From 90deaa6495f2f59d20c8a1fc2e0ad17daf57ebbd Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Sat, 3 Nov 2012 12:59:54 -0400 Subject: [PATCH] * add unbound-anchor support and more flexible config directories --- icannbundle.pem | 317 +++++++++++++++++++++++++++++++++++++++++++ root.anchor | 1 + unbound-monthly.cron | 3 + unbound.conf | 132 +++++++++--------- unbound.service | 7 +- unbound.spec | 44 ++++-- unbound.sysconfig | 3 + 7 files changed, 429 insertions(+), 78 deletions(-) create mode 100644 icannbundle.pem create mode 100644 root.anchor create mode 100755 unbound-monthly.cron create mode 100644 unbound.sysconfig diff --git a/icannbundle.pem b/icannbundle.pem new file mode 100644 index 0000000..48941de --- /dev/null +++ b/icannbundle.pem @@ -0,0 +1,317 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US + Validity + Not Before: Dec 23 04:19:12 2009 GMT + Not After : Dec 18 04:19:12 2029 GMT + Subject: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:a0:db:70:b8:4f:34:da:9c:d4:d0:7e:bb:ea:15: + bc:e9:c9:11:2a:1f:61:2f:6a:b9:bd:3f:3d:76:a0: + 9a:0a:f7:ee:93:6e:6e:55:53:84:8c:f2:2c:f1:82: + 27:c8:0f:9a:cf:52:1b:54:da:28:d2:2c:30:8e:dd: + fb:92:20:33:2d:d6:c8:f1:0e:10:21:88:71:fa:84: + 22:4b:5d:47:56:16:7c:9b:9f:5d:c3:11:79:9c:14: + e2:ff:c0:74:ac:dd:39:d7:e0:38:d8:b0:73:aa:fb: + d1:db:84:af:52:22:a8:f6:d5:9b:94:f4:e6:5d:5e: + e8:3f:87:90:0b:c7:1a:77:f5:2e:d3:8f:1a:ce:02: + 1d:07:69:21:47:32:da:46:ae:00:4c:b6:a5:a2:9c: + 39:c1:c0:4a:f6:d3:1c:ae:d3:6d:bb:c7:18:f0:7e: + ed:f6:80:ce:d0:01:2e:89:de:12:ba:ee:11:cb:a6: + 7a:d7:0d:7c:f3:08:8d:72:9d:bf:55:75:13:70:bb: + 31:22:4a:cb:e8:c0:aa:a4:09:aa:36:68:40:60:74: + 9d:e7:19:81:43:22:52:fe:c9:2b:52:0f:41:13:36: + 09:72:65:95:cc:89:ae:6f:56:17:16:34:73:52:a3: + 04:ed:bd:88:82:8a:eb:d7:dc:82:52:9c:06:e1:52: + 85:41 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 + Signature Algorithm: sha256WithRSAEncryption + 0f:f1:e9:82:a2:0a:87:9f:2d:94:60:5a:b2:c0:4b:a1:2f:2b: + 3b:47:d5:0a:99:86:38:b2:ec:c6:3b:89:e4:6e:07:cf:14:c7: + c7:e8:cf:99:8f:aa:30:c3:19:70:b9:e6:6d:d6:3f:c8:68:26: + b2:a0:a5:37:42:ca:d8:62:80:d1:a2:5a:48:2e:1f:85:3f:0c: + 7b:c2:c7:94:11:5f:19:2a:95:ac:a0:3a:03:d8:91:5b:2e:0d: + 9c:7c:1f:2e:fc:e9:44:e1:16:26:73:1c:45:4a:65:c1:83:4c: + 90:f3:f2:28:42:df:db:c4:e7:04:12:18:62:43:5e:bc:1f:6c: + 84:e6:bc:49:32:df:61:d7:99:ee:e4:90:52:7b:0a:c2:91:8a: + 98:62:66:b1:c8:e0:b7:5a:b5:46:7c:76:71:54:8e:cc:a4:81: + 5c:19:db:d2:6f:66:b5:bb:2b:ae:6b:c9:74:04:a8:24:de:e8: + c5:d3:fc:2c:1c:d7:8f:db:6a:8d:c9:53:be:5d:50:73:ac:cf: + 1f:93:c0:52:50:5b:a2:4f:fe:ad:65:36:17:46:d1:2d:e5:a2: + 90:66:05:db:29:4e:5d:50:5d:e3:4f:da:a0:8f:f0:6b:e4:16: + 70:dd:7f:f3:77:7d:b9:4e:f9:ec:c3:33:02:d7:e9:63:2f:31: + e7:40:61:a4 +-----BEGIN CERTIFICATE----- +MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO +TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV +BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX +DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O +IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB +MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb +cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S +G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg +ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2 +paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7 +MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29 +iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B +Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3 +DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH +6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD +2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h +15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF +0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg +j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha256WithRSAEncryption + Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US + Validity + Not Before: Dec 23 04:45:04 2009 GMT + Not After : Dec 22 04:45:04 2014 GMT + Subject: O=ICANN, CN=ICANN DNSSEC CA/emailAddress=dnssec@icann.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:c0:bf:e2:b4:ee:12:46:36:3b:7c:d2:46:21:64: + 5a:93:e1:e3:02:10:25:bb:a5:30:70:19:89:98:7e: + 9e:db:8e:0f:ac:c8:48:66:0e:1a:f8:81:e5:2d:3c: + 7b:39:39:76:28:8f:ee:0a:a7:dd:64:e9:5f:87:25: + b1:64:e5:59:03:fc:bc:29:3b:63:37:c8:d7:46:9a: + b6:ce:87:55:cd:cf:e2:ab:e9:c7:8a:53:2e:25:87: + b0:98:d6:20:a3:a8:ec:87:b0:39:a3:c4:c5:75:59: + 3c:fb:91:03:fa:ee:7f:e9:2b:b6:70:88:69:2c:e6: + f1:4f:fc:d0:47:b4:e9:a0:2c:fa:0c:c3:84:eb:be: + 73:5a:bc:16:ed:d0:83:02:2d:eb:6a:21:02:51:70: + 29:1e:4f:c9:69:03:9f:91:32:5c:2c:1a:9f:5e:45: + 48:2a:50:ee:72:14:ec:17:29:fc:20:95:7d:22:6a: + c6:6f:83:a2:58:8e:b1:64:c8:73:23:54:6c:69:1d: + 66:1f:df:f8:4f:24:a1:a8:ae:00:7f:e9:89:41:a6: + e3:88:1d:3a:e1:b3:3a:ef:29:45:32:9b:94:2e:b7: + 6c:1e:fe:31:40:13:e1:bd:52:67:d0:d8:c3:3e:03: + 84:48:72:9d:bd:8a:48:a0:f2:72:35:b6:03:4b:c6: + e9:05 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign + X509v3 Authority Key Identifier: + keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 + + X509v3 Subject Key Identifier: + 8F:B2:42:69:C3:9D:E4:3C:FA:13:B9:FF:F2:C0:A4:EF:D8:0F:E8:22 + Signature Algorithm: sha256WithRSAEncryption + 4a:78:a2:47:7e:3f:2e:4d:78:68:ab:06:5c:ff:da:01:04:45: + 92:20:20:88:f3:dc:4e:70:01:9b:cb:f3:13:61:34:04:09:15: + d0:be:99:1c:be:fc:97:e9:2d:73:e1:b3:2b:a6:b9:3a:41:33: + f3:83:3d:64:1b:64:95:bf:ae:cd:20:df:18:e0:62:8d:fa:9c: + f7:d8:a9:3c:25:2b:8e:cf:10:e5:29:b9:af:1a:7f:62:64:75: + e7:c6:fd:9b:6d:71:c0:a9:b3:0f:9a:b7:7a:fe:53:04:18:cd: + 04:06:d9:bf:01:0e:cc:04:84:84:51:a3:e9:06:2a:a3:25:73: + 4e:8d:62:19:13:25:5b:de:0b:dc:d0:69:01:ca:41:0a:96:13: + cf:6a:11:fe:2b:9a:3f:fd:56:3d:73:3d:58:49:c2:71:83:20: + 23:6d:46:99:6e:37:91:9f:76:2a:9c:b0:69:3f:64:9f:05:bb: + 38:c8:1e:ca:d8:6c:fd:56:3e:a6:85:a2:53:80:c6:42:b6:79: + c6:43:0b:e0:6c:ea:9f:cf:b0:2a:2c:01:50:c3:d8:0f:a0:7e: + a1:73:a8:5c:84:27:5b:c9:4b:5a:13:e9:69:25:1c:59:11:d2: + 01:dc:da:e7:c8:44:34:a2:e4:99:25:b4:c3:23:b5:f8:2d:48: + e5:8d:06:73 +-----BEGIN CERTIFICATE----- +MIIDhjCCAm6gAwIBAgIBAjANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO +TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV +BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0NDUwNFoX +DTE0MTIyMjA0NDUwNFowSzEOMAwGA1UEChMFSUNBTk4xGDAWBgNVBAMTD0lDQU5O +IEROU1NFQyBDQTEfMB0GCSqGSIb3DQEJARMQZG5zc2VjQGljYW5uLm9yZzCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMC/4rTuEkY2O3zSRiFkWpPh4wIQ +JbulMHAZiZh+ntuOD6zISGYOGviB5S08ezk5diiP7gqn3WTpX4clsWTlWQP8vCk7 +YzfI10aats6HVc3P4qvpx4pTLiWHsJjWIKOo7IewOaPExXVZPPuRA/ruf+krtnCI +aSzm8U/80Ee06aAs+gzDhOu+c1q8Fu3QgwIt62ohAlFwKR5PyWkDn5EyXCwan15F +SCpQ7nIU7Bcp/CCVfSJqxm+DoliOsWTIcyNUbGkdZh/f+E8koaiuAH/piUGm44gd +OuGzOu8pRTKblC63bB7+MUAT4b1SZ9DYwz4DhEhynb2KSKDycjW2A0vG6QUCAwEA +AaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAf4wHwYDVR0jBBgw +FoAUulLpSYMkhlIvx5nN/I1raQhNwFAwHQYDVR0OBBYEFI+yQmnDneQ8+hO5//LA +pO/YD+giMA0GCSqGSIb3DQEBCwUAA4IBAQBKeKJHfj8uTXhoqwZc/9oBBEWSICCI +89xOcAGby/MTYTQECRXQvpkcvvyX6S1z4bMrprk6QTPzgz1kG2SVv67NIN8Y4GKN ++pz32Kk8JSuOzxDlKbmvGn9iZHXnxv2bbXHAqbMPmrd6/lMEGM0EBtm/AQ7MBISE +UaPpBiqjJXNOjWIZEyVb3gvc0GkBykEKlhPPahH+K5o//VY9cz1YScJxgyAjbUaZ +bjeRn3YqnLBpP2SfBbs4yB7K2Gz9Vj6mhaJTgMZCtnnGQwvgbOqfz7AqLAFQw9gP +oH6hc6hchCdbyUtaE+lpJRxZEdIB3NrnyEQ0ouSZJbTDI7X4LUjljQZz +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 6 (0x6) + Signature Algorithm: sha256WithRSAEncryption + Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US + Validity + Not Before: Dec 23 05:21:16 2009 GMT + Not After : Dec 22 05:21:16 2014 GMT + Subject: O=ICANN, CN=ICANN EMAIL CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:d2:19:1e:22:69:33:f6:a4:d2:76:c5:80:11:75: + 8e:d0:e8:6f:bf:89:f8:2a:6a:da:8a:85:28:40:ba: + c5:23:5f:47:ed:72:e2:8e:d3:5c:c8:8a:3a:99:a9: + 57:2c:0a:2b:22:f3:54:7b:8b:f7:8c:21:a2:50:01: + 4f:8b:af:34:df:72:fc:78:31:d0:1d:eb:bc:9b:e6: + fa:c1:84:d0:05:07:8a:74:53:a5:60:9e:eb:75:9e: + a8:5d:32:c8:02:32:e4:bf:cb:97:9b:7a:fa:2c:f6: + 6a:1d:b8:57:ad:e3:03:22:93:d0:f4:4f:a8:b8:01: + db:82:33:98:b6:87:ed:3d:67:40:00:27:2e:d5:95: + d2:ad:36:46:14:c6:17:79:65:7f:65:f3:88:80:65: + 7c:22:67:08:23:3c:cf:a5:10:38:72:30:97:92:6f: + 20:4a:ba:24:4c:4a:c8:4a:a5:dc:2a:44:a1:29:78: + b4:9f:fe:84:ff:27:5b:3a:72:ea:31:c1:ad:06:22: + d6:44:a0:4a:57:32:9c:f2:46:47:d0:89:6e:20:23: + 2c:ea:b0:83:7e:c1:f3:ea:da:dd:e3:63:59:97:21: + fa:1b:11:39:27:cf:82:8b:56:15:d4:36:92:0c:a5: + 7e:80:e0:18:c9:50:08:42:0a:df:97:3c:9c:b8:0a: + 4d:b1 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign + X509v3 Authority Key Identifier: + keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 + + X509v3 Subject Key Identifier: + 7B:3F:BA:CE:A1:B3:A6:13:2E:5A:82:84:D4:D2:EA:A5:24:F1:CD:B4 + Signature Algorithm: sha256WithRSAEncryption + 50:07:a5:61:39:e4:3b:e3:bc:1c:b4:a7:b2:ab:a1:fb:47:bf: + b4:1c:32:ac:3c:46:b0:02:26:2f:16:3e:89:70:e2:87:e9:76: + 99:61:0b:91:c5:48:7a:e5:aa:24:0b:39:e0:4f:26:03:d4:5b: + 01:8a:4d:b6:98:cc:16:fa:e2:12:4a:88:b9:53:bb:50:2d:c7: + 37:b8:a3:82:2d:52:05:3e:46:a7:db:97:82:73:8d:7d:ed:dd: + 9e:37:73:68:6b:90:cd:62:d8:77:ff:32:53:bb:d3:a1:b9:cb: + 7d:32:29:70:fb:2e:90:4b:27:12:6d:99:a5:e6:d4:ef:13:32: + c1:2f:b5:ae:6e:11:0e:50:56:a4:56:5b:76:b0:c0:99:2e:5a: + 94:17:ee:2b:c1:b6:9c:8b:68:ac:55:95:31:8c:66:2b:35:43: + a5:13:04:1b:50:44:1c:55:7f:4c:d0:1a:50:80:53:45:a8:e3: + d3:a8:74:ad:7d:6a:d6:e9:9a:d3:25:7d:83:e2:57:64:1a:94: + 7e:bc:cb:ef:79:b5:54:6a:f1:b0:c3:81:26:90:e5:40:87:ed: + 75:7d:83:63:5b:ab:45:c0:34:04:27:e8:d8:12:26:7c:5e:c0: + 48:b6:33:7d:4b:db:23:8a:f7:13:24:bc:be:7b:74:cb:c4:ed: + ed:42:eb:2f +-----BEGIN CERTIFICATE----- +MIIDZDCCAkygAwIBAgIBBjANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO +TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV +BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA1MjExNloX +DTE0MTIyMjA1MjExNlowKTEOMAwGA1UEChMFSUNBTk4xFzAVBgNVBAMTDklDQU5O +IEVNQUlMIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0hkeImkz +9qTSdsWAEXWO0Ohvv4n4KmraioUoQLrFI19H7XLijtNcyIo6malXLAorIvNUe4v3 +jCGiUAFPi68033L8eDHQHeu8m+b6wYTQBQeKdFOlYJ7rdZ6oXTLIAjLkv8uXm3r6 +LPZqHbhXreMDIpPQ9E+ouAHbgjOYtoftPWdAACcu1ZXSrTZGFMYXeWV/ZfOIgGV8 +ImcIIzzPpRA4cjCXkm8gSrokTErISqXcKkShKXi0n/6E/ydbOnLqMcGtBiLWRKBK +VzKc8kZH0IluICMs6rCDfsHz6trd42NZlyH6GxE5J8+Ci1YV1DaSDKV+gOAYyVAI +QgrflzycuApNsQIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE +AwIB/jAfBgNVHSMEGDAWgBS6UulJgySGUi/Hmc38jWtpCE3AUDAdBgNVHQ4EFgQU +ez+6zqGzphMuWoKE1NLqpSTxzbQwDQYJKoZIhvcNAQELBQADggEBAFAHpWE55Dvj +vBy0p7KroftHv7QcMqw8RrACJi8WPolw4ofpdplhC5HFSHrlqiQLOeBPJgPUWwGK +TbaYzBb64hJKiLlTu1Atxze4o4ItUgU+Rqfbl4JzjX3t3Z43c2hrkM1i2Hf/MlO7 +06G5y30yKXD7LpBLJxJtmaXm1O8TMsEvta5uEQ5QVqRWW3awwJkuWpQX7ivBtpyL +aKxVlTGMZis1Q6UTBBtQRBxVf0zQGlCAU0Wo49OodK19atbpmtMlfYPiV2QalH68 +y+95tVRq8bDDgSaQ5UCH7XV9g2Nbq0XANAQn6NgSJnxewEi2M31L2yOK9xMkvL57 +dMvE7e1C6y8= +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: sha256WithRSAEncryption + Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US + Validity + Not Before: Dec 23 05:07:29 2009 GMT + Not After : Dec 22 05:07:29 2014 GMT + Subject: O=ICANN, CN=ICANN SSL CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:dd:c6:ab:bf:7c:66:9d:b3:2b:96:00:14:c7:60: + 7a:8d:62:5b:26:4b:30:d7:b3:4c:82:69:c6:4d:4d: + 73:f3:d4:91:21:5d:ab:35:f0:c8:04:0e:f4:a3:35: + e2:e1:18:a9:98:12:03:58:f8:9f:eb:77:54:5b:89: + 81:26:c9:aa:c2:f4:c9:0c:82:57:2a:5e:05:e9:61: + 17:cc:19:18:71:eb:35:83:c1:86:9d:ec:f1:6b:ca: + dd:a1:96:0b:95:d4:e1:0f:9e:24:6f:dc:3c:d0:28: + 9e:f2:53:47:2b:a1:ad:32:03:c8:3f:0d:80:80:7d: + f0:02:d2:6e:5a:2c:44:21:9b:09:50:15:3f:a1:3d: + d3:c9:c8:24:e7:ea:4e:92:2f:94:90:2e:de:e7:68: + f6:c6:b3:90:1f:bc:c9:7b:a2:65:d7:11:e9:8b:f0: + 3a:5a:b7:17:07:df:69:e3:6e:b9:54:6a:8e:3a:aa: + 94:7f:2c:0a:a1:ad:ba:b7:d9:60:62:27:a7:71:40: + 3b:8e:b0:84:7b:b8:c8:67:ef:66:ba:3d:ac:c3:85: + e5:86:bb:a7:9c:fd:b6:e1:c0:10:53:3d:d4:7e:1b: + 09:e6:9f:22:5c:a7:27:09:7e:27:12:33:fa:df:9b: + 20:2f:14:f7:17:c0:e4:1e:07:91:1f:f9:9a:cd:a8: + e2:c5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign + X509v3 Authority Key Identifier: + keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 + + X509v3 Subject Key Identifier: + 6E:77:A8:40:10:4A:D8:9C:0C:F2:B7:5A:3A:A5:2F:79:4A:61:14:D8 + Signature Algorithm: sha256WithRSAEncryption + 18:42:62:df:aa:8e:44:e6:87:10:4d:d9:a6:b2:c3:97:37:43: + 2e:ce:f3:e0:3c:c2:2f:e1:78:60:41:a9:2b:5d:f4:24:f5:f6: + 57:a2:08:ec:9c:89:e5:54:50:a8:30:c6:20:e5:8a:c7:8b:bd: + fd:98:b6:0c:7d:1a:1f:01:a1:4a:4e:ec:0d:2a:aa:9f:fd:a9: + 20:0d:b3:5c:0f:36:c0:2c:2b:c6:75:22:29:66:a3:34:bd:93: + 3d:f6:28:da:90:d5:7e:91:df:d3:06:f6:69:8b:80:9b:a5:34: + af:6a:02:5b:e4:52:7d:56:4d:99:6e:fe:e9:d0:36:99:58:d9: + af:cd:79:9b:e5:d2:4c:35:90:d3:e0:68:b2:88:2b:18:39:2e: + bc:0b:d9:82:84:7f:24:12:92:d2:b9:13:4f:64:bc:46:e1:5c: + 6a:ed:f7:b0:d4:66:27:25:21:86:b4:3a:5e:19:a3:c7:8b:4b: + 93:b9:2e:37:e2:6d:8b:46:ee:68:39:21:75:e8:fe:2a:a7:85: + fd:68:26:96:bd:dd:f9:f1:fe:99:5f:b4:a4:97:1b:50:18:fa: + 21:90:54:0c:8b:30:28:94:70:19:34:9e:5c:e1:e5:48:93:af: + aa:a3:b4:95:b2:f5:4c:97:50:44:58:97:e1:ff:e7:b2:10:dd: + 2c:fe:c0:ed +-----BEGIN CERTIFICATE----- +MIIDYjCCAkqgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO +TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV +BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA1MDcyOVoX +DTE0MTIyMjA1MDcyOVowJzEOMAwGA1UEChMFSUNBTk4xFTATBgNVBAMTDElDQU5O +IFNTTCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN3Gq798Zp2z +K5YAFMdgeo1iWyZLMNezTIJpxk1Nc/PUkSFdqzXwyAQO9KM14uEYqZgSA1j4n+t3 +VFuJgSbJqsL0yQyCVypeBelhF8wZGHHrNYPBhp3s8WvK3aGWC5XU4Q+eJG/cPNAo +nvJTRyuhrTIDyD8NgIB98ALSblosRCGbCVAVP6E908nIJOfqTpIvlJAu3udo9saz +kB+8yXuiZdcR6YvwOlq3FwffaeNuuVRqjjqqlH8sCqGturfZYGInp3FAO46whHu4 +yGfvZro9rMOF5Ya7p5z9tuHAEFM91H4bCeafIlynJwl+JxIz+t+bIC8U9xfA5B4H +kR/5ms2o4sUCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC +Af4wHwYDVR0jBBgwFoAUulLpSYMkhlIvx5nN/I1raQhNwFAwHQYDVR0OBBYEFG53 +qEAQSticDPK3WjqlL3lKYRTYMA0GCSqGSIb3DQEBCwUAA4IBAQAYQmLfqo5E5ocQ +TdmmssOXN0MuzvPgPMIv4XhgQakrXfQk9fZXogjsnInlVFCoMMYg5YrHi739mLYM +fRofAaFKTuwNKqqf/akgDbNcDzbALCvGdSIpZqM0vZM99ijakNV+kd/TBvZpi4Cb +pTSvagJb5FJ9Vk2Zbv7p0DaZWNmvzXmb5dJMNZDT4GiyiCsYOS68C9mChH8kEpLS +uRNPZLxG4Vxq7few1GYnJSGGtDpeGaPHi0uTuS434m2LRu5oOSF16P4qp4X9aCaW +vd358f6ZX7SklxtQGPohkFQMizAolHAZNJ5c4eVIk6+qo7SVsvVMl1BEWJfh/+ey +EN0s/sDt +-----END CERTIFICATE----- diff --git a/root.anchor b/root.anchor new file mode 100644 index 0000000..18367f8 --- /dev/null +++ b/root.anchor @@ -0,0 +1 @@ +. 98799 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} diff --git a/unbound-monthly.cron b/unbound-monthly.cron new file mode 100755 index 0000000..6ad3c2c --- /dev/null +++ b/unbound-monthly.cron @@ -0,0 +1,3 @@ +#!/bin/sh + +/usr/sbin/unbound-anchor -a /etc/unbound/root.anchor -c /etc/unbound/icannbundle.pem diff --git a/unbound.conf b/unbound.conf index b06e6be..2bb28a0 100644 --- a/unbound.conf +++ b/unbound.conf @@ -6,7 +6,7 @@ #Use this to include other text into the file. #include: "otherfile.conf" -# The server clause sets the main parameters. +# The server clause sets the main parameters. server: # whitespace is not necessary, but looks cleaner. @@ -17,7 +17,7 @@ server: # Set to "" or 0 to disable. Default is disabled. # Needed for munin plugin statistics-interval: 0 - + # enable cumulative statistics, without clearing them after printing. # Needed for munin plugin statistics-cumulative: no @@ -41,17 +41,17 @@ server: # interface: 192.0.2.154 # interface: 2001:DB8::5 # - # for dns over tls and raw dns over port 80 + # for dns over tls and raw dns over port 80 # interface: 0.0.0.0@443 # interface: ::0@443 # interface: 0.0.0.0@80 # interface: ::0@80 - + # enable this feature to copy the source address of queries to reply. - # Socket options are not supported on all platforms. experimental. + # Socket options are not supported on all platforms. experimental. # interface-automatic: yes # - # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0 + # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0 # NOTE: Disabled per Fedora policy not to listen to * on default install # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled interface-automatic: no @@ -67,9 +67,9 @@ server: # outgoing-interface: 2001:DB8::6 # number of ports to allocate per thread, determines the size of the - # port range that can be open simultaneously. + # port range that can be open simultaneously. # outgoing-range: 4096 - + # permit unbound to use this port number or port range for # making outgoing queries, using an outgoing interface. # outgoing-port-permit: 32768 @@ -98,13 +98,13 @@ server: # EDNS reassembly buffer to advertise to UDP peers (the actual buffer # is set with msg-buffer-size). 1480 can solve fragmentation (timeouts). # edns-buffer-size: 4096 - + # buffer size for handling DNS data. No messages larger than this # size can be sent or received, by UDP or TCP. In bytes. # msg-buffer-size: 65552 # the amount of memory to use for the message cache. - # plain value in bytes or you can append k, m or G. default is "4Mb". + # plain value in bytes or you can append k, m or G. default is "4Mb". # msg-cache-size: 4m # the number of slabs to use for the message cache. @@ -119,7 +119,7 @@ server: # jostle-timeout: 200 # the amount of memory to use for the RRset cache. - # plain value in bytes or you can append k, m or G. default is "4Mb". + # plain value in bytes or you can append k, m or G. default is "4Mb". # rrset-cache-size: 4m # the number of slabs to use for the RRset cache. @@ -185,8 +185,8 @@ server: # # If chroot is enabled, you should pass the configfile (from the # commandline) as a full path from the original root. After the - # chroot has been performed the now defunct portion of the config - # file path is removed to be able to reread the config after a reload. + # chroot has been performed the now defunct portion of the config + # file path is removed to be able to reread the config after a reload. # # All other file paths (working dir, logfile, roothints, and # key files) can be specified in several ways: @@ -195,7 +195,7 @@ server: # o as an absolute path relative to the original root. # In the last case the path is adjusted to remove the unused portion. # - # The pid file can be absolute and outside of the chroot, it is + # The pid file can be absolute and outside of the chroot, it is # written just prior to performing the chroot and dropping permissions. # # Additionally, unbound may need to access /dev/random (for entropy). @@ -210,62 +210,62 @@ server: # If you give "" no privileges are dropped. username: "unbound" - # the working directory. The relative files in this config are + # the working directory. The relative files in this config are # relative to this directory. If you give "" the working directory # is not changed. directory: "/etc/unbound" - # the log file, "" means log to stderr. + # the log file, "" means log to stderr. # Use of this option sets use-syslog to "no". # logfile: "" - - # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to + + # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to # log to, with identity "unbound". If yes, it overrides the logfile. - # use-syslog: yes + # use-syslog: yes # print UTC timestamp in ascii to logfile, default is epoch in seconds. log-time-ascii: yes # the pid file. Can be an absolute path outside of chroot/work dir. pidfile: "/var/run/unbound/unbound.pid" - + # file to read root hints from. # get one from ftp://FTP.INTERNIC.NET/domain/named.cache # root-hints: "" - + # enable to not answer id.server and hostname.bind queries. # hide-identity: no - + # enable to not answer version.server and version.bind queries. # hide-version: no - + # the identity to report. Leave "" or default to return hostname. # identity: "" - + # the version to report. Leave "" or default to return package version. # version: "" - + # the target fetch policy. - # series of integers describing the policy per dependency depth. - # The number of values in the list determines the maximum dependency + # series of integers describing the policy per dependency depth. + # The number of values in the list determines the maximum dependency # depth the recursor will pursue before giving up. Each integer means: # -1 : fetch all targets opportunistically, # 0: fetch on demand, # positive value: fetch that many targets opportunistically. # Enclose the list of numbers between quotes (""). # target-fetch-policy: "3 2 1 0 0" - - # Harden against very small EDNS buffer sizes. + + # Harden against very small EDNS buffer sizes. # harden-short-bufsize: no - + # Harden against unseemly large queries. # harden-large-queries: no - - # Harden against out of zone rrsets, to avoid spoofing attempts. + + # Harden against out of zone rrsets, to avoid spoofing attempts. harden-glue: yes - + # Harden against receiving dnssec-stripped data. If you turn it - # off, failing to validate dnskey data for a trustanchor will + # off, failing to validate dnskey data for a trustanchor will # trigger insecure mode for that zone (like without a trustanchor). # Default on, which insists on dnssec data for trust-anchored zones. harden-dnssec-stripped: yes @@ -273,9 +273,9 @@ server: # Harden against queries that fall under dnssec-signed nxdomain names. harden-below-nxdomain: yes - # Harden the referral path by performing additional queries for + # Harden the referral path by performing additional queries for # infrastructure data. Validates the replies (if possible). - # Default off, because the lookups burden the server. Experimental + # Default off, because the lookups burden the server. Experimental # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. harden-referral-path: yes @@ -283,11 +283,11 @@ server: # This feature is an experimental implementation of draft dns-0x20. # (this now fails on all GoDaddy customer domains, so disabled) use-caps-for-id: no - - # Enforce privacy of these addresses. Strips them away from answers. - # It may cause DNSSEC validation to additionally mark it as bogus. - # Protects against 'DNS Rebinding' (uses browser as network proxy). - # Only 'private-domain' and 'local-data' names are allowed to have + + # Enforce privacy of these addresses. Strips them away from answers. + # It may cause DNSSEC validation to additionally mark it as bogus. + # Protects against 'DNS Rebinding' (uses browser as network proxy). + # Only 'private-domain' and 'local-data' names are allowed to have # these private addresses. No default. # private-address: 10.0.0.0/8 # private-address: 172.16.0.0/12 @@ -299,7 +299,7 @@ server: # Allow the domain (and its subdomains) to contain private addresses. # local-data statements are allowed to contain private addresses too. # private-domain: "example.com" - + # If nonzero, unwanted replies are not only reported in statistics, # but also a running total is kept per thread. If it reaches the # threshold, a warning is printed and a defensive action is taken, @@ -311,7 +311,7 @@ server: # List one address per entry. List classless netblocks with /size, # do-not-query-address: 127.0.0.1/8 # do-not-query-address: ::1 - + # if yes, the above default do-not-query-address entries are present. # if no, localhost can be queried (for testing and debugging). # do-not-query-localhost: yes @@ -322,17 +322,17 @@ server: # if yes, perform key lookups adjacent to normal lookups. prefetch-key: yes - # if yes, Unbound rotates RRSet order in response. - # rrset-roundrobin: no + # if yes, Unbound rotates RRSet order in response. + # rrset-roundrobin: no - # if yes, Unbound doesn't insert authority/additional sections - # into response messages when those sections are not required. - # minimal-responses: no + # if yes, Unbound doesn't insert authority/additional sections + # into response messages when those sections are not required. + # minimal-responses: no # module configuration of the server. A string with identifiers # separated by spaces. "iterator" or "validator iterator" # module-config: "validator iterator" - + # File with DLV trusted keys. Same format as trust-anchor-file. # There can be only one DLV configured, it is trusted from root down. # Downloaded from https://secure.isc.org/ops/dlv/dlv.isc.org.key @@ -356,20 +356,22 @@ server: # File with trusted keys for validation. Specify more than one file # with several entries, one file per entry. Like trust-anchor-file - # but has a different file format. Format is BIND-9 style format, + # but has a different file format. Format is BIND-9 style format, # the trusted-keys { name flag proto algo "key"; }; clauses are read. # trusted-keys-file: "" - trusted-keys-file: /etc/unbound/root.key + # + # trusted-keys-file: /etc/unbound/rootkey.bind trusted-keys-file: /etc/unbound/keys.d/*.key + auto-trust-anchor-file: "/etc/unbound/root.anchor" # Ignore chain of trust. Domain is treated as insecure. # domain-insecure: "example.com" # Override the date for validation with a specific fixed date. # Do not set this unless you are debugging signature inception - # and expiration. "" or "0" turns the feature off. + # and expiration. "" or "0" turns the feature off. # val-override-date: "" - + # The time to live for bogus data, rrsets and messages. This avoids # some of the revalidation, until the time interval expires. in secs. # val-bogus-ttl: 60 @@ -382,10 +384,10 @@ server: # Should additional section of secure message also be kept clean of # unsecure data. Useful to shield the users of this validator from - # potential bogus data in the additional section. All unsigned data + # potential bogus data in the additional section. All unsigned data # in the additional section is removed from secure messages. val-clean-additional: yes - + # Turn permissive mode on to permit bogus messages. Thus, messages # for which security checks failed will be returned to clients, # instead of SERVFAIL. It still performs the security checks, which @@ -397,7 +399,7 @@ server: # Have the validator log failed validations for your diagnosis. # 0: off. 1: A line per failed user query. 2: With reason and bad IP. val-log-level: 1 - + # It is possible to configure NSEC3 maximum iteration counts per # keysize. Keep this table very short, as linear search is done. # A message with an NSEC3 with larger count is marked insecure. @@ -415,22 +417,22 @@ server: # keep-missing: 31622400 # 366 days # the amount of memory to use for the key cache. - # plain value in bytes or you can append k, m or G. default is "4Mb". + # plain value in bytes or you can append k, m or G. default is "4Mb". # key-cache-size: 4m # the number of slabs to use for the key cache. # the number of slabs must be a power of 2. # more slabs reduce lock contention, but fragment memory usage. # key-cache-slabs: 4 - + # the amount of memory to use for the negative cache (used for DLV). - # plain value in bytes or you can append k, m or G. default is "1Mb". + # plain value in bytes or you can append k, m or G. default is "1Mb". # neg-cache-size: 1m # a number of locally served zones can be configured. # local-zone: # local-data: "" - # o deny serves local data (if any), else, drops queries. + # o deny serves local data (if any), else, drops queries. # o refuse serves local data (if any), else, replies with error. # o static serves local data, else, nxdomain or nodata answer. # o transparent serves local data, but resolves normally for other names @@ -441,7 +443,7 @@ server: # defaults are localhost address, reverse for 127.0.0.1 and ::1 # and nxdomain for AS112 zones. If you configure one of these zones # the default content is omitted, or you can omit it with 'nodefault'. - # + # # If you configure local-data without specifying local-zone, by # default a transparent local-zone is created for the data. # @@ -485,7 +487,7 @@ server: # # python-script: "/etc/unbound/ubmodule-tst.py" -# Remote control config section. +# Remote control config section. remote-control: # Enable remote control with unbound-control(8) here. # set up the keys and certificates with unbound-control-setup. @@ -517,9 +519,9 @@ remote-control: include: /etc/unbound/conf.d/*.conf # Stub zones. -# Create entries like below, to make all queries for 'example.com' and -# 'example.org' go to the given list of nameservers. list zero or more -# nameservers by hostname or by ipaddress. If you set stub-prime to yes, +# Create entries like below, to make all queries for 'example.com' and +# 'example.org' go to the given list of nameservers. list zero or more +# nameservers by hostname or by ipaddress. If you set stub-prime to yes, # the list is treated as priming hints (default is no). # stub-zone: # name: "example.com" diff --git a/unbound.service b/unbound.service index 381d88a..0532f70 100644 --- a/unbound.service +++ b/unbound.service @@ -5,10 +5,11 @@ After=unbound-keygen.service Wants=unbound-keygen.service [Service] -Type=forking -PIDFile=/var/run/unbound/unbound.pid +Type=simple EnvironmentFile=-/etc/sysconfig/unbound -ExecStart=/usr/sbin/unbound +ExecStartPre=/usr/sbin/unbound-anchor -a /etc/unbound/root.anchor -c /etc/unbound/icannbundle.pem +ExecStartPre=/usr/sbin/unbound-checkconf +ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS [Install] WantedBy=multi-user.target diff --git a/unbound.spec b/unbound.spec index 188470b..2ebaa12 100644 --- a/unbound.spec +++ b/unbound.spec @@ -29,6 +29,11 @@ Source8: tmpfiles-unbound.conf Source9: example.com.key Source10: example.com.conf Source11: block-example.com.conf +# From http://data.iana.org/root-anchors/icannbundle.pem +Source12: icannbundle.pem +Source13: root.anchor +Source14: unbound.sysconfig +Source15: unbound-monthly.cron Patch1: unbound-1.2-glob.patch Patch2: unbound-1.4.18-openssl_threads.patch Patch3: unbound-1.4.18-includeglob.patch @@ -125,15 +130,20 @@ Python modules and extensions for unbound %install %{__make} DESTDIR=%{buildroot} install install -d 0755 %{buildroot}%{_unitdir} -install -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service -install -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/unbound-keygen.service -install -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound +install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service +install -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/unbound-keygen.service +install -p -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound +install -p -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/unbound %if %{munin} # Install munin plugin and its softlinks -install -d 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d -install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/munin/plugin-conf.d/unbound +install -d 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d %{buildroot}%{_sysconfdir}/sysconfig +install -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/munin/plugin-conf.d/unbound +install -p -m 0644 %{SOURCE14} %{buildroot}%{_sysconfdir}/sysconfig/unbound +install -d 0755 %{buildroot}%{_sysconfdir}/cron.monthly +install -p -m 0755 %{SOURCE15} %{buildroot}%{_sysconfdir}/cron.monthly/unbound-anchor + install -d 0755 %{buildroot}%{_datadir}/munin/plugins/ -install -m 0755 %{SOURCE4} %{buildroot}%{_datadir}/munin/plugins/unbound +install -p -m 0755 %{SOURCE4} %{buildroot}%{_datadir}/munin/plugins/unbound for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unbound_munin_by_type unbound_munin_by_class unbound_munin_by_opcode unbound_munin_by_rcode unbound_munin_by_flags unbound_munin_histogram; do ln -s unbound %{buildroot}%{_datadir}/munin/plugins/$plugin done @@ -147,7 +157,7 @@ mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d/ install -m 0644 %{SOURCE8} %{buildroot}%{_sysconfdir}/tmpfiles.d/unbound.conf # install root and DLV key -install -m 0644 %{SOURCE5} %{SOURCE6} %{buildroot}%{_sysconfdir}/unbound/ +install -m 0644 %{SOURCE5} %{SOURCE6} %{SOURCE13} %{buildroot}%{_sysconfdir}/unbound/ # remove static library from install (fedora packaging guidelines) rm %{buildroot}%{_libdir}/*.la @@ -178,8 +188,7 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/ %attr(0755,unbound,unbound) %dir %{_localstatedir}/run/%{name} %config(noreplace) %{_sysconfdir}/tmpfiles.d/unbound.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf -%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key -%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name} %attr(0775,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d %attr(0775,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/conf.d %attr(0775,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/local.d @@ -188,6 +197,7 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/ %{_mandir}/man5/* %{_mandir}/man8/* + %if %{with_python} %files python %{python_sitearch}/* @@ -209,6 +219,11 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/ %files libs %{_libdir}/libunbound.so.* +%{_sysconfdir}/%{name}/icannbundle.pem +%{_sysconfdir}/cron.monthly/unbound-anchor +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.anchor +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key %doc doc/README doc/LICENSE %pre @@ -222,7 +237,9 @@ exit 0 %systemd_post unbound.service %systemd_post unbound-keygen.service -%post libs -p /sbin/ldconfig +%post libs +/sbin/ldconfig +%{_sysconfdir}/cron.monthly/unbound-anchor %preun %systemd_preun unbound.service @@ -250,6 +267,13 @@ exit 0 - Patch to allow wildcards in include: statements - Add directories /etc/unbound/keys.d,conf.d,local.d with example entries +- Added /etc/unbound/root.anchor, maintained by unbound-anchor + which is installed as monthly cron and PreExec in systemd config + (root.key is unused, but left installed in case people depend on it) +- Native systemd (simple) and /etc/sysconfig/unbound support +- Run unbound-checkconf in PreExec +- Moved trust anchor related files to unbound-libs, as they can + be used without the daemon. * Tue Sep 04 2012 Paul Wouters - 1.4.18-3 - Fix openssl thread locking bug under high query load diff --git a/unbound.sysconfig b/unbound.sysconfig new file mode 100644 index 0000000..6fde947 --- /dev/null +++ b/unbound.sysconfig @@ -0,0 +1,3 @@ +# DEBUG="-v -v" + +UNBOUND_OPTIONS="$DEBUG"