Use static dnssec-root.key with link from lib

Points to static data, which would be overwritten by
unbound-anchor.service. This keeps the default key intact, and the dynamic data
is put in place of the symlink.

Ignore most of file properties of %_localstatedir/unbound/root.key,
default symlink is replaced with anchor maintained regular file.

Resolves: rhbz#2132103
Petr Menšík 2022-12-01 18:09:12 +01:00
parent 0953d81204
commit 00b1b0c570


@ -317,7 +317,12 @@ install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf
# install root - we keep a copy of the root key in old location,
# in case user has changed the configuration and we wouldn't update it there
install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/
install -m 0644 %{SOURCE13} %{buildroot}%{_sharedstatedir}/unbound/root.key
install -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/unbound/dnssec-root.key
# make initial key static
pushd %{buildroot}%{_sharedstatedir}/unbound
KEYPATH=$(realpath --relative-to="%{buildroot}%{_sharedstatedir}/unbound" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key")
ln -s "$KEYPATH" root.key
popd
# remove static library from install (fedora packaging guidelines)
rm %{buildroot}%{_libdir}/*.la
@ -455,9 +460,10 @@ popd
%{_sysusersdir}/%{name}.sysusers
%{_libdir}/libunbound.so.8*
%dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
%attr(0644,unbound,unbound) %config %{_sharedstatedir}/%{name}/root.key
%verify(not size mtime filedigest link mode user group) %{_sharedstatedir}/%{name}/root.key
# just left for backwards compat with user changed unbound.conf files - format is different!
%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
%attr(0644,root,root) %config %{_sysconfdir}/%{name}/dnssec-root.key
%files anchor
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
@ -478,6 +484,7 @@ popd
* Thu Dec 01 2022 Petr Menšík <pemensik@redhat.com> - 1.17.0-2
- Move unbound user creation to libs (#2149036)
- Use systemd-sysusers for user creation (#2105416)
- Keep original DNSSEC root key as config (#2132103)
* Tue Nov 01 2022 Petr Menšík <pemensik@redhat.com> - 1.17.0-1
- Update to 1.17.0 (#2134348)
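Review bot: The `%verify(not size mtime filedigest link mode user group)` entry for `%{_sharedstatedir}/%{name}/root.key` in the `%files` hunk has no comment explaining it, and unlike the `%attr(0644,unbound,unbound) %config` entry printed just above it (which it appears to replace) it is not marked `%config`. Because unbound-anchor is expected to replace the packaged symlink with a regular file, it is worth confirming that a package upgrade does not put the symlink back over that file and reset the DNSSEC trust anchor to the shipped key; the lines shown do not settle this. A comment above the entry would record the intent, for example `# packaged as a symlink; unbound-anchor replaces it with a maintained key file, so rpm -V must not check it`. With the digest, link, mode and ownership checks all disabled, `rpm -V` will no longer report changes to the live anchor, so integrity monitoring for that file has to come from somewhere else.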