From 5d8eb8cf1dd9cedcefd679a00d2ff66153be04b3 Mon Sep 17 00:00:00 2001
From: Petr Menšík <pemensik@redhat.com>
Date: Wed, 16 Aug 2017 22:47:09 +0200
Subject: Update named.ca, move named.conf out of config archive

---
 .gitignore |  1 +
 bind.spec  |  6 ++++--
 named.conf | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 sources    |  2 +-
 4 files changed, 63 insertions(+), 3 deletions(-)
 create mode 100644 named.conf

diff --git a/.gitignore b/.gitignore
index 0d58acc..c60a96d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -77,3 +77,4 @@ bind-9.7.2b1.tar.gz
 /bind-9.11.1-P3.tar.gz
 /bind-9.11.2b1.tar.gz
 /bind-9.11.2.tar.gz
+/config-17.tar.bz2
diff --git a/bind.spec b/bind.spec
index 450b032..42aac62 100644
--- a/bind.spec
+++ b/bind.spec
@@ -40,7 +40,8 @@ Source7:  bind-9.3.1rc1-sdb_tools-Makefile.in
 Source8:  dnszone.schema
 Source12: README.sdb_pgsql
 Source25: named.conf.sample
-Source28: config-16.tar.bz2
+Source26: named.conf
+Source28: config-17.tar.bz2
 Source30: ldap2zone.c
 Source31: ldap2zone.1
 Source32: named-sdb.8
@@ -671,6 +672,7 @@ touch ${RPM_BUILD_ROOT}%{_localstatedir}/log/named.log
 
 # configuration files:
 tar -C ${RPM_BUILD_ROOT} -xjf %{SOURCE28}
+install -m 640 %{SOURCE26} ${RPM_BUILD_ROOT}/etc/named.conf
 touch ${RPM_BUILD_ROOT}/etc/rndc.key
 touch ${RPM_BUILD_ROOT}/etc/rndc.conf
 mkdir ${RPM_BUILD_ROOT}/etc/named
@@ -681,7 +683,7 @@ install -m 644 %{SOURCE36} ${RPM_BUILD_ROOT}/etc/trusted-key.key
 mkdir -p sample/etc sample/var/named/{data,slaves}
 install -m 644 %{SOURCE25} sample/etc/named.conf
 # Copy default configuration to %%doc to make it usable from system-config-bind
-install -m 644 ${RPM_BUILD_ROOT}/etc/named.conf named.conf.default
+install -m 644 %{SOURCE26} named.conf.default
 install -m 644 ${RPM_BUILD_ROOT}/etc/named.rfc1912.zones sample/etc/named.rfc1912.zones
 install -m 644 ${RPM_BUILD_ROOT}/var/named/{named.ca,named.localhost,named.loopback,named.empty}  sample/var/named
 for f in my.internal.zone.db slaves/my.slave.internal.zone.db slaves/my.ddns.internal.zone.db my.external.zone.db; do 
diff --git a/named.conf b/named.conf
new file mode 100644
index 0000000..487007a
--- /dev/null
+++ b/named.conf
@@ -0,0 +1,57 @@
+//
+// named.conf
+//
+// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
+// server as a caching only nameserver (as a localhost DNS resolver only).
+//
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
+
+options {
+	listen-on port 53 { 127.0.0.1; };
+	listen-on-v6 port 53 { ::1; };
+	directory 	"/var/named";
+	dump-file 	"/var/named/data/cache_dump.db";
+	statistics-file "/var/named/data/named_stats.txt";
+	memstatistics-file "/var/named/data/named_mem_stats.txt";
+	allow-query     { localhost; };
+
+	/* 
+	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
+	   recursion. 
+	 - If your recursive DNS server has a public IP address, you MUST enable access 
+	   control to limit queries to your legitimate users. Failing to do so will
+	   cause your server to become part of large scale DNS amplification 
+	   attacks. Implementing BCP38 within your network would greatly
+	   reduce such attack surface 
+	*/
+	recursion yes;
+
+	dnssec-enable yes;
+	dnssec-validation yes;
+
+	managed-keys-directory "/var/named/dynamic";
+
+	pid-file "/run/named/named.pid";
+	session-keyfile "/run/named/session.key";
+
+	/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
+	include "/etc/crypto-policies/back-ends/bind.config";
+};
+
+logging {
+        channel default_debug {
+                file "data/named.run";
+                severity dynamic;
+        };
+};
+
+zone "." IN {
+	type hint;
+	file "named.ca";
+};
+
+include "/etc/named.rfc1912.zones";
+include "/etc/named.root.key";
+
diff --git a/sources b/sources
index e6fb492..270c38c 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 SHA512 (bind-9.11.2.tar.gz) = c837c0a360049b0077b155eede9b6a71f63d1caca2ddf20a8ab7860a1033a3750e49cd2804dcf8c43b0aef04bcea99422d1302b4eae1646eb69a5ae6d64625b9
-SHA512 (config-16.tar.bz2) = 983e0a8de3bb0c16fb21331894cc97ea516233796158eb5d1c932608227b31889496d0467c3e43953bf504dbf8b5f19210d2c9f8e0e3742aea2c7609245bf3f7
+SHA512 (config-17.tar.bz2) = 93d864be83a2aeaec3f4e150909bee21b0fc4761562928ee075f09e8fce28bc82735ed7d7a93e8dfff4fcf8e06f2aa9a04046fc3e538a6bf5cb380f2a3528729
-- 
cgit