[Swan-dev] why remove USERLAND_CFLAGS+=-DDEFAULT_DNSSEC_ROOTKEY_FILE

Antony Antony antony at phenome.org
Wed Sep 13 16:22:20 UTC 2017


On Tue, Sep 12, 2017 at 10:26:36AM -0400, Paul Wouters wrote:
> On Tue, 12 Sep 2017, Antony Antony wrote:
> 
> > > It is now set using DEFAULT_DNSSEC_ROOTKEY_FILE which has a builtin
> > > default? So you can still set it to build on debian, but you don't have
> > > to tweak USERLAND_CFLAGS for it.
> > 
> > Just setting in the make file without
> > USERLAND_CFLAGS+=-DDEFAULT_DNSSEC_ROOTKEY_FILE=\"${DEFAULT_DNSSEC_ROOTKEY_FILE}\" has no effect.
> > > > After the commit e0a15de DEFAULT_DNSSEC_ROOTKEY_FILE seems to be unused.
> > > > It breaks on Debian default settings.
> > > 
> > > That should not happen. I'll look into that today.
> > 
> > It was still broken, so I pushed a fix!
> 
> I was trying to have it defined by default in an include file, and only
> define it using make to override. That way it does not show up as a huge
> line in the build for every gcc invocation. I can look at changing it
> using an #ifndef in dnssec.h 

Maybe you can do it using a smart #ifndef in dnssec.h; I am not sure, test
it :)

> > If you are missing some features, please report it. Now,
> > dnssec-rootkey-file is printed only when libreswan
> > is compiled with USE_DNSSEC=true
> 
> That is not what I wanted. I want it to always print all the things,
> even if <unset> so we can tell the difference in output between old and
> new versions that do or don't contain a feature. People on the list often
> don't tell us the version they are using, or give incorrect information
> by mistake. Therefore it is better to have the output confirm those things.

If the feature is disabled at compile time, ipsec status output with
"<unset>" confuses me. It gives the wrong idea that it can be set while
it is disabled.

However looking further I notice there is "secctx-attr-type=<unsupported>"
when it is disabled at compile time. That would be better if we really want 
it.

If DNSSEC is enabled it will be at the start of the pluto log.
In every "ipsec status output", "unsupported" seems a bit overdone to me.

Is there a command to get this output via whack?

Starting Pluto (Libreswan Version 
v3.21-178-g147d986b0-147d986b0d2086d404b477222f98407bf47f98db XFRM(netkey) 
KLIPS FORK PTHREAD_SETSCHEDPRIO NSS DNSSEC SYSTEMD_WATCHDOG LIBCAP_NG 
XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) 

-antony

