From 297a400d1cffba03b910db271751a2058cee2f71 Mon Sep 17 00:00:00 2001 From: Todd Zullinger Date: Thu, 15 Jun 2023 23:59:16 -0400 Subject: [PATCH 1/5] Remove execute bit on ssh_config.d snippet There is no need for the file to be executable. It's installed without the execute bit but the %attr() overrides that, unintentionally, I presume. --- dnssec-trigger.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/dnssec-trigger.spec b/dnssec-trigger.spec index 80ee81c..c63f923 100644 --- a/dnssec-trigger.spec +++ b/dnssec-trigger.spec @@ -5,7 +5,7 @@ Summary: Tool for dynamic reconfiguration of validating resolver Unbound Name: dnssec-trigger Version: 0.17 -Release: 8%{?snapshot:.%{snapshot}git}%{?dist} +Release: 9%{?snapshot:.%{snapshot}git}%{?dist} License: BSD Url: https://www.nlnetlabs.nl/projects/dnssec-trigger/ @@ -187,7 +187,7 @@ fi %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-trigger-default.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-trigger-workstation.conf %attr(0755,root,root) %dir %{_sysconfdir}/ssh/ssh_config.d -%attr(0755,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/10-%{name}.conf +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/10-%{name}.conf %dir %{_localstatedir}/run/%{name} %{_tmpfilesdir}/%{name}.conf %{_mandir}/man8/dnssec-trigger* @@ -201,6 +201,9 @@ fi %changelog +* Thu Jun 15 2023 Todd Zullinger - 0.17-9 +- Remove execute bit on ssh_config.d snippet + * Thu Jul 21 2022 Fedora Release Engineering - 0.17-8 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild From 6e7ba4030ce7b52e5fa33229c14d717bac040b6b Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Mon, 24 Jul 2023 16:18:20 +0200 Subject: [PATCH 2/5] Remove fedora specific servers These servers had not been actively maintained for years. Because we even haven't found some of them had too strict firewall. Direct few users that need them to upstream provided servers. (cherry picked from commit 1c7856199c916919f2534c04921a22b6a3403446) --- dnssec-trigger-default.conf | 19 ++++--------------- dnssec-trigger-workstation.conf | 19 ++++--------------- 2 files changed, 8 insertions(+), 30 deletions(-) diff --git a/dnssec-trigger-default.conf b/dnssec-trigger-default.conf index 337ee34..e9c70f3 100644 --- a/dnssec-trigger-default.conf +++ b/dnssec-trigger-default.conf @@ -72,17 +72,6 @@ url: "http://fedoraproject.org/static/hotspot.txt OK" # hash is output of openssl x509 -sha256 -fingerprint -in server.pem # You can add more with extra config lines. -# Provided by fedoraproject.org, #fedora-admin -# It is provided on a best effort basis, with no service guarantee. -ssl443: 140.211.169.201 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2 -tcp80: 140.211.169.201 -ssl443: 8.43.85.74 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2 -tcp80: 8.43.85.74 -ssl443: 152.19.134.150 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2 -tcp80: 152.19.134.150 -ssl443: 2610:28:3090:3001:dead:beef:cafe:fed9 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2 -tcp80: 2610:28:3090:3001:dead:beef:cafe:fed9 - # provided by Paul Wouters (pwouters@redhat.com) # It is provided on a best effort basis, with no service guarantee. # tcp80: 193.110.157.123 
@@ -92,8 +81,8 @@ tcp80: 2610:28:3090:3001:dead:beef:cafe:fed9 # provided by NLnetLabs (www.nlnetlabs.nl) # It is provided on a best effort basis, with no service guarantee. -# tcp80: 213.154.224.3 -# tcp80: 2001:7b8:206:1:bb:: -# ssl443: 213.154.224.3 DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F -# ssl443: 2001:7b8:206:1:bb:: DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F +tcp80: 213.154.224.3 +tcp80: 2001:7b8:206:1:bb:: +ssl443: 213.154.224.3 DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F +ssl443: 2001:7b8:206:1:bb:: DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F diff --git a/dnssec-trigger-workstation.conf b/dnssec-trigger-workstation.conf index 2ffe0ca..8e20671 100644 --- a/dnssec-trigger-workstation.conf +++ b/dnssec-trigger-workstation.conf 
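Review bot: The four NLnetLabs entries un-commented at the end of this hunk (`tcp80: 213.154.224.3` through `ssl443: 2001:7b8:206:1:bb:: DC:22:…`) become the only active fallback servers, yet nothing in the change shows that the addresses or the pinned fingerprint were re-checked. Patch 5/5 of this series states that upstream stopped using those addresses and that hash in 2014. A tree checked out at this commit, or a backport that cherry-picks only this change, would presumably ship with no reachable tcp80/ssl443 fallback. Consider folding the address and fingerprint update from 5/5 into this commit so the enabled entries are valid at every step. The same applies to the matching hunk in dnssec-trigger-workstation.conf.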
@@ -74,17 +74,6 @@ control-cert-file: "/etc/dnssec-trigger/dnssec_trigger_control.pem" # hash is output of openssl x509 -sha256 -fingerprint -in server.pem # You can add more with extra config lines. -# Provided by fedoraproject.org, #fedora-admin -# It is provided on a best effort basis, with no service guarantee. -ssl443: 140.211.169.201 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2 -tcp80: 140.211.169.201 -ssl443: 8.43.85.74 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2 -tcp80: 8.43.85.74 -ssl443: 152.19.134.150 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2 -tcp80: 152.19.134.150 -ssl443: 2610:28:3090:3001:dead:beef:cafe:fed9 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2 -tcp80: 2610:28:3090:3001:dead:beef:cafe:fed9 - # provided by Paul Wouters (pwouters@redhat.com) # It is provided on a best effort basis, with no service guarantee. # tcp80: 193.110.157.123 @@ -94,8 +83,8 @@ tcp80: 2610:28:3090:3001:dead:beef:cafe:fed9 # provided by NLnetLabs (www.nlnetlabs.nl) # It is provided on a best effort basis, with no service guarantee. -# tcp80: 213.154.224.3 -# tcp80: 2001:7b8:206:1:bb:: -# ssl443: 213.154.224.3 DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F -# ssl443: 2001:7b8:206:1:bb:: DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F +tcp80: 213.154.224.3 +tcp80: 2001:7b8:206:1:bb:: +ssl443: 213.154.224.3 DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F +ssl443: 2001:7b8:206:1:bb:: DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F From c39ba6da7b9ed9c422ce638369e5dcbe183e4ad8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Mon, 24 Jul 2023 17:14:50 +0200 Subject: [PATCH 3/5] Remove Paul's servers They seem to be offline as well. (cherry picked from commit 417bf7426ec9d221cff9623c683fbc32fb26c9a1) --- dnssec-trigger-default.conf | 7 ------- dnssec-trigger-workstation.conf | 7 ------- 2 files changed, 14 deletions(-) diff --git a/dnssec-trigger-default.conf b/dnssec-trigger-default.conf index e9c70f3..cbb1c21 100644 --- a/dnssec-trigger-default.conf +++ b/dnssec-trigger-default.conf @@ -72,13 +72,6 @@ url: "http://fedoraproject.org/static/hotspot.txt OK" # hash is output of openssl x509 -sha256 -fingerprint -in server.pem # You can add more with extra config lines. -# provided by Paul Wouters (pwouters@redhat.com) -# It is provided on a best effort basis, with no service guarantee. -# tcp80: 193.110.157.123 -# tcp80: 2001:888:2003:1004::123 -# ssl443: 193.110.157.123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7 -# ssl443: 2001:888:2003:1004::123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7 - # provided by NLnetLabs (www.nlnetlabs.nl) # It is provided on a best effort basis, with no service guarantee. tcp80: 213.154.224.3 diff --git a/dnssec-trigger-workstation.conf b/dnssec-trigger-workstation.conf index 8e20671..738d6c6 100644 --- a/dnssec-trigger-workstation.conf +++ b/dnssec-trigger-workstation.conf 
@@ -74,13 +74,6 @@ control-cert-file: "/etc/dnssec-trigger/dnssec_trigger_control.pem" # hash is output of openssl x509 -sha256 -fingerprint -in server.pem # You can add more with extra config lines. -# provided by Paul Wouters (pwouters@redhat.com) -# It is provided on a best effort basis, with no service guarantee. -# tcp80: 193.110.157.123 -# tcp80: 2001:888:2003:1004::123 -# ssl443: 193.110.157.123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7 -# ssl443: 2001:888:2003:1004::123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7 - # provided by NLnetLabs (www.nlnetlabs.nl) # It is provided on a best effort basis, with no service guarantee. tcp80: 213.154.224.3 From 0cbfae322a0255164ecfd0d4bd5b25fd3b24ec0c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 25 Jul 2023 09:24:21 +0200 Subject: [PATCH 4/5] Remove fedora specific servers, fallback to upstream server --- dnssec-trigger.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dnssec-trigger.spec b/dnssec-trigger.spec index c63f923..af79c78 100644 --- a/dnssec-trigger.spec +++ b/dnssec-trigger.spec @@ -5,7 +5,7 @@ Summary: Tool for dynamic reconfiguration of validating resolver Unbound Name: dnssec-trigger Version: 0.17 -Release: 9%{?snapshot:.%{snapshot}git}%{?dist} +Release: 10%{?snapshot:.%{snapshot}git}%{?dist} License: BSD Url: https://www.nlnetlabs.nl/projects/dnssec-trigger/ @@ -201,6 +201,9 @@ fi %changelog +* Tue Jul 25 2023 Petr Menšík - 0.17-10 +- Remove fedora specific servers, fallback to upstream server + * Thu Jun 15 2023 Todd Zullinger - 0.17-9 - Remove execute bit on ssh_config.d snippet From 83370a1698106435382443766a856f2716dd2e1b Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 25 Jul 2023 10:42:50 +0200 Subject: [PATCH 5/5] Update upstream servers to zus.nlnetlabs.nl. Upstream servers no longer have the original IP addresses or that hash. Fix addresses to working set actually instead of uncommenting the very old set. The set were changed in 2014 by upstream commit bafdcd5. --- dnssec-trigger-default.conf | 8 ++++---- dnssec-trigger-workstation.conf | 9 ++++----- dnssec-trigger.spec | 5 ++++- 3 files changed, 12 insertions(+), 10 deletions(-) diff --git a/dnssec-trigger-default.conf b/dnssec-trigger-default.conf index cbb1c21..4c03dbe 100644 --- a/dnssec-trigger-default.conf +++ b/dnssec-trigger-default.conf @@ -74,8 +74,8 @@ url: "http://fedoraproject.org/static/hotspot.txt OK" # provided by NLnetLabs (www.nlnetlabs.nl) # It is provided on a best effort basis, with no service guarantee. -tcp80: 213.154.224.3 -tcp80: 2001:7b8:206:1:bb:: -ssl443: 213.154.224.3 DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F -ssl443: 2001:7b8:206:1:bb:: DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F +tcp80: 185.49.140.67 +tcp80: 2a04:b900::10:0:0:67 +ssl443: 185.49.140.67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF +ssl443: 2a04:b900::10:0:0:67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF diff --git a/dnssec-trigger-workstation.conf b/dnssec-trigger-workstation.conf index 738d6c6..ef0604a 100644 --- a/dnssec-trigger-workstation.conf +++ b/dnssec-trigger-workstation.conf 
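Review bot: The new `ssl443:` lines pin a SHA-256 certificate fingerprint, but the config records neither which host it belongs to nor where the value came from. The comment above them still says only "provided by NLnetLabs (www.nlnetlabs.nl)", while zus.nlnetlabs.nl and upstream commit bafdcd5 appear only in the commit message. The previous pin went stale unnoticed, so I would add a line above the entries such as `# zus.nlnetlabs.nl; addresses and fingerprint per upstream commit bafdcd5, re-check when the server certificate is renewed`. Both files are packaged as `%config(noreplace)` (see the %files lines in patch 1/5), so locally edited copies will presumably keep the dead addresses and old pin after the update; the changelog entry could say so. The same applies to the hunk in dnssec-trigger-workstation.conf.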
@@ -76,8 +76,7 @@ control-cert-file: "/etc/dnssec-trigger/dnssec_trigger_control.pem" # provided by NLnetLabs (www.nlnetlabs.nl) # It is provided on a best effort basis, with no service guarantee. -tcp80: 213.154.224.3 -tcp80: 2001:7b8:206:1:bb:: -ssl443: 213.154.224.3 DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F -ssl443: 2001:7b8:206:1:bb:: DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F - +tcp80: 185.49.140.67 +tcp80: 2a04:b900::10:0:0:67 +ssl443: 185.49.140.67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF +ssl443: 2a04:b900::10:0:0:67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF diff --git a/dnssec-trigger.spec b/dnssec-trigger.spec index af79c78..29d2fc1 100644 --- a/dnssec-trigger.spec +++ b/dnssec-trigger.spec @@ -5,7 +5,7 @@ Summary: Tool for dynamic reconfiguration of validating resolver Unbound Name: dnssec-trigger Version: 0.17 -Release: 10%{?snapshot:.%{snapshot}git}%{?dist} +Release: 11%{?snapshot:.%{snapshot}git}%{?dist} License: BSD Url: https://www.nlnetlabs.nl/projects/dnssec-trigger/ @@ -201,6 +201,9 @@ fi %changelog +* Tue Jul 25 2023 Petr Menšík - 0.17-11 +- Update upstream servers to zus.nlnetlabs.nl. + * Tue Jul 25 2023 Petr Menšík - 0.17-10 - Remove fedora specific servers, fallback to upstream server