diff options
Diffstat (limited to 'repo/unbound')
-rw-r--r-- | repo/unbound/conf.patch | 46 | ||||
-rw-r--r-- | repo/unbound/migrate-dnscache-to-unbound | 147 | ||||
-rw-r--r-- | repo/unbound/unbound.confd | 11 | ||||
-rw-r--r-- | repo/unbound/unbound.initd | 48 | ||||
-rw-r--r-- | repo/unbound/unbound.pre-install | 7 | ||||
-rw-r--r-- | repo/unbound/unbound.xibuild | 64 |
6 files changed, 323 insertions, 0 deletions
diff --git a/repo/unbound/conf.patch b/repo/unbound/conf.patch new file mode 100644 index 0000000..e92cc37 --- /dev/null +++ b/repo/unbound/conf.patch @@ -0,0 +1,46 @@ +diff -upr unbound-1.13.0.orig/doc/example.conf.in unbound-1.13.0/doc/example.conf.in +--- unbound-1.13.0.orig/doc/example.conf.in 2020-12-21 09:58:04.154390497 +0100 ++++ unbound-1.13.0/doc/example.conf.in 2020-12-21 09:58:53.094583255 +0100 +@@ -355,9 +355,6 @@ server: + # print log lines that say why queries return SERVFAIL to clients. + # log-servfail: no + +- # the pid file. Can be an absolute path outside of chroot/work dir. +- # pidfile: "@UNBOUND_PIDFILE@" +- + # file to read root hints from. + # get one from https://www.internic.net/domain/named.cache + # root-hints: "" +@@ -507,7 +504,7 @@ server: + # you start unbound (i.e. in the system boot scripts). And enable: + # Please note usage of unbound-anchor root anchor is at your own risk + # and under the terms of our LICENSE (see that file in the source). +- # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" ++ # auto-trust-anchor-file: "" + + # trust anchor signaling sends a RFC8145 key tag query after priming. + # trust-anchor-signaling: yes +@@ -519,7 +516,7 @@ server: + # with several entries, one file per entry. + # Zone file format, with DS and DNSKEY entries. + # Note this gets out of date, use auto-trust-anchor-file please. +- # trust-anchor-file: "" ++ trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" + + # Trusted key for validation. DS or DNSKEY. specify the RR on a + # single line, surrounded by "". TTL is ignored. class is IN default. +@@ -900,12 +897,13 @@ dynlib: + remote-control: + # Enable remote control with unbound-control(8) here. + # set up the keys and certificates with unbound-control-setup. +- # control-enable: no ++ control-enable: yes + + # what interfaces are listened to for remote control. + # give 0.0.0.0 and ::0 to listen to all interfaces. + # set to an absolute path to use a unix local name pipe, certificates + # are not used for that, so key and cert files need not be present. ++ control-interface: /run/unbound.control.sock + # control-interface: 127.0.0.1 + # control-interface: ::1 + diff --git a/repo/unbound/migrate-dnscache-to-unbound b/repo/unbound/migrate-dnscache-to-unbound new file mode 100644 index 0000000..03b34cd --- /dev/null +++ b/repo/unbound/migrate-dnscache-to-unbound @@ -0,0 +1,147 @@ +#!/bin/sh + + +to_subnet() { + pref=$1 + case "$pref" in + *.*.*.*) echo $pref/32;; + *.*.*) echo $pref.0/24;; + *.*) echo $pref.0.0/16;; + *) echo $pref.0.0.0/8;; + esac +} + +gen_config() { + echo "# Config generated by $0, $(date)" + echo "server:" + + [ -n "$IP" ] && echo -e "\tinterface: $IP\n" + [ -n "$IPSEND" ] && echo -e "\toutgoing-interface: $IPSEND\n" + + for i in $access_control; do + echo -e "\taccess-control: $i allow" + done + echo "" + + # stub zones + local zonefile ip + local fwdtype="stub" + if [ -n "$FORWARDONLY" ]; then + fwdtype="forward" + fi + for zonefile in "$root"/etc/dnscache/servers/*; do + local zone=${zonefile##*/} + case "$zone" in + '@'|'*'|*.apk-new) continue;; + esac + echo "${fwdtype}-zone:" + echo -e "\tname: ${zone}" + for ip in $(cat $zonefile); do + echo -e "\t${fwdtype}-addr: $ip" + done + echo "" + done +} + +usage() { + cat >&2 <<EOF +usage: $0 [-h] [-r ROOT] +Migrate dnscache configuration to unbound + +This tool will install unbound, migrate the configuration, stop dnscache +and start unbound and remove traces of dnscache. + +Options: + -c Only dump the config to stdout and exit + -h Show this help + -k Keep unbound.conf.backup and keep dnscache config + -r Look for dnscache config in ROOT/etc/dnscache + +EOF +} + +root=${ROOT:-/} +dump_config=false +quiet=false +keep_backup=false +while getopts "chr:" opt; do + case "$opt" in + 'c') dump_config=true;; + 'h') usage; exit;; + 'k') keep_backup=true;; + 'r') root="$OPTARG";; + 'q') quiet=true; quiet_opt=--quiet;; + esac +done +unbound_conf=${UNBOUND_CONF:-${root%/}/etc/unbound/unbound.conf} + +# read dnscache config +if ! [ -f "$root"/etc/conf.d/dnscache ] && ! [ -d "$root"/etc/dnscache ]; then + echo "No dnscache config found" + exit 1 +fi + +confd="$root"/etc/conf.d/dnscache +if [ -r "$confd" ]; then + . "$confd" +fi + +interface="$IP" +outgoing_interface="$IPSEND" + +for i in "$root"/etc/dnscache/ip/*; do + [ -f "$i" ] || continue + access_control="$access_control $(to_subnet ${i##*/})" +done + +if $dump_config; then + gen_config + exit 0 +fi + +# install unbound if needed +if ! apk info -e unbound; then + apk add $quiet_opt unbound +fi + +# generate config +if [ -f "$unbound_conf" ]; then + $quiet || echo "Backing up $unbound_conf" >&2 + mv "$unbound_conf" "${unbound_conf}".backup +fi + +$quiet || echo "Generating $unbound_conf" >&2 +gen_config > "$unbound_conf" + +# stop dnscache and start unbound +if /etc/init.d/dnscache --quiet status 2>/dev/null; then + /etc/init.d/dnscache $quiet_opt stop + if ! /etc/init.d/unbound $quiet_opt start; then + echo "Failed to start unbound. Starting up dnscache again" + /etc/init.d/dnscache $quiet_opt start + exit 1 + fi +fi + +# update runlevels +errors=0 +if rc-update | grep -q -w dnscache; then + runlevels=$(rc-update | awk '$1 == "dnscache" { FS="|"; $0 = $0; print $2 }') + for level in $runlevels; do + rc-update $quiet_opt add unbound $level \ + || errors=$(($errors + 1)) + rc-update $quiet_opt del dnscache $level \ + || errors=$(($errors + 1)) + done +fi + +# cleanup if requested +if [ $errors -eq 0 ] && ! $keep_backup ; then + $quiet || echo "Purging dnscache and dnscache config" >&2 + apk del --purge $quiet_opt dnscache + rm -rf $root/etc/dnscache $root/etc/conf.d/dnscache + $quiet || echo "Purging ${unbound_conf}.backup" >&2 + rm -rf ${unbound_conf}.backup +fi + +exit $errors diff --git a/repo/unbound/unbound.confd b/repo/unbound/unbound.confd new file mode 100644 index 0000000..275081b --- /dev/null +++ b/repo/unbound/unbound.confd @@ -0,0 +1,11 @@ +# Configuration for /etc/init.d/unbound + +# Path of the configuration file. +#cfgfile="/etc/unbound/$RC_SVCNAME.conf" + +# Additional arguments for the unbound command. +# Add "-v" to enable verbose logging (more times to increase verbosity). +#command_args="" + +# Uncomment to use process supervisor. +#supervisor=supervise-daemon diff --git a/repo/unbound/unbound.initd b/repo/unbound/unbound.initd new file mode 100644 index 0000000..c5c6d70 --- /dev/null +++ b/repo/unbound/unbound.initd @@ -0,0 +1,48 @@ +#!/sbin/openrc-run + +extra_commands="checkconfig" +extra_started_commands="reload" + +name="unbound daemon" +description="unbound is a Domain Name Server (DNS) that is used to resolve host names to IP address." +description_checkconfig="Run syntax tests for configuration files only." +description_reload="Kills all children and reloads the configuration." + +# Upper case variables are here only for backward compatibility. +: ${cfgfile:=${UNBOUND_CONFFILE:-/etc/unbound/$RC_SVCNAME.conf}} + +command=/usr/sbin/unbound +command_args="-d $command_args" +command_background=yes +pidfile="/run/$RC_SVCNAME.pid" + +required_files="$cfgfile" + +depend() { + need net + use logger + provide dns + after auth-dns entropy +} + +checkconfig() { + ebegin "Checking $cfgfile" + /usr/sbin/unbound-checkconf -f "$cfgfile" >/dev/null + eend $? +} + +start_pre() { + checkconfig +} + +reload() { + start_pre || return $? + + ebegin "Reloading $name" + if [ "$supervisor" ]; then + $supervisor "$RC_SVCNAME" --signal HUP + else + start-stop-daemon --signal HUP --pidfile "$pidfile" + fi + eend $? +} diff --git a/repo/unbound/unbound.pre-install b/repo/unbound/unbound.pre-install new file mode 100644 index 0000000..94144c7 --- /dev/null +++ b/repo/unbound/unbound.pre-install @@ -0,0 +1,7 @@ +#!/bin/sh + +addgroup -S unbound 2>/dev/null +adduser -S -D -H -h /etc/unbound -s /sbin/nologin -G unbound \ + -g "Unbound user" unbound 2>/dev/null + +exit 0 diff --git a/repo/unbound/unbound.xibuild b/repo/unbound/unbound.xibuild new file mode 100644 index 0000000..8805e1a --- /dev/null +++ b/repo/unbound/unbound.xibuild @@ -0,0 +1,64 @@ +#!/bin/sh + +NAME="unbound" +DESC="Unbound is a validating, recursive, and caching DNS resolver" + +MAKEDEPS=" expat libevent openssl python swig linux-headers" + +PKG_VER=1.15.0 +SOURCE="https://unbound.net/downloads/unbound-$PKG_VER.tar.gz" + +ADDITIONAL=" +conf.patch +migrate-dnscache-to-unbound +unbound.confd +unbound.initd +" + +prepare () { + apply_patches +} + +build() { + PYTHON_VERSION=3 ./configure \ + --prefix=/usr \ + --sysconfdir=/etc \ + --mandir=/usr/share/man \ + --localstatedir=/var \ + --with-username=unbound \ + --with-run-dir="" \ + --with-pidfile="" \ + --with-rootkey-file=/usr/share/dnssec-root/trusted-key.key \ + --with-libevent \ + --with-pthreads \ + --disable-static \ + --disable-rpath \ + --with-ssl \ + --without-pythonmodule \ + --with-pyunbound + + # do not link to libpython + sed -i -e '/^LIBS=/s/-lpython.*[[:space:]]/ /' Makefile + + make +} + +check() { + make test +} + +package() { + make DESTDIR="$PKG_DEST" install + make DESTDIR="$PKG_DEST" unbound-event-install + + install -Dm755 contrib/update-anchor.sh \ + "$PKG_DEST"/usr/share/unbound/update-anchor.sh + + mkdir -p "$PKG_DEST"/usr/share/doc/unbound/ + install -m644 doc/CREDITS doc/Changelog doc/FEATURES \ + doc/README doc/TODO "$PKG_DEST"/usr/share/doc/unbound/ + + install -Dm755 "$BUILD_ROOT"/unbound.initd $PKG_DEST/etc/init.d/unbound + install -Dm644 "$BUILD_ROOT"/unbound.confd $PKG_DEST/etc/conf.d/unbound +} + |