struct itkacl_config {
char nszone[256];
+ int require_dnssec;
+ char dnssec_public_key[256];
};
#define CONFIG_FILENAME "/etc/itkacl.conf"
FILE *fp;
int lineno = 0;
+ /* Defaults. */
strcpy(config->nszone, "");
+ config->require_dnssec = 0;
+ strcpy(config->dnssec_public_key, "");
fp = fopen(CONFIG_FILENAME, "r");
if (fp == NULL) {
strcpy(config->nszone, arg);
continue;
}
+ if (strcmp(line, "require-dnssec") == 0) {
+ config->require_dnssec = 1;
+ continue;
+ }
+ if (sscanf(line, "dnssec-public-key %255s", arg) == 1) {
+ strcpy(config->dnssec_public_key, arg);
+ continue;
+ }
if (errmsg)
snprintf(errmsg, errmsg_size, "%s: Could not parse line %d",
return -1;
}
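Review bot: The `strcmp(line, "require-dnssec") == 0` test on the first added line only matches if `line` has already had its trailing newline and whitespace stripped, which the visible lines do not show; the `nszone` and `dnssec-public-key` directives go through `sscanf`, which tolerates trailing whitespace, so `require-dnssec` would be the one directive that falls through to the "Could not parse line" error if the line is not stripped. That outcome is at least fail-closed (the loader returns -1), but it should be confirmed against the line-reading code, whose function starts outside the hunk. Separately, `require-dnssec` without a `dnssec-public-key` (and no trust anchor from elsewhere) makes every later lookup fail as "not secured with DNSSEC", so a check after parsing, `if (config->require_dnssec && config->dnssec_public_key[0] == '\0')` with a "require-dnssec set but no dnssec-public-key configured" message, would tell the operator the real cause at load time.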
+ if (strlen(config.dnssec_public_key) != 0) {
+ ret = ub_ctx_add_ta_file(ctx, config.dnssec_public_key);
+ if (ret != 0) {
+ if (errmsg)
+ snprintf(errmsg, errmsg_size,
+ "Host name lookup failure: Error adding keys from %s "
+ "(resolver error: %s) (system error: %s)",
+ config.dnssec_public_key,
+ ub_strerror(ret), strerror(errno));
+ ub_ctx_delete(ctx);
+ return -1;
+ }
+ }
+
/* Do the actual DNS lookup (TYPE A, CLASS IN). */
ret = ub_resolve(ctx, nszone, 1, 1, &result);
if (ret != 0) {
return -1;
}
+ /* Verify DNSSEC. */
+ if (result->bogus) {
+ if (errmsg)
+ snprintf(errmsg, errmsg_size,
+ "Host name lookup failure: Bogus DNSSEC result (security failure)");
+ ub_resolve_free(result);
+ ub_ctx_delete(ctx);
+ return -1;
+ }
+ if (config.require_dnssec && !result->secure) {
+ if (errmsg)
+ snprintf(errmsg, errmsg_size,
+ "Host name lookup failure: Result was not secured with DNSSEC");
+ ub_resolve_free(result);
+ ub_ctx_delete(ctx);
+ return -1;
+ }
+
nxdomain = result->nxdomain;
ub_resolve_free(result);
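Review bot: The bogus-result branch (`if (result->bogus)`) drops the validator's reason; libunbound sets `result->why_bogus` to a human-readable explanation for a bogus answer, so the message should carry it: `"Host name lookup failure: Bogus DNSSEC result (security failure): %s", result->why_bogus`. Applying the bogus check regardless of `require_dnssec` and the insecure check only when configured is the right split. On the `ub_resolve` failure path just above, only `return -1;` is visible with no `ub_ctx_delete(ctx)`; if those lines were elided from this view that is fine, otherwise the context is leaked on that path. The enclosing function continues beyond the hunk.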