From 973f7a2225f107683103c6b172a30e09d1a61662 Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards
Date: Tue, 4 Nov 2014 09:11:59 +0000
Subject: [PATCH] - Add ub_ctx_add_ta_autr function to add a RFC5011 automatically tracked trust anchor to libunbound.
git-svn-id: file:///svn/unbound/trunk@3251 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 configure | 6 +++---
 configure.ac | 6 +++---
 doc/Changelog | 4 ++++
 doc/libunbound.3.in | 13 +++++++++++++
 libunbound/libunbound.c | 20 ++++++++++++++++++++
 libunbound/ubsyms.def | 1 +
 libunbound/unbound.h | 15 +++++++++++++++
 7 files changed, 59 insertions(+), 6 deletions(-)
diff --git a/configure b/configure
index d2f12c7aa..db23ce606 100755
--- a/configure
+++ b/configure
@@ -2691,9 +2691,9 @@ UNBOUND_VERSION_MINOR=4
 UNBOUND_VERSION_MICRO=23
-LIBUNBOUND_CURRENT=4
+LIBUNBOUND_CURRENT=5
 LIBUNBOUND_REVISION=3
-LIBUNBOUND_AGE=2
+LIBUNBOUND_AGE=3
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
 # 1.0.2 had 0:14:0
@@ -2731,7 +2731,7 @@ LIBUNBOUND_AGE=2
 # 1.4.20 had 4:0:2 # adds libunbound.ttl
 # but shipped 3:5:1
 # 1.4.21 had 4:1:2
 # 1.4.22 had 4:1:2
-# 1.4.23 had 4:3:2
+# 1.4.23 had 5:3:3 # adds ub_ctx_add_ta_autr
 # Current -- the number of the binary API that we're implementing
 # Revision -- which iteration of the implementation of the binary
diff --git a/configure.ac b/configure.ac
index 7741a9998..23b72140d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -16,9 +16,9 @@ AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
 AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
 AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
-LIBUNBOUND_CURRENT=4
+LIBUNBOUND_CURRENT=5
 LIBUNBOUND_REVISION=3
-LIBUNBOUND_AGE=2
+LIBUNBOUND_AGE=3
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
 # 1.0.2 had 0:14:0
@@ -56,7 +56,7 @@ LIBUNBOUND_AGE=2
 # 1.4.20 had 4:0:2 # adds libunbound.ttl
 # but shipped 3:5:1
 # 1.4.21 had 4:1:2
 # 1.4.22 had 4:1:2
-# 1.4.23 had 4:3:2
+# 1.4.23 had 5:3:3 # adds ub_ctx_add_ta_autr
 # Current -- the number of the binary API that we're implementing
 # Revision -- which iteration of the implementation of the binary
diff --git a/doc/Changelog b/doc/Changelog
index f4ab1039c..47e564973 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+4 November 2014: Wouter
+ - Add ub_ctx_add_ta_autr function to add a RFC5011 automatically
+ tracked trust anchor to libunbound.
+
 27 October 2014: Wouter
 - Disabled use of SSLv3 in remote-control and ssl-upstream.
 - iana portlist update.
diff --git a/doc/libunbound.3.in b/doc/libunbound.3.in
index 14e2a059f..7f693e950 100644
--- a/doc/libunbound.3.in
+++ b/doc/libunbound.3.in
@@ -22,6 +22,7 @@
 .B ub_ctx_resolvconf,
 .B ub_ctx_hosts,
 .B ub_ctx_add_ta,
+.B ub_ctx_add_ta_autr,
 .B ub_ctx_add_ta_file,
 .B ub_ctx_trustedkeys,
 .B ub_ctx_debugout,
@@ -73,6 +74,9 @@
 \fBub_ctx_add_ta\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR ta);
 .LP
 \fIint\fR
+\fBub_ctx_add_ta_autr\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
+.LP
+\fIint\fR
 \fBub_ctx_add_ta_file\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
 .LP
 \fIint\fR
@@ -231,6 +235,15 @@ first resolve is done.
 The format is a string, similar to the zone\-file format,
 [domainname] [type] [rdata contents]. Both DS and DNSKEY records are accepted.
 .TP
+.B ub_ctx_add_ta_autr
+Add filename with automatically tracked trust anchor to the given context.
+Pass name of a file with the managed trust anchor. You can create this
+file with \fIunbound\-anchor\fR(8) for the root anchor. You can also
+create it with an initial file with one line with a DNSKEY or DS record.
+If the file is writable, it is updated when the trust anchor changes.
+At this time it is only possible to add trusted keys before the
+first resolve is done.
+.TP
 .B ub_ctx_add_ta_file
 Add trust anchors to the given context.
 Pass name of a file with DS and DNSKEY records in zone file format.
diff --git a/libunbound/libunbound.c b/libunbound/libunbound.c
index 31c55fad9..91a663a77 100644
--- a/libunbound/libunbound.c
+++ b/libunbound/libunbound.c
@@ -363,6 +363,26 @@ ub_ctx_add_ta_file(struct ub_ctx* ctx, const char* fname)
 return UB_NOERROR;
 }
+int ub_ctx_add_ta_autr(struct ub_ctx* ctx, const char* fname)
+{
+ char* dup = strdup(fname);
+ if(!dup) return UB_NOMEM;
+ lock_basic_lock(&ctx->cfglock);
+ if(ctx->finalized) {
+ lock_basic_unlock(&ctx->cfglock);
+ free(dup);
+ return UB_AFTERFINAL;
+ }
+ if(!cfg_strlist_insert(&ctx->env->cfg->auto_trust_anchor_file_list,
+ dup)) {
+ lock_basic_unlock(&ctx->cfglock);
+ free(dup);
+ return UB_NOMEM;
+ }
+ lock_basic_unlock(&ctx->cfglock);
+ return UB_NOERROR;
+}
+
 int ub_ctx_trustedkeys(struct ub_ctx* ctx, const char* fname)
 {
diff --git a/libunbound/ubsyms.def b/libunbound/ubsyms.def
index 866c1764c..ff3d9587b 100644
--- a/libunbound/ubsyms.def
+++ b/libunbound/ubsyms.def
@@ -8,6 +8,7 @@ ub_ctx_set_fwd
 ub_ctx_resolvconf
 ub_ctx_hosts
 ub_ctx_add_ta
+ub_ctx_add_ta_autr
 ub_ctx_add_ta_file
 ub_ctx_trustedkeys
 ub_ctx_debugout
diff --git a/libunbound/unbound.h b/libunbound/unbound.h
index a0b16af7d..567f48271 100644
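Review bot: In the libunbound.c hunk, `strdup(fname)` on the first line of ub_ctx_add_ta_autr dereferences fname without a NULL check, so a NULL argument is undefined behavior instead of an error return; a guard such as `if(!fname) return UB_SYNTAX;` ahead of the strdup (using whichever ub_ctx_err code the neighbouring setters use for a bad argument) makes the failure reportable. Whether cfg_strlist_insert frees `dup` when it returns 0 is not visible here; if it does, the `free(dup)` in that error path is a double free, so the ownership contract should be confirmed against cfg_strlist_insert's definition before relying on this cleanup. Note also that the call only queues the filename on auto_trust_anchor_file_list — nothing in this function opens or parses the file — so a missing or unreadable anchor file is presumably reported only later, when the context is finalized, not by this call; a comment above the function stating that would spare callers from expecting a file error here.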
--- a/libunbound/unbound.h
+++ b/libunbound/unbound.h
@@ -356,6 +356,21 @@ int ub_ctx_add_ta(struct ub_ctx* ctx, const char* ta);
 */
 int ub_ctx_add_ta_file(struct ub_ctx* ctx, const char* fname);
+/**
+ * Add trust anchor to the give context that is tracked with RFC5011
+ * automated trust anchor maintenance. The file is written to when the
+ * trust anchor is changed.
+ * Pass the name of a file that was output from eg. unbound-anchor,
+ * or you can start it by providing a trusted DNSKEY or DS record on one
+ * line in the file.
+ * @param ctx: context.
+ * At this time it is only possible to add trusted keys before the
+ * first resolve is done.
+ * @param fname: filename of file with trust anchor.
+ * @return 0 if OK, else error.
+ */
+int ub_ctx_add_ta_autr(struct ub_ctx* ctx, const char* fname);
+
 /**
 * Add trust anchors to the given context.
 * Pass the name of a bind-style config file with trusted-keys{}.
-- 2.47.2
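Review bot: The new header comment states `The file is written to when the trust anchor is changed`, while the man-page text in this same patch says it is updated only `If the file is writable`; the header should carry the same conditional, because a caller choosing where to place the file needs to know whether a read-only file is accepted or treated as an error, and since the file both seeds DNSSEC validation and is rewritten by the resolver it should live where only the application can write. `the give context` should read `the given context`. The `@return` line could name the codes the implementation in this patch actually produces, e.g. `@return 0 if OK, UB_AFTERFINAL if called after the first resolve, UB_NOMEM on allocation failure.`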