- disable-edns-do, unbound-checkconf warns about disable-edns-do and DNSSEC

validation that is enabled, and suggests to turn one off.
W.C.A. Wijngaards 2023-10-04 15:28:52 +02:00
parent 39df4f0923
commit 2e7714e80c


@ -707,6 +707,23 @@ morechecks(struct config_file* cfg)
cfg->auto_trust_anchor_file_list, cfg->chrootdir, cfg);
check_chroot_filelist_wild("trusted-keys-file",
cfg->trusted_keys_file_list, cfg->chrootdir, cfg);
if(cfg->disable_edns_do && strstr(cfg->module_conf, "validator")
&& (cfg->trust_anchor_file_list
|| cfg->trust_anchor_list
|| cfg->auto_trust_anchor_file_list
|| cfg->trusted_keys_file_list)) {
char* key = NULL;
if(cfg->auto_trust_anchor_file_list)
key = cfg->auto_trust_anchor_file_list->str;
if(!key && cfg->trust_anchor_file_list)
key = cfg->trust_anchor_file_list->str;
if(!key && cfg->trust_anchor_list)
key = cfg->trust_anchor_list->str;
if(!key && cfg->trusted_keys_file_list)
key = cfg->trusted_keys_file_list->str;
if(!key) key = "";
fatal_exit("disable-edns-do does not allow DNSSEC to work, but the validator module uses a trust anchor %s, turn off disable-edns-do or disable validation", key);
}
#ifdef USE_IPSECMOD
if(cfg->ipsecmod_enabled && strstr(cfg->module_conf, "ipsecmod")) {
/* only check hook if enabled */
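Review bot: The added block starting at `if(cfg->disable_edns_do && strstr(cfg->module_conf, "validator")` ends in `fatal_exit(...)`, while the commit message describes a warning that suggests turning one option off. If fatal_exit terminates the checker, as its name suggests, a configuration that used to pass is now rejected, which matters wherever unbound-checkconf gates service start or reload. A comment above the block should state that intent, for example `/* disable-edns-do does not allow DNSSEC to work, so a validator with a trust anchor is a fatal configuration error, not a warning */`. The message also prints only the first anchor string found and does not name the option it came from, so naming the option (for instance `trust-anchor-file: %s`) would make the report easier to act on. The body of morechecks starts before and continues after this hunk.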