Re: Unbound in base, yes, what about ldns?

[Dennis Davis]

On Sun, 23 Mar 2014, Chris Smith wrote:

 From: Chris Smith obsd_m...@chrissmith.org
 To: Stuart Henderson s...@spacehopper.org
 Cc: OpenBSD-Misc misc@openbsd.org
 Date: Sun, 23 Mar 2014 22:09:00
 Subject: Re: Unbound in base, yes, what about ldns?

...

 How about this line added to rc.conf.local when using the package:
  syslogd_flags=${syslogd_flags} -a /var/unbound/dev/log

 Is it still needed or should it be removed?

Probably.  If you're running chrooted and logging to syslog, you
should still need this line.

See the manual page for unbound.conf.  A cursory reading indicates
it doesn't seem to have materially changed from the version in the
port/package.  *But* cursory reading has let me and others down
badly in the past :-(
-- 
Dennis Davis dennisda...@fastmail.fm

Re: Unbound in base, yes, what about ldns?

[Chris Smith]

On Thu, Mar 20, 2014 at 7:39 PM, Stuart Henderson s...@spacehopper.org wrote:
 You can uninstall the package if you don't need it, or you can keep it
 if you do need it (for example, for drill or the ldns-* tools).

How about this line added to rc.conf.local when using the package:
 syslogd_flags=${syslogd_flags} -a /var/unbound/dev/log

Is it still needed or should it be removed?

Thanks,

Chris

Re: Unbound in base, yes, what about ldns?

[Patrik Lundin]

On Fri, Mar 21, 2014 at 01:41:37PM +, Stuart Henderson wrote:
 
 Kind-of; things will work properly if the validator is enabled now, and it's
 less bad than having /var/unbound/etc writable, but would really prefer to not
 have anything at all in the chroot be writable by the unprivileged _unbound
 user. Privilege separation would be desirable for this.
 

Just out of curiosity: how come the shipped unbound.conf file mentions
the module-config: setting? It appears to me that validator iterator
is the default, or am i missing something?

Regards,
Patrik Lundin

Re: Unbound in base, yes, what about ldns?

[Chris Smith]

On Wed, Mar 19, 2014 at 7:44 PM, Chris Smith obsd_m...@chrissmith.org wrote:
 See the thread unbound dnssec revisited I started on 12/30/2013 for
 some hints. Looks like creating a new directory with the proper
 permissions is the best way to go.

Now fixed in -current with a /var/unbound/db directory. Thanks Stuart!

Chris

Re: Unbound in base, yes, what about ldns?

[Stuart Henderson]

On 2014/03/21 09:30, Chris Smith wrote:
 On Wed, Mar 19, 2014 at 7:44 PM, Chris Smith obsd_m...@chrissmith.org wrote:
  See the thread unbound dnssec revisited I started on 12/30/2013 for
  some hints. Looks like creating a new directory with the proper
  permissions is the best way to go.
 
 Now fixed in -current with a /var/unbound/db directory. Thanks Stuart!
 
 Chris

Kind-of; things will work properly if the validator is enabled now, and it's
less bad than having /var/unbound/etc writable, but would really prefer to not
have anything at all in the chroot be writable by the unprivileged _unbound
user. Privilege separation would be desirable for this.

Re: Unbound in base, yes, what about ldns?

[Атанас Владимиров]

Thanks.


2014-03-20 1:44 GMT+02:00 Chris Smith obsd_m...@chrissmith.org:

 See the thread unbound dnssec revisited I started on 12/30/2013 for
 some hints. Looks like creating a new directory with the proper
 permissions is the best way to go.


 On Wed, Mar 19, 2014 at 7:01 PM, Àòàíàñ Âëàäèìèðîâ don.na...@gmail.com
 wrote:
  Hi,
  Sorry for Off-topic, but when you enable DNSSEC validation and fetch a
 root
  key with unbound-anchor(8) (needs root) the following error shows up in
  /var/log/messages:
 
  unbound: [0:0] error: could not open autotrust file for writing,
  /etc/root.key.29136-0: Permission denied
 
  May be this is because _unbound user has no rights to write to
  /var/unbound/etc/ after chroot.
  Am I correct? Any solutions?
 
  Best regards,
  Atanas

Re: Unbound in base, yes, what about ldns?

[Stuart Henderson]

On 2014-03-19, Chris Smith obsd_m...@chrissmith.org wrote:
 On Wed, Mar 19, 2014 at 6:12 PM, Kenneth Westerback
kwesterb...@gmail.com wrote:
 The unbound in base has it's own cut down version of ldns. No need for
 the package.

 Can I just uninstall the package after the fact or do some files need
 to be replaced?

 Thanks,

 Chris



You can uninstall the package if you don't need it, or you can keep it
if you do need it (for example, for drill or the ldns-* tools).

Re: Unbound in base, yes, what about ldns?

[Kenneth Westerback]

On 19 March 2014 18:09, Chris Smith obsd_m...@chrissmith.org wrote:
 Great to see Unbound in base, thanks.

 But what about ldns? I still have that installed as a package -
 removed the unbound package as per the -current instructions, but
 shouldn't the ldns package package be removed as well as I believe
 unbound requires it and therefore it would have to be built by base as
 well. Or am I off-base?

 Thanks,

 Chris


The unbound in base has it's own cut down version of ldns. No need for
the package.

... Ken

Re: Unbound in base, yes, what about ldns?

[Chris Smith]

On Wed, Mar 19, 2014 at 6:12 PM, Kenneth Westerback
kwesterb...@gmail.com wrote:
 The unbound in base has it's own cut down version of ldns. No need for
 the package.

Can I just uninstall the package after the fact or do some files need
to be replaced?

Thanks,

Chris

Re: Unbound in base, yes, what about ldns?

[Атанас Владимиров]

Hi,
Sorry for Off-topic, but when you enable DNSSEC validation and fetch a root
key with unbound-anchor(8) (needs root) the following error shows up in
/var/log/messages:

unbound: [0:0] error: could not open autotrust file for writing,
/etc/root.key.29136-0: Permission denied

May be this is because _unbound user has no rights to write to
/var/unbound/etc/ after chroot.
Am I correct? Any solutions?

Best regards,
Atanas

Re: Unbound in base, yes, what about ldns?

[Chris Smith]

See the thread unbound dnssec revisited I started on 12/30/2013 for
some hints. Looks like creating a new directory with the proper
permissions is the best way to go.


On Wed, Mar 19, 2014 at 7:01 PM, Атанас Владимиров don.na...@gmail.com wrote:
 Hi,
 Sorry for Off-topic, but when you enable DNSSEC validation and fetch a root
 key with unbound-anchor(8) (needs root) the following error shows up in
 /var/log/messages:

 unbound: [0:0] error: could not open autotrust file for writing,
 /etc/root.key.29136-0: Permission denied

 May be this is because _unbound user has no rights to write to
 /var/unbound/etc/ after chroot.
 Am I correct? Any solutions?

 Best regards,
 Atanas

Re: Unbound in base

[Martijn Rijkeboer]

 The primary cause of this is unbound is not a drop-in replacement for
 bind, they use different utilities, like unbound use drill, and bind use
 dig and friends.

Maybe I'm overlooking something, but that could be a problem with replacing
bind by unbound but not with linking unbound to the build. Currently we have
bind/nsd and apache/nginx all linked to the build.

Anyway I'm just curious, so no complaining intended.

Kind regards,


Martijn Rijkeboer

Re: Unbound in base

[Gregory Edigarov]

On 11/23/2013 04:29 PM, Martijn Rijkeboer wrote:

Hi,

Just out of curiosity, what is holding the linking of Unbound to the
build back? I'm not complaining since I'm using Unbound from ports
without issues.


I asked the question before.


The primary cause of this is unbound is not a drop-in replacement for bind, 
they use different utilities, like unbound use drill, and bind use dig and 
friends.


--
With best regards,
 Gregory Edigarov

Re: Unbound in base (review)

[Björn Ketelaars]

2012/3/26 Jakob Schlyter ja...@openbsd.org:
 Any more feedback on this? We need more testing to proceed!

Unbound has been imported to work on in-tree (not yet linked to the
build) [1]. It compiles and functions on amd64 and i386. I can only
guess who is actually working on further integrating this tool in
base. Therefore I'm sending the diff below to everyb...@misc...for
inspiration.

--
Bjvrn Ketelaars

[1] http://marc.info/?l=openbsd-cvsm=133278525113948w=2



Index: distrib/sets/lists/base/mi
===
RCS file: /mnt/cvs/src/distrib/sets/lists/base/mi,v
retrieving revision 1.566
diff -u -r1.566 mi
--- distrib/sets/lists/base/mi  8 Mar 2012 19:28:45 -   1.566
+++ distrib/sets/lists/base/mi  2 Apr 2012 11:33:11 -
@@ -2548,6 +2548,7 @@
 ./usr/sbin/dig
 ./usr/sbin/dnssec-keygen
 ./usr/sbin/dnssec-signzone
+./usr/sbin/drill
 ./usr/sbin/dvmrpctl
 ./usr/sbin/dvmrpd
 ./usr/sbin/editmap
@@ -2699,6 +2700,12 @@
 ./usr/sbin/traceroute
 ./usr/sbin/traceroute6
 ./usr/sbin/trpt
+./usr/sbin/unbound
+./usr/sbin/unbound-anchor
+./usr/sbin/unbound-checkconf
+./usr/sbin/unbound-control
+./usr/sbin/unbound-control-setup
+./usr/sbin/unbound-host
 ./usr/sbin/usbdevs
 ./usr/sbin/user
 ./usr/sbin/useradd
@@ -5152,6 +5159,11 @@
 ./var/spool/uucppublic
 ./var/tmp
 ./var/tmp/vi.recover
+./var/unbound
+./var/unbound/etc
+./var/unbound/var
+./var/unbound/var/dev
+./var/unbound/var/run
 ./var/www
 ./var/www/bin
 ./var/www/bin/bgpctl
Index: distrib/sets/lists/etc/mi
===
RCS file: /mnt/cvs/src/distrib/sets/lists/etc/mi,v
retrieving revision 1.146
diff -u -r1.146 mi
--- distrib/sets/lists/etc/mi   2 Apr 2012 03:08:44 -   1.146
+++ distrib/sets/lists/etc/mi   2 Apr 2012 11:33:11 -
@@ -166,6 +166,7 @@
 ./etc/rc.d/sshd
 ./etc/rc.d/statd
 ./etc/rc.d/syslogd
+./etc/rc.d/unbound
 ./etc/rc.d/tftpd
 ./etc/rc.d/watchdogd
 ./etc/rc.d/wsmoused
@@ -244,6 +245,9 @@
 ./var/named/standard/loopback
 ./var/named/standard/loopback6.arpa
 ./var/run/utmp
+./var/unbound/etc/root.hint
+./var/unbound/etc/unbound.conf
+./var/unbound/var/run/root.key
 ./var/www/cgi-bin/printenv
 ./var/www/cgi-bin/test-cgi
 ./var/www/conf/bgplg.css
Index: distrib/sets/lists/man/mi
===
RCS file: /mnt/cvs/src/distrib/sets/lists/man/mi,v
retrieving revision 1.1128
diff -u -r1.1128 mi
--- distrib/sets/lists/man/mi   29 Mar 2012 11:03:59 -  1.1128
+++ distrib/sets/lists/man/mi   2 Apr 2012 11:33:11 -
@@ -353,6 +353,7 @@
 ./usr/share/man/man1/dirname.1
 ./usr/share/man/man1/domainname.1
 ./usr/share/man/man1/dprofpp.1
+./usr/share/man/man1/drill.1
 ./usr/share/man/man1/du.1
 ./usr/share/man/man1/echo.1
 ./usr/share/man/man1/ed.1
@@ -758,6 +759,7 @@
 ./usr/share/man/man1/uname.1
 ./usr/share/man/man1/uncompress.1
 ./usr/share/man/man1/unexpand.1
+./usr/share/man/man1/unbound-host.1
 ./usr/share/man/man1/unifdef.1
 ./usr/share/man/man1/uniq.1
 ./usr/share/man/man1/units.1
@@ -2537,6 +2539,7 @@
 ./usr/share/man/man5/texinfo.5
 ./usr/share/man/man5/ttys.5
 ./usr/share/man/man5/tzfile.5
+./usr/share/man/man5/unbound.conf.5
 ./usr/share/man/man5/usermgmt.conf.5
 ./usr/share/man/man5/utmp.5
 ./usr/share/man/man5/uuencode.5
@@ -3040,6 +3043,10 @@
 ./usr/share/man/man8/ttyflags.8
 ./usr/share/man/man8/tunefs.8
 ./usr/share/man/man8/umount.8
+./usr/share/man/man8/unbound-anchor.8
+./usr/share/man/man8/unbound-checkconf.8
+./usr/share/man/man8/unbound-control.8
+./usr/share/man/man8/unbound.8
 ./usr/share/man/man8/updatedb.8
 ./usr/share/man/man8/usbdevs.8
 ./usr/share/man/man8/uucpd.8
Index: etc/Makefile
===
RCS file: /mnt/cvs/src/etc/Makefile,v
retrieving revision 1.316
diff -u -r1.316 Makefile
--- etc/Makefile1 Apr 2012 18:32:51 -   1.316
+++ etc/Makefile2 Apr 2012 11:33:11 -
@@ -53,9 +53,9 @@
inetd isakmpd ldapd ldattach ldpd lpd mopd mrouted named nginx \
nsd ntpd ospfd ospf6d portmap pflogd rarpd rbootd relayd ripd \
route6d rtadvd rtsold rwhod sasyncd sendmail sensorsd smtpd \
-   snmpd spamd sshd syslogd watchdogd wsmoused xdm ypbind ypldap \
-   yppasswdd ypserv kdc kadmind kpasswdd nfsd mountd lockd statd \
-   spamlogd sndiod popa3d tftpd
+   snmpd spamd sshd syslogd unbound watchdogd wsmoused xdm ypbind \
+   ypldap yppasswdd ypserv kdc kadmind kpasswdd nfsd mountd lockd \
+   statd spamlogd sndiod popa3d tftpd

 MISETS=base${OSrev}.tgz comp${OSrev}.tgz \
man${OSrev}.tgz game${OSrev}.tgz etc${OSrev}.tgz
@@ -219,6 +219,13 @@
${DESTDIR}/var/named/standard/loopback; \
${INSTALL} -c -o root -g wheel -m 644 db.loopback6.arpa \
${DESTDIR}/var/named/standard/loopback6.arpa
+   cd unbound; 

Re: Unbound in base (review)

[Jakob Schlyter]

Any more feedback on this? We need more testing to proceed!

jakob

Re: Unbound in base

[Björn Ketelaars]

2012/2/15 Ralf r...@ackstorm.de (mailto:r...@ackstorm.de):
 I have briefly tested your tarball on hppa yesterday. It compiles
 and works so far.



Nice to hear :-)

 I haven't gotten the DNSSec to work, so I ran with module-config:
 iterator. But I'm not too familiar with DNSsec, so I might have done
 something wrong on that part. And I cheated a bit when compiling and
 installing, as the machine didn't have the full source tree, so I did
 some steps manually, maybe I left something out.



The supplied unbound.conf should work (mental note to myself: assumption is
the mother of all b). Could you check that there is a root.key in
/var/unbound/etc? If not, please run unbound-anchor manually, do not forget to
set the right permissions on root.key or run as _unbound (this is part of the
current unbound rc.d-script - rc_pre()).

If there is a root.key you could use drill to test:

drill @127.0.0.1 www.nic.cz (http://nic.cz) (rcode: noerror)
drill @127.0.0.1 www.rhybar.cz (http://rhybar.cz) (rcode: servfail)

or use dig:

dig @127.0.0.1 www.nic.cz (http://www.nic.cz) +dnssec (ad flag should be set)

Make sure that unbound is running ...

 There was an issue with the rc.diff patch:

 +   if [ X${unbound_flags} != XNO ]; then
 +   echo -n unbound-control-setup: generating self-signed
certificate and private keys... 
 +   if sudo -u _unbound unbound-control-setup /dev/null
21; then
 +   echo done.
 +   else
 +   echo failed.
 +   fi
 +   fi
 +   fi



You are right! I will correct this. BTW, in the current unbound.conf,
control-enable is not set to 'yes'. Even if there are keys and certificates
unbound-control will not work as it should. The idea is to use unbound-control
for stopping and starting the daemon (rc.d-script), so this has to be changed
as well.

In the meantime I simplified the rc.d-script a bit:

#!/bin/sh
#
# $OpenBSD: unbound

daemon=/usr/sbin/unbound-control
daemon_flags=-c /var/unbound/etc/unbound.conf

. /etc/rc.d/rc.subr

pexp=unbound${daemon_flags:+ ${daemon_flags}}
rc_reload=NO

rc_pre() {
sudo -u _unbound /usr/sbin/unbound-anchor
}

rc_start() {
${daemon} start
}

rc_stop() {
${daemon} stop
}
rc_cmd $1






As you can see rc_pre() runs unbound-anchor. This is still a point of
discussionb

--
BjC6rn Ketelaars

Re: Unbound in base

[Björn Ketelaars]

  From unbound-anchor.8 I understand that unbound-anchor can be run from the
  command line, or run as part of startup scripts _before_ the actual 
  (unbound)
  DNS server is started. So there is no need for DNS. Proposal therefor is to
  run unbound-anchor automatically before starting the unbound daemon (rc_pre 
  in
  unbound rc-script).
 
 
 This (i.e. connecting out to https://data.iana.org from the system startup
 scripts) should *not* happen by default even if unbound is enabled. There
 would need to be a separate option controlling this.

 
How about letting /var/unbound/etc/unbound.conf control this behavior?

In the startup script (rc.d-script): 

rc_pre() {
if ! egrep # *auto-trust-anchor-file: /var/unbound/etc/unbound.conf 
/dev/null; then
sudo -u _unbound /usr/sbin/unbound-anchor
fi
}



The same behavior can be obtained by writing a wrapper. Although these 
'solutions' work, they are not elegant. What say thou?

Re: Unbound in base

[MERIGHI Marcus]

Hello, 

bjorn.ketela...@hydroxide.nl (Bjvrn Ketelaars), 2012.02.15 (Wed) 10:23 (CET):
   From unbound-anchor.8 I understand that unbound-anchor can be run from the
   command line, or run as part of startup scripts _before_ the actual 
   (unbound)
   DNS server is started. So there is no need for DNS. Proposal therefor is 
   to
   run unbound-anchor automatically before starting the unbound daemon 
   (rc_pre in
   unbound rc-script).
  
  
  This (i.e. connecting out to https://data.iana.org from the system startup
  scripts) should *not* happen by default even if unbound is enabled. There
  would need to be a separate option controlling this.
 
  
 How about letting /var/unbound/etc/unbound.conf control this behavior?
 
 In the startup script (rc.d-script): 
 
 rc_pre() {
 if ! egrep # *auto-trust-anchor-file: /var/unbound/etc/unbound.conf 
 /dev/null; then
 sudo -u _unbound /usr/sbin/unbound-anchor

would fail if ``!root_sudo'' is set in sudoers(5). But, quoting
sudoers(5):
Disabling root_sudo provides no real additional security; it exists
purely for historical reasons. This flag is on by default.

Bye, Marcus

 fi
 }
 
 
 
 The same behavior can be obtained by writing a wrapper. Although these
 'solutions' work, they are not elegant. What say thou?

Re: Unbound in base

[Ralf]

* Bjvrn Ketelaars bjorn.ketela...@hydroxide.nl [2012-02-15 18:04]:

 2012/2/15 Ralf r...@ackstorm.de (mailto:r...@ackstorm.de):

  I haven't gotten the DNSSec to work, so I ran with module-config:
  iterator. But I'm not too familiar with DNSsec, so I might have done
  something wrong on that part. And I cheated a bit when compiling and
  installing, as the machine didn't have the full source tree, so I did
  some steps manually, maybe I left something out.

 The supplied unbound.conf should work (mental note to myself: assumption is
 the mother of all b). Could you check that there is a root.key in
 /var/unbound/etc? If not, please run unbound-anchor manually, do not forget
to
 set the right permissions on root.key or run as _unbound (this is part of
the
 current unbound rc.d-script - rc_pre()).

The problem was the clock of this old machine. I had ntpd configured,
but unfortunately without -s. The clock was somewhere around year 2020,
causing some certificate verification in unbound-anchor to fail with
message the PKCS7 signature failed.

After fixing the clock it works now with your default config on hppa.

Cheers,
Ralf

Re: Unbound in base

[Gregory Edigarov]

On Mon, 13 Feb 2012 22:35:15 +0100
BjC6rn Ketelaars bjorn.ketela...@hydroxide.nl wrote:

 Hello,

 After some recent discussions [1, 2] on the topic of unbound in base,
 and (more important) really liking the idea of an alternative for
 BIND in base, I made a start with fitting the different pieces of the
 puzzle. What is finished:

 1.) Integration of ldns 1.6.12 and unbound 1.4.15 and writing of
 relevant Makefile wrappers. Wrapper script also compiles and installs
 drill; 2.) Testing (read: does it compile and work) on AMD64.

 Stuart Henderson had some good remarks on integrating the above [3].
 What do you guys think of the following:

 What to do with the BIND tools (dig/host/nslookup)?

I would live them alone. They are used in most of the scripts all over
the place.
I.e. have a usr.sbin/bind-utils in the source tree.

 Unbound offers drill. From drill.1: The name drill is a pun on dig.
 With drill you should be able get even more information than with
 dig.. Proposal therefore is to replace the BIND tools with drill.

Not, see above.

 Do we run unbound-anchor automatically? if so, how do we handle
 possibly not having working DNS at that time to resolve data.iana.org
 (http://data.iana.org) (http://data.iana.org)?
 From unbound-anchor.8 I understand that unbound-anchor can be run
 from the command line, or run as part of startup scripts _before_ the
 actual (unbound) DNS server is started. So there is no need for DNS.
 Proposal therefor is to run unbound-anchor automatically before
 starting the unbound daemon (rc_pre in unbound rc-script).

Agreed.

 How and when do we automatically generate unbound-control keys? if
 so, where should that be done? b

 From unbound-control.8: The script unbound-control-setup generates
 these control keys in the default run directory. If you change the
 access control permissions on the key files you can decide who can
 use unbound-control. Run the script under the same username as you
 have configured in unbound.conf or as root, so that the daemon is
 permitted to read the files, for example with: sudo -u unbound
 unbound-control-setup. If you have not configured a username in
 unbound.conf, the keys need read permission for the user credentials
 under which the daemon is started. The script preserves private keys
 present in the directory. After running the script as root, turn on
 control-enable in unbound.conf.
 The unbound-control-script can be called from rc-make_keys(). The
 knob 'control-enable' can be set as default.

unbound-control should be renamed to more convenient 'unboundctl'.

 After tar/gzip the source files and Makefile wrappers weigh ~4.6MB. A
 bit to large to send to this list. if anyone feels like looking at
 the workbdo not hesitate to mail me.

 Again, what do you guys think?

 Kind regards,

 BjC6rn


 [1] http://marc.info/?l=openbsd-miscm=132205020820910w=2
 [2] http://marc.info/?l=openbsd-techm=132573371521516w=2
 [3] http://marc.info/?l=openbsd-miscm=132217547525487w=2

Re: Unbound in base

[Peter van Oord van der Vlies]

Hello,

Why replacing bind ?

Kind Regards

Peter

- Oorspronkelijk bericht -
Van: Bjvrn Ketelaars [mailto:bjorn.ketela...@hydroxide.nl]
Verzonden: Monday, February 13, 2012 10:35 PM
Aan: misc@openbsd.org
misc@openbsd.org; t...@openbsd.org t...@openbsd.org
Onderwerp: Unbound in base

Hello,

After some recent discussions [1, 2] on the topic of unbound in base, and
(more important) really liking the idea of an alternative for BIND in base, I
made a start with fitting the different pieces of the puzzle. What is
finished:

1.) Integration of ldns 1.6.12 and unbound 1.4.15 and writing of relevant
Makefile wrappers. Wrapper script also compiles and installs drill;
2.) Testing (read: does it compile and work) on AMD64.

Stuart Henderson had some good remarks on integrating the above [3]. What do
you guys think of the following:

What to do with the BIND tools (dig/host/nslookup)?

Unbound offers drill. From drill.1: The name drill is a pun on dig. With
drill you should be able get even more information than with dig.. Proposal
therefore is to replace the BIND tools with drill.

Do we run unbound-anchor automatically? if so, how do we handle possibly not
having working DNS at that time to resolve data.iana.org
(http://data.iana.org) (http://data.iana.org)?

From unbound-anchor.8 I understand that unbound-anchor can be run from the
command line, or run as part of startup scripts _before_ the actual (unbound)
DNS server is started. So there is no need for DNS. Proposal therefor is to
run unbound-anchor automatically before starting the unbound daemon (rc_pre
in
unbound rc-script).



How and when do we automatically generate unbound-control keys? if so, where
should that be done? b

From unbound-control.8: The script unbound-control-setup generates these
control keys in the default run directory. If you change the access control
permissions on the key files you can decide who can use unbound-control. Run
the script under the same username as you have configured in unbound.conf or
as root, so that the daemon is permitted to read the files, for example with:
sudo -u unbound unbound-control-setup. If you have not configured a username
in unbound.conf, the keys need read permission for the user credentials under
which the daemon is started. The script preserves private keys present in the
directory. After running the script as root, turn on control-enable in
unbound.conf.

The unbound-control-script can be called from rc-make_keys(). The knob
'control-enable' can be set as default.

After tar/gzip the source files and Makefile wrappers weigh ~4.6MB. A bit to
large to send to this list. if anyone feels like looking at the workbdo not
hesitate to mail me.

Again, what do you guys think?

Kind regards,

BjC6rn


[1] http://marc.info/?l=openbsd-miscm=132205020820910w=2
[2] http://marc.info/?l=openbsd-techm=132573371521516w=2
[3] http://marc.info/?l=openbsd-miscm=132217547525487w=2

Re: Unbound in base

[Vitali]

On Tue, Feb 14, 2012 at 10:09 AM, Peter van Oord van der Vlies
peter.vanoordvandervl...@itisit.nl wrote:
 Hello,

 Why replacing bind ?

That's a good question, Peter. Welcome aboard.
https://www.isc.org/software/bind/advisories/cve-2012-1033


 Kind Regards

 Peter


--
### Coonardoo - PQP8P=P8QP:P0 Q QQP=Q / The Well In The Shadow / Le
Puits
Dans L'Ombre ###

Re: Unbound in base

[Gregory Edigarov]

On Tue, 14 Feb 2012 08:09:16 +
Peter van Oord van der Vlies peter.vanoordvandervl...@itisit.nl wrote:

 Hello,
 
 Why replacing bind ?
Because bind is full of security related bugs and a bloatware.

Yours C. O.

 Kind Regards
 
 Peter
 
 - Oorspronkelijk bericht -
 Van: Bjvrn Ketelaars [mailto:bjorn.ketela...@hydroxide.nl]
 Verzonden: Monday, February 13, 2012 10:35 PM
 Aan: misc@openbsd.org
 misc@openbsd.org; t...@openbsd.org t...@openbsd.org
 Onderwerp: Unbound in base
 
 Hello,
 
 After some recent discussions [1, 2] on the topic of unbound in base,
 and (more important) really liking the idea of an alternative for
 BIND in base, I made a start with fitting the different pieces of the
 puzzle. What is finished:
 
 1.) Integration of ldns 1.6.12 and unbound 1.4.15 and writing of
 relevant Makefile wrappers. Wrapper script also compiles and installs
 drill; 2.) Testing (read: does it compile and work) on AMD64.
 
 Stuart Henderson had some good remarks on integrating the above [3].
 What do you guys think of the following:
 
 What to do with the BIND tools (dig/host/nslookup)?
 
 Unbound offers drill. From drill.1: The name drill is a pun on dig.
 With drill you should be able get even more information than with
 dig.. Proposal therefore is to replace the BIND tools with drill.
 
 Do we run unbound-anchor automatically? if so, how do we handle
 possibly not having working DNS at that time to resolve data.iana.org
 (http://data.iana.org) (http://data.iana.org)?
 
 From unbound-anchor.8 I understand that unbound-anchor can be run
 from the command line, or run as part of startup scripts _before_ the
 actual (unbound) DNS server is started. So there is no need for DNS.
 Proposal therefor is to run unbound-anchor automatically before
 starting the unbound daemon (rc_pre in
 unbound rc-script).
 
 
 
 How and when do we automatically generate unbound-control keys? if
 so, where should that be done? b
 
 From unbound-control.8: The script unbound-control-setup generates
 these control keys in the default run directory. If you change the
 access control permissions on the key files you can decide who can
 use unbound-control. Run the script under the same username as you
 have configured in unbound.conf or as root, so that the daemon is
 permitted to read the files, for example with: sudo -u unbound
 unbound-control-setup. If you have not configured a username in
 unbound.conf, the keys need read permission for the user credentials
 under which the daemon is started. The script preserves private keys
 present in the directory. After running the script as root, turn on
 control-enable in unbound.conf.
 
 The unbound-control-script can be called from rc-make_keys(). The
 knob 'control-enable' can be set as default.
 
 After tar/gzip the source files and Makefile wrappers weigh ~4.6MB. A
 bit to large to send to this list. if anyone feels like looking at
 the workbdo not hesitate to mail me.
 
 Again, what do you guys think?
 
 Kind regards,
 
 BjC6rn
 
 
 [1] http://marc.info/?l=openbsd-miscm=132205020820910w=2
 [2] http://marc.info/?l=openbsd-techm=132573371521516w=2
 [3] http://marc.info/?l=openbsd-miscm=132217547525487w=2

Re: Unbound in base

[Björn Ketelaars]

2012/2/13 Stuart Henderson s...@spacehopper.org:
...
 After tar/gzip the source files and Makefile wrappers weigh ~4.6MB. A bit
to
 large to send to this list. if anyone feels like looking at the workbdo
not
 hesitate to mail me.

 Please do. It would be nice to put them on a public server.


WIP can be found here:

http://goo.gl/BIRR5

.tar.gz contains a README which explains the status


--
Bjvrn Ketelaars

Re: Unbound in base

[Stuart Henderson]

Let's not crosspost replies, misc is more suitable for this one.
CCs trimmed.

On 2012/02/14 08:09, Peter van Oord van der Vlies wrote:
 Hello,
 
 Why replacing bind ?

The version we have is in need of an update. Due to some of the design
decisions made for BIND 10 that's not really going to be suitable for
inclusion in base so even if we were to update to a newer BIND 9 now,
we'd still need to look elsewhere in future, so considering that
something fairly suitable is already available, imho rather than
update BIND (which is not just a simple task of importing the code,
we have quite a few local changes which can't be applied directly),
it makes more sense to move directly there,

Re: Unbound in base

[Peter Hessler]

On 2012 Feb 14 (Tue) at 13:23:01 +0400 (+0400), Mo Libden wrote:
:14 QP5P2QP0P;Q 2012, 12:59 PQ Gregory Edigarov
g...@bestnet.kharkov.ua:
: On Tue, 14 Feb 2012 08:09:16 +
: Peter van Oord van der Vlies peter.vanoordvandervl...@itisit.nl wrote:
:
:  Hello,
: 
:  Why replacing bind ?
:
: Because bind is full of security related bugs and a bloatware.
:
:Oh come on!
:They say about the same thing about sendmail for years (decades already?).
:Still it is in the base.

Did you notice that there is lots of work being done to replace sendmail?

Yes, there is an interest in replacing bind (and sendmail).  However, we
are doing it slowly and cautiously, to ensure we do not make the
situation worse.


--
Any sufficiently advanced technology is indistinguishable from a rigged
demo.

Re: Unbound in base

[Gregory Edigarov]

On Tue, 14 Feb 2012 13:23:01 +0400
Mo Libden m0lib...@mail.ru wrote:

 14 QP5P2QP0P;Q 2012, 12:59 PQ Gregory Edigarov
 g...@bestnet.kharkov.ua:
  On Tue, 14 Feb 2012 08:09:16 +
  Peter van Oord van der Vlies peter.vanoordvandervl...@itisit.nl
  wrote:
 
   Hello,
  
   Why replacing bind ?
 
  Because bind is full of security related bugs and a bloatware.

 Oh come on!
 They say about the same thing about sendmail for years (decades
 already?). Still it is in the base.

 Are you spreading FUD here, or there are real cases with the version
 of BIND that is in the base?

well, better answer was just given by stu@.
BIND 10 requires at least Python 3.1

--
With best regards,
Gregory Edigarov

Re: Unbound in base

[Oliver Peter]

On Tue, Feb 14, 2012 at 01:23:01PM +0400, Mo Libden wrote:
 14 QP5P2QP0P;Q 2012, 12:59 PQ Gregory Edigarov
g...@bestnet.kharkov.ua:
  On Tue, 14 Feb 2012 08:09:16 +
  Peter van Oord van der Vlies peter.vanoordvandervl...@itisit.nl wrote:
 
   Hello,
  
   Why replacing bind ?
 
  Because bind is full of security related bugs and a bloatware.

 Oh come on!
 They say about the same thing about sendmail for years (decades already?).
 Still it is in the base.

smtpd(8) is underway. Also there is no proper MTA implementation out
there served under the BSD license (i.e. Postfix has IBM license).

Unbound (and also nsd) is a good and lightweight alternative to
sendmail using the BSD license.  License stuff is more important than
it sounds.

IMO the separate development of a resolver (unbound) and an authoritive
nameserver (nsd) is better than having all functionality within one
server (named).

--
Oliver PETER   oli...@opdns.de   0x456D688F

Re: Unbound in base

[Henning Brauer]

* Peter van Oord van der Vlies peter.vanoordvandervl...@itisit.nl [2012-02-14 
09:11]:
 Why replacing bind ?

1) because it's shit (yes yes vixie, the next release won't be written
   by drunken grad students and fix all design and implementation issues,
   we hear that since bind4 at least)
2) it's a dead end anyway - i have never seen such a dramatic design
   fuckup as the bind10 design docs, and anything depending on PYTHON
   (gimme a break) will never make it into base anyway.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/

Re: Unbound in base

[Steffen Daode Nurpmeso]

Henning Brauer wrote [2012-02-14 13:52+0100]:
 anything depending on PYTHON

MY WOMAN!

 (gimme a break)

Aeh.
Man.

 will never make it into base anyway.

If it were true!

--steffen

Re: Unbound in base

[Claus Assmann]

On Tue, Feb 14, 2012, Vitali wrote:
 On Tue, Feb 14, 2012 at 10:09 AM, Peter van Oord van der Vlies

  Why replacing bind ?

 https://www.isc.org/software/bind/advisories/cve-2012-1033

Bad CVE choice...
That's a design issue in DNS, not a vulnerability in BIND.

And if you want to throw CVEs around:
Unbound VU#209659 CVE-2011-4528
   Unbound denial of service vulnerabilities from nonstandard
   redirection and denial of existence

But at least it seems to have less problems than bind(?)

Re: Unbound in base

[Stuart Henderson]

On 2012-02-14, Gregory Edigarov g...@bestnet.kharkov.ua wrote:
 unbound-control should be renamed to more convenient 'unboundctl'.

and break scripts that are meant to work with cross-OS deployments?

Re: Unbound in base

[roberth]

On Tue, 14 Feb 2012 17:16:15 + (UTC)
Stuart Henderson s...@spacehopper.org wrote:

 On 2012-02-14, Gregory Edigarov g...@bestnet.kharkov.ua wrote:
  unbound-control should be renamed to more convenient 'unboundctl'.
 
 and break scripts that are meant to work with cross-OS deployments?

nah, he is talking bout convinience, not sanity, eh?

# grep unbound-control ~/.kshrc
alias ubc=/usr/local/sbin/unbound-control