diff --git a/.fmf/version b/.fmf/version
deleted file mode 100644
index d00491f..0000000
--- a/.fmf/version
+++ /dev/null
@@ -1 +0,0 @@
-1
diff --git a/.gitignore b/.gitignore
index fd77f51..3550079 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,5 +5,3 @@
 /dnssec-trigger-0.13_20150714.tar.gz
 /dnssec-trigger-0.13.tar.gz
 /dnssec-trigger-0.15.tar.gz
-/dnssec-trigger-0.17.tar.gz
-/dnssec-trigger-0.17.tar.gz.asc
diff --git a/0001-dnssec-trigger-script-port-to-libnm.patch b/0001-dnssec-trigger-script-port-to-libnm.patch
new file mode 100644
index 0000000..5891c2b
--- /dev/null
+++ b/0001-dnssec-trigger-script-port-to-libnm.patch
@@ -0,0 +1,108 @@
+From ef18b39abdb5e8bf870ada3c108ab7f083405d2c Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel
+Date: Thu, 15 Feb 2018 17:57:52 +0100
+Subject: [PATCH] dnssec-trigger-script: port to libnm
+
+The libnm-glib is depreacted for a long time already and is eventually
+going away.
+---
+ dnssec-trigger-script.in | 51 ++++++++++++++----------------------------------
+ 1 file changed, 15 insertions(+), 36 deletions(-)
+
+diff --git a/dnssec-trigger-script.in b/dnssec-trigger-script.in
+index 5f70580..14d9278 100644
+--- a/dnssec-trigger-script.in
++++ b/dnssec-trigger-script.in
+@@ -13,14 +13,13 @@ import glob
+ import subprocess
+ import logging
+ import logging.handlers
+-import socket
+ import struct
+ import signal
+
+ import gi
+-gi.require_version('NMClient', '1.0')
++gi.require_version('NM', '1.0')
+
+-from gi.repository import NMClient
++from gi.repository import NM
+
+ # Python compatibility stuff
+ if not hasattr(os, "O_CLOEXEC"):
+@@ -132,7 +131,7 @@ class ConnectionList:
+
+ def __init__(self, client, only_default=False, only_vpn=False, skip_wifi=False):
+ # Cache the active connection list in the class
+- if not client.get_manager_running():
++ if not client.get_nm_running():
+ raise UserError("NetworkManager is not running.")
+ if self.nm_connections is None:
+ self.__class__.nm_connections = client.get_active_connections()
+@@ -208,40 +207,20 @@ class Connection:
+ self.uuid = connection.get_uuid()
+
+ self.zones = []
+- try:
+- self.zones += connection.get_ip4_config().get_domains()
+- except AttributeError:
+- pass
+- try:
+- self.zones += connection.get_ip6_config().get_domains()
+- except AttributeError:
+- pass
+-
+ self.servers = []
+- try:
+- self.servers += [self.ip4_to_str(server) for server in connection.get_ip4_config().get_nameservers()]
+- except AttributeError:
+- pass
+- try:
+- self.servers += [self.ip6_to_str(connection.get_ip6_config().get_nameserver(i))
+- for i in range(connection.get_ip6_config().get_num_nameservers())]
+- except AttributeError:
+- pass
+-
+- def __repr__(self):
+- return "".format(**vars(self))
+
+- @staticmethod
+- def ip4_to_str(ip4):
+- """Converts IPv4 address from integer to string."""
+-
+- return socket.inet_ntop(socket.AF_INET, struct.pack("=I", ip4))
++ ip4_config = connection.get_ip4_config()
++ if ip4_config is not None:
++ self.zones += ip4_config.get_domains()
++ self.servers += ip4_config.get_nameservers()
+
+- @staticmethod
+- def ip6_to_str(ip6):
+- """Converts IPv6 address from integer to string."""
++ ip6_config = connection.get_ip6_config()
++ if ip6_config is not None:
++ self.zones += ip6_config.get_domains()
++ self.servers += ip6_config.get_nameservers()
+
+- return socket.inet_ntop(socket.AF_INET6, ip6)
++ def __repr__(self):
++ return "".format(**vars(self))
+
+ @property
+ def ignore(self):
+@@ -466,10 +445,10 @@ class Application:
+ except AttributeError:
+ self.usage()
+
+- self.client = NMClient.Client().new()
++ self.client = NM.Client().new()
+
+ def nm_handles_resolv_conf(self):
+- if not self.client.get_manager_running():
++ if not self.client.get_nm_running():
+ log.debug("NetworkManager is not running")
+ return False
+ try:
+--
+2.13.6
+
diff --git a/0002-Fix-that-NXDOMAIN-for-_probe.uk.uk-is-deemed-allrigh.patch b/0002-Fix-that-NXDOMAIN-for-_probe.uk.uk-is-deemed-allrigh.patch
new file mode 100644
index 0000000..de56106
--- /dev/null
+++ b/0002-Fix-that-NXDOMAIN-for-_probe.uk.uk-is-deemed-allrigh.patch
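Review bot: In the `Application` hunk of the carried patch, `self.client = NM.Client().new()` keeps the old NMClient calling pattern: it first instantiates a bare `NM.Client` object and then calls the constructor through that instance, so an extra client object that never went through initialisation appears to be created and dropped; the direct form is `self.client = NM.Client.new(None)`. In the `Connection` hunk the results of `get_domains()` and `get_nameservers()` are now stored as returned, and on DHCP-configured links those values presumably originate from the network, so a comment such as `# zones/servers come from the connection's IP config and are network-supplied; validate where they are passed on` would record the trust boundary (the consumers are outside this patch). `import struct` also loses its only visible user once `ip4_to_str()` is removed, though the rest of the script is not shown here. All four inner hunks cut through their enclosing classes, so this is based on the visible lines only.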
@@ -0,0 +1,27 @@
+From 871f36410b93abc2a2e583043665337d25d66c1e Mon Sep 17 00:00:00 2001
+From: Wouter Wijngaards
+Date: Mon, 26 Feb 2018 13:48:26 +0000
+Subject: [PATCH] - Fix that NXDOMAIN for _probe.uk.uk is deemed allright.
+
+git-svn-id: file:///svn/dnssec-trigger/trunk@764 14dc9c71-5cc2-e011-b339-0019d10b89f4
+---
+ riggerd/probe.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/riggerd/probe.c b/riggerd/probe.c
+index 4781e01..0954766 100644
+--- a/riggerd/probe.c
++++ b/riggerd/probe.c
+@@ -490,7 +490,8 @@ outq_check_packet(struct outq* outq, uint8_t* wire, size_t len)
+ }
+
+ /* does DNS work? */
+- if(ldns_pkt_get_rcode(p) != LDNS_RCODE_NOERROR) {
++ if(ldns_pkt_get_rcode(p) != LDNS_RCODE_NOERROR &&
++ ldns_pkt_get_rcode(p) != LDNS_RCODE_NXDOMAIN) {
+ char* r = ldns_pkt_rcode2str(ldns_pkt_get_rcode(p));
+ snprintf(reason, sizeof(reason), "no answer, %s",
+ r?r:"(out of memory)");
+--
+2.14.3
+
diff --git a/0003-Move-the-NetworkManager-dispatcher-script-out-of-etc.patch b/0003-Move-the-NetworkManager-dispatcher-script-out-of-etc.patch
deleted file mode 100644
index 73745bc..0000000
--- a/0003-Move-the-NetworkManager-dispatcher-script-out-of-etc.patch
+++ /dev/null
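Review bot: The relaxed rcode test in `outq_check_packet()` lets NXDOMAIN through for every packet that reaches it, while the patch subject names only the `_probe.uk.uk` probe as the case where NXDOMAIN is a legitimate answer. If other probe types share this path, a resolver that answers NXDOMAIN to everything would now pass the "does DNS work?" gate, so whatever follows in the function (outside this hunk) has to be what rejects it; a comment such as `/* NXDOMAIN is allowed for the _probe.uk.uk probe; TODO confirm other probe types still fail on it below */` would make that dependency visible. The condition and the error path also call `ldns_pkt_get_rcode(p)` three times; reading it once, e.g. `ldns_pkt_rcode rc = ldns_pkt_get_rcode(p);`, keeps the test and the logged reason on the same value.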
@@ -1,96 +0,0 @@ -From 6e13ba9b4367fb7867f8a61930bd80b34970aa34 Mon Sep 17 00:00:00 2001 -From: Lubomir Rintel -Date: Thu, 22 Aug 2019 16:28:51 +0200 -Subject: [PATCH] Move the NetworkManager dispatcher script out of /etc - -It's not user configuration and shouldn't ever have been there. Except for that -it used to be the only location NetworkManager looked into. With NetworkManager -1.20 that is no longer the case and the dispatcher scripts can be moved to -/usr/lib. - -Users of older NetworkManager versions can still override this on the -./configure command line. ---- - README | 2 +- - configure | 10 +++++----- - configure.ac | 8 ++++---- - 3 files changed, 10 insertions(+), 10 deletions(-) - -diff --git a/README b/README -index 1ddc3f4..7093268 100644 ---- a/README -+++ b/README -@@ -74,7 +74,7 @@ the secure version, but this was fixed in 0.6. - - * unix - NetworkManager - --In /etc/NetworkManager/dispatcher.d a script sends DHCP changes to -+In /usr/lib/NetworkManager/dispatcher.d a script sends DHCP changes to - the daemon. The script is a networkmanager dhcp hook script and uses - dnssec-trigger-control to talk to the daemon. The script uses nmcli - to find the DNS info. 
-diff --git a/configure b/configure -index 16d86fc..1efddd3 100755 ---- a/configure -+++ b/configure -@@ -1364,8 +1364,8 @@ Optional Packages: - 'windows' or 'none' - --with-networkmanager-dispatch - Set the networkmanager dhcp dispatcher dir, default -- tests prefix/etc/NetworkManager/dispatcher.d and -- /etc/NetworkManager/dispatcher.d -+ tests prefix/lib/NetworkManager/dispatcher.d and -+ /lib/NetworkManager/dispatcher.d - --with-netconfig-dispatch - Set the netconfig dhcp dispatcher dir, default tests - prefix/etc/netconfig.d and /etc/netconfig.d -@@ -6879,7 +6879,7 @@ if test -n "$withval"; then - fi - - # hook settings --networkmanager_dispatcher_dir="$sysconfdir/NetworkManager/dispatcher.d" -+networkmanager_dispatcher_dir="$prefix/lib/NetworkManager/dispatcher.d" - - # Check whether --with-networkmanager-dispatch was given. - if test "${with_networkmanager_dispatch+set}" = set; then : -@@ -6938,8 +6938,8 @@ $as_echo_n "checking for NetworkManager dispatch... " >&6; } - else - if test -d "$networkmanager_dispatcher_dir" ; then - : -- else if test -d /etc/NetworkManager/dispatcher.d; then -- networkmanager_dispatcher_dir="/etc/NetworkManager/dispatcher.d" -+ else if test -d /lib/NetworkManager/dispatcher.d; then -+ networkmanager_dispatcher_dir="/lib/NetworkManager/dispatcher.d" - fi - fi - fi -diff --git a/configure.ac b/configure.ac -index f06412f..d1b8556 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -244,9 +244,9 @@ if test -n "$withval"; then - fi - - # hook settings --networkmanager_dispatcher_dir="$sysconfdir/NetworkManager/dispatcher.d" -+networkmanager_dispatcher_dir="$prefix/lib/NetworkManager/dispatcher.d" - AC_ARG_WITH([networkmanager-dispatch], AC_HELP_STRING([--with-networkmanager-dispatch], -- [Set the networkmanager dhcp dispatcher dir, default tests prefix/etc/NetworkManager/dispatcher.d and /etc/NetworkManager/dispatcher.d]), -+ [Set the networkmanager dhcp dispatcher dir, default tests prefix/lib/NetworkManager/dispatcher.d and 
/lib/NetworkManager/dispatcher.d]), - , withval="") - with_nm_dispatch="$withval" - AC_SUBST(networkmanager_dispatcher_dir) -@@ -290,8 +290,8 @@ if test "$hooks" = "networkmanager"; then - else - if test -d "$networkmanager_dispatcher_dir" ; then - : -- else if test -d /etc/NetworkManager/dispatcher.d; then -- networkmanager_dispatcher_dir="/etc/NetworkManager/dispatcher.d" -+ else if test -d /lib/NetworkManager/dispatcher.d; then -+ networkmanager_dispatcher_dir="/lib/NetworkManager/dispatcher.d" - fi - fi - fi --- -2.23.0 - diff --git a/0004-Add-options-edns0-and-trust-ad.patch b/0004-Add-options-edns0-and-trust-ad.patch deleted file mode 100644 index 5d59b87..0000000 --- a/0004-Add-options-edns0-and-trust-ad.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 96b32c7a3494e214998f53fe69503667ada8ea46 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= -Date: Mon, 12 Oct 2020 23:25:43 +0200 -Subject: [PATCH 4/5] Add options edns0 and trust-ad - -SSH uses AD flag only when edns0 is enabled in resolv.conf. Unbound of -course supports it, no need to keep it disabled. - -Add also trust-ad for more recent libraries, which discard AD flag -without explicit trust. - -Patch: dnssec-trigger-0.15-edns0.patch ---- - dnssec-trigger-script.in | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/dnssec-trigger-script.in b/dnssec-trigger-script.in -index 14d9278..1c6f581 100644 ---- a/dnssec-trigger-script.in -+++ b/dnssec-trigger-script.in -@@ -421,7 +421,7 @@ class Application: - resolvconf_trigger_tmp = resolvconf_trigger + ".tmp" - resolvconf_networkmanager = "/var/run/NetworkManager/resolv.conf" - -- resolvconf_localhost_contents = "# Generated by dnssec-trigger-script\nnameserver 127.0.0.1\n" -+ resolvconf_localhost_contents = "# Generated by dnssec-trigger-script\nnameserver 127.0.0.1\noptions edns0 trust-ad\n" - - rfc1918_reverse_zones = [ - "c.f.ip6.arpa", --- -2.26.2 - 
diff --git a/changelog b/changelog deleted file mode 100644 index ca93ebf..0000000 --- a/changelog +++ /dev/null 
@@ -1,313 +0,0 @@ -* Wed Jul 19 2023 Fedora Release Engineering - 0.17-12 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild - -* Thu Jun 15 2023 Todd Zullinger - 0.17-11 -- Remove execute bit on ssh_config.d snippet - -* Thu Jan 19 2023 Fedora Release Engineering - 0.17-10 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild - -* Fri Dec 16 2022 Florian Weimer - 0.17-9 -- Port configure script to C99 - -* Thu Jul 21 2022 Fedora Release Engineering - 0.17-8 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild - -* Thu Jan 20 2022 Fedora Release Engineering - 0.17-7 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - -* Tue Sep 14 2021 Sahana Prasad - 0.17-6 -- Rebuilt with OpenSSL 3.0.0 - -* Wed Jul 21 2021 Fedora Release Engineering - 0.17-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - -* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 0.17-4 -- Rebuilt for updated systemd-rpm-macros - See https://pagure.io/fesco/issue/2583. 
- -* Tue Jan 26 2021 Fedora Release Engineering - 0.17-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - -* Sat Dec 19 2020 Adam Williamson - 0.17-2 -- Rebuild for libldns soname bump - -* Tue Oct 13 2020 Petr Menšík - 0.17-1 -- Update to 0.17 - -* Mon Oct 12 2020 Petr Menšík - 0.15-14 -- Add edns0 option to resolv.conf -- Add VerifyHostKeyDNS to ssh config - -* Mon Jul 27 2020 Fedora Release Engineering - 0.15-13 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Tue Jan 28 2020 Fedora Release Engineering - 0.15-12 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Mon Jan 06 2020 Jeff Law - 0.15-11 -- Fix typo in last change - -* Thu Aug 22 2019 Lubomir Rintel - 0.15-10 -- Move the NetworkManager dispatcher script out of /etc - -* Wed Jul 24 2019 Fedora Release Engineering - 0.15-9 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - -* Thu Jan 31 2019 Fedora Release Engineering - 0.15-8 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - -* Thu Jul 12 2018 Fedora Release Engineering - 0.15-7 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - -* Tue Jun 19 2018 Miro Hrončok - 0.15-6 -- Rebuilt for Python 3.7 - -* Wed Mar 14 2018 Petr Menšík - 0.15-5 -- Accept NXDOMAIN for NSEC probe (#1555355) - -* Mon Feb 19 2018 Tomas Hozza - 0.15-4 -- Added explicit BuildRequires on gcc as required by packaging guidelines -- Added explicit Requires on e2fsprogs, so that /usr/bin/chattr is available -- Remove redundant removal of immutable bit in %%preun scriptlet (#1542400) - -* Mon Feb 19 2018 Tomas Hozza - 0.15-3 -- use NetworkManager-libnm instead of NetworkManager-glib - -* Wed Feb 07 2018 Fedora Release Engineering - 0.15-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - -* Mon Dec 11 2017 Tomas Hozza - 0.15-1 -- Update to stable 0.15 upstream release - -* Fri Aug 18 2017 Petr Menšík - 0.13-6 -- Skip always failing kr.com, 
update root IPs (#1482939) - -* Wed Aug 02 2017 Fedora Release Engineering - 0.13-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - -* Wed Jul 26 2017 Fedora Release Engineering - 0.13-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild - -* Wed Mar 08 2017 Tomas Hozza - 0.13-3 -- Rebuild against new ldns - -* Wed Mar 01 2017 Tomas Hozza - 0.13-2 -- Include fix for runtime issues with OpenSSL 1.1.0 (#1427561) - -* Fri Feb 17 2017 Tomas Hozza - 0.13-1 -- Update to stable 0.13 upstream release -- Dropped merged patches - -* Fri Feb 10 2017 Fedora Release Engineering - 0.13-0.6.20150714svn -- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - -* Mon Dec 19 2016 Miro Hrončok - 0.13-0.5.20150714svn -- Rebuild for Python 3.6 - -* Wed Feb 03 2016 Fedora Release Engineering - 0.13-0.4.20150714svn -- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - -* Tue Nov 10 2015 Fedora Release Engineering -- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5 - -* Mon Jul 20 2015 Tomas Hozza - 0.13-0.2.20150714svn -- Provide Workstation specific configuration - -* Wed Jul 15 2015 Tomas Hozza - 0.13-0.1.20150714svn -- split dnssec-trigger panel into separate subpackage (#1236363) -- SPEC file cleanup based on rpmlint and fedora-review issues -- implement some suggestions (#1236363) -- rebase to the latest svn trunk snapshot 0.13_20150714 -- Script is not searching local user directories any more (#1213062) -- Script now doesn't restart NM if version is >= 1.0.3, but sends just signal -- Script now specifies the NMClient version for GI (#1242430) -- Script now sets negative-cache-ttl in unbound to 5 seconds (#1229596) - -* Wed Jun 17 2015 Fedora Release Engineering - 0.12-21 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild - -* Wed Apr 08 2015 Tomas Hozza - 0.12-20 -- Fix issue when installing private address range zone without global forwarders (#1205864) -- Fix 
configuration of private address range zones (#1128310#c20) - -* Fri Mar 13 2015 Tomas Hozza - 0.12-19 -- Fix typo in the dnssec-trigger-script (#1187371) -- Use Python3 by default - -* Mon Jan 26 2015 Pavel Šimerda - 0.12-18 -- Resolves: #1185796, #1130502, #1105685, #1128310 – update - -* Tue Jan 20 2015 Pavel Šimerda - 0.12-17 -- Resolves: #1183975 - systemd cgroup check fails - -* Tue Jan 20 2015 Pavel Šimerda - 0.12-16 -- Resolves: #1165126, #1125267, #1089766, #1112248, #824219 - update - -* Sat Aug 16 2014 Fedora Release Engineering - 0.12-15 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild - -* Thu Aug 14 2014 Pavel Šimerda - 0.12-14 -- Resolves: #1125261 - dnssec-trigger-script: use fcntl.flock instead of - lockfile - -* Mon Aug 11 2014 Tomas Hozza - 0.12-13 -- One Fedora fallback server changed IP address (#1125440) - -* Mon Jun 30 2014 Pavel Šimerda - 0.12-12 -- Resolves: #1112248 - require a version of NetworkManager with #1113122 fixed - -* Tue Jun 24 2014 Pavel Šimerda - 0.12-11 -- Resolves: #1112248 - serialize the script instances - -* Tue Jun 24 2014 Pavel Šimerda - 0.12-10 -- Resolves: #1112248 - fix a typo - -* Tue Jun 24 2014 Pavel Šimerda - 0.12-9 -- Resolves: #1112248 - fix systemd race condition - -* Mon Jun 23 2014 Pavel Šimerda - 0.12-8 -- Resolves: #1112248 - don't block on systemctl restart NetworkManager - -* Mon Jun 23 2014 Pavel Šimerda - 0.12-7 -- Resolves: #1112248, #1111143 - update dnssec-trigger-script and dnssec-triggerd.service - -* Fri Jun 20 2014 Pavel Šimerda - 0.12-6 -- Resolves: #1111143 - fix for python2 - -* Fri Jun 20 2014 Pavel Šimerda - 0.12-5 -- Related: #842455 - remove a patch that is now redundant - -* Fri Jun 20 2014 Pavel Šimerda - 0.12-4 -- update dnssec-trigger-script to current development submitted upstream - -* Wed Jun 18 2014 Pavel Šimerda - 0.12-3 -- Resolves: #1105896 - the new script doesn't call dnssec-trigger-control submit - -* Fri Jun 06 2014 Pavel Šimerda - 0.12-2 -- fix 
various dnssec-trigger-script issues - -* Fri May 23 2014 Tomas Hozza - 0.12-1 -- Update to 0.12 version -- Drop merged patches -- Drop downstream files (systemd, dispatcher scripts) - -* Tue May 13 2014 Paul Wouters - 0.11-21 -- Enable full hardening (includig PIE) -- Resolves: rhbz#1045689 dnssec-trigger creates long-time RSA key with inappropriate size - -* Wed Feb 19 2014 Tomas Hozza - 0.11-20 -- Restart NM on dnssec-trigger shutdown (let NM handle the resolv.conf content) -- HN-hook: Handle situation when connection does not have a device - -* Wed Jan 29 2014 Tomas Hozza - 0.11-19 -- Use new Python dispatcher script and ship /etc/dnssec.conf - -* Tue Jan 28 2014 Tomas Hozza - 0.11-18 -- Use systemd macros instead of directly calling systemctl -- simplify the systemd unit file for generating keys - -* Thu Nov 21 2013 Tomas Hozza - 0.11-17 -- Add script to backup and restore resolv.conf on dnssec-trigger start/stop - -* Mon Nov 18 2013 Tomas Hozza - 0.11-16 -- Improve GUI dialogs texts - -* Tue Nov 12 2013 Tomas Hozza - 0.11-15 -- Fix NM dispatcher script to work with NM >= 0.9.9.0 (#1029571) - -* Mon Aug 26 2013 Tomas Hozza - 0.11-14 -- Fix errors found by static analysis of source - -* Fri Aug 09 2013 Tomas Hozza - 0.11-13 -- Use improved NM dispatcher script from upstream -- Added tmpfiles.d config due to improved NM dispatcher script - -* Sat Aug 03 2013 Fedora Release Engineering - 0.11-12 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild - -* Mon Mar 04 2013 Adam Tkac - 0.11-11 -- link dnssec-trigger.conf.8 to dnssec-trigger.8 -- build dnssec-triggerd with full RELRO - -* Mon Mar 04 2013 Adam Tkac - 0.11-10 -- remove deprecated "Application" keyword from desktop file - -* Mon Mar 04 2013 Adam Tkac - 0.11-9 -- install various dnssec-trigger-* symlinks to dnssec-trigger.8 manpage - -* Wed Feb 13 2013 Fedora Release Engineering - 0.11-8 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild - -* Tue Jan 08 2013 Paul Wouters - 
0.11-7 -- Use full path for systemd (rhbz#842455) - -* Tue Jul 24 2012 Paul Wouters - 0.11-6 -- Patched daemon to remove immutable attr (rhbz#842455) as the - systemd ExecStopPost= target does not seem to work - -* Tue Jul 24 2012 Paul Wouters - 0.11-5 -- On service stop, remove immutable attr from resolv.conf (rhbz#842455) - -* Wed Jul 18 2012 Fedora Release Engineering - 0.11-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild - -* Thu Jun 28 2012 Paul Wouters - 0.11-3 -- Fix DHCP hook for f17+ version of nmcli (rhbz#835298) - -* Sun Jun 17 2012 Paul Wouters - 0.11-2 -- Small textual changes to some popup windows - -* Fri Jun 15 2012 Paul Wouters - 0.11-1 -- Updated to 0.11 -- http Hotspot detection via fedoraproject.org/static/hotspot.html -- http Hotspot Login page via uses hotspot-nocache.fedoraproject.org - -* Thu Feb 23 2012 Paul Wouters - 0.10-4 -- Require: unbound - -* Wed Feb 22 2012 Paul Wouters - 0.10-3 -- Fix the systemd startup to require unbound -- dnssec-triggerd no longer forks, giving systemd more control -- Fire NM dispatcher in ExecStartPost of dnssec-triggerd.service -- Fix tcp80 entries in dnssec-triggerd.conf -- symlink dnssec-trigger-panel to dnssec-trigger to supress the - "-panel" in the applet name shown in gnome3 - - -* Wed Feb 22 2012 Paul Wouters - 0.10-2 -- The NM hook was not modified at the right time during build - -* Wed Feb 22 2012 Paul Wouters - 0.10-1 -- Updated to 0.10 -- The NM hook lacks /usr/sbin in path, resulting in empty resolv.conf on hotspot - -* Wed Feb 08 2012 Paul Wouters - 0.9-4 -- Updated tls443 / tls80 resolver instances supplied by Fedora Hosted - -* Mon Feb 06 2012 Paul Wouters - 0.9-3 -- Convert from SysV to systemd for initial Fedora release -- Moved configs and pem files to /etc/dnssec-trigger/ -- No more /var/run/dnssec-triggerd/ -- Fix Build-requires -- Added commented tls443 port80 entries of pwouters resolvers -- On uninstall ensure there is no immutable bit on /etc/resolv.conf - -* 
Sat Jan 07 2012 Paul Wouters - 0.9-2 -- Added LICENCE to doc section - -* Mon Dec 19 2011 Paul Wouters - 0.9-1 -- Upgraded to 0.9 - -* Fri Oct 28 2011 Paul Wouters - 0.7-1 -- Upgraded to 0.7 - -* Fri Sep 23 2011 Paul Wouters - 0.4-1 -- Upgraded to 0.4 - -* Sat Sep 17 2011 Paul Wouters - 0.3-5 -- Start 01-dnssec-trigger-hook in daemon start -- Ensure dnssec-triggerd starts after NetworkManager - -* Fri Sep 16 2011 Paul Wouters - 0.3-4 -- Initial package diff --git a/dnssec-trigger-0.17-allowed-characters.patch b/dnssec-trigger-0.17-allowed-characters.patch deleted file mode 100644 index e9cb86d..0000000 --- a/dnssec-trigger-0.17-allowed-characters.patch +++ /dev/null @@ -1,30 +0,0 @@ -From f410871470773c0767f97f86c1bd05074db63081 Mon Sep 17 00:00:00 2001 -From: "W.C.A. Wijngaards" -Date: Mon, 3 Feb 2020 10:37:26 +0100 -Subject: [PATCH] - Fix for #3: Allow @ character to make scripts work, which - may fix resolv.conf lost in some situation bug. - -Changelog: -3 February 2020: Wouter - - Fix for #3: Allow @ character to make scripts work, which may - fix resolv.conf lost in some situation bug. ---- - riggerd/ubhook.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/riggerd/ubhook.c b/riggerd/ubhook.c -index 382eee3..f1ce73c 100644 ---- a/riggerd/ubhook.c -+++ b/riggerd/ubhook.c -@@ -80,7 +80,7 @@ allowed_arg(const char* arg) - } - if( isalnum((unsigned char)*s) || *s == ' ' || *s == ':' || - *s == '.' || *s == '_' || *s == '-' || *s == '+' || -- *s == '\t') { -+ *s == '\t' || *s == '@') { - continue; - } else { - log_err("command line string argument '%s' fails check on allowed characters", arg); --- -2.41.0 - diff --git a/dnssec-trigger-0.17-openssl-3.2.patch b/dnssec-trigger-0.17-openssl-3.2.patch deleted file mode 100644 index d1b9474..0000000 --- a/dnssec-trigger-0.17-openssl-3.2.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From 7c3ff5b59952bc6bf11f988c9dbd961ae3c626ea Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Tue, 10 Sep 2024 16:22:07 +0200 -Subject: [PATCH] Mark explicitly server cert with CA flag - -Since OpenSSL 3.2 it did not connect from control to server cert. Create -server with indication is it CA. - -Also use clientAuth trust for CA cert. That allows control cert to be -used for client authentication. ---- - dnssec-trigger-control-setup.sh.in | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/dnssec-trigger-control-setup.sh.in b/dnssec-trigger-control-setup.sh.in -index 7cc305a..eede665 100644 ---- a/dnssec-trigger-control-setup.sh.in -+++ b/dnssec-trigger-control-setup.sh.in -@@ -200,9 +200,9 @@ EOF - test -f request.cfg || error "could not create request.cfg" - - echo "create $SVR_BASE.pem (self signed certificate)" --openssl req -key $SVR_BASE.key -config request.cfg -new -x509 -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem" --# create trusted usage pem --openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem" -+openssl req -key $SVR_BASE.key -config request.cfg -new -x509 -days $DAYS -addext "basicConstraints=critical,CA:TRUE,pathlen:0" -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem" -+# create trusted usage pem for CA, what are signed certs allowed to do? -+openssl x509 -in "$SVR_BASE.pem" -addtrust clientAuth -out "${SVR_BASE}_trust.pem" - - # create client request and sign it, piped - cat >request.cfg < -Date: Wed, 20 Nov 2024 16:58:48 +0100 -Subject: [PATCH] Add recipe for adding own server - -Until someone adds nice support for using just CA bundle and server -name, allow specification by fingerprint obtained manually. Do not rely -only on server provided by upstream. 
---- - dnssec.conf | 4 ++-- - example.conf.in | 6 +++++- - 2 files changed, 7 insertions(+), 3 deletions(-) - -diff --git a/dnssec.conf b/dnssec.conf -index bf896d3..4726ca1 100644 ---- a/dnssec.conf -+++ b/dnssec.conf -@@ -38,7 +38,7 @@ - # - # - See also security notes on the `add_wifi_provided_zones` option. - # --# validate_connection_provided_zones=yes -+# validate_connection_provided_zones=no - # - # - Connection provided zones will be configured in Unbound as secure forward - # zones, validated using DNSSEC. -@@ -63,7 +63,7 @@ - # Turning this option off has security implications, See the security - # notice above. - # --validate_connection_provided_zones=yes -+validate_connection_provided_zones=no - - # add_wifi_provided_zones: - # ------------------------ -diff --git a/example.conf.in b/example.conf.in -index dafd35d..f7e8a54 100644 ---- a/example.conf.in -+++ b/example.conf.in -@@ -79,6 +79,11 @@ tcp80: 2a04:b900::10:0:0:67 - ssl443: 185.49.140.67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF - ssl443: 2a04:b900::10:0:0:67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF - -+# How to add your own record: -+# openssl s_client -connect example.com:443 -showcerts /tmp/dns.crt -+# openssl x509 -noout -in /tmp/dns.crt -fingerprint -sha256 -+# Append returned sha256 Fingerprint after ssl443: IP-address section. -+ - # Use VPN servers for all traffic - # use-vpn-forwarders: no - -@@ -87,4 +92,3 @@ ssl443: 2a04:b900::10:0:0:67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD: - - # Add domains provided by VPN connections into Unbound forward zones - # add-wifi-provided-zones: no -- --- -2.47.0 - diff --git a/dnssec-trigger-config-default.patch b/dnssec-trigger-config-default.patch deleted file mode 100644 index a3ca483..0000000 --- a/dnssec-trigger-config-default.patch +++ /dev/null 
@@ -1,53 +0,0 @@
-From 27bb1f49fe69055e2a5f02e5fe54e71e79d98fdc Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
-Date: Tue, 25 Jul 2023 15:39:15 +0200
-Subject: [PATCH] Make fedora default config changes
-
-Customize upstream example configuration for Fedora.
----
- example.conf | 11 +++++------
- 1 file changed, 5 insertions(+), 6 deletions(-)
-
-diff --git a/example.conf b/example.conf
-index 6031c0d..6251c98 100644
---- a/example.conf
-+++ b/example.conf
-@@ -1,5 +1,4 @@
--# config for dnssec-trigger 0.17.
--# this is a comment. there must be one statement per line.
-+# Fedora/EPEL version of dnssec-trigger.conf
-
- # logging detail, 0=only errors, 1=operations, 2=detail, 3,4 debug detail.
- # verbosity: 1
-@@ -43,8 +42,8 @@
- # port number to use for probe daemon.
- # port: 8955
-
--# these keys and certificates can be generated with the script
--# dnssec-trigger-control-setup
-+# keys and certificates generated by the dnssec-trigger-keygen systemd service
-+# (which called dnssec-trigger-control-setup)
- # server-key-file: "/etc/dnssec-trigger/dnssec_trigger_server.key"
- # server-cert-file: "/etc/dnssec-trigger/dnssec_trigger_server.pem"
- # control-key-file: "/etc/dnssec-trigger/dnssec_trigger_control.key"
-@@ -60,7 +59,7 @@
-
- # provided by NLnetLabs
- # It is provided on a best effort basis, with no service guarantee.
--url: "http://ster.nlnetlabs.nl/hotspot.txt OK"
-+# url: "http://ster.nlnetlabs.nl/hotspot.txt OK"
-
- # provided by FedoraProject
- url: "http://fedoraproject.org/static/hotspot.txt OK"
-@@ -72,7 +71,7 @@ url: "http://fedoraproject.org/static/hotspot.txt OK"
- # hash is output of openssl x509 -sha256 -fingerprint -in server.pem
- # You can add more with extra config lines.
-
--# provided by NLnetLabs
-+# provided by NLnetLabs (www.nlnetlabs.nl)
- # It is provided on a best effort basis, with no service guarantee.
- tcp80: 185.49.140.67
- tcp80: 2a04:b900::10:0:0:67
---
-2.41.0
-
diff --git a/dnssec-trigger-config-workstation.patch b/dnssec-trigger-config-workstation.patch
deleted file mode 100644
index 6458a92..0000000
--- a/dnssec-trigger-config-workstation.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From d4b08251d816038950b522fc1b003c8d4f1bcc6d Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
-Date: Tue, 25 Jul 2023 15:42:50 +0200
-Subject: [PATCH] Customize workstation only
-
----
- dnssec-trigger-workstation.conf | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/dnssec-trigger-workstation.conf b/dnssec-trigger-workstation.conf
-index 6251c98..bb2b5db 100644
---- a/dnssec-trigger-workstation.conf
-+++ b/dnssec-trigger-workstation.conf
-@@ -32,6 +32,7 @@
- # the command to run to open login pages on hot spots, a web browser.
- # empty string runs no command.
- # login-command: "/usr/bin/xdg-open"
-+login-command: ""
-
- # the url to open to get hot spot login, it gets overridden by the hotspot.
- # login-location: "http://hotspot-nocache.fedoraproject.org/"
-@@ -62,7 +63,8 @@
- # url: "http://ster.nlnetlabs.nl/hotspot.txt OK"
-
- # provided by FedoraProject
--url: "http://fedoraproject.org/static/hotspot.txt OK"
-+# on Workstation, the detection is turned off
-+# url: "http://fedoraproject.org/static/hotspot.txt OK"
-
- # fallback open DNSSEC resolvers that run on TCP port 80 and TCP port 443.
- # These relay incoming DNS traffic on the other port numbers to the usual DNS
---
-2.41.0
-
diff --git a/dnssec-trigger-configure-c99.patch b/dnssec-trigger-configure-c99.patch
deleted file mode 100644
index cccecad..0000000
--- a/dnssec-trigger-configure-c99.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Do not rely on an implicit function declaration for detecting
-the daemon function. Future compilers may not accept such
-declarations by default, causing the detection result to change.
-
-Submitted upstream:
-
-diff --git a/configure b/configure
-index 079ea641e2940515..22c9487fb0d311f8 100755
---- a/configure
-+++ b/configure
-@@ -6757,6 +6757,7 @@ else
-
- echo '
- #include
-+#include
- ' >conftest.c
- echo 'void f(){ (void)daemon(0, 0); }' >>conftest.c
- if test -z "`$CC -c conftest.c 2>&1 | grep deprecated`"; then
-diff --git a/configure.ac b/configure.ac
-index c809367d307f108e..e8095fe7288ba68a 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -225,6 +225,7 @@ AC_CHECK_FUNCS([daemon])
- if test $ac_cv_func_daemon = yes; then
- ACX_FUNC_DEPRECATED([daemon], [(void)daemon(0, 0);], [
- #include
-+#include
- ])
- fi
-
diff --git a/dnssec-trigger-default.conf b/dnssec-trigger-default.conf
new file mode 100644
index 0000000..cc18335
--- /dev/null
+++ b/dnssec-trigger-default.conf
@@ -0,0 +1,99 @@ +# Fedora/EPEL version of dnssec-trigger.conf + +# logging detail, 0=only errors, 1=operations, 2=detail, 3,4 debug detail. +# verbosity: 1 + +# pidfile location +pidfile: "/var/run/dnssec-triggerd.pid" + +# log to a file instead of syslog, default is to syslog +# logfile: "/var/log/dnssec-trigger.log" + +# log to syslog, or (log to to stderr or a logfile if specified). yes or no. +# use-syslog: yes + +# chroot to this directory +# chroot: "" + +# the unbound-control binary if not found in PATH. +# commandline options can be appended "unbound-control -c my.conf" if you wish. +# unbound-control: "/usr/sbin/unbound-control" + +# where is resolv.conf to edit. +# resolvconf: "/etc/resolv.conf" + +# the domain example.com line (if any) to add to resolv.conf(5). default none. +# domain: "" + +# domain name search path to add to resolv.conf(5). default none. +# the search path from DHCP is not picked up, it could be used to misdirect. +# search: "" + +# the command to run to open login pages on hot spots, a web browser. +# empty string runs no command. +# login-command: "xdg-open" + +# the url to open to get hot spot login, it gets overridden by the hotspot. +# login-location: "http://www.nlnetlabs.nl/projects/dnssec-trigger" +# should to be a ttl=0 entry +login-location: "http://hotspot-nocache.fedoraproject.org/" + +# do not perform actions (unbound-control or resolv.conf), for a dry-run. +# noaction: no + +# port number to use for probe daemon. +# port: 8955 + +# keys and certificates generated by the dnssec-trigger-keygen systemd service +# (which called dnssec-trigger-control-setup) +server-key-file: "/etc/dnssec-trigger/dnssec_trigger_server.key" +server-cert-file: "/etc/dnssec-trigger/dnssec_trigger_server.pem" +control-key-file: "/etc/dnssec-trigger/dnssec_trigger_control.key" +control-cert-file: "/etc/dnssec-trigger/dnssec_trigger_control.pem" + +# check for updates, download and ask to install them (for Windows, OSX). 
+# check-updates: no + +# webservers that are probed to see if internet access is possible. +# They serve a simple static page over HTTP port 80. It probes a random url: +# after a space is the content expected on the page, (the page can contain +# whitespace before and after this code). Without urls it skips http probes. + +# provided by NLnetLabs +# It is provided on a best effort basis, with no service guarantee. +# url: "http://ster.nlnetlabs.nl/hotspot.txt OK" + +# provided by FedoraProject +url: "http://fedoraproject.org/static/hotspot.txt OK" + +# fallback open DNSSEC resolvers that run on TCP port 80 and TCP port 443. +# the ssl443 adds an ssl server IP, if you specify a hash it is checked, put +# the following on one line: ssl443: +# hash is output of openssl x509 -sha256 -fingerprint -in server.pem +# You can add more with extra config lines. + +# Provided by fedoraproject.org, #fedora-admin +# It is provided on a best effort basis, with no service guarantee. +ssl443: 140.211.169.201 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2 +tcp80: 140.211.169.201 +ssl443: 66.35.62.163 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2 +tcp80: 66.35.62.163 +ssl443: 152.19.134.150 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2 +tcp80: 152.19.134.150 +ssl443: 2610:28:3090:3001:dead:beef:cafe:fed9 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2 +tcp80: 2610:28:3090:3001:dead:beef:cafe:fed9 + +# provided by Paul Wouters (pwouters@redhat.com) +# It is provided on a best effort basis, with no service guarantee. 
+# tcp80: 193.110.157.123 +# tcp80: 2001:888:2003:1004::123 +# ssl443: 193.110.157.123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7 +# ssl443: 2001:888:2003:1004::123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7 + +# provided by NLnetLabs (www.nlnetlabs.nl) +# It is provided on a best effort basis, with no service guarantee. +# tcp80: 213.154.224.3 +# tcp80: 2001:7b8:206:1:bb:: +# ssl443: 213.154.224.3 DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F +# ssl443: 2001:7b8:206:1:bb:: DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F + diff --git a/dnssec-trigger-workstation.conf b/dnssec-trigger-workstation.conf new file mode 100644 index 0000000..78b0cc6 --- /dev/null +++ b/dnssec-trigger-workstation.conf 
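Review bot: The four active `ssl443:` entries in dnssec-trigger-default.conf pin a single SHA-256 certificate fingerprint (`A8:3E:DA:F0:12:82:…`), and nothing records when that pin was captured or who refreshes it. The same block is repeated verbatim in the dnssec-trigger-workstation.conf hunk that follows. Going by the file's own comment ("if you specify a hash it is checked"), a certificate renewal on those hosts would presumably make every ssl443 fallback fail at once, leaving only the `tcp80:` relays, which carry no transport authentication and rely on DNSSEC validation alone. I would add a comment above the block in both files, for example `# pin captured <DATE>; regenerate with openssl x509 -sha256 -fingerprint -in server.pem and update every ssl443 line together`.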
@@ -0,0 +1,101 @@ +# Fedora/EPEL version of dnssec-trigger.conf + +# logging detail, 0=only errors, 1=operations, 2=detail, 3,4 debug detail. +# verbosity: 1 + +# pidfile location +pidfile: "/var/run/dnssec-triggerd.pid" + +# log to a file instead of syslog, default is to syslog +# logfile: "/var/log/dnssec-trigger.log" + +# log to syslog, or (log to to stderr or a logfile if specified). yes or no. +# use-syslog: yes + +# chroot to this directory +# chroot: "" + +# the unbound-control binary if not found in PATH. +# commandline options can be appended "unbound-control -c my.conf" if you wish. +# unbound-control: "/usr/sbin/unbound-control" + +# where is resolv.conf to edit. +# resolvconf: "/etc/resolv.conf" + +# the domain example.com line (if any) to add to resolv.conf(5). default none. +# domain: "" + +# domain name search path to add to resolv.conf(5). default none. +# the search path from DHCP is not picked up, it could be used to misdirect. +# search: "" + +# the command to run to open login pages on hot spots, a web browser. +# empty string runs no command. +# login-command: "xdg-open" +login-command: "" + +# the url to open to get hot spot login, it gets overridden by the hotspot. +# login-location: "http://www.nlnetlabs.nl/projects/dnssec-trigger" +# should to be a ttl=0 entry +# login-location: "http://hotspot-nocache.fedoraproject.org/" + +# do not perform actions (unbound-control or resolv.conf), for a dry-run. +# noaction: no + +# port number to use for probe daemon. +# port: 8955 + +# keys and certificates generated by the dnssec-trigger-keygen systemd service +# (which called dnssec-trigger-control-setup) +server-key-file: "/etc/dnssec-trigger/dnssec_trigger_server.key" +server-cert-file: "/etc/dnssec-trigger/dnssec_trigger_server.pem" +control-key-file: "/etc/dnssec-trigger/dnssec_trigger_control.key" +control-cert-file: "/etc/dnssec-trigger/dnssec_trigger_control.pem" + +# check for updates, download and ask to install them (for Windows, OSX). 
+# check-updates: no + +# webservers that are probed to see if internet access is possible. +# They serve a simple static page over HTTP port 80. It probes a random url: +# after a space is the content expected on the page, (the page can contain +# whitespace before and after this code). Without urls it skips http probes. + +# provided by NLnetLabs +# It is provided on a best effort basis, with no service guarantee. +# url: "http://ster.nlnetlabs.nl/hotspot.txt OK" + +# provided by FedoraProject +# on Workstation, the detection is turned off +# url: "http://fedoraproject.org/static/hotspot.txt OK" + +# fallback open DNSSEC resolvers that run on TCP port 80 and TCP port 443. +# the ssl443 adds an ssl server IP, if you specify a hash it is checked, put +# the following on one line: ssl443: +# hash is output of openssl x509 -sha256 -fingerprint -in server.pem +# You can add more with extra config lines. + +# Provided by fedoraproject.org, #fedora-admin +# It is provided on a best effort basis, with no service guarantee. +ssl443: 140.211.169.201 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2 +tcp80: 140.211.169.201 +ssl443: 66.35.62.163 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2 +tcp80: 66.35.62.163 +ssl443: 152.19.134.150 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2 +tcp80: 152.19.134.150 +ssl443: 2610:28:3090:3001:dead:beef:cafe:fed9 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2 +tcp80: 2610:28:3090:3001:dead:beef:cafe:fed9 + +# provided by Paul Wouters (pwouters@redhat.com) +# It is provided on a best effort basis, with no service guarantee. 
+# tcp80: 193.110.157.123 +# tcp80: 2001:888:2003:1004::123 +# ssl443: 193.110.157.123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7 +# ssl443: 2001:888:2003:1004::123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7 + +# provided by NLnetLabs (www.nlnetlabs.nl) +# It is provided on a best effort basis, with no service guarantee. +# tcp80: 213.154.224.3 +# tcp80: 2001:7b8:206:1:bb:: +# ssl443: 213.154.224.3 DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F +# ssl443: 2001:7b8:206:1:bb:: DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F + diff --git a/dnssec-trigger.spec b/dnssec-trigger.spec index 9928104..631f545 100644 --- a/dnssec-trigger.spec +++ b/dnssec-trigger.spec 
@@ -1,56 +1,42 @@ %global _hardened_build 1 -#%%global snapshot 20150714 +#%%global svn_snapshot 20150714 Summary: Tool for dynamic reconfiguration of validating resolver Unbound Name: dnssec-trigger -Version: 0.17 -Release: %autorelease -License: BSD-3-clause AND MIT AND ISC -Url: https://www.nlnetlabs.nl/projects/dnssec-trigger/ +Version: 0.15 +Release: 5%{?svn_snapshot:.%{svn_snapshot}svn}%{?dist} +License: BSD +Url: http://www.nlnetlabs.nl/downloads/dnssec-trigger/ -%if 0%{?snapshot:1} +%if 0%{?svn_snapshot:1} # generated using './makedist.sh -s' in the cloned upstream trunk -Source0: %{name}-%{version}_%{snapshot}.tar.gz +Source0: %{name}-%{version}_%{svn_snapshot}.tar.gz %else -Source0: https://www.nlnetlabs.nl/downloads/dnssec-trigger/%{name}-%{version}.tar.gz -Source1: https://www.nlnetlabs.nl/downloads/dnssec-trigger/%{name}-%{version}.tar.gz.asc -Source2: https://keys.openpgp.org/vks/v1/by-fingerprint/EDFAA3F2CA4E6EB05681AF8E9F6F1C2D7E045F8D#/wouter.asc +Source0: http://www.nlnetlabs.nl/downloads/dnssec-trigger/%{name}-%{version}.tar.gz %endif -Source3: dnssec-trigger.tmpfiles.d -#Source4: dnssec-trigger-default.conf -#Source5: dnssec-trigger-workstation.conf -Source6: ssh_config.conf +Source1: dnssec-trigger.tmpfiles.d +Source2: dnssec-trigger-default.conf +Source3: dnssec-trigger-workstation.conf # Patches -# Downstream changes to configuration -Patch1: dnssec-trigger-config-workstation.patch -# Downstream changes to configuration -Patch2: dnssec-trigger-config-default.patch -Patch3: 0003-Move-the-NetworkManager-dispatcher-script-out-of-etc.patch -# https://github.com/NLnetLabs/dnssec-trigger/pull/7 -Patch4: 0004-Add-options-edns0-and-trust-ad.patch -Patch5: dnssec-trigger-configure-c99.patch -# https://github.com/NLnetLabs/dnssec-trigger/commit/f187c2be221a26f3c4ef4d9b16f1df67104ae634 -Patch6: dnssec-trigger-0.17-allowed-characters.patch -Patch7: dnssec-trigger-0.17-openssl-3.2.patch -# https://github.com/NLnetLabs/dnssec-trigger/pull/15 -Patch8: 
dnssec-trigger-0.17-server-recipe.patch +Patch1: 0001-dnssec-trigger-script-port-to-libnm.patch +Patch2: 0002-Fix-that-NXDOMAIN-for-_probe.uk.uk-is-deemed-allrigh.patch # to obsolete the version in which the panel was in main package Obsoletes: %{name} < 0.12-22 Suggests: %{name}-panel # Require a version of NetworkManager that doesn't forget to issue dhcp-change # https://bugzilla.redhat.com/show_bug.cgi?id=1112248 -%if 0%{?rhel} >= 9 || 0%{?fedora} >= 31 -Requires: NetworkManager >= 1.20 -%elif 0%{?rhel} >= 7 +%if 0%{?rhel} >= 7 Requires: NetworkManager >= 0.9.9.1-13 -%elif 0%{?fedora} >= 21 +%else +%if 0%{?fedora} >= 21 Requires: NetworkManager >= 0.9.9.95-1 %else Requires: NetworkManager >= 0.9.9.0-40 %endif +%endif Requires: ldns >= 1.6.10, NetworkManager-libnm, unbound # needed by /usr/sbin/dnssec-trigger-control-setup # otherwise it ends with error: /usr/sbin/dnssec-trigger-control-setup: line 180: openssl: command not found @@ -59,12 +45,11 @@ Requires: openssl Requires: e2fsprogs BuildRequires: openssl-devel, ldns-devel, python3-devel, gcc BuildRequires: NetworkManager-libnm-devel -%if 0%{?fedora} && ! 0%{?snapshot:1} -BuildRequires: gnupg2 -%endif -BuildRequires: systemd-rpm-macros -%{?systemd_ordering} +BuildRequires: systemd +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd # Provides Workstation specific configuration # - No captive portal detection and no action available on Captive portal (No UI) @@ -84,7 +69,6 @@ Requires: %{name} = %{version}-%{release} Obsoletes: %{name} < 0.12-22 Requires: xdg-utils BuildRequires: gtk2-devel, desktop-file-utils -BuildRequires: make %description panel This package provides the GTK panel for interaction between the user 
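Review bot: `Source0` now points at `http://www.nlnetlabs.nl/downloads/dnssec-trigger/…` and the `Source1`/`Source2` signature and key entries are removed, so the spec no longer authenticates the upstream tarball. The related pieces are spread over other hunks: the next hunk drops `BuildRequires: gnupg2`, the `%prep` hunk drops `%gpgverify -d 0 -s 1 -k 2`, and `sources` keeps a single SHA512 line. That checksum still covers the stored copy, but anyone refreshing the tarball from the URL has no signed reference to compare it against. At minimum I would keep the TLS URL, `Source0: https://www.nlnetlabs.nl/downloads/dnssec-trigger/%{name}-%{version}.tar.gz`. If upstream publishes a detached signature for this release (not visible in this diff), the `.asc` source and the `%gpgverify` call should stay as well.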
@@ -94,11 +78,10 @@ some user input is needed, the panel creates a dialog window. %prep -%if 0%{?fedora} && ! 0%{?snapshot:1} -%gpgverify -d 0 -s 1 -k 2 -%endif -%autosetup %{?snapshot:-n %{name}-%{version}_%{snapshot}} -N -%autopatch -m 3 -p1 +%setup -q %{?svn_snapshot:-n %{name}-%{version}_%{svn_snapshot}} + +%patch1 -p1 -b .libnm_port +%patch2 -p1 -b .nxdomain # don't use DNSSEC for forward zones for now sed -i "s/validate_connection_provided_zones=yes/validate_connection_provided_zones=no/" dnssec.conf 
@@ -108,37 +91,27 @@ sed -i "s/validate_connection_provided_zones=yes/validate_connection_provided_zo %configure \ --with-keydir=%{_sysconfdir}/dnssec-trigger \ --with-hooks=networkmanager \ -%if 0%{?rhel} < 9 && 0%{?fedora} < 31 - --with-networkmanager-dispatch=%{_sysconfdir}/NetworkManager/dispatcher.d \ -%endif --with-python=%{__python3} \ - --with-pidfile=%{_rundir}/%{name}d.pid \ - --with-login-command=%{_bindir}/xdg-open \ - --with-login-location="http://hotspot-nocache.fedoraproject.org/" + --with-pidfile=%{_localstatedir}/run/%{name}d.pid -# hotspot-nocache should have TTL=0 - -%make_build - -%autopatch -p1 2 -cp -p example.conf dnssec-trigger-workstation.conf -%autopatch -p1 1 +%{__make} %{?_smp_mflags} %install -# https://github.com/NLnetLabs/dnssec-trigger/pull/13 -install -d -m 0755 %{buildroot}%{_libexecdir} -%make_install +rm -rf %{buildroot} +%{__make} DESTDIR=%{buildroot} install install -d 0755 %{buildroot}%{_unitdir} -install -p -m 0644 example.conf %{buildroot}%{_sysconfdir}/%{name}/dnssec-trigger-default.conf -install -p -m 0644 dnssec-trigger-workstation.conf %{buildroot}%{_sysconfdir}/%{name}/ +install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/%{name}/ +install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/%{name}/ + +mkdir -p %{buildroot}%{_libexecdir} desktop-file-install --dir=%{buildroot}%{_datadir}/applications dnssec-trigger-panel.desktop # install the configuration for /var/run/dnssec-trigger into tmpfiles.d dir mkdir -p %{buildroot}%{_tmpfilesdir} -install -m 644 %{SOURCE3} ${RPM_BUILD_ROOT}%{_tmpfilesdir}/%{name}.conf +install -m 644 %{SOURCE1} ${RPM_BUILD_ROOT}%{_tmpfilesdir}/%{name}.conf # we must create the /var/run/dnssec-trigger directory mkdir -p %{buildroot}%{_localstatedir}/run install -d -m 0755 %{buildroot}%{_localstatedir}/run/%{name} 
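Review bot: In `%install`, the line `install -d 0755 %{buildroot}%{_unitdir}` has no `-m`, so `0755` is read as a second directory name and a stray `0755` directory is created in the build tree. It should read `install -d -m 0755 %{buildroot}%{_unitdir}`, matching the `install -d -m 0755 %{buildroot}%{_localstatedir}/run/%{name}` line at the end of the same hunk. The line is context that this commit leaves unchanged, but it sits between lines the commit rewrites, so it is cheap to fix here. The `%install` section continues past the end of this hunk.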
@@ -149,12 +122,10 @@ ln -s dnssec-trigger-panel %{buildroot}%{_bindir}/dnssec-trigger # Make dnssec-trigger.8 manpage available under names of all dnssec-trigger-* # executables for all in dnssec-trigger-control dnssec-trigger-control-setup dnssec-triggerd; do - ln -s dnssec-trigger.8 %{buildroot}/%{_mandir}/man8/"$all".8 + ln -s %{_mandir}/man8/dnssec-trigger.8 %{buildroot}/%{_mandir}/man8/"$all".8 done -ln -s dnssec-trigger.8 %{buildroot}/%{_mandir}/man8/dnssec-trigger.conf.8 +ln -s %{_mandir}/man8/dnssec-trigger.8 %{buildroot}/%{_mandir}/man8/dnssec-trigger.conf.8 -install -d -m 0755 %{buildroot}%{_sysconfdir}/ssh/ssh_config.d -install -m 0644 %{SOURCE6} %{buildroot}%{_sysconfdir}/ssh/ssh_config.d/10-%{name}.conf %post %systemd_post %{name}d.service @@ -192,18 +163,12 @@ fi %{_libexecdir}/dnssec-trigger-script %{_unitdir}/%{name}d.service %{_unitdir}/%{name}d-keygen.service -%if 0%{?rhel} >= 9 || 0%{?fedora} >= 31 -%attr(0755,root,root) %{_prefix}/lib/NetworkManager/dispatcher.d/01-dnssec-trigger -%else %attr(0755,root,root) %{_sysconfdir}/NetworkManager/dispatcher.d/01-dnssec-trigger -%endif %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/dnssec.conf %attr(0755,root,root) %dir %{_sysconfdir}/%{name} %attr(0644,root,root) %ghost %config(noreplace) %{_sysconfdir}/%{name}/dnssec-trigger.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-trigger-default.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-trigger-workstation.conf -%attr(0755,root,root) %dir %{_sysconfdir}/ssh/ssh_config.d -%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/10-%{name}.conf %dir %{_localstatedir}/run/%{name} %{_tmpfilesdir}/%{name}.conf %{_mandir}/man8/dnssec-trigger* 
@@ -217,4 +182,251 @@ fi %changelog -%autochangelog +* Wed Mar 14 2018 Petr Menšík - 0.15-5 +- Accept NXDOMAIN for NSEC probe (#1555355) + +* Mon Feb 19 2018 Tomas Hozza - 0.15-4 +- Added explicit BuildRequires on gcc as required by packaging guidelines +- Added explicit Requires on e2fsprogs, so that /usr/bin/chattr is available +- Remove redundant removal of immutable bit in %%preun scriptlet (#1542400) + +* Mon Feb 19 2018 Tomas Hozza - 0.15-3 +- use NetworkManager-libnm instead of NetworkManager-glib + +* Wed Feb 07 2018 Fedora Release Engineering - 0.15-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Mon Dec 11 2017 Tomas Hozza - 0.15-1 +- Update to stable 0.15 upstream release + +* Fri Aug 18 2017 Petr Menšík - 0.13-6 +- Skip always failing kr.com, update root IPs (#1482939) + +* Wed Aug 02 2017 Fedora Release Engineering - 0.13-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 0.13-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Wed Mar 08 2017 Tomas Hozza - 0.13-3 +- Rebuild against new ldns + +* Wed Mar 01 2017 Tomas Hozza - 0.13-2 +- Include fix for runtime issues with OpenSSL 1.1.0 (#1427561) + +* Fri Feb 17 2017 Tomas Hozza - 0.13-1 +- Update to stable 0.13 upstream release +- Dropped merged patches + +* Fri Feb 10 2017 Fedora Release Engineering - 0.13-0.6.20150714svn +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Mon Dec 19 2016 Miro Hrončok - 0.13-0.5.20150714svn +- Rebuild for Python 3.6 + +* Wed Feb 03 2016 Fedora Release Engineering - 0.13-0.4.20150714svn +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Tue Nov 10 2015 Fedora Release Engineering +- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5 + +* Mon Jul 20 2015 Tomas Hozza - 0.13-0.2.20150714svn +- Provide Workstation specific configuration + +* Wed Jul 15 2015 Tomas Hozza - 0.13-0.1.20150714svn 
+- split dnssec-trigger panel into separate subpackage (#1236363) +- SPEC file cleanup based on rpmlint and fedora-review issues +- implement some suggestions (#1236363) +- rebase to the latest svn trunk snapshot 0.13_20150714 +- Script is not searching local user directories any more (#1213062) +- Script now doesn't restart NM if version is >= 1.0.3, but sends just signal +- Script now specifies the NMClient version for GI (#1242430) +- Script now sets negative-cache-ttl in unbound to 5 seconds (#1229596) + +* Wed Jun 17 2015 Fedora Release Engineering - 0.12-21 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Wed Apr 08 2015 Tomas Hozza - 0.12-20 +- Fix issue when installing private address range zone without global forwarders (#1205864) +- Fix configuration of private address range zones (#1128310#c20) + +* Fri Mar 13 2015 Tomas Hozza - 0.12-19 +- Fix typo in the dnssec-trigger-script (#1187371) +- Use Python3 by default + +* Mon Jan 26 2015 Pavel Šimerda - 0.12-18 +- Resolves: #1185796, #1130502, #1105685, #1128310 – update + +* Tue Jan 20 2015 Pavel Šimerda - 0.12-17 +- Resolves: #1183975 - systemd cgroup check fails + +* Tue Jan 20 2015 Pavel Šimerda - 0.12-16 +- Resolves: #1165126, #1125267, #1089766, #1112248, #824219 - update + +* Sat Aug 16 2014 Fedora Release Engineering - 0.12-15 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Thu Aug 14 2014 Pavel Šimerda - 0.12-14 +- Resolves: #1125261 - dnssec-trigger-script: use fcntl.flock instead of + lockfile + +* Mon Aug 11 2014 Tomas Hozza - 0.12-13 +- One Fedora fallback server changed IP address (#1125440) + +* Mon Jun 30 2014 Pavel Šimerda - 0.12-12 +- Resolves: #1112248 - require a version of NetworkManager with #1113122 fixed + +* Tue Jun 24 2014 Pavel Šimerda - 0.12-11 +- Resolves: #1112248 - serialize the script instances + +* Tue Jun 24 2014 Pavel Šimerda - 0.12-10 +- Resolves: #1112248 - fix a typo + +* Tue Jun 24 2014 Pavel Šimerda - 0.12-9 +- 
Resolves: #1112248 - fix systemd race condition + +* Mon Jun 23 2014 Pavel Šimerda - 0.12-8 +- Resolves: #1112248 - don't block on systemctl restart NetworkManager + +* Mon Jun 23 2014 Pavel Šimerda - 0.12-7 +- Resolves: #1112248, #1111143 - update dnssec-trigger-script and dnssec-triggerd.service + +* Fri Jun 20 2014 Pavel Šimerda - 0.12-6 +- Resolves: #1111143 - fix for python2 + +* Fri Jun 20 2014 Pavel Šimerda - 0.12-5 +- Related: #842455 - remove a patch that is now redundant + +* Fri Jun 20 2014 Pavel Šimerda - 0.12-4 +- update dnssec-trigger-script to current development submitted upstream + +* Wed Jun 18 2014 Pavel Šimerda - 0.12-3 +- Resolves: #1105896 - the new script doesn't call dnssec-trigger-control submit + +* Fri Jun 06 2014 Pavel Šimerda - 0.12-2 +- fix various dnssec-trigger-script issues + +* Fri May 23 2014 Tomas Hozza - 0.12-1 +- Update to 0.12 version +- Drop merged patches +- Drop downstream files (systemd, dispatcher scripts) + +* Tue May 13 2014 Paul Wouters - 0.11-21 +- Enable full hardening (includig PIE) +- Resolves: rhbz#1045689 dnssec-trigger creates long-time RSA key with inappropriate size + +* Wed Feb 19 2014 Tomas Hozza - 0.11-20 +- Restart NM on dnssec-trigger shutdown (let NM handle the resolv.conf content) +- HN-hook: Handle situation when connection does not have a device + +* Wed Jan 29 2014 Tomas Hozza - 0.11-19 +- Use new Python dispatcher script and ship /etc/dnssec.conf + +* Tue Jan 28 2014 Tomas Hozza - 0.11-18 +- Use systemd macros instead of directly calling systemctl +- simplify the systemd unit file for generating keys + +* Thu Nov 21 2013 Tomas Hozza - 0.11-17 +- Add script to backup and restore resolv.conf on dnssec-trigger start/stop + +* Mon Nov 18 2013 Tomas Hozza - 0.11-16 +- Improve GUI dialogs texts + +* Tue Nov 12 2013 Tomas Hozza - 0.11-15 +- Fix NM dispatcher script to work with NM >= 0.9.9.0 (#1029571) + +* Mon Aug 26 2013 Tomas Hozza - 0.11-14 +- Fix errors found by static analysis of source + +* Fri Aug 
09 2013 Tomas Hozza - 0.11-13 +- Use improved NM dispatcher script from upstream +- Added tmpfiles.d config due to improved NM dispatcher script + +* Sat Aug 03 2013 Fedora Release Engineering - 0.11-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Mon Mar 04 2013 Adam Tkac - 0.11-11 +- link dnssec-trigger.conf.8 to dnssec-trigger.8 +- build dnssec-triggerd with full RELRO + +* Mon Mar 04 2013 Adam Tkac - 0.11-10 +- remove deprecated "Application" keyword from desktop file + +* Mon Mar 04 2013 Adam Tkac - 0.11-9 +- install various dnssec-trigger-* symlinks to dnssec-trigger.8 manpage + +* Wed Feb 13 2013 Fedora Release Engineering - 0.11-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Tue Jan 08 2013 Paul Wouters - 0.11-7 +- Use full path for systemd (rhbz#842455) + +* Tue Jul 24 2012 Paul Wouters - 0.11-6 +- Patched daemon to remove immutable attr (rhbz#842455) as the + systemd ExecStopPost= target does not seem to work + +* Tue Jul 24 2012 Paul Wouters - 0.11-5 +- On service stop, remove immutable attr from resolv.conf (rhbz#842455) + +* Wed Jul 18 2012 Fedora Release Engineering - 0.11-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Thu Jun 28 2012 Paul Wouters - 0.11-3 +- Fix DHCP hook for f17+ version of nmcli (rhbz#835298) + +* Sun Jun 17 2012 Paul Wouters - 0.11-2 +- Small textual changes to some popup windows + +* Fri Jun 15 2012 Paul Wouters - 0.11-1 +- Updated to 0.11 +- http Hotspot detection via fedoraproject.org/static/hotspot.html +- http Hotspot Login page via uses hotspot-nocache.fedoraproject.org + +* Thu Feb 23 2012 Paul Wouters - 0.10-4 +- Require: unbound + +* Wed Feb 22 2012 Paul Wouters - 0.10-3 +- Fix the systemd startup to require unbound +- dnssec-triggerd no longer forks, giving systemd more control +- Fire NM dispatcher in ExecStartPost of dnssec-triggerd.service +- Fix tcp80 entries in dnssec-triggerd.conf +- symlink dnssec-trigger-panel to dnssec-trigger 
to supress the + "-panel" in the applet name shown in gnome3 + + +* Wed Feb 22 2012 Paul Wouters - 0.10-2 +- The NM hook was not modified at the right time during build + +* Wed Feb 22 2012 Paul Wouters - 0.10-1 +- Updated to 0.10 +- The NM hook lacks /usr/sbin in path, resulting in empty resolv.conf on hotspot + +* Wed Feb 08 2012 Paul Wouters - 0.9-4 +- Updated tls443 / tls80 resolver instances supplied by Fedora Hosted + +* Mon Feb 06 2012 Paul Wouters - 0.9-3 +- Convert from SysV to systemd for initial Fedora release +- Moved configs and pem files to /etc/dnssec-trigger/ +- No more /var/run/dnssec-triggerd/ +- Fix Build-requires +- Added commented tls443 port80 entries of pwouters resolvers +- On uninstall ensure there is no immutable bit on /etc/resolv.conf + +* Sat Jan 07 2012 Paul Wouters - 0.9-2 +- Added LICENCE to doc section + +* Mon Dec 19 2011 Paul Wouters - 0.9-1 +- Upgraded to 0.9 + +* Fri Oct 28 2011 Paul Wouters - 0.7-1 +- Upgraded to 0.7 + +* Fri Sep 23 2011 Paul Wouters - 0.4-1 +- Upgraded to 0.4 + +* Sat Sep 17 2011 Paul Wouters - 0.3-5 +- Start 01-dnssec-trigger-hook in daemon start +- Ensure dnssec-triggerd starts after NetworkManager + +* Fri Sep 16 2011 Paul Wouters - 0.3-4 +- Initial package diff --git a/dnssec-trigger.tmpfiles.d b/dnssec-trigger.tmpfiles.d index 9dd701f..000d918 100644 --- a/dnssec-trigger.tmpfiles.d +++ b/dnssec-trigger.tmpfiles.d @@ -1 +1 @@ -d /run/dnssec-trigger 0755 root root - +d /var/run/dnssec-trigger 0755 root root - diff --git a/plans/public.fmf b/plans/public.fmf deleted file mode 100644 index e92437c..0000000 --- a/plans/public.fmf +++ /dev/null @@ -1,6 +0,0 @@ -summary: Run all beakerlib tests for dnssec-trigger -discover: - - name: fedora_tests_dnssec-trigger - how: fmf -execute: - how: tmt diff --git a/sources b/sources index 0986b4d..c7b5358 100644 --- a/sources +++ b/sources 
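Review bot: The tmpfiles.d entry now names `/var/run/dnssec-trigger`, which is a legacy path. On systemd hosts `/var/run` is a symlink to `/run`, and systemd-tmpfiles logs a warning for entries below `/var/run` and rewrites them to `/run`. The same legacy path appears in `--with-pidfile=%{_localstatedir}/run/%{name}d.pid` in the `%build` hunk and in the `pidfile:` lines of the two new .conf files. I would keep `d /run/dnssec-trigger 0755 root root -` here and point the pidfile settings at `%{_rundir}`, unless one of the target releases lacks `/run` (which cannot be determined from this diff).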
@@ -1,2 +1 @@ -SHA512 (dnssec-trigger-0.17.tar.gz) = a3f740f9ba49eee820414211d7390d86c991d964af2562b8590b95afb681dcb82a76f232b836ad663ae6181185366fcd63d75dc81789e3331535e3c26bc18e4e -SHA512 (dnssec-trigger-0.17.tar.gz.asc) = 23efe403ae5638fdce198d38b4b8e3d5ebe8c5630051042a8840adba462fa7a461d892e1f6b049f1da76b920953af8f80c1ab99e6f9d612e8fdb98537ca492c1 +SHA512 (dnssec-trigger-0.15.tar.gz) = 5ce7d7fe9049f14afbb2075a764ae8f44e773801e6ebd7f4eb2bd4cfc07a338db7aa5b666ccad40da1f1528160bab9706cf8015b800f2e23c4b6e3639793a846 diff --git a/ssh_config.conf b/ssh_config.conf deleted file mode 100644 index df077d5..0000000 --- a/ssh_config.conf +++ /dev/null @@ -1,2 +0,0 @@ -# Enable SSHFP verification -VerifyHostKeyDNS yes diff --git a/tests/.gitignore b/tests/.gitignore deleted file mode 100644 index f53babb..0000000 --- a/tests/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -.testinfo.tmt -.*.swp diff --git a/tests/Sanity/basic-functionality/main.fmf b/tests/Sanity/basic-functionality/main.fmf deleted file mode 100644 index 0bb8c12..0000000 --- a/tests/Sanity/basic-functionality/main.fmf +++ /dev/null @@ -1,9 +0,0 @@ -summary: Try starting dnssec-triggerd and use fallbacks -description: | - Use configured fallbacks manually by test_tcp and test_http commands. - Also check resolutions is actually working. -test: ./test.sh -framework: beakerlib -require: - - dnssec-trigger - - unbound diff --git a/tests/Sanity/basic-functionality/test.sh b/tests/Sanity/basic-functionality/test.sh deleted file mode 100755 index f014084..0000000 --- a/tests/Sanity/basic-functionality/test.sh +++ /dev/null 
@@ -1,59 +0,0 @@ -#!/bin/bash -# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k -. /usr/share/beakerlib/beakerlib.sh || exit 1 - -MOVED_RESOLV_CONF="" - -wait_for_probe() { - while dnssec-trigger-control status | grep -q '^probe is in progress'; do - sleep 1 - done -} - -test_fallback() { - local TYPE=$1 - local HOST=$2 - - rlRun "dnssec-trigger-control test_${TYPE}" - wait_for_probe - sleep 1 - rlRun "dnssec-trigger-control status" - rlRun -s "unbound-host -rvD ${HOST}" 0 "Check dnssec works over ${TYPE} fallback" - rlAssertGrep '(secure)' $rlRun_LOG -} - -rlJournalStart - rlPhaseStartSetup - rlRun "tmp=\$(mktemp -d)" 0 "Create tmp directory" - rlAssertRpm dnssec-trigger - rlFileBackup --missing-ok /etc/resolv.conf - if test -L /etc/resolv.conf; then - MOVED_RESOLV_CONF="/etc/resolv-backup-$$.conf" - rlRun "mv /etc/resolv.conf ${MOVED_RESOLV_CONF}" - fi - rlRun "pushd $tmp" - rlServiceStart dnssec-triggerd - rlPhaseEnd - - rlPhaseStartTest - rlRun "dnssec-trigger-control status" - rlRun -s "unbound-host -rvD example.org" 0 "Check dnssec actually works" - rlAssertGrep '(secure)' $rlRun_LOG - - test_fallback tcp www.example.org - # This variant is not passing - #test_fallback http example.net - test_fallback ssl www.example.net - rlPhaseEnd - - rlPhaseStartCleanup - rlServiceRestore dnssec-triggerd - rlRun "popd" - if [ -n "$MOVED_RESOLV_CONF" ]; then - rm -f /etc/resolv.conf - rlRun "mv -f ${MOVED_RESOLV_CONF} /etc/resolv.conf" - fi - rlFileRestore - rlRun "rm -r $tmp" 0 "Remove tmp directory" - rlPhaseEnd -rlJournalEnd diff --git a/wouter.asc b/wouter.asc deleted file mode 100644 index 603e620..0000000 --- a/wouter.asc +++ /dev/null 
@@ -1,123 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -xsFNBE2v/RwBEACyQpJlpCeSZBV1QUH7jNEp5xGdo6OnX2h9XoZ4ZPsb+u6OT+xE -SH45ncnISUh8rPCygbeWOoPR/yOBzh+lYoGxQ5iUHtwRrhHq04sQe/qFpXDO2xs6 -1pTcPU2PnH7Rsr2qp6fZLPHuXLolD7NJfaSib8sVeMM0/ecyl/L2bBg9NpaGDX0x -TQh95M8o6AFo6UKWApBpgsvEZr2aH/B8b9KnCWFhfJyheEM7DamksdZNsKxXQyq3 -l/ROfdsMLZGF8vPbYV/v11G4keyaLpn8AbBpybIiw9SYDwf2ENk3+e1NFfMaiiyE -qn9+aaLTKCY87TMUuoN3s3jWOOy5tHXzf6DbKhub4Awsby3DH5YpPhi4N2vj2pAX -Vpl5+m78cH29JLzT+HAoyZ4tq1r3m0P5QogNqYwqxkKWYOjDilNDBiKiDdgtrLYG -x+ABovKG/FvToJoaCL4AFaVCzWmL2uHkSgyBN0FPHatCB1UeEkcQit6T8E2NQqmF -WjUMXSWHHajSMG95+L5PdLHz/Ku0o3Csvlt2pkElYZmzJBfnOM9JevdsmKr/ruJC -/DCZAn5w2S/9ZF5qfo2F9HUKIwE/dChR29HcN8V4nqZs9oCvEMfFhHmrfwDc5hed -hvb6mAkvSFFtKIrygLIVeWRj3FE9sGp6sr4VwOLYTFRNk7mAsWD1rZApeQARAQAB -zSdXLkMuQS4gV2lqbmdhYXJkcyA8d291dGVyQG5sbmV0bGFicy5ubD7CwX4EEwEC -ACgFAk2v/RwCGyMFCQlmAYAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEJ9v -HC1+BF+N3yoQAIynfrvZ/8RNAv9lLcSc2PX3fvG7oRJEJSy9uMyIbMtb/a1BVCeh -XjR8GhHJ5D/Z3jRWBQKw1rLLvOqbuBGkpKMR100ZVF4z/8e6CWtTAOFy28f1JQw2 -8kilN7K6vjno21S1JJ1XJAdoFdicyb1SW2r+KYod6fjSyF0lb71od+sdnSE9O/xd -Cqyyu6cX+AwfDcuJ6Y8iOWu8CeWAz41LR1QBUQkCb/08mVfCEu+Cj+M31jjPDZEy -UAw219vr4QFe0o3t+Msv0AUZvcRkW6+8qP5lO6I5we/33WBLZH70lhFvYtobM7HO -MCjheRZguSzvRqEETfTjia1uVi3Yz2qM4CFdJIZF6Er79yKcB3jYquultrnlHdXZ -/IZsHVRk6JfiqFkz9u1T9PkvMoQ452aUomGTg9xQchnKpe1E8osKgLulaY+izTEq -Z8pH/HWWJ/YT13/n8pxK9EbC/8SkVhyXNehOSAGDZar+tjVBofgzS8r+GDyv+pBT -SmjitIrVXZNuhigLp1o7Tvs4kjKlcFnLhfDHJ+yb5JyiZd01bVvaqnfRhACqXfWl -oC0uslRbegoYwJUgX0BOrsOuHGH2SfGjd/QnA0bcEXM2kp1Dp1gqtcEd5Qitm647 -Yz+leWkhrmMmtTwqumXoAcvgzthJFUPcAzuhXZNfqQJMOGRxAGVI0P97wsF+BBMB -AgAoAhsjBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCVu+rZAUJDQIVSAAKCRCf -bxwtfgRfjdrWEACMQK0xYtZtAvLL/8CCcCi92Oi1rtXRGWnRy7JX020hftmWliMq -4P0F3CJKVLhgZ/ldp8OOqmfDfmwLMVSaCQ86Ubqn7Ofrf8Ku8SGQuIMxY2ODB97h -ouY4bnDHaM2Cqi6JkBN+G1tgdwqN/kcecF2tq3ql2k7eX91++A+F5ApIu1silzJP -L4Z8W6MVOdKrtzEM7t61hRlsbpEPj72vbVBZ1hmTiIL4VWwdxQYamxBoOeneskyD 
-DG+iMCI3P1GG3EQkk+9Aect/iH9uruE0mxn2aKN8cfuoR93cPF/ozCxS5ItwAVnN -e39WRO1GT2zYaFgYm0lf9czcpRsRzNbGw938lZ3iPUiZe+ybKgLKkVmvrkM59ljH -T99SrC14VXxgQwSs4gS3rdzbY9tPps62Z1q+xCVfTx1IY5P4nt59xwQV0Iw+pV9S -/mVcOnPXl1UKb0ttOdYJErrq3RpF/D2g/NDtL0OWqIa8LvrBlyQYmWPKvKw76vt4 -bJ3NU31jSc0ow/j7EOVjOst86s629zmtnbJjWVr6LOy5EDUPusmqHv1t4Z4RMjf8 -OrJdNbFJoRXZv8FbW4NzXeGtMf8k6vKeejpdMH4+eLuoZG7dchU1JccfgqfwWpy0 -ojmb59drJcaQgVC6Jvw9l0TmGPNIsE4UrIWocaFgv4dOKvHA2hcnMDM8rsLBlQQT -AQIAPwIbIwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQTt+qPyyk5usFaBr46f -bxwtfgRfjQUCWaU4BQUJEZjVaQAKCRCfbxwtfgRfjb1YEACjkhtkyZkYURUmSZNL -2IK/Zencv7DZGRfFrzijROFtHbe//H8o2ZhlyiaFSA/dT1ehjsukkR0oFkYadA+q -Ui06WpxGmd/jf8hP4yTUZkwOhQAesWoNmnhKePNaVMKY8DP57bA+N2pdCcGu7gUt -Yzq2JoTAtV+P/PE2w+H9eyBAulv6iUckM5/qvGfJPl8HB9BtgOpGN79otVWO6ebM -4TQ3cZYI9BDQnt9cF2pviex+z1iLZVJ8UeRxSxYhrBKPJioi0Q1OgcKyO56t7Eot -zxKl5TzprgvdX4cdls+lehD8StlE2Xv/TScHvdOhJuVBrn3a3QjZPb4qSsz74leW -5/EIQmozBy+qf8AHcCmTXwb2U7oHOct7cVyS5+bFx+ThpV5OK0rjTH1LMNiuTeAN -46c1y3prjZRpQUlgVwj06q3Zz/fzDyueUS/r4lW4nAf/VNZy/rTS2HYPoZbHZVCt -GpDIfag6fV6V97Pd3zfhTf2wmsJsw9Xhktp/o7rMBRSMhvL4oevOXb0JSG2583Q/ -JnCCceB4NxRRxsgkRYHwdnXN9FnOPSa4NyvF4rzpPksLGZrhvm+lBvzVn/e40Q/K -lxvSlnn2vW/WBM4pBq1jsoJrd/JkTdijZV7mt7HQ2bCLXAPgfZjy7n79WiCQVHg7 -iYnNikiNWR5TR7JcvdkxOdiA/8LBlQQTAQgAPwIbIwYLCQgHAwIGFQgCCQoLBBYC -AwECHgECF4AWIQTt+qPyyk5usFaBr46fbxwtfgRfjQUCXe4JdQUJGaQN2QAKCRCf -bxwtfgRfjQ8gEACe+49aDQHRuZdDHK1VCJKzhb+MvfdIjvl8eQxljpG9Uz5Y17Bx -4SWfuLHCeGlh1m6IOAWeW4g6Wowm1ec1PkVa79TdrkKb0MxfLSat6iDbiuVjDxy2 -bWokW0/cPzJ/FoWDtEC0H9UTAMb5QGBDZUbLuwX7ZjvMkAhH15/hO9Gj4RHoH1RJ -GJALRtZzjtzsJqL53kW/EV59V1T79Nocyx018iw50Jn02mI8wYJZ9HZc5C7D+K59 -vcqLRZgkrJrObw0sEv3YFOBYp/1DemH2nHPMBSKMmN5RAcr32guUjd4BEWf2Q7Ao -+Qnhdi161W0YKCW4JAmOoQ4bQ0wfE9Q5aUIGhUF52L+ac8Hy7dByaCExCA/WTqQQ -/iVPybmpJQhFonWt/fmpxbE2wKThSEOHTO67e5e3JfUb0vNKssyZojao4h1MF5nv -aPNKoybWwKnpNM0ORcyl+aogKwW7E15TEU0TE5//gAsFwRDcCnSEKnksgM0321m1 -7RDfJbCajIv47DHDYE3yvhRZjCJCaw0Gow1sDRWjdOFpmIixD5/vx5uxyqSHPuGA 
-sXlEvl+Z3Rdc5bQ7pAWu7UNpR3hnJPfg8KL2xqOF75VKG9/NjLE80yj8wdVoCfDv -vizrBtOXnHI49gCMCfNqbGIb5yVhmTdeo7li+Te9hlJ2DrHnujGJlFe+p87BTQRN -r/0cARAApvDKeVLiSazESdTY9KsSWsqoB38pvOsu25M49tEjc5TtY5LwKNckqkeR -lJ83O8dFG7UBVuGwLKaf/6OR/pe24upZ27eOOWW7sXvQNv5aXlOYfF+mjIhUINqj -q4pKDmO1c9J7h5d+auOVfzcgfotg3BVCaKn56ucjiQJ059uUMfgWTvVlibnoJ7de -Zcgt8v7VcLK9jv+P8QJHTIyDzJd+JjdjuHXqC/A37T5G9Z84x8wYrQY6mZmOIYaM -jwIKdgFeN+nLk5henARUz4MTFUW4j9hHpuyAFomDQ93/wkHZ9IEChTxdZnfvsd// -Z45vfcX9dQM+tuR8XCYThVsScI1TnwR46hi5NkfmHo3HVxwB8/owJ+FZDsTNBbJd -7AVy27Xk4L5hLe7BwLDtFMyOp4lOipCM7//mtFB9mTzqnOwiSSyTRlwGUBJkzQFW -Qa0Z6bfYwA6+y1dn19H519GW49irtl+2+W8W4N8oLriIjPvqrQOyaELFcRfV6FfL -i09HPhHVbejOqIEbOtfuN0+mjrrGAwortfTBjfw80N+W90BTvta4K2SyjHcJTkDY -ehfOo/5IMpGtDsOgvsCbDaFRnNJuYtSqQmvWk1KIPIw6CkdJtZa3+q3YA7D7ovOV -H1OBTKNdBjc+X4W8L5R9MCymXWvgiP+52Sv1VIcZmsnCBrwK490AEQEAAcLBZQQY -AQIADwUCTa/9HAIbDAUJCWYBgAAKCRCfbxwtfgRfjTY/D/9+kX8LeqBhwDdwy3ud -V67KmVmytwGMfzBHbAyBdy84X06ip/If/VkjL+2Sv5Uml/cOOzGZT7y/KEt0uXQz -gOZhGP5Y0OREf4kSzfb7tsGu3ZjTp5uJe7HiJr8uqYGfx94TQG/A3x1C7MlxOGmW -DK/Eh/eNVeNd+3yyDEzl2p7a0yUhI8LtzllVrEDX+G4rz+mdDw4tfPDqzRPzPvVt -PfqnfofHP5r2dshGe7+pCTC+o0jHWpaiFkEiIrR3PbZ9tV6+F5LzCUJJP5nepz6C -ShpLHq9ST6qZiw5ZpdznHW0kVl96YxgynJq9Y4dqD/8nOfTzdHhXXEogGvRfcxat -xeZF7YNFhUU2p+CswAjRKCUzZAz0hDAu+dJ+fw4Odx7ii8uiwhEnEHoo8rPETkXw -UK1je4MCzMRSy0Gippzk/oZ7noIml+Njas/UygavUOQm8bcPqGfWeFqvM2C7ZobL -2iV0fX/bhEmQyosiWJ0nHuKdwDYygYs/4LtZLxwiKli/lm6IDz1028j6/98Z81gG -oltXWokTYAPEgcBuhyiSLSQ1wojTVMYt9rPKMBakTzP+0FoWqoNafWOlHovP6iUB -2Igll2ZT3AvrBQ8jAbRbuUl46QpBaKsl+pBo86az0fRkMxv0N4dQv4Q7Z0g71u9N -Tpaq1vtAZOwc0kl3uGNK18PnV8LBZQQYAQIADwIbDAUCVu+raQUJDQIVTQAKCRCf -bxwtfgRfjVnYEACZ1E/FfLDi4vLUd9diImmNN/zWDHxTsO/VG3lt50rSoJM5NGB4 -RlwcbUKhah2fD44FFiIqGIvKD9hRgB51dVRIkaR3ozVtXRBKxJJqWj38wf2FDLtU -XC5/JHYb0sjAc3ad2sA9xEmEBVO1lWK3J6h4gKZiAGlWz3oeOSve3vrTKsBlP0Cu -rUeb4WTVpw4drBJD7cDh8SJ4/Cq76UFx8lW0xR+pHZHcd0/Ir5v5HnnEgbnut4Ix -eY3/CGBfQfSQHylK7ifmPWq+dflC/ZdfHY1V96EHKPM44ZLwiczoY3qp5nkmEc3B 
-Y6+P8Ch5gddOYaY18wpedarswnpOLQD2Xbsj66Eh0IZuuuZGyfOqJNaWbP33L27e -g35XQNTgyhuZmDyRKL6yAbhU74TXCCvze/kkfqDn2ouCtM8/kqLX1v0+NkBxlhZU -kTTVDyclZtwu6Vypus3+j2Zqk8sXeUZI64sjXpzwOcMZxdl3QuyxMktExWzk9Q5D -YqO+pj/YGt1vp2M0YgSUWNWCvfBcjEPFgaljyqz3BdvR/LYohnXuQL9SWObF+sIF -c9D0w/yORYQcKP5kSWVC/qwFdC61OGeSDnQ/0o0T5PefhYS82gsIrjQ+HIJ7CLUT -k7kBNljvtfpoWegH02feR0kSRoCXA6x+YHT4fmB41pW8S1V5a5dEltA/JMLBfAQY -AQIAJgIbDBYhBO36o/LKTm6wVoGvjp9vHC1+BF+NBQJZpTgKBQkRmNVuAAoJEJ9v -HC1+BF+NyNQP/A3h+cOOkYUxyKpNHdtlIfCn8db5tHXSCbE19Qi7EK1SiK5atjo+ -VoRtB+L01kH6GCx5oZjeIhUdzYFwEUsdCDgwD6r0dKFwKIGa4TFcfnx+Z5B+HZgL -Yc6ac5PEHF1qZVXZH9GSGeNw5h2yyqf4yhvetSN6L2id14m5XXJV5e7NfOgmaSnG -0Z+wQvPSiu+Q00XpENT8HFSTSCjRATjk12rpy6TPeeC52NK1gLhGDRHN0k6m+vm4 -yoC+Nd6iPQpnc+5xs7NDnq2dFuSTp7UTGebzPhhdSQgujEFuYLwzQMZu1h5amtA+ -v9j7BYEJkOMC7bm1PNNA2QQ6QfH8Hf+mJeINyJO8A5KS3ceP+eo3SLR8T0hPzu9g -ZuZ22Hn3DXQh1VNRshaLKgNvoXpL3dQ48d1SFFKhEDpy2HSXUq2fs5rH0uszFGes -G7K6EQRAYRcDrCkt9fdfkvCSxAFw9d+472xThzgKcN+MkOec+SaY+xlVULjEfCWy -RVC8Opam4mTm/XT4mVLxP/qnsy7kEhLoc/ouB+lY/ks06LpZJvCXL6WfA9You1Fi -1Mg7GhSh9JKg6X6E8Trm+N4dxJGut1xbbGmmKXqfi4pej9KlkdeM9t1df/vWKlPa -7Hzd8H0btgJx066wC4yt0ghxtsJXBsCDxWLfzaSRZ2/eP16mHqxDjsQQwsF8BBgB -CAAmAhsMFiEE7fqj8spObrBWga+On28cLX4EX40FAl3uCX0FCRmkDeEACgkQn28c -LX4EX43TQA/+JV8ReMRJCn3Cfqbe5ycFn8p6dIVnJiQuhiEyu5yzdpSkKyzcVFJO -bQcqw7s50FJuLUbxdvbcuGIaoTu7dhBoUXO5tOuIQAsKTfGfgoOgelJm+/q2h645 -EnAVINGbMDXrmo4/UFJkNjUMA6SQi/yiam7N0y58eoDC4sGmBKuN2EW2MoWahlXw -8SS1+Ab9qVBs/RqbSy6f1nJL39aPpPDmvyJOSYtHnNSFlYWVhr0zGAi5rnswlFGr -ECGbHpr5FajUK7zcmtNPbi7F30K48xfF3XnDIeIBcerrEBQMaPUZcBlddGhmSVVJ -ZU/YhR35JNgPnmp33gOuZaRiW9lauZFwsMQBIBkLpJWoUtu8QLkyC0HmJzVRep0/ -s1RkzaJ+1G1BzXTQiXaLaUQWG5h3pcMD8fxY5qp9KbG/+10bY0sRbRBXgS6mz7dd -HaBtg/E8ty2nEB1HDXA9HAHu7KlH9e96sPZjz9C46ZiOXe6ZAOk6wBYts4RG4bCQ -9pGORJ+P2Jr2pz1NZQbs1AhnjJixTsfZfsGZ5lHxGLjIyxtdGB/irLEqNTIMek2y -p4CShmWoZwN0V3aGYMe/rC4tSXG79IeKNwF3Vd5MHtB+hcJG2qztBtKQuW29rbRA -5bNxwTWe8skwOKsxXnP9RC974k0XkPS+VwgmVgNN1ewS/0oHvmEP71Q= -=Oqje ------END PGP PUBLIC 
KEY BLOCK-----