Backport +t flag to forward_add and stub_add control commands
+t flag allows unbound-control to add servers which are to be contacted through dns-over-tls protocol. Resolves: RHEL-77791
This commit is contained in:
Tomas Korbar
parent
0112876df6
commit
aa29997235
129
unbound-1.16-control-t-flag.patch
Normal file
129
unbound-1.16-control-t-flag.patch
Normal file
@ -0,0 +1,129 @@
|
||||
commit 6d1e61173bbf44dae458c361be63217f7e9e5599
|
||||
Author: W.C.A. Wijngaards <wouter@nlnetlabs.nl>
|
||||
Date: Thu Mar 28 09:58:03 2024 +0100
|
||||
|
||||
- Fix #1034: DoT forward-zone via unbound-control.
|
||||
|
||||
diff --git a/unbound-1.16.2/daemon/remote.c b/unbound-1.16.2/daemon/remote.c
|
||||
index 5d79eafd..cbce1198 100644
|
||||
--- a/unbound-1.16.2/daemon/remote.c
|
||||
+++ b/unbound-1.16.2/daemon/remote.c
|
||||
@@ -2097,7 +2097,7 @@ do_forward(RES* ssl, struct worker* worker, char* args)
|
||||
|
||||
static int
|
||||
parse_fs_args(RES* ssl, char* args, uint8_t** nm, struct delegpt** dp,
|
||||
- int* insecure, int* prime)
|
||||
+ int* insecure, int* prime, int* tls)
|
||||
{
|
||||
char* zonename;
|
||||
char* rest;
|
||||
@@ -2112,6 +2112,8 @@ parse_fs_args(RES* ssl, char* args, uint8_t** nm, struct delegpt** dp,
|
||||
*insecure = 1;
|
||||
else if(*args == 'p' && prime)
|
||||
*prime = 1;
|
||||
+ else if(*args == 't' && tls)
|
||||
+ *tls = 1;
|
||||
else {
|
||||
(void)ssl_printf(ssl, "error: unknown option %s\n", args);
|
||||
return 0;
|
||||
@@ -2144,11 +2146,13 @@ static void
|
||||
do_forward_add(RES* ssl, struct worker* worker, char* args)
|
||||
{
|
||||
struct iter_forwards* fwd = worker->env.fwds;
|
||||
- int insecure = 0;
|
||||
+ int insecure = 0, tls = 0;
|
||||
uint8_t* nm = NULL;
|
||||
struct delegpt* dp = NULL;
|
||||
- if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, NULL))
|
||||
+ if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, NULL, &tls))
|
||||
return;
|
||||
+ if(tls)
|
||||
+ dp->ssl_upstream = 1;
|
||||
if(insecure && worker->env.anchors) {
|
||||
if(!anchors_add_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
|
||||
nm)) {
|
||||
@@ -2174,7 +2178,7 @@ do_forward_remove(RES* ssl, struct worker* worker, char* args)
|
||||
struct iter_forwards* fwd = worker->env.fwds;
|
||||
int insecure = 0;
|
||||
uint8_t* nm = NULL;
|
||||
- if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL))
|
||||
+ if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL, NULL))
|
||||
return;
|
||||
if(insecure && worker->env.anchors)
|
||||
anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
|
||||
@@ -2189,11 +2193,13 @@ static void
|
||||
do_stub_add(RES* ssl, struct worker* worker, char* args)
|
||||
{
|
||||
struct iter_forwards* fwd = worker->env.fwds;
|
||||
- int insecure = 0, prime = 0;
|
||||
+ int insecure = 0, prime = 0, tls = 0;
|
||||
uint8_t* nm = NULL;
|
||||
struct delegpt* dp = NULL;
|
||||
- if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, &prime))
|
||||
+ if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, &prime, &tls))
|
||||
return;
|
||||
+ if(tls)
|
||||
+ dp->ssl_upstream = 1;
|
||||
if(insecure && worker->env.anchors) {
|
||||
if(!anchors_add_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
|
||||
nm)) {
|
||||
@@ -2232,7 +2238,7 @@ do_stub_remove(RES* ssl, struct worker* worker, char* args)
|
||||
struct iter_forwards* fwd = worker->env.fwds;
|
||||
int insecure = 0;
|
||||
uint8_t* nm = NULL;
|
||||
- if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL))
|
||||
+ if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL, NULL))
|
||||
return;
|
||||
if(insecure && worker->env.anchors)
|
||||
anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
|
||||
diff --git a/unbound-1.16.2/doc/unbound-control.8.in b/unbound-1.16.2/doc/unbound-control.8.in
|
||||
index 7823de3a..642b4c94 100644
|
||||
--- a/unbound-1.16.2/doc/unbound-control.8.in
|
||||
+++ b/unbound-1.16.2/doc/unbound-control.8.in
|
||||
@@ -239,22 +239,24 @@ still be bogus, use \fBflush_zone\fR to remove it), does not affect the config f
|
||||
.B insecure_remove \fIzone
|
||||
Removes domain\-insecure for the given zone.
|
||||
.TP
|
||||
-.B forward_add \fR[\fI+i\fR] \fIzone addr ...
|
||||
+.B forward_add \fR[\fI+it\fR] \fIzone addr ...
|
||||
Add a new forward zone to running Unbound. With +i option also adds a
|
||||
\fIdomain\-insecure\fR for the zone (so it can resolve insecurely if you have
|
||||
a DNSSEC root trust anchor configured for other names).
|
||||
The addr can be IP4, IP6 or nameserver names, like \fIforward-zone\fR config
|
||||
in unbound.conf.
|
||||
+The +t option sets it to use tls upstream, like \fIforward\-tls\-upstream\fR: yes.
|
||||
.TP
|
||||
.B forward_remove \fR[\fI+i\fR] \fIzone
|
||||
Remove a forward zone from running Unbound. The +i also removes a
|
||||
\fIdomain\-insecure\fR for the zone.
|
||||
.TP
|
||||
-.B stub_add \fR[\fI+ip\fR] \fIzone addr ...
|
||||
+.B stub_add \fR[\fI+ipt\fR] \fIzone addr ...
|
||||
Add a new stub zone to running Unbound. With +i option also adds a
|
||||
\fIdomain\-insecure\fR for the zone. With +p the stub zone is set to prime,
|
||||
without it it is set to notprime. The addr can be IP4, IP6 or nameserver
|
||||
names, like the \fIstub-zone\fR config in unbound.conf.
|
||||
+The +t option sets it to use tls upstream, like \fIstub\-tls\-upstream\fR: yes.
|
||||
.TP
|
||||
.B stub_remove \fR[\fI+i\fR] \fIzone
|
||||
Remove a stub zone from running Unbound. The +i also removes a
|
||||
diff --git a/unbound-1.16.2/smallapp/unbound-control.c b/unbound-1.16.2/smallapp/unbound-control.c
|
||||
index c4f73006..57b0787d 100644
|
||||
--- a/unbound-1.16.2/smallapp/unbound-control.c
|
||||
+++ b/unbound-1.16.2/smallapp/unbound-control.c
|
||||
@@ -150,12 +150,13 @@ usage(void)
|
||||
printf(" list_local_data list local-data RRs in use\n");
|
||||
printf(" insecure_add zone add domain-insecure zone\n");
|
||||
printf(" insecure_remove zone remove domain-insecure zone\n");
|
||||
- printf(" forward_add [+i] zone addr.. add forward-zone with servers\n");
|
||||
+ printf(" forward_add [+it] zone addr.. add forward-zone with servers\n");
|
||||
printf(" forward_remove [+i] zone remove forward zone\n");
|
||||
- printf(" stub_add [+ip] zone addr.. add stub-zone with servers\n");
|
||||
+ printf(" stub_add [+ipt] zone addr.. add stub-zone with servers\n");
|
||||
printf(" stub_remove [+i] zone remove stub zone\n");
|
||||
printf(" +i also do dnssec insecure point\n");
|
||||
printf(" +p set stub to use priming\n");
|
||||
+ printf(" +t set to use tls upstream\n");
|
||||
printf(" forward [off | addr ...] without arg show forward setup\n");
|
||||
printf(" or off to turn off root forwarding\n");
|
||||
printf(" or give list of ip addresses\n");
|
||||
@ -30,7 +30,7 @@
|
||||
Summary: Validating, recursive, and caching DNS(SEC) resolver
|
||||
Name: unbound
|
||||
Version: 1.16.2
|
||||
Release: 11%{?extra_version:.%{extra_version}}%{?dist}
|
||||
Release: 12%{?extra_version:.%{extra_version}}%{?dist}
|
||||
License: BSD
|
||||
Url: https://nlnetlabs.nl/projects/unbound/
|
||||
Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
|
||||
@ -61,6 +61,8 @@ Source24: unbound-initrd.conf
|
||||
Patch1: unbound-1.16-CVE-2022-3204.patch
|
||||
# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2023-50387_CVE-2023-50868.diff
|
||||
Patch4: unbound-1.16-CVE-2023-50387-CVE-2023-50868.patch
|
||||
# https://github.com/NLnetLabs/unbound/commit/6d1e61173
|
||||
Patch5: unbound-1.16-control-t-flag.patch
|
||||
|
||||
BuildRequires: gcc, make
|
||||
BuildRequires: flex, openssl-devel
|
||||
@ -479,6 +481,10 @@ popd
|
||||
%{_prefix}/lib/dracut/modules.d/99unbound
|
||||
|
||||
%changelog
|
||||
* Tue Feb 04 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-12
|
||||
- Backport +t flag to forward_add and stub_add control commands
|
||||
- Resolves: RHEL-77791
|
||||
|
||||
* Tue Feb 04 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-11
|
||||
- Enabled libsystemd and change unbound service type to notify-reload
|
||||
- Resolves: RHEL-77790
|
||||
|
||||
Loading…
Reference in New Issue
Block a user