[LEDE-DEV,v1] dnsmasq: use SIGINT for dnssec time valid

Message ID	20180115124521.43778-1-ldir@darbyshire-bryant.me.uk
State	Accepted
Headers	show Return-Path: <lede-dev-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org> From: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> To: lede-dev@lists.infradead.org Date: Mon, 15 Jan 2018 12:45:21 +0000 Message-Id: <20180115124521.43778-1-ldir@darbyshire-bryant.me.uk> MIME-Version: 1.0 Received-SPF: None (protection.outlook.com: darbyshire-bryant.me.uk does not designate permitted sender hosts) X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1; VI1PR0702MB3743; 23:7LG2UGJileryCzK5IA1dMSB2z2iRr40ypSsAYUi?= 7gkq7p+FhjZl0pQy2YUNFFzZpdpT6bRjN5oZrV+XW1ZXetAytvMCgJpipi7mCuV47YVoPOI1UidDpRv8V+DPSRqny2oIICxJJzHZg2HJ/kQfHxKkJ1vQWun2uVUq5u7Gebr8kSd6ow7gUcQIaGK93hpKWYHJ+q5lZeKJuxC0BVzlvRUqtwYrtoHHHTqkjUTRiCbxJ6R7aSIOA3feTjBOpn/rUiS/6BUjHHN+RD4bLxoEtG/gv5xZ80DWVpjTluoEENmJt4CEU+++hcDSBQY24G0gJGJGlw8pV961JZWSYuuPvAJ4VeBcB/YJBgeL7CYmbV3vMafiainScYcXM65fNKzEUaXo6qiiRgkI28IYI2x/c4ikEfQ7+0w5hJWLa4Js1AlGslNICnkjmJzz+TiUXAlmOhFIG28Cxk+mIdcB+QsU0XMeANmx9Bs8+cRsHVVRcVEMsB1CRrPBP+FX4ylXUx7Sj3UIfzNSabmvhTfrFbR1Hzq51e8Xc/3mNY42ZH0/WJuzgTcBvrVCnfWNP0CAgm9l6IQss2YZqhhq4IoO5fRSpfsw0AoDMrkqUx5zBKKVD/HmuufQYkB2XNo7YlXKV4ma1h/I460LFsXGJLf1d4z484NFXOoYano5xQA71SKhpwwjLLGOetBmT2Zv25ewdqguUt0gzvrH66NGoktYxGkOmF8iiqTubNL2IZBoueA6+lzJ4LeLwWaFObYFGj+9fayN49sfXlSgLapzsbJk5q/XrX9whYYUPvUl9RSOsfSwMpa7jcnFNTXXgm6XQvbbufethABt3NaGAs+9AlcJOVw4/765DRfI7mlLRZkc5dQcSQRXsDL+EKgAbq757uVxS5xOIbnVmVXCwibh27+ohF7zlABnfbkUGfAVTZxP31hb1nZTTMc6G/zVey9AyRffX4TV3bL9cy2iBToGtV52vmhTnZD6begoviJzdNbxPhJZvD2/HqD+SrD8WUD3VCxYz+7diXfIyMk1yKS5WV0FGIcrhBHMqSCB36Lj+O/E7Whs1H5QEdCeegVm5N7IfCQpCVrm1vERLfBcwc7ewEJVvNqByPUX/wY3AAE2shrfmT/ose8cmSyqDpMRp49TWwnjeG9vmV177TF+XP6cfbGXJNLDMfLNMYsYHhdb7PVnqb+JswwPqohUb765bKJpk72TZnH+Jf6KlvPyuo6EhlQwYdBMscA== X-Microsoft-Exchange-Diagnostics: 1; VI1PR0702MB3743; 6:svLCMq1LEWK/Bmhcq9C1+EA/9ZNakE47V3eRWQxZHxoKo3v6irsQ3PfvGzrRIlg4bzcF/NVAXOyMNJM1zM/USh5DBr/+dmXoVWW6qkjJDP5sxWj5mJBfP3dTz/+8wK3m8mJC3DGibCQfI6JOFgwIwh2gWcjGgzQE+9bdHj48nqiPC1bMvV23n7j8B2glMkzb8xOnNvplXmJv8cai7OhkqqKGHuBd+hORw0hk4kzbKl2LV4VZzcxwKdHTpENcvZwF/uLFqinMdUSzAO4tROdXCn2UDWuvV/048u6Pg46pYoIXoGFQTD+NVhZskPdxLT7fIE305ZicjQB7ZBr2FewiEApz02UAjXq/SVXjzgYQ10w=; 5:vA0aZCjm4t5YUlG5nGYx6bV2lKxfU883wg8kAOvCSyO2CIn/5FAEWWnSc9Rj/7ZHy7wHED0BfUqzsEIlqnjaR7606GGEjhjZx6qpfb7dvhzhzvNP4oYLZ5L3W1XXdrYaMOnL0u9f4xe421Tyfzf6tUxvGiWM4FUkYjYmobbRars=; 24:DzPkr7puWy4cEHSwWEq35QNMfAKjeIJTK+Tw6vx7jKqU+UwV9Rq7ecDrvBPz7WCUnxYygREJDeIWHGSnwe1nVndKFBKTEZMjCvjR+S/Z7Bc=; 7:bk5OO8cLpE6e4BojpVgqcviifq9CvTAcNSovkDdKwznwBptWI/q3S2DJDvBrJ5GSDagRJgEYP8GGSIAkR/kahW8vg8WPBaAVSK8eJTFcGPjE+q6qVrG8jJVohcfGpso8HPAPpPn6lU2AleWB8lcZlNd7HkaHVK9gU1R3WYDcKBoFX+ArUSGf7It9hKYAQdP4IFjDF9/iwwE70nvQ46ryzyCX0Q9zxy6H0zuSpSq85A5vwBscIS7yTVFs3AhlQztf SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM summary: Content analysis details: (-2.0 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [2a01:111:f400:fe1f:0:0:0:621 listed in] [list.dnswl.org] -0.0 SPF_HELO_PASS SPF: HELO matches SPF record -0.0 SPF_PASS SPF: sender matches SPF record -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature Subject: [LEDE-DEV] [PATCH v1] dnsmasq: use SIGINT for dnssec time valid Precedence: list Cc: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "Lede-dev" <lede-dev-bounces@lists.infradead.org> Errors-To: lede-dev-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org
Series	[LEDE-DEV,v1] dnsmasq: use SIGINT for dnssec time valid \| expand [LEDE-DEV,v1] dnsmasq: use SIGINT for dnssec time valid

Message ID

20180115124521.43778-1-ldir@darbyshire-bryant.me.uk

State

Accepted

Headers

From: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
To: lede-dev@lists.infradead.org
Date: Mon, 15 Jan 2018 12:45:21 +0000
Message-Id: <20180115124521.43778-1-ldir@darbyshire-bryant.me.uk>
MIME-Version: 1.0
Received-SPF: None (protection.outlook.com: darbyshire-bryant.me.uk does not
	designate permitted sender hosts)
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 15 Jan 2018 12:45:29.1402
	(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 0f8fb7fc-82cf-4a75-1552-08d55c15dbb3
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 9151708b-c553-406f-8e56-694f435154a4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0702MB3743
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20180115_044545_954618_BEE7172A 
X-CRM114-Status: GOOD (  16.49  )
X-Spam-Score: -2.0 (--)
X-Spam-Report: SpamAssassin version 3.4.1 on bombadil.infradead.org summary:
	Content analysis details:   (-2.0 points)
	pts rule name              description
	---- ----------------------
	--------------------------------------------------
	-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/,
	no
	trust [2a01:111:f400:fe1f:0:0:0:621 listed in] [list.dnswl.org]
	-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
	-0.0 SPF_PASS               SPF: sender matches SPF record
	-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
	[score: 0.0000]
	0.1 DKIM_SIGNED            Message has a DKIM or DK signature,
	not necessarily valid
	-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
	author's domain
	-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
Subject: [LEDE-DEV] [PATCH v1] dnsmasq: use SIGINT for dnssec time valid
X-BeenThere: lede-dev@lists.infradead.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <lede-dev.lists.infradead.org>
List-Unsubscribe: <http://lists.infradead.org/mailman/options/lede-dev>,
	<mailto:lede-dev-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/lede-dev/>
List-Post: <mailto:lede-dev@lists.infradead.org>
List-Help: <mailto:lede-dev-request@lists.infradead.org?subject=help>
List-Subscribe: <http://lists.infradead.org/mailman/listinfo/lede-dev>,
	<mailto:lede-dev-request@lists.infradead.org?subject=subscribe>
Cc: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "Lede-dev" <lede-dev-bounces@lists.infradead.org>
Errors-To: lede-dev-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

Series

[LEDE-DEV,v1] dnsmasq: use SIGINT for dnssec time valid | expand

Commit Message

Kevin 'ldir' Darbyshire-Bryant Jan. 15, 2018, 12:45 p.m. UTC

Dnsmasq used SIGHUP to do too many things: 1) set dnssec time validation
enabled, 2) bump SOA zone serial, 3) clear dns cache, 4) reload hosts
files, 5) reload resolvers/servers files.

Many subsystems within LEDE can send SIGHUP to dnsmasq: 1) ntpd hotplug
(to indicate time is valid for dnssec) 2) odhcpd (to indicate a
new/removed host - typically DHCPv6 leases) 3) procd on interface state
changes 4) procd on system config state changes, 5) service reload.

If dnssec time validation is enabled before the system clock has been
set to a sensible time, name resolution will fail.  Because name
resolution fails, ntpd is unable to resolve time server names to
addresses, so is unable to set time.  Classic chicken/egg.

Since commits 23bba9cb330cd298739a16e350b0029ed9429eef (service reload) &
4f02285d8b4a66359a8fa46f22a3efde391b5419 (system config)  make it more
likely a SIGHUP will be sent for events other than 'ntpd has set time'
it is more likely that an errant 'name resolution is failing for
everything' situation will be encountered.

Fortunately the upstream dnsmasq people agree and have moved 'check
dnssec timestamp enable' from SIGHUP handler to SIGINT.

Backport the upstream patch to use SIGINT.
ntpd hotplug script updated to use SIGINT.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
---
 package/network/services/dnsmasq/Makefile          |   2 +-
 .../services/dnsmasq/files/dnsmasqsec.hotplug      |   2 +-
 .../dnsmasq/patches/260-dnssec-SIGINT.patch        | 120 +++++++++++++++++++++
 3 files changed, 122 insertions(+), 2 deletions(-)
 create mode 100644 package/network/services/dnsmasq/patches/260-dnssec-SIGINT.patch

Comments

Hans Dedecker Jan. 15, 2018, 9:50 p.m. UTC | #1

On Mon, Jan 15, 2018 at 1:45 PM, Kevin Darbyshire-Bryant
<ldir@darbyshire-bryant.me.uk> wrote:
> Dnsmasq used SIGHUP to do too many things: 1) set dnssec time validation
> enabled, 2) bump SOA zone serial, 3) clear dns cache, 4) reload hosts
> files, 5) reload resolvers/servers files.
>
> Many subsystems within LEDE can send SIGHUP to dnsmasq: 1) ntpd hotplug
> (to indicate time is valid for dnssec) 2) odhcpd (to indicate a
> new/removed host - typically DHCPv6 leases) 3) procd on interface state
> changes 4) procd on system config state changes, 5) service reload.
>
> If dnssec time validation is enabled before the system clock has been
> set to a sensible time, name resolution will fail.  Because name
> resolution fails, ntpd is unable to resolve time server names to
> addresses, so is unable to set time.  Classic chicken/egg.
>
> Since commits 23bba9cb330cd298739a16e350b0029ed9429eef (service reload) &
> 4f02285d8b4a66359a8fa46f22a3efde391b5419 (system config)  make it more
> likely a SIGHUP will be sent for events other than 'ntpd has set time'
> it is more likely that an errant 'name resolution is failing for
> everything' situation will be encountered.
>
> Fortunately the upstream dnsmasq people agree and have moved 'check
> dnssec timestamp enable' from SIGHUP handler to SIGINT.
>
> Backport the upstream patch to use SIGINT.
> ntpd hotplug script updated to use SIGINT.
>
> Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
> ---
>  package/network/services/dnsmasq/Makefile          |   2 +-
>  .../services/dnsmasq/files/dnsmasqsec.hotplug      |   2 +-
>  .../dnsmasq/patches/260-dnssec-SIGINT.patch        | 120 +++++++++++++++++++++
>  3 files changed, 122 insertions(+), 2 deletions(-)
>  create mode 100644 package/network/services/dnsmasq/patches/260-dnssec-SIGINT.patch
>
> diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile
> index c6d2739f03..1224ad86f8 100644
> --- a/package/network/services/dnsmasq/Makefile
> +++ b/package/network/services/dnsmasq/Makefile
> @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
>
>  PKG_NAME:=dnsmasq
>  PKG_VERSION:=2.78
> -PKG_RELEASE:=7
> +PKG_RELEASE:=8
>
>  PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
>  PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/
> diff --git a/package/network/services/dnsmasq/files/dnsmasqsec.hotplug b/package/network/services/dnsmasq/files/dnsmasqsec.hotplug
> index a155eb0f6e..781d533734 100644
> --- a/package/network/services/dnsmasq/files/dnsmasqsec.hotplug
> +++ b/package/network/services/dnsmasq/files/dnsmasqsec.hotplug
> @@ -9,6 +9,6 @@ TIMEVALIDFILE="/var/state/dnsmasqsec"
>  [ -f "$TIMEVALIDFILE" ] || {
>         echo "ntpd says time is valid" >$TIMEVALIDFILE
>         /etc/init.d/dnsmasq enabled && {
> -               procd_send_signal dnsmasq
> +               procd_send_signal dnsmasq '*' INT
>         }
>  }
> diff --git a/package/network/services/dnsmasq/patches/260-dnssec-SIGINT.patch b/package/network/services/dnsmasq/patches/260-dnssec-SIGINT.patch
> new file mode 100644
> index 0000000000..e280142f75
> --- /dev/null
> +++ b/package/network/services/dnsmasq/patches/260-dnssec-SIGINT.patch
> @@ -0,0 +1,120 @@
> +From 3c973ad92d317df736d5a8fde67baba6b102d91e Mon Sep 17 00:00:00 2001
> +From: Simon Kelley <simon@thekelleys.org.uk>
> +Date: Sun, 14 Jan 2018 21:05:37 +0000
> +Subject: [PATCH] Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC
> + time validation.
> +
> +---
> + src/dnsmasq.c |   36 +++++++++++++++++++++++++-----------
> + src/dnsmasq.h |    1 +
> + src/helper.c  |    3 ++-
> + 5 files changed, 38 insertions(+), 14 deletions(-)
> +
> +--- a/src/dnsmasq.c
> ++++ b/src/dnsmasq.c
> +@@ -137,7 +137,8 @@ int main (int argc, char **argv)
> +   sigaction(SIGTERM, &sigact, NULL);
> +   sigaction(SIGALRM, &sigact, NULL);
> +   sigaction(SIGCHLD, &sigact, NULL);
> +-
> ++  sigaction(SIGINT, &sigact, NULL);
> ++
> +   /* ignore SIGPIPE */
> +   sigact.sa_handler = SIG_IGN;
> +   sigaction(SIGPIPE, &sigact, NULL);
> +@@ -815,7 +816,7 @@ int main (int argc, char **argv)
> +
> +       daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME);
> +       if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future)
> +-      my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until first cache reload"));
> ++      my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until receipt of SIGINT"));
> +
> +       if (rc == 1)
> +       my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until system time valid"));
> +@@ -1142,7 +1143,7 @@ static void sig_handler(int sig)
> +     {
> +       /* ignore anything other than TERM during startup
> +        and in helper proc. (helper ignore TERM too) */
> +-      if (sig == SIGTERM)
> ++      if (sig == SIGTERM || sig == SIGINT)
> +       exit(EC_MISC);
> +     }
> +   else if (pid != getpid())
> +@@ -1168,6 +1169,15 @@ static void sig_handler(int sig)
> +       event = EVENT_DUMP;
> +       else if (sig == SIGUSR2)
> +       event = EVENT_REOPEN;
> ++      else if (sig == SIGINT)
> ++      {
> ++        /* Handle SIGINT normally in debug mode, so
> ++           ctrl-c continues to operate. */
> ++        if (option_bool(OPT_DEBUG))
> ++          exit(EC_MISC);
> ++        else
> ++          event = EVENT_TIME;
> ++      }
> +       else
> +       return;
> +
> +@@ -1295,14 +1305,7 @@ static void async_event(int pipe, time_t
> +       {
> +       case EVENT_RELOAD:
> +       daemon->soa_sn++; /* Bump zone serial, as it may have changed. */
> +-
> +-#ifdef HAVE_DNSSEC
> +-      if (daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME))
> +-        {
> +-          my_syslog(LOG_INFO, _("now checking DNSSEC signature timestamps"));
> +-          daemon->dnssec_no_time_check = 0;
> +-        }
> +-#endif
> ++
> +       /* fall through */
> +
> +       case EVENT_INIT:
> +@@ -1411,6 +1414,17 @@ static void async_event(int pipe, time_t
> +       poll_resolv(0, 1, now);
> +       break;
> +
> ++      case EVENT_TIME:
> ++#ifdef HAVE_DNSSEC
> ++      if (daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME))
> ++        {
> ++          my_syslog(LOG_INFO, _("now checking DNSSEC signature timestamps"));
> ++          daemon->dnssec_no_time_check = 0;
> ++          clear_cache_and_reload(now);
> ++        }
> ++#endif
> ++      break;
> ++
> +       case EVENT_TERM:
> +       /* Knock all our children on the head. */
> +       for (i = 0; i < MAX_PROCS; i++)
> +--- a/src/dnsmasq.h
> ++++ b/src/dnsmasq.h
> +@@ -175,6 +175,7 @@ struct event_desc {
> + #define EVENT_NEWROUTE   23
> + #define EVENT_TIME_ERR   24
> + #define EVENT_SCRIPT_LOG 25
> ++#define EVENT_TIME       26
> +
> + /* Exit codes. */
> + #define EC_GOOD        0
> +--- a/src/helper.c
> ++++ b/src/helper.c
> +@@ -97,13 +97,14 @@ int create_helper(int event_fd, int err_
> +       return pipefd[1];
> +     }
> +
> +-  /* ignore SIGTERM, so that we can clean up when the main process gets hit
> ++  /* ignore SIGTERM and SIGINT, so that we can clean up when the main process gets hit
> +      and SIGALRM so that we can use sleep() */
> +   sigact.sa_handler = SIG_IGN;
> +   sigact.sa_flags = 0;
> +   sigemptyset(&sigact.sa_mask);
> +   sigaction(SIGTERM, &sigact, NULL);
> +   sigaction(SIGALRM, &sigact, NULL);
> ++  sigaction(SIGINT, &sigact, NULL);
> +
> +   if (!option_bool(OPT_DEBUG) && uid != 0)
> +     {
> --
> 2.14.3 (Apple Git-98)
>
>
> _______________________________________________
> Lede-dev mailing list
> Lede-dev@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/lede-dev

Thanks; patch applied in commit
https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=aba3b1c6a3639bf821d2cf305de22ec276fbff33

Hans

diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile
index c6d2739f03..1224ad86f8 100644
--- a/package/network/services/dnsmasq/Makefile
+++ b/package/network/services/dnsmasq/Makefile
@@ -9,7 +9,7 @@  include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dnsmasq
 PKG_VERSION:=2.78
-PKG_RELEASE:=7
+PKG_RELEASE:=8
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/
diff --git a/package/network/services/dnsmasq/files/dnsmasqsec.hotplug b/package/network/services/dnsmasq/files/dnsmasqsec.hotplug
index a155eb0f6e..781d533734 100644
--- a/package/network/services/dnsmasq/files/dnsmasqsec.hotplug
+++ b/package/network/services/dnsmasq/files/dnsmasqsec.hotplug
@@ -9,6 +9,6 @@  TIMEVALIDFILE="/var/state/dnsmasqsec"
 [ -f "$TIMEVALIDFILE" ] || {
 	echo "ntpd says time is valid" >$TIMEVALIDFILE
 	/etc/init.d/dnsmasq enabled && {
-		procd_send_signal dnsmasq
+		procd_send_signal dnsmasq '*' INT
 	}
 }
diff --git a/package/network/services/dnsmasq/patches/260-dnssec-SIGINT.patch b/package/network/services/dnsmasq/patches/260-dnssec-SIGINT.patch
new file mode 100644
index 0000000000..e280142f75
--- /dev/null
+++ b/package/network/services/dnsmasq/patches/260-dnssec-SIGINT.patch
@@ -0,0 +1,120 @@ 
+From 3c973ad92d317df736d5a8fde67baba6b102d91e Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Sun, 14 Jan 2018 21:05:37 +0000
+Subject: [PATCH] Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC
+ time validation.
+
+---
+ src/dnsmasq.c |   36 +++++++++++++++++++++++++-----------
+ src/dnsmasq.h |    1 +
+ src/helper.c  |    3 ++-
+ 5 files changed, 38 insertions(+), 14 deletions(-)
+
+--- a/src/dnsmasq.c
++++ b/src/dnsmasq.c
+@@ -137,7 +137,8 @@ int main (int argc, char **argv)
+   sigaction(SIGTERM, &sigact, NULL);
+   sigaction(SIGALRM, &sigact, NULL);
+   sigaction(SIGCHLD, &sigact, NULL);
+-
++  sigaction(SIGINT, &sigact, NULL);
++  
+   /* ignore SIGPIPE */
+   sigact.sa_handler = SIG_IGN;
+   sigaction(SIGPIPE, &sigact, NULL);
+@@ -815,7 +816,7 @@ int main (int argc, char **argv)
+       
+       daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME);
+       if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future)
+-	my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until first cache reload"));
++	my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until receipt of SIGINT"));
+       
+       if (rc == 1)
+ 	my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until system time valid"));
+@@ -1142,7 +1143,7 @@ static void sig_handler(int sig)
+     {
+       /* ignore anything other than TERM during startup
+ 	 and in helper proc. (helper ignore TERM too) */
+-      if (sig == SIGTERM)
++      if (sig == SIGTERM || sig == SIGINT)
+ 	exit(EC_MISC);
+     }
+   else if (pid != getpid())
+@@ -1168,6 +1169,15 @@ static void sig_handler(int sig)
+ 	event = EVENT_DUMP;
+       else if (sig == SIGUSR2)
+ 	event = EVENT_REOPEN;
++      else if (sig == SIGINT)
++	{
++	  /* Handle SIGINT normally in debug mode, so
++	     ctrl-c continues to operate. */
++	  if (option_bool(OPT_DEBUG))
++	    exit(EC_MISC);
++	  else
++	    event = EVENT_TIME;
++	}
+       else
+ 	return;
+ 
+@@ -1295,14 +1305,7 @@ static void async_event(int pipe, time_t
+       {
+       case EVENT_RELOAD:
+ 	daemon->soa_sn++; /* Bump zone serial, as it may have changed. */
+-
+-#ifdef HAVE_DNSSEC
+-	if (daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME))
+-	  {
+-	    my_syslog(LOG_INFO, _("now checking DNSSEC signature timestamps"));
+-	    daemon->dnssec_no_time_check = 0;
+-	  } 
+-#endif
++	
+ 	/* fall through */
+ 	
+       case EVENT_INIT:
+@@ -1411,6 +1414,17 @@ static void async_event(int pipe, time_t
+ 	poll_resolv(0, 1, now);
+ 	break;
+ 
++      case EVENT_TIME:
++#ifdef HAVE_DNSSEC
++	if (daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME))
++	  {
++	    my_syslog(LOG_INFO, _("now checking DNSSEC signature timestamps"));
++	    daemon->dnssec_no_time_check = 0;
++	    clear_cache_and_reload(now);
++	  }
++#endif
++	break;
++	
+       case EVENT_TERM:
+ 	/* Knock all our children on the head. */
+ 	for (i = 0; i < MAX_PROCS; i++)
+--- a/src/dnsmasq.h
++++ b/src/dnsmasq.h
+@@ -175,6 +175,7 @@ struct event_desc {
+ #define EVENT_NEWROUTE   23
+ #define EVENT_TIME_ERR   24
+ #define EVENT_SCRIPT_LOG 25
++#define EVENT_TIME       26
+ 
+ /* Exit codes. */
+ #define EC_GOOD        0
+--- a/src/helper.c
++++ b/src/helper.c
+@@ -97,13 +97,14 @@ int create_helper(int event_fd, int err_
+       return pipefd[1];
+     }
+ 
+-  /* ignore SIGTERM, so that we can clean up when the main process gets hit
++  /* ignore SIGTERM and SIGINT, so that we can clean up when the main process gets hit
+      and SIGALRM so that we can use sleep() */
+   sigact.sa_handler = SIG_IGN;
+   sigact.sa_flags = 0;
+   sigemptyset(&sigact.sa_mask);
+   sigaction(SIGTERM, &sigact, NULL);
+   sigaction(SIGALRM, &sigact, NULL);
++  sigaction(SIGINT, &sigact, NULL);
+ 
+   if (!option_bool(OPT_DEBUG) && uid != 0)
+     {

[LEDE-DEV,v1] dnsmasq: use SIGINT for dnssec time valid

Commit Message

Comments

Patch