Re: [patch] insecure-lan-zones

2016-02-09 Thread W.C.A. Wijngaards via Unbound-users

Hi Dag-Erling,

On 07/02/16 00:29, Dag-Erling Smørgrav via Unbound-users wrote:
> Dag-Erling Smørgrav  writes:
>> When using unblock-lan-zones, you will more likely than not also
>> need to disable validation for these zones.  The attached patch
>> adds a new configuration option, insecure-lan-zones, which adds
>> all AS112 zones to the list of insecure domains.  Note that it
>> moves the list of AS112 zones, which is currently hardcoded in
>> services/localzone.c, into an array in util/as112.c.

Thank you for the patch; I have applied it to the source code!  I like
the as112 array separation; it makes it easier to maintain.

> 
> I just found an error in the patch: to avoid "cast discards
> qualifier" warnings, as112_zones should be declared as "const
> char**" and not const "char* const*" (the definition of "equivalent
> types" in C makes it hard to use the correct type for const arrays
> of pointers to const objects, so the simplest solution is to not
> declare them as const).  Your compiler may or may not care.

I'll go for portable, thank you for the hint.

> 
> BTW, you consistently use "type* ptr", but * is right-associative,
> so the correct notation would be "type *ptr".  It makes no
> difference to the compiler, but to the human reader, it indicates
> that the * applies to the identifier and not to the type.  For
> instance, "type* p1, p2" incorrectly suggests that both p1 and p2
> are pointers, when in fact only p1 is a pointer; "type *p1, p2"
> makes the difference clearer.

Yes, you are correct; I simply used this notation while writing it.
The code sometimes also uses your notation in places, depending on the
author.

Automake: I tried it, but getting all the conditional options configured
into automake is hard, and the initial automake file that I ended up
with lost too much (most of the) functionality of the original
Makefile.  I thereafter rewrote the Makefile system to no longer
depend on GNU make, but to be portably compatible with BSD make (and
Sun make).  This resolved the practical necessity.  But now we still
do not use automake.

Best regards, Wouter


Re: [patch] insecure-lan-zones

2016-02-06 Thread Dag-Erling Smørgrav via Unbound-users
Dag-Erling Smørgrav  writes:
> When using unblock-lan-zones, you will more likely than not also need to
> disable validation for these zones.  The attached patch adds a new
> configuration option, insecure-lan-zones, which adds all AS112 zones to
> the list of insecure domains.  Note that it moves the list of AS112
> zones, which is currently hardcoded in services/localzone.c, into an
> array in util/as112.c.

I just found an error in the patch: to avoid "cast discards qualifier"
warnings, as112_zones should be declared as "const char**" and not const
"char* const*" (the definition of "equivalent types" in C makes it hard
to use the correct type for const arrays of pointers to const objects,
so the simplest solution is to not declare them as const).  Your
compiler may or may not care.

BTW, you consistently use "type* ptr", but * is right-associative, so
the correct notation would be "type *ptr".  It makes no difference to
the compiler, but to the human reader, it indicates that the * applies
to the identifier and not to the type.  For instance, "type* p1, p2"
incorrectly suggests that both p1 and p2 are pointers, when in fact only
p1 is a pointer; "type *p1, p2" makes the difference clearer.

DES
-- 
Dag-Erling Smørgrav - d...@des.no


[patch] insecure-lan-zones

2016-02-06 Thread Dag-Erling Smørgrav via Unbound-users
When using unblock-lan-zones, you will more likely than not also need to
disable validation for these zones.  The attached patch adds a new
configuration option, insecure-lan-zones, which adds all AS112 zones to
the list of insecure domains.  Note that it moves the list of AS112
zones, which is currently hardcoded in services/localzone.c, into an
array in util/as112.c.

I hope I got the Makefile.in part right - it's pretty gross.  Why don't
you use automake?

DES
-- 
Dag-Erling Smørgrav - d...@des.no

Index: Makefile.in
===
--- Makefile.in	(revision 3613)
+++ Makefile.in	(working copy)
@@ -96,7 +96,7 @@
 # libunbound_wrap.lo if python libunbound wrapper enabled.
 PYUNBOUND_OBJ=@PYUNBOUND_OBJ@
 COMMON_SRC=services/cache/dns.c services/cache/infra.c services/cache/rrset.c \
-util/data/dname.c util/data/msgencode.c util/data/msgparse.c \
+util/as112.c util/data/dname.c util/data/msgencode.c util/data/msgparse.c \
 util/data/msgreply.c util/data/packed_rrset.c iterator/iterator.c \
 iterator/iter_delegpt.c iterator/iter_donotq.c iterator/iter_fwd.c \
 iterator/iter_hints.c iterator/iter_priv.c iterator/iter_resptype.c \
@@ -114,7 +114,7 @@
 validator/val_secalgo.c validator/val_sigcrypt.c \
 validator/val_utils.c dns64/dns64.c $(CHECKLOCK_SRC) $(DNSTAP_SRC)
 COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \
-msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
+as112.lo msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
 iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \
 iter_scrub.lo iter_utils.lo localzone.lo mesh.lo modstack.lo \
 outbound_list.lo alloc.lo config_file.lo configlexer.lo configparser.lo \
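Review bot: as112.lo is inserted at the front of COMMON_OBJ_WITHOUT_NETCALL while util/as112.c in the previous hunk sits after the services/cache sources; make does not care about order, but keeping the two lists in the same sequence makes it easier to check by eye that every source has its object, which is the usual failure mode when editing this Makefile.in by hand.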
@@ -596,6 +596,7 @@
 	rm -f $(DEPEND_TMP) $(DEPEND_TMP2)
 
 # Dependencies
+as112.lo as112.o: $(srcdir)/util/as112.c $(srcdir)/util/as112.h
 dns.lo dns.o: $(srcdir)/services/cache/dns.c config.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h \
  $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h $(srcdir)/services/cache/dns.h $(srcdir)/util/data/msgreply.h \
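Review bot: the hand-written `as112.lo as112.o: $(srcdir)/util/as112.c $(srcdir)/util/as112.h` line sits in the `# Dependencies` block that the `rm -f $(DEPEND_TMP) $(DEPEND_TMP2)` just above it suggests is regenerated; it should be produced by that dependency-generation target rather than typed in, which would also pick up config.h (listed by every neighbouring entry) if util/as112.c includes it.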
@@ -703,7 +704,7 @@
  $(srcdir)/sldns/sbuffer.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h \
  $(srcdir)/util/net_help.h $(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/as112.h
 mesh.lo mesh.o: $(srcdir)/services/mesh.c config.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/netevent.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
  $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \
@@ -822,7 +823,7 @@
  $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_sigcrypt.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/validator/autotrust.h \
  $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h $(srcdir}/util/as112.h
 validator.lo validator.o: $(srcdir)/validator/validator.c config.h $(srcdir)/validator/validator.h \
  $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
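Review bot: the added `$(srcdir}/util/as112.h` has mismatched braces; make will not expand `$(srcdir}` as the srcdir variable (it may fail with an unterminated variable reference, or treat the rest of the line as part of the name), so the new header dependency for this object is broken. Change it to `$(srcdir)/util/as112.h`, as written in the previous hunk.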
Index: doc/example.conf.in
===
--- doc/example.conf.in	(revision 3613)
+++ doc/example.conf.in	(working copy)
@@ -517,7 +517,7 @@
 	# local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
 	# And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
 
-	# if unbound is running service for the local host then it is useful
+	# If unbound is running service for the local host then it is useful
 	# to perform lan-wide lookups to the upstream, and unblock the
 	# long list of local-zones above.  If this unbound is a dns server
 	# for a network of computers, disabled is better and stops information
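Review bot: this hunk only capitalises `if` in an existing comment. Unrelated cosmetic edits are better left out of a feature patch, or at least mentioned in the cover mail, so the reviewable change stays limited to the new option.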
@@ -524,6 +524,10 @@
 	# leakage of local lan information.
 	# unblock-lan-zones: no
 
+	# The insecure-lan-zones option disables validation for
+	# these zones, as if they were all listed as domain-insecure.
+	# insecure-lan-zones: no
+
 	# a number of locally served zones can be configured.
 	# 	local-zone:  
 	# 	local-data: ""
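Review bot: the new comment should say what the cover mail says, that insecure-lan-zones is intended to go together with unblock-lan-zones, since on its own "these zones" gives the reader no pointer to the list above. It should also state the consequence: every zone in that list is exempted from DNSSEC validation, so answers for them are accepted unsigned, which is acceptable for private reverse space but is a deliberate trade-off an operator should see spelled out.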
Index: doc/unbound.conf.5.in
===
--- doc/unbound.conf.5.in	(revision 3613)
+++ doc/unbound.conf.5.in	(working copy)
@@ -857,6 +857,11 @@
 lookups should be 
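The AS112 table the patch moves into util/as112.c, and the const-pointer iteration discussed in the follow-up about "cast discards qualifier", as an added example in C that is not Unbound's code: it assumes a constructed subset of the zone table and a hypothetical as112_zone_for() lookup, and shows a label-aware match so that a name merely ending in a zone's text is not treated as falling under it. Getting that boundary right matters once such zones are exempted from validation, because the exemption should apply only to names genuinely inside them.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Constructed subset of the AS112 zone list the patch moves into
 * util/as112.c; Unbound's real table is longer. Names carry the
 * trailing dot, as in the example.conf comments in the patch. */
static const char *const as112_zones[] = {
	"10.in-addr.arpa.",
	"168.192.in-addr.arpa.",
	"64.100.in-addr.arpa.",
	"8.b.d.0.1.0.0.2.ip6.arpa.",
	NULL
};

/* Label-aware, case-insensitive test that name equals zone or lies
 * below it. A plain suffix compare would accept "foo10.in-addr.arpa."
 * as being under "10.in-addr.arpa.", which it is not. */
static int under_zone(const char *name, const char *zone)
{
	size_t nlen = strlen(name), zlen = strlen(zone);
	if (nlen < zlen)
		return 0;
	const char *tail = name + (nlen - zlen);
	for (size_t i = 0; i < zlen; i++)
		if (tolower((unsigned char)tail[i]) != tolower((unsigned char)zone[i]))
			return 0;
	/* exact match, or the character before the tail ends a label */
	return nlen == zlen || tail[-1] == '.';
}

/* Return the AS112 zone that covers name, or NULL if none does.
 * Walking the table through a "const char *const *" needs no cast,
 * which is the "cast discards qualifier" warning the thread mentions. */
const char *as112_zone_for(const char *name)
{
	for (const char *const *z = as112_zones; *z != NULL; z++)
		if (under_zone(name, *z))
			return *z;
	return NULL;
}

int main(void)
{
	const char *q[] = { "4.3.2.10.in-addr.arpa.", "foo10.in-addr.arpa." };
	for (size_t i = 0; i < 2; i++) {
		const char *zone = as112_zone_for(q[i]);
		printf("%s -> %s\n", q[i], zone ? zone : "(not an AS112 zone)");
	}
	return 0;
}
```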

Re: [patch] insecure-lan-zones

2016-02-06 Thread Robert Edmonds via Unbound-users
Dag-Erling Smørgrav via Unbound-users wrote:
> I hope I got the Makefile.in part right - it's pretty gross.  Why don't
> you use automake?

+1 to Automake :-)  Hacking on Unbound's Makefile.in is not fun.

-- 
Robert Edmonds
edmo...@debian.org