author | Tobias Brunner <tobias@strongswan.org> | 2013-08-29 09:04:36 +0200 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2013-10-11 15:45:25 +0200 |
commit | 6ecf1aab35dbf8d7c245935558570295a0352c83 (patch) | |
tree | fbf2c77e0f5de1b8e342c4b50d1a3b9bd916ebc9 | |
parent | 1ff63f153e5b551ee7ba0670ea4cc8b151432bc5 (diff) | |
unbound: Add support for DLV (DNSSEC Lookaside Validation)
Fixes #392.
-rw-r--r-- | man/strongswan.conf.5.in | 10 | ||||
-rw-r--r-- | src/libstrongswan/plugins/unbound/unbound_resolver.c | 35 |
2 files changed, 32 insertions, 13 deletions
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
index e8dbe63f8..0fb239adc 100644
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@@ -886,7 +886,15 @@ File to read pseudo random bytes from, instead of @urandom_device@
 File to read DNS resolver configuration from
 .TP
 .BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
-File to read DNSSEC trust anchors from (usually root zone KSK)
+File to read DNSSEC trust anchors from (usually root zone KSK). The format of
+the file is the standard DNS Zone file format, anchors can be stored as DS or
+DNSKEY entries in the file.
+.TP
+.BR libstrongswan.plugins.unbound.dlv_anchors
+File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It uses
+the same format as \fItrust_anchors\fR. Only one DLV can be configured, which
+is then used as a root trusted DLV, this means that it is a lookaside for
+the root.
 .SS libtls section
 .TP
 .BR libtls.cipher
diff --git a/src/libstrongswan/plugins/unbound/unbound_resolver.c b/src/libstrongswan/plugins/unbound/unbound_resolver.c
index 44a2c764b..42cdbc6cc 100644
--- a/src/libstrongswan/plugins/unbound/unbound_resolver.c
+++ b/src/libstrongswan/plugins/unbound/unbound_resolver.c
@@ -94,16 +94,17 @@ resolver_t *unbound_resolver_create(void)
 {
 private_resolver_t *this;
 int ub_retval = 0;
- char *resolv_conf_file;
- char *trust_anchor_file;
+ char *resolv_conf, *trust_anchors, *dlv_anchors;
 
- resolv_conf_file = lib->settings->get_str(lib->settings,
+ resolv_conf = lib->settings->get_str(lib->settings,
 "libstrongswan.plugins.unbound.resolv_conf",
 RESOLV_CONF_FILE);
-
- trust_anchor_file = lib->settings->get_str(lib->settings,
+ trust_anchors = lib->settings->get_str(lib->settings,
 "libstrongswan.plugins.unbound.trust_anchors",
 TRUST_ANCHOR_FILE);
+ dlv_anchors = lib->settings->get_str(lib->settings,
+ "libstrongswan.plugins.unbound.dlv_anchors",
+ NULL);
 
 INIT(this,
 .public = {
@@ -120,24 +121,34 @@ resolver_t *unbound_resolver_create(void)
 return NULL;
 }
 
- DBG1(DBG_CFG, "loading unbound resolver config from '%s'", resolv_conf_file);
- ub_retval = ub_ctx_resolvconf(this->ctx, resolv_conf_file);
+ DBG2(DBG_CFG, "loading unbound resolver config from '%s'", resolv_conf);
+ ub_retval = ub_ctx_resolvconf(this->ctx, resolv_conf);
 if (ub_retval)
 {
 DBG1(DBG_CFG, "failed to read the resolver config: %s (%s)",
- ub_strerror(ub_retval), strerror(errno));
+ ub_strerror(ub_retval), strerror(errno));
 destroy(this);
 return NULL;
 }
 
- DBG1(DBG_CFG, "loading unbound trust anchors from '%s'", trust_anchor_file);
- ub_retval = ub_ctx_add_ta_file(this->ctx, trust_anchor_file);
+ DBG2(DBG_CFG, "loading unbound trust anchors from '%s'", trust_anchors);
+ ub_retval = ub_ctx_add_ta_file(this->ctx, trust_anchors);
 if (ub_retval)
 {
 DBG1(DBG_CFG, "failed to load trust anchors: %s (%s)",
- ub_strerror(ub_retval), strerror(errno));
+ ub_strerror(ub_retval), strerror(errno));
 }
 
+ if (dlv_anchors)
+ {
+ DBG2(DBG_CFG, "loading trusted keys for DLV from '%s'", dlv_anchors);
+ ub_retval = ub_ctx_set_option(this->ctx, "dlv-anchor-file:",
+ dlv_anchors);
+ if (ub_retval)
+ {
+ DBG1(DBG_CFG, "failed to load trusted keys for DLV: %s (%s)",
+ ub_strerror(ub_retval), strerror(errno));
+ }
+ }
 return &this->public;
 }
- |
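Review bot: The error branch after `ub_ctx_set_option(this->ctx, "dlv-anchor-file:", dlv_anchors)` is logged as "failed to load trusted keys for DLV", but a set_option call presumably only records the option value; if libunbound parses the anchor file later (at context finalization or on the first query), an unreadable or malformed file will not be reported here and the message is misleading — suggest `"failed to set DLV anchor file: %s (%s)"` and confirming where the file is actually read. Like the trust-anchor branch above it, this failure is logged at DBG1 and the context is still returned, so a misconfigured anchor path yields a resolver that starts but may not validate; a short comment would help the next reader, e.g. `/* NOTE: anchor failures are deliberately non-fatal -- confirm callers check each answer's DNSSEC status */`. `strerror(errno)` is appended to all three messages although nothing visible here sets errno, so it may print an unrelated value. A DLV anchor is also a second root of trust (anything the lookaside registry vouches for validates as secure), which is worth stating next to the new option. unbound_resolver_create starts in the previous hunk.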