Raspberry Pi, NTP, DNSSEC, dnsmasq v2.79, pihole-FTL: signal changed!


In the past, I wrote or commented on two topics, here and here, regarding the use of dnssec-no-timecheck, a dnsmasq option to avoid the chicken-and-egg problem for machines that don't have a hardware real time clock, as explained in the dnsmasq man page (search for dnssec-no-timecheck).

Due to a change in dnsmasq v2.79 (and thus pihole-FTL, which is dnsmasq 2.79 + extras), this doesn't work any more.
From the change log:
Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC time validation when --dnssec-no-timecheck is in use. Note that this is an incompatible change from earlier releases.

Here are the updated steps (tested on Raspbian) to activate this solution, using dnsmasq v2.79 OR pihole-FTL (used as of pihole v4 instead of dnsmasq). If you're using another OS, you'll need to verify the parameter required to send the SIGINT signal (Raspbian signals explained here - search for Signals):

  1. Create a dnsmasq configuration file in /etc/dnsmasq.d. I'm using 05-dnssec.conf, so that pihole -up or pihole -r doesn't undo my additional configuration. You can use any name you want.
    I don't enable DNSSEC using the settings page, but put all the necessary settings in this file. If you enabled DNSSEC using the settings page, the first 3 lines will already be in 01-pihole.conf; don't repeat these lines!

content of /etc/dnsmasq.d/05-dnssec.conf:

  2. Create the following script in /home/pi. I'm using ntpcheck.sh.
    content of /home/pi/ntpcheck.sh:
#!/bin/bash
# Wait for NTP synchronization, then tell dnsmasq / pihole-FTL (by SIGINT) to start
# checking DNSSEC signature timestamps (dnsmasq v2.79+, --dnssec-no-timecheck in use).
echo "Waiting for Time Synchronization (NTP)..."
if [[ $EUID -ne 0 ]]; then
	# you are NOT root (not @reboot), no sleep, system already initialized...
	:
else
	# you are root (@reboot), sleep, let the system initialize...
	while [ "$(/sbin/runlevel | cut -d " " -f 2)" != 5 ]; do
		sleep 5
	done
fi
# ntp-wait returns 0 once ntpd reports it is synchronized (-s 10: retry every 10 s)
/usr/sbin/ntp-wait -s 10
RETVAL=$?

if [ "$RETVAL" != "0" ]; then
	echo "Time NOT synchronized (NTP)!!!"
	exit 1
else
	echo "Time synchronization established (NTP)."
	# only root may signal the resolver processes
	if [ "$(id -u)" = "0" ]; then
		pid=$(ps -e | grep 'dnsmasq' | awk '{print $1}')
		if ! [ -z "$pid" ]; then
			echo "Sending SIGINT to dnsmasq"
			/bin/kill -2 $pid
		fi
		pid=$(ps -e | grep 'pihole-FTL' | awk '{print $1}')
		if ! [ -z "$pid" ]; then
			echo "Sending SIGINT to pihole-FTL"
			/bin/kill -2 $pid
		fi
	fi
fi

Make the script executable (sudo chmod +x /home/pi/ntpcheck.sh)

  3. Create a new file, containing a cron job, in /etc/cron.d. I'm using ntpcheck.
    content of /etc/cron.d/ntpcheck:
@reboot root PATH="$PATH:/home/pi/" /home/pi/ntpcheck.sh

When the system reboots, you will find the following lines in /var/log/pihole.log:

DNSSEC validation enabled
DNSSEC signature timestamps not checked until receipt of SIGINT

After a reboot, while time isn’t synchronized yet, you can see that the script is running by entering ps aux | grep sh. ntpcheck.sh will be there twice.

As soon as time is synchronized, you will find the following line in /var/log/pihole.log:

now checking DNSSEC signature timestamps

It's pointless to run ntpcheck.sh from the command line if it has already done its work via cron: dnsmasq (and pihole-FTL) will respond only once to SIGINT.
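Because the signal is honoured only once, a script that may run more than once can check the log first. The following is an added example, not part of the original post: it reads the dnsmasq messages quoted above from pihole.log (the path and message texts are taken from this post; the process names `dnsmasq` and `pihole-FTL` for pgrep are assumed) and only sends SIGINT while the timestamp check is still pending.

```shell
#!/bin/bash
# Added example (not from the original post). dnsmasq logs
#   "DNSSEC signature timestamps not checked until receipt of SIGINT" at startup and
#   "now checking DNSSEC signature timestamps" after it received the signal.
# dnssec_timecheck_state LOGFILE  -> prints pending | active | unknown
dnssec_timecheck_state() {
	local log="${1:-/var/log/pihole.log}" recent
	[ -r "$log" ] || { echo unknown; return 2; }
	# Consider only the most recent dnsmasq start: the log may span several boots.
	# tac reverses the file, awk prints up to (and including) the newest startup line.
	recent=$(tac "$log" | awk '{print} /not checked until receipt of SIGINT/ {exit}')
	if printf '%s\n' "$recent" | grep -q 'now checking DNSSEC signature timestamps'; then
		echo active
		return 0
	elif printf '%s\n' "$recent" | grep -q 'not checked until receipt of SIGINT'; then
		echo pending
		return 1
	fi
	echo unknown
	return 2
}

# signal_if_pending LOGFILE: send SIGINT to dnsmasq / pihole-FTL only while still pending
signal_if_pending() {
	local log="${1:-/var/log/pihole.log}" name pids
	[ "$(dnssec_timecheck_state "$log")" = pending ] || return 0
	for name in dnsmasq pihole-FTL; do
		pids=$(pgrep -x "$name") || continue   # exact process name match, no self-match
		echo "Sending SIGINT to $name ($pids)"
		kill -INT $pids
	done
}
```

Run as root after NTP synchronization, e.g. `signal_if_pending /var/log/pihole.log`; calling it again is harmless once the log shows the timestamps are being checked.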

There are several problems with DNSSEC in dnsmasq v2.79 (and thus pihole-FTL). Most of these problems have been resolved in dnsmasq v2.80, but it hasn't been released yet (I've been using test versions).

Due to these unresolved problems, I've been using unbound to evaluate DNSSEC (disabled DNSSEC for dnsmasq), and didn't notice the signal change in the dnsmasq changelog until @L0nkFromPA and @Crazycat36 submitted the feature request. The downside of using unbound is of course the lack of DNSSEC info in the web interface.

Allow NTP sync before enforcing DNSSEC time check