rpms/unbound/devel unbound-r1657.patch, NONE, 1.1 unbound-r1670.patch, NONE, 1.1 unbound-r1677.patch, NONE, 1.1 .cvsignore, 1.7, 1.8 sources, 1.10, 1.11 unbound.spec, 1.28, 1.29

Paul Wouters pwouters at fedoraproject.org
Sun Jun 21 04:15:24 UTC 2009


Author: pwouters

Update of /cvs/extras/rpms/unbound/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv14593

Modified Files:
	.cvsignore sources unbound.spec 
Added Files:
	unbound-r1657.patch unbound-r1670.patch unbound-r1677.patch 
Log Message:
* Sat Jun 20 2009 Paul Wouters <paul at xelerance.com> - 1.3.0-1
- Updated to 1.3.0
- Added unbound-python sub package. disabled for now
- Patch from svn to fix DLV lookups
- Patches from svn to detect wrongly truncated responses from BIND 9.6.1 with
  minimal-responses
- Added Default-Start and Default-Stop to unbound.init
- Re-enabled --enable-sha2
- Re-enabled glob.patch


unbound-r1657.patch:

--- NEW FILE unbound-r1657.patch ---
Index: validator/validator.c
===================================================================
--- validator/validator.c	(revision 1656)
+++ validator/validator.c	(revision 1657)
@@ -251,9 +251,8 @@
 /** 
  * Check to see if a given response needs to go through the validation
  * process. Typical reasons for this routine to return false are: CD bit was
- * on in the original request, the response was already validated, or the
- * response is a kind of message that is unvalidatable (i.e., SERVFAIL,
- * REFUSED, etc.)
+ * on in the original request, or the response is a kind of message that 
+ * is unvalidatable (i.e., SERVFAIL, REFUSED, etc.)
  *
  * @param qstate: query state.
  * @param ret_rc: rcode for this message (if noerror - examine ret_msg).
@@ -292,14 +291,25 @@
 		verbose(VERB_ALGO, "cannot validate RRSIG, no sigs on sigs.");
 		return 0;
 	}
+	return 1;
+}
 
+/**
+ * Check to see if the response has already been validated.
+ * @param ret_msg: return msg, can be NULL
+ * @return true if the response has already been validated
+ */
+static int
+already_validated(struct dns_msg* ret_msg)
+{
 	/* validate unchecked, and re-validate bogus messages */
 	if (ret_msg && ret_msg->rep->security > sec_status_bogus)
 	{
-		verbose(VERB_ALGO, "response has already been validated");
-		return 0;
+		verbose(VERB_ALGO, "response has already been validated: %s",
+			sec_status_to_string(ret_msg->rep->security));
+		return 1;
 	}
-	return 1;
+	return 0;
 }
 
 /**
@@ -1937,6 +1947,10 @@
 			qstate->ext_state[id] = module_finished;
 			return;
 		}
+		if(already_validated(qstate->return_msg)) {
+			qstate->ext_state[id] = module_finished;
+			return;
+		}
 		/* create state to start validation */
 		qstate->ext_state[id] = module_error; /* override this */
 		if(!vq) {
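Review bot: Moving the already-validated short-circuit out of needs_validation() and into this handler changes what needs_validation() reports to any other caller, none of which is visible in this hunk: a reply whose security is above bogus now passes needs_validation() and is only stopped here, at the new `already_validated(qstate->return_msg)` call. If needs_validation() has other call sites (presumably the DLV path this commit says it fixes), confirm they are meant to re-enter validation for already-secure replies. A one-line comment above the new check would make the split intentional rather than accidental, e.g. `/* already-validated replies stop here, not in needs_validation(), so other callers may re-validate */`. The enclosing function begins and ends outside this hunk.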
@@ -2397,7 +2411,8 @@
 	}
 	if(msg->rep->security != sec_status_secure) {
 		vq->dlv_status = dlv_error;
-		verbose(VERB_ALGO, "response is not secure");
+		verbose(VERB_ALGO, "response is not secure, %s",
+			sec_status_to_string(msg->rep->security));
 		return;
 	}
 	/* was the lookup a success? validated DLV? */

unbound-r1670.patch:

--- NEW FILE unbound-r1670.patch ---
Index: validator/validator.c
===================================================================
--- validator/validator.c	(revision 1669)
+++ validator/validator.c	(revision 1670)
@@ -479,6 +479,36 @@
 }
 
 /**
+ * Detect wrong truncated response, by a bad recursor out there.
+ * The positive response has a mangled authority section.
+ * Remove that authority section.
+ * @param rep: reply
+ * @return true if a wrongly truncated response.
+ */
+static int
+detect_wrongly_truncated(struct reply_info* rep)
+{
+	size_t i;
+	/* no additional, only NS in authority, and it is bogus */
+	if(rep->ar_numrrsets != 0 || rep->ns_numrrsets != 1 ||
+		rep->an_numrrsets == 0)
+		return 0;
+	if(ntohs(rep->rrsets[ rep->an_numrrsets ]->rk.type) != LDNS_RR_TYPE_NS)
+		return 0;
+	if(((struct packed_rrset_data*)rep->rrsets[ rep->an_numrrsets ]
+		->entry.data)->security != sec_status_bogus)
+		return 0;
+	/* answer section is present and secure */
+	for(i=0; i<rep->an_numrrsets; i++) {
+		if(((struct packed_rrset_data*)rep->rrsets[ i ]
+			->entry.data)->security != sec_status_secure)
+			return 0;
+	}
+	return 1;
+}
+
+
+/**
  * Given a "positive" response -- a response that contains an answer to the
  * question, and no CNAME chain, validate this response. 
  *
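Review bot: The header comment on `detect_wrongly_truncated` says "Remove that authority section", but the function only detects; the removal (the `ns_numrrsets = 0` / `rrset_count--` lines later in this patch) is done by its caller, so the doc should read `Only detects; the caller removes that authority section.` It also depends on the per-rrset `security` fields having already been set, and the caller only invokes it after validate_msg_signatures() has failed, so add `Must be called after validate_msg_signatures() has marked the rrsets.` The indexing looks sound: `rrsets[an_numrrsets]` is only read after `ns_numrrsets == 1` guarantees exactly one authority rrset exists, and `an_numrrsets == 0` is rejected first.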
@@ -1449,17 +1479,31 @@
 		vq->chase_reply->security = sec_status_bogus;
 		return 1;
 	}
+	subtype = val_classify_response(qstate->query_flags, &qstate->qinfo,
+		&vq->qchase, vq->orig_msg->rep, vq->rrset_skip);
 
 	/* check signatures in the message; 
 	 * answer and authority must be valid, additional is only checked. */
 	if(!validate_msg_signatures(qstate->env, ve, &vq->qchase, 
 		vq->chase_reply, vq->key_entry)) {
-		verbose(VERB_DETAIL, "Validate: message contains bad rrsets");
-		return 1;
+		/* workaround bad recursor out there that truncates (even
+		 * with EDNS4k) to 512 by removing RRSIG from auth section
+		 * for positive replies*/
+		if(subtype == VAL_CLASS_POSITIVE &&
+			detect_wrongly_truncated(vq->orig_msg->rep)) {
+			/* truncate the message some more */
+			vq->orig_msg->rep->ns_numrrsets = 0;
+			vq->orig_msg->rep->rrset_count--;
+			vq->chase_reply->ns_numrrsets = 0;
+			vq->chase_reply->rrset_count--;
+		}
+		else {
+			verbose(VERB_DETAIL, "Validate: message contains "
+				"bad rrsets");
+			return 1;
+		}
 	}
 
-	subtype = val_classify_response(qstate->query_flags, &qstate->qinfo,
-		&vq->qchase, vq->orig_msg->rep, vq->rrset_skip);
 	switch(subtype) {
 		case VAL_CLASS_POSITIVE:
 			verbose(VERB_ALGO, "Validating a positive response");
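Review bot: The workaround branch alters the message silently: when detect_wrongly_truncated() fires, the bogus NS rrset is dropped from both `vq->orig_msg->rep` and `vq->chase_reply` and validation continues with no log line, whereas the normal failure path logs at VERB_DETAIL. Add `verbose(VERB_ALGO, "Validate: dropping unsigned NS authority section from wrongly truncated reply");` inside the `if` so an operator can see that a reply was trimmed before it was accepted; the trim only discards a bogus rrset while every answer rrset has been checked secure, so it does not admit unsigned data. The detection inspects `vq->orig_msg->rep` while the signature check ran on `vq->chase_reply`; if the two can differ in layout (rrset_skip > 0 during a CNAME chase) or share one reply_info, the paired `rrset_count--` lines would be wrong, so confirm chase_reply is a separate copy with the same section counts at this point. The enclosing function starts and ends outside the hunk.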

unbound-r1677.patch:

--- NEW FILE unbound-r1677.patch ---
Index: validator/validator.c
===================================================================
--- validator/validator.c	(revision 1677)
+++ validator/validator.c	(working copy)
@@ -479,7 +479,7 @@
 }
 
 /**
- * Detect wrong truncated response, by a bad recursor out there.
+ * Detect wrong truncated response (from BIND 9.6.1 with minimal-responses).
  * The positive response has a mangled authority section.
  * Remove that authority section.
  * @param rep: reply
Index: iterator/iterator.c
===================================================================
--- iterator/iterator.c	(revision 1677)
+++ iterator/iterator.c	(working copy)
@@ -1513,9 +1513,14 @@
 			   /* we know that all other NS rrsets are scrubbed
 			    * away, thus on referral only one is left.
 			    * see if that equals the query name... */
-			&& reply_find_rrset_section_ns(iq->response->rep,
+			&& ( /* auth section, but sometimes in answer section*/
+			  reply_find_rrset_section_ns(iq->response->rep,
 				qstate->qinfo.qname, qstate->qinfo.qname_len,
 				LDNS_RR_TYPE_NS, qstate->qinfo.qclass)
+			  || reply_find_rrset_section_an(iq->response->rep,
+				qstate->qinfo.qname, qstate->qinfo.qname_len,
+				LDNS_RR_TYPE_NS, qstate->qinfo.qclass)
+			  )
 		    )) {
 			/* Store the referral under the current query */
 			if(!iter_dns_store(qstate->env, &iq->response->qinfo,
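Review bot: The comment added at `/* auth section, but sometimes in answer section*/` does not say which server puts the NS set in the answer section or why accepting it there is safe; spell it out, e.g. `/* the NS set normally sits in the authority section; BIND 9.6.1 with minimal-responses returns it in the answer section, so accept either as long as the owner is qname */`. Both lookups pass the query's own qname, qname_len, type NS and qclass, so the widening is limited to an NS set owned by the queried name; an NS set with a different owner is still not matched by either call. The surrounding condition and the enclosing function begin outside this hunk.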


Index: .cvsignore
===================================================================
RCS file: /cvs/extras/rpms/unbound/devel/.cvsignore,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -p -r1.7 -r1.8
--- .cvsignore	10 Feb 2009 15:19:33 -0000	1.7
+++ .cvsignore	21 Jun 2009 04:14:53 -0000	1.8
@@ -1,3 +1,4 @@
 unbound-1.1.1.tar.gz
 unbound-1.2.0.tar.gz
 unbound-1.2.1.tar.gz
+unbound-1.3.0.tar.gz


Index: sources
===================================================================
RCS file: /cvs/extras/rpms/unbound/devel/sources,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -p -r1.10 -r1.11
--- sources	20 May 2009 16:15:09 -0000	1.10
+++ sources	21 Jun 2009 04:14:53 -0000	1.11
@@ -1 +1 @@
-5437f2a1e698d8aa73ba19a60662a654  unbound-1.2.1.tar.gz
+783325c26ae1a47be0e496c94f3e1cca  unbound-1.3.0.tar.gz


Index: unbound.spec
===================================================================
RCS file: /cvs/extras/rpms/unbound/devel/unbound.spec,v
retrieving revision 1.28
retrieving revision 1.29
diff -u -p -r1.28 -r1.29
--- unbound.spec	20 May 2009 16:43:09 -0000	1.28
+++ unbound.spec	21 Jun 2009 04:14:54 -0000	1.29
@@ -1,19 +1,32 @@
+%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
+%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
+# not ready yet
+%{?!with_python:      %define with_python      0}
+
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.2.1
-Release: 7%{?dist}
+Version: 1.3.0
+Release: 1%{?dist}
 License: BSD
 Url: http://www.nlnetlabs.nl/unbound/
 Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
 Source1: unbound.init
 Source2: unbound.conf
 Source3: unbound.munin
-Patch0: unbound-iterator.patch
-Patch1: unbound-initgroups-r1453.patch
+# See the unbound svn repository for further documentation on these
+Patch1: unbound-r1657.patch
+Patch2: unbound-r1670.patch
+Patch3: unbound-r1677.patch
+Patch4: unbound-1.2-glob.patch
+
 Group: System Environment/Daemons
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-BuildRequires: flex, openssl-devel >= 0.9.8g-12, ldns-devel >= 1.5.0, 
-BuildRequires: libevent-devel >= 1.4.5
+BuildRequires: flex, openssl-devel , ldns-devel >= 1.5.0, 
+BuildRequires: libevent-devel 
+%if %{with_python}
+BuildRequires:  python-devel
+%endif
+
 Requires(post): chkconfig
 Requires(preun): chkconfig
 Requires(preun): initscripts
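Review bot: The minimum versions were dropped from `BuildRequires: flex, openssl-devel , ldns-devel >= 1.5.0,` and `BuildRequires: libevent-devel`, but the libs subpackage still carries `Requires: openssl >= 0.9.8g-12` (visible as context in a later hunk), so the package can now be built against an older openssl-devel than it demands at runtime. Either restore `BuildRequires: flex, openssl-devel >= 0.9.8g-12, ldns-devel >= 1.5.0` or relax the runtime Requires in the same commit so the two agree. The stray space before the comma and the trailing comma on that line are cosmetic but worth tidying while it is touched.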
@@ -21,8 +34,6 @@ Requires(postun): initscripts
 Requires: ldns >= 1.5.0, dnssec-conf >= 1.19
 Requires(pre): shadow-utils
 Requires: dnssec-conf
-# Is this obsolete?
-#Provides: caching-nameserver
 
 %description
 Unbound is a validating, recursive, and caching DNS(SEC) resolver.
@@ -62,16 +73,32 @@ Requires: openssl >= 0.9.8g-12
 %description libs
 Contains libraries used by the unbound server and client applications
 
+%if %{with_python}
+%package python
+Summary: Python modules and extensions for unbound
+Group: Applications/System
+Requires: %{name}-libs = %{version}-%{release}
+
+%description python
+Python modules and extensions for unbound
+%endif
+
 %prep
 %setup -q 
-%patch0 
-%patch1 -p1
+%patch1
+%patch2
+%patch3
+%patch4 -p1
 
 %build
 %configure  --with-ldns= --with-libevent --with-pthreads --with-ssl \
             --disable-rpath --enable-debug --disable-static \
             --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \
-            --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid
+            --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \
+%if %{with_python}
+            --with-pythonmodule --with-pyunbound \
+%endif
+            --enable-sha2 
 %{__make} CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE" QUIET=no %{?_smp_mflags}
 
 %install
@@ -107,6 +134,11 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_sbindir}/*
 %{_mandir}/*/*
 
+%if %{with_python}
+%files python
+%{python_sitelib}/*
+%endif
+
 %files munin
 %defattr(-,root,root,-)
 %config(noreplace) %{_sysconfdir}/munin/plugin-conf.d/unbound
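Review bot: The new `%files python` section omits the `%defattr(-,root,root,-)` line that the munin section directly below it and the other %files sections carry, so add `%defattr(-,root,root,-)` after `%files python` to keep ownership handling consistent across subpackages. `--with-pythonmodule` presumably builds a compiled extension, which on multilib systems would land in `%{python_sitearch}` (defined at the top of the spec but never used) rather than `%{python_sitelib}`; the section is behind `%if %{with_python}` and disabled, so this is not exercised yet, but verify before enabling it.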
@@ -158,6 +190,16 @@ fi
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Sat Jun 20 2009 Paul Wouters <paul at xelerance.com> - 1.3.0-1
+- Updated to 1.3.0
+- Added unbound-python sub package. disabled for now
+- Patch from svn to fix DLV lookups
+- Patches from svn to detect wrong truncated response from BIND 9.6.1 with
+  minimal-responses)
+- Added Default-Start and Default-Stop to unbound.init
+- Re-enabled --enable-sha2
+- Re-enabled glob.patch
+
 * Wed May 20 2009 Paul Wouters <paul at xelerance.com> - 1.2.1-7
 - unbound-iterator.patch was not commited
 



