diff --git a/.fmf/version b/.fmf/version
new file mode 100644
index 0000000..d00491f
--- /dev/null
+++ b/.fmf/version
@@ -0,0 +1 @@
+1
diff --git a/.gitignore b/.gitignore
index 3550079..fd77f51 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,5 @@
 /dnssec-trigger-0.13_20150714.tar.gz
 /dnssec-trigger-0.13.tar.gz
 /dnssec-trigger-0.15.tar.gz
+/dnssec-trigger-0.17.tar.gz
+/dnssec-trigger-0.17.tar.gz.asc
diff --git a/0001-dnssec-trigger-script-port-to-libnm.patch b/0001-dnssec-trigger-script-port-to-libnm.patch
deleted file mode 100644
index 5891c2b..0000000
--- a/0001-dnssec-trigger-script-port-to-libnm.patch
+++ /dev/null
@@ -1,108 +0,0 @@
-From ef18b39abdb5e8bf870ada3c108ab7f083405d2c Mon Sep 17 00:00:00 2001
-From: Lubomir Rintel
-Date: Thu, 15 Feb 2018 17:57:52 +0100
-Subject: [PATCH] dnssec-trigger-script: port to libnm
-
-The libnm-glib is depreacted for a long time already and is eventually
-going away.
----
- dnssec-trigger-script.in | 51 ++++++++++++++----------------------------------
- 1 file changed, 15 insertions(+), 36 deletions(-)
-
-diff --git a/dnssec-trigger-script.in b/dnssec-trigger-script.in
-index 5f70580..14d9278 100644
---- a/dnssec-trigger-script.in
-+++ b/dnssec-trigger-script.in
-@@ -13,14 +13,13 @@ import glob
- import subprocess
- import logging
- import logging.handlers
--import socket
- import struct
- import signal
-
- import gi
--gi.require_version('NMClient', '1.0')
-+gi.require_version('NM', '1.0')
-
--from gi.repository import NMClient
-+from gi.repository import NM
-
- # Python compatibility stuff
- if not hasattr(os, "O_CLOEXEC"):
-@@ -132,7 +131,7 @@ class ConnectionList:
-
- def __init__(self, client, only_default=False, only_vpn=False, skip_wifi=False):
- # Cache the active connection list in the class
-- if not client.get_manager_running():
-+ if not client.get_nm_running():
- raise UserError("NetworkManager is not running.")
- if self.nm_connections is None:
- self.__class__.nm_connections = client.get_active_connections()
-@@ -208,40 +207,20 @@ class Connection:
- self.uuid = connection.get_uuid()
-
- self.zones = []
-- try:
-- self.zones += connection.get_ip4_config().get_domains()
-- except AttributeError:
-- pass
-- try:
-- self.zones += connection.get_ip6_config().get_domains()
-- except AttributeError:
-- pass
--
- self.servers = []
-- try:
-- self.servers += [self.ip4_to_str(server) for server in connection.get_ip4_config().get_nameservers()]
-- except AttributeError:
-- pass
-- try:
-- self.servers += [self.ip6_to_str(connection.get_ip6_config().get_nameserver(i))
-- for i in range(connection.get_ip6_config().get_num_nameservers())]
-- except AttributeError:
-- pass
--
-- def __repr__(self):
-- return "".format(**vars(self))
-
-- @staticmethod
-- def ip4_to_str(ip4):
-- """Converts IPv4 address from integer to string."""
--
-- return socket.inet_ntop(socket.AF_INET, struct.pack("=I", ip4))
-+ ip4_config = connection.get_ip4_config()
-+ if ip4_config is not None:
-+ self.zones += ip4_config.get_domains()
-+ self.servers += ip4_config.get_nameservers()
-
-- @staticmethod
-- def ip6_to_str(ip6):
-- """Converts IPv6 address from integer to string."""
-+ ip6_config = connection.get_ip6_config()
-+ if ip6_config is not None:
-+ self.zones += ip6_config.get_domains()
-+ self.servers += ip6_config.get_nameservers()
-
-- return socket.inet_ntop(socket.AF_INET6, ip6)
-+ def __repr__(self):
-+ return "".format(**vars(self))
-
- @property
- def ignore(self):
-@@ -466,10 +445,10 @@ class Application:
- except AttributeError:
- self.usage()
-
-- self.client = NMClient.Client().new()
-+ self.client = NM.Client().new()
-
- def nm_handles_resolv_conf(self):
-- if not self.client.get_manager_running():
-+ if not self.client.get_nm_running():
- log.debug("NetworkManager is not running")
- return False
- try:
---
-2.13.6
-
diff --git a/0002-Fix-that-NXDOMAIN-for-_probe.uk.uk-is-deemed-allrigh.patch b/0002-Fix-that-NXDOMAIN-for-_probe.uk.uk-is-deemed-allrigh.patch
deleted file mode 100644
index de56106..0000000
--- a/0002-Fix-that-NXDOMAIN-for-_probe.uk.uk-is-deemed-allrigh.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 871f36410b93abc2a2e583043665337d25d66c1e Mon Sep 17 00:00:00 2001
-From: Wouter Wijngaards
-Date: Mon, 26 Feb 2018 13:48:26 +0000
-Subject: [PATCH] - Fix that NXDOMAIN for _probe.uk.uk is deemed allright.
-
-git-svn-id: file:///svn/dnssec-trigger/trunk@764 14dc9c71-5cc2-e011-b339-0019d10b89f4
----
- riggerd/probe.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/riggerd/probe.c b/riggerd/probe.c
-index 4781e01..0954766 100644
---- a/riggerd/probe.c
-+++ b/riggerd/probe.c
-@@ -490,7 +490,8 @@ outq_check_packet(struct outq* outq, uint8_t* wire, size_t len)
- }
-
- /* does DNS work? */
-- if(ldns_pkt_get_rcode(p) != LDNS_RCODE_NOERROR) {
-+ if(ldns_pkt_get_rcode(p) != LDNS_RCODE_NOERROR &&
-+ ldns_pkt_get_rcode(p) != LDNS_RCODE_NXDOMAIN) {
- char* r = ldns_pkt_rcode2str(ldns_pkt_get_rcode(p));
- snprintf(reason, sizeof(reason), "no answer, %s",
- r?r:"(out of memory)");
---
-2.14.3
-
diff --git a/0003-Move-the-NetworkManager-dispatcher-script-out-of-etc.patch b/0003-Move-the-NetworkManager-dispatcher-script-out-of-etc.patch
new file mode 100644
index 0000000..73745bc
--- /dev/null
+++ b/0003-Move-the-NetworkManager-dispatcher-script-out-of-etc.patch
@@ -0,0 +1,96 @@
+From 6e13ba9b4367fb7867f8a61930bd80b34970aa34 Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel
+Date: Thu, 22 Aug 2019 16:28:51 +0200
+Subject: [PATCH] Move the NetworkManager dispatcher script out of /etc
+
+It's not user configuration and shouldn't ever have been there. Except for that
+it used to be the only location NetworkManager looked into. With NetworkManager
+1.20 that is no longer the case and the dispatcher scripts can be moved to
+/usr/lib.
+
+Users of older NetworkManager versions can still override this on the
+./configure command line.
+---
+ README | 2 +-
+ configure | 10 +++++-----
+ configure.ac | 8 ++++----
+ 3 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/README b/README
+index 1ddc3f4..7093268 100644
+--- a/README
++++ b/README
+@@ -74,7 +74,7 @@ the secure version, but this was fixed in 0.6.
+
+ * unix - NetworkManager
+
+-In /etc/NetworkManager/dispatcher.d a script sends DHCP changes to
++In /usr/lib/NetworkManager/dispatcher.d a script sends DHCP changes to
+ the daemon. The script is a networkmanager dhcp hook script and uses
+ dnssec-trigger-control to talk to the daemon. The script uses nmcli
+ to find the DNS info.
+diff --git a/configure b/configure
+index 16d86fc..1efddd3 100755
+--- a/configure
++++ b/configure
+@@ -1364,8 +1364,8 @@ Optional Packages:
+ 'windows' or 'none'
+ --with-networkmanager-dispatch
+ Set the networkmanager dhcp dispatcher dir, default
+- tests prefix/etc/NetworkManager/dispatcher.d and
+- /etc/NetworkManager/dispatcher.d
++ tests prefix/lib/NetworkManager/dispatcher.d and
++ /lib/NetworkManager/dispatcher.d
+ --with-netconfig-dispatch
+ Set the netconfig dhcp dispatcher dir, default tests
+ prefix/etc/netconfig.d and /etc/netconfig.d
+@@ -6879,7 +6879,7 @@ if test -n "$withval"; then
+ fi
+
+ # hook settings
+-networkmanager_dispatcher_dir="$sysconfdir/NetworkManager/dispatcher.d"
++networkmanager_dispatcher_dir="$prefix/lib/NetworkManager/dispatcher.d"
+
+ # Check whether --with-networkmanager-dispatch was given.
+ if test "${with_networkmanager_dispatch+set}" = set; then :
+@@ -6938,8 +6938,8 @@ $as_echo_n "checking for NetworkManager dispatch... " >&6; }
+ else
+ if test -d "$networkmanager_dispatcher_dir" ; then
+ :
+- else if test -d /etc/NetworkManager/dispatcher.d; then
+- networkmanager_dispatcher_dir="/etc/NetworkManager/dispatcher.d"
++ else if test -d /lib/NetworkManager/dispatcher.d; then
++ networkmanager_dispatcher_dir="/lib/NetworkManager/dispatcher.d"
+ fi
+ fi
+ fi
+diff --git a/configure.ac b/configure.ac
+index f06412f..d1b8556 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -244,9 +244,9 @@ if test -n "$withval"; then
+ fi
+
+ # hook settings
+-networkmanager_dispatcher_dir="$sysconfdir/NetworkManager/dispatcher.d"
++networkmanager_dispatcher_dir="$prefix/lib/NetworkManager/dispatcher.d"
+ AC_ARG_WITH([networkmanager-dispatch], AC_HELP_STRING([--with-networkmanager-dispatch],
+- [Set the networkmanager dhcp dispatcher dir, default tests prefix/etc/NetworkManager/dispatcher.d and /etc/NetworkManager/dispatcher.d]),
++ [Set the networkmanager dhcp dispatcher dir, default tests prefix/lib/NetworkManager/dispatcher.d and
/lib/NetworkManager/dispatcher.d]),
+ , withval="")
+ with_nm_dispatch="$withval"
+ AC_SUBST(networkmanager_dispatcher_dir)
+@@ -290,8 +290,8 @@ if test "$hooks" = "networkmanager"; then
+ else
+ if test -d "$networkmanager_dispatcher_dir" ; then
+ :
+- else if test -d /etc/NetworkManager/dispatcher.d; then
+- networkmanager_dispatcher_dir="/etc/NetworkManager/dispatcher.d"
++ else if test -d /lib/NetworkManager/dispatcher.d; then
++ networkmanager_dispatcher_dir="/lib/NetworkManager/dispatcher.d"
+ fi
+ fi
+ fi
+--
+2.23.0
+
diff --git a/0004-Add-options-edns0-and-trust-ad.patch b/0004-Add-options-edns0-and-trust-ad.patch
new file mode 100644
index 0000000..5d59b87
--- /dev/null
+++ b/0004-Add-options-edns0-and-trust-ad.patch
@@ -0,0 +1,32 @@
+From 96b32c7a3494e214998f53fe69503667ada8ea46 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
+Date: Mon, 12 Oct 2020 23:25:43 +0200
+Subject: [PATCH 4/5] Add options edns0 and trust-ad
+
+SSH uses AD flag only when edns0 is enabled in resolv.conf. Unbound of
+course supports it, no need to keep it disabled.
+
+Add also trust-ad for more recent libraries, which discard AD flag
+without explicit trust.
+
+Patch: dnssec-trigger-0.15-edns0.patch
+---
+ dnssec-trigger-script.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dnssec-trigger-script.in b/dnssec-trigger-script.in
+index 14d9278..1c6f581 100644
+--- a/dnssec-trigger-script.in
++++ b/dnssec-trigger-script.in
+@@ -421,7 +421,7 @@ class Application:
+ resolvconf_trigger_tmp = resolvconf_trigger + ".tmp"
+ resolvconf_networkmanager = "/var/run/NetworkManager/resolv.conf"
+
+- resolvconf_localhost_contents = "# Generated by dnssec-trigger-script\nnameserver 127.0.0.1\n"
++ resolvconf_localhost_contents = "# Generated by dnssec-trigger-script\nnameserver 127.0.0.1\noptions edns0 trust-ad\n"
+
+ rfc1918_reverse_zones = [
+ "c.f.ip6.arpa",
+--
+2.26.2
+
diff --git a/changelog b/changelog
new file mode 100644
index 0000000..ca93ebf
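Review bot: The README hunk and the patch description name `/usr/lib/NetworkManager/dispatcher.d`, but the configure and configure.ac hunks default to `$prefix/lib/NetworkManager/dispatcher.d` and fall back to `/lib/NetworkManager/dispatcher.d`, so the three agree only when the prefix is `/usr` or `/lib` resolves to `/usr/lib`. NetworkManager runs dispatcher scripts with root privileges, so the install location is better kept to one documented, root-owned path; the fallback would read more clearly as `else if test -d /usr/lib/NetworkManager/dispatcher.d; then` with the matching assignment and help string. The enclosing `if`/`else` blocks start outside the hunks.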
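Review bot: `trust-ad` makes the stub resolver accept the AD bit from whatever answers on 127.0.0.1, so the new `resolvconf_localhost_contents` value is only sound while a validating resolver is the listener on that address, and nothing in the visible lines records this. A comment above the assignment would help, e.g. `# trust-ad: assumes the resolver on 127.0.0.1 validates DNSSEC itself`. Where this string is written to resolv.conf is outside the hunk, so whether it can be installed while the local resolver is not running should be checked there.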
--- /dev/null
+++ b/changelog
@@ -0,0 +1,313 @@
+* Wed Jul 19 2023 Fedora Release Engineering - 0.17-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Thu Jun 15 2023 Todd Zullinger - 0.17-11
+- Remove execute bit on ssh_config.d snippet
+
+* Thu Jan 19 2023 Fedora Release Engineering - 0.17-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Fri Dec 16 2022 Florian Weimer - 0.17-9
+- Port configure script to C99
+
+* Thu Jul 21 2022 Fedora Release Engineering - 0.17-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Thu Jan 20 2022 Fedora Release Engineering - 0.17-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Tue Sep 14 2021 Sahana Prasad - 0.17-6
+- Rebuilt with OpenSSL 3.0.0
+
+* Wed Jul 21 2021 Fedora Release Engineering - 0.17-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 0.17-4
+- Rebuilt for updated systemd-rpm-macros
+ See https://pagure.io/fesco/issue/2583.
+
+* Tue Jan 26 2021 Fedora Release Engineering - 0.17-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Sat Dec 19 2020 Adam Williamson - 0.17-2
+- Rebuild for libldns soname bump
+
+* Tue Oct 13 2020 Petr Menšík - 0.17-1
+- Update to 0.17
+
+* Mon Oct 12 2020 Petr Menšík - 0.15-14
+- Add edns0 option to resolv.conf
+- Add VerifyHostKeyDNS to ssh config
+
+* Mon Jul 27 2020 Fedora Release Engineering - 0.15-13
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jan 28 2020 Fedora Release Engineering - 0.15-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Mon Jan 06 2020 Jeff Law - 0.15-11
+- Fix typo in last change
+
+* Thu Aug 22 2019 Lubomir Rintel - 0.15-10
+- Move the NetworkManager dispatcher script out of /etc
+
+* Wed Jul 24 2019 Fedora Release Engineering - 0.15-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu Jan 31 2019 Fedora Release Engineering - 0.15-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Thu Jul 12 2018 Fedora Release Engineering - 0.15-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Tue Jun 19 2018 Miro Hrončok - 0.15-6
+- Rebuilt for Python 3.7
+
+* Wed Mar 14 2018 Petr Menšík - 0.15-5
+- Accept NXDOMAIN for NSEC probe (#1555355)
+
+* Mon Feb 19 2018 Tomas Hozza - 0.15-4
+- Added explicit BuildRequires on gcc as required by packaging guidelines
+- Added explicit Requires on e2fsprogs, so that /usr/bin/chattr is available
+- Remove redundant removal of immutable bit in %%preun scriptlet (#1542400)
+
+* Mon Feb 19 2018 Tomas Hozza - 0.15-3
+- use NetworkManager-libnm instead of NetworkManager-glib
+
+* Wed Feb 07 2018 Fedora Release Engineering - 0.15-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Mon Dec 11 2017 Tomas Hozza - 0.15-1
+- Update to stable 0.15 upstream release
+
+* Fri Aug 18 2017 Petr Menšík - 0.13-6
+- Skip always failing kr.com,
update root IPs (#1482939)
+
+* Wed Aug 02 2017 Fedora Release Engineering - 0.13-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering - 0.13-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Wed Mar 08 2017 Tomas Hozza - 0.13-3
+- Rebuild against new ldns
+
+* Wed Mar 01 2017 Tomas Hozza - 0.13-2
+- Include fix for runtime issues with OpenSSL 1.1.0 (#1427561)
+
+* Fri Feb 17 2017 Tomas Hozza - 0.13-1
+- Update to stable 0.13 upstream release
+- Dropped merged patches
+
+* Fri Feb 10 2017 Fedora Release Engineering - 0.13-0.6.20150714svn
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Mon Dec 19 2016 Miro Hrončok - 0.13-0.5.20150714svn
+- Rebuild for Python 3.6
+
+* Wed Feb 03 2016 Fedora Release Engineering - 0.13-0.4.20150714svn
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Tue Nov 10 2015 Fedora Release Engineering
+- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5
+
+* Mon Jul 20 2015 Tomas Hozza - 0.13-0.2.20150714svn
+- Provide Workstation specific configuration
+
+* Wed Jul 15 2015 Tomas Hozza - 0.13-0.1.20150714svn
+- split dnssec-trigger panel into separate subpackage (#1236363)
+- SPEC file cleanup based on rpmlint and fedora-review issues
+- implement some suggestions (#1236363)
+- rebase to the latest svn trunk snapshot 0.13_20150714
+- Script is not searching local user directories any more (#1213062)
+- Script now doesn't restart NM if version is >= 1.0.3, but sends just signal
+- Script now specifies the NMClient version for GI (#1242430)
+- Script now sets negative-cache-ttl in unbound to 5 seconds (#1229596)
+
+* Wed Jun 17 2015 Fedora Release Engineering - 0.12-21
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Wed Apr 08 2015 Tomas Hozza - 0.12-20
+- Fix issue when installing private address range zone without global forwarders (#1205864)
+- Fix
configuration of private address range zones (#1128310#c20)
+
+* Fri Mar 13 2015 Tomas Hozza - 0.12-19
+- Fix typo in the dnssec-trigger-script (#1187371)
+- Use Python3 by default
+
+* Mon Jan 26 2015 Pavel Šimerda - 0.12-18
+- Resolves: #1185796, #1130502, #1105685, #1128310 – update
+
+* Tue Jan 20 2015 Pavel Šimerda - 0.12-17
+- Resolves: #1183975 - systemd cgroup check fails
+
+* Tue Jan 20 2015 Pavel Šimerda - 0.12-16
+- Resolves: #1165126, #1125267, #1089766, #1112248, #824219 - update
+
+* Sat Aug 16 2014 Fedora Release Engineering - 0.12-15
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Thu Aug 14 2014 Pavel Šimerda - 0.12-14
+- Resolves: #1125261 - dnssec-trigger-script: use fcntl.flock instead of
+ lockfile
+
+* Mon Aug 11 2014 Tomas Hozza - 0.12-13
+- One Fedora fallback server changed IP address (#1125440)
+
+* Mon Jun 30 2014 Pavel Šimerda - 0.12-12
+- Resolves: #1112248 - require a version of NetworkManager with #1113122 fixed
+
+* Tue Jun 24 2014 Pavel Šimerda - 0.12-11
+- Resolves: #1112248 - serialize the script instances
+
+* Tue Jun 24 2014 Pavel Šimerda - 0.12-10
+- Resolves: #1112248 - fix a typo
+
+* Tue Jun 24 2014 Pavel Šimerda - 0.12-9
+- Resolves: #1112248 - fix systemd race condition
+
+* Mon Jun 23 2014 Pavel Šimerda - 0.12-8
+- Resolves: #1112248 - don't block on systemctl restart NetworkManager
+
+* Mon Jun 23 2014 Pavel Šimerda - 0.12-7
+- Resolves: #1112248, #1111143 - update dnssec-trigger-script and dnssec-triggerd.service
+
+* Fri Jun 20 2014 Pavel Šimerda - 0.12-6
+- Resolves: #1111143 - fix for python2
+
+* Fri Jun 20 2014 Pavel Šimerda - 0.12-5
+- Related: #842455 - remove a patch that is now redundant
+
+* Fri Jun 20 2014 Pavel Šimerda - 0.12-4
+- update dnssec-trigger-script to current development submitted upstream
+
+* Wed Jun 18 2014 Pavel Šimerda - 0.12-3
+- Resolves: #1105896 - the new script doesn't call dnssec-trigger-control submit
+
+* Fri Jun 06 2014 Pavel Šimerda - 0.12-2
+- fix
various dnssec-trigger-script issues
+
+* Fri May 23 2014 Tomas Hozza - 0.12-1
+- Update to 0.12 version
+- Drop merged patches
+- Drop downstream files (systemd, dispatcher scripts)
+
+* Tue May 13 2014 Paul Wouters - 0.11-21
+- Enable full hardening (includig PIE)
+- Resolves: rhbz#1045689 dnssec-trigger creates long-time RSA key with inappropriate size
+
+* Wed Feb 19 2014 Tomas Hozza - 0.11-20
+- Restart NM on dnssec-trigger shutdown (let NM handle the resolv.conf content)
+- HN-hook: Handle situation when connection does not have a device
+
+* Wed Jan 29 2014 Tomas Hozza - 0.11-19
+- Use new Python dispatcher script and ship /etc/dnssec.conf
+
+* Tue Jan 28 2014 Tomas Hozza - 0.11-18
+- Use systemd macros instead of directly calling systemctl
+- simplify the systemd unit file for generating keys
+
+* Thu Nov 21 2013 Tomas Hozza - 0.11-17
+- Add script to backup and restore resolv.conf on dnssec-trigger start/stop
+
+* Mon Nov 18 2013 Tomas Hozza - 0.11-16
+- Improve GUI dialogs texts
+
+* Tue Nov 12 2013 Tomas Hozza - 0.11-15
+- Fix NM dispatcher script to work with NM >= 0.9.9.0 (#1029571)
+
+* Mon Aug 26 2013 Tomas Hozza - 0.11-14
+- Fix errors found by static analysis of source
+
+* Fri Aug 09 2013 Tomas Hozza - 0.11-13
+- Use improved NM dispatcher script from upstream
+- Added tmpfiles.d config due to improved NM dispatcher script
+
+* Sat Aug 03 2013 Fedora Release Engineering - 0.11-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Mon Mar 04 2013 Adam Tkac - 0.11-11
+- link dnssec-trigger.conf.8 to dnssec-trigger.8
+- build dnssec-triggerd with full RELRO
+
+* Mon Mar 04 2013 Adam Tkac - 0.11-10
+- remove deprecated "Application" keyword from desktop file
+
+* Mon Mar 04 2013 Adam Tkac - 0.11-9
+- install various dnssec-trigger-* symlinks to dnssec-trigger.8 manpage
+
+* Wed Feb 13 2013 Fedora Release Engineering - 0.11-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Tue Jan 08 2013 Paul Wouters -
0.11-7
+- Use full path for systemd (rhbz#842455)
+
+* Tue Jul 24 2012 Paul Wouters - 0.11-6
+- Patched daemon to remove immutable attr (rhbz#842455) as the
+ systemd ExecStopPost= target does not seem to work
+
+* Tue Jul 24 2012 Paul Wouters - 0.11-5
+- On service stop, remove immutable attr from resolv.conf (rhbz#842455)
+
+* Wed Jul 18 2012 Fedora Release Engineering - 0.11-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Thu Jun 28 2012 Paul Wouters - 0.11-3
+- Fix DHCP hook for f17+ version of nmcli (rhbz#835298)
+
+* Sun Jun 17 2012 Paul Wouters - 0.11-2
+- Small textual changes to some popup windows
+
+* Fri Jun 15 2012 Paul Wouters - 0.11-1
+- Updated to 0.11
+- http Hotspot detection via fedoraproject.org/static/hotspot.html
+- http Hotspot Login page via uses hotspot-nocache.fedoraproject.org
+
+* Thu Feb 23 2012 Paul Wouters - 0.10-4
+- Require: unbound
+
+* Wed Feb 22 2012 Paul Wouters - 0.10-3
+- Fix the systemd startup to require unbound
+- dnssec-triggerd no longer forks, giving systemd more control
+- Fire NM dispatcher in ExecStartPost of dnssec-triggerd.service
+- Fix tcp80 entries in dnssec-triggerd.conf
+- symlink dnssec-trigger-panel to dnssec-trigger to supress the
+ "-panel" in the applet name shown in gnome3
+
+
+* Wed Feb 22 2012 Paul Wouters - 0.10-2
+- The NM hook was not modified at the right time during build
+
+* Wed Feb 22 2012 Paul Wouters - 0.10-1
+- Updated to 0.10
+- The NM hook lacks /usr/sbin in path, resulting in empty resolv.conf on hotspot
+
+* Wed Feb 08 2012 Paul Wouters - 0.9-4
+- Updated tls443 / tls80 resolver instances supplied by Fedora Hosted
+
+* Mon Feb 06 2012 Paul Wouters - 0.9-3
+- Convert from SysV to systemd for initial Fedora release
+- Moved configs and pem files to /etc/dnssec-trigger/
+- No more /var/run/dnssec-triggerd/
+- Fix Build-requires
+- Added commented tls443 port80 entries of pwouters resolvers
+- On uninstall ensure there is no immutable bit on /etc/resolv.conf
+
+*
Sat Jan 07 2012 Paul Wouters - 0.9-2
+- Added LICENCE to doc section
+
+* Mon Dec 19 2011 Paul Wouters - 0.9-1
+- Upgraded to 0.9
+
+* Fri Oct 28 2011 Paul Wouters - 0.7-1
+- Upgraded to 0.7
+
+* Fri Sep 23 2011 Paul Wouters - 0.4-1
+- Upgraded to 0.4
+
+* Sat Sep 17 2011 Paul Wouters - 0.3-5
+- Start 01-dnssec-trigger-hook in daemon start
+- Ensure dnssec-triggerd starts after NetworkManager
+
+* Fri Sep 16 2011 Paul Wouters - 0.3-4
+- Initial package
diff --git a/dnssec-trigger-0.17-allowed-characters.patch b/dnssec-trigger-0.17-allowed-characters.patch
new file mode 100644
index 0000000..e9cb86d
--- /dev/null
+++ b/dnssec-trigger-0.17-allowed-characters.patch
@@ -0,0 +1,30 @@
+From f410871470773c0767f97f86c1bd05074db63081 Mon Sep 17 00:00:00 2001
+From: "W.C.A. Wijngaards"
+Date: Mon, 3 Feb 2020 10:37:26 +0100
+Subject: [PATCH] - Fix for #3: Allow @ character to make scripts work, which
+ may fix resolv.conf lost in some situation bug.
+
+Changelog:
+3 February 2020: Wouter
+ - Fix for #3: Allow @ character to make scripts work, which may
+ fix resolv.conf lost in some situation bug.
+---
+ riggerd/ubhook.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/riggerd/ubhook.c b/riggerd/ubhook.c
+index 382eee3..f1ce73c 100644
+--- a/riggerd/ubhook.c
++++ b/riggerd/ubhook.c
+@@ -80,7 +80,7 @@ allowed_arg(const char* arg)
+ }
+ if( isalnum((unsigned char)*s) || *s == ' ' || *s == ':' ||
+ *s == '.' || *s == '_' || *s == '-' || *s == '+' ||
+- *s == '\t') {
++ *s == '\t' || *s == '@') {
+ continue;
+ } else {
+ log_err("command line string argument '%s' fails check on allowed characters", arg);
+--
+2.41.0
+
diff --git a/dnssec-trigger-0.17-openssl-3.2.patch b/dnssec-trigger-0.17-openssl-3.2.patch
new file mode 100644
index 0000000..d1b9474
--- /dev/null
+++ b/dnssec-trigger-0.17-openssl-3.2.patch
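Review bot: `allowed_arg` is the allow-list for strings that, going by its error message, become command-line arguments, and the added `*s == '@'` widens it with no comment saying which argument needs `@`. A short comment on the condition, e.g. `/* '@' is needed by the hook scripts (upstream issue #3) */`, would stop later characters from being added by analogy. How the checked string is executed is outside the hunk, so the safety of every character in the list depends on code not shown here and should be confirmed there.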
@@ -0,0 +1,34 @@
+From 7c3ff5b59952bc6bf11f988c9dbd961ae3c626ea Mon Sep 17 00:00:00 2001
+From: Petr Mensik
+Date: Tue, 10 Sep 2024 16:22:07 +0200
+Subject: [PATCH] Mark explicitly server cert with CA flag
+
+Since OpenSSL 3.2 it did not connect from control to server cert. Create
+server with indication is it CA.
+
+Also use clientAuth trust for CA cert. That allows control cert to be
+used for client authentication.
+---
+ dnssec-trigger-control-setup.sh.in | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/dnssec-trigger-control-setup.sh.in b/dnssec-trigger-control-setup.sh.in
+index 7cc305a..eede665 100644
+--- a/dnssec-trigger-control-setup.sh.in
++++ b/dnssec-trigger-control-setup.sh.in
+@@ -200,9 +200,9 @@ EOF
+ test -f request.cfg || error "could not create request.cfg"
+
+ echo "create $SVR_BASE.pem (self signed certificate)"
+-openssl req -key $SVR_BASE.key -config request.cfg -new -x509 -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
+-# create trusted usage pem
+-openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem"
++openssl req -key $SVR_BASE.key -config request.cfg -new -x509 -days $DAYS -addext "basicConstraints=critical,CA:TRUE,pathlen:0" -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
++# create trusted usage pem for CA, what are signed certs allowed to do?
++openssl x509 -in "$SVR_BASE.pem" -addtrust clientAuth -out "${SVR_BASE}_trust.pem"
+
+ # create client request and sign it, piped
+ cat >request.cfg <
+Date: Wed, 20 Nov 2024 16:58:48 +0100
+Subject: [PATCH] Add recipe for adding own server
+
+Until someone adds nice support for using just CA bundle and server
+name, allow specification by fingerprint obtained manually. Do not rely
+only on server provided by upstream.
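Review bot: The rewritten `openssl x509 ... -addtrust clientAuth` line in the dnssec-trigger-control-setup.sh.in hunk has no failure check, unlike the `openssl req` line above it, so a failed run could leave `${SVR_BASE}_trust.pem` missing or stale while the script carries on; append `|| error "could not create ${SVR_BASE}_trust.pem"`. The change also replaces the `serverAuth` trust with `clientAuth` rather than adding to it, and the new comment is phrased as a question; a statement such as `# mark the CA cert as trusted for clientAuth so the control cert verifies` would record the intent given in the description. The rest of the script, including how the trust file is used, is not visible here.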
+---
+ dnssec.conf | 4 ++--
+ example.conf.in | 6 +++++-
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/dnssec.conf b/dnssec.conf
+index bf896d3..4726ca1 100644
+--- a/dnssec.conf
++++ b/dnssec.conf
+@@ -38,7 +38,7 @@
+ #
+ # - See also security notes on the `add_wifi_provided_zones` option.
+ #
+-# validate_connection_provided_zones=yes
++# validate_connection_provided_zones=no
+ #
+ # - Connection provided zones will be configured in Unbound as secure forward
+ # zones, validated using DNSSEC.
+@@ -63,7 +63,7 @@
+ # Turning this option off has security implications, See the security
+ # notice above.
+ #
+-validate_connection_provided_zones=yes
++validate_connection_provided_zones=no
+
+ # add_wifi_provided_zones:
+ # ------------------------
+diff --git a/example.conf.in b/example.conf.in
+index dafd35d..f7e8a54 100644
+--- a/example.conf.in
++++ b/example.conf.in
+@@ -79,6 +79,11 @@ tcp80: 2a04:b900::10:0:0:67
+ ssl443: 185.49.140.67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF
+ ssl443: 2a04:b900::10:0:0:67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF
+
++# How to add your own record:
++# openssl s_client -connect example.com:443 -showcerts /tmp/dns.crt
++# openssl x509 -noout -in /tmp/dns.crt -fingerprint -sha256
++# Append returned sha256 Fingerprint after ssl443: IP-address section.
++
+ # Use VPN servers for all traffic
+ # use-vpn-forwarders: no
+
+@@ -87,4 +92,3 @@ ssl443: 2a04:b900::10:0:0:67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:
+
+ # Add domains provided by VPN connections into Unbound forward zones
+ # add-wifi-provided-zones: no
+-
+--
+2.47.0
+
diff --git a/dnssec-trigger-config-default.patch b/dnssec-trigger-config-default.patch
new file mode 100644
index 0000000..a3ca483
--- /dev/null
+++ b/dnssec-trigger-config-default.patch
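Review bot: The dnssec.conf hunks flip `validate_connection_provided_zones` from `yes` to `no`, which neither the subject ("Add recipe for adding own server") nor the description mentions, while the file's own comment states that turning the option off has security implications. If the new default is intended it belongs in its own patch with a rationale; otherwise keep `validate_connection_provided_zones=yes`. The commented example line was also changed to `=no` although the text under it still describes the validated "secure forward zones" case, so that comment block no longer matches its heading. In the example.conf.in recipe, a fingerprint read off a live connection is only as trustworthy as that connection, so the comment could add `# Verify the fingerprint through an independent channel before pinning it.`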
@@ -0,0 +1,53 @@
+From 27bb1f49fe69055e2a5f02e5fe54e71e79d98fdc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
+Date: Tue, 25 Jul 2023 15:39:15 +0200
+Subject: [PATCH] Make fedora default config changes
+
+Customize upstream example configuration for Fedora.
+---
+ example.conf | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/example.conf b/example.conf
+index 6031c0d..6251c98 100644
+--- a/example.conf
++++ b/example.conf
+@@ -1,5 +1,4 @@
+-# config for dnssec-trigger 0.17.
+-# this is a comment. there must be one statement per line.
++# Fedora/EPEL version of dnssec-trigger.conf
+
+ # logging detail, 0=only errors, 1=operations, 2=detail, 3,4 debug detail.
+ # verbosity: 1
+@@ -43,8 +42,8 @@
+ # port number to use for probe daemon.
+ # port: 8955
+
+-# these keys and certificates can be generated with the script
+-# dnssec-trigger-control-setup
++# keys and certificates generated by the dnssec-trigger-keygen systemd service
++# (which called dnssec-trigger-control-setup)
+ # server-key-file: "/etc/dnssec-trigger/dnssec_trigger_server.key"
+ # server-cert-file: "/etc/dnssec-trigger/dnssec_trigger_server.pem"
+ # control-key-file: "/etc/dnssec-trigger/dnssec_trigger_control.key"
+@@ -60,7 +59,7 @@
+
+ # provided by NLnetLabs
+ # It is provided on a best effort basis, with no service guarantee.
+-url: "http://ster.nlnetlabs.nl/hotspot.txt OK"
++# url: "http://ster.nlnetlabs.nl/hotspot.txt OK"
+
+ # provided by FedoraProject
+ url: "http://fedoraproject.org/static/hotspot.txt OK"
+@@ -72,7 +71,7 @@ url: "http://fedoraproject.org/static/hotspot.txt OK"
+ # hash is output of openssl x509 -sha256 -fingerprint -in server.pem
+ # You can add more with extra config lines.
+
+-# provided by NLnetLabs
++# provided by NLnetLabs (www.nlnetlabs.nl)
+ # It is provided on a best effort basis, with no service guarantee.
+ tcp80: 185.49.140.67
+ tcp80: 2a04:b900::10:0:0:67
+--
+2.41.0
+
diff --git a/dnssec-trigger-config-workstation.patch b/dnssec-trigger-config-workstation.patch
new file mode 100644
index 0000000..6458a92
--- /dev/null
+++ b/dnssec-trigger-config-workstation.patch
@@ -0,0 +1,34 @@
+From d4b08251d816038950b522fc1b003c8d4f1bcc6d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
+Date: Tue, 25 Jul 2023 15:42:50 +0200
+Subject: [PATCH] Customize workstation only
+
+---
+ dnssec-trigger-workstation.conf | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/dnssec-trigger-workstation.conf b/dnssec-trigger-workstation.conf
+index 6251c98..bb2b5db 100644
+--- a/dnssec-trigger-workstation.conf
++++ b/dnssec-trigger-workstation.conf
+@@ -32,6 +32,7 @@
+ # the command to run to open login pages on hot spots, a web browser.
+ # empty string runs no command.
+ # login-command: "/usr/bin/xdg-open"
++login-command: ""
+
+ # the url to open to get hot spot login, it gets overridden by the hotspot.
+ # login-location: "http://hotspot-nocache.fedoraproject.org/"
+@@ -62,7 +63,8 @@
+ # url: "http://ster.nlnetlabs.nl/hotspot.txt OK"
+
+ # provided by FedoraProject
+-url: "http://fedoraproject.org/static/hotspot.txt OK"
++# on Workstation, the detection is turned off
++# url: "http://fedoraproject.org/static/hotspot.txt OK"
+
+ # fallback open DNSSEC resolvers that run on TCP port 80 and TCP port 443.
+ # These relay incoming DNS traffic on the other port numbers to the usual DNS
+--
+2.41.0
+
diff --git a/dnssec-trigger-configure-c99.patch b/dnssec-trigger-configure-c99.patch
new file mode 100644
index 0000000..cccecad
--- /dev/null
+++ b/dnssec-trigger-configure-c99.patch
@@ -0,0 +1,30 @@
+Do not rely on an implicit function declaration for detecting
+the daemon function. Future compilers may not accept such
+declarations by default, causing the detection result to change.
+
+Submitted upstream:
+
+diff --git a/configure b/configure
+index 079ea641e2940515..22c9487fb0d311f8 100755
+--- a/configure
++++ b/configure
+@@ -6757,6 +6757,7 @@ else
+
+ echo '
+ #include
++#include
+ ' >conftest.c
+ echo 'void f(){ (void)daemon(0, 0); }' >>conftest.c
+ if test -z "`$CC -c conftest.c 2>&1 | grep deprecated`"; then
+diff --git a/configure.ac b/configure.ac
+index c809367d307f108e..e8095fe7288ba68a 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -225,6 +225,7 @@ AC_CHECK_FUNCS([daemon])
+ if test $ac_cv_func_daemon = yes; then
+ ACX_FUNC_DEPRECATED([daemon], [(void)daemon(0, 0);], [
+ #include
++#include
+ ])
+ fi
+
diff --git a/dnssec-trigger-default.conf b/dnssec-trigger-default.conf
deleted file mode 100644
index cc18335..0000000
--- a/dnssec-trigger-default.conf
+++ /dev/null
@@ -1,99 +0,0 @@ -# Fedora/EPEL version of dnssec-trigger.conf - -# logging detail, 0=only errors, 1=operations, 2=detail, 3,4 debug detail. -# verbosity: 1 - -# pidfile location -pidfile: "/var/run/dnssec-triggerd.pid" - -# log to a file instead of syslog, default is to syslog -# logfile: "/var/log/dnssec-trigger.log" - -# log to syslog, or (log to to stderr or a logfile if specified). yes or no. -# use-syslog: yes - -# chroot to this directory -# chroot: "" - -# the unbound-control binary if not found in PATH. -# commandline options can be appended "unbound-control -c my.conf" if you wish. -# unbound-control: "/usr/sbin/unbound-control" - -# where is resolv.conf to edit. -# resolvconf: "/etc/resolv.conf" - -# the domain example.com line (if any) to add to resolv.conf(5). default none. -# domain: "" - -# domain name search path to add to resolv.conf(5). default none. -# the search path from DHCP is not picked up, it could be used to misdirect. -# search: "" - -# the command to run to open login pages on hot spots, a web browser. -# empty string runs no command. -# login-command: "xdg-open" - -# the url to open to get hot spot login, it gets overridden by the hotspot. -# login-location: "http://www.nlnetlabs.nl/projects/dnssec-trigger" -# should to be a ttl=0 entry -login-location: "http://hotspot-nocache.fedoraproject.org/" - -# do not perform actions (unbound-control or resolv.conf), for a dry-run. -# noaction: no - -# port number to use for probe daemon. -# port: 8955 - -# keys and certificates generated by the dnssec-trigger-keygen systemd service -# (which called dnssec-trigger-control-setup) -server-key-file: "/etc/dnssec-trigger/dnssec_trigger_server.key" -server-cert-file: "/etc/dnssec-trigger/dnssec_trigger_server.pem" -control-key-file: "/etc/dnssec-trigger/dnssec_trigger_control.key" -control-cert-file: "/etc/dnssec-trigger/dnssec_trigger_control.pem" - -# check for updates, download and ask to install them (for Windows, OSX). 
-# check-updates: no - -# webservers that are probed to see if internet access is possible. -# They serve a simple static page over HTTP port 80. It probes a random url: -# after a space is the content expected on the page, (the page can contain -# whitespace before and after this code). Without urls it skips http probes. - -# provided by NLnetLabs -# It is provided on a best effort basis, with no service guarantee. -# url: "http://ster.nlnetlabs.nl/hotspot.txt OK" - -# provided by FedoraProject -url: "http://fedoraproject.org/static/hotspot.txt OK" - -# fallback open DNSSEC resolvers that run on TCP port 80 and TCP port 443. -# the ssl443 adds an ssl server IP, if you specify a hash it is checked, put -# the following on one line: ssl443: -# hash is output of openssl x509 -sha256 -fingerprint -in server.pem -# You can add more with extra config lines. - -# Provided by fedoraproject.org, #fedora-admin -# It is provided on a best effort basis, with no service guarantee. -ssl443: 140.211.169.201 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2 -tcp80: 140.211.169.201 -ssl443: 66.35.62.163 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2 -tcp80: 66.35.62.163 -ssl443: 152.19.134.150 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2 -tcp80: 152.19.134.150 -ssl443: 2610:28:3090:3001:dead:beef:cafe:fed9 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2 -tcp80: 2610:28:3090:3001:dead:beef:cafe:fed9 - -# provided by Paul Wouters (pwouters@redhat.com) -# It is provided on a best effort basis, with no service guarantee. 
-# tcp80: 193.110.157.123 -# tcp80: 2001:888:2003:1004::123 -# ssl443: 193.110.157.123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7 -# ssl443: 2001:888:2003:1004::123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7 - -# provided by NLnetLabs (www.nlnetlabs.nl) -# It is provided on a best effort basis, with no service guarantee. -# tcp80: 213.154.224.3 -# tcp80: 2001:7b8:206:1:bb:: -# ssl443: 213.154.224.3 DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F -# ssl443: 2001:7b8:206:1:bb:: DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F - diff --git a/dnssec-trigger-workstation.conf b/dnssec-trigger-workstation.conf deleted file mode 100644 index 78b0cc6..0000000 --- a/dnssec-trigger-workstation.conf +++ /dev/null 
@@ -1,101 +0,0 @@ -# Fedora/EPEL version of dnssec-trigger.conf - -# logging detail, 0=only errors, 1=operations, 2=detail, 3,4 debug detail. -# verbosity: 1 - -# pidfile location -pidfile: "/var/run/dnssec-triggerd.pid" - -# log to a file instead of syslog, default is to syslog -# logfile: "/var/log/dnssec-trigger.log" - -# log to syslog, or (log to to stderr or a logfile if specified). yes or no. -# use-syslog: yes - -# chroot to this directory -# chroot: "" - -# the unbound-control binary if not found in PATH. -# commandline options can be appended "unbound-control -c my.conf" if you wish. -# unbound-control: "/usr/sbin/unbound-control" - -# where is resolv.conf to edit. -# resolvconf: "/etc/resolv.conf" - -# the domain example.com line (if any) to add to resolv.conf(5). default none. -# domain: "" - -# domain name search path to add to resolv.conf(5). default none. -# the search path from DHCP is not picked up, it could be used to misdirect. -# search: "" - -# the command to run to open login pages on hot spots, a web browser. -# empty string runs no command. -# login-command: "xdg-open" -login-command: "" - -# the url to open to get hot spot login, it gets overridden by the hotspot. -# login-location: "http://www.nlnetlabs.nl/projects/dnssec-trigger" -# should to be a ttl=0 entry -# login-location: "http://hotspot-nocache.fedoraproject.org/" - -# do not perform actions (unbound-control or resolv.conf), for a dry-run. -# noaction: no - -# port number to use for probe daemon. -# port: 8955 - -# keys and certificates generated by the dnssec-trigger-keygen systemd service -# (which called dnssec-trigger-control-setup) -server-key-file: "/etc/dnssec-trigger/dnssec_trigger_server.key" -server-cert-file: "/etc/dnssec-trigger/dnssec_trigger_server.pem" -control-key-file: "/etc/dnssec-trigger/dnssec_trigger_control.key" -control-cert-file: "/etc/dnssec-trigger/dnssec_trigger_control.pem" - -# check for updates, download and ask to install them (for Windows, OSX). 
-# check-updates: no - -# webservers that are probed to see if internet access is possible. -# They serve a simple static page over HTTP port 80. It probes a random url: -# after a space is the content expected on the page, (the page can contain -# whitespace before and after this code). Without urls it skips http probes. - -# provided by NLnetLabs -# It is provided on a best effort basis, with no service guarantee. -# url: "http://ster.nlnetlabs.nl/hotspot.txt OK" - -# provided by FedoraProject -# on Workstation, the detection is turned off -# url: "http://fedoraproject.org/static/hotspot.txt OK" - -# fallback open DNSSEC resolvers that run on TCP port 80 and TCP port 443. -# the ssl443 adds an ssl server IP, if you specify a hash it is checked, put -# the following on one line: ssl443: -# hash is output of openssl x509 -sha256 -fingerprint -in server.pem -# You can add more with extra config lines. - -# Provided by fedoraproject.org, #fedora-admin -# It is provided on a best effort basis, with no service guarantee. -ssl443: 140.211.169.201 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2 -tcp80: 140.211.169.201 -ssl443: 66.35.62.163 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2 -tcp80: 66.35.62.163 -ssl443: 152.19.134.150 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2 -tcp80: 152.19.134.150 -ssl443: 2610:28:3090:3001:dead:beef:cafe:fed9 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2 -tcp80: 2610:28:3090:3001:dead:beef:cafe:fed9 - -# provided by Paul Wouters (pwouters@redhat.com) -# It is provided on a best effort basis, with no service guarantee. 
-# tcp80: 193.110.157.123 -# tcp80: 2001:888:2003:1004::123 -# ssl443: 193.110.157.123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7 -# ssl443: 2001:888:2003:1004::123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7 - -# provided by NLnetLabs (www.nlnetlabs.nl) -# It is provided on a best effort basis, with no service guarantee. -# tcp80: 213.154.224.3 -# tcp80: 2001:7b8:206:1:bb:: -# ssl443: 213.154.224.3 DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F -# ssl443: 2001:7b8:206:1:bb:: DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F - diff --git a/dnssec-trigger.spec b/dnssec-trigger.spec index bf759e7..9928104 100644 --- a/dnssec-trigger.spec +++ b/dnssec-trigger.spec 
@@ -1,42 +1,56 @@ %global _hardened_build 1 -#%%global svn_snapshot 20150714 +#%%global snapshot 20150714 Summary: Tool for dynamic reconfiguration of validating resolver Unbound Name: dnssec-trigger -Version: 0.15 -Release: 7%{?svn_snapshot:.%{svn_snapshot}svn}%{?dist} -License: BSD -Url: http://www.nlnetlabs.nl/downloads/dnssec-trigger/ +Version: 0.17 +Release: %autorelease +License: BSD-3-clause AND MIT AND ISC +Url: https://www.nlnetlabs.nl/projects/dnssec-trigger/ -%if 0%{?svn_snapshot:1} +%if 0%{?snapshot:1} # generated using './makedist.sh -s' in the cloned upstream trunk -Source0: %{name}-%{version}_%{svn_snapshot}.tar.gz +Source0: %{name}-%{version}_%{snapshot}.tar.gz %else -Source0: http://www.nlnetlabs.nl/downloads/dnssec-trigger/%{name}-%{version}.tar.gz +Source0: https://www.nlnetlabs.nl/downloads/dnssec-trigger/%{name}-%{version}.tar.gz +Source1: https://www.nlnetlabs.nl/downloads/dnssec-trigger/%{name}-%{version}.tar.gz.asc +Source2: https://keys.openpgp.org/vks/v1/by-fingerprint/EDFAA3F2CA4E6EB05681AF8E9F6F1C2D7E045F8D#/wouter.asc %endif -Source1: dnssec-trigger.tmpfiles.d -Source2: dnssec-trigger-default.conf -Source3: dnssec-trigger-workstation.conf +Source3: dnssec-trigger.tmpfiles.d +#Source4: dnssec-trigger-default.conf +#Source5: dnssec-trigger-workstation.conf +Source6: ssh_config.conf # Patches -Patch1: 0001-dnssec-trigger-script-port-to-libnm.patch -Patch2: 0002-Fix-that-NXDOMAIN-for-_probe.uk.uk-is-deemed-allrigh.patch +# Downstream changes to configuration +Patch1: dnssec-trigger-config-workstation.patch +# Downstream changes to configuration +Patch2: dnssec-trigger-config-default.patch +Patch3: 0003-Move-the-NetworkManager-dispatcher-script-out-of-etc.patch +# https://github.com/NLnetLabs/dnssec-trigger/pull/7 +Patch4: 0004-Add-options-edns0-and-trust-ad.patch +Patch5: dnssec-trigger-configure-c99.patch +# https://github.com/NLnetLabs/dnssec-trigger/commit/f187c2be221a26f3c4ef4d9b16f1df67104ae634 +Patch6: 
dnssec-trigger-0.17-allowed-characters.patch +Patch7: dnssec-trigger-0.17-openssl-3.2.patch +# https://github.com/NLnetLabs/dnssec-trigger/pull/15 +Patch8: dnssec-trigger-0.17-server-recipe.patch # to obsolete the version in which the panel was in main package Obsoletes: %{name} < 0.12-22 Suggests: %{name}-panel # Require a version of NetworkManager that doesn't forget to issue dhcp-change # https://bugzilla.redhat.com/show_bug.cgi?id=1112248 -%if 0%{?rhel} >= 7 +%if 0%{?rhel} >= 9 || 0%{?fedora} >= 31 +Requires: NetworkManager >= 1.20 +%elif 0%{?rhel} >= 7 Requires: NetworkManager >= 0.9.9.1-13 -%else -%if 0%{?fedora} >= 21 +%elif 0%{?fedora} >= 21 Requires: NetworkManager >= 0.9.9.95-1 %else Requires: NetworkManager >= 0.9.9.0-40 %endif -%endif Requires: ldns >= 1.6.10, NetworkManager-libnm, unbound # needed by /usr/sbin/dnssec-trigger-control-setup # otherwise it ends with error: /usr/sbin/dnssec-trigger-control-setup: line 180: openssl: command not found @@ -45,11 +59,12 @@ Requires: openssl Requires: e2fsprogs BuildRequires: openssl-devel, ldns-devel, python3-devel, gcc BuildRequires: NetworkManager-libnm-devel +%if 0%{?fedora} && ! 0%{?snapshot:1} +BuildRequires: gnupg2 +%endif -BuildRequires: systemd -Requires(post): systemd -Requires(preun): systemd -Requires(postun): systemd +BuildRequires: systemd-rpm-macros +%{?systemd_ordering} # Provides Workstation specific configuration # - No captive portal detection and no action available on Captive portal (No UI) @@ -69,6 +84,7 @@ Requires: %{name} = %{version}-%{release} Obsoletes: %{name} < 0.12-22 Requires: xdg-utils BuildRequires: gtk2-devel, desktop-file-utils +BuildRequires: make %description panel This package provides the GTK panel for interaction between the user 
@@ -78,10 +94,11 @@ some user input is needed, the panel creates a dialog window. %prep -%setup -q %{?svn_snapshot:-n %{name}-%{version}_%{svn_snapshot}} - -%patch1 -p1 -b .libnm_port -%patch2 -p1 -b .nxdomain +%if 0%{?fedora} && ! 0%{?snapshot:1} +%gpgverify -d 0 -s 1 -k 2 +%endif +%autosetup %{?snapshot:-n %{name}-%{version}_%{snapshot}} -N +%autopatch -m 3 -p1 # don't use DNSSEC for forward zones for now sed -i "s/validate_connection_provided_zones=yes/validate_connection_provided_zones=no/" dnssec.conf 
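Review bot: The `%gpgverify -d 0 -s 1 -k 2` step in `%prep` is wrapped in `%if 0%{?fedora} && ! 0%{?snapshot:1}`, so any build where `%{fedora}` is unset unpacks the tarball without checking the upstream signature, even though the spec carries `rhel` conditionals elsewhere. The same condition guards `BuildRequires: gnupg2` in the earlier hunk. If the macro is available on the other targets (not visible here), both guards could be reduced to `%if ! 0%{?snapshot:1}`; otherwise a comment above the guard should state that integrity on those targets rests only on the SHA512 entries in `sources`.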
@@ -91,27 +108,37 @@ sed -i "s/validate_connection_provided_zones=yes/validate_connection_provided_zo %configure \ --with-keydir=%{_sysconfdir}/dnssec-trigger \ --with-hooks=networkmanager \ +%if 0%{?rhel} < 9 && 0%{?fedora} < 31 + --with-networkmanager-dispatch=%{_sysconfdir}/NetworkManager/dispatcher.d \ +%endif --with-python=%{__python3} \ - --with-pidfile=%{_localstatedir}/run/%{name}d.pid + --with-pidfile=%{_rundir}/%{name}d.pid \ + --with-login-command=%{_bindir}/xdg-open \ + --with-login-location="http://hotspot-nocache.fedoraproject.org/" -%{__make} %{?_smp_mflags} +# hotspot-nocache should have TTL=0 + +%make_build + +%autopatch -p1 2 +cp -p example.conf dnssec-trigger-workstation.conf +%autopatch -p1 1 %install -rm -rf %{buildroot} -%{__make} DESTDIR=%{buildroot} install +# https://github.com/NLnetLabs/dnssec-trigger/pull/13 +install -d -m 0755 %{buildroot}%{_libexecdir} +%make_install install -d 0755 %{buildroot}%{_unitdir} -install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/%{name}/ -install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/%{name}/ - -mkdir -p %{buildroot}%{_libexecdir} +install -p -m 0644 example.conf %{buildroot}%{_sysconfdir}/%{name}/dnssec-trigger-default.conf +install -p -m 0644 dnssec-trigger-workstation.conf %{buildroot}%{_sysconfdir}/%{name}/ desktop-file-install --dir=%{buildroot}%{_datadir}/applications dnssec-trigger-panel.desktop # install the configuration for /var/run/dnssec-trigger into tmpfiles.d dir mkdir -p %{buildroot}%{_tmpfilesdir} -install -m 644 %{SOURCE1} ${RPM_BUILD_ROOT}%{_tmpfilesdir}/%{name}.conf +install -m 644 %{SOURCE3} ${RPM_BUILD_ROOT}%{_tmpfilesdir}/%{name}.conf # we must create the /var/run/dnssec-trigger directory mkdir -p %{buildroot}%{_localstatedir}/run install -d -m 0755 %{buildroot}%{_localstatedir}/run/%{name} 
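Review bot: `--with-pidfile=%{_rundir}/%{name}d.pid` moves the pid file to `/run`, and the tmpfiles.d entry becomes `/run/dnssec-trigger` later in this commit, but the unchanged tail of `%install` in this hunk still creates `%{buildroot}%{_localstatedir}/run/%{name}` and `%files` still lists `%dir %{_localstatedir}/run/%{name}`. One spelling throughout would stop the package depending on the `/var/run` symlink: `install -d -m 0755 %{buildroot}%{_rundir}/%{name}` and `%dir %{_rundir}/%{name}`. The context line `install -d 0755 %{buildroot}%{_unitdir}` also lacks `-m`, so `0755` is taken as a directory name rather than a mode.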
@@ -122,10 +149,12 @@ ln -s dnssec-trigger-panel %{buildroot}%{_bindir}/dnssec-trigger # Make dnssec-trigger.8 manpage available under names of all dnssec-trigger-* # executables for all in dnssec-trigger-control dnssec-trigger-control-setup dnssec-triggerd; do - ln -s %{_mandir}/man8/dnssec-trigger.8 %{buildroot}/%{_mandir}/man8/"$all".8 + ln -s dnssec-trigger.8 %{buildroot}/%{_mandir}/man8/"$all".8 done -ln -s %{_mandir}/man8/dnssec-trigger.8 %{buildroot}/%{_mandir}/man8/dnssec-trigger.conf.8 +ln -s dnssec-trigger.8 %{buildroot}/%{_mandir}/man8/dnssec-trigger.conf.8 +install -d -m 0755 %{buildroot}%{_sysconfdir}/ssh/ssh_config.d +install -m 0644 %{SOURCE6} %{buildroot}%{_sysconfdir}/ssh/ssh_config.d/10-%{name}.conf %post %systemd_post %{name}d.service @@ -163,12 +192,18 @@ fi %{_libexecdir}/dnssec-trigger-script %{_unitdir}/%{name}d.service %{_unitdir}/%{name}d-keygen.service +%if 0%{?rhel} >= 9 || 0%{?fedora} >= 31 +%attr(0755,root,root) %{_prefix}/lib/NetworkManager/dispatcher.d/01-dnssec-trigger +%else %attr(0755,root,root) %{_sysconfdir}/NetworkManager/dispatcher.d/01-dnssec-trigger +%endif %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/dnssec.conf %attr(0755,root,root) %dir %{_sysconfdir}/%{name} %attr(0644,root,root) %ghost %config(noreplace) %{_sysconfdir}/%{name}/dnssec-trigger.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-trigger-default.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-trigger-workstation.conf +%attr(0755,root,root) %dir %{_sysconfdir}/ssh/ssh_config.d +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/10-%{name}.conf %dir %{_localstatedir}/run/%{name} %{_tmpfilesdir}/%{name}.conf %{_mandir}/man8/dnssec-trigger* 
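Review bot: Installing `%{SOURCE6}` as `%{_sysconfdir}/ssh/ssh_config.d/10-%{name}.conf` turns on `VerifyHostKeyDNS yes` for every ssh client on the host as soon as the package is installed, whether or not dnssec-triggerd is enabled. With `yes`, ssh accepts a host key matching an SSHFP record that the resolver reports as secure without asking the user, so the setting is only as trustworthy as the path to the validating resolver. The two-line `ssh_config.conf` added later in this commit should say so, for example `# Trusts SSHFP only when answers are DNSSEC-validated; assumes the local validating resolver is in use`, and `VerifyHostKeyDNS ask` would be the more conservative default. The `%files` hunk on the same line also claims `%dir %{_sysconfdir}/ssh/ssh_config.d` with no visible dependency on the package that presumably owns that directory.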
@@ -182,257 +217,4 @@ fi %changelog -* Thu Jul 12 2018 Fedora Release Engineering - 0.15-7 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - -* Tue Jun 19 2018 Miro Hrončok - 0.15-6 -- Rebuilt for Python 3.7 - -* Wed Mar 14 2018 Petr Menšík - 0.15-5 -- Accept NXDOMAIN for NSEC probe (#1555355) - -* Mon Feb 19 2018 Tomas Hozza - 0.15-4 -- Added explicit BuildRequires on gcc as required by packaging guidelines -- Added explicit Requires on e2fsprogs, so that /usr/bin/chattr is available -- Remove redundant removal of immutable bit in %%preun scriptlet (#1542400) - -* Mon Feb 19 2018 Tomas Hozza - 0.15-3 -- use NetworkManager-libnm instead of NetworkManager-glib - -* Wed Feb 07 2018 Fedora Release Engineering - 0.15-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - -* Mon Dec 11 2017 Tomas Hozza - 0.15-1 -- Update to stable 0.15 upstream release - -* Fri Aug 18 2017 Petr Menšík - 0.13-6 -- Skip always failing kr.com, update root IPs (#1482939) - -* Wed Aug 02 2017 Fedora Release Engineering - 0.13-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - -* Wed Jul 26 2017 Fedora Release Engineering - 0.13-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild - -* Wed Mar 08 2017 Tomas Hozza - 0.13-3 -- Rebuild against new ldns - -* Wed Mar 01 2017 Tomas Hozza - 0.13-2 -- Include fix for runtime issues with OpenSSL 1.1.0 (#1427561) - -* Fri Feb 17 2017 Tomas Hozza - 0.13-1 -- Update to stable 0.13 upstream release -- Dropped merged patches - -* Fri Feb 10 2017 Fedora Release Engineering - 0.13-0.6.20150714svn -- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - -* Mon Dec 19 2016 Miro Hrončok - 0.13-0.5.20150714svn -- Rebuild for Python 3.6 - -* Wed Feb 03 2016 Fedora Release Engineering - 0.13-0.4.20150714svn -- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - -* Tue Nov 10 2015 Fedora Release Engineering -- Rebuilt for 
https://fedoraproject.org/wiki/Changes/python3.5 - -* Mon Jul 20 2015 Tomas Hozza - 0.13-0.2.20150714svn -- Provide Workstation specific configuration - -* Wed Jul 15 2015 Tomas Hozza - 0.13-0.1.20150714svn -- split dnssec-trigger panel into separate subpackage (#1236363) -- SPEC file cleanup based on rpmlint and fedora-review issues -- implement some suggestions (#1236363) -- rebase to the latest svn trunk snapshot 0.13_20150714 -- Script is not searching local user directories any more (#1213062) -- Script now doesn't restart NM if version is >= 1.0.3, but sends just signal -- Script now specifies the NMClient version for GI (#1242430) -- Script now sets negative-cache-ttl in unbound to 5 seconds (#1229596) - -* Wed Jun 17 2015 Fedora Release Engineering - 0.12-21 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild - -* Wed Apr 08 2015 Tomas Hozza - 0.12-20 -- Fix issue when installing private address range zone without global forwarders (#1205864) -- Fix configuration of private address range zones (#1128310#c20) - -* Fri Mar 13 2015 Tomas Hozza - 0.12-19 -- Fix typo in the dnssec-trigger-script (#1187371) -- Use Python3 by default - -* Mon Jan 26 2015 Pavel Šimerda - 0.12-18 -- Resolves: #1185796, #1130502, #1105685, #1128310 – update - -* Tue Jan 20 2015 Pavel Šimerda - 0.12-17 -- Resolves: #1183975 - systemd cgroup check fails - -* Tue Jan 20 2015 Pavel Šimerda - 0.12-16 -- Resolves: #1165126, #1125267, #1089766, #1112248, #824219 - update - -* Sat Aug 16 2014 Fedora Release Engineering - 0.12-15 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild - -* Thu Aug 14 2014 Pavel Šimerda - 0.12-14 -- Resolves: #1125261 - dnssec-trigger-script: use fcntl.flock instead of - lockfile - -* Mon Aug 11 2014 Tomas Hozza - 0.12-13 -- One Fedora fallback server changed IP address (#1125440) - -* Mon Jun 30 2014 Pavel Šimerda - 0.12-12 -- Resolves: #1112248 - require a version of NetworkManager with #1113122 fixed - -* Tue Jun 24 2014 
Pavel Šimerda - 0.12-11 -- Resolves: #1112248 - serialize the script instances - -* Tue Jun 24 2014 Pavel Šimerda - 0.12-10 -- Resolves: #1112248 - fix a typo - -* Tue Jun 24 2014 Pavel Šimerda - 0.12-9 -- Resolves: #1112248 - fix systemd race condition - -* Mon Jun 23 2014 Pavel Šimerda - 0.12-8 -- Resolves: #1112248 - don't block on systemctl restart NetworkManager - -* Mon Jun 23 2014 Pavel Šimerda - 0.12-7 -- Resolves: #1112248, #1111143 - update dnssec-trigger-script and dnssec-triggerd.service - -* Fri Jun 20 2014 Pavel Šimerda - 0.12-6 -- Resolves: #1111143 - fix for python2 - -* Fri Jun 20 2014 Pavel Šimerda - 0.12-5 -- Related: #842455 - remove a patch that is now redundant - -* Fri Jun 20 2014 Pavel Šimerda - 0.12-4 -- update dnssec-trigger-script to current development submitted upstream - -* Wed Jun 18 2014 Pavel Šimerda - 0.12-3 -- Resolves: #1105896 - the new script doesn't call dnssec-trigger-control submit - -* Fri Jun 06 2014 Pavel Šimerda - 0.12-2 -- fix various dnssec-trigger-script issues - -* Fri May 23 2014 Tomas Hozza - 0.12-1 -- Update to 0.12 version -- Drop merged patches -- Drop downstream files (systemd, dispatcher scripts) - -* Tue May 13 2014 Paul Wouters - 0.11-21 -- Enable full hardening (includig PIE) -- Resolves: rhbz#1045689 dnssec-trigger creates long-time RSA key with inappropriate size - -* Wed Feb 19 2014 Tomas Hozza - 0.11-20 -- Restart NM on dnssec-trigger shutdown (let NM handle the resolv.conf content) -- HN-hook: Handle situation when connection does not have a device - -* Wed Jan 29 2014 Tomas Hozza - 0.11-19 -- Use new Python dispatcher script and ship /etc/dnssec.conf - -* Tue Jan 28 2014 Tomas Hozza - 0.11-18 -- Use systemd macros instead of directly calling systemctl -- simplify the systemd unit file for generating keys - -* Thu Nov 21 2013 Tomas Hozza - 0.11-17 -- Add script to backup and restore resolv.conf on dnssec-trigger start/stop - -* Mon Nov 18 2013 Tomas Hozza - 0.11-16 -- Improve GUI dialogs texts - -* Tue 
Nov 12 2013 Tomas Hozza - 0.11-15 -- Fix NM dispatcher script to work with NM >= 0.9.9.0 (#1029571) - -* Mon Aug 26 2013 Tomas Hozza - 0.11-14 -- Fix errors found by static analysis of source - -* Fri Aug 09 2013 Tomas Hozza - 0.11-13 -- Use improved NM dispatcher script from upstream -- Added tmpfiles.d config due to improved NM dispatcher script - -* Sat Aug 03 2013 Fedora Release Engineering - 0.11-12 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild - -* Mon Mar 04 2013 Adam Tkac - 0.11-11 -- link dnssec-trigger.conf.8 to dnssec-trigger.8 -- build dnssec-triggerd with full RELRO - -* Mon Mar 04 2013 Adam Tkac - 0.11-10 -- remove deprecated "Application" keyword from desktop file - -* Mon Mar 04 2013 Adam Tkac - 0.11-9 -- install various dnssec-trigger-* symlinks to dnssec-trigger.8 manpage - -* Wed Feb 13 2013 Fedora Release Engineering - 0.11-8 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild - -* Tue Jan 08 2013 Paul Wouters - 0.11-7 -- Use full path for systemd (rhbz#842455) - -* Tue Jul 24 2012 Paul Wouters - 0.11-6 -- Patched daemon to remove immutable attr (rhbz#842455) as the - systemd ExecStopPost= target does not seem to work - -* Tue Jul 24 2012 Paul Wouters - 0.11-5 -- On service stop, remove immutable attr from resolv.conf (rhbz#842455) - -* Wed Jul 18 2012 Fedora Release Engineering - 0.11-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild - -* Thu Jun 28 2012 Paul Wouters - 0.11-3 -- Fix DHCP hook for f17+ version of nmcli (rhbz#835298) - -* Sun Jun 17 2012 Paul Wouters - 0.11-2 -- Small textual changes to some popup windows - -* Fri Jun 15 2012 Paul Wouters - 0.11-1 -- Updated to 0.11 -- http Hotspot detection via fedoraproject.org/static/hotspot.html -- http Hotspot Login page via uses hotspot-nocache.fedoraproject.org - -* Thu Feb 23 2012 Paul Wouters - 0.10-4 -- Require: unbound - -* Wed Feb 22 2012 Paul Wouters - 0.10-3 -- Fix the systemd startup to require unbound -- dnssec-triggerd 
no longer forks, giving systemd more control -- Fire NM dispatcher in ExecStartPost of dnssec-triggerd.service -- Fix tcp80 entries in dnssec-triggerd.conf -- symlink dnssec-trigger-panel to dnssec-trigger to supress the - "-panel" in the applet name shown in gnome3 - - -* Wed Feb 22 2012 Paul Wouters - 0.10-2 -- The NM hook was not modified at the right time during build - -* Wed Feb 22 2012 Paul Wouters - 0.10-1 -- Updated to 0.10 -- The NM hook lacks /usr/sbin in path, resulting in empty resolv.conf on hotspot - -* Wed Feb 08 2012 Paul Wouters - 0.9-4 -- Updated tls443 / tls80 resolver instances supplied by Fedora Hosted - -* Mon Feb 06 2012 Paul Wouters - 0.9-3 -- Convert from SysV to systemd for initial Fedora release -- Moved configs and pem files to /etc/dnssec-trigger/ -- No more /var/run/dnssec-triggerd/ -- Fix Build-requires -- Added commented tls443 port80 entries of pwouters resolvers -- On uninstall ensure there is no immutable bit on /etc/resolv.conf - -* Sat Jan 07 2012 Paul Wouters - 0.9-2 -- Added LICENCE to doc section - -* Mon Dec 19 2011 Paul Wouters - 0.9-1 -- Upgraded to 0.9 - -* Fri Oct 28 2011 Paul Wouters - 0.7-1 -- Upgraded to 0.7 - -* Fri Sep 23 2011 Paul Wouters - 0.4-1 -- Upgraded to 0.4 - -* Sat Sep 17 2011 Paul Wouters - 0.3-5 -- Start 01-dnssec-trigger-hook in daemon start -- Ensure dnssec-triggerd starts after NetworkManager - -* Fri Sep 16 2011 Paul Wouters - 0.3-4 -- Initial package +%autochangelog diff --git a/dnssec-trigger.tmpfiles.d b/dnssec-trigger.tmpfiles.d index 000d918..9dd701f 100644 --- a/dnssec-trigger.tmpfiles.d +++ b/dnssec-trigger.tmpfiles.d @@ -1 +1 @@ -d /var/run/dnssec-trigger 0755 root root - +d /run/dnssec-trigger 0755 root root - diff --git a/plans/public.fmf b/plans/public.fmf new file mode 100644 index 0000000..e92437c --- /dev/null +++ b/plans/public.fmf @@ -0,0 +1,6 @@ +summary: Run all beakerlib tests for dnssec-trigger +discover: + - name: fedora_tests_dnssec-trigger + how: fmf +execute: + how: tmt 
diff --git a/sources b/sources
index c7b5358..0986b4d 100644
--- a/sources
+++ b/sources
@@ -1 +1,2 @@
-SHA512 (dnssec-trigger-0.15.tar.gz) = 5ce7d7fe9049f14afbb2075a764ae8f44e773801e6ebd7f4eb2bd4cfc07a338db7aa5b666ccad40da1f1528160bab9706cf8015b800f2e23c4b6e3639793a846
+SHA512 (dnssec-trigger-0.17.tar.gz) = a3f740f9ba49eee820414211d7390d86c991d964af2562b8590b95afb681dcb82a76f232b836ad663ae6181185366fcd63d75dc81789e3331535e3c26bc18e4e
+SHA512 (dnssec-trigger-0.17.tar.gz.asc) = 23efe403ae5638fdce198d38b4b8e3d5ebe8c5630051042a8840adba462fa7a461d892e1f6b049f1da76b920953af8f80c1ab99e6f9d612e8fdb98537ca492c1
diff --git a/ssh_config.conf b/ssh_config.conf
new file mode 100644
index 0000000..df077d5
--- /dev/null
+++ b/ssh_config.conf
@@ -0,0 +1,2 @@
+# Enable SSHFP verification
+VerifyHostKeyDNS yes
diff --git a/tests/.gitignore b/tests/.gitignore
new file mode 100644
index 0000000..f53babb
--- /dev/null
+++ b/tests/.gitignore
@@ -0,0 +1,2 @@
+.testinfo.tmt
+.*.swp
diff --git a/tests/Sanity/basic-functionality/main.fmf b/tests/Sanity/basic-functionality/main.fmf
new file mode 100644
index 0000000..0bb8c12
--- /dev/null
+++ b/tests/Sanity/basic-functionality/main.fmf
@@ -0,0 +1,9 @@
+summary: Try starting dnssec-triggerd and use fallbacks
+description: |
+ Use configured fallbacks manually by test_tcp and test_http commands.
+ Also check resolutions is actually working.
+test: ./test.sh
+framework: beakerlib
+require:
+ - dnssec-trigger
+ - unbound
diff --git a/tests/Sanity/basic-functionality/test.sh b/tests/Sanity/basic-functionality/test.sh
new file mode 100755
index 0000000..f014084
--- /dev/null
+++ b/tests/Sanity/basic-functionality/test.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+MOVED_RESOLV_CONF=""
+
+wait_for_probe() {
+ while dnssec-trigger-control status | grep -q '^probe is in progress'; do
+ sleep 1
+ done
+}
+
+test_fallback() {
+ local TYPE=$1
+ local HOST=$2
+
+ rlRun "dnssec-trigger-control test_${TYPE}"
+ wait_for_probe
+ sleep 1
+ rlRun "dnssec-trigger-control status"
+ rlRun -s "unbound-host -rvD ${HOST}" 0 "Check dnssec works over ${TYPE} fallback"
+ rlAssertGrep '(secure)' $rlRun_LOG
+}
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlRun "tmp=\$(mktemp -d)" 0 "Create tmp directory"
+ rlAssertRpm dnssec-trigger
+ rlFileBackup --missing-ok /etc/resolv.conf
+ if test -L /etc/resolv.conf; then
+ MOVED_RESOLV_CONF="/etc/resolv-backup-$$.conf"
+ rlRun "mv /etc/resolv.conf ${MOVED_RESOLV_CONF}"
+ fi
+ rlRun "pushd $tmp"
+ rlServiceStart dnssec-triggerd
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ rlRun "dnssec-trigger-control status"
+ rlRun -s "unbound-host -rvD example.org" 0 "Check dnssec actually works"
+ rlAssertGrep '(secure)' $rlRun_LOG
+
+ test_fallback tcp www.example.org
+ # This variant is not passing
+ #test_fallback http example.net
+ test_fallback ssl www.example.net
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlServiceRestore dnssec-triggerd
+ rlRun "popd"
+ if [ -n "$MOVED_RESOLV_CONF" ]; then
+ rm -f /etc/resolv.conf
+ rlRun "mv -f ${MOVED_RESOLV_CONF} /etc/resolv.conf"
+ fi
+ rlFileRestore
+ rlRun "rm -r $tmp" 0 "Remove tmp directory"
+ rlPhaseEnd
+rlJournalEnd
diff --git a/wouter.asc b/wouter.asc
new file mode 100644
index 0000000..603e620
--- /dev/null
+++ b/wouter.asc
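Review bot: `wait_for_probe` polls `dnssec-trigger-control status` with no upper bound, so a probe that never leaves the "probe is in progress" state hangs the whole test run instead of failing it. A counter would bound the wait: `local tries=60` before the loop and `[ $((tries--)) -gt 0 ] || return 1` as the first statement inside it (60 is a constructed value, to be tuned to the real probe time). `test_fallback` should then check the result, for example by calling it as `rlRun wait_for_probe`, so a timeout is reported as a test failure rather than followed by a misleading `unbound-host` assertion.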
@@ -0,0 +1,123 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +xsFNBE2v/RwBEACyQpJlpCeSZBV1QUH7jNEp5xGdo6OnX2h9XoZ4ZPsb+u6OT+xE +SH45ncnISUh8rPCygbeWOoPR/yOBzh+lYoGxQ5iUHtwRrhHq04sQe/qFpXDO2xs6 +1pTcPU2PnH7Rsr2qp6fZLPHuXLolD7NJfaSib8sVeMM0/ecyl/L2bBg9NpaGDX0x +TQh95M8o6AFo6UKWApBpgsvEZr2aH/B8b9KnCWFhfJyheEM7DamksdZNsKxXQyq3 +l/ROfdsMLZGF8vPbYV/v11G4keyaLpn8AbBpybIiw9SYDwf2ENk3+e1NFfMaiiyE +qn9+aaLTKCY87TMUuoN3s3jWOOy5tHXzf6DbKhub4Awsby3DH5YpPhi4N2vj2pAX +Vpl5+m78cH29JLzT+HAoyZ4tq1r3m0P5QogNqYwqxkKWYOjDilNDBiKiDdgtrLYG +x+ABovKG/FvToJoaCL4AFaVCzWmL2uHkSgyBN0FPHatCB1UeEkcQit6T8E2NQqmF +WjUMXSWHHajSMG95+L5PdLHz/Ku0o3Csvlt2pkElYZmzJBfnOM9JevdsmKr/ruJC +/DCZAn5w2S/9ZF5qfo2F9HUKIwE/dChR29HcN8V4nqZs9oCvEMfFhHmrfwDc5hed +hvb6mAkvSFFtKIrygLIVeWRj3FE9sGp6sr4VwOLYTFRNk7mAsWD1rZApeQARAQAB +zSdXLkMuQS4gV2lqbmdhYXJkcyA8d291dGVyQG5sbmV0bGFicy5ubD7CwX4EEwEC +ACgFAk2v/RwCGyMFCQlmAYAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEJ9v +HC1+BF+N3yoQAIynfrvZ/8RNAv9lLcSc2PX3fvG7oRJEJSy9uMyIbMtb/a1BVCeh +XjR8GhHJ5D/Z3jRWBQKw1rLLvOqbuBGkpKMR100ZVF4z/8e6CWtTAOFy28f1JQw2 +8kilN7K6vjno21S1JJ1XJAdoFdicyb1SW2r+KYod6fjSyF0lb71od+sdnSE9O/xd +Cqyyu6cX+AwfDcuJ6Y8iOWu8CeWAz41LR1QBUQkCb/08mVfCEu+Cj+M31jjPDZEy +UAw219vr4QFe0o3t+Msv0AUZvcRkW6+8qP5lO6I5we/33WBLZH70lhFvYtobM7HO +MCjheRZguSzvRqEETfTjia1uVi3Yz2qM4CFdJIZF6Er79yKcB3jYquultrnlHdXZ +/IZsHVRk6JfiqFkz9u1T9PkvMoQ452aUomGTg9xQchnKpe1E8osKgLulaY+izTEq +Z8pH/HWWJ/YT13/n8pxK9EbC/8SkVhyXNehOSAGDZar+tjVBofgzS8r+GDyv+pBT +SmjitIrVXZNuhigLp1o7Tvs4kjKlcFnLhfDHJ+yb5JyiZd01bVvaqnfRhACqXfWl +oC0uslRbegoYwJUgX0BOrsOuHGH2SfGjd/QnA0bcEXM2kp1Dp1gqtcEd5Qitm647 +Yz+leWkhrmMmtTwqumXoAcvgzthJFUPcAzuhXZNfqQJMOGRxAGVI0P97wsF+BBMB +AgAoAhsjBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCVu+rZAUJDQIVSAAKCRCf +bxwtfgRfjdrWEACMQK0xYtZtAvLL/8CCcCi92Oi1rtXRGWnRy7JX020hftmWliMq +4P0F3CJKVLhgZ/ldp8OOqmfDfmwLMVSaCQ86Ubqn7Ofrf8Ku8SGQuIMxY2ODB97h +ouY4bnDHaM2Cqi6JkBN+G1tgdwqN/kcecF2tq3ql2k7eX91++A+F5ApIu1silzJP +L4Z8W6MVOdKrtzEM7t61hRlsbpEPj72vbVBZ1hmTiIL4VWwdxQYamxBoOeneskyD 
+DG+iMCI3P1GG3EQkk+9Aect/iH9uruE0mxn2aKN8cfuoR93cPF/ozCxS5ItwAVnN +e39WRO1GT2zYaFgYm0lf9czcpRsRzNbGw938lZ3iPUiZe+ybKgLKkVmvrkM59ljH +T99SrC14VXxgQwSs4gS3rdzbY9tPps62Z1q+xCVfTx1IY5P4nt59xwQV0Iw+pV9S +/mVcOnPXl1UKb0ttOdYJErrq3RpF/D2g/NDtL0OWqIa8LvrBlyQYmWPKvKw76vt4 +bJ3NU31jSc0ow/j7EOVjOst86s629zmtnbJjWVr6LOy5EDUPusmqHv1t4Z4RMjf8 +OrJdNbFJoRXZv8FbW4NzXeGtMf8k6vKeejpdMH4+eLuoZG7dchU1JccfgqfwWpy0 +ojmb59drJcaQgVC6Jvw9l0TmGPNIsE4UrIWocaFgv4dOKvHA2hcnMDM8rsLBlQQT +AQIAPwIbIwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQTt+qPyyk5usFaBr46f +bxwtfgRfjQUCWaU4BQUJEZjVaQAKCRCfbxwtfgRfjb1YEACjkhtkyZkYURUmSZNL +2IK/Zencv7DZGRfFrzijROFtHbe//H8o2ZhlyiaFSA/dT1ehjsukkR0oFkYadA+q +Ui06WpxGmd/jf8hP4yTUZkwOhQAesWoNmnhKePNaVMKY8DP57bA+N2pdCcGu7gUt +Yzq2JoTAtV+P/PE2w+H9eyBAulv6iUckM5/qvGfJPl8HB9BtgOpGN79otVWO6ebM +4TQ3cZYI9BDQnt9cF2pviex+z1iLZVJ8UeRxSxYhrBKPJioi0Q1OgcKyO56t7Eot +zxKl5TzprgvdX4cdls+lehD8StlE2Xv/TScHvdOhJuVBrn3a3QjZPb4qSsz74leW +5/EIQmozBy+qf8AHcCmTXwb2U7oHOct7cVyS5+bFx+ThpV5OK0rjTH1LMNiuTeAN +46c1y3prjZRpQUlgVwj06q3Zz/fzDyueUS/r4lW4nAf/VNZy/rTS2HYPoZbHZVCt +GpDIfag6fV6V97Pd3zfhTf2wmsJsw9Xhktp/o7rMBRSMhvL4oevOXb0JSG2583Q/ +JnCCceB4NxRRxsgkRYHwdnXN9FnOPSa4NyvF4rzpPksLGZrhvm+lBvzVn/e40Q/K +lxvSlnn2vW/WBM4pBq1jsoJrd/JkTdijZV7mt7HQ2bCLXAPgfZjy7n79WiCQVHg7 +iYnNikiNWR5TR7JcvdkxOdiA/8LBlQQTAQgAPwIbIwYLCQgHAwIGFQgCCQoLBBYC +AwECHgECF4AWIQTt+qPyyk5usFaBr46fbxwtfgRfjQUCXe4JdQUJGaQN2QAKCRCf +bxwtfgRfjQ8gEACe+49aDQHRuZdDHK1VCJKzhb+MvfdIjvl8eQxljpG9Uz5Y17Bx +4SWfuLHCeGlh1m6IOAWeW4g6Wowm1ec1PkVa79TdrkKb0MxfLSat6iDbiuVjDxy2 +bWokW0/cPzJ/FoWDtEC0H9UTAMb5QGBDZUbLuwX7ZjvMkAhH15/hO9Gj4RHoH1RJ +GJALRtZzjtzsJqL53kW/EV59V1T79Nocyx018iw50Jn02mI8wYJZ9HZc5C7D+K59 +vcqLRZgkrJrObw0sEv3YFOBYp/1DemH2nHPMBSKMmN5RAcr32guUjd4BEWf2Q7Ao ++Qnhdi161W0YKCW4JAmOoQ4bQ0wfE9Q5aUIGhUF52L+ac8Hy7dByaCExCA/WTqQQ +/iVPybmpJQhFonWt/fmpxbE2wKThSEOHTO67e5e3JfUb0vNKssyZojao4h1MF5nv +aPNKoybWwKnpNM0ORcyl+aogKwW7E15TEU0TE5//gAsFwRDcCnSEKnksgM0321m1 +7RDfJbCajIv47DHDYE3yvhRZjCJCaw0Gow1sDRWjdOFpmIixD5/vx5uxyqSHPuGA 
+sXlEvl+Z3Rdc5bQ7pAWu7UNpR3hnJPfg8KL2xqOF75VKG9/NjLE80yj8wdVoCfDv +vizrBtOXnHI49gCMCfNqbGIb5yVhmTdeo7li+Te9hlJ2DrHnujGJlFe+p87BTQRN +r/0cARAApvDKeVLiSazESdTY9KsSWsqoB38pvOsu25M49tEjc5TtY5LwKNckqkeR +lJ83O8dFG7UBVuGwLKaf/6OR/pe24upZ27eOOWW7sXvQNv5aXlOYfF+mjIhUINqj +q4pKDmO1c9J7h5d+auOVfzcgfotg3BVCaKn56ucjiQJ059uUMfgWTvVlibnoJ7de +Zcgt8v7VcLK9jv+P8QJHTIyDzJd+JjdjuHXqC/A37T5G9Z84x8wYrQY6mZmOIYaM +jwIKdgFeN+nLk5henARUz4MTFUW4j9hHpuyAFomDQ93/wkHZ9IEChTxdZnfvsd// +Z45vfcX9dQM+tuR8XCYThVsScI1TnwR46hi5NkfmHo3HVxwB8/owJ+FZDsTNBbJd +7AVy27Xk4L5hLe7BwLDtFMyOp4lOipCM7//mtFB9mTzqnOwiSSyTRlwGUBJkzQFW +Qa0Z6bfYwA6+y1dn19H519GW49irtl+2+W8W4N8oLriIjPvqrQOyaELFcRfV6FfL +i09HPhHVbejOqIEbOtfuN0+mjrrGAwortfTBjfw80N+W90BTvta4K2SyjHcJTkDY +ehfOo/5IMpGtDsOgvsCbDaFRnNJuYtSqQmvWk1KIPIw6CkdJtZa3+q3YA7D7ovOV +H1OBTKNdBjc+X4W8L5R9MCymXWvgiP+52Sv1VIcZmsnCBrwK490AEQEAAcLBZQQY +AQIADwUCTa/9HAIbDAUJCWYBgAAKCRCfbxwtfgRfjTY/D/9+kX8LeqBhwDdwy3ud +V67KmVmytwGMfzBHbAyBdy84X06ip/If/VkjL+2Sv5Uml/cOOzGZT7y/KEt0uXQz +gOZhGP5Y0OREf4kSzfb7tsGu3ZjTp5uJe7HiJr8uqYGfx94TQG/A3x1C7MlxOGmW +DK/Eh/eNVeNd+3yyDEzl2p7a0yUhI8LtzllVrEDX+G4rz+mdDw4tfPDqzRPzPvVt +PfqnfofHP5r2dshGe7+pCTC+o0jHWpaiFkEiIrR3PbZ9tV6+F5LzCUJJP5nepz6C +ShpLHq9ST6qZiw5ZpdznHW0kVl96YxgynJq9Y4dqD/8nOfTzdHhXXEogGvRfcxat +xeZF7YNFhUU2p+CswAjRKCUzZAz0hDAu+dJ+fw4Odx7ii8uiwhEnEHoo8rPETkXw +UK1je4MCzMRSy0Gippzk/oZ7noIml+Njas/UygavUOQm8bcPqGfWeFqvM2C7ZobL +2iV0fX/bhEmQyosiWJ0nHuKdwDYygYs/4LtZLxwiKli/lm6IDz1028j6/98Z81gG +oltXWokTYAPEgcBuhyiSLSQ1wojTVMYt9rPKMBakTzP+0FoWqoNafWOlHovP6iUB +2Igll2ZT3AvrBQ8jAbRbuUl46QpBaKsl+pBo86az0fRkMxv0N4dQv4Q7Z0g71u9N +Tpaq1vtAZOwc0kl3uGNK18PnV8LBZQQYAQIADwIbDAUCVu+raQUJDQIVTQAKCRCf +bxwtfgRfjVnYEACZ1E/FfLDi4vLUd9diImmNN/zWDHxTsO/VG3lt50rSoJM5NGB4 +RlwcbUKhah2fD44FFiIqGIvKD9hRgB51dVRIkaR3ozVtXRBKxJJqWj38wf2FDLtU +XC5/JHYb0sjAc3ad2sA9xEmEBVO1lWK3J6h4gKZiAGlWz3oeOSve3vrTKsBlP0Cu +rUeb4WTVpw4drBJD7cDh8SJ4/Cq76UFx8lW0xR+pHZHcd0/Ir5v5HnnEgbnut4Ix +eY3/CGBfQfSQHylK7ifmPWq+dflC/ZdfHY1V96EHKPM44ZLwiczoY3qp5nkmEc3B 
+Y6+P8Ch5gddOYaY18wpedarswnpOLQD2Xbsj66Eh0IZuuuZGyfOqJNaWbP33L27e +g35XQNTgyhuZmDyRKL6yAbhU74TXCCvze/kkfqDn2ouCtM8/kqLX1v0+NkBxlhZU +kTTVDyclZtwu6Vypus3+j2Zqk8sXeUZI64sjXpzwOcMZxdl3QuyxMktExWzk9Q5D +YqO+pj/YGt1vp2M0YgSUWNWCvfBcjEPFgaljyqz3BdvR/LYohnXuQL9SWObF+sIF +c9D0w/yORYQcKP5kSWVC/qwFdC61OGeSDnQ/0o0T5PefhYS82gsIrjQ+HIJ7CLUT +k7kBNljvtfpoWegH02feR0kSRoCXA6x+YHT4fmB41pW8S1V5a5dEltA/JMLBfAQY +AQIAJgIbDBYhBO36o/LKTm6wVoGvjp9vHC1+BF+NBQJZpTgKBQkRmNVuAAoJEJ9v +HC1+BF+NyNQP/A3h+cOOkYUxyKpNHdtlIfCn8db5tHXSCbE19Qi7EK1SiK5atjo+ +VoRtB+L01kH6GCx5oZjeIhUdzYFwEUsdCDgwD6r0dKFwKIGa4TFcfnx+Z5B+HZgL +Yc6ac5PEHF1qZVXZH9GSGeNw5h2yyqf4yhvetSN6L2id14m5XXJV5e7NfOgmaSnG +0Z+wQvPSiu+Q00XpENT8HFSTSCjRATjk12rpy6TPeeC52NK1gLhGDRHN0k6m+vm4 +yoC+Nd6iPQpnc+5xs7NDnq2dFuSTp7UTGebzPhhdSQgujEFuYLwzQMZu1h5amtA+ +v9j7BYEJkOMC7bm1PNNA2QQ6QfH8Hf+mJeINyJO8A5KS3ceP+eo3SLR8T0hPzu9g +ZuZ22Hn3DXQh1VNRshaLKgNvoXpL3dQ48d1SFFKhEDpy2HSXUq2fs5rH0uszFGes +G7K6EQRAYRcDrCkt9fdfkvCSxAFw9d+472xThzgKcN+MkOec+SaY+xlVULjEfCWy +RVC8Opam4mTm/XT4mVLxP/qnsy7kEhLoc/ouB+lY/ks06LpZJvCXL6WfA9You1Fi +1Mg7GhSh9JKg6X6E8Trm+N4dxJGut1xbbGmmKXqfi4pej9KlkdeM9t1df/vWKlPa +7Hzd8H0btgJx066wC4yt0ghxtsJXBsCDxWLfzaSRZ2/eP16mHqxDjsQQwsF8BBgB +CAAmAhsMFiEE7fqj8spObrBWga+On28cLX4EX40FAl3uCX0FCRmkDeEACgkQn28c +LX4EX43TQA/+JV8ReMRJCn3Cfqbe5ycFn8p6dIVnJiQuhiEyu5yzdpSkKyzcVFJO +bQcqw7s50FJuLUbxdvbcuGIaoTu7dhBoUXO5tOuIQAsKTfGfgoOgelJm+/q2h645 +EnAVINGbMDXrmo4/UFJkNjUMA6SQi/yiam7N0y58eoDC4sGmBKuN2EW2MoWahlXw +8SS1+Ab9qVBs/RqbSy6f1nJL39aPpPDmvyJOSYtHnNSFlYWVhr0zGAi5rnswlFGr +ECGbHpr5FajUK7zcmtNPbi7F30K48xfF3XnDIeIBcerrEBQMaPUZcBlddGhmSVVJ +ZU/YhR35JNgPnmp33gOuZaRiW9lauZFwsMQBIBkLpJWoUtu8QLkyC0HmJzVRep0/ +s1RkzaJ+1G1BzXTQiXaLaUQWG5h3pcMD8fxY5qp9KbG/+10bY0sRbRBXgS6mz7dd +HaBtg/E8ty2nEB1HDXA9HAHu7KlH9e96sPZjz9C46ZiOXe6ZAOk6wBYts4RG4bCQ +9pGORJ+P2Jr2pz1NZQbs1AhnjJixTsfZfsGZ5lHxGLjIyxtdGB/irLEqNTIMek2y +p4CShmWoZwN0V3aGYMe/rC4tSXG79IeKNwF3Vd5MHtB+hcJG2qztBtKQuW29rbRA +5bNxwTWe8skwOKsxXnP9RC974k0XkPS+VwgmVgNN1ewS/0oHvmEP71Q= +=Oqje +-----END PGP PUBLIC 
KEY BLOCK-----