
(-)b/doc/unbound-anchor.8.in (+5 lines)
 Lines 109-114   It does so, because the tool when used for bootstrapping the recursive Link Here 
109
resolver, cannot use that recursive resolver itself because it is bootstrapping
109
resolver, cannot use that recursive resolver itself because it is bootstrapping
110
that server.
110
that server.
111
.TP
111
.TP
112
.B \-R
113
Allow fallback from \-f resolv.conf file to direct root servers query.
114
It allows you to prefer local resolvers, but fallback automatically
115
to direct root query if they do not respond or do not support DNSSEC.
116
.TP
112
.B \-v
117
.B \-v
113
More verbose. Once prints informational messages, multiple times may enable
118
More verbose. Once prints informational messages, multiple times may enable
114
large debug amounts (such as full certificates or byte\-dumps of downloaded
119
large debug amounts (such as full certificates or byte\-dumps of downloaded
(-)b/smallapp/unbound-anchor.c (-19 / +48 lines)
 Lines 192-200   usage(void) Link Here 
192
	printf("-n name		signer's subject emailAddress, default %s\n", P7SIGNER);
192
	printf("-n name		signer's subject emailAddress, default %s\n", P7SIGNER);
193
	printf("-4		work using IPv4 only\n");
193
	printf("-4		work using IPv4 only\n");
194
	printf("-6		work using IPv6 only\n");
194
	printf("-6		work using IPv6 only\n");
195
	printf("-f resolv.conf	use given resolv.conf to resolve -u name\n");
195
	printf("-f resolv.conf	use given resolv.conf\n");
196
	printf("-r root.hints	use given root.hints to resolve -u name\n"
196
	printf("-r root.hints	use given root.hints\n"
197
		"		builtin root hints are used by default\n");
197
		"		builtin root hints are used by default\n");
198
	printf("-R		fallback from -f to root query on error\n");
198
	printf("-v		more verbose\n");
199
	printf("-v		more verbose\n");
199
	printf("-C conf		debug, read config\n");
200
	printf("-C conf		debug, read config\n");
200
	printf("-P port		use port for https connect, default 443\n");
201
	printf("-P port		use port for https connect, default 443\n");
 Lines 1920-1927   static int Link Here 
1920
do_certupdate(const char* root_anchor_file, const char* root_cert_file,
1921
do_certupdate(const char* root_anchor_file, const char* root_cert_file,
1921
	const char* urlname, const char* xmlname, const char* p7sname,
1922
	const char* urlname, const char* xmlname, const char* p7sname,
1922
	const char* p7signer, const char* res_conf, const char* root_hints,
1923
	const char* p7signer, const char* res_conf, const char* root_hints,
1923
	const char* debugconf, int ip4only, int ip6only, int port,
1924
	const char* debugconf, int ip4only, int ip6only, int port)
1924
	struct ub_result* dnskey)
1925
{
1925
{
1926
	STACK_OF(X509)* cert;
1926
	STACK_OF(X509)* cert;
1927
	BIO *xml, *p7s;
1927
	BIO *xml, *p7s;
 Lines 1961-1967   do_certupdate(const char* root_anchor_file, const char* root_cert_file, Link Here 
1961
#ifndef S_SPLINT_S
1961
#ifndef S_SPLINT_S
1962
	sk_X509_pop_free(cert, X509_free);
1962
	sk_X509_pop_free(cert, X509_free);
1963
#endif
1963
#endif
1964
	ub_resolve_free(dnskey);
1965
	ip_list_free(ip_list);
1964
	ip_list_free(ip_list);
1966
	return 1;
1965
	return 1;
1967
}
1966
}
 Lines 2199-2214   probe_date_allows_certupdate(const char* root_anchor_file) Link Here 
2199
	return 0;
2198
	return 0;
2200
}
2199
}
2201
2200
2201
static struct ub_result *
2202
fetch_root_key(const char* root_anchor_file, const char* res_conf,
2203
	const char* root_hints, const char* debugconf,
2204
	int ip4only, int ip6only)
2205
{
2206
	struct ub_ctx* ctx;
2207
	struct ub_result* dnskey;
2208
2209
	ctx = create_unbound_context(res_conf, root_hints, debugconf,
2210
		ip4only, ip6only);
2211
	add_5011_probe_root(ctx, root_anchor_file);
2212
	dnskey = prime_root_key(ctx);
2213
	ub_ctx_delete(ctx);
2214
	return dnskey;
2215
}
2216
2202
/** perform the unbound-anchor work */
2217
/** perform the unbound-anchor work */
2203
static int
2218
static int
2204
do_root_update_work(const char* root_anchor_file, const char* root_cert_file,
2219
do_root_update_work(const char* root_anchor_file, const char* root_cert_file,
2205
	const char* urlname, const char* xmlname, const char* p7sname,
2220
	const char* urlname, const char* xmlname, const char* p7sname,
2206
	const char* p7signer, const char* res_conf, const char* root_hints,
2221
	const char* p7signer, const char* res_conf, const char* root_hints,
2207
	const char* debugconf, int ip4only, int ip6only, int force, int port)
2222
	const char* debugconf, int ip4only, int ip6only, int force,
2223
	int res_conf_fallback, int port)
2208
{
2224
{
2209
	struct ub_ctx* ctx;
2210
	struct ub_result* dnskey;
2225
	struct ub_result* dnskey;
2211
	int used_builtin = 0;
2226
	int used_builtin = 0;
2227
	int rcode;
2212
2228
2213
	/* see if builtin rootanchor needs to be provided, or if
2229
	/* see if builtin rootanchor needs to be provided, or if
2214
	 * rootanchor is 'revoked-trust-point' */
2230
	 * rootanchor is 'revoked-trust-point' */
 Lines 2217-2228   do_root_update_work(const char* root_anchor_file, const char* root_cert_file, Link Here 
2217
2233
2218
	/* make unbound context with 5011-probe for root anchor,
2234
	/* make unbound context with 5011-probe for root anchor,
2219
	 * and probe . DNSKEY */
2235
	 * and probe . DNSKEY */
2220
	ctx = create_unbound_context(res_conf, root_hints, debugconf,
2236
	dnskey = fetch_root_key(root_anchor_file, res_conf,
2221
		ip4only, ip6only);
2237
		root_hints, debugconf, ip4only, ip6only);
2222
	add_5011_probe_root(ctx, root_anchor_file);
2238
	rcode = dnskey->rcode;
2223
	dnskey = prime_root_key(ctx);
2239
2224
	ub_ctx_delete(ctx);
2240
	if (res_conf_fallback && res_conf && !dnskey->secure) {
2225
	
2241
		if (verb) printf("%s failed, retrying direct\n", res_conf);
2242
		ub_resolve_free(dnskey);
2243
		/* try direct query without res_conf */
2244
		dnskey = fetch_root_key(root_anchor_file, NULL,
2245
			root_hints, debugconf, ip4only, ip6only);
2246
		if (rcode != 0 && dnskey->rcode == 0) {
2247
			res_conf = NULL;
2248
			rcode = 0;
2249
		}
2250
	}
2251
2226
	/* if secure: exit */
2252
	/* if secure: exit */
2227
	if(dnskey->secure && !force) {
2253
	if(dnskey->secure && !force) {
2228
		if(verb) printf("success: the anchor is ok\n");
2254
		if(verb) printf("success: the anchor is ok\n");
 Lines 2230-2247   do_root_update_work(const char* root_anchor_file, const char* root_cert_file, Link Here 
2230
		return used_builtin;
2256
		return used_builtin;
2231
	}
2257
	}
2232
	if(force && verb) printf("debug cert update forced\n");
2258
	if(force && verb) printf("debug cert update forced\n");
2259
	ub_resolve_free(dnskey);
2233
2260
2234
	/* if not (and NOERROR): check date and do certupdate */
2261
	/* if not (and NOERROR): check date and do certupdate */
2235
	if((dnskey->rcode == 0 &&
2262
	if((rcode == 0 &&
2236
		probe_date_allows_certupdate(root_anchor_file)) || force) {
2263
		probe_date_allows_certupdate(root_anchor_file)) || force) {
2237
		if(do_certupdate(root_anchor_file, root_cert_file, urlname,
2264
		if(do_certupdate(root_anchor_file, root_cert_file, urlname,
2238
			xmlname, p7sname, p7signer, res_conf, root_hints,
2265
			xmlname, p7sname, p7signer, res_conf, root_hints,
2239
			debugconf, ip4only, ip6only, port, dnskey))
2266
			debugconf, ip4only, ip6only, port))
2240
			return 1;
2267
			return 1;
2241
		return used_builtin;
2268
		return used_builtin;
2242
	}
2269
	}
2243
	if(verb) printf("fail: the anchor is NOT ok and could not be fixed\n");
2270
	if(verb) printf("fail: the anchor is NOT ok and could not be fixed\n");
2244
	ub_resolve_free(dnskey);
2245
	return used_builtin;
2271
	return used_builtin;
2246
}
2272
}
2247
2273
 Lines 2264-2271   int main(int argc, char* argv[]) Link Here 
2264
	const char* root_hints = NULL;
2290
	const char* root_hints = NULL;
2265
	const char* debugconf = NULL;
2291
	const char* debugconf = NULL;
2266
	int dolist=0, ip4only=0, ip6only=0, force=0, port = HTTPS_PORT;
2292
	int dolist=0, ip4only=0, ip6only=0, force=0, port = HTTPS_PORT;
2293
	int res_conf_fallback = 0;
2267
	/* parse the options */
2294
	/* parse the options */
2268
	while( (c=getopt(argc, argv, "46C:FP:a:c:f:hln:r:s:u:vx:")) != -1) {
2295
	while( (c=getopt(argc, argv, "46C:FRP:a:c:f:hln:r:s:u:vx:")) != -1) {
2269
		switch(c) {
2296
		switch(c) {
2270
		case 'l':
2297
		case 'l':
2271
			dolist = 1;
2298
			dolist = 1;
 Lines 2300-2305   int main(int argc, char* argv[]) Link Here 
2300
		case 'r':
2327
		case 'r':
2301
			root_hints = optarg;
2328
			root_hints = optarg;
2302
			break;
2329
			break;
2330
		case 'R':
2331
			res_conf_fallback = 1;
2332
			break;
2303
		case 'C':
2333
		case 'C':
2304
			debugconf = optarg;
2334
			debugconf = optarg;
2305
			break;
2335
			break;
 Lines 2346-2350   int main(int argc, char* argv[]) Link Here 
2346
2376
2347
	return do_root_update_work(root_anchor_file, root_cert_file, urlname,
2377
	return do_root_update_work(root_anchor_file, root_cert_file, urlname,
2348
		xmlname, p7sname, p7signer, res_conf, root_hints, debugconf,
2378
		xmlname, p7sname, p7signer, res_conf, root_hints, debugconf,
2349
		ip4only, ip6only, force, port);
2379
		ip4only, ip6only, force, res_conf_fallback, port);
2350
}
2380
}
2351
- 
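Review bot: The fallback block at new lines 2240-2250 picks which attempt drives the rest of do_root_update_work on `rcode` alone, and the reasoning is not visible at the site: `rcode` is frozen from the resolv.conf attempt, the direct attempt is kept as `dnskey` whatever it returned, and `res_conf` is cleared only when the first attempt had a non-zero rcode and the direct one answered NOERROR. So when the local resolver answered NOERROR but without DNSSEC (the "do not support DNSSEC" case the man page advertises for -R) and the direct query also comes back NOERROR but insecure, the later do_certupdate still resolves through the original `res_conf`; that may be intended, but a comment should say so, e.g. `/* keep rcode of the first attempt; use the direct root query for the cert update only when res_conf failed outright and the direct query answered */`. The `"%s failed, retrying direct\n"` message is also printed on `!dnskey->secure` with rcode 0, which is not a resolver failure, so either the wording or the condition should be narrowed. Both `dnskey->rcode` reads assume fetch_root_key never returns NULL, as the pre-existing `dnskey->secure` dereference already did; worth confirming against prime_root_key. do_root_update_work starts and ends outside this hunk.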
