rpms/unbound
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Backport +t flag to forward_add and stub_add control commands

Browse Source 
+t flag allows unbound-control to add servers which are to be
contacted through dns-over-tls protocol.

Resolves: RHEL-77791
This commit is contained in:
Tomas Korbar 2025-02-04 16:47:25 +01:00
parent 0112876df6
commit aa29997235
2 changed files with 136 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

129
unbound-1.16-control-t-flag.patch Normal file
View File

@ -0,0 +1,129 @@
commit 6d1e61173bbf44dae458c361be63217f7e9e5599
Author: W.C.A. Wijngaards <wouter@nlnetlabs.nl>
Date: Thu Mar 28 09:58:03 2024 +0100
- Fix #1034: DoT forward-zone via unbound-control.
diff --git a/unbound-1.16.2/daemon/remote.c b/unbound-1.16.2/daemon/remote.c
index 5d79eafd..cbce1198 100644
--- a/unbound-1.16.2/daemon/remote.c
+++ b/unbound-1.16.2/daemon/remote.c
@@ -2097,7 +2097,7 @@ do_forward(RES* ssl, struct worker* worker, char* args)
static int
parse_fs_args(RES* ssl, char* args, uint8_t** nm, struct delegpt** dp,
- int* insecure, int* prime)
+ int* insecure, int* prime, int* tls)
{
char* zonename;
char* rest;
@@ -2112,6 +2112,8 @@ parse_fs_args(RES* ssl, char* args, uint8_t** nm, struct delegpt** dp,
*insecure = 1;
else if(*args == 'p' && prime)
*prime = 1;
+ else if(*args == 't' && tls)
+ *tls = 1;
else {
(void)ssl_printf(ssl, "error: unknown option %s\n", args);
return 0;
@@ -2144,11 +2146,13 @@ static void
do_forward_add(RES* ssl, struct worker* worker, char* args)
{
struct iter_forwards* fwd = worker->env.fwds;
- int insecure = 0;
+ int insecure = 0, tls = 0;
uint8_t* nm = NULL;
struct delegpt* dp = NULL;
- if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, NULL))
+ if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, NULL, &tls))
return;
+ if(tls)
+ dp->ssl_upstream = 1;
if(insecure && worker->env.anchors) {
if(!anchors_add_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
nm)) {
@@ -2174,7 +2178,7 @@ do_forward_remove(RES* ssl, struct worker* worker, char* args)
struct iter_forwards* fwd = worker->env.fwds;
int insecure = 0;
uint8_t* nm = NULL;
- if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL))
+ if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL, NULL))
return;
if(insecure && worker->env.anchors)
anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
@@ -2189,11 +2193,13 @@ static void
do_stub_add(RES* ssl, struct worker* worker, char* args)
{
struct iter_forwards* fwd = worker->env.fwds;
- int insecure = 0, prime = 0;
+ int insecure = 0, prime = 0, tls = 0;
uint8_t* nm = NULL;
struct delegpt* dp = NULL;
- if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, &prime))
+ if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, &prime, &tls))
return;
+ if(tls)
+ dp->ssl_upstream = 1;
if(insecure && worker->env.anchors) {
if(!anchors_add_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
nm)) {
@@ -2232,7 +2238,7 @@ do_stub_remove(RES* ssl, struct worker* worker, char* args)
struct iter_forwards* fwd = worker->env.fwds;
int insecure = 0;
uint8_t* nm = NULL;
- if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL))
+ if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL, NULL))
return;
if(insecure && worker->env.anchors)
anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
diff --git a/unbound-1.16.2/doc/unbound-control.8.in b/unbound-1.16.2/doc/unbound-control.8.in
index 7823de3a..642b4c94 100644
--- a/unbound-1.16.2/doc/unbound-control.8.in
+++ b/unbound-1.16.2/doc/unbound-control.8.in
@@ -239,22 +239,24 @@ still be bogus, use \fBflush_zone\fR to remove it), does not affect the config f
.B insecure_remove \fIzone
Removes domain\-insecure for the given zone.
.TP
-.B forward_add \fR[\fI+i\fR] \fIzone addr ...
+.B forward_add \fR[\fI+it\fR] \fIzone addr ...
Add a new forward zone to running Unbound. With +i option also adds a
\fIdomain\-insecure\fR for the zone (so it can resolve insecurely if you have
a DNSSEC root trust anchor configured for other names).
The addr can be IP4, IP6 or nameserver names, like \fIforward-zone\fR config
in unbound.conf.
+The +t option sets it to use tls upstream, like \fIforward\-tls\-upstream\fR: yes.
.TP
.B forward_remove \fR[\fI+i\fR] \fIzone
Remove a forward zone from running Unbound. The +i also removes a
\fIdomain\-insecure\fR for the zone.
.TP
-.B stub_add \fR[\fI+ip\fR] \fIzone addr ...
+.B stub_add \fR[\fI+ipt\fR] \fIzone addr ...
Add a new stub zone to running Unbound. With +i option also adds a
\fIdomain\-insecure\fR for the zone. With +p the stub zone is set to prime,
without it it is set to notprime. The addr can be IP4, IP6 or nameserver
names, like the \fIstub-zone\fR config in unbound.conf.
+The +t option sets it to use tls upstream, like \fIstub\-tls\-upstream\fR: yes.
.TP
.B stub_remove \fR[\fI+i\fR] \fIzone
Remove a stub zone from running Unbound. The +i also removes a
diff --git a/unbound-1.16.2/smallapp/unbound-control.c b/unbound-1.16.2/smallapp/unbound-control.c
index c4f73006..57b0787d 100644
--- a/unbound-1.16.2/smallapp/unbound-control.c
+++ b/unbound-1.16.2/smallapp/unbound-control.c
@@ -150,12 +150,13 @@ usage(void)
printf(" list_local_data list local-data RRs in use\n");
printf(" insecure_add zone add domain-insecure zone\n");
printf(" insecure_remove zone remove domain-insecure zone\n");
- printf(" forward_add [+i] zone addr.. add forward-zone with servers\n");
+ printf(" forward_add [+it] zone addr.. add forward-zone with servers\n");
printf(" forward_remove [+i] zone remove forward zone\n");
- printf(" stub_add [+ip] zone addr.. add stub-zone with servers\n");
+ printf(" stub_add [+ipt] zone addr.. add stub-zone with servers\n");
printf(" stub_remove [+i] zone remove stub zone\n");
printf(" +i also do dnssec insecure point\n");
printf(" +p set stub to use priming\n");
+ printf(" +t set to use tls upstream\n");
printf(" forward [off | addr ...] without arg show forward setup\n");
printf(" or off to turn off root forwarding\n");
printf(" or give list of ip addresses\n");

8
unbound.spec
View File

@ -30,7 +30,7 @@
Summary: Validating, recursive, and caching DNS(SEC) resolver Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound Name: unbound
Version: 1.16.2 Version: 1.16.2
Release: 11%{?extra_version:.%{extra_version}}%{?dist} Release: 12%{?extra_version:.%{extra_version}}%{?dist}
License: BSD License: BSD
Url: https://nlnetlabs.nl/projects/unbound/ Url: https://nlnetlabs.nl/projects/unbound/
Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
@ -61,6 +61,8 @@ Source24: unbound-initrd.conf
Patch1: unbound-1.16-CVE-2022-3204.patch Patch1: unbound-1.16-CVE-2022-3204.patch
# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2023-50387_CVE-2023-50868.diff # https://nlnetlabs.nl/downloads/unbound/patch_CVE-2023-50387_CVE-2023-50868.diff
Patch4: unbound-1.16-CVE-2023-50387-CVE-2023-50868.patch Patch4: unbound-1.16-CVE-2023-50387-CVE-2023-50868.patch
# https://github.com/NLnetLabs/unbound/commit/6d1e61173
Patch5: unbound-1.16-control-t-flag.patch
BuildRequires: gcc, make BuildRequires: gcc, make
BuildRequires: flex, openssl-devel BuildRequires: flex, openssl-devel
@ -479,6 +481,10 @@ popd
%{_prefix}/lib/dracut/modules.d/99unbound %{_prefix}/lib/dracut/modules.d/99unbound
%changelog %changelog
* Tue Feb 04 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-12
- Backport +t flag to forward_add and stub_add control commands
- Resolves: RHEL-77791
* Tue Feb 04 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-11 * Tue Feb 04 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-11
- Enabled libsystemd and change unbound service type to notify-reload - Enabled libsystemd and change unbound service type to notify-reload
- Resolves: RHEL-77790 - Resolves: RHEL-77790