+28 January 2019: Wouter
+ - ub_ctx_set_tls call for libunbound that enables DoT for the machines
+ set with ub_ctx_set_fwd. Patch from Florian Obser.
+
25 January 2019: Wouter
- Fix that tcp for auth zone and outgoing does not remove and
then gets the ssl read again applied to the deleted commpoint.
.B ub_ctx_config,
.B ub_ctx_set_fwd,
.B ub_ctx_set_stub,
+.B ub_ctx_set_tls,
.B ub_ctx_resolvconf,
.B ub_ctx_hosts,
.B ub_ctx_add_ta,
\fIint\fR isprime);
.LP
\fIint\fR
+\fBub_ctx_set_tls\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR tls);
+.LP
+\fIint\fR
\fBub_ctx_resolvconf\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
.LP
\fIint\fR
At this time it is only possible to set configuration before the
first resolve is done.
.TP
+.B ub_ctx_set_tls
+Enable DNS over TLS (DoT) for machines set with
+.B ub_ctx_set_fwd.
+At this time it is only possible to set configuration before the
+first resolve is done.
+.TP
.B ub_ctx_resolvconf
By default the root servers are queried and full resolver mode is used, but
you can use this call to read the list of nameservers to use from the
return UB_NOERROR;
}
+int ub_ctx_set_tls(struct ub_ctx* ctx, int tls)
+{
+ lock_basic_lock(&ctx->cfglock);
+ if(ctx->finalized) {
+ lock_basic_unlock(&ctx->cfglock);
+ errno=EINVAL;
+ return UB_AFTERFINAL;
+ }
+ ctx->env->cfg->ssl_upstream = tls;
+ lock_basic_unlock(&ctx->cfglock);
+ return UB_NOERROR;
+}
+
int ub_ctx_set_stub(struct ub_ctx* ctx, const char* zone, const char* addr,
int isprime)
{
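Review bot: The assignment `ctx->env->cfg->ssl_upstream = tls;` only switches the transport to TLS, and neither this function nor the added documentation tells the caller that encryption alone does not authenticate the forwarder, so an application can enable DoT and still be talking to an unverified upstream. To my knowledge the resolver verifies upstream certificates only when the `tls-cert-bundle` option is set (reachable through `ub_ctx_set_option`) and the forwarder address carries an authentication name; whether `ub_ctx_set_fwd` accepts that address form, and which port it uses by default once TLS is on, is not visible here and should be confirmed. I would add to the header comment and the man page entry: `This only encrypts queries to the forwarders; to authenticate them, also set tls-cert-bundle with ub_ctx_set_option() and give the forwarder address the DoT port (853) and an authentication name.` The `ub_ctx_set_stub` definition at the end of the hunk continues outside it.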
ub_ctx_set_fwd
ub_ctx_set_option
ub_ctx_set_stub
+ub_ctx_set_tls
ub_ctx_trustedkeys
ub_ctx_zone_add
ub_ctx_zone_remove
*/
int ub_ctx_set_fwd(struct ub_ctx* ctx, const char* addr);
+/**
+ * Use DNS over TLS to send queries to machines set with ub_ctx_set_fwd().
+ *
+ * @param ctx: context.
+ * At this time it is only possible to set configuration before the
+ * first resolve is done.
+ * @param tls: enable or disable DNS over TLS
+ * @return 0 if OK, else error.
+ */
+int ub_ctx_set_tls(struct ub_ctx* ctx, int tls);
+
/**
* Add a stub zone, with given address to send to. This is for custom
* root hints or pointing to a local authoritative dns server.