- unbound-host -D enabled dnssec and reads root trust anchor from

the default root key file that was compiled in.


git-svn-id: file:///svn/unbound/trunk@3136 be551aaa-1e26-0410-a405-d3ace91eadb9
Wouter Wijngaards 2014-05-23 07:30:02 +00:00
parent 1773696a7e
commit 684fd0aa15
3 changed files with 17 additions and 2 deletions


@ -1,3 +1,7 @@
23 May 2014: Wouter
- unbound-host -D enabled dnssec and reads root trust anchor from
the default root key file that was compiled in.
20 May 2014: Wouter
- Feature, unblock-lan-zones: yesno that you can use to make unbound
perform 10.0.0.0/8 and other reverse lookups normally, for use if


@ -14,7 +14,7 @@
.SH "SYNOPSIS"
.LP
.B unbound\-host
.RB [ \-vdhr46 ]
.RB [ \-vdhr46D ]
.RB [ \-c
.IR class ]
.RB [ \-t
@ -74,6 +74,10 @@ of trust that is built up from the trust anchor to the response, in order
to validate the response message. Can be given as a DS or DNSKEY record.
For example \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD".
.TP
.B \-D
Enables DNSSEC validation. Reads the root anchor from the default configured
root anchor at the default location, \fI@UNBOUND_ROOTKEY_FILE@\fR.
.TP
.B \-f \fIkeyfile
Reads keys from a file. Every line has a DS or DNSKEY record, in the format
as for \-y. The zone file format, the same as dig and drill produce.


@ -85,6 +85,8 @@ usage()
printf(" -c class what class to look for, if not class IN.\n");
printf(" -y 'keystring' specify trust anchor, DS or DNSKEY, like\n");
printf(" -y 'example.com DS 31560 5 1 1CFED8478...'\n");
printf(" -D DNSSEC enable with default root anchor\n");
printf(" from %s\n", ROOT_ANCHOR_FILE);
printf(" -f keyfile read trust anchors from file, with lines as -y.\n");
printf(" -F keyfile read named.conf-style trust anchors.\n");
printf(" -C config use the specified unbound.conf (none read by default)\n");
@ -421,9 +423,11 @@ int main(int argc, char* argv[])
fprintf(stderr, "error: out of memory\n");
exit(1);
}
/* no need to fetch additional targets, we only do few lookups */
check_ub_res(ub_ctx_set_option(ctx, "target-fetch-policy:", "0 0 0 0 0"));
/* parse the options */
while( (c=getopt(argc, argv, "46F:c:df:hrt:vy:C:")) != -1) {
while( (c=getopt(argc, argv, "46DF:c:df:hrt:vy:C:")) != -1) {
switch(c) {
case '4':
check_ub_res(ub_ctx_set_option(ctx, "do-ip6:", "no"));
@ -437,6 +441,9 @@ int main(int argc, char* argv[])
case 'C':
check_ub_res(ub_ctx_config(ctx, optarg));
break;
case 'D':
check_ub_res(ub_ctx_add_ta_file(ctx, ROOT_ANCHOR_FILE));
break;
case 'd':
debuglevel++;
if(debuglevel < 2)
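Review bot: In the last hunk, `case 'D':` hands the compiled-in `ROOT_ANCHOR_FILE` to `ub_ctx_add_ta_file()` without saying what the user gets when that file is missing, unreadable or out of date, which matters because -D exists only to turn validation on. From the lines shown it is not clear whether `check_ub_res()` reports a bad file at option-parsing time or whether the file is only opened at the first lookup, so the failure mode should be written down next to the call. I would add a comment such as `/* -D: root anchor is read as a static trust-anchor file; an absent or unparsable file has to end in an error, not in unvalidated answers */` above the call and confirm that behaviour with a run against a nonexistent path. The same sentence belongs in the -D entry of the man page, which currently only names the location. main() starts before and continues past these hunks.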