net-dns/unbound: Version bump

Package-Manager: portage-2.2.26

net-dns/unbound/Manifest

@@ -0,0 +1,11 @@
+AUX 0001-fix-fail-to-start-on-Linux-LTS-3.14.X-ignore.patch 2032 SHA256 b5312b80a37501198345214a7eeaf589340ab698dc3390e3addb146c35f2e9b6 SHA512 1a28fca9fa39cf4c07e2f9b75058ca1d00a176ab4f0b96130fbe4773f503f39f7f16518e82f58d289001dd468e53e54f1e208e99eec713fda0efd35517c4bcb3 WHIRLPOOL 7f630f1c7b0be788a4a288501fb47065b31a8afb9b4d462122e01c01f7be9f8575aa141502fc83d57c6f330a0d8a3f8423489452f878fb6314868c6e2586204c
+AUX unbound-1.4.12-gentoo.patch 639 SHA256 8223261764f067355a5c013b2c8b13384480c91782fc42ae339dcc8bed843448 SHA512 81292d898284c27e0b30a90816d283d2fffd5810afb38b5a79ff4acc94d82c91bd5414d177f11745c5ee7e56d1600a67bdc4d7395504ff6266103b4e018baf6c WHIRLPOOL 29fb59e16d8f3f4e4d6029f2b3ec6dfd3665c366f3842b318a80b5721a9770b7fd47ad5e0169ab9539f87ed49d03a282f47507754c09cf17ea0d99705f1860c0
+AUX unbound-1.5.8-trust-anchor-file.patch 632 SHA256 787630b5111e70daa7f6fe2c9a8c8524b94c1ee51b5f2c045cee4e4db778cfe6 SHA512 fe9cb259a17452ab84df98eb8caaaa389e40e149e4de6f1245e78c350d1c6af42d1b094be6779ec19ce5ea11f86e102ae9767c8785d54cfa9746390c73e0f329 WHIRLPOOL 8b044dc717461a8d321394d7668fbd338e957cd3f8dc3e0bb2c4e5b90b8ab83e349edc4a1955080d0724585f8fbe535a4edb5a943e6e36c8188c770b6d215fe5
+AUX unbound-anchor.service 263 SHA256 cbb233e37b5136ab089a909472bfb0b58185f138df974a8abc9121d86cf2ba17 SHA512 c0f8ff2df106d1f05786cf5d69b48cdf69ba2fd42645bf6b7fa2d34d6c3fdd1608fb470c4fb0216164386e8b22977292ae8932c784a6967774e3daae1b8aeb95 WHIRLPOOL 0fa95e2d8113f9940b89c3c26194b37ab99a85f7ffb699240e6bad32213565c614a4f41d88e08d4b0a15e5a8b0b6a81a029d0f8dac9f7b36763ed3c5b18b0b05
+AUX unbound.confd 171 SHA256 7da812ef83f8f8b9351363525ab6bebd5348faed76d0ae424dcbd7cb6a830dfd SHA512 e3e4c7f97c13d133724417a70e4f20dac6f1f4b5a4e2e573c410148059d9f722589249b3dd4668069d4e324abef60f5981f20b1797623f37db9c9422410dc13f WHIRLPOOL d88c7542891ea7420253598c1fb94982a01d378aacf26a75c28650acc6f0093f526e0fab51f8e1b60681809bd253f765f8f73aa205bef5c4949766861f410ca5
+AUX unbound.initd 1376 SHA256 49d23cf94027f0e3ccb5fbc7fb7f1b609972a4abe1ec14fd595495c90d2c325c SHA512 3f12762336218054592edc20e0e0c4848ebde02a9a43852b9ad25feb9f65229217d393f005f011b8acd608710c9d343a60715fa92afc4d3788b3a01003a19468 WHIRLPOOL 335216dce51fd0ee53237985b113ba23e400f30bfa1ca027dc2f1ab0b70ae57c18b48ddc40165050a69dc428936093c110259c504ff306e99d342b66f0fba52b
+AUX unbound.service 247 SHA256 6c12373b61f136edd95bea3dc6b7f56499de83aae7c925aee30e6db99051d72d SHA512 7904225d0e9fb3ea5b97521ed24f24fcc4db650cfff8523b896ddd9edfccbd61e817775ad0449acf30d02dba5f714d633b60cace6010d472f438df7c22381dfc WHIRLPOOL c156a2b96e1c1a6d787ee7c143b8c5cd8bf00b9e8cb00f90a5113ecd502f4d5fa2f0249debd10ef7f15d38d33f5d1c9ac4c15c61485f227fa70cd42af696ee3d
+AUX unbound_at.service 304 SHA256 6d8dfaf740f47af87bf521e871d824aefa10c702f724ae57998656b443fb8675 SHA512 71bd8c422ffe57e448b66f97775075a407671757266d40294a670b41cd1a59f16b65488d30aa74b79b7536f0c4c50adb56e32377e8029fd6c327b85c022c5fe3 WHIRLPOOL c304eec4a9293b92499b6895c57b7553a3d0247a00eed7f8299f4d0b2b7d24a33ca383125270b0616d826f71fa5e800e1a0b32c38316f03d806a2399dfb3cbcd
+DIST unbound-1.5.8.tar.gz 4895649 SHA256 33567a20f73e288f8daa4ec021fbb30fe1824b346b34f12677ad77899ecd09be SHA512 0c296a2e5489fae0fdf0ca2ea11ed72f00498c8499f38f308ff32078665d980a2d5a80ee0e106273dc13a146611a238553857c5f301fe9622072382c06b8434a WHIRLPOOL ca977c88e5dcca80d11a3cf769e002f61b8c6145dea2a79a9d0c142396ff2f19b3452546627ced79e9af74fed3ac2ff72ca9f6fc2395e477076959fef77bd3b1
+EBUILD unbound-1.5.8.ebuild 3467 SHA256 2864cc5a8aee1e8da9b9c0724b6fd7e595b8dd12d009d1857364257b46bf566e SHA512 338133be939c1aaf0d39fc982982b7cec005f03ba680f54f7a26277d81833d90278e3f8952db7f2d3f3581c566a4903e97954c5eaffb2a045d160e2cdf325b63 WHIRLPOOL fab1f5db7e880a1c24e601b8abafa7aaa80801a9d4fff27aaac701d0c37325821bab68d9baa14412e84957bfc324760724b0893812431a958f58fd1dcf26fcaa
+MISC metadata.xml 1260 SHA256 95e9490993cbd5abdf216a83b0d8de7ca9c5ca31deb3af79f639733cddd9e47c SHA512 3bdf0fcfc7e4daf4c79a10a68067e2d271f3f8abc92ee29ddb817a77c0a5206a4215661757cf5bbc019f191453508b4e58835c4384f64994ce700172a3f2c2c8 WHIRLPOOL 1115a5634b3e6ac004449c756570fd1bda61bad3799a3c0c200efe0e582c95019deaf60ef43dd26f129592fb6530be9da751faa8406305eec622a89045799a6b

net-dns/unbound/files/0001-fix-fail-to-start-on-Linux-LTS-3.14.X-ignore.patch

@@ -0,0 +1,72 @@
+From 858da540f70a4411ad8fbe7144cef6ce9da18f89 Mon Sep 17 00:00:00 2001
+From: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
+Date: Mon, 5 Jan 2015 13:51:22 +0000
+Subject: [PATCH] - Fix #634: fix fail to start on Linux LTS 3.14.X, ignores
+ missing   IP_MTU_DISCOVER OMIT option.
+
+--- a/services/listen_dnsport.c
++++ b/services/listen_dnsport.c
+@@ -368,29 +368,47 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
+  * (and also uses the interface mtu to determine the size of the packets).
+  * So there won't be any EMSGSIZE error.  Against DNS fragmentation attacks.
+  * FreeBSD already has same semantics without setting the option. */
+-#    if defined(IP_PMTUDISC_OMIT)
+-		int action = IP_PMTUDISC_OMIT;
+-#    else
+-		int action = IP_PMTUDISC_DONT;
+-#    endif
++		int omit_set = 0;
++		int action;
++#   if defined(IP_PMTUDISC_OMIT)
++		action = IP_PMTUDISC_OMIT;
+ 		if (setsockopt(s, IPPROTO_IP, IP_MTU_DISCOVER, 
+ 			&action, (socklen_t)sizeof(action)) < 0) {
+-			log_err("setsockopt(..., IP_MTU_DISCOVER, "
+-#    if defined(IP_PMTUDISC_OMIT)
+-				"IP_PMTUDISC_OMIT"
++
++			if (errno != EINVAL) {
++				log_err("setsockopt(..., IP_MTU_DISCOVER, IP_PMTUDISC_OMIT...) failed: %s",
++					strerror(errno));
++
++#    ifndef USE_WINSOCK
++				close(s);
+ #    else
+-				"IP_PMTUDISC_DONT"
++				closesocket(s);
+ #    endif
+-				"...) failed: %s",
+-				strerror(errno));
++				*noproto = 0;
++				*inuse = 0;
++				return -1;
++			}
++		}
++		else
++		{
++		    omit_set = 1;
++		}
++#   endif
++		if (omit_set == 0) {
++   			action = IP_PMTUDISC_DONT;
++			if (setsockopt(s, IPPROTO_IP, IP_MTU_DISCOVER,
++				&action, (socklen_t)sizeof(action)) < 0) {
++				log_err("setsockopt(..., IP_MTU_DISCOVER, IP_PMTUDISC_DONT...) failed: %s",
++					strerror(errno));
+ #    ifndef USE_WINSOCK
+-			close(s);
++				close(s);
+ #    else
+-			closesocket(s);
++				closesocket(s);
+ #    endif
+-			*noproto = 0;
+-			*inuse = 0;
+-			return -1;
++				*noproto = 0;
++				*inuse = 0;
++				return -1;
++			}
+ 		}
+ #  elif defined(IP_DONTFRAG)
+ 		int off = 0;

net-dns/unbound/files/unbound-1.4.12-gentoo.patch

@@ -0,0 +1,12 @@
+diff -Naur unbound-1.4.12.orig/doc/example.conf.in unbound-1.4.12/doc/example.conf.in
+--- unbound-1.4.12.orig/doc/example.conf.in	2011-07-14 17:33:37.000000000 +0900
++++ unbound-1.4.12/doc/example.conf.in	2011-07-16 10:01:06.644402341 +0900
+@@ -334,7 +334,7 @@
+ 	# with several entries, one file per entry.
+ 	# Zone file format, with DS and DNSKEY entries.
+ 	# Note this gets out of date, use auto-trust-anchor-file please.
+-	# trust-anchor-file: ""
++	# trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
+ 	
+ 	# Trusted key for validation. DS or DNSKEY. specify the RR on a
+ 	# single line, surrounded by "". TTL is ignored. class is IN default.

net-dns/unbound/files/unbound-1.5.8-trust-anchor-file.patch

@@ -0,0 +1,12 @@
+diff -ur unbound-1.5.7.orig/doc/example.conf.in unbound-1.5.7/doc/example.conf.in
+--- unbound-1.5.7.orig/doc/example.conf.in	2015-12-10 08:59:18.000000000 +0100
++++ unbound-1.5.7/doc/example.conf.in	2016-01-05 04:08:01.666760015 +0100
+@@ -378,7 +378,7 @@
+ 	# with several entries, one file per entry.
+ 	# Zone file format, with DS and DNSKEY entries.
+ 	# Note this gets out of date, use auto-trust-anchor-file please.
+-	# trust-anchor-file: ""
++	# trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
+ 
+ 	# Trusted key for validation. DS or DNSKEY. specify the RR on a
+ 	# single line, surrounded by "". TTL is ignored. class is IN default.

net-dns/unbound/files/unbound-anchor.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Update of the root trust anchor for DNSSEC validation
+After=network.target
+Before=nss-lookup.target
+Wants=nss-lookup.target
+Before=unbound.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/unbound-anchor
+
+[Install]
+WantedBy=multi-user.target

net-dns/unbound/files/unbound.confd

@@ -0,0 +1,4 @@
+# Settings should normally not need any changes.
+
+# Location of the unbound configuration file. Leave empty for the default.
+#UNBOUND_CONFFILE="/etc/unbound/unbound.conf"

net-dns/unbound/files/unbound.initd

@@ -0,0 +1,56 @@
+#!/sbin/runscript
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+name="unbound daemon"
+extra_commands="configtest"
+extra_started_commands="reload"
+description="unbound is a Domain Name Server (DNS) that is used to resolve host names to IP address."
+description_configtest="Run syntax tests for configuration files only."
+description_reload="Kills all children and reloads the configuration."
+
+
+UNBOUND_BINARY=${UNBOUND_BINARY:-/usr/sbin/unbound}
+UNBOUND_CHECKCONF=${UNBOUND_CHECKCONF:-/usr/sbin/unbound-checkconf}
+UNBOUND_CONFFILE=${UNBOUND_CONFFILE:-/etc/unbound/${SVCNAME}.conf}
+
+depend() {
+	need net
+	use logger
+	provide dns
+	after auth-dns
+}
+
+checkconfig() {
+	UNBOUND_PIDFILE=$("${UNBOUND_CHECKCONF}" -o pidfile "${UNBOUND_CONFFILE}")
+	return $?
+}
+
+configtest() {
+	ebegin "Checking ${SVCNAME} configuration"
+	checkconfig
+	eend $?
+}
+
+start() {
+	checkconfig || return $?
+	ebegin "Starting ${SVCNAME}"
+	start-stop-daemon --start --pidfile "${UNBOUND_PIDFILE}" \
+		--exec "${UNBOUND_BINARY}" -- -c "${UNBOUND_CONFFILE}"
+	eend $?
+}
+
+stop() {
+	checkconfig || return $?
+	ebegin "Stopping ${SVCNAME}"
+	start-stop-daemon --stop --pidfile "${UNBOUND_PIDFILE}"
+	eend $?
+}
+
+reload() {
+	checkconfig || return $?
+	ebegin "Reloading ${SVCNAME}"
+	start-stop-daemon --signal HUP --pidfile "${UNBOUND_PIDFILE}"
+	eend $?
+}

net-dns/unbound/files/unbound.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Unbound recursive Domain Name Server
+After=network.target
+Before=nss-lookup.target
+Wants=nss-lookup.target
+
+[Service]
+ExecStartPre=/usr/sbin/unbound-checkconf
+ExecStart=/usr/sbin/unbound -d
+
+[Install]
+WantedBy=multi-user.target

net-dns/unbound/files/unbound_at.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Unbound recursive Domain Name Server
+After=network.target
+Before=nss-lookup.target
+Wants=nss-lookup.target
+
+[Service]
+Type=simple
+ExecStartPre=/usr/sbin/unbound-checkconf /etc/unbound/%i.conf
+ExecStart=/usr/sbin/unbound -d -c /etc/unbound/%i.conf
+
+[Install]
+WantedBy=multi-user.target

net-dns/unbound/metadata.xml

@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+  <maintainer type="person">
+    <email>mschiff@gentoo.org</email>
+    <name>Marc Schiffbauer</name>
+  </maintainer>
+  <maintainer type="person">
+    <email>nabeken@tknetworks.org</email>
+    <description>Proxied developer. Please CC on bugs.</description>
+    <name>TANABE Ken-ichi</name>
+  </maintainer>
+  <maintainer type="project">
+    <email>proxy-maint@gentoo.org</email>
+    <name>Proxy Maintainers</name>
+  </maintainer>
+  <longdescription lang="en">
+  Unbound is a validating, recursive, and caching DNS resolver.
+
+  The C implementation of Unbound is developed and maintained by NLnet
+  Labs. It is based on ideas and algorithms taken from a java prototype
+  developed by Verisign labs, Nominet, Kirei and ep.net.
+
+  Unbound is designed as a set of modular components, so that also
+  DNSSEC (secure DNS) validation and stub-resolvers (that do not run
+  as a server, but are linked into an application) are easily possible.
+  </longdescription>
+  <use>
+    <flag name="dnstap">Enable dnstap support</flag>
+	<flag name="ecdsa">Enable ECDSA support</flag>
+    <flag name="gost">Enable GOST support</flag>
+  </use>
+</pkgmetadata>

net-dns/unbound/unbound-1.5.8.ebuild

@@ -0,0 +1,125 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+PYTHON_COMPAT=( python2_7 )
+
+inherit eutils flag-o-matic multilib-minimal python-single-r1 systemd user
+
+MY_P=${PN}-${PV/_/}
+DESCRIPTION="A validating, recursive and caching DNS resolver"
+HOMEPAGE="http://unbound.net/"
+SRC_URI="http://unbound.net/downloads/${MY_P}.tar.gz"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~hppa ~mips ~ppc ~ppc64 ~x86"
+IUSE="debug dnstap +ecdsa gost libressl python selinux static-libs test threads"
+REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
+
+# Note: expat is needed by executable only but the Makefile is custom
+# and doesn't make it possible to easily install the library without
+# the executables. MULTILIB_USEDEP may be dropped once build system
+# is fixed.
+
+CDEPEND=">=dev-libs/expat-2.1.0-r3[${MULTILIB_USEDEP}]
+	>=dev-libs/libevent-2.0.21[${MULTILIB_USEDEP}]
+	libressl? ( >=dev-libs/libressl-2.2.4:0[${MULTILIB_USEDEP}] )
+	!libressl? ( >=dev-libs/openssl-1.0.1h-r2:0[${MULTILIB_USEDEP}] )
+	dnstap? (
+		dev-libs/fstrm[${MULTILIB_USEDEP}]
+		>=dev-libs/protobuf-c-1.0.2-r1[${MULTILIB_USEDEP}]
+	)
+	ecdsa? (
+		!libressl? ( dev-libs/openssl:0[-bindist] )
+	)
+	python? ( ${PYTHON_DEPS} )"
+
+DEPEND="${CDEPEND}
+	python? ( dev-lang/swig )
+	test? (
+		net-dns/ldns-utils[examples]
+		dev-util/splint
+		app-text/wdiff
+	)"
+
+RDEPEND="${CDEPEND}
+	selinux? ( sec-policy/selinux-bind )"
+
+# bug #347415
+RDEPEND="${RDEPEND}
+	net-dns/dnssec-root"
+
+S=${WORKDIR}/${MY_P}
+
+pkg_setup() {
+	enewgroup unbound
+	enewuser unbound -1 -1 /etc/unbound unbound
+
+	use python && python-single-r1_pkg_setup
+}
+
+src_prepare() {
+	# To avoid below error messages, set 'trust-anchor-file' to same value in
+	# 'auto-trust-anchor-file'.
+	# [23109:0] error: Could not open autotrust file for writing,
+	# /etc/dnssec/root-anchors.txt: Permission denied
+	epatch "${FILESDIR}"/${P}-trust-anchor-file.patch
+
+	# required for the python part
+	multilib_copy_sources
+}
+
+src_configure() {
+	[[ ${CHOST} == *-darwin* ]] || append-ldflags -Wl,-z,noexecstack
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	econf \
+		$(use_enable debug) \
+		$(use_enable gost) \
+		$(use_enable dnstap) \
+		$(use_enable ecdsa) \
+		$(use_enable static-libs static) \
+		$(multilib_native_use_with python pythonmodule) \
+		$(multilib_native_use_with python pyunbound) \
+		$(use_with threads pthreads) \
+		--disable-flto \
+		--disable-rpath \
+		--with-libevent="${EPREFIX}"/usr \
+		--with-pidfile="${EPREFIX}"/var/run/unbound.pid \
+		--with-rootkey-file="${EPREFIX}"/etc/dnssec/root-anchors.txt \
+		--with-ssl="${EPREFIX}"/usr \
+		--with-libexpat="${EPREFIX}"/usr
+
+		# http://unbound.nlnetlabs.nl/pipermail/unbound-users/2011-April/001801.html
+		# $(use_enable debug lock-checks) \
+		# $(use_enable debug alloc-checks) \
+		# $(use_enable debug alloc-lite) \
+		# $(use_enable debug alloc-nonregional) \
+}
+
+multilib_src_install_all() {
+	prune_libtool_files --modules
+	use python && python_optimize
+
+	newinitd "${FILESDIR}"/unbound.initd unbound
+	newconfd "${FILESDIR}"/unbound.confd unbound
+
+	systemd_dounit "${FILESDIR}"/unbound.service
+	systemd_newunit "${FILESDIR}"/unbound_at.service "unbound@.service"
+	systemd_dounit "${FILESDIR}"/unbound-anchor.service
+
+	dodoc doc/{README,CREDITS,TODO,Changelog,FEATURES}
+
+	# bug #315519
+	dodoc contrib/unbound_munin_
+
+	docinto selinux
+	dodoc contrib/selinux/*
+
+	exeinto /usr/share/${PN}
+	doexe contrib/update-anchor.sh
+}