From 6f8d333aaeb5508fee8c9c9ad3733e18cc31d8a6 Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Wed, 26 Sep 2012 12:38:51 -0400 Subject: [PATCH] * Wed Sep 26 2012 Paul Wouters - 1.4.18-4 - Patch to allow wildcards in include: statements - Add directories /etc/unbound/keys.d,conf.d,local.d with example entries --- block-example.com.conf | 10 ++ example.com.conf | 17 ++ example.com.key | 7 + unbound-1.4.18-includeglob.patch | 265 +++++++++++++++++++++++++++++++ unbound.conf | 7 + unbound.spec | 25 ++- 6 files changed, 328 insertions(+), 3 deletions(-) create mode 100644 block-example.com.conf create mode 100644 example.com.conf create mode 100644 example.com.key create mode 100644 unbound-1.4.18-includeglob.patch diff --git a/block-example.com.conf b/block-example.com.conf new file mode 100644 index 0000000..4807448 --- /dev/null +++ b/block-example.com.conf @@ -0,0 +1,10 @@ +# entries in this file override toe global DNS +# +# Example blocking email going out to example.com +# +# local-data: "example.com. 3600 IN MX 5 127.0.0.1" +# local-data: "example.com. 3600 IN A 127.0.0.1" + +# This can also be done dynamically using: unbound-control local-data [...] + +# For more complicated redirection, use conf.d/ with stub-add: or forward-add: diff --git a/example.com.conf b/example.com.conf new file mode 100644 index 0000000..30f7f03 --- /dev/null +++ b/example.com.conf 
@@ -0,0 +1,17 @@
+# Example of an override of the "public DNS tree" with an "internal view"
+# override, for example to add an internal-only corporate DNS zone.
+#
+# The stub-zone/stub-addr must point to AUTHORITATIVE servers. If you want to
+# point to an internal RECURSIVE server, use forward-zone/forward-addr instead.
+
+#stub-zone:
+# name: example.com
+# stub-prime: no
+# # if you could trust a lookup, use:
+# stub-host: a.iana-servers.net.
+# stub-host: b.iana-servers.net.
+# # else specify the IP's using:
+# stub-addr: 199.43.132.53
+# stub-addr: 2001:500:8c::53
+# stub-addr: 199.43.133.53
+# stub-addr: 2001:500:8d::53
diff --git a/example.com.key b/example.com.key
new file mode 100644
index 0000000..a70c13f
--- /dev/null
+++ b/example.com.key
@@ -0,0 +1,7 @@
+; // format is BIND trusted-keys format
+; // Ensure to only put KSKs (usually 257) here, not ZSKs (usually 256)
+
+; // trusted-keys {
+; // "example.com." 257 3 8 "AwEAAawt7HplI5M8GGAsxuyCyjF0l+QlcgVN11CRZ4vP66qbDCX0BnShZ11BGb//4zSG/8mmBHirL2FLg+mVuIIxig+iroZYjh4iTKVOhv2hZftRwyrQHK++qXvCCWN3ki51RG/e8R4kOEV71rZ8OgQvPWx6F91qroqOPpcf7PPxippeHOn+PxnP0hpyLyo1mx1rPs/cMpL3jOMufGP+LJYh+fBU7lt0sP5i09HaJPruzyZML9BPtpv8ZAdQhwtXVG0+MnET2qT/1+TljpxZn6yeegFRCFRHBjMo6iiRJnUWra/klkrgEn2Q+BXGTOMTTKQdYz4OxYEa1z7apu3a09dYNBM="; // key id = 51605
+; // "example.com." 257 3 8 "AwEAAeikvxboZpn9VCxm3YDLHo40SvA9EmRwJHHQyJ0OCzrQSRBSipojrW7yESXWiDDyzflS8rgzDs7M3fIdSduOdyNi55DmXPdkS8HYORTMNyzFsSOg+xx6tUySK2p4WAhlbsJNLz4IkQCek59NoDBOLyQ15npsr7Tgfb/HHU7zmCMvnxh0SqO2lyhnQfk29Thc3nC4KNJNb3drjWKOuCw5mg+2GrEZYc/VqdeGvrOCQ2el8jWZpSU5cxb7EdEy4B9nEeZiBpHXaZ5XJ+ewi4vmcUK5/445mGJqV4rDeicy5/ShC/BJ81v3bIRPWebvDRJmDbjr2d9MnLXUE7yyETrQd18="; // key id = 31589
+; // };
diff --git a/unbound-1.4.18-includeglob.patch b/unbound-1.4.18-includeglob.patch
new file mode 100644
index 0000000..7811754
--- /dev/null
+++ b/unbound-1.4.18-includeglob.patch
@@ -0,0 +1,265 @@
+diff -Naur unbound-1.4.18-orig/util/config_file.c unbound-1.4.18/util/config_file.c
+--- unbound-1.4.18-orig/util/config_file.c 2012-06-18 10:22:29.000000000 -0400
++++ unbound-1.4.18/util/config_file.c 2012-09-26 00:45:37.509190970 -0400
+@@ -53,6 +53,10 @@
+ #include "util/regional.h"
+ #include "util/fptr_wlist.h"
+ #include "util/data/dname.h"
++#ifdef HAVE_GLOB_H
++# include
++#endif
++
+ /** global config during parsing */
+ struct config_parser_state* cfg_parser = 0;
+ /** lex in file */
+@@ -689,6 +693,65 @@
+ char *fname = (char*)filename;
+ if(!fname)
+ return 1;
++
++ /* check for wildcards */
++#ifdef HAVE_GLOB
++ glob_t g;
++ size_t i;
++ int r, flags;
++ if(!(!strchr(fname, '*') && !strchr(fname, '?') && !strchr(fname, '[') &&
++ !strchr(fname, '{') && !strchr(fname, '~'))) {
++ verbose(VERB_QUERY, "wildcard found, processing %s", fname);
++ flags = 0
++#ifdef GLOB_ERR
++ | GLOB_ERR
++#endif
++#ifdef GLOB_NOSORT
++ | GLOB_NOSORT
++#endif
++#ifdef GLOB_BRACE
++ | GLOB_BRACE
++#endif
++#ifdef GLOB_TILDE
++ | GLOB_TILDE
++#endif
++ ;
++ memset(&g, 0, sizeof(g));
++ r = glob(fname, flags, NULL, &g);
++ if(r) {
++ /* some error */
++ if(r == GLOB_NOMATCH) {
++ verbose(VERB_QUERY, "include: "
++ "no matches for %s", fname);
++ return 1;
++ } else if(r == GLOB_NOSPACE) {
++ log_err("include: %s: "
++ "fnametern out of memory", fname);
++ } else if(r == GLOB_ABORTED) {
++ log_err("wildcard include: %s: expansion "
++ "aborted (%s)", fname, strerror(errno));
++ } else {
++ log_err("wildcard include: %s: expansion "
++ "failed (%s)", fname, strerror(errno));
++ }
++ /* ignore globs that yield no files */
++ return 1;
++ }
++ /* process files found, if any */
++ for(i=0; i<(size_t)g.gl_pathc; i++) {
++ if(!config_read(cfg, g.gl_pathv[i], chroot)) {
++ log_err("error reading wildcard "
++ "include: %s", g.gl_pathv[i]);
++ globfree(&g);
++ return 0;
++ }
++ }
++ globfree(&g);
++ return 1;
++ }
++#endif
++
++
+ in = fopen(fname, "r");
+ if(!in) {
+ log_err("Could not open %s: %s", fname, strerror(errno));
+diff -Naur unbound-1.4.18-orig/util/configlexer.c unbound-1.4.18/util/configlexer.c
+--- unbound-1.4.18-orig/util/configlexer.c 2012-08-02 03:26:14.000000000 -0400
++++ unbound-1.4.18/util/configlexer.c 2012-09-26 00:47:40.856511450 -0400
+@@ -22,6 +22,10 @@
+ #include
+ #include
+ #include
++#ifdef HAVE_GLOB_H
++# include
++#endif
++
+
+ /* end standard C headers. */
+
+@@ -1827,7 +1831,7 @@
+ }
+ input = fopen(filename, "r");
+ if(!input) {
+- ub_c_error_msg("cannot open include file '%s': %s",
++ ub_c_error_msg("(c)cannot open include file '%s': %s",
+ filename, strerror(errno));
+ return;
+ }
+@@ -1841,6 +1845,46 @@
+ ++config_include_stack_ptr;
+ }
+
++static void config_start_include_glob(const char* filename)
++{
++#ifdef HAVE_GLOB
++ glob_t g;
++ size_t i;
++ int r, flags;
++ if(!(!strchr(filename, '*') && !strchr(filename, '?') && !strchr(filename, '[') &&
++ !strchr(filename, '{') && !strchr(filename, '~'))) {
++ /* verbose(VERB_QUERY, "wildcard found, processing %s", filename); */
++ flags = 0
++#ifdef GLOB_ERR
++ | GLOB_ERR
++#endif
++#ifdef GLOB_NOSORT
++ | GLOB_NOSORT
++#endif
++#ifdef GLOB_BRACE
++ | GLOB_BRACE
++#endif
++#ifdef GLOB_TILDE
++ | GLOB_TILDE
++#endif
++ ;
++ memset(&g, 0, sizeof(g));
++ r = glob(filename, flags, NULL, &g);
++ if(r) {
++ /* some error */
++ return;
++ }
++ /* process files found, if any */
++ for(i=0; i<(size_t)g.gl_pathc; i++) {
++ config_start_include(g.gl_pathv[i]);
++ }
++ globfree(&g);
++ return;
++ }
++#endif
++ config_start_include(filename);
++}
++
+ static void config_end_include(void)
+ {
+ --config_include_stack_ptr;
+@@ -2875,7 +2919,7 @@
+ #line 300 "util/configlexer.lex"
+ {
+ LEXOUT(("Iunquotedstr(%s) ", yytext));
+- config_start_include(yytext);
++ config_start_include_glob(yytext);
+ BEGIN(inc_prev);
+ }
+ YY_BREAK
+@@ -2904,7 +2948,7 @@
+ {
+ LEXOUT(("IQE "));
+ yytext[yyleng - 1] = '\0';
+- config_start_include(yytext);
++ config_start_include_glob(yytext);
+ BEGIN(inc_prev);
+ }
+ YY_BREAK
+diff -Naur unbound-1.4.18-orig/util/configlexer.lex unbound-1.4.18/util/configlexer.lex
+--- unbound-1.4.18-orig/util/configlexer.lex 2012-04-10 05:16:39.000000000 -0400
++++ unbound-1.4.18/util/configlexer.lex 2012-09-26 00:46:59.135064805 -0400
+@@ -11,6 +11,9 @@
+ #include
+ #include
+ #include
++#ifdef HAVE_GLOB_H
++# include
++#endif
+
+ #include "util/config_file.h"
+ #include "util/configparser.h"
+@@ -43,6 +46,7 @@
+ static int inc_prev = 0;
+ static int num_args = 0;
+
++
+ static void config_start_include(const char* filename)
+ {
+ FILE *input;
+@@ -60,7 +64,7 @@
+ }
+ input = fopen(filename, "r");
+ if(!input) {
+- ub_c_error_msg("cannot open include file '%s': %s",
++ ub_c_error_msg("(lex)cannot open include file '%s': %s",
+ filename, strerror(errno));
+ return;
+ }
+@@ -74,6 +78,48 @@
+ ++config_include_stack_ptr;
+ }
+
++static void config_start_include_glob(const char* filename)
++{
++
++ /* check for wildcards */
++#ifdef HAVE_GLOB
++ glob_t g;
++ size_t i;
++ int r, flags;
++ if(!(!strchr(filename, '*') && !strchr(filename, '?') && !strchr(filename, '[') &&
++ !strchr(filename, '{') && !strchr(filename, '~'))) {
++ /* verbose(VERB_QUERY, "wildcard found, processing %s", filename); */
++ flags = 0
++#ifdef GLOB_ERR
++ | GLOB_ERR
++#endif
++#ifdef GLOB_NOSORT
++ | GLOB_NOSORT
++#endif
++#ifdef GLOB_BRACE
++ | GLOB_BRACE
++#endif
++#ifdef GLOB_TILDE
++ | GLOB_TILDE
++#endif
++ ;
++ memset(&g, 0, sizeof(g));
++ r = glob(filename, flags, NULL, &g);
++ if(r) {
++ /* some error */
++ return config_start_include(filename); /* let original deal with it */
++ }
++ /* process files found, if any */
++ for(i=0; i<(size_t)g.gl_pathc; i++) {
++ config_start_include(g.gl_pathv[i]);
++ }
++ globfree(&g);
++ return 1;
++ }
++#endif
++
++ config_start_include(filename);
++}
+ static void config_end_include(void)
+ {
+ --config_include_stack_ptr;
+@@ -299,7 +345,7 @@
+ \" { LEXOUT(("IQS ")); BEGIN(include_quoted); }
+ {UNQUOTEDLETTER}* {
+ LEXOUT(("Iunquotedstr(%s) ", yytext));
+- config_start_include(yytext);
++ config_start_include_glob(yytext);
+ BEGIN(inc_prev);
+ }
+ <> {
+@@ -312,7 +358,7 @@
+ \" {
+ LEXOUT(("IQE "));
+ yytext[yyleng - 1] = '\0';
+- config_start_include(yytext);
++ config_start_include_glob(yytext);
+ BEGIN(inc_prev);
+ }
+ <> {
diff --git a/unbound.conf b/unbound.conf
index 52a48fc..b06e6be 100644
--- a/unbound.conf
+++ b/unbound.conf
@@ -360,6 +360,7 @@ server:
 # the trusted-keys { name flag proto algo "key"; }; clauses are read.
 # trusted-keys-file: ""
 trusted-keys-file: /etc/unbound/root.key
+ trusted-keys-file: /etc/unbound/keys.d/*.key
 # Ignore chain of trust. Domain is treated as insecure.
 # domain-insecure: "example.com"
@@ -462,6 +463,8 @@ server:
 # you need to do the reverse notation yourself.
 # local-data-ptr: "192.0.2.3 www.example.com"
+ include: /etc/unbound/local.d/*.conf
+
+
 # service clients over SSL (on the TCP sockets), with plain DNS inside
 # the SSL stream. Give the certificate to use and private key.
 # default is "" (disabled). requires restart to take effect.
@@ -509,6 +512,10 @@ remote-control:
 # unbound-control certificate file.
 control-cert-file: "/etc/unbound/unbound_control.pem"
+# Stub and Forward zones
+
+include: /etc/unbound/conf.d/*.conf
+
 # Stub zones.
 # Create entries like below, to make all queries for 'example.com' and
 # 'example.org' go to the given list of nameservers. list zero or more
diff --git a/unbound.spec b/unbound.spec
index 86152d7..eb0d86a 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -14,7 +14,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.4.18
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: BSD
 Url: http://www.nlnetlabs.nl/unbound/
 Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
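Review bot: In the configlexer.lex copy of `config_start_include_glob` (inner hunk `@@ -74,6 +78,48 @@`) the function is declared `static void` yet the wildcard branch ends with `return 1;` and the error branch starts with `return config_start_include(filename);`, both constraint violations a compiler rejects or warns on, and the body no longer matches the hand-edited generated copy in configlexer.c (inner hunk `@@ -1841,6 +1845,46 @@`), which uses a bare `return;` in both places, so the next flex regeneration will either fail to build or silently change the error path. Keep the .lex as the single source, change the trailing statement to `return;`, and settle on one behaviour for a failed `glob()`: the configlexer.c copy returns without any diagnostic, so an `include:` whose pattern is unreadable or matches nothing (a mistyped drop-in directory, for instance) is skipped silently where the pre-patch code reported `cannot open include file`; at least the non-`GLOB_NOMATCH` results should go through `ub_c_error_msg`, the way the config_file.c hunk reports them with `log_err`. The `"(c)"` and `"(lex)"` prefixes added to the two `cannot open include file` messages read as leftover debugging markers, and `"fnametern out of memory"` in the `GLOB_NOSPACE` branch is a search-and-replace artefact of `pattern`. In the config_file.c hunk the recursive call `config_read(cfg, g.gl_pathv[i], chroot)` passes `cfg` first and the path second while the enclosing function's parameter list lies outside the hunk, so confirm the order matches its declaration, since a swap would only draw an incompatible-pointer warning.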
@@ -26,10 +26,14 @@ Source5: root.key
 Source6: dlv.isc.org.key
 Source7: unbound-keygen.service
 Source8: tmpfiles-unbound.conf
+Source9: example.com.key
+Source10: example.com.conf
+Source11: block-example.com.conf
 Patch1: unbound-1.2-glob.patch
 Patch2: unbound-1.4.18-openssl_threads.patch
+Patch3: unbound-1.4.18-includeglob.patch
 Group: System Environment/Daemons
-BuildRequires: flex, openssl-devel , ldns-devel >= 1.5.0,
+BuildRequires: flex, openssl-devel , ldns-devel >= 1.6.13
 BuildRequires: libevent-devel expat-devel
 %if %{with_python}
 BuildRequires: python-devel swig
@@ -42,7 +46,7 @@ BuildRequires: systemd-units
 Requires(post): systemd-units
 Requires(preun): systemd-units
 Requires(postun): systemd-units
-Requires: ldns >= 1.5.0
+Requires: ldns >= 1.6.13
 Requires(pre): shadow-utils
 # Needed because /usr/sbin/unbound links unbound libs staticly
 Requires: %{name}-libs = %{version}-%{release}
@@ -159,6 +163,13 @@ done
 mkdir -p %{buildroot}%{_localstatedir}/run/unbound
+# Install directories for easier config file drop in
+
+mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d}
+install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
+install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
+install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
+
 %files
 %doc doc/README doc/CREDITS doc/LICENSE doc/FEATURES
 %{_unitdir}/%{name}.service
@@ -169,6 +180,9 @@ mkdir -p %{buildroot}%{_localstatedir}/run/unbound
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key
+%attr(0775,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d
+%attr(0775,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/conf.d
+%attr(0775,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/local.d
 %{_sbindir}/*
 %{_mandir}/man1/*
 %{_mandir}/man5/*
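Review bot: The three `%attr(0775,root,unbound)` entries in hunk `@@ -169,6 +180,9 @@` make keys.d, conf.d and local.d group-writable by the `unbound` service account, yet everything in them is read as configuration through the `include:` and `trusted-keys-file:` globs this commit adds to unbound.conf, so any code running as that user could drop a config fragment or an extra trust anchor that the daemon loads on its next start. Nothing in the commit shows the daemon writing into these directories, so they should be owned like the neighbouring config files: `%attr(0755,root,root) %dir %{_sysconfdir}/%{name}/keys.d`, and likewise for conf.d and local.d. Without `%dir` the entry packages the directory recursively, so the example files installed by hunk `@@ -159,6 +163,13 @@` appear to inherit the same 0775 root:unbound mode; list them explicitly with `%attr(0644,root,root) %config(noreplace)` instead.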
@@ -232,6 +246,11 @@ exit 0
 /bin/systemctl try-restart unbound-keygen.service >/dev/null 2>&1 || :
 %changelog
+* Wed Sep 26 2012 Paul Wouters - 1.4.18-4
+- Patch to allow wildcards in include: statements
+- Add directories /etc/unbound/keys.d,conf.d,local.d with
+ example entries
+
 * Tue Sep 04 2012 Paul Wouters - 1.4.18-3
 - Fix openssl thread locking bug under high query load