diff options
| author | Dag-Erling Smørgrav <des@FreeBSD.org> | 2012-07-04 14:24:26 +0000 |
|---|---|---|
| committer | Dag-Erling Smørgrav <des@FreeBSD.org> | 2012-07-04 14:24:26 +0000 |
| commit | afb79913ce00d885b8b43f7478e1e054edadb567 (patch) | |
| tree | b9037afac70edd3c6342318cedbbadc648b799ca /contrib | |
| download | src-afb79913ce00d885b8b43f7478e1e054edadb567.tar.gz src-afb79913ce00d885b8b43f7478e1e054edadb567.zip | |
import unbound 1.4.17vendor/unbound/1.4.17
Notes
Notes:
svn path=/vendor/unbound/dist/; revision=238106
svn path=/vendor/unbound/1.4.17/; revision=238107; tag=vendor/unbound/1.4.17
Diffstat (limited to 'contrib')
| -rw-r--r-- | contrib/README | 17 | ||||
| -rwxr-xr-x | contrib/build-unbound-localzone-from-hosts.pl | 67 | ||||
| -rwxr-xr-x | contrib/parseunbound.pl | 140 | ||||
| -rwxr-xr-x | contrib/rc_d_unbound | 25 | ||||
| -rw-r--r-- | contrib/selinux/unbound.fc | 4 | ||||
| -rw-r--r-- | contrib/selinux/unbound.te | 42 | ||||
| -rw-r--r-- | contrib/unbound-host.nagios.patch | 134 | ||||
| -rw-r--r-- | contrib/unbound.init | 139 | ||||
| -rw-r--r-- | contrib/unbound.init_fedora | 119 | ||||
| -rw-r--r-- | contrib/unbound.plist | 42 | ||||
| -rw-r--r-- | contrib/unbound.spec | 112 | ||||
| -rw-r--r-- | contrib/unbound.spec_fedora | 440 | ||||
| -rw-r--r-- | contrib/unbound_cacti.tar.gz | bin | 0 -> 71269 bytes | |||
| -rwxr-xr-x | contrib/unbound_munin_ | 555 | ||||
| -rwxr-xr-x | contrib/update-anchor.sh | 158 | ||||
| -rwxr-xr-x | contrib/validation-reporter.sh | 117 |
16 files changed, 2111 insertions, 0 deletions
diff --git a/contrib/README b/contrib/README new file mode 100644 index 000000000000..f5123fc6c8a1 --- /dev/null +++ b/contrib/README @@ -0,0 +1,17 @@ +These files are contributed to unbound, and are not part of the official +distribution but may be helpful. + +* rc_d_unbound: FreeBSD compatible /etc/rc.d script. +* parseunbound.pl: perl script to run from cron that parses statistics from + the log file and stores them. +* unbound.spec and unbound.init: RPM specfile and Linux rc.d initfile. +* update-anchor.sh: shell script that uses unbound-host to update a set + of trust anchor files. Run from cron twice a month. +* unbound_munin_ : plugin for munin statistics report +* unbound_cacti.tar.gz : setup files for cacti statistics report +* selinux: the .fc and .te files for SElinux protection of the unbound daemon +* unbound.plist: launchd configuration file for MacOSX. +* build-unbound-localzone-from-hosts.pl: perl script to turn /etc/hosts into + a local-zone and local-data include file for unbound.conf. +* unbound-host.nagios.patch: makes unbound-host return status that fits right + in with the nagios monitoring framework. Contributed by Migiel de Vos. diff --git a/contrib/build-unbound-localzone-from-hosts.pl b/contrib/build-unbound-localzone-from-hosts.pl new file mode 100755 index 000000000000..c11bbc330795 --- /dev/null +++ b/contrib/build-unbound-localzone-from-hosts.pl @@ -0,0 +1,67 @@ +#!/usr/bin/perl -WT + +use strict; +use warnings; + +my $hostsfile = '/etc/hosts'; +my $localzonefile = '/etc/unbound/localzone.conf.new'; + +my $localzone = 'example.com'; + +open( HOSTS,"<${hostsfile}" ) or die( "Could not open ${hostsfile}: $!" ); +open( ZONE,">${localzonefile}" ) or die( "Could not open ${localzonefile}: $!" ); + +print ZONE "server:\n\n"; +print ZONE "local-zone: \"${localzone}\" transparent\n\n"; + +my %ptrhash; + +while ( my $hostline = <HOSTS> ) { + + # Skip comments + if ( $hostline !~ "^#" and $hostline !~ '^\s+$' ) { + + my @entries = split( /\s+/, $hostline ); + + my $ip; + + my $count = 0; + foreach my $entry ( @entries ) { + if ( $count == 0 ) { + $ip = $entry; + } else { + + if ( $count == 1) { + + # Only return localhost for 127.0.0.1 and ::1 + if ( ($ip ne '127.0.0.1' and $ip ne '::1') or $entry =~ 'localhost' ) { + if ( ! defined $ptrhash{$ip} ) { + $ptrhash{$ip} = $entry; + print ZONE "local-data-ptr: \"$ip $entry\"\n"; + } + } + + } + + # Use AAAA for IPv6 addresses + my $a = 'A'; + if ( $ip =~ ':' ) { + $a = 'AAAA'; + } + + print ZONE "local-data: \"$entry ${a} $ip\"\n"; + + } + $count++; + } + print ZONE "\n"; + + + } +} + + + + +__END__ + diff --git a/contrib/parseunbound.pl b/contrib/parseunbound.pl new file mode 100755 index 000000000000..6a6a76d6fb21 --- /dev/null +++ b/contrib/parseunbound.pl @@ -0,0 +1,140 @@ +#!/usr/local/bin/perl -w +# +# Script to parse the output from the unbound namedaemon. +# Unbound supports a threading model, and outputs a multiline log-blob for +# every thread. +# +# This script should parse all threads of the once, and store it +# in a local cached file for speedy results when queried lots. +# +use strict; +use POSIX qw(SEEK_END); +use Storable; +use FileHandle; +use Carp qw(croak carp); +use constant UNBOUND_CACHE => "/var/tmp/unbound-cache.stor"; + +my $run_from_cron = @ARGV && $ARGV[0] eq "--cron" && shift; +my $DEBUG = -t STDERR; + +# NB. VERY IMPORTANTES: set this when running this script. +my $numthreads = 4; + +### if cache exists, read it in. and is newer than 3 minutes +if ( -r UNBOUND_CACHE ) { + my $result = retrieve(UNBOUND_CACHE); + if (-M _ < 3/24/60 && !$run_from_cron ) { + print STDERR "Cached results:\n" if $DEBUG; + print join("\n", @$result), "\n"; + exit; + } +} +my $logfile = shift or die "Usage: parseunbound.pl --cron unboundlogfile"; +my $in = new FileHandle $logfile or die "Cannot open $logfile: $!\n"; + +# there is a special key 'thread' that indicates the thread. its not used, but returned anyway. +my @records = ('thread', 'queries', 'cachehits', 'recursions', 'recursionavg', + 'outstandingmax', 'outstandingavg', 'outstandingexc', + 'median25', 'median50', 'median75', + 'us_0', 'us_1', 'us_2', 'us_4', 'us_8', 'us_16', 'us_32', + 'us_64', 'us_128', 'us_256', 'us_512', 'us_1024', 'us_2048', + 'us_4096', 'us_8192', 'us_16384', 'us_32768', 'us_65536', + 'us_131072', 'us_262144', 'us_524288', 's_1', 's_2', 's_4', + 's_8', 's_16', 's_32', 's_64', 's_128', 's_256', 's_512'); +# Stats hash containing one or more keys. for every thread, 1 key. +my %allstats = (); # key="$threadid", stats={key => value} +my %startstats = (); # when we got a queries entry for this thread +my %donestats = (); # same, but only when we got a histogram entry for it +# stats hash contains name/value pairs of the actual numbers for that thread. +my $offset = 0; +my $inthread=0; +my $inpid; + +# We should continue looping untill we meet these conditions: +# a) more total queries than the previous run (which defaults to 0) AND +# b) parsed all $numthreads threads in the log. +my $numqueries = $previousresult ? $previousresult->[1] : 0; + +# Main loop +while ( scalar keys %startstats < $numthreads || scalar keys %donestats < $numthreads) { + $offset += 10000; + if ( $offset > -s $logfile or $offset > 10_000_000 ) { + die "Cannot find stats in $logfile\n"; + } + $in->seek(-$offset, SEEK_END) or croak "cannot seek $logfile: $!\n"; + + for my $line ( <$in> ) { + chomp($line); + + #[1208777234] unbound[6705:0] + if ($line =~ m/^\[\d+\] unbound\[\d+:(\d+)\]/) { + $inthread = $1; + if ($inthread + 1 > $numthreads) { + die "Hey. lazy. change \$numthreads in this script to ($inthread)\n"; + } + } + # this line doesn't contain a pid:thread. skip. + else { + next; + } + + if ( $line =~ m/info: server stats for thread \d+: (\d+) queries, (\d+) answers from cache, (\d+) recursions/ ) { + $startstats{$inthread} = 1; + $allstats{$inthread}->{thread} = $inthread; + $allstats{$inthread}->{queries} = $1; + $allstats{$inthread}->{cachehits} = $2; + $allstats{$inthread}->{recursions} = $3; + } + elsif ( $line =~ m/info: server stats for thread (\d+): requestlist max (\d+) avg ([0-9\.]+) exceeded (\d+)/ ) { + $allstats{$inthread}->{outstandingmax} = $2; + $allstats{$inthread}->{outstandingavg} = int($3); # This is a float; rrdtool only handles ints. + $allstats{$inthread}->{outstandingexc} = $4; + } + elsif ( $line =~ m/info: average recursion processing time ([0-9\.]+) sec/ ) { + $allstats{$inthread}->{recursionavg} = int($1 * 1000); # change sec to milisec. + } + elsif ( $line =~ m/info: histogram of recursion processing times/ ) { + next; + } + elsif ( $line =~ m/info: \[25%\]=([0-9\.]+) median\[50%\]=([0-9\.]+) \[75%\]=([0-9\.]+)/ ) { + $allstats{$inthread}->{median25} = int($1 * 1000000); # change seconds to usec + $allstats{$inthread}->{median50} = int($2 * 1000000); + $allstats{$inthread}->{median75} = int($3 * 1000000); + } + elsif ( $line =~ m/info: lower\(secs\) upper\(secs\) recursions/ ) { + # since after this line we're unsure if we get these numbers + # at all, we sould consider this marker as the end of the + # block. Chances that we're parsing a file halfway written + # at this stage are small. Bold statement. + $donestats{$inthread} = 1; + next; + } + elsif ( $line =~ m/info:\s+(\d+)\.(\d+)\s+(\d+)\.(\d+)\s+(\d+)/ ) { + my ($froms, $fromus, $toms, $tous, $counter) = ($1, $2, $3, $4, $5); + my $prefix = ''; + if ($froms > 0) { + $allstats{$inthread}->{'s_' . int($froms)} = $counter; + } else { + $allstats{$inthread}->{'us_' . int($fromus)} = $counter; + } + } + } +} + +my @result; +# loop on the records we want to store +for my $key ( @records ) { + my $sum = 0; + # these are the different threads parsed + foreach my $thread ( 0 .. $numthreads - 1 ) { + $sum += ($allstats{$thread}->{$key} || 0); + } + print STDERR "$key = " . $sum . "\n" if $DEBUG; + push @result, $sum; +} +print join("\n", @result), "\n"; +store \@result, UNBOUND_CACHE; + +if ($DEBUG) { + print STDERR "Threads: " . (scalar keys %allstats) . "\n"; +} diff --git a/contrib/rc_d_unbound b/contrib/rc_d_unbound new file mode 100755 index 000000000000..56516147f230 --- /dev/null +++ b/contrib/rc_d_unbound @@ -0,0 +1,25 @@ +#!/bin/sh +# +# unbound freebsd startup rc.d script, modified from the named script. +# uses the default unbound installation path and pidfile location. +# copy this to /etc/rc.d/unbound +# and put unbound_enable="YES" into rc.conf +# + +# PROVIDE: unbound +# REQUIRE: SERVERS cleanvar +# KEYWORD: shutdown + +. /etc/rc.subr + +name="unbound" +rcvar=`set_rcvar` + +load_rc_config $name + +command="/usr/local/sbin/unbound" +pidfile=${unbound_pidfile:-"/usr/local/etc/unbound/unbound.pid"} +command_args=${unbound_flags:-"-c /usr/local/etc/unbound/unbound.conf"} +extra_commands="reload" + +run_rc_command "$1" diff --git a/contrib/selinux/unbound.fc b/contrib/selinux/unbound.fc new file mode 100644 index 000000000000..f7e63eada112 --- /dev/null +++ b/contrib/selinux/unbound.fc @@ -0,0 +1,4 @@ +/etc/unbound(/.*)? system_u:object_r:unbound_conf_t:s0 +/etc/rc\.d/init\.d/unbound -- system_u:object_r:unbound_initrc_exec_t:s0 +/usr/sbin/unbound -- system_u:object_r:unbound_exec_t:s0 +/var/run/unbound(/.*)? system_u:object_r:unbound_var_run_t:s0 diff --git a/contrib/selinux/unbound.te b/contrib/selinux/unbound.te new file mode 100644 index 000000000000..d407ed351f42 --- /dev/null +++ b/contrib/selinux/unbound.te @@ -0,0 +1,42 @@ +policy_module(unbound, 0.1.0) + +type unbound_t; +type unbound_conf_t; +type unbound_exec_t; +type unbound_initrc_exec_t; +type unbound_var_run_t; + +init_daemon_domain(unbound_t, unbound_exec_t) +init_script_file(unbound_initrc_exec_t) + +role system_r types unbound_t; + +# XXX +# unbound-{checkconf,control} are not protected. Do we need protect them? + +# Unbound daemon + +auth_use_nsswitch(unbound_t) +dev_read_urand(unbound_t) +corenet_all_recvfrom_unlabeled(unbound_t) +corenet_tcp_bind_all_nodes(unbound_t) +corenet_tcp_bind_dns_port(unbound_t) +corenet_tcp_bind_rndc_port(unbound_t) +corenet_udp_bind_all_nodes(unbound_t) +corenet_udp_bind_all_unreserved_ports(unbound_t) +corenet_udp_bind_dns_port(unbound_t) +files_read_etc_files(unbound_t) +files_pid_file(unbound_var_run_t) +files_type(unbound_conf_t) +libs_use_ld_so(unbound_t) +libs_use_shared_libs(unbound_t) +logging_send_syslog_msg(unbound_t) +manage_files_pattern(unbound_t, unbound_var_run_t, unbound_var_run_t) +miscfiles_read_localization(unbound_t) +read_files_pattern(unbound_t, unbound_conf_t, unbound_conf_t) + +allow unbound_t self:capability { setuid chown net_bind_service setgid dac_override }; +allow unbound_t self:tcp_socket create_stream_socket_perms; +allow unbound_t self:udp_socket create_socket_perms; + +################################################### diff --git a/contrib/unbound-host.nagios.patch b/contrib/unbound-host.nagios.patch new file mode 100644 index 000000000000..5b249b636b11 --- /dev/null +++ b/contrib/unbound-host.nagios.patch @@ -0,0 +1,134 @@ +Index: smallapp/unbound-host.c +=================================================================== +--- smallapp/unbound-host.c (revision 2115) ++++ smallapp/unbound-host.c (working copy) +@@ -62,9 +62,18 @@ + #include "libunbound/unbound.h" + #include <ldns/ldns.h> + ++/** status variable ala nagios */ ++#define FINAL_STATUS_OK 0 ++#define FINAL_STATUS_WARNING 1 ++#define FINAL_STATUS_CRITICAL 2 ++#define FINAL_STATUS_UNKNOWN 3 ++ + /** verbosity for unbound-host app */ + static int verb = 0; + ++/** variable to determine final output */ ++static int final_status = FINAL_STATUS_UNKNOWN; ++ + /** Give unbound-host usage, and exit (1). */ + static void + usage() +@@ -93,7 +102,7 @@ + printf("Version %s\n", PACKAGE_VERSION); + printf("BSD licensed, see LICENSE in source package for details.\n"); + printf("Report bugs to %s\n", PACKAGE_BUGREPORT); +- exit(1); ++ exit(FINAL_STATUS_UNKNOWN); + } + + /** determine if str is ip4 and put into reverse lookup format */ +@@ -138,7 +147,7 @@ + *res = strdup(buf); + if(!*res) { + fprintf(stderr, "error: out of memory\n"); +- exit(1); ++ exit(FINAL_STATUS_UNKNOWN); + } + return 1; + } +@@ -158,7 +167,7 @@ + } + if(!res) { + fprintf(stderr, "error: out of memory\n"); +- exit(1); ++ exit(FINAL_STATUS_UNKNOWN); + } + return res; + } +@@ -172,7 +181,7 @@ + if(r == 0 && strcasecmp(t, "TYPE0") != 0 && + strcmp(t, "") != 0) { + fprintf(stderr, "error unknown type %s\n", t); +- exit(1); ++ exit(FINAL_STATUS_UNKNOWN); + } + return r; + } +@@ -191,7 +200,7 @@ + if(r == 0 && strcasecmp(c, "CLASS0") != 0 && + strcmp(c, "") != 0) { + fprintf(stderr, "error unknown class %s\n", c); +- exit(1); ++ exit(FINAL_STATUS_UNKNOWN); + } + return r; + } +@@ -207,6 +216,19 @@ + return "(insecure)"; + } + ++/** update the final status for the exit code */ ++void ++update_final_status(struct ub_result* result) ++{ ++ if (final_status == FINAL_STATUS_UNKNOWN || final_status == FINAL_STATUS_OK) { ++ if (result->secure) final_status = FINAL_STATUS_OK; ++ else if (result->bogus) final_status = FINAL_STATUS_CRITICAL; ++ else final_status = FINAL_STATUS_WARNING; ++ } ++ else if (final_status == FINAL_STATUS_WARNING && result->bogus) ++ final_status = FINAL_STATUS_CRITICAL; ++} ++ + /** nice string for type */ + static void + pretty_type(char* s, size_t len, int t) +@@ -353,7 +375,7 @@ + } else { + fprintf(stderr, "could not parse " + "reply packet to ANY query\n"); +- exit(1); ++ exit(FINAL_STATUS_UNKNOWN); + } + ldns_pkt_free(p); + +@@ -388,9 +410,10 @@ + ret = ub_resolve(ctx, q, t, c, &result); + if(ret != 0) { + fprintf(stderr, "resolve error: %s\n", ub_strerror(ret)); +- exit(1); ++ exit(FINAL_STATUS_UNKNOWN); + } + pretty_output(q, t, c, result, docname); ++ update_final_status(result); + ret = result->nxdomain; + ub_resolve_free(result); + return ret; +@@ -427,7 +450,7 @@ + { + if(r != 0) { + fprintf(stderr, "error: %s\n", ub_strerror(r)); +- exit(1); ++ exit(FINAL_STATUS_UNKNOWN); + } + } + +@@ -448,7 +471,7 @@ + ctx = ub_ctx_create(); + if(!ctx) { + fprintf(stderr, "error: out of memory\n"); +- exit(1); ++ exit(FINAL_STATUS_UNKNOWN); + } + + /* parse the options */ +@@ -509,5 +532,5 @@ + usage(); + + lookup(ctx, argv[0], qtype, qclass); +- return 0; ++ return final_status; + } diff --git a/contrib/unbound.init b/contrib/unbound.init new file mode 100644 index 000000000000..747f94e932dd --- /dev/null +++ b/contrib/unbound.init @@ -0,0 +1,139 @@ +#!/bin/sh +# +# unbound This shell script takes care of starting and stopping +# unbound (DNS server). +# +# chkconfig: - 14 86 +# description: unbound is a Domain Name Server (DNS) \ +# that is used to resolve host names to IP addresses. + +### BEGIN INIT INFO +# Provides: $named unbound +# Required-Start: $network $local_fs +# Required-Stop: $network $local_fs +# Should-Start: $syslog +# Should-Stop: $syslog +# Short-Description: unbound recursive Domain Name Server. +# Description: unbound is a Domain Name Server (DNS) +# that is used to resolve host names to IP addresses. +### END INIT INFO + +# Source function library. +. /etc/rc.d/init.d/functions + +exec="/usr/sbin/unbound" +prog="unbound" +config="/var/unbound/unbound.conf" +pidfile="/var/unbound/unbound.pid" +rootdir="/var/unbound" + +[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog + +lockfile=/var/lock/subsys/$prog + +start() { + [ -x $exec ] || exit 5 + [ -f $config ] || exit 6 + echo -n $"Starting $prog: " + + # setup root jail + if [ -s /etc/localtime ]; then + [ -d ${rootdir}/etc ] || mkdir -p ${rootdir}/etc ; + if [ ! -e ${rootdir}/etc/localtime ] || /usr/bin/cmp -s /etc/localtime ${rootdir}/etc/localtime; then + cp -fp /etc/localtime ${rootdir}/etc/localtime + fi; + fi; + if [ -s /etc/resolv.conf ]; then + [ -d ${rootdir}/etc ] || mkdir -p ${rootdir}/etc ; + if [ ! -e ${rootdir}/etc/resolv.conf ] || /usr/bin/cmp -s /etc/resolv.conf ${rootdir}/etc/resolv.conf; then + cp -fp /etc/resolv.conf ${rootdir}/etc/resolv.conf + fi; + fi; + if ! egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/log' /proc/mounts; then + [ -d ${rootdir}/dev ] || mkdir -p ${rootdir}/dev ; + [ -e ${rootdir}/dev/log ] || touch ${rootdir}/dev/log + mount --bind -n /dev/log ${rootdir}/dev/log >/dev/null 2>&1; + fi; + if ! egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/random' /proc/mounts; then + [ -d ${rootdir}/dev ] || mkdir -p ${rootdir}/dev ; + [ -e ${rootdir}/dev/random ] || touch ${rootdir}/dev/random + mount --bind -n /dev/random ${rootdir}/dev/random >/dev/null 2>&1; + fi; + + # if not running, start it up here + daemon $exec + retval=$? + echo + [ $retval -eq 0 ] && touch $lockfile + return $retval +} + +stop() { + echo -n $"Stopping $prog: " + # stop it here, often "killproc $prog" + killproc -p $pidfile $prog + retval=$? + echo + [ $retval -eq 0 ] && rm -f $lockfile + if egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/log' /proc/mounts; then + umount ${rootdir}/dev/log >/dev/null 2>&1 + fi; + if egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/random' /proc/mounts; then + umount ${rootdir}/dev/random >/dev/null 2>&1 + fi; + return $retval +} + +restart() { + stop + start +} + +reload() { + kill -HUP `cat $pidfile` +} + +force_reload() { + restart +} + +rh_status() { + # run checks to determine if the service is running or use generic status + status -p $pidfile $prog +} + +rh_status_q() { + rh_status -p $pidfile >/dev/null 2>&1 +} + +case "$1" in + start) + rh_status_q && exit 0 + $1 + ;; + stop) + rh_status_q || exit 0 + $1 + ;; + restart) + $1 + ;; + reload) + rh_status_q || exit 7 + $1 + ;; + force-reload) + force_reload + ;; + status) + rh_status + ;; + condrestart|try-restart) + rh_status_q || exit 0 + restart + ;; + *) + echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}" + exit 2 +esac +exit $? diff --git a/contrib/unbound.init_fedora b/contrib/unbound.init_fedora new file mode 100644 index 000000000000..9f7e4422b21e --- /dev/null +++ b/contrib/unbound.init_fedora @@ -0,0 +1,119 @@ +#!/bin/sh +# +# unbound This shell script takes care of starting and stopping +# unbound (DNS server). +# +# chkconfig: - 14 86 +# description: unbound is a Domain Name Server (DNS) \ +# that is used to resolve host names to IP addresses. + +### BEGIN INIT INFO +# Provides: unbound +# Required-Start: $network $local_fs +# Required-Stop: $network $local_fs +# Should-Start: $syslog +# Should-Stop: $syslog +# Short-Description: unbound recursive Domain Name Server. +# Description: unbound is a Domain Name Server (DNS) +# that is used to resolve host names to IP addresses. +### END INIT INFO + +# Source function library. +. /etc/rc.d/init.d/functions + +exec="/usr/sbin/unbound" +config="/var/lib/unbound/unbound.conf" +rootdir="/var/lib/unbound" +pidfile="/var/run/unbound/unbound.pid" + +[ -e /etc/sysconfig/unbound ] && . /etc/sysconfig/unbound + +lockfile=/var/lock/subsys/unbound + +start() { + [ -x $exec ] || exit 5 + [ -f $config ] || exit 6 + echo -n $"Starting unbound: " + + if [ ! -e ${rootdir}/etc/resolv.conf ] || /usr/bin/cmp -s /etc/resolv.conf ${rootdir}/etc/resolv.conf; then + cp -fp /etc/resolv.conf ${rootdir}/etc/resolv.conf + fi; + if [ ! -e ${rootdir}/etc/localtime ] || /usr/bin/cmp -s /etc/localtime ${rootdir}/etc/localtime; then + cp -fp /etc/localtime ${rootdir}/etc/localtime + fi; + mount --bind -n /dev/log ${rootdir}/dev/log >/dev/null 2>&1; + mount --bind -n /dev/random ${rootdir}/dev/random >/dev/null 2>&1; + mount --bind -n /var/run/unbound ${rootdir}/var/run/unbound >/dev/null 2>&1; + + # if not running, start it up here + daemon $exec + retval=$? + [ $retval -eq 0 ] && touch $lockfile + echo +} + +stop() { + echo -n $"Stopping unbound: " + # stop it here, often "killproc unbound" + killproc -p $pidfile unbound + retval=$? + [ $retval -eq 0 ] && rm -f $lockfile + for mountfile in /dev/log /dev/random /etc/localtime /etc/resolv.conf /var/run/unbound + do + if egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}''${mountfile}'' /proc/mounts; then + umount ${rootdir}$mountfile >/dev/null 2>&1 + fi; + done + echo +} + +restart() { + stop + start +} + +reload() { + kill -HUP `cat $pidfile` +} + +force_reload() { + restart +} + +rh_status() { + # run checks to determine if the service is running or use generic status + status -p $pidfile unbound +} + +rh_status_q() { + rh_status -p $pidfile >/dev/null 2>&1 +} + +case "$1" in + start) + start + ;; + stop) + stop + ;; + restart) + restart + ;; + reload) + reload + ;; + force-reload) + force_reload + ;; + status) + rh_status + ;; + condrestart|try-restart) + rh_status_q || exit 0 + restart + ;; + *) + echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}" + exit 2 +esac +exit $? diff --git a/contrib/unbound.plist b/contrib/unbound.plist new file mode 100644 index 000000000000..15e1162be23a --- /dev/null +++ b/contrib/unbound.plist @@ -0,0 +1,42 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE plist PUBLIC -//Apple Computer//DTD PLIST 1.0//EN http://www.apple.com/DTDs/PropertyList-1.0.dtd > +<plist version="1.0"> +<!-- +Unbound plist file for use by MacOSX launchd(8) using launchctl(1). +Copy this file to /Library/LaunchDaemons. Launchd keeps unbound running. + +Setup your unbound.conf with the following additional settings. +server: + do-daemonize: no + username: "" + chroot: "" + directory: "" +These actions are performed by launchd (for the option values, see below). + +--> +<dict> + <key>Label</key> + <string>unbound</string> + + <key>ProgramArguments</key> + <array> + <string>unbound</string> + </array> + + <key>UserName</key> + <string>unbound</string> + + <key>RootDirectory</key> + <string>/usr/local/etc/unbound</string> + + <key>WorkingDirectory</key> + <string>/usr/local/etc/unbound</string> + + <key>KeepAlive</key> + <true/> + + <key>RunAtLoad</key> + <true/> + +</dict> +</plist> diff --git a/contrib/unbound.spec b/contrib/unbound.spec new file mode 100644 index 000000000000..606430273938 --- /dev/null +++ b/contrib/unbound.spec @@ -0,0 +1,112 @@ +Summary: Validating, recursive, and caching DNS resolver +Name: unbound +Version: 1.4.8 +Release: 1%{?dist} +License: BSD +Url: http://www.nlnetlabs.nl/unbound/ +Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz +#Source1: unbound.init +Group: System Environment/Daemons +Requires: ldns +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +BuildRequires: flex, openssl-devel, expat-devel, ldns-devel + +%description +Unbound is a validating, recursive, and caching DNS resolver. + +The C implementation of Unbound is developed and maintained by NLnet +Labs. It is based on ideas and algorithms taken from a java prototype +developed by Verisign labs, Nominet, Kirei and ep.net. + +Unbound is designed as a set of modular components, so that also +DNSSEC (secure DNS) validation and stub-resolvers (that do not run +as a server, but are linked into an application) are easily possible. + +The source code is under a BSD License. + +%prep +%setup -q + +# configure with /var/unbound/unbound.conf so that all default chroot, +# pidfile and config file are in /var/unbound, ready for chroot jail set up. +%configure --with-conf-file=%{_localstatedir}/%{name}/unbound.conf --disable-rpath + +%build +#%{__make} %{?_smp_mflags} +make + +%install +rm -rf %{buildroot} +%{__make} DESTDIR=%{buildroot} install +install -d 0700 %{buildroot}%{_localstatedir}/%{name} +install -d 0755 %{buildroot}%{_initrddir} +install -m 0755 contrib/unbound.init %{buildroot}%{_initrddir}/unbound +# add symbolic link from /etc/unbound.conf -> /var/unbound/unbound.conf +ln -s %{_localstatedir}/unbound/unbound.conf %{buildroot}%{_sysconfdir}/unbound.conf +# remove static library from install (fedora packaging guidelines) +rm -f %{buildroot}%{_libdir}/libunbound.a %{buildroot}%{_libdir}/libunbound.la + +%clean +rm -rf ${RPM_BUILD_ROOT} + +%files +%defattr(-,root,root,-) +%doc doc/README doc/CREDITS doc/LICENSE doc/FEATURES +%attr(0755,root,root) %{_initrddir}/%{name} +%attr(0700,%{name},%{name}) %dir %{_localstatedir}/%{name} +%attr(0644,%{name},%{name}) %config(noreplace) %{_localstatedir}/%{name}/unbound.conf +%attr(0644,%{name},%{name}) %config(noreplace) %{_sysconfdir}/unbound.conf +%{_sbindir}/* +%{_mandir}/*/* +%{_includedir}/* +%{_libdir}/libunbound* + +%pre +getent group unbound >/dev/null || groupadd -r unbound +getent passwd unbound >/dev/null || \ +useradd -r -g unbound -d /var/unbound -s /sbin/nologin \ + -c "unbound name daemon" unbound +exit 0 + +%post +# This adds the proper /etc/rc*.d links for the script +/sbin/chkconfig --add %{name} + +%preun +if [ $1 -eq 0 ]; then + /sbin/service %{name} stop >/dev/null 2>&1 + /sbin/chkconfig --del %{name} + # remove root jail + rm -f /var/unbound/dev/log /var/unbound/dev/random /var/unbound/etc/localtime /var/unbound/etc/resolv.conf >/dev/null 2>&1 + rmdir /var/unbound/dev >/dev/null 2>&1 || : + rmdir /var/unbound/etc >/dev/null 2>&1 || : + rmdir /var/unbound >/dev/null 2>&1 || : +fi + +%postun +if [ "$1" -ge "1" ]; then + /sbin/service %{name} condrestart >/dev/null 2>&1 || : +fi + +%changelog +* Thu Jul 13 2011 Wouter Wijngaards <wouter@nlnetlabs.nl> - 1.4.8 +- ldns required and ldns-devel required for build, no more ldns-builtin. + +* Thu Mar 17 2011 Wouter Wijngaards <wouter@nlnetlabs.nl> - 1.4.8 +- removed --disable-gost, assume recent openssl on the destination platform. + +* Wed Mar 16 2011 Harold Jones <hajones@verisign.com> - 1.4.8 +- Bump version number to latest +- Add expat-devel to BuildRequires +- Added --disable-gost for building on CentOS 5.x +- Added --with-ldns-builtin for CentOS 5.x + +* Thu May 22 2008 Wouter Wijngaards <wouter@nlnetlabs.nl> - 1.0.0 +- contrib changes from Patrick Vande Walle. + +* Thu Apr 25 2008 Wouter Wijngaards <wouter@nlnetlabs.nl> - 0.12 +- Using parts from ports collection entry by Jaap Akkerhuis. +- Using Fedoraproject wiki guidelines. + +* Wed Apr 23 2008 Wouter Wijngaards <wouter@nlnetlabs.nl> - 0.11 +- Initial version. diff --git a/contrib/unbound.spec_fedora b/contrib/unbound.spec_fedora new file mode 100644 index 000000000000..6e02a0964c43 --- /dev/null +++ b/contrib/unbound.spec_fedora @@ -0,0 +1,440 @@ +# not ready yet +%{?!with_python: %global with_python 1} + +%if %{with_python} +%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")} +%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")} +%endif + +Summary: Validating, recursive, and caching DNS(SEC) resolver +Name: unbound +Version: 1.4.13 +Release: 1%{?dist} +License: BSD +Url: http://www.nlnetlabs.nl/unbound/ +Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz +Source1: unbound.init +Source2: unbound.conf +Source3: unbound.munin +Source4: unbound_munin_ +Source5: root.key +Source6: dlv.isc.org.key +Patch1: unbound-1.2-glob.patch + +Group: System Environment/Daemons +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +BuildRequires: flex, openssl-devel , ldns-devel >= 1.5.0, +BuildRequires: libevent-devel expat-devel +%if %{with_python} +BuildRequires: python-devel swig +%endif +# Required for SVN versions +# BuildRequires: bison + +Requires(post): chkconfig +Requires(preun): chkconfig +Requires(preun): initscripts +Requires(postun): initscripts +Requires: ldns >= 1.5.0 +Requires(pre): shadow-utils + +Obsoletes: dnssec-conf < 1.27-2 +Provides: dnssec-conf = 1.27-1 + +%description +Unbound is a validating, recursive, and caching DNS(SEC) resolver. + +The C implementation of Unbound is developed and maintained by NLnet +Labs. It is based on ideas and algorithms taken from a java prototype +developed by Verisign labs, Nominet, Kirei and ep.net. + +Unbound is designed as a set of modular components, so that also +DNSSEC (secure DNS) validation and stub-resolvers (that do not run +as a server, but are linked into an application) are easily possible. + +%package munin +Summary: Plugin for the munin / munin-node monitoring package +Group: System Environment/Daemons +Requires: munin-node +Requires: %{name} = %{version}-%{release}, bc + +%description munin +Plugin for the munin / munin-node monitoring package + +%package devel +Summary: Development package that includes the unbound header files +Group: Development/Libraries +Requires: %{name}-libs = %{version}-%{release}, openssl-devel, ldns-devel + +%description devel +The devel package contains the unbound library and the include files + +%package libs +Summary: Libraries used by the unbound server and client applications +Group: Applications/System +Requires(post): /sbin/ldconfig +Requires(postun): /sbin/ldconfig +Requires: openssl + +%description libs +Contains libraries used by the unbound server and client applications + +%if %{with_python} +%package python +Summary: Python modules and extensions for unbound +Group: Applications/System +Requires: %{name}-libs = %{version}-%{release} + +%description python +Python modules and extensions for unbound +%endif + +%prep +%setup -q +%patch1 -p1 + +%build +%configure --with-ldns= --with-libevent --with-pthreads --with-ssl \ + --disable-rpath --disable-static \ + --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \ + --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \ +%if %{with_python} + --with-pythonmodule --with-pyunbound \ +%endif + --enable-sha2 --disable-gost +%{__make} %{?_smp_mflags} + +%install +rm -rf %{buildroot} +%{__make} DESTDIR=%{buildroot} install +install -d 0755 %{buildroot}%{_initrddir} +install -m 0755 %{SOURCE1} %{buildroot}%{_initrddir}/unbound +install -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound +# Install munin plugin and its softlinks +install -d 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d +install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/munin/plugin-conf.d/unbound +install -d 0755 %{buildroot}%{_datadir}/munin/plugins/ +install -m 0755 %{SOURCE4} %{buildroot}%{_datadir}/munin/plugins/unbound +for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unbound_munin_by_type unbound_munin_by_class unbound_munin_by_opcode unbound_munin_by_rcode unbound_munin_by_flags unbound_munin_histogram; do + ln -s unbound %{buildroot}%{_datadir}/munin/plugins/$plugin +done + +# install root and DLV key +install -m 0644 %{SOURCE5} %{SOURCE6} %{buildroot}%{_sysconfdir}/unbound/ + +# remove static library from install (fedora packaging guidelines) +rm %{buildroot}%{_libdir}/*.la +%if %{with_python} +rm %{buildroot}%{python_sitearch}/*.la +%endif + +mkdir -p %{buildroot}%{_localstatedir}/run/unbound + +%clean +rm -rf ${RPM_BUILD_ROOT} + +%files +%defattr(-,root,root,-) +%doc doc/README doc/CREDITS doc/LICENSE doc/FEATURES +%attr(0755,root,root) %{_initrddir}/%{name} +%attr(0755,root,root) %dir %{_sysconfdir}/%{name} +%ghost %attr(0755,unbound,unbound) %dir %{_localstatedir}/run/%{name} +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key +%{_sbindir}/* +%{_mandir}/*/* + +%if %{with_python} +%files python +%defattr(-,root,root,-) +%{python_sitearch}/* +%doc libunbound/python/examples/* +%doc pythonmod/examples/* +%endif + +%files munin +%defattr(-,root,root,-) +%config(noreplace) %{_sysconfdir}/munin/plugin-conf.d/unbound +%{_datadir}/munin/plugins/unbound* + +%files devel +%defattr(-,root,root,-) +%{_libdir}/libunbound.so +%{_includedir}/unbound.h +%doc README + +%files libs +%defattr(-,root,root,-) +%{_libdir}/libunbound.so.* +%doc doc/README doc/LICENSE + +%pre +getent group unbound >/dev/null || groupadd -r unbound +getent passwd unbound >/dev/null || \ +useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \ +-c "Unbound DNS resolver" unbound +exit 0 + +%post +/sbin/chkconfig --add %{name} +# dnssec-conf used to contain our DLV key, but now we include it via unbound +# If unbound had previously been configured with dnssec-configure, we need +# to migrate the location of the DLV key file (to keep DLV enabled, and because +# unbound won't start with a bad location for a DLV key file. +sed -i "s:/etc/pki/dnssec-keys[/]*dlv:/etc/unbound:" %{_sysconfdir}/unbound/unbound.conf + +%post libs -p /sbin/ldconfig + +%preun +if [ "$1" -eq 0 ]; then + /sbin/service %{name} stop >/dev/null 2>&1 + /sbin/chkconfig --del %{name} +fi + +%postun +if [ "$1" -ge "1" ]; then + /sbin/service %{name} condrestart >/dev/null 2>&1 || : +fi + +%postun libs -p /sbin/ldconfig + +%changelog +* Tue Sep 06 2011 Paul Wouters <paul@xelerance.com> - 1.4.13-1 +- Updated to 1.4.13 +- Fix install location of pythonmod from sitelib to sitearch +- Removed patches merged in by upstream +- Removed versioned openssl dep, it differs per branch + +* Mon Aug 08 2011 Paul Wouters <paul@xelerance.com> - 1.4.12-3 +- Added pythonmod docs and examples +- Fix for python module load in the server (Tom Hendrikx) +- No longer enable --enable-debug as it causes degraded performance + under load. + +* Mon Jul 18 2011 Paul Wouters <paul@xelerance.com> - 1.4.12-1 +- Updated to 1.4.12 + +* Sun Jul 03 2011 Paul Wouters <paul@xelerance.com> - 1.4.11-1 +- Updated to 1.4.11 +- removed integrated CVE patch +- updated stock unbound.conf for new options introduced + +* Mon Jun 06 2011 Paul Wouters <paul@xelerance.com> - 1.4.10-1 +- Added ghost for /var/run/unbound (bz#656710) + +* Mon Jun 06 2011 Paul Wouters <paul@xelerance.com> - 1.4.9-3 +- rebuilt + +* Wed May 25 2011 Paul Wouters <paul@xelerance.com> - 1.4.9-2 +- Applied patch for CVE-2011-1922 DoS vulnerability + +* Sun Mar 27 2011 Paul Wouters <paul@xelerance.com> - 1.4.9-1 +- Updated to 1.4.9 + +* Sat Feb 12 2011 Paul Wouters <paul@xelerance.com> - 1.4.8-2 +- rebuilt + +* Tue Jan 25 2011 Paul Wouters <paul@xelerance.com> - 1.4.8-1 +- Updated to 1.4.8 +- Enable root key for DNSSEC +- Fix unbound-munin to use proper file (could cause excessive logging) +- Build unbound-python per default +- Disable gost as Fedora/EPEL does not allow ECC and has mangled openssl + +* Tue Oct 26 2010 Paul Wouters <paul@xelerance.com> - 1.4.5-4 +- Revert last build - it was on the wrong branch + +* Tue Oct 26 2010 Paul Wouters <paul@xelerance.com> - 1.4.5-3 +- Disable do-ipv6 per default - causes severe degradation on non-ipv6 machines + (see comments in inbound.conf) + +* Tue Jun 15 2010 Paul Wouters <paul@xelerance.com> - 1.4.5-2 +- Bump release - forgot to upload the new tar ball. + +* Tue Jun 15 2010 Paul Wouters <paul@xelerance.com> - 1.4.5-1 +- Upgraded to 1.4.5 + +* Mon May 31 2010 Paul Wouters <paul@xelerance.com> - 1.4.4-2 +- Added accidentally omitted svn patches to cvs + +* Mon May 31 2010 Paul Wouters <paul@xelerance.com> - 1.4.4-1 +- Upgraded to 1.4.4 with svn patches +- Obsolete dnssec-conf to ensure it is de-installed + +* Thu Mar 11 2010 Paul Wouters <paul@xelerance.com> - 1.4.3-1 +- Update to 1.4.3 that fixes 64bit crasher + +* Tue Mar 09 2010 Paul Wouters <paul@xelerance.com> - 1.4.2-1 +- Updated to 1.4.2 +- Updated unbound.conf with new options +- Enabled pre-fetching DNSKEY records (DNSSEC speedup) +- Enabled re-fetching popular records before they expire +- Enabled logging of DNSSEC validation errors + +* Mon Mar 01 2010 Paul Wouters <paul@xelerance.com> - 1.4.1-5 +- Overriding -D_GNU_SOURCE is no longer needed. This fixes DSO issues + with pthreads + +* Wed Feb 24 2010 Paul Wouters <paul@xelerance.com> - 1.4.1-3 +- Change make/configure lines to attempt to fix -lphtread linking issue + +* Thu Feb 18 2010 Paul Wouters <paul@xelerance.com> - 1.4.1-2 +- Removed dependancy for dnssec-conf +- Added ISC DLV key (formerly in dnssec-conf) +- Fixup old DLV locations in unbound.conf file via %%post +- Fix parent child disagreement handling and no-ipv6 present [svn r1953] + +* Tue Jan 05 2010 Paul Wouters <paul@xelerance.com> - 1.4.1-1 +- Updated to 1.4.1 +- Changed %%define to %%global + +* Thu Oct 08 2009 Paul Wouters <paul@xelerance.com> - 1.3.4-2 +- Bump version + +* Thu Oct 08 2009 Paul Wouters <paul@xelerance.com> - 1.3.4-1 +- Upgraded to 1.3.4. Security fix with validating NSEC3 records + +* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 1.3.3-2 +- rebuilt with new openssl + +* Mon Aug 17 2009 Paul Wouters <paul@xelerance.com> - 1.3.3-1 +- Updated to 1.3.3 + +* Sun Jul 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Sat Jun 20 2009 Paul Wouters <paul@xelerance.com> - 1.3.0-2 +- Added missing glob patch to cvs +- Place python macros within the %%with_python check + +* Sat Jun 20 2009 Paul Wouters <paul@xelerance.com> - 1.3.0-1 +- Updated to 1.3.0 +- Added unbound-python sub package. disabled for now +- Patch from svn to fix DLV lookups +- Patches from svn to detect wrong truncated response from BIND 9.6.1 with + minimal-responses) +- Added Default-Start and Default-Stop to unbound.init +- Re-enabled --enable-sha2 +- Re-enabled glob.patch + +* Wed May 20 2009 Paul Wouters <paul@xelerance.com> - 1.2.1-7 +- unbound-iterator.patch was not commited + +* Wed May 20 2009 Paul Wouters <paul@xelerance.com> - 1.2.1-6 +- Fix for https://bugzilla.redhat.com/show_bug.cgi?id=499793 + +* Tue Mar 17 2009 Paul Wouters <paul@xelerance.com> - 1.2.1-5 +- Use --nocheck to avoid giving an error on missing unbound-remote certs/keys + +* Tue Mar 10 2009 Adam Tkac <atkac redhat com> - 1.2.1-4 +- enable DNSSEC only if it is enabled in sysconfig/dnssec + +* Mon Mar 09 2009 Adam Tkac <atkac redhat com> - 1.2.1-3 +- add DNSSEC support to initscript and enabled it per default +- add requires dnssec-conf + +* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Tue Feb 10 2009 Paul Wouters <paul@xelerance.com - 1.2.1-1 +- updated to 1.2.1 + +* Sun Jan 18 2009 Tomas Mraz <tmraz@redhat.com> - 1.2.0-2 +- rebuild with new openssl + +* Wed Jan 14 2009 Paul Wouters <paul@xelerance.com - 1.2.0-1 +- Updated to 1.2.0 +- Added dependancy on minimum SSL for CVE-2008-5077 +- Added dependancy on bc for unbound-munin +- Added minimum requirement of libevent 1.4.5. Crashes with older versions + (note: libevent is stale in EL-4 and not in EL-5, needs fixing there) +- Removed dependancy on selinux-policy (will get used when available) +- Enable options as per draft-wijngaards-dnsext-resolver-side-mitigation-00.txt +- Enable unwanted-reply-threshold to mitigate against a Kaminsky attack +- Enable val-clean-additional to drop addition unsigned data from signed + response. +- Removed patches (got merged into upstream) + +* Mon Jan 5 2009 Paul Wouters <paul@xelerance.com> - 1.1.1-7 +- Modified scandir patch to silently fail when wildcard matches nothing +- Patch to allow unbound-checkconf to find empty wildcard matches + +* Mon Jan 5 2009 Paul Wouters <paul@xelerance.com> - 1.1.1-6 +- Added scandir patch for trusted-keys-file: option, which + is used to load multiple dnssec keys in bind file format + +* Mon Dec 8 2008 Paul Wouters <paul@xelerance.com> - 1.1.1-4 +- Added Requires: for selinux-policy >= 3.5.13-33 for proper SElinux rules. + +* Mon Dec 1 2008 Paul Wouters <paul@xelerance.com> - 1.1.1-3 +- We did not own the /etc/unbound directory (#474020) +- Fixed cvs anomalies + +* Fri Nov 28 2008 Adam Tkac <atkac redhat com> - 1.1.1-2 +- removed all obsolete chroot related stuff +- label control certs after generation correctly + +* Thu Nov 20 2008 Paul Wouters <paul@xelerance.com> - 1.1.1-1 +- Updated to unbound 1.1.1 which fixes a crasher and + addresses nlnetlabs bug #219 + +* Wed Nov 19 2008 Paul Wouters <paul@xelerance.com> - 1.1.0-3 +- Remove the chroot, obsoleted by SElinux +- Add additional munin plugin links supported by unbound plugin +- Move configuration directory from /var/lib/unbound to /etc/unbound +- Modified unbound.init and unbound.conf to account for chroot changes +- Updated unbound.conf with new available options +- Enabled dns-0x20 protection per default + +* Wed Nov 19 2008 Adam Tkac <atkac redhat com> - 1.1.0-2 +- unbound-1.1.0-log_open.patch + - make sure log is opened before chroot call + - tracked as http://www.nlnetlabs.nl/bugs/show_bug.cgi?id=219 +- removed /dev/log and /var/run/unbound and /etc/resolv.conf from + chroot, not needed +- don't mount files in chroot, it causes problems during updates +- fixed typo in default config file + +* Fri Nov 14 2008 Paul Wouters <paul@xelerance.com> - 1.1.0-1 +- Updated to version 1.1.0 +- Updated unbound.conf's statistics options and remote-control + to work properly for munin +- Added unbound-munin package +- Generate unbound remote-control key/certs on first startup +- Required ldns is now 1.4.0 + +* Wed Oct 22 2008 Paul Wouters <paul@xelerance.com> - 1.0.2-5 +- Only call ldconfig in -libs package +- Move configure into build section +- devel subpackage should only depend on libs subpackage + +* Tue Oct 21 2008 Paul Wouters <paul@xelerance.com> - 1.0.2-4 +- Fix CFLAGS getting lost in build +- Don't enable interface-automatic:yes because that + causes unbound to listen on 0.0.0.0 instead of 127.0.0.1 + +* Sun Oct 19 2008 Paul Wouters <paul@xelerance.com> - 1.0.2-3 +- Split off unbound-libs, make build verbose + +* Thu Oct 9 2008 Paul Wouters <paul@xelerance.com> - 1.0.2-2 +- FSB compliance, chroot fixes, initscript fixes + +* Thu Sep 11 2008 Paul Wouters <paul@xelerance.com> - 1.0.2-1 +- Upgraded to 1.0.2 + +* Wed Jul 16 2008 Paul Wouters <paul@xelerance.com> - 1.0.1-1 +- upgraded to new release + +* Wed May 21 2008 Paul Wouters <paul@xelerance.com> - 1.0.0-2 +- Build against ldns-1.3.0 + +* Wed May 21 2008 Paul Wouters <paul@xelerance.com> - 1.0.0-1 +- Split of -devel package, fixed dependancies, make rpmlint happy + +* Thu Apr 25 2008 Wouter Wijngaards <wouter@nlnetlabs.nl> - 0.12 +- Using parts from ports collection entry by Jaap Akkerhuis. +- Using Fedoraproject wiki guidelines. + +* Wed Apr 23 2008 Wouter Wijngaards <wouter@nlnetlabs.nl> - 0.11 +- Initial version. diff --git a/contrib/unbound_cacti.tar.gz b/contrib/unbound_cacti.tar.gz Binary files differnew file mode 100644 index 000000000000..b4d0a79c114e --- /dev/null +++ b/contrib/unbound_cacti.tar.gz diff --git a/contrib/unbound_munin_ b/contrib/unbound_munin_ new file mode 100755 index 000000000000..db6c33f38af4 --- /dev/null +++ b/contrib/unbound_munin_ @@ -0,0 +1,555 @@ +#!/bin/sh +# +# plugin for munin to monitor usage of unbound servers. +# To install copy this to /usr/local/share/munin/plugins/unbound_munin_ +# and use munin-node-configure (--suggest, --shell). +# +# (C) 2008 W.C.A. Wijngaards. BSD Licensed. +# +# To install; enable statistics and unbound-control in unbound.conf +# server: extended-statistics: yes +# statistics-cumulative: no +# statistics-interval: 0 +# remote-control: control-enable: yes +# Run the command unbound-control-setup to generate the key files. +# +# Environment variables for this script +# statefile - where to put temporary statefile. +# unbound_conf - where the unbound.conf file is located. +# unbound_control - where to find unbound-control executable. +# spoof_warn - what level to warn about spoofing +# spoof_crit - what level to crit about spoofing +# +# You can set them in your munin/plugin-conf.d/plugins.conf file +# with: +# [unbound*] +# user root +# env.statefile /usr/local/var/munin/plugin-state/unbound-state +# env.unbound_conf /usr/local/etc/unbound/unbound.conf +# env.unbound_control /usr/local/sbin/unbound-control +# env.spoof_warn 1000 +# env.spoof_crit 100000 +# +# This plugin can create different graphs depending on what name +# you link it as (with ln -s) into the plugins directory +# You can link it multiple times. +# If you are only a casual user, the _hits and _by_type are most interesting, +# possibly followed by _by_rcode. +# +# unbound_munin_hits - base volume, cache hits, unwanted traffic +# unbound_munin_queue - to monitor the internal requestlist +# unbound_munin_memory - memory usage +# unbound_munin_by_type - incoming queries by type +# unbound_munin_by_class - incoming queries by class +# unbound_munin_by_opcode - incoming queries by opcode +# unbound_munin_by_rcode - answers by rcode, validation status +# unbound_munin_by_flags - incoming queries by flags +# unbound_munin_histogram - histogram of query resolving times +# +# Magic markers - optional - used by installation scripts and +# munin-config: (originally contrib family but munin-node-configure ignores it) +# +#%# family=auto +#%# capabilities=autoconf suggest + +# POD documentation +: <<=cut +=head1 NAME + +unbound_munin_ - Munin plugin to monitor the Unbound DNS resolver. + +=head1 APPLICABLE SYSTEMS + +System with unbound daemon. + +=head1 CONFIGURATION + + [unbound*] + user root + env.statefile /usr/local/var/munin/plugin-state/unbound-state + env.unbound_conf /usr/local/etc/unbound/unbound.conf + env.unbound_control /usr/local/sbin/unbound-control + env.spoof_warn 1000 + env.spoof_crit 100000 + +Use the .env settings to override the defaults. + +=head1 USAGE + +Can be used to present different graphs. Use ln -s for that name in +the plugins directory to enable the graph. +unbound_munin_hits - base volume, cache hits, unwanted traffic +unbound_munin_queue - to monitor the internal requestlist +unbound_munin_memory - memory usage +unbound_munin_by_type - incoming queries by type +unbound_munin_by_class - incoming queries by class +unbound_munin_by_opcode - incoming queries by opcode +unbound_munin_by_rcode - answers by rcode, validation status +unbound_munin_by_flags - incoming queries by flags +unbound_munin_histogram - histogram of query resolving times + +=head1 AUTHOR + +Copyright 2008 W.C.A. Wijngaards + +=head1 LICENSE + +BSD + +=cut + +state=${statefile:-/usr/local/var/munin/plugin-state/unbound-state} +conf=${unbound_conf:-/usr/local/etc/unbound/unbound.conf} +ctrl=${unbound_control:-/usr/local/sbin/unbound-control} +warn=${spoof_warn:-1000} +crit=${spoof_crit:-100000} +lock=$state.lock + +# number of seconds between polling attempts. +# makes the statefile hang around for at least this many seconds, +# so that multiple links of this script can share the results. +lee=55 + +# to keep things within 19 characters +ABBREV="-e s/total/t/ -e s/thread/t/ -e s/num/n/ -e s/query/q/ -e s/answer/a/ -e s/unwanted/u/ -e s/requestlist/ql/ -e s/type/t/ -e s/class/c/ -e s/opcode/o/ -e s/rcode/r/ -e s/edns/e/ -e s/mem/m/ -e s/cache/c/ -e s/mod/m/" + +# get value from $1 into return variable $value +get_value ( ) { + value="`grep '^'$1'=' $state | sed -e 's/^.*=//'`" + if test "$value"x = ""x; then + value="0" + fi +} + +# download the state from the unbound server. +get_state ( ) { + # obtain lock for fetching the state + # because there is a race condition in fetching and writing to file + + # see if the lock is stale, if so, take it + if test -f $lock ; then + pid="`cat $lock 2>&1`" + kill -0 "$pid" >/dev/null 2>&1 + if test $? -ne 0 -a "$pid" != $$ ; then + echo $$ >$lock + fi + fi + + i=0 + while test ! -f $lock || test "`cat $lock 2>&1`" != $$; do + while test -f $lock; do + # wait + i=`expr $i + 1` + if test $i -gt 1000; then + sleep 1; + fi + if test $i -gt 1500; then + echo "error locking $lock" "=" `cat $lock` + rm -f $lock + exit 1 + fi + done + # try to get it + echo $$ >$lock + done + # do not refetch if the file exists and only LEE seconds old + if test -f $state; then + now=`date +%s` + get_value "time.now" + value="`echo $value | sed -e 's/\..*$//'`" + if test $now -lt `expr $value + $lee`; then + rm -f $lock + return + fi + fi + $ctrl -c $conf stats > $state + if test $? -ne 0; then + echo "error retrieving data from unbound server" + rm -f $lock + exit 1 + fi + rm -f $lock +} + +if test "$1" = "autoconf" ; then + if test ! -f $conf; then + echo no "($conf does not exist)" + exit 1 + fi + if test ! -d `dirname $state`; then + echo no "(`dirname $state` directory does not exist)" + exit 1 + fi + echo yes + exit 0 +fi + +if test "$1" = "suggest" ; then + echo "hits" + echo "queue" + echo "memory" + echo "by_type" + echo "by_class" + echo "by_opcode" + echo "by_rcode" + echo "by_flags" + echo "histogram" + exit 0 +fi + +# determine my type, by name +id=`echo $0 | sed -e 's/^.*unbound_munin_//'` +if test "$id"x = ""x; then + # some default to keep people sane. + id="hits" +fi + +# if $1 exists in statefile, config is echoed with label $2 +exist_config ( ) { + mn=`echo $1 | sed $ABBREV | tr . _` + if grep '^'$1'=' $state >/dev/null 2>&1; then + echo "$mn.label $2" + echo "$mn.min 0" + fi +} + +# print label and min 0 for a name $1 in unbound format +p_config ( ) { + mn=`echo $1 | sed $ABBREV | tr . _` + echo $mn.label "$2" + echo $mn.min 0 +} + +if test "$1" = "config" ; then + if test ! -f $state; then + get_state + fi + case $id in + hits) + echo "graph_title Unbound DNS traffic and cache hits" + echo "graph_args --base 1000 -l 0" + echo "graph_vlabel queries / second" + echo "graph_category DNS" + for x in thread0.num.queries thread1.num.queries \ + thread2.num.queries thread3.num.queries thread4.num.queries \ + thread5.num.queries thread6.num.queries thread7.num.queries; do + exist_config $x "queries handled by `basename $x .num.queries`" + done + p_config "total.num.queries" "total queries from clients" + p_config "total.num.cachehits" "cache hits" + p_config "total.num.prefetch" "cache prefetch" + p_config "num.query.tcp" "TCP queries" + p_config "num.query.ipv6" "IPv6 queries" + p_config "unwanted.queries" "queries that failed acl" + p_config "unwanted.replies" "unwanted or unsolicited replies" + echo "u_replies.warning $warn" + echo "u_replies.critical $crit" + echo "graph_info DNS queries to the recursive resolver. The unwanted replies could be innocent duplicate packets, late replies, or spoof threats." + ;; + queue) + echo "graph_title Unbound requestlist size" + echo "graph_args --base 1000 -l 0" + echo "graph_vlabel number of queries" + echo "graph_category DNS" + p_config "total.requestlist.avg" "Average size of queue on insert" + p_config "total.requestlist.max" "Max size of queue (in 5 min)" + p_config "total.requestlist.overwritten" "Number of queries replaced by new ones" + p_config "total.requestlist.exceeded" "Number of queries dropped due to lack of space" + echo "graph_info The queries that did not hit the cache and need recursion service take up space in the requestlist. If there are too many queries, first queries get overwritten, and at last resort dropped." + ;; + memory) + echo "graph_title Unbound memory usage" + echo "graph_args --base 1024 -l 0" + echo "graph_vlabel memory used in bytes" + echo "graph_category DNS" + p_config "mem.total.sbrk" "Total memory" + p_config "mem.cache.rrset" "RRset cache memory" + p_config "mem.cache.message" "Message cache memory" + p_config "mem.mod.iterator" "Iterator module memory" + p_config "mem.mod.validator" "Validator module and key cache memory" + echo "graph_info The memory used by unbound." + ;; + by_type) + echo "graph_title Unbound DNS queries by type" + echo "graph_args --base 1000 -l 0" + echo "graph_vlabel queries / second" + echo "graph_category DNS" + for x in `grep "^num.query.type" $state`; do + nm=`echo $x | sed -e 's/=.*$//'` + tp=`echo $nm | sed -e s/num.query.type.//` + p_config "$nm" "$tp" + done + echo "graph_info queries by DNS RR type queried for" + ;; + by_class) + echo "graph_title Unbound DNS queries by class" + echo "graph_args --base 1000 -l 0" + echo "graph_vlabel queries / second" + echo "graph_category DNS" + for x in `grep "^num.query.class" $state`; do + nm=`echo $x | sed -e 's/=.*$//'` + tp=`echo $nm | sed -e s/num.query.class.//` + p_config "$nm" "$tp" + done + echo "graph_info queries by DNS RR class queried for." + ;; + by_opcode) + echo "graph_title Unbound DNS queries by opcode" + echo "graph_args --base 1000 -l 0" + echo "graph_vlabel queries / second" + echo "graph_category DNS" + for x in `grep "^num.query.opcode" $state`; do + nm=`echo $x | sed -e 's/=.*$//'` + tp=`echo $nm | sed -e s/num.query.opcode.//` + p_config "$nm" "$tp" + done + echo "graph_info queries by opcode in the query packet." + ;; + by_rcode) + echo "graph_title Unbound DNS answers by return code" + echo "graph_args --base 1000 -l 0" + echo "graph_vlabel answer packets / second" + echo "graph_category DNS" + for x in `grep "^num.answer.rcode" $state`; do + nm=`echo $x | sed -e 's/=.*$//'` + tp=`echo $nm | sed -e s/num.answer.rcode.//` + p_config "$nm" "$tp" + done + p_config "num.answer.secure" "answer secure" + p_config "num.answer.bogus" "answer bogus" + p_config "num.rrset.bogus" "num rrsets marked bogus" + echo "graph_info answers sorted by return value. rrsets bogus is the number of rrsets marked bogus per second by the validator" + ;; + by_flags) + echo "graph_title Unbound DNS incoming queries by flags" + echo "graph_args --base 1000 -l 0" + echo "graph_vlabel queries / second" + echo "graph_category DNS" + p_config "num.query.flags.QR" "QR (query reply) flag" + p_config "num.query.flags.AA" "AA (auth answer) flag" + p_config "num.query.flags.TC" "TC (truncated) flag" + p_config "num.query.flags.RD" "RD (recursion desired) flag" + p_config "num.query.flags.RA" "RA (rec avail) flag" + p_config "num.query.flags.Z" "Z (zero) flag" + p_config "num.query.flags.AD" "AD (auth data) flag" + p_config "num.query.flags.CD" "CD (check disabled) flag" + p_config "num.query.edns.present" "EDNS OPT present" + p_config "num.query.edns.DO" "DO (DNSSEC OK) flag" + echo "graph_info This graphs plots the flags inside incoming queries. For example, if QR, AA, TC, RA, Z flags are set, the query can be rejected. RD, AD, CD and DO are legitimately set by some software." + ;; + histogram) + echo "graph_title Unbound DNS histogram of reply time" + echo "graph_args --base 1000 -l 0" + echo "graph_vlabel queries / second" + echo "graph_category DNS" + echo hcache.label "cache hits" + echo hcache.min 0 + echo hcache.draw AREA + echo hcache.colour 999999 + echo h64ms.label "0 msec - 66 msec" + echo h64ms.min 0 + echo h64ms.draw STACK + echo h64ms.colour 0000FF + echo h128ms.label "66 msec - 131 msec" + echo h128ms.min 0 + echo h128ms.colour 1F00DF + echo h128ms.draw STACK + echo h256ms.label "131 msec - 262 msec" + echo h256ms.min 0 + echo h256ms.draw STACK + echo h256ms.colour 3F00BF + echo h512ms.label "262 msec - 524 msec" + echo h512ms.min 0 + echo h512ms.draw STACK + echo h512ms.colour 5F009F + echo h1s.label "524 msec - 1 sec" + echo h1s.min 0 + echo h1s.draw STACK + echo h1s.colour 7F007F + echo h2s.label "1 sec - 2 sec" + echo h2s.min 0 + echo h2s.draw STACK + echo h2s.colour 9F005F + echo h4s.label "2 sec - 4 sec" + echo h4s.min 0 + echo h4s.draw STACK + echo h4s.colour BF003F + echo h8s.label "4 sec - 8 sec" + echo h8s.min 0 + echo h8s.draw STACK + echo h8s.colour DF001F + echo h16s.label "8 sec - ..." + echo h16s.min 0 + echo h16s.draw STACK + echo h16s.colour FF0000 + echo "graph_info Histogram of the reply times for queries." + ;; + esac + + exit 0 +fi + +# do the stats itself +get_state + +# get the time elapsed +get_value "time.elapsed" +if test $value = 0 || test $value = "0.000000"; then + echo "error: time elapsed 0 or could not retrieve data" + exit 1 +fi +elapsed="$value" + +# print value for $1 / elapsed +print_qps ( ) { + mn=`echo $1 | sed $ABBREV | tr . _` + get_value $1 + echo "$mn.value" `echo scale=6';' $value / $elapsed | bc ` +} + +# print qps if line already found in $2 +print_qps_line ( ) { + mn=`echo $1 | sed $ABBREV | tr . _` + value="`echo $2 | sed -e 's/^.*=//'`" + echo "$mn.value" `echo scale=6';' $value / $elapsed | bc ` +} + +# print value for $1 +print_value ( ) { + mn=`echo $1 | sed $ABBREV | tr . _` + get_value $1 + echo "$mn.value" $value +} + +case $id in +hits) + for x in thread0.num.queries thread1.num.queries thread2.num.queries \ + thread3.num.queries thread4.num.queries thread5.num.queries \ + thread6.num.queries thread7.num.queries total.num.queries \ + total.num.cachehits total.num.prefetch num.query.tcp \ + num.query.ipv6 unwanted.queries unwanted.replies; do + if grep "^"$x"=" $state >/dev/null 2>&1; then + print_qps $x + fi + done + ;; +queue) + for x in total.requestlist.avg total.requestlist.max \ + total.requestlist.overwritten total.requestlist.exceeded; do + print_value $x + done + ;; +memory) + mn=`echo mem.total.sbrk | sed $ABBREV | tr . _` + get_value 'mem.total.sbrk' + if test $value -eq 0; then + chk=`echo $ctrl | sed -e 's/-control$/-checkconf/'` + pidf=`$chk -o pidfile $conf 2>&1` + pid=`cat $pidf 2>&1` + value=`ps -p "$pid" -o rss= 2>&1` + if test "`expr $value + 1 - 1 2>&1`" -eq "$value" 2>&1; then + value=`expr $value \* 1024` + else + value=0 + fi + fi + echo "$mn.value" $value + for x in mem.cache.rrset mem.cache.message \ + mem.mod.iterator mem.mod.validator; do + print_value $x + done + ;; +by_type) + for x in `grep "^num.query.type" $state`; do + nm=`echo $x | sed -e 's/=.*$//'` + print_qps_line $nm $x + done + ;; +by_class) + for x in `grep "^num.query.class" $state`; do + nm=`echo $x | sed -e 's/=.*$//'` + print_qps_line $nm $x + done + ;; +by_opcode) + for x in `grep "^num.query.opcode" $state`; do + nm=`echo $x | sed -e 's/=.*$//'` + print_qps_line $nm $x + done + ;; +by_rcode) + for x in `grep "^num.answer.rcode" $state`; do + nm=`echo $x | sed -e 's/=.*$//'` + print_qps_line $nm $x + done + print_qps "num.answer.secure" + print_qps "num.answer.bogus" + print_qps "num.rrset.bogus" + ;; +by_flags) + for x in num.query.flags.QR num.query.flags.AA num.query.flags.TC num.query.flags.RD num.query.flags.RA num.query.flags.Z num.query.flags.AD num.query.flags.CD num.query.edns.present num.query.edns.DO; do + print_qps $x + done + ;; +histogram) + get_value total.num.cachehits + echo hcache.value `echo scale=6';' $value / $elapsed | bc ` + r=0 + for x in histogram.000000.000000.to.000000.000001 \ + histogram.000000.000001.to.000000.000002 \ + histogram.000000.000002.to.000000.000004 \ + histogram.000000.000004.to.000000.000008 \ + histogram.000000.000008.to.000000.000016 \ + histogram.000000.000016.to.000000.000032 \ + histogram.000000.000032.to.000000.000064 \ + histogram.000000.000064.to.000000.000128 \ + histogram.000000.000128.to.000000.000256 \ + histogram.000000.000256.to.000000.000512 \ + histogram.000000.000512.to.000000.001024 \ + histogram.000000.001024.to.000000.002048 \ + histogram.000000.002048.to.000000.004096 \ + histogram.000000.004096.to.000000.008192 \ + histogram.000000.008192.to.000000.016384 \ + histogram.000000.016384.to.000000.032768 \ + histogram.000000.032768.to.000000.065536; do + get_value $x + r=`expr $r + $value` + done + echo h64ms.value `echo scale=6';' $r / $elapsed | bc ` + get_value histogram.000000.065536.to.000000.131072 + echo h128ms.value `echo scale=6';' $value / $elapsed | bc ` + get_value histogram.000000.131072.to.000000.262144 + echo h256ms.value `echo scale=6';' $value / $elapsed | bc ` + get_value histogram.000000.262144.to.000000.524288 + echo h512ms.value `echo scale=6';' $value / $elapsed | bc ` + get_value histogram.000000.524288.to.000001.000000 + echo h1s.value `echo scale=6';' $value / $elapsed | bc ` + get_value histogram.000001.000000.to.000002.000000 + echo h2s.value `echo scale=6';' $value / $elapsed | bc ` + get_value histogram.000002.000000.to.000004.000000 + echo h4s.value `echo scale=6';' $value / $elapsed | bc ` + get_value histogram.000004.000000.to.000008.000000 + echo h8s.value `echo scale=6';' $value / $elapsed | bc ` + r=0 + for x in histogram.000008.000000.to.000016.000000 \ + histogram.000016.000000.to.000032.000000 \ + histogram.000032.000000.to.000064.000000 \ + histogram.000064.000000.to.000128.000000 \ + histogram.000128.000000.to.000256.000000 \ + histogram.000256.000000.to.000512.000000 \ + histogram.000512.000000.to.001024.000000 \ + histogram.001024.000000.to.002048.000000 \ + histogram.002048.000000.to.004096.000000 \ + histogram.004096.000000.to.008192.000000 \ + histogram.008192.000000.to.016384.000000 \ + histogram.016384.000000.to.032768.000000 \ + histogram.032768.000000.to.065536.000000 \ + histogram.065536.000000.to.131072.000000 \ + histogram.131072.000000.to.262144.000000 \ + histogram.262144.000000.to.524288.000000; do + get_value $x + r=`expr $r + $value` + done + echo h16s.value `echo scale=6';' $r / $elapsed | bc ` + ;; +esac diff --git a/contrib/update-anchor.sh b/contrib/update-anchor.sh new file mode 100755 index 000000000000..95032a082c63 --- /dev/null +++ b/contrib/update-anchor.sh @@ -0,0 +1,158 @@ +#!/bin/sh +# update-anchor.sh, update a trust anchor. +# Copyright 2008, W.C.A. Wijngaards +# This file is BSD licensed, see doc/LICENSE. + +# which validating lookup to use. +ubhost=unbound-host + +usage ( ) +{ + echo "usage: update-anchor [-r hs] [-b] <zone name> <trust anchor file>" + echo " performs an update of trust anchor file" + echo " the trust anchor file is overwritten with the latest keys" + echo " the trust anchor file should contain only keys for one zone" + echo " -b causes keyfile to be made in bind format." + echo " without -b the file is made in unbound format." + echo " " + echo "alternate:" + echo " update-anchor [-r hints] [-b] -d directory" + echo " update all <zone>.anchor files in the directory." + echo " " + echo " name the files br.anchor se.anchor ..., and include them in" + echo " the validating resolver config file." + echo " put keys for the root in a file with the name root.anchor." + echo "" + echo "-r root.hints use different root hints. Strict option order." + echo "" + echo "Exit code 0 means anchors updated, 1 no changes, others are errors." + exit 2 +} + +if test $# -eq 0; then + usage +fi +bindformat="no" +filearg='-f' +roothints="" +if test X"$1" = "X-r"; then + shift + roothints="$1" + shift +fi +if test X"$1" = "X-b"; then + shift + bindformat="yes" + filearg='-F' +fi +if test $# -ne 2; then + echo "arguments wrong." + usage +fi + +do_update ( ) { + # arguments: <zonename> <keyfile> + zonename="$1" + keyfile="$2" + tmpfile="/tmp/update-anchor.$$" + tmp2=$tmpfile.2 + tmp3=$tmpfile.3 + rh="" + if test -n "$roothints"; then + echo "server: root-hints: '$roothints'" > $tmp3 + rh="-C $tmp3" + fi + $ubhost -v $rh $filearg "$keyfile" -t DNSKEY "$zonename" >$tmpfile + if test $? -ne 0; then + rm -f $tmpfile + echo "Error: Could not update zone $zonename anchor file $keyfile" + echo "Cause: $ubhost lookup failed" + echo " (Is the domain decommissioned? Is connectivity lost?)" + return 2 + fi + + # has the lookup been DNSSEC validated? + if grep '(secure)$' $tmpfile >/dev/null 2>&1; then + : + else + rm -f $tmpfile + echo "Error: Could not update zone $zonename anchor file $keyfile" + echo "Cause: result of lookup was not secure" + echo " (keys too far out of date? domain changed ownership? need root hints?)" + return 3 + fi + + if test $bindformat = "yes"; then + # are there any KSK keys on board? + echo 'trusted-keys {' > "$tmp2" + if grep ' has DNSKEY record 257' $tmpfile >/dev/null 2>&1; then + # store KSK keys in anchor file + grep '(secure)$' $tmpfile | \ + grep ' has DNSKEY record 257' | \ + sed -e 's/ (secure)$/";/' | \ + sed -e 's/ has DNSKEY record \([0-9]*\) \([0-9]*\) \([0-9]*\) /. \1 \2 \3 "/' | \ + sed -e 's/^\.\././' | sort >> "$tmp2" + else + # store all keys in the anchor file + grep '(secure)$' $tmpfile | \ + sed -e 's/ (secure)$/";/' | \ + sed -e 's/ has DNSKEY record \([0-9]*\) \([0-9]*\) \([0-9]*\) /. \1 \2 \3 "/' | \ + sed -e 's/^\.\././' | sort >> "$tmp2" + fi + echo '};' >> "$tmp2" + else #not bindformat + # are there any KSK keys on board? + if grep ' has DNSKEY record 257' $tmpfile >/dev/null 2>&1; then + # store KSK keys in anchor file + grep '(secure)$' $tmpfile | \ + grep ' has DNSKEY record 257' | \ + sed -e 's/ (secure)$//' | \ + sed -e 's/ has DNSKEY record /. IN DNSKEY /' | \ + sed -e 's/^\.\././' | sort > "$tmp2" + else + # store all keys in the anchor file + grep '(secure)$' $tmpfile | \ + sed -e 's/ (secure)$//' | \ + sed -e 's/ has DNSKEY record /. IN DNSKEY /' | \ + sed -e 's/^\.\././' | sort > "$tmp2" + fi + fi # endif-bindformat + + # copy over if changed + diff $tmp2 $keyfile >/dev/null 2>&1 + if test $? -eq 1; then # 0 means no change, 2 means trouble. + cat $tmp2 > $keyfile + no_updated=0 + echo "$zonename key file $keyfile updated." + else + echo "$zonename key file $keyfile unchanged." + fi + + rm -f $tmpfile $tmp2 $tmp3 +} + +no_updated=1 +if test X"$1" = "X-d"; then + tdir="$2" + echo "start updating in $2" + for x in $tdir/*.anchor; do + if test `basename "$x"` = "root.anchor"; then + zname="." + else + zname=`basename "$x" .anchor` + fi + do_update "$zname" "$x" + done + echo "done updating in $2" +else + # regular invocation + if test X"$1" = "X."; then + zname="$1" + else + # strip trailing dot from zone name + zname="`echo $1 | sed -e 's/\.$//'`" + fi + kfile="$2" + do_update $zname $kfile +fi +exit $no_updated diff --git a/contrib/validation-reporter.sh b/contrib/validation-reporter.sh new file mode 100755 index 000000000000..7c1a4218bd14 --- /dev/null +++ b/contrib/validation-reporter.sh @@ -0,0 +1,117 @@ +#!/bin/sh +# validation reporter - reports validation failures to a collection server. +# Copyright NLnet Labs, 2010 +# BSD license. + + +### +# Here is the configuration for the validation reporter +# it greps the failure lines out of the log and sends them to a server. + +# The pidfile for the reporter daemon. +pidfile="/var/run/validation-reporter.pid" + +# The logfile to watch for logged validation failures. +logfile="/var/log/unbound.log" + +# how to notify the upstream +# nc is netcat, it sends tcp to given host port. It makes a tcp connection +# and writes one log-line to it (grepped from the logfile). +# the notify command can be: "nc the.server.name.org 1234" +# the listening daemon could be: nc -lk 127.0.0.1 1234 >> outputfile & +notify_cmd="nc localhost 1234" + + +### +# Below this line is the code for the validation reporter, +# first the daemon itself, then the controller for the daemon. +reporter_daemon() { + trap "rm -f \"$pidfile\"" EXIT + tail -F $logfile | grep --line-buffered "unbound.*info: validation failure" | \ + while read x; do + echo "$x" | $notify_cmd + done +} + + +### +# controller for daemon. +start_daemon() { + echo "starting reporter" + nohup $0 rundaemon </dev/null >/dev/null 2>&1 & + echo $! > "$pidfile" +} + +kill_daemon() { + echo "stopping reporter" + if test -s "$pidfile"; then + kill `cat "$pidfile"` + # check it is really dead + if kill -0 `cat "$pidfile"` >/dev/null 2>&1; then + sleep 1 + while kill -0 `cat "$pidfile"` >/dev/null 2>&1; do + kill `cat "$pidfile"` >/dev/null 2>&1 + echo "waiting for reporter to stop" + sleep 1 + done + fi + fi +} + +get_status_daemon() { + if test -s "$pidfile"; then + if kill -0 `cat "$pidfile"`; then + return 0; + fi + fi + return 1; +} + +restart_daemon() { + kill_daemon + start_daemon +} + +condrestart_daemon() { + if get_status_daemon; then + echo "reporter ("`cat "$pidfile"`") is running" + exit 0 + fi + start_daemon + exit 0 +} + +status_daemon() { + if get_status_daemon; then + echo "reporter ("`cat "$pidfile"`") is running" + exit 0 + fi + echo "reporter is not running" + exit 1 +} + +case "$1" in + rundaemon) + reporter_daemon + ;; + start) + start_daemon + ;; + stop) + kill_daemon + ;; + restart) + restart_daemon + ;; + condrestart) + condrestart_daemon + ;; + status) + status_daemon + ;; + *) + echo "Usage: $0 {start|stop|restart|condrestart|status}" + exit 2 + ;; +esac +exit $? |