* [git.ipfire.org] IPFire 2.x development tree branch, core107, updated. 34f6a3f1b56e724062897d480d102d81e4e47298
@ 2016-11-04 19:58 git
0 siblings, 0 replies; only message in thread
From: git @ 2016-11-04 19:58 UTC (permalink / raw)
To: ipfire-scm
[-- Attachment #1: Type: text/plain, Size: 8378 bytes --]
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, core107 has been updated
via 34f6a3f1b56e724062897d480d102d81e4e47298 (commit)
via 2d646e983864558cbf50a0e2150b080a70976d8b (commit)
via d4af85f252c5e1573f548377ea97928adf07c4d0 (commit)
via 08fc1aa43b293dccf211b8f961a6d1b7606ed352 (commit)
via 7ebc0a16e23b438fb79e981be0fda612cf17fdcb (commit)
via 3ddad158cd5fd4a311812bdcd52a46cbb9ca4866 (commit)
via a6dcc5bb77760d887f1bee7271590b78437b85f4 (commit)
from 2872f345b07eeef2ab9897ac26f06add6f92101e (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 34f6a3f1b56e724062897d480d102d81e4e47298
Merge: 2d646e9 2872f34
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date: Fri Nov 4 20:52:00 2016 +0100
Merge remote-tracking branch 'origin/core107'
commit 2d646e983864558cbf50a0e2150b080a70976d8b
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date: Fri Nov 4 19:31:07 2016 +0100
ntp: init with hardcoded ip if dns not work
DNSSec need the correct time to validate the zones so we need
a workaround to init the time without dns.
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
commit d4af85f252c5e1573f548377ea97928adf07c4d0
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Fri Nov 4 18:23:25 2016 +0000
unbound: Send out replies from where they came in
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 08fc1aa43b293dccf211b8f961a6d1b7606ed352
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Fri Nov 4 17:46:24 2016 +0000
core107: Restart unbound to activate configuration changes
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 7ebc0a16e23b438fb79e981be0fda612cf17fdcb
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Fri Nov 4 17:43:05 2016 +0000
unbound: Allow list of INSECURE_ZONES being set in sysconfig
A list of DNS zones can be given for which DNSSEC validation
will be disabled.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 3ddad158cd5fd4a311812bdcd52a46cbb9ca4866
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Fri Nov 4 17:00:24 2016 +0000
unbound: Allow recursion from everywhere
Users use the IPFire DNS service from VPNs and other
routed networks.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit a6dcc5bb77760d887f1bee7271590b78437b85f4
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Wed Nov 2 15:42:40 2016 +0000
unbound: Fix for DNS forwarding of .local zones
These are traditionally used for Windows domains and should not
be used for that. However if they are used like this, DNSSEC
validation cannot be used.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/rootfiles/core/107/filelists/files | 3 +++
config/rootfiles/core/107/update.sh | 4 ++++
config/unbound/unbound.conf | 12 +++-------
src/initscripts/init.d/ntp | 8 +++++++
src/initscripts/init.d/unbound | 37 ++++++++++++++++---------------
5 files changed, 37 insertions(+), 27 deletions(-)
Difference in files:
diff --git a/config/rootfiles/core/107/filelists/files b/config/rootfiles/core/107/filelists/files
index b03a86e..94704cf 100644
--- a/config/rootfiles/core/107/filelists/files
+++ b/config/rootfiles/core/107/filelists/files
@@ -1,5 +1,8 @@
etc/system-release
etc/issue
+etc/unbound/unbound.conf
+etc/rc.d/init.d/unbound
+etc/rc.d/init.d/ntp
srv/web/ipfire/cgi-bin/logs.cgi/log.dat
srv/web/ipfire/cgi-bin/traffic.cgi
var/ipfire/langs
diff --git a/config/rootfiles/core/107/update.sh b/config/rootfiles/core/107/update.sh
index b8987b0..276dae5 100644
--- a/config/rootfiles/core/107/update.sh
+++ b/config/rootfiles/core/107/update.sh
@@ -138,6 +138,7 @@ esac
tar xavf /opt/pakfire/tmp/files* --no-overwrite-dir -p --numeric-owner -C /
# Remove some old files
+rm -f /etc/unbound/interfaces.conf
# update linker config
ldconfig
@@ -177,6 +178,9 @@ if [ `grep "ENABLED=on" /var/ipfire/vpn/settings` ]; then
/etc/init.d/ipsec start
fi
+# Restart unbound to activate configuration changes
+/etc/init.d/unbound restart
+
# Delete old QoS enabled indicator
rm -f /var/ipfire/qos/enable
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index 5193dd9..3f724d8 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -62,21 +62,15 @@ server:
use-caps-for-id: no
# Listen on all interfaces
+ interface-automatic: yes
interface: 0.0.0.0
- # Deny access from everywhere
- access-control: 0.0.0.0/0 refuse
-
- # Allow access from localhost
- access-control: 127.0.0.0/8 allow
+ # Allow access from everywhere
+ access-control: 0.0.0.0/0 allow
# Bootstrap root servers
root-hints: "/etc/unbound/root.hints"
- # IPFire interface configuration
- include: "/etc/unbound/interfaces.conf"
- interface-automatic: no
-
# Include DHCP leases
include: "/etc/unbound/dhcp-leases.conf"
diff --git a/src/initscripts/init.d/ntp b/src/initscripts/init.d/ntp
index d411ba1..0793927 100644
--- a/src/initscripts/init.d/ntp
+++ b/src/initscripts/init.d/ntp
@@ -27,6 +27,14 @@ case "$1" in
fi
if [ -e /var/ipfire/red/active ]; then
boot_mesg ""
+
+ host ping.ipfire.org > /dev/null 2>&1
+ if [ "${?}" != "0" ]; then
+ boot_mesg "DNS not work ... init with ntp.ipfire.org at 81.3.27.46 ..."
+ loadproc /usr/local/bin/settime 81.3.27.46
+ boot_mesg "Setting time on boot..."
+ fi
+
loadproc /usr/local/bin/settime $(cat /var/ipfire/time/settime.conf)
else
boot_mesg " ERROR! Not online!"
diff --git a/src/initscripts/init.d/unbound b/src/initscripts/init.d/unbound
index 4e42477..01a560d 100644
--- a/src/initscripts/init.d/unbound
+++ b/src/initscripts/init.d/unbound
@@ -12,6 +12,7 @@ TEST_DOMAIN="ipfire.org"
# This domain will never validate
TEST_DOMAIN_FAIL="dnssec-failed.org"
+INSECURE_ZONES=
USE_FORWARDERS=1
# Cache any local zones for 60 seconds
@@ -147,37 +148,38 @@ update_hosts() {
done < /var/ipfire/main/hosts
}
-write_interfaces_conf() {
- (
- config_header
-
- # 1.1.1.1 is reserved for unused green
- if [ -n "${GREEN_ADDRESS}" -a "${GREEN_ADDRESS}" != "1.1.1.1" ]; then
- echo "# allow access from GREEN"
- echo "access-control: $(cidr ${GREEN_NETADDRESS} ${GREEN_NETMASK}) allow"
- fi
-
- if [ -n "${BLUE_ADDRESS}" ]; then
- echo "# allow access from BLUE"
- echo "access-control: $(cidr ${BLUE_NETADDRESS} ${BLUE_NETMASK}) allow"
- fi
- ) > /etc/unbound/interfaces.conf
-}
-
write_forward_conf() {
(
config_header
+ local insecure_zones="${INSECURE_ZONES}"
+
local enabled zone server remark
while IFS="," read -r enabled zone server remark; do
# Line must be enabled.
[ "${enabled}" = "on" ] || continue
+ # Zones that end with .local are commonly used for internal
+ # zones and therefore not signed
+ case "${zone}" in
+ *.local)
+ insecure_zones="${insecure_zones} ${zone}"
+ ;;
+ esac
+
echo "forward-zone:"
echo " name: ${zone}"
echo " forward-addr: ${server}"
echo
done < /var/ipfire/dnsforward/config
+
+ if [ -n "${insecure_zones}" ]; then
+ echo "server:"
+
+ for zone in ${insecure_zones}; do
+ echo " domain-insecure: ${zone}"
+ done
+ fi
) > /etc/unbound/forward.conf
}
@@ -333,7 +335,6 @@ case "$1" in
# Update configuration files
write_tuning_conf
- write_interfaces_conf
write_forward_conf
boot_mesg "Starting Unbound DNS Proxy..."
hooks/post-receive
--
IPFire 2.x development tree
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2016-11-04 19:58 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-11-04 19:58 [git.ipfire.org] IPFire 2.x development tree branch, core107, updated. 34f6a3f1b56e724062897d480d102d81e4e47298 git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox