install sample configs and switch to running as _bind uid

2014-08-22 20:32:13 +00:00 · 2014-08-22 20:32:13 +00:00 · 2f2ec0320e
commit 2f2ec0320e
parent 04b65240f3
9 changed files with 246 additions and 7 deletions
--- a/net/isc-bind/Makefile
+++ b/net/isc-bind/Makefile
@ -1,8 +1,9 @@
-# $OpenBSD: Makefile,v 1.28 2014/06/11 22:44:05 sthen Exp $
+# $OpenBSD: Makefile,v 1.29 2014/08/22 20:32:13 sthen Exp $

 COMMENT=	Berkeley Internet Name Daemon: DNS server and tools

 V=		9.10.0-P2
+REVISION=	0
 DISTNAME=	bind-$V
 PKGNAME=	isc-bind-${V:S/-P/pl/}

@ -63,4 +64,8 @@ pre-test:
 post-test:
 	cd ${WRKSRC}/bin/tests/system && ${SUDO} ./ifconfig.sh down

+post-install:
+	cd ${FILESDIR}; ${INSTALL_DATA} localhost loopback loopback6.arpa \
+	    named.conf root.hint ${PREFIX}/share/examples/bind9/
+
 .include <bsd.port.mk>
--- a/net/isc-bind/files/localhost
+++ b/net/isc-bind/files/localhost
@ -0,0 +1,15 @@
+; $OpenBSD: localhost,v 1.1 2014/08/22 20:32:13 sthen Exp $
+
+$ORIGIN localhost.
+$TTL 6h
+
+@	IN	SOA	localhost. root.localhost. (
+			1	; serial
+			1h	; refresh
+			30m	; retry
+			7d	; expiration
+			1h )	; minimum
+
+		NS	localhost.
+		A	127.0.0.1
+		AAAA	::1
--- a/net/isc-bind/files/loopback
+++ b/net/isc-bind/files/loopback
@ -0,0 +1,14 @@
+; $OpenBSD: loopback,v 1.1 2014/08/22 20:32:13 sthen Exp $
+
+$ORIGIN 127.in-addr.arpa.
+$TTL 6h
+
+@	IN	SOA	localhost. root.localhost. (
+			1	; serial
+			1h	; refresh
+			30m	; retry
+			7d	; expiration
+			1h )	; minimum
+
+		NS	localhost.
+1.0.0		PTR	localhost.
--- a/net/isc-bind/files/loopback6.arpa
+++ b/net/isc-bind/files/loopback6.arpa
@ -0,0 +1,14 @@
+; $OpenBSD: loopback6.arpa,v 1.1 2014/08/22 20:32:13 sthen Exp $
+
+$ORIGIN 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
+$TTL 6h
+
+@	IN	SOA	localhost. root.localhost. (
+			1	; serial
+			1h	; refresh
+			30m	; retry
+			7d	; expiration
+			1h )	; minimum
+
+		NS	localhost.
+		PTR	localhost.
--- a/net/isc-bind/files/named.conf
+++ b/net/isc-bind/files/named.conf
@ -0,0 +1,71 @@
+// $OpenBSD: named.conf,v 1.1 2014/08/22 20:32:13 sthen Exp $
+//
+// Example file for a simple named configuration, processing both
+// recursive and authoritative queries using one cache.
+
+
+// Update this list to include only the networks for which you want
+// to execute recursive queries. The default setting allows all hosts
+// on any IPv4 networks for which the system has an interface, and
+// the IPv6 localhost address.
+//
+acl clients {
+	localnets;
+	::1;
+};
+
+options {
+	version "";	// remove this to allow version queries
+
+	listen-on    { any; };
+	listen-on-v6 { any; };
+
+	empty-zones-enable yes;
+
+	allow-recursion { clients; };
+};
+
+logging {
+	category lame-servers { null; };
+};
+
+// Standard zones
+//
+zone "." {
+	type hint;
+	file "etc/root.hint";
+};
+
+zone "localhost" {
+	type master;
+	file "standard/localhost";
+	allow-transfer { localhost; };
+};
+
+zone "127.in-addr.arpa" {
+	type master;
+	file "standard/loopback";
+	allow-transfer { localhost; };
+};
+
+zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
+	type master;
+	file "standard/loopback6.arpa";
+	allow-transfer { localhost; };
+};
+
+
+// Master zones
+//
+//zone "myzone.net" {
+//	type master;
+//	file "master/myzone.net";
+//};
+
+// Slave zones
+//
+//zone "otherzone.net" {
+//	type slave;
+//	file "slave/otherzone.net";
+//	masters { 192.0.2.1; [...;] };
+//};
--- a/net/isc-bind/files/root.hint
+++ b/net/isc-bind/files/root.hint
@ -0,0 +1,90 @@
+;       This file holds the information on root name servers needed to
+;       initialize cache of Internet domain name servers
+;       (e.g. reference this file in the "cache  .  <file>"
+;       configuration file of BIND domain name servers).
+;
+;       This file is made available by InterNIC 
+;       under anonymous FTP as
+;           file                /domain/named.cache
+;           on server           FTP.INTERNIC.NET
+;       -OR-                    RS.INTERNIC.NET
+;
+;       last update:    June 2, 2014
+;       related version of root zone:   2014060201
+;
+; formerly NS.INTERNIC.NET
+;
+.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
+A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
+A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:BA3E::2:30
+;
+; FORMERLY NS1.ISI.EDU
+;
+.                        3600000      NS    B.ROOT-SERVERS.NET.
+B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
+B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:84::B
+;
+; FORMERLY C.PSI.NET
+;
+.                        3600000      NS    C.ROOT-SERVERS.NET.
+C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
+C.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2::C
+;
+; FORMERLY TERP.UMD.EDU
+;
+.                        3600000      NS    D.ROOT-SERVERS.NET.
+D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13
+D.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2D::D
+;
+; FORMERLY NS.NASA.GOV
+;
+.                        3600000      NS    E.ROOT-SERVERS.NET.
+E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
+;
+; FORMERLY NS.ISC.ORG
+;
+.                        3600000      NS    F.ROOT-SERVERS.NET.
+F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
+F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2F::F
+;
+; FORMERLY NS.NIC.DDN.MIL
+;
+.                        3600000      NS    G.ROOT-SERVERS.NET.
+G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
+;
+; FORMERLY AOS.ARL.ARMY.MIL
+;
+.                        3600000      NS    H.ROOT-SERVERS.NET.
+H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
+H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::803F:235
+;
+; FORMERLY NIC.NORDU.NET
+;
+.                        3600000      NS    I.ROOT-SERVERS.NET.
+I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
+I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7FE::53
+;
+; OPERATED BY VERISIGN, INC.
+;
+.                        3600000      NS    J.ROOT-SERVERS.NET.
+J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
+J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:C27::2:30
+;
+; OPERATED BY RIPE NCC
+;
+.                        3600000      NS    K.ROOT-SERVERS.NET.
+K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
+K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7FD::1
+;
+; OPERATED BY ICANN
+;
+.                        3600000      NS    L.ROOT-SERVERS.NET.
+L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
+L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:3::42
+;
+; OPERATED BY WIDE
+;
+.                        3600000      NS    M.ROOT-SERVERS.NET.
+M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
+M.ROOT-SERVERS.NET.      3600000      AAAA  2001:DC3::35
+; End of File
--- a/net/isc-bind/patches/patch-bin_named_include_named_globals_h
+++ b/net/isc-bind/patches/patch-bin_named_include_named_globals_h
@ -1,4 +1,4 @@
-$OpenBSD: patch-bin_named_include_named_globals_h,v 1.4 2014/05/01 20:19:25 sthen Exp $
+$OpenBSD: patch-bin_named_include_named_globals_h,v 1.5 2014/08/22 20:32:13 sthen Exp $
 --- bin/named/include/named/globals.h.orig	Mon Apr  7 23:02:19 2014
 +++ bin/named/include/named/globals.h	Sun Apr 13 22:38:25 2014
@@ -147,7 +147,7 @@ EXTERN const char *		lwresd_g_defaultpidfile INIT(NS_L
@ -6,7 +6,7 @@ $OpenBSD: patch-bin_named_include_named_globals_h,v 1.4 2014/05/01 20:19:25 sthe
 #endif
 
 -EXTERN const char *		ns_g_username		INIT(NULL);
-+EXTERN const char *		ns_g_username		INIT("named");
+EXTERN const char *		ns_g_username		INIT("_bind");
 
 #if defined(USE_PKCS11)
 EXTERN const char *		ns_g_engine		INIT(PKCS11_ENGINE);
--- a/net/isc-bind/pkg/PLIST
+++ b/net/isc-bind/pkg/PLIST
@ -1,5 +1,9 @@
-@comment $OpenBSD: PLIST,v 1.7 2014/05/01 20:19:25 sthen Exp $
+@comment $OpenBSD: PLIST,v 1.8 2014/08/22 20:32:13 sthen Exp $
@pkgpath net/isc-bind,ratelimit
+@newgroup _bind:741
+@newuser _bind:741:_bind:daemon:bind user:/nonexistent:/sbin/nologin
+@extra ${SYSCONFDIR}/rndc.key
+@extra ${LOCALSTATEDIR}/named/etc/rndc.key
 bin/bind9-config
@bin bin/delv
@bin bin/dig
@ -425,6 +429,32 @@ sbin/named-compilezone
@bin sbin/rndc-confgen
 sbin/tsig-keygen
 share/examples/bind9/
+@sample ${LOCALSTATEDIR}/named/
+@sample ${LOCALSTATEDIR}/named/master/
+@sample ${LOCALSTATEDIR}/named/standard/
+@group _bind
+@mode 750
+@sample ${LOCALSTATEDIR}/named/etc/
+@mode 775
+@sample ${LOCALSTATEDIR}/named/slave/
+@sample ${LOCALSTATEDIR}/named/tmp/
+@mode
+@group
 share/examples/bind9/bind.keys
@sample ${SYSCONFDIR}/bind.keys
+share/examples/bind9/localhost
+@sample ${LOCALSTATEDIR}/named/standard/localhost
+share/examples/bind9/loopback
+@sample ${LOCALSTATEDIR}/named/standard/loopback
+share/examples/bind9/loopback6.arpa
+@sample ${LOCALSTATEDIR}/named/standard/loopback6.arpa
+share/examples/bind9/named.conf
+@group _bind
+@mode 640
+@sample ${LOCALSTATEDIR}/named/etc/named.conf
+@mode
+share/examples/bind9/root.hint
+@group wheel
+@sample ${LOCALSTATEDIR}/named/etc/root.hint
+@group
@rcscript ${RCDIR}/isc_named
--- a/net/isc-bind/pkg/isc_named.rc
+++ b/net/isc-bind/pkg/isc_named.rc
@ -1,14 +1,14 @@
 #!/bin/sh
 #
-# $OpenBSD: isc_named.rc,v 1.2 2013/04/03 20:17:23 sthen Exp $
+# $OpenBSD: isc_named.rc,v 1.3 2014/08/22 20:32:13 sthen Exp $

 daemon="${TRUEPREFIX}/sbin/named"
-daemon_flags="-t ${LOCALSTATEDIR}/named -u named -U 4"
+daemon_flags="-t ${LOCALSTATEDIR}/named -u _bind -U 4"

 . /etc/rc.d/rc.subr

 rc_pre() {
-	if ! cmp -s /etc/rndc.key ${LOCALSTATEDIR}/named/etc/rndc.key ; then
+	if ! cmp -s ${SYSCONFDIR}/rndc.key ${LOCALSTATEDIR}/named/etc/rndc.key ; then
 		if ${TRUEPREFIX}/sbin/rndc-confgen -a -t ${LOCALSTATEDIR}/named \
 		    >/dev/null 2>&1; then
 			chmod 0640 ${LOCALSTATEDIR}/named/etc/rndc.key \