Package: unbound Version: 1.5.8-1 Dear maintainers,
On March 23rd, L-Root will stop responding on the old IPv6 address. Only the new IPv6 address will remain functional, see [1],[2] for details. Unbound upstream updated the builtin root.hints and I attached that patch for your convenience. Since those root.hints changes happen from time to time, I think Unbound could use the data provided by the dns-root-data package as it already does for the root.key file. Please find a patch that does that. One drawback of this is that if Unbound has a fresher builtin list than what's provided by dns-root-data, the builtin list would be ignored. It could be mitigated by editing the config file to use the builtin list if the unbound binary is more recent than the root.hints file. This would violate the principle of least surprise, so it is probably not a viable solution. Lastly, since I'm proposing to depend on dns-root-data, I also filed a bug against it regarding the L-Root IPv6 address change. Regards, Simon 1: http://seclists.org/nanog/2016/Mar/255 2: https://unbound.nlnetlabs.nl/pipermail/unbound-users/2016-March/004262.html
commit edb30a7f747fc0e4e784810b863e3822359ef6f6 Author: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9> Date: Thu Mar 10 08:23:46 2016 +0000 - Updated L root IPv6 address. git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@3652 be551aaa-1e26-0410-a405-d3ace91eadb9
diff --git a/doc/Changelog b/doc/Changelog
index 86408ad..9715218 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -3,6 +3,7 @@ 09 March 2016: Wouter - Updated configure and ltmain.sh. + - Updated L root IPv6 address. 07 March 2016: Wouter - Fix #747: assert in outnet_serviced_query_stop.
diff --git a/iterator/iter_hints.c b/iterator/iter_hints.c
index d7f8158..217dfa2 100644
--- a/iterator/iter_hints.c
+++ b/iterator/iter_hints.c
@@ -152,7 +152,7 @@ compile_time_root_prime(int do_ip4, int do_ip6)
 if(!ah(dp, "I.ROOT-SERVERS.NET.", "2001:7fe::53")) goto failed;
 if(!ah(dp, "J.ROOT-SERVERS.NET.", "2001:503:c27::2:30")) goto failed;
 if(!ah(dp, "K.ROOT-SERVERS.NET.", "2001:7fd::1")) goto failed;
- if(!ah(dp, "L.ROOT-SERVERS.NET.", "2001:500:3::42")) goto failed;
+ if(!ah(dp, "L.ROOT-SERVERS.NET.", "2001:500:9f::42")) goto failed;
 if(!ah(dp, "M.ROOT-SERVERS.NET.", "2001:dc3::35")) goto failed;
 }
 return dp;
--- /etc/init.d/unbound.orig 2016-03-15 12:09:30.958531716 -0400
+++ /etc/init.d/unbound 2016-03-15 12:37:10.875478269 -0400
@@ -30,6 +30,7 @@
 start)
 log_daemon_msg "Starting $DESC" "$NAME"
 $HELPER chroot_setup
+ $HELPER root_hints_update 2>&1 | logger -p daemon.info -t unbound-helper
 $HELPER root_trust_anchor_update 2>&1 | logger -p daemon.info -t unbound-anchor
 if start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --name $NAME --startas $DAEMON -- $DAEMON_OPTS; then
 $HELPER resolvconf_start
--- /usr/lib/unbound/package-helper.orig 2016-03-15 11:32:27.588251277 -0400
+++ /usr/lib/unbound/package-helper 2016-03-15 12:26:42.102740430 -0400
@@ -7,9 +7,13 @@
 DNS_ROOT_KEY_FILE="/usr/share/dns/root.key"
 ROOT_TRUST_ANCHOR_FILE="/var/lib/unbound/root.key"
+DNS_ROOT_HINTS_FILE="/usr/share/dns/root.hints"
+ROOT_HINTS_FILE="/var/lib/unbound/root.hints"
+
 # Override these variables by editing or creating /etc/default/unbound.
 RESOLVCONF="true"
 ROOT_TRUST_ANCHOR_UPDATE="true"
+ROOT_HINTS_UPDATE="true"
 if [ -f /etc/default/unbound ]; then
 . /etc/default/unbound
@@ -83,6 +87,23 @@
 fi
 }
+do_root_hints_update() {
+ if $ROOT_HINTS_UPDATE; then
+ if [ -n "$ROOT_HINTS_FILE" ]; then
+ if [ -r "$DNS_ROOT_HINTS_FILE" ]; then
+ if [ ! -e "$ROOT_HINTS_FILE" -o "$DNS_ROOT_HINTS_FILE" -nt "$ROOT_HINTS_FILE" ]; then
+ if [ ! -e "$ROOT_HINTS_FILE" ]; then
+ echo "$ROOT_HINTS_FILE does not exist, copying from $DNS_ROOT_HINTS_FILE"
+ elif [ "$DNS_ROOT_HINTS_FILE" -nt "$ROOT_HINTS_FILE" ]; then
+ echo "Overwriting older file $ROOT_HINTS_FILE with newer file $DNS_ROOT_HINTS_FILE"
+ fi
+ install -m 0644 "$DNS_ROOT_HINTS_FILE" "$ROOT_HINTS_FILE"
+ fi
+ fi
+ fi
+ fi
+}
+
 case "$1" in
 resolvconf_start)
 do_resolvconf_start
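Review bot: The `-nt` test in `do_root_hints_update` decides by mtime, but `install` stamps `$ROOT_HINTS_FILE` with the time of the copy while dpkg normally unpacks `$DNS_ROOT_HINTS_FILE` with the mtime recorded in the package, so a dns-root-data upgrade that was built before the last Unbound start can be skipped and the stale hints kept. The same test never repairs a local copy that was truncated or edited afterwards, because that file is then the newer one. Comparing content covers both cases and the missing-file case: `if ! cmp -s "$DNS_ROOT_HINTS_FILE" "$ROOT_HINTS_FILE"; then`, which also drops the `-o` form that POSIX marks obsolescent; the inner `elif` message would then read "differs from" rather than "older". When `$DNS_ROOT_HINTS_FILE` is not readable the function returns without output, so an `echo` on that branch would at least leave a line in the log.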
@@ -96,12 +117,16 @@
 do_chroot_setup
 ;;
+ root_hints_update)
+ do_root_hints_update
+ ;;
+
 root_trust_anchor_update)
 do_root_trust_anchor_update
 ;;
 *)
- echo "Usage: $0 {resolvconf_start|resolvconf_stop|chroot_setup|root_trust_anchor_update}" >&2
+ echo "Usage: $0 {resolvconf_start|resolvconf_stop|chroot_setup|root_hints_update|root_trust_anchor_update}" >&2
 exit 1
 ;;
 esac
--- /dev/null 2016-03-12 15:14:31.994972547 -0500
+++ /etc/unbound/unbound.conf.d/root-hints-file.conf 2016-03-15 12:34:06.474041351 -0400
@@ -0,0 +1,3 @@
+server:
+ # Set to "" to use the builtin hints
+ root-hints: "/var/lib/unbound/root.hints"
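Review bot: `root-hints:` in the new root-hints-file.conf points unconditionally at `/var/lib/unbound/root.hints`, but the helper writes that file only when `ROOT_HINTS_UPDATE` is true and `/usr/share/dns/root.hints` is readable, and none of the hunks shown adds the dns-root-data dependency the report proposes. If either condition is unmet on a fresh install the path does not exist, and Unbound presumably reports a hints error or refuses to start rather than falling back to the builtin list (worth confirming against the daemon). The init script cannot notice this, because the helper's exit status is lost in the pipe to `logger`. The comment in the file should state the coupling, for example `# Written at service start by package-helper when ROOT_HINTS_UPDATE is true; set to "" if that is disabled`.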