pool/unbound
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add workaround for bug https://github.com/NLnetLabs/unbound/issues/509

Browse Source 
OBS-URL: https://build.opensuse.org/package/show/server:dns/unbound?expand=0&rev=188
This commit is contained in:
Jorik Cronenberg 2024-11-27 12:13:17 +00:00 committed by Git OBS Bridge
commit 3a8f3aea57
35 changed files with 10701 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
.osc

4
_multibuild Normal file
View File

@ -0,0 +1,4 @@
<multibuild>
<package>libunbound-devel-mini</package>
</multibuild>

10
block-example.com.conf Normal file
View File

@ -0,0 +1,10 @@
# entries in this file override toe global DNS
#
# Example blocking email going out to example.com
#
# local-data: "example.com. 3600 IN MX 5 127.0.0.1"
# local-data: "example.com. 3600 IN A 127.0.0.1"
# This can also be done dynamically using: unbound-control local-data [...]
# For more complicated redirection, use conf.d/ with stub-add: or forward-add:

3
dlv.isc.org.key Normal file
View File

@ -0,0 +1,3 @@
; https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11
; or call: dig dlv.isc.org. dnskey|grep "257 "
dlv.isc.org. IN DNSKEY 257 3 5 BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh

17
example.com.conf Normal file
View File

@ -0,0 +1,17 @@
# Example of an override of the "public DNS tree" with an "internal view"
# override, for example to add an internal-only corporate DNS zone.
#
# The stub-zone/stub-addr must point to AUTHORITATIVE servers. If you want to
# point to an internal RECURSIVE server, use forward-zone/forward-addr instead.
#stub-zone:
# name: example.com
# stub-prime: no
# # if you could trust a lookup, use:
# stub-host: a.iana-servers.net.
# stub-host: b.iana-servers.net.
# # else specify the IP's using:
# stub-addr: 199.43.132.53
# stub-addr: 2001:500:8c::53
# stub-addr: 199.43.133.53
# stub-addr: 2001:500:8d::53

7
example.com.key Normal file
View File

@ -0,0 +1,7 @@
; // format is BIND trusted-keys format
; // Ensure to only put KSKs (usually 257) here, not ZSKs (usually 256)
; // trusted-keys {
; // "example.com." 257 3 8 "AwEAAawt7HplI5M8GGAsxuyCyjF0l+QlcgVN11CRZ4vP66qbDCX0BnShZ11BGb//4zSG/8mmBHirL2FLg+mVuIIxig+iroZYjh4iTKVOhv2hZftRwyrQHK++qXvCCWN3ki51RG/e8R4kOEV71rZ8OgQvPWx6F91qroqOPpcf7PPxippeHOn+PxnP0hpyLyo1mx1rPs/cMpL3jOMufGP+LJYh+fBU7lt0sP5i09HaJPruzyZML9BPtpv8ZAdQhwtXVG0+MnET2qT/1+TljpxZn6yeegFRCFRHBjMo6iiRJnUWra/klkrgEn2Q+BXGTOMTTKQdYz4OxYEa1z7apu3a09dYNBM="; // key id = 51605
; // "example.com." 257 3 8 "AwEAAeikvxboZpn9VCxm3YDLHo40SvA9EmRwJHHQyJ0OCzrQSRBSipojrW7yESXWiDDyzflS8rgzDs7M3fIdSduOdyNi55DmXPdkS8HYORTMNyzFsSOg+xx6tUySK2p4WAhlbsJNLz4IkQCek59NoDBOLyQ15npsr7Tgfb/HHU7zmCMvnxh0SqO2lyhnQfk29Thc3nC4KNJNb3drjWKOuCw5mg+2GrEZYc/VqdeGvrOCQ2el8jWZpSU5cxb7EdEy4B9nEeZiBpHXaZ5XJ+ewi4vmcUK5/445mGJqV4rDeicy5/ShC/BJ81v3bIRPWebvDRJmDbjr2d9MnLXUE7yyETrQd18="; // key id = 31589
; // };

77
icannbundle.pem Normal file
View File

@ -0,0 +1,77 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
Validity
Not Before: Dec 23 04:19:12 2009 GMT
Not After : Dec 18 04:19:12 2029 GMT
Subject: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:a0:db:70:b8:4f:34:da:9c:d4:d0:7e:bb:ea:15:
bc:e9:c9:11:2a:1f:61:2f:6a:b9:bd:3f:3d:76:a0:
9a:0a:f7:ee:93:6e:6e:55:53:84:8c:f2:2c:f1:82:
27:c8:0f:9a:cf:52:1b:54:da:28:d2:2c:30:8e:dd:
fb:92:20:33:2d:d6:c8:f1:0e:10:21:88:71:fa:84:
22:4b:5d:47:56:16:7c:9b:9f:5d:c3:11:79:9c:14:
e2:ff:c0:74:ac:dd:39:d7:e0:38:d8:b0:73:aa:fb:
d1:db:84:af:52:22:a8:f6:d5:9b:94:f4:e6:5d:5e:
e8:3f:87:90:0b:c7:1a:77:f5:2e:d3:8f:1a:ce:02:
1d:07:69:21:47:32:da:46:ae:00:4c:b6:a5:a2:9c:
39:c1:c0:4a:f6:d3:1c:ae:d3:6d:bb:c7:18:f0:7e:
ed:f6:80:ce:d0:01:2e:89:de:12:ba:ee:11:cb:a6:
7a:d7:0d:7c:f3:08:8d:72:9d:bf:55:75:13:70:bb:
31:22:4a:cb:e8:c0:aa:a4:09:aa:36:68:40:60:74:
9d:e7:19:81:43:22:52:fe:c9:2b:52:0f:41:13:36:
09:72:65:95:cc:89:ae:6f:56:17:16:34:73:52:a3:
04:ed:bd:88:82:8a:eb:d7:dc:82:52:9c:06:e1:52:
85:41
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
Signature Algorithm: sha256WithRSAEncryption
0f:f1:e9:82:a2:0a:87:9f:2d:94:60:5a:b2:c0:4b:a1:2f:2b:
3b:47:d5:0a:99:86:38:b2:ec:c6:3b:89:e4:6e:07:cf:14:c7:
c7:e8:cf:99:8f:aa:30:c3:19:70:b9:e6:6d:d6:3f:c8:68:26:
b2:a0:a5:37:42:ca:d8:62:80:d1:a2:5a:48:2e:1f:85:3f:0c:
7b:c2:c7:94:11:5f:19:2a:95:ac:a0:3a:03:d8:91:5b:2e:0d:
9c:7c:1f:2e:fc:e9:44:e1:16:26:73:1c:45:4a:65:c1:83:4c:
90:f3:f2:28:42:df:db:c4:e7:04:12:18:62:43:5e:bc:1f:6c:
84:e6:bc:49:32:df:61:d7:99:ee:e4:90:52:7b:0a:c2:91:8a:
98:62:66:b1:c8:e0:b7:5a:b5:46:7c:76:71:54:8e:cc:a4:81:
5c:19:db:d2:6f:66:b5:bb:2b:ae:6b:c9:74:04:a8:24:de:e8:
c5:d3:fc:2c:1c:d7:8f:db:6a:8d:c9:53:be:5d:50:73:ac:cf:
1f:93:c0:52:50:5b:a2:4f:fe:ad:65:36:17:46:d1:2d:e5:a2:
90:66:05:db:29:4e:5d:50:5d:e3:4f:da:a0:8f:f0:6b:e4:16:
70:dd:7f:f3:77:7d:b9:4e:f9:ec:c3:33:02:d7:e9:63:2f:31:
e7:40:61:a4
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX
DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O
IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB
MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb
cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S
G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg
ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2
paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7
MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29
iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B
Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3
DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH
6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD
2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h
15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF
0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg
j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk
-----END CERTIFICATE-----

1
libunbound-devel-mini-rpmlintrc Normal file
View File

@ -0,0 +1 @@
addFilter('shlib-policy-name-error')

4247
libunbound-devel-mini.changes Normal file
View File

File diff suppressed because it is too large Load Diff

112
libunbound-devel-mini.spec Normal file
View File

@ -0,0 +1,112 @@
#
# spec file for package libunbound-devel-mini
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define ldns_version 1.6.16
%bcond_without python
%bcond_without munin
%bcond_without hardened_build
#
Name: libunbound-devel-mini
Version: 1.22.0
#!BcntSyncTag: unbound
Release: 0
Summary: Just a devel package for build loops
License: BSD-3-Clause
Group: Productivity/Networking/DNS/Servers
#
URL: https://www.unbound.net/
Source: https://www.unbound.net/downloads/unbound-%{version}.tar.gz
Source100: https://www.unbound.net/downloads/unbound-%{version}.tar.gz.asc
Source101: unbound.keyring
Source1: libunbound-devel-mini-rpmlintrc
Source5: root.key
Source6: dlv.isc.org.key
# From http://data.iana.org/root-anchors/icannbundle.pem
Source12: icannbundle.pem
Source13: root.anchor
#
#
BuildRequires: flex
BuildRequires: ldns-devel >= %{ldns_version}
BuildRequires: libevent-devel
BuildRequires: libexpat-devel
BuildRequires: libsodium-devel
BuildRequires: openssl-devel
Requires: this-is-only-for-build-envs
Conflicts: libunbound8
Conflicts: unbound-devel
Provides: libunbound-devel = %{version}-%{release}
%description
Unbound is a validating, recursive, and caching DNS(SEC) resolver.
The C implementation of Unbound is developed and maintained by NLnet
Labs. It is based on ideas and algorithms taken from a java prototype
developed by Verisign labs, Nominet, Kirei and ep.net.
Unbound is designed as a set of modular components, so that also
DNSSEC (secure DNS) validation and stub-resolvers (that do not run
as a server, but are linked into an application) are easily possible.
%prep
%setup -q -n unbound-%{version}
%build
export CFLAGS="%{optflags}"
export CXXFLAGS="%{optflags}"
%configure \
--disable-rpath \
--with-libevent \
--with-pthreads \
--disable-static \
--with-ldns=%{_prefix} \
--enable-sha2 \
--enable-gost \
--enable-ecdsa \
--enable-event-api \
--enable-pie \
--enable-relro-now \
--enable-dnscrypt \
--with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \
--with-pidfile=%{piddir}/%{name}/%{name}.pid \
--without-pythonmodule --without-pyunbound \
--with-libunbound-only \
--with-rootkey-file=%{_sharedstatedir}/unbound/root.key \
--disable-explicit-port-randomisation
%make_build
%install
%make_install
rm -rf %{buildroot}%{_mandir} %{buildroot}%{_libdir}/*.la
%check
# it currently fails in the ldns unit test. which is weird as both come from the same project
%make_build check ||:
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%files
%{_libdir}/libunbound.so.*
%{_includedir}/unbound.h
%{_includedir}/unbound-event.h
%{_libdir}/libunbound.so
%{_libdir}/pkgconfig/libunbound.pc
%changelog

1
root.anchor Normal file
View File

@ -0,0 +1 @@
. 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}

7
root.key Normal file
View File

@ -0,0 +1,7 @@
; https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11
; // The root key in bind format. This can be read by most tools, including
; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this
; // key 20326 (key-rollover 2017/2018)
trusted-keys {
"." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326
};

1
tmpfiles-unbound.conf Normal file
View File

@ -0,0 +1 @@
D /run/unbound 0755 unbound unbound -

3
unbound-1.20.0.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:56b4ceed33639522000fd96775576ddf8782bb3617610715d7f1e777c5ec1dbf
size 6550938

16
unbound-1.20.0.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEE7fqj8spObrBWga+On28cLX4EX40FAmY7MtIACgkQn28cLX4E
X43TZw//UOLWFXCT36DydXV2gi8vAB9xIFOGj7LbfOSIu8mg2gOvxaBFcC3qb8iB
Wh4prktm+ANRyrmaDq5jlhG2JS0JGYCAGXntN8O09IZt8cx5s1N4UWOOOHp/XEcF
spQpohJlJMnDl+WuIW0rGUnME4mytEBd/HwIM2Q4XyhXOEQj4hEW1tGlNF1qNq5b
8KV5AbRa1OMPeaOaLUb3rg4Wll90twKnlVsdAga1GzYHYHIjbrvso8TbEAZQOzk1
Vu20zwNV1mFNRQcBhhkRBSirmZQ3p73HDT3j3yZZ7D2VaZyi1TQSNxCKAkBpM7NX
ZXBXHpYjf/9kei8vMeQBE4pIoXgcSAASyHh1FNZ8vzyklR8lP8grNtgn1R7ACryN
U1W+0Mh4gjZLjK4sgfouunqpuDpKnpb7a/b19D4fqGBYen+V/BBwARbdxPABs2fK
Y5kMnSIM3eZPZD2PnLEL8uqfuES1QZ9OkhGvEX9jhO3plYWzUDa7J/5eFqyUEpPc
zkAlQvJySW1T18U7YWPLM7ipsVIZc7XPkvEHpit6cSj7f4wUPurJio2glOHwXafZ
+mmzb7nFahTE6tmvOF3dBbvxRpzYtHI6qa1tNTVR9EFJsc8Bm9a8dcI6Jd4e6M2i
XWA32DOSppyEdLz3aEmpIQLT3VpSPRHuLB+slfi+xsBcwNJHL4w=
=mEBa
-----END PGP SIGNATURE-----

BIN
unbound-1.21.0.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

16
unbound-1.21.0.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEE7fqj8spObrBWga+On28cLX4EX40FAma9sjoACgkQn28cLX4E
X43OQhAApRqRpVAILKhqBjf2ilKLqEFgCxyT4cXiMVBTMtlx9/bTxec/JeXVdO7h
nA4oFb7HwRPkOJnTfwk7kWk8SFBoGv+lb2YVdgSgaftqgFR3dmoyACIf9QqyFUuO
kLiIpNer6f1rRmGs850t+XE9YS+Adn3jPi6r5vnuXekoXjY8h18cSRSlWL42At2j
V7NpCbRUshwCP71PS1AVE1SHtHsxD5yCrCzuMDTZIroCiAPu4k0JkqKri7ie4cqf
rjvqsVN7fngXj3bLShJcjcnBRxMoEMJ5ubY7d9SZBm8kvREy1ILAmlwejhhcZzC7
Yc14v+wreaEYte1KmVwtgFDwvwbJqho2OwRJgPmUVVyJ8F15ESsl5ahgZJhZ893o
BCbapmEMJEPsIzITbvJg+WOwpFZQp6VZu+NQqd12WTanZuIwnp54Q/YQo0RqTfK4
qyMLKFmKXmaKNmgqtXcs2Bn6NVeDZpO/f0B1/fDkUot4xSGHWIEQGK/u5DHbemyS
/3DaTvUQVLke9E3pDDP6J5qvc7tRZK6qQ4GXwkc7FFocHzos54aCusyUQw22K7k4
MEOwlQBqcof5UeLRkGVhianOsxzFGIiNC/LNI4pJlKT13u20YiBpweNJBC+jMIJI
Ohz4vCE74OgT3M74I+dmKzEk6Xvor0id7eKsLpbiJuaof+j4oUQ=
=1ZET
-----END PGP SIGNATURE-----

BIN
unbound-1.21.1.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

17
unbound-1.21.1.tar.gz.asc Normal file
View File

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
iQJIBAABCAAyFiEElI60IyLF0At5NA9dz/M0TZCHpJAFAmb+oYkUHGdlb3JnZUBu
bG5ldGxhYnMubmwACgkQz/M0TZCHpJCSFg//UCvlmqfk8YoEdUCeQ33pq0qHD3Sq
t4ZktdfQ8irZ/RbKw4vbdooMWheiMqnpW6YC9V5ROGC3kW6eM3e3rR6pgXEROjnv
HvOgMEZ3t3yL70Fb7JkabklUK9nN4kzMY6MU2DMRxUBUshglSwb6e5j7QBihmGbg
cZHHrtvPcYheCA3fHHFmr7VKluX+jbQpv6uz5JEmkNw5rNxACfla6l2QADuaCS2m
a9DOdt0NJFhnO/J/GxaVdqwAAH8vLb+SGzLgTH26zIfJyvoqhrowM3X2i/sIgcQ6
0+B2xtuOkpRIqyx0lEf0ShnoyGlW57VJyOBwlmI1RWWBph+KctptvncIH1EVjGbU
yZ5ywPSYVJvT5Z7DVYgRsITKCdLcj7OcfToGGLO3ebmQJDGknpCecgZtRbiPplO0
Irk45ydwN+g1+dxj5XGip86cEJd0/RlBFg7+iDmWSv8xmrs5mMtB8MM4AifyBR8n
Qa27QhM4bKhWpRZjTnvkLz+nZHfPZGpCr+9lSimFrm51htmjLGU6VD25Bk/7mj6j
Ck5I/1tZLl36+waCDaO3bug+tymrwcPDjWiL9M0Ffl9R/XEtiXotpTWuGzMG7qV5
tvlYDWnBki+fScSb/ceWhnNyoPbg2XhQk+xuIwTRQpZ8AcK/iOIXDinGRzcrWM98
lGFgpm3+wJbOGFs=
=TrGe
-----END PGP SIGNATURE-----

BIN
unbound-1.22.0.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

16
unbound-1.22.0.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEE7fqj8spObrBWga+On28cLX4EX40FAmcQu3AACgkQn28cLX4E
X406WxAApGHTdne/RVrQq/v+lUz6CDkkm5r5AXFsmKBGvPJZm+CAEVECq4mKXa5E
X1SqlZCQx/LCcqPqdffEVSlmFiI219rEo2z/wCNJzCJXqzx9B1/daW8vv8k+N2TZ
La2NxlOG2zeyiitxoGCBb5Y3aZgyD9ZIEW/nB7kkt0V41Z60ssLA6zzXAlqxhxp5
HIMRRzfvPwguDKkEFm390ob+oWiqDGIZTTBRyjJAaGa46o3WBLUYIz1yB51X+v+E
TCpbVV29ZmC4V7G0B96zxg+tnqw2fpkL2DgHTnyKbKaWXwo7aGhxHMux2PuiZKxR
eXeJ0Mz5Np/E0TgVPD33g3idbr6dHzsT+lZ9BuAG+RBJ49iMH/tSDGUTw3/GJvQb
XPWJeRsWSn2MSMNX45n6FH2azBZJ4+VA9tWR2Q5zm2fLzzUVhvhtkwl3fYsmzsam
Lccj9Okp9xFxGohFO4d9NxMP57Tvzi1ur5Fp4dsCH9rfGIzKJTQP1AWAEB1ga9+5
g+himRGuzpRVoqCXeKp6MBf8kZJIhXxX/94vSyiiWuCTaJQYvMi0+p1dF3TcWEnH
Tpce+9nj9gddrrOXnSs+2Mljt9pm0A8fWSsqsObf+SGt8QGbpHVkCX74HGbNY5Yz
tun/VDN/tkbOhLX6ibivqAfjKsk8gjlfNme1HbCD3cPUmPrlG54=
=5pYC
-----END PGP SIGNATURE-----

9
unbound-anchor.service Normal file
View File

@ -0,0 +1,9 @@
[Unit]
Description=update of the root trust anchor for DNSSEC validation in unbound
Documentation=man:unbound-anchor(8)
[Service]
Type=oneshot
User=unbound
ExecStart=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
SuccessExitStatus=1

13
unbound-anchor.timer Normal file
View File

@ -0,0 +1,13 @@
[Unit]
Description=daily update of the root trust anchor for DNSSEC
Documentation=man:unbound-anchor(8)
[Timer]
# Current DNSKEY TTL in root zone is 172800 seconds, i.e. 172800/60/60/24 = 2 days.
# It means that unboud-anchor should be run at least once a day.
OnCalendar=daily
Persistent=true
AccuracySec=24h
[Install]
WantedBy=timers.target

15
unbound-keygen.service Normal file
View File

@ -0,0 +1,15 @@
[Unit]
Description=Unbound Control Key And Certificate Generator
After=syslog.target
Before=unbound.service
ConditionPathExists=!/etc/unbound/unbound_control.key
[Service]
Type=oneshot
Group=unbound
ExecStart=/usr/sbin/unbound-control-setup -d /etc/unbound/
ExecStart=/sbin/restorecon /etc/unbound/*
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target

5
unbound-munin.README Normal file
View File

@ -0,0 +1,5 @@
To activate the munin plugins, run (as root):
cd /etc/munin/plugins
for i in /usr/share/munin/plugins/unbound_*; do ln -s $i; done

4437
unbound.changes Normal file
View File

File diff suppressed because it is too large Load Diff

551
unbound.conf Normal file
View File

@ -0,0 +1,551 @@
#
# See unbound.conf(5) man page.
#
# this is a comment.
#Use this to include other text into the file.
#include: "otherfile.conf"
# The server clause sets the main parameters.
server:
# whitespace is not necessary, but looks cleaner.
# verbosity number, 0 is least verbose. 1 is default.
verbosity: 1
# print statistics to the log (for every thread) every N seconds.
# Set to "" or 0 to disable. Default is disabled.
# Needed for munin plugin
statistics-interval: 0
# enable cumulative statistics, without clearing them after printing.
# Needed for munin plugin
statistics-cumulative: yes
# enable extended statistics (query types, answer codes, status)
# printed from unbound-control. default off, because of speed.
# Needed for munin plugin
extended-statistics: yes
# number of threads to create. 1 disables threading.
num-threads: 2
# specify the interfaces to answer queries from by ip-address.
# The default is to listen to localhost (127.0.0.1 and ::1).
# specify 0.0.0.0 and ::0 to bind to all available interfaces.
# specify every interface on a new 'interface:' labelled line.
# The listen interfaces are not changed on reload, only on restart.
# interface: 0.0.0.0
# interface: ::0
# interface: 192.0.2.153
# interface: 192.0.2.154
# interface: 2001:DB8::5
#
# for dns over tls and raw dns over port 80
# interface: 0.0.0.0@443
# interface: ::0@443
# interface: 0.0.0.0@80
# interface: ::0@80
# enable this feature to copy the source address of queries to reply.
# Socket options are not supported on all platforms. experimental.
# interface-automatic: yes
#
# NOTE: Enable this option when specifying interface 0.0.0.0 or ::0
# NOTE: Disabled per Fedora policy not to listen to * on default install
# NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled
interface-automatic: no
# port to answer queries from
# port: 53
# specify the interfaces to send outgoing queries to authoritative
# server from by ip-address. If none, the default (all) interface
# is used. Specify every interface on a 'outgoing-interface:' line.
# outgoing-interface: 192.0.2.153
# outgoing-interface: 2001:DB8::5
# outgoing-interface: 2001:DB8::6
# number of ports to allocate per thread, determines the size of the
# port range that can be open simultaneously.
# outgoing-range: 4096
# number of outgoing simultaneous tcp buffers to hold per thread.
# outgoing-num-tcp: 10
# number of incoming simultaneous tcp buffers to hold per thread.
# incoming-num-tcp: 10
# buffer size for UDP port 53 incoming (SO_RCVBUF socket option).
# 0 is system default. Use 4m to catch query spikes for busy servers.
# so-rcvbuf: 0
# buffer size for UDP port 53 outgoing (SO_SNDBUF socket option).
# 0 is system default. Use 4m to handle spikes on very busy servers.
# so-sndbuf: 0
# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
# is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
# edns-buffer-size: 4096
# Maximum UDP response size (not applied to TCP response).
# Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
# 3072 causes +dnssec any isc.org queries to need TC=1. Helps mitigating DDOS
max-udp-size: 3072
# buffer size for handling DNS data. No messages larger than this
# size can be sent or received, by UDP or TCP. In bytes.
# msg-buffer-size: 65552
# the amount of memory to use for the message cache.
# plain value in bytes or you can append k, m or G. default is "4Mb".
# msg-cache-size: 4m
# the number of slabs to use for the message cache.
# the number of slabs must be a power of 2.
# more slabs reduce lock contention, but fragment memory usage.
# msg-cache-slabs: 4
# the number of queries that a thread gets to service.
# num-queries-per-thread: 1024
# if very busy, 50% queries run to completion, 50% get timeout in msec
# jostle-timeout: 200
# the amount of memory to use for the RRset cache.
# plain value in bytes or you can append k, m or G. default is "4Mb".
# rrset-cache-size: 4m
# the number of slabs to use for the RRset cache.
# the number of slabs must be a power of 2.
# more slabs reduce lock contention, but fragment memory usage.
# rrset-cache-slabs: 4
# the time to live (TTL) value lower bound, in seconds. Default 0.
# If more than an hour could easily give trouble due to stale data.
# cache-min-ttl: 0
# the time to live (TTL) value cap for RRsets and messages in the
# cache. Items are not cached for longer. In seconds.
# cache-max-ttl: 86400
# the time to live (TTL) value for cached roundtrip times, lameness
# and EDNS version information for hosts. In seconds.
# infra-host-ttl: 900
# the number of slabs to use for the Infrastructure cache.
# the number of slabs must be a power of 2.
# more slabs reduce lock contention, but fragment memory usage.
# infra-cache-slabs: 4
# the maximum number of hosts that are cached (roundtrip, EDNS, lame).
# infra-cache-numhosts: 10000
# Enable IPv4, "yes" or "no".
# do-ip4: yes
# Enable IPv6, "yes" or "no".
# do-ip6: yes
# Enable UDP, "yes" or "no".
# NOTE: if setting up an unbound on tls443 for public use, you might want to
# disable UDP to avoid being used in DNS amplification attacks.
# do-udp: yes
# Enable TCP, "yes" or "no".
# do-tcp: yes
# upstream connections use TCP only (and no UDP), "yes" or "no"
# useful for tunneling scenarios, default no.
# tcp-upstream: no
# Detach from the terminal, run in background, "yes" or "no".
# do-daemonize: yes
# control which clients are allowed to make (recursive) queries
# to this server. Specify classless netblocks with /size and action.
# By default everything is refused, except for localhost.
# Choose deny (drop message), refuse (polite error reply),
# allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
# access-control: 0.0.0.0/0 refuse
# access-control: 127.0.0.0/8 allow
# access-control: ::0/0 refuse
# access-control: ::1 allow
# access-control: ::ffff:127.0.0.1 allow
# if given, a chroot(2) is done to the given directory.
# i.e. you can chroot to the working directory, for example,
# for extra security, but make sure all files are in that directory.
#
# If chroot is enabled, you should pass the configfile (from the
# commandline) as a full path from the original root. After the
# chroot has been performed the now defunct portion of the config
# file path is removed to be able to reread the config after a reload.
#
# All other file paths (working dir, logfile, roothints, and
# key files) can be specified in several ways:
# o as an absolute path relative to the new root.
# o as a relative path to the working directory.
# o as an absolute path relative to the original root.
# In the last case the path is adjusted to remove the unused portion.
#
# The pid file can be absolute and outside of the chroot, it is
# written just prior to performing the chroot and dropping permissions.
#
# Additionally, unbound may need to access /dev/random (for entropy).
# How to do this is specific to your OS.
#
# If you give "" no chroot is performed. The path must not end in a /.
# chroot: "/var/lib/unbound"
chroot: ""
# if given, user privileges are dropped (after binding port),
# and the given username is assumed. Default is user "unbound".
# If you give "" no privileges are dropped.
username: "unbound"
# the working directory. The relative files in this config are
# relative to this directory. If you give "" the working directory
# is not changed.
directory: "/etc/unbound"
# the log file, "" means log to stderr.
# Use of this option sets use-syslog to "no".
# logfile: ""
# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
# log to, with identity "unbound". If yes, it overrides the logfile.
# use-syslog: yes
# print UTC timestamp in ascii to logfile, default is epoch in seconds.
log-time-ascii: yes
# print one line with time, IP, name, type, class for every query.
# log-queries: no
# the pid file. Can be an absolute path outside of chroot/work dir.
pidfile: "/var/run/unbound/unbound.pid"
# file to read root hints from.
# get one from ftp://FTP.INTERNIC.NET/domain/named.cache
# root-hints: ""
# enable to not answer id.server and hostname.bind queries.
# hide-identity: no
# enable to not answer version.server and version.bind queries.
# hide-version: no
# the identity to report. Leave "" or default to return hostname.
# identity: ""
# the version to report. Leave "" or default to return package version.
# version: ""
# the target fetch policy.
# series of integers describing the policy per dependency depth.
# The number of values in the list determines the maximum dependency
# depth the recursor will pursue before giving up. Each integer means:
# -1 : fetch all targets opportunistically,
# 0: fetch on demand,
# positive value: fetch that many targets opportunistically.
# Enclose the list of numbers between quotes ("").
# target-fetch-policy: "3 2 1 0 0"
# Harden against very small EDNS buffer sizes.
# harden-short-bufsize: no
# Harden against unseemly large queries.
# harden-large-queries: no
# Harden against out of zone rrsets, to avoid spoofing attempts.
harden-glue: yes
# Harden against receiving dnssec-stripped data. If you turn it
# off, failing to validate dnskey data for a trustanchor will
# trigger insecure mode for that zone (like without a trustanchor).
# Default on, which insists on dnssec data for trust-anchored zones.
harden-dnssec-stripped: yes
# Harden against queries that fall under dnssec-signed nxdomain names.
harden-below-nxdomain: yes
# Harden the referral path by performing additional queries for
# infrastructure data. Validates the replies (if possible).
# Default off, because the lookups burden the server. Experimental
# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
harden-referral-path: yes
# Use 0x20-encoded random bits in the query to foil spoof attempts.
# This feature is an experimental implementation of draft dns-0x20.
# (this now fails on all GoDaddy customer domains, so disabled)
use-caps-for-id: no
# Enforce privacy of these addresses. Strips them away from answers.
# It may cause DNSSEC validation to additionally mark it as bogus.
# Protects against 'DNS Rebinding' (uses browser as network proxy).
# Only 'private-domain' and 'local-data' names are allowed to have
# these private addresses. No default.
# private-address: 10.0.0.0/8
# private-address: 172.16.0.0/12
# private-address: 192.168.0.0/16
# private-address: 192.254.0.0/16
# private-address: fd00::/8
# private-address: fe80::/10
# Allow the domain (and its subdomains) to contain private addresses.
# local-data statements are allowed to contain private addresses too.
# private-domain: "example.com"
# If nonzero, unwanted replies are not only reported in statistics,
# but also a running total is kept per thread. If it reaches the
# threshold, a warning is printed and a defensive action is taken,
# the cache is cleared to flush potential poison out of it.
# A suggested value is 10000000, the default is 0 (turned off).
unwanted-reply-threshold: 10000000
# Do not query the following addresses. No DNS queries are sent there.
# List one address per entry. List classless netblocks with /size,
# do-not-query-address: 127.0.0.1/8
# do-not-query-address: ::1
# if yes, the above default do-not-query-address entries are present.
# if no, localhost can be queried (for testing and debugging).
# do-not-query-localhost: yes
# if yes, perform prefetching of almost expired message cache entries.
prefetch: yes
# if yes, perform key lookups adjacent to normal lookups.
prefetch-key: yes
# if yes, Unbound rotates RRSet order in response.
rrset-roundrobin: yes
# if yes, Unbound doesn't insert authority/additional sections
# into response messages when those sections are not required.
minimal-responses: yes
# module configuration of the server. A string with identifiers
# separated by spaces. "iterator" or "validator iterator"
# module-config: "validator iterator"
# File with DLV trusted keys. Same format as trust-anchor-file.
# There can be only one DLV configured, it is trusted from root down.
# Downloaded from https://secure.isc.org/ops/dlv/dlv.isc.org.key
# dlv-anchor-file: "/etc/unbound/dlv.isc.org.key"
# File with trusted keys for validation. Specify more than one file
# with several entries, one file per entry.
# Zone file format, with DS and DNSKEY entries.
# trust-anchor-file: ""
# File with trusted keys, kept uptodate using RFC5011 probes,
# initial file like trust-anchor-file, then it stores metadata.
# Use several entries, one per domain name, to track multiple zones.
# auto-trust-anchor-file: ""
# Trusted key for validation. DS or DNSKEY. specify the RR on a
# single line, surrounded by "". TTL is ignored. class is IN default.
# (These examples are from August 2007 and may not be valid anymore).
# trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ=="
# trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A"
# File with trusted keys for validation. Specify more than one file
# with several entries, one file per entry. Like trust-anchor-file
# but has a different file format. Format is BIND-9 style format,
# the trusted-keys { name flag proto algo "key"; }; clauses are read.
# trusted-keys-file: ""
#
# trusted-keys-file: /etc/unbound/rootkey.bind
trusted-keys-file: /etc/unbound/keys.d/*.key
auto-trust-anchor-file: "/var/lib/unbound/root.key"
# Ignore chain of trust. Domain is treated as insecure.
# domain-insecure: "example.com"
# Override the date for validation with a specific fixed date.
# Do not set this unless you are debugging signature inception
# and expiration. "" or "0" turns the feature off.
# val-override-date: ""
# The time to live for bogus data, rrsets and messages. This avoids
# some of the revalidation, until the time interval expires. in secs.
# val-bogus-ttl: 60
# The signature inception and expiration dates are allowed to be off
# by 10% of the lifetime of the signature from our local clock.
# This leeway is capped with a minimum and a maximum. In seconds.
# val-sig-skew-min: 3600
# val-sig-skew-max: 86400
# Should additional section of secure message also be kept clean of
# unsecure data. Useful to shield the users of this validator from
# potential bogus data in the additional section. All unsigned data
# in the additional section is removed from secure messages.
val-clean-additional: yes
# Turn permissive mode on to permit bogus messages. Thus, messages
# for which security checks failed will be returned to clients,
# instead of SERVFAIL. It still performs the security checks, which
# result in interesting log files and possibly the AD bit in
# replies if the message is found secure. The default is off.
# NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
val-permissive-mode: no
# Have the validator log failed validations for your diagnosis.
# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
val-log-level: 1
# It is possible to configure NSEC3 maximum iteration counts per
# keysize. Keep this table very short, as linear search is done.
# A message with an NSEC3 with larger count is marked insecure.
# List in ascending order the keysize and count values.
# val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
# instruct the auto-trust-anchor-file probing to add anchors after ttl.
# add-holddown: 2592000 # 30 days
# instruct the auto-trust-anchor-file probing to del anchors after ttl.
# del-holddown: 2592000 # 30 days
# auto-trust-anchor-file probing removes missing anchors after ttl.
# If the value 0 is given, missing anchors are not removed.
# keep-missing: 31622400 # 366 days
# the amount of memory to use for the key cache.
# plain value in bytes or you can append k, m or G. default is "4Mb".
# key-cache-size: 4m
# the number of slabs to use for the key cache.
# the number of slabs must be a power of 2.
# more slabs reduce lock contention, but fragment memory usage.
# key-cache-slabs: 4
# the amount of memory to use for the negative cache (used for DLV).
# plain value in bytes or you can append k, m or G. default is "1Mb".
# neg-cache-size: 1m
# a number of locally served zones can be configured.
# local-zone: <zone> <type>
# local-data: "<resource record string>"
# o deny serves local data (if any), else, drops queries.
# o refuse serves local data (if any), else, replies with error.
# o static serves local data, else, nxdomain or nodata answer.
# o transparent serves local data, but resolves normally for other names
# o redirect serves the zone data for any subdomain in the zone.
# o nodefault can be used to normally resolve AS112 zones.
# o typetransparent resolves normally for other types and other names
#
# defaults are localhost address, reverse for 127.0.0.1 and ::1
# and nxdomain for AS112 zones. If you configure one of these zones
# the default content is omitted, or you can omit it with 'nodefault'.
#
# If you configure local-data without specifying local-zone, by
# default a transparent local-zone is created for the data.
#
# You can add locally served data with
# local-zone: "local." static
# local-data: "mycomputer.local. IN A 192.0.2.51"
# local-data: 'mytext.local TXT "content of text record"'
#
# You can override certain queries with
# local-data: "adserver.example.com A 127.0.0.1"
#
# You can redirect a domain to a fixed address with
# (this makes example.com, www.example.com, etc, all go to 192.0.2.3)
# local-zone: "example.com" redirect
# local-data: "example.com A 192.0.2.3"
#
# Shorthand to make PTR records, "IPv4 name" or "IPv6 name".
# You can also add PTR records using local-data directly, but then
# you need to do the reverse notation yourself.
# local-data-ptr: "192.0.2.3 www.example.com"
include: /etc/unbound/local.d/*.conf
# service clients over SSL (on the TCP sockets), with plain DNS inside
# the SSL stream. Give the certificate to use and private key.
# default is "" (disabled). requires restart to take effect.
# ssl-service-key: "/etc/unbound/unbound_server.key"
# ssl-service-pem: "/etc/unbound/unbound_server.pem"
# ssl-port: 443
# request upstream over SSL (with plain DNS inside the SSL stream).
# Default is no. Can be turned on and off with unbound-control.
# ssl-upstream: no
## Python config section. To enable:
## o use --with-pythonmodule to configure before compiling.
## o list python in the module-config string (above) to enable.
## o and give a python-script to run.
#python:
# # Script file to load
# # python-script: "/etc/unbound/ubmodule-tst.py"
# Remote control config section.
remote-control:
# Enable remote control with unbound-control(8) here.
# set up the keys and certificates with unbound-control-setup.
# Note: required for unbound-munin package
control-enable: yes
# what interfaces are listened to for remote control.
# give 0.0.0.0 and ::0 to listen to all interfaces.
# control-interface: 127.0.0.1
# control-interface: ::1
# port number for remote control operations.
# control-port: 953
# unbound server key file.
server-key-file: "/etc/unbound/unbound_server.key"
# unbound server certificate file.
server-cert-file: "/etc/unbound/unbound_server.pem"
# unbound-control key file.
control-key-file: "/etc/unbound/unbound_control.key"
# unbound-control certificate file.
control-cert-file: "/etc/unbound/unbound_control.pem"
# Stub and Forward zones
include: /etc/unbound/conf.d/*.conf
# Stub zones.
# Create entries like below, to make all queries for 'example.com' and
# 'example.org' go to the given list of nameservers. list zero or more
# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
# the list is treated as priming hints (default is no).
# stub-zone:
# name: "example.com"
# stub-addr: 192.0.2.68
# stub-prime: "no"
# stub-zone:
# name: "example.org"
# stub-host: ns.example.com.
# You can now also dynamically create and delete stub-zone's using
# unbound-control stub_add domain.com 1.2.3.4 5.6.7.8
# unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8
# Forward zones
# Create entries like below, to make all queries for 'example.com' and
# 'example.org' go to the given list of servers. These servers have to handle
# recursion to other nameservers. List zero or more nameservers by hostname
# or by ipaddress. Use an entry with name "." to forward all queries.
# If you enable forward-first, it attempts without the forward if it fails.
# forward-zone:
# name: "example.com"
# forward-addr: 192.0.2.68
# forward-addr: 192.0.2.73@5355 # forward to port 5355.
# forward-first: no
# forward-zone:
# name: "example.org"
# forward-host: fwd.example.com
#
# You can now also dynamically create and delete forward-zone's using
# unbound-control forward_add domain.com 1.2.3.4 5.6.7.8
# unbound-control forward_remove domain.com 1.2.3.4 5.6.7.8

57
unbound.keyring Normal file
View File

@ -0,0 +1,57 @@
pub rsa4096 2011-04-21 [SCA] [expires: 2024-12-07]
EDFAA3F2CA4E6EB05681AF8E9F6F1C2D7E045F8D
uid W.C.A. Wijngaards <wouter@nlnetlabs.nl>
sub rsa4096 2011-04-21 [E] [expires: 2024-12-07]
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBE2v/RwBEACyQpJlpCeSZBV1QUH7jNEp5xGdo6OnX2h9XoZ4ZPsb+u6OT+xE
SH45ncnISUh8rPCygbeWOoPR/yOBzh+lYoGxQ5iUHtwRrhHq04sQe/qFpXDO2xs6
1pTcPU2PnH7Rsr2qp6fZLPHuXLolD7NJfaSib8sVeMM0/ecyl/L2bBg9NpaGDX0x
TQh95M8o6AFo6UKWApBpgsvEZr2aH/B8b9KnCWFhfJyheEM7DamksdZNsKxXQyq3
l/ROfdsMLZGF8vPbYV/v11G4keyaLpn8AbBpybIiw9SYDwf2ENk3+e1NFfMaiiyE
qn9+aaLTKCY87TMUuoN3s3jWOOy5tHXzf6DbKhub4Awsby3DH5YpPhi4N2vj2pAX
Vpl5+m78cH29JLzT+HAoyZ4tq1r3m0P5QogNqYwqxkKWYOjDilNDBiKiDdgtrLYG
x+ABovKG/FvToJoaCL4AFaVCzWmL2uHkSgyBN0FPHatCB1UeEkcQit6T8E2NQqmF
WjUMXSWHHajSMG95+L5PdLHz/Ku0o3Csvlt2pkElYZmzJBfnOM9JevdsmKr/ruJC
/DCZAn5w2S/9ZF5qfo2F9HUKIwE/dChR29HcN8V4nqZs9oCvEMfFhHmrfwDc5hed
hvb6mAkvSFFtKIrygLIVeWRj3FE9sGp6sr4VwOLYTFRNk7mAsWD1rZApeQARAQAB
tCdXLkMuQS4gV2lqbmdhYXJkcyA8d291dGVyQG5sbmV0bGFicy5ubD6JAlUEEwEI
AD8CGyMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAFiEE7fqj8spObrBWga+On28c
LX4EX40FAl3uCXUFCRmkDdkACgkQn28cLX4EX40PIBAAnvuPWg0B0bmXQxytVQiS
s4W/jL33SI75fHkMZY6RvVM+WNewceEln7ixwnhpYdZuiDgFnluIOlqMJtXnNT5F
Wu/U3a5Cm9DMXy0mreog24rlYw8ctm1qJFtP3D8yfxaFg7RAtB/VEwDG+UBgQ2VG
y7sF+2Y7zJAIR9ef4TvRo+ER6B9USRiQC0bWc47c7Cai+d5FvxFefVdU+/TaHMsd
NfIsOdCZ9NpiPMGCWfR2XOQuw/iufb3Ki0WYJKyazm8NLBL92BTgWKf9Q3ph9pxz
zAUijJjeUQHK99oLlI3eARFn9kOwKPkJ4XYtetVtGCgluCQJjqEOG0NMHxPUOWlC
BoVBedi/mnPB8u3QcmghMQgP1k6kEP4lT8m5qSUIRaJ1rf35qcWxNsCk4UhDh0zu
u3uXtyX1G9LzSrLMmaI2qOIdTBeZ72jzSqMm1sCp6TTNDkXMpfmqICsFuxNeUxFN
ExOf/4ALBcEQ3Ap0hCp5LIDNN9tZte0Q3yWwmoyL+Owxw2BN8r4UWYwiQmsNBqMN
bA0Vo3ThaZiIsQ+f78ebscqkhz7hgLF5RL5fmd0XXOW0O6QFru1DaUd4ZyT34PCi
9sajhe+VShvfzYyxPNMo/MHVaAnw774s6wbTl5xyOPYAjAnzamxiG+clYZk3XqO5
Yvk3vYZSdg6x57oxiZRXvqe5Ag0ETa/9HAEQAKbwynlS4kmsxEnU2PSrElrKqAd/
KbzrLtuTOPbRI3OU7WOS8CjXJKpHkZSfNzvHRRu1AVbhsCymn/+jkf6XtuLqWdu3
jjllu7F70Db+Wl5TmHxfpoyIVCDao6uKSg5jtXPSe4eXfmrjlX83IH6LYNwVQmip
+ernI4kCdOfblDH4Fk71ZYm56Ce3XmXILfL+1XCyvY7/j/ECR0yMg8yXfiY3Y7h1
6gvwN+0+RvWfOMfMGK0GOpmZjiGGjI8CCnYBXjfpy5OYXpwEVM+DExVFuI/YR6bs
gBaJg0Pd/8JB2fSBAoU8XWZ377Hf/2eOb33F/XUDPrbkfFwmE4VbEnCNU58EeOoY
uTZH5h6Nx1ccAfP6MCfhWQ7EzQWyXewFctu15OC+YS3uwcCw7RTMjqeJToqQjO//
5rRQfZk86pzsIkksk0ZcBlASZM0BVkGtGem32MAOvstXZ9fR+dfRluPYq7Zftvlv
FuDfKC64iIz76q0DsmhCxXEX1ehXy4tPRz4R1W3ozqiBGzrX7jdPpo66xgMKK7X0
wY38PNDflvdAU77WuCtksox3CU5A2HoXzqP+SDKRrQ7DoL7Amw2hUZzSbmLUqkJr
1pNSiDyMOgpHSbWWt/qt2AOw+6LzlR9TgUyjXQY3Pl+FvC+UfTAspl1r4Ij/udkr
9VSHGZrJwga8CuPdABEBAAGJAjwEGAEIACYCGwwWIQTt+qPyyk5usFaBr46fbxwt
fgRfjQUCXe4JfQUJGaQN4QAKCRCfbxwtfgRfjdNAD/4lXxF4xEkKfcJ+pt7nJwWf
ynp0hWcmJC6GITK7nLN2lKQrLNxUUk5tByrDuznQUm4tRvF29ty4YhqhO7t2EGhR
c7m064hACwpN8Z+Cg6B6Umb7+raHrjkScBUg0ZswNeuajj9QUmQ2NQwDpJCL/KJq
bs3TLnx6gMLiwaYEq43YRbYyhZqGVfDxJLX4Bv2pUGz9GptLLp/Wckvf1o+k8Oa/
Ik5Ji0ec1IWVhZWGvTMYCLmuezCUUasQIZsemvkVqNQrvNya009uLsXfQrjzF8Xd
ecMh4gFx6usQFAxo9RlwGV10aGZJVUllT9iFHfkk2A+eanfeA65lpGJb2Vq5kXCw
xAEgGQuklahS27xAuTILQeYnNVF6nT+zVGTNon7UbUHNdNCJdotpRBYbmHelwwPx
/Fjmqn0psb/7XRtjSxFtEFeBLqbPt10doG2D8Ty3LacQHUcNcD0cAe7sqUf173qw
9mPP0LjpmI5d7pkA6TrAFi2zhEbhsJD2kY5En4/YmvanPU1lBuzUCGeMmLFOx9l+
wZnmUfEYuMjLG10YH+KssSo1Mgx6TbKngJKGZahnA3RXdoZgx7+sLi1Jcbv0h4o3
AXdV3kwe0H6FwkbarO0G0pC5bb2ttEDls3HBNZ7yyTA4qzFec/1EL3viTReQ9L5X
CCZWA03V7BL/Sge+YQ/vVA==
=Sy7Z
-----END PGP PUBLIC KEY BLOCK-----

11
unbound.munin Normal file
View File

@ -0,0 +1,11 @@
#
# For this plugin to work, unbound.conf needs to have:
# remote-control: control-enable: yes
#
[unbound*]
user root
env.statefile /var/lib/munin/plugin-state/unbound-state
env.unbound_conf /etc/unbound/unbound.conf
env.unbound_control /usr/sbin/unbound-control
env.spoof_warn 1000
env.spoof_crit 100000

22
unbound.service Normal file
View File

@ -0,0 +1,22 @@
[Unit]
Description=Unbound recursive Domain Name Server
After=syslog.target network.target
After=unbound-keygen.service
Wants=unbound-keygen.service
Wants=unbound-anchor.timer
Before=nss-lookup.target
Wants=nss-lookup.target
[Service]
Type=simple
User=unbound
Group=unbound
EnvironmentFile=-/etc/sysconfig/unbound
#ExecStartPre=/sbin/runuser --shell /bin/sh -c "/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem" unbound
# https://github.com/NLnetLabs/unbound/issues/509
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_UNBOUND_ANCHOR" == "yes" ]; then /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -R; else echo "Updates of root keys with unbound-anchor is disabled"; fi'
ExecStartPre=/usr/sbin/unbound-checkconf
ExecStart=!/usr/sbin/unbound -d $UNBOUND_OPTIONS
[Install]
WantedBy=multi-user.target

432
unbound.spec Normal file
View File

@ -0,0 +1,432 @@
#
# spec file for package unbound
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
#Compat macro for new _fillupdir macro introduced in Nov 2017
%if ! %{defined _fillupdir}
%define _fillupdir /var/adm/fillup-templates
%endif
%bcond_without python3
%bcond_without munin
%bcond_without hardened_build
%bcond_without dnstap
%bcond_without systemd
%define _sharedstatedir /var/lib/
%define ldns_version 1.6.16
%define piddir /run
Name: unbound
Version: 1.22.0
Release: 0
BuildRequires: flex
BuildRequires: ldns-devel >= %{ldns_version}
BuildRequires: libevent-devel
BuildRequires: libexpat-devel
BuildRequires: libsodium-devel
BuildRequires: openssl-devel
BuildRequires: sysuser-tools
%if %{with dnstap}
BuildRequires: libfstrm-devel
BuildRequires: libprotobuf-c-devel >= 1.0.0
BuildRequires: protobuf-c >= 1.0.0
%endif
%if %{with python3}
BuildRequires: python-rpm-macros
BuildRequires: python3-devel
BuildRequires: swig
%endif
# needed for dns over https
BuildRequires: pkgconfig(libnghttp2)
Requires: ldns >= %{ldns_version}
# until we figured something else out for the unbound-anchor part in the systemd unit file
Requires: sudo
# unbound-control-setup depends on /usr/bin/openssl
Requires: openssl
%if %{with systemd}
BuildRequires: pkgconfig(libsystemd)
%{?systemd_requires}
%endif
URL: https://www.unbound.net/
Source: https://www.unbound.net/downloads/unbound-%{version}.tar.gz
Source100: https://www.unbound.net/downloads/unbound-%{version}.tar.gz.asc
Source101: unbound.keyring
Source1: unbound.service
Source2: unbound.conf
Source3: unbound.munin
Source4: unbound_munin_
Source5: root.key
Source6: dlv.isc.org.key
Source7: unbound-keygen.service
Source8: tmpfiles-unbound.conf
Source9: example.com.key
Source10: example.com.conf
Source11: block-example.com.conf
# From http://data.iana.org/root-anchors/icannbundle.pem
Source12: icannbundle.pem
Source13: root.anchor
Source14: unbound.sysconfig
Source15: unbound-anchor.timer
Source16: unbound-munin.README
Source18: unbound-anchor.service
Source19: unbound.sysusers
Summary: Validating, recursive, and caching DNS(SEC) resolver
License: BSD-3-Clause
Group: Productivity/Networking/DNS/Servers
%description
Unbound is a validating, recursive, and caching DNS(SEC) resolver.
The C implementation of Unbound is developed and maintained by NLnet
Labs. It is based on ideas and algorithms taken from a java prototype
developed by Verisign labs, Nominet, Kirei and ep.net.
Unbound is designed as a set of modular components, so that also
DNSSEC (secure DNS) validation and stub-resolvers (that do not run
as a server, but are linked into an application) are easily possible.
%define libname libunbound8
%package -n %{libname}
Requires: %{name}-anchor >= %{version}
#
Summary: Shared library from unbound
Group: Development/Libraries/C and C++
%description -n %{libname}
Unbound is a validating, recursive, and caching DNS(SEC) resolver.
This package holds the shared library from unbound.
%if %{with_munin}
%package munin
Summary: Plugin for the munin / munin-node monitoring package
Group: System/Daemons
Requires: %{name} = %{version}
Requires: bc
Requires: munin-node
BuildArch: noarch
%description munin
Unbound is a validating, recursive, and caching DNS(SEC) resolver.
This package holds the plugin for the munin / munin-node monitoring package
%endif
%package devel
Requires: %{libname} = %{version}
Requires: ldns-devel >= %{ldns_version}
Requires: openssl-devel
Provides: libunbound-devel = %{version}-%{release}
#
Summary: Development files for libunbound
Group: Development/Libraries/C and C++
%description devel
Unbound is a validating, recursive, and caching DNS(SEC) resolver.
This package holds the development files to work with libunbound.
%package anchor
#
Summary: Unbound Anchor cert management tools
Group: Productivity/Networking/DNS/Servers
%sysusers_requires
%description anchor
Unbound is a validating, recursive, and caching DNS(SEC) resolver.
This package contains the tools to manage the anchor certs.
%if %{with python3}
%package -n python3-unbound
Summary: Python modules and extensions for unbound
Group: Applications/System
Requires: %{libname} = %{version}
Obsoletes: unbound-python
Provides: unbound-python
%description -n python3-unbound
Unbound is a validating, recursive, and caching DNS(SEC) resolver.
This package holds the Python modules and extensions for unbound.
%endif
%prep
%setup
%build
%sysusers_generate_pre %{SOURCE19} anchor unbound.conf
export CFLAGS="%{optflags}"
export CXXFLAGS="%{optflags}"
%if %{with python2}
pushd ../p2
%configure \
--disable-rpath \
--with-libevent \
--with-pthreads \
--disable-static \
--with-ldns=%{_prefix} \
--with-libnghttp2 \
--enable-sha2 \
--enable-gost \
--enable-ecdsa \
--enable-event-api \
--enable-pie \
--enable-relro-now \
--enable-dnscrypt \
%if %{with dnstap}
--enable-dnstap \
%endif
--with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \
--with-pidfile=%{piddir}/%{name}/%{name}.pid \
--with-pythonmodule --with-pyunbound PYTHON=%{__python2}\
--with-rootkey-file=%{_sharedstatedir}/unbound/root.key \
--disable-explicit-port-randomisation
make %{?_smp_mflags} all streamtcp
popd
%endif
%configure \
--disable-rpath \
--with-libevent \
--with-pthreads \
--disable-static \
--with-ldns=%{_prefix} \
--with-libnghttp2 \
--enable-sha2 \
--enable-gost \
--enable-ecdsa \
--enable-event-api \
--enable-pie \
--enable-relro-now \
--enable-dnscrypt \
%if %{with dnstap}
--enable-dnstap \
%endif
--with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \
--with-pidfile=%{piddir}/%{name}/%{name}.pid \
%if %{with python3}
--with-pythonmodule --with-pyunbound PYTHON=%{__python3}\
%endif
--with-rootkey-file=%{_sharedstatedir}/unbound/root.key \
--disable-explicit-port-randomisation
make %{?_smp_mflags} all streamtcp
%install
%make_install
install -d -m 0750 %{buildroot}/var/lib/unbound
install -d 0755 %{buildroot}%{_unitdir}
install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service
install -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/unbound-keygen.service
install -p -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound
install -p -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/unbound
install -D -p -m 0644 %{SOURCE14} %{buildroot}%{_fillupdir}/sysconfig.%{name}
ln -sf /usr/sbin/service %{buildroot}%{_sbindir}/rcunbound
ln -sf /usr/sbin/service %{buildroot}%{_sbindir}/rcunbound-keygen
install -p -m 0644 %{SOURCE15} %{buildroot}%{_unitdir}/unbound-anchor.timer
install -p -m 0644 %{SOURCE18} %{buildroot}%{_unitdir}/unbound-anchor.service
install -p -m 0644 %{SOURCE16} .
%if %{with munin}
# Install munin plugin and its softlinks
install -d 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d
install -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/munin/plugin-conf.d/unbound
install -d 0755 %{buildroot}%{_datadir}/munin/plugins/
install -p -m 0755 %{SOURCE4} %{buildroot}%{_datadir}/munin/plugins/unbound
for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unbound_munin_by_type unbound_munin_by_class unbound_munin_by_opcode unbound_munin_by_rcode unbound_munin_by_flags unbound_munin_histogram; do
ln -s unbound %{buildroot}%{_datadir}/munin/plugins/$plugin
done
%endif
# install streamtcp used for monitoring / debugging unbound's port 80/443 modes
install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp
# install streamtcp man page
install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
# Install tmpfiles.d config
install -d -m 0755 %{buildroot}%{_tmpfilesdir}/ \
%{buildroot}%{_sharedstatedir}/unbound
install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf
# install root and DLV key - we keep a copy of the root key in old location,
# in case user has changed the configuration and we wouldn't update it there
install -m 0644 %{SOURCE5} %{SOURCE6} %{buildroot}%{_sysconfdir}/unbound/
install -m 0644 %{SOURCE13} %{buildroot}%{_sharedstatedir}/unbound/root.key
# create softlink for all functions of libunbound man pages
for mpage in ub_ctx ub_result ub_ctx_create ub_ctx_delete ub_ctx_set_option ub_ctx_get_option ub_ctx_config ub_ctx_set_fwd ub_ctx_resolvconf ub_ctx_hosts ub_ctx_add_ta ub_ctx_add_ta_file ub_ctx_trustedkeys ub_ctx_debugout ub_ctx_debuglevel ub_ctx_async ub_poll ub_wait ub_fd ub_process ub_resolve ub_resolve_async ub_cancel ub_resolve_free ub_strerror ub_ctx_print_local_zones ub_ctx_zone_add ub_ctx_zone_remove ub_ctx_data_add ub_ctx_data_remove;
do
echo ".so man3/libunbound.3" > %{buildroot}%{_mandir}/man3/${mpage}.3 ;
done
mkdir -p %{buildroot}%{piddir}/%{name}
# Install directories for easier config file drop in
mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d}
install -m 0640 -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
install -m 0640 -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
install -m 0640 -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
# Link unbound-control-setup.8 manpage to unbound-control.8
echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
# sysusers.d
install -Dm0644 %{SOURCE19} %{buildroot}%{_sysusersdir}/unbound.conf
%check
# it currently fails in the ldns unit test. which is weird as both come from the same project
make check ||:
%pre anchor -f anchor.pre
%service_add_pre unbound-anchor.service unbound-anchor.timer
%if %{with systemd}
%pre
%service_add_pre unbound-keygen.service unbound.service
%endif
%if %{with systemd}
%post anchor
%service_add_post unbound-anchor.service unbound-anchor.timer
%endif
%post
%fillup_only %{name}
%if %{with systemd}
systemd-tmpfiles --create %{_tmpfilesdir}/unbound.conf || :
%service_add_post unbound-keygen.service unbound.service
%endif
%if %{with systemd}
%preun anchor
%service_del_preun unbound-anchor.service unbound-anchor.timer
%endif
%preun
%if %{with systemd}
%service_del_preun unbound-keygen.service unbound.service
%else
%stop_on_removal %{name}
%endif
%postun anchor
%if %{with systemd}
%service_del_postun unbound-anchor.service unbound-anchor.timer
%endif
%postun
%if %{with systemd}
%service_del_postun unbound-keygen.service unbound.service
%else
%restart_on_update %{name}
%{insserv_cleanup}
%endif
%post -n %{libname} -p /sbin/ldconfig
%postun -n %{libname} -p /sbin/ldconfig
%files
%license doc/LICENSE
%doc doc/README doc/CREDITS doc/FEATURES
%attr(0755,unbound,unbound) %ghost %dir %{piddir}/%{name}
%attr(0640,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
%dir %attr(-,root,unbound) %{_sysconfdir}/%{name}/keys.d
%attr(0640,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d/*.key
%dir %attr(-,root,unbound) %{_sysconfdir}/%{name}/conf.d
%attr(0640,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/conf.d/*.conf
%dir %attr(-,root,unbound) %{_sysconfdir}/%{name}/local.d
%attr(0640,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/local.d/*.conf
%{_sbindir}/unbound
%{_sbindir}/unbound-checkconf
%{_sbindir}/unbound-host
%{_sbindir}/unbound-control
%{_sbindir}/unbound-control-setup
%{_sbindir}/unbound-streamtcp
%{_mandir}/man1/unbound-host.1*
%{_mandir}/man5/unbound.conf.5*
%{_mandir}/man8/unbound.8*
%{_mandir}/man8/unbound-checkconf.8*
%{_mandir}/man8/unbound-control-setup.8*
%{_mandir}/man8/unbound-control.8*
%{_mandir}/man1/unbound-streamtcp.1*
%{_fillupdir}/sysconfig.%{name}
%if %{with systemd}
%{_tmpfilesdir}/unbound.conf
%{_unitdir}/unbound-keygen.service
%{_unitdir}/unbound.service
%endif
%{_sbindir}/rcunbound
%{_sbindir}/rcunbound-keygen
%files -n %{libname}
%defattr(-,root,root,-)
%{_libdir}/libunbound.so.*
%if %{with python3}
%files -n python3-unbound
%{python3_sitearch}/*
%doc libunbound/python/examples/*
%doc pythonmod/examples/*
%endif
%if %{with munin}
%files munin
%dir %{_sysconfdir}/munin/
%dir %{_sysconfdir}/munin/plugin-conf.d/
%config(noreplace) %{_sysconfdir}/munin/plugin-conf.d/unbound
%dir %{_datadir}/munin/
%dir %{_datadir}/munin/plugins/
%{_datadir}/munin/plugins/unbound*
%doc unbound-munin.README
%endif
%files devel
%{_includedir}/unbound.h
%{_includedir}/unbound-event.h
%{_libdir}/libunbound.so
%exclude %{_libdir}/libunbound.la
%{_libdir}/pkgconfig/libunbound.pc
%{_mandir}/man3/libunbound.3*
%{_mandir}/man3/ub_*.3*
%files anchor
%dir %{_sysconfdir}/%{name}/
%{_sbindir}/unbound-anchor
%config %{_sysconfdir}/%{name}/icannbundle.pem
%{_unitdir}/unbound-anchor.timer
%{_unitdir}/unbound-anchor.service
%{_sysusersdir}/unbound.conf
%dir %attr(-,unbound,unbound) %{_sharedstatedir}/%{name}
%attr(0644,unbound,unbound) %config(noreplace) %{_sharedstatedir}/%{name}/root.key
%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
# just left for backwards compat with user changed unbound.conf files - format is different!
%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/root.key
%{_mandir}/man8/unbound-anchor.8*
%doc doc/README doc/LICENSE
%changelog

6
unbound.sysconfig Normal file
View File

@ -0,0 +1,6 @@
# for extra debug, add "-v -v" or change verbosity: in unbound.conf
UNBOUND_OPTIONS=""
# to disable the anchor update, set this to 'yes'
DISABLE_UNBOUND_ANCHOR="no"

2
unbound.sysusers Normal file
View File

@ -0,0 +1,2 @@
#Type Name ID GECOS Home directory Shell
u unbound - "unbound caching DNS server" /var/lib/unbound -

553
unbound_munin_ Normal file
View File

@ -0,0 +1,553 @@
#!/bin/sh
#
# plugin for munin to monitor usage of unbound servers.
#
# (C) 2008 W.C.A. Wijngaards. BSD Licensed.
#
# To install; enable statistics and unbound-control in unbound.conf
# server: extended-statistics: yes
# statistics-cumulative: no
# statistics-interval: 0
# remote-control: control-enable: yes
# Run the command unbound-control-setup to generate the key files.
#
# Environment variables for this script
# statefile - where to put temporary statefile.
# unbound_conf - where the unbound.conf file is located.
# unbound_control - where to find unbound-control executable.
# spoof_warn - what level to warn about spoofing
# spoof_crit - what level to crit about spoofing
#
# You can set them in your munin/plugin-conf.d/plugins.conf file
# with:
# [unbound*]
# user root
# env.statefile /usr/local/var/munin/plugin-state/unbound-state
# env.unbound_conf /usr/local/etc/unbound/unbound.conf
# env.unbound_control /usr/local/sbin/unbound-control
# env.spoof_warn 1000
# env.spoof_crit 100000
#
# This plugin can create different graphs depending on what name
# you link it as (with ln -s) into the plugins directory
# You can link it multiple times.
# If you are only a casual user, the _hits and _by_type are most interesting,
# possibly followed by _by_rcode.
#
# unbound_munin_hits - base volume, cache hits, unwanted traffic
# unbound_munin_queue - to monitor the internal requestlist
# unbound_munin_memory - memory usage
# unbound_munin_by_type - incoming queries by type
# unbound_munin_by_class - incoming queries by class
# unbound_munin_by_opcode - incoming queries by opcode
# unbound_munin_by_rcode - answers by rcode, validation status
# unbound_munin_by_flags - incoming queries by flags
# unbound_munin_histogram - histogram of query resolving times
#
# Magic markers - optional - used by installation scripts and
# munin-config:
#
#%# family=contrib
#%# capabilities=autoconf suggest
# POD documentation
: <<=cut
=head1 NAME
unbound_munin_ - Munin plugin to monitor the Unbound DNS resolver.
=head1 APPLICABLE SYSTEMS
System with unbound daemon.
=head1 CONFIGURATION
[unbound*]
user root
env.statefile /var/lib/munin/plugin-state/unbound-state
env.unbound_conf /etc/unbound/unbound.conf
env.unbound_control /usr/sbin/unbound-control
env.spoof_warn 1000
env.spoof_crit 100000
Use the .env settings to override the defaults.
=head1 USAGE
Can be used to present different graphs. Use ln -s for that name in
the plugins directory to enable the graph.
unbound_munin_hits - base volume, cache hits, unwanted traffic
unbound_munin_queue - to monitor the internal requestlist
unbound_munin_memory - memory usage
unbound_munin_by_type - incoming queries by type
unbound_munin_by_class - incoming queries by class
unbound_munin_by_opcode - incoming queries by opcode
unbound_munin_by_rcode - answers by rcode, validation status
unbound_munin_by_flags - incoming queries by flags
unbound_munin_histogram - histogram of query resolving times
=head1 AUTHOR
Copyright 2008 W.C.A. Wijngaards
=head1 LICENSE
BSD
=cut
state=${statefile:-/var/lib/munin/plugin-state/unbound-state}
conf=${unbound_conf:-/etc/unbound/unbound.conf}
ctrl=${unbound_control:-/usr/sbin/unbound-control}
warn=${spoof_warn:-1000}
crit=${spoof_crit:-100000}
lock=$state.lock
# number of seconds between polling attempts.
# makes the statefile hang around for at least this many seconds,
# so that multiple links of this script can share the results.
lee=55
# to keep things within 19 characters
ABBREV="-e s/total/t/ -e s/thread/t/ -e s/num/n/ -e s/query/q/ -e s/answer/a/ -e s/unwanted/u/ -e s/requestlist/ql/ -e s/type/t/ -e s/class/c/ -e s/opcode/o/ -e s/rcode/r/ -e s/edns/e/ -e s/mem/m/ -e s/cache/c/ -e s/mod/m/"
# get value from $1 into return variable $value
get_value ( ) {
value="`grep '^'$1'=' $state | sed -e 's/^.*=//'`"
if test "$value"x = ""x; then
value="0"
fi
}
# download the state from the unbound server.
get_state ( ) {
# obtain lock for fetching the state
# because there is a race condition in fetching and writing to file
# see if the lock is stale, if so, take it
if test -f $lock ; then
pid="`cat $lock 2>&1`"
kill -0 "$pid" >/dev/null 2>&1
if test $? -ne 0 -a "$pid" != $$ ; then
echo $$ >$lock
fi
fi
i=0
while test ! -f $lock || test "`cat $lock 2>&1`" != $$; do
while test -f $lock; do
# wait
i=`expr $i + 1`
if test $i -gt 1000; then
sleep 1;
fi
if test $i -gt 1500; then
echo "error locking $lock" "=" `cat $lock`
rm -f $lock
exit 1
fi
done
# try to get it
echo $$ >$lock
done
# do not refetch if the file exists and only LEE seconds old
if test -f $state; then
now=`date +%s`
get_value "time.now"
value="`echo $value | sed -e 's/\..*$//'`"
if test $now -lt `expr $value + $lee`; then
rm -f $lock
return
fi
fi
$ctrl -c $conf stats > $state
if test $? -ne 0; then
echo "error retrieving data from unbound server"
rm -f $lock
exit 1
fi
rm -f $lock
}
if test "$1" = "autoconf" ; then
if test ! -f $conf; then
echo no "($conf does not exist)"
exit 1
fi
if test ! -d `dirname $state`; then
echo no "($state directory does not exist)"
exit 1
fi
echo yes
exit 0
fi
if test "$1" = "suggest" ; then
echo "hits"
echo "queue"
echo "memory"
echo "by_type"
echo "by_class"
echo "by_opcode"
echo "by_rcode"
echo "by_flags"
echo "histogram"
exit 0
fi
# determine my type, by name
id=`echo $0 | sed -e 's/^.*unbound_munin_//'`
if test "$id"x = ""x; then
# some default to keep people sane.
id="hits"
fi
# if $1 exists in statefile, config is echoed with label $2
exist_config ( ) {
mn=`echo $1 | sed $ABBREV | tr . _`
if grep '^'$1'=' $state >/dev/null 2>&1; then
echo "$mn.label $2"
echo "$mn.min 0"
fi
}
# print label and min 0 for a name $1 in unbound format
p_config ( ) {
mn=`echo $1 | sed $ABBREV | tr . _`
echo $mn.label "$2"
echo $mn.min 0
}
if test "$1" = "config" ; then
if test ! -f $state; then
get_state
fi
case $id in
hits)
echo "graph_title Unbound DNS traffic and cache hits"
echo "graph_args --base 1000 -l 0"
echo "graph_vlabel queries / second"
echo "graph_category DNS"
for x in thread0.num.queries thread1.num.queries \
thread2.num.queries thread3.num.queries thread4.num.queries \
thread5.num.queries thread6.num.queries thread7.num.queries; do
exist_config $x "queries handled by `basename $x .num.queries`"
done
p_config "total.num.queries" "total queries from clients"
p_config "total.num.cachehits" "cache hits"
p_config "total.num.prefetch" "cache prefetch"
p_config "num.query.tcp" "TCP queries"
p_config "num.query.ipv6" "IPv6 queries"
p_config "unwanted.queries" "queries that failed acl"
p_config "unwanted.replies" "unwanted or unsolicited replies"
echo "u_replies.warning $warn"
echo "u_replies.critical $crit"
echo "graph_info DNS queries to the recursive resolver. The unwanted replies could be innocent duplicate packets, late replies, or spoof threats."
;;
queue)
echo "graph_title Unbound requestlist size"
echo "graph_args --base 1000 -l 0"
echo "graph_vlabel number of queries"
echo "graph_category DNS"
p_config "total.requestlist.avg" "Average size of queue on insert"
p_config "total.requestlist.max" "Max size of queue (in 5 min)"
p_config "total.requestlist.overwritten" "Number of queries replaced by new ones"
p_config "total.requestlist.exceeded" "Number of queries dropped due to lack of space"
echo "graph_info The queries that did not hit the cache and need recursion service take up space in the requestlist. If there are too many queries, first queries get overwritten, and at last resort dropped."
;;
memory)
echo "graph_title Unbound memory usage"
echo "graph_args --base 1024 -l 0"
echo "graph_vlabel memory used in bytes"
echo "graph_category DNS"
p_config "mem.total.sbrk" "Total memory"
p_config "mem.cache.rrset" "RRset cache memory"
p_config "mem.cache.message" "Message cache memory"
p_config "mem.mod.iterator" "Iterator module memory"
p_config "mem.mod.validator" "Validator module and key cache memory"
echo "graph_info The memory used by unbound."
;;
by_type)
echo "graph_title Unbound DNS queries by type"
echo "graph_args --base 1000 -l 0"
echo "graph_vlabel queries / second"
echo "graph_category DNS"
for x in `grep "^num.query.type" $state`; do
nm=`echo $x | sed -e 's/=.*$//'`
tp=`echo $nm | sed -e s/num.query.type.//`
p_config "$nm" "$tp"
done
echo "graph_info queries by DNS RR type queried for"
;;
by_class)
echo "graph_title Unbound DNS queries by class"
echo "graph_args --base 1000 -l 0"
echo "graph_vlabel queries / second"
echo "graph_category DNS"
for x in `grep "^num.query.class" $state`; do
nm=`echo $x | sed -e 's/=.*$//'`
tp=`echo $nm | sed -e s/num.query.class.//`
p_config "$nm" "$tp"
done
echo "graph_info queries by DNS RR class queried for."
;;
by_opcode)
echo "graph_title Unbound DNS queries by opcode"
echo "graph_args --base 1000 -l 0"
echo "graph_vlabel queries / second"
echo "graph_category DNS"
for x in `grep "^num.query.opcode" $state`; do
nm=`echo $x | sed -e 's/=.*$//'`
tp=`echo $nm | sed -e s/num.query.opcode.//`
p_config "$nm" "$tp"
done
echo "graph_info queries by opcode in the query packet."
;;
by_rcode)
echo "graph_title Unbound DNS answers by return code"
echo "graph_args --base 1000 -l 0"
echo "graph_vlabel answer packets / second"
echo "graph_category DNS"
for x in `grep "^num.answer.rcode" $state`; do
nm=`echo $x | sed -e 's/=.*$//'`
tp=`echo $nm | sed -e s/num.answer.rcode.//`
p_config "$nm" "$tp"
done
p_config "num.answer.secure" "answer secure"
p_config "num.answer.bogus" "answer bogus"
p_config "num.rrset.bogus" "num rrsets marked bogus"
echo "graph_info answers sorted by return value. rrsets bogus is the number of rrsets marked bogus per second by the validator"
;;
by_flags)
echo "graph_title Unbound DNS incoming queries by flags"
echo "graph_args --base 1000 -l 0"
echo "graph_vlabel queries / second"
echo "graph_category DNS"
p_config "num.query.flags.QR" "QR (query reply) flag"
p_config "num.query.flags.AA" "AA (auth answer) flag"
p_config "num.query.flags.TC" "TC (truncated) flag"
p_config "num.query.flags.RD" "RD (recursion desired) flag"
p_config "num.query.flags.RA" "RA (rec avail) flag"
p_config "num.query.flags.Z" "Z (zero) flag"
p_config "num.query.flags.AD" "AD (auth data) flag"
p_config "num.query.flags.CD" "CD (check disabled) flag"
p_config "num.query.edns.present" "EDNS OPT present"
p_config "num.query.edns.DO" "DO (DNSSEC OK) flag"
echo "graph_info This graphs plots the flags inside incoming queries. For example, if QR, AA, TC, RA, Z flags are set, the query can be rejected. RD, AD, CD and DO are legitimately set by some software."
;;
histogram)
echo "graph_title Unbound DNS histogram of reply time"
echo "graph_args --base 1000 -l 0"
echo "graph_vlabel queries / second"
echo "graph_category DNS"
echo hcache.label "cache hits"
echo hcache.min 0
echo hcache.draw AREA
echo hcache.colour 999999
echo h64ms.label "0 msec - 66 msec"
echo h64ms.min 0
echo h64ms.draw STACK
echo h64ms.colour 0000FF
echo h128ms.label "66 msec - 131 msec"
echo h128ms.min 0
echo h128ms.colour 1F00DF
echo h128ms.draw STACK
echo h256ms.label "131 msec - 262 msec"
echo h256ms.min 0
echo h256ms.draw STACK
echo h256ms.colour 3F00BF
echo h512ms.label "262 msec - 524 msec"
echo h512ms.min 0
echo h512ms.draw STACK
echo h512ms.colour 5F009F
echo h1s.label "524 msec - 1 sec"
echo h1s.min 0
echo h1s.draw STACK
echo h1s.colour 7F007F
echo h2s.label "1 sec - 2 sec"
echo h2s.min 0
echo h2s.draw STACK
echo h2s.colour 9F005F
echo h4s.label "2 sec - 4 sec"
echo h4s.min 0
echo h4s.draw STACK
echo h4s.colour BF003F
echo h8s.label "4 sec - 8 sec"
echo h8s.min 0
echo h8s.draw STACK
echo h8s.colour DF001F
echo h16s.label "8 sec - ..."
echo h16s.min 0
echo h16s.draw STACK
echo h16s.colour FF0000
echo "graph_info Histogram of the reply times for queries."
;;
esac
exit 0
fi
# do the stats itself
get_state
# get the time elapsed
get_value "time.elapsed"
if test $value = 0 || test $value = "0.000000"; then
echo "error: time elapsed 0 or could not retrieve data"
exit 1
fi
elapsed="$value"
# print value for $1 / elapsed
print_qps ( ) {
mn=`echo $1 | sed $ABBREV | tr . _`
get_value $1
echo "$mn.value" `echo scale=6';' $value / $elapsed | bc `
}
# print qps if line already found in $2
print_qps_line ( ) {
mn=`echo $1 | sed $ABBREV | tr . _`
value="`echo $2 | sed -e 's/^.*=//'`"
echo "$mn.value" `echo scale=6';' $value / $elapsed | bc `
}
# print value for $1
print_value ( ) {
mn=`echo $1 | sed $ABBREV | tr . _`
get_value $1
echo "$mn.value" $value
}
case $id in
hits)
for x in thread0.num.queries thread1.num.queries thread2.num.queries \
thread3.num.queries thread4.num.queries thread5.num.queries \
thread6.num.queries thread7.num.queries total.num.queries \
total.num.cachehits total.num.prefetch num.query.tcp \
num.query.ipv6 unwanted.queries unwanted.replies; do
if grep "^"$x"=" $state >/dev/null 2>&1; then
print_qps $x
fi
done
;;
queue)
for x in total.requestlist.avg total.requestlist.max \
total.requestlist.overwritten total.requestlist.exceeded; do
print_value $x
done
;;
memory)
mn=`echo mem.total.sbrk | sed $ABBREV | tr . _`
get_value 'mem.total.sbrk'
if test $value -eq 0; then
chk=`echo $ctrl | sed -e 's/-control$/-checkconf/'`
pidf=`$chk -o pidfile $conf 2>&1`
pid=`cat $pidf 2>&1`
value=`ps -p "$pid" -o rss= 2>&1`
if test "`expr $value + 1 - 1 2>&1`" -eq "$value" 2>&1; then
value=`expr $value \* 1024`
else
value=0
fi
fi
echo "$mn.value" $value
for x in mem.cache.rrset mem.cache.message \
mem.mod.iterator mem.mod.validator; do
print_value $x
done
;;
by_type)
for x in `grep "^num.query.type" $state`; do
nm=`echo $x | sed -e 's/=.*$//'`
print_qps_line $nm $x
done
;;
by_class)
for x in `grep "^num.query.class" $state`; do
nm=`echo $x | sed -e 's/=.*$//'`
print_qps_line $nm $x
done
;;
by_opcode)
for x in `grep "^num.query.opcode" $state`; do
nm=`echo $x | sed -e 's/=.*$//'`
print_qps_line $nm $x
done
;;
by_rcode)
for x in `grep "^num.answer.rcode" $state`; do
nm=`echo $x | sed -e 's/=.*$//'`
print_qps_line $nm $x
done
print_qps "num.answer.secure"
print_qps "num.answer.bogus"
print_qps "num.rrset.bogus"
;;
by_flags)
for x in num.query.flags.QR num.query.flags.AA num.query.flags.TC num.query.flags.RD num.query.flags.RA num.query.flags.Z num.query.flags.AD num.query.flags.CD num.query.edns.present num.query.edns.DO; do
print_qps $x
done
;;
histogram)
get_value total.num.cachehits
echo hcache.value `echo scale=6';' $value / $elapsed | bc `
r=0
for x in histogram.000000.000000.to.000000.000001 \
histogram.000000.000001.to.000000.000002 \
histogram.000000.000002.to.000000.000004 \
histogram.000000.000004.to.000000.000008 \
histogram.000000.000008.to.000000.000016 \
histogram.000000.000016.to.000000.000032 \
histogram.000000.000032.to.000000.000064 \
histogram.000000.000064.to.000000.000128 \
histogram.000000.000128.to.000000.000256 \
histogram.000000.000256.to.000000.000512 \
histogram.000000.000512.to.000000.001024 \
histogram.000000.001024.to.000000.002048 \
histogram.000000.002048.to.000000.004096 \
histogram.000000.004096.to.000000.008192 \
histogram.000000.008192.to.000000.016384 \
histogram.000000.016384.to.000000.032768 \
histogram.000000.032768.to.000000.065536; do
get_value $x
r=`expr $r + $value`
done
echo h64ms.value `echo scale=6';' $r / $elapsed | bc `
get_value histogram.000000.065536.to.000000.131072
echo h128ms.value `echo scale=6';' $value / $elapsed | bc `
get_value histogram.000000.131072.to.000000.262144
echo h256ms.value `echo scale=6';' $value / $elapsed | bc `
get_value histogram.000000.262144.to.000000.524288
echo h512ms.value `echo scale=6';' $value / $elapsed | bc `
get_value histogram.000000.524288.to.000001.000000
echo h1s.value `echo scale=6';' $value / $elapsed | bc `
get_value histogram.000001.000000.to.000002.000000
echo h2s.value `echo scale=6';' $value / $elapsed | bc `
get_value histogram.000002.000000.to.000004.000000
echo h4s.value `echo scale=6';' $value / $elapsed | bc `
get_value histogram.000004.000000.to.000008.000000
echo h8s.value `echo scale=6';' $value / $elapsed | bc `
r=0
for x in histogram.000008.000000.to.000016.000000 \
histogram.000016.000000.to.000032.000000 \
histogram.000032.000000.to.000064.000000 \
histogram.000064.000000.to.000128.000000 \
histogram.000128.000000.to.000256.000000 \
histogram.000256.000000.to.000512.000000 \
histogram.000512.000000.to.001024.000000 \
histogram.001024.000000.to.002048.000000 \
histogram.002048.000000.to.004096.000000 \
histogram.004096.000000.to.008192.000000 \
histogram.008192.000000.to.016384.000000 \
histogram.016384.000000.to.032768.000000 \
histogram.032768.000000.to.065536.000000 \
histogram.065536.000000.to.131072.000000 \
histogram.131072.000000.to.262144.000000 \
histogram.262144.000000.to.524288.000000; do
get_value $x
r=`expr $r + $value`
done
echo h16s.value `echo scale=6';' $r / $elapsed | bc `
;;
esac