This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, master has been updated via 7ebc0a16e23b438fb79e981be0fda612cf17fdcb (commit) via 3ddad158cd5fd4a311812bdcd52a46cbb9ca4866 (commit) from a6dcc5bb77760d887f1bee7271590b78437b85f4 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 7ebc0a16e23b438fb79e981be0fda612cf17fdcb Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Nov 4 17:43:05 2016 +0000
unbound: Allow list of INSECURE_ZONES being set in sysconfig
A list of DNS zones can be given for which DNSSEC validation will be disabled.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 3ddad158cd5fd4a311812bdcd52a46cbb9ca4866 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Nov 4 17:00:24 2016 +0000
unbound: Allow recursion from everywhere
Users use the IPFire DNS service from VPNs and other routed networks.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes: config/rootfiles/core/107/update.sh | 1 + config/unbound/unbound.conf | 12 +++--------- src/initscripts/init.d/unbound | 21 ++------------------- 3 files changed, 6 insertions(+), 28 deletions(-)
Difference in files: diff --git a/config/rootfiles/core/107/update.sh b/config/rootfiles/core/107/update.sh index b8987b0..dd6b33e 100644 --- a/config/rootfiles/core/107/update.sh +++ b/config/rootfiles/core/107/update.sh @@ -138,6 +138,7 @@ esac tar xavf /opt/pakfire/tmp/files* --no-overwrite-dir -p --numeric-owner -C /
# Remove some old files +rm -f /etc/unbound/interfaces.conf
# update linker config ldconfig diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index 5193dd9..a6cdc4d 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -62,21 +62,15 @@ server: use-caps-for-id: no
# Listen on all interfaces + interface-automatic: no interface: 0.0.0.0
- # Deny access from everywhere - access-control: 0.0.0.0/0 refuse - - # Allow access from localhost - access-control: 127.0.0.0/8 allow + # Allow access from everywhere + access-control: 0.0.0.0/0 allow
# Bootstrap root servers root-hints: "/etc/unbound/root.hints"
- # IPFire interface configuration - include: "/etc/unbound/interfaces.conf" - interface-automatic: no - # Include DHCP leases include: "/etc/unbound/dhcp-leases.conf"
diff --git a/src/initscripts/init.d/unbound b/src/initscripts/init.d/unbound index a7952fc..01a560d 100644 --- a/src/initscripts/init.d/unbound +++ b/src/initscripts/init.d/unbound @@ -12,6 +12,7 @@ TEST_DOMAIN="ipfire.org" # This domain will never validate TEST_DOMAIN_FAIL="dnssec-failed.org"
+INSECURE_ZONES= USE_FORWARDERS=1
# Cache any local zones for 60 seconds @@ -147,28 +148,11 @@ update_hosts() { done < /var/ipfire/main/hosts }
-write_interfaces_conf() { - ( - config_header - - # 1.1.1.1 is reserved for unused green - if [ -n "${GREEN_ADDRESS}" -a "${GREEN_ADDRESS}" != "1.1.1.1" ]; then - echo "# allow access from GREEN" - echo "access-control: $(cidr ${GREEN_NETADDRESS} ${GREEN_NETMASK}) allow" - fi - - if [ -n "${BLUE_ADDRESS}" ]; then - echo "# allow access from BLUE" - echo "access-control: $(cidr ${BLUE_NETADDRESS} ${BLUE_NETMASK}) allow" - fi - ) > /etc/unbound/interfaces.conf -} - write_forward_conf() { ( config_header
- local insecure_zones + local insecure_zones="${INSECURE_ZONES}"
local enabled zone server remark while IFS="," read -r enabled zone server remark; do @@ -351,7 +335,6 @@ case "$1" in
# Update configuration files write_tuning_conf - write_interfaces_conf write_forward_conf
boot_mesg "Starting Unbound DNS Proxy..."
hooks/post-receive -- IPFire 2.x development tree