1.6.14
* DANE support (RFC6698), including ldns-dane example tool.
+ * A default key for drill when none is given
* bugfix #473: Dead code removal and resource leak fix in drill
* bugfix #471: Let ldns_resolver_push_dnssec_anchor accept DS RR's too.
* Various bugfixes from code reviews from CZ.NIC and Paul Wouters
AC_SUBST(PYLDNSXUNINST, "")
fi
-
# Use libtool
ACX_LIBTOOL_C_ONLY
AC_DEFINE([SYSCONFDIR], [sysconfdir], [System configuration dir])
+AC_ARG_WITH(trusted-key, AC_HELP_STRING([--with-trusted-key=[KEYFILE]],
+ [Default location of the trusted key with drill. [default=SYSCONFDIR/trusted-key.key]]), [
+AC_SUBST(LDNS_TRUSTED_KEY_FILE, [${with_trusted_key}])
+],[
+if test "x$sysconfdir" = 'x${prefix}/etc' ; then
+AC_SUBST(LDNS_TRUSTED_KEY_FILE, [${prefix}/etc/trusted-key.key])
+else
+AC_SUBST(LDNS_TRUSTED_KEY_FILE, [${sysconfdir}/trusted-key.key])
+fi
+])
+
AH_BOTTOM([
#include <stdio.h>
#include <string.h>
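Review bot: The fallback branch at lines 17–20 builds the AC_SUBST value by shell-expanding `${prefix}` when the AC_ARG_WITH code runs, and in a configure run without --prefix the variable still holds the literal `NONE` at that point (it is only replaced by ac_default_prefix later, in AC_OUTPUT), so LDNS_TRUSTED_KEY_FILE would come out as `NONE/etc/trusted-key.key`; the parallel block in drill/configure.ac already guards this with `if test "x$prefix" = 'xNONE'`, and the same guard belongs here. Both this hunk and the drill/configure.ac hunk also accept a bare `--with-trusted-key` or `--without-trusted-key`, which stores the literal `yes` or `no` as the key path; in the given-branch add `if test "x$with_trusted_key" = xyes -o "x$with_trusted_key" = xno; then AC_MSG_ERROR([--with-trusted-key needs a file name]); fi`. Since this path is compiled into drill as the location it silently loads its trust anchor from, a wrong default quietly changes what DNSSEC validation trusts rather than being a cosmetic problem.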
bindir = @bindir@
mandir = @mandir@
includedir = @includedir@
+datarootdir = @datarootdir@
CC = @CC@
CFLAGS = -I. @CFLAGS@
distclean: clean docclean
rm -f config.h
- rm -f drill.h
realclean: clean docclean
rm -f tags
rm -rf autom4te.cache
rm -f config.h
rm -f config.h.in
- rm -f drill.h
rm -f configure
rm -f Makefile
rm -f aclocal.m4
else
AC_MSG_RESULT([no])
AC_CHECK_LIB(ldns, ldns_rr_new, , [
- AC_MSG_ERROR([Can't find ldns library])
+ AC_MSG_ERROR([Can't find ldns library])dnl '
]
)
fi
AC_SUBST(LDNSDIR)
+AC_ARG_WITH(trusted-key, AC_HELP_STRING([--with-trusted-key=[KEYFILE]],
+ [Default location of the trusted key with drill. [default=LDNS_TRUSTED_KEY_FILE or SYSCONFDIR/trusted-key.key]]), [
+AC_DEFINE([HAVE_DRILL_TRUSTED_KEY], [1], [Is the trusted key file explicitely given at configure time])
+AC_DEFINE_UNQUOTED([DRILL_TRUSTED_KEY_FILE], ["$with_trusted_key"], [Default trusted key file])
+],[
+AC_DEFINE([HAVE_DRILL_TRUSTED_KEY], [0], [Is the trusted key file explicitely given at configure time])
+if test "x$sysconfdir" = 'x${prefix}/etc' ; then
+if test "x$prefix" = 'xNONE' ; then
+AC_DEFINE_UNQUOTED([DRILL_TRUSTED_KEY_FILE], ["/etc/trusted-key.key"], [Default trusted key file])
+else
+AC_DEFINE_UNQUOTED([DRILL_TRUSTED_KEY_FILE], ["${prefix}/etc/trusted-key.key"], [Default trusted key file])
+fi
+else
+AC_DEFINE_UNQUOTED([DRILL_TRUSTED_KEY_FILE], ["${sysconfdir}/trusted-key.key"], [Default trusted key file])
+fi
+])
+
AH_BOTTOM([
#include <stdio.h>
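Review bot: Line 57 embeds `$with_trusted_key` into a C string literal with no validation, so apart from the bare yes/no case raised on the top-level configure.ac hunk, a path containing a double quote or backslash yields an invalid literal in config.h; rejecting those characters in the given-branch (or stating the restriction in the help string) would make the failure explicit at configure time instead of at compile time. The descriptions at lines 56 and 59 misspell `explicitly` as `explicitely`, and that text is copied verbatim into the generated config.h. Both this hunk and the top-level one use `AC_HELP_STRING`, which autoconf documents as the obsolete spelling of `AS_HELP_STRING`.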
key. No chasing is done. When \fBdrill\fR is doing a secure trace, this
key will be used as trust anchor. Can contain a DNSKEY or a DS record.
+Alternatively, if \fB-k\fR is not specified, and a default trusted key
+exists and contains a valid DNSKEY or DS record, it will be used
+as the trust anchor.
+
.TP
\fB\-o \fImnemonic\fR
Use this option to set or unset specific header bits. A bit is
fprintf(stream, "\t-6\t\tstay on ip6\n");
fprintf(stream, "\t-a\t\tfallback to EDNS0 and TCP if the answer is truncated\n");
fprintf(stream, "\t-b <bufsize>\tuse <bufsize> as the buffer size (defaults to 512 b)\n");
- fprintf(stream, "\t-c <file>\t\tuse file for rescursive nameserver configuration (/etc/resolv.conf)\n");
- fprintf(stream, "\t-k <file>\tspecify a file that contains a trusted DNSSEC key (DNSKEY|DS) [**]\n");
+ fprintf(stream, "\t-c <file>\tuse file for rescursive nameserver configuration"
+ "\n\t\t\t(/etc/resolv.conf)\n");
+ fprintf(stream, "\t-k <file>\tspecify a file that contains a trusted DNSSEC key"
+ "\n\t\t\t(DNSKEY|DS) [**]\n");
fprintf(stream, "\t\t\tused to verify any signatures in the current answer\n");
- fprintf(stream, "\t-o <mnemonic>\tset flags to: [QR|qr][AA|aa][TC|tc][RD|rd][CD|cd][RA|ra][AD|ad]\n");
+ fprintf(stream, "\t\t\tIf DNSSEC is enabled and no key files are given, keys\n"
+ "\t\t\tare read from %s\n",
+ DRILL_TRUSTED_KEY_FILE);
+ fprintf(stream, "\t-o <mnemonic>\tset flags to:"
+ "\n\t\t\t[QR|qr][AA|aa][TC|tc][RD|rd][CD|cd][RA|ra][AD|ad]\n");
fprintf(stream, "\t\t\tlowercase: unset bit, uppercase: set bit\n");
fprintf(stream, "\t-p <port>\tuse <port> as remote port number\n");
fprintf(stream, "\t-s\t\tshow the DS RR for each key in a packet\n");
fprintf(stream, "\t-u\t\tsend the query with udp (the default)\n");
fprintf(stream, "\t-x\t\tdo a reverse lookup\n");
fprintf(stream, "\twhen doing a secure trace:\n");
- fprintf(stream, "\t-r <file>\t\tuse file as root servers hint file\n");
+ fprintf(stream, "\t-r <file>\tuse file as root servers hint file\n");
fprintf(stream, "\t-t\t\tsend the query with tcp (connected)\n");
- fprintf(stream, "\t-d <domain>\t\tuse domain as the start point for the trace\n");
+ fprintf(stream, "\t-d <domain>\tuse domain as the start point for the trace\n");
fprintf(stream, "\t-y <name:key[:algo]>\tspecify named base64 tsig key, and optional an\n\t\t\talgorithm (defaults to hmac-md5.sig-alg.reg.int)\n");
fprintf(stream, "\t-z\t\tdon't randomize the nameservers before use\n");
fprintf(stream, "\n [*] = enables/implies DNSSEC\n");
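Review bot: The rewritten line 87 carries over the pre-existing typo `rescursive` in the -c help text; since the string is being re-laid out anyway, change it to `"\t-c <file>\tuse file for recursive nameserver configuration"`. The new text at lines 93–95 is the only place a user learns that drill picks up a trust anchor on its own, so it should also say the file is ignored when it is missing, e.g. append `"\t\t\t(if that file exists and can be parsed)\n"` to the same fprintf. The enclosing usage() starts and ends outside this hunk.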
qusevc = true;
break;
case 'k':
- status = read_key_file(optarg, key_list);
+ status = read_key_file(optarg,
+ key_list, false);
if (status != LDNS_STATUS_OK) {
error("Could not parse the key file %s: %s", optarg, ldns_get_errorstr_by_id(status));
}
argc -= optind;
argv += optind;
+ if (qdnssec && ldns_rr_list_rr_count(key_list) == 0) {
+ (void) read_key_file(DRILL_TRUSTED_KEY_FILE, key_list, true);
+ }
+ if (ldns_rr_list_rr_count(key_list) > 0) {
+ printf(";; Number of trusted keys: %d\n",
+ (int) ldns_rr_list_rr_count(key_list));
+ }
/* do a secure trace when requested */
if (PURPOSE == DRILL_TRACE && qdnssec) {
#ifdef HAVE_SSL
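Review bot: Line 124 discards read_key_file's result and loads the default trust anchor with `silently` set, so the user is never told that validation is about to rely on DRILL_TRUSTED_KEY_FILE, and a default file that exists but is corrupt vanishes without a trace because the count message at lines 126–129 prints nothing when zero keys were read. Keep the status and name the source when it succeeded: `status = read_key_file(DRILL_TRUSTED_KEY_FILE, key_list, true);` then `if (status == LDNS_STATUS_OK)` and `printf(";; Trusted keys read from %s\n", DRILL_TRUSTED_KEY_FILE);` — `status` is the variable the `-k` case already uses. A one-line comment above line 123 saying why the lookup happens only when `qdnssec` is set and `-k` gave nothing would also help the next reader. The enclosing main() continues on both sides of this hunk.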
#define DRILL_VERSION PACKAGE_VERSION
+#if HAVE_DRILL_TRUSTED_KEY == 0
+# ifdef LDNS_TRUSTED_KEY_FILE
+# undef DRILL_TRUSTED_KEY_FILE
+# define DRILL_TRUSTED_KEY_FILE LDNS_TRUSTED_KEY_FILE
+# endif
+#endif
+
/* what kind of stuff do we allow */
#define DRILL_QUERY 0
#define DRILL_TRACE 1
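Review bot: `#if HAVE_DRILL_TRUSTED_KEY == 0` at line 134 treats an undefined macro as zero, so a config.h that predates this change silently takes the override branch, and if LDNS_TRUSTED_KEY_FILE is absent as well DRILL_TRUSTED_KEY_FILE stays undefined and the first use in drill.c fails with an unhelpful error far from the cause. Add after the block `#ifndef DRILL_TRUSTED_KEY_FILE`, `# error "DRILL_TRUSTED_KEY_FILE is not set; rerun configure"` and `#endif` so the misconfiguration is reported where it originates. The `#undef`/`#define` pair at lines 136–137 also deserves a comment stating its intent, e.g. `/* no --with-trusted-key given to drill's configure: fall back to the path ldns itself was configured with */`.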
ldns_rr_list **nsec_rrs,
ldns_rr_list **nsec_rr_sigs);
-ldns_status read_key_file(const char *filename, ldns_rr_list *key_list);
ldns_pkt *read_hex_pkt(char *filename);
ldns_buffer *read_hex_buffer(char *filename);
void init_root(void);
/* key_list must be initialized with ldns_rr_list_new() */
ldns_status
-read_key_file(const char *filename, ldns_rr_list *key_list)
+read_key_file(const char *filename, ldns_rr_list *key_list, bool silently)
{
int line_len = 0;
int line_nr = 0;
input_file = fopen(filename, "r");
if (!input_file) {
- fprintf(stderr, "Error opening %s: %s\n",
- filename, strerror(errno));
+ if (! silently) {
+ fprintf(stderr, "Error opening %s: %s\n",
+ filename, strerror(errno));
+ }
return LDNS_STATUS_ERR;
}
while (line_len >= 0) {
if (line_len > 0 && line[0] != ';') {
status = ldns_rr_new_frm_str(&rr, line, 0, NULL, NULL);
if (status != LDNS_STATUS_OK) {
- fprintf(stderr,
- "Error parsing DNSKEY RR in line %d: %s\n",
- line_nr,
- ldns_get_errorstr_by_id(status));
+ if (! silently) {
+ fprintf(stderr,
+ "Error parsing DNSKEY RR "
+ "in line %d: %s\n", line_nr,
+ ldns_get_errorstr_by_id(status)
+ );
+ }
} else if (ldns_rr_get_type(rr) == LDNS_RR_TYPE_DNSKEY ||
ldns_rr_get_type(rr) == LDNS_RR_TYPE_DS) {
ldns_rr_list_push_rr(key_list, rr);
}
}
}
- printf(";; Number of trusted keys: %d\n", key_count);
fclose(input_file);
if (key_count > 0) {
return LDNS_STATUS_OK;
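Review bot: The `silently` guard at line 175 also hides parse errors, so a default trust-anchor file that exists but is corrupt or stale is skipped without any diagnostic and drill continues with fewer (or no) trust anchors than the operator expects. Only the absence of the optional default file is an expected condition; change line 161 to `if (!silently || errno != ENOENT) {` and drop the `silently` guard around the parse-error message at lines 175–181 so a present-but-unparseable file is always reported. The comment at line 150 should now also say what `silently` means, e.g. `/* silently: suppress diagnostics when the file cannot be opened (used for the optional default key file) */`. read_key_file's closing lines are outside the hunk.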
#define _DRILL_UTIL_H_
#include <ldns/ldns.h>
+
+/**
+ * Read keys from filename and append to key_list.
+ */
+ldns_status read_key_file(const char *filename, ldns_rr_list *key_list,
+ bool silently);
+
/**
* return a address rdf, either A or AAAA
* NULL if anything goes wrong
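Review bot: The new declaration's comment at lines 195–197 documents neither the `silently` parameter nor the return value, which is what a caller deciding whether to ignore the result (as drill.c now does) needs to know. Extend it to say that only DNSKEY and DS records are appended, that `silently` suppresses the error messages written to stderr, and that LDNS_STATUS_ERR is returned when the file cannot be opened, with the no-keys-found outcome stated as well once its return value is confirmed against the tail of read_key_file. Mention too that key_list must already have been created with ldns_rr_list_new(), which the definition's comment in drill_util.c states but the header does not.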
#define ATTR_UNUSED(x) x
#endif /* !LDNS_BUILD_CONFIG_HAVE_ATTR_UNUSED */
+#define LDNS_TRUSTED_KEY_FILE "@LDNS_TRUSTED_KEY_FILE@"
+
#endif /* LDNS_COMMON_H */
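Review bot: `LDNS_TRUSTED_KEY_FILE` at line 206 enters the installed public ldns header without any comment, so a downstream reader cannot tell whether the library itself reads that file or, as on this page, only drill.h consumes it as a configure-time default. Add above the define `/* Default trust anchor file for drill when no -k key file is given; set at configure time via --with-trusted-key. */` so the macro's meaning (and the fact that it is an absolute path baked in at build time) is visible where it is declared.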