rpms/unbound/F-9 unbound-r1657.patch, NONE, 1.1 unbound-r1670.patch, NONE, 1.1 unbound-r1677.patch, NONE, 1.1 unbound.init, 1.2, 1.3 unbound.spec, 1.8, 1.9
Paul Wouters
pwouters at fedoraproject.org
Fri Jul 3 05:03:57 UTC 2009
- Previous message (by thread): rpms/python-mutagen/devel .cvsignore, 1.10, 1.11 import.log, 1.2, 1.3 python-mutagen.spec, 1.15, 1.16 sources, 1.10, 1.11
- Next message (by thread): rpms/unbound/F-9 sources,1.3,1.4 unbound.spec,1.9,1.10
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: pwouters
Update of /cvs/extras/rpms/unbound/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9887
Modified Files:
unbound.init unbound.spec
Added Files:
unbound-r1657.patch unbound-r1670.patch unbound-r1677.patch
Log Message:
* Fri Jul 3 2009 Paul Wouters <paul at xelerance.com> - 1.3.0-1
- Updated to 1.3.0
- Patch from svn to fix DLV lookups
- Patches from svn to detect wrong truncated response from BIND 9.6.1 with
minimal-responses)
- Added Default-Start and Default-Stop to unbound.init
- Re-enabled --enable-sha2
- Re-enabled glob.patch
unbound-r1657.patch:
--- NEW FILE unbound-r1657.patch ---
Index: validator/validator.c
===================================================================
--- validator/validator.c (revision 1656)
+++ validator/validator.c (revision 1657)
@@ -251,9 +251,8 @@
/**
* Check to see if a given response needs to go through the validation
* process. Typical reasons for this routine to return false are: CD bit was
- * on in the original request, the response was already validated, or the
- * response is a kind of message that is unvalidatable (i.e., SERVFAIL,
- * REFUSED, etc.)
+ * on in the original request, or the response is a kind of message that
+ * is unvalidatable (i.e., SERVFAIL, REFUSED, etc.)
*
* @param qstate: query state.
* @param ret_rc: rcode for this message (if noerror - examine ret_msg).
@@ -292,14 +291,25 @@
verbose(VERB_ALGO, "cannot validate RRSIG, no sigs on sigs.");
return 0;
}
+ return 1;
+}
+/**
+ * Check to see if the response has already been validated.
+ * @param ret_msg: return msg, can be NULL
+ * @return true if the response has already been validated
+ */
+static int
+already_validated(struct dns_msg* ret_msg)
+{
/* validate unchecked, and re-validate bogus messages */
if (ret_msg && ret_msg->rep->security > sec_status_bogus)
{
- verbose(VERB_ALGO, "response has already been validated");
- return 0;
+ verbose(VERB_ALGO, "response has already been validated: %s",
+ sec_status_to_string(ret_msg->rep->security));
+ return 1;
}
- return 1;
+ return 0;
}
/**
@@ -1937,6 +1947,10 @@
qstate->ext_state[id] = module_finished;
return;
}
+ if(already_validated(qstate->return_msg)) {
+ qstate->ext_state[id] = module_finished;
+ return;
+ }
/* create state to start validation */
qstate->ext_state[id] = module_error; /* override this */
if(!vq) {
@@ -2397,7 +2411,8 @@
}
if(msg->rep->security != sec_status_secure) {
vq->dlv_status = dlv_error;
- verbose(VERB_ALGO, "response is not secure");
+ verbose(VERB_ALGO, "response is not secure, %s",
+ sec_status_to_string(msg->rep->security));
return;
}
/* was the lookup a success? validated DLV? */
unbound-r1670.patch:
--- NEW FILE unbound-r1670.patch ---
Index: validator/validator.c
===================================================================
--- validator/validator.c (revision 1669)
+++ validator/validator.c (revision 1670)
@@ -479,6 +479,36 @@
}
/**
+ * Detect wrong truncated response, by a bad recursor out there.
+ * The positive response has a mangled authority section.
+ * Remove that authority section.
+ * @param rep: reply
+ * @return true if a wrongly truncated response.
+ */
+static int
+detect_wrongly_truncated(struct reply_info* rep)
+{
+ size_t i;
+ /* no additional, only NS in authority, and it is bogus */
+ if(rep->ar_numrrsets != 0 || rep->ns_numrrsets != 1 ||
+ rep->an_numrrsets == 0)
+ return 0;
+ if(ntohs(rep->rrsets[ rep->an_numrrsets ]->rk.type) != LDNS_RR_TYPE_NS)
+ return 0;
+ if(((struct packed_rrset_data*)rep->rrsets[ rep->an_numrrsets ]
+ ->entry.data)->security != sec_status_bogus)
+ return 0;
+ /* answer section is present and secure */
+ for(i=0; i<rep->an_numrrsets; i++) {
+ if(((struct packed_rrset_data*)rep->rrsets[ i ]
+ ->entry.data)->security != sec_status_secure)
+ return 0;
+ }
+ return 1;
+}
+
+
+/**
* Given a "positive" response -- a response that contains an answer to the
* question, and no CNAME chain, validate this response.
*
@@ -1449,17 +1479,31 @@
vq->chase_reply->security = sec_status_bogus;
return 1;
}
+ subtype = val_classify_response(qstate->query_flags, &qstate->qinfo,
+ &vq->qchase, vq->orig_msg->rep, vq->rrset_skip);
/* check signatures in the message;
* answer and authority must be valid, additional is only checked. */
if(!validate_msg_signatures(qstate->env, ve, &vq->qchase,
vq->chase_reply, vq->key_entry)) {
- verbose(VERB_DETAIL, "Validate: message contains bad rrsets");
- return 1;
+ /* workaround bad recursor out there that truncates (even
+ * with EDNS4k) to 512 by removing RRSIG from auth section
+ * for positive replies*/
+ if(subtype == VAL_CLASS_POSITIVE &&
+ detect_wrongly_truncated(vq->orig_msg->rep)) {
+ /* truncate the message some more */
+ vq->orig_msg->rep->ns_numrrsets = 0;
+ vq->orig_msg->rep->rrset_count--;
+ vq->chase_reply->ns_numrrsets = 0;
+ vq->chase_reply->rrset_count--;
+ }
+ else {
+ verbose(VERB_DETAIL, "Validate: message contains "
+ "bad rrsets");
+ return 1;
+ }
}
- subtype = val_classify_response(qstate->query_flags, &qstate->qinfo,
- &vq->qchase, vq->orig_msg->rep, vq->rrset_skip);
switch(subtype) {
case VAL_CLASS_POSITIVE:
verbose(VERB_ALGO, "Validating a positive response");
unbound-r1677.patch:
--- NEW FILE unbound-r1677.patch ---
Index: validator/validator.c
===================================================================
--- validator/validator.c (revision 1677)
+++ validator/validator.c (working copy)
@@ -479,7 +479,7 @@
}
/**
- * Detect wrong truncated response, by a bad recursor out there.
+ * Detect wrong truncated response (from BIND 9.6.1 with minimal-responses).
* The positive response has a mangled authority section.
* Remove that authority section.
* @param rep: reply
Index: iterator/iterator.c
===================================================================
--- iterator/iterator.c (revision 1677)
+++ iterator/iterator.c (working copy)
@@ -1513,9 +1513,14 @@
/* we know that all other NS rrsets are scrubbed
* away, thus on referral only one is left.
* see if that equals the query name... */
- && reply_find_rrset_section_ns(iq->response->rep,
+ && ( /* auth section, but sometimes in answer section*/
+ reply_find_rrset_section_ns(iq->response->rep,
qstate->qinfo.qname, qstate->qinfo.qname_len,
LDNS_RR_TYPE_NS, qstate->qinfo.qclass)
+ || reply_find_rrset_section_an(iq->response->rep,
+ qstate->qinfo.qname, qstate->qinfo.qname_len,
+ LDNS_RR_TYPE_NS, qstate->qinfo.qclass)
+ )
)) {
/* Store the referral under the current query */
if(!iter_dns_store(qstate->env, &iq->response->qinfo,
Index: unbound.init
===================================================================
RCS file: /cvs/extras/rpms/unbound/F-9/unbound.init,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -p -r1.2 -r1.3
--- unbound.init 20 Jan 2009 22:19:10 -0000 1.2
+++ unbound.init 3 Jul 2009 05:03:56 -0000 1.3
@@ -11,6 +11,8 @@
# Provides: unbound
# Required-Start: $network $local_fs
# Required-Stop: $network $local_fs
+# Default-Start:
+# Default-Stop: 0 1 2 3 4 5 6
# Should-Start: $syslog
# Should-Stop: $syslog
# Short-Description: unbound recursive Domain Name Server.
@@ -25,28 +27,46 @@ exec="/usr/sbin/unbound"
config="/etc/unbound/unbound.conf"
rootdir="/var/lib/unbound"
pidfile="/var/run/unbound/unbound.pid"
+piddir=`dirname $pidfile`
[ -e /etc/sysconfig/unbound ] && . /etc/sysconfig/unbound
+[ -e /etc/sysconfig/dnssec ] && . /etc/sysconfig/dnssec
lockfile=/var/lock/subsys/unbound
+[ -x /usr/sbin/dnssec-configure ] && [ -r "$config" ] &&
+ [ /etc/sysconfig/dnssec -nt "$config" ] && \
+ /usr/sbin/dnssec-configure -u --norestart --dnssec="$DNSSEC" --dlv="$DLV"
+
start() {
[ -x $exec ] || exit 5
[ -f $config ] || exit 6
+ # /var/run could (and should) be tmpfs
+ [ -d $piddir ] || mkdir $piddir
if [ ! -f /etc/unbound/unbound_control.key ]
then
echo -n $"Generating unbound control key and certificate: "
/usr/sbin/unbound-control-setup -d /etc/unbound/ > /dev/null 2> /dev/null
+ chgrp unbound /etc/unbound/unbound_*key /etc/unbound/unbound_*pem
[ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled && \
[ -x /sbin/restorecon ] && /sbin/restorecon /etc/unbound/*
echo
+ else
+ # old init script created these as root instead of unbound.
+ if [ -G /etc/unbound/unbound_control.key ]
+ then
+ chgrp unbound /etc/unbound/unbound_*key /etc/unbound/unbound_*pem
+ [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled && \
+ [ -x /sbin/restorecon ] && /sbin/restorecon /etc/unbound/*
+ echo
+ fi
fi
echo -n $"Starting unbound: "
# if not running, start it up here
- daemon $exec
+ daemon --pidfile=$pidfile $exec
retval=$?
[ $retval -eq 0 ] && touch $lockfile
echo
Index: unbound.spec
===================================================================
RCS file: /cvs/extras/rpms/unbound/F-9/unbound.spec,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -p -r1.8 -r1.9
--- unbound.spec 16 Feb 2009 22:01:28 -0000 1.8
+++ unbound.spec 3 Jul 2009 05:03:56 -0000 1.9
@@ -1,24 +1,27 @@
Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound
-Version: 1.2.0
-Release: 3%{?dist}
+Version: 1.3.0
+Release: 2%{?dist}
License: BSD
Url: http://www.nlnetlabs.nl/unbound/
Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
Source1: unbound.init
Source2: unbound.conf
Source3: unbound.munin
-Patch0: unbound-libevent-r1441.patch
-Patch1: unbound-1.2-glob.patch
+# See the unbound svn repository for further documentation on these
+Patch1: unbound-r1657.patch
+Patch2: unbound-r1670.patch
+Patch3: unbound-r1677.patch
+Patch4: unbound-1.2-glob.patch
Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-BuildRequires: flex, openssl-devel >= 0.9.8g-10, ldns-devel >= 1.4.0
+BuildRequires: flex, openssl-devel >= 0.9.8g-10, ldns-devel >= 1.5.1
BuildRequires: libevent-devel
Requires(post): chkconfig
Requires(preun): chkconfig
Requires(preun): initscripts
Requires(postun): initscripts
-Requires: ldns >= 1.4.0
+Requires: ldns >= 1.5.1
Requires(pre): shadow-utils
# Is this obsolete?
#Provides: caching-nameserver
@@ -57,6 +60,7 @@ Summary: Libraries used by the unbound s
Group: Applications/System
Requires(post): /sbin/ldconfig
Requires(postun): /sbin/ldconfig
+Requires: openssl >= 0.9.8g-10
%description libs
Contains libraries used by the unbound server and client applications
@@ -68,7 +72,7 @@ Contains libraries used by the unbound s
%build
%configure --with-ldns= --with-libevent --with-pthreads --with-ssl \
- --disable-rpath --enable-debug --disable-static \
+ --disable-rpath --enable-debug --disable-static --enable-sha2 \
--with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \
--with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid
%{__make} CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE" QUIET=no %{?_smp_mflags}
@@ -131,9 +135,18 @@ exit 0
%post
/sbin/chkconfig --add %{name}
+# Check DNSSEC settings if this is a fresh install
+if [ "$1" -eq 1 ]; then
+ if [ -r /etc/sysconfig/dnssec ]; then
+ . /etc/sysconfig/dnssec
+ [ -x /usr/sbin/dnssec-configure ] && \
+ dnssec-configure -u --norestart --nocheck --dnssec="$DNSSEC" --dlv="$DLV" > \
+ /dev/null 2>&1
+ fi;
+fi
%post libs -p /sbin/ldconfig
-
+dd
%preun
if [ "$1" -eq 0 ]; then
@@ -149,6 +162,15 @@ fi
%postun libs -p /sbin/ldconfig
%changelog
+* Fri Jul 3 2009 Paul Wouters <paul at xelerance.com> - 1.3.0-1
+- Updated to 1.3.0
+- Patch from svn to fix DLV lookups
+- Patches from svn to detect wrong truncated response from BIND 9.6.1 with
+ minimal-responses)
+- Added Default-Start and Default-Stop to unbound.init
+- Re-enabled --enable-sha2
+- Re-enabled glob.patch
+
* Tue Jan 20 2009 Paul Wouters <paul at xelerance.com - 1.2.0-3
- Patch to allow missing files from includes using wildcards
- Previous message (by thread): rpms/python-mutagen/devel .cvsignore, 1.10, 1.11 import.log, 1.2, 1.3 python-mutagen.spec, 1.15, 1.16 sources, 1.10, 1.11
- Next message (by thread): rpms/unbound/F-9 sources,1.3,1.4 unbound.spec,1.9,1.10
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-extras-commits
mailing list