%global _hardened_build 1
# comment out this define using #%% if it is not a pre-release version
# %% define PRERELEASE rc3
Name: knot-resolver
Version: 1.3.1
Release: %{?PRERELEASE}%{?PRERELEASE:.}1%{?dist}.1
Summary: Caching full DNS Resolver
License: GPLv3
URL: https://www.knot-resolver.cz/
Source0: https://secure.nic.cz/files/%{name}/%{name}-%{version}%{?PRERELEASE:-}%{?PRERELEASE}.tar.xz
Source1: https://secure.nic.cz/files/%{name}/%{name}-%{version}%{?PRERELEASE:-}%{?PRERELEASE}.tar.xz.asc
# LuaJIT only on these arches
ExclusiveArch: %{arm} aarch64 %{ix86} x86_64
Source2: config
Source3: root.keys
Source100: kresd.service
Source101: kresd.socket
Source102: kresd-control.socket
Source103: kresd-tls.socket
Source104: kresd.tmpfiles
BuildRequires: pkgconfig(libknot) >= 2.3.1
BuildRequires: pkgconfig(libzscanner) >= 2.3.1
BuildRequires: pkgconfig(libdnssec) >= 2.3.1
BuildRequires: pkgconfig(libuv)
BuildRequires: pkgconfig(luajit) >= 2.0
BuildRequires: pkgconfig(libedit)
BuildRequires: pkgconfig(libmemcached) >= 1.0
BuildRequires: pkgconfig(hiredis)
BuildRequires: pkgconfig(libsystemd)
BuildRequires: pkgconfig(cmocka)
BuildRequires: systemd
# FIXME: documentation fails to build on Fedora 25
# https://bugzilla.redhat.com/show_bug.cgi?id=1333391
#BuildRequires: doxygen
#BuildRequires: breathe
#BuildRequires: python-sphinx
#BuildRequires: python-sphinx_rtd_theme
# Lua 5.1 version of the libraries have different package names
%if 0%{?rhel}
Requires: lua-socket
Requires: lua-sec
%else
Requires: lua-socket-compat
Requires: lua-sec-compat
%endif
Requires(pre): shadow-utils
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
%description
The Knot DNS Resolver is a caching full resolver implementation written in C
and LuaJIT, including both a resolver library and a daemon. Modular
architecture of the library keeps the core tiny and efficient, and provides
a state-machine like API for extensions.
The package is pre-configured as local caching resolver.
To start using it, just start the local DNS socket:
# systemctl start kresd.socket
BEWARE:
Because of https://bugzilla.redhat.com/show_bug.cgi?id=1366968
you need to switch your system to SELinux permissive mode.
%package devel
Summary: Development headers for Knot DNS Resolver
Requires: %{name}%{?_isa} = %{version}-%{release}
%description devel
The package contains development headers for Knot DNS Resolver.
%prep
%setup -q -n %{name}-%{version}%{?PRERELEASE:-}%{?PRERELEASE}
rm -v scripts/bootstrap-depends.sh
%build
%global build_paths PREFIX=%{_prefix} BINDIR=%{_bindir} LIBDIR=%{_libdir} INCLUDEDIR=%{_includedir} ETCDIR=%{_sysconfdir}/kresd
%global build_flags V=1 CFLAGS="%{optflags}" LDFLAGS="%{__global_ldflags}" %{build_paths} HAS_go=no
%make_build %{build_flags}
%install
%make_install %{build_flags}
# move sample configuration files to documentation
install -m 0755 -d %{buildroot}%{_pkgdocdir}
mv %{buildroot}%{_sysconfdir}/kresd/config.* %{buildroot}%{_pkgdocdir}
chmod 0644 %{buildroot}%{_pkgdocdir}/config.*
rm -vr %{buildroot}%{_sysconfdir}/kresd
# install configuration files
mkdir -p %{buildroot}%{_sysconfdir}
install -m 0755 -d %{buildroot}%{_sysconfdir}/kresd
install -m 0644 -p %SOURCE2 %{buildroot}%{_sysconfdir}/kresd/config
install -m 0664 -p %SOURCE3 %{buildroot}%{_sysconfdir}/kresd/root.keys
# install systemd units
mkdir -p %{buildroot}%{_unitdir}
install -m 0644 -p %SOURCE100 %{buildroot}%{_unitdir}/kresd.service
install -m 0644 -p %SOURCE101 %{buildroot}%{_unitdir}/kresd.socket
install -m 0644 -p %SOURCE102 %{buildroot}%{_unitdir}/kresd-control.socket
install -m 0644 -p %SOURCE103 %{buildroot}%{_unitdir}/kresd-tls.socket
# install tmpfiles.d
mkdir -p %{buildroot}%{_tmpfilesdir}
install -m 0644 -p %SOURCE104 %{buildroot}%{_tmpfilesdir}/kresd.conf
mkdir -p %{buildroot}%{_rundir}
install -m 0750 -d %{buildroot}%{_rundir}/kresd
# remove module with unsatisfied dependencies
rm -r %{buildroot}%{_libdir}/kdns_modules/{http,http.lua}
%check
LD_PRELOAD=lib/libkres.so make check %{build_flags} LDFLAGS="%{__global_ldflags} -ldl"
%pre
getent group kresd >/dev/null || groupadd -r kresd
getent passwd kresd >/dev/null || useradd -r -g kresd -d %{_sysconfdir}/kresd -s /sbin/nologin -c "Knot DNS Resolver" kresd
exit 0
%post
%systemd_post kresd.service
/sbin/ldconfig
%preun
%systemd_preun kresd.service
%postun
%systemd_postun_with_restart kresd.service
/sbin/ldconfig
%files
%license COPYING
%doc %{_pkgdocdir}
%attr(775,root,kresd) %dir %{_sysconfdir}/kresd
%attr(644,root,kresd) %config(noreplace) %{_sysconfdir}/kresd/config
%attr(664,root,kresd) %config(noreplace) %{_sysconfdir}/kresd/root.keys
%attr(750,kresd,kresd) %dir %{_rundir}/kresd
%{_unitdir}/kresd.service
%{_unitdir}/kresd*.socket
%{_tmpfilesdir}/kresd.conf
%{_sbindir}/kresd
%{_sbindir}/kresc
%{_libdir}/libkres.so.*
%{_libdir}/kdns_modules
%{_mandir}/man8/kresd.*
%files devel
%{_includedir}/libkres
%{_libdir}/pkgconfig/libkres.pc
%{_libdir}/libkres.so
%changelog
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.1-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Tue Jul 11 2017 Petr Spacek <petr.spacek@nic.cz> - 1.3.1-2
- build experimental command line interface "kresc"
* Tue Jul 11 2017 Petr Spacek <petr.spacek@nic.cz> - 1.3.1-1
New upstream release:
Knot Resolver 1.3.1 (2017-06-23)
================================
Bugfixes
--------
- modules/http: fix finding the static files (bug from 1.3.0)
- policy.FORWARD: fix some cases of CNAMEs obstructing search for zone cuts
Knot Resolver 1.3.0 (2017-06-13)
================================
Security
--------
- Refactor handling of AD flag and security status of resource records.
In some cases it was possible for secure domains to get cached as
insecure, even for a TLD, leading to disabled validation.
It also fixes answering with non-authoritative data about nameservers.
Improvements
------------
- major feature: support for forwarding with validation (#112).
The old policy.FORWARD action now does that; the previous non-validating
mode is still avaliable as policy.STUB except that also uses caching (#122).
- command line: specify ports via @ but still support # for compatibility
- policy: recognize 100.64.0.0/10 as local addresses
- layer/iterate: *do* retry repeatedly if REFUSED, as we can't yet easily
retry with other NSs while avoiding retrying with those who REFUSED
- modules: allow changing the directory where modules are found,
and do not search the default library path anymore.
Bugfixes
--------
- validate: fix insufficient caching for some cases (relatively rare)
- avoid putting "duplicate" record-sets into the answer (#198)
Knot Resolver 1.2.6 (2017-04-24)
================================
Security
--------
- dnssec: don't set AD flag for NODATA answers if wildcard non-existence
is not guaranteed due to opt-out in NSEC3
Improvements
------------
- layer/iterate: don't retry repeatedly if REFUSED
Bugfixes
--------
- lib/nsrep: revert some changes to NS reputation tracking that caused
severe problems to some users of 1.2.5 (#178 and #179)
- dnssec: fix verification of wildcarded non-singleton RRsets
- dnssec: allow wildcards located directly under the root
- layer/rrcache: avoid putting answer records into queries in some cases
* Thu Apr 06 2017 Petr Spacek <petr.spacek@nic.cz> - 1.2.5-1
- new upstream relase
+ security: layer/validate: clear AD if closest encloser proof has opt-outed NSEC3 (#169)
+ security: layer/validate: check if NSEC3 records in wildcard expansion proof has an opt-out
+ security: dnssec/nsec: missed wildcard no-data answers validation has been implemented
+ fix: trust anchors: Improve trust anchors storage format (#167)
+ fix: trust anchors: support non-root TAs, one domain per file
+ fix: policy.DENY: set AA flag and clear AD flag
+ fix: lib/resolve: avoid unnecessary DS queries
+ fix: lib/nsrep: don't treat servers with NOIP4 + NOIP6 flags as timeouted
+ fix: layer/iterate: During packet classification (answer vs. referral) don't analyze
AUTHORITY section in authoritative answer if ANSWER section contains records
that have been requested
+ enhancement: modules/dnstap: a DNSTAP support module (Contributed by Vicky Shrestha)
+ enhancement: modules/workarounds: a module adding workarounds for known DNS protocol violators
+ enhancement: layer/iterate: fix logging of glue addresses
+ enhancement: kr_bitcmp: allow bits=0 and consequently 0.0.0.0/0 matches in view and renumber modules.
+ enhancement: modules/padding: Improve default padding of responses (Contributed by Daniel Kahn Gillmor)
+ enhancement: New kresc client utility (experimental; don't rely on the API yet)
* Thu Mar 09 2017 Petr Spacek <petr.spacek@nic.cz> - 1.2.4-1
- new upstream release
+ security: Knot Resolver 1.2.0 and higher could return AD flag for insecure
answer if the daemon received answer with invalid RRSIG several
times in a row.
+ fix: layer/iterate: some improvements in cname chain unrolling
+ fix: layer/validate: fix duplicate records in AUTHORITY section in case
+ fix: of WC expansion proof
+ fix: lua: do *not* truncate cache size to unsigned
+ fix: forwarding mode: correctly forward +cd flag
+ fix: fix a potential memory leak
+ fix: don't treat answers that contain DS non-existance proof as insecure
+ fix: don't store NSEC3 and their signatures in the cache
+ fix: layer/iterate: when processing delegations,
check if qname is at or below new authority
+ enhancement: modules/policy: allow QTRACE policy to be chained
with other policies
+ enhancement: hints.add_hosts(path): a new property
+ enhancement: module: document the API and simplify the code
+ enhancement: policy.MIRROR: support IPv6 link-local addresses
+ enhancement: policy.FORWARD: support IPv6 link-local addresses
+ enhancement: add net.outgoing_{v4,v6} to allow specifying address
to use for connections
* Mon Feb 27 2017 Petr Spacek <petr.spacek@nic.cz> - 1.2.3-1
- new upstream release
+ security: a cached negative answer from a CD query would be reused
to construct response for non-CD queries, resulting in Insecure status
instead of Bogus.
+ fix: lua: make the map command check its arguments
+ fix: -k argument processing to avoid out-of-bounds memory accesses
+ fix: lib/resolve: fix zonecut fetching for explicit DS queries
+ fix: hints: more NULL checks
+ fix: TA bootstrapping for multiple TAs in the IANA XML file
+ fix: Disable storing GLUE records into the cache even in the
+ fix: (non-default) QUERY_PERMISSIVE mode
+ fix: iterate: skip answer RRs that don't match the query
+ fix: layer/iterate: some additional processing for referrals
+ fix: lib/resolve: zonecut fetching error was fixed
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.0-2.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Fri Jan 27 2017 Petr Spacek <petr.spacek@nic.cz> - 1.2.0-2
- rebuild against knot-2.4.0
* Fri Jan 27 2017 Petr Spacek <petr.spacek@nic.cz> - 1.2.0
- new upstream release:
+ fix: reworked DNSSEC Validation, that fixes several know problems with less standard DNS configurations
+ fix: the resolver was setting AD flag when running in a forwarding mode
+ fix: correctly return RCODE=NOTIMPL on meta-queries and non IN class queries
+ fix: crash in hints module when hints file was empty
+ fix: non-lowercase hints
+ features: optional EDNS(0) Padding support for DNS over TLS
+ features: support for debugging DNSSEC with CD bit
+ features: DNS over TLS is now able to create ephemeral certs on the runtime (Thanks Daniel Kahn Gilmore for contributing to DNS over TLS implementation in Knot Resolver.)
+ features: configurable minimum and maximum TTL (default 6 days)
+ features: configurable pseudo-random reordering of RR sets
+ features: new module 'version' that can call home and report new versions and security vulnerabilities to the log file
* Mon Jan 23 2017 Petr Spacek <petr.spacek@nic.cz> - 1.2.0-rc1
- Update to latest upstream version
- Fix packaging bug: depend on proper Lua library versions
- Allow automatic trust anchor management to work
* Sat Nov 19 2016 Peter Robinson <pbrobinson@fedoraproject.org> 1.1.1-3
- Add ExclusiveArch for architectures with LuaJIT
* Mon Aug 29 2016 Igor Gnatenko <ignatenko@redhat.com> - 1.1.1-2
- Rebuild for LuaJIT 2.1.0
* Wed Aug 24 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 1.1.1-1
- new upstream release:
+ fix name server fallback in case some of the servers are unreachable
* Fri Aug 12 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 1.1.0-1
- new upstream release:
+ RFC7873 DNS Cookies
+ RFC7858 DNS over TLS
+ Metrics exported in Prometheus
+ DNS firewall module
+ Explicit CNAME target fetching in strict mode
+ Query minimisation improvements
+ Improved integration with systemd
* Tue May 31 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 1.0.0-1
- final release
* Thu May 05 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 1.0.0-0.3.4f463d7
- update to latest git version
- re-enable unit-test
* Sat Apr 09 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 1.0.0-0.2.79a8440
- update to latest git version
- fix package review issues
* Tue Feb 02 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 1.0.0-0.1.beta3
- initial package