rpms/unbound/EL-5 unbound-r1657.patch, NONE, 1.1 unbound-r1670.patch, NONE, 1.1 unbound-r1677.patch, NONE, 1.1 .cvsignore, 1.2, 1.3 sources, 1.4, 1.5 unbound.init, 1.4, 1.5 unbound.spec, 1.7, 1.8
Paul Wouters
pwouters at fedoraproject.org
Sat Jun 27 18:47:20 UTC 2009
Author: pwouters
Update of /cvs/extras/rpms/unbound/EL-5
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv29208
Modified Files:
.cvsignore sources unbound.init unbound.spec
Added Files:
unbound-r1657.patch unbound-r1670.patch unbound-r1677.patch
Log Message:
* Sat Jun 27 2009 Paul Wouters <paul at xelerance.com> - 1.3.0-1
- Updated to 1.3.0
- Added support for dnssec-conf
- Place python macros within the %with_python check
- Added unbound-python sub package. disabled for now
- Patch from svn to fix DLV lookups
- Patches from svn to detect wrongly truncated responses from BIND 9.6.1 with
minimal-responses
- Added Default-Start and Default-Stop to unbound.init
- Re-enabled --enable-sha2
- Re-enabled glob.patch
unbound-r1657.patch:
--- NEW FILE unbound-r1657.patch ---
Index: validator/validator.c
===================================================================
--- validator/validator.c (revision 1656)
+++ validator/validator.c (revision 1657)
@@ -251,9 +251,8 @@
/**
* Check to see if a given response needs to go through the validation
* process. Typical reasons for this routine to return false are: CD bit was
- * on in the original request, the response was already validated, or the
- * response is a kind of message that is unvalidatable (i.e., SERVFAIL,
- * REFUSED, etc.)
+ * on in the original request, or the response is a kind of message that
+ * is unvalidatable (i.e., SERVFAIL, REFUSED, etc.)
*
* @param qstate: query state.
* @param ret_rc: rcode for this message (if noerror - examine ret_msg).
@@ -292,14 +291,25 @@
verbose(VERB_ALGO, "cannot validate RRSIG, no sigs on sigs.");
return 0;
}
+ return 1;
+}
+/**
+ * Check to see if the response has already been validated.
+ * @param ret_msg: return msg, can be NULL
+ * @return true if the response has already been validated
+ */
+static int
+already_validated(struct dns_msg* ret_msg)
+{
/* validate unchecked, and re-validate bogus messages */
if (ret_msg && ret_msg->rep->security > sec_status_bogus)
{
- verbose(VERB_ALGO, "response has already been validated");
- return 0;
+ verbose(VERB_ALGO, "response has already been validated: %s",
+ sec_status_to_string(ret_msg->rep->security));
+ return 1;
}
- return 1;
+ return 0;
}
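Review bot: The comment `/* validate unchecked, and re-validate bogus messages */` kept at the top of the new already_validated() describes the caller's policy rather than what this function returns, and the `> sec_status_bogus` comparison is only correct if the sec_status enum orders unchecked and bogus below every validated status, which the hunk does not state. Suggest replacing that comment with `/* unchecked and bogus count as not validated (they are (re)validated); any higher sec_status means validation already ran */` so the ordering assumption is explicit. The enclosing needs_validation() starts before this hunk, so its new `return 1;` could not be checked against the rest of its body.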
/**
@@ -1937,6 +1947,10 @@
qstate->ext_state[id] = module_finished;
return;
}
+ if(already_validated(qstate->return_msg)) {
+ qstate->ext_state[id] = module_finished;
+ return;
+ }
/* create state to start validation */
qstate->ext_state[id] = module_error; /* override this */
if(!vq) {
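Review bot: The new `already_validated()` call carries no why-comment, and a reader of this hunk cannot tell why the check was split out of needs_validation() and moved here; the log message ties the patch to DLV lookups, but that is not visible in the code. Suggest a one-line comment above the call, e.g. `/* checked separately from needs_validation() so an already-validated return_msg finishes here */`, adjusted to whatever the actual motivation is. The enclosing function starts and ends outside this hunk.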
@@ -2397,7 +2411,8 @@
}
if(msg->rep->security != sec_status_secure) {
vq->dlv_status = dlv_error;
- verbose(VERB_ALGO, "response is not secure");
+ verbose(VERB_ALGO, "response is not secure, %s",
+ sec_status_to_string(msg->rep->security));
return;
}
/* was the lookup a success? validated DLV? */
unbound-r1670.patch:
--- NEW FILE unbound-r1670.patch ---
Index: validator/validator.c
===================================================================
--- validator/validator.c (revision 1669)
+++ validator/validator.c (revision 1670)
@@ -479,6 +479,36 @@
}
/**
+ * Detect wrong truncated response, by a bad recursor out there.
+ * The positive response has a mangled authority section.
+ * Remove that authority section.
+ * @param rep: reply
+ * @return true if a wrongly truncated response.
+ */
+static int
+detect_wrongly_truncated(struct reply_info* rep)
+{
+ size_t i;
+ /* no additional, only NS in authority, and it is bogus */
+ if(rep->ar_numrrsets != 0 || rep->ns_numrrsets != 1 ||
+ rep->an_numrrsets == 0)
+ return 0;
+ if(ntohs(rep->rrsets[ rep->an_numrrsets ]->rk.type) != LDNS_RR_TYPE_NS)
+ return 0;
+ if(((struct packed_rrset_data*)rep->rrsets[ rep->an_numrrsets ]
+ ->entry.data)->security != sec_status_bogus)
+ return 0;
+ /* answer section is present and secure */
+ for(i=0; i<rep->an_numrrsets; i++) {
+ if(((struct packed_rrset_data*)rep->rrsets[ i ]
+ ->entry.data)->security != sec_status_secure)
+ return 0;
+ }
+ return 1;
+}
+
+
+/**
* Given a "positive" response -- a response that contains an answer to the
* question, and no CNAME chain, validate this response.
*
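Review bot: The docstring of detect_wrongly_truncated() says "Remove that authority section", but the function only detects the condition; the removal is done by its caller in the second hunk of this patch. Suggest changing that line to ` * The caller strips that authority section; this routine only detects it.` so the contract matches the code. The repeated `((struct packed_rrset_data*)rep->rrsets[...]->entry.data)->security` cast would also read better through a local `struct packed_rrset_data*`, but that is style only.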
@@ -1449,17 +1479,31 @@
vq->chase_reply->security = sec_status_bogus;
return 1;
}
+ subtype = val_classify_response(qstate->query_flags, &qstate->qinfo,
+ &vq->qchase, vq->orig_msg->rep, vq->rrset_skip);
/* check signatures in the message;
* answer and authority must be valid, additional is only checked. */
if(!validate_msg_signatures(qstate->env, ve, &vq->qchase,
vq->chase_reply, vq->key_entry)) {
- verbose(VERB_DETAIL, "Validate: message contains bad rrsets");
- return 1;
+ /* workaround bad recursor out there that truncates (even
+ * with EDNS4k) to 512 by removing RRSIG from auth section
+ * for positive replies*/
+ if(subtype == VAL_CLASS_POSITIVE &&
+ detect_wrongly_truncated(vq->orig_msg->rep)) {
+ /* truncate the message some more */
+ vq->orig_msg->rep->ns_numrrsets = 0;
+ vq->orig_msg->rep->rrset_count--;
+ vq->chase_reply->ns_numrrsets = 0;
+ vq->chase_reply->rrset_count--;
+ }
+ else {
+ verbose(VERB_DETAIL, "Validate: message contains "
+ "bad rrsets");
+ return 1;
+ }
}
- subtype = val_classify_response(qstate->query_flags, &qstate->qinfo,
- &vq->qchase, vq->orig_msg->rep, vq->rrset_skip);
switch(subtype) {
case VAL_CLASS_POSITIVE:
verbose(VERB_ALGO, "Validating a positive response");
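Review bot: The workaround branch mutates both `vq->orig_msg->rep` and `vq->chase_reply` with an unconditional `ns_numrrsets = 0; rrset_count--;`, but detect_wrongly_truncated() was only run against `vq->orig_msg->rep`; if chase_reply can differ from orig_msg->rep (the `vq->rrset_skip` argument two lines above suggests it can be a sub-view), the decrement on chase_reply is not guarded by the same shape check. Either run the detector on chase_reply as well or add a comment stating why the two replies are guaranteed to have the same layout here. The branch is also silent, unlike the rejection branch it replaces; a `verbose(VERB_ALGO, "removed mangled authority section from wrongly truncated response");` before falling through would let operators see how often the workaround fires. The enclosing validate function starts and ends outside this hunk.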
unbound-r1677.patch:
--- NEW FILE unbound-r1677.patch ---
Index: validator/validator.c
===================================================================
--- validator/validator.c (revision 1677)
+++ validator/validator.c (working copy)
@@ -479,7 +479,7 @@
}
/**
- * Detect wrong truncated response, by a bad recursor out there.
+ * Detect wrong truncated response (from BIND 9.6.1 with minimal-responses).
* The positive response has a mangled authority section.
* Remove that authority section.
* @param rep: reply
Index: iterator/iterator.c
===================================================================
--- iterator/iterator.c (revision 1677)
+++ iterator/iterator.c (working copy)
@@ -1513,9 +1513,14 @@
/* we know that all other NS rrsets are scrubbed
* away, thus on referral only one is left.
* see if that equals the query name... */
- && reply_find_rrset_section_ns(iq->response->rep,
+ && ( /* auth section, but sometimes in answer section*/
+ reply_find_rrset_section_ns(iq->response->rep,
qstate->qinfo.qname, qstate->qinfo.qname_len,
LDNS_RR_TYPE_NS, qstate->qinfo.qclass)
+ || reply_find_rrset_section_an(iq->response->rep,
+ qstate->qinfo.qname, qstate->qinfo.qname_len,
+ LDNS_RR_TYPE_NS, qstate->qinfo.qclass)
+ )
)) {
/* Store the referral under the current query */
if(!iter_dns_store(qstate->env, &iq->response->qinfo,
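Review bot: The added `( /* auth section, but sometimes in answer section*/` comment does not say which server behavior the answer-section fallback accommodates, so the workaround cannot be tied back to a cause or retired later; the log message names BIND 9.6.1 with minimal-responses. Suggest `/* NS normally in authority section; BIND 9.6.1 minimal-responses puts it in the answer section */` in place of the current comment. The enclosing `if` starts before this hunk and the closing `)` on its own line makes the condition hard to match up without seeing its start.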
Index: .cvsignore
===================================================================
RCS file: /cvs/extras/rpms/unbound/EL-5/.cvsignore,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -p -r1.2 -r1.3
--- .cvsignore 20 May 2009 15:43:06 -0000 1.2
+++ .cvsignore 27 Jun 2009 18:46:49 -0000 1.3
@@ -1 +1,2 @@
unbound-1.2.1.tar.gz
+unbound-1.3.0.tar.gz
Index: sources
===================================================================
RCS file: /cvs/extras/rpms/unbound/EL-5/sources,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -p -r1.4 -r1.5
--- sources 20 May 2009 15:43:06 -0000 1.4
+++ sources 27 Jun 2009 18:46:49 -0000 1.5
@@ -1 +1,2 @@
5437f2a1e698d8aa73ba19a60662a654 unbound-1.2.1.tar.gz
+783325c26ae1a47be0e496c94f3e1cca unbound-1.3.0.tar.gz
Index: unbound.init
===================================================================
RCS file: /cvs/extras/rpms/unbound/EL-5/unbound.init,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -p -r1.4 -r1.5
--- unbound.init 20 May 2009 15:59:40 -0000 1.4
+++ unbound.init 27 Jun 2009 18:46:49 -0000 1.5
@@ -11,6 +11,8 @@
# Provides: unbound
# Required-Start: $network $local_fs
# Required-Stop: $network $local_fs
+# Default-Start:
+# Default-Stop: 0 1 2 3 4 5 6
# Should-Start: $syslog
# Should-Stop: $syslog
# Short-Description: unbound recursive Domain Name Server.
@@ -28,9 +30,14 @@ pidfile="/var/run/unbound/unbound.pid"
piddir=`dirname $pidfile`
[ -e /etc/sysconfig/unbound ] && . /etc/sysconfig/unbound
+[ -e /etc/sysconfig/dnssec ] && . /etc/sysconfig/dnssec
lockfile=/var/lock/subsys/unbound
+[ -x /usr/sbin/dnssec-configure ] && [ -r "$config" ] &&
+ [ /etc/sysconfig/dnssec -nt "$config" ] && \
+ /usr/sbin/dnssec-configure -u --norestart --dnssec="$DNSSEC" --dlv="$DLV"
+
start() {
[ -x $exec ] || exit 5
[ -f $config ] || exit 6
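Review bot: The new `dnssec-configure -u ...` invocation sits at script top level, so it rewrites the unbound configuration on every init action, including `stop` and `status`, not only when the service is started. Moving the three lines from `[ -x /usr/sbin/dnssec-configure ] ...` through the `dnssec-configure` call into start(), after the `[ -f $config ] || exit 6` guard, limits the side effect to the action that actually needs a fresh config. Note also that `$DNSSEC` and `$DLV` come from the sourced /etc/sysconfig/dnssec and are passed through unvalidated; the quoting is correct, but a comment naming the expected values would help the next maintainer.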
@@ -42,7 +49,6 @@ start() {
echo -n $"Generating unbound control key and certificate: "
/usr/sbin/unbound-control-setup -d /etc/unbound/ > /dev/null 2> /dev/null
chgrp unbound /etc/unbound/unbound_*key /etc/unbound/unbound_*pem
-
[ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled && \
[ -x /sbin/restorecon ] && /sbin/restorecon /etc/unbound/*
echo
@@ -59,7 +65,6 @@ start() {
echo -n $"Starting unbound: "
-
# if not running, start it up here
daemon --pidfile=$pidfile $exec
retval=$?
Index: unbound.spec
===================================================================
RCS file: /cvs/extras/rpms/unbound/EL-5/unbound.spec,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -p -r1.7 -r1.8
--- unbound.spec 20 May 2009 15:59:40 -0000 1.7
+++ unbound.spec 27 Jun 2009 18:46:49 -0000 1.8
@@ -1,6 +1,14 @@
+# not ready yet
+%{?!with_python: %define with_python 0}
+
+%if %{with_python}
+%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
+%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
+%endif
+
Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound
-Version: 1.2.1
+Version: 1.3.1
Release: 1%{?dist}
License: BSD
Url: http://www.nlnetlabs.nl/unbound/
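Review bot: `Version: 1.3.1` disagrees with the rest of this commit: the sources file lists only unbound-1.3.0.tar.gz, the changelog entry is 1.3.0-1, and .cvsignore adds unbound-1.3.0.tar.gz, so a Source line built from %{version} will not find the tarball. Change the line to `Version: 1.3.0` (or update sources and the changelog if 1.3.1 is intended).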
@@ -8,21 +16,23 @@ Source: http://www.unbound.net/downloads
Source1: unbound.init
Source2: unbound.conf
Source3: unbound.munin
-Patch0: unbound-1.2-glob.patch
-Patch1: unbound-initgroups-r1453.patch
+Patch1: unbound-r1657.patch
+Patch2: unbound-r1670.patch
+Patch3: unbound-r1677.patch
+Patch4: unbound-1.2-glob.patch
Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-BuildRequires: flex, openssl-devel, ldns-devel >= 1.4.0, libevent-devel
+BuildRequires: flex, openssl-devel, ldns-devel >= 1.5.0, libevent-devel
+%if %{with_python}
+BuildRequires: python-devel
+%endif
Requires(post): chkconfig
Requires(preun): chkconfig
Requires(preun): initscripts
Requires(postun): initscripts
-Requires: ldns >= 1.5.0
+Requires: ldns >= 1.5.0, dnssec-conf >= 1.19
Requires: openssl >= 0.9.8e-7
-#Requires: openssl >= 0.9.8b-10.el5.1
Requires(pre): shadow-utils
-# Is this obsolete?
-#Provides: caching-nameserver
%description
Unbound is a validating, recursive, and caching DNS(SEC) resolver.
@@ -62,16 +72,32 @@ Requires(postun): /sbin/ldconfig
%description libs
Contains libraries used by the unbound server and client applications
+%if %{with_python}
+%package python
+Summary: Python modules and extensions for unbound
+Group: Applications/System
+Requires: %{name}-libs = %{version}-%{release}
+
+%description python
+Python modules and extensions for unbound
+%endif
+
%prep
%setup -q
-%patch0 -p1
-%patch1 -p1
+%patch1
+%patch2
+%patch3
+%patch4 -p1
%build
%configure --with-ldns= --with-libevent --with-pthreads --with-ssl \
--disable-rpath --enable-debug --disable-static \
--with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \
- --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid
+ --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \
+%if %{with_python}
+ --with-pythonmodule --with-pyunbound \
+%endif
+ --enable-sha2
%{__make} CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE" QUIET=no %{?_smp_mflags}
%install
@@ -105,6 +131,11 @@ rm -rf ${RPM_BUILD_ROOT}
%{_sbindir}/*
%{_mandir}/*/*
+%if %{with_python}
+%files python
+%{python_sitelib}/*
+%endif
+
%files munin
%defattr(-,root,root,-)
%config(noreplace) %{_sysconfdir}/munin/plugin-conf.d/unbound
@@ -130,6 +161,15 @@ exit 0
%post
/sbin/chkconfig --add %{name}
+# Check DNSSEC settings if this is a fresh install
+if [ "$1" -eq 1 ]; then
+ if [ -r /etc/sysconfig/dnssec ]; then
+ . /etc/sysconfig/dnssec
+ [ -x /usr/sbin/dnssec-configure ] && \
+ dnssec-configure -u --norestart --nocheck --dnssec="$DNSSEC" --dlv="$DLV" > \
+ /dev/null 2>&1
+ fi;
+fi
%post libs -p /sbin/ldconfig
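Review bot: The %post scriptlet tests `-x /usr/sbin/dnssec-configure` but then calls `dnssec-configure` through PATH, which differs from the init script in this same commit (it uses the absolute path) and makes the test and the call refer to possibly different binaries. Suggest `/usr/sbin/dnssec-configure -u --norestart --nocheck --dnssec="$DNSSEC" --dlv="$DLV" > \`. The trailing `fi;` also has a stray semicolon.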
@@ -148,6 +188,18 @@ fi
%postun libs -p /sbin/ldconfig
%changelog
+* Sat Jun 27 2009 Paul Wouters <paul at xelerance.com> - 1.3.0-1
+- Updated to 1.3.0
+- Added support for dnssec-conf
+- Place python macros within the %%with_python check
+- Added unbound-python sub package. disabled for now
+- Patch from svn to fix DLV lookups
+- Patches from svn to detect wrong truncated response from BIND 9.6.1 with
+ minimal-responses
+- Added Default-Start and Default-Stop to unbound.init
+- Re-enabled --enable-sha2
+- Re-enabled glob.patch
+
* Wed May 20 2009 Paul Wouters <paul at xelerance.com> - 1.2.1
- Upgraded to 1.2.1
- Properly drop group privs