From d8966ea942ea2cda9d4b1e731d19390a03243573 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Sun, 18 Oct 2015 01:51:35 +0200 Subject: [PATCH 01/16] bison: Update to 3.0.4. This is a major update to the latest stable version of bison. A short excerpt of the changelog: Several deprecated features were removed, such as support for YYFAIL, yystype, yyltype, YYLEX_PARAM, and YYPARSE_PARAM. The user epilogue is no longer affected by internal #defines. The recently-introduced dependency on stdio.h when locations are enabled was removed. Caret errors, as introduced in 2.7, are now activated by default. The "-Werror" option was enhanced, and categorization of warnings and errors was modified. Many other changes and various bugfixes were made. I also added flex as a build dependency to prevent from errors when running the testsuite. Fixes #10403. Signed-off-by: Stefan Schantl Signed-off-by: Michael Tremer --- bison/bison.nm | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/bison/bison.nm b/bison/bison.nm index 8b1a1a994..0a2af3d2a 100644 --- a/bison/bison.nm +++ b/bison/bison.nm @@ -4,7 +4,7 @@ ############################################################################### name = bison -version = 2.7.1 +version = 3.0.4 release = 1 groups = Development/Tools @@ -13,14 +13,16 @@ license = GPLv2+ summary = GNU Bison is a parser generator. description - Bison is a general-purpose parser generator that converts an annotated \ + Bison is a general-purpose parser generator that converts an annotated context-free grammar into an LALR(1) or GLR parser for that grammar. end source_dl = http://ftp.gnu.org/gnu/bison/ +sources = %{thisapp}.tar.xz build requires + flex >= 2.5.37 m4 >= 1.4.16 perl end 
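Review bot: The added `sources = %{thisapp}.tar.xz` line, in the second hunk of bison.nm, is resolved against the unchanged `source_dl = http://ftp.gnu.org/gnu/bison/`, a plain-HTTP location, and the hunk pins no checksum or signature for the new 3.0.4 tarball. If the build system does not verify the download against a digest recorded elsewhere (not visible in this patch), anyone on the network path can substitute the build input. I would change the context line to `source_dl = https://ftp.gnu.org/gnu/bison/`. I would also state in the commit message how the tarball was verified, for example against the upstream `.sig`.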
@@ -43,8 +45,8 @@ build mkdir -pv %{BUILDROOT}%{libdir} cd lib install -v liby.so.%{version} %{BUILDROOT}%{libdir}/liby.so.%{version} - ln -vsf liby.so.%{version} %{BUILDROOT}%{libdir}/liby.so.2 - ln -vsf liby.so.2 %{BUILDROOT}%{libdir}/liby.so + ln -vsf liby.so.%{version} %{BUILDROOT}%{libdir}/liby.so.3 + ln -vsf liby.so.3 %{BUILDROOT}%{libdir}/liby.so end end -- 2.39.2 From 747db4fdcf002ee97c155be7a20429ffc13c613c Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Sun, 18 Oct 2015 12:40:10 +0200 Subject: [PATCH 02/16] systemd: Create missing system groups The system groups input and utmp where missing which are required by udevd to proper work. Fixes #10942. Signed-off-by: Stefan Schantl Signed-off-by: Michael Tremer --- systemd/systemd.nm | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/systemd/systemd.nm b/systemd/systemd.nm index 7346c09bb..0b8e604e2 100644 --- a/systemd/systemd.nm +++ b/systemd/systemd.nm @@ -5,7 +5,7 @@ name = systemd version = 221 -release = 2 +release = 3 maintainer = Stefan Schantl groups = System/Base @@ -164,6 +164,8 @@ create_groups getent group tape >/dev/null || groupadd -g 33 tape || : getent group dialout >/dev/null || groupadd -g 18 dialout || : getent group floppy >/dev/null || groupadd -g 19 floppy || : + getent group input >/dev/null || groupadd -r input || : + getent group utmp >/dev/null || groupadd -r -g 22 utmp || : # Create group for journald. getent group systemd-journal >/dev/null || /usr/sbin/groupadd -r systemd-journal -- 2.39.2 From 23621ada010ee2916cf6aeebb0438414d38dfbb1 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Sun, 18 Oct 2015 20:13:19 +0200 Subject: [PATCH 03/16] unbound: New package Unbound is a validating, recursive, and caching DNS resolver. The package comes with libraries that are used by many other packages to resolve DNS records and validate those by using DNSSEC. Fixes #10943. Signed-off-by: Stefan Schantl 
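Review bot: In the second systemd.nm hunk, `groupadd -r -g 22 utmp || :` discards the failure when GID 22 is already taken on the target system, so the scriptlet succeeds while the `utmp` group the commit message says udevd needs is still missing. A fallback keeps the group present even if the preferred id is not available: `getent group utmp >/dev/null || groupadd -r -g 22 utmp || groupadd -r utmp || :`. The new `input` line has no `-g`, unlike the `tape`/`dialout`/`floppy` lines next to it, so its GID will differ between hosts. If that is intended, a comment such as `# input has no reserved GID; allocated dynamically` would say so. The `create_groups` block starts and ends outside the hunk, so existing handling further down is not visible here.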
Signed-off-by: Michael Tremer --- unbound/dlv.isc.org.key | 2 + unbound/icannbundle.pem | 317 ++++++++++++ unbound/root.anchor | 1 + unbound/root.key | 6 + unbound/systemd/unbound-anchor.service | 9 + unbound/systemd/unbound-anchor.timer | 14 + unbound/systemd/unbound-keygen.service | 14 + unbound/systemd/unbound.service | 18 + unbound/unbound.conf | 655 +++++++++++++++++++++++++ unbound/unbound.nm | 162 ++++++ unbound/unbound.tmpfiles | 1 + 11 files changed, 1199 insertions(+) create mode 100644 unbound/dlv.isc.org.key create mode 100644 unbound/icannbundle.pem create mode 100644 unbound/root.anchor create mode 100644 unbound/root.key create mode 100644 unbound/systemd/unbound-anchor.service create mode 100644 unbound/systemd/unbound-anchor.timer create mode 100644 unbound/systemd/unbound-keygen.service create mode 100644 unbound/systemd/unbound.service create mode 100644 unbound/unbound.conf create mode 100644 unbound/unbound.nm create mode 100644 unbound/unbound.tmpfiles diff --git a/unbound/dlv.isc.org.key b/unbound/dlv.isc.org.key new file mode 100644 index 000000000..c73944f35 --- /dev/null +++ b/unbound/dlv.isc.org.key @@ -0,0 +1,2 @@ +; https://secure.isc.org/ops/dlv/dlv.isc.org.key +dlv.isc.org. IN DNSKEY 257 3 5 BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh diff --git a/unbound/icannbundle.pem b/unbound/icannbundle.pem new file mode 100644 index 000000000..48941ded4 --- /dev/null +++ b/unbound/icannbundle.pem 
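Review bot: dlv.isc.org.key adds a second DNSSEC trust anchor whose only provenance is the URL in its first line, and its `257 3 5` fields mark it as an algorithm 5 (RSA/SHA-1) key. A lookaside anchor widens what the validator trusts beyond the root key, and when enabled it sends lookups for unsigned names to the registry operator. Whether the packaged unbound.conf enables it (`dlv-anchor-file`) is not visible in this part of the patch; I would ship it disabled by default. I would also extend the header with a line such as `; fetched <DATE>, verified against <PUBLISHED-FINGERPRINT-SOURCE>` so a later reviewer can re-check the key.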
@@ -0,0 +1,317 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US + Validity + Not Before: Dec 23 04:19:12 2009 GMT + Not After : Dec 18 04:19:12 2029 GMT + Subject: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:a0:db:70:b8:4f:34:da:9c:d4:d0:7e:bb:ea:15: + bc:e9:c9:11:2a:1f:61:2f:6a:b9:bd:3f:3d:76:a0: + 9a:0a:f7:ee:93:6e:6e:55:53:84:8c:f2:2c:f1:82: + 27:c8:0f:9a:cf:52:1b:54:da:28:d2:2c:30:8e:dd: + fb:92:20:33:2d:d6:c8:f1:0e:10:21:88:71:fa:84: + 22:4b:5d:47:56:16:7c:9b:9f:5d:c3:11:79:9c:14: + e2:ff:c0:74:ac:dd:39:d7:e0:38:d8:b0:73:aa:fb: + d1:db:84:af:52:22:a8:f6:d5:9b:94:f4:e6:5d:5e: + e8:3f:87:90:0b:c7:1a:77:f5:2e:d3:8f:1a:ce:02: + 1d:07:69:21:47:32:da:46:ae:00:4c:b6:a5:a2:9c: + 39:c1:c0:4a:f6:d3:1c:ae:d3:6d:bb:c7:18:f0:7e: + ed:f6:80:ce:d0:01:2e:89:de:12:ba:ee:11:cb:a6: + 7a:d7:0d:7c:f3:08:8d:72:9d:bf:55:75:13:70:bb: + 31:22:4a:cb:e8:c0:aa:a4:09:aa:36:68:40:60:74: + 9d:e7:19:81:43:22:52:fe:c9:2b:52:0f:41:13:36: + 09:72:65:95:cc:89:ae:6f:56:17:16:34:73:52:a3: + 04:ed:bd:88:82:8a:eb:d7:dc:82:52:9c:06:e1:52: + 85:41 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 + Signature Algorithm: sha256WithRSAEncryption + 0f:f1:e9:82:a2:0a:87:9f:2d:94:60:5a:b2:c0:4b:a1:2f:2b: + 3b:47:d5:0a:99:86:38:b2:ec:c6:3b:89:e4:6e:07:cf:14:c7: + c7:e8:cf:99:8f:aa:30:c3:19:70:b9:e6:6d:d6:3f:c8:68:26: + b2:a0:a5:37:42:ca:d8:62:80:d1:a2:5a:48:2e:1f:85:3f:0c: + 7b:c2:c7:94:11:5f:19:2a:95:ac:a0:3a:03:d8:91:5b:2e:0d: + 
9c:7c:1f:2e:fc:e9:44:e1:16:26:73:1c:45:4a:65:c1:83:4c: + 90:f3:f2:28:42:df:db:c4:e7:04:12:18:62:43:5e:bc:1f:6c: + 84:e6:bc:49:32:df:61:d7:99:ee:e4:90:52:7b:0a:c2:91:8a: + 98:62:66:b1:c8:e0:b7:5a:b5:46:7c:76:71:54:8e:cc:a4:81: + 5c:19:db:d2:6f:66:b5:bb:2b:ae:6b:c9:74:04:a8:24:de:e8: + c5:d3:fc:2c:1c:d7:8f:db:6a:8d:c9:53:be:5d:50:73:ac:cf: + 1f:93:c0:52:50:5b:a2:4f:fe:ad:65:36:17:46:d1:2d:e5:a2: + 90:66:05:db:29:4e:5d:50:5d:e3:4f:da:a0:8f:f0:6b:e4:16: + 70:dd:7f:f3:77:7d:b9:4e:f9:ec:c3:33:02:d7:e9:63:2f:31: + e7:40:61:a4 +-----BEGIN CERTIFICATE----- +MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO +TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV +BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX +DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O +IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB +MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb +cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S +G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg +ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2 +paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7 +MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29 +iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B +Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3 +DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH +6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD +2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h +15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF +0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg +j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha256WithRSAEncryption + Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US + 
Validity + Not Before: Dec 23 04:45:04 2009 GMT + Not After : Dec 22 04:45:04 2014 GMT + Subject: O=ICANN, CN=ICANN DNSSEC CA/emailAddress=dnssec@icann.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:c0:bf:e2:b4:ee:12:46:36:3b:7c:d2:46:21:64: + 5a:93:e1:e3:02:10:25:bb:a5:30:70:19:89:98:7e: + 9e:db:8e:0f:ac:c8:48:66:0e:1a:f8:81:e5:2d:3c: + 7b:39:39:76:28:8f:ee:0a:a7:dd:64:e9:5f:87:25: + b1:64:e5:59:03:fc:bc:29:3b:63:37:c8:d7:46:9a: + b6:ce:87:55:cd:cf:e2:ab:e9:c7:8a:53:2e:25:87: + b0:98:d6:20:a3:a8:ec:87:b0:39:a3:c4:c5:75:59: + 3c:fb:91:03:fa:ee:7f:e9:2b:b6:70:88:69:2c:e6: + f1:4f:fc:d0:47:b4:e9:a0:2c:fa:0c:c3:84:eb:be: + 73:5a:bc:16:ed:d0:83:02:2d:eb:6a:21:02:51:70: + 29:1e:4f:c9:69:03:9f:91:32:5c:2c:1a:9f:5e:45: + 48:2a:50:ee:72:14:ec:17:29:fc:20:95:7d:22:6a: + c6:6f:83:a2:58:8e:b1:64:c8:73:23:54:6c:69:1d: + 66:1f:df:f8:4f:24:a1:a8:ae:00:7f:e9:89:41:a6: + e3:88:1d:3a:e1:b3:3a:ef:29:45:32:9b:94:2e:b7: + 6c:1e:fe:31:40:13:e1:bd:52:67:d0:d8:c3:3e:03: + 84:48:72:9d:bd:8a:48:a0:f2:72:35:b6:03:4b:c6: + e9:05 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign + X509v3 Authority Key Identifier: + keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 + + X509v3 Subject Key Identifier: + 8F:B2:42:69:C3:9D:E4:3C:FA:13:B9:FF:F2:C0:A4:EF:D8:0F:E8:22 + Signature Algorithm: sha256WithRSAEncryption + 4a:78:a2:47:7e:3f:2e:4d:78:68:ab:06:5c:ff:da:01:04:45: + 92:20:20:88:f3:dc:4e:70:01:9b:cb:f3:13:61:34:04:09:15: + d0:be:99:1c:be:fc:97:e9:2d:73:e1:b3:2b:a6:b9:3a:41:33: + f3:83:3d:64:1b:64:95:bf:ae:cd:20:df:18:e0:62:8d:fa:9c: + f7:d8:a9:3c:25:2b:8e:cf:10:e5:29:b9:af:1a:7f:62:64:75: + e7:c6:fd:9b:6d:71:c0:a9:b3:0f:9a:b7:7a:fe:53:04:18:cd: + 04:06:d9:bf:01:0e:cc:04:84:84:51:a3:e9:06:2a:a3:25:73: + 
4e:8d:62:19:13:25:5b:de:0b:dc:d0:69:01:ca:41:0a:96:13: + cf:6a:11:fe:2b:9a:3f:fd:56:3d:73:3d:58:49:c2:71:83:20: + 23:6d:46:99:6e:37:91:9f:76:2a:9c:b0:69:3f:64:9f:05:bb: + 38:c8:1e:ca:d8:6c:fd:56:3e:a6:85:a2:53:80:c6:42:b6:79: + c6:43:0b:e0:6c:ea:9f:cf:b0:2a:2c:01:50:c3:d8:0f:a0:7e: + a1:73:a8:5c:84:27:5b:c9:4b:5a:13:e9:69:25:1c:59:11:d2: + 01:dc:da:e7:c8:44:34:a2:e4:99:25:b4:c3:23:b5:f8:2d:48: + e5:8d:06:73 +-----BEGIN CERTIFICATE----- +MIIDhjCCAm6gAwIBAgIBAjANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO +TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV +BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0NDUwNFoX +DTE0MTIyMjA0NDUwNFowSzEOMAwGA1UEChMFSUNBTk4xGDAWBgNVBAMTD0lDQU5O +IEROU1NFQyBDQTEfMB0GCSqGSIb3DQEJARMQZG5zc2VjQGljYW5uLm9yZzCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMC/4rTuEkY2O3zSRiFkWpPh4wIQ +JbulMHAZiZh+ntuOD6zISGYOGviB5S08ezk5diiP7gqn3WTpX4clsWTlWQP8vCk7 +YzfI10aats6HVc3P4qvpx4pTLiWHsJjWIKOo7IewOaPExXVZPPuRA/ruf+krtnCI +aSzm8U/80Ee06aAs+gzDhOu+c1q8Fu3QgwIt62ohAlFwKR5PyWkDn5EyXCwan15F +SCpQ7nIU7Bcp/CCVfSJqxm+DoliOsWTIcyNUbGkdZh/f+E8koaiuAH/piUGm44gd +OuGzOu8pRTKblC63bB7+MUAT4b1SZ9DYwz4DhEhynb2KSKDycjW2A0vG6QUCAwEA +AaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAf4wHwYDVR0jBBgw +FoAUulLpSYMkhlIvx5nN/I1raQhNwFAwHQYDVR0OBBYEFI+yQmnDneQ8+hO5//LA +pO/YD+giMA0GCSqGSIb3DQEBCwUAA4IBAQBKeKJHfj8uTXhoqwZc/9oBBEWSICCI +89xOcAGby/MTYTQECRXQvpkcvvyX6S1z4bMrprk6QTPzgz1kG2SVv67NIN8Y4GKN ++pz32Kk8JSuOzxDlKbmvGn9iZHXnxv2bbXHAqbMPmrd6/lMEGM0EBtm/AQ7MBISE +UaPpBiqjJXNOjWIZEyVb3gvc0GkBykEKlhPPahH+K5o//VY9cz1YScJxgyAjbUaZ +bjeRn3YqnLBpP2SfBbs4yB7K2Gz9Vj6mhaJTgMZCtnnGQwvgbOqfz7AqLAFQw9gP +oH6hc6hchCdbyUtaE+lpJRxZEdIB3NrnyEQ0ouSZJbTDI7X4LUjljQZz +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 6 (0x6) + Signature Algorithm: sha256WithRSAEncryption + Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US + Validity + Not Before: Dec 23 05:21:16 2009 GMT + Not After : Dec 22 05:21:16 2014 GMT + 
Subject: O=ICANN, CN=ICANN EMAIL CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:d2:19:1e:22:69:33:f6:a4:d2:76:c5:80:11:75: + 8e:d0:e8:6f:bf:89:f8:2a:6a:da:8a:85:28:40:ba: + c5:23:5f:47:ed:72:e2:8e:d3:5c:c8:8a:3a:99:a9: + 57:2c:0a:2b:22:f3:54:7b:8b:f7:8c:21:a2:50:01: + 4f:8b:af:34:df:72:fc:78:31:d0:1d:eb:bc:9b:e6: + fa:c1:84:d0:05:07:8a:74:53:a5:60:9e:eb:75:9e: + a8:5d:32:c8:02:32:e4:bf:cb:97:9b:7a:fa:2c:f6: + 6a:1d:b8:57:ad:e3:03:22:93:d0:f4:4f:a8:b8:01: + db:82:33:98:b6:87:ed:3d:67:40:00:27:2e:d5:95: + d2:ad:36:46:14:c6:17:79:65:7f:65:f3:88:80:65: + 7c:22:67:08:23:3c:cf:a5:10:38:72:30:97:92:6f: + 20:4a:ba:24:4c:4a:c8:4a:a5:dc:2a:44:a1:29:78: + b4:9f:fe:84:ff:27:5b:3a:72:ea:31:c1:ad:06:22: + d6:44:a0:4a:57:32:9c:f2:46:47:d0:89:6e:20:23: + 2c:ea:b0:83:7e:c1:f3:ea:da:dd:e3:63:59:97:21: + fa:1b:11:39:27:cf:82:8b:56:15:d4:36:92:0c:a5: + 7e:80:e0:18:c9:50:08:42:0a:df:97:3c:9c:b8:0a: + 4d:b1 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign + X509v3 Authority Key Identifier: + keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 + + X509v3 Subject Key Identifier: + 7B:3F:BA:CE:A1:B3:A6:13:2E:5A:82:84:D4:D2:EA:A5:24:F1:CD:B4 + Signature Algorithm: sha256WithRSAEncryption + 50:07:a5:61:39:e4:3b:e3:bc:1c:b4:a7:b2:ab:a1:fb:47:bf: + b4:1c:32:ac:3c:46:b0:02:26:2f:16:3e:89:70:e2:87:e9:76: + 99:61:0b:91:c5:48:7a:e5:aa:24:0b:39:e0:4f:26:03:d4:5b: + 01:8a:4d:b6:98:cc:16:fa:e2:12:4a:88:b9:53:bb:50:2d:c7: + 37:b8:a3:82:2d:52:05:3e:46:a7:db:97:82:73:8d:7d:ed:dd: + 9e:37:73:68:6b:90:cd:62:d8:77:ff:32:53:bb:d3:a1:b9:cb: + 7d:32:29:70:fb:2e:90:4b:27:12:6d:99:a5:e6:d4:ef:13:32: + c1:2f:b5:ae:6e:11:0e:50:56:a4:56:5b:76:b0:c0:99:2e:5a: + 94:17:ee:2b:c1:b6:9c:8b:68:ac:55:95:31:8c:66:2b:35:43: + 
a5:13:04:1b:50:44:1c:55:7f:4c:d0:1a:50:80:53:45:a8:e3: + d3:a8:74:ad:7d:6a:d6:e9:9a:d3:25:7d:83:e2:57:64:1a:94: + 7e:bc:cb:ef:79:b5:54:6a:f1:b0:c3:81:26:90:e5:40:87:ed: + 75:7d:83:63:5b:ab:45:c0:34:04:27:e8:d8:12:26:7c:5e:c0: + 48:b6:33:7d:4b:db:23:8a:f7:13:24:bc:be:7b:74:cb:c4:ed: + ed:42:eb:2f +-----BEGIN CERTIFICATE----- +MIIDZDCCAkygAwIBAgIBBjANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO +TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV +BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA1MjExNloX +DTE0MTIyMjA1MjExNlowKTEOMAwGA1UEChMFSUNBTk4xFzAVBgNVBAMTDklDQU5O +IEVNQUlMIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0hkeImkz +9qTSdsWAEXWO0Ohvv4n4KmraioUoQLrFI19H7XLijtNcyIo6malXLAorIvNUe4v3 +jCGiUAFPi68033L8eDHQHeu8m+b6wYTQBQeKdFOlYJ7rdZ6oXTLIAjLkv8uXm3r6 +LPZqHbhXreMDIpPQ9E+ouAHbgjOYtoftPWdAACcu1ZXSrTZGFMYXeWV/ZfOIgGV8 +ImcIIzzPpRA4cjCXkm8gSrokTErISqXcKkShKXi0n/6E/ydbOnLqMcGtBiLWRKBK +VzKc8kZH0IluICMs6rCDfsHz6trd42NZlyH6GxE5J8+Ci1YV1DaSDKV+gOAYyVAI +QgrflzycuApNsQIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE +AwIB/jAfBgNVHSMEGDAWgBS6UulJgySGUi/Hmc38jWtpCE3AUDAdBgNVHQ4EFgQU +ez+6zqGzphMuWoKE1NLqpSTxzbQwDQYJKoZIhvcNAQELBQADggEBAFAHpWE55Dvj +vBy0p7KroftHv7QcMqw8RrACJi8WPolw4ofpdplhC5HFSHrlqiQLOeBPJgPUWwGK +TbaYzBb64hJKiLlTu1Atxze4o4ItUgU+Rqfbl4JzjX3t3Z43c2hrkM1i2Hf/MlO7 +06G5y30yKXD7LpBLJxJtmaXm1O8TMsEvta5uEQ5QVqRWW3awwJkuWpQX7ivBtpyL +aKxVlTGMZis1Q6UTBBtQRBxVf0zQGlCAU0Wo49OodK19atbpmtMlfYPiV2QalH68 +y+95tVRq8bDDgSaQ5UCH7XV9g2Nbq0XANAQn6NgSJnxewEi2M31L2yOK9xMkvL57 +dMvE7e1C6y8= +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: sha256WithRSAEncryption + Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US + Validity + Not Before: Dec 23 05:07:29 2009 GMT + Not After : Dec 22 05:07:29 2014 GMT + Subject: O=ICANN, CN=ICANN SSL CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 
00:dd:c6:ab:bf:7c:66:9d:b3:2b:96:00:14:c7:60: + 7a:8d:62:5b:26:4b:30:d7:b3:4c:82:69:c6:4d:4d: + 73:f3:d4:91:21:5d:ab:35:f0:c8:04:0e:f4:a3:35: + e2:e1:18:a9:98:12:03:58:f8:9f:eb:77:54:5b:89: + 81:26:c9:aa:c2:f4:c9:0c:82:57:2a:5e:05:e9:61: + 17:cc:19:18:71:eb:35:83:c1:86:9d:ec:f1:6b:ca: + dd:a1:96:0b:95:d4:e1:0f:9e:24:6f:dc:3c:d0:28: + 9e:f2:53:47:2b:a1:ad:32:03:c8:3f:0d:80:80:7d: + f0:02:d2:6e:5a:2c:44:21:9b:09:50:15:3f:a1:3d: + d3:c9:c8:24:e7:ea:4e:92:2f:94:90:2e:de:e7:68: + f6:c6:b3:90:1f:bc:c9:7b:a2:65:d7:11:e9:8b:f0: + 3a:5a:b7:17:07:df:69:e3:6e:b9:54:6a:8e:3a:aa: + 94:7f:2c:0a:a1:ad:ba:b7:d9:60:62:27:a7:71:40: + 3b:8e:b0:84:7b:b8:c8:67:ef:66:ba:3d:ac:c3:85: + e5:86:bb:a7:9c:fd:b6:e1:c0:10:53:3d:d4:7e:1b: + 09:e6:9f:22:5c:a7:27:09:7e:27:12:33:fa:df:9b: + 20:2f:14:f7:17:c0:e4:1e:07:91:1f:f9:9a:cd:a8: + e2:c5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign + X509v3 Authority Key Identifier: + keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 + + X509v3 Subject Key Identifier: + 6E:77:A8:40:10:4A:D8:9C:0C:F2:B7:5A:3A:A5:2F:79:4A:61:14:D8 + Signature Algorithm: sha256WithRSAEncryption + 18:42:62:df:aa:8e:44:e6:87:10:4d:d9:a6:b2:c3:97:37:43: + 2e:ce:f3:e0:3c:c2:2f:e1:78:60:41:a9:2b:5d:f4:24:f5:f6: + 57:a2:08:ec:9c:89:e5:54:50:a8:30:c6:20:e5:8a:c7:8b:bd: + fd:98:b6:0c:7d:1a:1f:01:a1:4a:4e:ec:0d:2a:aa:9f:fd:a9: + 20:0d:b3:5c:0f:36:c0:2c:2b:c6:75:22:29:66:a3:34:bd:93: + 3d:f6:28:da:90:d5:7e:91:df:d3:06:f6:69:8b:80:9b:a5:34: + af:6a:02:5b:e4:52:7d:56:4d:99:6e:fe:e9:d0:36:99:58:d9: + af:cd:79:9b:e5:d2:4c:35:90:d3:e0:68:b2:88:2b:18:39:2e: + bc:0b:d9:82:84:7f:24:12:92:d2:b9:13:4f:64:bc:46:e1:5c: + 6a:ed:f7:b0:d4:66:27:25:21:86:b4:3a:5e:19:a3:c7:8b:4b: + 93:b9:2e:37:e2:6d:8b:46:ee:68:39:21:75:e8:fe:2a:a7:85: + fd:68:26:96:bd:dd:f9:f1:fe:99:5f:b4:a4:97:1b:50:18:fa: + 
21:90:54:0c:8b:30:28:94:70:19:34:9e:5c:e1:e5:48:93:af: + aa:a3:b4:95:b2:f5:4c:97:50:44:58:97:e1:ff:e7:b2:10:dd: + 2c:fe:c0:ed +-----BEGIN CERTIFICATE----- +MIIDYjCCAkqgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO +TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV +BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA1MDcyOVoX +DTE0MTIyMjA1MDcyOVowJzEOMAwGA1UEChMFSUNBTk4xFTATBgNVBAMTDElDQU5O +IFNTTCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN3Gq798Zp2z +K5YAFMdgeo1iWyZLMNezTIJpxk1Nc/PUkSFdqzXwyAQO9KM14uEYqZgSA1j4n+t3 +VFuJgSbJqsL0yQyCVypeBelhF8wZGHHrNYPBhp3s8WvK3aGWC5XU4Q+eJG/cPNAo +nvJTRyuhrTIDyD8NgIB98ALSblosRCGbCVAVP6E908nIJOfqTpIvlJAu3udo9saz +kB+8yXuiZdcR6YvwOlq3FwffaeNuuVRqjjqqlH8sCqGturfZYGInp3FAO46whHu4 +yGfvZro9rMOF5Ya7p5z9tuHAEFM91H4bCeafIlynJwl+JxIz+t+bIC8U9xfA5B4H +kR/5ms2o4sUCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC +Af4wHwYDVR0jBBgwFoAUulLpSYMkhlIvx5nN/I1raQhNwFAwHQYDVR0OBBYEFG53 +qEAQSticDPK3WjqlL3lKYRTYMA0GCSqGSIb3DQEBCwUAA4IBAQAYQmLfqo5E5ocQ +TdmmssOXN0MuzvPgPMIv4XhgQakrXfQk9fZXogjsnInlVFCoMMYg5YrHi739mLYM +fRofAaFKTuwNKqqf/akgDbNcDzbALCvGdSIpZqM0vZM99ijakNV+kd/TBvZpi4Cb +pTSvagJb5FJ9Vk2Zbv7p0DaZWNmvzXmb5dJMNZDT4GiyiCsYOS68C9mChH8kEpLS +uRNPZLxG4Vxq7few1GYnJSGGtDpeGaPHi0uTuS434m2LRu5oOSF16P4qp4X9aCaW +vd358f6ZX7SklxtQGPohkFQMizAolHAZNJ5c4eVIk6+qo7SVsvVMl1BEWJfh/+ey +EN0s/sDt +-----END CERTIFICATE----- diff --git a/unbound/root.anchor b/unbound/root.anchor new file mode 100644 index 000000000..18367f864 --- /dev/null +++ b/unbound/root.anchor @@ -0,0 +1 @@ +. 98799 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} 
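Review bot: Three of the four certificates in icannbundle.pem (ICANN DNSSEC CA, ICANN EMAIL CA and ICANN SSL CA) show `Not After : Dec 22 … 2014 GMT`, which is before this commit's date of October 2015; only the ICANN Root CA (valid to 2029) is current. The bundle is what the unit files in this patch pass to `unbound-anchor -c /etc/unbound/icannbundle.pem`, so it is the trust store for the root-anchor bootstrap. Expired intermediates either cannot contribute to a valid chain or, if validity periods are not enforced, are trusted past their lifetime. The EMAIL and SSL CAs also look unrelated to signing the root anchor and only widen that store. I would refresh the bundle from its publisher, keep only the certificates the anchor check needs, and record the source URL and a digest of the file in the package.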
diff --git a/unbound/root.key b/unbound/root.key
new file mode 100644
index 000000000..e340ed08f
--- /dev/null
+++ b/unbound/root.key
@@ -0,0 +1,6 @@
+; // The root key in bind format. This can be read by most tools, including
+; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this
+trusted-keys {
+"." 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="; // key id = 19036
+
+};
diff --git a/unbound/systemd/unbound-anchor.service b/unbound/systemd/unbound-anchor.service
new file mode 100644
index 000000000..26656b36b
--- /dev/null
+++ b/unbound/systemd/unbound-anchor.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=update of the root trust anchor for DNSSEC validation in unbound
+Documentation=man:unbound-anchor(8)
+
+[Service]
+Type=oneshot
+User=unbound
+ExecStart=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
+SuccessExitStatus=1
diff --git a/unbound/systemd/unbound-anchor.timer b/unbound/systemd/unbound-anchor.timer
new file mode 100644
index 000000000..a87bf5c84
--- /dev/null
+++ b/unbound/systemd/unbound-anchor.timer
@@ -0,0 +1,14 @@
+[Unit]
+Description=daily update of the root trust anchor for DNSSEC
+Documentation=man:unbound-anchor(8)
+
+[Timer]
+# Current DNSKEY TTL in root zone is 172800 seconds, i.e. 172800/60/60/24 = 2 days.
+# It means that unboud-anchor should be run at least once a day.
+OnCalendar=daily
+Persistent=true
+AccuracySec=24h
+
+[Install]
+WantedBy=timers.target
+
diff --git a/unbound/systemd/unbound-keygen.service b/unbound/systemd/unbound-keygen.service
new file mode 100644
index 000000000..576408a5c
--- /dev/null
+++ b/unbound/systemd/unbound-keygen.service
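Review bot: unbound-anchor.service drops to `User=unbound` but sets no sandboxing in `[Service]`, although the helper talks to the network and parses what it receives before rewriting the trust anchor. Since it only needs to write `/var/lib/unbound/root.key`, I would add `NoNewPrivileges=yes`, `PrivateTmp=yes` and `ProtectSystem=full`. `SuccessExitStatus=1` also deserves a comment, because per unbound-anchor(8) exit status 1 means the anchor was replaced via the certificate or built-in fallback, while errors are reported as 0. Something like `# 1 = anchor was re-bootstrapped from the certificate, not a failure` would do. The consequence is that this unit never goes to failed state, so a stale anchor has to be detected some other way, for example by monitoring the mtime of root.key.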
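Review bot: In unbound-anchor.timer, `AccuracySec=24h` lets systemd postpone each `OnCalendar=daily` trigger by up to a day, so two consecutive runs can end up almost 48 hours apart. That is the 2-day DNSKEY TTL the comment cites as the reason to run at least daily, so the setting removes the margin the comment asks for. A tighter window such as `AccuracySec=1h` keeps the coalescing benefit without that risk. The comment also misspells the tool name; it should read `# It means that unbound-anchor should be run at least once a day.`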
@@ -0,0 +1,14 @@
+[Unit]
+Description=Unbound Control Key And Certificate Generator
+After=syslog.target
+Before=unbound.service
+ConditionPathExists=!/etc/unbound/unbound_control.key
+
+[Service]
+Type=oneshot
+Group=unbound
+ExecStart=/usr/sbin/unbound-control-setup -d /etc/unbound/
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/unbound/systemd/unbound.service b/unbound/systemd/unbound.service
new file mode 100644
index 000000000..d22538961
--- /dev/null
+++ b/unbound/systemd/unbound.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=Unbound recursive Domain Name Server
+After=network.target
+After=unbound-keygen.service
+Wants=unbound-keygen.service
+Wants=unbound-anchor.timer
+Before=nss-lookup.target
+Wants=nss-lookup.target
+
+[Service]
+Type=simple
+ExecStartPre=/usr/sbin/unbound-checkconf
+ExecStartPre=-/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
+ExecStart=/usr/sbin/unbound -d
+ExecReload=/usr/sbin/unbound-control reload
+
+[Install]
+WantedBy=multi-user.target
diff --git a/unbound/unbound.conf b/unbound/unbound.conf
new file mode 100644
index 000000000..4a97148b4
--- /dev/null
+++ b/unbound/unbound.conf
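Review bot: In unbound-keygen.service, `ConditionPathExists=!/etc/unbound/unbound_control.key` tests only one of the key and certificate files that unbound-control-setup writes. If the server key or either certificate is missing while the control key is present, generation is skipped and the control channel is left with an incomplete key set. Using triggering conditions covers both private keys: `ConditionPathExists=|!/etc/unbound/unbound_control.key` plus `ConditionPathExists=|!/etc/unbound/unbound_server.key`. The unit has no `User=`, so it runs as root with `Group=unbound`, which presumably makes the generated private keys group-readable by the daemon account. A comment should state the intended owner and mode, e.g. `# keys end up root:unbound 0640 so the daemon can read them after dropping privileges`, once that is confirmed against the setup script.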
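Review bot: In unbound.service, the `ExecStartPre=-/usr/sbin/unbound-anchor …` line runs the anchor updater as root, because the unit has no `User=`, whereas unbound-anchor.service in the same patch runs the identical command as `User=unbound`. That puts the network-facing fetch and parse in a root process on every start. It may also leave `/var/lib/unbound/root.key` owned by root, so the timer-driven update and the daemon itself (which drops to `username: "unbound"` per unbound.conf) can no longer rewrite it. I would remove that `ExecStartPre` and reuse the unprivileged unit instead, with `Wants=unbound-anchor.service` and `After=unbound-anchor.service` in `[Unit]`.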
@@ -0,0 +1,655 @@ +# +# See unbound.conf(5) man page. +# +# this is a comment. + +#Use this to include other text into the file. +#include: "otherfile.conf" + +# The server clause sets the main parameters. +server: + # whitespace is not necessary, but looks cleaner. + + # verbosity number, 0 is least verbose. 1 is default. + verbosity: 1 + + # print statistics to the log (for every thread) every N seconds. + # Set to "" or 0 to disable. Default is disabled. + # Needed for munin plugin + statistics-interval: 0 + + # enable cumulative statistics, without clearing them after printing. + # Needed for munin plugin + statistics-cumulative: yes + + # enable extended statistics (query types, answer codes, status) + # printed from unbound-control. default off, because of speed. + # Needed for munin plugin + extended-statistics: yes + + # number of threads to create. 1 disables threading. + num-threads: 2 + + # specify the interfaces to answer queries from by ip-address. + # The default is to listen to localhost (127.0.0.1 and ::1). + # specify 0.0.0.0 and ::0 to bind to all available interfaces. + # specify every interface on a new 'interface:' labelled line. + # The listen interfaces are not changed on reload, only on restart. + # interface: 0.0.0.0 + # interface: ::0 + # interface: 192.0.2.153 + # interface: 192.0.2.154 + # interface: 2001:DB8::5 + # + # for dns over tls and raw dns over port 80 + # interface: 0.0.0.0@443 + # interface: ::0@443 + # interface: 0.0.0.0@80 + # interface: ::0@80 + + # enable this feature to copy the source address of queries to reply. + # Socket options are not supported on all platforms. experimental. 
+ # interface-automatic: yes + # + # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0 + # NOTE: Disabled per Fedora policy not to listen to * on default install + # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled + interface-automatic: no + + # port to answer queries from + # port: 53 + + # specify the interfaces to send outgoing queries to authoritative + # server from by ip-address. If none, the default (all) interface + # is used. Specify every interface on a 'outgoing-interface:' line. + # outgoing-interface: 192.0.2.153 + # outgoing-interface: 2001:DB8::5 + # outgoing-interface: 2001:DB8::6 + + # number of ports to allocate per thread, determines the size of the + # port range that can be open simultaneously. About double the + # num-queries-per-thread, or, use as many as the OS will allow you. + # outgoing-range: 4096 + + # permit unbound to use this port number or port range for + # making outgoing queries, using an outgoing interface. + # Only ephemeral ports are allowed by SElinux + outgoing-port-permit: 32768-65535 + + # deny unbound the use this of port number or port range for + # making outgoing queries, using an outgoing interface. + # Use this to make sure unbound does not grab a UDP port that some + # other server on this computer needs. The default is to avoid + # IANA-assigned port numbers. + # Our SElinux policy does not allow non-ephemeral ports to be used + outgoing-port-avoid: 0-32767 + + # number of outgoing simultaneous tcp buffers to hold per thread. + # outgoing-num-tcp: 10 + + # number of incoming simultaneous tcp buffers to hold per thread. + # incoming-num-tcp: 10 + + # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). + # 0 is system default. Use 4m to catch query spikes for busy servers. + # so-rcvbuf: 0 + + # buffer size for UDP port 53 outgoing (SO_SNDBUF socket option). + # 0 is system default. Use 4m to handle spikes on very busy servers. 
+ # so-sndbuf: 0 + + # use SO_REUSEPORT to distribute queries over threads. + # so-reuseport: no + + # EDNS reassembly buffer to advertise to UDP peers (the actual buffer + # is set with msg-buffer-size). 1480 can solve fragmentation (timeouts). + # edns-buffer-size: 4096 + + # Maximum UDP response size (not applied to TCP response). + # Suggested values are 512 to 4096. Default is 4096. 65536 disables it. + # 3072 causes +dnssec any isc.org queries to need TC=1. Helps mitigating DDOS + max-udp-size: 3072 + + # buffer size for handling DNS data. No messages larger than this + # size can be sent or received, by UDP or TCP. In bytes. + # msg-buffer-size: 65552 + + # the amount of memory to use for the message cache. + # plain value in bytes or you can append k, m or G. default is "4Mb". + # msg-cache-size: 4m + + # the number of slabs to use for the message cache. + # the number of slabs must be a power of 2. + # more slabs reduce lock contention, but fragment memory usage. + # msg-cache-slabs: 4 + + # the number of queries that a thread gets to service. + # num-queries-per-thread: 1024 + + # if very busy, 50% queries run to completion, 50% get timeout in msec + # jostle-timeout: 200 + + # msec to wait before close of port on timeout UDP. 0 disables. + # delay-close: 0 + + # the amount of memory to use for the RRset cache. + # plain value in bytes or you can append k, m or G. default is "4Mb". + # rrset-cache-size: 4m + + # the number of slabs to use for the RRset cache. + # the number of slabs must be a power of 2. + # more slabs reduce lock contention, but fragment memory usage. + # rrset-cache-slabs: 4 + + # the time to live (TTL) value lower bound, in seconds. Default 0. + # If more than an hour could easily give trouble due to stale data. + # cache-min-ttl: 0 + + # the time to live (TTL) value cap for RRsets and messages in the + # cache. Items are not cached for longer. In seconds. 
+ # cache-max-ttl: 86400 + + # the time to live (TTL) value cap for negative responses in the cache + # cache-max-negative-ttl: 3600 + + # the time to live (TTL) value for cached roundtrip times, lameness and + # EDNS version information for hosts. In seconds. + # infra-host-ttl: 900 + + # minimum wait time for responses, increase if uplink is long. In msec. + # infra-cache-min-rtt: 50 + + # the number of slabs to use for the Infrastructure cache. + # the number of slabs must be a power of 2. + # more slabs reduce lock contention, but fragment memory usage. + # infra-cache-slabs: 4 + + # the maximum number of hosts that are cached (roundtrip, EDNS, lame). + # infra-cache-numhosts: 10000 + + # Enable IPv4, "yes" or "no". + # do-ip4: yes + + # Enable IPv6, "yes" or "no". + # do-ip6: yes + + # Enable UDP, "yes" or "no". + # NOTE: if setting up an unbound on tls443 for public use, you might want to + # disable UDP to avoid being used in DNS amplification attacks. + # do-udp: yes + + # Enable TCP, "yes" or "no". + # do-tcp: yes + + # upstream connections use TCP only (and no UDP), "yes" or "no" + # useful for tunneling scenarios, default no. + # tcp-upstream: no + + # Detach from the terminal, run in background, "yes" or "no". + # do-daemonize: yes + + # control which clients are allowed to make (recursive) queries + # to this server. Specify classless netblocks with /size and action. + # By default everything is refused, except for localhost. + # Choose deny (drop message), refuse (polite error reply), + # allow (recursive ok), allow_snoop (recursive and nonrecursive ok) + # deny_non_local (drop queries unless can be answered from local-data) + # refuse_non_local (like deny_non_local but polite error reply). + # access-control: 0.0.0.0/0 refuse + # access-control: 127.0.0.0/8 allow + # access-control: ::0/0 refuse + # access-control: ::1 allow + # access-control: ::ffff:127.0.0.1 allow + + # if given, a chroot(2) is done to the given directory. + # i.e. 
you can chroot to the working directory, for example, + # for extra security, but make sure all files are in that directory. + # + # If chroot is enabled, you should pass the configfile (from the + # commandline) as a full path from the original root. After the + # chroot has been performed the now defunct portion of the config + # file path is removed to be able to reread the config after a reload. + # + # All other file paths (working dir, logfile, roothints, and + # key files) can be specified in several ways: + # o as an absolute path relative to the new root. + # o as a relative path to the working directory. + # o as an absolute path relative to the original root. + # In the last case the path is adjusted to remove the unused portion. + # + # The pid file can be absolute and outside of the chroot, it is + # written just prior to performing the chroot and dropping permissions. + # + # Additionally, unbound may need to access /dev/random (for entropy). + # How to do this is specific to your OS. + # + # If you give "" no chroot is performed. The path must not end in a /. + # chroot: "/var/lib/unbound" + chroot: "" + + # if given, user privileges are dropped (after binding port), + # and the given username is assumed. Default is user "unbound". + # If you give "" no privileges are dropped. + username: "unbound" + + # the working directory. The relative files in this config are + # relative to this directory. If you give "" the working directory + # is not changed. + directory: "/etc/unbound" + + # the log file, "" means log to stderr. + # Use of this option sets use-syslog to "no". + # logfile: "" + + # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to + # log to, with identity "unbound". If yes, it overrides the logfile. + # use-syslog: yes + + # print UTC timestamp in ascii to logfile, default is epoch in seconds. + log-time-ascii: yes + + # print one line with time, IP, name, type, class for every query. + # log-queries: no + + # the pid file. 
Can be an absolute path outside of chroot/work dir. + pidfile: "/var/run/unbound/unbound.pid" + + # file to read root hints from. + # get one from ftp://FTP.INTERNIC.NET/domain/named.cache + # root-hints: "" + + # enable to not answer id.server and hostname.bind queries. + # hide-identity: no + + # enable to not answer version.server and version.bind queries. + # hide-version: no + + # the identity to report. Leave "" or default to return hostname. + # identity: "" + + # the version to report. Leave "" or default to return package version. + # version: "" + + # the target fetch policy. + # series of integers describing the policy per dependency depth. + # The number of values in the list determines the maximum dependency + # depth the recursor will pursue before giving up. Each integer means: + # -1 : fetch all targets opportunistically, + # 0: fetch on demand, + # positive value: fetch that many targets opportunistically. + # Enclose the list of numbers between quotes (""). + # target-fetch-policy: "3 2 1 0 0" + + # Harden against very small EDNS buffer sizes. + # harden-short-bufsize: no + + # Harden against unseemly large queries. + # harden-large-queries: no + + # Harden against out of zone rrsets, to avoid spoofing attempts. + harden-glue: yes + + # Harden against receiving dnssec-stripped data. If you turn it + # off, failing to validate dnskey data for a trustanchor will + # trigger insecure mode for that zone (like without a trustanchor). + # Default on, which insists on dnssec data for trust-anchored zones. + harden-dnssec-stripped: yes + + # Harden against queries that fall under dnssec-signed nxdomain names. + harden-below-nxdomain: yes + + # Harden the referral path by performing additional queries for + # infrastructure data. Validates the replies (if possible). + # Default off, because the lookups burden the server. Experimental + # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. 
+ harden-referral-path: yes + + # Use 0x20-encoded random bits in the query to foil spoof attempts. + # This feature is an experimental implementation of draft dns-0x20. + # (this now fails on all GoDaddy customer domains, so disabled) + use-caps-for-id: no + + # Enforce privacy of these addresses. Strips them away from answers. + # It may cause DNSSEC validation to additionally mark it as bogus. + # Protects against 'DNS Rebinding' (uses browser as network proxy). + # Only 'private-domain' and 'local-data' names are allowed to have + # these private addresses. No default. + # private-address: 10.0.0.0/8 + # private-address: 172.16.0.0/12 + # private-address: 192.168.0.0/16 + # private-address: 169.254.0.0/16 + # private-address: fd00::/8 + # private-address: fe80::/10 + + # Allow the domain (and its subdomains) to contain private addresses. + # local-data statements are allowed to contain private addresses too. + # private-domain: "example.com" + + # If nonzero, unwanted replies are not only reported in statistics, + # but also a running total is kept per thread. If it reaches the + # threshold, a warning is printed and a defensive action is taken, + # the cache is cleared to flush potential poison out of it. + # A suggested value is 10000000, the default is 0 (turned off). + unwanted-reply-threshold: 10000000 + + # Do not query the following addresses. No DNS queries are sent there. + # List one address per entry. List classless netblocks with /size, + # do-not-query-address: 127.0.0.1/8 + # do-not-query-address: ::1 + + # if yes, the above default do-not-query-address entries are present. + # if no, localhost can be queried (for testing and debugging). + # do-not-query-localhost: yes + + # if yes, perform prefetching of almost expired message cache entries. + prefetch: yes + + # if yes, perform key lookups adjacent to normal lookups. + prefetch-key: yes + + # if yes, Unbound rotates RRSet order in response. 
+ rrset-roundrobin: yes + + # if yes, Unbound doesn't insert authority/additional sections + # into response messages when those sections are not required. + minimal-responses: yes + + # module configuration of the server. A string with identifiers + # separated by spaces. "iterator" or "validator iterator" + # module-config: "validator iterator" + + # File with trusted keys, kept uptodate using RFC5011 probes, + # initial file like trust-anchor-file, then it stores metadata. + # Use several entries, one per domain name, to track multiple zones. + # + # If you want to perform DNSSEC validation, run unbound-anchor before + # you start unbound (i.e. in the system boot scripts). And enable: + # Please note usage of unbound-anchor root anchor is at your own risk + # and under the terms of our LICENSE (see that file in the source). + # auto-trust-anchor-file: "/var/lib/unbound/root.key" + + # File with DLV trusted keys. Same format as trust-anchor-file. + # There can be only one DLV configured, it is trusted from root down. + # Downloaded from https://secure.isc.org/ops/dlv/dlv.isc.org.key + # + # ISC's DLV registry is being deprecated in the near future, therefore + # it is not used in the default configuration. The use of ISC's DLV + # registry is discouraged. + # dlv-anchor-file: "/etc/unbound/dlv.isc.org.key" + + # File with trusted keys for validation. Specify more than one file + # with several entries, one file per entry. + # Zone file format, with DS and DNSKEY entries. + # trust-anchor-file: "" + + # File with trusted keys, kept uptodate using RFC5011 probes, + # initial file like trust-anchor-file, then it stores metadata. + # Use several entries, one per domain name, to track multiple zones. + # auto-trust-anchor-file: "" + + # Trusted key for validation. DS or DNSKEY. specify the RR on a + # single line, surrounded by "". TTL is ignored. class is IN default. + # (These examples are from August 2007 and may not be valid anymore). 
+ # trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ==" + # trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A" + + # File with trusted keys for validation. Specify more than one file + # with several entries, one file per entry. Like trust-anchor-file + # but has a different file format. Format is BIND-9 style format, + # the trusted-keys { name flag proto algo "key"; }; clauses are read. + # trusted-keys-file: "" + # + # trusted-keys-file: /etc/unbound/rootkey.bind + trusted-keys-file: /etc/unbound/keys.d/*.key + auto-trust-anchor-file: "/var/lib/unbound/root.key" + + # Ignore chain of trust. Domain is treated as insecure. + # domain-insecure: "example.com" + + # Override the date for validation with a specific fixed date. + # Do not set this unless you are debugging signature inception + # and expiration. "" or "0" turns the feature off. + # val-override-date: "" + + # The time to live for bogus data, rrsets and messages. This avoids + # some of the revalidation, until the time interval expires. in secs. + # val-bogus-ttl: 60 + + # The signature inception and expiration dates are allowed to be off + # by 10% of the lifetime of the signature from our local clock. + # This leeway is capped with a minimum and a maximum. In seconds. + # val-sig-skew-min: 3600 + # val-sig-skew-max: 86400 + + # Should additional section of secure message also be kept clean of + # unsecure data. Useful to shield the users of this validator from + # potential bogus data in the additional section. All unsigned data + # in the additional section is removed from secure messages. + val-clean-additional: yes + + # Turn permissive mode on to permit bogus messages. Thus, messages + # for which security checks failed will be returned to clients, + # instead of SERVFAIL. 
It still performs the security checks, which + # result in interesting log files and possibly the AD bit in + # replies if the message is found secure. The default is off. + # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY + val-permissive-mode: no + + # Ignore the CD flag in incoming queries and refuse them bogus data. + # Enable it if the only clients of unbound are legacy servers (w2008) + # that set CD but cannot validate themselves. + # ignore-cd-flag: no + + # Have the validator log failed validations for your diagnosis. + # 0: off. 1: A line per failed user query. 2: With reason and bad IP. + val-log-level: 1 + + # It is possible to configure NSEC3 maximum iteration counts per + # keysize. Keep this table very short, as linear search is done. + # A message with an NSEC3 with larger count is marked insecure. + # List in ascending order the keysize and count values. + # val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500" + + # instruct the auto-trust-anchor-file probing to add anchors after ttl. + # add-holddown: 2592000 # 30 days + + # instruct the auto-trust-anchor-file probing to del anchors after ttl. + # del-holddown: 2592000 # 30 days + + # auto-trust-anchor-file probing removes missing anchors after ttl. + # If the value 0 is given, missing anchors are not removed. + # keep-missing: 31622400 # 366 days + + # the amount of memory to use for the key cache. + # plain value in bytes or you can append k, m or G. default is "4Mb". + # key-cache-size: 4m + + # the number of slabs to use for the key cache. + # the number of slabs must be a power of 2. + # more slabs reduce lock contention, but fragment memory usage. + # key-cache-slabs: 4 + + # the amount of memory to use for the negative cache (used for DLV). + # plain value in bytes or you can append k, m or G. default is "1Mb". + # neg-cache-size: 1m + + # By default, for a number of zones a small default 'nothing here' + # reply is built-in. Query traffic is thus blocked. 
If you + # wish to serve such zone you can unblock them by uncommenting one + # of the nodefault statements below. + # You may also have to use domain-insecure: zone to make DNSSEC work, + # unless you have your own trust anchors for this zone. + # local-zone: "localhost." nodefault + # local-zone: "127.in-addr.arpa." nodefault + # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault + # local-zone: "10.in-addr.arpa." nodefault + # local-zone: "16.172.in-addr.arpa." nodefault + # local-zone: "17.172.in-addr.arpa." nodefault + # local-zone: "18.172.in-addr.arpa." nodefault + # local-zone: "19.172.in-addr.arpa." nodefault + # local-zone: "20.172.in-addr.arpa." nodefault + # local-zone: "21.172.in-addr.arpa." nodefault + # local-zone: "22.172.in-addr.arpa." nodefault + # local-zone: "23.172.in-addr.arpa." nodefault + # local-zone: "24.172.in-addr.arpa." nodefault + # local-zone: "25.172.in-addr.arpa." nodefault + # local-zone: "26.172.in-addr.arpa." nodefault + # local-zone: "27.172.in-addr.arpa." nodefault + # local-zone: "28.172.in-addr.arpa." nodefault + # local-zone: "29.172.in-addr.arpa." nodefault + # local-zone: "30.172.in-addr.arpa." nodefault + # local-zone: "31.172.in-addr.arpa." nodefault + # local-zone: "168.192.in-addr.arpa." nodefault + # local-zone: "0.in-addr.arpa." nodefault + # local-zone: "254.169.in-addr.arpa." nodefault + # local-zone: "2.0.192.in-addr.arpa." nodefault + # local-zone: "100.51.198.in-addr.arpa." nodefault + # local-zone: "113.0.203.in-addr.arpa." nodefault + # local-zone: "255.255.255.255.in-addr.arpa." nodefault + # local-zone: "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault + # local-zone: "d.f.ip6.arpa." nodefault + # local-zone: "8.e.f.ip6.arpa." nodefault + # local-zone: "9.e.f.ip6.arpa." nodefault + # local-zone: "a.e.f.ip6.arpa." nodefault + # local-zone: "b.e.f.ip6.arpa." nodefault + # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." 
nodefault + # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa. + + # if unbound is running service for the local host then it is useful + # to perform lan-wide lookups to the upstream, and unblock the + # long list of local-zones above. If this unbound is a dns server + # for a network of computers, disabled is better and stops information + # leakage of local lan information. + # unblock-lan-zones: no + + # a number of locally served zones can be configured. + # local-zone: + # local-data: "" + # o deny serves local data (if any), else, drops queries. + # o refuse serves local data (if any), else, replies with error. + # o static serves local data, else, nxdomain or nodata answer. + # o transparent gives local data, but resolves normally for other names + # o redirect serves the zone data for any subdomain in the zone. + # o nodefault can be used to normally resolve AS112 zones. + # o typetransparent resolves normally for other types and other names + # o inform resolves normally, but logs client IP address + # + # defaults are localhost address, reverse for 127.0.0.1 and ::1 + # and nxdomain for AS112 zones. If you configure one of these zones + # the default content is omitted, or you can omit it with 'nodefault'. + # + # If you configure local-data without specifying local-zone, by + # default a transparent local-zone is created for the data. + # + # You can add locally served data with + # local-zone: "local." static + # local-data: "mycomputer.local. IN A 192.0.2.51" + # local-data: 'mytext.local TXT "content of text record"' + # + # You can override certain queries with + # local-data: "adserver.example.com A 127.0.0.1" + # + # You can redirect a domain to a fixed address with + # (this makes example.com, www.example.com, etc, all go to 192.0.2.3) + # local-zone: "example.com" redirect + # local-data: "example.com A 192.0.2.3" + # + # Shorthand to make PTR records, "IPv4 name" or "IPv6 name". 
+ # You can also add PTR records using local-data directly, but then + # you need to do the reverse notation yourself. + # local-data-ptr: "192.0.2.3 www.example.com" + + include: /etc/unbound/local.d/*.conf + + # service clients over SSL (on the TCP sockets), with plain DNS inside + # the SSL stream. Give the certificate to use and private key. + # default is "" (disabled). requires restart to take effect. + # ssl-service-key: "/etc/unbound/unbound_server.key" + # ssl-service-pem: "/etc/unbound/unbound_server.pem" + # ssl-port: 443 + + # request upstream over SSL (with plain DNS inside the SSL stream). + # Default is no. Can be turned on and off with unbound-control. + # ssl-upstream: no + + # DNS64 prefix. Must be specified when DNS64 is use. + # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4. + # dns64-prefix: 64:ff9b::0/96 + +# Python config section. To enable: +# o use --with-pythonmodule to configure before compiling. +# o list python in the module-config string (above) to enable. +# o and give a python-script to run. +python: + # Script file to load + # python-script: "/etc/unbound/ubmodule-tst.py" + +# Remote control config section. +remote-control: + # Enable remote control with unbound-control(8) here. + # set up the keys and certificates with unbound-control-setup. + # Note: required for unbound-munin package + control-enable: yes + + # Set to no and use an absolute path as control-interface to use + # a unix local named pipe for unbound-control. + # control-use-cert: yes + + # what interfaces are listened to for remote control. + # give 0.0.0.0 and ::0 to listen to all interfaces. + # control-interface: 127.0.0.1 + # control-interface: ::1 + + # port number for remote control operations. + # control-port: 953 + + # unbound server key file. + server-key-file: "/etc/unbound/unbound_server.key" + + # unbound server certificate file. + server-cert-file: "/etc/unbound/unbound_server.pem" + + # unbound-control key file. 
+ control-key-file: "/etc/unbound/unbound_control.key" + + # unbound-control certificate file. + control-cert-file: "/etc/unbound/unbound_control.pem" + +# Stub and Forward zones + +include: /etc/unbound/conf.d/*.conf + +# Stub zones. +# Create entries like below, to make all queries for 'example.com' and +# 'example.org' go to the given list of nameservers. list zero or more +# nameservers by hostname or by ipaddress. If you set stub-prime to yes, +# the list is treated as priming hints (default is no). +# stub-zone: +# name: "example.com" +# stub-addr: 192.0.2.68 +# stub-prime: "no" +# stub-zone: +# name: "example.org" +# stub-host: ns.example.com. +# You can now also dynamically create and delete stub-zone's using +# unbound-control stub_add domain.com 1.2.3.4 5.6.7.8 +# unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8 + +# Forward zones +# Create entries like below, to make all queries for 'example.com' and +# 'example.org' go to the given list of servers. These servers have to handle +# recursion to other nameservers. List zero or more nameservers by hostname +# or by ipaddress. Use an entry with name "." to forward all queries. +# If you enable forward-first, it attempts without the forward if it fails. +# forward-zone: +# name: "example.com" +# forward-addr: 192.0.2.68 +# forward-addr: 192.0.2.73@5355 # forward to port 5355. +# forward-first: no +# forward-zone: +# name: "example.org" +# forward-host: fwd.example.com +# +# You can now also dynamically create and delete forward-zone's using +# unbound-control forward_add domain.com 1.2.3.4 5.6.7.8 +# unbound-control forward_remove domain.com 1.2.3.4 5.6.7.8 diff --git a/unbound/unbound.nm b/unbound/unbound.nm new file mode 100644 index 000000000..c8a0d0966 --- /dev/null +++ b/unbound/unbound.nm 
@@ -0,0 +1,162 @@
+###############################################################################
+# IPFire.org - An Open Source Firewall Solution #
+# Copyright (C) - IPFire Development Team #
+###############################################################################
+
+name = unbound
+version = 1.5.5
+release = 1
+
+groups = System/Daemons
+url = http://www.nlnetlabs.nl/unbound/
+license = BSD
+summary = A validating, recursive, and caching DNS(SEC) resolver.
+
+description
+ Unbound is a validating, recursive, and caching DNS(SEC) resolver.
+ The C implementation of Unbound is developed and maintained by NLnet
+ Labs and is based on ideas and algorithms taken from a java prototype
+ developed by Verisign labs, Nominet, Kirei and ep.net. Unbound is
+ designed as a set of modular components, so that also
+ DNSSEC (secure DNS) validation and stub-resolvers are easily possible.
+end
+
+source_dl = http://www.unbound.net/downloads/
+
+build
+ requires
+ expat-devel
+ libevent-devel
+ openssl-devel >= 1.0.1h-2
+ python3-devel >= 3.4
+ swig
+ end
+
+ configure_options += \
+ --with-conf-file=%{sysconfdir}/%{name}/unbound.conf \
+ --with-pidfile=%{localstatedir}/run/%{name}/%{name}.pid \
+ --with-rootkey-file=%{sharedstatedir}/unbound/root.key \
+ --with-libevent \
+ --with-pthreads \
+ --disable-rpath \
+ --disable-static \
+ --with-ssl \
+ --enable-sha2 \
+ --with-pythonmodule \
+ --with-pyunbound PYTHON=%{python3}
+
+ prepare_cmds
+ %{create_user}
+ end
+
+ test
+ make check
+ end
+
+ install_cmds
+ # Create directories.
+ mkdir -pv %{BUILDROOT}%{localstatedir}/run/%{name}
+ mkdir -pv %{BUILDROOT}%{sharedstatedir}/%{name}
+
+ # Directory for user specified and additional config files.
+ mkdir -pv %{BUILDROOT}%{sysconfdir}/%{name}/conf.d/
+
+ # Directory for stub and forward zones.
+ mkdir -pv %{BUILDROOT}%{sysconfdir}/%{name}/local.d/
+
+ # Directory for trusted-keys-file.
+ mkdir -pv %{BUILDROOT}%{sysconfdir}/%{name}/keys.d/
+
+ # Install unbound config file.
+ install -p -m 0664 %{DIR_SOURCE}/%{name}.conf \
+ %{BUILDROOT}%{sysconfdir}/%{name}/
+
+ # Install pem file for icannbundle.
+ install -p -m 0664 %{DIR_SOURCE}/icannbundle.pem \
+ %{BUILDROOT}%{sysconfdir}/%{name}/
+
+ # Install root and DLV keys.
+ install -p -m 0644 %{DIR_SOURCE}/root.key \
+ %{BUILDROOT}%{sysconfdir}/%{name}/
+ install -p -m 0664 %{DIR_SOURCE}/dlv.isc.org.key \
+ %{BUILDROOT}%{sysconfdir}/%{name}/
+ install -p -m 0664 %{DIR_SOURCE}/root.anchor \
+ %{BUILDROOT}%{sharedstatedir}/%{name}/root.key
+
+ # Fix ownership.
+ chown -R unbound:unbound %{BUILDROOT}%{sharedstatedir}/%{name}/
+ end
+end
+
+create_user
+ getent group unound >/dev/null || /usr/sbin/groupadd -r unbound
+ getent passwd unbound >/dev/null || /usr/sbin/useradd -r -g unbound \
+ -d %{sysconfdir}/%{name} -s /sbin/nologin unbound
+end
+
+packages
+ package %{name}
+ prerequires
+ shadow-utils
+ systemd-units
+ end
+
+ requires += \
+ openssl >= 1.0.1h-2
+
+ configfiles
+ %{sysconfdir}/%{name}.conf
+ end
+
+ datafiles
+ %{sysconfdir}/%{name}/conf.d/
+ %{sysconfdir}/%{name}/local.d/
+ %{sysconfdir}/%{name}/keys.d/
+ end
+
+ script prein
+ %{create_user}
+ end
+
+ script postin
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+
+ # Enable root anchor for DNSSEC validation.
+ systemctl enable unbound-anchor.timer >/dev/null 2>&1 || :
+ end
+
+ script preun
+ systemctl --no-reload disable unbound-anchor.timer >/dev/null 2>&1 || :
+ systemctl --no-reload disable unbound-keygen.service >/dev/null 2>&1 || :
+ systemctl --no-reload disable unbound.service >/dev/null 2>&1 || :
+ systemctl stop unbound.service >/dev/null 2>&1 || :
+ systemctl stop unbound-keygen.service >/dev/null 2>&1 || :
+ end
+
+ script postun
+ systemctl daemon-reload >/dev/null 2>&1 || :
+ end
+
+ script postup
+ systemctl daemon-reload >/dev/null 2>&1 || :
+ systemctl try-restart unbound-keygen.service >/dev/null 2>&1 || :
+ systemctl try-restart unbound.service >/dev/null 2>&1 || :
+ end
+ end
+
+ package %{name}-libs
+ template LIBS
+ end
+
+ package python3-%{name}
+ template PYTHON3
+ end
+
+ package %{name}-devel
+ template DEVEL
+ end
+
+ package %{name}-debuginfo
+ template DEBUGINFO
+ end
+end
diff --git a/unbound/unbound.tmpfiles b/unbound/unbound.tmpfiles
new file mode 100644
index 000000000..d6255896c
--- /dev/null
+++ b/unbound/unbound.tmpfiles
@@ -0,0 +1 @@
+D /var/run/unbound 0755 unbound unbound -
-- 2.39.2 From d5ef2ba9efbe7d046409d612d5ed191b0646d77c Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Sun, 18 Oct 2015 22:49:20 +0100 Subject: [PATCH 04/16] ldns: New package This is a low-level DNS(SEC) library that is used by many other packages to resolve and validate DNS records. Signed-off-by: Michael Tremer --- ldns/ldns.nm | 80 +++++++++++++++++++ .../ldns-1.6.16-dsa-key-failures.patch | 28 +++++++ .../ldns-1.6.17-doxyparse-perl-5-22-fix.patch | 13 +++ ldns/patches/ldns-1.6.17-multilib.patch | 75 +++++++++++++++++ 4 files changed, 196 insertions(+) create mode 100644 ldns/ldns.nm create mode 100644 ldns/patches/ldns-1.6.16-dsa-key-failures.patch create mode 100644 ldns/patches/ldns-1.6.17-doxyparse-perl-5-22-fix.patch create mode 100644 ldns/patches/ldns-1.6.17-multilib.patch
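Review bot: The group check in `create_user` looks up `unound`, a misspelling of the group name, so `getent` never matches and `/usr/sbin/groupadd -r unbound` runs on every install and update and fails once the group exists; it should read `getent group unbound >/dev/null || /usr/sbin/groupadd -r unbound`. The `configfiles` entry names `%{sysconfdir}/%{name}.conf`, but `install_cmds` puts the file under `%{sysconfdir}/%{name}/`, so the resolver configuration is probably not tracked as a config file and local hardening edits could be replaced on update; `%{sysconfdir}/%{name}/%{name}.conf` looks like the intended path. The configuration, `icannbundle.pem` and `dlv.isc.org.key` are installed with mode 0664 while `root.key` gets 0644; unless a group is meant to edit them, 0644 for all of them keeps the validator's settings and trust material writable by the owner only.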
diff --git a/ldns/ldns.nm b/ldns/ldns.nm
new file mode 100644
index 000000000..d79d48c08
--- /dev/null
+++ b/ldns/ldns.nm
@@ -0,0 +1,80 @@
+###############################################################################
+# IPFire.org - An Open Source Firewall Solution #
+# Copyright (C) - IPFire Development Team #
+###############################################################################
+
+name = ldns
+version = 1.6.17
+release = 1
+
+groups = Networking/DNS
+url = http://www.nlnetlabs.nl/projects/ldns/
+license = BSD
+summary = Low-level DNS(SEC) library with API
+
+description
+ The flex program generates scanners. Scanners are programs which can
+ recognize lexical patterns in text. Flex takes pairs of regular
+ expressions and C code as input and generates a C source file as
+ output. The output file is compiled and linked with a library to
+ produce an executable. The executable searches through its input for
+ occurrences of the regular expressions. When a match is found, it
+ executes the corresponding C code. Flex was designed to work with
+ both Yacc and Bison, and is used by many programs as part of their
+ build process.
+end
+
+source_dl = http://www.nlnetlabs.nl/downloads/%{name}/
+
+build
+ requires
+ ca-certificates
+ doxygen
+ gcc-c++
+ libpcap-devel
+ openssl-devel
+ end
+
+ prepare_cmds
+ sed -i "s/@includedir@/@includedir@\/ldns/" \
+ packaging/libldns.pc.in
+ end
+
+ configure_options += \
+ --enable-gost \
+ --enable-ecdsa \
+ --with-ca-file=/etc/pki/tls/certs/ca-bundle.trust.crt \
+ --with-ca-path=/etc/pki/tls/certs/ \
+ --with-trust-anchor=%{sharedstatedir}/unbound/root.key \
+ --enable-rrtype-cds \
+ --enable-rrtype-uri
+
+ build_cmds
+ pushd drill
+ ./configure %{configure_options}
+ make %{PARALLELISMFLAGS}
+ popd
+ end
+
+ install_cmds
+ install -D -m644 packaging/libldns.pc \
+ %{BUILDROOT}%{libdir}/pkgconfig/ldns.pc
+
+ make -C drill DESTDIR=%{BUILDROOT} install
+ end
+end
+
+packages
+ package %{name}
+
+ package %{name}-devel
+ template DEVEL
+
+ files += %{bindir}/ldns-config
+ files += %{mandir}/man1/ldns-config.1*
+ end
+
+ package %{name}-debuginfo
+ template DEBUGINFO
+ end
+end
diff --git a/ldns/patches/ldns-1.6.16-dsa-key-failures.patch b/ldns/patches/ldns-1.6.16-dsa-key-failures.patch
new file mode 100644
index 000000000..93e8a73c8
--- /dev/null
+++ b/ldns/patches/ldns-1.6.16-dsa-key-failures.patch
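Review bot: The `description` block is the text of the flex package ("The flex program generates scanners…") and says nothing about ldns; it should describe the library, for example `ldns is a low-level DNS(SEC) library that other packages use to resolve and validate DNS records.`, which matches the commit message. `--with-trust-anchor=%{sharedstatedir}/unbound/root.key` points at a file that the unbound package installs, yet this package declares no dependency on unbound, so DNSSEC checks done with drill may find no anchor on a system without unbound; worth confirming and then either adding the requirement or documenting it. `source_dl` is a plain `http://` location; if the build does not verify the tarball against a pinned checksum, an `https://` location would be the safer choice.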
@@ -0,0 +1,28 @@ +diff -up ldns-1.6.17/keys.c.dsa ldns-1.6.17/keys.c +--- ldns-1.6.17/keys.c.dsa 2014-01-10 22:04:41.000000000 +0100 ++++ ldns-1.6.17/keys.c 2014-03-18 17:54:34.751742493 +0100 +@@ -1324,7 +1324,6 @@ ldns_key_dsa2bin(unsigned char *data, DS + /* See RFC2536 */ + *size = (uint16_t)BN_num_bytes(k->p); + T = (*size - 64) / 8; +- memcpy(data, &T, 1); + + if (T > 8) { + #ifdef STDERR_MSGS +@@ -1335,12 +1334,13 @@ ldns_key_dsa2bin(unsigned char *data, DS + } + + /* size = 64 + (T * 8); */ ++ memset(data, 0, 21 + *size * 3); + data[0] = (unsigned char)T; + BN_bn2bin(k->q, data + 1 ); /* 20 octects */ + BN_bn2bin(k->p, data + 21 ); /* offset octects */ +- BN_bn2bin(k->g, data + 21 + *size); /* offset octets */ +- BN_bn2bin(k->pub_key, data + 21 + *size + *size); /* offset octets */ +- *size = 21 + (*size * 3); ++ BN_bn2bin(k->g, data + 21 + *size * 2 - BN_num_bytes(k->g)); ++ BN_bn2bin(k->pub_key,data + 21 + *size * 3 - BN_num_bytes(k->pub_key)); ++ *size = 21 + *size * 3; + return true; + } + diff --git a/ldns/patches/ldns-1.6.17-doxyparse-perl-5-22-fix.patch b/ldns/patches/ldns-1.6.17-doxyparse-perl-5-22-fix.patch new file mode 100644 index 000000000..2140ff5c0 --- /dev/null +++ b/ldns/patches/ldns-1.6.17-doxyparse-perl-5-22-fix.patch @@ -0,0 +1,13 @@ +diff --git a/doc/doxyparse.pl b/doc/doxyparse.pl +index 96a1732..745d564 100755 +--- a/doc/doxyparse.pl ++++ b/doc/doxyparse.pl +@@ -273,7 +273,7 @@ foreach (keys %manpages) { + + print MAN $MAN_MIDDLE; + +- if (defined(@$also)) { ++ if (@$also) { + print MAN "\n.SH SEE ALSO\n\\fI"; + print MAN join "\\fR, \\fI", @$also; + print MAN "\\fR.\nAnd "; diff --git a/ldns/patches/ldns-1.6.17-multilib.patch b/ldns/patches/ldns-1.6.17-multilib.patch new file mode 100644 index 000000000..5c7440a32 --- /dev/null +++ b/ldns/patches/ldns-1.6.17-multilib.patch 
@@ -0,0 +1,75 @@ +diff -Naur ldns-1.6.17-orig/configure ldns-1.6.17/configure +--- ldns-1.6.17-orig/configure 2014-01-10 16:04:50.000000000 -0500 ++++ ldns-1.6.17/configure 2014-01-10 20:22:39.138190093 -0500 +@@ -662,6 +662,7 @@ + PYTHON_LDFLAGS + PYTHON_CPPFLAGS + PYTHON ++PYTHON_LIB + PYTHON_VERSION + UNINSTALL_CONFIG_MANPAGE + UNINSTALL_CONFIG +@@ -13599,6 +13600,7 @@ + # use the official shared library + ac_python_library=`echo "$ac_python_library" | sed "s/^lib//"` + PYTHON_LDFLAGS="-L$ac_python_libdir -l$ac_python_library" ++ PYTHON_LIB="$ac_python_library" + else + # old way: use libpython from python_configdir + ac_python_libdir=`$PYTHON -c \ +@@ -13606,6 +13608,7 @@ + import os; \ + print (os.path.join(f(plat_specific=1, standard_lib=1), 'config'));"` + PYTHON_LDFLAGS="-L$ac_python_libdir -lpython$ac_python_version" ++ PYTHON_LIB="python$ac_python_version" + fi + + if test -z "PYTHON_LDFLAGS"; then +diff -Naur ldns-1.6.17-orig/packaging/ldns-config.in ldns-1.6.17/packaging/ldns-config.in +--- ldns-1.6.17-orig/packaging/ldns-config.in 2014-01-10 16:04:41.000000000 -0500 ++++ ldns-1.6.17/packaging/ldns-config.in 2014-01-10 20:33:13.033665804 -0500 +@@ -3,13 +3,25 @@ + prefix="@prefix@" + exec_prefix="@exec_prefix@" + VERSION="@PACKAGE_VERSION@" +-CFLAGS="@CFLAGS@" +-CPPFLAGS="@CPPFLAGS@ @LIBSSL_CPPFLAGS@ @PYTHON_CPPFLAGS@" +-LDFLAGS="@LDFLAGS@ @LIBSSL_LDFLAGS@ @PYTHON_LDFLAGS@" + LIBS="@LIBS@ @LIBSSL_LIBS@" +-LIBDIR="@libdir@" + INCLUDEDIR="@includedir@" + LIBVERSION="@LIBLDNS_CURRENT@.@LIBLDNS_REVISION@.@LIBLDNS_AGE@" ++ARCH="`uname -m`" ++ ++case $ARCH in ++ x86_64 | amd64 | sparc64 | s390x | ppc64) ++ ++ LIBDIR="/usr/lib64" ++ LIBDIR_SEC="/usr/lib" ++ ;; ++ * ) ++ LIBDIR="/usr/lib" ++ LIBDIR_SEC="/usr/lib64" ++ ;; ++esac ++ ++LDFLAGS="@LDFLAGS@ @LIBSSL_LDFLAGS@ -L$LIBDIR -l@PYTHON_LIB@" ++LDFLAGS_SEC="@LDFLAGS@ @LIBSSL_LDFLAGS@ -L$LIBDIR_SEC -l@PYTHON_LIB@" + + for arg in $@ + do +@@ -21,9 +33,13 @@ + then + echo "${LDFLAGS} -L${LIBDIR} ${LIBS} -lldns" + 
fi ++ if [ $arg = "--libs_sec" ] ++ then ++ echo "${LDFLAGS_SEC} -L${LIBDIR_SEC} ${LIBS} -lldns" ++ fi + if [ $arg = "-h" ] || [ $arg = "--help" ] + then +- echo "Usage: $0 [--cflags] [--libs] [--version]" ++ echo "Usage: $0 [--cflags] [--libs] [--libs_sec] [--version]" + fi + if [ $arg = "--version" ] + then -- 2.39.2 From f8758f368d6ce5c26ab067ef4bd12d5a99225a70 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Sun, 18 Oct 2015 23:16:54 +0100 Subject: [PATCH 05/16] strongswan: Disable swanctl and enable unbound plugin The swanctl feature is not needed in IPFire right now, but we want to use IPSECKEY in the future. Signed-off-by: Michael Tremer --- strongswan/strongswan.nm | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/strongswan/strongswan.nm b/strongswan/strongswan.nm index e861c250e..b8488e4dd 100644 --- a/strongswan/strongswan.nm +++ b/strongswan/strongswan.nm @@ -5,7 +5,7 @@ name = strongswan version = 5.3.3 -release = 2 +release = 3 groups = Networking/VPN url = http://www.strongswan.org/ @@ -30,6 +30,7 @@ build flex gmp-devel gperf + ldns-devel libcap-devel libcurl-devel libgcrypt-devel @@ -39,6 +40,7 @@ build perl sqlite-devel systemd-devel >= 221-2 + unbound-devel end configure_options += \ @@ -62,7 +64,7 @@ build --enable-eap-mschapv2 \ --enable-eap-identity \ --with-capabilities=libcap \ - --enable-swanctl \ + --enable-unbound \ --enable-systemd if "%{DISTRO_ARCH}" == "i686" @@ -93,14 +95,11 @@ packages script postup systemctl daemon-reload >/dev/null 2>&1 || : systemctl reload-or-try-restart strongswan.service >/dev/null 2>&1 || : - systemctl reload-or-try-restart strongswan-swanctl.service >/dev/null 2>&1 || : end script preun systemctl disable --no-reload strongswan.service >/dev/null 2>&1 || : - systemctl disable --no-reload strongswan-swanctl.service >/dev/null 2>&1 || : systemctl stop strongswan.service >/dev/null 2>&1 || : - systemctl stop strongswan-swanctl.service >/dev/null 2>&1 || : end script postun -- 2.39.2 
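Review bot: The `case $ARCH in` list added to `ldns-config.in` picks the library directory from `uname -m` at run time and names only `x86_64 | amd64 | sparc64 | s390x | ppc64`, so a 64-bit architecture outside that list (aarch64, for one) falls into the `*` branch and `--libs` prints `-L/usr/lib`. If the distribution is built for such an architecture, extend the list or keep the configure-time `@libdir@` that this patch removes. The hard-coded `/usr/lib64` and `/usr/lib` also ignore `@prefix@`, and the new `[ $arg = "--libs_sec" ]` expands `$arg` unquoted like the tests around it, so an argument containing spaces breaks the test; `[ "$arg" = "--libs_sec" ]` avoids that.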
From bef6465a923f71647b2b0b9a06725035e05a03af Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Sun, 18 Oct 2015 23:23:06 +0100 Subject: [PATCH 06/16] network: Update to version 007 Signed-off-by: Michael Tremer --- network/network.nm | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/network/network.nm b/network/network.nm index 17e7c04ec..be3c641f8 100644 --- a/network/network.nm +++ b/network/network.nm @@ -5,9 +5,8 @@ name = network epoch = 1 -version = 006 -release = 2 -arch = noarch +version = 007 +release = 1 maintainer = Michael Tremer groups = Base Networking/Tools @@ -32,8 +31,8 @@ build install_cmds # Create some dummy configuration files. - mkdir -pv %{BUILDROOT}%{sysconfdir}/{firewall,network} - touch %{BUILDROOT}%{sysconfdir}/network/{config,dns-servers,routes} + mkdir -pv %{BUILDROOT}%{sysconfdir}/network + touch %{BUILDROOT}%{sysconfdir}/network/{settings,dns-servers,routes} end end @@ -60,7 +59,6 @@ packages systemd-units tunctl wpa_supplicant >= 1.0-2 - /usr/bin/ipcalc /usr/bin/logger end -- 2.39.2 From ca468b64bb442c1556bd5ebbfe60f1ae606ca81d Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Fri, 23 Oct 2015 16:31:15 +0100 Subject: [PATCH 07/16] network: Fix build on 32 architectures Signed-off-by: Michael Tremer --- network/network.nm | 21 ++- ...-Allow-build-on-64-bit-architectures.patch | 127 ++++++++++++++++++ network/systemd/network.service | 13 -- 3 files changed, 141 insertions(+), 20 deletions(-) create mode 100644 network/patches/0001-inetcalc-Allow-build-on-64-bit-architectures.patch delete mode 100644 network/systemd/network.service diff --git a/network/network.nm b/network/network.nm index be3c641f8..7228a6575 100644 --- a/network/network.nm +++ b/network/network.nm @@ -6,7 +6,7 @@ name = network epoch = 1 version = 007 -release = 1 +release = 1.1 maintainer = Michael Tremer groups = Base Networking/Tools 
@@ -25,8 +25,15 @@ source_dl = http://source.ipfire.org/releases/network/ build requires + autoconf + automake docbook-xsl libxslt + systemd-devel + end + + prepare_cmds + [ -e "configure" ] || ./autogen.sh end install_cmds @@ -63,23 +70,23 @@ packages end configfiles - /etc/firewall /etc/network end - # Enable network service, so it starts at the first boot. script postin systemctl daemon-reload >/dev/null 2>&1 || : - systemctl --no-reload enable network.service >/dev/null 2>&1 || : end - script preun - systemctl --no-reload disable network.service >/dev/null 2>&1 || : - systemctl stop network.service >/dev/null 2>&1 || : + script postun + systemctl daemon-reload >/dev/null 2>&1 || : end script postup systemctl daemon-reload >/dev/null 2>&1 || : end end + + package %{name}-debuginfo + template DEBUGINFO + end end diff --git a/network/patches/0001-inetcalc-Allow-build-on-64-bit-architectures.patch b/network/patches/0001-inetcalc-Allow-build-on-64-bit-architectures.patch new file mode 100644 index 000000000..fec5b2c74 --- /dev/null +++ b/network/patches/0001-inetcalc-Allow-build-on-64-bit-architectures.patch 
@@ -0,0 +1,127 @@ +From cf3fb03ccc299b1233fa1a3cc4ce66520c324e70 Mon Sep 17 00:00:00 2001 +From: Michael Tremer +Date: Wed, 21 Oct 2015 18:42:06 +0200 +Subject: [PATCH] inetcalc: Allow build on 64 bit architectures + +inetcalc previously used a GCC extension that was only +available on 64 bit platforms. This patch changes the +code to use struct in6_addr instead of __uint128_t for +storing IP addresses. + +Signed-off-by: Michael Tremer +--- + src/inetcalc.c | 47 +++++++++++++++++++++++++++++++++-------------- + 1 file changed, 33 insertions(+), 14 deletions(-) + +diff --git a/src/inetcalc.c b/src/inetcalc.c +index f821d6ed41a6..ba692542aba7 100644 +--- a/src/inetcalc.c ++++ b/src/inetcalc.c +@@ -30,17 +30,26 @@ + + typedef struct ip_address { + int family; +- __uint128_t addr; ++ struct in6_addr addr; + int prefix; + } ip_address_t; + +-static __uint128_t prefix_to_bitmask(int prefix) { +- __uint128_t bitmask = ~0; ++static struct in6_addr prefix_to_bitmask(int prefix) { ++ assert(prefix <= 128); + +- for (int i = 0; i < 128 - prefix; i++) +- bitmask >>= 1; ++ struct in6_addr bitmask; + +- return bitmask; ++ for (int i = 0; i < 16; i++) ++ bitmask.s6_addr[i] = 0; ++ ++ for (int i = prefix, j = 0; i > 0; i -= 8, j++) { ++ if (i >= 8) ++ bitmask.s6_addr[j] = 0xff; ++ else ++ bitmask.s6_addr[j] = 0xff << (8 - i); ++ } ++ ++ return bitmask; + } + + static int bitmask_to_prefix(uint32_t bits) { +@@ -171,7 +180,7 @@ static int ip_address_eq(const ip_address_t* a1, const ip_address_t* a2) { + if (a1->family != a2->family) + return 1; + +- if (a1->addr != a2->addr) ++ if (a1->addr.s6_addr != a2->addr.s6_addr) + return 1; + + if (a1->prefix != a2->prefix) +@@ -184,7 +193,7 @@ static int ip_address_gt(const ip_address_t* a1, const ip_address_t* a2) { + if (a1->family != a2->family || a1->prefix != a2->prefix) + return -1; + +- if (a1->addr > a2->addr) ++ if (a1->addr.s6_addr > a2->addr.s6_addr) + return 0; + + return 1; +@@ -193,7 +202,7 @@ static int ip_address_gt(const 
ip_address_t* a1, const ip_address_t* a2) { + static int ip_address_format_string(char* buffer, size_t size, const ip_address_t* ip) { + assert(ip->family == AF_INET || ip->family == AF_INET6); + +- const char* p = inet_ntop(ip->family, &ip->addr, buffer, size); ++ const char* p = inet_ntop(ip->family, &ip->addr.s6_addr, buffer, size); + if (!p) + return errno; + +@@ -218,21 +227,25 @@ static void ip_address_print(const ip_address_t* ip) { + static void ip_address_make_network(ip_address_t* net, const ip_address_t* ip) { + assert(ip->prefix >= 0); + +- __uint128_t mask = prefix_to_bitmask(ip->prefix); ++ struct in6_addr mask = prefix_to_bitmask(ip->prefix); + + net->family = ip->family; + net->prefix = ip->prefix; +- net->addr = ip->addr & mask; ++ ++ for (int i = 0; i < 16; i++) ++ net->addr.s6_addr[i] = ip->addr.s6_addr[i] & mask.s6_addr[i]; + } + + static void ip_address_make_broadcast(ip_address_t* broadcast, const ip_address_t* ip) { + assert(ip->family == AF_INET && ip->prefix >= 0); + +- __uint128_t mask = prefix_to_bitmask(ip->prefix); ++ struct in6_addr mask = prefix_to_bitmask(ip->prefix); + + broadcast->family = ip->family; + broadcast->prefix = ip->prefix; +- broadcast->addr = ip->addr | ~mask; ++ ++ for (int i = 0; i < 16; i++) ++ broadcast->addr.s6_addr[i] = ip->addr.s6_addr[i] | ~mask.s6_addr[i]; + } + + static int action_check(const int family, const char* address) { +@@ -342,7 +355,13 @@ static int action_prefix(const int family, const char* addr1, const char* addr2) + if (r) + return r; + +- uint32_t mask = ntohl(network.addr ^ broadcast.addr); ++ struct in6_addr netmask; ++ for (int i = 0; i < 16; i++) ++ netmask.s6_addr[i] = network.addr.s6_addr[i] ^ broadcast.addr.s6_addr[i]; ++ ++ uint32_t mask = netmask.s6_addr[0] << 24 | netmask.s6_addr[1] << 16 | ++ netmask.s6_addr[2] << 8 | netmask.s6_addr[3]; ++ + int prefix = bitmask_to_prefix(~mask); + if (prefix < 0) + return 1; +-- +2.4.3 + 
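Review bot: In the embedded inetcalc.c patch, `a1->addr.s6_addr != a2->addr.s6_addr` in ip_address_eq and `a1->addr.s6_addr > a2->addr.s6_addr` in ip_address_gt compare the addresses of the two arrays, not their 16 bytes. Two distinct ip_address_t objects holding the same address therefore never compare equal, and the ordering depends on where the structs sit in memory. Compare the contents instead: `if (memcmp(a1->addr.s6_addr, a2->addr.s6_addr, sizeof(a1->addr.s6_addr)) != 0)` and `if (memcmp(a1->addr.s6_addr, a2->addr.s6_addr, sizeof(a1->addr.s6_addr)) > 0)`; this needs `<string.h>`, and the include list is not visible in these hunks. In action_prefix, `netmask.s6_addr[0] << 24` shifts a value promoted to int, so `(uint32_t)netmask.s6_addr[0] << 24` avoids shifting into the sign bit. Both comparison functions extend beyond their hunks.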
diff --git a/network/systemd/network.service b/network/systemd/network.service deleted file mode 100644 index 4509a3514..000000000 --- a/network/systemd/network.service +++ /dev/null @@ -1,13 +0,0 @@ -[Unit] -Description=Network Connectivity -Before=network.target - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStartPre=/sbin/network init -ExecStart=/sbin/network start -ExecStop=/sbin/network stop - -[Install] -WantedBy=multi-user.target -- 2.39.2 From de1c22041dbacbe5fda9b6e5b493fd1db99b0002 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Fri, 23 Oct 2015 17:47:15 +0100 Subject: [PATCH 08/16] flex: Fix broken lex The $ character was incorrectly escaped and the broken lex script was not able to run properly. Fixes #10952 Signed-off-by: Michael Tremer --- flex/flex.nm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/flex/flex.nm b/flex/flex.nm index a2593c911..7bff15107 100644 --- a/flex/flex.nm +++ b/flex/flex.nm @@ -5,7 +5,7 @@ name = flex version = 2.5.39 -release = 1 +release = 2 groups = Development/Tools url = http://flex.sourceforge.net/ @@ -41,7 +41,7 @@ build install_cmds echo "#!/bin/sh" > %{BUILDROOT}/usr/bin/lex - echo "exec /usr/bin/flex -l \"$$@\"" >> %{BUILDROOT}/usr/bin/lex + echo "exec /usr/bin/flex -l \"\$@\"" >> %{BUILDROOT}/usr/bin/lex chmod 755 %{BUILDROOT}/usr/bin/lex end end -- 2.39.2 From ea7896a5e457dbc633415f9275fd071c42809057 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 23 Oct 2015 19:25:59 +0200 Subject: [PATCH 09/16] flex: Fix broken testsuite with bison 3.0 In Bison 3.0, support for YYLEX_PARAM and YYPARSE_PARAM has been removed (deprecated in Bison 1.875): use %lex-param, %parse-param, or %param. This commit adds a patch to fix the tests so they still work. Fixes #10951. Signed-off-by: Stefan Schantl 
Signed-off-by: Michael Tremer --- flex/flex.nm | 2 +- ...-Do-not-use-obsolete-bison-construct.patch | 79 +++++++++++++++++++ 2 files changed, 80 insertions(+), 1 deletion(-) create mode 100644 flex/patches/0001-bison-test-fixes-Do-not-use-obsolete-bison-construct.patch diff --git a/flex/flex.nm b/flex/flex.nm index 7bff15107..4c5b55559 100644 --- a/flex/flex.nm +++ b/flex/flex.nm @@ -5,7 +5,7 @@ name = flex version = 2.5.39 -release = 2 +release = 2.1 groups = Development/Tools url = http://flex.sourceforge.net/ diff --git a/flex/patches/0001-bison-test-fixes-Do-not-use-obsolete-bison-construct.patch b/flex/patches/0001-bison-test-fixes-Do-not-use-obsolete-bison-construct.patch new file mode 100644 index 000000000..eb46be34e --- /dev/null +++ b/flex/patches/0001-bison-test-fixes-Do-not-use-obsolete-bison-construct.patch 
@@ -0,0 +1,79 @@ +From 35aba3d6e3c99fcd527c677bef8efeb59963fe8a Mon Sep 17 00:00:00 2001 +Message-Id: <35aba3d6e3c99fcd527c677bef8efeb59963fe8a.1397340102.git.srivasta@golden-gryphon.com> +From: Manoj Srivastava +Date: Wed, 9 Apr 2014 00:23:07 -0700 +Subject: [PATCH 1/1] [bison-test-fixes] Do not use obsolete bison constructs in tests. + +In Bison 3.0, support for YYLEX_PARAM and YYPARSE_PARAM has been +removed (deprecated in Bison 1.875): use %lex-param, %parse-param, or +%param. This commit fixes the tests so they still work. + +Signed-off-by: Manoj Srivastava +--- + tests/test-bison-yylloc/parser.y | 4 ++-- + tests/test-bison-yylval/parser.y | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + 50.0% tests/test-bison-yylloc/ + 50.0% tests/test-bison-yylval/ + +diff --git a/tests/test-bison-yylloc/parser.y b/tests/test-bison-yylloc/parser.y +index e8f4e56..224d252 100644 +--- a/tests/test-bison-yylloc/parser.y ++++ b/tests/test-bison-yylloc/parser.y +@@ -22,6 +22,7 @@ + */ + + %parse-param { void* scanner } ++%lex-param { void* scanner } + + /* + How to compile: +@@ -34,7 +35,6 @@ + #include "config.h" + + #define YYERROR_VERBOSE 1 +-#define YYLEX_PARAM scanner + + extern int testget_lineno(void*); + +@@ -52,7 +52,7 @@ int process_text(char* s) { + + %} + +-%pure_parser ++%pure-parser + + %union { + int lineno; +diff --git a/tests/test-bison-yylval/parser.y b/tests/test-bison-yylval/parser.y +index 0ffdb89..626c5e7 100644 +--- a/tests/test-bison-yylval/parser.y ++++ b/tests/test-bison-yylval/parser.y +@@ -26,6 +26,7 @@ + bison --defines --output-file="parser.c" --name-prefix="test" parser.y + */ + %parse-param { void* scanner } ++%lex-param { void* scanner } + %{ + #include + #include +@@ -33,7 +34,6 @@ + #include "config.h" + + #define YYERROR_VERBOSE 1 +-#define YYLEX_PARAM scanner + + + /* A dummy function. A check against seg-faults in yylval->str. 
*/ +@@ -49,7 +49,7 @@ int process_text(char* s) { + + %} + +-%pure_parser ++%pure-parser + + %union { + long unused; +-- +1.9.2 + -- 2.39.2 From 1502d4578799bf994032c7be5003a42280070c05 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Mon, 26 Oct 2015 10:48:53 +0100 Subject: [PATCH 10/16] automake: Update to 1.15 Update to the latest available version of automake. Required to build util-linux 2.27. Signed-off-by: Stefan Schantl Signed-off-by: Michael Tremer --- automake/automake.nm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/automake/automake.nm b/automake/automake.nm index 128ba2c59..ca553c1a1 100644 --- a/automake/automake.nm +++ b/automake/automake.nm @@ -4,8 +4,8 @@ ############################################################################### name = automake -version = 1.13.2 -release = 2 +version = 1.15 +release = 1 arch = noarch groups = Development/Tools -- 2.39.2 From f8aad48b12ddb9ae88b56d9571bc10014b5658c5 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Mon, 26 Oct 2015 10:48:54 +0100 Subject: [PATCH 11/16] python-lxml: New package lxml provides a Python binding to the libxslt and libxml2 libraries. It follows the ElementTree API as much as possible in order to provide a more Pythonic interface to libxml2 and libxslt than the default bindings. Build dependency for systemd python bindings. Signed-off-by: Stefan Schantl Signed-off-by: Michael Tremer --- python-lxml/python-lxml.nm | 65 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 python-lxml/python-lxml.nm diff --git a/python-lxml/python-lxml.nm b/python-lxml/python-lxml.nm new file mode 100644 index 000000000..82c07c57a --- /dev/null +++ b/python-lxml/python-lxml.nm 
@@ -0,0 +1,65 @@ +############################################################################### +# IPFire.org - An Open Source Firewall Solution # +# Copyright (C) - IPFire Development Team # +############################################################################### + +name = python-lxml +version = 3.4.4 +release = 1 +thisapp = lxml-%{version} + +groups = Development/Languages +url = http://lxml.de +license = BSD +summary = ElementTree-like Python bindings for libxml2 and libxslt. + +description + lxml provides a Python binding to the libxslt and libxml2 libraries. + It follows the ElementTree API as much as possible in order to provide + a more Pythonic interface to libxml2 and libxslt than the default + bindings. +end + +source_dl = http://lxml.de/files/ +sources = %{thisapp}.tgz + +build + requires + libxml2-devel + libxslt-devel + python3-devel + zlib-devel + end + + build + CFLAGS="%{CFLAGS}" %{python3} setup.py build + end + + test + # Setup test environment. + BUILD_LIB_DIR=$(find $(pwd) -name "*.so" | head -n 1 | xargs dirname) + cp $BUILD_LIB_DIR/*.so src/lxml + export LANG=en_US.utf8 + + # Run tests. + %{python3} test.py -p -v + + # Launch more tests. + export PYTHONPATH=src + %{python3} selftest.py + %{python3} selftest2.py + end + + install + %{python3} setup.py install --skip-build -O1 \ + --root=%{BUILDROOT} + end +end + +packages + package python3-lxml + + package python3-lxml-debuginfo + template DEBUGINFO + end +end -- 2.39.2 From 63af7a712dffce481c1771e74ccba245a8f50486 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Mon, 26 Oct 2015 10:48:55 +0100 Subject: [PATCH 12/16] systemd: Enable python bindings Enable the build of systemd python bindings for python3. Requires python-lxml and python development headers to be present. Fixes #10969. Signed-off-by: Stefan Schantl Signed-off-by: Michael Tremer --- systemd/systemd.nm | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) 
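Review bot: `source_dl = http://lxml.de/files/` fetches `%{thisapp}.tgz` over plain HTTP, and this new file pins no digest for the tarball, so its integrity rests on whatever verification the build system does elsewhere (not visible here). Consider an HTTPS download location if the upstream site offers one, and confirm that a checksum for the source is recorded and checked before the build runs. In the `test` section, `BUILD_LIB_DIR=$(find $(pwd) -name "*.so" | head -n 1 | xargs dirname)` takes whichever `.so` happens to be listed first and is used unquoted; `cp "${BUILD_LIB_DIR}"/*.so src/lxml` with a quoted `"$(pwd)"` would survive a build path containing spaces.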
diff --git a/systemd/systemd.nm b/systemd/systemd.nm index 0b8e604e2..35d2b0bef 100644 --- a/systemd/systemd.nm +++ b/systemd/systemd.nm @@ -5,7 +5,7 @@ name = systemd version = 221 -release = 3 +release = 4 maintainer = Stefan Schantl groups = System/Base @@ -49,6 +49,8 @@ build m4 pam-devel pciutils-devel + python3-devel + python3-lxml usbutils vala xz-devel @@ -56,6 +58,7 @@ build end configure_options += \ + PYTHON=%{python3} \ --with-sysvinit-path= \ --with-sysvrcnd-path= \ --enable-introspection \ @@ -429,6 +432,10 @@ packages end end + package python3-%{name} + template PYTHON3 + end + package %{name}-debuginfo template DEBUGINFO end -- 2.39.2 From d4314e5aced9723fc80d683a381b11ad5742cfda Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Mon, 26 Oct 2015 10:48:56 +0100 Subject: [PATCH 13/16] util-linux: Update to 2.27 This is a major update to the latest stable version of util-linux. Signed-off-by: Stefan Schantl Signed-off-by: Michael Tremer --- util-linux/util-linux.nm | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/util-linux/util-linux.nm b/util-linux/util-linux.nm index 68c0ef9d7..4d14b857c 100644 --- a/util-linux/util-linux.nm +++ b/util-linux/util-linux.nm @@ -4,10 +4,11 @@ ############################################################################### name = util-linux -major_ver = 2.25 -minor_ver = 2 -version = %{major_ver}.%{minor_ver} -release = 2 +major_ver = 2.27 +minor_ver = +version = %{major_ver} +#version = %{major_ver}.%{minor_ver} +release = 1 maintainer = Stefan Schantl groups = System/Base @@ -27,7 +28,7 @@ source_dl = ftp://ftp.kernel.org/pub/linux/utils/util-linux/v%{major_ver}/ build requires audit-devel - automake >= 1.13 + automake >= 1.15 coreutils >= 8.19 gettext libcap-devel -- 2.39.2 From 35c86ab7c7abd3ed85b5ba36b5ecd34d2226aa59 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Mon, 26 Oct 2015 12:47:15 +0100 Subject: [PATCH 14/16] rrdtool: Update to version 1.5.4 Includes minor bugfixes 
Signed-off-by: Michael Tremer --- rrdtool/rrdtool.nm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rrdtool/rrdtool.nm b/rrdtool/rrdtool.nm index 993baeb08..c9e514155 100644 --- a/rrdtool/rrdtool.nm +++ b/rrdtool/rrdtool.nm @@ -4,7 +4,7 @@ ############################################################################### name = rrdtool -version = 1.5.2 +version = 1.5.4 release = 1 groups = Applications/Databases -- 2.39.2 From 9896be8714769816c50305711bd64a9e13bfb92b Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Sat, 31 Oct 2015 23:13:28 +0000 Subject: [PATCH 15/16] network: Depend on crda The crda package is required to make wireless usable. Signed-off-by: Michael Tremer --- network/network.nm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/network/network.nm b/network/network.nm index 7228a6575..ab315390a 100644 --- a/network/network.nm +++ b/network/network.nm @@ -6,7 +6,7 @@ name = network epoch = 1 version = 007 -release = 1.1 +release = 2 maintainer = Michael Tremer groups = Base Networking/Tools @@ -49,6 +49,7 @@ packages aiccu bash >= 4.0 batctl + crda curl dhclient >= 4.2.4-2 dhcp >= 4.2.4-1 -- 2.39.2 From 1c6d545816cd0ad5117bde16b8d78b4368c072d4 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 3 Nov 2015 23:39:27 +0000 Subject: [PATCH 16/16] pdns: Update to version 3.4.7 Ths patch also enables the testsuite. Signed-off-by: Michael Tremer --- pdns/pdns.nm | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/pdns/pdns.nm b/pdns/pdns.nm index 3c25e9d46..21e9984f1 100644 --- a/pdns/pdns.nm +++ b/pdns/pdns.nm @@ -4,8 +4,8 @@ ############################################################################### name = pdns -version = 3.3.1 -release = 2 +version = 3.4.7 +release = 1 groups = Networking/DNS url = http://powerdns.com/ @@ -20,6 +20,7 @@ description end source_dl = http://downloads.powerdns.com/releases/ +sources = %{thisapp}.tar.bz2 build requires 
@@ -38,18 +39,22 @@ build configure_options += \ --sysconfdir=%{sysconfdir}/pdns \ - --libdir=%{libdir}/powerdns \ --with-system-polarssl \ --with-modules="" \ --with-dynmodules="pipe geo gsqlite3" \ --with-lua \ --enable-tools \ - --disable-static + --disable-static \ + --enable-unit-tests prepare_cmds %{create_user} end + test + make -C pdns check + end + install_cmds # Create directories for pdns sqlite db. mkdir -p %{BUILDROOT}%{datadir}/pdns/ @@ -78,7 +83,7 @@ build chrpath --delete %{BUILDROOT}/usr/bin/pdns_control chrpath --delete %{BUILDROOT}/usr/bin/zone2sql chrpath --delete %{BUILDROOT}/usr/sbin/pdns_server - chrpath --delete %{BUILDROOT}%{libdir}/powerdns/*.so + chrpath --delete %{BUILDROOT}%{libdir}/pdns/*.so chrpath --delete %{BUILDROOT}/usr/bin/dnsreplay chrpath --delete %{BUILDROOT}/usr/bin/pdnssec end -- 2.39.2