+23 May 2014: Wouter
+ - unbound-host -D enabled dnssec and reads root trust anchor from
+ the default root key file that was compiled in.
+
20 May 2014: Wouter
- Feature, unblock-lan-zones: yesno that you can use to make unbound
perform 10.0.0.0/8 and other reverse lookups normally, for use if
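Review bot: The 23 May entry says "enabled dnssec" where present tense ("enables DNSSEC validation") would match the option description, and it does not mention the target-fetch-policy "0 0 0 0 0" setting that the same change adds to unbound-host. Add a line for that setting, since it is applied before option parsing and so affects every run, not only -D.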
.SH "SYNOPSIS"
.LP
.B unbound\-host
-.RB [ \-vdhr46 ]
+.RB [ \-vdhr46D ]
.RB [ \-c
.IR class ]
.RB [ \-t
to validate the response message. Can be given as a DS or DNSKEY record.
For example \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD".
.TP
+.B \-D
+Enables DNSSEC validation. Reads the root anchor from the default configured
+root anchor at the default location, \fI@UNBOUND_ROOTKEY_FILE@\fR.
+.TP
.B \-f \fIkeyfile
Reads keys from a file. Every line has a DS or DNSKEY record, in the format
as for \-y. The zone file format, the same as dig and drill produce.
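Review bot: The \-D description is circular ("Reads the root anchor from the default configured root anchor at the default location"). Something like "Reads the root trust anchor from the default root key file, \fI@UNBOUND_ROOTKEY_FILE@\fR" says it in one pass. It should also state whether \-D can be combined with \-y and \-f, since all of them add trust anchors.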
printf(" -c class what class to look for, if not class IN.\n");
printf(" -y 'keystring' specify trust anchor, DS or DNSKEY, like\n");
printf(" -y 'example.com DS 31560 5 1 1CFED8478...'\n");
+ printf(" -D DNSSEC enable with default root anchor\n");
+ printf(" from %s\n", ROOT_ANCHOR_FILE);
printf(" -f keyfile read trust anchors from file, with lines as -y.\n");
printf(" -F keyfile read named.conf-style trust anchors.\n");
printf(" -C config use the specified unbound.conf (none read by default)\n");
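Review bot: The -D help line reads "DNSSEC enable with default root anchor"; "enable DNSSEC with the default root anchor" would match the verb-first style of the neighbouring lines ("read trust anchors from file", "use the specified unbound.conf"). The path printed here comes from ROOT_ANCHOR_FILE while the man page substitutes @UNBOUND_ROOTKEY_FILE@, so confirm both are filled from the same configure value.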
fprintf(stderr, "error: out of memory\n");
exit(1);
}
+ /* no need to fetch additional targets, we only do few lookups */
+ check_ub_res(ub_ctx_set_option(ctx, "target-fetch-policy:", "0 0 0 0 0"));
/* parse the options */
- while( (c=getopt(argc, argv, "46F:c:df:hrt:vy:C:")) != -1) {
+ while( (c=getopt(argc, argv, "46DF:c:df:hrt:vy:C:")) != -1) {
switch(c) {
case '4':
check_ub_res(ub_ctx_set_option(ctx, "do-ip6:", "no"));
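Review bot: The target-fetch-policy call sits before the getopt loop, so it applies to every unbound-host run, and a file loaded later with -C can set the option again. The comment should say it is a default that -C may override, or the call should move after option parsing if the value is meant to be fixed. It is also independent of -D and would be easier to review as its own change.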
case 'C':
check_ub_res(ub_ctx_config(ctx, optarg));
break;
+ case 'D':
+ check_ub_res(ub_ctx_add_ta_file(ctx, ROOT_ANCHOR_FILE));
+ break;
case 'd':
debuglevel++;
if(debuglevel < 2)
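Review bot: case 'D' passes ROOT_ANCHOR_FILE straight to ub_ctx_add_ta_file, so when that file is missing or unreadable the only feedback is whatever check_ub_res prints for the library error. Include the path in that failure, for example "could not read root anchor %s", so the user can tell that -D failed on the compiled-in default and not on a -f or -y argument.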