- Removed dependancy for dnssec-conf

- Added ISC DLV key (formerly in dnssec-conf)
- Fixup old DLV locations in unbound.conf file via %post

dlv.isc.org.key

@@ -0,0 +1,2 @@
+; https://secure.isc.org/ops/dlv/dlv.isc.org.key
+dlv.isc.org. IN DNSKEY 257 3 5 BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh

unbound-lame-r1953.patch

@@ -0,0 +1,348 @@
+Index: iterator/iter_delegpt.c
+===================================================================
+--- iterator/iter_delegpt.c	(revision 1952)
++++ iterator/iter_delegpt.c	(revision 1953)
+@@ -154,11 +154,13 @@
+ 		/* ignore it */
+ 		return 1;
+ 	}
+-	if(addr_is_ip6(addr, addrlen))
+-		ns->got6 = 1;
+-	else	ns->got4 = 1;
+-	if(ns->got4 && ns->got6)
+-		ns->resolved = 1;
++	if(!lame) {
++		if(addr_is_ip6(addr, addrlen))
++			ns->got6 = 1;
++		else	ns->got4 = 1;
++		if(ns->got4 && ns->got6)
++			ns->resolved = 1;
++	}
+ 	return delegpt_add_addr(dp, region, addr, addrlen, bogus, lame, nodup);
+ }
+ 
+@@ -254,10 +256,11 @@
+ 			(dp->bogus?" BOGUS":"") );
+ 		}
+ 		for(a = dp->target_list; a; a = a->next_target) {
+-			if(a->bogus) 
+-				log_addr(VERB_ALGO, "  BOGUS ", 
+-					&a->addr, a->addrlen);
+-			else log_addr(VERB_ALGO, "  ", &a->addr, a->addrlen);
++			const char* str = "  ";
++			if(a->bogus && a->lame) str = "  BOGUS ADDR_LAME ";
++			else if(a->bogus) str = "  BOGUS ";
++			else if(a->lame) str = "  ADDR_LAME ";
++			log_addr(VERB_ALGO, str, &a->addr, a->addrlen);
+ 		}
+ 	}
+ }
+@@ -448,3 +451,13 @@
+ 		}
+ 	}
+ }
++
++void delegpt_no_ipv6(struct delegpt* dp)
++{
++	struct delegpt_ns* ns;
++	for(ns = dp->nslist; ns; ns = ns->next) {
++		/* no ipv6, so only ipv4 is enough to resolve a nameserver */
++		if(ns->got4)
++			ns->resolved = 1;
++	}
++}
+Index: iterator/iter_delegpt.h
+===================================================================
+--- iterator/iter_delegpt.h	(revision 1952)
++++ iterator/iter_delegpt.h	(revision 1953)
+@@ -314,4 +314,11 @@
+  */
+ void delegpt_add_neg_msg(struct delegpt* dp, struct msgreply_entry* msg);
+ 
++/**
++ * Register the fact that there is no ipv6 and thus AAAAs are not going 
++ * to be queried for or be useful.
++ * @param dp: the delegation point. Updated to reflect no ipv6.
++ */
++void delegpt_no_ipv6(struct delegpt* dp);
++
+ #endif /* ITERATOR_ITER_DELEGPT_H */
+Index: iterator/iterator.c
+===================================================================
+--- iterator/iterator.c	(revision 1952)
++++ iterator/iterator.c	(revision 1953)
+@@ -1305,6 +1305,8 @@
+ 		verbose(VERB_QUERY, "Failed to get a delegation, giving up");
+ 		return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
+ 	}
++	if(!ie->supports_ipv6)
++		delegpt_no_ipv6(iq->dp);
+ 	delegpt_log(VERB_ALGO, iq->dp);
+ 
+ 	if(iq->num_current_queries>0) {
+Index: doc/Changelog
+===================================================================
+--- doc/Changelog	(revision 1952)
++++ doc/Changelog	(revision 1953)
+@@ -1,3 +1,11 @@
++8 January 2010: Wouter
++	- Fix for parent-child disagreement code which could have trouble
++	  when (a) ipv6 was disabled and (b) the TTL for parent and child
++	  were different.  There were two bugs, the parent-side information
++	  is fixed to no longer block lookup of child side information and
++	  the iterator is fixed to no longer attempt to get ipv6 when it is
++	  not enabled and then give up in failure.
++
+ 7 January 2010: Wouter
+ 	- Fixup python documentation (thanks Leo Vandewoestijne).
+ 	- Work on cache prefetch feature.
+Index: testdata/iter_pcttl.rpl
+===================================================================
+--- testdata/iter_pcttl.rpl	(revision 0)
++++ testdata/iter_pcttl.rpl	(revision 1953)
+@@ -0,0 +1,245 @@
++; config options
++server:
++	target-fetch-policy: "0 0 0 0 0"
++	do-ip6: no
++
++stub-zone:
++	name: "."
++	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
++CONFIG_END
++
++SCENARIO_BEGIN Test cache ttls where parent child differ in ttl
++; and the lameness for parent suddenly becomes the only information point.
++
++; K.ROOT-SERVERS.NET.
++RANGE_BEGIN 0 100
++	ADDRESS 193.0.14.129 
++ENTRY_BEGIN
++MATCH opcode qtype qname
++ADJUST copy_id
++REPLY QR NOERROR
++SECTION QUESTION
++. IN NS
++SECTION ANSWER
++. IN NS	K.ROOT-SERVERS.NET.
++SECTION ADDITIONAL
++K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
++ENTRY_END
++
++ENTRY_BEGIN
++MATCH opcode subdomain
++ADJUST copy_id copy_query
++REPLY QR NOERROR
++SECTION QUESTION
++com. IN NS
++SECTION AUTHORITY
++com.	IN NS	a.gtld-servers.net.
++SECTION ADDITIONAL
++a.gtld-servers.net.	IN 	A	192.5.6.30
++ENTRY_END
++
++ENTRY_BEGIN
++MATCH opcode subdomain
++ADJUST copy_id copy_query
++REPLY QR NOERROR
++SECTION QUESTION
++net. IN NS
++SECTION AUTHORITY
++net.	IN NS	e.gtld-servers.net.
++SECTION ADDITIONAL
++e.gtld-servers.net.	IN 	A	192.12.94.30
++ENTRY_END
++
++RANGE_END
++
++; a.gtld-servers.net.
++RANGE_BEGIN 0 100
++	ADDRESS 192.5.6.30
++ENTRY_BEGIN
++MATCH opcode qtype qname
++ADJUST copy_id
++REPLY QR NOERROR
++SECTION QUESTION
++com. IN NS
++SECTION ANSWER
++com.	IN NS	a.gtld-servers.net.
++SECTION ADDITIONAL
++a.gtld-servers.net.	IN 	A	192.5.6.30
++ENTRY_END
++
++ENTRY_BEGIN
++MATCH opcode subdomain
++ADJUST copy_id copy_query
++REPLY QR NOERROR
++SECTION QUESTION
++example.com. IN NS
++SECTION AUTHORITY
++example.com.	IN NS	ns.foo.com.
++SECTION ADDITIONAL
++;ns.foo.com.	200 	IN 	A	1.2.3.44
++ENTRY_END
++
++ENTRY_BEGIN
++MATCH opcode subdomain
++ADJUST copy_id copy_query
++REPLY QR NOERROR
++SECTION QUESTION
++foo.com. IN NS
++SECTION AUTHORITY
++foo.com.	200 IN NS	ns.foo.com.
++SECTION ADDITIONAL
++ns.foo.com.	200 	IN 	A	1.2.3.44
++ENTRY_END
++
++RANGE_END
++
++; e.gtld-servers.net.
++RANGE_BEGIN 0 100
++	ADDRESS 192.12.94.30
++ENTRY_BEGIN
++MATCH opcode qtype qname
++ADJUST copy_id
++REPLY QR NOERROR
++SECTION QUESTION
++net. IN NS
++SECTION ANSWER
++net.	IN NS	e.gtld-servers.net.
++SECTION ADDITIONAL
++e.gtld-servers.net.	IN 	A	192.12.94.30
++ENTRY_END
++
++RANGE_END
++
++; ns.foo.com.
++; The parent-IP version
++RANGE_BEGIN 0 100
++	ADDRESS 1.2.3.44
++ENTRY_BEGIN
++MATCH opcode qtype qname
++ADJUST copy_id
++REPLY AA QR NOERROR
++SECTION QUESTION
++foo.com. IN NS
++SECTION ANSWER
++foo.com.	200 IN NS	ns.foo.com.
++SECTION ADDITIONAL
++ns.foo.com.	100 	IN 	A	1.2.3.44
++ENTRY_END
++
++ENTRY_BEGIN
++MATCH opcode qtype qname
++ADJUST copy_id
++REPLY AA QR NOERROR
++SECTION QUESTION
++ns.foo.com. IN A
++SECTION ANSWER
++ns.foo.com. 100 IN A	1.2.3.44
++SECTION AUTHORITY
++foo.com.	200 IN NS	ns.foo.com.
++ENTRY_END
++
++ENTRY_BEGIN
++MATCH opcode qtype qname
++ADJUST copy_id
++REPLY AA QR NOERROR
++SECTION QUESTION
++ns.foo.com. IN AAAA
++SECTION AUTHORITY
++foo.com.    100 IN SOA . . 1 2 3 4 5
++ENTRY_END
++
++ENTRY_BEGIN
++MATCH opcode qtype qname
++ADJUST copy_id
++REPLY AA QR NOERROR
++SECTION QUESTION
++example.com. IN NS
++SECTION ANSWER
++example.com.	200 IN NS	ns.foo.com.
++ENTRY_END
++
++ENTRY_BEGIN
++MATCH opcode qtype qname
++ADJUST copy_id
++REPLY AA QR NOERROR
++SECTION QUESTION
++www.example.com. IN A
++SECTION ANSWER
++www.example.com. 100 IN A	10.20.30.40
++SECTION AUTHORITY
++example.com.	200 IN NS	ns.foo.com.
++SECTION ADDITIONAL
++ns.foo.com 	100 IN A 	1.2.3.44
++ENTRY_END
++RANGE_END
++
++; NOT USED.  The parent side equals child side but not in the cache.
++; and they have different TTLs only.
++; ns.foo.com
++; The child IP version.   Does not respond to anything (servfail instead
++; of timeouts since this is easier to encode in .rpl file format).
++RANGE_BEGIN 0 100
++	ADDRESS 1.2.3.55
++ENTRY_BEGIN
++MATCH opcode 
++ADJUST copy_id copy_query
++REPLY QR SERVFAIL
++SECTION QUESTION
++foo.com. IN NS
++SECTION ANSWER
++ENTRY_END
++
++RANGE_END
++
++STEP 1 QUERY
++ENTRY_BEGIN
++REPLY RD
++SECTION QUESTION
++www.example.com. IN A
++ENTRY_END
++
++; recursion happens here.
++STEP 20 CHECK_ANSWER
++ENTRY_BEGIN
++MATCH all
++REPLY QR RD RA NOERROR
++SECTION QUESTION
++www.example.com. IN A
++SECTION ANSWER
++www.example.com. 100 IN A	10.20.30.40
++SECTION AUTHORITY
++example.com.	100 IN NS	ns.foo.com.
++; scrubbed off
++;SECTION ADDITIONAL
++;ns.foo.com 	IN A 	1.2.3.44
++ENTRY_END
++
++; Now we wait 101 seconds, and the child data is gone,
++; but the parent-side was cached for 200 and it still there.
++
++STEP 30 TIME_PASSES ELAPSE 101
++
++STEP 40 QUERY
++ENTRY_BEGIN
++REPLY RD
++SECTION QUESTION
++www.example.com. IN A
++ENTRY_END
++
++; recursion happens here.
++STEP 50 CHECK_ANSWER
++ENTRY_BEGIN
++MATCH all
++REPLY QR RD RA NOERROR
++SECTION QUESTION
++www.example.com. IN A
++SECTION ANSWER
++www.example.com. 100 IN A	10.20.30.40
++SECTION AUTHORITY
++example.com.	100 IN NS	ns.foo.com.
++; scrubbed off
++;SECTION ADDITIONAL
++;ns.foo.com 	IN A 	1.2.3.44
++ENTRY_END
++
++SCENARIO_END

unbound.conf

@@ -10,15 +10,6 @@
 server:
 	# whitespace is not necessary, but looks cleaner.
 
-	# To enable DNSSEC trust anchors, install the dnssec-keys package and
-	# uncomment the line below, or run dnssec-configure -h for more options
-	# trusted-keys-file: "/etc/pki/dnssec/production.conf"
-
-	# To enable DLV trust anchor with DLV, install the dnssec-keys package
-	# and uncomment the line below, or run dnssec-configure -h for more
-	# options
-	# dlv-anchor-file: "/etc/pki/dnssec-keys/dlv/dlv.isc.org.key"
-
 	# verbosity number, 0 is least verbose. 1 is default.
 	verbosity: 1
 
@@ -300,8 +291,8 @@ server:
 	
 	# File with DLV trusted keys. Same format as trust-anchor-file.
 	# There can be only one DLV configured, it is trusted from root down.
-	# Download https://secure.isc.org/ops/dlv/dlv.isc.org.key
+	# Downloaded from https://secure.isc.org/ops/dlv/dlv.isc.org.key
-	# dlv-anchor-file: "/etc/pki/dnssec-keys/dlv.isc.org.key"
+	dlv-anchor-file: "/etc/unbound/dlv.isc.org.key"
 
 	# File with trusted keys for validation. Specify more than one file
 	# with several entries, one file per entry.

unbound.spec

@@ -9,18 +9,15 @@
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.4.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: BSD
 Url: http://www.nlnetlabs.nl/unbound/
 Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
 Source1: unbound.init
 Source2: unbound.conf
 Source3: unbound.munin
-# See the unbound svn repository for further documentation on these
+Source4: dlv.isc.org.key
-#Patch1: unbound-r1657.patch
+Patch1: unbound-1.2-glob.patch
-#Patch2: unbound-r1670.patch
-#Patch3: unbound-r1677.patch
-Patch4: unbound-1.2-glob.patch
 
 Group: System Environment/Daemons
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -34,9 +31,8 @@ Requires(post): chkconfig
 Requires(preun): chkconfig
 Requires(preun): initscripts
 Requires(postun): initscripts
-Requires: ldns >= 1.5.0, dnssec-conf >= 1.19
+Requires: ldns >= 1.5.0
 Requires(pre): shadow-utils
-Requires: dnssec-conf
 
 %description
 Unbound is a validating, recursive, and caching DNS(SEC) resolver.
@@ -88,10 +84,7 @@ Python modules and extensions for unbound
 
 %prep
 %setup -q 
-#%patch1
+%patch1 -p1
-#%patch2
-#%patch3
-%patch4 -p1
 
 %build
 %configure  --with-ldns= --with-libevent --with-pthreads --with-ssl \
@@ -119,6 +112,9 @@ for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unboun
     ln -s unbound %{buildroot}%{_datadir}/munin/plugins/$plugin
 done 
 
+# install DLV key
+install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/unbound/
+
 # remove static library from install (fedora packaging guidelines)
 rm -rf %{buildroot}%{_libdir}/*.la
 
@@ -134,6 +130,7 @@ rm -rf ${RPM_BUILD_ROOT}
 %attr(0755,root,root) %dir %{_sysconfdir}/%{name}
 %attr(0755,unbound,unbound) %dir %{_localstatedir}/run/%{name}
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
 %{_sbindir}/*
 %{_mandir}/*/*
 
@@ -167,15 +164,11 @@ exit 0
 
 %post
 /sbin/chkconfig --add %{name}
-# Check DNSSEC settings if this is a fresh install
+# dnssec-conf used to contain our DLV key, but now we include it via unbound
-if [ "$1" -eq 1 ]; then
+# If unbound had previously been configured with dnssec-configure, we need
-  if [ -r /etc/sysconfig/dnssec ]; then
+# to migrate the location of the DLV key file (to keep DLV enabled, and because
-    . /etc/sysconfig/dnssec
+# unbound won't start with a bad location for a DLV key file.
-    [ -x /usr/sbin/dnssec-configure ] && \
+sed -i "s:/etc/pki/dnssec-keys[/]*dlv:/etc/unbound:" %{_sysconfdir}/unbound/unbound.conf
-      dnssec-configure -u --norestart --nocheck --dnssec="$DNSSEC" --dlv="$DLV" > \
-        /dev/null 2>&1
-  fi;
-fi
 
 %post libs -p /sbin/ldconfig
 
@@ -193,6 +186,11 @@ fi
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Thu Feb 18 2010 Paul Wouters <paul@xelerance.com> - 1.4.1-2
+- Removed dependancy for dnssec-conf
+- Added ISC DLV key (formerly in dnssec-conf)
+- Fixup old DLV locations in unbound.conf file via %%post
+
 * Tue Jan 05 2010 Paul Wouters <paul@xelerance.com> - 1.4.1-1
 - Updated to 1.4.1
 - Changed %%define to %%global