- add unbound-control insecure_add and insecure_remove for the

administration of negative trust anchors.


git-svn-id: file:///svn/unbound/trunk@2895 be551aaa-1e26-0410-a405-d3ace91eadb9

daemon/remote.c

@@ -1663,6 +1663,38 @@ do_stub_remove(SSL* ssl, struct worker* worker, char* args)
 	send_ok(ssl);
 }
 
+/** do the insecure_add command */
+static void
+do_insecure_add(SSL* ssl, struct worker* worker, char* arg)
+{
+	size_t nmlen;
+	int nmlabs;
+	uint8_t* nm = NULL;
+	if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
+		return;
+	if(!anchors_add_insecure(worker->env.anchors, LDNS_RR_CLASS_IN, nm)) {
+		(void)ssl_printf(ssl, "error out of memory\n");
+		free(nm);
+		return;
+	}
+	free(nm);
+	send_ok(ssl);
+}
+
+/** do the insecure_remove command */
+static void
+do_insecure_remove(SSL* ssl, struct worker* worker, char* arg)
+{
+	size_t nmlen;
+	int nmlabs;
+	uint8_t* nm = NULL;
+	if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
+		return;
+	anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN, nm);
+	free(nm);
+	send_ok(ssl);
+}
+
 /** do the status command */
 static void
 do_status(SSL* ssl, struct worker* worker)
@@ -2050,6 +2082,16 @@ execute_cmd(struct daemon_remote* rc, SSL* ssl, char* cmd,
 		if(rc) distribute_cmd(rc, ssl, cmd);
 		do_forward_remove(ssl, worker, skipwhite(p+14));
 		return;
+	} else if(cmdcmp(p, "insecure_add", 12)) {
+		/* must always distribute this cmd */
+		if(rc) distribute_cmd(rc, ssl, cmd);
+		do_insecure_add(ssl, worker, skipwhite(p+12));
+		return;
+	} else if(cmdcmp(p, "insecure_remove", 15)) {
+		/* must always distribute this cmd */
+		if(rc) distribute_cmd(rc, ssl, cmd);
+		do_insecure_remove(ssl, worker, skipwhite(p+15));
+		return;
 	} else if(cmdcmp(p, "forward", 7)) {
 		/* must always distribute this cmd */
 		if(rc) distribute_cmd(rc, ssl, cmd);

doc/Changelog

@@ -1,3 +1,7 @@
+26 April 2013: Wouter
+	- add unbound-control insecure_add and insecure_remove for the
+	  administration of negative trust anchors.
+
 25 April 2013: Wouter
 	- Implement max-udp-size config option, default 4096 (thanks
 	  Daisuke Higashi).

doc/unbound-control.8.in

@@ -196,6 +196,14 @@ List the local zones in use.  These are printed one per line with zone type.
 .B list_local_data
 List the local data RRs in use.  The resource records are printed.
 .TP
+.B insecure_add \fIzone
+Add a \fBdomain\-insecure\fR for the given zone, like the statement in unbound.conf.
+Adds to the running unbound without affecting the cache contents (which may
+still be bogus, use \fBflush_zone\fR to remove it), does not affect the config file.
+.TP
+.B insecure_remove \fIzone
+Removes domain\-insecure for the given zone.
+.TP
 .B forward_add \fR[\fI+i\fR] \fIzone addr ...
 Add a new forward zone to running unbound.  With +i option also adds a
 \fIdomain\-insecure\fR for the zone (so it can resolve insecurely if you have

smallapp/unbound-control.c

@@ -106,6 +106,8 @@ usage()
 	printf("  list_forwards			list forward-zones in use\n");
 	printf("  list_local_zones		list local-zones in use\n");
 	printf("  list_local_data		list local-data RRs in use\n");
+	printf("  insecure_add zone 		add domain-insecure zone\n");
+	printf("  insecure_remove zone		remove domain-insecure zone\n");
 	printf("  forward_add [+i] zone addr..	add forward-zone with servers\n");
 	printf("  forward_remove [+i] zone	remove forward zone\n");
 	printf("  stub_add [+ip] zone addr..	add stub-zone with servers\n");