[net-dns/bind] sync with tree, hopefully not breaking anything

2024-09-02 16:47:24 +02:00
parent 6d4b7f8bba
commit 9a851e23bd
7 changed files with 486 additions and 71 deletions
--- a/net-dns/bind/files/named.conf-r8
+++ b/net-dns/bind/files/named.conf-r8
@@ -0,0 +1,166 @@
+/*
+ * Refer to the named.conf(5) and named(8) man pages, and the documentation
+ * in /usr/share/doc/bind-* for more details.
+ * Online versions of the documentation can be found here:
+ * https://kb.isc.org/article/AA-01031
+ *
+ * If you are going to set up an authoritative server, make sure you
+ * understand the hairy details of how DNS works. Even with simple mistakes,
+ * you can break connectivity for affected parties, or cause huge amounts of
+ * useless Internet traffic.
+ */
+
+acl "xfer" {
+	/* Deny transfers by default except for the listed hosts.
+	 * If we have other name servers, place them here.
+	 */
+	none;
+};
+
+/*
+ * You might put in here some ips which are allowed to use the cache or
+ * recursive queries
+ */
+acl "trusted" {
+	127.0.0.0/8;
+	::1/128;
+};
+
+options {
+	directory "/var/bind";
+	pid-file "/run/named/named.pid";
+
+	/* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
+	//bindkeys-file "/etc/bind/bind.keys";
+
+	listen-on-v6 { ::1; };
+	listen-on { 127.0.0.1; };
+
+	allow-query {
+		/*
+		 * Accept queries from our "trusted" ACL.  We will
+		 * allow anyone to query our master zones below.
+		 * This prevents us from becoming a free DNS server
+		 * to the masses.
+		 */
+		trusted;
+	};
+
+	allow-query-cache {
+		/* Use the cache for the "trusted" ACL. */
+		trusted;
+	};
+
+	allow-recursion {
+		/* Only trusted addresses are allowed to use recursion. */
+		trusted;
+	};
+
+	allow-transfer {
+		/* Zone tranfers are denied by default. */
+		none;
+	};
+
+	allow-update {
+		/* Don't allow updates, e.g. via nsupdate. */
+		none;
+	};
+
+	/*
+	* If you've got a DNS server around at your upstream provider, enter its
+	* IP address here, and enable the line below. This will make you benefit
+	* from its cache, thus reduce overall DNS traffic in the Internet.
+	*
+	* Uncomment the following lines to turn on DNS forwarding, and change
+	*  and/or update the forwarding ip address(es):
+	*/
+/*
+	forward first;
+	forwarders {
+	//	123.123.123.123;	// Your ISP NS
+	//	124.124.124.124;	// Your ISP NS
+	//	4.2.2.1;		// Level3 Public DNS
+	//	4.2.2.2;		// Level3 Public DNS
+		8.8.8.8;		// Google Open DNS
+		8.8.4.4;		// Google Open DNS
+	};
+
+*/
+
+	dnssec-enable yes;
+	//dnssec-validation yes;
+
+	/*
+	 * As of bind 9.8.0:
+	 * "If the root key provided has expired,
+	 * named will log the expiration and validation will not work."
+	 */
+	dnssec-validation auto;
+
+	/* if you have problems and are behind a firewall: */
+	//query-source address * port 53;
+};
+
+/*
+logging {
+	channel default_log {
+		file "/var/log/named/named.log" versions 5 size 50M;
+		print-time yes;
+		print-severity yes;
+		print-category yes;
+	};
+
+	category default { default_log; };
+	category general { default_log; };
+};
+*/
+
+include "/etc/bind/rndc.key";
+controls {
+	inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
+};
+
+zone "." in {
+	type hint;
+	file "/var/bind/named.cache";
+};
+
+zone "localhost" IN {
+	type master;
+	file "pri/localhost.zone";
+	notify no;
+};
+
+/*
+ * Briefly, a zone which has been declared delegation-only will be effectively
+ * limited to containing NS RRs for subdomains, but no actual data beyond its
+ * own apex (for example, its SOA RR and apex NS RRset). This can be used to
+ * filter out "wildcard" or "synthesized" data from NAT boxes or from
+ * authoritative name servers whose undelegated (in-zone) data is of no
+ * interest.
+ * See http://www.isc.org/software/bind/delegation-only for more info
+ */
+
+//zone "COM" { type delegation-only; };
+//zone "NET" { type delegation-only; };
+
+//zone "YOUR-DOMAIN.TLD" {
+//	type master;
+//	file "/var/bind/pri/YOUR-DOMAIN.TLD.zone";
+//	allow-query { any; };
+//	allow-transfer { xfer; };
+//};
+
+//zone "YOUR-SLAVE.TLD" {
+//	type slave;
+//	file "/var/bind/sec/YOUR-SLAVE.TLD.zone";
+//	masters { <MASTER>; };
+
+	/* Anybody is allowed to query but transfer should be controlled by the master. */
+//	allow-query { any; };
+//	allow-transfer { none; };
+
+	/* The master should be the only one who notifies the slaves, shouldn't it? */
+//	allow-notify { <MASTER>; };
+//	notify no;
+//};
--- a/net-dns/bind/files/named.conf.auth
+++ b/net-dns/bind/files/named.conf.auth
@@ -3,7 +3,7 @@
 //};

 options {
-	directory "/var/bind";
+	directory "/var/cache/bind";
 	pid-file "/run/named/named.pid";

 	listen-on { 127.0.0.1; };
--- a/net-dns/bind/files/named.confd-r8
+++ b/net-dns/bind/files/named.confd-r8
@@ -9,6 +9,28 @@ NAMED_CONF="/etc/bind/named.conf"
 # Leave this unchanged if you want bind to automatically detect the number
 #CPU="1"

+# If you wish to run bind in a chroot:
+# 1) un-comment the CHROOT= assignment, below. You may use
+#    a different chroot directory but MAKE SURE it's empty.
+# 2) run: emerge --config =<bind-version>
+#
+#CHROOT="/chroot/dns"
+
+# Uncomment to enable binmount of /usr/share/GeoIP
+#CHROOT_GEOIP="1"
+
+# Uncomment the line below to avoid that the init script mounts the needed paths
+# into the chroot directory.
+# You have to copy all needed config files by hand if you say CHROOT_NOMOUNT="1".
+#CHROOT_NOMOUNT="1"
+
+# Uncomment this option if you have setup your own chroot environment and you
+# don't want/need the chroot consistency check
+#CHROOT_NOCHECK=1
+
+# Default pid file location
+# use named.conf to specify pid-file location
+
 # Scheduling priority: 19 is the lowest and -20 is the highest.
 # Default: 0
 #NAMED_NICELEVEL="0"
--- a/net-dns/bind/files/named.init-r15
+++ b/net-dns/bind/files/named.init-r15
@@ -11,13 +11,83 @@ depend() {
 	provide dns
 }

-NAMED_CONF=${NAMED_CONF:-/etc/bind/named.conf}
+NAMED_CONF=${NAMED_CONF:-${CHROOT}/etc/bind/named.conf}
+
+OPENSSL_LIBGOST=${OPENSSL_LIBGOST:-0}
+MOUNT_CHECK_TIMEOUT=${MOUNT_CHECK_TIMEOUT:-60}
+
+_mount() {
+	local from
+	local to
+	local opts
+	local ret=0
+
+	if [ "${#}" -lt 3 ]; then
+		eerror "_mount(): to few arguments"
+		return 1
+	fi
+
+	from=$1
+	to=$2
+	shift 2
+
+	opts="${*}"
+	shift $#
+
+	if [ -z "$(awk "\$2 == \"${to}\" { print \$2 }" /proc/mounts)" ]; then
+		einfo "mounting ${from} to ${to}"
+		mount ${from} ${to} ${opts}
+		ret=$?
+
+		eend $ret
+		return $ret
+	fi
+
+	return 0
+}
+
+_umount() {
+	local dir=$1
+	local ret=0
+
+	if [ -n "$(awk "\$2 == \"${dir}\" { print \$2 }" /proc/mounts)" ]; then
+		ebegin "umounting ${dir}"
+		umount ${dir}
+		ret=$?
+
+		eend $ret
+		return $ret
+	fi
+
+	return 0
+}

 _get_pidfile() {
 	# as suggested in bug #107724, bug 335398#c17
-	[ -n "${PIDFILE}" ] || PIDFILE=$(\
-			/usr/bin/named-checkconf -p ${NAMED_CONF} | grep 'pid-file' | cut -d\" -f2)
-	[ -z "${PIDFILE}" ] && PIDFILE="/run/named/named.pid"
+	[ -n "${PIDFILE}" ] || PIDFILE=${CHROOT}$(\
+			/usr/sbin/named-checkconf -p ${CHROOT:+-t} ${CHROOT} ${NAMED_CONF#${CHROOT}} | grep 'pid-file' | cut -d\" -f2)
+	[ -z "${PIDFILE}" ] && PIDFILE=${CHROOT}/run/named/named.pid
+}
+
+check_chroot() {
+	if [ -n "${CHROOT}" ]; then
+		[ ! -d "${CHROOT}" ] && return 1
+		[ ! -d "${CHROOT}/dev" ] || [ ! -d "${CHROOT}/etc" ] || [ ! -d "${CHROOT}/var" ] && return 1
+		[ ! -d "${CHROOT}/run" ] || [ ! -d "${CHROOT}/var/log" ] && return 1
+		[ ! -d "${CHROOT}/etc/bind" ] || [ ! -d "${CHROOT}/var/bind" ] && return 1
+		[ ! -d "${CHROOT}/var/log/named" ] && return 1
+		[ ! -c "${CHROOT}/dev/null" ] || [ ! -c "${CHROOT}/dev/zero" ] && return 1
+		[ "${CHROOT_GEOIP:-0}" -eq 1 ] && [ ! -d "${CHROOT}/usr/share/GeoIP" ] && return 1
+		if [ ${OPENSSL_LIBGOST:-0} -eq 1 ]; then
+			if [ -d "/usr/lib64" ]; then
+				[ ! -d "${CHROOT}/usr/lib64/engines" ] && return 1
+			elif [ -d "/usr/lib" ]; then
+				[ ! -d "${CHROOT}/usr/lib/engines" ] && return 1
+			fi
+		fi
+	fi
+
+	return 0
 }

 checkconfig() {
@@ -27,23 +97,65 @@ checkconfig() {
 		eerror "No ${NAMED_CONF} file exists!"
 		return 1
 	fi
-	/usr/bin/named-checkconf ${NAMED_CONF} || {
+
+	/usr/sbin/named-checkconf ${CHROOT:+-t} ${CHROOT} ${NAMED_CONF#${CHROOT}} || {
 		eerror "named-checkconf failed! Please fix your config first."
 		return 1
 	}
+
 	eend 0
+	return 0
 }

 checkzones() {
 	ebegin "Checking named configuration and zones"
-	/usr/bin/named-checkconf -z ${NAMED_CONF}
+	/usr/sbin/named-checkconf -z -j ${CHROOT:+-t} ${CHROOT} ${NAMED_CONF#${CHROOT}}
 	eend $?
 }

 start() {
 	local piddir

-	ebegin "Starting named"
+	ebegin "Starting ${CHROOT:+chrooted }named"
+
+	if [ -n "${CHROOT}" ]; then
+		if [ ${CHROOT_NOCHECK:-0} -eq 0 ]; then
+			check_chroot || {
+				eend 1
+				eerror "Your chroot dir ${CHROOT} is inconsistent, please run 'emerge --config net-dns/bind' first"
+				return 1
+			}
+		fi
+
+		if [ ${OPENSSL_LIBGOST:-0} -eq 1 ]; then
+			if [ ! -e /usr/lib/engines/libgost.so ]; then
+				eend 1
+				eerror "Couldn't find /usr/lib/engines/libgost.so but bind has been built with openssl and libgost support"
+				return 1
+			fi
+			cp -Lp /usr/lib/engines/libgost.so "${CHROOT}/usr/lib/engines/libgost.so" || {
+				eend 1
+				eerror "Couldn't copy /usr/lib/engines/libgost.so into '${CHROOT}/usr/lib/engines/'"
+				return 1
+			}
+		fi
+		cp -Lp /etc/localtime "${CHROOT}/etc/localtime"
+
+		if [ "${CHROOT_NOMOUNT:-0}" -eq 0 ]; then
+			einfo "Mounting chroot dirs"
+			_mount /etc/bind ${CHROOT}/etc/bind -o bind
+			_mount /var/bind ${CHROOT}/var/bind -o bind
+			_mount /var/log/named ${CHROOT}/var/log/named -o bind
+			if [ "${CHROOT_GEOIP:-0}" -eq 1 ]; then
+				_mount /usr/share/GeoIP ${CHROOT}/usr/share/GeoIP -o bind
+			fi
+		fi
+
+		# On initial startup, if piddir inside the chroot /var/run/named
+		# Then the .../var/run part might not exist yet
+		checkpath -q -d -o root:root -m 0755 "${piddir}/.."
+	fi
+
 	checkconfig || { eend 1; return 1; }

 	# create piddir (usually /run/named) if necessary, bug 334535
@@ -63,16 +175,56 @@ start() {
 	start-stop-daemon --start --pidfile ${PIDFILE} \
 		--nicelevel ${NAMED_NICELEVEL:-0} \
 		--exec /usr/sbin/named \
-		-- -u named -c ${NAMED_CONF} ${CPU} ${OPTIONS}
+		-- -u named ${CPU} ${OPTIONS} ${CHROOT:+-t} ${CHROOT}
 	eend $?
 }

 stop() {
-	ebegin "Stopping named"
+	local reported=0
+
+	ebegin "Stopping ${CHROOT:+chrooted }named"
+
+	# Workaround for now, until openrc's restart has been fixed.
+	# openrc doesn't care about a restart() function in init scripts.
+	if [ "${RC_CMD}" = "restart" ]; then
+		if [ -n "${CHROOT}" -a ${CHROOT_NOCHECK:-0} -eq 0 ]; then
+			check_chroot || {
+				eend 1
+				eerror "Your chroot dir ${CHROOT} is inconsistent, please run 'emerge --config net-dns/bind' first"
+				return 1
+			}
+		fi
+
+		checkconfig || { eend 1; return 1; }
+	fi
+
 	# -R 10, bug 335398
 	_get_pidfile
 	start-stop-daemon --stop --retry 10 --pidfile $PIDFILE \
 		--exec /usr/sbin/named
+
+	if [ -n "${CHROOT}" ] && [ "${CHROOT_NOMOUNT:-0}" -eq 0 ]; then
+		ebegin "Umounting chroot dirs"
+
+		# just to be sure everything gets clean
+		while fuser -s ${CHROOT} 2>/dev/null; do
+			if [ "${reported}" -eq 0 ]; then
+				einfo "Waiting until all named processes are stopped (max. ${MOUNT_CHECK_TIMEOUT} seconds)"
+			elif [ "${reported}" -eq "${MOUNT_CHECK_TIMEOUT}" ]; then
+				eerror "Waiting until all named processes are stopped failed!"
+				eend 1
+				break
+			fi
+			sleep 1
+			reported=$((reported+1))
+		done
+
+		[ "${CHROOT_GEOIP:-0}" -eq 1 ] && _umount ${CHROOT}/usr/share/GeoIP
+		_umount ${CHROOT}/etc/bind
+		_umount ${CHROOT}/var/log/named
+		_umount ${CHROOT}/var/bind
+	fi
+
 	eend $?
 }