From: Wouter Wijngaards Date: Mon, 28 Jan 2019 08:22:08 +0000 (+0000) Subject: - ub_ctx_set_tls call for libunbound that enables DoT for the machines X-Git-Tag: release-1.9.0rc1~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3d2dfc476994b93e63be89128cbbbe89146cc50b;p=thirdparty%2Funbound.git - ub_ctx_set_tls call for libunbound that enables DoT for the machines set with ub_ctx_set_fwd. Patch from Florian Obser. git-svn-id: file:///svn/unbound/trunk@5080 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/doc/Changelog b/doc/Changelog index 63edd4824..2130b4819 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,7 @@ +28 January 2019: Wouter + - ub_ctx_set_tls call for libunbound that enables DoT for the machines + set with ub_ctx_set_fwd. Patch from Florian Obser. + 25 January 2019: Wouter - Fix that tcp for auth zone and outgoing does not remove and then gets the ssl read again applied to the deleted commpoint. diff --git a/doc/libunbound.3.in b/doc/libunbound.3.in index 1f48d9de6..5bd4ad8a1 100644 --- a/doc/libunbound.3.in +++ b/doc/libunbound.3.in @@ -20,6 +20,7 @@ .B ub_ctx_config, .B ub_ctx_set_fwd, .B ub_ctx_set_stub, +.B ub_ctx_set_tls, .B ub_ctx_resolvconf, .B ub_ctx_hosts, .B ub_ctx_add_ta, @@ -72,6 +73,9 @@ \fIint\fR isprime); .LP \fIint\fR +\fBub_ctx_set_tls\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR tls); +.LP +\fIint\fR \fBub_ctx_resolvconf\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname); .LP \fIint\fR 
@@ -227,6 +231,12 @@ for different zones, or to add multiple addresses for a particular zone. At this time it is only possible to set configuration before the first resolve is done. .TP +.B ub_ctx_set_tls +Enable DNS over TLS (DoT) for machines set with +.B ub_ctx_set_fwd. +At this time it is only possible to set configuration before the +first resolve is done. +.TP .B ub_ctx_resolvconf By default the root servers are queried and full resolver mode is used, but you can use this call to read the list of nameservers to use from the diff --git a/libunbound/libunbound.c b/libunbound/libunbound.c index 0e59364d5..5f5a8a102 100644 --- a/libunbound/libunbound.c +++ b/libunbound/libunbound.c @@ -966,6 +966,19 @@ ub_ctx_set_fwd(struct ub_ctx* ctx, const char* addr) return UB_NOERROR; } +int ub_ctx_set_tls(struct ub_ctx* ctx, int tls) +{ + lock_basic_lock(&ctx->cfglock); + if(ctx->finalized) { + lock_basic_unlock(&ctx->cfglock); + errno=EINVAL; + return UB_AFTERFINAL; + } + ctx->env->cfg->ssl_upstream = tls; + lock_basic_unlock(&ctx->cfglock); + return UB_NOERROR; +} + int ub_ctx_set_stub(struct ub_ctx* ctx, const char* zone, const char* addr, int isprime) { diff --git a/libunbound/ubsyms.def b/libunbound/ubsyms.def index 0d8e6af91..0ace984fa 100644 --- a/libunbound/ubsyms.def +++ b/libunbound/ubsyms.def @@ -20,6 +20,7 @@ ub_ctx_set_event ub_ctx_set_fwd ub_ctx_set_option ub_ctx_set_stub +ub_ctx_set_tls ub_ctx_trustedkeys ub_ctx_zone_add ub_ctx_zone_remove diff --git a/libunbound/unbound.h b/libunbound/unbound.h index a290e3e6c..682ba5530 100644 --- a/libunbound/unbound.h +++ b/libunbound/unbound.h 
@@ -309,6 +309,17 @@ int ub_ctx_config(struct ub_ctx* ctx, const char* fname); */ int ub_ctx_set_fwd(struct ub_ctx* ctx, const char* addr); +/** + * Use DNS over TLS to send queries to machines set with ub_ctx_set_fwd(). + * + * @param ctx: context. + * At this time it is only possible to set configuration before the + * first resolve is done. + * @param tls: enable or disable DNS over TLS + * @return 0 if OK, else error. + */ +int ub_ctx_set_tls(struct ub_ctx* ctx, int tls); + /** * Add a stub zone, with given address to send to. This is for custom * root hints or pointing to a local authoritative dns server.
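Review bot: in the libunbound.c hunk, ub_ctx_set_tls stores the caller's int unmodified into the config flag (`ctx->env->cfg->ssl_upstream = tls;`); consider normalizing with `tls ? 1 : 0` so that values other than 0 and 1 cannot reach the flag, which keeps the field consistent with the documented enable/disable meaning of the parameter. The man page and header text added in this patch say DoT is used for the machines set with ub_ctx_set_fwd but do not say which port the forwarder is contacted on once TLS is enabled, or whether and how the forwarder's certificate is verified; the ub_ctx_set_tls man page entry should state both, since a caller flipping this flag needs to know what the resulting connection actually authenticates.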
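Review bot: in the unbound.h hunk, the sentence "At this time it is only possible to set configuration before the first resolve is done." is placed directly under `@param ctx: context.`, where it reads as a description of the ctx argument; move it into the description paragraph above the @param lines, and extend `@return 0 if OK, else error.` to mention that UB_AFTERFINAL is returned when the context is already finalized (the libunbound.c hunk returns exactly that), so callers can recognize the misuse rather than a generic failure.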