Description
Albert Holm
2006-03-31 06:16:25 UTC
Created attachment 83501 [details]
Ebuild for latest stable nsd.
Created attachment 83502 [details]
/files/nsd.initd, initscript for controlling nsd
Created attachment 83503 [details]
files/nsd.cron, script for cron.hourly for updating from master server
- Remove RESTRICT="nomirror"
- Please don't add no* use flags. The existing ones need to be changed some day.
- einstall is a hack for very broken install scripts, use "make DESTDIR=${D} install" if possible
- When you don't define RDEPEND, then RDEPEND==DEPEND, so autoconf would be a runtime dependency. Since both groff and autoconf are in the base profile anyway, you can just remove them from DEPEND.

Created attachment 83525 [details]
nsd-2.3.3.ebuild
This ebuild fixes all comments but "- einstall is a hack for very broken install scripts, use "make DESTDIR=${D} install" if possible". The install scripts are indeed very broken.
Created attachment 86164 [details, diff]
Solves the bug if -ipv6 use flag is used on NSD 2.3.4
This patch is for the latest stable NSD 2.3.4 where -ipv6 use flag is being used.
Created attachment 88177 [details]
Ebuild updated for recently released 2.3.5
The new 2.3.5 version that was released today fixes the ipv6 build bug and cleans up the makefile. It is now possible to install with "make DESTDIR=${D} install" instead of messing with einstall.
This is now in the sunrise overlay. You can find it at: http://gentoo-sunrise.org/svn/reviewed/net-dns/nsd
Add bugs, comments and everything here!
regards Martin

What about version 3 of nsd, which has been out for six months?

Created attachment 115976 [details]
nsd-3.0.5.ebuild
Here is an ebuild which seems to work with the latest nsd, 3.0.5.
I'd be glad to see this in portage, or at least in an overlay. Note that the 3.0.5 ebuild sets a default difffile and xfrdfile in /etc/nsd. They should probably be in /var/lib/nsd. zonesdir should probably also be in /var, so they can be updated, but I'm less certain of this.

> zonesdir should probably also be in
> /var, so they can be updated, but I'm less certain of this.

I'm not sure either. Zone files for the secondary name service in /var, OK, but for the primary, /etc seems more reasonable. How does BIND do it in Gentoo?
Created attachment 127685 [details]
nsd-3.0.5-r1.ebuild
Slightly modified ebuild for nsd 3.0.5, based on the ebuild in this bug and the ebuild in the Sunrise overlay for nsd 3.0.4.
* added nsec3 use flag
* removed plugins use flag from nsd 3.0.4 ebuild, since this functionality has already been removed upstream in 2006
* fixed installation of docs
Created attachment 127687 [details]
files/nsd.initd
Slightly modified initscript.
* added check, if /etc/nsd/nsd.conf exists
> I'm not sure either. Zone files for the secondary name service in /var, OK, but
> for the primary, /etc seems more reasonable. How does BIND do it in Gentoo?

The zone files for BIND are also located in /var. /etc/bind/pri is just a symlink to /var/bind/pri. So /var/lib/nsd should be fine for the zone files used by nsd.
Created attachment 127863 [details]
nsd-3.0.5.ebuild
Fixed another small typo (--with-xfrdfile).
Created attachment 135197 [details]
nsd-3.0.6.ebuild
new version, also some minor fixes and cleanups of non-existent use flags
Created attachment 136154 [details]
nsd-3.0.7.ebuild
Version bump to NSD 3.0.7 and some minor syntactical fixes in the ebuild.
Created attachment 144536 [details]
Modified ebuild
ssl flag: there is no support for SSL in DNS, only TSIG, and that is served by a separate flag. The --with-ssl option is needed only to specify where the OpenSSL libraries are located, so it was removed.
I don't know about tcpd: as far as I can see there is no internal support for it, so why should it be a USE flag?
I also modified the installation to place slave and master zones separately, as is done in the BIND ebuild.
There was also an error in the cron script. There is no need to update secondary zones explicitly; the server will do it automatically on TTL expiry or on notification from the master server. But, as the README says, NSD places all updates in a temporary database .diff file, to prevent data corruption, so we need to provide a cron script which will patch the database with the diff (the 'nsdc patch' command). I placed this script in docs, to let the user choose when to patch (or whether to patch at all).
I also modified the init.d script, adding config syntax checking for every major command (reload/rebuild/start/update) and a state check after start (the status command was renamed to state to prevent a conflict with a baselayout internal).
But my English is very bad (as you can see), so I tried to write some notes about the cron script, the old config file converter and the bind2nsd util, but they need to be rewritten.
There is also a problem with bind -> nsd conversion. There are three ways:
1) Copy the BIND zone file and try to modify it. But there are no examples! Whoever uses this, please make examples of zone files.
2) Use the nsd-xfer util, but the output is very ugly and needs some work to make it usable.
3) Use the bind2nsd util. But there is no ebuild for it.
Sorry for my bad English. Please, someone, check and rewrite the ebuild's texts =).
Created attachment 144540 [details]
Cron file. Patch against update
Created attachment 144542 [details]
Init.d script
(In reply to comment #19)
> I also modified the installation to place slave and master zones separately, as
> is done in the BIND ebuild.

Can 'zonesdir:' in nsd.conf have multiple values? If not, maybe rethink this.

> I also modified the init.d script, adding config syntax checking for every major
> command (reload/rebuild/start/update) and a state check after start (the status
> command was renamed to state to prevent a conflict with a baselayout internal).

Wondering about the use of "provide dns" in the init script. I'm wildly guessing that the "use dns" in other init scripts is more likely relying on a dnscache/resolver instead of an authoritative name server.

Also 3.0.8 is out.

Now we have: http://unbound.net/ version 1.0.0, first public release at: http://www.unbound.net/download.html
Would be nice to get an ebuild/maintainer for both of these NLNet apps.

Created attachment 160549 [details]
nsd-3.1.0.ebuild
New ebuild for nsd. Changes are:
- some ideas incorporated from ebuild by Night Nord
- new default locations for database and zone files as used by upstream
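Following the question in the reply to comment #19 (whether zonesdir: can take more than one value) and the separate master/slave layout from comment #19: in NSD 3 the server: block has a single zonesdir:, but each zone's zonefile: may be an absolute path, which is then used as-is instead of relative to zonesdir. The nsd.conf below is an example added here, not the ebuild's or NLnet Labs' file; the addresses, key name, secret and paths are constructed placeholders (the database/difffile/xfrdfile locations follow the --with-* defaults used in the 3.1.0 ebuild in this bug). It keeps the primary zone read-only under /etc and the secondary under /var/lib/nsd, with TSIG on NOTIFY and zone transfers:

```conf
# Added example nsd.conf for NSD 3.x (not from the ebuild or from NLnet Labs);
# addresses, key name, secret and paths are constructed placeholders.
server:
	ip-address: 192.0.2.53
	hide-version: yes
	username: nsd
	# A single data directory; only relative zonefile: paths are resolved here.
	# No chroot: is set, because the master zone below lives outside this tree.
	zonesdir: "/var/lib/nsd"
	# Compiled database and the transfer journal that 'nsdc patch' merges back.
	database: "/var/db/nsd/nsd.db"
	difffile: "/var/db/nsd/ixfr.db"
	xfrdfile: "/var/db/nsd/xfrd.state"
	pidfile: "/var/run/nsd/nsd.pid"

key:
	name: "xfr-key"
	# hmac-sha256 on 3.2.x; older 3.0.x releases only offer hmac-md5
	algorithm: hmac-sha256
	# base64 placeholder only; generate a real secret, e.g. openssl rand -base64 32
	secret: "c2VjcmV0LXBsYWNlaG9sZGVyLW5vdC1mb3ItdXNl"

# Primary zone: hand-maintained file under /etc, never written by nsd.
# Absolute zonefile: path, so zonesdir: does not apply.
zone:
	name: "example.com"
	zonefile: "/etc/nsd/master/example.com.zone"
	notify: 198.51.100.2 xfr-key
	provide-xfr: 198.51.100.2 xfr-key

# Secondary zone: relative path under zonesdir, rewritten by 'nsdc patch'
# after transfers are merged from the difffile into the database.
zone:
	name: "example.net"
	zonefile: "slave/example.net.zone"
	allow-notify: 198.51.100.2 xfr-key
	request-xfr: 198.51.100.2 xfr-key
```

With this layout the nsd user needs write access only to /var/lib/nsd/slave and /var/db/nsd; /etc/nsd can stay root-owned and read-only for the daemon. The key name must match on both ends, and the same key: block (with the same secret) goes into the peer's configuration.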
Created attachment 160560 [details]
nsd.initd
nsd init script, modifications:
- stripped down to the bare minimum; this is neither a replacement for nor a wrapper around nsdc, so it provides only what is actually needed for an initd script
- ready for openrc/baselayout-2 (added descriptions etc)
According to the nsd-3.1.0 release notes "NSD is now NSEC3 enabled by default. You can disable it by configuring NSD with --disable-nsec." Thus the USE flag nsec3 no longer works as expected in nsd-3.1.0.ebuild. Please consider the following changes to the latest nsd-3.1.0.ebuild to correct the nsec3 USE flag logic:

--- nsd-3.1.0.ebuild.orig 2008-07-16 21:06:53.000000000 +0300 +++ nsd-3.1.0.ebuild 2008-07-16 21:10:49.000000000 +0300 @@ -27,6 +27,10 @@ } src_compile() { + if ! use nsec3; then + myconf="${myconf} --disable-nsec3" + fi + econf \ --with-dbfile=/var/db/nsd/nsd.db \ --with-difffile=/var/db/nsd/ixfr.db \ @@ -37,11 +41,11 @@ $(use_enable dnssec) \ $(use_enable largefile) \ $(use_enable ipv6) \ - $(use_enable nsec3) \ $(use_enable nsid) \ $(use_enable root-server) \ $(use_enable runtime-checks checking) \ - $(use_enable tsig) || die "econf failed" + $(use_enable tsig) \ + ${myconf} || die "econf failed" emake || die "emake failed" }

I tested around a bit, but this doesn't change anything, since a USE flag is either set or unset (but never undefined). Because the nsec3 USE flag is unset by default, this would (just like my ebuild) disable nsec3 support without USE flag fiddling. Enabling the USE flag leaves nsec3 support up to the defaults of the upstream developers, but when they change this again, the user cannot change this behaviour by setting the USE flag, so the ebuild would need work again. To reflect the defaults of the upstream developers we would have to rename the flag to 'no-nsec3' or remove it altogether, and leave the user no choice. AFAIK dnssec was activated by default by upstream in the same way in some earlier release, so this USE flag would need the same treatment. As far as I'm concerned, leaving the current USE flag setup is sane, since nsd users (should) know when to enable these features, and nsd works great without nsec3 (and dnssec, for that matter).

Created attachment 160738 [details]
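Review bot: in the nsec3 patch above, the first hunk appends to `myconf` (`myconf="${myconf} --disable-nsec3"`) without initialising it, so a `myconf` inherited from the environment or set by another phase would be passed straight to econf in the second hunk; add `local myconf=""` at the top of src_compile, or use a distinct variable name. The release note quoted in the comment spells the switch `--disable-nsec` while the hunk passes `--disable-nsec3`; confirm the spelling against `./configure --help` for 3.1.0 before merging. Also note that `$(use_enable nsec3)`, which the second hunk removes, already emits `--disable-nsec3` when the flag is unset, so the only behavioural change is that an enabled flag now passes nothing and inherits upstream's default rather than forcing `--enable-nsec3`.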
nsd svn ebuild
nsd svn ebuild - nsd-9999.ebuild - based on Tom's new 3.1.0 ebuild
Created attachment 160739 [details, diff]
adds new "provides dnssrv" flag to nsd.initd depend
I use this in combination with a patched unbound initd file which adds "use dnssrv" to the depend section. It helps to make sure that nsd starts before unbound, which in my case also has a "provides dns", as inspection seems to indicate that the "dns" depend flag means a resolving/caching server and not an authoritative one (which is why I introduced "dnssrv").
In a small home or business network where you don't have 2 DNS servers and your authoritative server only handles your internal network you would want nsd to start before the caching/resolver.
OpenRC users may need to run "/lib/rc/bin/rc-depend -u" after making such changes.
Created attachment 160741 [details, diff]
oops...patch was backward
(In reply to comment #30)
> Created an attachment (id=160741) [edit]

See bug #223103 for the unbound initd patch.

There has been a vulnerability report for nsd: http://www.nlnetlabs.nl/publications/NSD_vulnerability_announcement.html
Version 3.2.2 is said to fix this vulnerability. Please verify that this issue is fixed before adding this package to gentoo-x86 and make sure it gets fixed in sunrise.

(In reply to comment #32)
> There has been a vulnerability report for nsd:
> http://www.nlnetlabs.nl/publications/NSD_vulnerability_announcement.html
>
> Version 3.2.2 is said to fix this vulnerability.

I attach a tested (on AMD64) ebuild for 3.2.2, as well as the patch you need to apply.

Created attachment 191948 [details]
An ebuild for nsd 3.2.2, tested on AMD64
Created attachment 191950 [details, diff]
A mandatory patch to nsd 3.2.2 (otherwise, installation fails)
From reports on the nsd mailing list, it is also necessary, at least for Fedora and OpenBSD.
There is an updated ebuild in sunrise, including the mentioned patch.

(In reply to comment #36)
> There is an updated ebuild in sunrise, including the mentioned patch.

Works like a charm! Unlike the attached patch, which does not install an init script.

NSD 3.2.4
Jan 6, 2010

Features
* Support DLV records.
* New option 'tcp-query-count:', to limit the maximum number of DNS queries on a single tcp connection.
* New option 'tcp-timeout:', to override the default tcp timeout. The option can also be set at build time, --with-tcp-timeout.
* New option 'notify-retry:', to configure how many times NSD should retry a NOTIFY message.
* New options 'ipv4-edns-size:' and 'ipv6-edns-size:', to set your preferred EDNS buffer size.

Bugfixes
* Bugfix #269: Additional c99 syntax.
* Bugfix #276: Zonec prints debug data to stderr.
* Bugfix #286: Document verbosity levels in nsd.conf manual page.
* Bugfix #288: Ignore SIGHUP to child processes.
* Fix typo in include file for setusercontext.

Operational notes
* UDP/IPv4 sockets have new options set that will disable the DF flag in IP packets.

Download: nsd-3.2.4.tar.gz
Checksum sha1: ca94d6c1e53c3ff9d46d3fc7ca56d43590a91a8f

Created attachment 216909 [details]
net-dns/nsd-3.2.4.ebuild
NSD 3.2.4.ebuild, as available in sunrise overlay.
Created attachment 216910 [details]
files/nsd.confd
Created attachment 216911 [details]
files/nsd.cron
Created attachment 216912 [details]
files/nsd.initd
Created attachment 260798 [details]
net-dns/nsd-3.2.7.ebuild
Latest version of NSD ebuild for nsd 3.2.7, as available in sunrise overlay.
Created attachment 260800 [details]
files/nsd.cron
Going to play with this some. Been using PowerDNS w/ LDAP, but as of 3.0, that is no longer supported/maintained and reverse IPv6 lookups are failing. Been looking for something else to try out.

(In reply to comment #45)
> Going to play with this some.

Feel free to grab the latest version (3.2.10) from sunrise. I'll update the version posted here later; maintaining updates in 2 locations is hard :/

Created attachment 305891 [details]
net-dns/nsd/nsd-3.2.10.ebuild
Created attachment 305893 [details]
files/nsd.initd
Created attachment 305945 [details]
nsd-3.2.10, modified for EAPI4, etc..
Attaching the version I've tweaked from your original 3.2.x one here. Major changes are:
- EAPI="4" and dropping the || die statements from internal ebuild commands
- Added dnssec-tools local USE to be used with nsec3 USE that makes ldns-utils required with USE examples, so that you get ldns-keygen, ldns-signzone, etc. I believe this wiki page is yours?: http://whyscream.net/wiki/index.php/Dnssec_howto_with_NSD_and_ldns
- Added USE mmap to use --enable-mmap if desired.
- Made nsec3 USE on by default (+nsec3 in IUSE, req EAPI4).

Seems to work well. I see you caught the deprecated $opts var in the init.d file, which I had in my local copy. Got most of my zone info converted from LDAP to the BIND format. Just doing research on using A6/DNAME over AAAA/PTR, then getting Unbound to work.

Should nsd's initd script provide dns? I figure it and unbound should be able to talk to each other.

(In reply to comment #50)
> Attaching the version I've tweaked from your original 3.2.x one here. Major
> changes are:
>
> - Added dnssec-tools local USE to be used with nsec3 USE that makes
> ldns-utils required with USE examples, so that you get ldns-keygen,
> ldns-signzone, etc. I believe this wiki page is yours?:
> http://whyscream.net/wiki/index.php/Dnssec_howto_with_NSD_and_ldns

Yes, the page is mine, but it is just an example. You can use any tool for DNSSEC support, even manual zone editing. (My own setup currently has manually edited zone files, which get signed by opendnssec; the result is served by nsd.) IMHO, defaulting to / advocating some sort of setup that encourages manual DNSSEC management is the wrong way to go: it's too complicated and too error-prone. Use opendnssec for signing, or some dns server that has dnssec features builtin/included (f.i. pdns).

> Seems to work well. I see you caught the deprecated $opts var in the init.d
> file, which I had in my local copy. Got most of my zone info converted from
> LDAP to the BIND format. Just doing research on using A6/DNAME over
> AAAA/PTR, then getting Unbound to work.
>
> Should nsd's initd script provide dns? I figure it and unbound should be
> able to talk to each other.

I was never satisfied with the opaque 'provide dns', since there is a major difference between providing resolving/caching dns (f.i. unbound) and authoritative dns (f.i. nsd). The latter provides no dns functionality whatsoever to the os, the former does. If you regard 'provide dns' as 'providing resolving/caching dns service to the current machine/os', then nsd should not have that in its init script. This is why I set the (bogus) 'provide auth-dns'.

I'm not sure this is the right place to report this, but nsd 3.2.10 is vulnerable to CVE-2012-2978. Updating the ebuild to 3.2.12 should fix this.

The modified/bumped ebuild has already been committed to sunrise, but it needs to be reviewed. The CVE was mentioned in the commit message. I'll see if I can find a dev to take this up a bit faster.

NSD 3.2.13 is available in sunrise. This resolves the security issues reported in VU#517036 / CVE-2012-2979.
Also note that most changes from comment #50 are incorporated in the sunrise ebuild.
@kumba maybe you can consider moving the nsd ebuild to the main portage tree now?

Hope to see this get into the official portage tree soon

I'll add nsd-4.0.0_beta3 to portage now, proxy-maintaining for Tom Hendrikx.

nsd-4.0.0_beta3 is in portage now. please test :)
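The init-script points raised in this bug (the config syntax check before start/reload/rebuild from comment #19, the check that /etc/nsd/nsd.conf exists from the modified initscript, and the preference for a service name other than the generic 'dns' from comment #30 and the reply above) can be put together in one OpenRC script. The script below is an example written here for NSD 3.x; it is not any of the files/nsd.initd attachments on this bug. The /usr/sbin paths, the NSD_* variable names and the 'auth-dns' service name (a local convention from the reply above, not something OpenRC defines) are assumptions; it relies only on nsdc and nsd-checkconf, which NSD 3 ships.

```sh
#!/sbin/openrc-run
# Added example OpenRC init script for NSD 3.x (not the ebuild's files/nsd.initd).
# Assumptions: nsd 3 installs nsdc and nsd-checkconf under /usr/sbin and the
# config lives at /etc/nsd/nsd.conf; all three can be overridden via the
# environment (or /etc/conf.d/nsd).

NSD_CONF=${NSD_CONF:-/etc/nsd/nsd.conf}
NSDC=${NSDC:-/usr/sbin/nsdc}
NSD_CHECKCONF=${NSD_CHECKCONF:-/usr/sbin/nsd-checkconf}

description="NSD authoritative name server"
extra_started_commands="reload rebuild"

depend() {
	need net
	after firewall
	# nsd only answers authoritative queries; it does not resolve for this
	# host, so it must not claim the generic 'dns' service that other scripts
	# 'use' to mean a local resolver/cache. A resolver that needs nsd up
	# first can say 'use auth-dns'.
	provide auth-dns
}

# Fall back to plain stderr output when the OpenRC helpers are not loaded,
# so checkconfig can also be exercised outside of openrc-run.
if ! command -v eerror >/dev/null 2>&1; then
	eerror() { echo "$*" >&2; }
fi

# Refuse to act on a missing config or on one that fails nsd-checkconf.
# Returns 0 when the config is usable, 1 otherwise.
checkconfig() {
	if [ ! -f "$NSD_CONF" ]; then
		eerror "$NSD_CONF does not exist"
		return 1
	fi
	if ! "$NSD_CHECKCONF" "$NSD_CONF"; then
		eerror "$NSD_CONF failed the syntax check"
		return 1
	fi
	return 0
}

start() {
	checkconfig || return 1
	ebegin "Starting nsd"
	"$NSDC" start
	eend $?
}

stop() {
	ebegin "Stopping nsd"
	"$NSDC" stop
	eend $?
}

# Re-read the compiled database; the config is checked first because nsdc
# itself reads nsd.conf to find the database and pidfile.
reload() {
	checkconfig || return 1
	ebegin "Reloading nsd"
	"$NSDC" reload
	eend $?
}

# Recompile the zone files into the database, then let nsd pick it up.
rebuild() {
	checkconfig || return 1
	ebegin "Rebuilding nsd database"
	"$NSDC" rebuild
	eend $?
}
```

Save it as /etc/init.d/nsd. Any script that wants to start after nsd adds `use auth-dns` to its own depend() block; after changing depend() entries, refresh the dependency cache (comment #30 mentions `/lib/rc/bin/rc-depend -u` for that).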