This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, core107 has been updated via 34f6a3f1b56e724062897d480d102d81e4e47298 (commit) via 2d646e983864558cbf50a0e2150b080a70976d8b (commit) via d4af85f252c5e1573f548377ea97928adf07c4d0 (commit) via 08fc1aa43b293dccf211b8f961a6d1b7606ed352 (commit) via 7ebc0a16e23b438fb79e981be0fda612cf17fdcb (commit) via 3ddad158cd5fd4a311812bdcd52a46cbb9ca4866 (commit) via a6dcc5bb77760d887f1bee7271590b78437b85f4 (commit) from 2872f345b07eeef2ab9897ac26f06add6f92101e (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 34f6a3f1b56e724062897d480d102d81e4e47298 Merge: 2d646e9 2872f34 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Nov 4 20:52:00 2016 +0100
Merge remote-tracking branch 'origin/core107'
commit 2d646e983864558cbf50a0e2150b080a70976d8b Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Nov 4 19:31:07 2016 +0100
ntp: init with hardcoded ip if dns not work
DNSSec need the correct time to validate the zones so we need a workaround to init the time without dns.
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit d4af85f252c5e1573f548377ea97928adf07c4d0 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Nov 4 18:23:25 2016 +0000
unbound: Send out replies from where they came in
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 08fc1aa43b293dccf211b8f961a6d1b7606ed352 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Nov 4 17:46:24 2016 +0000
core107: Restart unbound to activate configuration changes
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 7ebc0a16e23b438fb79e981be0fda612cf17fdcb Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Nov 4 17:43:05 2016 +0000
unbound: Allow list of INSECURE_ZONES being set in sysconfig
A list of DNS zones can be given for which DNSSEC validation will be disabled.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 3ddad158cd5fd4a311812bdcd52a46cbb9ca4866 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Nov 4 17:00:24 2016 +0000
unbound: Allow recursion from everywhere
Users use the IPFire DNS service from VPNs and other routed networks.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit a6dcc5bb77760d887f1bee7271590b78437b85f4 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Nov 2 15:42:40 2016 +0000
unbound: Fix for DNS forwarding of .local zones
These are traditionally used for Windows domains and should not be used for that. However if they are used like this, DNSSEC validation cannot be used.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes: config/rootfiles/core/107/filelists/files | 3 +++ config/rootfiles/core/107/update.sh | 4 ++++ config/unbound/unbound.conf | 12 +++------- src/initscripts/init.d/ntp | 8 +++++++ src/initscripts/init.d/unbound | 37 ++++++++++++++++--------------- 5 files changed, 37 insertions(+), 27 deletions(-)
Difference in files: diff --git a/config/rootfiles/core/107/filelists/files b/config/rootfiles/core/107/filelists/files index b03a86e..94704cf 100644 --- a/config/rootfiles/core/107/filelists/files +++ b/config/rootfiles/core/107/filelists/files @@ -1,5 +1,8 @@ etc/system-release etc/issue +etc/unbound/unbound.conf +etc/rc.d/init.d/unbound +etc/rc.d/init.d/ntp srv/web/ipfire/cgi-bin/logs.cgi/log.dat srv/web/ipfire/cgi-bin/traffic.cgi var/ipfire/langs diff --git a/config/rootfiles/core/107/update.sh b/config/rootfiles/core/107/update.sh index b8987b0..276dae5 100644 --- a/config/rootfiles/core/107/update.sh +++ b/config/rootfiles/core/107/update.sh @@ -138,6 +138,7 @@ esac tar xavf /opt/pakfire/tmp/files* --no-overwrite-dir -p --numeric-owner -C /
# Remove some old files +rm -f /etc/unbound/interfaces.conf
# update linker config ldconfig @@ -177,6 +178,9 @@ if [ `grep "ENABLED=on" /var/ipfire/vpn/settings` ]; then /etc/init.d/ipsec start fi
+# Restart unbound to activate configuration changes +/etc/init.d/unbound restart + # Delete old QoS enabled indicator rm -f /var/ipfire/qos/enable
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index 5193dd9..3f724d8 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -62,21 +62,15 @@ server: use-caps-for-id: no
# Listen on all interfaces + interface-automatic: yes interface: 0.0.0.0
- # Deny access from everywhere - access-control: 0.0.0.0/0 refuse - - # Allow access from localhost - access-control: 127.0.0.0/8 allow + # Allow access from everywhere + access-control: 0.0.0.0/0 allow
# Bootstrap root servers root-hints: "/etc/unbound/root.hints"
- # IPFire interface configuration - include: "/etc/unbound/interfaces.conf" - interface-automatic: no - # Include DHCP leases include: "/etc/unbound/dhcp-leases.conf"
diff --git a/src/initscripts/init.d/ntp b/src/initscripts/init.d/ntp index d411ba1..0793927 100644 --- a/src/initscripts/init.d/ntp +++ b/src/initscripts/init.d/ntp @@ -27,6 +27,14 @@ case "$1" in fi if [ -e /var/ipfire/red/active ]; then boot_mesg "" + + host ping.ipfire.org > /dev/null 2>&1 + if [ "${?}" != "0" ]; then + boot_mesg "DNS not work ... init with ntp.ipfire.org at 81.3.27.46 ..." + loadproc /usr/local/bin/settime 81.3.27.46 + boot_mesg "Setting time on boot..." + fi + loadproc /usr/local/bin/settime $(cat /var/ipfire/time/settime.conf) else boot_mesg " ERROR! Not online!" diff --git a/src/initscripts/init.d/unbound b/src/initscripts/init.d/unbound index 4e42477..01a560d 100644 --- a/src/initscripts/init.d/unbound +++ b/src/initscripts/init.d/unbound @@ -12,6 +12,7 @@ TEST_DOMAIN="ipfire.org" # This domain will never validate TEST_DOMAIN_FAIL="dnssec-failed.org"
+INSECURE_ZONES= USE_FORWARDERS=1
# Cache any local zones for 60 seconds @@ -147,37 +148,38 @@ update_hosts() { done < /var/ipfire/main/hosts }
-write_interfaces_conf() { - ( - config_header - - # 1.1.1.1 is reserved for unused green - if [ -n "${GREEN_ADDRESS}" -a "${GREEN_ADDRESS}" != "1.1.1.1" ]; then - echo "# allow access from GREEN" - echo "access-control: $(cidr ${GREEN_NETADDRESS} ${GREEN_NETMASK}) allow" - fi - - if [ -n "${BLUE_ADDRESS}" ]; then - echo "# allow access from BLUE" - echo "access-control: $(cidr ${BLUE_NETADDRESS} ${BLUE_NETMASK}) allow" - fi - ) > /etc/unbound/interfaces.conf -} - write_forward_conf() { ( config_header
+ local insecure_zones="${INSECURE_ZONES}" + local enabled zone server remark while IFS="," read -r enabled zone server remark; do # Line must be enabled. [ "${enabled}" = "on" ] || continue
+ # Zones that end with .local are commonly used for internal + # zones and therefore not signed + case "${zone}" in + *.local) + insecure_zones="${insecure_zones} ${zone}" + ;; + esac + echo "forward-zone:" echo " name: ${zone}" echo " forward-addr: ${server}" echo done < /var/ipfire/dnsforward/config + + if [ -n "${insecure_zones}" ]; then + echo "server:" + + for zone in ${insecure_zones}; do + echo " domain-insecure: ${zone}" + done + fi ) > /etc/unbound/forward.conf }
@@ -333,7 +335,6 @@ case "$1" in
# Update configuration files write_tuning_conf - write_interfaces_conf write_forward_conf
boot_mesg "Starting Unbound DNS Proxy..."
hooks/post-receive -- IPFire 2.x development tree