a proper & complete bind port will show up.
discussed with many for years
-# $OpenBSD: Makefile,v 1.388 2014/07/23 11:49:06 reyk Exp $
+# $OpenBSD: Makefile,v 1.389 2014/08/22 19:19:25 deraadt Exp $
TZDIR= /usr/share/zoneinfo
LOCALTIME= Canada/Mountain
RCDAEMONS= amd apmd bgpd bootparamd cron dhcpd dhcrelay dvmrpd \
ftpd ftpproxy hostapd hotplugd httpd identd ifstated iked \
inetd isakmpd ldapd npppd ldattach ldpd lpd mopd mrouted \
- named nginx nsd ntpd ospfd ospf6d portmap pflogd rarpd rbootd \
+ nginx nsd ntpd ospfd ospf6d portmap pflogd rarpd rbootd \
relayd ripd route6d rtadvd rtsold sasyncd sendmail \
sensorsd slowcgi smtpd snmpd spamd sshd syslogd watchdogd \
wsmoused xdm ypbind ypldap yppasswdd ypserv nfsd mountd lockd \
cd systrace; \
${INSTALL} -c -o root -g wheel -m 600 usr_sbin_lpd \
${DESTDIR}/etc/systrace; \
- ${INSTALL} -c -o root -g wheel -m 600 usr_sbin_named \
- ${DESTDIR}/etc/systrace
- cd bind; \
- ${INSTALL} -c -o root -g named -m 640 named-simple.conf \
- ${DESTDIR}/var/named/etc/named.conf; \
- ${INSTALL} -c -o root -g named -m 640 named-*.conf \
- ${DESTDIR}/var/named/etc; \
- ${INSTALL} -c -o root -g wheel -m 644 root.hint \
- ${DESTDIR}/var/named/etc; \
- ${INSTALL} -c -o root -g wheel -m 644 db.localhost \
- ${DESTDIR}/var/named/standard/localhost; \
- ${INSTALL} -c -o root -g wheel -m 644 db.loopback \
- ${DESTDIR}/var/named/standard/loopback; \
- ${INSTALL} -c -o root -g wheel -m 644 db.loopback6.arpa \
- ${DESTDIR}/var/named/standard/loopback6.arpa
ln -fs ${TZDIR}/${LOCALTIME} ${DESTDIR}/etc/localtime
ln -fs /usr/sbin/rmt ${DESTDIR}/etc/rmt
${INSTALL} -c -o root -g wheel -m 644 minfree \
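Review bot: With the `usr_sbin_named` and `cd bind` installs removed, the surviving context line `${DESTDIR}/etc/systrace; \` still ends in a shell continuation, so as this page shows it the `ln -fs ${TZDIR}/${LOCALTIME} ${DESTDIR}/etc/localtime` line is now appended to the `cd systrace; ...` command rather than running as its own recipe line. It happens to work because every path involved is absolute, but it is fragile (a relative DESTDIR would resolve under etc/systrace) and misleading to read; the line should become `${DESTDIR}/etc/systrace` with the `; \` dropped. The rest of the install recipe continues outside this hunk, so I cannot confirm whether a later line already compensates.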
+++ /dev/null
-; $OpenBSD: db.localhost,v 1.4 2008/01/03 21:20:25 jakob Exp $
-
-$ORIGIN localhost.
-$TTL 6h
-
-@ IN SOA localhost. root.localhost. (
- 1 ; serial
- 1h ; refresh
- 30m ; retry
- 7d ; expiration
- 1h ) ; minimum
-
- NS localhost.
- A 127.0.0.1
- AAAA ::1
+++ /dev/null
-; $OpenBSD: db.loopback,v 1.4 2008/01/03 21:20:25 jakob Exp $
-
-$ORIGIN 127.in-addr.arpa.
-$TTL 6h
-
-@ IN SOA localhost. root.localhost. (
- 1 ; serial
- 1h ; refresh
- 30m ; retry
- 7d ; expiration
- 1h ) ; minimum
-
- NS localhost.
-1.0.0 PTR localhost.
+++ /dev/null
-; $OpenBSD: db.loopback6.arpa,v 1.5 2009/11/02 21:12:56 jakob Exp $
-
-$ORIGIN 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
-$TTL 6h
-
-@ IN SOA localhost. root.localhost. (
- 1 ; serial
- 1h ; refresh
- 30m ; retry
- 7d ; expiration
- 1h ) ; minimum
-
- NS localhost.
- PTR localhost.
+++ /dev/null
-// $OpenBSD: named-dual.conf,v 1.11 2009/11/02 21:12:56 jakob Exp $
-//
-// Example file for a named configuration with dual views,
-// one processing recursive queries only and one processing
-// authoritative-only queries.
-
-
-// Update this list to include only the networks for which you want
-// to execute recursive queries. The default setting allows all hosts
-// on any IPv4 networks for which the system has an interface, and
-// the IPv6 localhost address.
-//
-acl clients {
- localnets;
- ::1;
-};
-
-options {
- version ""; // remove this to allow version queries
-
- listen-on { any; };
- listen-on-v6 { any; };
-
- empty-zones-enable yes;
-};
-
-logging {
- category lame-servers { null; };
-};
-
-view "recursive" {
- match-clients { clients; };
- match-recursive-only yes;
- allow-recursion { clients; };
-
- zone "." {
- type hint;
- file "etc/root.hint";
- };
-
- zone "localhost" {
- type master;
- file "standard/localhost";
- allow-transfer { localhost; };
- };
-
- zone "127.in-addr.arpa" {
- type master;
- file "standard/loopback";
- allow-transfer { localhost; };
- };
-
- zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
- type master;
- file "standard/loopback6.arpa";
- allow-transfer { localhost; };
- };
-};
-
-view "authoritative" {
- recursion no;
- additional-from-auth no;
- additional-from-cache no;
-
- // Master zones
- //
- //zone "myzone.net" {
- // type master;
- // file "master/myzone.net";
- //};
-
- // Slave zones
- //
- //zone "otherzone.net" {
- // type slave;
- // file "slave/otherzone.net";
- // masters { 192.168.1.10; [...;] };
- //};
-};
+++ /dev/null
-// $OpenBSD: named-simple.conf,v 1.10 2009/11/02 21:12:56 jakob Exp $
-//
-// Example file for a simple named configuration, processing both
-// recursive and authoritative queries using one cache.
-
-
-// Update this list to include only the networks for which you want
-// to execute recursive queries. The default setting allows all hosts
-// on any IPv4 networks for which the system has an interface, and
-// the IPv6 localhost address.
-//
-acl clients {
- localnets;
- ::1;
-};
-
-options {
- version ""; // remove this to allow version queries
-
- listen-on { any; };
- listen-on-v6 { any; };
-
- empty-zones-enable yes;
-
- allow-recursion { clients; };
-};
-
-logging {
- category lame-servers { null; };
-};
-
-// Standard zones
-//
-zone "." {
- type hint;
- file "etc/root.hint";
-};
-
-zone "localhost" {
- type master;
- file "standard/localhost";
- allow-transfer { localhost; };
-};
-
-zone "127.in-addr.arpa" {
- type master;
- file "standard/loopback";
- allow-transfer { localhost; };
-};
-
-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
- type master;
- file "standard/loopback6.arpa";
- allow-transfer { localhost; };
-};
-
-
-// Master zones
-//
-//zone "myzone.net" {
-// type master;
-// file "master/myzone.net";
-//};
-
-// Slave zones
-//
-//zone "otherzone.net" {
-// type slave;
-// file "slave/otherzone.net";
-// masters { 192.0.2.1; [...;] };
-//};
+++ /dev/null
-; $OpenBSD: root.hint,v 1.10 2013/01/03 18:37:19 gonzalo Exp $
-;
-; This file holds the information on root name servers needed to
-; initialize cache of Internet domain name servers
-; (e.g. reference this file in the "cache . <file>"
-; configuration file of BIND domain name servers).
-;
-; This file is made available by InterNIC
-; under anonymous FTP as
-; file /domain/named.cache
-; on server FTP.INTERNIC.NET
-; -OR- RS.INTERNIC.NET
-;
-; last update: Jan 3, 2013
-; related version of root zone: 2013010300
-;
-; formerly NS.INTERNIC.NET
-;
-. 3600000 IN NS A.ROOT-SERVERS.NET.
-A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
-A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:BA3E::2:30
-;
-; FORMERLY NS1.ISI.EDU
-;
-. 3600000 NS B.ROOT-SERVERS.NET.
-B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
-;
-; FORMERLY C.PSI.NET
-;
-. 3600000 NS C.ROOT-SERVERS.NET.
-C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
-;
-; FORMERLY TERP.UMD.EDU
-;
-. 3600000 NS D.ROOT-SERVERS.NET.
-D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
-D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2D::D
-;
-; FORMERLY NS.NASA.GOV
-;
-. 3600000 NS E.ROOT-SERVERS.NET.
-E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
-;
-; FORMERLY NS.ISC.ORG
-;
-. 3600000 NS F.ROOT-SERVERS.NET.
-F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
-F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2F::F
-;
-; FORMERLY NS.NIC.DDN.MIL
-;
-. 3600000 NS G.ROOT-SERVERS.NET.
-G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
-;
-; FORMERLY AOS.ARL.ARMY.MIL
-;
-. 3600000 NS H.ROOT-SERVERS.NET.
-H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
-H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::803F:235
-;
-; FORMERLY NIC.NORDU.NET
-;
-. 3600000 NS I.ROOT-SERVERS.NET.
-I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
-I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FE::53
-;
-; OPERATED BY VERISIGN, INC.
-;
-. 3600000 NS J.ROOT-SERVERS.NET.
-J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
-J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:C27::2:30
-;
-; OPERATED BY RIPE NCC
-;
-. 3600000 NS K.ROOT-SERVERS.NET.
-K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
-K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FD::1
-;
-; OPERATED BY ICANN
-;
-. 3600000 NS L.ROOT-SERVERS.NET.
-L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
-L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:3::42
-;
-; OPERATED BY WIDE
-;
-. 3600000 NS M.ROOT-SERVERS.NET.
-M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
-M.ROOT-SERVERS.NET. 3600000 AAAA 2001:DC3::35
-; End of File
-# $OpenBSD: changelist,v 1.98 2014/07/22 21:01:58 ajacoutot Exp $
+# $OpenBSD: changelist,v 1.99 2014/08/22 19:19:25 deraadt Exp $
#
# List of files which the security script backs up and checks
# for modifications.
/var/cron/cron.allow
/var/cron/cron.deny
/var/cron/tabs/root
-/var/named/etc/named.conf
-+/var/named/etc/rndc.key
-/var/named/etc/root.hint
-/var/named/standard/localhost
-/var/named/standard/loopback
-/var/named/standard/loopback6.arpa
/var/nsd/etc/nsd.conf
/var/unbound/etc/root.key
/var/unbound/etc/unbound.conf
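Review bot: Dropping `/var/named/etc/named.conf` and `+/var/named/etc/rndc.key` here means security(8) stops backing up and diffing those files, yet on upgraded systems the whole `/var/named` tree, including the rndc shared secret that the old rc make_keys() generated, stays on disk because removing the mtree entries does not delete existing files. Until an administrator removes that tree by hand, a modification to the leftover config or key is no longer reported. It would be worth stating in the upgrade notes (not visible here) that `/var/named` should be removed after upgrading, and that the forthcoming port will keep its configuration elsewhere and needs its own changelist entries.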
www:*:67:
_isakmpd:*:68:
network:*:69:
-named:*:70:
proxy:*:71:
authpf:*:72:
_syslogd:*:73:
#
-# $OpenBSD: aliases,v 1.45 2014/06/06 16:46:43 gilles Exp $
+# $OpenBSD: aliases,v 1.46 2014/08/22 19:19:25 deraadt Exp $
#
# Aliases in this file will NOT be expanded in the header from
# Mail, but WILL be visible over networks or from /usr/libexec/mail.local.
_x11: /dev/null
_ypldap: /dev/null
bin: /dev/null
-named: /dev/null
nobody: /dev/null
proxy: /dev/null
smmsp: /dev/null
uucp:*:66:1::0:0:UNIX-to-UNIX Copy:/var/spool/uucppublic:/sbin/nologin
www:*:67:67::0:0:HTTP Server:/var/www:/sbin/nologin
_isakmpd:*:68:68::0:0:isakmpd privsep:/var/empty:/sbin/nologin
-named:*:70:70::0:0:BIND Name Service Daemon:/var/named:/sbin/nologin
proxy:*:71:71::0:0:Proxy Services:/nonexistent:/sbin/nologin
_syslogd:*:73:73::0:0:Syslog Daemon:/var/empty:/sbin/nologin
_pflogd:*:74:74::0:0:pflogd privsep:/var/empty:/sbin/nologin
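Review bot: Removing the `named:*:70:70::0:0:BIND Name Service Daemon:/var/named:/sbin/nologin` entry (together with the `named:*:70:` group line) frees uid/gid 70 in the base id range, while upgraded systems keep `/var/named` with files such as `etc/rndc.key` installed root:named 0640 and `slave`/`tmp` directories group-writable by gid 70. Any future base account that is assigned id 70 would silently inherit group access to that leftover key, config and writable directories. I would either document in the upgrade notes that the named user and group and the `/var/named` tree must be deleted manually, or keep id 70 reserved with a comment so it is not handed to another daemon.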
-# $OpenBSD: 4.4BSD.dist,v 1.261 2014/07/18 18:20:42 deraadt Exp $
+# $OpenBSD: 4.4BSD.dist,v 1.262 2014/08/22 19:19:25 deraadt Exp $
/set type=dir uname=root gname=wheel mode=0755
mail
..
- # ./var/named
- named
- etc uname=root gname=named mode=0750
- ..
- master
- ..
- slave uname=root gname=named mode=0775
- ..
- standard
- ..
- tmp uname=root gname=named mode=0775
- ..
- ..
-
# ./var/nsd
nsd
db uname=root gname=_nsd mode=0775
-# $OpenBSD: rc,v 1.439 2014/08/17 14:43:34 ajacoutot Exp $
+# $OpenBSD: rc,v 1.440 2014/08/22 19:19:25 deraadt Exp $
# System startup script run by init on autoboot
# or after single-user.
make_keys()
{
- if [ X"${named_flags}" != X"NO" ]; then
- if ! cmp -s /etc/rndc.key /var/named/etc/rndc.key ; then
- echo -n "rndc-confgen: generating shared secret... "
- if rndc-confgen -a -t /var/named >/dev/null 2>&1; then
- chmod 0640 /var/named/etc/rndc.key \
- >/dev/null 2>&1
- echo done.
- else
- echo failed.
- fi
- fi
- fi
-
if [ ! -f /etc/isakmpd/private/local.key ]; then
echo -n "openssl: generating isakmpd/iked RSA key... "
if openssl genrsa -out /etc/isakmpd/private/local.key 2048 \
make_keys
echo -n 'starting early daemons:'
-start_daemon syslogd ldattach pflogd named nsd unbound ntpd
+start_daemon syslogd ldattach pflogd nsd unbound ntpd
start_daemon iscsid isakmpd iked sasyncd ldapd npppd
echo '.'
-# $OpenBSD: rc.conf,v 1.195 2014/07/22 17:37:16 reyk Exp $
+# $OpenBSD: rc.conf,v 1.196 2014/08/22 19:19:25 deraadt Exp $
# DO NOT EDIT THIS FILE!!
#
bootparamd_flags=NO # for normal use: ""
rbootd_flags=NO # for normal use: ""
sshd_flags= # for normal use: ""
-named_flags=NO # for normal use: ""
nsd_flags=NO # for normal use: "-c /var/nsd/etc/nsd.conf"
unbound_flags=NO # for normal use: "-c /var/unbound/etc/unbound.conf"
ldattach_flags=NO # for normal use: "[options] linedisc cua-device"
+++ /dev/null
-#!/bin/sh
-#
-# $OpenBSD: named,v 1.1 2011/07/06 18:55:36 robert Exp $
-
-daemon="/usr/sbin/named"
-
-. /etc/rc.d/rc.subr
-
-pexp="named: \[priv\]"
-
-rc_cmd $1
+++ /dev/null
-# $OpenBSD: usr_sbin_named,v 1.8 2014/07/20 04:29:07 deraadt Exp $
-#
-# Policy for named that uses named user and chroots to /var/named
-# This policy works for the default configuration of named.
-#
-Policy: /usr/sbin/named, Emulation: native
- native-__sysctl: permit
- native-accept: permit
- native-bind: sockaddr match "inet-*:0" then permit
- native-bind: sockaddr match "inet-*:53" then permit
- native-bind: sockaddr match "inet-*:953" then permit
- native-break: permit
- native-chdir: filename eq "/" then permit
- native-chroot: filename eq "/var/named" then permit
- native-close: permit
- native-closefrom: permit
- native-connect: sockaddr match "inet-*" then permit
- native-dup2: permit
- native-exit: permit
- native-fcntl: permit
- native-fork: permit
- native-fsread: filename sub "<non-existent filename>" then deny[enoent]
- native-fsread: filename eq "/etc/malloc.conf" then permit
- native-fsread: filename eq "/dev/arandom" then permit
- native-fsread: filename eq "/etc/group" then permit
- native-fsread: filename eq "/etc/named.conf" then permit
- native-fsread: filename eq "/etc/named.keys" then permit
- native-fsread: filename eq "/etc/pwd.db" then permit
- native-fsread: filename eq "/etc/rndc.key" then permit
- native-fsread: filename eq "/etc/root.hint" then permit
- native-fsread: filename eq "/etc/spwd.db" then deny[eperm]
- native-fsread: filename match "/master" then permit
- native-fsread: filename match "/slave" then permit
- native-fsread: filename match "/standard" then permit
- native-fsread: filename match "/usr/lib" then permit
- native-fsread: filename eq "/usr/libexec/ld.so" then permit
- native-fsread: filename match "/usr/share/nls" then permit
- native-fsread: filename match "/usr/share/zoneinfo" then permit
- native-fsread: filename eq "/var/run/ld.so.hints" then permit
- native-fsread: filename eq "/var/run/named.pid" then permit
- native-fstat: permit
- native-fswrite: filename sub "<non-existent filename>" then deny[enoent]
- native-fswrite: filename eq "/dev/null" then permit
- native-fswrite: filename match "/master/*" then permit
- native-fswrite: filename match "/slave/*" then permit
- native-fswrite: filename eq "/var/run/named.pid" then permit
- native-fswrite: filename match "/var/tmp/*" then permit
- native-fsync: permit
- native-getentropy: permit
- native-getpid: permit
- native-getppid: permit
- native-getrlimit: permit
- native-getsockname: permit
- native-getsockopt: permit
- native-gettimeofday: permit
- native-getuid: permit
- native-geteuid: permit
- native-issetugid: permit
- native-kill: permit
- native-listen: permit
- native-lseek: permit
- native-minherit: permit
- native-mmap: permit
- native-mprotect: permit
- native-mquery: permit
- native-munmap: permit
- native-nanosleep: permit
- native-pipe: permit
- native-pread: permit
- native-read: permit
- native-recvmsg: permit
- native-rename: filename match "/slave/*" and filename[1] match "/slave/*" then permit
- native-select: permit
- native-sendmsg: permit
- native-sendsyslog: permit
- native-sendto: true then permit
- native-setegid: gid eq "70" then permit
- native-seteuid: uid eq "70" and uname eq "named" then permit
- native-setgid: gid eq "70" then permit
- native-setgroups: permit
- native-setresgid: permit
- native-setresuid: permit
- native-setrlimit: permit
- native-setsid: permit
- native-setsockopt: permit
- native-setuid: uid eq "70" and uname eq "named" then permit
- native-sigaction: permit
- native-sigprocmask: permit
- native-sigreturn: permit
- native-socket: permit
- native-socketpair: permit
- native-utimes: permit
- native-wait4: permit
- native-write: permit