configure options for unbound-anchor files

git-svn-id: file:///svn/unbound/trunk@2257 be551aaa-1e26-0410-a405-d3ace91eadb9
Wouter Wijngaards 2010-09-28 10:27:49 +00:00
parent f64d9d0e43
commit eb696dc385
6 changed files with 137 additions and 31 deletions


@ -430,6 +430,12 @@
/* Define as the return type of signal handlers (`int' or `void'). */ /* Define as the return type of signal handlers (`int' or `void'). */
#undef RETSIGTYPE #undef RETSIGTYPE
/* default rootkey location */
#undef ROOT_ANCHOR_FILE
/* default rootcert location */
#undef ROOT_CERT_FILE
/* version number for resource files */ /* version number for resource files */
#undef RSRC_PACKAGE_VERSION #undef RSRC_PACKAGE_VERSION

configure vendored

@ -797,6 +797,8 @@ LEX
debug_enabled debug_enabled
DEPFLAG DEPFLAG
UNBOUND_USERNAME UNBOUND_USERNAME
UNBOUND_ROOTCERT_FILE
UNBOUND_ROOTKEY_FILE
UNBOUND_PIDFILE UNBOUND_PIDFILE
UNBOUND_SHARE_DIR UNBOUND_SHARE_DIR
UNBOUND_CHROOT_DIR UNBOUND_CHROOT_DIR
@ -873,6 +875,8 @@ with_run_dir
with_chroot_dir with_chroot_dir
with_share_dir with_share_dir
with_pidfile with_pidfile
with_rootkey_file
with_rootcert_file
with_username with_username
enable_checking enable_checking
enable_debug enable_debug
@ -892,6 +896,7 @@ with_ssl
enable_sha2 enable_sha2
enable_gost enable_gost
with_libevent with_libevent
with_libexpat
enable_staticexe enable_staticexe
enable_lock_checks enable_lock_checks
enable_alloc_checks enable_alloc_checks
@ -1563,6 +1568,13 @@ Optional Packages:
same as share/unbound) same as share/unbound)
--with-pidfile=filename set default pathname to unbound pidfile (default --with-pidfile=filename set default pathname to unbound pidfile (default
run-dir/unbound.pid) run-dir/unbound.pid)
--with-rootkey-file=filename
set default pathname to root key file (default
run-dir/root.key). This file is read and written.
--with-rootcert-file=filename
set default pathname to root update certificate file
(default run-dir/icannbundle.pem). This file need
not exist if you are content with the builtin.
--with-username=user set default user that unbound changes to (default --with-username=user set default user that unbound changes to (default
user is unbound) user is unbound)
--with-pic try to use only PIC/non-PIC objects [default=use --with-pic try to use only PIC/non-PIC objects [default=use
@ -1583,6 +1595,7 @@ Optional Packages:
/usr/lib /usr/pkg /usr/sfw /usr or you can specify /usr/lib /usr/pkg /usr/sfw /usr or you can specify
an explicit path). Slower, but allows use of large an explicit path). Slower, but allows use of large
outgoing port ranges. outgoing port ranges.
--with-libexpat=path specify explicit path for libexpat.
--with-ldns=PATH specify prefix of path of ldns library to use --with-ldns=PATH specify prefix of path of ldns library to use
--with-ldns-builtin forces use of package included with this one --with-ldns-builtin forces use of package included with this one
@ -4060,6 +4073,50 @@ _ACEOF
# Check whether --with-rootkey-file was given.
if test "${with_rootkey_file+set}" = set; then :
withval=$with_rootkey_file; UNBOUND_ROOTKEY_FILE="$withval"
else
if test $on_mingw = no; then
UNBOUND_ROOTKEY_FILE="$UNBOUND_RUN_DIR/root.key"
else
UNBOUND_ROOTKEY_FILE=""
fi
fi
hdr_rkey="`echo $UNBOUND_ROOTKEY_FILE | sed -e 's/\\\\/\\\\\\\\/g'`"
cat >>confdefs.h <<_ACEOF
#define ROOT_ANCHOR_FILE "$hdr_rkey"
_ACEOF
# Check whether --with-rootcert-file was given.
if test "${with_rootcert_file+set}" = set; then :
withval=$with_rootcert_file; UNBOUND_ROOTCERT_FILE="$withval"
else
if test $on_mingw = no; then
UNBOUND_ROOTCERT_FILE="$UNBOUND_RUN_DIR/icannbundle.pem"
else
UNBOUND_ROOTCERT_FILE=""
fi
fi
hdr_rpem="`echo $UNBOUND_ROOTCERT_FILE | sed -e 's/\\\\/\\\\\\\\/g'`"
cat >>confdefs.h <<_ACEOF
#define ROOT_CERT_FILE "$hdr_rpem"
_ACEOF
# Check whether --with-username was given. # Check whether --with-username was given.
if test "${with_username+set}" = set; then : if test "${with_username+set}" = set; then :
withval=$with_username; UNBOUND_USERNAME="$withval" withval=$with_username; UNBOUND_USERNAME="$withval"
@ -6755,13 +6812,13 @@ if test "${lt_cv_nm_interface+set}" = set; then :
else else
lt_cv_nm_interface="BSD nm" lt_cv_nm_interface="BSD nm"
echo "int some_variable = 0;" > conftest.$ac_ext echo "int some_variable = 0;" > conftest.$ac_ext
(eval echo "\"\$as_me:6758: $ac_compile\"" >&5) (eval echo "\"\$as_me:6815: $ac_compile\"" >&5)
(eval "$ac_compile" 2>conftest.err) (eval "$ac_compile" 2>conftest.err)
cat conftest.err >&5 cat conftest.err >&5
(eval echo "\"\$as_me:6761: $NM \\\"conftest.$ac_objext\\\"\"" >&5) (eval echo "\"\$as_me:6818: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
(eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
cat conftest.err >&5 cat conftest.err >&5
(eval echo "\"\$as_me:6764: output\"" >&5) (eval echo "\"\$as_me:6821: output\"" >&5)
cat conftest.out >&5 cat conftest.out >&5
if $GREP 'External.*some_variable' conftest.out > /dev/null; then if $GREP 'External.*some_variable' conftest.out > /dev/null; then
lt_cv_nm_interface="MS dumpbin" lt_cv_nm_interface="MS dumpbin"
@ -7966,7 +8023,7 @@ ia64-*-hpux*)
;; ;;
*-*-irix6*) *-*-irix6*)
# Find out which ABI we are using. # Find out which ABI we are using.
echo '#line 7969 "configure"' > conftest.$ac_ext echo '#line 8026 "configure"' > conftest.$ac_ext
if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
(eval $ac_compile) 2>&5 (eval $ac_compile) 2>&5
ac_status=$? ac_status=$?
@ -9226,11 +9283,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'` -e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:9229: $lt_compile\"" >&5) (eval echo "\"\$as_me:9286: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err) (eval "$lt_compile" 2>conftest.err)
ac_status=$? ac_status=$?
cat conftest.err >&5 cat conftest.err >&5
echo "$as_me:9233: \$? = $ac_status" >&5 echo "$as_me:9290: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized # The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output. # So say no if there are warnings other than the usual output.
@ -9565,11 +9622,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'` -e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:9568: $lt_compile\"" >&5) (eval echo "\"\$as_me:9625: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err) (eval "$lt_compile" 2>conftest.err)
ac_status=$? ac_status=$?
cat conftest.err >&5 cat conftest.err >&5
echo "$as_me:9572: \$? = $ac_status" >&5 echo "$as_me:9629: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized # The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output. # So say no if there are warnings other than the usual output.
@ -9670,11 +9727,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'` -e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:9673: $lt_compile\"" >&5) (eval echo "\"\$as_me:9730: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err) (eval "$lt_compile" 2>out/conftest.err)
ac_status=$? ac_status=$?
cat out/conftest.err >&5 cat out/conftest.err >&5
echo "$as_me:9677: \$? = $ac_status" >&5 echo "$as_me:9734: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext if (exit $ac_status) && test -s out/conftest2.$ac_objext
then then
# The compiler can only warn and ignore the option if not recognized # The compiler can only warn and ignore the option if not recognized
@ -9725,11 +9782,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'` -e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:9728: $lt_compile\"" >&5) (eval echo "\"\$as_me:9785: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err) (eval "$lt_compile" 2>out/conftest.err)
ac_status=$? ac_status=$?
cat out/conftest.err >&5 cat out/conftest.err >&5
echo "$as_me:9732: \$? = $ac_status" >&5 echo "$as_me:9789: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext if (exit $ac_status) && test -s out/conftest2.$ac_objext
then then
# The compiler can only warn and ignore the option if not recognized # The compiler can only warn and ignore the option if not recognized
@ -12095,7 +12152,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<_LT_EOF cat > conftest.$ac_ext <<_LT_EOF
#line 12098 "configure" #line 12155 "configure"
#include "confdefs.h" #include "confdefs.h"
#if HAVE_DLFCN_H #if HAVE_DLFCN_H
@ -12191,7 +12248,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<_LT_EOF cat > conftest.$ac_ext <<_LT_EOF
#line 12194 "configure" #line 12251 "configure"
#include "confdefs.h" #include "confdefs.h"
#if HAVE_DLFCN_H #if HAVE_DLFCN_H
@ -15602,10 +15659,18 @@ $as_echo "#define USE_MINI_EVENT 1" >>confdefs.h
fi fi
# check for libexpat # check for libexpat
# Check whether --with-libexpat was given.
if test "${with_libexpat+set}" = set; then :
withval=$with_libexpat;
else
withval="/usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr"
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libexpat" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for libexpat" >&5
$as_echo_n "checking for libexpat... " >&6; } $as_echo_n "checking for libexpat... " >&6; }
found_libexpat="no" found_libexpat="no"
for dir in /usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr; do for dir in $withval ; do
if test -f "$dir/include/expat.h"; then if test -f "$dir/include/expat.h"; then
found_libexpat="yes" found_libexpat="yes"
if test "$dir" != "/usr"; then if test "$dir" != "/usr"; then


@ -154,6 +154,34 @@ AC_SUBST(UNBOUND_PIDFILE)
ACX_ESCAPE_BACKSLASH($UNBOUND_PIDFILE, hdr_pid) ACX_ESCAPE_BACKSLASH($UNBOUND_PIDFILE, hdr_pid)
AC_DEFINE_UNQUOTED(PIDFILE, ["$hdr_pid"], [default pidfile location]) AC_DEFINE_UNQUOTED(PIDFILE, ["$hdr_pid"], [default pidfile location])
AC_ARG_WITH(rootkey-file,
AC_HELP_STRING([--with-rootkey-file=filename],
[set default pathname to root key file (default run-dir/root.key). This file is read and written.]),
UNBOUND_ROOTKEY_FILE="$withval",
if test $on_mingw = no; then
UNBOUND_ROOTKEY_FILE="$UNBOUND_RUN_DIR/root.key"
else
UNBOUND_ROOTKEY_FILE=""
fi
)
AC_SUBST(UNBOUND_ROOTKEY_FILE)
ACX_ESCAPE_BACKSLASH($UNBOUND_ROOTKEY_FILE, hdr_rkey)
AC_DEFINE_UNQUOTED(ROOT_ANCHOR_FILE, ["$hdr_rkey"], [default rootkey location])
AC_ARG_WITH(rootcert-file,
AC_HELP_STRING([--with-rootcert-file=filename],
[set default pathname to root update certificate file (default run-dir/icannbundle.pem). This file need not exist if you are content with the builtin.]),
UNBOUND_ROOTCERT_FILE="$withval",
if test $on_mingw = no; then
UNBOUND_ROOTCERT_FILE="$UNBOUND_RUN_DIR/icannbundle.pem"
else
UNBOUND_ROOTCERT_FILE=""
fi
)
AC_SUBST(UNBOUND_ROOTCERT_FILE)
ACX_ESCAPE_BACKSLASH($UNBOUND_ROOTCERT_FILE, hdr_rpem)
AC_DEFINE_UNQUOTED(ROOT_CERT_FILE, ["$hdr_rpem"], [default rootcert location])
AC_ARG_WITH(username, AC_ARG_WITH(username,
AC_HELP_STRING([--with-username=user], AC_HELP_STRING([--with-username=user],
[set default user that unbound changes to (default user is unbound)]), [set default user that unbound changes to (default user is unbound)]),
@ -529,9 +557,12 @@ else
fi fi
# check for libexpat # check for libexpat
AC_ARG_WITH(libexpat, AC_HELP_STRING([--with-libexpat=path],
[specify explicit path for libexpat.]),
[ ],[ withval="/usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr" ])
AC_MSG_CHECKING(for libexpat) AC_MSG_CHECKING(for libexpat)
found_libexpat="no" found_libexpat="no"
for dir in /usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr; do for dir in $withval ; do
if test -f "$dir/include/expat.h"; then if test -f "$dir/include/expat.h"; then
found_libexpat="yes" found_libexpat="yes"
dnl assume /usr is in default path. dnl assume /usr is in default path.
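Review bot: `--without-libexpat` and a bare `--with-libexpat` are not handled by the new AC_ARG_WITH in the second hunk: autoconf then sets withval to `no` or `yes`, the empty action-if-given `[ ]` keeps that value, and the following `for dir in $withval` probes `no/include/expat.h`, so found_libexpat silently stays "no" instead of the option either disabling the dependency or falling back to the default search list. Normalising the value before the loop, e.g. `case "$withval" in yes|no) withval="/usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr" ;; esac`, keeps the default list in one place; if `--without-libexpat` is meant to skip the probe entirely it needs an explicit branch instead, and the code that acts on found_libexpat is outside the hunk. In the first hunk `if test $on_mingw = no; then` leaves the variable unquoted, so an unset on_mingw becomes a `test` syntax error rather than the intended else branch; `if test "$on_mingw" = no; then` is the safer form. On mingw both new defaults are the empty string, which now reaches the C side as `ROOT_ANCHOR_FILE ""` and `ROOT_CERT_FILE ""` once the hardcoded defines are removed from unbound-anchor.c; the two help strings should state what an empty default means there, and the consumer presumably has to require -a/-c in that case, which should be confirmed outside this diff.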


@ -28,6 +28,8 @@ This software is under BSD license, see LICENSE for details.
of outgoing ports. This improves randomization and spoof of outgoing ports. This improves randomization and spoof
resistance. For the default of 16 ports the builtin alternative resistance. For the default of 16 ports the builtin alternative
works well and is a little faster. works well and is a little faster.
* --with-libexpat=/path/to/libexpat
Can be set to the install directory of libexpat.
* --without-pthreads * --without-pthreads
This disables pthreads. Without this option the pthreads library This disables pthreads. Without this option the pthreads library
is detected automatically. Use this option to disable threading is detected automatically. Use this option to disable threading
@ -59,6 +61,13 @@ This software is under BSD license, see LICENSE for details.
* --with-chroot-dir=path * --with-chroot-dir=path
Set default chroot directory, Set default chroot directory,
the default is /usr/local/etc/unbound. the default is /usr/local/etc/unbound.
* --with-rootkey-file=path
Set the default root.key path. This file is read and written.
the default is /usr/local/etc/unbound/root.key
* --with-rootcert-file=path
Set the default root update certificate path. A builtin certificate
is used if this file is empty or does not exist.
the default is /usr/local/etc/unbound/icannbundle.pem
* --with-username=user * --with-username=user
Set default user name to change to, Set default user name to change to,
the default is the "unbound" user. the default is the "unbound" user.


@ -25,10 +25,10 @@ Suggested usage:
.nf .nf
# in the init scripts. # in the init scripts.
# provide or update the root anchor (if necessary) # provide or update the root anchor (if necessary)
unbound-anchor -a "/usr/local/etc/unbound/root.key" unbound-anchor -a "@UNBOUND_ROOTKEY_FILE@"
# start validating resolver # start validating resolver
# the unbound.conf contains: # the unbound.conf contains:
# auto-trust-anchor-file: "/usr/local/etc/unbound/root.key" # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
unbound -c unbound.conf unbound -c unbound.conf
.fi .fi
.P .P
@ -49,12 +49,12 @@ The available options are:
.TP .TP
.B \-a \fIfile .B \-a \fIfile
The root anchor key file, that is read in and written out. The root anchor key file, that is read in and written out.
Default is /usr/local/etc/unbound/root.key. Default is @UNBOUND_ROOTKEY_FILE@.
If the file does not exist, or is empty, a builtin root key is written to it. If the file does not exist, or is empty, a builtin root key is written to it.
.TP .TP
.B \-c \fIfile .B \-c \fIfile
The root update certificate file, that is read in. The root update certificate file, that is read in.
Default is /usr/local/etc/unbound/icannbundle.pem. Default is @UNBOUND_ROOTCERT_FILE@.
If the file does not exist, or is empty, a builtin certificate is used. If the file does not exist, or is empty, a builtin certificate is used.
.TP .TP
.B \-u \fIname .B \-u \fIname
@ -139,21 +139,21 @@ You can do this by checking the exit value. In this manner:
Or something more suitable for your operational environment. Or something more suitable for your operational environment.
.SH "FILES" .SH "FILES"
.TP .TP
.I /usr/local/etc/unbound/root.key .I @UNBOUND_ROOTKEY_FILE@
The root anchor file, updated with 5011 tracking, and read and written to. The root anchor file, updated with 5011 tracking, and read and written to.
The file is created if it does not exist.
.TP .TP
.I /usr/local/etc/unbound/icannbundle.pem .I @UNBOUND_ROOTCERT_FILE@
The trusted self\-signed certificate that is used to verify the downloaded The trusted self\-signed certificate that is used to verify the downloaded
DNSSEC root trust anchor. DNSSEC root trust anchor. You can update it by fetching it from
https://data.iana.org/root\-anchors/icannbundle.pem (and validate it).
If the file does not exist or is empty, a builtin version is used.
.TP .TP
.I https://data.iana.org/root\-anchors/root\-anchors.xml .I https://data.iana.org/root\-anchors/root\-anchors.xml
Source for the root key information. Source for the root key information.
.TP .TP
.I https://data.iana.org/root\-anchors/root\-anchors.p7s .I https://data.iana.org/root\-anchors/root\-anchors.p7s
Signature on the root key information. Signature on the root key information.
.TP
.I https://data.iana.org/root\-anchors/icannbundle.pem
Source for the certificate used.
.SH "SEE ALSO" .SH "SEE ALSO"
\fIunbound.conf\fR(5), \fIunbound.conf\fR(5),
\fIunbound\fR(8). \fIunbound\fR(8).


@ -131,11 +131,6 @@
#include <openssl/x509.h> #include <openssl/x509.h>
#include <openssl/pem.h> #include <openssl/pem.h>
/* TODO configure defines with prefix */
/** root key file, 5011 tracked */
#define ROOT_ANCHOR_FILE "/usr/local/etc/unbound/root.key"
/** root update cert file */
#define ROOT_CERT_FILE "/usr/local/etc/unbound/icannbundle.pem"
/** name of server in URL to fetch HTTPS from */ /** name of server in URL to fetch HTTPS from */
#define URLNAME "data.iana.org" #define URLNAME "data.iana.org"
/** path on HTTPS server to xml file */ /** path on HTTPS server to xml file */