diff --git a/.fmf/version b/.fmf/version
new file mode 100644
index 0000000..d00491f
--- /dev/null
+++ b/.fmf/version
@@ -0,0 +1 @@
+1
diff --git a/changelog b/changelog
new file mode 100644
index 0000000..ca93ebf
--- /dev/null
+++ b/changelog
@@ -0,0 +1,313 @@ +* Wed Jul 19 2023 Fedora Release Engineering - 0.17-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Thu Jun 15 2023 Todd Zullinger - 0.17-11 +- Remove execute bit on ssh_config.d snippet + +* Thu Jan 19 2023 Fedora Release Engineering - 0.17-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Fri Dec 16 2022 Florian Weimer - 0.17-9 +- Port configure script to C99 + +* Thu Jul 21 2022 Fedora Release Engineering - 0.17-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Thu Jan 20 2022 Fedora Release Engineering - 0.17-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Tue Sep 14 2021 Sahana Prasad - 0.17-6 +- Rebuilt with OpenSSL 3.0.0 + +* Wed Jul 21 2021 Fedora Release Engineering - 0.17-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 0.17-4 +- Rebuilt for updated systemd-rpm-macros + See https://pagure.io/fesco/issue/2583. 
+ +* Tue Jan 26 2021 Fedora Release Engineering - 0.17-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Sat Dec 19 2020 Adam Williamson - 0.17-2 +- Rebuild for libldns soname bump + +* Tue Oct 13 2020 Petr Menšík - 0.17-1 +- Update to 0.17 + +* Mon Oct 12 2020 Petr Menšík - 0.15-14 +- Add edns0 option to resolv.conf +- Add VerifyHostKeyDNS to ssh config + +* Mon Jul 27 2020 Fedora Release Engineering - 0.15-13 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jan 28 2020 Fedora Release Engineering - 0.15-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Mon Jan 06 2020 Jeff Law - 0.15-11 +- Fix typo in last change + +* Thu Aug 22 2019 Lubomir Rintel - 0.15-10 +- Move the NetworkManager dispatcher script out of /etc + +* Wed Jul 24 2019 Fedora Release Engineering - 0.15-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Thu Jan 31 2019 Fedora Release Engineering - 0.15-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Thu Jul 12 2018 Fedora Release Engineering - 0.15-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Tue Jun 19 2018 Miro Hrončok - 0.15-6 +- Rebuilt for Python 3.7 + +* Wed Mar 14 2018 Petr Menšík - 0.15-5 +- Accept NXDOMAIN for NSEC probe (#1555355) + +* Mon Feb 19 2018 Tomas Hozza - 0.15-4 +- Added explicit BuildRequires on gcc as required by packaging guidelines +- Added explicit Requires on e2fsprogs, so that /usr/bin/chattr is available +- Remove redundant removal of immutable bit in %%preun scriptlet (#1542400) + +* Mon Feb 19 2018 Tomas Hozza - 0.15-3 +- use NetworkManager-libnm instead of NetworkManager-glib + +* Wed Feb 07 2018 Fedora Release Engineering - 0.15-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Mon Dec 11 2017 Tomas Hozza - 0.15-1 +- Update to stable 0.15 upstream release + +* Fri Aug 18 2017 Petr Menšík - 0.13-6 +- Skip always failing kr.com, 
update root IPs (#1482939) + +* Wed Aug 02 2017 Fedora Release Engineering - 0.13-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 0.13-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Wed Mar 08 2017 Tomas Hozza - 0.13-3 +- Rebuild against new ldns + +* Wed Mar 01 2017 Tomas Hozza - 0.13-2 +- Include fix for runtime issues with OpenSSL 1.1.0 (#1427561) + +* Fri Feb 17 2017 Tomas Hozza - 0.13-1 +- Update to stable 0.13 upstream release +- Dropped merged patches + +* Fri Feb 10 2017 Fedora Release Engineering - 0.13-0.6.20150714svn +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Mon Dec 19 2016 Miro Hrončok - 0.13-0.5.20150714svn +- Rebuild for Python 3.6 + +* Wed Feb 03 2016 Fedora Release Engineering - 0.13-0.4.20150714svn +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Tue Nov 10 2015 Fedora Release Engineering +- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5 + +* Mon Jul 20 2015 Tomas Hozza - 0.13-0.2.20150714svn +- Provide Workstation specific configuration + +* Wed Jul 15 2015 Tomas Hozza - 0.13-0.1.20150714svn +- split dnssec-trigger panel into separate subpackage (#1236363) +- SPEC file cleanup based on rpmlint and fedora-review issues +- implement some suggestions (#1236363) +- rebase to the latest svn trunk snapshot 0.13_20150714 +- Script is not searching local user directories any more (#1213062) +- Script now doesn't restart NM if version is >= 1.0.3, but sends just signal +- Script now specifies the NMClient version for GI (#1242430) +- Script now sets negative-cache-ttl in unbound to 5 seconds (#1229596) + +* Wed Jun 17 2015 Fedora Release Engineering - 0.12-21 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Wed Apr 08 2015 Tomas Hozza - 0.12-20 +- Fix issue when installing private address range zone without global forwarders (#1205864) +- Fix 
configuration of private address range zones (#1128310#c20) + +* Fri Mar 13 2015 Tomas Hozza - 0.12-19 +- Fix typo in the dnssec-trigger-script (#1187371) +- Use Python3 by default + +* Mon Jan 26 2015 Pavel Šimerda - 0.12-18 +- Resolves: #1185796, #1130502, #1105685, #1128310 – update + +* Tue Jan 20 2015 Pavel Šimerda - 0.12-17 +- Resolves: #1183975 - systemd cgroup check fails + +* Tue Jan 20 2015 Pavel Šimerda - 0.12-16 +- Resolves: #1165126, #1125267, #1089766, #1112248, #824219 - update + +* Sat Aug 16 2014 Fedora Release Engineering - 0.12-15 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Thu Aug 14 2014 Pavel Šimerda - 0.12-14 +- Resolves: #1125261 - dnssec-trigger-script: use fcntl.flock instead of + lockfile + +* Mon Aug 11 2014 Tomas Hozza - 0.12-13 +- One Fedora fallback server changed IP address (#1125440) + +* Mon Jun 30 2014 Pavel Šimerda - 0.12-12 +- Resolves: #1112248 - require a version of NetworkManager with #1113122 fixed + +* Tue Jun 24 2014 Pavel Šimerda - 0.12-11 +- Resolves: #1112248 - serialize the script instances + +* Tue Jun 24 2014 Pavel Šimerda - 0.12-10 +- Resolves: #1112248 - fix a typo + +* Tue Jun 24 2014 Pavel Šimerda - 0.12-9 +- Resolves: #1112248 - fix systemd race condition + +* Mon Jun 23 2014 Pavel Šimerda - 0.12-8 +- Resolves: #1112248 - don't block on systemctl restart NetworkManager + +* Mon Jun 23 2014 Pavel Šimerda - 0.12-7 +- Resolves: #1112248, #1111143 - update dnssec-trigger-script and dnssec-triggerd.service + +* Fri Jun 20 2014 Pavel Šimerda - 0.12-6 +- Resolves: #1111143 - fix for python2 + +* Fri Jun 20 2014 Pavel Šimerda - 0.12-5 +- Related: #842455 - remove a patch that is now redundant + +* Fri Jun 20 2014 Pavel Šimerda - 0.12-4 +- update dnssec-trigger-script to current development submitted upstream + +* Wed Jun 18 2014 Pavel Šimerda - 0.12-3 +- Resolves: #1105896 - the new script doesn't call dnssec-trigger-control submit + +* Fri Jun 06 2014 Pavel Šimerda - 0.12-2 +- fix 
various dnssec-trigger-script issues + +* Fri May 23 2014 Tomas Hozza - 0.12-1 +- Update to 0.12 version +- Drop merged patches +- Drop downstream files (systemd, dispatcher scripts) + +* Tue May 13 2014 Paul Wouters - 0.11-21 +- Enable full hardening (includig PIE) +- Resolves: rhbz#1045689 dnssec-trigger creates long-time RSA key with inappropriate size + +* Wed Feb 19 2014 Tomas Hozza - 0.11-20 +- Restart NM on dnssec-trigger shutdown (let NM handle the resolv.conf content) +- HN-hook: Handle situation when connection does not have a device + +* Wed Jan 29 2014 Tomas Hozza - 0.11-19 +- Use new Python dispatcher script and ship /etc/dnssec.conf + +* Tue Jan 28 2014 Tomas Hozza - 0.11-18 +- Use systemd macros instead of directly calling systemctl +- simplify the systemd unit file for generating keys + +* Thu Nov 21 2013 Tomas Hozza - 0.11-17 +- Add script to backup and restore resolv.conf on dnssec-trigger start/stop + +* Mon Nov 18 2013 Tomas Hozza - 0.11-16 +- Improve GUI dialogs texts + +* Tue Nov 12 2013 Tomas Hozza - 0.11-15 +- Fix NM dispatcher script to work with NM >= 0.9.9.0 (#1029571) + +* Mon Aug 26 2013 Tomas Hozza - 0.11-14 +- Fix errors found by static analysis of source + +* Fri Aug 09 2013 Tomas Hozza - 0.11-13 +- Use improved NM dispatcher script from upstream +- Added tmpfiles.d config due to improved NM dispatcher script + +* Sat Aug 03 2013 Fedora Release Engineering - 0.11-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Mon Mar 04 2013 Adam Tkac - 0.11-11 +- link dnssec-trigger.conf.8 to dnssec-trigger.8 +- build dnssec-triggerd with full RELRO + +* Mon Mar 04 2013 Adam Tkac - 0.11-10 +- remove deprecated "Application" keyword from desktop file + +* Mon Mar 04 2013 Adam Tkac - 0.11-9 +- install various dnssec-trigger-* symlinks to dnssec-trigger.8 manpage + +* Wed Feb 13 2013 Fedora Release Engineering - 0.11-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Tue Jan 08 2013 Paul Wouters - 
0.11-7 +- Use full path for systemd (rhbz#842455) + +* Tue Jul 24 2012 Paul Wouters - 0.11-6 +- Patched daemon to remove immutable attr (rhbz#842455) as the + systemd ExecStopPost= target does not seem to work + +* Tue Jul 24 2012 Paul Wouters - 0.11-5 +- On service stop, remove immutable attr from resolv.conf (rhbz#842455) + +* Wed Jul 18 2012 Fedora Release Engineering - 0.11-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Thu Jun 28 2012 Paul Wouters - 0.11-3 +- Fix DHCP hook for f17+ version of nmcli (rhbz#835298) + +* Sun Jun 17 2012 Paul Wouters - 0.11-2 +- Small textual changes to some popup windows + +* Fri Jun 15 2012 Paul Wouters - 0.11-1 +- Updated to 0.11 +- http Hotspot detection via fedoraproject.org/static/hotspot.html +- http Hotspot Login page via uses hotspot-nocache.fedoraproject.org + +* Thu Feb 23 2012 Paul Wouters - 0.10-4 +- Require: unbound + +* Wed Feb 22 2012 Paul Wouters - 0.10-3 +- Fix the systemd startup to require unbound +- dnssec-triggerd no longer forks, giving systemd more control +- Fire NM dispatcher in ExecStartPost of dnssec-triggerd.service +- Fix tcp80 entries in dnssec-triggerd.conf +- symlink dnssec-trigger-panel to dnssec-trigger to supress the + "-panel" in the applet name shown in gnome3 + + +* Wed Feb 22 2012 Paul Wouters - 0.10-2 +- The NM hook was not modified at the right time during build + +* Wed Feb 22 2012 Paul Wouters - 0.10-1 +- Updated to 0.10 +- The NM hook lacks /usr/sbin in path, resulting in empty resolv.conf on hotspot + +* Wed Feb 08 2012 Paul Wouters - 0.9-4 +- Updated tls443 / tls80 resolver instances supplied by Fedora Hosted + +* Mon Feb 06 2012 Paul Wouters - 0.9-3 +- Convert from SysV to systemd for initial Fedora release +- Moved configs and pem files to /etc/dnssec-trigger/ +- No more /var/run/dnssec-triggerd/ +- Fix Build-requires +- Added commented tls443 port80 entries of pwouters resolvers +- On uninstall ensure there is no immutable bit on /etc/resolv.conf + +* 
Sat Jan 07 2012 Paul Wouters - 0.9-2 +- Added LICENCE to doc section + +* Mon Dec 19 2011 Paul Wouters - 0.9-1 +- Upgraded to 0.9 + +* Fri Oct 28 2011 Paul Wouters - 0.7-1 +- Upgraded to 0.7 + +* Fri Sep 23 2011 Paul Wouters - 0.4-1 +- Upgraded to 0.4 + +* Sat Sep 17 2011 Paul Wouters - 0.3-5 +- Start 01-dnssec-trigger-hook in daemon start +- Ensure dnssec-triggerd starts after NetworkManager + +* Fri Sep 16 2011 Paul Wouters - 0.3-4 +- Initial package diff --git a/dnssec-trigger-0.17-allowed-characters.patch b/dnssec-trigger-0.17-allowed-characters.patch new file mode 100644 index 0000000..e9cb86d --- /dev/null +++ b/dnssec-trigger-0.17-allowed-characters.patch @@ -0,0 +1,30 @@ +From f410871470773c0767f97f86c1bd05074db63081 Mon Sep 17 00:00:00 2001 +From: "W.C.A. Wijngaards" +Date: Mon, 3 Feb 2020 10:37:26 +0100 +Subject: [PATCH] - Fix for #3: Allow @ character to make scripts work, which + may fix resolv.conf lost in some situation bug. + +Changelog: +3 February 2020: Wouter + - Fix for #3: Allow @ character to make scripts work, which may + fix resolv.conf lost in some situation bug. +--- + riggerd/ubhook.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/riggerd/ubhook.c b/riggerd/ubhook.c +index 382eee3..f1ce73c 100644 +--- a/riggerd/ubhook.c ++++ b/riggerd/ubhook.c +@@ -80,7 +80,7 @@ allowed_arg(const char* arg) + } + if( isalnum((unsigned char)*s) || *s == ' ' || *s == ':' || + *s == '.' || *s == '_' || *s == '-' || *s == '+' || +- *s == '\t') { ++ *s == '\t' || *s == '@') { + continue; + } else { + log_err("command line string argument '%s' fails check on allowed characters", arg); +-- +2.41.0 + diff --git a/dnssec-trigger-0.17-openssl-3.2.patch b/dnssec-trigger-0.17-openssl-3.2.patch new file mode 100644 index 0000000..d1b9474 --- /dev/null +++ b/dnssec-trigger-0.17-openssl-3.2.patch 
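Review bot: The character allowlist in `allowed_arg` (riggerd/ubhook.c) gains `'@'` with no comment in the code saying which caller needs it, so a later reader cannot tell how far the check was meant to be loosened. Since this function gates what its own log message calls a "command line string argument", I would record the reason next to the condition, e.g. `/* '@' is needed by the hook scripts, see upstream issue #3 */`. Whether `@` is inert for every consumer of these arguments depends on how they are executed, which is outside this hunk, so that is worth confirming before carrying the backport. `allowed_arg` starts and ends outside the hunk.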
@@ -0,0 +1,34 @@ +From 7c3ff5b59952bc6bf11f988c9dbd961ae3c626ea Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Tue, 10 Sep 2024 16:22:07 +0200 +Subject: [PATCH] Mark explicitly server cert with CA flag + +Since OpenSSL 3.2 it did not connect from control to server cert. Create +server with indication is it CA. + +Also use clientAuth trust for CA cert. That allows control cert to be +used for client authentication. +--- + dnssec-trigger-control-setup.sh.in | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/dnssec-trigger-control-setup.sh.in b/dnssec-trigger-control-setup.sh.in +index 7cc305a..eede665 100644 +--- a/dnssec-trigger-control-setup.sh.in ++++ b/dnssec-trigger-control-setup.sh.in +@@ -200,9 +200,9 @@ EOF + test -f request.cfg || error "could not create request.cfg" + + echo "create $SVR_BASE.pem (self signed certificate)" +-openssl req -key $SVR_BASE.key -config request.cfg -new -x509 -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem" +-# create trusted usage pem +-openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem" ++openssl req -key $SVR_BASE.key -config request.cfg -new -x509 -days $DAYS -addext "basicConstraints=critical,CA:TRUE,pathlen:0" -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem" ++# create trusted usage pem for CA, what are signed certs allowed to do? ++openssl x509 -in "$SVR_BASE.pem" -addtrust clientAuth -out "${SVR_BASE}_trust.pem" + + # create client request and sign it, piped + cat >request.cfg < +Date: Wed, 20 Nov 2024 16:58:48 +0100 +Subject: [PATCH] Add recipe for adding own server + +Until someone adds nice support for using just CA bundle and server +name, allow specification by fingerprint obtained manually. Do not rely +only on server provided by upstream. 
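Review bot: The rewritten `openssl x509 ... -addtrust clientAuth` line has no failure check, unlike the `openssl req` line above it, so a failed run leaves no `${SVR_BASE}_trust.pem` (or a stale one) and the script carries on to the client request. Append `|| error "could not create ${SVR_BASE}_trust.pem"`. The new line quotes its expansions while the changed `req` line still passes `$SVR_BASE.key` and `$DAYS` unquoted; quoting both would keep the two consistent. The trust setting also replaces `serverAuth` rather than adding `clientAuth` beside it, and the new comment ends in an open question; if anything still verifies the server certificate through this file (not visible here) it needs both usages, and the comment should state the intended answer. The surrounding script continues outside the hunk.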
+--- + dnssec.conf | 4 ++-- + example.conf.in | 6 +++++- + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/dnssec.conf b/dnssec.conf +index bf896d3..4726ca1 100644 +--- a/dnssec.conf ++++ b/dnssec.conf +@@ -38,7 +38,7 @@ + # + # - See also security notes on the `add_wifi_provided_zones` option. + # +-# validate_connection_provided_zones=yes ++# validate_connection_provided_zones=no + # + # - Connection provided zones will be configured in Unbound as secure forward + # zones, validated using DNSSEC. +@@ -63,7 +63,7 @@ + # Turning this option off has security implications, See the security + # notice above. + # +-validate_connection_provided_zones=yes ++validate_connection_provided_zones=no + + # add_wifi_provided_zones: + # ------------------------ +diff --git a/example.conf.in b/example.conf.in +index dafd35d..f7e8a54 100644 +--- a/example.conf.in ++++ b/example.conf.in +@@ -79,6 +79,11 @@ tcp80: 2a04:b900::10:0:0:67 + ssl443: 185.49.140.67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF + ssl443: 2a04:b900::10:0:0:67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF + ++# How to add your own record: ++# openssl s_client -connect example.com:443 -showcerts /tmp/dns.crt ++# openssl x509 -noout -in /tmp/dns.crt -fingerprint -sha256 ++# Append returned sha256 Fingerprint after ssl443: IP-address section. ++ + # Use VPN servers for all traffic + # use-vpn-forwarders: no + +@@ -87,4 +92,3 @@ ssl443: 2a04:b900::10:0:0:67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD: + + # Add domains provided by VPN connections into Unbound forward zones + # add-wifi-provided-zones: no +- +-- +2.47.0 + diff --git a/dnssec-trigger-config-default.patch b/dnssec-trigger-config-default.patch new file mode 100644 index 0000000..a3ca483 --- /dev/null +++ b/dnssec-trigger-config-default.patch 
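Review bot: The `dnssec.conf` hunks flip `validate_connection_provided_zones` from `yes` to `no`, which the patch description ("Add recipe for adding own server") never mentions, although the comment directly above the setting says that turning it off has security implications. That default change deserves its own patch or at least a line in the description; it also turns the `sed -i "s/validate_connection_provided_zones=yes/..."` that is still present in the spec's %prep into a no-op. In the `example.conf.in` recipe, the fingerprint is taken from whatever answers on port 443 at that moment, and `-showcerts` prints the whole chain while `openssl x509` reads only the first certificate; I would add a comment line such as `# Run this from a trusted network and compare the fingerprint with one published by the operator.`. The fixed `/tmp/dns.crt` path is predictable on a shared machine, so a `mktemp` file would be a safer example.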
@@ -0,0 +1,53 @@ +From 27bb1f49fe69055e2a5f02e5fe54e71e79d98fdc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Tue, 25 Jul 2023 15:39:15 +0200 +Subject: [PATCH] Make fedora default config changes + +Customize upstream example configuration for Fedora. +--- + example.conf | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/example.conf b/example.conf +index 6031c0d..6251c98 100644 +--- a/example.conf ++++ b/example.conf +@@ -1,5 +1,4 @@ +-# config for dnssec-trigger 0.17. +-# this is a comment. there must be one statement per line. ++# Fedora/EPEL version of dnssec-trigger.conf + + # logging detail, 0=only errors, 1=operations, 2=detail, 3,4 debug detail. + # verbosity: 1 +@@ -43,8 +42,8 @@ + # port number to use for probe daemon. + # port: 8955 + +-# these keys and certificates can be generated with the script +-# dnssec-trigger-control-setup ++# keys and certificates generated by the dnssec-trigger-keygen systemd service ++# (which called dnssec-trigger-control-setup) + # server-key-file: "/etc/dnssec-trigger/dnssec_trigger_server.key" + # server-cert-file: "/etc/dnssec-trigger/dnssec_trigger_server.pem" + # control-key-file: "/etc/dnssec-trigger/dnssec_trigger_control.key" +@@ -60,7 +59,7 @@ + + # provided by NLnetLabs + # It is provided on a best effort basis, with no service guarantee. +-url: "http://ster.nlnetlabs.nl/hotspot.txt OK" ++# url: "http://ster.nlnetlabs.nl/hotspot.txt OK" + + # provided by FedoraProject + url: "http://fedoraproject.org/static/hotspot.txt OK" +@@ -72,7 +71,7 @@ url: "http://fedoraproject.org/static/hotspot.txt OK" + # hash is output of openssl x509 -sha256 -fingerprint -in server.pem + # You can add more with extra config lines. + +-# provided by NLnetLabs ++# provided by NLnetLabs (www.nlnetlabs.nl) + # It is provided on a best effort basis, with no service guarantee. + tcp80: 185.49.140.67 + tcp80: 2a04:b900::10:0:0:67 +-- +2.41.0 + 
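Review bot: The description "Customize upstream example configuration for Fedora" does not say that the packaged default now appears to keep upstream's active NLnetLabs fallback resolvers (`tcp80: 185.49.140.67` in the last hunk's context), whereas the deleted `dnssec-trigger-default.conf` had the fedoraproject.org `ssl443`/`tcp80` entries active and the NLnetLabs ones commented out. If that switch is intended, state it in the patch description so the change of fallback resolvers and pinned fingerprints is a recorded decision. The first hunk also drops the line `# this is a comment. there must be one statement per line.`, which was the only syntax hint at the top of the file; I would keep it under the new header.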
diff --git a/dnssec-trigger-config-workstation.patch b/dnssec-trigger-config-workstation.patch new file mode 100644 index 0000000..6458a92 --- /dev/null +++ b/dnssec-trigger-config-workstation.patch @@ -0,0 +1,34 @@ +From d4b08251d816038950b522fc1b003c8d4f1bcc6d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Tue, 25 Jul 2023 15:42:50 +0200 +Subject: [PATCH] Customize workstation only + +--- + dnssec-trigger-workstation.conf | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/dnssec-trigger-workstation.conf b/dnssec-trigger-workstation.conf +index 6251c98..bb2b5db 100644 +--- a/dnssec-trigger-workstation.conf ++++ b/dnssec-trigger-workstation.conf +@@ -32,6 +32,7 @@ + # the command to run to open login pages on hot spots, a web browser. + # empty string runs no command. + # login-command: "/usr/bin/xdg-open" ++login-command: "" + + # the url to open to get hot spot login, it gets overridden by the hotspot. + # login-location: "http://hotspot-nocache.fedoraproject.org/" +@@ -62,7 +63,8 @@ + # url: "http://ster.nlnetlabs.nl/hotspot.txt OK" + + # provided by FedoraProject +-url: "http://fedoraproject.org/static/hotspot.txt OK" ++# on Workstation, the detection is turned off ++# url: "http://fedoraproject.org/static/hotspot.txt OK" + + # fallback open DNSSEC resolvers that run on TCP port 80 and TCP port 443. + # These relay incoming DNS traffic on the other port numbers to the usual DNS +-- +2.41.0 + diff --git a/dnssec-trigger-configure-c99.patch b/dnssec-trigger-configure-c99.patch new file mode 100644 index 0000000..cccecad --- /dev/null +++ b/dnssec-trigger-configure-c99.patch 
@@ -0,0 +1,30 @@ +Do not rely on an implicit function declaration for detecting +the daemon function. Future compilers may not accept such +declarations by default, causing the detection result to change. + +Submitted upstream: + +diff --git a/configure b/configure +index 079ea641e2940515..22c9487fb0d311f8 100755 +--- a/configure ++++ b/configure +@@ -6757,6 +6757,7 @@ else + + echo ' + #include ++#include + ' >conftest.c + echo 'void f(){ (void)daemon(0, 0); }' >>conftest.c + if test -z "`$CC -c conftest.c 2>&1 | grep deprecated`"; then +diff --git a/configure.ac b/configure.ac +index c809367d307f108e..e8095fe7288ba68a 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -225,6 +225,7 @@ AC_CHECK_FUNCS([daemon]) + if test $ac_cv_func_daemon = yes; then + ACX_FUNC_DEPRECATED([daemon], [(void)daemon(0, 0);], [ + #include ++#include + ]) + fi + diff --git a/dnssec-trigger-default.conf b/dnssec-trigger-default.conf deleted file mode 100644 index 337ee34..0000000 --- a/dnssec-trigger-default.conf +++ /dev/null 
@@ -1,99 +0,0 @@ -# Fedora/EPEL version of dnssec-trigger.conf - -# logging detail, 0=only errors, 1=operations, 2=detail, 3,4 debug detail. -# verbosity: 1 - -# pidfile location -pidfile: "/var/run/dnssec-triggerd.pid" - -# log to a file instead of syslog, default is to syslog -# logfile: "/var/log/dnssec-trigger.log" - -# log to syslog, or (log to to stderr or a logfile if specified). yes or no. -# use-syslog: yes - -# chroot to this directory -# chroot: "" - -# the unbound-control binary if not found in PATH. -# commandline options can be appended "unbound-control -c my.conf" if you wish. -# unbound-control: "/usr/sbin/unbound-control" - -# where is resolv.conf to edit. -# resolvconf: "/etc/resolv.conf" - -# the domain example.com line (if any) to add to resolv.conf(5). default none. -# domain: "" - -# domain name search path to add to resolv.conf(5). default none. -# the search path from DHCP is not picked up, it could be used to misdirect. -# search: "" - -# the command to run to open login pages on hot spots, a web browser. -# empty string runs no command. -# login-command: "xdg-open" - -# the url to open to get hot spot login, it gets overridden by the hotspot. -# login-location: "http://www.nlnetlabs.nl/projects/dnssec-trigger" -# should to be a ttl=0 entry -login-location: "http://hotspot-nocache.fedoraproject.org/" - -# do not perform actions (unbound-control or resolv.conf), for a dry-run. -# noaction: no - -# port number to use for probe daemon. -# port: 8955 - -# keys and certificates generated by the dnssec-trigger-keygen systemd service -# (which called dnssec-trigger-control-setup) -server-key-file: "/etc/dnssec-trigger/dnssec_trigger_server.key" -server-cert-file: "/etc/dnssec-trigger/dnssec_trigger_server.pem" -control-key-file: "/etc/dnssec-trigger/dnssec_trigger_control.key" -control-cert-file: "/etc/dnssec-trigger/dnssec_trigger_control.pem" - -# check for updates, download and ask to install them (for Windows, OSX). 
-# check-updates: no - -# webservers that are probed to see if internet access is possible. -# They serve a simple static page over HTTP port 80. It probes a random url: -# after a space is the content expected on the page, (the page can contain -# whitespace before and after this code). Without urls it skips http probes. - -# provided by NLnetLabs -# It is provided on a best effort basis, with no service guarantee. -# url: "http://ster.nlnetlabs.nl/hotspot.txt OK" - -# provided by FedoraProject -url: "http://fedoraproject.org/static/hotspot.txt OK" - -# fallback open DNSSEC resolvers that run on TCP port 80 and TCP port 443. -# the ssl443 adds an ssl server IP, if you specify a hash it is checked, put -# the following on one line: ssl443: -# hash is output of openssl x509 -sha256 -fingerprint -in server.pem -# You can add more with extra config lines. - -# Provided by fedoraproject.org, #fedora-admin -# It is provided on a best effort basis, with no service guarantee. -ssl443: 140.211.169.201 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2 -tcp80: 140.211.169.201 -ssl443: 8.43.85.74 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2 -tcp80: 8.43.85.74 -ssl443: 152.19.134.150 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2 -tcp80: 152.19.134.150 -ssl443: 2610:28:3090:3001:dead:beef:cafe:fed9 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2 -tcp80: 2610:28:3090:3001:dead:beef:cafe:fed9 - -# provided by Paul Wouters (pwouters@redhat.com) -# It is provided on a best effort basis, with no service guarantee. 
-# tcp80: 193.110.157.123 -# tcp80: 2001:888:2003:1004::123 -# ssl443: 193.110.157.123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7 -# ssl443: 2001:888:2003:1004::123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7 - -# provided by NLnetLabs (www.nlnetlabs.nl) -# It is provided on a best effort basis, with no service guarantee. -# tcp80: 213.154.224.3 -# tcp80: 2001:7b8:206:1:bb:: -# ssl443: 213.154.224.3 DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F -# ssl443: 2001:7b8:206:1:bb:: DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F - diff --git a/dnssec-trigger-workstation.conf b/dnssec-trigger-workstation.conf deleted file mode 100644 index 2ffe0ca..0000000 --- a/dnssec-trigger-workstation.conf +++ /dev/null 
@@ -1,101 +0,0 @@ -# Fedora/EPEL version of dnssec-trigger.conf - -# logging detail, 0=only errors, 1=operations, 2=detail, 3,4 debug detail. -# verbosity: 1 - -# pidfile location -pidfile: "/var/run/dnssec-triggerd.pid" - -# log to a file instead of syslog, default is to syslog -# logfile: "/var/log/dnssec-trigger.log" - -# log to syslog, or (log to to stderr or a logfile if specified). yes or no. -# use-syslog: yes - -# chroot to this directory -# chroot: "" - -# the unbound-control binary if not found in PATH. -# commandline options can be appended "unbound-control -c my.conf" if you wish. -# unbound-control: "/usr/sbin/unbound-control" - -# where is resolv.conf to edit. -# resolvconf: "/etc/resolv.conf" - -# the domain example.com line (if any) to add to resolv.conf(5). default none. -# domain: "" - -# domain name search path to add to resolv.conf(5). default none. -# the search path from DHCP is not picked up, it could be used to misdirect. -# search: "" - -# the command to run to open login pages on hot spots, a web browser. -# empty string runs no command. -# login-command: "xdg-open" -login-command: "" - -# the url to open to get hot spot login, it gets overridden by the hotspot. -# login-location: "http://www.nlnetlabs.nl/projects/dnssec-trigger" -# should to be a ttl=0 entry -# login-location: "http://hotspot-nocache.fedoraproject.org/" - -# do not perform actions (unbound-control or resolv.conf), for a dry-run. -# noaction: no - -# port number to use for probe daemon. -# port: 8955 - -# keys and certificates generated by the dnssec-trigger-keygen systemd service -# (which called dnssec-trigger-control-setup) -server-key-file: "/etc/dnssec-trigger/dnssec_trigger_server.key" -server-cert-file: "/etc/dnssec-trigger/dnssec_trigger_server.pem" -control-key-file: "/etc/dnssec-trigger/dnssec_trigger_control.key" -control-cert-file: "/etc/dnssec-trigger/dnssec_trigger_control.pem" - -# check for updates, download and ask to install them (for Windows, OSX). 
-# check-updates: no - -# webservers that are probed to see if internet access is possible. -# They serve a simple static page over HTTP port 80. It probes a random url: -# after a space is the content expected on the page, (the page can contain -# whitespace before and after this code). Without urls it skips http probes. - -# provided by NLnetLabs -# It is provided on a best effort basis, with no service guarantee. -# url: "http://ster.nlnetlabs.nl/hotspot.txt OK" - -# provided by FedoraProject -# on Workstation, the detection is turned off -# url: "http://fedoraproject.org/static/hotspot.txt OK" - -# fallback open DNSSEC resolvers that run on TCP port 80 and TCP port 443. -# the ssl443 adds an ssl server IP, if you specify a hash it is checked, put -# the following on one line: ssl443: -# hash is output of openssl x509 -sha256 -fingerprint -in server.pem -# You can add more with extra config lines. - -# Provided by fedoraproject.org, #fedora-admin -# It is provided on a best effort basis, with no service guarantee. -ssl443: 140.211.169.201 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2 -tcp80: 140.211.169.201 -ssl443: 8.43.85.74 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2 -tcp80: 8.43.85.74 -ssl443: 152.19.134.150 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2 -tcp80: 152.19.134.150 -ssl443: 2610:28:3090:3001:dead:beef:cafe:fed9 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2 -tcp80: 2610:28:3090:3001:dead:beef:cafe:fed9 - -# provided by Paul Wouters (pwouters@redhat.com) -# It is provided on a best effort basis, with no service guarantee. 
-# tcp80: 193.110.157.123 -# tcp80: 2001:888:2003:1004::123 -# ssl443: 193.110.157.123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7 -# ssl443: 2001:888:2003:1004::123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7 - -# provided by NLnetLabs (www.nlnetlabs.nl) -# It is provided on a best effort basis, with no service guarantee. -# tcp80: 213.154.224.3 -# tcp80: 2001:7b8:206:1:bb:: -# ssl443: 213.154.224.3 DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F -# ssl443: 2001:7b8:206:1:bb:: DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F - diff --git a/dnssec-trigger.spec b/dnssec-trigger.spec index cfe5a71..9928104 100644 --- a/dnssec-trigger.spec +++ b/dnssec-trigger.spec @@ -5,8 +5,8 @@ Summary: Tool for dynamic reconfiguration of validating resolver Unbound Name: dnssec-trigger Version: 0.17 -Release: 1%{?snapshot:.%{snapshot}git}%{?dist} -License: BSD +Release: %autorelease +License: BSD-3-clause AND MIT AND ISC Url: https://www.nlnetlabs.nl/projects/dnssec-trigger/ %if 0%{?snapshot:1} 
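Review bot: The new `License:` tag spells the first identifier `BSD-3-clause`; the SPDX identifier is `BSD-3-Clause`, and license checkers that compare case-sensitively will flag it. Use `License: BSD-3-Clause AND MIT AND ISC`. A short comment above the tag naming which files carry the MIT and ISC terms would make the expression auditable.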
@@ -18,14 +18,24 @@ Source1: https://www.nlnetlabs.nl/downloads/dnssec-trigger/%{name}-%{version}.ta Source2: https://keys.openpgp.org/vks/v1/by-fingerprint/EDFAA3F2CA4E6EB05681AF8E9F6F1C2D7E045F8D#/wouter.asc %endif Source3: dnssec-trigger.tmpfiles.d -Source4: dnssec-trigger-default.conf -Source5: dnssec-trigger-workstation.conf +#Source4: dnssec-trigger-default.conf +#Source5: dnssec-trigger-workstation.conf Source6: ssh_config.conf # Patches +# Downstream changes to configuration +Patch1: dnssec-trigger-config-workstation.patch +# Downstream changes to configuration +Patch2: dnssec-trigger-config-default.patch Patch3: 0003-Move-the-NetworkManager-dispatcher-script-out-of-etc.patch # https://github.com/NLnetLabs/dnssec-trigger/pull/7 Patch4: 0004-Add-options-edns0-and-trust-ad.patch +Patch5: dnssec-trigger-configure-c99.patch +# https://github.com/NLnetLabs/dnssec-trigger/commit/f187c2be221a26f3c4ef4d9b16f1df67104ae634 +Patch6: dnssec-trigger-0.17-allowed-characters.patch +Patch7: dnssec-trigger-0.17-openssl-3.2.patch +# https://github.com/NLnetLabs/dnssec-trigger/pull/15 +Patch8: dnssec-trigger-0.17-server-recipe.patch # to obsolete the version in which the panel was in main package Obsoletes: %{name} < 0.12-22 @@ -53,10 +63,8 @@ BuildRequires: NetworkManager-libnm-devel BuildRequires: gnupg2 %endif -BuildRequires: systemd -Requires(post): systemd -Requires(preun): systemd -Requires(postun): systemd +BuildRequires: systemd-rpm-macros +%{?systemd_ordering} # Provides Workstation specific configuration # - No captive portal detection and no action available on Captive portal (No UI) @@ -76,6 +84,7 @@ Requires: %{name} = %{version}-%{release} Obsoletes: %{name} < 0.12-22 Requires: xdg-utils BuildRequires: gtk2-devel, desktop-file-utils +BuildRequires: make %description panel This package provides the GTK panel for interaction between the user 
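Review bot: The comment above `Patch6` points at upstream commit `f187c2be221a26f3c4ef4d9b16f1df67104ae634`, but the patch file added in this diff starts with `From f410871470773c0767f97f86c1bd05074db63081`, so the provenance of the backport cannot be checked from the spec as written. Make the two agree, or say in the comment that the file is a re-export of that commit. `Patch5` and `Patch7` have no origin comment at all; one line each stating where the patch came from (an upstream link, or that it is downstream only) would match the other entries. The commented-out `#Source4`/`#Source5` lines can simply be removed, since the files are deleted in this same change.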
@@ -88,7 +97,8 @@ some user input is needed, the panel creates a dialog window. %if 0%{?fedora} && ! 0%{?snapshot:1} %gpgverify -d 0 -s 1 -k 2 %endif -%autosetup %{?snapshot:-n %{name}-%{version}_%{snapshot}} -p1 +%autosetup %{?snapshot:-n %{name}-%{version}_%{snapshot}} -N +%autopatch -m 3 -p1 # don't use DNSSEC for forward zones for now sed -i "s/validate_connection_provided_zones=yes/validate_connection_provided_zones=no/" dnssec.conf @@ -102,20 +112,27 @@ sed -i "s/validate_connection_provided_zones=yes/validate_connection_provided_zo --with-networkmanager-dispatch=%{_sysconfdir}/NetworkManager/dispatcher.d \ %endif --with-python=%{__python3} \ - --with-pidfile=%{_rundir}/%{name}d.pid + --with-pidfile=%{_rundir}/%{name}d.pid \ + --with-login-command=%{_bindir}/xdg-open \ + --with-login-location="http://hotspot-nocache.fedoraproject.org/" -%{__make} %{?_smp_mflags} +# hotspot-nocache should have TTL=0 + +%make_build + +%autopatch -p1 2 +cp -p example.conf dnssec-trigger-workstation.conf +%autopatch -p1 1 %install -rm -rf %{buildroot} -%{__make} DESTDIR=%{buildroot} install +# https://github.com/NLnetLabs/dnssec-trigger/pull/13 +install -d -m 0755 %{buildroot}%{_libexecdir} +%make_install install -d 0755 %{buildroot}%{_unitdir} -install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/%{name}/ -install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/%{name}/ - -mkdir -p %{buildroot}%{_libexecdir} +install -p -m 0644 example.conf %{buildroot}%{_sysconfdir}/%{name}/dnssec-trigger-default.conf +install -p -m 0644 dnssec-trigger-workstation.conf %{buildroot}%{_sysconfdir}/%{name}/ desktop-file-install --dir=%{buildroot}%{_datadir}/applications dnssec-trigger-panel.desktop 
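Review bot: `%autosetup ... -N` followed by `%autopatch -m 3 -p1` leaves Patch1 and Patch2 unapplied in the prep section, and nothing in this hunk says so. They are applied later, after `%make_build` in the next hunk, so anyone auditing which downstream configuration changes reach the shipped files has to search for them. I would add a comment above the `%autopatch` line, such as `# Patch1 and Patch2 modify the config files and are applied after the build, see below`, plus a short why-comment next to `%autopatch -p1 2` (presumably example.conf only exists once the build has generated it). Patching in the build section also means that re-running the build on an already built tree is likely to fail on the patched files.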
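Review bot: In the configure/build/install hunk, the context line `install -d 0755 %{buildroot}%{_unitdir}` has no `-m`, so `0755` is treated as a second directory name and a stray `0755` directory is created in the build tree. The line this commit adds just above it, `install -d -m 0755 %{buildroot}%{_libexecdir}`, shows the intended form. Since the commit already touches the neighbouring lines, I would change it to `install -d -m 0755 %{buildroot}%{_unitdir}`. The install section continues outside the hunk.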
@@ -132,9 +149,9 @@ ln -s dnssec-trigger-panel %{buildroot}%{_bindir}/dnssec-trigger # Make dnssec-trigger.8 manpage available under names of all dnssec-trigger-* # executables for all in dnssec-trigger-control dnssec-trigger-control-setup dnssec-triggerd; do - ln -s %{_mandir}/man8/dnssec-trigger.8 %{buildroot}/%{_mandir}/man8/"$all".8 + ln -s dnssec-trigger.8 %{buildroot}/%{_mandir}/man8/"$all".8 done -ln -s %{_mandir}/man8/dnssec-trigger.8 %{buildroot}/%{_mandir}/man8/dnssec-trigger.conf.8 +ln -s dnssec-trigger.8 %{buildroot}/%{_mandir}/man8/dnssec-trigger.conf.8 install -d -m 0755 %{buildroot}%{_sysconfdir}/ssh/ssh_config.d install -m 0644 %{SOURCE6} %{buildroot}%{_sysconfdir}/ssh/ssh_config.d/10-%{name}.conf @@ -186,7 +203,7 @@ fi %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-trigger-default.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-trigger-workstation.conf %attr(0755,root,root) %dir %{_sysconfdir}/ssh/ssh_config.d -%attr(0755,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/10-%{name}.conf +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/10-%{name}.conf %dir %{_localstatedir}/run/%{name} %{_tmpfilesdir}/%{name}.conf %{_mandir}/man8/dnssec-trigger* 
@@ -200,282 +217,4 @@ fi %changelog -* Tue Oct 13 2020 Petr Menšík - 0.17-1 -- Update to 0.17 - -* Mon Oct 12 2020 Petr Menšík - 0.15-14 -- Add edns0 option to resolv.conf -- Add VerifyHostKeyDNS to ssh config - -* Mon Jul 27 2020 Fedora Release Engineering - 0.15-13 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Tue Jan 28 2020 Fedora Release Engineering - 0.15-12 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Mon Jan 06 2020 Jeff Law - 0.15-11 -- Fix typo in last change - -* Thu Aug 22 2019 Lubomir Rintel - 0.15-10 -- Move the NetworkManager dispatcher script out of /etc - -* Wed Jul 24 2019 Fedora Release Engineering - 0.15-9 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - -* Thu Jan 31 2019 Fedora Release Engineering - 0.15-8 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - -* Thu Jul 12 2018 Fedora Release Engineering - 0.15-7 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - -* Tue Jun 19 2018 Miro Hrončok - 0.15-6 -- Rebuilt for Python 3.7 - -* Wed Mar 14 2018 Petr Menšík - 0.15-5 -- Accept NXDOMAIN for NSEC probe (#1555355) - -* Mon Feb 19 2018 Tomas Hozza - 0.15-4 -- Added explicit BuildRequires on gcc as required by packaging guidelines -- Added explicit Requires on e2fsprogs, so that /usr/bin/chattr is available -- Remove redundant removal of immutable bit in %%preun scriptlet (#1542400) - -* Mon Feb 19 2018 Tomas Hozza - 0.15-3 -- use NetworkManager-libnm instead of NetworkManager-glib - -* Wed Feb 07 2018 Fedora Release Engineering - 0.15-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - -* Mon Dec 11 2017 Tomas Hozza - 0.15-1 -- Update to stable 0.15 upstream release - -* Fri Aug 18 2017 Petr Menšík - 0.13-6 -- Skip always failing kr.com, update root IPs (#1482939) - -* Wed Aug 02 2017 Fedora Release Engineering - 0.13-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - -* Wed Jul 
26 2017 Fedora Release Engineering - 0.13-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild - -* Wed Mar 08 2017 Tomas Hozza - 0.13-3 -- Rebuild against new ldns - -* Wed Mar 01 2017 Tomas Hozza - 0.13-2 -- Include fix for runtime issues with OpenSSL 1.1.0 (#1427561) - -* Fri Feb 17 2017 Tomas Hozza - 0.13-1 -- Update to stable 0.13 upstream release -- Dropped merged patches - -* Fri Feb 10 2017 Fedora Release Engineering - 0.13-0.6.20150714svn -- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - -* Mon Dec 19 2016 Miro Hrončok - 0.13-0.5.20150714svn -- Rebuild for Python 3.6 - -* Wed Feb 03 2016 Fedora Release Engineering - 0.13-0.4.20150714svn -- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - -* Tue Nov 10 2015 Fedora Release Engineering -- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5 - -* Mon Jul 20 2015 Tomas Hozza - 0.13-0.2.20150714svn -- Provide Workstation specific configuration - -* Wed Jul 15 2015 Tomas Hozza - 0.13-0.1.20150714svn -- split dnssec-trigger panel into separate subpackage (#1236363) -- SPEC file cleanup based on rpmlint and fedora-review issues -- implement some suggestions (#1236363) -- rebase to the latest svn trunk snapshot 0.13_20150714 -- Script is not searching local user directories any more (#1213062) -- Script now doesn't restart NM if version is >= 1.0.3, but sends just signal -- Script now specifies the NMClient version for GI (#1242430) -- Script now sets negative-cache-ttl in unbound to 5 seconds (#1229596) - -* Wed Jun 17 2015 Fedora Release Engineering - 0.12-21 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild - -* Wed Apr 08 2015 Tomas Hozza - 0.12-20 -- Fix issue when installing private address range zone without global forwarders (#1205864) -- Fix configuration of private address range zones (#1128310#c20) - -* Fri Mar 13 2015 Tomas Hozza - 0.12-19 -- Fix typo in the dnssec-trigger-script (#1187371) -- Use Python3 by default - -* 
Mon Jan 26 2015 Pavel Šimerda - 0.12-18 -- Resolves: #1185796, #1130502, #1105685, #1128310 – update - -* Tue Jan 20 2015 Pavel Šimerda - 0.12-17 -- Resolves: #1183975 - systemd cgroup check fails - -* Tue Jan 20 2015 Pavel Šimerda - 0.12-16 -- Resolves: #1165126, #1125267, #1089766, #1112248, #824219 - update - -* Sat Aug 16 2014 Fedora Release Engineering - 0.12-15 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild - -* Thu Aug 14 2014 Pavel Šimerda - 0.12-14 -- Resolves: #1125261 - dnssec-trigger-script: use fcntl.flock instead of - lockfile - -* Mon Aug 11 2014 Tomas Hozza - 0.12-13 -- One Fedora fallback server changed IP address (#1125440) - -* Mon Jun 30 2014 Pavel Šimerda - 0.12-12 -- Resolves: #1112248 - require a version of NetworkManager with #1113122 fixed - -* Tue Jun 24 2014 Pavel Šimerda - 0.12-11 -- Resolves: #1112248 - serialize the script instances - -* Tue Jun 24 2014 Pavel Šimerda - 0.12-10 -- Resolves: #1112248 - fix a typo - -* Tue Jun 24 2014 Pavel Šimerda - 0.12-9 -- Resolves: #1112248 - fix systemd race condition - -* Mon Jun 23 2014 Pavel Šimerda - 0.12-8 -- Resolves: #1112248 - don't block on systemctl restart NetworkManager - -* Mon Jun 23 2014 Pavel Šimerda - 0.12-7 -- Resolves: #1112248, #1111143 - update dnssec-trigger-script and dnssec-triggerd.service - -* Fri Jun 20 2014 Pavel Šimerda - 0.12-6 -- Resolves: #1111143 - fix for python2 - -* Fri Jun 20 2014 Pavel Šimerda - 0.12-5 -- Related: #842455 - remove a patch that is now redundant - -* Fri Jun 20 2014 Pavel Šimerda - 0.12-4 -- update dnssec-trigger-script to current development submitted upstream - -* Wed Jun 18 2014 Pavel Šimerda - 0.12-3 -- Resolves: #1105896 - the new script doesn't call dnssec-trigger-control submit - -* Fri Jun 06 2014 Pavel Šimerda - 0.12-2 -- fix various dnssec-trigger-script issues - -* Fri May 23 2014 Tomas Hozza - 0.12-1 -- Update to 0.12 version -- Drop merged patches -- Drop downstream files (systemd, dispatcher scripts) - -* Tue 
May 13 2014 Paul Wouters - 0.11-21 -- Enable full hardening (includig PIE) -- Resolves: rhbz#1045689 dnssec-trigger creates long-time RSA key with inappropriate size - -* Wed Feb 19 2014 Tomas Hozza - 0.11-20 -- Restart NM on dnssec-trigger shutdown (let NM handle the resolv.conf content) -- HN-hook: Handle situation when connection does not have a device - -* Wed Jan 29 2014 Tomas Hozza - 0.11-19 -- Use new Python dispatcher script and ship /etc/dnssec.conf - -* Tue Jan 28 2014 Tomas Hozza - 0.11-18 -- Use systemd macros instead of directly calling systemctl -- simplify the systemd unit file for generating keys - -* Thu Nov 21 2013 Tomas Hozza - 0.11-17 -- Add script to backup and restore resolv.conf on dnssec-trigger start/stop - -* Mon Nov 18 2013 Tomas Hozza - 0.11-16 -- Improve GUI dialogs texts - -* Tue Nov 12 2013 Tomas Hozza - 0.11-15 -- Fix NM dispatcher script to work with NM >= 0.9.9.0 (#1029571) - -* Mon Aug 26 2013 Tomas Hozza - 0.11-14 -- Fix errors found by static analysis of source - -* Fri Aug 09 2013 Tomas Hozza - 0.11-13 -- Use improved NM dispatcher script from upstream -- Added tmpfiles.d config due to improved NM dispatcher script - -* Sat Aug 03 2013 Fedora Release Engineering - 0.11-12 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild - -* Mon Mar 04 2013 Adam Tkac - 0.11-11 -- link dnssec-trigger.conf.8 to dnssec-trigger.8 -- build dnssec-triggerd with full RELRO - -* Mon Mar 04 2013 Adam Tkac - 0.11-10 -- remove deprecated "Application" keyword from desktop file - -* Mon Mar 04 2013 Adam Tkac - 0.11-9 -- install various dnssec-trigger-* symlinks to dnssec-trigger.8 manpage - -* Wed Feb 13 2013 Fedora Release Engineering - 0.11-8 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild - -* Tue Jan 08 2013 Paul Wouters - 0.11-7 -- Use full path for systemd (rhbz#842455) - -* Tue Jul 24 2012 Paul Wouters - 0.11-6 -- Patched daemon to remove immutable attr (rhbz#842455) as the - systemd ExecStopPost= target does 
not seem to work - -* Tue Jul 24 2012 Paul Wouters - 0.11-5 -- On service stop, remove immutable attr from resolv.conf (rhbz#842455) - -* Wed Jul 18 2012 Fedora Release Engineering - 0.11-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild - -* Thu Jun 28 2012 Paul Wouters - 0.11-3 -- Fix DHCP hook for f17+ version of nmcli (rhbz#835298) - -* Sun Jun 17 2012 Paul Wouters - 0.11-2 -- Small textual changes to some popup windows - -* Fri Jun 15 2012 Paul Wouters - 0.11-1 -- Updated to 0.11 -- http Hotspot detection via fedoraproject.org/static/hotspot.html -- http Hotspot Login page via uses hotspot-nocache.fedoraproject.org - -* Thu Feb 23 2012 Paul Wouters - 0.10-4 -- Require: unbound - -* Wed Feb 22 2012 Paul Wouters - 0.10-3 -- Fix the systemd startup to require unbound -- dnssec-triggerd no longer forks, giving systemd more control -- Fire NM dispatcher in ExecStartPost of dnssec-triggerd.service -- Fix tcp80 entries in dnssec-triggerd.conf -- symlink dnssec-trigger-panel to dnssec-trigger to supress the - "-panel" in the applet name shown in gnome3 - - -* Wed Feb 22 2012 Paul Wouters - 0.10-2 -- The NM hook was not modified at the right time during build - -* Wed Feb 22 2012 Paul Wouters - 0.10-1 -- Updated to 0.10 -- The NM hook lacks /usr/sbin in path, resulting in empty resolv.conf on hotspot - -* Wed Feb 08 2012 Paul Wouters - 0.9-4 -- Updated tls443 / tls80 resolver instances supplied by Fedora Hosted - -* Mon Feb 06 2012 Paul Wouters - 0.9-3 -- Convert from SysV to systemd for initial Fedora release -- Moved configs and pem files to /etc/dnssec-trigger/ -- No more /var/run/dnssec-triggerd/ -- Fix Build-requires -- Added commented tls443 port80 entries of pwouters resolvers -- On uninstall ensure there is no immutable bit on /etc/resolv.conf - -* Sat Jan 07 2012 Paul Wouters - 0.9-2 -- Added LICENCE to doc section - -* Mon Dec 19 2011 Paul Wouters - 0.9-1 -- Upgraded to 0.9 - -* Fri Oct 28 2011 Paul Wouters - 0.7-1 -- Upgraded to 0.7 - -* 
Fri Sep 23 2011 Paul Wouters - 0.4-1 -- Upgraded to 0.4 - -* Sat Sep 17 2011 Paul Wouters - 0.3-5 -- Start 01-dnssec-trigger-hook in daemon start -- Ensure dnssec-triggerd starts after NetworkManager - -* Fri Sep 16 2011 Paul Wouters - 0.3-4 -- Initial package +%autochangelog diff --git a/plans/public.fmf b/plans/public.fmf new file mode 100644 index 0000000..e92437c --- /dev/null +++ b/plans/public.fmf @@ -0,0 +1,6 @@ +summary: Run all beakerlib tests for dnssec-trigger +discover: + - name: fedora_tests_dnssec-trigger + how: fmf +execute: + how: tmt diff --git a/tests/.gitignore b/tests/.gitignore new file mode 100644 index 0000000..f53babb --- /dev/null +++ b/tests/.gitignore @@ -0,0 +1,2 @@ +.testinfo.tmt +.*.swp diff --git a/tests/Sanity/basic-functionality/main.fmf b/tests/Sanity/basic-functionality/main.fmf new file mode 100644 index 0000000..0bb8c12 --- /dev/null +++ b/tests/Sanity/basic-functionality/main.fmf @@ -0,0 +1,9 @@ +summary: Try starting dnssec-triggerd and use fallbacks +description: | + Use configured fallbacks manually by test_tcp and test_http commands. + Also check resolutions is actually working. +test: ./test.sh +framework: beakerlib +require: + - dnssec-trigger + - unbound diff --git a/tests/Sanity/basic-functionality/test.sh b/tests/Sanity/basic-functionality/test.sh new file mode 100755 index 0000000..f014084 --- /dev/null +++ b/tests/Sanity/basic-functionality/test.sh 
@@ -0,0 +1,59 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+MOVED_RESOLV_CONF=""
+
+wait_for_probe() {
+ while dnssec-trigger-control status | grep -q '^probe is in progress'; do
+ sleep 1
+ done
+}
+
+test_fallback() {
+ local TYPE=$1
+ local HOST=$2
+
+ rlRun "dnssec-trigger-control test_${TYPE}"
+ wait_for_probe
+ sleep 1
+ rlRun "dnssec-trigger-control status"
+ rlRun -s "unbound-host -rvD ${HOST}" 0 "Check dnssec works over ${TYPE} fallback"
+ rlAssertGrep '(secure)' $rlRun_LOG
+}
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlRun "tmp=\$(mktemp -d)" 0 "Create tmp directory"
+ rlAssertRpm dnssec-trigger
+ rlFileBackup --missing-ok /etc/resolv.conf
+ if test -L /etc/resolv.conf; then
+ MOVED_RESOLV_CONF="/etc/resolv-backup-$$.conf"
+ rlRun "mv /etc/resolv.conf ${MOVED_RESOLV_CONF}"
+ fi
+ rlRun "pushd $tmp"
+ rlServiceStart dnssec-triggerd
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ rlRun "dnssec-trigger-control status"
+ rlRun -s "unbound-host -rvD example.org" 0 "Check dnssec actually works"
+ rlAssertGrep '(secure)' $rlRun_LOG
+
+ test_fallback tcp www.example.org
+ # This variant is not passing
+ #test_fallback http example.net
+ test_fallback ssl www.example.net
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlServiceRestore dnssec-triggerd
+ rlRun "popd"
+ if [ -n "$MOVED_RESOLV_CONF" ]; then
+ rm -f /etc/resolv.conf
+ rlRun "mv -f ${MOVED_RESOLV_CONF} /etc/resolv.conf"
+ fi
+ rlFileRestore
+ rlRun "rm -r $tmp" 0 "Remove tmp directory"
+ rlPhaseEnd
+rlJournalEnd
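Review bot: `wait_for_probe` loops for as long as `dnssec-trigger-control status` prints `probe is in progress`, with no upper bound, so a probe that never settles hangs the test until the harness kills it instead of recording a failed assertion. I would bound the loop with `local tries=0` before the `while` and `[ $((tries+=1)) -le 60 ] || return 1` as the first statement in its body (60 is an example limit), and call it as `rlRun wait_for_probe` in `test_fallback` so a timeout shows up in the journal. Separately, `$rlRun_LOG` in both `rlAssertGrep` calls and `$tmp` in the `pushd` and `rm -r` command strings are unquoted and should be quoted.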