This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via 01bec956555de7966990047406cbf417d314c40d (commit) via 438da7e0a012cb979e77efcb923ab86b9078fb57 (commit) from 9d5e5eb01240cad610088fe2ea6b5b68e4f5e5ee (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 01bec956555de7966990047406cbf417d314c40d Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 5 15:21:56 2018 +0000
core120: Ship updated unbound init script
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 438da7e0a012cb979e77efcb923ab86b9078fb57 Author: Peter Müller peter.mueller@link38.eu Date: Sun Mar 4 18:26:52 2018 +0100
test if nameservers with DNSSEC support return "ad"-flagged data
DNSSEC-validating nameservers return an "ad" (Authenticated Data) flag in the DNS response header. This can be used as a negative indicator for DNSSEC validation: In case a nameserver does not return the flag, but failes to look up a domain with an invalid signature, it does not support DNSSEC validation.
This makes it easier to detect nameservers which do not fully comply to the RFCs or try to tamper DNS queries.
See bug #11595 (https://bugzilla.ipfire.org/show_bug.cgi?id=11595) for further details.
The second version of this patch avoids unnecessary usage of grep. Thanks to Michael Tremer for the hint.
Signed-off-by: Peter Müller peter.mueller@link38.eu Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes: config/rootfiles/core/120/filelists/files | 1 + src/initscripts/system/unbound | 7 ++++++- 2 files changed, 7 insertions(+), 1 deletion(-)
Difference in files: diff --git a/config/rootfiles/core/120/filelists/files b/config/rootfiles/core/120/filelists/files index 848d69a97..ad9da24a5 100644 --- a/config/rootfiles/core/120/filelists/files +++ b/config/rootfiles/core/120/filelists/files @@ -3,6 +3,7 @@ etc/issue etc/sysctl.conf etc/fcron.daily/openvpn-crl-updater etc/rc.d/init.d/dhcp +etc/rc.d/init.d/unbound srv/web/ipfire/cgi-bin/ovpnmain.cgi srv/web/ipfire/cgi-bin/vpnmain.cgi usr/lib/python2.7/lib-dynload/_hashlib.so diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound index a46999992..dcb9653ee 100644 --- a/src/initscripts/system/unbound +++ b/src/initscripts/system/unbound @@ -378,7 +378,12 @@ ns_is_validating() { local ns=${1} shift
- dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL + if ! dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL; then + return 1 + else + # Determine if NS replies with "ad" data flag if DNSSEC enabled + dig @${ns} +dnssec SOA ${TEST_DOMAIN} $@ | awk -F: '/;;\ flags:/ { s=1; if (/\ ad/) s=0; exit s }' + fi }
# Checks if we can retrieve the DNSKEY for this domain.
hooks/post-receive -- IPFire 2.x development tree