rpms/unbound/F-9 unbound.munin, NONE, 1.1 sources, 1.2, 1.3 unbound.conf, 1.2, 1.3 unbound.spec, 1.1, 1.2
Paul Wouters
pwouters at fedoraproject.org
Tue Jan 20 21:56:42 UTC 2009
Author: pwouters
Update of /cvs/extras/rpms/unbound/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv3650
Modified Files:
sources unbound.conf unbound.spec
Added Files:
unbound.munin
Log Message:
* Tue Jan 20 2009 Paul Wouters <paul at xelerance.com - 1.2.0-1
- Updated to 1.2.0
- Added dependancy on minimum SSL for CVE-2008-5077
- Added munin package and dependancies
- Compile without libevent, as the version in F-9 causes crashes
- Enable options as per draft-wijngaards-dnsext-resolver-side-mitigation-00.txt
- Enable unwanted-reply-threshold to mitigate against a Kaminsky attack
- Enable val-clean-additional to drop addition unsigned data from signed
response.
--- NEW FILE unbound.munin ---
#
# For this plugin to work, unbound.conf needs to have:
# remote-control: control-enable: yes
#
[unbound*]
user root
env.statefile /var/lib/munin/plugin-state/unbound-state
env.unbound_conf /etc/unbound/unbound.conf
env.unbound_control /usr/sbin/unbound-control
env.spoof_warn 1000
env.spoof_crit 100000
Index: sources
===================================================================
RCS file: /cvs/extras/rpms/unbound/F-9/sources,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- sources 1 Nov 2008 16:58:24 -0000 1.2
+++ sources 20 Jan 2009 21:56:11 -0000 1.3
@@ -1 +1 @@
-01b08a9c0d24be981de64b6e4e25ecbe unbound-1.0.2.tar.gz
+2517f811ec4939c0ea602c99a6fdea23 unbound-1.2.0.tar.gz
Index: unbound.conf
===================================================================
RCS file: /cvs/extras/rpms/unbound/F-9/unbound.conf,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- unbound.conf 15 Nov 2008 05:46:06 -0000 1.2
+++ unbound.conf 20 Jan 2009 21:56:11 -0000 1.3
@@ -1,5 +1,4 @@
#
-#
# See unbound.conf(5) man page.
#
# this is a comment.
@@ -7,26 +6,35 @@
#Use this to include other text into the file.
#include: "otherfile.conf"
-#
# The server clause sets the main parameters.
server:
# whitespace is not necessary, but looks cleaner.
# To enable DNSSEC trust anchors, install the dnssec-keys package and
- # uncomment the line below - note chroot breaks this
- # trusted-keys-file: "/etc/pki/dnssec/allkeys.conf"
+ # uncomment the line below, or run dnssec-configure -h for more options
+ # trusted-keys-file: "/etc/pki/dnssec/production.conf"
+
+ # To enable DLV trust anchor with DLV, install the dnssec-keys package
+ # and uncomment the line below, or run dnssec-configure -h for more
+ # options
+ # dlv-anchor-file: "/etc/pki/dnssec-keys/dlv/dlv.isc.org.key"
# verbosity number, 0 is least verbose. 1 is default.
verbosity: 1
# print statistics to the log (for every thread) every N seconds.
# Set to "" or 0 to disable. Default is disabled.
+ # Needed for munin plugin
statistics-interval: 0
# enable cumulative statistics, without clearing them after printing.
+ # Needed for munin plugin
statistics-cumulative: no
- extended-statistics: yes
+ # enable extended statistics (query types, answer codes, status)
+ # printed from unbound-control. default off, because of speed.
+ # Needed for munin plugin
+ extended-statistics: yes
# number of threads to create. 1 disables threading.
num-threads: 2
@@ -36,17 +44,18 @@
# specify 0.0.0.0 and ::0 to bind to all available interfaces.
# specify every interface on a new 'interface:' labelled line.
# The listen interfaces are not changed on reload, only on restart.
+ # interface: 0.0.0.0
+ # interface: ::0
# interface: 192.0.2.153
# interface: 192.0.2.154
# interface: 2001:DB8::5
- #
- # interface: 0.0.0.0
- # interface: ::0
# enable this feature to copy the source address of queries to reply.
- # Socket options not be supported on all platforms. experimental.
+ # Socket options are not supported on all platforms. experimental.
# NOTE: Enable this option when specifying interface 0.0.0.0 or ::0
+ # NOTE: Disabled per Fedora policy not to listen to * on default install
# interface-automatic: yes
+ interface-automatic: no
# port to answer queries from
# port: 53
@@ -95,6 +104,9 @@
# the number of queries that a thread gets to service.
# num-queries-per-thread: 1024
+ # if very busy, 50% queries run to completion, 50% get timeout in msec
+ # jostle-timeout: 200
+
# the amount of memory to use for the RRset cache.
# plain value in bytes or you can append k, m or G. default is "4Mb".
# rrset-cache-size: 4m
@@ -144,13 +156,14 @@
# control which clients are allowed to make (recursive) queries
# to this server. Specify classless netblocks with /size and action.
# By default everything is refused, except for localhost.
- # Choose deny (drop message), refuse (polite error reply), allow.
+ # Choose deny (drop message), refuse (polite error reply),
+ # allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
# access-control: 0.0.0.0/0 refuse
# access-control: 127.0.0.0/8 allow
# access-control: ::0/0 refuse
# access-control: ::1 allow
# access-control: ::ffff:127.0.0.1 allow
-
+
# if given, a chroot(2) is done to the given directory.
# i.e. you can chroot to the working directory, for example,
# for extra security, but make sure all files are in that directory.
@@ -160,19 +173,22 @@
# chroot has been performed the now defunct portion of the config
# file path is removed to be able to reread the config after a reload.
#
- # All other file paths (working dir, pidfile, logfile, roothints,
+ # All other file paths (working dir, logfile, roothints, and
# key files) can be specified in several ways:
# o as an absolute path relative to the new root.
# o as a relative path to the working directory.
# o as an absolute path relative to the original root.
# In the last case the path is adjusted to remove the unused portion.
#
- # Additionally, unbound may need to access /dev/random (for entropy)
- # and to /dev/log (if you use syslog) from inside the chroot.
+ # The pid file can be absolute and outside of the chroot, it is
+ # written just prior to performing the chroot and dropping permissions.
+ #
+ # Additionally, unbound may need to access /dev/random (for entropy).
# How to do this is specific to your OS.
#
# If you give "" no chroot is performed. The path must not end in a /.
- chroot: "/var/lib/unbound"
+ # chroot: "/var/lib/unbound"
+ chroot: ""
# if given, user privileges are dropped (after binding port),
# and the given username is assumed. Default is user "unbound".
@@ -182,7 +198,7 @@
# the working directory. The relative files in this config are
# relative to this directory. If you give "" the working directory
# is not changed.
- # directory: "/var/lib/unbound"
+ directory: "/etc/unbound"
# the log file, "" means log to stderr.
# Use of this option sets use-syslog to "no".
@@ -192,7 +208,7 @@
# log to, with identity "unbound". If yes, it overrides the logfile.
# use-syslog: yes
- # the pid file.
+ # the pid file. Can be an absolute path outside of chroot/work dir.
pidfile: "/var/run/unbound/unbound.pid"
# file to read root hints from.
@@ -235,15 +251,40 @@
# trigger insecure mode for that zone (like without a trustanchor).
# Default on, which insists on dnssec data for trust-anchored zones.
harden-dnssec-stripped: yes
-
+
+ # Harden the referral path by performing additional queries for
+ # infrastructure data. Validates the replies (if possible).
+ # Default off, because the lookups burden the server. Experimental
+ # implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
+ harden-referral-path: yes
+
# Use 0x20-encoded random bits in the query to foil spoof attempts.
- # Disabled by default, because some caching forwarders may not
- # support this (if you have forward-zones). Most authority servers do.
# This feature is an experimental implementation of draft dns-0x20.
- # It is known that some authority servers do not support 0x20, and
- # resolution will fail for them. A solution is on the TODO list.
- use-caps-for-id: no
+ use-caps-for-id: yes
+ # Enforce privacy of these addresses. Strips them away from answers.
+ # It may cause DNSSEC validation to additionally mark it as bogus.
+ # Protects against 'DNS Rebinding' (uses browser as network proxy).
+ # Only 'private-domain' and 'local-data' names are allowed to have
+ # these private addresses. No default.
+ # private-address: 10.0.0.0/8
+ # private-address: 172.16.0.0/12
+ # private-address: 192.168.0.0/16
+ # private-address: 192.254.0.0/16
+ # private-address: fd00::/8
+ # private-address: fe80::/10
+
+ # Allow the domain (and its subdomains) to contain private addresses.
+ # local-data statements are allowed to contain private addresses too.
+ # private-domain: "example.com"
+
+ # If nonzero, unwanted replies are not only reported in statistics,
+ # but also a running total is kept per thread. If it reaches the
+ # threshold, a warning is printed and a defensive action is taken,
+ # the cache is cleared to flush potential poison out of it.
+ # A suggested value is 10000000, the default is 0 (turned off).
+ unwanted-reply-threshold: 10000000
+
# Do not query the following addresses. No DNS queries are sent there.
# List one address per entry. List classless netblocks with /size,
# do-not-query-address: 127.0.0.1/8
@@ -257,11 +298,16 @@
# separated by spaces. "iterator" or "validator iterator"
# module-config: "validator iterator"
+ # File with DLV trusted keys. Same format as trust-anchor-file.
+ # There can be only one DLV configured, it is trusted from root down.
+ # Download https://secure.isc.org/ops/dlv/dlv.isc.org.key
+ # dlv-anchor-file: "/etc/pki/dnssec-keys/dlv.isc.org.key"
+
# File with trusted keys for validation. Specify more than one file
# with several entries, one file per entry.
# Zone file format, with DS and DNSKEY entries.
# trust-anchor-file: ""
-
+
# Trusted key for validation. DS or DNSKEY. specify the RR on a
# single line, surrounded by "". TTL is ignored. class is IN default.
# (These examples are from August 2007 and may not be valid anymore).
@@ -273,7 +319,7 @@
# but has a different file format. Format is BIND-9 style format,
# the trusted-keys { name flag proto algo "key"; }; clauses are read.
# trusted-keys-file: ""
-
+
# Override the date for validation with a specific fixed date.
# Do not set this unless you are debugging signature inception
# and expiration. "" or "0" turns the feature off.
@@ -281,19 +327,20 @@
# The time to live for bogus data, rrsets and messages. This avoids
# some of the revalidation, until the time interval expires. in secs.
- # val-bogus-ttl: 900
+ # val-bogus-ttl: 60
# Should additional section of secure message also be kept clean of
# unsecure data. Useful to shield the users of this validator from
# potential bogus data in the additional section. All unsigned data
# in the additional section is removed from secure messages.
- # val-clean-additional: yes
+ val-clean-additional: yes
# Turn permissive mode on to permit bogus messages. Thus, messages
# for which security checks failed will be returned to clients,
# instead of SERVFAIL. It still performs the security checks, which
# result in interesting log files and possibly the AD bit in
# replies if the message is found secure. The default is off.
+ # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
val-permissive-mode: no
# It is possible to configure NSEC3 maximum iteration counts per
@@ -310,6 +357,10 @@
# the number of slabs must be a power of 2.
# more slabs reduce lock contention, but fragment memory usage.
# key-cache-slabs: 4
+
+ # the amount of memory to use for the negative cache (used for DLV).
+ # plain value in bytes or you can append k, m or G. default is "1Mb".
+ # neg-cache-size: 1m
# a number of locally served zones can be configured.
# local-zone: <zone> <type>
@@ -340,15 +391,48 @@
# (this makes example.com, www.example.com, etc, all go to 192.0.2.3)
# local-zone: "example.com" redirect
# local-data: "example.com A 192.0.2.3"
+ #
+ # Shorthand to make PTR records, "IPv4 name" or "IPv6 name".
+ # You can also add PTR records using local-data directly, but then
+ # you need to do the reverse notation yourself.
+ # local-data-ptr: "192.0.2.3 www.example.com"
+
+# Remote control config section.
+remote-control:
+ # Enable remote control with unbound-control(8) here.
+ # set up the keys and certificates with unbound-control-setup.
+ # Note: required for unbound-munin package
+ control-enable: yes
+
+ # what interfaces are listened to for remote control.
+ # give 0.0.0.0 and ::0 to listen to all interfaces.
+ # control-interface: 127.0.0.1
+ # control-interface: ::1
+
+ # port number for remote control operations.
+ # control-port: 953
+
+ # unbound server key file.
+ server-key-file: "/etc/unbound/unbound_server.key"
+
+ # unbound server certificate file.
+ server-cert-file: "/etc/unbound/unbound_server.pem"
+
+ # unbound-control key file.
+ control-key-file: "/etc/unbound/unbound_control.key"
+ # unbound-control certificate file.
+ control-cert-file: "/etc/unbound/unbound_control.pem"
# Stub zones.
# Create entries like below, to make all queries for 'example.com' and
# 'example.org' go to the given list of nameservers. list zero or more
-# nameservers by hostname or by ipaddress.
+# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
+# the list is treated as priming hints (default is no).
# stub-zone:
# name: "example.com"
# stub-addr: 192.0.2.68
+# stub-prime: "no"
# stub-zone:
# name: "example.org"
# stub-host: ns.example.com.
Index: unbound.spec
===================================================================
RCS file: /cvs/extras/rpms/unbound/F-9/unbound.spec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- unbound.spec 1 Nov 2008 16:58:24 -0000 1.1
+++ unbound.spec 20 Jan 2009 21:56:11 -0000 1.2
@@ -7,14 +7,15 @@
Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
Source1: unbound.init
Source2: unbound.conf
+Source3: unbound.munin
Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-BuildRequires: flex, openssl-devel, ldns-devel >= 1.3.0, libevent-devel
+BuildRequires: flex, openssl-devel >= 0.9.8g-9.12, ldns-devel >= 1.4.0
Requires(post): chkconfig
Requires(preun): chkconfig
Requires(preun): initscripts
Requires(postun): initscripts
-Requires: ldns >= 1.3.0
+Requires: ldns >= 1.4.0
Requires(pre): shadow-utils
# Is this obsolete?
#Provides: caching-nameserver
@@ -30,11 +31,20 @@
DNSSEC (secure DNS) validation and stub-resolvers (that do not run
as a server, but are linked into an application) are easily possible.
+%package munin
+Summary: Plugin for the munin / munin-node monitoring package
+Group: System Environment/Daemons
+Requires: munin-node
+Requires: %{name} = %{version}-%{release}, bc
+
+%description munin
+Plugin for the munin / munin-node monitoring package
+
+
%package devel
Summary: Development package that includes the unbound header files
Group: Development/Libraries
Requires: %{name}-libs = %{version}-%{release}, openssl-devel, ldns-devel
-Requires: libevent-devel
%description devel
The devel package contains the unbound library and the include files
@@ -52,38 +62,30 @@
%setup -q
%build
-%configure --with-ldns= --with-libevent --with-pthreads --with-ssl \
+%configure --with-ldns= --without-libevent --with-pthreads --with-ssl \
--disable-rpath --enable-debug --disable-static \
- --with-run-dir=%{_localstatedir}/lib/%{name}\
- --with-conf-file=%{_localstatedir}/lib/%{name}/unbound.conf \
+ --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \
--with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid
%{__make} CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE" QUIET=no %{?_smp_mflags}
%install
rm -rf %{buildroot}
%{__make} DESTDIR=%{buildroot} install
-install -d 0755 %{buildroot}%{_localstatedir}/lib/%{name}
install -d 0755 %{buildroot}%{_initrddir}
-#install -m 0755 contrib/unbound.init %{buildroot}%{_initrddir}/unbound
install -m 0755 %{SOURCE1} %{buildroot}%{_initrddir}/unbound
-#overwrite stock unbound.conf with our own
-install -m 0755 %{SOURCE2} %{buildroot}%{_localstatedir}/lib/%{name}
-
-# add symbolic link from /etc/unbound.conf -> /var/unbound/unbound.conf
+install -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound
+# Install munin plugin and its softlinks
+install -d 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d
+install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/munin/plugin-conf.d/unbound
+install -d 0755 %{buildroot}%{_datadir}/munin/plugins/
+install -m 0755 contrib/unbound_munin_ %{buildroot}%{_datadir}/munin/plugins/unbound
+for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unbound_munin_by_type unbound_munin_by_class unbound_munin_by_opcode unbound_munin_by_rcode unbound_munin_by_flags unbound_munin_histogram; do
+ ln -s unbound %{buildroot}%{_datadir}/munin/plugins/$plugin
+done
-( cd %{buildroot}%{_sysconfdir}/ ; ln -s ..%{_localstatedir}/lib/unbound/unbound.conf )
# remove static library from install (fedora packaging guidelines)
rm -rf %{buildroot}%{_libdir}/*.la
-# The chroot needs /dev/log, /dev/random, /etc/resolv.conf and /etc/localtime
-# but the init script uses mount --bind, so just create empty files
-mkdir -p %{buildroot}%{_localstatedir}/lib/unbound/etc \
- %{buildroot}%{_localstatedir}/lib/unbound/dev
-echo "Used for mount --bind in initscript" > %{buildroot}%{_localstatedir}/lib/unbound/etc/resolv.conf
-echo "Used for mount --bind in initscript" > %{buildroot}%{_localstatedir}/lib/unbound/etc/localtime
-echo "Used for mount --bind in initscript" > %{buildroot}%{_localstatedir}/lib/unbound/dev/log
-echo "Used for mount --bind in initscript" > %{buildroot}%{_localstatedir}/lib/unbound/dev/random
-mkdir -p %{buildroot}%{_localstatedir}/lib/unbound/var/run/unbound
mkdir -p %{buildroot}%{_localstatedir}/run/unbound
%clean
@@ -93,21 +95,17 @@
%defattr(-,root,root,-)
%doc doc/README doc/CREDITS doc/LICENSE doc/FEATURES
%attr(0755,root,root) %{_initrddir}/%{name}
-# the chroot env
-%attr(0755,root,root) %dir %{_localstatedir}/lib/%{name}
+%attr(0755,root,root) %dir %{_sysconfdir}/%{name}
%attr(0755,unbound,unbound) %dir %{_localstatedir}/run/%{name}
-%attr(0755,root,root) %dir %{_localstatedir}/lib/%{name}/dev
-%attr(0755,root,root) %dir %{_localstatedir}/lib/%{name}/etc
-%attr(0755,root,root) %dir %{_localstatedir}/lib/%{name}/var
-%attr(0755,root,root) %dir %{_localstatedir}/lib/%{name}/var/run
-%attr(0755,root,root) %dir %{_localstatedir}/lib/%{name}/var/run/unbound
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/unbound.conf
-%attr(0644,root,root) %config(noreplace) %{_localstatedir}/lib/%{name}/unbound.conf
-%attr(0644,root,root) %{_localstatedir}/lib/%{name}/dev/*
-%attr(0644,root,root) %{_localstatedir}/lib/%{name}/etc/*
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
%{_sbindir}/*
%{_mandir}/*/*
+%files munin
+%defattr(-,root,root,-)
+%config(noreplace) %{_sysconfdir}/munin/plugin-conf.d/unbound
+%{_datadir}/munin/plugins/unbound*
+
%files devel
%defattr(-,root,root,-)
%{_libdir}/libunbound.so
@@ -133,7 +131,7 @@
%preun
-if [ $1 -eq 0 ]; then
+if [ "$1" -eq 0 ]; then
/sbin/service %{name} stop >/dev/null 2>&1
/sbin/chkconfig --del %{name}
fi
@@ -146,6 +144,16 @@
%postun libs -p /sbin/ldconfig
%changelog
+* Tue Jan 20 2009 Paul Wouters <paul at xelerance.com - 1.2.0-1
+- Updated to 1.2.0
+- Added dependancy on minimum SSL for CVE-2008-5077
+- Added munin package and dependancies
+- Compile without libevent, as the version in F-9 causes crashes
+- Enable options as per draft-wijngaards-dnsext-resolver-side-mitigation-00.txt
+- Enable unwanted-reply-threshold to mitigate against a Kaminsky attack
+- Enable val-clean-additional to drop addition unsigned data from signed
+ response.
+
* Wed Oct 22 2008 Paul Wouters <paul at xelerance.com> - 1.0.2-5
- Only call ldconfig in -libs package
- Move configure into build section
More information about the fedora-extras-commits
mailing list