ENABLE_DNSCRYPT_XCHACHA20
DNSTAP_OBJ
DNSTAP_SRC
+DNSTAP_SOCKET_PATH
opt_dnstap_socket_path
ENABLE_DNSTAP
PROTOC_C
#define DNSTAP_SOCKET_PATH "$hdr_dnstap_socket_path"
_ACEOF
+ DNSTAP_SOCKET_PATH="$hdr_dnstap_socket_path"
+
DNSTAP_SRC="dnstap/dnstap.c dnstap/dnstap.pb-c.c dnstap/dnstap_fstrm.c dnstap/dtstream.c"
ACX_ESCAPE_BACKSLASH($opt_dnstap_socket_path, hdr_dnstap_socket_path)
AC_DEFINE_UNQUOTED(DNSTAP_SOCKET_PATH,
["$hdr_dnstap_socket_path"], [default dnstap socket path])
+ AC_SUBST(DNSTAP_SOCKET_PATH,["$hdr_dnstap_socket_path"])
AC_SUBST([DNSTAP_SRC], ["dnstap/dnstap.c dnstap/dnstap.pb-c.c dnstap/dnstap_fstrm.c dnstap/dtstream.c"])
AC_SUBST([DNSTAP_OBJ], ["dnstap.lo dnstap.pb-c.lo dnstap_fstrm.lo dtstream.lo"])
int dt_io_thread_apply_cfg(struct dt_io_thread* dtio, struct config_file *cfg)
{
- /*
- dtio->upstream_is_tcp = 1;
- dtio->ip_str = strdup("127.0.0.1@1234");
- */
-#ifdef HAVE_SSL
- dtio->upstream_is_tls = 1;
- dtio->ip_str = strdup("127.0.0.1@1234");
- //dtio->tls_server_name;
- dtio->use_client_certs = 0;
- if(dtio->use_client_certs) {
- //dtio->client_key_file = NULL;
- //dtio->client_cert_file = NULL;
- } else {
- free(dtio->client_key_file);
- dtio->client_key_file = NULL;
- free(dtio->client_cert_file);
- dtio->client_cert_file = NULL;
- }
- dtio->ssl_ctx = connect_sslctx_create(dtio->client_key_file,
- dtio->client_cert_file, cfg->tls_cert_bundle,
- cfg->tls_win_cert);
- if(!dtio->ssl_ctx) {
- log_err("could not setup SSL CTX");
+ if(!cfg->dnstap) {
+ log_warn("cannot setup dnstap because dnstap-enable is no");
return 0;
}
- /* DEBUG */
- return 1;
-#endif
- if(cfg->dnstap_socket_path && cfg->dnstap_socket_path[0]) {
+
+ /* what type of connectivity do we have */
+ if(cfg->dnstap_ip && cfg->dnstap_ip[0]) {
+ if(cfg->dnstap_tls)
+ dtio->upstream_is_tls = 1;
+ else dtio->upstream_is_tcp = 1;
+ } else {
+ dtio->upstream_is_unix = 1;
+ }
+
+ if(dtio->upstream_is_unix) {
+ if(!cfg->dnstap_socket_path ||
+ cfg->dnstap_socket_path[0]==0) {
+ log_err("dnstap setup failed, because dnstap is "
+ "enabled, but no dnstap-ip and no "
+ "dnstap-socket-path are given");
+ return 0;
+ }
+ free(dtio->socket_path);
dtio->socket_path = strdup(cfg->dnstap_socket_path);
if(!dtio->socket_path) {
- log_err("malloc failure");
+ log_err("dnstap setup: malloc failure");
return 0;
}
- dtio->upstream_is_unix = 1;
+ }
+
+ if(dtio->upstream_is_tcp || dtio->upstream_is_tls) {
+ free(dtio->ip_str);
+ dtio->ip_str = strdup(cfg->dnstap_ip);
+ if(!dtio->ip_str) {
+ log_err("dnstap setup: malloc failure");
+ return 0;
+ }
+ }
+
+ if(dtio->upstream_is_tls) {
+#ifdef HAVE_SSL
+ if(cfg->dnstap_tls_server_name &&
+ cfg->dnstap_tls_server_name[0]) {
+ free(dtio->tls_server_name);
+ dtio->tls_server_name = strdup(
+ cfg->dnstap_tls_server_name);
+ if(!dtio->tls_server_name) {
+ log_err("dnstap setup: malloc failure");
+ return 0;
+ }
+ }
+ if(cfg->dnstap_tls_client_key_file &&
+ cfg->dnstap_tls_client_key_file[0]) {
+ dtio->use_client_certs = 1;
+ free(dtio->client_key_file);
+ dtio->client_key_file = strdup(
+ cfg->dnstap_tls_client_key_file);
+ if(!dtio->client_key_file) {
+ log_err("dnstap setup: malloc failure");
+ return 0;
+ }
+ if(!cfg->dnstap_tls_client_cert_file ||
+ cfg->dnstap_tls_client_cert_file[0]==0) {
+ log_err("dnstap setup: client key "
+ "authentication enabled with "
+ "dnstap-tls-client-key-file, but "
+ "no dnstap-tls-client-cert-file "
+ "is given");
+ return 0;
+ }
+ free(dtio->client_cert_file);
+ dtio->client_cert_file = strdup(
+ cfg->dnstap_tls_client_cert_file);
+ if(!dtio->client_cert_file) {
+ log_err("dnstap setup: malloc failure");
+ return 0;
+ }
+ } else {
+ dtio->use_client_certs = 0;
+ dtio->client_key_file = NULL;
+ dtio->client_cert_file = NULL;
+ }
+
+ if(cfg->dnstap_tls_cert_bundle) {
+ dtio->ssl_ctx = connect_sslctx_create(
+ dtio->client_key_file,
+ dtio->client_cert_file,
+ cfg->dnstap_tls_cert_bundle, 0);
+ } else {
+ dtio->ssl_ctx = connect_sslctx_create(
+ dtio->client_key_file,
+ dtio->client_cert_file,
+ cfg->tls_cert_bundle, cfg->tls_win_cert);
+ }
+ if(!dtio->ssl_ctx) {
+ log_err("could not setup SSL CTX");
+ return 0;
+ }
+#endif /* HAVE_SSL */
}
return 1;
}
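Review bot: The cert-bundle override `if(cfg->dnstap_tls_cert_bundle)` near the end of dt_io_thread_apply_cfg tests for NULL only, whereas every other string option in this hunk (dnstap_ip, dnstap_socket_path, dnstap_tls_server_name, the client key and cert files) is also checked for an empty string; the example config in this same commit documents `dnstap-tls-cert-bundle: ""` as "use the bundle from the main config", but with this check an explicit `""` reaches `connect_sslctx_create` as an empty verify path with win_cert forced to 0, so the main bundle and the Windows store are both skipped and, depending on how that helper treats an empty path, peer verification may end up disabled rather than inherited. Suggest `if(cfg->dnstap_tls_cert_bundle && cfg->dnstap_tls_cert_bundle[0]) {` so the empty string falls through to the `cfg->tls_cert_bundle, cfg->tls_win_cert` branch. Two smaller points: the `#ifdef HAVE_SSL` block has no `#else`, so a build without SSL that sets dnstap-tls returns 1 with `upstream_is_tls` set and `ssl_ctx` still NULL instead of failing the setup like the other misconfigurations in this function do — `#else` / `log_err("dnstap-tls is set but unbound is compiled without SSL support");` / `return 0;` would make that explicit. And the `else` branch that clears `client_key_file` and `client_cert_file` assigns NULL without the `free()` that the other branches perform first, which leaks the previous values if this function is ever applied to an already-configured dtio, as the frees elsewhere suggest it can be.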
# name-v6: "list-v6"
#
+# Dnstap logging support, if compiled in. To enable, set the dnstap-enable
+# to yes and also some of dnstap-log-..-messages to yes. And select an
+# upstream log destination, by socket path, TCP or TLS destination.
+# dnstap:
+# dnstap-enable: no
+# dnstap-socket-path: "@DNSTAP_SOCKET_PATH@"
+# # if "" use the unix socket in dnstap-socket-path, otherwise,
+# # set it to "IPaddress[@port]" of the destination.
+# dnstap-ip: ""
+# # if set to yes if you want to use TLS to dnstap-ip, no for TCP.
+# dnstap-tls: no
+# # name for authenticating the upstream server. or "" disabled.
+# dnstap-tls-server-name: ""
+# # if "", it uses the cert bundle from the main unbound config.
+# dnstap-tls-cert-bundle: ""
+# # key file for client authentication, or "" disabled.
+# dnstap-tls-client-key-file: ""
+# # cert file for client authentication, or "" disabled.
+# dnstap-tls-client-cert-file: ""
+# dnstap-send-identity: no
+# dnstap-send-version: no
+# # if "" it uses the hostname.
+# dnstap-identity: ""
+# # if "" it uses the package version.
+# dnstap-version: ""
+# dnstap-log-resolver-query-messages: no
+# dnstap-log-resolver-response-messages: no
+# dnstap-log-client-query-messages: no
+# dnstap-log-client-response-messages: no
+# dnstap-log-forwarder-query-messages: no
+# dnstap-log-forwarder-response-messages: no
+
# Response Policy Zones
# RPZ policies. Applied in order of configuration. QNAME and Response IP
# Address trigger are the only supported triggers. Supported actions are:
#ifdef USE_DNSTAP
else S_YNO("dnstap-enable:", dnstap)
else S_STR("dnstap-socket-path:", dnstap_socket_path)
+ else S_STR("dnstap-ip:", dnstap_ip)
+ else S_YNO("dnstap-tls:", dnstap_tls)
+ else S_STR("dnstap-tls-server-name:", dnstap_tls_server_name)
+ else S_STR("dnstap-tls-cert-bundle:", dnstap_tls_cert_bundle)
+ else S_STR("dnstap-tls-client-key-file:", dnstap_tls_client_key_file)
+ else S_STR("dnstap-tls-client-cert-file:",
+ dnstap_tls_client_cert_file)
else S_YNO("dnstap-send-identity:", dnstap_send_identity)
else S_YNO("dnstap-send-version:", dnstap_send_version)
else S_STR("dnstap-identity:", dnstap_identity)
#ifdef USE_DNSTAP
else O_YNO(opt, "dnstap-enable", dnstap)
else O_STR(opt, "dnstap-socket-path", dnstap_socket_path)
+ else O_STR(opt, "dnstap-ip", dnstap_ip)
+ else O_YNO(opt, "dnstap-tls", dnstap_tls)
+ else O_STR(opt, "dnstap-tls-server-name", dnstap_tls_server_name)
+ else O_STR(opt, "dnstap-tls-cert-bundle", dnstap_tls_cert_bundle)
+ else O_STR(opt, "dnstap-tls-client-key-file",
+ dnstap_tls_client_key_file)
+ else O_STR(opt, "dnstap-tls-client-cert-file",
+ dnstap_tls_client_cert_file)
else O_YNO(opt, "dnstap-send-identity", dnstap_send_identity)
else O_YNO(opt, "dnstap-send-version", dnstap_send_version)
else O_STR(opt, "dnstap-identity", dnstap_identity)
free(cfg->dns64_prefix);
config_delstrlist(cfg->dns64_ignore_aaaa);
free(cfg->dnstap_socket_path);
+ free(cfg->dnstap_ip);
+ free(cfg->dnstap_tls_server_name);
+ free(cfg->dnstap_tls_cert_bundle);
+ free(cfg->dnstap_tls_client_key_file);
+ free(cfg->dnstap_tls_client_cert_file);
free(cfg->dnstap_identity);
free(cfg->dnstap_version);
config_deldblstrlist(cfg->ratelimit_for_domain);
int dnstap;
/** dnstap socket path */
char* dnstap_socket_path;
+ /** dnstap IP */
+ char* dnstap_ip;
+ /** dnstap TLS enable */
+ int dnstap_tls;
+ /** dnstap tls server authentication name */
+ char* dnstap_tls_server_name;
+ /** dnstap server cert bundle */
+ char* dnstap_tls_cert_bundle;
+ /** dnstap client key for client authentication */
+ char* dnstap_tls_client_key_file;
+ /** dnstap client cert for client authentication */
+ char* dnstap_tls_client_cert_file;
/** true to send "identity" via dnstap */
int dnstap_send_identity;
/** true to send "version" via dnstap */