Diffstat (limited to 'main/unbound')
-rw-r--r-- | main/unbound/APKBUILD | 108 | ||||
-rw-r--r-- | main/unbound/conf.patch | 19 | ||||
-rw-r--r-- | main/unbound/migrate-dnscache-to-unbound | 1 | ||||
-rw-r--r-- | main/unbound/unbound.confd | 3 | ||||
-rw-r--r-- | main/unbound/unbound.initd | 14 |
5 files changed, 86 insertions, 59 deletions
diff --git a/main/unbound/APKBUILD b/main/unbound/APKBUILD index 919d146a4c3..56fce719924 100644 --- a/main/unbound/APKBUILD +++ b/main/unbound/APKBUILD @@ -1,23 +1,45 @@ # Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net> -# Contributor: Carlo Landmeter <clandmeter@gmail.com> -# Maintainer: Natanael Copa <ncopa@alpinelinux.org> +# Contributor: Carlo Landmeter <clandmeter@alpinelinux.org> +# Contributor: Natanael Copa <ncopa@alpinelinux.org> +# Maintainer: Jakub Jirutka <jakub@jirutka.cz> pkgname=unbound -pkgver=1.10.0 -pkgrel=0 +pkgver=1.19.3 +pkgrel=2 pkgdesc="Unbound is a validating, recursive, and caching DNS resolver" -url="http://unbound.net/" +url="https://nlnetlabs.nl/projects/unbound/about/" arch="all" license="BSD-3-Clause" -depends="dns-root-hints dnssec-root" +depends="dnssec-root" depends_dev="expat-dev" -_depends_migrate="/bin/sh apk-tools dns-root-hints openrc" -makedepends="$depends_dev libevent-dev openssl-dev python3-dev swig linux-headers" +_depends_migrate=" + /bin/sh + apk-tools + openrc + " +makedepends="$depends_dev + libevent-dev + linux-headers + openssl-dev>3 + protobuf-c-dev + python3-dev + swig + " +checkdepends=" + bind-tools + ldns-tools + " install="$pkgname.pre-install" -options="!check" pkgusers="unbound" pkggroups="unbound" -subpackages="$pkgname-dev $pkgname-doc $pkgname-libs $pkgname-dbg - $pkgname-openrc py-unbound:py $pkgname-migrate::noarch" +subpackages=" + $pkgname-dbg + $pkgname-dev + $pkgname-doc + $pkgname-libs + $pkgname-openrc + py-unbound:py + $pkgname-migrate::noarch + " source="https://unbound.net/downloads/unbound-$pkgver.tar.gz conf.patch migrate-dnscache-to-unbound 
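Review bot: Dropping `dns-root-hints` from `depends` can break existing installs on upgrade. The previous conf.patch put `root-hints: /usr/share/dns-root-hints/named.root` into the shipped config, and the migrate script wrote the same line. Once no package depends on `dns-root-hints`, the package manager may remove that file, and unbound will probably refuse to start with a configured hints file missing; please verify this. Either keep the dependency for a transition release or add an upgrade script that warns when the active config still references the old path; `install=` lists only `$pkgname.pre-install`. The same concern covers the `root.hints` symlink removed from `package()` in the `@@ -57,47 +95,31 @@` hunk.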
@@ -26,12 +48,27 @@ source="https://unbound.net/downloads/unbound-$pkgver.tar.gz " # secfixes: +# 1.19.2-r0: +# - CVE-2024-1931 +# 1.19.1-r0: +# - CVE-2023-50387 +# - CVE-2023-50868 +# 1.16.3-r0: +# - CVE-2022-3204 +# 1.16.2-r0: +# - CVE-2022-30698 +# - CVE-2022-30699 +# 1.10.1-r0: +# - CVE-2020-12662 +# - CVE-2020-12663 # 1.9.5-r0: # - CVE-2019-18934 # 1.9.4-r0: # - CVE-2019-16866 build() { + export CFLAGS="$CFLAGS -flto=auto" + PYTHON_VERSION=3 ./configure \ --build="$CBUILD" \ --host="$CHOST" \ @@ -47,6 +84,7 @@ build() { --with-pthreads \ --disable-static \ --disable-rpath \ + --enable-dnstap \ --with-ssl \ --without-pythonmodule \ --with-pyunbound 
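Review bot: The `secfixes` block has no entry between `1.10.1-r0` and `1.16.2-r0`, a range that spans several upstream releases. If this comment feeds the distribution's security tracker, a fix that landed in that range without an entry would leave older package versions looking unaffected. I cannot tell from this diff whether any advisory is missing. Please cross-check the upstream advisories for those releases before merging.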
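Review bot: `--enable-dnstap` is added with no comment, yet it changes what the resolver links against: the build now needs `protobuf-c-dev` (added to `makedepends` in the first hunk) and presumably the matching runtime library. As far as I know dnstap stays inactive until it is enabled in the config, but once enabled it exports query and response data, including client addresses. A line at the top of `build()` would make that explicit, for example `# dnstap is compiled in but stays off unless enabled in unbound.conf`. The `./configure` call starts before and continues past this hunk, so the other options are not visible here.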
@@ -57,47 +95,31 @@ build() { make } +check() { + make test +} + package() { make DESTDIR="$pkgdir" install make DESTDIR="$pkgdir" unbound-event-install - install -m755 -D contrib/update-anchor.sh \ + install -Dm755 contrib/update-anchor.sh \ "$pkgdir"/usr/share/$pkgname/update-anchor.sh - mkdir -p "$pkgdir"/usr/share/doc/$pkgname/ - install -m644 doc/CREDITS doc/Changelog doc/FEATURES \ - doc/README doc/TODO "$pkgdir"/usr/share/doc/$pkgname/ + install -D -m644 doc/CREDITS doc/Changelog doc/FEATURES \ + doc/README doc/TODO -t "$pkgdir"/usr/share/doc/$pkgname/ cd "$pkgdir" - mkdir -p ./etc/unbound - rm -f ./etc/unbound/root.hints - ln -s ../../usr/share/dns-root-hints/named.root ./etc/unbound/root.hints - - install -m755 -D "$srcdir"/unbound.initd ./etc/init.d/unbound - install -m755 -D "$srcdir"/unbound.confd ./etc/conf.d/unbound -} - -libs() { - pkgdesc="unbound shared libraries" - depends="$depends_libs" - - mkdir -p "$subpkgdir"/usr/lib - mv "$pkgdir"/usr/lib/lib*.so.* "$subpkgdir"/usr/lib/ -} - -openrc() { - depends="$depends_openrc" - - default_openrc + install -Dm755 "$srcdir"/unbound.initd ./etc/init.d/unbound + install -Dm644 "$srcdir"/unbound.confd ./etc/conf.d/unbound } py() { pkgdesc="Python bindings to libunbound" depends="$depends_py" - mkdir -p "$subpkgdir"/usr/lib/ - mv "$pkgdir"/usr/lib/python* "$subpkgdir"/usr/lib/ + amove usr/lib/python* } migrate() { 
@@ -108,8 +130,10 @@ migrate() { "$subpkgdir"/usr/bin/migrate-dnscache-to-unbound } -sha512sums="a64514990f5d614d749045a11f5ce9bb33cf856cc31895b4db3503f2b05a98f1ca57945b17dd7ec5befbd0c356fc42a717d3e2bae3d3510a0507d0445b1f6d59 unbound-1.10.0.tar.gz -10e76b0c0e256cf81d55a6f089644693feb94bd2470730bcbcedb5f340397d2316f3a9ee57adc3d5e84e83cc26109c8cb48f6e2e3bfdbd186e40071b7b4284f1 conf.patch -0a5c7b8f2b8c79c5384bce05962c8f8f5f31ce3aeb967b0e897361a24ea7065eb4e7c28ff3acfb0fb0d46be966d4e526e64b231f49b589ec63f576c25433bb59 migrate-dnscache-to-unbound -8ceabe5efcccfa1d9e210a8166de60ce218ea0261b9edf620524f33216786fad64d6cd8551255942091ee171247222a49a99a1a1ca1999d43fff00ccb17b6276 unbound.initd -40c660f275a78f93677761f52bdf7ef151941e8469dd17767a947dbe575880e0d113c320d15c7ea7e12ef636d8ec9453eeae804619678293fa35e3d4c7e75a71 unbound.confd" +sha512sums=" +f860614f090a5a081cceff8ca7f4b3d416c00a251ae14ceb6b4159dc8cd022f025592074d3d78aee2f86c3eeae9d1a314713e4740aa91062579143199accd159 unbound-1.19.3.tar.gz +05fec1829dfb5279f35a76eeab768d88b6dffee4477b1db693360021969bdcc89e309f71ea6cc63e0f921b1fc223a073b97892be2095ed93d7da917a59e09d00 conf.patch +7ab3f57ade3fe8add60bfce208efccc968728fac5c94c759c34aaa09aa71e0da06dd7c24ae0fecf9e2ccc869594226d68b24fe2b0a0b161b833e22c0de1b03b6 migrate-dnscache-to-unbound +7ca4c42c00a86f737fd8f5024efce218c9d0dee8fb8708df60f7b292c25b4d3a35ed46a8a0a32847451bca988b5de2dbdddb7fed352170c03263281fc579582b unbound.initd +0ceae15d69deb24baa16990226de31fe743d84779a2595f31b4910b46ef925fc132cec1683d0a06141f707d9cbe517d731015702c60d9df4958ccfb9abd5a23f unbound.confd +" diff --git a/main/unbound/conf.patch b/main/unbound/conf.patch index d43b3d2dd3e..e92cc373652 100644 --- a/main/unbound/conf.patch +++ b/main/unbound/conf.patch 
@@ -1,6 +1,7 @@ ---- a/doc/example.conf.in -+++ b/doc/example.conf.in -@@ -337,12 +337,9 @@ +diff -upr unbound-1.13.0.orig/doc/example.conf.in unbound-1.13.0/doc/example.conf.in +--- unbound-1.13.0.orig/doc/example.conf.in 2020-12-21 09:58:04.154390497 +0100 ++++ unbound-1.13.0/doc/example.conf.in 2020-12-21 09:58:53.094583255 +0100 +@@ -355,9 +355,6 @@ server: # print log lines that say why queries return SERVFAIL to clients. # log-servfail: no @@ -9,12 +10,8 @@ - # file to read root hints from. # get one from https://www.internic.net/domain/named.cache -- # root-hints: "" -+ root-hints: /usr/share/dns-root-hints/named.root - - # enable to not answer id.server and hostname.bind queries. - # hide-identity: no -@@ -489,7 +486,7 @@ + # root-hints: "" +@@ -507,7 +504,7 @@ server: # you start unbound (i.e. in the system boot scripts). And enable: # Please note usage of unbound-anchor root anchor is at your own risk # and under the terms of our LICENSE (see that file in the source). @@ -23,7 +20,7 @@ # trust anchor signaling sends a RFC8145 key tag query after priming. # trust-anchor-signaling: yes -@@ -506,7 +503,7 @@ +@@ -519,7 +516,7 @@ server: # with several entries, one file per entry. # Zone file format, with DS and DNSKEY entries. # Note this gets out of date, use auto-trust-anchor-file please. @@ -32,7 +29,7 @@ # Trusted key for validation. DS or DNSKEY. specify the RR on a # single line, surrounded by "". TTL is ignored. class is IN default. -@@ -841,12 +838,13 @@ +@@ -900,12 +897,13 @@ dynlib: remote-control: # Enable remote control with unbound-control(8) here. # set up the keys and certificates with unbound-control-setup. diff --git a/main/unbound/migrate-dnscache-to-unbound b/main/unbound/migrate-dnscache-to-unbound index 368504f7f64..03b34cd9505 100644 --- a/main/unbound/migrate-dnscache-to-unbound +++ b/main/unbound/migrate-dnscache-to-unbound 
@@ -14,7 +14,6 @@ to_subnet() { gen_config() { echo "# Config generated by $0, $(date)" echo "server:" - echo -e "\troot-hints: /usr/share/dns-root-hints/named.root\n" [ -n "$IP" ] && echo -e "\tinterface: $IP\n" [ -n "$IPSEND" ] && echo -e "\toutgoing-interface: $IPSEND\n" diff --git a/main/unbound/unbound.confd b/main/unbound/unbound.confd index c42106dba8d..275081bfa84 100644 --- a/main/unbound/unbound.confd +++ b/main/unbound/unbound.confd @@ -6,3 +6,6 @@ # Additional arguments for the unbound command. # Add "-v" to enable verbose logging (more times to increase verbosity). #command_args="" + +# Uncomment to use process supervisor. +#supervisor=supervise-daemon diff --git a/main/unbound/unbound.initd b/main/unbound/unbound.initd index 9fba36cff7d..f0955fcda7c 100644 --- a/main/unbound/unbound.initd +++ b/main/unbound/unbound.initd @@ -1,7 +1,6 @@ #!/sbin/openrc-run -supervisor=supervise-daemon -extra_commands="checkconfig configtest" +extra_commands="checkconfig" extra_started_commands="reload" name="unbound daemon" @@ -13,8 +12,9 @@ description_reload="Kills all children and reloads the configuration." : ${cfgfile:=${UNBOUND_CONFFILE:-/etc/unbound/$RC_SVCNAME.conf}} command=/usr/sbin/unbound -command_args="$command_args" -command_args_foreground="-d" +command_args="-d -c $cfgfile $command_args" +command_background=yes +pidfile="/run/$RC_SVCNAME.pid" required_files="$cfgfile" @@ -39,6 +39,10 @@ reload() { start_pre || return $? ebegin "Reloading $name" - $supervisor "$RC_SVCNAME" --signal HUP + if [ "$supervisor" ]; then + $supervisor "$RC_SVCNAME" --signal HUP + else + start-stop-daemon --signal HUP --pidfile "$pidfile" + fi eend $? } |
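Review bot: In the `@@ -1,7 +1,6 @@` hunk of unbound.initd, removing `supervisor=supervise-daemon` means the daemon is no longer restarted after a crash unless the admin uncomments the new line in `unbound.confd`. For a resolver that the rest of the host depends on, upgrades pick up this change in failure behaviour silently, since a locally edited `/etc/conf.d/unbound` is typically left in place. Dropping `configtest` from `extra_commands` also breaks any script that still calls it; whether the function itself remains is not visible here. Consider keeping `configtest` for one release and stating both changes in the commit message.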
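Review bot: In the `@@ -13,8 +12,9 @@` hunk of unbound.initd, `pidfile="/run/$RC_SVCNAME.pid"` is now written by the service manager for the backgrounded `-d` process, but unbound may also write a pid file of its own, depending on the `pidfile:` setting in its config. That setting is not visible in this diff, so please confirm the two paths cannot collide or go stale independently. Separately, `-c $cfgfile` is placed unquoted into `command_args`, so a path containing whitespace (it can come from `UNBOUND_CONFFILE`) is split into several arguments. A comment above the assignment would document that limit, for example `# cfgfile must not contain whitespace`.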
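Review bot: In the `@@ -39,6 +39,10 @@` hunk of unbound.initd, the fallback branch of `reload()` sends HUP to whatever PID is recorded in `$pidfile` without checking that the process is still unbound. If the file is stale and the PID has been reused, the signal goes to an unrelated process. Passing the executable as well lets start-stop-daemon match on it: `start-stop-daemon --signal HUP --exec "$command" --pidfile "$pidfile"`. As a style point, `[ -n "$supervisor" ]` states the intent more clearly than the bare `[ "$supervisor" ]`. `reload()` begins before this hunk, so only its tail is reviewed here.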