CVSROOT:	/cvs
Module name:	src
Changes by:	flor...@cvs.openbsd.org	2019/03/31 21:31:56

Modified files:
	sbin/unwind    : parse.y printconf.c resolver.c unwind.conf.5

Log message:
Implement "Authentication Domain Names" configuration as per RFC 8310
section 7.1 for DoT servers.

We are setting the CA cert bundle path (/etc/ssl/cert.pem) directly in
libunbound so we need to loosen pledge(2) a bit and allow rpath. At the
same time we unveil only /etc/ssl/cert.pem. We can drop the chroot(2)
since pledge(2) and unveil(2) give us more fine-grained isolation.

prodding by tb@.

p.s. for portable it might be necessary to pass in a file descriptor
from the parent, slurp in the file and then use X509_STORE_load_mem()
(pointed out by sthen) in the guts of libunbound.