From 5d0b31108ea13de1f7165c8c2a919c6de2189665 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 03 2021 14:20:16 +0000 Subject: import opendnssec-2.1.8-4.el9 --- diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..8939755 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/opendnssec-2.1.8.tar.gz diff --git a/.opendnssec.metadata b/.opendnssec.metadata new file mode 100644 index 0000000..88f4de0 --- /dev/null +++ b/.opendnssec.metadata @@ -0,0 +1 @@ +d425f79f1378fc78d073097c02faf2b11a7bc2d1 SOURCES/opendnssec-2.1.8.tar.gz diff --git a/SOURCES/conf.xml b/SOURCES/conf.xml new file mode 100644 index 0000000..8b42a62 --- /dev/null +++ b/SOURCES/conf.xml @@ -0,0 +1,87 @@ + + + + + + + + /usr/lib64/softhsm/libsofthsm.so + OpenDNSSEC + 1234 + + + + + + + + + + local0 + + + /etc/opendnssec/kasp.xml + /etc/opendnssec/zonelist.xml + + + + + + + ods + ods + + + /var/opendnssec/kasp.db + + + + + + + + + + ods + ods + + + /var/opendnssec/tmp + 4 + + + + + + + + + diff --git a/SOURCES/ods-enforcerd.service b/SOURCES/ods-enforcerd.service new file mode 100644 index 0000000..6a629c2 --- /dev/null +++ b/SOURCES/ods-enforcerd.service @@ -0,0 +1,16 @@ +[Unit] +Description=OpenDNSSEC Enforcer daemon +After=syslog.target network.target + +[Service] +Type=forking +User=ods +Group=ods +PIDFile=/run/opendnssec/enforcerd.pid +EnvironmentFile=-/etc/sysconfig/ods +ExecStart=/usr/sbin/ods-enforcerd $ODS_ENFORCERD_OPT +ExecStartPost=/bin/bash -c 'while [ ! -S /run/opendnssec/enforcer.sock ]; do sleep 1; echo "Waiting for socket"; done' +TimeoutStartSec=20 + +[Install] +WantedBy=multi-user.target diff --git a/SOURCES/ods-signerd.service b/SOURCES/ods-signerd.service new file mode 100644 index 0000000..49b50b5 --- /dev/null +++ b/SOURCES/ods-signerd.service @@ -0,0 +1,14 @@ +[Unit] +Description=OpenDNSSEC signer daemon +After=syslog.target network.target ods-enforcerd.service + +[Service] +Type=simple +User=ods +Group=ods +PIDFile=/run/opendnssec/signerd.pid +EnvironmentFile=-/etc/sysconfig/ods +ExecStart=/usr/sbin/ods-signerd -d $ODS_SIGNERD_OPT + +[Install] +WantedBy=multi-user.target diff --git a/SOURCES/ods.sysconfig b/SOURCES/ods.sysconfig new file mode 100644 index 0000000..1cf67f2 --- /dev/null +++ b/SOURCES/ods.sysconfig @@ -0,0 +1,2 @@ +ODS_SIGNERD_OPT="" +ODS_ENFORCERD_OPT="" diff --git a/SOURCES/opendnssec-2.1.sqlite_convert.sql b/SOURCES/opendnssec-2.1.sqlite_convert.sql new file mode 100644 index 0000000..aed4d8f --- /dev/null +++ b/SOURCES/opendnssec-2.1.sqlite_convert.sql @@ -0,0 +1,842 @@ +INSERT INTO databaseVersion VALUES (NULL, 1, 1); + +-- ~ ************ +-- ~ ** policy table +-- ~ ** +-- ~ ** +-- ~ ** +-- ~ ** +-- ~ ************ + +INSERT INTO policy +SELECT id, 1, name, description, +0, 0, 0, +0, 0, 0, 0, +86400, 0, 0, +0, 0, 0, +0, 0, 0, +0, 0, 0, +0, 0, 0, +0, 0, 0, +0, 0, 0, +0, 0, 0, +0 +FROM REMOTE.policies; + +UPDATE policy +SET signaturesResign = ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policy.id + AND REMOTE.parameters.category_id = 1 + AND REMOTE.parameters.name = 'resign'); + +UPDATE policy +SET signaturesRefresh = ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policy.id + AND REMOTE.parameters.category_id = 1 + AND REMOTE.parameters.name = 'refresh') ; + +UPDATE policy +SET signaturesJitter = ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policy.id + AND REMOTE.parameters.category_id = 1 + AND REMOTE.parameters.name = 'jitter'); + +UPDATE policy +SET signaturesInceptionOffset = ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policy.id + AND REMOTE.parameters.category_id = 1 + AND REMOTE.parameters.name = 'clockskew'); + +UPDATE policy +SET signaturesValidityDefault = ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policy.id + AND REMOTE.parameters.category_id = 1 + AND REMOTE.parameters.name = 'valdefault'); + +UPDATE policy +SET signaturesValidityDenial = ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policy.id + AND REMOTE.parameters.category_id = 1 + AND REMOTE.parameters.name = 'valdenial'); + +--MaxZoneTTL default 86400 + +-- We need the following mapping 1.4 -> 2.0 for denialType +-- 0 -> 1 +-- 3 -> 0 + +UPDATE policy +SET denialType = ( + SELECT (~value)&1 + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policy.id + AND REMOTE.parameters.category_id = 2 + AND REMOTE.parameters.name = 'version'); + +-- I'm pretty sure this is not the correct way to do it. It is aweful but +-- I can't figure it out how it would work for sqlite. +UPDATE policy +SET denialOptout = ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policy.id + AND REMOTE.parameters.category_id = 2 + AND REMOTE.parameters.name = 'optout') +WHERE null != ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policy.id + AND REMOTE.parameters.category_id = 2 + AND REMOTE.parameters.name = 'optout'); + +UPDATE policy +SET denialTtl = ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policy.id + AND REMOTE.parameters.category_id = 2 + AND REMOTE.parameters.name = 'ttl') +WHERE null != ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policy.id + AND REMOTE.parameters.category_id = 2 + AND REMOTE.parameters.name = 'ttl'); + +UPDATE policy +SET denialResalt = ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policy.id + AND REMOTE.parameters.category_id = 2 + AND REMOTE.parameters.name = 'resalt') +WHERE null != ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policy.id + AND REMOTE.parameters.category_id = 2 + AND REMOTE.parameters.name = 'resalt'); + +UPDATE policy +SET denialAlgorithm = ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policy.id + AND REMOTE.parameters.category_id = 2 + AND REMOTE.parameters.name = 'algorithm') +WHERE null != ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policy.id + AND REMOTE.parameters.category_id = 2 + AND REMOTE.parameters.name = 'algorithm'); + +UPDATE policy +SET denialIterations = ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policy.id + AND REMOTE.parameters.category_id = 2 + AND REMOTE.parameters.name = 'iterations') +WHERE null != ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policy.id + AND REMOTE.parameters.category_id = 2 + AND REMOTE.parameters.name = 'iterations'); + +UPDATE policy +SET denialSaltLength = ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policy.id + AND REMOTE.parameters.category_id = 2 + AND REMOTE.parameters.name = 'saltlength') +WHERE null != ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policy.id + AND REMOTE.parameters.category_id = 2 + AND REMOTE.parameters.name = 'saltlength'); + +-- clumsy salt update. salt is optional in 1.4 but required in 2.0 +-- sqlite is limited in what it can do in an update. I hope there is a +-- better way for this? + +UPDATE policy +SET denialSalt = ( + SELECT salt + FROM REMOTE.policies + WHERE REMOTE.policies.id = policy.id) +WHERE ( + SELECT salt + FROM REMOTE.policies + WHERE REMOTE.policies.id = policy.id) != null; + +UPDATE policy +SET denialSaltLastChange = ( + SELECT salt_stamp + FROM REMOTE.policies + WHERE REMOTE.policies.id = policy.id) +WHERE ( + SELECT salt_stamp + FROM REMOTE.policies + WHERE REMOTE.policies.id = policy.id) != null; + +UPDATE policy +SET keysTtl = ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policy.id + AND REMOTE.parameters.category_id = 5 + AND REMOTE.parameters.name = 'ttl'); + +UPDATE policy +SET keysRetireSafety = ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policy.id + AND REMOTE.parameters.category_id = 5 + AND REMOTE.parameters.name = 'retiresafety'); + +UPDATE policy +SET keysPublishSafety = ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policy.id + AND REMOTE.parameters.category_id = 5 + AND REMOTE.parameters.name = 'publishsafety'); + +UPDATE policy +SET keysShared = ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policy.id + AND REMOTE.parameters.category_id = 5 + AND REMOTE.parameters.name = 'zones_share_keys'); + +UPDATE policy +SET keysPurgeAfter = COALESCE(( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policy.id + AND REMOTE.parameters.category_id = 5 + AND REMOTE.parameters.name = 'purge'), 0); + +UPDATE policy +SET zonePropagationDelay = ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policy.id + AND REMOTE.parameters.category_id = 7 + AND REMOTE.parameters.name = 'propagationdelay'); + +UPDATE policy +SET zoneSoaTtl = ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policy.id + AND REMOTE.parameters.category_id = 7 + AND REMOTE.parameters.name = 'ttl'); + +UPDATE policy +SET zoneSoaMinimum = ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policy.id + AND REMOTE.parameters.category_id = 7 + AND REMOTE.parameters.name = 'min'); + +-- Temporary mapping table between 1.4 and 2.0 SOA serial strategy +CREATE TABLE mapping ( + soa14 INTEGER, + soa20 INTEGER +); +INSERT INTO mapping SELECT 1, 2; +INSERT INTO mapping SELECT 2, 0; +INSERT INTO mapping SELECT 3, 1; +INSERT INTO mapping SELECT 4, 3; + +UPDATE policy +SET zoneSoaSerial = ( + SELECT mapping.soa20 + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + INNER JOIN mapping + ON REMOTE.parameters_policies.value = mapping.soa14 + WHERE REMOTE.parameters_policies.policy_id = policy.id + AND REMOTE.parameters.category_id = 7 + AND REMOTE.parameters.name = 'serial'); + +DROP TABLE mapping; + +-- parentRegistrationDelay = 0 on 1.4 + +UPDATE policy +SET parentPropagationDelay = ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policy.id + AND REMOTE.parameters.category_id = 8 + AND REMOTE.parameters.name = 'propagationdelay'); + +UPDATE policy +SET parentDsTtl = ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policy.id + AND REMOTE.parameters.category_id = 8 + AND REMOTE.parameters.name = 'ttlds'); + +UPDATE policy +SET parentSoaTtl = ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policy.id + AND REMOTE.parameters.category_id = 8 + AND REMOTE.parameters.name = 'ttl'); + +UPDATE policy +SET parentSoaMinimum = ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policy.id + AND REMOTE.parameters.category_id = 8 + AND REMOTE.parameters.name = 'min'); + +-- passthrough = 0 + +-- ~ ************ +-- ~ ** policyKey table +-- ~ ** +-- ~ ** For each policy in 1.4 add two keys: KSK and ZSK +-- ~ ** +-- ~ ** +-- ~ ************ + +-- Insert each KSK +INSERT INTO policyKey +SELECT null, 1, id, + 1, 0, 0, + 0, 0, 0, + 0, 0, 4 +FROM REMOTE.policies; + +-- Insert each ZSK +INSERT INTO policyKey +SELECT null, 1, id, + 2, 0, 0, + 0, 0, 0, + 0, 0, 1 +FROM REMOTE.policies; + +UPDATE policyKey +SET algorithm = ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId + AND REMOTE.parameters.category_id = 3 + AND REMOTE.parameters.name = 'algorithm') +WHERE policyKey.role = 1; + +UPDATE policyKey +SET algorithm = ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId + AND REMOTE.parameters.category_id = 4 + AND REMOTE.parameters.name = 'algorithm') +WHERE policyKey.role = 2; + +UPDATE policyKey +SET bits = ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId + AND REMOTE.parameters.category_id = 3 + AND REMOTE.parameters.name = 'bits') +WHERE policyKey.role = 1; + +UPDATE policyKey +SET bits = ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId + AND REMOTE.parameters.category_id = 4 + AND REMOTE.parameters.name = 'bits') +WHERE policyKey.role = 2; + +UPDATE policyKey +SET lifetime = ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId + AND REMOTE.parameters.category_id = 3 + AND REMOTE.parameters.name = 'lifetime') +WHERE policyKey.role = 1; + +UPDATE policyKey +SET lifetime = ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId + AND REMOTE.parameters.category_id = 4 + AND REMOTE.parameters.name = 'lifetime') +WHERE policyKey.role = 2; + +UPDATE policyKey +SET repository = ( + SELECT REMOTE.securitymodules.name + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + INNER JOIN REMOTE.securitymodules + ON REMOTE.parameters_policies.value = REMOTE.securitymodules.id + WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId + AND REMOTE.parameters.category_id = 3 + AND REMOTE.parameters.name = 'repository') +WHERE policyKey.role = 1; + +UPDATE policyKey +SET repository = ( + SELECT REMOTE.securitymodules.name + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + INNER JOIN REMOTE.securitymodules + ON REMOTE.parameters_policies.value = REMOTE.securitymodules.id + WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId + AND REMOTE.parameters.category_id = 4 + AND REMOTE.parameters.name = 'repository') +WHERE policyKey.role = 2; + +UPDATE policyKey +SET standby = ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId + AND REMOTE.parameters.category_id = 3 + AND REMOTE.parameters.name = 'standby') +WHERE policyKey.role = 1; + +UPDATE policyKey +SET standby = ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId + AND REMOTE.parameters.category_id = 4 + AND REMOTE.parameters.name = 'standby') +WHERE policyKey.role = 2; + +UPDATE policyKey +SET manualRollover = ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId + AND REMOTE.parameters.category_id = 3 + AND REMOTE.parameters.name = 'manual_rollover') +WHERE policyKey.role = 1; + +UPDATE policyKey +SET manualRollover = ( + SELECT value + FROM REMOTE.parameters_policies + INNER JOIN REMOTE.parameters + ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id + WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId + AND REMOTE.parameters.category_id = 4 + AND REMOTE.parameters.name = 'manual_rollover') +WHERE policyKey.role = 2; + +-- rfc5011 = 0. 2.0 has no support +-- minimize already set + +-- ~ ************ +-- ~ ** hsmKey table +-- ~ ** +-- ~ ** get from keypairs and dnsseckeys +-- ~ ** +-- ~ ** +-- ~ ************ + +INSERT INTO hsmKey +SELECT DISTINCT REMOTE.keypairs.id, 1, REMOTE.keypairs.policy_id, +REMOTE.keypairs.HSMkey_id, 2, REMOTE.keypairs.size, +REMOTE.keypairs.algorithm, (~(REMOTE.dnsseckeys.keytype)&1)+1, +CASE WHEN REMOTE.keypairs.generate IS NOT NULL THEN + strftime('%s', REMOTE.keypairs.generate) + ELSE strftime("%s", "now") END, +0, +1, --only RSA supported + REMOTE.securitymodules.name, +0 --assume no backup +FROM REMOTE.keypairs +JOIN REMOTE.dnsseckeys + ON REMOTE.keypairs.id = REMOTE.dnsseckeys.keypair_id +JOIN REMOTE.securitymodules + ON REMOTE.securitymodules.id = REMOTE.keypairs.securitymodule_id; + +-- For some policies put the keys in a shared state +UPDATE hsmKey +SET state = 3 +WHERE EXISTS + (SELECT * FROM hsmKey AS h + JOIN policy ON policy.id = h.policyId + WHERE policy.keysShared AND hsmKey.id = h.id); + +-- ~ ************ +-- ~ ** zone table +-- ~ ** +-- ~ ** +-- ~ ** +-- ~ ** +-- ~ ************ + +INSERT INTO zone +SELECT zones.id, 1, zones.policy_id, + zones.name, 1, zones.signconf, 0, + 0,0,0, + 0,0,0, + zones.in_type, zones.input, + zones.out_type, zones.output, + 0,0,0 + FROM REMOTE.zones; + +-- ~ ************ +-- ~ ** keyData table +-- ~ ** +-- ~ ** +-- ~ ** +-- ~ ** +-- ~ ************ + +-- Temporary mapping table between 1.4 states and 2.0 ds_at_parent states +-- We are ignoring the fact this may set a DS state for a ZSK; We don't care +CREATE TABLE mapping ( + state INTEGER, + ds_state INTEGER +); +INSERT INTO mapping SELECT 1, 0; +INSERT INTO mapping SELECT 2, 0; +INSERT INTO mapping SELECT 3, 1; +INSERT INTO mapping SELECT 4, 3; +INSERT INTO mapping SELECT 5, 5; +INSERT INTO mapping SELECT 6, 5; +INSERT INTO mapping SELECT 7, 5; +INSERT INTO mapping SELECT 8, 5; +INSERT INTO mapping SELECT 9, 5; +INSERT INTO mapping SELECT 10, 5; + +INSERT INTO keyData +SELECT + NULL, 1, REMOTE.dnsseckeys.zone_id, + REMOTE.dnsseckeys.keypair_id, REMOTE.keypairs.algorithm, + CASE WHEN REMOTE.dnsseckeys.publish IS NOT NULL THEN + strftime('%s', REMOTE.dnsseckeys.publish) + ELSE strftime("%s", "now") END, + (~REMOTE.dnsseckeys.keytype&1)+1, + REMOTE.dnsseckeys.state <= 4, -- introducing + 0, -- should revoke, not used + 0, -- standby + REMOTE.dnsseckeys.state = 4 AND REMOTE.dnsseckeys.keytype = 256, --activeZSK: + REMOTE.dnsseckeys.state >= 2 AND REMOTE.dnsseckeys.state <= 5, --publish + REMOTE.dnsseckeys.state = 4 AND REMOTE.dnsseckeys.keytype = 257, --activeKSK: + mapping.ds_state, --dsatparent + 1<<16, --keytag (crap, will 2.0 regenerate this?) + (REMOTE.dnsseckeys.keytype&1)*3+1 --minimize +FROM REMOTE.dnsseckeys +JOIN REMOTE.keypairs + ON REMOTE.dnsseckeys.keypair_id = REMOTE.keypairs.id +JOIN mapping + ON REMOTE.dnsseckeys.state = mapping.state +WHERE EXISTS(select REMOTE.zones.id FROM REMOTE.zones WHERE REMOTE.zones.id = REMOTE.dnsseckeys.zone_id); + +-- Everything that is just a ZSK must not have dsatparent set. +UPDATE keyData +SET dsatparent = 0 +WHERE role = 2; + +DROP TABLE mapping; + +-- If a active time is set for a ready KSK dsAtParent is submitted +-- instead of submit +UPDATE keyData +SET dsatparent = 2 +WHERE keyData.dsAtParent = 1 AND keyData.id IN ( + SELECT keyData.id + FROM keyData + JOIN REMOTE.dnsseckeys + ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid + WHERE REMOTE.dnsseckeys.active IS NOT NULL); + + +-- ~ ************ +-- ~ ** Keystate table +-- ~ ** +-- ~ ** +-- ~ ** +-- ~ ** +-- ~ ************ + +CREATE TABLE mapping ( + state INTEGER, + ds INTEGER, + dk INTEGER, + ks INTEGER, + rs INTEGER +); +INSERT INTO mapping SELECT 1, 0, 0, 0, 0; +INSERT INTO mapping SELECT 2, 0, 1, 1, 1; +INSERT INTO mapping SELECT 3, 0, 2, 2, 1; +INSERT INTO mapping SELECT 4, 2, 2, 2, 1; +INSERT INTO mapping SELECT 5, 3, 2, 2, 3; +INSERT INTO mapping SELECT 6, 0, 3, 3, 0; +INSERT INTO mapping SELECT 7, 3, 0, 0, 0; +INSERT INTO mapping SELECT 8, 3, 0, 0, 0; +INSERT INTO mapping SELECT 9, 3, 0, 0, 0; +INSERT INTO mapping SELECT 10, 3, 0, 0, 0; + +-- DS RECORDS +INSERT INTO keyState +SELECT NULL, 1, keyData.id, 0, mapping.ds, strftime("%s", "now"), (keyData.minimize>>2)&1, policy.parentDsTtl +FROM keyData +JOIN zone + ON zone.id = keyData.zoneId +JOIN policy + ON policy.id = zone.policyId +JOIN REMOTE.dnsseckeys + ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid +JOIN mapping + ON mapping.state = REMOTE.dnsseckeys.state; + +UPDATE keyState +SET state = 1 +WHERE keyState.state = 0 AND keyState.type = 0 AND keyState.id IN ( + SELECT keyState.id + FROM keyState + JOIN keyData + ON keyData.id = keyState.keydataId + JOIN REMOTE.dnsseckeys + ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid + WHERE REMOTE.dnsseckeys.active IS NOT NULL); + +-- DNSKEY RECORDS +INSERT INTO keyState +SELECT NULL, 1, keyData.id, 2, mapping.dk, strftime("%s", "now"), (keyData.minimize>>1)&1, policy.keysTtl +FROM keyData +JOIN zone + ON zone.id = keyData.zoneId +JOIN policy + ON policy.id = zone.policyId +JOIN REMOTE.dnsseckeys + ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid +JOIN mapping + ON mapping.state = REMOTE.dnsseckeys.state; + +-- RRSIG DNSKEY RECORDS +INSERT INTO keyState +SELECT NULL, 1, keyData.id, 3, mapping.ks, strftime("%s", "now"), (keyData.minimize>>1)&1, policy.keysTtl +FROM keyData +JOIN zone + ON zone.id = keyData.zoneId +JOIN policy + ON policy.id = zone.policyId +JOIN REMOTE.dnsseckeys + ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid +JOIN mapping + ON mapping.state = REMOTE.dnsseckeys.state; + +-- RRSIG RECORDS +INSERT INTO keyState +SELECT NULL, 1, keyData.id, 1, mapping.rs, strftime("%s", "now"), (keyData.minimize>>0)&1, policy.signaturesMaxZoneTtl +FROM keyData +JOIN zone + ON zone.id = keyData.zoneId +JOIN policy + ON policy.id = zone.policyId +JOIN REMOTE.dnsseckeys + ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid +JOIN mapping + ON mapping.state = REMOTE.dnsseckeys.state; + +--Set to OMN if Tactive + Dttl < Tnow +UPDATE keyState +SET state = 2 +WHERE keyState.state = 1 AND keyState.type = 1 AND keyState.id IN ( + SELECT keyState.id + FROM keyState + JOIN keyData + ON keyData.id = keyState.keydataId + JOIN REMOTE.dnsseckeys + ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid + JOIN zone + ON keyData.zoneId = zone.id + JOIN policy + ON policy.id = zone.policyId + WHERE CAST(strftime("%s", REMOTE.dnsseckeys.active) + policy.signaturesValidityDefault as INTEGER) < strftime("%s", "now")); + +--Force the RRSIG state in omnipresent if rumoured and there is no old ZSK +-- unretentive +UPDATE keyState +SET state = 2 +WHERE keyState.id IN ( +SELECT rs.id FROM keyState AS rs +JOIN keystate AS dk ON dk.keyDataId == rs.keyDataId +WHERE rs.type == 1 AND dk.type == 2 AND rs.state == 1 AND dk.state == 2 +AND NOT EXISTS( + SELECT* FROM keystate AS rs2 + JOIN keystate AS dk2 ON dk2.keyDataId == rs2.keyDataId + WHERE rs2.type == 1 AND dk2.type == 2 AND rs2.state == 3 AND dk2.state == 2 +)); + +DROP TABLE mapping; + +-- We need to create records in the keydependency table in case we are in a +-- rollover. Only done for ZSK. For every introducing ZSK with RRSIG rumoured +-- that has an outroducing ZSK with RRSIG unretentive, we add a record. +INSERT INTO keyDependency +SELECT NULL, 0, keyData.zoneID, SUB.IDout, keyData.id, 1 +FROM keyData +JOIN keyState AS KS1 + ON KS1.keyDataId == keyData.id +JOIN keyState AS KS2 + ON KS2.keyDataId == keyData.id +JOIN ( + SELECT keyData.id AS IDout, keyData.zoneID + FROM keyData + JOIN keyState AS KS1 + ON KS1.keyDataId == keyData.id + JOIN keyState AS KS2 + ON KS2.keyDataId == keyData.id + WHERE KS1.type == 2 + AND ks1.state = 2 + AND KS2.type == 1 + AND KS2.state == 3 + AND keyData.introducing == 0 + AND keyData.role == 2 +) AS SUB + ON SUB.zoneId == keyData.zoneId +WHERE + KS1.type == 2 + AND ks1.state = 2 + AND KS2.type == 1 + AND KS2.state == 1 + AND keyData.introducing == 1 + AND keyData.role == 2; + +-- ZSK +UPDATE keyState +SET state = 4 +WHERE (keyState.type = 0 OR keyState.type = 3) AND keyDataId IN ( + SELECT keyData.id + FROM keyData + WHERE keyData.role = 2); + +--KSK +UPDATE keyState +SET state = 4 +WHERE keyState.type = 1 AND keyDataId IN ( + SELECT keyData.id + FROM keyData + WHERE keyData.role = 1); + +-- For rpm based systems to see if db was migrated already. store opendnssec major minor version +CREATE TABLE rpm_migration ( + major INTEGER, + minor INTEGER +); +INSERT INTO rpm_migration VALUES(2, 1); + diff --git a/SOURCES/opendnssec-2.1.sqlite_rpmversion.sql b/SOURCES/opendnssec-2.1.sqlite_rpmversion.sql new file mode 100644 index 0000000..4107157 --- /dev/null +++ b/SOURCES/opendnssec-2.1.sqlite_rpmversion.sql @@ -0,0 +1,7 @@ +-- For rpm based systems to see if db was migrated already. store opendnssec major minor version +CREATE TABLE rpm_migration ( + major INTEGER, + minor INTEGER +); +INSERT INTO rpm_migration VALUES(2, 1); + diff --git a/SOURCES/opendnssec.cron b/SOURCES/opendnssec.cron new file mode 100644 index 0000000..776de9b --- /dev/null +++ b/SOURCES/opendnssec.cron @@ -0,0 +1,4 @@ +# Ensure multiple ods-enforcerd's on different system roll at the same time +# independant of when the daemon was started. Since TLDs often update their +# zone "on the hour" we do the key rollover checks just before the hour. +50,20 * * * * root test -f /var/lock/subsys/ods-enforcerd && kill -s SIGHUP `cat /var/run/opendnssec/enforcerd.pid` > /dev/null 2> /dev/null diff --git a/SOURCES/tmpfiles-opendnssec.conf b/SOURCES/tmpfiles-opendnssec.conf new file mode 100644 index 0000000..56795e1 --- /dev/null +++ b/SOURCES/tmpfiles-opendnssec.conf @@ -0,0 +1 @@ +D /run/opendnssec 0755 ods ods - diff --git a/SPECS/opendnssec.spec b/SPECS/opendnssec.spec new file mode 100644 index 0000000..1869534 --- /dev/null +++ b/SPECS/opendnssec.spec @@ -0,0 +1,419 @@ +#global prever rcX +%global _hardened_build 1 + +Summary: DNSSEC key and zone management software +Name: opendnssec +Version: 2.1.8 +Release: 4%{?dist} +License: BSD +Url: http://www.opendnssec.org/ +Source0: http://www.opendnssec.org/files/source/%{?prever:testing/}%{name}-%{version}%{?prever}.tar.gz +Source1: ods-enforcerd.service +Source2: ods-signerd.service +Source3: ods.sysconfig +Source4: conf.xml +Source5: tmpfiles-opendnssec.conf +Source6: opendnssec.cron +Source7: opendnssec-2.1.sqlite_convert.sql +Source8: opendnssec-2.1.sqlite_rpmversion.sql + +Requires: opencryptoki, softhsm >= 2.5.0 , systemd-units +Requires: libxml2, libxslt sqlite +BuildRequires: make +BuildRequires: gcc +BuildRequires: ldns-devel >= 1.6.12, sqlite-devel >= 3.0.0, openssl-devel +BuildRequires: libxml2-devel CUnit-devel, doxygen +# It tests for pkill/killall and would use /bin/false if not found +BuildRequires: procps-ng +BuildRequires: perl-interpreter +BuildRequires: libmicrohttpd-devel jansson-devel libyaml-devel + +BuildRequires: systemd-units +Requires(pre): shadow-utils +Requires(post): systemd-units +Requires(preun): systemd-units +Requires(postun): systemd-units +%if 0%{?prever:1} +# For building development snapshots +Buildrequires: autoconf, automake, libtool, java +%endif + +%description +OpenDNSSEC was created as an open-source turn-key solution for DNSSEC. +It secures zone data just before it is published in an authoritative +name server. It requires a PKCS#11 crypto module library, such as softhsm + +%prep +%setup -q -n %{name}-%{version}%{?prever} +# bump default policy ZSK keysize to 2048 +sed -i "s/1024/2048/" conf/kasp.xml.in + +%build +export LDFLAGS="-Wl,-z,relro,-z,now -pie -specs=/usr/lib/rpm/redhat/redhat-hardened-ld" +export CFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wextra -Wformat -Wformat-nonliteral -Wformat-security" +export CXXFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wformat-nonliteral -Wformat-security" +%if 0%{?prever:1} +# for development snapshots +sh ./autogen.sh +%endif +%configure --with-ldns=%{_libdir} +%make_build + +%check +# Requires sample db not shipped with upstream +# make check + +%install +rm -rf %{buildroot} +%make_install +mkdir -p %{buildroot}%{_localstatedir}/opendnssec/{tmp,signed,signconf,enforcer} +install -d -m 0755 %{buildroot}%{_initrddir} %{buildroot}%{_sysconfdir}/cron.d/ +install -m 0644 %{SOURCE6} %{buildroot}/%{_sysconfdir}/cron.d/opendnssec +rm -f %{buildroot}/%{_sysconfdir}/opendnssec/*.sample +install -d -m 0755 %{buildroot}/%{_sysconfdir}/sysconfig +install -d -m 0755 %{buildroot}%{_unitdir} +install -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/ +install -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/ +install -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/sysconfig/ods +install -m 0644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/opendnssec/ +mkdir -p %{buildroot}%{_tmpfilesdir}/ +install -m 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/opendnssec.conf +mkdir -p %{buildroot}%{_localstatedir}/run/opendnssec +mkdir -p %{buildroot}%{_datadir}/opendnssec/ +cp -a enforcer/utils %{buildroot}%{_datadir}/opendnssec/migration +cp -a enforcer/src/db/schema.* %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/ +# fixup path for mysql/sqlite. Use our replacement sqlite_convert.sql to detect previous migration +cp -a %{SOURCE7} %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/sqlite_convert.sql +cp -a %{SOURCE8} %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/rpmversion.sql +sed -i "s:^SCHEMA=.*schema:SCHEMA=%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/schema:" %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_sqlite +sed -i "s:find_problematic_zones.sql:%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/find_problematic_zones.sql:g" %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_sqlite +sed -i "s:^SCHEMA=.*schema:SCHEMA=%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/schema:" %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_mysql +sed -i "s:find_problematic_zones.sql:%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/find_problematic_zones.sql:g" %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_mysql +sed -i "s:sqlite_convert.sql:%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/sqlite_convert.sql:g" %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_sqlite + + +%files +%{_unitdir}/ods-enforcerd.service +%{_unitdir}/ods-signerd.service +%config(noreplace) %{_tmpfilesdir}/opendnssec.conf +%attr(0770,root,ods) %dir %{_sysconfdir}/opendnssec +%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec +%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/tmp +%attr(0775,root,ods) %dir %{_localstatedir}/opendnssec/signed +%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/signconf +%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/enforcer +%attr(0660,root,ods) %config(noreplace) %{_sysconfdir}/opendnssec/*.xml +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/ods +%attr(0770,root,ods) %dir %{_localstatedir}/run/opendnssec +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/cron.d/opendnssec +%doc NEWS README.md +%license LICENSE +%{_mandir}/*/* +%{_sbindir}/* +%{_bindir}/* +%attr(0755,root,root) %dir %{_datadir}/opendnssec +%{_datadir}/opendnssec/* + +%pre +getent group ods >/dev/null || groupadd -r ods +getent passwd ods >/dev/null || \ +useradd -r -g ods -d /etc/opendnssec -s /sbin/nologin \ +-c "opendnssec daemon account" ods +exit 0 + +%post +# Initialise a slot on the softhsm on first install +if [ "$1" -eq 1 ]; then + %{_sbindir}/runuser -u ods -- %{_bindir}/softhsm2-util --init-token \ + --free --label "OpenDNSSEC" --pin 1234 --so-pin 1234 + if [ ! -s %{_localstatedir}/opendnssec/kasp.db ]; then + echo y | %{_sbindir}/ods-enforcer-db-setup + %{_bindir}/sqlite3 -batch %{_localstatedir}/opendnssec/kasp.db < %{_datadir}/opendnssec/migration/1.4-2.0_db_convert/rpmversion.sql + fi + +elif [ -z "$(%{_bindir}/sqlite3 %{_localstatedir}/opendnssec/kasp.db 'select * from rpm_migration;')" ]; then + # Migrate version 1.4 db to version 2.1 db + if [ -e %{_localstatedir}/opendnssec/rpm-migration-in-progress ]; then + echo "previous (partial?) migration found - human intervention is needed" + else + echo "opendnssec 1.4 database found, migrating to 2.x" + touch %{_localstatedir}/opendnssec/rpm-migration-in-progress + mv -n %{_localstatedir}/opendnssec/kasp.db %{_localstatedir}/opendnssec/kasp.db-1.4 + echo "migrating conf.xml from 1.4 to 2.1 schema" + cp -n %{_sysconfdir}/opendnssec/conf.xml %{_sysconfdir}/opendnssec/conf.xml-1.4 + # fixup incompatibilities inflicted upon us by upstream :( + sed -i "/.*Interval>/d" %{_sysconfdir}/opendnssec/conf.xml + echo "Converting kasp.db" + ERR="" + %{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_sqlite -i %{_localstatedir}/opendnssec/kasp.db-1.4 -o %{_localstatedir}/opendnssec/kasp.db || ERR="convert_sqlite error" + chown ods.ods %{_localstatedir}/opendnssec/kasp.db + cp -n %{_sysconfdir}/opendnssec/zonelist.xml %{_localstatedir}/opendnssec/enforcer/zones.xml + if [ -z "$ERR" ]; then + echo "calling ods-migrate" + ods-migrate || ERR="ods-migrate failed" + if [ -z "$ERR" ]; then + echo "opendnssec 1.4 to 2.x migration completed" + rm %{_localstatedir}/opendnssec/rpm-migration-in-progress + else + echo "ods-migrate process failed - human intervention is needed" + fi + else + echo "%{_localstatedir}/opendnssec/kasp.db conversion failed - not calling ods-migrate to complete migration. human intervention is needed" + fi + fi +fi + +# in case we update any xml conf file +ods-enforcer update all >/dev/null 2>/dev/null ||: + +%systemd_post ods-enforcerd.service +%systemd_post ods-signerd.service + +%preun +%systemd_preun ods-enforcerd.service +%systemd_preun ods-signerd.service + +%postun +%systemd_postun_with_restart ods-enforcerd.service +%systemd_postun_with_restart ods-signerd.service + +%changelog +* Mon Aug 09 2021 Mohan Boddu - 2.1.8-4 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Wed Jun 16 2021 Mohan Boddu - 2.1.8-3 +- Rebuilt for RHEL 9 BETA for openssl 3.0 + Related: rhbz#1971065 + +* Fri Apr 16 2021 Mohan Boddu - 2.1.8-2 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 + +* Sat Feb 20 2021 Fedora Release Monitoring - 2.1.8-1 +- Update to 2.1.8 (#1931143) + +* Tue Jan 26 2021 Fedora Release Engineering - 2.1.7-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Sat Dec 19 10:13:50 PST 2020 awilliam@redhat.com - 2.1.7-3 +- Rebuild for libldns soname bump + +* Tue Dec 8 21:09:23 EST 2020 Paul Wouters - 2.1.7-2 +- Resolves rhbz#1826233 ods-enforcerd.service should wait until socket is ready + +* Fri Dec 04 2020 Alexander Bokovoy - 2.1.7-1 +- Upstream release 2.1.7 + +* Tue Jul 28 2020 Fedora Release Engineering - 2.1.6-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jul 14 2020 Tom Stellard - 2.1.6-7 +- Use make macros +- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro + +* Thu May 28 2020 Paul Wouters - 2.1.6-6 +- Resolves: rhbz#1833718 ods-signerd.service missing .service + +* Mon Apr 20 2020 Paul Wouters - 2.1.6-5 +- Resolves: rhbz#1825812 AVC avc: denied { dac_override } for comm="ods-enforcerd + +* Wed Mar 11 2020 Paul Wouters - 2.1.6-4 +- Fix migration check to not attempt to check on first install with no db + +* Tue Mar 03 2020 Alexander Bokovoy - 2.1.6-3 +- Create and manage /var/opendnssec/enforcer directory +- Resolves rhbz#1809492 + +* Wed Feb 19 2020 Paul Wouters - 2.1.6-2 +- Update to 2.1.6 (major upgrade, supports migration from 1.4.x) +- gcc10 compile fixups +- Fix trying to use unversioned libsqlite3.so file + +* Wed Jan 29 2020 Fedora Release Engineering - 1.4.14-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Thu Jul 25 2019 Fedora Release Engineering - 1.4.14-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Fri Feb 01 2019 Fedora Release Engineering - 1.4.14-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Jul 13 2018 Fedora Release Engineering - 1.4.14-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Thu Feb 08 2018 Fedora Release Engineering - 1.4.14-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Tue Dec 12 2017 Paul Wouters - 1.4.14-1 +- Update to 1.4.14 as first steop to migrating to 2.x +- Resolves: rhbz#1413254 Move tmpfiles.d config to %%{_tmpfilesdir}, install LICENSE as %%license + +* Thu Aug 03 2017 Fedora Release Engineering - 1.4.9-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 1.4.9-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Wed Mar 08 2017 Tomas Hozza - 1.4.9-5 +- Fix FTBFS (#1424019) in order to rebuild against new ldns + +* Sat Feb 11 2017 Fedora Release Engineering - 1.4.9-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Thu Feb 18 2016 Paul Wouters - 1.4.9-3 +- Resolves: rbz#1303965 upgrade to opendnssec-1.4.9-1.fc23 breaks old installations +- On initial install, after token init, also run ods-ksmutil setup + +* Thu Feb 04 2016 Fedora Release Engineering - 1.4.9-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Mon Feb 01 2016 Paul Wouters - 1.4.9-1 +- Updated to 1.4.9 +- Removed merged in patch + +* Wed Jun 17 2015 Fedora Release Engineering - 1.4.7-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Tue Jun 09 2015 Paul Wouters - 1.4.7-2 +- Resolves rhbz#1219746 ods-signerd.service misplaced After= in section Service +- Resolves rhbz#1220443 OpenDNSSEC fails to initialise a slot in softhsm on first install + +* Tue Dec 09 2014 Paul Wouters - 1.4.7-1 +- Updated to 1.4.7 (fix zone update can get stuck, crash on retransfer cmd) + +* Wed Oct 15 2014 Paul Wouters - 1.4.6-4 +- Change /etc/opendnssec to be ods group writable + +* Wed Oct 08 2014 Paul Wouters - 1.4.6-3 +- Added Petr Spacek's patch that adds the config option (rhbz#1123354) + +* Sun Aug 17 2014 Fedora Release Engineering - 1.4.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Mon Jul 28 2014 Paul Wouters - 1.4.6-1 +- Updated to 1.4.6 +- Removed incorporated patch upstream +- Remove Wants= from ods-signerd.service (rhbz#1098205) + +* Sat Jun 07 2014 Fedora Release Engineering - 1.4.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Fri Apr 18 2014 Paul Wouters - 1.4.5-2 +- Updated to 1.4.5 +- Added patch for serial 0 bug in XFR adapter + +* Tue Apr 01 2014 Paul Wouters - 1.4.4-3 +- Add buildrequires for ods-kasp2html (rhbz#1073313) + +* Sat Mar 29 2014 Paul Wouters - 1.4.4-2 +- Add requires for ods-kasp2html (rhbz#1073313) + +* Thu Mar 27 2014 Paul Wouters - 1.4.4-1 +- Updated to 1.4.4 (compatibility with non RFC 5155 errata 3441) +- Change the default ZSK policy from 1024 to 2048 bit RSA keys +- Fix post to be quiet when upgrading opendnssec + +* Thu Jan 09 2014 Paul Wouters - 1.4.3-1 +- Updated to 1.4.3 (rhel#1048449) - minor bugfixes, minor feature enhancements +- rhel#1025985 OpenDNSSEC signer cannot be started due to a typo in service file + +* Wed Sep 11 2013 Paul Wouters - 1.4.2-1 +- Updated to 1.4.2, bugfix release + +* Sat Aug 03 2013 Fedora Release Engineering - 1.4.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Fri Jun 28 2013 Paul Wouters - 1.4.1-1 +- Updated to 1.4.1. NSEC3 handling and serial number handling fixes +- Add BuildRequire for systemd-units + +* Sat May 11 2013 Paul Wouters - 1.4.0-1 +- Updated to 1.4.0 + +* Fri Apr 12 2013 Paul Wouters - 1.4.20-0.8.rc3 +- Updated to 1.4.0rc3 +- Enabled hardened compile, full relzo/pie + +* Fri Jan 25 2013 Patrick Uiterwijk - 1.4.0-0.7.rc2 +- Updated to 1.4.0rc2, which includes svn r6952 + +* Fri Jan 18 2013 Patrick Uiterwijk - 1.4.0-0.6.rc1 +- Updated to 1.4.0rc1 +- Applied opendnssec-ksk-premature-retirement.patch (svn r6952) + +* Tue Dec 18 2012 Paul Wouters - 1.4.0-0.5.b2 +- Updated to 1.4.0b2 +- All patches have been merged upstream +- cron job should be marked as config file + +* Tue Oct 30 2012 Paul Wouters - 1.4.0-0.4.b1 +- Added BuildRequires: procps-ng for bug OPENDNSSEC-345 +- Change RRSIG inception offset to -2h to avoid possible + daylight saving issues on resolvers +- Patch to prevent removal of occluded data + +* Wed Sep 26 2012 Paul Wouters - 1.4.0-0.3.b1 +- Just an EVR fix to the proper standard +- Cleanup of spec file +- Introduce new systemd-rpm macros (rhbz#850242) + +* Wed Sep 12 2012 Paul Wouters - 1.4.0-0.b1.1 +- Updated to 1.4.0b1 +- Patch for NSEC3PARAM TTL +- Cron job to assist narrowing ods-enforcerd timing differences + +* Wed Aug 29 2012 Paul Wouters - 1.4.0-0.a3.1 +- Updated to 1.4.0a3 +- Patch to more aggressively try to resign +- Patch to fix locking issue eating up cpu + +* Fri Jul 20 2012 Fedora Release Engineering - 1.4.0-0.a2.2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Tue Jun 12 2012 Paul Wouters - 1.4.0-0.a2.1 +- Updated to 1.4.0a2 +- ksm-utils patch for ods-ksmutil to die sooner when it can't lock + the HSM. + +* Wed May 16 2012 Paul Wouters - 1.4.0-0.a1.3 +- Patch for crasher with deleted RRsets and NSEC3/OPTOUT chains + +* Mon Mar 26 2012 Paul Wouters - 1.4.0-0.a1.2 +- Added opendnssec LICENSE file from trunk (Thanks Jakob!) + +* Mon Mar 26 2012 Paul Wouters - 1.4.0-0.a1.1 +- Fix macros in comment +- Added missing -m to install target + +* Sun Mar 25 2012 Paul Wouters - 1.4.0-0.a1 +- The 1.4.x branch no longer needs ruby, as the auditor has been removed +- Added missing openssl-devel BuildRequire +- Comment out so keys generated by ods can be used by bind + +* Fri Feb 24 2012 Paul Wouters - 1.3.6-3 +- Requires rubygem-soap4r when using ruby-1.9 +- Don't ghost /var/run/opendnssec +- Converted initd to systemd + +* Thu Nov 24 2011 root - 1.3.2-6 +- Added rubygem-dnsruby requires as rpm does not pick it up automatically + +* Tue Nov 22 2011 root - 1.3.2-5 +- Added /var/opendnssec/signconf/ /as this temp dir is needed + +* Mon Nov 21 2011 Paul Wouters - 1.3.2-4 +- Added /var/opendnssec/signed/ as this is the default output dir + +* Sun Nov 20 2011 Paul Wouters - 1.3.2-3 +- Add ods user for opendnssec tasks +- Added initscripts and services for ods-signerd and ods-enforcerd +- Initialise OpenDNSSEC softhsm token on first install + +* Wed Oct 05 2011 Paul Wouters - 1.3.2-1 +- Updated to 1.3.2 +- Added dependancies on opencryptoki and softhsm +- Don't install duplicate unreadable .sample files +- Fix upstream conf.xml to point to actually used library paths + +* Thu Mar 3 2011 Paul Wouters - 1.2.0-1 +- Initial package for Fedora