unbound: New package
| Message ID | 1445161018-31114-1-git-send-email-stefan.schantl@ipfire.org |
|---|---|
| State | Superseded, archived |
| Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.tremer.info [172.28.1.200]) by septima.ipfire.org (Postfix) with ESMTP id B3F0B6201A for <patchwork@ipfire.org>; Sun, 18 Oct 2015 11:37:12 +0200 (CEST) Received: from hedwig.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 5D8AEDDD; Sun, 18 Oct 2015 11:37:12 +0200 (CEST) Received: from tuxedo.stevee (host228-133-28-81.hiway.at [81.28.133.228]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 34735161; Sun, 18 Oct 2015 11:37:05 +0200 (CEST) From: Stefan Schantl <stefan.schantl@ipfire.org> To: development@lists.ipfire.org Subject: [PATCH] unbound: New package Date: Sun, 18 Oct 2015 11:36:58 +0200 Message-Id: <1445161018-31114-1-git-send-email-stefan.schantl@ipfire.org> X-Mailer: git-send-email 2.4.3 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <http://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <http://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <http://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
Message
Stefan Schantl
Oct. 18, 2015, 8:36 p.m. UTC
Unbound is a validating, recursive, and caching DNS resolver.
The package comes with libraries that are used by many other packages
to resolve DNS records and validate those by using DNSSEC.
Fixes #10943.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
---
unbound/dlv.isc.org.key | 2 +
unbound/icannbundle.pem | 317 ++++++++++++++++
unbound/root.anchor | 1 +
unbound/root.key | 6 +
unbound/systemd/unbound-anchor.service | 9 +
unbound/systemd/unbound-anchor.timer | 14 +
unbound/systemd/unbound-keygen.service | 14 +
unbound/systemd/unbound.service | 18 +
unbound/unbound.conf | 655 +++++++++++++++++++++++++++++++++
unbound/unbound.nm | 158 ++++++++
unbound/unbound.tmpfiles | 1 +
11 files changed, 1195 insertions(+)
create mode 100644 unbound/dlv.isc.org.key
create mode 100644 unbound/icannbundle.pem
create mode 100644 unbound/root.anchor
create mode 100644 unbound/root.key
create mode 100644 unbound/systemd/unbound-anchor.service
create mode 100644 unbound/systemd/unbound-anchor.timer
create mode 100644 unbound/systemd/unbound-keygen.service
create mode 100644 unbound/systemd/unbound.service
create mode 100644 unbound/unbound.conf
create mode 100644 unbound/unbound.nm
create mode 100644 unbound/unbound.tmpfiles
Comments
Hello, this won't build: + install -p -m 0664 /usr/src/packages/unbound-1.5.5-1.ip3.src/unbound.conf /builddir/unbound-1.5.5-1.ip3/etc/unbound/ + install -p -m 0664 /usr/src/packages/unbound-1.5.5-1.ip3.src/icannbundle.pem /builddir/unbound-1.5.5-1.ip3/etc/unbound/ + install -p -m 0644 /usr/src/packages/unbound-1.5.5-1.ip3.src/root.key /builddir/unbound-1.5.5-1.ip3/etc/unbound/ + install -p -m 0664 /usr/src/packages/unbound-1.5.5-1.ip3.src/dlv.isc.org.key /builddir/unbound-1.5.5-1.ip3/etc/unbound/ + install -p -m 0664 /usr/src/packages/unbound-1.5.5-1.ip3.src/root.anchor /builddir/unbound-1.5.5-1.ip3/var/lib/unbound/root.key + chown -R unbound:unbound /builddir/unbound-1.5.5-1.ip3/var/lib/unbound/ chown: invalid user: ‘unbound:unbound’ Command exited with an error: ['bash', '--login', '-c', '/tmp/tmpnij81f'] Please make sure to check these things before sending your patches. This just makes a lot of noise for all of us. -Michael On Sun, 2015-10-18 at 11:36 +0200, Stefan Schantl wrote: > Unbound is a validating, recursive, and caching DNS resolver. > > The package comes with libraries that are used by many other packages > to resolve DNS records and validate those by using DNSSEC. > > Fixes #10943. > > Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> > --- > unbound/dlv.isc.org.key | 2 + > unbound/icannbundle.pem | 317 ++++++++++++++++ > unbound/root.anchor | 1 + > unbound/root.key | 6 + > unbound/systemd/unbound-anchor.service | 9 + > unbound/systemd/unbound-anchor.timer | 14 + > unbound/systemd/unbound-keygen.service | 14 + > unbound/systemd/unbound.service | 18 + > unbound/unbound.conf | 655 > +++++++++++++++++++++++++++++++++ > unbound/unbound.nm | 158 ++++++++ > unbound/unbound.tmpfiles | 1 + > 11 files changed, 1195 insertions(+) > create mode 100644 unbound/dlv.isc.org.key > create mode 100644 unbound/icannbundle.pem > create mode 100644 unbound/root.anchor > create mode 100644 unbound/root.key > create mode 100644 unbound/systemd/unbound-anchor.service > create mode 100644 unbound/systemd/unbound-anchor.timer > create mode 100644 unbound/systemd/unbound-keygen.service > create mode 100644 unbound/systemd/unbound.service > create mode 100644 unbound/unbound.conf > create mode 100644 unbound/unbound.nm > create mode 100644 unbound/unbound.tmpfiles > > diff --git a/unbound/dlv.isc.org.key b/unbound/dlv.isc.org.key > new file mode 100644 > index 0000000..c73944f > --- /dev/null > +++ b/unbound/dlv.isc.org.key > @@ -0,0 +1,2 @@ > +; https://secure.isc.org/ops/dlv/dlv.isc.org.key > +dlv.isc.org. IN DNSKEY 257 3 5 > BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 > brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ > 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 > ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk > Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM > QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh > diff --git a/unbound/icannbundle.pem b/unbound/icannbundle.pem > new file mode 100644 > index 0000000..48941de > --- /dev/null > +++ b/unbound/icannbundle.pem > @@ -0,0 +1,317 @@ > +Certificate: > + Data: > + Version: 3 (0x2) > + Serial Number: 1 (0x1) > + Signature Algorithm: sha256WithRSAEncryption > + Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN > Root CA, C=US > + Validity > + Not Before: Dec 23 04:19:12 2009 GMT > + Not After : Dec 18 04:19:12 2029 GMT > + Subject: O=ICANN, OU=ICANN Certification Authority, CN=ICANN > Root CA, C=US > + Subject Public Key Info: > + Public Key Algorithm: rsaEncryption > + RSA Public Key: (2048 bit) > + Modulus (2048 bit): > + 00:a0:db:70:b8:4f:34:da:9c:d4:d0:7e:bb:ea:15: > + bc:e9:c9:11:2a:1f:61:2f:6a:b9:bd:3f:3d:76:a0: > + 9a:0a:f7:ee:93:6e:6e:55:53:84:8c:f2:2c:f1:82: > + 27:c8:0f:9a:cf:52:1b:54:da:28:d2:2c:30:8e:dd: > + fb:92:20:33:2d:d6:c8:f1:0e:10:21:88:71:fa:84: > + 22:4b:5d:47:56:16:7c:9b:9f:5d:c3:11:79:9c:14: > + e2:ff:c0:74:ac:dd:39:d7:e0:38:d8:b0:73:aa:fb: > + d1:db:84:af:52:22:a8:f6:d5:9b:94:f4:e6:5d:5e: > + e8:3f:87:90:0b:c7:1a:77:f5:2e:d3:8f:1a:ce:02: > + 1d:07:69:21:47:32:da:46:ae:00:4c:b6:a5:a2:9c: > + 39:c1:c0:4a:f6:d3:1c:ae:d3:6d:bb:c7:18:f0:7e: > + ed:f6:80:ce:d0:01:2e:89:de:12:ba:ee:11:cb:a6: > + 7a:d7:0d:7c:f3:08:8d:72:9d:bf:55:75:13:70:bb: > + 31:22:4a:cb:e8:c0:aa:a4:09:aa:36:68:40:60:74: > + 9d:e7:19:81:43:22:52:fe:c9:2b:52:0f:41:13:36: > + 09:72:65:95:cc:89:ae:6f:56:17:16:34:73:52:a3: > + 04:ed:bd:88:82:8a:eb:d7:dc:82:52:9c:06:e1:52: > + 85:41 > + Exponent: 65537 (0x10001) > + X509v3 extensions: > + X509v3 Basic Constraints: critical > + CA:TRUE > + X509v3 Key Usage: critical > + Digital Signature, Non Repudiation, Key > Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL > Sign > + X509v3 Subject Key Identifier: > + > BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 > + Signature Algorithm: sha256WithRSAEncryption > + 0f:f1:e9:82:a2:0a:87:9f:2d:94:60:5a:b2:c0:4b:a1:2f:2b: > + 3b:47:d5:0a:99:86:38:b2:ec:c6:3b:89:e4:6e:07:cf:14:c7: > + c7:e8:cf:99:8f:aa:30:c3:19:70:b9:e6:6d:d6:3f:c8:68:26: > + b2:a0:a5:37:42:ca:d8:62:80:d1:a2:5a:48:2e:1f:85:3f:0c: > + 7b:c2:c7:94:11:5f:19:2a:95:ac:a0:3a:03:d8:91:5b:2e:0d: > + 9c:7c:1f:2e:fc:e9:44:e1:16:26:73:1c:45:4a:65:c1:83:4c: > + 90:f3:f2:28:42:df:db:c4:e7:04:12:18:62:43:5e:bc:1f:6c: > + 84:e6:bc:49:32:df:61:d7:99:ee:e4:90:52:7b:0a:c2:91:8a: > + 98:62:66:b1:c8:e0:b7:5a:b5:46:7c:76:71:54:8e:cc:a4:81: > + 5c:19:db:d2:6f:66:b5:bb:2b:ae:6b:c9:74:04:a8:24:de:e8: > + c5:d3:fc:2c:1c:d7:8f:db:6a:8d:c9:53:be:5d:50:73:ac:cf: > + 1f:93:c0:52:50:5b:a2:4f:fe:ad:65:36:17:46:d1:2d:e5:a2: > + 90:66:05:db:29:4e:5d:50:5d:e3:4f:da:a0:8f:f0:6b:e4:16: > + 70:dd:7f:f3:77:7d:b9:4e:f9:ec:c3:33:02:d7:e9:63:2f:31: > + e7:40:61:a4 > +-----BEGIN CERTIFICATE----- > +MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO > +TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV > +BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX > +DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O > +IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB > +MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb > +cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S > +G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg > +ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2 > +paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7 > +MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29 > +iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B > +Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3 > +DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH > +6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD > +2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h > +15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF > +0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg > +j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk > +-----END CERTIFICATE----- > +Certificate: > + Data: > + Version: 3 (0x2) > + Serial Number: 2 (0x2) > + Signature Algorithm: sha256WithRSAEncryption > + Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN > Root CA, C=US > + Validity > + Not Before: Dec 23 04:45:04 2009 GMT > + Not After : Dec 22 04:45:04 2014 GMT > + Subject: O=ICANN, CN=ICANN DNSSEC > CA/emailAddress=dnssec@icann.org > + Subject Public Key Info: > + Public Key Algorithm: rsaEncryption > + RSA Public Key: (2048 bit) > + Modulus (2048 bit): > + 00:c0:bf:e2:b4:ee:12:46:36:3b:7c:d2:46:21:64: > + 5a:93:e1:e3:02:10:25:bb:a5:30:70:19:89:98:7e: > + 9e:db:8e:0f:ac:c8:48:66:0e:1a:f8:81:e5:2d:3c: > + 7b:39:39:76:28:8f:ee:0a:a7:dd:64:e9:5f:87:25: > + b1:64:e5:59:03:fc:bc:29:3b:63:37:c8:d7:46:9a: > + b6:ce:87:55:cd:cf:e2:ab:e9:c7:8a:53:2e:25:87: > + b0:98:d6:20:a3:a8:ec:87:b0:39:a3:c4:c5:75:59: > + 3c:fb:91:03:fa:ee:7f:e9:2b:b6:70:88:69:2c:e6: > + f1:4f:fc:d0:47:b4:e9:a0:2c:fa:0c:c3:84:eb:be: > + 73:5a:bc:16:ed:d0:83:02:2d:eb:6a:21:02:51:70: > + 29:1e:4f:c9:69:03:9f:91:32:5c:2c:1a:9f:5e:45: > + 48:2a:50:ee:72:14:ec:17:29:fc:20:95:7d:22:6a: > + c6:6f:83:a2:58:8e:b1:64:c8:73:23:54:6c:69:1d: > + 66:1f:df:f8:4f:24:a1:a8:ae:00:7f:e9:89:41:a6: > + e3:88:1d:3a:e1:b3:3a:ef:29:45:32:9b:94:2e:b7: > + 6c:1e:fe:31:40:13:e1:bd:52:67:d0:d8:c3:3e:03: > + 84:48:72:9d:bd:8a:48:a0:f2:72:35:b6:03:4b:c6: > + e9:05 > + Exponent: 65537 (0x10001) > + X509v3 extensions: > + X509v3 Basic Constraints: critical > + CA:TRUE > + X509v3 Key Usage: critical > + Digital Signature, Non Repudiation, Key > Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL > Sign > + X509v3 Authority Key Identifier: > + > keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 > + > + X509v3 Subject Key Identifier: > + > 8F:B2:42:69:C3:9D:E4:3C:FA:13:B9:FF:F2:C0:A4:EF:D8:0F:E8:22 > + Signature Algorithm: sha256WithRSAEncryption > + 4a:78:a2:47:7e:3f:2e:4d:78:68:ab:06:5c:ff:da:01:04:45: > + 92:20:20:88:f3:dc:4e:70:01:9b:cb:f3:13:61:34:04:09:15: > + d0:be:99:1c:be:fc:97:e9:2d:73:e1:b3:2b:a6:b9:3a:41:33: > + f3:83:3d:64:1b:64:95:bf:ae:cd:20:df:18:e0:62:8d:fa:9c: > + f7:d8:a9:3c:25:2b:8e:cf:10:e5:29:b9:af:1a:7f:62:64:75: > + e7:c6:fd:9b:6d:71:c0:a9:b3:0f:9a:b7:7a:fe:53:04:18:cd: > + 04:06:d9:bf:01:0e:cc:04:84:84:51:a3:e9:06:2a:a3:25:73: > + 4e:8d:62:19:13:25:5b:de:0b:dc:d0:69:01:ca:41:0a:96:13: > + cf:6a:11:fe:2b:9a:3f:fd:56:3d:73:3d:58:49:c2:71:83:20: > + 23:6d:46:99:6e:37:91:9f:76:2a:9c:b0:69:3f:64:9f:05:bb: > + 38:c8:1e:ca:d8:6c:fd:56:3e:a6:85:a2:53:80:c6:42:b6:79: > + c6:43:0b:e0:6c:ea:9f:cf:b0:2a:2c:01:50:c3:d8:0f:a0:7e: > + a1:73:a8:5c:84:27:5b:c9:4b:5a:13:e9:69:25:1c:59:11:d2: > + 01:dc:da:e7:c8:44:34:a2:e4:99:25:b4:c3:23:b5:f8:2d:48: > + e5:8d:06:73 > +-----BEGIN CERTIFICATE----- > +MIIDhjCCAm6gAwIBAgIBAjANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO > +TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV > +BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0NDUwNFoX > +DTE0MTIyMjA0NDUwNFowSzEOMAwGA1UEChMFSUNBTk4xGDAWBgNVBAMTD0lDQU5O > +IEROU1NFQyBDQTEfMB0GCSqGSIb3DQEJARMQZG5zc2VjQGljYW5uLm9yZzCCASIw > +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMC/4rTuEkY2O3zSRiFkWpPh4wIQ > +JbulMHAZiZh+ntuOD6zISGYOGviB5S08ezk5diiP7gqn3WTpX4clsWTlWQP8vCk7 > +YzfI10aats6HVc3P4qvpx4pTLiWHsJjWIKOo7IewOaPExXVZPPuRA/ruf+krtnCI > +aSzm8U/80Ee06aAs+gzDhOu+c1q8Fu3QgwIt62ohAlFwKR5PyWkDn5EyXCwan15F > +SCpQ7nIU7Bcp/CCVfSJqxm+DoliOsWTIcyNUbGkdZh/f+E8koaiuAH/piUGm44gd > +OuGzOu8pRTKblC63bB7+MUAT4b1SZ9DYwz4DhEhynb2KSKDycjW2A0vG6QUCAwEA > +AaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAf4wHwYDVR0jBBgw > +FoAUulLpSYMkhlIvx5nN/I1raQhNwFAwHQYDVR0OBBYEFI+yQmnDneQ8+hO5//LA > +pO/YD+giMA0GCSqGSIb3DQEBCwUAA4IBAQBKeKJHfj8uTXhoqwZc/9oBBEWSICCI > +89xOcAGby/MTYTQECRXQvpkcvvyX6S1z4bMrprk6QTPzgz1kG2SVv67NIN8Y4GKN > ++pz32Kk8JSuOzxDlKbmvGn9iZHXnxv2bbXHAqbMPmrd6/lMEGM0EBtm/AQ7MBISE > +UaPpBiqjJXNOjWIZEyVb3gvc0GkBykEKlhPPahH+K5o//VY9cz1YScJxgyAjbUaZ > +bjeRn3YqnLBpP2SfBbs4yB7K2Gz9Vj6mhaJTgMZCtnnGQwvgbOqfz7AqLAFQw9gP > +oH6hc6hchCdbyUtaE+lpJRxZEdIB3NrnyEQ0ouSZJbTDI7X4LUjljQZz > +-----END CERTIFICATE----- > +Certificate: > + Data: > + Version: 3 (0x2) > + Serial Number: 6 (0x6) > + Signature Algorithm: sha256WithRSAEncryption > + Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN > Root CA, C=US > + Validity > + Not Before: Dec 23 05:21:16 2009 GMT > + Not After : Dec 22 05:21:16 2014 GMT > + Subject: O=ICANN, CN=ICANN EMAIL CA > + Subject Public Key Info: > + Public Key Algorithm: rsaEncryption > + RSA Public Key: (2048 bit) > + Modulus (2048 bit): > + 00:d2:19:1e:22:69:33:f6:a4:d2:76:c5:80:11:75: > + 8e:d0:e8:6f:bf:89:f8:2a:6a:da:8a:85:28:40:ba: > + c5:23:5f:47:ed:72:e2:8e:d3:5c:c8:8a:3a:99:a9: > + 57:2c:0a:2b:22:f3:54:7b:8b:f7:8c:21:a2:50:01: > + 4f:8b:af:34:df:72:fc:78:31:d0:1d:eb:bc:9b:e6: > + fa:c1:84:d0:05:07:8a:74:53:a5:60:9e:eb:75:9e: > + a8:5d:32:c8:02:32:e4:bf:cb:97:9b:7a:fa:2c:f6: > + 6a:1d:b8:57:ad:e3:03:22:93:d0:f4:4f:a8:b8:01: > + db:82:33:98:b6:87:ed:3d:67:40:00:27:2e:d5:95: > + d2:ad:36:46:14:c6:17:79:65:7f:65:f3:88:80:65: > + 7c:22:67:08:23:3c:cf:a5:10:38:72:30:97:92:6f: > + 20:4a:ba:24:4c:4a:c8:4a:a5:dc:2a:44:a1:29:78: > + b4:9f:fe:84:ff:27:5b:3a:72:ea:31:c1:ad:06:22: > + d6:44:a0:4a:57:32:9c:f2:46:47:d0:89:6e:20:23: > + 2c:ea:b0:83:7e:c1:f3:ea:da:dd:e3:63:59:97:21: > + fa:1b:11:39:27:cf:82:8b:56:15:d4:36:92:0c:a5: > + 7e:80:e0:18:c9:50:08:42:0a:df:97:3c:9c:b8:0a: > + 4d:b1 > + Exponent: 65537 (0x10001) > + X509v3 extensions: > + X509v3 Basic Constraints: critical > + CA:TRUE > + X509v3 Key Usage: critical > + Digital Signature, Non Repudiation, Key > Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL > Sign > + X509v3 Authority Key Identifier: > + > keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 > + > + X509v3 Subject Key Identifier: > + > 7B:3F:BA:CE:A1:B3:A6:13:2E:5A:82:84:D4:D2:EA:A5:24:F1:CD:B4 > + Signature Algorithm: sha256WithRSAEncryption > + 50:07:a5:61:39:e4:3b:e3:bc:1c:b4:a7:b2:ab:a1:fb:47:bf: > + b4:1c:32:ac:3c:46:b0:02:26:2f:16:3e:89:70:e2:87:e9:76: > + 99:61:0b:91:c5:48:7a:e5:aa:24:0b:39:e0:4f:26:03:d4:5b: > + 01:8a:4d:b6:98:cc:16:fa:e2:12:4a:88:b9:53:bb:50:2d:c7: > + 37:b8:a3:82:2d:52:05:3e:46:a7:db:97:82:73:8d:7d:ed:dd: > + 9e:37:73:68:6b:90:cd:62:d8:77:ff:32:53:bb:d3:a1:b9:cb: > + 7d:32:29:70:fb:2e:90:4b:27:12:6d:99:a5:e6:d4:ef:13:32: > + c1:2f:b5:ae:6e:11:0e:50:56:a4:56:5b:76:b0:c0:99:2e:5a: > + 94:17:ee:2b:c1:b6:9c:8b:68:ac:55:95:31:8c:66:2b:35:43: > + a5:13:04:1b:50:44:1c:55:7f:4c:d0:1a:50:80:53:45:a8:e3: > + d3:a8:74:ad:7d:6a:d6:e9:9a:d3:25:7d:83:e2:57:64:1a:94: > + 7e:bc:cb:ef:79:b5:54:6a:f1:b0:c3:81:26:90:e5:40:87:ed: > + 75:7d:83:63:5b:ab:45:c0:34:04:27:e8:d8:12:26:7c:5e:c0: > + 48:b6:33:7d:4b:db:23:8a:f7:13:24:bc:be:7b:74:cb:c4:ed: > + ed:42:eb:2f > +-----BEGIN CERTIFICATE----- > +MIIDZDCCAkygAwIBAgIBBjANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO > +TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV > +BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA1MjExNloX > +DTE0MTIyMjA1MjExNlowKTEOMAwGA1UEChMFSUNBTk4xFzAVBgNVBAMTDklDQU5O > +IEVNQUlMIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0hkeImkz > +9qTSdsWAEXWO0Ohvv4n4KmraioUoQLrFI19H7XLijtNcyIo6malXLAorIvNUe4v3 > +jCGiUAFPi68033L8eDHQHeu8m+b6wYTQBQeKdFOlYJ7rdZ6oXTLIAjLkv8uXm3r6 > +LPZqHbhXreMDIpPQ9E+ouAHbgjOYtoftPWdAACcu1ZXSrTZGFMYXeWV/ZfOIgGV8 > +ImcIIzzPpRA4cjCXkm8gSrokTErISqXcKkShKXi0n/6E/ydbOnLqMcGtBiLWRKBK > +VzKc8kZH0IluICMs6rCDfsHz6trd42NZlyH6GxE5J8+Ci1YV1DaSDKV+gOAYyVAI > +QgrflzycuApNsQIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE > +AwIB/jAfBgNVHSMEGDAWgBS6UulJgySGUi/Hmc38jWtpCE3AUDAdBgNVHQ4EFgQU > +ez+6zqGzphMuWoKE1NLqpSTxzbQwDQYJKoZIhvcNAQELBQADggEBAFAHpWE55Dvj > +vBy0p7KroftHv7QcMqw8RrACJi8WPolw4ofpdplhC5HFSHrlqiQLOeBPJgPUWwGK > +TbaYzBb64hJKiLlTu1Atxze4o4ItUgU+Rqfbl4JzjX3t3Z43c2hrkM1i2Hf/MlO7 > +06G5y30yKXD7LpBLJxJtmaXm1O8TMsEvta5uEQ5QVqRWW3awwJkuWpQX7ivBtpyL > +aKxVlTGMZis1Q6UTBBtQRBxVf0zQGlCAU0Wo49OodK19atbpmtMlfYPiV2QalH68 > +y+95tVRq8bDDgSaQ5UCH7XV9g2Nbq0XANAQn6NgSJnxewEi2M31L2yOK9xMkvL57 > +dMvE7e1C6y8= > +-----END CERTIFICATE----- > +Certificate: > + Data: > + Version: 3 (0x2) > + Serial Number: 3 (0x3) > + Signature Algorithm: sha256WithRSAEncryption > + Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN > Root CA, C=US > + Validity > + Not Before: Dec 23 05:07:29 2009 GMT > + Not After : Dec 22 05:07:29 2014 GMT > + Subject: O=ICANN, CN=ICANN SSL CA > + Subject Public Key Info: > + Public Key Algorithm: rsaEncryption > + RSA Public Key: (2048 bit) > + Modulus (2048 bit): > + 00:dd:c6:ab:bf:7c:66:9d:b3:2b:96:00:14:c7:60: > + 7a:8d:62:5b:26:4b:30:d7:b3:4c:82:69:c6:4d:4d: > + 73:f3:d4:91:21:5d:ab:35:f0:c8:04:0e:f4:a3:35: > + e2:e1:18:a9:98:12:03:58:f8:9f:eb:77:54:5b:89: > + 81:26:c9:aa:c2:f4:c9:0c:82:57:2a:5e:05:e9:61: > + 17:cc:19:18:71:eb:35:83:c1:86:9d:ec:f1:6b:ca: > + dd:a1:96:0b:95:d4:e1:0f:9e:24:6f:dc:3c:d0:28: > + 9e:f2:53:47:2b:a1:ad:32:03:c8:3f:0d:80:80:7d: > + f0:02:d2:6e:5a:2c:44:21:9b:09:50:15:3f:a1:3d: > + d3:c9:c8:24:e7:ea:4e:92:2f:94:90:2e:de:e7:68: > + f6:c6:b3:90:1f:bc:c9:7b:a2:65:d7:11:e9:8b:f0: > + 3a:5a:b7:17:07:df:69:e3:6e:b9:54:6a:8e:3a:aa: > + 94:7f:2c:0a:a1:ad:ba:b7:d9:60:62:27:a7:71:40: > + 3b:8e:b0:84:7b:b8:c8:67:ef:66:ba:3d:ac:c3:85: > + e5:86:bb:a7:9c:fd:b6:e1:c0:10:53:3d:d4:7e:1b: > + 09:e6:9f:22:5c:a7:27:09:7e:27:12:33:fa:df:9b: > + 20:2f:14:f7:17:c0:e4:1e:07:91:1f:f9:9a:cd:a8: > + e2:c5 > + Exponent: 65537 (0x10001) > + X509v3 extensions: > + X509v3 Basic Constraints: critical > + CA:TRUE > + X509v3 Key Usage: critical > + Digital Signature, Non Repudiation, Key > Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL > Sign > + X509v3 Authority Key Identifier: > + > keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 > + > + X509v3 Subject Key Identifier: > + > 6E:77:A8:40:10:4A:D8:9C:0C:F2:B7:5A:3A:A5:2F:79:4A:61:14:D8 > + Signature Algorithm: sha256WithRSAEncryption > + 18:42:62:df:aa:8e:44:e6:87:10:4d:d9:a6:b2:c3:97:37:43: > + 2e:ce:f3:e0:3c:c2:2f:e1:78:60:41:a9:2b:5d:f4:24:f5:f6: > + 57:a2:08:ec:9c:89:e5:54:50:a8:30:c6:20:e5:8a:c7:8b:bd: > + fd:98:b6:0c:7d:1a:1f:01:a1:4a:4e:ec:0d:2a:aa:9f:fd:a9: > + 20:0d:b3:5c:0f:36:c0:2c:2b:c6:75:22:29:66:a3:34:bd:93: > + 3d:f6:28:da:90:d5:7e:91:df:d3:06:f6:69:8b:80:9b:a5:34: > + af:6a:02:5b:e4:52:7d:56:4d:99:6e:fe:e9:d0:36:99:58:d9: > + af:cd:79:9b:e5:d2:4c:35:90:d3:e0:68:b2:88:2b:18:39:2e: > + bc:0b:d9:82:84:7f:24:12:92:d2:b9:13:4f:64:bc:46:e1:5c: > + 6a:ed:f7:b0:d4:66:27:25:21:86:b4:3a:5e:19:a3:c7:8b:4b: > + 93:b9:2e:37:e2:6d:8b:46:ee:68:39:21:75:e8:fe:2a:a7:85: > + fd:68:26:96:bd:dd:f9:f1:fe:99:5f:b4:a4:97:1b:50:18:fa: > + 21:90:54:0c:8b:30:28:94:70:19:34:9e:5c:e1:e5:48:93:af: > + aa:a3:b4:95:b2:f5:4c:97:50:44:58:97:e1:ff:e7:b2:10:dd: > + 2c:fe:c0:ed > +-----BEGIN CERTIFICATE----- > +MIIDYjCCAkqgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO > +TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV > +BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA1MDcyOVoX > +DTE0MTIyMjA1MDcyOVowJzEOMAwGA1UEChMFSUNBTk4xFTATBgNVBAMTDElDQU5O > +IFNTTCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN3Gq798Zp2z > +K5YAFMdgeo1iWyZLMNezTIJpxk1Nc/PUkSFdqzXwyAQO9KM14uEYqZgSA1j4n+t3 > +VFuJgSbJqsL0yQyCVypeBelhF8wZGHHrNYPBhp3s8WvK3aGWC5XU4Q+eJG/cPNAo > +nvJTRyuhrTIDyD8NgIB98ALSblosRCGbCVAVP6E908nIJOfqTpIvlJAu3udo9saz > +kB+8yXuiZdcR6YvwOlq3FwffaeNuuVRqjjqqlH8sCqGturfZYGInp3FAO46whHu4 > +yGfvZro9rMOF5Ya7p5z9tuHAEFM91H4bCeafIlynJwl+JxIz+t+bIC8U9xfA5B4H > +kR/5ms2o4sUCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC > +Af4wHwYDVR0jBBgwFoAUulLpSYMkhlIvx5nN/I1raQhNwFAwHQYDVR0OBBYEFG53 > +qEAQSticDPK3WjqlL3lKYRTYMA0GCSqGSIb3DQEBCwUAA4IBAQAYQmLfqo5E5ocQ > +TdmmssOXN0MuzvPgPMIv4XhgQakrXfQk9fZXogjsnInlVFCoMMYg5YrHi739mLYM > +fRofAaFKTuwNKqqf/akgDbNcDzbALCvGdSIpZqM0vZM99ijakNV+kd/TBvZpi4Cb > +pTSvagJb5FJ9Vk2Zbv7p0DaZWNmvzXmb5dJMNZDT4GiyiCsYOS68C9mChH8kEpLS > +uRNPZLxG4Vxq7few1GYnJSGGtDpeGaPHi0uTuS434m2LRu5oOSF16P4qp4X9aCaW > +vd358f6ZX7SklxtQGPohkFQMizAolHAZNJ5c4eVIk6+qo7SVsvVMl1BEWJfh/+ey > +EN0s/sDt > +-----END CERTIFICATE----- > diff --git a/unbound/root.anchor b/unbound/root.anchor > new file mode 100644 > index 0000000..18367f8 > --- /dev/null > +++ b/unbound/root.anchor > @@ -0,0 +1 @@ > +. 98799 IN DNSKEY 257 3 8 > AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLj > wBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnM > VDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEhe > X7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57 > relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ih > z0= ;{id = 19036 (ksk), size = 2048b} > diff --git a/unbound/root.key b/unbound/root.key > new file mode 100644 > index 0000000..e340ed0 > --- /dev/null > +++ b/unbound/root.key > @@ -0,0 +1,6 @@ > +; // The root key in bind format. This can be read by most tools, > including > +; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to > load this > +trusted-keys { > +"." 257 3 8 > "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fL > jwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9Vn > MVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEh > eX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ5 > 7relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1i > hz0="; // key id = 19036 > + > +}; > diff --git a/unbound/systemd/unbound-anchor.service > b/unbound/systemd/unbound-anchor.service > new file mode 100644 > index 0000000..26656b3 > --- /dev/null > +++ b/unbound/systemd/unbound-anchor.service > @@ -0,0 +1,9 @@ > +[Unit] > +Description=update of the root trust anchor for DNSSEC validation in > unbound > +Documentation=man:unbound-anchor(8) > + > +[Service] > +Type=oneshot > +User=unbound > +ExecStart=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c > /etc/unbound/icannbundle.pem > +SuccessExitStatus=1 > diff --git a/unbound/systemd/unbound-anchor.timer > b/unbound/systemd/unbound-anchor.timer > new file mode 100644 > index 0000000..a87bf5c > --- /dev/null > +++ b/unbound/systemd/unbound-anchor.timer > @@ -0,0 +1,14 @@ > +[Unit] > +Description=daily update of the root trust anchor for DNSSEC > +Documentation=man:unbound-anchor(8) > + > +[Timer] > +# Current DNSKEY TTL in root zone is 172800 seconds, i.e. > 172800/60/60/24 = 2 days. > +# It means that unboud-anchor should be run at least once a day. > +OnCalendar=daily > +Persistent=true > +AccuracySec=24h > + > +[Install] > +WantedBy=timers.target > + > diff --git a/unbound/systemd/unbound-keygen.service > b/unbound/systemd/unbound-keygen.service > new file mode 100644 > index 0000000..576408a > --- /dev/null > +++ b/unbound/systemd/unbound-keygen.service > @@ -0,0 +1,14 @@ > +[Unit] > +Description=Unbound Control Key And Certificate Generator > +After=syslog.target > +Before=unbound.service > +ConditionPathExists=!/etc/unbound/unbound_control.key > + > +[Service] > +Type=oneshot > +Group=unbound > +ExecStart=/usr/sbin/unbound-control-setup -d /etc/unbound/ > +RemainAfterExit=yes > + > +[Install] > +WantedBy=multi-user.target > diff --git a/unbound/systemd/unbound.service > b/unbound/systemd/unbound.service > new file mode 100644 > index 0000000..d225389 > --- /dev/null > +++ b/unbound/systemd/unbound.service > @@ -0,0 +1,18 @@ > +[Unit] > +Description=Unbound recursive Domain Name Server > +After=network.target > +After=unbound-keygen.service > +Wants=unbound-keygen.service > +Wants=unbound-anchor.timer > +Before=nss-lookup.target > +Wants=nss-lookup.target > + > +[Service] > +Type=simple > +ExecStartPre=/usr/sbin/unbound-checkconf > +ExecStartPre=-/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key > -c /etc/unbound/icannbundle.pem > +ExecStart=/usr/sbin/unbound -d > +ExecReload=/usr/sbin/unbound-control reload > + > +[Install] > +WantedBy=multi-user.target > diff --git a/unbound/unbound.conf b/unbound/unbound.conf > new file mode 100644 > index 0000000..4a97148 > --- /dev/null > +++ b/unbound/unbound.conf > @@ -0,0 +1,655 @@ > +# > +# See unbound.conf(5) man page. > +# > +# this is a comment. > + > +#Use this to include other text into the file. > +#include: "otherfile.conf" > + > +# The server clause sets the main parameters. > +server: > + # whitespace is not necessary, but looks cleaner. > + > + # verbosity number, 0 is least verbose. 1 is default. > + verbosity: 1 > + > + # print statistics to the log (for every thread) every N > seconds. > + # Set to "" or 0 to disable. Default is disabled. > + # Needed for munin plugin > + statistics-interval: 0 > + > + # enable cumulative statistics, without clearing them after > printing. > + # Needed for munin plugin > + statistics-cumulative: yes > + > + # enable extended statistics (query types, answer codes, > status) > + # printed from unbound-control. default off, because of > speed. > + # Needed for munin plugin > + extended-statistics: yes > + > + # number of threads to create. 1 disables threading. > + num-threads: 2 > + > + # specify the interfaces to answer queries from by ip > -address. > + # The default is to listen to localhost (127.0.0.1 and ::1). > + # specify 0.0.0.0 and ::0 to bind to all available > interfaces. > + # specify every interface on a new 'interface:' labelled > line. > + # The listen interfaces are not changed on reload, only on > restart. > + # interface: 0.0.0.0 > + # interface: ::0 > + # interface: 192.0.2.153 > + # interface: 192.0.2.154 > + # interface: 2001:DB8::5 > + # > + # for dns over tls and raw dns over port 80 > + # interface: 0.0.0.0@443 > + # interface: ::0@443 > + # interface: 0.0.0.0@80 > + # interface: ::0@80 > + > + # enable this feature to copy the source address of queries > to reply. > + # Socket options are not supported on all platforms. > experimental. > + # interface-automatic: yes > + # > + # NOTE: Enable this option when specifying interface 0.0.0.0 > or ::0 > + # NOTE: Disabled per Fedora policy not to listen to * on > default install > + # NOTE: If deploying on non-default port, eg 80/443, this > needs to be disabled > + interface-automatic: no > + > + # port to answer queries from > + # port: 53 > + > + # specify the interfaces to send outgoing queries to > authoritative > + # server from by ip-address. If none, the default (all) > interface > + # is used. Specify every interface on a 'outgoing > -interface:' line. > + # outgoing-interface: 192.0.2.153 > + # outgoing-interface: 2001:DB8::5 > + # outgoing-interface: 2001:DB8::6 > + > + # number of ports to allocate per thread, determines the > size of the > + # port range that can be open simultaneously. About double > the > + # num-queries-per-thread, or, use as many as the OS will > allow you. > + # outgoing-range: 4096 > + > + # permit unbound to use this port number or port range for > + # making outgoing queries, using an outgoing interface. > + # Only ephemeral ports are allowed by SElinux > + outgoing-port-permit: 32768-65535 > + > + # deny unbound the use this of port number or port range for > + # making outgoing queries, using an outgoing interface. > + # Use this to make sure unbound does not grab a UDP port > that some > + # other server on this computer needs. The default is to > avoid > + # IANA-assigned port numbers. > + # Our SElinux policy does not allow non-ephemeral ports to > be used > + outgoing-port-avoid: 0-32767 > + > + # number of outgoing simultaneous tcp buffers to hold per > thread. > + # outgoing-num-tcp: 10 > + > + # number of incoming simultaneous tcp buffers to hold per > thread. > + # incoming-num-tcp: 10 > + > + # buffer size for UDP port 53 incoming (SO_RCVBUF socket > option). > + # 0 is system default. Use 4m to catch query spikes for > busy servers. > + # so-rcvbuf: 0 > + > + # buffer size for UDP port 53 outgoing (SO_SNDBUF socket > option). > + # 0 is system default. Use 4m to handle spikes on very busy > servers. > + # so-sndbuf: 0 > + > + # use SO_REUSEPORT to distribute queries over threads. > + # so-reuseport: no > + > + # EDNS reassembly buffer to advertise to UDP peers (the > actual buffer > + # is set with msg-buffer-size). 1480 can solve fragmentation > (timeouts). > + # edns-buffer-size: 4096 > + > + # Maximum UDP response size (not applied to TCP response). > + # Suggested values are 512 to 4096. Default is 4096. 65536 > disables it. > + # 3072 causes +dnssec any isc.org queries to need TC=1. > Helps mitigating DDOS > + max-udp-size: 3072 > + > + # buffer size for handling DNS data. No messages larger than > this > + # size can be sent or received, by UDP or TCP. In bytes. > + # msg-buffer-size: 65552 > + > + # the amount of memory to use for the message cache. > + # plain value in bytes or you can append k, m or G. default > is "4Mb". > + # msg-cache-size: 4m > + > + # the number of slabs to use for the message cache. > + # the number of slabs must be a power of 2. > + # more slabs reduce lock contention, but fragment memory > usage. > + # msg-cache-slabs: 4 > + > + # the number of queries that a thread gets to service. > + # num-queries-per-thread: 1024 > + > + # if very busy, 50% queries run to completion, 50% get > timeout in msec > + # jostle-timeout: 200 > + > + # msec to wait before close of port on timeout UDP. 0 > disables. > + # delay-close: 0 > + > + # the amount of memory to use for the RRset cache. > + # plain value in bytes or you can append k, m or G. default > is "4Mb". > + # rrset-cache-size: 4m > + > + # the number of slabs to use for the RRset cache. > + # the number of slabs must be a power of 2. > + # more slabs reduce lock contention, but fragment memory > usage. > + # rrset-cache-slabs: 4 > + > + # the time to live (TTL) value lower bound, in seconds. > Default 0. > + # If more than an hour could easily give trouble due to > stale data. > + # cache-min-ttl: 0 > + > + # the time to live (TTL) value cap for RRsets and messages > in the > + # cache. Items are not cached for longer. In seconds. > + # cache-max-ttl: 86400 > + > + # the time to live (TTL) value cap for negative responses in > the cache > + # cache-max-negative-ttl: 3600 > + > + # the time to live (TTL) value for cached roundtrip times, > lameness and > + # EDNS version information for hosts. In seconds. > + # infra-host-ttl: 900 > + > + # minimum wait time for responses, increase if uplink is > long. In msec. > + # infra-cache-min-rtt: 50 > + > + # the number of slabs to use for the Infrastructure cache. > + # the number of slabs must be a power of 2. > + # more slabs reduce lock contention, but fragment memory > usage. > + # infra-cache-slabs: 4 > + > + # the maximum number of hosts that are cached (roundtrip, > EDNS, lame). > + # infra-cache-numhosts: 10000 > + > + # Enable IPv4, "yes" or "no". > + # do-ip4: yes > + > + # Enable IPv6, "yes" or "no". > + # do-ip6: yes > + > + # Enable UDP, "yes" or "no". > + # NOTE: if setting up an unbound on tls443 for public use, > you might want to > + # disable UDP to avoid being used in DNS amplification > attacks. > + # do-udp: yes > + > + # Enable TCP, "yes" or "no". > + # do-tcp: yes > + > + # upstream connections use TCP only (and no UDP), "yes" or > "no" > + # useful for tunneling scenarios, default no. > + # tcp-upstream: no > + > + # Detach from the terminal, run in background, "yes" or > "no". > + # do-daemonize: yes > + > + # control which clients are allowed to make (recursive) > queries > + # to this server. Specify classless netblocks with /size and > action. > + # By default everything is refused, except for localhost. > + # Choose deny (drop message), refuse (polite error reply), > + # allow (recursive ok), allow_snoop (recursive and > nonrecursive ok) > + # deny_non_local (drop queries unless can be answered from > local-data) > + # refuse_non_local (like deny_non_local but polite error > reply). > + # access-control: 0.0.0.0/0 refuse > + # access-control: 127.0.0.0/8 allow > + # access-control: ::0/0 refuse > + # access-control: ::1 allow > + # access-control: ::ffff:127.0.0.1 allow > + > + # if given, a chroot(2) is done to the given directory. > + # i.e. you can chroot to the working directory, for example, > + # for extra security, but make sure all files are in that > directory. > + # > + # If chroot is enabled, you should pass the configfile (from > the > + # commandline) as a full path from the original root. After > the > + # chroot has been performed the now defunct portion of the > config > + # file path is removed to be able to reread the config after > a reload. > + # > + # All other file paths (working dir, logfile, roothints, and > + # key files) can be specified in several ways: > + # o as an absolute path relative to the new root. > + # o as a relative path to the working directory. > + # o as an absolute path relative to the original > root. > + # In the last case the path is adjusted to remove the unused > portion. > + # > + # The pid file can be absolute and outside of the chroot, it > is > + # written just prior to performing the chroot and dropping > permissions. > + # > + # Additionally, unbound may need to access /dev/random (for > entropy). > + # How to do this is specific to your OS. > + # > + # If you give "" no chroot is performed. The path must not > end in a /. > + # chroot: "/var/lib/unbound" > + chroot: "" > + > + # if given, user privileges are dropped (after binding > port), > + # and the given username is assumed. Default is user > "unbound". > + # If you give "" no privileges are dropped. > + username: "unbound" > + > + # the working directory. The relative files in this config > are > + # relative to this directory. If you give "" the working > directory > + # is not changed. > + directory: "/etc/unbound" > + > + # the log file, "" means log to stderr. > + # Use of this option sets use-syslog to "no". > + # logfile: "" > + > + # Log to syslog(3) if yes. The log facility LOG_DAEMON is > used to > + # log to, with identity "unbound". If yes, it overrides the > logfile. > + # use-syslog: yes > + > + # print UTC timestamp in ascii to logfile, default is epoch > in seconds. > + log-time-ascii: yes > + > + # print one line with time, IP, name, type, class for every > query. > + # log-queries: no > + > + # the pid file. Can be an absolute path outside of > chroot/work dir. > + pidfile: "/var/run/unbound/unbound.pid" > + > + # file to read root hints from. > + # get one from ftp://FTP.INTERNIC.NET/domain/named.cache > + # root-hints: "" > + > + # enable to not answer id.server and hostname.bind queries. > + # hide-identity: no > + > + # enable to not answer version.server and version.bind > queries. > + # hide-version: no > + > + # the identity to report. Leave "" or default to return > hostname. > + # identity: "" > + > + # the version to report. Leave "" or default to return > package version. > + # version: "" > + > + # the target fetch policy. > + # series of integers describing the policy per dependency > depth. > + # The number of values in the list determines the maximum > dependency > + # depth the recursor will pursue before giving up. Each > integer means: > + # -1 : fetch all targets opportunistically, > + # 0: fetch on demand, > + # positive value: fetch that many targets > opportunistically. > + # Enclose the list of numbers between quotes (""). > + # target-fetch-policy: "3 2 1 0 0" > + > + # Harden against very small EDNS buffer sizes. > + # harden-short-bufsize: no > + > + # Harden against unseemly large queries. > + # harden-large-queries: no > + > + # Harden against out of zone rrsets, to avoid spoofing > attempts. > + harden-glue: yes > + > + # Harden against receiving dnssec-stripped data. If you turn > it > + # off, failing to validate dnskey data for a trustanchor > will > + # trigger insecure mode for that zone (like without a > trustanchor). > + # Default on, which insists on dnssec data for trust > -anchored zones. > + harden-dnssec-stripped: yes > + > + # Harden against queries that fall under dnssec-signed > nxdomain names. > + harden-below-nxdomain: yes > + > + # Harden the referral path by performing additional queries > for > + # infrastructure data. Validates the replies (if possible). > + # Default off, because the lookups burden the server. > Experimental > + # implementation of draft-wijngaards-dnsext-resolver-side > -mitigation. > + harden-referral-path: yes > + > + # Use 0x20-encoded random bits in the query to foil spoof > attempts. > + # This feature is an experimental implementation of draft > dns-0x20. > + # (this now fails on all GoDaddy customer domains, so > disabled) > + use-caps-for-id: no > + > + # Enforce privacy of these addresses. Strips them away from > answers. > + # It may cause DNSSEC validation to additionally mark it as > bogus. > + # Protects against 'DNS Rebinding' (uses browser as network > proxy). > + # Only 'private-domain' and 'local-data' names are allowed > to have > + # these private addresses. No default. > + # private-address: 10.0.0.0/8 > + # private-address: 172.16.0.0/12 > + # private-address: 192.168.0.0/16 > + # private-address: 169.254.0.0/16 > + # private-address: fd00::/8 > + # private-address: fe80::/10 > + > + # Allow the domain (and its subdomains) to contain private > addresses. > + # local-data statements are allowed to contain private > addresses too. > + # private-domain: "example.com" > + > + # If nonzero, unwanted replies are not only reported in > statistics, > + # but also a running total is kept per thread. If it reaches > the > + # threshold, a warning is printed and a defensive action is > taken, > + # the cache is cleared to flush potential poison out of it. > + # A suggested value is 10000000, the default is 0 (turned > off). > + unwanted-reply-threshold: 10000000 > + > + # Do not query the following addresses. No DNS queries are > sent there. > + # List one address per entry. List classless netblocks with > /size, > + # do-not-query-address: 127.0.0.1/8 > + # do-not-query-address: ::1 > + > + # if yes, the above default do-not-query-address entries are > present. > + # if no, localhost can be queried (for testing and > debugging). > + # do-not-query-localhost: yes > + > + # if yes, perform prefetching of almost expired message > cache entries. > + prefetch: yes > + > + # if yes, perform key lookups adjacent to normal lookups. > + prefetch-key: yes > + > + # if yes, Unbound rotates RRSet order in response. > + rrset-roundrobin: yes > + > + # if yes, Unbound doesn't insert authority/additional > sections > + # into response messages when those sections are not > required. > + minimal-responses: yes > + > + # module configuration of the server. A string with > identifiers > + # separated by spaces. "iterator" or "validator iterator" > + # module-config: "validator iterator" > + > + # File with trusted keys, kept uptodate using RFC5011 > probes, > + # initial file like trust-anchor-file, then it stores > metadata. > + # Use several entries, one per domain name, to track > multiple zones. > + # > + # If you want to perform DNSSEC validation, run unbound > -anchor before > + # you start unbound (i.e. in the system boot scripts). And > enable: > + # Please note usage of unbound-anchor root anchor is at your > own risk > + # and under the terms of our LICENSE (see that file in the > source). > + # auto-trust-anchor-file: "/var/lib/unbound/root.key" > + > + # File with DLV trusted keys. Same format as trust-anchor > -file. > + # There can be only one DLV configured, it is trusted from > root down. > + # Downloaded from > https://secure.isc.org/ops/dlv/dlv.isc.org.key > + # > + # ISC's DLV registry is being deprecated in the near future, > therefore > + # it is not used in the default configuration. The use of > ISC's DLV > + # registry is discouraged. > + # dlv-anchor-file: "/etc/unbound/dlv.isc.org.key" > + > + # File with trusted keys for validation. Specify more than > one file > + # with several entries, one file per entry. > + # Zone file format, with DS and DNSKEY entries. > + # trust-anchor-file: "" > + > + # File with trusted keys, kept uptodate using RFC5011 > probes, > + # initial file like trust-anchor-file, then it stores > metadata. > + # Use several entries, one per domain name, to track > multiple zones. > + # auto-trust-anchor-file: "" > + > + # Trusted key for validation. DS or DNSKEY. specify the RR > on a > + # single line, surrounded by "". TTL is ignored. class is IN > default. > + # (These examples are from August 2007 and may not be valid > anymore). > + # trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 > AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N > Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW > 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ==" > + # trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 > 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A" > + > + # File with trusted keys for validation. Specify more than > one file > + # with several entries, one file per entry. Like trust > -anchor-file > + # but has a different file format. Format is BIND-9 style > format, > + # the trusted-keys { name flag proto algo "key"; }; clauses > are read. > + # trusted-keys-file: "" > + # > + # trusted-keys-file: /etc/unbound/rootkey.bind > + trusted-keys-file: /etc/unbound/keys.d/*.key > + auto-trust-anchor-file: "/var/lib/unbound/root.key" > + > + # Ignore chain of trust. Domain is treated as insecure. > + # domain-insecure: "example.com" > + > + # Override the date for validation with a specific fixed > date. > + # Do not set this unless you are debugging signature > inception > + # and expiration. "" or "0" turns the feature off. > + # val-override-date: "" > + > + # The time to live for bogus data, rrsets and messages. This > avoids > + # some of the revalidation, until the time interval expires. > in secs. > + # val-bogus-ttl: 60 > + > + # The signature inception and expiration dates are allowed > to be off > + # by 10% of the lifetime of the signature from our local > clock. > + # This leeway is capped with a minimum and a maximum. In > seconds. > + # val-sig-skew-min: 3600 > + # val-sig-skew-max: 86400 > + > + # Should additional section of secure message also be kept > clean of > + # unsecure data. Useful to shield the users of this > validator from > + # potential bogus data in the additional section. All > unsigned data > + # in the additional section is removed from secure messages. > + val-clean-additional: yes > + > + # Turn permissive mode on to permit bogus messages. Thus, > messages > + # for which security checks failed will be returned to > clients, > + # instead of SERVFAIL. It still performs the security > checks, which > + # result in interesting log files and possibly the AD bit in > + # replies if the message is found secure. The default is > off. > + # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY > + val-permissive-mode: no > + > + # Ignore the CD flag in incoming queries and refuse them > bogus data. > + # Enable it if the only clients of unbound are legacy > servers (w2008) > + # that set CD but cannot validate themselves. > + # ignore-cd-flag: no > + > + # Have the validator log failed validations for your > diagnosis. > + # 0: off. 1: A line per failed user query. 2: With reason > and bad IP. > + val-log-level: 1 > + > + # It is possible to configure NSEC3 maximum iteration counts > per > + # keysize. Keep this table very short, as linear search is > done. > + # A message with an NSEC3 with larger count is marked > insecure. > + # List in ascending order the keysize and count values. > + # val-nsec3-keysize-iterations: "1024 150 2048 500 4096 > 2500" > + > + # instruct the auto-trust-anchor-file probing to add anchors > after ttl. > + # add-holddown: 2592000 # 30 days > + > + # instruct the auto-trust-anchor-file probing to del anchors > after ttl. > + # del-holddown: 2592000 # 30 days > + > + # auto-trust-anchor-file probing removes missing anchors > after ttl. > + # If the value 0 is given, missing anchors are not removed. > + # keep-missing: 31622400 # 366 days > + > + # the amount of memory to use for the key cache. > + # plain value in bytes or you can append k, m or G. default > is "4Mb". > + # key-cache-size: 4m > + > + # the number of slabs to use for the key cache. > + # the number of slabs must be a power of 2. > + # more slabs reduce lock contention, but fragment memory > usage. > + # key-cache-slabs: 4 > + > + # the amount of memory to use for the negative cache (used > for DLV). > + # plain value in bytes or you can append k, m or G. default > is "1Mb". > + # neg-cache-size: 1m > + > + # By default, for a number of zones a small default 'nothing > here' > + # reply is built-in. Query traffic is thus blocked. If you > + # wish to serve such zone you can unblock them by > uncommenting one > + # of the nodefault statements below. > + # You may also have to use domain-insecure: zone to make > DNSSEC work, > + # unless you have your own trust anchors for this zone. > + # local-zone: "localhost." nodefault > + # local-zone: "127.in-addr.arpa." nodefault > + # local-zone: > "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6. > arpa." nodefault > + # local-zone: "10.in-addr.arpa." nodefault > + # local-zone: "16.172.in-addr.arpa." nodefault > + # local-zone: "17.172.in-addr.arpa." nodefault > + # local-zone: "18.172.in-addr.arpa." nodefault > + # local-zone: "19.172.in-addr.arpa." nodefault > + # local-zone: "20.172.in-addr.arpa." nodefault > + # local-zone: "21.172.in-addr.arpa." nodefault > + # local-zone: "22.172.in-addr.arpa." nodefault > + # local-zone: "23.172.in-addr.arpa." nodefault > + # local-zone: "24.172.in-addr.arpa." nodefault > + # local-zone: "25.172.in-addr.arpa." nodefault > + # local-zone: "26.172.in-addr.arpa." nodefault > + # local-zone: "27.172.in-addr.arpa." nodefault > + # local-zone: "28.172.in-addr.arpa." nodefault > + # local-zone: "29.172.in-addr.arpa." nodefault > + # local-zone: "30.172.in-addr.arpa." nodefault > + # local-zone: "31.172.in-addr.arpa." nodefault > + # local-zone: "168.192.in-addr.arpa." nodefault > + # local-zone: "0.in-addr.arpa." nodefault > + # local-zone: "254.169.in-addr.arpa." nodefault > + # local-zone: "2.0.192.in-addr.arpa." nodefault > + # local-zone: "100.51.198.in-addr.arpa." nodefault > + # local-zone: "113.0.203.in-addr.arpa." nodefault > + # local-zone: "255.255.255.255.in-addr.arpa." nodefault > + # local-zone: > "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6. > arpa." nodefault > + # local-zone: "d.f.ip6.arpa." nodefault > + # local-zone: "8.e.f.ip6.arpa." nodefault > + # local-zone: "9.e.f.ip6.arpa." nodefault > + # local-zone: "a.e.f.ip6.arpa." nodefault > + # local-zone: "b.e.f.ip6.arpa." nodefault > + # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault > + # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa. > + > + # if unbound is running service for the local host then it > is useful > + # to perform lan-wide lookups to the upstream, and unblock > the > + # long list of local-zones above. If this unbound is a dns > server > + # for a network of computers, disabled is better and stops > information > + # leakage of local lan information. > + # unblock-lan-zones: no > + > + # a number of locally served zones can be configured. > + # local-zone: <zone> <type> > + # local-data: "<resource record string>" > + # o deny serves local data (if any), else, drops queries. > + # o refuse serves local data (if any), else, replies with > error. > + # o static serves local data, else, nxdomain or nodata > answer. > + # o transparent gives local data, but resolves normally for > other names > + # o redirect serves the zone data for any subdomain in the > zone. > + # o nodefault can be used to normally resolve AS112 zones. > + # o typetransparent resolves normally for other types and > other names > + # o inform resolves normally, but logs client IP address > + # > + # defaults are localhost address, reverse for 127.0.0.1 and > ::1 > + # and nxdomain for AS112 zones. If you configure one of > these zones > + # the default content is omitted, or you can omit it with > 'nodefault'. > + # > + # If you configure local-data without specifying local-zone, > by > + # default a transparent local-zone is created for the data. > + # > + # You can add locally served data with > + # local-zone: "local." static > + # local-data: "mycomputer.local. IN A 192.0.2.51" > + # local-data: 'mytext.local TXT "content of text record"' > + # > + # You can override certain queries with > + # local-data: "adserver.example.com A 127.0.0.1" > + # > + # You can redirect a domain to a fixed address with > + # (this makes example.com, www.example.com, etc, all go to > 192.0.2.3) > + # local-zone: "example.com" redirect > + # local-data: "example.com A 192.0.2.3" > + # > + # Shorthand to make PTR records, "IPv4 name" or "IPv6 name". > + # You can also add PTR records using local-data directly, > but then > + # you need to do the reverse notation yourself. > + # local-data-ptr: "192.0.2.3 www.example.com" > + > + include: /etc/unbound/local.d/*.conf > + > + # service clients over SSL (on the TCP sockets), with plain > DNS inside > + # the SSL stream. Give the certificate to use and private > key. > + # default is "" (disabled). requires restart to take > effect. > + # ssl-service-key: "/etc/unbound/unbound_server.key" > + # ssl-service-pem: "/etc/unbound/unbound_server.pem" > + # ssl-port: 443 > + > + # request upstream over SSL (with plain DNS inside the SSL > stream). > + # Default is no. Can be turned on and off with unbound > -control. > + # ssl-upstream: no > + > + # DNS64 prefix. Must be specified when DNS64 is use. > + # Enable dns64 in module-config. Used to synthesize IPv6 > from IPv4. > + # dns64-prefix: 64:ff9b::0/96 > + > +# Python config section. To enable: > +# o use --with-pythonmodule to configure before compiling. > +# o list python in the module-config string (above) to enable. > +# o and give a python-script to run. > +python: > + # Script file to load > + # python-script: "/etc/unbound/ubmodule-tst.py" > + > +# Remote control config section. > +remote-control: > + # Enable remote control with unbound-control(8) here. > + # set up the keys and certificates with unbound-control > -setup. > + # Note: required for unbound-munin package > + control-enable: yes > + > + # Set to no and use an absolute path as control-interface to > use > + # a unix local named pipe for unbound-control. > + # control-use-cert: yes > + > + # what interfaces are listened to for remote control. > + # give 0.0.0.0 and ::0 to listen to all interfaces. > + # control-interface: 127.0.0.1 > + # control-interface: ::1 > + > + # port number for remote control operations. > + # control-port: 953 > + > + # unbound server key file. > + server-key-file: "/etc/unbound/unbound_server.key" > + > + # unbound server certificate file. > + server-cert-file: "/etc/unbound/unbound_server.pem" > + > + # unbound-control key file. > + control-key-file: "/etc/unbound/unbound_control.key" > + > + # unbound-control certificate file. > + control-cert-file: "/etc/unbound/unbound_control.pem" > + > +# Stub and Forward zones > + > +include: /etc/unbound/conf.d/*.conf > + > +# Stub zones. > +# Create entries like below, to make all queries for 'example.com' > and > +# 'example.org' go to the given list of nameservers. list zero or > more > +# nameservers by hostname or by ipaddress. If you set stub-prime to > yes, > +# the list is treated as priming hints (default is no). > +# stub-zone: > +# name: "example.com" > +# stub-addr: 192.0.2.68 > +# stub-prime: "no" > +# stub-zone: > +# name: "example.org" > +# stub-host: ns.example.com. > +# You can now also dynamically create and delete stub-zone's using > +# unbound-control stub_add domain.com 1.2.3.4 5.6.7.8 > +# unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8 > + > +# Forward zones > +# Create entries like below, to make all queries for 'example.com' > and > +# 'example.org' go to the given list of servers. These servers have > to handle > +# recursion to other nameservers. List zero or more nameservers by > hostname > +# or by ipaddress. Use an entry with name "." to forward all > queries. > +# If you enable forward-first, it attempts without the forward if it > fails. > +# forward-zone: > +# name: "example.com" > +# forward-addr: 192.0.2.68 > +# forward-addr: 192.0.2.73@5355 # forward to port 5355. > +# forward-first: no > +# forward-zone: > +# name: "example.org" > +# forward-host: fwd.example.com > +# > +# You can now also dynamically create and delete forward-zone's > using > +# unbound-control forward_add domain.com 1.2.3.4 5.6.7.8 > +# unbound-control forward_remove domain.com 1.2.3.4 5.6.7.8 > diff --git a/unbound/unbound.nm b/unbound/unbound.nm > new file mode 100644 > index 0000000..b32ac2a > --- /dev/null > +++ b/unbound/unbound.nm > @@ -0,0 +1,158 @@ > +#################################################################### > ########### > +# IPFire.org - An Open Source Firewall Solution > # > +# Copyright (C) - IPFire Development Team <info@ipfire.org> > # > +#################################################################### > ########### > + > +name = unbound > +version = 1.5.5 > +release = 1 > + > +groups = System/Daemons > +url = http://www.nlnetlabs.nl/unbound/ > +license = BSD > +summary = A validating, recursive, and caching DNS(SEC) resolver. > + > +description > + Unbound is a validating, recursive, and caching DNS(SEC) > resolver. > + The C implementation of Unbound is developed and maintained > by NLnet > + Labs and is based on ideas and algorithms taken from a java > prototype > + developed by Verisign labs, Nominet, Kirei and ep.net. > Unbound is > + designed as a set of modular components, so that also > + DNSSEC (secure DNS) validation and stub-resolvers are easily > possible. > +end > + > +source_dl = http://www.unbound.net/downloads/ > + > +build > + requires > + expat-devel > + libevent-devel > + openssl-devel >= 1.0.1h-2 > + python3-devel >= 3.4 > + swig > + end > + > + configure_options += \ > + --with-conf-file=%{sysconfdir}/%{name}/unbound.conf > \ > + --with > -pidfile=%{localstatedir}/run/%{name}/%{name}.pid \ > + --with-rootkey > -file=%{sharedstatedir}/unbound/root.key \ > + --with-libevent \ > + --with-pthreads \ > + --disable-rpath \ > + --disable-static \ > + --with-ssl \ > + --enable-sha2 \ > + --with-pythonmodule \ > + --with-pyunbound PYTHON=%{python3} > + > + test > + make check > + end > + > + install_cmds > + # Create directories. > + mkdir -pv %{BUILDROOT}%{localstatedir}/run/%{name} > + mkdir -pv %{BUILDROOT}%{sharedstatedir}/%{name} > + > + # Directory for user specified and additional config > files. > + mkdir -pv %{BUILDROOT}%{sysconfdir}/%{name}/conf.d/ > + > + # Directory for stub and forward zones. > + mkdir -pv %{BUILDROOT}%{sysconfdir}/%{name}/local.d/ > + > + # Directory for trusted-keys-file. > + mkdir -pv %{BUILDROOT}%{sysconfdir}/%{name}/keys.d/ > + > + # Install unbound config file. > + install -p -m 0664 %{DIR_SOURCE}/%{name}.conf \ > + %{BUILDROOT}%{sysconfdir}/%{name}/ > + > + # Install pem file for icannbundle. > + install -p -m 0664 %{DIR_SOURCE}/icannbundle.pem \ > + %{BUILDROOT}%{sysconfdir}/%{name}/ > + > + # Install root and DLV keys. > + install -p -m 0644 %{DIR_SOURCE}/root.key \ > + %{BUILDROOT}%{sysconfdir}/%{name}/ > + install -p -m 0664 %{DIR_SOURCE}/dlv.isc.org.key \ > + %{BUILDROOT}%{sysconfdir}/%{name}/ > + install -p -m 0664 %{DIR_SOURCE}/root.anchor \ > + %{BUILDROOT}%{sharedstatedir}/%{name}/root.k > ey > + > + # Fix ownership. > + chown -R unbound:unbound > %{BUILDROOT}%{sharedstatedir}/%{name}/ > + end > +end > + > +create_user > + getent group unound >/dev/null || /usr/sbin/groupadd -r > unbound > + getent passwd unbound >/dev/null || /usr/sbin/useradd -r -g > unbound \ > + -d %{sysconfdir}/%{name} -s /sbin/nologin unbound > +end > + > +packages > + package %{name} > + prerequires > + shadow-utils > + systemd-units > + end > + > + requires += \ > + openssl >= 1.0.1h-2 > + > + configfiles > + %{sysconfdir}/%{name}.conf > + end > + > + datafiles > + %{sysconfdir}/%{name}/conf.d/ > + %{sysconfdir}/%{name}/local.d/ > + %{sysconfdir}/%{name}/keys.d/ > + end > + > + script prein > + %{create_user} > + end > + > + script postin > + /bin/systemctl daemon-reload >/dev/null 2>&1 > || : > + > + # Enable root anchor for DNSSEC validation. > + systemctl enable unbound-anchor.timer > >/dev/null 2>&1 || : > + end > + > + script preun > + systemctl --no-reload disable unbound > -anchor.timer >/dev/null 2>&1 || : > + systemctl --no-reload disable unbound > -keygen.service >/dev/null 2>&1 || : > + systemctl --no-reload disable > unbound.service >/dev/null 2>&1 || : > + systemctl stop unbound.service >/dev/null > 2>&1 || : > + systemctl stop unbound-keygen.service > >/dev/null 2>&1 || : > + end > + > + script postun > + systemctl daemon-reload >/dev/null 2>&1 || : > + end > + > + script postup > + systemctl daemon-reload >/dev/null 2>&1 || : > + systemctl try-restart unbound-keygen.service > >/dev/null 2>&1 || : > + systemctl try-restart unbound.service > >/dev/null 2>&1 || : > + end > + end > + > + package %{name}-libs > + template LIBS > + end > + > + package python3-%{name} > + template PYTHON3 > + end > + > + package %{name}-devel > + template DEVEL > + end > + > + package %{name}-debuginfo > + template DEBUGINFO > + end > +end > diff --git a/unbound/unbound.tmpfiles b/unbound/unbound.tmpfiles > new file mode 100644 > index 0000000..d625589 > --- /dev/null > +++ b/unbound/unbound.tmpfiles > @@ -0,0 +1 @@ > +D /var/run/unbound 0755 unbound unbound -
Oh, thanks - small change in last minute, huge problems at a later time. I completely missed to create the user and group. I'll send a fixed patch to the list soon. Thanks for reviewing and sorry for the extra noise on the list. Hopefully this will guide me in the future to prevent from such stupid mistakes. -Stefan > Hello, > > this won't build: > > + install -p -m 0664 /usr/src/packages/unbound-1.5.5 > -1.ip3.src/unbound.conf /builddir/unbound-1.5.5-1.ip3/etc/unbound/ > + install -p -m 0664 /usr/src/packages/unbound-1.5.5 > -1.ip3.src/icannbundle.pem /builddir/unbound-1.5.5-1.ip3/etc/unbound/ > + install -p -m 0644 /usr/src/packages/unbound-1.5.5 > -1.ip3.src/root.key /builddir/unbound-1.5.5-1.ip3/etc/unbound/ > + install -p -m 0664 /usr/src/packages/unbound-1.5.5 > -1.ip3.src/dlv.isc.org.key /builddir/unbound-1.5.5-1.ip3/etc/unbound/ > + install -p -m 0664 /usr/src/packages/unbound-1.5.5 > -1.ip3.src/root.anchor /builddir/unbound-1.5.5 > -1.ip3/var/lib/unbound/root.key > + chown -R unbound:unbound /builddir/unbound-1.5.5 > -1.ip3/var/lib/unbound/ > chown: invalid user: ‘unbound:unbound’ > Command exited with an error: ['bash', '--login', '-c', > '/tmp/tmpnij81f'] > > Please make sure to check these things before sending your patches. > This just makes a lot of noise for all of us. > > -Michael > > On Sun, 2015-10-18 at 11:36 +0200, Stefan Schantl wrote: > > Unbound is a validating, recursive, and caching DNS resolver. > > > > The package comes with libraries that are used by many other > > packages > > to resolve DNS records and validate those by using DNSSEC. > > > > Fixes #10943. > > > > Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> > > --- > > unbound/dlv.isc.org.key | 2 + > > unbound/icannbundle.pem | 317 ++++++++++++++++ > > unbound/root.anchor | 1 + > > unbound/root.key | 6 + > > unbound/systemd/unbound-anchor.service | 9 + > > unbound/systemd/unbound-anchor.timer | 14 + > > unbound/systemd/unbound-keygen.service | 14 + > > unbound/systemd/unbound.service | 18 + > > unbound/unbound.conf | 655 > > +++++++++++++++++++++++++++++++++ > > unbound/unbound.nm | 158 ++++++++ > > unbound/unbound.tmpfiles | 1 + > > 11 files changed, 1195 insertions(+) > > create mode 100644 unbound/dlv.isc.org.key > > create mode 100644 unbound/icannbundle.pem > > create mode 100644 unbound/root.anchor > > create mode 100644 unbound/root.key > > create mode 100644 unbound/systemd/unbound-anchor.service > > create mode 100644 unbound/systemd/unbound-anchor.timer > > create mode 100644 unbound/systemd/unbound-keygen.service > > create mode 100644 unbound/systemd/unbound.service > > create mode 100644 unbound/unbound.conf > > create mode 100644 unbound/unbound.nm > > create mode 100644 unbound/unbound.tmpfiles > > > > diff --git a/unbound/dlv.isc.org.key b/unbound/dlv.isc.org.key > > new file mode 100644 > > index 0000000..c73944f > > --- /dev/null > > +++ b/unbound/dlv.isc.org.key > > @@ -0,0 +1,2 @@ > > +; https://secure.isc.org/ops/dlv/dlv.isc.org.key > > +dlv.isc.org. IN DNSKEY 257 3 5 > > BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 > > brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ > > 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 > > ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk > > Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM > > QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt > > TDN0YUuWrBNh > > diff --git a/unbound/icannbundle.pem b/unbound/icannbundle.pem > > new file mode 100644 > > index 0000000..48941de > > --- /dev/null > > +++ b/unbound/icannbundle.pem > > @@ -0,0 +1,317 @@ > > +Certificate: > > + Data: > > + Version: 3 (0x2) > > + Serial Number: 1 (0x1) > > + Signature Algorithm: sha256WithRSAEncryption > > + Issuer: O=ICANN, OU=ICANN Certification Authority, > > CN=ICANN > > Root CA, C=US > > + Validity > > + Not Before: Dec 23 04:19:12 2009 GMT > > + Not After : Dec 18 04:19:12 2029 GMT > > + Subject: O=ICANN, OU=ICANN Certification Authority, > > CN=ICANN > > Root CA, C=US > > + Subject Public Key Info: > > + Public Key Algorithm: rsaEncryption > > + RSA Public Key: (2048 bit) > > + Modulus (2048 bit): > > + 00:a0:db:70:b8:4f:34:da:9c:d4:d0:7e:bb:ea:15: > > + bc:e9:c9:11:2a:1f:61:2f:6a:b9:bd:3f:3d:76:a0: > > + 9a:0a:f7:ee:93:6e:6e:55:53:84:8c:f2:2c:f1:82: > > + 27:c8:0f:9a:cf:52:1b:54:da:28:d2:2c:30:8e:dd: > > + fb:92:20:33:2d:d6:c8:f1:0e:10:21:88:71:fa:84: > > + 22:4b:5d:47:56:16:7c:9b:9f:5d:c3:11:79:9c:14: > > + e2:ff:c0:74:ac:dd:39:d7:e0:38:d8:b0:73:aa:fb: > > + d1:db:84:af:52:22:a8:f6:d5:9b:94:f4:e6:5d:5e: > > + e8:3f:87:90:0b:c7:1a:77:f5:2e:d3:8f:1a:ce:02: > > + 1d:07:69:21:47:32:da:46:ae:00:4c:b6:a5:a2:9c: > > + 39:c1:c0:4a:f6:d3:1c:ae:d3:6d:bb:c7:18:f0:7e: > > + ed:f6:80:ce:d0:01:2e:89:de:12:ba:ee:11:cb:a6: > > + 7a:d7:0d:7c:f3:08:8d:72:9d:bf:55:75:13:70:bb: > > + 31:22:4a:cb:e8:c0:aa:a4:09:aa:36:68:40:60:74: > > + 9d:e7:19:81:43:22:52:fe:c9:2b:52:0f:41:13:36: > > + 09:72:65:95:cc:89:ae:6f:56:17:16:34:73:52:a3: > > + 04:ed:bd:88:82:8a:eb:d7:dc:82:52:9c:06:e1:52: > > + 85:41 > > + Exponent: 65537 (0x10001) > > + X509v3 extensions: > > + X509v3 Basic Constraints: critical > > + CA:TRUE > > + X509v3 Key Usage: critical > > + Digital Signature, Non Repudiation, Key > > Encipherment, Data Encipherment, Key Agreement, Certificate Sign, > > CRL > > Sign > > + X509v3 Subject Key Identifier: > > + > > BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 > > + Signature Algorithm: sha256WithRSAEncryption > > + 0f:f1:e9:82:a2:0a:87:9f:2d:94:60:5a:b2:c0:4b:a1:2f:2b: > > + 3b:47:d5:0a:99:86:38:b2:ec:c6:3b:89:e4:6e:07:cf:14:c7: > > + c7:e8:cf:99:8f:aa:30:c3:19:70:b9:e6:6d:d6:3f:c8:68:26: > > + b2:a0:a5:37:42:ca:d8:62:80:d1:a2:5a:48:2e:1f:85:3f:0c: > > + 7b:c2:c7:94:11:5f:19:2a:95:ac:a0:3a:03:d8:91:5b:2e:0d: > > + 9c:7c:1f:2e:fc:e9:44:e1:16:26:73:1c:45:4a:65:c1:83:4c: > > + 90:f3:f2:28:42:df:db:c4:e7:04:12:18:62:43:5e:bc:1f:6c: > > + 84:e6:bc:49:32:df:61:d7:99:ee:e4:90:52:7b:0a:c2:91:8a: > > + 98:62:66:b1:c8:e0:b7:5a:b5:46:7c:76:71:54:8e:cc:a4:81: > > + 5c:19:db:d2:6f:66:b5:bb:2b:ae:6b:c9:74:04:a8:24:de:e8: > > + c5:d3:fc:2c:1c:d7:8f:db:6a:8d:c9:53:be:5d:50:73:ac:cf: > > + 1f:93:c0:52:50:5b:a2:4f:fe:ad:65:36:17:46:d1:2d:e5:a2: > > + 90:66:05:db:29:4e:5d:50:5d:e3:4f:da:a0:8f:f0:6b:e4:16: > > + 70:dd:7f:f3:77:7d:b9:4e:f9:ec:c3:33:02:d7:e9:63:2f:31: > > + e7:40:61:a4 > > +-----BEGIN CERTIFICATE----- > > +MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO > > +TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV > > +BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX > > +DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O > > +IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB > > +MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb > > +cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S > > +G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg > > +ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2 > > +paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7 > > +MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29 > > +iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B > > +Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3 > > +DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH > > +6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD > > +2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h > > +15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF > > +0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg > > +j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk > > +-----END CERTIFICATE----- > > +Certificate: > > + Data: > > + Version: 3 (0x2) > > + Serial Number: 2 (0x2) > > + Signature Algorithm: sha256WithRSAEncryption > > + Issuer: O=ICANN, OU=ICANN Certification Authority, > > CN=ICANN > > Root CA, C=US > > + Validity > > + Not Before: Dec 23 04:45:04 2009 GMT > > + Not After : Dec 22 04:45:04 2014 GMT > > + Subject: O=ICANN, CN=ICANN DNSSEC > > CA/emailAddress=dnssec@icann.org > > + Subject Public Key Info: > > + Public Key Algorithm: rsaEncryption > > + RSA Public Key: (2048 bit) > > + Modulus (2048 bit): > > + 00:c0:bf:e2:b4:ee:12:46:36:3b:7c:d2:46:21:64: > > + 5a:93:e1:e3:02:10:25:bb:a5:30:70:19:89:98:7e: > > + 9e:db:8e:0f:ac:c8:48:66:0e:1a:f8:81:e5:2d:3c: > > + 7b:39:39:76:28:8f:ee:0a:a7:dd:64:e9:5f:87:25: > > + b1:64:e5:59:03:fc:bc:29:3b:63:37:c8:d7:46:9a: > > + b6:ce:87:55:cd:cf:e2:ab:e9:c7:8a:53:2e:25:87: > > + b0:98:d6:20:a3:a8:ec:87:b0:39:a3:c4:c5:75:59: > > + 3c:fb:91:03:fa:ee:7f:e9:2b:b6:70:88:69:2c:e6: > > + f1:4f:fc:d0:47:b4:e9:a0:2c:fa:0c:c3:84:eb:be: > > + 73:5a:bc:16:ed:d0:83:02:2d:eb:6a:21:02:51:70: > > + 29:1e:4f:c9:69:03:9f:91:32:5c:2c:1a:9f:5e:45: > > + 48:2a:50:ee:72:14:ec:17:29:fc:20:95:7d:22:6a: > > + c6:6f:83:a2:58:8e:b1:64:c8:73:23:54:6c:69:1d: > > + 66:1f:df:f8:4f:24:a1:a8:ae:00:7f:e9:89:41:a6: > > + e3:88:1d:3a:e1:b3:3a:ef:29:45:32:9b:94:2e:b7: > > + 6c:1e:fe:31:40:13:e1:bd:52:67:d0:d8:c3:3e:03: > > + 84:48:72:9d:bd:8a:48:a0:f2:72:35:b6:03:4b:c6: > > + e9:05 > > + Exponent: 65537 (0x10001) > > + X509v3 extensions: > > + X509v3 Basic Constraints: critical > > + CA:TRUE > > + X509v3 Key Usage: critical > > + Digital Signature, Non Repudiation, Key > > Encipherment, Data Encipherment, Key Agreement, Certificate Sign, > > CRL > > Sign > > + X509v3 Authority Key Identifier: > > + > > keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 > > + > > + X509v3 Subject Key Identifier: > > + > > 8F:B2:42:69:C3:9D:E4:3C:FA:13:B9:FF:F2:C0:A4:EF:D8:0F:E8:22 > > + Signature Algorithm: sha256WithRSAEncryption > > + 4a:78:a2:47:7e:3f:2e:4d:78:68:ab:06:5c:ff:da:01:04:45: > > + 92:20:20:88:f3:dc:4e:70:01:9b:cb:f3:13:61:34:04:09:15: > > + d0:be:99:1c:be:fc:97:e9:2d:73:e1:b3:2b:a6:b9:3a:41:33: > > + f3:83:3d:64:1b:64:95:bf:ae:cd:20:df:18:e0:62:8d:fa:9c: > > + f7:d8:a9:3c:25:2b:8e:cf:10:e5:29:b9:af:1a:7f:62:64:75: > > + e7:c6:fd:9b:6d:71:c0:a9:b3:0f:9a:b7:7a:fe:53:04:18:cd: > > + 04:06:d9:bf:01:0e:cc:04:84:84:51:a3:e9:06:2a:a3:25:73: > > + 4e:8d:62:19:13:25:5b:de:0b:dc:d0:69:01:ca:41:0a:96:13: > > + cf:6a:11:fe:2b:9a:3f:fd:56:3d:73:3d:58:49:c2:71:83:20: > > + 23:6d:46:99:6e:37:91:9f:76:2a:9c:b0:69:3f:64:9f:05:bb: > > + 38:c8:1e:ca:d8:6c:fd:56:3e:a6:85:a2:53:80:c6:42:b6:79: > > + c6:43:0b:e0:6c:ea:9f:cf:b0:2a:2c:01:50:c3:d8:0f:a0:7e: > > + a1:73:a8:5c:84:27:5b:c9:4b:5a:13:e9:69:25:1c:59:11:d2: > > + 01:dc:da:e7:c8:44:34:a2:e4:99:25:b4:c3:23:b5:f8:2d:48: > > + e5:8d:06:73 > > +-----BEGIN CERTIFICATE----- > > +MIIDhjCCAm6gAwIBAgIBAjANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO > > +TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV > > +BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0NDUwNFoX > > +DTE0MTIyMjA0NDUwNFowSzEOMAwGA1UEChMFSUNBTk4xGDAWBgNVBAMTD0lDQU5O > > +IEROU1NFQyBDQTEfMB0GCSqGSIb3DQEJARMQZG5zc2VjQGljYW5uLm9yZzCCASIw > > +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMC/4rTuEkY2O3zSRiFkWpPh4wIQ > > +JbulMHAZiZh+ntuOD6zISGYOGviB5S08ezk5diiP7gqn3WTpX4clsWTlWQP8vCk7 > > +YzfI10aats6HVc3P4qvpx4pTLiWHsJjWIKOo7IewOaPExXVZPPuRA/ruf+krtnCI > > +aSzm8U/80Ee06aAs+gzDhOu+c1q8Fu3QgwIt62ohAlFwKR5PyWkDn5EyXCwan15F > > +SCpQ7nIU7Bcp/CCVfSJqxm+DoliOsWTIcyNUbGkdZh/f+E8koaiuAH/piUGm44gd > > +OuGzOu8pRTKblC63bB7+MUAT4b1SZ9DYwz4DhEhynb2KSKDycjW2A0vG6QUCAwEA > > +AaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAf4wHwYDVR0jBBgw > > +FoAUulLpSYMkhlIvx5nN/I1raQhNwFAwHQYDVR0OBBYEFI+yQmnDneQ8+hO5//LA > > +pO/YD+giMA0GCSqGSIb3DQEBCwUAA4IBAQBKeKJHfj8uTXhoqwZc/9oBBEWSICCI > > +89xOcAGby/MTYTQECRXQvpkcvvyX6S1z4bMrprk6QTPzgz1kG2SVv67NIN8Y4GKN > > ++pz32Kk8JSuOzxDlKbmvGn9iZHXnxv2bbXHAqbMPmrd6/lMEGM0EBtm/AQ7MBISE > > +UaPpBiqjJXNOjWIZEyVb3gvc0GkBykEKlhPPahH+K5o//VY9cz1YScJxgyAjbUaZ > > +bjeRn3YqnLBpP2SfBbs4yB7K2Gz9Vj6mhaJTgMZCtnnGQwvgbOqfz7AqLAFQw9gP > > +oH6hc6hchCdbyUtaE+lpJRxZEdIB3NrnyEQ0ouSZJbTDI7X4LUjljQZz > > +-----END CERTIFICATE----- > > +Certificate: > > + Data: > > + Version: 3 (0x2) > > + Serial Number: 6 (0x6) > > + Signature Algorithm: sha256WithRSAEncryption > > + Issuer: O=ICANN, OU=ICANN Certification Authority, > > CN=ICANN > > Root CA, C=US > > + Validity > > + Not Before: Dec 23 05:21:16 2009 GMT > > + Not After : Dec 22 05:21:16 2014 GMT > > + Subject: O=ICANN, CN=ICANN EMAIL CA > > + Subject Public Key Info: > > + Public Key Algorithm: rsaEncryption > > + RSA Public Key: (2048 bit) > > + Modulus (2048 bit): > > + 00:d2:19:1e:22:69:33:f6:a4:d2:76:c5:80:11:75: > > + 8e:d0:e8:6f:bf:89:f8:2a:6a:da:8a:85:28:40:ba: > > + c5:23:5f:47:ed:72:e2:8e:d3:5c:c8:8a:3a:99:a9: > > + 57:2c:0a:2b:22:f3:54:7b:8b:f7:8c:21:a2:50:01: > > + 4f:8b:af:34:df:72:fc:78:31:d0:1d:eb:bc:9b:e6: > > + fa:c1:84:d0:05:07:8a:74:53:a5:60:9e:eb:75:9e: > > + a8:5d:32:c8:02:32:e4:bf:cb:97:9b:7a:fa:2c:f6: > > + 6a:1d:b8:57:ad:e3:03:22:93:d0:f4:4f:a8:b8:01: > > + db:82:33:98:b6:87:ed:3d:67:40:00:27:2e:d5:95: > > + d2:ad:36:46:14:c6:17:79:65:7f:65:f3:88:80:65: > > + 7c:22:67:08:23:3c:cf:a5:10:38:72:30:97:92:6f: > > + 20:4a:ba:24:4c:4a:c8:4a:a5:dc:2a:44:a1:29:78: > > + b4:9f:fe:84:ff:27:5b:3a:72:ea:31:c1:ad:06:22: > > + d6:44:a0:4a:57:32:9c:f2:46:47:d0:89:6e:20:23: > > + 2c:ea:b0:83:7e:c1:f3:ea:da:dd:e3:63:59:97:21: > > + fa:1b:11:39:27:cf:82:8b:56:15:d4:36:92:0c:a5: > > + 7e:80:e0:18:c9:50:08:42:0a:df:97:3c:9c:b8:0a: > > + 4d:b1 > > + Exponent: 65537 (0x10001) > > + X509v3 extensions: > > + X509v3 Basic Constraints: critical > > + CA:TRUE > > + X509v3 Key Usage: critical > > + Digital Signature, Non Repudiation, Key > > Encipherment, Data Encipherment, Key Agreement, Certificate Sign, > > CRL > > Sign > > + X509v3 Authority Key Identifier: > > + > > keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 > > + > > + X509v3 Subject Key Identifier: > > + > > 7B:3F:BA:CE:A1:B3:A6:13:2E:5A:82:84:D4:D2:EA:A5:24:F1:CD:B4 > > + Signature Algorithm: sha256WithRSAEncryption > > + 50:07:a5:61:39:e4:3b:e3:bc:1c:b4:a7:b2:ab:a1:fb:47:bf: > > + b4:1c:32:ac:3c:46:b0:02:26:2f:16:3e:89:70:e2:87:e9:76: > > + 99:61:0b:91:c5:48:7a:e5:aa:24:0b:39:e0:4f:26:03:d4:5b: > > + 01:8a:4d:b6:98:cc:16:fa:e2:12:4a:88:b9:53:bb:50:2d:c7: > > + 37:b8:a3:82:2d:52:05:3e:46:a7:db:97:82:73:8d:7d:ed:dd: > > + 9e:37:73:68:6b:90:cd:62:d8:77:ff:32:53:bb:d3:a1:b9:cb: > > + 7d:32:29:70:fb:2e:90:4b:27:12:6d:99:a5:e6:d4:ef:13:32: > > + c1:2f:b5:ae:6e:11:0e:50:56:a4:56:5b:76:b0:c0:99:2e:5a: > > + 94:17:ee:2b:c1:b6:9c:8b:68:ac:55:95:31:8c:66:2b:35:43: > > + a5:13:04:1b:50:44:1c:55:7f:4c:d0:1a:50:80:53:45:a8:e3: > > + d3:a8:74:ad:7d:6a:d6:e9:9a:d3:25:7d:83:e2:57:64:1a:94: > > + 7e:bc:cb:ef:79:b5:54:6a:f1:b0:c3:81:26:90:e5:40:87:ed: > > + 75:7d:83:63:5b:ab:45:c0:34:04:27:e8:d8:12:26:7c:5e:c0: > > + 48:b6:33:7d:4b:db:23:8a:f7:13:24:bc:be:7b:74:cb:c4:ed: > > + ed:42:eb:2f > > +-----BEGIN CERTIFICATE----- > > +MIIDZDCCAkygAwIBAgIBBjANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO > > +TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV > > +BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA1MjExNloX > > +DTE0MTIyMjA1MjExNlowKTEOMAwGA1UEChMFSUNBTk4xFzAVBgNVBAMTDklDQU5O > > +IEVNQUlMIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0hkeImkz > > +9qTSdsWAEXWO0Ohvv4n4KmraioUoQLrFI19H7XLijtNcyIo6malXLAorIvNUe4v3 > > +jCGiUAFPi68033L8eDHQHeu8m+b6wYTQBQeKdFOlYJ7rdZ6oXTLIAjLkv8uXm3r6 > > +LPZqHbhXreMDIpPQ9E+ouAHbgjOYtoftPWdAACcu1ZXSrTZGFMYXeWV/ZfOIgGV8 > > +ImcIIzzPpRA4cjCXkm8gSrokTErISqXcKkShKXi0n/6E/ydbOnLqMcGtBiLWRKBK > > +VzKc8kZH0IluICMs6rCDfsHz6trd42NZlyH6GxE5J8+Ci1YV1DaSDKV+gOAYyVAI > > +QgrflzycuApNsQIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE > > +AwIB/jAfBgNVHSMEGDAWgBS6UulJgySGUi/Hmc38jWtpCE3AUDAdBgNVHQ4EFgQU > > +ez+6zqGzphMuWoKE1NLqpSTxzbQwDQYJKoZIhvcNAQELBQADggEBAFAHpWE55Dvj > > +vBy0p7KroftHv7QcMqw8RrACJi8WPolw4ofpdplhC5HFSHrlqiQLOeBPJgPUWwGK > > +TbaYzBb64hJKiLlTu1Atxze4o4ItUgU+Rqfbl4JzjX3t3Z43c2hrkM1i2Hf/MlO7 > > +06G5y30yKXD7LpBLJxJtmaXm1O8TMsEvta5uEQ5QVqRWW3awwJkuWpQX7ivBtpyL > > +aKxVlTGMZis1Q6UTBBtQRBxVf0zQGlCAU0Wo49OodK19atbpmtMlfYPiV2QalH68 > > +y+95tVRq8bDDgSaQ5UCH7XV9g2Nbq0XANAQn6NgSJnxewEi2M31L2yOK9xMkvL57 > > +dMvE7e1C6y8= > > +-----END CERTIFICATE----- > > +Certificate: > > + Data: > > + Version: 3 (0x2) > > + Serial Number: 3 (0x3) > > + Signature Algorithm: sha256WithRSAEncryption > > + Issuer: O=ICANN, OU=ICANN Certification Authority, > > CN=ICANN > > Root CA, C=US > > + Validity > > + Not Before: Dec 23 05:07:29 2009 GMT > > + Not After : Dec 22 05:07:29 2014 GMT > > + Subject: O=ICANN, CN=ICANN SSL CA > > + Subject Public Key Info: > > + Public Key Algorithm: rsaEncryption > > + RSA Public Key: (2048 bit) > > + Modulus (2048 bit): > > + 00:dd:c6:ab:bf:7c:66:9d:b3:2b:96:00:14:c7:60: > > + 7a:8d:62:5b:26:4b:30:d7:b3:4c:82:69:c6:4d:4d: > > + 73:f3:d4:91:21:5d:ab:35:f0:c8:04:0e:f4:a3:35: > > + e2:e1:18:a9:98:12:03:58:f8:9f:eb:77:54:5b:89: > > + 81:26:c9:aa:c2:f4:c9:0c:82:57:2a:5e:05:e9:61: > > + 17:cc:19:18:71:eb:35:83:c1:86:9d:ec:f1:6b:ca: > > + dd:a1:96:0b:95:d4:e1:0f:9e:24:6f:dc:3c:d0:28: > > + 9e:f2:53:47:2b:a1:ad:32:03:c8:3f:0d:80:80:7d: > > + f0:02:d2:6e:5a:2c:44:21:9b:09:50:15:3f:a1:3d: > > + d3:c9:c8:24:e7:ea:4e:92:2f:94:90:2e:de:e7:68: > > + f6:c6:b3:90:1f:bc:c9:7b:a2:65:d7:11:e9:8b:f0: > > + 3a:5a:b7:17:07:df:69:e3:6e:b9:54:6a:8e:3a:aa: > > + 94:7f:2c:0a:a1:ad:ba:b7:d9:60:62:27:a7:71:40: > > + 3b:8e:b0:84:7b:b8:c8:67:ef:66:ba:3d:ac:c3:85: > > + e5:86:bb:a7:9c:fd:b6:e1:c0:10:53:3d:d4:7e:1b: > > + 09:e6:9f:22:5c:a7:27:09:7e:27:12:33:fa:df:9b: > > + 20:2f:14:f7:17:c0:e4:1e:07:91:1f:f9:9a:cd:a8: > > + e2:c5 > > + Exponent: 65537 (0x10001) > > + X509v3 extensions: > > + X509v3 Basic Constraints: critical > > + CA:TRUE > > + X509v3 Key Usage: critical > > + Digital Signature, Non Repudiation, Key > > Encipherment, Data Encipherment, Key Agreement, Certificate Sign, > > CRL > > Sign > > + X509v3 Authority Key Identifier: > > + > > keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 > > + > > + X509v3 Subject Key Identifier: > > + > > 6E:77:A8:40:10:4A:D8:9C:0C:F2:B7:5A:3A:A5:2F:79:4A:61:14:D8 > > + Signature Algorithm: sha256WithRSAEncryption > > + 18:42:62:df:aa:8e:44:e6:87:10:4d:d9:a6:b2:c3:97:37:43: > > + 2e:ce:f3:e0:3c:c2:2f:e1:78:60:41:a9:2b:5d:f4:24:f5:f6: > > + 57:a2:08:ec:9c:89:e5:54:50:a8:30:c6:20:e5:8a:c7:8b:bd: > > + fd:98:b6:0c:7d:1a:1f:01:a1:4a:4e:ec:0d:2a:aa:9f:fd:a9: > > + 20:0d:b3:5c:0f:36:c0:2c:2b:c6:75:22:29:66:a3:34:bd:93: > > + 3d:f6:28:da:90:d5:7e:91:df:d3:06:f6:69:8b:80:9b:a5:34: > > + af:6a:02:5b:e4:52:7d:56:4d:99:6e:fe:e9:d0:36:99:58:d9: > > + af:cd:79:9b:e5:d2:4c:35:90:d3:e0:68:b2:88:2b:18:39:2e: > > + bc:0b:d9:82:84:7f:24:12:92:d2:b9:13:4f:64:bc:46:e1:5c: > > + 6a:ed:f7:b0:d4:66:27:25:21:86:b4:3a:5e:19:a3:c7:8b:4b: > > + 93:b9:2e:37:e2:6d:8b:46:ee:68:39:21:75:e8:fe:2a:a7:85: > > + fd:68:26:96:bd:dd:f9:f1:fe:99:5f:b4:a4:97:1b:50:18:fa: > > + 21:90:54:0c:8b:30:28:94:70:19:34:9e:5c:e1:e5:48:93:af: > > + aa:a3:b4:95:b2:f5:4c:97:50:44:58:97:e1:ff:e7:b2:10:dd: > > + 2c:fe:c0:ed > > +-----BEGIN CERTIFICATE----- > > +MIIDYjCCAkqgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO > > +TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV > > +BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA1MDcyOVoX > > +DTE0MTIyMjA1MDcyOVowJzEOMAwGA1UEChMFSUNBTk4xFTATBgNVBAMTDElDQU5O > > +IFNTTCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN3Gq798Zp2z > > +K5YAFMdgeo1iWyZLMNezTIJpxk1Nc/PUkSFdqzXwyAQO9KM14uEYqZgSA1j4n+t3 > > +VFuJgSbJqsL0yQyCVypeBelhF8wZGHHrNYPBhp3s8WvK3aGWC5XU4Q+eJG/cPNAo > > +nvJTRyuhrTIDyD8NgIB98ALSblosRCGbCVAVP6E908nIJOfqTpIvlJAu3udo9saz > > +kB+8yXuiZdcR6YvwOlq3FwffaeNuuVRqjjqqlH8sCqGturfZYGInp3FAO46whHu4 > > +yGfvZro9rMOF5Ya7p5z9tuHAEFM91H4bCeafIlynJwl+JxIz+t+bIC8U9xfA5B4H > > +kR/5ms2o4sUCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC > > +Af4wHwYDVR0jBBgwFoAUulLpSYMkhlIvx5nN/I1raQhNwFAwHQYDVR0OBBYEFG53 > > +qEAQSticDPK3WjqlL3lKYRTYMA0GCSqGSIb3DQEBCwUAA4IBAQAYQmLfqo5E5ocQ > > +TdmmssOXN0MuzvPgPMIv4XhgQakrXfQk9fZXogjsnInlVFCoMMYg5YrHi739mLYM > > +fRofAaFKTuwNKqqf/akgDbNcDzbALCvGdSIpZqM0vZM99ijakNV+kd/TBvZpi4Cb > > +pTSvagJb5FJ9Vk2Zbv7p0DaZWNmvzXmb5dJMNZDT4GiyiCsYOS68C9mChH8kEpLS > > +uRNPZLxG4Vxq7few1GYnJSGGtDpeGaPHi0uTuS434m2LRu5oOSF16P4qp4X9aCaW > > +vd358f6ZX7SklxtQGPohkFQMizAolHAZNJ5c4eVIk6+qo7SVsvVMl1BEWJfh/+ey > > +EN0s/sDt > > +-----END CERTIFICATE----- > > diff --git a/unbound/root.anchor b/unbound/root.anchor > > new file mode 100644 > > index 0000000..18367f8 > > --- /dev/null > > +++ b/unbound/root.anchor > > @@ -0,0 +1 @@ > > +. 98799 IN DNSKEY 257 3 8 > > AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58f > > Lj > > wBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9V > > nM > > VDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzE > > he > > X7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ > > 57 > > relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1 > > ih > > z0= ;{id = 19036 (ksk), size = 2048b} > > diff --git a/unbound/root.key b/unbound/root.key > > new file mode 100644 > > index 0000000..e340ed0 > > --- /dev/null > > +++ b/unbound/root.key > > @@ -0,0 +1,6 @@ > > +; // The root key in bind format. This can be read by most tools, > > including > > +; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() > > to > > load this > > +trusted-keys { > > +"." 257 3 8 > > "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58 > > fL > > jwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9 > > Vn > > MVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlz > > Eh > > eX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXf > > Z5 > > 7relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk > > 1i > > hz0="; // key id = 19036 > > + > > +}; > > diff --git a/unbound/systemd/unbound-anchor.service > > b/unbound/systemd/unbound-anchor.service > > new file mode 100644 > > index 0000000..26656b3 > > --- /dev/null > > +++ b/unbound/systemd/unbound-anchor.service > > @@ -0,0 +1,9 @@ > > +[Unit] > > +Description=update of the root trust anchor for DNSSEC validation > > in > > unbound > > +Documentation=man:unbound-anchor(8) > > + > > +[Service] > > +Type=oneshot > > +User=unbound > > +ExecStart=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c > > /etc/unbound/icannbundle.pem > > +SuccessExitStatus=1 > > diff --git a/unbound/systemd/unbound-anchor.timer > > b/unbound/systemd/unbound-anchor.timer > > new file mode 100644 > > index 0000000..a87bf5c > > --- /dev/null > > +++ b/unbound/systemd/unbound-anchor.timer > > @@ -0,0 +1,14 @@ > > +[Unit] > > +Description=daily update of the root trust anchor for DNSSEC > > +Documentation=man:unbound-anchor(8) > > + > > +[Timer] > > +# Current DNSKEY TTL in root zone is 172800 seconds, i.e. > > 172800/60/60/24 = 2 days. > > +# It means that unboud-anchor should be run at least once a day. > > +OnCalendar=daily > > +Persistent=true > > +AccuracySec=24h > > + > > +[Install] > > +WantedBy=timers.target > > + > > diff --git a/unbound/systemd/unbound-keygen.service > > b/unbound/systemd/unbound-keygen.service > > new file mode 100644 > > index 0000000..576408a > > --- /dev/null > > +++ b/unbound/systemd/unbound-keygen.service > > @@ -0,0 +1,14 @@ > > +[Unit] > > +Description=Unbound Control Key And Certificate Generator > > +After=syslog.target > > +Before=unbound.service > > +ConditionPathExists=!/etc/unbound/unbound_control.key > > + > > +[Service] > > +Type=oneshot > > +Group=unbound > > +ExecStart=/usr/sbin/unbound-control-setup -d /etc/unbound/ > > +RemainAfterExit=yes > > + > > +[Install] > > +WantedBy=multi-user.target > > diff --git a/unbound/systemd/unbound.service > > b/unbound/systemd/unbound.service > > new file mode 100644 > > index 0000000..d225389 > > --- /dev/null > > +++ b/unbound/systemd/unbound.service > > @@ -0,0 +1,18 @@ > > +[Unit] > > +Description=Unbound recursive Domain Name Server > > +After=network.target > > +After=unbound-keygen.service > > +Wants=unbound-keygen.service > > +Wants=unbound-anchor.timer > > +Before=nss-lookup.target > > +Wants=nss-lookup.target > > + > > +[Service] > > +Type=simple > > +ExecStartPre=/usr/sbin/unbound-checkconf > > +ExecStartPre=-/usr/sbin/unbound-anchor -a > > /var/lib/unbound/root.key > > -c /etc/unbound/icannbundle.pem > > +ExecStart=/usr/sbin/unbound -d > > +ExecReload=/usr/sbin/unbound-control reload > > + > > +[Install] > > +WantedBy=multi-user.target > > diff --git a/unbound/unbound.conf b/unbound/unbound.conf > > new file mode 100644 > > index 0000000..4a97148 > > --- /dev/null > > +++ b/unbound/unbound.conf > > @@ -0,0 +1,655 @@ > > +# > > +# See unbound.conf(5) man page. > > +# > > +# this is a comment. > > + > > +#Use this to include other text into the file. > > +#include: "otherfile.conf" > > + > > +# The server clause sets the main parameters. > > +server: > > + # whitespace is not necessary, but looks cleaner. > > + > > + # verbosity number, 0 is least verbose. 1 is default. > > + verbosity: 1 > > + > > + # print statistics to the log (for every thread) every N > > seconds. > > + # Set to "" or 0 to disable. Default is disabled. > > + # Needed for munin plugin > > + statistics-interval: 0 > > + > > + # enable cumulative statistics, without clearing them > > after > > printing. > > + # Needed for munin plugin > > + statistics-cumulative: yes > > + > > + # enable extended statistics (query types, answer codes, > > status) > > + # printed from unbound-control. default off, because of > > speed. > > + # Needed for munin plugin > > + extended-statistics: yes > > + > > + # number of threads to create. 1 disables threading. > > + num-threads: 2 > > + > > + # specify the interfaces to answer queries from by ip > > -address. > > + # The default is to listen to localhost (127.0.0.1 and > > ::1). > > + # specify 0.0.0.0 and ::0 to bind to all available > > interfaces. > > + # specify every interface on a new 'interface:' labelled > > line. > > + # The listen interfaces are not changed on reload, only on > > restart. > > + # interface: 0.0.0.0 > > + # interface: ::0 > > + # interface: 192.0.2.153 > > + # interface: 192.0.2.154 > > + # interface: 2001:DB8::5 > > + # > > + # for dns over tls and raw dns over port 80 > > + # interface: 0.0.0.0@443 > > + # interface: ::0@443 > > + # interface: 0.0.0.0@80 > > + # interface: ::0@80 > > + > > + # enable this feature to copy the source address of > > queries > > to reply. > > + # Socket options are not supported on all platforms. > > experimental. > > + # interface-automatic: yes > > + # > > + # NOTE: Enable this option when specifying interface > > 0.0.0.0 > > or ::0 > > + # NOTE: Disabled per Fedora policy not to listen to * on > > default install > > + # NOTE: If deploying on non-default port, eg 80/443, this > > needs to be disabled > > + interface-automatic: no > > + > > + # port to answer queries from > > + # port: 53 > > + > > + # specify the interfaces to send outgoing queries to > > authoritative > > + # server from by ip-address. If none, the default (all) > > interface > > + # is used. Specify every interface on a 'outgoing > > -interface:' line. > > + # outgoing-interface: 192.0.2.153 > > + # outgoing-interface: 2001:DB8::5 > > + # outgoing-interface: 2001:DB8::6 > > + > > + # number of ports to allocate per thread, determines the > > size of the > > + # port range that can be open simultaneously. About > > double > > the > > + # num-queries-per-thread, or, use as many as the OS will > > allow you. > > + # outgoing-range: 4096 > > + > > + # permit unbound to use this port number or port range for > > + # making outgoing queries, using an outgoing interface. > > + # Only ephemeral ports are allowed by SElinux > > + outgoing-port-permit: 32768-65535 > > + > > + # deny unbound the use this of port number or port range > > for > > + # making outgoing queries, using an outgoing interface. > > + # Use this to make sure unbound does not grab a UDP port > > that some > > + # other server on this computer needs. The default is to > > avoid > > + # IANA-assigned port numbers. > > + # Our SElinux policy does not allow non-ephemeral ports to > > be used > > + outgoing-port-avoid: 0-32767 > > + > > + # number of outgoing simultaneous tcp buffers to hold per > > thread. > > + # outgoing-num-tcp: 10 > > + > > + # number of incoming simultaneous tcp buffers to hold per > > thread. > > + # incoming-num-tcp: 10 > > + > > + # buffer size for UDP port 53 incoming (SO_RCVBUF socket > > option). > > + # 0 is system default. Use 4m to catch query spikes for > > busy servers. > > + # so-rcvbuf: 0 > > + > > + # buffer size for UDP port 53 outgoing (SO_SNDBUF socket > > option). > > + # 0 is system default. Use 4m to handle spikes on very > > busy > > servers. > > + # so-sndbuf: 0 > > + > > + # use SO_REUSEPORT to distribute queries over threads. > > + # so-reuseport: no > > + > > + # EDNS reassembly buffer to advertise to UDP peers (the > > actual buffer > > + # is set with msg-buffer-size). 1480 can solve > > fragmentation > > (timeouts). > > + # edns-buffer-size: 4096 > > + > > + # Maximum UDP response size (not applied to TCP response). > > + # Suggested values are 512 to 4096. Default is 4096. 65536 > > disables it. > > + # 3072 causes +dnssec any isc.org queries to need TC=1. > > Helps mitigating DDOS > > + max-udp-size: 3072 > > + > > + # buffer size for handling DNS data. No messages larger > > than > > this > > + # size can be sent or received, by UDP or TCP. In bytes. > > + # msg-buffer-size: 65552 > > + > > + # the amount of memory to use for the message cache. > > + # plain value in bytes or you can append k, m or G. > > default > > is "4Mb". > > + # msg-cache-size: 4m > > + > > + # the number of slabs to use for the message cache. > > + # the number of slabs must be a power of 2. > > + # more slabs reduce lock contention, but fragment memory > > usage. > > + # msg-cache-slabs: 4 > > + > > + # the number of queries that a thread gets to service. > > + # num-queries-per-thread: 1024 > > + > > + # if very busy, 50% queries run to completion, 50% get > > timeout in msec > > + # jostle-timeout: 200 > > + > > + # msec to wait before close of port on timeout UDP. 0 > > disables. > > + # delay-close: 0 > > + > > + # the amount of memory to use for the RRset cache. > > + # plain value in bytes or you can append k, m or G. > > default > > is "4Mb". > > + # rrset-cache-size: 4m > > + > > + # the number of slabs to use for the RRset cache. > > + # the number of slabs must be a power of 2. > > + # more slabs reduce lock contention, but fragment memory > > usage. > > + # rrset-cache-slabs: 4 > > + > > + # the time to live (TTL) value lower bound, in seconds. > > Default 0. > > + # If more than an hour could easily give trouble due to > > stale data. > > + # cache-min-ttl: 0 > > + > > + # the time to live (TTL) value cap for RRsets and messages > > in the > > + # cache. Items are not cached for longer. In seconds. > > + # cache-max-ttl: 86400 > > + > > + # the time to live (TTL) value cap for negative responses > > in > > the cache > > + # cache-max-negative-ttl: 3600 > > + > > + # the time to live (TTL) value for cached roundtrip times, > > lameness and > > + # EDNS version information for hosts. In seconds. > > + # infra-host-ttl: 900 > > + > > + # minimum wait time for responses, increase if uplink is > > long. In msec. > > + # infra-cache-min-rtt: 50 > > + > > + # the number of slabs to use for the Infrastructure cache. > > + # the number of slabs must be a power of 2. > > + # more slabs reduce lock contention, but fragment memory > > usage. > > + # infra-cache-slabs: 4 > > + > > + # the maximum number of hosts that are cached (roundtrip, > > EDNS, lame). > > + # infra-cache-numhosts: 10000 > > + > > + # Enable IPv4, "yes" or "no". > > + # do-ip4: yes > > + > > + # Enable IPv6, "yes" or "no". > > + # do-ip6: yes > > + > > + # Enable UDP, "yes" or "no". > > + # NOTE: if setting up an unbound on tls443 for public use, > > you might want to > > + # disable UDP to avoid being used in DNS amplification > > attacks. > > + # do-udp: yes > > + > > + # Enable TCP, "yes" or "no". > > + # do-tcp: yes > > + > > + # upstream connections use TCP only (and no UDP), "yes" or > > "no" > > + # useful for tunneling scenarios, default no. > > + # tcp-upstream: no > > + > > + # Detach from the terminal, run in background, "yes" or > > "no". > > + # do-daemonize: yes > > + > > + # control which clients are allowed to make (recursive) > > queries > > + # to this server. Specify classless netblocks with /size > > and > > action. > > + # By default everything is refused, except for localhost. > > + # Choose deny (drop message), refuse (polite error reply), > > + # allow (recursive ok), allow_snoop (recursive and > > nonrecursive ok) > > + # deny_non_local (drop queries unless can be answered from > > local-data) > > + # refuse_non_local (like deny_non_local but polite error > > reply). > > + # access-control: 0.0.0.0/0 refuse > > + # access-control: 127.0.0.0/8 allow > > + # access-control: ::0/0 refuse > > + # access-control: ::1 allow > > + # access-control: ::ffff:127.0.0.1 allow > > + > > + # if given, a chroot(2) is done to the given directory. > > + # i.e. you can chroot to the working directory, for > > example, > > + # for extra security, but make sure all files are in that > > directory. > > + # > > + # If chroot is enabled, you should pass the configfile > > (from > > the > > + # commandline) as a full path from the original root. > > After > > the > > + # chroot has been performed the now defunct portion of the > > config > > + # file path is removed to be able to reread the config > > after > > a reload. > > + # > > + # All other file paths (working dir, logfile, roothints, > > and > > + # key files) can be specified in several ways: > > + # o as an absolute path relative to the new root. > > + # o as a relative path to the working directory. > > + # o as an absolute path relative to the original > > root. > > + # In the last case the path is adjusted to remove the > > unused > > portion. > > + # > > + # The pid file can be absolute and outside of the chroot, > > it > > is > > + # written just prior to performing the chroot and dropping > > permissions. > > + # > > + # Additionally, unbound may need to access /dev/random > > (for > > entropy). > > + # How to do this is specific to your OS. > > + # > > + # If you give "" no chroot is performed. The path must not > > end in a /. > > + # chroot: "/var/lib/unbound" > > + chroot: "" > > + > > + # if given, user privileges are dropped (after binding > > port), > > + # and the given username is assumed. Default is user > > "unbound". > > + # If you give "" no privileges are dropped. > > + username: "unbound" > > + > > + # the working directory. The relative files in this config > > are > > + # relative to this directory. If you give "" the working > > directory > > + # is not changed. > > + directory: "/etc/unbound" > > + > > + # the log file, "" means log to stderr. > > + # Use of this option sets use-syslog to "no". > > + # logfile: "" > > + > > + # Log to syslog(3) if yes. The log facility LOG_DAEMON is > > used to > > + # log to, with identity "unbound". If yes, it overrides > > the > > logfile. > > + # use-syslog: yes > > + > > + # print UTC timestamp in ascii to logfile, default is > > epoch > > in seconds. > > + log-time-ascii: yes > > + > > + # print one line with time, IP, name, type, class for > > every > > query. > > + # log-queries: no > > + > > + # the pid file. Can be an absolute path outside of > > chroot/work dir. > > + pidfile: "/var/run/unbound/unbound.pid" > > + > > + # file to read root hints from. > > + # get one from ftp://FTP.INTERNIC.NET/domain/named.cache > > + # root-hints: "" > > + > > + # enable to not answer id.server and hostname.bind > > queries. > > + # hide-identity: no > > + > > + # enable to not answer version.server and version.bind > > queries. > > + # hide-version: no > > + > > + # the identity to report. Leave "" or default to return > > hostname. > > + # identity: "" > > + > > + # the version to report. Leave "" or default to return > > package version. > > + # version: "" > > + > > + # the target fetch policy. > > + # series of integers describing the policy per dependency > > depth. > > + # The number of values in the list determines the maximum > > dependency > > + # depth the recursor will pursue before giving up. Each > > integer means: > > + # -1 : fetch all targets opportunistically, > > + # 0: fetch on demand, > > + # positive value: fetch that many targets > > opportunistically. > > + # Enclose the list of numbers between quotes (""). > > + # target-fetch-policy: "3 2 1 0 0" > > + > > + # Harden against very small EDNS buffer sizes. > > + # harden-short-bufsize: no > > + > > + # Harden against unseemly large queries. > > + # harden-large-queries: no > > + > > + # Harden against out of zone rrsets, to avoid spoofing > > attempts. > > + harden-glue: yes > > + > > + # Harden against receiving dnssec-stripped data. If you > > turn > > it > > + # off, failing to validate dnskey data for a trustanchor > > will > > + # trigger insecure mode for that zone (like without a > > trustanchor). > > + # Default on, which insists on dnssec data for trust > > -anchored zones. > > + harden-dnssec-stripped: yes > > + > > + # Harden against queries that fall under dnssec-signed > > nxdomain names. > > + harden-below-nxdomain: yes > > + > > + # Harden the referral path by performing additional > > queries > > for > > + # infrastructure data. Validates the replies (if > > possible). > > + # Default off, because the lookups burden the server. > > Experimental > > + # implementation of draft-wijngaards-dnsext-resolver-side > > -mitigation. > > + harden-referral-path: yes > > + > > + # Use 0x20-encoded random bits in the query to foil spoof > > attempts. > > + # This feature is an experimental implementation of draft > > dns-0x20. > > + # (this now fails on all GoDaddy customer domains, so > > disabled) > > + use-caps-for-id: no > > + > > + # Enforce privacy of these addresses. Strips them away > > from > > answers. > > + # It may cause DNSSEC validation to additionally mark it > > as > > bogus. > > + # Protects against 'DNS Rebinding' (uses browser as > > network > > proxy). > > + # Only 'private-domain' and 'local-data' names are allowed > > to have > > + # these private addresses. No default. > > + # private-address: 10.0.0.0/8 > > + # private-address: 172.16.0.0/12 > > + # private-address: 192.168.0.0/16 > > + # private-address: 169.254.0.0/16 > > + # private-address: fd00::/8 > > + # private-address: fe80::/10 > > + > > + # Allow the domain (and its subdomains) to contain private > > addresses. > > + # local-data statements are allowed to contain private > > addresses too. > > + # private-domain: "example.com" > > + > > + # If nonzero, unwanted replies are not only reported in > > statistics, > > + # but also a running total is kept per thread. If it > > reaches > > the > > + # threshold, a warning is printed and a defensive action > > is > > taken, > > + # the cache is cleared to flush potential poison out of > > it. > > + # A suggested value is 10000000, the default is 0 (turned > > off). > > + unwanted-reply-threshold: 10000000 > > + > > + # Do not query the following addresses. No DNS queries are > > sent there. > > + # List one address per entry. List classless netblocks > > with > > /size, > > + # do-not-query-address: 127.0.0.1/8 > > + # do-not-query-address: ::1 > > + > > + # if yes, the above default do-not-query-address entries > > are > > present. > > + # if no, localhost can be queried (for testing and > > debugging). > > + # do-not-query-localhost: yes > > + > > + # if yes, perform prefetching of almost expired message > > cache entries. > > + prefetch: yes > > + > > + # if yes, perform key lookups adjacent to normal lookups. > > + prefetch-key: yes > > + > > + # if yes, Unbound rotates RRSet order in response. > > + rrset-roundrobin: yes > > + > > + # if yes, Unbound doesn't insert authority/additional > > sections > > + # into response messages when those sections are not > > required. > > + minimal-responses: yes > > + > > + # module configuration of the server. A string with > > identifiers > > + # separated by spaces. "iterator" or "validator iterator" > > + # module-config: "validator iterator" > > + > > + # File with trusted keys, kept uptodate using RFC5011 > > probes, > > + # initial file like trust-anchor-file, then it stores > > metadata. > > + # Use several entries, one per domain name, to track > > multiple zones. > > + # > > + # If you want to perform DNSSEC validation, run unbound > > -anchor before > > + # you start unbound (i.e. in the system boot scripts). > > And > > enable: > > + # Please note usage of unbound-anchor root anchor is at > > your > > own risk > > + # and under the terms of our LICENSE (see that file in the > > source). > > + # auto-trust-anchor-file: "/var/lib/unbound/root.key" > > + > > + # File with DLV trusted keys. Same format as trust-anchor > > -file. > > + # There can be only one DLV configured, it is trusted from > > root down. > > + # Downloaded from > > https://secure.isc.org/ops/dlv/dlv.isc.org.key > > + # > > + # ISC's DLV registry is being deprecated in the near > > future, > > therefore > > + # it is not used in the default configuration. The use of > > ISC's DLV > > + # registry is discouraged. > > + # dlv-anchor-file: "/etc/unbound/dlv.isc.org.key" > > + > > + # File with trusted keys for validation. Specify more than > > one file > > + # with several entries, one file per entry. > > + # Zone file format, with DS and DNSKEY entries. > > + # trust-anchor-file: "" > > + > > + # File with trusted keys, kept uptodate using RFC5011 > > probes, > > + # initial file like trust-anchor-file, then it stores > > metadata. > > + # Use several entries, one per domain name, to track > > multiple zones. > > + # auto-trust-anchor-file: "" > > + > > + # Trusted key for validation. DS or DNSKEY. specify the RR > > on a > > + # single line, surrounded by "". TTL is ignored. class is > > IN > > default. > > + # (These examples are from August 2007 and may not be > > valid > > anymore). > > + # trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 > > AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N > > Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW > > 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ==" > > + # trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 > > 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A" > > + > > + # File with trusted keys for validation. Specify more than > > one file > > + # with several entries, one file per entry. Like trust > > -anchor-file > > + # but has a different file format. Format is BIND-9 style > > format, > > + # the trusted-keys { name flag proto algo "key"; }; > > clauses > > are read. > > + # trusted-keys-file: "" > > + # > > + # trusted-keys-file: /etc/unbound/rootkey.bind > > + trusted-keys-file: /etc/unbound/keys.d/*.key > > + auto-trust-anchor-file: "/var/lib/unbound/root.key" > > + > > + # Ignore chain of trust. Domain is treated as insecure. > > + # domain-insecure: "example.com" > > + > > + # Override the date for validation with a specific fixed > > date. > > + # Do not set this unless you are debugging signature > > inception > > + # and expiration. "" or "0" turns the feature off. > > + # val-override-date: "" > > + > > + # The time to live for bogus data, rrsets and messages. > > This > > avoids > > + # some of the revalidation, until the time interval > > expires. > > in secs. > > + # val-bogus-ttl: 60 > > + > > + # The signature inception and expiration dates are allowed > > to be off > > + # by 10% of the lifetime of the signature from our local > > clock. > > + # This leeway is capped with a minimum and a maximum. In > > seconds. > > + # val-sig-skew-min: 3600 > > + # val-sig-skew-max: 86400 > > + > > + # Should additional section of secure message also be kept > > clean of > > + # unsecure data. Useful to shield the users of this > > validator from > > + # potential bogus data in the additional section. All > > unsigned data > > + # in the additional section is removed from secure > > messages. > > + val-clean-additional: yes > > + > > + # Turn permissive mode on to permit bogus messages. Thus, > > messages > > + # for which security checks failed will be returned to > > clients, > > + # instead of SERVFAIL. It still performs the security > > checks, which > > + # result in interesting log files and possibly the AD bit > > in > > + # replies if the message is found secure. The default is > > off. > > + # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY > > + val-permissive-mode: no > > + > > + # Ignore the CD flag in incoming queries and refuse them > > bogus data. > > + # Enable it if the only clients of unbound are legacy > > servers (w2008) > > + # that set CD but cannot validate themselves. > > + # ignore-cd-flag: no > > + > > + # Have the validator log failed validations for your > > diagnosis. > > + # 0: off. 1: A line per failed user query. 2: With reason > > and bad IP. > > + val-log-level: 1 > > + > > + # It is possible to configure NSEC3 maximum iteration > > counts > > per > > + # keysize. Keep this table very short, as linear search is > > done. > > + # A message with an NSEC3 with larger count is marked > > insecure. > > + # List in ascending order the keysize and count values. > > + # val-nsec3-keysize-iterations: "1024 150 2048 500 4096 > > 2500" > > + > > + # instruct the auto-trust-anchor-file probing to add > > anchors > > after ttl. > > + # add-holddown: 2592000 # 30 days > > + > > + # instruct the auto-trust-anchor-file probing to del > > anchors > > after ttl. > > + # del-holddown: 2592000 # 30 days > > + > > + # auto-trust-anchor-file probing removes missing anchors > > after ttl. > > + # If the value 0 is given, missing anchors are not > > removed. > > + # keep-missing: 31622400 # 366 days > > + > > + # the amount of memory to use for the key cache. > > + # plain value in bytes or you can append k, m or G. > > default > > is "4Mb". > > + # key-cache-size: 4m > > + > > + # the number of slabs to use for the key cache. > > + # the number of slabs must be a power of 2. > > + # more slabs reduce lock contention, but fragment memory > > usage. > > + # key-cache-slabs: 4 > > + > > + # the amount of memory to use for the negative cache (used > > for DLV). > > + # plain value in bytes or you can append k, m or G. > > default > > is "1Mb". > > + # neg-cache-size: 1m > > + > > + # By default, for a number of zones a small default > > 'nothing > > here' > > + # reply is built-in. Query traffic is thus blocked. If > > you > > + # wish to serve such zone you can unblock them by > > uncommenting one > > + # of the nodefault statements below. > > + # You may also have to use domain-insecure: zone to make > > DNSSEC work, > > + # unless you have your own trust anchors for this zone. > > + # local-zone: "localhost." nodefault > > + # local-zone: "127.in-addr.arpa." nodefault > > + # local-zone: > > "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip > > 6. > > arpa." nodefault > > + # local-zone: "10.in-addr.arpa." nodefault > > + # local-zone: "16.172.in-addr.arpa." nodefault > > + # local-zone: "17.172.in-addr.arpa." nodefault > > + # local-zone: "18.172.in-addr.arpa." nodefault > > + # local-zone: "19.172.in-addr.arpa." nodefault > > + # local-zone: "20.172.in-addr.arpa." nodefault > > + # local-zone: "21.172.in-addr.arpa." nodefault > > + # local-zone: "22.172.in-addr.arpa." nodefault > > + # local-zone: "23.172.in-addr.arpa." nodefault > > + # local-zone: "24.172.in-addr.arpa." nodefault > > + # local-zone: "25.172.in-addr.arpa." nodefault > > + # local-zone: "26.172.in-addr.arpa." nodefault > > + # local-zone: "27.172.in-addr.arpa." nodefault > > + # local-zone: "28.172.in-addr.arpa." nodefault > > + # local-zone: "29.172.in-addr.arpa." nodefault > > + # local-zone: "30.172.in-addr.arpa." nodefault > > + # local-zone: "31.172.in-addr.arpa." nodefault > > + # local-zone: "168.192.in-addr.arpa." nodefault > > + # local-zone: "0.in-addr.arpa." nodefault > > + # local-zone: "254.169.in-addr.arpa." nodefault > > + # local-zone: "2.0.192.in-addr.arpa." nodefault > > + # local-zone: "100.51.198.in-addr.arpa." nodefault > > + # local-zone: "113.0.203.in-addr.arpa." nodefault > > + # local-zone: "255.255.255.255.in-addr.arpa." nodefault > > + # local-zone: > > "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip > > 6. > > arpa." nodefault > > + # local-zone: "d.f.ip6.arpa." nodefault > > + # local-zone: "8.e.f.ip6.arpa." nodefault > > + # local-zone: "9.e.f.ip6.arpa." nodefault > > + # local-zone: "a.e.f.ip6.arpa." nodefault > > + # local-zone: "b.e.f.ip6.arpa." nodefault > > + # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault > > + # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa. > > + > > + # if unbound is running service for the local host then it > > is useful > > + # to perform lan-wide lookups to the upstream, and unblock > > the > > + # long list of local-zones above. If this unbound is a > > dns > > server > > + # for a network of computers, disabled is better and stops > > information > > + # leakage of local lan information. > > + # unblock-lan-zones: no > > + > > + # a number of locally served zones can be configured. > > + # local-zone: <zone> <type> > > + # local-data: "<resource record string>" > > + # o deny serves local data (if any), else, drops queries. > > + # o refuse serves local data (if any), else, replies with > > error. > > + # o static serves local data, else, nxdomain or nodata > > answer. > > + # o transparent gives local data, but resolves normally > > for > > other names > > + # o redirect serves the zone data for any subdomain in the > > zone. > > + # o nodefault can be used to normally resolve AS112 zones. > > + # o typetransparent resolves normally for other types and > > other names > > + # o inform resolves normally, but logs client IP address > > + # > > + # defaults are localhost address, reverse for 127.0.0.1 > > and > > ::1 > > + # and nxdomain for AS112 zones. If you configure one of > > these zones > > + # the default content is omitted, or you can omit it with > > 'nodefault'. > > + # > > + # If you configure local-data without specifying local > > -zone, > > by > > + # default a transparent local-zone is created for the > > data. > > + # > > + # You can add locally served data with > > + # local-zone: "local." static > > + # local-data: "mycomputer.local. IN A 192.0.2.51" > > + # local-data: 'mytext.local TXT "content of text record"' > > + # > > + # You can override certain queries with > > + # local-data: "adserver.example.com A 127.0.0.1" > > + # > > + # You can redirect a domain to a fixed address with > > + # (this makes example.com, www.example.com, etc, all go to > > 192.0.2.3) > > + # local-zone: "example.com" redirect > > + # local-data: "example.com A 192.0.2.3" > > + # > > + # Shorthand to make PTR records, "IPv4 name" or "IPv6 > > name". > > + # You can also add PTR records using local-data directly, > > but then > > + # you need to do the reverse notation yourself. > > + # local-data-ptr: "192.0.2.3 www.example.com" > > + > > + include: /etc/unbound/local.d/*.conf > > + > > + # service clients over SSL (on the TCP sockets), with > > plain > > DNS inside > > + # the SSL stream. Give the certificate to use and private > > key. > > + # default is "" (disabled). requires restart to take > > effect. > > + # ssl-service-key: "/etc/unbound/unbound_server.key" > > + # ssl-service-pem: "/etc/unbound/unbound_server.pem" > > + # ssl-port: 443 > > + > > + # request upstream over SSL (with plain DNS inside the SSL > > stream). > > + # Default is no. Can be turned on and off with unbound > > -control. > > + # ssl-upstream: no > > + > > + # DNS64 prefix. Must be specified when DNS64 is use. > > + # Enable dns64 in module-config. Used to synthesize IPv6 > > from IPv4. > > + # dns64-prefix: 64:ff9b::0/96 > > + > > +# Python config section. To enable: > > +# o use --with-pythonmodule to configure before compiling. > > +# o list python in the module-config string (above) to enable. > > +# o and give a python-script to run. > > +python: > > + # Script file to load > > + # python-script: "/etc/unbound/ubmodule-tst.py" > > + > > +# Remote control config section. > > +remote-control: > > + # Enable remote control with unbound-control(8) here. > > + # set up the keys and certificates with unbound-control > > -setup. > > + # Note: required for unbound-munin package > > + control-enable: yes > > + > > + # Set to no and use an absolute path as control-interface > > to > > use > > + # a unix local named pipe for unbound-control. > > + # control-use-cert: yes > > + > > + # what interfaces are listened to for remote control. > > + # give 0.0.0.0 and ::0 to listen to all interfaces. > > + # control-interface: 127.0.0.1 > > + # control-interface: ::1 > > + > > + # port number for remote control operations. > > + # control-port: 953 > > + > > + # unbound server key file. > > + server-key-file: "/etc/unbound/unbound_server.key" > > + > > + # unbound server certificate file. > > + server-cert-file: "/etc/unbound/unbound_server.pem" > > + > > + # unbound-control key file. > > + control-key-file: "/etc/unbound/unbound_control.key" > > + > > + # unbound-control certificate file. > > + control-cert-file: "/etc/unbound/unbound_control.pem" > > + > > +# Stub and Forward zones > > + > > +include: /etc/unbound/conf.d/*.conf > > + > > +# Stub zones. > > +# Create entries like below, to make all queries for 'example.com' > > and > > +# 'example.org' go to the given list of nameservers. list zero or > > more > > +# nameservers by hostname or by ipaddress. If you set stub-prime > > to > > yes, > > +# the list is treated as priming hints (default is no). > > +# stub-zone: > > +# name: "example.com" > > +# stub-addr: 192.0.2.68 > > +# stub-prime: "no" > > +# stub-zone: > > +# name: "example.org" > > +# stub-host: ns.example.com. > > +# You can now also dynamically create and delete stub-zone's using > > +# unbound-control stub_add domain.com 1.2.3.4 5.6.7.8 > > +# unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8 > > + > > +# Forward zones > > +# Create entries like below, to make all queries for 'example.com' > > and > > +# 'example.org' go to the given list of servers. These servers > > have > > to handle > > +# recursion to other nameservers. List zero or more nameservers by > > hostname > > +# or by ipaddress. Use an entry with name "." to forward all > > queries. > > +# If you enable forward-first, it attempts without the forward if > > it > > fails. > > +# forward-zone: > > +# name: "example.com" > > +# forward-addr: 192.0.2.68 > > +# forward-addr: 192.0.2.73@5355 # forward to port 5355. > > +# forward-first: no > > +# forward-zone: > > +# name: "example.org" > > +# forward-host: fwd.example.com > > +# > > +# You can now also dynamically create and delete forward-zone's > > using > > +# unbound-control forward_add domain.com 1.2.3.4 5.6.7.8 > > +# unbound-control forward_remove domain.com 1.2.3.4 5.6.7.8 > > diff --git a/unbound/unbound.nm b/unbound/unbound.nm > > new file mode 100644 > > index 0000000..b32ac2a > > --- /dev/null > > +++ b/unbound/unbound.nm > > @@ -0,0 +1,158 @@ > > +################################################################## > > ## > > ########### > > +# IPFire.org - An Open Source Firewall Solution > > > > # > > +# Copyright (C) - IPFire Development Team <info@ipfire.org> > > > > # > > +################################################################## > > ## > > ########### > > + > > +name = unbound > > +version = 1.5.5 > > +release = 1 > > + > > +groups = System/Daemons > > +url = http://www.nlnetlabs.nl/unbound/ > > +license = BSD > > +summary = A validating, recursive, and caching DNS(SEC) > > resolver. > > + > > +description > > + Unbound is a validating, recursive, and caching DNS(SEC) > > resolver. > > + The C implementation of Unbound is developed and > > maintained > > by NLnet > > + Labs and is based on ideas and algorithms taken from a > > java > > prototype > > + developed by Verisign labs, Nominet, Kirei and ep.net. > > Unbound is > > + designed as a set of modular components, so that also > > + DNSSEC (secure DNS) validation and stub-resolvers are > > easily > > possible. > > +end > > + > > +source_dl = http://www.unbound.net/downloads/ > > + > > +build > > + requires > > + expat-devel > > + libevent-devel > > + openssl-devel >= 1.0.1h-2 > > + python3-devel >= 3.4 > > + swig > > + end > > + > > + configure_options += \ > > + --with-conf > > -file=%{sysconfdir}/%{name}/unbound.conf > > \ > > + --with > > -pidfile=%{localstatedir}/run/%{name}/%{name}.pid \ > > + --with-rootkey > > -file=%{sharedstatedir}/unbound/root.key \ > > + --with-libevent \ > > + --with-pthreads \ > > + --disable-rpath \ > > + --disable-static \ > > + --with-ssl \ > > + --enable-sha2 \ > > + --with-pythonmodule \ > > + --with-pyunbound PYTHON=%{python3} > > + > > + test > > + make check > > + end > > + > > + install_cmds > > + # Create directories. > > + mkdir -pv %{BUILDROOT}%{localstatedir}/run/%{name} > > + mkdir -pv %{BUILDROOT}%{sharedstatedir}/%{name} > > + > > + # Directory for user specified and additional > > config > > files. > > + mkdir -pv > > %{BUILDROOT}%{sysconfdir}/%{name}/conf.d/ > > + > > + # Directory for stub and forward zones. > > + mkdir -pv > > %{BUILDROOT}%{sysconfdir}/%{name}/local.d/ > > + > > + # Directory for trusted-keys-file. > > + mkdir -pv > > %{BUILDROOT}%{sysconfdir}/%{name}/keys.d/ > > + > > + # Install unbound config file. > > + install -p -m 0664 %{DIR_SOURCE}/%{name}.conf \ > > + %{BUILDROOT}%{sysconfdir}/%{name}/ > > + > > + # Install pem file for icannbundle. > > + install -p -m 0664 %{DIR_SOURCE}/icannbundle.pem \ > > + %{BUILDROOT}%{sysconfdir}/%{name}/ > > + > > + # Install root and DLV keys. > > + install -p -m 0644 %{DIR_SOURCE}/root.key \ > > + %{BUILDROOT}%{sysconfdir}/%{name}/ > > + install -p -m 0664 %{DIR_SOURCE}/dlv.isc.org.key \ > > + %{BUILDROOT}%{sysconfdir}/%{name}/ > > + install -p -m 0664 %{DIR_SOURCE}/root.anchor \ > > + %{BUILDROOT}%{sharedstatedir}/%{name}/root > > .k > > ey > > + > > + # Fix ownership. > > + chown -R unbound:unbound > > %{BUILDROOT}%{sharedstatedir}/%{name}/ > > + end > > +end > > + > > +create_user > > + getent group unound >/dev/null || /usr/sbin/groupadd -r > > unbound > > + getent passwd unbound >/dev/null || /usr/sbin/useradd -r > > -g > > unbound \ > > + -d %{sysconfdir}/%{name} -s /sbin/nologin unbound > > +end > > + > > +packages > > + package %{name} > > + prerequires > > + shadow-utils > > + systemd-units > > + end > > + > > + requires += \ > > + openssl >= 1.0.1h-2 > > + > > + configfiles > > + %{sysconfdir}/%{name}.conf > > + end > > + > > + datafiles > > + %{sysconfdir}/%{name}/conf.d/ > > + %{sysconfdir}/%{name}/local.d/ > > + %{sysconfdir}/%{name}/keys.d/ > > + end > > + > > + script prein > > + %{create_user} > > + end > > + > > + script postin > > + /bin/systemctl daemon-reload >/dev/null > > 2>&1 > > > > : > > + > > + # Enable root anchor for DNSSEC > > validation. > > + systemctl enable unbound-anchor.timer > > > /dev/null 2>&1 || : > > + end > > + > > + script preun > > + systemctl --no-reload disable unbound > > -anchor.timer >/dev/null 2>&1 || : > > + systemctl --no-reload disable unbound > > -keygen.service >/dev/null 2>&1 || : > > + systemctl --no-reload disable > > unbound.service >/dev/null 2>&1 || : > > + systemctl stop unbound.service >/dev/null > > 2>&1 || : > > + systemctl stop unbound-keygen.service > > > /dev/null 2>&1 || : > > + end > > + > > + script postun > > + systemctl daemon-reload >/dev/null 2>&1 || > > : > > + end > > + > > + script postup > > + systemctl daemon-reload >/dev/null 2>&1 || > > : > > + systemctl try-restart unbound > > -keygen.service > > > /dev/null 2>&1 || : > > + systemctl try-restart unbound.service > > > /dev/null 2>&1 || : > > + end > > + end > > + > > + package %{name}-libs > > + template LIBS > > + end > > + > > + package python3-%{name} > > + template PYTHON3 > > + end > > + > > + package %{name}-devel > > + template DEVEL > > + end > > + > > + package %{name}-debuginfo > > + template DEBUGINFO > > + end > > +end > > diff --git a/unbound/unbound.tmpfiles b/unbound/unbound.tmpfiles > > new file mode 100644 > > index 0000000..d625589 > > --- /dev/null > > +++ b/unbound/unbound.tmpfiles > > @@ -0,0 +1 @@