This is a useful optimization if the DANE/TLSA data is initialized
from a source other than libunbound/DNS, as then the DNSSEC root key
would not be used anyway. Worse, if we failed to read the DNSSEC
root key, this would create a failure even though for applications
that do not use DNSSEC (but do use DANE/TLSA) such a failure would
be totally harmless.
}
/* read public keys for DNSSEC verification */
- if( (ret=ub_ctx_add_ta_file(ctx, (char*)UNBOUND_ROOT_KEY_FILE)) != 0) {
- gnutls_assert();
- ret = DANE_E_INITIALIZATION_ERROR;
- goto cleanup;
+ if (!(flags & DANE_F_IGNORE_DNSSEC))
+ {
+ if( (ret=ub_ctx_add_ta_file(ctx, (char*)UNBOUND_ROOT_KEY_FILE)) != 0) {
+ gnutls_assert();
+ ret = DANE_E_INITIALIZATION_ERROR;
+ goto cleanup;
+ }
}
(*s)->ctx = ctx;
* dane_state_flags_t:
* @DANE_F_IGNORE_LOCAL_RESOLVER: Many systems are not DNSSEC-ready. In that case the local resolver is ignored, and a direct recursive resolve occurs.
* @DANE_F_INSECURE: Ignore any DNSSEC signature verification errors.
+ * @DANE_F_IGNORE_DNSSEC: Do not try to initialize DNSSEC as we will not use it (will then not try to load the DNSSEC root certificate). Useful if the TLSA data does not come from DNS.
*
* Enumeration of different verification flags.
*/
{
DANE_F_IGNORE_LOCAL_RESOLVER = 1,
DANE_F_INSECURE=2,
+ DANE_F_IGNORE_DNSSEC=4
} dane_state_flags_t;
int dane_state_init (dane_state_t* s, unsigned int flags);