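#global prever rc3
# Hardened build: asks redhat-rpm-config for PIE/RELRO flags; the build
# section exports matching linker and compiler flags explicitly as well.
%global _hardened_build 1

Summary: DNSSEC key and zone management software
Name: opendnssec
Version: 1.4.14
Release: 1%{?prever}%{?dist}
License: BSD
Url: http://www.opendnssec.org/
# Pre-releases are fetched from upstream's testing/ directory and carry the
# prever suffix; both are controlled by the commented-out prever global above.
Source0: http://www.opendnssec.org/files/source/%{?prever:testing/}%{name}-%{version}%{?prever}.tar.gz
# SysV init scripts, sysconfig defaults and the cron job shipped with the package.
Source1: ods-enforcerd.init
Source2: ods-signerd.init
Source3: ods.sysconfig
# Packaged configuration; the install section removes the upstream *.sample
# files and installs these instead.
Source4: conf.xml
Source5: opendnssec.cron
Source6: kasp.xml

Group: Applications/System
# PKCS#11 providers; the post scriptlet initialises a softhsm token on first install.
Requires: opencryptoki, softhsm
BuildRequires: libxml2, libxslt
# libxslt is needed at runtime by ods-kasp2html (see changelog, rhbz#1073313).
Requires: libxml2, libxslt
BuildRequires: ldns-devel >= 1.6.13, sqlite-devel, openssl-devel
BuildRequires: libxml2-devel, CUnit-devel, doxygen
# It tests for pkill/killall and would use /bin/false if not found
BuildRequires: procps
# or else no debug package on epel6
BuildRequires: redhat-rpm-config

# groupadd/useradd for the ods service account created in the pre scriptlet.
Requires(pre): shadow-utils
%if 0%{?prever:1}
# For building snapshots
BuildRequires: autoconf, automake, libtool, java
%endif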

%description
OpenDNSSEC was created as an open-source turn-key solution for DNSSEC.
It secures zone data just before it is published in an authoritative
name server. It requires a PKCS#11 crypto module library, such as softhsm.

%prep
%setup -q -n %{name}-%{version}%{?prever}
# bump default policy ZSK keysize to 2048
# NOTE(review): this rewrites the first "1024" on every line of kasp.xml.in,
# not only the ZSK Length element -- confirm no other 1024 values exist there.
sed -i "s/1024/2048/" conf/kasp.xml.in

%build
# Linker: full RELRO with immediate binding (-z now) and a PIE executable.
export LDFLAGS="-Wl,-z,relro,-z,now -pie"
# Keep the distro optflags and add PIE plus format-string warnings
# (-Wformat-nonliteral / -Wformat-security flag non-literal format strings).
export CFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wextra -Wformat -Wformat-nonliteral -Wformat-security"

%configure --with-ldns=%{_libdir}
make %{?_smp_mflags}

%check
# The test suite requires a sample database that upstream does not ship
# make check

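%install
rm -rf %{buildroot}
make DESTDIR=%{buildroot} install
# Runtime state directories for the signer and enforcer; ownership and mode
# are assigned in the files list.
mkdir -p %{buildroot}%{_localstatedir}/opendnssec/{tmp,signed,signconf}
mkdir -p %{buildroot}%{_localstatedir}/run/opendnssec
# SysV init scripts, cron job and sysconfig defaults from the packaged sources.
install -d -m 0755 %{buildroot}%{_initrddir} %{buildroot}%{_sysconfdir}/cron.d %{buildroot}%{_sysconfdir}/sysconfig
install -p -m 0755 %{SOURCE1} %{buildroot}%{_initrddir}/ods-enforcerd
install -p -m 0755 %{SOURCE2} %{buildroot}%{_initrddir}/ods-signerd
install -p -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/cron.d/opendnssec
install -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/sysconfig/ods

# Replace the upstream *.sample configs with the packaged conf.xml and kasp.xml.
rm -f %{buildroot}%{_sysconfdir}/opendnssec/*.sample
install -p -m 0644 %{SOURCE4} %{SOURCE6} %{buildroot}%{_sysconfdir}/opendnssec/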

%files
# SysV init scripts; registered with chkconfig in the post scriptlet.
%attr(0755,root,root) %{_initrddir}/ods-enforcerd
%attr(0755,root,root) %{_initrddir}/ods-signerd
# Config directory is root:ods with no world access: only root and the
# daemon group can read the configuration.
%attr(0750,root,ods) %dir %{_sysconfdir}/opendnssec
# Working state (tmp, signed zones, signer configs) is group-writable for ods;
# the directories are created in the install section.
%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec
%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/tmp
%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/signed
%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/signconf
# The XML config is group-writable, so anything running as ods (presumably the
# daemons themselves -- see the account comment in the pre scriptlet) can
# rewrite policy. noreplace keeps local edits across upgrades.
%attr(0660,root,ods) %config(noreplace) %{_sysconfdir}/opendnssec/*.xml
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/ods
%attr(0770,root,ods) %dir %{_localstatedir}/run/opendnssec
%attr(0644,root,root) %{_sysconfdir}/cron.d/opendnssec
%doc NEWS README.md LICENSE
%{_mandir}/*/*
%{_sbindir}/*
%{_bindir}/*
%attr(0755,root,root) %dir %{_datadir}/%{name}
%{_datadir}/%{name}/*

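%pre
# Create the unprivileged service account on first install. Both checks are
# idempotent so upgrades are safe. Home is the config directory and the shell
# is nologin, so the account cannot be used interactively.
getent group ods >/dev/null || groupadd -r ods
getent passwd ods >/dev/null || \
useradd -r -g ods -d %{_sysconfdir}/opendnssec -s /sbin/nologin \
-c "opendnssec daemon account" ods
# Never fail the transaction from here.
exit 0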

%post
# Register the SysV init scripts on every install and upgrade.
/sbin/chkconfig --add ods-enforcerd
/sbin/chkconfig --add ods-signerd
# First install only ($1 == 1): create the SoftHSM token as the ods user,
# unless a slot 0 database already exists from an earlier install.
# The token is created with a fixed, publicly known user/SO PIN that is
# passed on the runuser command line; it has to match whatever PIN the
# installed conf.xml references -- TODO confirm against Source4.
if [ "$1" -eq 1 ] && [ ! -f /var/softhsm/slot0.db ]; then
    %{_sbindir}/runuser -u ods -- softhsm --init-token --slot 0 --label "OpenDNSSEC" --pin 1234 --so-pin 1234
fi
# Re-import the XML configuration in case an upgrade changed it; failures
# are ignored so the transaction never aborts here.
ods-ksmutil update all >/dev/null 2>/dev/null ||:

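%preun
# $1 == 0 means the package is being removed rather than upgraded: stop both
# daemons and deregister the init scripts. Stop failures are ignored so
# removal always completes.
if [ "$1" -eq 0 ]; then
  /sbin/service ods-signerd stop >/dev/null 2>&1 ||:
  /sbin/service ods-enforcerd stop >/dev/null 2>&1 ||:
  /sbin/chkconfig --del ods-enforcerd
  /sbin/chkconfig --del ods-signerd
fi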

%postun
# $1 >= 1: a newer package replaced this one (upgrade). Re-import the XML
# configuration and restart the daemons only if they were already running.
# A plain removal ($1 == 0) does nothing here.
if test "$1" -ge 1; then
  ods-ksmutil update all >/dev/null 2>/dev/null ||:
  /sbin/service ods-enforcerd condrestart >/dev/null 2>&1 ||:
  /sbin/service ods-signerd condrestart >/dev/null 2>&1 ||:
fi

%changelog
* Tue Dec 12 2017 Paul Wouters <pwouters@redhat.com> - 1.4.14-1
- Update to 1.4.14 as a first step to migrating to 2.x
  [this version cannot be built until ldns-1.6.17 appears in el6]

* Mon Feb 01 2016 Paul Wouters <pwouters@redhat.com> - 1.4.9-1
- Updated to 1.4.9
- Removed merged in patch

* Tue Jun 09 2015 Paul Wouters <pwouters@redhat.com> - 1.4.7-1
- Updated to 1.4.7 (fix zone update can get stuck, crash on retransfer cmd)
- Create slot as ods user, not root.
- Added the extract patches from the fedora branch

* Wed Aug 20 2014 Paul Wouters <pwouters@redhat.com> - 1.4.6-1
- Updated to 1.4.6
- Removed merged in patch

* Fri Apr 18 2014 Paul Wouters <pwouters@redhat.com> - 1.4.5-2
- Added patch for serial 0 bug in XFR adapter
- Add redhat-rpm-config buildrequire to ensure debug package

* Fri Apr 18 2014 Paul Wouters <pwouters@redhat.com> - 1.4.5-1
- Updated to 1.4.5

* Tue Apr 01 2014 Paul Wouters <pwouters@redhat.com> - 1.4.4-3
- Add buildrequires for ods-kasp2html (rhbz#1073313)

* Fri Mar 28 2014 Paul Wouters <pwouters@redhat.com> - 1.4.4-2
- Add requires for ods-kasp2html (rhbz#1073313)
- Updated to 1.4.4 (rhbz#1080862)
  (compatibility with non RFC 5155 errata 3441 implementations)
- Change the default ZSK policy from 1024 to 2048 bit RSA keys
- Fix post to be quiet when upgrading opendnssec

* Thu Jan 09 2014 Paul Wouters <pwouters@redhat.com> - 1.4.3-1
- Updated to 1.4.3 (rhel#1048449) - minor bugfixes, minor feature enhancements

* Wed Sep 11 2013 Paul Wouters <pwouters@redhat.com> - 1.4.2-1
- Updated to 1.4.2, bugfix release

* Fri Jun 28 2013 Paul Wouters <pwouters@redhat.com> - 1.4.1-1
- Updated to 1.4.1, bugfixes for NSEC3 and serial handling

* Sat May 11 2013 Paul Wouters <pwouters@redhat.com> - 1.4.0-1
- Updated to 1.4.0
- Enabled full relro/pie protection

* Mon Apr 15 2013 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.8.rc3
- Updated to 1.4.0rc3

* Mon Jan 28 2013 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.7.rc2
- Updated to 1.4.0rc2
- This merges in r6952

* Fri Jan 18 2013 Patrick Uiterwijk <puiterwijk@gmail.com> - 1.4.0-0.6.rc1
- Updated to 1.4.0rc1
- Applied opendnssec-ksk-premature-retirement.patch (svn r6952)

* Tue Dec 18 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.6.b2
- Updated to 1.4.0b2
- All patches synced to/from with new release

* Fri Nov 23 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.6.b1
- Patch for empty nonterminal NSEC3 records

* Sat Nov 10 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.5.b1
- Patch r6816 fixes enforcer/signer communication
- Patch r6817 Don't add double RRSIGs generated by same key for DNSKEY RRset

* Tue Oct 30 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.4.b1
- Added BuildRequires: procps-ng for bug OPENDNSSEC-345
- Change RRSIG inception offset to -2h to avoid possible
  daylight saving issues on resolvers
- Patch to prevent removal of occluded data

* Wed Sep 26 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.2.b1
- Just an EVR fix to the proper standard
- Remove accidentally added (but not released) Epoch:
- Minor spec file cleanup

* Wed Sep 12 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.b1.1
- Updated to 1.4.0b1
- Patch to more aggressively try to take lock for resigning
- Patch to give NSEC3PARAM record a TTL=0

* Tue Aug 07 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a3.2
- Updated to 1.4.0a3
- Added opendnssec.cron to sync key rollovers over multiple servers
- Removed merged in patch.
- Added patch for cpu lock from trunk
- Don't re-init softhsm on remove+install of opendnssec (as opposed to upgrade)

* Wed May 16 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a1.4
- Missed the actual patch line, so previous build did not have the patch

* Tue Apr 17 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a1.3
- Remove bad artifact dependency on systemd-units from Fedora branch

* Thu Mar 29 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a1.2
- Added opendnssec LICENSE file from trunk (Thanks Jakob!)
- Convert back to sysv for EL5/EL6 repos

* Mon Mar 26 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a1.1
- Fix macros in comment
- Added missing -m to install target

* Sun Mar 25 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a1
- The 1.4.x branch no longer needs ruby, as the auditor has been removed
- Added missing openssl-devel BuildRequire
- Comment out <SkipPublicKey/> so keys generated by ods can be used by bind

* Fri Feb 24 2012 Paul Wouters <pwouters@redhat.com> - 1.3.6-3
- Requires rubygem-soap4r when using ruby-1.9
- Don't ghost /var/run/opendnssec
- Converted initd to systemd

* Thu Nov 24 2011 root - 1.3.2-6
- Added rubygem-dnsruby requires as rpm does not pick it up automatically

* Tue Nov 22 2011 root - 1.3.2-5
- Added /var/opendnssec/signconf/ as this temp dir is needed

* Mon Nov 21 2011 Paul Wouters <paul@xelerance.com> - 1.3.2-4
- Added /var/opendnssec/signed/ as this is the default output dir

* Sun Nov 20 2011 Paul Wouters <paul@xelerance.com> - 1.3.2-3
- Add ods user for opendnssec tasks
- Added initscripts and services for ods-signerd and ods-enforcerd
- Initialise OpenDNSSEC softhsm token on first install

* Wed Oct 05 2011 Paul Wouters <paul@xelerance.com> - 1.3.2-1
- Updated to 1.3.2
- Added dependencies on opencryptoki and softhsm
- Don't install duplicate unreadable .sample files
- Fix upstream conf.xml to point to actually used library paths

* Thu Mar  3 2011 Paul Wouters <paul@xelerance.com> - 1.2.0-1
- Initial package for Fedora