Exheredrey/packages/net-dns/bind/bind.exher
Jacob Hrbek d71f462f46
Experiment
Signed-off-by: Jacob Hrbek <kreyren@rixotstudio.cz>
2020-10-22 04:47:22 +02:00


# This file is a rewrite of 'bind.exlib' <https://gitlab.exherbo.org/exherbo/arbor/-/blob/895c462a12394ab984bdcd2808745023826300db/packages/net-dns/bind/bind.exlib>, originally licensed under GPLv2 <https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html>, with copyright:
# - Copyright 2008 Ingmar Vanhassel <ingmar@exherbo.org>
# - Copyright 2008-2016 Wulf C. Krueger <philantrop@exherbo.org>
# Changes made to this file in relation to mentioned original file are licensed under:
# Copyright (C) All rights reserved by Jacob Hrbek identified by GPG identifier assigned to the electronic mail <kreyren@rixotstudio.cz> according to the keyserver <https://keys.openpgp.org> in 19/10/2020-EU 13:30:08 CEST
# shellcheck shell=sh # Written to comply with POSIX IEEE 1003.1-2017
# shellcheck disable=SC2034 # FIXME(Krey): Provide source directory to metadata variables
# Phase functions this file provides; each one maps to a bind_<phase>() defined below.
export_exlib_phases pkg_setup src_prepare src_configure src_install pkg_postinst
BUGS_TO="kreyren+exheredrey@rixotstudio.cz"
SUMMARY="Berkeley Internet Name Domain"
DESCRIPTION="
The Berkeley Internet Name Domain (BIND) implements an Internet name server for
Unix operating systems. BIND consists of a server (or \`daemon') called \`named'
and a resolver library.
A name server is a network service that enables clients to name resources or objects
and share this information with other objects in the network.
"
DOMAIN="isc.org"
HOMEPAGE="https://www.$DOMAIN/software/$PN"
# NOTE(Krey): Matching against 'https://downloads.isc.org/isc/bind9/9.16.7/bind-9.16.7.tar.xz'
# FIXME(Krey): Implement checksum checking
# NOTE(review): no digest is recorded here for either the tarball or named.cache, so fetch
# integrity rests on TLS and on whatever manifest the consuming repository applies -- confirm.
# NOTE(review): MY_PV and MY_PNV are not assigned anywhere in this file; they are expected to
# come from the consuming exheres or the environment -- verify they are set before DOWNLOADS is evaluated.
# NOTE(Krey): Upstream supports ftp on <https://ftp.isc.org/>
DOWNLOADS="
https://downloads.$DOMAIN/isc/$PN${PV%%.*}/${MY_PV}/${MY_PNV}.tar.xz -> $PN-$PV.tar.xz
https://www.internic.net/domain/named.cache"
# The root hints file (named.cache) fetched above is installed into PALUDIS_BIND_DATA_DIR by bind_src_install().
UPSTREAM_DOCUMENTATION="
${HOMEPAGE%%/software/$PN}/downloads/$PN/doc [[ lang = en description = [ User manuals ] ]]
https://downloads.$DOMAIN/isc/bind9/$PV/doc/arm/Bv9ARM.pdf [[ lang = en description = [ Administrator Reference Manual (ARM) ] ]]"
UPSTREAM_RELEASE_NOTES="https://ftp.isc.org/isc/$PN${PV%%.*}/$PV/doc/arm/html/notes.html"
LICENCES="MPL-2.0"
SLOT="0"
# 'authoritative', 'recursive' and 'dnssec' shape the named.conf and zone files generated in
# bind_src_install(); 'dane' is accepted but not acted upon yet (see bind_pkg_setup()).
MYOPTIONS="
authoritative [[ description = [ Setup as authoritative server for provided domain(s) ] ]]
berkdb
caps
chroot [[ description = [ Configure to run in chroot() ] ]]
dane [[ description = [ Configure for DNS-based Authentication of Named Entities ] ]]
dnssec [[ description = [ Configure for DNSSEC ] ]]
geoip [[ description = [ ACLs can also be used for geographic access restrictions. ] ]]
idn
kerberos
recursive [[ description = [ Setup as recursive server (used as nameserver) ] ]]
ldap
mysql
postgresql
kerberos? ( ( providers: heimdal krb5 ) [[ number-selected = exactly-one ]] )
( providers: libressl openssl ) [[ number-selected = exactly-one ]]
"
# DNM(Krey): Process
# Tons of sandbox violations.
RESTRICT="test"
# group/bind and user/bind are pulled in as dependencies; note that bind_pkg_setup()
# nevertheless defaults PALUDIS_BIND_USER to 'root' and only PALUDIS_BIND_GROUP to 'bind'.
DEPENDENCIES="
build:
virtual/pkg-config
build+run:
dev-libs/json-c:=[>=0.11]
dev-libs/libuv[>=1.0.0]
dev-libs/libxml2:2.0[>=2.6.0]
sys-libs/zlib
berkdb? ( sys-libs/db:= )
caps? ( sys-libs/libcap[>=2.1.0] )
geoip? ( net-libs/libmaxminddb )
idn? ( net-dns/libidn2:= )
kerberos? (
providers:heimdal? ( app-crypt/heimdal )
providers:krb5? ( app-crypt/krb5 )
)
ldap? ( net-directory/openldap )
mysql? ( virtual/mysql )
postgresql? ( dev-db/postgresql-client )
providers:libressl? ( dev-libs/libressl:= )
providers:openssl? ( dev-libs/openssl[>=1.0.0] )
group/bind
user/bind
run:
net-dns/bind-tools[~${PV}][geoip=][idn=][kerberos=][providers:*=]
suggestion:
postgresql? ( dev-db/postgresql:* )
"
# Parallel make is not supported upstream
# FIXME-POSIX(Krey): Arrays are undefined in POSIX sh
DEFAULT_SRC_COMPILE_PARAMS=( -j1 )
# FIXME-POSIX(Krey): Arrays are undefined in POSIX sh
DEFAULT_SRC_INSTALL_EXTRA_DOCS=( KNOWN-DEFECTS )
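bind_pkg_setup() {
  # Export the PALUDIS_BIND_* variables consumed by the later phases, keeping any
  # value the end-user already provided and falling back to the defaults below.
  # DNM: Implement check for used kernel -- until then the 'true' branch is always
  # taken and the 'else' branch is unreachable.
  if true; then
    export PALUDIS_BIND_DATA_DIR="${PALUDIS_BIND_DATA_DIR:-/var/named}"
    export PALUDIS_BIND_ZONEFILE_DIR="${PALUDIS_BIND_ZONEFILE_DIR:-${PALUDIS_BIND_DATA_DIR}/master}"
    export PALUDIS_BIND_CONFDIR="${PALUDIS_BIND_CONFDIR:-/etc/$PN}"
    # PALUDIS_BIND_DATA_DIR is guaranteed non-empty by the export above, so no inner fallback is needed.
    export PALUDIS_BIND_KEYDIR="${PALUDIS_BIND_KEYDIR:-${PALUDIS_BIND_DATA_DIR}/keys}"
    # NOTE(review): the default owner is 'root' although user/bind is a dependency and
    # bind_src_install()'s own rndc-confgen fallback is 'bind'; the tmpfiles entry, the
    # ownership of secret.rndc-key and the recursive chown of the config/data directories
    # all follow this value.
    export PALUDIS_BIND_USER="${PALUDIS_BIND_USER:-root}"
    export PALUDIS_BIND_GROUP="${PALUDIS_BIND_GROUP:-bind}"
    ! option chroot || export PALUDIS_BIND_CHROOTDIR="${PALUDIS_BIND_CHROOTDIR:-/var/spool/named}"
    export PALUDIS_RANDOM_DEVICE="${PALUDIS_RANDOM_DEVICE:-/dev/random}"
    export PALUDIS_BIND_RUN_DIR="${PALUDIS_BIND_RUN_DIR:-/run/named}"
    export PALUDIS_HOSTNAME="${PALUDIS_HOSTNAME:-$(hostname)}"
  else
    # FIXME-QA(Krey): This outputs 'Kernel Linux is not implemeted...'
    # The fallback phase name is this function (bind_pkg_setup), not bind_pkg_postinst.
    case "$PALUDIS_LANG" in
      cs-*) die fixme "Downstream pro kernel '$(uname -s)' není implementován pro balíček '$PC/$PN-$PV::$PO' fáze '${FUNCNAME:-bind_pkg_setup}'" ;;
      en-*|*) die fixme "Downstream for kernel '$(uname -s)' is not implemented to handle '${FUNCNAME:-bind_pkg_setup}' phase of package $PC/$PN-$PV::$PO" ;;
    esac
  fi
  # FIXME(Krey): option 'dane' is accepted in MYOPTIONS but nothing acts on it yet.
  ! option dane || printf 'FIXME: %s\n' "Option 'dane' is not yet implemented.."
}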
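bind_src_prepare() {
  # Run the default exheres preparation first, then adjust the autotools inputs.
  default
  # FIXME(Krey): Report what upstream?
  # TODO: Report upstream
  # Drop configure.ac's AC_PATH_PROG(AR ...) probe.
  edo sed -i "/AC_PATH_PROG(AR/d" configure.ac
  # Point util/mksymtbl.pl at the tool-prefixed nm. The whole sed expression is one
  # double-quoted word so the prefix cannot be word-split or glob-expanded.
  edo sed -i "s/\"nm\"/\"$(exhost --tool-prefix)nm\"/" util/mksymtbl.pl
  eautoconf
}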
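bind_src_configure() {
  # DNM(Krey): What the fuck
  # Emit one "--<kind>-<switch>=yes|no" configure argument for an exheres option.
  # Arguments: $1 - switch kind ('with' or 'enable')
  #            $2 - exheres option name, queried with option()
  #            $3 - switch name (optional; defaults to optionfmt of $2)
  # Outputs:   the argument on stdout; econf below consumes it unquoted on purpose.
  myoption() {
    local switch
    switch="--$1-${3:-$(optionfmt "$2")}"
    if option "$2"; then
      printf '%s\n' "${switch}=yes"
    else
      printf '%s\n' "${switch}=no"
    fi
  }
  # DNM(Krey): paludis_pipe_command returned error 'E' with text 'OPTIONQ ID net-dns/bind-9.16.7:0::arbor has no choice named 'postgresql''
  # DNM(Krey): Add more options
  # - Should be resolved by adding 'postgresql' in MY_OPTIONS
  # --enable-isc-spnego: Bundled kerberos parts
  # NOTE(review): the note following this function says builds failed at runtime when
  # --with-pkcs11=no was passed, yet that switch is still passed here -- confirm which
  # of the two is stale before changing either.
  # 'geoip' feeds two switches: --enable/--disable-geoip via option_enable and
  # --with-maxminddb=yes|no via myoption.
  econf \
    --includedir="/usr/$(exhost --target)/include" \
    --localstatedir=/var \
    --sysconfdir="$PALUDIS_BIND_CONFDIR" \
    --enable-auto-validation \
    --enable-buffer-useinline \
    --enable-dnsrps \
    --enable-dnsrps-dl \
    --enable-isc-spnego=no \
    --enable-largefile=yes \
    --disable-dnstap \
    --disable-fips-mode \
    --disable-static \
    --with-dlz-filesystem=yes \
    --with-dlz-odbc=no \
    --with-dlz-stub=yes \
    --with-json-c \
    --with-libtool=yes \
    --with-libxml2=yes \
    --with-openssl="/usr/$(exhost --target)" \
    --with-pkcs11=no \
    --with-zlib \
    --without-cmocka \
    --without-lmdb \
    --without-python \
    $(option_enable caps linux-caps) \
    $(option_enable geoip) \
    $(myoption with berkdb dlz-bdb) \
    $(myoption with geoip maxminddb) \
    $(myoption with idn libidn2) \
    $(myoption with kerberos gssapi) \
    $(myoption with ldap dlz-ldap) \
    $(myoption with mysql dlz-mysql) \
    $(myoption with postgresql dlz-postgres)
}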
# Note to self or anyone who's going to work on bind: It will fail with a cryptic
# error ("RUNTIME_CHECK(dst_initialized == isc_boolean_true) failed") if you try
# to disable pkcs11 with either of the following switches:
# --with-pkcs11=no \
# --without-pkcs11 \
# *Not* using any switches turns pkcs11 off, though... Upstreams...
bind_src_install() {
# Install the build into ${IMAGE}, then generate the BIND configuration there:
# rndc.conf, secret.rndc-key and named.conf, plus -- with option 'authoritative' --
# one zone file per domain in PALUDIS_BIND_AUTH_DOMAIN. Reads the PALUDIS_BIND_*
# variables exported by bind_pkg_setup(); the *_PERMS, *_SOA_* and similar variables
# used below are optional end-user overrides with inline defaults.
default
# FIXME-QA(Krey): Check if this is needed as previous version was using /var/bind which is wrong
# Remove conflicts with bind-tools: these binaries and man pages are shipped by the
# net-dns/bind-tools run dependency.
# NOTE(review): 'local' and the array are not POSIX sh despite the shellcheck shell=sh directive.
local BIND_TOOL BIND_TOOLS=( delv.1 dig.1 host.1 nslookup.1 nsupdate.1 dnssec-keygen.8 )
for BIND_TOOL in "${BIND_TOOLS[@]}"; do
# ${BIND_TOOL%.*} is the tool name, ${BIND_TOOL#*.} its man section.
edo rm "${IMAGE}"/usr/$(exhost --target)/bin/${BIND_TOOL%.*}
edo rm "${IMAGE}"/usr/share/man/man${BIND_TOOL#*.}/${BIND_TOOL}
done
# NOTE(review): the '${IMAGE}/var' removal further down deletes the pri/sec directories
# created here whenever PALUDIS_BIND_DATA_DIR lives under /var (the default); only 'pri'
# is recreated by the later insinto/doins, 'sec' is not.
keepdir "$PALUDIS_BIND_CONFDIR" "$PALUDIS_BIND_DATA_DIR/pri" "$PALUDIS_BIND_DATA_DIR/sec"
edo chown "$PALUDIS_BIND_USER":"$PALUDIS_BIND_GROUP" "${IMAGE}/$PALUDIS_BIND_DATA_DIR/pri"
edo chown "$PALUDIS_BIND_USER":"$PALUDIS_BIND_GROUP" "${IMAGE}/$PALUDIS_BIND_DATA_DIR/sec"
# Install a basic configuration.
insinto "$PALUDIS_BIND_CONFDIR"
# documentation and a sample with everything bind can do.
dodoc "${WORKBASE}/$PNV/doc/misc/named.conf.rst"
newins "${WORKBASE}/$PNV/bin/tests/named.conf" named.conf.complex_sample
# Install the Administrator Reference Manual (ARM)
docinto Administrator_Reference_Manual
dodoc doc/arm/*.rst
docinto misc
dodoc doc/misc/*
# Creating a CONFIG_PROTECT file for PALUDIS_BIND_DATA_DIR
hereenvd 30bind <<-PROTECT
CONFIG_PROTECT="$PALUDIS_BIND_DATA_DIR"
PROTECT
insinto "/usr/$(exhost --target)/lib/tmpfiles.d"
# DNM(Krey): Process
# tmpfiles entry for the runtime directory. The path is hard-coded to /run/named rather
# than taken from PALUDIS_BIND_RUN_DIR, which named.conf below does use for pid-file.
hereins "$PN.conf" <<-EOF
d /run/named 0755 $PALUDIS_BIND_USER $PALUDIS_BIND_GROUP -
EOF
# FIXME-QA(Krey): On my non-standard system this is a symlink which fails the merge-check
# NOTE(review): this removes everything installed under '${IMAGE}/var' so far (see the
# keepdir/chown note above); the data directory is recreated by the insinto/doins below.
[ ! -d "${IMAGE}/var" ] || { ${RM:-rm} -r "${IMAGE}/var" || die false "Unable to remove directory '${IMAGE}/var'" ;}
# DNM(Krey): Stubbed
#install_systemd_files
# DNM(Krey): Implement
#install_openrc_files
# Install standard zones and root cache
insinto "$PALUDIS_BIND_DATA_DIR" # i.e. /var/named
doins "${FETCHEDDIR}/named.cache"
insinto "$PALUDIS_BIND_DATA_DIR/pri"
doins "${FILES}/127.zone"
doins "${FILES}/localhost.zone"
# FIXME-QA(Krey): Sanitize
# FIXME-QA(Krey): Rename the var to PALUDIS_BIND_CONFDIR_PERMS
# NOTE(review): the fallback mode 0777 makes the configuration directory world-writable,
# which undoes the 0640 applied to secret.rndc-key below (any local user could replace
# the file or rndc.conf). A non-world-writable default is the usual choice -- confirm before changing.
${CHMOD:-chmod} "${PALUDIS_BIND_DIR_PERMS:-0777}" "${IMAGE}/$PALUDIS_BIND_CONFDIR"
## Use command 'rndc-confgen' from compiled target unless set by the end-user
# NOTE(Krey): Do not use rndc-confgen from imagedir because it requires preloads.
RNDC_CONFGEN="${RNDC_CONFGEN:-"${WORKBASE}/$PNV/bin/confgen/rndc-confgen"}"
# Create rndc.conf file
# FIXME-QA(Krey): rndc-confgen doesn't support non-shorthand arguments, submit patch upstream for better readability
# FIXME-SECURITY(Krey): Adapt option for threat model to use KEYSIZE
# Generate rndc.conf only when no non-empty file exists yet (-A algorithm, -b key size,
# -p control port; see rndc-confgen(8) for -u). RNDC_CONFGEN is always set by the
# assignment above, so the ':-rndc-confgen' fallback below never applies; likewise the
# ':-bind' fallback for -u differs from bind_pkg_setup()'s default of 'root'.
# NOTE(review): rndc.conf holds the same secret as secret.rndc-key but is never chmod'ed
# here; it keeps the umask-derived mode from the redirection.
[ -s "${IMAGE}/$PALUDIS_BIND_CONFDIR/rndc.conf" ] || {
{ ${RNDC_CONFGEN:-rndc-confgen} \
-A "${PALUDIS_BIND_CONFGEN_ALGORITHM:-hmac-sha512}" \
-b "${PALUDIS_BIND_CONFGEN_KEYSIZE:-512}" \
-u "${PALUDIS_BIND_USER:-bind}" \
-p "${PALUDIS_BIND_PORT:-953}" \
> "${IMAGE}/$PALUDIS_BIND_CONFDIR/rndc.conf"
} || die 1 "Unable to generate file '${IMAGE}/$PALUDIS_BIND_CONFDIR/rndc.conf' using command '$RNDC_CONFGEN'"
}
# NOTE(Krey): Remove rndc.key file if it exists as we are using rndc.conf which conflicts with each other
[ ! -f "${IMAGE}/$PALUDIS_BIND_CONFDIR/rndc.key" ] || { ${RM:-rm} "${IMAGE}/$PALUDIS_BIND_CONFDIR/rndc.key" || die 1 "Unable to remove file '${IMAGE}/$PALUDIS_BIND_CONFDIR/rndc.key'" ;}
# NOTE(Krey): We need the rndc-key defined in named.conf which makes it bad idea to expose named.conf for the users so this is a method to make that sane
# Extract the 'key' stanza that rndc-confgen prints as a commented named.conf snippet
# ('# key' plus the three following lines) into secret.rndc-key. This depends on the
# exact comment layout rndc-confgen emits -- verify against the installed version.
[ -f "${IMAGE}/$PALUDIS_BIND_CONFDIR/secret.rndc-key" ] || { { ${GREP:-grep} "^#" "${IMAGE}/$PALUDIS_BIND_CONFDIR/rndc.conf" | ${GREP:-grep} "^# key" -A 3 | ${SED:-sed} "s/# //" > "${IMAGE}/$PALUDIS_BIND_CONFDIR/secret.rndc-key" ;} || die false "Unable to generate 'secret.rndc-key'" ;}
# FIXME-QA(Krey): Sanitize
${CHMOD:-chmod} "${PALUDIS_BIND_RNDC_KEY_PERMS:-0640}" "${IMAGE}/$PALUDIS_BIND_CONFDIR/secret.rndc-key"
# FIXME-QA(Krey): Sanitize
${CHOWN:-chown} "${PALUDIS_BIND_USER}":"$PALUDIS_BIND_GROUP" "${IMAGE}/$PALUDIS_BIND_CONFDIR/secret.rndc-key"
# Remove the confidential parts from rndc.conf
# NOTE(review): the condition is inverted. 'grep >/dev/null' succeeds when commented
# lines exist, so the '||' branch that runs 'ed' is reached only when there is nothing
# to delete, and the commented key snippet stays in rndc.conf. The intended form is
# likely '! grep -q "^# " <file> || { ... ed ... }' (or running ed unconditionally).
${GREP:-grep} "^# " "${IMAGE}/$PALUDIS_BIND_CONFDIR/rndc.conf" >/dev/null || { ${PRINTF:-printf} 'g/# .*/d\nw\nq\n' | ${ED:-ed} -s "${IMAGE}/$PALUDIS_BIND_CONFDIR/rndc.conf" ;} || die confidential-remove "Unable to remove confidential parts from '${IMAGE}/$PALUDIS_BIND_CONFDIR/rndc.conf'"
# Declare header
# Start named.conf with an include of the extracted key. The three 'Comment' lines
# appear to be placeholders exercising the comment syntaxes named.conf accepts.
${CAT:-cat} <<-CONFIG > "${IMAGE}/$PALUDIS_BIND_CONFDIR/named.conf"
# Comment
// Comment
/* Comment */
# Relevant Administrator Reference Manual (ARM): https://downloads.isc.org/isc/bind9/$PV/doc/arm/Bv9ARM.pdf
# FIXME-DOCS(Krey): Provide best practices reference
// The key has to be included in named.conf
include "$PALUDIS_BIND_CONFDIR/secret.rndc-key"
CONFIG
# Set up options
# Options block. Expansions inside the here-document run at install time: the
# '$(... option recursive ...)' and '$(... option dnssec ...)' lines emit their
# directives only when the corresponding exheres option is enabled. Listening is
# restricted to 127.0.0.1 (IPv6 disabled) unless the end-user edits the file.
# shellcheck disable=SC2129 # Krey: Invidual redirects are invalid here as this is by design
${CAT:-cat} <<-CONFIG >> "${IMAGE}/$PALUDIS_BIND_CONFDIR/named.conf"
options {
// Working directory
directory "$PALUDIS_BIND_DATA_DIR";
// Path configuration
dump-file "$PALUDIS_BIND_DATA_DIR/named_dump.db"; // _PATH_DUMPFILE
pid-file "$PALUDIS_BIND_RUN_DIR/named.pid"; // _PATH_PIDFILE
statistics-file "$PALUDIS_BIND_DATA_DIR/named.stats"; // _PATH_STATS
memstatistics-file "$PALUDIS_BIND_DATA_DIR/named.memstats"; // _PATH_MEMSTATS
// uncomment the following lines to turn on DNS forwarding,
// and change the forwarding ip address(es) :
//forward first;
//forwarders {
// 123.123.123.123;
// 123.123.123.123;
//};
listen-on-v6 { none; };
listen-on { 127.0.0.1; };
// to allow only specific hosts to use the DNS server:
//allow-query {
// 127.0.0.1;
//};
// if you have problems and are behind a firewall:
//query-source address * port 53;
// Cache configuration
max-cache-size ${PALUDIS_BIND_MAX_CACHE_SIZE:-2000};
$(! option recursive || printf '%s\n' \
" min-cache-ttl ${PALUDIS_BIND_MIN_CACHE_TTL:-60};" \
" max-cache-ttl ${PALUDIS_BIND_MAX_CACHE_TTL:-600};")
// Set random device
random-device "$PALUDIS_RANDOM_DEVICE";
// Toggle switch for recursion service (allows to be used as a nameserver)
$(! option recursive || ${PRINTF:-printf} '%s\n' "recursion yes;")
$(option recursive || ${PRINTF:-printf} '%s\n' "recursion no;")
$(! option dnssec || ${PRINTF:-printf} ' %s\n' \
"# Enables DNSSEC validation in named" \
"# - If set to auto, DNSSEC validation is enabled and a default trust ancor for the DNS root zone is used" \
"dnssec-validation \"auto\";")
$(! option dnssec || ${PRINTF:-printf} ' %s\n' \
"# Automatically sign zones" \
"auto-dnssec \"${PALUDIS_BIND_AUTO_DNSSEC_OPTION:-maintain}\";")
};
CONFIG
# Set up controls
# rndc control channel restricted to loopback. The key name must match the one inside
# secret.rndc-key (rndc-confgen's default name is "rndc-key") -- confirm if that changes.
${CAT:-cat} <<-CONFIG >> "${IMAGE}/$PALUDIS_BIND_CONFDIR/named.conf"
controls {
inet 127.0.0.1 port ${PALUDIS_BIND_PORT:-953}
allow { 127.0.0.1; } keys { "rndc-key"; };
};
CONFIG
# Set up zones
# FIXME-QA(Krey): These are provided by default in the source, regex our lines in?
# Root hints (named.cache from DOWNLOADS) plus the localhost forward/reverse zones
# installed above from ${FILES}; paths are relative to the 'directory' option.
${CAT:-cat} <<-CONFIG >> "${IMAGE}/$PALUDIS_BIND_CONFDIR/named.conf"
// Briefly, a zone which has been declared delegation-only will be effectively
// limited to containing NS RRs for subdomains, but no actual data beyond its
// own apex (for example, its SOA RR and apex NS RRset). This can be used to
// filter out "wildcard" or "synthesized" data from NAT boxes or from
// authoritative name servers whose undelegated (in-zone) data is of no
// interest.
// See http://www.isc.org/products/BIND/delegation-only.html for more info
zone "COM" { type delegation-only; };
zone "NET" { type delegation-only; };
zone "." IN {
type hint;
file "named.cache";
};
zone "localhost" IN {
type master;
file "pri/localhost.zone";
allow-update { none; };
notify no;
};
zone "127.in-addr.arpa" IN {
type master;
file "pri/127.zone";
allow-update { none; };
notify no;
};
CONFIG
# Set up zone servers
if option authoritative; then
# DNM(Krey): Testing -- this assignment overrides any PALUDIS_BIND_AUTH_DOMAIN supplied by the end-user.
PALUDIS_BIND_AUTH_DOMAIN="rixotstudio.cz" # DNM(Krey): Testing
if [ -n "$PALUDIS_BIND_AUTH_DOMAIN" ]; then
# Whitespace-separated list of domains; word splitting is intended here.
for domain in $PALUDIS_BIND_AUTH_DOMAIN; do
# FIXME-QA(Krey): Make sure that the domain has correct format
# Zone stanza for this domain. With 'dnssec' the zone points at the .signed file
# (which the disabled dnssec-signzone step below never creates) and at a per-domain
# key-directory. PALUDIS_BIND_ALLOWED_TRANSFER is pasted verbatim into named.conf, so
# it must already be a valid address-match list ending in ';'. 'update-policy local;'
# permits dynamic updates signed with named's local session key -- confirm this is wanted.
${CAT:-cat} <<-CONFIG >> "${IMAGE}/$PALUDIS_BIND_CONFDIR/named.conf"
zone "$domain" {
type master;
$(option dnssec || printf '%s\n' "file \"$PALUDIS_BIND_ZONEFILE_DIR/$domain/$domain\";")
$(! option dnssec || printf ' %s\n' \
"file \"$PALUDIS_BIND_ZONEFILE_DIR/$domain/$domain.signed\";" \
"key-directory \"${PALUDIS_BIND_KEYDIR}/$domain\";")
// To allow zone transfer i.e. used to transfer the zone to secondary DNS
allow-transfer {
${PALUDIS_BIND_ALLOWED_TRANSFER:-127.0.0.1;}
};
// FIXME-DOCS: Info
update-policy local;
};
CONFIG
# Make sure that expected directories are available
# NOTE(review): 'mkdir --parents' is a GNU long option (the key-directory mkdir further
# down spells it '--parent'); POSIX sh targets would need '-p'.
[ -d "${IMAGE}/$PALUDIS_BIND_KEYDIR/$domain" ] || { ${MKDIR:-mkdir} --parents "${IMAGE}/$PALUDIS_BIND_KEYDIR/$domain" || die 1 "Unable to create a new directory in '${IMAGE}/$PALUDIS_BIND_KEYDIR/$domain'" ;}
[ -d "${IMAGE}/$PALUDIS_BIND_ZONEFILE_DIR/$domain" ] || { ${MKDIR:-mkdir} --parents "${IMAGE}/$PALUDIS_BIND_ZONEFILE_DIR/$domain" || die 1 "Unable to create a new directory in '${IMAGE}/$PALUDIS_BIND_ZONEFILE_DIR/$domain'";}
# Clear the zonefile (truncate, then append record by record below)
${PRINTF:-printf} "" > "${IMAGE}/$PALUDIS_BIND_ZONEFILE_DIR/$domain/$domain"
# Add note about signing
if option dnssec; then
# DNM(Krey): Make sure that this is the same command used
${PRINTF:-printf} '%s\n' ";; Signed using: ${DNSSEC_SIGNZONE:-dnssec-signzone} -g -K $PALUDIS_BIND_KEYDIR -M ${PALUDIS_BIND_DNSSEC_SIGNZONE_MAXTTL:-300} \"$PALUDIS_BIND_ZONEFILE_DIR/$domain\"" >> "${IMAGE}/$PALUDIS_BIND_ZONEFILE_DIR/$domain/$domain"
else
true
fi
# FIXME-FEATURE(Krey): Allow method to define a function that creates the zonefile
# Add note about verifying zone file
# FIXME-QA(Krey): Add info to shellcheck SC2129
# shellcheck disable=SC2129 # Using this by design to allow further logic implementation
${PRINTF:-printf} '%s\n' ";; Tested using: named-checkzone $domain $PALUDIS_BIND_ZONEFILE_DIR/$domain" >> "${IMAGE}/$PALUDIS_BIND_ZONEFILE_DIR/$domain/$domain"
# Define global Time To Live (TTL)
# NOTE(review): the override variable is spelled PALUDIS_BIND_TTS here -- presumably
# PALUDIS_BIND_TTL was meant; verify against any documentation or callers.
${PRINTF:-printf} '%s\n' "\$TTL ${PALUDIS_BIND_TTS:-300}" >> "${IMAGE}/$PALUDIS_BIND_ZONEFILE_DIR/$domain/$domain"
# Define global origin
${PRINTF:-printf} '%s\n' "\$ORIGIN $domain." >> "${IMAGE}/$PALUDIS_BIND_ZONEFILE_DIR/$domain/$domain"
# Define nameservers (At least one!)
# Default nameserver name is ns.<PALUDIS_HOSTNAME>.<domain>; the A/AAAA record for that
# name is written further down from PALUDIS_BIND_NAMESERVER_IP.
for nameserver in ${PALUDIS_BIND_NAMESERVER:-ns.$PALUDIS_HOSTNAME.$domain}; do
${PRINTF:-printf} '%s\n' "@ IN NS $nameserver." >> "${IMAGE}/$PALUDIS_BIND_ZONEFILE_DIR/$domain/$domain"
done
# Create SOA record
# Fields in order: MNAME, RNAME, SERIAL (UTC date and hour unless overridden, '1' if
# date fails), REFRESH, RETRY, EXPIRY, MINIMUM.
${CAT:-cat} <<-ZONEFILE >> "${IMAGE}/$PALUDIS_BIND_ZONEFILE_DIR/$domain/$domain"
@ IN SOA (
${PALUDIS_BIND_SOA_MNAME:-ns.$PALUDIS_HOSTNAME.$domain.} ; MNAME
${PALUDIS_BIND_SOA_RNAME:-${PALUDIS_HOSTMASTER_NAME:-hostmaster}.$PALUDIS_HOSTNAME.$domain.} ; RNAME
${PALUDIS_BIND_SOA_SERIAL:-$(date -u +"%Y%m%d%H" || printf 1)} ; SERIAL
${PALUDIS_BIND_SOA_REFRESH:-8H} ; REFRESH
${PALUDIS_BIND_SOA_RETRY:-2H} ; RETRY
${PALUDIS_BIND_SOA_EXPIRY:-1W} ; EXPIRY
${PALUDIS_BIND_SOA_MINIMUM:-2H} ; MINIMUM Negative Cache TTL
)
ZONEFILE
# Define defaults
${PRINTF:-printf} '%s\n' ";; Default" >> "${IMAGE}/$PALUDIS_BIND_ZONEFILE_DIR/$domain/$domain"
# DNM(Krey): Used for testing
# NOTE(review): hard-coded test address; it overrides the hostname-derived fallback in the loop below.
PALUDIS_HOST_IP="89.176.197.177"
# FIXME-QA(Krey): This may fail to show the IP Adresses
# - 'ip -j a | jq ...'
# - 'curl ifconfig.me'
# - 'ifconfig | <regex-here>'
# - 'ip a | <regex-here>'
# 'hostname --all-ip-addresses' is GNU-specific, hence the FIXME above.
for ip in ${PALUDIS_HOST_IP:-$(hostname --all-ip-addresses 2>/dev/null)}; do
case "$ip" in
*.*.*.*) # IPv4 (any value containing three dots matches this pattern)
# NOTE(Krey): On 9.16.7 using '@' causes 'not at top of zone' unless the file is openned in vim changed to '$domain' and/or after changed back to '@' -> Assuming possible upstream bug
${PRINTF:-printf} '%s\n' "$domain IN A $ip" >> "${IMAGE}/$PALUDIS_BIND_ZONEFILE_DIR/$domain/$domain" ;;
*::*:*:*:*) # IPv6 -- NOTE(review): only matches addresses with '::' followed by at least three more groups; e.g. '::1' or a fully expanded address falls through to the die below.
${PRINTF:-printf} '%s\n' "@ IN AAAA $ip" >> "${IMAGE}/$PALUDIS_BIND_ZONEFILE_DIR/$domain/$domain" ;;
*) die bug "Case statement processing defaults for IP adresses triggered bug trap for '$ip', report downstream"
esac
done
# DNM(Krey): Used for testing
PALUDIS_BIND_NAMESERVER_IP="89.176.197.177"
# Create the A/AAAA record for nameserver
# NOTE(review): the case selector falls back to a grep/sed extraction from PALUDIS_HOST_IP
# (which yields nothing for a single address with no trailing space), but the two record
# lines print "$PALUDIS_BIND_NAMESERVER_IP" directly; with that variable unset an empty
# address would be written. Masked today by the hard-coded assignment above.
case "${PALUDIS_BIND_NAMESERVER_IP:-$(${PRINTF:-printf} '%s\n' "$PALUDIS_HOST_IP" | ${GREP:-grep} -o "^.* " | ${SED:-sed} "s/\ //")}" in
*.*.*.*) # IPv4
${PRINTF:-printf} "ns.$PALUDIS_HOSTNAME.$domain. IN A %s\n" "$PALUDIS_BIND_NAMESERVER_IP" >> "${IMAGE}/$PALUDIS_BIND_ZONEFILE_DIR/$domain/$domain" ;;
*::*:*:*:*) # IPv6
${PRINTF:-printf} "ns.$PALUDIS_HOSTNAME.$domain. IN AAAA %s\n" "$PALUDIS_BIND_NAMESERVER_IP" >> "${IMAGE}/$PALUDIS_BIND_ZONEFILE_DIR/$domain/$domain" ;;
*) die unable-to-create-nameserver-record "Unexpected IP '${PALUDIS_BIND_NAMESERVER_IP:-$(${PRINTF:-printf} '%s\n' "$PALUDIS_HOST_IP" | ${GREP:-grep} -o "^.* " | ${SED:-sed} "s/\ //")}' has been provided in logic that creates the A/AAAA record"
esac
# Set up Keys
# FIXME-QA(Krey): Command 'dnssec-keygen' doesn not support non-shorthands for arguments, submit patch upstream to improve readability
if option dnssec; then
# Create key directory (already created above with '--parents'; harmless repeat)
[ -d "${IMAGE}/$PALUDIS_BIND_KEYDIR/$domain" ] || { ${MKDIR:-mkdir} --parent "${IMAGE}/$PALUDIS_BIND_KEYDIR/$domain" || die false "Unable to create a new directory in '${IMAGE}/$PALUDIS_BIND_KEYDIR/$domain'" ;}
# Use command 'dnssec-keygen' from compiled target unless set by the end-user
# NOTE(review): unlike RNDC_CONFGEN this default points at the installed location under
# /usr/<target>/bin rather than the build tree in WORKBASE.
DNSSEC_KEYGEN="${DNSSEC_KEYGEN:-"/usr/$(exhost --target)/bin/dnssec-keygen"}"
# Generate Key-Signing Key (KSK)
# NOTE(review): both keys are generated inside ${IMAGE}, so the private key material
# becomes part of the merged image (and of any binary package built from it). Keep
# that material confidential, or consider generating keys on the target at first start
# -- confirm the intended deployment model.
${DNSSEC_KEYGEN:-dnssec-keygen} -a "${PALUDIS_BIND_PREFFERED_KEYGEN_ALGORITHM_KSK:-ECDSAP384SHA384}" -f KSK -c IN -L "${PALUDIS_BIND_KSK_MINTTL:-300}" -K "${IMAGE}/$PALUDIS_BIND_KEYDIR/$domain" "$domain" || die false "Unable to generate Key-Signing Key (KSK)"
# Generate Zone-Signing Key (ZSK)
${DNSSEC_KEYGEN:-dnssec-keygen} -a "${PALUDIS_BIND_PREFFERED_KEYGEN_ALGORITHM_ZSK:-ECDSAP384SHA384}" -n ZONE -c IN -L "${PALUDIS_BIND_ZSK_MINTTL:-300}" -K "${IMAGE}/$PALUDIS_BIND_KEYDIR/$domain" "$domain" || die false "Unable to generate Zone-Signing Key (ZSK)"
# NOTE(review): ${PRINF:-printf} is a typo for PRINTF; it still runs printf because PRINF
# is never set, but a PRINTF override is ignored on this line.
${PRINF:-printf} '%s\n' ";; Include keys as suggested in https://downloads.isc.org/isc/bind9/$PV/doc/arm/html/advanced.html#generating-keys" >> "${IMAGE}/$PALUDIS_BIND_ZONEFILE_DIR/$domain/$domain"
# NOTE(review): iterating over 'ls | grep | tr' output word-splits file names; a glob such
# as "${IMAGE}/$PALUDIS_BIND_KEYDIR/$domain"/*.key would avoid the pipeline.
# shellcheck disable=SC2010 # Krey: Do not use 'ls \ grep' use glob expansion is invalid here as we are working with ls output
for keyfile in $(${LS:-ls} "${IMAGE}/$PALUDIS_BIND_KEYDIR/$domain" | ${GREP:-grep} ".*\.key$" | ${TR:-tr} '\n' ' '); do
# PALUDIS_BIND_KEYDIR already starts with '/', so the leading '/' here yields a doubled slash in the $INCLUDE path.
${PRINTF:-printf} "\$INCLUDE \"/${PALUDIS_BIND_KEYDIR:-${PALUDIS_BIND_DATA_DIR:-/var/named}/keys}/$domain/%s\" $domain\n" "$keyfile" >> "${IMAGE}/$PALUDIS_BIND_ZONEFILE_DIR/$domain/$domain"
done
NAMED_CHECKZONE="${NAMED_CHECKZONE:-"$WORKBASE/$PN-$PV/bin/check/named-checkzone"}"
# Check zonefiles on demand
# FIXME-QA(Krey): This should be probably part of post-install tests
# Only the value 'check' runs named-checkzone; any other value (including empty) is
# reported via einfo and skipped.
case "$PALUDIS_BIND_CHECK_ZONEFILE" in
check)
$NAMED_CHECKZONE "$domain" "${IMAGE}/$PALUDIS_BIND_ZONEFILE_DIR/$domain/$domain" || die false "Command '$NAMED_CHECKZONE' returned non-true while checking zone-file for zone '$domain' located at '${IMAGE}/$PALUDIS_BIND_ZONEFILE_DIR/$domain/$domain'"
;;
"" | "skip" | *) einfo "Variable 'PALUDIS_BIND_CHECK_ZONEFILE' is storing value '$PALUDIS_BIND_CHECK_ZONEFILE', skipping checking zone files.."
esac
# Use command 'dnssec-signzone' from compiled target unless set by the end-user
DNSSEC_SIGNZONE="${DNSSEC_SIGNZONE:-"${WORKBASE}/$PNV/bin/dnssec/dnssec-signzone"}"
# FIXME-QA: Expand arguments, avoid shorthands
# FIXME(Krey): We are unable to create the signed zones from sandbox which is allegedly not supported, report upstream?
# NOTE(review): with signing disabled, the dnssec branch of the zone stanza above still
# points 'file' at "$domain.signed", which therefore does not exist in the image.
# [ -f "${IMAGE}/$PALUDIS_BIND_ZONEFILE_DIR/$domain/$domain.signed" ] || ${DNSSEC_SIGNZONE:-dnssec-signzone} \
# -g \
# -K "${IMAGE}/$PALUDIS_BIND_KEYDIR/$domain" \
# -T "${PALUDIS_BIND_DNSSEC_SIGNZONE_TTL:-300}" \
# -n "${PALUDIS_BIND_DNSSEC_NCPUS:-$(nproc || printf 1)}" \
# "${IMAGE}/$PALUDIS_BIND_ZONEFILE_DIR/$domain/$domain" || die 1 "Unable to sign zonefile in '${IMAGE}/$PALUDIS_BIND_ZONEFILE_DIR/$domain/$domain'"
else
einfo "Option 'dnssec' is not enabled, skipping creation of keys.."
fi
done
elif [ -z "$PALUDIS_BIND_AUTH_DOMAIN" ]; then
einfo "Variable 'PALUDIS_BIND_AUTH_DOMAIN' is storing '${PALUDIS_BIND_AUTH_DOMAIN:-<BLANK>}', skipping configuration of authoritative server.."
else
# DNM(Krey)
die unexpected "..."
fi
elif ! option authoritative; then
einfo "Option 'authoritative' is not set, skipping configuration of authority server.."
else
# DNM(Krey)
die unexpected "..."
fi
# Transfer ownership to bind
# FIXME-QA(Krey): Sanitize
# FIXME-QA(Krey): Expand arguments
# NOTE(review): with bind_pkg_setup()'s defaults this is root:bind, not bind:bind as the
# comment above suggests.
${CHOWN:-chown} -R "$PALUDIS_BIND_USER":"$PALUDIS_BIND_GROUP" "${IMAGE}/$PALUDIS_BIND_CONFDIR"
${CHOWN:-chown} -R "$PALUDIS_BIND_USER":"$PALUDIS_BIND_GROUP" "${IMAGE}/$PALUDIS_BIND_DATA_DIR"
}
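bind_pkg_postinst() {
  # DNM(Krey): Process -- the early return below disables everything that follows.
  # NOTE(review): the disabled steps date from the original exlib. They would regenerate
  # rndc.key with the installed rndc-confgen, whereas bind_src_install() deliberately
  # removes rndc.key and ships rndc.conf plus secret.rndc-key instead, so re-enabling
  # them unchanged would reintroduce the conflict noted there.
  return 0
  # Regenerate the rndc key only when none exists. Uses the same PALUDIS_BIND_CONFDIR
  # and PALUDIS_BIND_USER as bind_src_install() and the tool prefix used elsewhere in
  # this file instead of an unassigned 'host' variable; '-r /dev/urandom' is presumably
  # the randomness source -- confirm against rndc-confgen(8) of the installed version.
  if [ ! -f "$PALUDIS_BIND_CONFDIR/rndc.key" ]; then
    if [ -c /dev/urandom ]; then
      nonfatal edo "/usr/$(exhost --target)/bin/rndc-confgen" -r /dev/urandom -a -u "$PALUDIS_BIND_USER"
    else
      nonfatal edo "/usr/$(exhost --target)/bin/rndc-confgen" -a -u "$PALUDIS_BIND_USER"
    fi
  fi
}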