[net-dns/bind] sync with tree, hopefully not breaking anything
This commit is contained in:
parent
6d4b7f8bba
commit
9a851e23bd
@ -1,3 +1,2 @@
|
|||||||
DIST bind-9.18.27.tar.xz 5524000 BLAKE2B 720b1677606c27768af7799f4a36cebcbebea2f4ddf42421bc9cba29d48b8f3bc9616c691c1b7e1897635984d01099ea40c1c7346908aa3652b1347794139e25 SHA512 d0c89821fef38e531d65b465adeb5946589775e6a4d5e2068e969f1106c961d3b202af19247b9e20f9fbde645be10d610478edf89ed0d83b39d38fb4353c693a
|
DIST bind-9.18.29.tar.xz 5562720 BLAKE2B f3e7de6936362bcce4993e401ed8fdd9d597459e82ad908a918fff1da619f91ef4896595ea210b43f2b492d763d7be2b71105495858da55431b60874c7fd2312 SHA512 6c2676e2e2cb90f3bd73afb367813c54d1c961e12df1e12e41b9d0ee5a1d5cdf368d81410469753eaef37e43358b56796f078f3b2f20c3b247c4bef91d56c716
|
||||||
DIST bind-9.18.27.tar.xz.asc 833 BLAKE2B 8621991724e19b0b987cf82c8d6bbf31ef2440c9e133d06925c982f60d69587770dc4560c34050243da0bbe59d8180bdc910ca661cec9a0cd11d525ef4110fa2 SHA512 0da73d14dd8db8e55fcfe47e597fe242f7889b64e3cb383e24f90bed95b13cf38771cf7513bf621e308e5a6d10d83ae333ddd09f266fa7b1bd031192ec698404
|
DIST bind-9.18.29.tar.xz.asc 833 BLAKE2B afb127b5431f5e05eb1849335a692bf3a072bfc6182a8052316728a11f2f63f9f3c67a820a1d75f8d4cf3fe50e142f286f06f5392378bb64854402d3496061aa SHA512 6612c7151c4c1736e0237b8219cefbafbc1dcd4b04ad9b12b99cba703e6debde90d2f9838dd1465a47b9a002a598d9b8f3221dfe1a3bdc41436a92e6d06db472
|
||||||
DIST dyndns-samples.tbz2 22866 BLAKE2B 409890653c6536cb9c0e3ba809d2bfde0e0ae73a2a101b4f229b46c01568466bc022bbbc37712171adbd08c572733e93630feab95a0fcd1ac50a7d37da1d1108 SHA512 83b0bf99f8e9ff709e8e9336d8c5231b98a4b5f0c60c10792f34931e32cc638d261967dfa5a83151ec3740977d94ddd6e21e9ce91267b3e279b88affdbc18cac
|
|
||||||
|
@ -3,73 +3,61 @@
|
|||||||
|
|
||||||
EAPI=8
|
EAPI=8
|
||||||
|
|
||||||
PYTHON_COMPAT=( python3_{10..12} )
|
|
||||||
|
|
||||||
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/isc.asc
|
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/isc.asc
|
||||||
inherit python-any-r1 systemd tmpfiles verify-sig
|
inherit multiprocessing systemd tmpfiles verify-sig
|
||||||
|
|
||||||
MY_PV="${PV/_p/-P}"
|
MY_PV="${PV/_p/-P}"
|
||||||
MY_PV="${MY_PV/_rc/rc}"
|
MY_PV="${MY_PV/_rc/rc}"
|
||||||
MY_P="${PN}-${MY_PV}"
|
|
||||||
|
|
||||||
RRL_PV="${MY_PV}"
|
|
||||||
|
|
||||||
DESCRIPTION="Berkeley Internet Name Domain - Name Server"
|
DESCRIPTION="Berkeley Internet Name Domain - Name Server"
|
||||||
HOMEPAGE="https://www.isc.org/software/bind https://gitlab.isc.org/isc-projects/bind9"
|
HOMEPAGE="https://www.isc.org/software/bind"
|
||||||
SRC_URI="
|
SRC_URI="
|
||||||
https://downloads.isc.org/isc/bind9/${PV}/${P}.tar.xz
|
https://downloads.isc.org/isc/bind9/${PV}/${P}.tar.xz
|
||||||
doc? ( mirror://gentoo/dyndns-samples.tbz2 )
|
|
||||||
verify-sig? ( https://downloads.isc.org/isc/bind9/${PV}/${P}.tar.xz.asc )
|
verify-sig? ( https://downloads.isc.org/isc/bind9/${PV}/${P}.tar.xz.asc )
|
||||||
"
|
"
|
||||||
S="${WORKDIR}/${MY_P}"
|
S="${WORKDIR}/${PN}-${MY_PV}"
|
||||||
|
|
||||||
LICENSE="MPL-2.0"
|
LICENSE="MPL-2.0"
|
||||||
SLOT="0"
|
SLOT="0"
|
||||||
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~x86 ~amd64-linux ~x86-linux"
|
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux"
|
||||||
IUSE="+caps dnsrps dnstap doc doh fixed-rrset idn geoip gssapi lmdb selinux static-libs test xml"
|
IUSE="+caps dnsrps dnstap doc doh fixed-rrset idn +jemalloc geoip gssapi lmdb selinux static-libs test xml"
|
||||||
|
RESTRICT="!test? ( test )"
|
||||||
|
|
||||||
# libuv lower bound should be the highest value seen at
|
|
||||||
# https://gitlab.isc.org/isc-projects/bind9/-/blob/bind-9.18/lib/isc/netmgr/netmgr.c?ref_type=heads#L203
|
|
||||||
# to avoid issues with matching stable/testing, etc
|
|
||||||
DEPEND="
|
DEPEND="
|
||||||
acct-group/named
|
acct-group/named
|
||||||
acct-user/named
|
acct-user/named
|
||||||
dev-libs/jemalloc
|
|
||||||
dev-libs/json-c:=
|
dev-libs/json-c:=
|
||||||
>=dev-libs/libuv-1.42.0:=
|
>=dev-libs/libuv-1.37.0:=
|
||||||
sys-libs/zlib
|
sys-libs/zlib:=
|
||||||
dev-libs/openssl:=[-bindist(-)]
|
dev-libs/openssl:=[-bindist(-)]
|
||||||
caps? ( >=sys-libs/libcap-2.1.0 )
|
caps? ( >=sys-libs/libcap-2.1.0 )
|
||||||
dnstap? ( dev-libs/fstrm dev-libs/protobuf-c )
|
dnstap? (
|
||||||
doh? ( net-libs/nghttp2 )
|
dev-libs/fstrm
|
||||||
|
dev-libs/protobuf-c
|
||||||
|
)
|
||||||
|
doh? ( net-libs/nghttp2:= )
|
||||||
geoip? ( dev-libs/libmaxminddb )
|
geoip? ( dev-libs/libmaxminddb )
|
||||||
gssapi? ( virtual/krb5 )
|
gssapi? ( virtual/krb5 )
|
||||||
idn? ( net-dns/libidn2 )
|
idn? ( net-dns/libidn2 )
|
||||||
|
jemalloc? ( dev-libs/jemalloc:= )
|
||||||
lmdb? ( dev-db/lmdb )
|
lmdb? ( dev-db/lmdb )
|
||||||
xml? ( dev-libs/libxml2 )
|
xml? ( dev-libs/libxml2 )
|
||||||
"
|
"
|
||||||
|
RDEPEND="
|
||||||
# optionally for testing dnssec
|
${DEPEND}
|
||||||
# dev-python/dnspython[dnssec]
|
|
||||||
BDEPEND="
|
|
||||||
test? (
|
|
||||||
${PYTHON_DEPS}
|
|
||||||
dev-python/pytest
|
|
||||||
dev-python/requests
|
|
||||||
dev-python/requests-toolbelt
|
|
||||||
dev-python/dnspython
|
|
||||||
dev-perl/Net-DNS-SEC
|
|
||||||
dev-util/cmocka
|
|
||||||
)
|
|
||||||
"
|
|
||||||
|
|
||||||
RDEPEND="${DEPEND}
|
|
||||||
selinux? ( sec-policy/selinux-bind )
|
selinux? ( sec-policy/selinux-bind )
|
||||||
sys-process/psmisc
|
sys-process/psmisc
|
||||||
!net-dns/bind-tools
|
!<net-dns/bind-tools-9.18.0
|
||||||
|
"
|
||||||
|
# sphinx required for man-page and html creation
|
||||||
|
BDEPEND="
|
||||||
|
virtual/pkgconfig
|
||||||
|
doc? ( dev-python/sphinx )
|
||||||
|
test? (
|
||||||
|
dev-util/cmocka
|
||||||
|
dev-util/kyua
|
||||||
|
)
|
||||||
"
|
"
|
||||||
|
|
||||||
RESTRICT="!test? ( test )"
|
|
||||||
|
|
||||||
src_configure() {
|
src_configure() {
|
||||||
local myeconfargs=(
|
local myeconfargs=(
|
||||||
@ -79,7 +67,6 @@ src_configure() {
|
|||||||
--enable-full-report
|
--enable-full-report
|
||||||
--without-readline
|
--without-readline
|
||||||
--with-openssl="${ESYSROOT}"/usr
|
--with-openssl="${ESYSROOT}"/usr
|
||||||
--with-jemalloc
|
|
||||||
--with-json-c
|
--with-json-c
|
||||||
--with-zlib
|
--with-zlib
|
||||||
$(use_enable caps linux-caps)
|
$(use_enable caps linux-caps)
|
||||||
@ -93,25 +80,18 @@ src_configure() {
|
|||||||
$(use_with geoip maxminddb)
|
$(use_with geoip maxminddb)
|
||||||
$(use_with gssapi)
|
$(use_with gssapi)
|
||||||
$(use_with idn libidn2)
|
$(use_with idn libidn2)
|
||||||
|
$(use_with jemalloc)
|
||||||
$(use_with lmdb)
|
$(use_with lmdb)
|
||||||
$(use_with xml libxml2)
|
$(use_with xml libxml2)
|
||||||
"${@}"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
econf "${myeconfargs[@]}"
|
econf "${myeconfargs[@]}"
|
||||||
}
|
}
|
||||||
|
|
||||||
src_test() {
|
src_test() {
|
||||||
# "${WORKDIR}/${P}"/bin/tests/system/README
|
# system tests ('emake test') require network configuration for IPs etc
|
||||||
# as root:
|
# so we run the unit tests instead.
|
||||||
# sh bin/tests/system/ifconfig.sh up
|
TEST_PARALLEL_JOBS="$(makeopts_jobs)" emake unit
|
||||||
# as portage:
|
|
||||||
# make check
|
|
||||||
# as root:
|
|
||||||
# sh bin/tests/system/ifconfig.sh down
|
|
||||||
|
|
||||||
# just run the tests that dont mock around with IP addresses
|
|
||||||
emake -C tests/ check
|
|
||||||
}
|
}
|
||||||
|
|
||||||
src_install() {
|
src_install() {
|
||||||
@ -134,7 +114,8 @@ src_install() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
insinto /etc/bind
|
insinto /etc/bind
|
||||||
newins "${FILESDIR}"/named.conf-r9 named.conf
|
newins "${FILESDIR}"/named.conf-r8 named.conf
|
||||||
|
newins "${FILESDIR}"/named.conf.auth named.conf.auth
|
||||||
newins "${FILESDIR}"/redhat/named.rfc1912.zones named.rfc1912.zones.conf
|
newins "${FILESDIR}"/redhat/named.rfc1912.zones named.rfc1912.zones.conf
|
||||||
|
|
||||||
insinto /var/bind/pri
|
insinto /var/bind/pri
|
||||||
@ -145,16 +126,18 @@ src_install() {
|
|||||||
|
|
||||||
newenvd "${FILESDIR}"/10bind.env 10bind
|
newenvd "${FILESDIR}"/10bind.env 10bind
|
||||||
|
|
||||||
use static-libs || find "${ED}"/usr/lib* -name '*.la' -delete
|
if ! use static-libs ; then
|
||||||
|
find "${ED}"/usr/lib* -name '*.la' -delete || die
|
||||||
|
fi
|
||||||
|
|
||||||
dosym ../../var/bind/pri /etc/bind/pri
|
dosym -r /var/bind/pri /etc/bind/pri
|
||||||
dosym ../../var/bind/sec /etc/bind/sec
|
dosym -r /var/bind/sec /etc/bind/sec
|
||||||
dosym ../../var/bind/dyn /etc/bind/dyn
|
dosym -r /var/bind/dyn /etc/bind/dyn
|
||||||
keepdir /var/bind/{pri,sec,dyn} /var/log/named
|
keepdir /var/bind/{pri,sec,dyn} /var/log/named
|
||||||
|
|
||||||
fowners root:named /{etc,var}/bind /var/log/named /var/bind/{sec,pri,dyn}
|
fowners root:named /{etc,var}/bind /var/log/named /var/bind/{sec,pri,dyn}
|
||||||
fowners root:named /var/bind/pri/named.{empty,localhost,loopback} /etc/bind/{bind.keys,named.conf,named.rfc1912.zones.conf}
|
fowners root:named /var/bind/pri/named.{empty,localhost,loopback} /etc/bind/{bind.keys,named.conf.auth,named.rfc1912.zones.conf}
|
||||||
fperms 0640 /var/bind/pri/named.{empty,localhost,loopback} /etc/bind/{bind.keys,named.conf,named.rfc1912.zones.conf}
|
fperms 0640 /var/bind/pri/named.{empty,localhost,loopback} /etc/bind/{bind.keys,named.conf.auth,named.rfc1912.zones.conf}
|
||||||
fperms 0750 /etc/bind /var/bind/pri
|
fperms 0750 /etc/bind /var/bind/pri
|
||||||
fperms 0770 /var/log/named /var/bind/{,sec,dyn}
|
fperms 0770 /var/log/named /var/bind/{,sec,dyn}
|
||||||
|
|
||||||
@ -173,4 +156,97 @@ pkg_postinst() {
|
|||||||
chown root:named /etc/bind/rndc.key || die
|
chown root:named /etc/bind/rndc.key || die
|
||||||
chmod 0640 /etc/bind/rndc.key || die
|
chmod 0640 /etc/bind/rndc.key || die
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
einfo
|
||||||
|
einfo "You can edit /etc/conf.d/named to customize named settings"
|
||||||
|
einfo
|
||||||
|
|
||||||
|
einfo "If you'd like to run bind in a chroot AND this is a new"
|
||||||
|
einfo "install OR your bind doesn't already run in a chroot:"
|
||||||
|
einfo "1) Uncomment and set the CHROOT variable in /etc/conf.d/named."
|
||||||
|
einfo "2) Run \`emerge --config '=${CATEGORY}/${PF}'\`"
|
||||||
|
einfo
|
||||||
|
|
||||||
|
CHROOT=$(source /etc/conf.d/named 2>/dev/null; echo ${CHROOT})
|
||||||
|
if [[ -n ${CHROOT} ]]; then
|
||||||
|
elog "NOTE: As of net-dns/bind-9.4.3_p5-r1 the chroot part of the init-script got some major changes!"
|
||||||
|
elog "To enable the old behaviour (without using mount) uncomment the"
|
||||||
|
elog "CHROOT_NOMOUNT option in your /etc/conf.d/named config."
|
||||||
|
elog "If you decide to use the new/default method, ensure to make backup"
|
||||||
|
elog "first and merge your existing configs/zones to /etc/bind and"
|
||||||
|
elog "/var/bind because bind will now mount the needed directories into"
|
||||||
|
elog "the chroot dir."
|
||||||
|
fi
|
||||||
|
|
||||||
|
# show only when upgrading to 9.18
|
||||||
|
if [[ -n "${REPLACING_VERSIONS}" ]] && ver_test "${REPLACING_VERSIONS}" -lt 9.18; then
|
||||||
|
elog "As this is a major bind version upgrade, please read:"
|
||||||
|
elog " https://kb.isc.org/docs/changes-to-be-aware-of-when-moving-from-bind-916-to-918"
|
||||||
|
elog "for differences in functionality."
|
||||||
|
elog ""
|
||||||
|
ewarn "In particular, please note that bind-9.18 does not need a root hints file anymore"
|
||||||
|
ewarn "and we only ship with one as a stop-gap. If your current configuration specifies a"
|
||||||
|
ewarn "root hints file - usually called named.cache - bind will not start as it will not be able"
|
||||||
|
ewarn "to find the specified file. Best practice is to delete the offending lines that"
|
||||||
|
ewarn "reference named.cache file from your configuration."
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
pkg_config() {
|
||||||
|
CHROOT=$(source /etc/conf.d/named; echo ${CHROOT})
|
||||||
|
CHROOT_NOMOUNT=$(source /etc/conf.d/named; echo ${CHROOT_NOMOUNT})
|
||||||
|
CHROOT_GEOIP=$(source /etc/conf.d/named; echo ${CHROOT_GEOIP})
|
||||||
|
|
||||||
|
if [[ -z "${CHROOT}" ]]; then
|
||||||
|
eerror "This config script is designed to automate setting up"
|
||||||
|
eerror "a chrooted bind/named. To do so, please first uncomment"
|
||||||
|
eerror "and set the CHROOT variable in '/etc/conf.d/named'."
|
||||||
|
die "Unset CHROOT"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [[ -d "${CHROOT}" ]]; then
|
||||||
|
ewarn "NOTE: As of net-dns/bind-9.4.3_p5-r1 the chroot part of the init-script got some major changes!"
|
||||||
|
ewarn "To enable the old behaviour (without using mount) uncomment the"
|
||||||
|
ewarn "CHROOT_NOMOUNT option in your /etc/conf.d/named config."
|
||||||
|
ewarn
|
||||||
|
ewarn "${CHROOT} already exists... some things might become overridden"
|
||||||
|
ewarn "press CTRL+C if you don't want to continue"
|
||||||
|
sleep 10
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo; einfo "Setting up the chroot directory..."
|
||||||
|
|
||||||
|
mkdir -m 0750 -p ${CHROOT} || die
|
||||||
|
mkdir -m 0755 -p ${CHROOT}/{dev,etc,var/log,run} || die
|
||||||
|
mkdir -m 0750 -p ${CHROOT}/etc/bind || die
|
||||||
|
mkdir -m 0770 -p ${CHROOT}/var/{bind,log/named} ${CHROOT}/run/named/ || die
|
||||||
|
|
||||||
|
chown root:named \
|
||||||
|
${CHROOT} \
|
||||||
|
${CHROOT}/var/{bind,log/named} \
|
||||||
|
${CHROOT}/run/named/ \
|
||||||
|
${CHROOT}/etc/bind \
|
||||||
|
|| die
|
||||||
|
|
||||||
|
mknod ${CHROOT}/dev/null c 1 3 || die
|
||||||
|
chmod 0666 ${CHROOT}/dev/null || die
|
||||||
|
|
||||||
|
mknod ${CHROOT}/dev/zero c 1 5 || die
|
||||||
|
chmod 0666 ${CHROOT}/dev/zero || die
|
||||||
|
|
||||||
|
if [[ "${CHROOT_NOMOUNT:-0}" -ne 0 ]]; then
|
||||||
|
cp -a /etc/bind ${CHROOT}/etc/ || die
|
||||||
|
cp -a /var/bind ${CHROOT}/var/ || die
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [[ "${CHROOT_GEOIP:-0}" -eq 1 ]]; then
|
||||||
|
if use geoip; then
|
||||||
|
mkdir -m 0755 -p ${CHROOT}/usr/share/GeoIP || die
|
||||||
|
elif use geoip2; then
|
||||||
|
mkdir -m 0755 -p ${CHROOT}/usr/share/GeoIP2 || die
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
elog "You may need to add the following line to your syslog-ng.conf:"
|
||||||
|
elog "source jail { unix-stream(\"${CHROOT}/dev/log\"); };"
|
||||||
}
|
}
|
||||||
|
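Review bot: The new fowners/fperms lines at L656 and L661 list `/etc/bind/{bind.keys,named.conf.auth,named.rfc1912.zones.conf}` and no longer `named.conf`, so the `/etc/bind/named.conf` installed at L576 keeps whatever mode `newins` gives it unless it is tightened elsewhere outside the hunk; the old side applied root:named 0640 to it, and keeping `named.conf` in both lists (`/etc/bind/{bind.keys,named.conf,named.conf.auth,named.rfc1912.zones.conf}`) restores that. In the new pkg_config(), `elif use geoip2; then` at L1026 queries a flag that IUSE at L142 does not declare (only `geoip`), and as far as I know Portage rejects a `use` query on a flag outside IUSE, so a CHROOT_GEOIP=1 host built without geoip dies there instead of creating the directory — drop the branch or declare the flag. `ver_test "${REPLACING_VERSIONS}" -lt 9.18` at L784 is handed a space-separated list when more than one version is being replaced, so the 9.18 upgrade notice should loop over the list (`for v in ${REPLACING_VERSIONS}; do ver_test "${v}" -lt 9.18 && ...; done`). The mkdir/chown/mknod lines at L927–L988 expand `${CHROOT}` unquoted while the rest of the ebuild quotes paths; quoting it there is cheap and avoids surprises with an odd CHROOT value.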
166
net-dns/bind/files/named.conf-r8
Normal file
@ -0,0 +1,166 @@
|
|||||||
|
/*
|
||||||
|
* Refer to the named.conf(5) and named(8) man pages, and the documentation
|
||||||
|
* in /usr/share/doc/bind-* for more details.
|
||||||
|
* Online versions of the documentation can be found here:
|
||||||
|
* https://kb.isc.org/article/AA-01031
|
||||||
|
*
|
||||||
|
* If you are going to set up an authoritative server, make sure you
|
||||||
|
* understand the hairy details of how DNS works. Even with simple mistakes,
|
||||||
|
* you can break connectivity for affected parties, or cause huge amounts of
|
||||||
|
* useless Internet traffic.
|
||||||
|
*/
|
||||||
|
|
||||||
|
acl "xfer" {
|
||||||
|
/* Deny transfers by default except for the listed hosts.
|
||||||
|
* If we have other name servers, place them here.
|
||||||
|
*/
|
||||||
|
none;
|
||||||
|
};
|
||||||
|
|
||||||
|
/*
|
||||||
|
* You might put in here some ips which are allowed to use the cache or
|
||||||
|
* recursive queries
|
||||||
|
*/
|
||||||
|
acl "trusted" {
|
||||||
|
127.0.0.0/8;
|
||||||
|
::1/128;
|
||||||
|
};
|
||||||
|
|
||||||
|
options {
|
||||||
|
directory "/var/bind";
|
||||||
|
pid-file "/run/named/named.pid";
|
||||||
|
|
||||||
|
/* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
|
||||||
|
//bindkeys-file "/etc/bind/bind.keys";
|
||||||
|
|
||||||
|
listen-on-v6 { ::1; };
|
||||||
|
listen-on { 127.0.0.1; };
|
||||||
|
|
||||||
|
allow-query {
|
||||||
|
/*
|
||||||
|
* Accept queries from our "trusted" ACL. We will
|
||||||
|
* allow anyone to query our master zones below.
|
||||||
|
* This prevents us from becoming a free DNS server
|
||||||
|
* to the masses.
|
||||||
|
*/
|
||||||
|
trusted;
|
||||||
|
};
|
||||||
|
|
||||||
|
allow-query-cache {
|
||||||
|
/* Use the cache for the "trusted" ACL. */
|
||||||
|
trusted;
|
||||||
|
};
|
||||||
|
|
||||||
|
allow-recursion {
|
||||||
|
/* Only trusted addresses are allowed to use recursion. */
|
||||||
|
trusted;
|
||||||
|
};
|
||||||
|
|
||||||
|
allow-transfer {
|
||||||
|
/* Zone tranfers are denied by default. */
|
||||||
|
none;
|
||||||
|
};
|
||||||
|
|
||||||
|
allow-update {
|
||||||
|
/* Don't allow updates, e.g. via nsupdate. */
|
||||||
|
none;
|
||||||
|
};
|
||||||
|
|
||||||
|
/*
|
||||||
|
* If you've got a DNS server around at your upstream provider, enter its
|
||||||
|
* IP address here, and enable the line below. This will make you benefit
|
||||||
|
* from its cache, thus reduce overall DNS traffic in the Internet.
|
||||||
|
*
|
||||||
|
* Uncomment the following lines to turn on DNS forwarding, and change
|
||||||
|
* and/or update the forwarding ip address(es):
|
||||||
|
*/
|
||||||
|
/*
|
||||||
|
forward first;
|
||||||
|
forwarders {
|
||||||
|
// 123.123.123.123; // Your ISP NS
|
||||||
|
// 124.124.124.124; // Your ISP NS
|
||||||
|
// 4.2.2.1; // Level3 Public DNS
|
||||||
|
// 4.2.2.2; // Level3 Public DNS
|
||||||
|
8.8.8.8; // Google Open DNS
|
||||||
|
8.8.4.4; // Google Open DNS
|
||||||
|
};
|
||||||
|
|
||||||
|
*/
|
||||||
|
|
||||||
|
dnssec-enable yes;
|
||||||
|
//dnssec-validation yes;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* As of bind 9.8.0:
|
||||||
|
* "If the root key provided has expired,
|
||||||
|
* named will log the expiration and validation will not work."
|
||||||
|
*/
|
||||||
|
dnssec-validation auto;
|
||||||
|
|
||||||
|
/* if you have problems and are behind a firewall: */
|
||||||
|
//query-source address * port 53;
|
||||||
|
};
|
||||||
|
|
||||||
|
/*
|
||||||
|
logging {
|
||||||
|
channel default_log {
|
||||||
|
file "/var/log/named/named.log" versions 5 size 50M;
|
||||||
|
print-time yes;
|
||||||
|
print-severity yes;
|
||||||
|
print-category yes;
|
||||||
|
};
|
||||||
|
|
||||||
|
category default { default_log; };
|
||||||
|
category general { default_log; };
|
||||||
|
};
|
||||||
|
*/
|
||||||
|
|
||||||
|
include "/etc/bind/rndc.key";
|
||||||
|
controls {
|
||||||
|
inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
|
||||||
|
};
|
||||||
|
|
||||||
|
zone "." in {
|
||||||
|
type hint;
|
||||||
|
file "/var/bind/named.cache";
|
||||||
|
};
|
||||||
|
|
||||||
|
zone "localhost" IN {
|
||||||
|
type master;
|
||||||
|
file "pri/localhost.zone";
|
||||||
|
notify no;
|
||||||
|
};
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Briefly, a zone which has been declared delegation-only will be effectively
|
||||||
|
* limited to containing NS RRs for subdomains, but no actual data beyond its
|
||||||
|
* own apex (for example, its SOA RR and apex NS RRset). This can be used to
|
||||||
|
* filter out "wildcard" or "synthesized" data from NAT boxes or from
|
||||||
|
* authoritative name servers whose undelegated (in-zone) data is of no
|
||||||
|
* interest.
|
||||||
|
* See http://www.isc.org/software/bind/delegation-only for more info
|
||||||
|
*/
|
||||||
|
|
||||||
|
//zone "COM" { type delegation-only; };
|
||||||
|
//zone "NET" { type delegation-only; };
|
||||||
|
|
||||||
|
//zone "YOUR-DOMAIN.TLD" {
|
||||||
|
// type master;
|
||||||
|
// file "/var/bind/pri/YOUR-DOMAIN.TLD.zone";
|
||||||
|
// allow-query { any; };
|
||||||
|
// allow-transfer { xfer; };
|
||||||
|
//};
|
||||||
|
|
||||||
|
//zone "YOUR-SLAVE.TLD" {
|
||||||
|
// type slave;
|
||||||
|
// file "/var/bind/sec/YOUR-SLAVE.TLD.zone";
|
||||||
|
// masters { <MASTER>; };
|
||||||
|
|
||||||
|
/* Anybody is allowed to query but transfer should be controlled by the master. */
|
||||||
|
// allow-query { any; };
|
||||||
|
// allow-transfer { none; };
|
||||||
|
|
||||||
|
/* The master should be the only one who notifies the slaves, shouldn't it? */
|
||||||
|
// allow-notify { <MASTER>; };
|
||||||
|
// notify no;
|
||||||
|
//};
|
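Review bot: `zone "." in { type hint; file "/var/bind/named.cache"; };` at L1537–L1549 makes the shipped default config reference a root-hints file, while the pkg_postinst text this same commit adds (L804–L820) warns that bind-9.18 needs no hints file and will not start if the referenced named.cache is missing; either the ebuild has to guarantee `/var/bind/named.cache` exists or this zone block should be dropped from named.conf-r8, and I would note the choice in the comment above the zone. `dnssec-enable yes;` at L1411 is an obsolete option in the 9.18 series and, if I recall the 9.18 removal list correctly, named-checkconf rejects it — run `named-checkconf` against this file and remove the line if so, since `dnssec-validation auto;` at L1442 already carries the intended setting. The access defaults themselves look right for a stock install (loopback listen-on, `allow-transfer { none; }`, recursion and cache limited to `trusted`, `allow-update { none; }`), so the comment `/* Zone tranfers are denied by default. */` at L1295 only needs the typo fixed to `transfers`.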
@ -3,7 +3,7 @@
|
|||||||
//};
|
//};
|
||||||
|
|
||||||
options {
|
options {
|
||||||
directory "/var/bind";
|
directory "/var/cache/bind";
|
||||||
pid-file "/run/named/named.pid";
|
pid-file "/run/named/named.pid";
|
||||||
|
|
||||||
listen-on { 127.0.0.1; };
|
listen-on { 127.0.0.1; };
|
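Review bot: `directory "/var/cache/bind";` at L1722 points named's working directory at a path that nothing in this commit creates or hands to the named group — the ebuild's keepdir at L641 and fowners at L649 cover `/var/bind` only — so journals, managed-keys and other files written relative to `directory` would go to a missing or root-owned location. The file name is not visible in this chunk; from the `//};` context and the install line at L580 it looks like named.conf.auth. Either keep `/var/bind` as named.conf-r8 does at L1181, or add `keepdir /var/cache/bind` plus the matching fowners/fperms to src_install.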
@ -9,6 +9,28 @@ NAMED_CONF="/etc/bind/named.conf"
|
|||||||
# Leave this unchanged if you want bind to automatically detect the number
|
# Leave this unchanged if you want bind to automatically detect the number
|
||||||
#CPU="1"
|
#CPU="1"
|
||||||
|
|
||||||
|
# If you wish to run bind in a chroot:
|
||||||
|
# 1) un-comment the CHROOT= assignment, below. You may use
|
||||||
|
# a different chroot directory but MAKE SURE it's empty.
|
||||||
|
# 2) run: emerge --config =<bind-version>
|
||||||
|
#
|
||||||
|
#CHROOT="/chroot/dns"
|
||||||
|
|
||||||
|
# Uncomment to enable binmount of /usr/share/GeoIP
|
||||||
|
#CHROOT_GEOIP="1"
|
||||||
|
|
||||||
|
# Uncomment the line below to avoid that the init script mounts the needed paths
|
||||||
|
# into the chroot directory.
|
||||||
|
# You have to copy all needed config files by hand if you say CHROOT_NOMOUNT="1".
|
||||||
|
#CHROOT_NOMOUNT="1"
|
||||||
|
|
||||||
|
# Uncomment this option if you have setup your own chroot environment and you
|
||||||
|
# don't want/need the chroot consistency check
|
||||||
|
#CHROOT_NOCHECK=1
|
||||||
|
|
||||||
|
# Default pid file location
|
||||||
|
# use named.conf to specify pid-file location
|
||||||
|
|
||||||
# Scheduling priority: 19 is the lowest and -20 is the highest.
|
# Scheduling priority: 19 is the lowest and -20 is the highest.
|
||||||
# Default: 0
|
# Default: 0
|
||||||
#NAMED_NICELEVEL="0"
|
#NAMED_NICELEVEL="0"
|
||||||
|
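Review bot: `#CHROOT_NOCHECK=1` at L1819 is written unquoted while the neighbouring examples `#CHROOT_GEOIP="1"` and `#CHROOT_NOMOUNT="1"` are quoted; the init script compares all three numerically, so either form works, but the examples should agree. The comment at L1781 says "binmount" where "bind mount" is meant. The pair `# Default pid file location` / `# use named.conf to specify pid-file location` at L1826–L1830 reads as if a variable line is missing; since the init script takes the path from `named-checkconf -p` (L2077), state that directly, e.g. `# The pid file path is read from the pid-file option in named.conf; there is no variable to set here.`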
@ -11,13 +11,83 @@ depend() {
|
|||||||
provide dns
|
provide dns
|
||||||
}
|
}
|
||||||
|
|
||||||
NAMED_CONF=${NAMED_CONF:-/etc/bind/named.conf}
|
NAMED_CONF=${NAMED_CONF:-${CHROOT}/etc/bind/named.conf}
|
||||||
|
|
||||||
|
OPENSSL_LIBGOST=${OPENSSL_LIBGOST:-0}
|
||||||
|
MOUNT_CHECK_TIMEOUT=${MOUNT_CHECK_TIMEOUT:-60}
|
||||||
|
|
||||||
|
_mount() {
|
||||||
|
local from
|
||||||
|
local to
|
||||||
|
local opts
|
||||||
|
local ret=0
|
||||||
|
|
||||||
|
if [ "${#}" -lt 3 ]; then
|
||||||
|
eerror "_mount(): to few arguments"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
from=$1
|
||||||
|
to=$2
|
||||||
|
shift 2
|
||||||
|
|
||||||
|
opts="${*}"
|
||||||
|
shift $#
|
||||||
|
|
||||||
|
if [ -z "$(awk "\$2 == \"${to}\" { print \$2 }" /proc/mounts)" ]; then
|
||||||
|
einfo "mounting ${from} to ${to}"
|
||||||
|
mount ${from} ${to} ${opts}
|
||||||
|
ret=$?
|
||||||
|
|
||||||
|
eend $ret
|
||||||
|
return $ret
|
||||||
|
fi
|
||||||
|
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
_umount() {
|
||||||
|
local dir=$1
|
||||||
|
local ret=0
|
||||||
|
|
||||||
|
if [ -n "$(awk "\$2 == \"${dir}\" { print \$2 }" /proc/mounts)" ]; then
|
||||||
|
ebegin "umounting ${dir}"
|
||||||
|
umount ${dir}
|
||||||
|
ret=$?
|
||||||
|
|
||||||
|
eend $ret
|
||||||
|
return $ret
|
||||||
|
fi
|
||||||
|
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
_get_pidfile() {
|
_get_pidfile() {
|
||||||
# as suggested in bug #107724, bug 335398#c17
|
# as suggested in bug #107724, bug 335398#c17
|
||||||
[ -n "${PIDFILE}" ] || PIDFILE=$(\
|
[ -n "${PIDFILE}" ] || PIDFILE=${CHROOT}$(\
|
||||||
/usr/bin/named-checkconf -p ${NAMED_CONF} | grep 'pid-file' | cut -d\" -f2)
|
/usr/sbin/named-checkconf -p ${CHROOT:+-t} ${CHROOT} ${NAMED_CONF#${CHROOT}} | grep 'pid-file' | cut -d\" -f2)
|
||||||
[ -z "${PIDFILE}" ] && PIDFILE="/run/named/named.pid"
|
[ -z "${PIDFILE}" ] && PIDFILE=${CHROOT}/run/named/named.pid
|
||||||
|
}
|
||||||
|
|
||||||
|
check_chroot() {
|
||||||
|
if [ -n "${CHROOT}" ]; then
|
||||||
|
[ ! -d "${CHROOT}" ] && return 1
|
||||||
|
[ ! -d "${CHROOT}/dev" ] || [ ! -d "${CHROOT}/etc" ] || [ ! -d "${CHROOT}/var" ] && return 1
|
||||||
|
[ ! -d "${CHROOT}/run" ] || [ ! -d "${CHROOT}/var/log" ] && return 1
|
||||||
|
[ ! -d "${CHROOT}/etc/bind" ] || [ ! -d "${CHROOT}/var/bind" ] && return 1
|
||||||
|
[ ! -d "${CHROOT}/var/log/named" ] && return 1
|
||||||
|
[ ! -c "${CHROOT}/dev/null" ] || [ ! -c "${CHROOT}/dev/zero" ] && return 1
|
||||||
|
[ "${CHROOT_GEOIP:-0}" -eq 1 ] && [ ! -d "${CHROOT}/usr/share/GeoIP" ] && return 1
|
||||||
|
if [ ${OPENSSL_LIBGOST:-0} -eq 1 ]; then
|
||||||
|
if [ -d "/usr/lib64" ]; then
|
||||||
|
[ ! -d "${CHROOT}/usr/lib64/engines" ] && return 1
|
||||||
|
elif [ -d "/usr/lib" ]; then
|
||||||
|
[ ! -d "${CHROOT}/usr/lib/engines" ] && return 1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
checkconfig() {
|
checkconfig() {
|
||||||
@ -27,23 +97,65 @@ checkconfig() {
|
|||||||
eerror "No ${NAMED_CONF} file exists!"
|
eerror "No ${NAMED_CONF} file exists!"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
/usr/bin/named-checkconf ${NAMED_CONF} || {
|
|
||||||
|
/usr/sbin/named-checkconf ${CHROOT:+-t} ${CHROOT} ${NAMED_CONF#${CHROOT}} || {
|
||||||
eerror "named-checkconf failed! Please fix your config first."
|
eerror "named-checkconf failed! Please fix your config first."
|
||||||
return 1
|
return 1
|
||||||
}
|
}
|
||||||
|
|
||||||
eend 0
|
eend 0
|
||||||
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
checkzones() {
|
checkzones() {
|
||||||
ebegin "Checking named configuration and zones"
|
ebegin "Checking named configuration and zones"
|
||||||
/usr/bin/named-checkconf -z ${NAMED_CONF}
|
/usr/sbin/named-checkconf -z -j ${CHROOT:+-t} ${CHROOT} ${NAMED_CONF#${CHROOT}}
|
||||||
eend $?
|
eend $?
|
||||||
}
|
}
|
||||||
|
|
||||||
start() {
|
start() {
|
||||||
local piddir
|
local piddir
|
||||||
|
|
||||||
ebegin "Starting named"
|
ebegin "Starting ${CHROOT:+chrooted }named"
|
||||||
|
|
||||||
|
if [ -n "${CHROOT}" ]; then
|
||||||
|
if [ ${CHROOT_NOCHECK:-0} -eq 0 ]; then
|
||||||
|
check_chroot || {
|
||||||
|
eend 1
|
||||||
|
eerror "Your chroot dir ${CHROOT} is inconsistent, please run 'emerge --config net-dns/bind' first"
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ ${OPENSSL_LIBGOST:-0} -eq 1 ]; then
|
||||||
|
if [ ! -e /usr/lib/engines/libgost.so ]; then
|
||||||
|
eend 1
|
||||||
|
eerror "Couldn't find /usr/lib/engines/libgost.so but bind has been built with openssl and libgost support"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
cp -Lp /usr/lib/engines/libgost.so "${CHROOT}/usr/lib/engines/libgost.so" || {
|
||||||
|
eend 1
|
||||||
|
eerror "Couldn't copy /usr/lib/engines/libgost.so into '${CHROOT}/usr/lib/engines/'"
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
fi
|
||||||
|
cp -Lp /etc/localtime "${CHROOT}/etc/localtime"
|
||||||
|
|
||||||
|
if [ "${CHROOT_NOMOUNT:-0}" -eq 0 ]; then
|
||||||
|
einfo "Mounting chroot dirs"
|
||||||
|
_mount /etc/bind ${CHROOT}/etc/bind -o bind
|
||||||
|
_mount /var/bind ${CHROOT}/var/bind -o bind
|
||||||
|
_mount /var/log/named ${CHROOT}/var/log/named -o bind
|
||||||
|
if [ "${CHROOT_GEOIP:-0}" -eq 1 ]; then
|
||||||
|
_mount /usr/share/GeoIP ${CHROOT}/usr/share/GeoIP -o bind
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# On initial startup, if piddir inside the chroot /var/run/named
|
||||||
|
# Then the .../var/run part might not exist yet
|
||||||
|
checkpath -q -d -o root:root -m 0755 "${piddir}/.."
|
||||||
|
fi
|
||||||
|
|
||||||
checkconfig || { eend 1; return 1; }
|
checkconfig || { eend 1; return 1; }
|
||||||
|
|
||||||
# create piddir (usually /run/named) if necessary, bug 334535
|
# create piddir (usually /run/named) if necessary, bug 334535
|
||||||
@ -63,16 +175,56 @@ start() {
|
|||||||
start-stop-daemon --start --pidfile ${PIDFILE} \
|
start-stop-daemon --start --pidfile ${PIDFILE} \
|
||||||
--nicelevel ${NAMED_NICELEVEL:-0} \
|
--nicelevel ${NAMED_NICELEVEL:-0} \
|
||||||
--exec /usr/sbin/named \
|
--exec /usr/sbin/named \
|
||||||
-- -u named -c ${NAMED_CONF} ${CPU} ${OPTIONS}
|
-- -u named ${CPU} ${OPTIONS} ${CHROOT:+-t} ${CHROOT}
|
||||||
eend $?
|
eend $?
|
||||||
}
|
}
|
||||||
|
|
||||||
stop() {
|
stop() {
|
||||||
ebegin "Stopping named"
|
local reported=0
|
||||||
|
|
||||||
|
ebegin "Stopping ${CHROOT:+chrooted }named"
|
||||||
|
|
||||||
|
# Workaround for now, until openrc's restart has been fixed.
|
||||||
|
# openrc doesn't care about a restart() function in init scripts.
|
||||||
|
if [ "${RC_CMD}" = "restart" ]; then
|
||||||
|
if [ -n "${CHROOT}" -a ${CHROOT_NOCHECK:-0} -eq 0 ]; then
|
||||||
|
check_chroot || {
|
||||||
|
eend 1
|
||||||
|
eerror "Your chroot dir ${CHROOT} is inconsistent, please run 'emerge --config net-dns/bind' first"
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
fi
|
||||||
|
|
||||||
|
checkconfig || { eend 1; return 1; }
|
||||||
|
fi
|
||||||
|
|
||||||
# -R 10, bug 335398
|
# -R 10, bug 335398
|
||||||
_get_pidfile
|
_get_pidfile
|
||||||
start-stop-daemon --stop --retry 10 --pidfile $PIDFILE \
|
start-stop-daemon --stop --retry 10 --pidfile $PIDFILE \
|
||||||
--exec /usr/sbin/named
|
--exec /usr/sbin/named
|
||||||
|
|
||||||
|
if [ -n "${CHROOT}" ] && [ "${CHROOT_NOMOUNT:-0}" -eq 0 ]; then
|
||||||
|
ebegin "Umounting chroot dirs"
|
||||||
|
|
||||||
|
# just to be sure everything gets clean
|
||||||
|
while fuser -s ${CHROOT} 2>/dev/null; do
|
||||||
|
if [ "${reported}" -eq 0 ]; then
|
||||||
|
einfo "Waiting until all named processes are stopped (max. ${MOUNT_CHECK_TIMEOUT} seconds)"
|
||||||
|
elif [ "${reported}" -eq "${MOUNT_CHECK_TIMEOUT}" ]; then
|
||||||
|
eerror "Waiting until all named processes are stopped failed!"
|
||||||
|
eend 1
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
sleep 1
|
||||||
|
reported=$((reported+1))
|
||||||
|
done
|
||||||
|
|
||||||
|
[ "${CHROOT_GEOIP:-0}" -eq 1 ] && _umount ${CHROOT}/usr/share/GeoIP
|
||||||
|
_umount ${CHROOT}/etc/bind
|
||||||
|
_umount ${CHROOT}/var/log/named
|
||||||
|
_umount ${CHROOT}/var/bind
|
||||||
|
fi
|
||||||
|
|
||||||
eend $?
|
eend $?
|
||||||
}
|
}
|
||||||
|
|
||||||
|
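Review bot: `checkpath -q -d -o root:root -m 0755 "${piddir}/.."` at L2428 runs before `piddir` has a value — inside start() it is only declared by `local piddir` at L2276, and the assignment belongs to the piddir block that follows L2446, outside this hunk — so the argument expands to `/..` and the chroot's run directory the comment at L2420 describes is never pre-created; move the line to after piddir is set. `-- -u named ${CPU} ${OPTIONS} ${CHROOT:+-t} ${CHROOT}` at L2471 drops the old `-c ${NAMED_CONF}`, so checkconfig() validates `${NAMED_CONF}` while named loads its compiled-in default path, and when a user sets NAMED_CONF in conf.d the file that passed the check is not the one running; keep `-c ${NAMED_CONF#${CHROOT}}`, the chroot-relative form named-checkconf already gets at L2203. In stop(), the new umount block at L2585–L2663 now sits between start-stop-daemon and `eend $?` at L2671, so eend reports the result of that block rather than of the stop; capture `ret=$?` right after start-stop-daemon and finish with `eend ${ret}`. `_mount()` pairs `einfo` (L1960) with `eend` where `_umount()` uses `ebegin` (L2020) — use ebegin in both — and the message at L1915 should read `too few arguments`.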