git.ipfire.org Git - thirdparty/systemd.git/commit

resolved: add negative trust anchro support, and add trust anchor configuration files

This adds negative trust anchor support and allows reading trust anchor
data from disk, from files
/etc/systemd/dnssec-trust-anchors.d/*.positive and
/etc/systemd/dnssec-trust-anchros.d/*.negative, as well as the matching
counterparts in /usr/lib and /run.

The positive trust anchor files are more or less compatible to normal
DNS zone files containing DNSKEY and DS RRs. The negative trust anchor
files contain only new-line separated hostnames for which to require no
signing.

By default no trust anchor files are installed, in which case the
compiled-in root domain DS RR is used, as before. As soon as at least
one positive root anchor for the root is defined via trust anchor files
this buil-in DS RR is not added though.

author	Lennart Poettering <lennart@poettering.net>
	Sat, 2 Jan 2016 21:12:13 +0000 (22:12 +0100)
committer	Lennart Poettering <lennart@poettering.net>
	Sun, 3 Jan 2016 11:59:26 +0000 (12:59 +0100)
commit	8e54f5d90a6b9dd1ff672fb97ea98de66c49e332
tree	62f9c69d04c8925d7ff78aabf9755482c3e24ee7	tree \| snapshot
parent	e48b9a6490222f59201615a1be25c0a46d7d79b5	commit \| diff

src/resolve/resolved-dns-dnssec.c		diff \| blob \| blame \| history
src/resolve/resolved-dns-rr.c		diff \| blob \| blame \| history
src/resolve/resolved-dns-rr.h		diff \| blob \| blame \| history
src/resolve/resolved-dns-transaction.c		diff \| blob \| blame \| history
src/resolve/resolved-dns-trust-anchor.c		diff \| blob \| blame \| history
src/resolve/resolved-dns-trust-anchor.h		diff \| blob \| blame \| history