Merge pull request #4095 from EricLuehrsen/unbound_rfc5011

unbound: improve maintenance of trust anchor
Hannu Nyman 2017-03-02 10:03:22 +02:00 committed by GitHub
commit 230ea61043
5 changed files with 23 additions and 9 deletions


@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=unbound PKG_NAME:=unbound
PKG_VERSION:=1.6.1 PKG_VERSION:=1.6.1
PKG_RELEASE:=1 PKG_RELEASE:=2
PKG_LICENSE:=BSD-3-Clause PKG_LICENSE:=BSD-3-Clause
PKG_LICENSE_FILES:=LICENSE PKG_LICENSE_FILES:=LICENSE


@ -117,7 +117,7 @@ Keep the DNSKEY updated with your choice of flash activity. `root.key` maintenan
config unbound config unbound
option manual_conf '1' option manual_conf '1'
option root_age '30' option root_age '9'
### Hybrid Manual/UCI ### Hybrid Manual/UCI
You like the UCI. Yet, you need to add some difficult to standardize options, or just are not ready to make a UCI request yet. The files `/etc/unbound/unbound_srv.conf` and `/etc/unbound/unbound_ext.conf` will be copied to Unbounds chroot directory and included during auto generation. You like the UCI. Yet, you need to add some difficult to standardize options, or just are not ready to make a UCI request yet. The files `/etc/unbound/unbound_srv.conf` and `/etc/unbound/unbound_ext.conf` will be copied to Unbounds chroot directory and included during auto generation.
@ -230,7 +230,7 @@ The former will be added to the end of the `server:` clause. The later will be a
defaults with a bit of balancing. Tiny is close to the published defaults with a bit of balancing. Tiny is close to the published
memory restricted configuration. Small 1/2 medium, and large 2x. memory restricted configuration. Small 1/2 medium, and large 2x.
option root_age '30' option root_age '9'
Days. >90 Disables. Age limit for Unbound root data like root Days. >90 Disables. Age limit for Unbound root data like root
DNSSEC key. Unbound uses RFC 5011 to manage root key. This could DNSSEC key. Unbound uses RFC 5011 to manage root key. This could
harm flash ROM. This activity is mapped to "tmpfs," but every so harm flash ROM. This activity is mapped to "tmpfs," but every so


@ -26,7 +26,7 @@ rootzone_uci() {
# This will likely be called outside of "start_service()" context # This will likely be called outside of "start_service()" context
config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0 config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1 config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 30 config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 9
} }
############################################################################## ##############################################################################
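Review bot: The new `root_age` default of `9` in rootzone_uci is the same literal that the unbound.sh initialiser `UNBOUND_N_ROOT_AGE=9`, the `config_get` in unbound_uci and the UCI defaults file now carry, and nothing in the code says what the number means; only the README hunk on this page explains it (days, `>90` disables the age limit). Because this value decides how often the DNSSEC trust anchor state is thrown away and re-fetched, a silent drift between the four copies would change validation behaviour without any config change. I would annotate at least this line, `config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 9  # days; >90 disables (see README root_age)`, and ideally the three other defaults the same way. rootzone_uci begins before this hunk.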


@ -47,7 +47,7 @@ UNBOUND_IP_DNS64="64:ff9b::/96"
UNBOUND_N_EDNS_SIZE=1280 UNBOUND_N_EDNS_SIZE=1280
UNBOUND_N_FWD_PORTS="" UNBOUND_N_FWD_PORTS=""
UNBOUND_N_RX_PORT=53 UNBOUND_N_RX_PORT=53
UNBOUND_N_ROOT_AGE=28 UNBOUND_N_ROOT_AGE=9
UNBOUND_TTL_MIN=120 UNBOUND_TTL_MIN=120
@ -258,6 +258,13 @@ unbound_mkdir() {
fi fi
if [ -f $UNBOUND_KEYFILE ] ; then
# Lets not lose RFC 5011 tracking if we don't have to
cp -p $UNBOUND_KEYFILE $UNBOUND_KEYFILE.keep
fi
# Blind copy /etc/ to /var/lib/
mkdir -p $UNBOUND_VARDIR mkdir -p $UNBOUND_VARDIR
rm -f $UNBOUND_VARDIR/dhcp_* rm -f $UNBOUND_VARDIR/dhcp_*
touch $UNBOUND_CONFFILE touch $UNBOUND_CONFFILE
@ -282,7 +289,7 @@ unbound_mkdir() {
# Debian-like package dns-root-data # Debian-like package dns-root-data
cp -p /usr/share/dns/root.key $UNBOUND_KEYFILE cp -p /usr/share/dns/root.key $UNBOUND_KEYFILE
elif [ -x "$UNBOUND_ANCHOR" ] ; then elif [ -x $UNBOUND_ANCHOR ] ; then
$UNBOUND_ANCHOR -a $UNBOUND_KEYFILE $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
else else
@ -291,6 +298,13 @@ unbound_mkdir() {
fi fi
if [ -f $UNBOUND_KEYFILE.keep ] ; then
# root.key.keep is reused if newest
cp -u $UNBOUND_KEYFILE.keep $UNBOUND_KEYFILE
rm -f $UNBOUND_KEYFILE.keep
fi
# Ensure access and prepare to jail # Ensure access and prepare to jail
chown -R unbound:unbound $UNBOUND_VARDIR chown -R unbound:unbound $UNBOUND_VARDIR
chmod 775 $UNBOUND_VARDIR chmod 775 $UNBOUND_VARDIR
@ -755,7 +769,7 @@ unbound_uci() {
config_get UNBOUND_N_EDNS_SIZE "$cfg" edns_size 1280 config_get UNBOUND_N_EDNS_SIZE "$cfg" edns_size 1280
config_get UNBOUND_N_RX_PORT "$cfg" listen_port 53 config_get UNBOUND_N_RX_PORT "$cfg" listen_port 53
config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 7 config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 9
config_get UNBOUND_D_DOMAIN_TYPE "$cfg" domain_type static config_get UNBOUND_D_DOMAIN_TYPE "$cfg" domain_type static
config_get UNBOUND_D_DHCP_LINK "$cfg" dhcp_link none config_get UNBOUND_D_DHCP_LINK "$cfg" dhcp_link none
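Review bot: The rewritten `elif` in unbound_mkdir drops the quotes that the old line had, turning `[ -x "$UNBOUND_ANCHOR" ]` into `[ -x $UNBOUND_ANCHOR ]`; with the variable unset or empty that becomes the one-argument test `[ -x ]`, which is true, so the branch is entered and `$UNBOUND_ANCHOR -a $UNBOUND_KEYFILE` runs without a command, leaving no anchor fetched and the error only visible in the log. The two new guards around the `.keep` copy have the same shape, `[ -f $UNBOUND_KEYFILE ]` and `[ -f $UNBOUND_KEYFILE.keep ]`, and should read `elif [ -x "$UNBOUND_ANCHOR" ] ; then`, `if [ -f "$UNBOUND_KEYFILE" ] ; then` and `if [ -f "$UNBOUND_KEYFILE.keep" ] ; then`. Separately, `cp -u $UNBOUND_KEYFILE.keep $UNBOUND_KEYFILE` only restores the preserved RFC 5011 state when the `.keep` mtime (kept by `cp -p`) is newer than whatever the dns-root-data or unbound-anchor step just wrote; if unbound-anchor rewrites the file its mtime is current and the restore would never happen, so the comment `# root.key.keep is reused if newest` may describe an intent the copy cannot fulfil — worth confirming against unbound-anchor's write behaviour. unbound_mkdir starts and ends outside these hunks.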


@ -19,7 +19,7 @@ config unbound
option rebind_protection '1' option rebind_protection '1'
option recursion 'passive' option recursion 'passive'
option resource 'small' option resource 'small'
option root_age '28' option root_age '9'
option ttl_min '120' option ttl_min '120'
option unbound_control '0' option unbound_control '0'
option validator '0' option validator '0'