Diffstat (limited to 'user/bind')
-rw-r--r--user/bind/127.zone11
-rw-r--r--user/bind/APKBUILD149
-rw-r--r--user/bind/bind.pre-install6
-rw-r--r--user/bind/bind.so_bsdcompat.patch11
-rw-r--r--user/bind/localhost.zone11
-rw-r--r--user/bind/named.ca94
-rw-r--r--user/bind/named.conf.authoritative56
-rw-r--r--user/bind/named.conf.recursive104
-rw-r--r--user/bind/named.confd8
-rw-r--r--user/bind/named.initd84
10 files changed, 534 insertions, 0 deletions
diff --git a/user/bind/127.zone b/user/bind/127.zone
new file mode 100644
index 000000000..2ad28de52
--- /dev/null
+++ b/user/bind/127.zone
@@ -0,0 +1,11 @@
+$ORIGIN 127.in-addr.arpa.
+$TTL 1W
+@ 1D IN SOA localhost. root.localhost. (
+ 2002081601 ; serial
+ 3H ; refresh
+ 15M ; retry
+ 1W ; expiry
+ 1D ) ; minimum
+
+ 1D IN NS localhost.
+1 1D IN PTR localhost.
diff --git a/user/bind/APKBUILD b/user/bind/APKBUILD
new file mode 100644
index 000000000..32ff1b23f
--- /dev/null
+++ b/user/bind/APKBUILD
@@ -0,0 +1,149 @@
+# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
+# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
+# Contributor: Carlo Landmeter <clandmeter@gmail.com>
+# Contributor: Natanael Copa <ncopa@alpinelinux.org>
+# Maintainer: Dan Theisen <djt@hxx.in>
+pkgname=bind
+pkgver=9.12.1_p2
+_p=${pkgver#*_p}
+_ver=${pkgver%_p*}
+_major=${pkgver%%.*}
+[ "$_p" != "$pkgver" ] && _ver="${_ver}-P$_p"
+pkgrel=0
+pkgdesc="The ISC DNS server"
+url="https://www.isc.org/downloads/bind/"
+arch="all"
+# NOTE: The tests were not run because they require that
+# the IP addresses 10.53.0.1 through 10.53.0.8 are configured
+# as alias addresses on the loopback interface.
+options="!check"
+license="ISC AND Apache-2.0 AND OpenSSL AND BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause"
+pkgusers="named"
+pkggroups="named"
+makedepends="bash libressl-dev libcap-dev perl linux-headers bsd-compat-headers libxml2-dev json-c-dev"
+install="$pkgname.pre-install"
+subpackages="$pkgname-doc $pkgname-dev $pkgname-libs $pkgname-openrc $pkgname-tools"
+source="https://ftp.isc.org/isc/${pkgname}${_major}/$_ver/$pkgname-$_ver.tar.gz
+ bind.so_bsdcompat.patch
+ named.initd
+ named.confd
+ named.conf.authoritative
+ named.conf.recursive
+ 127.zone
+ localhost.zone
+ named.ca
+ "
+builddir="$srcdir/$pkgname-$_ver"
+
+# secfixes:
+# 9.12.1_p2-r0:
+# - CVE-2018-5737
+# - CVE-2018-5736
+# 9.11.2_p1-r0:
+# - CVE-2017-3145
+# 9.11.0_p5-r0:
+# - CVE-2017-3136
+# - CVE-2017-3137
+# - CVE-2017-3138
+# 9.10.4_p5-r0:
+# - CVE-2016-9131
+# - CVE-2016-9147
+# - CVE-2016-9444
+
+prepare() {
+ default_prepare
+ cd "$builddir"
+
+ ### http://bugs.gentoo.org/show_bug.cgi?id=227333
+ export CFLAGS="$CFLAGS -D_GNU_SOURCE"
+
+ # Adjusting PATHs in manpages
+ for i in bin/named/named.8 bin/check/named-checkconf.8 bin/rndc/rndc.8; do
+ sed -i \
+ -e 's:/etc/named.conf:/etc/bind/named.conf:g' \
+ -e 's:/etc/rndc.conf:/etc/bind/rndc.conf:g' \
+ -e 's:/etc/rndc.key:/etc/bind/rndc.key:g' \
+ "${i}"
+ done
+}
+
+build() {
+ cd "$builddir"
+ ./configure \
+ --build="$CBUILD" \
+ --host="$CHOST" \
+ --prefix=/usr \
+ --sysconfdir=/etc/bind \
+ --localstatedir=/var \
+ --mandir=/usr/share/man \
+ --infodir=/usr/share/info \
+ --with-openssl=/usr \
+ --with-randomdev=/dev/random \
+ --with-libxml2 \
+ --with-libjson \
+ --enable-linux-caps \
+ --enable-threads \
+ --enable-filter-aaaa \
+ --enable-ipv6 \
+ --enable-shared \
+ --enable-static \
+ --with-libtool
+ make
+}
+
+package() {
+ cd "$builddir"
+ install -d -m0770 -g named -o root "$pkgdir"/var/bind \
+ "$pkgdir"/var/bind/sec \
+ "$pkgdir"/var/bind/dyn \
+ "$pkgdir"/var/run/named
+
+ install -d -m0750 -g named -o root "$pkgdir"/etc/bind \
+ "$pkgdir"/var/bind/pri
+
+ make -j1 DESTDIR="$pkgdir" install
+
+ install -Dm755 "$srcdir"/named.initd \
+ "$pkgdir"/etc/init.d/named
+ install -Dm644 "$srcdir"/named.confd \
+ "$pkgdir"/etc/conf.d/named
+ install -Dm644 "$srcdir"/named.conf.authoritative \
+ "$pkgdir"/etc/bind/named.conf.authoritative
+ install -Dm644 "$srcdir"/named.conf.recursive \
+ "$pkgdir"/etc/bind/named.conf.recursive
+ install -Dm644 "$srcdir"/named.ca \
+ "$pkgdir"/var/bind/named.ca
+ install -Dm644 "$srcdir"/127.zone \
+ "$pkgdir"/var/bind/pri/127.zone
+ install -Dm644 "$srcdir"/localhost.zone \
+ "$pkgdir"/var/bind/pri/localhost.zone
+
+ cd "$pkgdir"/var/bind
+ ln -s named.ca root.cache
+}
+
+tools() {
+ pkgdesc="The ISC DNS tools"
+ install=""
+ depends=""
+
+ mkdir -p "$subpkgdir"/usr/bin
+ for i in dig host nslookup delv nsupdate; do
+ mv "$pkgdir"/usr/bin/${i} "$subpkgdir"/usr/bin/
+ done
+
+ mkdir -p "$subpkgdir"/usr/sbin
+ for i in "$pkgdir"/usr/sbin/dnssec-*; do
+ mv "$i" "$subpkgdir"/usr/sbin
+ done
+}
+
+sha512sums="de47eef272c437316444c4f585a2f98ae9169fc118fd057464a5cd064bb9079ffc07145dabf388cd240f56a5ad6d3ad78cf8d98fc37609681eba5d87e18a4f9a bind-9.12.1-P2.tar.gz
+7167dccdb2833643dfdb92994373d2cc087e52ba23b51bd68bd322ff9aca6744f01fa9d8a4b9cd8c4ce471755a85c03ec956ec0d8a1d4fae02124ddbed6841f6 bind.so_bsdcompat.patch
+196c0a3b43cf89e8e3547d7fb63a93ff9a3306505658dfd9aa78e6861be6b226580b424dd3dd44b955b2d9f682b1dc62c457f3ac29ce86200ef070140608c015 named.initd
+127bdcc0b5079961f0951344bc3fad547450c81aee2149eac8c41a8c0c973ea0ffe3f956684c6fcb735a29c43d2ff48c153b6a71a0f15757819a72c492488ddf named.confd
+d2f61d02d7829af51faf14fbe2bafe8bc90087e6b6697c6275a269ebbddcaa14a234fff5c41da793e945e8ff1de3de0858a40334e0d24289eab98df4bb721ac5 named.conf.authoritative
+3aba9763cfaf0880a89fd01202f41406b465547296ce91373eb999ea7719040bc1ac4e47b0de025a8060f693d3d88774a20d09a43fa7ac6aa43989b58b5ee8fe named.conf.recursive
+eed9886717539399518e011ae5eae6335aed4fae019e1def088c5be26bdc896c99c07adf84ee61babafa31d31ff3b028263d1c88d2eee17ecf4c95a9d77d524c 127.zone
+340e86472a2c2746fe585c0aa5f079d3a9b46e828c1f53d48026533a169b7f77ded7d0a13d291d6962607bb9481456e6fa69df1834603e7555332615fb998f0b localhost.zone
+053060aad3efee7775f1793f86717cfdc085144d4af435a2c552bd41d50cc2210cb7c5cd32891ef70de1ad58aaa3477fdeac0fe6325068eadb78e30177970ea4 named.ca"
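Review bot: package() makes /var/bind group-writable by named (`install -d -m0770 -g named -o root "$pkgdir"/var/bind`) and then installs the root hints into that same directory (`"$pkgdir"/var/bind/named.ca` plus the `root.cache` symlink); the file is 0644 root-owned, but write permission on the directory lets a process running as named unlink and replace it, so a compromised daemon could persist tampered root hints across restarts. The writable top level is needed for journals and dynamic zones, but the static inputs do not have to live there: installing `named.ca` into the 0750 `pri/` directory next to the zone files (and pointing `zone "."` in named.conf.recursive at `pri/named.ca`) keeps everything named only reads out of its write reach. This is an observation on the on-disk layout rather than a build failure, and the same applies to the `root.cache` symlink.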
diff --git a/user/bind/bind.pre-install b/user/bind/bind.pre-install
new file mode 100644
index 000000000..3f7c36847
--- /dev/null
+++ b/user/bind/bind.pre-install
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+addgroup -S named 2>/dev/null
+adduser -S -D -H -h /etc/bind -s /sbin/nologin -G named -g named named 2>/dev/null
+
+exit 0
diff --git a/user/bind/bind.so_bsdcompat.patch b/user/bind/bind.so_bsdcompat.patch
new file mode 100644
index 000000000..69751e13b
--- /dev/null
+++ b/user/bind/bind.so_bsdcompat.patch
@@ -0,0 +1,11 @@
+--- a/lib/isc/unix/socket.c.orig 2005-11-03 17:08:42.000000000 -0600
++++ b/lib/isc/unix/socket.c 2006-02-18 13:09:15.000000000 -0600
+@@ -245,6 +245,8 @@
+
+ #define SOCK_DEAD(s) ((s)->references == 0)
+
++#undef SO_BSDCOMPAT
++
+ static void
+ manager_log(isc_socketmgr_t *sockmgr,
+ isc_logcategory_t *category, isc_logmodule_t *module, int level,
diff --git a/user/bind/localhost.zone b/user/bind/localhost.zone
new file mode 100644
index 000000000..338d7050c
--- /dev/null
+++ b/user/bind/localhost.zone
@@ -0,0 +1,11 @@
+$TTL 1W
+@ IN SOA ns.localhost. root.localhost. (
+ 2002081601 ; Serial
+ 28800 ; Refresh
+ 14400 ; Retry
+ 604800 ; Expire - 1 week
+ 86400 ) ; Minimum
+@ IN NS ns
+ns IN A 127.0.0.1
+
+ns IN AAAA ::1
diff --git a/user/bind/named.ca b/user/bind/named.ca
new file mode 100644
index 000000000..233b5a3bb
--- /dev/null
+++ b/user/bind/named.ca
@@ -0,0 +1,94 @@
+; File retrieved from https://www.internic.net/domain/named.root
+;
+; This file holds the information on root name servers needed to
+; initialize cache of Internet domain name servers
+; (e.g. reference this file in the "cache . <file>"
+; configuration file of BIND domain name servers).
+;
+; This file is made available by InterNIC
+; under anonymous FTP as
+; file /domain/named.cache
+; on server FTP.INTERNIC.NET
+; -OR- RS.INTERNIC.NET
+;
+; last update: May 31, 2018
+; related version of root zone: 2018053101
+;
+; FORMERLY NS.INTERNIC.NET
+;
+. 3600000 NS A.ROOT-SERVERS.NET.
+A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
+A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30
+;
+; FORMERLY NS1.ISI.EDU
+;
+. 3600000 NS B.ROOT-SERVERS.NET.
+B.ROOT-SERVERS.NET. 3600000 A 199.9.14.201
+B.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:200::b
+;
+; FORMERLY C.PSI.NET
+;
+. 3600000 NS C.ROOT-SERVERS.NET.
+C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
+C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c
+;
+; FORMERLY TERP.UMD.EDU
+;
+. 3600000 NS D.ROOT-SERVERS.NET.
+D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
+D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d
+;
+; FORMERLY NS.NASA.GOV
+;
+. 3600000 NS E.ROOT-SERVERS.NET.
+E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
+E.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:a8::e
+;
+; FORMERLY NS.ISC.ORG
+;
+. 3600000 NS F.ROOT-SERVERS.NET.
+F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
+F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f
+;
+; FORMERLY NS.NIC.DDN.MIL
+;
+. 3600000 NS G.ROOT-SERVERS.NET.
+G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
+G.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:12::d0d
+;
+; FORMERLY AOS.ARL.ARMY.MIL
+;
+. 3600000 NS H.ROOT-SERVERS.NET.
+H.ROOT-SERVERS.NET. 3600000 A 198.97.190.53
+H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53
+;
+; FORMERLY NIC.NORDU.NET
+;
+. 3600000 NS I.ROOT-SERVERS.NET.
+I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
+I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53
+;
+; OPERATED BY VERISIGN, INC.
+;
+. 3600000 NS J.ROOT-SERVERS.NET.
+J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
+J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30
+;
+; OPERATED BY RIPE NCC
+;
+. 3600000 NS K.ROOT-SERVERS.NET.
+K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
+K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1
+;
+; OPERATED BY ICANN
+;
+. 3600000 NS L.ROOT-SERVERS.NET.
+L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
+L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:9f::42
+;
+; OPERATED BY WIDE
+;
+. 3600000 NS M.ROOT-SERVERS.NET.
+M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
+M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35
+; End of file \ No newline at end of file
diff --git a/user/bind/named.conf.authoritative b/user/bind/named.conf.authoritative
new file mode 100644
index 000000000..71e98ddc7
--- /dev/null
+++ b/user/bind/named.conf.authoritative
@@ -0,0 +1,56 @@
+// Copy this file to /etc/bind/named.conf if you want to run bind as an
+// authoritative nameserver. If you want to run a recursive DNS resolver
+// instead, see /etc/bind/named.conf.recursive.
+//
+// BIND supports using the same daemon as both authoritative nameserver and
+// recursive resolver; it supports this because it is the oldest and original
+// nameserver and so was designed before it was realized that combining these
+// functions is inadvisable.
+//
+// In actual fact, combining these functions is a very bad idea. It is thus
+// recommended that you run a given instance of BIND as either an authoritative
+// nameserver or recursive resolver, not both. The example configuration herein
+// provides a secure starting point for running an authoritative nameserver.
+
+options {
+ directory "/var/bind";
+
+ // Configure the IPs to listen on here.
+ listen-on { 127.0.0.1; };
+ listen-on-v6 { none; };
+
+ // If you want to allow only specific hosts to use the DNS server:
+ //allow-query {
+ // 127.0.0.1;
+ //};
+
+ // Specify a list of IPs/masks to allow zone transfers to here.
+ //
+ // You can override this on a per-zone basis by specifying this inside a zone
+ // block.
+ //
+ // Warning: Removing this block will cause BIND to revert to its default
+ // behaviour of allowing zone transfers to any host (!).
+ allow-transfer {
+ none;
+ };
+
+ // If you have problems and are behind a firewall:
+ //query-source address * port 53;
+
+ pid-file "/var/run/named/named.pid";
+
+ // Changing this is NOT RECOMMENDED; see the notes above and in
+ // named.conf.recursive.
+ allow-recursion { none; };
+ recursion no;
+};
+
+// Example of how to configure a zone for which this server is the master:
+//zone "example.com" IN {
+// type master;
+// file "/etc/bind/master/example.com";
+//};
+
+// You can include files:
+//include "/etc/bind/example.conf";
diff --git a/user/bind/named.conf.recursive b/user/bind/named.conf.recursive
new file mode 100644
index 000000000..a068b22d7
--- /dev/null
+++ b/user/bind/named.conf.recursive
@@ -0,0 +1,104 @@
+// Copy this file to /etc/bind/named.conf if you want to run bind as a
+// recursive DNS resolver. If you want to run an authoritative nameserver
+// instead, see /etc/bind/named.conf.authoritative.
+//
+// BIND supports using the same daemon as both authoritative nameserver and
+// recursive resolver; it supports this because it is the oldest and original
+// nameserver and so was designed before it was realized that combining these
+// functions is inadvisable.
+//
+// In actual fact, combining these functions is a very bad idea. It is thus
+// recommended that you run a given instance of BIND as either an authoritative
+// nameserver or recursive resolver, not both. The example configuration herein
+// provides a starting point for running a recursive resolver.
+//
+//
+// *** IMPORTANT ***
+// You should note that running an open DNS resolver (that is, a resolver which
+// answers queries from any globally routable IP) makes the resolver vulnerable
+// to abuse in the form of reflected DDoS attacks.
+//
+// These attacks are now widely prevalent on the open internet. Even if
+// unadvertised, attackers can and will find your resolver by portscanning the
+// global IPv4 address space.
+//
+// In one case the traffic generated using such an attack reached 300 Gb/s (!).
+//
+// It is therefore imperative that you take care to configure the resolver to
+// only answer queries from IP address space you trust or control. See the
+// "allow-recursion" directive below.
+//
+// Bear in mind that with these attacks, the "source" of a query will actually
+// be the intended target of a DDoS attack, so this only protects other networks
+// from attack, not your own; ideally therefore you should firewall DNS traffic
+// at the borders of your network to eliminate spoofed traffic.
+//
+// This is a complex issue and some level of understanding of these attacks is
+// advisable before you attempt to configure a resolver.
+
+options {
+ directory "/var/bind";
+
+ // Specify a list of CIDR masks which should be allowed to issue recursive
+ // queries to the DNS server. Do NOT specify 0.0.0.0/0 here; see above.
+ allow-recursion {
+ 127.0.0.1/32;
+ };
+
+ // If you want this resolver to itself resolve via means of another recursive
+ // resolver, uncomment this block and specify the IP addresses of the desired
+ // upstream resolvers.
+ //forwarders {
+ // 123.123.123.123;
+ // 123.123.123.123;
+ //};
+
+ // By default the resolver will attempt to perform recursive resolution itself
+ // if the forwarders are unavailable. If you want this resolver to fail outright
+ // if the upstream resolvers are unavailable, uncomment this directive.
+ //forward only;
+
+ // Configure the IPs to listen on here.
+ listen-on { 127.0.0.1; };
+ listen-on-v6 { none; };
+
+ // If you have problems and are behind a firewall:
+ //query-source address * port 53;
+
+ pid-file "/var/run/named/named.pid";
+
+ // Removing this block will cause BIND to revert to its default behaviour
+ // of allowing zone transfers to any host (!). There is no need to allow zone
+ // transfers when operating as a recursive resolver.
+ allow-transfer { none; };
+};
+
+// Briefly, a zone which has been declared delegation-only will be effectively
+// limited to containing NS RRs for subdomains, but no actual data beyond its
+// own apex (for example, its SOA RR and apex NS RRset). This can be used to
+// filter out "wildcard" or "synthesized" data from NAT boxes or from
+// authoritative name servers whose undelegated (in-zone) data is of no
+// interest.
+// See http://www.isc.org/products/BIND/delegation-only.html for more info
+
+//zone "COM" { type delegation-only; };
+//zone "NET" { type delegation-only; };
+
+zone "." IN {
+ type hint;
+ file "named.ca";
+};
+
+zone "localhost" IN {
+ type master;
+ file "pri/localhost.zone";
+ allow-update { none; };
+ notify no;
+};
+
+zone "127.in-addr.arpa" IN {
+ type master;
+ file "pri/127.zone";
+ allow-update { none; };
+ notify no;
+};
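Review bot: The options block sets neither `dnssec-validation` nor a trust anchor, so with BIND 9.12 (where, as far as I recall, validation only happens once a trust anchor has been configured) this example resolver does not validate DNSSEC and accepts forged answers for signed zones; the authoritative example needs nothing here, but a recursive one does. Adding `dnssec-validation auto;` under `options` enables validation with the built-in root key, and it deserves a comment next to `allow-recursion` since both are part of the safe starting point the header promises. If the intent is to leave validation to the operator, a commented-out line with that explanation would at least make the omission visible.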
diff --git a/user/bind/named.confd b/user/bind/named.confd
new file mode 100644
index 000000000..a9af5676f
--- /dev/null
+++ b/user/bind/named.confd
@@ -0,0 +1,8 @@
+# Set various named options here.
+OPTS=""
+
+# Set this to the number of processors you have.
+# CPU="1"
+
+# Scheduling priority: 19 is the lowest and -20 is the highest.
+# NICELEVEL="0"
diff --git a/user/bind/named.initd b/user/bind/named.initd
new file mode 100644
index 000000000..a088aa4d3
--- /dev/null
+++ b/user/bind/named.initd
@@ -0,0 +1,84 @@
+#!/sbin/openrc-run
+
+extra_commands="checkconfig checkzones"
+extra_started_commands="reload"
+: ${NAMED_CONF:=/etc/bind/named.conf}
+
+depend() {
+ need net
+ after firewall
+ use logger
+ provide dns
+}
+
+_get_pidfile() {
+ [ -n "${PIDFILE}" ] || PIDFILE=$(\
+ /usr/sbin/named-checkconf -p ${NAMED_CONF} | grep 'pid-file' | cut -d\" -f2)
+ [ -z "${PIDFILE}" ] && PIDFILE=/var/run/named/named.pid
+}
+
+checkconfig() {
+ ebegin "Checking named configuration"
+
+ if [ ! -f "${NAMED_CONF}" ] ; then
+ eerror "No ${NAMED_CONF} file exists! See the examples in /etc/bind."
+ return 1
+ fi
+
+ /usr/sbin/named-checkconf ${NAMED_CONF} || {
+ eerror "named-checkconf failed! Please fix your config first."
+ return 1
+ }
+ eend 0
+ return 0
+}
+
+checkzones() {
+ ebegin "Checking named configuration and zones"
+ /usr/sbin/named-checkconf -z -j ${NAMED_CONF}
+ eend $?
+}
+
+start() {
+ local piddir
+ ebegin "Starting named"
+ _get_pidfile
+ piddir="${PIDFILE%/*}"
+ if [ ! -d "${piddir}" ]; then
+ checkpath -q -d -o root:named -m 0770 "${piddir}" || {
+ eend 1
+ return 1
+ }
+ fi
+
+ checkconfig || { eend 1; return 1; }
+
+ # create piddir (usually /var/run/named) if necessary, bug 334535
+ _get_pidfile
+ piddir="${PIDFILE%/*}"
+ if [ ! -d "${piddir}" ]; then
+ checkpath -q -d -o root:named -m 0770 "${piddir}" || {
+ eend 1
+ return 1
+ }
+ fi
+
+ # In case someone have $CPU set in /etc/conf.d/named
+ if [ -n "${CPU}" ] && [ "${CPU}" -gt 0 ]; then
+ CPU="-n ${CPU}"
+ fi
+
+ start-stop-daemon --start --pidfile ${PIDFILE} \
+ --nicelevel ${NICELEVEL:-0} \
+ --exec /usr/sbin/named \
+ -- -u named ${CPU} ${OPTS}
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping named"
+ _get_pidfile
+ start-stop-daemon --stop --quiet --pidfile $PIDFILE
+ eend $?
+}
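Review bot: In stop(), `start-stop-daemon --stop --quiet --pidfile $PIDFILE` signals whatever PID the file names with no cross-check, and the file lives in a directory named can write (start() creates it with `checkpath -q -d -o root:named -m 0770` and the daemon runs as `-u named`), so a misbehaving or compromised named could point it at an unrelated process that root then signals. Passing the executable lets start-stop-daemon verify the PID before acting: `start-stop-daemon --stop --quiet --pidfile "${PIDFILE}" --exec /usr/sbin/named`. Separately, the pid-directory creation block in start() (from `_get_pidfile` through the closing `fi`) appears twice verbatim, once before and once after `checkconfig`; the first copy can be dropped since the second, which carries the bug-334535 comment, already does the work. `${PIDFILE}` and `${NAMED_CONF}` are also unquoted on the named-checkconf and start-stop-daemon lines throughout the file.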
+