* add anchor support and more flexible config directories
parent
95ed9b464e
commit
c4f62ca05e
1
root.anchor
Normal file
1
root.anchor
Normal file
@ -0,0 +1 @@
|
|||||||
|
. 98799 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
|
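Review bot: The root DNSKEY added here is the anchor for all DNSSEC validation, yet neither this file nor the commit records where the key came from or how it was checked. A leading comment would let a later reviewer re-verify it, for example `; Root KSK (key tag 19036), checked against https://data.iana.org/root-anchors/root-anchors.xml on <DATE>`. Only the trailing `;{id = 19036 (ksk), size = 2048b}` annotation identifies the key at present.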
16
unbound.conf
16
unbound.conf
@ -273,7 +273,7 @@ server:
|
|||||||
# Harden against queries that fall under dnssec-signed nxdomain names.
|
# Harden against queries that fall under dnssec-signed nxdomain names.
|
||||||
harden-below-nxdomain: yes
|
harden-below-nxdomain: yes
|
||||||
|
|
||||||
# Harden the referral path by performing additional queries for
|
# Harden the referral path by performing additional queries for
|
||||||
# infrastructure data. Validates the replies (if possible).
|
# infrastructure data. Validates the replies (if possible).
|
||||||
# Default off, because the lookups burden the server. Experimental
|
# Default off, because the lookups burden the server. Experimental
|
||||||
# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
|
# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
|
||||||
@ -322,12 +322,12 @@ server:
|
|||||||
# if yes, perform key lookups adjacent to normal lookups.
|
# if yes, perform key lookups adjacent to normal lookups.
|
||||||
prefetch-key: yes
|
prefetch-key: yes
|
||||||
|
|
||||||
# if yes, Unbound rotates RRSet order in response.
|
# if yes, Unbound rotates RRSet order in response.
|
||||||
# rrset-roundrobin: no
|
# rrset-roundrobin: no
|
||||||
|
|
||||||
# if yes, Unbound doesn't insert authority/additional sections
|
# if yes, Unbound doesn't insert authority/additional sections
|
||||||
# into response messages when those sections are not required.
|
# into response messages when those sections are not required.
|
||||||
# minimal-responses: no
|
# minimal-responses: no
|
||||||
|
|
||||||
# module configuration of the server. A string with identifiers
|
# module configuration of the server. A string with identifiers
|
||||||
# separated by spaces. "iterator" or "validator iterator"
|
# separated by spaces. "iterator" or "validator iterator"
|
||||||
@ -359,8 +359,10 @@ server:
|
|||||||
# but has a different file format. Format is BIND-9 style format,
|
# but has a different file format. Format is BIND-9 style format,
|
||||||
# the trusted-keys { name flag proto algo "key"; }; clauses are read.
|
# the trusted-keys { name flag proto algo "key"; }; clauses are read.
|
||||||
# trusted-keys-file: ""
|
# trusted-keys-file: ""
|
||||||
trusted-keys-file: /etc/unbound/root.key
|
#
|
||||||
|
# trusted-keys-file: /etc/unbound/rootkey.bind
|
||||||
trusted-keys-file: /etc/unbound/keys.d/*.key
|
trusted-keys-file: /etc/unbound/keys.d/*.key
|
||||||
|
auto-trust-anchor-file: "/etc/unbound/root.anchor"
|
||||||
|
|
||||||
# Ignore chain of trust. Domain is treated as insecure.
|
# Ignore chain of trust. Domain is treated as insecure.
|
||||||
# domain-insecure: "example.com"
|
# domain-insecure: "example.com"
|
||||||
|
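Review bot: The new `auto-trust-anchor-file: "/etc/unbound/root.anchor"` line carries no comment explaining that unbound rewrites this file itself while tracking RFC 5011 key rollovers, so the daemon's user needs write access to it (and it must be reachable inside any chroot). I would add above it `# Managed by unbound (RFC 5011 tracking); must be writable by the unbound user.` The same hunk keeps `trusted-keys-file: /etc/unbound/keys.d/*.key` active, so the comment should also say whether a static root key in keys.d is expected alongside the auto-managed anchor.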
26
unbound.spec
26
unbound.spec
@ -23,12 +23,15 @@ Source2: unbound.conf
|
|||||||
Source3: unbound.munin
|
Source3: unbound.munin
|
||||||
Source4: unbound_munin_
|
Source4: unbound_munin_
|
||||||
Source5: root.key
|
Source5: root.key
|
||||||
|
Source13: root.anchor
|
||||||
Source6: dlv.isc.org.key
|
Source6: dlv.isc.org.key
|
||||||
Source7: unbound-keygen.service
|
Source7: unbound-keygen.service
|
||||||
Source8: tmpfiles-unbound.conf
|
Source8: tmpfiles-unbound.conf
|
||||||
Source9: example.com.key
|
Source9: example.com.key
|
||||||
Source10: example.com.conf
|
Source10: example.com.conf
|
||||||
Source11: block-example.com.conf
|
Source11: block-example.com.conf
|
||||||
|
# From http://data.iana.org/root-anchors/icannbundle.pem
|
||||||
|
Source12: icannbundle.pem
|
||||||
Patch1: unbound-1.2-glob.patch
|
Patch1: unbound-1.2-glob.patch
|
||||||
Patch2: unbound-1.4.18-openssl_threads.patch
|
Patch2: unbound-1.4.18-openssl_threads.patch
|
||||||
Patch3: unbound-1.4.18-includeglob.patch
|
Patch3: unbound-1.4.18-includeglob.patch
|
||||||
@ -125,15 +128,16 @@ Python modules and extensions for unbound
|
|||||||
%install
|
%install
|
||||||
%{__make} DESTDIR=%{buildroot} install
|
%{__make} DESTDIR=%{buildroot} install
|
||||||
install -d 0755 %{buildroot}%{_unitdir}
|
install -d 0755 %{buildroot}%{_unitdir}
|
||||||
install -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service
|
install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service
|
||||||
install -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/unbound-keygen.service
|
install -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/unbound-keygen.service
|
||||||
install -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound
|
install -p -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound
|
||||||
|
install -p -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/unbound
|
||||||
%if %{munin}
|
%if %{munin}
|
||||||
# Install munin plugin and its softlinks
|
# Install munin plugin and its softlinks
|
||||||
install -d 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d
|
install -d 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d
|
||||||
install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/munin/plugin-conf.d/unbound
|
install -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/munin/plugin-conf.d/unbound
|
||||||
install -d 0755 %{buildroot}%{_datadir}/munin/plugins/
|
install -d 0755 %{buildroot}%{_datadir}/munin/plugins/
|
||||||
install -m 0755 %{SOURCE4} %{buildroot}%{_datadir}/munin/plugins/unbound
|
install -p -m 0755 %{SOURCE4} %{buildroot}%{_datadir}/munin/plugins/unbound
|
||||||
for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unbound_munin_by_type unbound_munin_by_class unbound_munin_by_opcode unbound_munin_by_rcode unbound_munin_by_flags unbound_munin_histogram; do
|
for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unbound_munin_by_type unbound_munin_by_class unbound_munin_by_opcode unbound_munin_by_rcode unbound_munin_by_flags unbound_munin_histogram; do
|
||||||
ln -s unbound %{buildroot}%{_datadir}/munin/plugins/$plugin
|
ln -s unbound %{buildroot}%{_datadir}/munin/plugins/$plugin
|
||||||
done
|
done
|
||||||
@ -147,7 +151,7 @@ mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d/
|
|||||||
install -m 0644 %{SOURCE8} %{buildroot}%{_sysconfdir}/tmpfiles.d/unbound.conf
|
install -m 0644 %{SOURCE8} %{buildroot}%{_sysconfdir}/tmpfiles.d/unbound.conf
|
||||||
|
|
||||||
# install root and DLV key
|
# install root and DLV key
|
||||||
install -m 0644 %{SOURCE5} %{SOURCE6} %{buildroot}%{_sysconfdir}/unbound/
|
install -m 0644 %{SOURCE5} %{SOURCE6} %{SOURCE13} %{buildroot}%{_sysconfdir}/unbound/
|
||||||
|
|
||||||
# remove static library from install (fedora packaging guidelines)
|
# remove static library from install (fedora packaging guidelines)
|
||||||
rm %{buildroot}%{_libdir}/*.la
|
rm %{buildroot}%{_libdir}/*.la
|
||||||
@ -178,8 +182,6 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
|
|||||||
%attr(0755,unbound,unbound) %dir %{_localstatedir}/run/%{name}
|
%attr(0755,unbound,unbound) %dir %{_localstatedir}/run/%{name}
|
||||||
%config(noreplace) %{_sysconfdir}/tmpfiles.d/unbound.conf
|
%config(noreplace) %{_sysconfdir}/tmpfiles.d/unbound.conf
|
||||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
|
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
|
||||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
|
|
||||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key
|
|
||||||
%attr(0775,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d
|
%attr(0775,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d
|
||||||
%attr(0775,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/conf.d
|
%attr(0775,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/conf.d
|
||||||
%attr(0775,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/local.d
|
%attr(0775,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/local.d
|
||||||
@ -188,6 +190,7 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
|
|||||||
%{_mandir}/man5/*
|
%{_mandir}/man5/*
|
||||||
%{_mandir}/man8/*
|
%{_mandir}/man8/*
|
||||||
|
|
||||||
|
|
||||||
%if %{with_python}
|
%if %{with_python}
|
||||||
%files python
|
%files python
|
||||||
%{python_sitearch}/*
|
%{python_sitearch}/*
|
||||||
@ -209,6 +212,10 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
|
|||||||
|
|
||||||
%files libs
|
%files libs
|
||||||
%{_libdir}/libunbound.so.*
|
%{_libdir}/libunbound.so.*
|
||||||
|
%{_sysconfdir}/%{name}/icannbundle.pem
|
||||||
|
%{_sysconfdir}/%{name}/root.anchor
|
||||||
|
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
|
||||||
|
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key
|
||||||
%doc doc/README doc/LICENSE
|
%doc doc/README doc/LICENSE
|
||||||
|
|
||||||
%pre
|
%pre
|
||||||
@ -221,16 +228,19 @@ exit 0
|
|||||||
%post
|
%post
|
||||||
%systemd_post unbound.service
|
%systemd_post unbound.service
|
||||||
%systemd_post unbound-keygen.service
|
%systemd_post unbound-keygen.service
|
||||||
|
%systemd_post unbound-rootkey.service
|
||||||
|
|
||||||
%post libs -p /sbin/ldconfig
|
%post libs -p /sbin/ldconfig
|
||||||
|
|
||||||
%preun
|
%preun
|
||||||
%systemd_preun unbound.service
|
%systemd_preun unbound.service
|
||||||
%systemd_preun unbound-keygen.service
|
%systemd_preun unbound-keygen.service
|
||||||
|
%systemd_preun unbound-rootkey.service
|
||||||
|
|
||||||
%postun
|
%postun
|
||||||
%systemd_postun_with_restart unbound.service
|
%systemd_postun_with_restart unbound.service
|
||||||
%systemd_postun unbound-keygen.service
|
%systemd_postun unbound-keygen.service
|
||||||
|
%systemd_postun unbound-rootkey.service
|
||||||
|
|
||||||
%postun libs -p /sbin/ldconfig
|
%postun libs -p /sbin/ldconfig
|
||||||
|
|
||||||
|
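Review bot: In `%files libs`, `%{_sysconfdir}/%{name}/root.anchor` is listed as a plain file and installed with `install -m 0644`, so it ends up root-owned and is replaced on every package upgrade. unbound.conf now uses it as `auto-trust-anchor-file`, which unbound updates in place, so the daemon likely cannot write it and any rolled-over key state would revert to the packaged KSK on upgrade. I would list it as `%attr(0644,unbound,unbound) %config(noreplace) %{_sysconfdir}/%{name}/root.anchor`, and check whether the directory must also be writable for the temporary file unbound writes before renaming. Separately, the scriptlets now reference `unbound-rootkey.service`, but no `Source` line or `install` for that unit is visible in this section. The `icannbundle.pem` comment also records a plain `http://` origin, so the bundle's integrity should be confirmed out of band.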