Commit 4f5079e5 authored by Vladimír Čunát's avatar Vladimír Čunát

trust anchors: make bootstrap configurable

... via trust_anchors.{bootstrap_url,bootstrap_ca}
parent 51b59feb
......@@ -30,7 +30,7 @@ INSTALL := install
# Flags
BUILD_LDFLAGS += $(LDFLAGS)
BUILD_CFLAGS := $(CFLAGS) -std=c99 -D_GNU_SOURCE -Wno-unused -Wtype-limits -Wformat -Wformat-security -Wall -I$(abspath .) -I$(abspath lib/generic) -I$(abspath contrib) -I$(abspath contrib/lmdb)
BUILD_CFLAGS += -DPACKAGE_VERSION="\"$(VERSION)\"" -DPREFIX="\"$(PREFIX)\"" -DMODULEDIR="\"$(MODULEDIR)\"" -DETCDIR="\"$(ETCDIR)\""
BUILD_CFLAGS += -DPACKAGE_VERSION="\"$(VERSION)\"" -DPREFIX="\"$(PREFIX)\"" -DMODULEDIR="\"$(MODULEDIR)\""
ifeq (,$(findstring -O,$(CFLAGS)))
BUILD_CFLAGS += -O2
endif
......
......@@ -51,7 +51,10 @@ ifneq ($(SED),)
$(INSTALL) -m 0644 doc/kresd.8 $(DESTDIR)$(MANDIR)/man8/
endif
daemon-clean: kresd-clean
@$(RM) daemon/lua/*.inc
@$(RM) daemon/lua/*.inc daemon/lua/trust_anchors.lua
daemon/lua/trust_anchors.lua: daemon/lua/trust_anchors.lua.in
@$(call quiet,SED,$<) -e "s|@ETCDIR@|$(ETCDIR)|g" $< > $@
daemon/lua/kres-gen.lua: | $(libkres)
@echo "WARNING: regenerating $@"
......
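Review bot: The new `daemon/lua/trust_anchors.lua` rule in the second hunk pastes `$(ETCDIR)` into a sed expression delimited by `|`, so a prefix containing `|` (or `&`, which sed expands to the matched text) yields a wrong or unparsable path baked into the generated Lua; either escape the value or reject it up front, e.g. `@case '$(ETCDIR)' in *'|'*|*'&'*) echo 'ETCDIR must not contain | or &' >&2; exit 1;; esac` as the first recipe line. Nothing visible here lists the generated `.lua` as a prerequisite of the daemon or install targets or adds it to .gitignore, so if that is not done elsewhere a build may run against a stale or missing file and a fresh checkout may ship only the `.lua.in`. The new rule itself is complete within the hunk; the surrounding install recipe starts before it.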
......@@ -550,8 +550,6 @@ static int init_state(struct engine *engine)
lua_setglobal(engine->L, "map");
lua_pushliteral(engine->L, MODULEDIR);
lua_setglobal(engine->L, "moduledir");
lua_pushliteral(engine->L, ETCDIR);
lua_setglobal(engine->L, "etcdir");
lua_pushlightuserdata(engine->L, engine);
lua_setglobal(engine->L, "__engine");
return kr_ok();
......
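Review bot: Removing the `etcdir` global drops a name that any Lua module or user config file could have referenced, and the commit message only describes the new `trust_anchors` fields, so such callers would now read nil with no error at load time. I cannot see the other modules from here, so this deserves a grep for `etcdir` outside `trust_anchors.lua.in` and, if it was documented or used, a NEWS entry or a compatibility assignment (for instance `etcdir = '@ETCDIR@'` in the generated Lua) rather than a silent removal. `init_state` starts before the hunk and its closing brace lies outside it.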
......@@ -22,8 +22,6 @@ local function bootstrap(url, ca)
-- @todo ICANN certificate is verified against current CA
-- this is not ideal, as it should rather verify .xml signature which
-- is signed by ICANN long-lived cert, but luasec has no PKCS7
ca = ca or etcdir..'/icann-ca.pem'
url = url or 'https://data.iana.org/root-anchors/root-anchors.xml'
local xml, err = https_fetch(url, ca)
if not xml then
return false, string.format('[ ta ] fetch of "%s" failed: %s', url, err)
......@@ -223,6 +221,8 @@ local trust_anchors = {
insecure = {},
hold_down_time = 30 * day,
keep_removed = 0,
bootstrap_url = 'https://data.iana.org/root-anchors/root-anchors.xml',
  • For some reason, trust_anchors.bootstrap_url in interactive mode returns nil and writing to this attribute does not actually change the URL used by the bootstrapping mechanism. This is a problem for automated testing ...

  • Oh, I'll look into that. EDIT: JFTR it seems it did actually work OK.

bootstrap_ca = '@ETCDIR@/icann-ca.pem',
-- Update existing keyset
update = function (new_keys, initial)
if not new_keys then return false end
......@@ -276,7 +276,7 @@ local trust_anchors = {
if trust_anchors.refresh_ev ~= nil then event.cancel(trust_anchors.refresh_ev) end
if not unmanaged then
if not io.open(path, 'r') then
local rr, msg = bootstrap()
local rr, msg = bootstrap(trust_anchors.bootstrap_url, trust_anchors.bootstrap_ca)
if not rr then
error('you MUST obtain the root TA manually, see: '..
'https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec')
......
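Review bot: In the first hunk, dropping `ca = ca or etcdir..'/icann-ca.pem'` means `bootstrap()` now forwards whatever `trust_anchors.bootstrap_ca` holds straight into `https_fetch(url, ca)`, including nil if a config clears it, and nothing in the hunk checks it; per the @todo just above, the CA check on the TLS connection is the only integrity control on the fetched root-anchors XML, so a nil CA must not be allowed to degrade into an unverified fetch (whether luasec would do that here is not visible). I would fail closed before the fetch: `if not url then return false, '[ ta ] bootstrap_url is not set' end` and `if not ca then return false, '[ ta ] bootstrap_ca is not set, refusing unverified fetch' end`. The two fields added in the second hunk are also undocumented; a comment on `bootstrap_ca` saying it is the CA bundle used to verify the TLS certificate of `bootstrap_url` and is the only check on the XML's integrity, and one on `bootstrap_url` saying it must remain an https URL, would tell operators exactly what they loosen by changing them. `bootstrap()` starts before the first hunk and its body continues past it.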