Diffstat (limited to 'network/unbound')
-rw-r--r--network/unbound/doinst.sh39
-rw-r--r--network/unbound/rc.unbound83
-rw-r--r--network/unbound/root.hints92
-rw-r--r--network/unbound/unbound.SlackBuild50
-rw-r--r--network/unbound/unbound.info6
5 files changed, 236 insertions, 34 deletions
diff --git a/network/unbound/doinst.sh b/network/unbound/doinst.sh
index f7243783f5..a1aece44fe 100644
--- a/network/unbound/doinst.sh
+++ b/network/unbound/doinst.sh
@@ -26,20 +26,27 @@ preserve_perms etc/rc.d/rc.unbound.new
config etc/unbound/unbound.conf.new
config etc/logrotate.d/unbound.new
-# MD5SUM d837bf4c42abb7048c90d720a579f829 is a file hash from the previous initscript.
-
-if [ $(md5sum /etc/rc.d/rc.unbound | cut -f 1 -d " ") == "d837bf4c42abb7048c90d720a579f829" ]
-then
- echo ""
- echo "Warning! Red Hat style init script detected at /etc/rc.d/rc.unbound !"
- echo "It's likely from your previous Unbound installation."
- echo "The init script will probably work just fine but the script has since been rewritten"
- echo "as of Unbound version 1.16.2 and it's no longer supported by this SlackBuild."
- echo ""
- echo "Simply run the following commands to install the new Unbound init script:"
- echo "# cd /etc/rc.d && mv rc.unbound.new rc.unbound"
- echo ""
- echo "...or if you use slackpkg:"
- echo "# slackpkg new-config"
- echo ""
+if [ -r /etc/logrotate.d/unbound ] && [ $(stat -c "%U:%G" "/etc/logrotate.d/unbound") != "root:root" ]; then
+ echo "Incorrect permissions detected on /etc/logrotate.d/unbound !"
+ echo "This will prevent Unbound logrotate script from working."
+ echo ""
+ echo "Previous Unbound SlackBuild scripts didn't set this correctly."
+ echo ""
+ echo "To fix it, simply run:"
+ echo "# chown root:root /etc/logrotate.d/unbound"
fi
+
+echo "----------------------------"
+echo "As of Unbound SlackBuild 1.18.0-2 DNSSEC is enabled by default."
+echo
+echo "You have two options:"
+echo
+echo "1) Run the following command to setup the root trust anchor (RECOMMENDED!)"
+echo "# sudo -u unbound unbound-anchor -f /etc/resolv.conf -R -a /var/lib/unbound/root.key"
+echo
+echo "2) Disable DNSSEC and unbound-anchor functionality."
+echo "Edit /etc/unbound/unbound.conf, and erase or comment the following line:"
+echo 'auto-trust-anchor-file: "/var/lib/unbound/root.key"'
+echo
+echo "This is a suitable option if you plan to use Unbound simply as a forwarding resolver."
+echo "----------------------------"
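Review bot: The ownership test on the new `if` line is an unquoted command substitution, so if `stat` fails or prints nothing the expression collapses to `[ != "root:root" ]` and the post-install script errors out instead of skipping the warning; quote it as `[ "$(stat -c '%U:%G' /etc/logrotate.d/unbound)" != "root:root" ]`. The message says "Incorrect permissions", but the check only compares owner and group, so `echo "Incorrect ownership detected on /etc/logrotate.d/unbound !"` would point admins at `chown` rather than mode bits. The new DNSSEC notice leaves the `unbound-anchor` step to the admin; since the rc script in this commit gains a `generate-key` action that runs the same command, referring to `/etc/rc.d/rc.unbound generate-key` here would keep the two instructions from drifting apart.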
diff --git a/network/unbound/rc.unbound b/network/unbound/rc.unbound
index d45d6ff255..3c31faf4ef 100644
--- a/network/unbound/rc.unbound
+++ b/network/unbound/rc.unbound
@@ -5,32 +5,97 @@
UNBOUND=/usr/sbin/unbound
CONFIG=/etc/unbound/unbound.conf
-PIDFILE=/var/run/unbound/unbound.pid
+PIDFILE=/run/unbound/unbound.pid
+LOGDIR=/var/log/unbound
+KEYFILE=/var/lib/unbound/root.key
# Unbound-control is useful but I'm not going to cram it
# down your throat. Set this to "yes" to disable unbound-control
-# initial setup.
+# initial setup. Note that you'll need to disable control port
+# in unbound.conf so Unbound will actually start.
DISABLE_UNBOUND_CONTROL="no"
+# As part of the initial checks, the script makes sure that
+# $LOGDIR exists. It's mostly for cases where admin accidentally
+# deletes the entire log folder rather than individual logs.
+# If you don't use logging at all, have a custom setup or
+# just want to skip these checks, set this to "yes".
+DISABLE_LOGDIR_CHECKS="no"
+
initchecks() {
+ # If auto-trust-anchor-file is enabled and the keyfile doesn't exists in
+ # /var/lib/unbound, we won't start the daemon. Most(?) errors can be caught
+ # by /usr/sbin/unbound executable but this one actually allows Unbound to start -
+ # - only for it to crash a moment later. Running unbound-checkconf on every start up
+ # would be useful, but it would make noise every time the daemon starts up.
+ if [ ! -z "$(unbound-checkconf -o auto-trust-anchor-file)" ] && [ ! -e "$KEYFILE" ]; then
+ echo "ERROR: $KEYFILE not found, yet auto-trust-anchor-file is enabled in $CONFIG"
+ echo "ERROR: Refusing to start because Unbound would crash."
+ echo "ERROR: Please generate Unbound Anchor file with the following command:"
+ echo " # sh /etc/rc.d/rc.unbound generate-key"
+ echo
+ echo "...or comment out auto-trust-anchor-file in $CONFIG."
+ exit 1
+ fi
+ # Look out for a stale pidfile. If there's one, remove it.
+ # This shouldn't be necessary unless the system was shutdown uncleanly
+ # or if Unbound crashes.
+ if [ -e $PIDFILE ] && [ ! $(pidof unbound) ]; then
+ echo "Looks like Unbound isn't running but there's a stale pid file."
+ echo "Removing $PIDFILE"
+ rm -vf $PIDFILE
+ fi
+ # Check that /run/unbound exists. If not, create and chown it.
if [ ! -e $(dirname $PIDFILE) ]; then
mkdir -p $(dirname $PIDFILE)
chown unbound:unbound $(dirname $PIDFILE)
fi
+ # Run the initial setup for unbound-control unless it's disabled.
+ # Mostly relevant for the first time run.
if [ ! -e $(dirname $CONFIG)/unbound_server.pem ] && [ "$DISABLE_UNBOUND_CONTROL" == "no" ]; then
echo "Unbound-control: unbound_server.pem not found."
- echo "Running initial setup: /usr/sbin/unbound-control-setup"
+ echo "This is normal for the first run."
+ echo "Running initial setup to generate certificates: /usr/sbin/unbound-control-setup"
/usr/sbin/unbound-control-setup || exit 1
+ echo "Actually... no need to do anything. It's enabled by default on Slackware :-)"
+ fi
+ # Deleted the entire log directory by accident? Oh well, bound to happen.
+ # Let's fix that right away.
+ if [ "$DISABLE_LOGDIR_CHECKS" == "no" ]
+ then
+ if [ ! -d "$LOGDIR" ]; then
+ echo -n "Unbound log directory not found. Attempting to recreate it... "
+ mkdir $LOGDIR && echo "Success!"
+ fi
+ if [ $(stat -c "%U:%G" "$LOGDIR") != "unbound:unbound" ]; then
+ echo -n "Fixing permissions on the log folder $LOGDIR... "
+ chown -R unbound:unbound $LOGDIR && echo "Success!"
+ fi
fi
}
+anchorkeygen() {
+ echo "Generating Unbound Anchor keyfile..."
+ sudo -u unbound unbound-anchor -f /etc/resolv.conf -R -a /var/lib/unbound/root.key
+ echo "Done"
+}
+
+checkconfig() {
+ echo "Checking Unbound configuration file: $CONFIG"
+ echo "This will run the command: /usr/sbin/unbound-checkconf"
+ echo "-----START unbound-checkconf output-----"
+ /usr/sbin/unbound-checkconf
+ echo "-----END unbound-checkconf output-----"
+
+}
+
start() {
initchecks
if [ -r $PIDFILE ]; then
echo 'Unbound is already running!'
return
else
- echo "Starting Unbound DNS validating resolver..."
+ echo "Starting Unbound..."
$UNBOUND -c $CONFIG || echo "Failed to start! The error messages above might help."
fi
}
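Review bot: The stale-pidfile test `[ -e $PIDFILE ] && [ ! $(pidof unbound) ]` breaks when pidof prints more than one PID (the test becomes `[ ! 1234 5678 ]` and `[` aborts with "too many arguments"), so the stale file is neither detected nor removed exactly when things are messy; write it as `if [ -e "$PIDFILE" ] && ! pidof unbound >/dev/null; then`. The log-directory ownership line has the same unquoted-substitution problem: if the preceding `mkdir $LOGDIR` failed, `stat` prints nothing and the `[` call errors, so quote it as `[ "$(stat -c '%U:%G' "$LOGDIR")" != "unbound:unbound" ]`. The anchor check reads `auto-trust-anchor-file` from the config via `unbound-checkconf -o` but then tests the fixed `$KEYFILE`, and `anchorkeygen` hardcodes `/var/lib/unbound/root.key` a third time; capturing the configured value once (`anchor=$(unbound-checkconf -o auto-trust-anchor-file)`) and using it in both places keeps the refuse-to-start logic correct when an admin relocates the key. Separately, `checkconfig` discards unbound-checkconf's exit status, so `rc.unbound check-config` always returns 0 to callers; make the `/usr/sbin/unbound-checkconf` call's status the function's return value.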
@@ -40,7 +105,7 @@ stop() {
echo 'Unbound is not running.'
return
fi
- echo "Stopping Unbound DNS validating resolver..."
+ echo "Stopping Unbound..."
kill `cat $PIDFILE`
rm -f $PIDFILE
}
@@ -66,11 +131,17 @@ case "$1" in
sleep 1
start
;;
+ 'generate-key')
+ anchorkeygen
+ ;;
+ 'check-config')
+ checkconfig
+ ;;
'reload')
reload
;;
*)
- echo "Usage: $0 {start|stop|reload|restart}"
+ echo "Usage: $0 {start|stop|reload|restart|generate-key|check-config}"
exit 1
;;
esac
diff --git a/network/unbound/root.hints b/network/unbound/root.hints
new file mode 100644
index 0000000000..280ab06683
--- /dev/null
+++ b/network/unbound/root.hints
@@ -0,0 +1,92 @@
+; This file holds the information on root name servers needed to
+; initialize cache of Internet domain name servers
+; (e.g. reference this file in the "cache . <file>"
+; configuration file of BIND domain name servers).
+;
+; This file is made available by InterNIC
+; under anonymous FTP as
+; file /domain/named.cache
+; on server FTP.INTERNIC.NET
+; -OR- RS.INTERNIC.NET
+;
+; last update: March 25, 2024
+; related version of root zone: 2024032501
+;
+; FORMERLY NS.INTERNIC.NET
+;
+. 3600000 NS A.ROOT-SERVERS.NET.
+A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
+A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30
+;
+; FORMERLY NS1.ISI.EDU
+;
+. 3600000 NS B.ROOT-SERVERS.NET.
+B.ROOT-SERVERS.NET. 3600000 A 170.247.170.2
+B.ROOT-SERVERS.NET. 3600000 AAAA 2801:1b8:10::b
+;
+; FORMERLY C.PSI.NET
+;
+. 3600000 NS C.ROOT-SERVERS.NET.
+C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
+C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c
+;
+; FORMERLY TERP.UMD.EDU
+;
+. 3600000 NS D.ROOT-SERVERS.NET.
+D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
+D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d
+;
+; FORMERLY NS.NASA.GOV
+;
+. 3600000 NS E.ROOT-SERVERS.NET.
+E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
+E.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:a8::e
+;
+; FORMERLY NS.ISC.ORG
+;
+. 3600000 NS F.ROOT-SERVERS.NET.
+F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
+F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f
+;
+; FORMERLY NS.NIC.DDN.MIL
+;
+. 3600000 NS G.ROOT-SERVERS.NET.
+G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
+G.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:12::d0d
+;
+; FORMERLY AOS.ARL.ARMY.MIL
+;
+. 3600000 NS H.ROOT-SERVERS.NET.
+H.ROOT-SERVERS.NET. 3600000 A 198.97.190.53
+H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53
+;
+; FORMERLY NIC.NORDU.NET
+;
+. 3600000 NS I.ROOT-SERVERS.NET.
+I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
+I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53
+;
+; OPERATED BY VERISIGN, INC.
+;
+. 3600000 NS J.ROOT-SERVERS.NET.
+J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
+J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30
+;
+; OPERATED BY RIPE NCC
+;
+. 3600000 NS K.ROOT-SERVERS.NET.
+K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
+K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1
+;
+; OPERATED BY ICANN
+;
+. 3600000 NS L.ROOT-SERVERS.NET.
+L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
+L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:9f::42
+;
+; OPERATED BY WIDE
+;
+. 3600000 NS M.ROOT-SERVERS.NET.
+M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
+M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35
+; End of file \ No newline at end of file
diff --git a/network/unbound/unbound.SlackBuild b/network/unbound/unbound.SlackBuild
index 7bec9a1b1f..9a2dc3ce59 100644
--- a/network/unbound/unbound.SlackBuild
+++ b/network/unbound/unbound.SlackBuild
@@ -2,7 +2,7 @@
# Slackware build script for Unbound
-# Copyright 2022 Badchay <badchay@protonmail.com>
+# Copyright 2024 Badchay <badchay@protonmail.com>
# All rights reserved.
# Copyright 2020 Gerardo Zamudio <gerardo.zamudio@linux.com> Mexico City, Mexico
# All rights reserved.
@@ -27,8 +27,8 @@
cd $(dirname $0) ; CWD=$(pwd)
PRGNAM=unbound
-VERSION=${VERSION:-1.16.3}
-BUILD=${BUILD:-1}
+VERSION=${VERSION:-1.19.3}
+BUILD=${BUILD:-2}
TAG=${TAG:-_SBo}
PKGTYPE=${PKGTYPE:-tgz}
@@ -83,6 +83,12 @@ if ! grep -q ^"$UB_USER": /etc/passwd ; then
exit 1
fi
+# This needs to be set. Otherwise Unbound will build
+# against Python 2 on Slackware 15.0.
+# Setting this to "3" allows Unbound to build with
+# Python 3.9 and 3.11, depending which one is installed.
+UNB_PY_VERSION=${UNB_PY_VERSION:-3}
+
set -e
rm -rf $PKG
@@ -100,6 +106,7 @@ find -L . \
CFLAGS="$SLKCFLAGS" \
CXXFLAGS="$SLKCFLAGS" \
+PYTHON_VERSION="$UNB_PY_VERSION" \
./configure \
--prefix=/usr \
--libdir=/usr/lib${LIBDIRSUFFIX} \
@@ -111,9 +118,15 @@ CXXFLAGS="$SLKCFLAGS" \
--with-ssl \
--enable-dnscrypt \
--disable-static \
+ --enable-sha2 \
+ --enable-subnet \
+ --with-pythonmodule \
+ --with-pyunbound \
--with-username=$UB_USER \
- --with-pidfile=/var/run/unbound/unbound.pid \
+ --with-pidfile=/run/unbound/unbound.pid \
+ --with-rootkey-file=/var/lib/unbound/root.key \
--build=$ARCH-slackware-linux \
+ --host=$ARCH-slackware-linux \
make
make install DESTDIR=$PKG
@@ -130,7 +143,7 @@ mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
cp -a doc/README* doc/FEATURES doc/CREDITS doc/TODO $PKG/usr/doc/$PRGNAM-$VERSION
# Shorten the Changelog and restore its timestamp
-head -n 1000 doc/Changelog > $PKG/usr/doc/$PRGNAM-$VERSION/Changelog
+head -n 500 doc/Changelog > $PKG/usr/doc/$PRGNAM-$VERSION/Changelog
touch -r doc/Changelog $PKG/usr/doc/$PRGNAM-$VERSION/Changelog
# Save the upstream unbound.conf and set some reasonable defaults:
@@ -142,7 +155,13 @@ touch -r doc/Changelog $PKG/usr/doc/$PRGNAM-$VERSION/Changelog
# 3) Change timestamps to ASCII format (from Epoch).
# 4) Turn off chroot.
# 5) Disable systemd socket activation.
-# 6) Set num-threads to $(nproc). Still disabled by default.
+# 6) Set num-threads to $(nproc).
+# 7) Use root-hints file.
+# 8) Set DNS prefetch to "yes".
+# 9) Harden against out of zone rrsets (harden-glue).
+# 10) Harden against receiving dnssec-stripped data (harden-dnssec-stripped).
+# 11) Enable aggressive NSEC, root-key-sentinel and RFC8145 (trust anchor
+# signaling).
cp -a $PKG/etc/unbound/unbound.conf $PKG/etc/unbound/unbound.conf.upstream
sed -i \
-e 's/# control-interface:/control-interface:/g' \
@@ -151,17 +170,30 @@ sed -i \
-e 's/# use-systemd: no/use-systemd: no/g' \
-e 's/# logfile: ""/logfile: "\/var\/log\/unbound\/unbound.log"/g' \
-e 's/# chroot: "\/etc\/unbound"/chroot: ""/g' \
--e 's/# num-threads: 1/# num-threads: '$(nproc)' # Set to nproc by SlackBuild. Uncomment to enable threading/g' \
+-e 's/# num-threads: 1/num-threads: '$(nproc)' # Set to the value of nproc by SlackBuild/g' \
+-e 's/# root-hints: ""/root-hints: "\/var\/lib\/unbound\/root.hints"/g' \
+-e 's/# prefetch: no/prefetch: yes/g' \
+-e 's/# harden-glue: yes/harden-glue: yes/g' \
+-e 's/# harden-dnssec-stripped: yes/harden-dnssec-stripped: yes/g' \
+-e 's/# aggressive-nsec: yes/aggressive-nsec: yes/g' \
+-e 's/# trust-anchor-signaling: yes/trust-anchor-signaling: yes/g' \
+-e 's/# root-key-sentinel: yes/root-key-sentinel: yes/g' \
+-e '/# auto-trust-anchor-file: ".*/a\ auto-trust-anchor-file: "/var/lib/unbound/root.key"' \
$PKG/etc/unbound/unbound.conf \
-mkdir -p $PKG/var/run/unbound
+mkdir -p $PKG/run/unbound
mkdir -p $PKG/var/log/unbound
+mkdir -p $PKG/var/lib/unbound
mkdir -p $PKG/etc/logrotate.d
-chown $UB_USER:$UB_GROUP $PKG/var/run/unbound/
+chown $UB_USER:$UB_GROUP $PKG/run/unbound/
chown $UB_USER:$UB_GROUP $PKG/var/log/unbound/
+chown $UB_USER:$UB_GROUP $PKG/var/lib/unbound/
cp -a $CWD/unbound.logrotate $PKG/etc/logrotate.d/unbound.new
+cp -a $CWD/root.hints $PKG/var/lib/unbound/root.hints
+chown $UB_USER:$UB_GROUP $PKG/var/lib/unbound/root.hints
+chown root:root $PKG/etc/logrotate.d/unbound.new
mv $PKG/etc/unbound/unbound.conf $PKG/etc/unbound/unbound.conf.new
install -m 0644 -D $CWD/rc.unbound $PKG/etc/rc.d/rc.unbound.new
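Review bot: The `num-threads` substitution bakes `$(nproc)` of the build host into the packaged unbound.conf, and this commit switches it from a commented hint to an active setting, so a package built on a many-core machine ships that core count to every installing host (and a single-core build host ships `num-threads: 1` everywhere); either keep the line commented as before or write a fixed default and let admins tune it. The `a\` append for `auto-trust-anchor-file` fires only if the upstream example config still contains the commented `# auto-trust-anchor-file: "...` line; if upstream drops or rewords it, the package silently ships without the validation that doinst.sh announces as enabled, so a post-sed guard such as `grep -q '^[[:space:]]*auto-trust-anchor-file:' $PKG/etc/unbound/unbound.conf || exit 1` would make the build fail loudly instead. The same applies to the other `#`-prefixed patterns on the new `-e` lines, though those only affect tuning and hardening options rather than DNSSEC itself.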
diff --git a/network/unbound/unbound.info b/network/unbound/unbound.info
index 55c07938aa..d17666a509 100644
--- a/network/unbound/unbound.info
+++ b/network/unbound/unbound.info
@@ -1,8 +1,8 @@
PRGNAM="unbound"
-VERSION="1.16.3"
+VERSION="1.19.3"
HOMEPAGE="https://nlnetlabs.nl/projects/unbound/about/"
-DOWNLOAD="https://www.nlnetlabs.nl/downloads/unbound/unbound-1.16.3.tar.gz"
-MD5SUM="f0a767b32058ae67311e5d3665139d15"
+DOWNLOAD="https://www.nlnetlabs.nl/downloads/unbound/unbound-1.19.3.tar.gz"
+MD5SUM="00bf61460c87c2542bcb68d52a2e5195"
DOWNLOAD_x86_64=""
MD5SUM_x86_64=""
REQUIRES=""