diff options
| author | Lennart Poettering <lennart@poettering.net> | 2016-01-02 22:12:13 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2016-01-03 12:59:26 +0100 |
| commit | 8e54f5d90a6b9dd1ff672fb97ea98de66c49e332 (patch) | |
| tree | 62f9c69d04c8925d7ff78aabf9755482c3e24ee7 /src/resolve/resolved-dns-dnssec.c | |
| parent | e48b9a6490222f59201615a1be25c0a46d7d79b5 (diff) | |
resolved: add negative trust anchro support, and add trust anchor configuration files
This adds negative trust anchor support and allows reading trust anchor
data from disk, from files
/etc/systemd/dnssec-trust-anchors.d/*.positive and
/etc/systemd/dnssec-trust-anchros.d/*.negative, as well as the matching
counterparts in /usr/lib and /run.
The positive trust anchor files are more or less compatible to normal
DNS zone files containing DNSKEY and DS RRs. The negative trust anchor
files contain only new-line separated hostnames for which to require no
signing.
By default no trust anchor files are installed, in which case the
compiled-in root domain DS RR is used, as before. As soon as at least
one positive root anchor for the root is defined via trust anchor files
this buil-in DS RR is not added though.
Diffstat (limited to 'src/resolve/resolved-dns-dnssec.c')
| -rw-r--r-- | src/resolve/resolved-dns-dnssec.c | 1 |
1 files changed, 0 insertions, 1 deletions
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c index 7736a67d96..b7c0b5b824 100644 --- a/src/resolve/resolved-dns-dnssec.c +++ b/src/resolve/resolved-dns-dnssec.c @@ -35,7 +35,6 @@ * * TODO: * - * - Make trust anchor store read additional DS+DNSKEY data from disk * - wildcard zones compatibility (NSEC/NSEC3 wildcard check is missing) * - multi-label zone compatibility * - cname/dname compatibility |