mbox

[v2] unbound: New package

Message ID 1445191999-18125-1-git-send-email-stefan.schantl@ipfire.org
State Accepted
Commit 23621ada010ee2916cf6aeebb0438414d38dfbb1
Headers

Message

Stefan Schantl Oct. 19, 2015, 5:13 a.m. UTC
  Unbound is a validating, recursive, and caching DNS resolver.

The package comes with libraries that are used by many other packages
to resolve DNS records and validate those by using DNSSEC.

Fixes #10943.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
---
 unbound/dlv.isc.org.key                |   2 +
 unbound/icannbundle.pem                | 317 ++++++++++++++++
 unbound/root.anchor                    |   1 +
 unbound/root.key                       |   6 +
 unbound/systemd/unbound-anchor.service |   9 +
 unbound/systemd/unbound-anchor.timer   |  14 +
 unbound/systemd/unbound-keygen.service |  14 +
 unbound/systemd/unbound.service        |  18 +
 unbound/unbound.conf                   | 655 +++++++++++++++++++++++++++++++++
 unbound/unbound.nm                     | 162 ++++++++
 unbound/unbound.tmpfiles               |   1 +
 11 files changed, 1199 insertions(+)
 create mode 100644 unbound/dlv.isc.org.key
 create mode 100644 unbound/icannbundle.pem
 create mode 100644 unbound/root.anchor
 create mode 100644 unbound/root.key
 create mode 100644 unbound/systemd/unbound-anchor.service
 create mode 100644 unbound/systemd/unbound-anchor.timer
 create mode 100644 unbound/systemd/unbound-keygen.service
 create mode 100644 unbound/systemd/unbound.service
 create mode 100644 unbound/unbound.conf
 create mode 100644 unbound/unbound.nm
 create mode 100644 unbound/unbound.tmpfiles
  

Comments

Michael Tremer Oct. 19, 2015, 10:02 a.m. UTC | #1
Merged. I also built ldns, so this set of libraries should be complete.

-Michael

On Sun, 2015-10-18 at 20:13 +0200, Stefan Schantl wrote:
> Unbound is a validating, recursive, and caching DNS resolver.
> 
> The package comes with libraries that are used by many other packages
> to resolve DNS records and validate those by using DNSSEC.
> 
> Fixes #10943.
> 
> Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
> ---
>  unbound/dlv.isc.org.key                |   2 +
>  unbound/icannbundle.pem                | 317 ++++++++++++++++
>  unbound/root.anchor                    |   1 +
>  unbound/root.key                       |   6 +
>  unbound/systemd/unbound-anchor.service |   9 +
>  unbound/systemd/unbound-anchor.timer   |  14 +
>  unbound/systemd/unbound-keygen.service |  14 +
>  unbound/systemd/unbound.service        |  18 +
>  unbound/unbound.conf                   | 655
> +++++++++++++++++++++++++++++++++
>  unbound/unbound.nm                     | 162 ++++++++
>  unbound/unbound.tmpfiles               |   1 +
>  11 files changed, 1199 insertions(+)
>  create mode 100644 unbound/dlv.isc.org.key
>  create mode 100644 unbound/icannbundle.pem
>  create mode 100644 unbound/root.anchor
>  create mode 100644 unbound/root.key
>  create mode 100644 unbound/systemd/unbound-anchor.service
>  create mode 100644 unbound/systemd/unbound-anchor.timer
>  create mode 100644 unbound/systemd/unbound-keygen.service
>  create mode 100644 unbound/systemd/unbound.service
>  create mode 100644 unbound/unbound.conf
>  create mode 100644 unbound/unbound.nm
>  create mode 100644 unbound/unbound.tmpfiles
> 
> diff --git a/unbound/dlv.isc.org.key b/unbound/dlv.isc.org.key
> new file mode 100644
> index 0000000..c73944f
> --- /dev/null
> +++ b/unbound/dlv.isc.org.key
> @@ -0,0 +1,2 @@
> +; https://secure.isc.org/ops/dlv/dlv.isc.org.key
> +dlv.isc.org. IN DNSKEY 257 3 5
> BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
> brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
> 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
> ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
> Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
> QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh
> diff --git a/unbound/icannbundle.pem b/unbound/icannbundle.pem
> new file mode 100644
> index 0000000..48941de
> --- /dev/null
> +++ b/unbound/icannbundle.pem
> @@ -0,0 +1,317 @@
> +Certificate:
> +    Data:
> +        Version: 3 (0x2)
> +        Serial Number: 1 (0x1)
> +        Signature Algorithm: sha256WithRSAEncryption
> +        Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN
> Root CA, C=US
> +        Validity
> +            Not Before: Dec 23 04:19:12 2009 GMT
> +            Not After : Dec 18 04:19:12 2029 GMT
> +        Subject: O=ICANN, OU=ICANN Certification Authority, CN=ICANN
> Root CA, C=US
> +        Subject Public Key Info:
> +            Public Key Algorithm: rsaEncryption
> +            RSA Public Key: (2048 bit)
> +                Modulus (2048 bit):
> +                    00:a0:db:70:b8:4f:34:da:9c:d4:d0:7e:bb:ea:15:
> +                    bc:e9:c9:11:2a:1f:61:2f:6a:b9:bd:3f:3d:76:a0:
> +                    9a:0a:f7:ee:93:6e:6e:55:53:84:8c:f2:2c:f1:82:
> +                    27:c8:0f:9a:cf:52:1b:54:da:28:d2:2c:30:8e:dd:
> +                    fb:92:20:33:2d:d6:c8:f1:0e:10:21:88:71:fa:84:
> +                    22:4b:5d:47:56:16:7c:9b:9f:5d:c3:11:79:9c:14:
> +                    e2:ff:c0:74:ac:dd:39:d7:e0:38:d8:b0:73:aa:fb:
> +                    d1:db:84:af:52:22:a8:f6:d5:9b:94:f4:e6:5d:5e:
> +                    e8:3f:87:90:0b:c7:1a:77:f5:2e:d3:8f:1a:ce:02:
> +                    1d:07:69:21:47:32:da:46:ae:00:4c:b6:a5:a2:9c:
> +                    39:c1:c0:4a:f6:d3:1c:ae:d3:6d:bb:c7:18:f0:7e:
> +                    ed:f6:80:ce:d0:01:2e:89:de:12:ba:ee:11:cb:a6:
> +                    7a:d7:0d:7c:f3:08:8d:72:9d:bf:55:75:13:70:bb:
> +                    31:22:4a:cb:e8:c0:aa:a4:09:aa:36:68:40:60:74:
> +                    9d:e7:19:81:43:22:52:fe:c9:2b:52:0f:41:13:36:
> +                    09:72:65:95:cc:89:ae:6f:56:17:16:34:73:52:a3:
> +                    04:ed:bd:88:82:8a:eb:d7:dc:82:52:9c:06:e1:52:
> +                    85:41
> +                Exponent: 65537 (0x10001)
> +        X509v3 extensions:
> +            X509v3 Basic Constraints: critical
> +                CA:TRUE
> +            X509v3 Key Usage: critical
> +                Digital Signature, Non Repudiation, Key
> Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL
> Sign
> +            X509v3 Subject Key Identifier: 
> +               
>  BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
> +    Signature Algorithm: sha256WithRSAEncryption
> +        0f:f1:e9:82:a2:0a:87:9f:2d:94:60:5a:b2:c0:4b:a1:2f:2b:
> +        3b:47:d5:0a:99:86:38:b2:ec:c6:3b:89:e4:6e:07:cf:14:c7:
> +        c7:e8:cf:99:8f:aa:30:c3:19:70:b9:e6:6d:d6:3f:c8:68:26:
> +        b2:a0:a5:37:42:ca:d8:62:80:d1:a2:5a:48:2e:1f:85:3f:0c:
> +        7b:c2:c7:94:11:5f:19:2a:95:ac:a0:3a:03:d8:91:5b:2e:0d:
> +        9c:7c:1f:2e:fc:e9:44:e1:16:26:73:1c:45:4a:65:c1:83:4c:
> +        90:f3:f2:28:42:df:db:c4:e7:04:12:18:62:43:5e:bc:1f:6c:
> +        84:e6:bc:49:32:df:61:d7:99:ee:e4:90:52:7b:0a:c2:91:8a:
> +        98:62:66:b1:c8:e0:b7:5a:b5:46:7c:76:71:54:8e:cc:a4:81:
> +        5c:19:db:d2:6f:66:b5:bb:2b:ae:6b:c9:74:04:a8:24:de:e8:
> +        c5:d3:fc:2c:1c:d7:8f:db:6a:8d:c9:53:be:5d:50:73:ac:cf:
> +        1f:93:c0:52:50:5b:a2:4f:fe:ad:65:36:17:46:d1:2d:e5:a2:
> +        90:66:05:db:29:4e:5d:50:5d:e3:4f:da:a0:8f:f0:6b:e4:16:
> +        70:dd:7f:f3:77:7d:b9:4e:f9:ec:c3:33:02:d7:e9:63:2f:31:
> +        e7:40:61:a4
> +-----BEGIN CERTIFICATE-----
> +MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
> +TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
> +BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX
> +DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O
> +IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB
> +MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb
> +cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S
> +G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg
> +ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2
> +paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7
> +MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29
> +iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B
> +Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3
> +DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH
> +6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD
> +2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h
> +15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF
> +0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg
> +j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk
> +-----END CERTIFICATE-----
> +Certificate:
> +    Data:
> +        Version: 3 (0x2)
> +        Serial Number: 2 (0x2)
> +        Signature Algorithm: sha256WithRSAEncryption
> +        Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN
> Root CA, C=US
> +        Validity
> +            Not Before: Dec 23 04:45:04 2009 GMT
> +            Not After : Dec 22 04:45:04 2014 GMT
> +        Subject: O=ICANN, CN=ICANN DNSSEC 
> CA/emailAddress=dnssec@icann.org
> +        Subject Public Key Info:
> +            Public Key Algorithm: rsaEncryption
> +            RSA Public Key: (2048 bit)
> +                Modulus (2048 bit):
> +                    00:c0:bf:e2:b4:ee:12:46:36:3b:7c:d2:46:21:64:
> +                    5a:93:e1:e3:02:10:25:bb:a5:30:70:19:89:98:7e:
> +                    9e:db:8e:0f:ac:c8:48:66:0e:1a:f8:81:e5:2d:3c:
> +                    7b:39:39:76:28:8f:ee:0a:a7:dd:64:e9:5f:87:25:
> +                    b1:64:e5:59:03:fc:bc:29:3b:63:37:c8:d7:46:9a:
> +                    b6:ce:87:55:cd:cf:e2:ab:e9:c7:8a:53:2e:25:87:
> +                    b0:98:d6:20:a3:a8:ec:87:b0:39:a3:c4:c5:75:59:
> +                    3c:fb:91:03:fa:ee:7f:e9:2b:b6:70:88:69:2c:e6:
> +                    f1:4f:fc:d0:47:b4:e9:a0:2c:fa:0c:c3:84:eb:be:
> +                    73:5a:bc:16:ed:d0:83:02:2d:eb:6a:21:02:51:70:
> +                    29:1e:4f:c9:69:03:9f:91:32:5c:2c:1a:9f:5e:45:
> +                    48:2a:50:ee:72:14:ec:17:29:fc:20:95:7d:22:6a:
> +                    c6:6f:83:a2:58:8e:b1:64:c8:73:23:54:6c:69:1d:
> +                    66:1f:df:f8:4f:24:a1:a8:ae:00:7f:e9:89:41:a6:
> +                    e3:88:1d:3a:e1:b3:3a:ef:29:45:32:9b:94:2e:b7:
> +                    6c:1e:fe:31:40:13:e1:bd:52:67:d0:d8:c3:3e:03:
> +                    84:48:72:9d:bd:8a:48:a0:f2:72:35:b6:03:4b:c6:
> +                    e9:05
> +                Exponent: 65537 (0x10001)
> +        X509v3 extensions:
> +            X509v3 Basic Constraints: critical
> +                CA:TRUE
> +            X509v3 Key Usage: critical
> +                Digital Signature, Non Repudiation, Key
> Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL
> Sign
> +            X509v3 Authority Key Identifier: 
> +               
>  keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
> +
> +            X509v3 Subject Key Identifier: 
> +               
>  8F:B2:42:69:C3:9D:E4:3C:FA:13:B9:FF:F2:C0:A4:EF:D8:0F:E8:22
> +    Signature Algorithm: sha256WithRSAEncryption
> +        4a:78:a2:47:7e:3f:2e:4d:78:68:ab:06:5c:ff:da:01:04:45:
> +        92:20:20:88:f3:dc:4e:70:01:9b:cb:f3:13:61:34:04:09:15:
> +        d0:be:99:1c:be:fc:97:e9:2d:73:e1:b3:2b:a6:b9:3a:41:33:
> +        f3:83:3d:64:1b:64:95:bf:ae:cd:20:df:18:e0:62:8d:fa:9c:
> +        f7:d8:a9:3c:25:2b:8e:cf:10:e5:29:b9:af:1a:7f:62:64:75:
> +        e7:c6:fd:9b:6d:71:c0:a9:b3:0f:9a:b7:7a:fe:53:04:18:cd:
> +        04:06:d9:bf:01:0e:cc:04:84:84:51:a3:e9:06:2a:a3:25:73:
> +        4e:8d:62:19:13:25:5b:de:0b:dc:d0:69:01:ca:41:0a:96:13:
> +        cf:6a:11:fe:2b:9a:3f:fd:56:3d:73:3d:58:49:c2:71:83:20:
> +        23:6d:46:99:6e:37:91:9f:76:2a:9c:b0:69:3f:64:9f:05:bb:
> +        38:c8:1e:ca:d8:6c:fd:56:3e:a6:85:a2:53:80:c6:42:b6:79:
> +        c6:43:0b:e0:6c:ea:9f:cf:b0:2a:2c:01:50:c3:d8:0f:a0:7e:
> +        a1:73:a8:5c:84:27:5b:c9:4b:5a:13:e9:69:25:1c:59:11:d2:
> +        01:dc:da:e7:c8:44:34:a2:e4:99:25:b4:c3:23:b5:f8:2d:48:
> +        e5:8d:06:73
> +-----BEGIN CERTIFICATE-----
> +MIIDhjCCAm6gAwIBAgIBAjANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
> +TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
> +BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0NDUwNFoX
> +DTE0MTIyMjA0NDUwNFowSzEOMAwGA1UEChMFSUNBTk4xGDAWBgNVBAMTD0lDQU5O
> +IEROU1NFQyBDQTEfMB0GCSqGSIb3DQEJARMQZG5zc2VjQGljYW5uLm9yZzCCASIw
> +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMC/4rTuEkY2O3zSRiFkWpPh4wIQ
> +JbulMHAZiZh+ntuOD6zISGYOGviB5S08ezk5diiP7gqn3WTpX4clsWTlWQP8vCk7
> +YzfI10aats6HVc3P4qvpx4pTLiWHsJjWIKOo7IewOaPExXVZPPuRA/ruf+krtnCI
> +aSzm8U/80Ee06aAs+gzDhOu+c1q8Fu3QgwIt62ohAlFwKR5PyWkDn5EyXCwan15F
> +SCpQ7nIU7Bcp/CCVfSJqxm+DoliOsWTIcyNUbGkdZh/f+E8koaiuAH/piUGm44gd
> +OuGzOu8pRTKblC63bB7+MUAT4b1SZ9DYwz4DhEhynb2KSKDycjW2A0vG6QUCAwEA
> +AaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAf4wHwYDVR0jBBgw
> +FoAUulLpSYMkhlIvx5nN/I1raQhNwFAwHQYDVR0OBBYEFI+yQmnDneQ8+hO5//LA
> +pO/YD+giMA0GCSqGSIb3DQEBCwUAA4IBAQBKeKJHfj8uTXhoqwZc/9oBBEWSICCI
> +89xOcAGby/MTYTQECRXQvpkcvvyX6S1z4bMrprk6QTPzgz1kG2SVv67NIN8Y4GKN
> ++pz32Kk8JSuOzxDlKbmvGn9iZHXnxv2bbXHAqbMPmrd6/lMEGM0EBtm/AQ7MBISE
> +UaPpBiqjJXNOjWIZEyVb3gvc0GkBykEKlhPPahH+K5o//VY9cz1YScJxgyAjbUaZ
> +bjeRn3YqnLBpP2SfBbs4yB7K2Gz9Vj6mhaJTgMZCtnnGQwvgbOqfz7AqLAFQw9gP
> +oH6hc6hchCdbyUtaE+lpJRxZEdIB3NrnyEQ0ouSZJbTDI7X4LUjljQZz
> +-----END CERTIFICATE-----
> +Certificate:
> +    Data:
> +        Version: 3 (0x2)
> +        Serial Number: 6 (0x6)
> +        Signature Algorithm: sha256WithRSAEncryption
> +        Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN
> Root CA, C=US
> +        Validity
> +            Not Before: Dec 23 05:21:16 2009 GMT
> +            Not After : Dec 22 05:21:16 2014 GMT
> +        Subject: O=ICANN, CN=ICANN EMAIL CA
> +        Subject Public Key Info:
> +            Public Key Algorithm: rsaEncryption
> +            RSA Public Key: (2048 bit)
> +                Modulus (2048 bit):
> +                    00:d2:19:1e:22:69:33:f6:a4:d2:76:c5:80:11:75:
> +                    8e:d0:e8:6f:bf:89:f8:2a:6a:da:8a:85:28:40:ba:
> +                    c5:23:5f:47:ed:72:e2:8e:d3:5c:c8:8a:3a:99:a9:
> +                    57:2c:0a:2b:22:f3:54:7b:8b:f7:8c:21:a2:50:01:
> +                    4f:8b:af:34:df:72:fc:78:31:d0:1d:eb:bc:9b:e6:
> +                    fa:c1:84:d0:05:07:8a:74:53:a5:60:9e:eb:75:9e:
> +                    a8:5d:32:c8:02:32:e4:bf:cb:97:9b:7a:fa:2c:f6:
> +                    6a:1d:b8:57:ad:e3:03:22:93:d0:f4:4f:a8:b8:01:
> +                    db:82:33:98:b6:87:ed:3d:67:40:00:27:2e:d5:95:
> +                    d2:ad:36:46:14:c6:17:79:65:7f:65:f3:88:80:65:
> +                    7c:22:67:08:23:3c:cf:a5:10:38:72:30:97:92:6f:
> +                    20:4a:ba:24:4c:4a:c8:4a:a5:dc:2a:44:a1:29:78:
> +                    b4:9f:fe:84:ff:27:5b:3a:72:ea:31:c1:ad:06:22:
> +                    d6:44:a0:4a:57:32:9c:f2:46:47:d0:89:6e:20:23:
> +                    2c:ea:b0:83:7e:c1:f3:ea:da:dd:e3:63:59:97:21:
> +                    fa:1b:11:39:27:cf:82:8b:56:15:d4:36:92:0c:a5:
> +                    7e:80:e0:18:c9:50:08:42:0a:df:97:3c:9c:b8:0a:
> +                    4d:b1
> +                Exponent: 65537 (0x10001)
> +        X509v3 extensions:
> +            X509v3 Basic Constraints: critical
> +                CA:TRUE
> +            X509v3 Key Usage: critical
> +                Digital Signature, Non Repudiation, Key
> Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL
> Sign
> +            X509v3 Authority Key Identifier: 
> +               
>  keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
> +
> +            X509v3 Subject Key Identifier: 
> +               
>  7B:3F:BA:CE:A1:B3:A6:13:2E:5A:82:84:D4:D2:EA:A5:24:F1:CD:B4
> +    Signature Algorithm: sha256WithRSAEncryption
> +        50:07:a5:61:39:e4:3b:e3:bc:1c:b4:a7:b2:ab:a1:fb:47:bf:
> +        b4:1c:32:ac:3c:46:b0:02:26:2f:16:3e:89:70:e2:87:e9:76:
> +        99:61:0b:91:c5:48:7a:e5:aa:24:0b:39:e0:4f:26:03:d4:5b:
> +        01:8a:4d:b6:98:cc:16:fa:e2:12:4a:88:b9:53:bb:50:2d:c7:
> +        37:b8:a3:82:2d:52:05:3e:46:a7:db:97:82:73:8d:7d:ed:dd:
> +        9e:37:73:68:6b:90:cd:62:d8:77:ff:32:53:bb:d3:a1:b9:cb:
> +        7d:32:29:70:fb:2e:90:4b:27:12:6d:99:a5:e6:d4:ef:13:32:
> +        c1:2f:b5:ae:6e:11:0e:50:56:a4:56:5b:76:b0:c0:99:2e:5a:
> +        94:17:ee:2b:c1:b6:9c:8b:68:ac:55:95:31:8c:66:2b:35:43:
> +        a5:13:04:1b:50:44:1c:55:7f:4c:d0:1a:50:80:53:45:a8:e3:
> +        d3:a8:74:ad:7d:6a:d6:e9:9a:d3:25:7d:83:e2:57:64:1a:94:
> +        7e:bc:cb:ef:79:b5:54:6a:f1:b0:c3:81:26:90:e5:40:87:ed:
> +        75:7d:83:63:5b:ab:45:c0:34:04:27:e8:d8:12:26:7c:5e:c0:
> +        48:b6:33:7d:4b:db:23:8a:f7:13:24:bc:be:7b:74:cb:c4:ed:
> +        ed:42:eb:2f
> +-----BEGIN CERTIFICATE-----
> +MIIDZDCCAkygAwIBAgIBBjANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
> +TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
> +BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA1MjExNloX
> +DTE0MTIyMjA1MjExNlowKTEOMAwGA1UEChMFSUNBTk4xFzAVBgNVBAMTDklDQU5O
> +IEVNQUlMIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0hkeImkz
> +9qTSdsWAEXWO0Ohvv4n4KmraioUoQLrFI19H7XLijtNcyIo6malXLAorIvNUe4v3
> +jCGiUAFPi68033L8eDHQHeu8m+b6wYTQBQeKdFOlYJ7rdZ6oXTLIAjLkv8uXm3r6
> +LPZqHbhXreMDIpPQ9E+ouAHbgjOYtoftPWdAACcu1ZXSrTZGFMYXeWV/ZfOIgGV8
> +ImcIIzzPpRA4cjCXkm8gSrokTErISqXcKkShKXi0n/6E/ydbOnLqMcGtBiLWRKBK
> +VzKc8kZH0IluICMs6rCDfsHz6trd42NZlyH6GxE5J8+Ci1YV1DaSDKV+gOAYyVAI
> +QgrflzycuApNsQIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE
> +AwIB/jAfBgNVHSMEGDAWgBS6UulJgySGUi/Hmc38jWtpCE3AUDAdBgNVHQ4EFgQU
> +ez+6zqGzphMuWoKE1NLqpSTxzbQwDQYJKoZIhvcNAQELBQADggEBAFAHpWE55Dvj
> +vBy0p7KroftHv7QcMqw8RrACJi8WPolw4ofpdplhC5HFSHrlqiQLOeBPJgPUWwGK
> +TbaYzBb64hJKiLlTu1Atxze4o4ItUgU+Rqfbl4JzjX3t3Z43c2hrkM1i2Hf/MlO7
> +06G5y30yKXD7LpBLJxJtmaXm1O8TMsEvta5uEQ5QVqRWW3awwJkuWpQX7ivBtpyL
> +aKxVlTGMZis1Q6UTBBtQRBxVf0zQGlCAU0Wo49OodK19atbpmtMlfYPiV2QalH68
> +y+95tVRq8bDDgSaQ5UCH7XV9g2Nbq0XANAQn6NgSJnxewEi2M31L2yOK9xMkvL57
> +dMvE7e1C6y8=
> +-----END CERTIFICATE-----
> +Certificate:
> +    Data:
> +        Version: 3 (0x2)
> +        Serial Number: 3 (0x3)
> +        Signature Algorithm: sha256WithRSAEncryption
> +        Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN
> Root CA, C=US
> +        Validity
> +            Not Before: Dec 23 05:07:29 2009 GMT
> +            Not After : Dec 22 05:07:29 2014 GMT
> +        Subject: O=ICANN, CN=ICANN SSL CA
> +        Subject Public Key Info:
> +            Public Key Algorithm: rsaEncryption
> +            RSA Public Key: (2048 bit)
> +                Modulus (2048 bit):
> +                    00:dd:c6:ab:bf:7c:66:9d:b3:2b:96:00:14:c7:60:
> +                    7a:8d:62:5b:26:4b:30:d7:b3:4c:82:69:c6:4d:4d:
> +                    73:f3:d4:91:21:5d:ab:35:f0:c8:04:0e:f4:a3:35:
> +                    e2:e1:18:a9:98:12:03:58:f8:9f:eb:77:54:5b:89:
> +                    81:26:c9:aa:c2:f4:c9:0c:82:57:2a:5e:05:e9:61:
> +                    17:cc:19:18:71:eb:35:83:c1:86:9d:ec:f1:6b:ca:
> +                    dd:a1:96:0b:95:d4:e1:0f:9e:24:6f:dc:3c:d0:28:
> +                    9e:f2:53:47:2b:a1:ad:32:03:c8:3f:0d:80:80:7d:
> +                    f0:02:d2:6e:5a:2c:44:21:9b:09:50:15:3f:a1:3d:
> +                    d3:c9:c8:24:e7:ea:4e:92:2f:94:90:2e:de:e7:68:
> +                    f6:c6:b3:90:1f:bc:c9:7b:a2:65:d7:11:e9:8b:f0:
> +                    3a:5a:b7:17:07:df:69:e3:6e:b9:54:6a:8e:3a:aa:
> +                    94:7f:2c:0a:a1:ad:ba:b7:d9:60:62:27:a7:71:40:
> +                    3b:8e:b0:84:7b:b8:c8:67:ef:66:ba:3d:ac:c3:85:
> +                    e5:86:bb:a7:9c:fd:b6:e1:c0:10:53:3d:d4:7e:1b:
> +                    09:e6:9f:22:5c:a7:27:09:7e:27:12:33:fa:df:9b:
> +                    20:2f:14:f7:17:c0:e4:1e:07:91:1f:f9:9a:cd:a8:
> +                    e2:c5
> +                Exponent: 65537 (0x10001)
> +        X509v3 extensions:
> +            X509v3 Basic Constraints: critical
> +                CA:TRUE
> +            X509v3 Key Usage: critical
> +                Digital Signature, Non Repudiation, Key
> Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL
> Sign
> +            X509v3 Authority Key Identifier: 
> +               
>  keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
> +
> +            X509v3 Subject Key Identifier: 
> +               
>  6E:77:A8:40:10:4A:D8:9C:0C:F2:B7:5A:3A:A5:2F:79:4A:61:14:D8
> +    Signature Algorithm: sha256WithRSAEncryption
> +        18:42:62:df:aa:8e:44:e6:87:10:4d:d9:a6:b2:c3:97:37:43:
> +        2e:ce:f3:e0:3c:c2:2f:e1:78:60:41:a9:2b:5d:f4:24:f5:f6:
> +        57:a2:08:ec:9c:89:e5:54:50:a8:30:c6:20:e5:8a:c7:8b:bd:
> +        fd:98:b6:0c:7d:1a:1f:01:a1:4a:4e:ec:0d:2a:aa:9f:fd:a9:
> +        20:0d:b3:5c:0f:36:c0:2c:2b:c6:75:22:29:66:a3:34:bd:93:
> +        3d:f6:28:da:90:d5:7e:91:df:d3:06:f6:69:8b:80:9b:a5:34:
> +        af:6a:02:5b:e4:52:7d:56:4d:99:6e:fe:e9:d0:36:99:58:d9:
> +        af:cd:79:9b:e5:d2:4c:35:90:d3:e0:68:b2:88:2b:18:39:2e:
> +        bc:0b:d9:82:84:7f:24:12:92:d2:b9:13:4f:64:bc:46:e1:5c:
> +        6a:ed:f7:b0:d4:66:27:25:21:86:b4:3a:5e:19:a3:c7:8b:4b:
> +        93:b9:2e:37:e2:6d:8b:46:ee:68:39:21:75:e8:fe:2a:a7:85:
> +        fd:68:26:96:bd:dd:f9:f1:fe:99:5f:b4:a4:97:1b:50:18:fa:
> +        21:90:54:0c:8b:30:28:94:70:19:34:9e:5c:e1:e5:48:93:af:
> +        aa:a3:b4:95:b2:f5:4c:97:50:44:58:97:e1:ff:e7:b2:10:dd:
> +        2c:fe:c0:ed
> +-----BEGIN CERTIFICATE-----
> +MIIDYjCCAkqgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
> +TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
> +BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA1MDcyOVoX
> +DTE0MTIyMjA1MDcyOVowJzEOMAwGA1UEChMFSUNBTk4xFTATBgNVBAMTDElDQU5O
> +IFNTTCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN3Gq798Zp2z
> +K5YAFMdgeo1iWyZLMNezTIJpxk1Nc/PUkSFdqzXwyAQO9KM14uEYqZgSA1j4n+t3
> +VFuJgSbJqsL0yQyCVypeBelhF8wZGHHrNYPBhp3s8WvK3aGWC5XU4Q+eJG/cPNAo
> +nvJTRyuhrTIDyD8NgIB98ALSblosRCGbCVAVP6E908nIJOfqTpIvlJAu3udo9saz
> +kB+8yXuiZdcR6YvwOlq3FwffaeNuuVRqjjqqlH8sCqGturfZYGInp3FAO46whHu4
> +yGfvZro9rMOF5Ya7p5z9tuHAEFM91H4bCeafIlynJwl+JxIz+t+bIC8U9xfA5B4H
> +kR/5ms2o4sUCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
> +Af4wHwYDVR0jBBgwFoAUulLpSYMkhlIvx5nN/I1raQhNwFAwHQYDVR0OBBYEFG53
> +qEAQSticDPK3WjqlL3lKYRTYMA0GCSqGSIb3DQEBCwUAA4IBAQAYQmLfqo5E5ocQ
> +TdmmssOXN0MuzvPgPMIv4XhgQakrXfQk9fZXogjsnInlVFCoMMYg5YrHi739mLYM
> +fRofAaFKTuwNKqqf/akgDbNcDzbALCvGdSIpZqM0vZM99ijakNV+kd/TBvZpi4Cb
> +pTSvagJb5FJ9Vk2Zbv7p0DaZWNmvzXmb5dJMNZDT4GiyiCsYOS68C9mChH8kEpLS
> +uRNPZLxG4Vxq7few1GYnJSGGtDpeGaPHi0uTuS434m2LRu5oOSF16P4qp4X9aCaW
> +vd358f6ZX7SklxtQGPohkFQMizAolHAZNJ5c4eVIk6+qo7SVsvVMl1BEWJfh/+ey
> +EN0s/sDt
> +-----END CERTIFICATE-----
> diff --git a/unbound/root.anchor b/unbound/root.anchor
> new file mode 100644
> index 0000000..18367f8
> --- /dev/null
> +++ b/unbound/root.anchor
> @@ -0,0 +1 @@
> +.	98799	IN	DNSKEY	257 3 8
> AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLj
> wBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnM
> VDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEhe
> X7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57
> relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ih
> z0= ;{id = 19036 (ksk), size = 2048b}
> diff --git a/unbound/root.key b/unbound/root.key
> new file mode 100644
> index 0000000..e340ed0
> --- /dev/null
> +++ b/unbound/root.key
> @@ -0,0 +1,6 @@
> +; // The root key in bind format. This can be read by most tools,
> including
> +; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to
> load this
> +trusted-keys {
> +"." 257 3 8
> "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fL
> jwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9Vn
> MVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEh
> eX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ5
> 7relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1i
> hz0="; // key id = 19036
> +
> +};
> diff --git a/unbound/systemd/unbound-anchor.service
> b/unbound/systemd/unbound-anchor.service
> new file mode 100644
> index 0000000..26656b3
> --- /dev/null
> +++ b/unbound/systemd/unbound-anchor.service
> @@ -0,0 +1,9 @@
> +[Unit]
> +Description=update of the root trust anchor for DNSSEC validation in
> unbound
> +Documentation=man:unbound-anchor(8)
> +
> +[Service]
> +Type=oneshot
> +User=unbound
> +ExecStart=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c
> /etc/unbound/icannbundle.pem
> +SuccessExitStatus=1
> diff --git a/unbound/systemd/unbound-anchor.timer
> b/unbound/systemd/unbound-anchor.timer
> new file mode 100644
> index 0000000..a87bf5c
> --- /dev/null
> +++ b/unbound/systemd/unbound-anchor.timer
> @@ -0,0 +1,14 @@
> +[Unit]
> +Description=daily update of the root trust anchor for DNSSEC
> +Documentation=man:unbound-anchor(8)
> +
> +[Timer]
> +# Current DNSKEY TTL in root zone is 172800 seconds, i.e.
> 172800/60/60/24 = 2 days.
> +# It means that unboud-anchor should be run at least once a day.
> +OnCalendar=daily
> +Persistent=true
> +AccuracySec=24h
> +
> +[Install]
> +WantedBy=timers.target
> +
> diff --git a/unbound/systemd/unbound-keygen.service
> b/unbound/systemd/unbound-keygen.service
> new file mode 100644
> index 0000000..576408a
> --- /dev/null
> +++ b/unbound/systemd/unbound-keygen.service
> @@ -0,0 +1,14 @@
> +[Unit]
> +Description=Unbound Control Key And Certificate Generator
> +After=syslog.target 
> +Before=unbound.service
> +ConditionPathExists=!/etc/unbound/unbound_control.key
> +
> +[Service]
> +Type=oneshot
> +Group=unbound
> +ExecStart=/usr/sbin/unbound-control-setup -d /etc/unbound/
> +RemainAfterExit=yes
> +
> +[Install]
> +WantedBy=multi-user.target
> diff --git a/unbound/systemd/unbound.service
> b/unbound/systemd/unbound.service
> new file mode 100644
> index 0000000..d225389
> --- /dev/null
> +++ b/unbound/systemd/unbound.service
> @@ -0,0 +1,18 @@
> +[Unit]
> +Description=Unbound recursive Domain Name Server
> +After=network.target
> +After=unbound-keygen.service
> +Wants=unbound-keygen.service
> +Wants=unbound-anchor.timer
> +Before=nss-lookup.target
> +Wants=nss-lookup.target
> +
> +[Service]
> +Type=simple
> +ExecStartPre=/usr/sbin/unbound-checkconf
> +ExecStartPre=-/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key 
> -c /etc/unbound/icannbundle.pem
> +ExecStart=/usr/sbin/unbound -d
> +ExecReload=/usr/sbin/unbound-control reload
> +
> +[Install]
> +WantedBy=multi-user.target
> diff --git a/unbound/unbound.conf b/unbound/unbound.conf
> new file mode 100644
> index 0000000..4a97148
> --- /dev/null
> +++ b/unbound/unbound.conf
> @@ -0,0 +1,655 @@
> +#
> +# See unbound.conf(5) man page.
> +#
> +# this is a comment.
> +
> +#Use this to include other text into the file.
> +#include: "otherfile.conf"
> +
> +# The server clause sets the main parameters.
> +server:
> +	# whitespace is not necessary, but looks cleaner.
> +
> +	# verbosity number, 0 is least verbose. 1 is default.
> +	verbosity: 1
> +
> +	# print statistics to the log (for every thread) every N
> seconds.
> +	# Set to "" or 0 to disable. Default is disabled.
> +	# Needed for munin plugin
> +	statistics-interval: 0
> +
> +	# enable cumulative statistics, without clearing them after
> printing.
> +	# Needed for munin plugin
> +	statistics-cumulative: yes
> +
> +	# enable extended statistics (query types, answer codes,
> status)
> +	# printed from unbound-control. default off, because of
> speed.
> +	# Needed for munin plugin
> +	extended-statistics: yes
> +
> +	# number of threads to create. 1 disables threading.
> +	num-threads: 2
> +
> +	# specify the interfaces to answer queries from by ip
> -address.
> +	# The default is to listen to localhost (127.0.0.1 and ::1).
> +	# specify 0.0.0.0 and ::0 to bind to all available
> interfaces.
> +	# specify every interface on a new 'interface:' labelled
> line.
> +	# The listen interfaces are not changed on reload, only on
> restart.
> +	# interface: 0.0.0.0
> +	# interface: ::0
> +	# interface: 192.0.2.153
> +	# interface: 192.0.2.154
> +	# interface: 2001:DB8::5
> +	#
> +	# for dns over tls and raw dns over port 80
> +	# interface: 0.0.0.0@443
> +	# interface: ::0@443
> +	# interface: 0.0.0.0@80
> +	# interface: ::0@80
> +
> +	# enable this feature to copy the source address of queries
> to reply.
> +	# Socket options are not supported on all platforms.
> experimental.
> +	# interface-automatic: yes
> +	#
> +	# NOTE: Enable this option when specifying interface 0.0.0.0
> or ::0
> +	# NOTE: Disabled per Fedora policy not to listen to * on
> default install
> +	# NOTE: If deploying on non-default port, eg 80/443, this
> needs to be disabled
> +	interface-automatic: no
> +
> +	# port to answer queries from
> +	# port: 53
> +
> +	# specify the interfaces to send outgoing queries to
> authoritative
> +	# server from by ip-address. If none, the default (all)
> interface
> +	# is used. Specify every interface on a 'outgoing
> -interface:' line.
> +	# outgoing-interface: 192.0.2.153
> +	# outgoing-interface: 2001:DB8::5
> +	# outgoing-interface: 2001:DB8::6
> +
> +	# number of ports to allocate per thread, determines the
> size of the
> +	# port range that can be open simultaneously.  About double
> the
> +	# num-queries-per-thread, or, use as many as the OS will
> allow you.
> +	# outgoing-range: 4096
> +
> +	# permit unbound to use this port number or port range for
> +	# making outgoing queries, using an outgoing interface.
> +	# Only ephemeral ports are allowed by SElinux
> +	outgoing-port-permit: 32768-65535
> +
> +	# deny unbound the use this of port number or port range for
> +	# making outgoing queries, using an outgoing interface.
> +	# Use this to make sure unbound does not grab a UDP port
> that some
> +	# other server on this computer needs. The default is to
> avoid
> +	# IANA-assigned port numbers.
> +	# Our SElinux policy does not allow non-ephemeral ports to
> be used
> +	outgoing-port-avoid: 0-32767
> +
> +	# number of outgoing simultaneous tcp buffers to hold per
> thread.
> +	# outgoing-num-tcp: 10
> +
> +	# number of incoming simultaneous tcp buffers to hold per
> thread.
> +	# incoming-num-tcp: 10
> +
> +	# buffer size for UDP port 53 incoming (SO_RCVBUF socket
> option).
> +	# 0 is system default.  Use 4m to catch query spikes for
> busy servers.
> +	# so-rcvbuf: 0
> +
> +	# buffer size for UDP port 53 outgoing (SO_SNDBUF socket
> option).
> +	# 0 is system default.  Use 4m to handle spikes on very busy
> servers.
> +	# so-sndbuf: 0
> +
> +	# use SO_REUSEPORT to distribute queries over threads.
> +	# so-reuseport: no
> +
> +	# EDNS reassembly buffer to advertise to UDP peers (the
> actual buffer
> +	# is set with msg-buffer-size). 1480 can solve fragmentation
> (timeouts).
> +	# edns-buffer-size: 4096
> +
> +	# Maximum UDP response size (not applied to TCP response).
> +	# Suggested values are 512 to 4096. Default is 4096. 65536
> disables it.
> +	# 3072 causes +dnssec any isc.org queries to need TC=1.
> Helps mitigating DDOS
> +	max-udp-size: 3072
> +
> +	# buffer size for handling DNS data. No messages larger than
> this
> +	# size can be sent or received, by UDP or TCP. In bytes.
> +	# msg-buffer-size: 65552
> +
> +	# the amount of memory to use for the message cache.
> +	# plain value in bytes or you can append k, m or G. default
> is "4Mb".
> +	# msg-cache-size: 4m
> +
> +	# the number of slabs to use for the message cache.
> +	# the number of slabs must be a power of 2.
> +	# more slabs reduce lock contention, but fragment memory
> usage.
> +	# msg-cache-slabs: 4
> +
> +	# the number of queries that a thread gets to service.
> +	# num-queries-per-thread: 1024
> +
> +	# if very busy, 50% queries run to completion, 50% get
> timeout in msec
> +	# jostle-timeout: 200
> +
> +	# msec to wait before close of port on timeout UDP. 0
> disables.
> +	# delay-close: 0
> +
> +	# the amount of memory to use for the RRset cache.
> +	# plain value in bytes or you can append k, m or G. default
> is "4Mb".
> +	# rrset-cache-size: 4m
> +
> +	# the number of slabs to use for the RRset cache.
> +	# the number of slabs must be a power of 2.
> +	# more slabs reduce lock contention, but fragment memory
> usage.
> +	# rrset-cache-slabs: 4
> +
> +	# the time to live (TTL) value lower bound, in seconds.
> Default 0.
> +	# If more than an hour could easily give trouble due to
> stale data.
> +	# cache-min-ttl: 0
> +
> +	# the time to live (TTL) value cap for RRsets and messages
> in the
> +	# cache. Items are not cached for longer. In seconds.
> +	# cache-max-ttl: 86400
> +
> +	# the time to live (TTL) value cap for negative responses in
> the cache
> +	# cache-max-negative-ttl: 3600
> +
> +	# the time to live (TTL) value for cached roundtrip times,
> lameness and
> +	# EDNS version information for hosts. In seconds.
> +	# infra-host-ttl: 900
> +
> +	# minimum wait time for responses, increase if uplink is
> long. In msec.
> +	# infra-cache-min-rtt: 50
> +
> +	# the number of slabs to use for the Infrastructure cache.
> +	# the number of slabs must be a power of 2.
> +	# more slabs reduce lock contention, but fragment memory
> usage.
> +	# infra-cache-slabs: 4
> +
> +	# the maximum number of hosts that are cached (roundtrip,
> EDNS, lame).
> +	# infra-cache-numhosts: 10000
> +
> +	# Enable IPv4, "yes" or "no".
> +	# do-ip4: yes
> +
> +	# Enable IPv6, "yes" or "no".
> +	# do-ip6: yes
> +
> +	# Enable UDP, "yes" or "no".
> +	# NOTE: if setting up an unbound on tls443 for public use,
> you might want to
> +	# disable UDP to avoid being used in DNS amplification
> attacks.
> +	# do-udp: yes
> +
> +	# Enable TCP, "yes" or "no".
> +	# do-tcp: yes
> +
> +	# upstream connections use TCP only (and no UDP), "yes" or
> "no"
> +	# useful for tunneling scenarios, default no.
> +	# tcp-upstream: no
> +
> +	# Detach from the terminal, run in background, "yes" or
> "no".
> +	# do-daemonize: yes
> +
> +	# control which clients are allowed to make (recursive)
> queries
> +	# to this server. Specify classless netblocks with /size and
> action.
> +	# By default everything is refused, except for localhost.
> +	# Choose deny (drop message), refuse (polite error reply),
> +	# allow (recursive ok), allow_snoop (recursive and
> nonrecursive ok)
> +	# deny_non_local (drop queries unless can be answered from
> local-data)
> +	# refuse_non_local (like deny_non_local but polite error
> reply).
> +	# access-control: 0.0.0.0/0 refuse
> +	# access-control: 127.0.0.0/8 allow
> +	# access-control: ::0/0 refuse
> +	# access-control: ::1 allow
> +	# access-control: ::ffff:127.0.0.1 allow
> +
> +	# if given, a chroot(2) is done to the given directory.
> +	# i.e. you can chroot to the working directory, for example,
> +	# for extra security, but make sure all files are in that
> directory.
> +	#
> +	# If chroot is enabled, you should pass the configfile (from
> the
> +	# commandline) as a full path from the original root. After
> the
> +	# chroot has been performed the now defunct portion of the
> config
> +	# file path is removed to be able to reread the config after
> a reload.
> +	#
> +	# All other file paths (working dir, logfile, roothints, and
> +	# key files) can be specified in several ways:
> +	# 	o as an absolute path relative to the new root.
> +	# 	o as a relative path to the working directory.
> +	# 	o as an absolute path relative to the original
> root.
> +	# In the last case the path is adjusted to remove the unused
> portion.
> +	#
> +	# The pid file can be absolute and outside of the chroot, it
> is
> +	# written just prior to performing the chroot and dropping
> permissions.
> +	#
> +	# Additionally, unbound may need to access /dev/random (for
> entropy).
> +	# How to do this is specific to your OS.
> +	#
> +	# If you give "" no chroot is performed. The path must not
> end in a /.
> +	# chroot: "/var/lib/unbound"
> +	chroot: ""
> +
> +	# if given, user privileges are dropped (after binding
> port),
> +	# and the given username is assumed. Default is user
> "unbound".
> +	# If you give "" no privileges are dropped.
> +	username: "unbound"
> +
> +	# the working directory. The relative files in this config
> are
> +	# relative to this directory. If you give "" the working
> directory
> +	# is not changed.
> +	directory: "/etc/unbound"
> +
> +	# the log file, "" means log to stderr.
> +	# Use of this option sets use-syslog to "no".
> +	# logfile: ""
> +
> +	# Log to syslog(3) if yes. The log facility LOG_DAEMON is
> used to
> +	# log to, with identity "unbound". If yes, it overrides the
> logfile.
> +	# use-syslog: yes
> +
> +	# print UTC timestamp in ascii to logfile, default is epoch
> in seconds.
> +	log-time-ascii: yes
> +
> +	# print one line with time, IP, name, type, class for every
> query.
> +	# log-queries: no
> +
> +	# the pid file. Can be an absolute path outside of
> chroot/work dir.
> +	pidfile: "/var/run/unbound/unbound.pid"
> +
> +	# file to read root hints from.
> +	# get one from ftp://FTP.INTERNIC.NET/domain/named.cache
> +	# root-hints: ""
> +
> +	# enable to not answer id.server and hostname.bind queries.
> +	# hide-identity: no
> +
> +	# enable to not answer version.server and version.bind
> queries.
> +	# hide-version: no
> +
> +	# the identity to report. Leave "" or default to return
> hostname.
> +	# identity: ""
> +
> +	# the version to report. Leave "" or default to return
> package version.
> +	# version: ""
> +
> +	# the target fetch policy.
> +	# series of integers describing the policy per dependency
> depth.
> +	# The number of values in the list determines the maximum
> dependency
> +	# depth the recursor will pursue before giving up. Each
> integer means:
> +	# 	-1 : fetch all targets opportunistically,
> +	# 	0: fetch on demand,
> +	#	positive value: fetch that many targets
> opportunistically.
> +	# Enclose the list of numbers between quotes ("").
> +	# target-fetch-policy: "3 2 1 0 0"
> +
> +	# Harden against very small EDNS buffer sizes.
> +	# harden-short-bufsize: no
> +
> +	# Harden against unseemly large queries.
> +	# harden-large-queries: no
> +
> +	# Harden against out of zone rrsets, to avoid spoofing
> attempts.
> +	harden-glue: yes
> +
> +	# Harden against receiving dnssec-stripped data. If you turn
> it
> +	# off, failing to validate dnskey data for a trustanchor
> will
> +	# trigger insecure mode for that zone (like without a
> trustanchor).
> +	# Default on, which insists on dnssec data for trust
> -anchored zones.
> +	harden-dnssec-stripped: yes
> +
> +	# Harden against queries that fall under dnssec-signed
> nxdomain names.
> +	harden-below-nxdomain: yes
> +
> +	# Harden the referral path by performing additional queries
> for
> +	# infrastructure data.  Validates the replies (if possible).
> +	# Default off, because the lookups burden the server. 
>  Experimental
> +	# implementation of draft-wijngaards-dnsext-resolver-side
> -mitigation.
> +	harden-referral-path: yes
> +
> +	# Use 0x20-encoded random bits in the query to foil spoof
> attempts.
> +	# This feature is an experimental implementation of draft
> dns-0x20.
> +	# (this now fails on all GoDaddy customer domains, so
> disabled)
> +	use-caps-for-id: no
> +
> +	# Enforce privacy of these addresses. Strips them away from
> answers.
> +	# It may cause DNSSEC validation to additionally mark it as
> bogus.
> +	# Protects against 'DNS Rebinding' (uses browser as network
> proxy).
> +	# Only 'private-domain' and 'local-data' names are allowed
> to have
> +	# these private addresses. No default.
> +	# private-address: 10.0.0.0/8
> +	# private-address: 172.16.0.0/12
> +	# private-address: 192.168.0.0/16
> +	# private-address: 169.254.0.0/16
> +	# private-address: fd00::/8
> +	# private-address: fe80::/10
> +
> +	# Allow the domain (and its subdomains) to contain private
> addresses.
> +	# local-data statements are allowed to contain private
> addresses too.
> +	# private-domain: "example.com"
> +
> +	# If nonzero, unwanted replies are not only reported in
> statistics,
> +	# but also a running total is kept per thread. If it reaches
> the
> +	# threshold, a warning is printed and a defensive action is
> taken,
> +	# the cache is cleared to flush potential poison out of it.
> +	# A suggested value is 10000000, the default is 0 (turned
> off).
> +	unwanted-reply-threshold: 10000000
> +
> +	# Do not query the following addresses. No DNS queries are
> sent there.
> +	# List one address per entry. List classless netblocks with
> /size,
> +	# do-not-query-address: 127.0.0.1/8
> +	# do-not-query-address: ::1
> +
> +	# if yes, the above default do-not-query-address entries are
> present.
> +	# if no, localhost can be queried (for testing and
> debugging).
> +	# do-not-query-localhost: yes
> +
> +	# if yes, perform prefetching of almost expired message
> cache entries.
> +	prefetch: yes
> +
> +	# if yes, perform key lookups adjacent to normal lookups.
> +	prefetch-key: yes
> +
> +	# if yes, Unbound rotates RRSet order in response.
> +	rrset-roundrobin: yes
> +
> +	# if yes, Unbound doesn't insert authority/additional
> sections
> +	# into response messages when those sections are not
> required.
> +	minimal-responses: yes
> +
> +	# module configuration of the server. A string with
> identifiers
> +	# separated by spaces. "iterator" or "validator iterator"
> +	# module-config: "validator iterator"
> +
> +	# File with trusted keys, kept uptodate using RFC5011
> probes,
> +	# initial file like trust-anchor-file, then it stores
> metadata.
> +	# Use several entries, one per domain name, to track
> multiple zones.
> +	#
> +	# If you want to perform DNSSEC validation, run unbound
> -anchor before
> +	# you start unbound (i.e. in the system boot scripts).  And
> enable:
> +	# Please note usage of unbound-anchor root anchor is at your
> own risk
> +	# and under the terms of our LICENSE (see that file in the
> source).
> +	# auto-trust-anchor-file: "/var/lib/unbound/root.key"
> +
> +	# File with DLV trusted keys. Same format as trust-anchor
> -file.
> +	# There can be only one DLV configured, it is trusted from
> root down.
> +	# Downloaded from 
> https://secure.isc.org/ops/dlv/dlv.isc.org.key
> +	#
> +	# ISC's DLV registry is being deprecated in the near future,
> therefore
> +	# it is not used in the default configuration. The use of
> ISC's DLV
> +	# registry is discouraged.
> +	# dlv-anchor-file: "/etc/unbound/dlv.isc.org.key"
> +
> +	# File with trusted keys for validation. Specify more than
> one file
> +	# with several entries, one file per entry.
> +	# Zone file format, with DS and DNSKEY entries.
> +	# trust-anchor-file: ""
> +
> +	# File with trusted keys, kept uptodate using RFC5011
> probes,
> +	# initial file like trust-anchor-file, then it stores
> metadata.
> +	# Use several entries, one per domain name, to track
> multiple zones.
> +	# auto-trust-anchor-file: ""
> +
> +	# Trusted key for validation. DS or DNSKEY. specify the RR
> on a
> +	# single line, surrounded by "". TTL is ignored. class is IN
> default.
> +	# (These examples are from August 2007 and may not be valid
> anymore).
> +	# trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5
> AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N
> Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW
> 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ=="
> +	# trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1
> 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A"
> +
> +	# File with trusted keys for validation. Specify more than
> one file
> +	# with several entries, one file per entry. Like trust
> -anchor-file
> +	# but has a different file format. Format is BIND-9 style
> format,
> +	# the trusted-keys { name flag proto algo "key"; }; clauses
> are read.
> +	# trusted-keys-file: ""
> +	#
> +	# trusted-keys-file: /etc/unbound/rootkey.bind
> +	trusted-keys-file: /etc/unbound/keys.d/*.key
> +	auto-trust-anchor-file: "/var/lib/unbound/root.key"
> +
> +	# Ignore chain of trust. Domain is treated as insecure.
> +	# domain-insecure: "example.com"
> +
> +	# Override the date for validation with a specific fixed
> date.
> +	# Do not set this unless you are debugging signature
> inception
> +	# and expiration. "" or "0" turns the feature off.
> +	# val-override-date: ""
> +
> +	# The time to live for bogus data, rrsets and messages. This
> avoids
> +	# some of the revalidation, until the time interval expires.
> in secs.
> +	# val-bogus-ttl: 60
> +
> +	# The signature inception and expiration dates are allowed
> to be off
> +	# by 10% of the lifetime of the signature from our local
> clock.
> +	# This leeway is capped with a minimum and a maximum.  In
> seconds.
> +	# val-sig-skew-min: 3600
> +	# val-sig-skew-max: 86400
> +
> +	# Should additional section of secure message also be kept
> clean of
> +	# unsecure data. Useful to shield the users of this
> validator from
> +	# potential bogus data in the additional section. All
> unsigned data
> +	# in the additional section is removed from secure messages.
> +	val-clean-additional: yes
> +
> +	# Turn permissive mode on to permit bogus messages. Thus,
> messages
> +	# for which security checks failed will be returned to
> clients,
> +	# instead of SERVFAIL. It still performs the security
> checks, which
> +	# result in interesting log files and possibly the AD bit in
> +	# replies if the message is found secure. The default is
> off.
> +	# NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
> +	val-permissive-mode: no
> +
> +	# Ignore the CD flag in incoming queries and refuse them
> bogus data.
> +	# Enable it if the only clients of unbound are legacy
> servers (w2008)
> +	# that set CD but cannot validate themselves.
> +	# ignore-cd-flag: no
> +
> +	# Have the validator log failed validations for your
> diagnosis.
> +	# 0: off. 1: A line per failed user query. 2: With reason
> and bad IP.
> +	val-log-level: 1
> +
> +	# It is possible to configure NSEC3 maximum iteration counts
> per
> +	# keysize. Keep this table very short, as linear search is
> done.
> +	# A message with an NSEC3 with larger count is marked
> insecure.
> +	# List in ascending order the keysize and count values.
> +	# val-nsec3-keysize-iterations: "1024 150 2048 500 4096
> 2500"
> +
> +	# instruct the auto-trust-anchor-file probing to add anchors
> after ttl.
> +	# add-holddown: 2592000 # 30 days
> +
> +	# instruct the auto-trust-anchor-file probing to del anchors
> after ttl.
> +	# del-holddown: 2592000 # 30 days
> +
> +	# auto-trust-anchor-file probing removes missing anchors
> after ttl.
> +	# If the value 0 is given, missing anchors are not removed.
> +	# keep-missing: 31622400 # 366 days
> +
> +	# the amount of memory to use for the key cache.
> +	# plain value in bytes or you can append k, m or G. default
> is "4Mb".
> +	# key-cache-size: 4m
> +
> +	# the number of slabs to use for the key cache.
> +	# the number of slabs must be a power of 2.
> +	# more slabs reduce lock contention, but fragment memory
> usage.
> +	# key-cache-slabs: 4
> +
> +	# the amount of memory to use for the negative cache (used
> for DLV).
> +	# plain value in bytes or you can append k, m or G. default
> is "1Mb".
> +	# neg-cache-size: 1m
> +
> +	# By default, for a number of zones a small default 'nothing
> here'
> +	# reply is built-in.  Query traffic is thus blocked.  If you
> +	# wish to serve such zone you can unblock them by
> uncommenting one
> +	# of the nodefault statements below.
> +	# You may also have to use domain-insecure: zone to make
> DNSSEC work,
> +	# unless you have your own trust anchors for this zone.
> +	# local-zone: "localhost." nodefault
> +	# local-zone: "127.in-addr.arpa." nodefault
> +	# local-zone:
> "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.
> arpa." nodefault
> +	# local-zone: "10.in-addr.arpa." nodefault
> +	# local-zone: "16.172.in-addr.arpa." nodefault
> +	# local-zone: "17.172.in-addr.arpa." nodefault
> +	# local-zone: "18.172.in-addr.arpa." nodefault
> +	# local-zone: "19.172.in-addr.arpa." nodefault
> +	# local-zone: "20.172.in-addr.arpa." nodefault
> +	# local-zone: "21.172.in-addr.arpa." nodefault
> +	# local-zone: "22.172.in-addr.arpa." nodefault
> +	# local-zone: "23.172.in-addr.arpa." nodefault
> +	# local-zone: "24.172.in-addr.arpa." nodefault
> +	# local-zone: "25.172.in-addr.arpa." nodefault
> +	# local-zone: "26.172.in-addr.arpa." nodefault
> +	# local-zone: "27.172.in-addr.arpa." nodefault
> +	# local-zone: "28.172.in-addr.arpa." nodefault
> +	# local-zone: "29.172.in-addr.arpa." nodefault
> +	# local-zone: "30.172.in-addr.arpa." nodefault
> +	# local-zone: "31.172.in-addr.arpa." nodefault
> +	# local-zone: "168.192.in-addr.arpa." nodefault
> +	# local-zone: "0.in-addr.arpa." nodefault
> +	# local-zone: "254.169.in-addr.arpa." nodefault
> +	# local-zone: "2.0.192.in-addr.arpa." nodefault
> +	# local-zone: "100.51.198.in-addr.arpa." nodefault
> +	# local-zone: "113.0.203.in-addr.arpa." nodefault
> +	# local-zone: "255.255.255.255.in-addr.arpa." nodefault
> +	# local-zone:
> "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.
> arpa." nodefault
> +	# local-zone: "d.f.ip6.arpa." nodefault
> +	# local-zone: "8.e.f.ip6.arpa." nodefault
> +	# local-zone: "9.e.f.ip6.arpa." nodefault
> +	# local-zone: "a.e.f.ip6.arpa." nodefault
> +	# local-zone: "b.e.f.ip6.arpa." nodefault
> +	# local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
> +	# And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
> +
> +	# if unbound is running service for the local host then it
> is useful
> +	# to perform lan-wide lookups to the upstream, and unblock
> the
> +	# long list of local-zones above.  If this unbound is a dns
> server
> +	# for a network of computers, disabled is better and stops
> information
> +	# leakage of local lan information.
> +	# unblock-lan-zones: no
> +
> +	# a number of locally served zones can be configured.
> +	# 	local-zone: <zone> <type>
> +	# 	local-data: "<resource record string>"
> +	# o deny serves local data (if any), else, drops queries. 
> +	# o refuse serves local data (if any), else, replies with
> error.
> +	# o static serves local data, else, nxdomain or nodata
> answer.
> +	# o transparent gives local data, but resolves normally for
> other names
> +	# o redirect serves the zone data for any subdomain in the
> zone.
> +	# o nodefault can be used to normally resolve AS112 zones.
> +	# o typetransparent resolves normally for other types and
> other names
> +	# o inform resolves normally, but logs client IP address
> +	#
> +	# defaults are localhost address, reverse for 127.0.0.1 and
> ::1
> +	# and nxdomain for AS112 zones. If you configure one of
> these zones
> +	# the default content is omitted, or you can omit it with
> 'nodefault'.
> +	#
> +	# If you configure local-data without specifying local-zone,
> by
> +	# default a transparent local-zone is created for the data.
> +	#
> +	# You can add locally served data with
> +	# local-zone: "local." static
> +	# local-data: "mycomputer.local. IN A 192.0.2.51"
> +	# local-data: 'mytext.local TXT "content of text record"'
> +	#
> +	# You can override certain queries with
> +	# local-data: "adserver.example.com A 127.0.0.1"
> +	#
> +	# You can redirect a domain to a fixed address with
> +	# (this makes example.com, www.example.com, etc, all go to
> 192.0.2.3)
> +	# local-zone: "example.com" redirect
> +	# local-data: "example.com A 192.0.2.3"
> +	#
> +	# Shorthand to make PTR records, "IPv4 name" or "IPv6 name".
> +	# You can also add PTR records using local-data directly,
> but then
> +	# you need to do the reverse notation yourself.
> +	# local-data-ptr: "192.0.2.3 www.example.com"
> +
> +	include: /etc/unbound/local.d/*.conf
> +
> +	# service clients over SSL (on the TCP sockets), with plain
> DNS inside
> +	# the SSL stream.  Give the certificate to use and private
> key.
> +	# default is "" (disabled).  requires restart to take
> effect.
> +	# ssl-service-key: "/etc/unbound/unbound_server.key"
> +	# ssl-service-pem: "/etc/unbound/unbound_server.pem"
> +	# ssl-port: 443
> +
> +	# request upstream over SSL (with plain DNS inside the SSL
> stream).
> +	# Default is no.  Can be turned on and off with unbound
> -control.
> +	# ssl-upstream: no
> +
> +	# DNS64 prefix. Must be specified when DNS64 is use.
> +	# Enable dns64 in module-config.  Used to synthesize IPv6
> from IPv4.
> +	# dns64-prefix: 64:ff9b::0/96
> +
> +# Python config section. To enable:
> +# o use --with-pythonmodule to configure before compiling.
> +# o list python in the module-config string (above) to enable.
> +# o and give a python-script to run.
> +python:
> +	# Script file to load
> +	# python-script: "/etc/unbound/ubmodule-tst.py"
> +
> +# Remote control config section.
> +remote-control:
> +	# Enable remote control with unbound-control(8) here.
> +	# set up the keys and certificates with unbound-control
> -setup.
> +	# Note: required for unbound-munin package
> +	control-enable: yes
> +
> +	# Set to no and use an absolute path as control-interface to
> use
> +	# a unix local named pipe for unbound-control.
> +	# control-use-cert: yes
> +
> +	# what interfaces are listened to for remote control.
> +	# give 0.0.0.0 and ::0 to listen to all interfaces.
> +	# control-interface: 127.0.0.1
> +	# control-interface: ::1
> +
> +	# port number for remote control operations.
> +	# control-port: 953
> +
> +	# unbound server key file.
> +	server-key-file: "/etc/unbound/unbound_server.key"
> +
> +	# unbound server certificate file.
> +	server-cert-file: "/etc/unbound/unbound_server.pem"
> +
> +	# unbound-control key file.
> +	control-key-file: "/etc/unbound/unbound_control.key"
> +
> +	# unbound-control certificate file.
> +	control-cert-file: "/etc/unbound/unbound_control.pem"
> +
> +# Stub and Forward zones
> +
> +include: /etc/unbound/conf.d/*.conf
> +
> +# Stub zones.
> +# Create entries like below, to make all queries for 'example.com'
> and
> +# 'example.org' go to the given list of nameservers. list zero or
> more
> +# nameservers by hostname or by ipaddress. If you set stub-prime to
> yes,
> +# the list is treated as priming hints (default is no).
> +# stub-zone:
> +#	name: "example.com"
> +#	stub-addr: 192.0.2.68
> +#	stub-prime: "no"
> +# stub-zone:
> +#	name: "example.org"
> +#	stub-host: ns.example.com.
> +# You can now also dynamically create and delete stub-zone's using
> +# unbound-control stub_add domain.com 1.2.3.4 5.6.7.8
> +# unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8
> +
> +# Forward zones
> +# Create entries like below, to make all queries for 'example.com'
> and
> +# 'example.org' go to the given list of servers. These servers have
> to handle
> +# recursion to other nameservers. List zero or more nameservers by
> hostname
> +# or by ipaddress. Use an entry with name "." to forward all
> queries.
> +# If you enable forward-first, it attempts without the forward if it
> fails.
> +# forward-zone:
> +# 	name: "example.com"
> +# 	forward-addr: 192.0.2.68
> +# 	forward-addr: 192.0.2.73@5355  # forward to port 5355.
> +# 	forward-first: no
> +# forward-zone:
> +# 	name: "example.org"
> +# 	forward-host: fwd.example.com
> +#
> +# You can now also dynamically create and delete forward-zone's
> using
> +# unbound-control forward_add domain.com 1.2.3.4 5.6.7.8
> +# unbound-control forward_remove domain.com 1.2.3.4 5.6.7.8
> diff --git a/unbound/unbound.nm b/unbound/unbound.nm
> new file mode 100644
> index 0000000..c8a0d09
> --- /dev/null
> +++ b/unbound/unbound.nm
> @@ -0,0 +1,162 @@
> +####################################################################
> ###########
> +# IPFire.org    - An Open Source Firewall Solution                  
>           #
> +# Copyright (C) - IPFire Development Team <info@ipfire.org>         
>           #
> +####################################################################
> ###########
> +
> +name       = unbound
> +version    = 1.5.5
> +release    = 1
> +
> +groups     = System/Daemons
> +url        = http://www.nlnetlabs.nl/unbound/
> +license    = BSD
> +summary    = A validating, recursive, and caching DNS(SEC) resolver.
> +
> +description
> +	Unbound is a validating, recursive, and caching DNS(SEC)
> resolver.
> +	The C implementation of Unbound is developed and maintained
> by NLnet
> +	Labs and is based on ideas and algorithms taken from a java
> prototype
> +	developed by Verisign labs, Nominet, Kirei and ep.net.
> Unbound is
> +	designed as a set of modular components, so that also
> +	DNSSEC (secure DNS) validation and stub-resolvers are easily
> possible.
> +end
> +
> +source_dl  = http://www.unbound.net/downloads/
> +
> +build
> +	requires
> +		expat-devel
> +		libevent-devel
> +		openssl-devel >= 1.0.1h-2
> +		python3-devel >= 3.4
> +		swig
> +	end
> +
> +	configure_options += \
> +		--with-conf-file=%{sysconfdir}/%{name}/unbound.conf
> \
> +		--with
> -pidfile=%{localstatedir}/run/%{name}/%{name}.pid \
> +		--with-rootkey
> -file=%{sharedstatedir}/unbound/root.key \
> +		--with-libevent \
> +		--with-pthreads \
> +		--disable-rpath \
> +		--disable-static \
> +		--with-ssl \
> +		--enable-sha2 \
> +		--with-pythonmodule \
> +		--with-pyunbound PYTHON=%{python3}
> +
> +	prepare_cmds
> +		%{create_user}
> +	end
> +
> +	test
> +		make check
> +	end
> +
> +	install_cmds
> +		# Create directories.
> +		mkdir -pv %{BUILDROOT}%{localstatedir}/run/%{name}
> +		mkdir -pv %{BUILDROOT}%{sharedstatedir}/%{name}
> +
> +		# Directory for user specified and additional config
> files.
> +		mkdir -pv %{BUILDROOT}%{sysconfdir}/%{name}/conf.d/
> +
> +		# Directory for stub and forward zones.
> +		mkdir -pv %{BUILDROOT}%{sysconfdir}/%{name}/local.d/
> +
> +		# Directory for trusted-keys-file.
> +		mkdir -pv %{BUILDROOT}%{sysconfdir}/%{name}/keys.d/
> +
> +		# Install unbound config file.
> +		install -p -m 0664 %{DIR_SOURCE}/%{name}.conf \
> +			%{BUILDROOT}%{sysconfdir}/%{name}/
> +
> +		# Install pem file for icannbundle.
> +		install -p -m 0664 %{DIR_SOURCE}/icannbundle.pem \
> +			%{BUILDROOT}%{sysconfdir}/%{name}/
> +
> +		# Install root and DLV keys.
> +		install -p -m 0644 %{DIR_SOURCE}/root.key \
> +			%{BUILDROOT}%{sysconfdir}/%{name}/
> +		install -p -m 0664 %{DIR_SOURCE}/dlv.isc.org.key \
> +			%{BUILDROOT}%{sysconfdir}/%{name}/
> +		install -p -m 0664 %{DIR_SOURCE}/root.anchor \
> +			%{BUILDROOT}%{sharedstatedir}/%{name}/root.k
> ey
> +
> +		# Fix ownership.
> +		chown -R unbound:unbound
> %{BUILDROOT}%{sharedstatedir}/%{name}/
> +	end
> +end
> +
> +create_user
> +	getent group unound >/dev/null || /usr/sbin/groupadd -r
> unbound
> +	getent passwd unbound >/dev/null || /usr/sbin/useradd -r -g
> unbound \
> +		-d %{sysconfdir}/%{name} -s /sbin/nologin unbound
> +end
> +
> +packages
> +	package %{name}
> +		prerequires
> +			shadow-utils
> +			systemd-units
> +		end
> +
> +		requires += \
> +			openssl >= 1.0.1h-2
> +
> +		configfiles
> +			%{sysconfdir}/%{name}.conf
> +		end
> +
> +		datafiles
> +			%{sysconfdir}/%{name}/conf.d/
> +			%{sysconfdir}/%{name}/local.d/
> +			%{sysconfdir}/%{name}/keys.d/
> +		end
> +
> +		script prein
> +			%{create_user}
> +		end
> +
> +		script postin
> +			/bin/systemctl daemon-reload >/dev/null 2>&1
> || :
> +
> +			# Enable root anchor for DNSSEC validation.
> +			systemctl enable unbound-anchor.timer
> >/dev/null 2>&1 || :
> +		end
> +
> +		script preun
> +			systemctl --no-reload disable unbound
> -anchor.timer >/dev/null 2>&1 || :
> +			systemctl --no-reload disable unbound
> -keygen.service >/dev/null 2>&1 || :
> +			systemctl --no-reload disable
> unbound.service >/dev/null 2>&1 || :
> +			systemctl stop unbound.service >/dev/null
> 2>&1 || :
> +			systemctl stop unbound-keygen.service
> >/dev/null 2>&1 || :
> +		end
> +
> +		script postun
> +			systemctl daemon-reload >/dev/null 2>&1 || :
> +		end
> +
> +		script postup
> +			systemctl daemon-reload >/dev/null 2>&1 || :
> +			systemctl try-restart unbound-keygen.service
> >/dev/null 2>&1 || :
> +			systemctl try-restart unbound.service
> >/dev/null 2>&1 || :
> +		end
> +	end
> +
> +	package %{name}-libs
> +		template LIBS
> +	end
> +
> +	package python3-%{name}
> +		template PYTHON3
> +	end
> +
> +	package %{name}-devel
> +		template DEVEL
> +	end
> +
> +	package %{name}-debuginfo
> +		template DEBUGINFO
> +	end
> +end
> diff --git a/unbound/unbound.tmpfiles b/unbound/unbound.tmpfiles
> new file mode 100644
> index 0000000..d625589
> --- /dev/null
> +++ b/unbound/unbound.tmpfiles
> @@ -0,0 +1 @@
> +D /var/run/unbound 0755 unbound unbound -