rpms/unbound
5
0
Fork 0
Code Issues Pull Requests Releases Activity
c9s
unbound/unbound-1.16-control-t-flag.patch
Tomas Korbar aa29997235 Backport +t flag to forward_add and stub_add control commands 
+t flag allows unbound-control to add servers which are to be
contacted through dns-over-tls protocol.

Resolves: RHEL-77791
2025-02-05 16:21:31 +01:00

130 lines
5.5 KiB
Diff
Raw Permalink Blame History

commit 6d1e61173bbf44dae458c361be63217f7e9e5599
Author: W.C.A. Wijngaards <wouter@nlnetlabs.nl>
Date: Thu Mar 28 09:58:03 2024 +0100
- Fix #1034: DoT forward-zone via unbound-control.
diff --git a/unbound-1.16.2/daemon/remote.c b/unbound-1.16.2/daemon/remote.c
index 5d79eafd..cbce1198 100644
--- a/unbound-1.16.2/daemon/remote.c
+++ b/unbound-1.16.2/daemon/remote.c
@@ -2097,7 +2097,7 @@ do_forward(RES* ssl, struct worker* worker, char* args)
static int
parse_fs_args(RES* ssl, char* args, uint8_t** nm, struct delegpt** dp,
- int* insecure, int* prime)
+ int* insecure, int* prime, int* tls)
{
char* zonename;
char* rest;
@@ -2112,6 +2112,8 @@ parse_fs_args(RES* ssl, char* args, uint8_t** nm, struct delegpt** dp,
*insecure = 1;
else if(*args == 'p' && prime)
*prime = 1;
+ else if(*args == 't' && tls)
+ *tls = 1;
else {
(void)ssl_printf(ssl, "error: unknown option %s\n", args);
return 0;
@@ -2144,11 +2146,13 @@ static void
do_forward_add(RES* ssl, struct worker* worker, char* args)
{
struct iter_forwards* fwd = worker->env.fwds;
- int insecure = 0;
+ int insecure = 0, tls = 0;
uint8_t* nm = NULL;
struct delegpt* dp = NULL;
- if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, NULL))
+ if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, NULL, &tls))
return;
+ if(tls)
+ dp->ssl_upstream = 1;
if(insecure && worker->env.anchors) {
if(!anchors_add_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
nm)) {
@@ -2174,7 +2178,7 @@ do_forward_remove(RES* ssl, struct worker* worker, char* args)
struct iter_forwards* fwd = worker->env.fwds;
int insecure = 0;
uint8_t* nm = NULL;
- if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL))
+ if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL, NULL))
return;
if(insecure && worker->env.anchors)
anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
@@ -2189,11 +2193,13 @@ static void
do_stub_add(RES* ssl, struct worker* worker, char* args)
{
struct iter_forwards* fwd = worker->env.fwds;
- int insecure = 0, prime = 0;
+ int insecure = 0, prime = 0, tls = 0;
uint8_t* nm = NULL;
struct delegpt* dp = NULL;
- if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, &prime))
+ if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, &prime, &tls))
return;
+ if(tls)
+ dp->ssl_upstream = 1;
if(insecure && worker->env.anchors) {
if(!anchors_add_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
nm)) {
@@ -2232,7 +2238,7 @@ do_stub_remove(RES* ssl, struct worker* worker, char* args)
struct iter_forwards* fwd = worker->env.fwds;
int insecure = 0;
uint8_t* nm = NULL;
- if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL))
+ if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL, NULL))
return;
if(insecure && worker->env.anchors)
anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
diff --git a/unbound-1.16.2/doc/unbound-control.8.in b/unbound-1.16.2/doc/unbound-control.8.in
index 7823de3a..642b4c94 100644
--- a/unbound-1.16.2/doc/unbound-control.8.in
+++ b/unbound-1.16.2/doc/unbound-control.8.in
@@ -239,22 +239,24 @@ still be bogus, use \fBflush_zone\fR to remove it), does not affect the config f
.B insecure_remove \fIzone
Removes domain\-insecure for the given zone.
.TP
-.B forward_add \fR[\fI+i\fR] \fIzone addr ...
+.B forward_add \fR[\fI+it\fR] \fIzone addr ...
Add a new forward zone to running Unbound. With +i option also adds a
\fIdomain\-insecure\fR for the zone (so it can resolve insecurely if you have
a DNSSEC root trust anchor configured for other names).
The addr can be IP4, IP6 or nameserver names, like \fIforward-zone\fR config
in unbound.conf.
+The +t option sets it to use tls upstream, like \fIforward\-tls\-upstream\fR: yes.
.TP
.B forward_remove \fR[\fI+i\fR] \fIzone
Remove a forward zone from running Unbound. The +i also removes a
\fIdomain\-insecure\fR for the zone.
.TP
-.B stub_add \fR[\fI+ip\fR] \fIzone addr ...
+.B stub_add \fR[\fI+ipt\fR] \fIzone addr ...
Add a new stub zone to running Unbound. With +i option also adds a
\fIdomain\-insecure\fR for the zone. With +p the stub zone is set to prime,
without it it is set to notprime. The addr can be IP4, IP6 or nameserver
names, like the \fIstub-zone\fR config in unbound.conf.
+The +t option sets it to use tls upstream, like \fIstub\-tls\-upstream\fR: yes.
.TP
.B stub_remove \fR[\fI+i\fR] \fIzone
Remove a stub zone from running Unbound. The +i also removes a
diff --git a/unbound-1.16.2/smallapp/unbound-control.c b/unbound-1.16.2/smallapp/unbound-control.c
index c4f73006..57b0787d 100644
--- a/unbound-1.16.2/smallapp/unbound-control.c
+++ b/unbound-1.16.2/smallapp/unbound-control.c
@@ -150,12 +150,13 @@ usage(void)
printf(" list_local_data list local-data RRs in use\n");
printf(" insecure_add zone add domain-insecure zone\n");
printf(" insecure_remove zone remove domain-insecure zone\n");
- printf(" forward_add [+i] zone addr.. add forward-zone with servers\n");
+ printf(" forward_add [+it] zone addr.. add forward-zone with servers\n");
printf(" forward_remove [+i] zone remove forward zone\n");
- printf(" stub_add [+ip] zone addr.. add stub-zone with servers\n");
+ printf(" stub_add [+ipt] zone addr.. add stub-zone with servers\n");
printf(" stub_remove [+i] zone remove stub zone\n");
printf(" +i also do dnssec insecure point\n");
printf(" +p set stub to use priming\n");
+ printf(" +t set to use tls upstream\n");
printf(" forward [off | addr ...] without arg show forward setup\n");
printf(" or off to turn off root forwarding\n");
printf(" or give list of ip addresses\n");
Reference in New Issue View Git Blame Copy Permalink