pool/unbound
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
cdd3f40e20
unbound/unbound.spec
Marcus Rueckert cdd3f40e20 Accepting request 974920 from home:dirkmueller:Factory 
- spec-cleaner
- update to 1.15.0 

- drop python2 packages
- update to 1.15.0:
  This release has bug fixes for crashes that happened on heavy network
  usage. The default for the aggressive-nsec option has changed, it is now
  enabled.
  The ratelimit logic had to be reworked for the crash fixes. As a result,
  there are new options to control the behaviour of ratelimiting.
  The ratelimit-backoff and ip-ratelimit-backoff options can be used to
  control how severe the backoff is when the ratelimit is exceeded.
  The rpz-signal-nxdomain-ra option can be used to unset the RA flag, for
  NXDOMAIN answers from RPZ. That is used by some clients to detect that
  the domain is externally blocked. The RPZ option for-downstream can be
  used like for auth zones, this allows the RPZ zone information to be queried.
  That can be useful for monitoring scripts.
  Features
  - Fix #596: unset the RA bit when a query is blocked by an unbound
    RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to
    signal that a domain is externally blocked to clients when it
    is blocked with NXDOMAIN by unsetting RA.
  - Add rpz: for-downstream: yesno option, where the RPZ zone is
    authoritatively answered for, so the RPZ zone contents can be
    checked with DNS queries directed at the RPZ zone.
  - Merge PR #616: Update ratelimit logic. It also introduces
    ratelimit-backoff and ip-ratelimit-backoff configuration options.
  - Change aggressive-nsec default to yes.
  Bug Fixes
  - Fix compile warning for if_nametoindex on windows 64bit.

OBS-URL: https://build.opensuse.org/request/show/974920
OBS-URL: https://build.opensuse.org/package/show/server:dns/unbound?expand=0&rev=145
2022-05-04 13:05:55 +00:00

428 lines
14 KiB
RPMSpec
Raw Blame History

#
# spec file for package unbound
#
# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
#Compat macro for new _fillupdir macro introduced in Nov 2017
%if ! %{defined _fillupdir}
%define _fillupdir /var/adm/fillup-templates
%endif
%bcond_without python3
%bcond_without munin
%bcond_without hardened_build
%bcond_without dnstap
%bcond_without systemd
%define _sharedstatedir /var/lib/
%define ldns_version 1.6.16
%define piddir /run
Name: unbound
Version: 1.15.0
Release: 0
BuildRequires: flex
BuildRequires: ldns-devel >= %{ldns_version}
BuildRequires: libevent-devel
BuildRequires: libexpat-devel
BuildRequires: libsodium-devel
BuildRequires: openssl-devel
BuildRequires: sysuser-tools
%if %{with dnstap}
BuildRequires: libfstrm-devel
BuildRequires: libprotobuf-c-devel >= 1.0.0
BuildRequires: protobuf-c >= 1.0.0
%endif
%if %{with python3}
BuildRequires: python-rpm-macros
BuildRequires: python3-devel
BuildRequires: swig
%endif
# needed for dns over https
BuildRequires: pkgconfig(libnghttp2)
Requires: ldns >= %{ldns_version}
# until we figured something else out for the unbound-anchor part in the systemd unit file
Requires: sudo
%if %{with systemd}
BuildRequires: pkgconfig(libsystemd)
%{?systemd_requires}
%endif
URL: https://www.unbound.net/
Source: https://www.unbound.net/downloads/unbound-%{version}.tar.gz
Source1: unbound.service
Source2: unbound.conf
Source3: unbound.munin
Source4: unbound_munin_
Source5: root.key
Source6: dlv.isc.org.key
Source7: unbound-keygen.service
Source8: tmpfiles-unbound.conf
Source9: example.com.key
Source10: example.com.conf
Source11: block-example.com.conf
# From http://data.iana.org/root-anchors/icannbundle.pem
Source12: icannbundle.pem
Source13: root.anchor
Source14: unbound.sysconfig
Source15: unbound-anchor.timer
Source16: unbound-munin.README
Source18: unbound-anchor.service
Source19: unbound.sysusers
Summary: Validating, recursive, and caching DNS(SEC) resolver
License: BSD-3-Clause
Group: Productivity/Networking/DNS/Servers
%description
Unbound is a validating, recursive, and caching DNS(SEC) resolver.
The C implementation of Unbound is developed and maintained by NLnet
Labs. It is based on ideas and algorithms taken from a java prototype
developed by Verisign labs, Nominet, Kirei and ep.net.
Unbound is designed as a set of modular components, so that also
DNSSEC (secure DNS) validation and stub-resolvers (that do not run
as a server, but are linked into an application) are easily possible.
%define libname libunbound8
%package -n %{libname}
Requires: %{name}-anchor >= %{version}
#
Summary: Shared library from unbound
Group: Development/Libraries/C and C++
%description -n %{libname}
Unbound is a validating, recursive, and caching DNS(SEC) resolver.
This package holds the shared library from unbound.
%if %{with_munin}
%package munin
Summary: Plugin for the munin / munin-node monitoring package
Group: System/Daemons
Requires: %{name} = %{version}
Requires: bc
Requires: munin-node
BuildArch: noarch
%description munin
Unbound is a validating, recursive, and caching DNS(SEC) resolver.
This package holds the plugin for the munin / munin-node monitoring package
%endif
%package devel
Requires: %{libname} = %{version}
Requires: ldns-devel >= %{ldns_version}
Requires: openssl-devel
Provides: libunbound-devel = %{version}-%{release}
#
Summary: Development files for libunbound
Group: Development/Libraries/C and C++
%description devel
Unbound is a validating, recursive, and caching DNS(SEC) resolver.
This package holds the development files to work with libunbound.
%package anchor
#
Summary: Unbound Anchor cert management tools
Group: Productivity/Networking/DNS/Servers
%sysusers_requires
%description anchor
Unbound is a validating, recursive, and caching DNS(SEC) resolver.
This package contains the tools to manage the anchor certs.
%if %{with python3}
%package -n python3-unbound
Summary: Python modules and extensions for unbound
Group: Applications/System
Requires: %{libname} = %{version}
Obsoletes: unbound-python
Provides: unbound-python
%description -n python3-unbound
Unbound is a validating, recursive, and caching DNS(SEC) resolver.
This package holds the Python modules and extensions for unbound.
%endif
%prep
%setup
%build
%sysusers_generate_pre %{SOURCE19} anchor unbound.conf
export CFLAGS="%{optflags}"
export CXXFLAGS="%{optflags}"
%if %{with python2}
pushd ../p2
%configure \
--disable-rpath \
--with-libevent \
--with-pthreads \
--disable-static \
--with-ldns=%{_prefix} \
--with-libnghttp2 \
--enable-sha2 \
--enable-gost \
--enable-ecdsa \
--enable-event-api \
--enable-pie \
--enable-relro-now \
--enable-dnscrypt \
%if %{with dnstap}
--enable-dnstap \
%endif
--with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \
--with-pidfile=%{piddir}/%{name}/%{name}.pid \
--with-pythonmodule --with-pyunbound PYTHON=%{__python2}\
--with-rootkey-file=%{_sharedstatedir}/unbound/root.key \
--disable-explicit-port-randomisation
make %{?_smp_mflags} all streamtcp
popd
%endif
%configure \
--disable-rpath \
--with-libevent \
--with-pthreads \
--disable-static \
--with-ldns=%{_prefix} \
--with-libnghttp2 \
--enable-sha2 \
--enable-gost \
--enable-ecdsa \
--enable-event-api \
--enable-pie \
--enable-relro-now \
--enable-dnscrypt \
%if %{with dnstap}
--enable-dnstap \
%endif
--with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \
--with-pidfile=%{piddir}/%{name}/%{name}.pid \
%if %{with python3}
--with-pythonmodule --with-pyunbound PYTHON=%{__python3}\
%endif
--with-rootkey-file=%{_sharedstatedir}/unbound/root.key \
--disable-explicit-port-randomisation
make %{?_smp_mflags} all streamtcp
%install
%make_install
install -d -m 0750 %{buildroot}/var/lib/unbound
install -d 0755 %{buildroot}%{_unitdir}
install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service
install -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/unbound-keygen.service
install -p -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound
install -p -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/unbound
install -D -p -m 0644 %{SOURCE14} %{buildroot}%{_fillupdir}/sysconfig.%{name}
ln -sf /usr/sbin/service %{buildroot}%{_sbindir}/rcunbound
ln -sf /usr/sbin/service %{buildroot}%{_sbindir}/rcunbound-keygen
install -p -m 0644 %{SOURCE15} %{buildroot}%{_unitdir}/unbound-anchor.timer
install -p -m 0644 %{SOURCE18} %{buildroot}%{_unitdir}/unbound-anchor.service
install -p -m 0644 %{SOURCE16} .
%if %{with munin}
# Install munin plugin and its softlinks
install -d 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d
install -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/munin/plugin-conf.d/unbound
install -d 0755 %{buildroot}%{_datadir}/munin/plugins/
install -p -m 0755 %{SOURCE4} %{buildroot}%{_datadir}/munin/plugins/unbound
for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unbound_munin_by_type unbound_munin_by_class unbound_munin_by_opcode unbound_munin_by_rcode unbound_munin_by_flags unbound_munin_histogram; do
ln -s unbound %{buildroot}%{_datadir}/munin/plugins/$plugin
done
%endif
# install streamtcp used for monitoring / debugging unbound's port 80/443 modes
install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp
# install streamtcp man page
install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
# Install tmpfiles.d config
install -d -m 0755 %{buildroot}%{_tmpfilesdir}/ \
%{buildroot}%{_sharedstatedir}/unbound
install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf
# install root and DLV key - we keep a copy of the root key in old location,
# in case user has changed the configuration and we wouldn't update it there
install -m 0644 %{SOURCE5} %{SOURCE6} %{buildroot}%{_sysconfdir}/unbound/
install -m 0644 %{SOURCE13} %{buildroot}%{_sharedstatedir}/unbound/root.key
# create softlink for all functions of libunbound man pages
for mpage in ub_ctx ub_result ub_ctx_create ub_ctx_delete ub_ctx_set_option ub_ctx_get_option ub_ctx_config ub_ctx_set_fwd ub_ctx_resolvconf ub_ctx_hosts ub_ctx_add_ta ub_ctx_add_ta_file ub_ctx_trustedkeys ub_ctx_debugout ub_ctx_debuglevel ub_ctx_async ub_poll ub_wait ub_fd ub_process ub_resolve ub_resolve_async ub_cancel ub_resolve_free ub_strerror ub_ctx_print_local_zones ub_ctx_zone_add ub_ctx_zone_remove ub_ctx_data_add ub_ctx_data_remove;
do
echo ".so man3/libunbound.3" > %{buildroot}%{_mandir}/man3/${mpage}.3 ;
done
mkdir -p %{buildroot}%{piddir}/%{name}
# Install directories for easier config file drop in
mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d}
install -m 0640 -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
install -m 0640 -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
install -m 0640 -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
# Link unbound-control-setup.8 manpage to unbound-control.8
echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
# sysusers.d
install -Dm0644 %{SOURCE19} %{buildroot}%{_sysusersdir}/unbound.conf
%check
# it currently fails in the ldns unit test. which is weird as both come from the same project
make check ||:
%pre anchor -f anchor.pre
%service_add_pre unbound-anchor.service unbound-anchor.timer
%if %{with systemd}
%pre
%service_add_pre unbound-keygen.service unbound.service
%endif
%if %{with systemd}
%post anchor
%service_add_post unbound-anchor.service unbound-anchor.timer
%endif
%post
%fillup_only %{name}
%if %{with systemd}
systemd-tmpfiles --create %{_tmpfilesdir}/unbound.conf || :
%service_add_post unbound-keygen.service unbound.service
%endif
%if %{with systemd}
%preun anchor
%service_del_preun unbound-anchor.service unbound-anchor.timer
%endif
%preun
%if %{with systemd}
%service_del_preun unbound-keygen.service unbound.service
%else
%stop_on_removal %{name}
%endif
%postun anchor
%if %{with systemd}
%service_del_postun unbound-anchor.service unbound-anchor.timer
%endif
%postun
%if %{with systemd}
%service_del_postun unbound-keygen.service unbound.service
%else
%restart_on_update %{name}
%{insserv_cleanup}
%endif
%post -n %{libname} -p /sbin/ldconfig
%postun -n %{libname} -p /sbin/ldconfig
%files
%license doc/LICENSE
%doc doc/README doc/CREDITS doc/FEATURES
%attr(0755,unbound,unbound) %ghost %dir %{piddir}/%{name}
%attr(0640,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
%dir %attr(-,root,unbound) %{_sysconfdir}/%{name}/keys.d
%attr(0660,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d/*.key
%dir %attr(-,root,unbound) %{_sysconfdir}/%{name}/conf.d
%attr(0660,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/conf.d/*.conf
%dir %attr(-,root,unbound) %{_sysconfdir}/%{name}/local.d
%attr(0660,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/local.d/*.conf
%{_sbindir}/unbound
%{_sbindir}/unbound-checkconf
%{_sbindir}/unbound-host
%{_sbindir}/unbound-control
%{_sbindir}/unbound-control-setup
%{_sbindir}/unbound-streamtcp
%{_mandir}/man1/unbound-host.1*
%{_mandir}/man5/unbound.conf.5*
%{_mandir}/man8/unbound.8*
%{_mandir}/man8/unbound-checkconf.8*
%{_mandir}/man8/unbound-control-setup.8*
%{_mandir}/man8/unbound-control.8*
%{_mandir}/man1/unbound-streamtcp.1*
%{_fillupdir}/sysconfig.%{name}
%if %{with systemd}
%{_tmpfilesdir}/unbound.conf
%{_unitdir}/unbound-keygen.service
%{_unitdir}/unbound.service
%endif
%{_sbindir}/rcunbound
%{_sbindir}/rcunbound-keygen
%files -n %{libname}
%defattr(-,root,root,-)
%{_libdir}/libunbound.so.*
%if %{with python3}
%files -n python3-unbound
%{python3_sitearch}/*
%doc libunbound/python/examples/*
%doc pythonmod/examples/*
%endif
%if %{with munin}
%files munin
%dir %{_sysconfdir}/munin/
%dir %{_sysconfdir}/munin/plugin-conf.d/
%config(noreplace) %{_sysconfdir}/munin/plugin-conf.d/unbound
%dir %{_datadir}/munin/
%dir %{_datadir}/munin/plugins/
%{_datadir}/munin/plugins/unbound*
%doc unbound-munin.README
%endif
%files devel
%{_includedir}/unbound.h
%{_includedir}/unbound-event.h
%{_libdir}/libunbound.so
%exclude %{_libdir}/libunbound.la
%{_libdir}/pkgconfig/libunbound.pc
%{_mandir}/man3/libunbound.3*
%{_mandir}/man3/ub_*.3*
%files anchor
%dir %{_sysconfdir}/%{name}/
%{_sbindir}/unbound-anchor
%config %{_sysconfdir}/%{name}/icannbundle.pem
%{_unitdir}/unbound-anchor.timer
%{_unitdir}/unbound-anchor.service
%{_sysusersdir}/unbound.conf
%dir %attr(-,unbound,unbound) %{_sharedstatedir}/%{name}
%attr(0644,unbound,unbound) %config(noreplace) %{_sharedstatedir}/%{name}/root.key
%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
# just left for backwards compat with user changed unbound.conf files - format is different!
%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/root.key
%{_mandir}/man8/unbound-anchor.8*
%doc doc/README doc/LICENSE
%changelog
Reference in New Issue View Git Blame Copy Permalink