configure options for unbound-anchor files

git-svn-id: file:///svn/unbound/trunk@2257 be551aaa-1e26-0410-a405-d3ace91eadb9

config.h.in

@@ -430,6 +430,12 @@
 /* Define as the return type of signal handlers (`int' or `void'). */
 #undef RETSIGTYPE
 
+/* default rootkey location */
+#undef ROOT_ANCHOR_FILE
+
+/* default rootcert location */
+#undef ROOT_CERT_FILE
+
 /* version number for resource files */
 #undef RSRC_PACKAGE_VERSION
 

configure

@@ -797,6 +797,8 @@ LEX
 debug_enabled
 DEPFLAG
 UNBOUND_USERNAME
+UNBOUND_ROOTCERT_FILE
+UNBOUND_ROOTKEY_FILE
 UNBOUND_PIDFILE
 UNBOUND_SHARE_DIR
 UNBOUND_CHROOT_DIR
@@ -873,6 +875,8 @@ with_run_dir
 with_chroot_dir
 with_share_dir
 with_pidfile
+with_rootkey_file
+with_rootcert_file
 with_username
 enable_checking
 enable_debug
@@ -892,6 +896,7 @@ with_ssl
 enable_sha2
 enable_gost
 with_libevent
+with_libexpat
 enable_staticexe
 enable_lock_checks
 enable_alloc_checks
@@ -1563,6 +1568,13 @@ Optional Packages:
                           same as share/unbound)
   --with-pidfile=filename set default pathname to unbound pidfile (default
                           run-dir/unbound.pid)
+  --with-rootkey-file=filename
+                          set default pathname to root key file (default
+                          run-dir/root.key). This file is read and written.
+  --with-rootcert-file=filename
+                          set default pathname to root update certificate file
+                          (default run-dir/icannbundle.pem). This file need
+                          not exist if you are content with the builtin.
   --with-username=user    set default user that unbound changes to (default
                           user is unbound)
   --with-pic              try to use only PIC/non-PIC objects [default=use
@@ -1583,6 +1595,7 @@ Optional Packages:
                           /usr/lib /usr/pkg /usr/sfw /usr or you can specify
                           an explicit path). Slower, but allows use of large
                           outgoing port ranges.
+  --with-libexpat=path    specify explicit path for libexpat.
   --with-ldns=PATH        specify prefix of path of ldns library to use
   --with-ldns-builtin     forces use of package included with this one
 
@@ -4060,6 +4073,50 @@ _ACEOF
 
 
 
+# Check whether --with-rootkey-file was given.
+if test "${with_rootkey_file+set}" = set; then :
+  withval=$with_rootkey_file; UNBOUND_ROOTKEY_FILE="$withval"
+else
+  if test $on_mingw = no; then
+    UNBOUND_ROOTKEY_FILE="$UNBOUND_RUN_DIR/root.key"
+else
+    UNBOUND_ROOTKEY_FILE=""
+fi
+
+fi
+
+
+hdr_rkey="`echo $UNBOUND_ROOTKEY_FILE | sed -e 's/\\\\/\\\\\\\\/g'`"
+
+
+cat >>confdefs.h <<_ACEOF
+#define ROOT_ANCHOR_FILE "$hdr_rkey"
+_ACEOF
+
+
+
+# Check whether --with-rootcert-file was given.
+if test "${with_rootcert_file+set}" = set; then :
+  withval=$with_rootcert_file; UNBOUND_ROOTCERT_FILE="$withval"
+else
+  if test $on_mingw = no; then
+    UNBOUND_ROOTCERT_FILE="$UNBOUND_RUN_DIR/icannbundle.pem"
+else
+    UNBOUND_ROOTCERT_FILE=""
+fi
+
+fi
+
+
+hdr_rpem="`echo $UNBOUND_ROOTCERT_FILE | sed -e 's/\\\\/\\\\\\\\/g'`"
+
+
+cat >>confdefs.h <<_ACEOF
+#define ROOT_CERT_FILE "$hdr_rpem"
+_ACEOF
+
+
+
 # Check whether --with-username was given.
 if test "${with_username+set}" = set; then :
   withval=$with_username; UNBOUND_USERNAME="$withval"
@@ -6755,13 +6812,13 @@ if test "${lt_cv_nm_interface+set}" = set; then :
 else
   lt_cv_nm_interface="BSD nm"
   echo "int some_variable = 0;" > conftest.$ac_ext
-  (eval echo "\"\$as_me:6758: $ac_compile\"" >&5)
+  (eval echo "\"\$as_me:6815: $ac_compile\"" >&5)
   (eval "$ac_compile" 2>conftest.err)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:6761: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
+  (eval echo "\"\$as_me:6818: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
   (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:6764: output\"" >&5)
+  (eval echo "\"\$as_me:6821: output\"" >&5)
   cat conftest.out >&5
   if $GREP 'External.*some_variable' conftest.out > /dev/null; then
     lt_cv_nm_interface="MS dumpbin"
@@ -7966,7 +8023,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 7969 "configure"' > conftest.$ac_ext
+  echo '#line 8026 "configure"' > conftest.$ac_ext
   if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -9226,11 +9283,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9229: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9286: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:9233: \$? = $ac_status" >&5
+   echo "$as_me:9290: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -9565,11 +9622,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9568: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9625: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:9572: \$? = $ac_status" >&5
+   echo "$as_me:9629: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -9670,11 +9727,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9673: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9730: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:9677: \$? = $ac_status" >&5
+   echo "$as_me:9734: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -9725,11 +9782,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9728: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9785: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:9732: \$? = $ac_status" >&5
+   echo "$as_me:9789: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -12095,7 +12152,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12098 "configure"
+#line 12155 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -12191,7 +12248,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12194 "configure"
+#line 12251 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -15602,10 +15659,18 @@ $as_echo "#define USE_MINI_EVENT 1" >>confdefs.h
 fi
 
 # check for libexpat
+
+# Check whether --with-libexpat was given.
+if test "${with_libexpat+set}" = set; then :
+  withval=$with_libexpat;
+else
+   withval="/usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr"
+fi
+
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for libexpat" >&5
 $as_echo_n "checking for libexpat... " >&6; }
 found_libexpat="no"
-for dir in /usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr; do
+for dir in $withval ; do
             if test -f "$dir/include/expat.h"; then
 		found_libexpat="yes"
 				if test "$dir" != "/usr"; then

configure.ac

@@ -154,6 +154,34 @@ AC_SUBST(UNBOUND_PIDFILE)
 ACX_ESCAPE_BACKSLASH($UNBOUND_PIDFILE, hdr_pid)
 AC_DEFINE_UNQUOTED(PIDFILE, ["$hdr_pid"], [default pidfile location])
 
+AC_ARG_WITH(rootkey-file, 
+    AC_HELP_STRING([--with-rootkey-file=filename], 
+    [set default pathname to root key file (default run-dir/root.key). This file is read and written.]), 
+    UNBOUND_ROOTKEY_FILE="$withval", 
+if test $on_mingw = no; then
+    UNBOUND_ROOTKEY_FILE="$UNBOUND_RUN_DIR/root.key"
+else
+    UNBOUND_ROOTKEY_FILE=""
+fi
+)
+AC_SUBST(UNBOUND_ROOTKEY_FILE)
+ACX_ESCAPE_BACKSLASH($UNBOUND_ROOTKEY_FILE, hdr_rkey)
+AC_DEFINE_UNQUOTED(ROOT_ANCHOR_FILE, ["$hdr_rkey"], [default rootkey location])
+
+AC_ARG_WITH(rootcert-file, 
+    AC_HELP_STRING([--with-rootcert-file=filename], 
+    [set default pathname to root update certificate file (default run-dir/icannbundle.pem).  This file need not exist if you are content with the builtin.]), 
+    UNBOUND_ROOTCERT_FILE="$withval", 
+if test $on_mingw = no; then
+    UNBOUND_ROOTCERT_FILE="$UNBOUND_RUN_DIR/icannbundle.pem"
+else
+    UNBOUND_ROOTCERT_FILE=""
+fi
+)
+AC_SUBST(UNBOUND_ROOTCERT_FILE)
+ACX_ESCAPE_BACKSLASH($UNBOUND_ROOTCERT_FILE, hdr_rpem)
+AC_DEFINE_UNQUOTED(ROOT_CERT_FILE, ["$hdr_rpem"], [default rootcert location])
+
 AC_ARG_WITH(username, 
     AC_HELP_STRING([--with-username=user], 
     [set default user that unbound changes to (default user is unbound)]), 
@@ -529,9 +557,12 @@ else
 fi
 
 # check for libexpat
+AC_ARG_WITH(libexpat, AC_HELP_STRING([--with-libexpat=path],
+    [specify explicit path for libexpat.]),
+    [ ],[ withval="/usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr" ])
 AC_MSG_CHECKING(for libexpat)
 found_libexpat="no"
-for dir in /usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr; do
+for dir in $withval ; do
             if test -f "$dir/include/expat.h"; then
 		found_libexpat="yes"
 		dnl assume /usr is in default path.

doc/README

@@ -28,6 +28,8 @@ This software is under BSD license, see LICENSE for details.
 	of outgoing ports. This improves randomization and spoof 
 	resistance. For the default of 16 ports the builtin alternative 
 	works well and is a little faster.
+  * --with-libexpat=/path/to/libexpat
+  	Can be set to the install directory of libexpat.
   * --without-pthreads 
 	This disables pthreads. Without this option the pthreads library 
 	is detected automatically. Use this option to disable threading
@@ -59,6 +61,13 @@ This software is under BSD license, see LICENSE for details.
   * --with-chroot-dir=path
   	Set default chroot directory,
 	the default is /usr/local/etc/unbound.
+  * --with-rootkey-file=path
+  	Set the default root.key path.  This file is read and written.
+	the default is /usr/local/etc/unbound/root.key
+  * --with-rootcert-file=path
+  	Set the default root update certificate path.  A builtin certificate
+	is used if this file is empty or does not exist.
+	the default is /usr/local/etc/unbound/icannbundle.pem
   * --with-username=user
   	Set default user name to change to,
 	the default is the "unbound" user.

doc/unbound-anchor.8.in

@@ -25,10 +25,10 @@ Suggested usage:
 .nf
 	# in the init scripts.
 	# provide or update the root anchor (if necessary)
-	unbound-anchor -a "/usr/local/etc/unbound/root.key"
+	unbound-anchor -a "@UNBOUND_ROOTKEY_FILE@"
 	# start validating resolver
 	# the unbound.conf contains:
-	#   auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
+	#   auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
 	unbound -c unbound.conf
 .fi
 .P
@@ -49,12 +49,12 @@ The available options are:
 .TP
 .B \-a \fIfile
 The root anchor key file, that is read in and written out.
-Default is /usr/local/etc/unbound/root.key.
+Default is @UNBOUND_ROOTKEY_FILE@.
 If the file does not exist, or is empty, a builtin root key is written to it.
 .TP
 .B \-c \fIfile
 The root update certificate file, that is read in.
-Default is /usr/local/etc/unbound/icannbundle.pem.
+Default is @UNBOUND_ROOTCERT_FILE@.
 If the file does not exist, or is empty, a builtin certificate is used.
 .TP
 .B \-u \fIname
@@ -139,21 +139,21 @@ You can do this by checking the exit value.  In this manner:
 Or something more suitable for your operational environment.
 .SH "FILES"
 .TP
-.I /usr/local/etc/unbound/root.key
+.I @UNBOUND_ROOTKEY_FILE@
 The root anchor file, updated with 5011 tracking, and read and written to.
+The file is created if it does not exist.
 .TP
-.I /usr/local/etc/unbound/icannbundle.pem
+.I @UNBOUND_ROOTCERT_FILE@
 The trusted self\-signed certificate that is used to verify the downloaded
-DNSSEC root trust anchor.
+DNSSEC root trust anchor.  You can update it by fetching it from
+https://data.iana.org/root\-anchors/icannbundle.pem (and validate it).
+If the file does not exist or is empty, a builtin version is used.
 .TP
 .I https://data.iana.org/root\-anchors/root\-anchors.xml
 Source for the root key information.
 .TP
 .I https://data.iana.org/root\-anchors/root\-anchors.p7s
 Signature on the root key information.
-.TP
-.I https://data.iana.org/root\-anchors/icannbundle.pem
-Source for the certificate used.
 .SH "SEE ALSO"
 \fIunbound.conf\fR(5), 
 \fIunbound\fR(8).

smallapp/unbound-anchor.c

@@ -131,11 +131,6 @@
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 
-/* TODO configure defines with prefix */
-/** root key file, 5011 tracked */
-#define ROOT_ANCHOR_FILE "/usr/local/etc/unbound/root.key"
-/** root update cert file */
-#define ROOT_CERT_FILE "/usr/local/etc/unbound/icannbundle.pem"
 /** name of server in URL to fetch HTTPS from */
 #define URLNAME "data.iana.org"
 /** path on HTTPS server to xml file */