Re: [PATCH] unbound: New package

Oh, thanks - small change in last minute, huge problems at a later time. I completely missed to create the user and group.

I'll send a fixed patch to the list soon. Thanks for reviewing and sorry for the extra noise on the list. Hopefully this will guide me in the future to prevent from such stupid mistakes.

-Stefan

Hello,

this won't build:

• install -p -m 0664 /usr/src/packages/unbound-1.5.5

-1.ip3.src/unbound.conf /builddir/unbound-1.5.5-1.ip3/etc/unbound/

• install -p -m 0664 /usr/src/packages/unbound-1.5.5

-1.ip3.src/icannbundle.pem /builddir/unbound-1.5.5-1.ip3/etc/unbound/

• install -p -m 0644 /usr/src/packages/unbound-1.5.5

-1.ip3.src/root.key /builddir/unbound-1.5.5-1.ip3/etc/unbound/

• install -p -m 0664 /usr/src/packages/unbound-1.5.5

-1.ip3.src/dlv.isc.org.key /builddir/unbound-1.5.5-1.ip3/etc/unbound/

• install -p -m 0664 /usr/src/packages/unbound-1.5.5

-1.ip3.src/root.anchor /builddir/unbound-1.5.5 -1.ip3/var/lib/unbound/root.key

• chown -R unbound:unbound /builddir/unbound-1.5.5

-1.ip3/var/lib/unbound/ chown: invalid user: ‘unbound:unbound’ Command exited with an error: ['bash', '--login', '-c', '/tmp/tmpnij81f']

Please make sure to check these things before sending your patches. This just makes a lot of noise for all of us.

-Michael

On Sun, 2015-10-18 at 11:36 +0200, Stefan Schantl wrote:

...

Unbound is a validating, recursive, and caching DNS resolver.

The package comes with libraries that are used by many other packages to resolve DNS records and validate those by using DNSSEC.

Fixes #10943.

Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org

unbound/dlv.isc.org.key | 2 + unbound/icannbundle.pem | 317 ++++++++++++++++ unbound/root.anchor | 1 + unbound/root.key | 6 + unbound/systemd/unbound-anchor.service | 9 + unbound/systemd/unbound-anchor.timer | 14 + unbound/systemd/unbound-keygen.service | 14 + unbound/systemd/unbound.service | 18 + unbound/unbound.conf | 655 +++++++++++++++++++++++++++++++++ unbound/unbound.nm | 158 ++++++++ unbound/unbound.tmpfiles | 1 + 11 files changed, 1195 insertions(+) create mode 100644 unbound/dlv.isc.org.key create mode 100644 unbound/icannbundle.pem create mode 100644 unbound/root.anchor create mode 100644 unbound/root.key create mode 100644 unbound/systemd/unbound-anchor.service create mode 100644 unbound/systemd/unbound-anchor.timer create mode 100644 unbound/systemd/unbound-keygen.service create mode 100644 unbound/systemd/unbound.service create mode 100644 unbound/unbound.conf create mode 100644 unbound/unbound.nm create mode 100644 unbound/unbound.tmpfiles

diff --git a/unbound/dlv.isc.org.key b/unbound/dlv.isc.org.key new file mode 100644 index 0000000..c73944f --- /dev/null +++ b/unbound/dlv.isc.org.key @@ -0,0 +1,2 @@ +; https://secure.isc.org/ops/dlv/dlv.isc.org.key +dlv.isc.org. IN DNSKEY 257 3 5 BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh diff --git a/unbound/icannbundle.pem b/unbound/icannbundle.pem new file mode 100644 index 0000000..48941de --- /dev/null +++ b/unbound/icannbundle.pem @@ -0,0 +1,317 @@ +Certificate:

• Data:

•    Version: 3 (0x2)
  

•    Serial Number: 1 (0x1)
  

•    Signature Algorithm: sha256WithRSAEncryption
  

•    Issuer: O=ICANN, OU=ICANN Certification Authority,
  

CN=ICANN Root CA, C=US

•    Validity
  

•        Not Before: Dec 23 04:19:12 2009 GMT
  

•        Not After : Dec 18 04:19:12 2029 GMT
  

•    Subject: O=ICANN, OU=ICANN Certification Authority,
  

CN=ICANN Root CA, C=US

•    Subject Public Key Info:
  

•        Public Key Algorithm: rsaEncryption
  

•        RSA Public Key: (2048 bit)
  

•            Modulus (2048 bit):
  

•                00:a0:db:70:b8:4f:34:da:9c:d4:d0:7e:bb:ea:15:
  

•                bc:e9:c9:11:2a:1f:61:2f:6a:b9:bd:3f:3d:76:a0:
  

•                9a:0a:f7:ee:93:6e:6e:55:53:84:8c:f2:2c:f1:82:
  

•                27:c8:0f:9a:cf:52:1b:54:da:28:d2:2c:30:8e:dd:
  

•                fb:92:20:33:2d:d6:c8:f1:0e:10:21:88:71:fa:84:
  

•                22:4b:5d:47:56:16:7c:9b:9f:5d:c3:11:79:9c:14:
  

•                e2:ff:c0:74:ac:dd:39:d7:e0:38:d8:b0:73:aa:fb:
  

•                d1:db:84:af:52:22:a8:f6:d5:9b:94:f4:e6:5d:5e:
  

•                e8:3f:87:90:0b:c7:1a:77:f5:2e:d3:8f:1a:ce:02:
  

•                1d:07:69:21:47:32:da:46:ae:00:4c:b6:a5:a2:9c:
  

•                39:c1:c0:4a:f6:d3:1c:ae:d3:6d:bb:c7:18:f0:7e:
  

•                ed:f6:80:ce:d0:01:2e:89:de:12:ba:ee:11:cb:a6:
  

•                7a:d7:0d:7c:f3:08:8d:72:9d:bf:55:75:13:70:bb:
  

•                31:22:4a:cb:e8:c0:aa:a4:09:aa:36:68:40:60:74:
  

•                9d:e7:19:81:43:22:52:fe:c9:2b:52:0f:41:13:36:
  

•                09:72:65:95:cc:89:ae:6f:56:17:16:34:73:52:a3:
  

•                04:ed:bd:88:82:8a:eb:d7:dc:82:52:9c:06:e1:52:
  

•                85:41
  

•            Exponent: 65537 (0x10001)
  

•    X509v3 extensions:
  

•        X509v3 Basic Constraints: critical
  

•            CA:TRUE
  

•        X509v3 Key Usage: critical
  

•            Digital Signature, Non Repudiation, Key
  

Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign

•        X509v3 Subject Key Identifier: 
  

BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50

• Signature Algorithm: sha256WithRSAEncryption

•    0f:f1:e9:82:a2:0a:87:9f:2d:94:60:5a:b2:c0:4b:a1:2f:2b:
  

•    3b:47:d5:0a:99:86:38:b2:ec:c6:3b:89:e4:6e:07:cf:14:c7:
  

•    c7:e8:cf:99:8f:aa:30:c3:19:70:b9:e6:6d:d6:3f:c8:68:26:
  

•    b2:a0:a5:37:42:ca:d8:62:80:d1:a2:5a:48:2e:1f:85:3f:0c:
  

•    7b:c2:c7:94:11:5f:19:2a:95:ac:a0:3a:03:d8:91:5b:2e:0d:
  

•    9c:7c:1f:2e:fc:e9:44:e1:16:26:73:1c:45:4a:65:c1:83:4c:
  

•    90:f3:f2:28:42:df:db:c4:e7:04:12:18:62:43:5e:bc:1f:6c:
  

•    84:e6:bc:49:32:df:61:d7:99:ee:e4:90:52:7b:0a:c2:91:8a:
  

•    98:62:66:b1:c8:e0:b7:5a:b5:46:7c:76:71:54:8e:cc:a4:81:
  

•    5c:19:db:d2:6f:66:b5:bb:2b:ae:6b:c9:74:04:a8:24:de:e8:
  

•    c5:d3:fc:2c:1c:d7:8f:db:6a:8d:c9:53:be:5d:50:73:ac:cf:
  

•    1f:93:c0:52:50:5b:a2:4f:fe:ad:65:36:17:46:d1:2d:e5:a2:
  

•    90:66:05:db:29:4e:5d:50:5d:e3:4f:da:a0:8f:f0:6b:e4:16:
  

•    70:dd:7f:f3:77:7d:b9:4e:f9:ec:c3:33:02:d7:e9:63:2f:31:
  

•    e7:40:61:a4
  

+-----BEGIN CERTIFICATE----- +MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO +TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV +BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX +DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O +IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB +MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb +cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S +G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg +ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2 +paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7 +MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29 +iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B +Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3 +DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH +6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD +2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h +15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF +0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg +j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk +-----END CERTIFICATE----- +Certificate:

• Data:

•    Version: 3 (0x2)
  

•    Serial Number: 2 (0x2)
  

•    Signature Algorithm: sha256WithRSAEncryption
  

•    Issuer: O=ICANN, OU=ICANN Certification Authority,
  

CN=ICANN Root CA, C=US

•    Validity
  

•        Not Before: Dec 23 04:45:04 2009 GMT
  

•        Not After : Dec 22 04:45:04 2014 GMT
  

•    Subject: O=ICANN, CN=ICANN DNSSEC 
  

CA/emailAddress=dnssec@icann.org

•    Subject Public Key Info:
  

•        Public Key Algorithm: rsaEncryption
  

•        RSA Public Key: (2048 bit)
  

•            Modulus (2048 bit):
  

•                00:c0:bf:e2:b4:ee:12:46:36:3b:7c:d2:46:21:64:
  

•                5a:93:e1:e3:02:10:25:bb:a5:30:70:19:89:98:7e:
  

•                9e:db:8e:0f:ac:c8:48:66:0e:1a:f8:81:e5:2d:3c:
  

•                7b:39:39:76:28:8f:ee:0a:a7:dd:64:e9:5f:87:25:
  

•                b1:64:e5:59:03:fc:bc:29:3b:63:37:c8:d7:46:9a:
  

•                b6:ce:87:55:cd:cf:e2:ab:e9:c7:8a:53:2e:25:87:
  

•                b0:98:d6:20:a3:a8:ec:87:b0:39:a3:c4:c5:75:59:
  

•                3c:fb:91:03:fa:ee:7f:e9:2b:b6:70:88:69:2c:e6:
  

•                f1:4f:fc:d0:47:b4:e9:a0:2c:fa:0c:c3:84:eb:be:
  

•                73:5a:bc:16:ed:d0:83:02:2d:eb:6a:21:02:51:70:
  

•                29:1e:4f:c9:69:03:9f:91:32:5c:2c:1a:9f:5e:45:
  

•                48:2a:50:ee:72:14:ec:17:29:fc:20:95:7d:22:6a:
  

•                c6:6f:83:a2:58:8e:b1:64:c8:73:23:54:6c:69:1d:
  

•                66:1f:df:f8:4f:24:a1:a8:ae:00:7f:e9:89:41:a6:
  

•                e3:88:1d:3a:e1:b3:3a:ef:29:45:32:9b:94:2e:b7:
  

•                6c:1e:fe:31:40:13:e1:bd:52:67:d0:d8:c3:3e:03:
  

•                84:48:72:9d:bd:8a:48:a0:f2:72:35:b6:03:4b:c6:
  

•                e9:05
  

•            Exponent: 65537 (0x10001)
  

•    X509v3 extensions:
  

•        X509v3 Basic Constraints: critical
  

•            CA:TRUE
  

•        X509v3 Key Usage: critical
  

•            Digital Signature, Non Repudiation, Key
  

Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign

•        X509v3 Authority Key Identifier: 
  

keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50

•        X509v3 Subject Key Identifier: 
  

8F:B2:42:69:C3:9D:E4:3C:FA:13:B9:FF:F2:C0:A4:EF:D8:0F:E8:22

• Signature Algorithm: sha256WithRSAEncryption

•    4a:78:a2:47:7e:3f:2e:4d:78:68:ab:06:5c:ff:da:01:04:45:
  

•    92:20:20:88:f3:dc:4e:70:01:9b:cb:f3:13:61:34:04:09:15:
  

•    d0:be:99:1c:be:fc:97:e9:2d:73:e1:b3:2b:a6:b9:3a:41:33:
  

•    f3:83:3d:64:1b:64:95:bf:ae:cd:20:df:18:e0:62:8d:fa:9c:
  

•    f7:d8:a9:3c:25:2b:8e:cf:10:e5:29:b9:af:1a:7f:62:64:75:
  

•    e7:c6:fd:9b:6d:71:c0:a9:b3:0f:9a:b7:7a:fe:53:04:18:cd:
  

•    04:06:d9:bf:01:0e:cc:04:84:84:51:a3:e9:06:2a:a3:25:73:
  

•    4e:8d:62:19:13:25:5b:de:0b:dc:d0:69:01:ca:41:0a:96:13:
  

•    cf:6a:11:fe:2b:9a:3f:fd:56:3d:73:3d:58:49:c2:71:83:20:
  

•    23:6d:46:99:6e:37:91:9f:76:2a:9c:b0:69:3f:64:9f:05:bb:
  

•    38:c8:1e:ca:d8:6c:fd:56:3e:a6:85:a2:53:80:c6:42:b6:79:
  

•    c6:43:0b:e0:6c:ea:9f:cf:b0:2a:2c:01:50:c3:d8:0f:a0:7e:
  

•    a1:73:a8:5c:84:27:5b:c9:4b:5a:13:e9:69:25:1c:59:11:d2:
  

•    01:dc:da:e7:c8:44:34:a2:e4:99:25:b4:c3:23:b5:f8:2d:48:
  

•    e5:8d:06:73
  

+-----BEGIN CERTIFICATE----- +MIIDhjCCAm6gAwIBAgIBAjANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO +TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV +BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0NDUwNFoX +DTE0MTIyMjA0NDUwNFowSzEOMAwGA1UEChMFSUNBTk4xGDAWBgNVBAMTD0lDQU5O +IEROU1NFQyBDQTEfMB0GCSqGSIb3DQEJARMQZG5zc2VjQGljYW5uLm9yZzCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMC/4rTuEkY2O3zSRiFkWpPh4wIQ +JbulMHAZiZh+ntuOD6zISGYOGviB5S08ezk5diiP7gqn3WTpX4clsWTlWQP8vCk7 +YzfI10aats6HVc3P4qvpx4pTLiWHsJjWIKOo7IewOaPExXVZPPuRA/ruf+krtnCI +aSzm8U/80Ee06aAs+gzDhOu+c1q8Fu3QgwIt62ohAlFwKR5PyWkDn5EyXCwan15F +SCpQ7nIU7Bcp/CCVfSJqxm+DoliOsWTIcyNUbGkdZh/f+E8koaiuAH/piUGm44gd +OuGzOu8pRTKblC63bB7+MUAT4b1SZ9DYwz4DhEhynb2KSKDycjW2A0vG6QUCAwEA +AaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAf4wHwYDVR0jBBgw +FoAUulLpSYMkhlIvx5nN/I1raQhNwFAwHQYDVR0OBBYEFI+yQmnDneQ8+hO5//LA +pO/YD+giMA0GCSqGSIb3DQEBCwUAA4IBAQBKeKJHfj8uTXhoqwZc/9oBBEWSICCI +89xOcAGby/MTYTQECRXQvpkcvvyX6S1z4bMrprk6QTPzgz1kG2SVv67NIN8Y4GKN ++pz32Kk8JSuOzxDlKbmvGn9iZHXnxv2bbXHAqbMPmrd6/lMEGM0EBtm/AQ7MBISE +UaPpBiqjJXNOjWIZEyVb3gvc0GkBykEKlhPPahH+K5o//VY9cz1YScJxgyAjbUaZ +bjeRn3YqnLBpP2SfBbs4yB7K2Gz9Vj6mhaJTgMZCtnnGQwvgbOqfz7AqLAFQw9gP +oH6hc6hchCdbyUtaE+lpJRxZEdIB3NrnyEQ0ouSZJbTDI7X4LUjljQZz +-----END CERTIFICATE----- +Certificate:

• Data:

•    Version: 3 (0x2)
  

•    Serial Number: 6 (0x6)
  

•    Signature Algorithm: sha256WithRSAEncryption
  

•    Issuer: O=ICANN, OU=ICANN Certification Authority,
  

CN=ICANN Root CA, C=US

•    Validity
  

•        Not Before: Dec 23 05:21:16 2009 GMT
  

•        Not After : Dec 22 05:21:16 2014 GMT
  

•    Subject: O=ICANN, CN=ICANN EMAIL CA
  

•    Subject Public Key Info:
  

•        Public Key Algorithm: rsaEncryption
  

•        RSA Public Key: (2048 bit)
  

•            Modulus (2048 bit):
  

•                00:d2:19:1e:22:69:33:f6:a4:d2:76:c5:80:11:75:
  

•                8e:d0:e8:6f:bf:89:f8:2a:6a:da:8a:85:28:40:ba:
  

•                c5:23:5f:47:ed:72:e2:8e:d3:5c:c8:8a:3a:99:a9:
  

•                57:2c:0a:2b:22:f3:54:7b:8b:f7:8c:21:a2:50:01:
  

•                4f:8b:af:34:df:72:fc:78:31:d0:1d:eb:bc:9b:e6:
  

•                fa:c1:84:d0:05:07:8a:74:53:a5:60:9e:eb:75:9e:
  

•                a8:5d:32:c8:02:32:e4:bf:cb:97:9b:7a:fa:2c:f6:
  

•                6a:1d:b8:57:ad:e3:03:22:93:d0:f4:4f:a8:b8:01:
  

•                db:82:33:98:b6:87:ed:3d:67:40:00:27:2e:d5:95:
  

•                d2:ad:36:46:14:c6:17:79:65:7f:65:f3:88:80:65:
  

•                7c:22:67:08:23:3c:cf:a5:10:38:72:30:97:92:6f:
  

•                20:4a:ba:24:4c:4a:c8:4a:a5:dc:2a:44:a1:29:78:
  

•                b4:9f:fe:84:ff:27:5b:3a:72:ea:31:c1:ad:06:22:
  

•                d6:44:a0:4a:57:32:9c:f2:46:47:d0:89:6e:20:23:
  

•                2c:ea:b0:83:7e:c1:f3:ea:da:dd:e3:63:59:97:21:
  

•                fa:1b:11:39:27:cf:82:8b:56:15:d4:36:92:0c:a5:
  

•                7e:80:e0:18:c9:50:08:42:0a:df:97:3c:9c:b8:0a:
  

•                4d:b1
  

•            Exponent: 65537 (0x10001)
  

•    X509v3 extensions:
  

•        X509v3 Basic Constraints: critical
  

•            CA:TRUE
  

•        X509v3 Key Usage: critical
  

•            Digital Signature, Non Repudiation, Key
  

Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign

•        X509v3 Authority Key Identifier: 
  

keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50

•        X509v3 Subject Key Identifier: 
  

7B:3F:BA:CE:A1:B3:A6:13:2E:5A:82:84:D4:D2:EA:A5:24:F1:CD:B4

• Signature Algorithm: sha256WithRSAEncryption

•    50:07:a5:61:39:e4:3b:e3:bc:1c:b4:a7:b2:ab:a1:fb:47:bf:
  

•    b4:1c:32:ac:3c:46:b0:02:26:2f:16:3e:89:70:e2:87:e9:76:
  

•    99:61:0b:91:c5:48:7a:e5:aa:24:0b:39:e0:4f:26:03:d4:5b:
  

•    01:8a:4d:b6:98:cc:16:fa:e2:12:4a:88:b9:53:bb:50:2d:c7:
  

•    37:b8:a3:82:2d:52:05:3e:46:a7:db:97:82:73:8d:7d:ed:dd:
  

•    9e:37:73:68:6b:90:cd:62:d8:77:ff:32:53:bb:d3:a1:b9:cb:
  

•    7d:32:29:70:fb:2e:90:4b:27:12:6d:99:a5:e6:d4:ef:13:32:
  

•    c1:2f:b5:ae:6e:11:0e:50:56:a4:56:5b:76:b0:c0:99:2e:5a:
  

•    94:17:ee:2b:c1:b6:9c:8b:68:ac:55:95:31:8c:66:2b:35:43:
  

•    a5:13:04:1b:50:44:1c:55:7f:4c:d0:1a:50:80:53:45:a8:e3:
  

•    d3:a8:74:ad:7d:6a:d6:e9:9a:d3:25:7d:83:e2:57:64:1a:94:
  

•    7e:bc:cb:ef:79:b5:54:6a:f1:b0:c3:81:26:90:e5:40:87:ed:
  

•    75:7d:83:63:5b:ab:45:c0:34:04:27:e8:d8:12:26:7c:5e:c0:
  

•    48:b6:33:7d:4b:db:23:8a:f7:13:24:bc:be:7b:74:cb:c4:ed:
  

•    ed:42:eb:2f
  

+-----BEGIN CERTIFICATE----- +MIIDZDCCAkygAwIBAgIBBjANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO +TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV +BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA1MjExNloX +DTE0MTIyMjA1MjExNlowKTEOMAwGA1UEChMFSUNBTk4xFzAVBgNVBAMTDklDQU5O +IEVNQUlMIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0hkeImkz +9qTSdsWAEXWO0Ohvv4n4KmraioUoQLrFI19H7XLijtNcyIo6malXLAorIvNUe4v3 +jCGiUAFPi68033L8eDHQHeu8m+b6wYTQBQeKdFOlYJ7rdZ6oXTLIAjLkv8uXm3r6 +LPZqHbhXreMDIpPQ9E+ouAHbgjOYtoftPWdAACcu1ZXSrTZGFMYXeWV/ZfOIgGV8 +ImcIIzzPpRA4cjCXkm8gSrokTErISqXcKkShKXi0n/6E/ydbOnLqMcGtBiLWRKBK +VzKc8kZH0IluICMs6rCDfsHz6trd42NZlyH6GxE5J8+Ci1YV1DaSDKV+gOAYyVAI +QgrflzycuApNsQIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE +AwIB/jAfBgNVHSMEGDAWgBS6UulJgySGUi/Hmc38jWtpCE3AUDAdBgNVHQ4EFgQU +ez+6zqGzphMuWoKE1NLqpSTxzbQwDQYJKoZIhvcNAQELBQADggEBAFAHpWE55Dvj +vBy0p7KroftHv7QcMqw8RrACJi8WPolw4ofpdplhC5HFSHrlqiQLOeBPJgPUWwGK +TbaYzBb64hJKiLlTu1Atxze4o4ItUgU+Rqfbl4JzjX3t3Z43c2hrkM1i2Hf/MlO7 +06G5y30yKXD7LpBLJxJtmaXm1O8TMsEvta5uEQ5QVqRWW3awwJkuWpQX7ivBtpyL +aKxVlTGMZis1Q6UTBBtQRBxVf0zQGlCAU0Wo49OodK19atbpmtMlfYPiV2QalH68 +y+95tVRq8bDDgSaQ5UCH7XV9g2Nbq0XANAQn6NgSJnxewEi2M31L2yOK9xMkvL57 +dMvE7e1C6y8= +-----END CERTIFICATE----- +Certificate:

• Data:

•    Version: 3 (0x2)
  

•    Serial Number: 3 (0x3)
  

•    Signature Algorithm: sha256WithRSAEncryption
  

•    Issuer: O=ICANN, OU=ICANN Certification Authority,
  

CN=ICANN Root CA, C=US

•    Validity
  

•        Not Before: Dec 23 05:07:29 2009 GMT
  

•        Not After : Dec 22 05:07:29 2014 GMT
  

•    Subject: O=ICANN, CN=ICANN SSL CA
  

•    Subject Public Key Info:
  

•        Public Key Algorithm: rsaEncryption
  

•        RSA Public Key: (2048 bit)
  

•            Modulus (2048 bit):
  

•                00:dd:c6:ab:bf:7c:66:9d:b3:2b:96:00:14:c7:60:
  

•                7a:8d:62:5b:26:4b:30:d7:b3:4c:82:69:c6:4d:4d:
  

•                73:f3:d4:91:21:5d:ab:35:f0:c8:04:0e:f4:a3:35:
  

•                e2:e1:18:a9:98:12:03:58:f8:9f:eb:77:54:5b:89:
  

•                81:26:c9:aa:c2:f4:c9:0c:82:57:2a:5e:05:e9:61:
  

•                17:cc:19:18:71:eb:35:83:c1:86:9d:ec:f1:6b:ca:
  

•                dd:a1:96:0b:95:d4:e1:0f:9e:24:6f:dc:3c:d0:28:
  

•                9e:f2:53:47:2b:a1:ad:32:03:c8:3f:0d:80:80:7d:
  

•                f0:02:d2:6e:5a:2c:44:21:9b:09:50:15:3f:a1:3d:
  

•                d3:c9:c8:24:e7:ea:4e:92:2f:94:90:2e:de:e7:68:
  

•                f6:c6:b3:90:1f:bc:c9:7b:a2:65:d7:11:e9:8b:f0:
  

•                3a:5a:b7:17:07:df:69:e3:6e:b9:54:6a:8e:3a:aa:
  

•                94:7f:2c:0a:a1:ad:ba:b7:d9:60:62:27:a7:71:40:
  

•                3b:8e:b0:84:7b:b8:c8:67:ef:66:ba:3d:ac:c3:85:
  

•                e5:86:bb:a7:9c:fd:b6:e1:c0:10:53:3d:d4:7e:1b:
  

•                09:e6:9f:22:5c:a7:27:09:7e:27:12:33:fa:df:9b:
  

•                20:2f:14:f7:17:c0:e4:1e:07:91:1f:f9:9a:cd:a8:
  

•                e2:c5
  

•            Exponent: 65537 (0x10001)
  

•    X509v3 extensions:
  

•        X509v3 Basic Constraints: critical
  

•            CA:TRUE
  

•        X509v3 Key Usage: critical
  

•            Digital Signature, Non Repudiation, Key
  

Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign

•        X509v3 Authority Key Identifier: 
  

keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50

•        X509v3 Subject Key Identifier: 
  

6E:77:A8:40:10:4A:D8:9C:0C:F2:B7:5A:3A:A5:2F:79:4A:61:14:D8

• Signature Algorithm: sha256WithRSAEncryption

•    18:42:62:df:aa:8e:44:e6:87:10:4d:d9:a6:b2:c3:97:37:43:
  

•    2e:ce:f3:e0:3c:c2:2f:e1:78:60:41:a9:2b:5d:f4:24:f5:f6:
  

•    57:a2:08:ec:9c:89:e5:54:50:a8:30:c6:20:e5:8a:c7:8b:bd:
  

•    fd:98:b6:0c:7d:1a:1f:01:a1:4a:4e:ec:0d:2a:aa:9f:fd:a9:
  

•    20:0d:b3:5c:0f:36:c0:2c:2b:c6:75:22:29:66:a3:34:bd:93:
  

•    3d:f6:28:da:90:d5:7e:91:df:d3:06:f6:69:8b:80:9b:a5:34:
  

•    af:6a:02:5b:e4:52:7d:56:4d:99:6e:fe:e9:d0:36:99:58:d9:
  

•    af:cd:79:9b:e5:d2:4c:35:90:d3:e0:68:b2:88:2b:18:39:2e:
  

•    bc:0b:d9:82:84:7f:24:12:92:d2:b9:13:4f:64:bc:46:e1:5c:
  

•    6a:ed:f7:b0:d4:66:27:25:21:86:b4:3a:5e:19:a3:c7:8b:4b:
  

•    93:b9:2e:37:e2:6d:8b:46:ee:68:39:21:75:e8:fe:2a:a7:85:
  

•    fd:68:26:96:bd:dd:f9:f1:fe:99:5f:b4:a4:97:1b:50:18:fa:
  

•    21:90:54:0c:8b:30:28:94:70:19:34:9e:5c:e1:e5:48:93:af:
  

•    aa:a3:b4:95:b2:f5:4c:97:50:44:58:97:e1:ff:e7:b2:10:dd:
  

•    2c:fe:c0:ed
  

+-----BEGIN CERTIFICATE----- +MIIDYjCCAkqgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO +TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV +BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA1MDcyOVoX +DTE0MTIyMjA1MDcyOVowJzEOMAwGA1UEChMFSUNBTk4xFTATBgNVBAMTDElDQU5O +IFNTTCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN3Gq798Zp2z +K5YAFMdgeo1iWyZLMNezTIJpxk1Nc/PUkSFdqzXwyAQO9KM14uEYqZgSA1j4n+t3 +VFuJgSbJqsL0yQyCVypeBelhF8wZGHHrNYPBhp3s8WvK3aGWC5XU4Q+eJG/cPNAo +nvJTRyuhrTIDyD8NgIB98ALSblosRCGbCVAVP6E908nIJOfqTpIvlJAu3udo9saz +kB+8yXuiZdcR6YvwOlq3FwffaeNuuVRqjjqqlH8sCqGturfZYGInp3FAO46whHu4 +yGfvZro9rMOF5Ya7p5z9tuHAEFM91H4bCeafIlynJwl+JxIz+t+bIC8U9xfA5B4H +kR/5ms2o4sUCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC +Af4wHwYDVR0jBBgwFoAUulLpSYMkhlIvx5nN/I1raQhNwFAwHQYDVR0OBBYEFG53 +qEAQSticDPK3WjqlL3lKYRTYMA0GCSqGSIb3DQEBCwUAA4IBAQAYQmLfqo5E5ocQ +TdmmssOXN0MuzvPgPMIv4XhgQakrXfQk9fZXogjsnInlVFCoMMYg5YrHi739mLYM +fRofAaFKTuwNKqqf/akgDbNcDzbALCvGdSIpZqM0vZM99ijakNV+kd/TBvZpi4Cb +pTSvagJb5FJ9Vk2Zbv7p0DaZWNmvzXmb5dJMNZDT4GiyiCsYOS68C9mChH8kEpLS +uRNPZLxG4Vxq7few1GYnJSGGtDpeGaPHi0uTuS434m2LRu5oOSF16P4qp4X9aCaW +vd358f6ZX7SklxtQGPohkFQMizAolHAZNJ5c4eVIk6+qo7SVsvVMl1BEWJfh/+ey +EN0s/sDt +-----END CERTIFICATE----- diff --git a/unbound/root.anchor b/unbound/root.anchor new file mode 100644 index 0000000..18367f8 --- /dev/null +++ b/unbound/root.anchor @@ -0,0 +1 @@ +. 98799 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58f Lj wBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9V nM VDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzE he X7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ 57 relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1 ih z0= ;{id = 19036 (ksk), size = 2048b} diff --git a/unbound/root.key b/unbound/root.key new file mode 100644 index 0000000..e340ed0 --- /dev/null +++ b/unbound/root.key @@ -0,0 +1,6 @@ +; // The root key in bind format. This can be read by most tools, including +; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this +trusted-keys { +"." 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58 fL jwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9 Vn MVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlz Eh eX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXf Z5 7relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk 1i hz0="; // key id = 19036

+}; diff --git a/unbound/systemd/unbound-anchor.service b/unbound/systemd/unbound-anchor.service new file mode 100644 index 0000000..26656b3 --- /dev/null +++ b/unbound/systemd/unbound-anchor.service @@ -0,0 +1,9 @@ +[Unit] +Description=update of the root trust anchor for DNSSEC validation in unbound +Documentation=man:unbound-anchor(8)

+[Service] +Type=oneshot +User=unbound +ExecStart=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem +SuccessExitStatus=1 diff --git a/unbound/systemd/unbound-anchor.timer b/unbound/systemd/unbound-anchor.timer new file mode 100644 index 0000000..a87bf5c --- /dev/null +++ b/unbound/systemd/unbound-anchor.timer @@ -0,0 +1,14 @@ +[Unit] +Description=daily update of the root trust anchor for DNSSEC +Documentation=man:unbound-anchor(8)

+[Timer] +# Current DNSKEY TTL in root zone is 172800 seconds, i.e. 172800/60/60/24 = 2 days. +# It means that unboud-anchor should be run at least once a day. +OnCalendar=daily +Persistent=true +AccuracySec=24h

+[Install] +WantedBy=timers.target

diff --git a/unbound/systemd/unbound-keygen.service b/unbound/systemd/unbound-keygen.service new file mode 100644 index 0000000..576408a --- /dev/null +++ b/unbound/systemd/unbound-keygen.service @@ -0,0 +1,14 @@ +[Unit] +Description=Unbound Control Key And Certificate Generator +After=syslog.target +Before=unbound.service +ConditionPathExists=!/etc/unbound/unbound_control.key

+[Service] +Type=oneshot +Group=unbound +ExecStart=/usr/sbin/unbound-control-setup -d /etc/unbound/ +RemainAfterExit=yes

+[Install] +WantedBy=multi-user.target diff --git a/unbound/systemd/unbound.service b/unbound/systemd/unbound.service new file mode 100644 index 0000000..d225389 --- /dev/null +++ b/unbound/systemd/unbound.service @@ -0,0 +1,18 @@ +[Unit] +Description=Unbound recursive Domain Name Server +After=network.target +After=unbound-keygen.service +Wants=unbound-keygen.service +Wants=unbound-anchor.timer +Before=nss-lookup.target +Wants=nss-lookup.target

+[Service] +Type=simple +ExecStartPre=/usr/sbin/unbound-checkconf +ExecStartPre=-/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem +ExecStart=/usr/sbin/unbound -d +ExecReload=/usr/sbin/unbound-control reload

+[Install] +WantedBy=multi-user.target diff --git a/unbound/unbound.conf b/unbound/unbound.conf new file mode 100644 index 0000000..4a97148 --- /dev/null +++ b/unbound/unbound.conf @@ -0,0 +1,655 @@ +# +# See unbound.conf(5) man page. +# +# this is a comment.

+#Use this to include other text into the file. +#include: "otherfile.conf"

+# The server clause sets the main parameters. +server:

• # whitespace is not necessary, but looks cleaner.
• # verbosity number, 0 is least verbose. 1 is default.
• verbosity: 1
• # print statistics to the log (for every thread) every N

seconds.

• # Set to "" or 0 to disable. Default is disabled.
• # Needed for munin plugin
• statistics-interval: 0
• # enable cumulative statistics, without clearing them

after printing.

• # Needed for munin plugin
• statistics-cumulative: yes
• # enable extended statistics (query types, answer codes,

status)

• # printed from unbound-control. default off, because of

speed.

• # Needed for munin plugin
• extended-statistics: yes
• # number of threads to create. 1 disables threading.
• num-threads: 2
• # specify the interfaces to answer queries from by ip

-address.

• # The default is to listen to localhost (127.0.0.1 and

::1).

• # specify 0.0.0.0 and ::0 to bind to all available

interfaces.

• # specify every interface on a new 'interface:' labelled

line.

• # The listen interfaces are not changed on reload, only on

restart.

• # interface: 0.0.0.0
• # interface: ::0
• # interface: 192.0.2.153
• # interface: 192.0.2.154
• # interface: 2001:DB8::5
• #
• # for dns over tls and raw dns over port 80
• # interface: 0.0.0.0@443
• # interface: ::0@443
• # interface: 0.0.0.0@80
• # interface: ::0@80
• # enable this feature to copy the source address of

queries to reply.

• # Socket options are not supported on all platforms.

experimental.

• # interface-automatic: yes
• #
• # NOTE: Enable this option when specifying interface

0.0.0.0 or ::0

• # NOTE: Disabled per Fedora policy not to listen to * on

default install

• # NOTE: If deploying on non-default port, eg 80/443, this

needs to be disabled

• interface-automatic: no
• # port to answer queries from
• # port: 53
• # specify the interfaces to send outgoing queries to

authoritative

• # server from by ip-address. If none, the default (all)

interface

• # is used. Specify every interface on a 'outgoing

-interface:' line.

• # outgoing-interface: 192.0.2.153
• # outgoing-interface: 2001:DB8::5
• # outgoing-interface: 2001:DB8::6
• # number of ports to allocate per thread, determines the

size of the

• # port range that can be open simultaneously. About

double the

• # num-queries-per-thread, or, use as many as the OS will

allow you.

• # outgoing-range: 4096
• # permit unbound to use this port number or port range for
• # making outgoing queries, using an outgoing interface.
• # Only ephemeral ports are allowed by SElinux
• outgoing-port-permit: 32768-65535
• # deny unbound the use this of port number or port range

for

• # making outgoing queries, using an outgoing interface.
• # Use this to make sure unbound does not grab a UDP port

that some

• # other server on this computer needs. The default is to

avoid

• # IANA-assigned port numbers.
• # Our SElinux policy does not allow non-ephemeral ports to

be used

• outgoing-port-avoid: 0-32767
• # number of outgoing simultaneous tcp buffers to hold per

thread.

• # outgoing-num-tcp: 10
• # number of incoming simultaneous tcp buffers to hold per

thread.

• # incoming-num-tcp: 10
• # buffer size for UDP port 53 incoming (SO_RCVBUF socket

option).

• # 0 is system default. Use 4m to catch query spikes for

busy servers.

• # so-rcvbuf: 0
• # buffer size for UDP port 53 outgoing (SO_SNDBUF socket

option).

• # 0 is system default. Use 4m to handle spikes on very

busy servers.

• # so-sndbuf: 0
• # use SO_REUSEPORT to distribute queries over threads.
• # so-reuseport: no
• # EDNS reassembly buffer to advertise to UDP peers (the

actual buffer

• # is set with msg-buffer-size). 1480 can solve

fragmentation (timeouts).

• # edns-buffer-size: 4096
• # Maximum UDP response size (not applied to TCP response).
• # Suggested values are 512 to 4096. Default is 4096. 65536

disables it.

• # 3072 causes +dnssec any isc.org queries to need TC=1.

Helps mitigating DDOS

• max-udp-size: 3072
• # buffer size for handling DNS data. No messages larger

than this

• # size can be sent or received, by UDP or TCP. In bytes.
• # msg-buffer-size: 65552
• # the amount of memory to use for the message cache.
• # plain value in bytes or you can append k, m or G.

default is "4Mb".

• # msg-cache-size: 4m
• # the number of slabs to use for the message cache.
• # the number of slabs must be a power of 2.
• # more slabs reduce lock contention, but fragment memory

usage.

• # msg-cache-slabs: 4
• # the number of queries that a thread gets to service.
• # num-queries-per-thread: 1024
• # if very busy, 50% queries run to completion, 50% get

timeout in msec

• # jostle-timeout: 200
• # msec to wait before close of port on timeout UDP. 0

disables.

• # delay-close: 0
• # the amount of memory to use for the RRset cache.
• # plain value in bytes or you can append k, m or G.

default is "4Mb".

• # rrset-cache-size: 4m
• # the number of slabs to use for the RRset cache.
• # the number of slabs must be a power of 2.
• # more slabs reduce lock contention, but fragment memory

usage.

• # rrset-cache-slabs: 4
• # the time to live (TTL) value lower bound, in seconds.

Default 0.

• # If more than an hour could easily give trouble due to

stale data.

• # cache-min-ttl: 0
• # the time to live (TTL) value cap for RRsets and messages

in the

• # cache. Items are not cached for longer. In seconds.
• # cache-max-ttl: 86400
• # the time to live (TTL) value cap for negative responses

in the cache

• # cache-max-negative-ttl: 3600
• # the time to live (TTL) value for cached roundtrip times,

lameness and

• # EDNS version information for hosts. In seconds.
• # infra-host-ttl: 900
• # minimum wait time for responses, increase if uplink is

long. In msec.

• # infra-cache-min-rtt: 50
• # the number of slabs to use for the Infrastructure cache.
• # the number of slabs must be a power of 2.
• # more slabs reduce lock contention, but fragment memory

usage.

• # infra-cache-slabs: 4
• # the maximum number of hosts that are cached (roundtrip,

EDNS, lame).

• # infra-cache-numhosts: 10000
• # Enable IPv4, "yes" or "no".
• # do-ip4: yes
• # Enable IPv6, "yes" or "no".
• # do-ip6: yes
• # Enable UDP, "yes" or "no".
• # NOTE: if setting up an unbound on tls443 for public use,

you might want to

• # disable UDP to avoid being used in DNS amplification

attacks.

• # do-udp: yes
• # Enable TCP, "yes" or "no".
• # do-tcp: yes
• # upstream connections use TCP only (and no UDP), "yes" or

"no"

• # useful for tunneling scenarios, default no.
• # tcp-upstream: no
• # Detach from the terminal, run in background, "yes" or

"no".

• # do-daemonize: yes
• # control which clients are allowed to make (recursive)

queries

• # to this server. Specify classless netblocks with /size

and action.

• # By default everything is refused, except for localhost.
• # Choose deny (drop message), refuse (polite error reply),
• # allow (recursive ok), allow_snoop (recursive and

nonrecursive ok)

• # deny_non_local (drop queries unless can be answered from

local-data)

• # refuse_non_local (like deny_non_local but polite error

reply).

• # access-control: 0.0.0.0/0 refuse
• # access-control: 127.0.0.0/8 allow
• # access-control: ::0/0 refuse
• # access-control: ::1 allow
• # access-control: ::ffff:127.0.0.1 allow
• # if given, a chroot(2) is done to the given directory.
• # i.e. you can chroot to the working directory, for

example,

• # for extra security, but make sure all files are in that

directory.

• #
• # If chroot is enabled, you should pass the configfile

(from the

• # commandline) as a full path from the original root.

After the

• # chroot has been performed the now defunct portion of the

config

• # file path is removed to be able to reread the config

after a reload.

• #
• # All other file paths (working dir, logfile, roothints,

and

• # key files) can be specified in several ways:
• # o as an absolute path relative to the new root.
• # o as a relative path to the working directory.
• # o as an absolute path relative to the original

root.

• # In the last case the path is adjusted to remove the

unused portion.

• #
• # The pid file can be absolute and outside of the chroot,

it is

• # written just prior to performing the chroot and dropping

permissions.

• #
• # Additionally, unbound may need to access /dev/random

(for entropy).

• # How to do this is specific to your OS.
• #
• # If you give "" no chroot is performed. The path must not

end in a /.

• # chroot: "/var/lib/unbound"
• chroot: ""
• # if given, user privileges are dropped (after binding

port),

• # and the given username is assumed. Default is user

"unbound".

• # If you give "" no privileges are dropped.
• username: "unbound"
• # the working directory. The relative files in this config

are

• # relative to this directory. If you give "" the working

directory

• # is not changed.
• directory: "/etc/unbound"
• # the log file, "" means log to stderr.
• # Use of this option sets use-syslog to "no".
• # logfile: ""
• # Log to syslog(3) if yes. The log facility LOG_DAEMON is

used to

• # log to, with identity "unbound". If yes, it overrides

the logfile.

• # use-syslog: yes
• # print UTC timestamp in ascii to logfile, default is

epoch in seconds.

• log-time-ascii: yes
• # print one line with time, IP, name, type, class for

every query.

• # log-queries: no
• # the pid file. Can be an absolute path outside of

chroot/work dir.

• pidfile: "/var/run/unbound/unbound.pid"
• # file to read root hints from.
• # get one from ftp://FTP.INTERNIC.NET/domain/named.cache
• # root-hints: ""
• # enable to not answer id.server and hostname.bind

queries.

• # hide-identity: no
• # enable to not answer version.server and version.bind

queries.

• # hide-version: no
• # the identity to report. Leave "" or default to return

hostname.

• # identity: ""
• # the version to report. Leave "" or default to return

package version.

• # version: ""
• # the target fetch policy.
• # series of integers describing the policy per dependency

depth.

• # The number of values in the list determines the maximum

dependency

• # depth the recursor will pursue before giving up. Each

integer means:

• # -1 : fetch all targets opportunistically,
• # 0: fetch on demand,
• # positive value: fetch that many targets

opportunistically.

• # Enclose the list of numbers between quotes ("").
• # target-fetch-policy: "3 2 1 0 0"
• # Harden against very small EDNS buffer sizes.
• # harden-short-bufsize: no
• # Harden against unseemly large queries.
• # harden-large-queries: no
• # Harden against out of zone rrsets, to avoid spoofing

attempts.

• harden-glue: yes
• # Harden against receiving dnssec-stripped data. If you

turn it

• # off, failing to validate dnskey data for a trustanchor

will

• # trigger insecure mode for that zone (like without a

trustanchor).

• # Default on, which insists on dnssec data for trust

-anchored zones.

• harden-dnssec-stripped: yes
• # Harden against queries that fall under dnssec-signed

nxdomain names.

• harden-below-nxdomain: yes
• # Harden the referral path by performing additional

queries for

• # infrastructure data. Validates the replies (if

possible).

• # Default off, because the lookups burden the server.

Experimental

• # implementation of draft-wijngaards-dnsext-resolver-side

-mitigation.

• harden-referral-path: yes
• # Use 0x20-encoded random bits in the query to foil spoof

attempts.

• # This feature is an experimental implementation of draft

dns-0x20.

• # (this now fails on all GoDaddy customer domains, so

disabled)

• use-caps-for-id: no
• # Enforce privacy of these addresses. Strips them away

from answers.

• # It may cause DNSSEC validation to additionally mark it

as bogus.

• # Protects against 'DNS Rebinding' (uses browser as

network proxy).

• # Only 'private-domain' and 'local-data' names are allowed

to have

• # these private addresses. No default.
• # private-address: 10.0.0.0/8
• # private-address: 172.16.0.0/12
• # private-address: 192.168.0.0/16
• # private-address: 169.254.0.0/16
• # private-address: fd00::/8
• # private-address: fe80::/10
• # Allow the domain (and its subdomains) to contain private

addresses.

• # local-data statements are allowed to contain private

addresses too.

• # private-domain: "example.com"
• # If nonzero, unwanted replies are not only reported in

statistics,

• # but also a running total is kept per thread. If it

reaches the

• # threshold, a warning is printed and a defensive action

is taken,

• # the cache is cleared to flush potential poison out of

it.

• # A suggested value is 10000000, the default is 0 (turned

off).

• unwanted-reply-threshold: 10000000
• # Do not query the following addresses. No DNS queries are

sent there.

• # List one address per entry. List classless netblocks

with /size,

• # do-not-query-address: 127.0.0.1/8
• # do-not-query-address: ::1
• # if yes, the above default do-not-query-address entries

are present.

• # if no, localhost can be queried (for testing and

debugging).

• # do-not-query-localhost: yes
• # if yes, perform prefetching of almost expired message

cache entries.

• prefetch: yes
• # if yes, perform key lookups adjacent to normal lookups.
• prefetch-key: yes
• # if yes, Unbound rotates RRSet order in response.
• rrset-roundrobin: yes
• # if yes, Unbound doesn't insert authority/additional

sections

• # into response messages when those sections are not

required.

• minimal-responses: yes
• # module configuration of the server. A string with

identifiers

• # separated by spaces. "iterator" or "validator iterator"
• # module-config: "validator iterator"
• # File with trusted keys, kept uptodate using RFC5011

probes,

• # initial file like trust-anchor-file, then it stores

metadata.

• # Use several entries, one per domain name, to track

multiple zones.

• #
• # If you want to perform DNSSEC validation, run unbound

-anchor before

• # you start unbound (i.e. in the system boot scripts).

And enable:

• # Please note usage of unbound-anchor root anchor is at

your own risk

• # and under the terms of our LICENSE (see that file in the

source).

• # auto-trust-anchor-file: "/var/lib/unbound/root.key"
• # File with DLV trusted keys. Same format as trust-anchor

-file.

• # There can be only one DLV configured, it is trusted from

root down.

• # Downloaded from

https://secure.isc.org/ops/dlv/dlv.isc.org.key

• #
• # ISC's DLV registry is being deprecated in the near

future, therefore

• # it is not used in the default configuration. The use of

ISC's DLV

• # registry is discouraged.
• # dlv-anchor-file: "/etc/unbound/dlv.isc.org.key"
• # File with trusted keys for validation. Specify more than

one file

• # with several entries, one file per entry.
• # Zone file format, with DS and DNSKEY entries.
• # trust-anchor-file: ""
• # File with trusted keys, kept uptodate using RFC5011

probes,

• # initial file like trust-anchor-file, then it stores

metadata.

• # Use several entries, one per domain name, to track

multiple zones.

• # auto-trust-anchor-file: ""
• # Trusted key for validation. DS or DNSKEY. specify the RR

on a

• # single line, surrounded by "". TTL is ignored. class is

IN default.

• # (These examples are from August 2007 and may not be

valid anymore).

• # trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5

AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ=="

• # trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1

14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A"

• # File with trusted keys for validation. Specify more than

one file

• # with several entries, one file per entry. Like trust

-anchor-file

• # but has a different file format. Format is BIND-9 style

format,

• # the trusted-keys { name flag proto algo "key"; };

clauses are read.

• # trusted-keys-file: ""
• #
• # trusted-keys-file: /etc/unbound/rootkey.bind
• trusted-keys-file: /etc/unbound/keys.d/*.key
• auto-trust-anchor-file: "/var/lib/unbound/root.key"
• # Ignore chain of trust. Domain is treated as insecure.
• # domain-insecure: "example.com"
• # Override the date for validation with a specific fixed

date.

• # Do not set this unless you are debugging signature

inception

• # and expiration. "" or "0" turns the feature off.
• # val-override-date: ""
• # The time to live for bogus data, rrsets and messages.

This avoids

• # some of the revalidation, until the time interval

expires. in secs.

• # val-bogus-ttl: 60
• # The signature inception and expiration dates are allowed

to be off

• # by 10% of the lifetime of the signature from our local

clock.

• # This leeway is capped with a minimum and a maximum. In

seconds.

• # val-sig-skew-min: 3600
• # val-sig-skew-max: 86400
• # Should additional section of secure message also be kept

clean of

• # unsecure data. Useful to shield the users of this

validator from

• # potential bogus data in the additional section. All

unsigned data

• # in the additional section is removed from secure

messages.

• val-clean-additional: yes
• # Turn permissive mode on to permit bogus messages. Thus,

messages

• # for which security checks failed will be returned to

clients,

• # instead of SERVFAIL. It still performs the security

checks, which

• # result in interesting log files and possibly the AD bit

in

• # replies if the message is found secure. The default is

off.

• # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
• val-permissive-mode: no
• # Ignore the CD flag in incoming queries and refuse them

bogus data.

• # Enable it if the only clients of unbound are legacy

servers (w2008)

• # that set CD but cannot validate themselves.
• # ignore-cd-flag: no
• # Have the validator log failed validations for your

diagnosis.

• # 0: off. 1: A line per failed user query. 2: With reason

and bad IP.

• val-log-level: 1
• # It is possible to configure NSEC3 maximum iteration

counts per

• # keysize. Keep this table very short, as linear search is

done.

• # A message with an NSEC3 with larger count is marked

insecure.

• # List in ascending order the keysize and count values.
• # val-nsec3-keysize-iterations: "1024 150 2048 500 4096

2500"

• # instruct the auto-trust-anchor-file probing to add

anchors after ttl.

• # add-holddown: 2592000 # 30 days
• # instruct the auto-trust-anchor-file probing to del

anchors after ttl.

• # del-holddown: 2592000 # 30 days
• # auto-trust-anchor-file probing removes missing anchors

after ttl.

• # If the value 0 is given, missing anchors are not

removed.

• # keep-missing: 31622400 # 366 days
• # the amount of memory to use for the key cache.
• # plain value in bytes or you can append k, m or G.

default is "4Mb".

• # key-cache-size: 4m
• # the number of slabs to use for the key cache.
• # the number of slabs must be a power of 2.
• # more slabs reduce lock contention, but fragment memory

usage.

• # key-cache-slabs: 4
• # the amount of memory to use for the negative cache (used

for DLV).

• # plain value in bytes or you can append k, m or G.

default is "1Mb".

• # neg-cache-size: 1m
• # By default, for a number of zones a small default

'nothing here'

• # reply is built-in. Query traffic is thus blocked. If

you

• # wish to serve such zone you can unblock them by

uncommenting one

• # of the nodefault statements below.
• # You may also have to use domain-insecure: zone to make

DNSSEC work,

• # unless you have your own trust anchors for this zone.
• # local-zone: "localhost." nodefault
• # local-zone: "127.in-addr.arpa." nodefault
• # local-zone:

"1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip 6. arpa." nodefault

• # local-zone: "10.in-addr.arpa." nodefault
• # local-zone: "16.172.in-addr.arpa." nodefault
• # local-zone: "17.172.in-addr.arpa." nodefault
• # local-zone: "18.172.in-addr.arpa." nodefault
• # local-zone: "19.172.in-addr.arpa." nodefault
• # local-zone: "20.172.in-addr.arpa." nodefault
• # local-zone: "21.172.in-addr.arpa." nodefault
• # local-zone: "22.172.in-addr.arpa." nodefault
• # local-zone: "23.172.in-addr.arpa." nodefault
• # local-zone: "24.172.in-addr.arpa." nodefault
• # local-zone: "25.172.in-addr.arpa." nodefault
• # local-zone: "26.172.in-addr.arpa." nodefault
• # local-zone: "27.172.in-addr.arpa." nodefault
• # local-zone: "28.172.in-addr.arpa." nodefault
• # local-zone: "29.172.in-addr.arpa." nodefault
• # local-zone: "30.172.in-addr.arpa." nodefault
• # local-zone: "31.172.in-addr.arpa." nodefault
• # local-zone: "168.192.in-addr.arpa." nodefault
• # local-zone: "0.in-addr.arpa." nodefault
• # local-zone: "254.169.in-addr.arpa." nodefault
• # local-zone: "2.0.192.in-addr.arpa." nodefault
• # local-zone: "100.51.198.in-addr.arpa." nodefault
• # local-zone: "113.0.203.in-addr.arpa." nodefault
• # local-zone: "255.255.255.255.in-addr.arpa." nodefault
• # local-zone:

"0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip 6. arpa." nodefault

• # local-zone: "d.f.ip6.arpa." nodefault
• # local-zone: "8.e.f.ip6.arpa." nodefault
• # local-zone: "9.e.f.ip6.arpa." nodefault
• # local-zone: "a.e.f.ip6.arpa." nodefault
• # local-zone: "b.e.f.ip6.arpa." nodefault
• # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
• # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
• # if unbound is running service for the local host then it

is useful

• # to perform lan-wide lookups to the upstream, and unblock

the

• # long list of local-zones above. If this unbound is a

dns server

• # for a network of computers, disabled is better and stops

information

• # leakage of local lan information.
• # unblock-lan-zones: no
• # a number of locally served zones can be configured.
• # local-zone: <zone> <type>
• # local-data: "<resource record string>"
• # o deny serves local data (if any), else, drops queries.
• # o refuse serves local data (if any), else, replies with

error.

• # o static serves local data, else, nxdomain or nodata

answer.

• # o transparent gives local data, but resolves normally

for other names

• # o redirect serves the zone data for any subdomain in the

zone.

• # o nodefault can be used to normally resolve AS112 zones.
• # o typetransparent resolves normally for other types and

other names

• # o inform resolves normally, but logs client IP address
• #
• # defaults are localhost address, reverse for 127.0.0.1

and ::1

• # and nxdomain for AS112 zones. If you configure one of

these zones

• # the default content is omitted, or you can omit it with

'nodefault'.

• #
• # If you configure local-data without specifying local

-zone, by

• # default a transparent local-zone is created for the

data.

• #
• # You can add locally served data with
• # local-zone: "local." static
• # local-data: "mycomputer.local. IN A 192.0.2.51"
• # local-data: 'mytext.local TXT "content of text record"'
• #
• # You can override certain queries with
• # local-data: "adserver.example.com A 127.0.0.1"
• #
• # You can redirect a domain to a fixed address with
• # (this makes example.com, www.example.com, etc, all go to

192.0.2.3)

• # local-zone: "example.com" redirect
• # local-data: "example.com A 192.0.2.3"
• #
• # Shorthand to make PTR records, "IPv4 name" or "IPv6

name".

• # You can also add PTR records using local-data directly,

but then

• # you need to do the reverse notation yourself.
• # local-data-ptr: "192.0.2.3 www.example.com"
• include: /etc/unbound/local.d/*.conf
• # service clients over SSL (on the TCP sockets), with

plain DNS inside

• # the SSL stream. Give the certificate to use and private

key.

• # default is "" (disabled). requires restart to take

effect.

• # ssl-service-key: "/etc/unbound/unbound_server.key"
• # ssl-service-pem: "/etc/unbound/unbound_server.pem"
• # ssl-port: 443
• # request upstream over SSL (with plain DNS inside the SSL

stream).

• # Default is no. Can be turned on and off with unbound

-control.

• # ssl-upstream: no
• # DNS64 prefix. Must be specified when DNS64 is use.
• # Enable dns64 in module-config. Used to synthesize IPv6

from IPv4.

• # dns64-prefix: 64:ff9b::0/96

+# Python config section. To enable: +# o use --with-pythonmodule to configure before compiling. +# o list python in the module-config string (above) to enable. +# o and give a python-script to run. +python:

• # Script file to load
• # python-script: "/etc/unbound/ubmodule-tst.py"

+# Remote control config section. +remote-control:

• # Enable remote control with unbound-control(8) here.
• # set up the keys and certificates with unbound-control

-setup.

• # Note: required for unbound-munin package
• control-enable: yes
• # Set to no and use an absolute path as control-interface

to use

• # a unix local named pipe for unbound-control.
• # control-use-cert: yes
• # what interfaces are listened to for remote control.
• # give 0.0.0.0 and ::0 to listen to all interfaces.
• # control-interface: 127.0.0.1
• # control-interface: ::1
• # port number for remote control operations.
• # control-port: 953
• # unbound server key file.
• server-key-file: "/etc/unbound/unbound_server.key"
• # unbound server certificate file.
• server-cert-file: "/etc/unbound/unbound_server.pem"
• # unbound-control key file.
• control-key-file: "/etc/unbound/unbound_control.key"
• # unbound-control certificate file.
• control-cert-file: "/etc/unbound/unbound_control.pem"

+# Stub and Forward zones

+include: /etc/unbound/conf.d/*.conf

+# Stub zones. +# Create entries like below, to make all queries for 'example.com' and +# 'example.org' go to the given list of nameservers. list zero or more +# nameservers by hostname or by ipaddress. If you set stub-prime to yes, +# the list is treated as priming hints (default is no). +# stub-zone: +# name: "example.com" +# stub-addr: 192.0.2.68 +# stub-prime: "no" +# stub-zone: +# name: "example.org" +# stub-host: ns.example.com. +# You can now also dynamically create and delete stub-zone's using +# unbound-control stub_add domain.com 1.2.3.4 5.6.7.8 +# unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8

+# Forward zones +# Create entries like below, to make all queries for 'example.com' and +# 'example.org' go to the given list of servers. These servers have to handle +# recursion to other nameservers. List zero or more nameservers by hostname +# or by ipaddress. Use an entry with name "." to forward all queries. +# If you enable forward-first, it attempts without the forward if it fails. +# forward-zone: +# name: "example.com" +# forward-addr: 192.0.2.68 +# forward-addr: 192.0.2.73@5355 # forward to port 5355. +# forward-first: no +# forward-zone: +# name: "example.org" +# forward-host: fwd.example.com +# +# You can now also dynamically create and delete forward-zone's using +# unbound-control forward_add domain.com 1.2.3.4 5.6.7.8 +# unbound-control forward_remove domain.com 1.2.3.4 5.6.7.8 diff --git a/unbound/unbound.nm b/unbound/unbound.nm new file mode 100644 index 0000000..b32ac2a --- /dev/null +++ b/unbound/unbound.nm @@ -0,0 +1,158 @@ +################################################################## ## ########### +# IPFire.org - An Open Source Firewall Solution

      #

+# Copyright (C) - IPFire Development Team info@ipfire.org

      #

+################################################################## ## ###########

+name = unbound +version = 1.5.5 +release = 1

+groups = System/Daemons +url = http://www.nlnetlabs.nl/unbound/ +license = BSD +summary = A validating, recursive, and caching DNS(SEC) resolver.

+description

• Unbound is a validating, recursive, and caching DNS(SEC)

resolver.

• The C implementation of Unbound is developed and

maintained by NLnet

• Labs and is based on ideas and algorithms taken from a

java prototype

• developed by Verisign labs, Nominet, Kirei and ep.net.

Unbound is

• designed as a set of modular components, so that also
• DNSSEC (secure DNS) validation and stub-resolvers are

easily possible. +end

+source_dl = http://www.unbound.net/downloads/

+build

• requires

• expat-devel
  

• libevent-devel
  

• openssl-devel >= 1.0.1h-2
  

• python3-devel >= 3.4
  

• swig
  

• end
• configure_options += \

• --with-conf
  

-file=%{sysconfdir}/%{name}/unbound.conf \

• --with
  

-pidfile=%{localstatedir}/run/%{name}/%{name}.pid \

• --with-rootkey
  

-file=%{sharedstatedir}/unbound/root.key \

• --with-libevent \
  

• --with-pthreads \
  

• --disable-rpath \
  

• --disable-static \
  

• --with-ssl \
  

• --enable-sha2 \
  

• --with-pythonmodule \
  

• --with-pyunbound PYTHON=%{python3}
  

• test

• make check
  

• end
• install_cmds

• # Create directories.
  

• mkdir -pv %{BUILDROOT}%{localstatedir}/run/%{name}
  

• mkdir -pv %{BUILDROOT}%{sharedstatedir}/%{name}
  

• # Directory for user specified and additional
  

config files.

• mkdir -pv
  

%{BUILDROOT}%{sysconfdir}/%{name}/conf.d/

• # Directory for stub and forward zones.
  

• mkdir -pv
  

%{BUILDROOT}%{sysconfdir}/%{name}/local.d/

• # Directory for trusted-keys-file.
  

• mkdir -pv
  

%{BUILDROOT}%{sysconfdir}/%{name}/keys.d/

• # Install unbound config file.
  

• install -p -m 0664 %{DIR_SOURCE}/%{name}.conf \
  

• 	%{BUILDROOT}%{sysconfdir}/%{name}/
  

• # Install pem file for icannbundle.
  

• install -p -m 0664 %{DIR_SOURCE}/icannbundle.pem \
  

• 	%{BUILDROOT}%{sysconfdir}/%{name}/
  

• # Install root and DLV keys.
  

• install -p -m 0644 %{DIR_SOURCE}/root.key \
  

• 	%{BUILDROOT}%{sysconfdir}/%{name}/
  

• install -p -m 0664 %{DIR_SOURCE}/dlv.isc.org.key \
  

• 	%{BUILDROOT}%{sysconfdir}/%{name}/
  

• install -p -m 0664 %{DIR_SOURCE}/root.anchor \
  

• 	%{BUILDROOT}%{sharedstatedir}/%{name}/root
  

.k ey

• # Fix ownership.
  

• chown -R unbound:unbound
  

%{BUILDROOT}%{sharedstatedir}/%{name}/

• end

+end

+create_user

• getent group unound >/dev/null || /usr/sbin/groupadd -r

unbound

• getent passwd unbound >/dev/null || /usr/sbin/useradd -r

-g unbound \

• -d %{sysconfdir}/%{name} -s /sbin/nologin unbound
  

+end

+packages

• package %{name}

• prerequires
  

• 	shadow-utils
  

• 	systemd-units
  

• end
  

• requires += \
  

• 	openssl >= 1.0.1h-2
  

• configfiles
  

• 	%{sysconfdir}/%{name}.conf
  

• end
  

• datafiles
  

• 	%{sysconfdir}/%{name}/conf.d/
  

• 	%{sysconfdir}/%{name}/local.d/
  

• 	%{sysconfdir}/%{name}/keys.d/
  

• end
  

• script prein
  

• 	%{create_user}
  

• end
  

• script postin
  

• 	/bin/systemctl daemon-reload >/dev/null
  

2>&1

...

...

:

• 	# Enable root anchor for DNSSEC
  

validation.

• 	systemctl enable unbound-anchor.timer
  

...

/dev/null 2>&1 || :

• end
  

• script preun
  

• 	systemctl --no-reload disable unbound
  

-anchor.timer >/dev/null 2>&1 || :

• 	systemctl --no-reload disable unbound
  

-keygen.service >/dev/null 2>&1 || :

• 	systemctl --no-reload disable
  

unbound.service >/dev/null 2>&1 || :

• 	systemctl stop unbound.service >/dev/null
  

2>&1 || :

• 	systemctl stop unbound-keygen.service
  

...

/dev/null 2>&1 || :

• end
  

• script postun
  

• 	systemctl daemon-reload >/dev/null 2>&1 ||
  

:

• end
  

• script postup
  

• 	systemctl daemon-reload >/dev/null 2>&1 ||
  

:

• 	systemctl try-restart unbound
  

-keygen.service

...

/dev/null 2>&1 || :

• 	systemctl try-restart unbound.service
  

...

/dev/null 2>&1 || :

• end
  

• end
• package %{name}-libs

• template LIBS
  

• end
• package python3-%{name}

• template PYTHON3
  

• end
• package %{name}-devel

• template DEVEL
  

• end
• package %{name}-debuginfo

• template DEBUGINFO
  

• end

+end diff --git a/unbound/unbound.tmpfiles b/unbound/unbound.tmpfiles new file mode 100644 index 0000000..d625589 --- /dev/null +++ b/unbound/unbound.tmpfiles @@ -0,0 +1 @@