This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via cc60329d88d647a425812b8fb1ff31bb6752f576 (commit) via b29c97b1685c4eafdbc30841f5eae358befc8343 (commit) via f58002a83f279246cdd58bfb5e9dfbf9d5aa99c7 (commit) via 9f50355a8c192e453998b6bd15c26b94eabcc72f (commit) from a1de9f6fc9cd011cc33708bae31a731394b6d26a (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit cc60329d88d647a425812b8fb1ff31bb6752f576 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Oct 2 15:32:14 2016 +0200
Add search domain to /etc/resolv.conf at boot time
unbound does not append the local domain to the request any more (like dnsmasq did). Therefore, the client needs to do that if desired.
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit b29c97b1685c4eafdbc30841f5eae358befc8343 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Oct 2 15:25:23 2016 +0200
unbound: Test upstream name servers before using
unbound has some trouble with validating DNSSEC-enabled domains when the upstream name server is stripping signatures from the authoritative responses.
This script now checks that, removes any broken upstream name servers from the list and prints a warning.
If all name servers fail the test, unbound falls back into recursor mode.
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit f58002a83f279246cdd58bfb5e9dfbf9d5aa99c7 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Oct 2 13:36:07 2016 +0200
core106: Add DNS root key to exclude list
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 9f50355a8c192e453998b6bd15c26b94eabcc72f Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Oct 2 13:35:45 2016 +0200
unbound: Update to 1.5.10
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
-----------------------------------------------------------------------
Summary of changes: config/rootfiles/common/unbound | 2 +- config/rootfiles/core/106/exclude | 1 + config/rootfiles/core/106/filelists/files | 1 + lfs/unbound | 4 +- src/initscripts/init.d/localnet | 10 ++ src/initscripts/init.d/unbound | 151 ++++++++++++++++++++++++++++-- 6 files changed, 157 insertions(+), 12 deletions(-)
Difference in files:
diff --git a/config/rootfiles/common/unbound b/config/rootfiles/common/unbound
index 463f5dc..722d730 100644
--- a/config/rootfiles/common/unbound
+++ b/config/rootfiles/common/unbound
@@ -10,7 +10,7 @@ etc/unbound/unbound.conf
 #usr/lib/libunbound.la
 #usr/lib/libunbound.so
 usr/lib/libunbound.so.2
-usr/lib/libunbound.so.2.4.1
+usr/lib/libunbound.so.2.4.2
 usr/sbin/unbound
 usr/sbin/unbound-anchor
 usr/sbin/unbound-checkconf
diff --git a/config/rootfiles/core/106/exclude b/config/rootfiles/core/106/exclude
index 7ddeae0..1d8d74e 100644
--- a/config/rootfiles/core/106/exclude
+++ b/config/rootfiles/core/106/exclude
@@ -23,6 +23,7 @@ var/ipfire/dma
 var/ipfire/time
 var/ipfire/ovpn
 var/lib/alternatives
+var/lib/unbound/root.key
 var/log/cache
 var/state/dhcp/dhcpd.leases
 var/updatecache
diff --git a/config/rootfiles/core/106/filelists/files b/config/rootfiles/core/106/filelists/files
index 1d5d4df..3d8cf8d 100644
--- a/config/rootfiles/core/106/filelists/files
+++ b/config/rootfiles/core/106/filelists/files
@@ -2,6 +2,7 @@ etc/system-release
 etc/issue
 etc/login.defs
 etc/rc.d/init.d/dhcp
+etc/rc.d/init.d/localnet
 etc/rc.d/init.d/network
 etc/rc.d/init.d/networking/red.down/05-update-dns-forwarders
 etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders
diff --git a/lfs/unbound b/lfs/unbound
index 9c85893..b2ef6ac 100644
--- a/lfs/unbound
+++ b/lfs/unbound
@@ -24,7 +24,7 @@
include Config
-VER = 1.5.9
+VER = 1.5.10
 THISAPP = unbound-$(VER)
 DL_FILE = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 0cefa62c1690b4db18583db84bff00e3
+$(DL_FILE)_MD5 = 0a3a236811f1ab5c1dc31974fa74e047
install : $(TARGET)
diff --git a/src/initscripts/init.d/localnet b/src/initscripts/init.d/localnet
index c1e5b29..ff374bb 100644
--- a/src/initscripts/init.d/localnet
+++ b/src/initscripts/init.d/localnet
@@ -15,6 +15,13 @@
 . /etc/sysconfig/rc
 . ${rc_functions}
+write_resolv_conf() {
+(
+[ -n "${DOMAINNAME}" ] && echo "search ${DOMAINNAME}"
+echo "nameserver 127.0.0.1"
+) > /etc/resolv.conf
+}
+
 case "${1}" in
 start)
 eval $(/usr/local/bin/readhash /var/ipfire/main/settings)
@@ -32,6 +39,9 @@ case "${1}" in
 domainname ${DOMAINNAME}
 evaluate_retval
 fi
+
+# Update resolv.conf
+write_resolv_conf
 ;;
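Review bot: write_resolv_conf truncates /etc/resolv.conf with `>` and then fills it in two separate echo calls, so any process that resolves a name in that window reads an empty or half-written file. Writing to a sibling temporary file and renaming it into place keeps the update atomic: `) > /etc/resolv.conf.tmp` followed by `mv -f /etc/resolv.conf.tmp /etc/resolv.conf`. DOMAINNAME comes from the readhash of the settings file later in start and is not checked here; a value containing whitespace would become several search domains, presumably acceptable because it is operator-configured, but worth a comment.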
 stop)
diff --git a/src/initscripts/init.d/unbound b/src/initscripts/init.d/unbound
index 1b2649f..4d2b266 100644
--- a/src/initscripts/init.d/unbound
+++ b/src/initscripts/init.d/unbound
@@ -7,6 +7,11 @@
 . /etc/sysconfig/rc
 . ${rc_functions}
+TEST_DOMAIN="ipfire.org"
+
+# This domain will never validate
+TEST_DOMAIN_FAIL="dnssec-failed.org"
+
 USE_FORWARDERS=1
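Review bot: TEST_DOMAIN and TEST_DOMAIN_FAIL are never reassigned, so `readonly TEST_DOMAIN="ipfire.org"` and `readonly TEST_DOMAIN_FAIL="dnssec-failed.org"` state that intent and guard against a stray assignment elsewhere in the script. A comment above them should also record that the forwarder checks further down query these two external zones through each candidate server, so a result depends on those zones being reachable and on dnssec-failed.org staying deliberately broken, not only on the forwarder under test.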
 # Cache any local zones for 60 seconds
@@ -53,18 +58,45 @@ config_header() {
 }
update_forwarders() {
-local forwarders="$(read_name_servers)"
+if [ "${USE_FORWARDERS}" = "1" -a -e "/var/ipfire/red/active" ]; then
+local forwarders
+local broken_forwarders
+
+local ns
+for ns in $(read_name_servers); do
+test_name_server ${ns} &>/dev/null
+case "$?" in
+# Only use DNSSEC-validating or DNSSEC-aware name servers
+0|2)
+forwarders="${forwarders} ${ns}"
+;;
+*)
+broken_forwarders="${broken_forwarders} ${ns}"
+;;
+esac
+done
+
+# Show warning for any broken upstream name servers
+if [ -n "${broken_forwarders}" ]; then
+boot_mesg "Ignoring broken upstream name server(s): ${broken_forwarders:1}" ${WARNING}
+echo_warning
+fi
-if [ "${USE_FORWARDERS}" = "1" ] && [ -n "${forwarders}" ]; then
-boot_mesg "Using Name Server(s): ${forwarders}"
-boot_mesg_flush
+if [ -n "${broken_forwarders}" -a -z "${forwarders}" ]; then
+boot_mesg "Falling back to recursor mode" ${WARNING}
+echo_warning
-unbound-control -q forward ${forwarders}
+elif [ -n "${forwarders}" ]; then
+boot_mesg "Configuring upstream name server(s): ${forwarders:1}" ${INFO}
+echo_ok
-# If forwarders cannot be used we run in recursor mode
-else
-unbound-control -q forward off
+unbound-control -q forward ${forwarders}
+return 0
+fi
 fi
+
+# If forwarders cannot be used we run in recursor mode
+unbound-control -q forward off
 }
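Review bot: `test_name_server ${ns} &>/dev/null` throws away the stderr line in which test_name_server names the record types it could not fetch, so the boot warning below can only say that a server was ignored, never why. Capturing the output keeps both the exit code and the reason: `local reason; reason=$(test_name_server ${ns} 2>&1)` followed by `case "$?" in`, with `${reason}` appended to the warning in the `*)` branch. That branch also files code 1 (unreachable, which at red.up may be a passing outage) together with code 3 (not DNSSEC-aware), so a brief hiccup switches unbound to recursor mode until update_forwarders runs again, presumably at the next red.up; recording the code per server makes the two cases distinguishable in the log. The outer `[ ... -a ... ]` is the deprecated combined form; `[ "${USE_FORWARDERS}" = "1" ] && [ -e "/var/ipfire/red/active" ]` is the unambiguous spelling.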
 update_hosts() {
@@ -179,6 +211,77 @@ get_memory_amount() {
 done < /proc/meminfo
 }
+test_name_server() {
+local ns=${1}
+
+# Return codes:
+# 0 DNSSEC validating
+# 1 Error: unreachable, etc.
+# 2 DNSSEC aware
+# 3 NOT DNSSEC-aware
+
+# Exit when the server is not reachable
+ns_is_online ${ns} || return 1
+
+# Return 0 if validating
+ns_is_validating ${ns} && return 0
+
+local errors
+for rr in DNSKEY DS RRSIG; do
+if ! ns_forwards_${rr} ${ns}; then
+errors="${errors} ${rr}"
+fi
+done
+
+if [ -n "${errors}" ]; then
+echo >&2 "Unable to retrieve the following resource records from ${ns}: ${errors:1}"
+return 3
+fi
+
+# Is DNSSEC-aware
+return 2
+}
+
+# Sends an A query to the nameserver w/o DNSSEC
+ns_is_online() {
+local ns=${1}
+
+dig @${ns} +nodnssec A ${TEST_DOMAIN} >/dev/null
+}
+
+# Resolving ${TEST_DOMAIN_FAIL} will fail if the nameserver is validating
+ns_is_validating() {
+local ns=${1}
+
+dig @${ns} A ${TEST_DOMAIN_FAIL} | grep -q SERVFAIL
+}
+
+# Checks if we can retrieve the DNSKEY for this domain.
+# dig will print the SOA if nothing was found
+ns_forwards_DNSKEY() {
+local ns=${1}
+
+dig @${ns} DNSKEY ${TEST_DOMAIN} | grep -qv SOA
+}
+
+ns_forwards_DS() {
+local ns=${1}
+
+dig @${ns} DS ${TEST_DOMAIN} | grep -qv SOA
+}
+
+ns_forwards_RRSIG() {
+local ns=${1}
+
+dig @${ns} +dnssec A ${TEST_DOMAIN} | grep -q RRSIG
+}
+
+ns_supports_tcp() {
+local ns=${1}
+
+dig @${ns} +tcp A ${TEST_DOMAIN} >/dev/null || return 1
+}
+
 case "$1" in
 start)
 # Print a nicer messagen when unbound is already running
@@ -228,8 +331,38 @@ case "$1" in
 update_forwarders
 ;;
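Review bot: ns_forwards_DNSKEY and ns_forwards_DS practically never fail, because `grep -qv SOA` succeeds as soon as any line of dig's full output lacks the string SOA, and the header and statistics lines dig always prints never contain it; a NODATA answer therefore passes the check and only the RRSIG probe can ever produce return code 3. Testing the answer section alone fixes it, e.g. `dig +short @${ns} DNSKEY ${TEST_DOMAIN} | grep -q .` and the same for DS, since +short prints nothing when the answer section is empty, which also makes the "dig will print the SOA" comment unnecessary. The probes run with dig's default retry and timeout, so an unreachable forwarder holds up boot in ns_is_online for the whole retry interval before it is reported; `+time=` and `+tries=` on the dig calls bound that. `rr` in the for loop of test_name_server is not declared local and leaks into the caller's scope, and the `|| return 1` in ns_supports_tcp repeats dig's own status.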
+test-name-server)
+ns=${2}
+
+test_name_server ${ns}
+ret=${?}
+
+case "${ret}" in
+0)
+echo "${ns} is validating"
+;;
+2)
+echo "${ns} is DNSSEC-aware"
+;;
+3)
+echo "${ns} is NOT DNSSEC-aware"
+;;
+*)
+echo "Test failed for an unknown reason"
+;;
+esac
+
+if ns_supports_tcp ${ns}; then
+echo "${ns} supports TCP fallback"
+else
+echo "${ns} does not support TCP fallback"
+fi
+
+exit ${ret}
+;;
+
 *)
-echo "Usage: $0 {start|stop|restart|status|update-forwarders}"
+echo "Usage: $0 {start|stop|restart|status|update-forwarders|test-name-server}"
 exit 1
 ;;
 esac
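Review bot: the `case "${ret}" in` has no arm for return code 1, which test_name_server documents as the unreachable case, so an offline server is reported as "Test failed for an unknown reason"; add `1) echo "${ns} is not reachable" ;;`. `ns=${2}` is also used unchecked, so invoking the command without an argument hands an empty server to dig; `[ -n "${ns}" ] || { echo "Usage: $0 test-name-server <address>" >&2; exit 1; }` before the test keeps the failure meaningful. The enclosing `case "$1" in` starts outside the hunk.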
hooks/post-receive -- IPFire 2.x development tree