RHEL 9.0.0 Alpha bootstrap

The content of this branch was automatically imported from Fedora ELN
with the following as its source:
https://src.fedoraproject.org/rpms/opendnssec#dfb31f8f57b1c5909ab37eda5effb63c58272c64
Petr Šabata 2020-10-15 22:19:27 +02:00
parent 7d72d43719
commit b4e36e5b41
20 changed files with 11699 additions and 0 deletions

18
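--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,18 @@
+/opendnssec-1.4.0a1.tar.gz
+/opendnssec-1.4.0a2.tar.gz
+/opendnssec-1.4.0b1.tar.gz
+/opendnssec-1.4.0b2.tar.gz
+/opendnssec-1.4.0rc1.tar.gz
+/opendnssec-1.4.0rc2.tar.gz
+/opendnssec-1.4.0rc3.tar.gz
+/opendnssec-1.4.0.tar.gz
+/opendnssec-1.4.1.tar.gz
+/opendnssec-1.4.2.tar.gz
+/opendnssec-1.4.3.tar.gz
+/opendnssec-1.4.4.tar.gz
+/opendnssec-1.4.5.tar.gz
+/opendnssec-1.4.6.tar.gz
+/opendnssec-1.4.7.tar.gz
+/opendnssec-1.4.9.tar.gz
+/opendnssec-1.4.14.tar.gz
+/opendnssec-2.1.6.tar.gz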

87
conf.xml Normal file

@ -0,0 +1,87 @@
<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
<RepositoryList>
<Repository name="SoftHSM">
<Module>/usr/lib64/softhsm/libsofthsm.so</Module>
<TokenLabel>OpenDNSSEC</TokenLabel>
<PIN>1234</PIN>
<!--
# Disabled so it stores the public key in the HSM too,
# so bind's dnssec-signzone can be used as well
<SkipPublicKey/>
-->
</Repository>
<!--
<Repository name="sca6000">
<Module>/usr/lib64/opencryptoki/PKCS11_API.so</Module>
<TokenLabel>Sun Metaslot</TokenLabel>
<PIN>test:1234</PIN>
<Capacity>255</Capacity>
<RequireBackup/>
<SkipPublicKey/>
</Repository>
-->
</RepositoryList>
<Common>
<Logging>
<Syslog><Facility>local0</Facility></Syslog>
</Logging>
<PolicyFile>/etc/opendnssec/kasp.xml</PolicyFile>
<ZoneListFile>/etc/opendnssec/zonelist.xml</ZoneListFile>
<!--
<ZoneFetchFile>/etc/opendnssec/zonefetch.xml</ZoneFetchFile>
-->
</Common>
<Enforcer>
<Privileges>
<User>ods</User>
<Group>ods</Group>
</Privileges>
<Datastore><SQLite>/var/opendnssec/kasp.db</SQLite></Datastore>
<!-- <ManualKeyGeneration/> -->
<!-- <RolloverNotification>P14D</RolloverNotification> -->
<!-- the <DelegationSignerSubmitCommand> will get all current
DNSKEYs (as a RRset) on standard input
-->
<!-- <DelegationSignerSubmitCommand>/usr/sbin/eppclient</DelegationSignerSubmitCommand> -->
</Enforcer>
<Signer>
<Privileges>
<User>ods</User>
<Group>ods</Group>
</Privileges>
<WorkingDirectory>/var/opendnssec/tmp</WorkingDirectory>
<WorkerThreads>4</WorkerThreads>
<!-- <SignerThreads>4</SignerThreads> -->
<!--
<Listener>
<Interface><Port>53</Port></Interface>
</Listener>
-->
<!-- the <NotifyCommmand> will expand the following variables:
%zone the name of the zone that was signed
%zonefile the filename of the signed zone
<NotifyCommand>sudo systemctl reload nsd.service</NotifyCommand>
-->
<!--
<NotifyCommand>/usr/sbin/rndc reload %zone</NotifyCommand>
-->
</Signer>
</Configuration>
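Review bot: The SoftHSM repository block ships the token PIN as a literal (`<PIN>1234</PIN>`), and that value gates every signing key in the token, so a packaged conf.xml should at least tell operators to replace it and to keep the file unreadable to other local users, e.g. `<!-- Set a site-specific PIN here and keep this file mode 0640 root:ods -->` next to the PIN element. The spec that installs the file and sets its mode is not among the visible sections, so I cannot confirm what permissions it ends up with. The module path `/usr/lib64/softhsm/libsofthsm.so` is the SoftHSM v1 library name; if the packaged softhsm is version 2 the module is `libsofthsm2.so`, which is worth confirming against the dependency the spec declares.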

106
ods-enforcerd.init Normal file

@ -0,0 +1,106 @@
#!/bin/bash
#
# ods-enforcerd: Starts the OpenDNSSEC Enforcer Daemon
#
# chkconfig: - 13 87
# description: ods-enforcerd is the OpenDNSSEC DNSSEC policy enforcer daemon
# processname: /usr/sbin/ods-enforcerd
# config: /etc/opendnssec/conf.xml
#
### BEGIN INIT INFO
# Provides: ods-enforcerd
# Required-Start: $local_fs $network $syslog
# Required-Stop: $local_fs $network $syslog
# Default-Stop: 0 11 89
# Short-Description: start|stop|status|restart|try-restart| OpenDNSSEC Enforcer Daemon
# Description: control OpenDNSSEC enforcer daemon
### END INIT INFO
# Init script default settings
ODS_ENFORCERD_CONF="/etc/opendnssec/conf.xml"
ODS_ENFORCERD_OPT=""
ODS_ENFORCERD_PROG="/usr/sbin/ods-enforcerd"
ODS_ENFORCERD_PIDFILE="/var/run/opendnssec/enforcerd.pid"
PIDDIR="/var/run/opendnssec"
# Source function library.
. /etc/rc.d/init.d/functions
[ -r /etc/sysconfig/ods ] && . /etc/sysconfig/ods
# Check that networking is configured.
[ "${NETWORKING}" = "no" ] && exit 0
start() {
# Source networking configuration.
[ -r /etc/sysconfig/network ] && . /etc/sysconfig/network
# Check that networking is up
[ "${NETWORKING}" = "no" ] && exit 1
# Sanity checks.
[ -f $ODS_ENFORCERD_CONF ] || exit 5
[ -x $ODS_ENFORCERD_PROG ] || exit 5
# /var/run could (and should) be tmpfs
[ -d $PIDDIR ] || mkdir -p $PIDDIR
echo -n $"Starting ods-enforcerd:"
$ODS_ENFORCERD_PROG -c $ODS_ENFORCERD_CONF $ODS_ENFORCERD_OPT
RETVAL=$?
if [ $RETVAL -eq 0 ]; then
touch /var/lock/subsys/ods-enforcerd;
success
echo
else
failure
echo
exit 7;
fi
return 0;
}
stop() {
echo -n $"Stopping ods-enforcerd: "
killproc -p $ODS_ENFORCERD_PIDFILE $ODS_ENFORCERD_PROG
retval=$?
if [ $retval -eq 0 ] ; then
rm -f $ODS_ENFORCERD_PIDFILE
rm -f /var/lock/subsys/ods-enforcerd
success
else
failure
fi
echo
return $retval
}
restart() {
stop
start
}
RETVAL=0
# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
restart
;;
condrestart)
[ -f /var/lock/subsys/ods-enforcerd ] && restart || :
;;
status)
status -p $ODS_ENFORCERD_PIDFILE $ODS_ENFORCERD_PROG
;;
*)
echo $"Usage: $0 {start|stop|status|restart|condrestart}"
exit 1
esac
exit $?
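Review bot: The top-level guard `[ "${NETWORKING}" = "no" ] && exit 0` runs before `/etc/sysconfig/network` is sourced, which only happens inside `start()`, so at that point it tests a variable that is normally unset and the check never fires; either source the file before the guard or drop the top-level copy and keep the one in `start()`. ods-signerd.init has the same ordering. In `start()` the pidfile directory is created with `mkdir -p $PIDDIR` as root while conf.xml asks the daemon to run as user ods; whether the daemon can still write its pidfile depends on when it writes it relative to dropping privileges, which is not visible here, so if it writes after the drop the script needs `chown ods:ods $PIDDIR` as well. The fixed-path expansions (`$ODS_ENFORCERD_CONF`, `$PIDDIR`, `$ODS_ENFORCERD_PIDFILE`) are unquoted throughout; quoting them is the safer habit, leaving only `$ODS_ENFORCERD_OPT` unquoted on purpose since it carries several words.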

14
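--- a/ods-enforcerd.service
+++ b/ods-enforcerd.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=OpenDNSSEC Enforcer daemon
+After=syslog.target network.target
+[Service]
+Type=forking
+User=ods
+Group=ods
+PIDFile=/run/opendnssec/enforcerd.pid
+EnvironmentFile=-/etc/sysconfig/ods
+ExecStart=/usr/sbin/ods-enforcerd $ODS_ENFORCERD_OPT
+[Install]
+WantedBy=multi-user.target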
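Review bot: `PIDFile=/run/opendnssec/enforcerd.pid` points into a directory that nothing in this unit creates; /run is a tmpfs and the init script's `mkdir -p` has no counterpart here, so unless a tmpfiles.d snippet elsewhere in the package creates `/run/opendnssec` (not visible in this commit) the forking start-up has nowhere to find its pidfile. Adding `RuntimeDirectory=opendnssec` to [Service] (with `RuntimeDirectoryMode=0750` if the daemon writes the pidfile as ods) covers both creation and ownership, and the same applies to ods-signerd.service. The unit already runs as `User=ods`, so the `<Privileges>` section in conf.xml is effectively redundant under systemd; that is harmless, but given the daemon appears to need only /etc/opendnssec, /var/opendnssec and /run/opendnssec per conf.xml, it is also a good candidate for `PrivateTmp=true` and `NoNewPrivileges=true`, to be confirmed against whatever the enforcer executes (for example a configured DelegationSignerSubmitCommand).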

112
ods-signerd.init Normal file

@ -0,0 +1,112 @@
#!/bin/bash
#
# ods-signerd: Starts the OpenDNSSEC Signer Daemon
#
# chkconfig: - 13 87
# description: ods-signerd is the OpenDNSSEC DNSSEC zone signer daemon
# processname: /usr/sbin/ods-signerd
# config: /etc/opendnssec/conf.xml
#
### BEGIN INIT INFO
# Provides: ods-signerd
# Required-Start: $local_fs $network $syslog
# Required-Stop: $local_fs $network $syslog
# Default-Stop: 0 11 89
# Short-Description: start|stop|status|restart|try-restart|reload|force-reload OpenDNSSEC Signer Daemon
# Description: control OpenDNSSEC signer daemon
### END INIT INFO
# Init script default settings
ODS_SIGNERD_CONF="/etc/opendnssec/conf.xml"
ODS_SIGNERD_OPT=""
ODS_SIGNERD_PROG="/usr/sbin/ods-signerd"
ODS_SIGNER_PROG="/usr/sbin/ods-signer"
ODS_SIGNERD_PIDFILE="/var/run/opendnssec/signerd.pid"
PIDDIR="/var/run/opendnssec"
# Source function library.
. /etc/rc.d/init.d/functions
[ -r /etc/sysconfig/ods ] && . /etc/sysconfig/ods
# Check that networking is configured.
[ "${NETWORKING}" = "no" ] && exit 0
start() {
# Source networking configuration.
[ -r /etc/sysconfig/network ] && . /etc/sysconfig/network
# Check that networking is up
[ "${NETWORKING}" = "no" ] && exit 1
# Sanity checks.
[ -f $ODS_SIGNERD_CONF ] || exit 5
[ -x $ODS_SIGNERD_PROG ] || exit 5
# /var/run could (and should) be tmpfs
[ -d $PIDDIR ] || mkdir -p $PIDDIR
echo -n $"Starting ods-signerd:"
# ods-signerd is lying about supporting -c conf.file option :(
# $ODS_SIGNERD_PROG -c $ODS_SIGNERD_CONF $ODS_SIGNERD_OPT
$ODS_SIGNERD_PROG $ODS_SIGNERD_OPT
RETVAL=$?
if [ $RETVAL -eq 0 ]; then
touch /var/lock/subsys/ods-signerd;
success
echo
else
failure
echo
exit 7;
fi
return 0;
}
stop() {
echo -n $"Stopping ods-signerd: "
#$ODS_SIGNER_PROG -c $ODS_SIGNERD_CONF stop
# seems that this loses our settings :(
/usr/sbin/ods-signer stop
RETVAL=$?
[ "$RETVAL" -eq 0 ] || killproc $ODS_SIGNERD_PROG -TERM >/dev/null 2>&1
if [ $RETVAL -eq 0 ] ; then
rm -f $ODS_SIGNERD_PIDFILE
rm -f /var/lock/subsys/ods-signerd
success
else
failure
fi
echo
return $RETVAL
}
restart() {
stop
start
}
RETVAL=0
# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
restart
;;
condrestart)
[ -f /var/lock/subsys/ods-signerd ] && restart || :
;;
status)
status -p $ODS_SIGNERD_PIDFILE $ODS_SIGNERD_PROG
;;
*)
echo $"Usage: $0 {start|stop|status|restart|condrestart}"
exit 1
esac
exit $?
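Review bot: In `stop()`, when `/usr/sbin/ods-signer stop` fails the fallback `killproc $ODS_SIGNERD_PROG -TERM` runs but `RETVAL` keeps the earlier non-zero value, so the branch below reports failure, leaves the pidfile and the subsys lock in place, and returns an error even when the fallback actually stopped the daemon; capture the fallback's status instead, `[ "$RETVAL" -eq 0 ] || { killproc $ODS_SIGNERD_PROG -TERM >/dev/null 2>&1; RETVAL=$?; }`. The comment about `-c` not being honoured by ods-signerd is useful but dated by the version this import targets; if a newer signer does accept it, the commented-out line with `$ODS_SIGNERD_CONF` can be restored so the init script and conf.xml agree on the config path.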

14
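--- a/ods-signerd.service
+++ b/ods-signerd.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=OpenDNSSEC signer daemon
+After=syslog.target network.target ods-enforcerd.service
+[Service]
+Type=simple
+User=ods
+Group=ods
+PIDFile=/run/opendnssec/signerd.pid
+EnvironmentFile=-/etc/sysconfig/ods
+ExecStart=/usr/sbin/ods-signerd -d $ODS_SIGNERD_OPT
+[Install]
+WantedBy=multi-user.target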
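Review bot: `PIDFile=` is documented for `Type=forking`; with `Type=simple` systemd already knows the main PID from the process it spawned, so the `PIDFile=/run/opendnssec/signerd.pid` line is at best unused and, if `-d` keeps ods-signerd in the foreground as the simple type assumes, can be dropped. `After=ods-enforcerd.service` only orders the two units; if the signer depends on the enforcer being up it also needs `Wants=ods-enforcerd.service` in [Unit], otherwise the ordering is fine on its own. The `/run/opendnssec` directory is not created by this unit either, so `RuntimeDirectory=opendnssec` is warranted here as well if any pidfile or socket lives there.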

2
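--- a/ods.sysconfig
+++ b/ods.sysconfig
@@ -0,0 +1,2 @@
+ODS_SIGNERD_OPT=""
+ODS_ENFORCERD_OPT=""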


@ -0,0 +1,95 @@
From e2bbb899195ea98b6b5f6c972ab764a53b387789 Mon Sep 17 00:00:00 2001
From: Yuri Schaeffer <yuri@nlnetlabs.nl>
Date: Fri, 4 Nov 2016 15:35:06 +0100
Subject: [PATCH] HMAC_CTX_init deprecated in openssl-1.1.0
---
m4/acx_ssl.m4 | 12 +++++++++---
signer/src/Makefile.am | 4 ++--
signer/src/wire/tsig-openssl.c | 15 ++++++++++++---
3 files changed, 23 insertions(+), 8 deletions(-)
diff --git a/m4/acx_ssl.m4 b/m4/acx_ssl.m4
index 1dc6e40..3d64626 100644
--- a/m4/acx_ssl.m4
+++ b/m4/acx_ssl.m4
@@ -35,12 +35,18 @@ AC_DEFUN([ACX_SSL], [
if test x_$ssldir = x_/usr/sfw; then
SSL_LIBS="$SSL_LIBS -R$ssldir/lib";
fi
- AC_CHECK_LIB(crypto, HMAC_CTX_init,, [
- AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required])
- ])
+ AC_CHECK_LIB(crypto, HMAC_CTX_reset, [
+ AC_DEFINE_UNQUOTED([HAVE_SSL_NEW_HMAC], [], [Define if you have the SSL libraries with new HMAC related functions.])
+ SSL_LIBS="$SSL_LIBS -lcrypto";
+ ], [
+ AC_CHECK_LIB(crypto, HMAC_CTX_init,, [
+ AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required])
+ ])
+ ] )
AC_CHECK_FUNCS([EVP_sha1 EVP_sha256])
fi
AC_SUBST(HAVE_SSL)
+ AC_SUBST(HAVE_SSL_NEW_HMAC)
AC_SUBST(SSL_INCLUDES)
AC_SUBST(SSL_LIBS)
fi
diff --git a/signer/src/Makefile.am b/signer/src/Makefile.am
index 60e8877..b39eac8 100644
--- a/signer/src/Makefile.am
+++ b/signer/src/Makefile.am
@@ -133,7 +133,7 @@ ods_signer_SOURCES= ods-signer.c \
wire/xfrd.c wire/xfrd.h
ods_signer_LDADD= $(LIBHSM)
-ods_signer_LDADD+= @LDNS_LIBS@ @XML2_LIBS@ @RT_LIBS@
+ods_signer_LDADD+= @LDNS_LIBS@ @XML2_LIBS@ @RT_LIBS@ @SSL_LIBS@
ods_signer_LDADD+= $(LIBCOMPAT)
ods_getconf_SOURCES= ods-getconf.c \
@@ -193,5 +193,5 @@ ods_getconf_SOURCES= ods-getconf.c \
wire/xfrd.c wire/xfrd.h
ods_getconf_LDADD= $(LIBHSM)
-ods_getconf_LDADD+= @LDNS_LIBS@ @XML2_LIBS@ @RT_LIBS@
+ods_getconf_LDADD+= @SSL_LIBS@ @LDNS_LIBS@ @XML2_LIBS@ @RT_LIBS@
ods_getconf_LDADD+= $(LIBCOMPAT)
diff --git a/signer/src/wire/tsig-openssl.c b/signer/src/wire/tsig-openssl.c
index c26b1e7..24fd342 100644
--- a/signer/src/wire/tsig-openssl.c
+++ b/signer/src/wire/tsig-openssl.c
@@ -131,8 +131,11 @@ static void
cleanup_context(void *data)
{
HMAC_CTX* context = (HMAC_CTX*) data;
+#ifdef HAVE_SSL_NEW_HMAC
+ HMAC_CTX_free(context);
+#else
HMAC_CTX_cleanup(context);
- return;
+#endif
}
static void
@@ -155,9 +158,15 @@ context_add_cleanup(void* context)
static void*
create_context(allocator_type* allocator)
{
- HMAC_CTX* context = (HMAC_CTX*) allocator_alloc(allocator,
- sizeof(HMAC_CTX));
+ HMAC_CTX* context;
+#ifdef HAVE_SSL_NEW_HMAC
+ context = HMAC_CTX_new();
+ if (!context) return NULL;
+ HMAC_CTX_reset(context);
+#else
+ context = (HMAC_CTX*) allocator_alloc(allocator, sizeof(HMAC_CTX));
HMAC_CTX_init(context);
+#endif
context_add_cleanup(context);
return context;
}
--
2.9.3
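Review bot: The new `create_context` path returns NULL when `HMAC_CTX_new()` fails, whereas the allocator path it replaces is not shown to return NULL, so callers of `create_context` (outside this hunk) may never have had to handle a NULL context and now need checking. `HMAC_CTX_reset(context)` directly after `HMAC_CTX_new()` is redundant, since a freshly created context is already in the reset state; harmless, but worth a one-line comment such as `/* HMAC_CTX_new() returns an initialised context; reset kept for symmetry with HMAC_CTX_init */` or simply dropping the call. In the m4 hunk `AC_SUBST(HAVE_SSL_NEW_HMAC)` substitutes a shell variable that nothing sets — `AC_DEFINE_UNQUOTED` only emits a preprocessor define — so the substitution is empty; either set `HAVE_SSL_NEW_HMAC=1` in the found branch or drop the `AC_SUBST`.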


@ -0,0 +1,13 @@
diff -Naur opendnssec-1.4.5-orig/signer/src/adapter/addns.c opendnssec-1.4.5/signer/src/adapter/addns.c
--- opendnssec-1.4.5-orig/signer/src/adapter/addns.c 2014-03-25 06:45:44.000000000 +0000
+++ opendnssec-1.4.5/signer/src/adapter/addns.c 2014-04-18 16:26:39.079974120 +0000
@@ -243,7 +243,8 @@
tmp_serial =
ldns_rdf2native_int32(ldns_rr_rdf(rr, SE_SOA_RDATA_SERIAL));
old_serial = adapi_get_serial(zone);
- if (!util_serial_gt(tmp_serial, old_serial)) {
+ if (!util_serial_gt(tmp_serial, old_serial)
+ && zone->db->is_initialized) {
ods_log_info("[%s] zone %s is already up to date, have "
"serial %u, got serial %u", adapter_str, zone->name,
old_serial, tmp_serial);
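Review bot: The patch file carries no description of the defect it fixes, so the next packager has to reverse-engineer why a non-increasing serial is now accepted when `zone->db->is_initialized` is false; a short header above the `diff -Naur` line, for example `Accept the incoming SOA serial for a zone whose database has not been initialised yet, so a fresh zone is not rejected as "already up to date"`, would document the intent (the exact failure mode is presumed, not visible here). The hunk also dereferences `zone->db` unconditionally; whether `db` can be NULL at this point in `addns.c` is not visible in the hunk and is worth confirming.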


@ -0,0 +1,168 @@
commit 672d2c75ccd3cd5f2317bb76af4c9cc4e5aa4a37
Author: Petr Spacek <pspacek@redhat.com>
Date: Fri Jul 18 16:19:36 2014 +0200
add libhsm configuration option <AllowExtraction/>
This option allows user to generate private keys with CKA_EXTRACTABLE
flag set to TRUE. Defaults to FALSE.
diff --git a/NEWS b/NEWS
index 4db7038..2efa176 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,8 @@
+* Enforcer: New repository option <AllowExtraction/> allows to generate keys
+ with CKA_EXTRACTABLE attribute set to TRUE so keys can be wrapped
+ and extracted from HSM.
+
+
OpenDNSSEC 1.4.6 - 2014-07-21
* Signer Engine: Print secondary server address when logging notify reply
diff --git a/conf/conf.rnc b/conf/conf.rnc
index 71d527f..65f837e 100644
--- a/conf/conf.rnc
+++ b/conf/conf.rnc
@@ -50,7 +50,10 @@ start = element Configuration {
element RequireBackup { empty }?,
# Do not maintain public keys in the repository (optional)
- element SkipPublicKey { empty }?
+ element SkipPublicKey { empty }?,
+
+ # Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional)
+ element AllowExtraction { empty }?
}*
},
diff --git a/conf/conf.xml.in b/conf/conf.xml.in
index 0ef2ab9..0536681 100644
--- a/conf/conf.xml.in
+++ b/conf/conf.xml.in
@@ -9,6 +9,9 @@
<TokenLabel>OpenDNSSEC</TokenLabel>
<PIN>1234</PIN>
<SkipPublicKey/>
+ <!--
+ <AllowExtraction/>
+ -->
</Repository>
<!--
diff --git a/libhsm/src/lib/libhsm.c b/libhsm/src/lib/libhsm.c
index d723b31..1f9720e 100644
--- a/libhsm/src/lib/libhsm.c
+++ b/libhsm/src/lib/libhsm.c
@@ -504,6 +504,7 @@ static void
hsm_config_default(hsm_config_t *config)
{
config->use_pubkey = 1;
+ config->allow_extract = 0;
}
/* creates a session_t structure, and automatically adds and initializes
@@ -2054,6 +2055,8 @@ hsm_open(const char *config,
module_pin = (char *) xmlNodeGetContent(curNode);
if (xmlStrEqual(curNode->name, (const xmlChar *)"SkipPublicKey"))
module_config.use_pubkey = 0;
+ if (xmlStrEqual(curNode->name, (const xmlChar *)"AllowExtraction"))
+ module_config.allow_extract = 1;
curNode = curNode->next;
}
@@ -2341,10 +2344,12 @@ hsm_generate_rsa_key(hsm_ctx_t *ctx,
CK_BBOOL ctrue = CK_TRUE;
CK_BBOOL cfalse = CK_FALSE;
CK_BBOOL ctoken = CK_TRUE;
+ CK_BBOOL cextractable = CK_FALSE;
if (!ctx) ctx = _hsm_ctx;
session = hsm_find_repository_session(ctx, repository);
if (!session) return NULL;
+ cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
/* check whether this key doesn't happen to exist already */
do {
@@ -2380,7 +2385,7 @@ hsm_generate_rsa_key(hsm_ctx_t *ctx,
{ CKA_SENSITIVE, &ctrue, sizeof (ctrue) },
{ CKA_TOKEN, &ctrue, sizeof (ctrue) },
{ CKA_PRIVATE, &ctrue, sizeof (ctrue) },
- { CKA_EXTRACTABLE, &cfalse, sizeof (cfalse) }
+ { CKA_EXTRACTABLE, &cextractable, sizeof (cextractable) }
};
rv = ((CK_FUNCTION_LIST_PTR)session->module->sym)->C_GenerateKeyPair(session->session,
@@ -2420,6 +2425,7 @@ hsm_generate_dsa_key(hsm_ctx_t *ctx,
CK_OBJECT_HANDLE domainPar, publicKey, privateKey;
CK_BBOOL ctrue = CK_TRUE;
CK_BBOOL cfalse = CK_FALSE;
+ CK_BBOOL cextractable = CK_FALSE;
/* ids we create are 16 bytes of data */
unsigned char id[16];
@@ -2466,12 +2472,13 @@ hsm_generate_dsa_key(hsm_ctx_t *ctx,
{ CKA_SENSITIVE, &ctrue, sizeof(ctrue) },
{ CKA_TOKEN, &ctrue, sizeof(ctrue) },
{ CKA_PRIVATE, &ctrue, sizeof(ctrue) },
- { CKA_EXTRACTABLE, &cfalse, sizeof(cfalse) }
+ { CKA_EXTRACTABLE, &cextractable, sizeof (cextractable) }
};
if (!ctx) ctx = _hsm_ctx;
session = hsm_find_repository_session(ctx, repository);
if (!session) return NULL;
+ cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
/* check whether this key doesn't happen to exist already */
@@ -2533,6 +2540,7 @@ hsm_generate_gost_key(hsm_ctx_t *ctx,
CK_OBJECT_HANDLE publicKey, privateKey;
CK_BBOOL ctrue = CK_TRUE;
CK_BBOOL cfalse = CK_FALSE;
+ CK_BBOOL cextractable = CK_FALSE;
/* ids we create are 16 bytes of data */
unsigned char id[16];
@@ -2569,12 +2577,13 @@ hsm_generate_gost_key(hsm_ctx_t *ctx,
{ CKA_SENSITIVE, &ctrue, sizeof(ctrue) },
{ CKA_TOKEN, &ctrue, sizeof(ctrue) },
{ CKA_PRIVATE, &ctrue, sizeof(ctrue) },
- { CKA_EXTRACTABLE, &cfalse, sizeof(cfalse) }
+ { CKA_EXTRACTABLE, &cextractable, sizeof (cextractable) }
};
if (!ctx) ctx = _hsm_ctx;
session = hsm_find_repository_session(ctx, repository);
if (!session) return NULL;
+ cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
/* check whether this key doesn't happen to exist already */
diff --git a/libhsm/src/lib/libhsm.h b/libhsm/src/lib/libhsm.h
index 45d110a..08224b8 100644
--- a/libhsm/src/lib/libhsm.h
+++ b/libhsm/src/lib/libhsm.h
@@ -75,6 +75,7 @@
/*! HSM configuration */
typedef struct {
unsigned int use_pubkey; /*!< Maintain public keys in HSM */
+ unsigned int allow_extract; /*!< Generate CKA_EXTRACTABLE private keys */
} hsm_config_t;
/*! Data type to describe an HSM */
--- a/conf/conf.rng
+++ b/conf/conf.rng
@@ -71,6 +71,12 @@
<empty/>
</element>
</optional>
+ <optional>
+ <!-- Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional) -->
+ <element name="AllowExtraction">
+ <empty/>
+ </element>
+ </optional>
</element>
</zeroOrMore>
</element>
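Review bot: The NEWS entry and the rnc/rng comments describe `<AllowExtraction/>` only as "allows to generate keys with CKA_EXTRACTABLE", without stating the consequence: the flag is repository-wide, every key generated while it is set can be wrapped out of the HSM for the rest of its life, and the template still sets `CKA_SENSITIVE` to TRUE (visible in all three key-generation hunks), so plaintext export stays blocked and only wrapped extraction becomes possible. Spelling that out in the NEWS text, e.g. `Keys remain CKA_SENSITIVE; the option only permits wrapped export and applies to every key generated while it is set`, would help operators judge the trade-off. In `hsm_generate_dsa_key` and `hsm_generate_gost_key` the `cfalse` local loses its only visible use once the `CKA_EXTRACTABLE` entry switches to `cextractable`; if nothing else in those functions reads it, it will trip unused-variable warnings. The same patch is repeated for 1.4.7 in the following section, where the same notes apply.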


@ -0,0 +1,156 @@
diff -Naur opendnssec-1.4.7-orig/conf/conf.rnc opendnssec-1.4.7/conf/conf.rnc
--- opendnssec-1.4.7-orig/conf/conf.rnc 2014-12-04 10:17:40.000000000 -0500
+++ opendnssec-1.4.7/conf/conf.rnc 2014-12-08 22:49:16.100212010 -0500
@@ -50,7 +50,10 @@
element RequireBackup { empty }?,
# Do not maintain public keys in the repository (optional)
- element SkipPublicKey { empty }?
+ element SkipPublicKey { empty }?,
+
+ # Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional)
+ element AllowExtraction { empty }?
}*
},
diff -Naur opendnssec-1.4.7-orig/conf/conf.rng opendnssec-1.4.7/conf/conf.rng
--- opendnssec-1.4.7-orig/conf/conf.rng 2014-12-04 10:18:39.000000000 -0500
+++ opendnssec-1.4.7/conf/conf.rng 2014-12-08 22:49:16.105212137 -0500
@@ -71,6 +71,12 @@
<empty/>
</element>
</optional>
+ <optional>
+ <!-- Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional) -->
+ <element name="AllowExtraction">
+ <empty/>
+ </element>
+ </optional>
</element>
</zeroOrMore>
</element>
diff -Naur opendnssec-1.4.7-orig/conf/conf.xml.in opendnssec-1.4.7/conf/conf.xml.in
--- opendnssec-1.4.7-orig/conf/conf.xml.in 2014-12-04 10:17:40.000000000 -0500
+++ opendnssec-1.4.7/conf/conf.xml.in 2014-12-08 22:49:16.101212036 -0500
@@ -9,6 +9,9 @@
<TokenLabel>OpenDNSSEC</TokenLabel>
<PIN>1234</PIN>
<SkipPublicKey/>
+ <!--
+ <AllowExtraction/>
+ -->
</Repository>
<!--
diff -Naur opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.c opendnssec-1.4.7/libhsm/src/lib/libhsm.c
--- opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.c 2014-12-04 10:17:40.000000000 -0500
+++ opendnssec-1.4.7/libhsm/src/lib/libhsm.c 2014-12-08 22:49:16.102212061 -0500
@@ -504,6 +504,7 @@
hsm_config_default(hsm_config_t *config)
{
config->use_pubkey = 1;
+ config->allow_extract = 0;
}
/* creates a session_t structure, and automatically adds and initializes
@@ -2054,6 +2055,8 @@
module_pin = (char *) xmlNodeGetContent(curNode);
if (xmlStrEqual(curNode->name, (const xmlChar *)"SkipPublicKey"))
module_config.use_pubkey = 0;
+ if (xmlStrEqual(curNode->name, (const xmlChar *)"AllowExtraction"))
+ module_config.allow_extract = 1;
curNode = curNode->next;
}
@@ -2341,10 +2344,12 @@
CK_BBOOL ctrue = CK_TRUE;
CK_BBOOL cfalse = CK_FALSE;
CK_BBOOL ctoken = CK_TRUE;
+ CK_BBOOL cextractable = CK_FALSE;
if (!ctx) ctx = _hsm_ctx;
session = hsm_find_repository_session(ctx, repository);
if (!session) return NULL;
+ cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
/* check whether this key doesn't happen to exist already */
do {
@@ -2380,7 +2385,7 @@
{ CKA_SENSITIVE, &ctrue, sizeof (ctrue) },
{ CKA_TOKEN, &ctrue, sizeof (ctrue) },
{ CKA_PRIVATE, &ctrue, sizeof (ctrue) },
- { CKA_EXTRACTABLE, &cfalse, sizeof (cfalse) }
+ { CKA_EXTRACTABLE, &cextractable, sizeof (cextractable) }
};
rv = ((CK_FUNCTION_LIST_PTR)session->module->sym)->C_GenerateKeyPair(session->session,
@@ -2420,6 +2425,7 @@
CK_OBJECT_HANDLE domainPar, publicKey, privateKey;
CK_BBOOL ctrue = CK_TRUE;
CK_BBOOL cfalse = CK_FALSE;
+ CK_BBOOL cextractable = CK_FALSE;
/* ids we create are 16 bytes of data */
unsigned char id[16];
@@ -2466,12 +2472,13 @@
{ CKA_SENSITIVE, &ctrue, sizeof(ctrue) },
{ CKA_TOKEN, &ctrue, sizeof(ctrue) },
{ CKA_PRIVATE, &ctrue, sizeof(ctrue) },
- { CKA_EXTRACTABLE, &cfalse, sizeof(cfalse) }
+ { CKA_EXTRACTABLE, &cextractable, sizeof (cextractable) }
};
if (!ctx) ctx = _hsm_ctx;
session = hsm_find_repository_session(ctx, repository);
if (!session) return NULL;
+ cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
/* check whether this key doesn't happen to exist already */
@@ -2533,6 +2540,7 @@
CK_OBJECT_HANDLE publicKey, privateKey;
CK_BBOOL ctrue = CK_TRUE;
CK_BBOOL cfalse = CK_FALSE;
+ CK_BBOOL cextractable = CK_FALSE;
/* ids we create are 16 bytes of data */
unsigned char id[16];
@@ -2569,12 +2577,13 @@
{ CKA_SENSITIVE, &ctrue, sizeof(ctrue) },
{ CKA_TOKEN, &ctrue, sizeof(ctrue) },
{ CKA_PRIVATE, &ctrue, sizeof(ctrue) },
- { CKA_EXTRACTABLE, &cfalse, sizeof(cfalse) }
+ { CKA_EXTRACTABLE, &cextractable, sizeof (cextractable) }
};
if (!ctx) ctx = _hsm_ctx;
session = hsm_find_repository_session(ctx, repository);
if (!session) return NULL;
+ cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
/* check whether this key doesn't happen to exist already */
diff -Naur opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.h opendnssec-1.4.7/libhsm/src/lib/libhsm.h
--- opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.h 2014-12-04 10:17:40.000000000 -0500
+++ opendnssec-1.4.7/libhsm/src/lib/libhsm.h 2014-12-08 22:49:16.102212061 -0500
@@ -75,6 +75,7 @@
/*! HSM configuration */
typedef struct {
unsigned int use_pubkey; /*!< Maintain public keys in HSM */
+ unsigned int allow_extract; /*!< Generate CKA_EXTRACTABLE private keys */
} hsm_config_t;
/*! Data type to describe an HSM */
diff -Naur opendnssec-1.4.7-orig/NEWS opendnssec-1.4.7/NEWS
--- opendnssec-1.4.7-orig/NEWS 2014-12-04 10:17:40.000000000 -0500
+++ opendnssec-1.4.7/NEWS 2014-12-08 22:50:00.560342544 -0500
@@ -1,3 +1,9 @@
+
+Fedora patch:
+* Enforcer: New repository option <AllowExtraction/> allows to generate keys
+ with CKA_EXTRACTABLE attribute set to TRUE so keys can be wrapped
+ and extracted from HSM.
+
OpenDNSSEC 1.4.7 - 2014-12-04
Bugfixes:



@ -0,0 +1,21 @@
diff --git a/enforcer/src/ods-migrate.c b/enforcer/src/ods-migrate.c
index aece5058a..c440a36af 100644
--- a/enforcer/src/ods-migrate.c
+++ b/enforcer/src/ods-migrate.c
@@ -97,10 +97,13 @@ dblayer_sqlite3_initialize(void)
char const *error;
dlerror();
- handle = dlopen("libsqlite3.so", RTLD_NOW);
+ handle = dlopen("libsqlite3.so.0", RTLD_NOW);
if ((error = dlerror()) != NULL) {
- printf("Failed to load sqlite3 library. dlerror(): %s\n", error);
- exit(1);
+ handle = dlopen("libsqlite3.so", RTLD_NOW); /* unversioned is a -devel package file on some distros */
+ if ((error = dlerror()) != NULL) {
+ printf("Failed to load sqlite3 library. dlerror(): %s\n", error);
+ exit(1);
+ }
}
dblayer_sqlite3.sqlite3_prepare_v2 = (int(*)(sqlite3*, const char*, int, sqlite3_stmt**, const char **))functioncast(dlsym(handle, "sqlite3_prepare_v2"));
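Review bot: The failure report in the fallback branch goes to stdout via `printf`, so when ods-migrate is run from a script or its output is piped the diagnostic is separated from the exit status; `fprintf(stderr, "Failed to load sqlite3 library. dlerror(): %s\n", error);` is the conventional form. The added comment on the unversioned retry is good; a matching one on the first call, `/* prefer the runtime soname so no -devel package is needed */`, would make the order self-explanatory. `dblayer_sqlite3_initialize` continues past the end of the hunk.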


@ -0,0 +1,842 @@
INSERT INTO databaseVersion VALUES (NULL, 1, 1);
-- ~ ************
-- ~ ** policy table
-- ~ **
-- ~ **
-- ~ **
-- ~ **
-- ~ ************
INSERT INTO policy
SELECT id, 1, name, description,
0, 0, 0,
0, 0, 0, 0,
86400, 0, 0,
0, 0, 0,
0, 0, 0,
0, 0, 0,
0, 0, 0,
0, 0, 0,
0, 0, 0,
0, 0, 0,
0
FROM REMOTE.policies;
UPDATE policy
SET signaturesResign = (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policy.id
AND REMOTE.parameters.category_id = 1
AND REMOTE.parameters.name = 'resign');
UPDATE policy
SET signaturesRefresh = (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policy.id
AND REMOTE.parameters.category_id = 1
AND REMOTE.parameters.name = 'refresh') ;
UPDATE policy
SET signaturesJitter = (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policy.id
AND REMOTE.parameters.category_id = 1
AND REMOTE.parameters.name = 'jitter');
UPDATE policy
SET signaturesInceptionOffset = (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policy.id
AND REMOTE.parameters.category_id = 1
AND REMOTE.parameters.name = 'clockskew');
UPDATE policy
SET signaturesValidityDefault = (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policy.id
AND REMOTE.parameters.category_id = 1
AND REMOTE.parameters.name = 'valdefault');
UPDATE policy
SET signaturesValidityDenial = (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policy.id
AND REMOTE.parameters.category_id = 1
AND REMOTE.parameters.name = 'valdenial');
--MaxZoneTTL default 86400
-- We need the following mapping 1.4 -> 2.0 for denialType
-- 0 -> 1
-- 3 -> 0
UPDATE policy
SET denialType = (
SELECT (~value)&1
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policy.id
AND REMOTE.parameters.category_id = 2
AND REMOTE.parameters.name = 'version');
-- I'm pretty sure this is not the correct way to do it. It is aweful but
-- I can't figure it out how it would work for sqlite.
UPDATE policy
SET denialOptout = (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policy.id
AND REMOTE.parameters.category_id = 2
AND REMOTE.parameters.name = 'optout')
WHERE null != (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policy.id
AND REMOTE.parameters.category_id = 2
AND REMOTE.parameters.name = 'optout');
UPDATE policy
SET denialTtl = (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policy.id
AND REMOTE.parameters.category_id = 2
AND REMOTE.parameters.name = 'ttl')
WHERE null != (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policy.id
AND REMOTE.parameters.category_id = 2
AND REMOTE.parameters.name = 'ttl');
UPDATE policy
SET denialResalt = (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policy.id
AND REMOTE.parameters.category_id = 2
AND REMOTE.parameters.name = 'resalt')
WHERE null != (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policy.id
AND REMOTE.parameters.category_id = 2
AND REMOTE.parameters.name = 'resalt');
UPDATE policy
SET denialAlgorithm = (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policy.id
AND REMOTE.parameters.category_id = 2
AND REMOTE.parameters.name = 'algorithm')
WHERE null != (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policy.id
AND REMOTE.parameters.category_id = 2
AND REMOTE.parameters.name = 'algorithm');
UPDATE policy
SET denialIterations = (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policy.id
AND REMOTE.parameters.category_id = 2
AND REMOTE.parameters.name = 'iterations')
WHERE null != (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policy.id
AND REMOTE.parameters.category_id = 2
AND REMOTE.parameters.name = 'iterations');
UPDATE policy
SET denialSaltLength = (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policy.id
AND REMOTE.parameters.category_id = 2
AND REMOTE.parameters.name = 'saltlength')
WHERE null != (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policy.id
AND REMOTE.parameters.category_id = 2
AND REMOTE.parameters.name = 'saltlength');
-- clumsy salt update. salt is optional in 1.4 but required in 2.0
-- sqlite is limited in what it can do in an update. I hope there is a
-- better way for this?
UPDATE policy
SET denialSalt = (
SELECT salt
FROM REMOTE.policies
WHERE REMOTE.policies.id = policy.id)
WHERE (
SELECT salt
FROM REMOTE.policies
WHERE REMOTE.policies.id = policy.id) != null;
UPDATE policy
SET denialSaltLastChange = (
SELECT salt_stamp
FROM REMOTE.policies
WHERE REMOTE.policies.id = policy.id)
WHERE (
SELECT salt_stamp
FROM REMOTE.policies
WHERE REMOTE.policies.id = policy.id) != null;
UPDATE policy
SET keysTtl = (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policy.id
AND REMOTE.parameters.category_id = 5
AND REMOTE.parameters.name = 'ttl');
UPDATE policy
SET keysRetireSafety = (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policy.id
AND REMOTE.parameters.category_id = 5
AND REMOTE.parameters.name = 'retiresafety');
UPDATE policy
SET keysPublishSafety = (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policy.id
AND REMOTE.parameters.category_id = 5
AND REMOTE.parameters.name = 'publishsafety');
UPDATE policy
SET keysShared = (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policy.id
AND REMOTE.parameters.category_id = 5
AND REMOTE.parameters.name = 'zones_share_keys');
UPDATE policy
SET keysPurgeAfter = COALESCE((
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policy.id
AND REMOTE.parameters.category_id = 5
AND REMOTE.parameters.name = 'purge'), 0);
UPDATE policy
SET zonePropagationDelay = (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policy.id
AND REMOTE.parameters.category_id = 7
AND REMOTE.parameters.name = 'propagationdelay');
UPDATE policy
SET zoneSoaTtl = (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policy.id
AND REMOTE.parameters.category_id = 7
AND REMOTE.parameters.name = 'ttl');
UPDATE policy
SET zoneSoaMinimum = (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policy.id
AND REMOTE.parameters.category_id = 7
AND REMOTE.parameters.name = 'min');
-- Temporary mapping table between 1.4 and 2.0 SOA serial strategy
CREATE TABLE mapping (
soa14 INTEGER,
soa20 INTEGER
);
INSERT INTO mapping SELECT 1, 2;
INSERT INTO mapping SELECT 2, 0;
INSERT INTO mapping SELECT 3, 1;
INSERT INTO mapping SELECT 4, 3;
UPDATE policy
SET zoneSoaSerial = (
SELECT mapping.soa20
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
INNER JOIN mapping
ON REMOTE.parameters_policies.value = mapping.soa14
WHERE REMOTE.parameters_policies.policy_id = policy.id
AND REMOTE.parameters.category_id = 7
AND REMOTE.parameters.name = 'serial');
DROP TABLE mapping;
-- parentRegistrationDelay = 0 on 1.4
UPDATE policy
SET parentPropagationDelay = (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policy.id
AND REMOTE.parameters.category_id = 8
AND REMOTE.parameters.name = 'propagationdelay');
UPDATE policy
SET parentDsTtl = (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policy.id
AND REMOTE.parameters.category_id = 8
AND REMOTE.parameters.name = 'ttlds');
UPDATE policy
SET parentSoaTtl = (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policy.id
AND REMOTE.parameters.category_id = 8
AND REMOTE.parameters.name = 'ttl');
UPDATE policy
SET parentSoaMinimum = (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policy.id
AND REMOTE.parameters.category_id = 8
AND REMOTE.parameters.name = 'min');
-- passthrough = 0
-- ~ ************
-- ~ ** policyKey table
-- ~ **
-- ~ ** For each policy in 1.4 add two keys: KSK and ZSK
-- ~ **
-- ~ **
-- ~ ************
-- Insert each KSK
INSERT INTO policyKey
SELECT null, 1, id,
1, 0, 0,
0, 0, 0,
0, 0, 4
FROM REMOTE.policies;
-- Insert each ZSK
INSERT INTO policyKey
SELECT null, 1, id,
2, 0, 0,
0, 0, 0,
0, 0, 1
FROM REMOTE.policies;
UPDATE policyKey
SET algorithm = (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
AND REMOTE.parameters.category_id = 3
AND REMOTE.parameters.name = 'algorithm')
WHERE policyKey.role = 1;
UPDATE policyKey
SET algorithm = (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
AND REMOTE.parameters.category_id = 4
AND REMOTE.parameters.name = 'algorithm')
WHERE policyKey.role = 2;
UPDATE policyKey
SET bits = (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
AND REMOTE.parameters.category_id = 3
AND REMOTE.parameters.name = 'bits')
WHERE policyKey.role = 1;
UPDATE policyKey
SET bits = (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
AND REMOTE.parameters.category_id = 4
AND REMOTE.parameters.name = 'bits')
WHERE policyKey.role = 2;
UPDATE policyKey
SET lifetime = (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
AND REMOTE.parameters.category_id = 3
AND REMOTE.parameters.name = 'lifetime')
WHERE policyKey.role = 1;
UPDATE policyKey
SET lifetime = (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
AND REMOTE.parameters.category_id = 4
AND REMOTE.parameters.name = 'lifetime')
WHERE policyKey.role = 2;
UPDATE policyKey
SET repository = (
SELECT REMOTE.securitymodules.name
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
INNER JOIN REMOTE.securitymodules
ON REMOTE.parameters_policies.value = REMOTE.securitymodules.id
WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
AND REMOTE.parameters.category_id = 3
AND REMOTE.parameters.name = 'repository')
WHERE policyKey.role = 1;
UPDATE policyKey
SET repository = (
SELECT REMOTE.securitymodules.name
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
INNER JOIN REMOTE.securitymodules
ON REMOTE.parameters_policies.value = REMOTE.securitymodules.id
WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
AND REMOTE.parameters.category_id = 4
AND REMOTE.parameters.name = 'repository')
WHERE policyKey.role = 2;
UPDATE policyKey
SET standby = (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
AND REMOTE.parameters.category_id = 3
AND REMOTE.parameters.name = 'standby')
WHERE policyKey.role = 1;
UPDATE policyKey
SET standby = (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
AND REMOTE.parameters.category_id = 4
AND REMOTE.parameters.name = 'standby')
WHERE policyKey.role = 2;
UPDATE policyKey
SET manualRollover = (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
AND REMOTE.parameters.category_id = 3
AND REMOTE.parameters.name = 'manual_rollover')
WHERE policyKey.role = 1;
UPDATE policyKey
SET manualRollover = (
SELECT value
FROM REMOTE.parameters_policies
INNER JOIN REMOTE.parameters
ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
AND REMOTE.parameters.category_id = 4
AND REMOTE.parameters.name = 'manual_rollover')
WHERE policyKey.role = 2;
-- rfc5011 = 0. 2.0 has no support
-- minimize already set
-- ~ ************
-- ~ ** hsmKey table
-- ~ **
-- ~ ** get from keypairs and dnsseckeys
-- ~ **
-- ~ **
-- ~ ************
INSERT INTO hsmKey
SELECT DISTINCT REMOTE.keypairs.id, 1, REMOTE.keypairs.policy_id,
REMOTE.keypairs.HSMkey_id, 2, REMOTE.keypairs.size,
REMOTE.keypairs.algorithm, (~(REMOTE.dnsseckeys.keytype)&1)+1,
CASE WHEN REMOTE.keypairs.generate IS NOT NULL THEN
strftime('%s', REMOTE.keypairs.generate)
ELSE strftime("%s", "now") END,
0,
1, --only RSA supported
REMOTE.securitymodules.name,
0 --assume no backup
FROM REMOTE.keypairs
JOIN REMOTE.dnsseckeys
ON REMOTE.keypairs.id = REMOTE.dnsseckeys.keypair_id
JOIN REMOTE.securitymodules
ON REMOTE.securitymodules.id = REMOTE.keypairs.securitymodule_id;
-- For some policies put the keys in a shared state
UPDATE hsmKey
SET state = 3
WHERE EXISTS
(SELECT * FROM hsmKey AS h
JOIN policy ON policy.id = h.policyId
WHERE policy.keysShared AND hsmKey.id = h.id);
-- ~ ************
-- ~ ** zone table
-- ~ **
-- ~ **
-- ~ **
-- ~ **
-- ~ ************
INSERT INTO zone
SELECT zones.id, 1, zones.policy_id,
zones.name, 1, zones.signconf, 0,
0,0,0,
0,0,0,
zones.in_type, zones.input,
zones.out_type, zones.output,
0,0,0
FROM REMOTE.zones;
-- ~ ************
-- ~ ** keyData table
-- ~ **
-- ~ **
-- ~ **
-- ~ **
-- ~ ************
-- Temporary mapping table between 1.4 states and 2.0 ds_at_parent states
-- We are ignoring the fact this may set a DS state for a ZSK; We don't care
CREATE TABLE mapping (
state INTEGER,
ds_state INTEGER
);
INSERT INTO mapping SELECT 1, 0;
INSERT INTO mapping SELECT 2, 0;
INSERT INTO mapping SELECT 3, 1;
INSERT INTO mapping SELECT 4, 3;
INSERT INTO mapping SELECT 5, 5;
INSERT INTO mapping SELECT 6, 5;
INSERT INTO mapping SELECT 7, 5;
INSERT INTO mapping SELECT 8, 5;
INSERT INTO mapping SELECT 9, 5;
INSERT INTO mapping SELECT 10, 5;
INSERT INTO keyData
SELECT
NULL, 1, REMOTE.dnsseckeys.zone_id,
REMOTE.dnsseckeys.keypair_id, REMOTE.keypairs.algorithm,
CASE WHEN REMOTE.dnsseckeys.publish IS NOT NULL THEN
strftime('%s', REMOTE.dnsseckeys.publish)
ELSE strftime("%s", "now") END,
(~REMOTE.dnsseckeys.keytype&1)+1,
REMOTE.dnsseckeys.state <= 4, -- introducing
0, -- should revoke, not used
0, -- standby
REMOTE.dnsseckeys.state = 4 AND REMOTE.dnsseckeys.keytype = 256, --activeZSK:
REMOTE.dnsseckeys.state >= 2 AND REMOTE.dnsseckeys.state <= 5, --publish
REMOTE.dnsseckeys.state = 4 AND REMOTE.dnsseckeys.keytype = 257, --activeKSK:
mapping.ds_state, --dsatparent
1<<16, --keytag (crap, will 2.0 regenerate this?)
(REMOTE.dnsseckeys.keytype&1)*3+1 --minimize
FROM REMOTE.dnsseckeys
JOIN REMOTE.keypairs
ON REMOTE.dnsseckeys.keypair_id = REMOTE.keypairs.id
JOIN mapping
ON REMOTE.dnsseckeys.state = mapping.state
WHERE EXISTS(select REMOTE.zones.id FROM REMOTE.zones WHERE REMOTE.zones.id = REMOTE.dnsseckeys.zone_id);
-- Everything that is just a ZSK must not have dsatparent set.
UPDATE keyData
SET dsatparent = 0
WHERE role = 2;
DROP TABLE mapping;
-- If a active time is set for a ready KSK dsAtParent is submitted
-- instead of submit
UPDATE keyData
SET dsatparent = 2
WHERE keyData.dsAtParent = 1 AND keyData.id IN (
SELECT keyData.id
FROM keyData
JOIN REMOTE.dnsseckeys
ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
WHERE REMOTE.dnsseckeys.active IS NOT NULL);
-- ~ ************
-- ~ ** Keystate table
-- ~ **
-- ~ **
-- ~ **
-- ~ **
-- ~ ************
CREATE TABLE mapping (
state INTEGER,
ds INTEGER,
dk INTEGER,
ks INTEGER,
rs INTEGER
);
INSERT INTO mapping SELECT 1, 0, 0, 0, 0;
INSERT INTO mapping SELECT 2, 0, 1, 1, 1;
INSERT INTO mapping SELECT 3, 0, 2, 2, 1;
INSERT INTO mapping SELECT 4, 2, 2, 2, 1;
INSERT INTO mapping SELECT 5, 3, 2, 2, 3;
INSERT INTO mapping SELECT 6, 0, 3, 3, 0;
INSERT INTO mapping SELECT 7, 3, 0, 0, 0;
INSERT INTO mapping SELECT 8, 3, 0, 0, 0;
INSERT INTO mapping SELECT 9, 3, 0, 0, 0;
INSERT INTO mapping SELECT 10, 3, 0, 0, 0;
-- DS RECORDS
INSERT INTO keyState
SELECT NULL, 1, keyData.id, 0, mapping.ds, strftime("%s", "now"), (keyData.minimize>>2)&1, policy.parentDsTtl
FROM keyData
JOIN zone
ON zone.id = keyData.zoneId
JOIN policy
ON policy.id = zone.policyId
JOIN REMOTE.dnsseckeys
ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
JOIN mapping
ON mapping.state = REMOTE.dnsseckeys.state;
UPDATE keyState
SET state = 1
WHERE keyState.state = 0 AND keyState.type = 0 AND keyState.id IN (
SELECT keyState.id
FROM keyState
JOIN keyData
ON keyData.id = keyState.keydataId
JOIN REMOTE.dnsseckeys
ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
WHERE REMOTE.dnsseckeys.active IS NOT NULL);
-- DNSKEY RECORDS
INSERT INTO keyState
SELECT NULL, 1, keyData.id, 2, mapping.dk, strftime("%s", "now"), (keyData.minimize>>1)&1, policy.keysTtl
FROM keyData
JOIN zone
ON zone.id = keyData.zoneId
JOIN policy
ON policy.id = zone.policyId
JOIN REMOTE.dnsseckeys
ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
JOIN mapping
ON mapping.state = REMOTE.dnsseckeys.state;
-- RRSIG DNSKEY RECORDS
INSERT INTO keyState
SELECT NULL, 1, keyData.id, 3, mapping.ks, strftime("%s", "now"), (keyData.minimize>>1)&1, policy.keysTtl
FROM keyData
JOIN zone
ON zone.id = keyData.zoneId
JOIN policy
ON policy.id = zone.policyId
JOIN REMOTE.dnsseckeys
ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
JOIN mapping
ON mapping.state = REMOTE.dnsseckeys.state;
-- RRSIG RECORDS
INSERT INTO keyState
SELECT NULL, 1, keyData.id, 1, mapping.rs, strftime("%s", "now"), (keyData.minimize>>0)&1, policy.signaturesMaxZoneTtl
FROM keyData
JOIN zone
ON zone.id = keyData.zoneId
JOIN policy
ON policy.id = zone.policyId
JOIN REMOTE.dnsseckeys
ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
JOIN mapping
ON mapping.state = REMOTE.dnsseckeys.state;
--Set to OMN if Tactive + Dttl < Tnow
UPDATE keyState
SET state = 2
WHERE keyState.state = 1 AND keyState.type = 1 AND keyState.id IN (
SELECT keyState.id
FROM keyState
JOIN keyData
ON keyData.id = keyState.keydataId
JOIN REMOTE.dnsseckeys
ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
JOIN zone
ON keyData.zoneId = zone.id
JOIN policy
ON policy.id = zone.policyId
WHERE CAST(strftime("%s", REMOTE.dnsseckeys.active) + policy.signaturesValidityDefault as INTEGER) < strftime("%s", "now"));
--Force the RRSIG state in omnipresent if rumoured and there is no old ZSK
-- unretentive
UPDATE keyState
SET state = 2
WHERE keyState.id IN (
SELECT rs.id FROM keyState AS rs
JOIN keystate AS dk ON dk.keyDataId == rs.keyDataId
WHERE rs.type == 1 AND dk.type == 2 AND rs.state == 1 AND dk.state == 2
AND NOT EXISTS(
SELECT* FROM keystate AS rs2
JOIN keystate AS dk2 ON dk2.keyDataId == rs2.keyDataId
WHERE rs2.type == 1 AND dk2.type == 2 AND rs2.state == 3 AND dk2.state == 2
));
DROP TABLE mapping;
-- We need to create records in the keydependency table in case we are in a
-- rollover. Only done for ZSK. For every introducing ZSK with RRSIG rumoured
-- that has an outroducing ZSK with RRSIG unretentive, we add a record.
INSERT INTO keyDependency
SELECT NULL, 0, keyData.zoneID, SUB.IDout, keyData.id, 1
FROM keyData
JOIN keyState AS KS1
ON KS1.keyDataId == keyData.id
JOIN keyState AS KS2
ON KS2.keyDataId == keyData.id
JOIN (
SELECT keyData.id AS IDout, keyData.zoneID
FROM keyData
JOIN keyState AS KS1
ON KS1.keyDataId == keyData.id
JOIN keyState AS KS2
ON KS2.keyDataId == keyData.id
WHERE KS1.type == 2
AND ks1.state = 2
AND KS2.type == 1
AND KS2.state == 3
AND keyData.introducing == 0
AND keyData.role == 2
) AS SUB
ON SUB.zoneId == keyData.zoneId
WHERE
KS1.type == 2
AND ks1.state = 2
AND KS2.type == 1
AND KS2.state == 1
AND keyData.introducing == 1
AND keyData.role == 2;
-- ZSK
UPDATE keyState
SET state = 4
WHERE (keyState.type = 0 OR keyState.type = 3) AND keyDataId IN (
SELECT keyData.id
FROM keyData
WHERE keyData.role = 2);
--KSK
UPDATE keyState
SET state = 4
WHERE keyState.type = 1 AND keyDataId IN (
SELECT keyData.id
FROM keyData
WHERE keyData.role = 1);
-- For rpm based systems to see if db was migrated already. store opendnssec major minor version
CREATE TABLE rpm_migration (
major INTEGER,
minor INTEGER
);
INSERT INTO rpm_migration VALUES(2, 1);


@ -0,0 +1,7 @@
-- For rpm based systems to see if db was migrated already. store opendnssec major minor version
CREATE TABLE rpm_migration (
major INTEGER,
minor INTEGER
);
INSERT INTO rpm_migration VALUES(2, 1);

25
opendnssec-LICENSE Normal file

@ -0,0 +1,25 @@
$Id: LICENSE 6226 2012-03-26 17:25:52Z jakob $
Copyright (c) 2012 OpenDNSSEC AB (svb). All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

4
opendnssec.cron Normal file

@ -0,0 +1,4 @@
# Ensure multiple ods-enforcerd's on different system roll at the same time
# independant of when the daemon was started. Since TLDs often update their
# zone "on the hour" we do the key rollover checks just before the hour.
50,20 * * * * root test -f /var/lock/subsys/ods-enforcerd && kill -s SIGHUP `cat /var/run/opendnssec/enforcerd.pid` > /dev/null 2> /dev/null
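Review bot: The job is gated on `test -f /var/lock/subsys/ods-enforcerd`, a SysV-init lock file, while this package ships systemd units for ods-enforcerd, so on a systemd host that file is probably never created and the SIGHUP is likely never sent; `systemctl --quiet is-active ods-enforcerd.service` (or a `test -s` on the pid file itself) expresses the intent without depending on the lock file. The header comment promises checks "just before the hour" whereas `50,20` also fires at :20; if two runs per hour are wanted the comment should say so. The pid-file read uses backticks and an unquoted expansion; `kill -s HUP "$(cat /var/run/opendnssec/enforcerd.pid)"` is the safer form, and with an empty or stale pid file the current line produces a kill usage error that the redirections then hide.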

397
opendnssec.spec Normal file

@ -0,0 +1,397 @@
#global prever rcX
%global _hardened_build 1
Summary: DNSSEC key and zone management software
Name: opendnssec
Version: 2.1.6
Release: 8%{?prever}%{?dist}
License: BSD
Url: http://www.opendnssec.org/
Source0: http://www.opendnssec.org/files/source/%{?prever:testing/}%{name}-%{version}%{?prever}.tar.gz
Source1: ods-enforcerd.service
Source2: ods-signerd.service
Source3: ods.sysconfig
Source4: conf.xml
Source5: tmpfiles-opendnssec.conf
Source6: opendnssec.cron
Source7: opendnssec-2.1.sqlite_convert.sql
Source8: opendnssec-2.1.sqlite_rpmversion.sql
Patch1: opendnssec-2.1.6-gcc10-fixups.patch
Patch2: opendnssec-2.1.6-sqlite.patch
Requires: opencryptoki, softhsm >= 2.5.0 , systemd-units
Requires: libxml2, libxslt sqlite
BuildRequires: gcc
BuildRequires: ldns-devel >= 1.6.12, sqlite-devel >= 3.0.0, openssl-devel
BuildRequires: libxml2-devel CUnit-devel, doxygen
# It tests for pkill/killall and would use /bin/false if not found
BuildRequires: procps-ng
BuildRequires: perl-interpreter
BuildRequires: libmicrohttpd-devel jansson-devel libyaml-devel
BuildRequires: systemd-units
Requires(pre): shadow-utils
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
%if 0%{?prever:1}
# For building development snapshots
Buildrequires: autoconf, automake, libtool, java
%endif
%description
OpenDNSSEC was created as an open-source turn-key solution for DNSSEC.
It secures zone data just before it is published in an authoritative
name server. It requires a PKCS#11 crypto module library, such as softhsm
%prep
%setup -q -n %{name}-%{version}%{?prever}
# bump default policy ZSK keysize to 2048
sed -i "s/1024/2048/" conf/kasp.xml.in
%patch1 -p1
%patch2 -p1
%build
export LDFLAGS="-Wl,-z,relro,-z,now -pie -specs=/usr/lib/rpm/redhat/redhat-hardened-ld"
export CFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wextra -Wformat -Wformat-nonliteral -Wformat-security"
export CXXFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wformat-nonliteral -Wformat-security"
%if 0%{?prever:1}
# for development snapshots
sh ./autogen.sh
%endif
%configure --with-ldns=%{_libdir}
%make_build
%check
# Requires sample db not shipped with upstream
# make check
%install
rm -rf %{buildroot}
%make_install
mkdir -p %{buildroot}%{_localstatedir}/opendnssec/{tmp,signed,signconf,enforcer}
install -d -m 0755 %{buildroot}%{_initrddir} %{buildroot}%{_sysconfdir}/cron.d/
install -m 0644 %{SOURCE6} %{buildroot}/%{_sysconfdir}/cron.d/opendnssec
rm -f %{buildroot}/%{_sysconfdir}/opendnssec/*.sample
install -d -m 0755 %{buildroot}/%{_sysconfdir}/sysconfig
install -d -m 0755 %{buildroot}%{_unitdir}
install -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/
install -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/
install -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/sysconfig/ods
install -m 0644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/opendnssec/
mkdir -p %{buildroot}%{_tmpfilesdir}/
install -m 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/opendnssec.conf
mkdir -p %{buildroot}%{_localstatedir}/run/opendnssec
mkdir -p %{buildroot}%{_datadir}/opendnssec/
cp -a enforcer/utils %{buildroot}%{_datadir}/opendnssec/migration
cp -a enforcer/src/db/schema.* %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/
# fixup path for mysql/sqlite. Use our replacement sqlite_convert.sql to detect previous migration
cp -a %{SOURCE7} %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/sqlite_convert.sql
cp -a %{SOURCE8} %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/rpmversion.sql
sed -i "s:^SCHEMA=.*schema:SCHEMA=%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/schema:" %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_sqlite
sed -i "s:find_problematic_zones.sql:%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/find_problematic_zones.sql:g" %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_sqlite
sed -i "s:^SCHEMA=.*schema:SCHEMA=%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/schema:" %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_mysql
sed -i "s:find_problematic_zones.sql:%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/find_problematic_zones.sql:g" %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_mysql
sed -i "s:sqlite_convert.sql:%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/sqlite_convert.sql:g" %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_sqlite
%files
%{_unitdir}/ods-enforcerd.service
%{_unitdir}/ods-signerd.service
%config(noreplace) %{_tmpfilesdir}/opendnssec.conf
%attr(0770,root,ods) %dir %{_sysconfdir}/opendnssec
%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec
%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/tmp
%attr(0775,root,ods) %dir %{_localstatedir}/opendnssec/signed
%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/signconf
%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/enforcer
%attr(0660,root,ods) %config(noreplace) %{_sysconfdir}/opendnssec/*.xml
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/ods
%attr(0770,root,ods) %dir %{_localstatedir}/run/opendnssec
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/cron.d/opendnssec
%doc NEWS README.md
%license LICENSE
%{_mandir}/*/*
%{_sbindir}/*
%{_bindir}/*
%attr(0755,root,root) %dir %{_datadir}/opendnssec
%{_datadir}/opendnssec/*
%pre
getent group ods >/dev/null || groupadd -r ods
getent passwd ods >/dev/null || \
useradd -r -g ods -d /etc/opendnssec -s /sbin/nologin \
-c "opendnssec daemon account" ods
exit 0
%post
# Initialise a slot on the softhsm on first install
if [ "$1" -eq 1 ]; then
%{_sbindir}/runuser -u ods -- %{_bindir}/softhsm2-util --init-token \
--free --label "OpenDNSSEC" --pin 1234 --so-pin 1234
if [ ! -s %{_localstatedir}/opendnssec/kasp.db ]; then
echo y | %{_sbindir}/ods-enforcer-db-setup
%{_bindir}/sqlite3 -batch %{_localstatedir}/opendnssec/kasp.db < %{_datadir}/opendnssec/migration/1.4-2.0_db_convert/rpmversion.sql
fi
elif [ -z "$(%{_bindir}/sqlite3 %{_localstatedir}/opendnssec/kasp.db 'select * from rpm_migration;')" ]; then
# Migrate version 1.4 db to version 2.1 db
if [ -e %{_localstatedir}/opendnssec/rpm-migration-in-progress ]; then
echo "previous (partial?) migration found - human intervention is needed"
else
echo "opendnssec 1.4 database found, migrating to 2.x"
touch %{_localstatedir}/opendnssec/rpm-migration-in-progress
mv -n %{_localstatedir}/opendnssec/kasp.db %{_localstatedir}/opendnssec/kasp.db-1.4
echo "migrating conf.xml from 1.4 to 2.1 schema"
cp -n %{_sysconfdir}/opendnssec/conf.xml %{_sysconfdir}/opendnssec/conf.xml-1.4
# fixup incompatibilities inflicted upon us by upstream :(
sed -i "/<Interval>.*Interval>/d" %{_sysconfdir}/opendnssec/conf.xml
echo "Converting kasp.db"
ERR=""
%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_sqlite -i %{_localstatedir}/opendnssec/kasp.db-1.4 -o %{_localstatedir}/opendnssec/kasp.db || ERR="convert_sqlite error"
chown ods.ods %{_localstatedir}/opendnssec/kasp.db
cp -n %{_sysconfdir}/opendnssec/zonelist.xml %{_localstatedir}/opendnssec/enforcer/zones.xml
if [ -z "$ERR" ]; then
echo "calling ods-migrate"
ods-migrate || ERR="ods-migrate failed"
if [ -z "$ERR" ]; then
echo "opendnssec 1.4 to 2.x migration completed"
rm %{_localstatedir}/opendnssec/rpm-migration-in-progress
else
echo "ods-migrate process failed - human intervention is needed"
fi
else
echo "%{_localstatedir}/opendnssec/kasp.db conversion failed - not calling ods-migrate to complete migration. human intervention is needed"
fi
fi
fi
# in case we update any xml conf file
ods-enforcer update all >/dev/null 2>/dev/null ||:
%systemd_post ods-enforcerd.service
%systemd_post ods-signerd.service
%preun
%systemd_preun ods-enforcerd.service
%systemd_preun ods-signerd.service
%postun
%systemd_postun_with_restart ods-enforcerd.service
%systemd_postun_with_restart ods-signerd.service
%changelog
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.6-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 2.1.6-7
- Use make macros
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
* Thu May 28 2020 Paul Wouters <pwouters@redhat.com> - 2.1.6-6
- Resolves: rhbz#1833718 ods-signerd.service missing .service
* Mon Apr 20 2020 Paul Wouters <pwouters@redhat.com> - 2.1.6-5
- Resolves: rhbz#1825812 AVC avc: denied { dac_override } for comm="ods-enforcerd
* Wed Mar 11 2020 Paul Wouters <pwouters@redhat.com> - 2.1.6-4
- Fix migration check to not attempt to check on first install with no db
* Tue Mar 03 2020 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.6-3
- Create and manage /var/opendnssec/enforcer directory
- Resolves rhbz#1809492
* Wed Feb 19 2020 Paul Wouters <pwouters@redhat.com> - 2.1.6-2
- Update to 2.1.6 (major upgrade, supports migration from 1.4.x)
- gcc10 compile fixups
- Fix trying to use unversioned libsqlite3.so file
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.14-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.14-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.14-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.14-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.14-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Tue Dec 12 2017 Paul Wouters <pwouters@redhat.com> - 1.4.14-1
- Update to 1.4.14 as first steop to migrating to 2.x
- Resolves: rhbz#1413254 Move tmpfiles.d config to %%{_tmpfilesdir}, install LICENSE as %%license
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.9-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.9-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Wed Mar 08 2017 Tomas Hozza <thozza@redhat.com> - 1.4.9-5
- Fix FTBFS (#1424019) in order to rebuild against new ldns
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.9-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Thu Feb 18 2016 Paul Wouters <pwouters@redhat.com> - 1.4.9-3
- Resolves: rbz#1303965 upgrade to opendnssec-1.4.9-1.fc23 breaks old installations
- On initial install, after token init, also run ods-ksmutil setup
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.9-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Mon Feb 01 2016 Paul Wouters <pwouters@redhat.com> - 1.4.9-1
- Updated to 1.4.9
- Removed merged in patch
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.7-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Tue Jun 09 2015 Paul Wouters <pwouters@redhat.com> - 1.4.7-2
- Resolves rhbz#1219746 ods-signerd.service misplaced After= in section Service
- Resolves rhbz#1220443 OpenDNSSEC fails to initialise a slot in softhsm on first install
* Tue Dec 09 2014 Paul Wouters <pwouters@redhat.com> - 1.4.7-1
- Updated to 1.4.7 (fix zone update can get stuck, crash on retransfer cmd)
* Wed Oct 15 2014 Paul Wouters <pwouters@redhat.com> - 1.4.6-4
- Change /etc/opendnssec to be ods group writable
* Wed Oct 08 2014 Paul Wouters <pwouters@redhat.com> - 1.4.6-3
- Added Petr Spacek's patch that adds the config option <AllowExtraction/> (rhbz#1123354)
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Mon Jul 28 2014 Paul Wouters <pwouters@redhat.com> - 1.4.6-1
- Updated to 1.4.6
- Removed incorporated patch upstream
- Remove Wants= from ods-signerd.service (rhbz#1098205)
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.5-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Fri Apr 18 2014 Paul Wouters <pwouters@redhat.com> - 1.4.5-2
- Updated to 1.4.5
- Added patch for serial 0 bug in XFR adapter
* Tue Apr 01 2014 Paul Wouters <pwouters@redhat.com> - 1.4.4-3
- Add buildrequires for ods-kasp2html (rhbz#1073313)
* Sat Mar 29 2014 Paul Wouters <pwouters@redhat.com> - 1.4.4-2
- Add requires for ods-kasp2html (rhbz#1073313)
* Thu Mar 27 2014 Paul Wouters <pwouters@redhat.com> - 1.4.4-1
- Updated to 1.4.4 (compatibility with non RFC 5155 errata 3441)
- Change the default ZSK policy from 1024 to 2048 bit RSA keys
- Fix post to be quiet when upgrading opendnssec
* Thu Jan 09 2014 Paul Wouters <pwouters@redhat.com> - 1.4.3-1
- Updated to 1.4.3 (rhel#1048449) - minor bugfixes, minor feature enhancements
- rhel#1025985 OpenDNSSEC signer cannot be started due to a typo in service file
* Wed Sep 11 2013 Paul Wouters <pwouters@redhat.com> - 1.4.2-1
- Updated to 1.4.2, bugfix release
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Fri Jun 28 2013 Paul Wouters <pwouters@redhat.com> - 1.4.1-1
- Updated to 1.4.1. NSEC3 handling and serial number handling fixes
- Add BuildRequire for systemd-units
* Sat May 11 2013 Paul Wouters <pwouters@redhat.com> - 1.4.0-1
- Updated to 1.4.0
* Fri Apr 12 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-0.8.rc3
- Updated to 1.4.0rc3
- Enabled hardened compile, full relzo/pie
* Fri Jan 25 2013 Patrick Uiterwijk <puiterwijk@gmail.com> - 1.4.0-0.7.rc2
- Updated to 1.4.0rc2, which includes svn r6952
* Fri Jan 18 2013 Patrick Uiterwijk <puiterwijk@gmail.com> - 1.4.0-0.6.rc1
- Updated to 1.4.0rc1
- Applied opendnssec-ksk-premature-retirement.patch (svn r6952)
* Tue Dec 18 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.5.b2
- Updated to 1.4.0b2
- All patches have been merged upstream
- cron job should be marked as config file
* Tue Oct 30 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.4.b1
- Added BuildRequires: procps-ng for bug OPENDNSSEC-345
- Change RRSIG inception offset to -2h to avoid possible
daylight saving issues on resolvers
- Patch to prevent removal of occluded data
* Wed Sep 26 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.3.b1
- Just an EVR fix to the proper standard
- Cleanup of spec file
- Introduce new systemd-rpm macros (rhbz#850242)
* Wed Sep 12 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.b1.1
- Updated to 1.4.0b1
- Patch for NSEC3PARAM TTL
- Cron job to assist narrowing ods-enforcerd timing differences
* Wed Aug 29 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a3.1
- Updated to 1.4.0a3
- Patch to more aggressively try to resign
- Patch to fix locking issue eating up cpu
* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.0-0.a2.2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Tue Jun 12 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a2.1
- Updated to 1.4.0a2
- ksm-utils patch for ods-ksmutil to die sooner when it can't lock
the HSM.
* Wed May 16 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a1.3
- Patch for crasher with deleted RRsets and NSEC3/OPTOUT chains
* Mon Mar 26 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a1.2
- Added opendnssec LICENSE file from trunk (Thanks Jakob!)
* Mon Mar 26 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a1.1
- Fix macros in comment
- Added missing -m to install target
* Sun Mar 25 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a1
- The 1.4.x branch no longer needs ruby, as the auditor has been removed
- Added missing openssl-devel BuildRequire
- Comment out <SkipPublicKey/> so keys generated by ods can be used by bind
* Fri Feb 24 2012 Paul Wouters <pwouters@redhat.com> - 1.3.6-3
- Requires rubygem-soap4r when using ruby-1.9
- Don't ghost /var/run/opendnssec
- Converted initd to systemd
* Thu Nov 24 2011 root - 1.3.2-6
- Added rubygem-dnsruby requires as rpm does not pick it up automatically
* Tue Nov 22 2011 root - 1.3.2-5
- Added /var/opendnssec/signconf/ /as this temp dir is needed
* Mon Nov 21 2011 Paul Wouters <paul@xelerance.com> - 1.3.2-4
- Added /var/opendnssec/signed/ as this is the default output dir
* Sun Nov 20 2011 Paul Wouters <paul@xelerance.com> - 1.3.2-3
- Add ods user for opendnssec tasks
- Added initscripts and services for ods-signerd and ods-enforcerd
- Initialise OpenDNSSEC softhsm token on first install
* Wed Oct 05 2011 Paul Wouters <paul@xelerance.com> - 1.3.2-1
- Updated to 1.3.2
- Added dependancies on opencryptoki and softhsm
- Don't install duplicate unreadable .sample files
- Fix upstream conf.xml to point to actually used library paths
* Thu Mar 3 2011 Paul Wouters <paul@xelerance.com> - 1.2.0-1
- Initial package for Fedora
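Review bot: In %post, the upgrade branch treats any empty output from `sqlite3 kasp.db 'select * from rpm_migration;'` as "this is a 1.4 database", but the output is equally empty when the query fails (marker table absent on a 2.x db created before rpmversion.sql existed, unreadable or locked file), and that path then moves kasp.db aside and runs convert_sqlite on it. A positive test for the old schema is safer than the absence of rows, e.g. `if [ -n "$(%{_bindir}/sqlite3 %{_localstatedir}/opendnssec/kasp.db "select name from sqlite_master where type='table' and name='keypairs';" 2>/dev/null)" ]; then` (keypairs is one of the 1.4 tables the convert script reads), combined with checking sqlite3's exit status rather than its stdout. The first-install branch also creates kasp.db as root via ods-enforcer-db-setup and the sqlite3 append without the `chown ods.ods` the migration branch does at its end, so unless ods-enforcer-db-setup sets ownership itself the enforcer, which conf.xml runs as the ods user, may not be able to write the database; a `chown ods:ods` after both steps (the `user:group` form, `user.group` being the deprecated spelling) would make the two branches consistent.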

1
sources Normal file

@ -0,0 +1 @@
SHA512 (opendnssec-2.1.6.tar.gz) = 9dad545d4ec92bb6fc74fd568160f0515cdfa23af4a901ce147f2c82b684224237687461a13c0e37ce6d3813494e4292dfa98cfb17f871d444eb69baf72a1afd

1
tmpfiles-opendnssec.conf Normal file

@ -0,0 +1 @@
D /run/opendnssec 0755 ods ods -
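Review bot: The runtime directory is declared here as `0755 ods ods`, but the spec's %files packages the same path as `%attr(0770,root,ods) %dir %{_localstatedir}/run/opendnssec`, so after a reboot tmpfiles recreates it with a different owner and mode than rpm installed and `rpm -V` is likely to flag the mismatch. Pick one owner/mode and use it in both places, e.g. `d /run/opendnssec 0770 root ods -`. Note that `D` (unlike `d`) also empties the directory when `systemd-tmpfiles --remove` runs; if that is intended for the pid file, a one-line comment saying so would save the next reader a lookup.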