- 20 Apr, 2022 2 commits
-
-
Michael Tokarev authored
-
Michael Tokarev authored
Move the remote-control section above the include directive so it is possible to override it there, and fix comment
-
- 19 Apr, 2022 18 commits
-
-
Michael Tokarev authored
-
Michael Tokarev authored
-
Michael Tokarev authored
-
Michael Tokarev authored
-
Michael Tokarev authored
-
Michael Tokarev authored
-
Michael Tokarev authored
Move dns-root-data from Depends to Recommends. Nothing is changed for most users (apt installs Recommends by default). Once unbound is first run with dns-root-data installed, it is possible to uninstall it, as unbound will use RFC 5011 trust anchor tracking to keep this file up to date.
-
Michael Tokarev authored
Since the default control-enable is now off as per upstream, generating the ssl keys is not strictly necessary (in postinst). Add a check to unbound.postinst whenever openssl is available, and run unbound-control-setup only if it is. Add a check to unbound-control-setup whenever openssl is available, suggesting to install the package if it is not. And move openssl dependency from Depends: to Recommends:. For most users it will be installed still, but there's a way to uninstall it if not needed: we use it only once to generate the keys, it is not used once this is done and the hard dependency is not necessary.
-
Michael Tokarev authored
-
Michael Tokarev authored
-
Michael Tokarev authored
-
Michael Tokarev authored
-
Michael Tokarev authored
there are multiple problems in there.
1. the systemd notify socket was linked into the chroot only when using non-standard chroot directory different from the suggested-default /etc/unbound. If it is set to /etc/unbound, the socket is not linked. The initial chroot setup - the copying of /etc/unbound/* into the chroot - was done here to support non-default chroots only, since by default all files are available in the chroot directly and there's no need to copy anything. But later someone added the systemd notify socket into this same place, but apparently the socket should have been linked in case chroot is being used _at all_, no matter if it is in the default directory or not. It was an unsuccessful attempt to fix #828699, now we really fix that one and also fix #931583. See also https://github.com/systemd/systemd/issues/3544
2. Before checking for $CHROOT_DIR being a directory, it is a good idea to see if $CHROOT_DIR is non-empty (since -d "" is true), - whenever we do have chroot configured in the first place. This hasn't been done.
3. The 2. above means the helper script will happily umount the system-wide /run/systemd/notify if it is a mountpoint for some reason (eg, running in a container). This is gross.
4. in the chroot setup phase, we did chroot_teardown which is unnecessary. We can just skip the socket mounting if it is already mounted.
5. we always touch $chroot/run/systemd/notify file even if it already exists, - in order to create it. This fails on a read-only root, - again, even if the file is already there. Do it only if the file isn't there.
-
Michael Tokarev authored
simplify the conditionals, use tar -C instead of complex expressions
-
Michael Tokarev authored
This goes on-par with the current debian guidelines about keeping various helper binaries in /usr/libexec instead of /usr/lib, and since we have only single helper binary, there's no need to put it into a subdir. This also makes things a little more apparent, like, for example, system logs will be like:
| Oct 09 18:22:44 hosname systemd[1]: Starting Unbound DNS server...
| Oct 09 18:23:35 hosname unbound-helper[1539]: Updating /var/lib/unbound/root.key
| Oct 09 18:23:35 hosname systemd[1]: Started Unbound DNS server.
note the name "unbound-helper" - previously it was "package-helper". This changes the paths in systemd .service files and in init.d initscripts.
-
Michael Tokarev authored
-
Michael Tokarev authored
This function is doing the update of auto-trust-anchor root.key in unbound directory from the file provided by dns-root-data. We should update it only if unbound did not do it already, having a more recent version. And we should do it in a way to ensure the new file is copied in full before it is being used (#989959). So first verify if this file in unbound dir is not more recent than the one provided by dns-root-data. And next, copy the file being updated to a temp file and mv it into place only when done. Use setpriv utility for this instead of doing things as root in an untrusted directory to eliminate a possibility for unbound=>root privilege escalations.
-
Michael Tokarev authored
-
- 18 Apr, 2022 17 commits
-
-
Michael Tokarev authored
-
Michael Tokarev authored
-
Michael Tokarev authored
Unless disabled in /etc/default/unbound, always check that /var/lib/unbound/root.key is the same as /usr/share/dns/root.key and perform a copy if not. While at it, clean up this deep condition/test set. Closes: #989959
-
Michael Tokarev authored
-
Michael Tokarev authored
-
Michael Tokarev authored
prebuild-windows-binary dnscrypt/testdata/keys1/public.key - false alarm
script-not-executable etc/resolvconf/update.d/unbound - disabled script
-
Michael Tokarev authored
Closes: #973793
-
Michael Tokarev authored
-
Michael Tokarev authored
remove 0001-Enable-remote-control-by-default.patch which flipped default value of remote-control:control-enable from "no" to "yes", which made it confusing, different from the documented behavior. Also add unbound.NEWS file describing the effect of this change. Closes: #991017
-
Michael Tokarev authored
-
Michael Tokarev authored
-
Michael Tokarev authored
-
Michael Tokarev authored
yes the hook is disabled
-
Michael Tokarev authored
-
Michael Tokarev authored
-
Simon Deziel authored
Patch taken from Gedalya <gedalya@gedalya.net> in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947771#15
Closes #947771
Signed-off-by: Simon Deziel <simon@sdeziel.info>
-
Michael Tokarev authored
Add clarifying description to resolvconf hook
See merge request dns-team/unbound!13
-
- 17 Apr, 2022 3 commits
-
-
Michael Tokarev authored
-
Michael Tokarev authored
-
Michael Tokarev authored
-