# Ask the distribution macros for hardened build flags (PIE / RELRO); they
# arrive through optflags and __global_ldflags, which the build section below
# passes to make explicitly.
%global _hardened_build 1

# comment out this define using #%% if it is not a pre-release version
# %% define PRERELEASE rc3
Name:           knot-resolver
Version:        1.3.1
Release:        %{?PRERELEASE}%{?PRERELEASE:.}1%{?dist}.1
Summary:        Caching full DNS Resolver

License:        GPLv3
URL:            https://www.knot-resolver.cz/
# Source1 is upstream's detached signature over Source0. Nothing in this spec
# checks it during rpmbuild, so it only records provenance; the tarball has to
# be verified against it when it is fetched, outside the build.
Source0:        https://secure.nic.cz/files/%{name}/%{name}-%{version}%{?PRERELEASE:-}%{?PRERELEASE}.tar.xz
Source1:        https://secure.nic.cz/files/%{name}/%{name}-%{version}%{?PRERELEASE:-}%{?PRERELEASE}.tar.xz.asc

# LuaJIT only on these arches
ExclusiveArch: %{arm} aarch64 %{ix86} x86_64

# Packaged daemon configuration and the root trust-anchor seed file; both are
# installed into the kresd directory under sysconfdir (see the install section).
Source2:        config
Source3:        root.keys

# systemd units and the tmpfiles.d snippet, installed verbatim.
Source100:      kresd.service
Source101:      kresd.socket
Source102:      kresd-control.socket
Source103:      kresd-tls.socket
Source104:      kresd.tmpfiles

# Minimum Knot DNS library versions this build is pinned to.
BuildRequires:  pkgconfig(libknot) >= 2.3.1
BuildRequires:  pkgconfig(libzscanner) >= 2.3.1
BuildRequires:  pkgconfig(libdnssec) >= 2.3.1
BuildRequires:  pkgconfig(libuv)
BuildRequires:  pkgconfig(luajit) >= 2.0

BuildRequires:  pkgconfig(libedit)
BuildRequires:  pkgconfig(libmemcached) >= 1.0
BuildRequires:  pkgconfig(hiredis)
BuildRequires:  pkgconfig(libsystemd)

# Unit-test framework used by the check section.
BuildRequires:  pkgconfig(cmocka)

BuildRequires:  systemd
# FIXME: documentation fails to build on Fedora 25
# https://bugzilla.redhat.com/show_bug.cgi?id=1333391
#BuildRequires: doxygen
#BuildRequires: breathe
#BuildRequires: python-sphinx
#BuildRequires: python-sphinx_rtd_theme

# Lua 5.1 version of the libraries have different package names
# NOTE(review): these are presumably needed by the Lua-side trust-anchor
# management (see the 1.2.0-rc1 changelog entry) -- confirm against upstream.
%if 0%{?rhel}
Requires:       lua-socket
Requires:       lua-sec
%else
Requires:       lua-socket-compat
Requires:       lua-sec-compat
%endif

# groupadd/useradd in the pre scriptlet come from shadow-utils; the systemd
# macros used in post/preun/postun need systemd installed at that point.
Requires(pre): shadow-utils
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd

%description
The Knot DNS Resolver is a caching full resolver implementation written in C
and LuaJIT, including both a resolver library and a daemon. The modular
architecture of the library keeps the core tiny and efficient, and provides
a state-machine-like API for extensions.

The package is pre-configured as a local caching resolver.
To start using it, just start the local DNS socket:
# systemctl start kresd.socket

BEWARE:
Because of https://bugzilla.redhat.com/show_bug.cgi?id=1366968
you need to switch your system to SELinux permissive mode.

%package devel
Summary:        Development headers for Knot DNS Resolver
# The headers and the unversioned .so symlink only match one library build,
# hence the arch-qualified, exact-version dependency on the main package.
Requires:       %{name}%{?_isa} = %{version}-%{release}

%description devel
The package contains development headers for Knot DNS Resolver.

%prep
%setup -q -n %{name}-%{version}%{?PRERELEASE:-}%{?PRERELEASE}
# Drop upstream's dependency bootstrap script so the unpacked tree carries
# nothing that fetches build inputs; every dependency comes from BuildRequires.
# (The script's purpose is inferred from its name -- confirm against upstream.)
rm -v scripts/bootstrap-depends.sh

%build
# Install layout handed to the upstream Makefile. ETCDIR is where the build
# drops its sample config files; the install section moves them to the docs.
%global build_paths PREFIX=%{_prefix} BINDIR=%{_bindir} LIBDIR=%{_libdir} INCLUDEDIR=%{_includedir} ETCDIR=%{_sysconfdir}/kresd
# V=1 prints full compiler/linker command lines, so the hardening flags from
# optflags and __global_ldflags can be audited in the build log.
# HAS_go=no presumably disables a Go-based component -- confirm upstream.
%global build_flags V=1 CFLAGS="%{optflags}" LDFLAGS="%{__global_ldflags}" %{build_paths} HAS_go=no
%make_build %{build_flags}

%install
# Same flags as the build, so install paths match what was compiled in.
%make_install %{build_flags}

# move sample configuration files to documentation
install -m 0755 -d %{buildroot}%{_pkgdocdir}
mv %{buildroot}%{_sysconfdir}/kresd/config.* %{buildroot}%{_pkgdocdir}
chmod 0644 %{buildroot}%{_pkgdocdir}/config.*
# Remove upstream's config directory entirely; only the packaged Source2 and
# Source3 files (installed below) end up as live configuration.
rm -vr %{buildroot}%{_sysconfdir}/kresd

# install configuration files
mkdir -p %{buildroot}%{_sysconfdir}
install -m 0755 -d %{buildroot}%{_sysconfdir}/kresd
# The daemon config stays read-only for the service account (0644), while
# root.keys is group-writable (0664): it is only seeded here and presumably
# rewritten by the daemon's trust-anchor management at runtime (see the
# 1.2.0-rc1 changelog entry). Modes are restated in the files section.
install -m 0644 -p %SOURCE2 %{buildroot}%{_sysconfdir}/kresd/config
install -m 0664 -p %SOURCE3 %{buildroot}%{_sysconfdir}/kresd/root.keys

# install systemd units
mkdir -p %{buildroot}%{_unitdir}
install -m 0644 -p %SOURCE100 %{buildroot}%{_unitdir}/kresd.service
install -m 0644 -p %SOURCE101 %{buildroot}%{_unitdir}/kresd.socket
install -m 0644 -p %SOURCE102 %{buildroot}%{_unitdir}/kresd-control.socket
install -m 0644 -p %SOURCE103 %{buildroot}%{_unitdir}/kresd-tls.socket

# install tmpfiles.d
mkdir -p %{buildroot}%{_tmpfilesdir}
install -m 0644 -p %SOURCE104 %{buildroot}%{_tmpfilesdir}/kresd.conf
# Runtime directory is private to the service account (0750, owner set in the
# files section). The tmpfiles.d snippet above presumably recreates it at boot
# when rundir is volatile -- confirm against Source104.
mkdir -p %{buildroot}%{_rundir}
install -m 0750 -d %{buildroot}%{_rundir}/kresd

# remove module with unsatisfied dependencies
# (the http module's C and Lua parts; its dependencies are not in BuildRequires)
rm -r %{buildroot}%{_libdir}/kdns_modules/{http,http.lua}

%check
# Run the unit tests against the library just built in lib/ (LD_PRELOAD with a
# build-tree-relative path) rather than any libkres already installed on the
# build host. The extra -ldl is presumably needed by the test binaries -- confirm.
LD_PRELOAD=lib/libkres.so make check %{build_flags} LDFLAGS="%{__global_ldflags} -ldl"

%pre
# Create the unprivileged service account the daemon runs as: a system group
# and a system user with no login shell, home set to the configuration
# directory. The getent guards keep this idempotent on upgrade.
getent group kresd >/dev/null || groupadd -r kresd
getent passwd kresd >/dev/null || useradd -r -g kresd -d %{_sysconfdir}/kresd -s /sbin/nologin -c "Knot DNS Resolver" kresd
# A non-zero exit from a pre scriptlet aborts the package install, so always
# report success here.
exit 0

%post
%systemd_post kresd.service
# The main package ships the versioned libkres shared object in libdir, so the
# loader cache has to be refreshed after install.
/sbin/ldconfig

%preun
# Stops and disables the service on full removal of the package (not on upgrade).
%systemd_preun kresd.service

%postun
# Reloads systemd and, on upgrade, restarts the running service so the new
# binary and library are picked up.
%systemd_postun_with_restart kresd.service
# Drop stale entries for the removed/replaced libkres from the loader cache.
/sbin/ldconfig

%files
%license COPYING
# Holds the sample config files moved out of the config directory at install.
%doc %{_pkgdocdir}
# The config directory is group-writable for kresd so the service account can
# create and rename files in it; the config file itself is read-only for the
# service account, while root.keys is group-writable so the daemon can
# presumably maintain trust anchors in place (see the 1.2.0-rc1 changelog
# entry). noreplace keeps local edits and daemon-written data across upgrades.
%attr(775,root,kresd) %dir %{_sysconfdir}/kresd
%attr(644,root,kresd) %config(noreplace) %{_sysconfdir}/kresd/config
%attr(664,root,kresd) %config(noreplace) %{_sysconfdir}/kresd/root.keys
# Runtime directory is owned by and private to the service account.
%attr(750,kresd,kresd) %dir %{_rundir}/kresd
%{_unitdir}/kresd.service
%{_unitdir}/kresd*.socket
%{_tmpfilesdir}/kresd.conf
%{_sbindir}/kresd
%{_sbindir}/kresc
%{_libdir}/libkres.so.*
# Module directory, minus the http module removed in the install section.
%{_libdir}/kdns_modules
%{_mandir}/man8/kresd.*

%files devel
# Headers, pkg-config metadata and the unversioned .so link for building
# against libkres.
%{_includedir}/libkres
%{_libdir}/pkgconfig/libkres.pc
%{_libdir}/libkres.so

%changelog
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.1-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

* Tue Jul 11 2017 Petr Spacek <petr.spacek@nic.cz> - 1.3.1-2
- build experimental command line interface "kresc"

* Tue Jul 11 2017 Petr Spacek <petr.spacek@nic.cz> - 1.3.1-1
New upstream release:
Knot Resolver 1.3.1 (2017-06-23)
================================

Bugfixes
--------
- modules/http: fix finding the static files (bug from 1.3.0)
- policy.FORWARD: fix some cases of CNAMEs obstructing search for zone cuts


Knot Resolver 1.3.0 (2017-06-13)
================================

Security
--------
- Refactor handling of AD flag and security status of resource records.
  In some cases it was possible for secure domains to get cached as
  insecure, even for a TLD, leading to disabled validation.
  It also fixes answering with non-authoritative data about nameservers.

Improvements
------------
- major feature: support for forwarding with validation (#112).
  The old policy.FORWARD action now does that; the previous non-validating
  mode is still available as policy.STUB except that it also uses caching (#122).
- command line: specify ports via @ but still support # for compatibility
- policy: recognize 100.64.0.0/10 as local addresses
- layer/iterate: *do* retry repeatedly if REFUSED, as we can't yet easily
  retry with other NSs while avoiding retrying with those who REFUSED
- modules: allow changing the directory where modules are found,
  and do not search the default library path anymore.

Bugfixes
--------
- validate: fix insufficient caching for some cases (relatively rare)
- avoid putting "duplicate" record-sets into the answer (#198)


Knot Resolver 1.2.6 (2017-04-24)
================================

Security
--------
- dnssec: don't set AD flag for NODATA answers if wildcard non-existence
  is not guaranteed due to opt-out in NSEC3

Improvements
------------
- layer/iterate: don't retry repeatedly if REFUSED

Bugfixes
--------
- lib/nsrep: revert some changes to NS reputation tracking that caused
  severe problems to some users of 1.2.5 (#178 and #179)
- dnssec: fix verification of wildcarded non-singleton RRsets
- dnssec: allow wildcards located directly under the root
- layer/rrcache: avoid putting answer records into queries in some cases

* Thu Apr 06 2017 Petr Spacek <petr.spacek@nic.cz> - 1.2.5-1
- new upstream release
 + security: layer/validate: clear AD if closest encloser proof has opt-outed NSEC3 (#169)
 + security: layer/validate: check if NSEC3 records in wildcard expansion proof has an opt-out
 + security: dnssec/nsec: missed wildcard no-data answers validation has been implemented
 + fix: trust anchors: Improve trust anchors storage format (#167)
 + fix: trust anchors: support non-root TAs, one domain per file
 + fix: policy.DENY: set AA flag and clear AD flag
 + fix: lib/resolve: avoid unnecessary DS queries
 + fix: lib/nsrep: don't treat servers with NOIP4 + NOIP6 flags as timed out
 + fix: layer/iterate: During packet classification (answer vs. referral) don't analyze
        AUTHORITY section in authoritative answer if ANSWER section contains records
        that have been requested
 + enhancement: modules/dnstap: a DNSTAP support module (Contributed by Vicky Shrestha)
 + enhancement: modules/workarounds: a module adding workarounds for known DNS protocol violators
 + enhancement: layer/iterate: fix logging of glue addresses
 + enhancement: kr_bitcmp: allow bits=0 and consequently 0.0.0.0/0 matches in view and renumber modules.
 + enhancement: modules/padding: Improve default padding of responses (Contributed by Daniel Kahn Gillmor)
 + enhancement: New kresc client utility (experimental; don't rely on the API yet)

* Thu Mar 09 2017 Petr Spacek <petr.spacek@nic.cz> - 1.2.4-1
- new upstream release
 + security: Knot Resolver 1.2.0 and higher could return AD flag for insecure
             answer if the daemon received answer with invalid RRSIG several
             times in a row.
 + fix: layer/iterate: some improvements in cname chain unrolling
 + fix: layer/validate: fix duplicate records in AUTHORITY section in case
 + fix: of WC expansion proof
 + fix: lua: do *not* truncate cache size to unsigned
 + fix: forwarding mode: correctly forward +cd flag
 + fix: fix a potential memory leak
 + fix: don't treat answers that contain DS non-existence proof as insecure
 + fix: don't store NSEC3 and their signatures in the cache
 + fix: layer/iterate: when processing delegations,
                       check if qname is at or below new authority
 + enhancement: modules/policy: allow QTRACE policy to be chained
                                with other policies
 + enhancement: hints.add_hosts(path): a new property
 + enhancement: module: document the API and simplify the code
 + enhancement: policy.MIRROR: support IPv6 link-local addresses
 + enhancement: policy.FORWARD: support IPv6 link-local addresses
 + enhancement: add net.outgoing_{v4,v6} to allow specifying address
                to use for connections

* Mon Feb 27 2017 Petr Spacek <petr.spacek@nic.cz> - 1.2.3-1
- new upstream release
 + security: a cached negative answer from a CD query would be reused
   to construct response for non-CD queries, resulting in Insecure status
   instead of Bogus.
 + fix: lua: make the map command check its arguments
 + fix: -k argument processing to avoid out-of-bounds memory accesses
 + fix: lib/resolve: fix zonecut fetching for explicit DS queries
 + fix: hints: more NULL checks
 + fix: TA bootstrapping for multiple TAs in the IANA XML file
 + fix: Disable storing GLUE records into the cache even in the
 + fix: (non-default) QUERY_PERMISSIVE mode
 + fix: iterate: skip answer RRs that don't match the query
 + fix: layer/iterate: some additional processing for referrals
 + fix: lib/resolve: zonecut fetching error was fixed

* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.0-2.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild

* Fri Jan 27 2017 Petr Spacek <petr.spacek@nic.cz> - 1.2.0-2
- rebuild against knot-2.4.0

* Fri Jan 27 2017 Petr Spacek <petr.spacek@nic.cz> - 1.2.0
- new upstream release:
 + fix: reworked DNSSEC Validation, that fixes several known problems with less standard DNS configurations
 + fix: the resolver was setting AD flag when running in a forwarding mode
 + fix: correctly return RCODE=NOTIMPL on meta-queries and non IN class queries
 + fix: crash in hints module when hints file was empty
 + fix: non-lowercase hints
 + features: optional EDNS(0) Padding support for DNS over TLS
 + features: support for debugging DNSSEC with CD bit
 + features: DNS over TLS is now able to create ephemeral certs on the runtime (Thanks Daniel Kahn Gillmor for contributing to DNS over TLS implementation in Knot Resolver.)
 + features: configurable minimum and maximum TTL (default 6 days)
 + features: configurable pseudo-random reordering of RR sets
 + features: new module 'version' that can call home and report new versions and security vulnerabilities to the log file

* Mon Jan 23 2017 Petr Spacek <petr.spacek@nic.cz> - 1.2.0-rc1
- Update to latest upstream version
- Fix packaging bug: depend on proper Lua library versions
- Allow automatic trust anchor management to work

* Sat Nov 19 2016 Peter Robinson <pbrobinson@fedoraproject.org> 1.1.1-3
- Add ExclusiveArch for architectures with LuaJIT

* Mon Aug 29 2016 Igor Gnatenko <ignatenko@redhat.com> - 1.1.1-2
- Rebuild for LuaJIT 2.1.0

* Wed Aug 24 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 1.1.1-1
- new upstream release:
  + fix name server fallback in case some of the servers are unreachable

* Fri Aug 12 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 1.1.0-1
- new upstream release:
  + RFC7873 DNS Cookies
  + RFC7858 DNS over TLS
  + Metrics exported in Prometheus
  + DNS firewall module
  + Explicit CNAME target fetching in strict mode
  + Query minimisation improvements 
  + Improved integration with systemd

* Tue May 31 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 1.0.0-1
- final release

* Thu May 05 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 1.0.0-0.3.4f463d7
- update to latest git version
- re-enable unit-test

* Sat Apr 09 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 1.0.0-0.2.79a8440
- update to latest git version
- fix package review issues

* Tue Feb 02 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 1.0.0-0.1.beta3
- initial package