unbound: Add support for DLV (DNSSEC Lookaside Validation)
authorTobias Brunner <tobias@strongswan.org>
Thu, 29 Aug 2013 07:04:36 +0000 (09:04 +0200)
committerTobias Brunner <tobias@strongswan.org>
Fri, 11 Oct 2013 13:45:25 +0000 (15:45 +0200)
Fixes #392.

man/strongswan.conf.5.in
src/libstrongswan/plugins/unbound/unbound_resolver.c

index e8dbe63..0fb239a 100644 (file)
@@ -886,7 +886,15 @@ File to read pseudo random bytes from, instead of @urandom_device@
 File to read DNS resolver configuration from
 .TP
 .BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
-File to read DNSSEC trust anchors from (usually root zone KSK)
+File to read DNSSEC trust anchors from (usually root zone KSK). The format of
+the file is the standard DNS Zone file format, anchors can be stored as DS or
+DNSKEY entries in the file.
+.TP
+.BR libstrongswan.plugins.unbound.dlv_anchors
+File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It uses
+the same format as \fItrust_anchors\fR. Only one DLV can be configured, which
+is then used as a root trusted DLV, this means that it is a lookaside for
+the root.
 .SS libtls section
 .TP
 .BR libtls.cipher
index 44a2c76..42cdbc6 100644 (file)
@@ -94,16 +94,17 @@ resolver_t *unbound_resolver_create(void)
 {
        private_resolver_t *this;
        int ub_retval = 0;
-       char *resolv_conf_file;
-       char *trust_anchor_file;
+       char *resolv_conf, *trust_anchors, *dlv_anchors;
 
-       resolv_conf_file = lib->settings->get_str(lib->settings,
+       resolv_conf = lib->settings->get_str(lib->settings,
                                                "libstrongswan.plugins.unbound.resolv_conf",
                                                RESOLV_CONF_FILE);
-
-       trust_anchor_file = lib->settings->get_str(lib->settings,
+       trust_anchors = lib->settings->get_str(lib->settings,
                                                "libstrongswan.plugins.unbound.trust_anchors",
                                                TRUST_ANCHOR_FILE);
+       dlv_anchors = lib->settings->get_str(lib->settings,
+                                               "libstrongswan.plugins.unbound.dlv_anchors",
+                                               NULL);
 
        INIT(this,
                .public = {
@@ -120,24 +121,34 @@ resolver_t *unbound_resolver_create(void)
                return NULL;
        }
 
-       DBG1(DBG_CFG, "loading unbound resolver config from '%s'", resolv_conf_file);
-       ub_retval = ub_ctx_resolvconf(this->ctx, resolv_conf_file);
+       DBG2(DBG_CFG, "loading unbound resolver config from '%s'", resolv_conf);
+       ub_retval = ub_ctx_resolvconf(this->ctx, resolv_conf);
        if (ub_retval)
        {
                DBG1(DBG_CFG, "failed to read the resolver config: %s (%s)",
-                                          ub_strerror(ub_retval), strerror(errno));
+                        ub_strerror(ub_retval), strerror(errno));
                destroy(this);
                return NULL;
        }
 
-       DBG1(DBG_CFG, "loading unbound trust anchors from '%s'", trust_anchor_file);
-       ub_retval = ub_ctx_add_ta_file(this->ctx, trust_anchor_file);
+       DBG2(DBG_CFG, "loading unbound trust anchors from '%s'", trust_anchors);
+       ub_retval = ub_ctx_add_ta_file(this->ctx, trust_anchors);
        if (ub_retval)
        {
                DBG1(DBG_CFG, "failed to load trust anchors: %s (%s)",
-                                          ub_strerror(ub_retval), strerror(errno));
+                        ub_strerror(ub_retval), strerror(errno));
        }
 
+       if (dlv_anchors)
+       {
+               DBG2(DBG_CFG, "loading trusted keys for DLV from '%s'", dlv_anchors);
+               ub_retval = ub_ctx_set_option(this->ctx, "dlv-anchor-file:",
+                                                                         dlv_anchors);
+               if (ub_retval)
+               {
+                       DBG1(DBG_CFG, "failed to load trusted keys for DLV: %s (%s)",
+                                ub_strerror(ub_retval), strerror(errno));
+               }
+       }
        return &this->public;
 }
-
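Review bot: The `if (ub_retval)` check after `ub_ctx_set_option(this->ctx, "dlv-anchor-file:", dlv_anchors)` can only report an option-syntax error; as far as I recall libunbound stores the path here and reads the anchor file when the context is finalised at the first query, so a missing or malformed DLV file is not detected at this point and the `strerror(errno)` in that DBG1 line is most likely stale (the same holds for the existing `ub_ctx_add_ta_file` call). An explicitly configured DLV file that fails to load only downgrades validation for names reachable via the lookaside from validated to insecure, so this deserves more than a debug message: either fail creation like the `ub_ctx_resolvconf` path does, or document on the block that the failure is deliberately non-fatal, e.g. `/* a missing DLV file is not fatal: validation falls back to the root trust anchors only */`. A cheap startup check such as `access(dlv_anchors, R_OK)` before the call would at least surface a misconfigured path when the resolver is created rather than on the first lookup. The variable declarations and settings lookups for this code are in the earlier hunk of the same function.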