[RFC] layer3: Add option to validate dnssec on the router

Submitted by Christian Dresel on Dec. 30, 2019, 2:31 p.m.

Details

Message ID 20191230143128.4656-1-fff@chrisi01.de
State Superseded

Commit Message

Christian Dresel Dec. 30, 2019, 2:31 p.m.
With this patch it is possible to activate dnssec validation on the layer3 router

Signed-off-by: Christian Dresel <fff@chrisi01.de>
---
 src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

Patch

diff --git a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
index 20503bf..9299135 100644
--- a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
+++ b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
@@ -1,6 +1,9 @@ 
 configure() {
 	## dns
 	uci -q del dhcp.@dnsmasq[0].server
+	uci -q del dhcp.@dnsmasq[0].proxydnssec
+	uci -q del stubby.global.appdata_dir
+	uci -q del stubby.global.dnssec_return_status
 	if [ $(uci -q get gateway.@dns[0].dnsdot) == 1 ]; then
 		uci add_list dhcp.@dnsmasq[0].server="::1#5453"
 		uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#5453"
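Review bot: the three new `uci -q del` lines reset the options before the branches below set them again, which keeps configure() idempotent, but deleting `stubby.global.appdata_dir` also reverts stubby's application data directory to whatever the package defaults to on every run where dnssec_validation is not set, a side effect beyond the DNSSEC toggle; if the gateway script is not the only owner of that option, leave `appdata_dir` out of the reset and set it only in the branch that needs it.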
@@ -16,7 +19,11 @@  configure() {
 		else
 			echo "WARNING: No DNS servers set!"
 		fi
-		
+		if [ $(uci -q get gateway.@dns[0].dnssec_validation) == 1 ]; then
+			uci set dhcp.@dnsmasq[0].proxydnssec="1"
+			uci set stubby.global.appdata_dir="/tmp/stubby"
+			uci set stubby.global.dnssec_return_status="1"
+		fi
 	else
 		if dnsservers=$(uci -q get gateway.@dns[0].server); then
 			for f in $dnsservers; do
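Review bot: the new `dnssec_validation` test is unquoted, so when the option is absent from UCI the expression collapses to `[ == 1 ]` and the shell reports a syntax error instead of treating the option as disabled; quote it and use the portable operator: `if [ "$(uci -q get gateway.@dns[0].dnssec_validation)" = 1 ]; then` (the existing dnsdot test has the same pattern, but that is outside this change). The block also sits inside the dnsdot branch, so `dnssec_validation=1` is silently ignored when dnsdot is 0; either document that validation on this path depends on stubby (dnsmasq's `proxydnssec` only passes through the Authenticated Data bit that the upstream resolver sets, it does not validate anything itself) or print a warning in the same style as the existing "WARNING: No DNS servers set!" line. Finally, `/tmp/stubby` is volatile storage, so whatever stubby keeps there is gone after a reboot and has to be fetched again at start-up; a short comment on that would help the next reader.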

Comments

Fabian Blaese March 15, 2020, 4:38 p.m.
Hello Christian,

why don't we let dnsmasq do the validation itself?
Then it also works independently of the DoT business, of which, to be honest, I currently don't think all that much.

The options needed for that:
--dnssec
and
--trust-anchor=[<class>],<domain>,<key-tag>,<algorithm>,<digest-type>,<digest>

In any case we need dnsmasq-full for that. I don't know what we currently use.
Caution: in both cases the trust anchor has to be updated when the time comes again.

Regards
Fabian

On 30.12.19 15:31, Christian Dresel wrote:
> With this patch it is possible to activate dnssec validation on the layer3 router
> 
> Signed-off-by: Christian Dresel <fff@chrisi01.de>
> ---
>  src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)
> 
> diff --git a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
> index 20503bf..9299135 100644
> --- a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
> +++ b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
> @@ -1,6 +1,9 @@
>  configure() {
>  	## dns
>  	uci -q del dhcp.@dnsmasq[0].server
> +	uci -q del dhcp.@dnsmasq[0].proxydnssec
> +	uci -q del stubby.global.appdata_dir
> +	uci -q del stubby.global.dnssec_return_status
>  	if [ $(uci -q get gateway.@dns[0].dnsdot) == 1 ]; then
>  		uci add_list dhcp.@dnsmasq[0].server="::1#5453"
>  		uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#5453"
> @@ -16,7 +19,11 @@ configure() {
>  		else
>  			echo "WARNING: No DNS servers set!"
>  		fi
> -		
> +		if [ $(uci -q get gateway.@dns[0].dnssec_validation) == 1 ]; then
> +			uci set dhcp.@dnsmasq[0].proxydnssec="1"
> +			uci set stubby.global.appdata_dir="/tmp/stubby"
> +			uci set stubby.global.dnssec_return_status="1"
> +		fi
>  	else
>  		if dnsservers=$(uci -q get gateway.@dns[0].server); then
>  			for f in $dnsservers; do
>
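The dnsmasq-side alternative Fabian describes, as an added example that is not part of this thread or of the fff firmware: a small POSIX shell helper that sanity-checks a DS record tuple and prints the `dnssec` / `trust-anchor=` lines for dnsmasq.conf. The function names, variable names and the `dnsmasq_dnssec_conf` argument convention are assumptions made for this example. The DS values are the published IANA root KSK-2017 record; a mistyped or stale anchor makes every answer fail validation, so check them against IANA's root-anchors before use, which is exactly the update duty Fabian warns about.

```shell
#!/bin/sh
# Example helper (hypothetical, not part of the fff firmware): build the
# dnsmasq options that make dnsmasq validate DNSSEC itself.
# Root KSK-2017 DS record as published by IANA at the time of writing;
# verify against https://data.iana.org/root-anchors/ before deploying.
ROOT_DS_KEYTAG=20326
ROOT_DS_ALGO=8
ROOT_DS_DIGEST_TYPE=2
ROOT_DS_DIGEST=E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D

# Reject a DS tuple an operator will never look at again if it is obviously
# wrong: numeric key tag and algorithm, hex digest, and a digest length that
# matches the digest type (1 = SHA-1, 40 hex chars; 2 = SHA-256, 64; 4 = SHA-384, 96).
check_ds() {
    keytag=$1; algo=$2; dtype=$3; digest=$4
    case "$keytag" in ''|*[!0-9]*) return 1;; esac
    case "$algo" in ''|*[!0-9]*) return 1;; esac
    case "$digest" in ''|*[!0-9A-Fa-f]*) return 1;; esac
    case "$dtype" in
        1) want=40;;
        2) want=64;;
        4) want=96;;
        *) return 1;;
    esac
    [ ${#digest} -eq "$want" ]
}

# Print one dnsmasq trust-anchor line for the root zone (class omitted = IN),
# in the --trust-anchor=[<class>],<domain>,<key-tag>,<algorithm>,<digest-type>,<digest> form.
trust_anchor_line() {
    check_ds "$1" "$2" "$3" "$4" || return 1
    printf 'trust-anchor=.,%s,%s,%s,%s\n' "$1" "$2" "$3" "$4"
}

# Emit the dnsmasq.conf fragment; $1 is the UCI-style flag, "1" when wanted.
# The test is quoted so an unset option ("") is treated as disabled instead
# of producing the "[ == 1 ]" syntax error an unquoted substitution would.
dnsmasq_dnssec_conf() {
    if [ "$1" = 1 ]; then
        echo 'dnssec'
        trust_anchor_line "$ROOT_DS_KEYTAG" "$ROOT_DS_ALGO" "$ROOT_DS_DIGEST_TYPE" "$ROOT_DS_DIGEST"
    fi
}

# Usage: dnsmasq_dnssec_conf 1 >> /etc/dnsmasq.conf   (requires dnsmasq-full)
```

With `dnssec` set, dnsmasq validates answers for every client regardless of whether the upstream path is DoT or plain UDP, which is the independence from the DoT setup Fabian is after; the price is that the anchor lives in the firmware and has to be rolled together with IANA's key.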