From c4f62ca05eb9a893ea4bf81f7175b9effe062d51 Mon Sep 17 00:00:00 2001
From: Paul Wouters
Date: Sat, 3 Nov 2012 12:59:54 -0400
Subject: [PATCH] * add anchor support and more flexible config directories
---
 root.anchor | 1 +
 unbound.conf | 132 ++++++++++++++++++++++++++-------------------------
 unbound.spec | 26 ++++++----
 3 files changed, 86 insertions(+), 73 deletions(-)
 create mode 100644 root.anchor
diff --git a/root.anchor b/root.anchor
new file mode 100644
index 0000000..18367f8
--- /dev/null
+++ b/root.anchor
@@ -0,0 +1 @@
+. 98799 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
diff --git a/unbound.conf b/unbound.conf
index b06e6be..2bb28a0 100644
--- a/unbound.conf
+++ b/unbound.conf
@@ -6,7 +6,7 @@
 #Use this to include other text into the file. #include: "otherfile.conf"
-# The server clause sets the main parameters.
+# The server clause sets the main parameters.
 server:
 # whitespace is not necessary, but looks cleaner.
@@ -17,7 +17,7 @@ server:
 # Set to "" or 0 to disable. Default is disabled. # Needed for munin plugin statistics-interval: 0 - + # enable cumulative statistics, without clearing them after printing. # Needed for munin plugin statistics-cumulative: no 
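Review bot: The new root.anchor carries the root DNSKEY with only the `;{id = 19036 (ksk), size = 2048b}` comment, so nothing records where the key was obtained or how it was checked; a leading comment line such as `; root KSK, taken from <source> on <date>, verified via <method>` (real values filled in) would let a later packager re-verify it before trusting it. Because the unbound.conf hunk at -356 points `auto-trust-anchor-file` at this file, unbound rewrites it with RFC 5011 state, so it is not static package content: the unbound.spec hunks at -147 (installed `-m 0644` with no `%attr`) and -209 (listed with neither `%attr` nor `%config(noreplace)`) need to make it writable by the `unbound` user and keep it across upgrades, otherwise the anchor cannot follow a root KSK rollover and a package upgrade would overwrite the maintained state with this stale copy. Whether unbound writes the file in place or through a temporary file in the same directory decides whether the directory must be writable too; confirm against the shipped unbound version.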
@@ -41,17 +41,17 @@ server: # interface: 192.0.2.154 # interface: 2001:DB8::5 # - # for dns over tls and raw dns over port 80 + # for dns over tls and raw dns over port 80 # interface: 0.0.0.0@443 # interface: ::0@443 # interface: 0.0.0.0@80 # interface: ::0@80 - + # enable this feature to copy the source address of queries to reply. - # Socket options are not supported on all platforms. experimental. + # Socket options are not supported on all platforms. experimental. # interface-automatic: yes # - # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0 + # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0 # NOTE: Disabled per Fedora policy not to listen to * on default install # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled interface-automatic: no @@ -67,9 +67,9 @@ server: # outgoing-interface: 2001:DB8::6 # number of ports to allocate per thread, determines the size of the - # port range that can be open simultaneously. + # port range that can be open simultaneously. # outgoing-range: 4096 - + # permit unbound to use this port number or port range for # making outgoing queries, using an outgoing interface. # outgoing-port-permit: 32768 @@ -98,13 +98,13 @@ server: # EDNS reassembly buffer to advertise to UDP peers (the actual buffer # is set with msg-buffer-size). 1480 can solve fragmentation (timeouts). # edns-buffer-size: 4096 - + # buffer size for handling DNS data. No messages larger than this # size can be sent or received, by UDP or TCP. In bytes. # msg-buffer-size: 65552 # the amount of memory to use for the message cache. - # plain value in bytes or you can append k, m or G. default is "4Mb". + # plain value in bytes or you can append k, m or G. default is "4Mb". # msg-cache-size: 4m # the number of slabs to use for the message cache. 
@@ -119,7 +119,7 @@ server: # jostle-timeout: 200 # the amount of memory to use for the RRset cache. - # plain value in bytes or you can append k, m or G. default is "4Mb". + # plain value in bytes or you can append k, m or G. default is "4Mb". # rrset-cache-size: 4m # the number of slabs to use for the RRset cache. @@ -185,8 +185,8 @@ server: # # If chroot is enabled, you should pass the configfile (from the # commandline) as a full path from the original root. After the - # chroot has been performed the now defunct portion of the config - # file path is removed to be able to reread the config after a reload. + # chroot has been performed the now defunct portion of the config + # file path is removed to be able to reread the config after a reload. # # All other file paths (working dir, logfile, roothints, and # key files) can be specified in several ways: @@ -195,7 +195,7 @@ server: # o as an absolute path relative to the original root. # In the last case the path is adjusted to remove the unused portion. # - # The pid file can be absolute and outside of the chroot, it is + # The pid file can be absolute and outside of the chroot, it is # written just prior to performing the chroot and dropping permissions. # # Additionally, unbound may need to access /dev/random (for entropy). 
@@ -210,62 +210,62 @@ server: # If you give "" no privileges are dropped. username: "unbound" - # the working directory. The relative files in this config are + # the working directory. The relative files in this config are # relative to this directory. If you give "" the working directory # is not changed. directory: "/etc/unbound" - # the log file, "" means log to stderr. + # the log file, "" means log to stderr. # Use of this option sets use-syslog to "no". # logfile: "" - - # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to + + # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to # log to, with identity "unbound". If yes, it overrides the logfile. - # use-syslog: yes + # use-syslog: yes # print UTC timestamp in ascii to logfile, default is epoch in seconds. log-time-ascii: yes # the pid file. Can be an absolute path outside of chroot/work dir. pidfile: "/var/run/unbound/unbound.pid" - + # file to read root hints from. # get one from ftp://FTP.INTERNIC.NET/domain/named.cache # root-hints: "" - + # enable to not answer id.server and hostname.bind queries. # hide-identity: no - + # enable to not answer version.server and version.bind queries. # hide-version: no - + # the identity to report. Leave "" or default to return hostname. # identity: "" - + # the version to report. Leave "" or default to return package version. # version: "" - + # the target fetch policy. - # series of integers describing the policy per dependency depth. - # The number of values in the list determines the maximum dependency + # series of integers describing the policy per dependency depth. + # The number of values in the list determines the maximum dependency # depth the recursor will pursue before giving up. Each integer means: # -1 : fetch all targets opportunistically, # 0: fetch on demand, # positive value: fetch that many targets opportunistically. # Enclose the list of numbers between quotes (""). 
# target-fetch-policy: "3 2 1 0 0" - - # Harden against very small EDNS buffer sizes. + + # Harden against very small EDNS buffer sizes. # harden-short-bufsize: no - + # Harden against unseemly large queries. # harden-large-queries: no - - # Harden against out of zone rrsets, to avoid spoofing attempts. + + # Harden against out of zone rrsets, to avoid spoofing attempts. harden-glue: yes - + # Harden against receiving dnssec-stripped data. If you turn it - # off, failing to validate dnskey data for a trustanchor will + # off, failing to validate dnskey data for a trustanchor will # trigger insecure mode for that zone (like without a trustanchor). # Default on, which insists on dnssec data for trust-anchored zones. harden-dnssec-stripped: yes @@ -273,9 +273,9 @@ server: # Harden against queries that fall under dnssec-signed nxdomain names. harden-below-nxdomain: yes - # Harden the referral path by performing additional queries for + # Harden the referral path by performing additional queries for # infrastructure data. Validates the replies (if possible). - # Default off, because the lookups burden the server. Experimental + # Default off, because the lookups burden the server. Experimental # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. harden-referral-path: yes 
@@ -283,11 +283,11 @@ server: # This feature is an experimental implementation of draft dns-0x20. # (this now fails on all GoDaddy customer domains, so disabled) use-caps-for-id: no - - # Enforce privacy of these addresses. Strips them away from answers. - # It may cause DNSSEC validation to additionally mark it as bogus. - # Protects against 'DNS Rebinding' (uses browser as network proxy). - # Only 'private-domain' and 'local-data' names are allowed to have + + # Enforce privacy of these addresses. Strips them away from answers. + # It may cause DNSSEC validation to additionally mark it as bogus. + # Protects against 'DNS Rebinding' (uses browser as network proxy). + # Only 'private-domain' and 'local-data' names are allowed to have # these private addresses. No default. # private-address: 10.0.0.0/8 # private-address: 172.16.0.0/12 @@ -299,7 +299,7 @@ server: # Allow the domain (and its subdomains) to contain private addresses. # local-data statements are allowed to contain private addresses too. # private-domain: "example.com" - + # If nonzero, unwanted replies are not only reported in statistics, # but also a running total is kept per thread. If it reaches the # threshold, a warning is printed and a defensive action is taken, @@ -311,7 +311,7 @@ server: # List one address per entry. List classless netblocks with /size, # do-not-query-address: 127.0.0.1/8 # do-not-query-address: ::1 - + # if yes, the above default do-not-query-address entries are present. # if no, localhost can be queried (for testing and debugging). # do-not-query-localhost: yes 
@@ -322,17 +322,17 @@ server: # if yes, perform key lookups adjacent to normal lookups. prefetch-key: yes - # if yes, Unbound rotates RRSet order in response. - # rrset-roundrobin: no + # if yes, Unbound rotates RRSet order in response. + # rrset-roundrobin: no - # if yes, Unbound doesn't insert authority/additional sections - # into response messages when those sections are not required. - # minimal-responses: no + # if yes, Unbound doesn't insert authority/additional sections + # into response messages when those sections are not required. + # minimal-responses: no # module configuration of the server. A string with identifiers # separated by spaces. "iterator" or "validator iterator" # module-config: "validator iterator" - + # File with DLV trusted keys. Same format as trust-anchor-file. # There can be only one DLV configured, it is trusted from root down. # Downloaded from https://secure.isc.org/ops/dlv/dlv.isc.org.key 
@@ -356,20 +356,22 @@ server: # File with trusted keys for validation. Specify more than one file # with several entries, one file per entry. Like trust-anchor-file - # but has a different file format. Format is BIND-9 style format, + # but has a different file format. Format is BIND-9 style format, # the trusted-keys { name flag proto algo "key"; }; clauses are read. # trusted-keys-file: "" - trusted-keys-file: /etc/unbound/root.key + # + # trusted-keys-file: /etc/unbound/rootkey.bind trusted-keys-file: /etc/unbound/keys.d/*.key + auto-trust-anchor-file: "/etc/unbound/root.anchor" # Ignore chain of trust. Domain is treated as insecure. # domain-insecure: "example.com" # Override the date for validation with a specific fixed date. # Do not set this unless you are debugging signature inception - # and expiration. "" or "0" turns the feature off. + # and expiration. "" or "0" turns the feature off. # val-override-date: "" - + # The time to live for bogus data, rrsets and messages. This avoids # some of the revalidation, until the time interval expires. in secs. # val-bogus-ttl: 60 @@ -382,10 +384,10 @@ server: # Should additional section of secure message also be kept clean of # unsecure data. Useful to shield the users of this validator from - # potential bogus data in the additional section. All unsigned data + # potential bogus data in the additional section. All unsigned data # in the additional section is removed from secure messages. val-clean-additional: yes - + # Turn permissive mode on to permit bogus messages. Thus, messages # for which security checks failed will be returned to clients, # instead of SERVFAIL. It still performs the security checks, which 
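Review bot: The commented example added above the glob line, `# trusted-keys-file: /etc/unbound/rootkey.bind`, names a file this package never installs — the spec still ships `root.key` as Source5 — so it should read `# trusted-keys-file: /etc/unbound/root.key`, or be dropped now that the root key is no longer loaded this way. A short comment above the new `auto-trust-anchor-file: "/etc/unbound/root.anchor"` line, `# unbound maintains this file itself (RFC 5011) and must be able to write it`, would tell an administrator why this file differs from the read-only keys under keys.d. With root.key no longer referenced here but still installed by the spec, a comment stating which mechanism is authoritative for the root key would avoid confusion during a rollover.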
@@ -397,7 +399,7 @@ server: # Have the validator log failed validations for your diagnosis. # 0: off. 1: A line per failed user query. 2: With reason and bad IP. val-log-level: 1 - + # It is possible to configure NSEC3 maximum iteration counts per # keysize. Keep this table very short, as linear search is done. # A message with an NSEC3 with larger count is marked insecure. @@ -415,22 +417,22 @@ server: # keep-missing: 31622400 # 366 days # the amount of memory to use for the key cache. - # plain value in bytes or you can append k, m or G. default is "4Mb". + # plain value in bytes or you can append k, m or G. default is "4Mb". # key-cache-size: 4m # the number of slabs to use for the key cache. # the number of slabs must be a power of 2. # more slabs reduce lock contention, but fragment memory usage. # key-cache-slabs: 4 - + # the amount of memory to use for the negative cache (used for DLV). - # plain value in bytes or you can append k, m or G. default is "1Mb". + # plain value in bytes or you can append k, m or G. default is "1Mb". # neg-cache-size: 1m # a number of locally served zones can be configured. # local-zone: # local-data: "" - # o deny serves local data (if any), else, drops queries. + # o deny serves local data (if any), else, drops queries. # o refuse serves local data (if any), else, replies with error. # o static serves local data, else, nxdomain or nodata answer. # o transparent serves local data, but resolves normally for other names @@ -441,7 +443,7 @@ server: # defaults are localhost address, reverse for 127.0.0.1 and ::1 # and nxdomain for AS112 zones. If you configure one of these zones # the default content is omitted, or you can omit it with 'nodefault'. - # + # # If you configure local-data without specifying local-zone, by # default a transparent local-zone is created for the data. # 
@@ -485,7 +487,7 @@ server:
 # # python-script: "/etc/unbound/ubmodule-tst.py"
-# Remote control config section.
+# Remote control config section.
 remote-control:
 # Enable remote control with unbound-control(8) here. # set up the keys and certificates with unbound-control-setup.
@@ -517,9 +519,9 @@ remote-control:
 include: /etc/unbound/conf.d/*.conf
 # Stub zones.
-# Create entries like below, to make all queries for 'example.com' and
-# 'example.org' go to the given list of nameservers. list zero or more
-# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
+# Create entries like below, to make all queries for 'example.com' and
+# 'example.org' go to the given list of nameservers. list zero or more
+# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
 # the list is treated as priming hints (default is no).
 # stub-zone:
 # name: "example.com"
diff --git a/unbound.spec b/unbound.spec
index 188470b..264bd4b 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -23,12 +23,15 @@ Source2: unbound.conf
 Source3: unbound.munin
 Source4: unbound_munin_
 Source5: root.key
+Source13: root.anchor
 Source6: dlv.isc.org.key
 Source7: unbound-keygen.service
 Source8: tmpfiles-unbound.conf
 Source9: example.com.key
 Source10: example.com.conf
 Source11: block-example.com.conf
+# From http://data.iana.org/root-anchors/icannbundle.pem
+Source12: icannbundle.pem
 Patch1: unbound-1.2-glob.patch
 Patch2: unbound-1.4.18-openssl_threads.patch
 Patch3: unbound-1.4.18-includeglob.patch
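Review bot: `Source13: root.anchor` is inserted between Source5 and Source6 while `Source12: icannbundle.pem` is appended after Source11, so the numbering no longer follows the listing order; either renumber (root.anchor as Source12, the bundle as Source13) or move the root.anchor line after Source12 so the list reads in sequence. The comment on Source12 gives only a plain-http download URL; since the bundle is what a packager would use to verify the root trust anchors, the comment should also record how the file itself was checked when it was added, e.g. `# From http://data.iana.org/root-anchors/icannbundle.pem, verified via <method> on <date>` with the real values filled in. Nothing on this page shows what consumes icannbundle.pem at runtime — the unbound.conf in this patch does not reference it — so if it is only a verification aid it may not belong under /etc/unbound at all.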
@@ -125,15 +128,16 @@ Python modules and extensions for unbound
 %install
 %{__make} DESTDIR=%{buildroot} install
 install -d 0755 %{buildroot}%{_unitdir}
-install -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service
-install -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/unbound-keygen.service
-install -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound
+install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service
+install -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/unbound-keygen.service
+install -p -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound
+install -p -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/unbound
 %if %{munin}
 # Install munin plugin and its softlinks
 install -d 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d
-install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/munin/plugin-conf.d/unbound
+install -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/munin/plugin-conf.d/unbound
 install -d 0755 %{buildroot}%{_datadir}/munin/plugins/
-install -m 0755 %{SOURCE4} %{buildroot}%{_datadir}/munin/plugins/unbound
+install -p -m 0755 %{SOURCE4} %{buildroot}%{_datadir}/munin/plugins/unbound
 for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unbound_munin_by_type unbound_munin_by_class unbound_munin_by_opcode unbound_munin_by_rcode unbound_munin_by_flags unbound_munin_histogram; do
 ln -s unbound %{buildroot}%{_datadir}/munin/plugins/$plugin
 done
@@ -147,7 +151,7 @@ mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d/
 install -m 0644 %{SOURCE8} %{buildroot}%{_sysconfdir}/tmpfiles.d/unbound.conf
 # install root and DLV key
-install -m 0644 %{SOURCE5} %{SOURCE6} %{buildroot}%{_sysconfdir}/unbound/
+install -m 0644 %{SOURCE5} %{SOURCE6} %{SOURCE13} %{buildroot}%{_sysconfdir}/unbound/
 # remove static library from install (fedora packaging guidelines)
 rm %{buildroot}%{_libdir}/*.la 
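Review bot: `-p` (preserve timestamps) is added to six install lines here but not to the `install -m 0644 %{SOURCE5} %{SOURCE6} %{SOURCE13} ...` line that the -147 hunk rewrites, so the keys and the new anchor are installed with build-time mtimes while everything else keeps the source mtime; add `-p` there as well (the untouched `%{SOURCE8}` tmpfiles line in that hunk has the same gap, but it is context rather than part of this change). The comment above that rewritten line, `# install root and DLV key`, no longer describes it once root.anchor is included; `# install root key, DLV key and RFC 5011 root anchor` would.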
@@ -178,8 +182,6 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
 %attr(0755,unbound,unbound) %dir %{_localstatedir}/run/%{name}
 %config(noreplace) %{_sysconfdir}/tmpfiles.d/unbound.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key
 %attr(0775,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d
 %attr(0775,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/conf.d
 %attr(0775,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/local.d
@@ -188,6 +190,7 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
 %{_mandir}/man5/*
 %{_mandir}/man8/*
+
 %if %{with_python}
 %files python
 %{python_sitearch}/*
@@ -209,6 +212,10 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
 %files libs
 %{_libdir}/libunbound.so.*
+%{_sysconfdir}/%{name}/icannbundle.pem
+%{_sysconfdir}/%{name}/root.anchor
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key
 %doc doc/README doc/LICENSE
 %pre
@@ -221,16 +228,19 @@ exit 0
 %post
 %systemd_post unbound.service
 %systemd_post unbound-keygen.service
+%systemd_post unbound-rootkey.service
 %post libs -p /sbin/ldconfig
 %preun
 %systemd_preun unbound.service
 %systemd_preun unbound-keygen.service
+%systemd_preun unbound-rootkey.service
 %postun
 %systemd_postun_with_restart unbound.service
 %systemd_postun unbound-keygen.service
+%systemd_postun unbound-rootkey.service
 %postun libs -p /sbin/ldconfig
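Review bot: The two `%config(noreplace)` entries for dlv.isc.org.key and root.key removed here are re-added under `%files libs` in the -209 hunk, together with root.anchor and icannbundle.pem, so the resolver's trust-anchor configuration moves into the shared-library subpackage that every libunbound consumer pulls in, while the main package no longer owns /etc/unbound files that its own unbound.conf reads; keep those four lines in the main package's %files list instead. If the move is deliberate because libunbound clients need a root key without the daemon, that reason belongs in a comment above the entries, since nothing in the patch explains it.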
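Review bot: The three new scriptlet lines reference `unbound-rootkey.service`, but no hunk on this page adds a Source entry or an install line for that unit — Source7 is unbound-keygen.service and the %install hunk at -125 installs only unbound.service and unbound-keygen.service — so unless the unit is added elsewhere the `%systemd_post`/`%systemd_preun`/`%systemd_postun` calls act on a unit the package does not contain. Either add the unit in the same change (a Source line, an install into `%{_unitdir}`, and a `%files` entry) or leave these lines out until it exists. If the unit is meant to refresh root.anchor, a one-line comment above `%systemd_post unbound-rootkey.service` saying so would tie it to the new anchor file.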