[Swan-dev] why remove USERLAND_CFLAGS+=-DDEFAULT_DNSSEC_ROOTKEY_FILE

Paul Wouters paul at nohats.ca
Wed Sep 13 16:31:51 UTC 2017


On Wed, 13 Sep 2017, Antony Antony wrote:

> may be you can do it using smart #ifndef in dnssec.h, I am not sure, test
> it:)

I'll look at doing that.

> If the feature is disabled at compile time ipsec status output with
> "<unset>" is confuses me. It gives the wrong that idea it can be set while
> it is disabled.
>
> However looking further I notice there is "secctx-attr-type=<unsupported>"
> when it is disabled at compile time. That would be better if we really want
> it.

We can use <unsupported> instead of <unset>

> If DNSSEC is enabled it will be at the start of the pluto log.
> In every "ipsec status output" "unsupported" seems a bit overdoing for me.

People often only give partial logs. Asking them for "ipsec status" is
easier and gets us a complete picture.

> Is there a command to get this output via whack?

Yes, "ipsec status" :)

Paul


More information about the Swan-dev mailing list