From: git@ipfire.org
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, master, updated. 7ebc0a16e23b438fb79e981be0fda612cf17fdcb
Date: Fri, 04 Nov 2016 17:47:10 +0000 [thread overview]
Message-ID: <20161104174716.4C5171081BA5@git01.ipfire.org> (raw)
[-- Attachment #1: Type: text/plain, Size: 4344 bytes --]
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, master has been updated
via 7ebc0a16e23b438fb79e981be0fda612cf17fdcb (commit)
via 3ddad158cd5fd4a311812bdcd52a46cbb9ca4866 (commit)
from a6dcc5bb77760d887f1bee7271590b78437b85f4 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 7ebc0a16e23b438fb79e981be0fda612cf17fdcb
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Fri Nov 4 17:43:05 2016 +0000
unbound: Allow list of INSECURE_ZONES being set in sysconfig
A list of DNS zones can be given for which DNSSEC validation
will be disabled.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 3ddad158cd5fd4a311812bdcd52a46cbb9ca4866
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Fri Nov 4 17:00:24 2016 +0000
unbound: Allow recursion from everywhere
Users use the IPFire DNS service from VPNs and other
routed networks.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/rootfiles/core/107/update.sh | 1 +
config/unbound/unbound.conf | 12 +++---------
src/initscripts/init.d/unbound | 21 ++-------------------
3 files changed, 6 insertions(+), 28 deletions(-)
Difference in files:
diff --git a/config/rootfiles/core/107/update.sh b/config/rootfiles/core/107/update.sh
index b8987b0..dd6b33e 100644
--- a/config/rootfiles/core/107/update.sh
+++ b/config/rootfiles/core/107/update.sh
@@ -138,6 +138,7 @@ esac
tar xavf /opt/pakfire/tmp/files* --no-overwrite-dir -p --numeric-owner -C /
# Remove some old files
+rm -f /etc/unbound/interfaces.conf
# update linker config
ldconfig
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index 5193dd9..a6cdc4d 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -62,21 +62,15 @@ server:
use-caps-for-id: no
# Listen on all interfaces
+ interface-automatic: no
interface: 0.0.0.0
- # Deny access from everywhere
- access-control: 0.0.0.0/0 refuse
-
- # Allow access from localhost
- access-control: 127.0.0.0/8 allow
+ # Allow access from everywhere
+ access-control: 0.0.0.0/0 allow
# Bootstrap root servers
root-hints: "/etc/unbound/root.hints"
- # IPFire interface configuration
- include: "/etc/unbound/interfaces.conf"
- interface-automatic: no
-
# Include DHCP leases
include: "/etc/unbound/dhcp-leases.conf"
diff --git a/src/initscripts/init.d/unbound b/src/initscripts/init.d/unbound
index a7952fc..01a560d 100644
--- a/src/initscripts/init.d/unbound
+++ b/src/initscripts/init.d/unbound
@@ -12,6 +12,7 @@ TEST_DOMAIN="ipfire.org"
# This domain will never validate
TEST_DOMAIN_FAIL="dnssec-failed.org"
+INSECURE_ZONES=
USE_FORWARDERS=1
# Cache any local zones for 60 seconds
@@ -147,28 +148,11 @@ update_hosts() {
done < /var/ipfire/main/hosts
}
-write_interfaces_conf() {
- (
- config_header
-
- # 1.1.1.1 is reserved for unused green
- if [ -n "${GREEN_ADDRESS}" -a "${GREEN_ADDRESS}" != "1.1.1.1" ]; then
- echo "# allow access from GREEN"
- echo "access-control: $(cidr ${GREEN_NETADDRESS} ${GREEN_NETMASK}) allow"
- fi
-
- if [ -n "${BLUE_ADDRESS}" ]; then
- echo "# allow access from BLUE"
- echo "access-control: $(cidr ${BLUE_NETADDRESS} ${BLUE_NETMASK}) allow"
- fi
- ) > /etc/unbound/interfaces.conf
-}
-
write_forward_conf() {
(
config_header
- local insecure_zones
+ local insecure_zones="${INSECURE_ZONES}"
local enabled zone server remark
while IFS="," read -r enabled zone server remark; do
@@ -351,7 +335,6 @@ case "$1" in
# Update configuration files
write_tuning_conf
- write_interfaces_conf
write_forward_conf
boot_mesg "Starting Unbound DNS Proxy..."
hooks/post-receive
--
IPFire 2.x development tree
reply other threads:[~2016-11-04 17:47 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161104174716.4C5171081BA5@git01.ipfire.org \
--to=git@ipfire.org \
--cc=ipfire-scm@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox