Commit Graph

830 Commits

Author SHA1 Message Date
Petr Menšík
277938ec6c Use just normal variant by default
Testing takes quite long. For now, use by default only normal variant.
SDB variant is not much used and pkcs11 variant is failing now. Keep
ability to enable variants by parameter:
   TEST_VARIANTS="normal sdb pkcs11"
2019-09-25 20:37:03 +02:00
Petr Menšík
339db1a482 Add internal test suite to set of tests 2019-09-25 20:37:03 +02:00
Petr Menšík
7eb2cf5e7b Update and simplify package requirements
bind-devel should now provide all dependencies required. Omit explicitl
requirements for building. Drop atf building support, since upstream
moved to cmocka.
2019-09-25 20:37:03 +02:00
Petr Menšík
54fa84a387 Use also termination logs to measure time
Might use different approach to display grouped results.
2019-09-25 20:37:03 +02:00
Petr Menšík
545e2cb4bc Make tests optional
Make it possible to skip some test using parameter. In some cases, just
single pass is required.
Also fix case when no known defects are specified for a variant.
2019-09-25 20:37:03 +02:00
Petr Menšík
0983c90fb0 Modify test suite to include also variants
Run system tests for each variants.
2019-09-25 20:37:03 +02:00
Petr Menšík
5aee3f1742 Precise timing perl package is required 2019-09-25 20:37:03 +02:00
Petr Menšík
5691e04b76 Fix source fetching 2019-09-25 20:37:03 +02:00
Petr Menšík
841d8832b4 Do not skip gsstsig test in any named variants
Feature was skipped by mistake when moving feature-test into separate
directory.
2019-09-05 21:35:54 +02:00
Petr Menšík
d568c54c25 Share pkcs11-utils and dnssec-utils manuals
Previous build recommended bind-dnssec-utils just to provide manual for
pkcs11 variants. Instead, share the same files between pkcs11-utils and
dnssec-utils. Skip unnecessary manual of non-existent dnssec-coverage-pkcs11 tool.
2019-09-05 21:18:52 +02:00
Petr Menšík
9d1aaa502b Recommend bind-dnssec-utils from bind-pkcs11-utils
Manual pages are just links to pages in bind-dnssec-utils. Do not copy
them, but suggest them for installation is possible. It would be handy
to have them available, but are not required for any function.
2019-09-03 18:34:04 +02:00
Petr Menšík
bf5bc99f81 Add GeoIP to bind-chroot (#1497646)
named can use ACLs defined by GeoIP of request. Such information is not
available by default under named-chroot service. Enable GeoIP databases
under chroot without explicit configuration.
2019-09-03 13:58:49 +02:00
Petr Menšík
0fa39c28ad Move created empty directories to single define
Make it easier to manage list of used directories in chroot. Use
appropriate macros for system directories everywhere in chroot package.
Share common variable with -sdb-chroot and -chroot packages.
2019-09-03 13:58:31 +02:00
Petr Menšík
8cd5c11f0d Move some administration utilities back to utils (#1720380)
Some utilities are not related DNSSEC at all, but are just bind related
tools. Because they do not require additional dependencies, they do not
save any space in containers.
2019-09-03 11:37:26 +02:00
Petr Menšík
c5d9a5c66a Avoid conflicts between OpenSSL and native PKCS#11
Do not set default engine when native module should be used.
2019-08-27 21:39:46 +02:00
Petr Menšík
01dd585828 Fix broken pkcs11 initialization
Broken by commit 2a466330c5
2019-08-27 21:39:46 +02:00
Petr Menšík
1b89e61546 Fix broken system/tsig test
On rebases, md5 keys were accidentally dropped. Put them back.
2019-08-27 21:39:46 +02:00
Petr Menšík
843e5f5094 Update patches to 9.11.10 2019-08-27 21:39:46 +02:00
Petr Menšík
72f1dad845 Update to BIND 9.11.10 2019-08-27 21:39:46 +02:00
Miro Hrončok
c92fe260ae Rebuilt for Python 3.8 2019-08-19 10:10:45 +02:00
Petr Menšík
b75571c4df Add changelog and bump spec 2019-08-09 12:39:58 +02:00
Petr Menšík
23eefd9798 Report errors from rndc reload (#1739441)
Success status has to be ignored until systemd is fixed. Now it would
kill service on reload failure, which is far worse than reload error.
2019-08-09 12:32:48 +02:00
Petr Menšík
963c4b916b Fix rpmlint warnings
Clean whitespace to satisfy rpmlint
2019-08-08 15:08:53 +02:00
Petr Menšík
dab22dd2c2 Permit explicit disabling of RSAMD5 in FIPS mode (#1709553)
When MD5 is disabled in library, it behaved like RSAMD5 were unknown.
But security-policy disables it explicitly. It failed to even start in
FIPS mode, because such algorithm were unknown. Fix disabled algorithm
to return disabled result code. Accept such algorithm only when
disabling it.

Signed-off-by: Petr Menšík <pemensik@redhat.com>
2019-08-08 14:19:59 +02:00
Petr Menšík
fac5ed036c Disable building of export-libs
DHCP no longer needs export libs, stop building them.
2019-08-08 14:19:59 +02:00
Petr Menšík
b4e74efbf2 Enable GeoLite2 support
Make GeoIP support controlled by bcond, defaults to off now.
Instead enable GeoLite2 support.
2019-08-08 12:16:51 +02:00
Petr Menšík
448b6647dc Solve conflicting jsoncpp-devel and json-c-devel 2019-08-08 12:16:51 +02:00
Petr Menšík
371a1e3b7d Update patches to 9.11.9
Maxmind library and defines modifies many patches changing flags.
Conflicts a lot especially with PKCS11 build.
2019-08-08 12:16:51 +02:00
Petr Menšík
afa1fa2af7 Update to 9.11.9 2019-08-08 12:16:51 +02:00
Petr Menšík
1050b1aed6 Use monotonic time in export library (#1732883)
Signed-off-by: Petr Menšík <pemensik@redhat.com>
2019-08-08 12:16:51 +02:00
Fedora Release Engineering
3a67af20ad - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2019-07-24 19:16:14 +00:00
Petr Menšík
16ecf0736f Update to 9.11.8
Contains:
5244.	[security]	Fixed a race condition in dns_dispatch_getnext()
			that could cause an assertion failure if a
			significant number of incoming packets were
			rejected. (CVE-2019-6471) [GL #942]

5241.	[bug]		Fix Ed448 private and public key ASN.1 prefix blobs.
			[GL #225]

5237.	[bug]		Recurse to find the root server list with 'dig +trace'.
			[GL #1028]
2019-07-02 11:10:03 +02:00
Petr Menšík
564c143a1b Fix OpenSSL random generator initialization
Also fix warning in test.
2019-06-17 13:56:47 +02:00
Petr Menšík
ecef966359 Fix libisc so version 2019-06-11 14:56:08 +02:00
Petr Menšík
2a466330c5 Update patches to new sources
Modify current and remove already merged patches.
Adjust versions of so libs.
2019-06-11 12:08:54 +02:00
Petr Menšík
625ca235be Update to BIND 9.11.7
Fixes trusted-keys and managed-keys using the same filename.

https://downloads.isc.org/isc/bind9/9.11.7/RELEASE-NOTES-bind-9.11.7.html
2019-06-10 10:41:28 +02:00
Petr Menšík
e97d036624 Fix also postun script 2019-05-06 14:04:12 +02:00
Petr Menšík
926c8e07af Fix error in scriptlet condition
Selinux boolean is not correctly set, correct syntax of bash condition.
2019-05-06 13:05:44 +02:00
Petr Menšík
4b42a5c162 5200. [security] tcp-clients settings could be exceeded in some cases,
which could lead to exhaustion of file descriptors.
                        (CVE-2018-5743) [GL #615]
2019-05-02 14:49:56 +02:00
Petr Menšík
7232bc0a99 Attempt to use rich dependencies
Selinux boolean should be set only in case given selinux policy is
installed. Do not require it inside containers.
2019-04-09 22:18:22 +02:00
Petr Menšík
e2a32c8eca Revert shell change to /bin/false 2019-04-09 20:27:00 +02:00
Petr Menšík
ae423dfbeb Enable optional features by default 2019-03-15 17:48:06 +01:00
Petr Menšík
16bdca79ba Workaround to broken kyua handling of empty test
Also filter used subdirectories, run tests only for compiled libraries
for export-libs.
2019-03-15 15:46:04 +01:00
Petr Menšík
812f6fb336 Fix dnstap unit test issue with pkcs11 2019-03-14 15:59:22 +01:00
Petr Menšík
395fbedb17 Use libcmocka instead of libatf
Upstream no longer ships bundled libatf library and no longer uses ATF
in sources. kyua and cmocka are mandatory for unit tests now. Removes
--with KYUA, use --with UNITTEST on different builds when cmocka and
kyua are available.
2019-03-14 11:41:44 +01:00
Petr Menšík
bcfdb893b9 So versions change
Requires rebuild of all dependent packages.
2019-03-05 21:50:48 +01:00
Petr Menšík
7bc8b1b992 Atf support was removed
cmocka is used instead. Unfortunately it is not packaged in Fedora yet.
2019-03-05 21:50:22 +01:00
Petr Menšík
1e4169114f Adapted patches for new version
Removed merged upstream.
2019-03-05 21:49:26 +01:00
Petr Menšík
2aa49f0cec Update to 9.11.6
Update lastest release, patches not yet adepted for it.
2019-03-05 14:35:50 +01:00
Petr Menšík
25e332108e Make alternative named builds testable in system tests
Red Hat has alternative variant builds of named, which are not ever
tested by system tests. New variables make it relatively easy to test
alternative variants.

For sdb variant use:
export NAMED_VARIANT=-sdb DNSSEC_VARIANT=

For pkcs variant use:
export NAMED_VARIANT=-pkcs11 DNSSEC_VARIANT=-pkcs11

followed by make test in build directory.

Note: PKCS11 tests are still skipped, it requires SLOT variable
exported. Fails in some cases.
2019-03-04 14:18:15 +01:00