int engine_init(struct engine *engine, knot_mm_t *pool);
void engine_deinit(struct engine *engine);
-/** @warning This function leaves 1 string result on stack. */
+
+/** Perform a lua command within the sandbox.
+ *
+ * @return zero on success.
+ * The result will be returned on the lua stack - an error message in case of failure.
+ * http://www.lua.org/manual/5.1/manual.html#lua_pcall */
int engine_cmd(struct lua_State *L, const char *str, bool raw);
+
+/** Execute current chunk in the sandbox */
+int engine_pcall(struct lua_State *L, int argc);
+
int engine_ipc(struct engine *engine, const char *expr);
int engine_start(struct engine *engine, const char *config_path);
void engine_stop(struct engine *engine);
int engine_unregister(struct engine *engine, const char *module);
void engine_lualib(struct engine *engine, const char *name, int (*lib_cb) (struct lua_State *));
-/** Execute current chunk in the sandbox */
-int engine_pcall(struct lua_State *L, int argc);
-
/** Return engine light userdata. */
struct engine *engine_luaget(struct lua_State *L);
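Review bot: The new doc comment on `engine_cmd` drops the old warning without replacing what it conveyed: it no longer says how many values are left on the Lua stack or that the caller is responsible for popping them. It also leaves the `raw` parameter undocumented. I would add `@note The caller must pop the result (or error message) left on the stack.` and a `@param raw` line describing what raw mode changes. The same stack contract is worth stating on `engine_pcall`, whose one-line comment moved unchanged.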
return resp[1]
end
--- Fetch root anchors in XML over HTTPS, returning a zone-file-style string.
+-- Fetch root anchors in XML over HTTPS, returning a zone-file-style string
+-- or false in case of error, and a message.
local function bootstrap(url, ca)
-- RFC 7958, sec. 2, but we don't do precise XML parsing.
-- @todo ICANN certificate is verified against current CA
rr = rr .. '\n' .. string.format('. 0 IN DS %s %s %s %s',
fields.KeyTag, fields.Algorithm, fields.DigestType, fields.Digest)
end)
- -- Add to key set, create an empty keyset file to be filled
- print('[ ta ] warning: root anchor bootstrapped, you SHOULD check the key manually, see: '..
- 'https://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.html#sigs')
- return rr
+ if rr == '' then
+ return false, string.format('[ ta ] failed to get any record from "%s"', url)
+ end
+ local msg = '[ ta ] Root trust anchors bootstrapped over https with pinned certificate.\n'
+ .. ' You may want to verify them manually, as described on:\n'
+ .. ' https://data.iana.org/root-anchors/old/draft-icann-dnssec-trust-anchor.html#sigs'
+ return rr, msg
end
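Review bot: The new `rr == ''` check catches a fetch that yields no records, but each record is still built by formatting `fields.KeyTag`, `fields.Algorithm`, `fields.DigestType` and `fields.Digest` with `%s` and no validation, while the comment above admits the XML is not parsed precisely. A missing or malformed attribute would either raise inside `string.format` (on interpreters that reject nil for `%s`) or put arbitrary text into the zone-file string later passed to `trustanchor(rr)`. I would skip a record unless the three numeric fields match `^%d+$` and the digest matches `^%x+$`, and mention skipped records in the returned message. The closure that builds `rr` starts outside this hunk, so the exact placement needs checking there. Separately, the message states that the certificate was pinned; that wording should stay only if `ca` is always enforced, which is not visible here.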
-- Load the module
if not io.open(path, 'r') then
local rr, msg = bootstrap(trust_anchors.bootstrap_url, trust_anchors.bootstrap_ca)
if not rr then
- error('you MUST obtain the root TA manually, see: '..
- 'https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec')
+ msg = msg .. '\n'
+ .. '[ ta ] Failed to bootstrap root trust anchors; see:\n'
+ .. ' https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec'
+ error(msg)
end
+ print(msg)
trustanchor(rr)
-- Fetch DNSKEY immediately
trust_anchors.file_current = path
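Review bot: `msg = msg .. '\n'` raises a concatenation error if `bootstrap` ever returns a false first value without a second one, which would replace the intended guidance with an unrelated Lua error. Only the final two returns of `bootstrap` are visible in this change, so the earlier failure paths should be checked, or the concatenation guarded with `msg = (msg or '[ ta ] bootstrap failed') .. '\n'`. The `if not io.open(path, 'r')` block continues past this hunk.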
ret = EXIT_FAILURE;
goto cleanup;
}
- int lua_ret = 0;
- if ((lua_ret = engine_cmd(engine.L, cmd, false)) != 0) {
- kr_log_error("[ ta ] keyfile '%s': failed to load (%s)\n", keyfile_path, lua_strerror(lua_ret));
+ int lua_ret = engine_cmd(engine.L, cmd, false);
+ if (lua_ret != 0) {
+ if (lua_gettop(engine.L) > 0) {
+ kr_log_error("%s", lua_tostring(engine.L, -1));
+ } else {
+ kr_log_error("[ ta ] keyfile '%s': failed to load (%s)\n",
+ keyfile_path, lua_strerror(lua_ret));
+ }
ret = EXIT_FAILURE;
goto cleanup;
}
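Review bot: `lua_tostring(engine.L, -1)` returns NULL when the value on top of the stack is not a string or number, and passing NULL to `%s` in `kr_log_error` is undefined behaviour; the `lua_gettop(engine.L) > 0` test does not rule that out. Guard it, e.g. `const char *err = lua_tostring(engine.L, -1);` followed by `kr_log_error("[ ta ] keyfile '%s': %s\n", keyfile_path, err ? err : lua_strerror(lua_ret));`, which also keeps the keyfile path and trailing newline that the new branch drops. The error value stays on the Lua stack before `goto cleanup`; that is harmless only if cleanup closes the state, which is outside this hunk.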
return kr_error(ENOMEM);
}
WITH_VERBOSE {
- kr_rrset_print(ta_rr, "[ ta ]: new trust anchor state:\n");
+ kr_rrset_print(ta_rr, "[ ta ] new state of root trust anchors:\n");
}
if (is_new_key) {
return map_set(trust_anchors, (const char *)name, ta_rr);