From d60e0c359bccdbfbd9495fc514ebfc4cbdbad3a4 Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Apr 11 2015 05:16:20 +0000 Subject: * Sat Apr 11 2015 Paul Wouters - 4.1.1-1 - Updated to 4.1.1 - Updated cron job for new nsd-control - Updated nsd.conf - Updated nsd init script for use of nsd-control - Renamed --max_interfaces to --max-ips - Added BuildRequires for libevent-devel - Fix buglet in nsd user creation's exit command - Create nsd4 remote-control pem files for nsd-control - chown /var/lib/nsd/nsd.db to the nsd user required for nsd4 - Add logrotate support --- diff --git a/nsd.conf b/nsd.conf index ac59229..2c54dff 100644 --- a/nsd.conf +++ b/nsd.conf @@ -8,11 +8,17 @@ # This is a comment. # Adapted for Fedora/RHEL settings +# +# Sample configuration file +# include: "file" # include that file's text over here. Globbed, "*.conf" # options for the nsd server server: - # uncomment to specify specific interfaces to bind (default wildcard - # interface). + # Number of NSD servers to fork. Put the number of CPUs to use here. + # server-count: 1 + + # uncomment to specify specific interfaces to bind (default are the + # wildcard interfaces 0.0.0.0 and ::0). # ip-address: 1.2.3.4 # ip-address: 1.2.3.4@5678 # ip-address: 12fe::8ef0 
@@ -20,37 +26,66 @@ server: # Allow binding to non local addresses. Default no. # ip-transparent: no - # don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries - # hide-version: no - # enable debug mode, does not fork daemon process into the background. # debug-mode: no - # listen only on IPv4 connections - # ip4-only: no + # listen on IPv4 connections + # do-ip4: yes + + # listen on IPv6 connections + # do-ip6: yes + + # port to answer queries on. default is 53. + # port: 53 + + # Verbosity level. + # verbosity: 0 + + # After binding socket, drop user privileges. + # can be a username, id or id.gid. + username: nsd - # listen only on IPv6 connections - # ip6-only: no + # Run NSD in a chroot-jail. + # make sure to have pidfile and database reachable from there. + # by default, no chroot-jail is used. + # chroot: "/etc/nsd" + + # The directory for zonefile: files. The daemon chdirs here. + zonesdir: "/etc/nsd" + # the list of dynamically added zones. + zonelistfile: "/var/lib/nsd/zone.list" + # the database to use - # database: "/var/lib/nsd/nsd.db" + # if set to "" then no disk-database is used, less memory usage. + database: "/var/lib/nsd/nsd.db" + + # log messages to file. Default to stderr and syslog (with + # facility LOG_DAEMON). stderr disappears when daemon goes to bg. + logfile: "/var/log/nsd.log" + + # File to store pid for nsd in. + pidfile: "/var/run/nsd/nsd.pid" + + # The file where secondary zone refresh and expire timeouts are kept. + # If you delete this file, all secondary zones are forced to be + # 'refreshing' (as if nsd got a notify). Set to "" to disable. + # xfrdfile: "/var/lib/nsd/ixfr.state" + + # The directory where zone transfers are stored, in a subdir of it. + xfrdir: "/var/tmp" + + # don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries + # hide-version: no # identify the server (CH TXT ID.SERVER entry). # identity: "unidentified server" - # NSID identity (hex string). default disabled. 
+ # NSID identity (hex string, or "ascii_somestring"). default disabled. # nsid: "aabbccdd" - # log messages to file. Default to stderr and syslog (with facility - # LOG_DAEMON). - # logfile: "/var/log/nsd.log" - - # Number of NSD servers to fork. - # server-count: 1 - # Maximum number of concurrent TCP connections per server. - # This option should have a value below 1000. - # tcp-count: 10 + # tcp-count: 100 # Maximum number of queries served on a single TCP connection. # By default 0, which means no maximum. 
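Review bot: `xfrdir: "/var/tmp"` becomes an active setting in this hunk, so in-flight zone transfer data is written under a shared, world-writable temp directory rather than one owned by the daemon; the spec already installs /var/lib/nsd as 0755 nsd:nsd, so `xfrdir: "/var/lib/nsd"` (or a subdirectory of it) keeps that data under the daemon's own tree alongside nsd.db and zone.list. The moved `# hide-version: no` keeps the upstream default of answering version.bind/version.server CHAOS queries; for a distribution default, `hide-version: yes` is the more conservative choice and costs nothing. `logfile: "/var/log/nsd.log"` is also uncommented while `username: nsd` drops privileges, and nothing in this commit creates that file with nsd ownership, so whether the daemon can reopen it after rotation presumably depends on it being opened before the privilege drop — worth confirming against the logrotate script. The server: block continues outside the hunk.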
@@ -65,44 +100,25 @@ server: # Preferred EDNS buffer size for IPv6. # ipv6-edns-size: 4096 - # File to store pid for nsd in. - # pidfile: "/var/run/nsd/nsd.pid" - - # port to answer queries on. default is 53. - # port: 53 - - # statistics are produced every number of seconds. - # statistics: 3600 - - # if per zone statistics is enabled, file to store statistics. - # zone-stats-file: "/var/log/nsd.stats" - - # Run NSD in a chroot-jail. - # make sure to have pidfile and database reachable from there. - # by default, no chroot-jail is used. - # chroot: "/etc/nsd" - - # After binding socket, drop user privileges. - # can be a username, id or id.gid. - # username: nsd - - # The directory for zonefile: files. - # zonesdir: "/etc/nsd" - - # The file where incoming zone transfers are stored. - # run nsd-patch to update zone files, then you can safely delete it. - # difffile: "/var/lib/nsd/ixfr.db" - - # The file where secondary zone refresh and expire timeouts are kept. - # If you delete this file, all secondary zones are forced to be - # 'refreshing' (as if nsd got a notify). - # xfrdfile: "/var/lib/nsd/ixfr.state" + # statistics are produced every number of seconds. Prints to log. + # Default is 0, meaning no statistics are produced. + statistics: 3600 # Number of seconds between reloads triggered by xfrd. - # xfrd-reload-timeout: 10 + # xfrd-reload-timeout: 1 + + # log timestamp in ascii (y-m-d h:m:s.msec), yes is default. + # log-time-ascii: yes - # Verbosity level. - # verbosity: 0 + # round robin rotation of records in the answer. + round-robin: yes + + # check mtime of all zone files on start and sighup + # zonefiles-check: yes + + # write changed zonefiles to disk, every N seconds. + # default is 0(disabled) or 3600(if database is ""). + zonefiles-write: 3600 # RRLconfig # Response Rate Limiting, size of the hashtable. Default 1000000. 
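Review bot: `zonefiles-write: 3600` is switched on here, but the zone files live in `zonesdir: "/etc/nsd"`, which the spec installs as `%attr(0750,root,nsd) %dir` while the daemon runs as `username: nsd`, so the periodic write of changed secondary zone files cannot create files there unless the daemon keeps elevated privileges; the same applies to the `nsd-control write` calls this commit adds to nsd.cron and to stop() in nsd.init, whose output is sent to /dev/null so the failure would go unnoticed. Either leave it as `# zonefiles-write: 3600` until the directory layout is settled, or point zonesdir at a daemon-owned location such as a subdirectory of /var/lib/nsd rather than opening /etc/nsd for writes by the service account. `round-robin: yes` and `statistics: 3600` are also enabled as distribution defaults; a one-line comment noting that they differ from upstream's commented-out defaults would help anyone diffing against nsd.conf.sample. The server: block continues outside the hunk.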
@@ -134,4 +150,131 @@ server: # rrl-whitelist-ratelimit: 2000 # RRLend +# Remote control config section. +remote-control: + # Enable remote control with nsd-control(8) here. + # set up the keys and certificates with nsd-control-setup. + control-enable: yes + + # what interfaces are listened to for control, default is on localhost. + # control-interface: 127.0.0.1 + # control-interface: ::1 + + # port number for remote control operations (uses TLS over TCP). + # control-port: 8952 + + # nsd server key file for remote control. + server-key-file: "/etc/nsd/nsd_server.key" + + # nsd server certificate file for remote control. + server-cert-file: "/etc/nsd/nsd_server.pem" + + # nsd-control key file. + control-key-file: "/etc/nsd/nsd_control.key" + + # nsd-control certificate file. + control-cert-file: "/etc/nsd/nsd_control.pem" + + +# Secret keys for TSIGs that secure zone transfers. +# You could include: "secret.keys" and put the 'key:' statements in there, +# and give that file special access control permissions. +# +# key: + # The key name is sent to the other party, it must be the same + #name: "keyname" + # algorithm hmac-md5, or hmac-sha1, or hmac-sha256 (if compiled in) + #algorithm: hmac-sha256 + # secret material, must be the same as the other party uses. + # base64 encoded random number. + # e.g. from dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64 + #secret: "K2tf3TRjvQkVCmJF3/Z9vA==" + + +# Patterns have zone configuration and they are shared by one or more zones. +# +# pattern: + # name by which the pattern is referred to + #name: "myzones" + # the zonefile for the zones that use this pattern. + # if relative then from the zonesdir (inside the chroot). + # the name is processed: %s - zone name (as appears in zone:name). + # %1 - first character of zone name, %2 second, %3 third. + # %z - topleveldomain label of zone, %y, %x next labels in name. + # if label or character does not exist you get a dot '.'. 
+ # for example "%s.zone" or "zones/%1/%2/%3/%s" or "secondary/%z/%s" + #zonefile: "%s.zone" + + # If no master and slave access control elements are provided, + # this zone will not be served to/from other servers. + + # A master zone needs notify: and provide-xfr: lists. A slave + # may also allow zone transfer (for debug or other secondaries). + # notify these slaves when the master zone changes, address TSIG|NOKEY + # IP can be ipv4 and ipv6, with @port for a nondefault port number. + #notify: 192.0.2.1 NOKEY + # allow these IPs and TSIG to transfer zones, addr TSIG|NOKEY|BLOCKED + # address range 192.0.2.0/24, 1.2.3.4&255.255.0.0, 3.0.2.20-3.0.2.40 + #provide-xfr: 192.0.2.0/24 my_tsig_key_name + # set the number of retries for notify. + #notify-retry: 5 + + # uncomment to provide AXFR to all the world + # provide-xfr: 0.0.0.0/0 NOKEY + # provide-xfr: ::0/0 NOKEY + + # A slave zone needs allow-notify: and request-xfr: lists. + #allow-notify: 2001:db8::0/64 my_tsig_key_name + # By default, a slave will request a zone transfer with IXFR/TCP. + # If you want to make use of IXFR/UDP use: UDP addr tsigkey + # for a master that only speaks AXFR (like NSD) use AXFR addr tsigkey + #request-xfr: 192.0.2.2 the_tsig_key_name + # Attention: You cannot use UDP and AXFR together. AXFR is always over + # TCP. If you use UDP, we higly recommend you to deploy TSIG. + # Allow AXFR fallback if the master does not support IXFR. Default + # is yes. + #allow-axfr-fallback: yes + # set local interface for sending zone transfer requests. + # default is let the OS choose. + #outgoing-interface: 10.0.0.10 + + # if compiled with --enable-zone-stats, give name of stat block for + # this zone (or group of zones). Output from nsd-control stats. + # zonestats: "%s" + + # if you give another pattern name here, at this point the settings + # from that pattern are inserted into this one (as if it were a + # macro). 
The statement can be given in between other statements, + # because the order of access control elements can make a difference + # (which master to request from first, which slave to notify first). + #include-pattern: "common-masters" + + +# Fixed zone entries. Here you can config zones that cannot be deleted. +# Zones that are dynamically added and deleted are put in the zonelist file. +# +# zone: + # name: "example.com" + # you can give a pattern here, all the settings from that pattern + # are then inserted at this point + # include-pattern: "master" + # You can also specify (additional) options directly for this zone. + # zonefile: "example.com.zone" + # request-xfr: 192.0.2.1 example.com.key + + # RRLconfig + # Response Rate Limiting, whitelist types + # rrl-whitelist: nxdomain + # rrl-whitelist: error + # rrl-whitelist: referral + # rrl-whitelist: any + # rrl-whitelist: rrsig + # rrl-whitelist: wildcard + # rrl-whitelist: nodata + # rrl-whitelist: dnskey + # rrl-whitelist: positive + # rrl-whitelist: all + # RRLend + # include: "/etc/nsd/other.conf" + diff --git a/nsd.cron b/nsd.cron index c7eb179..1cd275b 100644 --- a/nsd.cron +++ b/nsd.cron @@ -3,7 +3,7 @@ # Paul Wouters # This folds back zone updates, dynamic updates, etc that nsd records -# in the ixfr.db and nsd.db files back into the zone files or vice-versa +# in the nsd.db file back into the zone files # Only check when nsd is actively running # systemd: @@ -13,7 +13,7 @@ pidof nsd > /dev/null || exit 0 # Default settings - do not edit these but /etc/sysconfig/nsd instead! NSD_CONF="/etc/nsd/nsd.conf" -NSDC_PROG="/usr/sbin/nsdc" +NSDC_PROG="/usr/sbin/nsd-control" NSD_CHECKCONF_PROG="/usr/sbin/nsd-checkconf" NSD_AUTOREBUILD="yes" 
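Review bot: `control-enable: yes` makes daemon startup depend on the four key and certificate files listed right below it, which nothing in this file creates; they are only produced by the nsd-control-setup call in the spec's %post, and nsd.conf is `%config(noreplace)`, so an install where that step did not run presumably leaves a default config the daemon refuses to start with. A comment above `control-enable: yes` such as `# The key/cert files below are generated by nsd-control-setup at package install; nsd will not start without them.` would make that dependency visible to an administrator editing this file. The control-interface lines stay commented, i.e. localhost only, which is the right default. The `#secret:` value is upstream's commented-out placeholder and is fine as an example.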
@@ -23,8 +23,7 @@ NSD_AUTOREBUILD="yes" # needed to avoid useless AVC rhbz#989218 cd ~nsd -# Ideally check if ixfr.db newer then any zones, only then do -$NSDC_PROG -c $NSD_CONF patch > /dev/null 2>&1 +$NSDC_PROG -c $NSD_CONF write > /dev/null 2>&1 # We try to only rebuild/reload when neccessary. If 1 zone is newer, # we need to rebuild the db file. @@ -49,8 +48,3 @@ case "$NSD_AUTOREBUILD" in *) ;; esac - -# nsd checks the serial in notify requests, so its better to send an -# occasional redundant notify, then to miss it. -# According to the nsd team, this is no longer neccessary -# $NSDC_PROG -c $NSD_CONF notify > /dev/null 2>&1 diff --git a/nsd.init b/nsd.init index c402d1d..cf7ad81 100755 --- a/nsd.init +++ b/nsd.init @@ -22,7 +22,7 @@ NSD_CONF="/etc/nsd/nsd.conf" NSD_PROG="/usr/sbin/nsd" NSD_PIDFILE="/var/run/nsd/nsd.pid" NSD_XFRDFILE="/var/lib/nsd/xfrd.state" -NSDC_PROG="/usr/sbin/nsdc" +NSDC_PROG="/usr/sbin/nsd-control" NSD_USER="nsd" NSD_PIDDIR="$(dirname ${NSD_PIDFILE})" NSD_EXTRA_OPTS="" @@ -55,7 +55,6 @@ start() { } echo -n $"Starting nsd:" - ${NSDC_PROG} -c ${NSD_CONF} rebuild >/dev/null 2>&1 daemon \ --pidfile=${NSD_PIDFILE} \ ${NSD_PROG} -c ${NSD_CONF} \ @@ -68,14 +67,11 @@ start() { stop() { echo -n $"Stopping nsd: " # save state to zonefiles - ${NSDC_PROG} -c ${NSD_CONF} patch > /dev/null 2>&1 - killproc -p ${NSD_PIDFILE} ${NSD_PROG} + ${NSDC_PROG} -c ${NSD_CONF} write > /dev/null 2>&1 + ${NSDC_PROG} -c ${NSD_CONF} stop > /dev/null 2>&1 RETVAL=$? if [ $RETVAL -eq 0 ] ; then - # nsd should do this rm -f ${NSD_PIDFILE} rm -f /var/lock/subsys/nsd - # ensure notifies are sent at startup - rm -f ${NSD_XFRDFILE} success else failure 
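Review bot: `$NSDC_PROG -c $NSD_CONF write > /dev/null 2>&1` replaces `patch`, but the surrounding logic is still the nsd 3 one: `NSD_AUTOREBUILD="yes"` and the comment just below the hunk still describe rebuilding the db file, and nsd-control has no `rebuild` subcommand, so if the case block after the hunk still invokes one it now fails on every run with the error hidden by the same kind of redirect. Either drop the NSD_AUTOREBUILD path, as this commit already does for the init script, or update the comment to say what `write` does now. Note that `write` is carried out by the running daemon as the nsd user into zonesdir, so its success depends on that directory being writable by that user. The case statement is outside the hunk.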
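Review bot: stop() now relies solely on `${NSDC_PROG} -c ${NSD_CONF} stop`, so if the control channel is unusable (remote control disabled in a locally edited nsd.conf, or the control keys missing) the script reports failure and the daemon keeps running, where the removed `killproc -p ${NSD_PIDFILE} ${NSD_PROG}` needed only the pidfile. Keeping the old path as a fallback, `${NSDC_PROG} -c ${NSD_CONF} stop > /dev/null 2>&1 || killproc -p ${NSD_PIDFILE} ${NSD_PROG}`, preserves the previous behaviour when the control socket is down. `NSD_XFRDFILE` is still defined at the top of the script but appears unused now that its `rm -f` is gone. stop() ends outside the hunk.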
@@ -106,21 +102,18 @@ case "$1" in [ -f /var/lock/subsys/nsd ] && restart || : ;; status) - status -p ${NSD_PIDFILE} ${NSD_PROG} + ${NSDC_PROG} -c ${NSD_CONF} status RETVAL=$? ;; - reload) - echo -n $"Rebuilding zonefiles:" - ${NSDC_PROG} -c ${NSD_CONF} rebuild >/dev/null 2>&1 + rebuild|reload) + echo -n $"Reloading nsd:" + kill -SIGHUP $(cat ${NSD_PIDFILE}) RETVAL=$? if [ $RETVAL -eq 0 ] ; then success else failure fi - echo - echo -n $"Reloading nsd:" - ${NSDC_PROG} -c ${NSD_CONF} reload RETVAL=$? ${NSDC_PROG} -c ${NSD_CONF} notify >/dev/null 2>&1 /dev/null 2>/dev/null || : + endscript +} diff --git a/nsd.spec b/nsd.spec index c6b2e7e..147ec3c 100644 --- a/nsd.spec +++ b/nsd.spec @@ -1,6 +1,6 @@ Summary: Fast and lean authoritative DNS Name Server Name: nsd -Version: 3.2.18 +Version: 4.1.1 Release: 1%{?dist} License: BSD Url: http://www.nlnetlabs.nl/%{name}/ @@ -9,12 +9,11 @@ Source1: nsd.init Source2: nsd.cron Source3: nsd.sysconfig Source4: nsd.conf -Patch0: nsd-install.patch -Patch1: nsd-fixlogfile.patch +Source5: nsd.logrotate Group: System Environment/Daemons BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -BuildRequires: flex, openssl-devel -Requires(pre): shadow-utils +BuildRequires: flex, openssl-devel, libevent-devel +Requires(pre): shadow-utils, logrotate %global _hardened_build 1 @@ -26,8 +25,6 @@ consult the REQUIREMENTS document which is a part of this distribution %prep %setup -q -%patch0 -p1 -%patch1 -p1 %build export LDFLAGS="-Wl,-z,relro,-z,now" @@ -38,10 +35,9 @@ export CFLAGS="$RPM_OPT_FLAGS -fPIE -pie" --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \ --with-ssl \ --with-user=nsd \ - --with-difffile=%{_localstatedir}/lib/%{name}/ixfr.db \ --with-xfrdfile=%{_localstatedir}/lib/%{name}/ixfr.state \ --with-dbfile=%{_localstatedir}/lib/%{name}/nsd.db \ - --enable-ratelimit --with-max_interfaces=1024 + --enable-ratelimit --with-max-ips=1024 %{__make} %{?_smp_mflags} #convert to utf8 
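Review bot: `kill -SIGHUP $(cat ${NSD_PIDFILE})` in the new `rebuild|reload)` branch bypasses the control channel the rest of the script was just converted to, and when the pidfile is absent the command substitution is empty and `kill` fails with a usage error rather than a clear message. `${NSDC_PROG} -c ${NSD_CONF} reload >/dev/null 2>&1` is the equivalent nsd-control operation and keeps the branch consistent with start, stop and status. The `RETVAL=$?` kept after the `fi` now appears to capture the exit status of `success`/`failure` rather than of the reload itself, so it should go. The tail of this hunk looks garbled in this view, so the lines after the notify call were not reviewed.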
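Review bot: `Requires(pre): shadow-utils, logrotate` puts logrotate in the %pre dependency set, but only shadow-utils (groupadd/useradd) is used there; logrotate is a runtime need for the new logrotate.d/nsd file and belongs in a plain `Requires: logrotate` line, keeping `Requires(pre): shadow-utils` as it was. This is a packaging-correctness nit rather than a functional break.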
@@ -66,13 +62,10 @@ install -m 0755 %{SOURCE3} %{buildroot}/%{_sysconfdir}/sysconfig/%{name} rm %{buildroot}%{_sysconfdir}/nsd/nsd.conf.sample cp %{SOURCE4} %{buildroot}%{_sysconfdir}/nsd/nsd.conf -%clean -rm -rf ${RPM_BUILD_ROOT} +install -p -D -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/logrotate.d/nsd %files -%defattr(-,root,root,-) %doc doc/* -%doc contrib/nsd.zones2nsd.conf %attr(0750,root,nsd) %dir %{_sysconfdir}/nsd %attr(0644,root,nsd) %config(noreplace) %{_sysconfdir}/nsd/nsd.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/nsd @@ -82,16 +75,18 @@ rm -rf ${RPM_BUILD_ROOT} %attr(0755,%{name},%{name}) %dir %{_localstatedir}/lib/%{name} %{_sbindir}/* %{_mandir}/*/* +%config(noreplace) %{_sysconfdir}/logrotate.d/nsd %pre getent group nsd >/dev/null || groupadd -r nsd getent passwd nsd >/dev/null || \ useradd -r -g nsd -d /etc/nsd -s /sbin/nologin \ - -c "nsd daemon account" nsd -exit 0 + -c "nsd daemon account" nsd || : %post /sbin/chkconfig --add %{name} +[ -e %{_sysconfdir}/nsd/nsd_control.key ] || {_sbindir}/nsd-control-setup >/dev/null 2>&1 || : +[ -e %{_localstatedir}/lib/%{name}/nsd.db ] && chown nsd.nsd %{_localstatedir}/lib/%{name}/nsd.db %preun if [ $1 -eq 0 ]; then @@ -105,6 +100,18 @@ if [ "$1" -ge "1" ]; then fi %changelog +* Sat Apr 11 2015 Paul Wouters - 4.1.1-1 +- Updated to 4.1.1 +- Updated cron job for new nsd-control +- Updated nsd.conf +- Updated nsd init script for use of nsd-control +- Renamed --max_interfaces to --max-ips +- Added BuildRequires for libevent-devel +- Fix buglet in nsd user creation's exit command +- Create nsd4 remote-control pem files for nsd-control +- chown /var/lib/nsd/nsd.db to the nsd user required for nsd4 +- Add logrotate support + * Mon Jul 28 2014 Paul Wouters - 3.2.18-1 - Updated to 3.2.18 - improved TXT parsing, new NSID option
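Review bot: `{_sbindir}/nsd-control-setup` in %post is missing the `%` of the macro, so the shell runs a literal `{_sbindir}/nsd-control-setup` that does not exist; the redirect and trailing `|| :` hide the failure, no control keys are generated, and since the shipped nsd.conf has `control-enable: yes` a fresh install ends up with a daemon that presumably cannot start and an init script whose stop and status paths depend on those keys. The line should read `[ -e %{_sysconfdir}/nsd/nsd_control.key ] || %{_sbindir}/nsd-control-setup >/dev/null 2>&1 || :`. The following `[ -e … nsd.db ] && chown nsd.nsd …` is the last command of %post and, on a fresh install where nsd.db does not yet exist, makes the scriptlet exit non-zero, so append ` || :` to it as well. The generated key files grant full control of the daemon; it is worth confirming that nsd-control-setup's own permission handling leaves them unreadable to other users inside the root-owned 0750 /etc/nsd, and that the daemon reads the server key before dropping to the nsd user.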