From df1a5e501763e44127dc660b01fd036de5b94112 Mon Sep 17 00:00:00 2001 From: Dan Theisen Date: Fri, 6 Jul 2018 00:13:54 -0700 Subject: user/bind: import, take, clean up, update root zone --- user/bind/127.zone | 11 +++ user/bind/APKBUILD | 149 +++++++++++++++++++++++++++++++++++++ user/bind/bind.pre-install | 6 ++ user/bind/bind.so_bsdcompat.patch | 11 +++ user/bind/localhost.zone | 11 +++ user/bind/named.ca | 94 +++++++++++++++++++++++ user/bind/named.conf.authoritative | 56 ++++++++++++++ user/bind/named.conf.recursive | 104 ++++++++++++++++++++++++++ user/bind/named.confd | 8 ++ user/bind/named.initd | 84 +++++++++++++++++++++ 10 files changed, 534 insertions(+) create mode 100644 user/bind/127.zone create mode 100644 user/bind/APKBUILD create mode 100644 user/bind/bind.pre-install create mode 100644 user/bind/bind.so_bsdcompat.patch create mode 100644 user/bind/localhost.zone create mode 100644 user/bind/named.ca create mode 100644 user/bind/named.conf.authoritative create mode 100644 user/bind/named.conf.recursive create mode 100644 user/bind/named.confd create mode 100644 user/bind/named.initd diff --git a/user/bind/127.zone b/user/bind/127.zone new file mode 100644 index 000000000..2ad28de52 --- /dev/null +++ b/user/bind/127.zone @@ -0,0 +1,11 @@ +$ORIGIN 127.in-addr.arpa. +$TTL 1W +@ 1D IN SOA localhost. root.localhost. ( + 2002081601 ; serial + 3H ; refresh + 15M ; retry + 1W ; expiry + 1D ) ; minimum + + 1D IN NS localhost. +1 1D IN PTR localhost. diff --git a/user/bind/APKBUILD b/user/bind/APKBUILD new file mode 100644 index 000000000..32ff1b23f --- /dev/null +++ b/user/bind/APKBUILD 
@@ -0,0 +1,149 @@
+# Contributor: Sergei Lukin
+# Contributor: Sören Tempel
+# Contributor: Carlo Landmeter
+# Contributor: Natanael Copa
+# Maintainer: Dan Theisen
+pkgname=bind
+pkgver=9.12.1_p2
+_p=${pkgver#*_p}
+_ver=${pkgver%_p*}
+_major=${pkgver%%.*}
+[ "$_p" != "$pkgver" ] && _ver="${_ver}-P$_p"
+pkgrel=0
+pkgdesc="The ISC DNS server"
+url="https://www.isc.org/downloads/bind/"
+arch="all"
+# NOTE: The tests were not run because they require that
+# the IP addresses 10.53.0.1 through 10.53.0.8 are configured
+# as alias addresses on the loopback interface.
+options="!check"
+license="ISC AND Apache-2.0 AND OpenSSL AND BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause"
+pkgusers="named"
+pkggroups="named"
+makedepends="bash libressl-dev libcap-dev perl linux-headers bsd-compat-headers libxml2-dev json-c-dev"
+install="$pkgname.pre-install"
+subpackages="$pkgname-doc $pkgname-dev $pkgname-libs $pkgname-openrc $pkgname-tools"
+source="https://ftp.isc.org/isc/${pkgname}${_major}/$_ver/$pkgname-$_ver.tar.gz
+ bind.so_bsdcompat.patch
+ named.initd
+ named.confd
+ named.conf.authoritative
+ named.conf.recursive
+ 127.zone
+ localhost.zone
+ named.ca
+ "
+builddir="$srcdir/$pkgname-$_ver"
+
+# secfixes:
+# 9.12.1_p2-r0:
+# - CVE-2018-5737
+# - CVE-2018-5736
+# 9.11.2_p1-r0:
+# - CVE-2017-3145
+# 9.11.0_p5-r0:
+# - CVE-2017-3136
+# - CVE-2017-3137
+# - CVE-2017-3138
+# 9.10.4_p5-r0:
+# - CVE-2016-9131
+# - CVE-2016-9147
+# - CVE-2016-9444
+
+prepare() {
+ default_prepare
+ cd "$builddir"
+
+ ### http://bugs.gentoo.org/show_bug.cgi?id=227333
+ export CFLAGS="$CFLAGS -D_GNU_SOURCE"
+
+ # Adjusting PATHs in manpages
+ for i in bin/named/named.8 bin/check/named-checkconf.8 bin/rndc/rndc.8; do
+ sed -i \
+ -e 's:/etc/named.conf:/etc/bind/named.conf:g' \
+ -e 's:/etc/rndc.conf:/etc/bind/rndc.conf:g' \
+ -e 's:/etc/rndc.key:/etc/bind/rndc.key:g' \
+ "${i}"
+ done
+}
+
+build() {
+ cd "$builddir"
+ ./configure \
+ --build="$CBUILD" \
+ --host="$CHOST" \
+ --prefix=/usr \
+ --sysconfdir=/etc/bind \
+ --localstatedir=/var \
+ --mandir=/usr/share/man \
+ --infodir=/usr/share/info \
+ --with-openssl=/usr \
+ --with-randomdev=/dev/random \
+ --with-libxml2 \
+ --with-libjson \
+ --enable-linux-caps \
+ --enable-threads \
+ --enable-filter-aaaa \
+ --enable-ipv6 \
+ --enable-shared \
+ --enable-static \
+ --with-libtool
+ make
+}
+
+package() {
+ cd "$builddir"
+ install -d -m0770 -g named -o root "$pkgdir"/var/bind \
+ "$pkgdir"/var/bind/sec \
+ "$pkgdir"/var/bind/dyn \
+ "$pkgdir"/var/run/named
+
+ install -d -m0750 -g named -o root "$pkgdir"/etc/bind \
+ "$pkgdir"/var/bind/pri
+
+ make -j1 DESTDIR="$pkgdir" install
+
+ install -Dm755 "$srcdir"/named.initd \
+ "$pkgdir"/etc/init.d/named
+ install -Dm644 "$srcdir"/named.confd \
+ "$pkgdir"/etc/conf.d/named
+ install -Dm644 "$srcdir"/named.conf.authoritative \
+ "$pkgdir"/etc/bind/named.conf.authoritative
+ install -Dm644 "$srcdir"/named.conf.recursive \
+ "$pkgdir"/etc/bind/named.conf.recursive
+ install -Dm644 "$srcdir"/named.ca \
+ "$pkgdir"/var/bind/named.ca
+ install -Dm644 "$srcdir"/127.zone \
+ "$pkgdir"/var/bind/pri/127.zone
+ install -Dm644 "$srcdir"/localhost.zone \
+ "$pkgdir"/var/bind/pri/localhost.zone
+
+ cd "$pkgdir"/var/bind
+ ln -s named.ca root.cache
+}
+
+tools() {
+ pkgdesc="The ISC DNS tools"
+ install=""
+ depends=""
+
+ mkdir -p "$subpkgdir"/usr/bin
+ for i in dig host nslookup delv nsupdate; do
+ mv "$pkgdir"/usr/bin/${i} "$subpkgdir"/usr/bin/
+ done
+
+ mkdir -p "$subpkgdir"/usr/sbin
+ for i in "$pkgdir"/usr/sbin/dnssec-*; do
+ mv "$i" "$subpkgdir"/usr/sbin
+ done
+}
+
+sha512sums="de47eef272c437316444c4f585a2f98ae9169fc118fd057464a5cd064bb9079ffc07145dabf388cd240f56a5ad6d3ad78cf8d98fc37609681eba5d87e18a4f9a bind-9.12.1-P2.tar.gz
+7167dccdb2833643dfdb92994373d2cc087e52ba23b51bd68bd322ff9aca6744f01fa9d8a4b9cd8c4ce471755a85c03ec956ec0d8a1d4fae02124ddbed6841f6 bind.so_bsdcompat.patch
+196c0a3b43cf89e8e3547d7fb63a93ff9a3306505658dfd9aa78e6861be6b226580b424dd3dd44b955b2d9f682b1dc62c457f3ac29ce86200ef070140608c015 named.initd +127bdcc0b5079961f0951344bc3fad547450c81aee2149eac8c41a8c0c973ea0ffe3f956684c6fcb735a29c43d2ff48c153b6a71a0f15757819a72c492488ddf named.confd +d2f61d02d7829af51faf14fbe2bafe8bc90087e6b6697c6275a269ebbddcaa14a234fff5c41da793e945e8ff1de3de0858a40334e0d24289eab98df4bb721ac5 named.conf.authoritative +3aba9763cfaf0880a89fd01202f41406b465547296ce91373eb999ea7719040bc1ac4e47b0de025a8060f693d3d88774a20d09a43fa7ac6aa43989b58b5ee8fe named.conf.recursive +eed9886717539399518e011ae5eae6335aed4fae019e1def088c5be26bdc896c99c07adf84ee61babafa31d31ff3b028263d1c88d2eee17ecf4c95a9d77d524c 127.zone +340e86472a2c2746fe585c0aa5f079d3a9b46e828c1f53d48026533a169b7f77ded7d0a13d291d6962607bb9481456e6fa69df1834603e7555332615fb998f0b localhost.zone +053060aad3efee7775f1793f86717cfdc085144d4af435a2c552bd41d50cc2210cb7c5cd32891ef70de1ad58aaa3477fdeac0fe6325068eadb78e30177970ea4 named.ca" diff --git a/user/bind/bind.pre-install b/user/bind/bind.pre-install new file mode 100644 index 000000000..3f7c36847 --- /dev/null +++ b/user/bind/bind.pre-install @@ -0,0 +1,6 @@ +#!/bin/sh + +addgroup -S named 2>/dev/null +adduser -S -D -H -h /etc/bind -s /sbin/nologin -G named -g named named 2>/dev/null + +exit 0 diff --git a/user/bind/bind.so_bsdcompat.patch b/user/bind/bind.so_bsdcompat.patch new file mode 100644 index 000000000..69751e13b --- /dev/null +++ b/user/bind/bind.so_bsdcompat.patch @@ -0,0 +1,11 @@ +--- a/lib/isc/unix/socket.c.orig 2005-11-03 17:08:42.000000000 -0600 ++++ b/lib/isc/unix/socket.c 2006-02-18 13:09:15.000000000 -0600 +@@ -245,6 +245,8 @@ + + #define SOCK_DEAD(s) ((s)->references == 0) + ++#undef SO_BSDCOMPAT ++ + static void + manager_log(isc_socketmgr_t *sockmgr, + isc_logcategory_t *category, isc_logmodule_t *module, int level, diff --git a/user/bind/localhost.zone b/user/bind/localhost.zone new file mode 100644 index 000000000..338d7050c 
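Review bot: The `for i in "$pkgdir"/usr/sbin/dnssec-*` loop in tools() has no no-match guard, so if the glob expands to nothing `mv` is handed the literal pattern and the subpackage step fails with a confusing error; `[ -e "$i" ] || continue` as the first line of the loop body makes the intent explicit. package() also ships `"$pkgdir"/var/run/named` even though named.initd recreates that directory with checkpath at every start; since /var/run is commonly a tmpfs, a one-line comment stating that the init script is the authoritative creator (or dropping the packaged directory) would avoid the two drifting apart. Finally, `--with-randomdev=/dev/random` deserves a short comment on why the blocking device was chosen, as named may stall at startup on entropy-starved hosts — I am inferring that from the flag rather than from anything on the page.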
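Review bot: Both `addgroup` and `adduser` have their stderr discarded and the script unconditionally ends with `exit 0`, so any failure other than "already exists" goes unnoticed and the package installs without a `named` account even though named.initd launches the daemon with `-u named`. If a missing account should block installation, a final `id named >/dev/null 2>&1 || exit 1` after the adduser line surfaces that; if best-effort is intended, a comment saying so would help the next reader. `-h /etc/bind` sets the account's home to a directory the APKBUILD installs as 0750 root:named, which looks deliberate but is worth a one-line comment.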
--- /dev/null +++ b/user/bind/localhost.zone @@ -0,0 +1,11 @@ +$TTL 1W +@ IN SOA ns.localhost. root.localhost. ( + 2002081601 ; Serial + 28800 ; Refresh + 14400 ; Retry + 604800 ; Expire - 1 week + 86400 ) ; Minimum +@ IN NS ns +ns IN A 127.0.0.1 + +ns IN AAAA ::1 diff --git a/user/bind/named.ca b/user/bind/named.ca new file mode 100644 index 000000000..233b5a3bb --- /dev/null +++ b/user/bind/named.ca 
@@ -0,0 +1,94 @@ +; File retrieved from https://www.internic.net/domain/named.root +; +; This file holds the information on root name servers needed to +; initialize cache of Internet domain name servers +; (e.g. reference this file in the "cache . " +; configuration file of BIND domain name servers). +; +; This file is made available by InterNIC +; under anonymous FTP as +; file /domain/named.cache +; on server FTP.INTERNIC.NET +; -OR- RS.INTERNIC.NET +; +; last update: May 31, 2018 +; related version of root zone: 2018053101 +; +; FORMERLY NS.INTERNIC.NET +; +. 3600000 NS A.ROOT-SERVERS.NET. +A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4 +A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30 +; +; FORMERLY NS1.ISI.EDU +; +. 3600000 NS B.ROOT-SERVERS.NET. +B.ROOT-SERVERS.NET. 3600000 A 199.9.14.201 +B.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:200::b +; +; FORMERLY C.PSI.NET +; +. 3600000 NS C.ROOT-SERVERS.NET. +C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12 +C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c +; +; FORMERLY TERP.UMD.EDU +; +. 3600000 NS D.ROOT-SERVERS.NET. +D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13 +D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d +; +; FORMERLY NS.NASA.GOV +; +. 3600000 NS E.ROOT-SERVERS.NET. +E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10 +E.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:a8::e +; +; FORMERLY NS.ISC.ORG +; +. 3600000 NS F.ROOT-SERVERS.NET. +F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241 +F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f +; +; FORMERLY NS.NIC.DDN.MIL +; +. 3600000 NS G.ROOT-SERVERS.NET. +G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4 +G.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:12::d0d +; +; FORMERLY AOS.ARL.ARMY.MIL +; +. 3600000 NS H.ROOT-SERVERS.NET. +H.ROOT-SERVERS.NET. 3600000 A 198.97.190.53 +H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53 +; +; FORMERLY NIC.NORDU.NET +; +. 3600000 NS I.ROOT-SERVERS.NET. +I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17 +I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53 +; +; OPERATED BY VERISIGN, INC. 
+; +. 3600000 NS J.ROOT-SERVERS.NET. +J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30 +J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30 +; +; OPERATED BY RIPE NCC +; +. 3600000 NS K.ROOT-SERVERS.NET. +K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129 +K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1 +; +; OPERATED BY ICANN +; +. 3600000 NS L.ROOT-SERVERS.NET. +L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42 +L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:9f::42 +; +; OPERATED BY WIDE +; +. 3600000 NS M.ROOT-SERVERS.NET. +M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33 +M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35 +; End of file \ No newline at end of file diff --git a/user/bind/named.conf.authoritative b/user/bind/named.conf.authoritative new file mode 100644 index 000000000..71e98ddc7 --- /dev/null +++ b/user/bind/named.conf.authoritative 
@@ -0,0 +1,56 @@ +// Copy this file to /etc/bind/named.conf if you want to run bind as an +// authoritative nameserver. If you want to run a recursive DNS resolver +// instead, see /etc/bind/named.conf.recursive. +// +// BIND supports using the same daemon as both authoritative nameserver and +// recursive resolver; it supports this because it is the oldest and original +// nameserver and so was designed before it was realized that combining these +// functions is inadvisable. +// +// In actual fact, combining these functions is a very bad idea. It is thus +// recommended that you run a given instance of BIND as either an authoritative +// nameserver or recursive resolver, not both. The example configuration herein +// provides a secure starting point for running an authoritative nameserver. + +options { + directory "/var/bind"; + + // Configure the IPs to listen on here. + listen-on { 127.0.0.1; }; + listen-on-v6 { none; }; + + // If you want to allow only specific hosts to use the DNS server: + //allow-query { + // 127.0.0.1; + //}; + + // Specify a list of IPs/masks to allow zone transfers to here. + // + // You can override this on a per-zone basis by specifying this inside a zone + // block. + // + // Warning: Removing this block will cause BIND to revert to its default + // behaviour of allowing zone transfers to any host (!). + allow-transfer { + none; + }; + + // If you have problems and are behind a firewall: + //query-source address * port 53; + + pid-file "/var/run/named/named.pid"; + + // Changing this is NOT RECOMMENDED; see the notes above and in + // named.conf.recursive. + allow-recursion { none; }; + recursion no; +}; + +// Example of how to configure a zone for which this server is the master: +//zone "example.com" IN { +// type master; +// file "/etc/bind/master/example.com"; +//}; + +// You can include files: +//include "/etc/bind/example.conf"; 
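Review bot: The commented hint `//query-source address * port 53;` under "If you have problems and are behind a firewall" invites pinning the outbound source port, which disables the source-port randomization BIND uses as its main defence against cache poisoning; the identical line appears in named.conf.recursive, where it matters most because that instance issues recursive queries. I would replace the hint in both files with `//query-source address *;` plus a comment that a fixed port should only ever be combined with a stateful firewall rule and never on a resolver. The rest of the block is sound for an authoritative-only server: `recursion no`, `allow-recursion { none; }` and `allow-transfer { none; }` are all set explicitly.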
diff --git a/user/bind/named.conf.recursive b/user/bind/named.conf.recursive new file mode 100644 index 000000000..a068b22d7 --- /dev/null +++ b/user/bind/named.conf.recursive 
@@ -0,0 +1,104 @@ +// Copy this file to /etc/bind/named.conf if you want to run bind as a +// recursive DNS resolver. If you want to run an authoritative nameserver +// instead, see /etc/bind/named.conf.authoritative. +// +// BIND supports using the same daemon as both authoritative nameserver and +// recursive resolver; it supports this because it is the oldest and original +// nameserver and so was designed before it was realized that combining these +// functions is inadvisable. +// +// In actual fact, combining these functions is a very bad idea. It is thus +// recommended that you run a given instance of BIND as either an authoritative +// nameserver or recursive resolver, not both. The example configuration herein +// provides a starting point for running a recursive resolver. +// +// +// *** IMPORTANT *** +// You should note that running an open DNS resolver (that is, a resolver which +// answers queries from any globally routable IP) makes the resolver vulnerable +// to abuse in the form of reflected DDoS attacks. +// +// These attacks are now widely prevalent on the open internet. Even if +// unadvertised, attackers can and will find your resolver by portscanning the +// global IPv4 address space. +// +// In one case the traffic generated using such an attack reached 300 Gb/s (!). +// +// It is therefore imperative that you take care to configure the resolver to +// only answer queries from IP address space you trust or control. See the +// "allow-recursion" directive below. +// +// Bear in mind that with these attacks, the "source" of a query will actually +// be the intended target of a DDoS attack, so this only protects other networks +// from attack, not your own; ideally therefore you should firewall DNS traffic +// at the borders of your network to eliminate spoofed traffic. +// +// This is a complex issue and some level of understanding of these attacks is +// advisable before you attempt to configure a resolver. 
+ +options { + directory "/var/bind"; + + // Specify a list of CIDR masks which should be allowed to issue recursive + // queries to the DNS server. Do NOT specify 0.0.0.0/0 here; see above. + allow-recursion { + 127.0.0.1/32; + }; + + // If you want this resolver to itself resolve via means of another recursive + // resolver, uncomment this block and specify the IP addresses of the desired + // upstream resolvers. + //forwarders { + // 123.123.123.123; + // 123.123.123.123; + //}; + + // By default the resolver will attempt to perform recursive resolution itself + // if the forwarders are unavailable. If you want this resolver to fail outright + // if the upstream resolvers are unavailable, uncomment this directive. + //forward only; + + // Configure the IPs to listen on here. + listen-on { 127.0.0.1; }; + listen-on-v6 { none; }; + + // If you have problems and are behind a firewall: + //query-source address * port 53; + + pid-file "/var/run/named/named.pid"; + + // Removing this block will cause BIND to revert to its default behaviour + // of allowing zone transfers to any host (!). There is no need to allow zone + // transfers when operating as a recursive resolver. + allow-transfer { none; }; +}; + +// Briefly, a zone which has been declared delegation-only will be effectively +// limited to containing NS RRs for subdomains, but no actual data beyond its +// own apex (for example, its SOA RR and apex NS RRset). This can be used to +// filter out "wildcard" or "synthesized" data from NAT boxes or from +// authoritative name servers whose undelegated (in-zone) data is of no +// interest. +// See http://www.isc.org/products/BIND/delegation-only.html for more info + +//zone "COM" { type delegation-only; }; +//zone "NET" { type delegation-only; }; + +zone "." 
IN { + type hint; + file "named.ca"; +}; + +zone "localhost" IN { + type master; + file "pri/localhost.zone"; + allow-update { none; }; + notify no; +}; + +zone "127.in-addr.arpa" IN { + type master; + file "pri/127.zone"; + allow-update { none; }; + notify no; +}; diff --git a/user/bind/named.confd b/user/bind/named.confd new file mode 100644 index 000000000..a9af5676f --- /dev/null +++ b/user/bind/named.confd @@ -0,0 +1,8 @@ +# Set various named options here. +OPTS="" + +# Set this to the number of processors you have. +# CPU="1" + +# Scheduling priority: 19 is the lowest and -20 is the highest. +# NICELEVEL="0" diff --git a/user/bind/named.initd b/user/bind/named.initd new file mode 100644 index 000000000..a088aa4d3 --- /dev/null +++ b/user/bind/named.initd 
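Review bot: The options block sets no `dnssec-validation`, and on a BIND 9.12 build the default of `yes` only validates for zones that have explicitly configured trust anchors, so this resolver would hand unvalidated answers to its clients; adding `dnssec-validation auto;` after `directory "/var/bind";` enables the built-in root trust anchor (confirm against the packaged build's compiled-in default). The forwarders example uses `123.123.123.123`, a routable address that someone could uncomment verbatim; an RFC 5737 documentation address such as `192.0.2.1` avoids sending real traffic to a third party. The recursion, listen and allow-transfer settings are otherwise consistent with the authoritative example.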
@@ -0,0 +1,84 @@
+#!/sbin/openrc-run
+
+extra_commands="checkconfig checkzones"
+extra_started_commands="reload"
+: ${NAMED_CONF:=/etc/bind/named.conf}
+
+depend() {
+ need net
+ after firewall
+ use logger
+ provide dns
+}
+
+_get_pidfile() {
+ [ -n "${PIDFILE}" ] || PIDFILE=$(\
+ /usr/sbin/named-checkconf -p ${NAMED_CONF} | grep 'pid-file' | cut -d\" -f2)
+ [ -z "${PIDFILE}" ] && PIDFILE=/var/run/named/named.pid
+}
+
+checkconfig() {
+ ebegin "Checking named configuration"
+
+ if [ ! -f "${NAMED_CONF}" ] ; then
+ eerror "No ${NAMED_CONF} file exists! See the examples in /etc/bind."
+ return 1
+ fi
+
+ /usr/sbin/named-checkconf ${NAMED_CONF} || {
+ eerror "named-checkconf failed! Please fix your config first."
+ return 1
+ }
+ eend 0
+ return 0
+}
+
+checkzones() {
+ ebegin "Checking named configuration and zones"
+ /usr/sbin/named-checkconf -z -j ${NAMED_CONF}
+ eend $?
+}
+
+start() {
+ local piddir
+ ebegin "Starting named"
+ _get_pidfile
+ piddir="${PIDFILE%/*}"
+ if [ ! -d "${piddir}" ]; then
+ checkpath -q -d -o root:named -m 0770 "${piddir}" || {
+ eend 1
+ return 1
+ }
+ fi
+
+ checkconfig || { eend 1; return 1; }
+
+ # create piddir (usually /var/run/named) if necessary, bug 334535
+ _get_pidfile
+ piddir="${PIDFILE%/*}"
+ if [ ! -d "${piddir}" ]; then
+ checkpath -q -d -o root:named -m 0770 "${piddir}" || {
+ eend 1
+ return 1
+ }
+ fi
+
+ # In case someone have $CPU set in /etc/conf.d/named
+ if [ -n "${CPU}" ] && [ "${CPU}" -gt 0 ]; then
+ CPU="-n ${CPU}"
+ fi
+
+ start-stop-daemon --start --pidfile ${PIDFILE} \
+ --nicelevel ${NICELEVEL:-0} \
+ --exec /usr/sbin/named \
+ -- -u named ${CPU} ${OPTS}
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping named"
+ _get_pidfile
+ start-stop-daemon --stop --quiet --pidfile $PIDFILE
+ eend $?
+}
+
-- 
cgit v1.2.3-70-g09d2
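Review bot: `extra_started_commands="reload"` declares a reload command, but no `reload()` function is defined anywhere in the file, so `rc-service named reload` fails at runtime. Separately, `start()` validates `${NAMED_CONF}` through checkconfig and then launches named without `-c "${NAMED_CONF}"`, so when the variable is overridden in /etc/conf.d/named the daemon still reads the build's default /etc/bind/named.conf rather than the file that was just checked. The pidfile/piddir block in `start()` is also duplicated verbatim before and after the `checkconfig` call, and `${PIDFILE}`/`$PIDFILE` reach start-stop-daemon unquoted; the rewrite below keeps one copy of that block, quotes the paths, passes `-c`, and adds a SIGHUP-based `reload()` (named reloads its configuration and zones on HUP).
```shell
start() {
	# … unchanged: ebegin, _get_pidfile, checkconfig, single piddir creation, CPU handling …
	start-stop-daemon --start --pidfile "${PIDFILE}" \
		--nicelevel "${NICELEVEL:-0}" \
		--exec /usr/sbin/named \
		-- -u named -c "${NAMED_CONF}" ${CPU} ${OPTS}
	eend $?
}

reload() {
	ebegin "Reloading named"
	_get_pidfile
	start-stop-daemon --signal HUP --pidfile "${PIDFILE}"
	eend $?
}
```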