CVSROOT:        /cvs
Module name:    src
Changes by:     flor...@cvs.openbsd.org 2019/03/31 21:31:56

Modified files:
        sbin/unwind    : parse.y printconf.c resolver.c unwind.conf.5 

Log message:
Implement "Authentication Domain Names" configuration as per RFC 8310
section 7.1 for DoT servers.

We are setting the CA cert bundle path (/etc/ssl/cert.pem) directly in
libunbound so we need to loosen pledge(2) a bit and allow rpath. At the
same time we unveil only /etc/ssl/cert.pem. We can drop the chroot(2)
since pledge(2) and unveil(2) give us more fine grained isolation.

prodding by tb@.

p.s. for portable it might be necessary to pass in a file descriptor
from the parent, slurp in the file and then use X509_STORE_load_mem()
(pointed out by sthen) in the guts of libunbound.
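The confinement sequence the log message describes (unveil only the CA bundle, pledge "stdio rpath" instead of chroot), as an added illustration that is not unwind's or libunbound's code. The `#ifdef __OpenBSD__` guard, the `SAMPLE_BUNDLE` fallback (a constructed two-certificate stand-in, not real CA data), and the `slurp_fd()` helper are assumptions of this example; the p.s. route of handing the bytes to `X509_STORE_load_mem()` is only mentioned in a comment, not called.

```c
#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* The CA bundle path that the commit sets directly in libunbound. */
#define CA_BUNDLE "/etc/ssl/cert.pem"

/* Constructed stand-in used only when CA_BUNDLE cannot be opened on this host. */
static const char SAMPLE_BUNDLE[] =
    "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n";

/*
 * Confine as the log message describes: expose only ca_path read-only via
 * unveil(2), lock the view with unveil(NULL, NULL), then pledge(2)
 * "stdio rpath" so open(2) for reading still works. No chroot(2) needed.
 * Order matters: all unveil() calls must come before a pledge that drops
 * the "unveil" promise. On non-OpenBSD hosts this is a no-op (assumption).
 */
static int
confine(const char *ca_path)
{
#ifdef __OpenBSD__
	if (unveil(ca_path, "r") == -1)
		return -1;
	if (unveil(NULL, NULL) == -1)
		return -1;
	if (pledge("stdio rpath", NULL) == -1)
		return -1;
#else
	(void)ca_path;
#endif
	return 0;
}

/*
 * Read an open descriptor fully into a NUL-terminated heap buffer. This is
 * the "slurp in the file" step from the p.s.: a portable build could have
 * the parent open the bundle and pass the fd, so the child needs no rpath,
 * and then feed the bytes to X509_STORE_load_mem() instead of a path.
 */
static char *
slurp_fd(int fd, size_t *lenp)
{
	size_t cap = 4096, len = 0;
	char *buf = malloc(cap), *nb;
	ssize_t n;

	if (buf == NULL)
		return NULL;
	for (;;) {
		if (len + 1 >= cap) {
			if ((nb = realloc(buf, cap * 2)) == NULL) {
				free(buf);
				return NULL;
			}
			buf = nb;
			cap *= 2;
		}
		n = read(fd, buf + len, cap - len - 1);
		if (n == -1 && errno == EINTR)
			continue;
		if (n == -1) {
			free(buf);
			return NULL;
		}
		if (n == 0)
			break;
		len += (size_t)n;
	}
	buf[len] = '\0';
	if (lenp != NULL)
		*lenp = len;
	return buf;
}

/* Count PEM certificate blocks: a cheap check that the bundle is usable. */
static int
count_pem_certs(const char *buf)
{
	const char *marker = "-----BEGIN CERTIFICATE-----";
	int n = 0;

	for (const char *p = buf; (p = strstr(p, marker)) != NULL; p += strlen(marker))
		n++;
	return n;
}

int
main(void)
{
	size_t len = 0;
	char *buf = NULL;
	int fd;

	if (confine(CA_BUNDLE) == -1)
		err(1, "confine");
	/* After pledge("stdio rpath") and the unveil, only this open(2) is permitted. */
	if ((fd = open(CA_BUNDLE, O_RDONLY)) != -1) {
		buf = slurp_fd(fd, &len);
		close(fd);
	}
	if (buf == NULL) {
		buf = strdup(SAMPLE_BUNDLE);	/* fallback to the constructed bundle */
		len = strlen(SAMPLE_BUNDLE);
	}
	printf("%zu bytes, %d certificate(s)\n", len, count_pem_certs(buf));
	free(buf);
	return 0;
}
```

On OpenBSD the only path that survives `unveil(NULL, NULL)` is the bundle itself, so an attempt by compromised resolver code to read anything else fails with ENOENT while `open(CA_BUNDLE, O_RDONLY)` still succeeds under the "rpath" promise.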
