dnsmasq: fix dnssec+ntp chicken-and-egg workaround (FS#2574)

Fix the test for an enabled sysntp initscript in dnsmasq.init, and get
rid of "test -o" while at it.

Issue reproduced on openwrt-19.07 with the help of pool.ntp.br and an
RTC-less ath79 router.  dnssec-no-timecheck would be clearly missing
from /var/etc/dnsmasq.conf.* while the router was still a few days in
the past due to non-working DNSSEC + DNS-based NTP server config.

The fix was tested with the router in the "DNSSEC broken state": it
properly started dnsmasq in dnssec-no-timecheck mode, and eventually ntp
was able to resolve the server name to an IP address, and set the system
time.  DNSSEC was then enabled by SIGINT through the ntp hotplug hook,
as expected.

A missing system.ntp.enabled UCI node is required for the bug to show
up.  The reasons for why it would be missing in the first place were not
investigated.

Signed-off-by: Henrique de Moraes Holschuh <henrique@nic.br>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
This commit is contained in:
Henrique de Moraes Holschuh 2020-03-01 00:08:43 -03:00 committed by Hans Dedecker
parent f81403c433
commit 556b8581a1
2 changed files with 3 additions and 4 deletions

View File

@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=dnsmasq
PKG_UPSTREAM_VERSION:=2.81rc3
PKG_VERSION:=$(subst test,~~test,$(subst rc,~rc,$(PKG_UPSTREAM_VERSION)))
PKG_RELEASE:=2
PKG_RELEASE:=3
PKG_SOURCE:=$(PKG_NAME)-$(PKG_UPSTREAM_VERSION).tar.xz
PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/release-candidates

View File

@ -964,10 +964,9 @@ dnsmasq_start()
xappend "--conf-file=$TRUSTANCHORSFILE"
xappend "--dnssec"
[ -x /etc/init.d/sysntpd ] && {
/etc/init.d/sysntpd enabled
[ "$?" -ne 0 -o "$(uci_get system.ntp.enabled)" = "1" ] && {
if /etc/init.d/sysntpd enabled || [ "$(uci_get system.ntp.enabled)" = "1" ] ; then
[ -f "$TIMEVALIDFILE" ] || xappend "--dnssec-no-timecheck"
}
fi
}
config_get_bool dnsseccheckunsigned "$cfg" dnsseccheckunsigned 1
[ "$dnsseccheckunsigned" -eq 0 ] && xappend "--dnssec-check-unsigned=no"