turned on, but there are trust anchors, and then turns off disable-edns-do.
free(taglist);
return 0;
}
+
+struct trust_anchor*
+anchors_find_any_noninsecure(struct val_anchors* anchors)
+{
+ struct trust_anchor* ta, *next;
+ lock_basic_lock(&anchors->lock);
+ ta=(struct trust_anchor*)rbtree_first(anchors->tree);
+ while((rbnode_type*)ta != RBTREE_NULL) {
+ next = (struct trust_anchor*)rbtree_next(&ta->node);
+ lock_basic_lock(&ta->lock);
+ if(ta->numDS != 0 || ta->numDNSKEY != 0) {
+ /* not an insecurepoint */
+ lock_basic_unlock(&anchors->lock);
+ return ta;
+ }
+ lock_basic_unlock(&ta->lock);
+ ta = next;
+ }
+ lock_basic_unlock(&anchors->lock);
+ return NULL;
+}
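Review bot: The early-return path in anchors_find_any_noninsecure releases `anchors->lock` but deliberately leaves `ta->lock` held, and nothing at that spot says so, so it reads like a missed unlock. I would replace the comment inside the `if` with `/* not an insecurepoint; return with ta->lock held, caller must unlock */`. The prototype comment added in the header hunk says only "It is locked."; its `@return` line would be clearer as `@return trust anchor with its lock held (caller unlocks it), or NULL if there is none.` A caller that forgets the unlock keeps that anchor's lock held indefinitely, so the ownership rule is worth stating in both places.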
int anchor_has_keytag(struct val_anchors* anchors, uint8_t* name, int namelabs,
size_t namelen, uint16_t dclass, uint16_t keytag);
+/**
+ * Find an anchor that is not an insecure point, if any, or there are no
+ * DNSSEC verification anchors if none.
+ * @param anchors: anchor storage
+ * @return trust anchor or NULL. It is locked.
+ */
+struct trust_anchor* anchors_find_any_noninsecure(struct val_anchors* anchors);
+
#endif /* VALIDATOR_VAL_ANCHOR_H */
log_err("validator: could not apply configuration settings.");
return 0;
}
+ if(env->cfg->disable_edns_do) {
+ struct trust_anchor* anchor = anchors_find_any_noninsecure(
+ env->anchors);
+ if(anchor) {
+ char b[257];
+ dname_str(anchor->name, b);
+ log_warn("validator: disable-edns-do is enabled, but there is a trust anchor for '%s'. Since DNSSEC could not work, the disable-edns-do setting is turned off. Continuing without it.", b);
+ lock_basic_unlock(&anchor->lock);
+ env->cfg->disable_edns_do = 0;
+ }
+ }
return 1;
}
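Review bot: The call `dname_str(anchor->name, b)` passes no length, so the safety of the 257-byte stack buffer `b` depends entirely on dname_str's contract, which is not visible in this hunk. I would tie the size to the project's maximum-name-length constant (LDNS_MAX_DOMAINLEN, if that is the intended bound) or at least add `/* dname_str writes at most a full presentation-format name plus NUL */` above the declaration, so the bound can be checked. The warning is also logged while `anchor->lock` is still held; copying the name and then calling `lock_basic_unlock(&anchor->lock);` before `log_warn(...)` would shorten the time the lock is held. Finally, `env->cfg->disable_edns_do = 0` is written during validator setup, and the hunk does not show whether other code has already read the setting. A short comment stating that this runs before any reader would help. The enclosing function begins outside the hunk.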