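#global prever rc3

# Request a hardened (PIE, full RELRO) build from the distribution macros where supported.
%global _hardened_build 1

Summary: DNSSEC key and zone management software
Name: opendnssec
Version: 1.4.0
Release: 1%{?prever}%{?dist}
License: BSD
Url: http://www.opendnssec.org/
# NOTE(review): Source0 is fetched over plain http and nothing in this spec
# verifies a signature or checksum for it; confirm the tarball's integrity is
# pinned elsewhere in the packaging workflow.
Source0: http://www.opendnssec.org/files/source/%{?prever:testing/}%{name}-%{version}%{?prever}.tar.gz
Source1: ods-enforcerd.init
Source2: ods-signerd.init
Source3: ods.sysconfig
Source4: conf.xml
Source5: opendnssec.cron
Source6: kasp.xml
Group: Applications/System
# PKCS#11 providers; the post scriptlet calls softhsm to initialise a token.
Requires: opencryptoki, softhsm
BuildRequires: ldns-devel >= 1.6.13, sqlite-devel, openssl-devel
BuildRequires: libxml2-devel, CUnit-devel, doxygen
# It tests for pkill/killall and would use /bin/false if not found
BuildRequires: procps

# Scriptlet dependencies: groupadd/useradd in pre, /sbin/chkconfig in post and
# preun, /sbin/service in preun and postun. Declaring them makes sure the tools
# are installed before the scriptlets that call them run.
Requires(pre): shadow-utils
Requires(post): chkconfig
Requires(preun): chkconfig, initscripts
Requires(postun): initscripts
%if 0%{?prever:1}
# For building snapshots
BuildRequires: autoconf, automake, libtool, java
%endif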
|
%description
OpenDNSSEC was created as an open-source turn-key solution for DNSSEC.
It secures zone data just before it is published in an authoritative
name server. It requires a PKCS#11 crypto module library, such as softhsm.
|
%prep
# Unpack the upstream tarball; the source directory name carries the
# pre-release suffix when prever is defined.
%setup -q -n %{name}-%{version}%{?prever}

%build
# Hardening flags: position-independent executable, plus full RELRO
# (-z relro with -z now) at link time. The format warnings are
# diagnostics only and do not change the generated code.
export CFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wextra -Wformat -Wformat-nonliteral -Wformat-security"
export LDFLAGS="-Wl,-z,relro,-z,now -pie"

%configure --with-ldns=%{_libdir}
make %{?_smp_mflags}

%check
# Requires sample db not shipped with upstream
# NOTE(review): with the line below commented out, the upstream test suite is
# not run during the package build.
# make check
|
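%install
rm -rf %{buildroot}
make DESTDIR=%{buildroot} install

# State and runtime directories. These use the localstatedir macro so the
# paths agree with the entries in the files list (the original hard-coded /var
# for three of them). Final ownership and modes come from the files list.
mkdir -p %{buildroot}%{_localstatedir}/opendnssec/{tmp,signed,signconf}
mkdir -p %{buildroot}%{_localstatedir}/run/opendnssec

# Create every target directory before anything is installed into it.
install -d -m 0755 %{buildroot}%{_initrddir}
install -d -m 0755 %{buildroot}%{_sysconfdir}/cron.d
install -d -m 0755 %{buildroot}%{_sysconfdir}/sysconfig

# SysV init scripts, cron job and sysconfig file shipped with the package.
install -p -m 0755 %{SOURCE1} %{buildroot}%{_initrddir}/ods-enforcerd
install -p -m 0755 %{SOURCE2} %{buildroot}%{_initrddir}/ods-signerd
install -p -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/cron.d/opendnssec
install -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/sysconfig/ods

# cleanup sample files
rm -f %{buildroot}%{_sysconfdir}/opendnssec/*.sample
# Install the packaged conf.xml and kasp.xml into the configuration directory
# (the directory itself is expected to exist after make install).
install -p -m 0644 %{SOURCE4} %{SOURCE6} %{buildroot}%{_sysconfdir}/opendnssec/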
|
%files
# Documentation and manual pages
%doc NEWS README LICENSE
%{_mandir}/*/*

# Programs and shared data
%{_sbindir}/*
%{_bindir}/*
%attr(0755,root,root) %dir %{_datadir}/%{name}
%{_datadir}/%{name}/*

# Root-owned service integration: init scripts, sysconfig and cron job
%attr(0755,root,root) %{_initrddir}/ods-enforcerd
%attr(0755,root,root) %{_initrddir}/ods-signerd
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/ods
%attr(0644,root,root) %{_sysconfdir}/cron.d/opendnssec

# Configuration: not accessible to other users, readable and writable by the
# ods group.
# NOTE(review): 0660 lets the ods account rewrite its own configuration,
# including any HSM settings kept in conf.xml (presumably the token PIN lives
# there; confirm). If the daemons and ods-ksmutil only need to read these
# files, 0640 would be the tighter mode.
%attr(0750,root,ods) %dir %{_sysconfdir}/opendnssec
%attr(0660,root,ods) %config(noreplace) %{_sysconfdir}/opendnssec/*.xml

# Working, output and runtime directories writable by the ods group
%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec
%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/tmp
%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/signed
%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/signconf
%attr(0770,root,ods) %dir %{_localstatedir}/run/opendnssec
|
%pre
# Create the ods system group and the no-login ods daemon account when they
# are not already present. The scriptlet always reports success.
if ! getent group ods >/dev/null; then
    groupadd -r ods
fi
if ! getent passwd ods >/dev/null; then
    useradd -r -g ods -d /etc/opendnssec -s /sbin/nologin \
        -c "opendnssec daemon account" ods
fi
exit 0
|
%post
# Register both daemons with the SysV init system.
/sbin/chkconfig --add ods-enforcerd
/sbin/chkconfig --add ods-signerd
# Initialise a slot on the softhsm on first install ($1 is 1), but only when
# no token database exists yet, so an existing token is never re-initialised.
# NOTE(review): the token is created with the fixed user PIN and SO PIN 1234,
# the same on every installation. The value presumably has to match the PIN in
# the packaged conf.xml (not visible here; confirm). Both PINs should be
# changed, and the configuration updated to match, before production keys are
# generated in this token.
if [ "$1" -eq 1 ] && [ ! -f /var/softhsm/slot0.db ]; then
    softhsm --init-token --slot 0 --label "OpenDNSSEC" --pin 1234 --so-pin 1234
fi
|
%preun
# Act only on final removal ($1 is 0); on upgrade the services stay
# registered and running.
[ "$1" -eq 0 ] || exit 0
# Stop both daemons, then remove their init registrations.
/sbin/service ods-signerd stop >/dev/null 2>&1
/sbin/service ods-enforcerd stop >/dev/null 2>&1
/sbin/chkconfig --del ods-enforcerd
/sbin/chkconfig --del ods-signerd
|
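%postun
# On upgrade ($1 is at least 1): refresh the enforcer data with
# ods-ksmutil, then restart whichever daemons are currently running.
if [ "$1" -ge 1 ]; then
    # The redirections must come before "|| :". In the original line they
    # followed the ":" and so applied only to that no-op, leaving the
    # ods-ksmutil output unsilenced.
    ods-ksmutil update all >/dev/null 2>&1 || :
    /sbin/service ods-enforcerd condrestart >/dev/null 2>&1 || :
    /sbin/service ods-signerd condrestart >/dev/null 2>&1 || :
fi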
|
%changelog
* Sat May 11 2013 Paul Wouters <pwouters@redhat.com> - 1.4.0-1
- Updated to 1.4.0
- Enabled full relro/pie protection
|
* Mon Apr 15 2013 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.8.rc3
- Updated to 1.4.0rc3
|
* Mon Jan 28 2013 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.7.rc2
- Updated to 1.4.0rc2
- This merges in r6952
|
* Fri Jan 18 2013 Patrick Uiterwijk <puiterwijk@gmail.com> - 1.4.0-0.6.rc1
- Updated to 1.4.0rc1
- Applied opendnssec-ksk-premature-retirement.patch (svn r6952)
|
* Tue Dec 18 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.6.b2
- Updated to 1.4.0b2
- All patches synced to/from with new release
|
* Fri Nov 23 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.6.b1
- Patch for empty nonterminal NSEC3 records
|
* Sat Nov 10 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.5.b1
- Patch r6816 fixes enforcer/signer communication
- Patch r6817 Don't add double RRSIGs generated by same key for DNSKEY RRset
|
* Tue Oct 30 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.4.b1
- Added BuildRequires: procps-ng for bug OPENDNSSEC-345
- Change RRSIG inception offset to -2h to avoid possible
daylight saving issues on resolvers
- Patch to prevent removal of occluded data
|
* Wed Sep 26 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.2.b1
- Just an EVR fix to the proper standard
- Remove accidentally added (but not released) Epoch:
- Minor spec file cleanup
|
* Wed Sep 12 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.b1.1
- Updated to 1.4.0b1
- Patch to more aggressively try to take lock for resigning
- Patch to give NSEC3PARAM record a TTL=0
|
* Tue Aug 07 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a3.2
- Updated to 1.4.0a3
- Added opendnssec.cron to sync key rollovers over multiple servers
- Removed merged in patch.
- Added patch for cpu lock from trunk
- Don't re-init softhsm on remove+install of opendnssec (as opposed to upgrade)
|
* Wed May 16 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a1.4
- Missed the actual patch line, so previous build did not have the patch
|
* Tue Apr 17 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a1.3
- Remove bad artifact dependency on systemd-units from Fedora branch
|
* Thu Mar 29 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a1.2
- Added opendnssec LICENSE file from trunk (Thanks Jakob!)
- Convert back to sysv for EL5/EL6 repos
|
* Mon Mar 26 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a1.1
- Fix macros in comment
- Added missing -m to install target
|
* Sun Mar 25 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a1
- The 1.4.x branch no longer needs ruby, as the auditor has been removed
- Added missing openssl-devel BuildRequire
- Comment out <SkipPublicKey/> so keys generated by ods can be used by bind
|
* Fri Feb 24 2012 Paul Wouters <pwouters@redhat.com> - 1.3.6-3
- Requires rubygem-soap4r when using ruby-1.9
- Don't ghost /var/run/opendnssec
- Converted initd to systemd
|
* Thu Nov 24 2011 root - 1.3.2-6
- Added rubygem-dnsruby requires as rpm does not pick it up automatically
|
* Tue Nov 22 2011 root - 1.3.2-5
- Added /var/opendnssec/signconf/ as this temp dir is needed
|
* Mon Nov 21 2011 Paul Wouters <paul@xelerance.com> - 1.3.2-4
- Added /var/opendnssec/signed/ as this is the default output dir
|
* Sun Nov 20 2011 Paul Wouters <paul@xelerance.com> - 1.3.2-3
- Add ods user for opendnssec tasks
- Added initscripts and services for ods-signerd and ods-enforcerd
- Initialise OpenDNSSEC softhsm token on first install
|
* Wed Oct 05 2011 Paul Wouters <paul@xelerance.com> - 1.3.2-1
- Updated to 1.3.2
- Added dependencies on opencryptoki and softhsm
- Don't install duplicate unreadable .sample files
- Fix upstream conf.xml to point to actually used library paths
|
* Thu Mar 3 2011 Paul Wouters <paul@xelerance.com> - 1.2.0-1
- Initial package for Fedora