authorWillem Toorop <willem@NLnetLabs.nl>2012-10-16 13:59:41 +0200
committerWillem Toorop <willem@NLnetLabs.nl>2012-10-16 13:59:41 +0200
commit25b494b756647bb06755e305c6eddaf7f1819aab (patch)
treef2e5cb9d3af62f1c6fa60c62069adc84d9409c34 /examples
parent864ca5b149f6c9e8abe6293ae0b8c816d2e8914a (diff)
Merge in 1.6.14rc2 changes:
- Paul Wouters' suggestion to have a create and a verify option for ldns-dane, a configurable CAfile and CApath, and a configurable trust anchor
- Get rid of doxygen-1.8 warnings
Diffstat (limited to 'examples')
-rw-r--r--examples/Makefile.in7
-rw-r--r--examples/configure.ac42
-rw-r--r--examples/ldns-dane.1.in (renamed from examples/ldns-dane.1)40
-rw-r--r--examples/ldns-dane.c203
-rw-r--r--examples/ldns-test-edns.c24
-rw-r--r--examples/ldns-verify-zone.1.in (renamed from examples/ldns-verify-zone.1)13
-rw-r--r--examples/ldns-verify-zone.c27
7 files changed, 273 insertions, 83 deletions
diff --git a/examples/Makefile.in b/examples/Makefile.in
index e17f2181..4d867ca6 100644
--- a/examples/Makefile.in
+++ b/examples/Makefile.in
@@ -157,11 +157,12 @@ clean:
realclean: clean
rm -rf autom4te.cache/
- rm -f config.log config.status aclocal.m4 config.h.in configure Makefile
- rm -f config.h
+ rm -f config.log config.status aclocal.m4 config.h.in configure
+ rm -f config.h ldns-dane.1 ldns-verify-zone.1 Makefile
confclean: clean
- rm -rf config.log config.status config.h Makefile
+ rm -rf config.log config.status
+ rm -f config.h ldns-dane.1 ldns-verify-zone.1 Makefile
install: $(PROGRAMS) $(SSL_PROGRAMS)
$(INSTALL) -d -m 755 $(DESTDIR)$(bindir)
diff --git a/examples/configure.ac b/examples/configure.ac
index 0e27eecd..3fbf5bf5 100644
--- a/examples/configure.ac
+++ b/examples/configure.ac
@@ -315,13 +315,51 @@ if test -f $ldns_dev_dir/ldns/util.h && \
else
AC_MSG_RESULT([no])
AC_CHECK_LIB(ldns, ldns_rr_new,, [
- AC_MSG_ERROR([Can't find ldns library])
+ AC_MSG_ERROR([Can't find ldns library])dnl'
]
)
fi
AC_SUBST(LDNSDIR)
+AC_ARG_WITH(trust-anchor, AC_HELP_STRING([--with-trust-anchor=KEYFILE], [Default location of the trust anchor file for drill and ldns-dane. [default=SYSCONFDIR/unbound/root.key]]), [
+ LDNS_TRUST_ANCHOR_FILE="$withval"
+],[
+ if test "x$LDNS_TRUST_ANCHOR_FILE" = "x"; then
+ if test "x$sysconfdir" = 'x${prefix}/etc' ; then
+ if test "x$prefix" = 'xNONE' ; then
+ LDNS_TRUST_ANCHOR_FILE="/etc/unbound/root.key"
+ else
+ LDNS_TRUST_ANCHOR_FILE="${prefix}/etc/unbound/root.key"
+ fi
+ else
+ LDNS_TRUST_ANCHOR_FILE="${sysconfdir}/unbound/root.key"
+ fi
+ fi
+])
+AC_DEFINE_UNQUOTED([LDNS_TRUST_ANCHOR_FILE], ["$LDNS_TRUST_ANCHOR_FILE"], [Default trust anchor file])
+AC_SUBST(LDNS_TRUST_ANCHOR_FILE)
+AC_MSG_NOTICE([Default trust anchor: $LDNS_TRUST_ANCHOR_FILE])
+
+AC_ARG_WITH(ca-file, AC_HELP_STRING([--with-ca-file=CAFILE], [File containing CA certificates for ldns-dane]), [
+ AC_DEFINE([HAVE_DANE_CA_FILE], [1], [Is a CAFILE given at configure time])
+ AC_DEFINE_UNQUOTED([LDNS_DANE_CA_FILE], ["$withval"], [Is a CAFILE given at configure time])
+ AC_MSG_NOTICE([Using CAfile: $withval])
+ AC_SUBST(DEFAULT_CAFILE, ["Default is $withval"])
+],[
+ AC_DEFINE([HAVE_DANE_CA_FILE], [0], [Is a CAFILE given at configure time])
+ AC_SUBST(DEFAULT_CAFILE, [])
+])
+
+AC_ARG_WITH(ca-path, AC_HELP_STRING([--with-ca-path=CAPATH], [Directory containing CA certificate files for ldns-dane]), [
+ AC_DEFINE([HAVE_DANE_CA_PATH], [1], [Is a CAPATH given at configure time])
+ AC_DEFINE_UNQUOTED([LDNS_DANE_CA_PATH], ["$withval"], [Is a CAPATH given at configure time])
+ AC_MSG_NOTICE([Using CApath: $withval])
+ AC_SUBST(DEFAULT_CAPATH, ["Default is $withval"])
+],[
+ AC_DEFINE([HAVE_DANE_CA_PATH], [0], [Is a CAPATH given at configure time])
+ AC_SUBST(DEFAULT_CAPATH, [])
+])
AH_BOTTOM([
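Review bot: Each new AC_ARG_WITH action-if-given branch uses `$withval` unconditionally, so `--without-ca-file`, `--without-ca-path` or `--without-trust-anchor` (which autoconf passes as `withval=no`) defines LDNS_DANE_CA_FILE, LDNS_DANE_CA_PATH or LDNS_TRUST_ANCHOR_FILE as the literal string "no" and, for the first two, still sets HAVE_DANE_CA_FILE/HAVE_DANE_CA_PATH to 1. Because these values become the default CA store and trust anchor that ldns-dane validates against, a bogus path should be rejected at configure time rather than compiled in as a non-existent default; guard each branch with `if test "x$withval" = xno; then AC_MSG_ERROR([a path is required]); fi`, or treat `no` as the not-given case. The computed trust-anchor default also differs from the help string's SYSCONFDIR/unbound/root.key when prefix is NONE (it becomes /etc/unbound/root.key rather than the eventual ${prefix}/etc); if that is deliberate, a one-line comment above the `if test "x$prefix" = 'xNONE'` test saying so would stop the next reader from "fixing" it.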
@@ -418,6 +456,6 @@ extern int optind, opterr;
#endif
])
-AC_CONFIG_FILES([Makefile])
+AC_CONFIG_FILES([Makefile ldns-dane.1 ldns-verify-zone.1])
AC_CONFIG_HEADER([config.h])
AC_OUTPUT
diff --git a/examples/ldns-dane.1 b/examples/ldns-dane.1.in
index 52472302..8f05d7f6 100644
--- a/examples/ldns-dane.1
+++ b/examples/ldns-dane.1.in
@@ -5,6 +5,7 @@ ldns-dane \- verify or create TLS authentication with DANE (RFC6698)
.PD 0
.B ldns-dane
.IR [OPTIONS]
+.IR verify
.IR name
.IR port
.PP
@@ -12,14 +13,21 @@ ldns-dane \- verify or create TLS authentication with DANE (RFC6698)
.IR [OPTIONS]
.IR -t
.IR tlsafile
+.IR verify
.B ldns-dane
.IR [OPTIONS]
.IR name
.IR port
+.IR create
+.PP
+ [
.IR Certificate-usage
+[
.IR Selector
+[
.IR Matching-type
+] ] ]
.B ldns-dane
.IR -h
@@ -54,13 +62,13 @@ Service certificate constraint
.IP 2
Trust anchor assertion
.IP 3
-Domain-issued certificate
+Domain-issued certificate (default)
.RE
.I Selector\fR:
.RS
.IP 0
-Full certificate
+Full certificate (default)
.IP 1
SubjectPublicKeyInfo
.RE
@@ -70,7 +78,7 @@ SubjectPublicKeyInfo
.IP 0
No hash used
.IP 1
-SHA-256
+SHA-256 (default)
.IP 2
SHA-512
.RE
@@ -98,17 +106,20 @@ TLSA records) for the certificate (chain) in \fIcertfile\fR instead.
Assume DNSSEC validity even when the TLSA records were acquired insecure
or were bogus.
.IP "-f \fICAfile\fR"
-Use CAfile to validate.
+Use CAfile to validate. @DEFAULT_CAFILE@
.IP -h
Print short usage help
.IP -i
Interact after connecting.
.IP "-k \fIkeyfile\fR"
Specify a file that contains a trusted DNSKEY or DS rr.
-Without a trusted DNSKEY, the local network is trusted to provide
-a DNSSEC resolver (i.e. AD bit is checked).
+Key(s) are used when chasing signatures (i.e. \fI-S\fR is given).
This option may be given more than once.
+
+Alternatively, if \fB-k\fR is not specified, and a default trust anchor
+(@LDNS_TRUST_ANCHOR_FILE@) exists and contains a valid DNSKEY or DS record,
+it will be used as the trust anchor.
.IP -n
Do \fBnot\fR verify server name in certificate.
.IP "-o \fIoffset\fR"
@@ -122,7 +133,7 @@ is used (like with 0) that MUST be self-signed. This can help to make
sure that the intended (self signed) trust anchor is actually present
in the server certificate chain (which is a DANE requirement).
.IP "-p \fICApath\fR"
-Use certificates in the \fICApath\fR directory to validate.
+Use certificates in the \fICApath\fR directory to validate. @DEFAULT_CAPATH@
.IP -s
When creating TLSA resource records with the "CA Constraint" and the
"Service Certificate Constraint" certificate usage, do not validate and
@@ -130,6 +141,11 @@ assume PKIX is valid.
For "CA Constraint" this means that verification should end with a
self-signed certificate.
+.IP -S
+Chase signature(s) to a known key.
+
+Without this option, the local network is trusted to provide
+a DNSSEC resolver (i.e. AD bit is checked).
.IP "-t \fItlsafile\fR"
Read TLSA record(s) from \fItlsafile\fR. When \fIname\fR and \fIport\fR
are also given, only TLSA records that match the \fIname\fR, \fIport\fR and
@@ -140,6 +156,16 @@ Use UDP transport instead of TCP.
.IP -v
Show version and exit.
+.SH "FILES"
+.TP
+@LDNS_TRUST_ANCHOR_FILE@
+The file from which trusted keys are loaded for signature chasing,
+when no \fB-k\fR option is given.
+
+.SH "SEE ALSO"
+.LP
+unbound-anchor(8)
+
.SH AUTHOR
Written by the ldns team as an example for ldns usage.
diff --git a/examples/ldns-dane.c b/examples/ldns-dane.c
index 9f38c3c8..f5c86b4e 100644
--- a/examples/ldns-dane.c
+++ b/examples/ldns-dane.c
@@ -42,28 +42,28 @@
void
print_usage(const char* progname)
{
- printf("Usage: %s [OPTIONS] <name> <port>\n", progname);
- printf(" or: %s [OPTIONS] -t <tlsafile>\n", progname);
+ printf("Usage: %s [OPTIONS] verify <name> <port>\n", progname);
+ printf(" or: %s [OPTIONS] -t <tlsafile> verify\n", progname);
printf("\n\tVerify the TLS connection at <name>:<port> or"
"\n\tuse TLSA record(s) from <tlsafile> to verify the\n"
"\tTLS service they reference.\n");
- printf("\n or: %s [OPTIONS] <name> <port> <cert usage> <selector> "
- "<match type>\n", progname);
+ printf("\n or: %s [OPTIONS] create <name> <port> [<usage> "
+ "[<selector> [<type>]]]\n", progname);
printf("\n\tUse the TLS connection(s) to <name> <port> "
"to create the TLSA\n\t"
"resource record(s) that would "
"authenticate the connection.\n");
- printf("\n\t<cert usage>"
- "\t0: CA constraint\n"
+ printf("\n\t<usage>"
+ "\t\t0: CA constraint\n"
"\t\t\t1: Service certificate constraint\n"
"\t\t\t2: Trust anchor assertion\n"
- "\t\t\t3: Domain-issued certificate\n");
+ "\t\t\t3: Domain-issued certificate (default)\n");
printf("\n\t<selector>"
- "\t0: Full certificate\n"
+ "\t0: Full certificate (default)\n"
"\t\t\t1: SubjectPublicKeyInfo\n");
- printf("\n\t<match type>"
- "\t0: No hash used\n"
- "\t\t\t1: SHA-256\n"
+ printf("\n\t<type>"
+ "\t\t0: No hash used\n"
+ "\t\t\t1: SHA-256 (default)\n"
"\t\t\t2: SHA-512\n");
printf("OPTIONS:\n");
@@ -81,10 +81,15 @@ print_usage(const char* progname)
);
printf("\t-d\t\tassume DNSSEC validity even when insecure or bogus\n");
printf("\t-f <CAfile>\tuse CAfile to validate\n");
+#if HAVE_DANE_CA_FILE
+ printf("\t\t\tDefault is %s\n", LDNS_DANE_CA_FILE);
+#endif
printf("\t-i\t\tinteract after connecting\n");
printf("\t-k <keyfile>\t"
"use DNSKEY/DS rr(s) in <keyfile> to validate TLSAs\n"
+ "\t\t\twhen signature chasing (i.e. -S)\n"
);
+ printf("\t\t\tDefault is %s\n", LDNS_TRUST_ANCHOR_FILE);
printf("\t-n\t\tdo *not* verify server name in certificate\n");
printf("\t-o <offset>\t"
"select <offset>th certificate from the end of\n"
@@ -93,7 +98,11 @@ print_usage(const char* progname)
printf("\t-p <CApath>\t"
"use certificates in the <CApath> directory to validate\n"
);
+#if HAVE_DANE_CA_PATH
+ printf("\t\t\tDefaults is %s\n", LDNS_DANE_CA_PATH);
+#endif
printf("\t-s\t\tassume PKIX validity\n");
+ printf("\t-S\t\tChase signature(s) to a known key\n");
printf("\t-t <tlsafile>\tdo not use DNS, "
"but read TLSA record(s) from <tlsafile>\n"
);
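Review bot: The new help line for -p reads `Defaults is %s`, while the matching -f line added in the previous hunk says `Default is %s`; make them agree: `printf("\t\t\tDefault is %s\n", LDNS_DANE_CA_PATH);`. print_usage starts and ends outside this hunk.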
@@ -501,8 +510,6 @@ read_key_file(const char *filename, ldns_rr_list *keys)
int line_nr;
if (!(fp = fopen(filename, "r"))) {
- fprintf(stderr, "Error opening %s: %s\n", filename,
- strerror(errno));
return LDNS_STATUS_FILE_ERR;
}
while (!feof(fp)) {
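Review bot: With the message removed, read_key_file now signals a failed fopen() only through LDNS_STATUS_FILE_ERR, and the -k case further down reports strerror(errno) for it, which is correct only while nothing between the failed fopen() and the caller's strerror() touches errno. Record that contract at the early return, e.g. `/* errno from fopen() is left intact for the caller to report */`, so a later cleanup inserted on this path does not clobber it. The same applies to the matching hunk in examples/ldns-verify-zone.c. read_key_file starts outside the hunk.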
@@ -668,7 +675,8 @@ dane_lookup_addresses(ldns_resolver* res, ldns_rdf* dname,
} else if (s != LDNS_STATUS_OK) {
LDNS_ERR(s, "dane_query");
- } else if (! ldns_rr_list_push_rr_list(r, as)) {
+ }
+ if (! ldns_rr_list_push_rr_list(r, as)) {
MEMERR("ldns_rr_list_push_rr_list");
}
}
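Review bot: Turning the `else if` into a separate `if` means ldns_rr_list_push_rr_list(r, as) now also runs on the path taken by the first branch of this chain, which lies outside the hunk; if that branch (presumably the insecure or bogus lookup case) can leave `as` NULL or unset, the push now dereferences it, so that branch needs checking. If pushing on that path is intended, say so in place, e.g. `/* push even when the lookup was not secure; the caller decides whether that is acceptable */`. The same change is made for `aaas` in the next hunk, and dane_lookup_addresses starts and ends outside both hunks.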
@@ -685,7 +693,8 @@ dane_lookup_addresses(ldns_resolver* res, ldns_rdf* dname,
} else if (s != LDNS_STATUS_OK) {
LDNS_ERR(s, "dane_query");
- } else if (! ldns_rr_list_push_rr_list(r, aaas)) {
+ }
+ if (! ldns_rr_list_push_rr_list(r, aaas)) {
MEMERR("ldns_rr_list_push_rr_list");
}
}
@@ -1035,7 +1044,7 @@ dane_verify(ldns_rr_list* tlsas, ldns_rdf* address,
int
-main(int argc, char** argv)
+main(int argc, char* const* argv)
{
int c;
enum { UNDETERMINED, VERIFY, CREATE } mode = UNDETERMINED;
@@ -1049,14 +1058,23 @@ main(int argc, char** argv)
bool verify_server_name = true;
bool interact = false;
- char* CAfile = NULL;
- char* CApath = NULL;
+#if HAVE_DANE_CA_FILE
+ const char* CAfile = LDNS_DANE_CA_FILE;
+#else
+ const char* CAfile = NULL;
+#endif
+#if HAVE_DANE_CA_PATH
+ const char* CApath = LDNS_DANE_CA_PATH;
+#else
+ const char* CApath = NULL;
+#endif
char* cert_file = NULL;
X509* cert = NULL;
STACK_OF(X509)* extra_certs = NULL;
- ldns_rr_list* keys = ldns_rr_list_new();
- size_t nkeys = 0;
+ ldns_rr_list* keys = ldns_rr_list_new();
+ size_t nkeys = 0;
+ bool do_sigchase = false;
ldns_rr_list* addresses = ldns_rr_list_new();
ldns_rr* address_rr;
@@ -1102,7 +1120,7 @@ main(int argc, char** argv)
if (! keys || ! addresses) {
MEMERR("ldns_rr_list_new");
}
- while((c = getopt(argc, argv, "46a:bc:df:hik:no:p:st:uvV:")) != -1) {
+ while((c = getopt(argc, argv, "46a:bc:df:hik:no:p:sSt:uvV:")) != -1) {
switch(c) {
case 'h':
print_usage("ldns-dane");
@@ -1164,10 +1182,14 @@ main(int argc, char** argv)
break;
case 'k':
s = read_key_file(optarg, keys);
+ if (s == LDNS_STATUS_FILE_ERR) {
+ fprintf(stderr, "Error opening %s: %s\n",
+ optarg, strerror(errno));
+ }
LDNS_ERR(s, "Could not parse key file");
if (ldns_rr_list_rr_count(keys) == nkeys) {
- fprintf(stderr, "No keys found in file %s\n",
- optarg);
+ fprintf(stderr, "No keys found in file"
+ " %s\n", optarg);
exit(EXIT_FAILURE);
}
nkeys = ldns_rr_list_rr_count(keys);
@@ -1184,6 +1206,9 @@ main(int argc, char** argv)
case 's':
assume_pkix_validity = true;
break;
+ case 'S':
+ do_sigchase = true;
+ break;
case 't':
tlsas_file = optarg;
break;
@@ -1222,13 +1247,51 @@ main(int argc, char** argv)
}
}
+ if (do_sigchase) {
+ if (nkeys == 0) {
+ (void) read_key_file(LDNS_TRUST_ANCHOR_FILE, keys);
+ nkeys = ldns_rr_list_rr_count(keys);
+
+ if (nkeys == 0) {
+ fprintf(stderr, "Unable to chase "
+ "signature without keys.\n");
+ exit(EXIT_FAILURE);
+ }
+ }
+ } else {
+ keys = NULL;
+ }
+
argc -= optind;
argv += optind;
- if (argc == 0 && tlsas_file != NULL) {
+ if (argc == 0) {
+
+ print_usage("ldns-dane");
+ }
+ if (strncasecmp(*argv, "create", strlen(*argv)) == 0) {
+
+ mode = CREATE;
+ argc--;
+ argv++;
+
+ } else if (strncasecmp(*argv, "verify", strlen(*argv)) == 0) {
mode = VERIFY;
+ argc--;
+ argv++;
+
+ } else {
+ fprintf(stderr, "Specify create or verify mode\n");
+ exit(EXIT_FAILURE);
+ }
+ if (mode == VERIFY && argc == 0) {
+
+ if (! tlsas_file) {
+ fprintf(stderr, "ERROR! Nothing given to verify\n");
+ exit(EXIT_FAILURE);
+ }
s = dane_read_tlsas_from_file(&tlsas, tlsas_file, NULL);
LDNS_ERR(s, "could not read tlas from file");
@@ -1321,16 +1384,18 @@ main(int argc, char** argv)
MEMERR("ldns_rdf2str");
}
+
} else if (argc < 2) {
print_usage("ldns-dane");
} else {
- name_str = argv[0];
+ name_str = *argv++; argc--;
s = ldns_str2rdf_dname(&name, name_str);
LDNS_ERR(s, "could not ldns_str2rdf_dname");
- port = (uint16_t)dane_int_within_range(argv[1], 65535, "port");
+ port = (uint16_t)dane_int_within_range(*argv++, 65535, "port");
+ --argc;
s = ldns_dane_create_tlsa_owner(&tlsa_owner,
name, port, transport);
@@ -1341,10 +1406,12 @@ main(int argc, char** argv)
}
}
- if (argc == 2) {
-
- mode = VERIFY;
+ switch (mode) {
+ case VERIFY:
+ if (argc > 0) {
+ print_usage("ldns-dane");
+ }
if (tlsas_file) {
s = dane_read_tlsas_from_file(&tlsas, tlsas_file,
@@ -1391,39 +1458,57 @@ main(int argc, char** argv)
tlsas = dane_no_pkix_transform(originals);
}
- } else if (argc == 5) {
-
- mode = CREATE;
-
- tlsas = ldns_rr_list_new();
-
- certificate_usage = dane_int_within_range_table(
- argv[2], 3, "certificate usage",
- dane_certificate_usage_table);
- selector = dane_int_within_range_table(
- argv[3], 1, "selector",
- dane_selector_table);
+ break;
- if (*argv[4] && /* strlen(argv[4]) > 0 */
- (strncasecmp(argv[4], "no-hash-used",
- strlen(argv[4])) == 0 ||
- strncasecmp(argv[4], "no hash used",
- strlen(argv[4])) == 0 )) {
- matching_type = 0;
+ case CREATE:
+ if (argc > 0) {
+ certificate_usage = dane_int_within_range_table(
+ *argv++, 3, "certificate usage",
+ dane_certificate_usage_table);
+ argc--;
+ } else {
+ certificate_usage =
+ LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE;
+ }
+ if (argc > 0) {
+ selector = dane_int_within_range_table(
+ *argv++, 1, "selector",
+ dane_selector_table);
+ argc--;
+ } else {
+ selector = LDNS_TLSA_SELECTOR_FULL_CERTIFICATE;
+ }
+ if (argc > 0) {
+ if (*argv && /* strlen(argv) > 0 */
+ (strncasecmp(*argv, "no-hash-used",
+ strlen(*argv)) == 0 ||
+ strncasecmp(*argv, "no hash used",
+ strlen(*argv)) == 0 )) {
+ matching_type =
+ LDNS_TLSA_MATCHING_TYPE_NO_HASH_USED;
- } else if (strcasecmp(argv[4], "sha256") == 0 ||
- strcasecmp(argv[4], "sha-256") == 0) {
+ } else if (strcasecmp(*argv, "sha256") == 0 ||
+ strcasecmp(*argv, "sha-256") == 0) {
- matching_type = 1;
+ matching_type = LDNS_TLSA_MATCHING_TYPE_SHA256;
- } else if (strcasecmp(argv[4], "sha512") == 0 ||
- strcasecmp(argv[4], "sha-512") == 0) {
+ } else if (strcasecmp(*argv, "sha512") == 0 ||
+ strcasecmp(*argv, "sha-512") == 0) {
- matching_type = 2;
+ matching_type = LDNS_TLSA_MATCHING_TYPE_SHA512;
+ } else {
+ matching_type = dane_int_within_range(
+ *argv, 2, "matching type");
+ }
+ argv++;
+ argc--;
} else {
- matching_type = dane_int_within_range(argv[4], 2,
- "matching type");
+ matching_type = LDNS_TLSA_MATCHING_TYPE_SHA256;
+ }
+ if (argc > 0) {
+
+ print_usage("ldns-dane");
}
if ((certificate_usage == LDNS_TLSA_USAGE_CA_CONSTRAINT ||
certificate_usage ==
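Review bot: The guard on the matching-type argument changed from `*argv[4]` (first character non-zero) to `*argv` (pointer non-NULL), which is always true inside `if (argc > 0)`, so the `/* strlen(argv) > 0 */` comment no longer describes the check and an empty argument now matches "no-hash-used" through a zero-length strncasecmp instead of falling through to dane_int_within_range, which would have rejected it. Restore the original intent with `if (**argv && /* strlen(*argv) > 0 */`. The enclosing switch and main continue outside this hunk.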
@@ -1444,9 +1529,11 @@ main(int argc, char** argv)
exit(EXIT_FAILURE);
}
- } else if (mode == UNDETERMINED) {
-
- print_usage("ldns-dane");
+ tlsas = ldns_rr_list_new();
+ break;
+ default:
+ fprintf(stderr, "Unreachable code\n");
+ assert(0);
}
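Review bot: The new `default:` arm ends with `assert(0)`, which compiles to nothing under NDEBUG, so a release build would print "Unreachable code" and continue into the SSL setup below with `tlsas` still unset. Terminate unconditionally: `assert(0); exit(EXIT_FAILURE);` (or `abort()`). Whether <assert.h> is included in this file is not visible in the diff.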
/* ssl inititalize */
diff --git a/examples/ldns-test-edns.c b/examples/ldns-test-edns.c
index d9d708c7..b4292a0f 100644
--- a/examples/ldns-test-edns.c
+++ b/examples/ldns-test-edns.c
@@ -15,6 +15,18 @@
/** print error details */
static int verb = 1;
+struct sockaddr_in6* cast_sockaddr_storage2sockaddr_in6(
+ struct sockaddr_storage* s)
+{
+ return (struct sockaddr_in6*)s;
+}
+
+struct sockaddr_in* cast_sockaddr_storage2sockaddr_in(
+ struct sockaddr_storage* s)
+{
+ return (struct sockaddr_in*)s;
+}
+
/** parse IP address */
static int
convert_addr(char* str, int p, struct sockaddr_storage* addr, socklen_t* len)
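Review bot: The two new cast helpers are defined with external linkage and without a prior prototype, so they are exported from the example's object and trip -Wmissing-prototypes, while their purpose is not stated. Make them `static` and head each with a one-line comment such as `/* single place for the sockaddr_storage -> sockaddr_in6 cast used by convert_addr() */` (and the sockaddr_in twin), so a reader knows they exist to localise the cast rather than to add a check.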
@@ -22,8 +34,10 @@ convert_addr(char* str, int p, struct sockaddr_storage* addr, socklen_t* len)
#ifdef AF_INET6
if(strchr(str, ':')) {
*len = (socklen_t)sizeof(struct sockaddr_in6);
- ((struct sockaddr_in6*)addr)->sin6_family = AF_INET6;
- ((struct sockaddr_in6*)addr)->sin6_port = htons((uint16_t)p);
+ cast_sockaddr_storage2sockaddr_in6(addr)->sin6_family =
+ AF_INET6;
+ cast_sockaddr_storage2sockaddr_in6(addr)->sin6_port =
+ htons((uint16_t)p);
if(inet_pton(AF_INET6, str,
&((struct sockaddr_in6*)addr)->sin6_addr) == 1)
return 1;
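Review bot: The assignments now go through cast_sockaddr_storage2sockaddr_in6(), but the inet_pton() argument two lines later still spells the cast out as `&((struct sockaddr_in6*)addr)->sin6_addr`, so the hunk is inconsistent with itself; use `&cast_sockaddr_storage2sockaddr_in6(addr)->sin6_addr` there. The next hunk has the same leftover for the IPv4 case (`&((struct sockaddr_in*)addr)->sin_addr`). convert_addr starts and ends outside these hunks.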
@@ -31,9 +45,11 @@ convert_addr(char* str, int p, struct sockaddr_storage* addr, socklen_t* len)
#endif
*len = (socklen_t)sizeof(struct sockaddr_in);
#ifndef S_SPLINT_S
- ((struct sockaddr_in*)addr)->sin_family = AF_INET;
+ cast_sockaddr_storage2sockaddr_in(addr)->sin_family =
+ AF_INET;
#endif
- ((struct sockaddr_in*)addr)->sin_port = htons((uint16_t)p);
+ cast_sockaddr_storage2sockaddr_in(addr)->sin_port =
+ htons((uint16_t)p);
if(inet_pton(AF_INET, str,
&((struct sockaddr_in*)addr)->sin_addr) == 1)
return 1;
diff --git a/examples/ldns-verify-zone.1 b/examples/ldns-verify-zone.1.in
index a4cb767d..e03b7003 100644
--- a/examples/ldns-verify-zone.1
+++ b/examples/ldns-verify-zone.1.in
@@ -37,6 +37,9 @@ Default signatures should just be valid now.
A file that contains a trusted DNSKEY or DS rr.
This option may be given more than once.
+Alternatively, if \fB-k\fR is not specified, and a default trust anchor
+(@LDNS_TRUST_ANCHOR_FILE@) exists and contains a valid DNSKEY or DS record,
+it will be used as the trust anchor.
.TP
\fB-p\fR \fI[0-100]\fR
Only check this percentage of the zone.
@@ -77,6 +80,16 @@ P[n]Y[n]M[n]DT[n]H[n]M[n]S
.LP
If no file is given standard input is read.
+.SH "FILES"
+.TP
+@LDNS_TRUST_ANCHOR_FILE@
+The file from which trusted keys are loaded for signature chasing,
+when no \fB-k\fR option is given.
+
+.SH "SEE ALSO"
+.LP
+unbound-anchor(8)
+
.SH AUTHOR
Written by the ldns team as an example for ldns usage.
diff --git a/examples/ldns-verify-zone.c b/examples/ldns-verify-zone.c
index 9a8e13f9..0bbb97f4 100644
--- a/examples/ldns-verify-zone.c
+++ b/examples/ldns-verify-zone.c
@@ -66,10 +66,6 @@ read_key_file(const char *filename, ldns_rr_list *keys)
int line_nr;
if (!(fp = fopen(filename, "r"))) {
- if (verbosity > 0) {
- fprintf(myerr, "Error opening %s: %s\n", filename,
- strerror(errno));
- }
return LDNS_STATUS_FILE_ERR;
}
while (!feof(fp)) {
@@ -754,7 +750,8 @@ main(int argc, char **argv)
"now)\n");
printf("\t-k <file>\tspecify a file that contains a "
"trusted DNSKEY or DS rr.\n\t\t\t"
- "This option may be given more than once.\n");
+ "This option may be given more than once.\n"
+ "\t\t\tDefault is %s", LDNS_TRUST_ANCHOR_FILE);
printf("\t-p [0-100]\tonly checks this percentage of "
"the zone.\n\t\t\tDefaults to 100\n");
printf("\t-S\t\tchase signature(s) to a known key. "
@@ -799,6 +796,13 @@ main(int argc, char **argv)
break;
case 'k':
s = read_key_file(optarg, keys);
+ if (s == LDNS_STATUS_FILE_ERR) {
+ if (verbosity > 0) {
+ fprintf(myerr,
+ "Error opening %s: %s\n",
+ optarg, strerror(errno));
+ }
+ }
if (s != LDNS_STATUS_OK) {
if (verbosity > 0) {
fprintf(myerr,
@@ -860,11 +864,16 @@ main(int argc, char **argv)
}
}
if (do_sigchase && nkeys == 0) {
- if (verbosity > 0) {
- fprintf(myerr,
- "Unable to chase signature without keys.\n");
+ (void) read_key_file(LDNS_TRUST_ANCHOR_FILE, keys);
+ nkeys = ldns_rr_list_rr_count(keys);
+
+ if (nkeys == 0) {
+ if (verbosity > 0) {
+ fprintf(myerr, "Unable to chase "
+ "signature without keys.\n");
+ }
+ exit(EXIT_FAILURE);
}
- exit(EXIT_FAILURE);
}
argc -= optind;