%global _hardened_build 1
%{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}}
Summary: High-performance authoritative DNS server
Name: knot
Version: 2.4.0
Release: 1%{?dist}
License: GPLv3
Group: System Environment/Daemons
URL: http://www.knot-dns.cz
Source0: http://public.nic.cz/files/knot-dns/%{name}-%{version}.tar.xz
Source1: %{name}.service
Source2: %{name}.conf
Source3: %{name}.tmpfiles
# tests: zone update test compatibility with 32-bit arches
Patch1: test_zone-update_10m.patch
# Required dependencies
BuildRequires: pkgconfig(liburcu) pkgconfig(gnutls) >= 3.0 pkgconfig(nettle) pkgconfig(jansson) lmdb-devel pkgconfig(libedit)
# Optional dependencies
BuildRequires: pkgconfig(libcap-ng) pkgconfig(libidn) pkgconfig(libsystemd) pkgconfig(libfstrm) pkgconfig(libprotobuf-c)
BuildRequires: systemd
Requires(post): systemd %{_sbindir}/runuser
Requires(preun): systemd
Requires(postun): systemd
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%description
Knot DNS is a high-performance authoritative DNS server implementation.
%package libs
Summary: Libraries used by the Knot DNS server and client applications
%description libs
The package contains shared libraries used by the Knot DNS server and
utilities.
%package devel
Summary: Development header files for the Knot DNS libraries
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%description devel
The package contains development header files for the Knot DNS libraries
included in knot-libs package.
%package utils
Summary: DNS client utilities shipped with the Knot DNS server
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%description utils
The package contains DNS client utilities shipped with the Knot DNS server.
%package doc
Summary: Documentation for the Knot DNS server
License: GPLv3 and BSD and MIT
BuildArch: noarch
BuildRequires: python3-sphinx
Provides: bundled(jquery)
%description doc
The package contains documentation for the Knot DNS server.
%prep
%setup -q
%patch1 -p1
# make sure embedded LMDB library is not used
rm -vr src/contrib/lmdb
%build
# disable debug code (causes unused warnings)
CFLAGS="%{optflags} -DNDEBUG -Wno-unused"
%ifarch armv7hl i686
# 32-bit architectures sometimes do not have sufficient amount of
# contiguous address space to handle default values
%define configure_db_sizes --with-conf-mapsize=64 --with-timer-mapsize=16
%endif
%configure %{configure_db_sizes}
make %{?_smp_mflags}
make html
%install
make install DESTDIR=%{buildroot}
# install documentation
mkdir -p %{buildroot}%{_pkgdocdir}
cp -av doc/_build/html %{buildroot}%{_pkgdocdir}
[ -r %{buildroot}%{_pkgdocdir}/html/index.html ] || exit 1
rm -f %{buildroot}%{_pkgdocdir}/html/.buildinfo
# install shell completion scripts
install -p -m 0644 -D samples/keymgr-completion.sh %{buildroot}%{_datadir}/bash-completion/completions/keymgr
install -p -m 0644 -D samples/keymgr-completion.zsh %{buildroot}%{_datadir}/zsh/site-functions/_keymgr
# install customized configuration file
rm %{buildroot}%{_sysconfdir}/%{name}/*
install -p -m 0644 -D %{SOURCE2} %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf
# install service file and create rundir
install -p -m 0644 -D %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service
install -p -m 0644 -D %{SOURCE3} %{buildroot}%{_tmpfilesdir}/%{name}.conf
install -d -m 0755 %{buildroot}%{_localstatedir}/run/%{name}
# create storage dir and key dir
mkdir -p %{buildroot}%{_sharedstatedir}
install -d -m 0775 %{buildroot}%{_sharedstatedir}/%{name}
install -d -m 0770 %{buildroot}%{_sharedstatedir}/%{name}/keys
# install config samples into docdir
install -d -m 0755 %{buildroot}%{_pkgdocdir}/samples
for sample_file in knot.sample.conf example.com.zone; do
install -p -m 0644 samples/${sample_file} %{buildroot}%{_pkgdocdir}/samples
done
# remove static libraries and libarchive files
rm %{buildroot}%{_libdir}/*.a
rm %{buildroot}%{_libdir}/*.la
%check
make check
%pre
getent group knot >/dev/null || groupadd -r knot
getent passwd knot >/dev/null || useradd -r -g knot -d %{_sysconfdir}/knot -s /sbin/nologin -c "Knot DNS server" knot
exit 0
%post
%systemd_post knot.service
# initialize/upgrade KASP database
%{_sbindir}/runuser -u knot -- %{_sbindir}/keymgr --dir %{_sharedstatedir}/%{name}/keys --legacy init
%preun
%systemd_preun knot.service
%postun
%systemd_postun_with_restart knot.service
%post libs -p /sbin/ldconfig
%postun libs -p /sbin/ldconfig
%files
%{_pkgdocdir}/samples
%dir %attr(750,root,knot) %{_sysconfdir}/%{name}
%config(noreplace) %attr(640,root,knot) %{_sysconfdir}/%{name}/%{name}.conf
%dir %attr(775,root,knot) %{_sharedstatedir}/%{name}
%dir %attr(770,root,knot) %{_sharedstatedir}/%{name}/keys
%dir %attr(-,knot,knot) %{_localstatedir}/run/%{name}
%{_unitdir}/%{name}.service
%{_tmpfilesdir}/%{name}.conf
%{_libexecdir}/knot1to2
%{_bindir}/kjournalprint
%{_bindir}/kzonecheck
%{_sbindir}/keymgr
%{_sbindir}/knotc
%{_sbindir}/knotd
%{_mandir}/man1/knot1to2.*
%{_mandir}/man1/kjournalprint.*
%{_mandir}/man1/kzonecheck.*
%{_mandir}/man5/knot.conf.*
%{_mandir}/man8/keymgr.*
%{_mandir}/man8/knotc.*
%{_mandir}/man8/knotd.*
%{_datadir}/bash-completion/completions/keymgr
%{_datadir}/zsh/site-functions/_keymgr
%files utils
%{_bindir}/kdig
%{_bindir}/khost
%{_bindir}/knsec3hash
%{_bindir}/knsupdate
%{_mandir}/man1/kdig.*
%{_mandir}/man1/khost.*
%{_mandir}/man1/knsec3hash.*
%{_mandir}/man1/knsupdate.*
%files libs
%doc COPYING AUTHORS NEWS THANKS
%{_libdir}/libdnssec.so.*
%{_libdir}/libknot.so.*
%{_libdir}/libzscanner.so.*
%files devel
%{_includedir}/dnssec
%{_includedir}/libknot
%{_includedir}/zscanner
%{_libdir}/libdnssec.so
%{_libdir}/libknot.so
%{_libdir}/libzscanner.so
%{_libdir}/pkgconfig/libdnssec.pc
%{_libdir}/pkgconfig/libknot.pc
%{_libdir}/pkgconfig/libzscanner.pc
%files doc
%dir %{_pkgdocdir}
%{_pkgdocdir}/html
%changelog
* Tue Jan 24 2017 Petr Spacek <petr.spacek@nic.cz> - 2.4.0-1
- new upstream release:
+ fix: False positive semantic-check warning about invalid bitmap in NSEC
+ fix: Unnecessary SOA queries upon notify with up to date serial
+ fix: Timers for expired zones are reset on reload
+ fix: Zone doesn't expire when the server is down
+ fix: Failed to handle keys with duplicate keytags
+ fix: Per zone module and global module insconsistency
+ fix: Obsolete online signing module configuration
+ fix: Malformed output from kjournalprint
+ fix: Redundant SO_REUSEPORT activation on the TCP socket
+ fix: Failed to use higher number of background workers
+ improvement: Lower memory consumption with qp-trie
+ improvement: Zone events and zone timers improvements
+ improvement: Print all zone names in the FQDN format
+ improvement: Simplified query module interface
+ improvement: Shared TCP connection between SOA query and transfer
+ improvement: Response Rate Limiting as a module with statistics support
+ improvement: Key filters in keymgr
+ features: New unified LMDB-based zone journal
+ features: Server statistics support
+ features: New statistics module for traffic measuring
+ features: Automatic deletion of retired DNSSEC keys
+ features: New control logging category
* Fri Dec 09 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 2.3.3-1
- new upstream release:
+ fix: double free when failed to apply zone journal
+ fix: zone bootstrap retry interval not preserved upon zone reload
+ fix: DNSSEC related records not flushed if not signed
+ fix: false semantic checks warning about incorrect type in NSEC bitmap
+ fix: memory leak in kzonecheck
+ improvement: all zone names are fully-qualified in log
+ features: new kjournalprint utility
* Thu Nov 17 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 2.3.2-1
- new upstream release:
+ fix: missing glue in some responses
+ fix: knsupdate prompt printing on non-terminal
+ fix: configuration policy item names in documentation
+ fix: segfault on OS X Sierra
+ fix: incorrect %s expansion for the root zone
+ fix: refresh not existing slave zone after restart
+ fix: immediate zone refresh upon restart if refresh already scheduled
+ fix: early zone transfer after restart if transfer already scheduled
+ fix: not ignoring empty non-terminal parents during delegation lookup
+ fix: CD bit clearing in responses
+ fix: compilation error on GNU/kFreeBSD
+ fix: server crash after double zone-commit if journal error
+ improvement: significant speed-up of conf-commit and conf-diff operations
+ improvement: new EDNS Client Subnet API
+ improvement: better semantic-checks error messages
+ improvement: speed-up of knotc if control operation and known socket
+ improvement: zone purge operation purges also zone timers
+ feature: print TLS certificate hierarchy in kdig verbose mode
+ feature: new +subnet alias for +client
+ feature: new mod-whoami and mod-noudp modules
+ feature: new zone-purge control command
+ feature: new log-queries and log-responses options for mod-dnstap
+ feature: simple modules don't require empty configuration section
+ feature: new zone journal path configuration option
+ feature: new timeout configuration option for module dnsproxy
* Mon Aug 29 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 2.3.0-3
- fix post-installation scriptlet (RHBZ #1370939)
* Thu Aug 11 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 2.3.0-2
- endian independent DNS cookies (fixes build on ppc64 and s390x)
* Tue Aug 09 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 2.3.0-1
- new upstream release:
+ fix: No wildcard expansion below empty non-terminal for NSEC signed zone
+ fix: Don't ignore non-existing records to be removed in IXFR
+ fix: Fix kdig IXFR response processing if the transfer content is empty
+ fix: Avoid multiple loads of the same PKCS #11 module
+ improvement: Refactored semantic checks and better error messages
+ improvement: Set TC flag in delegation only if mandatory glue doesn't fit the response
+ improvement: Separate EDNS(0) payload size configuration for IPv4 and IPv6
+ feature: Zone size limit restriction for DDNS, AXFR, and IXFR (CVE-2016-6171)
+ feature: DNS-over-TLS support in kdig (RFC 7858)
+ feature: EDNS(0) padding and alignment support in kdig (RFC 7830)
* Fri Jun 24 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 2.2.1-2
- rebuild for updated userspace-rcu
* Mon May 30 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 2.2.1-1
- new upstream release:
+ fix: Separate logging of server and zone events
+ fix: Concurrent zone file flushing with many zones
+ fix: Control timeout parsing in knotc
+ fix: "Environment maxreaders limit reached" error in knotc
+ fix: Don't apply journal changes on modified zone file
+ fix: Enable multiple zone names completion in interactive knotc
+ fix: Set the TC flag in a response if a glue doesn't fit the response
+ fix: Disallow server reload when there is an active configuration transaction
+ improvement: Distinguish unavailable zones from zones with zero serial in log messages
+ improvement: Log warning and error messages to standard error output in all utilities
+ improvement: Document tested PKCS #11 devices
+ improvement: Extended Python configuration interface
- update requirements for Fedora 25
* Sun May 29 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 2.2.0-3
- update default configuration file
* Sun May 08 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 2.2.0-2
- fix: systemd service starting
* Tue Apr 26 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 2.2.0-1
- new upstream release:
+ fix: Query/response message type setting in dnstap module
+ fix: Remote address retrieval from dnstap capture in kdig
+ fix: Global modules execution for queries hitting existing zones
+ fix: Execution of semantic checks after an IXFR transfer
+ fix: kdig failure when the first AXFR message contains just the SOA record
+ fix: Exclude non-authoritative types from NSEC/NSEC3 bitmap at a delegation
+ fix: Mark PKCS#11 generated keys as sensitive
+ fix: Error when removing the only zone from the server
+ fix: Don't abort knotc transaction when some check fails
+ feature: URI and CAA resource record types support
+ feature: RRL client address based white list
+ feature: knotc interactive mode
+ improvement: Consistent IXFR error messages
+ improvement: Various fixes for better compatibility with PKCS#11 devices
+ improvement: Various keymgr user interface improvements
+ improvement: Better zone event scheduler performance with many zones
+ improvement: New server control interface
+ improvement: kdig uses local resolver if resolv.conf is empty
* Wed Feb 10 2016 Jan Vcelak <jvcelak@fedoraproject.org> 2.1.1-1
- new upstream release:
+ fix: Allow import of duplicate private key into the KASP
+ fix: Avoid duplicate NSEC for Wildcard No Data answer
+ fix: Server crash when an incomming transfer is in progress and reload is issued
+ fix: Socket polling when configured with many interfaces and threads
+ improvement: Use correct source address for UDP messages recieved on ANY address
+ improvement: Extend documentation of knotc commands
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Thu Jan 14 2016 Jan Vcelak <jvcelak@fedoraproject.org> 2.1.0-1
- new upstream release:
+ improvement: Remove implementation limit for the number of network interfaces
+ improvement: Remove possibly insecure server control over a network socket
+ fix: Schedule zone bootstrap after slave zone fails to load from disk
* Sun Dec 20 2015 Jan Vcelak <jvcelak@fedoraproject.org> 2.1.0-0.1.rc1
- new upstream pre-release:
+ feature: Per-thread UDP socket binding using SO_REUSEPORT
+ feature: Support for dynamic configuration database
+ feature: DNSSEC, Support for cryptographic tokens via PKCS #11 interface
+ feature: DNSSEC, Experimental support for online signing
+ improvement: Support for zone file name patterns
+ improvement: Configurable location of zone timer database
+ improvement: Non-blocking network operations and better timeout handling
+ improvement: Caching of Critical configuration values for better performance
+ improvement: Logging of ACL failures
+ improvement: RRL: Add rate-limit-slip zero support to drop all responses
+ improvement: RRL: Document behavior for different rate-limit-slip options
+ improvement: kdig: Warning instead of error on TSIG validation failure
+ improvement: Cleanup of support libraries interfaces (libknot, libzscanner, libdnssec)
+ fix: synth-record module: Fix application of default configuration options
+ fix: TSIG: Allow compressed TSIG name when forwarding DDNS updates
* Wed Nov 25 2015 Jan Vcelak <jvcelak@fedoraproject.org> 2.0.2-1
- new upstream release:
+ security fix: out-of-bound read in packet parser for malformed NAPTR record
* Thu Sep 03 2015 Jan Vcelak <jvcelak@fedoraproject.org> 2.0.1-1
- new upstream release:
+ fix: do not reload expired zones on 'knotc reload' and server startup
+ fix: rare race-condition in event scheduling causing delayed event execution
+ fix: skipping of non-authoritative nodes in NSEC proofs
+ fix: TC flag setting in RRL slipped answers
+ fix: disable domain name compression for root label
+ fix: fix CNAME following when quering for NSEC RR type
+ fix: fix refreshing of DNSSEC signatures for zone keys
+ fix: fix binding an unavailable IPv6 address (IP_FREEBIND)
+ fix: fix infinite loop in knotc zonestatus and memstats
+ fix: fix memory leak in configuration on server shutdown
+ fix: fix broken dnsproxy module
+ fix: fix multi value parsing on big-endian
+ fix: adapt to Nettle 3 API break causing base64 decoding failures on big-endian
+ feature: add 'keymgr zone key ds' to show key's DS record
+ feature: add 'keymgr tsig generate' to generate TSIG keys
+ feature: add query module scoping to process either all queries or zone queries only
+ feature: add support for file name globbing in config file includes
+ feature: add 'request-edns-option' config option to add custom EDNS0 option into server initiated queries
+ improvement: send minimal responses (remove NS from Authority section for NOERROR)
+ improvement: update persistent timers only on shutdown for better performance
+ improvement: allow change of RR TTL over DDNS
+ improvement: documentation fixes, updates, and improvements in formatting
+ improvement: install yparser and zscanner header files
* Mon Jul 20 2015 Jan Vcelak <jvcelak@fedoraproject.org> 2.0.0-1
- new upstream release:
+ feature: possibility to disable zone file synchronization
+ feature: knsupdate, add input prompt in interactive mode
+ feature: knsupdate, TSIG algorithm specification in interactive mode
* Thu Jun 18 2015 Jan Vcelak <jvcelak@fedoraproject.org> 2.0.0-0.1.rc1
- new upstream pre-release:
+ fix: lost NOTIFY message if received during zone transfer
+ fix: kdig, record correct dnstap SocketProtocol when retrying over TCP
+ fix: kdig, hide TSIG section with +noall
+ fix: do not set AA flag for AXFR/IXFR queries
+ feature: new configuration format in YAML, binary store im LMDB
+ feature: DNSSEC, separate library, switch to GnuTLS, new utilities
+ feature: DNSSEC, basic KASP support (generate initial keys, ZSK rollover)
+ feature: zone parser, split long TXT/SPF strings into multiple strings
+ feature: kdig, add generic dump style option (+generic)
+ feature: try all master servers on failure in multi-master environment
+ feature: improved remotes and ACLs (multiple addresses, multiple keys)
+ feature: basic support for zone file patterns (%s to substitute zone name)
+ improvement: do not write class for SOA record (unified with other RR types)
+ improvement: do not write master server address into the zone file
+ documentation: manual pages also in HTML and PDF format
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.99.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Mon May 04 2015 Kalev Lember <kalevlember@gmail.com> - 1.99.1-3
- Rebuilt for nettle soname bump
* Fri Feb 13 2015 Jan Vcelak <jvcelak@fedoraproject.org> 1.99.1-2
- fix BuildRequires for systemd integration
* Fri Feb 13 2015 Jan Vcelak <jvcelak@fedoraproject.org> 1.99.1-1
- new upstream pre-release version:
+ DNSSEC: switch from OpenSSL to GnuTLS
+ DNSSEC: initial support for KASP
- split package into subpackages
- add documentation building
- restart daemon on updated