CVSROOT: /cvs
Module name: src
Changes by: flor...@cvs.openbsd.org 2019/03/31 21:31:56
Modified files:
sbin/unwind : parse.y printconf.c resolver.c unwind.conf.5
Log message:
Implement "Authentication Domain Names" configuration as per RFC 8310
section 7.1 for DoT servers.
We are setting the CA cert bundle path (/etc/ssl/cert.pem) directly in
libunbound so we need to losen pledge(2) a bit and allow rpath. At the
same time we unveil only /etc/ssl/cert.pem. We can drop the chroot(2)
since pledge(2) and unveil(2) give us more fine grained isolation.
prodding by tb@.
p.s. for portable it might be necessary to pass in a file descriptor
from the parent, slurp in the file and then use X509_STORE_load_mem()
(pointed out by sthen) in the guts of libunbound.
