Hello community, here is the log from the commit of package unbound.12992 for openSUSE:Leap:15.2:Update checked in at 2020-06-29 20:20:30 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2:Update/unbound.12992 (Old) and /work/SRC/openSUSE:Leap:15.2:Update/.unbound.12992.new.3060 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "unbound.12992" Mon Jun 29 20:20:30 2020 rev:1 rq:817251 version:1.6.8 Changes: -------- New Changes file: --- /dev/null 2020-06-25 10:56:43.568241769 +0200 +++ /work/SRC/openSUSE:Leap:15.2:Update/.unbound.12992.new.3060/libunbound-devel-mini.changes 2020-06-29 20:20:31.155090385 +0200 @@ -0,0 +1,1296 @@ +------------------------------------------------------------------- +Tue Oct 16 13:08:24 UTC 2018 - Karol Babioch <kbabi...@suse.com> + +- Disabled DLV configuration by default (bsc#1055060) +- Updated the DNSSEC root trust anchor due to KSK roll over (bsc#1112009) + +------------------------------------------------------------------- +Fri Jan 19 10:34:41 UTC 2018 - mich...@stroeder.com + +- update to 1.6.8 + patch for CVE-2017-15105: vulnerability in the processing of + wildcard synthesized NSEC records. + +------------------------------------------------------------------- +Tue Oct 10 08:20:16 UTC 2017 - mich...@stroeder.com + +- update to 1.6.7 + +Features: +- Set trust-anchor-signaling default to yes +- Fix #1440: [dnscrypt] client nonce cache. +- Fix #1435: Please allow UDP to be disabled separately upstream and + downstream. + +Bug fixes: +- Fix that looping modules always stop the query, and don't pass + control. +- Fix unbound-host to report error for DNSSEC state of failed lookups. +- Spelling fixes, from Josh Soref. +- Fix #1400: allowing use of global cache on ECS-forwarding unless + always-forward. +- use a cachedb answer even if it's "expired" when serve-expired is yes + (patch from Jinmei Tatuya). +- trigger refetching of the answer in that case (this will bypass + cachedb lookup) +- allow storing a 0-TTL answer from cachedb in the in-memory message + cache when serve-expired is yes +- Fix DNSCACHE_STORE_ZEROTTL to be bigger than 0xffff. +- Log name of looping module +- Fix #1450: Generate again patch contrib/aaaa-filter-iterator.patch + (by Danilo G. Baio). +- Fix param unused warning for windows exportsymbol compile. +- Use RCODE from A query on DNS64 synthesized answer. +- Fix trust-anchor-signaling works in libunbound. +- Fix spelling in unbound-control man page. + +------------------------------------------------------------------- +Mon Sep 4 16:17:44 UTC 2017 - mich...@stroeder.com + +- update to 1.6.6 + +Features: +- unbound-control dump_infra prints port number for address if not 53. +- Fix #1344: RFC6761-reserved domains: test. and invalid. +- Fix #1349: allow suppression of pidfiles (from Daniel Kahn Gillmor). + With the -p option unbound does not create a pidfile. +- Added stats for queries that have been ratelimited by domain + recursion. +- Patch to show DNSCrypt status in help output, from Carsten + Strotmann. +- Fix #1407: Add ECS options check to unbound-checkconf. +- Fix #1415: [dnscrypt] shared secret cache, patch from + Manu Bretelle. + +Bug Fixes: +- fixup of dnscrypt_cert_chacha test (from Manu Bretelle). +- First fix for zero b64 and hex text zone format in sldns. +- Better fixup of dnscrypt_cert_chacha test for different escapes. +- Fix that infra cache host hash does not change after reconfig. +- Fix python example0 return module wait instead of error for pass. +- enhancement for hardened-tls for DNS over TLS. Removed duplicated + security settings. +- Fix for unbound-checkconf, check ipsecmod-hook if ipsecmod is turned + on. +- Fix #1331: libunbound segfault in threaded mode when context is + deleted. +- Fix pythonmod link line option flag. +- Fix openssl 1.1.0 load of ssl error strings from ssl init. +- Fix 1332: Bump verbosity of failed chown'ing of the control socket. +- Redirect all localhost names to localhost address for RFC6761. +- Fix #1350: make cachedb backend configurable (from JINMEI Tatuya). +- Fix tests to use .tdir (from Manu Bretelle) instead of .tpkg. +- upgrade aclocal(pkg.m4 0.29.1), config.guess(2016-10-02), + config.sub(2016-09-05). +- annotate case statement fallthrough for gcc 7.1.1. +- flex output from flex 2.6.1. +- snprintf of thread number does not warn about truncated string. +- squelch TCP fast open error on FreeBSD when kernel has it disabled, + unless verbosity is high. +- remove warning from windows compile. +- Fix compile with libnettle +- Fix DSA configure switch (--disable dsa) for libnettle and libnss. +- Fix #1365: Add Ed25519 support using libnettle. +- Fix #1394: mix of serve-expired and response-ip could cause a crash. +- Remove unused iter_env member (ip6arpa_dname) +- Do not reset rrset.bogus stats when called using stats_noreset. +- Do not add rrset_bogus and query ratelimiting stats per thread, these + module stats are global. +- Fix #1397: Recursive DS lookups for AS112 zones names should recurse. +- Fix #1398: make cachedb secret configurable. +- Remove spaces from Makefile. +- Fix issue on macOX 10.10 where TCP fast open is detected but not + implemented causing TCP to fail. The fix allows fallback to regular + TCP in this case and is also more robust for cases where connectx() + fails for some reason. +- Fix #1402: squelch invalid argument error for fd_set_block on windows. +- Fix to reclaim tcp handler when it is closed due to dnscrypt buffer + allocation failure. +- Fix #1415: patch to free dnscrypt environment on reload. +- iana portlist update +- Small fixes for the shared secret cache patch. +- Fix WKS records on kvm autobuild host, with default protobyname + entries for udp and tcp. +- Fix #1414: fix segfault on parse failure and log_replies. +- zero qinfo in handle_request, this zeroes local_alias and also the + qname member. +- new keys and certs for dnscrypt tests. +- fixup WKS test on buildhost without servicebyname. +- updated contrib/fastrpz.patch to apply with configparser changes. +- Fix 1416: qname-minimisation breaks TLSA lookups with CNAMEs. +- Fix #1424: cachedb:testframe is not thread safe. +- Fix #1417: [dnscrypt] shared secret cache counters, and works when + dnscrypt is not enabled. And cache size configuration option. +- Fix #1418: [ip ratelimit] initialize slabhash using + ip-ratelimit-slabs. +- Recommend 1472 buffer size in unbound.conf + +------------------------------------------------------------------- +Mon Aug 21 10:38:49 UTC 2017 - mich...@stroeder.com + +- update to 1.6.5 + * Fix install of trust anchor when two anchors are present, makes both + valid. Checks hash of DS but not signature of new key. This fixes + installs between sep11 and oct11 2017. + +------------------------------------------------------------------- +Tue Aug 8 19:02:38 UTC 2017 - jeng...@inai.de + +- RPM group fix. Do not suppress user/group creation problems. + Replace %__ type macro indirections. + +------------------------------------------------------------------- +Tue Jun 27 11:13:31 UTC 2017 - mich...@stroeder.com + +- update to 1.6.4 + +Features: +- Implemented trust anchor signaling using key tag query. +- unbound-checkconf -o allows query of dnstap config variables. + Also unbound-control get_option. Also for dnscrypt. +- unbound.h exports the shm stats structures. They use + type long long and no ifdefs, and ub_ before the typenames. +- Implemented opportunistic IPsec support module (ipsecmod). +- Added redirect-bogus.patch to contrib directory. +- Support for the ED25519 algorithm with openssl (from openssl 1.1.1). +- renumbering B-Root's IPv6 address to 2001:500:200::b. +- Fix #1276: [dnscrypt] add XChaCha20-Poly1305 cipher. +- Fix #1277: disable domain ratelimit by setting value to 0. +- Added fastrpz patch to contrib + +Bug Fixes: +- Added ECS unit test (from Manu Bretelle). +- ECS documentation fix (from Manu Bretelle). +- Fix #1252: more indentation inconsistencies. +- Fix #1253: unused variable in edns-subnet/addrtree.c:getbit(). +- Fix #1254: clarify ratelimit-{for,below}-domain (from Manu Bretelle). +- iana portlist update +- Based on #1257: check parse limit before t increment in sldns RR + string parse routine. +- Fix #1258: Windows 10 X64 unbound 1.6.2 service will not start. + and fix that 64bit getting installed in C:\Program Files (x86). +- Fix #1259: "--disable-ecdsa" argument overwritten + by "#ifdef SHA256_DIGEST_LENGTH@daemon/remote.c". +- iana portlist update +- Added test for leak of stub information. +- Fix sldns wire2str printout of RR type CAA tags. +- Fix sldns int16_data parse. +- Fix sldns parse and printout of TSIG RRs. +- sldns SMIMEA and AVC definitions, same as getdns definitions. +- Fix tcp-mss failure printout text. +- Set SO_REUSEADDR on outgoing tcp connections to fix the bind before + connect limited tcp connections. With the option tcp connections + can share the same source port (for different destinations). +- Add 'c' to getopt() in testbound. +- Adjust servfail by iterator to not store in cache when serve-expired + is enabled, to avoid overwriting useful information there. +- Fix queries for nameservers under a stub leaking to the internet. +- document trust-anchor-signaling in example config file. +- updated configure, dependencies and flex output. +- better module memory lookup, fix of unbound-control shm names for + module memory printout of statistics. +- Fix type AVC sldns rrdef. +- Some whitespace fixup. +- Fix #1265: contrib/unbound.service contains hardcoded path. +- Fix #1265 to use /bin/kill. +- Fix #1267: Libunbound validator/val_secalgo.c uses obsolete APIs, + and compatibility with BoringSSL. ++++ 1099 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:Leap:15.2:Update/.unbound.12992.new.3060/libunbound-devel-mini.changes New Changes file: --- /dev/null 2020-06-25 10:56:43.568241769 +0200 +++ /work/SRC/openSUSE:Leap:15.2:Update/.unbound.12992.new.3060/unbound.changes 2020-06-29 20:20:31.555091567 +0200 @@ -0,0 +1,1343 @@ +------------------------------------------------------------------- +Tue Jun 23 15:16:02 UTC 2020 - Rubén Torrero Marijnissen <rtorreromarijnis...@suse.com> + +- Avoid shell code execution after receiving a specially crafted answer + Resolves CVE-2019-18934 (bsc#1157268) + [ + patch_cve_2019-18934.patch ] + +------------------------------------------------------------------- +Tue Jun 23 09:53:18 UTC 2020 - Rubén Torrero Marijnissen <rtorreromarijnis...@suse.com> + +- Avoid amplifying an incoming query to a large number of queries + Resolves CVE-2020-12662 CVE-2020-12663 (bsc#1171889) + [ + unbound-1.6.8-amplifying-an-incoming-query.patch ] + +------------------------------------------------------------------- +Tue Apr 23 15:33:22 UTC 2019 - Rubén Torrero Marijnissen <rtorreromarijnis...@suse.com> + +- Add systemd require in unbound-anchor to reflect new dependency (due to systemd-timers) + +------------------------------------------------------------------- +Thu Mar 7 09:36:47 UTC 2019 - Rubén Torrero Marijnissen <rtorreromarijnis...@suse.com> + +- Remove old pwdutils dependency and add shadow to cover both useradd + and groupadd as suggested in (bsc#1126757) + +------------------------------------------------------------------- +Fri Jan 4 15:47:57 UTC 2019 - Rubén Torrero Marijnissen <rtorreromarijnis...@suse.com> + +- Use systemd-tmpfiles to create /var/lib/unbound/root.key + to avoid transactional update breakage (bsc#1111383) + +------------------------------------------------------------------- +Thu Nov 15 16:47:24 UTC 2018 - Rubén Torrero Marijnissen <rtorreromarijnis...@suse.com> + +- Migrated from cron to systemd timers (bsc#1115417) + +------------------------------------------------------------------- +Tue Oct 16 13:08:24 UTC 2018 - Karol Babioch <kbabi...@suse.com> + +- Disabled DLV configuration by default (bsc#1055060) +- Updated the DNSSEC root trust anchor due to KSK roll over (bsc#1112009) + +------------------------------------------------------------------- +Fri Jan 19 10:34:41 UTC 2018 - mich...@stroeder.com + +- update to 1.6.8 + patch for CVE-2017-15105: vulnerability in the processing of + wildcard synthesized NSEC records. + +------------------------------------------------------------------- +Fri Dec 1 09:31:03 UTC 2017 - cbosdon...@suse.com + +- Use python3 instead of python2 (fate#323526) + +------------------------------------------------------------------- +Thu Nov 23 13:49:02 UTC 2017 - rbr...@suse.com + +- Replace references to /var/adm/fillup-templates with new + %_fillupdir macro (boo#1069468) + +------------------------------------------------------------------- +Tue Oct 10 08:20:16 UTC 2017 - mich...@stroeder.com + +- update to 1.6.7 + +Features: +- Set trust-anchor-signaling default to yes +- Fix #1440: [dnscrypt] client nonce cache. +- Fix #1435: Please allow UDP to be disabled separately upstream and + downstream. + +Bug fixes: +- Fix that looping modules always stop the query, and don't pass + control. +- Fix unbound-host to report error for DNSSEC state of failed lookups. +- Spelling fixes, from Josh Soref. +- Fix #1400: allowing use of global cache on ECS-forwarding unless + always-forward. +- use a cachedb answer even if it's "expired" when serve-expired is yes + (patch from Jinmei Tatuya). +- trigger refetching of the answer in that case (this will bypass + cachedb lookup) +- allow storing a 0-TTL answer from cachedb in the in-memory message + cache when serve-expired is yes +- Fix DNSCACHE_STORE_ZEROTTL to be bigger than 0xffff. +- Log name of looping module +- Fix #1450: Generate again patch contrib/aaaa-filter-iterator.patch + (by Danilo G. Baio). +- Fix param unused warning for windows exportsymbol compile. +- Use RCODE from A query on DNS64 synthesized answer. +- Fix trust-anchor-signaling works in libunbound. +- Fix spelling in unbound-control man page. + +------------------------------------------------------------------- +Mon Sep 4 16:17:44 UTC 2017 - mich...@stroeder.com + +- update to 1.6.6 + +Features: +- unbound-control dump_infra prints port number for address if not 53. +- Fix #1344: RFC6761-reserved domains: test. and invalid. +- Fix #1349: allow suppression of pidfiles (from Daniel Kahn Gillmor). + With the -p option unbound does not create a pidfile. +- Added stats for queries that have been ratelimited by domain + recursion. +- Patch to show DNSCrypt status in help output, from Carsten + Strotmann. +- Fix #1407: Add ECS options check to unbound-checkconf. +- Fix #1415: [dnscrypt] shared secret cache, patch from + Manu Bretelle. + +Bug Fixes: +- fixup of dnscrypt_cert_chacha test (from Manu Bretelle). +- First fix for zero b64 and hex text zone format in sldns. +- Better fixup of dnscrypt_cert_chacha test for different escapes. +- Fix that infra cache host hash does not change after reconfig. +- Fix python example0 return module wait instead of error for pass. +- enhancement for hardened-tls for DNS over TLS. Removed duplicated + security settings. +- Fix for unbound-checkconf, check ipsecmod-hook if ipsecmod is turned + on. +- Fix #1331: libunbound segfault in threaded mode when context is + deleted. +- Fix pythonmod link line option flag. +- Fix openssl 1.1.0 load of ssl error strings from ssl init. +- Fix 1332: Bump verbosity of failed chown'ing of the control socket. +- Redirect all localhost names to localhost address for RFC6761. +- Fix #1350: make cachedb backend configurable (from JINMEI Tatuya). +- Fix tests to use .tdir (from Manu Bretelle) instead of .tpkg. +- upgrade aclocal(pkg.m4 0.29.1), config.guess(2016-10-02), + config.sub(2016-09-05). +- annotate case statement fallthrough for gcc 7.1.1. +- flex output from flex 2.6.1. +- snprintf of thread number does not warn about truncated string. +- squelch TCP fast open error on FreeBSD when kernel has it disabled, + unless verbosity is high. +- remove warning from windows compile. +- Fix compile with libnettle +- Fix DSA configure switch (--disable dsa) for libnettle and libnss. +- Fix #1365: Add Ed25519 support using libnettle. +- Fix #1394: mix of serve-expired and response-ip could cause a crash. +- Remove unused iter_env member (ip6arpa_dname) +- Do not reset rrset.bogus stats when called using stats_noreset. +- Do not add rrset_bogus and query ratelimiting stats per thread, these + module stats are global. +- Fix #1397: Recursive DS lookups for AS112 zones names should recurse. +- Fix #1398: make cachedb secret configurable. +- Remove spaces from Makefile. +- Fix issue on macOX 10.10 where TCP fast open is detected but not + implemented causing TCP to fail. The fix allows fallback to regular + TCP in this case and is also more robust for cases where connectx() + fails for some reason. +- Fix #1402: squelch invalid argument error for fd_set_block on windows. +- Fix to reclaim tcp handler when it is closed due to dnscrypt buffer + allocation failure. +- Fix #1415: patch to free dnscrypt environment on reload. +- iana portlist update +- Small fixes for the shared secret cache patch. +- Fix WKS records on kvm autobuild host, with default protobyname + entries for udp and tcp. +- Fix #1414: fix segfault on parse failure and log_replies. +- zero qinfo in handle_request, this zeroes local_alias and also the + qname member. +- new keys and certs for dnscrypt tests. +- fixup WKS test on buildhost without servicebyname. +- updated contrib/fastrpz.patch to apply with configparser changes. +- Fix 1416: qname-minimisation breaks TLSA lookups with CNAMEs. +- Fix #1424: cachedb:testframe is not thread safe. +- Fix #1417: [dnscrypt] shared secret cache counters, and works when + dnscrypt is not enabled. And cache size configuration option. +- Fix #1418: [ip ratelimit] initialize slabhash using + ip-ratelimit-slabs. +- Recommend 1472 buffer size in unbound.conf + +------------------------------------------------------------------- +Mon Aug 21 10:38:49 UTC 2017 - mich...@stroeder.com + +- update to 1.6.5 + * Fix install of trust anchor when two anchors are present, makes both + valid. Checks hash of DS but not signature of new key. This fixes + installs between sep11 and oct11 2017. + +------------------------------------------------------------------- +Tue Aug 8 19:02:38 UTC 2017 - jeng...@inai.de + +- RPM group fix. Do not suppress user/group creation problems. + Replace %__ type macro indirections. + +------------------------------------------------------------------- +Tue Jun 27 11:13:31 UTC 2017 - mich...@stroeder.com + +- update to 1.6.4 + +Features: +- Implemented trust anchor signaling using key tag query. +- unbound-checkconf -o allows query of dnstap config variables. + Also unbound-control get_option. Also for dnscrypt. ++++ 1146 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:Leap:15.2:Update/.unbound.12992.new.3060/unbound.changes New: ---- block-example.com.conf dlv.isc.org.key example.com.conf example.com.key icannbundle.pem libunbound-devel-mini-rpmlintrc libunbound-devel-mini.changes libunbound-devel-mini.spec patch_cve_2019-18934.patch root.anchor root.key tmpfiles-unbound-anchor.conf tmpfiles-unbound.conf unbound-1.6.8-amplifying-an-incoming-query.patch unbound-1.6.8.tar.gz unbound-anchor.service unbound-anchor.timer unbound-keygen.service unbound-munin.README unbound.changes unbound.conf unbound.firewall unbound.munin unbound.service unbound.spec unbound.sysconfig unbound_munin_ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libunbound-devel-mini.spec ++++++ # # spec file for package libunbound-devel-mini # # Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # %bcond_without python %bcond_without munin %bcond_without hardened_build %define ldns_version 1.6.16 # Name: libunbound-devel-mini Version: 1.6.8 Release: 0 # # BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: flex BuildRequires: ldns-devel >= %{ldns_version} BuildRequires: libevent-devel BuildRequires: libexpat-devel BuildRequires: libsodium-devel BuildRequires: openssl-devel Requires: this-is-only-for-build-envs Conflicts: unbound-devel Conflicts: libunbound2 Provides: libunbound-devel = %{version}-%{release} # Url: https://www.unbound.net/ Source: https://www.unbound.net/downloads/unbound-%{version}.tar.gz Source1: libunbound-devel-mini-rpmlintrc Source5: root.key Source6: dlv.isc.org.key # From http://data.iana.org/root-anchors/icannbundle.pem Source12: icannbundle.pem Source13: root.anchor Summary: Just a devel package for build loops License: BSD-3-Clause Group: Productivity/Networking/DNS/Servers %description Unbound is a validating, recursive, and caching DNS(SEC) resolver. The C implementation of Unbound is developed and maintained by NLnet Labs. It is based on ideas and algorithms taken from a java prototype developed by Verisign labs, Nominet, Kirei and ep.net. Unbound is designed as a set of modular components, so that also DNSSEC (secure DNS) validation and stub-resolvers (that do not run as a server, but are linked into an application) are easily possible. %prep %setup -n unbound-%version %build export CFLAGS="%{optflags}" export CXXFLAGS="%{optflags}" %configure \ --disable-rpath \ --with-libevent \ --with-pthreads \ --disable-static \ --with-ldns=%{_prefix} \ --enable-sha2 \ --enable-gost \ --enable-ecdsa \ --enable-event-api \ --enable-pie \ --enable-relro-now \ --enable-dnscrypt \ --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \ --with-pidfile=%{piddir}%{name}/%{name}.pid \ --without-pythonmodule --without-pyunbound \ --with-libunbound-only \ --with-rootkey-file=%{_sharedstatedir}/unbound/root.key %{__make} %{?_smp_mflags} %install make install DESTDIR="%{buildroot}" rm -rf %{buildroot}%{_mandir} %{buildroot}%{_libdir}/*.la %check # it currently fails in the ldns unit test. which is weird as both come from the same project make check ||: %post -p /sbin/ldconfig %postun -p /sbin/ldconfig %files %defattr(-,root,root,-) %{_libdir}/libunbound.so.* %{_includedir}/unbound.h %{_includedir}/unbound-event.h %{_libdir}/libunbound.so %changelog ++++++ unbound.spec ++++++ # # spec file for package unbound # # Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # #Compat macro for new _fillupdir macro introduced in Nov 2017 %if ! %{defined _fillupdir} %define _fillupdir /var/adm/fillup-templates %endif %bcond_without python %bcond_without munin %bcond_without hardened_build %if 0%{?suse_version} > 1320 %bcond_without dnstap %else %bcond_with dnstap %endif %if 0%{?suse_version} >= 1230 %bcond_without systemd %else %bcond_with systemd %endif # only needed for < 1310 %{!?_tmpfilesdir:%global _tmpfilesdir /usr/lib/tmpfiles.d} # %define _sharedstatedir /var/lib/ %define ldns_version 1.6.16 %define fwdir /etc/sysconfig/SuSEfirewall2.d/services # %if 0%{?suse_version} > 1220 %define piddir /run %else %define piddir %{_localstatedir}/run %endif %if 0%{?suse_version} < 1330 && %{with python} %{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")} %{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")} %endif Name: unbound Version: 1.6.8 Release: 0 # # BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: flex BuildRequires: ldns-devel >= %{ldns_version} BuildRequires: libevent-devel BuildRequires: libexpat-devel BuildRequires: libsodium-devel BuildRequires: openssl-devel %if 0%{?suse_version} < 1330 BuildRequires: python-devel %else BuildRequires: python-rpm-macros BuildRequires: python3-devel %endif %if %{with dnstap} BuildRequires: libfstrm-devel BuildRequires: libprotobuf-c-devel >= 1.0.0 BuildRequires: protobuf-c >= 1.0.0 %endif %if %{with python} BuildRequires: swig %endif Requires: ldns >= %{ldns_version} # until we figured something else out for the unbound-anchor part in the systemd unit file Requires: sudo %if %{with systemd} BuildRequires: systemd-devel %{?systemd_requires} %endif # Url: https://www.unbound.net/ Source: https://www.unbound.net/downloads/unbound-%{version}.tar.gz Source1: unbound.service Source2: unbound.conf Source3: unbound.munin Source4: unbound_munin_ Source5: root.key Source6: dlv.isc.org.key Source7: unbound-keygen.service Source8: tmpfiles-unbound.conf Source9: example.com.key Source10: example.com.conf Source11: block-example.com.conf # From http://data.iana.org/root-anchors/icannbundle.pem Source12: icannbundle.pem Source13: root.anchor Source14: unbound.sysconfig Source15: unbound-anchor.timer Source16: unbound-munin.README Source17: unbound.firewall Source18: unbound-anchor.service Source19: tmpfiles-unbound-anchor.conf Patch1: unbound-1.6.8-amplifying-an-incoming-query.patch Patch2: patch_cve_2019-18934.patch Summary: Validating, recursive, and caching DNS(SEC) resolver License: BSD-3-Clause Group: Productivity/Networking/DNS/Servers %description Unbound is a validating, recursive, and caching DNS(SEC) resolver. The C implementation of Unbound is developed and maintained by NLnet Labs. It is based on ideas and algorithms taken from a java prototype developed by Verisign labs, Nominet, Kirei and ep.net. Unbound is designed as a set of modular components, so that also DNSSEC (secure DNS) validation and stub-resolvers (that do not run as a server, but are linked into an application) are easily possible. %define libname libunbound2 %package -n %{libname} Requires: %{name}-anchor >= %{version} # Summary: Shared library from unbound Group: Development/Libraries/C and C++ %description -n %{libname} Unbound is a validating, recursive, and caching DNS(SEC) resolver. This package holds the shared library from unbound. %if %{with_munin} %package munin Summary: Plugin for the munin / munin-node monitoring package Group: System/Daemons Requires: %{name} = %{version} Requires: bc Requires: munin-node BuildArch: noarch %description munin Unbound is a validating, recursive, and caching DNS(SEC) resolver. This package holds the plugin for the munin / munin-node monitoring package %endif %package devel Requires: %{libname} = %{version} Requires: ldns-devel >= %{ldns_version} Requires: openssl-devel Provides: libunbound-devel = %{version}-%{release} # Summary: Development files for libunbound Group: Development/Libraries/C and C++ %description devel Unbound is a validating, recursive, and caching DNS(SEC) resolver. This package holds the development files to work with libunbound. %package anchor # Summary: Unbound Anchor cert management tools Group: Productivity/Networking/DNS/Servers Requires(pre): shadow %if %{with systemd} Requires(pre): systemd %endif %description anchor Unbound is a validating, recursive, and caching DNS(SEC) resolver. This package contains the tools to manage the anchor certs. %if %{with python} %package python Summary: Python modules and extensions for unbound Group: Applications/System Requires: %{libname} = %{version} %description python Unbound is a validating, recursive, and caching DNS(SEC) resolver. This package holds the Python modules and extensions for unbound. %endif %prep %setup %patch1 -p1 -b .amplifying-an-incoming-query %patch2 -p1 %build export CFLAGS="%{optflags}" export CXXFLAGS="%{optflags}" %configure \ --disable-rpath \ --with-libevent \ --with-pthreads \ --disable-static \ --with-ldns=%{_prefix} \ --enable-sha2 \ --enable-gost \ --enable-ecdsa \ --enable-event-api \ --enable-pie \ --enable-relro-now \ --enable-dnscrypt \ %if %{with dnstap} --enable-dnstap \ %endif --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \ --with-pidfile=%{piddir}%{name}/%{name}.pid \ %if %{with python} %if 0%{?suse_version} < 1330 --with-pythonmodule --with-pyunbound\ %else --with-pythonmodule --with-pyunbound PYTHON=%{__python3}\ %endif %endif --with-rootkey-file=%{_sharedstatedir}/unbound/root.key make %{?_smp_mflags} make %{?_smp_mflags} streamtcp %install make install DESTDIR="%{buildroot}" install -d -m 0750 %{buildroot}/var/lib/unbound install -d 0755 %{buildroot}%{_unitdir} install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service install -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/unbound-keygen.service install -p -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound install -p -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/unbound install -D -p -m 0644 %{SOURCE14} %{buildroot}%{_fillupdir}/sysconfig.%{name} ln -sf /usr/sbin/service %{buildroot}%{_sbindir}/rcunbound ln -sf /usr/sbin/service %{buildroot}%{_sbindir}/rcunbound-keygen install -p -m 0644 %{SOURCE15} %{buildroot}%{_unitdir}/unbound-anchor.timer install -p -m 0644 %{SOURCE18} %{buildroot}%{_unitdir}/unbound-anchor.service install -p -m 0644 %{SOURCE16} . install -d 0755 %{buildroot}%{fwdir} install -p -m 0644 %{SOURCE17} %{buildroot}%{fwdir}/%{name} %if %{with munin} # Install munin plugin and its softlinks install -d 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d install -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/munin/plugin-conf.d/unbound install -d 0755 %{buildroot}%{_datadir}/munin/plugins/ install -p -m 0755 %{SOURCE4} %{buildroot}%{_datadir}/munin/plugins/unbound for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unbound_munin_by_type unbound_munin_by_class unbound_munin_by_opcode unbound_munin_by_rcode unbound_munin_by_flags unbound_munin_histogram; do ln -s unbound %{buildroot}%{_datadir}/munin/plugins/$plugin done %endif # install streamtcp used for monitoring / debugging unbound's port 80/443 modes install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp # install streamtcp man page install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1 # Install tmpfiles.d config install -d -m 0755 %{buildroot}%{_tmpfilesdir}/ \ %{buildroot}%{_sharedstatedir}/unbound install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf install -m 0644 %{SOURCE19} %{buildroot}%{_tmpfilesdir}/unbound-anchor.conf # install root and DLV key - we keep a copy of the root key in old location, # in case user has changed the configuration and we wouldn't update it there install -m 0644 %{SOURCE5} %{SOURCE6} %{buildroot}%{_sysconfdir}/unbound/ # we dont write directly to /var/lib/unbound anymore as it breaks transactional updates # instead we use systemd-tmpfiles to copy it there when it doesn't exist (or hasnt been updated by unbound-anchor) mkdir -p %{buildroot}/%{_datadir}/%{name} install -m 0644 -p %{SOURCE13} %{buildroot}/%{_datadir}/%{name}/root.key # remove static library from install (fedora packaging guidelines) rm %{buildroot}%{_libdir}/*.la %if %{with python} %if 0%{?suse_version} < 1330 rm %{buildroot}%{python_sitearch}/*.la %else rm %{buildroot}%{python3_sitearch}/*.la %endif %endif # create softlink for all functions of libunbound man pages for mpage in ub_ctx ub_result ub_ctx_create ub_ctx_delete ub_ctx_set_option ub_ctx_get_option ub_ctx_config ub_ctx_set_fwd ub_ctx_resolvconf ub_ctx_hosts ub_ctx_add_ta ub_ctx_add_ta_file ub_ctx_trustedkeys ub_ctx_debugout ub_ctx_debuglevel ub_ctx_async ub_poll ub_wait ub_fd ub_process ub_resolve ub_resolve_async ub_cancel ub_resolve_free ub_strerror ub_ctx_print_local_zones ub_ctx_zone_add ub_ctx_zone_remove ub_ctx_data_add ub_ctx_data_remove; do echo ".so man3/libunbound.3" > %{buildroot}%{_mandir}/man3/${mpage}.3 ; done mkdir -p %{buildroot}%{piddir}/%{name} # Install directories for easier config file drop in mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d} install -m 0640 -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/ install -m 0640 -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/ install -m 0640 -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/ # Link unbound-control-setup.8 manpage to unbound-control.8 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8 %check # it currently fails in the ldns unit test. which is weird as both come from the same project make check ||: %pre anchor %service_add_pre unbound-anchor.service unbound-anchor.timer getent group unbound >/dev/null || groupadd -r unbound getent passwd unbound >/dev/null || \ useradd -g unbound -s /bin/false -r -c "unbound caching DNS server" \ -d /var/lib/unbound unbound %pre %if %{with systemd} %service_add_pre unbound-keygen.service unbound.service %endif %post anchor %if %{with systemd} systemd-tmpfiles --create %{_tmpfilesdir}/unbound-anchor.conf || : %service_add_post unbound-anchor.service unbound-anchor.timer %endif %post %fillup_only %{name} %if %{with systemd} systemd-tmpfiles --create %{_tmpfilesdir}/unbound.conf || : %service_add_post unbound-keygen.service unbound.service %endif %preun anchor %if %{with systemd} %service_del_preun unbound-anchor.service unbound-anchor.timer %endif %preun %if %{with systemd} %service_del_preun unbound-keygen.service unbound.service %else %stop_on_removal %{name} %endif %postun anchor %if %{with systemd} %service_del_postun unbound-anchor.service unbound-anchor.timer %endif %postun %if %{with systemd} %service_del_postun unbound-keygen.service unbound.service %else %restart_on_update %{name} %{insserv_cleanup} %endif %post -n %{libname} -p /sbin/ldconfig %postun -n %{libname} -p /sbin/ldconfig %files %defattr(-,root,root,-) %doc doc/README doc/CREDITS doc/LICENSE doc/FEATURES %attr(0755,unbound,unbound) %ghost %dir %{piddir}/%{name} %attr(0640,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf %dir %attr(-,root,unbound) %{_sysconfdir}/%{name}/keys.d %attr(0660,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d/*.key %dir %attr(-,root,unbound) %{_sysconfdir}/%{name}/conf.d %attr(0660,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/conf.d/*.conf %dir %attr(-,root,unbound) %{_sysconfdir}/%{name}/local.d %attr(0660,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/local.d/*.conf %{_sbindir}/unbound %{_sbindir}/unbound-checkconf %{_sbindir}/unbound-host %{_sbindir}/unbound-control %{_sbindir}/unbound-control-setup %{_sbindir}/unbound-streamtcp %{_mandir}/man1/unbound-host.1* %{_mandir}/man5/unbound.conf.5* %{_mandir}/man8/unbound.8* %{_mandir}/man8/unbound-checkconf.8* %{_mandir}/man8/unbound-control-setup.8* %{_mandir}/man8/unbound-control.8* %{_mandir}/man1/unbound-streamtcp.1* %{_fillupdir}/sysconfig.%{name} %if %{with systemd} %{_tmpfilesdir}/unbound.conf %{_unitdir}/unbound-keygen.service %{_unitdir}/unbound.service %endif %{_sbindir}/rcunbound %{_sbindir}/rcunbound-keygen %dir %{fwdir} %config %{fwdir}/%{name} %files -n %{libname} %defattr(-,root,root,-) %{_libdir}/libunbound.so.* %if %{with python} %files python %defattr(-,root,root,-) %if 0%{?suse_version} < 1330 %{python_sitearch}/* %else %{python3_sitearch}/* %endif %doc libunbound/python/examples/* %doc pythonmod/examples/* %endif %if %{with munin} %files munin %defattr(-,root,root,-) %dir %{_sysconfdir}/munin/ %dir %{_sysconfdir}/munin/plugin-conf.d/ %config(noreplace) %{_sysconfdir}/munin/plugin-conf.d/unbound %dir %{_datadir}/munin/ %dir %{_datadir}/munin/plugins/ %{_datadir}/munin/plugins/unbound* %doc unbound-munin.README %endif %files devel %defattr(-,root,root,-) %{_includedir}/unbound.h %{_includedir}/unbound-event.h %{_libdir}/libunbound.so %{_mandir}/man3/libunbound.3* %{_mandir}/man3/ub_*.3* %files anchor %defattr(-,root,root,-) %dir %{_sysconfdir}/%{name}/ %{_sbindir}/unbound-anchor %config %{_sysconfdir}/%{name}/icannbundle.pem %if %{with systemd} %{_tmpfilesdir}/unbound-anchor.conf %{_unitdir}/unbound-anchor.timer %{_unitdir}/unbound-anchor.service %endif %dir %attr(-,unbound,unbound) %{_sharedstatedir}/%{name} %dir %attr(-,unbound,unbound) %{_datadir}/%{name} %attr(0640,unbound,unbound) %config(noreplace) %{_datadir}/%{name}/root.key %attr(0640,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key # just left for backwards compat with user changed unbound.conf files - format is different! %attr(0640,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/root.key %{_mandir}/man8/unbound-anchor.8* %doc doc/README doc/LICENSE %changelog ++++++ block-example.com.conf ++++++ # entries in this file override toe global DNS # # Example blocking email going out to example.com # # local-data: "example.com. 3600 IN MX 5 127.0.0.1" # local-data: "example.com. 3600 IN A 127.0.0.1" # This can also be done dynamically using: unbound-control local-data [...] # For more complicated redirection, use conf.d/ with stub-add: or forward-add: ++++++ dlv.isc.org.key ++++++ ; https://secure.isc.org/ops/dlv/dlv.isc.org.key dlv.isc.org. IN DNSKEY 257 3 5 BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh ++++++ example.com.conf ++++++ # Example of an override of the "public DNS tree" with an "internal view" # override, for example to add an internal-only corporate DNS zone. # # The stub-zone/stub-addr must point to AUTHORITATIVE servers. If you want to # point to an internal RECURSIVE server, use forward-zone/forward-addr instead. #stub-zone: # name: example.com # stub-prime: no # # if you could trust a lookup, use: # stub-host: a.iana-servers.net. # stub-host: b.iana-servers.net. # # else specify the IP's using: # stub-addr: 199.43.132.53 # stub-addr: 2001:500:8c::53 # stub-addr: 199.43.133.53 # stub-addr: 2001:500:8d::53 ++++++ example.com.key ++++++ ; // format is BIND trusted-keys format ; // Ensure to only put KSKs (usually 257) here, not ZSKs (usually 256) ; // trusted-keys { ; // "example.com." 257 3 8 "AwEAAawt7HplI5M8GGAsxuyCyjF0l+QlcgVN11CRZ4vP66qbDCX0BnShZ11BGb//4zSG/8mmBHirL2FLg+mVuIIxig+iroZYjh4iTKVOhv2hZftRwyrQHK++qXvCCWN3ki51RG/e8R4kOEV71rZ8OgQvPWx6F91qroqOPpcf7PPxippeHOn+PxnP0hpyLyo1mx1rPs/cMpL3jOMufGP+LJYh+fBU7lt0sP5i09HaJPruzyZML9BPtpv8ZAdQhwtXVG0+MnET2qT/1+TljpxZn6yeegFRCFRHBjMo6iiRJnUWra/klkrgEn2Q+BXGTOMTTKQdYz4OxYEa1z7apu3a09dYNBM="; // key id = 51605 ; // "example.com." 257 3 8 "AwEAAeikvxboZpn9VCxm3YDLHo40SvA9EmRwJHHQyJ0OCzrQSRBSipojrW7yESXWiDDyzflS8rgzDs7M3fIdSduOdyNi55DmXPdkS8HYORTMNyzFsSOg+xx6tUySK2p4WAhlbsJNLz4IkQCek59NoDBOLyQ15npsr7Tgfb/HHU7zmCMvnxh0SqO2lyhnQfk29Thc3nC4KNJNb3drjWKOuCw5mg+2GrEZYc/VqdeGvrOCQ2el8jWZpSU5cxb7EdEy4B9nEeZiBpHXaZ5XJ+ewi4vmcUK5/445mGJqV4rDeicy5/ShC/BJ81v3bIRPWebvDRJmDbjr2d9MnLXUE7yyETrQd18="; // key id = 31589 ; // }; ++++++ icannbundle.pem ++++++ Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US Validity Not Before: Dec 23 04:19:12 2009 GMT Not After : Dec 18 04:19:12 2029 GMT Subject: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): 00:a0:db:70:b8:4f:34:da:9c:d4:d0:7e:bb:ea:15: bc:e9:c9:11:2a:1f:61:2f:6a:b9:bd:3f:3d:76:a0: 9a:0a:f7:ee:93:6e:6e:55:53:84:8c:f2:2c:f1:82: 27:c8:0f:9a:cf:52:1b:54:da:28:d2:2c:30:8e:dd: fb:92:20:33:2d:d6:c8:f1:0e:10:21:88:71:fa:84: 22:4b:5d:47:56:16:7c:9b:9f:5d:c3:11:79:9c:14: e2:ff:c0:74:ac:dd:39:d7:e0:38:d8:b0:73:aa:fb: d1:db:84:af:52:22:a8:f6:d5:9b:94:f4:e6:5d:5e: e8:3f:87:90:0b:c7:1a:77:f5:2e:d3:8f:1a:ce:02: 1d:07:69:21:47:32:da:46:ae:00:4c:b6:a5:a2:9c: 39:c1:c0:4a:f6:d3:1c:ae:d3:6d:bb:c7:18:f0:7e: ed:f6:80:ce:d0:01:2e:89:de:12:ba:ee:11:cb:a6: 7a:d7:0d:7c:f3:08:8d:72:9d:bf:55:75:13:70:bb: 31:22:4a:cb:e8:c0:aa:a4:09:aa:36:68:40:60:74: 9d:e7:19:81:43:22:52:fe:c9:2b:52:0f:41:13:36: 09:72:65:95:cc:89:ae:6f:56:17:16:34:73:52:a3: 04:ed:bd:88:82:8a:eb:d7:dc:82:52:9c:06:e1:52: 85:41 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:TRUE X509v3 Key Usage: critical Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign X509v3 Subject Key Identifier: BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 Signature Algorithm: sha256WithRSAEncryption 0f:f1:e9:82:a2:0a:87:9f:2d:94:60:5a:b2:c0:4b:a1:2f:2b: 3b:47:d5:0a:99:86:38:b2:ec:c6:3b:89:e4:6e:07:cf:14:c7: c7:e8:cf:99:8f:aa:30:c3:19:70:b9:e6:6d:d6:3f:c8:68:26: b2:a0:a5:37:42:ca:d8:62:80:d1:a2:5a:48:2e:1f:85:3f:0c: 7b:c2:c7:94:11:5f:19:2a:95:ac:a0:3a:03:d8:91:5b:2e:0d: 9c:7c:1f:2e:fc:e9:44:e1:16:26:73:1c:45:4a:65:c1:83:4c: 90:f3:f2:28:42:df:db:c4:e7:04:12:18:62:43:5e:bc:1f:6c: 84:e6:bc:49:32:df:61:d7:99:ee:e4:90:52:7b:0a:c2:91:8a: 98:62:66:b1:c8:e0:b7:5a:b5:46:7c:76:71:54:8e:cc:a4:81: 5c:19:db:d2:6f:66:b5:bb:2b:ae:6b:c9:74:04:a8:24:de:e8: c5:d3:fc:2c:1c:d7:8f:db:6a:8d:c9:53:be:5d:50:73:ac:cf: 1f:93:c0:52:50:5b:a2:4f:fe:ad:65:36:17:46:d1:2d:e5:a2: 90:66:05:db:29:4e:5d:50:5d:e3:4f:da:a0:8f:f0:6b:e4:16: 70:dd:7f:f3:77:7d:b9:4e:f9:ec:c3:33:02:d7:e9:63:2f:31: e7:40:61:a4 -----BEGIN CERTIFICATE----- MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2 paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7 MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29 iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3 DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH 6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD 2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h 15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF 0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk -----END CERTIFICATE----- Certificate: Data: Version: 3 (0x2) Serial Number: 2 (0x2) Signature Algorithm: sha256WithRSAEncryption Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US Validity Not Before: Dec 23 04:45:04 2009 GMT Not After : Dec 22 04:45:04 2014 GMT Subject: O=ICANN, CN=ICANN DNSSEC CA/emailAddress=dns...@icann.org Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): 00:c0:bf:e2:b4:ee:12:46:36:3b:7c:d2:46:21:64: 5a:93:e1:e3:02:10:25:bb:a5:30:70:19:89:98:7e: 9e:db:8e:0f:ac:c8:48:66:0e:1a:f8:81:e5:2d:3c: 7b:39:39:76:28:8f:ee:0a:a7:dd:64:e9:5f:87:25: b1:64:e5:59:03:fc:bc:29:3b:63:37:c8:d7:46:9a: b6:ce:87:55:cd:cf:e2:ab:e9:c7:8a:53:2e:25:87: b0:98:d6:20:a3:a8:ec:87:b0:39:a3:c4:c5:75:59: 3c:fb:91:03:fa:ee:7f:e9:2b:b6:70:88:69:2c:e6: f1:4f:fc:d0:47:b4:e9:a0:2c:fa:0c:c3:84:eb:be: 73:5a:bc:16:ed:d0:83:02:2d:eb:6a:21:02:51:70: 29:1e:4f:c9:69:03:9f:91:32:5c:2c:1a:9f:5e:45: 48:2a:50:ee:72:14:ec:17:29:fc:20:95:7d:22:6a: c6:6f:83:a2:58:8e:b1:64:c8:73:23:54:6c:69:1d: 66:1f:df:f8:4f:24:a1:a8:ae:00:7f:e9:89:41:a6: e3:88:1d:3a:e1:b3:3a:ef:29:45:32:9b:94:2e:b7: 6c:1e:fe:31:40:13:e1:bd:52:67:d0:d8:c3:3e:03: 84:48:72:9d:bd:8a:48:a0:f2:72:35:b6:03:4b:c6: e9:05 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:TRUE X509v3 Key Usage: critical Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign X509v3 Authority Key Identifier: keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 X509v3 Subject Key Identifier: 8F:B2:42:69:C3:9D:E4:3C:FA:13:B9:FF:F2:C0:A4:EF:D8:0F:E8:22 Signature Algorithm: sha256WithRSAEncryption 4a:78:a2:47:7e:3f:2e:4d:78:68:ab:06:5c:ff:da:01:04:45: 92:20:20:88:f3:dc:4e:70:01:9b:cb:f3:13:61:34:04:09:15: d0:be:99:1c:be:fc:97:e9:2d:73:e1:b3:2b:a6:b9:3a:41:33: f3:83:3d:64:1b:64:95:bf:ae:cd:20:df:18:e0:62:8d:fa:9c: f7:d8:a9:3c:25:2b:8e:cf:10:e5:29:b9:af:1a:7f:62:64:75: e7:c6:fd:9b:6d:71:c0:a9:b3:0f:9a:b7:7a:fe:53:04:18:cd: 04:06:d9:bf:01:0e:cc:04:84:84:51:a3:e9:06:2a:a3:25:73: 4e:8d:62:19:13:25:5b:de:0b:dc:d0:69:01:ca:41:0a:96:13: cf:6a:11:fe:2b:9a:3f:fd:56:3d:73:3d:58:49:c2:71:83:20: 23:6d:46:99:6e:37:91:9f:76:2a:9c:b0:69:3f:64:9f:05:bb: 38:c8:1e:ca:d8:6c:fd:56:3e:a6:85:a2:53:80:c6:42:b6:79: c6:43:0b:e0:6c:ea:9f:cf:b0:2a:2c:01:50:c3:d8:0f:a0:7e: a1:73:a8:5c:84:27:5b:c9:4b:5a:13:e9:69:25:1c:59:11:d2: 01:dc:da:e7:c8:44:34:a2:e4:99:25:b4:c3:23:b5:f8:2d:48: e5:8d:06:73 -----BEGIN CERTIFICATE----- MIIDhjCCAm6gAwIBAgIBAjANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0NDUwNFoX DTE0MTIyMjA0NDUwNFowSzEOMAwGA1UEChMFSUNBTk4xGDAWBgNVBAMTD0lDQU5O IEROU1NFQyBDQTEfMB0GCSqGSIb3DQEJARMQZG5zc2VjQGljYW5uLm9yZzCCASIw DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMC/4rTuEkY2O3zSRiFkWpPh4wIQ JbulMHAZiZh+ntuOD6zISGYOGviB5S08ezk5diiP7gqn3WTpX4clsWTlWQP8vCk7 YzfI10aats6HVc3P4qvpx4pTLiWHsJjWIKOo7IewOaPExXVZPPuRA/ruf+krtnCI aSzm8U/80Ee06aAs+gzDhOu+c1q8Fu3QgwIt62ohAlFwKR5PyWkDn5EyXCwan15F SCpQ7nIU7Bcp/CCVfSJqxm+DoliOsWTIcyNUbGkdZh/f+E8koaiuAH/piUGm44gd OuGzOu8pRTKblC63bB7+MUAT4b1SZ9DYwz4DhEhynb2KSKDycjW2A0vG6QUCAwEA AaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAf4wHwYDVR0jBBgw FoAUulLpSYMkhlIvx5nN/I1raQhNwFAwHQYDVR0OBBYEFI+yQmnDneQ8+hO5//LA pO/YD+giMA0GCSqGSIb3DQEBCwUAA4IBAQBKeKJHfj8uTXhoqwZc/9oBBEWSICCI 89xOcAGby/MTYTQECRXQvpkcvvyX6S1z4bMrprk6QTPzgz1kG2SVv67NIN8Y4GKN +pz32Kk8JSuOzxDlKbmvGn9iZHXnxv2bbXHAqbMPmrd6/lMEGM0EBtm/AQ7MBISE UaPpBiqjJXNOjWIZEyVb3gvc0GkBykEKlhPPahH+K5o//VY9cz1YScJxgyAjbUaZ bjeRn3YqnLBpP2SfBbs4yB7K2Gz9Vj6mhaJTgMZCtnnGQwvgbOqfz7AqLAFQw9gP oH6hc6hchCdbyUtaE+lpJRxZEdIB3NrnyEQ0ouSZJbTDI7X4LUjljQZz -----END CERTIFICATE----- Certificate: Data: Version: 3 (0x2) Serial Number: 6 (0x6) Signature Algorithm: sha256WithRSAEncryption Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US Validity Not Before: Dec 23 05:21:16 2009 GMT Not After : Dec 22 05:21:16 2014 GMT Subject: O=ICANN, CN=ICANN EMAIL CA Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): 00:d2:19:1e:22:69:33:f6:a4:d2:76:c5:80:11:75: 8e:d0:e8:6f:bf:89:f8:2a:6a:da:8a:85:28:40:ba: c5:23:5f:47:ed:72:e2:8e:d3:5c:c8:8a:3a:99:a9: 57:2c:0a:2b:22:f3:54:7b:8b:f7:8c:21:a2:50:01: 4f:8b:af:34:df:72:fc:78:31:d0:1d:eb:bc:9b:e6: fa:c1:84:d0:05:07:8a:74:53:a5:60:9e:eb:75:9e: a8:5d:32:c8:02:32:e4:bf:cb:97:9b:7a:fa:2c:f6: 6a:1d:b8:57:ad:e3:03:22:93:d0:f4:4f:a8:b8:01: db:82:33:98:b6:87:ed:3d:67:40:00:27:2e:d5:95: d2:ad:36:46:14:c6:17:79:65:7f:65:f3:88:80:65: 7c:22:67:08:23:3c:cf:a5:10:38:72:30:97:92:6f: 20:4a:ba:24:4c:4a:c8:4a:a5:dc:2a:44:a1:29:78: b4:9f:fe:84:ff:27:5b:3a:72:ea:31:c1:ad:06:22: d6:44:a0:4a:57:32:9c:f2:46:47:d0:89:6e:20:23: 2c:ea:b0:83:7e:c1:f3:ea:da:dd:e3:63:59:97:21: fa:1b:11:39:27:cf:82:8b:56:15:d4:36:92:0c:a5: 7e:80:e0:18:c9:50:08:42:0a:df:97:3c:9c:b8:0a: 4d:b1 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:TRUE X509v3 Key Usage: critical Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign X509v3 Authority Key Identifier: keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 X509v3 Subject Key Identifier: 7B:3F:BA:CE:A1:B3:A6:13:2E:5A:82:84:D4:D2:EA:A5:24:F1:CD:B4 Signature Algorithm: sha256WithRSAEncryption 50:07:a5:61:39:e4:3b:e3:bc:1c:b4:a7:b2:ab:a1:fb:47:bf: b4:1c:32:ac:3c:46:b0:02:26:2f:16:3e:89:70:e2:87:e9:76: 99:61:0b:91:c5:48:7a:e5:aa:24:0b:39:e0:4f:26:03:d4:5b: 01:8a:4d:b6:98:cc:16:fa:e2:12:4a:88:b9:53:bb:50:2d:c7: 37:b8:a3:82:2d:52:05:3e:46:a7:db:97:82:73:8d:7d:ed:dd: 9e:37:73:68:6b:90:cd:62:d8:77:ff:32:53:bb:d3:a1:b9:cb: 7d:32:29:70:fb:2e:90:4b:27:12:6d:99:a5:e6:d4:ef:13:32: c1:2f:b5:ae:6e:11:0e:50:56:a4:56:5b:76:b0:c0:99:2e:5a: 94:17:ee:2b:c1:b6:9c:8b:68:ac:55:95:31:8c:66:2b:35:43: a5:13:04:1b:50:44:1c:55:7f:4c:d0:1a:50:80:53:45:a8:e3: d3:a8:74:ad:7d:6a:d6:e9:9a:d3:25:7d:83:e2:57:64:1a:94: 7e:bc:cb:ef:79:b5:54:6a:f1:b0:c3:81:26:90:e5:40:87:ed: 75:7d:83:63:5b:ab:45:c0:34:04:27:e8:d8:12:26:7c:5e:c0: 48:b6:33:7d:4b:db:23:8a:f7:13:24:bc:be:7b:74:cb:c4:ed: ed:42:eb:2f -----BEGIN CERTIFICATE----- MIIDZDCCAkygAwIBAgIBBjANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA1MjExNloX DTE0MTIyMjA1MjExNlowKTEOMAwGA1UEChMFSUNBTk4xFzAVBgNVBAMTDklDQU5O IEVNQUlMIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0hkeImkz 9qTSdsWAEXWO0Ohvv4n4KmraioUoQLrFI19H7XLijtNcyIo6malXLAorIvNUe4v3 jCGiUAFPi68033L8eDHQHeu8m+b6wYTQBQeKdFOlYJ7rdZ6oXTLIAjLkv8uXm3r6 LPZqHbhXreMDIpPQ9E+ouAHbgjOYtoftPWdAACcu1ZXSrTZGFMYXeWV/ZfOIgGV8 ImcIIzzPpRA4cjCXkm8gSrokTErISqXcKkShKXi0n/6E/ydbOnLqMcGtBiLWRKBK VzKc8kZH0IluICMs6rCDfsHz6trd42NZlyH6GxE5J8+Ci1YV1DaSDKV+gOAYyVAI QgrflzycuApNsQIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE AwIB/jAfBgNVHSMEGDAWgBS6UulJgySGUi/Hmc38jWtpCE3AUDAdBgNVHQ4EFgQU ez+6zqGzphMuWoKE1NLqpSTxzbQwDQYJKoZIhvcNAQELBQADggEBAFAHpWE55Dvj vBy0p7KroftHv7QcMqw8RrACJi8WPolw4ofpdplhC5HFSHrlqiQLOeBPJgPUWwGK TbaYzBb64hJKiLlTu1Atxze4o4ItUgU+Rqfbl4JzjX3t3Z43c2hrkM1i2Hf/MlO7 06G5y30yKXD7LpBLJxJtmaXm1O8TMsEvta5uEQ5QVqRWW3awwJkuWpQX7ivBtpyL aKxVlTGMZis1Q6UTBBtQRBxVf0zQGlCAU0Wo49OodK19atbpmtMlfYPiV2QalH68 y+95tVRq8bDDgSaQ5UCH7XV9g2Nbq0XANAQn6NgSJnxewEi2M31L2yOK9xMkvL57 dMvE7e1C6y8= -----END CERTIFICATE----- Certificate: Data: Version: 3 (0x2) Serial Number: 3 (0x3) Signature Algorithm: sha256WithRSAEncryption Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US Validity Not Before: Dec 23 05:07:29 2009 GMT Not After : Dec 22 05:07:29 2014 GMT Subject: O=ICANN, CN=ICANN SSL CA Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): 00:dd:c6:ab:bf:7c:66:9d:b3:2b:96:00:14:c7:60: 7a:8d:62:5b:26:4b:30:d7:b3:4c:82:69:c6:4d:4d: 73:f3:d4:91:21:5d:ab:35:f0:c8:04:0e:f4:a3:35: e2:e1:18:a9:98:12:03:58:f8:9f:eb:77:54:5b:89: 81:26:c9:aa:c2:f4:c9:0c:82:57:2a:5e:05:e9:61: 17:cc:19:18:71:eb:35:83:c1:86:9d:ec:f1:6b:ca: dd:a1:96:0b:95:d4:e1:0f:9e:24:6f:dc:3c:d0:28: 9e:f2:53:47:2b:a1:ad:32:03:c8:3f:0d:80:80:7d: f0:02:d2:6e:5a:2c:44:21:9b:09:50:15:3f:a1:3d: d3:c9:c8:24:e7:ea:4e:92:2f:94:90:2e:de:e7:68: f6:c6:b3:90:1f:bc:c9:7b:a2:65:d7:11:e9:8b:f0: 3a:5a:b7:17:07:df:69:e3:6e:b9:54:6a:8e:3a:aa: 94:7f:2c:0a:a1:ad:ba:b7:d9:60:62:27:a7:71:40: 3b:8e:b0:84:7b:b8:c8:67:ef:66:ba:3d:ac:c3:85: e5:86:bb:a7:9c:fd:b6:e1:c0:10:53:3d:d4:7e:1b: 09:e6:9f:22:5c:a7:27:09:7e:27:12:33:fa:df:9b: 20:2f:14:f7:17:c0:e4:1e:07:91:1f:f9:9a:cd:a8: e2:c5 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:TRUE X509v3 Key Usage: critical Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign X509v3 Authority Key Identifier: keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 X509v3 Subject Key Identifier: 6E:77:A8:40:10:4A:D8:9C:0C:F2:B7:5A:3A:A5:2F:79:4A:61:14:D8 Signature Algorithm: sha256WithRSAEncryption 18:42:62:df:aa:8e:44:e6:87:10:4d:d9:a6:b2:c3:97:37:43: 2e:ce:f3:e0:3c:c2:2f:e1:78:60:41:a9:2b:5d:f4:24:f5:f6: 57:a2:08:ec:9c:89:e5:54:50:a8:30:c6:20:e5:8a:c7:8b:bd: fd:98:b6:0c:7d:1a:1f:01:a1:4a:4e:ec:0d:2a:aa:9f:fd:a9: 20:0d:b3:5c:0f:36:c0:2c:2b:c6:75:22:29:66:a3:34:bd:93: 3d:f6:28:da:90:d5:7e:91:df:d3:06:f6:69:8b:80:9b:a5:34: af:6a:02:5b:e4:52:7d:56:4d:99:6e:fe:e9:d0:36:99:58:d9: af:cd:79:9b:e5:d2:4c:35:90:d3:e0:68:b2:88:2b:18:39:2e: bc:0b:d9:82:84:7f:24:12:92:d2:b9:13:4f:64:bc:46:e1:5c: 6a:ed:f7:b0:d4:66:27:25:21:86:b4:3a:5e:19:a3:c7:8b:4b: 93:b9:2e:37:e2:6d:8b:46:ee:68:39:21:75:e8:fe:2a:a7:85: fd:68:26:96:bd:dd:f9:f1:fe:99:5f:b4:a4:97:1b:50:18:fa: 21:90:54:0c:8b:30:28:94:70:19:34:9e:5c:e1:e5:48:93:af: aa:a3:b4:95:b2:f5:4c:97:50:44:58:97:e1:ff:e7:b2:10:dd: 2c:fe:c0:ed -----BEGIN CERTIFICATE----- MIIDYjCCAkqgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA1MDcyOVoX DTE0MTIyMjA1MDcyOVowJzEOMAwGA1UEChMFSUNBTk4xFTATBgNVBAMTDElDQU5O IFNTTCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN3Gq798Zp2z K5YAFMdgeo1iWyZLMNezTIJpxk1Nc/PUkSFdqzXwyAQO9KM14uEYqZgSA1j4n+t3 VFuJgSbJqsL0yQyCVypeBelhF8wZGHHrNYPBhp3s8WvK3aGWC5XU4Q+eJG/cPNAo nvJTRyuhrTIDyD8NgIB98ALSblosRCGbCVAVP6E908nIJOfqTpIvlJAu3udo9saz kB+8yXuiZdcR6YvwOlq3FwffaeNuuVRqjjqqlH8sCqGturfZYGInp3FAO46whHu4 yGfvZro9rMOF5Ya7p5z9tuHAEFM91H4bCeafIlynJwl+JxIz+t+bIC8U9xfA5B4H kR/5ms2o4sUCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC Af4wHwYDVR0jBBgwFoAUulLpSYMkhlIvx5nN/I1raQhNwFAwHQYDVR0OBBYEFG53 qEAQSticDPK3WjqlL3lKYRTYMA0GCSqGSIb3DQEBCwUAA4IBAQAYQmLfqo5E5ocQ TdmmssOXN0MuzvPgPMIv4XhgQakrXfQk9fZXogjsnInlVFCoMMYg5YrHi739mLYM fRofAaFKTuwNKqqf/akgDbNcDzbALCvGdSIpZqM0vZM99ijakNV+kd/TBvZpi4Cb pTSvagJb5FJ9Vk2Zbv7p0DaZWNmvzXmb5dJMNZDT4GiyiCsYOS68C9mChH8kEpLS uRNPZLxG4Vxq7few1GYnJSGGtDpeGaPHi0uTuS434m2LRu5oOSF16P4qp4X9aCaW vd358f6ZX7SklxtQGPohkFQMizAolHAZNJ5c4eVIk6+qo7SVsvVMl1BEWJfh/+ey EN0s/sDt -----END CERTIFICATE----- ++++++ libunbound-devel-mini-rpmlintrc ++++++ addFilter('shlib-policy-name-error') ++++++ patch_cve_2019-18934.patch ++++++ diff --git a/ipsecmod/ipsecmod.c b/ipsecmod/ipsecmod.c index c8400c6..9e916d6 100644 --- a/ipsecmod/ipsecmod.c +++ b/ipsecmod/ipsecmod.c @@ -162,6 +162,71 @@ generate_request(struct module_qstate* qstate, int id, uint8_t* name, } /** + * Check if the string passed is a valid domain name with safe characters to + * pass to a shell. + * This will only allow: + * - digits + * - alphas + * - hyphen (not at the start) + * - dot (not at the start, or the only character) + * - underscore + * @param s: pointer to the string. + * @param slen: string's length. + * @return true if s only contains safe characters; false otherwise. + */ +static int +domainname_has_safe_characters(char* s, size_t slen) { + size_t i; + for(i = 0; i < slen; i++) { + if(s[i] == '\0') return 1; + if((s[i] == '-' && i != 0) + || (s[i] == '.' && (i != 0 || s[1] == '\0')) + || (s[i] == '_') || (s[i] >= '0' && s[i] <= '9') + || (s[i] >= 'A' && s[i] <= 'Z') + || (s[i] >= 'a' && s[i] <= 'z')) { + continue; + } + return 0; + } + return 1; +} + +/** + * Check if the stringified IPSECKEY RDATA contains safe characters to pass to + * a shell. + * This is only relevant for checking the gateway when the gateway type is 3 + * (domainname). + * @param s: pointer to the string. + * @param slen: string's length. + * @return true if s contains only safe characters; false otherwise. + */ +static int +ipseckey_has_safe_characters(char* s, size_t slen) { + int precedence, gateway_type, algorithm; + char* gateway; + gateway = (char*)calloc(slen, sizeof(char)); + if(!gateway) { + log_err("ipsecmod: out of memory when calling the hook"); + return 0; + } + if(sscanf(s, "%d %d %d %s ", + &precedence, &gateway_type, &algorithm, gateway) != 4) { + free(gateway); + return 0; + } + if(gateway_type != 3) { + free(gateway); + return 1; + } + if(domainname_has_safe_characters(gateway, slen)) { + free(gateway); + return 1; + } + free(gateway); + return 0; +} + +/** * Prepare the data and call the hook. * * @param qstate: query state. @@ -175,7 +240,7 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq, { size_t slen, tempdata_len, tempstring_len, i; char str[65535], *s, *tempstring; - int w; + int w = 0, w_temp, qtype; struct ub_packed_rrset_key* rrset_key; struct packed_rrset_data* rrset_data; uint8_t *tempdata; @@ -192,9 +257,9 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq, memset(s, 0, slen); /* Copy the hook into the buffer. */ - sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook); + w += sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook); /* Put space into the buffer. */ - sldns_str_print(&s, &slen, " "); + w += sldns_str_print(&s, &slen, " "); /* Copy the qname into the buffer. */ tempstring = sldns_wire2str_dname(qstate->qinfo.qname, qstate->qinfo.qname_len); @@ -202,68 +267,96 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq, log_err("ipsecmod: out of memory when calling the hook"); return 0; } - sldns_str_print(&s, &slen, "\"%s\"", tempstring); + if(!domainname_has_safe_characters(tempstring, strlen(tempstring))) { + log_err("ipsecmod: qname has unsafe characters"); + free(tempstring); + return 0; + } + w += sldns_str_print(&s, &slen, "\"%s\"", tempstring); free(tempstring); /* Put space into the buffer. */ - sldns_str_print(&s, &slen, " "); + w += sldns_str_print(&s, &slen, " "); /* Copy the IPSECKEY TTL into the buffer. */ rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data; - sldns_str_print(&s, &slen, "\"%ld\"", (long)rrset_data->ttl); + w += sldns_str_print(&s, &slen, "\"%ld\"", (long)rrset_data->ttl); /* Put space into the buffer. */ - sldns_str_print(&s, &slen, " "); - /* Copy the A/AAAA record(s) into the buffer. Start and end this section - * with a double quote. */ + w += sldns_str_print(&s, &slen, " "); rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo, qstate->return_msg->rep); + /* Double check that the records are indeed A/AAAA. + * This should never happen as this function is only executed for A/AAAA + * queries but make sure we don't pass anything other than A/AAAA to the + * shell. */ + qtype = ntohs(rrset_key->rk.type); + if(qtype != LDNS_RR_TYPE_AAAA && qtype != LDNS_RR_TYPE_A) { + log_err("ipsecmod: Answer is not of A or AAAA type"); + return 0; + } rrset_data = (struct packed_rrset_data*)rrset_key->entry.data; - sldns_str_print(&s, &slen, "\""); + /* Copy the A/AAAA record(s) into the buffer. Start and end this section + * with a double quote. */ + w += sldns_str_print(&s, &slen, "\""); for(i=0; i<rrset_data->count; i++) { if(i > 0) { /* Put space into the buffer. */ - sldns_str_print(&s, &slen, " "); + w += sldns_str_print(&s, &slen, " "); } /* Ignore the first two bytes, they are the rr_data len. */ - w = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2, + w_temp = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2, rrset_data->rr_len[i] - 2, s, slen, qstate->qinfo.qtype); - if(w < 0) { + if(w_temp < 0) { /* Error in printout. */ - return -1; - } else if((size_t)w >= slen) { + log_err("ipsecmod: Error in printing IP address"); + return 0; + } else if((size_t)w_temp >= slen) { s = NULL; /* We do not want str to point outside of buffer. */ slen = 0; - return -1; + log_err("ipsecmod: shell command too long"); + return 0; } else { - s += w; - slen -= w; + s += w_temp; + slen -= w_temp; + w += w_temp; } } - sldns_str_print(&s, &slen, "\""); + w += sldns_str_print(&s, &slen, "\""); /* Put space into the buffer. */ - sldns_str_print(&s, &slen, " "); + w += sldns_str_print(&s, &slen, " "); /* Copy the IPSECKEY record(s) into the buffer. Start and end this section * with a double quote. */ - sldns_str_print(&s, &slen, "\""); + w += sldns_str_print(&s, &slen, "\""); rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data; for(i=0; i<rrset_data->count; i++) { if(i > 0) { /* Put space into the buffer. */ - sldns_str_print(&s, &slen, " "); + w += sldns_str_print(&s, &slen, " "); } /* Ignore the first two bytes, they are the rr_data len. */ tempdata = rrset_data->rr_data[i] + 2; tempdata_len = rrset_data->rr_len[i] - 2; /* Save the buffer pointers. */ tempstring = s; tempstring_len = slen; - w = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s, &slen, - NULL, 0); + w_temp = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s, + &slen, NULL, 0); /* There was an error when parsing the IPSECKEY; reset the buffer * pointers to their previous values. */ - if(w == -1){ + if(w_temp == -1) { s = tempstring; slen = tempstring_len; + } else if(w_temp > 0) { + if(!ipseckey_has_safe_characters( + tempstring, tempstring_len - slen)) { + log_err("ipsecmod: ipseckey has unsafe characters"); + return 0; + } + w += w_temp; } } - sldns_str_print(&s, &slen, "\""); - verbose(VERB_ALGO, "ipsecmod: hook command: '%s'", str); + w += sldns_str_print(&s, &slen, "\""); + if(w >= (int)sizeof(str)) { + log_err("ipsecmod: shell command too long"); + return 0; + } + verbose(VERB_ALGO, "ipsecmod: shell command: '%s'", str); /* ipsecmod-hook should return 0 on success. */ if(system(str) != 0) return 0; ++++++ root.anchor ++++++ . 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} . 98799 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ++++++ root.key ++++++ ; https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11 ; // The root key in bind format. This can be read by most tools, including ; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this ; // first key 19036 (2010), second key 20326 (key-rollover 2017/2018) trusted-keys { "." 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="; // key id = 19036 "." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326 }; ++++++ tmpfiles-unbound-anchor.conf ++++++ C /var/lib/unbound/root.key - - - - /usr/share/unbound/root.key ++++++ tmpfiles-unbound.conf ++++++ D /var/run/unbound 0755 unbound unbound - ++++++ unbound-1.6.8-amplifying-an-incoming-query.patch ++++++ ++++ 906 lines (skipped) ++++++ unbound-anchor.service ++++++ [Unit] Description=update of the root trust anchor for DNSSEC validation in unbound Documentation=man:unbound-anchor(8) [Service] Type=oneshot User=unbound ExecStart=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem SuccessExitStatus=1 ++++++ unbound-anchor.timer ++++++ [Unit] Description=daily update of the root trust anchor for DNSSEC Documentation=man:unbound-anchor(8) [Timer] # Current DNSKEY TTL in root zone is 172800 seconds, i.e. 172800/60/60/24 = 2 days. # It means that unboud-anchor should be run at least once a day. OnCalendar=daily Persistent=true AccuracySec=24h [Install] WantedBy=timers.target ++++++ unbound-keygen.service ++++++ [Unit] Description=Unbound Control Key And Certificate Generator After=syslog.target Before=unbound.service ConditionPathExists=!/etc/unbound/unbound_control.key [Service] Type=oneshot Group=unbound ExecStart=/usr/sbin/unbound-control-setup -d /etc/unbound/ ExecStart=/sbin/restorecon /etc/unbound/* RemainAfterExit=yes [Install] WantedBy=multi-user.target ++++++ unbound-munin.README ++++++ To activate the munin plugins, run (as root): cd /etc/munin/plugins for i in /usr/share/munin/plugins/unbound_*; do ln -s $i; done ++++++ unbound.conf ++++++ # # See unbound.conf(5) man page. # # this is a comment. #Use this to include other text into the file. #include: "otherfile.conf" # The server clause sets the main parameters. server: # whitespace is not necessary, but looks cleaner. # verbosity number, 0 is least verbose. 1 is default. verbosity: 1 # print statistics to the log (for every thread) every N seconds. # Set to "" or 0 to disable. Default is disabled. # Needed for munin plugin statistics-interval: 0 # enable cumulative statistics, without clearing them after printing. # Needed for munin plugin statistics-cumulative: yes # enable extended statistics (query types, answer codes, status) # printed from unbound-control. default off, because of speed. # Needed for munin plugin extended-statistics: yes # number of threads to create. 1 disables threading. num-threads: 2 # specify the interfaces to answer queries from by ip-address. # The default is to listen to localhost (127.0.0.1 and ::1). # specify 0.0.0.0 and ::0 to bind to all available interfaces. # specify every interface on a new 'interface:' labelled line. # The listen interfaces are not changed on reload, only on restart. # interface: 0.0.0.0 # interface: ::0 # interface: 192.0.2.153 # interface: 192.0.2.154 # interface: 2001:DB8::5 # # for dns over tls and raw dns over port 80 # interface: 0.0.0.0@443 # interface: ::0@443 # interface: 0.0.0.0@80 # interface: ::0@80 # enable this feature to copy the source address of queries to reply. # Socket options are not supported on all platforms. experimental. # interface-automatic: yes # # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0 # NOTE: Disabled per Fedora policy not to listen to * on default install # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled interface-automatic: no # port to answer queries from # port: 53 # specify the interfaces to send outgoing queries to authoritative # server from by ip-address. If none, the default (all) interface # is used. Specify every interface on a 'outgoing-interface:' line. # outgoing-interface: 192.0.2.153 # outgoing-interface: 2001:DB8::5 # outgoing-interface: 2001:DB8::6 # number of ports to allocate per thread, determines the size of the # port range that can be open simultaneously. # outgoing-range: 4096 # permit unbound to use this port number or port range for # making outgoing queries, using an outgoing interface. # Only ephemeral ports are allowed by SElinux outgoing-port-permit: 32768-65535 # deny unbound the use this of port number or port range for # making outgoing queries, using an outgoing interface. # Use this to make sure unbound does not grab a UDP port that some # other server on this computer needs. The default is to avoid # IANA-assigned port numbers. # Our SElinux policy does not allow non-ephemeral ports to be used outgoing-port-avoid: 0-32767 # number of outgoing simultaneous tcp buffers to hold per thread. # outgoing-num-tcp: 10 # number of incoming simultaneous tcp buffers to hold per thread. # incoming-num-tcp: 10 # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). # 0 is system default. Use 4m to catch query spikes for busy servers. # so-rcvbuf: 0 # buffer size for UDP port 53 outgoing (SO_SNDBUF socket option). # 0 is system default. Use 4m to handle spikes on very busy servers. # so-sndbuf: 0 # EDNS reassembly buffer to advertise to UDP peers (the actual buffer # is set with msg-buffer-size). 1480 can solve fragmentation (timeouts). # edns-buffer-size: 4096 # Maximum UDP response size (not applied to TCP response). # Suggested values are 512 to 4096. Default is 4096. 65536 disables it. # 3072 causes +dnssec any isc.org queries to need TC=1. Helps mitigating DDOS max-udp-size: 3072 # buffer size for handling DNS data. No messages larger than this # size can be sent or received, by UDP or TCP. In bytes. # msg-buffer-size: 65552 # the amount of memory to use for the message cache. # plain value in bytes or you can append k, m or G. default is "4Mb". # msg-cache-size: 4m # the number of slabs to use for the message cache. # the number of slabs must be a power of 2. # more slabs reduce lock contention, but fragment memory usage. # msg-cache-slabs: 4 # the number of queries that a thread gets to service. # num-queries-per-thread: 1024 # if very busy, 50% queries run to completion, 50% get timeout in msec # jostle-timeout: 200 # the amount of memory to use for the RRset cache. # plain value in bytes or you can append k, m or G. default is "4Mb". # rrset-cache-size: 4m # the number of slabs to use for the RRset cache. # the number of slabs must be a power of 2. # more slabs reduce lock contention, but fragment memory usage. # rrset-cache-slabs: 4 # the time to live (TTL) value lower bound, in seconds. Default 0. # If more than an hour could easily give trouble due to stale data. # cache-min-ttl: 0 # the time to live (TTL) value cap for RRsets and messages in the # cache. Items are not cached for longer. In seconds. # cache-max-ttl: 86400 # the time to live (TTL) value for cached roundtrip times, lameness # and EDNS version information for hosts. In seconds. # infra-host-ttl: 900 # the number of slabs to use for the Infrastructure cache. # the number of slabs must be a power of 2. # more slabs reduce lock contention, but fragment memory usage. # infra-cache-slabs: 4 # the maximum number of hosts that are cached (roundtrip, EDNS, lame). # infra-cache-numhosts: 10000 # Enable IPv4, "yes" or "no". # do-ip4: yes # Enable IPv6, "yes" or "no". # do-ip6: yes # Enable UDP, "yes" or "no". # NOTE: if setting up an unbound on tls443 for public use, you might want to # disable UDP to avoid being used in DNS amplification attacks. # do-udp: yes # Enable TCP, "yes" or "no". # do-tcp: yes # upstream connections use TCP only (and no UDP), "yes" or "no" # useful for tunneling scenarios, default no. # tcp-upstream: no # Detach from the terminal, run in background, "yes" or "no". # do-daemonize: yes # control which clients are allowed to make (recursive) queries # to this server. Specify classless netblocks with /size and action. # By default everything is refused, except for localhost. # Choose deny (drop message), refuse (polite error reply), # allow (recursive ok), allow_snoop (recursive and nonrecursive ok) # access-control: 0.0.0.0/0 refuse # access-control: 127.0.0.0/8 allow # access-control: ::0/0 refuse # access-control: ::1 allow # access-control: ::ffff:127.0.0.1 allow # if given, a chroot(2) is done to the given directory. # i.e. you can chroot to the working directory, for example, # for extra security, but make sure all files are in that directory. # # If chroot is enabled, you should pass the configfile (from the # commandline) as a full path from the original root. After the # chroot has been performed the now defunct portion of the config # file path is removed to be able to reread the config after a reload. # # All other file paths (working dir, logfile, roothints, and # key files) can be specified in several ways: # o as an absolute path relative to the new root. # o as a relative path to the working directory. # o as an absolute path relative to the original root. # In the last case the path is adjusted to remove the unused portion. # # The pid file can be absolute and outside of the chroot, it is # written just prior to performing the chroot and dropping permissions. # # Additionally, unbound may need to access /dev/random (for entropy). # How to do this is specific to your OS. # # If you give "" no chroot is performed. The path must not end in a /. # chroot: "/var/lib/unbound" chroot: "" # if given, user privileges are dropped (after binding port), # and the given username is assumed. Default is user "unbound". # If you give "" no privileges are dropped. username: "unbound" # the working directory. The relative files in this config are # relative to this directory. If you give "" the working directory # is not changed. directory: "/etc/unbound" # the log file, "" means log to stderr. # Use of this option sets use-syslog to "no". # logfile: "" # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to # log to, with identity "unbound". If yes, it overrides the logfile. # use-syslog: yes # print UTC timestamp in ascii to logfile, default is epoch in seconds. log-time-ascii: yes # print one line with time, IP, name, type, class for every query. # log-queries: no # the pid file. Can be an absolute path outside of chroot/work dir. pidfile: "/var/run/unbound/unbound.pid" # file to read root hints from. # get one from ftp://FTP.INTERNIC.NET/domain/named.cache # root-hints: "" # enable to not answer id.server and hostname.bind queries. # hide-identity: no # enable to not answer version.server and version.bind queries. # hide-version: no # the identity to report. Leave "" or default to return hostname. # identity: "" # the version to report. Leave "" or default to return package version. # version: "" # the target fetch policy. # series of integers describing the policy per dependency depth. # The number of values in the list determines the maximum dependency # depth the recursor will pursue before giving up. Each integer means: # -1 : fetch all targets opportunistically, # 0: fetch on demand, # positive value: fetch that many targets opportunistically. # Enclose the list of numbers between quotes (""). # target-fetch-policy: "3 2 1 0 0" # Harden against very small EDNS buffer sizes. # harden-short-bufsize: no # Harden against unseemly large queries. # harden-large-queries: no # Harden against out of zone rrsets, to avoid spoofing attempts. harden-glue: yes # Harden against receiving dnssec-stripped data. If you turn it # off, failing to validate dnskey data for a trustanchor will # trigger insecure mode for that zone (like without a trustanchor). # Default on, which insists on dnssec data for trust-anchored zones. harden-dnssec-stripped: yes # Harden against queries that fall under dnssec-signed nxdomain names. harden-below-nxdomain: yes # Harden the referral path by performing additional queries for # infrastructure data. Validates the replies (if possible). # Default off, because the lookups burden the server. Experimental # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. harden-referral-path: yes # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. # (this now fails on all GoDaddy customer domains, so disabled) use-caps-for-id: no # Enforce privacy of these addresses. Strips them away from answers. # It may cause DNSSEC validation to additionally mark it as bogus. # Protects against 'DNS Rebinding' (uses browser as network proxy). # Only 'private-domain' and 'local-data' names are allowed to have # these private addresses. No default. # private-address: 10.0.0.0/8 # private-address: 172.16.0.0/12 # private-address: 192.168.0.0/16 # private-address: 192.254.0.0/16 # private-address: fd00::/8 # private-address: fe80::/10 # Allow the domain (and its subdomains) to contain private addresses. # local-data statements are allowed to contain private addresses too. # private-domain: "example.com" # If nonzero, unwanted replies are not only reported in statistics, # but also a running total is kept per thread. If it reaches the # threshold, a warning is printed and a defensive action is taken, # the cache is cleared to flush potential poison out of it. # A suggested value is 10000000, the default is 0 (turned off). unwanted-reply-threshold: 10000000 # Do not query the following addresses. No DNS queries are sent there. # List one address per entry. List classless netblocks with /size, # do-not-query-address: 127.0.0.1/8 # do-not-query-address: ::1 # if yes, the above default do-not-query-address entries are present. # if no, localhost can be queried (for testing and debugging). # do-not-query-localhost: yes # if yes, perform prefetching of almost expired message cache entries. prefetch: yes # if yes, perform key lookups adjacent to normal lookups. prefetch-key: yes # if yes, Unbound rotates RRSet order in response. rrset-roundrobin: yes # if yes, Unbound doesn't insert authority/additional sections # into response messages when those sections are not required. minimal-responses: yes # module configuration of the server. A string with identifiers # separated by spaces. "iterator" or "validator iterator" # module-config: "validator iterator" # File with DLV trusted keys. Same format as trust-anchor-file. # There can be only one DLV configured, it is trusted from root down. # Downloaded from https://secure.isc.org/ops/dlv/dlv.isc.org.key # dlv-anchor-file: "/etc/unbound/dlv.isc.org.key" # File with trusted keys for validation. Specify more than one file # with several entries, one file per entry. # Zone file format, with DS and DNSKEY entries. # trust-anchor-file: "" # File with trusted keys, kept uptodate using RFC5011 probes, # initial file like trust-anchor-file, then it stores metadata. # Use several entries, one per domain name, to track multiple zones. # auto-trust-anchor-file: "" # Trusted key for validation. DS or DNSKEY. specify the RR on a # single line, surrounded by "". TTL is ignored. class is IN default. # (These examples are from August 2007 and may not be valid anymore). # trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ==" # trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A" # File with trusted keys for validation. Specify more than one file # with several entries, one file per entry. Like trust-anchor-file # but has a different file format. Format is BIND-9 style format, # the trusted-keys { name flag proto algo "key"; }; clauses are read. # trusted-keys-file: "" # # trusted-keys-file: /etc/unbound/rootkey.bind trusted-keys-file: /etc/unbound/keys.d/*.key auto-trust-anchor-file: "/var/lib/unbound/root.key" # Ignore chain of trust. Domain is treated as insecure. # domain-insecure: "example.com" # Override the date for validation with a specific fixed date. # Do not set this unless you are debugging signature inception # and expiration. "" or "0" turns the feature off. # val-override-date: "" # The time to live for bogus data, rrsets and messages. This avoids # some of the revalidation, until the time interval expires. in secs. # val-bogus-ttl: 60 # The signature inception and expiration dates are allowed to be off # by 10% of the lifetime of the signature from our local clock. # This leeway is capped with a minimum and a maximum. In seconds. # val-sig-skew-min: 3600 # val-sig-skew-max: 86400 # Should additional section of secure message also be kept clean of # unsecure data. Useful to shield the users of this validator from # potential bogus data in the additional section. All unsigned data # in the additional section is removed from secure messages. val-clean-additional: yes # Turn permissive mode on to permit bogus messages. Thus, messages # for which security checks failed will be returned to clients, # instead of SERVFAIL. It still performs the security checks, which # result in interesting log files and possibly the AD bit in # replies if the message is found secure. The default is off. # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY val-permissive-mode: no # Have the validator log failed validations for your diagnosis. # 0: off. 1: A line per failed user query. 2: With reason and bad IP. val-log-level: 1 # It is possible to configure NSEC3 maximum iteration counts per # keysize. Keep this table very short, as linear search is done. # A message with an NSEC3 with larger count is marked insecure. # List in ascending order the keysize and count values. # val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500" # instruct the auto-trust-anchor-file probing to add anchors after ttl. # add-holddown: 2592000 # 30 days # instruct the auto-trust-anchor-file probing to del anchors after ttl. # del-holddown: 2592000 # 30 days # auto-trust-anchor-file probing removes missing anchors after ttl. # If the value 0 is given, missing anchors are not removed. # keep-missing: 31622400 # 366 days # the amount of memory to use for the key cache. # plain value in bytes or you can append k, m or G. default is "4Mb". # key-cache-size: 4m # the number of slabs to use for the key cache. # the number of slabs must be a power of 2. # more slabs reduce lock contention, but fragment memory usage. # key-cache-slabs: 4 # the amount of memory to use for the negative cache (used for DLV). # plain value in bytes or you can append k, m or G. default is "1Mb". # neg-cache-size: 1m # a number of locally served zones can be configured. # local-zone: <zone> <type> # local-data: "<resource record string>" # o deny serves local data (if any), else, drops queries. # o refuse serves local data (if any), else, replies with error. # o static serves local data, else, nxdomain or nodata answer. # o transparent serves local data, but resolves normally for other names # o redirect serves the zone data for any subdomain in the zone. # o nodefault can be used to normally resolve AS112 zones. # o typetransparent resolves normally for other types and other names # # defaults are localhost address, reverse for 127.0.0.1 and ::1 # and nxdomain for AS112 zones. If you configure one of these zones # the default content is omitted, or you can omit it with 'nodefault'. # # If you configure local-data without specifying local-zone, by # default a transparent local-zone is created for the data. # # You can add locally served data with # local-zone: "local." static # local-data: "mycomputer.local. IN A 192.0.2.51" # local-data: 'mytext.local TXT "content of text record"' # # You can override certain queries with # local-data: "adserver.example.com A 127.0.0.1" # # You can redirect a domain to a fixed address with # (this makes example.com, www.example.com, etc, all go to 192.0.2.3) # local-zone: "example.com" redirect # local-data: "example.com A 192.0.2.3" # # Shorthand to make PTR records, "IPv4 name" or "IPv6 name". # You can also add PTR records using local-data directly, but then # you need to do the reverse notation yourself. # local-data-ptr: "192.0.2.3 www.example.com" include: /etc/unbound/local.d/*.conf # service clients over SSL (on the TCP sockets), with plain DNS inside # the SSL stream. Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. # ssl-service-key: "/etc/unbound/unbound_server.key" # ssl-service-pem: "/etc/unbound/unbound_server.pem" # ssl-port: 443 # request upstream over SSL (with plain DNS inside the SSL stream). # Default is no. Can be turned on and off with unbound-control. # ssl-upstream: no ## Python config section. To enable: ## o use --with-pythonmodule to configure before compiling. ## o list python in the module-config string (above) to enable. ## o and give a python-script to run. #python: # # Script file to load # # python-script: "/etc/unbound/ubmodule-tst.py" # Remote control config section. remote-control: # Enable remote control with unbound-control(8) here. # set up the keys and certificates with unbound-control-setup. # Note: required for unbound-munin package control-enable: yes # what interfaces are listened to for remote control. # give 0.0.0.0 and ::0 to listen to all interfaces. # control-interface: 127.0.0.1 # control-interface: ::1 # port number for remote control operations. # control-port: 953 # unbound server key file. server-key-file: "/etc/unbound/unbound_server.key" # unbound server certificate file. server-cert-file: "/etc/unbound/unbound_server.pem" # unbound-control key file. control-key-file: "/etc/unbound/unbound_control.key" # unbound-control certificate file. control-cert-file: "/etc/unbound/unbound_control.pem" # Stub and Forward zones include: /etc/unbound/conf.d/*.conf # Stub zones. # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of nameservers. list zero or more # nameservers by hostname or by ipaddress. If you set stub-prime to yes, # the list is treated as priming hints (default is no). # stub-zone: # name: "example.com" # stub-addr: 192.0.2.68 # stub-prime: "no" # stub-zone: # name: "example.org" # stub-host: ns.example.com. # You can now also dynamically create and delete stub-zone's using # unbound-control stub_add domain.com 1.2.3.4 5.6.7.8 # unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8 # Forward zones # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of servers. These servers have to handle # recursion to other nameservers. List zero or more nameservers by hostname # or by ipaddress. Use an entry with name "." to forward all queries. # If you enable forward-first, it attempts without the forward if it fails. # forward-zone: # name: "example.com" # forward-addr: 192.0.2.68 # forward-addr: 192.0.2.73@5355 # forward to port 5355. # forward-first: no # forward-zone: # name: "example.org" # forward-host: fwd.example.com # # You can now also dynamically create and delete forward-zone's using # unbound-control forward_add domain.com 1.2.3.4 5.6.7.8 # unbound-control forward_remove domain.com 1.2.3.4 5.6.7.8 ++++++ unbound.firewall ++++++ # Only the variables TCP, UDP, RPC, IP and BROADCAST are allowed. # More may be supported in the future. # # For a more detailed description of the individual variables see # the comments for FW_SERVICES_*_EXT in /etc/sysconfig/SuSEfirewall2 # ## Name: bind DNS server ## Description: Open ports for the bind DNS server # space separated list of allowed TCP ports TCP="domain" # space separated list of allowed UDP ports UDP="domain" # space separated list of allowed RPC services RPC="" # space separated list of allowed IP protocols IP="" # space separated list of allowed UDP broadcast ports BROADCAST="" ++++++ unbound.munin ++++++ # # For this plugin to work, unbound.conf needs to have: # remote-control: control-enable: yes # [unbound*] user root env.statefile /var/lib/munin/plugin-state/unbound-state env.unbound_conf /etc/unbound/unbound.conf env.unbound_control /usr/sbin/unbound-control env.spoof_warn 1000 env.spoof_crit 100000 ++++++ unbound.service ++++++ [Unit] Description=Unbound recursive Domain Name Server After=syslog.target network.target After=unbound-keygen.service Wants=unbound-keygen.service Wants=unbound-anchor.timer Before=nss-lookup.target Wants=nss-lookup.target [Service] Type=simple EnvironmentFile=-/etc/sysconfig/unbound #ExecStartPre=/sbin/runuser --shell /bin/sh -c "/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem" unbound ExecStartPre=/usr/bin/sudo -u unbound /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem ExecStartPre=/usr/sbin/unbound-checkconf ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS [Install] WantedBy=multi-user.target ++++++ unbound.sysconfig ++++++ # for extra debug, add "-v -v" or change verbosity: in unbound.conf UNBOUND_OPTIONS="" ++++++ unbound_munin_ ++++++ #!/bin/sh # # plugin for munin to monitor usage of unbound servers. # # (C) 2008 W.C.A. Wijngaards. BSD Licensed. # # To install; enable statistics and unbound-control in unbound.conf # server: extended-statistics: yes # statistics-cumulative: no # statistics-interval: 0 # remote-control: control-enable: yes # Run the command unbound-control-setup to generate the key files. # # Environment variables for this script # statefile - where to put temporary statefile. # unbound_conf - where the unbound.conf file is located. # unbound_control - where to find unbound-control executable. # spoof_warn - what level to warn about spoofing # spoof_crit - what level to crit about spoofing # # You can set them in your munin/plugin-conf.d/plugins.conf file # with: # [unbound*] # user root # env.statefile /usr/local/var/munin/plugin-state/unbound-state # env.unbound_conf /usr/local/etc/unbound/unbound.conf # env.unbound_control /usr/local/sbin/unbound-control # env.spoof_warn 1000 # env.spoof_crit 100000 # # This plugin can create different graphs depending on what name # you link it as (with ln -s) into the plugins directory # You can link it multiple times. # If you are only a casual user, the _hits and _by_type are most interesting, # possibly followed by _by_rcode. # # unbound_munin_hits - base volume, cache hits, unwanted traffic # unbound_munin_queue - to monitor the internal requestlist # unbound_munin_memory - memory usage # unbound_munin_by_type - incoming queries by type # unbound_munin_by_class - incoming queries by class # unbound_munin_by_opcode - incoming queries by opcode # unbound_munin_by_rcode - answers by rcode, validation status # unbound_munin_by_flags - incoming queries by flags # unbound_munin_histogram - histogram of query resolving times # # Magic markers - optional - used by installation scripts and # munin-config: # #%# family=contrib #%# capabilities=autoconf suggest # POD documentation : <<=cut =head1 NAME unbound_munin_ - Munin plugin to monitor the Unbound DNS resolver. =head1 APPLICABLE SYSTEMS System with unbound daemon. =head1 CONFIGURATION [unbound*] user root env.statefile /var/lib/munin/plugin-state/unbound-state env.unbound_conf /etc/unbound/unbound.conf env.unbound_control /usr/sbin/unbound-control env.spoof_warn 1000 env.spoof_crit 100000 Use the .env settings to override the defaults. =head1 USAGE Can be used to present different graphs. Use ln -s for that name in the plugins directory to enable the graph. unbound_munin_hits - base volume, cache hits, unwanted traffic unbound_munin_queue - to monitor the internal requestlist unbound_munin_memory - memory usage unbound_munin_by_type - incoming queries by type unbound_munin_by_class - incoming queries by class unbound_munin_by_opcode - incoming queries by opcode unbound_munin_by_rcode - answers by rcode, validation status unbound_munin_by_flags - incoming queries by flags unbound_munin_histogram - histogram of query resolving times =head1 AUTHOR Copyright 2008 W.C.A. Wijngaards =head1 LICENSE BSD =cut state=${statefile:-/var/lib/munin/plugin-state/unbound-state} conf=${unbound_conf:-/etc/unbound/unbound.conf} ctrl=${unbound_control:-/usr/sbin/unbound-control} warn=${spoof_warn:-1000} crit=${spoof_crit:-100000} lock=$state.lock # number of seconds between polling attempts. # makes the statefile hang around for at least this many seconds, # so that multiple links of this script can share the results. lee=55 # to keep things within 19 characters ABBREV="-e s/total/t/ -e s/thread/t/ -e s/num/n/ -e s/query/q/ -e s/answer/a/ -e s/unwanted/u/ -e s/requestlist/ql/ -e s/type/t/ -e s/class/c/ -e s/opcode/o/ -e s/rcode/r/ -e s/edns/e/ -e s/mem/m/ -e s/cache/c/ -e s/mod/m/" # get value from $1 into return variable $value get_value ( ) { value="`grep '^'$1'=' $state | sed -e 's/^.*=//'`" if test "$value"x = ""x; then value="0" fi } # download the state from the unbound server. get_state ( ) { # obtain lock for fetching the state # because there is a race condition in fetching and writing to file # see if the lock is stale, if so, take it if test -f $lock ; then pid="`cat $lock 2>&1`" kill -0 "$pid" >/dev/null 2>&1 if test $? -ne 0 -a "$pid" != $$ ; then echo $$ >$lock fi fi i=0 while test ! -f $lock || test "`cat $lock 2>&1`" != $$; do while test -f $lock; do # wait i=`expr $i + 1` if test $i -gt 1000; then sleep 1; fi if test $i -gt 1500; then echo "error locking $lock" "=" `cat $lock` rm -f $lock exit 1 fi done # try to get it echo $$ >$lock done # do not refetch if the file exists and only LEE seconds old if test -f $state; then now=`date +%s` get_value "time.now" value="`echo $value | sed -e 's/\..*$//'`" if test $now -lt `expr $value + $lee`; then rm -f $lock return fi fi $ctrl -c $conf stats > $state if test $? -ne 0; then echo "error retrieving data from unbound server" rm -f $lock exit 1 fi rm -f $lock } if test "$1" = "autoconf" ; then if test ! -f $conf; then echo no "($conf does not exist)" exit 1 fi if test ! -d `dirname $state`; then echo no "($state directory does not exist)" exit 1 fi echo yes exit 0 fi if test "$1" = "suggest" ; then echo "hits" echo "queue" echo "memory" echo "by_type" echo "by_class" echo "by_opcode" echo "by_rcode" echo "by_flags" echo "histogram" exit 0 fi # determine my type, by name id=`echo $0 | sed -e 's/^.*unbound_munin_//'` if test "$id"x = ""x; then # some default to keep people sane. id="hits" fi # if $1 exists in statefile, config is echoed with label $2 exist_config ( ) { mn=`echo $1 | sed $ABBREV | tr . _` if grep '^'$1'=' $state >/dev/null 2>&1; then echo "$mn.label $2" echo "$mn.min 0" fi } # print label and min 0 for a name $1 in unbound format p_config ( ) { mn=`echo $1 | sed $ABBREV | tr . _` echo $mn.label "$2" echo $mn.min 0 } if test "$1" = "config" ; then if test ! -f $state; then get_state fi case $id in hits) echo "graph_title Unbound DNS traffic and cache hits" echo "graph_args --base 1000 -l 0" echo "graph_vlabel queries / second" echo "graph_category DNS" for x in thread0.num.queries thread1.num.queries \ thread2.num.queries thread3.num.queries thread4.num.queries \ thread5.num.queries thread6.num.queries thread7.num.queries; do exist_config $x "queries handled by `basename $x .num.queries`" done p_config "total.num.queries" "total queries from clients" p_config "total.num.cachehits" "cache hits" p_config "total.num.prefetch" "cache prefetch" p_config "num.query.tcp" "TCP queries" p_config "num.query.ipv6" "IPv6 queries" p_config "unwanted.queries" "queries that failed acl" p_config "unwanted.replies" "unwanted or unsolicited replies" echo "u_replies.warning $warn" echo "u_replies.critical $crit" echo "graph_info DNS queries to the recursive resolver. The unwanted replies could be innocent duplicate packets, late replies, or spoof threats." ;; queue) echo "graph_title Unbound requestlist size" echo "graph_args --base 1000 -l 0" echo "graph_vlabel number of queries" echo "graph_category DNS" p_config "total.requestlist.avg" "Average size of queue on insert" p_config "total.requestlist.max" "Max size of queue (in 5 min)" p_config "total.requestlist.overwritten" "Number of queries replaced by new ones" p_config "total.requestlist.exceeded" "Number of queries dropped due to lack of space" echo "graph_info The queries that did not hit the cache and need recursion service take up space in the requestlist. If there are too many queries, first queries get overwritten, and at last resort dropped." ;; memory) echo "graph_title Unbound memory usage" echo "graph_args --base 1024 -l 0" echo "graph_vlabel memory used in bytes" echo "graph_category DNS" p_config "mem.total.sbrk" "Total memory" p_config "mem.cache.rrset" "RRset cache memory" p_config "mem.cache.message" "Message cache memory" p_config "mem.mod.iterator" "Iterator module memory" p_config "mem.mod.validator" "Validator module and key cache memory" echo "graph_info The memory used by unbound." ;; by_type) echo "graph_title Unbound DNS queries by type" echo "graph_args --base 1000 -l 0" echo "graph_vlabel queries / second" echo "graph_category DNS" for x in `grep "^num.query.type" $state`; do nm=`echo $x | sed -e 's/=.*$//'` tp=`echo $nm | sed -e s/num.query.type.//` p_config "$nm" "$tp" done echo "graph_info queries by DNS RR type queried for" ;; by_class) echo "graph_title Unbound DNS queries by class" echo "graph_args --base 1000 -l 0" echo "graph_vlabel queries / second" echo "graph_category DNS" for x in `grep "^num.query.class" $state`; do nm=`echo $x | sed -e 's/=.*$//'` tp=`echo $nm | sed -e s/num.query.class.//` p_config "$nm" "$tp" done echo "graph_info queries by DNS RR class queried for." ;; by_opcode) echo "graph_title Unbound DNS queries by opcode" echo "graph_args --base 1000 -l 0" echo "graph_vlabel queries / second" echo "graph_category DNS" for x in `grep "^num.query.opcode" $state`; do nm=`echo $x | sed -e 's/=.*$//'` tp=`echo $nm | sed -e s/num.query.opcode.//` p_config "$nm" "$tp" done echo "graph_info queries by opcode in the query packet." ;; by_rcode) echo "graph_title Unbound DNS answers by return code" echo "graph_args --base 1000 -l 0" echo "graph_vlabel answer packets / second" echo "graph_category DNS" for x in `grep "^num.answer.rcode" $state`; do nm=`echo $x | sed -e 's/=.*$//'` tp=`echo $nm | sed -e s/num.answer.rcode.//` p_config "$nm" "$tp" done p_config "num.answer.secure" "answer secure" p_config "num.answer.bogus" "answer bogus" p_config "num.rrset.bogus" "num rrsets marked bogus" echo "graph_info answers sorted by return value. rrsets bogus is the number of rrsets marked bogus per second by the validator" ;; by_flags) echo "graph_title Unbound DNS incoming queries by flags" echo "graph_args --base 1000 -l 0" echo "graph_vlabel queries / second" echo "graph_category DNS" p_config "num.query.flags.QR" "QR (query reply) flag" p_config "num.query.flags.AA" "AA (auth answer) flag" p_config "num.query.flags.TC" "TC (truncated) flag" p_config "num.query.flags.RD" "RD (recursion desired) flag" p_config "num.query.flags.RA" "RA (rec avail) flag" p_config "num.query.flags.Z" "Z (zero) flag" p_config "num.query.flags.AD" "AD (auth data) flag" p_config "num.query.flags.CD" "CD (check disabled) flag" p_config "num.query.edns.present" "EDNS OPT present" p_config "num.query.edns.DO" "DO (DNSSEC OK) flag" echo "graph_info This graphs plots the flags inside incoming queries. For example, if QR, AA, TC, RA, Z flags are set, the query can be rejected. RD, AD, CD and DO are legitimately set by some software." ;; histogram) echo "graph_title Unbound DNS histogram of reply time" echo "graph_args --base 1000 -l 0" echo "graph_vlabel queries / second" echo "graph_category DNS" echo hcache.label "cache hits" echo hcache.min 0 echo hcache.draw AREA echo hcache.colour 999999 echo h64ms.label "0 msec - 66 msec" echo h64ms.min 0 echo h64ms.draw STACK echo h64ms.colour 0000FF echo h128ms.label "66 msec - 131 msec" echo h128ms.min 0 echo h128ms.colour 1F00DF echo h128ms.draw STACK echo h256ms.label "131 msec - 262 msec" echo h256ms.min 0 echo h256ms.draw STACK echo h256ms.colour 3F00BF echo h512ms.label "262 msec - 524 msec" echo h512ms.min 0 echo h512ms.draw STACK echo h512ms.colour 5F009F echo h1s.label "524 msec - 1 sec" echo h1s.min 0 echo h1s.draw STACK echo h1s.colour 7F007F echo h2s.label "1 sec - 2 sec" echo h2s.min 0 echo h2s.draw STACK echo h2s.colour 9F005F echo h4s.label "2 sec - 4 sec" echo h4s.min 0 echo h4s.draw STACK echo h4s.colour BF003F echo h8s.label "4 sec - 8 sec" echo h8s.min 0 echo h8s.draw STACK echo h8s.colour DF001F echo h16s.label "8 sec - ..." echo h16s.min 0 echo h16s.draw STACK echo h16s.colour FF0000 echo "graph_info Histogram of the reply times for queries." ;; esac exit 0 fi # do the stats itself get_state # get the time elapsed get_value "time.elapsed" if test $value = 0 || test $value = "0.000000"; then echo "error: time elapsed 0 or could not retrieve data" exit 1 fi elapsed="$value" # print value for $1 / elapsed print_qps ( ) { mn=`echo $1 | sed $ABBREV | tr . _` get_value $1 echo "$mn.value" `echo scale=6';' $value / $elapsed | bc ` } # print qps if line already found in $2 print_qps_line ( ) { mn=`echo $1 | sed $ABBREV | tr . _` value="`echo $2 | sed -e 's/^.*=//'`" echo "$mn.value" `echo scale=6';' $value / $elapsed | bc ` } # print value for $1 print_value ( ) { mn=`echo $1 | sed $ABBREV | tr . _` get_value $1 echo "$mn.value" $value } case $id in hits) for x in thread0.num.queries thread1.num.queries thread2.num.queries \ thread3.num.queries thread4.num.queries thread5.num.queries \ thread6.num.queries thread7.num.queries total.num.queries \ total.num.cachehits total.num.prefetch num.query.tcp \ num.query.ipv6 unwanted.queries unwanted.replies; do if grep "^"$x"=" $state >/dev/null 2>&1; then print_qps $x fi done ;; queue) for x in total.requestlist.avg total.requestlist.max \ total.requestlist.overwritten total.requestlist.exceeded; do print_value $x done ;; memory) mn=`echo mem.total.sbrk | sed $ABBREV | tr . _` get_value 'mem.total.sbrk' if test $value -eq 0; then chk=`echo $ctrl | sed -e 's/-control$/-checkconf/'` pidf=`$chk -o pidfile $conf 2>&1` pid=`cat $pidf 2>&1` value=`ps -p "$pid" -o rss= 2>&1` if test "`expr $value + 1 - 1 2>&1`" -eq "$value" 2>&1; then value=`expr $value \* 1024` else value=0 fi fi echo "$mn.value" $value for x in mem.cache.rrset mem.cache.message \ mem.mod.iterator mem.mod.validator; do print_value $x done ;; by_type) for x in `grep "^num.query.type" $state`; do nm=`echo $x | sed -e 's/=.*$//'` print_qps_line $nm $x done ;; by_class) for x in `grep "^num.query.class" $state`; do nm=`echo $x | sed -e 's/=.*$//'` print_qps_line $nm $x done ;; by_opcode) for x in `grep "^num.query.opcode" $state`; do nm=`echo $x | sed -e 's/=.*$//'` print_qps_line $nm $x done ;; by_rcode) for x in `grep "^num.answer.rcode" $state`; do nm=`echo $x | sed -e 's/=.*$//'` print_qps_line $nm $x done print_qps "num.answer.secure" print_qps "num.answer.bogus" print_qps "num.rrset.bogus" ;; by_flags) for x in num.query.flags.QR num.query.flags.AA num.query.flags.TC num.query.flags.RD num.query.flags.RA num.query.flags.Z num.query.flags.AD num.query.flags.CD num.query.edns.present num.query.edns.DO; do print_qps $x done ;; histogram) get_value total.num.cachehits echo hcache.value `echo scale=6';' $value / $elapsed | bc ` r=0 for x in histogram.000000.000000.to.000000.000001 \ histogram.000000.000001.to.000000.000002 \ histogram.000000.000002.to.000000.000004 \ histogram.000000.000004.to.000000.000008 \ histogram.000000.000008.to.000000.000016 \ histogram.000000.000016.to.000000.000032 \ histogram.000000.000032.to.000000.000064 \ histogram.000000.000064.to.000000.000128 \ histogram.000000.000128.to.000000.000256 \ histogram.000000.000256.to.000000.000512 \ histogram.000000.000512.to.000000.001024 \ histogram.000000.001024.to.000000.002048 \ histogram.000000.002048.to.000000.004096 \ histogram.000000.004096.to.000000.008192 \ histogram.000000.008192.to.000000.016384 \ histogram.000000.016384.to.000000.032768 \ histogram.000000.032768.to.000000.065536; do get_value $x r=`expr $r + $value` done echo h64ms.value `echo scale=6';' $r / $elapsed | bc ` get_value histogram.000000.065536.to.000000.131072 echo h128ms.value `echo scale=6';' $value / $elapsed | bc ` get_value histogram.000000.131072.to.000000.262144 echo h256ms.value `echo scale=6';' $value / $elapsed | bc ` get_value histogram.000000.262144.to.000000.524288 echo h512ms.value `echo scale=6';' $value / $elapsed | bc ` get_value histogram.000000.524288.to.000001.000000 echo h1s.value `echo scale=6';' $value / $elapsed | bc ` get_value histogram.000001.000000.to.000002.000000 echo h2s.value `echo scale=6';' $value / $elapsed | bc ` get_value histogram.000002.000000.to.000004.000000 echo h4s.value `echo scale=6';' $value / $elapsed | bc ` get_value histogram.000004.000000.to.000008.000000 echo h8s.value `echo scale=6';' $value / $elapsed | bc ` r=0 for x in histogram.000008.000000.to.000016.000000 \ histogram.000016.000000.to.000032.000000 \ histogram.000032.000000.to.000064.000000 \ histogram.000064.000000.to.000128.000000 \ histogram.000128.000000.to.000256.000000 \ histogram.000256.000000.to.000512.000000 \ histogram.000512.000000.to.001024.000000 \ histogram.001024.000000.to.002048.000000 \ histogram.002048.000000.to.004096.000000 \ histogram.004096.000000.to.008192.000000 \ histogram.008192.000000.to.016384.000000 \ histogram.016384.000000.to.032768.000000 \ histogram.032768.000000.to.065536.000000 \ histogram.065536.000000.to.131072.000000 \ histogram.131072.000000.to.262144.000000 \ histogram.262144.000000.to.524288.000000; do get_value $x r=`expr $r + $value` done echo h16s.value `echo scale=6';' $r / $elapsed | bc ` ;; esac