* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 01bec956555de7966990047406cbf417d314c40d
@ 2018-03-05 15:22 git
0 siblings, 0 replies; only message in thread
From: git @ 2018-03-05 15:22 UTC (permalink / raw)
To: ipfire-scm
[-- Attachment #1: Type: text/plain, Size: 3419 bytes --]
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via 01bec956555de7966990047406cbf417d314c40d (commit)
via 438da7e0a012cb979e77efcb923ab86b9078fb57 (commit)
from 9d5e5eb01240cad610088fe2ea6b5b68e4f5e5ee (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 01bec956555de7966990047406cbf417d314c40d
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Mar 5 15:21:56 2018 +0000
core120: Ship updated unbound init script
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 438da7e0a012cb979e77efcb923ab86b9078fb57
Author: Peter Müller <peter.mueller(a)link38.eu>
Date: Sun Mar 4 18:26:52 2018 +0100
test if nameservers with DNSSEC support return "ad"-flagged data
DNSSEC-validating nameservers return an "ad" (Authenticated Data)
flag in the DNS response header. This can be used as a negative
indicator for DNSSEC validation: In case a nameserver does not
return the flag, but failes to look up a domain with an invalid
signature, it does not support DNSSEC validation.
This makes it easier to detect nameservers which do not fully
comply to the RFCs or try to tamper DNS queries.
See bug #11595 (https://bugzilla.ipfire.org/show_bug.cgi?id=11595) for further details.
The second version of this patch avoids unnecessary usage of
grep. Thanks to Michael Tremer for the hint.
Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/rootfiles/core/120/filelists/files | 1 +
src/initscripts/system/unbound | 7 ++++++-
2 files changed, 7 insertions(+), 1 deletion(-)
Difference in files:
diff --git a/config/rootfiles/core/120/filelists/files b/config/rootfiles/core/120/filelists/files
index 848d69a97..ad9da24a5 100644
--- a/config/rootfiles/core/120/filelists/files
+++ b/config/rootfiles/core/120/filelists/files
@@ -3,6 +3,7 @@ etc/issue
etc/sysctl.conf
etc/fcron.daily/openvpn-crl-updater
etc/rc.d/init.d/dhcp
+etc/rc.d/init.d/unbound
srv/web/ipfire/cgi-bin/ovpnmain.cgi
srv/web/ipfire/cgi-bin/vpnmain.cgi
usr/lib/python2.7/lib-dynload/_hashlib.so
diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound
index a46999992..dcb9653ee 100644
--- a/src/initscripts/system/unbound
+++ b/src/initscripts/system/unbound
@@ -378,7 +378,12 @@ ns_is_validating() {
local ns=${1}
shift
- dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL
+ if ! dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL; then
+ return 1
+ else
+ # Determine if NS replies with "ad" data flag if DNSSEC enabled
+ dig @${ns} +dnssec SOA ${TEST_DOMAIN} $@ | awk -F: '/\;\;\ flags\:/ { s=1; if (/\ ad/) s=0; exit s }'
+ fi
}
# Checks if we can retrieve the DNSKEY for this domain.
hooks/post-receive
--
IPFire 2.x development tree
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2018-03-05 15:22 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-03-05 15:22 [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 01bec956555de7966990047406cbf417d314c40d git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox