mischief/openbsd-src
1
0
Fork 0
mirror of https://github.com/openbsd/src.git synced 2025-01-10 06:47:55 -08:00
Code

disable use of bind in base; in the base use nsd/unbound instead.

Browse Source 
a proper & complete bind port will show up.
discussed with many for years
This commit is contained in:
deraadt 2014-08-22 19:19:25 +00:00
parent 0f38b4b37e
commit d750a370d6
16 changed files with 8 additions and 448 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
etc/Makefile
View File

@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.388 2014/07/23 11:49:06 reyk Exp $
# $OpenBSD: Makefile,v 1.389 2014/08/22 19:19:25 deraadt Exp $
TZDIR= /usr/share/zoneinfo
LOCALTIME= Canada/Mountain
@ -54,7 +54,7 @@ EXAMPLES_600=bgpd.conf dvmrpd.conf hostapd.conf iked.conf ipsec.conf \
RCDAEMONS= amd apmd bgpd bootparamd cron dhcpd dhcrelay dvmrpd \
ftpd ftpproxy hostapd hotplugd httpd identd ifstated iked \
inetd isakmpd ldapd npppd ldattach ldpd lpd mopd mrouted \
named nginx nsd ntpd ospfd ospf6d portmap pflogd rarpd rbootd \
nginx nsd ntpd ospfd ospf6d portmap pflogd rarpd rbootd \
relayd ripd route6d rtadvd rtsold sasyncd sendmail \
sensorsd slowcgi smtpd snmpd spamd sshd syslogd watchdogd \
wsmoused xdm ypbind ypldap yppasswdd ypserv nfsd mountd lockd \
@ -158,21 +158,6 @@ distribution-etc-root-var: distrib-dirs
cd systrace; \
${INSTALL} -c -o root -g wheel -m 600 usr_sbin_lpd \
${DESTDIR}/etc/systrace; \
${INSTALL} -c -o root -g wheel -m 600 usr_sbin_named \
${DESTDIR}/etc/systrace
cd bind; \
${INSTALL} -c -o root -g named -m 640 named-simple.conf \
${DESTDIR}/var/named/etc/named.conf; \
${INSTALL} -c -o root -g named -m 640 named-*.conf \
${DESTDIR}/var/named/etc; \
${INSTALL} -c -o root -g wheel -m 644 root.hint \
${DESTDIR}/var/named/etc; \
${INSTALL} -c -o root -g wheel -m 644 db.localhost \
${DESTDIR}/var/named/standard/localhost; \
${INSTALL} -c -o root -g wheel -m 644 db.loopback \
${DESTDIR}/var/named/standard/loopback; \
${INSTALL} -c -o root -g wheel -m 644 db.loopback6.arpa \
${DESTDIR}/var/named/standard/loopback6.arpa
ln -fs ${TZDIR}/${LOCALTIME} ${DESTDIR}/etc/localtime
ln -fs /usr/sbin/rmt ${DESTDIR}/etc/rmt
${INSTALL} -c -o root -g wheel -m 644 minfree \

15
etc/bind/db.localhost
View File

@ -1,15 +0,0 @@
; $OpenBSD: db.localhost,v 1.4 2008/01/03 21:20:25 jakob Exp $
$ORIGIN localhost.
$TTL 6h
@ IN SOA localhost. root.localhost. (
1 ; serial
1h ; refresh
30m ; retry
7d ; expiration
1h ) ; minimum
NS localhost.
A 127.0.0.1
AAAA ::1

14
etc/bind/db.loopback
View File

@ -1,14 +0,0 @@
; $OpenBSD: db.loopback,v 1.4 2008/01/03 21:20:25 jakob Exp $
$ORIGIN 127.in-addr.arpa.
$TTL 6h
@ IN SOA localhost. root.localhost. (
1 ; serial
1h ; refresh
30m ; retry
7d ; expiration
1h ) ; minimum
NS localhost.
1.0.0 PTR localhost.

14
etc/bind/db.loopback6.arpa
View File

@ -1,14 +0,0 @@
; $OpenBSD: db.loopback6.arpa,v 1.5 2009/11/02 21:12:56 jakob Exp $
$ORIGIN 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
$TTL 6h
@ IN SOA localhost. root.localhost. (
1 ; serial
1h ; refresh
30m ; retry
7d ; expiration
1h ) ; minimum
NS localhost.
PTR localhost.

79
etc/bind/named-dual.conf
View File

@ -1,79 +0,0 @@
// $OpenBSD: named-dual.conf,v 1.11 2009/11/02 21:12:56 jakob Exp $
//
// Example file for a named configuration with dual views,
// one processing recursive queries only and one processing
// authoritative-only queries.
// Update this list to include only the networks for which you want
// to execute recursive queries. The default setting allows all hosts
// on any IPv4 networks for which the system has an interface, and
// the IPv6 localhost address.
//
acl clients {
localnets;
::1;
};
options {
version ""; // remove this to allow version queries
listen-on { any; };
listen-on-v6 { any; };
empty-zones-enable yes;
};
logging {
category lame-servers { null; };
};
view "recursive" {
match-clients { clients; };
match-recursive-only yes;
allow-recursion { clients; };
zone "." {
type hint;
file "etc/root.hint";
};
zone "localhost" {
type master;
file "standard/localhost";
allow-transfer { localhost; };
};
zone "127.in-addr.arpa" {
type master;
file "standard/loopback";
allow-transfer { localhost; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
type master;
file "standard/loopback6.arpa";
allow-transfer { localhost; };
};
};
view "authoritative" {
recursion no;
additional-from-auth no;
additional-from-cache no;
// Master zones
//
//zone "myzone.net" {
// type master;
// file "master/myzone.net";
//};
// Slave zones
//
//zone "otherzone.net" {
// type slave;
// file "slave/otherzone.net";
// masters { 192.168.1.10; [...;] };
//};
};

71
etc/bind/named-simple.conf
View File

@ -1,71 +0,0 @@
// $OpenBSD: named-simple.conf,v 1.10 2009/11/02 21:12:56 jakob Exp $
//
// Example file for a simple named configuration, processing both
// recursive and authoritative queries using one cache.
// Update this list to include only the networks for which you want
// to execute recursive queries. The default setting allows all hosts
// on any IPv4 networks for which the system has an interface, and
// the IPv6 localhost address.
//
acl clients {
localnets;
::1;
};
options {
version ""; // remove this to allow version queries
listen-on { any; };
listen-on-v6 { any; };
empty-zones-enable yes;
allow-recursion { clients; };
};
logging {
category lame-servers { null; };
};
// Standard zones
//
zone "." {
type hint;
file "etc/root.hint";
};
zone "localhost" {
type master;
file "standard/localhost";
allow-transfer { localhost; };
};
zone "127.in-addr.arpa" {
type master;
file "standard/loopback";
allow-transfer { localhost; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
type master;
file "standard/loopback6.arpa";
allow-transfer { localhost; };
};
// Master zones
//
//zone "myzone.net" {
// type master;
// file "master/myzone.net";
//};
// Slave zones
//
//zone "otherzone.net" {
// type slave;
// file "slave/otherzone.net";
// masters { 192.0.2.1; [...;] };
//};

90
etc/bind/root.hint
View File

@ -1,90 +0,0 @@
; $OpenBSD: root.hint,v 1.10 2013/01/03 18:37:19 gonzalo Exp $
;
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.cache
; on server FTP.INTERNIC.NET
; -OR- RS.INTERNIC.NET
;
; last update: Jan 3, 2013
; related version of root zone: 2013010300
;
; formerly NS.INTERNIC.NET
;
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:BA3E::2:30
;
; FORMERLY NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
;
; FORMERLY C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
;
; FORMERLY TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2D::D
;
; FORMERLY NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; FORMERLY NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2F::F
;
; FORMERLY NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; FORMERLY AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::803F:235
;
; FORMERLY NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FE::53
;
; OPERATED BY VERISIGN, INC.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:C27::2:30
;
; OPERATED BY RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FD::1
;
; OPERATED BY ICANN
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:3::42
;
; OPERATED BY WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
M.ROOT-SERVERS.NET. 3600000 AAAA 2001:DC3::35
; End of File

8
etc/changelist
View File

@ -1,4 +1,4 @@
# $OpenBSD: changelist,v 1.98 2014/07/22 21:01:58 ajacoutot Exp $
# $OpenBSD: changelist,v 1.99 2014/08/22 19:19:25 deraadt Exp $
#
# List of files which the security script backs up and checks
# for modifications.
@ -163,12 +163,6 @@
/var/cron/cron.allow
/var/cron/cron.deny
/var/cron/tabs/root
/var/named/etc/named.conf
+/var/named/etc/rndc.key
/var/named/etc/root.hint
/var/named/standard/localhost
/var/named/standard/loopback
/var/named/standard/loopback6.arpa
/var/nsd/etc/nsd.conf
/var/unbound/etc/root.key
/var/unbound/etc/unbound.conf

1
etc/group
View File

@ -32,7 +32,6 @@ crontab:*:66:
www:*:67:
_isakmpd:*:68:
network:*:69:
named:*:70:
proxy:*:71:
authpf:*:72:
_syslogd:*:73:

3
etc/mail/aliases
View File

@ -1,5 +1,5 @@
#
# $OpenBSD: aliases,v 1.45 2014/06/06 16:46:43 gilles Exp $
# $OpenBSD: aliases,v 1.46 2014/08/22 19:19:25 deraadt Exp $
#
# Aliases in this file will NOT be expanded in the header from
# Mail, but WILL be visible over networks or from /usr/libexec/mail.local.
@ -60,7 +60,6 @@ _unbound: /dev/null
_x11: /dev/null
_ypldap: /dev/null
bin: /dev/null
named: /dev/null
nobody: /dev/null
proxy: /dev/null
smmsp: /dev/null

1
etc/master.passwd
View File

@ -15,7 +15,6 @@ _spamd:*:62:62::0:0:Spam Daemon:/var/empty:/sbin/nologin
uucp:*:66:1::0:0:UNIX-to-UNIX Copy:/var/spool/uucppublic:/sbin/nologin
www:*:67:67::0:0:HTTP Server:/var/www:/sbin/nologin
_isakmpd:*:68:68::0:0:isakmpd privsep:/var/empty:/sbin/nologin
named:*:70:70::0:0:BIND Name Service Daemon:/var/named:/sbin/nologin
proxy:*:71:71::0:0:Proxy Services:/nonexistent:/sbin/nologin
_syslogd:*:73:73::0:0:Syslog Daemon:/var/empty:/sbin/nologin
_pflogd:*:74:74::0:0:pflogd privsep:/var/empty:/sbin/nologin

16
etc/mtree/4.4BSD.dist
View File

@ -1,4 +1,4 @@
# $OpenBSD: 4.4BSD.dist,v 1.261 2014/07/18 18:20:42 deraadt Exp $
# $OpenBSD: 4.4BSD.dist,v 1.262 2014/08/22 19:19:25 deraadt Exp $
/set type=dir uname=root gname=wheel mode=0755
@ -769,20 +769,6 @@ var
mail
..
# ./var/named
named
etc uname=root gname=named mode=0750
..
master
..
slave uname=root gname=named mode=0775
..
standard
..
tmp uname=root gname=named mode=0775
..
..
# ./var/nsd
nsd
db uname=root gname=_nsd mode=0775

17
etc/rc
View File

@ -1,4 +1,4 @@
# $OpenBSD: rc,v 1.439 2014/08/17 14:43:34 ajacoutot Exp $
# $OpenBSD: rc,v 1.440 2014/08/22 19:19:25 deraadt Exp $
# System startup script run by init on autoboot
# or after single-user.
@ -144,19 +144,6 @@ start_daemon()
make_keys()
{
if [ X"${named_flags}" != X"NO" ]; then
if ! cmp -s /etc/rndc.key /var/named/etc/rndc.key ; then
echo -n "rndc-confgen: generating shared secret... "
if rndc-confgen -a -t /var/named >/dev/null 2>&1; then
chmod 0640 /var/named/etc/rndc.key \
>/dev/null 2>&1
echo done.
else
echo failed.
fi
fi
fi
if [ ! -f /etc/isakmpd/private/local.key ]; then
echo -n "openssl: generating isakmpd/iked RSA key... "
if openssl genrsa -out /etc/isakmpd/private/local.key 2048 \
@ -400,7 +387,7 @@ dmesg >/var/run/dmesg.boot
make_keys
echo -n 'starting early daemons:'
start_daemon syslogd ldattach pflogd named nsd unbound ntpd
start_daemon syslogd ldattach pflogd nsd unbound ntpd
start_daemon iscsid isakmpd iked sasyncd ldapd npppd
echo '.'

3
etc/rc.conf
View File

@ -1,4 +1,4 @@
# $OpenBSD: rc.conf,v 1.195 2014/07/22 17:37:16 reyk Exp $
# $OpenBSD: rc.conf,v 1.196 2014/08/22 19:19:25 deraadt Exp $
# DO NOT EDIT THIS FILE!!
#
@ -23,7 +23,6 @@ rarpd_flags=NO # for normal use: "-a"
bootparamd_flags=NO # for normal use: ""
rbootd_flags=NO # for normal use: ""
sshd_flags= # for normal use: ""
named_flags=NO # for normal use: ""
nsd_flags=NO # for normal use: "-c /var/nsd/etc/nsd.conf"
unbound_flags=NO # for normal use: "-c /var/unbound/etc/unbound.conf"
ldattach_flags=NO # for normal use: "[options] linedisc cua-device"

11
etc/rc.d/named
View File

@ -1,11 +0,0 @@
#!/bin/sh
#
# $OpenBSD: named,v 1.1 2011/07/06 18:55:36 robert Exp $
daemon="/usr/sbin/named"
. /etc/rc.d/rc.subr
pexp="named: \[priv\]"
rc_cmd $1

94
etc/systrace/usr_sbin_named
View File

@ -1,94 +0,0 @@
# $OpenBSD: usr_sbin_named,v 1.8 2014/07/20 04:29:07 deraadt Exp $
#
# Policy for named that uses named user and chroots to /var/named
# This policy works for the default configuration of named.
#
Policy: /usr/sbin/named, Emulation: native
native-__sysctl: permit
native-accept: permit
native-bind: sockaddr match "inet-*:0" then permit
native-bind: sockaddr match "inet-*:53" then permit
native-bind: sockaddr match "inet-*:953" then permit
native-break: permit
native-chdir: filename eq "/" then permit
native-chroot: filename eq "/var/named" then permit
native-close: permit
native-closefrom: permit
native-connect: sockaddr match "inet-*" then permit
native-dup2: permit
native-exit: permit
native-fcntl: permit
native-fork: permit
native-fsread: filename sub "<non-existent filename>" then deny[enoent]
native-fsread: filename eq "/etc/malloc.conf" then permit
native-fsread: filename eq "/dev/arandom" then permit
native-fsread: filename eq "/etc/group" then permit
native-fsread: filename eq "/etc/named.conf" then permit
native-fsread: filename eq "/etc/named.keys" then permit
native-fsread: filename eq "/etc/pwd.db" then permit
native-fsread: filename eq "/etc/rndc.key" then permit
native-fsread: filename eq "/etc/root.hint" then permit
native-fsread: filename eq "/etc/spwd.db" then deny[eperm]
native-fsread: filename match "/master" then permit
native-fsread: filename match "/slave" then permit
native-fsread: filename match "/standard" then permit
native-fsread: filename match "/usr/lib" then permit
native-fsread: filename eq "/usr/libexec/ld.so" then permit
native-fsread: filename match "/usr/share/nls" then permit
native-fsread: filename match "/usr/share/zoneinfo" then permit
native-fsread: filename eq "/var/run/ld.so.hints" then permit
native-fsread: filename eq "/var/run/named.pid" then permit
native-fstat: permit
native-fswrite: filename sub "<non-existent filename>" then deny[enoent]
native-fswrite: filename eq "/dev/null" then permit
native-fswrite: filename match "/master/*" then permit
native-fswrite: filename match "/slave/*" then permit
native-fswrite: filename eq "/var/run/named.pid" then permit
native-fswrite: filename match "/var/tmp/*" then permit
native-fsync: permit
native-getentropy: permit
native-getpid: permit
native-getppid: permit
native-getrlimit: permit
native-getsockname: permit
native-getsockopt: permit
native-gettimeofday: permit
native-getuid: permit
native-geteuid: permit
native-issetugid: permit
native-kill: permit
native-listen: permit
native-lseek: permit
native-minherit: permit
native-mmap: permit
native-mprotect: permit
native-mquery: permit
native-munmap: permit
native-nanosleep: permit
native-pipe: permit
native-pread: permit
native-read: permit
native-recvmsg: permit
native-rename: filename match "/slave/*" and filename[1] match "/slave/*" then permit
native-select: permit
native-sendmsg: permit
native-sendsyslog: permit
native-sendto: true then permit
native-setegid: gid eq "70" then permit
native-seteuid: uid eq "70" and uname eq "named" then permit
native-setgid: gid eq "70" then permit
native-setgroups: permit
native-setresgid: permit
native-setresuid: permit
native-setrlimit: permit
native-setsid: permit
native-setsockopt: permit
native-setuid: uid eq "70" and uname eq "named" then permit
native-sigaction: permit
native-sigprocmask: permit
native-sigreturn: permit
native-socket: permit
native-socketpair: permit
native-utimes: permit
native-wait4: permit
native-write: permit