user/bind: import, take, clean up, update root zone

10 files changed, 534 insertions, 0 deletions

diff --git a/user/bind/127.zone b/user/bind/127.zone
new file mode 100644
index 000000000..2ad28de52
--- /dev/null
+++ b/user/bind/127.zone
@@ -0,0 +1,11 @@
+$ORIGIN 127.in-addr.arpa.
+$TTL 1W
+@			1D IN SOA	localhost. root.localhost. (
+					2002081601	; serial
+					3H		; refresh
+					15M		; retry
+					1W		; expiry
+					1D )		; minimum
+
+			1D IN NS	localhost.
+1			1D IN PTR	localhost.
diff --git a/user/bind/APKBUILD b/user/bind/APKBUILD
new file mode 100644
index 000000000..32ff1b23f
--- /dev/null
+++ b/user/bind/APKBUILD
@@ -0,0 +1,149 @@
+# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
+# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
+# Contributor: Carlo Landmeter <clandmeter@gmail.com>
+# Contributor: Natanael Copa <ncopa@alpinelinux.org>
+# Maintainer: Dan Theisen <djt@hxx.in>
+pkgname=bind
+pkgver=9.12.1_p2
+_p=${pkgver#*_p}
+_ver=${pkgver%_p*}
+_major=${pkgver%%.*}
+[ "$_p" != "$pkgver" ] && _ver="${_ver}-P$_p"
+pkgrel=0
+pkgdesc="The ISC DNS server"
+url="https://www.isc.org/downloads/bind/"
+arch="all"
+# NOTE: The tests were not run because they require that
+# the IP addresses 10.53.0.1 through 10.53.0.8 are configured
+#  as alias addresses on the loopback interface.
+options="!check"
+license="ISC AND Apache-2.0 AND OpenSSL AND BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause"
+pkgusers="named"
+pkggroups="named"
+makedepends="bash libressl-dev libcap-dev perl linux-headers bsd-compat-headers libxml2-dev json-c-dev"
+install="$pkgname.pre-install"
+subpackages="$pkgname-doc $pkgname-dev $pkgname-libs $pkgname-openrc $pkgname-tools"
+source="https://ftp.isc.org/isc/${pkgname}${_major}/$_ver/$pkgname-$_ver.tar.gz
+	bind.so_bsdcompat.patch
+	named.initd
+	named.confd
+	named.conf.authoritative
+	named.conf.recursive
+	127.zone
+	localhost.zone
+	named.ca
+	"
+builddir="$srcdir/$pkgname-$_ver"
+
+# secfixes:
+#   9.12.1_p2-r0:
+#     - CVE-2018-5737
+#     - CVE-2018-5736
+#   9.11.2_p1-r0:
+#     - CVE-2017-3145
+#   9.11.0_p5-r0:
+#     - CVE-2017-3136
+#     - CVE-2017-3137
+#     - CVE-2017-3138
+#   9.10.4_p5-r0:
+#     - CVE-2016-9131
+#     - CVE-2016-9147
+#     - CVE-2016-9444
+
+prepare() {
+	default_prepare
+	cd "$builddir"
+
+	### http://bugs.gentoo.org/show_bug.cgi?id=227333
+	export CFLAGS="$CFLAGS -D_GNU_SOURCE"
+
+	# Adjusting PATHs in manpages
+	for i in bin/named/named.8 bin/check/named-checkconf.8 bin/rndc/rndc.8; do
+		sed -i \
+			-e 's:/etc/named.conf:/etc/bind/named.conf:g' \
+			-e 's:/etc/rndc.conf:/etc/bind/rndc.conf:g' \
+			-e 's:/etc/rndc.key:/etc/bind/rndc.key:g' \
+			"${i}"
+	done
+}
+
+build() {
+	cd "$builddir"
+	./configure \
+		--build="$CBUILD" \
+		--host="$CHOST" \
+		--prefix=/usr \
+		--sysconfdir=/etc/bind \
+		--localstatedir=/var \
+		--mandir=/usr/share/man \
+		--infodir=/usr/share/info \
+		--with-openssl=/usr \
+                --with-randomdev=/dev/random \
+		--with-libxml2 \
+		--with-libjson \
+                --enable-linux-caps \
+		--enable-threads \
+		--enable-filter-aaaa \
+		--enable-ipv6 \
+		--enable-shared \
+		--enable-static \
+		--with-libtool
+	make
+}
+
+package() {
+	cd "$builddir"
+	install -d -m0770 -g named -o root "$pkgdir"/var/bind \
+		"$pkgdir"/var/bind/sec \
+		"$pkgdir"/var/bind/dyn \
+		"$pkgdir"/var/run/named
+
+	install -d -m0750 -g named -o root "$pkgdir"/etc/bind \
+		"$pkgdir"/var/bind/pri
+
+	make -j1 DESTDIR="$pkgdir" install
+
+	install -Dm755 "$srcdir"/named.initd \
+		"$pkgdir"/etc/init.d/named
+	install -Dm644 "$srcdir"/named.confd \
+		"$pkgdir"/etc/conf.d/named
+	install -Dm644 "$srcdir"/named.conf.authoritative \
+		"$pkgdir"/etc/bind/named.conf.authoritative
+	install -Dm644 "$srcdir"/named.conf.recursive \
+		"$pkgdir"/etc/bind/named.conf.recursive
+	install -Dm644 "$srcdir"/named.ca \
+		"$pkgdir"/var/bind/named.ca
+	install -Dm644 "$srcdir"/127.zone \
+		"$pkgdir"/var/bind/pri/127.zone
+	install -Dm644 "$srcdir"/localhost.zone \
+		"$pkgdir"/var/bind/pri/localhost.zone
+
+	cd "$pkgdir"/var/bind
+	ln -s named.ca root.cache
+}
+
+tools() {
+	pkgdesc="The ISC DNS tools"
+	install=""
+	depends=""
+
+	mkdir -p "$subpkgdir"/usr/bin
+	for i in dig host nslookup delv nsupdate; do
+		mv "$pkgdir"/usr/bin/${i} "$subpkgdir"/usr/bin/
+	done
+
+	mkdir -p "$subpkgdir"/usr/sbin
+	for i in "$pkgdir"/usr/sbin/dnssec-*; do
+		mv "$i" "$subpkgdir"/usr/sbin
+	done
+}
+
+sha512sums="de47eef272c437316444c4f585a2f98ae9169fc118fd057464a5cd064bb9079ffc07145dabf388cd240f56a5ad6d3ad78cf8d98fc37609681eba5d87e18a4f9a  bind-9.12.1-P2.tar.gz
+7167dccdb2833643dfdb92994373d2cc087e52ba23b51bd68bd322ff9aca6744f01fa9d8a4b9cd8c4ce471755a85c03ec956ec0d8a1d4fae02124ddbed6841f6  bind.so_bsdcompat.patch
+196c0a3b43cf89e8e3547d7fb63a93ff9a3306505658dfd9aa78e6861be6b226580b424dd3dd44b955b2d9f682b1dc62c457f3ac29ce86200ef070140608c015  named.initd
+127bdcc0b5079961f0951344bc3fad547450c81aee2149eac8c41a8c0c973ea0ffe3f956684c6fcb735a29c43d2ff48c153b6a71a0f15757819a72c492488ddf  named.confd
+d2f61d02d7829af51faf14fbe2bafe8bc90087e6b6697c6275a269ebbddcaa14a234fff5c41da793e945e8ff1de3de0858a40334e0d24289eab98df4bb721ac5  named.conf.authoritative
+3aba9763cfaf0880a89fd01202f41406b465547296ce91373eb999ea7719040bc1ac4e47b0de025a8060f693d3d88774a20d09a43fa7ac6aa43989b58b5ee8fe  named.conf.recursive
+eed9886717539399518e011ae5eae6335aed4fae019e1def088c5be26bdc896c99c07adf84ee61babafa31d31ff3b028263d1c88d2eee17ecf4c95a9d77d524c  127.zone
+340e86472a2c2746fe585c0aa5f079d3a9b46e828c1f53d48026533a169b7f77ded7d0a13d291d6962607bb9481456e6fa69df1834603e7555332615fb998f0b  localhost.zone
+053060aad3efee7775f1793f86717cfdc085144d4af435a2c552bd41d50cc2210cb7c5cd32891ef70de1ad58aaa3477fdeac0fe6325068eadb78e30177970ea4  named.ca"
diff --git a/user/bind/bind.pre-install b/user/bind/bind.pre-install
new file mode 100644
index 000000000..3f7c36847
--- /dev/null
+++ b/user/bind/bind.pre-install
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+addgroup -S named 2>/dev/null
+adduser -S -D -H -h /etc/bind -s /sbin/nologin -G named -g named named 2>/dev/null
+
+exit 0
diff --git a/user/bind/bind.so_bsdcompat.patch b/user/bind/bind.so_bsdcompat.patch
new file mode 100644
index 000000000..69751e13b
--- /dev/null
+++ b/user/bind/bind.so_bsdcompat.patch
@@ -0,0 +1,11 @@
+--- a/lib/isc/unix/socket.c.orig	2005-11-03 17:08:42.000000000 -0600
++++ b/lib/isc/unix/socket.c	2006-02-18 13:09:15.000000000 -0600
+@@ -245,6 +245,8 @@
+ 
+ #define SOCK_DEAD(s)			((s)->references == 0)
+ 
++#undef SO_BSDCOMPAT
++
+ static void
+ manager_log(isc_socketmgr_t *sockmgr,
+ 	    isc_logcategory_t *category, isc_logmodule_t *module, int level,
diff --git a/user/bind/localhost.zone b/user/bind/localhost.zone
new file mode 100644
index 000000000..338d7050c
--- /dev/null
+++ b/user/bind/localhost.zone
@@ -0,0 +1,11 @@
+$TTL 1W
+@       IN      SOA     ns.localhost. root.localhost.  (
+                                      2002081601 ; Serial
+                                      28800      ; Refresh
+                                      14400      ; Retry
+                                      604800     ; Expire - 1 week
+                                      86400 )    ; Minimum
+@		IN      NS      ns
+ns		IN	A	127.0.0.1
+
+ns		IN	AAAA	::1
diff --git a/user/bind/named.ca b/user/bind/named.ca
new file mode 100644
index 000000000..233b5a3bb
--- /dev/null
+++ b/user/bind/named.ca
@@ -0,0 +1,94 @@
+;  File retrieved from https://www.internic.net/domain/named.root
+;
+;       This file holds the information on root name servers needed to 
+;       initialize cache of Internet domain name servers
+;       (e.g. reference this file in the "cache  .  <file>"
+;       configuration file of BIND domain name servers). 
+; 
+;       This file is made available by InterNIC 
+;       under anonymous FTP as
+;           file                /domain/named.cache 
+;           on server           FTP.INTERNIC.NET
+;       -OR-                    RS.INTERNIC.NET
+; 
+;       last update:     May 31, 2018 
+;       related version of root zone:     2018053101
+; 
+; FORMERLY NS.INTERNIC.NET 
+;
+.                        3600000      NS    A.ROOT-SERVERS.NET.
+A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
+A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
+; 
+; FORMERLY NS1.ISI.EDU 
+;
+.                        3600000      NS    B.ROOT-SERVERS.NET.
+B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
+B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:200::b
+; 
+; FORMERLY C.PSI.NET 
+;
+.                        3600000      NS    C.ROOT-SERVERS.NET.
+C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
+C.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2::c
+; 
+; FORMERLY TERP.UMD.EDU 
+;
+.                        3600000      NS    D.ROOT-SERVERS.NET.
+D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13
+D.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2d::d
+; 
+; FORMERLY NS.NASA.GOV
+;
+.                        3600000      NS    E.ROOT-SERVERS.NET.
+E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
+E.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:a8::e
+; 
+; FORMERLY NS.ISC.ORG
+;
+.                        3600000      NS    F.ROOT-SERVERS.NET.
+F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
+F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2f::f
+; 
+; FORMERLY NS.NIC.DDN.MIL
+;
+.                        3600000      NS    G.ROOT-SERVERS.NET.
+G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
+G.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:12::d0d
+; 
+; FORMERLY AOS.ARL.ARMY.MIL
+;
+.                        3600000      NS    H.ROOT-SERVERS.NET.
+H.ROOT-SERVERS.NET.      3600000      A     198.97.190.53
+H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::53
+; 
+; FORMERLY NIC.NORDU.NET
+;
+.                        3600000      NS    I.ROOT-SERVERS.NET.
+I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
+I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fe::53
+; 
+; OPERATED BY VERISIGN, INC.
+;
+.                        3600000      NS    J.ROOT-SERVERS.NET.
+J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
+J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:c27::2:30
+; 
+; OPERATED BY RIPE NCC
+;
+.                        3600000      NS    K.ROOT-SERVERS.NET.
+K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
+K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fd::1
+; 
+; OPERATED BY ICANN
+;
+.                        3600000      NS    L.ROOT-SERVERS.NET.
+L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
+L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:9f::42
+; 
+; OPERATED BY WIDE
+;
+.                        3600000      NS    M.ROOT-SERVERS.NET.
+M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
+M.ROOT-SERVERS.NET.      3600000      AAAA  2001:dc3::35
+; End of file
\ No newline at end of file
diff --git a/user/bind/named.conf.authoritative b/user/bind/named.conf.authoritative
new file mode 100644
index 000000000..71e98ddc7
--- /dev/null
+++ b/user/bind/named.conf.authoritative
@@ -0,0 +1,56 @@
+// Copy this file to /etc/bind/named.conf if you want to run bind as an
+// authoritative nameserver. If you want to run a recursive DNS resolver
+// instead, see /etc/bind/named.conf.recursive.
+//
+// BIND supports using the same daemon as both authoritative nameserver and
+// recursive resolver; it supports this because it is the oldest and original
+// nameserver and so was designed before it was realized that combining these
+// functions is inadvisable.
+//
+// In actual fact, combining these functions is a very bad idea. It is thus
+// recommended that you run a given instance of BIND as either an authoritative
+// nameserver or recursive resolver, not both. The example configuration herein
+// provides a secure starting point for running an authoritative nameserver.
+
+options {
+	directory "/var/bind";
+
+	// Configure the IPs to listen on here.
+	listen-on { 127.0.0.1; };
+	listen-on-v6 { none; };
+
+	// If you want to allow only specific hosts to use the DNS server:
+	//allow-query {
+	//	127.0.0.1;
+	//};
+
+	// Specify a list of IPs/masks to allow zone transfers to here.
+	//
+	// You can override this on a per-zone basis by specifying this inside a zone
+	// block.
+	//
+	// Warning: Removing this block will cause BIND to revert to its default
+	//          behaviour of allowing zone transfers to any host (!).
+	allow-transfer {
+		none;
+	};
+
+	// If you have problems and are behind a firewall:
+	//query-source address * port 53;
+
+	pid-file "/var/run/named/named.pid";
+
+	// Changing this is NOT RECOMMENDED; see the notes above and in
+	// named.conf.recursive.
+	allow-recursion { none; };
+	recursion no;
+};
+
+// Example of how to configure a zone for which this server is the master:
+//zone "example.com" IN {
+//	type master;
+//	file "/etc/bind/master/example.com";
+//};
+
+// You can include files:
+//include "/etc/bind/example.conf";
diff --git a/user/bind/named.conf.recursive b/user/bind/named.conf.recursive
new file mode 100644
index 000000000..a068b22d7
--- /dev/null
+++ b/user/bind/named.conf.recursive
@@ -0,0 +1,104 @@
+// Copy this file to /etc/bind/named.conf if you want to run bind as a
+// recursive DNS resolver. If you want to run an authoritative nameserver
+// instead, see /etc/bind/named.conf.authoritative.
+//
+// BIND supports using the same daemon as both authoritative nameserver and
+// recursive resolver; it supports this because it is the oldest and original
+// nameserver and so was designed before it was realized that combining these
+// functions is inadvisable.
+//
+// In actual fact, combining these functions is a very bad idea. It is thus
+// recommended that you run a given instance of BIND as either an authoritative
+// nameserver or recursive resolver, not both. The example configuration herein
+// provides a starting point for running a recursive resolver.
+//
+//
+// *** IMPORTANT ***
+// You should note that running an open DNS resolver (that is, a resolver which
+// answers queries from any globally routable IP) makes the resolver vulnerable
+// to abuse in the form of reflected DDoS attacks.
+//
+// These attacks are now widely prevalent on the open internet. Even if
+// unadvertised, attackers can and will find your resolver by portscanning the
+// global IPv4 address space.
+//
+// In one case the traffic generated using such an attack reached 300 Gb/s (!).
+//
+// It is therefore imperative that you take care to configure the resolver to
+// only answer queries from IP address space you trust or control. See the
+// "allow-recursion" directive below.
+//
+// Bear in mind that with these attacks, the "source" of a query will actually
+// be the intended target of a DDoS attack, so this only protects other networks
+// from attack, not your own; ideally therefore you should firewall DNS traffic
+// at the borders of your network to eliminate spoofed traffic.
+//
+// This is a complex issue and some level of understanding of these attacks is
+// advisable before you attempt to configure a resolver.
+
+options {
+	directory "/var/bind";
+
+	// Specify a list of CIDR masks which should be allowed to issue recursive
+	// queries to the DNS server. Do NOT specify 0.0.0.0/0 here; see above.
+	allow-recursion {
+		127.0.0.1/32;
+	};
+
+	// If you want this resolver to itself resolve via means of another recursive
+	// resolver, uncomment this block and specify the IP addresses of the desired
+	// upstream resolvers.
+	//forwarders {
+	//	123.123.123.123;
+	//	123.123.123.123;
+	//};
+
+	// By default the resolver will attempt to perform recursive resolution itself
+	// if the forwarders are unavailable. If you want this resolver to fail outright
+	// if the upstream resolvers are unavailable, uncomment this directive.
+	//forward only;
+
+	// Configure the IPs to listen on here.
+	listen-on { 127.0.0.1; };
+	listen-on-v6 { none; };
+
+	// If you have problems and are behind a firewall:
+	//query-source address * port 53;
+
+	pid-file "/var/run/named/named.pid";
+
+	// Removing this block will cause BIND to revert to its default behaviour
+	// of allowing zone transfers to any host (!). There is no need to allow zone
+	// transfers when operating as a recursive resolver.
+	allow-transfer { none; };
+};
+
+// Briefly, a zone which has been declared delegation-only will be effectively
+// limited to containing NS RRs for subdomains, but no actual data beyond its
+// own apex (for example, its SOA RR and apex NS RRset). This can be used to
+// filter out "wildcard" or "synthesized" data from NAT boxes or from
+// authoritative name servers whose undelegated (in-zone) data is of no
+// interest.
+// See http://www.isc.org/products/BIND/delegation-only.html for more info
+
+//zone "COM" { type delegation-only; };
+//zone "NET" { type delegation-only; };
+
+zone "." IN {
+	type hint;
+	file "named.ca";
+};
+
+zone "localhost" IN {
+	type master;
+	file "pri/localhost.zone";
+	allow-update { none; };
+	notify no;
+};
+
+zone "127.in-addr.arpa" IN {
+	type master;
+	file "pri/127.zone";
+	allow-update { none; };
+	notify no;
+};
diff --git a/user/bind/named.confd b/user/bind/named.confd
new file mode 100644
index 000000000..a9af5676f
--- /dev/null
+++ b/user/bind/named.confd
@@ -0,0 +1,8 @@
+# Set various named options here.
+OPTS=""
+
+# Set this to the number of processors you have.
+# CPU="1"
+
+# Scheduling priority: 19 is the lowest and -20 is the highest.
+# NICELEVEL="0"
diff --git a/user/bind/named.initd b/user/bind/named.initd
new file mode 100644
index 000000000..a088aa4d3
--- /dev/null
+++ b/user/bind/named.initd
@@ -0,0 +1,84 @@
+#!/sbin/openrc-run
+
+extra_commands="checkconfig checkzones"
+extra_started_commands="reload"
+: ${NAMED_CONF:=/etc/bind/named.conf}
+
+depend() {
+	need net
+	after firewall
+	use logger
+	provide dns
+}
+
+_get_pidfile() {
+	[ -n "${PIDFILE}" ] || PIDFILE=$(\
+		/usr/sbin/named-checkconf -p ${NAMED_CONF} | grep 'pid-file' | cut -d\" -f2)
+	[ -z "${PIDFILE}" ] && PIDFILE=/var/run/named/named.pid
+}
+
+checkconfig() {
+	ebegin "Checking named configuration"
+
+	if [ ! -f "${NAMED_CONF}" ] ; then
+		eerror "No ${NAMED_CONF} file exists! See the examples in /etc/bind."
+		return 1
+	fi
+
+	/usr/sbin/named-checkconf ${NAMED_CONF} || {
+		eerror "named-checkconf failed! Please fix your config first."
+		return 1
+	}
+	eend 0
+	return 0
+}
+
+checkzones() {
+	ebegin "Checking named configuration and zones"
+	/usr/sbin/named-checkconf -z -j ${NAMED_CONF}
+	eend $?
+}
+
+start() {
+	local piddir
+	ebegin "Starting named"
+	_get_pidfile
+	piddir="${PIDFILE%/*}"
+	if [ ! -d "${piddir}" ]; then
+		checkpath -q -d -o root:named -m 0770 "${piddir}" || {
+			eend 1
+			return 1
+		}
+	fi
+
+	checkconfig || { eend 1; return 1; }
+
+	# create piddir (usually /var/run/named) if necessary, bug 334535
+	_get_pidfile
+	piddir="${PIDFILE%/*}"
+	if [ ! -d "${piddir}" ]; then
+		checkpath -q -d -o root:named -m 0770 "${piddir}" || {
+			eend 1
+			return 1
+		}
+	fi
+
+	# In case someone have $CPU set in /etc/conf.d/named
+	if [ -n "${CPU}" ] && [ "${CPU}" -gt 0 ]; then
+		CPU="-n ${CPU}"
+	fi
+
+	start-stop-daemon --start --pidfile ${PIDFILE} \
+		--nicelevel ${NICELEVEL:-0} \
+		--exec /usr/sbin/named \
+		-- -u named ${CPU} ${OPTS}
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping named"
+	_get_pidfile
+	start-stop-daemon --stop --quiet --pidfile $PIDFILE
+	eend $?
+}
+