
disable use of bind in base; in the base use nsd/unbound instead.

a proper & complete bind port will show up.
discussed with many for years
OPENBSD_5_7
deraadt 10 years ago
parent
commit
b0315aca81
16 changed files with 8 additions and 448 deletions
  1. +2
    -17
      src/etc/Makefile
  2. +0
    -15
      src/etc/bind/db.localhost
  3. +0
    -14
      src/etc/bind/db.loopback
  4. +0
    -14
      src/etc/bind/db.loopback6.arpa
  5. +0
    -79
      src/etc/bind/named-dual.conf
  6. +0
    -71
      src/etc/bind/named-simple.conf
  7. +0
    -90
      src/etc/bind/root.hint
  8. +1
    -7
      src/etc/changelist
  9. +0
    -1
      src/etc/group
  10. +1
    -2
      src/etc/mail/aliases
  11. +0
    -1
      src/etc/master.passwd
  12. +1
    -15
      src/etc/mtree/4.4BSD.dist
  13. +2
    -15
      src/etc/rc
  14. +1
    -2
      src/etc/rc.conf
  15. +0
    -11
      src/etc/rc.d/named
  16. +0
    -94
      src/etc/systrace/usr_sbin_named

+ 2
- 17
src/etc/Makefile View File

@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.388 2014/07/23 11:49:06 reyk Exp $
# $OpenBSD: Makefile,v 1.389 2014/08/22 19:19:25 deraadt Exp $
TZDIR= /usr/share/zoneinfo
LOCALTIME= Canada/Mountain
@ -54,7 +54,7 @@ EXAMPLES_600=bgpd.conf dvmrpd.conf hostapd.conf iked.conf ipsec.conf \
RCDAEMONS= amd apmd bgpd bootparamd cron dhcpd dhcrelay dvmrpd \
ftpd ftpproxy hostapd hotplugd httpd identd ifstated iked \
inetd isakmpd ldapd npppd ldattach ldpd lpd mopd mrouted \
named nginx nsd ntpd ospfd ospf6d portmap pflogd rarpd rbootd \
nginx nsd ntpd ospfd ospf6d portmap pflogd rarpd rbootd \
relayd ripd route6d rtadvd rtsold sasyncd sendmail \
sensorsd slowcgi smtpd snmpd spamd sshd syslogd watchdogd \
wsmoused xdm ypbind ypldap yppasswdd ypserv nfsd mountd lockd \
@ -158,21 +158,6 @@ distribution-etc-root-var: distrib-dirs
cd systrace; \
${INSTALL} -c -o root -g wheel -m 600 usr_sbin_lpd \
${DESTDIR}/etc/systrace; \
${INSTALL} -c -o root -g wheel -m 600 usr_sbin_named \
${DESTDIR}/etc/systrace
cd bind; \
${INSTALL} -c -o root -g named -m 640 named-simple.conf \
${DESTDIR}/var/named/etc/named.conf; \
${INSTALL} -c -o root -g named -m 640 named-*.conf \
${DESTDIR}/var/named/etc; \
${INSTALL} -c -o root -g wheel -m 644 root.hint \
${DESTDIR}/var/named/etc; \
${INSTALL} -c -o root -g wheel -m 644 db.localhost \
${DESTDIR}/var/named/standard/localhost; \
${INSTALL} -c -o root -g wheel -m 644 db.loopback \
${DESTDIR}/var/named/standard/loopback; \
${INSTALL} -c -o root -g wheel -m 644 db.loopback6.arpa \
${DESTDIR}/var/named/standard/loopback6.arpa
ln -fs ${TZDIR}/${LOCALTIME} ${DESTDIR}/etc/localtime
ln -fs /usr/sbin/rmt ${DESTDIR}/etc/rmt
${INSTALL} -c -o root -g wheel -m 644 minfree \
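Review bot: The hunk at -158 as rendered does not show which of the two `${DESTDIR}/etc/systrace` lines after the `usr_sbin_lpd` install survives, and it must be the one without the trailing `; \`: if the line ending in `; \` (the continuation of the lpd install) is kept as context, the backslash joins `ln -fs ${TZDIR}/${LOCALTIME} ${DESTDIR}/etc/localtime` into the same `cd systrace; …` shell command, so that ln runs inside the systrace subdirectory as part of that recipe line. The new side should read `${INSTALL} -c -o root -g wheel -m 600 usr_sbin_lpd \` followed by `${DESTDIR}/etc/systrace` with no separator; worth confirming against the committed file since the rendering drops the diff markers. The `distribution-etc-root-var` target starts outside the hunk.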


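--- a/src/etc/bind/db.localhost
+++ b/src/etc/bind/db.localhost
@@ -1,15 +0,0 @@
-; $OpenBSD: db.localhost,v 1.4 2008/01/03 21:20:25 jakob Exp $
-$ORIGIN localhost.
-$TTL 6h
-@ IN SOA localhost. root.localhost. (
-1 ; serial
-1h ; refresh
-30m ; retry
-7d ; expiration
-1h ) ; minimum
-NS localhost.
-A 127.0.0.1
-AAAA ::1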

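--- a/src/etc/bind/db.loopback
+++ b/src/etc/bind/db.loopback
@@ -1,14 +0,0 @@
-; $OpenBSD: db.loopback,v 1.4 2008/01/03 21:20:25 jakob Exp $
-$ORIGIN 127.in-addr.arpa.
-$TTL 6h
-@ IN SOA localhost. root.localhost. (
-1 ; serial
-1h ; refresh
-30m ; retry
-7d ; expiration
-1h ) ; minimum
-NS localhost.
-1.0.0 PTR localhost.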

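--- a/src/etc/bind/db.loopback6.arpa
+++ b/src/etc/bind/db.loopback6.arpa
@@ -1,14 +0,0 @@
-; $OpenBSD: db.loopback6.arpa,v 1.5 2009/11/02 21:12:56 jakob Exp $
-$ORIGIN 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
-$TTL 6h
-@ IN SOA localhost. root.localhost. (
-1 ; serial
-1h ; refresh
-30m ; retry
-7d ; expiration
-1h ) ; minimum
-NS localhost.
-PTR localhost.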

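--- a/src/etc/bind/named-dual.conf
+++ b/src/etc/bind/named-dual.conf
@@ -1,79 +0,0 @@
-// $OpenBSD: named-dual.conf,v 1.11 2009/11/02 21:12:56 jakob Exp $
-//
-// Example file for a named configuration with dual views,
-// one processing recursive queries only and one processing
-// authoritative-only queries.
-// Update this list to include only the networks for which you want
-// to execute recursive queries. The default setting allows all hosts
-// on any IPv4 networks for which the system has an interface, and
-// the IPv6 localhost address.
-//
-acl clients {
-localnets;
-::1;
-};
-options {
-version ""; // remove this to allow version queries
-listen-on { any; };
-listen-on-v6 { any; };
-empty-zones-enable yes;
-};
-logging {
-category lame-servers { null; };
-};
-view "recursive" {
-match-clients { clients; };
-match-recursive-only yes;
-allow-recursion { clients; };
-zone "." {
-type hint;
-file "etc/root.hint";
-};
-zone "localhost" {
-type master;
-file "standard/localhost";
-allow-transfer { localhost; };
-};
-zone "127.in-addr.arpa" {
-type master;
-file "standard/loopback";
-allow-transfer { localhost; };
-};
-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
-type master;
-file "standard/loopback6.arpa";
-allow-transfer { localhost; };
-};
-};
-view "authoritative" {
-recursion no;
-additional-from-auth no;
-additional-from-cache no;
-// Master zones
-//
-//zone "myzone.net" {
-// type master;
-// file "master/myzone.net";
-//};
-// Slave zones
-//
-//zone "otherzone.net" {
-// type slave;
-// file "slave/otherzone.net";
-// masters { 192.168.1.10; [...;] };
-//};
-};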

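--- a/src/etc/bind/named-simple.conf
+++ b/src/etc/bind/named-simple.conf
@@ -1,71 +0,0 @@
-// $OpenBSD: named-simple.conf,v 1.10 2009/11/02 21:12:56 jakob Exp $
-//
-// Example file for a simple named configuration, processing both
-// recursive and authoritative queries using one cache.
-// Update this list to include only the networks for which you want
-// to execute recursive queries. The default setting allows all hosts
-// on any IPv4 networks for which the system has an interface, and
-// the IPv6 localhost address.
-//
-acl clients {
-localnets;
-::1;
-};
-options {
-version ""; // remove this to allow version queries
-listen-on { any; };
-listen-on-v6 { any; };
-empty-zones-enable yes;
-allow-recursion { clients; };
-};
-logging {
-category lame-servers { null; };
-};
-// Standard zones
-//
-zone "." {
-type hint;
-file "etc/root.hint";
-};
-zone "localhost" {
-type master;
-file "standard/localhost";
-allow-transfer { localhost; };
-};
-zone "127.in-addr.arpa" {
-type master;
-file "standard/loopback";
-allow-transfer { localhost; };
-};
-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
-type master;
-file "standard/loopback6.arpa";
-allow-transfer { localhost; };
-};
-// Master zones
-//
-//zone "myzone.net" {
-// type master;
-// file "master/myzone.net";
-//};
-// Slave zones
-//
-//zone "otherzone.net" {
-// type slave;
-// file "slave/otherzone.net";
-// masters { 192.0.2.1; [...;] };
-//};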

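--- a/src/etc/bind/root.hint
+++ b/src/etc/bind/root.hint
@@ -1,90 +0,0 @@
-; $OpenBSD: root.hint,v 1.10 2013/01/03 18:37:19 gonzalo Exp $
-;
-; This file holds the information on root name servers needed to
-; initialize cache of Internet domain name servers
-; (e.g. reference this file in the "cache . <file>"
-; configuration file of BIND domain name servers).
-;
-; This file is made available by InterNIC
-; under anonymous FTP as
-; file /domain/named.cache
-; on server FTP.INTERNIC.NET
-; -OR- RS.INTERNIC.NET
-;
-; last update: Jan 3, 2013
-; related version of root zone: 2013010300
-;
-; formerly NS.INTERNIC.NET
-;
-. 3600000 IN NS A.ROOT-SERVERS.NET.
-A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
-A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:BA3E::2:30
-;
-; FORMERLY NS1.ISI.EDU
-;
-. 3600000 NS B.ROOT-SERVERS.NET.
-B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
-;
-; FORMERLY C.PSI.NET
-;
-. 3600000 NS C.ROOT-SERVERS.NET.
-C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
-;
-; FORMERLY TERP.UMD.EDU
-;
-. 3600000 NS D.ROOT-SERVERS.NET.
-D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
-D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2D::D
-;
-; FORMERLY NS.NASA.GOV
-;
-. 3600000 NS E.ROOT-SERVERS.NET.
-E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
-;
-; FORMERLY NS.ISC.ORG
-;
-. 3600000 NS F.ROOT-SERVERS.NET.
-F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
-F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2F::F
-;
-; FORMERLY NS.NIC.DDN.MIL
-;
-. 3600000 NS G.ROOT-SERVERS.NET.
-G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
-;
-; FORMERLY AOS.ARL.ARMY.MIL
-;
-. 3600000 NS H.ROOT-SERVERS.NET.
-H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
-H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::803F:235
-;
-; FORMERLY NIC.NORDU.NET
-;
-. 3600000 NS I.ROOT-SERVERS.NET.
-I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
-I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FE::53
-;
-; OPERATED BY VERISIGN, INC.
-;
-. 3600000 NS J.ROOT-SERVERS.NET.
-J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
-J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:C27::2:30
-;
-; OPERATED BY RIPE NCC
-;
-. 3600000 NS K.ROOT-SERVERS.NET.
-K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
-K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FD::1
-;
-; OPERATED BY ICANN
-;
-. 3600000 NS L.ROOT-SERVERS.NET.
-L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
-L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:3::42
-;
-; OPERATED BY WIDE
-;
-. 3600000 NS M.ROOT-SERVERS.NET.
-M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
-M.ROOT-SERVERS.NET. 3600000 AAAA 2001:DC3::35
-; End of File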

+ 1
- 7
src/etc/changelist View File

@ -1,4 +1,4 @@
# $OpenBSD: changelist,v 1.98 2014/07/22 21:01:58 ajacoutot Exp $
# $OpenBSD: changelist,v 1.99 2014/08/22 19:19:25 deraadt Exp $
#
# List of files which the security script backs up and checks
# for modifications.
@ -163,12 +163,6 @@
/var/cron/cron.allow
/var/cron/cron.deny
/var/cron/tabs/root
/var/named/etc/named.conf
+/var/named/etc/rndc.key
/var/named/etc/root.hint
/var/named/standard/localhost
/var/named/standard/loopback
/var/named/standard/loopback6.arpa
/var/nsd/etc/nsd.conf
/var/unbound/etc/root.key
/var/unbound/etc/unbound.conf
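Review bot: Dropping `+/var/named/etc/rndc.key` and the other `/var/named` entries from this list means the security script stops reporting changes to a file that, on a system upgraded rather than freshly installed, still exists with secret content — nothing in the commit removes it, and `make_keys` in src/etc/rc no longer regenerates or re-checks it against `/etc/rndc.key`. The same leftover applies to the `named` uid/gid 70 dropped from src/etc/master.passwd and src/etc/group and to the `/var/named` tree dropped from src/etc/mtree/4.4BSD.dist: anything still owned by 70 becomes an unowned numeric id until that id is reused by some other account. Suggest an accompanying upgrade note telling admins to remove `/var/named`, `/etc/rndc.key` and any remaining files owned by uid/gid 70 once nsd/unbound are in place.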


+ 0
- 1
src/etc/group View File

@ -32,7 +32,6 @@ crontab:*:66:
www:*:67:
_isakmpd:*:68:
network:*:69:
named:*:70:
proxy:*:71:
authpf:*:72:
_syslogd:*:73:


+ 1
- 2
src/etc/mail/aliases View File

@ -1,5 +1,5 @@
#
# $OpenBSD: aliases,v 1.45 2014/06/06 16:46:43 gilles Exp $
# $OpenBSD: aliases,v 1.46 2014/08/22 19:19:25 deraadt Exp $
#
# Aliases in this file will NOT be expanded in the header from
# Mail, but WILL be visible over networks or from /usr/libexec/mail.local.
@ -60,7 +60,6 @@ _unbound: /dev/null
_x11: /dev/null
_ypldap: /dev/null
bin: /dev/null
named: /dev/null
nobody: /dev/null
proxy: /dev/null
smmsp: /dev/null


+ 0
- 1
src/etc/master.passwd View File

@ -15,7 +15,6 @@ _spamd:*:62:62::0:0:Spam Daemon:/var/empty:/sbin/nologin
uucp:*:66:1::0:0:UNIX-to-UNIX Copy:/var/spool/uucppublic:/sbin/nologin
www:*:67:67::0:0:HTTP Server:/var/www:/sbin/nologin
_isakmpd:*:68:68::0:0:isakmpd privsep:/var/empty:/sbin/nologin
named:*:70:70::0:0:BIND Name Service Daemon:/var/named:/sbin/nologin
proxy:*:71:71::0:0:Proxy Services:/nonexistent:/sbin/nologin
_syslogd:*:73:73::0:0:Syslog Daemon:/var/empty:/sbin/nologin
_pflogd:*:74:74::0:0:pflogd privsep:/var/empty:/sbin/nologin


+ 1
- 15
src/etc/mtree/4.4BSD.dist View File

@ -1,4 +1,4 @@
# $OpenBSD: 4.4BSD.dist,v 1.261 2014/07/18 18:20:42 deraadt Exp $
# $OpenBSD: 4.4BSD.dist,v 1.262 2014/08/22 19:19:25 deraadt Exp $
/set type=dir uname=root gname=wheel mode=0755
@ -769,20 +769,6 @@ var
mail
..
# ./var/named
named
etc uname=root gname=named mode=0750
..
master
..
slave uname=root gname=named mode=0775
..
standard
..
tmp uname=root gname=named mode=0775
..
..
# ./var/nsd
nsd
db uname=root gname=_nsd mode=0775


+ 2
- 15
src/etc/rc View File

@ -1,4 +1,4 @@
# $OpenBSD: rc,v 1.439 2014/08/17 14:43:34 ajacoutot Exp $
# $OpenBSD: rc,v 1.440 2014/08/22 19:19:25 deraadt Exp $
# System startup script run by init on autoboot
# or after single-user.
@ -144,19 +144,6 @@ start_daemon()
make_keys()
{
if [ X"${named_flags}" != X"NO" ]; then
if ! cmp -s /etc/rndc.key /var/named/etc/rndc.key ; then
echo -n "rndc-confgen: generating shared secret... "
if rndc-confgen -a -t /var/named >/dev/null 2>&1; then
chmod 0640 /var/named/etc/rndc.key \
>/dev/null 2>&1
echo done.
else
echo failed.
fi
fi
fi
if [ ! -f /etc/isakmpd/private/local.key ]; then
echo -n "openssl: generating isakmpd/iked RSA key... "
if openssl genrsa -out /etc/isakmpd/private/local.key 2048 \
@ -400,7 +387,7 @@ dmesg >/var/run/dmesg.boot
make_keys
echo -n 'starting early daemons:'
start_daemon syslogd ldattach pflogd named nsd unbound ntpd
start_daemon syslogd ldattach pflogd nsd unbound ntpd
start_daemon iscsid isakmpd iked sasyncd ldapd npppd
echo '.'


+ 1
- 2
src/etc/rc.conf View File

@ -1,4 +1,4 @@
# $OpenBSD: rc.conf,v 1.195 2014/07/22 17:37:16 reyk Exp $
# $OpenBSD: rc.conf,v 1.196 2014/08/22 19:19:25 deraadt Exp $
# DO NOT EDIT THIS FILE!!
#
@ -23,7 +23,6 @@ rarpd_flags=NO # for normal use: "-a"
bootparamd_flags=NO # for normal use: ""
rbootd_flags=NO # for normal use: ""
sshd_flags= # for normal use: ""
named_flags=NO # for normal use: ""
nsd_flags=NO # for normal use: "-c /var/nsd/etc/nsd.conf"
unbound_flags=NO # for normal use: "-c /var/unbound/etc/unbound.conf"
ldattach_flags=NO # for normal use: "[options] linedisc cua-device"


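--- a/src/etc/rc.d/named
+++ b/src/etc/rc.d/named
@@ -1,11 +0,0 @@
-#!/bin/sh
-#
-# $OpenBSD: named,v 1.1 2011/07/06 18:55:36 robert Exp $
-daemon="/usr/sbin/named"
-. /etc/rc.d/rc.subr
-pexp="named: \[priv\]"
-rc_cmd $1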

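--- a/src/etc/systrace/usr_sbin_named
+++ b/src/etc/systrace/usr_sbin_named
@@ -1,94 +0,0 @@
-# $OpenBSD: usr_sbin_named,v 1.8 2014/07/20 04:29:07 deraadt Exp $
-#
-# Policy for named that uses named user and chroots to /var/named
-# This policy works for the default configuration of named.
-#
-Policy: /usr/sbin/named, Emulation: native
-native-__sysctl: permit
-native-accept: permit
-native-bind: sockaddr match "inet-*:0" then permit
-native-bind: sockaddr match "inet-*:53" then permit
-native-bind: sockaddr match "inet-*:953" then permit
-native-break: permit
-native-chdir: filename eq "/" then permit
-native-chroot: filename eq "/var/named" then permit
-native-close: permit
-native-closefrom: permit
-native-connect: sockaddr match "inet-*" then permit
-native-dup2: permit
-native-exit: permit
-native-fcntl: permit
-native-fork: permit
-native-fsread: filename sub "<non-existent filename>" then deny[enoent]
-native-fsread: filename eq "/etc/malloc.conf" then permit
-native-fsread: filename eq "/dev/arandom" then permit
-native-fsread: filename eq "/etc/group" then permit
-native-fsread: filename eq "/etc/named.conf" then permit
-native-fsread: filename eq "/etc/named.keys" then permit
-native-fsread: filename eq "/etc/pwd.db" then permit
-native-fsread: filename eq "/etc/rndc.key" then permit
-native-fsread: filename eq "/etc/root.hint" then permit
-native-fsread: filename eq "/etc/spwd.db" then deny[eperm]
-native-fsread: filename match "/master" then permit
-native-fsread: filename match "/slave" then permit
-native-fsread: filename match "/standard" then permit
-native-fsread: filename match "/usr/lib" then permit
-native-fsread: filename eq "/usr/libexec/ld.so" then permit
-native-fsread: filename match "/usr/share/nls" then permit
-native-fsread: filename match "/usr/share/zoneinfo" then permit
-native-fsread: filename eq "/var/run/ld.so.hints" then permit
-native-fsread: filename eq "/var/run/named.pid" then permit
-native-fstat: permit
-native-fswrite: filename sub "<non-existent filename>" then deny[enoent]
-native-fswrite: filename eq "/dev/null" then permit
-native-fswrite: filename match "/master/*" then permit
-native-fswrite: filename match "/slave/*" then permit
-native-fswrite: filename eq "/var/run/named.pid" then permit
-native-fswrite: filename match "/var/tmp/*" then permit
-native-fsync: permit
-native-getentropy: permit
-native-getpid: permit
-native-getppid: permit
-native-getrlimit: permit
-native-getsockname: permit
-native-getsockopt: permit
-native-gettimeofday: permit
-native-getuid: permit
-native-geteuid: permit
-native-issetugid: permit
-native-kill: permit
-native-listen: permit
-native-lseek: permit
-native-minherit: permit
-native-mmap: permit
-native-mprotect: permit
-native-mquery: permit
-native-munmap: permit
-native-nanosleep: permit
-native-pipe: permit
-native-pread: permit
-native-read: permit
-native-recvmsg: permit
-native-rename: filename match "/slave/*" and filename[1] match "/slave/*" then permit
-native-select: permit
-native-sendmsg: permit
-native-sendsyslog: permit
-native-sendto: true then permit
-native-setegid: gid eq "70" then permit
-native-seteuid: uid eq "70" and uname eq "named" then permit
-native-setgid: gid eq "70" then permit
-native-setgroups: permit
-native-setresgid: permit
-native-setresuid: permit
-native-setrlimit: permit
-native-setsid: permit
-native-setsockopt: permit
-native-setuid: uid eq "70" and uname eq "named" then permit
-native-sigaction: permit
-native-sigprocmask: permit
-native-sigreturn: permit
-native-socket: permit
-native-socketpair: permit
-native-utimes: permit
-native-wait4: permit
-native-write: permit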
