diff --git a/dns/bind9-devel/Makefile b/dns/bind9-devel/Makefile index a30713ccc3fa..ee6d9e53b2c6 100644 --- a/dns/bind9-devel/Makefile +++ b/dns/bind9-devel/Makefile @@ -1,248 +1,248 @@ # pkg-help formatted with fmt 59 63 PORTNAME= bind PORTVERSION= ${ISCVERSION:S/-P/P/:S/b/.b/:S/a/.a/:S/rc/.rc/} .if defined(BIND_TOOLS_SLAVE) # dns/bind-tools here PORTREVISION= 0 .else # XXX: correct version # dns/bind9xx here -PORTREVISION= 0 +PORTREVISION= 1 .endif CATEGORIES= dns net # XXX: put the ISC master_site #MASTER_SITES= ISC/bind9/${ISCVERSION} MASTER_SITES= LOCAL/mat/bind .if defined(BIND_TOOLS_SLAVE) PKGNAMESUFFIX= -tools .else # XXX: correct SUFFIX. PKGNAMESUFFIX= 9-devel .endif # XXX: correct DISTNAME. #DISTNAME= ${PORTNAME}-${ISCVERSION} MAINTAINER= mat@FreeBSD.org WWW= https://www.isc.org/bind/ .if defined(BIND_TOOLS_SLAVE) COMMENT= Command line tools from BIND: delv, dig, host, nslookup... .else COMMENT= BIND DNS suite with updated DNSSEC and DNS64 .endif # Uncomment when bind9xx comes of age. +3 years if ESV, +1year otherwise, see # https://kb.isc.org/docs/aa-00896 # DEPRECATED= End of life, please migrate to a newer version of BIND9 # EXPIRATION_DATE= XXX-12-31 LICENSE= MPL20 LICENSE_FILE= ${WRKSRC}/COPYRIGHT LIB_DEPENDS= libuv.so:devel/libuv \ libnghttp2.so:www/libnghttp2 \ libxml2.so:textproc/libxml2 .if !defined(BIND_TOOLS_SLAVE) RUN_DEPENDS= bind-tools>0:dns/bind-tools .endif # XXX: remove tar:bz2 USES= autoreconf compiler:c11 cpe libedit libtool pkgconfig ssl tar:bz2 # ISC releases things like 9.8.0-P1, which our versioning doesn't like ISCVERSION= 9.19.3.2022.06.16 # XXX: Remove gitlab USE_GITLAB= yes GL_SITE= https://gitlab.isc.org GL_ACCOUNT= isc-projects GL_PROJECT= bind9 GL_COMMIT= 84854b3f22b885ba4cfbf34697de4fbed1cad0a2 CPE_VENDOR= isc CPE_VERSION= ${ISCVERSION:C/-.*//} .if ${ISCVERSION:M*-*} CPE_UPDATE= ${ISCVERSION:C/.*-//:tl} .endif GNU_CONFIGURE= yes CONFIGURE_ARGS= --disable-linux-caps \ --localstatedir=/var \ --sysconfdir=${ETCDIR} \ --with-dlopen=yes \ --with-libxml2 \ --with-openssl=${OPENSSLBASE} \ --enable-dnsrps \ --with-readline=libedit CONFIGURE_ENV= READLINE_CFLAGS="-L${LOCALBASE}/lib" ETCDIR= ${PREFIX}/etc/namedb .if defined(BIND_TOOLS_SLAVE) EXTRA_PATCHES= ${PATCHDIR}/extrapatch-bind-tools CONFIGURE_ARGS+= --libdir=${PREFIX}/lib/bind-tools .else USE_RC_SUBR= named # XXX: remove the big warning about it being a development version from pkg-message SUB_FILES= named.conf pkg-message EXTRA_PATCHES= ${PATCHDIR}/extrapatch-no-bind-tools PORTDOCS= * # XXX: Add -devel CONFLICTS= bind9[0-9][0-9] .endif # BIND_TOOLS_SLAVE MAKE_JOBS_UNSAFE= yes OPTIONS_DEFAULT= GSSAPI_NONE IDN JSON LMDB MANPAGES \ TCP_FASTOPEN DNSTAP OPTIONS_DEFINE= DNSTAP DOCS FIXED_RRSET GEOIP IDN JSON LARGE_FILE LMDB \ MANPAGES OVERRIDECACHE QUERYTRACE \ START_LATE TCP_FASTOPEN OPTIONS_SINGLE= GSSAPI OPTIONS_SINGLE_GSSAPI= GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT GSSAPI_NONE .if defined(BIND_TOOLS_SLAVE) OPTIONS_EXCLUDE= DNSTAP DOCS GEOIP LMDB \ OVERRIDECACHE QUERYTRACE START_LATE \ TCP_FASTOPEN .endif # BIND_TOOLS_SLAVE OPTIONS_SUB= yes DNSTAP_DESC= Provides fast passive logging of DNS messages FIXED_RRSET_DESC= Enable fixed rrset ordering GSSAPI_BASE_DESC= Using Heimdal in base GSSAPI_HEIMDAL_DESC= Using security/heimdal GSSAPI_MIT_DESC= Using security/krb5 GSSAPI_NONE_DESC= Disable LARGE_FILE_DESC= 64-bit file support LMDB_DESC= Use LMDB for zone management OVERRIDECACHE_DESC= Use the override-cache patch QUERYTRACE_DESC= Enable the very verbose query tracelogging START_LATE_DESC= Start BIND late in the boot process (see help) TCP_FASTOPEN_DESC= RFC 7413 support DOCS_ALL_TARGET= all html DOCS_BUILD_DEPENDS= sphinx-build:textproc/py-sphinx \ ${PYTHON_PKGNAMEPREFIX}sphinx_rtd_theme>0:textproc/py-sphinx_rtd_theme@${PY_FLAVOR} DOCS_USES= gmake python:env DNSTAP_CONFIGURE_ENABLE= dnstap DNSTAP_LIB_DEPENDS= libfstrm.so:devel/fstrm \ libprotobuf-c.so:devel/protobuf-c FIXED_RRSET_CONFIGURE_ENABLE= fixed-rrset GEOIP_CONFIGURE_ENABLE= geoip GEOIP_CONFIGURE_WITH= maxminddb GEOIP_LIB_DEPENDS= libmaxminddb.so:net/libmaxminddb GSSAPI_BASE_CONFIGURE_ON= --with-gssapi="${KRB5CONFIG}" \ ${GSSAPI_CONFIGURE_ARGS} GSSAPI_BASE_USES= gssapi GSSAPI_HEIMDAL_CONFIGURE_ON= --with-gssapi="${KRB5CONFIG}" \ ${GSSAPI_CONFIGURE_ARGS} GSSAPI_HEIMDAL_USES= gssapi:heimdal GSSAPI_MIT_CONFIGURE_ON= --with-gssapi="${KRB5CONFIG}" \ ${GSSAPI_CONFIGURE_ARGS} GSSAPI_MIT_USES= gssapi:mit GSSAPI_NONE_CONFIGURE_ON= --without-gssapi IDN_CONFIGURE_OFF= --without-libidn2 IDN_CONFIGURE_ON= ${ICONV_CONFIGURE_BASE} \ --with-libidn2=${LOCALBASE} IDN_LIB_DEPENDS= libidn2.so:dns/libidn2 IDN_USES= iconv JSON_CONFIGURE_WITH= json-c JSON_LIB_DEPENDS= libjson-c.so:devel/json-c JSON_LDFLAGS= -L${LOCALBASE}/lib -ljson-c LARGE_FILE_CONFIGURE_ENABLE= largefile LMDB_CONFIGURE_WITH= lmdb=${LOCALBASE} LMDB_LIB_DEPENDS= liblmdb.so:databases/lmdb MANPAGES_BUILD_DEPENDS= sphinx-build:textproc/py-sphinx MANPAGES_USES= gmake OVERRIDECACHE_EXTRA_PATCHES= ${FILESDIR}/extrapatch-bind-min-override-ttl QUERYTRACE_CONFIGURE_ENABLE= querytrace START_LATE_SUB_LIST= NAMED_BEFORE="LOGIN" \ NAMED_REQUIRE="SERVERS cleanvar" START_LATE_SUB_LIST_OFF= NAMED_BEFORE="SERVERS" \ NAMED_REQUIRE="NETWORKING ldconfig syslogd" TCP_FASTOPEN_CONFIGURE_ENABLE= tcp-fastopen .include .if defined(WITH_DEBUG) CONFIGURE_ARGS+= --enable-developer \ --enable-symtable USES+= perl5 USE_PERL5= build BUILD_DEPENDS+= cmocka>0:sysutils/cmocka .endif .include .if ${SSL_DEFAULT} == base SUB_LIST+= ENGINES=/usr/lib/engines .else SUB_LIST+= ENGINES=${LOCALBASE}/lib/engines .endif # XXX: Remove first REINPLACE_CMD post-patch: @${REINPLACE_CMD} -e '/^m4_define(\[bind_SRCID/s/\[m4.*\]/${GL_COMMIT}/' \ ${WRKSRC}/configure.ac .for FILE in check/named-checkconf.rst named/named.rst nsupdate/nsupdate.rst \ rndc/rndc.rst @${REINPLACE_CMD} -e 's#/etc/named.conf#${ETCDIR}/named.conf#g' \ -e 's#/etc/rndc.conf#${ETCDIR}/rndc.conf#g' \ -e "s#/var\/run\/named\/named.pid#/var/run/named/pid#" \ ${WRKSRC}/bin/${FILE} .endfor .if !defined(BIND_TOOLS_SLAVE) post-install: ${MKDIR} ${STAGEDIR}${PREFIX}/etc/mtree ${MKDIR} ${STAGEDIR}${ETCDIR} . for i in dynamic primary secondary working @${MKDIR} ${STAGEDIR}${ETCDIR}/$i . endfor ${INSTALL_DATA} ${WRKDIR}/named.conf ${STAGEDIR}${ETCDIR}/named.conf.sample ${INSTALL_DATA} ${FILESDIR}/named.root ${STAGEDIR}${ETCDIR} ${INSTALL_DATA} ${FILESDIR}/empty.db ${STAGEDIR}${ETCDIR}/primary ${INSTALL_DATA} ${FILESDIR}/localhost-forward.db ${STAGEDIR}${ETCDIR}/primary ${INSTALL_DATA} ${FILESDIR}/localhost-reverse.db ${STAGEDIR}${ETCDIR}/primary ${INSTALL_DATA} ${FILESDIR}/BIND.chroot.dist ${STAGEDIR}${PREFIX}/etc/mtree/BIND.chroot.dist.sample ${INSTALL_DATA} ${FILESDIR}/BIND.chroot.local.dist ${STAGEDIR}${PREFIX}/etc/mtree/BIND.chroot.local.dist.sample ${INSTALL_DATA} ${WRKSRC}/bin/rndc/rndc.conf \ ${STAGEDIR}${ETCDIR}/rndc.conf.sample # FIXME: this is strange. @${RM} -rf ${STAGEDIR}/wrkdirs post-install-DOCS-on: ${MKDIR} ${STAGEDIR}${DOCSDIR}/arm ${INSTALL_DATA} ${WRKSRC}/CHANGES* \ ${WRKSRC}/README.md ${STAGEDIR}${DOCSDIR} cd ${WRKSRC}/doc/arm/_build/html && ${COPYTREE_SHARE} . ${STAGEDIR}${DOCSDIR}/arm .else do-install: for dir in bin lib doc/man; do \ (cd ${INSTALL_WRKSRC}/$$dir && ${SETENV} ${MAKE_ENV} ${FAKEROOT} ${MAKE_CMD} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} ${INSTALL_TARGET}) ; \ done @${RM} -r ${STAGEDIR}${PREFIX}/include .endif # BIND_TOOLS_SLAVE .include diff --git a/dns/bind9-devel/files/named.in b/dns/bind9-devel/files/named.in index 0d19435000cc..ee2fbcb821a7 100644 --- a/dns/bind9-devel/files/named.in +++ b/dns/bind9-devel/files/named.in @@ -1,452 +1,452 @@ #!/bin/sh # PROVIDE: named # REQUIRE: %%NAMED_REQUIRE%% # BEFORE: %%NAMED_BEFORE%% # KEYWORD: shutdown # # Add the following lines to /etc/rc.conf to enable BIND: # named_enable (bool): Run named, the DNS server (or NO). # named_program (str): Path to named, if you want a different one. # named_conf (str): Path to the configuration file # named_flags (str): Use this for flags OTHER than -u and -c # named_uid (str): User to run named as # named_chrootdir (str): Chroot directory (or "" not to auto-chroot it) # Historically, was /var/named # named_chroot_autoupdate (bool): Automatically install/update chrooted # components of named. # named_symlink_enable (bool): Symlink the chrooted pid file # named_wait (bool): Wait for working name service before exiting # named_wait_host (str): Hostname to check if named_wait is enabled # named_auto_forward (str): Set up forwarders from /etc/resolv.conf # named_auto_forward_only (str): Do "forward only" instead of "forward first" # . /etc/rc.subr name=named desc="named BIND startup script" rcvar=named_enable load_rc_config ${name} extra_commands=reload start_precmd=named_prestart start_postcmd=named_poststart reload_cmd=named_reload stop_cmd=named_stop stop_postcmd=named_poststop named_enable=${named_enable:-"NO"} named_program=${named_program:-"%%PREFIX%%/sbin/named"} named_conf=${named_conf:-"%%ETCDIR%%/named.conf"} named_flags=${named_flags:-""} named_uid=${named_uid:-"bind"} named_chrootdir=${named_chrootdir:-""} named_chroot_autoupdate=${named_chroot_autoupdate:-"YES"} named_symlink_enable=${named_symlink_enable:-"YES"} named_wait=${named_wait:-"NO"} named_wait_host=${named_wait_host:-"localhost"} named_auto_forward=${named_auto_forward:-"NO"} named_auto_forward_only=${named_auto_forward_only:-"NO"} # Not configuration variables but having them here keeps rclint happy required_dirs="${named_chrootdir}" _named_confdirroot="${named_conf%/*}" _named_confdir="${named_chrootdir}${_named_confdirroot}" _named_program_root="${named_program%/sbin/named}" _openssl_engines="%%ENGINES%%" # Needed if named.conf and rndc.conf are moved or if rndc.conf is used rndc_conf=${rndc_conf:-"$_named_confdir/rndc.conf"} rndc_key=${rndc_key:-"$_named_confdir/rndc.key"} # If running in a chroot cage, ensure that the appropriate files # exist inside the cage, as well as helper symlinks into the cage # from outside. # # As this is called after the is_running and required_dir checks # are made in run_rc_command(), we can safely assume ${named_chrootdir} # exists and named isn't running at this point (unless forcestart # is used). # chroot_autoupdate() { local file # If it's the first time around, fiddle with things and move the # current configuration to the chroot. if [ -d ${_named_confdirroot} -a ! -d ${_named_confdir} ]; then warn "named chroot: Moving current configuration in the chroot!" install -d ${_named_confdir%/*} mv ${_named_confdirroot} ${_named_confdir} fi # Create (or update) the chroot directory structure # if [ -r %%PREFIX%%/etc/mtree/BIND.chroot.dist ]; then mtree -deU -f %%PREFIX%%/etc/mtree/BIND.chroot.dist \ -p ${named_chrootdir} else warn "%%PREFIX%%/etc/mtree/BIND.chroot.dist missing," warn "${named_chrootdir} directory structure not updated" fi if [ -r %%PREFIX%%/etc/mtree/BIND.chroot.local.dist ]; then mkdir -p ${named_chrootdir}%%PREFIX%% mtree -deU -f %%PREFIX%%/etc/mtree/BIND.chroot.local.dist \ -p ${named_chrootdir}%%PREFIX%% else warn "%%PREFIX%%/etc/mtree/BIND.chroot.local.dist missing," warn "${named_chrootdir}%%PREFIX%% directory structure not updated" fi # Create (or update) the configuration directory symlink # if [ ! -L "${_named_confdirroot}" ]; then if [ -d "${_named_confdirroot}" ]; then warn "named chroot: ${_named_confdirroot} is a directory!" elif [ -e "${_named_confdirroot}" ]; then warn "named chroot: ${_named_confdirroot} exists!" else ln -s ${_named_confdir} ${_named_confdirroot} fi else # Make sure it points to the right place. ln -shf ${_named_confdir} ${_named_confdirroot} fi # Mount a devfs in the chroot directory if needed # if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then umount ${named_chrootdir}/dev 2>/dev/null devfs_domount ${named_chrootdir}/dev devfsrules_hide_all devfs -m ${named_chrootdir}/dev rule apply path null unhide devfs -m ${named_chrootdir}/dev rule apply path random unhide else if [ -c ${named_chrootdir}/dev/null -a \ -c ${named_chrootdir}/dev/random ]; then info "named chroot: using pre-mounted devfs." else err 1 "named chroot: devfs cannot be mounted from " \ "within a jail. Thus a chrooted named cannot " \ "be run from within a jail. Either mount the " \ "devfs with null and random from the host, or " \ "run named without chrooting it, set " \ "named_chrootdir=\"\" in /etc/rc.conf." fi fi # The OpenSSL engines and BIND9 plugins should be present in the # chroot, named loads them after chrooting. null_mount_or_copy ${_openssl_engines} null_mount_or_copy %%PREFIX%%/lib/named # Copy and/or update key files to the chroot /etc # for file in localtime protocols services; do if [ -r /etc/${file} ] && \ ! cmp -s /etc/${file} "${named_chrootdir}/etc/${file}"; then cp -p /etc/${file} "${named_chrootdir}/etc/${file}" fi done } # Make symlinks to the correct pid file # make_symlinks() { checkyesno named_symlink_enable && ln -fs "${named_chrootdir}${pidfile}" ${pidfile} && ln -fs "${named_chrootdir}${sessionkeyfile}" ${sessionkeyfile} } named_poststart() { make_symlinks if checkyesno named_wait; then until ${_named_program_root}/bin/host ${named_wait_host} >/dev/null 2>&1; do echo " Waiting for nameserver to resolve ${named_wait_host}" sleep 1 done fi } named_reload() { # This is a one line function, but ${named_program} is not defined early # enough to be there when the reload_cmd variable is defined up there. rndc reload } find_pidfile() { if get_pidfile_from_conf pid-file ${named_conf}; then pidfile="${_pidfile_from_conf}" else pidfile="/var/run/named/pid" fi } find_sessionkeyfile() { if get_pidfile_from_conf session-keyfile ${named_conf}; then sessionkeyfile="${_pidfile_from_conf}" else sessionkeyfile="/var/run/named/session.key" fi } named_stop() { find_pidfile # This duplicates an undesirably large amount of code from the stop # routine in rc.subr in order to use rndc to shut down the process, # and to give it a second chance in case rndc fails. rc_pid=$(check_pidfile ${pidfile} ${command}) if [ -z "${rc_pid}" ]; then [ -n "${rc_fast}" ] && return 0 _run_rc_notrunning return 1 fi echo 'Stopping named.' if rndc stop; then wait_for_pids ${rc_pid} else echo -n 'rndc failed, trying kill: ' kill -TERM ${rc_pid} wait_for_pids ${rc_pid} fi } named_poststop() { if [ -n "${named_chrootdir}" ]; then null_umount %%PREFIX%%/lib/named null_umount ${_openssl_engines} if [ -c ${named_chrootdir}/dev/null ]; then # unmount /dev if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then umount ${named_chrootdir}/dev 2>/dev/null || true else warn "named chroot:" \ "cannot unmount devfs from inside jail!" fi fi fi } can_mount() { local kld kld=$1 if ! load_kld $kld; then return 1 fi if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ] || [ `${SYSCTL_N} security.jail.mount_allowed` -eq 1 ] || [ `${SYSCTL_N} security.jail.mount_${kld}_allowed` -eq 1 ] ; then return 0 fi return 1 } null_mount_or_copy() { local dir dir=$1 if [ -d ${dir} ]; then mkdir -p ${named_chrootdir}${dir} if can_mount nullfs ; then mount -t nullfs ${dir} ${named_chrootdir}${dir} else warn "named chroot: cannot nullfs mount OpenSSL" \ "engines into the chroot, will copy the shared" \ "libraries instead." cp -f ${dir}/*.so ${named_chrootdir}${dir} fi fi } null_umount() { local dir dir=$1 if [ -d ${dir} ]; then if can_mount nullfs; then umount ${named_chrootdir}${dir} fi fi } create_file() { if [ -e "$1" ]; then unlink $1 fi install -o root -g wheel -m 0644 /dev/null $1 } rndc() { if [ -z "${rndc_flags}" ]; then if [ -s "${rndc_conf}" ] ; then rndc_flags="-c ${rndc_conf}" elif [ -s "${rndc_key}" ] ; then rndc_flags="-k ${rndc_key}" else rndc_flags="" fi fi ${_named_program_root}/sbin/rndc ${rndc_flags} "$@" } named_prestart() { + # Is the user using a sandbox? + # + if [ -n "${named_chrootdir}" ]; then + rc_flags="${rc_flags} -t ${named_chrootdir}" + checkyesno named_chroot_autoupdate && chroot_autoupdate + + case "${altlog_proglist}" in + *named*) + ;; + *) + warn 'Using chroot without setting altlog_proglist, logging may not' + warn 'work correctly. Run sysrc altlog_proglist+=named' + ;; + esac + else + named_symlink_enable=NO + fi + find_pidfile find_sessionkeyfile if [ -n "${named_pidfile}" ]; then warn 'named_pidfile: now determined from the conf file' fi if [ -n "${named_sessionkeyfile}" ]; then warn 'named_sessionkeyfile: now determined from the conf file' fi piddir=`/usr/bin/dirname ${pidfile}` if [ ! -d ${piddir} ]; then install -d -o ${named_uid} -g ${named_uid} ${piddir} fi sessionkeydir=`/usr/bin/dirname ${sessionkeyfile}` if [ ! -d ${sessionkeydir} ]; then install -d -o ${named_uid} -g ${named_uid} ${sessionkeydir} fi command_args="-u ${named_uid:=root} -c ${named_conf} ${command_args}" local line nsip firstns - # Is the user using a sandbox? - # - if [ -n "${named_chrootdir}" ]; then - rc_flags="${rc_flags} -t ${named_chrootdir}" - checkyesno named_chroot_autoupdate && chroot_autoupdate - - case "${altlog_proglist}" in - *named*) - ;; - *) - warn 'Using chroot without setting altlog_proglist, logging may not' - warn 'work correctly. Run sysrc altlog_proglist+=named' - ;; - esac - else - named_symlink_enable=NO - fi - # Create an rndc.key file for the user if none exists # confgen_command="${_named_program_root}/sbin/rndc-confgen -a -b256 -u ${named_uid} \ -c ${_named_confdir}/rndc.key" if [ -s "${_named_confdir}/rndc.conf" ]; then unset confgen_command fi if [ -s "${_named_confdir}/rndc.key" ]; then case `stat -f%Su ${_named_confdir}/rndc.key` in root|${named_uid}) ;; *) ${confgen_command} ;; esac else ${confgen_command} fi local checkconf checkconf="${_named_program_root}/bin/named-checkconf" if ! checkyesno named_chroot_autoupdate && [ -n "${named_chrootdir}" ]; then checkconf="${checkconf} -t ${named_chrootdir}" fi # Create a forwarder configuration based on /etc/resolv.conf if checkyesno named_auto_forward; then if [ ! -s /etc/resolv.conf ]; then warn "named_auto_forward enabled, but no /etc/resolv.conf" # Empty the file in case it is included in named.conf [ -s "${_named_confdir}/auto_forward.conf" ] && create_file ${_named_confdir}/auto_forward.conf ${checkconf} ${named_conf} || err 3 'named-checkconf for ${named_conf} failed' return fi create_file /var/run/naf-resolv.conf create_file /var/run/auto_forward.conf echo ' forwarders {' > /var/run/auto_forward.conf while read line; do case "${line}" in 'nameserver '*|'nameserver '*) nsip=${line##nameserver[ ]} if [ -z "${firstns}" ]; then if [ ! "${nsip}" = '127.0.0.1' ]; then echo 'nameserver 127.0.0.1' echo " ${nsip};" >> /var/run/auto_forward.conf fi firstns=1 else [ "${nsip}" = '127.0.0.1' ] && continue echo " ${nsip};" >> /var/run/auto_forward.conf fi ;; esac echo ${line} done < /etc/resolv.conf > /var/run/naf-resolv.conf echo ' };' >> /var/run/auto_forward.conf echo '' >> /var/run/auto_forward.conf if checkyesno named_auto_forward_only; then echo " forward only;" >> /var/run/auto_forward.conf else echo " forward first;" >> /var/run/auto_forward.conf fi if cmp -s /etc/resolv.conf /var/run/naf-resolv.conf; then unlink /var/run/naf-resolv.conf else [ -e /etc/resolv.conf ] && unlink /etc/resolv.conf mv /var/run/naf-resolv.conf /etc/resolv.conf fi if cmp -s ${_named_confdir}/auto_forward.conf \ /var/run/auto_forward.conf; then unlink /var/run/auto_forward.conf else [ -e "${_named_confdir}/auto_forward.conf" ] && unlink ${_named_confdir}/auto_forward.conf mv /var/run/auto_forward.conf \ ${_named_confdir}/auto_forward.conf fi else # Empty the file in case it is included in named.conf [ -s "${_named_confdir}/auto_forward.conf" ] && create_file ${_named_confdir}/auto_forward.conf fi ${checkconf} ${named_conf} || err 3 "named-checkconf for ${named_conf} failed" } run_rc_command "$1" diff --git a/dns/bind916/Makefile b/dns/bind916/Makefile index d7ece0342c51..ffae4aad8fe7 100644 --- a/dns/bind916/Makefile +++ b/dns/bind916/Makefile @@ -1,231 +1,231 @@ # pkg-help formatted with fmt 59 63 PORTNAME= bind PORTVERSION= ${ISCVERSION:S/-P/P/:S/b/.b/:S/a/.a/:S/rc/.rc/} -PORTREVISION= 0 +PORTREVISION= 1 CATEGORIES= dns net MASTER_SITES= ISC/bind9/${ISCVERSION} PKGNAMESUFFIX= 916 DISTNAME= ${PORTNAME}-${ISCVERSION} MAINTAINER= mat@FreeBSD.org COMMENT= BIND DNS suite with updated DNSSEC and DNS64 WWW= https://www.isc.org/bind/ # Uncomment when bind920 comes of age. # DEPRECATED= End of life, please migrate to a newer version of BIND9 # EXPIRATION_DATE= 2023-12-31 LICENSE= MPL20 LICENSE_FILE= ${WRKSRC}/LICENSE LIB_DEPENDS= libuv.so:devel/libuv \ libxml2.so:textproc/libxml2 RUN_DEPENDS= bind-tools>0:dns/bind-tools USES= compiler:c11 cpe libedit pkgconfig ssl tar:xz # ISC releases things like 9.8.0-P1, which our versioning doesn't like ISCVERSION= 9.16.33 CPE_VENDOR= isc CPE_VERSION= ${ISCVERSION:C/-.*//} .if ${ISCVERSION:M*-*} CPE_UPDATE= ${ISCVERSION:C/.*-//:tl} .endif GNU_CONFIGURE= yes CONFIGURE_ARGS= --disable-linux-caps \ --localstatedir=/var \ --sysconfdir=${ETCDIR} \ --with-dlopen=yes \ --without-python \ --with-libxml2 \ --with-openssl=${OPENSSLBASE} \ --with-readline="-L${LOCALBASE}/lib -ledit" ETCDIR= ${PREFIX}/etc/namedb USE_RC_SUBR= named SUB_FILES= named.conf pkg-message PORTDOCS= * CONFLICTS= bind9[0-9][0-9] bind9-devel MAKE_JOBS_UNSAFE= yes OPTIONS_DEFAULT= DLZ_FILESYSTEM GSSAPI_NONE IDN JSON LMDB \ TCP_FASTOPEN MANPAGES DNSTAP OPTIONS_DEFINE= DNSTAP DOCS FIXED_RRSET GEOIP IDN JSON LARGE_FILE LMDB \ OVERRIDECACHE PORTREVISION QUERYTRACE \ START_LATE TCP_FASTOPEN MANPAGES OPTIONS_RADIO= CRYPTO OPTIONS_RADIO_CRYPTO= NATIVE_PKCS11 OPTIONS_GROUP= DLZ OPTIONS_GROUP_DLZ= DLZ_BDB DLZ_FILESYSTEM DLZ_LDAP DLZ_MYSQL \ DLZ_POSTGRESQL DLZ_STUB OPTIONS_SINGLE= GSSAPI OPTIONS_SINGLE_GSSAPI= GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT GSSAPI_NONE OPTIONS_SUB= yes CRYPTO_DESC= Choose which crypto engine to use DLZ_BDB_DESC= DLZ BDB driver DLZ_DESC= Dynamically Loadable Zones DLZ_FILESYSTEM_DESC= DLZ filesystem driver DLZ_LDAP_DESC= DLZ LDAP driver DLZ_MYSQL_DESC= DLZ MySQL driver (no threading) DLZ_POSTGRESQL_DESC= DLZ Postgres driver DLZ_STUB_DESC= DLZ stub driver DNSTAP_DESC= Provides fast passive logging of DNS messages FIXED_RRSET_DESC= Enable fixed rrset ordering GSSAPI_BASE_DESC= Using Heimdal in base GSSAPI_HEIMDAL_DESC= Using security/heimdal GSSAPI_MIT_DESC= Using security/krb5 GSSAPI_NONE_DESC= Disable LARGE_FILE_DESC= 64-bit file support LMDB_DESC= Use LMDB for zone management OVERRIDECACHE_DESC= Use the override-cache patch NATIVE_PKCS11_DESC= Use PKCS\#11 native API (**READ HELP**) PORTREVISION_DESC= Show PORTREVISION in the version string QUERYTRACE_DESC= Enable the very verbose query tracelogging START_LATE_DESC= Start BIND late in the boot process (see help) TCP_FASTOPEN_DESC= RFC 7413 support DLZ_BDB_CONFIGURE_ON= --with-dlz-bdb=yes DLZ_BDB_USES= bdb DLZ_FILESYSTEM_CONFIGURE_ON= --with-dlz-filesystem=yes DLZ_LDAP_CONFIGURE_ON= --with-dlz-ldap=yes DLZ_LDAP_USE= OPENLDAP=yes DLZ_MYSQL_CONFIGURE_ON= --with-dlz-mysql=yes DLZ_MYSQL_USES= mysql DLZ_POSTGRESQL_CONFIGURE_ON= --with-dlz-postgres=yes DLZ_POSTGRESQL_USES= pgsql DLZ_STUB_CONFIGURE_ON= --with-dlz-stub=yes DOCS_BUILD_DEPENDS= sphinx-build:textproc/py-sphinx \ ${PYTHON_PKGNAMEPREFIX}sphinx_rtd_theme>0:textproc/py-sphinx_rtd_theme@${PY_FLAVOR} DOCS_USES= python:env DNSTAP_CONFIGURE_ENABLE= dnstap DNSTAP_LIB_DEPENDS= libfstrm.so:devel/fstrm \ libprotobuf-c.so:devel/protobuf-c FIXED_RRSET_CONFIGURE_ENABLE= fixed-rrset GEOIP_CONFIGURE_ENABLE= geoip GEOIP_CONFIGURE_WITH= maxminddb GEOIP_LIB_DEPENDS= libmaxminddb.so:net/libmaxminddb GSSAPI_BASE_CONFIGURE_ON= --with-gssapi=${GSSAPIBASEDIR} \ ${GSSAPI_CONFIGURE_ARGS} GSSAPI_BASE_USES= gssapi GSSAPI_HEIMDAL_CONFIGURE_ON= --with-gssapi=${GSSAPIBASEDIR} \ ${GSSAPI_CONFIGURE_ARGS} GSSAPI_HEIMDAL_USES= gssapi:heimdal GSSAPI_MIT_CONFIGURE_ON= --with-gssapi=${GSSAPIBASEDIR} \ ${GSSAPI_CONFIGURE_ARGS} GSSAPI_MIT_USES= gssapi:mit GSSAPI_NONE_CONFIGURE_ON= --without-gssapi IDN_CONFIGURE_OFF= --without-libidn2 IDN_CONFIGURE_ON= ${ICONV_CONFIGURE_BASE} \ --with-libidn2=${LOCALBASE} IDN_LIB_DEPENDS= libidn2.so:dns/libidn2 IDN_USES= iconv JSON_CONFIGURE_WITH= json-c JSON_LIB_DEPENDS= libjson-c.so:devel/json-c JSON_LDFLAGS= -L${LOCALBASE}/lib -ljson-c LARGE_FILE_CONFIGURE_ENABLE= largefile LMDB_CONFIGURE_WITH= lmdb=${LOCALBASE} LMDB_LIB_DEPENDS= liblmdb.so:databases/lmdb MANPAGES_BUILD_DEPENDS= sphinx-build:textproc/py-sphinx OVERRIDECACHE_EXTRA_PATCHES= ${FILESDIR}/extrapatch-bind-min-override-ttl NATIVE_PKCS11_CONFIGURE_ENABLE= native-pkcs11 QUERYTRACE_CONFIGURE_ENABLE= querytrace START_LATE_SUB_LIST= NAMED_BEFORE="LOGIN" \ NAMED_REQUIRE="SERVERS cleanvar" START_LATE_SUB_LIST_OFF= NAMED_BEFORE="SERVERS" \ NAMED_REQUIRE="NETWORKING ldconfig syslogd" TCP_FASTOPEN_CONFIGURE_ENABLE= tcp-fastopen .include .if defined(WITH_DEBUG) CONFIGURE_ARGS+= --enable-developer \ --enable-symtable USES+= perl5 USE_PERL5= build BUILD_DEPENDS+= cmocka>0:sysutils/cmocka .else CONFIGURE_ARGS+= --disable-symtable .endif .include .if ${SSL_DEFAULT} == base SUB_LIST+= ENGINES=/usr/lib/engines .else SUB_LIST+= ENGINES=${LOCALBASE}/lib/engines .endif post-patch: .for FILE in named-checkconf.8 named.8 nsupdate.1 \ rndc.8 @${REINPLACE_CMD} -e 's#/etc/named.conf#${ETCDIR}/named.conf#g' \ -e 's#/etc/rndc.conf#${ETCDIR}/rndc.conf#g' \ -e "s#/var\/run\/named\/named.pid#/var/run/named/pid#" \ ${WRKSRC}/doc/man/${FILE}in .endfor . if ${PORTREVISION:N0} post-patch-PORTREVISION-on: @${REINPLACE_CMD} -e '/EXTENSIONS/s#=$$#=_${PORTREVISION}#' \ ${WRKSRC}/version . endif post-build-DOCS-on: cd ${WRKSRC}/doc/arm && ${MAKE} html post-install: ${MKDIR} ${STAGEDIR}${PREFIX}/etc/mtree ${MKDIR} ${STAGEDIR}${ETCDIR} . for i in dynamic master slave working @${MKDIR} ${STAGEDIR}${ETCDIR}/$i . endfor ${INSTALL_DATA} ${WRKDIR}/named.conf ${STAGEDIR}${ETCDIR}/named.conf.sample ${INSTALL_DATA} ${FILESDIR}/named.root ${STAGEDIR}${ETCDIR} ${INSTALL_DATA} ${FILESDIR}/empty.db ${STAGEDIR}${ETCDIR}/master ${INSTALL_DATA} ${FILESDIR}/localhost-forward.db ${STAGEDIR}${ETCDIR}/master ${INSTALL_DATA} ${FILESDIR}/localhost-reverse.db ${STAGEDIR}${ETCDIR}/master ${INSTALL_DATA} ${FILESDIR}/BIND.chroot.dist ${STAGEDIR}${PREFIX}/etc/mtree/BIND.chroot.dist.sample ${INSTALL_DATA} ${FILESDIR}/BIND.chroot.local.dist ${STAGEDIR}${PREFIX}/etc/mtree/BIND.chroot.local.dist.sample ${INSTALL_DATA} ${WRKSRC}/bin/rndc/rndc.conf \ ${STAGEDIR}${ETCDIR}/rndc.conf.sample post-install-DOCS-on: ${MKDIR} ${STAGEDIR}${DOCSDIR}/arm ${INSTALL_DATA} ${WRKSRC}/CHANGES* ${WRKSRC}/HISTORY.md \ ${WRKSRC}/README.md ${STAGEDIR}${DOCSDIR} cd ${WRKSRC}/doc/arm/_build/html && ${COPYTREE_SHARE} . ${STAGEDIR}${DOCSDIR}/arm .include diff --git a/dns/bind916/files/named.in b/dns/bind916/files/named.in index 48681ca12f3b..6e225efe0733 100644 --- a/dns/bind916/files/named.in +++ b/dns/bind916/files/named.in @@ -1,464 +1,464 @@ #!/bin/sh # PROVIDE: named # REQUIRE: %%NAMED_REQUIRE%% # BEFORE: %%NAMED_BEFORE%% # KEYWORD: shutdown # # Add the following lines to /etc/rc.conf to enable BIND: # named_enable (bool): Run named, the DNS server (or NO). # named_program (str): Path to named, if you want a different one. # named_conf (str): Path to the configuration file # named_flags (str): Use this for flags OTHER than -u and -c # named_uid (str): User to run named as # named_chrootdir (str): Chroot directory (or "" not to auto-chroot it) # Historically, was /var/named # named_chroot_autoupdate (bool): Automatically install/update chrooted # components of named. # named_symlink_enable (bool): Symlink the chrooted pid file # named_wait (bool): Wait for working name service before exiting # named_wait_host (str): Hostname to check if named_wait is enabled # named_auto_forward (str): Set up forwarders from /etc/resolv.conf # named_auto_forward_only (str): Do "forward only" instead of "forward first" %%NATIVE_PKCS11%%# named_pkcs11_engine (str): Path to the PKCS#11 library to use. # . /etc/rc.subr name=named desc="named BIND startup script" rcvar=named_enable load_rc_config ${name} extra_commands=reload start_precmd=named_prestart start_postcmd=named_poststart reload_cmd=named_reload stop_cmd=named_stop stop_postcmd=named_poststop named_enable=${named_enable:-"NO"} named_program=${named_program:-"%%PREFIX%%/sbin/named"} named_conf=${named_conf:-"%%ETCDIR%%/named.conf"} named_flags=${named_flags:-""} named_uid=${named_uid:-"bind"} named_chrootdir=${named_chrootdir:-""} named_chroot_autoupdate=${named_chroot_autoupdate:-"YES"} named_symlink_enable=${named_symlink_enable:-"YES"} named_wait=${named_wait:-"NO"} named_wait_host=${named_wait_host:-"localhost"} named_auto_forward=${named_auto_forward:-"NO"} named_auto_forward_only=${named_auto_forward_only:-"NO"} %%NATIVE_PKCS11%%named_pkcs11_engine=${named_pkcs11_engine:-""} # Not configuration variables but having them here keeps rclint happy required_dirs="${named_chrootdir}" _named_confdirroot="${named_conf%/*}" _named_confdir="${named_chrootdir}${_named_confdirroot}" _named_program_root="${named_program%/sbin/named}" _openssl_engines="%%ENGINES%%" # Needed if named.conf and rndc.conf are moved or if rndc.conf is used rndc_conf=${rndc_conf:-"$_named_confdir/rndc.conf"} rndc_key=${rndc_key:-"$_named_confdir/rndc.key"} # If running in a chroot cage, ensure that the appropriate files # exist inside the cage, as well as helper symlinks into the cage # from outside. # # As this is called after the is_running and required_dir checks # are made in run_rc_command(), we can safely assume ${named_chrootdir} # exists and named isn't running at this point (unless forcestart # is used). # chroot_autoupdate() { local file # If it's the first time around, fiddle with things and move the # current configuration to the chroot. if [ -d ${_named_confdirroot} -a ! -d ${_named_confdir} ]; then warn "named chroot: Moving current configuration in the chroot!" install -d ${_named_confdir%/*} mv ${_named_confdirroot} ${_named_confdir} fi # Create (or update) the chroot directory structure # if [ -r %%PREFIX%%/etc/mtree/BIND.chroot.dist ]; then mtree -deU -f %%PREFIX%%/etc/mtree/BIND.chroot.dist \ -p ${named_chrootdir} else warn "%%PREFIX%%/etc/mtree/BIND.chroot.dist missing," warn "${named_chrootdir} directory structure not updated" fi if [ -r %%PREFIX%%/etc/mtree/BIND.chroot.local.dist ]; then mkdir -p ${named_chrootdir}%%PREFIX%% mtree -deU -f %%PREFIX%%/etc/mtree/BIND.chroot.local.dist \ -p ${named_chrootdir}%%PREFIX%% else warn "%%PREFIX%%/etc/mtree/BIND.chroot.local.dist missing," warn "${named_chrootdir}%%PREFIX%% directory structure not updated" fi # Create (or update) the configuration directory symlink # if [ ! -L "${_named_confdirroot}" ]; then if [ -d "${_named_confdirroot}" ]; then warn "named chroot: ${_named_confdirroot} is a directory!" elif [ -e "${_named_confdirroot}" ]; then warn "named chroot: ${_named_confdirroot} exists!" else ln -s ${_named_confdir} ${_named_confdirroot} fi else # Make sure it points to the right place. ln -shf ${_named_confdir} ${_named_confdirroot} fi # Mount a devfs in the chroot directory if needed # if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then umount ${named_chrootdir}/dev 2>/dev/null devfs_domount ${named_chrootdir}/dev devfsrules_hide_all devfs -m ${named_chrootdir}/dev rule apply path null unhide devfs -m ${named_chrootdir}/dev rule apply path random unhide else if [ -c ${named_chrootdir}/dev/null -a \ -c ${named_chrootdir}/dev/random ]; then info "named chroot: using pre-mounted devfs." else err 1 "named chroot: devfs cannot be mounted from " \ "within a jail. Thus a chrooted named cannot " \ "be run from within a jail. Either mount the " \ "devfs with null and random from the host, or " \ "run named without chrooting it, set " \ "named_chrootdir=\"\" in /etc/rc.conf." fi fi # The OpenSSL engines and BIND9 plugins should be present in the # chroot, named loads them after chrooting. null_mount_or_copy ${_openssl_engines} null_mount_or_copy %%PREFIX%%/lib/named # Copy and/or update key files to the chroot /etc # for file in localtime protocols services; do if [ -r /etc/${file} ] && \ ! cmp -s /etc/${file} "${named_chrootdir}/etc/${file}"; then cp -p /etc/${file} "${named_chrootdir}/etc/${file}" fi done } # Make symlinks to the correct pid file # make_symlinks() { checkyesno named_symlink_enable && ln -fs "${named_chrootdir}${pidfile}" ${pidfile} && ln -fs "${named_chrootdir}${sessionkeyfile}" ${sessionkeyfile} } named_poststart() { make_symlinks if checkyesno named_wait; then until ${_named_program_root}/bin/host ${named_wait_host} >/dev/null 2>&1; do echo " Waiting for nameserver to resolve ${named_wait_host}" sleep 1 done fi } named_reload() { # This is a one line function, but ${named_program} is not defined early # enough to be there when the reload_cmd variable is defined up there. rndc reload } find_pidfile() { if get_pidfile_from_conf pid-file ${named_conf}; then pidfile="${_pidfile_from_conf}" else pidfile="/var/run/named/pid" fi } find_sessionkeyfile() { if get_pidfile_from_conf session-keyfile ${named_conf}; then sessionkeyfile="${_pidfile_from_conf}" else sessionkeyfile="/var/run/named/session.key" fi } named_stop() { find_pidfile # This duplicates an undesirably large amount of code from the stop # routine in rc.subr in order to use rndc to shut down the process, # and to give it a second chance in case rndc fails. rc_pid=$(check_pidfile ${pidfile} ${command}) if [ -z "${rc_pid}" ]; then [ -n "${rc_fast}" ] && return 0 _run_rc_notrunning return 1 fi echo 'Stopping named.' if rndc stop; then wait_for_pids ${rc_pid} else echo -n 'rndc failed, trying kill: ' kill -TERM ${rc_pid} wait_for_pids ${rc_pid} fi } named_poststop() { if [ -n "${named_chrootdir}" ]; then null_umount %%PREFIX%%/lib/named null_umount ${_openssl_engines} if [ -c ${named_chrootdir}/dev/null ]; then # unmount /dev if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then umount ${named_chrootdir}/dev 2>/dev/null || true else warn "named chroot:" \ "cannot unmount devfs from inside jail!" fi fi fi } can_mount() { local kld kld=$1 if ! load_kld $kld; then return 1 fi if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ] || [ `${SYSCTL_N} security.jail.mount_allowed` -eq 1 ] || [ `${SYSCTL_N} security.jail.mount_${kld}_allowed` -eq 1 ] ; then return 0 fi return 1 } null_mount_or_copy() { local dir dir=$1 if [ -d ${dir} ]; then mkdir -p ${named_chrootdir}${dir} if can_mount nullfs ; then mount -t nullfs ${dir} ${named_chrootdir}${dir} else warn "named chroot: cannot nullfs mount OpenSSL" \ "engines into the chroot, will copy the shared" \ "libraries instead." cp -f ${dir}/*.so ${named_chrootdir}${dir} fi fi } null_umount() { local dir dir=$1 if [ -d ${dir} ]; then if can_mount nullfs; then umount ${named_chrootdir}${dir} fi fi } create_file() { if [ -e "$1" ]; then unlink $1 fi install -o root -g wheel -m 0644 /dev/null $1 } rndc() { if [ -z "${rndc_flags}" ]; then if [ -s "${rndc_conf}" ] ; then rndc_flags="-c ${rndc_conf}" elif [ -s "${rndc_key}" ] ; then rndc_flags="-k ${rndc_key}" else rndc_flags="" fi fi ${_named_program_root}/sbin/rndc ${rndc_flags} "$@" } named_prestart() { + # Is the user using a sandbox? + # + if [ -n "${named_chrootdir}" ]; then + rc_flags="${rc_flags} -t ${named_chrootdir}" + checkyesno named_chroot_autoupdate && chroot_autoupdate + + case "${altlog_proglist}" in + *named*) + ;; + *) + warn 'Using chroot without setting altlog_proglist, logging may not' + warn 'work correctly. Run sysrc altlog_proglist+=named' + ;; + esac + else + named_symlink_enable=NO + fi + find_pidfile find_sessionkeyfile if [ -n "${named_pidfile}" ]; then warn 'named_pidfile: now determined from the conf file' fi if [ -n "${named_sessionkeyfile}" ]; then warn 'named_sessionkeyfile: now determined from the conf file' fi piddir=`/usr/bin/dirname ${pidfile}` if [ ! -d ${piddir} ]; then install -d -o ${named_uid} -g ${named_uid} ${piddir} fi sessionkeydir=`/usr/bin/dirname ${sessionkeyfile}` if [ ! -d ${sessionkeydir} ]; then install -d -o ${named_uid} -g ${named_uid} ${sessionkeydir} fi command_args="-u ${named_uid:=root} -c ${named_conf} ${command_args}" %%NATIVE_PKCS11%% if [ -z "${named_pkcs11_engine}"]; then %%NATIVE_PKCS11%% err 3 "named_pkcs11_engine has to be set to the PKCS#11 engine's library you want to use" %%NATIVE_PKCS11%% elif [ ! -f ${named_pkcs11_engine} ]; then %%NATIVE_PKCS11%% err 3 "named_pkcs11_engine the PKCS#11 engine's library you want to use doesn't exist" %%NATIVE_PKCS11%% else %%NATIVE_PKCS11%% mkdir -p ${named_chrootdir}${named_pkcs11_engine%/*} %%NATIVE_PKCS11%% cp -p ${named_pkcs11_engine} ${named_chrootdir}${named_pkcs11_engine} %%NATIVE_PKCS11%% command_args="-E ${named_pkcs11_engine} ${command_args}" %%NATIVE_PKCS11%% fi local line nsip firstns - # Is the user using a sandbox? - # - if [ -n "${named_chrootdir}" ]; then - rc_flags="${rc_flags} -t ${named_chrootdir}" - checkyesno named_chroot_autoupdate && chroot_autoupdate - - case "${altlog_proglist}" in - *named*) - ;; - *) - warn 'Using chroot without setting altlog_proglist, logging may not' - warn 'work correctly. Run sysrc altlog_proglist+=named' - ;; - esac - else - named_symlink_enable=NO - fi - # Create an rndc.key file for the user if none exists # confgen_command="${_named_program_root}/sbin/rndc-confgen -a -b256 -u ${named_uid} \ -c ${_named_confdir}/rndc.key" if [ -s "${_named_confdir}/rndc.conf" ]; then unset confgen_command fi if [ -s "${_named_confdir}/rndc.key" ]; then case `stat -f%Su ${_named_confdir}/rndc.key` in root|${named_uid}) ;; *) ${confgen_command} ;; esac else ${confgen_command} fi local checkconf checkconf="${_named_program_root}/sbin/named-checkconf" if ! checkyesno named_chroot_autoupdate && [ -n "${named_chrootdir}" ]; then checkconf="${checkconf} -t ${named_chrootdir}" fi # Create a forwarder configuration based on /etc/resolv.conf if checkyesno named_auto_forward; then if [ ! -s /etc/resolv.conf ]; then warn "named_auto_forward enabled, but no /etc/resolv.conf" # Empty the file in case it is included in named.conf [ -s "${_named_confdir}/auto_forward.conf" ] && create_file ${_named_confdir}/auto_forward.conf ${checkconf} ${named_conf} || err 3 'named-checkconf for ${named_conf} failed' return fi create_file /var/run/naf-resolv.conf create_file /var/run/auto_forward.conf echo ' forwarders {' > /var/run/auto_forward.conf while read line; do case "${line}" in 'nameserver '*|'nameserver '*) nsip=${line##nameserver[ ]} if [ -z "${firstns}" ]; then if [ ! "${nsip}" = '127.0.0.1' ]; then echo 'nameserver 127.0.0.1' echo " ${nsip};" >> /var/run/auto_forward.conf fi firstns=1 else [ "${nsip}" = '127.0.0.1' ] && continue echo " ${nsip};" >> /var/run/auto_forward.conf fi ;; esac echo ${line} done < /etc/resolv.conf > /var/run/naf-resolv.conf echo ' };' >> /var/run/auto_forward.conf echo '' >> /var/run/auto_forward.conf if checkyesno named_auto_forward_only; then echo " forward only;" >> /var/run/auto_forward.conf else echo " forward first;" >> /var/run/auto_forward.conf fi if cmp -s /etc/resolv.conf /var/run/naf-resolv.conf; then unlink /var/run/naf-resolv.conf else [ -e /etc/resolv.conf ] && unlink /etc/resolv.conf mv /var/run/naf-resolv.conf /etc/resolv.conf fi if cmp -s ${_named_confdir}/auto_forward.conf \ /var/run/auto_forward.conf; then unlink /var/run/auto_forward.conf else [ -e "${_named_confdir}/auto_forward.conf" ] && unlink ${_named_confdir}/auto_forward.conf mv /var/run/auto_forward.conf \ ${_named_confdir}/auto_forward.conf fi else # Empty the file in case it is included in named.conf [ -s "${_named_confdir}/auto_forward.conf" ] && create_file ${_named_confdir}/auto_forward.conf fi ${checkconf} ${named_conf} || err 3 "named-checkconf for ${named_conf} failed" } run_rc_command "$1" diff --git a/dns/bind918/Makefile b/dns/bind918/Makefile index 7e8706f62ca2..1e9a31a9ab57 100644 --- a/dns/bind918/Makefile +++ b/dns/bind918/Makefile @@ -1,231 +1,231 @@ # pkg-help formatted with fmt 59 63 PORTNAME= bind PORTVERSION= ${ISCVERSION:S/-P/P/:S/b/.b/:S/a/.a/:S/rc/.rc/} .if defined(BIND_TOOLS_SLAVE) # dns/bind-tools here PORTREVISION= 0 .else # dns/bind918 here -PORTREVISION= 0 +PORTREVISION= 1 .endif CATEGORIES= dns net MASTER_SITES= ISC/bind9/${ISCVERSION} .if defined(BIND_TOOLS_SLAVE) PKGNAMESUFFIX= -tools .else PKGNAMESUFFIX= 918 .endif DISTNAME= ${PORTNAME}-${ISCVERSION} MAINTAINER= mat@FreeBSD.org WWW= https://www.isc.org/bind/ .if defined(BIND_TOOLS_SLAVE) COMMENT= Command line tools from BIND: delv, dig, host, nslookup... .else COMMENT= BIND DNS suite with updated DNSSEC and DNS64 .endif # Uncomment when bind920 comes of age. +3 years if ESV, +1year otherwise, see # https://kb.isc.org/docs/aa-00896 # DEPRECATED= End of life, please migrate to a newer version of BIND9 # EXPIRATION_DATE= 2023-12-31 LICENSE= MPL20 LICENSE_FILE= ${WRKSRC}/LICENSE LIB_DEPENDS= libuv.so:devel/libuv \ libnghttp2.so:www/libnghttp2 \ libxml2.so:textproc/libxml2 .if !defined(BIND_TOOLS_SLAVE) RUN_DEPENDS= bind-tools>0:dns/bind-tools .endif USES= autoreconf compiler:c11 cpe libedit libtool pkgconfig ssl tar:xz # ISC releases things like 9.8.0-P1, which our versioning doesn't like ISCVERSION= 9.18.7 CPE_VENDOR= isc CPE_VERSION= ${ISCVERSION:C/-.*//} .if ${ISCVERSION:M*-*} CPE_UPDATE= ${ISCVERSION:C/.*-//:tl} .endif GNU_CONFIGURE= yes CONFIGURE_ARGS= --disable-linux-caps \ --localstatedir=/var \ --sysconfdir=${ETCDIR} \ --with-dlopen=yes \ --with-libxml2 \ --with-openssl=${OPENSSLBASE} \ --enable-dnsrps \ --with-readline=libedit CONFIGURE_ENV= READLINE_CFLAGS="-L${LOCALBASE}/lib" ETCDIR= ${PREFIX}/etc/namedb .if defined(BIND_TOOLS_SLAVE) EXTRA_PATCHES= ${PATCHDIR}/extrapatch-bind-tools CONFIGURE_ARGS+= --libdir=${PREFIX}/lib/bind-tools .else USE_RC_SUBR= named SUB_FILES= named.conf pkg-message EXTRA_PATCHES= ${PATCHDIR}/extrapatch-no-bind-tools PORTDOCS= * CONFLICTS= bind911 bind916 bind9-devel .endif # BIND_TOOLS_SLAVE MAKE_JOBS_UNSAFE= yes OPTIONS_DEFAULT= GSSAPI_NONE IDN JSON LMDB MANPAGES \ TCP_FASTOPEN DNSTAP OPTIONS_DEFINE= DNSTAP DOCS FIXED_RRSET GEOIP IDN JSON LARGE_FILE LMDB \ MANPAGES OVERRIDECACHE QUERYTRACE \ START_LATE TCP_FASTOPEN OPTIONS_SINGLE= GSSAPI OPTIONS_SINGLE_GSSAPI= GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT GSSAPI_NONE .if defined(BIND_TOOLS_SLAVE) OPTIONS_EXCLUDE= DNSTAP DOCS GEOIP LMDB \ OVERRIDECACHE QUERYTRACE START_LATE \ TCP_FASTOPEN .endif # BIND_TOOLS_SLAVE OPTIONS_SUB= yes DNSTAP_DESC= Provides fast passive logging of DNS messages FIXED_RRSET_DESC= Enable fixed rrset ordering GSSAPI_BASE_DESC= Using Heimdal in base GSSAPI_HEIMDAL_DESC= Using security/heimdal GSSAPI_MIT_DESC= Using security/krb5 GSSAPI_NONE_DESC= Disable LARGE_FILE_DESC= 64-bit file support LMDB_DESC= Use LMDB for zone management OVERRIDECACHE_DESC= Use the override-cache patch QUERYTRACE_DESC= Enable the very verbose query tracelogging START_LATE_DESC= Start BIND late in the boot process (see help) TCP_FASTOPEN_DESC= RFC 7413 support DOCS_ALL_TARGET= all html DOCS_BUILD_DEPENDS= sphinx-build:textproc/py-sphinx \ ${PYTHON_PKGNAMEPREFIX}sphinx_rtd_theme>0:textproc/py-sphinx_rtd_theme@${PY_FLAVOR} DOCS_USES= gmake python:env DNSTAP_CONFIGURE_ENABLE= dnstap DNSTAP_LIB_DEPENDS= libfstrm.so:devel/fstrm \ libprotobuf-c.so:devel/protobuf-c FIXED_RRSET_CONFIGURE_ENABLE= fixed-rrset GEOIP_CONFIGURE_ENABLE= geoip GEOIP_CONFIGURE_WITH= maxminddb GEOIP_LIB_DEPENDS= libmaxminddb.so:net/libmaxminddb GSSAPI_BASE_CONFIGURE_ON= --with-gssapi="${KRB5CONFIG}" \ ${GSSAPI_CONFIGURE_ARGS} GSSAPI_BASE_USES= gssapi GSSAPI_HEIMDAL_CONFIGURE_ON= --with-gssapi="${KRB5CONFIG}" \ ${GSSAPI_CONFIGURE_ARGS} GSSAPI_HEIMDAL_USES= gssapi:heimdal GSSAPI_MIT_CONFIGURE_ON= --with-gssapi="${KRB5CONFIG}" \ ${GSSAPI_CONFIGURE_ARGS} GSSAPI_MIT_USES= gssapi:mit GSSAPI_NONE_CONFIGURE_ON= --without-gssapi IDN_CONFIGURE_OFF= --without-libidn2 IDN_CONFIGURE_ON= ${ICONV_CONFIGURE_BASE} \ --with-libidn2=${LOCALBASE} IDN_LIB_DEPENDS= libidn2.so:dns/libidn2 IDN_USES= iconv JSON_CONFIGURE_WITH= json-c JSON_LIB_DEPENDS= libjson-c.so:devel/json-c JSON_LDFLAGS= -L${LOCALBASE}/lib -ljson-c LARGE_FILE_CONFIGURE_ENABLE= largefile LMDB_CONFIGURE_WITH= lmdb=${LOCALBASE} LMDB_LIB_DEPENDS= liblmdb.so:databases/lmdb MANPAGES_BUILD_DEPENDS= sphinx-build:textproc/py-sphinx MANPAGES_USES= gmake OVERRIDECACHE_EXTRA_PATCHES= ${FILESDIR}/extrapatch-bind-min-override-ttl QUERYTRACE_CONFIGURE_ENABLE= querytrace START_LATE_SUB_LIST= NAMED_BEFORE="LOGIN" \ NAMED_REQUIRE="SERVERS cleanvar" START_LATE_SUB_LIST_OFF= NAMED_BEFORE="SERVERS" \ NAMED_REQUIRE="NETWORKING ldconfig syslogd" TCP_FASTOPEN_CONFIGURE_ENABLE= tcp-fastopen .include .if defined(WITH_DEBUG) CONFIGURE_ARGS+= --enable-developer \ --enable-symtable USES+= perl5 USE_PERL5= build BUILD_DEPENDS+= cmocka>0:sysutils/cmocka .endif .if !${PORT_OPTIONS:MMANMAGES} && !${PORT_OPTIONS:MDOCS} CONFIGURE_ENV+= ac_cv_path_SPHINX_BUILD=no .endif .include .if ${SSL_DEFAULT} == base SUB_LIST+= ENGINES=/usr/lib/engines .else SUB_LIST+= ENGINES=${LOCALBASE}/lib/engines .endif post-patch: .for FILE in check/named-checkconf.rst named/named.rst nsupdate/nsupdate.rst \ rndc/rndc.rst @${REINPLACE_CMD} -e 's#/etc/named.conf#${ETCDIR}/named.conf#g' \ -e 's#/etc/rndc.conf#${ETCDIR}/rndc.conf#g' \ -e "s#/var\/run\/named\/named.pid#/var/run/named/pid#" \ ${WRKSRC}/bin/${FILE} .endfor .if !defined(BIND_TOOLS_SLAVE) post-install: ${MKDIR} ${STAGEDIR}${PREFIX}/etc/mtree ${MKDIR} ${STAGEDIR}${ETCDIR} . for i in dynamic primary secondary working @${MKDIR} ${STAGEDIR}${ETCDIR}/$i . endfor ${INSTALL_DATA} ${WRKDIR}/named.conf ${STAGEDIR}${ETCDIR}/named.conf.sample ${INSTALL_DATA} ${FILESDIR}/named.root ${STAGEDIR}${ETCDIR} ${INSTALL_DATA} ${FILESDIR}/empty.db ${STAGEDIR}${ETCDIR}/primary ${INSTALL_DATA} ${FILESDIR}/localhost-forward.db ${STAGEDIR}${ETCDIR}/primary ${INSTALL_DATA} ${FILESDIR}/localhost-reverse.db ${STAGEDIR}${ETCDIR}/primary ${INSTALL_DATA} ${FILESDIR}/BIND.chroot.dist ${STAGEDIR}${PREFIX}/etc/mtree/BIND.chroot.dist.sample ${INSTALL_DATA} ${FILESDIR}/BIND.chroot.local.dist ${STAGEDIR}${PREFIX}/etc/mtree/BIND.chroot.local.dist.sample post-install-DOCS-on: ${MKDIR} ${STAGEDIR}${DOCSDIR}/arm ${INSTALL_DATA} ${WRKSRC}/CHANGES* \ ${WRKSRC}/README.md ${STAGEDIR}${DOCSDIR} cd ${WRKSRC}/doc/arm/_build/html && ${COPYTREE_SHARE} . ${STAGEDIR}${DOCSDIR}/arm .else do-install: for dir in bin lib doc/man; do \ (cd ${INSTALL_WRKSRC}/$$dir && ${SETENV} ${MAKE_ENV} ${FAKEROOT} ${MAKE_CMD} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} ${INSTALL_TARGET}) ; \ done @${RM} -r ${STAGEDIR}${PREFIX}/include .endif # BIND_TOOLS_SLAVE .include diff --git a/dns/bind918/files/named.in b/dns/bind918/files/named.in index 8a614f6256a5..fb2a9453ad42 100644 --- a/dns/bind918/files/named.in +++ b/dns/bind918/files/named.in @@ -1,452 +1,452 @@ #!/bin/sh # PROVIDE: named # REQUIRE: %%NAMED_REQUIRE%% # BEFORE: %%NAMED_BEFORE%% # KEYWORD: shutdown # # Add the following lines to /etc/rc.conf to enable BIND: # named_enable (bool): Run named, the DNS server (or NO). # named_program (str): Path to named, if you want a different one. # named_conf (str): Path to the configuration file # named_flags (str): Use this for flags OTHER than -u and -c # named_uid (str): User to run named as # named_chrootdir (str): Chroot directory (or "" not to auto-chroot it) # Historically, was /var/named # named_chroot_autoupdate (bool): Automatically install/update chrooted # components of named. # named_symlink_enable (bool): Symlink the chrooted pid file # named_wait (bool): Wait for working name service before exiting # named_wait_host (str): Hostname to check if named_wait is enabled # named_auto_forward (str): Set up forwarders from /etc/resolv.conf # named_auto_forward_only (str): Do "forward only" instead of "forward first" # . /etc/rc.subr name=named desc="named BIND startup script" rcvar=named_enable load_rc_config ${name} extra_commands=reload start_precmd=named_prestart start_postcmd=named_poststart reload_cmd=named_reload stop_cmd=named_stop stop_postcmd=named_poststop named_enable=${named_enable:-"NO"} named_program=${named_program:-"%%PREFIX%%/sbin/named"} named_conf=${named_conf:-"%%ETCDIR%%/named.conf"} named_flags=${named_flags:-""} named_uid=${named_uid:-"bind"} named_chrootdir=${named_chrootdir:-""} named_chroot_autoupdate=${named_chroot_autoupdate:-"YES"} named_symlink_enable=${named_symlink_enable:-"YES"} named_wait=${named_wait:-"NO"} named_wait_host=${named_wait_host:-"localhost"} named_auto_forward=${named_auto_forward:-"NO"} named_auto_forward_only=${named_auto_forward_only:-"NO"} # Not configuration variables but having them here keeps rclint happy required_dirs="${named_chrootdir}" _named_confdirroot="${named_conf%/*}" _named_confdir="${named_chrootdir}${_named_confdirroot}" _named_program_root="${named_program%/sbin/named}" _openssl_engines="%%ENGINES%%" # Needed if named.conf and rndc.conf are moved or if rndc.conf is used rndc_conf=${rndc_conf:-"$_named_confdir/rndc.conf"} rndc_key=${rndc_key:-"$_named_confdir/rndc.key"} # If running in a chroot cage, ensure that the appropriate files # exist inside the cage, as well as helper symlinks into the cage # from outside. # # As this is called after the is_running and required_dir checks # are made in run_rc_command(), we can safely assume ${named_chrootdir} # exists and named isn't running at this point (unless forcestart # is used). # chroot_autoupdate() { local file # If it's the first time around, fiddle with things and move the # current configuration to the chroot. if [ -d ${_named_confdirroot} -a ! -d ${_named_confdir} ]; then warn "named chroot: Moving current configuration in the chroot!" install -d ${_named_confdir%/*} mv ${_named_confdirroot} ${_named_confdir} fi # Create (or update) the chroot directory structure # if [ -r %%PREFIX%%/etc/mtree/BIND.chroot.dist ]; then mtree -deU -f %%PREFIX%%/etc/mtree/BIND.chroot.dist \ -p ${named_chrootdir} else warn "%%PREFIX%%/etc/mtree/BIND.chroot.dist missing," warn "${named_chrootdir} directory structure not updated" fi if [ -r %%PREFIX%%/etc/mtree/BIND.chroot.local.dist ]; then mkdir -p ${named_chrootdir}%%PREFIX%% mtree -deU -f %%PREFIX%%/etc/mtree/BIND.chroot.local.dist \ -p ${named_chrootdir}%%PREFIX%% else warn "%%PREFIX%%/etc/mtree/BIND.chroot.local.dist missing," warn "${named_chrootdir}%%PREFIX%% directory structure not updated" fi # Create (or update) the configuration directory symlink # if [ ! -L "${_named_confdirroot}" ]; then if [ -d "${_named_confdirroot}" ]; then warn "named chroot: ${_named_confdirroot} is a directory!" elif [ -e "${_named_confdirroot}" ]; then warn "named chroot: ${_named_confdirroot} exists!" else ln -s ${_named_confdir} ${_named_confdirroot} fi else # Make sure it points to the right place. ln -shf ${_named_confdir} ${_named_confdirroot} fi # Mount a devfs in the chroot directory if needed # if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then umount ${named_chrootdir}/dev 2>/dev/null devfs_domount ${named_chrootdir}/dev devfsrules_hide_all devfs -m ${named_chrootdir}/dev rule apply path null unhide devfs -m ${named_chrootdir}/dev rule apply path random unhide else if [ -c ${named_chrootdir}/dev/null -a \ -c ${named_chrootdir}/dev/random ]; then info "named chroot: using pre-mounted devfs." else err 1 "named chroot: devfs cannot be mounted from " \ "within a jail. Thus a chrooted named cannot " \ "be run from within a jail. Either mount the " \ "devfs with null and random from the host, or " \ "run named without chrooting it, set " \ "named_chrootdir=\"\" in /etc/rc.conf." fi fi # The OpenSSL engines and BIND9 plugins should be present in the # chroot, named loads them after chrooting. null_mount_or_copy ${_openssl_engines} null_mount_or_copy %%PREFIX%%/lib/bind # Copy and/or update key files to the chroot /etc # for file in localtime protocols services; do if [ -r /etc/${file} ] && \ ! cmp -s /etc/${file} "${named_chrootdir}/etc/${file}"; then cp -p /etc/${file} "${named_chrootdir}/etc/${file}" fi done } # Make symlinks to the correct pid file # make_symlinks() { checkyesno named_symlink_enable && ln -fs "${named_chrootdir}${pidfile}" ${pidfile} && ln -fs "${named_chrootdir}${sessionkeyfile}" ${sessionkeyfile} } named_poststart() { make_symlinks if checkyesno named_wait; then until ${_named_program_root}/bin/host ${named_wait_host} >/dev/null 2>&1; do echo " Waiting for nameserver to resolve ${named_wait_host}" sleep 1 done fi } named_reload() { # This is a one line function, but ${named_program} is not defined early # enough to be there when the reload_cmd variable is defined up there. rndc reload } find_pidfile() { if get_pidfile_from_conf pid-file ${named_conf}; then pidfile="${_pidfile_from_conf}" else pidfile="/var/run/named/pid" fi } find_sessionkeyfile() { if get_pidfile_from_conf session-keyfile ${named_conf}; then sessionkeyfile="${_pidfile_from_conf}" else sessionkeyfile="/var/run/named/session.key" fi } named_stop() { find_pidfile # This duplicates an undesirably large amount of code from the stop # routine in rc.subr in order to use rndc to shut down the process, # and to give it a second chance in case rndc fails. rc_pid=$(check_pidfile ${pidfile} ${command}) if [ -z "${rc_pid}" ]; then [ -n "${rc_fast}" ] && return 0 _run_rc_notrunning return 1 fi echo 'Stopping named.' if rndc stop; then wait_for_pids ${rc_pid} else echo -n 'rndc failed, trying kill: ' kill -TERM ${rc_pid} wait_for_pids ${rc_pid} fi } named_poststop() { if [ -n "${named_chrootdir}" ]; then null_umount %%PREFIX%%/lib/bind null_umount ${_openssl_engines} if [ -c ${named_chrootdir}/dev/null ]; then # unmount /dev if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then umount ${named_chrootdir}/dev 2>/dev/null || true else warn "named chroot:" \ "cannot unmount devfs from inside jail!" fi fi fi } can_mount() { local kld kld=$1 if ! load_kld $kld; then return 1 fi if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ] || [ `${SYSCTL_N} security.jail.mount_allowed` -eq 1 ] || [ `${SYSCTL_N} security.jail.mount_${kld}_allowed` -eq 1 ] ; then return 0 fi return 1 } null_mount_or_copy() { local dir dir=$1 if [ -d ${dir} ]; then mkdir -p ${named_chrootdir}${dir} if can_mount nullfs ; then mount -t nullfs ${dir} ${named_chrootdir}${dir} else warn "named chroot: cannot nullfs mount OpenSSL" \ "engines into the chroot, will copy the shared" \ "libraries instead." cp -f ${dir}/*.so ${named_chrootdir}${dir} fi fi } null_umount() { local dir dir=$1 if [ -d ${dir} ]; then if can_mount nullfs; then umount ${named_chrootdir}${dir} fi fi } create_file() { if [ -e "$1" ]; then unlink $1 fi install -o root -g wheel -m 0644 /dev/null $1 } rndc() { if [ -z "${rndc_flags}" ]; then if [ -s "${rndc_conf}" ] ; then rndc_flags="-c ${rndc_conf}" elif [ -s "${rndc_key}" ] ; then rndc_flags="-k ${rndc_key}" else rndc_flags="" fi fi ${_named_program_root}/sbin/rndc ${rndc_flags} "$@" } named_prestart() { + # Is the user using a sandbox? + # + if [ -n "${named_chrootdir}" ]; then + rc_flags="${rc_flags} -t ${named_chrootdir}" + checkyesno named_chroot_autoupdate && chroot_autoupdate + + case "${altlog_proglist}" in + *named*) + ;; + *) + warn 'Using chroot without setting altlog_proglist, logging may not' + warn 'work correctly. Run sysrc altlog_proglist+=named' + ;; + esac + else + named_symlink_enable=NO + fi + find_pidfile find_sessionkeyfile if [ -n "${named_pidfile}" ]; then warn 'named_pidfile: now determined from the conf file' fi if [ -n "${named_sessionkeyfile}" ]; then warn 'named_sessionkeyfile: now determined from the conf file' fi piddir=`/usr/bin/dirname ${pidfile}` if [ ! -d ${piddir} ]; then install -d -o ${named_uid} -g ${named_uid} ${piddir} fi sessionkeydir=`/usr/bin/dirname ${sessionkeyfile}` if [ ! -d ${sessionkeydir} ]; then install -d -o ${named_uid} -g ${named_uid} ${sessionkeydir} fi command_args="-u ${named_uid:=root} -c ${named_conf} ${command_args}" local line nsip firstns - # Is the user using a sandbox? - # - if [ -n "${named_chrootdir}" ]; then - rc_flags="${rc_flags} -t ${named_chrootdir}" - checkyesno named_chroot_autoupdate && chroot_autoupdate - - case "${altlog_proglist}" in - *named*) - ;; - *) - warn 'Using chroot without setting altlog_proglist, logging may not' - warn 'work correctly. Run sysrc altlog_proglist+=named' - ;; - esac - else - named_symlink_enable=NO - fi - # Create an rndc.key file for the user if none exists # confgen_command="${_named_program_root}/sbin/rndc-confgen -a -b256 -u ${named_uid} \ -c ${_named_confdir}/rndc.key" if [ -s "${_named_confdir}/rndc.conf" ]; then unset confgen_command fi if [ -s "${_named_confdir}/rndc.key" ]; then case `stat -f%Su ${_named_confdir}/rndc.key` in root|${named_uid}) ;; *) ${confgen_command} ;; esac else ${confgen_command} fi local checkconf checkconf="${_named_program_root}/bin/named-checkconf" if ! checkyesno named_chroot_autoupdate && [ -n "${named_chrootdir}" ]; then checkconf="${checkconf} -t ${named_chrootdir}" fi # Create a forwarder configuration based on /etc/resolv.conf if checkyesno named_auto_forward; then if [ ! -s /etc/resolv.conf ]; then warn "named_auto_forward enabled, but no /etc/resolv.conf" # Empty the file in case it is included in named.conf [ -s "${_named_confdir}/auto_forward.conf" ] && create_file ${_named_confdir}/auto_forward.conf ${checkconf} ${named_conf} || err 3 'named-checkconf for ${named_conf} failed' return fi create_file /var/run/naf-resolv.conf create_file /var/run/auto_forward.conf echo ' forwarders {' > /var/run/auto_forward.conf while read line; do case "${line}" in 'nameserver '*|'nameserver '*) nsip=${line##nameserver[ ]} if [ -z "${firstns}" ]; then if [ ! "${nsip}" = '127.0.0.1' ]; then echo 'nameserver 127.0.0.1' echo " ${nsip};" >> /var/run/auto_forward.conf fi firstns=1 else [ "${nsip}" = '127.0.0.1' ] && continue echo " ${nsip};" >> /var/run/auto_forward.conf fi ;; esac echo ${line} done < /etc/resolv.conf > /var/run/naf-resolv.conf echo ' };' >> /var/run/auto_forward.conf echo '' >> /var/run/auto_forward.conf if checkyesno named_auto_forward_only; then echo " forward only;" >> /var/run/auto_forward.conf else echo " forward first;" >> /var/run/auto_forward.conf fi if cmp -s /etc/resolv.conf /var/run/naf-resolv.conf; then unlink /var/run/naf-resolv.conf else [ -e /etc/resolv.conf ] && unlink /etc/resolv.conf mv /var/run/naf-resolv.conf /etc/resolv.conf fi if cmp -s ${_named_confdir}/auto_forward.conf \ /var/run/auto_forward.conf; then unlink /var/run/auto_forward.conf else [ -e "${_named_confdir}/auto_forward.conf" ] && unlink ${_named_confdir}/auto_forward.conf mv /var/run/auto_forward.conf \ ${_named_confdir}/auto_forward.conf fi else # Empty the file in case it is included in named.conf [ -s "${_named_confdir}/auto_forward.conf" ] && create_file ${_named_confdir}/auto_forward.conf fi ${checkconf} ${named_conf} || err 3 "named-checkconf for ${named_conf} failed" } run_rc_command "$1"