import unbound 1.4.11 from rawhide

9 files changed, 1645 insertions, 0 deletions

diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..1e65467
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,4 @@
+SRCDIR := $(shell pwd)
+NAME := $(shell basename $(SRCDIR))
+include ../common/Makefile
+
diff --git a/dlv.isc.org.key b/dlv.isc.org.key
new file mode 100644
index 0000000..c73944f
--- /dev/null
+++ b/dlv.isc.org.key
@@ -0,0 +1,2 @@
+; https://secure.isc.org/ops/dlv/dlv.isc.org.key
+dlv.isc.org. IN DNSKEY 257 3 5 BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh
diff --git a/root.key b/root.key
new file mode 100644
index 0000000..f9ce549
--- /dev/null
+++ b/root.key
@@ -0,0 +1,4 @@
+trusted-keys {
+"." 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="; // key id = 19036
+
+};
diff --git a/unbound-1.2-glob.patch b/unbound-1.2-glob.patch
new file mode 100644
index 0000000..996ceac
--- /dev/null
+++ b/unbound-1.2-glob.patch
@@ -0,0 +1,13 @@
+diff -Naur unbound-1.2.0/validator/val_anchor.c unbound-1.2.0.new/validator/val_anchor.c
+--- unbound-1.2.0/validator/val_anchor.c	2009-01-07 07:24:34.000000000 -0500
++++ unbound-1.2.0.new/validator/val_anchor.c	2009-01-20 17:31:43.000000000 -0500
+@@ -718,7 +718,8 @@
+ 			log_err("wildcard trusted-keys-file %s: expansion "
+ 				"failed (%s)", pat, strerror(errno));
+ 		}
+-		return 0;
++		/* ignore globs that yield no files */
++		return 1;
+ 	}
+ 	/* process files found, if any */
+ 	for(i=0; i<(size_t)g.gl_pathc; i++) {
diff --git a/unbound.conf b/unbound.conf
new file mode 100644
index 0000000..5d73c55
--- /dev/null
+++ b/unbound.conf
@@ -0,0 +1,501 @@
+#
+# See unbound.conf(5) man page.
+#
+# this is a comment.
+
+#Use this to include other text into the file.
+#include: "otherfile.conf"
+
+# The server clause sets the main parameters. 
+server:
+	# whitespace is not necessary, but looks cleaner.
+
+	# verbosity number, 0 is least verbose. 1 is default.
+	verbosity: 1
+
+	# print statistics to the log (for every thread) every N seconds.
+	# Set to "" or 0 to disable. Default is disabled.
+	# Needed for munin plugin
+	statistics-interval: 0
+	
+	# enable cumulative statistics, without clearing them after printing.
+	# Needed for munin plugin
+	statistics-cumulative: no
+
+	# enable extended statistics (query types, answer codes, status)
+	# printed from unbound-control. default off, because of speed.
+	# Needed for munin plugin
+	extended-statistics: yes
+
+	# number of threads to create. 1 disables threading.
+	num-threads: 2
+
+	# specify the interfaces to answer queries from by ip-address.
+	# The default is to listen to localhost (127.0.0.1 and ::1).
+	# specify 0.0.0.0 and ::0 to bind to all available interfaces.
+	# specify every interface on a new 'interface:' labelled line.
+	# The listen interfaces are not changed on reload, only on restart.
+	# interface: 0.0.0.0
+	# interface: ::0
+	# interface: 192.0.2.153
+	# interface: 192.0.2.154
+	# interface: 2001:DB8::5
+	
+	# enable this feature to copy the source address of queries to reply.
+	# Socket options are not supported on all platforms. experimental. 
+	# NOTE: Enable this option when specifying interface 0.0.0.0 or ::0 
+	# NOTE: Disabled per Fedora policy not to listen to * on default install
+	# interface-automatic: yes
+	interface-automatic: no
+
+	# port to answer queries from
+	# port: 53
+
+	# specify the interfaces to send outgoing queries to authoritative
+	# server from by ip-address. If none, the default (all) interface
+	# is used. Specify every interface on a 'outgoing-interface:' line.
+	# outgoing-interface: 192.0.2.153
+	# outgoing-interface: 2001:DB8::5
+	# outgoing-interface: 2001:DB8::6
+
+	# number of ports to allocate per thread, determines the size of the
+	# port range that can be open simultaneously. 
+	# outgoing-range: 256
+	
+	# permit unbound to use this port number or port range for
+	# making outgoing queries, using an outgoing interface.
+	# outgoing-port-permit: 32768
+
+	# deny unbound the use this of port number or port range for
+	# making outgoing queries, using an outgoing interface.
+	# Use this to make sure unbound does not grab a UDP port that some
+	# other server on this computer needs. The default is to avoid
+	# IANA-assigned port numbers.
+	# outgoing-port-avoid: "3200-3208"
+
+	# number of outgoing simultaneous tcp buffers to hold per thread.
+	# outgoing-num-tcp: 10
+
+	# number of incoming simultaneous tcp buffers to hold per thread.
+	# incoming-num-tcp: 10
+
+	# buffer size for UDP port 53 incoming (SO_RCVBUF socket option).
+	# 0 is system default.  Use 4m to catch query spikes for busy servers.
+	# so-rcvbuf: 0
+
+	# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
+	# is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
+	# edns-buffer-size: 4096
+       
+	# buffer size for handling DNS data. No messages larger than this
+	# size can be sent or received, by UDP or TCP. In bytes.
+	# msg-buffer-size: 65552
+
+	# the amount of memory to use for the message cache.
+	# plain value in bytes or you can append k, m or G. default is "4Mb". 
+	# msg-cache-size: 4m
+
+	# the number of slabs to use for the message cache.
+	# the number of slabs must be a power of 2.
+	# more slabs reduce lock contention, but fragment memory usage.
+	# msg-cache-slabs: 4
+
+	# the number of queries that a thread gets to service.
+	# num-queries-per-thread: 1024
+
+	# if very busy, 50% queries run to completion, 50% get timeout in msec
+	# jostle-timeout: 200
+
+	# the amount of memory to use for the RRset cache.
+	# plain value in bytes or you can append k, m or G. default is "4Mb". 
+	# rrset-cache-size: 4m
+
+	# the number of slabs to use for the RRset cache.
+	# the number of slabs must be a power of 2.
+	# more slabs reduce lock contention, but fragment memory usage.
+	# rrset-cache-slabs: 4
+
+	# the time to live (TTL) value lower bound, in seconds. Default 0.
+	# If more than an hour could easily give trouble due to stale data.
+	# cache-min-ttl: 0
+
+	# the time to live (TTL) value cap for RRsets and messages in the
+	# cache. Items are not cached for longer. In seconds.
+	# cache-max-ttl: 86400
+
+	# the time to live (TTL) value for cached roundtrip times and
+	# EDNS version information for hosts. In seconds.
+	# infra-host-ttl: 900
+
+	# the time to live (TTL) value for cached lame delegations. In sec.
+	# infra-lame-ttl: 900
+
+	# the number of slabs to use for the Infrastructure cache.
+	# the number of slabs must be a power of 2.
+	# more slabs reduce lock contention, but fragment memory usage.
+	# infra-cache-slabs: 4
+
+	# the maximum number of hosts that are cached (roundtrip times, EDNS).
+	# infra-cache-numhosts: 10000
+
+	# the maximum size of the lame zones cached per host. in bytes.
+	# infra-cache-lame-size: 10k
+
+	# Enable IPv4, "yes" or "no".
+	# do-ip4: yes
+
+	# Enable IPv6, "yes" or "no".
+	# do-ip6: yes
+
+	# Enable UDP, "yes" or "no".
+	# do-udp: yes
+
+	# Enable TCP, "yes" or "no".
+	# do-tcp: yes
+
+	# Detach from the terminal, run in background, "yes" or "no".
+	# do-daemonize: yes
+
+	# control which clients are allowed to make (recursive) queries
+	# to this server. Specify classless netblocks with /size and action.
+	# By default everything is refused, except for localhost.
+	# Choose deny (drop message), refuse (polite error reply),
+	# allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
+	# access-control: 0.0.0.0/0 refuse
+	# access-control: 127.0.0.0/8 allow
+	# access-control: ::0/0 refuse
+	# access-control: ::1 allow
+	# access-control: ::ffff:127.0.0.1 allow
+
+	# if given, a chroot(2) is done to the given directory.
+	# i.e. you can chroot to the working directory, for example,
+	# for extra security, but make sure all files are in that directory.
+	#
+	# If chroot is enabled, you should pass the configfile (from the
+	# commandline) as a full path from the original root. After the
+	# chroot has been performed the now defunct portion of the config 
+	# file path is removed to be able to reread the config after a reload. 
+	#
+	# All other file paths (working dir, logfile, roothints, and
+	# key files) can be specified in several ways:
+	# 	o as an absolute path relative to the new root.
+	# 	o as a relative path to the working directory.
+	# 	o as an absolute path relative to the original root.
+	# In the last case the path is adjusted to remove the unused portion.
+	#
+	# The pid file can be absolute and outside of the chroot, it is 
+	# written just prior to performing the chroot and dropping permissions.
+	#
+	# Additionally, unbound may need to access /dev/random (for entropy).
+	# How to do this is specific to your OS.
+	#
+	# If you give "" no chroot is performed. The path must not end in a /.
+	# chroot: "/var/lib/unbound"
+	chroot: ""
+
+	# if given, user privileges are dropped (after binding port),
+	# and the given username is assumed. Default is user "unbound".
+	# If you give "" no privileges are dropped.
+	username: "unbound"
+
+	# the working directory. The relative files in this config are 
+	# relative to this directory. If you give "" the working directory
+	# is not changed.
+	directory: "/etc/unbound"
+
+	# the log file, "" means log to stderr. 
+	# Use of this option sets use-syslog to "no".
+	# logfile: ""
+	
+	# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to 
+	# log to, with identity "unbound". If yes, it overrides the logfile.
+	# use-syslog: yes 
+
+	# print UTC timestamp in ascii to logfile, default is epoch in seconds.
+	log-time-ascii: yes
+
+	# the pid file. Can be an absolute path outside of chroot/work dir.
+	pidfile: "/var/run/unbound/unbound.pid"
+	
+	# file to read root hints from.
+	# get one from ftp://FTP.INTERNIC.NET/domain/named.cache
+	# root-hints: ""
+	
+	# enable to not answer id.server and hostname.bind queries.
+	# hide-identity: no
+	
+	# enable to not answer version.server and version.bind queries.
+	# hide-version: no
+	
+	# the identity to report. Leave "" or default to return hostname.
+	# identity: ""
+	
+	# the version to report. Leave "" or default to return package version.
+	# version: ""
+	
+	# the target fetch policy.
+	# series of integers describing the policy per dependency depth. 
+	# The number of values in the list determines the maximum dependency 
+	# depth the recursor will pursue before giving up. Each integer means:
+	# 	-1 : fetch all targets opportunistically,
+	# 	0: fetch on demand,
+	#	positive value: fetch that many targets opportunistically.
+	# Enclose the list of numbers between quotes ("").
+	# target-fetch-policy: "3 2 1 0 0"
+	
+	# Harden against very small EDNS buffer sizes. 
+	# harden-short-bufsize: no
+	
+	# Harden against unseemly large queries.
+	# harden-large-queries: no
+	
+	# Harden against out of zone rrsets, to avoid spoofing attempts. 
+	harden-glue: yes
+	
+	# Harden against receiving dnssec-stripped data. If you turn it
+	# off, failing to validate dnskey data for a trustanchor will 
+	# trigger insecure mode for that zone (like without a trustanchor).
+	# Default on, which insists on dnssec data for trust-anchored zones.
+	harden-dnssec-stripped: yes
+
+        # Harden the referral path by performing additional queries for
+	# infrastructure data.  Validates the replies (if possible).
+	# Default off, because the lookups burden the server.  Experimental 
+	# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
+	harden-referral-path: yes
+
+	# Use 0x20-encoded random bits in the query to foil spoof attempts.
+	# This feature is an experimental implementation of draft dns-0x20.
+	use-caps-for-id: yes
+	
+	# Enforce privacy of these addresses. Strips them away from answers. 
+	# It may cause DNSSEC validation to additionally mark it as bogus. 
+	# Protects against 'DNS Rebinding' (uses browser as network proxy). 
+	# Only 'private-domain' and 'local-data' names are allowed to have 
+	# these private addresses. No default.
+	# private-address: 10.0.0.0/8
+	# private-address: 172.16.0.0/12
+	# private-address: 192.168.0.0/16
+	# private-address: 192.254.0.0/16
+	# private-address: fd00::/8
+	# private-address: fe80::/10
+
+	# Allow the domain (and its subdomains) to contain private addresses.
+	# local-data statements are allowed to contain private addresses too.
+	# private-domain: "example.com"
+	
+	# If nonzero, unwanted replies are not only reported in statistics,
+	# but also a running total is kept per thread. If it reaches the
+	# threshold, a warning is printed and a defensive action is taken,
+	# the cache is cleared to flush potential poison out of it.
+	# A suggested value is 10000000, the default is 0 (turned off).
+	unwanted-reply-threshold: 10000000
+
+	# Do not query the following addresses. No DNS queries are sent there.
+	# List one address per entry. List classless netblocks with /size,
+	# do-not-query-address: 127.0.0.1/8
+	# do-not-query-address: ::1
+	
+	# if yes, the above default do-not-query-address entries are present.
+	# if no, localhost can be queried (for testing and debugging).
+	# do-not-query-localhost: yes
+
+	# if yes, perform prefetching of almost expired message cache entries.
+	prefetch: yes
+
+	# if yes, perform key lookups adjacent to normal lookups.
+	prefetch-key: yes
+
+	# module configuration of the server. A string with identifiers
+	# separated by spaces. "iterator" or "validator iterator"
+	# module-config: "validator iterator"
+	
+	# File with DLV trusted keys. Same format as trust-anchor-file.
+	# There can be only one DLV configured, it is trusted from root down.
+	# Downloaded from https://secure.isc.org/ops/dlv/dlv.isc.org.key
+	dlv-anchor-file: "/etc/unbound/dlv.isc.org.key"
+
+	# File with trusted keys for validation. Specify more than one file
+	# with several entries, one file per entry.
+	# Zone file format, with DS and DNSKEY entries.
+	# trust-anchor-file: ""
+
+	# File with trusted keys, kept uptodate using RFC5011 probes,
+	# initial file like trust-anchor-file, then it stores metadata.
+	# Use several entries, one per domain name, to track multiple zones.
+	# auto-trust-anchor-file: ""
+
+	# Trusted key for validation. DS or DNSKEY. specify the RR on a
+	# single line, surrounded by "". TTL is ignored. class is IN default.
+	# (These examples are from August 2007 and may not be valid anymore).
+	# trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ=="
+	# trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A"
+
+	# File with trusted keys for validation. Specify more than one file
+	# with several entries, one file per entry. Like trust-anchor-file
+	# but has a different file format. Format is BIND-9 style format, 
+	# the trusted-keys { name flag proto algo "key"; }; clauses are read.
+	# trusted-keys-file: ""
+	trusted-keys-file: /etc/unbound/root.key
+
+	# Ignore chain of trust. Domain is treated as insecure.
+	# domain-insecure: "example.com"
+
+	# Override the date for validation with a specific fixed date.
+	# Do not set this unless you are debugging signature inception
+	# and expiration. "" or "0" turns the feature off. 
+	# val-override-date: ""
+	
+	# The time to live for bogus data, rrsets and messages. This avoids
+	# some of the revalidation, until the time interval expires. in secs.
+	# val-bogus-ttl: 60
+
+	# The signature inception and expiration dates are allowed to be off
+	# by 10% of the lifetime of the signature from our local clock.
+	# This leeway is capped with a minimum and a maximum.  In seconds.
+	# val-sig-skew-min: 3600
+	# val-sig-skew-max: 86400
+
+	# Should additional section of secure message also be kept clean of
+	# unsecure data. Useful to shield the users of this validator from
+	# potential bogus data in the additional section. All unsigned data 
+	# in the additional section is removed from secure messages.
+	val-clean-additional: yes
+	
+	# Turn permissive mode on to permit bogus messages. Thus, messages
+	# for which security checks failed will be returned to clients,
+	# instead of SERVFAIL. It still performs the security checks, which
+	# result in interesting log files and possibly the AD bit in
+	# replies if the message is found secure. The default is off.
+	# NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
+	val-permissive-mode: no
+
+	# Have the validator log failed validations for your diagnosis.
+	# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
+	val-log-level: 1
+	
+	# It is possible to configure NSEC3 maximum iteration counts per
+	# keysize. Keep this table very short, as linear search is done.
+	# A message with an NSEC3 with larger count is marked insecure.
+	# List in ascending order the keysize and count values.
+	# val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
+
+	# instruct the auto-trust-anchor-file probing to add anchors after ttl.
+	# add-holddown: 2592000 # 30 days
+
+	# instruct the auto-trust-anchor-file probing to del anchors after ttl.
+	# del-holddown: 2592000 # 30 days
+
+	# auto-trust-anchor-file probing removes missing anchors after ttl.
+	# If the value 0 is given, missing anchors are not removed.
+	# keep-missing: 31622400 # 366 days
+
+	# the amount of memory to use for the key cache.
+	# plain value in bytes or you can append k, m or G. default is "4Mb". 
+	# key-cache-size: 4m
+
+	# the number of slabs to use for the key cache.
+	# the number of slabs must be a power of 2.
+	# more slabs reduce lock contention, but fragment memory usage.
+	# key-cache-slabs: 4
+	
+	# the amount of memory to use for the negative cache (used for DLV).
+	# plain value in bytes or you can append k, m or G. default is "1Mb". 
+	# neg-cache-size: 1m
+
+	# a number of locally served zones can be configured.
+	# 	local-zone: <zone> <type>
+	# 	local-data: "<resource record string>"
+	# o deny serves local data (if any), else, drops queries. 
+	# o refuse serves local data (if any), else, replies with error.
+	# o static serves local data, else, nxdomain or nodata answer.
+	# o transparent serves local data, but resolves normally for other names
+	# o redirect serves the zone data for any subdomain in the zone.
+	# o nodefault can be used to normally resolve AS112 zones.
+	#
+	# defaults are localhost address, reverse for 127.0.0.1 and ::1
+	# and nxdomain for AS112 zones. If you configure one of these zones
+	# the default content is omitted, or you can omit it with 'nodefault'.
+	# 
+	# If you configure local-data without specifying local-zone, by
+	# default a transparent local-zone is created for the data.
+	#
+	# You can add locally served data with
+	# local-zone: "local." static
+	# local-data: "mycomputer.local. IN A 192.0.2.51"
+	# local-data: 'mytext.local TXT "content of text record"'
+	#
+	# You can override certain queries with
+	# local-data: "adserver.example.com A 127.0.0.1"
+	#
+	# You can redirect a domain to a fixed address with
+	# (this makes example.com, www.example.com, etc, all go to 192.0.2.3)
+	# local-zone: "example.com" redirect
+	# local-data: "example.com A 192.0.2.3"
+	#
+	# Shorthand to make PTR records, "IPv4 name" or "IPv6 name".
+	# You can also add PTR records using local-data directly, but then
+	# you need to do the reverse notation yourself.
+	# local-data-ptr: "192.0.2.3 www.example.com"
+
+## Python config section. To enable:
+## o use --with-pythonmodule to configure before compiling.
+## o list python in the module-config string (above) to enable.
+## o and give a python-script to run.
+#python:
+#	# Script file to load
+#	# python-script: "/etc/unbound/ubmodule-tst.py"
+
+
+# Remote control config section. 
+remote-control:
+	# Enable remote control with unbound-control(8) here.
+	# set up the keys and certificates with unbound-control-setup.
+	# Note: required for unbound-munin package
+	control-enable: yes
+
+	# what interfaces are listened to for remote control.
+	# give 0.0.0.0 and ::0 to listen to all interfaces.
+	# control-interface: 127.0.0.1
+	# control-interface: ::1
+
+	# port number for remote control operations.
+	# control-port: 953
+
+	# unbound server key file.
+	server-key-file: "/etc/unbound/unbound_server.key"
+
+	# unbound server certificate file.
+	server-cert-file: "/etc/unbound/unbound_server.pem"
+
+	# unbound-control key file.
+	control-key-file: "/etc/unbound/unbound_control.key"
+
+	# unbound-control certificate file.
+	control-cert-file: "/etc/unbound/unbound_control.pem"
+
+# Stub zones.
+# Create entries like below, to make all queries for 'example.com' and 
+# 'example.org' go to the given list of nameservers. list zero or more 
+# nameservers by hostname or by ipaddress. If you set stub-prime to yes, 
+# the list is treated as priming hints (default is no).
+# stub-zone:
+#	name: "example.com"
+#	stub-addr: 192.0.2.68
+#	stub-prime: "no"
+# stub-zone:
+#	name: "example.org"
+#	stub-host: ns.example.com.
+
+# Forward zones
+# Create entries like below, to make all queries for 'example.com' and
+# 'example.org' go to the given list of servers. These servers have to handle
+# recursion to other nameservers. List zero or more nameservers by hostname
+# or by ipaddress. Use an entry with name "." to forward all queries.
+# forward-zone:
+# 	name: "example.com"
+# 	forward-addr: 192.0.2.68
+# 	forward-addr: 192.0.2.73@5355  # forward to port 5355.
+# forward-zone:
+# 	name: "example.org"
+# 	forward-host: fwd.example.com
diff --git a/unbound.init b/unbound.init
new file mode 100644
index 0000000..9fb6a8e
--- /dev/null
+++ b/unbound.init
@@ -0,0 +1,133 @@
+#!/bin/sh
+#
+# unbound	This shell script takes care of starting and stopping
+#		unbound (DNS server).
+#
+# chkconfig:   - 14 86
+# description:	unbound is a Domain Name Server (DNS) \
+#		that is used to resolve host names to IP addresses.
+
+### BEGIN INIT INFO
+# Provides: unbound
+# Required-Start: $network $local_fs
+# Required-Stop: $network $local_fs
+# Default-Start:
+# Default-Stop: 0 1 2 3 4 5 6
+# Should-Start: $syslog
+# Should-Stop: $syslog
+# Short-Description: unbound recursive Domain Name Server.
+# Description:  unbound is a Domain Name Server (DNS) 
+#		that is used to resolve host names to IP addresses.
+### END INIT INFO
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+exec="/usr/sbin/unbound"
+config="/etc/unbound/unbound.conf"
+rootdir="/var/lib/unbound"
+pidfile="/var/run/unbound/unbound.pid"
+piddir=`dirname $pidfile`
+
+[ -e /etc/sysconfig/unbound ] && . /etc/sysconfig/unbound
+[ -e /etc/sysconfig/dnssec ] && . /etc/sysconfig/dnssec
+
+lockfile=/var/lock/subsys/unbound
+
+[ -x /usr/sbin/dnssec-configure ] && [ -r "$config" ] &&
+  [ /etc/sysconfig/dnssec -nt "$config" ] && \
+    /usr/sbin/dnssec-configure -u --norestart --dnssec="$DNSSEC" --dlv="$DLV"
+
+start() {
+    [ -x $exec ] || exit 5
+    [ -f $config ] || exit 6
+    # /var/run could (and should) be tmpfs
+    [ -d $piddir ] || mkdir $piddir
+
+    if [ ! -f /etc/unbound/unbound_control.key ]
+    then
+	echo -n $"Generating unbound control key and certificate: "
+	/usr/sbin/unbound-control-setup -d /etc/unbound/ > /dev/null 2> /dev/null
+	chgrp unbound /etc/unbound/unbound_*key /etc/unbound/unbound_*pem
+	[ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled && \
+	    [ -x /sbin/restorecon ] && /sbin/restorecon /etc/unbound/*
+	echo
+    else
+	# old init script created these as root instead of unbound.
+	if [ -G /etc/unbound/unbound_control.key ]
+	then
+	    chgrp unbound /etc/unbound/unbound_*key /etc/unbound/unbound_*pem
+	    [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled && \
+		[ -x /sbin/restorecon ] && /sbin/restorecon /etc/unbound/*
+	    echo
+	fi
+    fi
+
+    echo -n $"Starting unbound: "
+
+    # if not running, start it up here
+    daemon --pidfile=$pidfile $exec
+    retval=$?
+    [ $retval -eq 0 ] && touch $lockfile
+    echo
+}
+
+stop() {
+    echo -n $"Stopping unbound: "
+    # stop it here, often "killproc unbound"
+    killproc -p $pidfile unbound
+    retval=$?
+    [ $retval -eq 0 ] && rm -f $lockfile
+    echo
+}
+
+restart() {
+    stop
+    start
+}
+
+reload() {
+    kill -HUP `cat $pidfile`
+}
+
+force_reload() {
+    restart
+}
+
+rh_status() {
+    # run checks to determine if the service is running or use generic status
+    status -p $pidfile unbound
+}
+
+rh_status_q() {
+    rh_status -p $pidfile >/dev/null 2>&1
+}
+
+case "$1" in
+    start)
+        start
+        ;;
+    stop)
+        stop
+        ;;
+    restart)
+        restart
+        ;;
+    reload)
+        reload
+        ;;
+    force-reload)
+        force_reload
+        ;;
+    status)
+        rh_status
+        ;;
+    condrestart|try-restart)
+        rh_status_q || exit 0
+        restart
+        ;;
+    *)
+        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
+        exit 2
+esac
+exit $?
diff --git a/unbound.munin b/unbound.munin
new file mode 100644
index 0000000..9056575
--- /dev/null
+++ b/unbound.munin
@@ -0,0 +1,11 @@
+#
+# For this plugin to work, unbound.conf needs to have:
+# remote-control:	control-enable: yes
+# 
+[unbound*]
+user root
+env.statefile /var/lib/munin/plugin-state/unbound-state
+env.unbound_conf /etc/unbound/unbound.conf
+env.unbound_control /usr/sbin/unbound-control
+env.spoof_warn 1000
+env.spoof_crit 100000
diff --git a/unbound.spec b/unbound.spec
new file mode 100644
index 0000000..eb2fe0c
--- /dev/null
+++ b/unbound.spec
@@ -0,0 +1,424 @@
+# not ready yet
+%{?!with_python:      %global with_python      1}
+
+%if %{with_python}
+%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
+%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
+%endif
+
+Summary: Validating, recursive, and caching DNS(SEC) resolver
+Name: unbound
+Version: 1.4.11
+Release: 1%{?dist}
+License: BSD
+Url: http://www.nlnetlabs.nl/unbound/
+Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
+Source1: unbound.init
+Source2: unbound.conf
+Source3: unbound.munin
+Source4: unbound_munin_
+Source5: root.key
+Source6: dlv.isc.org.key
+Patch1: unbound-1.2-glob.patch
+
+Group: System Environment/Daemons
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+BuildRequires: flex, openssl-devel , ldns-devel >= 1.5.0, 
+BuildRequires: libevent-devel expat-devel
+%if %{with_python}
+BuildRequires:  python-devel swig
+%endif
+# Required for SVN versions
+BuildRequires: bison
+
+
+Requires(post): chkconfig
+Requires(preun): chkconfig
+Requires(preun): initscripts
+Requires(postun): initscripts
+Requires: ldns >= 1.5.0
+Requires(pre): shadow-utils
+
+Obsoletes:      dnssec-conf < 1.27-2
+Provides:       dnssec-conf = 1.27-1
+
+%description
+Unbound is a validating, recursive, and caching DNS(SEC) resolver.
+
+The C implementation of Unbound is developed and maintained by NLnet
+Labs. It is based on ideas and algorithms taken from a java prototype
+developed by Verisign labs, Nominet, Kirei and ep.net.
+
+Unbound is designed as a set of modular components, so that also
+DNSSEC (secure DNS) validation and stub-resolvers (that do not run
+as a server, but are linked into an application) are easily possible.
+
+%package munin
+Summary: Plugin for the munin / munin-node monitoring package
+Group:     System Environment/Daemons
+Requires: munin-node
+Requires: %{name} = %{version}-%{release}, bc
+
+%description munin
+Plugin for the munin / munin-node monitoring package
+
+%package devel
+Summary: Development package that includes the unbound header files
+Group: Development/Libraries
+Requires: %{name}-libs = %{version}-%{release}, openssl-devel, ldns-devel
+
+%description devel
+The devel package contains the unbound library and the include files
+
+%package libs
+Summary: Libraries used by the unbound server and client applications
+Group: Applications/System
+Requires(post): /sbin/ldconfig
+Requires(postun): /sbin/ldconfig
+Requires: openssl >= 0.9.8g-12
+
+%description libs
+Contains libraries used by the unbound server and client applications
+
+%if %{with_python}
+%package python
+Summary: Python modules and extensions for unbound
+Group: Applications/System
+Requires: %{name}-libs = %{version}-%{release}
+
+%description python
+Python modules and extensions for unbound
+%endif
+
+%prep
+%setup -q 
+%patch1 -p1
+
+%build
+%configure  --with-ldns= --with-libevent --with-pthreads --with-ssl \
+            --disable-rpath --enable-XXXdebug --disable-static \
+            --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \
+            --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \
+%if %{with_python}
+            --with-pythonmodule --with-pyunbound \
+%endif
+            --enable-sha2 --disable-gost
+%{__make} %{?_smp_mflags}
+
+%install
+rm -rf %{buildroot}
+%{__make} DESTDIR=%{buildroot} install
+install -d 0755 %{buildroot}%{_initrddir}
+install -m 0755 %{SOURCE1} %{buildroot}%{_initrddir}/unbound
+install -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound
+# Install munin plugin and its softlinks
+install -d 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d
+install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/munin/plugin-conf.d/unbound
+install -d 0755 %{buildroot}%{_datadir}/munin/plugins/
+install -m 0755 %{SOURCE4} %{buildroot}%{_datadir}/munin/plugins/unbound
+for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unbound_munin_by_type unbound_munin_by_class unbound_munin_by_opcode unbound_munin_by_rcode unbound_munin_by_flags unbound_munin_histogram; do
+    ln -s unbound %{buildroot}%{_datadir}/munin/plugins/$plugin
+done 
+
+# install root and DLV key
+install -m 0644 %{SOURCE5} %{SOURCE6} %{buildroot}%{_sysconfdir}/unbound/
+
+# remove static library from install (fedora packaging guidelines)
+rm %{buildroot}%{_libdir}/*.la
+%if %{with_python}
+rm %{buildroot}%{python_sitelib}/*.la
+%endif
+
+mkdir -p %{buildroot}%{_localstatedir}/run/unbound
+
+%clean
+rm -rf ${RPM_BUILD_ROOT}
+
+%files 
+%defattr(-,root,root,-)
+%doc doc/README doc/CREDITS doc/LICENSE doc/FEATURES
+%attr(0755,root,root) %{_initrddir}/%{name}
+%attr(0755,root,root) %dir %{_sysconfdir}/%{name}
+%ghost %attr(0755,unbound,unbound) %dir %{_localstatedir}/run/%{name}
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key
+%{_sbindir}/*
+%{_mandir}/*/*
+
+%if %{with_python}
+%files python
+%defattr(-,root,root,-)
+%{python_sitelib}/*
+%endif
+
+%files munin
+%defattr(-,root,root,-)
+%config(noreplace) %{_sysconfdir}/munin/plugin-conf.d/unbound
+%{_datadir}/munin/plugins/unbound*
+
+%files devel
+%defattr(-,root,root,-)
+%{_libdir}/libunbound.so
+%{_includedir}/unbound.h
+%doc README
+
+%files libs
+%defattr(-,root,root,-)
+%{_libdir}/libunbound.so.*
+%doc doc/README doc/LICENSE
+
+%pre
+getent group unbound >/dev/null || groupadd -r unbound
+getent passwd unbound >/dev/null || \
+useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \
+-c "Unbound DNS resolver" unbound
+exit 0
+
+%post
+/sbin/chkconfig --add %{name}
+# dnssec-conf used to contain our DLV key, but now we include it via unbound
+# If unbound had previously been configured with dnssec-configure, we need
+# to migrate the location of the DLV key file (to keep DLV enabled, and because
+# unbound won't start with a bad location for a DLV key file.
+sed -i "s:/etc/pki/dnssec-keys[/]*dlv:/etc/unbound:" %{_sysconfdir}/unbound/unbound.conf
+
+%post libs -p /sbin/ldconfig
+
+%preun
+if [ "$1" -eq 0 ]; then
+        /sbin/service %{name} stop >/dev/null 2>&1
+        /sbin/chkconfig --del %{name} 
+fi
+
+%postun 
+if [ "$1" -ge "1" ]; then
+  /sbin/service %{name} condrestart >/dev/null 2>&1 || :
+fi
+
+%postun libs -p /sbin/ldconfig
+
+%changelog
+* Sun Jul 03 2011 Paul Wouters <paul@xelerance.com> - 1.4.11-1
+- Updated to 1.4.11
+- removed integrated CVE patch
+- updated stock unbound.conf for new options introduced
+
+* Mon Jun 06 2011 Paul Wouters <paul@xelerance.com> - 1.4.10-1
+- Added ghost for /var/run/unbound (bz#656710)
+
+* Mon Jun 06 2011 Paul Wouters <paul@xelerance.com> - 1.4.9-3
+- rebuilt
+
+* Wed May 25 2011 Paul Wouters <paul@xelerance.com> - 1.4.9-2
+- Applied patch for CVE-2011-1922 DoS vulnerability
+
+* Sun Mar 27 2011 Paul Wouters <paul@xelerance.com> - 1.4.9-1
+- Updated to 1.4.9
+
+* Sat Feb 12 2011 Paul Wouters <paul@xelerance.com> - 1.4.8-2
+- rebuilt
+
+* Tue Jan 25 2011 Paul Wouters <paul@xelerance.com> - 1.4.8-1
+- Updated to 1.4.8
+- Enable root key for DNSSEC
+- Fix unbound-munin to use proper file (could cause excessive logging)
+- Build unbound-python per default
+- Disable gost as Fedora/EPEL does not allow ECC and has mangled openssl
+
+* Tue Oct 26 2010 Paul Wouters <paul@xelerance.com> - 1.4.5-4
+- Revert last build - it was on the wrong branch
+
+* Tue Oct 26 2010 Paul Wouters <paul@xelerance.com> - 1.4.5-3
+- Disable do-ipv6 per default - causes severe degradation on non-ipv6 machines
+  (see comments in inbound.conf)
+
+* Tue Jun 15 2010 Paul Wouters <paul@xelerance.com> - 1.4.5-2
+- Bump release - forgot to upload the new tar ball.
+
+* Tue Jun 15 2010 Paul Wouters <paul@xelerance.com> - 1.4.5-1
+- Upgraded to 1.4.5
+
+* Mon May 31 2010 Paul Wouters <paul@xelerance.com> - 1.4.4-2
+- Added accidentally omitted svn patches to cvs 
+
+* Mon May 31 2010 Paul Wouters <paul@xelerance.com> - 1.4.4-1
+- Upgraded to 1.4.4 with svn patches
+- Obsolete dnssec-conf to ensure it is de-installed
+
+* Thu Mar 11 2010 Paul Wouters <paul@xelerance.com> - 1.4.3-1
+- Update to 1.4.3 that fixes 64bit crasher
+
+* Tue Mar 09 2010 Paul Wouters <paul@xelerance.com> - 1.4.2-1
+- Updated to 1.4.2 
+- Updated unbound.conf with new options
+- Enabled pre-fetching DNSKEY records (DNSSEC speedup)
+- Enabled re-fetching popular records before they expire
+- Enabled logging of DNSSEC validation errors
+
+* Mon Mar 01 2010 Paul Wouters <paul@xelerance.com> - 1.4.1-5
+- Overriding -D_GNU_SOURCE is no longer needed. This fixes DSO issues
+  with pthreads
+
+* Wed Feb 24 2010 Paul Wouters <paul@xelerance.com> - 1.4.1-3
+- Change make/configure lines to attempt to fix -lphtread linking issue
+
+* Thu Feb 18 2010 Paul Wouters <paul@xelerance.com> - 1.4.1-2
+- Removed dependancy for dnssec-conf
+- Added ISC DLV key (formerly in dnssec-conf)
+- Fixup old DLV locations in unbound.conf file via %%post
+- Fix parent child disagreement handling and no-ipv6 present [svn r1953]
+
+* Tue Jan 05 2010 Paul Wouters <paul@xelerance.com> - 1.4.1-1
+- Updated to 1.4.1
+- Changed %%define to %%global
+
+* Thu Oct 08 2009 Paul Wouters <paul@xelerance.com> - 1.3.4-2
+- Bump version
+
+* Thu Oct 08 2009 Paul Wouters <paul@xelerance.com> - 1.3.4-1
+- Upgraded to 1.3.4. Security fix with validating NSEC3 records
+
+* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 1.3.3-2
+- rebuilt with new openssl
+
+* Mon Aug 17 2009 Paul Wouters <paul@xelerance.com> - 1.3.3-1
+- Updated to 1.3.3
+
+* Sun Jul 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Sat Jun 20 2009 Paul Wouters <paul@xelerance.com> - 1.3.0-2
+- Added missing glob patch to cvs
+- Place python macros within the %%with_python check
+
+* Sat Jun 20 2009 Paul Wouters <paul@xelerance.com> - 1.3.0-1
+- Updated to 1.3.0
+- Added unbound-python sub package. disabled for now
+- Patch from svn to fix DLV lookups
+- Patches from svn to detect wrong truncated response from BIND 9.6.1 with
+  minimal-responses)
+- Added Default-Start and Default-Stop to unbound.init
+- Re-enabled --enable-sha2
+- Re-enabled glob.patch
+
+* Wed May 20 2009 Paul Wouters <paul@xelerance.com> - 1.2.1-7
+- unbound-iterator.patch was not commited
+
+* Wed May 20 2009 Paul Wouters <paul@xelerance.com> - 1.2.1-6
+- Fix for https://bugzilla.redhat.com/show_bug.cgi?id=499793
+
+* Tue Mar 17 2009 Paul Wouters <paul@xelerance.com> - 1.2.1-5
+- Use --nocheck to avoid giving an error on missing unbound-remote certs/keys
+
+* Tue Mar 10 2009 Adam Tkac <atkac redhat com> - 1.2.1-4
+- enable DNSSEC only if it is enabled in sysconfig/dnssec
+
+* Mon Mar 09 2009 Adam Tkac <atkac redhat com> - 1.2.1-3
+- add DNSSEC support to initscript and enabled it per default
+- add requires dnssec-conf
+
+* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Tue Feb 10 2009 Paul Wouters <paul@xelerance.com - 1.2.1-1
+- updated to 1.2.1
+
+* Sun Jan 18 2009 Tomas Mraz <tmraz@redhat.com> - 1.2.0-2
+- rebuild with new openssl
+
+* Wed Jan 14 2009 Paul Wouters <paul@xelerance.com - 1.2.0-1
+- Updated to 1.2.0
+- Added dependancy on minimum SSL for CVE-2008-5077
+- Added dependancy on bc for unbound-munin
+- Added minimum requirement of libevent 1.4.5. Crashes with older versions
+  (note: libevent is stale in EL-4 and not in EL-5, needs fixing there)
+- Removed dependancy on selinux-policy (will get used when available)
+- Enable options as per draft-wijngaards-dnsext-resolver-side-mitigation-00.txt
+- Enable unwanted-reply-threshold to mitigate against a Kaminsky attack
+- Enable val-clean-additional to drop addition unsigned data from signed
+  response.
+- Removed patches (got merged into upstream)
+
+* Mon Jan  5 2009 Paul Wouters <paul@xelerance.com> - 1.1.1-7
+- Modified scandir patch to silently fail when wildcard matches nothing
+- Patch to allow unbound-checkconf to find empty wildcard matches
+
+* Mon Jan  5 2009 Paul Wouters <paul@xelerance.com> - 1.1.1-6
+- Added scandir patch for trusted-keys-file: option, which
+  is used to load multiple dnssec keys in bind file format
+
+* Mon Dec  8 2008 Paul Wouters <paul@xelerance.com> - 1.1.1-4
+- Added Requires: for selinux-policy >= 3.5.13-33 for proper SElinux rules.
+
+* Mon Dec  1 2008 Paul Wouters <paul@xelerance.com> - 1.1.1-3
+- We did not own the /etc/unbound directory (#474020)
+- Fixed cvs anomalies
+
+* Fri Nov 28 2008 Adam Tkac <atkac redhat com> - 1.1.1-2
+- removed all obsolete chroot related stuff
+- label control certs after generation correctly
+
+* Thu Nov 20 2008 Paul Wouters <paul@xelerance.com> - 1.1.1-1
+- Updated to unbound 1.1.1 which fixes a crasher and
+  addresses nlnetlabs bug #219
+
+* Wed Nov 19 2008 Paul Wouters <paul@xelerance.com> - 1.1.0-3
+- Remove the chroot, obsoleted by SElinux
+- Add additional munin plugin links supported by unbound plugin
+- Move configuration directory from /var/lib/unbound to /etc/unbound
+- Modified unbound.init and unbound.conf to account for chroot changes
+- Updated unbound.conf with new available options
+- Enabled dns-0x20 protection per default
+
+* Wed Nov 19 2008 Adam Tkac <atkac redhat com> - 1.1.0-2
+- unbound-1.1.0-log_open.patch
+  - make sure log is opened before chroot call
+  - tracked as http://www.nlnetlabs.nl/bugs/show_bug.cgi?id=219
+- removed /dev/log and /var/run/unbound and /etc/resolv.conf from
+  chroot, not needed
+- don't mount files in chroot, it causes problems during updates
+- fixed typo in default config file
+
+* Fri Nov 14 2008 Paul Wouters <paul@xelerance.com> - 1.1.0-1
+- Updated to version 1.1.0
+- Updated unbound.conf's statistics options and remote-control
+  to work properly for munin
+- Added unbound-munin package
+- Generate unbound remote-control  key/certs on first startup
+- Required ldns is now 1.4.0
+
+* Wed Oct 22 2008 Paul Wouters <paul@xelerance.com> - 1.0.2-5
+- Only call ldconfig in -libs package
+- Move configure into build section
+- devel subpackage should only depend on libs subpackage
+
+* Tue Oct 21 2008 Paul Wouters <paul@xelerance.com> - 1.0.2-4
+- Fix CFLAGS getting lost in build
+- Don't enable interface-automatic:yes because that
+  causes unbound to listen on 0.0.0.0 instead of 127.0.0.1
+
+* Sun Oct 19 2008 Paul Wouters <paul@xelerance.com> - 1.0.2-3
+- Split off unbound-libs, make build verbose 
+
+* Thu Oct  9 2008 Paul Wouters <paul@xelerance.com> - 1.0.2-2
+- FSB compliance, chroot fixes, initscript fixes
+
+* Thu Sep 11 2008 Paul Wouters <paul@xelerance.com> - 1.0.2-1
+- Upgraded to 1.0.2
+
+* Wed Jul 16 2008 Paul Wouters <paul@xelerance.com> - 1.0.1-1
+- upgraded to new release
+
+* Wed May 21 2008 Paul Wouters <paul@xelerance.com> - 1.0.0-2
+- Build against ldns-1.3.0
+
+* Wed May 21 2008 Paul Wouters <paul@xelerance.com> - 1.0.0-1
+- Split of -devel package, fixed dependancies, make rpmlint happy
+
+* Thu Apr 25 2008 Wouter Wijngaards <wouter@nlnetlabs.nl> - 0.12
+- Using parts from ports collection entry by Jaap Akkerhuis.
+- Using Fedoraproject wiki guidelines.
+
+* Wed Apr 23 2008 Wouter Wijngaards <wouter@nlnetlabs.nl> - 0.11
+- Initial version.
diff --git a/unbound_munin_ b/unbound_munin_
new file mode 100644
index 0000000..779532d
--- /dev/null
+++ b/unbound_munin_
@@ -0,0 +1,553 @@
+#!/bin/sh
+#
+# plugin for munin to monitor usage of unbound servers.
+#
+# (C) 2008 W.C.A. Wijngaards.  BSD Licensed.
+#
+# To install; enable statistics and unbound-control in unbound.conf
+#	server:		extended-statistics: yes
+#			statistics-cumulative: no
+#			statistics-interval: 0
+#	remote-control:	control-enable: yes
+# Run the command unbound-control-setup to generate the key files.
+#
+# Environment variables for this script
+#	statefile	- where to put temporary statefile.
+#	unbound_conf	- where the unbound.conf file is located.
+#	unbound_control	- where to find unbound-control executable.
+#	spoof_warn	- what level to warn about spoofing
+#	spoof_crit	- what level to crit about spoofing
+#
+# You can set them in your munin/plugin-conf.d/plugins.conf file
+# with:
+# [unbound*]
+# user root
+# env.statefile /usr/local/var/munin/plugin-state/unbound-state
+# env.unbound_conf /usr/local/etc/unbound/unbound.conf
+# env.unbound_control /usr/local/sbin/unbound-control
+# env.spoof_warn 1000
+# env.spoof_crit 100000
+#
+# This plugin can create different graphs depending on what name
+# you link it as (with ln -s) into the plugins directory
+# You can link it multiple times.
+# If you are only a casual user, the _hits and _by_type are most interesting,
+# possibly followed by _by_rcode.
+#
+#	unbound_munin_hits	- base volume, cache hits, unwanted traffic
+#	unbound_munin_queue	- to monitor the internal requestlist
+#	unbound_munin_memory	- memory usage
+#	unbound_munin_by_type	- incoming queries by type
+#	unbound_munin_by_class	- incoming queries by class
+#	unbound_munin_by_opcode	- incoming queries by opcode
+#	unbound_munin_by_rcode	- answers by rcode, validation status
+#	unbound_munin_by_flags	- incoming queries by flags
+#	unbound_munin_histogram	- histogram of query resolving times
+#
+# Magic markers - optional - used by installation scripts and
+# munin-config:
+#
+#%# family=contrib
+#%# capabilities=autoconf suggest
+
+# POD documentation
+: <<=cut
+=head1 NAME
+
+unbound_munin_ - Munin plugin to monitor the Unbound DNS resolver.
+
+=head1 APPLICABLE SYSTEMS
+
+System with unbound daemon.
+
+=head1 CONFIGURATION
+
+  [unbound*]
+  user root
+  env.statefile /var/lib/munin/plugin-state/unbound-state
+  env.unbound_conf /etc/unbound/unbound.conf
+  env.unbound_control /usr/sbin/unbound-control
+  env.spoof_warn 1000
+  env.spoof_crit 100000
+
+Use the .env settings to override the defaults.
+
+=head1 USAGE
+
+Can be used to present different graphs. Use ln -s for that name in
+the plugins directory to enable the graph.
+unbound_munin_hits	- base volume, cache hits, unwanted traffic
+unbound_munin_queue	- to monitor the internal requestlist
+unbound_munin_memory	- memory usage
+unbound_munin_by_type	- incoming queries by type
+unbound_munin_by_class	- incoming queries by class
+unbound_munin_by_opcode	- incoming queries by opcode
+unbound_munin_by_rcode	- answers by rcode, validation status
+unbound_munin_by_flags	- incoming queries by flags
+unbound_munin_histogram - histogram of query resolving times
+
+=head1 AUTHOR
+
+Copyright 2008 W.C.A. Wijngaards
+
+=head1 LICENSE
+
+BSD
+
+=cut
+
+state=${statefile:-/var/lib/munin/plugin-state/unbound-state}
+conf=${unbound_conf:-/etc/unbound/unbound.conf}
+ctrl=${unbound_control:-/usr/sbin/unbound-control}
+warn=${spoof_warn:-1000}
+crit=${spoof_crit:-100000}
+lock=$state.lock
+
+# number of seconds between polling attempts.
+# makes the statefile hang around for at least this many seconds,
+# so that multiple links of this script can share the results.
+lee=55
+
+# to keep things within 19 characters
+ABBREV="-e s/total/t/ -e s/thread/t/ -e s/num/n/ -e s/query/q/ -e s/answer/a/ -e s/unwanted/u/ -e s/requestlist/ql/ -e s/type/t/ -e s/class/c/ -e s/opcode/o/ -e s/rcode/r/ -e s/edns/e/ -e s/mem/m/ -e s/cache/c/ -e s/mod/m/"
+
+# get value from $1 into return variable $value
+get_value ( ) {
+	value="`grep '^'$1'=' $state | sed -e 's/^.*=//'`"
+	if test "$value"x = ""x; then
+		value="0"
+	fi
+}
+
+# download the state from the unbound server.
+get_state ( ) {
+	# obtain lock for fetching the state
+	# because there is a race condition in fetching and writing to file
+
+	# see if the lock is stale, if so, take it 
+	if test -f $lock ; then
+		pid="`cat $lock 2>&1`"
+		kill -0 "$pid" >/dev/null 2>&1
+		if test $? -ne 0 -a "$pid" != $$ ; then
+			echo $$ >$lock
+		fi
+	fi
+
+	i=0
+	while test ! -f $lock || test "`cat $lock 2>&1`" != $$; do
+		while test -f $lock; do
+			# wait
+			i=`expr $i + 1`
+			if test $i -gt 1000; then
+				sleep 1;
+			fi
+			if test $i -gt 1500; then
+				echo "error locking $lock" "=" `cat $lock`
+				rm -f $lock
+				exit 1
+			fi
+		done
+		# try to get it
+		echo $$ >$lock
+	done
+	# do not refetch if the file exists and only LEE seconds old
+	if test -f $state; then
+		now=`date +%s`
+		get_value "time.now"
+		value="`echo $value | sed -e 's/\..*$//'`"
+		if test $now -lt `expr $value + $lee`; then
+			rm -f $lock
+			return
+		fi
+	fi
+	$ctrl -c $conf stats > $state
+	if test $? -ne 0; then
+		echo "error retrieving data from unbound server"
+		rm -f $lock
+		exit 1
+	fi
+	rm -f $lock
+}
+
+if test "$1" = "autoconf" ; then
+	if test ! -f $conf; then
+		echo no "($conf does not exist)"
+		exit 1
+	fi
+	if test ! -d `dirname $state`; then
+		echo no "($state directory does not exist)"
+		exit 1
+	fi
+	echo yes
+	exit 0
+fi
+
+if test "$1" = "suggest" ; then
+	echo "hits"
+	echo "queue"
+	echo "memory"
+	echo "by_type"
+	echo "by_class"
+	echo "by_opcode"
+	echo "by_rcode"
+	echo "by_flags"
+	echo "histogram"
+	exit 0
+fi
+
+# determine my type, by name
+id=`echo $0 | sed -e 's/^.*unbound_munin_//'`
+if test "$id"x = ""x; then
+	# some default to keep people sane.
+	id="hits"
+fi
+
+# if $1 exists in statefile, config is echoed with label $2
+exist_config ( ) {
+	mn=`echo $1 | sed $ABBREV | tr . _`
+	if grep '^'$1'=' $state >/dev/null 2>&1; then
+		echo "$mn.label $2"
+		echo "$mn.min 0"
+	fi
+}
+
+# print label and min 0 for a name $1 in unbound format
+p_config ( ) {
+	mn=`echo $1 | sed $ABBREV | tr . _`
+	echo $mn.label "$2"
+	echo $mn.min 0
+}
+
+if test "$1" = "config" ; then
+	if test ! -f $state; then
+		get_state
+	fi
+	case $id in
+	hits)
+		echo "graph_title Unbound DNS traffic and cache hits"
+		echo "graph_args --base 1000 -l 0"
+		echo "graph_vlabel queries / second"
+		echo "graph_category DNS"
+		for x in thread0.num.queries thread1.num.queries \
+		thread2.num.queries thread3.num.queries thread4.num.queries \
+		thread5.num.queries thread6.num.queries thread7.num.queries; do
+			exist_config $x "queries handled by `basename $x .num.queries`"
+		done
+		p_config "total.num.queries" "total queries from clients"
+		p_config "total.num.cachehits" "cache hits"
+		p_config "total.num.prefetch" "cache prefetch"
+		p_config "num.query.tcp" "TCP queries"
+		p_config "num.query.ipv6" "IPv6 queries"
+		p_config "unwanted.queries" "queries that failed acl"
+		p_config "unwanted.replies" "unwanted or unsolicited replies"
+		echo "u_replies.warning $warn"
+		echo "u_replies.critical $crit"
+		echo "graph_info DNS queries to the recursive resolver. The unwanted replies could be innocent duplicate packets, late replies, or spoof threats."
+		;;
+	queue)
+		echo "graph_title Unbound requestlist size"
+		echo "graph_args --base 1000 -l 0"
+		echo "graph_vlabel number of queries"
+		echo "graph_category DNS"
+		p_config "total.requestlist.avg" "Average size of queue on insert"
+		p_config "total.requestlist.max" "Max size of queue (in 5 min)"
+		p_config "total.requestlist.overwritten" "Number of queries replaced by new ones"
+		p_config "total.requestlist.exceeded" "Number of queries dropped due to lack of space"
+		echo "graph_info The queries that did not hit the cache and need recursion service take up space in the requestlist. If there are too many queries, first queries get overwritten, and at last resort dropped."
+		;;
+	memory)
+		echo "graph_title Unbound memory usage"
+		echo "graph_args --base 1024 -l 0"
+		echo "graph_vlabel memory used in bytes"
+		echo "graph_category DNS"
+		p_config "mem.total.sbrk" "Total memory"
+		p_config "mem.cache.rrset" "RRset cache memory"
+		p_config "mem.cache.message" "Message cache memory"
+		p_config "mem.mod.iterator" "Iterator module memory"
+		p_config "mem.mod.validator" "Validator module and key cache memory"
+		echo "graph_info The memory used by unbound."
+		;;
+	by_type)
+		echo "graph_title Unbound DNS queries by type"
+		echo "graph_args --base 1000 -l 0"
+		echo "graph_vlabel queries / second"
+		echo "graph_category DNS"
+		for x in `grep "^num.query.type" $state`; do
+			nm=`echo $x | sed -e 's/=.*$//'`
+			tp=`echo $nm | sed -e s/num.query.type.//`
+			p_config "$nm" "$tp"
+		done
+		echo "graph_info queries by DNS RR type queried for"
+		;;
+	by_class)
+		echo "graph_title Unbound DNS queries by class"
+		echo "graph_args --base 1000 -l 0"
+		echo "graph_vlabel queries / second"
+		echo "graph_category DNS"
+		for x in `grep "^num.query.class" $state`; do
+			nm=`echo $x | sed -e 's/=.*$//'`
+			tp=`echo $nm | sed -e s/num.query.class.//`
+			p_config "$nm" "$tp"
+		done
+		echo "graph_info queries by DNS RR class queried for."
+		;;
+	by_opcode)
+		echo "graph_title Unbound DNS queries by opcode"
+		echo "graph_args --base 1000 -l 0"
+		echo "graph_vlabel queries / second"
+		echo "graph_category DNS"
+		for x in `grep "^num.query.opcode" $state`; do
+			nm=`echo $x | sed -e 's/=.*$//'`
+			tp=`echo $nm | sed -e s/num.query.opcode.//`
+			p_config "$nm" "$tp"
+		done
+		echo "graph_info queries by opcode in the query packet."
+		;;
+	by_rcode)
+		echo "graph_title Unbound DNS answers by return code"
+		echo "graph_args --base 1000 -l 0"
+		echo "graph_vlabel answer packets / second"
+		echo "graph_category DNS"
+		for x in `grep "^num.answer.rcode" $state`; do
+			nm=`echo $x | sed -e 's/=.*$//'`
+			tp=`echo $nm | sed -e s/num.answer.rcode.//`
+			p_config "$nm" "$tp"
+		done
+		p_config "num.answer.secure" "answer secure"
+		p_config "num.answer.bogus" "answer bogus"
+		p_config "num.rrset.bogus" "num rrsets marked bogus"
+		echo "graph_info answers sorted by return value. rrsets bogus is the number of rrsets marked bogus per second by the validator"
+		;;
+	by_flags)
+		echo "graph_title Unbound DNS incoming queries by flags"
+		echo "graph_args --base 1000 -l 0"
+		echo "graph_vlabel queries / second"
+		echo "graph_category DNS"
+		p_config "num.query.flags.QR" "QR (query reply) flag"
+		p_config "num.query.flags.AA" "AA (auth answer) flag"
+		p_config "num.query.flags.TC" "TC (truncated) flag"
+		p_config "num.query.flags.RD" "RD (recursion desired) flag"
+		p_config "num.query.flags.RA" "RA (rec avail) flag"
+		p_config "num.query.flags.Z" "Z (zero) flag"
+		p_config "num.query.flags.AD" "AD (auth data) flag"
+		p_config "num.query.flags.CD" "CD (check disabled) flag"
+		p_config "num.query.edns.present" "EDNS OPT present"
+		p_config "num.query.edns.DO" "DO (DNSSEC OK) flag"
+		echo "graph_info This graphs plots the flags inside incoming queries. For example, if QR, AA, TC, RA, Z flags are set, the query can be rejected. RD, AD, CD and DO are legitimately set by some software."
+		;;
+	histogram)
+		echo "graph_title Unbound DNS histogram of reply time"
+		echo "graph_args --base 1000 -l 0"
+		echo "graph_vlabel queries / second"
+		echo "graph_category DNS"
+		echo hcache.label "cache hits"
+		echo hcache.min 0
+		echo hcache.draw AREA
+		echo hcache.colour 999999
+		echo h64ms.label "0 msec - 66 msec"
+		echo h64ms.min 0
+		echo h64ms.draw STACK
+		echo h64ms.colour 0000FF
+		echo h128ms.label "66 msec - 131 msec"
+		echo h128ms.min 0
+		echo h128ms.colour 1F00DF
+		echo h128ms.draw STACK
+		echo h256ms.label "131 msec - 262 msec"
+		echo h256ms.min 0
+		echo h256ms.draw STACK
+		echo h256ms.colour 3F00BF
+		echo h512ms.label "262 msec - 524 msec"
+		echo h512ms.min 0
+		echo h512ms.draw STACK
+		echo h512ms.colour 5F009F
+		echo h1s.label "524 msec - 1 sec"
+		echo h1s.min 0
+		echo h1s.draw STACK
+		echo h1s.colour 7F007F
+		echo h2s.label "1 sec - 2 sec"
+		echo h2s.min 0
+		echo h2s.draw STACK
+		echo h2s.colour 9F005F
+		echo h4s.label "2 sec - 4 sec"
+		echo h4s.min 0
+		echo h4s.draw STACK
+		echo h4s.colour BF003F
+		echo h8s.label "4 sec - 8 sec"
+		echo h8s.min 0
+		echo h8s.draw STACK
+		echo h8s.colour DF001F
+		echo h16s.label "8 sec - ..."
+		echo h16s.min 0
+		echo h16s.draw STACK
+		echo h16s.colour FF0000
+		echo "graph_info Histogram of the reply times for queries."
+		;;
+	esac
+
+	exit 0
+fi
+
+# do the stats itself
+get_state
+
+# get the time elapsed
+get_value "time.elapsed"
+if test $value = 0 || test $value = "0.000000"; then
+	echo "error: time elapsed 0 or could not retrieve data"
+	exit 1
+fi
+elapsed="$value"
+
+# print value for $1 / elapsed
+print_qps ( ) {
+	mn=`echo $1 | sed $ABBREV | tr . _`
+	get_value $1
+	echo "$mn.value" `echo scale=6';' $value / $elapsed | bc `
+}
+
+# print qps if line already found in $2
+print_qps_line ( ) {
+	mn=`echo $1 | sed $ABBREV | tr . _`
+	value="`echo $2 | sed -e 's/^.*=//'`"
+	echo "$mn.value" `echo scale=6';' $value / $elapsed | bc `
+}
+
+# print value for $1
+print_value ( ) {
+	mn=`echo $1 | sed $ABBREV | tr . _`
+	get_value $1
+	echo "$mn.value" $value
+}
+
+case $id in
+hits)
+	for x in thread0.num.queries thread1.num.queries thread2.num.queries \
+		thread3.num.queries thread4.num.queries thread5.num.queries \
+		thread6.num.queries thread7.num.queries total.num.queries \
+		total.num.cachehits total.num.prefetch num.query.tcp \
+		num.query.ipv6 unwanted.queries unwanted.replies; do
+		if grep "^"$x"=" $state >/dev/null 2>&1; then
+			print_qps $x
+		fi
+	done
+	;;
+queue)
+	for x in total.requestlist.avg total.requestlist.max \
+		total.requestlist.overwritten total.requestlist.exceeded; do
+		print_value $x
+	done
+	;;
+memory)
+	mn=`echo mem.total.sbrk | sed $ABBREV | tr . _`
+	get_value 'mem.total.sbrk'
+	if test $value -eq 0; then
+		chk=`echo $ctrl | sed -e 's/-control$/-checkconf/'`
+		pidf=`$chk -o pidfile $conf 2>&1`
+		pid=`cat $pidf 2>&1`
+		value=`ps -p "$pid" -o rss= 2>&1`
+		if test "`expr $value + 1 - 1 2>&1`" -eq "$value" 2>&1; then
+			value=`expr $value \* 1024` 
+		else
+			value=0
+		fi
+	fi
+	echo "$mn.value" $value
+	for x in mem.cache.rrset mem.cache.message \
+		mem.mod.iterator mem.mod.validator; do
+		print_value $x
+	done
+	;;
+by_type)
+	for x in `grep "^num.query.type" $state`; do
+		nm=`echo $x | sed -e 's/=.*$//'`
+		print_qps_line $nm $x
+	done
+	;;
+by_class)
+	for x in `grep "^num.query.class" $state`; do
+		nm=`echo $x | sed -e 's/=.*$//'`
+		print_qps_line $nm $x
+	done
+	;;
+by_opcode)
+	for x in `grep "^num.query.opcode" $state`; do
+		nm=`echo $x | sed -e 's/=.*$//'`
+		print_qps_line $nm $x
+	done
+	;;
+by_rcode)
+	for x in `grep "^num.answer.rcode" $state`; do
+		nm=`echo $x | sed -e 's/=.*$//'`
+		print_qps_line $nm $x
+	done
+	print_qps "num.answer.secure"
+	print_qps "num.answer.bogus"
+	print_qps "num.rrset.bogus"
+	;;
+by_flags)
+	for x in num.query.flags.QR num.query.flags.AA num.query.flags.TC num.query.flags.RD num.query.flags.RA num.query.flags.Z num.query.flags.AD num.query.flags.CD num.query.edns.present num.query.edns.DO; do
+		print_qps $x
+	done
+	;;
+histogram)
+	get_value total.num.cachehits
+	echo hcache.value `echo scale=6';' $value / $elapsed | bc `
+	r=0
+	for x in histogram.000000.000000.to.000000.000001 \
+		histogram.000000.000001.to.000000.000002 \
+		histogram.000000.000002.to.000000.000004 \
+		histogram.000000.000004.to.000000.000008 \
+		histogram.000000.000008.to.000000.000016 \
+		histogram.000000.000016.to.000000.000032 \
+		histogram.000000.000032.to.000000.000064 \
+		histogram.000000.000064.to.000000.000128 \
+		histogram.000000.000128.to.000000.000256 \
+		histogram.000000.000256.to.000000.000512 \
+		histogram.000000.000512.to.000000.001024 \
+		histogram.000000.001024.to.000000.002048 \
+		histogram.000000.002048.to.000000.004096 \
+		histogram.000000.004096.to.000000.008192 \
+		histogram.000000.008192.to.000000.016384 \
+		histogram.000000.016384.to.000000.032768 \
+		histogram.000000.032768.to.000000.065536; do
+		get_value $x
+		r=`expr $r + $value`
+	done
+	echo h64ms.value `echo scale=6';' $r / $elapsed | bc `
+	get_value histogram.000000.065536.to.000000.131072
+	echo h128ms.value `echo scale=6';' $value / $elapsed | bc `
+	get_value histogram.000000.131072.to.000000.262144
+	echo h256ms.value `echo scale=6';' $value / $elapsed | bc `
+	get_value histogram.000000.262144.to.000000.524288
+	echo h512ms.value `echo scale=6';' $value / $elapsed | bc `
+	get_value histogram.000000.524288.to.000001.000000
+	echo h1s.value `echo scale=6';' $value / $elapsed | bc `
+	get_value histogram.000001.000000.to.000002.000000
+	echo h2s.value `echo scale=6';' $value / $elapsed | bc `
+	get_value histogram.000002.000000.to.000004.000000
+	echo h4s.value `echo scale=6';' $value / $elapsed | bc `
+	get_value histogram.000004.000000.to.000008.000000
+	echo h8s.value `echo scale=6';' $value / $elapsed | bc `
+	r=0
+	for x in histogram.000008.000000.to.000016.000000 \
+		histogram.000016.000000.to.000032.000000 \
+		histogram.000032.000000.to.000064.000000 \
+		histogram.000064.000000.to.000128.000000 \
+		histogram.000128.000000.to.000256.000000 \
+		histogram.000256.000000.to.000512.000000 \
+		histogram.000512.000000.to.001024.000000 \
+		histogram.001024.000000.to.002048.000000 \
+		histogram.002048.000000.to.004096.000000 \
+		histogram.004096.000000.to.008192.000000 \
+		histogram.008192.000000.to.016384.000000 \
+		histogram.016384.000000.to.032768.000000 \
+		histogram.032768.000000.to.065536.000000 \
+		histogram.065536.000000.to.131072.000000 \
+		histogram.131072.000000.to.262144.000000 \
+		histogram.262144.000000.to.524288.000000; do
+		get_value $x
+		r=`expr $r + $value`
+	done
+	echo h16s.value `echo scale=6';' $r / $elapsed | bc `
+	;;
+esac