From: Michael Tremer
Date: Thu, 8 Sep 2016 18:50:45 +0000 (+0100)
Subject: Merge branch 'unbound' into next
X-Git-Tag: v2.19-core106~100
X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff_plain;h=5fba8a0b1ebcb29340e225707193c0147c4cb64a;hp=3364c93e37c65ed8544066ed55afe1941b2b6f8d
Merge branch 'unbound' into next
---
diff --git a/config/cron/crontab b/config/cron/crontab
index c42c650808..c6d8a725c7 100644
--- a/config/cron/crontab
+++ b/config/cron/crontab
@@ -67,3 +67,6 @@ HOME=/
 # Cleanup the mail spool directory
 %weekly * * /usr/sbin/dma-cleanup-spool
+
+# Update DNS trust anchor
+%daily,random * * @runas(nobody) /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
diff --git a/config/etc/group b/config/etc/group
index 51334aafbc..e4897db257 100644
--- a/config/etc/group
+++ b/config/etc/group
@@ -30,7 +30,6 @@ nobody:x:99:
 users:x:100:
 snort:x:101:
 logwatch:x:102:
-dnsmasq:x:103:
 cron:x:104:
 syslogd:x:105:
 klogd:x:106:
diff --git a/config/etc/passwd b/config/etc/passwd
index 0c2527ca39..542e3bf94e 100644
--- a/config/etc/passwd
+++ b/config/etc/passwd
@@ -14,7 +14,6 @@ nobody:x:99:99:Nobody:/home/nobody:/bin/false
 postfix:x:100:100::/var/spool/postfix:/bin/false
 snort:x:101:101:ftp:/var/log/snort:/bin/false
 logwatch:x:102:102::/var/log/logwatch:/bin/false
-dnsmasq:x:103:103::/:/bin/false
 cron:x:104:104::/:/bin/false
 syslogd:x:105:105:/var/empty:/bin/false
 klogd:x:106:106:/var/empty:/bin/false
diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
index 29b3290194..a429d2c90f 100644
--- a/config/rootfiles/common/armv5tel/initscripts
+++ b/config/rootfiles/common/armv5tel/initscripts
@@ -26,7 +26,6 @@ etc/rc.d/init.d/console
 etc/rc.d/init.d/dhcp
 etc/rc.d/init.d/dhcrelay
 #etc/rc.d/init.d/dnsdist
-etc/rc.d/init.d/dnsmasq
 etc/rc.d/init.d/fcron
 #etc/rc.d/init.d/fetchmail
 etc/rc.d/init.d/fireinfo
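Review bot: The new `%daily,random` job will be reported as a failure by the cron daemon on exactly the days it does useful work, because unbound-anchor(8) exits with status 1 when it has rewritten the anchor file (or had to fall back to its built-in anchor) and with 0 when nothing changed or, per its man page, when an error occurred. If fcron mails or logs non-zero exits, the line should handle status 1 explicitly rather than let a routine RFC 5011 update look like a broken job, and a real failure (status 0 with an error) will otherwise go unnoticed, so logging the result is more informative than the exit code here. Running the update under `@runas(nobody)` keeps the HTTPS fallback fetch unprivileged, which is the right choice, but it means `/var/lib/unbound/root.key` and its directory must be writable by that account; nothing in this merge sets that ownership, so I assume the unbound build or initscript does it — worth confirming.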
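Review bot: Removing `dnsmasq:x:103:` here, and the matching passwd entry in the next hunk, frees UID/GID 103 without anything in this merge reserving or reassigning it; on systems that are upgraded rather than freshly installed, any files still owned by the old dnsmasq account keep numeric owner 103 and will silently belong to whichever account is later created with that id. The core update that ships this change (not part of the merge) should remove or re-own such leftovers, or the entries could be kept as a reserved id. Neither hunk adds an `unbound` user or group, and the crontab hunk runs unbound-anchor as `nobody`, so the resolver presumably runs as `nobody` as well — confirm that sharing the catch-all account with other daemons is intended rather than an oversight.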
@@ -76,7 +75,7 @@ etc/rc.d/init.d/networking/green
 etc/rc.d/init.d/networking/orange
 etc/rc.d/init.d/networking/red
 #etc/rc.d/init.d/networking/red.down
-etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq
+etc/rc.d/init.d/networking/red.down/05-update-dns-forwarders
 etc/rc.d/init.d/networking/red.down/10-ipsec
 etc/rc.d/init.d/networking/red.down/10-miniupnpd
 etc/rc.d/init.d/networking/red.down/10-ovpn
@@ -84,7 +83,7 @@ etc/rc.d/init.d/networking/red.down/10-static-routes
 etc/rc.d/init.d/networking/red.down/20-firewall
 #etc/rc.d/init.d/networking/red.up
 etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup
-etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq
+etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders
 etc/rc.d/init.d/networking/red.up/10-miniupnpd
 etc/rc.d/init.d/networking/red.up/10-multicast
 etc/rc.d/init.d/networking/red.up/10-static-routes
diff --git a/config/rootfiles/common/dnsmasq b/config/rootfiles/common/dnsmasq
deleted file mode 100644
index 1e900122dc..0000000000
--- a/config/rootfiles/common/dnsmasq
+++ /dev/null
@@ -1,2 +0,0 @@
-usr/sbin/dnsmasq
-#usr/share/man/man8/dnsmasq.8
diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
index ee5a4ab6f2..2053bd97a9 100644
--- a/config/rootfiles/common/i586/initscripts
+++ b/config/rootfiles/common/i586/initscripts
@@ -27,7 +27,6 @@ etc/rc.d/init.d/console
 etc/rc.d/init.d/dhcp
 etc/rc.d/init.d/dhcrelay
 #etc/rc.d/init.d/dnsdist
-etc/rc.d/init.d/dnsmasq
 etc/rc.d/init.d/fcron
 #etc/rc.d/init.d/fetchmail
 etc/rc.d/init.d/fireinfo
@@ -78,7 +77,7 @@ etc/rc.d/init.d/networking/green
 etc/rc.d/init.d/networking/orange
 etc/rc.d/init.d/networking/red
 #etc/rc.d/init.d/networking/red.down
-etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq
+etc/rc.d/init.d/networking/red.down/05-update-dns-forwarders
 etc/rc.d/init.d/networking/red.down/10-ipsec
 etc/rc.d/init.d/networking/red.down/10-miniupnpd
 etc/rc.d/init.d/networking/red.down/10-ovpn
@@ -86,7 +85,7 @@ etc/rc.d/init.d/networking/red.down/10-static-routes
 etc/rc.d/init.d/networking/red.down/20-firewall
 #etc/rc.d/init.d/networking/red.up
 etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup
-etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq
+etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders
 etc/rc.d/init.d/networking/red.up/10-miniupnpd
 etc/rc.d/init.d/networking/red.up/10-multicast
 etc/rc.d/init.d/networking/red.up/10-static-routes
diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs
index 191788460a..63a005129c 100644
--- a/config/rootfiles/common/misc-progs
+++ b/config/rootfiles/common/misc-progs
@@ -5,7 +5,6 @@ usr/local/bin/backupctrl
 usr/local/bin/collectdctrl
 usr/local/bin/ddnsctrl
 usr/local/bin/dhcpctrl
-usr/local/bin/dnsmasqctrl
 usr/local/bin/extrahdctrl
 usr/local/bin/fireinfoctrl
 usr/local/bin/getconntracktable
@@ -33,6 +32,7 @@ usr/local/bin/sshctrl
 usr/local/bin/syslogdctrl
 usr/local/bin/timectrl
 #usr/local/bin/torctrl
+usr/local/bin/unboundctrl
 usr/local/bin/updxlratorctrl
 usr/local/bin/upnpctrl
 usr/local/bin/urlfilterctrl
diff --git a/config/rootfiles/common/python-daemon b/config/rootfiles/common/python-daemon
new file mode 100644
index 0000000000..34d36a463d
--- /dev/null
+++ b/config/rootfiles/common/python-daemon
@@ -0,0 +1,19 @@
+#usr/lib/python2.7/site-packages/daemon
+usr/lib/python2.7/site-packages/daemon/__init__.py
+usr/lib/python2.7/site-packages/daemon/__init__.pyc
+usr/lib/python2.7/site-packages/daemon/_metadata.py
+usr/lib/python2.7/site-packages/daemon/_metadata.pyc
+usr/lib/python2.7/site-packages/daemon/daemon.py
+usr/lib/python2.7/site-packages/daemon/daemon.pyc
+usr/lib/python2.7/site-packages/daemon/pidfile.py
+usr/lib/python2.7/site-packages/daemon/pidfile.pyc
+usr/lib/python2.7/site-packages/daemon/runner.py
+usr/lib/python2.7/site-packages/daemon/runner.pyc
+#usr/lib/python2.7/site-packages/python_daemon-2.1.1-py2.7.egg-info
+#usr/lib/python2.7/site-packages/python_daemon-2.1.1-py2.7.egg-info/PKG-INFO
+#usr/lib/python2.7/site-packages/python_daemon-2.1.1-py2.7.egg-info/SOURCES.txt
+#usr/lib/python2.7/site-packages/python_daemon-2.1.1-py2.7.egg-info/dependency_links.txt
+#usr/lib/python2.7/site-packages/python_daemon-2.1.1-py2.7.egg-info/not-zip-safe
+#usr/lib/python2.7/site-packages/python_daemon-2.1.1-py2.7.egg-info/requires.txt
+#usr/lib/python2.7/site-packages/python_daemon-2.1.1-py2.7.egg-info/top_level.txt
+#usr/lib/python2.7/site-packages/python_daemon-2.1.1-py2.7.egg-info/version_info.json
diff --git a/config/rootfiles/common/python-docutils b/config/rootfiles/common/python-docutils
new file mode 100644
index 0000000000..45038dde24
--- /dev/null
+++ b/config/rootfiles/common/python-docutils
@@ -0,0 +1,320 @@ +#usr/bin/rst2html.py +#usr/bin/rst2latex.py +#usr/bin/rst2man.py +#usr/bin/rst2odt.py +#usr/bin/rst2odt_prepstyles.py +#usr/bin/rst2pseudoxml.py +#usr/bin/rst2s5.py +#usr/bin/rst2xetex.py +#usr/bin/rst2xml.py +#usr/bin/rstpep2html.py +#usr/lib/python2.7/site-packages/docutils +#usr/lib/python2.7/site-packages/docutils-0.12-py2.7.egg-info +#usr/lib/python2.7/site-packages/docutils/__init__.py +#usr/lib/python2.7/site-packages/docutils/__init__.pyc +#usr/lib/python2.7/site-packages/docutils/_compat.py +#usr/lib/python2.7/site-packages/docutils/_compat.pyc +#usr/lib/python2.7/site-packages/docutils/core.py +#usr/lib/python2.7/site-packages/docutils/core.pyc +#usr/lib/python2.7/site-packages/docutils/examples.py +#usr/lib/python2.7/site-packages/docutils/examples.pyc +#usr/lib/python2.7/site-packages/docutils/frontend.py +#usr/lib/python2.7/site-packages/docutils/frontend.pyc +#usr/lib/python2.7/site-packages/docutils/io.py +#usr/lib/python2.7/site-packages/docutils/io.pyc +#usr/lib/python2.7/site-packages/docutils/languages +#usr/lib/python2.7/site-packages/docutils/languages/__init__.py +#usr/lib/python2.7/site-packages/docutils/languages/__init__.pyc +#usr/lib/python2.7/site-packages/docutils/languages/af.py +#usr/lib/python2.7/site-packages/docutils/languages/af.pyc +#usr/lib/python2.7/site-packages/docutils/languages/ca.py +#usr/lib/python2.7/site-packages/docutils/languages/ca.pyc +#usr/lib/python2.7/site-packages/docutils/languages/cs.py +#usr/lib/python2.7/site-packages/docutils/languages/cs.pyc +#usr/lib/python2.7/site-packages/docutils/languages/da.py +#usr/lib/python2.7/site-packages/docutils/languages/da.pyc +#usr/lib/python2.7/site-packages/docutils/languages/de.py +#usr/lib/python2.7/site-packages/docutils/languages/de.pyc +#usr/lib/python2.7/site-packages/docutils/languages/en.py +#usr/lib/python2.7/site-packages/docutils/languages/en.pyc +#usr/lib/python2.7/site-packages/docutils/languages/eo.py 
+#usr/lib/python2.7/site-packages/docutils/languages/eo.pyc +#usr/lib/python2.7/site-packages/docutils/languages/es.py +#usr/lib/python2.7/site-packages/docutils/languages/es.pyc +#usr/lib/python2.7/site-packages/docutils/languages/fi.py +#usr/lib/python2.7/site-packages/docutils/languages/fi.pyc +#usr/lib/python2.7/site-packages/docutils/languages/fr.py +#usr/lib/python2.7/site-packages/docutils/languages/fr.pyc +#usr/lib/python2.7/site-packages/docutils/languages/gl.py +#usr/lib/python2.7/site-packages/docutils/languages/gl.pyc +#usr/lib/python2.7/site-packages/docutils/languages/he.py +#usr/lib/python2.7/site-packages/docutils/languages/he.pyc +#usr/lib/python2.7/site-packages/docutils/languages/it.py +#usr/lib/python2.7/site-packages/docutils/languages/it.pyc +#usr/lib/python2.7/site-packages/docutils/languages/ja.py +#usr/lib/python2.7/site-packages/docutils/languages/ja.pyc +#usr/lib/python2.7/site-packages/docutils/languages/lt.py +#usr/lib/python2.7/site-packages/docutils/languages/lt.pyc +#usr/lib/python2.7/site-packages/docutils/languages/nl.py +#usr/lib/python2.7/site-packages/docutils/languages/nl.pyc +#usr/lib/python2.7/site-packages/docutils/languages/pl.py +#usr/lib/python2.7/site-packages/docutils/languages/pl.pyc +#usr/lib/python2.7/site-packages/docutils/languages/pt_br.py +#usr/lib/python2.7/site-packages/docutils/languages/pt_br.pyc +#usr/lib/python2.7/site-packages/docutils/languages/ru.py +#usr/lib/python2.7/site-packages/docutils/languages/ru.pyc +#usr/lib/python2.7/site-packages/docutils/languages/sk.py +#usr/lib/python2.7/site-packages/docutils/languages/sk.pyc +#usr/lib/python2.7/site-packages/docutils/languages/sv.py +#usr/lib/python2.7/site-packages/docutils/languages/sv.pyc +#usr/lib/python2.7/site-packages/docutils/languages/zh_cn.py +#usr/lib/python2.7/site-packages/docutils/languages/zh_cn.pyc +#usr/lib/python2.7/site-packages/docutils/languages/zh_tw.py +#usr/lib/python2.7/site-packages/docutils/languages/zh_tw.pyc 
+#usr/lib/python2.7/site-packages/docutils/nodes.py +#usr/lib/python2.7/site-packages/docutils/nodes.pyc +#usr/lib/python2.7/site-packages/docutils/parsers +#usr/lib/python2.7/site-packages/docutils/parsers/__init__.py +#usr/lib/python2.7/site-packages/docutils/parsers/__init__.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/null.py +#usr/lib/python2.7/site-packages/docutils/parsers/null.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst +#usr/lib/python2.7/site-packages/docutils/parsers/rst/__init__.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/__init__.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/__init__.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/__init__.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/admonitions.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/admonitions.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/body.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/body.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/html.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/html.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/images.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/images.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/misc.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/misc.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/parts.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/parts.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/references.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/references.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/tables.py 
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/tables.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/README.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isoamsa.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isoamsb.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isoamsc.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isoamsn.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isoamso.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isoamsr.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isobox.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isocyr1.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isocyr2.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isodia.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isogrk1.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isogrk2.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isogrk3.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isogrk4-wide.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isogrk4.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isolat1.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isolat2.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isomfrk-wide.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isomfrk.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isomopf-wide.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isomopf.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isomscr-wide.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isomscr.txt 
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isonum.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isopub.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isotech.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/mmlalias.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/mmlextra-wide.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/mmlextra.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/s5defs.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/xhtml1-lat1.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/xhtml1-special.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/xhtml1-symbol.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/__init__.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/__init__.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/af.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/af.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/ca.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/ca.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/cs.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/cs.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/da.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/da.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/de.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/de.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/en.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/en.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/eo.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/eo.pyc 
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/es.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/es.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/fi.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/fi.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/fr.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/fr.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/gl.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/gl.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/he.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/he.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/it.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/it.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/ja.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/ja.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/lt.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/lt.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/nl.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/nl.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/pl.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/pl.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/pt_br.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/pt_br.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/ru.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/ru.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/sk.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/sk.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/sv.py 
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/sv.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/zh_cn.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/zh_cn.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/zh_tw.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/zh_tw.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/roles.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/roles.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/states.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/states.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/tableparser.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/tableparser.pyc +#usr/lib/python2.7/site-packages/docutils/readers +#usr/lib/python2.7/site-packages/docutils/readers/__init__.py +#usr/lib/python2.7/site-packages/docutils/readers/__init__.pyc +#usr/lib/python2.7/site-packages/docutils/readers/doctree.py +#usr/lib/python2.7/site-packages/docutils/readers/doctree.pyc +#usr/lib/python2.7/site-packages/docutils/readers/pep.py +#usr/lib/python2.7/site-packages/docutils/readers/pep.pyc +#usr/lib/python2.7/site-packages/docutils/readers/standalone.py +#usr/lib/python2.7/site-packages/docutils/readers/standalone.pyc +#usr/lib/python2.7/site-packages/docutils/statemachine.py +#usr/lib/python2.7/site-packages/docutils/statemachine.pyc +#usr/lib/python2.7/site-packages/docutils/transforms +#usr/lib/python2.7/site-packages/docutils/transforms/__init__.py +#usr/lib/python2.7/site-packages/docutils/transforms/__init__.pyc +#usr/lib/python2.7/site-packages/docutils/transforms/components.py +#usr/lib/python2.7/site-packages/docutils/transforms/components.pyc +#usr/lib/python2.7/site-packages/docutils/transforms/frontmatter.py +#usr/lib/python2.7/site-packages/docutils/transforms/frontmatter.pyc +#usr/lib/python2.7/site-packages/docutils/transforms/misc.py 
+#usr/lib/python2.7/site-packages/docutils/transforms/misc.pyc +#usr/lib/python2.7/site-packages/docutils/transforms/parts.py +#usr/lib/python2.7/site-packages/docutils/transforms/parts.pyc +#usr/lib/python2.7/site-packages/docutils/transforms/peps.py +#usr/lib/python2.7/site-packages/docutils/transforms/peps.pyc +#usr/lib/python2.7/site-packages/docutils/transforms/references.py +#usr/lib/python2.7/site-packages/docutils/transforms/references.pyc +#usr/lib/python2.7/site-packages/docutils/transforms/universal.py +#usr/lib/python2.7/site-packages/docutils/transforms/universal.pyc +#usr/lib/python2.7/site-packages/docutils/transforms/writer_aux.py +#usr/lib/python2.7/site-packages/docutils/transforms/writer_aux.pyc +#usr/lib/python2.7/site-packages/docutils/utils +#usr/lib/python2.7/site-packages/docutils/utils/__init__.py +#usr/lib/python2.7/site-packages/docutils/utils/__init__.pyc +#usr/lib/python2.7/site-packages/docutils/utils/code_analyzer.py +#usr/lib/python2.7/site-packages/docutils/utils/code_analyzer.pyc +#usr/lib/python2.7/site-packages/docutils/utils/error_reporting.py +#usr/lib/python2.7/site-packages/docutils/utils/error_reporting.pyc +#usr/lib/python2.7/site-packages/docutils/utils/math +#usr/lib/python2.7/site-packages/docutils/utils/math/__init__.py +#usr/lib/python2.7/site-packages/docutils/utils/math/__init__.pyc +#usr/lib/python2.7/site-packages/docutils/utils/math/latex2mathml.py +#usr/lib/python2.7/site-packages/docutils/utils/math/latex2mathml.pyc +#usr/lib/python2.7/site-packages/docutils/utils/math/math2html.py +#usr/lib/python2.7/site-packages/docutils/utils/math/math2html.pyc +#usr/lib/python2.7/site-packages/docutils/utils/math/tex2unichar.py +#usr/lib/python2.7/site-packages/docutils/utils/math/tex2unichar.pyc +#usr/lib/python2.7/site-packages/docutils/utils/math/unichar2tex.py +#usr/lib/python2.7/site-packages/docutils/utils/math/unichar2tex.pyc +#usr/lib/python2.7/site-packages/docutils/utils/punctuation_chars.py 
+#usr/lib/python2.7/site-packages/docutils/utils/punctuation_chars.pyc +#usr/lib/python2.7/site-packages/docutils/utils/roman.py +#usr/lib/python2.7/site-packages/docutils/utils/roman.pyc +#usr/lib/python2.7/site-packages/docutils/utils/smartquotes.py +#usr/lib/python2.7/site-packages/docutils/utils/smartquotes.pyc +#usr/lib/python2.7/site-packages/docutils/utils/urischemes.py +#usr/lib/python2.7/site-packages/docutils/utils/urischemes.pyc +#usr/lib/python2.7/site-packages/docutils/writers +#usr/lib/python2.7/site-packages/docutils/writers/__init__.py +#usr/lib/python2.7/site-packages/docutils/writers/__init__.pyc +#usr/lib/python2.7/site-packages/docutils/writers/docutils_xml.py +#usr/lib/python2.7/site-packages/docutils/writers/docutils_xml.pyc +#usr/lib/python2.7/site-packages/docutils/writers/html4css1 +#usr/lib/python2.7/site-packages/docutils/writers/html4css1/__init__.py +#usr/lib/python2.7/site-packages/docutils/writers/html4css1/__init__.pyc +#usr/lib/python2.7/site-packages/docutils/writers/html4css1/html4css1.css +#usr/lib/python2.7/site-packages/docutils/writers/html4css1/math.css +#usr/lib/python2.7/site-packages/docutils/writers/html4css1/template.txt +#usr/lib/python2.7/site-packages/docutils/writers/latex2e +#usr/lib/python2.7/site-packages/docutils/writers/latex2e/__init__.py +#usr/lib/python2.7/site-packages/docutils/writers/latex2e/__init__.pyc +#usr/lib/python2.7/site-packages/docutils/writers/latex2e/default.tex +#usr/lib/python2.7/site-packages/docutils/writers/latex2e/titlepage.tex +#usr/lib/python2.7/site-packages/docutils/writers/latex2e/xelatex.tex +#usr/lib/python2.7/site-packages/docutils/writers/manpage.py +#usr/lib/python2.7/site-packages/docutils/writers/manpage.pyc +#usr/lib/python2.7/site-packages/docutils/writers/null.py +#usr/lib/python2.7/site-packages/docutils/writers/null.pyc +#usr/lib/python2.7/site-packages/docutils/writers/odf_odt +#usr/lib/python2.7/site-packages/docutils/writers/odf_odt/__init__.py 
+#usr/lib/python2.7/site-packages/docutils/writers/odf_odt/__init__.pyc +#usr/lib/python2.7/site-packages/docutils/writers/odf_odt/pygmentsformatter.py +#usr/lib/python2.7/site-packages/docutils/writers/odf_odt/pygmentsformatter.pyc +#usr/lib/python2.7/site-packages/docutils/writers/odf_odt/styles.odt +#usr/lib/python2.7/site-packages/docutils/writers/pep_html +#usr/lib/python2.7/site-packages/docutils/writers/pep_html/__init__.py +#usr/lib/python2.7/site-packages/docutils/writers/pep_html/__init__.pyc +#usr/lib/python2.7/site-packages/docutils/writers/pep_html/pep.css +#usr/lib/python2.7/site-packages/docutils/writers/pep_html/template.txt +#usr/lib/python2.7/site-packages/docutils/writers/pseudoxml.py +#usr/lib/python2.7/site-packages/docutils/writers/pseudoxml.pyc +#usr/lib/python2.7/site-packages/docutils/writers/s5_html +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/__init__.py +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/__init__.pyc +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/README.txt +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/big-black +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/big-black/__base__ +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/big-black/framing.css +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/big-black/pretty.css +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/big-white +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/big-white/framing.css +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/big-white/pretty.css +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/blank.gif +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/framing.css 
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/iepngfix.htc +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/opera.css +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/outline.css +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/pretty.css +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/print.css +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/s5-core.css +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/slides.css +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/slides.js +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/medium-black +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/medium-black/__base__ +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/medium-black/pretty.css +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/medium-white +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/medium-white/framing.css +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/medium-white/pretty.css +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/small-black +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/small-black/__base__ +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/small-black/pretty.css +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/small-white +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/small-white/framing.css +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/small-white/pretty.css +#usr/lib/python2.7/site-packages/docutils/writers/xetex +#usr/lib/python2.7/site-packages/docutils/writers/xetex/__init__.py +#usr/lib/python2.7/site-packages/docutils/writers/xetex/__init__.pyc 
diff --git a/config/rootfiles/common/python-inotify b/config/rootfiles/common/python-inotify
new file mode 100644
index 0000000000..5fc062a576
--- /dev/null
+++ b/config/rootfiles/common/python-inotify
@@ -0,0 +1,20 @@
+#usr/lib/python2.7/site-packages/inotify
+#usr/lib/python2.7/site-packages/inotify-0.2.7-py2.7.egg-info
+#usr/lib/python2.7/site-packages/inotify-0.2.7-py2.7.egg-info/PKG-INFO
+#usr/lib/python2.7/site-packages/inotify-0.2.7-py2.7.egg-info/SOURCES.txt
+#usr/lib/python2.7/site-packages/inotify-0.2.7-py2.7.egg-info/dependency_links.txt
+#usr/lib/python2.7/site-packages/inotify-0.2.7-py2.7.egg-info/not-zip-safe
+#usr/lib/python2.7/site-packages/inotify-0.2.7-py2.7.egg-info/top_level.txt
+usr/lib/python2.7/site-packages/inotify/__init__.py
+usr/lib/python2.7/site-packages/inotify/__init__.pyc
+usr/lib/python2.7/site-packages/inotify/adapters.py
+usr/lib/python2.7/site-packages/inotify/adapters.pyc
+usr/lib/python2.7/site-packages/inotify/calls.py
+usr/lib/python2.7/site-packages/inotify/calls.pyc
+usr/lib/python2.7/site-packages/inotify/constants.py
+usr/lib/python2.7/site-packages/inotify/constants.pyc
+usr/lib/python2.7/site-packages/inotify/library.py
+usr/lib/python2.7/site-packages/inotify/library.pyc
+#usr/lib/python2.7/site-packages/inotify/resources
+#usr/lib/python2.7/site-packages/inotify/resources/README.rst
+#usr/lib/python2.7/site-packages/inotify/resources/requirements.txt
diff --git a/config/rootfiles/common/unbound b/config/rootfiles/common/unbound
new file mode 100644
index 0000000000..94eeba777e
--- /dev/null
+++ b/config/rootfiles/common/unbound
@@ -0,0 +1,62 @@
+etc/rc.d/init.d/unbound
+#etc/unbound
+etc/unbound/dhcp-leases.conf
+etc/unbound/forward.conf
+etc/unbound/icannbundle.pem
+etc/unbound/local.d
+etc/unbound/root.hints
+etc/unbound/root.key
+etc/unbound/unbound.conf
+#usr/include/unbound.h
+#usr/lib/libunbound.la
+#usr/lib/libunbound.so
+usr/lib/libunbound.so.2
+usr/lib/libunbound.so.2.4.1
+usr/sbin/unbound
+usr/sbin/unbound-anchor
+usr/sbin/unbound-checkconf
+usr/sbin/unbound-dhcp-leases-bridge
+usr/sbin/unbound-control
+usr/sbin/unbound-control-setup
+usr/sbin/unbound-switch
+usr/sbin/unbound-zone
+#usr/share/man/man1/unbound-host.1
+#usr/share/man/man3/libunbound.3
+#usr/share/man/man3/ub_cancel.3
+#usr/share/man/man3/ub_ctx.3
+#usr/share/man/man3/ub_ctx_add_ta.3
+#usr/share/man/man3/ub_ctx_add_ta_file.3
+#usr/share/man/man3/ub_ctx_async.3
+#usr/share/man/man3/ub_ctx_config.3
+#usr/share/man/man3/ub_ctx_create.3
+#usr/share/man/man3/ub_ctx_data_add.3
+#usr/share/man/man3/ub_ctx_data_remove.3
+#usr/share/man/man3/ub_ctx_debuglevel.3
+#usr/share/man/man3/ub_ctx_debugout.3
+#usr/share/man/man3/ub_ctx_delete.3
+#usr/share/man/man3/ub_ctx_get_option.3
+#usr/share/man/man3/ub_ctx_hosts.3
+#usr/share/man/man3/ub_ctx_print_local_zones.3
+#usr/share/man/man3/ub_ctx_resolvconf.3
+#usr/share/man/man3/ub_ctx_set_fwd.3
+#usr/share/man/man3/ub_ctx_set_option.3
+#usr/share/man/man3/ub_ctx_trustedkeys.3
+#usr/share/man/man3/ub_ctx_zone_add.3
+#usr/share/man/man3/ub_ctx_zone_remove.3
+#usr/share/man/man3/ub_fd.3
+#usr/share/man/man3/ub_poll.3
+#usr/share/man/man3/ub_process.3
+#usr/share/man/man3/ub_resolve.3
+#usr/share/man/man3/ub_resolve_async.3
+#usr/share/man/man3/ub_resolve_free.3
+#usr/share/man/man3/ub_result.3
+#usr/share/man/man3/ub_strerror.3
+#usr/share/man/man3/ub_wait.3
+#usr/share/man/man5/unbound.conf.5
+#usr/share/man/man8/unbound-anchor.8
+#usr/share/man/man8/unbound-checkconf.8
+#usr/share/man/man8/unbound-control-setup.8
+#usr/share/man/man8/unbound-control.8
+#usr/share/man/man8/unbound.8
+var/lib/unbound
+var/lib/unbound/root.key
diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts
index ee5a4ab6f2..2053bd97a9 100644
--- a/config/rootfiles/common/x86_64/initscripts
+++ b/config/rootfiles/common/x86_64/initscripts
@@ -27,7 +27,6 @@ etc/rc.d/init.d/console
 etc/rc.d/init.d/dhcp
 etc/rc.d/init.d/dhcrelay
 #etc/rc.d/init.d/dnsdist
-etc/rc.d/init.d/dnsmasq
 etc/rc.d/init.d/fcron
 #etc/rc.d/init.d/fetchmail
 etc/rc.d/init.d/fireinfo
@@ -78,7 +77,7 @@ etc/rc.d/init.d/networking/green
 etc/rc.d/init.d/networking/orange
 etc/rc.d/init.d/networking/red
 #etc/rc.d/init.d/networking/red.down
-etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq
+etc/rc.d/init.d/networking/red.down/05-update-dns-forwarders
 etc/rc.d/init.d/networking/red.down/10-ipsec
 etc/rc.d/init.d/networking/red.down/10-miniupnpd
 etc/rc.d/init.d/networking/red.down/10-ovpn
@@ -86,7 +85,7 @@ etc/rc.d/init.d/networking/red.down/10-static-routes
 etc/rc.d/init.d/networking/red.down/20-firewall
 #etc/rc.d/init.d/networking/red.up
 etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup
-etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq
+etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders
 etc/rc.d/init.d/networking/red.up/10-miniupnpd
 etc/rc.d/init.d/networking/red.up/10-multicast
 etc/rc.d/init.d/networking/red.up/10-static-routes
diff --git a/config/unbound/icannbundle.pem b/config/unbound/icannbundle.pem
new file mode 100644
index 0000000000..48941ded40
--- /dev/null
+++ b/config/unbound/icannbundle.pem
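Review bot: The rootfile ships two trust-anchor files, `etc/unbound/root.key` and `var/lib/unbound/root.key`, while the cron job added in config/cron/crontab maintains only the latter; unless unbound.conf (not in this merge) points `auto-trust-anchor-file` at the /var/lib copy, the daemon validates against an anchor that is never refreshed, and the /etc copy goes stale either way, so listing a single anchor file would avoid the ambiguity. `etc/unbound/dhcp-leases.conf` and `etc/unbound/forward.conf` also look like runtime-generated state (by unbound-dhcp-leases-bridge and the new 05-update-dns-forwarders hooks, as far as the names suggest); as far as I can tell rootfile entries are what a core update unpacks over a running system, so if these are generated they should be commented out like the other non-shipped entries rather than overwritten on every update. `usr/sbin/unbound-control-setup` is listed but the control keys it generates are not, so they are presumably created on first start — confirm the initscript does that before anything calls unbound-control.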
@@ -0,0 +1,317 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US + Validity + Not Before: Dec 23 04:19:12 2009 GMT + Not After : Dec 18 04:19:12 2029 GMT + Subject: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:a0:db:70:b8:4f:34:da:9c:d4:d0:7e:bb:ea:15: + bc:e9:c9:11:2a:1f:61:2f:6a:b9:bd:3f:3d:76:a0: + 9a:0a:f7:ee:93:6e:6e:55:53:84:8c:f2:2c:f1:82: + 27:c8:0f:9a:cf:52:1b:54:da:28:d2:2c:30:8e:dd: + fb:92:20:33:2d:d6:c8:f1:0e:10:21:88:71:fa:84: + 22:4b:5d:47:56:16:7c:9b:9f:5d:c3:11:79:9c:14: + e2:ff:c0:74:ac:dd:39:d7:e0:38:d8:b0:73:aa:fb: + d1:db:84:af:52:22:a8:f6:d5:9b:94:f4:e6:5d:5e: + e8:3f:87:90:0b:c7:1a:77:f5:2e:d3:8f:1a:ce:02: + 1d:07:69:21:47:32:da:46:ae:00:4c:b6:a5:a2:9c: + 39:c1:c0:4a:f6:d3:1c:ae:d3:6d:bb:c7:18:f0:7e: + ed:f6:80:ce:d0:01:2e:89:de:12:ba:ee:11:cb:a6: + 7a:d7:0d:7c:f3:08:8d:72:9d:bf:55:75:13:70:bb: + 31:22:4a:cb:e8:c0:aa:a4:09:aa:36:68:40:60:74: + 9d:e7:19:81:43:22:52:fe:c9:2b:52:0f:41:13:36: + 09:72:65:95:cc:89:ae:6f:56:17:16:34:73:52:a3: + 04:ed:bd:88:82:8a:eb:d7:dc:82:52:9c:06:e1:52: + 85:41 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 + Signature Algorithm: sha256WithRSAEncryption + 0f:f1:e9:82:a2:0a:87:9f:2d:94:60:5a:b2:c0:4b:a1:2f:2b: + 3b:47:d5:0a:99:86:38:b2:ec:c6:3b:89:e4:6e:07:cf:14:c7: + c7:e8:cf:99:8f:aa:30:c3:19:70:b9:e6:6d:d6:3f:c8:68:26: + b2:a0:a5:37:42:ca:d8:62:80:d1:a2:5a:48:2e:1f:85:3f:0c: + 7b:c2:c7:94:11:5f:19:2a:95:ac:a0:3a:03:d8:91:5b:2e:0d: + 
9c:7c:1f:2e:fc:e9:44:e1:16:26:73:1c:45:4a:65:c1:83:4c: + 90:f3:f2:28:42:df:db:c4:e7:04:12:18:62:43:5e:bc:1f:6c: + 84:e6:bc:49:32:df:61:d7:99:ee:e4:90:52:7b:0a:c2:91:8a: + 98:62:66:b1:c8:e0:b7:5a:b5:46:7c:76:71:54:8e:cc:a4:81: + 5c:19:db:d2:6f:66:b5:bb:2b:ae:6b:c9:74:04:a8:24:de:e8: + c5:d3:fc:2c:1c:d7:8f:db:6a:8d:c9:53:be:5d:50:73:ac:cf: + 1f:93:c0:52:50:5b:a2:4f:fe:ad:65:36:17:46:d1:2d:e5:a2: + 90:66:05:db:29:4e:5d:50:5d:e3:4f:da:a0:8f:f0:6b:e4:16: + 70:dd:7f:f3:77:7d:b9:4e:f9:ec:c3:33:02:d7:e9:63:2f:31: + e7:40:61:a4 +-----BEGIN CERTIFICATE----- +MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO +TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV +BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX +DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O +IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB +MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb +cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S +G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg +ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2 +paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7 +MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29 +iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B +Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3 +DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH +6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD +2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h +15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF +0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg +j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha256WithRSAEncryption + Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US + 
Validity + Not Before: Dec 23 04:45:04 2009 GMT + Not After : Dec 22 04:45:04 2014 GMT + Subject: O=ICANN, CN=ICANN DNSSEC CA/emailAddress=dnssec@icann.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:c0:bf:e2:b4:ee:12:46:36:3b:7c:d2:46:21:64: + 5a:93:e1:e3:02:10:25:bb:a5:30:70:19:89:98:7e: + 9e:db:8e:0f:ac:c8:48:66:0e:1a:f8:81:e5:2d:3c: + 7b:39:39:76:28:8f:ee:0a:a7:dd:64:e9:5f:87:25: + b1:64:e5:59:03:fc:bc:29:3b:63:37:c8:d7:46:9a: + b6:ce:87:55:cd:cf:e2:ab:e9:c7:8a:53:2e:25:87: + b0:98:d6:20:a3:a8:ec:87:b0:39:a3:c4:c5:75:59: + 3c:fb:91:03:fa:ee:7f:e9:2b:b6:70:88:69:2c:e6: + f1:4f:fc:d0:47:b4:e9:a0:2c:fa:0c:c3:84:eb:be: + 73:5a:bc:16:ed:d0:83:02:2d:eb:6a:21:02:51:70: + 29:1e:4f:c9:69:03:9f:91:32:5c:2c:1a:9f:5e:45: + 48:2a:50:ee:72:14:ec:17:29:fc:20:95:7d:22:6a: + c6:6f:83:a2:58:8e:b1:64:c8:73:23:54:6c:69:1d: + 66:1f:df:f8:4f:24:a1:a8:ae:00:7f:e9:89:41:a6: + e3:88:1d:3a:e1:b3:3a:ef:29:45:32:9b:94:2e:b7: + 6c:1e:fe:31:40:13:e1:bd:52:67:d0:d8:c3:3e:03: + 84:48:72:9d:bd:8a:48:a0:f2:72:35:b6:03:4b:c6: + e9:05 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign + X509v3 Authority Key Identifier: + keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 + + X509v3 Subject Key Identifier: + 8F:B2:42:69:C3:9D:E4:3C:FA:13:B9:FF:F2:C0:A4:EF:D8:0F:E8:22 + Signature Algorithm: sha256WithRSAEncryption + 4a:78:a2:47:7e:3f:2e:4d:78:68:ab:06:5c:ff:da:01:04:45: + 92:20:20:88:f3:dc:4e:70:01:9b:cb:f3:13:61:34:04:09:15: + d0:be:99:1c:be:fc:97:e9:2d:73:e1:b3:2b:a6:b9:3a:41:33: + f3:83:3d:64:1b:64:95:bf:ae:cd:20:df:18:e0:62:8d:fa:9c: + f7:d8:a9:3c:25:2b:8e:cf:10:e5:29:b9:af:1a:7f:62:64:75: + e7:c6:fd:9b:6d:71:c0:a9:b3:0f:9a:b7:7a:fe:53:04:18:cd: + 04:06:d9:bf:01:0e:cc:04:84:84:51:a3:e9:06:2a:a3:25:73: + 
4e:8d:62:19:13:25:5b:de:0b:dc:d0:69:01:ca:41:0a:96:13: + cf:6a:11:fe:2b:9a:3f:fd:56:3d:73:3d:58:49:c2:71:83:20: + 23:6d:46:99:6e:37:91:9f:76:2a:9c:b0:69:3f:64:9f:05:bb: + 38:c8:1e:ca:d8:6c:fd:56:3e:a6:85:a2:53:80:c6:42:b6:79: + c6:43:0b:e0:6c:ea:9f:cf:b0:2a:2c:01:50:c3:d8:0f:a0:7e: + a1:73:a8:5c:84:27:5b:c9:4b:5a:13:e9:69:25:1c:59:11:d2: + 01:dc:da:e7:c8:44:34:a2:e4:99:25:b4:c3:23:b5:f8:2d:48: + e5:8d:06:73 +-----BEGIN CERTIFICATE----- +MIIDhjCCAm6gAwIBAgIBAjANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO +TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV +BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0NDUwNFoX +DTE0MTIyMjA0NDUwNFowSzEOMAwGA1UEChMFSUNBTk4xGDAWBgNVBAMTD0lDQU5O +IEROU1NFQyBDQTEfMB0GCSqGSIb3DQEJARMQZG5zc2VjQGljYW5uLm9yZzCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMC/4rTuEkY2O3zSRiFkWpPh4wIQ +JbulMHAZiZh+ntuOD6zISGYOGviB5S08ezk5diiP7gqn3WTpX4clsWTlWQP8vCk7 +YzfI10aats6HVc3P4qvpx4pTLiWHsJjWIKOo7IewOaPExXVZPPuRA/ruf+krtnCI +aSzm8U/80Ee06aAs+gzDhOu+c1q8Fu3QgwIt62ohAlFwKR5PyWkDn5EyXCwan15F +SCpQ7nIU7Bcp/CCVfSJqxm+DoliOsWTIcyNUbGkdZh/f+E8koaiuAH/piUGm44gd +OuGzOu8pRTKblC63bB7+MUAT4b1SZ9DYwz4DhEhynb2KSKDycjW2A0vG6QUCAwEA +AaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAf4wHwYDVR0jBBgw +FoAUulLpSYMkhlIvx5nN/I1raQhNwFAwHQYDVR0OBBYEFI+yQmnDneQ8+hO5//LA +pO/YD+giMA0GCSqGSIb3DQEBCwUAA4IBAQBKeKJHfj8uTXhoqwZc/9oBBEWSICCI +89xOcAGby/MTYTQECRXQvpkcvvyX6S1z4bMrprk6QTPzgz1kG2SVv67NIN8Y4GKN ++pz32Kk8JSuOzxDlKbmvGn9iZHXnxv2bbXHAqbMPmrd6/lMEGM0EBtm/AQ7MBISE +UaPpBiqjJXNOjWIZEyVb3gvc0GkBykEKlhPPahH+K5o//VY9cz1YScJxgyAjbUaZ +bjeRn3YqnLBpP2SfBbs4yB7K2Gz9Vj6mhaJTgMZCtnnGQwvgbOqfz7AqLAFQw9gP +oH6hc6hchCdbyUtaE+lpJRxZEdIB3NrnyEQ0ouSZJbTDI7X4LUjljQZz +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 6 (0x6) + Signature Algorithm: sha256WithRSAEncryption + Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US + Validity + Not Before: Dec 23 05:21:16 2009 GMT + Not After : Dec 22 05:21:16 2014 GMT + 
Subject: O=ICANN, CN=ICANN EMAIL CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:d2:19:1e:22:69:33:f6:a4:d2:76:c5:80:11:75: + 8e:d0:e8:6f:bf:89:f8:2a:6a:da:8a:85:28:40:ba: + c5:23:5f:47:ed:72:e2:8e:d3:5c:c8:8a:3a:99:a9: + 57:2c:0a:2b:22:f3:54:7b:8b:f7:8c:21:a2:50:01: + 4f:8b:af:34:df:72:fc:78:31:d0:1d:eb:bc:9b:e6: + fa:c1:84:d0:05:07:8a:74:53:a5:60:9e:eb:75:9e: + a8:5d:32:c8:02:32:e4:bf:cb:97:9b:7a:fa:2c:f6: + 6a:1d:b8:57:ad:e3:03:22:93:d0:f4:4f:a8:b8:01: + db:82:33:98:b6:87:ed:3d:67:40:00:27:2e:d5:95: + d2:ad:36:46:14:c6:17:79:65:7f:65:f3:88:80:65: + 7c:22:67:08:23:3c:cf:a5:10:38:72:30:97:92:6f: + 20:4a:ba:24:4c:4a:c8:4a:a5:dc:2a:44:a1:29:78: + b4:9f:fe:84:ff:27:5b:3a:72:ea:31:c1:ad:06:22: + d6:44:a0:4a:57:32:9c:f2:46:47:d0:89:6e:20:23: + 2c:ea:b0:83:7e:c1:f3:ea:da:dd:e3:63:59:97:21: + fa:1b:11:39:27:cf:82:8b:56:15:d4:36:92:0c:a5: + 7e:80:e0:18:c9:50:08:42:0a:df:97:3c:9c:b8:0a: + 4d:b1 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign + X509v3 Authority Key Identifier: + keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 + + X509v3 Subject Key Identifier: + 7B:3F:BA:CE:A1:B3:A6:13:2E:5A:82:84:D4:D2:EA:A5:24:F1:CD:B4 + Signature Algorithm: sha256WithRSAEncryption + 50:07:a5:61:39:e4:3b:e3:bc:1c:b4:a7:b2:ab:a1:fb:47:bf: + b4:1c:32:ac:3c:46:b0:02:26:2f:16:3e:89:70:e2:87:e9:76: + 99:61:0b:91:c5:48:7a:e5:aa:24:0b:39:e0:4f:26:03:d4:5b: + 01:8a:4d:b6:98:cc:16:fa:e2:12:4a:88:b9:53:bb:50:2d:c7: + 37:b8:a3:82:2d:52:05:3e:46:a7:db:97:82:73:8d:7d:ed:dd: + 9e:37:73:68:6b:90:cd:62:d8:77:ff:32:53:bb:d3:a1:b9:cb: + 7d:32:29:70:fb:2e:90:4b:27:12:6d:99:a5:e6:d4:ef:13:32: + c1:2f:b5:ae:6e:11:0e:50:56:a4:56:5b:76:b0:c0:99:2e:5a: + 94:17:ee:2b:c1:b6:9c:8b:68:ac:55:95:31:8c:66:2b:35:43: + 
a5:13:04:1b:50:44:1c:55:7f:4c:d0:1a:50:80:53:45:a8:e3: + d3:a8:74:ad:7d:6a:d6:e9:9a:d3:25:7d:83:e2:57:64:1a:94: + 7e:bc:cb:ef:79:b5:54:6a:f1:b0:c3:81:26:90:e5:40:87:ed: + 75:7d:83:63:5b:ab:45:c0:34:04:27:e8:d8:12:26:7c:5e:c0: + 48:b6:33:7d:4b:db:23:8a:f7:13:24:bc:be:7b:74:cb:c4:ed: + ed:42:eb:2f +-----BEGIN CERTIFICATE----- +MIIDZDCCAkygAwIBAgIBBjANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO +TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV +BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA1MjExNloX +DTE0MTIyMjA1MjExNlowKTEOMAwGA1UEChMFSUNBTk4xFzAVBgNVBAMTDklDQU5O +IEVNQUlMIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0hkeImkz +9qTSdsWAEXWO0Ohvv4n4KmraioUoQLrFI19H7XLijtNcyIo6malXLAorIvNUe4v3 +jCGiUAFPi68033L8eDHQHeu8m+b6wYTQBQeKdFOlYJ7rdZ6oXTLIAjLkv8uXm3r6 +LPZqHbhXreMDIpPQ9E+ouAHbgjOYtoftPWdAACcu1ZXSrTZGFMYXeWV/ZfOIgGV8 +ImcIIzzPpRA4cjCXkm8gSrokTErISqXcKkShKXi0n/6E/ydbOnLqMcGtBiLWRKBK +VzKc8kZH0IluICMs6rCDfsHz6trd42NZlyH6GxE5J8+Ci1YV1DaSDKV+gOAYyVAI +QgrflzycuApNsQIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE +AwIB/jAfBgNVHSMEGDAWgBS6UulJgySGUi/Hmc38jWtpCE3AUDAdBgNVHQ4EFgQU +ez+6zqGzphMuWoKE1NLqpSTxzbQwDQYJKoZIhvcNAQELBQADggEBAFAHpWE55Dvj +vBy0p7KroftHv7QcMqw8RrACJi8WPolw4ofpdplhC5HFSHrlqiQLOeBPJgPUWwGK +TbaYzBb64hJKiLlTu1Atxze4o4ItUgU+Rqfbl4JzjX3t3Z43c2hrkM1i2Hf/MlO7 +06G5y30yKXD7LpBLJxJtmaXm1O8TMsEvta5uEQ5QVqRWW3awwJkuWpQX7ivBtpyL +aKxVlTGMZis1Q6UTBBtQRBxVf0zQGlCAU0Wo49OodK19atbpmtMlfYPiV2QalH68 +y+95tVRq8bDDgSaQ5UCH7XV9g2Nbq0XANAQn6NgSJnxewEi2M31L2yOK9xMkvL57 +dMvE7e1C6y8= +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: sha256WithRSAEncryption + Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US + Validity + Not Before: Dec 23 05:07:29 2009 GMT + Not After : Dec 22 05:07:29 2014 GMT + Subject: O=ICANN, CN=ICANN SSL CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 
00:dd:c6:ab:bf:7c:66:9d:b3:2b:96:00:14:c7:60: + 7a:8d:62:5b:26:4b:30:d7:b3:4c:82:69:c6:4d:4d: + 73:f3:d4:91:21:5d:ab:35:f0:c8:04:0e:f4:a3:35: + e2:e1:18:a9:98:12:03:58:f8:9f:eb:77:54:5b:89: + 81:26:c9:aa:c2:f4:c9:0c:82:57:2a:5e:05:e9:61: + 17:cc:19:18:71:eb:35:83:c1:86:9d:ec:f1:6b:ca: + dd:a1:96:0b:95:d4:e1:0f:9e:24:6f:dc:3c:d0:28: + 9e:f2:53:47:2b:a1:ad:32:03:c8:3f:0d:80:80:7d: + f0:02:d2:6e:5a:2c:44:21:9b:09:50:15:3f:a1:3d: + d3:c9:c8:24:e7:ea:4e:92:2f:94:90:2e:de:e7:68: + f6:c6:b3:90:1f:bc:c9:7b:a2:65:d7:11:e9:8b:f0: + 3a:5a:b7:17:07:df:69:e3:6e:b9:54:6a:8e:3a:aa: + 94:7f:2c:0a:a1:ad:ba:b7:d9:60:62:27:a7:71:40: + 3b:8e:b0:84:7b:b8:c8:67:ef:66:ba:3d:ac:c3:85: + e5:86:bb:a7:9c:fd:b6:e1:c0:10:53:3d:d4:7e:1b: + 09:e6:9f:22:5c:a7:27:09:7e:27:12:33:fa:df:9b: + 20:2f:14:f7:17:c0:e4:1e:07:91:1f:f9:9a:cd:a8: + e2:c5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign + X509v3 Authority Key Identifier: + keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 + + X509v3 Subject Key Identifier: + 6E:77:A8:40:10:4A:D8:9C:0C:F2:B7:5A:3A:A5:2F:79:4A:61:14:D8 + Signature Algorithm: sha256WithRSAEncryption + 18:42:62:df:aa:8e:44:e6:87:10:4d:d9:a6:b2:c3:97:37:43: + 2e:ce:f3:e0:3c:c2:2f:e1:78:60:41:a9:2b:5d:f4:24:f5:f6: + 57:a2:08:ec:9c:89:e5:54:50:a8:30:c6:20:e5:8a:c7:8b:bd: + fd:98:b6:0c:7d:1a:1f:01:a1:4a:4e:ec:0d:2a:aa:9f:fd:a9: + 20:0d:b3:5c:0f:36:c0:2c:2b:c6:75:22:29:66:a3:34:bd:93: + 3d:f6:28:da:90:d5:7e:91:df:d3:06:f6:69:8b:80:9b:a5:34: + af:6a:02:5b:e4:52:7d:56:4d:99:6e:fe:e9:d0:36:99:58:d9: + af:cd:79:9b:e5:d2:4c:35:90:d3:e0:68:b2:88:2b:18:39:2e: + bc:0b:d9:82:84:7f:24:12:92:d2:b9:13:4f:64:bc:46:e1:5c: + 6a:ed:f7:b0:d4:66:27:25:21:86:b4:3a:5e:19:a3:c7:8b:4b: + 93:b9:2e:37:e2:6d:8b:46:ee:68:39:21:75:e8:fe:2a:a7:85: + fd:68:26:96:bd:dd:f9:f1:fe:99:5f:b4:a4:97:1b:50:18:fa: + 
21:90:54:0c:8b:30:28:94:70:19:34:9e:5c:e1:e5:48:93:af: + aa:a3:b4:95:b2:f5:4c:97:50:44:58:97:e1:ff:e7:b2:10:dd: + 2c:fe:c0:ed +-----BEGIN CERTIFICATE----- +MIIDYjCCAkqgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO +TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV +BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA1MDcyOVoX +DTE0MTIyMjA1MDcyOVowJzEOMAwGA1UEChMFSUNBTk4xFTATBgNVBAMTDElDQU5O +IFNTTCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN3Gq798Zp2z +K5YAFMdgeo1iWyZLMNezTIJpxk1Nc/PUkSFdqzXwyAQO9KM14uEYqZgSA1j4n+t3 +VFuJgSbJqsL0yQyCVypeBelhF8wZGHHrNYPBhp3s8WvK3aGWC5XU4Q+eJG/cPNAo +nvJTRyuhrTIDyD8NgIB98ALSblosRCGbCVAVP6E908nIJOfqTpIvlJAu3udo9saz +kB+8yXuiZdcR6YvwOlq3FwffaeNuuVRqjjqqlH8sCqGturfZYGInp3FAO46whHu4 +yGfvZro9rMOF5Ya7p5z9tuHAEFM91H4bCeafIlynJwl+JxIz+t+bIC8U9xfA5B4H +kR/5ms2o4sUCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC +Af4wHwYDVR0jBBgwFoAUulLpSYMkhlIvx5nN/I1raQhNwFAwHQYDVR0OBBYEFG53 +qEAQSticDPK3WjqlL3lKYRTYMA0GCSqGSIb3DQEBCwUAA4IBAQAYQmLfqo5E5ocQ +TdmmssOXN0MuzvPgPMIv4XhgQakrXfQk9fZXogjsnInlVFCoMMYg5YrHi739mLYM +fRofAaFKTuwNKqqf/akgDbNcDzbALCvGdSIpZqM0vZM99ijakNV+kd/TBvZpi4Cb +pTSvagJb5FJ9Vk2Zbv7p0DaZWNmvzXmb5dJMNZDT4GiyiCsYOS68C9mChH8kEpLS +uRNPZLxG4Vxq7few1GYnJSGGtDpeGaPHi0uTuS434m2LRu5oOSF16P4qp4X9aCaW +vd358f6ZX7SklxtQGPohkFQMizAolHAZNJ5c4eVIk6+qo7SVsvVMl1BEWJfh/+ey +EN0s/sDt +-----END CERTIFICATE----- diff --git a/config/unbound/root.hints b/config/unbound/root.hints new file mode 100644 index 0000000000..3c82146215 --- /dev/null +++ b/config/unbound/root.hints 
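Review bot: Three of the four certificates in this bundle (serials 2, 3 and 6: the ICANN DNSSEC, SSL and EMAIL CAs) carry `Not After : Dec 22 ... 2014 GMT`, so they were already expired when this file was committed; only the ICANN Root CA (serial 1) is valid until 2029. The crontab hunk in this commit passes the file to `unbound-anchor -c`, which as far as I understand uses the bundle to verify the signature on the downloaded root anchors, so it is worth checking against the bundle currently published by ICANN whether the expired intermediates are still needed and refreshing the file if a newer one exists. Dropping the openssl text dumps and shipping only the PEM blocks would also make future refreshes easier to diff.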
@@ -0,0 +1,90 @@ +; This file holds the information on root name servers needed to +; initialize cache of Internet domain name servers +; (e.g. reference this file in the "cache . " +; configuration file of BIND domain name servers). +; +; This file is made available by InterNIC +; under anonymous FTP as +; file /domain/named.cache +; on server FTP.INTERNIC.NET +; -OR- RS.INTERNIC.NET +; +; last update: March 23, 2016 +; related version of root zone: 2016032301 +; +; formerly NS.INTERNIC.NET +; +. 3600000 NS A.ROOT-SERVERS.NET. +A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4 +A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30 +; +; FORMERLY NS1.ISI.EDU +; +. 3600000 NS B.ROOT-SERVERS.NET. +B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201 +B.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:84::b +; +; FORMERLY C.PSI.NET +; +. 3600000 NS C.ROOT-SERVERS.NET. +C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12 +C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c +; +; FORMERLY TERP.UMD.EDU +; +. 3600000 NS D.ROOT-SERVERS.NET. +D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13 +D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d +; +; FORMERLY NS.NASA.GOV +; +. 3600000 NS E.ROOT-SERVERS.NET. +E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10 +; +; FORMERLY NS.ISC.ORG +; +. 3600000 NS F.ROOT-SERVERS.NET. +F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241 +F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f +; +; FORMERLY NS.NIC.DDN.MIL +; +. 3600000 NS G.ROOT-SERVERS.NET. +G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4 +; +; FORMERLY AOS.ARL.ARMY.MIL +; +. 3600000 NS H.ROOT-SERVERS.NET. +H.ROOT-SERVERS.NET. 3600000 A 198.97.190.53 +H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53 +; +; FORMERLY NIC.NORDU.NET +; +. 3600000 NS I.ROOT-SERVERS.NET. +I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17 +I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53 +; +; OPERATED BY VERISIGN, INC. +; +. 3600000 NS J.ROOT-SERVERS.NET. +J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30 +J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30 +; +; OPERATED BY RIPE NCC +; +. 
3600000 NS K.ROOT-SERVERS.NET. +K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129 +K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1 +; +; OPERATED BY ICANN +; +. 3600000 NS L.ROOT-SERVERS.NET. +L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42 +L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:9f::42 +; +; OPERATED BY WIDE +; +. 3600000 NS M.ROOT-SERVERS.NET. +M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33 +M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35 +; End of file diff --git a/config/unbound/root.key b/config/unbound/root.key new file mode 100644 index 0000000000..0c36abea2a --- /dev/null +++ b/config/unbound/root.key @@ -0,0 +1 @@ +. 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} diff --git a/config/unbound/unbound-dhcp-leases-bridge b/config/unbound/unbound-dhcp-leases-bridge new file mode 100644 index 0000000000..61bd5d0af7 --- /dev/null +++ b/config/unbound/unbound-dhcp-leases-bridge 
@@ -0,0 +1,354 @@
+#!/usr/bin/python
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2016 Michael Tremer #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+import argparse
+import datetime
+import daemon
+import logging
+import logging.handlers
+import re
+import signal
+import subprocess
+
+import inotify.adapters
+
+def setup_logging(loglevel=logging.INFO):
+ log = logging.getLogger("dhcp")
+ log.setLevel(loglevel)
+
+ handler = logging.handlers.SysLogHandler(address="/dev/log", facility="daemon")
+ handler.setLevel(loglevel)
+
+ formatter = logging.Formatter("%(name)s[%(process)d]: %(message)s")
+ handler.setFormatter(formatter)
+
+ log.addHandler(handler)
+
+ return log
+
+log = logging.getLogger("dhcp")
+
+class UnboundDHCPLeasesBridge(object):
+ def __init__(self, dhcp_leases_file, unbound_leases_file):
+ self.leases_file = dhcp_leases_file
+
+ self.unbound = UnboundConfigWriter(unbound_leases_file)
+ self.running = False
+
+ def run(self):
+ log.info("Unbound DHCP Leases Bridge started on %s" % self.leases_file)
+ self.running = True
+
+ # Initially read leases file
+ self.update_dhcp_leases()
+
+ i = inotify.adapters.Inotify([self.leases_file])
+
+ for event in i.event_gen():
+ # End if we are requested to terminate
+ if not self.running:
+ break
+
+ if event is None:
+ continue
+
+ header, type_names, watch_path, filename = event
+
+ # Update leases after leases file has been modified
+ if "IN_MODIFY" in type_names:
+ self.update_dhcp_leases()
+
+ log.info("Unbound DHCP Leases Bridge terminated")
+
+ def update_dhcp_leases(self):
+ log.info("Reading DHCP leases from %s" % self.leases_file)
+
+ leases = DHCPLeases(self.leases_file)
+ self.unbound.update_dhcp_leases(leases)
+
+ def terminate(self):
+ self.running = False
+
+
+class DHCPLeases(object):
+ regex_leaseblock = re.compile(r"lease (?P\d+\.\d+\.\d+\.\d+) {(?P[\s\S]+?)\n}")
+
+ def __init__(self, path):
+ self.path = path
+
+ self._leases = self._parse()
+
+ def __iter__(self):
+ return iter(self._leases)
+
+ def _parse(self):
+ leases = []
+
+ with open(self.path) as f:
+ # Read entire leases file
+ data = f.read()
+
+ for match in self.regex_leaseblock.finditer(data):
+ block = match.groupdict()
+
+ ipaddr = block.get("ipaddr")
+ config = block.get("config")
+
+ properties = self._parse_block(config)
+
+ # Skip any abandoned leases
+ if not "hardware" in properties:
+ continue
+
+ lease = Lease(ipaddr, properties)
+
+ # Check if a lease for this Ethernet address already
+ # exists in the list of known leases. If so replace
+ # if with the most recent lease
+ for i, l in enumerate(leases):
+ if l.hwaddr == lease.hwaddr:
+ leases[i] = max(lease, l)
+ break
+
+ else:
+ leases.append(lease)
+
+ return leases
+
+ def _parse_block(self, block):
+ properties = {}
+
+ for line in block.splitlines():
+ if not line:
+ continue
+
+ # Remove trailing ; from line
+ if line.endswith(";"):
+ line = line[:-1]
+
+ # Invalid line if it doesn't end with ;
+ else:
+ continue
+
+ # Remove any leading whitespace
+ line = line.lstrip()
+
+ # We skip all options and sets
+ if line.startswith("option") or line.startswith("set"):
+ continue
+
+ # Split by first space
+ key, val = line.split(" ", 1)
+ properties[key] = val
+
+ return properties
+
+
+class Lease(object):
+ def __init__(self, ipaddr, properties):
+ self.ipaddr = ipaddr
+ self._properties = properties
+
+ def __repr__(self):
+ return "<%s %s for %s (%s)>" % (self.__class__.__name__,
+ self.ipaddr, self.hwaddr, self.hostname)
+
+ def __eq__(self, other):
+ return self.ipaddr == other.ipaddr and self.hwaddr == other.hwaddr
+
+ def __gt__(self, other):
+ if not self.ipaddr == other.ipaddr:
+ return
+
+ if not self.hwaddr == other.hwaddr:
+ return
+
+ return self.time_starts > other.time_starts
+
+ @property
+ def binding_state(self):
+ state = self._properties.get("binding")
+
+ if state:
+ state = state.split(" ", 1)
+ return state[1]
+
+ @property
+ def active(self):
+ return self.binding_state == "active"
+
+ @property
+ def hwaddr(self):
+ hardware = self._properties.get("hardware")
+
+ if not hardware:
+ return
+
+ ethernet, address = hardware.split(" ", 1)
+
+ return address
+
+ @property
+ def hostname(self):
+ hostname = self._properties.get("client-hostname")
+
+ # Remove any ""
+ if hostname:
+ hostname = hostname.replace("\"", "")
+
+ return hostname
+
+ @property
+ def domain(self):
+ return "local" # XXX
+
+ @property
+ def fqdn(self):
+ return "%s.%s" % (self.hostname, self.domain)
+
+ @staticmethod
+ def _parse_time(s):
+ return datetime.datetime.strptime(s, "%w %Y/%m/%d %H:%M:%S")
+
+ @property
+ def time_starts(self):
+ starts = self._properties.get("starts")
+
+ if starts:
+ return self._parse_time(starts)
+
+ @property
+ def time_ends(self):
+ ends = self._properties.get("ends")
+
+ if not ends or ends == "never":
+ return
+
+ return self._parse_time(ends)
+
+ @property
+ def expired(self):
+ if not self.time_ends:
+ return self.time_starts > datetime.datetime.utcnow()
+
+ return self.time_starts > datetime.datetime.utcnow() > self.time_ends
+
+ @property
+ def rrset(self):
+ return [
+ # Forward record
+ (self.fqdn, "IN A", self.ipaddr),
+
+ # Reverse record
+ (self.ipaddr, "IN PTR", self.fqdn),
+ ]
+
+
+class UnboundConfigWriter(object):
+ def __init__(self, path):
+ self.path = path
+
+ self._cached_leases = []
+
+ def update_dhcp_leases(self, leases):
+ # Strip all non-active or expired leases
+ leases = [l for l in leases if l.active and not l.expired]
+
+ # Find any leases that have expired or do not exist any more
+ removed_leases = [l for l in self._cached_leases if l.expired or l not in leases]
+
+ # Find any leases that have been added
+ new_leases = [l for l in leases if l not in self._cached_leases]
+
+ # End here if nothing has changed
+ if not new_leases and not removed_leases:
+ return
+
+ self._cached_leases = leases
+
+ # Write out all leases
+ self.write_dhcp_leases(leases)
+
+ # Update unbound about changes
+ for l in removed_leases:
+ self._control("local_data_remove", l.fqdn)
+
+ for l in new_leases:
+ for rr in l.rrset:
+ self._control("local_data", *rr)
+
+
+ def write_dhcp_leases(self, leases):
+ with open(self.path, "w") as f:
+ for l in leases:
+ for rr in l.rrset:
+ f.write("local-data: \"%s\"\n" % " ".join(rr))
+
+ def _control(self, *args):
+ command = ["unbound-control", "-q"]
+ command.extend(args)
+
+ try:
+ subprocess.check_call(command)
+
+ # Log any errors
+ except subprocess.CalledProcessError as e:
+ log.critical("Could not run %s, error code: %s: %s" % (
+ " ".join(command), e.returncode, e.output))
+
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser(description="Bridge for DHCP Leases and Unbound DNS")
+
+ # Daemon Stuff
+ parser.add_argument("--daemon", "-d", action="store_true",
+ help="Launch as daemon in background")
+ parser.add_argument("--verbose", "-v", action="count", help="Be more verbose")
+
+ # Paths
+ parser.add_argument("--dhcp-leases", default="/var/state/dhcp/dhcpd.leases",
+ metavar="PATH", help="Path to the DHCPd leases file")
+ parser.add_argument("--unbound-leases", default="/etc/unbound/dhcp-leases.conf",
+ metavar="PATH", help="Path to the unbound configuration file")
+
+ # Parse command line arguments
+ args = parser.parse_args()
+
+ # Setup logging
+ if args.verbose == 1:
+ loglevel = logging.INFO
+ elif args.verbose >= 2:
+ loglevel = logging.DEBUG
+ else:
+ loglevel = logging.WARN
+
+ setup_logging(loglevel)
+
+ bridge = UnboundDHCPLeasesBridge(args.dhcp_leases, args.unbound_leases)
+
+ ctx = daemon.DaemonContext(detach_process=args.daemon)
+ ctx.signal_map = {
+ signal.SIGHUP : bridge.update_dhcp_leases,
+ signal.SIGTERM : bridge.terminate,
+ }
+
+ with ctx:
+ bridge.run()
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
new file mode 100644
index 0000000000..6d8a7f29c3
--- /dev/null
+++ b/config/unbound/unbound.conf
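Review bot: The `signal_map` in the `__main__` block installs `bridge.update_dhcp_leases` and `bridge.terminate` as handlers, but python-daemon registers these with `signal.signal()`, so they are called with `(signum, frame)` and both methods take no arguments; SIGHUP and SIGTERM would raise TypeError instead of reloading or stopping, so give them a tolerant signature, e.g. `def terminate(self, *args):` and `def update_dhcp_leases(self, *args):`. `Lease.expired` can never flag a normal lease, because `self.time_starts > datetime.datetime.utcnow() > self.time_ends` only holds when a lease starts after it ends, and the no-`ends` branch reports a lease that has not started yet; it should read `return self.time_ends is not None and datetime.datetime.utcnow() > self.time_ends`, otherwise leases that dhcpd has not yet rewritten as `binding state free` stay published. `Lease.hostname` is the client-chosen `client-hostname` value with only `"` stripped, and a lease without one yields the name `None.local`; since it is interpolated into the `local-data:` line of the written configuration and into the `unbound-control local_data` argument, restrict it to a conservative hostname pattern (letters, digits, hyphen, at most 63 characters) and drop leases that fail it, e.g. `leases = [l for l in leases if l.active and not l.expired and l.hostname]` in `UnboundConfigWriter.update_dhcp_leases`. `e.output` in `_control` is always None with `subprocess.check_call`, so the critical log line never carries the command's output.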
@@ -0,0 +1,94 @@
+#
+# Unbound configuration file for IPFire
+#
+# The full documentation is available at:
+# https://www.unbound.net/documentation/unbound.conf.html
+#
+
+server:
+ # Common Server Options
+ chroot: ""
+ directory: "/etc/unbound"
+ username: "nobody"
+ port: 53
+ do-ip4: yes
+ do-ip6: no
+ do-udp: yes
+ do-tcp: yes
+ so-reuseport: yes
+ do-not-query-localhost: yes
+
+ # System Tuning
+ include: "/etc/unbound/tuning.conf"
+
+ # Logging Options
+ verbosity: 1
+ use-syslog: yes
+ log-time-ascii: yes
+ log-queries: no
+
+ # Unbound Statistics
+ statistics-interval: 0
+ statistics-cumulative: yes
+ extended-statistics: yes
+
+ # Prefetching
+ prefetch: yes
+ prefetch-key: yes
+
+ # Randomise any cached responses
+ rrset-roundrobin: yes
+
+ # Privacy Options
+ hide-identity: yes
+ hide-version: yes
+ qname-minimisation: yes
+ minimal-responses: yes
+
+ # DNSSEC
+ auto-trust-anchor-file: "/var/lib/unbound/root.key"
+ val-permissive-mode: no
+ val-clean-additional: yes
+ val-log-level: 1
+
+ # Hardening Options
+ harden-glue: yes
+ harden-short-bufsize: no
+ harden-large-queries: yes
+ harden-dnssec-stripped: yes
+ harden-below-nxdomain: yes
+ harden-referral-path: yes
+ harden-algo-downgrade: no
+ use-caps-for-id: no
+
+ # Deny access from everywhere
+ access-control: 0.0.0.0/0 refuse
+
+ # Listen on localhost
+ interface: 127.0.0.1
+ access-control: 127.0.0.0/8 allow
+
+ # Bootstrap root servers
+ root-hints: "/etc/unbound/root.hints"
+
+ # IPFire interface configuration
+ include: "/etc/unbound/interfaces.conf"
+ interface-automatic: no
+
+ # Include DHCP leases
+ include: "/etc/unbound/dhcp-leases.conf"
+
+ # Include any forward zones
+ include: "/etc/unbound/forward.conf"
+
+remote-control:
+ control-enable: yes
+ control-use-cert: yes
+ control-interface: 127.0.0.1
+ server-key-file: "/etc/unbound/unbound_server.key"
+ server-cert-file: "/etc/unbound/unbound_server.pem"
+ control-key-file: "/etc/unbound/unbound_control.key"
+ control-cert-file: 
"/etc/unbound/unbound_control.pem" + +# Import any local configurations +include: "/etc/unbound/local.d/*.conf" diff --git a/html/cgi-bin/dnsforward.cgi b/html/cgi-bin/dnsforward.cgi index 1afc55f754..ee63c6dd75 100644 --- a/html/cgi-bin/dnsforward.cgi +++ b/html/cgi-bin/dnsforward.cgi @@ -106,8 +106,8 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'add'}) $cgiparams{'ID'} = $cgiparams{'EDITING'}; } } - # Restart dnsmasq. - system('/usr/local/bin/dnsmasqctrl restart >/dev/null'); + # Restart unbound + system('/usr/local/bin/unboundctrl restart >/dev/null'); } ### @@ -124,8 +124,8 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) unless ($cgiparams{'ID'} eq $id) { print FILE "$line"; } } close(FILE); - # Restart dnsmasq. - system('/usr/local/bin/dnsmasqctrl restart >/dev/null'); + # Restart unbound. + system('/usr/local/bin/unboundctrl restart >/dev/null'); } ### @@ -148,8 +148,8 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) } } close(FILE); - # Restart dnsmasq. - system('/usr/local/bin/dnsmasqctrl restart >/dev/null'); + # Restart unbound. + system('/usr/local/bin/unboundctrl restart >/dev/null'); } ### diff --git a/html/cgi-bin/logs.cgi/log.dat b/html/cgi-bin/logs.cgi/log.dat index f954213371..82b6aa055e 100644 --- a/html/cgi-bin/logs.cgi/log.dat +++ b/html/cgi-bin/logs.cgi/log.dat @@ -52,7 +52,7 @@ my %sections = ( 'ipfire' => '(ipfire: )', 'red' => '(red:|pppd\[.*\]: |chat\[.*\]|pppoe\[.*\]|pptp\[.*\]|pppoa\[.*\]|pppoa3\[.*\]|pppoeci\[.*\]|ipppd|ipppd\[.*\]|kernel: ippp\d|kernel: isdn.*|ibod\[.*\]|dhcpcd\[.*\]|modem_run\[.*\])', 'ddns' => '(ddns\[\d+\]:)', - 'dns' => '(dnsmasq\[.*\]: )', + 'dns' => '(dnsmasq\[.*\]: |unbound\[.*\]: )', 'dma' => '(dma\[.*\]: )', 'dhcp' => '(dhcpd: )', 'clamav' => '(clamd\[.*\]: |freshclam\[.*\]: )', diff --git a/html/cgi-bin/services.cgi b/html/cgi-bin/services.cgi index 76bd9edebc..64fdbba05a 100644 --- a/html/cgi-bin/services.cgi +++ b/html/cgi-bin/services.cgi 
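Review bot: The `include:` targets `/etc/unbound/tuning.conf` and `/etc/unbound/interfaces.conf`, and the four `remote-control` key and certificate files, are referenced here but do not appear in the new rootfile earlier on this page; they are presumably generated by the init script, which is outside this view, and unbound treats an unreadable non-glob `include:` as a fatal configuration error, so a first start on which that generation fails leaves the resolver down rather than degraded. `auto-trust-anchor-file: "/var/lib/unbound/root.key"` is rewritten by unbound itself for RFC 5011 rollover while running as `username: "nobody"`, and the crontab hunk in this commit rewrites the same file with `unbound-anchor` under `@runas(nobody)`, so the file and its directory must be owned by that user; that is worth stating next to the option, e.g. `# Must be writable by the 'username' above: updated in place by RFC 5011 and by the daily unbound-anchor job`. `harden-algo-downgrade: no` is a deliberate choice, but a reader will wonder why, so a one-line comment giving the reason (presumably compatibility) would help.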
@@ -49,7 +49,7 @@ my %servicenames =( $Lang::tr{'dhcp server'} => 'dhcpd', $Lang::tr{'web server'} => 'httpd', $Lang::tr{'cron server'} => 'fcron', - $Lang::tr{'dns proxy server'} => 'dnsmasq', + $Lang::tr{'dns proxy server'} => 'unbound', $Lang::tr{'logging server'} => 'syslogd', $Lang::tr{'kernel logging server'} => 'klogd', $Lang::tr{'ntp server'} => 'ntpd', diff --git a/lfs/initscripts b/lfs/initscripts index e731d7f6d3..5e2cd24699 100644 --- a/lfs/initscripts +++ b/lfs/initscripts @@ -185,13 +185,11 @@ $(TARGET) : ln -sf ../init.d/wlanclient /etc/rc.d/rc3.d/S19wlanclient ln -sf ../init.d/wlanclient /etc/rc.d/rc6.d/K82wlanclient - ln -sf ../../dnsmasq /etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq ln -sf ../../../../../usr/local/bin/snortctrl \ /etc/rc.d/init.d/networking/red.up/23-RS-snort ln -sf ../../../../../usr/local/bin/qosctrl \ /etc/rc.d/init.d/networking/red.up/24-RS-qos ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/27-RS-squid - ln -sf ../../dnsmasq /etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq for i in green blue orange; do \ ln -sf any /etc/rc.d/init.d/networking/$$i; \ diff --git a/lfs/python-daemon b/lfs/python-daemon new file mode 100644 index 0000000000..c96ec5568a --- /dev/null +++ b/lfs/python-daemon 
@@ -0,0 +1,75 @@
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007-2011 IPFire Team #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include Config
+
+VER = 2.1.1
+
+THISAPP = python-daemon-$(VER)
+DL_FILE = $(THISAPP).tar.gz
+DL_FROM = $(URL_IPFIRE)
+DIR_APP = $(DIR_SRC)/$(THISAPP)
+TARGET = $(DIR_INFO)/$(THISAPP)
+
+###############################################################################
+# Top-level Rules
+###############################################################################
+
+objects = $(DL_FILE)
+
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+
+$(DL_FILE)_MD5 = 72e2acf2c3d69c7fa75a6625d06adfd0
+
+install : $(TARGET)
+
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+
+md5 : $(subst %,%_MD5,$(objects))
+
+###############################################################################
+# Downloading, checking, md5sum
+###############################################################################
+
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+ @$(CHECK)
+
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
+ @$(LOAD)
+
+$(subst %,%_MD5,$(objects)) :
+ @$(MD5)
+
+###############################################################################
+# Installation Details
+###############################################################################
+
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+ @$(PREBUILD)
+ @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
+ cd $(DIR_APP) && python setup.py install --root=/
+ @rm -rf $(DIR_APP)
+ @$(POSTBUILD)
diff --git a/lfs/python-docutils b/lfs/python-docutils
new file mode 100644
index 0000000000..13f7ef17d6
--- /dev/null
+++ b/lfs/python-docutils
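Review bot: The header of this new file carries `Copyright (C) 2007-2011 IPFire Team`, which looks copied from a template rather than reflecting when the file was written; the same range appears in the lfs/python-docutils and lfs/python-inotify files added by this commit, so all three should be checked against the commit date. `download :$(patsubst …)` is also missing the space after the colon that the neighbouring `install :`, `check :` and `md5 :` targets have — harmless to make, but worth aligning while the files are new. The only integrity gate on the fetched tarball is `$(DL_FILE)_MD5`; that follows the project's existing convention (lfs/unbound in this same commit uses it), but MD5 is no longer collision resistant, so a SHA-256 digest would be the stronger check if the shared `$(MD5)`/`$(CHECK)` machinery ever grows one.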
@@ -0,0 +1,75 @@
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007-2011 IPFire Team #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include Config
+
+VER = 0.12
+
+THISAPP = docutils-$(VER)
+DL_FILE = $(THISAPP).tar.gz
+DL_FROM = $(URL_IPFIRE)
+DIR_APP = $(DIR_SRC)/$(THISAPP)
+TARGET = $(DIR_INFO)/$(THISAPP)
+
+###############################################################################
+# Top-level Rules
+###############################################################################
+
+objects = $(DL_FILE)
+
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+
+$(DL_FILE)_MD5 = 4622263b62c5c771c03502afa3157768
+
+install : $(TARGET)
+
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+
+md5 : $(subst %,%_MD5,$(objects))
+
+###############################################################################
+# Downloading, checking, md5sum
+###############################################################################
+
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+ @$(CHECK)
+
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
+ @$(LOAD)
+
+$(subst %,%_MD5,$(objects)) :
+ @$(MD5)
+
+###############################################################################
+# Installation Details
+###############################################################################
+
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+ @$(PREBUILD)
+ @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
+ cd $(DIR_APP) && python setup.py install --root=/
+ @rm -rf $(DIR_APP)
+ @$(POSTBUILD)
diff --git a/lfs/python-inotify b/lfs/python-inotify
new file mode 100644
index 0000000000..ea8a960c5b
--- /dev/null
+++ b/lfs/python-inotify
@@ -0,0 +1,75 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2011 IPFire Team # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + +############################################################################### +# Definitions +############################################################################### + +include Config + +VER = 0.2.7 + +THISAPP = inotify-$(VER) +DL_FILE = $(THISAPP).tar.gz +DL_FROM = $(URL_IPFIRE) +DIR_APP = $(DIR_SRC)/$(THISAPP) +TARGET = $(DIR_INFO)/$(THISAPP) + +############################################################################### +# Top-level Rules +############################################################################### + +objects = $(DL_FILE) + +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_MD5 = ced4c0469f9fd64170d9d907e4aec208 + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +md5 : $(subst %,%_MD5,$(objects)) + +############################################################################### +# Downloading, checking, md5sum +############################################################################### + +$(patsubst %,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst 
%,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && python setup.py install --root=/ + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/lfs/dnsmasq b/lfs/unbound similarity index 51% rename from lfs/dnsmasq rename to lfs/unbound index 7a11061dae..9c8589367d 100644 --- a/lfs/dnsmasq +++ b/lfs/unbound @@ -24,17 +24,14 @@ include Config -VER = 2.76 +VER = 1.5.9 -THISAPP = dnsmasq-$(VER) -DL_FILE = $(THISAPP).tar.xz +THISAPP = unbound-$(VER) +DL_FILE = $(THISAPP).tar.gz DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) -# We cannot use INOTIFY because our ISC reader code does not support that -COPTS = -DHAVE_ISC_READER -DNO_INOTIFY - ############################################################################### # Top-level Rules ############################################################################### @@ -43,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 00f5ee66b4e4b7f14538bf62ae3c9461 +$(DL_FILE)_MD5 = 0cefa62c1690b4db18583db84bff00e3 install : $(TARGET) 
@@ -73,32 +70,40 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/001-Calculate_length_of_TFTP_error_reply_correctly.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/002-Zero_newly_malloc_ed_memory.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/003-Check_return_of_expand_always.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/004-Fix_editing_error_on_man_page.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/005-Manpage_typo.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/006-Fix_bad_behaviour_with_some_DHCP_option_arrangements.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/007-Fix_logic_error_in_Linux_netlink_code.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/008-Fix_problem_with_--dnssec-timestamp.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/009-malloc_memset_calloc_for_efficiency.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/010-Zero_packet_buffers_before_building_output_to_reduce_risk_of_information_leakage.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/011-Dont_reset_packet_length_on_transmission_in_case_of_retransmission.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/012-Compile-time_check_on_buffer_sizes_for_leasefile_parsing_code.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/013-auth-zone_allow_to_exclude_ip_addresses_from_answer.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/014-Bump_auth_zone_serial_when_reloading_etc_hosts_and_friends.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/015-Handle_v4-mapped_IPv6_addresses_sanely_for_--synth-domain.patch - cd $(DIR_APP) && 
patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/016-Refactor_openBSD_pftables_code_to_remove_blatant_copyright_violation.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch - - cd $(DIR_APP) && sed -i src/config.h \ - -e 's|/\* #define HAVE_IDN \*/|#define HAVE_IDN|g' \ - -e 's|/\* #define HAVE_DNSSEC \*/|#define HAVE_DNSSEC|g' \ - -e 's|#define HAVE_DHCP|//#define HAVE_DHCP|g' \ - -e 's|#define HAVE_DHCP6|//#define HAVE_DHCP6|g' \ - -e 's|#define HAVE_TFTP|//#define HAVE_TFTP|g' - - cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" COPTS="$(COPTS)" \ - PREFIX=/usr all install + cd $(DIR_APP) && \ + ./configure \ + --prefix=/usr \ + --sysconfdir=/etc \ + --with-pidfile=/var/run/unbound.pid \ + --with-rootkey-file=/var/lib/unbound/root.key \ + --disable-static \ + --with-libevent + cd $(DIR_APP) && make $(MAKETUNING) + cd $(DIR_APP) && make install + + # Install configuration + install -v -m 644 $(DIR_SRC)/config/unbound/unbound.conf \ + /etc/unbound/unbound.conf + touch /etc/unbound/{dhcp-leases,forward}.conf + -mkdir -pv /etc/unbound/local.d + + # Install root hints + install -v -m 644 $(DIR_SRC)/config/unbound/root.hints \ + /etc/unbound/root.hints + + # Install DHCP leases bridge + install -v -m 755 $(DIR_SRC)/config/unbound/unbound-dhcp-leases-bridge \ + /usr/sbin/unbound-dhcp-leases-bridge + + # Install key + -mkdir -pv /var/lib/unbound + install -v -m 644 $(DIR_SRC)/config/unbound/root.key \ + /var/lib/unbound/root.key + chown -Rv nobody.nobody /var/lib/unbound + + # Ship ICANN's certificates to validate DNS trust anchors + install -v -m 644 $(DIR_SRC)/config/unbound/icannbundle.pem \ + /etc/unbound/icannbundle.pem + @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/make.sh b/make.sh index 1c832d016f..73feacb37d 100755 --- a/make.sh +++ b/make.sh 
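Review bot: `touch /etc/unbound/{dhcp-leases,forward}.conf` depends on brace expansion, which make's default POSIX `/bin/sh` does not perform; unless Config sets `SHELL` to bash, this creates a single file literally named `{dhcp-leases,forward}.conf`, and because the init script's `write_forward_conf` regenerates forward.conf on every start the mistake would go unnoticed. Spell the names out: `touch /etc/unbound/dhcp-leases.conf /etc/unbound/forward.conf`. `chown -Rv nobody.nobody /var/lib/unbound` uses the deprecated dot separator (`nobody:nobody` is the portable form) and, more importantly, hands the DNSSEC trust anchor root.key to the shared `nobody` account; if the resolver itself runs under that uid — not visible in this hunk, so hedged — a compromised daemon could rewrite its own trust anchor, and a dedicated unbound user whose write access is limited to this directory would be the tighter arrangement. root.hints is installed as a static copy with no refresh visible here, which is fine for bootstrap but deserves a line such as `# Static bootstrap copy of the root hints; refreshed at runtime by priming, not by this recipe` so it is not mistaken for a maintained list.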
@@ -537,7 +537,9 @@ buildipfire() { ipfiremake beep ipfiremake dvdrtools ipfiremake nettle - ipfiremake dnsmasq + ipfiremake libevent + ipfiremake libevent2 + ipfiremake unbound ipfiremake dosfstools ipfiremake reiserfsprogs ipfiremake xfsprogs @@ -603,6 +605,9 @@ buildipfire() { ipfiremake python-mechanize ipfiremake python-feedparser ipfiremake python-rssdler + ipfiremake python-inotify + ipfiremake python-docutils + ipfiremake python-daemon ipfiremake glib ipfiremake GeoIP ipfiremake fwhits @@ -678,8 +683,6 @@ buildipfire() { ipfiremake gnump3d ipfiremake rsync ipfiremake tcpwrapper - ipfiremake libevent - ipfiremake libevent2 ipfiremake libtirpc ipfiremake rpcbind ipfiremake nfs diff --git a/src/initscripts/init.d/dnsmasq b/src/initscripts/init.d/dnsmasq deleted file mode 100644 index 059ffacdd8..0000000000 --- a/src/initscripts/init.d/dnsmasq +++ /dev/null 
@@ -1,145 +0,0 @@ -#!/bin/sh -######################################################################## -# Begin $rc_base/init.d/dnsmasq -# -# Description : dnsmasq init script -# -# Authors : Michael Tremer - mitch@ipfire.org -# -# Version : 01.00 -# -# Notes : -# -######################################################################## - -. /etc/sysconfig/rc -. ${rc_functions} - -CACHE_SIZE=2500 -ENABLE_DNSSEC=1 -SHOW_SRV=1 -TRUST_ANCHOR=".,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5" -TIMESTAMP_FILE="/var/ipfire/dns/dnssec-timestamp" - -# Pull custom configuration file -if [ -e "/etc/sysconfig/dnsmasq" ]; then - . /etc/sysconfig/dnsmasq -fi - -function dnssec_args() { - local cmdline="--dnssec --dnssec-timestamp ${TIMESTAMP_FILE}" - - if [ -n "${TRUST_ANCHOR}" ]; then - cmdline="${cmdline} --trust-anchor=${TRUST_ANCHOR}" - fi - - echo "${cmdline}" -} - -function dns_forward_args() { - local file="${1}" - - # Do nothing if file is empty. - [ -s "${file}" ] || return - - local cmdline - - local enabled zone server remark - while IFS="," read -r enabled zone server remark; do - # Line must be enabled. - [ "${enabled}" = "on" ] || continue - - cmdline="${cmdline} --server=/${zone}/${server}" - done < ${file} - - echo "${cmdline}" -} - -function dns_leases_args() { - eval $(/usr/local/bin/readhash /var/ipfire/dhcp/settings) - - # If the DHCP server is enabled and DNS Update (RFC2136) is - # enabled, too, we won't overlay the internal domain with - # the dynamic/static leases. - - if ([ "${ENABLE_GREEN}" = "on" ] || [ "${ENABLE_BLUE}" = "on" ]) \ - && [ "${DNS_UPDATE_ENABLED}" = "on" ]; then - return - fi - - echo "-l /var/state/dhcp/dhcpd.leases" -} - -case "${1}" in - start) - # kill already running copy of dnsmasq... - killproc /usr/sbin/dnsmasq 2>&1 > /dev/null - - boot_mesg "Starting Domain Name Service Proxy..." 
- - eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) - ARGS="$CUSTOM_ARGS" - [ "$DOMAIN_NAME_GREEN" != "" ] && ARGS="$ARGS -s $DOMAIN_NAME_GREEN" - - # DHCP configuration - ARGS="${ARGS} $(dns_leases_args)" - - echo > /var/ipfire/red/resolv.conf # Clear it - if [ -e "/var/ipfire/red/dns1" ]; then - DNS1=$(cat /var/ipfire/red/dns1 2>/dev/null) - if [ ! -z ${DNS1} ]; then - echo "nameserver ${DNS1}" >> /var/ipfire/red/resolv.conf - fi - fi - if [ -e "/var/ipfire/red/dns2" ]; then - DNS2=$(cat /var/ipfire/red/dns2 2>/dev/null) - if [ ! -z ${DNS2} ]; then - echo "nameserver ${DNS2}" >> /var/ipfire/red/resolv.conf - fi - fi - [ -e "/var/ipfire/red/active" ] && ARGS="$ARGS -r /var/ipfire/red/resolv.conf" - - ARGS="$ARGS --domain=`cat /var/ipfire/main/settings |grep DOMAIN |cut -d = -f 2`" - - # Add custom forward dns zones. - ARGS="${ARGS} $(dns_forward_args /var/ipfire/dnsforward/config)" - - # Enabled DNSSEC validation - if [ "${ENABLE_DNSSEC}" -eq 1 ]; then - ARGS="${ARGS} $(dnssec_args)" - fi - - if [ -n "${CACHE_SIZE}" ]; then - ARGS="${ARGS} --cache-size=${CACHE_SIZE}" - fi - - loadproc /usr/sbin/dnsmasq ${ARGS} - - if [ "${SHOW_SRV}" -eq 1 ] && [ "${DNS1}" != "" -o "${DNS2}" != "" ]; then - boot_mesg "Using DNS server(s): ${DNS1} ${DNS2}" - boot_mesg_flush - fi - ;; - - stop) - boot_mesg "Stopping Domain Name Service Proxy..." - killproc /usr/sbin/dnsmasq - ;; - - restart) - ${0} stop - sleep 1 - ${0} start - ;; - - status) - statusproc /usr/sbin/dnsmasq - ;; - - *) - echo "Usage: ${0} {start|stop|restart|status}" - exit 1 - ;; -esac - -# End $rc_base/init.d/dnsmasq diff --git a/src/initscripts/init.d/network b/src/initscripts/init.d/network index 9182e9801f..b29ca2ca5b 100644 --- a/src/initscripts/init.d/network +++ b/src/initscripts/init.d/network @@ -16,10 +16,6 @@ . ${rc_functions} eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) -init_networking() { - /etc/rc.d/init.d/dnsmasq start -} - DO="${1}" shift 
@@ -46,8 +42,6 @@ done case "${DO}" in start) - [ "${ALL}" == "1" ] && init_networking - # Starting interfaces... # GREEN [ "$green" == "1" ] && /etc/rc.d/init.d/networking/green start @@ -92,9 +86,6 @@ case "${DO}" in fi fi - # Stopping dnsmasq if network all networks shutdown - [ "${ALL}" == "1" ] && /etc/rc.d/init.d/dnsmasq stop - exit 0 ;; diff --git a/src/initscripts/init.d/networking/red.down/05-update-dns-forwarders b/src/initscripts/init.d/networking/red.down/05-update-dns-forwarders new file mode 100644 index 0000000000..7f35696f58 --- /dev/null +++ b/src/initscripts/init.d/networking/red.down/05-update-dns-forwarders @@ -0,0 +1,4 @@ +#!/bin/bash + +# Update DNS forwarders for unbound +exec /etc/init.d/unbound update-forwarders diff --git a/src/initscripts/init.d/networking/red.up/05-update-dns-forwarders b/src/initscripts/init.d/networking/red.up/05-update-dns-forwarders new file mode 100644 index 0000000000..7f35696f58 --- /dev/null +++ b/src/initscripts/init.d/networking/red.up/05-update-dns-forwarders @@ -0,0 +1,4 @@ +#!/bin/bash + +# Update DNS forwarders for unbound +exec /etc/init.d/unbound update-forwarders diff --git a/src/initscripts/init.d/unbound b/src/initscripts/init.d/unbound new file mode 100644 index 0000000000..f3d35cf488 --- /dev/null +++ b/src/initscripts/init.d/unbound 
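Review bot: Both new hooks `exec /etc/init.d/unbound update-forwarders`, while every other reference in this commit uses `/etc/rc.d/init.d/unbound` (the `safe_system` call in unboundctrl.c, and the hooks themselves are installed under /etc/rc.d/init.d/networking); unless /etc/init.d is a symlink to /etc/rc.d/init.d on the target, `exec` fails and the forwarder list is never refreshed when red comes up or goes down, silently leaving the resolver with stale or absent upstreams. Use the same path as the rest of the tree: `exec /etc/rc.d/init.d/unbound update-forwarders`. The red.up copy has the identical line and needs the same fix.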
@@ -0,0 +1,226 @@ +#!/bin/sh +# Begin $rc_base/init.d/unbound + +# Description : Unbound DNS resolver boot script for IPfire +# Author : Marcel Lorenz +# +# Comment : This init script additional starts the dhcpd watcher daemon +# if DNS-Update (RFC2136) in web interface enabled + +. /etc/sysconfig/rc +. ${rc_functions} + +USE_FORWARDERS=1 + +# Load optional configuration +[ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound + +function cidr() { + local cidr nbits IFS; + IFS=. read -r i1 i2 i3 i4 <<< ${1} + IFS=. read -r m1 m2 m3 m4 <<< ${2} + cidr=$(printf "%d.%d.%d.%d\n" "$((i1 & m1))" "$((i2 & m2))" "$((i3 & m3))" "$((i4 & m4))") + nbits=0 + IFS=. + for dec in $2 ; do + case $dec in + 255) let nbits+=8;; + 254) let nbits+=7;; + 252) let nbits+=6;; + 248) let nbits+=5;; + 240) let nbits+=4;; + 224) let nbits+=3;; + 192) let nbits+=2;; + 128) let nbits+=1;; + 0);; + *) echo "Error: $dec is not recognised"; exit 1 + esac + done + echo "${cidr}/${nbits}" +} + +read_name_servers() { + local i + for i in 1 2; do + echo "$( /etc/unbound/interfaces.conf +} + +write_forward_conf() { + ( + config_header + + local enabled zone server remark + while IFS="," read -r enabled zone server remark; do + # Line must be enabled. 
+ [ "${enabled}" = "on" ] || continue + + echo "forward-zone:" + echo " name: ${zone}" + echo " forward-addr: ${server}" + echo + done < /var/ipfire/dnsforward/config + ) > /etc/unbound/forward.conf +} + +write_tuning_conf() { + # https://www.unbound.net/documentation/howto_optimise.html + + # Determine number of online processors + local processors=$(getconf _NPROCESSORS_ONLN) + + # Determine number of slabs + local slabs=1 + while [ ${slabs} -lt ${processors} ]; do + slabs=$(( ${slabs} * 2 )) + done + + # Determine amount of system memory + local mem=$(get_memory_amount) + + # In the worst case scenario, unbound can use double the + # amount of memory allocated to a cache due to malloc overhead + + # Large systems with more than 2GB of RAM + if [ ${mem} -ge 2048 ]; then + mem=128 + + # Small systems with less than 256MB of RAM + elif [ ${mem} -le 256 ]; then + mem=8 + + # Everything else + else + mem=32 + fi + + ( + config_header + + # We run one thread per processor + echo "num-threads: ${processors}" + + # Adjust number of slabs + echo "infra-cache-slabs: ${slabs}" + echo "key-cache-slabs: ${slabs}" + echo "msg-cache-slabs: ${slabs}" + echo "rrset-cache-slabs: ${slabs}" + + # Slice up the cache + echo "rrset-cache-size: $(( ${mem} / 2 ))m" + echo "msg-cache-size: $(( ${mem} / 4 ))m" + echo "key-cache-size: $(( ${mem} / 4 ))m" + ) > /etc/unbound/tuning.conf +} + +get_memory_amount() { + local key val unit + + while read -r key val unit; do + case "${key}" in + MemTotal:*) + # Convert to MB + echo "$(( ${val} / 1024 ))" + break + ;; + esac + done < /proc/meminfo +} + +case "$1" in + start) + eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) + eval $(/usr/local/bin/readhash /var/ipfire/dhcp/settings) + + # Create control keys at first run + if [ ! 
-r "/etc/unbound/unbound_control.key" ]; then + unbound-control-setup -d /etc/unbound &>/dev/null + fi + + # Update configuration files + write_tuning_conf + write_interfaces_conf + write_forward_conf + + boot_mesg "Starting Unbound DNS Proxy..." + loadproc /usr/sbin/unbound || exit $? + + # Update any known forwarding name servers + update_forwarders + + # Start Unbound DHCP Lease Bridge unless RFC2136 is used + if [ "${DNS_UPDATE_ENABLED}" != on ]; then + boot_mesg "Starting Unbound DHCP Leases Bridge..." + loadproc /usr/sbin/unbound-dhcp-leases-bridge -d + fi + ;; + + stop) + boot_mesg "Stopping Unbound DHCP Leases Bridge..." + killproc /usr/sbin/unbound-dhcp-leases-bridge + + boot_mesg "Stopping Unbound DNS Proxy..." + killproc /usr/sbin/unbound + ;; + + restart) + $0 stop + sleep 1 + $0 start + ;; + + status) + statusproc /usr/sbin/unbound + statusproc /usr/sbin/unbound-dhcp-leases-bridge + ;; + + update-forwarders) + update_forwarders + ;; + + *) + echo "Usage: $0 {start|stop|restart|status|update-forwarders}" + exit 1 + ;; +esac + +# End $rc_base/init.d/unbound diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile index ff775da2ae..08a4e37d9c 100644 --- a/src/misc-progs/Makefile +++ b/src/misc-progs/Makefile @@ -31,7 +31,7 @@ SUID_PROGS = squidctrl sshctrl ipfirereboot \ redctrl syslogdctrl extrahdctrl sambactrl upnpctrl \ smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \ setaliases urlfilterctrl updxlratorctrl fireinfoctrl rebuildroutes \ - getconntracktable wirelessclient dnsmasqctrl torctrl ddnsctrl + getconntracktable wirelessclient torctrl ddnsctrl unboundctrl SUID_UPDX = updxsetperms OBJS = $(patsubst %,%.o,$(PROGS) $(SUID_PROGS)) diff --git a/src/misc-progs/dnsmasqctrl.c b/src/misc-progs/unboundctrl.c similarity index 74% rename from src/misc-progs/dnsmasqctrl.c rename to src/misc-progs/unboundctrl.c index 8ac3360e06..fea81c6712 100644 --- a/src/misc-progs/dnsmasqctrl.c +++ b/src/misc-progs/unboundctrl.c 
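Review bot: The script is declared `#!/bin/sh` but relies on bash — the `function` keyword and `<<<` here-strings in `cidr()`, and `&>/dev/null` on the `unbound-control-setup` call in the `start` branch; under a POSIX sh that last one parses as a background `&` plus a bare redirection, so the control-key generation runs detached from the `loadproc` that follows it. The two new red.up/red.down hooks in this commit already use `#!/bin/bash`; the same shebang here makes the dependency explicit. In `write_forward_conf`, `${zone}` and `${server}` read from /var/ipfire/dnsforward/config are echoed straight into /etc/unbound/forward.conf as `name:` and `forward-addr:` values with no check visible here that they are a domain name and an address, so a malformed or crafted entry becomes an arbitrary line of resolver configuration; validating both fields (and skipping the entry with a logged message on failure) before the `echo` lines closes that, unless dnsforward.cgi is already guaranteed to do so on write. The part of this file between `read_name_servers` and `write_interfaces_conf` is garbled in this rendering, so those functions and the callers of `cidr()` are not reviewed; note that the `exit 1` in `cidr()` only terminates a `$(...)` subshell if that is how it is invoked.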
@@ -19,14 +19,14 @@ int main(int argc, char *argv[]) { exit(1); if (argc < 2) { - fprintf(stderr, "\nNo argument given.\n\ndnsmasqctrl (restart)\n\n"); + fprintf(stderr, "\nNo argument given.\n\nunboundctrl (restart)\n\n"); exit(1); } if (strcmp(argv[1], "restart") == 0) { - safe_system("/etc/rc.d/init.d/dnsmasq restart"); + safe_system("/etc/rc.d/init.d/unbound restart"); } else { - fprintf(stderr, "\nBad argument given.\n\ndnsmasqctrl (restart)\n\n"); + fprintf(stderr, "\nBad argument given.\n\nunboundctrl (restart)\n\n"); exit(1); } diff --git a/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch b/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch deleted file mode 100644 index 97b7749d4c..0000000000 --- a/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch +++ /dev/null 
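Review bot: The usage text `unboundctrl (restart)` is now duplicated in the two `fprintf` calls (the argc check and the bad-argument branch), which is exactly how the two strings could drift apart in the next rename; a single `static const char usage[] = "unboundctrl (restart)";` printed from both places keeps them in step. The `safe_system("/etc/rc.d/init.d/unbound restart")` call with a fixed string and no argv pass-through is the right shape for a setuid helper, and the `/etc/rc.d/init.d` path used here is the one the new networking hooks should also use. `main` starts outside the hunk.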
@@ -1,363 +0,0 @@ ---- a/src/cache.c Wed Dec 16 19:24:12 2015 -+++ b/src/cache.c Wed Dec 16 19:37:37 2015 -@@ -17,7 +17,7 @@ - #include "dnsmasq.h" - - static struct crec *cache_head = NULL, *cache_tail = NULL, **hash_table = NULL; --#ifdef HAVE_DHCP -+#if (defined HAVE_DHCP) || (defined HAVE_ISC_READER) - static struct crec *dhcp_spare = NULL; - #endif - static struct crec *new_chain = NULL; -@@ -217,6 +217,9 @@ - crecp->flags &= ~F_BIGNAME; - } - -+ if (crecp->flags & F_DHCP) -+ free(crecp->name.namep); -+ - #ifdef HAVE_DNSSEC - cache_blockdata_free(crecp); - #endif -@@ -1138,7 +1141,7 @@ - - } - --#ifdef HAVE_DHCP -+#if (defined HAVE_DHCP) || (defined HAVE_ISC_READER) - struct in_addr a_record_from_hosts(char *name, time_t now) - { - struct crec *crecp = NULL; -@@ -1281,7 +1284,11 @@ - else - crec->ttd = ttd; - crec->addr.addr = *host_address; -+#ifdef HAVE_ISC_READER -+ crec->name.namep = strdup(host_name); -+#else - crec->name.namep = host_name; -+#endif - crec->uid = next_uid(); - cache_hash(crec); - ---- a/src/dnsmasq.c Thu Jul 30 20:59:06 2015 -+++ b/src/dnsmasq.c Wed Dec 16 19:38:32 2015 -@@ -1017,6 +1017,11 @@ - - poll_resolv(0, daemon->last_resolv != 0, now); - daemon->last_resolv = now; -+ -+#ifdef HAVE_ISC_READER -+ if (daemon->lease_file && !daemon->dhcp) -+ load_dhcp(now); -+#endif - } - #endif - ---- a/src/dnsmasq.h Wed Dec 16 19:24:12 2015 -+++ b/src/dnsmasq.h Wed Dec 16 19:40:11 2015 -@@ -1516,6 +1516,11 @@ - void poll_listen(int fd, short event); - int do_poll(int timeout); - -+/* isc.c */ -+#ifdef HAVE_ISC_READER -+void load_dhcp(time_t now); -+#endif -+ - /* rrfilter.c */ - size_t rrfilter(struct dns_header *header, size_t plen, int mode); - u16 *rrfilter_desc(int type); - int expand_workspace(unsigned char ***wkspc, int *szp, int new); -- ---- /dev/null Wed Dec 16 19:48:08 2015 -+++ b/src/isc.c Wed Dec 16 19:41:35 2015 -@@ -0,0 +1,266 @@ -+/* dnsmasq is Copyright (c) 2014 John Volpe, Simon Kelley and -+ Michael Tremer -+ -+ This program is 
free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License as published by -+ the Free Software Foundation; version 2 dated June, 1991, or -+ (at your option) version 3 dated 29 June, 2007. -+ -+ This program is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ GNU General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program. If not, see . -+ -+ Code in this file is based on contributions by John Volpe and -+ Simon Kelley. Updated for recent versions of dnsmasq by -+ Michael Tremer. -+*/ -+ -+ -+#define _GNU_SOURCE -+ -+#include -+#include -+ -+#include "dnsmasq.h" -+ -+#ifdef HAVE_ISC_READER -+#define MAXTOK 50 -+ -+struct isc_dhcp_lease { -+ char* name; -+ char* fqdn; -+ time_t expires; -+ struct in_addr addr; -+ struct isc_dhcp_lease* next; -+}; -+ -+static struct isc_dhcp_lease* dhcp_lease_new(const char* hostname) { -+ struct isc_dhcp_lease* lease = whine_malloc(sizeof(*lease)); -+ if (!lease) -+ return NULL; -+ -+ lease->name = strdup(hostname); -+ if (daemon->domain_suffix) { -+ int r = asprintf(&lease->fqdn, "%s.%s", hostname, daemon->domain_suffix); -+ -+ // Handle OOM -+ if (r < 0) { -+ free(lease); -+ return NULL; -+ } -+ } -+ lease->expires = 0; -+ lease->next = NULL; -+ -+ return lease; -+} -+ -+static void dhcp_lease_free(struct isc_dhcp_lease* lease) { -+ if (!lease) -+ return; -+ -+ if (lease->name) -+ free(lease->name); -+ if (lease->fqdn) -+ free(lease->fqdn); -+ free(lease); -+} -+ -+static int next_token(char* token, int buffsize, FILE* fp) { -+ int c, count = 0; -+ char* cp = token; -+ -+ while ((c = getc(fp)) != EOF) { -+ if (c == '#') { -+ do { -+ c = getc(fp); -+ } while (c != '\n' && c != EOF); -+ } -+ -+ if (c == ' ' || c == '\t' || c == '\n' || c == ';') { -+ if (count) -+ break; -+ 
} else if ((c != '"') && (count < buffsize - 1)) { -+ *cp++ = c; -+ count++; -+ } -+ } -+ -+ *cp = 0; -+ return count ? 1 : 0; -+} -+ -+static long get_utc_offset() { -+ time_t t = time(NULL); -+ struct tm* time_struct = localtime(&t); -+ -+ return time_struct->tm_gmtoff; -+} -+ -+static time_t parse_lease_time(const char* token_date, const char* token_time) { -+ time_t time = (time_t)(-1); -+ struct tm lease_time; -+ -+ if (sscanf(token_date, "%d/%d/%d", &lease_time.tm_year, &lease_time.tm_mon, &lease_time.tm_mday) == 3) { -+ lease_time.tm_year -= 1900; -+ lease_time.tm_mon -= 1; -+ -+ if (sscanf(token_time, "%d:%d:%d", &lease_time.tm_hour, &lease_time.tm_min, &lease_time.tm_sec) == 3) { -+ time = mktime(&lease_time) + get_utc_offset(); -+ } -+ } -+ -+ return time; -+} -+ -+static struct isc_dhcp_lease* find_lease(const char* hostname, struct isc_dhcp_lease* leases) { -+ struct isc_dhcp_lease* lease = leases; -+ -+ while (lease) { -+ if (strcmp(hostname, lease->name) == 0) { -+ return lease; -+ } -+ lease = lease->next; -+ } -+ -+ return NULL; -+} -+ -+static off_t lease_file_size = (off_t)0; -+static ino_t lease_file_inode = (ino_t)0; -+ -+void load_dhcp(time_t now) { -+ struct isc_dhcp_lease* leases = NULL; -+ -+ struct stat statbuf; -+ if (stat(daemon->lease_file, &statbuf) == -1) { -+ return; -+ } -+ -+ /* Do nothing if the lease file has not changed. 
*/ -+ if ((statbuf.st_size <= lease_file_size) && (statbuf.st_ino == lease_file_inode)) -+ return; -+ -+ lease_file_size = statbuf.st_size; -+ lease_file_inode = statbuf.st_ino; -+ -+ FILE* fp = fopen(daemon->lease_file, "r"); -+ if (!fp) { -+ my_syslog(LOG_ERR, _("failed to load %s:%s"), daemon->lease_file, strerror(errno)); -+ return; -+ } -+ -+ my_syslog(LOG_INFO, _("reading %s"), daemon->lease_file); -+ -+ char* hostname = daemon->namebuff; -+ struct in_addr host_address; -+ time_t time_starts = -1; -+ time_t time_ends = -1; -+ int nomem; -+ -+ char token[MAXTOK]; -+ while ((next_token(token, MAXTOK, fp))) { -+ if (strcmp(token, "lease") == 0) { -+ hostname[0] = '\0'; -+ -+ if (next_token(token, MAXTOK, fp) && ((host_address.s_addr = inet_addr(token)) != (in_addr_t)-1)) { -+ if (next_token(token, MAXTOK, fp) && *token == '{') { -+ while (next_token(token, MAXTOK, fp) && *token != '}') { -+ if ((strcmp(token, "client-hostname") == 0) || (strcmp(token, "hostname") == 0)) { -+ if (next_token(hostname, MAXDNAME, fp)) { -+ if (!canonicalise(hostname, &nomem)) { -+ *hostname = 0; -+ my_syslog(LOG_ERR, _("bad name in %s"), daemon->lease_file); -+ } -+ } -+ } else if ((strcmp(token, "starts") == 0) || (strcmp(token, "ends") == 0)) { -+ char token_date[MAXTOK]; -+ char token_time[MAXTOK]; -+ -+ int is_starts = strcmp(token, "starts") == 0; -+ -+ // Throw away the weekday and parse the date. 
-+ if (next_token(token, MAXTOK, fp) && next_token(token_date, MAXTOK, fp) && next_token(token_time, MAXTOK, fp)) { -+ time_t time = parse_lease_time(token_date, token_time); -+ -+ if (is_starts) -+ time_starts = time; -+ else -+ time_ends = time; -+ } -+ } -+ } -+ -+ if (!*hostname) -+ continue; -+ -+ if ((time_starts == -1) || (time_ends == -1)) -+ continue; -+ -+ if (difftime(now, time_ends) > 0) -+ continue; -+ -+ char* dot = strchr(hostname, '.'); -+ if (dot) { -+ if (!daemon->domain_suffix || hostname_isequal(dot + 1, daemon->domain_suffix)) { -+ my_syslog(LOG_WARNING, -+ _("Ignoring DHCP lease for %s because it has an illegal domain part"), -+ hostname); -+ continue; -+ } -+ *dot = 0; -+ } -+ -+ // Search for an existing lease in the list -+ // with the given host name and update the data -+ // if needed. -+ struct isc_dhcp_lease* lease = find_lease(hostname, leases); -+ -+ // If no lease already exists, we create a new one -+ // and append it to the list. -+ if (!lease) { -+ lease = dhcp_lease_new(hostname); -+ assert(lease); -+ -+ lease->next = leases; -+ leases = lease; -+ } -+ -+ // Only update more recent leases. -+ if (lease->expires > time_ends) -+ continue; -+ -+ lease->addr = host_address; -+ lease->expires = time_ends; -+ } -+ } -+ } -+ } -+ -+ fclose(fp); -+ -+ // Drop all entries. 
-+ cache_unhash_dhcp(); -+ -+ while (leases) { -+ struct isc_dhcp_lease *lease = leases; -+ leases = lease->next; -+ -+ if (lease->fqdn) { -+ cache_add_dhcp_entry(lease->fqdn, AF_INET, (struct all_addr*)&lease->addr.s_addr, lease->expires); -+ } -+ -+ if (lease->name) { -+ cache_add_dhcp_entry(lease->name, AF_INET, (struct all_addr*)&lease->addr.s_addr, lease->expires); -+ } -+ -+ // Cleanup -+ dhcp_lease_free(lease); -+ } -+} -+ -+#endif ---- a/src/option.c Wed Dec 16 19:24:12 2015 -+++ b/src/option.c Wed Dec 16 19:42:48 2015 -@@ -1771,7 +1771,7 @@ - ret_err(_("bad MX target")); - break; - --#ifdef HAVE_DHCP -+#if (defined HAVE_DHCP) || (defined HAVE_ISC_READER) - case 'l': /* --dhcp-leasefile */ - daemon->lease_file = opt_string_alloc(arg); - break; ---- a/Makefile Wed Dec 16 19:24:12 2015 -+++ b/Makefile Wed Dec 16 19:28:45 2015 -@@ -74,7 +74,7 @@ - helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ - dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \ - domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \ -- poll.o rrfilter.o edns0.o arp.o -+ poll.o rrfilter.o edns0.o arp.o isc.o - - hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \ - dns-protocol.h radv-protocol.h ip6addr.h diff --git a/src/patches/dnsmasq/001-Calculate_length_of_TFTP_error_reply_correctly.patch b/src/patches/dnsmasq/001-Calculate_length_of_TFTP_error_reply_correctly.patch deleted file mode 100644 index 43ac06889f..0000000000 --- a/src/patches/dnsmasq/001-Calculate_length_of_TFTP_error_reply_correctly.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From 294d36df4749e01199ab220d44c170e7db2b0c05 Mon Sep 17 00:00:00 2001 -From: Simon Kelley -Date: Wed, 6 Jul 2016 21:30:25 +0100 -Subject: [PATCH] Calculate length of TFTP error reply correctly. - ---- - CHANGELOG | 14 ++++++++++++++ - src/tftp.c | 7 +++++-- - 2 files changed, 19 insertions(+), 2 deletions(-) - -diff --git a/CHANGELOG b/CHANGELOG -index 04ff3f0..0559a6f 100644 ---- a/CHANGELOG -+++ b/CHANGELOG -@@ -1,3 +1,17 @@ -+version 2.77 -+ Calculate the length of TFTP error reply packet -+ correctly. This fixes a problem when the error -+ message in a TFTP packet exceeds the arbitrary -+ limit of 500 characters. The message was correctly -+ truncated, but not the packet length, so -+ extra data was appended. This is a possible -+ security risk, since the extra data comes from -+ a buffer which is also used for DNS, so that -+ previous DNS queries or replies may be leaked. -+ Thanks to Mozilla for funding the security audit -+ which spotted this bug. -+ -+ - version 2.76 - Include 0.0.0.0/8 in DNS rebind checks. This range - translates to hosts on the local network, or, at -diff --git a/src/tftp.c b/src/tftp.c -index 5e4a32a..3e1b5c5 100644 ---- a/src/tftp.c -+++ b/src/tftp.c -@@ -652,20 +652,23 @@ static void sanitise(char *buf) - - } - -+#define MAXMESSAGE 500 /* limit to make packet < 512 bytes and definitely smaller than buffer */ - static ssize_t tftp_err(int err, char *packet, char *message, char *file) - { - struct errmess { - unsigned short op, err; - char message[]; - } *mess = (struct errmess *)packet; -- ssize_t ret = 4; -+ ssize_t len, ret = 4; - char *errstr = strerror(errno); - - sanitise(file); - - mess->op = htons(OP_ERR); - mess->err = htons(err); -- ret += (snprintf(mess->message, 500, message, file, errstr) + 1); -+ len = snprintf(mess->message, MAXMESSAGE, message, file, errstr); -+ ret += (len < MAXMESSAGE) ? 
len + 1 : MAXMESSAGE; /* include terminating zero */ -+ - my_syslog(MS_TFTP | LOG_ERR, "%s", mess->message); - - return ret; --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/002-Zero_newly_malloc_ed_memory.patch b/src/patches/dnsmasq/002-Zero_newly_malloc_ed_memory.patch deleted file mode 100644 index b748db8b43..0000000000 --- a/src/patches/dnsmasq/002-Zero_newly_malloc_ed_memory.patch +++ /dev/null @@ -1,36 +0,0 @@ -From d55f81f5fd53b1dfc2c4b3249b542f2d9679e236 Mon Sep 17 00:00:00 2001 -From: Simon Kelley -Date: Wed, 6 Jul 2016 21:33:56 +0100 -Subject: [PATCH] Zero newly malloc'ed memory. - ---- - src/util.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/src/util.c b/src/util.c -index 93b24f5..82443c9 100644 ---- a/src/util.c -+++ b/src/util.c -@@ -248,6 +248,8 @@ void *safe_malloc(size_t size) - - if (!ret) - die(_("could not get memory"), NULL, EC_NOMEM); -+ else -+ memset(ret, 0, size); - - return ret; - } -@@ -266,7 +268,9 @@ void *whine_malloc(size_t size) - - if (!ret) - my_syslog(LOG_ERR, _("failed to allocate %d bytes"), (int) size); -- -+ else -+ memset(ret, 0, size); -+ - return ret; - } - --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/003-Check_return_of_expand_always.patch b/src/patches/dnsmasq/003-Check_return_of_expand_always.patch deleted file mode 100644 index a69f4ceb8b..0000000000 --- a/src/patches/dnsmasq/003-Check_return_of_expand_always.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From ce7845bf5429bd2962c9b2e7d75e2659f3b5c1a8 Mon Sep 17 00:00:00 2001 -From: Simon Kelley -Date: Wed, 6 Jul 2016 21:42:27 +0100 -Subject: [PATCH] Check return of expand() always. - ---- - src/radv.c | 4 +++- - src/slaac.c | 5 ++++- - 2 files changed, 7 insertions(+), 2 deletions(-) - -diff --git a/src/radv.c b/src/radv.c -index 749b666..faa0f6d 100644 ---- a/src/radv.c -+++ b/src/radv.c -@@ -262,7 +262,9 @@ static void send_ra_alias(time_t now, int iface, char *iface_name, struct in6_ad - parm.prio = calc_prio(ra_param); - - save_counter(0); -- ra = expand(sizeof(struct ra_packet)); -+ -+ if (!(ra = expand(sizeof(struct ra_packet)))) -+ return; - - ra->type = ND_ROUTER_ADVERT; - ra->code = 0; -diff --git a/src/slaac.c b/src/slaac.c -index 8034805..07b8ba4 100644 ---- a/src/slaac.c -+++ b/src/slaac.c -@@ -147,7 +147,10 @@ time_t periodic_slaac(time_t now, struct dhcp_lease *leases) - struct sockaddr_in6 addr; - - save_counter(0); -- ping = expand(sizeof(struct ping_packet)); -+ -+ if (!(ping = expand(sizeof(struct ping_packet)))) -+ continue; -+ - ping->type = ICMP6_ECHO_REQUEST; - ping->code = 0; - ping->identifier = ping_id; --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/004-Fix_editing_error_on_man_page.patch b/src/patches/dnsmasq/004-Fix_editing_error_on_man_page.patch deleted file mode 100644 index f4d0d20037..0000000000 --- a/src/patches/dnsmasq/004-Fix_editing_error_on_man_page.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From 5874f3e9222397d82aabd9884d9bf5ce7e4109b0 Mon Sep 17 00:00:00 2001 -From: Simon Kelley -Date: Sun, 10 Jul 2016 22:12:08 +0100 -Subject: [PATCH] Fix editing error on man page. - -Thanks to Eric Westbrook for spotting this. ---- - man/dnsmasq.8 | 9 ++++----- - 1 file changed, 4 insertions(+), 5 deletions(-) - -diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 -index 0521534..bd8c0b3 100644 ---- a/man/dnsmasq.8 -+++ b/man/dnsmasq.8 -@@ -1037,6 +1037,10 @@ is given, then read all the files contained in that directory. The advantage of - using this option is the same as for --dhcp-hostsfile: the - dhcp-optsfile will be re-read when dnsmasq receives SIGHUP. Note that - it is possible to encode the information in a -+.B --dhcp-boot -+flag as DHCP options, using the options names bootfile-name, -+server-ip-address and tftp-server. This allows these to be included -+in a dhcp-optsfile. - .TP - .B --dhcp-hostsdir= - This is equivalent to dhcp-hostsfile, except for the following. The path MUST be a -@@ -1048,11 +1052,6 @@ is restarted; ie host records are only added dynamically. - .TP - .B --dhcp-optsdir= - This is equivalent to dhcp-optsfile, with the differences noted for --dhcp-hostsdir. --.TP --.B --dhcp-boot --flag as DHCP options, using the options names bootfile-name, --server-ip-address and tftp-server. This allows these to be included --in a dhcp-optsfile. - .TP - .B \-Z, --read-ethers - Read /etc/ethers for information about hosts for the DHCP server. The --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/005-Manpage_typo.patch b/src/patches/dnsmasq/005-Manpage_typo.patch deleted file mode 100644 index 52f16def7f..0000000000 --- a/src/patches/dnsmasq/005-Manpage_typo.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -From 907efeb2dc712603271093bce8a93c7c3e6fe64d Mon Sep 17 00:00:00 2001 -From: Kristjan Onu -Date: Sun, 10 Jul 2016 22:37:57 +0100 -Subject: [PATCH] Manpage typo. - ---- - man/dnsmasq.8 | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 -index bd8c0b3..ac8d921 100644 ---- a/man/dnsmasq.8 -+++ b/man/dnsmasq.8 -@@ -242,7 +242,7 @@ addresses associated with the interface. - .B --local-service - Accept DNS queries only from hosts whose address is on a local subnet, - ie a subnet for which an interface exists on the server. This option --only has effect is there are no --interface --except-interface, -+only has effect if there are no --interface --except-interface, - --listen-address or --auth-server options. It is intended to be set as - a default on installation, to allow unconfigured installations to be - useful but also safe from being used for DNS amplification attacks. --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/006-Fix_bad_behaviour_with_some_DHCP_option_arrangements.patch b/src/patches/dnsmasq/006-Fix_bad_behaviour_with_some_DHCP_option_arrangements.patch deleted file mode 100644 index ec17115bd9..0000000000 --- a/src/patches/dnsmasq/006-Fix_bad_behaviour_with_some_DHCP_option_arrangements.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From 591ed1e90503817938ccf5f127e677a8dd48b6d8 Mon Sep 17 00:00:00 2001 -From: Simon Kelley -Date: Mon, 11 Jul 2016 18:18:42 +0100 -Subject: [PATCH] Fix bad behaviour with some DHCP option arrangements. - -The check that there's enough space to store the DHCP agent-id -at the end of the packet could succeed when it should fail -if the END option is in either of the oprion-overload areas. -That could overwrite legit options in the request and cause -bad behaviour. It's highly unlikely that any sane DHCP client -would trigger this bug, and it's never been seen, but this -fixes the problem. - -Also fix off-by-one in bounds checking of option processing. -Worst case scenario on that is a read one byte beyond the -end off a buffer with a crafted packet, and maybe therefore -a SIGV crash if the memory after the buffer is not mapped. - -Thanks to Timothy Becker for spotting these. ---- - src/rfc2131.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/src/rfc2131.c b/src/rfc2131.c -index b7c167e..8b99d4b 100644 ---- a/src/rfc2131.c -+++ b/src/rfc2131.c -@@ -186,7 +186,8 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index, - be enough free space at the end of the packet to copy the option. */ - unsigned char *sopt; - unsigned int total = option_len(opt) + 2; -- unsigned char *last_opt = option_find(mess, sz, OPTION_END, 0); -+ unsigned char *last_opt = option_find1(&mess->options[0] + sizeof(u32), ((unsigned char *)mess) + sz, -+ OPTION_END, 0); - if (last_opt && last_opt < end - total) - { - end -= total; -@@ -1606,7 +1607,7 @@ static unsigned char *option_find1(unsigned char *p, unsigned char *end, int opt - { - while (1) - { -- if (p > end) -+ if (p >= end) - return NULL; - else if (*p == OPTION_END) - return opt == OPTION_END ? p : NULL; --- -1.7.10.4 - 
diff --git a/src/patches/dnsmasq/007-Fix_logic_error_in_Linux_netlink_code.patch b/src/patches/dnsmasq/007-Fix_logic_error_in_Linux_netlink_code.patch
deleted file mode 100644
index 6a79eac7b1..0000000000
--- a/src/patches/dnsmasq/007-Fix_logic_error_in_Linux_netlink_code.patch
+++ /dev/null
@@ -1,55 +0,0 @@ -From 1d07667ac77c55b9de56b1b2c385167e0e0ec27a Mon Sep 17 00:00:00 2001 -From: Ivan Kokshaysky -Date: Mon, 11 Jul 2016 18:36:05 +0100 -Subject: [PATCH] Fix logic error in Linux netlink code. - -This could cause dnsmasq to enter a tight loop on systems -with a very large number of network interfaces. ---- - CHANGELOG | 6 ++++++ - src/netlink.c | 8 +++++++- - 2 files changed, 13 insertions(+), 1 deletion(-) - -diff --git a/CHANGELOG b/CHANGELOG -index 0559a6f..59c9c49 100644 ---- a/CHANGELOG -+++ b/CHANGELOG -@@ -11,6 +11,12 @@ version 2.77 - Thanks to Mozilla for funding the security audit - which spotted this bug. - -+ Fix logic error in Linux netlink code. This could -+ cause dnsmasq to enter a tight loop on systems -+ with a very large number of network interfaces. -+ Thanks to Ivan Kokshaysky for the diagnosis and -+ patch. -+ - - version 2.76 - Include 0.0.0.0/8 in DNS rebind checks. This range -diff --git a/src/netlink.c b/src/netlink.c -index 049247b..8cd51af 100644 ---- a/src/netlink.c -+++ b/src/netlink.c -@@ -188,11 +188,17 @@ int iface_enumerate(int family, void *parm, int (*callback)()) - } - - for (h = (struct nlmsghdr *)iov.iov_base; NLMSG_OK(h, (size_t)len); h = NLMSG_NEXT(h, len)) -- if (h->nlmsg_seq != seq || h->nlmsg_pid != netlink_pid || h->nlmsg_type == NLMSG_ERROR) -+ if (h->nlmsg_pid != netlink_pid || h->nlmsg_type == NLMSG_ERROR) - { - /* May be multicast arriving async */ - nl_async(h); - } -+ else if (h->nlmsg_seq != seq) -+ { -+ /* May be part of incomplete response to previous request after -+ ENOBUFS. Drop it. */ -+ continue; -+ } - else if (h->nlmsg_type == NLMSG_DONE) - return callback_ok; - else if (h->nlmsg_type == RTM_NEWADDR && family != AF_UNSPEC && family != AF_LOCAL) --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/008-Fix_problem_with_--dnssec-timestamp.patch b/src/patches/dnsmasq/008-Fix_problem_with_--dnssec-timestamp.patch deleted file mode 100644 index b32d17a642..0000000000 
--- a/src/patches/dnsmasq/008-Fix_problem_with_--dnssec-timestamp.patch
+++ /dev/null
@@ -1,93 +0,0 @@ -From 06093a9a845bb597005d892d5d1bc7859933ada4 Mon Sep 17 00:00:00 2001 -From: Kevin Darbyshire-Bryant -Date: Mon, 11 Jul 2016 21:03:27 +0100 -Subject: [PATCH] Fix problem with --dnssec-timestamp whereby receipt of - SIGHUP would erroneously engage timestamp checking. - ---- - CHANGELOG | 4 ++++ - src/dnsmasq.c | 7 ++++--- - src/dnsmasq.h | 1 + - src/dnssec.c | 5 +++-- - 4 files changed, 12 insertions(+), 5 deletions(-) - -diff --git a/CHANGELOG b/CHANGELOG -index 59c9c49..9f1e404 100644 ---- a/CHANGELOG -+++ b/CHANGELOG -@@ -17,6 +17,10 @@ version 2.77 - Thanks to Ivan Kokshaysky for the diagnosis and - patch. - -+ Fix problem with --dnssec-timestamp whereby receipt -+ of SIGHUP would erroneously engage timestamp checking. -+ Thanks to Kevin Darbyshire-Bryant for this work. -+ - - version 2.76 - Include 0.0.0.0/8 in DNS rebind checks. This range -diff --git a/src/dnsmasq.c b/src/dnsmasq.c -index 045ec53..a47273f 100644 ---- a/src/dnsmasq.c -+++ b/src/dnsmasq.c -@@ -750,7 +750,8 @@ int main (int argc, char **argv) - - my_syslog(LOG_INFO, _("DNSSEC validation enabled")); - -- if (option_bool(OPT_DNSSEC_TIME)) -+ daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME); -+ if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future) - my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until first cache reload")); - - if (rc == 1) -@@ -1226,10 +1227,10 @@ static void async_event(int pipe, time_t now) - { - case EVENT_RELOAD: - #ifdef HAVE_DNSSEC -- if (option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME)) -+ if (daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME)) - { - my_syslog(LOG_INFO, _("now checking DNSSEC signature timestamps")); -- reset_option_bool(OPT_DNSSEC_TIME); -+ daemon->dnssec_no_time_check = 0; - } - #endif - /* fall through */ -diff --git a/src/dnsmasq.h b/src/dnsmasq.h -index 1896a64..be27ae0 100644 ---- a/src/dnsmasq.h -+++ b/src/dnsmasq.h -@@ -992,6 +992,7 @@ 
extern struct daemon { - #endif - #ifdef HAVE_DNSSEC - struct ds_config *ds; -+ int dnssec_no_time_check; - int back_to_the_future; - char *timestamp_file; - #endif -diff --git a/src/dnssec.c b/src/dnssec.c -index 3c77c7d..64358fa 100644 ---- a/src/dnssec.c -+++ b/src/dnssec.c -@@ -522,15 +522,16 @@ static int check_date_range(u32 date_start, u32 date_end) - if (utime(daemon->timestamp_file, NULL) != 0) - my_syslog(LOG_ERR, _("failed to update mtime on %s: %s"), daemon->timestamp_file, strerror(errno)); - -+ my_syslog(LOG_INFO, _("system time considered valid, now checking DNSSEC signature timestamps.")); - daemon->back_to_the_future = 1; -- set_option_bool(OPT_DNSSEC_TIME); -+ daemon->dnssec_no_time_check = 0; - queue_event(EVENT_RELOAD); /* purge cache */ - } - - if (daemon->back_to_the_future == 0) - return 1; - } -- else if (option_bool(OPT_DNSSEC_TIME)) -+ else if (daemon->dnssec_no_time_check) - return 1; - - /* We must explicitly check against wanted values, because of SERIAL_UNDEF */ --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/009-malloc_memset_calloc_for_efficiency.patch b/src/patches/dnsmasq/009-malloc_memset_calloc_for_efficiency.patch deleted file mode 100644 index 0300853b50..0000000000 --- a/src/patches/dnsmasq/009-malloc_memset_calloc_for_efficiency.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From d6dce53e08b3a06be16d43e1bf566c6c1988e4a9 Mon Sep 17 00:00:00 2001 -From: Simon Kelley -Date: Mon, 11 Jul 2016 21:34:31 +0100 -Subject: [PATCH] malloc(); memset() -> calloc() for efficiency. - ---- - src/util.c | 10 +++------- - 1 file changed, 3 insertions(+), 7 deletions(-) - -diff --git a/src/util.c b/src/util.c -index 82443c9..211690e 100644 ---- a/src/util.c -+++ b/src/util.c -@@ -244,13 +244,11 @@ unsigned char *do_rfc1035_name(unsigned char *p, char *sval) - /* for use during startup */ - void *safe_malloc(size_t size) - { -- void *ret = malloc(size); -+ void *ret = calloc(1, size); - - if (!ret) - die(_("could not get memory"), NULL, EC_NOMEM); -- else -- memset(ret, 0, size); -- -+ - return ret; - } - -@@ -264,12 +262,10 @@ void safe_pipe(int *fd, int read_noblock) - - void *whine_malloc(size_t size) - { -- void *ret = malloc(size); -+ void *ret = calloc(1, size); - - if (!ret) - my_syslog(LOG_ERR, _("failed to allocate %d bytes"), (int) size); -- else -- memset(ret, 0, size); - - return ret; - } --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/010-Zero_packet_buffers_before_building_output_to_reduce_risk_of_information_leakage.patch b/src/patches/dnsmasq/010-Zero_packet_buffers_before_building_output_to_reduce_risk_of_information_leakage.patch deleted file mode 100644 index a8c10a45e8..0000000000 --- a/src/patches/dnsmasq/010-Zero_packet_buffers_before_building_output_to_reduce_risk_of_information_leakage.patch +++ /dev/null 
@@ -1,169 +0,0 @@ -From fa78573778cb23337f67f5d0c9de723169919047 Mon Sep 17 00:00:00 2001 -From: Simon Kelley -Date: Fri, 22 Jul 2016 20:56:01 +0100 -Subject: [PATCH] Zero packet buffers before building output, to reduce risk - of information leakage. - ---- - src/auth.c | 5 +++++ - src/dnsmasq.h | 1 + - src/outpacket.c | 10 ++++++++++ - src/radv.c | 2 +- - src/rfc1035.c | 5 +++++ - src/rfc3315.c | 6 +++--- - src/slaac.c | 2 +- - src/tftp.c | 5 ++++- - 8 files changed, 30 insertions(+), 6 deletions(-) - -diff --git a/src/auth.c b/src/auth.c -index 198572d..3c5c37f 100644 ---- a/src/auth.c -+++ b/src/auth.c -@@ -101,6 +101,11 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n - struct all_addr addr; - struct cname *a; - -+ /* Clear buffer beyond request to avoid risk of -+ information disclosure. */ -+ memset(((char *)header) + qlen, 0, -+ (limit - ((char *)header)) - qlen); -+ - if (ntohs(header->qdcount) == 0 || OPCODE(header) != QUERY ) - return 0; - -diff --git a/src/dnsmasq.h b/src/dnsmasq.h -index be27ae0..2bda5d0 100644 ---- a/src/dnsmasq.h -+++ b/src/dnsmasq.h -@@ -1471,6 +1471,7 @@ void log_relay(int family, struct dhcp_relay *relay); - /* outpacket.c */ - #ifdef HAVE_DHCP6 - void end_opt6(int container); -+void reset_counter(void); - int save_counter(int newval); - void *expand(size_t headroom); - int new_opt6(int opt); -diff --git a/src/outpacket.c b/src/outpacket.c -index a414efa..2caacd9 100644 ---- a/src/outpacket.c -+++ b/src/outpacket.c -@@ -29,9 +29,19 @@ void end_opt6(int container) - PUTSHORT(len, p); - } - -+void reset_counter(void) -+{ -+ /* Clear out buffer when starting from begining */ -+ if (daemon->outpacket.iov_base) -+ memset(daemon->outpacket.iov_base, 0, daemon->outpacket.iov_len); -+ -+ save_counter(0); -+} -+ - int save_counter(int newval) - { - int ret = outpacket_counter; -+ - if (newval != -1) - outpacket_counter = newval; - -diff --git a/src/radv.c b/src/radv.c -index faa0f6d..39c9217 100644 ---- 
a/src/radv.c -+++ b/src/radv.c -@@ -261,7 +261,7 @@ static void send_ra_alias(time_t now, int iface, char *iface_name, struct in6_ad - parm.adv_interval = calc_interval(ra_param); - parm.prio = calc_prio(ra_param); - -- save_counter(0); -+ reset_counter(); - - if (!(ra = expand(sizeof(struct ra_packet)))) - return; -diff --git a/src/rfc1035.c b/src/rfc1035.c -index 24d08c1..9e730a9 100644 ---- a/src/rfc1035.c -+++ b/src/rfc1035.c -@@ -1209,6 +1209,11 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, - int nxdomain = 0, auth = 1, trunc = 0, sec_data = 1; - struct mx_srv_record *rec; - size_t len; -+ -+ /* Clear buffer beyond request to avoid risk of -+ information disclosure. */ -+ memset(((char *)header) + qlen, 0, -+ (limit - ((char *)header)) - qlen); - - if (ntohs(header->ancount) != 0 || - ntohs(header->nscount) != 0 || -diff --git a/src/rfc3315.c b/src/rfc3315.c -index 3f4d69c..e1271a1 100644 ---- a/src/rfc3315.c -+++ b/src/rfc3315.c -@@ -89,7 +89,7 @@ unsigned short dhcp6_reply(struct dhcp_context *context, int interface, char *if - for (vendor = daemon->dhcp_vendors; vendor; vendor = vendor->next) - vendor->netid.next = &vendor->netid; - -- save_counter(0); -+ reset_counter(); - state.context = context; - state.interface = interface; - state.iface_name = iface_name; -@@ -2084,7 +2084,7 @@ void relay_upstream6(struct dhcp_relay *relay, ssize_t sz, - if (hopcount > 32) - return; - -- save_counter(0); -+ reset_counter(); - - if ((header = put_opt6(NULL, 34))) - { -@@ -2161,7 +2161,7 @@ unsigned short relay_reply6(struct sockaddr_in6 *peer, ssize_t sz, char *arrival - (!relay->interface || wildcard_match(relay->interface, arrival_interface))) - break; - -- save_counter(0); -+ reset_counter(); - - if (relay) - { -diff --git a/src/slaac.c b/src/slaac.c -index 07b8ba4..bd6c9b4 100644 ---- a/src/slaac.c -+++ b/src/slaac.c -@@ -146,7 +146,7 @@ time_t periodic_slaac(time_t now, struct dhcp_lease *leases) - struct ping_packet *ping; - struct 
sockaddr_in6 addr; - -- save_counter(0); -+ reset_counter(); - - if (!(ping = expand(sizeof(struct ping_packet)))) - continue; -diff --git a/src/tftp.c b/src/tftp.c -index 3e1b5c5..618c406 100644 ---- a/src/tftp.c -+++ b/src/tftp.c -@@ -662,8 +662,9 @@ static ssize_t tftp_err(int err, char *packet, char *message, char *file) - ssize_t len, ret = 4; - char *errstr = strerror(errno); - -+ memset(packet, 0, daemon->packet_buff_sz); - sanitise(file); -- -+ - mess->op = htons(OP_ERR); - mess->err = htons(err); - len = snprintf(mess->message, MAXMESSAGE, message, file, errstr); -@@ -684,6 +685,8 @@ static ssize_t tftp_err_oops(char *packet, char *file) - /* return -1 for error, zero for done. */ - static ssize_t get_block(char *packet, struct tftp_transfer *transfer) - { -+ memset(packet, 0, daemon->packet_buff_sz); -+ - if (transfer->block == 0) - { - /* send OACK */ --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/011-Dont_reset_packet_length_on_transmission_in_case_of_retransmission.patch b/src/patches/dnsmasq/011-Dont_reset_packet_length_on_transmission_in_case_of_retransmission.patch deleted file mode 100644 index ab8ba289c4..0000000000 --- a/src/patches/dnsmasq/011-Dont_reset_packet_length_on_transmission_in_case_of_retransmission.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 6b1c464d6de3d7d2afc9b53afe78cda6d6e3316f Mon Sep 17 00:00:00 2001 -From: Simon Kelley -Date: Fri, 22 Jul 2016 20:59:16 +0100 -Subject: [PATCH] Don't reset packet length on transmission, in case of - retransmission. - ---- - src/radv.c | 2 +- - src/rfc3315.c | 2 +- - src/slaac.c | 2 +- - 3 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/radv.c b/src/radv.c -index 39c9217..ffc37f2 100644 ---- a/src/radv.c -+++ b/src/radv.c -@@ -528,7 +528,7 @@ static void send_ra_alias(time_t now, int iface, char *iface_name, struct in6_ad - } - - while (retry_send(sendto(daemon->icmp6fd, daemon->outpacket.iov_base, -- save_counter(0), 0, (struct sockaddr *)&addr, -+ save_counter(-1), 0, (struct sockaddr *)&addr, - sizeof(addr)))); - - } -diff --git a/src/rfc3315.c b/src/rfc3315.c -index e1271a1..c7bf46f 100644 ---- a/src/rfc3315.c -+++ b/src/rfc3315.c -@@ -2127,7 +2127,7 @@ void relay_upstream6(struct dhcp_relay *relay, ssize_t sz, - my_syslog(MS_DHCP | LOG_ERR, _("Cannot multicast to DHCPv6 server without correct interface")); - } - -- send_from(daemon->dhcp6fd, 0, daemon->outpacket.iov_base, save_counter(0), &to, &from, 0); -+ send_from(daemon->dhcp6fd, 0, daemon->outpacket.iov_base, save_counter(-1), &to, &from, 0); - - if (option_bool(OPT_LOG_OPTS)) - { -diff --git a/src/slaac.c b/src/slaac.c -index bd6c9b4..7ecf127 100644 ---- a/src/slaac.c -+++ b/src/slaac.c -@@ -164,7 +164,7 @@ time_t periodic_slaac(time_t now, struct dhcp_lease *leases) - addr.sin6_port = htons(IPPROTO_ICMPV6); - addr.sin6_addr = slaac->addr; - -- if (sendto(daemon->icmp6fd, daemon->outpacket.iov_base, save_counter(0), 0, -+ if (sendto(daemon->icmp6fd, daemon->outpacket.iov_base, save_counter(-1), 0, - (struct sockaddr *)&addr, sizeof(addr)) == -1 && - errno == EHOSTUNREACH) - slaac->ping_time = 0; /* Give up */ --- -1.7.10.4 - 
diff --git a/src/patches/dnsmasq/012-Compile-time_check_on_buffer_sizes_for_leasefile_parsing_code.patch b/src/patches/dnsmasq/012-Compile-time_check_on_buffer_sizes_for_leasefile_parsing_code.patch
deleted file mode 100644
index c71f470854..0000000000
--- a/src/patches/dnsmasq/012-Compile-time_check_on_buffer_sizes_for_leasefile_parsing_code.patch
+++ /dev/null
@@ -1,103 +0,0 @@ -From bf4e62c19e619f7edf8d03d58d33a5752f190bfd Mon Sep 17 00:00:00 2001 -From: Simon Kelley -Date: Fri, 22 Jul 2016 21:37:59 +0100 -Subject: [PATCH] Compile-time check on buffer sizes for leasefile parsing - code. - ---- - src/dhcp-common.c | 16 ++++++++-------- - src/dhcp-protocol.h | 4 ++++ - src/lease.c | 9 ++++++++- - src/rfc3315.c | 2 +- - 4 files changed, 21 insertions(+), 10 deletions(-) - -diff --git a/src/dhcp-common.c b/src/dhcp-common.c -index 08528e8..ecc752b 100644 ---- a/src/dhcp-common.c -+++ b/src/dhcp-common.c -@@ -20,11 +20,11 @@ - - void dhcp_common_init(void) - { -- /* These each hold a DHCP option max size 255 -- and get a terminating zero added */ -- daemon->dhcp_buff = safe_malloc(256); -- daemon->dhcp_buff2 = safe_malloc(256); -- daemon->dhcp_buff3 = safe_malloc(256); -+ /* These each hold a DHCP option max size 255 -+ and get a terminating zero added */ -+ daemon->dhcp_buff = safe_malloc(DHCP_BUFF_SZ); -+ daemon->dhcp_buff2 = safe_malloc(DHCP_BUFF_SZ); -+ daemon->dhcp_buff3 = safe_malloc(DHCP_BUFF_SZ); - - /* dhcp_packet is used by v4 and v6, outpacket only by v6 - sizeof(struct dhcp_packet) is as good an initial size as any, -@@ -855,14 +855,14 @@ void log_context(int family, struct dhcp_context *context) - if (context->flags & CONTEXT_RA_STATELESS) - { - if (context->flags & CONTEXT_TEMPLATE) -- strncpy(daemon->dhcp_buff, context->template_interface, 256); -+ strncpy(daemon->dhcp_buff, context->template_interface, DHCP_BUFF_SZ); - else - strcpy(daemon->dhcp_buff, daemon->addrbuff); - } - else - #endif -- inet_ntop(family, start, daemon->dhcp_buff, 256); -- inet_ntop(family, end, daemon->dhcp_buff3, 256); -+ inet_ntop(family, start, daemon->dhcp_buff, DHCP_BUFF_SZ); -+ inet_ntop(family, end, daemon->dhcp_buff3, DHCP_BUFF_SZ); - my_syslog(MS_DHCP | LOG_INFO, - (context->flags & CONTEXT_RA_STATELESS) ? 
- _("%s stateless on %s%.0s%.0s%s") : -diff --git a/src/dhcp-protocol.h b/src/dhcp-protocol.h -index a31d829..0ea449b 100644 ---- a/src/dhcp-protocol.h -+++ b/src/dhcp-protocol.h -@@ -19,6 +19,10 @@ - #define DHCP_CLIENT_ALTPORT 1068 - #define PXE_PORT 4011 - -+/* These each hold a DHCP option max size 255 -+ and get a terminating zero added */ -+#define DHCP_BUFF_SZ 256 -+ - #define BOOTREQUEST 1 - #define BOOTREPLY 2 - #define DHCP_COOKIE 0x63825363 -diff --git a/src/lease.c b/src/lease.c -index 20cac90..ca62cc5 100644 ---- a/src/lease.c -+++ b/src/lease.c -@@ -65,7 +65,14 @@ void lease_init(time_t now) - } - - /* client-id max length is 255 which is 255*2 digits + 254 colons -- borrow DNS packet buffer which is always larger than 1000 bytes */ -+ borrow DNS packet buffer which is always larger than 1000 bytes -+ -+ Check various buffers are big enough for the code below */ -+ -+#if (DHCP_BUFF_SZ < 255) || (MAXDNAME < 64) || (PACKETSZ+MAXDNAME+RRFIXEDSZ < 764) -+# error Buffer size breakage in leasfile parsing. -+#endif -+ - if (leasestream) - while (fscanf(leasestream, "%255s %255s", daemon->dhcp_buff3, daemon->dhcp_buff2) == 2) - { -diff --git a/src/rfc3315.c b/src/rfc3315.c -index c7bf46f..568b0c8 100644 ---- a/src/rfc3315.c -+++ b/src/rfc3315.c -@@ -1975,7 +1975,7 @@ static void log6_packet(struct state *state, char *type, struct in6_addr *addr, - - if (addr) - { -- inet_ntop(AF_INET6, addr, daemon->dhcp_buff2, 255); -+ inet_ntop(AF_INET6, addr, daemon->dhcp_buff2, DHCP_BUFF_SZ - 1); - strcat(daemon->dhcp_buff2, " "); - } - else --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/013-auth-zone_allow_to_exclude_ip_addresses_from_answer.patch b/src/patches/dnsmasq/013-auth-zone_allow_to_exclude_ip_addresses_from_answer.patch deleted file mode 100644 index bb5fe5dc9a..0000000000 --- a/src/patches/dnsmasq/013-auth-zone_allow_to_exclude_ip_addresses_from_answer.patch +++ /dev/null 
@@ -1,184 +0,0 @@ -From 094bfaeb4ff69cae99387bc2ea07ff57632c89f5 Mon Sep 17 00:00:00 2001 -From: Mathias Kresin -Date: Sun, 24 Jul 2016 14:15:22 +0100 -Subject: [PATCH] auth-zone: allow to exclude ip addresses from answer. - ---- - man/dnsmasq.8 | 6 +++++- - src/auth.c | 61 ++++++++++++++++++++++++++++++++++++--------------------- - src/dnsmasq.h | 1 + - src/option.c | 21 ++++++++++++++++++-- - 4 files changed, 64 insertions(+), 25 deletions(-) - -diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 -index ac8d921..8910947 100644 ---- a/man/dnsmasq.8 -+++ b/man/dnsmasq.8 -@@ -739,7 +739,7 @@ a return code of SERVFAIL. Note that - setting this may affect DNS behaviour in bad ways, it is not an - extra-logging flag and should not be set in production. - .TP --.B --auth-zone=[,[/][,[/].....]] -+.B --auth-zone=[,[/][,[/].....][,exclude:[/]].....] - Define a DNS zone for which dnsmasq acts as authoritative server. Locally defined DNS records which are in the domain - will be served. If subnet(s) are given, A and AAAA records must be in one of the - specified subnets. -@@ -756,6 +756,10 @@ appear in the zone, but RFC1918 IPv4 addresses which should not. - Interface-name and address-literal subnet specifications may be used - freely in the same --auth-zone declaration. - -+It's possible to exclude certain IP addresses from responses. It can be -+used, to make sure that answers contain only global routeable IP -+addresses (by excluding loopback, RFC1918 and ULA addresses). -+ - The subnet(s) are also used to define in-addr.arpa and - ip6.arpa domains which are served for reverse-DNS queries. If not - specified, the prefix length defaults to 24 for IPv4 and 64 for IPv6. 
-diff --git a/src/auth.c b/src/auth.c -index 3c5c37f..f1ca2f5 100644 ---- a/src/auth.c -+++ b/src/auth.c -@@ -18,36 +18,53 @@ - - #ifdef HAVE_AUTH - --static struct addrlist *find_subnet(struct auth_zone *zone, int flag, struct all_addr *addr_u) -+static struct addrlist *find_addrlist(struct addrlist *list, int flag, struct all_addr *addr_u) - { -- struct addrlist *subnet; -- -- for (subnet = zone->subnet; subnet; subnet = subnet->next) -- { -- if (!(subnet->flags & ADDRLIST_IPV6)) -- { -- struct in_addr netmask, addr = addr_u->addr.addr4; -- -- if (!(flag & F_IPV4)) -- continue; -- -- netmask.s_addr = htonl(~(in_addr_t)0 << (32 - subnet->prefixlen)); -- -- if (is_same_net(addr, subnet->addr.addr.addr4, netmask)) -- return subnet; -- } -+ do { -+ if (!(list->flags & ADDRLIST_IPV6)) -+ { -+ struct in_addr netmask, addr = addr_u->addr.addr4; -+ -+ if (!(flag & F_IPV4)) -+ continue; -+ -+ netmask.s_addr = htonl(~(in_addr_t)0 << (32 - list->prefixlen)); -+ -+ if (is_same_net(addr, list->addr.addr.addr4, netmask)) -+ return list; -+ } - #ifdef HAVE_IPV6 -- else if (is_same_net6(&(addr_u->addr.addr6), &subnet->addr.addr.addr6, subnet->prefixlen)) -- return subnet; -+ else if (is_same_net6(&(addr_u->addr.addr6), &list->addr.addr.addr6, list->prefixlen)) -+ return list; - #endif -- -- } -+ -+ } while ((list = list->next)); -+ - return NULL; - } - -+static struct addrlist *find_subnet(struct auth_zone *zone, int flag, struct all_addr *addr_u) -+{ -+ if (!zone->subnet) -+ return NULL; -+ -+ return find_addrlist(zone->subnet, flag, addr_u); -+} -+ -+static struct addrlist *find_exclude(struct auth_zone *zone, int flag, struct all_addr *addr_u) -+{ -+ if (!zone->exclude) -+ return NULL; -+ -+ return find_addrlist(zone->exclude, flag, addr_u); -+} -+ - static int filter_zone(struct auth_zone *zone, int flag, struct all_addr *addr_u) - { -- /* No zones specified, no filter */ -+ if (find_exclude(zone, flag, addr_u)) -+ return 0; -+ -+ /* No subnets specified, no filter */ - if 
(!zone->subnet) - return 1; - -diff --git a/src/dnsmasq.h b/src/dnsmasq.h -index 2bda5d0..27385a9 100644 ---- a/src/dnsmasq.h -+++ b/src/dnsmasq.h -@@ -340,6 +340,7 @@ struct auth_zone { - struct auth_name_list *next; - } *interface_names; - struct addrlist *subnet; -+ struct addrlist *exclude; - struct auth_zone *next; - }; - -diff --git a/src/option.c b/src/option.c -index d8c57d6..6cedef3 100644 ---- a/src/option.c -+++ b/src/option.c -@@ -1906,6 +1906,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma - new = opt_malloc(sizeof(struct auth_zone)); - new->domain = opt_string_alloc(arg); - new->subnet = NULL; -+ new->exclude = NULL; - new->interface_names = NULL; - new->next = daemon->auth_zones; - daemon->auth_zones = new; -@@ -1913,6 +1914,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma - while ((arg = comma)) - { - int prefixlen = 0; -+ int is_exclude = 0; - char *prefix; - struct addrlist *subnet = NULL; - struct all_addr addr; -@@ -1923,6 +1925,12 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma - if (prefix && !atoi_check(prefix, &prefixlen)) - ret_err(gen_err); - -+ if (strstr(arg, "exclude:") == arg) -+ { -+ is_exclude = 1; -+ arg = arg+8; -+ } -+ - if (inet_pton(AF_INET, arg, &addr.addr.addr4)) - { - subnet = opt_malloc(sizeof(struct addrlist)); -@@ -1960,8 +1968,17 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma - if (subnet) - { - subnet->addr = addr; -- subnet->next = new->subnet; -- new->subnet = subnet; -+ -+ if (is_exclude) -+ { -+ subnet->next = new->exclude; -+ new->exclude = subnet; -+ } -+ else -+ { -+ subnet->next = new->subnet; -+ new->subnet = subnet; -+ } - } - } - break; --- -1.7.10.4 - 
diff --git a/src/patches/dnsmasq/014-Bump_auth_zone_serial_when_reloading_etc_hosts_and_friends.patch b/src/patches/dnsmasq/014-Bump_auth_zone_serial_when_reloading_etc_hosts_and_friends.patch deleted file mode 100644 index 054323b2fc..0000000000 --- a/src/patches/dnsmasq/014-Bump_auth_zone_serial_when_reloading_etc_hosts_and_friends.patch +++ /dev/null @@ -1,41 +0,0 @@ -From c8328ecde896575b3cb81cf537747df531f90771 Mon Sep 17 00:00:00 2001 -From: Simon Kelley -Date: Fri, 5 Aug 2016 16:54:58 +0100 -Subject: [PATCH] Bump auth zone serial when reloading /etc/hosts and friends. - ---- - CHANGELOG | 4 ++++ - src/dnsmasq.c | 2 ++ - 2 files changed, 6 insertions(+) - -diff --git a/CHANGELOG b/CHANGELOG -index 9f1e404..4f89799 100644 ---- a/CHANGELOG -+++ b/CHANGELOG -@@ -20,6 +20,10 @@ version 2.77 - Fix problem with --dnssec-timestamp whereby receipt - of SIGHUP would erroneously engage timestamp checking. - Thanks to Kevin Darbyshire-Bryant for this work. -+ -+ Bump zone serial on reloading /etc/hosts and friends -+ when providing authoritative DNS. Thanks to Harrald -+ Dunkel for spotting this. - - - version 2.76 -diff --git a/src/dnsmasq.c b/src/dnsmasq.c -index a47273f..3580bea 100644 ---- a/src/dnsmasq.c -+++ b/src/dnsmasq.c -@@ -1226,6 +1226,8 @@ static void async_event(int pipe, time_t now) - switch (ev.event) - { - case EVENT_RELOAD: -+ daemon->soa_sn++; /* Bump zone serial, as it may have changed. */ -+ - #ifdef HAVE_DNSSEC - if (daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME)) - { --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/015-Handle_v4-mapped_IPv6_addresses_sanely_for_--synth-domain.patch b/src/patches/dnsmasq/015-Handle_v4-mapped_IPv6_addresses_sanely_for_--synth-domain.patch deleted file mode 100644 index 7ebef83781..0000000000 --- a/src/patches/dnsmasq/015-Handle_v4-mapped_IPv6_addresses_sanely_for_--synth-domain.patch +++ /dev/null 
@@ -1,101 +0,0 @@ -From 6d95099c56a926d672e0407d6017fef9714f40c4 Mon Sep 17 00:00:00 2001 -From: Simon Kelley -Date: Thu, 11 Aug 2016 23:38:54 +0100 -Subject: [PATCH] Handle v4-mapped IPv6 addresses sanely for --synth-domain. - ---- - CHANGELOG | 7 ++++++- - man/dnsmasq.8 | 2 ++ - src/domain.c | 34 ++++++++++++++++++++++++---------- - 3 files changed, 32 insertions(+), 11 deletions(-) - -diff --git a/CHANGELOG b/CHANGELOG -index 4f89799..2731cc4 100644 ---- a/CHANGELOG -+++ b/CHANGELOG -@@ -24,7 +24,12 @@ version 2.77 - Bump zone serial on reloading /etc/hosts and friends - when providing authoritative DNS. Thanks to Harrald - Dunkel for spotting this. -- -+ -+ Handle v4-mapped IPv6 addresses sanely in --synth-domain. -+ These have standard representation like ::ffff:1.2.3.4 -+ and are now converted to names like -+ --ffff-1-2-3-4. -+ - - version 2.76 - Include 0.0.0.0/8 in DNS rebind checks. This range -diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 -index 8910947..91fe672 100644 ---- a/man/dnsmasq.8 -+++ b/man/dnsmasq.8 -@@ -619,6 +619,8 @@ but IPv6 addresses may start with '::' - but DNS labels may not start with '-' so in this case if no prefix is - configured a zero is added in front of the label. ::1 becomes 0--1. - -+V4 mapped IPv6 addresses, which have a representation like ::ffff:1.2.3.4 are handled specially, and become like 0--ffff-1-2-3-4 -+ - The address range can be of the form - , or / - .TP -diff --git a/src/domain.c b/src/domain.c -index 1dd5027..a007acd 100644 ---- a/src/domain.c -+++ b/src/domain.c -@@ -77,18 +77,31 @@ int is_name_synthetic(int flags, char *name, struct all_addr *addr) - - *p = 0; - -- /* swap . or : for - */ -- for (p = tail; *p; p++) -- if (*p == '-') -- { -- if (prot == AF_INET) -+ #ifdef HAVE_IPV6 -+ if (prot == AF_INET6 && strstr(tail, "--ffff-") == tail) -+ { -+ /* special hack for v4-mapped. */ -+ memcpy(tail, "::ffff:", 7); -+ for (p = tail + 7; *p; p++) -+ if (*p == '-') - *p = '.'; -+ } -+ else -+#endif -+ { -+ /* swap . 
or : for - */ -+ for (p = tail; *p; p++) -+ if (*p == '-') -+ { -+ if (prot == AF_INET) -+ *p = '.'; - #ifdef HAVE_IPV6 -- else -- *p = ':'; -+ else -+ *p = ':'; - #endif -- } -- -+ } -+ } -+ - if (hostname_isequal(c->domain, p+1) && inet_pton(prot, tail, addr)) - { - if (prot == AF_INET) -@@ -169,8 +182,9 @@ int is_rev_synth(int flag, struct all_addr *addr, char *name) - inet_ntop(AF_INET6, &addr->addr.addr6, name+1, ADDRSTRLEN); - } - -+ /* V4-mapped have periods.... */ - for (p = name; *p; p++) -- if (*p == ':') -+ if (*p == ':' || *p == '.') - *p = '-'; - - strncat(name, ".", MAXDNAME); --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/016-Refactor_openBSD_pftables_code_to_remove_blatant_copyright_violation.patch b/src/patches/dnsmasq/016-Refactor_openBSD_pftables_code_to_remove_blatant_copyright_violation.patch deleted file mode 100644 index db27f90434..0000000000 --- a/src/patches/dnsmasq/016-Refactor_openBSD_pftables_code_to_remove_blatant_copyright_violation.patch +++ /dev/null 
@@ -1,149 +0,0 @@ -From 396750cef533cf72c7e6a72e47a9c93e2e431cb7 Mon Sep 17 00:00:00 2001 -From: Simon Kelley -Date: Sat, 13 Aug 2016 22:34:11 +0100 -Subject: [PATCH] Refactor openBSD pftables code to remove blatant copyright - violation. - ---- - src/tables.c | 90 +++++++++++++++++++++------------------------------------- - 1 file changed, 32 insertions(+), 58 deletions(-) - -diff --git a/src/tables.c b/src/tables.c -index aae1252..4fa3487 100644 ---- a/src/tables.c -+++ b/src/tables.c -@@ -53,52 +53,6 @@ static char *pfr_strerror(int errnum) - } - } - --static int pfr_add_tables(struct pfr_table *tbl, int size, int *nadd, int flags) --{ -- struct pfioc_table io; -- -- if (size < 0 || (size && tbl == NULL)) -- { -- errno = EINVAL; -- return (-1); -- } -- bzero(&io, sizeof io); -- io.pfrio_flags = flags; -- io.pfrio_buffer = tbl; -- io.pfrio_esize = sizeof(*tbl); -- io.pfrio_size = size; -- if (ioctl(dev, DIOCRADDTABLES, &io)) -- return (-1); -- if (nadd != NULL) -- *nadd = io.pfrio_nadd; -- return (0); --} -- --static int fill_addr(const struct all_addr *ipaddr, int flags, struct pfr_addr* addr) { -- if ( !addr || !ipaddr) -- { -- my_syslog(LOG_ERR, _("error: fill_addr missused")); -- return -1; -- } -- bzero(addr, sizeof(*addr)); --#ifdef HAVE_IPV6 -- if (flags & F_IPV6) -- { -- addr->pfra_af = AF_INET6; -- addr->pfra_net = 0x80; -- memcpy(&(addr->pfra_ip6addr), &(ipaddr->addr), sizeof(struct in6_addr)); -- } -- else --#endif -- { -- addr->pfra_af = AF_INET; -- addr->pfra_net = 0x20; -- addr->pfra_ip4addr.s_addr = ipaddr->addr.addr4.s_addr; -- } -- return 1; --} -- --/*****************************************************************************/ - - void ipset_init(void) - { -@@ -111,14 +65,13 @@ void ipset_init(void) - } - - int add_to_ipset(const char *setname, const struct all_addr *ipaddr, -- int flags, int remove) -+ int flags, int remove) - { - struct pfr_addr addr; - struct pfioc_table io; - struct pfr_table table; -- int n = 0, rc = 0; - -- if ( dev == -1 
) -+ if (dev == -1) - { - my_syslog(LOG_ERR, _("warning: no opened pf devices %s"), pf_device); - return -1; -@@ -126,31 +79,52 @@ int add_to_ipset(const char *setname, const struct all_addr *ipaddr, - - bzero(&table, sizeof(struct pfr_table)); - table.pfrt_flags |= PFR_TFLAG_PERSIST; -- if ( strlen(setname) >= PF_TABLE_NAME_SIZE ) -+ if (strlen(setname) >= PF_TABLE_NAME_SIZE) - { - my_syslog(LOG_ERR, _("error: cannot use table name %s"), setname); - errno = ENAMETOOLONG; - return -1; - } - -- if ( strlcpy(table.pfrt_name, setname, -- sizeof(table.pfrt_name)) >= sizeof(table.pfrt_name)) -+ if (strlcpy(table.pfrt_name, setname, -+ sizeof(table.pfrt_name)) >= sizeof(table.pfrt_name)) - { - my_syslog(LOG_ERR, _("error: cannot strlcpy table name %s"), setname); - return -1; - } - -- if ((rc = pfr_add_tables(&table, 1, &n, 0))) -+ bzero(&io, sizeof io); -+ io.pfrio_flags = 0; -+ io.pfrio_buffer = &table; -+ io.pfrio_esize = sizeof(table); -+ io.pfrio_size = 1; -+ if (ioctl(dev, DIOCRADDTABLES, &io)) - { -- my_syslog(LOG_WARNING, _("warning: pfr_add_tables: %s(%d)"), -- pfr_strerror(errno),rc); -+ my_syslog(LOG_WARNING, _("IPset: error:%s"), pfr_strerror(errno)); -+ - return -1; - } -+ - table.pfrt_flags &= ~PFR_TFLAG_PERSIST; -- if (n) -+ if (io.pfrio_nadd) - my_syslog(LOG_INFO, _("info: table created")); -- -- fill_addr(ipaddr,flags,&addr); -+ -+ bzero(&addr, sizeof(addr)); -+#ifdef HAVE_IPV6 -+ if (flags & F_IPV6) -+ { -+ addr.pfra_af = AF_INET6; -+ addr.pfra_net = 0x80; -+ memcpy(&(addr.pfra_ip6addr), &(ipaddr->addr), sizeof(struct in6_addr)); -+ } -+ else -+#endif -+ { -+ addr.pfra_af = AF_INET; -+ addr.pfra_net = 0x20; -+ addr.pfra_ip4addr.s_addr = ipaddr->addr.addr4.s_addr; -+ } -+ - bzero(&io, sizeof(io)); - io.pfrio_flags = 0; - io.pfrio_table = table; --- -1.7.10.4 -