diff --git a/.cvsignore b/.cvsignore index e9b2306..a7ddb89 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1,3 +1,4 @@ unbound-1.1.1.tar.gz unbound-1.2.0.tar.gz unbound-1.2.1.tar.gz +unbound-1.3.0.tar.gz diff --git a/sources b/sources index 0574b16..b2967cc 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -5437f2a1e698d8aa73ba19a60662a654 unbound-1.2.1.tar.gz +783325c26ae1a47be0e496c94f3e1cca unbound-1.3.0.tar.gz diff --git a/unbound-r1657.patch b/unbound-r1657.patch new file mode 100644 index 0000000..b4e6482 --- /dev/null +++ b/unbound-r1657.patch @@ -0,0 +1,66 @@ +Index: validator/validator.c +=================================================================== +--- validator/validator.c (revision 1656) ++++ validator/validator.c (revision 1657) +@@ -251,9 +251,8 @@ + /** + * Check to see if a given response needs to go through the validation + * process. Typical reasons for this routine to return false are: CD bit was +- * on in the original request, the response was already validated, or the +- * response is a kind of message that is unvalidatable (i.e., SERVFAIL, +- * REFUSED, etc.) ++ * on in the original request, or the response is a kind of message that ++ * is unvalidatable (i.e., SERVFAIL, REFUSED, etc.) + * + * @param qstate: query state. + * @param ret_rc: rcode for this message (if noerror - examine ret_msg). +@@ -292,14 +291,25 @@ + verbose(VERB_ALGO, "cannot validate RRSIG, no sigs on sigs."); + return 0; + } ++ return 1; ++} + ++/** ++ * Check to see if the response has already been validated. ++ * @param ret_msg: return msg, can be NULL ++ * @return true if the response has already been validated ++ */ ++static int ++already_validated(struct dns_msg* ret_msg) ++{ + /* validate unchecked, and re-validate bogus messages */ + if (ret_msg && ret_msg->rep->security > sec_status_bogus) + { +- verbose(VERB_ALGO, "response has already been validated"); +- return 0; ++ verbose(VERB_ALGO, "response has already been validated: %s", ++ sec_status_to_string(ret_msg->rep->security)); ++ return 1; + } +- return 1; ++ return 0; + } + + /** +@@ -1937,6 +1947,10 @@ + qstate->ext_state[id] = module_finished; + return; + } ++ if(already_validated(qstate->return_msg)) { ++ qstate->ext_state[id] = module_finished; ++ return; ++ } + /* create state to start validation */ + qstate->ext_state[id] = module_error; /* override this */ + if(!vq) { +@@ -2397,7 +2411,8 @@ + } + if(msg->rep->security != sec_status_secure) { + vq->dlv_status = dlv_error; +- verbose(VERB_ALGO, "response is not secure"); ++ verbose(VERB_ALGO, "response is not secure, %s", ++ sec_status_to_string(msg->rep->security)); + return; + } + /* was the lookup a success? validated DLV? */ diff --git a/unbound-r1670.patch b/unbound-r1670.patch new file mode 100644 index 0000000..6ad2bd8 --- /dev/null +++ b/unbound-r1670.patch @@ -0,0 +1,77 @@ +Index: validator/validator.c +=================================================================== +--- validator/validator.c (revision 1669) ++++ validator/validator.c (revision 1670) +@@ -479,6 +479,36 @@ + } + + /** ++ * Detect wrong truncated response, by a bad recursor out there. ++ * The positive response has a mangled authority section. ++ * Remove that authority section. ++ * @param rep: reply ++ * @return true if a wrongly truncated response. ++ */ ++static int ++detect_wrongly_truncated(struct reply_info* rep) ++{ ++ size_t i; ++ /* no additional, only NS in authority, and it is bogus */ ++ if(rep->ar_numrrsets != 0 || rep->ns_numrrsets != 1 || ++ rep->an_numrrsets == 0) ++ return 0; ++ if(ntohs(rep->rrsets[ rep->an_numrrsets ]->rk.type) != LDNS_RR_TYPE_NS) ++ return 0; ++ if(((struct packed_rrset_data*)rep->rrsets[ rep->an_numrrsets ] ++ ->entry.data)->security != sec_status_bogus) ++ return 0; ++ /* answer section is present and secure */ ++ for(i=0; ian_numrrsets; i++) { ++ if(((struct packed_rrset_data*)rep->rrsets[ i ] ++ ->entry.data)->security != sec_status_secure) ++ return 0; ++ } ++ return 1; ++} ++ ++ ++/** + * Given a "positive" response -- a response that contains an answer to the + * question, and no CNAME chain, validate this response. + * +@@ -1449,17 +1479,31 @@ + vq->chase_reply->security = sec_status_bogus; + return 1; + } ++ subtype = val_classify_response(qstate->query_flags, &qstate->qinfo, ++ &vq->qchase, vq->orig_msg->rep, vq->rrset_skip); + + /* check signatures in the message; + * answer and authority must be valid, additional is only checked. */ + if(!validate_msg_signatures(qstate->env, ve, &vq->qchase, + vq->chase_reply, vq->key_entry)) { +- verbose(VERB_DETAIL, "Validate: message contains bad rrsets"); +- return 1; ++ /* workaround bad recursor out there that truncates (even ++ * with EDNS4k) to 512 by removing RRSIG from auth section ++ * for positive replies*/ ++ if(subtype == VAL_CLASS_POSITIVE && ++ detect_wrongly_truncated(vq->orig_msg->rep)) { ++ /* truncate the message some more */ ++ vq->orig_msg->rep->ns_numrrsets = 0; ++ vq->orig_msg->rep->rrset_count--; ++ vq->chase_reply->ns_numrrsets = 0; ++ vq->chase_reply->rrset_count--; ++ } ++ else { ++ verbose(VERB_DETAIL, "Validate: message contains " ++ "bad rrsets"); ++ return 1; ++ } + } + +- subtype = val_classify_response(qstate->query_flags, &qstate->qinfo, +- &vq->qchase, vq->orig_msg->rep, vq->rrset_skip); + switch(subtype) { + case VAL_CLASS_POSITIVE: + verbose(VERB_ALGO, "Validating a positive response"); diff --git a/unbound-r1677.patch b/unbound-r1677.patch new file mode 100644 index 0000000..3707085 --- /dev/null +++ b/unbound-r1677.patch @@ -0,0 +1,33 @@ +Index: validator/validator.c +=================================================================== +--- validator/validator.c (revision 1677) ++++ validator/validator.c (working copy) +@@ -479,7 +479,7 @@ + } + + /** +- * Detect wrong truncated response, by a bad recursor out there. ++ * Detect wrong truncated response (from BIND 9.6.1 with minimal-responses). + * The positive response has a mangled authority section. + * Remove that authority section. + * @param rep: reply +Index: iterator/iterator.c +=================================================================== +--- iterator/iterator.c (revision 1677) ++++ iterator/iterator.c (working copy) +@@ -1513,9 +1513,14 @@ + /* we know that all other NS rrsets are scrubbed + * away, thus on referral only one is left. + * see if that equals the query name... */ +- && reply_find_rrset_section_ns(iq->response->rep, ++ && ( /* auth section, but sometimes in answer section*/ ++ reply_find_rrset_section_ns(iq->response->rep, + qstate->qinfo.qname, qstate->qinfo.qname_len, + LDNS_RR_TYPE_NS, qstate->qinfo.qclass) ++ || reply_find_rrset_section_an(iq->response->rep, ++ qstate->qinfo.qname, qstate->qinfo.qname_len, ++ LDNS_RR_TYPE_NS, qstate->qinfo.qclass) ++ ) + )) { + /* Store the referral under the current query */ + if(!iter_dns_store(qstate->env, &iq->response->qinfo, diff --git a/unbound.spec b/unbound.spec index bd399b9..e57982d 100644 --- a/unbound.spec +++ b/unbound.spec @@ -1,19 +1,32 @@ +%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")} +%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")} +# not ready yet +%{?!with_python: %define with_python 0} + Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.2.1 -Release: 7%{?dist} +Version: 1.3.0 +Release: 1%{?dist} License: BSD Url: http://www.nlnetlabs.nl/unbound/ Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz Source1: unbound.init Source2: unbound.conf Source3: unbound.munin -Patch0: unbound-iterator.patch -Patch1: unbound-initgroups-r1453.patch +# See the unbound svn repository for further documentation on these +Patch1: unbound-r1657.patch +Patch2: unbound-r1670.patch +Patch3: unbound-r1677.patch +Patch4: unbound-1.2-glob.patch + Group: System Environment/Daemons BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -BuildRequires: flex, openssl-devel >= 0.9.8g-12, ldns-devel >= 1.5.0, -BuildRequires: libevent-devel >= 1.4.5 +BuildRequires: flex, openssl-devel , ldns-devel >= 1.5.0, +BuildRequires: libevent-devel +%if %{with_python} +BuildRequires: python-devel +%endif + Requires(post): chkconfig Requires(preun): chkconfig Requires(preun): initscripts @@ -21,8 +34,6 @@ Requires(postun): initscripts Requires: ldns >= 1.5.0, dnssec-conf >= 1.19 Requires(pre): shadow-utils Requires: dnssec-conf -# Is this obsolete? -#Provides: caching-nameserver %description Unbound is a validating, recursive, and caching DNS(SEC) resolver. @@ -62,16 +73,32 @@ Requires: openssl >= 0.9.8g-12 %description libs Contains libraries used by the unbound server and client applications +%if %{with_python} +%package python +Summary: Python modules and extensions for unbound +Group: Applications/System +Requires: %{name}-libs = %{version}-%{release} + +%description python +Python modules and extensions for unbound +%endif + %prep %setup -q -%patch0 -%patch1 -p1 +%patch1 +%patch2 +%patch3 +%patch4 -p1 %build %configure --with-ldns= --with-libevent --with-pthreads --with-ssl \ --disable-rpath --enable-debug --disable-static \ --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \ - --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid + --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \ +%if %{with_python} + --with-pythonmodule --with-pyunbound \ +%endif + --enable-sha2 %{__make} CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE" QUIET=no %{?_smp_mflags} %install @@ -107,6 +134,11 @@ rm -rf ${RPM_BUILD_ROOT} %{_sbindir}/* %{_mandir}/*/* +%if %{with_python} +%files python +%{python_sitelib}/* +%endif + %files munin %defattr(-,root,root,-) %config(noreplace) %{_sysconfdir}/munin/plugin-conf.d/unbound @@ -158,6 +190,16 @@ fi %postun libs -p /sbin/ldconfig %changelog +* Sat Jun 20 2009 Paul Wouters - 1.3.0-1 +- Updated to 1.3.0 +- Added unbound-python sub package. disabled for now +- Patch from svn to fix DLV lookups +- Patches from svn to detect wrong truncated response from BIND 9.6.1 with + minimal-responses) +- Added Default-Start and Default-Stop to unbound.init +- Re-enabled --enable-sha2 +- Re-enabled glob.patch + * Wed May 20 2009 Paul Wouters - 1.2.1-7 - unbound-iterator.patch was not commited