sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-06 00:00:47 -04:00
Code Issues Projects Releases Wiki Activity

unbound: Add support for DLV (DNSSEC Lookaside Validation)

Browse Source 
Fixes #392.
This commit is contained in:
Tobias Brunner 2013-08-29 09:04:36 +02:00
parent 1ff63f153e
commit 6ecf1aab35
2 changed files with 32 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
man/strongswan.conf.5.in
View File

@ -886,7 +886,15 @@ File to read pseudo random bytes from, instead of @urandom_device@
File to read DNS resolver configuration from File to read DNS resolver configuration from
.TP .TP
.BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]" .BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
File to read DNSSEC trust anchors from (usually root zone KSK) File to read DNSSEC trust anchors from (usually root zone KSK). The format of
the file is the standard DNS Zone file format, anchors can be stored as DS or
DNSKEY entries in the file.
.TP
.BR libstrongswan.plugins.unbound.dlv_anchors
File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It uses
the same format as \fItrust_anchors\fR. Only one DLV can be configured, which
is then used as a root trusted DLV, this means that it is a lookaside for
the root.
.SS libtls section .SS libtls section
.TP .TP
.BR libtls.cipher .BR libtls.cipher

35
src/libstrongswan/plugins/unbound/unbound_resolver.c
View File

@ -94,16 +94,17 @@ resolver_t *unbound_resolver_create(void)
{ {
private_resolver_t *this; private_resolver_t *this;
int ub_retval = 0; int ub_retval = 0;
char *resolv_conf_file; char *resolv_conf, *trust_anchors, *dlv_anchors;
char *trust_anchor_file;
resolv_conf_file = lib->settings->get_str(lib->settings, resolv_conf = lib->settings->get_str(lib->settings,
"libstrongswan.plugins.unbound.resolv_conf", "libstrongswan.plugins.unbound.resolv_conf",
RESOLV_CONF_FILE); RESOLV_CONF_FILE);
trust_anchors = lib->settings->get_str(lib->settings,
trust_anchor_file = lib->settings->get_str(lib->settings,
"libstrongswan.plugins.unbound.trust_anchors", "libstrongswan.plugins.unbound.trust_anchors",
TRUST_ANCHOR_FILE); TRUST_ANCHOR_FILE);
dlv_anchors = lib->settings->get_str(lib->settings,
"libstrongswan.plugins.unbound.dlv_anchors",
NULL);
INIT(this, INIT(this,
.public = { .public = {
@ -120,24 +121,34 @@ resolver_t *unbound_resolver_create(void)
return NULL; return NULL;
} }
DBG1(DBG_CFG, "loading unbound resolver config from '%s'", resolv_conf_file); DBG2(DBG_CFG, "loading unbound resolver config from '%s'", resolv_conf);
ub_retval = ub_ctx_resolvconf(this->ctx, resolv_conf_file); ub_retval = ub_ctx_resolvconf(this->ctx, resolv_conf);
if (ub_retval) if (ub_retval)
{ {
DBG1(DBG_CFG, "failed to read the resolver config: %s (%s)", DBG1(DBG_CFG, "failed to read the resolver config: %s (%s)",
ub_strerror(ub_retval), strerror(errno)); ub_strerror(ub_retval), strerror(errno));
destroy(this); destroy(this);
return NULL; return NULL;
} }
DBG1(DBG_CFG, "loading unbound trust anchors from '%s'", trust_anchor_file); DBG2(DBG_CFG, "loading unbound trust anchors from '%s'", trust_anchors);
ub_retval = ub_ctx_add_ta_file(this->ctx, trust_anchor_file); ub_retval = ub_ctx_add_ta_file(this->ctx, trust_anchors);
if (ub_retval) if (ub_retval)
{ {
DBG1(DBG_CFG, "failed to load trust anchors: %s (%s)", DBG1(DBG_CFG, "failed to load trust anchors: %s (%s)",
ub_strerror(ub_retval), strerror(errno)); ub_strerror(ub_retval), strerror(errno));
} }
if (dlv_anchors)
{
DBG2(DBG_CFG, "loading trusted keys for DLV from '%s'", dlv_anchors);
ub_retval = ub_ctx_set_option(this->ctx, "dlv-anchor-file:",
dlv_anchors);
if (ub_retval)
{
DBG1(DBG_CFG, "failed to load trusted keys for DLV: %s (%s)",
ub_strerror(ub_retval), strerror(errno));
}
}
return &this->public; return &this->public;
} }