* Wed Sep 12 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.b1.1

- Updated to 1.4.0b1
- Patch for NSEC3PARAM TTL
- Cron job to assist narrowing ods-enforcerd timing differences

opendnssec-1.4.0a3-aggressive-retry.patch

@@ -0,0 +1,15 @@
+diff -Naur opendnssec-1.4.0a3-orig/signer/src/daemon/worker.c opendnssec-1.4.0a3/signer/src/daemon/worker.c
+--- opendnssec-1.4.0a3-orig/signer/src/daemon/worker.c	2012-08-02 16:57:01.000000000 -0400
++++ opendnssec-1.4.0a3/signer/src/daemon/worker.c	2012-08-20 15:41:34.665175565 -0400
+@@ -173,7 +173,11 @@
+          * lets take a small break to not hog CPU.
+          */
+         if (status == ODS_STATUS_UNCHANGED) {
++#if 0
+             worker_wait_timeout_locked(&q->q_lock, &q->q_nonfull, 60);
++#else
++            worker_wait_timeout_locked(&q->q_lock, &q->q_nonfull, 5);
++#endif
+         }
+         lock_basic_unlock(&q->q_lock);
+     }

opendnssec-1.4.0a3-cpu.patch

@@ -0,0 +1,68 @@
+Modified: trunk/OpenDNSSEC/signer/src/signer/namedb.c
+===================================================================
+- --- trunk/OpenDNSSEC/signer/src/signer/namedb.c	2012-08-09 09:36:35
+UTC (rev 6514)
++++ trunk/OpenDNSSEC/signer/src/signer/namedb.c	2012-08-09 14:19:56
+UTC (rev 6515)
+@@ -215,9 +215,11 @@
+     } else if (ods_strcmp(format, "datecounter") == 0) {
+         soa = (uint32_t) time_datestamp(0, "%Y%m%d", NULL) * 100;
+         if (!util_serial_gt(soa, prev)) {
+- -            ods_log_warning("[%s] unable to use datecounter as serial: %u "
+- -                "does not increase %u. Serial set to %u", db_str, soa, prev,
+- -                (prev+1));
++            if (!db->is_initialized) {
++                ods_log_warning("[%s] unable to use datecounter as serial: %u "
++                    "does not increase %u. Serial set to %u", db_str, soa, prev,
++                    (prev+1));
++            }
+             soa = prev + 1;
+         }
+     } else if (ods_strcmp(format, "counter") == 0) {
+
+Modified: trunk/OpenDNSSEC/signer/src/signer/tools.c
+===================================================================
+- --- trunk/OpenDNSSEC/signer/src/signer/tools.c	2012-08-09 09:36:35 UTC
+(rev 6514)
++++ trunk/OpenDNSSEC/signer/src/signer/tools.c	2012-08-09 14:19:56 UTC
+(rev 6515)
+@@ -39,6 +39,7 @@
+ #include "signer/tools.h"
+ #include "signer/zone.h"
+
++#include <errno.h>
+ #include <sys/types.h>
+ #include <sys/wait.h>
+ #include <unistd.h>
+@@ -213,7 +214,7 @@
+     /* kick the nameserver */
+     if (zone->notify_ns) {
+         int status;
+- -        pid_t pid;
++        pid_t pid, wpid;
+         ods_log_verbose("[%s] notify nameserver: %s", tools_str,
+             zone->notify_ns);
+ 	/** fork */
+@@ -236,9 +237,20 @@
+                 ods_log_debug("[%s] notify nameserver process forked",
+                     tools_str);
+                 /** wait for completion  */
+- -                while (wait(&status) != pid) {
+- -                    ;
++                while((wpid = waitpid(pid, &status, 0)) <= 0) {
++                    if (errno != EINTR) {
++                        break;
++                    }
+                 }
++                if (wpid == -1) {
++                    ods_log_error("[%s] notify nameserver failed: waitpid() ",
++                        "failed (%s)", tools_str, strerror(errno));
++                } else if (!WIFEXITED(status)) {
++                    ods_log_error("[%s] notify nameserver failed: notify ",
++                        "command did not terminate normally", tools_str);
++                } else {
++                    ods_log_verbose("[%s] notify nameserver ok", tools_str);
++                }
+                 break;
+         }
+     }

opendnssec-1.4.0a3-nsec3param.patch

@@ -0,0 +1,12 @@
+diff -Naur opendnssec-1.4.0a3-orig/signer/src/signer/zone.c opendnssec-1.4.0a3/signer/src/signer/zone.c
+--- opendnssec-1.4.0a3-orig/signer/src/signer/zone.c	2012-08-06 06:52:03.000000000 -0400
++++ opendnssec-1.4.0a3/signer/src/signer/zone.c	2012-09-12 17:00:01.813426466 -0400
+@@ -355,7 +355,7 @@
+             return ODS_STATUS_MALLOC_ERR;
+         }
+         ldns_rr_set_class(rr, zone->klass);
+-        ldns_rr_set_ttl(rr, zone->default_ttl);
++        ldns_rr_set_ttl(rr, 0); /* special case */
+         ldns_rr_set_owner(rr, ldns_rdf_clone(zone->apex));
+         ldns_nsec3_add_param_rdfs(rr,
+             zone->signconf->nsec3params->algorithm, 0,

opendnssec.cron

@@ -0,0 +1,4 @@
+# Ensure multiple ods-enforcerd's on different system roll at the same time
+# independant of when the daemon was started. Since TLDs often update their
+# zone "on the hour" we do the key rollover checks just before the hour.
+50,20 * * * * root kill -s SIGHUP `cat /var/run/opendnssec/enforcerd.pid` > /dev/null 2> /dev/null

opendnssec.spec

@@ -1,17 +1,19 @@
 Summary: DNSSEC key and zone management software
 Name: opendnssec
 Version: 1.4.0
-Release: 0.a2%{?dist}.2
+Release: 0.b1%{?dist}.1
 License: BSD
 Url: http://www.opendnssec.org/
-#Source: http://www.opendnssec.org/files/source/% {name}-% {version}a1.tar.gz
-Source: http://www.opendnssec.org/files/source/testing/%{name}-%{version}a2.tar.gz
+#Source: http://www.opendnssec.org/files/source/% {name}-% {version}.tar.gz
+Source: http://www.opendnssec.org/files/source/testing/%{name}-%{version}b1.tar.gz
 Source1: ods-enforcerd.service
 Source2: ods-signerd.service
 Source3: ods.sysconfig
 Source4: conf.xml
 Source5: tmpfiles-opendnssec.conf
-Patch1: opendnssec-1.4.0-ksmutil.patch
+Source6: opendnssec.cron
+PAtch1: opendnssec-1.4.0a3-aggressive-retry.patch
+Patch2: opendnssec-1.4.0a3-nsec3param.patch
 Group: Applications/System
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: opencryptoki, softhsm, systemd-units
@@ -31,12 +33,14 @@ It secures zone data just before it is published in an authoritative
 name server. It requires a PKCS#11 crypto module library, such as softhsm
 
 %prep
-%setup -q -n %{name}-%{version}a2
-%patch1 -p1 -b .ksmutil
+%setup -q -n %{name}-%{version}b1
+%patch1 -p1 -b .aggressive-retry
+%patch2 -p1 -b .nsec3param
 
 %build
 # for snapshots enable below
-sh ./autogen.sh
+# sh ./autogen.sh
+
 %configure --with-ldns=%{_libdir}
 make %{?_smp_mflags}
 
@@ -49,6 +53,9 @@ rm -rf %{buildroot}
 make DESTDIR=%{buildroot} install
 mkdir -p %{buildroot}/var/opendnssec/{tmp,signed,signconf}
 
+install -d -m 0755 %{buildroot}%{_initrddir} %{buildroot}%{_sysconfdir}/cron.d/
+install -m 0644 %{SOURCE7} %{buildroot}/%{_sysconfdir}/cron.d/opendnssec
+
 # cleanup sample files
 rm -f %{buildroot}/%{_sysconfdir}/opendnssec/*.sample
 install -d -m 0755 %{buildroot}/%{_sysconfdir}/sysconfig 
@@ -80,6 +87,7 @@ rm -rf %{buildroot}
 %attr(0660,root,ods) %config(noreplace) %{_sysconfdir}/opendnssec/*.xml
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/ods
 %attr(0770,root,ods) %dir %{_localstatedir}/run/opendnssec
+%attr(0644,root,root) %{_sysconfdir}/cron.d/opendnssec
 %doc NEWS README LICENSE
 %{_mandir}/*/*
 %{_sbindir}/*
@@ -122,6 +130,16 @@ if [ $1 -ge 1 ] ; then
 fi
 
 %changelog
+* Wed Sep 12 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.b1.1
+- Updated to 1.4.0b1
+- Patch for NSEC3PARAM TTL
+- Cron job to assist narrowing ods-enforcerd timing differences
+
+* Wed Aug 29 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a3.1
+- Updated to 1.4.0a3
+- Patch to more aggressively try to resign
+- Patch to fix locking issue eating up cpu
+
 * Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.0-0.a2.2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild