Add DNSSEC integration and GUI using dnsmasq.

release/src/Makefile

@@ -50,6 +50,7 @@ VLAN ?= "n"
 USERPPTP ?= "n"
 PPTPD ?= "n"
 TCPDUMP ?= "n"
+DNSSEC ?= "n"
 
 ifeq ($(NVRAM_SIZE),)
 NVRAM_SIZE = 0
@@ -471,6 +472,10 @@ define RouterOptions
 		sed -i "/TCONFIG_TCPDUMP/d" $(1); \
 		echo "TCONFIG_TCPDUMP=y" >>$(1); \
 	fi; \
+	if [ "$(DNSSEC)" = "y" ]; then \
+		sed -i "/TCONFIG_DNSSEC/d" $(1); \
+		echo "TCONFIG_DNSSEC=y" >>$(1); \
+	fi; \
 	)
 endef
 

release/src/router/Makefile

@@ -693,16 +693,50 @@ bridge-install:
 	install -D bridge/brctl/brctl $(INSTALLDIR)/bridge/usr/sbin/brctl
 	$(STRIP) $(INSTALLDIR)/bridge/usr/sbin/brctl
 
-dnsmasq:
+dnsmasq: $(if $(TCONFIG_DNSSEC),nettle,)
 	@$(SEP)
 	@$(MAKE) -C dnsmasq \
-	COPTS="$(if $(TCONFIG_IPV6),-DUSE_IPV6,-DNO_IPV6 -DNO_IPSET) -DHAVE_BROKEN_RTC -DHAVE_TOMATO $(EXTRACFLAGS) -ffunction-sections -fdata-sections" \
-	LDFLAGS="-ffunction-sections -fdata-sections -Wl,--gc-sections -fPIC"
+	COPTS="$(if $(TCONFIG_DNSSEC),-I$(TOP)/nettle/include -I$(TOP)/gmp -DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC,) $(if $(TCONFIG_IPV6),-DUSE_IPV6,-DNO_IPV6 -DNO_IPSET) -DHAVE_BROKEN_RTC -DHAVE_TOMATO $(EXTRACFLAGS) -ffunction-sections -fdata-sections" \
+	LDFLAGS="$(if $(TCONFIG_DNSSEC),-L$(TOP)/nettle/lib -L$(TOP)/gmp/.libs,) -ffunction-sections -fdata-sections -Wl,--gc-sections -fPIC" \
+	$(if $(TCONFIG_DNSSEC),PKG_CONFIG_PATH="$(TOP)/nettle/lib/pkgconfig",)
 
 dnsmasq-install:
 	install -D dnsmasq/src/dnsmasq $(INSTALLDIR)/dnsmasq/usr/sbin/dnsmasq
 	$(STRIP) $(INSTALLDIR)/dnsmasq/usr/sbin/dnsmasq
 
+nettle/stamp-h1: gmp
+	@cd nettle && CC=$(CC) AR=$(AR) RANLIB=$(RANLIB) LD=$(LD) \
+	CPPFLAGS="-I$(TOP)/gmp" \
+	CFLAGS="-Os -Wall $(EXTRACFLAGS) -fPIC -ffunction-sections -fdata-sections" \
+	LDFLAGS="-L$(TOP)/gmp/.libs -ffunction-sections -fdata-sections -Wl,--gc-sections -fPIC" \
+	$(CONFIGURE) prefix=$(TOP)/nettle
+	@touch nettle/stamp-h1
+
+nettle: nettle/stamp-h1
+	@$(SEP)
+	@$(MAKE) -C nettle
+	@$(MAKE) -C nettle install
+
+nettle-clean:
+	-@$(MAKE) -C nettle clean
+	@rm -f nettle/stamp-h1
+	@rm -rf nettle/include nettle/lib
+
+gmp/stamp-h1:
+	@cd gmp && CC=$(CC) AR=$(AR) RANLIB=$(RANLIB) LD=$(LD) \
+	CFLAGS="-Os -Wall $(EXTRACFLAGS) -fPIC -ffunction-sections -fdata-sections" \
+	LDFLAGS="-ffunction-sections -fdata-sections -Wl,--gc-sections -fPIC" \
+	$(CONFIGURE)
+	@touch gmp/stamp-h1
+
+gmp: gmp/stamp-h1
+	@$(SEP)
+	@$(MAKE) -C gmp
+
+gmp-clean:
+	-@$(MAKE) -C gmp clean
+	@rm -f gmp/stamp-h1
+
 iptables:
 ifeq ($(CONFIG_LINUX26),y)
 	cp -f iptables/extensions/libipt_ipp2p_K26.c iptables/extensions/libipt_ipp2p.c

release/src/router/config/config.in

@@ -141,3 +141,7 @@ config TCONFIG_NVRAM_64K
 config TCONFIG_TCPDUMP
 	bool "TCPDUMP and LIBPCAP utilities"
 	default n
+
+config TCONFIG_DNSSEC
+	bool "DNSSEC"
+	default n

release/src/router/config_base

@@ -34,3 +34,4 @@ TCONFIG_SAMBASRV=y
 # TCONFIG_PPTPD is not set
 # TCONFIG_NVRAM_64K is not set
 # TCONFIG_TCPDUMP is not set
+# TCONFIG_DNSSEC is not set

release/src/router/httpd/tomato.c

@@ -574,6 +574,9 @@ static const nvset_t nvset_list[] = {
 	{ "lan_netmask",		V_IP				},
 	{ "lan_gateway",		V_IP				},
 	{ "wan_dns",			V_LENGTH(0, 50)		},	// ip ip ip
+#ifdef TCONFIG_DNSSEC
+	{ "dnssec_enable",		V_01				},
+#endif
 	{ "lan_proto",			V_WORD				},	// static, dhcp
 	{ "dhcp_start",			V_LENGTH(0, 15)		},	// remove !
 	{ "dhcp_num",			V_LENGTH(0, 4)		},	// remove !

release/src/router/nvram/defaults.c

@@ -87,6 +87,9 @@ const defaults_t defaults[] = {
 	{ "wan_gateway",		"0.0.0.0"			},	// WAN gateway
 	{ "wan_gateway_get",		"0.0.0.0"			},	// default gateway for PPP
 	{ "wan_dns",			""				},	// x.x.x.x x.x.x.x ...
+#ifdef TCONFIG_DNSSEC
+	{ "dnssec_enable",		"0"				},
+#endif
 	{ "wan_wins",			""				},	// x.x.x.x x.x.x.x ...
 	{ "wan_lease",			"86400"				},	// WAN lease time in seconds
 	{ "wan_islan",			"0"				},

release/src/router/rc/services.c

@@ -371,6 +371,14 @@ void start_dnsmasq()
 		fprintf(f, "dhcp-authoritative\n");
 	}
 
+#ifdef TCONFIG_DNSSEC
+	if (nvram_match("dnssec_enable", "1")) {
+		fprintf(f, "conf-file=/etc/trust-anchors.conf\n"
+			   "dnssec\n"
+			   "dnssec-no-timecheck\n");
+	}
+#endif
+
 	//
 
 #ifdef TCONFIG_OPENVPN
@@ -431,6 +439,13 @@ void start_dnsmasq()
 	}
 
 	TRACE_PT("end\n");
+
+#ifdef TCONFIG_DNSSEC
+	if ((time(0) > Y2K) && nvram_match("dnssec_enable", "1")){
+		killall("dnsmasq", SIGHUP);
+	}
+#endif
+
 }
 
 void stop_dnsmasq(void)

release/src/router/rc/wan.c

@@ -989,6 +989,12 @@ void start_wan_done(char *wan_ifname)
 	start_wan6_done(get_wan6face());
 #endif
 
+#ifdef TCONFIG_DNSSEC
+	if (nvram_match("dnssec_enable", "1")) {
+		killall("dnsmasq", SIGHUP);
+	}
+#endif
+
 	stop_upnp();
 	start_upnp();
 

release/src/router/rom/rom/etc/trust-anchors.conf

@@ -0,0 +1 @@
+trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5

release/src/router/www/Makefile

@@ -216,6 +216,12 @@ ifneq ($(TCONFIG_SNMP),y)
 	sed -i $(INSTALLDIR)/www/about.asp -e "/SNMP-BEGIN/,/SNMP-END/d"
 endif
 
+# Only include the dnssec option if is compiled in
+ifneq ($(TCONFIG_DNSSEC),y)
+	sed -i $(INSTALLDIR)/www/basic-network.asp -e "/DNSSEC-BEGIN/,/DNSSEC-END/d"
+	sed -i $(INSTALLDIR)/www/about.asp -e "/LANCETHEPANTS-BEGIN/,/LANCETHEPANTS-END/d"
+endif
+
 # clean up
 	cd $(INSTALLDIR)/www && \
 	for F in $(wildcard *.asp *.js *.jsx *.html); do \

release/src/router/www/about.asp

@@ -158,6 +158,13 @@ Copyright (C) 2010-2011 Jean-Yves Avenard<br>
 <a href='mailto:jean-yves@avenard.org'>jean-yves@avenard.org</a><br>
 <br>
 <!-- JYAVENARD-END -->
+<!-- LANCETHEPANTS-BEGIN -->
+<b>"Lancethepants" Features:</b><br>
+- DNSSEC integration and GUI<br>
+Copyright (C) 2014 Lance Fredrickson<br>
+<a href='mailto:lancethepants@gmail.com'>lancethepants@gmail.com</a><br>
+<br>
+<!-- LANCETHEPANTS-END -->
 <b>"Teaman" Features:</b><br>
 - QOS-detailed & ctrate improved filters<br>
 - Real-time bandwidth monitoring of LAN clients<br>

release/src/router/www/basic-network.asp

@@ -46,7 +46,7 @@
 <script type='text/javascript' src='interfaces.js'></script>
 <script type='text/javascript'>
 
-//	<% nvram("dhcp_lease,dhcp_num,dhcp_start,dhcpd_startip,dhcpd_endip,l2tp_server_ip,lan_gateway,lan_ipaddr,lan_netmask,lan_proto,mtu_enable,ppp_demand,ppp_idletime,pppoe_lei,pppoe_lef,ppp_passwd,ppp_redialperiod,ppp_service,ppp_username,ppp_custom,pptp_server_ip,pptp_dhcp,wl_security_mode,wan_dns,wan_gateway,wan_ipaddr,wan_mtu,wan_netmask,wan_proto,wan_wins,wl_wds_enable,wl_channel,wl_closed,wl_crypto,wl_key,wl_key1,wl_key2,wl_key3,wl_key4,wl_lazywds,wl_mode,wl_net_mode,wl_passphrase,wl_radio,wl_radius_ipaddr,wl_radius_port,wl_ssid,wl_wds,wl_wep_bit,wl_wpa_gtk_rekey,wl_wpa_psk,wl_radius_key,wl_auth,wl_hwaddr,wan_islan,t_features,wl_nbw_cap,wl_nctrlsb,wl_nband,wl_phytype,lan_ifname,lan_stp,lan1_ifname,lan1_ipaddr,lan1_netmask,lan1_proto,lan1_stp,dhcp1_start,dhcp1_num,dhcp1_lease,dhcpd1_startip,dhcpd1_endip,lan2_ifname,lan2_ipaddr,lan2_netmask,lan2_proto,lan2_stp,dhcp2_start,dhcp2_num,dhcp2_lease,dhcpd2_startip,dhcpd2_endip,lan3_ifname,lan3_ipaddr,lan3_netmask,lan3_proto,lan3_stp,dhcp3_start,dhcp3_num,dhcp3_lease,dhcpd3_startip,dhcpd3_endip,ppp_mlppp,modem_ipaddr,modem_pin,modem_dev,modem_init,modem_apn,cstats_enable"); %>
+//	<% nvram("dhcp_lease,dhcp_num,dhcp_start,dhcpd_startip,dhcpd_endip,l2tp_server_ip,lan_gateway,lan_ipaddr,lan_netmask,lan_proto,mtu_enable,ppp_demand,ppp_idletime,pppoe_lei,pppoe_lef,ppp_passwd,ppp_redialperiod,ppp_service,ppp_username,ppp_custom,pptp_server_ip,pptp_dhcp,wl_security_mode,wan_dns,dnssec_enable,wan_gateway,wan_ipaddr,wan_mtu,wan_netmask,wan_proto,wan_wins,wl_wds_enable,wl_channel,wl_closed,wl_crypto,wl_key,wl_key1,wl_key2,wl_key3,wl_key4,wl_lazywds,wl_mode,wl_net_mode,wl_passphrase,wl_radio,wl_radius_ipaddr,wl_radius_port,wl_ssid,wl_wds,wl_wep_bit,wl_wpa_gtk_rekey,wl_wpa_psk,wl_radius_key,wl_auth,wl_hwaddr,wan_islan,t_features,wl_nbw_cap,wl_nctrlsb,wl_nband,wl_phytype,lan_ifname,lan_stp,lan1_ifname,lan1_ipaddr,lan1_netmask,lan1_proto,lan1_stp,dhcp1_start,dhcp1_num,dhcp1_lease,dhcpd1_startip,dhcpd1_endip,lan2_ifname,lan2_ipaddr,lan2_netmask,lan2_proto,lan2_stp,dhcp2_start,dhcp2_num,dhcp2_lease,dhcpd2_startip,dhcpd2_endip,lan3_ifname,lan3_ipaddr,lan3_netmask,lan3_proto,lan3_stp,dhcp3_start,dhcp3_num,dhcp3_lease,dhcpd3_startip,dhcpd3_endip,ppp_mlppp,modem_ipaddr,modem_pin,modem_dev,modem_init,modem_apn,cstats_enable"); %>
 
 /* VLAN-BEGIN */
 var lg = new TomatoGrid();
@@ -738,6 +738,9 @@ function verifyFields(focused, quiet)
 		_f_dns_1: 1,
 		_f_dns_2: 1,
 		_f_dns_3: 1,
+/* DNSSEC-BEGIN */
+		_f_dnssec_enable: 1,
+/* DNSSEC-END */
 		_lan_gateway: 1,
 		_wan_wins: 1,
 		_modem_pin: 1,
@@ -1492,6 +1495,11 @@ function save()
 
 	fom.wan_dns.value = joinAddr([fom.f_dns_1.value, fom.f_dns_2.value, fom.f_dns_3.value]);
 
+/* DNSSEC-BEGIN */
+	fom.dnssec_enable.value = fom.f_dnssec_enable.checked ? 1 : 0;
+/* DNSSEC-END */
+
+
 /* VLAN-BEGIN */
 // initialize/wipe out relevant fields
 	for (var i = 0 ; i <= MAX_BRIDGE_ID ; i++) {
@@ -1619,6 +1627,9 @@ function init()
 <input type='hidden' name='lan_proto'>
 <!-- NOVLAN-END -->
 <input type='hidden' name='wan_dns'>
+<!-- DNSSEC-BEGIN -->
+<input type='hidden' name='dnssec_enable'>
+<!-- DNSSEC-END -->
 <input type='hidden' name='ppp_mlppp'>
 
 <!-- VLAN-BEGIN -->
@@ -1715,6 +1726,9 @@ createFieldTable('', [
 	{ title: 'Static DNS', suffix: '&nbsp; <i>(IP:port)</i>', name: 'f_dns_1', type: 'text', maxlen: 21, size: 25, value: dns[0] || '0.0.0.0' },
 	{ title: '', name: 'f_dns_2', type: 'text', maxlen: 21, size: 25, value: dns[1] || '0.0.0.0' },
 	{ title: '', name: 'f_dns_3', type: 'text', maxlen: 21, size: 25, value: dns[2] || '0.0.0.0' },
+/* DNSSEC-BEGIN */
+	{ title: 'Enable DNSSEC', name: 'f_dnssec_enable', type: 'checkbox', suffix: ' <i>(must be supported by the upstream nameservers)</i>', value: (nvram.dnssec_enable == 1) },
+/* DNSSEC-END */
 /* NOVLAN-BEGIN */
 	{ title: 'DHCP Server', name: 'f_dhcpd_enable', type: 'checkbox', value: (nvram.lan_proto == 'dhcp') },
 	{ title: 'IP Address Range', indent: 2, multi: [