
From 81e9f82a8ddd811d7ebafe2fd0ee5af836d0b405 Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards <wouter@nlnetlabs.nl>
Date: Wed, 4 Jul 2018 10:02:16 +0000
Subject: [PATCH] - Fix #4112: Fix that unbound-anchor -f /etc/resolv.conf will
 not pass   if DNSSEC is not enabled.  New option -R allows fallback from  
 resolv.conf to direct queries.
git-svn-id: file:///svn/unbound/trunk@4770 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 doc/unbound-anchor.8.in   |  5 ++++
 smallapp/unbound-anchor.c | 66 ++++++++++++++++++++++++++++++++++-------------
 2 files changed, 53 insertions(+), 18 deletions(-)
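diff --git a/doc/unbound-anchor.8.in b/doc/unbound-anchor.8.in
index 02a3e781..e114eb25 100644
--- a/doc/unbound-anchor.8.in
+++ b/doc/unbound-anchor.8.in
@@ -109,6 +109,11 @@ It does so, because the tool when used for bootstrapping the recursive
 resolver, cannot use that recursive resolver itself because it is bootstrapping
 that server.
 .TP
+.B \-R
+Allow fallback from \-f resolv.conf file to direct root servers query.
+It allows you to prefer local resolvers, but fallback automatically
+to direct root query if they do not respond or do not support DNSSEC.
+.TP
 .B \-v
 More verbose. Once prints informational messages, multiple times may enable
 large debug amounts (such as full certificates or byte\-dumps of downloaded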
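diff --git a/smallapp/unbound-anchor.c b/smallapp/unbound-anchor.c
index b3009108..f3985090 100644
--- a/smallapp/unbound-anchor.c
+++ b/smallapp/unbound-anchor.c
@@ -192,9 +192,10 @@ usage(void)
 	printf("-n name		signer's subject emailAddress, default %s\n", P7SIGNER);
 	printf("-4		work using IPv4 only\n");
 	printf("-6		work using IPv6 only\n");
-	printf("-f resolv.conf	use given resolv.conf to resolve -u name\n");
-	printf("-r root.hints	use given root.hints to resolve -u name\n"
+	printf("-f resolv.conf	use given resolv.conf\n");
+	printf("-r root.hints	use given root.hints\n"
 		"		builtin root hints are used by default\n");
+	printf("-R		fallback from -f to root query on error\n");
 	printf("-v		more verbose\n");
 	printf("-C conf		debug, read config\n");
 	printf("-P port		use port for https connect, default 443\n");
@@ -1920,8 +1921,7 @@ static int
 do_certupdate(const char* root_anchor_file, const char* root_cert_file,
 	const char* urlname, const char* xmlname, const char* p7sname,
 	const char* p7signer, const char* res_conf, const char* root_hints,
-	const char* debugconf, int ip4only, int ip6only, int port,
-	struct ub_result* dnskey)
+	const char* debugconf, int ip4only, int ip6only, int port)
 {
 	STACK_OF(X509)* cert;
 	BIO *xml, *p7s;
@@ -1961,7 +1961,6 @@ do_certupdate(const char* root_anchor_file, const char* root_cert_file,
 #ifndef S_SPLINT_S
 	sk_X509_pop_free(cert, X509_free);
 #endif
-	ub_resolve_free(dnskey);
 	ip_list_free(ip_list);
 	return 1;
 }
@@ -2199,16 +2198,33 @@ probe_date_allows_certupdate(const char* root_anchor_file)
 	return 0;
 }
 
+static struct ub_result *
+fetch_root_key(const char* root_anchor_file, const char* res_conf,
+	const char* root_hints, const char* debugconf,
+	int ip4only, int ip6only)
+{
+	struct ub_ctx* ctx;
+	struct ub_result* dnskey;
+
+	ctx = create_unbound_context(res_conf, root_hints, debugconf,
+		ip4only, ip6only);
+	add_5011_probe_root(ctx, root_anchor_file);
+	dnskey = prime_root_key(ctx);
+	ub_ctx_delete(ctx);
+	return dnskey;
+}
+
 /** perform the unbound-anchor work */
 static int
 do_root_update_work(const char* root_anchor_file, const char* root_cert_file,
 	const char* urlname, const char* xmlname, const char* p7sname,
 	const char* p7signer, const char* res_conf, const char* root_hints,
-	const char* debugconf, int ip4only, int ip6only, int force, int port)
+	const char* debugconf, int ip4only, int ip6only, int force,
+	int res_conf_fallback, int port)
 {
-	struct ub_ctx* ctx;
 	struct ub_result* dnskey;
 	int used_builtin = 0;
+	int rcode;
 
 	/* see if builtin rootanchor needs to be provided, or if
 	 * rootanchor is 'revoked-trust-point' */
@@ -2217,12 +2233,22 @@ do_root_update_work(const char* root_anchor_file, const char* root_cert_file,
 
 	/* make unbound context with 5011-probe for root anchor,
 	 * and probe . DNSKEY */
-	ctx = create_unbound_context(res_conf, root_hints, debugconf,
-		ip4only, ip6only);
-	add_5011_probe_root(ctx, root_anchor_file);
-	dnskey = prime_root_key(ctx);
-	ub_ctx_delete(ctx);
-	
+	dnskey = fetch_root_key(root_anchor_file, res_conf,
+		root_hints, debugconf, ip4only, ip6only);
+	rcode = dnskey->rcode;
+
+	if (res_conf_fallback && res_conf && !dnskey->secure) {
+		if (verb) printf("%s failed, retrying direct\n", res_conf);
+		ub_resolve_free(dnskey);
+		/* try direct query without res_conf */
+		dnskey = fetch_root_key(root_anchor_file, NULL,
+			root_hints, debugconf, ip4only, ip6only);
+		if (rcode != 0 && dnskey->rcode == 0) {
+			res_conf = NULL;
+			rcode = 0;
+		}
+	}
+
 	/* if secure: exit */
 	if(dnskey->secure && !force) {
 		if(verb) printf("success: the anchor is ok\n");
@@ -2230,18 +2256,18 @@ do_root_update_work(const char* root_anchor_file, const char* root_cert_file,
 		return used_builtin;
 	}
 	if(force && verb) printf("debug cert update forced\n");
+	ub_resolve_free(dnskey);
 
 	/* if not (and NOERROR): check date and do certupdate */
-	if((dnskey->rcode == 0 &&
+	if((rcode == 0 &&
 		probe_date_allows_certupdate(root_anchor_file)) || force) {
 		if(do_certupdate(root_anchor_file, root_cert_file, urlname,
 			xmlname, p7sname, p7signer, res_conf, root_hints,
-			debugconf, ip4only, ip6only, port, dnskey))
+			debugconf, ip4only, ip6only, port))
 			return 1;
 		return used_builtin;
 	}
 	if(verb) printf("fail: the anchor is NOT ok and could not be fixed\n");
-	ub_resolve_free(dnskey);
 	return used_builtin;
 }
 
@@ -2264,8 +2290,9 @@ int main(int argc, char* argv[])
 	const char* root_hints = NULL;
 	const char* debugconf = NULL;
 	int dolist=0, ip4only=0, ip6only=0, force=0, port = HTTPS_PORT;
+	int res_conf_fallback = 0;
 	/* parse the options */
-	while( (c=getopt(argc, argv, "46C:FP:a:c:f:hln:r:s:u:vx:")) != -1) {
+	while( (c=getopt(argc, argv, "46C:FRP:a:c:f:hln:r:s:u:vx:")) != -1) {
 		switch(c) {
 		case 'l':
 			dolist = 1;
@@ -2300,6 +2327,9 @@ int main(int argc, char* argv[])
 		case 'r':
 			root_hints = optarg;
 			break;
+		case 'R':
+			res_conf_fallback = 1;
+			break;
 		case 'C':
 			debugconf = optarg;
 			break;
@@ -2346,5 +2376,5 @@ int main(int argc, char* argv[])
 
 	return do_root_update_work(root_anchor_file, root_cert_file, urlname,
 		xmlname, p7sname, p7signer, res_conf, root_hints, debugconf,
-		ip4only, ip6only, force, port);
+		ip4only, ip6only, force, res_conf_fallback, port);
 }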
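Review bot: `fetch_root_key` is added without the `/** ... */` header that the neighbouring functions carry (compare `/** perform the unbound-anchor work */` directly below it), and the new `res_conf_fallback` parameter of `do_root_update_work` is likewise undocumented; suggest `/** probe the root DNSKEY through a fresh context; res_conf NULL means query the root servers directly. Caller frees the result with ub_resolve_free. */` above the helper, and a note on `res_conf_fallback` saying it enables one retry without res_conf when the first probe is not secure. In the fallback branch `rcode` keeps the first probe's value unless the resolver returned an error and the direct query returned NOERROR, so the later `rcode == 0` certupdate decision and the `dnskey->secure` check can come from different queries; if that is intended (keep the local resolver for the HTTPS fetch whenever it answered), a one-line comment on `if (rcode != 0 && dnskey->rcode == 0)` would make it explicit. The retry also fires on any `!dnskey->secure`, including a validating resolver with a stale anchor, which is broader than the man page's "do not respond or do not support DNSSEC" wording. The `dnskey` dereferences without a NULL check are unchanged from the original code; prime_root_key and the success branch of do_root_update_work lie outside this hunk.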
-- 
2.14.4