From eb696dc3856ed7a0e42d6514fdc0c2b56cdd9652 Mon Sep 17 00:00:00 2001 From: Wouter Wijngaards Date: Tue, 28 Sep 2010 10:27:49 +0000 Subject: [PATCH] configure options for unbound-anchor files git-svn-id: file:///svn/unbound/trunk@2257 be551aaa-1e26-0410-a405-d3ace91eadb9 --- config.h.in | 6 +++ configure | 95 ++++++++++++++++++++++++++++++++------- configure.ac | 33 +++++++++++++- doc/README | 9 ++++ doc/unbound-anchor.8.in | 20 ++++----- smallapp/unbound-anchor.c | 5 --- 6 files changed, 137 insertions(+), 31 deletions(-) diff --git a/config.h.in b/config.h.in index 7eddf74a4..81c0c7ba6 100644 --- a/config.h.in +++ b/config.h.in @@ -430,6 +430,12 @@ /* Define as the return type of signal handlers (`int' or `void'). */ #undef RETSIGTYPE +/* default rootkey location */ +#undef ROOT_ANCHOR_FILE + +/* default rootcert location */ +#undef ROOT_CERT_FILE + /* version number for resource files */ #undef RSRC_PACKAGE_VERSION diff --git a/configure b/configure index 7d2de0a4d..1ea15a57b 100755 --- a/configure +++ b/configure @@ -797,6 +797,8 @@ LEX debug_enabled DEPFLAG UNBOUND_USERNAME +UNBOUND_ROOTCERT_FILE +UNBOUND_ROOTKEY_FILE UNBOUND_PIDFILE UNBOUND_SHARE_DIR UNBOUND_CHROOT_DIR @@ -873,6 +875,8 @@ with_run_dir with_chroot_dir with_share_dir with_pidfile +with_rootkey_file +with_rootcert_file with_username enable_checking enable_debug @@ -892,6 +896,7 @@ with_ssl enable_sha2 enable_gost with_libevent +with_libexpat enable_staticexe enable_lock_checks enable_alloc_checks 
@@ -1563,6 +1568,13 @@ Optional Packages: same as share/unbound) --with-pidfile=filename set default pathname to unbound pidfile (default run-dir/unbound.pid) + --with-rootkey-file=filename + set default pathname to root key file (default + run-dir/root.key). This file is read and written. + --with-rootcert-file=filename + set default pathname to root update certificate file + (default run-dir/icannbundle.pem). This file need + not exist if you are content with the builtin. --with-username=user set default user that unbound changes to (default user is unbound) --with-pic try to use only PIC/non-PIC objects [default=use @@ -1583,6 +1595,7 @@ Optional Packages: /usr/lib /usr/pkg /usr/sfw /usr or you can specify an explicit path). Slower, but allows use of large outgoing port ranges. + --with-libexpat=path specify explicit path for libexpat. --with-ldns=PATH specify prefix of path of ldns library to use --with-ldns-builtin forces use of package included with this one 
@@ -4060,6 +4073,50 @@ _ACEOF +# Check whether --with-rootkey-file was given. +if test "${with_rootkey_file+set}" = set; then : + withval=$with_rootkey_file; UNBOUND_ROOTKEY_FILE="$withval" +else + if test $on_mingw = no; then + UNBOUND_ROOTKEY_FILE="$UNBOUND_RUN_DIR/root.key" +else + UNBOUND_ROOTKEY_FILE="" +fi + +fi + + +hdr_rkey="`echo $UNBOUND_ROOTKEY_FILE | sed -e 's/\\\\/\\\\\\\\/g'`" + + +cat >>confdefs.h <<_ACEOF +#define ROOT_ANCHOR_FILE "$hdr_rkey" +_ACEOF + + + +# Check whether --with-rootcert-file was given. +if test "${with_rootcert_file+set}" = set; then : + withval=$with_rootcert_file; UNBOUND_ROOTCERT_FILE="$withval" +else + if test $on_mingw = no; then + UNBOUND_ROOTCERT_FILE="$UNBOUND_RUN_DIR/icannbundle.pem" +else + UNBOUND_ROOTCERT_FILE="" +fi + +fi + + +hdr_rpem="`echo $UNBOUND_ROOTCERT_FILE | sed -e 's/\\\\/\\\\\\\\/g'`" + + +cat >>confdefs.h <<_ACEOF +#define ROOT_CERT_FILE "$hdr_rpem" +_ACEOF + + + # Check whether --with-username was given. if test "${with_username+set}" = set; then : withval=$with_username; UNBOUND_USERNAME="$withval" @@ -6755,13 +6812,13 @@ if test "${lt_cv_nm_interface+set}" = set; then : else lt_cv_nm_interface="BSD nm" echo "int some_variable = 0;" > conftest.$ac_ext - (eval echo "\"\$as_me:6758: $ac_compile\"" >&5) + (eval echo "\"\$as_me:6815: $ac_compile\"" >&5) (eval "$ac_compile" 2>conftest.err) cat conftest.err >&5 - (eval echo "\"\$as_me:6761: $NM \\\"conftest.$ac_objext\\\"\"" >&5) + (eval echo "\"\$as_me:6818: $NM \\\"conftest.$ac_objext\\\"\"" >&5) (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) cat conftest.err >&5 - (eval echo "\"\$as_me:6764: output\"" >&5) + (eval echo "\"\$as_me:6821: output\"" >&5) cat conftest.out >&5 if $GREP 'External.*some_variable' conftest.out > /dev/null; then lt_cv_nm_interface="MS dumpbin" 
@@ -7966,7 +8023,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 7969 "configure"' > conftest.$ac_ext + echo '#line 8026 "configure"' > conftest.$ac_ext if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -9226,11 +9283,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9229: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9286: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:9233: \$? = $ac_status" >&5 + echo "$as_me:9290: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -9565,11 +9622,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9568: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9625: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:9572: \$? = $ac_status" >&5 + echo "$as_me:9629: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. 
@@ -9670,11 +9727,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9673: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9730: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:9677: \$? = $ac_status" >&5 + echo "$as_me:9734: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -9725,11 +9782,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9728: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9785: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:9732: \$? = $ac_status" >&5 + echo "$as_me:9789: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -12095,7 +12152,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12098 "configure" +#line 12155 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -12191,7 +12248,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12194 "configure" +#line 12251 "configure" #include "confdefs.h" #if HAVE_DLFCN_H 
@@ -15602,10 +15659,18 @@ $as_echo "#define USE_MINI_EVENT 1" >>confdefs.h fi # check for libexpat + +# Check whether --with-libexpat was given. +if test "${with_libexpat+set}" = set; then : + withval=$with_libexpat; +else + withval="/usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr" +fi + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for libexpat" >&5 $as_echo_n "checking for libexpat... " >&6; } found_libexpat="no" -for dir in /usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr; do +for dir in $withval ; do if test -f "$dir/include/expat.h"; then found_libexpat="yes" if test "$dir" != "/usr"; then diff --git a/configure.ac b/configure.ac index eedc2f5d6..dd6d3a48b 100644 --- a/configure.ac +++ b/configure.ac 
@@ -154,6 +154,34 @@ AC_SUBST(UNBOUND_PIDFILE) ACX_ESCAPE_BACKSLASH($UNBOUND_PIDFILE, hdr_pid) AC_DEFINE_UNQUOTED(PIDFILE, ["$hdr_pid"], [default pidfile location]) +AC_ARG_WITH(rootkey-file, + AC_HELP_STRING([--with-rootkey-file=filename], + [set default pathname to root key file (default run-dir/root.key). This file is read and written.]), + UNBOUND_ROOTKEY_FILE="$withval", +if test $on_mingw = no; then + UNBOUND_ROOTKEY_FILE="$UNBOUND_RUN_DIR/root.key" +else + UNBOUND_ROOTKEY_FILE="" +fi +) +AC_SUBST(UNBOUND_ROOTKEY_FILE) +ACX_ESCAPE_BACKSLASH($UNBOUND_ROOTKEY_FILE, hdr_rkey) +AC_DEFINE_UNQUOTED(ROOT_ANCHOR_FILE, ["$hdr_rkey"], [default rootkey location]) + +AC_ARG_WITH(rootcert-file, + AC_HELP_STRING([--with-rootcert-file=filename], + [set default pathname to root update certificate file (default run-dir/icannbundle.pem). This file need not exist if you are content with the builtin.]), + UNBOUND_ROOTCERT_FILE="$withval", +if test $on_mingw = no; then + UNBOUND_ROOTCERT_FILE="$UNBOUND_RUN_DIR/icannbundle.pem" +else + UNBOUND_ROOTCERT_FILE="" +fi +) +AC_SUBST(UNBOUND_ROOTCERT_FILE) +ACX_ESCAPE_BACKSLASH($UNBOUND_ROOTCERT_FILE, hdr_rpem) +AC_DEFINE_UNQUOTED(ROOT_CERT_FILE, ["$hdr_rpem"], [default rootcert location]) + AC_ARG_WITH(username, AC_HELP_STRING([--with-username=user], [set default user that unbound changes to (default user is unbound)]), @@ -529,9 +557,12 @@ else fi # check for libexpat +AC_ARG_WITH(libexpat, AC_HELP_STRING([--with-libexpat=path], + [specify explicit path for libexpat.]), + [ ],[ withval="/usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr" ]) AC_MSG_CHECKING(for libexpat) found_libexpat="no" -for dir in /usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr; do +for dir in $withval ; do if test -f "$dir/include/expat.h"; then found_libexpat="yes" dnl assume /usr is in default path. diff --git a/doc/README b/doc/README index b1dba6427..5f133847c 100644 --- a/doc/README +++ b/doc/README 
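Review bot: A bare `--with-rootkey-file` or `--without-rootkey-file` reaches `UNBOUND_ROOTKEY_FILE="$withval"` with the literal value `yes` or `no`, and that string is what ends up compiled in as `ROOT_ANCHOR_FILE`; the `rootcert-file` block below it and the `libexpat` option in the second hunk of this file have the same gap. Because the man page in this same commit says the root key file is read and written, a relative trust-anchor path named `yes` is an easy misconfiguration to ship, so rejecting it at configure time is preferable, e.g. replacing the given-action with `[if test "x$withval" = xyes -o "x$withval" = xno; then AC_MSG_ERROR([--with-rootkey-file needs a filename]); fi; UNBOUND_ROOTKEY_FILE="$withval"]` and the equivalent for `rootcert-file`. The mingw default of `""` is presumably handled by unbound-anchor itself; that code is outside this diff, so it is worth confirming that an empty `ROOT_ANCHOR_FILE` is treated as "not configured" rather than as a path.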
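Review bot: The help string `[specify explicit path for libexpat.]` does not match what `for dir in $withval ; do` accepts: the variable is deliberately left unquoted so the default list splits into several prefixes, which means a user-supplied value is also split on whitespace, a list of prefixes works, and a single prefix containing a space cannot be expressed. Either wording should say so, e.g. `[specify explicit path for libexpat (space-separated prefixes are searched in order).]`, or the given-action should quote `"$withval"` and the default should stay a list handled separately. The `for` loop that consumes `$withval` ends outside this hunk, so whatever happens when no prefix matches is not visible here.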
@@ -28,6 +28,8 @@ This software is under BSD license, see LICENSE for details. of outgoing ports. This improves randomization and spoof resistance. For the default of 16 ports the builtin alternative works well and is a little faster. + * --with-libexpat=/path/to/libexpat + Can be set to the install directory of libexpat. * --without-pthreads This disables pthreads. Without this option the pthreads library is detected automatically. Use this option to disable threading @@ -59,6 +61,13 @@ This software is under BSD license, see LICENSE for details. * --with-chroot-dir=path Set default chroot directory, the default is /usr/local/etc/unbound. + * --with-rootkey-file=path + Set the default root.key path. This file is read and written. + the default is /usr/local/etc/unbound/root.key + * --with-rootcert-file=path + Set the default root update certificate path. A builtin certificate + is used if this file is empty or does not exist. + the default is /usr/local/etc/unbound/icannbundle.pem * --with-username=user Set default user name to change to, the default is the "unbound" user. diff --git a/doc/unbound-anchor.8.in b/doc/unbound-anchor.8.in index 8b5d942ac..df7b01425 100644 --- a/doc/unbound-anchor.8.in +++ b/doc/unbound-anchor.8.in @@ -25,10 +25,10 @@ Suggested usage: .nf # in the init scripts. # provide or update the root anchor (if necessary) - unbound-anchor -a "/usr/local/etc/unbound/root.key" + unbound-anchor -a "@UNBOUND_ROOTKEY_FILE@" # start validating resolver # the unbound.conf contains: - # auto-trust-anchor-file: "/usr/local/etc/unbound/root.key" + # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" unbound -c unbound.conf .fi .P 
@@ -49,12 +49,12 @@ The available options are: .TP .B \-a \fIfile The root anchor key file, that is read in and written out. -Default is /usr/local/etc/unbound/root.key. +Default is @UNBOUND_ROOTKEY_FILE@. If the file does not exist, or is empty, a builtin root key is written to it. .TP .B \-c \fIfile The root update certificate file, that is read in. -Default is /usr/local/etc/unbound/icannbundle.pem. +Default is @UNBOUND_ROOTCERT_FILE@. If the file does not exist, or is empty, a builtin certificate is used. .TP .B \-u \fIname @@ -139,21 +139,21 @@ You can do this by checking the exit value. In this manner: Or something more suitable for your operational environment. .SH "FILES" .TP -.I /usr/local/etc/unbound/root.key +.I @UNBOUND_ROOTKEY_FILE@ The root anchor file, updated with 5011 tracking, and read and written to. +The file is created if it does not exist. .TP -.I /usr/local/etc/unbound/icannbundle.pem +.I @UNBOUND_ROOTCERT_FILE@ The trusted self\-signed certificate that is used to verify the downloaded -DNSSEC root trust anchor. +DNSSEC root trust anchor. You can update it by fetching it from +https://data.iana.org/root\-anchors/icannbundle.pem (and validate it). +If the file does not exist or is empty, a builtin version is used. .TP .I https://data.iana.org/root\-anchors/root\-anchors.xml Source for the root key information. .TP .I https://data.iana.org/root\-anchors/root\-anchors.p7s Signature on the root key information. -.TP -.I https://data.iana.org/root\-anchors/icannbundle.pem -Source for the certificate used. .SH "SEE ALSO" \fIunbound.conf\fR(5), \fIunbound\fR(8). diff --git a/smallapp/unbound-anchor.c b/smallapp/unbound-anchor.c index c632488e8..3fd2c1647 100644 --- a/smallapp/unbound-anchor.c +++ b/smallapp/unbound-anchor.c 
@@ -131,11 +131,6 @@ #include #include -/* TODO configure defines with prefix */ -/** root key file, 5011 tracked */ -#define ROOT_ANCHOR_FILE "/usr/local/etc/unbound/root.key" -/** root update cert file */ -#define ROOT_CERT_FILE "/usr/local/etc/unbound/icannbundle.pem" /** name of server in URL to fetch HTTPS from */ #define URLNAME "data.iana.org" /** path on HTTPS server to xml file */ -- 2.47.2