--- /dev/null
+. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
local ffi = require('ffi')
+-- count warning messages
+warn_msg = {}
+overriding_msg="[ ta ] warning: overriding previously set trust anchors for ."
+warn_msg[overriding_msg] = 0
+function warn(fmt, ...)
+ msg = string.format(fmt, ...)
+ if warn_msg[msg] ~= nil then
+ warn_msg[msg] = warn_msg[msg] + 1
+ end
+end
+
-- Test that adding a revoked DNSKEY is refused.
local function test_revoked_key()
local ta_c = kres.context().trust_anchors
same(root_ta == nil, true, 'C interface does not have the removed key')
end
+local function test_add_file()
+ boom(trust_anchors.add_file, {'nonwriteable/root.keys', false},
+ "Managed trust anchor in non-writeable directory")
+
+ boom(trust_anchors.add_file, {'nonexist.keys', true},
+ "Nonexist unmanaged trust anchor file")
+
+ is(warn_msg[overriding_msg], 0, "No override warning messages at start of test")
+ trust_anchors.add_file('root.keys', true)
+ trust_anchors.add_file('root.keys', true)
+ is(warn_msg[overriding_msg], 1, "Warning message when override trust anchors")
+
+ is(trust_anchors.keysets['\0'][1].key_tag, 20326,
+ "Loaded KeyTag from root.keys")
+end
+
return {
test_revoked_key,
test_remove,
+ test_add_file,
}
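Review bot: In the new `warn` stub, `msg = string.format(fmt, ...)` assigns a global (no `local`), so every warning call leaks `msg` into the test's global environment and can clobber any other `msg`; the line should read `local msg = string.format(fmt, ...)`. Compared with the fixture this commit deletes, the stub also no longer calls `fail` for a message that is not in `warn_msg`, so an unexpected warning raised during `trust_anchors.add_file` now passes silently; if that relaxation is intended, a comment such as `-- only the override warning is counted; other warnings are ignored` above the function would make it explicit. The `is(warn_msg[overriding_msg], 0, ...)` check at the start of `test_add_file` presumably depends on `test_revoked_key` and `test_remove` never emitting the override warning, which ties the assertion to the order of the returned test list; resetting `warn_msg[overriding_msg] = 0` at the top of `test_add_file` would remove that dependency. The file and hunk headers for this Lua test are outside the visible chunk.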
addr_array_t tls_set;
fd_array_t fd_set;
fd_array_t tls_fd_set;
- char *keyfile;
- int keyfile_unmanaged;
const char *config;
int control_fd;
const char *rundir;
bool tty_binary_output;
};
-/* lua_pcall helper function */
-static inline char *lua_strerror(int lua_err) {
- switch (lua_err) {
- case LUA_ERRRUN: return "a runtime error";
- case LUA_ERRMEM: return "memory allocation error.";
- case LUA_ERRERR: return "error while running the error handler function.";
- default: return "a unknown error";
- }
-}
-
/**
* TTY control: process input and free() the buffer.
*
" -S, --fd=[fd] Listen on given fd (handed out by supervisor).\n"
" -T, --tlsfd=[fd] Listen using TLS on given fd (handed out by supervisor).\n"
" -c, --config=[path] Config file path (relative to [rundir]) (default: config).\n"
- " -k, --keyfile=[path] File with root domain trust anchors (DS or DNSKEY), automatically updated.\n"
- " -K, --keyfile-ro=[path] File with read-only root domain trust anchors, for use with an external updater.\n"
" -f, --forks=N Start N forks sharing the configuration.\n"
" -q, --quiet No command prompt in interactive mode.\n"
" -v, --verbose Run in verbose mode."
}
#endif
-static int set_keyfile(struct engine *engine, char *keyfile, bool unmanaged)
-{
- assert(keyfile != NULL);
- auto_free char *cmd = afmt("trust_anchors.config('%s',%s)",
- keyfile, unmanaged ? "true" : "nil");
- if (!cmd) {
- kr_log_error("[system] not enough memory\n");
- return kr_error(ENOMEM);
- }
- int lua_ret = engine_cmd(engine->L, cmd, false);
- if (lua_ret != 0) {
- if (lua_gettop(engine->L) > 0) {
- kr_log_error("%s\n", lua_tostring(engine->L, -1));
- } else {
- kr_log_error("[ ta ] keyfile '%s': failed to load (%s)\n",
- keyfile, lua_strerror(lua_ret));
- }
- return lua_ret;
- }
-
- lua_settop(engine->L, 0);
- return kr_ok();
-}
-
-
static void args_init(struct args *args)
{
memset(args, 0, sizeof(struct args));
{"fd", required_argument, 0, 'S'},
{"tlsfd", required_argument, 0, 'T'},
{"config", required_argument, 0, 'c'},
- {"keyfile", required_argument, 0, 'k'},
- {"keyfile-ro", required_argument, 0, 'K'},
{"forks", required_argument, 0, 'f'},
{"verbose", no_argument, 0, 'v'},
{"quiet", no_argument, 0, 'q'},
return EXIT_FAILURE;
}
break;
- case 'K':
- args->keyfile_unmanaged = 1;
- case 'k':
- if (args->keyfile != NULL) {
- kr_log_error("[system] error only one of '--keyfile' and '--keyfile-ro' allowed\n");
- return EXIT_FAILURE;
- }
- args->keyfile = optarg;
- break;
case 'v':
kr_verbose_set(true);
#ifdef NOVERBOSELOG
}
lua_settop(engine.L, 0);
}
- if (args.keyfile != NULL && set_keyfile(&engine, args.keyfile, args.keyfile_unmanaged) != 0) {
- ret = EXIT_FAILURE;
- goto cleanup;
- }
if (args.config == NULL || strcmp(args.config, "-") !=0) {
if(engine_load_defaults(&engine) != 0) {
ret = EXIT_FAILURE;
.IR fd ]
.RB [ \-c | \-\-config
.IR config ]
-.RB [ \-k | \-\-keyfile
-.IR keyfile ]
-.RB [ \-K | \-\-keyfile\-ro
-.IR keyfile ]
.RB [ \-f | \-\-forks
.IR N ]
.RB [ \-q | \-\-quiet ]
.PP
.nf
.RS 6n
-$ kresd -a 127.0.0.1 -k root.keys
+$ kresd -a 127.0.0.1
[system] interactive mode
>
.RE
$ cat << EOF > config
modules = { 'policy' }
policy.add(policy.all(policy.FORWARD('192.168.1.1')))
-$ kresd -a 127.0.0.1 -k root.keys
+$ kresd -a 127.0.0.1
EOF
.RE
.fi
file at the default location (\fIconfig\fR). The syntax is
described in \fIdaemon/README.md\fR.
.TP
-.B \-k\fI keyfile\fR, \fB\-\-keyfile=\fI<keyfile>
-(Recommended!) Automatically managed root trust anchors file.
-Root trust anchors in this file are managed using standard RFC 5011 (Automated Updates of DNS Security Trust Anchors).
-Kresd needs write access to the directory containing the keyfile.
-
-If the file does not exist, it will be automatically boostrapped from IANA using HTTPS protocol
-and warning that you need to to check the key before trusting it will be issued.
-
-The file contains DNSKEY/DS records in presentation format,
-and is compatible with Unbound and BIND 9 root key files.
-@man_managed_keyfile_default@
-.TP
-.B \-K\fI keyfile\fR, \fB\-\-keyfile\-ro=\fI<keyfile>
-(Discouraged) Static root trust anchors file. The file is not updated by kresd. Use of this option is discouraged because it will break your installation when the trust anchor key changes!
-@man_unmanaged_keyfile_default@
-.TP
.B \-f\fI N\fR, \fB\-\-forks=\fI<N>
With this option, the daemon is started in non-interactive mode and instead creates a
UNIX socket in \fIrundir\fR that the operator can connect to for interactive session.
+++ /dev/null
--- test fixtures
-
--- count warning message, fail with other than allowed message
-warn_msg = {}
-overriding_msg="[ ta ] warning: overriding previously set trust anchors for ."
-warn_msg[overriding_msg] = 0
-function warn(fmt, ...)
- msg = string.format(fmt, ...)
- if warn_msg[msg] == nil then
- fail(string.format("Not allowed warn message: %s", msg))
- else
- warn_msg[msg] = warn_msg[msg] + 1
- end
-end
-
--- tests
-
-boom(trust_anchors.add_file, {'nonwriteable/root.keys', false},
- "Managed trust anchor in non-writeable directory")
-
-boom(trust_anchors.add_file, {'nonexist.keys', true},
- "Nonexist unmanaged trust anchor file")
-
-trust_anchors.add_file('root2.keys', true)
-trust_anchors.add_file('root1.keys', true)
-is(warn_msg[overriding_msg], 1, "Warning message when override trust anchors")
-
-is(trust_anchors.keysets['\0'][1].key_tag, 19036,
- "Loaded KeyTag from root1.keys")
-
-local function test_loading_from_cmdline()
- is(trust_anchors.keysets['\0'][1].key_tag , 20326,
- "Loaded KeyTag from cmdline file root2.keys")
- is(warn_msg[overriding_msg], 2, "Warning message when override trust anchors")
-end
-
-return {test_loading_from_cmdline}
+++ /dev/null
--- simulate building without keyfile_default
-trust_anchors.keyfile_default = nil
+++ /dev/null
--- simulate building with keyfile_default
-trust_anchors.keyfile_default = "../../../../tests/config/keyfile/root1.keys"
+++ /dev/null
-. 172800 DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ; Valid: ; KeyTag:19036
+++ /dev/null
-. 172800 DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ; Valid: ; KeyTag:20326
config_tests += [
['basic', files('basic.test.lua'), [], false, ['skip_asan']],
['cache', files('cache.test.lua'), [], false, ['skip_asan']],
- ['keyfile.bad_args', files('keyfile/bad_args.test.lua'),
- ['--keyfile-ro', 'root.keys',
- '--keyfile', 'root.keys'],
- true,
- ],
- ['keyfile.load_ta', files('keyfile/load_ta.test.lua'),
- ['--keyfile-ro', files('keyfile/root2.keys')]
- ],
- ['keyfile.nonexist1', files('keyfile/nonexist1.test.lua'),
- ['--keyfile-ro', 'nonexist'],
- true,
- ],
- ['keyfile.nonexist2', files('keyfile/nonexist2.test.lua'),
- ['--keyfile-ro', 'nonexist'],
- true,
- ],
['lru', files('lru.test.lua')],
['tls', files('tls.test.lua')],
['worker', files('worker.test.lua')],