* Wed Sep 26 2012 Paul Wouters <pwouters@redhat.com> - 1.4.18-4

- Patch to allow wildcards in include: statements
- Add directories /etc/unbound/keys.d,conf.d,local.d with
  example entries

block-example.com.conf

@@ -0,0 +1,10 @@
+# entries in this file override toe global DNS
+#
+# Example blocking email going out to example.com
+#
+#	local-data: "example.com. 3600 IN MX 5 127.0.0.1"
+#	local-data: "example.com. 3600 IN A 127.0.0.1"
+
+# This can also be done dynamically using: unbound-control local-data [...]
+
+# For more complicated redirection, use conf.d/ with stub-add: or forward-add:

example.com.conf

@@ -0,0 +1,17 @@
+# Example of an override of the "public DNS tree" with an "internal view"
+# override, for example to add an internal-only corporate DNS zone.
+#
+# The stub-zone/stub-addr must point to AUTHORITATIVE servers. If you want to
+# point to an internal RECURSIVE server, use forward-zone/forward-addr instead.
+
+#stub-zone:
+#	name: example.com
+#	stub-prime: no
+#	# if you could trust a lookup, use:
+#	stub-host: a.iana-servers.net.
+#	stub-host: b.iana-servers.net.
+#	# else specify the IP's using:
+#	stub-addr: 199.43.132.53
+#	stub-addr: 2001:500:8c::53
+#	stub-addr: 199.43.133.53
+#	stub-addr: 2001:500:8d::53

example.com.key

@@ -0,0 +1,7 @@
+; // format is BIND trusted-keys format
+; // Ensure to only put KSKs (usually 257) here, not ZSKs (usually 256)
+
+; // trusted-keys {
+; // "example.com." 257 3 8 "AwEAAawt7HplI5M8GGAsxuyCyjF0l+QlcgVN11CRZ4vP66qbDCX0BnShZ11BGb//4zSG/8mmBHirL2FLg+mVuIIxig+iroZYjh4iTKVOhv2hZftRwyrQHK++qXvCCWN3ki51RG/e8R4kOEV71rZ8OgQvPWx6F91qroqOPpcf7PPxippeHOn+PxnP0hpyLyo1mx1rPs/cMpL3jOMufGP+LJYh+fBU7lt0sP5i09HaJPruzyZML9BPtpv8ZAdQhwtXVG0+MnET2qT/1+TljpxZn6yeegFRCFRHBjMo6iiRJnUWra/klkrgEn2Q+BXGTOMTTKQdYz4OxYEa1z7apu3a09dYNBM="; // key id = 51605
+; // "example.com." 257 3 8 "AwEAAeikvxboZpn9VCxm3YDLHo40SvA9EmRwJHHQyJ0OCzrQSRBSipojrW7yESXWiDDyzflS8rgzDs7M3fIdSduOdyNi55DmXPdkS8HYORTMNyzFsSOg+xx6tUySK2p4WAhlbsJNLz4IkQCek59NoDBOLyQ15npsr7Tgfb/HHU7zmCMvnxh0SqO2lyhnQfk29Thc3nC4KNJNb3drjWKOuCw5mg+2GrEZYc/VqdeGvrOCQ2el8jWZpSU5cxb7EdEy4B9nEeZiBpHXaZ5XJ+ewi4vmcUK5/445mGJqV4rDeicy5/ShC/BJ81v3bIRPWebvDRJmDbjr2d9MnLXUE7yyETrQd18="; // key id = 31589
+; // };

unbound-1.4.18-includeglob.patch

@@ -0,0 +1,265 @@
+diff -Naur unbound-1.4.18-orig/util/config_file.c unbound-1.4.18/util/config_file.c
+--- unbound-1.4.18-orig/util/config_file.c	2012-06-18 10:22:29.000000000 -0400
++++ unbound-1.4.18/util/config_file.c	2012-09-26 00:45:37.509190970 -0400
+@@ -53,6 +53,10 @@
+ #include "util/regional.h"
+ #include "util/fptr_wlist.h"
+ #include "util/data/dname.h"
++#ifdef HAVE_GLOB_H
++# include <glob.h>
++#endif
++
+ /** global config during parsing */
+ struct config_parser_state* cfg_parser = 0;
+ /** lex in file */
+@@ -689,6 +693,65 @@
+ 	char *fname = (char*)filename;
+ 	if(!fname)
+ 		return 1;
++
++	/* check for wildcards */
++#ifdef HAVE_GLOB
++        glob_t g;
++        size_t i;
++        int r, flags;
++	if(!(!strchr(fname, '*') && !strchr(fname, '?') && !strchr(fname, '[') &&
++                !strchr(fname, '{') && !strchr(fname, '~'))) {
++		verbose(VERB_QUERY, "wildcard found, processing %s", fname);
++        	flags = 0
++#ifdef GLOB_ERR
++                	| GLOB_ERR
++#endif
++#ifdef GLOB_NOSORT
++                	| GLOB_NOSORT
++#endif
++#ifdef GLOB_BRACE
++                	| GLOB_BRACE
++#endif
++#ifdef GLOB_TILDE
++                	| GLOB_TILDE
++#endif
++        	;
++        	memset(&g, 0, sizeof(g));
++        	r = glob(fname, flags, NULL, &g);
++        	if(r) {
++                	/* some error */
++                	if(r == GLOB_NOMATCH) {
++                        	verbose(VERB_QUERY, "include: "
++                                "no matches for %s", fname);
++                        	return 1; 
++                	} else if(r == GLOB_NOSPACE) {
++                        	log_err("include: %s: "
++                                	"fnametern out of memory", fname);
++                	} else if(r == GLOB_ABORTED) {
++                        	log_err("wildcard include: %s: expansion "
++                                	"aborted (%s)", fname, strerror(errno));
++                	} else {
++                        	log_err("wildcard include: %s: expansion "
++                                	"failed (%s)", fname, strerror(errno));
++                	}
++               		/* ignore globs that yield no files */
++                	return 1;
++        	}
++        	/* process files found, if any */
++        	for(i=0; i<(size_t)g.gl_pathc; i++) {
++                	if(!config_read(cfg, g.gl_pathv[i], chroot)) {
++                        	log_err("error reading wildcard "
++                                	"include: %s", g.gl_pathv[i]);
++                        	globfree(&g);
++                        	return 0;
++                	}
++        	}
++        	globfree(&g);
++        	return 1;
++	}
++#endif
++
++
+ 	in = fopen(fname, "r");
+ 	if(!in) {
+ 		log_err("Could not open %s: %s", fname, strerror(errno));
+diff -Naur unbound-1.4.18-orig/util/configlexer.c unbound-1.4.18/util/configlexer.c
+--- unbound-1.4.18-orig/util/configlexer.c	2012-08-02 03:26:14.000000000 -0400
++++ unbound-1.4.18/util/configlexer.c	2012-09-26 00:47:40.856511450 -0400
+@@ -22,6 +22,10 @@
+ #include <string.h>
+ #include <errno.h>
+ #include <stdlib.h>
++#ifdef HAVE_GLOB_H
++# include <glob.h>
++#endif
++
+ 
+ /* end standard C headers. */
+ 
+@@ -1827,7 +1831,7 @@
+ 	}
+ 	input = fopen(filename, "r");
+ 	if(!input) {
+-		ub_c_error_msg("cannot open include file '%s': %s",
++		ub_c_error_msg("(c)cannot open include file '%s': %s",
+ 			filename, strerror(errno));
+ 		return;
+ 	}
+@@ -1841,6 +1845,46 @@
+ 	++config_include_stack_ptr;
+ }
+ 
++static void config_start_include_glob(const char* filename)
++{
++#ifdef HAVE_GLOB
++        glob_t g;
++        size_t i;
++        int r, flags;
++       if(!(!strchr(filename, '*') && !strchr(filename, '?') && !strchr(filename, '[') &&
++                !strchr(filename, '{') && !strchr(filename, '~'))) {
++               /* verbose(VERB_QUERY, "wildcard found, processing %s", filename); */
++               flags = 0
++#ifdef GLOB_ERR
++                       | GLOB_ERR
++#endif
++#ifdef GLOB_NOSORT
++                       | GLOB_NOSORT
++#endif
++#ifdef GLOB_BRACE
++                       | GLOB_BRACE
++#endif
++#ifdef GLOB_TILDE
++                       | GLOB_TILDE
++#endif
++               ;
++               memset(&g, 0, sizeof(g));
++               r = glob(filename, flags, NULL, &g);
++               if(r) {
++                       /* some error */
++                       return;
++               }
++               /* process files found, if any */
++               for(i=0; i<(size_t)g.gl_pathc; i++) {
++                       config_start_include(g.gl_pathv[i]);
++               }
++               globfree(&g);
++               return;
++       }
++#endif
++       config_start_include(filename);
++}
++
+ static void config_end_include(void)
+ {
+ 	--config_include_stack_ptr;
+@@ -2875,7 +2919,7 @@
+ #line 300 "util/configlexer.lex"
+ {
+ 	LEXOUT(("Iunquotedstr(%s) ", yytext));
+-	config_start_include(yytext);
++	config_start_include_glob(yytext);
+ 	BEGIN(inc_prev);
+ }
+ 	YY_BREAK
+@@ -2904,7 +2948,7 @@
+ {
+ 	LEXOUT(("IQE "));
+ 	yytext[yyleng - 1] = '\0';
+-	config_start_include(yytext);
++	config_start_include_glob(yytext);
+ 	BEGIN(inc_prev);
+ }
+ 	YY_BREAK
+diff -Naur unbound-1.4.18-orig/util/configlexer.lex unbound-1.4.18/util/configlexer.lex
+--- unbound-1.4.18-orig/util/configlexer.lex	2012-04-10 05:16:39.000000000 -0400
++++ unbound-1.4.18/util/configlexer.lex	2012-09-26 00:46:59.135064805 -0400
+@@ -11,6 +11,9 @@
+ #include <ctype.h>
+ #include <string.h>
+ #include <strings.h>
++#ifdef HAVE_GLOB_H
++# include <glob.h>
++#endif
+ 
+ #include "util/config_file.h"
+ #include "util/configparser.h"
+@@ -43,6 +46,7 @@
+ static int inc_prev = 0;
+ static int num_args = 0;
+ 
++
+ static void config_start_include(const char* filename)
+ {
+ 	FILE *input;
+@@ -60,7 +64,7 @@
+ 	}
+ 	input = fopen(filename, "r");
+ 	if(!input) {
+-		ub_c_error_msg("cannot open include file '%s': %s",
++		ub_c_error_msg("(lex)cannot open include file '%s': %s",
+ 			filename, strerror(errno));
+ 		return;
+ 	}
+@@ -74,6 +78,48 @@
+ 	++config_include_stack_ptr;
+ }
+ 
++static void config_start_include_glob(const char* filename)
++{
++
++       /* check for wildcards */
++#ifdef HAVE_GLOB
++        glob_t g;
++        size_t i;
++        int r, flags;
++       if(!(!strchr(filename, '*') && !strchr(filename, '?') && !strchr(filename, '[') &&
++                !strchr(filename, '{') && !strchr(filename, '~'))) {
++               /* verbose(VERB_QUERY, "wildcard found, processing %s", filename); */
++               flags = 0
++#ifdef GLOB_ERR
++                       | GLOB_ERR
++#endif
++#ifdef GLOB_NOSORT
++                       | GLOB_NOSORT
++#endif
++#ifdef GLOB_BRACE
++                       | GLOB_BRACE
++#endif
++#ifdef GLOB_TILDE
++                       | GLOB_TILDE
++#endif
++               ;
++               memset(&g, 0, sizeof(g));
++               r = glob(filename, flags, NULL, &g);
++               if(r) {
++                       /* some error */
++                       return config_start_include(filename); /* let original deal with it */
++               }
++               /* process files found, if any */
++               for(i=0; i<(size_t)g.gl_pathc; i++) {
++                       config_start_include(g.gl_pathv[i]);
++               }
++               globfree(&g);
++               return 1;
++       }
++#endif
++
++	config_start_include(filename);
++}
+ static void config_end_include(void)
+ {
+ 	--config_include_stack_ptr;
+@@ -299,7 +345,7 @@
+ <include>\"		{ LEXOUT(("IQS ")); BEGIN(include_quoted); }
+ <include>{UNQUOTEDLETTER}*	{
+ 	LEXOUT(("Iunquotedstr(%s) ", yytext));
+-	config_start_include(yytext);
++	config_start_include_glob(yytext);
+ 	BEGIN(inc_prev);
+ }
+ <include_quoted><<EOF>>	{
+@@ -312,7 +358,7 @@
+ <include_quoted>\"	{
+ 	LEXOUT(("IQE "));
+ 	yytext[yyleng - 1] = '\0';
+-	config_start_include(yytext);
++	config_start_include_glob(yytext);
+ 	BEGIN(inc_prev);
+ }
+ <INITIAL,val><<EOF>>	{

unbound.conf

@@ -360,6 +360,7 @@ server:
 	# the trusted-keys { name flag proto algo "key"; }; clauses are read.
 	# trusted-keys-file: ""
 	trusted-keys-file: /etc/unbound/root.key
+	trusted-keys-file: /etc/unbound/keys.d/*.key
 
 	# Ignore chain of trust. Domain is treated as insecure.
 	# domain-insecure: "example.com"
@@ -462,6 +463,8 @@ server:
 	# you need to do the reverse notation yourself.
 	# local-data-ptr: "192.0.2.3 www.example.com"
 
+	include: /etc/unbound/local.d/*.conf
+
 	# service clients over SSL (on the TCP sockets), with plain DNS inside
 	# the SSL stream.  Give the certificate to use and private key.
 	# default is "" (disabled).  requires restart to take effect.
@@ -509,6 +512,10 @@ remote-control:
 	# unbound-control certificate file.
 	control-cert-file: "/etc/unbound/unbound_control.pem"
 
+# Stub and Forward zones
+
+include: /etc/unbound/conf.d/*.conf
+
 # Stub zones.
 # Create entries like below, to make all queries for 'example.com' and 
 # 'example.org' go to the given list of nameservers. list zero or more 

unbound.spec

@@ -14,7 +14,7 @@
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.4.18
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: BSD
 Url: http://www.nlnetlabs.nl/unbound/
 Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
@@ -26,10 +26,14 @@ Source5: root.key
 Source6: dlv.isc.org.key
 Source7: unbound-keygen.service
 Source8: tmpfiles-unbound.conf
+Source9: example.com.key
+Source10: example.com.conf
+Source11: block-example.com.conf
 Patch1: unbound-1.2-glob.patch
 Patch2: unbound-1.4.18-openssl_threads.patch
+Patch3: unbound-1.4.18-includeglob.patch
 Group: System Environment/Daemons
-BuildRequires: flex, openssl-devel , ldns-devel >= 1.5.0, 
+BuildRequires: flex, openssl-devel , ldns-devel >= 1.6.13
 BuildRequires: libevent-devel expat-devel
 %if %{with_python}
 BuildRequires:  python-devel swig
@@ -42,7 +46,7 @@ BuildRequires: systemd-units
 Requires(post): systemd-units
 Requires(preun): systemd-units
 Requires(postun): systemd-units
-Requires: ldns >= 1.5.0
+Requires: ldns >= 1.6.13
 Requires(pre): shadow-utils
 # Needed because /usr/sbin/unbound links unbound libs staticly
 Requires: %{name}-libs = %{version}-%{release}
@@ -159,6 +163,13 @@ done
 
 mkdir -p %{buildroot}%{_localstatedir}/run/unbound
 
+# Install directories for easier config file drop in
+
+mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d}
+install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
+install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
+install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
+
 %files 
 %doc doc/README doc/CREDITS doc/LICENSE doc/FEATURES
 %{_unitdir}/%{name}.service
@@ -169,6 +180,9 @@ mkdir -p %{buildroot}%{_localstatedir}/run/unbound
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key
+%attr(0775,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d
+%attr(0775,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/conf.d
+%attr(0775,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/local.d
 %{_sbindir}/*
 %{_mandir}/man1/*
 %{_mandir}/man5/*
@@ -232,6 +246,11 @@ exit 0
 /bin/systemctl try-restart unbound-keygen.service >/dev/null 2>&1 || :
 
 %changelog
+* Wed Sep 26 2012 Paul Wouters <pwouters@redhat.com> - 1.4.18-4
+- Patch to allow wildcards in include: statements
+- Add directories /etc/unbound/keys.d,conf.d,local.d with
+  example entries
+
 * Tue Sep 04 2012 Paul Wouters <pwouters@redhat.com> - 1.4.18-3
 - Fix openssl thread locking bug under high query load