* add anchor support and more flexible config directories

root.anchor

@@ -0,0 +1 @@
+.	98799	IN	DNSKEY	257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}

unbound.conf

@@ -6,7 +6,7 @@
 #Use this to include other text into the file.
 #include: "otherfile.conf"
 
-# The server clause sets the main parameters. 
+# The server clause sets the main parameters.
 server:
 	# whitespace is not necessary, but looks cleaner.
 
@@ -17,7 +17,7 @@ server:
 	# Set to "" or 0 to disable. Default is disabled.
 	# Needed for munin plugin
 	statistics-interval: 0
-	
+
 	# enable cumulative statistics, without clearing them after printing.
 	# Needed for munin plugin
 	statistics-cumulative: no
@@ -41,17 +41,17 @@ server:
 	# interface: 192.0.2.154
 	# interface: 2001:DB8::5
 	#
-	# for dns over tls and raw dns over port 80 
+	# for dns over tls and raw dns over port 80
 	# interface: 0.0.0.0@443
 	# interface: ::0@443
 	# interface: 0.0.0.0@80
 	# interface: ::0@80
-	
+
 	# enable this feature to copy the source address of queries to reply.
-	# Socket options are not supported on all platforms. experimental. 
+	# Socket options are not supported on all platforms. experimental.
 	# interface-automatic: yes
 	#
-	# NOTE: Enable this option when specifying interface 0.0.0.0 or ::0 
+	# NOTE: Enable this option when specifying interface 0.0.0.0 or ::0
 	# NOTE: Disabled per Fedora policy not to listen to * on default install
 	# NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled
 	interface-automatic: no
@@ -67,9 +67,9 @@ server:
 	# outgoing-interface: 2001:DB8::6
 
 	# number of ports to allocate per thread, determines the size of the
-	# port range that can be open simultaneously. 
+	# port range that can be open simultaneously.
 	# outgoing-range: 4096
-	
+
 	# permit unbound to use this port number or port range for
 	# making outgoing queries, using an outgoing interface.
 	# outgoing-port-permit: 32768
@@ -98,13 +98,13 @@ server:
 	# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
 	# is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
 	# edns-buffer-size: 4096
-       
+
 	# buffer size for handling DNS data. No messages larger than this
 	# size can be sent or received, by UDP or TCP. In bytes.
 	# msg-buffer-size: 65552
 
 	# the amount of memory to use for the message cache.
-	# plain value in bytes or you can append k, m or G. default is "4Mb". 
+	# plain value in bytes or you can append k, m or G. default is "4Mb".
 	# msg-cache-size: 4m
 
 	# the number of slabs to use for the message cache.
@@ -119,7 +119,7 @@ server:
 	# jostle-timeout: 200
 
 	# the amount of memory to use for the RRset cache.
-	# plain value in bytes or you can append k, m or G. default is "4Mb". 
+	# plain value in bytes or you can append k, m or G. default is "4Mb".
 	# rrset-cache-size: 4m
 
 	# the number of slabs to use for the RRset cache.
@@ -185,8 +185,8 @@ server:
 	#
 	# If chroot is enabled, you should pass the configfile (from the
 	# commandline) as a full path from the original root. After the
-	# chroot has been performed the now defunct portion of the config 
+	# chroot has been performed the now defunct portion of the config
-	# file path is removed to be able to reread the config after a reload. 
+	# file path is removed to be able to reread the config after a reload.
 	#
 	# All other file paths (working dir, logfile, roothints, and
 	# key files) can be specified in several ways:
@@ -195,7 +195,7 @@ server:
 	# 	o as an absolute path relative to the original root.
 	# In the last case the path is adjusted to remove the unused portion.
 	#
-	# The pid file can be absolute and outside of the chroot, it is 
+	# The pid file can be absolute and outside of the chroot, it is
 	# written just prior to performing the chroot and dropping permissions.
 	#
 	# Additionally, unbound may need to access /dev/random (for entropy).
@@ -210,62 +210,62 @@ server:
 	# If you give "" no privileges are dropped.
 	username: "unbound"
 
-	# the working directory. The relative files in this config are 
+	# the working directory. The relative files in this config are
 	# relative to this directory. If you give "" the working directory
 	# is not changed.
 	directory: "/etc/unbound"
 
-	# the log file, "" means log to stderr. 
+	# the log file, "" means log to stderr.
 	# Use of this option sets use-syslog to "no".
 	# logfile: ""
-	
+
-	# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to 
+	# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
 	# log to, with identity "unbound". If yes, it overrides the logfile.
-	# use-syslog: yes 
+	# use-syslog: yes
 
 	# print UTC timestamp in ascii to logfile, default is epoch in seconds.
 	log-time-ascii: yes
 
 	# the pid file. Can be an absolute path outside of chroot/work dir.
 	pidfile: "/var/run/unbound/unbound.pid"
-	
+
 	# file to read root hints from.
 	# get one from ftp://FTP.INTERNIC.NET/domain/named.cache
 	# root-hints: ""
-	
+
 	# enable to not answer id.server and hostname.bind queries.
 	# hide-identity: no
-	
+
 	# enable to not answer version.server and version.bind queries.
 	# hide-version: no
-	
+
 	# the identity to report. Leave "" or default to return hostname.
 	# identity: ""
-	
+
 	# the version to report. Leave "" or default to return package version.
 	# version: ""
-	
+
 	# the target fetch policy.
-	# series of integers describing the policy per dependency depth. 
+	# series of integers describing the policy per dependency depth.
-	# The number of values in the list determines the maximum dependency 
+	# The number of values in the list determines the maximum dependency
 	# depth the recursor will pursue before giving up. Each integer means:
 	# 	-1 : fetch all targets opportunistically,
 	# 	0: fetch on demand,
 	#	positive value: fetch that many targets opportunistically.
 	# Enclose the list of numbers between quotes ("").
 	# target-fetch-policy: "3 2 1 0 0"
-	
+
-	# Harden against very small EDNS buffer sizes. 
+	# Harden against very small EDNS buffer sizes.
 	# harden-short-bufsize: no
-	
+
 	# Harden against unseemly large queries.
 	# harden-large-queries: no
-	
+
-	# Harden against out of zone rrsets, to avoid spoofing attempts. 
+	# Harden against out of zone rrsets, to avoid spoofing attempts.
 	harden-glue: yes
-	
+
 	# Harden against receiving dnssec-stripped data. If you turn it
-	# off, failing to validate dnskey data for a trustanchor will 
+	# off, failing to validate dnskey data for a trustanchor will
 	# trigger insecure mode for that zone (like without a trustanchor).
 	# Default on, which insists on dnssec data for trust-anchored zones.
 	harden-dnssec-stripped: yes
@@ -273,9 +273,9 @@ server:
 	# Harden against queries that fall under dnssec-signed nxdomain names.
 	harden-below-nxdomain: yes
 
-        # Harden the referral path by performing additional queries for
+	# Harden the referral path by performing additional queries for
 	# infrastructure data.  Validates the replies (if possible).
-	# Default off, because the lookups burden the server.  Experimental 
+	# Default off, because the lookups burden the server.  Experimental
 	# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
 	harden-referral-path: yes
 
@@ -283,11 +283,11 @@ server:
 	# This feature is an experimental implementation of draft dns-0x20.
 	# (this now fails on all GoDaddy customer domains, so disabled)
 	use-caps-for-id: no
-	
+
-	# Enforce privacy of these addresses. Strips them away from answers. 
+	# Enforce privacy of these addresses. Strips them away from answers.
-	# It may cause DNSSEC validation to additionally mark it as bogus. 
+	# It may cause DNSSEC validation to additionally mark it as bogus.
-	# Protects against 'DNS Rebinding' (uses browser as network proxy). 
+	# Protects against 'DNS Rebinding' (uses browser as network proxy).
-	# Only 'private-domain' and 'local-data' names are allowed to have 
+	# Only 'private-domain' and 'local-data' names are allowed to have
 	# these private addresses. No default.
 	# private-address: 10.0.0.0/8
 	# private-address: 172.16.0.0/12
@@ -299,7 +299,7 @@ server:
 	# Allow the domain (and its subdomains) to contain private addresses.
 	# local-data statements are allowed to contain private addresses too.
 	# private-domain: "example.com"
-	
+
 	# If nonzero, unwanted replies are not only reported in statistics,
 	# but also a running total is kept per thread. If it reaches the
 	# threshold, a warning is printed and a defensive action is taken,
@@ -311,7 +311,7 @@ server:
 	# List one address per entry. List classless netblocks with /size,
 	# do-not-query-address: 127.0.0.1/8
 	# do-not-query-address: ::1
-	
+
 	# if yes, the above default do-not-query-address entries are present.
 	# if no, localhost can be queried (for testing and debugging).
 	# do-not-query-localhost: yes
@@ -322,17 +322,17 @@ server:
 	# if yes, perform key lookups adjacent to normal lookups.
 	prefetch-key: yes
 
-        # if yes, Unbound rotates RRSet order in response.
+	# if yes, Unbound rotates RRSet order in response.
-        # rrset-roundrobin: no
+	# rrset-roundrobin: no
 
-        # if yes, Unbound doesn't insert authority/additional sections
+	# if yes, Unbound doesn't insert authority/additional sections
-        # into response messages when those sections are not required.
+	# into response messages when those sections are not required.
-        # minimal-responses: no
+	# minimal-responses: no
 
 	# module configuration of the server. A string with identifiers
 	# separated by spaces. "iterator" or "validator iterator"
 	# module-config: "validator iterator"
-	
+
 	# File with DLV trusted keys. Same format as trust-anchor-file.
 	# There can be only one DLV configured, it is trusted from root down.
 	# Downloaded from https://secure.isc.org/ops/dlv/dlv.isc.org.key
@@ -356,20 +356,22 @@ server:
 
 	# File with trusted keys for validation. Specify more than one file
 	# with several entries, one file per entry. Like trust-anchor-file
-	# but has a different file format. Format is BIND-9 style format, 
+	# but has a different file format. Format is BIND-9 style format,
 	# the trusted-keys { name flag proto algo "key"; }; clauses are read.
 	# trusted-keys-file: ""
-	trusted-keys-file: /etc/unbound/root.key
+	#
+	# trusted-keys-file: /etc/unbound/rootkey.bind
 	trusted-keys-file: /etc/unbound/keys.d/*.key
+	auto-trust-anchor-file: "/etc/unbound/root.anchor"
 
 	# Ignore chain of trust. Domain is treated as insecure.
 	# domain-insecure: "example.com"
 
 	# Override the date for validation with a specific fixed date.
 	# Do not set this unless you are debugging signature inception
-	# and expiration. "" or "0" turns the feature off. 
+	# and expiration. "" or "0" turns the feature off.
 	# val-override-date: ""
-	
+
 	# The time to live for bogus data, rrsets and messages. This avoids
 	# some of the revalidation, until the time interval expires. in secs.
 	# val-bogus-ttl: 60
@@ -382,10 +384,10 @@ server:
 
 	# Should additional section of secure message also be kept clean of
 	# unsecure data. Useful to shield the users of this validator from
-	# potential bogus data in the additional section. All unsigned data 
+	# potential bogus data in the additional section. All unsigned data
 	# in the additional section is removed from secure messages.
 	val-clean-additional: yes
-	
+
 	# Turn permissive mode on to permit bogus messages. Thus, messages
 	# for which security checks failed will be returned to clients,
 	# instead of SERVFAIL. It still performs the security checks, which
@@ -397,7 +399,7 @@ server:
 	# Have the validator log failed validations for your diagnosis.
 	# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
 	val-log-level: 1
-	
+
 	# It is possible to configure NSEC3 maximum iteration counts per
 	# keysize. Keep this table very short, as linear search is done.
 	# A message with an NSEC3 with larger count is marked insecure.
@@ -415,22 +417,22 @@ server:
 	# keep-missing: 31622400 # 366 days
 
 	# the amount of memory to use for the key cache.
-	# plain value in bytes or you can append k, m or G. default is "4Mb". 
+	# plain value in bytes or you can append k, m or G. default is "4Mb".
 	# key-cache-size: 4m
 
 	# the number of slabs to use for the key cache.
 	# the number of slabs must be a power of 2.
 	# more slabs reduce lock contention, but fragment memory usage.
 	# key-cache-slabs: 4
-	
+
 	# the amount of memory to use for the negative cache (used for DLV).
-	# plain value in bytes or you can append k, m or G. default is "1Mb". 
+	# plain value in bytes or you can append k, m or G. default is "1Mb".
 	# neg-cache-size: 1m
 
 	# a number of locally served zones can be configured.
 	# 	local-zone: <zone> <type>
 	# 	local-data: "<resource record string>"
-	# o deny serves local data (if any), else, drops queries. 
+	# o deny serves local data (if any), else, drops queries.
 	# o refuse serves local data (if any), else, replies with error.
 	# o static serves local data, else, nxdomain or nodata answer.
 	# o transparent serves local data, but resolves normally for other names
@@ -441,7 +443,7 @@ server:
 	# defaults are localhost address, reverse for 127.0.0.1 and ::1
 	# and nxdomain for AS112 zones. If you configure one of these zones
 	# the default content is omitted, or you can omit it with 'nodefault'.
-	# 
+	#
 	# If you configure local-data without specifying local-zone, by
 	# default a transparent local-zone is created for the data.
 	#
@@ -485,7 +487,7 @@ server:
 #	# python-script: "/etc/unbound/ubmodule-tst.py"
 
 
-# Remote control config section. 
+# Remote control config section.
 remote-control:
 	# Enable remote control with unbound-control(8) here.
 	# set up the keys and certificates with unbound-control-setup.
@@ -517,9 +519,9 @@ remote-control:
 include: /etc/unbound/conf.d/*.conf
 
 # Stub zones.
-# Create entries like below, to make all queries for 'example.com' and 
+# Create entries like below, to make all queries for 'example.com' and
-# 'example.org' go to the given list of nameservers. list zero or more 
+# 'example.org' go to the given list of nameservers. list zero or more
-# nameservers by hostname or by ipaddress. If you set stub-prime to yes, 
+# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
 # the list is treated as priming hints (default is no).
 # stub-zone:
 #	name: "example.com"

unbound.spec

@@ -23,12 +23,15 @@ Source2: unbound.conf
 Source3: unbound.munin
 Source4: unbound_munin_
 Source5: root.key
+Source13: root.anchor
 Source6: dlv.isc.org.key
 Source7: unbound-keygen.service
 Source8: tmpfiles-unbound.conf
 Source9: example.com.key
 Source10: example.com.conf
 Source11: block-example.com.conf
+# From http://data.iana.org/root-anchors/icannbundle.pem
+Source12: icannbundle.pem
 Patch1: unbound-1.2-glob.patch
 Patch2: unbound-1.4.18-openssl_threads.patch
 Patch3: unbound-1.4.18-includeglob.patch
@@ -125,15 +128,16 @@ Python modules and extensions for unbound
 %install
 %{__make} DESTDIR=%{buildroot} install
 install -d 0755 %{buildroot}%{_unitdir}
-install -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service
+install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service
-install -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/unbound-keygen.service
+install -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/unbound-keygen.service
-install -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound
+install -p -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound
+install -p -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/unbound
 %if %{munin}
 # Install munin plugin and its softlinks
 install -d 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d
-install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/munin/plugin-conf.d/unbound
+install -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/munin/plugin-conf.d/unbound
 install -d 0755 %{buildroot}%{_datadir}/munin/plugins/
-install -m 0755 %{SOURCE4} %{buildroot}%{_datadir}/munin/plugins/unbound
+install -p -m 0755 %{SOURCE4} %{buildroot}%{_datadir}/munin/plugins/unbound
 for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unbound_munin_by_type unbound_munin_by_class unbound_munin_by_opcode unbound_munin_by_rcode unbound_munin_by_flags unbound_munin_histogram; do
     ln -s unbound %{buildroot}%{_datadir}/munin/plugins/$plugin
 done
@@ -147,7 +151,7 @@ mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d/
 install -m 0644 %{SOURCE8} %{buildroot}%{_sysconfdir}/tmpfiles.d/unbound.conf
 
 # install root and DLV key
-install -m 0644 %{SOURCE5} %{SOURCE6} %{buildroot}%{_sysconfdir}/unbound/
+install -m 0644 %{SOURCE5} %{SOURCE6} %{SOURCE13} %{buildroot}%{_sysconfdir}/unbound/
 
 # remove static library from install (fedora packaging guidelines)
 rm %{buildroot}%{_libdir}/*.la
@@ -178,8 +182,6 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
 %attr(0755,unbound,unbound) %dir %{_localstatedir}/run/%{name}
 %config(noreplace) %{_sysconfdir}/tmpfiles.d/unbound.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key
 %attr(0775,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d
 %attr(0775,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/conf.d
 %attr(0775,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/local.d
@@ -188,6 +190,7 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
 %{_mandir}/man5/*
 %{_mandir}/man8/*
 
+
 %if %{with_python}
 %files python
 %{python_sitearch}/*
@@ -209,6 +212,10 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
 
 %files libs
 %{_libdir}/libunbound.so.*
+%{_sysconfdir}/%{name}/icannbundle.pem
+%{_sysconfdir}/%{name}/root.anchor
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key
 %doc doc/README doc/LICENSE
 
 %pre
@@ -221,16 +228,19 @@ exit 0
 %post
 %systemd_post unbound.service
 %systemd_post unbound-keygen.service
+%systemd_post unbound-rootkey.service
 
 %post libs -p /sbin/ldconfig
 
 %preun
 %systemd_preun unbound.service
 %systemd_preun unbound-keygen.service
+%systemd_preun unbound-rootkey.service
 
 %postun 
 %systemd_postun_with_restart unbound.service
 %systemd_postun unbound-keygen.service
+%systemd_postun unbound-rootkey.service
 
 %postun libs -p /sbin/ldconfig