Date:      Tue, 10 Oct 2017 17:23:22 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-ports-bugs@FreeBSD.org
Subject:   [Bug 222907] unbound-1.6.6 make install error line 77 plus problem with using service command
Message-ID:  <bug-222907-13@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222907

            Bug ID: 222907
           Summary: unbound-1.6.6 make install error line 77 plus problem
                    with using service command
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: freebsd-ports-bugs@FreeBSD.org
          Reporter: joeb1@a1poweruser.com

Created attachment 187054
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=187054&action=edit
sample quick-start file

1. Get error msg make: "/usr/ports/MK/Users/ssl.mk" line 77: You are using an
unsupported SSL provider openssl

openssl is valid. This is a bug in your make file. The make structure handles
this for you automatically.

2. The "service unbound restart" command is not working correctly. It leaves my
host in a compromised state. Getting entries in /var/log/auth.log about
unsuccessful ftp and ssh logins even though those inbound ports are blocked by
firewall rules.

When unbound started by using this console command
/usr/local/sbin/unbound -c /usr/local/etc/unbound/unbound.conf
no longer having problems with unsuccessful ftp and ssh login entries in
/var/log/auth.log.

Local_unbound and unbound should be pretty much configured the same way. But
comparing /usr/local/etc/rc.d/unbound  to /etc/rc.d/local_unbound it's very
easy to see they're completely different.

/usr/local/etc/rc.d/unbound should check the unbound.conf file looking for the
auto-trust-anchor-file parameter and if there then do the fetch anchor function
otherwise skip it.

3. This port is very user un-friendly. The ports system provides the files to
simply change this.

 A. Create a file named quick-start and populate with this text

   Quick unbound setup instructions

   1. In the /etc/rc.conf file
      comment out this if it's there  local_unbound_enable="YES"
      add unbound_enable="YES"
      The built-in local_unbound version can not co-exist with the port
      version of unbound. Select one or the other.
      You will need one host re-boot to enable unbound after completing the
      following steps

   2. Delete the contents of the /etc/resolv.conf and add this line
      nameserver 127.0.0.1
      Then make it immutable using "chflags -R schg /etc/resolv.conf"
      This makes it un-writable by anyone. Contents will never change.
      Use "ls -lo /etc/resolv.conf" to see its flags.
      Use "chflags -R noschg /etc/resolv.conf" to return to normal.
      This stops /etc/resolv.conf being refreshed at boot time with DNS
      information from your ISP overriding the nameserver 127.0.0.1
      statement needed to drive host dns requests to unbound.

   3. If you have a LAN behind this host and want those LAN devices'
      DNS requests to also go through the host's unbound server,
      change the host's DHCP server conf file DNS IP address to the
      LAN IP address assigned to the host network adapter the LAN is on.

   4. unbound comes with a built-in "root zone" which negates the need
      for a "forward-zone: section" altogether. This built-in
      "root zone" sends DNS requests to the up-stream public DNS
      servers. Verify that your host firewall doesn't have rules
      restricting port 53 to using only your ISP's DNS IP addresses.

   5. Use  service unbound restart  command after making changes to the
      content of your unbound.conf file. Note: Any unbound.conf content
      errors cause the unbound server to not start. This means ALL DNS
      requests go un-serviced, basically your host system and LAN users
      are dead in the water until you fix things.
      The  service unbound stop  command results in the same thing.

   6. Take note: The unbound man pages are not FreeBSD specific.
      Unbound is open source software that runs on many different
      platforms. Some statements and ideas expressed are incorrect based
      on the FreeBSD way of doing things.

   7. The /usr/local/etc/unbound/unbound.conf.sample file shows all the
      possible options available in the unbound.conf file. The defaults
      are designed to create a running unbound server. In most all cases
      the following working unbound.conf file contains the default
      overrides necessary for a working unbound server.

      Copy the following unbound.conf content to
      /usr/local/etc/unbound/unbound.conf

  # Start of the working unbound.conf file.
  # Server config section.

  server:

  # For the unbound port/package version use this
      directory: /usr/local/etc/unbound
      chroot: "/usr/local/etc/unbound"
      chroot: ""    # disable chroot
      pidfile: /usr/local/etc/unbound/unbound.pid

  # Specify the interfaces to answer queries from by ip-address.
  # The default is to listen to localhost (127.0.0.1 and ::1) only.
  # Specify 0.0.0.0 and ::0 to bind to all available interfaces.
      interface: ::0        # listen on all ipv6 interfaces
      interface: 0.0.0.0    # listen on all ipv4 interfaces

  # Control which clients are allowed to make (recursive) queries
  # to this server. Specify classless netblocks with /size and action.
  # By default everything is refused, except for localhost.
  # Example 10.0.0.0/8 is the ip address block assigned to the LAN.
      access-control: 10.0.0.0/8 allow
      access-control: 127.0.0.0/8 allow

  # Remote control config section.
  # Remote control must be enabled before the unbound-control(8)
  # command can be used to send commands to the running unbound server.
  # To enable security, execute the unbound-control-setup command
  # to set up the keys and certificates.
  # This remote-control: section enables remote-control with
  # security disabled for use on this host only.

  remote-control:
      control-enable: yes
      control-interface: /var/run/unbound.ctl
      control-use-cert: no

 B. Change the Makefile to install the quick-start file into
    /usr/local/share/doc/unbound/quick-start

 C. Add a pkg-message file to the make files containing this content:
#########################################################################

     For unbound quick setup instructions read;
     /usr/local/share/doc/unbound/quick-start

#########################################################################

Item 3.A.7 above, you may want to just change the Make file to install that
unbound.conf file directly into /usr/local/etc/unbound/unbound.conf

-- 
You are receiving this mail because:
You are the assignee for the bug.
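
The check proposed in item 2 of the report (run the anchor fetch only when unbound.conf sets auto-trust-anchor-file), sketched as an added example that is not part of the original message or of the port's rc.d script. The function names, the ANCHOR_CMD override and the sample configs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names and ANCHOR_CMD are hypothetical.

# Print the value of the last active auto-trust-anchor-file: line in the
# given unbound.conf. Exit 1 when the option is absent, commented out,
# or set to "". (Taking the last value is a simplification.)
anchor_file_from_conf() {
    awk '
        { sub(/#.*/, "") }                      # drop comments
        $1 == "auto-trust-anchor-file:" {
            $1 = ""                             # remove the key, keep the value
            sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
            gsub(/"/, "")                       # strip optional quotes
            val = $0
        }
        END { if (val == "") exit 1; print val }
    ' "$1"
}

# Pre-start hook: fetch the anchor only when the option is configured.
# Prints "fetch <file>" or "skip" so the caller can log the decision.
prestart_anchor() {
    if anchor=$(anchor_file_from_conf "$1"); then
        # unbound-anchor(8) -a names the anchor file to create or update;
        # its exit status is not treated as fatal in this example.
        ${ANCHOR_CMD:-unbound-anchor} -a "$anchor" >&2 || true
        echo "fetch $anchor"
    else
        echo "skip"
    fi
}

# Constructed sample configs (not from the port).
demo_dir=$(mktemp -d)
cat > "$demo_dir/with.conf" <<'EOF'
server:
    directory: /usr/local/etc/unbound
    # auto-trust-anchor-file: "/old/commented.key"
    auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"  # DNSSEC
EOF
cat > "$demo_dir/without.conf" <<'EOF'
server:
    directory: /usr/local/etc/unbound
    # auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
EOF

ANCHOR_CMD=true prestart_anchor "$demo_dir/with.conf"
ANCHOR_CMD=true prestart_anchor "$demo_dir/without.conf"
```

ANCHOR_CMD=true stands in for unbound-anchor in the demo calls so the block runs on a machine without unbound installed.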


