Re: [patch] insecure-lan-zones

2016-02-06 Thread Dag-Erling Smørgrav via Unbound-users
Dag-Erling Smørgrav  writes:
> When using unblock-lan-zones, you will more likely than not also need to
> disable validation for these zones.  The attached patch adds a new
> configuration option, insecure-lan-zones, which adds all AS112 zones to
> the list of insecure domains.  Note that it moves the list of AS112
> zones, which is currently hardcoded in services/localzone.c, into an
> array in util/as112.c.

I just found an error in the patch: to avoid "cast discards qualifier"
warnings, as112_zones should be declared as "const char**" and not
"const char* const*" (the definition of "equivalent types" in C makes it
hard to use the correct type for const arrays of pointers to const
objects, so the simplest solution is to not declare them as const).  Your
compiler may or may not care.

BTW, you consistently use "type* ptr", but * is right-associative, so
the correct notation would be "type *ptr".  It makes no difference to
the compiler, but to the human reader, it indicates that the * applies
to the identifier and not to the type.  For instance, "type* p1, p2"
incorrectly suggests that both p1 and p2 are pointers, when in fact only
p1 is a pointer; "type *p1, p2" makes the difference clearer.

DES
-- 
Dag-Erling Smørgrav - d...@des.no
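Added example (not code from the patch or from Unbound) of the declaration DES settles on above: an AS112 zone list whose elements are `const char *`, so the array decays to `const char **` and passes to such a parameter without a cast, together with a label-boundary suffix check of the kind a domain-insecure lookup needs. The zone subset, the function names and the `const char **` parameter shape are assumptions for illustration.

```c
/* Added example (not part of the Unbound patch): a NULL-terminated AS112
 * zone list declared the way DES recommends, plus a label-aware suffix
 * check.  Zone subset and helper names are constructed for illustration. */
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Elements are "pointer to const char"; the array itself is not const, so
 * it decays to "const char **" and can be passed to such a parameter with
 * no cast.  Declaring it "const char *const as112_zones[]" would make the
 * same call a qualifier-discarding conversion in C. */
static const char *as112_zones[] = {
    "10.in-addr.arpa.",
    "16.172.in-addr.arpa.",
    "168.192.in-addr.arpa.",
    "254.169.in-addr.arpa.",
    "8.b.d.0.1.0.0.2.ip6.arpa.",
    NULL
};

/* Count entries of a NULL-terminated list through a "const char **"
 * parameter, the shape a hypothetical insecure-domain registration helper
 * would take. */
size_t zone_count(const char **zones)
{
    size_t n = 0;
    while (zones[n] != NULL)
        n++;
    return n;
}

/* Return 1 if name equals zone or lies below it.  The match must end on a
 * label boundary: "210.in-addr.arpa." is not under "10.in-addr.arpa.". */
int name_under_zone(const char *name, const char *zone)
{
    size_t nlen = strlen(name), zlen = strlen(zone);
    if (nlen < zlen || strcasecmp(name + (nlen - zlen), zone) != 0)
        return 0;
    return nlen == zlen || name[nlen - zlen - 1] == '.';
}

/* Return 1 if name falls under any listed AS112 zone (case-insensitive). */
int is_as112_name(const char *name)
{
    size_t i;
    for (i = 0; as112_zones[i] != NULL; i++)
        if (name_under_zone(name, as112_zones[i]))
            return 1;
    return 0;
}
```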


[patch] insecure-lan-zones

2016-02-06 Thread Dag-Erling Smørgrav via Unbound-users
When using unblock-lan-zones, you will more likely than not also need to
disable validation for these zones.  The attached patch adds a new
configuration option, insecure-lan-zones, which adds all AS112 zones to
the list of insecure domains.  Note that it moves the list of AS112
zones, which is currently hardcoded in services/localzone.c, into an
array in util/as112.c.

I hope I got the Makefile.in part right - it's pretty gross.  Why don't
you use automake?

DES
-- 
Dag-Erling Smørgrav - d...@des.no

Index: Makefile.in
===
--- Makefile.in	(revision 3613)
+++ Makefile.in	(working copy)
@@ -96,7 +96,7 @@
 # libunbound_wrap.lo if python libunbound wrapper enabled.
 PYUNBOUND_OBJ=@PYUNBOUND_OBJ@
 COMMON_SRC=services/cache/dns.c services/cache/infra.c services/cache/rrset.c \
-util/data/dname.c util/data/msgencode.c util/data/msgparse.c \
+util/as112.c util/data/dname.c util/data/msgencode.c util/data/msgparse.c \
 util/data/msgreply.c util/data/packed_rrset.c iterator/iterator.c \
 iterator/iter_delegpt.c iterator/iter_donotq.c iterator/iter_fwd.c \
 iterator/iter_hints.c iterator/iter_priv.c iterator/iter_resptype.c \
@@ -114,7 +114,7 @@
 validator/val_secalgo.c validator/val_sigcrypt.c \
 validator/val_utils.c dns64/dns64.c $(CHECKLOCK_SRC) $(DNSTAP_SRC)
 COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \
-msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
+as112.lo msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
 iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \
 iter_scrub.lo iter_utils.lo localzone.lo mesh.lo modstack.lo \
 outbound_list.lo alloc.lo config_file.lo configlexer.lo configparser.lo \
@@ -596,6 +596,7 @@
 	rm -f $(DEPEND_TMP) $(DEPEND_TMP2)
 
 # Dependencies
+as112.lo as112.o: $(srcdir)/util/as112.c $(srcdir)/util/as112.h
 dns.lo dns.o: $(srcdir)/services/cache/dns.c config.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h \
  $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h $(srcdir)/services/cache/dns.h $(srcdir)/util/data/msgreply.h \
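Review bot: the new dependency line `+as112.lo as112.o: $(srcdir)/util/as112.c $(srcdir)/util/as112.h` omits config.h, which every other entry in this Dependencies block lists right after the source file (e.g. `dns.lo dns.o: $(srcdir)/services/cache/dns.c config.h ...`); if util/as112.c includes config.h like the rest of the tree, add it so the object is rebuilt after a reconfigure.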
@@ -703,7 +704,7 @@
  $(srcdir)/sldns/sbuffer.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h \
  $(srcdir)/util/net_help.h $(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/as112.h
 mesh.lo mesh.o: $(srcdir)/services/mesh.c config.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/netevent.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
  $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \
@@ -822,7 +823,7 @@
  $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_sigcrypt.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/validator/autotrust.h \
  $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h $(srcdir}/util/as112.h
 validator.lo validator.o: $(srcdir)/validator/validator.c config.h $(srcdir)/validator/validator.h \
  $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
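Review bot: the added dependency `$(srcdir}/util/as112.h` on the `+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h $(srcdir}/util/as112.h` line has a mismatched brace, `$(srcdir}` instead of `$(srcdir)`, so make will not expand it to the source directory and this rule will not pick up changes to as112.h; change it to `$(srcdir)/util/as112.h` as in the localzone.lo hunk above.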
Index: doc/example.conf.in
===
--- doc/example.conf.in	(revision 3613)
+++ doc/example.conf.in	(working copy)
@@ -517,7 +517,7 @@
 	# local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
 	# And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
 
-	# if unbound is running service for the local host then it is useful
+	# If unbound is running service for the local host then it is useful
 	# to perform lan-wide lookups to the upstream, and unblock the
 	# long list of local-zones above.  If this unbound is a dns server
 	# for a network of computers, disabled is better and stops information
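Review bot: this hunk only capitalises "if" in an existing comment and is unrelated to the new option; drop it or split it into a separate cosmetic commit so the patch stays focused on insecure-lan-zones.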
@@ -524,6 +524,10 @@
 	# leakage of local lan information.
 	# unblock-lan-zones: no
 
+	# The insecure-lan-zones option disables validation for
+	# these zones, as if they were all listed as domain-insecure.
+	# insecure-lan-zones: no
+
 	# a number of locally served zones can be configured.
 	# 	local-zone:  
 	# 	local-data: ""
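Review bot: the new comment says insecure-lan-zones "disables validation for these zones" but does not say that it is meant to accompany unblock-lan-zones: yes, which the cover message states is the case where it is needed; state that pairing in the comment (for example, "Use together with unblock-lan-zones: yes") so an operator who enables only one of the two understands why validation of upstream answers for these zones still fails, and confirm that the documented default "no" matches the default in the config parser.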
Index: doc/unbound.conf.5.in
===
--- doc/unbound.conf.5.in	(revision 3613)
+++ doc/unbound.conf.5.in	(working copy)
@@ -857,6 +857,11 @@
 lookups should be 

Re: [patch] insecure-lan-zones

2016-02-06 Thread Robert Edmonds via Unbound-users
Dag-Erling Smørgrav via Unbound-users wrote:
> I hope I got the Makefile.in part right - it's pretty gross.  Why don't
> you use automake?

+1 to Automake :-)  Hacking on Unbound's Makefile.in is not fun.

-- 
Robert Edmonds
edmo...@debian.org