Diffstat (limited to 'repo/unbound')
-rw-r--r--repo/unbound/conf.patch46
-rw-r--r--repo/unbound/migrate-dnscache-to-unbound147
-rw-r--r--repo/unbound/unbound.confd11
-rw-r--r--repo/unbound/unbound.initd48
-rw-r--r--repo/unbound/unbound.pre-install7
-rw-r--r--repo/unbound/unbound.xibuild64
6 files changed, 323 insertions, 0 deletions
diff --git a/repo/unbound/conf.patch b/repo/unbound/conf.patch
new file mode 100644
index 0000000..e92cc37
--- /dev/null
+++ b/repo/unbound/conf.patch
@@ -0,0 +1,46 @@
+diff -upr unbound-1.13.0.orig/doc/example.conf.in unbound-1.13.0/doc/example.conf.in
+--- unbound-1.13.0.orig/doc/example.conf.in 2020-12-21 09:58:04.154390497 +0100
++++ unbound-1.13.0/doc/example.conf.in 2020-12-21 09:58:53.094583255 +0100
+@@ -355,9 +355,6 @@ server:
+ # print log lines that say why queries return SERVFAIL to clients.
+ # log-servfail: no
+
+- # the pid file. Can be an absolute path outside of chroot/work dir.
+- # pidfile: "@UNBOUND_PIDFILE@"
+-
+ # file to read root hints from.
+ # get one from https://www.internic.net/domain/named.cache
+ # root-hints: ""
+@@ -507,7 +504,7 @@ server:
+ # you start unbound (i.e. in the system boot scripts). And enable:
+ # Please note usage of unbound-anchor root anchor is at your own risk
+ # and under the terms of our LICENSE (see that file in the source).
+- # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
++ # auto-trust-anchor-file: ""
+
+ # trust anchor signaling sends a RFC8145 key tag query after priming.
+ # trust-anchor-signaling: yes
+@@ -519,7 +516,7 @@ server:
+ # with several entries, one file per entry.
+ # Zone file format, with DS and DNSKEY entries.
+ # Note this gets out of date, use auto-trust-anchor-file please.
+- # trust-anchor-file: ""
++ trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
+
+ # Trusted key for validation. DS or DNSKEY. specify the RR on a
+ # single line, surrounded by "". TTL is ignored. class is IN default.
+@@ -900,12 +897,13 @@ dynlib:
+ remote-control:
+ # Enable remote control with unbound-control(8) here.
+ # set up the keys and certificates with unbound-control-setup.
+- # control-enable: no
++ control-enable: yes
+
+ # what interfaces are listened to for remote control.
+ # give 0.0.0.0 and ::0 to listen to all interfaces.
+ # set to an absolute path to use a unix local name pipe, certificates
+ # are not used for that, so key and cert files need not be present.
++ control-interface: /run/unbound.control.sock
+ # control-interface: 127.0.0.1
+ # control-interface: ::1
+
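Review bot: The `@@ -519,7 +516,7 @@` part of the patch turns the static `trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"` on while leaving `auto-trust-anchor-file` commented, so the root anchor is never rolled by unbound itself (RFC 5011) and the example's own text a few lines above warns that this form gets out of date; presumably the anchor file is meant to be maintained by whatever package ships it, and a one-line comment in the patch saying so, e.g. `# static anchor: kept current by the package providing @UNBOUND_ROOTKEY_FILE@`, would keep the next maintainer from "fixing" it back. In the `remote-control:` part, `control-enable: yes` with `control-interface: /run/unbound.control.sock` means the control channel is protected only by the socket's filesystem ownership and mode (the surrounding comment notes certificates are not used for local sockets), so it is worth confirming which user/group and mode unbound creates that socket with in the packaged version and documenting it next to the line.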
diff --git a/repo/unbound/migrate-dnscache-to-unbound b/repo/unbound/migrate-dnscache-to-unbound
new file mode 100644
index 0000000..03b34cd
--- /dev/null
+++ b/repo/unbound/migrate-dnscache-to-unbound
@@ -0,0 +1,147 @@
+#!/bin/sh
+
+
+to_subnet() {
+ pref=$1
+ case "$pref" in
+ *.*.*.*) echo $pref/32;;
+ *.*.*) echo $pref.0/24;;
+ *.*) echo $pref.0.0/16;;
+ *) echo $pref.0.0.0/8;;
+ esac
+}
+
+gen_config() {
+ echo "# Config generated by $0, $(date)"
+ echo "server:"
+
+ [ -n "$IP" ] && echo -e "\tinterface: $IP\n"
+ [ -n "$IPSEND" ] && echo -e "\toutgoing-interface: $IPSEND\n"
+
+ for i in $access_control; do
+ echo -e "\taccess-control: $i allow"
+ done
+ echo ""
+
+ # stub zones
+ local zonefile ip
+ local fwdtype="stub"
+ if [ -n "$FORWARDONLY" ]; then
+ fwdtype="forward"
+ fi
+ for zonefile in "$root"/etc/dnscache/servers/*; do
+ local zone=${zonefile##*/}
+ case "$zone" in
+ '@'|'*'|*.apk-new) continue;;
+ esac
+ echo "${fwdtype}-zone:"
+ echo -e "\tname: ${zone}"
+ for ip in $(cat $zonefile); do
+ echo -e "\t${fwdtype}-addr: $ip"
+ done
+ echo ""
+ done
+}
+
+usage() {
+ cat >&2 <<EOF
+usage: $0 [-h] [-r ROOT]
+Migrate dnscache configuration to unbound
+
+This tool will install unbound, migrate the configuration, stop dnscache
+and start unbound and remove traces of dnscache.
+
+Options:
+ -c Only dump the config to stdout and exit
+ -h Show this help
+ -k Keep unbound.conf.backup and keep dnscache config
+ -r Look for dnscache config in ROOT/etc/dnscache
+
+EOF
+}
+
+root=${ROOT:-/}
+dump_config=false
+quiet=false
+keep_backup=false
+while getopts "chr:" opt; do
+ case "$opt" in
+ 'c') dump_config=true;;
+ 'h') usage; exit;;
+ 'k') keep_backup=true;;
+ 'r') root="$OPTARG";;
+ 'q') quiet=true; quiet_opt=--quiet;;
+ esac
+done
+unbound_conf=${UNBOUND_CONF:-${root%/}/etc/unbound/unbound.conf}
+
+# read dnscache config
+if ! [ -f "$root"/etc/conf.d/dnscache ] && ! [ -d "$root"/etc/dnscache ]; then
+ echo "No dnscache config found"
+ exit 1
+fi
+
+confd="$root"/etc/conf.d/dnscache
+if [ -r "$confd" ]; then
+ . "$confd"
+fi
+
+interface="$IP"
+outgoing_interface="$IPSEND"
+
+for i in "$root"/etc/dnscache/ip/*; do
+ [ -f "$i" ] || continue
+ access_control="$access_control $(to_subnet ${i##*/})"
+done
+
+if $dump_config; then
+ gen_config
+ exit 0
+fi
+
+# install unbound if needed
+if ! apk info -e unbound; then
+ apk add $quiet_opt unbound
+fi
+
+# generate config
+if [ -f "$unbound_conf" ]; then
+ $quiet || echo "Backing up $unbound_conf" >&2
+ mv "$unbound_conf" "${unbound_conf}".backup
+fi
+
+$quiet || echo "Generating $unbound_conf" >&2
+gen_config > "$unbound_conf"
+
+# stop dnscache and start unbound
+if /etc/init.d/dnscache --quiet status 2>/dev/null; then
+ /etc/init.d/dnscache $quiet_opt stop
+ if ! /etc/init.d/unbound $quiet_opt start; then
+ echo "Failed to start unbound. Starting up dnscache again"
+ /etc/init.d/dnscache $quiet_opt start
+ exit 1
+ fi
+fi
+
+# update runlevels
+errors=0
+if rc-update | grep -q -w dnscache; then
+ runlevels=$(rc-update | awk '$1 == "dnscache" { FS="|"; $0 = $0; print $2 }')
+ for level in $runlevels; do
+ rc-update $quiet_opt add unbound $level \
+ || errors=$(($errors + 1))
+ rc-update $quiet_opt del dnscache $level \
+ || errors=$(($errors + 1))
+ done
+fi
+
+# cleanup if requested
+if [ $errors -eq 0 ] && ! $keep_backup ; then
+ $quiet || echo "Purging dnscache and dnscache config" >&2
+ apk del --purge $quiet_opt dnscache
+ rm -rf $root/etc/dnscache $root/etc/conf.d/dnscache
+ $quiet || echo "Purging ${unbound_conf}.backup" >&2
+ rm -rf ${unbound_conf}.backup
+fi
+
+exit $errors
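Review bot: `while getopts "chr:" opt; do` does not declare `k` or `q`, so the `'k')` and `'q')` arms below it are unreachable: `-k` (advertised in usage) and `-q` make getopts print an error and return `?`, the `case` has no arm for that and the script continues, and with `keep_backup` still false it purges the dnscache config and the unbound.conf backup the caller asked to keep. Change the loop line to `while getopts "chkqr:" opt; do` and add a `*) usage; exit 1;;` arm so unknown options stop the run. Separately, `cat $zonefile`, `rm -rf $root/etc/dnscache $root/etc/conf.d/dnscache` and `rm -rf ${unbound_conf}.backup` leave paths unquoted although `$root` and `UNBOUND_CONF` come from the environment, so a value with whitespace is word-split before `rm -rf`; quote them as the rest of the script does. `echo -e` is a busybox/bash extension under `#!/bin/sh`; `printf '\t%s\n'` is the portable form.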
diff --git a/repo/unbound/unbound.confd b/repo/unbound/unbound.confd
new file mode 100644
index 0000000..275081b
--- /dev/null
+++ b/repo/unbound/unbound.confd
@@ -0,0 +1,11 @@
+# Configuration for /etc/init.d/unbound
+
+# Path of the configuration file.
+#cfgfile="/etc/unbound/$RC_SVCNAME.conf"
+
+# Additional arguments for the unbound command.
+# Add "-v" to enable verbose logging (more times to increase verbosity).
+#command_args=""
+
+# Uncomment to use process supervisor.
+#supervisor=supervise-daemon
diff --git a/repo/unbound/unbound.initd b/repo/unbound/unbound.initd
new file mode 100644
index 0000000..c5c6d70
--- /dev/null
+++ b/repo/unbound/unbound.initd
@@ -0,0 +1,48 @@
+#!/sbin/openrc-run
+
+extra_commands="checkconfig"
+extra_started_commands="reload"
+
+name="unbound daemon"
+description="unbound is a Domain Name Server (DNS) that is used to resolve host names to IP address."
+description_checkconfig="Run syntax tests for configuration files only."
+description_reload="Kills all children and reloads the configuration."
+
+# Upper case variables are here only for backward compatibility.
+: ${cfgfile:=${UNBOUND_CONFFILE:-/etc/unbound/$RC_SVCNAME.conf}}
+
+command=/usr/sbin/unbound
+command_args="-d $command_args"
+command_background=yes
+pidfile="/run/$RC_SVCNAME.pid"
+
+required_files="$cfgfile"
+
+depend() {
+ need net
+ use logger
+ provide dns
+ after auth-dns entropy
+}
+
+checkconfig() {
+ ebegin "Checking $cfgfile"
+ /usr/sbin/unbound-checkconf -f "$cfgfile" >/dev/null
+ eend $?
+}
+
+start_pre() {
+ checkconfig
+}
+
+reload() {
+ start_pre || return $?
+
+ ebegin "Reloading $name"
+ if [ "$supervisor" ]; then
+ $supervisor "$RC_SVCNAME" --signal HUP
+ else
+ start-stop-daemon --signal HUP --pidfile "$pidfile"
+ fi
+ eend $?
+}
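Review bot: `/usr/sbin/unbound-checkconf -f "$cfgfile" >/dev/null` in checkconfig passes `-f`, which as far as I know is unbound-checkconf's "print full pathname" flag meant to pair with `-o` and takes no argument, so `$cfgfile` is consumed as the positional config path and `-f` does nothing here; if the packaged version's unbound-checkconf(8) confirms that, `/usr/sbin/unbound-checkconf "$cfgfile" >/dev/null` states the intent without the stray flag. The interplay of `pidfile="/run/$RC_SVCNAME.pid"`, `command_background=yes` and the daemon being built with `--with-pidfile=""` is not obvious from this file alone; a comment above the pidfile line such as `# unbound is built without its own pidfile; start-stop-daemon writes this one` would save the next reader a trip to the build script. Minor wording in `description`: "IP address" should be "IP addresses".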
diff --git a/repo/unbound/unbound.pre-install b/repo/unbound/unbound.pre-install
new file mode 100644
index 0000000..94144c7
--- /dev/null
+++ b/repo/unbound/unbound.pre-install
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+addgroup -S unbound 2>/dev/null
+adduser -S -D -H -h /etc/unbound -s /sbin/nologin -G unbound \
+ -g "Unbound user" unbound 2>/dev/null
+
+exit 0
diff --git a/repo/unbound/unbound.xibuild b/repo/unbound/unbound.xibuild
new file mode 100644
index 0000000..8805e1a
--- /dev/null
+++ b/repo/unbound/unbound.xibuild
@@ -0,0 +1,64 @@
+#!/bin/sh
+
+NAME="unbound"
+DESC="Unbound is a validating, recursive, and caching DNS resolver"
+
+MAKEDEPS=" expat libevent openssl python swig linux-headers"
+
+PKG_VER=1.15.0
+SOURCE="https://unbound.net/downloads/unbound-$PKG_VER.tar.gz"
+
+ADDITIONAL="
+conf.patch
+migrate-dnscache-to-unbound
+unbound.confd
+unbound.initd
+"
+
+prepare () {
+ apply_patches
+}
+
+build() {
+ PYTHON_VERSION=3 ./configure \
+ --prefix=/usr \
+ --sysconfdir=/etc \
+ --mandir=/usr/share/man \
+ --localstatedir=/var \
+ --with-username=unbound \
+ --with-run-dir="" \
+ --with-pidfile="" \
+ --with-rootkey-file=/usr/share/dnssec-root/trusted-key.key \
+ --with-libevent \
+ --with-pthreads \
+ --disable-static \
+ --disable-rpath \
+ --with-ssl \
+ --without-pythonmodule \
+ --with-pyunbound
+
+ # do not link to libpython
+ sed -i -e '/^LIBS=/s/-lpython.*[[:space:]]/ /' Makefile
+
+ make
+}
+
+check() {
+ make test
+}
+
+package() {
+ make DESTDIR="$PKG_DEST" install
+ make DESTDIR="$PKG_DEST" unbound-event-install
+
+ install -Dm755 contrib/update-anchor.sh \
+ "$PKG_DEST"/usr/share/unbound/update-anchor.sh
+
+ mkdir -p "$PKG_DEST"/usr/share/doc/unbound/
+ install -m644 doc/CREDITS doc/Changelog doc/FEATURES \
+ doc/README doc/TODO "$PKG_DEST"/usr/share/doc/unbound/
+
+ install -Dm755 "$BUILD_ROOT"/unbound.initd $PKG_DEST/etc/init.d/unbound
+ install -Dm644 "$BUILD_ROOT"/unbound.confd $PKG_DEST/etc/conf.d/unbound
+}
+
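Review bot: `SOURCE` fetches the release tarball over HTTPS but nothing in this file records a checksum or signature for it, so a replaced or corrupted tarball would build and package silently; if the build format supports an integrity field, add the upstream digest (placeholder: `<sha256 of unbound-1.15.0.tar.gz from upstream>`), otherwise verify the upstream signature in prepare(). `--with-rootkey-file=/usr/share/dnssec-root/trusted-key.key` together with conf.patch enabling `trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"` makes unbound-checkconf and therefore service start depend on that file existing, yet no runtime dependency on the package that provides it appears here; declare one if the format has a field for it, or note in a comment why it is guaranteed. `migrate-dnscache-to-unbound` is listed in ADDITIONAL but package() never installs it, so either install it (e.g. under /usr/sbin) or drop it from the list. The last two `install` lines leave `$PKG_DEST` unquoted while every other use quotes it.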