Diffstat (limited to 'network/unbound')
-rw-r--r-- | network/unbound/doinst.sh | 39 | ||||
-rw-r--r-- | network/unbound/rc.unbound | 83 | ||||
-rw-r--r-- | network/unbound/root.hints | 92 | ||||
-rw-r--r-- | network/unbound/unbound.SlackBuild | 50 | ||||
-rw-r--r-- | network/unbound/unbound.info | 6 |
5 files changed, 236 insertions, 34 deletions
diff --git a/network/unbound/doinst.sh b/network/unbound/doinst.sh
index f7243783f5..a1aece44fe 100644
--- a/network/unbound/doinst.sh
+++ b/network/unbound/doinst.sh
@@ -26,20 +26,27 @@ preserve_perms etc/rc.d/rc.unbound.new
 config etc/unbound/unbound.conf.new
 config etc/logrotate.d/unbound.new
-# MD5SUM d837bf4c42abb7048c90d720a579f829 is a file hash from the previous initscript.
-
-if [ $(md5sum /etc/rc.d/rc.unbound | cut -f 1 -d " ") == "d837bf4c42abb7048c90d720a579f829" ]
-then
- echo ""
- echo "Warning! Red Hat style init script detected at /etc/rc.d/rc.unbound !"
- echo "It's likely from your previous Unbound installation."
- echo "The init script will probably work just fine but the script has since been rewritten"
- echo "as of Unbound version 1.16.2 and it's no longer supported by this SlackBuild."
- echo ""
- echo "Simply run the following commands to install the new Unbound init script:"
- echo "# cd /etc/rc.d && mv rc.unbound.new rc.unbound"
- echo ""
- echo "...or if you use slackpkg:"
- echo "# slackpkg new-config"
- echo ""
+if [ -r /etc/logrotate.d/unbound ] && [ $(stat -c "%U:%G" "/etc/logrotate.d/unbound") != "root:root" ]; then
+ echo "Incorrect permissions detected on /etc/logrotate.d/unbound !"
+ echo "This will prevent Unbound logrotate script from working."
+ echo ""
+ echo "Previous Unbound SlackBuild scripts didn't set this correctly."
+ echo ""
+ echo "To fix it, simply run:"
+ echo "# chown root:root /etc/logrotate.d/unbound"
 fi
+
+echo "----------------------------"
+echo "As of Unbound SlackBuild 1.18.0-2 DNSSEC is enabled by default."
+echo
+echo "You have two options:"
+echo
+echo "1) Run the following command to setup the root trust anchor (RECOMMENDED!)"
+echo "# sudo -u unbound unbound-anchor -f /etc/resolv.conf -R -a /var/lib/unbound/root.key"
+echo
+echo "2) Disable DNSSEC and unbound-anchor functionality."
+echo "Edit /etc/unbound/unbound.conf, and erase or comment the following line:"
+echo 'auto-trust-anchor-file: "/var/lib/unbound/root.key"'
+echo
+echo "This is a suitable option if you plan to use Unbound simply as a forwarding resolver."
+echo "----------------------------"
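Review bot: Option 2 of the new notice presents removing `auto-trust-anchor-file` as the natural choice for a forwarding setup, but that line is what gives the validator its trust anchor, so following the advice turns DNSSEC validation off and the resolver then accepts whatever the upstream returns; Unbound can still validate forwarded answers as long as the forwarder passes DNSSEC records through, so the closing sentence should say that rather than recommend the downgrade. Suggest replacing the last echo with `echo "Note: this disables DNSSEC validation entirely. A forwarding resolver can still validate if the upstream returns DNSSEC records."`. Separately, the ownership test leaves the substitution unquoted; `[ "$(stat -c "%U:%G" /etc/logrotate.d/unbound)" != "root:root" ]` keeps `[` from misparsing if stat ever prints nothing. These echo lines sit at the top level of doinst.sh, after the config/preserve_perms calls.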
diff --git a/network/unbound/rc.unbound b/network/unbound/rc.unbound
index d45d6ff255..3c31faf4ef 100644
--- a/network/unbound/rc.unbound
+++ b/network/unbound/rc.unbound
@@ -5,32 +5,97 @@ UNBOUND=/usr/sbin/unbound
 CONFIG=/etc/unbound/unbound.conf
-PIDFILE=/var/run/unbound/unbound.pid
+PIDFILE=/run/unbound/unbound.pid
+LOGDIR=/var/log/unbound
+KEYFILE=/var/lib/unbound/root.key
 # Unbound-control is useful but I'm not going to cram it
 # down your throat. Set this to "yes" to disable unbound-control
-# initial setup.
+# initial setup. Note that you'll need to disable control port
+# in unbound.conf so Unbound will actually start.
 DISABLE_UNBOUND_CONTROL="no"
+
+# As part of the initial checks, the script makes sure that
+# $LOGDIR exists. It's mostly for cases where admin accidentally
+# deletes the entire log folder rather than individual logs.
+# If you don't use logging at all, have a custom setup or
+# just want to skip these checks, set this to "yes".
+DISABLE_LOGDIR_CHECKS="no"
+
 initchecks() {
+ # If auto-trust-anchor-file is enabled and the keyfile doesn't exists in
+ # /var/lib/unbound, we won't start the daemon. Most(?) errors can be caught
+ # by /usr/sbin/unbound executable but this one actually allows Unbound to start -
+ # - only for it to crash a moment later. Running unbound-checkconf on every start up
+ # would be useful, but it would make noise every time the daemon starts up.
+ if [ ! -z "$(unbound-checkconf -o auto-trust-anchor-file)" ] && [ ! -e "$KEYFILE" ]; then
+ echo "ERROR: $KEYFILE not found, yet auto-trust-anchor-file is enabled in $CONFIG"
+ echo "ERROR: Refusing to start because Unbound would crash."
+ echo "ERROR: Please generate Unbound Anchor file with the following command:"
+ echo " # sh /etc/rc.d/rc.unbound generate-key"
+ echo
+ echo "...or comment out auto-trust-anchor-file in $CONFIG."
+ exit 1
+ fi
+ # Look out for a stale pidfile. If there's one, remove it.
+ # This shouldn't be necessary unless the system was shutdown uncleanly
+ # or if Unbound crashes.
+ if [ -e $PIDFILE ] && [ ! $(pidof unbound) ]; then
+ echo "Looks like Unbound isn't running but there's a stale pid file."
+ echo "Removing $PIDFILE"
+ rm -vf $PIDFILE
+ fi
+ # Check that /run/unbound exists. If not, create and chown it.
 if [ ! -e $(dirname $PIDFILE) ]; then
 mkdir -p $(dirname $PIDFILE)
 chown unbound:unbound $(dirname $PIDFILE)
 fi
+ # Run the initial setup for unbound-control unless it's disabled.
+ # Mostly relevant for the first time run.
 if [ ! -e $(dirname $CONFIG)/unbound_server.pem ] && [ "$DISABLE_UNBOUND_CONTROL" == "no" ]; then
 echo "Unbound-control: unbound_server.pem not found."
- echo "Running initial setup: /usr/sbin/unbound-control-setup"
+ echo "This is normal for the first run."
+ echo "Running initial setup to generate certificates: /usr/sbin/unbound-control-setup"
 /usr/sbin/unbound-control-setup || exit 1
+ echo "Actually... no need to do anything. It's enabled by default on Slackware :-)"
+ fi
+ # Deleted the entire log directory by accident? Oh well, bound to happen.
+ # Let's fix that right away.
+ if [ "$DISABLE_LOGDIR_CHECKS" == "no" ]
+ then
+ if [ ! -d "$LOGDIR" ]; then
+ echo -n "Unbound log directory not found. Attempting to recreate it... "
+ mkdir $LOGDIR && echo "Success!"
+ fi
+ if [ $(stat -c "%U:%G" "$LOGDIR") != "unbound:unbound" ]; then
+ echo -n "Fixing permissions on the log folder $LOGDIR... "
+ chown -R unbound:unbound $LOGDIR && echo "Success!"
+ fi
 fi
 }
+anchorkeygen() {
+ echo "Generating Unbound Anchor keyfile..."
+ sudo -u unbound unbound-anchor -f /etc/resolv.conf -R -a /var/lib/unbound/root.key
+ echo "Done"
+}
+
+checkconfig() {
+ echo "Checking Unbound configuration file: $CONFIG"
+ echo "This will run the command: /usr/sbin/unbound-checkconf"
+ echo "-----START unbound-checkconf output-----"
+ /usr/sbin/unbound-checkconf
+ echo "-----END unbound-checkconf output-----"
+
+}
+
 start() {
 initchecks
 if [ -r $PIDFILE ]; then
 echo 'Unbound is already running!'
 return
 else
- echo "Starting Unbound DNS validating resolver..."
+ echo "Starting Unbound..."
 $UNBOUND -c $CONFIG || echo "Failed to start! The error messages above might help."
 fi
 }
@@ -40,7 +105,7 @@ stop() {
 echo 'Unbound is not running.'
 return
 fi
- echo "Stopping Unbound DNS validating resolver..."
+ echo "Stopping Unbound..."
 kill `cat $PIDFILE`
 rm -f $PIDFILE
 }
@@ -66,11 +131,17 @@ case "$1" in
 sleep 1
 start
 ;;
+ 'generate-key')
+ anchorkeygen
+ ;;
+ 'check-config')
+ checkconfig
+ ;;
 'reload')
 reload
 ;;
 *)
- echo "Usage: $0 {start|stop|reload|restart}"
+ echo "Usage: $0 {start|stop|reload|restart|generate-key|check-config}"
 exit 1
 ;;
 esac
diff --git a/network/unbound/root.hints b/network/unbound/root.hints
new file mode 100644
index 0000000000..280ab06683
--- /dev/null
+++ b/network/unbound/root.hints
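Review bot: The stale-pidfile test `[ ! $(pidof unbound) ]` in initchecks expands an unquoted substitution, so as soon as pidof reports more than one PID (a second instance, for example) `[` aborts with "too many arguments" and the stale file is silently kept; it also never looks at the PID actually recorded in the file. Test that PID instead: `if [ -e "$PIDFILE" ] && ! kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then`. Because `$(dirname $PIDFILE)` is chowned to unbound a few lines later, the pidfile's content is writable by the daemon user and is later passed to the root-run `kill` in stop() (context in the next hunk), so rejecting non-numeric content with `case "$pid" in ''|*[!0-9]*) echo "Bad pidfile"; return;; esac` before use is cheap insurance. In anchorkeygen, "Done" is printed whatever unbound-anchor did; it signals a created or updated key through its exit status and on a failed fetch there may be no file at all, so gate the message on `[ -s "$KEYFILE" ] && echo "Done" || echo "root.key was not written"`.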
@@ -0,0 +1,92 @@ +; This file holds the information on root name servers needed to +; initialize cache of Internet domain name servers +; (e.g. reference this file in the "cache . <file>" +; configuration file of BIND domain name servers). +; +; This file is made available by InterNIC +; under anonymous FTP as +; file /domain/named.cache +; on server FTP.INTERNIC.NET +; -OR- RS.INTERNIC.NET +; +; last update: March 25, 2024 +; related version of root zone: 2024032501 +; +; FORMERLY NS.INTERNIC.NET +; +. 3600000 NS A.ROOT-SERVERS.NET. +A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4 +A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30 +; +; FORMERLY NS1.ISI.EDU +; +. 3600000 NS B.ROOT-SERVERS.NET. +B.ROOT-SERVERS.NET. 3600000 A 170.247.170.2 +B.ROOT-SERVERS.NET. 3600000 AAAA 2801:1b8:10::b +; +; FORMERLY C.PSI.NET +; +. 3600000 NS C.ROOT-SERVERS.NET. +C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12 +C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c +; +; FORMERLY TERP.UMD.EDU +; +. 3600000 NS D.ROOT-SERVERS.NET. +D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13 +D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d +; +; FORMERLY NS.NASA.GOV +; +. 3600000 NS E.ROOT-SERVERS.NET. +E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10 +E.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:a8::e +; +; FORMERLY NS.ISC.ORG +; +. 3600000 NS F.ROOT-SERVERS.NET. +F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241 +F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f +; +; FORMERLY NS.NIC.DDN.MIL +; +. 3600000 NS G.ROOT-SERVERS.NET. +G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4 +G.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:12::d0d +; +; FORMERLY AOS.ARL.ARMY.MIL +; +. 3600000 NS H.ROOT-SERVERS.NET. +H.ROOT-SERVERS.NET. 3600000 A 198.97.190.53 +H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53 +; +; FORMERLY NIC.NORDU.NET +; +. 3600000 NS I.ROOT-SERVERS.NET. +I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17 +I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53 +; +; OPERATED BY VERISIGN, INC. +; +. 3600000 NS J.ROOT-SERVERS.NET. +J.ROOT-SERVERS.NET. 
3600000 A 192.58.128.30 +J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30 +; +; OPERATED BY RIPE NCC +; +. 3600000 NS K.ROOT-SERVERS.NET. +K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129 +K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1 +; +; OPERATED BY ICANN +; +. 3600000 NS L.ROOT-SERVERS.NET. +L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42 +L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:9f::42 +; +; OPERATED BY WIDE +; +. 3600000 NS M.ROOT-SERVERS.NET. +M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33 +M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35 +; End of file
\ No newline at end of file
diff --git a/network/unbound/unbound.SlackBuild b/network/unbound/unbound.SlackBuild
index 7bec9a1b1f..9a2dc3ce59 100644
--- a/network/unbound/unbound.SlackBuild
+++ b/network/unbound/unbound.SlackBuild
@@ -2,7 +2,7 @@
 # Slackware build script for Unbound
-# Copyright 2022 Badchay <badchay@protonmail.com>
+# Copyright 2024 Badchay <badchay@protonmail.com>
 # All rights reserved.
 # Copyright 2020 Gerardo Zamudio <gerardo.zamudio@linux.com> Mexico City, Mexico
 # All rights reserved.
@@ -27,8 +27,8 @@ cd $(dirname $0) ; CWD=$(pwd)
 PRGNAM=unbound
-VERSION=${VERSION:-1.16.3}
-BUILD=${BUILD:-1}
+VERSION=${VERSION:-1.19.3}
+BUILD=${BUILD:-2}
 TAG=${TAG:-_SBo}
 PKGTYPE=${PKGTYPE:-tgz}
@@ -83,6 +83,12 @@ if ! grep -q ^"$UB_USER": /etc/passwd ; then
 exit 1
 fi
+# This needs to be set. Otherwise Unbound will build
+# against Python 2 on Slackware 15.0.
+# Setting this to "3" allows Unbound to build with
+# Python 3.9 and 3.11, depending which one is installed.
+UNB_PY_VERSION=${UNB_PY_VERSION:-3}
+
 set -e
 rm -rf $PKG
@@ -100,6 +106,7 @@ find -L . \
 CFLAGS="$SLKCFLAGS" \
 CXXFLAGS="$SLKCFLAGS" \
+PYTHON_VERSION="$UNB_PY_VERSION" \
 ./configure \
 --prefix=/usr \
 --libdir=/usr/lib${LIBDIRSUFFIX} \
@@ -111,9 +118,15 @@ CXXFLAGS="$SLKCFLAGS" \
 --with-ssl \
 --enable-dnscrypt \
 --disable-static \
+ --enable-sha2 \
+ --enable-subnet \
+ --with-pythonmodule \
+ --with-pyunbound \
 --with-username=$UB_USER \
- --with-pidfile=/var/run/unbound/unbound.pid \
+ --with-pidfile=/run/unbound/unbound.pid \
+ --with-rootkey-file=/var/lib/unbound/root.key \
 --build=$ARCH-slackware-linux \
+ --host=$ARCH-slackware-linux \
 make
 make install DESTDIR=$PKG
@@ -130,7 +143,7 @@ mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
 cp -a doc/README* doc/FEATURES doc/CREDITS doc/TODO $PKG/usr/doc/$PRGNAM-$VERSION
 # Shorten the Changelog and restore its timestamp
-head -n 1000 doc/Changelog > $PKG/usr/doc/$PRGNAM-$VERSION/Changelog
+head -n 500 doc/Changelog > $PKG/usr/doc/$PRGNAM-$VERSION/Changelog
 touch -r doc/Changelog $PKG/usr/doc/$PRGNAM-$VERSION/Changelog
 # Save the upstream unbound.conf and set some reasonable defaults:
@@ -142,7 +155,13 @@ touch -r doc/Changelog $PKG/usr/doc/$PRGNAM-$VERSION/Changelog
 # 3) Change timestamps to ASCII format (from Epoch).
 # 4) Turn off chroot.
 # 5) Disable systemd socket activation.
-# 6) Set num-threads to $(nproc). Still disabled by default.
+# 6) Set num-threads to $(nproc).
+# 7) Use root-hints file.
+# 8) Set DNS prefetch to "yes".
+# 9) Harden against out of zone rrsets (harden-glue).
+# 10) Harden against receiving dnssec-stripped data (harden-dnssec-stripped).
+# 11) Enable aggressive NSEC, root-key-sentinel and RFC8145 (trust anchor
+# signaling).
 cp -a $PKG/etc/unbound/unbound.conf $PKG/etc/unbound/unbound.conf.upstream
 sed -i \
 -e 's/# control-interface:/control-interface:/g' \
@@ -151,17 +170,30 @@ sed -i \
 -e 's/# use-systemd: no/use-systemd: no/g' \
 -e 's/# logfile: ""/logfile: "\/var\/log\/unbound\/unbound.log"/g' \
 -e 's/# chroot: "\/etc\/unbound"/chroot: ""/g' \
--e 's/# num-threads: 1/# num-threads: '$(nproc)' # Set to nproc by SlackBuild. Uncomment to enable threading/g' \
+-e 's/# num-threads: 1/num-threads: '$(nproc)' # Set to the value of nproc by SlackBuild/g' \
+-e 's/# root-hints: ""/root-hints: "\/var\/lib\/unbound\/root.hints"/g' \
+-e 's/# prefetch: no/prefetch: yes/g' \
+-e 's/# harden-glue: yes/harden-glue: yes/g' \
+-e 's/# harden-dnssec-stripped: yes/harden-dnssec-stripped: yes/g' \
+-e 's/# aggressive-nsec: yes/aggressive-nsec: yes/g' \
+-e 's/# trust-anchor-signaling: yes/trust-anchor-signaling: yes/g' \
+-e 's/# root-key-sentinel: yes/root-key-sentinel: yes/g' \
+-e '/# auto-trust-anchor-file: ".*/a\ auto-trust-anchor-file: "/var/lib/unbound/root.key"' \
 $PKG/etc/unbound/unbound.conf \
-mkdir -p $PKG/var/run/unbound
+mkdir -p $PKG/run/unbound
 mkdir -p $PKG/var/log/unbound
+mkdir -p $PKG/var/lib/unbound
 mkdir -p $PKG/etc/logrotate.d
-chown $UB_USER:$UB_GROUP $PKG/var/run/unbound/
+chown $UB_USER:$UB_GROUP $PKG/run/unbound/
 chown $UB_USER:$UB_GROUP $PKG/var/log/unbound/
+chown $UB_USER:$UB_GROUP $PKG/var/lib/unbound/
 cp -a $CWD/unbound.logrotate $PKG/etc/logrotate.d/unbound.new
+cp -a $CWD/root.hints $PKG/var/lib/unbound/root.hints
+chown $UB_USER:$UB_GROUP $PKG/var/lib/unbound/root.hints
+chown root:root $PKG/etc/logrotate.d/unbound.new
 mv $PKG/etc/unbound/unbound.conf $PKG/etc/unbound/unbound.conf.new
 install -m 0644 -D $CWD/rc.unbound $PKG/etc/rc.d/rc.unbound.new
diff --git a/network/unbound/unbound.info b/network/unbound/unbound.info
index 55c07938aa..d17666a509 100644
--- a/network/unbound/unbound.info
+++ b/network/unbound/unbound.info
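Review bot: `chown $UB_USER:$UB_GROUP $PKG/var/lib/unbound/root.hints` hands the root-server list to the daemon user, and `/var/lib/unbound` itself is chowned to unbound in the same hunk (it has to be, so `auto-trust-anchor-file` can rewrite root.key), so a process running as unbound can replace the hints and steer every cold start at servers of its choosing — with validation on that is a denial of service, but the accompanying doinst.sh also documents turning validation off. The daemon only needs to read this file, so ship it somewhere root-owned and drop the chown: `cp -a $CWD/root.hints $PKG/etc/unbound/root.hints` with the sed line changed to `root-hints: "/etc/unbound/root.hints"`. Note also that the harden-glue, harden-dnssec-stripped, aggressive-nsec, trust-anchor-signaling and root-key-sentinel sed lines only uncomment the value the example file already lists (`# harden-glue: yes` → `harden-glue: yes`), so they appear to restate defaults rather than harden anything; options that would change behaviour, such as `harden-algo-downgrade: yes` and `hide-identity: yes`/`hide-version: yes`, are not set.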
@@ -1,8 +1,8 @@
 PRGNAM="unbound"
-VERSION="1.16.3"
+VERSION="1.19.3"
 HOMEPAGE="https://nlnetlabs.nl/projects/unbound/about/"
-DOWNLOAD="https://www.nlnetlabs.nl/downloads/unbound/unbound-1.16.3.tar.gz"
-MD5SUM="f0a767b32058ae67311e5d3665139d15"
+DOWNLOAD="https://www.nlnetlabs.nl/downloads/unbound/unbound-1.19.3.tar.gz"
+MD5SUM="00bf61460c87c2542bcb68d52a2e5195"
 DOWNLOAD_x86_64=""
 MD5SUM_x86_64=""
 REQUIRES="" |