%global _hardened_build 1

%{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}}

Summary: High-performance authoritative DNS server

Name: knot

Version: 2.3.3

Release: 1%{?dist}

License: GPLv3

Group: System Environment/Daemons

URL: http://www.knot-dns.cz

Source0: http://public.nic.cz/files/knot-dns/%{name}-%{version}.tar.xz

Source1: %{name}.service

Source2: %{name}.conf

Source3: %{name}.tmpfiles

# Required dependencies

BuildRequires: pkgconfig(liburcu) pkgconfig(gnutls) >= 3.0 pkgconfig(nettle) pkgconfig(jansson) lmdb-devel pkgconfig(libedit)

# Optional dependencies

BuildRequires: pkgconfig(libcap-ng) pkgconfig(libidn) pkgconfig(libsystemd) pkgconfig(libfstrm) pkgconfig(libprotobuf-c)

BuildRequires: systemd

Requires(post): systemd %{_sbindir}/runuser

Requires(preun): systemd

Requires(postun): systemd

Requires: %{name}-libs%{?_isa} = %{version}-%{release}

%description

Knot DNS is a high-performance authoritative DNS server implementation.

%package libs

Summary: Libraries used by the Knot DNS server and client applications

%description libs

The package contains shared libraries used by the Knot DNS server and

utilities.

%package devel

Summary: Development header files for the Knot DNS libraries

Requires: %{name}-libs%{?_isa} = %{version}-%{release}

%description devel

The package contains development header files for the Knot DNS libraries

included in knot-libs package.

%package utils

Summary: DNS client utilities shipped with the Knot DNS server

Requires: %{name}-libs%{?_isa} = %{version}-%{release}

%description utils

The package contains DNS client utilities shipped with the Knot DNS server.

%package doc

Summary: Documentation for the Knot DNS server

License: GPLv3 and BSD and MIT

BuildArch: noarch

BuildRequires: python3-sphinx

Provides: bundled(jquery)

%description doc

The package contains documentation for the Knot DNS server.

%prep

%setup -q

# make sure embedded LMDB library is not used

rm -vr src/contrib/lmdb

%build

# disable debug code (causes unused warnings)

CFLAGS="%{optflags} -DNDEBUG -Wno-unused"

%configure

make %{?_smp_mflags}

make html

%install

make install DESTDIR=%{buildroot}

# install documentation

mkdir -p %{buildroot}%{_pkgdocdir}

cp -av doc/_build/html %{buildroot}%{_pkgdocdir}

[ -r %{buildroot}%{_pkgdocdir}/html/index.html ] || exit 1

rm -f %{buildroot}%{_pkgdocdir}/html/.buildinfo

# install shell completion scripts

install -p -m 0644 -D samples/keymgr-completion.sh %{buildroot}%{_datadir}/bash-completion/completions/keymgr

install -p -m 0644 -D samples/keymgr-completion.zsh %{buildroot}%{_datadir}/zsh/site-functions/_keymgr

# install customized configuration file

rm %{buildroot}%{_sysconfdir}/%{name}/*

install -p -m 0644 -D %{SOURCE2} %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf

# install service file and create rundir

install -p -m 0644 -D %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service

install -p -m 0644 -D %{SOURCE3} %{buildroot}%{_tmpfilesdir}/%{name}.conf

install -d -m 0755 %{buildroot}%{_localstatedir}/run/%{name}

# create storage dir and key dir

mkdir -p %{buildroot}%{_sharedstatedir}

install -d -m 0775 %{buildroot}%{_sharedstatedir}/%{name}

install -d -m 0770 %{buildroot}%{_sharedstatedir}/%{name}/keys

# install config samples into docdir

install -d -m 0755 %{buildroot}%{_pkgdocdir}/samples

for sample_file in knot.sample.conf example.com.zone; do

    install -p -m 0644 samples/${sample_file} %{buildroot}%{_pkgdocdir}/samples

done

# remove static libraries and libarchive files

rm %{buildroot}%{_libdir}/*.a

rm %{buildroot}%{_libdir}/*.la

%check

make check

%pre

getent group knot >/dev/null || groupadd -r knot

getent passwd knot >/dev/null || useradd -r -g knot -d %{_sysconfdir}/knot -s /sbin/nologin -c "Knot DNS server" knot

exit 0

%post

%systemd_post knot.service

# initialize/upgrade KASP database

%{_sbindir}/runuser -u knot -- %{_sbindir}/keymgr --dir %{_sharedstatedir}/%{name}/keys --legacy init

%preun

%systemd_preun knot.service

%postun

%systemd_postun_with_restart knot.service

%post libs -p /sbin/ldconfig

%postun libs -p /sbin/ldconfig

%files

%{_pkgdocdir}/samples

%dir %attr(750,root,knot) %{_sysconfdir}/%{name}

%config(noreplace) %attr(640,root,knot) %{_sysconfdir}/%{name}/%{name}.conf

%dir %attr(775,root,knot) %{_sharedstatedir}/%{name}

%dir %attr(770,root,knot) %{_sharedstatedir}/%{name}/keys

%dir %attr(-,knot,knot) %{_localstatedir}/run/%{name}

%{_unitdir}/%{name}.service

%{_tmpfilesdir}/%{name}.conf

%{_libexecdir}/knot1to2

%{_bindir}/kjournalprint

%{_bindir}/kzonecheck

%{_sbindir}/keymgr

%{_sbindir}/knotc

%{_sbindir}/knotd

%{_mandir}/man1/knot1to2.*

%{_mandir}/man1/kjournalprint.*

%{_mandir}/man1/kzonecheck.*

%{_mandir}/man5/knot.conf.*

%{_mandir}/man8/keymgr.*

%{_mandir}/man8/knotc.*

%{_mandir}/man8/knotd.*

%{_datadir}/bash-completion/completions/keymgr

%{_datadir}/zsh/site-functions/_keymgr

%files utils

%{_bindir}/kdig

%{_bindir}/khost

%{_bindir}/knsec3hash

%{_bindir}/knsupdate

%{_mandir}/man1/kdig.*

%{_mandir}/man1/khost.*

%{_mandir}/man1/knsec3hash.*

%{_mandir}/man1/knsupdate.*

%files libs

%doc COPYING AUTHORS NEWS THANKS

%{_libdir}/libdnssec.so.*

%{_libdir}/libknot.so.*

%{_libdir}/libzscanner.so.*

%files devel

%{_includedir}/dnssec

%{_includedir}/libknot

%{_includedir}/zscanner

%{_libdir}/libdnssec.so

%{_libdir}/libknot.so

%{_libdir}/libzscanner.so

%{_libdir}/pkgconfig/libdnssec.pc

%{_libdir}/pkgconfig/libknot.pc

%{_libdir}/pkgconfig/libzscanner.pc

%files doc

%dir %{_pkgdocdir}

%{_pkgdocdir}/html

%changelog

* Fri Dec 09 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 2.3.3-1

- new upstream release:

  + fix: double free when failed to apply zone journal

  + fix: zone bootstrap retry interval not preserved upon zone reload

  + fix: DNSSEC related records not flushed if not signed

  + fix: false semantic checks warning about incorrect type in NSEC bitmap

  + fix: memory leak in kzonecheck

  + improvement: all zone names are fully-qualified in log

  + features: new kjournalprint utility

* Thu Nov 17 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 2.3.2-1

- new upstream release:

  + fix: missing glue in some responses

  + fix: knsupdate prompt printing on non-terminal

  + fix: configuration policy item names in documentation

  + fix: segfault on OS X Sierra

  + fix: incorrect %s expansion for the root zone

  + fix: refresh not existing slave zone after restart

  + fix: immediate zone refresh upon restart if refresh already scheduled

  + fix: early zone transfer after restart if transfer already scheduled

  + fix: not ignoring empty non-terminal parents during delegation lookup

  + fix: CD bit clearing in responses

  + fix: compilation error on GNU/kFreeBSD

  + fix: server crash after double zone-commit if journal error

  + improvement: significant speed-up of conf-commit and conf-diff operations

  + improvement: new EDNS Client Subnet API

  + improvement: better semantic-checks error messages

  + improvement: speed-up of knotc if control operation and known socket

  + improvement: zone purge operation purges also zone timers

  + feature: print TLS certificate hierarchy in kdig verbose mode

  + feature: new +subnet alias for +client

  + feature: new mod-whoami and mod-noudp modules

  + feature: new zone-purge control command

  + feature: new log-queries and log-responses options for mod-dnstap

  + feature: simple modules don't require empty configuration section

  + feature: new zone journal path configuration option

  + feature: new timeout configuration option for module dnsproxy

* Mon Aug 29 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 2.3.0-3

- fix post-installation scriptlet (RHBZ #1370939)

* Thu Aug 11 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 2.3.0-2

- endian independent DNS cookies (fixes build on ppc64 and s390x)

* Tue Aug 09 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 2.3.0-1

- new upstream release:

  + fix: No wildcard expansion below empty non-terminal for NSEC signed zone

  + fix: Don't ignore non-existing records to be removed in IXFR

  + fix: Fix kdig IXFR response processing if the transfer content is empty

  + fix: Avoid multiple loads of the same PKCS #11 module

  + improvement: Refactored semantic checks and better error messages

  + improvement: Set TC flag in delegation only if mandatory glue doesn't fit the response

  + improvement: Separate EDNS(0) payload size configuration for IPv4 and IPv6

  + feature: Zone size limit restriction for DDNS, AXFR, and IXFR (CVE-2016-6171)

  + feature: DNS-over-TLS support in kdig (RFC 7858)

  + feature: EDNS(0) padding and alignment support in kdig (RFC 7830)

* Fri Jun 24 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 2.2.1-2

- rebuild for updated userspace-rcu

* Mon May 30 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 2.2.1-1

- new upstream release:

  + fix: Separate logging of server and zone events

  + fix: Concurrent zone file flushing with many zones

  + fix: Control timeout parsing in knotc

  + fix: "Environment maxreaders limit reached" error in knotc

  + fix: Don't apply journal changes on modified zone file

  + fix: Enable multiple zone names completion in interactive knotc

  + fix: Set the TC flag in a response if a glue doesn't fit the response

  + fix: Disallow server reload when there is an active configuration transaction

  + improvement: Distinguish unavailable zones from zones with zero serial in log messages

  + improvement: Log warning and error messages to standard error output in all utilities

  + improvement: Document tested PKCS #11 devices

  + improvement: Extended Python configuration interface

- update requirements for Fedora 25

* Sun May 29 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 2.2.0-3

- update default configuration file

* Sun May 08 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 2.2.0-2

- fix: systemd service starting

* Tue Apr 26 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 2.2.0-1

- new upstream release:

  + fix: Query/response message type setting in dnstap module

  + fix: Remote address retrieval from dnstap capture in kdig

  + fix: Global modules execution for queries hitting existing zones

  + fix: Execution of semantic checks after an IXFR transfer

  + fix: kdig failure when the first AXFR message contains just the SOA record

  + fix: Exclude non-authoritative types from NSEC/NSEC3 bitmap at a delegation

  + fix: Mark PKCS#11 generated keys as sensitive

  + fix: Error when removing the only zone from the server

  + fix: Don't abort knotc transaction when some check fails

  + feature: URI and CAA resource record types support

  + feature: RRL client address based white list

  + feature: knotc interactive mode

  + improvement: Consistent IXFR error messages

  + improvement: Various fixes for better compatibility with PKCS#11 devices

  + improvement: Various keymgr user interface improvements

  + improvement: Better zone event scheduler performance with many zones

  + improvement: New server control interface

  + improvement: kdig uses local resolver if resolv.conf is empty

* Wed Feb 10 2016 Jan Vcelak <jvcelak@fedoraproject.org> 2.1.1-1

- new upstream release:

  + fix: Allow import of duplicate private key into the KASP

  + fix: Avoid duplicate NSEC for Wildcard No Data answer

  + fix: Server crash when an incomming transfer is in progress and reload is issued

  + fix: Socket polling when configured with many interfaces and threads

  + improvement: Use correct source address for UDP messages recieved on ANY address

  + improvement: Extend documentation of knotc commands

* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild

* Thu Jan 14 2016 Jan Vcelak <jvcelak@fedoraproject.org> 2.1.0-1

- new upstream release:

  + improvement: Remove implementation limit for the number of network interfaces

  + improvement: Remove possibly insecure server control over a network socket

  + fix: Schedule zone bootstrap after slave zone fails to load from disk

* Sun Dec 20 2015 Jan Vcelak <jvcelak@fedoraproject.org> 2.1.0-0.1.rc1

- new upstream pre-release:

  + feature: Per-thread UDP socket binding using SO_REUSEPORT

  + feature: Support for dynamic configuration database

  + feature: DNSSEC, Support for cryptographic tokens via PKCS #11 interface

  + feature: DNSSEC, Experimental support for online signing

  + improvement: Support for zone file name patterns

  + improvement: Configurable location of zone timer database

  + improvement: Non-blocking network operations and better timeout handling

  + improvement: Caching of Critical configuration values for better performance

  + improvement: Logging of ACL failures

  + improvement: RRL: Add rate-limit-slip zero support to drop all responses

  + improvement: RRL: Document behavior for different rate-limit-slip options

  + improvement: kdig: Warning instead of error on TSIG validation failure

  + improvement: Cleanup of support libraries interfaces (libknot, libzscanner, libdnssec)

  + fix: synth-record module: Fix application of default configuration options

  + fix: TSIG: Allow compressed TSIG name when forwarding DDNS updates

* Wed Nov 25 2015 Jan Vcelak <jvcelak@fedoraproject.org> 2.0.2-1

- new upstream release:

  + security fix: out-of-bound read in packet parser for malformed NAPTR record

* Thu Sep 03 2015 Jan Vcelak <jvcelak@fedoraproject.org> 2.0.1-1

- new upstream release:

  + fix: do not reload expired zones on 'knotc reload' and server startup

  + fix: rare race-condition in event scheduling causing delayed event execution

  + fix: skipping of non-authoritative nodes in NSEC proofs

  + fix: TC flag setting in RRL slipped answers

  + fix: disable domain name compression for root label

  + fix: fix CNAME following when quering for NSEC RR type

  + fix: fix refreshing of DNSSEC signatures for zone keys

  + fix: fix binding an unavailable IPv6 address (IP_FREEBIND)

  + fix: fix infinite loop in knotc zonestatus and memstats

  + fix: fix memory leak in configuration on server shutdown

  + fix: fix broken dnsproxy module

  + fix: fix multi value parsing on big-endian

  + fix: adapt to Nettle 3 API break causing base64 decoding failures on big-endian

  + feature: add 'keymgr zone key ds' to show key's DS record

  + feature: add 'keymgr tsig generate' to generate TSIG keys

  + feature: add query module scoping to process either all queries or zone queries only

  + feature: add support for file name globbing in config file includes

  + feature: add 'request-edns-option' config option to add custom EDNS0 option into server initiated queries

  + improvement: send minimal responses (remove NS from Authority section for NOERROR)

  + improvement: update persistent timers only on shutdown for better performance

  + improvement: allow change of RR TTL over DDNS

  + improvement: documentation fixes, updates, and improvements in formatting

  + improvement: install yparser and zscanner header files

* Mon Jul 20 2015 Jan Vcelak <jvcelak@fedoraproject.org> 2.0.0-1

- new upstream release:

  + feature: possibility to disable zone file synchronization

  + feature: knsupdate, add input prompt in interactive mode

  + feature: knsupdate, TSIG algorithm specification in interactive mode

* Thu Jun 18 2015 Jan Vcelak <jvcelak@fedoraproject.org> 2.0.0-0.1.rc1

- new upstream pre-release:

  + fix: lost NOTIFY message if received during zone transfer

  + fix: kdig, record correct dnstap SocketProtocol when retrying over TCP

  + fix: kdig, hide TSIG section with +noall

  + fix: do not set AA flag for AXFR/IXFR queries

  + feature: new configuration format in YAML, binary store im LMDB

  + feature: DNSSEC, separate library, switch to GnuTLS, new utilities

  + feature: DNSSEC, basic KASP support (generate initial keys, ZSK rollover)

  + feature: zone parser, split long TXT/SPF strings into multiple strings

  + feature: kdig, add generic dump style option (+generic)

  + feature: try all master servers on failure in multi-master environment

  + feature: improved remotes and ACLs (multiple addresses, multiple keys)

  + feature: basic support for zone file patterns (%s to substitute zone name)

  + improvement: do not write class for SOA record (unified with other RR types)

  + improvement: do not write master server address into the zone file

  + documentation: manual pages also in HTML and PDF format

* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.99.1-4

- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild

* Mon May 04 2015 Kalev Lember <kalevlember@gmail.com> - 1.99.1-3

- Rebuilt for nettle soname bump

* Fri Feb 13 2015 Jan Vcelak <jvcelak@fedoraproject.org> 1.99.1-2

- fix BuildRequires for systemd integration

* Fri Feb 13 2015 Jan Vcelak <jvcelak@fedoraproject.org> 1.99.1-1

- new upstream pre-release version:

  + DNSSEC: switch from OpenSSL to GnuTLS

  + DNSSEC: initial support for KASP

- split package into subpackages

- add documentation building

- restart daemon on updated