Raspberry pi, NTP, DNSSEC, dnsmasqv2.79, pihole-FTL: signal changed!


#1

In the past, I wrote or commented on two topics, here and here, regarding the use of dnssec-no-timecheck as a dnsmasq option to avoid the chicken-and-egg problem for machines which don't have a hardware real-time clock, as explained in the dnsmasq man page (search for dnssec-no-timecheck).

Due to a change in dnsmasq v2.79 (and thus pihole-FTL, which is dnsmasq 2.79 + extras), this doesn't work any more.
From the change log:
Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC time validation when --dnssec-no-timecheck is in use. Note that this is an incompatible change from earlier releases.

Here are the updated steps (tested on Raspbian) to activate this solution, using dnsmasq v2.79 OR pihole-FTL (used as of Pi-hole v4 instead of dnsmasq). If you're using another OS, you'll need to verify the parameter required to send the SIGINT signal (Raspbian signals explained here - search for Signals):

  1. Create a dnsmasq configuration file in /etc/dnsmasq.d. I'm using 05-dnssec.conf, to avoid having my additional configuration undone by pihole -up or pihole -r. You can use any name you want.
    I don't enable DNSSEC using the settings page, but put all the necessary settings in this file. If you enabled DNSSEC using the settings page, the first 3 lines will already be in 01-pihole.conf; don't repeat these lines!

content of /etc/dnsmasq.d/05-dnssec.conf:

dnssec
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
dnssec-no-timecheck
  2. Create the following script in /home/pi. I'm using ntpcheck.sh.
    content of /home/pi/ntpcheck.sh:
#!/bin/bash
echo "Waiting for Time Synchronization (NTP)..."
if [[ $EUID -ne 0 ]]; then
	# you are NOT root (not @reboot), no sleep, system already initialized...
	:
else
	# you are root (@reboot), sleep until the system reaches runlevel 5...
	while [ "$(/sbin/runlevel | cut -d " " -f 2)" != 5 ]
	do
		sleep 5
	done
fi
# block until ntpd reports the clock as synchronized (poll every 10 seconds)
/usr/sbin/ntp-wait -s 10
RETVAL=$?

if [ "$RETVAL" != "0" ];then
	echo "Time NOT synchronized (NTP)!!!"
	exit 1
else
	echo "Time synchronization established (NTP)."
	# only root may signal the daemons; tell dnsmasq and/or pihole-FTL
	# to start checking DNSSEC signature timestamps (SIGINT = signal 2)
	if [ "$(id -u)" = "0" ]; then
		pid=$(ps -e | grep 'dnsmasq' | awk '{print $1}')
		if ! [ -z "$pid" ]; then
			echo "Sending SIGINT to dnsmasq"
			/bin/kill -2 $pid
		fi
		pid=$(ps -e | grep 'pihole-FTL' | awk '{print $1}')
		if ! [ -z "$pid" ]; then
			echo "Sending SIGINT to pihole-FTL"
			/bin/kill -2 $pid
		fi
	fi
fi

Make the script executable (sudo chmod +x /home/pi/ntpcheck.sh).

  3. Create a new file containing a cron job in /etc/cron.d. I'm using ntpcheck.
    content of /etc/cron.d/ntpcheck:
@reboot root PATH="$PATH:/home/pi/" /home/pi/ntpcheck.sh

When the system reboots, you will find the following lines in /var/log/pihole.log:

DNSSEC validation enabled
DNSSEC signature timestamps not checked until receipt of SIGINT

After a reboot, while time isn't synchronized yet, you can see that the script is running by entering ps aux | grep sh. ntpcheck.sh will be listed twice.

As soon as time is synchronized, you will find the following line in /var/log/pihole.log:

now checking DNSSEC signature timestamps

It's pointless to run ntpcheck.sh from the command line if it has already done its work via cron: dnsmasq (and pihole-FTL) will respond only once to SIGINT.
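Since the daemon accepts signed answers without checking signature timestamps until that SIGINT arrives, it is worth being able to tell which state it is in. The following is an added example (not code from the original post or from Pi-hole) that derives the state from the three log messages quoted above; the log lines it embeds are constructed samples with made-up timestamps and pids, and the function names are my own.

```shell
#!/bin/sh
# Added example: derive the DNSSEC time-check state of dnsmasq / pihole-FTL
# from the log messages quoted in the post. Reads log text on stdin; on a
# real Pi-hole run: dnssec_timecheck_state < /var/log/pihole.log

# Every dnsmasq/pihole-FTL start logs the markers again, so the log is walked
# in order and the most recent marker decides. Prints exactly one word:
#   enforced - timestamps are checked (no-timecheck not used, or SIGINT received)
#   pending  - DNSSEC is on but timestamps are NOT checked until SIGINT arrives
#   unknown  - no DNSSEC markers at all (DNSSEC off, or log rotated away)
dnssec_timecheck_state() {
    awk '
        /DNSSEC validation enabled/                                        { state = "enforced" }
        /DNSSEC signature timestamps not checked until receipt of SIGINT/  { state = "pending" }
        /now checking DNSSEC signature timestamps/                         { state = "enforced" }
        END { print (state == "" ? "unknown" : state) }
    '
}

# Exit 0 only when timestamps are enforced; usable as a cron or monitoring check.
dnssec_timecheck_ok() {
    [ "$(dnssec_timecheck_state)" = enforced ]
}

# Constructed sample logs (timestamps and pids are made up) mirroring the
# sequence described in the post: boot with dnssec-no-timecheck, then SIGINT.
sample_after_boot() {
    printf '%s\n' \
        'Jan  1 00:00:03 dnsmasq[420]: DNSSEC validation enabled' \
        'Jan  1 00:00:03 dnsmasq[420]: DNSSEC signature timestamps not checked until receipt of SIGINT'
}
sample_after_sigint() {
    sample_after_boot
    printf '%s\n' 'Jan  1 00:01:10 dnsmasq[420]: now checking DNSSEC signature timestamps'
}
# A daemon restart after the SIGINT puts it back into the pending state.
sample_after_restart() {
    sample_after_sigint
    printf '%s\n' \
        'Jan  1 02:00:00 dnsmasq[631]: DNSSEC validation enabled' \
        'Jan  1 02:00:00 dnsmasq[631]: DNSSEC signature timestamps not checked until receipt of SIGINT'
}

sample_after_boot    | dnssec_timecheck_state   # pending
sample_after_sigint  | dnssec_timecheck_state   # enforced
sample_after_restart | dnssec_timecheck_state   # pending
```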

There are several problems with DNSSEC in dnsmasq v2.79 (and thus pihole-FTL). Most of these problems have been resolved in dnsmasq v2.80, but it hasn't been released yet (I've been using test versions).

Due to these unresolved problems, I've been using unbound to evaluate DNSSEC (disabled DNSSEC for dnsmasq), and didn't notice the signal change in the dnsmasq changelog until @L0nkFromPA and @Crazycat36 submitted the feature request. The downside of using unbound is of course the lack of DNSSEC info in the web interface.
