upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2025-12-20 23:00:56 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix bug #346: itar is discontinued.

Browse source 
git-svn-id: file:///svn/unbound/trunk@2363 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
Wouter Wijngaards 2011-01-04 06:53:57 +00:00
parent c71f33ead4
commit 046143af20
4 changed files with 3 additions and 177 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
contrib/README
View file

@ -7,9 +7,6 @@ distribution but may be helpful.
* unbound.spec and unbound.init: RPM specfile and Linux rc.d initfile. * unbound.spec and unbound.init: RPM specfile and Linux rc.d initfile.
* update-anchor.sh: shell script that uses unbound-host to update a set * update-anchor.sh: shell script that uses unbound-host to update a set
of trust anchor files. Run from cron twice a month. of trust anchor files. Run from cron twice a month.
* update-itar.sh: shell script that updates from itar.iana.org. Run from cron.
* split-itar.sh: shell script to split anchors.mf from itar.iana.org into
multiple key files so it can be used with auto-trust-anchor-file.
* unbound_munin_ : plugin for munin statistics report * unbound_munin_ : plugin for munin statistics report
* unbound_cacti.tar.gz : setup files for cacti statistics report * unbound_cacti.tar.gz : setup files for cacti statistics report
* selinux: the .fc and .te files for SElinux protection of the unbound daemon * selinux: the .fc and .te files for SElinux protection of the unbound daemon

46
contrib/split-itar.sh
View file

@ -1,46 +0,0 @@
#/usr/bin/env bash
# Contributed by Tom Hendrikx <tom@whyscream.net>
PROGNAME=$(basename $0)
usage() {
echo "$PROGNAME: split the anchors.mf file from IANA into separate files." >&2
echo "" >&2
echo "$PROGNAME uses 2 arguments:" >&2
echo " - the path to the anchors.mf, available at: https://itar.iana.org/" >&2
echo " - the directory to leave the files, defaults to '.' (current working dir)" >&2
exit 1
}
if [ -n "$1" ] && [ -r "$1" ]; then
itar="$1"
echo "Reading from: $itar"
else
echo "Error: no anchors file given" >&2
usage
fi
if [ -n "$2" ]; then
dir="$2"
else
dir=$(pwd)
fi
if [ ! -d "$dir" ]; then
echo "Error: $dir is not a directory" >&2
usage
fi
while read cn line; do
if [ $(expr match "$cn" '[a-zA-Z0-9-]*\.') -gt 0 ]; then
# first line of key
out="$dir/$cn"anchor
echo "writing key for $cn to: $out"
echo "$cn $line" > $out
elif [ "$cn" == "DS" ]; then
# second or later line of earlier defined key
echo " $cn $line" >> $out
fi
done < "$itar"
echo "Done."

128
contrib/update-itar.sh
View file

@ -1,128 +0,0 @@
#!/bin/sh
# update-itar.sh - update from the interim trust anchor repository
# Copyright 2009, W.C.A. Wijngaards
# This file is BSD licensed, see doc/LICENSE.
# --- Some settings
# directory where unbound works
thedir="."
# where is the file that unbound is going to read
ub_ta_file="$thedir/anchors.mf"
# where is the itar master file format
itar_url="ftp://ftp.iana.org/itar/anchors.mf"
# where is the itar PGP signature
itar_sig="ftp://ftp.iana.org/itar/anchors.mf.sig"
# which command to fetch urls, cmd $dest $url. "wget -O" "curl -o"
fetch_cmd="wget -O"
# file with pgp public key
pgp_pub_key_file="$thedir/update-itar.key"
# our pgp keyring (goes into .gnupg directory)
pgp_keyring_file="update-itar.ring"
# pgp command to use
pgp_cmd="gpg"
# --- The script is below
usage ( )
{
echo "usage: update-itar"
echo " Updates the trust anchors from the interim trust"
echo " anchor repository, https://itar.iana.org, and checks PGP sig."
echo
echo " Updates $ub_ta_file with the latest keys."
echo " Read that file from the unbound config with"
echo " trust-anchor-file: "'"'"$ub_ta_file"'"'
echo
echo " Exit code 0 means anchors updated, 1 no changes, "
echo " others are errors. So, in a cronjob you can do:"
echo " cd /usr/local/etc/unbound # your unbound work dir"
echo " ./update-itar.sh && unbound-control reload"
exit 2
}
if test $# -ne 0; then
usage
fi
tmpf="/tmp/update-itar.$$"
# one argument: explanation string
error_exit ( )
{
if test -f $tmpf.log; then cat $tmpf.log; fi
rm -f $tmpf $tmpf.sig $tmpf.log
echo "Error updating trust anchors: $1"
exit 2
}
if test ! -f $pgp_pub_key_file || test ! -f $HOME/.gnupg/$pgp_keyring_file || \
test "$pgp_pub_key_file" -nt $HOME/.gnupg/$pgp_keyring_file; then
# default key contents right here
if test ! -f $pgp_pub_key_file; then
echo "creating default IANA ITAR pgp key file"
cat >$pgp_pub_key_file <<EOF
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.5
mQGiBElr2DcRBAC+6YK6eSP7rzstvnMPQXMrpvVfuIR5FeTpGuwae9JP78V/iOXr
N0yW8Dn6kdAztCMuRizL1Ij9IgaD7pjn8h09VgR4cN4LDv75rcQeWLzNxKy4UNRF
aStL77RcIoTblBeCgHAK9FLzd0XfTGZCNaLNy9BYVSLyADOVDIqgBcrvBwCglz03
QhOMIgaSx/XuRh6kYtynZ6kD/2GXx6pFs57b7rww8yOpdurCSOMB1wuEXiIXznTI
06ARiib0G5VDvOdpy0LDU2526Q9f/WAERlhcExTgnTFigG4mRksUiDrrai4GIr+6
JaivcGFVYdZZ4mZ088jcwujS/UY3C0ryGR9ufYUDAnfx6frhSl6o6j5is+jeGndF
JYRAA/9B/1OXNVwFSiIxnP2aPUwsT1li1vaW8dhA/5PcuPLOVvEjPc1Pc16HGLhE
8CRmMn66LqB1ccInE5hLKGGvV3pctjan+IOhaq3OHt/a+buDtTPgykchMZ2k1AzT
RYk+gksxpIl6yTZsBH4hoRt8auxEJW8AiYbNtXXkNuWcoQL40bQsSUFOQSBUcnVz
dCBBbmNob3IgUmVwb3NpdG9yeSA8aXRhckBpYW5hLm9yZz6IYAQTEQIAIAUCSWvY
NwIbAwYLCQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJEPR9+zCB1GT0GUAAn29/TacF
Teh87dls8pmkjxS4pKf1AKCJS/MvzR54AblO4DNMyc9q0G4frrkCDQRJa9g3EAgA
ywoLxF4HVb9o926UIXw8JxNIzDPkt8galAcKRUmHQMNa/QA80WMl9Ia6DIxavGlV
I5O1fvms297RV2KSSBjKWn6G+0me80A7aw0eHNg7habM5VtzDz5DhJbQFdJV9aYV
DoTSnY6uR6iSSRrdZNaYdlCwDS8lBCnOKoGMArHzVCa2EdCBeCUY/eObOXtu8Gm3
nDkuWeLPv08/0lvtr6d6VoDUEVPEsJAPONEYtpz/D+EZddUraF+3JscWqfRApBOz
/8WHaeTNdzIH+h1ntktiizA6eH40EM6coQQxtIRsxg1DPTxofdovreMkcMI0EUUP
awDn8gDtgG3g6Ud5zCdknwAEDQf/W3rxrEN6OZxJvWti8Iu6KOgxtuINiAsimPPX
qy9KHowyEE9EMPzgADjWC9Reyusr4CwcootjWw7ryUwU0fXvVULKhg32NzLsx/Ci
WtgCPSR58WZ1KKhnoB05+PTrwzhU+u64Cd/vJtFqGxSrANl2FAkPswHJMr8dMwAz
uni7zzLJ+homW1T5AaixwmN3jeDHWshJH9E9JIhr5Y/8AzMl1V10r2u1c2ej0lBJ
Y4GegI5cYAEBerS9d+mrbPlvbJ8AfuAuEf0y/PWJh0z1+Kck5qIbXMn/rpMBYvLJ
Uj5CfqWlh8+hxqSYJDXtLm8hBiQFiMEew0jOc2Tw4F91OZ+jyYhJBBgRAgAJBQJJ
a9g3AhsMAAoJEPR9+zCB1GT0AUwAn2ZtBwAyVxppdeTqilXufUvAkvjbAJ9dUpR1
9a17/5BvDDJcIxSEKTJmDw==
=zCNZ
-----END PGP PUBLIC KEY BLOCK-----
EOF
fi
# import the new key
$pgp_cmd --no-default-keyring --keyring $pgp_keyring_file \
--primary-keyring $pgp_keyring_file \
--import $pgp_pub_key_file >$tmpf.log 2>&1 \
|| error_exit "could not import pgp public key into keyring"
fi
$fetch_cmd $tmpf $itar_url >$tmpf.log 2>&1 \
|| error_exit "fetching $itar_url failed"
tail -2 $tmpf | grep "; End of file" >/dev/null 2>&1 || \
error_exit "The file fetched from $itar_url was partial"
$fetch_cmd $tmpf.sig $itar_sig >$tmpf.log 2>&1 \
|| error_exit "fetching $itar_sig failed"
# check the file with pgp
$pgp_cmd --no-default-keyring --keyring $pgp_keyring_file \
--verify $tmpf.sig $tmpf >$tmpf.log 2>&1 \
|| error_exit "the PGP signature failed!"
# check for differences
val=1
if diff "$ub_ta_file" $tmpf 2>/dev/null ; then
# echo "The interim trust anchor repository did not change."
:
else
echo "Updating $ub_ta_file"
cp $tmpf $ub_ta_file
val=0
fi
rm -f $tmpf $tmpf.sig $tmpf.log
exit $val

3
doc/Changelog
View file

@ -1,3 +1,6 @@
4 January 2011: Wouter
- bug#346: remove ITAR scripts from contrib, the service is discontinued, use the root.
23 December 2010: Wouter 23 December 2010: Wouter
- Fix in infra cache that could cause rto larger than TOP_TIMEOUT kept. - Fix in infra cache that could cause rto larger than TOP_TIMEOUT kept.