unbound: update to 1.4.7, enable DNSSEC as default

6 files changed, 41 insertions, 5 deletions

diff --git a/unbound/.footprint b/unbound/.footprint
index 3d691f1b3..eef3d1558 100644
--- a/unbound/.footprint
+++ b/unbound/.footprint
@@ -2,6 +2,7 @@ drwxr-xr-x	root/root	etc/
 drwxr-xr-x	root/root	etc/rc.d/
 -rwxr-xr-x	root/root	etc/rc.d/unbound
 drwxr-xr-x	root/root	etc/unbound/
+-rw-r--r--	unbound/root	etc/unbound/root.key (EMPTY)
 -rw-r--r--	root/root	etc/unbound/unbound.conf
 drwxr-xr-x	root/root	usr/
 drwxr-xr-x	root/root	usr/man/
@@ -10,11 +11,13 @@ drwxr-xr-x	root/root	usr/man/man1/
 drwxr-xr-x	root/root	usr/man/man5/
 -rw-r--r--	root/root	usr/man/man5/unbound.conf.5.gz
 drwxr-xr-x	root/root	usr/man/man8/
+-rw-r--r--	root/root	usr/man/man8/unbound-anchor.8.gz
 -rw-r--r--	root/root	usr/man/man8/unbound-checkconf.8.gz
 -rw-r--r--	root/root	usr/man/man8/unbound-control.8.gz
 -rw-r--r--	root/root	usr/man/man8/unbound.8.gz
 drwxr-xr-x	root/root	usr/sbin/
 -rwxr-xr-x	root/root	usr/sbin/unbound
+-rwxr-xr-x	root/root	usr/sbin/unbound-anchor
 -rwxr-xr-x	root/root	usr/sbin/unbound-checkconf
 -rwxr-xr-x	root/root	usr/sbin/unbound-control
 -rwxr-xr-x	root/root	usr/sbin/unbound-control-setup
diff --git a/unbound/.md5sum b/unbound/.md5sum
index 1166b9ea4..01e7cee4c 100644
--- a/unbound/.md5sum
+++ b/unbound/.md5sum
@@ -1,2 +1,2 @@
-c6f00a730330cb5a47a72538817aea78  unbound
-2cdcfe0ca45373c6b22e274560ae9943  unbound-1.4.6.tar.gz
+20a8c112ea3ce0049dfe16f92614185e  unbound
+97ee3c4a9877ff725fad23e31ecadfe0  unbound-1.4.7.tar.gz
diff --git a/unbound/Pkgfile b/unbound/Pkgfile
index 7d561c507..73c387b50 100644
--- a/unbound/Pkgfile
+++ b/unbound/Pkgfile
@@ -1,10 +1,10 @@
 # Description: Validating, recursive, and caching DNS resolver
 # URL:         http://unbound.net/index.html
 # Maintainer:  Juergen Daubert, jue at crux dot nu
-# Depends on:  openssl
+# Depends on:  openssl expat
 
 name=unbound
-version=1.4.6
+version=1.4.7
 release=1
 source=(http://unbound.net/downloads/$name-$version.tar.gz
         unbound)
@@ -17,12 +17,18 @@ build () {
                 --sysconfdir=/etc \
                 --with-pidfile=/var/run/unbound.pid \
                 --disable-shared \
-                --with-username=nobody
+                --with-username=unbound \
+                --with-ldns-builtin
 
     make -C ldns-src
     make
     make DESTDIR=$PKG install
 
     rm -r $PKG/usr/{lib,include,man/man3}
+
+    sed -i '314s/# //' $PKG/etc/unbound/unbound.conf
+    touch $PKG/etc/unbound/root.key
+    chown unbound $PKG/etc/unbound/root.key
+
     install -D -m 755 $SRC/unbound $PKG/etc/rc.d/unbound
 }
diff --git a/unbound/README b/unbound/README
new file mode 100644
index 000000000..0239d0bc6
--- /dev/null
+++ b/unbound/README
@@ -0,0 +1,20 @@
+README for unbound 1.*
+
+REQUIREMENTS
+
+PRE/POST-INSTALL
+
+1. Create a user/group unbound with a unused id < 99 or run the
+   provided pre-install script:
+
+   'groupadd -g 41 unbound'
+   'useradd -u 41 -g unbound -d /etc/unbound -s /bin/false unbound'
+   'passwd -l unbound'
+
+PRECAUTION
+
+The effective user unbound is running as (default: unbound) needs
+write access for /etc/unbound/root.key to update the trust anchor
+for DNSSEC validation. Adjust the user of that file if you run
+unbound as a different user.
+
diff --git a/unbound/pre-install b/unbound/pre-install
new file mode 100644
index 000000000..7fe762d1f
--- /dev/null
+++ b/unbound/pre-install
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+getent group unbound || /usr/sbin/groupadd -g 41 unbound
+getent passwd unbound || /usr/sbin/useradd -g unbound -u 41 -d /etc/unbound -s /bin/false unbound
+/usr/bin/passwd -l unbound
+
diff --git a/unbound/unbound b/unbound/unbound
index 206f95f6e..990b6b1d3 100644
--- a/unbound/unbound
+++ b/unbound/unbound
@@ -5,6 +5,7 @@
 
 case $1 in
 start)
+	/usr/sbin/unbound-anchor
 	/usr/sbin/unbound
 	;;
 stop)