author | Christian Grothoff <christian@grothoff.org> | 2013-10-23 12:01:31 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2013-10-23 18:47:25 +0200 |
commit | a960a0fd4ab2aa6166c9f42914442c7e6630dcfb (patch) | |
tree | d46f2ff916a41ec2b92b01bf3add4765ac8da1e7 /libdane | |
parent | f934a60a65d54b907296ec18e6413e9ec0f4eb45 (diff) | |
download | gnutls-a960a0fd4ab2aa6166c9f42914442c7e6630dcfb.tar.gz |
Adding option DANE_F_IGNORE_DNSSEC to disable loading of the DNSSEC root key entirely when initializing a dane_state_t.
This is a useful optimization if the DANE/TLSA data is initialized
from a source other than libunbound/DNS, as then the DNSSEC root key
would not be used anyway. Worse, if we failed to read the DNSSEC
root key, this would create a failure even though for applications
that do not use DNSSEC (but do use DANE/TLSA) such a failure would
be totally harmless.
Diffstat (limited to 'libdane')
-rw-r--r-- | libdane/dane.c | 11 | ||||
-rw-r--r-- | libdane/includes/gnutls/dane.h | 2 |
2 files changed, 9 insertions, 4 deletions
diff --git a/libdane/dane.c b/libdane/dane.c
index 4f278eca6d..04e6823d30 100644
--- a/libdane/dane.c
+++ b/libdane/dane.c
@@ -172,10 +172,13 @@ int dane_state_init(dane_state_t* s, unsigned int flags)
 }
 /* read public keys for DNSSEC verification */
- if( (ret=ub_ctx_add_ta_file(ctx, (char*)UNBOUND_ROOT_KEY_FILE)) != 0) {
- gnutls_assert();
- ret = DANE_E_INITIALIZATION_ERROR;
- goto cleanup;
+ if (!(flags & DANE_F_IGNORE_DNSSEC))
+ {
+ if( (ret=ub_ctx_add_ta_file(ctx, (char*)UNBOUND_ROOT_KEY_FILE)) != 0) {
+ gnutls_assert();
+ ret = DANE_E_INITIALIZATION_ERROR;
+ goto cleanup;
+ }
 }
 (*s)->ctx = ctx;
diff --git a/libdane/includes/gnutls/dane.h b/libdane/includes/gnutls/dane.h
index 21413ea14c..3ce56fb808 100644
--- a/libdane/includes/gnutls/dane.h
+++ b/libdane/includes/gnutls/dane.h
@@ -96,6 +96,7 @@ typedef struct dane_query_st *dane_query_t;
  * dane_state_flags_t:
  * @DANE_F_IGNORE_LOCAL_RESOLVER: Many systems are not DNSSEC-ready. In that case the local resolver is ignored, and a direct recursive resolve occurs.
  * @DANE_F_INSECURE: Ignore any DNSSEC signature verification errors.
+ * @DANE_F_IGNORE_DNSSEC: Do not try to initialize DNSSEC as we will not use it (will then not try to load the DNSSEC root certificate). Useful if the TLSA data does not come from DNS.
  *
  * Enumeration of different verification flags.
  */
@@ -103,6 +104,7 @@ typedef enum dane_state_flags_t {
 DANE_F_IGNORE_LOCAL_RESOLVER = 1,
 DANE_F_INSECURE=2,
+ DANE_F_IGNORE_DNSSEC=4
 } dane_state_flags_t;
 int dane_state_init (dane_state_t* s, unsigned int flags); |
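Review bot: Skipping ub_ctx_add_ta_file() leaves the libunbound context with no trust anchor, but nothing in this hunk stops the same dane_state_t from being handed to the DNS query path later; without an anchor libunbound will not validate, so a TLSA answer obtained through DNS on such a state would be accepted as if it were verified unless the query function rejects it. The flag should be recorded on the state (I cannot see from this hunk whether flags is already stored in *s) and the DNS query path should fail with an error when DANE_F_IGNORE_DNSSEC is set and DANE_F_INSECURE is not, so that "no DNSSEC" never silently degrades into "unvalidated DNSSEC". A short comment at the new branch would also help, e.g. `/* DANE_F_IGNORE_DNSSEC: caller supplies TLSA data out of band; this ctx must not be used to validate DNS answers */`. As a point of style, the added `if (...)` / `{` on separate lines does not match the surrounding `if( ... ) {` form; the enclosing dane_state_init starts and ends outside the hunk.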
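Review bot: The new @DANE_F_IGNORE_DNSSEC description says "DNSSEC root certificate", but the code path it disables loads the DNSSEC root trust anchor (a key), and the text does not tell callers the consequence for DNS queries on such a state. I would reword it to `@DANE_F_IGNORE_DNSSEC: Do not load the DNSSEC root trust anchor. Use only when the TLSA data is supplied from a source other than DNS; DNS answers obtained through this state cannot be DNSSEC-validated.` The same applies to the enum hunk below, which adds the value without a trailing comma; keeping `DANE_F_IGNORE_DNSSEC=4,` would make the next addition a one-line change.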