Exit code can do manual check output.
git-svn-id: file:///svn/unbound/trunk@2249 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
parent
023c2b7dd9
commit
a29d966678
2 changed files with 33 additions and 11 deletions
|
|
@ -32,8 +32,8 @@ Suggested usage:
|
|||
unbound -c unbound.conf
|
||||
.fi
|
||||
.P
|
||||
It provides builtin default contents for the root anchor and root update
|
||||
certificate files.
|
||||
This tool provides builtin default contents for the root anchor and root
|
||||
update certificate files.
|
||||
.P
|
||||
It tests if the root anchor file works, and if not, and an update is possible,
|
||||
attempts to update the root anchor using the root update certificate.
|
||||
|
|
@ -128,11 +128,22 @@ Show the version and commandline option help.
|
|||
.TP
|
||||
.B \-v
|
||||
More verbose. Prints output detailing what happens.
|
||||
.SH "EXIT CODE"
|
||||
This tool exits with value 1 if the root anchor was updated using the
|
||||
certificate or if the builtin root-anchor was used. It exits with code
|
||||
0 if no update was necessary, if the update was possible with RFC5011
|
||||
tracking, or if an error occurred.
|
||||
.SH "TRUST"
|
||||
We provide builtin root keys and update certificates to be trustworthy,
|
||||
in our opinion. But that does not mean the results from running this
|
||||
tool may be trustworthy for you, or that this tool works perfectly.
|
||||
If you want to make sure, you have to check the output manually.
|
||||
.P
|
||||
You can do this by checking the exit value. In this manner:
|
||||
.nf
|
||||
unbound-anchor -a "root.key" || logger "Please check root.key"
|
||||
.fi
|
||||
Or something more suitable for your operational environment.
|
||||
.SH "FILES"
|
||||
.TP
|
||||
.I /usr/local/etc/unbound/root.key
|
||||
|
|
|
|||
|
|
@ -252,6 +252,8 @@ write_cert_file(char* file, STACK_OF(X509)* sk)
|
|||
{
|
||||
FILE* out;
|
||||
int i, num = sk_X509_num(sk);
|
||||
if(file == NULL || strcmp(file, "") == 0)
|
||||
return 1;
|
||||
out = fopen(file, "w");
|
||||
if(!out) {
|
||||
if(verb) printf("write %s: %s\n", file, strerror(errno));
|
||||
|
|
@ -295,9 +297,13 @@ read_cert_bio(BIO* bio)
|
|||
static STACK_OF(X509)*
|
||||
read_cert_file(char* file)
|
||||
{
|
||||
STACK_OF(X509)* sk = sk_X509_new_null();
|
||||
STACK_OF(X509)* sk;
|
||||
FILE* in;
|
||||
int content = 0;
|
||||
if(file == NULL || strcmp(file, "") == 0) {
|
||||
return NULL;
|
||||
}
|
||||
sk = sk_X509_new_null();
|
||||
if(!sk) {
|
||||
if(verb) printf("out of memory\n");
|
||||
exit(0);
|
||||
|
|
@ -1174,7 +1180,7 @@ do_certupdate(char* root_anchor_file, char* root_cert_file,
|
|||
#endif
|
||||
ub_resolve_free(dnskey);
|
||||
ip_list_free(ip_list);
|
||||
return 0;
|
||||
return 1;
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -1253,13 +1259,14 @@ write_builtin_anchor(char* file)
|
|||
* If trust-point-revoked-5011 file: make the program exit.
|
||||
*/
|
||||
static int
|
||||
provide_builtin(char* root_anchor_file)
|
||||
provide_builtin(char* root_anchor_file, int* used_builtin)
|
||||
{
|
||||
/* try to read it */
|
||||
switch(try_read_anchor(root_anchor_file))
|
||||
{
|
||||
case 0: /* no exist or empty */
|
||||
write_builtin_anchor(root_anchor_file);
|
||||
*used_builtin = 1;
|
||||
break;
|
||||
case 1: /* revoked tp */
|
||||
return 0;
|
||||
|
|
@ -1380,10 +1387,11 @@ do_root_update_work(char* root_anchor_file, char* root_cert_file,
|
|||
{
|
||||
struct ub_ctx* ctx;
|
||||
struct ub_result* dnskey;
|
||||
int used_builtin = 0;
|
||||
|
||||
/* see if builtin rootanchor needs to be provided, or if
|
||||
* rootanchor is 'revoked-trust-point' */
|
||||
if(!provide_builtin(root_anchor_file))
|
||||
if(!provide_builtin(root_anchor_file, &used_builtin))
|
||||
return 0;
|
||||
|
||||
/* make unbound context with 5011-probe for root anchor,
|
||||
|
|
@ -1398,20 +1406,23 @@ do_root_update_work(char* root_anchor_file, char* root_cert_file,
|
|||
if(dnskey->secure && !force) {
|
||||
if(verb) printf("success: the anchor is ok\n");
|
||||
ub_resolve_free(dnskey);
|
||||
return 0;
|
||||
return used_builtin;
|
||||
}
|
||||
if(force && verb) printf("debug cert update forced\n");
|
||||
|
||||
/* if not (and NOERROR): check date and do certupdate */
|
||||
if((dnskey->rcode == 0 && probe_date_allows_certupdate(root_anchor_file,
|
||||
debugconf)) || force)
|
||||
return do_certupdate(root_anchor_file, root_cert_file,
|
||||
debugconf)) || force) {
|
||||
if(do_certupdate(root_anchor_file, root_cert_file,
|
||||
urlname, xmlname, p7sname, pemname,
|
||||
res_conf, root_hints, debugconf, ip4only, ip6only,
|
||||
dnskey);
|
||||
dnskey))
|
||||
return 1;
|
||||
return used_builtin;
|
||||
}
|
||||
if(verb) printf("fail: the anchor is NOT ok and could not be fixed\n");
|
||||
ub_resolve_free(dnskey);
|
||||
return 0;
|
||||
return used_builtin;
|
||||
}
|
||||
|
||||
/** getopt global, in case header files fail to declare it. */
|
||||
|
|
|
|||
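Review bot: The new return-value contract — do_certupdate now returning 1 at its final return, provide_builtin setting `*used_builtin`, and do_root_update_work returning either 1 or `used_builtin` — is spread over four hunks with no comment stating what the value means, so a reader sees `return 1;` replacing `return 0;` in do_certupdate and cannot tell whether it is intentional. Suggest a comment at that return, `/* 1: anchor was updated; caller maps this to exit code 1 (manual check advised) */`, and a matching return description in the header comment of do_root_update_work, whose definition starts outside the hunk. The `exit(0)` added on allocation failure in read_cert_file follows the documented convention that errors exit 0, but it reads like a mistake; `/* errors exit 0 on purpose, see EXIT CODE in the man page */` would make that explicit. In provide_builtin, `*used_builtin = 1` is set regardless of the outcome of `write_builtin_anchor(root_anchor_file)`; if that function can fail, whether a failed write should still be reported as "builtin used" deserves a comment or a check of its result.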