Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC time validation.
diff --git a/CHANGELOG b/CHANGELOG
index e97d237..0b76ecd 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -19,6 +19,10 @@
Fix incorrect error exit code from dhcp_release6 utility.
Thanks Gaudenz Steinlin for the bug report.
+ Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC
+ time validation when --dnssec-no-timecheck is in use.
+ Note that this is an incompatible change from earlier releases.
+
version 2.78
Fix logic of appending ".<layer>" to PXE basename. Thanks to Chris
diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index a2d5743..ac70974 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -736,10 +736,14 @@
DNSSEC signatures are only valid for specified time windows, and should be rejected outside those windows. This generates an
interesting chicken-and-egg problem for machines which don't have a hardware real time clock. For these machines to determine the correct
time typically requires use of NTP and therefore DNS, but validating DNS requires that the correct time is already known. Setting this flag
-removes the time-window checks (but not other DNSSEC validation.) only until the dnsmasq process receives SIGHUP. The intention is
+removes the time-window checks (but not other DNSSEC validation.) only until the dnsmasq process receives SIGINT. The intention is
that dnsmasq should be started with this flag when the platform determines that reliable time is not currently available. As soon as
-reliable time is established, a SIGHUP should be sent to dnsmasq, which enables time checking, and purges the cache of DNS records
+reliable time is established, a SIGINT should be sent to dnsmasq, which enables time checking, and purges the cache of DNS records
which have not been thoroughly checked.
+
+Earlier versions of dnsmasq overloaded SIGHUP (which re-reads much configuration) to also enable time validation.
+
+If dnsmasq is run in debug mode (-d flag) then SIGINT retains its usual meaning of terminating the dnsmasq process.
.TP
.B --dnssec-timestamp=<path>
Enables an alternative way of checking the validity of the system time for DNSSEC (see --dnssec-no-timecheck). In this case, the
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index 0c899a3..b3b9ed0 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -77,7 +77,8 @@
sigaction(SIGTERM, &sigact, NULL);
sigaction(SIGALRM, &sigact, NULL);
sigaction(SIGCHLD, &sigact, NULL);
-
+ sigaction(SIGINT, &sigact, NULL);
+
/* ignore SIGPIPE */
sigact.sa_handler = SIG_IGN;
sigaction(SIGPIPE, &sigact, NULL);
@@ -759,7 +760,7 @@
daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME);
if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future)
- my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until first cache reload"));
+ my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until receipt of SIGINT"));
if (rc == 1)
my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until system time valid"));
@@ -1083,7 +1084,7 @@
{
/* ignore anything other than TERM during startup
and in helper proc. (helper ignore TERM too) */
- if (sig == SIGTERM)
+ if (sig == SIGTERM || sig == SIGINT)
exit(EC_MISC);
}
else if (pid != getpid())
@@ -1109,6 +1110,15 @@
event = EVENT_DUMP;
else if (sig == SIGUSR2)
event = EVENT_REOPEN;
+ else if (sig == SIGINT)
+ {
+ /* Handle SIGINT normally in debug mode, so
+ ctrl-c continues to operate. */
+ if (option_bool(OPT_DEBUG))
+ exit(EC_MISC);
+ else
+ event = EVENT_TIME;
+ }
else
return;
@@ -1236,14 +1246,7 @@
{
case EVENT_RELOAD:
daemon->soa_sn++; /* Bump zone serial, as it may have changed. */
-
-#ifdef HAVE_DNSSEC
- if (daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME))
- {
- my_syslog(LOG_INFO, _("now checking DNSSEC signature timestamps"));
- daemon->dnssec_no_time_check = 0;
- }
-#endif
+
/* fall through */
case EVENT_INIT:
@@ -1352,6 +1355,17 @@
poll_resolv(0, 1, now);
break;
+ case EVENT_TIME:
+#ifdef HAVE_DNSSEC
+ if (daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME))
+ {
+ my_syslog(LOG_INFO, _("now checking DNSSEC signature timestamps"));
+ daemon->dnssec_no_time_check = 0;
+ clear_cache_and_reload(now);
+ }
+#endif
+ break;
+
case EVENT_TERM:
/* Knock all our children on the head. */
for (i = 0; i < MAX_PROCS; i++)
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 65c63ce..0ee4c04 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -179,6 +179,7 @@
#define EVENT_NEWROUTE 23
#define EVENT_TIME_ERR 24
#define EVENT_SCRIPT_LOG 25
+#define EVENT_TIME 26
/* Exit codes. */
#define EC_GOOD 0
diff --git a/src/helper.c b/src/helper.c
index d143a01..c134071 100644
--- a/src/helper.c
+++ b/src/helper.c
@@ -97,13 +97,14 @@
return pipefd[1];
}
- /* ignore SIGTERM, so that we can clean up when the main process gets hit
+ /* ignore SIGTERM and SIGINT, so that we can clean up when the main process gets hit
and SIGALRM so that we can use sleep() */
sigact.sa_handler = SIG_IGN;
sigact.sa_flags = 0;
sigemptyset(&sigact.sa_mask);
sigaction(SIGTERM, &sigact, NULL);
sigaction(SIGALRM, &sigact, NULL);
+ sigaction(SIGINT, &sigact, NULL);
if (!option_bool(OPT_DEBUG) && uid != 0)
{