mirror of
https://github.com/NLnetLabs/unbound.git
synced 2026-01-20 13:42:54 -05:00
- DLV is going to be decommissioned. Advise users to stop using it, and
put text in the example configuration and man page to that effect. git-svn-id: file:///svn/unbound/trunk@3424 be551aaa-1e26-0410-a405-d3ace91eadb9
parent
bfd78a8c23
commit
b5f391d845
6 changed files with 13 additions and 46 deletions
|
|
@ -18,7 +18,6 @@ Source2: unbound.conf
|
|||
Source3: unbound.munin
|
||||
Source4: unbound_munin_
|
||||
Source5: root.key
|
||||
Source6: dlv.isc.org.key
|
||||
Patch1: unbound-1.2-glob.patch
|
||||
|
||||
Group: System Environment/Daemons
|
||||
|
|
@ -140,7 +139,6 @@ rm -rf ${RPM_BUILD_ROOT}
|
|||
%attr(0755,root,root) %dir %{_sysconfdir}/%{name}
|
||||
%ghost %attr(0755,unbound,unbound) %dir %{_localstatedir}/run/%{name}
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key
|
||||
%{_sbindir}/*
|
||||
%{_mandir}/*/*
|
||||
|
|
@ -178,11 +176,6 @@ exit 0
|
|||
|
||||
%post
|
||||
/sbin/chkconfig --add %{name}
|
||||
# dnssec-conf used to contain our DLV key, but now we include it via unbound
|
||||
# If unbound had previously been configured with dnssec-configure, we need
|
||||
# to migrate the location of the DLV key file (to keep DLV enabled, and because
|
||||
# unbound won't start with a bad location for a DLV key file.
|
||||
sed -i "s:/etc/pki/dnssec-keys[/]*dlv:/etc/unbound:" %{_sysconfdir}/unbound/unbound.conf
|
||||
|
||||
%post libs -p /sbin/ldconfig
|
||||
|
||||
|
|
|
|||
|
|
@ -1,3 +1,7 @@
|
|||
20 May 2015: Wouter
|
||||
- DLV is going to be decommissioned. Advice to stop using it, and
|
||||
put text in the example configuration and man page to that effect.
|
||||
|
||||
10 May 2015: Wouter
|
||||
- Change syntax of particular validator error to be easier for
|
||||
machine parse, swap rrset and ip adres info so it looks like:
|
||||
|
|
|
|||
|
|
@ -362,7 +362,7 @@ server:
|
|||
|
||||
# File with DLV trusted keys. Same format as trust-anchor-file.
|
||||
# There can be only one DLV configured, it is trusted from root down.
|
||||
# Download http://ftp.isc.org/www/dlv/dlv.isc.org.key
|
||||
# DLV is going to be decommissioned. Please do not use it any more.
|
||||
# dlv-anchor-file: "dlv.isc.org.key"
|
||||
|
||||
# File with trusted keys for validation. Specify more than one file
|
||||
|
|
|
|||
|
|
@ -680,14 +680,19 @@ It is possible to use wildcards with this statement, the wildcard is
|
|||
expanded on start and on reload.
|
||||
.TP
|
||||
.B dlv\-anchor\-file: \fI<filename>
|
||||
This option was used during early days DNSSEC deployment when no parent-side
|
||||
DS record registrations were easily available. Nowadays, it is best to have
|
||||
DS records registered with the parent zone (many top level zones are signed).
|
||||
File with trusted keys for DLV (DNSSEC Lookaside Validation). Both DS and
|
||||
DNSKEY entries can be used in the file, in the same format as for
|
||||
\fItrust\-anchor\-file:\fR statements. Only one DLV can be configured, more
|
||||
would be slow. The DLV configured is used as a root trusted DLV, this
|
||||
means that it is a lookaside for the root. Default is "", or no dlv anchor file.
|
||||
DLV is going to be decommissioned. Please do not use it any more.
|
||||
.TP
|
||||
.B dlv\-anchor: \fI<"Resource Record">
|
||||
Much like trust\-anchor, this is a DLV anchor with the DS or DNSKEY inline.
|
||||
DLV is going to be decommissioned. Please do not use it any more.
|
||||
.TP
|
||||
.B domain\-insecure: \fI<domain name>
|
||||
Sets domain name to be insecure, DNSSEC chain of trust is ignored towards
|
||||
|
|
|
|||
|
|
@ -1815,6 +1815,8 @@ processValidate(struct module_qstate* qstate, struct val_qstate* vq,
|
|||
|
||||
/**
|
||||
* Init DLV check.
|
||||
* DLV is going to be decommissioned, but the code is still here for some time.
|
||||
*
|
||||
* Called when a query is determined by other trust anchors to be insecure
|
||||
* (or indeterminate). Then we look if there is a key in the DLV.
|
||||
* Performs aggressive negative cache check to see if there is no key.
|
||||
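Review bot: The added doc-comment line says the DLV code stays "for some time" but gives no removal target, and in this commit the deprecation is otherwise stated only in the man page and the example configuration. An operator who still has `dlv-anchor-file:` or `dlv-anchor:` set therefore gets no signal from the running daemon that a trust source they rely on is going away; consider emitting a one-time warning where the DLV anchor is loaded. The comment itself could be made more specific, e.g. `* DLV is going to be decommissioned; this path is kept only for existing configurations.` The function this comment documents lies outside the hunk, so whether such a warning already exists elsewhere cannot be seen from here.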
|
|
|
|||
|
|
@ -75,25 +75,6 @@ section "Root anchor - DNSSEC" SectionRootKey
|
|||
AddSize 2
|
||||
sectionEnd
|
||||
|
||||
# the /o means it is not selected by default.
|
||||
section /o "DLV - dlv.isc.org" SectionDLV
|
||||
# add estimated size for key (Kb)
|
||||
AddSize 2
|
||||
SetOutPath $INSTDIR
|
||||
|
||||
# libgcc exception lib used by NSISdl plugin (in crosscompile).
|
||||
File /nonfatal "/oname=$PLUGINSDIR\libgcc_s_sjlj-1.dll" "/usr/i686-w64-mingw32/sys-root/mingw/bin/libgcc_s_sjlj-1.dll"
|
||||
|
||||
NSISdl::download "http://ftp.isc.org/www/dlv/dlv.isc.org.key" "$INSTDIR\dlv.isc.org.key"
|
||||
Pop $R0 # result from Inetc::get
|
||||
${If} $R0 != "success"
|
||||
MessageBox MB_OK|MB_ICONEXCLAMATION "Download error (ftp.isc.org: $R0), click OK to abort installation" /SD IDOK
|
||||
SetOutPath "C:\"
|
||||
RMDir "$INSTDIR" # doesnt work directory in use by us ...
|
||||
Abort
|
||||
${EndIf}
|
||||
sectionEnd
|
||||
|
||||
section "-hidden.postinstall"
|
||||
# copy files
|
||||
setOutPath $INSTDIR
|
||||
|
|
@ -128,25 +109,10 @@ section "-hidden.postinstall"
|
|||
WriteRegStr HKLM "Software\Unbound" "RootAnchor" ""
|
||||
${EndIf}
|
||||
|
||||
# Store DLV choice
|
||||
SectionGetFlags ${SectionDLV} $R0
|
||||
IntOp $R0 $R0 & ${SF_SELECTED}
|
||||
${If} $R0 == ${SF_SELECTED}
|
||||
ClearErrors
|
||||
FileOpen $R1 "$INSTDIR\service.conf" a
|
||||
IfErrors done_dlv
|
||||
FileSeek $R1 0 END
|
||||
FileWrite $R1 "$\nserver: dlv-anchor-file: $\"$INSTDIR\dlv.isc.org.key$\"$\n"
|
||||
FileClose $R1
|
||||
done_dlv:
|
||||
WriteRegStr HKLM "Software\Unbound" "CronAction" "$\"$INSTDIR\anchor-update.exe$\" dlv.isc.org $\"$INSTDIR\dlv.isc.org.key$\""
|
||||
${Else}
|
||||
WriteRegStr HKLM "Software\Unbound" "CronAction" ""
|
||||
${EndIf}
|
||||
|
||||
# store installation folder
|
||||
WriteRegStr HKLM "Software\Unbound" "InstallLocation" "$INSTDIR"
|
||||
WriteRegStr HKLM "Software\Unbound" "ConfigFile" "$INSTDIR\service.conf"
|
||||
WriteRegStr HKLM "Software\Unbound" "CronAction" ""
|
||||
WriteRegDWORD HKLM "Software\Unbound" "CronTime" 86400
|
||||
|
||||
# uninstaller
|
||||
|
|
@ -177,12 +143,10 @@ sectionEnd
|
|||
# set section descriptions
|
||||
LangString DESC_unbound ${LANG_ENGLISH} "The base unbound DNS(SEC) validating caching resolver. $\r$\n$\r$\nStarted at boot from the Services control panel, logs to the Application Log, and the config file is its Program Files folder."
|
||||
LangString DESC_rootkey ${LANG_ENGLISH} "Set up to use the DNSSEC root trust anchor. It is automatically updated. $\r$\n$\r$\nThis provides the main key that is used for security verification."
|
||||
LangString DESC_dlv ${LANG_ENGLISH} "Set up to use DLV with dlv.isc.org. Downloads the key during install. $\r$\n$\r$\nIt fetches additional public keys that are used for security verification by querying the isc.org server with names encountered."
|
||||
|
||||
!insertmacro MUI_FUNCTION_DESCRIPTION_BEGIN
|
||||
!insertmacro MUI_DESCRIPTION_TEXT ${SectionUnbound} $(DESC_unbound)
|
||||
!insertmacro MUI_DESCRIPTION_TEXT ${SectionRootKey} $(DESC_rootkey)
|
||||
!insertmacro MUI_DESCRIPTION_TEXT ${SectionDLV} $(DESC_dlv)
|
||||
!insertmacro MUI_FUNCTION_DESCRIPTION_END
|
||||
|
||||
# setup macros for uninstall functions.
|
||||
|
|
@ -214,7 +178,6 @@ section "un.Unbound"
|
|||
Delete "$INSTDIR\unbound-website.url"
|
||||
Delete "$INSTDIR\service.conf"
|
||||
Delete "$INSTDIR\example.conf"
|
||||
Delete "$INSTDIR\dlv.isc.org.key"
|
||||
Delete "$INSTDIR\root.key"
|
||||
RMDir "$INSTDIR"
|
||||
|
||||
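Review bot: The uninstall hunk appears to drop `Delete "$INSTDIR\dlv.isc.org.key"` (the +/- markers are lost on this page; this is inferred from the hunk counts), but machines installed by an earlier installer with the DLV section selected still have that file, so `RMDir "$INSTDIR"` would leave the directory and a stale trust-anchor file behind. Keeping that `Delete` line in `un.Unbound` is harmless when the file is absent. The same upgrade case touches the post-install section: a `service.conf` written by an earlier install may still carry the `dlv-anchor-file:` line while `CronAction` is now always set to `""`, so the referenced key is no longer refreshed; whether `service.conf` is rewritten on upgrade is not visible in these hunks. The RPM spec section has a similar gap, since it removes the packaged key along with the `%post` comment stating that unbound won't start with a bad location for a DLV key file.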
|
|
|
|||