From c7b9a91398cc991a4c5bfc3c3a55bdac1308cd5c Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Wed, 10 Oct 2012 14:32:11 +0000 Subject: [PATCH] use /etc/unbound/root.key as default trusted key --- Makefile.in | 10 +++------ configure.ac | 16 ++++++++------ drill/Makefile.in | 3 ++- drill/configure.ac | 40 +++++++++++++++++++++++------------ drill/{drill.1 => drill.1.in} | 13 +++++++++--- drill/drill.c | 4 ++-- drill/drill.h | 11 ++++------ drill/drill_util.c | 4 ++-- ldns/common.h.in | 2 +- 9 files changed, 60 insertions(+), 43 deletions(-) rename drill/{drill.1 => drill.1.in} (95%) diff --git a/Makefile.in b/Makefile.in index 68831848..6630875a 100644 --- a/Makefile.in +++ b/Makefile.in @@ -23,6 +23,7 @@ pyldns_uninst = @PYLDNSUNINST@ pyldnsx_inst = @PYLDNSXINST@ pyldnsx_uninst = @PYLDNSXUNINST@ libtool = @libtool@ +CONFIG_FILES = @CONFIG_FILES@ # override $U variable which is used by autotools for deansification (for # K&R C compilers), but causes problems if $U is defined in the env). @@ -143,7 +144,7 @@ install-drill: drill/drill $(INSTALL) -m 755 -d $(DESTDIR)$(mandir) $(INSTALL) -m 755 -d $(DESTDIR)$(mandir)/man1 $(LIBTOOL) --mode=install cp drill/drill $(DESTDIR)$(bindir) - $(INSTALL) -m 644 $(srcdir)/drill/drill.1 $(DESTDIR)$(mandir)/man1/drill.1 + $(INSTALL) -m 644 drill/drill.1 $(DESTDIR)$(mandir)/man1/drill.1 uninstall-drill: rm -f $(DESTDIR)$(bindir)/drill $(DESTDIR)$(mandir)/man1/drill.1 @@ -332,13 +333,8 @@ clean: @CLEAN_DRILL@ @CLEAN_EXAMPLES@ clean-manpages clean-lib putdown-builddir realclean: clean docclean rm -f config.status rm -f config.log - rm -f Makefile + rm -f $(CONFIG_FILES) rm -f ldns/config.h - rm -f ldns/util.h - rm -f ldns/common.h - rm -f ldns/net.h - rm -f packaging/ldns-config - rm -f packaging/libldns.pc if test -d packaging -a ! -f packaging/ldns-config.in ; then \ rmdir packaging || : ; fi rm -f libtool diff --git a/configure.ac b/configure.ac index e64a819a..1fae2f37 100644 --- a/configure.ac +++ b/configure.ac 
@@ -114,12 +114,14 @@ This does not work with the --with-drill option. Please remove the config.h from the drill subdirectory or do not use the --with-drill option.]) fi + DRILL_CONFIG=" drill/drill.1" else AC_SUBST(DRILL,[""]) AC_SUBST(INSTALL_DRILL,[""]) AC_SUBST(UNINSTALL_DRILL,[""]) AC_SUBST(CLEAN_DRILL,[""]) AC_SUBST(LINT_DRILL,[""]) + DRILL_CONFIG="" fi @@ -516,14 +518,14 @@ fi AC_DEFINE([SYSCONFDIR], [sysconfdir], [System configuration dir]) -AC_ARG_WITH(trusted-key, AC_HELP_STRING([--with-trusted-key=[KEYFILE]], - [Default location of the trusted key with drill. [default=SYSCONFDIR/trusted-key.key]]), [ -AC_SUBST(LDNS_TRUSTED_KEY_FILE, [${with_trusted_key}]) +AC_ARG_WITH(trust-anchor, AC_HELP_STRING([--with-trust-anchor=[KEYFILE]], +[Default location of the trust anchor file for drill. [default=SYSCONFDIR/unbound/root.key]]), [ +AC_SUBST(LDNS_TRUST_ANCHOR_FILE, [${with_trust_anchor}]) ],[ if test "x$sysconfdir" = 'x${prefix}/etc' ; then -AC_SUBST(LDNS_TRUSTED_KEY_FILE, [${prefix}/etc/trusted-key.key]) +AC_SUBST(LDNS_TRUST_ANCHOR_FILE, [${prefix}/etc/unbound/root.key]) else -AC_SUBST(LDNS_TRUSTED_KEY_FILE, [${sysconfdir}/trusted-key.key]) +AC_SUBST(LDNS_TRUST_ANCHOR_FILE, [${sysconfdir}/unbound/root.key]) fi ]) @@ -683,7 +685,9 @@ else AC_SUBST(ldns_build_config_have_attr_unused, 0) fi -AC_CONFIG_FILES([Makefile ldns/common.h ldns/net.h ldns/util.h packaging/libldns.pc packaging/ldns-config]) +CONFIG_FILES="Makefile ldns/common.h ldns/net.h ldns/util.h packaging/libldns.pc packaging/ldns-config $DRILL_CONFIG" +AC_SUBST(CONFIG_FILES) +AC_CONFIG_FILES([$CONFIG_FILES]) AC_CONFIG_HEADER([ldns/config.h]) AC_OUTPUT diff --git a/drill/Makefile.in b/drill/Makefile.in index 0f607f2e..9b7f45b2 100644 --- a/drill/Makefile.in +++ b/drill/Makefile.in @@ -90,6 +90,7 @@ realclean: clean docclean rm -f config.h.in rm -f configure rm -f Makefile + rm -f drill.1 rm -f aclocal.m4 doc: 
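Review bot: The default branch `AC_SUBST(LDNS_TRUST_ANCHOR_FILE, [${prefix}/etc/unbound/root.key])` runs before configure replaces an unset `$prefix`, which at this point is still the literal `NONE` (the `xNONE` test that drill/configure.ac adds in this same patch exists for that reason), so a plain `./configure` appears to bake `NONE/etc/unbound/root.key` into ldns/common.h and the drill.1 man page; mirroring drill's `if test "x$prefix" = 'xNONE' ; then` branch with a plain `/etc/unbound/root.key` here would fix it. The explicit branch also stores `${with_trust_anchor}` unchecked, so `--with-trust-anchor` without a value or `--without-trust-anchor` sets the trust anchor path to the literal `yes`/`no`; `$withval` in drill/configure.ac has the same gap. Since this path is what drill reads as its DNSSEC trust anchor when no -k is given, a guard such as `case "$with_trust_anchor" in yes|no) AC_MSG_ERROR([--with-trust-anchor needs a file path]) ;; esac` makes a misconfigured build fail at configure time rather than at validation time.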
@@ -115,4 +116,4 @@ lint: done confclean: clean - rm -rf config.log config.status config.h Makefile + rm -rf config.log config.status config.h Makefile drill.1 diff --git a/drill/configure.ac b/drill/configure.ac index e6bd251a..d2ac1c54 100644 --- a/drill/configure.ac +++ b/drill/configure.ac 
@@ -177,23 +177,35 @@ fi AC_SUBST(LDNSDIR) -AC_ARG_WITH(trusted-key, AC_HELP_STRING([--with-trusted-key=[KEYFILE]], - [Default location of the trusted key with drill. [default=LDNS_TRUSTED_KEY_FILE or SYSCONFDIR/trusted-key.key]]), [ -AC_DEFINE([HAVE_DRILL_TRUSTED_KEY], [1], [Is the trusted key file explicitely given at configure time]) -AC_DEFINE_UNQUOTED([DRILL_TRUSTED_KEY_FILE], ["$with_trusted_key"], [Default trusted key file]) -],[ -AC_DEFINE([HAVE_DRILL_TRUSTED_KEY], [0], [Is the trusted key file explicitely given at configure time]) -if test "x$sysconfdir" = 'x${prefix}/etc' ; then -if test "x$prefix" = 'xNONE' ; then -AC_DEFINE_UNQUOTED([DRILL_TRUSTED_KEY_FILE], ["/etc/trusted-key.key"], [Default trusted key file]) -else -AC_DEFINE_UNQUOTED([DRILL_TRUSTED_KEY_FILE], ["${prefix}/etc/trusted-key.key"], [Default trusted key file]) -fi +if test -f $LDNSDIR/ldns/common.h && \ + grep LDNS_TRUST_ANCHOR_FILE $LDNSDIR/ldns/common.h >/dev/null; then + LDNS_TRUST_ANCHOR_FILE=`grep LDNS_TRUST_ANCHOR_FILE $LDNSDIR/ldns/common.h | sed -e 's/^.*"\(.*\)".*$/\1/'` else -AC_DEFINE_UNQUOTED([DRILL_TRUSTED_KEY_FILE], ["${sysconfdir}/trusted-key.key"], [Default trusted key file]) + LDNS_TRUST_ANCHOR_FILE="" fi + +AC_ARG_WITH(trust-anchor, AC_HELP_STRING([--with-trust-anchor=[KEYFILE]], +[Default location of the trust anchor file. 
[default=LDNS_TRUST_ANCHOR_FILE or SYSCONFDIR/unbound/root.key]]), [ + AC_DEFINE([HAVE_DRILL_TRUST_ANCHOR], [1], [Is the trust anchor file explicitely given at configure time]) + LDNS_TRUST_ANCHOR_FILE="$withval" +],[ + AC_DEFINE([HAVE_DRILL_TRUST_ANCHOR], [0], [Is the trust anchor file explicitely given at configure time]) + if test "x$LDNS_TRUST_ANCHOR_FILE" = "x"; then + if test "x$sysconfdir" = 'x${prefix}/etc' ; then + if test "x$prefix" = 'xNONE' ; then + LDNS_TRUST_ANCHOR_FILE="/etc/unbound/root.key" + else + LDNS_TRUST_ANCHOR_FILE="${prefix}/etc/unbound/root.key" + fi + else + LDNS_TRUST_ANCHOR_FILE="${sysconfdir}/unbound/root.key" + fi + fi ]) +AC_DEFINE_UNQUOTED([DRILL_TRUST_ANCHOR_FILE], ["$LDNS_TRUST_ANCHOR_FILE"], [Default trust anchor file]) +AC_SUBST(LDNS_TRUST_ANCHOR_FILE) + AH_BOTTOM([ #include @@ -271,6 +283,6 @@ extern int optind, opterr; #endif ]) -AC_CONFIG_FILES([Makefile]) +AC_CONFIG_FILES([Makefile drill.1]) AC_CONFIG_HEADER([config.h]) AC_OUTPUT diff --git a/drill/drill.1 b/drill/drill.1.in similarity index 95% rename from drill/drill.1 rename to drill/drill.1.in index 1600df44..b49dfb4c 100644 --- a/drill/drill.1 +++ b/drill/drill.1.in @@ -161,9 +161,9 @@ given \fBdrill\fR tries to validate the current answer with this key. No chasing is done. When \fBdrill\fR is doing a secure trace, this key will be used as trust anchor. Can contain a DNSKEY or a DS record. -Alternatively, if \fB-k\fR is not specified, and a default trusted key -exists and contains a valid DNSKEY or DS record, it will be used -as the trust anchor. +Alternatively, if \fB-k\fR is not specified, and a default trust anchor +(@LDNS_TRUST_ANCHOR_FILE@) exists and contains a valid DNSKEY or DS record, +it will be used as the trust anchor. .TP \fB\-o \fImnemonic\fR 
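Review bot: `$LDNSDIR` is unquoted in both the `test -f` and the `grep` of the new detection block, so an ldns prefix containing whitespace fails the test (or greps a different file) and the build silently falls back to the compiled-in default instead of the value in the installed ldns/common.h; `test -f "$LDNSDIR/ldns/common.h" && grep LDNS_TRUST_ANCHOR_FILE "$LDNSDIR/ldns/common.h" >/dev/null` (and the same quoting inside the backticked extraction) avoids that. The `sed` expression keeps whatever sits between the first and last double quote of every matching line, which is fine for the single `#define` this patch adds to ldns/common.h.in but yields a multi-line value if the macro name ever appears on a second line; anchoring the grep on `^#define LDNS_TRUST_ANCHOR_FILE` would make it robust. Both new AC_DEFINE descriptions spell `explicitely`; `explicitly` is the usual spelling.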
@@ -216,6 +216,13 @@ specify named base64 tsig key, and optional an algorithm (defaults to hmac-md5.s \fB\-z \fR don't randomize the nameserver list before sending queries. +.SH "FILES" +.TP +@LDNS_TRUST_ANCHOR_FILE@ +The file from which trusted keys are loaded when no \fB-k\fR option is given. +.SH "SEE ALSO" +.LP +unbound-anchor(8) .SH AUTHOR Jelte Jansen and Miek Gieben. Both of NLnet Labs. diff --git a/drill/drill.c b/drill/drill.c index 27ee095f..1de72de7 100644 --- a/drill/drill.c +++ b/drill/drill.c @@ -54,7 +54,7 @@ usage(FILE *stream, const char *progname) fprintf(stream, "\t\t\tused to verify any signatures in the current answer\n"); fprintf(stream, "\t\t\tIf DNSSEC is enabled and no key files are given, keys\n" "\t\t\tare read from %s\n", - DRILL_TRUSTED_KEY_FILE); + LDNS_TRUST_ANCHOR_FILE); fprintf(stream, "\t-o \tset flags to:" "\n\t\t\t[QR|qr][AA|aa][TC|tc][RD|rd][CD|cd][RA|ra][AD|ad]\n"); fprintf(stream, "\t\t\tlowercase: unset bit, uppercase: set bit\n"); @@ -405,7 +405,7 @@ main(int argc, char *argv[]) argv += optind; if (qdnssec && ldns_rr_list_rr_count(key_list) == 0) { - (void) read_key_file(DRILL_TRUSTED_KEY_FILE, key_list, true); + (void) read_key_file(LDNS_TRUST_ANCHOR_FILE, key_list, true); } if (ldns_rr_list_rr_count(key_list) > 0) { printf(";; Number of trusted keys: %d\n", diff --git a/drill/drill.h b/drill/drill.h index 650ad46d..e7eacbc3 100644 --- a/drill/drill.h +++ b/drill/drill.h @@ -12,15 +12,12 @@ #include "drill_util.h" -#define DRILL_VERSION PACKAGE_VERSION - -#if HAVE_DRILL_TRUSTED_KEY == 0 -# ifdef LDNS_TRUSTED_KEY_FILE -# undef DRILL_TRUSTED_KEY_FILE -# define DRILL_TRUSTED_KEY_FILE LDNS_TRUSTED_KEY_FILE -# endif +#ifndef LDNS_TRUST_ANCHOR_FILE +#define LDNS_TRUST_ANCHOR_FILE DRILL_TRUST_ANCHOR_FILE #endif +#define DRILL_VERSION PACKAGE_VERSION + /* what kind of stuff do we allow */ #define DRILL_QUERY 0 #define DRILL_TRACE 1 diff --git a/drill/drill_util.c b/drill/drill_util.c index 4d38a9c5..db0433e7 100644 
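Review bot: The `(void) read_key_file(LDNS_TRUST_ANCHOR_FILE, key_list, true)` call still discards the result, so when `-D` is given and the default anchor file is missing or unreadable — more likely now that the default lives in another package's directory (`/etc/unbound/root.key`, maintained by unbound-anchor according to the man page hunk) — drill continues with an empty key list and, unless read_key_file itself reports the failure (its definition is not in this hunk), no diagnostic. If read_key_file signals failure through its return value, a one-line `fprintf(stderr, ";; could not read trust anchor file %s\n", LDNS_TRUST_ANCHOR_FILE);` on that path would make the missing anchor visible instead of leaving validation silently unanchored. main() continues outside the hunk.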
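Review bot: The new `#ifndef LDNS_TRUST_ANCHOR_FILE` guard lets the macro from the installed ldns/common.h win over DRILL_TRUST_ANCHOR_FILE, so a `--with-trust-anchor=` passed to drill's own configure is silently ignored whenever ldns/common.h is included before drill.h, and HAVE_DRILL_TRUST_ANCHOR, which drill/configure.ac still defines for exactly this case, is no longer consulted anywhere in the patch. The removed `HAVE_DRILL_TRUSTED_KEY == 0` test preserved that precedence; `#if HAVE_DRILL_TRUST_ANCHOR || !defined(LDNS_TRUST_ANCHOR_FILE)` / `# undef LDNS_TRUST_ANCHOR_FILE` / `# define LDNS_TRUST_ANCHOR_FILE DRILL_TRUST_ANCHOR_FILE` restores it. Which file is chosen here decides what drill accepts as DNSSEC trust anchor, so a build option that looks honoured but is overridden deserves at least a comment explaining the precedence.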
--- a/drill/drill_util.c +++ b/drill/drill_util.c @@ -14,12 +14,12 @@ #include static int -read_line(FILE *input, char *line, int len) +read_line(FILE *input, char *line, size_t len) { int i; char c; - for (i = 0; i < len-1; i++) { + for (i = 0; i < (int)len-1; i++) { c = (char)getc(input); if (c == EOF) { return -1; diff --git a/ldns/common.h.in b/ldns/common.h.in index beacdbeb..0813e474 100644 --- a/ldns/common.h.in +++ b/ldns/common.h.in @@ -66,7 +66,7 @@ typedef bool _Bool; #define ATTR_UNUSED(x) x #endif /* !LDNS_BUILD_CONFIG_HAVE_ATTR_UNUSED */ -#define LDNS_TRUSTED_KEY_FILE "@LDNS_TRUSTED_KEY_FILE@" +#define LDNS_TRUST_ANCHOR_FILE "@LDNS_TRUST_ANCHOR_FILE@" #if !LDNS_BUILD_CONFIG_HAVE_SOCKLEN_T typedef int socklen_t; -- 2.47.3
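Review bot: `for (i = 0; i < (int)len-1; i++)` narrows the new `size_t len` back to `int` instead of adapting the loop, which keeps the signed/unsigned mismatch the signature change was presumably meant to remove; `size_t i;` with `for (i = 0; i + 1 < len; i++) {` walks the same range and handles `len == 0` without relying on the `-1`, provided `i` is not used as a signed value further down in read_line (its body continues outside the hunk). On the unchanged lines just below, `c` is a `char` compared with EOF after narrowing, so a 0xFF byte in the key file ends the read early (or EOF is never detected where char is unsigned); declaring `int c` and converting only when it is stored into `line` is the usual fix.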
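Review bot: ldns/common.h is an installed public header, and this hunk renames `LDNS_TRUSTED_KEY_FILE` to `LDNS_TRUST_ANCHOR_FILE` without keeping the old name, so third-party code using the old macro stops compiling and an older drill built against this ldns (whose drill.h tested `#ifdef LDNS_TRUSTED_KEY_FILE`) falls back to its own compiled-in default. A compatibility alias next to the new define, `#define LDNS_TRUSTED_KEY_FILE LDNS_TRUST_ANCHOR_FILE`, with a comment marking it deprecated, keeps the rename source-compatible.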