DoT for libunbound

Wouter Wijngaards wouter at nlnetlabs.nl
Mon Jan 28 08:26:42 UTC 2019


Hi Florian,

Thank you for the patch.  The code looks fine and I have fixed up the
build system for the added library function symbol.

Best regards, Wouter

On 1/27/19 6:32 PM, Florian Obser via Unbound-users wrote:
> Hi,
> 
> I'd like to use DoT in libunbound but it doesn't look like I can
> enable it short of loading a whole unbound.conf via ub_ctx_config().
> 
> I came up with the following, does this look reasonable? Should this
> be done a different way maybe via ub_ctx_set_option()?
> 
> This needs a lib bump if it goes in, but I'm not too familiar with the
> build system and wouldn't know how to do that.
> 
> Thanks,
> Florian
> 
> diff --git doc/libunbound.3.in doc/libunbound.3.in
> index 62d5f045490..69b09174dd0 100644
> --- doc/libunbound.3.in
> +++ doc/libunbound.3.in
> @@ -20,6 +20,7 @@
>  .B ub_ctx_config,
>  .B ub_ctx_set_fwd,
>  .B ub_ctx_set_stub,
> +.B ub_ctx_set_tls,
>  .B ub_ctx_resolvconf,
>  .B ub_ctx_hosts,
>  .B ub_ctx_add_ta,
> @@ -72,6 +73,9 @@
>  		\fIint\fR isprime);
>  .LP
>  \fIint\fR
> +\fBub_ctx_set_tls\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR tls);
> +.LP
> +\fIint\fR
>  \fBub_ctx_resolvconf\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
>  .LP
>  \fIint\fR
> @@ -227,6 +231,12 @@ for different zones, or to add multiple addresses for a particular zone.
>  At this time it is only possible to set configuration before the
>  first resolve is done.
>  .TP
> +.B ub_ctx_set_tls
> +Enable DNS over TLS (DoT) for machines set with 
> +.B ub_ctx_set_fwd.
> +At this time it is only possible to set configuration before the
> +first resolve is done.
> +.TP
>  .B ub_ctx_resolvconf
>  By default the root servers are queried and full resolver mode is used, but
>  you can use this call to read the list of nameservers to use from the
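Review bot: the new man page entry does not say what the `tls` argument's values mean (nonzero to enable, 0 to disable, going by the implementation) and does not say whether the TLS connection to the forwarder is authenticated or only encrypted; that is the question a caller of this function will have, so the description should answer it. Two smaller points in the same hunk: the line "Enable DNS over TLS (DoT) for machines set with " carries trailing whitespace, and `.B ub_ctx_set_fwd.` sets the full stop in bold; `.BR ub_ctx_set_fwd .` keeps only the name bold.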
> diff --git libunbound/libunbound.c libunbound/libunbound.c
> index 31adbd54dcd..ee7ef4a9a76 100644
> --- libunbound/libunbound.c
> +++ libunbound/libunbound.c
> @@ -966,6 +966,19 @@ ub_ctx_set_fwd(struct ub_ctx* ctx, const char* addr)
>  	return UB_NOERROR;
>  }
>  
> +int ub_ctx_set_tls(struct ub_ctx* ctx, int tls)
> +{
> +	lock_basic_lock(&ctx->cfglock);
> +	if(ctx->finalized) {
> +		lock_basic_unlock(&ctx->cfglock);
> +		errno=EINVAL;
> +		return UB_AFTERFINAL;
> +	}
> +	ctx->env->cfg->ssl_upstream = tls;
> +	lock_basic_unlock(&ctx->cfglock);
> +	return UB_NOERROR;
> +}
> +
>  int ub_ctx_set_stub(struct ub_ctx* ctx, const char* zone, const char* addr,
>  	int isprime)
>  {
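Review bot: `ctx->env->cfg->ssl_upstream = tls;` stores whatever integer the caller passes into the config flag; normalise it, e.g. `ctx->env->cfg->ssl_upstream = (tls != 0);`, so the field only ever holds 0 or 1 regardless of the argument. The locking, the finalized check and the `UB_AFTERFINAL` return mirror the `ub_ctx_set_fwd` code above it, which is the right pattern. Note also that the function switches the upstream transport to TLS but the patch adds no companion control for verifying the forwarder's certificate, so the header comment should state plainly what the caller does and does not get from this flag.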
> diff --git libunbound/ubsyms.def libunbound/ubsyms.def
> index 0d8e6af91ee..0ace984fa30 100644
> --- libunbound/ubsyms.def
> +++ libunbound/ubsyms.def
> @@ -20,6 +20,7 @@ ub_ctx_set_event
>  ub_ctx_set_fwd
>  ub_ctx_set_option
>  ub_ctx_set_stub
> +ub_ctx_set_tls
>  ub_ctx_trustedkeys
>  ub_ctx_zone_add
>  ub_ctx_zone_remove
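Review bot: the export list gains `ub_ctx_set_tls` in the right alphabetical position, but the library version bump the cover letter says a new exported symbol requires is not part of this patch; whoever merges this needs to apply it together with this hunk so the new symbol ships in a correctly versioned library.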
> diff --git libunbound/unbound.h libunbound/unbound.h
> index 90766b06236..8074e3ac5ba 100644
> --- libunbound/unbound.h
> +++ libunbound/unbound.h
> @@ -309,6 +309,17 @@ int ub_ctx_config(struct ub_ctx* ctx, const char* fname);
>   */
>  int ub_ctx_set_fwd(struct ub_ctx* ctx, const char* addr);
>  
> +/**
> + * Use DNS over TLS to send queries to machines set with ub_ctx_set_fwd().
> + *
> + * @param ctx: context.
> + *	At this time it is only possible to set configuration before the
> + *	first resolve is done.
> + * @param tls: enable or disable DNS over TLS
> + * @return 0 if OK, else error.
> + */
> +int ub_ctx_set_tls(struct ub_ctx* ctx, int tls);
> +
>  /**
>   * Add a stub zone, with given address to send to.  This is for custom
>   * root hints or pointing to a local authoritative dns server.
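Review bot: the sentence "At this time it is only possible to set configuration before the first resolve is done." is placed under `@param ctx` but describes the function, not the argument; move it into the description above the parameter list. `@param tls` should state the accepted values (nonzero enables DNS over TLS, 0 disables it), and `@return` should mention that the call returns `UB_AFTERFINAL` when the context has already been finalized, as the implementation in libunbound.c does.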
> 
> 


