]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
Adding option DANE_F_IGNORE_DNSSEC to disable loading of the DNSSEC root key entirely...
authorChristian Grothoff <christian@grothoff.org>
Wed, 23 Oct 2013 10:01:31 +0000 (12:01 +0200)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Wed, 23 Oct 2013 16:47:25 +0000 (18:47 +0200)
This is a useful optimization if the DANE/TLSA data is initialized
from a source other than libunbound/DNS, as then the DNSSEC root key
would not be used anyway.  Worse, if we failed to read the DNSSEC
root key, this would create a failure even though for applications
that do not use DNSSEC (but do use DANE/TLSA) such a failure would
be totally harmless.

libdane/dane.c
libdane/includes/gnutls/dane.h

index 4f278eca6d2666ae3220979c376214da165a39b1..04e6823d30c2dbeac68013e323ec64fc73fbba67 100644 (file)
@@ -172,10 +172,13 @@ int dane_state_init(dane_state_t* s, unsigned int flags)
        }
 
        /* read public keys for DNSSEC verification */
-       if( (ret=ub_ctx_add_ta_file(ctx, (char*)UNBOUND_ROOT_KEY_FILE)) != 0) {
-               gnutls_assert();
-               ret = DANE_E_INITIALIZATION_ERROR;
-               goto cleanup;
+        if (!(flags & DANE_F_IGNORE_DNSSEC))
+        {
+                if( (ret=ub_ctx_add_ta_file(ctx, (char*)UNBOUND_ROOT_KEY_FILE)) != 0) {
+                       gnutls_assert();
+                       ret = DANE_E_INITIALIZATION_ERROR;
+                       goto cleanup;
+                }
        }
 
        (*s)->ctx = ctx;
index 21413ea14c5f95156c23f138c7dacfff825b4713..3ce56fb80871713a8e83a58282c63d18b13eddf5 100644 (file)
@@ -96,6 +96,7 @@ typedef struct dane_query_st *dane_query_t;
  * dane_state_flags_t:
  * @DANE_F_IGNORE_LOCAL_RESOLVER: Many systems are not DNSSEC-ready. In that case the local resolver is ignored, and a direct recursive resolve occurs.
  * @DANE_F_INSECURE: Ignore any DNSSEC signature verification errors.
+ * @DANE_F_IGNORE_DNSSEC: Do not try to initialize DNSSEC as we will not use it (will then not try to load the DNSSEC root certificate).  Useful if the TLSA data does not come from DNS.
  *
  * Enumeration of different verification flags.
  */
@@ -103,6 +104,7 @@ typedef enum dane_state_flags_t
 {
   DANE_F_IGNORE_LOCAL_RESOLVER = 1,
   DANE_F_INSECURE=2,
+  DANE_F_IGNORE_DNSSEC=4
 } dane_state_flags_t;
 
 int dane_state_init (dane_state_t* s, unsigned int flags);