- Fix #1034: DoT forward-zone via unbound-control.

diff --git a/daemon/remote.c b/daemon/remote.c
index 5d79eafd23be12c0ff1dd8c5469d00eb6393a49f..cbce1198b27dd3119832ee51af9c9098368a4621 100644 (file)
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -2097,7 +2097,7 @@ do_forward(RES* ssl, struct worker* worker, char* args)
 
 static int
 parse_fs_args(RES* ssl, char* args, uint8_t** nm, struct delegpt** dp,
-       int* insecure, int* prime)
+       int* insecure, int* prime, int* tls)
 {
        char* zonename;
        char* rest;
@@ -2112,6 +2112,8 @@ parse_fs_args(RES* ssl, char* args, uint8_t** nm, struct delegpt** dp,
                                *insecure = 1;
                        else if(*args == 'p' && prime)
                                *prime = 1;
+                       else if(*args == 't' && tls)
+                               *tls = 1;
                        else {
                                (void)ssl_printf(ssl, "error: unknown option %s\n", args);
                                return 0;
@@ -2144,11 +2146,13 @@ static void
 do_forward_add(RES* ssl, struct worker* worker, char* args)
 {
        struct iter_forwards* fwd = worker->env.fwds;
-       int insecure = 0;
+       int insecure = 0, tls = 0;
        uint8_t* nm = NULL;
        struct delegpt* dp = NULL;
-       if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, NULL))
+       if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, NULL, &tls))
                return;
+       if(tls)
+               dp->ssl_upstream = 1;
        if(insecure && worker->env.anchors) {
                if(!anchors_add_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
                        nm)) {
@@ -2174,7 +2178,7 @@ do_forward_remove(RES* ssl, struct worker* worker, char* args)
        struct iter_forwards* fwd = worker->env.fwds;
        int insecure = 0;
        uint8_t* nm = NULL;
-       if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL))
+       if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL, NULL))
                return;
        if(insecure && worker->env.anchors)
                anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
@@ -2189,11 +2193,13 @@ static void
 do_stub_add(RES* ssl, struct worker* worker, char* args)
 {
        struct iter_forwards* fwd = worker->env.fwds;
-       int insecure = 0, prime = 0;
+       int insecure = 0, prime = 0, tls = 0;
        uint8_t* nm = NULL;
        struct delegpt* dp = NULL;
-       if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, &prime))
+       if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, &prime, &tls))
                return;
+       if(tls)
+               dp->ssl_upstream = 1;
        if(insecure && worker->env.anchors) {
                if(!anchors_add_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
                        nm)) {
@@ -2232,7 +2238,7 @@ do_stub_remove(RES* ssl, struct worker* worker, char* args)
        struct iter_forwards* fwd = worker->env.fwds;
        int insecure = 0;
        uint8_t* nm = NULL;
-       if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL))
+       if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL, NULL))
                return;
        if(insecure && worker->env.anchors)
                anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,

diff --git a/doc/Changelog b/doc/Changelog
index 64b1bcf4958c78b1a2c5400f3be22f44f03d6a39..0c43e2a5e20a599ae8ea535338a6dfec85ed3c35 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+28 March 2024: Wouter
+       - Fix #1034: DoT forward-zone via unbound-control.
+
 27 March 2024: Wouter
        - Fix name of unit test for subnet cache response.
        - Fix #1032: The size of subnet_msg_cache calculation mistake cause

diff --git a/doc/unbound-control.8.in b/doc/unbound-control.8.in
index 7823de3aade4816485edb12fe53a27389214c60a..642b4c946d35ab54b7b54ed8dc79ad5cefeefdaa 100644 (file)
--- a/doc/unbound-control.8.in
+++ b/doc/unbound-control.8.in
@@ -239,22 +239,24 @@ still be bogus, use \fBflush_zone\fR to remove it), does not affect the config f
 .B insecure_remove \fIzone
 Removes domain\-insecure for the given zone.
 .TP
-.B forward_add \fR[\fI+i\fR] \fIzone addr ...
+.B forward_add \fR[\fI+it\fR] \fIzone addr ...
 Add a new forward zone to running Unbound.  With +i option also adds a
 \fIdomain\-insecure\fR for the zone (so it can resolve insecurely if you have
 a DNSSEC root trust anchor configured for other names).
 The addr can be IP4, IP6 or nameserver names, like \fIforward-zone\fR config
 in unbound.conf.
+The +t option sets it to use tls upstream, like \fIforward\-tls\-upstream\fR: yes.
 .TP
 .B forward_remove \fR[\fI+i\fR] \fIzone
 Remove a forward zone from running Unbound.  The +i also removes a
 \fIdomain\-insecure\fR for the zone.
 .TP
-.B stub_add \fR[\fI+ip\fR] \fIzone addr ...
+.B stub_add \fR[\fI+ipt\fR] \fIzone addr ...
 Add a new stub zone to running Unbound.  With +i option also adds a
 \fIdomain\-insecure\fR for the zone.  With +p the stub zone is set to prime,
 without it it is set to notprime.  The addr can be IP4, IP6 or nameserver
 names, like the \fIstub-zone\fR config in unbound.conf.
+The +t option sets it to use tls upstream, like \fIstub\-tls\-upstream\fR: yes.
 .TP
 .B stub_remove \fR[\fI+i\fR] \fIzone
 Remove a stub zone from running Unbound.  The +i also removes a

diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c
index c4f73006196619009be4bc9eabe6a9e172674b30..57b0787dbeeb2a8a376afcab13aa8468e6bd5ff1 100644 (file)
--- a/smallapp/unbound-control.c
+++ b/smallapp/unbound-control.c
@@ -150,12 +150,13 @@ usage(void)
        printf("  list_local_data               list local-data RRs in use\n");
        printf("  insecure_add zone             add domain-insecure zone\n");
        printf("  insecure_remove zone          remove domain-insecure zone\n");
-       printf("  forward_add [+i] zone addr..  add forward-zone with servers\n");
+       printf("  forward_add [+it] zone addr.. add forward-zone with servers\n");
        printf("  forward_remove [+i] zone      remove forward zone\n");
-       printf("  stub_add [+ip] zone addr..    add stub-zone with servers\n");
+       printf("  stub_add [+ipt] zone addr..   add stub-zone with servers\n");
        printf("  stub_remove [+i] zone         remove stub zone\n");
        printf("                +i              also do dnssec insecure point\n");
        printf("                +p              set stub to use priming\n");
+       printf("                +t              set to use tls upstream\n");
        printf("  forward [off | addr ...]      without arg show forward setup\n");
        printf("                                or off to turn off root forwarding\n");
        printf("                                or give list of ip addresses\n");