From 8368929d5405c44c78b54c7694c75d7458ea73c6 Mon Sep 17 00:00:00 2001
From: Badchay
Date: Wed, 13 Sep 2023 21:45:15 +0700
Subject: network/unbound: Updated for version 1.18.0.
Signed-off-by: Willy Sudiarto Raharjo
---
 network/unbound/doinst.sh | 15 +++++++++++++++
 network/unbound/root.hints | 39 ++++++++++++++++++++++++++++++++++++++
 network/unbound/unbound.SlackBuild | 35 +++++++++++++++++++++++++++++++---
 3 files changed, 86 insertions(+), 3 deletions(-)
 create mode 100644 network/unbound/root.hints
(limited to 'network/unbound')
diff --git a/network/unbound/doinst.sh b/network/unbound/doinst.sh
index 9e3a986fd909..a1aece44feee 100644
--- a/network/unbound/doinst.sh
+++ b/network/unbound/doinst.sh
@@ -35,3 +35,18 @@ if [ -r /etc/logrotate.d/unbound ] && [ $(stat -c "%U:%G" "/etc/logrotate.d/unbo
 echo "To fix it, simply run:"
 echo "# chown root:root /etc/logrotate.d/unbound"
 fi
+
+echo "----------------------------"
+echo "As of Unbound SlackBuild 1.18.0-2 DNSSEC is enabled by default."
+echo
+echo "You have two options:"
+echo
+echo "1) Run the following command to setup the root trust anchor (RECOMMENDED!)"
+echo "# sudo -u unbound unbound-anchor -f /etc/resolv.conf -R -a /var/lib/unbound/root.key"
+echo
+echo "2) Disable DNSSEC and unbound-anchor functionality."
+echo "Edit /etc/unbound/unbound.conf, and erase or comment the following line:"
+echo 'auto-trust-anchor-file: "/var/lib/unbound/root.key"'
+echo
+echo "This is a suitable option if you plan to use Unbound simply as a forwarding resolver."
+echo "----------------------------"
diff --git a/network/unbound/root.hints b/network/unbound/root.hints
new file mode 100644
index 000000000000..f752a838f3ea
--- /dev/null
+++ b/network/unbound/root.hints
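Review bot: The new notice fires on every install and upgrade, even when /var/lib/unbound/root.key already exists and is being maintained by the running resolver via RFC 5011, so the "recommended" step is re-suggested each time; wrap the block in `if [ ! -e /var/lib/unbound/root.key ]; then` … `fi`, or at least print option 1 only when the key is absent. Option 2's wording implies a forwarding resolver has no use for DNSSEC, but unbound validates forwarded answers as well when the upstream returns the DNSSEC records, and dropping auto-trust-anchor-file means trusting whatever the forwarder hands back — the text should say that validation still works with forward-zone and is the safer default. `sudo -u unbound` also presumes sudo is present; `su -s /bin/sh unbound -c '...'` works on a base install where the unbound user has no login shell. Whether an existing unbound.conf kept on upgrade leaves DNSSEC off (making "enabled by default" true only for fresh installs) depends on the config() handling earlier in doinst.sh, which is outside this hunk.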
@@ -0,0 +1,39 @@
+. 3600000 IN NS a.root-servers.net.
+. 3600000 IN NS b.root-servers.net.
+. 3600000 IN NS c.root-servers.net.
+. 3600000 IN NS d.root-servers.net.
+. 3600000 IN NS e.root-servers.net.
+. 3600000 IN NS f.root-servers.net.
+. 3600000 IN NS g.root-servers.net.
+. 3600000 IN NS h.root-servers.net.
+. 3600000 IN NS i.root-servers.net.
+. 3600000 IN NS j.root-servers.net.
+. 3600000 IN NS k.root-servers.net.
+. 3600000 IN NS l.root-servers.net.
+. 3600000 IN NS m.root-servers.net.
+a.root-servers.net. 3600000 IN A 198.41.0.4
+a.root-servers.net. 3600000 IN AAAA 2001:503:ba3e:0:0:0:2:30
+b.root-servers.net. 3600000 IN A 199.9.14.201
+b.root-servers.net. 3600000 IN AAAA 2001:500:200:0:0:0:0:b
+c.root-servers.net. 3600000 IN A 192.33.4.12
+c.root-servers.net. 3600000 IN AAAA 2001:500:2:0:0:0:0:c
+d.root-servers.net. 3600000 IN A 199.7.91.13
+d.root-servers.net. 3600000 IN AAAA 2001:500:2d:0:0:0:0:d
+e.root-servers.net. 3600000 IN A 192.203.230.10
+e.root-servers.net. 3600000 IN AAAA 2001:500:a8:0:0:0:0:e
+f.root-servers.net. 3600000 IN A 192.5.5.241
+f.root-servers.net. 3600000 IN AAAA 2001:500:2f:0:0:0:0:f
+g.root-servers.net. 3600000 IN A 192.112.36.4
+g.root-servers.net. 3600000 IN AAAA 2001:500:12:0:0:0:0:d0d
+h.root-servers.net. 3600000 IN A 198.97.190.53
+h.root-servers.net. 3600000 IN AAAA 2001:500:1:0:0:0:0:53
+i.root-servers.net. 3600000 IN A 192.36.148.17
+i.root-servers.net. 3600000 IN AAAA 2001:7fe:0:0:0:0:0:53
+j.root-servers.net. 3600000 IN A 192.58.128.30
+j.root-servers.net. 3600000 IN AAAA 2001:503:c27:0:0:0:2:30
+k.root-servers.net. 3600000 IN A 193.0.14.129
+k.root-servers.net. 3600000 IN AAAA 2001:7fd:0:0:0:0:0:1
+l.root-servers.net. 3600000 IN A 199.7.83.42
+l.root-servers.net. 3600000 IN AAAA 2001:500:9f:0:0:0:0:42
+m.root-servers.net. 3600000 IN A 202.12.27.33
+m.root-servers.net. 3600000 IN AAAA 2001:dc3:0:0:0:0:0:35
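Review bot: The hints file carries no provenance: the `;` header lines of InterNIC's named.root (serial, last-update date, fetch URL) were stripped, so nobody can later tell which snapshot this is or when it needs refreshing; keep them, e.g. `; last update: <date fetched>` and `; related version of root zone: <serial>` at the top. The addresses match the current root server list, but a static copy in /etc only pays off if it is refreshed — unbound ships compiled-in hints that are presumably no older than this file, and priming only needs one reachable root to recover, so a stale file adds maintenance without adding safety. A one-line comment with the refresh source (`; fetch: https://www.internic.net/domain/named.root`) would help whoever maintains this.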
diff --git a/network/unbound/unbound.SlackBuild b/network/unbound/unbound.SlackBuild
index 19360e9025cf..8f40a61d6e1e 100644
--- a/network/unbound/unbound.SlackBuild
+++ b/network/unbound/unbound.SlackBuild
@@ -28,7 +28,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 PRGNAM=unbound
 VERSION=${VERSION:-1.18.0}
-BUILD=${BUILD:-1}
+BUILD=${BUILD:-2}
 TAG=${TAG:-_SBo}
 PKGTYPE=${PKGTYPE:-tgz}
@@ -83,6 +83,10 @@ if ! grep -q ^"$UB_USER": /etc/passwd ; then
 exit 1
 fi
+# This needs to be set. Otherwise Unbound
+# will build against Python 2.
+UNB_PY_VERSION=${UNB_PY_VERSION:-3.9}
+
 set -e
 rm -rf $PKG
@@ -100,6 +104,7 @@ find -L . \
 CFLAGS="$SLKCFLAGS" \
 CXXFLAGS="$SLKCFLAGS" \
+PYTHON_VERSION="$UNB_PY_VERSION" \
 ./configure \
 --prefix=/usr \
 --libdir=/usr/lib${LIBDIRSUFFIX} \
@@ -111,9 +116,15 @@ CXXFLAGS="$SLKCFLAGS" \
 --with-ssl \
 --enable-dnscrypt \
 --disable-static \
+ --enable-sha2 \
+ --enable-subnet \
+ --with-pythonmodule \
+ --with-pyunbound \
 --with-username=$UB_USER \
 --with-pidfile=/var/run/unbound/unbound.pid \
+ --with-rootkey-file=/var/lib/unbound/root.key \
 --build=$ARCH-slackware-linux \
+ --host=$ARCH-slackware-linux \
 make
 make install DESTDIR=$PKG
@@ -142,7 +153,13 @@ touch -r doc/Changelog $PKG/usr/doc/$PRGNAM-$VERSION/Changelog
 # 3) Change timestamps to ASCII format (from Epoch).
 # 4) Turn off chroot.
 # 5) Disable systemd socket activation.
-# 6) Set num-threads to $(nproc). Still disabled by default.
+# 6) Set num-threads to $(nproc).
+# 7) Use root-hints file.
+# 8) Set DNS prefetch to "yes".
+# 9) Harden against out of zone rrsets (harden-glue).
+# 10) Harden against receiving dnssec-stripped data (harden-dnssec-stripped).
+# 11) Enable aggressive NSEC, root-key-sentinel and RFC8145 (trust anchor
+# signaling).
 cp -a $PKG/etc/unbound/unbound.conf $PKG/etc/unbound/unbound.conf.upstream
 sed -i \
 -e 's/# control-interface:/control-interface:/g' \
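Review bot: `UNB_PY_VERSION=${UNB_PY_VERSION:-3.9}` hard-codes the Python minor version, so on a host whose python3 is not 3.9 the configure run below either fails to locate python3.9 or builds the module against a leftover install; derive the default from the interpreter actually present, `UNB_PY_VERSION=${UNB_PY_VERSION:-$(python3 -c 'import sys; print("%d.%d" % sys.version_info[:2])')}`, keeping the env override. The assignment sits before `set -e`, so a missing python3 would leave the value empty and nothing here checks what configure does with an empty PYTHON_VERSION — add `[ -n "$UNB_PY_VERSION" ] || { echo "python3 not found" >&2; exit 1; }`. The comment should explain the mechanism rather than the symptom: `# PYTHON_VERSION tells configure which interpreter to probe; without it the "python" binary (2.x) is picked up.`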
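Review bot: `--with-pythonmodule` and `--enable-subnet` enlarge the resolver's feature surface — the Python module lets unbound.conf load arbitrary scripts into the daemon and EDNS Client Subnet can forward client prefixes to upstream authoritatives — and while both stay inert until `python:` / `send-client-subnet` are configured, a comment saying so above the flags would save the next maintainer a trip to the docs. `--enable-sha2` appears to be the default in this release (the switch is exposed as --disable-sha2), so it is a no-op; drop it or annotate it. `--host=$ARCH-slackware-linux` next to the identical `--build=` is redundant and, should the two ever differ, flips configure into cross-compile mode and makes it look for `$ARCH-slackware-linux-gcc`; a short comment on why it was added would help.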
@@ -151,17 +168,29 @@ sed -i \
 -e 's/# use-systemd: no/use-systemd: no/g' \
 -e 's/# logfile: ""/logfile: "\/var\/log\/unbound\/unbound.log"/g' \
 -e 's/# chroot: "\/etc\/unbound"/chroot: ""/g' \
--e 's/# num-threads: 1/# num-threads: '$(nproc)' # Set to nproc by SlackBuild. Uncomment to enable threading/g' \
+-e 's/# num-threads: 1/num-threads: '$(nproc)' # Set to the value of nproc by SlackBuild/g' \
+-e 's/# root-hints: ""/root-hints: "\/etc\/unbound\/root.hints"/g' \
+-e 's/# prefetch: no/prefetch: yes/g' \
+-e 's/# harden-glue: yes/harden-glue: yes/g' \
+-e 's/# harden-dnssec-stripped: yes/harden-dnssec-stripped: yes/g' \
+-e 's/# aggressive-nsec: yes/aggressive-nsec: yes/g' \
+-e 's/# trust-anchor-signaling: yes/trust-anchor-signaling: yes/g' \
+-e 's/# root-key-sentinel: yes/root-key-sentinel: yes/g' \
+-e '/# auto-trust-anchor-file: ".*/a\ auto-trust-anchor-file: "/var/lib/unbound/root.key"' \
 $PKG/etc/unbound/unbound.conf \
 mkdir -p $PKG/var/run/unbound
 mkdir -p $PKG/var/log/unbound
+mkdir -p $PKG/var/lib/unbound
 mkdir -p $PKG/etc/logrotate.d
 chown $UB_USER:$UB_GROUP $PKG/var/run/unbound/
 chown $UB_USER:$UB_GROUP $PKG/var/log/unbound/
+chown $UB_USER:$UB_GROUP $PKG/var/lib/unbound/
 cp -a $CWD/unbound.logrotate $PKG/etc/logrotate.d/unbound.new
+cp -a $CWD/root.hints $PKG/etc/unbound/root.hints
+chown root:root $PKG/etc/unbound/root.hints
 chown root:root $PKG/etc/logrotate.d/unbound.new
 mv $PKG/etc/unbound/unbound.conf $PKG/etc/unbound/unbound.conf.new
 install -m 0644 -D $CWD/rc.unbound $PKG/etc/rc.d/rc.unbound.new
-- cgit v1.2.3
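Review bot: `cp -a $CWD/root.hints $PKG/etc/unbound/root.hints` installs straight onto the live path instead of a `.new` file, so every package upgrade silently overwrites a root.hints the admin refreshed from InterNIC, and `cp -a` carries whatever mode the file has in the SlackBuild directory; use `install -m 0644 $CWD/root.hints $PKG/etc/unbound/root.hints.new` and add the matching `config etc/unbound/root.hints.new` to doinst.sh (outside this diff), which also makes the separate `chown root:root` line unnecessary. The `num-threads: '$(nproc)'` substitution is now active rather than commented out, and `$(nproc)` is evaluated on the build host, so a package built on a 32-core builder ships `num-threads: 32` to whatever machine installs it; either keep it commented as before or say in the conf comment that the value reflects the build machine. `auto-trust-anchor-file` is appended unconditionally, so if the key file is absent at first start (the doinst step was skipped) the resolver will most likely refuse to start or run without a usable anchor — having rc.unbound run `unbound-anchor` when `/var/lib/unbound/root.key` is missing would close that gap. The trailing `\` after `$PKG/etc/unbound/unbound.conf` is pre-existing context and relies on the blank line that follows it to terminate the sed command.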