authorWojciech Kosior <kwojtus@protonmail.com>2020-04-30 19:57:55 +0200
committerWojciech Kosior <kwojtus@protonmail.com>2020-04-30 19:57:55 +0200
commit0255b17ec5dc51e1da81f976f342385dce709a83 (patch)
tree3730d2b4c89b673a32d4006281772d8ce0d92014 /src
parent4b40dabe45118fd4c2fd1a5f9cad89913c09b10e (diff)
download0tdns-0255b17ec5dc51e1da81f976f342385dce709a83.tar.gz
0tdns-0255b17ec5dc51e1da81f976f342385dce709a83.zip
add (incomplete) TLS usage for forwarded queries
Diffstat (limited to 'src')
-rw-r--r--src/0tDNS.c26
1 files changed, 21 insertions, 5 deletions
diff --git a/src/0tDNS.c b/src/0tDNS.c
index 0a03004..92c6bd9 100644
--- a/src/0tDNS.c
+++ b/src/0tDNS.c
@@ -7,6 +7,13 @@
#define DEFAULT_DEBUGLEVEL 0
+/*
+ * This is the path in Debian - in other systems it will be different
+ * and we will need to either somehow find it dynamically or get the path
+ * from the user.
+ */
+#define CA_BUNDLE_FILE "/etc/ssl/certs/ca-certificates.crt"
+
/* In the long run me might rename this file to somewhere else... */
#define TRUST_ANCHOR_FILE "./root.key"
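Review bot: CA_BUNDLE_FILE is introduced here as a hard-coded Debian path, and the commit's only reference to it (the `ub_ctx_set_option(ctx, "tls-cert-bundle:", CA_BUNDLE_FILE)` line in the second hunk) is commented out, so the macro is unused and the location is baked in at compile time. The comment already says the path differs on other systems; a build-time override covers that case without runtime discovery: `#ifndef CA_BUNDLE_FILE`, `#define CA_BUNDLE_FILE "/etc/ssl/certs/ca-certificates.crt"`, `#endif`, so packagers can pass `-DCA_BUNDLE_FILE=...`. Once the DNS-over-TLS block is re-enabled, the bundle is presumably what authenticates the forwarder's certificate, so a missing or wrong path should remain a hard failure (the existing `if (rc) goto out;` handles the libunbound return code) rather than being skipped; a one-line comment above the macro stating that the bundle is required for certificate validation of the forwarder would make that intent explicit.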
@@ -77,24 +84,33 @@ struct ub_ctx *ztdns_create_ub_context(enum resolution_mode mode,
}
if (mode == RECURSIVE) {
- rc = ub_ctx_set_fwd(ctx, resolver_addr);
error_message_format = "Couldn't set forward server: %s\n";
+ rc = ub_ctx_set_fwd(ctx, resolver_addr);
+ if (rc)
+ goto out;
+ /* Make DNS over TLS mandatory for recursive resolvers */
+ /* TODO tls not working for some reason - this has to be fixed */
+ /* error_message_format = "Couldn't enable DNS over TLS: %s\n"; */
+ /* rc = ub_ctx_set_tls(ctx, 1); */
+ /* if (rc) */
+ /* goto out; */
+ /* rc = ub_ctx_set_option(ctx, "tls-cert-bundle:", CA_BUNDLE_FILE); */
} else if (mode == FULL) {
/* TODO use root_hints here for better reliability */
/* For iterative queries we use DNSSEC if possible */
- rc = ub_ctx_add_ta_autr(ctx, TRUST_ANCHOR_FILE);
error_message_format = "Couldn't set trust anchors: %s\n";
+ rc = ub_ctx_add_ta_autr(ctx, TRUST_ANCHOR_FILE);
} else /* if (mode == RESOLV_CONF) */ {
- /* NULL can be passed to use system's default resolv.conf*/
- rc = ub_ctx_resolvconf(ctx, NULL);
+ /* NULL can be passed to use system's default resolv.conf */
error_message_format = "Couldn't use system resolv.conf: %s\n";
+ rc = ub_ctx_resolvconf(ctx, NULL);
}
if (rc)
goto out;
- rc = ub_ctx_debuglevel(ctx, debuglevel);
error_message_format = "Couldn't set debuglevel: %s\n";
+ rc = ub_ctx_debuglevel(ctx, debuglevel);
out:
if (rc) {