From: Wouter Wijngaards
Date: Fri, 23 May 2014 07:30:02 +0000 (+0000)
Subject: - unbound-host -D enabled dnssec and reads root trust anchor from
X-Git-Tag: release-1.5.0rc1~124
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=684fd0aa15d791a18f8ac25757034f321e7b6889;p=thirdparty%2Funbound.git
- unbound-host -D enabled dnssec and reads root trust anchor from the default root key file that was compiled in.
git-svn-id: file:///svn/unbound/trunk@3136 be551aaa-1e26-0410-a405-d3ace91eadb9
---
diff --git a/doc/Changelog b/doc/Changelog
index ce1298ec3..762dcd1b3 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+23 May 2014: Wouter
+ - unbound-host -D enabled dnssec and reads root trust anchor from
+ the default root key file that was compiled in.
+
 20 May 2014: Wouter
 - Feature, unblock-lan-zones: yesno that you can use to make unbound
 perform 10.0.0.0/8 and other reverse lookups normally, for use if
diff --git a/doc/unbound-host.1.in b/doc/unbound-host.1.in
index 47eca3b34..29865217f 100644
--- a/doc/unbound-host.1.in
+++ b/doc/unbound-host.1.in
@@ -14,7 +14,7 @@
 .SH "SYNOPSIS"
 .LP
 .B unbound\-host
-.RB [ \-vdhr46 ]
+.RB [ \-vdhr46D ]
 .RB [ \-c
 .IR class ]
 .RB [ \-t
@@ -74,6 +74,10 @@ of trust that is built up from the trust anchor to the response, in order
 to validate the response message. Can be given as a DS or DNSKEY record.
 For example \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD".
 .TP
+.B \-D
+Enables DNSSEC validation. Reads the root anchor from the default configured
+root anchor at the default location, \fI@UNBOUND_ROOTKEY_FILE@\fR.
+.TP
 .B \-f \fIkeyfile
 Reads keys from a file. Every line has a DS or DNSKEY record, in the format
 as for \-y. The zone file format, the same as dig and drill produce.
diff --git a/smallapp/unbound-host.c b/smallapp/unbound-host.c
index 12c60f406..8020ad8c8 100644
--- a/smallapp/unbound-host.c
+++ b/smallapp/unbound-host.c
@@ -85,6 +85,8 @@ usage()
 printf(" -c class what class to look for, if not class IN.\n");
 printf(" -y 'keystring' specify trust anchor, DS or DNSKEY, like\n");
 printf(" -y 'example.com DS 31560 5 1 1CFED8478...'\n");
+ printf(" -D DNSSEC enable with default root anchor\n");
+ printf(" from %s\n", ROOT_ANCHOR_FILE);
 printf(" -f keyfile read trust anchors from file, with lines as -y.\n");
 printf(" -F keyfile read named.conf-style trust anchors.\n");
 printf(" -C config use the specified unbound.conf (none read by default)\n");
@@ -421,9 +423,11 @@ int main(int argc, char* argv[])
 fprintf(stderr, "error: out of memory\n");
 exit(1);
 }
+ /* no need to fetch additional targets, we only do few lookups */
+ check_ub_res(ub_ctx_set_option(ctx, "target-fetch-policy:", "0 0 0 0 0"));
 /* parse the options */
- while( (c=getopt(argc, argv, "46F:c:df:hrt:vy:C:")) != -1) {
+ while( (c=getopt(argc, argv, "46DF:c:df:hrt:vy:C:")) != -1) {
 switch(c) {
 case '4':
 check_ub_res(ub_ctx_set_option(ctx, "do-ip6:", "no"));
@@ -437,6 +441,9 @@ int main(int argc, char* argv[])
 case 'C':
 check_ub_res(ub_ctx_config(ctx, optarg));
 break;
+ case 'D':
+ check_ub_res(ub_ctx_add_ta_file(ctx, ROOT_ANCHOR_FILE));
+ break;
 case 'd':
 debuglevel++;
 if(debuglevel < 2)
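Review bot: In the new `case 'D'` of the third hunk, the only guard against a missing or unreadable ROOT_ANCHOR_FILE is check_ub_res(), which is defined outside this hunk; confirm it exits on a non-zero ub_ctx_add_ta_file() return, because if the error were merely printed the lookups would continue unvalidated while the user believes -D is in effect. The commit message and man page say -D enables DNSSEC validation, but this case only installs the anchor, so a short comment on the new line would help the next reader, e.g. `/* -D: load the compiled-in root anchor; validation follows from the anchor being present, so a failed load must abort rather than fall back to unvalidated answers */`. main() continues outside the hunk.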