From: Willem Toorop Date: Tue, 9 Oct 2012 12:34:03 +0000 (+0000) Subject: Default key for drill when none is given. X-Git-Tag: release-1.6.14rc1~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=888af2cd1fbf6a1864ad884e47e8f667d2eb1afe;p=thirdparty%2Fldns.git Default key for drill when none is given. --- diff --git a/Changelog b/Changelog index 61711d3f..4e6078a3 100644 --- a/Changelog +++ b/Changelog @@ -1,5 +1,6 @@ 1.6.14 * DANE support (RFC6698), including ldns-dane example tool. + * A default key for drill when none is given * bugfix #473: Dead code removal and resource leak fix in drill * bugfix #471: Let ldns_resolver_push_dnssec_anchor accept DS RR's too. * Various bugfixes from code reviews from CZ.NIC and Paul Wouters diff --git a/configure.ac b/configure.ac index b8da0557..32803f62 100644 --- a/configure.ac +++ b/configure.ac @@ -251,7 +251,6 @@ else AC_SUBST(PYLDNSXUNINST, "") fi - # Use libtool ACX_LIBTOOL_C_ONLY @@ -512,6 +511,17 @@ fi AC_DEFINE([SYSCONFDIR], [sysconfdir], [System configuration dir]) +AC_ARG_WITH(trusted-key, AC_HELP_STRING([--with-trusted-key=[KEYFILE]], + [Default location of the trusted key with drill. [default=SYSCONFDIR/trusted-key.key]]), [ +AC_SUBST(LDNS_TRUSTED_KEY_FILE, [${with_trusted_key}]) +],[ +if test "x$sysconfdir" = 'x${prefix}/etc' ; then +AC_SUBST(LDNS_TRUSTED_KEY_FILE, [${prefix}/etc/trusted-key.key]) +else +AC_SUBST(LDNS_TRUSTED_KEY_FILE, [${sysconfdir}/trusted-key.key]) +fi +]) + AH_BOTTOM([ #include #include diff --git a/drill/Makefile.in b/drill/Makefile.in index 5730f080..0f607f2e 100644 --- a/drill/Makefile.in +++ b/drill/Makefile.in @@ -9,6 +9,7 @@ exec_prefix = @exec_prefix@ bindir = @bindir@ mandir = @mandir@ includedir = @includedir@ +datarootdir = @datarootdir@ CC = @CC@ CFLAGS = -I. @CFLAGS@ @@ -77,7 +78,6 @@ docclean: distclean: clean docclean rm -f config.h - rm -f drill.h realclean: clean docclean rm -f tags 
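Review bot: The fallback branch of the new `AC_ARG_WITH(trusted-key, ...)` assigns `${prefix}/etc/trusted-key.key` while `$prefix` is still `NONE` (autoconf only replaces it with the default prefix in the output stage), so a build configured without `--prefix` most likely bakes `NONE/etc/trusted-key.key` into `LDNS_TRUSTED_KEY_FILE`; the drill/configure.ac hunk in this same commit guards exactly this with `if test "x$prefix" = 'xNONE'` and the same guard is needed here. Since drill reads the default file silently, a wrong path means DNSSEC queries run with no trust anchor and nothing in this commit tells the user. Neither this hunk nor the drill/configure.ac one rejects `--with-trusted-key` given without a value or `--without-trusted-key`, which leave `$with_trusted_key` as `yes`/`no` and make a bare relative name the trust-anchor path, resolved against drill's working directory at run time; add `case "$with_trusted_key" in yes|no) AC_MSG_ERROR([--with-trusted-key requires a KEYFILE path]);; esac` at the top of the given-branch in both files.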
@@ -88,7 +88,6 @@ realclean: clean docclean rm -rf autom4te.cache rm -f config.h rm -f config.h.in - rm -f drill.h rm -f configure rm -f Makefile rm -f aclocal.m4 diff --git a/drill/configure.ac b/drill/configure.ac index 716ef8df..e6bd251a 100644 --- a/drill/configure.ac +++ b/drill/configure.ac @@ -170,13 +170,30 @@ if test -f $ldns_dev_dir/ldns/util.h && \ else AC_MSG_RESULT([no]) AC_CHECK_LIB(ldns, ldns_rr_new, , [ - AC_MSG_ERROR([Can't find ldns library]) + AC_MSG_ERROR([Can't find ldns library])dnl ' ] ) fi AC_SUBST(LDNSDIR) +AC_ARG_WITH(trusted-key, AC_HELP_STRING([--with-trusted-key=[KEYFILE]], + [Default location of the trusted key with drill. [default=LDNS_TRUSTED_KEY_FILE or SYSCONFDIR/trusted-key.key]]), [ +AC_DEFINE([HAVE_DRILL_TRUSTED_KEY], [1], [Is the trusted key file explicitely given at configure time]) +AC_DEFINE_UNQUOTED([DRILL_TRUSTED_KEY_FILE], ["$with_trusted_key"], [Default trusted key file]) +],[ +AC_DEFINE([HAVE_DRILL_TRUSTED_KEY], [0], [Is the trusted key file explicitely given at configure time]) +if test "x$sysconfdir" = 'x${prefix}/etc' ; then +if test "x$prefix" = 'xNONE' ; then +AC_DEFINE_UNQUOTED([DRILL_TRUSTED_KEY_FILE], ["/etc/trusted-key.key"], [Default trusted key file]) +else +AC_DEFINE_UNQUOTED([DRILL_TRUSTED_KEY_FILE], ["${prefix}/etc/trusted-key.key"], [Default trusted key file]) +fi +else +AC_DEFINE_UNQUOTED([DRILL_TRUSTED_KEY_FILE], ["${sysconfdir}/trusted-key.key"], [Default trusted key file]) +fi +]) + AH_BOTTOM([ #include diff --git a/drill/drill.1 b/drill/drill.1 index 24cfd6da..1600df44 100644 --- a/drill/drill.1 +++ b/drill/drill.1 
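Review bot: Both `AC_DEFINE([HAVE_DRILL_TRUSTED_KEY], ...)` descriptions in the added block misspell "explicitly" as `explicitely`; the text becomes the comment in drill's generated config.h, so use `[Is the trusted key file explicitly given at configure time]`. Defining `HAVE_DRILL_TRUSTED_KEY` to `0` in the fallback branch departs from the usual defined-or-undefined convention for `HAVE_*` macros, so a one-line `dnl` comment above the block noting that drill.h tests the value with `#if HAVE_DRILL_TRUSTED_KEY == 0` would spare a later reader the search.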
@@ -161,6 +161,10 @@ given \fBdrill\fR tries to validate the current answer with this key. No chasing is done. When \fBdrill\fR is doing a secure trace, this key will be used as trust anchor. Can contain a DNSKEY or a DS record. +Alternatively, if \fB-k\fR is not specified, and a default trusted key +exists and contains a valid DNSKEY or DS record, it will be used +as the trust anchor. + .TP \fB\-o \fImnemonic\fR Use this option to set or unset specific header bits. A bit is diff --git a/drill/drill.c b/drill/drill.c index 2f779634..27ee095f 100644 --- a/drill/drill.c +++ b/drill/drill.c 
@@ -47,19 +47,25 @@ usage(FILE *stream, const char *progname) fprintf(stream, "\t-6\t\tstay on ip6\n"); fprintf(stream, "\t-a\t\tfallback to EDNS0 and TCP if the answer is truncated\n"); fprintf(stream, "\t-b \tuse as the buffer size (defaults to 512 b)\n"); - fprintf(stream, "\t-c \t\tuse file for rescursive nameserver configuration (/etc/resolv.conf)\n"); - fprintf(stream, "\t-k \tspecify a file that contains a trusted DNSSEC key (DNSKEY|DS) [**]\n"); + fprintf(stream, "\t-c \tuse file for rescursive nameserver configuration" + "\n\t\t\t(/etc/resolv.conf)\n"); + fprintf(stream, "\t-k \tspecify a file that contains a trusted DNSSEC key" + "\n\t\t\t(DNSKEY|DS) [**]\n"); fprintf(stream, "\t\t\tused to verify any signatures in the current answer\n"); - fprintf(stream, "\t-o \tset flags to: [QR|qr][AA|aa][TC|tc][RD|rd][CD|cd][RA|ra][AD|ad]\n"); + fprintf(stream, "\t\t\tIf DNSSEC is enabled and no key files are given, keys\n" + "\t\t\tare read from %s\n", + DRILL_TRUSTED_KEY_FILE); + fprintf(stream, "\t-o \tset flags to:" + "\n\t\t\t[QR|qr][AA|aa][TC|tc][RD|rd][CD|cd][RA|ra][AD|ad]\n"); fprintf(stream, "\t\t\tlowercase: unset bit, uppercase: set bit\n"); fprintf(stream, "\t-p \tuse as remote port number\n"); fprintf(stream, "\t-s\t\tshow the DS RR for each key in a packet\n"); fprintf(stream, "\t-u\t\tsend the query with udp (the default)\n"); fprintf(stream, "\t-x\t\tdo a reverse lookup\n"); fprintf(stream, "\twhen doing a secure trace:\n"); - fprintf(stream, "\t-r \t\tuse file as root servers hint file\n"); + fprintf(stream, "\t-r \tuse file as root servers hint file\n"); fprintf(stream, "\t-t\t\tsend the query with tcp (connected)\n"); - fprintf(stream, "\t-d \t\tuse domain as the start point for the trace\n"); + fprintf(stream, "\t-d \tuse domain as the start point for the trace\n"); fprintf(stream, "\t-y \tspecify named base64 tsig key, and optional an\n\t\t\talgorithm (defaults to hmac-md5.sig-alg.reg.int)\n"); fprintf(stream, "\t-z\t\tdon't randomize the 
nameservers before use\n"); fprintf(stream, "\n [*] = enables/implies DNSSEC\n"); @@ -272,7 +278,8 @@ main(int argc, char *argv[]) qusevc = true; break; case 'k': - status = read_key_file(optarg, key_list); + status = read_key_file(optarg, + key_list, false); if (status != LDNS_STATUS_OK) { error("Could not parse the key file %s: %s", optarg, ldns_get_errorstr_by_id(status)); } @@ -397,6 +404,13 @@ main(int argc, char *argv[]) argc -= optind; argv += optind; + if (qdnssec && ldns_rr_list_rr_count(key_list) == 0) { + (void) read_key_file(DRILL_TRUSTED_KEY_FILE, key_list, true); + } + if (ldns_rr_list_rr_count(key_list) > 0) { + printf(";; Number of trusted keys: %d\n", + (int) ldns_rr_list_rr_count(key_list)); + } /* do a secure trace when requested */ if (PURPOSE == DRILL_TRACE && qdnssec) { #ifdef HAVE_SSL diff --git a/drill/drill.h b/drill/drill.h index 69b0396b..650ad46d 100644 --- a/drill/drill.h +++ b/drill/drill.h @@ -14,6 +14,13 @@ #define DRILL_VERSION PACKAGE_VERSION +#if HAVE_DRILL_TRUSTED_KEY == 0 +# ifdef LDNS_TRUSTED_KEY_FILE +# undef DRILL_TRUSTED_KEY_FILE +# define DRILL_TRUSTED_KEY_FILE LDNS_TRUSTED_KEY_FILE +# endif +#endif + /* what kind of stuff do we allow */ #define DRILL_QUERY 0 #define DRILL_TRACE 1 @@ -85,7 +92,6 @@ ldns_status ldns_verify_denial(ldns_pkt *pkt, ldns_rr_list **nsec_rrs, ldns_rr_list **nsec_rr_sigs); -ldns_status read_key_file(const char *filename, ldns_rr_list *key_list); ldns_pkt *read_hex_pkt(char *filename); ldns_buffer *read_hex_buffer(char *filename); void init_root(void); diff --git a/drill/drill_util.c b/drill/drill_util.c index d24d5d96..1783e083 100644 --- a/drill/drill_util.c +++ b/drill/drill_util.c @@ -35,7 +35,7 @@ read_line(FILE *input, char *line, size_t len) /* key_list must be initialized with ldns_rr_list_new() */ ldns_status -read_key_file(const char *filename, ldns_rr_list *key_list) +read_key_file(const char *filename, ldns_rr_list *key_list, bool silently) { int line_len = 0; int line_nr = 0; 
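Review bot: The rewritten `-c` help line carries the misspelling `rescursive` over from the line it replaces; since the string is being touched anyway, make it `"\t-c \tuse file for recursive nameserver configuration"`. The new `-k` text states that keys "are read from %s" when no key file is given, but per the main() hunk below the default read is silent and simply yields no keys when the file is missing, so "are read from %s if it exists" would match the actual behaviour and the drill.1 wording in this commit. usage() continues on both sides of the hunk.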
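Review bot: The default-key read in the second main() hunk discards its status and passes `silently` as `true`, and the `silently` flag added in the drill_util.c hunk suppresses the parse-error message as well as the open error, so a trust-anchor file that exists but is malformed or holds no DNSKEY/DS is indistinguishable from one that was never installed. A missing file is the expected case and may stay quiet, but a file that is present and unreadable as keys deserves a diagnostic, since the user has asked for DNSSEC and nothing in this hunk tells them no trust anchor was loaded. Either restrict `silently` to the `fopen` failure and keep the parse-error output, or at least add after the read `if (qdnssec && ldns_rr_list_rr_count(key_list) == 0) fprintf(stderr, ";; No trusted keys loaded (%s)\n", DRILL_TRUSTED_KEY_FILE);`. main() continues on both sides of the hunk.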
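Review bot: The new `#if HAVE_DRILL_TRUSTED_KEY == 0` block in drill.h has no comment explaining the precedence it implements, and the test is also true when the macro is not defined at all (an undefined identifier evaluates to 0 in `#if`), which `-Wundef` builds will flag. Spell the intent out above the block: `/* Unless drill's own configure was given --with-trusted-key, prefer the path the ldns library was built with (LDNS_TRUSTED_KEY_FILE from ldns/common.h). */` If the fall-through on an undefined macro is intended, write it as `#if !defined(HAVE_DRILL_TRUSTED_KEY) || HAVE_DRILL_TRUSTED_KEY == 0` so the intent is visible and the warning goes away.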
@@ -47,8 +47,10 @@ read_key_file(const char *filename, ldns_rr_list *key_list) input_file = fopen(filename, "r"); if (!input_file) { - fprintf(stderr, "Error opening %s: %s\n", - filename, strerror(errno)); + if (! silently) { + fprintf(stderr, "Error opening %s: %s\n", + filename, strerror(errno)); + } return LDNS_STATUS_ERR; } while (line_len >= 0) { @@ -57,10 +59,13 @@ read_key_file(const char *filename, ldns_rr_list *key_list) if (line_len > 0 && line[0] != ';') { status = ldns_rr_new_frm_str(&rr, line, 0, NULL, NULL); if (status != LDNS_STATUS_OK) { - fprintf(stderr, - "Error parsing DNSKEY RR in line %d: %s\n", - line_nr, - ldns_get_errorstr_by_id(status)); + if (! silently) { + fprintf(stderr, + "Error parsing DNSKEY RR " + "in line %d: %s\n", line_nr, + ldns_get_errorstr_by_id(status) + ); + } } else if (ldns_rr_get_type(rr) == LDNS_RR_TYPE_DNSKEY || ldns_rr_get_type(rr) == LDNS_RR_TYPE_DS) { ldns_rr_list_push_rr(key_list, rr); @@ -70,7 +75,6 @@ read_key_file(const char *filename, ldns_rr_list *key_list) } } } - printf(";; Number of trusted keys: %d\n", key_count); fclose(input_file); if (key_count > 0) { return LDNS_STATUS_OK; diff --git a/drill/drill_util.h b/drill/drill_util.h index de784411..42b3f32b 100644 --- a/drill/drill_util.h +++ b/drill/drill_util.h @@ -12,6 +12,13 @@ #define _DRILL_UTIL_H_ #include + +/** + * Read keys from filename and append to key_list. + */ +ldns_status read_key_file(const char *filename, ldns_rr_list *key_list, + bool silently); + /** * return a address rdf, either A or AAAA * NULL if anything goes wrong diff --git a/ldns/common.h.in b/ldns/common.h.in index 5d625475..9977b6d9 100644 --- a/ldns/common.h.in +++ b/ldns/common.h.in @@ -65,4 +65,6 @@ typedef bool _Bool; #define ATTR_UNUSED(x) x #endif /* !LDNS_BUILD_CONFIG_HAVE_ATTR_UNUSED */ +#define LDNS_TRUSTED_KEY_FILE "@LDNS_TRUSTED_KEY_FILE@" + #endif /* LDNS_COMMON_H */
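Review bot: The doc comment added for `read_key_file` in drill_util.h does not cover the new `silently` parameter, the return value, or which records are kept. From the drill_util.c hunks, only DNSKEY and DS RRs are appended to `key_list`, `LDNS_STATUS_OK` is returned only when at least one such key was read (a readable file with zero keys is an error), and `silently` suppresses both the open-failure and parse-error messages on stderr. Extend the comment with those three points so callers such as the default-key path in main() know what a non-OK status can mean.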
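Review bot: `LDNS_TRUSTED_KEY_FILE` is added to the installed public header ldns/common.h without a comment, so library consumers see a bare path macro with no indication of what uses it or how it is chosen. Add `/* Default trust anchor file used by drill; set at configure time with --with-trusted-key */` above the define. The configure value is pasted into the string literal unescaped, so a path containing `"` or `\` would break the header for every includer; rejecting such values at configure time is the simplest guard.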