial, as it may have changed. */ + +-#ifdef HAVE_DNSSEC +- if (daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME)) +- { +- my_syslog(LOG_INFO, _("now checking DNSSEC signature timestamps")); +- daemon->dnssec_no_time_check = 0; +- } +-#endif + /* fall through */ + + case EVENT_INIT: +@@ -1399,6 +1392,15 @@ static void async_event(int pipe, time_t + we leave them logging to the old file. */ + if (daemon->log_file != NULL) + log_reopen(daemon->log_file); ++ ++#ifdef HAVE_DNSSEC ++ if (daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME)) ++ { ++ my_syslog(LOG_INFO, _("now checking DNSSEC signature timestamps")); ++ daemon->dnssec_no_time_check = 0; ++ clear_cache_and_reload(now); ++ } ++#endif + break; + + case EVENT_NEWADDR:
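Review bot: In dnsmasqsec.hotplug, the USR2 signal sits inside the `[ -f "$TIMEVALIDFILE" ] || { ... }` guard, so it is sent only when the state file does not yet exist. With the check removed from the SIGHUP path, a dnsmasq instance that is restarted after the file has been written will not get this signal again, and none of the other SIGHUP senders listed in the commit message will enable timestamp checking for it either. The init script is not part of this diff; please confirm it starts dnsmasq with time checking already on when $TIMEVALIDFILE is present, and say so in the commit message, otherwise that instance keeps validating without checking signature timestamps.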
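Review bot: The new file 250-dnssec-SIGUSR2.patch starts directly at `--- a/src/dnsmasq.c` with no description header, and its first hunk (@@ -1296,13 +1296,6) changes what SIGHUP does: after it, EVENT_RELOAD no longer clears daemon->dnssec_no_time_check. Please add a short header to the patch file stating the purpose and that this is a local divergence in signal semantics, so that anyone refreshing the patch against a later dnsmasq, or any script that still sends SIGHUP expecting timestamp checks to start, can see that DNSSEC signatures will stay validated without a time check until USR2 arrives.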
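Review bot: In the second hunk of 250-dnssec-SIGUSR2.patch (@@ -1399,6 +1392,15), the block added after `log_reopen(daemon->log_file);` makes USR2 carry two meanings, so on a system that does configure a log file, a log-rotation USR2 sent before the clock is set would clear dnssec_no_time_check early and bring back the resolution failure the commit message describes. The commit message relies on default LEDE not using the logfile; a comment above the `#ifdef HAVE_DNSSEC` stating that assumption would make the constraint visible in the code. Separately, `clear_cache_and_reload(now);` is new relative to the block removed from EVENT_RELOAD, which was instead followed by a fall through into EVENT_INIT; a line in the commit message explaining why the explicit call is needed here would help.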