commit 6d1e61173bbf44dae458c361be63217f7e9e5599 Author: W.C.A. Wijngaards Date: Thu Mar 28 09:58:03 2024 +0100 - Fix #1034: DoT forward-zone via unbound-control. diff --git a/unbound-1.16.2/daemon/remote.c b/unbound-1.16.2/daemon/remote.c index 5d79eafd..cbce1198 100644 --- a/unbound-1.16.2/daemon/remote.c +++ b/unbound-1.16.2/daemon/remote.c @@ -2097,7 +2097,7 @@ do_forward(RES* ssl, struct worker* worker, char* args) static int parse_fs_args(RES* ssl, char* args, uint8_t** nm, struct delegpt** dp, - int* insecure, int* prime) + int* insecure, int* prime, int* tls) { char* zonename; char* rest; @@ -2112,6 +2112,8 @@ parse_fs_args(RES* ssl, char* args, uint8_t** nm, struct delegpt** dp, *insecure = 1; else if(*args == 'p' && prime) *prime = 1; + else if(*args == 't' && tls) + *tls = 1; else { (void)ssl_printf(ssl, "error: unknown option %s\n", args); return 0; @@ -2144,11 +2146,13 @@ static void do_forward_add(RES* ssl, struct worker* worker, char* args) { struct iter_forwards* fwd = worker->env.fwds; - int insecure = 0; + int insecure = 0, tls = 0; uint8_t* nm = NULL; struct delegpt* dp = NULL; - if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, NULL)) + if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, NULL, &tls)) return; + if(tls) + dp->ssl_upstream = 1; if(insecure && worker->env.anchors) { if(!anchors_add_insecure(worker->env.anchors, LDNS_RR_CLASS_IN, nm)) { @@ -2174,7 +2178,7 @@ do_forward_remove(RES* ssl, struct worker* worker, char* args) struct iter_forwards* fwd = worker->env.fwds; int insecure = 0; uint8_t* nm = NULL; - if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL)) + if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL, NULL)) return; if(insecure && worker->env.anchors) anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN, @@ -2189,11 +2193,13 @@ static void do_stub_add(RES* ssl, struct worker* worker, char* args) { struct iter_forwards* fwd = worker->env.fwds; - int insecure = 0, prime = 0; + int insecure = 0, prime = 0, tls = 0; uint8_t* nm = NULL; struct delegpt* dp = NULL; - if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, &prime)) + if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, &prime, &tls)) return; + if(tls) + dp->ssl_upstream = 1; if(insecure && worker->env.anchors) { if(!anchors_add_insecure(worker->env.anchors, LDNS_RR_CLASS_IN, nm)) { @@ -2232,7 +2238,7 @@ do_stub_remove(RES* ssl, struct worker* worker, char* args) struct iter_forwards* fwd = worker->env.fwds; int insecure = 0; uint8_t* nm = NULL; - if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL)) + if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL, NULL)) return; if(insecure && worker->env.anchors) anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN, diff --git a/unbound-1.16.2/doc/unbound-control.8.in b/unbound-1.16.2/doc/unbound-control.8.in index 7823de3a..642b4c94 100644 --- a/unbound-1.16.2/doc/unbound-control.8.in +++ b/unbound-1.16.2/doc/unbound-control.8.in @@ -239,22 +239,24 @@ still be bogus, use \fBflush_zone\fR to remove it), does not affect the config f .B insecure_remove \fIzone Removes domain\-insecure for the given zone. .TP -.B forward_add \fR[\fI+i\fR] \fIzone addr ... +.B forward_add \fR[\fI+it\fR] \fIzone addr ... Add a new forward zone to running Unbound. With +i option also adds a \fIdomain\-insecure\fR for the zone (so it can resolve insecurely if you have a DNSSEC root trust anchor configured for other names). The addr can be IP4, IP6 or nameserver names, like \fIforward-zone\fR config in unbound.conf. +The +t option sets it to use tls upstream, like \fIforward\-tls\-upstream\fR: yes. .TP .B forward_remove \fR[\fI+i\fR] \fIzone Remove a forward zone from running Unbound. The +i also removes a \fIdomain\-insecure\fR for the zone. .TP -.B stub_add \fR[\fI+ip\fR] \fIzone addr ... +.B stub_add \fR[\fI+ipt\fR] \fIzone addr ... Add a new stub zone to running Unbound. With +i option also adds a \fIdomain\-insecure\fR for the zone. With +p the stub zone is set to prime, without it it is set to notprime. The addr can be IP4, IP6 or nameserver names, like the \fIstub-zone\fR config in unbound.conf. +The +t option sets it to use tls upstream, like \fIstub\-tls\-upstream\fR: yes. .TP .B stub_remove \fR[\fI+i\fR] \fIzone Remove a stub zone from running Unbound. The +i also removes a diff --git a/unbound-1.16.2/smallapp/unbound-control.c b/unbound-1.16.2/smallapp/unbound-control.c index c4f73006..57b0787d 100644 --- a/unbound-1.16.2/smallapp/unbound-control.c +++ b/unbound-1.16.2/smallapp/unbound-control.c @@ -150,12 +150,13 @@ usage(void) printf(" list_local_data list local-data RRs in use\n"); printf(" insecure_add zone add domain-insecure zone\n"); printf(" insecure_remove zone remove domain-insecure zone\n"); - printf(" forward_add [+i] zone addr.. add forward-zone with servers\n"); + printf(" forward_add [+it] zone addr.. add forward-zone with servers\n"); printf(" forward_remove [+i] zone remove forward zone\n"); - printf(" stub_add [+ip] zone addr.. add stub-zone with servers\n"); + printf(" stub_add [+ipt] zone addr.. add stub-zone with servers\n"); printf(" stub_remove [+i] zone remove stub zone\n"); printf(" +i also do dnssec insecure point\n"); printf(" +p set stub to use priming\n"); + printf(" +t set to use tls upstream\n"); printf(" forward [off | addr ...] without arg show forward setup\n"); printf(" or off to turn off root forwarding\n"); printf(" or give list of ip addresses\n");