trust anchors: make bootstrap configurable
authorVladimír Čunát <vladimir.cunat@nic.cz>
Mon, 6 Feb 2017 16:56:50 +0000 (17:56 +0100)
committerVladimír Čunát <vladimir.cunat@nic.cz>
Thu, 9 Feb 2017 16:42:26 +0000 (17:42 +0100)
... via trust_anchors.{bootstrap_url,bootstrap_ca}

config.mk
daemon/daemon.mk
daemon/engine.c
daemon/lua/trust_anchors.lua.in [moved from daemon/lua/trust_anchors.lua with 98% similarity]

index 0b5e7569cfcc00fe9ae21ad9b12ef0bab6603598..ad531b4605833971f2d4751257d492710d5e9a6e 100644 (file)
--- a/config.mk
+++ b/config.mk
@@ -30,7 +30,7 @@ INSTALL := install
 # Flags
 BUILD_LDFLAGS += $(LDFLAGS)
 BUILD_CFLAGS := $(CFLAGS) -std=c99 -D_GNU_SOURCE -Wno-unused -Wtype-limits -Wformat -Wformat-security -Wall -I$(abspath .) -I$(abspath lib/generic) -I$(abspath contrib) -I$(abspath contrib/lmdb)
-BUILD_CFLAGS += -DPACKAGE_VERSION="\"$(VERSION)\"" -DPREFIX="\"$(PREFIX)\"" -DMODULEDIR="\"$(MODULEDIR)\"" -DETCDIR="\"$(ETCDIR)\""
+BUILD_CFLAGS += -DPACKAGE_VERSION="\"$(VERSION)\"" -DPREFIX="\"$(PREFIX)\"" -DMODULEDIR="\"$(MODULEDIR)\""
 ifeq (,$(findstring -O,$(CFLAGS)))
        BUILD_CFLAGS += -O2
 endif
index 2ab212133471a1a5ef04eb531e927b4d07658096..23a219480d79032da2b2b54c3bdd417ce62b3177 100644 (file)
@@ -51,7 +51,10 @@ ifneq ($(SED),)
        $(INSTALL) -m 0644 doc/kresd.8 $(DESTDIR)$(MANDIR)/man8/
 endif
 daemon-clean: kresd-clean
-       @$(RM) daemon/lua/*.inc
+       @$(RM) daemon/lua/*.inc daemon/lua/trust_anchors.lua
+
+daemon/lua/trust_anchors.lua: daemon/lua/trust_anchors.lua.in
+       @$(call quiet,SED,$<) -e "s|@ETCDIR@|$(ETCDIR)|g" $< > $@
 
 daemon/lua/kres-gen.lua: | $(libkres)
        @echo "WARNING: regenerating $@"
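Review bot: The sed expression `s|@ETCDIR@|$(ETCDIR)|g` in the new `daemon/lua/trust_anchors.lua` rule is assembled by textual substitution, so an ETCDIR value containing `|`, `&` or a backslash would be mis-parsed by sed or expanded as a back-reference and silently yield a wrong CA path in the generated file. Either document that constraint in a comment above the rule, e.g. `# ETCDIR must not contain '|', '&' or '\' (used unescaped in the sed expression)`, or escape those characters before substitution. It is also not visible in this hunk which build or install target depends on the generated `daemon/lua/trust_anchors.lua`; if none does, the file is only produced on demand, which is worth confirming against the rest of daemon.mk.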
index 23d03986381b060015e8a49f6a3371dd1aa65e8a..f1abe179cb169e427d1b210a080ed4ca24c652ce 100644 (file)
@@ -550,8 +550,6 @@ static int init_state(struct engine *engine)
        lua_setglobal(engine->L, "map");
        lua_pushliteral(engine->L, MODULEDIR);
        lua_setglobal(engine->L, "moduledir");
-       lua_pushliteral(engine->L, ETCDIR);
-       lua_setglobal(engine->L, "etcdir");
        lua_pushlightuserdata(engine->L, engine);
        lua_setglobal(engine->L, "__engine");
        return kr_ok();
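Review bot: Removing the `lua_setglobal(engine->L, "etcdir")` pair takes away a name that was previously visible to every Lua config and module, so any user script that still reads `etcdir` will now see nil with no error instead of a clear failure. If that global was part of the documented Lua surface (not visible here), consider keeping it for a deprecation period or recording the removal in the changelog; the rest of `init_state` lies outside the hunk.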
similarity index 98%
rename from daemon/lua/trust_anchors.lua
rename to daemon/lua/trust_anchors.lua.in
index b219e6a007ba68c2c35055adb16d02940e8fc4af..efc296b82a9ffdbb721af7a8f894c5e1f1323c2b 100644 (file)
@@ -22,8 +22,6 @@ local function bootstrap(url, ca)
        -- @todo ICANN certificate is verified against current CA
        --       this is not ideal, as it should rather verify .xml signature which
        --       is signed by ICANN long-lived cert, but luasec has no PKCS7
-       ca = ca or etcdir..'/icann-ca.pem'
-       url = url or 'https://data.iana.org/root-anchors/root-anchors.xml'
        local xml, err = https_fetch(url, ca)
        if not xml then
                return false, string.format('[ ta ] fetch of "%s" failed: %s', url, err)
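Review bot: With the two defaults dropped, `bootstrap` now passes whatever it receives straight to `https_fetch(url, ca)`, and the call in the hunk at @@ -276 forwards `trust_anchors.bootstrap_url` and `trust_anchors.bootstrap_ca` unchanged, so a configuration that sets `bootstrap_ca` to nil or false reaches the fetch with no CA at all; whether `https_fetch` still verifies the server certificate in that case is not visible here. Because this CA pin is the only check guarding the downloaded root anchors (the @todo above admits the XML signature is not verified), the function should refuse rather than depend on the helper's behaviour: `if not url or not ca then return false, '[ ta ] bootstrap needs both bootstrap_url and bootstrap_ca set' end` placed before the `https_fetch` call. The new fields in the hunk at @@ -223 would also benefit from a one-line comment each, such as `-- URL the root anchors are downloaded from when no keyfile exists` and `-- CA bundle used to verify that download; @ETCDIR@ is substituted at build time`. `bootstrap` starts before this hunk and its body continues after it.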
@@ -223,6 +221,8 @@ local trust_anchors = {
        insecure = {},
        hold_down_time = 30 * day,
        keep_removed = 0,
+       bootstrap_url = 'https://data.iana.org/root-anchors/root-anchors.xml',
+       bootstrap_ca = '@ETCDIR@/icann-ca.pem',
        -- Update existing keyset
        update = function (new_keys, initial)
                if not new_keys then return false end
@@ -276,7 +276,7 @@ local trust_anchors = {
                if trust_anchors.refresh_ev ~= nil then event.cancel(trust_anchors.refresh_ev) end
                if not unmanaged then
                        if not io.open(path, 'r') then
-                               local rr, msg = bootstrap()
+                               local rr, msg = bootstrap(trust_anchors.bootstrap_url, trust_anchors.bootstrap_ca)
                                if not rr then
                                        error('you MUST obtain the root TA manually, see: '..
                                              'https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec')