i8c-beta-stream-client
changed/i8c-beta-stream-client/opendnssec-2.1.7-1.module_el8+420+fb751951
MSVSphere Packaging Team
11 months ago
commit
993d0c11e3
@ -0,0 +1 @@
|
||||
SOURCES/opendnssec-2.1.7.tar.gz
|
||||
@ -0,0 +1 @@
|
||||
0277e4f54098bea74809e3d8e6cad1a435570349 SOURCES/opendnssec-2.1.7.tar.gz
|
||||
@ -0,0 +1,87 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
|
||||
<Configuration>
|
||||
|
||||
<RepositoryList>
|
||||
|
||||
<Repository name="SoftHSM">
|
||||
<Module>/usr/lib64/softhsm/libsofthsm.so</Module>
|
||||
<TokenLabel>OpenDNSSEC</TokenLabel>
|
||||
<PIN>1234</PIN>
|
||||
<!--
|
||||
# Disabled so it stores the public key in the HSM too,
|
||||
# so bind's dnssec-signzone can be used as well
|
||||
<SkipPublicKey/>
|
||||
-->
|
||||
</Repository>
|
||||
|
||||
<!--
|
||||
<Repository name="sca6000">
|
||||
<Module>/usr/lib64/opencryptoki/PKCS11_API.so</Module>
|
||||
<TokenLabel>Sun Metaslot</TokenLabel>
|
||||
<PIN>test:1234</PIN>
|
||||
<Capacity>255</Capacity>
|
||||
<RequireBackup/>
|
||||
<SkipPublicKey/>
|
||||
</Repository>
|
||||
-->
|
||||
|
||||
</RepositoryList>
|
||||
|
||||
<Common>
|
||||
<Logging>
|
||||
<Syslog><Facility>local0</Facility></Syslog>
|
||||
</Logging>
|
||||
|
||||
<PolicyFile>/etc/opendnssec/kasp.xml</PolicyFile>
|
||||
<ZoneListFile>/etc/opendnssec/zonelist.xml</ZoneListFile>
|
||||
|
||||
<!--
|
||||
<ZoneFetchFile>/etc/opendnssec/zonefetch.xml</ZoneFetchFile>
|
||||
-->
|
||||
</Common>
|
||||
|
||||
<Enforcer>
|
||||
<Privileges>
|
||||
<User>ods</User>
|
||||
<Group>ods</Group>
|
||||
</Privileges>
|
||||
|
||||
<Datastore><SQLite>/var/opendnssec/kasp.db</SQLite></Datastore>
|
||||
<!-- <ManualKeyGeneration/> -->
|
||||
<!-- <RolloverNotification>P14D</RolloverNotification> -->
|
||||
|
||||
<!-- the <DelegationSignerSubmitCommand> will get all current
|
||||
DNSKEYs (as a RRset) on standard input
|
||||
-->
|
||||
<!-- <DelegationSignerSubmitCommand>/usr/sbin/eppclient</DelegationSignerSubmitCommand> -->
|
||||
</Enforcer>
|
||||
|
||||
<Signer>
|
||||
<Privileges>
|
||||
<User>ods</User>
|
||||
<Group>ods</Group>
|
||||
</Privileges>
|
||||
|
||||
<WorkingDirectory>/var/opendnssec/tmp</WorkingDirectory>
|
||||
<WorkerThreads>4</WorkerThreads>
|
||||
<!-- <SignerThreads>4</SignerThreads> -->
|
||||
|
||||
<!--
|
||||
<Listener>
|
||||
<Interface><Port>53</Port></Interface>
|
||||
</Listener>
|
||||
-->
|
||||
|
||||
<!-- the <NotifyCommmand> will expand the following variables:
|
||||
|
||||
%zone the name of the zone that was signed
|
||||
%zonefile the filename of the signed zone
|
||||
<NotifyCommand>sudo systemctl reload nsd.service</NotifyCommand>
|
||||
-->
|
||||
<!--
|
||||
<NotifyCommand>/usr/sbin/rndc reload %zone</NotifyCommand>
|
||||
-->
|
||||
</Signer>
|
||||
|
||||
</Configuration>
|
||||
@ -0,0 +1,16 @@
|
||||
[Unit]
|
||||
Description=OpenDNSSEC Enforcer daemon
|
||||
After=syslog.target network.target
|
||||
|
||||
[Service]
|
||||
Type=forking
|
||||
User=ods
|
||||
Group=ods
|
||||
PIDFile=/run/opendnssec/enforcerd.pid
|
||||
EnvironmentFile=-/etc/sysconfig/ods
|
||||
ExecStart=/usr/sbin/ods-enforcerd $ODS_ENFORCERD_OPT
|
||||
ExecStartPost=/bin/bash -c 'while [ ! -S /run/opendnssec/enforcer.sock ]; do sleep 1; echo "Waiting for socket"; done'
|
||||
TimeoutStartSec=20
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@ -0,0 +1,14 @@
|
||||
[Unit]
|
||||
Description=OpenDNSSEC signer daemon
|
||||
After=syslog.target network.target ods-enforcerd
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
User=ods
|
||||
Group=ods
|
||||
PIDFile=/run/opendnssec/signerd.pid
|
||||
EnvironmentFile=-/etc/sysconfig/ods
|
||||
ExecStart=/usr/sbin/ods-signerd -d $ODS_SIGNERD_OPT
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@ -0,0 +1,2 @@
|
||||
ODS_SIGNERD_OPT=""
|
||||
ODS_ENFORCERD_OPT=""
|
||||
@ -0,0 +1,842 @@
|
||||
INSERT INTO databaseVersion VALUES (NULL, 1, 1);
|
||||
|
||||
-- ~ ************
|
||||
-- ~ ** policy table
|
||||
-- ~ **
|
||||
-- ~ **
|
||||
-- ~ **
|
||||
-- ~ **
|
||||
-- ~ ************
|
||||
|
||||
INSERT INTO policy
|
||||
SELECT id, 1, name, description,
|
||||
0, 0, 0,
|
||||
0, 0, 0, 0,
|
||||
86400, 0, 0,
|
||||
0, 0, 0,
|
||||
0, 0, 0,
|
||||
0, 0, 0,
|
||||
0, 0, 0,
|
||||
0, 0, 0,
|
||||
0, 0, 0,
|
||||
0, 0, 0,
|
||||
0
|
||||
FROM REMOTE.policies;
|
||||
|
||||
UPDATE policy
|
||||
SET signaturesResign = (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policy.id
|
||||
AND REMOTE.parameters.category_id = 1
|
||||
AND REMOTE.parameters.name = 'resign');
|
||||
|
||||
UPDATE policy
|
||||
SET signaturesRefresh = (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policy.id
|
||||
AND REMOTE.parameters.category_id = 1
|
||||
AND REMOTE.parameters.name = 'refresh') ;
|
||||
|
||||
UPDATE policy
|
||||
SET signaturesJitter = (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policy.id
|
||||
AND REMOTE.parameters.category_id = 1
|
||||
AND REMOTE.parameters.name = 'jitter');
|
||||
|
||||
UPDATE policy
|
||||
SET signaturesInceptionOffset = (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policy.id
|
||||
AND REMOTE.parameters.category_id = 1
|
||||
AND REMOTE.parameters.name = 'clockskew');
|
||||
|
||||
UPDATE policy
|
||||
SET signaturesValidityDefault = (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policy.id
|
||||
AND REMOTE.parameters.category_id = 1
|
||||
AND REMOTE.parameters.name = 'valdefault');
|
||||
|
||||
UPDATE policy
|
||||
SET signaturesValidityDenial = (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policy.id
|
||||
AND REMOTE.parameters.category_id = 1
|
||||
AND REMOTE.parameters.name = 'valdenial');
|
||||
|
||||
--MaxZoneTTL default 86400
|
||||
|
||||
-- We need the following mapping 1.4 -> 2.0 for denialType
|
||||
-- 0 -> 1
|
||||
-- 3 -> 0
|
||||
|
||||
UPDATE policy
|
||||
SET denialType = (
|
||||
SELECT (~value)&1
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policy.id
|
||||
AND REMOTE.parameters.category_id = 2
|
||||
AND REMOTE.parameters.name = 'version');
|
||||
|
||||
-- I'm pretty sure this is not the correct way to do it. It is aweful but
|
||||
-- I can't figure it out how it would work for sqlite.
|
||||
UPDATE policy
|
||||
SET denialOptout = (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policy.id
|
||||
AND REMOTE.parameters.category_id = 2
|
||||
AND REMOTE.parameters.name = 'optout')
|
||||
WHERE null != (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policy.id
|
||||
AND REMOTE.parameters.category_id = 2
|
||||
AND REMOTE.parameters.name = 'optout');
|
||||
|
||||
UPDATE policy
|
||||
SET denialTtl = (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policy.id
|
||||
AND REMOTE.parameters.category_id = 2
|
||||
AND REMOTE.parameters.name = 'ttl')
|
||||
WHERE null != (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policy.id
|
||||
AND REMOTE.parameters.category_id = 2
|
||||
AND REMOTE.parameters.name = 'ttl');
|
||||
|
||||
UPDATE policy
|
||||
SET denialResalt = (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policy.id
|
||||
AND REMOTE.parameters.category_id = 2
|
||||
AND REMOTE.parameters.name = 'resalt')
|
||||
WHERE null != (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policy.id
|
||||
AND REMOTE.parameters.category_id = 2
|
||||
AND REMOTE.parameters.name = 'resalt');
|
||||
|
||||
UPDATE policy
|
||||
SET denialAlgorithm = (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policy.id
|
||||
AND REMOTE.parameters.category_id = 2
|
||||
AND REMOTE.parameters.name = 'algorithm')
|
||||
WHERE null != (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policy.id
|
||||
AND REMOTE.parameters.category_id = 2
|
||||
AND REMOTE.parameters.name = 'algorithm');
|
||||
|
||||
UPDATE policy
|
||||
SET denialIterations = (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policy.id
|
||||
AND REMOTE.parameters.category_id = 2
|
||||
AND REMOTE.parameters.name = 'iterations')
|
||||
WHERE null != (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policy.id
|
||||
AND REMOTE.parameters.category_id = 2
|
||||
AND REMOTE.parameters.name = 'iterations');
|
||||
|
||||
UPDATE policy
|
||||
SET denialSaltLength = (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policy.id
|
||||
AND REMOTE.parameters.category_id = 2
|
||||
AND REMOTE.parameters.name = 'saltlength')
|
||||
WHERE null != (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policy.id
|
||||
AND REMOTE.parameters.category_id = 2
|
||||
AND REMOTE.parameters.name = 'saltlength');
|
||||
|
||||
-- clumsy salt update. salt is optional in 1.4 but required in 2.0
|
||||
-- sqlite is limited in what it can do in an update. I hope there is a
|
||||
-- better way for this?
|
||||
|
||||
UPDATE policy
|
||||
SET denialSalt = (
|
||||
SELECT salt
|
||||
FROM REMOTE.policies
|
||||
WHERE REMOTE.policies.id = policy.id)
|
||||
WHERE (
|
||||
SELECT salt
|
||||
FROM REMOTE.policies
|
||||
WHERE REMOTE.policies.id = policy.id) != null;
|
||||
|
||||
UPDATE policy
|
||||
SET denialSaltLastChange = (
|
||||
SELECT salt_stamp
|
||||
FROM REMOTE.policies
|
||||
WHERE REMOTE.policies.id = policy.id)
|
||||
WHERE (
|
||||
SELECT salt_stamp
|
||||
FROM REMOTE.policies
|
||||
WHERE REMOTE.policies.id = policy.id) != null;
|
||||
|
||||
UPDATE policy
|
||||
SET keysTtl = (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policy.id
|
||||
AND REMOTE.parameters.category_id = 5
|
||||
AND REMOTE.parameters.name = 'ttl');
|
||||
|
||||
UPDATE policy
|
||||
SET keysRetireSafety = (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policy.id
|
||||
AND REMOTE.parameters.category_id = 5
|
||||
AND REMOTE.parameters.name = 'retiresafety');
|
||||
|
||||
UPDATE policy
|
||||
SET keysPublishSafety = (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policy.id
|
||||
AND REMOTE.parameters.category_id = 5
|
||||
AND REMOTE.parameters.name = 'publishsafety');
|
||||
|
||||
UPDATE policy
|
||||
SET keysShared = (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policy.id
|
||||
AND REMOTE.parameters.category_id = 5
|
||||
AND REMOTE.parameters.name = 'zones_share_keys');
|
||||
|
||||
UPDATE policy
|
||||
SET keysPurgeAfter = COALESCE((
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policy.id
|
||||
AND REMOTE.parameters.category_id = 5
|
||||
AND REMOTE.parameters.name = 'purge'), 0);
|
||||
|
||||
UPDATE policy
|
||||
SET zonePropagationDelay = (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policy.id
|
||||
AND REMOTE.parameters.category_id = 7
|
||||
AND REMOTE.parameters.name = 'propagationdelay');
|
||||
|
||||
UPDATE policy
|
||||
SET zoneSoaTtl = (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policy.id
|
||||
AND REMOTE.parameters.category_id = 7
|
||||
AND REMOTE.parameters.name = 'ttl');
|
||||
|
||||
UPDATE policy
|
||||
SET zoneSoaMinimum = (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policy.id
|
||||
AND REMOTE.parameters.category_id = 7
|
||||
AND REMOTE.parameters.name = 'min');
|
||||
|
||||
-- Temporary mapping table between 1.4 and 2.0 SOA serial strategy
|
||||
CREATE TABLE mapping (
|
||||
soa14 INTEGER,
|
||||
soa20 INTEGER
|
||||
);
|
||||
INSERT INTO mapping SELECT 1, 2;
|
||||
INSERT INTO mapping SELECT 2, 0;
|
||||
INSERT INTO mapping SELECT 3, 1;
|
||||
INSERT INTO mapping SELECT 4, 3;
|
||||
|
||||
UPDATE policy
|
||||
SET zoneSoaSerial = (
|
||||
SELECT mapping.soa20
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
INNER JOIN mapping
|
||||
ON REMOTE.parameters_policies.value = mapping.soa14
|
||||
WHERE REMOTE.parameters_policies.policy_id = policy.id
|
||||
AND REMOTE.parameters.category_id = 7
|
||||
AND REMOTE.parameters.name = 'serial');
|
||||
|
||||
DROP TABLE mapping;
|
||||
|
||||
-- parentRegistrationDelay = 0 on 1.4
|
||||
|
||||
UPDATE policy
|
||||
SET parentPropagationDelay = (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policy.id
|
||||
AND REMOTE.parameters.category_id = 8
|
||||
AND REMOTE.parameters.name = 'propagationdelay');
|
||||
|
||||
UPDATE policy
|
||||
SET parentDsTtl = (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policy.id
|
||||
AND REMOTE.parameters.category_id = 8
|
||||
AND REMOTE.parameters.name = 'ttlds');
|
||||
|
||||
UPDATE policy
|
||||
SET parentSoaTtl = (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policy.id
|
||||
AND REMOTE.parameters.category_id = 8
|
||||
AND REMOTE.parameters.name = 'ttl');
|
||||
|
||||
UPDATE policy
|
||||
SET parentSoaMinimum = (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policy.id
|
||||
AND REMOTE.parameters.category_id = 8
|
||||
AND REMOTE.parameters.name = 'min');
|
||||
|
||||
-- passthrough = 0
|
||||
|
||||
-- ~ ************
|
||||
-- ~ ** policyKey table
|
||||
-- ~ **
|
||||
-- ~ ** For each policy in 1.4 add two keys: KSK and ZSK
|
||||
-- ~ **
|
||||
-- ~ **
|
||||
-- ~ ************
|
||||
|
||||
-- Insert each KSK
|
||||
INSERT INTO policyKey
|
||||
SELECT null, 1, id,
|
||||
1, 0, 0,
|
||||
0, 0, 0,
|
||||
0, 0, 4
|
||||
FROM REMOTE.policies;
|
||||
|
||||
-- Insert each ZSK
|
||||
INSERT INTO policyKey
|
||||
SELECT null, 1, id,
|
||||
2, 0, 0,
|
||||
0, 0, 0,
|
||||
0, 0, 1
|
||||
FROM REMOTE.policies;
|
||||
|
||||
UPDATE policyKey
|
||||
SET algorithm = (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
|
||||
AND REMOTE.parameters.category_id = 3
|
||||
AND REMOTE.parameters.name = 'algorithm')
|
||||
WHERE policyKey.role = 1;
|
||||
|
||||
UPDATE policyKey
|
||||
SET algorithm = (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
|
||||
AND REMOTE.parameters.category_id = 4
|
||||
AND REMOTE.parameters.name = 'algorithm')
|
||||
WHERE policyKey.role = 2;
|
||||
|
||||
UPDATE policyKey
|
||||
SET bits = (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
|
||||
AND REMOTE.parameters.category_id = 3
|
||||
AND REMOTE.parameters.name = 'bits')
|
||||
WHERE policyKey.role = 1;
|
||||
|
||||
UPDATE policyKey
|
||||
SET bits = (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
|
||||
AND REMOTE.parameters.category_id = 4
|
||||
AND REMOTE.parameters.name = 'bits')
|
||||
WHERE policyKey.role = 2;
|
||||
|
||||
UPDATE policyKey
|
||||
SET lifetime = (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
|
||||
AND REMOTE.parameters.category_id = 3
|
||||
AND REMOTE.parameters.name = 'lifetime')
|
||||
WHERE policyKey.role = 1;
|
||||
|
||||
UPDATE policyKey
|
||||
SET lifetime = (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
|
||||
AND REMOTE.parameters.category_id = 4
|
||||
AND REMOTE.parameters.name = 'lifetime')
|
||||
WHERE policyKey.role = 2;
|
||||
|
||||
UPDATE policyKey
|
||||
SET repository = (
|
||||
SELECT REMOTE.securitymodules.name
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
INNER JOIN REMOTE.securitymodules
|
||||
ON REMOTE.parameters_policies.value = REMOTE.securitymodules.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
|
||||
AND REMOTE.parameters.category_id = 3
|
||||
AND REMOTE.parameters.name = 'repository')
|
||||
WHERE policyKey.role = 1;
|
||||
|
||||
UPDATE policyKey
|
||||
SET repository = (
|
||||
SELECT REMOTE.securitymodules.name
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
INNER JOIN REMOTE.securitymodules
|
||||
ON REMOTE.parameters_policies.value = REMOTE.securitymodules.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
|
||||
AND REMOTE.parameters.category_id = 4
|
||||
AND REMOTE.parameters.name = 'repository')
|
||||
WHERE policyKey.role = 2;
|
||||
|
||||
UPDATE policyKey
|
||||
SET standby = (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
|
||||
AND REMOTE.parameters.category_id = 3
|
||||
AND REMOTE.parameters.name = 'standby')
|
||||
WHERE policyKey.role = 1;
|
||||
|
||||
UPDATE policyKey
|
||||
SET standby = (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
|
||||
AND REMOTE.parameters.category_id = 4
|
||||
AND REMOTE.parameters.name = 'standby')
|
||||
WHERE policyKey.role = 2;
|
||||
|
||||
UPDATE policyKey
|
||||
SET manualRollover = (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
|
||||
AND REMOTE.parameters.category_id = 3
|
||||
AND REMOTE.parameters.name = 'manual_rollover')
|
||||
WHERE policyKey.role = 1;
|
||||
|
||||
UPDATE policyKey
|
||||
SET manualRollover = (
|
||||
SELECT value
|
||||
FROM REMOTE.parameters_policies
|
||||
INNER JOIN REMOTE.parameters
|
||||
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
|
||||
WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
|
||||
AND REMOTE.parameters.category_id = 4
|
||||
AND REMOTE.parameters.name = 'manual_rollover')
|
||||
WHERE policyKey.role = 2;
|
||||
|
||||
-- rfc5011 = 0. 2.0 has no support
|
||||
-- minimize already set
|
||||
|
||||
-- ~ ************
|
||||
-- ~ ** hsmKey table
|
||||
-- ~ **
|
||||
-- ~ ** get from keypairs and dnsseckeys
|
||||
-- ~ **
|
||||
-- ~ **
|
||||
-- ~ ************
|
||||
|
||||
INSERT INTO hsmKey
|
||||
SELECT DISTINCT REMOTE.keypairs.id, 1, REMOTE.keypairs.policy_id,
|
||||
REMOTE.keypairs.HSMkey_id, 2, REMOTE.keypairs.size,
|
||||
REMOTE.keypairs.algorithm, (~(REMOTE.dnsseckeys.keytype)&1)+1,
|
||||
CASE WHEN REMOTE.keypairs.generate IS NOT NULL THEN
|
||||
strftime('%s', REMOTE.keypairs.generate)
|
||||
ELSE strftime("%s", "now") END,
|
||||
0,
|
||||
1, --only RSA supported
|
||||
REMOTE.securitymodules.name,
|
||||
0 --assume no backup
|
||||
FROM REMOTE.keypairs
|
||||
JOIN REMOTE.dnsseckeys
|
||||
ON REMOTE.keypairs.id = REMOTE.dnsseckeys.keypair_id
|
||||
JOIN REMOTE.securitymodules
|
||||
ON REMOTE.securitymodules.id = REMOTE.keypairs.securitymodule_id;
|
||||
|
||||
-- For some policies put the keys in a shared state
|
||||
UPDATE hsmKey
|
||||
SET state = 3
|
||||
WHERE EXISTS
|
||||
(SELECT * FROM hsmKey AS h
|
||||
JOIN policy ON policy.id = h.policyId
|
||||
WHERE policy.keysShared AND hsmKey.id = h.id);
|
||||
|
||||
-- ~ ************
|
||||
-- ~ ** zone table
|
||||
-- ~ **
|
||||
-- ~ **
|
||||
-- ~ **
|
||||
-- ~ **
|
||||
-- ~ ************
|
||||
|
||||
INSERT INTO zone
|
||||
SELECT zones.id, 1, zones.policy_id,
|
||||
zones.name, 1, zones.signconf, 0,
|
||||
0,0,0,
|
||||
0,0,0,
|
||||
zones.in_type, zones.input,
|
||||
zones.out_type, zones.output,
|
||||
0,0,0
|
||||
FROM REMOTE.zones;
|
||||
|
||||
-- ~ ************
|
||||
-- ~ ** keyData table
|
||||
-- ~ **
|
||||
-- ~ **
|
||||
-- ~ **
|
||||
-- ~ **
|
||||
-- ~ ************
|
||||
|
||||
-- Temporary mapping table between 1.4 states and 2.0 ds_at_parent states
|
||||
-- We are ignoring the fact this may set a DS state for a ZSK; We don't care
|
||||
CREATE TABLE mapping (
|
||||
state INTEGER,
|
||||
ds_state INTEGER
|
||||
);
|
||||
INSERT INTO mapping SELECT 1, 0;
|
||||
INSERT INTO mapping SELECT 2, 0;
|
||||
INSERT INTO mapping SELECT 3, 1;
|
||||
INSERT INTO mapping SELECT 4, 3;
|
||||
INSERT INTO mapping SELECT 5, 5;
|
||||
INSERT INTO mapping SELECT 6, 5;
|
||||
INSERT INTO mapping SELECT 7, 5;
|
||||
INSERT INTO mapping SELECT 8, 5;
|
||||
INSERT INTO mapping SELECT 9, 5;
|
||||
INSERT INTO mapping SELECT 10, 5;
|
||||
|
||||
INSERT INTO keyData
|
||||
SELECT
|
||||
NULL, 1, REMOTE.dnsseckeys.zone_id,
|
||||
REMOTE.dnsseckeys.keypair_id, REMOTE.keypairs.algorithm,
|
||||
CASE WHEN REMOTE.dnsseckeys.publish IS NOT NULL THEN
|
||||
strftime('%s', REMOTE.dnsseckeys.publish)
|
||||
ELSE strftime("%s", "now") END,
|
||||
(~REMOTE.dnsseckeys.keytype&1)+1,
|
||||
REMOTE.dnsseckeys.state <= 4, -- introducing
|
||||
0, -- should revoke, not used
|
||||
0, -- standby
|
||||
REMOTE.dnsseckeys.state = 4 AND REMOTE.dnsseckeys.keytype = 256, --activeZSK:
|
||||
REMOTE.dnsseckeys.state >= 2 AND REMOTE.dnsseckeys.state <= 5, --publish
|
||||
REMOTE.dnsseckeys.state = 4 AND REMOTE.dnsseckeys.keytype = 257, --activeKSK:
|
||||
mapping.ds_state, --dsatparent
|
||||
1<<16, --keytag (crap, will 2.0 regenerate this?)
|
||||
(REMOTE.dnsseckeys.keytype&1)*3+1 --minimize
|
||||
FROM REMOTE.dnsseckeys
|
||||
JOIN REMOTE.keypairs
|
||||
ON REMOTE.dnsseckeys.keypair_id = REMOTE.keypairs.id
|
||||
JOIN mapping
|
||||
ON REMOTE.dnsseckeys.state = mapping.state
|
||||
WHERE EXISTS(select REMOTE.zones.id FROM REMOTE.zones WHERE REMOTE.zones.id = REMOTE.dnsseckeys.zone_id);
|
||||
|
||||
-- Everything that is just a ZSK must not have dsatparent set.
|
||||
UPDATE keyData
|
||||
SET dsatparent = 0
|
||||
WHERE role = 2;
|
||||
|
||||
DROP TABLE mapping;
|
||||
|
||||
-- If a active time is set for a ready KSK dsAtParent is submitted
|
||||
-- instead of submit
|
||||
UPDATE keyData
|
||||
SET dsatparent = 2
|
||||
WHERE keyData.dsAtParent = 1 AND keyData.id IN (
|
||||
SELECT keyData.id
|
||||
FROM keyData
|
||||
JOIN REMOTE.dnsseckeys
|
||||
ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
|
||||
WHERE REMOTE.dnsseckeys.active IS NOT NULL);
|
||||
|
||||
|
||||
-- ~ ************
|
||||
-- ~ ** Keystate table
|
||||
-- ~ **
|
||||
-- ~ **
|
||||
-- ~ **
|
||||
-- ~ **
|
||||
-- ~ ************
|
||||
|
||||
CREATE TABLE mapping (
|
||||
state INTEGER,
|
||||
ds INTEGER,
|
||||
dk INTEGER,
|
||||
ks INTEGER,
|
||||
rs INTEGER
|
||||
);
|
||||
INSERT INTO mapping SELECT 1, 0, 0, 0, 0;
|
||||
INSERT INTO mapping SELECT 2, 0, 1, 1, 1;
|
||||
INSERT INTO mapping SELECT 3, 0, 2, 2, 1;
|
||||
INSERT INTO mapping SELECT 4, 2, 2, 2, 1;
|
||||
INSERT INTO mapping SELECT 5, 3, 2, 2, 3;
|
||||
INSERT INTO mapping SELECT 6, 0, 3, 3, 0;
|
||||
INSERT INTO mapping SELECT 7, 3, 0, 0, 0;
|
||||
INSERT INTO mapping SELECT 8, 3, 0, 0, 0;
|
||||
INSERT INTO mapping SELECT 9, 3, 0, 0, 0;
|
||||
INSERT INTO mapping SELECT 10, 3, 0, 0, 0;
|
||||
|
||||
-- DS RECORDS
|
||||
INSERT INTO keyState
|
||||
SELECT NULL, 1, keyData.id, 0, mapping.ds, strftime("%s", "now"), (keyData.minimize>>2)&1, policy.parentDsTtl
|
||||
FROM keyData
|
||||
JOIN zone
|
||||
ON zone.id = keyData.zoneId
|
||||
JOIN policy
|
||||
ON policy.id = zone.policyId
|
||||
JOIN REMOTE.dnsseckeys
|
||||
ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
|
||||
JOIN mapping
|
||||
ON mapping.state = REMOTE.dnsseckeys.state;
|
||||
|
||||
UPDATE keyState
|
||||
SET state = 1
|
||||
WHERE keyState.state = 0 AND keyState.type = 0 AND keyState.id IN (
|
||||
SELECT keyState.id
|
||||
FROM keyState
|
||||
JOIN keyData
|
||||
ON keyData.id = keyState.keydataId
|
||||
JOIN REMOTE.dnsseckeys
|
||||
ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
|
||||
WHERE REMOTE.dnsseckeys.active IS NOT NULL);
|
||||
|
||||
-- DNSKEY RECORDS
|
||||
INSERT INTO keyState
|
||||
SELECT NULL, 1, keyData.id, 2, mapping.dk, strftime("%s", "now"), (keyData.minimize>>1)&1, policy.keysTtl
|
||||
FROM keyData
|
||||
JOIN zone
|
||||
ON zone.id = keyData.zoneId
|
||||
JOIN policy
|
||||
ON policy.id = zone.policyId
|
||||
JOIN REMOTE.dnsseckeys
|
||||
ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
|
||||
JOIN mapping
|
||||
ON mapping.state = REMOTE.dnsseckeys.state;
|
||||
|
||||
-- RRSIG DNSKEY RECORDS
|
||||
INSERT INTO keyState
|
||||
SELECT NULL, 1, keyData.id, 3, mapping.ks, strftime("%s", "now"), (keyData.minimize>>1)&1, policy.keysTtl
|
||||
FROM keyData
|
||||
JOIN zone
|
||||
ON zone.id = keyData.zoneId
|
||||
JOIN policy
|
||||
ON policy.id = zone.policyId
|
||||
JOIN REMOTE.dnsseckeys
|
||||
ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
|
||||
JOIN mapping
|
||||
ON mapping.state = REMOTE.dnsseckeys.state;
|
||||
|
||||
-- RRSIG RECORDS
|
||||
INSERT INTO keyState
|
||||
SELECT NULL, 1, keyData.id, 1, mapping.rs, strftime("%s", "now"), (keyData.minimize>>0)&1, policy.signaturesMaxZoneTtl
|
||||
FROM keyData
|
||||
JOIN zone
|
||||
ON zone.id = keyData.zoneId
|
||||
JOIN policy
|
||||
ON policy.id = zone.policyId
|
||||
JOIN REMOTE.dnsseckeys
|
||||
ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
|
||||
JOIN mapping
|
||||
ON mapping.state = REMOTE.dnsseckeys.state;
|
||||
|
||||
--Set to OMN if Tactive + Dttl < Tnow
|
||||
UPDATE keyState
|
||||
SET state = 2
|
||||
WHERE keyState.state = 1 AND keyState.type = 1 AND keyState.id IN (
|
||||
SELECT keyState.id
|
||||
FROM keyState
|
||||
JOIN keyData
|
||||
ON keyData.id = keyState.keydataId
|
||||
JOIN REMOTE.dnsseckeys
|
||||
ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
|
||||
JOIN zone
|
||||
ON keyData.zoneId = zone.id
|
||||
JOIN policy
|
||||
ON policy.id = zone.policyId
|
||||
WHERE CAST(strftime("%s", REMOTE.dnsseckeys.active) + policy.signaturesValidityDefault as INTEGER) < strftime("%s", "now"));
|
||||
|
||||
--Force the RRSIG state in omnipresent if rumoured and there is no old ZSK
|
||||
-- unretentive
|
||||
UPDATE keyState
|
||||
SET state = 2
|
||||
WHERE keyState.id IN (
|
||||
SELECT rs.id FROM keyState AS rs
|
||||
JOIN keystate AS dk ON dk.keyDataId == rs.keyDataId
|
||||
WHERE rs.type == 1 AND dk.type == 2 AND rs.state == 1 AND dk.state == 2
|
||||
AND NOT EXISTS(
|
||||
SELECT* FROM keystate AS rs2
|
||||
JOIN keystate AS dk2 ON dk2.keyDataId == rs2.keyDataId
|
||||
WHERE rs2.type == 1 AND dk2.type == 2 AND rs2.state == 3 AND dk2.state == 2
|
||||
));
|
||||
|
||||
DROP TABLE mapping;
|
||||
|
||||
-- We need to create records in the keydependency table in case we are in a
|
||||
-- rollover. Only done for ZSK. For every introducing ZSK with RRSIG rumoured
|
||||
-- that has an outroducing ZSK with RRSIG unretentive, we add a record.
|
||||
INSERT INTO keyDependency
|
||||
SELECT NULL, 0, keyData.zoneID, SUB.IDout, keyData.id, 1
|
||||
FROM keyData
|
||||
JOIN keyState AS KS1
|
||||
ON KS1.keyDataId == keyData.id
|
||||
JOIN keyState AS KS2
|
||||
ON KS2.keyDataId == keyData.id
|
||||
JOIN (
|
||||
SELECT keyData.id AS IDout, keyData.zoneID
|
||||
FROM keyData
|
||||
JOIN keyState AS KS1
|
||||
ON KS1.keyDataId == keyData.id
|
||||
JOIN keyState AS KS2
|
||||
ON KS2.keyDataId == keyData.id
|
||||
WHERE KS1.type == 2
|
||||
AND ks1.state = 2
|
||||
AND KS2.type == 1
|
||||
AND KS2.state == 3
|
||||
AND keyData.introducing == 0
|
||||
AND keyData.role == 2
|
||||
) AS SUB
|
||||
ON SUB.zoneId == keyData.zoneId
|
||||
WHERE
|
||||
KS1.type == 2
|
||||
AND ks1.state = 2
|
||||
AND KS2.type == 1
|
||||
AND KS2.state == 1
|
||||
AND keyData.introducing == 1
|
||||
AND keyData.role == 2;
|
||||
|
||||
-- ZSK
|
||||
UPDATE keyState
|
||||
SET state = 4
|
||||
WHERE (keyState.type = 0 OR keyState.type = 3) AND keyDataId IN (
|
||||
SELECT keyData.id
|
||||
FROM keyData
|
||||
WHERE keyData.role = 2);
|
||||
|
||||
--KSK
|
||||
UPDATE keyState
|
||||
SET state = 4
|
||||
WHERE keyState.type = 1 AND keyDataId IN (
|
||||
SELECT keyData.id
|
||||
FROM keyData
|
||||
WHERE keyData.role = 1);
|
||||
|
||||
-- For rpm based systems to see if db was migrated already. store opendnssec major minor version
|
||||
CREATE TABLE rpm_migration (
|
||||
major INTEGER,
|
||||
minor INTEGER
|
||||
);
|
||||
INSERT INTO rpm_migration VALUES(2, 1);
|
||||
|
||||
@ -0,0 +1,7 @@
|
||||
-- For rpm based systems to see if db was migrated already. store opendnssec major minor version
|
||||
CREATE TABLE rpm_migration (
|
||||
major INTEGER,
|
||||
minor INTEGER
|
||||
);
|
||||
INSERT INTO rpm_migration VALUES(2, 1);
|
||||
|
||||
@ -0,0 +1,4 @@
|
||||
# Ensure multiple ods-enforcerd's on different system roll at the same time
|
||||
# independant of when the daemon was started. Since TLDs often update their
|
||||
# zone "on the hour" we do the key rollover checks just before the hour.
|
||||
50,20 * * * * root test -f /var/lock/subsys/ods-enforcerd && kill -s SIGHUP `cat /var/run/opendnssec/enforcerd.pid` > /dev/null 2> /dev/null
|
||||
@ -0,0 +1 @@
|
||||
D /run/opendnssec 0755 ods ods -
|
||||
@ -0,0 +1,365 @@
|
||||
#global prever rcX
|
||||
%global _hardened_build 1
|
||||
|
||||
Summary: DNSSEC key and zone management software
|
||||
Name: opendnssec
|
||||
Version: 2.1.7
|
||||
Release: 1%{?prever}%{?dist}
|
||||
License: BSD
|
||||
Url: http://www.opendnssec.org/
|
||||
Source0: http://www.opendnssec.org/files/source/%{?prever:testing/}%{name}-%{version}%{?prever}.tar.gz
|
||||
Source1: ods-enforcerd.service
|
||||
Source2: ods-signerd.service
|
||||
Source3: ods.sysconfig
|
||||
Source4: conf.xml
|
||||
Source5: tmpfiles-opendnssec.conf
|
||||
Source6: opendnssec.cron
|
||||
Source7: opendnssec-2.1.sqlite_convert.sql
|
||||
Source8: opendnssec-2.1.sqlite_rpmversion.sql
|
||||
|
||||
Requires: opencryptoki, softhsm >= 2.5.0 , systemd-units
|
||||
Requires: libxml2, libxslt sqlite
|
||||
BuildRequires: gcc
|
||||
BuildRequires: ldns-devel >= 1.6.12, sqlite-devel >= 3.0.0, openssl-devel
|
||||
BuildRequires: libxml2-devel CUnit-devel, doxygen
|
||||
# It tests for pkill/killall and would use /bin/false if not found
|
||||
BuildRequires: procps-ng
|
||||
BuildRequires: perl-interpreter
|
||||
BuildRequires: libmicrohttpd-devel jansson-devel libyaml-devel
|
||||
|
||||
BuildRequires: systemd-units
|
||||
Requires(pre): shadow-utils
|
||||
Requires(post): systemd-units
|
||||
Requires(preun): systemd-units
|
||||
Requires(postun): systemd-units
|
||||
%if 0%{?prever:1}
|
||||
# For building development snapshots
|
||||
Buildrequires: autoconf, automake, libtool, java
|
||||
%endif
|
||||
|
||||
%description
|
||||
OpenDNSSEC was created as an open-source turn-key solution for DNSSEC.
|
||||
It secures zone data just before it is published in an authoritative
|
||||
name server. It requires a PKCS#11 crypto module library, such as softhsm
|
||||
|
||||
%prep
|
||||
%setup -q -n %{name}-%{version}%{?prever}
|
||||
# bump default policy ZSK keysize to 2048
|
||||
sed -i "s/1024/2048/" conf/kasp.xml.in
|
||||
|
||||
%build
|
||||
#export LDFLAGS="-Wl,-z,relro,-z,now -pie -specs=/usr/lib/rpm/redhat/redhat-hardened-ld"
|
||||
#export CFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wextra -Wformat -Wformat-nonliteral -Wformat-security"
|
||||
#export CXXFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wformat-nonliteral -Wformat-security"
|
||||
%if 0%{?prever:1}
|
||||
# for development snapshots
|
||||
sh ./autogen.sh
|
||||
%endif
|
||||
%configure --with-ldns=%{_libdir}
|
||||
make %{?_smp_mflags}
|
||||
|
||||
%check
|
||||
# Requires sample db not shipped with upstream
|
||||
# make check
|
||||
|
||||
%install
|
||||
rm -rf %{buildroot}
|
||||
make DESTDIR=%{buildroot} install
|
||||
mkdir -p %{buildroot}%{_localstatedir}/opendnssec/{tmp,signed,signconf,enforcer}
|
||||
install -d -m 0755 %{buildroot}%{_initrddir} %{buildroot}%{_sysconfdir}/cron.d/
|
||||
install -m 0644 %{SOURCE6} %{buildroot}/%{_sysconfdir}/cron.d/opendnssec
|
||||
rm -f %{buildroot}/%{_sysconfdir}/opendnssec/*.sample
|
||||
install -d -m 0755 %{buildroot}/%{_sysconfdir}/sysconfig
|
||||
install -d -m 0755 %{buildroot}%{_unitdir}
|
||||
install -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/
|
||||
install -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/
|
||||
install -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/sysconfig/ods
|
||||
install -m 0644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/opendnssec/
|
||||
mkdir -p %{buildroot}%{_tmpfilesdir}/
|
||||
install -m 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/opendnssec.conf
|
||||
mkdir -p %{buildroot}%{_localstatedir}/run/opendnssec
|
||||
mkdir -p %{buildroot}%{_datadir}/opendnssec/
|
||||
cp -a enforcer/utils %{buildroot}%{_datadir}/opendnssec/migration
|
||||
cp -a enforcer/src/db/schema.* %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/
|
||||
# fixup path for mysql/sqlite. Use our replacement sqlite_convert.sql to detect previous migration
|
||||
cp -a %{SOURCE7} %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/sqlite_convert.sql
|
||||
cp -a %{SOURCE8} %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/rpmversion.sql
|
||||
sed -i "s:^SCHEMA=.*schema:SCHEMA=%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/schema:" %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_sqlite
|
||||
sed -i "s:find_problematic_zones.sql:%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/find_problematic_zones.sql:g" %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_sqlite
|
||||
sed -i "s:^SCHEMA=.*schema:SCHEMA=%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/schema:" %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_mysql
|
||||
sed -i "s:find_problematic_zones.sql:%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/find_problematic_zones.sql:g" %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_mysql
|
||||
sed -i "s:sqlite_convert.sql:%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/sqlite_convert.sql:g" %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_sqlite
|
||||
|
||||
|
||||
%files
|
||||
%{_unitdir}/ods-enforcerd.service
|
||||
%{_unitdir}/ods-signerd.service
|
||||
%config(noreplace) %{_tmpfilesdir}/opendnssec.conf
|
||||
%attr(0770,root,ods) %dir %{_sysconfdir}/opendnssec
|
||||
%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec
|
||||
%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/tmp
|
||||
%attr(0775,root,ods) %dir %{_localstatedir}/opendnssec/signed
|
||||
%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/signconf
|
||||
%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/enforcer
|
||||
%attr(0660,root,ods) %config(noreplace) %{_sysconfdir}/opendnssec/*.xml
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/ods
|
||||
%attr(0770,root,ods) %dir %{_localstatedir}/run/opendnssec
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/cron.d/opendnssec
|
||||
%doc NEWS README.md
|
||||
%license LICENSE
|
||||
%{_mandir}/*/*
|
||||
%{_sbindir}/*
|
||||
%{_bindir}/*
|
||||
%attr(0755,root,root) %dir %{_datadir}/opendnssec
|
||||
%{_datadir}/opendnssec/*
|
||||
|
||||
%pre
|
||||
getent group ods >/dev/null || groupadd -r ods
|
||||
getent passwd ods >/dev/null || \
|
||||
useradd -r -g ods -d /etc/opendnssec -s /sbin/nologin \
|
||||
-c "opendnssec daemon account" ods
|
||||
exit 0
|
||||
|
||||
%post
|
||||
# Initialise a slot on the softhsm on first install
|
||||
if [ "$1" -eq 1 ]; then
|
||||
%{_sbindir}/runuser -u ods -- %{_bindir}/softhsm2-util --init-token \
|
||||
--free --label "OpenDNSSEC" --pin 1234 --so-pin 1234
|
||||
if [ ! -s %{_localstatedir}/opendnssec/kasp.db ]; then
|
||||
echo y | %{_sbindir}/ods-enforcer-db-setup
|
||||
%{_bindir}/sqlite3 -batch %{_localstatedir}/opendnssec/kasp.db < %{_datadir}/opendnssec/migration/1.4-2.0_db_convert/rpmversion.sql
|
||||
fi
|
||||
|
||||
elif [ -z "$(%{_bindir}/sqlite3 %{_localstatedir}/opendnssec/kasp.db 'select * from rpm_migration;')" ]; then
|
||||
# Migrate version 1.4 db to version 2.1 db
|
||||
if [ -e %{_localstatedir}/opendnssec/rpm-migration-in-progress ]; then
|
||||
echo "previous (partial?) migration found - human intervention is needed"
|
||||
else
|
||||
echo "opendnssec 1.4 database found, migrating to 2.x"
|
||||
touch %{_localstatedir}/opendnssec/rpm-migration-in-progress
|
||||
mv -n %{_localstatedir}/opendnssec/kasp.db %{_localstatedir}/opendnssec/kasp.db-1.4
|
||||
echo "migrating conf.xml from 1.4 to 2.1 schema"
|
||||
cp -n %{_sysconfdir}/opendnssec/conf.xml %{_sysconfdir}/opendnssec/conf.xml-1.4
|
||||
# fixup incompatibilities inflicted upon us by upstream :(
|
||||
sed -i "/<Interval>.*Interval>/d" %{_sysconfdir}/opendnssec/conf.xml
|
||||
echo "Converting kasp.db"
|
||||
ERR=""
|
||||
%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_sqlite -i %{_localstatedir}/opendnssec/kasp.db-1.4 -o %{_localstatedir}/opendnssec/kasp.db || ERR="convert_sqlite error"
|
||||
chown ods.ods %{_localstatedir}/opendnssec/kasp.db
|
||||
cp -n %{_sysconfdir}/opendnssec/zonelist.xml %{_localstatedir}/opendnssec/enforcer/zones.xml
|
||||
if [ -z "$ERR" ]; then
|
||||
echo "calling ods-migrate"
|
||||
ods-migrate || ERR="ods-migrate failed"
|
||||
if [ -z "$ERR" ]; then
|
||||
echo "opendnssec 1.4 to 2.x migration completed"
|
||||
rm %{_localstatedir}/opendnssec/rpm-migration-in-progress
|
||||
else
|
||||
echo "ods-migrate process failed - human intervention is needed"
|
||||
fi
|
||||
else
|
||||
echo "%{_localstatedir}/opendnssec/kasp.db conversion failed - not calling ods-migrate to complete migration. human intervention is needed"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
# in case we update any xml conf file
|
||||
ods-enforcer update all >/dev/null 2>/dev/null ||:
|
||||
|
||||
%systemd_post ods-enforcerd.service
|
||||
%systemd_post ods-signerd.service
|
||||
|
||||
%preun
|
||||
%systemd_preun ods-enforcerd.service
|
||||
%systemd_preun ods-signerd.service
|
||||
|
||||
%postun
|
||||
%systemd_postun_with_restart ods-enforcerd.service
|
||||
%systemd_postun_with_restart ods-signerd.service
|
||||
|
||||
%changelog
|
||||
* Wed Apr 03 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 2.1.7-1
|
||||
- Rebuilt for MSVSphere 8.10 beta
|
||||
|
||||
* Fri Dec 04 2020 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.7-1
|
||||
- Upstream release 2.1.7
|
||||
- Resolves: rhbz#1904484
|
||||
|
||||
* Fri May 08 2020 Paul Wouters <pwouters@redhat.com> - 2.1.6-2
|
||||
- Resolves: rhbz#1831732 AVC avc: denied { dac_override } for comm="ods-enforcerd
|
||||
|
||||
* Wed Apr 15 2020 Paul Wouters <pwouters@redhat.com> - 2.1.6-1
|
||||
- Resolves: rhbz#1759888 Rebase OpenDNSSEC to 2.1
|
||||
|
||||
* Tue Dec 12 2017 Paul Wouters <pwouters@redhat.com> - 1.4.14-1
|
||||
- Update to 1.4.14 as first steop to migrating to 2.x
|
||||
- Resolves: rhbz#1413254 Move tmpfiles.d config to %%{_tmpfilesdir}, install LICENSE as %%license
|
||||
|
||||
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.9-7
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
||||
|
||||
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.9-6
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
||||
|
||||
* Wed Mar 08 2017 Tomas Hozza <thozza@redhat.com> - 1.4.9-5
|
||||
- Fix FTBFS (#1424019) in order to rebuild against new ldns
|
||||
|
||||
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.9-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
|
||||
|
||||
* Thu Feb 18 2016 Paul Wouters <pwouters@redhat.com> - 1.4.9-3
|
||||
- Resolves: rbz#1303965 upgrade to opendnssec-1.4.9-1.fc23 breaks old installations
|
||||
- On initial install, after token init, also run ods-ksmutil setup
|
||||
|
||||
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.9-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
||||
|
||||
* Mon Feb 01 2016 Paul Wouters <pwouters@redhat.com> - 1.4.9-1
|
||||
- Updated to 1.4.9
|
||||
- Removed merged in patch
|
||||
|
||||
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.7-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
|
||||
|
||||
* Tue Jun 09 2015 Paul Wouters <pwouters@redhat.com> - 1.4.7-2
|
||||
- Resolves rhbz#1219746 ods-signerd.service misplaced After= in section Service
|
||||
- Resolves rhbz#1220443 OpenDNSSEC fails to initialise a slot in softhsm on first install
|
||||
|
||||
* Tue Dec 09 2014 Paul Wouters <pwouters@redhat.com> - 1.4.7-1
|
||||
- Updated to 1.4.7 (fix zone update can get stuck, crash on retransfer cmd)
|
||||
|
||||
* Wed Oct 15 2014 Paul Wouters <pwouters@redhat.com> - 1.4.6-4
|
||||
- Change /etc/opendnssec to be ods group writable
|
||||
|
||||
* Wed Oct 08 2014 Paul Wouters <pwouters@redhat.com> - 1.4.6-3
|
||||
- Added Petr Spacek's patch that adds the config option <AllowExtraction/> (rhbz#1123354)
|
||||
|
||||
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.6-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
|
||||
|
||||
* Mon Jul 28 2014 Paul Wouters <pwouters@redhat.com> - 1.4.6-1
|
||||
- Updated to 1.4.6
|
||||
- Removed incorporated patch upstream
|
||||
- Remove Wants= from ods-signerd.service (rhbz#1098205)
|
||||
|
||||
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.5-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
|
||||
|
||||
* Fri Apr 18 2014 Paul Wouters <pwouters@redhat.com> - 1.4.5-2
|
||||
- Updated to 1.4.5
|
||||
- Added patch for serial 0 bug in XFR adapter
|
||||
|
||||
* Tue Apr 01 2014 Paul Wouters <pwouters@redhat.com> - 1.4.4-3
|
||||
- Add buildrequires for ods-kasp2html (rhbz#1073313)
|
||||
|
||||
* Sat Mar 29 2014 Paul Wouters <pwouters@redhat.com> - 1.4.4-2
|
||||
- Add requires for ods-kasp2html (rhbz#1073313)
|
||||
|
||||
* Thu Mar 27 2014 Paul Wouters <pwouters@redhat.com> - 1.4.4-1
|
||||
- Updated to 1.4.4 (compatibility with non RFC 5155 errata 3441)
|
||||
- Change the default ZSK policy from 1024 to 2048 bit RSA keys
|
||||
- Fix post to be quiet when upgrading opendnssec
|
||||
|
||||
* Thu Jan 09 2014 Paul Wouters <pwouters@redhat.com> - 1.4.3-1
|
||||
- Updated to 1.4.3 (rhel#1048449) - minor bugfixes, minor feature enhancements
|
||||
- rhel#1025985 OpenDNSSEC signer cannot be started due to a typo in service file
|
||||
|
||||
* Wed Sep 11 2013 Paul Wouters <pwouters@redhat.com> - 1.4.2-1
|
||||
- Updated to 1.4.2, bugfix release
|
||||
|
||||
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.1-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
|
||||
|
||||
* Fri Jun 28 2013 Paul Wouters <pwouters@redhat.com> - 1.4.1-1
|
||||
- Updated to 1.4.1. NSEC3 handling and serial number handling fixes
|
||||
- Add BuildRequire for systemd-units
|
||||
|
||||
* Sat May 11 2013 Paul Wouters <pwouters@redhat.com> - 1.4.0-1
|
||||
- Updated to 1.4.0
|
||||
|
||||
* Fri Apr 12 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-0.8.rc3
|
||||
- Updated to 1.4.0rc3
|
||||
- Enabled hardened compile, full relzo/pie
|
||||
|
||||
* Fri Jan 25 2013 Patrick Uiterwijk <puiterwijk@gmail.com> - 1.4.0-0.7.rc2
|
||||
- Updated to 1.4.0rc2, which includes svn r6952
|
||||
|
||||
* Fri Jan 18 2013 Patrick Uiterwijk <puiterwijk@gmail.com> - 1.4.0-0.6.rc1
|
||||
- Updated to 1.4.0rc1
|
||||
- Applied opendnssec-ksk-premature-retirement.patch (svn r6952)
|
||||
|
||||
* Tue Dec 18 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.5.b2
|
||||
- Updated to 1.4.0b2
|
||||
- All patches have been merged upstream
|
||||
- cron job should be marked as config file
|
||||
|
||||
* Tue Oct 30 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.4.b1
|
||||
- Added BuildRequires: procps-ng for bug OPENDNSSEC-345
|
||||
- Change RRSIG inception offset to -2h to avoid possible
|
||||
daylight saving issues on resolvers
|
||||
- Patch to prevent removal of occluded data
|
||||
|
||||
* Wed Sep 26 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.3.b1
|
||||
- Just an EVR fix to the proper standard
|
||||
- Cleanup of spec file
|
||||
- Introduce new systemd-rpm macros (rhbz#850242)
|
||||
|
||||
* Wed Sep 12 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.b1.1
|
||||
- Updated to 1.4.0b1
|
||||
- Patch for NSEC3PARAM TTL
|
||||
- Cron job to assist narrowing ods-enforcerd timing differences
|
||||
|
||||
* Wed Aug 29 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a3.1
|
||||
- Updated to 1.4.0a3
|
||||
- Patch to more aggressively try to resign
|
||||
- Patch to fix locking issue eating up cpu
|
||||
|
||||
* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.0-0.a2.2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
|
||||
|
||||
* Tue Jun 12 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a2.1
|
||||
- Updated to 1.4.0a2
|
||||
- ksm-utils patch for ods-ksmutil to die sooner when it can't lock
|
||||
the HSM.
|
||||
|
||||
* Wed May 16 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a1.3
|
||||
- Patch for crasher with deleted RRsets and NSEC3/OPTOUT chains
|
||||
|
||||
* Mon Mar 26 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a1.2
|
||||
- Added opendnssec LICENSE file from trunk (Thanks Jakob!)
|
||||
|
||||
* Mon Mar 26 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a1.1
|
||||
- Fix macros in comment
|
||||
- Added missing -m to install target
|
||||
|
||||
* Sun Mar 25 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a1
|
||||
- The 1.4.x branch no longer needs ruby, as the auditor has been removed
|
||||
- Added missing openssl-devel BuildRequire
|
||||
- Comment out <SkipPublicKey/> so keys generated by ods can be used by bind
|
||||
|
||||
* Fri Feb 24 2012 Paul Wouters <pwouters@redhat.com> - 1.3.6-3
|
||||
- Requires rubygem-soap4r when using ruby-1.9
|
||||
- Don't ghost /var/run/opendnssec
|
||||
- Converted initd to systemd
|
||||
|
||||
* Thu Nov 24 2011 root - 1.3.2-6
|
||||
- Added rubygem-dnsruby requires as rpm does not pick it up automatically
|
||||
|
||||
* Tue Nov 22 2011 root - 1.3.2-5
|
||||
- Added /var/opendnssec/signconf/ /as this temp dir is needed
|
||||
|
||||
* Mon Nov 21 2011 Paul Wouters <paul@xelerance.com> - 1.3.2-4
|
||||
- Added /var/opendnssec/signed/ as this is the default output dir
|
||||
|
||||
* Sun Nov 20 2011 Paul Wouters <paul@xelerance.com> - 1.3.2-3
|
||||
- Add ods user for opendnssec tasks
|
||||
- Added initscripts and services for ods-signerd and ods-enforcerd
|
||||
- Initialise OpenDNSSEC softhsm token on first install
|
||||
|
||||
* Wed Oct 05 2011 Paul Wouters <paul@xelerance.com> - 1.3.2-1
|
||||
- Updated to 1.3.2
|
||||
- Added dependancies on opencryptoki and softhsm
|
||||
- Don't install duplicate unreadable .sample files
|
||||
- Fix upstream conf.xml to point to actually used library paths
|
||||
|
||||
* Thu Mar 3 2011 Paul Wouters <paul@xelerance.com> - 1.2.0-1
|
||||
- Initial package for Fedora
|
||||
Loading…
Reference in new issue