dnssec-check: add new package#26941
Conversation
Functional Test Report: dnssec-checkThis report demonstrates how Test Environment
Case 1: Secure (Local resolver validates DNSSEC)/etc/resolv.conf: $ dnssec-check Explanation: The local resolver successfully performs full DNSSEC validation. Case 2: Medium (Upstream validates, local does not)/etc/resolv.conf: If the upstream DNS server is: $ dnssec-check Explanation: The local resolver does not validate DNSSEC, but the upstream resolver blocks domains that fail DNSSEC validation. Case 3: Insecure (Neither local nor upstream validates DNSSEC)/etc/resolv.conf: If the upstream DNS server is: $ dnssec-check Explanation: Both the local and upstream resolvers return unsigned responses without blocking invalid domains. SummaryThe tool accurately distinguishes between the following DNSSEC support levels:
This tool might assist OpenWrt users with elementary DNSSEC validation. |
There was a problem hiding this comment.
Pull Request Overview
Adds a minimal DNSSEC validation tool that queries two reference domains and reports support level via UCI.
- Introduces a UCI defaults script to populate
/etc/config/dnssec-check - Adds a Makefile to build and install the binary and defaults file
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| files/dnssec-check.defaults | New script to initialize UCI configuration with defaults |
| Makefile | Package build/install rules and metadata for dnssec-check |
Comments suppressed due to low confidence (2)
net/dnssec-check/Makefile:25
- [nitpick] The new DNSSEC validation tool currently lacks any automated tests. Consider adding a test suite to verify secure, medium, and insecure outcomes against known domains to ensure future changes don’t break core logic.
define Package/dnssec-check
net/dnssec-check/Makefile:34
- [nitpick] Package description is in the Makefile, but the repository’s README or other user-facing docs aren’t updated to explain how to configure and run the tool. Adding usage examples and config details would help new users.
define Package/dnssec-check/description
98b570d to
a3e5b0a
Compare
104e565 to
ddc699c
Compare
7787662 to
5a18d2f
Compare
wehagy
left a comment
There was a problem hiding this comment.
You know how this works, it's maintained by the community. Hopefully, someone will review it eventually. Unfortunately, it's me this time 😅.
Anyway, you need to fix the build so I can check if the package is working.
| # | ||
| # Copyright (C) 2025 Liu Yu <f78fk@live.com> | ||
| # | ||
| # This is free software, licensed under the GNU General Public License v2.0 or later. | ||
| # See /LICENSE for more information. | ||
| # |
There was a problem hiding this comment.
| # | |
| # Copyright (C) 2025 Liu Yu <f78fk@live.com> | |
| # | |
| # This is free software, licensed under the GNU General Public License v2.0 or later. | |
| # See /LICENSE for more information. | |
| # | |
| # SPDX-License-Identifier: GPL-2.0-only | |
| # | |
| # Copyright (C) 2025 Liu Yu <f78fk@live.com> |
| PKG_LICENSE:=GPL-2.0-or-later | ||
| PKG_MAINTAINER:=Liu Yu <f78fk@live.com> |
There was a problem hiding this comment.
| PKG_LICENSE:=GPL-2.0-or-later | |
| PKG_MAINTAINER:=Liu Yu <f78fk@live.com> | |
| PKG_MAINTAINER:=Liu Yu <f78fk@live.com> | |
| PKG_LICENSE:=GPL-2.0-or-later | |
| PKG_LICENSE_FILES:=LICENSE |
There was a problem hiding this comment.
Leave uci-defaults alone, use a plain config and apk/opkg will take care for this for you.
One more suggestion, you don't want to maintain the config file in your repo? IHMO you have full control there, but is up to you as a maintainer to decide.
5a18d2f to
f97851f
Compare
Thank you for your review. I’ve updated the package according to your suggestions and tested it on the amd64 platform — it works well. The build errors on other platforms are due to a dependency on bind-dig, which currently fails to build on the OpenWrt main branch. However, this issue has already been fixed in the following PR: |
783352e to
b92ff16
Compare
b92ff16 to
c82ae53
Compare
c82ae53 to
b2d5799
Compare
a8d77ad to
3988eb4
Compare
ae55f7b to
5721043
Compare
|
Updated the PKG_HASH to match the official source and rebased onto master. Also manually verified on real hardware:
|
openwrt-ai
left a comment
There was a problem hiding this comment.
Reviewed the current diff (single commit a5f34ec, only net/dnssec-check/Makefile — the C source now ships in the external release tarball). Verified tag v1.0.2 exists in the source repo, matching PKG_VERSION. CI reports no checks on the head commit yet, so nothing to ground there. One inline comment on the link flags.
Generated by Claude Code
| $(TARGET_CC) $(TARGET_CFLAGS) \ | ||
| -o $(PKG_BUILD_DIR)/dnssec-check \ | ||
| $(PKG_BUILD_DIR)/dnssec-check.c -luci |
There was a problem hiding this comment.
The link command omits $(TARGET_LDFLAGS). OpenWrt puts its target link-time settings (staging -L paths and the default hardening flags such as RELRO/-z now) into TARGET_LDFLAGS, so linking -luci without it produces a binary that misses those flags and deviates from the in-tree convention — e.g. package/network/utils/rssileds/Makefile and package/utils/bsdiff/Makefile both pass $(TARGET_LDFLAGS) on the compile+link line.
| $(TARGET_CC) $(TARGET_CFLAGS) \ | |
| -o $(PKG_BUILD_DIR)/dnssec-check \ | |
| $(PKG_BUILD_DIR)/dnssec-check.c -luci | |
| $(TARGET_CC) $(TARGET_CFLAGS) $(TARGET_LDFLAGS) \ | |
| -o $(PKG_BUILD_DIR)/dnssec-check \ | |
| $(PKG_BUILD_DIR)/dnssec-check.c -luci |
Generated by Claude Code
This adds a lightweight tool to check whether the current DNS resolver supports DNSSEC validation. The tool uses dig for DNS queries and supports configuring two reference domains for testing via UCI: - secure domain (default: nic.cz) - broken domain (default: dnssec-failed.org) It determines DNSSEC support based on these queries and reports severity levels: secure, medium, insecure. Co-authored-by: Wesley Gimenes <wehagy+github@gmail.com> Signed-off-by: Liu Yu <f78fk@live.com>
openwrt-ai
left a comment
There was a problem hiding this comment.
Reviewed 1 new commit; no new issues found.
The Build/Compile line now passes $(TARGET_LDFLAGS), which addresses my previous comment about the missing target link flags. The remainder of net/dnssec-check/Makefile is unchanged. CI reports no checks on the head commit yet, so nothing to ground there.
Generated by Claude Code



This adds a lightweight tool to check whether the current DNS resolver supports DNSSEC validation. The tool uses dig for DNS queries and supports configuring two reference domains for testing via UCI:
It determines DNSSEC support based on these queries and reports severity levels: secure, medium, insecure.