* add anchor support and more flexible config directories

2012-11-03 12:59:54 -04:00 · 2012-11-03 12:59:54 -04:00 · c4f62ca05e
commit c4f62ca05e
parent 95ed9b464e
3 changed files with 86 additions and 73 deletions
--- a/root.anchor
+++ b/root.anchor
@ -0,0 +1 @@
+.	98799	IN	DNSKEY	257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
--- a/unbound.conf
+++ b/unbound.conf
@ -359,8 +359,10 @@ server:
 	# but has a different file format. Format is BIND-9 style format,
 	# the trusted-keys { name flag proto algo "key"; }; clauses are read.
 	# trusted-keys-file: ""
-	trusted-keys-file: /etc/unbound/root.key
+	#
+	# trusted-keys-file: /etc/unbound/rootkey.bind
 	trusted-keys-file: /etc/unbound/keys.d/*.key
+	auto-trust-anchor-file: "/etc/unbound/root.anchor"

 	# Ignore chain of trust. Domain is treated as insecure.
 	# domain-insecure: "example.com"
--- a/unbound.spec
+++ b/unbound.spec
@ -23,12 +23,15 @@ Source2: unbound.conf
 Source3: unbound.munin
 Source4: unbound_munin_
 Source5: root.key
+Source13: root.anchor
 Source6: dlv.isc.org.key
 Source7: unbound-keygen.service
 Source8: tmpfiles-unbound.conf
 Source9: example.com.key
 Source10: example.com.conf
 Source11: block-example.com.conf
+# From http://data.iana.org/root-anchors/icannbundle.pem
+Source12: icannbundle.pem
 Patch1: unbound-1.2-glob.patch
 Patch2: unbound-1.4.18-openssl_threads.patch
 Patch3: unbound-1.4.18-includeglob.patch
@ -125,15 +128,16 @@ Python modules and extensions for unbound
 %install
 %{__make} DESTDIR=%{buildroot} install
 install -d 0755 %{buildroot}%{_unitdir}
-install -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service
-install -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/unbound-keygen.service
-install -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound
+install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service
+install -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/unbound-keygen.service
+install -p -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound
+install -p -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/unbound
 %if %{munin}
 # Install munin plugin and its softlinks
 install -d 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d
-install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/munin/plugin-conf.d/unbound
+install -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/munin/plugin-conf.d/unbound
 install -d 0755 %{buildroot}%{_datadir}/munin/plugins/
-install -m 0755 %{SOURCE4} %{buildroot}%{_datadir}/munin/plugins/unbound
+install -p -m 0755 %{SOURCE4} %{buildroot}%{_datadir}/munin/plugins/unbound
 for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unbound_munin_by_type unbound_munin_by_class unbound_munin_by_opcode unbound_munin_by_rcode unbound_munin_by_flags unbound_munin_histogram; do
    ln -s unbound %{buildroot}%{_datadir}/munin/plugins/$plugin
 done
@ -147,7 +151,7 @@ mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d/
 install -m 0644 %{SOURCE8} %{buildroot}%{_sysconfdir}/tmpfiles.d/unbound.conf

 # install root and DLV key
-install -m 0644 %{SOURCE5} %{SOURCE6} %{buildroot}%{_sysconfdir}/unbound/
+install -m 0644 %{SOURCE5} %{SOURCE6} %{SOURCE13} %{buildroot}%{_sysconfdir}/unbound/

 # remove static library from install (fedora packaging guidelines)
 rm %{buildroot}%{_libdir}/*.la
@ -178,8 +182,6 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
 %attr(0755,unbound,unbound) %dir %{_localstatedir}/run/%{name}
 %config(noreplace) %{_sysconfdir}/tmpfiles.d/unbound.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key
 %attr(0775,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d
 %attr(0775,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/conf.d
 %attr(0775,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/local.d
@ -188,6 +190,7 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
 %{_mandir}/man5/*
 %{_mandir}/man8/*

+
 %if %{with_python}
 %files python
 %{python_sitearch}/*
@ -209,6 +212,10 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/

 %files libs
 %{_libdir}/libunbound.so.*
+%{_sysconfdir}/%{name}/icannbundle.pem
+%{_sysconfdir}/%{name}/root.anchor
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key
 %doc doc/README doc/LICENSE

 %pre
@ -221,16 +228,19 @@ exit 0
 %post
 %systemd_post unbound.service
 %systemd_post unbound-keygen.service
+%systemd_post unbound-rootkey.service

 %post libs -p /sbin/ldconfig

 %preun
 %systemd_preun unbound.service
 %systemd_preun unbound-keygen.service
+%systemd_preun unbound-rootkey.service

 %postun 
 %systemd_postun_with_restart unbound.service
 %systemd_postun unbound-keygen.service
+%systemd_postun unbound-rootkey.service

 %postun libs -p /sbin/ldconfig
				`@ -0,0 +1 @@`
				`. 98799 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}`