diff options
| author | schmonz <schmonz@pkgsrc.org> | 2014-12-06 09:41:04 +0000 |
|---|---|---|
| committer | schmonz <schmonz@pkgsrc.org> | 2014-12-06 09:41:04 +0000 |
| commit | 04270faa5909c17b5a5890905b80b53fc41ae33a (patch) | |
| tree | d0c1f76458982735d900875a480cf94949d78f16 | |
| parent | 4d3fabbd16fec8f248324946a9f9c47471e3e7c7 (diff) | |
| download | pkgsrc-04270faa5909c17b5a5890905b80b53fc41ae33a.tar.gz | |
On rebooting a Xen VPS, dnscache said it started, but failed to
respond to queries and wrote nothing to the logs. This would have
been more fun to debug if my production system hadn't been relying
on it for name resolution. The problem was a blocking read from
/dev/random.
I'm the one who put that there, over 10 years ago. Do we need it?
From my reading of <http://cr.yp.to/djbdns/dnscache-conf.html> and
dnscache-conf.c, the seed needn't consist of top-notch randomness.
A sysadmin following DJB to the letter (rather than using this
djbdns-run package) would run dnscache-conf once to configure a
dnscache instance. dnscache-conf would cook 128 bytes of randomness
-- without direct assistance from any kernel device -- and write
it to a file. dnscache would read the same file on every startup.
Therefore, we...
1. Generate a random seed iff it doesn't exist (not on every startup)
2. Generate it from /dev/urandom instead of /dev/random
...so that the configuration we generate more nearly matches that of
DJB's documented procedure, and the kind of problem I encountered
is much more difficult to trigger.
While here, add LICENSE (2-clause-bsd) and otherwise placate pkglint.
Bump version.
| -rw-r--r-- | net/djbdns-run/Makefile | 6 | ||||
| -rw-r--r-- | net/djbdns-run/files/dnscache.sh | 11 |
2 files changed, 13 insertions, 4 deletions
diff --git a/net/djbdns-run/Makefile b/net/djbdns-run/Makefile index 40445a9def4..a19e5ed3335 100644 --- a/net/djbdns-run/Makefile +++ b/net/djbdns-run/Makefile @@ -1,13 +1,14 @@ -# $NetBSD: Makefile,v 1.23 2014/10/09 14:06:44 wiz Exp $ +# $NetBSD: Makefile,v 1.24 2014/12/06 09:41:04 schmonz Exp $ # -DISTNAME= djbdns-run-20140415 +DISTNAME= djbdns-run-20141206 CATEGORIES= net MASTER_SITES= # empty DISTFILES= # empty MAINTAINER= schmonz@NetBSD.org COMMENT= Configures djbdns to cache and serve queries +LICENSE= 2-clause-bsd DEPENDS_DJBDNS= djbdns>=1.05nb5:../../net/djbdns DEPENDS+= ${DEPENDS_DJBDNS} @@ -16,6 +17,7 @@ DEPENDS+= ucspi-tcp-[0-9]*:../../net/ucspi-tcp WRKSRC= ${WRKDIR} NO_BUILD= yes +NO_CHECKSUM= yes MAKE_DIRS+= ${PKG_SYSCONFDIR}/axfrdns MAKE_DIRS+= ${PKG_SYSCONFDIR}/dnscache/ip diff --git a/net/djbdns-run/files/dnscache.sh b/net/djbdns-run/files/dnscache.sh index f35aebe6d7d..e74dacd148e 100644 --- a/net/djbdns-run/files/dnscache.sh +++ b/net/djbdns-run/files/dnscache.sh @@ -1,6 +1,6 @@ #!@RCD_SCRIPTS_SHELL@ # -# $NetBSD: dnscache.sh,v 1.5 2014/04/15 23:07:21 schmonz Exp $ +# $NetBSD: dnscache.sh,v 1.6 2014/12/06 09:41:04 schmonz Exp $ # # @PKGNAME@ script to control dnscache (caching DNS resolver) # @@ -36,7 +36,14 @@ dnscache_precmd() if [ -f /etc/rc.subr ]; then checkyesno dnscache_log || dnscache_logcmd=${dnscache_nologcmd} fi - command="@SETENV@ - ${dnscache_postenv} ROOT=@PKG_SYSCONFDIR@/dnscache IP=${dnscache_ip} IPSEND=${dnscache_ipsend} CACHESIZE=${dnscache_size} @LOCALBASE@/bin/envuidgid dnscache @LOCALBASE@/bin/softlimit -o250 -d ${dnscache_datalimit} @LOCALBASE@/bin/dnscache </dev/random 2>&1 | @LOCALBASE@/bin/setuidgid dnslog ${dnscache_logcmd}" + if [ ! -f @PKG_SYSCONFDIR@/dnscache/seed ]; then + old_umask=$(umask) + umask 066 + dd if=/dev/urandom bs=128 count=1 of=@PKG_SYSCONFDIR@/dnscache/seed + umask ${old_umask} + fi + required_files="${required_files} @PKG_SYSCONFDIR@/dnscache/seed" + command="@SETENV@ - ${dnscache_postenv} ROOT=@PKG_SYSCONFDIR@/dnscache IP=${dnscache_ip} IPSEND=${dnscache_ipsend} CACHESIZE=${dnscache_size} @LOCALBASE@/bin/envuidgid dnscache @LOCALBASE@/bin/softlimit -o250 -d ${dnscache_datalimit} @LOCALBASE@/bin/dnscache <@PKG_SYSCONFDIR@/dnscache/seed 2>&1 | @LOCALBASE@/bin/setuidgid dnslog ${dnscache_logcmd}" command_args="&" rc_flags="" } |