From mboxrd@z Thu Jan  1 00:00:00 1970
From: git@ipfire.org
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated.
 01bec956555de7966990047406cbf417d314c40d
Date: Mon, 05 Mar 2018 15:22:29 +0000
Message-ID: <20180305152229.7DB82106D063@git01.ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8544866737107189641=="
List-Id: <ipfire-scm.lists.ipfire.org>

--===============8544866737107189641==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  01bec956555de7966990047406cbf417d314c40d (commit)
       via  438da7e0a012cb979e77efcb923ab86b9078fb57 (commit)
      from  9d5e5eb01240cad610088fe2ea6b5b68e4f5e5ee (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 01bec956555de7966990047406cbf417d314c40d
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Mar 5 15:21:56 2018 +0000

    core120: Ship updated unbound init script
   =20
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 438da7e0a012cb979e77efcb923ab86b9078fb57
Author: Peter M=C3=BCller <peter.mueller(a)link38.eu>
Date:   Sun Mar 4 18:26:52 2018 +0100

    test if nameservers with DNSSEC support return "ad"-flagged data
   =20
    DNSSEC-validating nameservers return an "ad" (Authenticated Data)
    flag in the DNS response header. This can be used as a negative
    indicator for DNSSEC validation: In case a nameserver does not
    return the flag, but failes to look up a domain with an invalid
    signature, it does not support DNSSEC validation.
   =20
    This makes it easier to detect nameservers which do not fully
    comply to the RFCs or try to tamper DNS queries.
   =20
    See bug #11595 (https://bugzilla.ipfire.org/show_bug.cgi?id=3D11595) for =
further details.
   =20
    The second version of this patch avoids unnecessary usage of
    grep. Thanks to Michael Tremer for the hint.
   =20
    Signed-off-by: Peter M=C3=BCller <peter.mueller(a)link38.eu>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/rootfiles/core/120/filelists/files | 1 +
 src/initscripts/system/unbound            | 7 ++++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

Difference in files:
diff --git a/config/rootfiles/core/120/filelists/files b/config/rootfiles/cor=
e/120/filelists/files
index 848d69a97..ad9da24a5 100644
--- a/config/rootfiles/core/120/filelists/files
+++ b/config/rootfiles/core/120/filelists/files
@@ -3,6 +3,7 @@ etc/issue
 etc/sysctl.conf
 etc/fcron.daily/openvpn-crl-updater
 etc/rc.d/init.d/dhcp
+etc/rc.d/init.d/unbound
 srv/web/ipfire/cgi-bin/ovpnmain.cgi
 srv/web/ipfire/cgi-bin/vpnmain.cgi
 usr/lib/python2.7/lib-dynload/_hashlib.so
diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound
index a46999992..dcb9653ee 100644
--- a/src/initscripts/system/unbound
+++ b/src/initscripts/system/unbound
@@ -378,7 +378,12 @@ ns_is_validating() {
 	local ns=3D${1}
 	shift
=20
-	dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL
+	if ! dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL; then
+		return 1
+	else
+		# Determine if NS replies with "ad" data flag if DNSSEC enabled
+		dig @${ns} +dnssec SOA ${TEST_DOMAIN} $@ | awk -F: '/\;\;\ flags\:/ { s=3D=
1; if (/\ ad/) s=3D0; exit s }'
+	fi
 }
=20
 # Checks if we can retrieve the DNSKEY for this domain.


hooks/post-receive
--
IPFire 2.x development tree

--===============8544866737107189641==--