rpms/unbound/devel unbound.conf, 1.4, 1.5 unbound.init, 1.3, 1.4 unbound.spec, 1.5, 1.6
Paul Wouters
pwouters at fedoraproject.org
Wed Nov 19 23:12:21 UTC 2008
Author: pwouters
Update of /cvs/extras/rpms/unbound/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv23037
Modified Files:
unbound.conf unbound.init unbound.spec
Log Message:
* Wed Nov 19 2008 Paul Wouters <paul at xelerance.com> - 1.1.0-3
- Remove the chroot, obsoleted by SElinux
- Add additional munin plugin links supported by unbound plugin
- Move configuration directory from /var/lib/unbound to /etc/unbound
- Modified unbound.init and unbound.conf to account for chroot changes
- Updated unbound.conf with new available options
- Enabled dns-0x20 protection per default
Index: unbound.conf
===================================================================
RCS file: /cvs/extras/rpms/unbound/devel/unbound.conf,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- unbound.conf 19 Nov 2008 15:39:16 -0000 1.4
+++ unbound.conf 19 Nov 2008 23:11:51 -0000 1.5
@@ -1,5 +1,4 @@
#
-#
# See unbound.conf(5) man page.
#
# this is a comment.
@@ -7,26 +6,35 @@
#Use this to include other text into the file.
#include: "otherfile.conf"
-#
# The server clause sets the main parameters.
server:
# whitespace is not necessary, but looks cleaner.
# To enable DNSSEC trust anchors, install the dnssec-keys package and
- # uncomment the line below - note chroot breaks this
- # trusted-keys-file: "/etc/pki/dnssec/allkeys.conf"
+ # uncomment the line below, or run dnssec-configure -h for more options
+ # trusted-keys-file: "/etc/pki/dnssec/production.conf"
+
+ # To enable DLV trust anchor with DLV, install the dnssec-keys package
+ # and uncomment the line below, or run dnssec-configure -h for more
+ # options
+ # dlv-anchor-file: "/etc/pki/dnssec-dlv/dlv.isc.org.key"
# verbosity number, 0 is least verbose. 1 is default.
verbosity: 1
# print statistics to the log (for every thread) every N seconds.
# Set to "" or 0 to disable. Default is disabled.
+ # Needed for munin plugin
statistics-interval: 0
# enable cumulative statistics, without clearing them after printing.
+ # Needed for munin plugin
statistics-cumulative: no
- extended-statistics: yes
+ # enable extended statistics (query types, answer codes, status)
+ # printed from unbound-control. default off, because of speed.
+ # Needed for munin plugin
+ extended-statistics: yes
# number of threads to create. 1 disables threading.
num-threads: 2
@@ -36,17 +44,18 @@
# specify 0.0.0.0 and ::0 to bind to all available interfaces.
# specify every interface on a new 'interface:' labelled line.
# The listen interfaces are not changed on reload, only on restart.
+ # interface: 0.0.0.0
+ # interface: ::0
# interface: 192.0.2.153
# interface: 192.0.2.154
# interface: 2001:DB8::5
- #
- # interface: 0.0.0.0
- # interface: ::0
# enable this feature to copy the source address of queries to reply.
- # Socket options not be supported on all platforms. experimental.
+ # Socket options are not supported on all platforms. experimental.
# NOTE: Enable this option when specifying interface 0.0.0.0 or ::0
+ # NOTE: Disabled per Fedora policy not to listen to * on default install
# interface-automatic: yes
+ interface-automatic: no
# port to answer queries from
# port: 53
@@ -95,6 +104,9 @@
# the number of queries that a thread gets to service.
# num-queries-per-thread: 1024
+ # if very busy, 50% queries run to completion, 50% get timeout in msec
+ # jostle-timeout: 200
+
# the amount of memory to use for the RRset cache.
# plain value in bytes or you can append k, m or G. default is "4Mb".
# rrset-cache-size: 4m
@@ -144,13 +156,14 @@
# control which clients are allowed to make (recursive) queries
# to this server. Specify classless netblocks with /size and action.
# By default everything is refused, except for localhost.
- # Choose deny (drop message), refuse (polite error reply), allow.
+ # Choose deny (drop message), refuse (polite error reply),
+ # allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
# access-control: 0.0.0.0/0 refuse
# access-control: 127.0.0.0/8 allow
# access-control: ::0/0 refuse
# access-control: ::1 allow
# access-control: ::ffff:127.0.0.1 allow
-
+
# if given, a chroot(2) is done to the given directory.
# i.e. you can chroot to the working directory, for example,
# for extra security, but make sure all files are in that directory.
@@ -160,19 +173,22 @@
# chroot has been performed the now defunct portion of the config
# file path is removed to be able to reread the config after a reload.
#
- # All other file paths (working dir, pidfile, logfile, roothints,
+ # All other file paths (working dir, logfile, roothints, and
# key files) can be specified in several ways:
# o as an absolute path relative to the new root.
# o as a relative path to the working directory.
# o as an absolute path relative to the original root.
# In the last case the path is adjusted to remove the unused portion.
#
- # Additionally, unbound may need to access /dev/random (for entropy)
- # and to /dev/log (if you use syslog) from inside the chroot.
+ # The pid file can be absolute and outside of the chroot, it is
+ # written just prior to performing the chroot and dropping permissions.
+ #
+ # Additionally, unbound may need to access /dev/random (for entropy).
# How to do this is specific to your OS.
#
# If you give "" no chroot is performed. The path must not end in a /.
- chroot: "/var/lib/unbound"
+ # chroot: "/var/lib/unbound"
+ chroot: ""
# if given, user privileges are dropped (after binding port),
# and the given username is assumed. Default is user "unbound".
@@ -182,7 +198,7 @@
# the working directory. The relative files in this config are
# relative to this directory. If you give "" the working directory
# is not changed.
- # directory: "/var/lib/unbound"
+ directory: "/etc/unbound"
# the log file, "" means log to stderr.
# Use of this option sets use-syslog to "no".
@@ -192,7 +208,7 @@
# log to, with identity "unbound". If yes, it overrides the logfile.
# use-syslog: yes
- # the pid file.
+ # the pid file. Can be an absolute path outside of chroot/work dir.
pidfile: "/var/run/unbound/unbound.pid"
# file to read root hints from.
@@ -235,15 +251,40 @@
# trigger insecure mode for that zone (like without a trustanchor).
# Default on, which insists on dnssec data for trust-anchored zones.
harden-dnssec-stripped: yes
-
+
+ # Harden the referral path by performing additional queries for
+ # infrastructure data. Validates the replies (if possible).
+ # Default off, because the lookups burden the server. Experimental
+ # implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
+ # harden-referral-path: no
+
# Use 0x20-encoded random bits in the query to foil spoof attempts.
- # Disabled by default, because some caching forwarders may not
- # support this (if you have forward-zones). Most authority servers do.
# This feature is an experimental implementation of draft dns-0x20.
- # It is known that some authority servers do not support 0x20, and
- # resolution will fail for them. A solution is on the TODO list.
- use-caps-for-id: no
+ use-caps-for-id: yes
+ # Enforce privacy of these addresses. Strips them away from answers.
+ # It may cause DNSSEC validation to additionally mark it as bogus.
+ # Protects against 'DNS Rebinding' (uses browser as network proxy).
+ # Only 'private-domain' and 'local-data' names are allowed to have
+ # these private addresses. No default.
+ # private-address: 10.0.0.0/8
+ # private-address: 172.16.0.0/12
+ # private-address: 192.168.0.0/16
+ # private-address: 192.254.0.0/16
+ # private-address: fd00::/8
+ # private-address: fe80::/10
+
+ # Allow the domain (and its subdomains) to contain private addresses.
+ # local-data statements are allowed to contain private addresses too.
+ # private-domain: "example.com"
+
+ # If nonzero, unwanted replies are not only reported in statistics,
+ # but also a running total is kept per thread. If it reaches the
+ # threshold, a warning is printed and a defensive action is taken,
+ # the cache is cleared to flush potential poison out of it.
+ # A suggested value is 10000000, the default is 0 (turned off).
+ # unwanted-reply-threshold: 0
+
# Do not query the following addresses. No DNS queries are sent there.
# List one address per entry. List classless netblocks with /size,
# do-not-query-address: 127.0.0.1/8
@@ -257,11 +298,16 @@
# separated by spaces. "iterator" or "validator iterator"
# module-config: "validator iterator"
+ # File with DLV trusted keys. Same format as trust-anchor-file.
+ # There can be only one DLV configured, it is trusted from root down.
+ # Download https://secure.isc.org/ops/dlv/dlv.isc.org.key
+ # dlv-anchor-file: "/etc/pki/dnssec-dlv/dlv.isc.org.key"
+
# File with trusted keys for validation. Specify more than one file
# with several entries, one file per entry.
# Zone file format, with DS and DNSKEY entries.
# trust-anchor-file: ""
-
+XXX
# Trusted key for validation. DS or DNSKEY. specify the RR on a
# single line, surrounded by "". TTL is ignored. class is IN default.
# (These examples are from August 2007 and may not be valid anymore).
@@ -273,7 +319,7 @@
# but has a different file format. Format is BIND-9 style format,
# the trusted-keys { name flag proto algo "key"; }; clauses are read.
# trusted-keys-file: ""
-
+
# Override the date for validation with a specific fixed date.
# Do not set this unless you are debugging signature inception
# and expiration. "" or "0" turns the feature off.
@@ -281,7 +327,7 @@
# The time to live for bogus data, rrsets and messages. This avoids
# some of the revalidation, until the time interval expires. in secs.
- # val-bogus-ttl: 900
+ # val-bogus-ttl: 60
# Should additional section of secure message also be kept clean of
# unsecure data. Useful to shield the users of this validator from
@@ -294,6 +340,7 @@
# instead of SERVFAIL. It still performs the security checks, which
# result in interesting log files and possibly the AD bit in
# replies if the message is found secure. The default is off.
+ # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
val-permissive-mode: no
# It is possible to configure NSEC3 maximum iteration counts per
@@ -310,6 +357,10 @@
# the number of slabs must be a power of 2.
# more slabs reduce lock contention, but fragment memory usage.
# key-cache-slabs: 4
+
+ # the amount of memory to use for the negative cache (used for DLV).
+ # plain value in bytes or you can append k, m or G. default is "1Mb".
+ # neg-cache-size: 1m
# a number of locally served zones can be configured.
# local-zone: <zone> <type>
@@ -340,11 +391,17 @@
# (this makes example.com, www.example.com, etc, all go to 192.0.2.3)
# local-zone: "example.com" redirect
# local-data: "example.com A 192.0.2.3"
+ #
+ # Shorthand to make PTR records, "IPv4 name" or "IPv6 name".
+ # You can also add PTR records using local-data directly, but then
+ # you need to do the reverse notation yourself.
+ # local-data-ptr: "192.0.2.3 www.example.com"
+# Remote control config section.
remote-control:
# Enable remote control with unbound-control(8) here.
# set up the keys and certificates with unbound-control-setup.
- # reqiured for munin monitoring plugin
+ # Note: required for unbound-munin package
control-enable: yes
# what interfaces are listened to for remote control.
@@ -356,24 +413,26 @@
# control-port: 953
# unbound server key file.
- server-key-file: "/var/lib/unbound/unbound_server.key"
+ server-key-file: "/etc/unbound/unbound_server.key"
# unbound server certificate file.
- server-cert-file: "/var/lib/unbound/unbound_server.pem"
+ server-cert-file: "/etc/unbound/unbound_server.pem"
# unbound-control key file.
- control-key-file: "/var/lib/unbound/unbound_control.key"
+ control-key-file: "/etc/unbound/unbound_control.key"
# unbound-control certificate file.
- control-cert-file: "/var/lib/unbound/unbound_control.pem"
+ control-cert-file: "/etc/unbound/unbound_control.pem"
# Stub zones.
# Create entries like below, to make all queries for 'example.com' and
# 'example.org' go to the given list of nameservers. list zero or more
-# nameservers by hostname or by ipaddress.
+# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
+# the list is treated as priming hints (default is no).
# stub-zone:
# name: "example.com"
# stub-addr: 192.0.2.68
+# stub-prime: "no"
# stub-zone:
# name: "example.org"
# stub-host: ns.example.com.
Index: unbound.init
===================================================================
RCS file: /cvs/extras/rpms/unbound/devel/unbound.init,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- unbound.init 19 Nov 2008 15:39:16 -0000 1.3
+++ unbound.init 19 Nov 2008 23:11:51 -0000 1.4
@@ -22,7 +22,7 @@
. /etc/rc.d/init.d/functions
exec="/usr/sbin/unbound"
-config="/var/lib/unbound/unbound.conf"
+config="/etc/unbound/unbound.conf"
rootdir="/var/lib/unbound"
pidfile="/var/run/unbound/unbound.pid"
@@ -34,17 +34,15 @@
[ -x $exec ] || exit 5
[ -f $config ] || exit 6
- if [ ! -f /var/lib/unbound/unbound_control.key ]
+ if [ ! -f /etc/unbound/unbound_control.key ]
then
echo -n $"Generating unbound control key and certificate: "
- /usr/sbin/unbound-control-setup > /dev/null 2> /dev/null
+ /usr/sbin/unbound-control-setup -d /etc/unbound/ > /dev/null 2> /dev/null
echo
fi
echo -n $"Starting unbound: "
- [ -s ${rootdir}/etc/localtime ] || cp -fp /etc/localtime ${rootdir}/etc/localtime
-
# if not running, start it up here
daemon $exec
retval=$?
Index: unbound.spec
===================================================================
RCS file: /cvs/extras/rpms/unbound/devel/unbound.spec,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- unbound.spec 19 Nov 2008 15:39:16 -0000 1.5
+++ unbound.spec 19 Nov 2008 23:11:51 -0000 1.6
@@ -3,7 +3,7 @@
Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound
Version: 1.1.0
-Release: 2%{?dist}
+Release: 3%{?dist}
License: BSD
Url: http://www.nlnetlabs.nl/unbound/
Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
@@ -71,7 +71,7 @@
%configure --with-ldns= --with-libevent --with-pthreads --with-ssl \
--disable-rpath --enable-debug --disable-static \
--with-run-dir=%{rootdir} \
- --with-conf-file=%{rootdir}/unbound.conf \
+ --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \
--with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid
%{__make} CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE" QUIET=no %{?_smp_mflags}
@@ -80,25 +80,20 @@
%{__make} DESTDIR=%{buildroot} install
install -d 0755 %{buildroot}%{rootdir}
install -d 0755 %{buildroot}%{_initrddir}
-#install -m 0755 contrib/unbound.init %{buildroot}%{_initrddir}/unbound
install -m 0755 %{SOURCE1} %{buildroot}%{_initrddir}/unbound
-#overwrite stock unbound.conf with our own
-install -m 0755 %{SOURCE2} %{buildroot}%{rootdir}
+install -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound
+# Install munin plugin and its softlinks
install -d 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d
install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/munin/plugin-conf.d/unbound
install -d 0755 %{buildroot}%{_datadir}/munin/plugins/
install -m 0755 contrib/unbound_munin_ %{buildroot}%{_datadir}/munin/plugins/unbound
+for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unbound_munin_by_type unbound_munin_by_class unbound_munin_by_opcode unbound_munin_by_rcode unbound_munin_by_flags unbound_munin_histogram; do
+ ln -s unbound %{buildroot}%{_datadir}/munin/plugins/$plugin
+done
-# add symbolic link from /etc/unbound.conf -> /var/unbound/unbound.conf
-
-( cd %{buildroot}%{_sysconfdir}/ ; ln -s ..%{rootdir}/unbound.conf )
# remove static library from install (fedora packaging guidelines)
rm -rf %{buildroot}%{_libdir}/*.la
-# The chroot needs /dev/random and /etc/localtime
-# but the init script uses mount --bind, so just create empty files
-mkdir -p %{buildroot}%{rootdir}/{dev,etc}
-touch %{buildroot}%{rootdir}/{etc/localtime,dev/random}
mkdir -p %{buildroot}%{_localstatedir}/run/unbound
%clean
@@ -109,21 +104,16 @@
%doc doc/README doc/CREDITS doc/LICENSE doc/FEATURES
%attr(0755,root,root) %{_initrddir}/%{name}
%attr(0755,unbound,unbound) %dir %{_localstatedir}/run/%{name}
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/unbound.conf
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
# the chroot env
%attr(0755,root,root) %dir %{rootdir}
-%attr(0755,root,root) %dir %{rootdir}/dev
-%attr(0755,root,root) %dir %{rootdir}/etc
-%attr(0644,root,root) %config(noreplace) %{rootdir}/unbound.conf
-%attr(0644,root,root) %ghost %{rootdir}/dev/random
-%attr(0644,root,root) %ghost %{rootdir}/etc/localtime
%{_sbindir}/*
%{_mandir}/*/*
%files munin
%defattr(-,root,root,-)
%config(noreplace) %{_sysconfdir}/munin/plugin-conf.d/unbound
-%{_datadir}/munin/plugins/unbound
+%{_datadir}/munin/plugins/unbound*
%files devel
%defattr(-,root,root,-)
@@ -146,9 +136,18 @@
%post
/sbin/chkconfig --add %{name}
-# Add chroot stuff
-[ -e %{rootdir}/dev/random ] || /bin/mknod %{rootdir}/dev/random c 1 8
-[ -s %{rootdir}/etc/localtime ] || cp -fp {,%{rootdir}}/etc/localtime
+# if our config lives in /var/lib/unbound, move it to /etc/unbound/unbound.conf
+if [ -f %{_localstatedir}/lib/%{name}/unbound.conf ]; then
+ rm -f %{_sysconfdir}/unbound.conf.rpmnew
+ mv %{_sysconfdir}/unbound.conf %{_sysconfdir}/unbound.conf.rpmnew
+ mv %{_localstatedir}/lib/%{name}/unbound.conf %{_sysconfdir}/unbound.conf
+ if [ -L %{_sysconfdir}/unbound.conf ]; then
+ rm -f %{_sysconfdir}/unbound.conf
+ fi
+fi
+# Remove old chroot stuff - not using rootdir in purpose in case it changes
+rm -rf %{_localstatedir}/lib/%{name}/dev %{_localstatedir}/lib/%{name}/etc \
+ %{_localstatedir}/lib/%{name}/var
%post libs -p /sbin/ldconfig
@@ -157,8 +156,6 @@
if [ "$1" -eq 0 ]; then
/sbin/service %{name} stop >/dev/null 2>&1
/sbin/chkconfig --del %{name}
- rm -f %{rootdir}/dev/random
- rm -f %{rootdir}/etc/localtime
fi
%postun
@@ -169,6 +166,14 @@
%postun libs -p /sbin/ldconfig
%changelog
+* Wed Nov 19 2008 Paul Wouters <paul at xelerance.com> - 1.1.0-3
+- Remove the chroot, obsoleted by SElinux
+- Add additional munin plugin links supported by unbound plugin
+- Move configuration directory from /var/lib/unbound to /etc/unbound
+- Modified unbound.init and unbound.conf to account for chroot changes
+- Updated unbound.conf with new available options
+- Enabled dns-0x20 protection per default
+
* Wed Nov 19 2008 Adam Tkac <atkac redhat com> - 1.1.0-2
- unbound-1.1.0-log_open.patch
- make sure log is opened before chroot call
More information about the fedora-extras-commits
mailing list