- Added stub-ssl-upstream and forward-ssl-upstream options.

git-svn-id: file:///svn/unbound/trunk@3923 be551aaa-1e26-0410-a405-d3ace91eadb9

daemon/worker.c

@@ -1421,7 +1421,7 @@ worker_send_query(uint8_t* qname, size_t qnamelen, uint16_t qtype,
 	uint16_t qclass, uint16_t flags, int dnssec, int want_dnssec,
 	int nocaps, struct edns_option* opt_list,
 	struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone,
-	size_t zonelen, struct module_qstate* q)
+	size_t zonelen, uint8_t ssl_upstream, struct module_qstate* q)
 {
 	struct worker* worker = q->env->worker;
 	struct outbound_entry* e = (struct outbound_entry*)regional_alloc(
@@ -1431,7 +1431,7 @@ worker_send_query(uint8_t* qname, size_t qnamelen, uint16_t qtype,
 	e->qstate = q;
 	e->qsent = outnet_serviced_query(worker->back, qname,
 		qnamelen, qtype, qclass, flags, dnssec, want_dnssec, nocaps,
-		q->env->cfg->tcp_upstream, q->env->cfg->ssl_upstream, opt_list,
+		q->env->cfg->tcp_upstream, ssl_upstream, opt_list,
 		addr, addrlen, zone, zonelen, worker_handle_service_reply, e,
 		worker->back->udp_buff);
 	if(!e->qsent) {
@@ -1480,7 +1480,8 @@ struct outbound_entry* libworker_send_query(uint8_t* ATTR_UNUSED(qname),
 	int ATTR_UNUSED(nocaps), struct edns_option* ATTR_UNUSED(opt_list),
 	struct sockaddr_storage* ATTR_UNUSED(addr), 
 	socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone),
-	size_t ATTR_UNUSED(zonelen), struct module_qstate* ATTR_UNUSED(q))
+	size_t ATTR_UNUSED(zonelen), uint8_t ATTR_UNUSED(ssl_upstream),
+	struct module_qstate* ATTR_UNUSED(q))
 {
 	log_assert(0);
 	return 0;

doc/Changelog

@@ -1,3 +1,6 @@
+4 November 2016: Ralph
+	- Added stub-ssl-upstream and forward-ssl-upstream options.
+
 4 November 2016: Wouter
 	- configure detects ssl security level API function in the autoconf
 	  manner.  Every function on its own, so that other libraries (eg.

doc/example.conf.in

@@ -717,6 +717,7 @@ remote-control:
 #	stub-addr: 192.0.2.68
 #	stub-prime: no
 #	stub-first: no
+#	stub-ssl-upstream: no
 # stub-zone:
 #	name: "example.org"
 #	stub-host: ns.example.com.
@@ -732,6 +733,7 @@ remote-control:
 # 	forward-addr: 192.0.2.68
 # 	forward-addr: 192.0.2.73@5355  # forward to port 5355.
 # 	forward-first: no
+# 	forward-ssl-upstream: no
 # forward-zone:
 # 	name: "example.org"
 # 	forward-host: fwd.example.com

doc/unbound.conf.5.in

@@ -1302,6 +1302,10 @@ If enabled, a query is attempted without the stub clause if it fails.
 The data could not be retrieved and would have caused SERVFAIL because
 the servers are unreachable, instead it is tried without this clause.
 The default is no.
+.TP
+.B stub\-ssl\-upstream: \fI<yes or no>
+Enabled or disable whether the queries to this stub use SSL for transport.
+Default is no.
 .SS "Forward Zone Options"
 .LP
 There may be multiple
@@ -1332,6 +1336,10 @@ If enabled, a query is attempted without the forward clause if it fails.
 The data could not be retrieved and would have caused SERVFAIL because
 the servers are unreachable, instead it is tried without this clause.
 The default is no.
+.TP
+.B forward\-ssl\-upstream: \fI<yes or no>
+Enabled or disable whether the queries to this forwarder use SSL for transport.
+Default is no.
 .SS "View Options"
 .LP
 There may be multiple

iterator/iter_delegpt.c

@@ -72,6 +72,7 @@ struct delegpt* delegpt_copy(struct delegpt* dp, struct regional* region)
 		return NULL;
 	copy->bogus = dp->bogus;
 	copy->has_parent_side_NS = dp->has_parent_side_NS;
+	copy->ssl_upstream = dp->ssl_upstream;
 	for(ns = dp->nslist; ns; ns = ns->next) {
 		if(!delegpt_add_ns(copy, region, ns->name, ns->lame))
 			return NULL;

iterator/iter_delegpt.h

@@ -81,6 +81,8 @@ struct delegpt {
 	uint8_t has_parent_side_NS;
 	/** for assertions on type of delegpt */
 	uint8_t dp_type_mlc;
+	/** use SSL for upstream query */
+	uint8_t ssl_upstream;
 };
 
 /**
@@ -355,7 +357,7 @@ void delegpt_no_ipv4(struct delegpt* dp);
 
 /** 
  * create malloced delegation point, with the given name 
- * @param name: uncompressed wireformat of degegpt name.
+ * @param name: uncompressed wireformat of delegpt name.
  * @return NULL on alloc failure
  */
 struct delegpt* delegpt_create_mlc(uint8_t* name);

iterator/iter_fwd.c

@@ -265,6 +265,8 @@ read_forwards(struct iter_forwards* fwd, struct config_file* cfg)
 		 * last resort will ask for parent-side NS record and thus
 		 * fallback to the internet name servers on a failure */
 		dp->has_parent_side_NS = (uint8_t)!s->isfirst;
+		/* use SSL for queries to this forwarder */
+		dp->ssl_upstream = (uint8_t)s->ssl_upstream;
 		verbose(VERB_QUERY, "Forward zone server list:");
 		delegpt_log(VERB_QUERY, dp);
 		if(!forwards_insert(fwd, LDNS_RR_CLASS_IN, dp))

iterator/iter_hints.c

@@ -276,6 +276,8 @@ read_stubs(struct iter_hints* hints, struct config_file* cfg)
 		 * last resort will ask for parent-side NS record and thus
 		 * fallback to the internet name servers on a failure */
 		dp->has_parent_side_NS = (uint8_t)!s->isfirst;
+		/* ssl_upstream */
+		dp->ssl_upstream = (uint8_t)s->ssl_upstream;
 		delegpt_log(VERB_QUERY, dp);
 		if(!hints_insert(hints, LDNS_RR_CLASS_IN, dp, !s->isprime))
 			return 0;

iterator/iterator.c

@@ -2120,7 +2120,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 		&iq->qinfo_out)||target->attempts==1)?0:BIT_CD), 
 		iq->dnssec_expected, iq->caps_fallback || is_caps_whitelisted(
 		ie, iq), opt_list, &target->addr, target->addrlen,
-		iq->dp->name, iq->dp->namelen, qstate);
+		iq->dp->name, iq->dp->namelen,
+		(iq->dp->ssl_upstream || qstate->env->cfg->ssl_upstream), qstate);
 	if(!outq) {
 		log_addr(VERB_DETAIL, "error sending query to auth server", 
 			&target->addr, target->addrlen);

libunbound/libworker.c

@@ -830,7 +830,7 @@ struct outbound_entry* libworker_send_query(uint8_t* qname, size_t qnamelen,
         uint16_t qtype, uint16_t qclass, uint16_t flags, int dnssec,
 	int want_dnssec, int nocaps, struct edns_option* opt_list,
 	struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone,
-	size_t zonelen, struct module_qstate* q)
+	size_t zonelen, uint8_t ssl_upstream, struct module_qstate* q)
 {
 	struct libworker* w = (struct libworker*)q->env->worker;
 	struct outbound_entry* e = (struct outbound_entry*)regional_alloc(
@@ -840,7 +840,7 @@ struct outbound_entry* libworker_send_query(uint8_t* qname, size_t qnamelen,
 	e->qstate = q;
 	e->qsent = outnet_serviced_query(w->back, qname,
 		qnamelen, qtype, qclass, flags, dnssec, want_dnssec, nocaps,
-		q->env->cfg->tcp_upstream, q->env->cfg->ssl_upstream, opt_list,
+		q->env->cfg->tcp_upstream, ssl_upstream, opt_list,
 		addr, addrlen, zone, zonelen, libworker_handle_service_reply,
 		e, w->back->udp_buff);
 	if(!e->qsent) {
@@ -964,7 +964,8 @@ struct outbound_entry* worker_send_query(uint8_t* ATTR_UNUSED(qname),
 	int ATTR_UNUSED(nocaps), struct edns_option* ATTR_UNUSED(opt_list),
 	struct sockaddr_storage* ATTR_UNUSED(addr), 
 	socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone),
-	size_t ATTR_UNUSED(zonelen), struct module_qstate* ATTR_UNUSED(q))
+	size_t ATTR_UNUSED(zonelen), uint8_t ATTR_UNUSED(ssl_upstream),
+	struct module_qstate* ATTR_UNUSED(q))
 {
 	log_assert(0);
 	return 0;

libunbound/libworker.h

@@ -1,5 +1,5 @@
 /*
- * libunbound/worker.h - worker thread or process that resolves
+ * libunbound/libworker.h - worker thread or process that resolves
  *
  * Copyright (c) 2007, NLnet Labs. All rights reserved.
  *

libunbound/worker.h

@@ -65,6 +65,7 @@ struct edns_option;
  * @param addrlen: length of addr.
  * @param zone: delegation point name.
  * @param zonelen: length of zone name wireformat dname.
+ * @param ssl_upstream: use SSL for upstream queries.
  * @param q: wich query state to reactivate upon return.
  * @return: false on failure (memory or socket related). no query was
  *      sent.
@@ -73,7 +74,7 @@ struct outbound_entry* libworker_send_query(uint8_t* qname, size_t qnamelen,
         uint16_t qtype, uint16_t qclass, uint16_t flags, int dnssec,
 	int want_dnssec, int nocaps, struct edns_option* opt_list,
 	struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone,
-	size_t zonelen, struct module_qstate* q);
+	size_t zonelen, uint8_t ssl_upstream, struct module_qstate* q);
 
 /** process incoming replies from the network */
 int libworker_handle_reply(struct comm_point* c, void* arg, int error,
@@ -121,6 +122,7 @@ void worker_sighandler(int sig, void* arg);
  * @param addrlen: length of addr.
  * @param zone: wireformat dname of the zone.
  * @param zonelen: length of zone name.
+ * @param ssl_upstream: use SSL for upstream queries.
  * @param q: wich query state to reactivate upon return.
  * @return: false on failure (memory or socket related). no query was
  *      sent.
@@ -129,7 +131,7 @@ struct outbound_entry* worker_send_query(uint8_t* qname, size_t qnamelen,
 	uint16_t qtype, uint16_t qclass, uint16_t flags, int dnssec, 
 	int want_dnssec, int nocaps, struct edns_option* opt_list,
 	struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone,
-	size_t zonelen, struct module_qstate* q);
+	size_t zonelen, uint8_t ssl_upstream, struct module_qstate* q);
 
 /** 
  * process control messages from the main thread. Frees the control 

smallapp/worker_cb.c

@@ -106,7 +106,8 @@ struct outbound_entry* worker_send_query(uint8_t* ATTR_UNUSED(qname),
 	int ATTR_UNUSED(nocaps), struct edns_option* ATTR_UNUSED(opt_list),
 	struct sockaddr_storage* ATTR_UNUSED(addr), 
 	socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone),
-	size_t ATTR_UNUSED(zonelen), struct module_qstate* ATTR_UNUSED(q))
+	size_t ATTR_UNUSED(zonelen), uint8_t ATTR_UNUSED(ssl_upstream),
+	struct module_qstate* ATTR_UNUSED(q))
 {
 	log_assert(0);
 	return 0;
@@ -139,7 +140,8 @@ struct outbound_entry* libworker_send_query(uint8_t* ATTR_UNUSED(qname),
 	int ATTR_UNUSED(nocaps), struct edns_option* ATTR_UNUSED(opt_list),
 	struct sockaddr_storage* ATTR_UNUSED(addr), 
 	socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone),
-	size_t ATTR_UNUSED(zonelen), struct module_qstate* ATTR_UNUSED(q))
+	size_t ATTR_UNUSED(zonelen), uint8_t ATTR_UNUSED(ssl_upstream),
+	struct module_qstate* ATTR_UNUSED(q))
 {
 	log_assert(0);
 	return 0;

util/config_file.c

@@ -516,8 +516,9 @@ int config_set_option(struct config_file* cfg, const char* opt,
 		/* unknown or unsupported (from the set_option interface):
 		 * interface, outgoing-interface, access-control, 
 		 * stub-zone, name, stub-addr, stub-host, stub-prime
-		 * forward-first, stub-first,
-		 * forward-zone, name, forward-addr, forward-host,
+		 * forward-first, stub-first, forward-ssl-upstream,
+		 * stub-ssl-upstream, forward-zone,
+		 * name, forward-addr, forward-host,
 		 * ratelimit-for-domain, ratelimit-below-domain,
 		 * local-zone-tag, access-control-view */
 		return 0;

util/config_file.h

@@ -433,6 +433,8 @@ struct config_stub {
 	int isprime;
 	/** if forward-first is set (failover to without if fails) */
 	int isfirst;
+	/* use SSL for queries to this stub */
+	int ssl_upstream;
 };
 
 /**

util/configlexer.lex

@@ -288,10 +288,12 @@ stub-addr{COLON}		{ YDVAR(1, VAR_STUB_ADDR) }
 stub-host{COLON}		{ YDVAR(1, VAR_STUB_HOST) }
 stub-prime{COLON}		{ YDVAR(1, VAR_STUB_PRIME) }
 stub-first{COLON}		{ YDVAR(1, VAR_STUB_FIRST) }
+stub-ssl-upstream{COLON}	{ YDVAR(1, VAR_STUB_SSL_UPSTREAM) }
 forward-zone{COLON}		{ YDVAR(0, VAR_FORWARD_ZONE) }
 forward-addr{COLON}		{ YDVAR(1, VAR_FORWARD_ADDR) }
 forward-host{COLON}		{ YDVAR(1, VAR_FORWARD_HOST) }
 forward-first{COLON}		{ YDVAR(1, VAR_FORWARD_FIRST) }
+forward-ssl-upstream{COLON}	{ YDVAR(1, VAR_FORWARD_SSL_UPSTREAM) }
 view{COLON}			{ YDVAR(0, VAR_VIEW) }
 view-first{COLON}		{ YDVAR(1, VAR_VIEW_FIRST) }
 do-not-query-address{COLON}	{ YDVAR(1, VAR_DO_NOT_QUERY_ADDRESS) }

util/configparser.h

@@ -174,56 +174,58 @@ extern int yydebug;
     VAR_SSL_SERVICE_PEM = 384,
     VAR_SSL_PORT = 385,
     VAR_FORWARD_FIRST = 386,
-    VAR_STUB_FIRST = 387,
-    VAR_MINIMAL_RESPONSES = 388,
-    VAR_RRSET_ROUNDROBIN = 389,
-    VAR_MAX_UDP_SIZE = 390,
-    VAR_DELAY_CLOSE = 391,
-    VAR_UNBLOCK_LAN_ZONES = 392,
-    VAR_INSECURE_LAN_ZONES = 393,
-    VAR_INFRA_CACHE_MIN_RTT = 394,
-    VAR_DNS64_PREFIX = 395,
-    VAR_DNS64_SYNTHALL = 396,
-    VAR_DNSTAP = 397,
-    VAR_DNSTAP_ENABLE = 398,
-    VAR_DNSTAP_SOCKET_PATH = 399,
-    VAR_DNSTAP_SEND_IDENTITY = 400,
-    VAR_DNSTAP_SEND_VERSION = 401,
-    VAR_DNSTAP_IDENTITY = 402,
-    VAR_DNSTAP_VERSION = 403,
-    VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 404,
-    VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 405,
-    VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 406,
-    VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 407,
-    VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 408,
-    VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 409,
-    VAR_HARDEN_ALGO_DOWNGRADE = 410,
-    VAR_IP_TRANSPARENT = 411,
-    VAR_DISABLE_DNSSEC_LAME_CHECK = 412,
-    VAR_RATELIMIT = 413,
-    VAR_RATELIMIT_SLABS = 414,
-    VAR_RATELIMIT_SIZE = 415,
-    VAR_RATELIMIT_FOR_DOMAIN = 416,
-    VAR_RATELIMIT_BELOW_DOMAIN = 417,
-    VAR_RATELIMIT_FACTOR = 418,
-    VAR_CAPS_WHITELIST = 419,
-    VAR_CACHE_MAX_NEGATIVE_TTL = 420,
-    VAR_PERMIT_SMALL_HOLDDOWN = 421,
-    VAR_QNAME_MINIMISATION = 422,
-    VAR_QNAME_MINIMISATION_STRICT = 423,
-    VAR_IP_FREEBIND = 424,
-    VAR_DEFINE_TAG = 425,
-    VAR_LOCAL_ZONE_TAG = 426,
-    VAR_ACCESS_CONTROL_TAG = 427,
-    VAR_LOCAL_ZONE_OVERRIDE = 428,
-    VAR_ACCESS_CONTROL_TAG_ACTION = 429,
-    VAR_ACCESS_CONTROL_TAG_DATA = 430,
-    VAR_VIEW = 431,
-    VAR_ACCESS_CONTROL_VIEW = 432,
-    VAR_VIEW_FIRST = 433,
-    VAR_SERVE_EXPIRED = 434,
-    VAR_FAKE_DSA = 435,
-    VAR_LOG_IDENTITY = 436
+    VAR_STUB_SSL_UPSTREAM = 387,
+    VAR_FORWARD_SSL_UPSTREAM = 388,
+    VAR_STUB_FIRST = 389,
+    VAR_MINIMAL_RESPONSES = 390,
+    VAR_RRSET_ROUNDROBIN = 391,
+    VAR_MAX_UDP_SIZE = 392,
+    VAR_DELAY_CLOSE = 393,
+    VAR_UNBLOCK_LAN_ZONES = 394,
+    VAR_INSECURE_LAN_ZONES = 395,
+    VAR_INFRA_CACHE_MIN_RTT = 396,
+    VAR_DNS64_PREFIX = 397,
+    VAR_DNS64_SYNTHALL = 398,
+    VAR_DNSTAP = 399,
+    VAR_DNSTAP_ENABLE = 400,
+    VAR_DNSTAP_SOCKET_PATH = 401,
+    VAR_DNSTAP_SEND_IDENTITY = 402,
+    VAR_DNSTAP_SEND_VERSION = 403,
+    VAR_DNSTAP_IDENTITY = 404,
+    VAR_DNSTAP_VERSION = 405,
+    VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 406,
+    VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 407,
+    VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 408,
+    VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 409,
+    VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 410,
+    VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 411,
+    VAR_HARDEN_ALGO_DOWNGRADE = 412,
+    VAR_IP_TRANSPARENT = 413,
+    VAR_DISABLE_DNSSEC_LAME_CHECK = 414,
+    VAR_RATELIMIT = 415,
+    VAR_RATELIMIT_SLABS = 416,
+    VAR_RATELIMIT_SIZE = 417,
+    VAR_RATELIMIT_FOR_DOMAIN = 418,
+    VAR_RATELIMIT_BELOW_DOMAIN = 419,
+    VAR_RATELIMIT_FACTOR = 420,
+    VAR_CAPS_WHITELIST = 421,
+    VAR_CACHE_MAX_NEGATIVE_TTL = 422,
+    VAR_PERMIT_SMALL_HOLDDOWN = 423,
+    VAR_QNAME_MINIMISATION = 424,
+    VAR_QNAME_MINIMISATION_STRICT = 425,
+    VAR_IP_FREEBIND = 426,
+    VAR_DEFINE_TAG = 427,
+    VAR_LOCAL_ZONE_TAG = 428,
+    VAR_ACCESS_CONTROL_TAG = 429,
+    VAR_LOCAL_ZONE_OVERRIDE = 430,
+    VAR_ACCESS_CONTROL_TAG_ACTION = 431,
+    VAR_ACCESS_CONTROL_TAG_DATA = 432,
+    VAR_VIEW = 433,
+    VAR_ACCESS_CONTROL_VIEW = 434,
+    VAR_VIEW_FIRST = 435,
+    VAR_SERVE_EXPIRED = 436,
+    VAR_FAKE_DSA = 437,
+    VAR_LOG_IDENTITY = 438
   };
 #endif
 /* Tokens.  */
@@ -356,56 +358,58 @@ extern int yydebug;
 #define VAR_SSL_SERVICE_PEM 384
 #define VAR_SSL_PORT 385
 #define VAR_FORWARD_FIRST 386
-#define VAR_STUB_FIRST 387
-#define VAR_MINIMAL_RESPONSES 388
-#define VAR_RRSET_ROUNDROBIN 389
-#define VAR_MAX_UDP_SIZE 390
-#define VAR_DELAY_CLOSE 391
-#define VAR_UNBLOCK_LAN_ZONES 392
-#define VAR_INSECURE_LAN_ZONES 393
-#define VAR_INFRA_CACHE_MIN_RTT 394
-#define VAR_DNS64_PREFIX 395
-#define VAR_DNS64_SYNTHALL 396
-#define VAR_DNSTAP 397
-#define VAR_DNSTAP_ENABLE 398
-#define VAR_DNSTAP_SOCKET_PATH 399
-#define VAR_DNSTAP_SEND_IDENTITY 400
-#define VAR_DNSTAP_SEND_VERSION 401
-#define VAR_DNSTAP_IDENTITY 402
-#define VAR_DNSTAP_VERSION 403
-#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 404
-#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 405
-#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 406
-#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 407
-#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 408
-#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 409
-#define VAR_HARDEN_ALGO_DOWNGRADE 410
-#define VAR_IP_TRANSPARENT 411
-#define VAR_DISABLE_DNSSEC_LAME_CHECK 412
-#define VAR_RATELIMIT 413
-#define VAR_RATELIMIT_SLABS 414
-#define VAR_RATELIMIT_SIZE 415
-#define VAR_RATELIMIT_FOR_DOMAIN 416
-#define VAR_RATELIMIT_BELOW_DOMAIN 417
-#define VAR_RATELIMIT_FACTOR 418
-#define VAR_CAPS_WHITELIST 419
-#define VAR_CACHE_MAX_NEGATIVE_TTL 420
-#define VAR_PERMIT_SMALL_HOLDDOWN 421
-#define VAR_QNAME_MINIMISATION 422
-#define VAR_QNAME_MINIMISATION_STRICT 423
-#define VAR_IP_FREEBIND 424
-#define VAR_DEFINE_TAG 425
-#define VAR_LOCAL_ZONE_TAG 426
-#define VAR_ACCESS_CONTROL_TAG 427
-#define VAR_LOCAL_ZONE_OVERRIDE 428
-#define VAR_ACCESS_CONTROL_TAG_ACTION 429
-#define VAR_ACCESS_CONTROL_TAG_DATA 430
-#define VAR_VIEW 431
-#define VAR_ACCESS_CONTROL_VIEW 432
-#define VAR_VIEW_FIRST 433
-#define VAR_SERVE_EXPIRED 434
-#define VAR_FAKE_DSA 435
-#define VAR_LOG_IDENTITY 436
+#define VAR_STUB_SSL_UPSTREAM 387
+#define VAR_FORWARD_SSL_UPSTREAM 388
+#define VAR_STUB_FIRST 389
+#define VAR_MINIMAL_RESPONSES 390
+#define VAR_RRSET_ROUNDROBIN 391
+#define VAR_MAX_UDP_SIZE 392
+#define VAR_DELAY_CLOSE 393
+#define VAR_UNBLOCK_LAN_ZONES 394
+#define VAR_INSECURE_LAN_ZONES 395
+#define VAR_INFRA_CACHE_MIN_RTT 396
+#define VAR_DNS64_PREFIX 397
+#define VAR_DNS64_SYNTHALL 398
+#define VAR_DNSTAP 399
+#define VAR_DNSTAP_ENABLE 400
+#define VAR_DNSTAP_SOCKET_PATH 401
+#define VAR_DNSTAP_SEND_IDENTITY 402
+#define VAR_DNSTAP_SEND_VERSION 403
+#define VAR_DNSTAP_IDENTITY 404
+#define VAR_DNSTAP_VERSION 405
+#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 406
+#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 407
+#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 408
+#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 409
+#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 410
+#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 411
+#define VAR_HARDEN_ALGO_DOWNGRADE 412
+#define VAR_IP_TRANSPARENT 413
+#define VAR_DISABLE_DNSSEC_LAME_CHECK 414
+#define VAR_RATELIMIT 415
+#define VAR_RATELIMIT_SLABS 416
+#define VAR_RATELIMIT_SIZE 417
+#define VAR_RATELIMIT_FOR_DOMAIN 418
+#define VAR_RATELIMIT_BELOW_DOMAIN 419
+#define VAR_RATELIMIT_FACTOR 420
+#define VAR_CAPS_WHITELIST 421
+#define VAR_CACHE_MAX_NEGATIVE_TTL 422
+#define VAR_PERMIT_SMALL_HOLDDOWN 423
+#define VAR_QNAME_MINIMISATION 424
+#define VAR_QNAME_MINIMISATION_STRICT 425
+#define VAR_IP_FREEBIND 426
+#define VAR_DEFINE_TAG 427
+#define VAR_LOCAL_ZONE_TAG 428
+#define VAR_ACCESS_CONTROL_TAG 429
+#define VAR_LOCAL_ZONE_OVERRIDE 430
+#define VAR_ACCESS_CONTROL_TAG_ACTION 431
+#define VAR_ACCESS_CONTROL_TAG_DATA 432
+#define VAR_VIEW 433
+#define VAR_ACCESS_CONTROL_VIEW 434
+#define VAR_VIEW_FIRST 435
+#define VAR_SERVE_EXPIRED 436
+#define VAR_FAKE_DSA 437
+#define VAR_LOG_IDENTITY 438
 
 /* Value type.  */
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@@ -416,7 +420,7 @@ union YYSTYPE
 
 	char*	str;
 
-#line 420 "util/configparser.h" /* yacc.c:1909  */
+#line 424 "util/configparser.h" /* yacc.c:1909  */
 };
 
 typedef union YYSTYPE YYSTYPE;

util/configparser.y

@@ -106,6 +106,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_PREFETCH_KEY VAR_SO_SNDBUF VAR_SO_REUSEPORT VAR_HARDEN_BELOW_NXDOMAIN
 %token VAR_IGNORE_CD_FLAG VAR_LOG_QUERIES VAR_TCP_UPSTREAM VAR_SSL_UPSTREAM
 %token VAR_SSL_SERVICE_KEY VAR_SSL_SERVICE_PEM VAR_SSL_PORT VAR_FORWARD_FIRST
+%token VAR_STUB_SSL_UPSTREAM VAR_FORWARD_SSL_UPSTREAM
 %token VAR_STUB_FIRST VAR_MINIMAL_RESPONSES VAR_RRSET_ROUNDROBIN
 %token VAR_MAX_UDP_SIZE VAR_DELAY_CLOSE
 %token VAR_UNBLOCK_LAN_ZONES VAR_INSECURE_LAN_ZONES
@@ -221,7 +222,8 @@ stubstart: VAR_STUB_ZONE
 	;
 contents_stub: contents_stub content_stub 
 	| ;
-content_stub: stub_name | stub_host | stub_addr | stub_prime | stub_first
+content_stub: stub_name | stub_host | stub_addr | stub_prime | stub_first |
+	stub_ssl_upstream
 	;
 forwardstart: VAR_FORWARD_ZONE
 	{
@@ -237,7 +239,8 @@ forwardstart: VAR_FORWARD_ZONE
 	;
 contents_forward: contents_forward content_forward 
 	| ;
-content_forward: forward_name | forward_host | forward_addr | forward_first
+content_forward: forward_name | forward_host | forward_addr | forward_first |
+	forward_ssl_upstream
 	;
 viewstart: VAR_VIEW
 	{
@@ -1595,6 +1598,16 @@ stub_first: VAR_STUB_FIRST STRING_ARG
 		free($2);
 	}
 	;
+stub_ssl_upstream: VAR_STUB_SSL_UPSTREAM STRING_ARG
+	{
+		OUTYY(("P(stub-ssl-upstream:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->stubs->ssl_upstream = 
+			(strcmp($2, "yes")==0);
+		free($2);
+	}
+	;
 stub_prime: VAR_STUB_PRIME STRING_ARG
 	{
 		OUTYY(("P(stub-prime:%s)\n", $2));
@@ -1638,6 +1651,16 @@ forward_first: VAR_FORWARD_FIRST STRING_ARG
 		free($2);
 	}
 	;
+forward_ssl_upstream: VAR_FORWARD_SSL_UPSTREAM STRING_ARG
+	{
+		OUTYY(("P(forward-ssl-upstream:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->forwards->ssl_upstream = 
+			(strcmp($2, "yes")==0);
+		free($2);
+	}
+	;
 view_name: VAR_NAME STRING_ARG
 	{
 		OUTYY(("P(name:%s)\n", $2));

util/fptr_wlist.c

@@ -270,7 +270,7 @@ fptr_whitelist_modenv_send_query(struct outbound_entry* (*fptr)(
         uint8_t* qname, size_t qnamelen, uint16_t qtype, uint16_t qclass,
         uint16_t flags, int dnssec, int want_dnssec, int nocaps,
 	struct edns_option* opt_list, struct sockaddr_storage* addr,
-	socklen_t addrlen, uint8_t* zone, size_t zonelen,
+	socklen_t addrlen, uint8_t* zone, size_t zonelen, uint8_t ssl_upstream,
 	struct module_qstate* q))
 {
 	if(fptr == &worker_send_query) return 1;

util/fptr_wlist.h

@@ -213,7 +213,7 @@ int fptr_whitelist_modenv_send_query(struct outbound_entry* (*fptr)(
 	uint8_t* qname, size_t qnamelen, uint16_t qtype, uint16_t qclass, 
 	uint16_t flags, int dnssec, int want_dnssec, int nocaps,
 	struct edns_option*, struct sockaddr_storage* addr, socklen_t addrlen, 
-	uint8_t* zone, size_t zonelen,
+	uint8_t* zone, size_t zonelen, uint8_t ssl_upstream,
 	struct module_qstate* q));
 
 /**

util/module.h

@@ -220,6 +220,7 @@ struct module_env {
 	 * @param addrlen: length of addr.
 	 * @param zone: delegation point name.
 	 * @param zonelen: length of zone name.
+	 * @param ssl_upstream: use SSL for upstream queries.
 	 * @param q: wich query state to reactivate upon return.
 	 * @return: false on failure (memory or socket related). no query was
 	 *	sent. Or returns an outbound entry with qsent and qstate set.
@@ -230,7 +231,8 @@ struct module_env {
 		uint16_t qtype, uint16_t qclass, uint16_t flags, int dnssec, 
 		int want_dnssec, int nocaps, struct edns_option* opt_list,
 		struct sockaddr_storage* addr, socklen_t addrlen,
-		uint8_t* zone, size_t zonelen, struct module_qstate* q);
+		uint8_t* zone, size_t zonelen, uint8_t ssl_upstream,
+		struct module_qstate* q);
 
 	/**
 	 * Detach-subqueries.