- Fix #1034: DoT forward-zone via unbound-control.

This commit is contained in:
W.C.A. Wijngaards 2024-03-28 09:58:03 +01:00
parent 6f82b5be4a
commit 6d1e61173b
4 changed files with 23 additions and 11 deletions


@ -2097,7 +2097,7 @@ do_forward(RES* ssl, struct worker* worker, char* args)
static int static int
parse_fs_args(RES* ssl, char* args, uint8_t** nm, struct delegpt** dp, parse_fs_args(RES* ssl, char* args, uint8_t** nm, struct delegpt** dp,
int* insecure, int* prime) int* insecure, int* prime, int* tls)
{ {
char* zonename; char* zonename;
char* rest; char* rest;
@ -2112,6 +2112,8 @@ parse_fs_args(RES* ssl, char* args, uint8_t** nm, struct delegpt** dp,
*insecure = 1; *insecure = 1;
else if(*args == 'p' && prime) else if(*args == 'p' && prime)
*prime = 1; *prime = 1;
else if(*args == 't' && tls)
*tls = 1;
else { else {
(void)ssl_printf(ssl, "error: unknown option %s\n", args); (void)ssl_printf(ssl, "error: unknown option %s\n", args);
return 0; return 0;
@ -2144,11 +2146,13 @@ static void
do_forward_add(RES* ssl, struct worker* worker, char* args) do_forward_add(RES* ssl, struct worker* worker, char* args)
{ {
struct iter_forwards* fwd = worker->env.fwds; struct iter_forwards* fwd = worker->env.fwds;
int insecure = 0; int insecure = 0, tls = 0;
uint8_t* nm = NULL; uint8_t* nm = NULL;
struct delegpt* dp = NULL; struct delegpt* dp = NULL;
if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, NULL)) if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, NULL, &tls))
return; return;
if(tls)
dp->ssl_upstream = 1;
if(insecure && worker->env.anchors) { if(insecure && worker->env.anchors) {
if(!anchors_add_insecure(worker->env.anchors, LDNS_RR_CLASS_IN, if(!anchors_add_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
nm)) { nm)) {
@ -2174,7 +2178,7 @@ do_forward_remove(RES* ssl, struct worker* worker, char* args)
struct iter_forwards* fwd = worker->env.fwds; struct iter_forwards* fwd = worker->env.fwds;
int insecure = 0; int insecure = 0;
uint8_t* nm = NULL; uint8_t* nm = NULL;
if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL)) if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL, NULL))
return; return;
if(insecure && worker->env.anchors) if(insecure && worker->env.anchors)
anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN, anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
@ -2189,11 +2193,13 @@ static void
do_stub_add(RES* ssl, struct worker* worker, char* args) do_stub_add(RES* ssl, struct worker* worker, char* args)
{ {
struct iter_forwards* fwd = worker->env.fwds; struct iter_forwards* fwd = worker->env.fwds;
int insecure = 0, prime = 0; int insecure = 0, prime = 0, tls = 0;
uint8_t* nm = NULL; uint8_t* nm = NULL;
struct delegpt* dp = NULL; struct delegpt* dp = NULL;
if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, &prime)) if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, &prime, &tls))
return; return;
if(tls)
dp->ssl_upstream = 1;
if(insecure && worker->env.anchors) { if(insecure && worker->env.anchors) {
if(!anchors_add_insecure(worker->env.anchors, LDNS_RR_CLASS_IN, if(!anchors_add_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
nm)) { nm)) {
@ -2232,7 +2238,7 @@ do_stub_remove(RES* ssl, struct worker* worker, char* args)
struct iter_forwards* fwd = worker->env.fwds; struct iter_forwards* fwd = worker->env.fwds;
int insecure = 0; int insecure = 0;
uint8_t* nm = NULL; uint8_t* nm = NULL;
if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL)) if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL, NULL))
return; return;
if(insecure && worker->env.anchors) if(insecure && worker->env.anchors)
anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN, anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
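Review bot: The `+t` handling added in do_forward_add and do_stub_add only sets `dp->ssl_upstream = 1`; nothing in this hunk records an authentication name for the upstream, so unless the part of parse_fs_args that builds `dp` (outside the hunk) accepts an authentication-name suffix on each addr the way the unbound.conf zone syntax does, the resulting DoT session is encrypted but the server certificate is not checked against tls-cert-bundle. That is worth confirming, and either way a comment at the assignment should make the contract explicit, e.g. `/* +t: use TLS to the listed servers; without an auth name on the addr the upstream certificate is not verified */`. As a point of style, the identical two-line block is now repeated in both callers even though parse_fs_args already owns `dp` and the `tls` flag, so it could set `(*dp)->ssl_upstream` itself and drop the extra out-parameter. Both do_forward_add and do_stub_add continue past the end of the hunk.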


@ -1,3 +1,6 @@
28 March 2024: Wouter
- Fix #1034: DoT forward-zone via unbound-control.
27 March 2024: Wouter 27 March 2024: Wouter
- Fix name of unit test for subnet cache response. - Fix name of unit test for subnet cache response.
- Fix #1032: The size of subnet_msg_cache calculation mistake cause - Fix #1032: The size of subnet_msg_cache calculation mistake cause


@ -239,22 +239,24 @@ still be bogus, use \fBflush_zone\fR to remove it), does not affect the config f
.B insecure_remove \fIzone .B insecure_remove \fIzone
Removes domain\-insecure for the given zone. Removes domain\-insecure for the given zone.
.TP .TP
.B forward_add \fR[\fI+i\fR] \fIzone addr ... .B forward_add \fR[\fI+it\fR] \fIzone addr ...
Add a new forward zone to running Unbound. With +i option also adds a Add a new forward zone to running Unbound. With +i option also adds a
\fIdomain\-insecure\fR for the zone (so it can resolve insecurely if you have \fIdomain\-insecure\fR for the zone (so it can resolve insecurely if you have
a DNSSEC root trust anchor configured for other names). a DNSSEC root trust anchor configured for other names).
The addr can be IP4, IP6 or nameserver names, like \fIforward-zone\fR config The addr can be IP4, IP6 or nameserver names, like \fIforward-zone\fR config
in unbound.conf. in unbound.conf.
The +t option sets it to use tls upstream, like \fIforward\-tls\-upstream\fR: yes.
.TP .TP
.B forward_remove \fR[\fI+i\fR] \fIzone .B forward_remove \fR[\fI+i\fR] \fIzone
Remove a forward zone from running Unbound. The +i also removes a Remove a forward zone from running Unbound. The +i also removes a
\fIdomain\-insecure\fR for the zone. \fIdomain\-insecure\fR for the zone.
.TP .TP
.B stub_add \fR[\fI+ip\fR] \fIzone addr ... .B stub_add \fR[\fI+ipt\fR] \fIzone addr ...
Add a new stub zone to running Unbound. With +i option also adds a Add a new stub zone to running Unbound. With +i option also adds a
\fIdomain\-insecure\fR for the zone. With +p the stub zone is set to prime, \fIdomain\-insecure\fR for the zone. With +p the stub zone is set to prime,
without it it is set to notprime. The addr can be IP4, IP6 or nameserver without it it is set to notprime. The addr can be IP4, IP6 or nameserver
names, like the \fIstub-zone\fR config in unbound.conf. names, like the \fIstub-zone\fR config in unbound.conf.
The +t option sets it to use tls upstream, like \fIstub\-tls\-upstream\fR: yes.
.TP .TP
.B stub_remove \fR[\fI+i\fR] \fIzone .B stub_remove \fR[\fI+i\fR] \fIzone
Remove a stub zone from running Unbound. The +i also removes a Remove a stub zone from running Unbound. The +i also removes a


@ -150,12 +150,13 @@ usage(void)
printf(" list_local_data list local-data RRs in use\n"); printf(" list_local_data list local-data RRs in use\n");
printf(" insecure_add zone add domain-insecure zone\n"); printf(" insecure_add zone add domain-insecure zone\n");
printf(" insecure_remove zone remove domain-insecure zone\n"); printf(" insecure_remove zone remove domain-insecure zone\n");
printf(" forward_add [+i] zone addr.. add forward-zone with servers\n"); printf(" forward_add [+it] zone addr.. add forward-zone with servers\n");
printf(" forward_remove [+i] zone remove forward zone\n"); printf(" forward_remove [+i] zone remove forward zone\n");
printf(" stub_add [+ip] zone addr.. add stub-zone with servers\n"); printf(" stub_add [+ipt] zone addr.. add stub-zone with servers\n");
printf(" stub_remove [+i] zone remove stub zone\n"); printf(" stub_remove [+i] zone remove stub zone\n");
printf(" +i also do dnssec insecure point\n"); printf(" +i also do dnssec insecure point\n");
printf(" +p set stub to use priming\n"); printf(" +p set stub to use priming\n");
printf(" +t set to use tls upstream\n");
printf(" forward [off | addr ...] without arg show forward setup\n"); printf(" forward [off | addr ...] without arg show forward setup\n");
printf(" or off to turn off root forwarding\n"); printf(" or off to turn off root forwarding\n");
printf(" or give list of ip addresses\n"); printf(" or give list of ip addresses\n");