Re: [patch] insecure-lan-zones
Hi Dag-Erling,

On 07/02/16 00:29, Dag-Erling Smørgrav via Unbound-users wrote:
> Dag-Erling Smørgrav writes:
>> When using unblock-lan-zones, you will more likely than not also
>> need to disable validation for these zones. The attached patch
>> adds a new configuration option, insecure-lan-zones, which adds
>> all AS112 zones to the list of insecure domains. Note that it
>> moves the list of AS112 zones, which is currently hardcoded in
>> services/localzone.c, into an array in util/as112.c.

Thank you for the patch, I have applied it to the source code! I like the as112 array separation; it makes it easier to maintain.

> I just found an error in the patch: to avoid "cast discards
> qualifier" warnings, as112_zones should be declared as "const
> char**" and not const "char* const*" (the definition of "equivalent
> types" in C makes it hard to use the correct type for const arrays
> of pointers to const objects, so the simplest solution is to not
> declare them as const). Your compiler may or may not care.

I'll go for portable, thank you for the hint.

> BTW, you consistently use "type* ptr", but * is right-associative,
> so the correct notation would be "type *ptr". It makes no
> difference to the compiler, but to the human reader, it indicates
> that the * applies to the identifier and not to the type. For
> instance, "type* p1, p2" incorrectly suggests that both p1 and p2
> are pointers, when in fact only p1 is a pointer; "type *p1, p2"
> makes the difference clearer.

Yes, you are correct, I simply used this notation while writing it. The code sometimes also uses your notation in places, depending on the author.

Automake: tried it, but getting all the conditional options configured into automake is hard, and the initial automake file that I ended up with lost too much (most of the) functionality of the original Makefile. I thereafter rewrote the Makefile system to no longer depend on gnu-make, but be portably compatible with bsd-make (and sun-make). This resolved the practical necessity. But now we still do not use automake.

Best regards,
Wouter
Re: [patch] insecure-lan-zones
Dag-Erling Smørgrav writes:
> When using unblock-lan-zones, you will more likely than not also need to
> disable validation for these zones. The attached patch adds a new
> configuration option, insecure-lan-zones, which adds all AS112 zones to
> the list of insecure domains. Note that it moves the list of AS112
> zones, which is currently hardcoded in services/localzone.c, into an
> array in util/as112.c.

I just found an error in the patch: to avoid "cast discards qualifier" warnings, as112_zones should be declared as "const char**" and not const "char* const*" (the definition of "equivalent types" in C makes it hard to use the correct type for const arrays of pointers to const objects, so the simplest solution is to not declare them as const). Your compiler may or may not care.

BTW, you consistently use "type* ptr", but * is right-associative, so the correct notation would be "type *ptr". It makes no difference to the compiler, but to the human reader, it indicates that the * applies to the identifier and not to the type. For instance, "type* p1, p2" incorrectly suggests that both p1 and p2 are pointers, when in fact only p1 is a pointer; "type *p1, p2" makes the difference clearer.

DES
-- 
Dag-Erling Smørgrav - d...@des.no
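As an added illustration of the declaration question raised in this message (example code written for this page, not code from the thread or from Unbound), the C program below keeps a NULL-terminated table of AS112 zone names as an array of const pointers to const char and passes it to a matcher whose parameter is `const char *const *`. Such an array converts to that parameter type without a cast, whereas passing it where `const char **` is expected is what produces the "discards qualifier" diagnostic. The zone subset is a constructed excerpt (the full list is in RFC 6303 and in Unbound's own util/as112.c), and the function names `name_under_zones` and `is_lan_zone_name` are invented for the example. The matcher does the check the insecure-lan-zones option conceptually needs: decide whether a query name is at or below one of the listed zones, comparing case-insensitively and only on label boundaries, so that a name such as "x10.in-addr.arpa." is not mistaken for part of 10.in-addr.arpa.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed subset of the AS112 zones for this example; Unbound's real
 * table in util/as112.c is longer. The array element type is
 * "const char *const", so the array decays to "const char *const *" and
 * can be passed to name_under_zones() below without a cast. Passing it
 * to a "const char **" parameter would drop the const on the elements,
 * which is the warning discussed in the thread. */
static const char *const as112_zones[] = {
	"10.in-addr.arpa.",
	"168.192.in-addr.arpa.",
	"254.169.in-addr.arpa.",
	"d.f.ip6.arpa.",
	"8.b.d.0.1.0.0.2.ip6.arpa.",
	NULL
};

/* Case-insensitive equality of two presentation-format DNS names. */
static int name_eq(const char *a, const char *b)
{
	for (; *a && *b; a++, b++)
		if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
			return 0;
	return *a == *b;
}

/* Return 1 if name (fully qualified, with trailing dot) is equal to or
 * below one of the zones in the NULL-terminated list, else 0. The zone
 * must match a whole suffix of labels, never the tail of a label. */
int name_under_zones(const char *const *zones, const char *name)
{
	size_t nlen = strlen(name);
	for (; *zones != NULL; zones++) {
		size_t zlen = strlen(*zones);
		const char *tail;
		if (zlen > nlen)
			continue;
		tail = name + (nlen - zlen);
		if (tail != name && tail[-1] != '.')
			continue; /* suffix starts mid-label, e.g. "x10.in-addr.arpa." */
		if (name_eq(tail, *zones))
			return 1;
	}
	return 0;
}

/* Convenience wrapper over the example table: accepts names with or
 * without the trailing dot; overlong or empty names are reported as
 * not matching. */
int is_lan_zone_name(const char *name)
{
	char buf[256];
	size_t n = strlen(name);
	if (n == 0 || n >= sizeof(buf) - 1)
		return 0;
	memcpy(buf, name, n);
	if (buf[n - 1] != '.')
		buf[n++] = '.';
	buf[n] = '\0';
	return name_under_zones(as112_zones, buf);
}

int main(void)
{
	/* Constructed sample query names. */
	const char *samples[] = {
		"1.0.168.192.in-addr.arpa",
		"4.3.2.1.in-addr.arpa.",
		"x10.in-addr.arpa.",
		NULL
	};
	for (const char **s = samples; *s != NULL; s++)
		printf("%-28s %s\n", *s,
		       is_lan_zone_name(*s) ? "AS112 zone (validation skipped)"
		                            : "not an AS112 zone (validated)");
	return 0;
}
```

The label-boundary check is the part worth keeping in mind when a resolver maps names to a "validation off" list: a plain suffix comparison would let an attacker-chosen name that merely ends in the same characters as a private reverse zone slip past validation, so the match must be anchored at a dot.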
Re: [patch] insecure-lan-zones
Dag-Erling Smørgrav via Unbound-users wrote:
> I hope I got the Makefile.in part right - it's pretty gross. Why don't
> you use automake?

+1 to Automake :-) Hacking on Unbound's Makefile.in is not fun.

-- 
Robert Edmonds
edmo...@debian.org
[patch] insecure-lan-zones
When using unblock-lan-zones, you will more likely than not also need to disable validation for these zones. The attached patch adds a new configuration option, insecure-lan-zones, which adds all AS112 zones to the list of insecure domains. Note that it moves the list of AS112 zones, which is currently hardcoded in services/localzone.c, into an array in util/as112.c.

I hope I got the Makefile.in part right - it's pretty gross. Why don't you use automake?

DES
-- 
Dag-Erling Smørgrav - d...@des.no

Index: Makefile.in === --- Makefile.in (revision 3613) +++ Makefile.in (working copy) @@ -96,7 +96,7 @@ # libunbound_wrap.lo if python libunbound wrapper enabled. PYUNBOUND_OBJ=@PYUNBOUND_OBJ@ COMMON_SRC=services/cache/dns.c services/cache/infra.c services/cache/rrset.c \ -util/data/dname.c util/data/msgencode.c util/data/msgparse.c \ +util/as112.c util/data/dname.c util/data/msgencode.c util/data/msgparse.c \ util/data/msgreply.c util/data/packed_rrset.c iterator/iterator.c \ iterator/iter_delegpt.c iterator/iter_donotq.c iterator/iter_fwd.c \ iterator/iter_hints.c iterator/iter_priv.c iterator/iter_resptype.c \ @@ -114,7 +114,7 @@ validator/val_secalgo.c validator/val_sigcrypt.c \ validator/val_utils.c dns64/dns64.c $(CHECKLOCK_SRC) $(DNSTAP_SRC) COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \ -msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \ +as112.lo msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \ iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \ iter_scrub.lo iter_utils.lo localzone.lo mesh.lo modstack.lo \ outbound_list.lo alloc.lo config_file.lo configlexer.lo configparser.lo \ 
@@ -596,6 +596,7 @@ rm -f $(DEPEND_TMP) $(DEPEND_TMP2) # Dependencies +as112.lo as112.o: $(srcdir)/util/as112.c $(srcdir)/util/as112.h dns.lo dns.o: $(srcdir)/services/cache/dns.c config.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h \ $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/locks.h $(srcdir)/services/cache/dns.h $(srcdir)/util/data/msgreply.h \ @@ -703,7 +704,7 @@ $(srcdir)/sldns/sbuffer.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h \ $(srcdir)/util/net_help.h $(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/as112.h mesh.lo mesh.o: $(srcdir)/services/mesh.c config.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/netevent.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \ 
@@ -822,7 +823,7 @@ $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_sigcrypt.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/validator/autotrust.h \ $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h + $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h $(srcdir}/util/as112.h validator.lo validator.o: $(srcdir)/validator/validator.c config.h $(srcdir)/validator/validator.h \ $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ Index: doc/example.conf.in === --- doc/example.conf.in (revision 3613) +++ doc/example.conf.in (working copy) @@ -517,7 +517,7 @@ # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa. - # if unbound is running service for the local host then it is useful + # If unbound is running service for the local host then it is useful # to perform lan-wide lookups to the upstream, and unblock the # long list of local-zones above. If this unbound is a dns server # for a network of computers, disabled is better and stops information @@ -524,6 +524,10 @@ # leakage of local lan information. # unblock-lan-zones: no + # The insecure-lan-zones option disables validation for + # these zones, as if they were all listed as domain-insecure. + # insecure-lan-zones: no + # a number of locally served zones can be configured. # local-zone: # local-data: "" Index: doc/unbound.conf.5.in === --- doc/unbound.conf.5.in (revision 3613) +++ doc/unbound.conf.5.in (working copy) @@ -857,6 +857,11 @@ lookups should be fil
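Review bot: the added dependency `$(srcdir}/util/as112.h` in the Makefile.in hunk at @@ -822,7 +823,7 @@ has a mismatched bracket (`$(srcdir}` instead of `$(srcdir)`), so make will not expand it as a variable reference and the rule is malformed; it should read `$(srcdir)/util/as112.h`, matching the other `$(srcdir)/...` entries on that line.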
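Review bot: the new rule `as112.lo as112.o: $(srcdir)/util/as112.c $(srcdir)/util/as112.h` in the Makefile.in hunk at @@ -596,6 +596,7 @@ lists no config.h, whereas the neighbouring `dns.lo dns.o:` rule does; if util/as112.c includes config.h like the rest of the tree, add it so a configure change rebuilds the object. The `rm -f $(DEPEND_TMP) $(DEPEND_TMP2)` context shows this block is produced by the depend target, so regenerating it is safer than editing it by hand.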
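Review bot: the doc/example.conf.in hunk at @@ -517,7 +517,7 @@ only changes `# if unbound is running service` to `# If unbound is running service`, a cosmetic edit unrelated to the new option; keep it out of this patch, or call it out in the description, so the functional change stays easy to review.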
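Review bot: the new comment in the doc/example.conf.in hunk at @@ -524,6 +524,10 @@ should state that insecure-lan-zones only makes sense together with unblock-lan-zones (as the cover letter explains) and that it switches off DNSSEC validation solely for the AS112 zones listed above, not globally, so an operator does not read it as a general validation switch; for example add `# Use together with unblock-lan-zones; validation is skipped only for those zones.` before `# insecure-lan-zones: no`.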