[PR PATCH] dnsmasq: enable dnssec build option by default

[PR PATCH] dnsmasq: enable dnssec build option by default

[rvighne]

[-- Attachment #1: Type: text/plain, Size: 755 bytes --]

There is a new pull request by rvighne against master on the void-packages repository

https://github.com/rvighne/void-packages dnsmasq/enable-dnssec
https://github.com/void-linux/void-packages/pull/41786

dnsmasq: enable dnssec build option by default
#### Testing the changes
- I tested the changes in this PR: **YES**

#### Local build testing
- I built this PR locally for my native architecture, x86_64-musl

#### Notes
I uncommented these lines in `/etc/dnsmasq.conf`;
```
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
```

Logs show it worked:
```
DNSSEC validation enabled
configured with trust anchor for <root> keytag 20326
```

A patch file from https://github.com/void-linux/void-packages/pull/41786.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-dnsmasq/enable-dnssec-41786.patch --]
[-- Type: text/x-diff, Size: 969 bytes --]

From 38e1e3b10a427d631541cef5f58b95d6baf8a351 Mon Sep 17 00:00:00 2001
From: Rohit Vighne <rohit.vighne@gmail.com>
Date: Fri, 20 Jan 2023 21:19:53 -0500
Subject: [PATCH] dnsmasq: enable dnssec build option by default

---
 srcpkgs/dnsmasq/template | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/srcpkgs/dnsmasq/template b/srcpkgs/dnsmasq/template
index ce8536b96140..df39285ca940 100644
--- a/srcpkgs/dnsmasq/template
+++ b/srcpkgs/dnsmasq/template
@@ -16,6 +16,7 @@ system_accounts="dnsmasq"
 dnsmasq_homedir="/var/chroot"
 
 build_options="dnssec"
+build_options_default="dnssec"
 desc_option_dnssec="Enable DNSSEC support via nettle"
 
 do_build() {
@@ -31,6 +32,8 @@ do_install() {
 	make PREFIX=/usr BINDIR=/usr/bin DESTDIR=${DESTDIR} install
 
 	vsv dnsmasq
+	vsconf dnsmasq.conf.example dnsmasq.conf
 	vconf dnsmasq.conf.example dnsmasq.conf
 	vinstall ${FILESDIR}/dbus.conf 644 etc/dbus-1/system.d
+	vinstall trust-anchors.conf 644 usr/share/dnsmasq
 }

Re: [PR PATCH] [Updated] dnsmasq: enable dnssec build option by default

[rvighne]

[-- Attachment #1: Type: text/plain, Size: 760 bytes --]

There is an updated pull request by rvighne against master on the void-packages repository

https://github.com/rvighne/void-packages dnsmasq/enable-dnssec
https://github.com/void-linux/void-packages/pull/41786

dnsmasq: enable dnssec build option by default
#### Testing the changes
- I tested the changes in this PR: **YES**

#### Local build testing
- I built this PR locally for my native architecture, x86_64-musl

#### Notes
I uncommented these lines in `/etc/dnsmasq.conf`;
```
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
```

Logs show it worked:
```
DNSSEC validation enabled
configured with trust anchor for <root> keytag 20326
```

A patch file from https://github.com/void-linux/void-packages/pull/41786.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-dnsmasq/enable-dnssec-41786.patch --]
[-- Type: text/x-diff, Size: 969 bytes --]

From 38e1e3b10a427d631541cef5f58b95d6baf8a351 Mon Sep 17 00:00:00 2001
From: Rohit Vighne <rohit.vighne@gmail.com>
Date: Fri, 20 Jan 2023 21:19:53 -0500
Subject: [PATCH] dnsmasq: enable dnssec build option by default

---
 srcpkgs/dnsmasq/template | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/srcpkgs/dnsmasq/template b/srcpkgs/dnsmasq/template
index ce8536b96140..df39285ca940 100644
--- a/srcpkgs/dnsmasq/template
+++ b/srcpkgs/dnsmasq/template
@@ -16,6 +16,7 @@ system_accounts="dnsmasq"
 dnsmasq_homedir="/var/chroot"
 
 build_options="dnssec"
+build_options_default="dnssec"
 desc_option_dnssec="Enable DNSSEC support via nettle"
 
 do_build() {
@@ -31,6 +32,8 @@ do_install() {
 	make PREFIX=/usr BINDIR=/usr/bin DESTDIR=${DESTDIR} install
 
 	vsv dnsmasq
+	vsconf dnsmasq.conf.example dnsmasq.conf
 	vconf dnsmasq.conf.example dnsmasq.conf
 	vinstall ${FILESDIR}/dbus.conf 644 etc/dbus-1/system.d
+	vinstall trust-anchors.conf 644 usr/share/dnsmasq
 }

Re: [PR PATCH] [Updated] dnsmasq: enable dnssec build option by default

[rvighne]

[-- Attachment #1: Type: text/plain, Size: 760 bytes --]

There is an updated pull request by rvighne against master on the void-packages repository

https://github.com/rvighne/void-packages dnsmasq/enable-dnssec
https://github.com/void-linux/void-packages/pull/41786

dnsmasq: enable dnssec build option by default
#### Testing the changes
- I tested the changes in this PR: **YES**

#### Local build testing
- I built this PR locally for my native architecture, x86_64-musl

#### Notes
I uncommented these lines in `/etc/dnsmasq.conf`;
```
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
```

Logs show it worked:
```
DNSSEC validation enabled
configured with trust anchor for <root> keytag 20326
```

A patch file from https://github.com/void-linux/void-packages/pull/41786.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-dnsmasq/enable-dnssec-41786.patch --]
[-- Type: text/x-diff, Size: 969 bytes --]

From 69b34e3349c074d98a097f8d1cc975832049eb6e Mon Sep 17 00:00:00 2001
From: Rohit Vighne <rohit.vighne@gmail.com>
Date: Fri, 20 Jan 2023 21:19:53 -0500
Subject: [PATCH] dnsmasq: enable dnssec build option by default

---
 srcpkgs/dnsmasq/template | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/srcpkgs/dnsmasq/template b/srcpkgs/dnsmasq/template
index b1c984f7dc4f..a11dd9f08e2a 100644
--- a/srcpkgs/dnsmasq/template
+++ b/srcpkgs/dnsmasq/template
@@ -16,6 +16,7 @@ system_accounts="dnsmasq"
 dnsmasq_homedir="/var/chroot"
 
 build_options="dnssec"
+build_options_default="dnssec"
 desc_option_dnssec="Enable DNSSEC support via nettle"
 
 do_build() {
@@ -31,6 +32,8 @@ do_install() {
 	make PREFIX=/usr BINDIR=/usr/bin DESTDIR=${DESTDIR} install
 
 	vsv dnsmasq
+	vsconf dnsmasq.conf.example dnsmasq.conf
 	vconf dnsmasq.conf.example dnsmasq.conf
 	vinstall ${FILESDIR}/dbus.conf 644 etc/dbus-1/system.d
+	vinstall trust-anchors.conf 644 usr/share/dnsmasq
 }

Re: dnsmasq: enable dnssec build option by default

[rvighne]

[-- Attachment #1: Type: text/plain, Size: 328 bytes --]

New comment by rvighne on void-packages repository

https://github.com/void-linux/void-packages/pull/41786#issuecomment-1427127356

Comment:
Not sure why this PR is being ignored; can I get a code review on this? @ahesford @paper42 since I see you most recently modified this file. @pullmoll since you added this build option. 

Re: [PR REVIEW] dnsmasq: enable dnssec build option by default

[ahesford]

[-- Attachment #1: Type: text/plain, Size: 220 bytes --]

New review comment by ahesford on void-packages repository

https://github.com/void-linux/void-packages/pull/41786#discussion_r1103887742

Comment:
What is the value of this? We already ship the default config in`/etc`.

Re: [PR REVIEW] dnsmasq: enable dnssec build option by default

[rvighne]

[-- Attachment #1: Type: text/plain, Size: 424 bytes --]

New review comment by rvighne on void-packages repository

https://github.com/void-linux/void-packages/pull/41786#discussion_r1133319617

Comment:
The file in /etc is meant to be modified, so you don't get to keep the original settings around unless you copied it out. It seems like there's an established pattern of storing the default settings for a package in /usr/share/examples which this `vsconf` directive automates.

Re: dnsmasq: enable dnssec build option by default

[rvighne]

[-- Attachment #1: Type: text/plain, Size: 1708 bytes --]

New comment by rvighne on void-packages repository

https://github.com/void-linux/void-packages/pull/41786#issuecomment-1465298617

Comment:
> Don't ping people just because they touched a template. We're a small, volunteer group without strict procedures for review and acceptance. People get to things when they get to them. When somebody comes along that has an interest in this package and in your change to the default build options, that person will likely comment or merge the changes.

Understood. Though I don't see how a new contributor could tell the difference between "reviewers have seen this but they're busy so they'll get to it eventually" and "there's something wrong with this PR so nobody's reviewing it".

> I have no idea whether enabling this option by default will break somebody's workflow. You show that the option works when you enable it, but offer no comments about what impact this change might have in existing users.

This option enables a feature that is disabled by default unless you have `dnssec` in the config file. It's not possible that someone already had this option enabled and their dnsmasq instance will suddenly start to behave differently, because non-dnssec-capable builds of dnsmasq will fail to start up if given that flag.

Enabling the dnssec build option also has the side effect of adding `nettle` as a dependency, which is tiny (600KB).

Also, it's pretty unlikely in 2023 that you would want to set up a DNS resolver that ignores DNSSEC. I don't know if Void has any guidelines for this type of thing, but having secure defaults (and not making users build their own package just to get a basic security feature) seems like a good idea to me.

Re: dnsmasq: enable dnssec build option by default

[github-actions]

[-- Attachment #1: Type: text/plain, Size: 305 bytes --]

New comment by github-actions[bot] on void-packages repository

https://github.com/void-linux/void-packages/pull/41786#issuecomment-1585973935

Comment:
Pull Requests become stale 90 days after last activity and are closed 14 days after that.  If this pull request is still relevant bump it or assign it.

Re: [PR PATCH] [Closed]: dnsmasq: enable dnssec build option by default

[github-actions]

[-- Attachment #1: Type: text/plain, Size: 590 bytes --]

There's a closed pull request on the void-packages repository

dnsmasq: enable dnssec build option by default
https://github.com/void-linux/void-packages/pull/41786

Description:
#### Testing the changes
- I tested the changes in this PR: **YES**

#### Local build testing
- I built this PR locally for my native architecture, x86_64-musl

#### Notes
I uncommented these lines in `/etc/dnsmasq.conf`;
```
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
```

Logs show it worked:
```
DNSSEC validation enabled
configured with trust anchor for <root> keytag 20326
```

Re: [PR REVIEW] dnsmasq: enable dnssec build option by default

[abenson]

[-- Attachment #1: Type: text/plain, Size: 249 bytes --]

New review comment by abenson on void-packages repository

https://github.com/void-linux/void-packages/pull/41786#discussion_r1241001929

Comment:
If the config is modified, the new default file will be placed at `/etc/dnsmasq.conf.new.${version}`.