Source3: unbound.munin
Source4: unbound_munin_
Source5: root.key
-Source6: dlv.isc.org.key
Patch1: unbound-1.2-glob.patch
Group: System Environment/Daemons
%attr(0755,root,root) %dir %{_sysconfdir}/%{name}
%ghost %attr(0755,unbound,unbound) %dir %{_localstatedir}/run/%{name}
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key
%{_sbindir}/*
%{_mandir}/*/*
%post
/sbin/chkconfig --add %{name}
-# dnssec-conf used to contain our DLV key, but now we include it via unbound
-# If unbound had previously been configured with dnssec-configure, we need
-# to migrate the location of the DLV key file (to keep DLV enabled, and because
-# unbound won't start with a bad location for a DLV key file.
-sed -i "s:/etc/pki/dnssec-keys[/]*dlv:/etc/unbound:" %{_sysconfdir}/unbound/unbound.conf
%post libs -p /sbin/ldconfig
+20 May 2015: Wouter
+ - DLV is going to be decommissioned. Advice to stop using it, and
+ put text in the example configuration and man page to that effect.
+
10 May 2015: Wouter
- Change syntax of particular validator error to be easier for
machine parse, swap rrset and ip adres info so it looks like:
# File with DLV trusted keys. Same format as trust-anchor-file.
# There can be only one DLV configured, it is trusted from root down.
- # Download http://ftp.isc.org/www/dlv/dlv.isc.org.key
+ # DLV is going to be decommissioned. Please do not use it any more.
# dlv-anchor-file: "dlv.isc.org.key"
# File with trusted keys for validation. Specify more than one file
expanded on start and on reload.
.TP
.B dlv\-anchor\-file: \fI<filename>
+This option was used during early days DNSSEC deployment when no parent-side
+DS record registrations were easily available. Nowadays, it is best to have
+DS records registered with the parent zone (many top level zones are signed).
File with trusted keys for DLV (DNSSEC Lookaside Validation). Both DS and
DNSKEY entries can be used in the file, in the same format as for
\fItrust\-anchor\-file:\fR statements. Only one DLV can be configured, more
would be slow. The DLV configured is used as a root trusted DLV, this
means that it is a lookaside for the root. Default is "", or no dlv anchor file.
+DLV is going to be decommissioned. Please do not use it any more.
.TP
.B dlv\-anchor: \fI<"Resource Record">
Much like trust\-anchor, this is a DLV anchor with the DS or DNSKEY inline.
+DLV is going to be decommissioned. Please do not use it any more.
.TP
.B domain\-insecure: \fI<domain name>
Sets domain name to be insecure, DNSSEC chain of trust is ignored towards
/**
* Init DLV check.
+ * DLV is going to be decommissioned, but the code is still here for some time.
+ *
* Called when a query is determined by other trust anchors to be insecure
* (or indeterminate). Then we look if there is a key in the DLV.
* Performs aggressive negative cache check to see if there is no key.
AddSize 2
sectionEnd
-# the /o means it is not selected by default.
-section /o "DLV - dlv.isc.org" SectionDLV
- # add estimated size for key (Kb)
- AddSize 2
- SetOutPath $INSTDIR
-
- # libgcc exception lib used by NSISdl plugin (in crosscompile).
- File /nonfatal "/oname=$PLUGINSDIR\libgcc_s_sjlj-1.dll" "/usr/i686-w64-mingw32/sys-root/mingw/bin/libgcc_s_sjlj-1.dll"
-
- NSISdl::download "http://ftp.isc.org/www/dlv/dlv.isc.org.key" "$INSTDIR\dlv.isc.org.key"
- Pop $R0 # result from Inetc::get
- ${If} $R0 != "success"
- MessageBox MB_OK|MB_ICONEXCLAMATION "Download error (ftp.isc.org: $R0), click OK to abort installation" /SD IDOK
- SetOutPath "C:\"
- RMDir "$INSTDIR" # doesnt work directory in use by us ...
- Abort
- ${EndIf}
-sectionEnd
-
section "-hidden.postinstall"
# copy files
setOutPath $INSTDIR
WriteRegStr HKLM "Software\Unbound" "RootAnchor" ""
${EndIf}
- # Store DLV choice
- SectionGetFlags ${SectionDLV} $R0
- IntOp $R0 $R0 & ${SF_SELECTED}
- ${If} $R0 == ${SF_SELECTED}
- ClearErrors
- FileOpen $R1 "$INSTDIR\service.conf" a
- IfErrors done_dlv
- FileSeek $R1 0 END
- FileWrite $R1 "$\nserver: dlv-anchor-file: $\"$INSTDIR\dlv.isc.org.key$\"$\n"
- FileClose $R1
- done_dlv:
- WriteRegStr HKLM "Software\Unbound" "CronAction" "$\"$INSTDIR\anchor-update.exe$\" dlv.isc.org $\"$INSTDIR\dlv.isc.org.key$\""
- ${Else}
- WriteRegStr HKLM "Software\Unbound" "CronAction" ""
- ${EndIf}
-
# store installation folder
WriteRegStr HKLM "Software\Unbound" "InstallLocation" "$INSTDIR"
WriteRegStr HKLM "Software\Unbound" "ConfigFile" "$INSTDIR\service.conf"
+ WriteRegStr HKLM "Software\Unbound" "CronAction" ""
WriteRegDWORD HKLM "Software\Unbound" "CronTime" 86400
# uninstaller
# set section descriptions
LangString DESC_unbound ${LANG_ENGLISH} "The base unbound DNS(SEC) validating caching resolver. $\r$\n$\r$\nStarted at boot from the Services control panel, logs to the Application Log, and the config file is its Program Files folder."
LangString DESC_rootkey ${LANG_ENGLISH} "Set up to use the DNSSEC root trust anchor. It is automatically updated. $\r$\n$\r$\nThis provides the main key that is used for security verification."
-LangString DESC_dlv ${LANG_ENGLISH} "Set up to use DLV with dlv.isc.org. Downloads the key during install. $\r$\n$\r$\nIt fetches additional public keys that are used for security verification by querying the isc.org server with names encountered."
!insertmacro MUI_FUNCTION_DESCRIPTION_BEGIN
!insertmacro MUI_DESCRIPTION_TEXT ${SectionUnbound} $(DESC_unbound)
!insertmacro MUI_DESCRIPTION_TEXT ${SectionRootKey} $(DESC_rootkey)
- !insertmacro MUI_DESCRIPTION_TEXT ${SectionDLV} $(DESC_dlv)
!insertmacro MUI_FUNCTION_DESCRIPTION_END
# setup macros for uninstall functions.
Delete "$INSTDIR\unbound-website.url"
Delete "$INSTDIR\service.conf"
Delete "$INSTDIR\example.conf"
- Delete "$INSTDIR\dlv.isc.org.key"
Delete "$INSTDIR\root.key"
RMDir "$INSTDIR"
projects / thirdparty / unbound.git / commitdiff
