[ldns-users] drill: automatic -k with /etc/trusted-key.key?
Havard Eidnes
he at uninett.no
Mon Oct 8 12:57:30 UTC 2012
Hi,
I had occasion to start looking at "drill" again, after briefly
having looked at "dig +sigchase". Dig compiled with sigchase
support automatically trusts the key in /etc/trusted-key.key if
it exists, so that one can avoid always needing to supply
"+trusted-key=<keyfile>" when using dig to do DNSSEC checking.
Would it not be useful to avoid needing to specify "-k <keyfile>"
as well for drill?
The attached patch does this.
Regards,
- Håvard
-------------- next part --------------
For compatibility with dig, if neither -k <key> nor -D is specified,
read /etc/trusted-key.key if it exists, and if successful, turn on
DNSSEC handling.
--- drill/drill.c.orig 2012-01-20 10:18:41.000000000 +0000
+++ drill/drill.c
@@ -10,6 +10,8 @@
#include "drill.h"
#include <ldns/ldns.h>
+#include <sys/stat.h>
+
#ifdef HAVE_SSL
#include <openssl/err.h>
#endif
@@ -397,6 +399,25 @@ main(int argc, char *argv[])
argc -= optind;
argv += optind;
+ /*
+ * If DNSSEC isn't enabled already, and /etc/trusted-key.key
+ * exists, try to read it and turn on DNSSEC handling if successful.
+ */
+ {
+ struct stat sb;
+
+ if (stat("/etc/trusted-key.key", &sb) == 0) {
+ if (qdnssec != true) {
+ status = read_key_file("/etc/trusted-key.key", key_list);
+ if (status != LDNS_STATUS_OK) {
+ error("Could not parse the key file /etc/trusted-key.key: %s", ldns_get_errorstr_by_id(status));
+ } else {
+ qdnssec = true; /* OK key, turn on DNSSEC */
+ }
+ }
+ }
+ }
+
/* do a secure trace when requested */
if (PURPOSE == DRILL_TRACE && qdnssec) {
#ifdef HAVE_SSL
More information about the ldns-users
mailing list