* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. cc60329d88d647a425812b8fb1ff31bb6752f576
@ 2016-10-02 13:35 git
From: git @ 2016-10-02 13:35 UTC (permalink / raw)
  To: ipfire-scm


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  cc60329d88d647a425812b8fb1ff31bb6752f576 (commit)
       via  b29c97b1685c4eafdbc30841f5eae358befc8343 (commit)
       via  f58002a83f279246cdd58bfb5e9dfbf9d5aa99c7 (commit)
       via  9f50355a8c192e453998b6bd15c26b94eabcc72f (commit)
      from  a1de9f6fc9cd011cc33708bae31a731394b6d26a (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit cc60329d88d647a425812b8fb1ff31bb6752f576
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Sun Oct 2 15:32:14 2016 +0200

    Add search domain to /etc/resolv.conf at boot time
    
    unbound does not append the local domain to the request
    any more (like dnsmasq did). Therefore, the client needs
    to do that if desired.
    
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit b29c97b1685c4eafdbc30841f5eae358befc8343
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Sun Oct 2 15:25:23 2016 +0200

    unbound: Test upstream name servers before using
    
    unbound has some trouble with validating DNSSEC-enabled
    domains when the upstream name server is stripping signatures
    from the authoritative responses.
    
    This script now checks for that, removes any broken upstream
    name servers from the list and prints a warning.
    
    If all name servers fail the test, unbound falls back
    into recursor mode.
    
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit f58002a83f279246cdd58bfb5e9dfbf9d5aa99c7
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Sun Oct 2 13:36:07 2016 +0200

    core106: Add DNS root key to exclude list
    
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 9f50355a8c192e453998b6bd15c26b94eabcc72f
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Sun Oct 2 13:35:45 2016 +0200

    unbound: Update to 1.5.10
    
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/rootfiles/common/unbound           |   2 +-
 config/rootfiles/core/106/exclude         |   1 +
 config/rootfiles/core/106/filelists/files |   1 +
 lfs/unbound                               |   4 +-
 src/initscripts/init.d/localnet           |  10 ++
 src/initscripts/init.d/unbound            | 151 ++++++++++++++++++++++++++++--
 6 files changed, 157 insertions(+), 12 deletions(-)

Difference in files:
diff --git a/config/rootfiles/common/unbound b/config/rootfiles/common/unbound
index 463f5dc..722d730 100644
--- a/config/rootfiles/common/unbound
+++ b/config/rootfiles/common/unbound
@@ -10,7 +10,7 @@ etc/unbound/unbound.conf
 #usr/lib/libunbound.la
 #usr/lib/libunbound.so
 usr/lib/libunbound.so.2
-usr/lib/libunbound.so.2.4.1
+usr/lib/libunbound.so.2.4.2
 usr/sbin/unbound
 usr/sbin/unbound-anchor
 usr/sbin/unbound-checkconf
diff --git a/config/rootfiles/core/106/exclude b/config/rootfiles/core/106/exclude
index 7ddeae0..1d8d74e 100644
--- a/config/rootfiles/core/106/exclude
+++ b/config/rootfiles/core/106/exclude
@@ -23,6 +23,7 @@ var/ipfire/dma
 var/ipfire/time
 var/ipfire/ovpn
 var/lib/alternatives
+var/lib/unbound/root.key
 var/log/cache
 var/state/dhcp/dhcpd.leases
 var/updatecache
diff --git a/config/rootfiles/core/106/filelists/files b/config/rootfiles/core/106/filelists/files
index 1d5d4df..3d8cf8d 100644
--- a/config/rootfiles/core/106/filelists/files
+++ b/config/rootfiles/core/106/filelists/files
@@ -2,6 +2,7 @@ etc/system-release
 etc/issue
 etc/login.defs
 etc/rc.d/init.d/dhcp
+etc/rc.d/init.d/localnet
 etc/rc.d/init.d/network
 etc/rc.d/init.d/networking/red.down/05-update-dns-forwarders
 etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders
diff --git a/lfs/unbound b/lfs/unbound
index 9c85893..b2ef6ac 100644
--- a/lfs/unbound
+++ b/lfs/unbound
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 1.5.9
+VER        = 1.5.10
 
 THISAPP    = unbound-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = 0cefa62c1690b4db18583db84bff00e3
+$(DL_FILE)_MD5 = 0a3a236811f1ab5c1dc31974fa74e047
 
 install : $(TARGET)
 
diff --git a/src/initscripts/init.d/localnet b/src/initscripts/init.d/localnet
index c1e5b29..ff374bb 100644
--- a/src/initscripts/init.d/localnet
+++ b/src/initscripts/init.d/localnet
@@ -15,6 +15,13 @@
 . /etc/sysconfig/rc
 . ${rc_functions}
 
+write_resolv_conf() {
+	(
+		[ -n "${DOMAINNAME}" ] && echo "search ${DOMAINNAME}"
+		echo "nameserver 127.0.0.1"
+	) > /etc/resolv.conf
+}
+
 case "${1}" in
 	start)
 		eval $(/usr/local/bin/readhash /var/ipfire/main/settings)
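Review bot: write_resolv_conf truncates /etc/resolv.conf with `>` before the subshell has produced any output, so a process resolving a name in that window reads an empty or partial file; writing to a temporary file on the same filesystem and renaming it over resolv.conf makes the update atomic, e.g. `) > /etc/resolv.conf.tmp && mv -f /etc/resolv.conf.tmp /etc/resolv.conf` (constructed path). DOMAINNAME comes from the settings file loaded by the `eval $(readhash ...)` line at the end of this hunk and is written verbatim, so a value containing whitespace or a newline would turn into additional resolv.conf directives; presumably the web UI restricts it, but a `case` check rejecting anything other than hostname characters here would make the initscript self-contained.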
@@ -32,6 +39,9 @@ case "${1}" in
 			domainname ${DOMAINNAME}
 			evaluate_retval
 		fi
+
+		# Update resolv.conf
+		write_resolv_conf
 		;;
 
 	stop)
diff --git a/src/initscripts/init.d/unbound b/src/initscripts/init.d/unbound
index 1b2649f..4d2b266 100644
--- a/src/initscripts/init.d/unbound
+++ b/src/initscripts/init.d/unbound
@@ -7,6 +7,11 @@
 . /etc/sysconfig/rc
 . ${rc_functions}
 
+TEST_DOMAIN="ipfire.org"
+
+# This domain will never validate
+TEST_DOMAIN_FAIL="dnssec-failed.org"
+
 USE_FORWARDERS=1
 
 # Cache any local zones for 60 seconds
@@ -53,18 +58,45 @@ config_header() {
 }
 
 update_forwarders() {
-	local forwarders="$(read_name_servers)"
+	if [ "${USE_FORWARDERS}" = "1" -a -e "/var/ipfire/red/active" ]; then
+		local forwarders
+		local broken_forwarders
+
+		local ns
+		for ns in $(read_name_servers); do
+			test_name_server ${ns} &>/dev/null
+			case "$?" in
+				# Only use DNSSEC-validating or DNSSEC-aware name servers
+				0|2)
+					forwarders="${forwarders} ${ns}"
+					;;
+				*)
+					broken_forwarders="${broken_forwarders} ${ns}"
+					;;
+			esac
+		done
+
+		# Show warning for any broken upstream name servers
+		if [ -n "${broken_forwarders}" ]; then
+			boot_mesg "Ignoring broken upstream name server(s): ${broken_forwarders:1}" ${WARNING}
+			echo_warning
+		fi
 
-	if [ "${USE_FORWARDERS}" = "1" ] && [ -n "${forwarders}" ]; then
-		boot_mesg "Using Name Server(s): ${forwarders}"
-		boot_mesg_flush
+		if [ -n "${broken_forwarders}" -a -z "${forwarders}" ]; then
+			boot_mesg "Falling back to recursor mode" ${WARNING}
+			echo_warning
 
-		unbound-control -q forward ${forwarders}
+		elif [ -n "${forwarders}" ]; then
+			boot_mesg "Configuring upstream name server(s): ${forwarders:1}" ${INFO}
+			echo_ok
 
-	# If forwarders cannot be used we run in recursor mode
-	else
-		unbound-control -q forward off
+			unbound-control -q forward ${forwarders}
+			return 0
+		fi
 	fi
+
+	# If forwarders cannot be used we run in recursor mode
+	unbound-control -q forward off
 }
 
 update_hosts() {
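Review bot: `test_name_server ${ns} &>/dev/null` discards the stderr line in which test_name_server names the record types it could not retrieve, so the boot warning reports which server was dropped but not why; capturing that stderr into a variable and appending it to the `Ignoring broken upstream name server(s)` message would keep the reason in the boot output. `&>` is a bash extension, so this relies on the script running under bash (the shebang is outside the hunk). The `[ ... -a ... ]` tests on the first `if` and on the `Falling back` condition would be clearer as `[ "${USE_FORWARDERS}" = "1" ] && [ -e "/var/ipfire/red/active" ]`, which is also the form the removed code used. An empty `read_name_servers` result takes the final `forward off` path without any message, which matches the old behaviour but may deserve a boot_mesg of its own.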
@@ -179,6 +211,77 @@ get_memory_amount() {
 	done < /proc/meminfo
 }
 
+test_name_server() {
+	local ns=${1}
+
+	# Return codes:
+	# 0	DNSSEC validating
+	# 1	Error: unreachable, etc.
+	# 2	DNSSEC aware
+	# 3	NOT DNSSEC-aware
+
+	# Exit when the server is not reachable
+	ns_is_online ${ns} || return 1
+
+	# Return 0 if validating
+	ns_is_validating ${ns} && return 0
+
+	local errors
+	for rr in DNSKEY DS RRSIG; do
+		if ! ns_forwards_${rr} ${ns}; then
+			errors="${errors} ${rr}"
+		fi
+	done
+
+	if [ -n "${errors}" ]; then
+		echo >&2 "Unable to retrieve the following resource records from ${ns}: ${errors:1}"
+		return 3
+	fi
+
+	# Is DNSSEC-aware
+	return 2
+}
+
+# Sends an A query to the nameserver w/o DNSSEC
+ns_is_online() {
+	local ns=${1}
+
+	dig @${ns} +nodnssec A ${TEST_DOMAIN} >/dev/null
+}
+
+# Resolving ${TEST_DOMAIN_FAIL} will fail if the nameserver is validating
+ns_is_validating() {
+	local ns=${1}
+
+	dig @${ns} A ${TEST_DOMAIN_FAIL} | grep -q SERVFAIL
+}
+
+# Checks if we can retrieve the DNSKEY for this domain.
+# dig will print the SOA if nothing was found
+ns_forwards_DNSKEY() {
+	local ns=${1}
+
+	dig @${ns} DNSKEY ${TEST_DOMAIN} | grep -qv SOA
+}
+
+ns_forwards_DS() {
+	local ns=${1}
+
+	dig @${ns} DS ${TEST_DOMAIN} | grep -qv SOA
+}
+
+ns_forwards_RRSIG() {
+	local ns=${1}
+
+	dig @${ns} +dnssec A ${TEST_DOMAIN} | grep -q RRSIG
+}
+
+ns_supports_tcp() {
+	local ns=${1}
+
+	dig @${ns} +tcp A ${TEST_DOMAIN} >/dev/null || return 1
+}
+
 case "$1" in
 	start)
 		# Print a nicer messagen when unbound is already running
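Review bot: ns_forwards_DNSKEY and ns_forwards_DS cannot fail as written: `grep -qv SOA` succeeds as soon as any line of dig's output lacks `SOA`, and dig always prints header and question lines that do not contain it, so a server that returns no DNSKEY/DS at all still passes and only a completely empty dig output (no reply) is rejected. Querying with `+short` and checking for any output tests what the comment describes, e.g. `dig @${ns} +short DNSKEY ${TEST_DOMAIN} | grep -q .` and `dig @${ns} +short DS ${TEST_DOMAIN} | grep -q .`. In test_name_server `rr` is not declared `local`, so the loop variable leaks into the script's global scope. Every probe runs with dig's default timeout and retry count (5 s, 3 tries), so one unreachable forwarder costs several sequential timeouts at boot; passing something like `+time=2 +tries=1` to each dig call bounds that. ns_is_validating treats any SERVFAIL for TEST_DOMAIN_FAIL as proof of validation, so a server that SERVFAILs every query would be classified as validating rather than broken.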
@@ -228,8 +331,38 @@ case "$1" in
 		update_forwarders
 		;;
 
+	test-name-server)
+		ns=${2}
+
+		test_name_server ${ns}
+		ret=${?}
+
+		case "${ret}" in
+			0)
+				echo "${ns} is validating"
+				;;
+			2)
+				echo "${ns} is DNSSEC-aware"
+				;;
+			3)
+				echo "${ns} is NOT DNSSEC-aware"
+				;;
+			*)
+				echo "Test failed for an unknown reason"
+				;;
+		esac
+
+		if ns_supports_tcp ${ns}; then
+			echo "${ns} supports TCP fallback"
+		else
+			echo "${ns} does not support TCP fallback"
+		fi
+
+		exit ${ret}
+		;;
+
 	*)
-		echo "Usage: $0 {start|stop|restart|status|update-forwarders}"
+		echo "Usage: $0 {start|stop|restart|status|update-forwarders|test-name-server}"
 		exit 1
 		;;
 esac
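Review bot: The `test-name-server` action passes `${2}` straight to test_name_server without checking that it was given, so `$0 test-name-server` with no argument runs dig with an empty `@` server instead of showing the usage line; add `[ -n "${ns}" ] || { echo "Usage: $0 test-name-server <address>" >&2; exit 1; }` before the test_name_server call. The `*)` arm prints `Test failed for an unknown reason`, but test_name_server documents return code 1 as "unreachable", so a dedicated `1)` arm printing `${ns} is not reachable` would report the most common failure accurately. Note also that `exit ${ret}` with ret=1 is indistinguishable from the usage error's exit 1 for callers.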


hooks/post-receive
--
IPFire 2.x development tree
