Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild

Related: RHEL-6597

.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -5,3 +5,5 @@
 /dnssec-trigger-0.13_20150714.tar.gz
 /dnssec-trigger-0.13.tar.gz
 /dnssec-trigger-0.15.tar.gz
+/dnssec-trigger-0.17.tar.gz
+/dnssec-trigger-0.17.tar.gz.asc

0001-dnssec-trigger-script-port-to-libnm.patch

@@ -1,108 +0,0 @@
-From ef18b39abdb5e8bf870ada3c108ab7f083405d2c Mon Sep 17 00:00:00 2001
-From: Lubomir Rintel <lkundrak@v3.sk>
-Date: Thu, 15 Feb 2018 17:57:52 +0100
-Subject: [PATCH] dnssec-trigger-script: port to libnm
-
-The libnm-glib is depreacted for a long time already and is eventually
-going away.
----
- dnssec-trigger-script.in | 51 ++++++++++++++----------------------------------
- 1 file changed, 15 insertions(+), 36 deletions(-)
-
-diff --git a/dnssec-trigger-script.in b/dnssec-trigger-script.in
-index 5f70580..14d9278 100644
---- a/dnssec-trigger-script.in
-+++ b/dnssec-trigger-script.in
-@@ -13,14 +13,13 @@ import glob
- import subprocess
- import logging
- import logging.handlers
--import socket
- import struct
- import signal
- 
- import gi
--gi.require_version('NMClient', '1.0')
-+gi.require_version('NM', '1.0')
- 
--from gi.repository import NMClient
-+from gi.repository import NM
- 
- # Python compatibility stuff
- if not hasattr(os, "O_CLOEXEC"):
-@@ -132,7 +131,7 @@ class ConnectionList:
- 
-     def __init__(self, client, only_default=False, only_vpn=False, skip_wifi=False):
-         # Cache the active connection list in the class
--        if not client.get_manager_running():
-+        if not client.get_nm_running():
-             raise UserError("NetworkManager is not running.")
-         if self.nm_connections is None:
-             self.__class__.nm_connections = client.get_active_connections()
-@@ -208,40 +207,20 @@ class Connection:
-         self.uuid = connection.get_uuid()
- 
-         self.zones = []
--        try:
--            self.zones += connection.get_ip4_config().get_domains()
--        except AttributeError:
--            pass
--        try:
--            self.zones += connection.get_ip6_config().get_domains()
--        except AttributeError:
--            pass
--
-         self.servers = []
--        try:
--            self.servers += [self.ip4_to_str(server) for server in connection.get_ip4_config().get_nameservers()]
--        except AttributeError:
--            pass
--        try:
--            self.servers += [self.ip6_to_str(connection.get_ip6_config().get_nameserver(i))
--                for i in range(connection.get_ip6_config().get_num_nameservers())]
--        except AttributeError:
--            pass
--
--    def __repr__(self):
--        return "<Connection(uuid={uuid}, type={type}, default={is_default}, zones={zones}, servers={servers})>".format(**vars(self))
- 
--    @staticmethod
--    def ip4_to_str(ip4):
--        """Converts IPv4 address from integer to string."""
--
--        return socket.inet_ntop(socket.AF_INET, struct.pack("=I", ip4))
-+        ip4_config = connection.get_ip4_config()
-+        if ip4_config is not None:
-+            self.zones += ip4_config.get_domains()
-+            self.servers += ip4_config.get_nameservers()
- 
--    @staticmethod
--    def ip6_to_str(ip6):
--        """Converts IPv6 address from integer to string."""
-+        ip6_config = connection.get_ip6_config()
-+        if ip6_config is not None:
-+            self.zones += ip6_config.get_domains()
-+            self.servers += ip6_config.get_nameservers()
- 
--        return socket.inet_ntop(socket.AF_INET6, ip6)
-+    def __repr__(self):
-+        return "<Connection(uuid={uuid}, type={type}, default={is_default}, zones={zones}, servers={servers})>".format(**vars(self))
- 
-     @property
-     def ignore(self):
-@@ -466,10 +445,10 @@ class Application:
-         except AttributeError:
-             self.usage()
- 
--        self.client = NMClient.Client().new()
-+        self.client = NM.Client().new()
- 
-     def nm_handles_resolv_conf(self):
--        if not self.client.get_manager_running():
-+        if not self.client.get_nm_running():
-             log.debug("NetworkManager is not running")
-             return False
-         try:
--- 
-2.13.6
-

0002-Fix-that-NXDOMAIN-for-_probe.uk.uk-is-deemed-allrigh.patch

@@ -1,27 +0,0 @@
-From 871f36410b93abc2a2e583043665337d25d66c1e Mon Sep 17 00:00:00 2001
-From: Wouter Wijngaards <wouter@nlnetlabs.nl>
-Date: Mon, 26 Feb 2018 13:48:26 +0000
-Subject: [PATCH] - Fix that NXDOMAIN for _probe.uk.uk is deemed allright.
-
-git-svn-id: file:///svn/dnssec-trigger/trunk@764 14dc9c71-5cc2-e011-b339-0019d10b89f4
----
- riggerd/probe.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/riggerd/probe.c b/riggerd/probe.c
-index 4781e01..0954766 100644
---- a/riggerd/probe.c
-+++ b/riggerd/probe.c
-@@ -490,7 +490,8 @@ outq_check_packet(struct outq* outq, uint8_t* wire, size_t len)
- 	}
- 
- 	/* does DNS work? */
--	if(ldns_pkt_get_rcode(p) != LDNS_RCODE_NOERROR) {
-+	if(ldns_pkt_get_rcode(p) != LDNS_RCODE_NOERROR &&
-+		ldns_pkt_get_rcode(p) != LDNS_RCODE_NXDOMAIN) {
- 		char* r = ldns_pkt_rcode2str(ldns_pkt_get_rcode(p));
- 		snprintf(reason, sizeof(reason), "no answer, %s",
- 			r?r:"(out of memory)");
--- 
-2.14.3
-

0003-Move-the-NetworkManager-dispatcher-script-out-of-etc.patch

@@ -0,0 +1,96 @@
+From 6e13ba9b4367fb7867f8a61930bd80b34970aa34 Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel <lkundrak@v3.sk>
+Date: Thu, 22 Aug 2019 16:28:51 +0200
+Subject: [PATCH] Move the NetworkManager dispatcher script out of /etc
+
+It's not user configuration and shouldn't ever have been there. Except for that
+it used to be the only location NetworkManager looked into. With NetworkManager
+1.20 that is no longer the case and the dispatcher scripts can be moved to
+/usr/lib.
+
+Users of older NetworkManager versions can still override this on the
+./configure command line.
+---
+ README       |  2 +-
+ configure    | 10 +++++-----
+ configure.ac |  8 ++++----
+ 3 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/README b/README
+index 1ddc3f4..7093268 100644
+--- a/README
++++ b/README
+@@ -74,7 +74,7 @@ the secure version, but this was fixed in 0.6.
+ 
+ * unix - NetworkManager
+ 
+-In /etc/NetworkManager/dispatcher.d a script sends DHCP changes to
++In /usr/lib/NetworkManager/dispatcher.d a script sends DHCP changes to
+ the daemon.  The script is a networkmanager dhcp hook script and uses
+ dnssec-trigger-control to talk to the daemon.  The script uses nmcli
+ to find the DNS info.
+diff --git a/configure b/configure
+index 16d86fc..1efddd3 100755
+--- a/configure
++++ b/configure
+@@ -1364,8 +1364,8 @@ Optional Packages:
+                           'windows' or 'none'
+   --with-networkmanager-dispatch
+                           Set the networkmanager dhcp dispatcher dir, default
+-                          tests prefix/etc/NetworkManager/dispatcher.d and
+-                          /etc/NetworkManager/dispatcher.d
++                          tests prefix/lib/NetworkManager/dispatcher.d and
++                          /lib/NetworkManager/dispatcher.d
+   --with-netconfig-dispatch
+                           Set the netconfig dhcp dispatcher dir, default tests
+                           prefix/etc/netconfig.d and /etc/netconfig.d
+@@ -6879,7 +6879,7 @@ if test -n "$withval"; then
+ fi
+ 
+ # hook settings
+-networkmanager_dispatcher_dir="$sysconfdir/NetworkManager/dispatcher.d"
++networkmanager_dispatcher_dir="$prefix/lib/NetworkManager/dispatcher.d"
+ 
+ # Check whether --with-networkmanager-dispatch was given.
+ if test "${with_networkmanager_dispatch+set}" = set; then :
+@@ -6938,8 +6938,8 @@ $as_echo_n "checking for NetworkManager dispatch... " >&6; }
+ 	else
+ 		if test -d "$networkmanager_dispatcher_dir" ; then
+ 			:
+-		else if test -d /etc/NetworkManager/dispatcher.d; then
+-			networkmanager_dispatcher_dir="/etc/NetworkManager/dispatcher.d"
++		else if test -d /lib/NetworkManager/dispatcher.d; then
++			networkmanager_dispatcher_dir="/lib/NetworkManager/dispatcher.d"
+ 			fi
+ 		fi
+ 	fi
+diff --git a/configure.ac b/configure.ac
+index f06412f..d1b8556 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -244,9 +244,9 @@ if test -n "$withval"; then
+ fi
+ 
+ # hook settings
+-networkmanager_dispatcher_dir="$sysconfdir/NetworkManager/dispatcher.d"
++networkmanager_dispatcher_dir="$prefix/lib/NetworkManager/dispatcher.d"
+ AC_ARG_WITH([networkmanager-dispatch], AC_HELP_STRING([--with-networkmanager-dispatch],
+-	[Set the networkmanager dhcp dispatcher dir, default tests prefix/etc/NetworkManager/dispatcher.d and /etc/NetworkManager/dispatcher.d]),
++	[Set the networkmanager dhcp dispatcher dir, default tests prefix/lib/NetworkManager/dispatcher.d and /lib/NetworkManager/dispatcher.d]),
+ 	, withval="")
+ with_nm_dispatch="$withval"
+ AC_SUBST(networkmanager_dispatcher_dir)
+@@ -290,8 +290,8 @@ if test "$hooks" = "networkmanager"; then
+ 	else
+ 		if test -d "$networkmanager_dispatcher_dir" ; then
+ 			:
+-		else if test -d /etc/NetworkManager/dispatcher.d; then
+-			networkmanager_dispatcher_dir="/etc/NetworkManager/dispatcher.d"
++		else if test -d /lib/NetworkManager/dispatcher.d; then
++			networkmanager_dispatcher_dir="/lib/NetworkManager/dispatcher.d"
+ 			fi
+ 		fi
+ 	fi
+-- 
+2.23.0
+

0004-Add-options-edns0-and-trust-ad.patch

@@ -0,0 +1,32 @@
+From 96b32c7a3494e214998f53fe69503667ada8ea46 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Mon, 12 Oct 2020 23:25:43 +0200
+Subject: [PATCH 4/5] Add options edns0 and trust-ad
+
+SSH uses AD flag only when edns0 is enabled in resolv.conf. Unbound of
+course supports it, no need to keep it disabled.
+
+Add also trust-ad for more recent libraries, which discard AD flag
+without explicit trust.
+
+Patch: dnssec-trigger-0.15-edns0.patch
+---
+ dnssec-trigger-script.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dnssec-trigger-script.in b/dnssec-trigger-script.in
+index 14d9278..1c6f581 100644
+--- a/dnssec-trigger-script.in
++++ b/dnssec-trigger-script.in
+@@ -421,7 +421,7 @@ class Application:
+     resolvconf_trigger_tmp = resolvconf_trigger + ".tmp"
+     resolvconf_networkmanager = "/var/run/NetworkManager/resolv.conf"
+ 
+-    resolvconf_localhost_contents = "# Generated by dnssec-trigger-script\nnameserver 127.0.0.1\n"
++    resolvconf_localhost_contents = "# Generated by dnssec-trigger-script\nnameserver 127.0.0.1\noptions edns0 trust-ad\n"
+ 
+     rfc1918_reverse_zones = [
+         "c.f.ip6.arpa",
+-- 
+2.26.2
+

changelog

@@ -0,0 +1,313 @@
+* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.17-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Thu Jun 15 2023 Todd Zullinger <tmz@pobox.com> - 0.17-11
+- Remove execute bit on ssh_config.d snippet
+
+* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.17-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Fri Dec 16 2022 Florian Weimer <fweimer@redhat.com> - 0.17-9
+- Port configure script to C99
+
+* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.17-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.17-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 0.17-6
+- Rebuilt with OpenSSL 3.0.0
+
+* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.17-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 0.17-4
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.17-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Sat Dec 19 2020 Adam Williamson <awilliam@redhat.com> - 0.17-2
+- Rebuild for libldns soname bump
+
+* Tue Oct 13 2020 Petr Menšík <pemensik@redhat.com> - 0.17-1
+- Update to 0.17
+
+* Mon Oct 12 2020 Petr Menšík <pemensik@redhat.com> - 0.15-14
+- Add edns0 option to resolv.conf
+- Add VerifyHostKeyDNS to ssh config
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.15-13
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.15-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Mon Jan 06 2020 Jeff Law <law@redhat.com> - 0.15-11
+- Fix typo in last change
+
+* Thu Aug 22 2019 Lubomir Rintel <lkundrak@v3.sk> - 0.15-10
+- Move the NetworkManager dispatcher script out of /etc
+
+* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.15-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.15-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.15-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 0.15-6
+- Rebuilt for Python 3.7
+
+* Wed Mar 14 2018 Petr Menšík <pemensik@redhat.com> - 0.15-5
+- Accept NXDOMAIN for NSEC probe (#1555355)
+
+* Mon Feb 19 2018 Tomas Hozza <thozza@redhat.com> - 0.15-4
+- Added explicit BuildRequires on gcc as required by packaging guidelines
+- Added explicit Requires on e2fsprogs, so that /usr/bin/chattr is available
+- Remove redundant removal of immutable bit in %%preun scriptlet (#1542400)
+
+* Mon Feb 19 2018 Tomas Hozza <thozza@redhat.com> - 0.15-3
+- use NetworkManager-libnm instead of NetworkManager-glib
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.15-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Mon Dec 11 2017 Tomas Hozza <thozza@redhat.com> - 0.15-1
+- Update to stable 0.15 upstream release
+
+* Fri Aug 18 2017 Petr Menšík <pemensik@redhat.com> - 0.13-6
+- Skip always failing kr.com, update root IPs (#1482939)
+
+* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.13-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.13-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Wed Mar 08 2017 Tomas Hozza <thozza@redhat.com> - 0.13-3
+- Rebuild against new ldns
+
+* Wed Mar 01 2017 Tomas Hozza <thozza@redhat.com> - 0.13-2
+- Include fix for runtime issues with OpenSSL 1.1.0 (#1427561)
+
+* Fri Feb 17 2017 Tomas Hozza <thozza@redhat.com> - 0.13-1
+- Update to stable 0.13 upstream release
+- Dropped merged patches
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.13-0.6.20150714svn
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Mon Dec 19 2016 Miro Hrončok <mhroncok@redhat.com> - 0.13-0.5.20150714svn
+- Rebuild for Python 3.6
+
+* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.13-0.4.20150714svn
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Tue Nov 10 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org>
+- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5
+
+* Mon Jul 20 2015 Tomas Hozza <thozza@redhat.com> - 0.13-0.2.20150714svn
+- Provide Workstation specific configuration
+
+* Wed Jul 15 2015 Tomas Hozza <thozza@redhat.com> - 0.13-0.1.20150714svn
+- split dnssec-trigger panel into separate subpackage (#1236363)
+- SPEC file cleanup based on rpmlint and fedora-review issues
+- implement some suggestions (#1236363)
+- rebase to the latest svn trunk snapshot 0.13_20150714
+- Script is not searching local user directories any more (#1213062)
+- Script now doesn't restart NM if version is >= 1.0.3, but sends just signal
+- Script now specifies the NMClient version for GI (#1242430)
+- Script now sets negative-cache-ttl in unbound to 5 seconds (#1229596)
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.12-21
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Wed Apr 08 2015 Tomas Hozza <thozza@redhat.com> - 0.12-20
+- Fix issue when installing private address range zone without global forwarders (#1205864)
+- Fix configuration of private address range zones (#1128310#c20)
+
+* Fri Mar 13 2015 Tomas Hozza <thozza@redhat.com> - 0.12-19
+- Fix typo in the dnssec-trigger-script (#1187371)
+- Use Python3 by default
+
+* Mon Jan 26 2015 Pavel Šimerda <psimerda@redhat.com> - 0.12-18
+- Resolves: #1185796, #1130502, #1105685, #1128310 – update
+
+* Tue Jan 20 2015 Pavel Šimerda <psimerda@redhat.com> - 0.12-17
+- Resolves: #1183975 - systemd cgroup check fails
+
+* Tue Jan 20 2015 Pavel Šimerda <psimerda@redhat.com> - 0.12-16
+- Resolves: #1165126, #1125267, #1089766, #1112248, #824219 - update
+
+* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.12-15
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Thu Aug 14 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-14
+- Resolves: #1125261 - dnssec-trigger-script: use fcntl.flock instead of
+  lockfile
+
+* Mon Aug 11 2014 Tomas Hozza <thozza@redhat.com> - 0.12-13
+- One Fedora fallback server changed IP address (#1125440)
+
+* Mon Jun 30 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-12
+- Resolves: #1112248 - require a version of NetworkManager with #1113122 fixed
+
+* Tue Jun 24 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-11
+- Resolves: #1112248 - serialize the script instances
+
+* Tue Jun 24 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-10
+- Resolves: #1112248 - fix a typo
+
+* Tue Jun 24 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-9
+- Resolves: #1112248 - fix systemd race condition
+
+* Mon Jun 23 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-8
+- Resolves: #1112248 - don't block on systemctl restart NetworkManager
+
+* Mon Jun 23 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-7
+- Resolves: #1112248, #1111143 - update dnssec-trigger-script and dnssec-triggerd.service
+
+* Fri Jun 20 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-6
+- Resolves: #1111143 - fix for python2
+
+* Fri Jun 20 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-5
+- Related: #842455 - remove a patch that is now redundant
+
+* Fri Jun 20 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-4
+- update dnssec-trigger-script to current development submitted upstream
+
+* Wed Jun 18 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-3
+- Resolves: #1105896 - the new script doesn't call dnssec-trigger-control submit
+
+* Fri Jun 06 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-2
+- fix various dnssec-trigger-script issues
+
+* Fri May 23 2014 Tomas Hozza <thozza@redhat.com> - 0.12-1
+- Update to 0.12 version
+- Drop merged patches
+- Drop downstream files (systemd, dispatcher scripts)
+
+* Tue May 13 2014 Paul Wouters <pwouters@redhat.com> - 0.11-21
+- Enable full hardening (includig PIE)
+- Resolves: rhbz#1045689 dnssec-trigger creates long-time RSA key with inappropriate size
+
+* Wed Feb 19 2014 Tomas Hozza <thozza@redhat.com> - 0.11-20
+- Restart NM on dnssec-trigger shutdown (let NM handle the resolv.conf content)
+- HN-hook: Handle situation when connection does not have a device
+
+* Wed Jan 29 2014 Tomas Hozza <thozza@redhat.com> - 0.11-19
+- Use new Python dispatcher script and ship /etc/dnssec.conf
+
+* Tue Jan 28 2014 Tomas Hozza <thozza@redhat.com> - 0.11-18
+- Use systemd macros instead of directly calling systemctl
+- simplify the systemd unit file for generating keys
+
+* Thu Nov 21 2013 Tomas Hozza <thozza@redhat.com> - 0.11-17
+- Add script to backup and restore resolv.conf on dnssec-trigger start/stop
+
+* Mon Nov 18 2013 Tomas Hozza <thozza@redhat.com> - 0.11-16
+- Improve GUI dialogs texts
+
+* Tue Nov 12 2013 Tomas Hozza <thozza@redhat.com> - 0.11-15
+- Fix NM dispatcher script to work with NM >= 0.9.9.0 (#1029571)
+
+* Mon Aug 26 2013 Tomas Hozza <thozza@redhat.com> - 0.11-14
+- Fix errors found by static analysis of source
+
+* Fri Aug 09 2013 Tomas Hozza <thozza@redhat.com> - 0.11-13
+- Use improved NM dispatcher script from upstream
+- Added tmpfiles.d config due to improved NM dispatcher script
+
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.11-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Mon Mar 04 2013 Adam Tkac <atkac redhat com> - 0.11-11
+- link dnssec-trigger.conf.8 to dnssec-trigger.8
+- build dnssec-triggerd with full RELRO
+
+* Mon Mar 04 2013 Adam Tkac <atkac redhat com> - 0.11-10
+- remove deprecated "Application" keyword from desktop file
+
+* Mon Mar 04 2013 Adam Tkac <atkac redhat com> - 0.11-9
+- install various dnssec-trigger-* symlinks to dnssec-trigger.8 manpage
+
+* Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.11-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Tue Jan 08 2013 Paul Wouters <pwouters@redhat.com> - 0.11-7
+- Use full path for systemd (rhbz#842455)
+
+* Tue Jul 24 2012 Paul Wouters <pwouters@redhat.com> - 0.11-6
+- Patched daemon to remove immutable attr (rhbz#842455) as the
+  systemd ExecStopPost= target does not seem to work
+
+* Tue Jul 24 2012 Paul Wouters <pwouters@redhat.com> - 0.11-5
+- On service stop, remove immutable attr from resolv.conf (rhbz#842455)
+
+* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.11-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Thu Jun 28 2012 Paul Wouters <pwouters@redhat.com> - 0.11-3
+- Fix DHCP hook for f17+ version of nmcli (rhbz#835298)
+
+* Sun Jun 17 2012 Paul Wouters <pwouters@redhat.com> - 0.11-2
+- Small textual changes to some popup windows
+
+* Fri Jun 15 2012 Paul Wouters <pwouters@redhat.com> - 0.11-1
+- Updated to 0.11
+- http Hotspot detection via fedoraproject.org/static/hotspot.html
+- http Hotspot Login page via uses hotspot-nocache.fedoraproject.org
+
+* Thu Feb 23 2012 Paul Wouters <pwouters@redhat.com> - 0.10-4
+- Require: unbound
+
+* Wed Feb 22 2012 Paul Wouters <pwouters@redhat.com> - 0.10-3
+- Fix the systemd startup to require unbound
+- dnssec-triggerd no longer forks, giving systemd more control
+- Fire NM dispatcher in ExecStartPost of dnssec-triggerd.service
+- Fix tcp80 entries in dnssec-triggerd.conf
+- symlink dnssec-trigger-panel to dnssec-trigger to supress the
+  "-panel" in the applet name shown in gnome3
+
+
+* Wed Feb 22 2012 Paul Wouters <pwouters@redhat.com> - 0.10-2
+- The NM hook was not modified at the right time during build
+
+* Wed Feb 22 2012 Paul Wouters <pwouters@redhat.com> - 0.10-1
+- Updated to 0.10
+- The NM hook lacks /usr/sbin in path, resulting in empty resolv.conf on hotspot
+
+* Wed Feb 08 2012 Paul Wouters <pwouters@redhat.com> - 0.9-4
+- Updated tls443 / tls80 resolver instances supplied by Fedora Hosted
+
+* Mon Feb 06 2012 Paul Wouters <pwouters@redhat.com> - 0.9-3
+- Convert from SysV to systemd for initial Fedora release
+- Moved configs and pem files to /etc/dnssec-trigger/
+- No more /var/run/dnssec-triggerd/
+- Fix Build-requires
+- Added commented tls443 port80 entries of pwouters resolvers
+- On uninstall ensure there is no immutable bit on /etc/resolv.conf
+
+* Sat Jan 07 2012 Paul Wouters <paul@xelerance.com> - 0.9-2
+- Added LICENCE to doc section
+
+* Mon Dec 19 2011 Paul Wouters <paul@xelerance.com> - 0.9-1
+- Upgraded to 0.9
+
+* Fri Oct 28 2011 Paul Wouters <paul@xelerance.com> - 0.7-1
+- Upgraded to 0.7
+
+* Fri Sep 23 2011 Paul Wouters <paul@xelerance.com> - 0.4-1
+- Upgraded to 0.4
+
+* Sat Sep 17 2011 Paul Wouters <paul@xelerance.com> - 0.3-5
+- Start 01-dnssec-trigger-hook in daemon start
+- Ensure dnssec-triggerd starts after NetworkManager
+
+* Fri Sep 16 2011 Paul Wouters <paul@xelerance.com> - 0.3-4
+- Initial package

dnssec-trigger-0.13-hints-update.patch

@@ -1,49 +0,0 @@
-From fab878a1eba7221c718b74b47ac74fc67066ee57 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
-Date: Fri, 18 Aug 2017 12:04:14 +0200
-Subject: [PATCH 2/2] Update root servers IPs
-
----
- riggerd/probe.c | 11 +++++++----
- 1 file changed, 7 insertions(+), 4 deletions(-)
-
-diff --git a/riggerd/probe.c b/riggerd/probe.c
-index a443d5f..262e618 100644
---- a/riggerd/probe.c
-+++ b/riggerd/probe.c
-@@ -176,7 +176,7 @@ get_random_auth_ip4(void)
- 		"192.203.230.10", /* e */
- 		"192.5.5.241", /* f */
- 		"192.112.36.4", /* g */
--		"128.63.2.53", /* h */
-+		"198.97.190.53", /* h */
- 		"192.36.148.17", /* i */
- 		"192.58.128.30", /* j */
- 		"193.0.14.129", /* k */
-@@ -193,17 +193,20 @@ get_random_auth_ip6(void)
- 	/* list of root servers */
- 	const char* choices[] = {
- 		"2001:503:ba3e::2:30", /* a */
-+		"2001:500:200::b", /* b */
- 		"2001:500:2::c", /* c */
- 		"2001:500:2d::d", /* d */
-+		"2001:500:a8::e", /* e */
- 		"2001:500:2f::f", /* f */
--		"2001:500:1::803f:235", /* h */
-+		"2001:500:12::d0d", /* g */
-+		"2001:500:1::53", /* h */
- 		"2001:7fe::53", /* i */
- 		"2001:503:c27::2:30", /* j */
- 		"2001:7fd::1", /* k */
--		"2001:500:3::42", /* l */
-+		"2001:500:9f::42", /* l */
- 		"2001:dc3::35" /* m */
- 	};
--	return choices[ ldns_get_random() % 10 ];
-+	return choices[ ldns_get_random() % 13 ];
- }
- 
- static const char* get_random_tcp80_ip4(struct cfg* cfg)
--- 
-2.9.5
-

dnssec-trigger-0.13-remove-kr.com-probe.patch

@@ -1,27 +0,0 @@
-From 3ad04ca4b4080e314b9ea05c577e8bfe5e88804f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
-Date: Fri, 18 Aug 2017 12:00:20 +0200
-Subject: [PATCH 1/2] Remove kr.com because of DNSSEC failures
-
----
- riggerd/probe.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/riggerd/probe.c b/riggerd/probe.c
-index dcd83dd..a443d5f 100644
---- a/riggerd/probe.c
-+++ b/riggerd/probe.c
-@@ -156,8 +156,8 @@ get_random_dest(void)
- static const char*
- get_random_nsec3_dest(void)
- {
--	const char* choices[] = { "_probe.us.com.", "_probe.uk.com.", "_probe.kr.com.", "_probe.uk.net." };
--	return choices[ ldns_get_random() % 4 ];
-+	const char* choices[] = { "_probe.us.com.", "_probe.uk.com.", "_probe.uk.net." };
-+	return choices[ ldns_get_random() % 3 ];
- }
- 
- /** the NSEC3 qtype to elicit it (a nodata answer) */
--- 
-2.9.5
-

dnssec-trigger-0.17-allowed-characters.patch

@@ -0,0 +1,30 @@
+From f410871470773c0767f97f86c1bd05074db63081 Mon Sep 17 00:00:00 2001
+From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
+Date: Mon, 3 Feb 2020 10:37:26 +0100
+Subject: [PATCH] - Fix for #3: Allow @ character to make scripts work, which
+ may fix resolv.conf lost in some situation bug.
+
+Changelog:
+3 February 2020: Wouter
+	- Fix for #3: Allow @ character to make scripts work, which may
+	  fix resolv.conf lost in some situation bug.
+---
+ riggerd/ubhook.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/riggerd/ubhook.c b/riggerd/ubhook.c
+index 382eee3..f1ce73c 100644
+--- a/riggerd/ubhook.c
++++ b/riggerd/ubhook.c
+@@ -80,7 +80,7 @@ allowed_arg(const char* arg)
+ 		}
+ 		if( isalnum((unsigned char)*s) || *s == ' ' || *s == ':' ||
+ 			*s == '.' || *s == '_' || *s == '-' || *s == '+' ||
+-			*s == '\t') {
++			*s == '\t' || *s == '@') {
+ 			continue;
+ 		} else 	{
+ 			log_err("command line string argument '%s' fails check on allowed characters", arg);
+-- 
+2.41.0
+

dnssec-trigger-0.17-openssl-3.2.patch

@@ -0,0 +1,34 @@
+From 7c3ff5b59952bc6bf11f988c9dbd961ae3c626ea Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Tue, 10 Sep 2024 16:22:07 +0200
+Subject: [PATCH] Mark explicitly server cert with CA flag
+
+Since OpenSSL 3.2 it did not connect from control to server cert. Create
+server with indication is it CA.
+
+Also use clientAuth trust for CA cert. That allows control cert to be
+used for client authentication.
+---
+ dnssec-trigger-control-setup.sh.in | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/dnssec-trigger-control-setup.sh.in b/dnssec-trigger-control-setup.sh.in
+index 7cc305a..eede665 100644
+--- a/dnssec-trigger-control-setup.sh.in
++++ b/dnssec-trigger-control-setup.sh.in
+@@ -200,9 +200,9 @@ EOF
+ test -f request.cfg || error "could not create request.cfg"
+ 
+ echo "create $SVR_BASE.pem (self signed certificate)"
+-openssl req -key $SVR_BASE.key -config request.cfg  -new -x509 -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
+-# create trusted usage pem
+-openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem"
++openssl req -key $SVR_BASE.key -config request.cfg  -new -x509 -days $DAYS -addext "basicConstraints=critical,CA:TRUE,pathlen:0" -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
++# create trusted usage pem for CA, what are signed certs allowed to do?
++openssl x509 -in "$SVR_BASE.pem" -addtrust clientAuth -out "${SVR_BASE}_trust.pem"
+ 
+ # create client request and sign it, piped
+ cat >request.cfg <<EOF
+-- 
+2.46.0
+

dnssec-trigger-0.17-server-recipe.patch

@@ -0,0 +1,59 @@
+From f6b4cd17294d8faa8fd4d70110ac9da9916e7d61 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Wed, 20 Nov 2024 16:58:48 +0100
+Subject: [PATCH] Add recipe for adding own server
+
+Until someone adds nice support for using just CA bundle and server
+name, allow specification by fingerprint obtained manually. Do not rely
+only on server provided by upstream.
+---
+ dnssec.conf     | 4 ++--
+ example.conf.in | 6 +++++-
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/dnssec.conf b/dnssec.conf
+index bf896d3..4726ca1 100644
+--- a/dnssec.conf
++++ b/dnssec.conf
+@@ -38,7 +38,7 @@
+ #
+ #  - See also security notes on the `add_wifi_provided_zones` option.
+ #
+-# validate_connection_provided_zones=yes
++# validate_connection_provided_zones=no
+ #
+ #  - Connection provided zones will be configured in Unbound as secure forward
+ #    zones, validated using DNSSEC.
+@@ -63,7 +63,7 @@
+ #    Turning this option off has security implications, See the security
+ #    notice above.
+ #
+-validate_connection_provided_zones=yes
++validate_connection_provided_zones=no
+ 
+ # add_wifi_provided_zones:
+ # ------------------------
+diff --git a/example.conf.in b/example.conf.in
+index dafd35d..f7e8a54 100644
+--- a/example.conf.in
++++ b/example.conf.in
+@@ -79,6 +79,11 @@ tcp80: 2a04:b900::10:0:0:67
+ ssl443: 185.49.140.67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF
+ ssl443: 2a04:b900::10:0:0:67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF
+ 
++# How to add your own record:
++# openssl s_client -connect example.com:443 -showcerts </dev/null > /tmp/dns.crt
++# openssl x509 -noout -in /tmp/dns.crt -fingerprint -sha256
++# Append returned sha256 Fingerprint after ssl443: IP-address section.
++
+ # Use VPN servers for all traffic
+ # use-vpn-forwarders: no
+ 
+@@ -87,4 +92,3 @@ ssl443: 2a04:b900::10:0:0:67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:
+ 
+ # Add domains provided by VPN connections into Unbound forward zones
+ # add-wifi-provided-zones: no
+-
+-- 
+2.47.0
+

dnssec-trigger-config-default.patch

@@ -0,0 +1,53 @@
+From 27bb1f49fe69055e2a5f02e5fe54e71e79d98fdc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Tue, 25 Jul 2023 15:39:15 +0200
+Subject: [PATCH] Make fedora default config changes
+
+Customize upstream example configuration for Fedora.
+---
+ example.conf | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/example.conf b/example.conf
+index 6031c0d..6251c98 100644
+--- a/example.conf
++++ b/example.conf
+@@ -1,5 +1,4 @@
+-# config for dnssec-trigger 0.17.
+-# this is a comment. there must be one statement per line.
++# Fedora/EPEL version of dnssec-trigger.conf
+ 
+ # logging detail, 0=only errors, 1=operations, 2=detail, 3,4 debug detail.
+ # verbosity: 1
+@@ -43,8 +42,8 @@
+ # port number to use for probe daemon.
+ # port: 8955
+ 
+-# these keys and certificates can be generated with the script
+-# dnssec-trigger-control-setup
++# keys and certificates generated by the dnssec-trigger-keygen systemd service
++# (which called dnssec-trigger-control-setup)
+ # server-key-file: "/etc/dnssec-trigger/dnssec_trigger_server.key"
+ # server-cert-file: "/etc/dnssec-trigger/dnssec_trigger_server.pem"
+ # control-key-file: "/etc/dnssec-trigger/dnssec_trigger_control.key"
+@@ -60,7 +59,7 @@
+ 
+ # provided by NLnetLabs
+ # It is provided on a best effort basis, with no service guarantee.
+-url: "http://ster.nlnetlabs.nl/hotspot.txt OK"
++# url: "http://ster.nlnetlabs.nl/hotspot.txt OK"
+ 
+ # provided by FedoraProject
+ url: "http://fedoraproject.org/static/hotspot.txt OK"
+@@ -72,7 +71,7 @@ url: "http://fedoraproject.org/static/hotspot.txt OK"
+ # hash is output of openssl x509 -sha256 -fingerprint -in server.pem
+ # You can add more with extra config lines.
+ 
+-# provided by NLnetLabs
++# provided by NLnetLabs (www.nlnetlabs.nl)
+ # It is provided on a best effort basis, with no service guarantee.
+ tcp80: 185.49.140.67
+ tcp80: 2a04:b900::10:0:0:67
+-- 
+2.41.0
+

dnssec-trigger-config-workstation.patch

@@ -0,0 +1,34 @@
+From d4b08251d816038950b522fc1b003c8d4f1bcc6d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Tue, 25 Jul 2023 15:42:50 +0200
+Subject: [PATCH] Customize workstation only
+
+---
+ dnssec-trigger-workstation.conf | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/dnssec-trigger-workstation.conf b/dnssec-trigger-workstation.conf
+index 6251c98..bb2b5db 100644
+--- a/dnssec-trigger-workstation.conf
++++ b/dnssec-trigger-workstation.conf
+@@ -32,6 +32,7 @@
+ # the command to run to open login pages on hot spots, a web browser.
+ # empty string runs no command.
+ # login-command: "/usr/bin/xdg-open"
++login-command: ""
+ 
+ # the url to open to get hot spot login, it gets overridden by the hotspot.
+ # login-location: "http://hotspot-nocache.fedoraproject.org/"
+@@ -62,7 +63,8 @@
+ # url: "http://ster.nlnetlabs.nl/hotspot.txt OK"
+ 
+ # provided by FedoraProject
+-url: "http://fedoraproject.org/static/hotspot.txt OK"
++# on Workstation, the detection is turned off
++# url: "http://fedoraproject.org/static/hotspot.txt OK"
+ 
+ # fallback open DNSSEC resolvers that run on TCP port 80 and TCP port 443.
+ # These relay incoming DNS traffic on the other port numbers to the usual DNS
+-- 
+2.41.0
+

dnssec-trigger-configure-c99.patch

@@ -0,0 +1,30 @@
+Do not rely on an implicit function declaration for detecting
+the daemon function.  Future compilers may not accept such
+declarations by default, causing the detection result to change.
+
+Submitted upstream: <https://github.com/NLnetLabs/dnssec-trigger/pull/11>
+
+diff --git a/configure b/configure
+index 079ea641e2940515..22c9487fb0d311f8 100755
+--- a/configure
++++ b/configure
+@@ -6757,6 +6757,7 @@ else
+ 
+ echo '
+ #include <stdlib.h>
++#include <unistd.h>
+ ' >conftest.c
+ echo 'void f(){ (void)daemon(0, 0); }' >>conftest.c
+ if test -z "`$CC -c conftest.c 2>&1 | grep deprecated`"; then
+diff --git a/configure.ac b/configure.ac
+index c809367d307f108e..e8095fe7288ba68a 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -225,6 +225,7 @@ AC_CHECK_FUNCS([daemon])
+ if test $ac_cv_func_daemon = yes; then
+         ACX_FUNC_DEPRECATED([daemon], [(void)daemon(0, 0);], [
+ #include <stdlib.h>
++#include <unistd.h>
+ ])
+ fi
+ 

dnssec-trigger-default.conf

@@ -1,99 +0,0 @@
-# Fedora/EPEL version of dnssec-trigger.conf
-
-# logging detail, 0=only errors, 1=operations, 2=detail, 3,4 debug detail.
-# verbosity: 1
-
-# pidfile location
-pidfile: "/var/run/dnssec-triggerd.pid"
-
-# log to a file instead of syslog, default is to syslog
-# logfile: "/var/log/dnssec-trigger.log"
-
-# log to syslog, or (log to to stderr or a logfile if specified). yes or no.
-# use-syslog: yes
-
-# chroot to this directory
-# chroot: ""
-
-# the unbound-control binary if not found in PATH.
-# commandline options can be appended "unbound-control -c my.conf" if you wish.
-# unbound-control: "/usr/sbin/unbound-control"
-
-# where is resolv.conf to edit.
-# resolvconf: "/etc/resolv.conf"
-
-# the domain example.com line (if any) to add to resolv.conf(5). default none.
-# domain: ""
-
-# domain name search path to add to resolv.conf(5). default none.
-# the search path from DHCP is not picked up, it could be used to misdirect.
-# search: ""
-
-# the command to run to open login pages on hot spots, a web browser.
-# empty string runs no command.
-# login-command: "xdg-open"
-
-# the url to open to get hot spot login, it gets overridden by the hotspot.
-# login-location: "http://www.nlnetlabs.nl/projects/dnssec-trigger"
-# should to be a ttl=0 entry
-login-location: "http://hotspot-nocache.fedoraproject.org/"
-
-# do not perform actions (unbound-control or resolv.conf), for a dry-run.
-# noaction: no
-
-# port number to use for probe daemon.
-# port: 8955
-
-# keys and certificates generated by the dnssec-trigger-keygen systemd service
-# (which called dnssec-trigger-control-setup)
-server-key-file: "/etc/dnssec-trigger/dnssec_trigger_server.key"
-server-cert-file: "/etc/dnssec-trigger/dnssec_trigger_server.pem"
-control-key-file: "/etc/dnssec-trigger/dnssec_trigger_control.key"
-control-cert-file: "/etc/dnssec-trigger/dnssec_trigger_control.pem"
-
-# check for updates, download and ask to install them (for Windows, OSX).
-# check-updates: no
-
-# webservers that are probed to see if internet access is possible.
-# They serve a simple static page over HTTP port 80.  It probes a random url:
-# after a space is the content expected on the page, (the page can contain
-# whitespace before and after this code).  Without urls it skips http probes.
-
-# provided by NLnetLabs
-# It is provided on a best effort basis, with no service guarantee.
-# url: "http://ster.nlnetlabs.nl/hotspot.txt OK"
-
-# provided by FedoraProject
-url: "http://fedoraproject.org/static/hotspot.txt OK"
-
-# fallback open DNSSEC resolvers that run on TCP port 80 and TCP port 443.
-# the ssl443 adds an ssl server IP, if you specify a hash it is checked, put
-# the following on one line: ssl443:<space><IP><space><HASHoutput>
-# hash is output of openssl x509 -sha256 -fingerprint -in server.pem
-# You can add more with extra config lines.
-
-# Provided by fedoraproject.org, #fedora-admin
-# It is provided on a best effort basis, with no service guarantee.
-ssl443: 140.211.169.201 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
-tcp80:  140.211.169.201
-ssl443: 66.35.62.163 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
-tcp80:  66.35.62.163 
-ssl443: 152.19.134.150 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
-tcp80:  152.19.134.150 
-ssl443: 2610:28:3090:3001:dead:beef:cafe:fed9 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
-tcp80:  2610:28:3090:3001:dead:beef:cafe:fed9 
-
-# provided by Paul Wouters (pwouters@redhat.com)
-# It is provided on a best effort basis, with no service guarantee.
-# tcp80:  193.110.157.123
-# tcp80:  2001:888:2003:1004::123
-# ssl443: 193.110.157.123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7
-# ssl443: 2001:888:2003:1004::123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7
-
-# provided by NLnetLabs (www.nlnetlabs.nl)
-# It is provided on a best effort basis, with no service guarantee.
-# tcp80: 213.154.224.3
-# tcp80: 2001:7b8:206:1:bb::
-# ssl443: 213.154.224.3 DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F
-# ssl443: 2001:7b8:206:1:bb:: DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F
-

dnssec-trigger-workstation.conf

@@ -1,101 +0,0 @@
-# Fedora/EPEL version of dnssec-trigger.conf
-
-# logging detail, 0=only errors, 1=operations, 2=detail, 3,4 debug detail.
-# verbosity: 1
-
-# pidfile location
-pidfile: "/var/run/dnssec-triggerd.pid"
-
-# log to a file instead of syslog, default is to syslog
-# logfile: "/var/log/dnssec-trigger.log"
-
-# log to syslog, or (log to to stderr or a logfile if specified). yes or no.
-# use-syslog: yes
-
-# chroot to this directory
-# chroot: ""
-
-# the unbound-control binary if not found in PATH.
-# commandline options can be appended "unbound-control -c my.conf" if you wish.
-# unbound-control: "/usr/sbin/unbound-control"
-
-# where is resolv.conf to edit.
-# resolvconf: "/etc/resolv.conf"
-
-# the domain example.com line (if any) to add to resolv.conf(5). default none.
-# domain: ""
-
-# domain name search path to add to resolv.conf(5). default none.
-# the search path from DHCP is not picked up, it could be used to misdirect.
-# search: ""
-
-# the command to run to open login pages on hot spots, a web browser.
-# empty string runs no command.
-# login-command: "xdg-open"
-login-command: ""
-
-# the url to open to get hot spot login, it gets overridden by the hotspot.
-# login-location: "http://www.nlnetlabs.nl/projects/dnssec-trigger"
-# should to be a ttl=0 entry
-# login-location: "http://hotspot-nocache.fedoraproject.org/"
-
-# do not perform actions (unbound-control or resolv.conf), for a dry-run.
-# noaction: no
-
-# port number to use for probe daemon.
-# port: 8955
-
-# keys and certificates generated by the dnssec-trigger-keygen systemd service
-# (which called dnssec-trigger-control-setup)
-server-key-file: "/etc/dnssec-trigger/dnssec_trigger_server.key"
-server-cert-file: "/etc/dnssec-trigger/dnssec_trigger_server.pem"
-control-key-file: "/etc/dnssec-trigger/dnssec_trigger_control.key"
-control-cert-file: "/etc/dnssec-trigger/dnssec_trigger_control.pem"
-
-# check for updates, download and ask to install them (for Windows, OSX).
-# check-updates: no
-
-# webservers that are probed to see if internet access is possible.
-# They serve a simple static page over HTTP port 80.  It probes a random url:
-# after a space is the content expected on the page, (the page can contain
-# whitespace before and after this code).  Without urls it skips http probes.
-
-# provided by NLnetLabs
-# It is provided on a best effort basis, with no service guarantee.
-# url: "http://ster.nlnetlabs.nl/hotspot.txt OK"
-
-# provided by FedoraProject
-# on Workstation, the detection is turned off
-# url: "http://fedoraproject.org/static/hotspot.txt OK"
-
-# fallback open DNSSEC resolvers that run on TCP port 80 and TCP port 443.
-# the ssl443 adds an ssl server IP, if you specify a hash it is checked, put
-# the following on one line: ssl443:<space><IP><space><HASHoutput>
-# hash is output of openssl x509 -sha256 -fingerprint -in server.pem
-# You can add more with extra config lines.
-
-# Provided by fedoraproject.org, #fedora-admin
-# It is provided on a best effort basis, with no service guarantee.
-ssl443: 140.211.169.201 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
-tcp80:  140.211.169.201
-ssl443: 66.35.62.163 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
-tcp80:  66.35.62.163 
-ssl443: 152.19.134.150 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
-tcp80:  152.19.134.150 
-ssl443: 2610:28:3090:3001:dead:beef:cafe:fed9 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
-tcp80:  2610:28:3090:3001:dead:beef:cafe:fed9 
-
-# provided by Paul Wouters (pwouters@redhat.com)
-# It is provided on a best effort basis, with no service guarantee.
-# tcp80:  193.110.157.123
-# tcp80:  2001:888:2003:1004::123
-# ssl443: 193.110.157.123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7
-# ssl443: 2001:888:2003:1004::123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7
-
-# provided by NLnetLabs (www.nlnetlabs.nl)
-# It is provided on a best effort basis, with no service guarantee.
-# tcp80: 213.154.224.3
-# tcp80: 2001:7b8:206:1:bb::
-# ssl443: 213.154.224.3 DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F
-# ssl443: 2001:7b8:206:1:bb:: DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F
-

dnssec-trigger.spec

@@ -1,42 +1,56 @@
 %global _hardened_build 1
 
-#%%global svn_snapshot 20150714
+#%%global snapshot 20150714
 
 Summary: Tool for dynamic reconfiguration of validating resolver Unbound
 Name: dnssec-trigger
-Version: 0.15
-Release: 5%{?svn_snapshot:.%{svn_snapshot}svn}%{?dist}
-License: BSD
-Url: http://www.nlnetlabs.nl/downloads/dnssec-trigger/
+Version: 0.17
+Release: %autorelease
+License: BSD-3-clause AND MIT AND ISC
+Url: https://www.nlnetlabs.nl/projects/dnssec-trigger/
 
-%if 0%{?svn_snapshot:1}
+%if 0%{?snapshot:1}
 # generated using './makedist.sh -s' in the cloned upstream trunk
-Source0: %{name}-%{version}_%{svn_snapshot}.tar.gz
+Source0: %{name}-%{version}_%{snapshot}.tar.gz
 %else
-Source0: http://www.nlnetlabs.nl/downloads/dnssec-trigger/%{name}-%{version}.tar.gz
+Source0: https://www.nlnetlabs.nl/downloads/dnssec-trigger/%{name}-%{version}.tar.gz
+Source1: https://www.nlnetlabs.nl/downloads/dnssec-trigger/%{name}-%{version}.tar.gz.asc
+Source2: https://keys.openpgp.org/vks/v1/by-fingerprint/EDFAA3F2CA4E6EB05681AF8E9F6F1C2D7E045F8D#/wouter.asc
 %endif
-Source1: dnssec-trigger.tmpfiles.d
-Source2: dnssec-trigger-default.conf
-Source3: dnssec-trigger-workstation.conf
+Source3: dnssec-trigger.tmpfiles.d
+#Source4: dnssec-trigger-default.conf
+#Source5: dnssec-trigger-workstation.conf
+Source6: ssh_config.conf
 
 # Patches
-Patch1: 0001-dnssec-trigger-script-port-to-libnm.patch
-Patch2: 0002-Fix-that-NXDOMAIN-for-_probe.uk.uk-is-deemed-allrigh.patch
+# Downstream changes to configuration
+Patch1: dnssec-trigger-config-workstation.patch
+# Downstream changes to configuration
+Patch2: dnssec-trigger-config-default.patch
+Patch3: 0003-Move-the-NetworkManager-dispatcher-script-out-of-etc.patch
+# https://github.com/NLnetLabs/dnssec-trigger/pull/7
+Patch4: 0004-Add-options-edns0-and-trust-ad.patch
+Patch5: dnssec-trigger-configure-c99.patch
+# https://github.com/NLnetLabs/dnssec-trigger/commit/f187c2be221a26f3c4ef4d9b16f1df67104ae634
+Patch6: dnssec-trigger-0.17-allowed-characters.patch
+Patch7: dnssec-trigger-0.17-openssl-3.2.patch
+# https://github.com/NLnetLabs/dnssec-trigger/pull/15
+Patch8: dnssec-trigger-0.17-server-recipe.patch
 
 # to obsolete the version in which the panel was in main package
 Obsoletes: %{name} < 0.12-22
 Suggests: %{name}-panel
 # Require a version of NetworkManager that doesn't forget to issue dhcp-change
 # https://bugzilla.redhat.com/show_bug.cgi?id=1112248
-%if 0%{?rhel} >= 7
+%if 0%{?rhel} >= 9 || 0%{?fedora} >= 31
+Requires: NetworkManager >= 1.20
+%elif 0%{?rhel} >= 7
 Requires: NetworkManager >= 0.9.9.1-13
-%else
-%if 0%{?fedora} >= 21
+%elif 0%{?fedora} >= 21
 Requires: NetworkManager >= 0.9.9.95-1
 %else
 Requires: NetworkManager >= 0.9.9.0-40
 %endif
-%endif
 Requires: ldns >= 1.6.10, NetworkManager-libnm, unbound
 # needed by /usr/sbin/dnssec-trigger-control-setup
 # otherwise it ends with error: /usr/sbin/dnssec-trigger-control-setup: line 180: openssl: command not found
@@ -45,11 +59,12 @@ Requires: openssl
 Requires: e2fsprogs
 BuildRequires: openssl-devel, ldns-devel, python3-devel, gcc
 BuildRequires: NetworkManager-libnm-devel
+%if 0%{?fedora} && ! 0%{?snapshot:1}
+BuildRequires: gnupg2
+%endif
 
-BuildRequires: systemd
-Requires(post): systemd
-Requires(preun): systemd
-Requires(postun): systemd
+BuildRequires: systemd-rpm-macros
+%{?systemd_ordering}
 
 # Provides Workstation specific configuration
 # - No captive portal detection and no action available on Captive portal (No UI)
@@ -69,6 +84,7 @@ Requires: %{name} = %{version}-%{release}
 Obsoletes: %{name} < 0.12-22
 Requires: xdg-utils
 BuildRequires: gtk2-devel, desktop-file-utils
+BuildRequires: make
 
 %description panel
 This package provides the GTK panel for interaction between the user
@@ -78,10 +94,11 @@ some user input is needed, the panel creates a dialog window.
 
 
 %prep
-%setup -q %{?svn_snapshot:-n %{name}-%{version}_%{svn_snapshot}}
-
-%patch1 -p1 -b .libnm_port
-%patch2 -p1 -b .nxdomain
+%if 0%{?fedora} && ! 0%{?snapshot:1}
+%gpgverify -d 0 -s 1 -k 2
+%endif
+%autosetup %{?snapshot:-n %{name}-%{version}_%{snapshot}} -N
+%autopatch -m 3 -p1
 
 # don't use DNSSEC for forward zones for now
 sed -i "s/validate_connection_provided_zones=yes/validate_connection_provided_zones=no/" dnssec.conf
@@ -91,27 +108,37 @@ sed -i "s/validate_connection_provided_zones=yes/validate_connection_provided_zo
 %configure  \
     --with-keydir=%{_sysconfdir}/dnssec-trigger \
     --with-hooks=networkmanager \
+%if 0%{?rhel} < 9 && 0%{?fedora} < 31
+    --with-networkmanager-dispatch=%{_sysconfdir}/NetworkManager/dispatcher.d \
+%endif
     --with-python=%{__python3} \
-    --with-pidfile=%{_localstatedir}/run/%{name}d.pid
+    --with-pidfile=%{_rundir}/%{name}d.pid \
+    --with-login-command=%{_bindir}/xdg-open \
+    --with-login-location="http://hotspot-nocache.fedoraproject.org/"
 
-%{__make} %{?_smp_mflags}
+# hotspot-nocache should have TTL=0
+
+%make_build
+
+%autopatch -p1 2
+cp -p example.conf dnssec-trigger-workstation.conf
+%autopatch -p1 1
 
 
 %install
-rm -rf %{buildroot}
-%{__make} DESTDIR=%{buildroot} install
+# https://github.com/NLnetLabs/dnssec-trigger/pull/13
+install -d -m 0755 %{buildroot}%{_libexecdir}
+%make_install
 
 install -d 0755 %{buildroot}%{_unitdir}
-install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/%{name}/
-install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/%{name}/
-
-mkdir -p %{buildroot}%{_libexecdir}
+install -p -m 0644 example.conf %{buildroot}%{_sysconfdir}/%{name}/dnssec-trigger-default.conf
+install -p -m 0644 dnssec-trigger-workstation.conf %{buildroot}%{_sysconfdir}/%{name}/
 
 desktop-file-install --dir=%{buildroot}%{_datadir}/applications dnssec-trigger-panel.desktop
 
 # install the configuration for /var/run/dnssec-trigger into tmpfiles.d dir
 mkdir -p %{buildroot}%{_tmpfilesdir}
-install -m 644 %{SOURCE1} ${RPM_BUILD_ROOT}%{_tmpfilesdir}/%{name}.conf
+install -m 644 %{SOURCE3} ${RPM_BUILD_ROOT}%{_tmpfilesdir}/%{name}.conf
 # we must create the /var/run/dnssec-trigger directory
 mkdir -p %{buildroot}%{_localstatedir}/run
 install -d -m 0755 %{buildroot}%{_localstatedir}/run/%{name}
@@ -122,10 +149,12 @@ ln -s dnssec-trigger-panel %{buildroot}%{_bindir}/dnssec-trigger
 # Make dnssec-trigger.8 manpage available under names of all dnssec-trigger-*
 # executables
 for all in dnssec-trigger-control dnssec-trigger-control-setup dnssec-triggerd; do
-    ln -s %{_mandir}/man8/dnssec-trigger.8 %{buildroot}/%{_mandir}/man8/"$all".8
+    ln -s dnssec-trigger.8 %{buildroot}/%{_mandir}/man8/"$all".8
 done
-ln -s %{_mandir}/man8/dnssec-trigger.8 %{buildroot}/%{_mandir}/man8/dnssec-trigger.conf.8
+ln -s dnssec-trigger.8 %{buildroot}/%{_mandir}/man8/dnssec-trigger.conf.8
 
+install -d -m 0755 %{buildroot}%{_sysconfdir}/ssh/ssh_config.d
+install -m 0644 %{SOURCE6} %{buildroot}%{_sysconfdir}/ssh/ssh_config.d/10-%{name}.conf
 
 %post
 %systemd_post %{name}d.service
@@ -163,12 +192,18 @@ fi
 %{_libexecdir}/dnssec-trigger-script
 %{_unitdir}/%{name}d.service
 %{_unitdir}/%{name}d-keygen.service
+%if 0%{?rhel} >= 9 || 0%{?fedora} >= 31
+%attr(0755,root,root) %{_prefix}/lib/NetworkManager/dispatcher.d/01-dnssec-trigger
+%else
 %attr(0755,root,root) %{_sysconfdir}/NetworkManager/dispatcher.d/01-dnssec-trigger
+%endif
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/dnssec.conf
 %attr(0755,root,root) %dir %{_sysconfdir}/%{name}
 %attr(0644,root,root) %ghost %config(noreplace) %{_sysconfdir}/%{name}/dnssec-trigger.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-trigger-default.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-trigger-workstation.conf
+%attr(0755,root,root) %dir %{_sysconfdir}/ssh/ssh_config.d
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/10-%{name}.conf
 %dir %{_localstatedir}/run/%{name}
 %{_tmpfilesdir}/%{name}.conf
 %{_mandir}/man8/dnssec-trigger*
@@ -182,245 +217,4 @@ fi
 
 
 %changelog
-* Wed Mar 14 2018 Petr Menšík <pemensik@redhat.com> - 0.15-5
-- Accept NXDOMAIN for NSEC probe (#1555355)
-
-* Mon Feb 19 2018 Tomas Hozza <thozza@redhat.com> - 0.15-4
-- Added explicit BuildRequires on gcc as required by packaging guidelines
-- Added explicit Requires on e2fsprogs, so that /usr/bin/chattr is available
-- Remove redundant removal of immutable bit in %%preun scriptlet (#1542400)
-
-* Mon Feb 19 2018 Tomas Hozza <thozza@redhat.com> - 0.15-3
-- use NetworkManager-libnm instead of NetworkManager-glib
-
-* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.15-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
-
-* Mon Dec 11 2017 Tomas Hozza <thozza@redhat.com> - 0.15-1
-- Update to stable 0.15 upstream release
-
-* Fri Aug 18 2017 Petr Menšík <pemensik@redhat.com> - 0.13-4
-- Skip always failing kr.com, update root IPs (#1482939)
-
-* Wed Mar 08 2017 Tomas Hozza <thozza@redhat.com> - 0.13-3
-- Rebuild against new ldns
-
-* Wed Mar 01 2017 Tomas Hozza <thozza@redhat.com> - 0.13-2
-- Include fix for runtime issues with OpenSSL 1.1.0 (#1427561)
-
-* Fri Feb 17 2017 Tomas Hozza <thozza@redhat.com> - 0.13-1
-- Update to stable 0.13 upstream release
-- Dropped merged patches
-
-* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.13-0.6.20150714svn
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
-
-* Mon Dec 19 2016 Miro Hrončok <mhroncok@redhat.com> - 0.13-0.5.20150714svn
-- Rebuild for Python 3.6
-
-* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.13-0.4.20150714svn
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
-
-* Tue Nov 10 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org>
-- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5
-
-* Mon Jul 20 2015 Tomas Hozza <thozza@redhat.com> - 0.13-0.2.20150714svn
-- Provide Workstation specific configuration
-
-* Wed Jul 15 2015 Tomas Hozza <thozza@redhat.com> - 0.13-0.1.20150714svn
-- split dnssec-trigger panel into separate subpackage (#1236363)
-- SPEC file cleanup based on rpmlint and fedora-review issues
-- implement some suggestions (#1236363)
-- rebase to the latest svn trunk snapshot 0.13_20150714
-- Script is not searching local user directories any more (#1213062)
-- Script now doesn't restart NM if version is >= 1.0.3, but sends just signal
-- Script now specifies the NMClient version for GI (#1242430)
-- Script now sets negative-cache-ttl in unbound to 5 seconds (#1229596)
-
-* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.12-21
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
-
-* Wed Apr 08 2015 Tomas Hozza <thozza@redhat.com> - 0.12-20
-- Fix issue when installing private address range zone without global forwarders (#1205864)
-- Fix configuration of private address range zones (#1128310#c20)
-
-* Fri Mar 13 2015 Tomas Hozza <thozza@redhat.com> - 0.12-19
-- Fix typo in the dnssec-trigger-script (#1187371)
-- Use Python3 by default
-
-* Mon Jan 26 2015 Pavel Šimerda <psimerda@redhat.com> - 0.12-18
-- Resolves: #1185796, #1130502, #1105685, #1128310 – update
-
-* Tue Jan 20 2015 Pavel Šimerda <psimerda@redhat.com> - 0.12-17
-- Resolves: #1183975 - systemd cgroup check fails
-
-* Tue Jan 20 2015 Pavel Šimerda <psimerda@redhat.com> - 0.12-16
-- Resolves: #1165126, #1125267, #1089766, #1112248, #824219 - update
-
-* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.12-15
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
-
-* Thu Aug 14 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-14
-- Resolves: #1125261 - dnssec-trigger-script: use fcntl.flock instead of
-  lockfile
-
-* Mon Aug 11 2014 Tomas Hozza <thozza@redhat.com> - 0.12-13
-- One Fedora fallback server changed IP address (#1125440)
-
-* Mon Jun 30 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-12
-- Resolves: #1112248 - require a version of NetworkManager with #1113122 fixed
-
-* Tue Jun 24 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-11
-- Resolves: #1112248 - serialize the script instances
-
-* Tue Jun 24 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-10
-- Resolves: #1112248 - fix a typo
-
-* Tue Jun 24 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-9
-- Resolves: #1112248 - fix systemd race condition
-
-* Mon Jun 23 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-8
-- Resolves: #1112248 - don't block on systemctl restart NetworkManager
-
-* Mon Jun 23 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-7
-- Resolves: #1112248, #1111143 - update dnssec-trigger-script and dnssec-triggerd.service
-
-* Fri Jun 20 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-6
-- Resolves: #1111143 - fix for python2
-
-* Fri Jun 20 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-5
-- Related: #842455 - remove a patch that is now redundant
-
-* Fri Jun 20 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-4
-- update dnssec-trigger-script to current development submitted upstream
-
-* Wed Jun 18 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-3
-- Resolves: #1105896 - the new script doesn't call dnssec-trigger-control submit
-
-* Fri Jun 06 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-2
-- fix various dnssec-trigger-script issues
-
-* Fri May 23 2014 Tomas Hozza <thozza@redhat.com> - 0.12-1
-- Update to 0.12 version
-- Drop merged patches
-- Drop downstream files (systemd, dispatcher scripts)
-
-* Tue May 13 2014 Paul Wouters <pwouters@redhat.com> - 0.11-21
-- Enable full hardening (includig PIE)
-- Resolves: rhbz#1045689 dnssec-trigger creates long-time RSA key with inappropriate size
-
-* Wed Feb 19 2014 Tomas Hozza <thozza@redhat.com> - 0.11-20
-- Restart NM on dnssec-trigger shutdown (let NM handle the resolv.conf content)
-- HN-hook: Handle situation when connection does not have a device
-
-* Wed Jan 29 2014 Tomas Hozza <thozza@redhat.com> - 0.11-19
-- Use new Python dispatcher script and ship /etc/dnssec.conf
-
-* Tue Jan 28 2014 Tomas Hozza <thozza@redhat.com> - 0.11-18
-- Use systemd macros instead of directly calling systemctl
-- simplify the systemd unit file for generating keys
-
-* Thu Nov 21 2013 Tomas Hozza <thozza@redhat.com> - 0.11-17
-- Add script to backup and restore resolv.conf on dnssec-trigger start/stop
-
-* Mon Nov 18 2013 Tomas Hozza <thozza@redhat.com> - 0.11-16
-- Improve GUI dialogs texts
-
-* Tue Nov 12 2013 Tomas Hozza <thozza@redhat.com> - 0.11-15
-- Fix NM dispatcher script to work with NM >= 0.9.9.0 (#1029571)
-
-* Mon Aug 26 2013 Tomas Hozza <thozza@redhat.com> - 0.11-14
-- Fix errors found by static analysis of source
-
-* Fri Aug 09 2013 Tomas Hozza <thozza@redhat.com> - 0.11-13
-- Use improved NM dispatcher script from upstream
-- Added tmpfiles.d config due to improved NM dispatcher script
-
-* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.11-12
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
-
-* Mon Mar 04 2013 Adam Tkac <atkac redhat com> - 0.11-11
-- link dnssec-trigger.conf.8 to dnssec-trigger.8
-- build dnssec-triggerd with full RELRO
-
-* Mon Mar 04 2013 Adam Tkac <atkac redhat com> - 0.11-10
-- remove deprecated "Application" keyword from desktop file
-
-* Mon Mar 04 2013 Adam Tkac <atkac redhat com> - 0.11-9
-- install various dnssec-trigger-* symlinks to dnssec-trigger.8 manpage
-
-* Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.11-8
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
-
-* Tue Jan 08 2013 Paul Wouters <pwouters@redhat.com> - 0.11-7
-- Use full path for systemd (rhbz#842455)
-
-* Tue Jul 24 2012 Paul Wouters <pwouters@redhat.com> - 0.11-6
-- Patched daemon to remove immutable attr (rhbz#842455) as the
-  systemd ExecStopPost= target does not seem to work
-
-* Tue Jul 24 2012 Paul Wouters <pwouters@redhat.com> - 0.11-5
-- On service stop, remove immutable attr from resolv.conf (rhbz#842455)
-
-* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.11-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
-
-* Thu Jun 28 2012 Paul Wouters <pwouters@redhat.com> - 0.11-3
-- Fix DHCP hook for f17+ version of nmcli (rhbz#835298)
-
-* Sun Jun 17 2012 Paul Wouters <pwouters@redhat.com> - 0.11-2
-- Small textual changes to some popup windows
-
-* Fri Jun 15 2012 Paul Wouters <pwouters@redhat.com> - 0.11-1
-- Updated to 0.11
-- http Hotspot detection via fedoraproject.org/static/hotspot.html
-- http Hotspot Login page via uses hotspot-nocache.fedoraproject.org
-
-* Thu Feb 23 2012 Paul Wouters <pwouters@redhat.com> - 0.10-4
-- Require: unbound
-
-* Wed Feb 22 2012 Paul Wouters <pwouters@redhat.com> - 0.10-3
-- Fix the systemd startup to require unbound
-- dnssec-triggerd no longer forks, giving systemd more control
-- Fire NM dispatcher in ExecStartPost of dnssec-triggerd.service
-- Fix tcp80 entries in dnssec-triggerd.conf
-- symlink dnssec-trigger-panel to dnssec-trigger to supress the
-  "-panel" in the applet name shown in gnome3
-
-
-* Wed Feb 22 2012 Paul Wouters <pwouters@redhat.com> - 0.10-2
-- The NM hook was not modified at the right time during build
-
-* Wed Feb 22 2012 Paul Wouters <pwouters@redhat.com> - 0.10-1
-- Updated to 0.10
-- The NM hook lacks /usr/sbin in path, resulting in empty resolv.conf on hotspot
-
-* Wed Feb 08 2012 Paul Wouters <pwouters@redhat.com> - 0.9-4
-- Updated tls443 / tls80 resolver instances supplied by Fedora Hosted
-
-* Mon Feb 06 2012 Paul Wouters <pwouters@redhat.com> - 0.9-3
-- Convert from SysV to systemd for initial Fedora release
-- Moved configs and pem files to /etc/dnssec-trigger/
-- No more /var/run/dnssec-triggerd/
-- Fix Build-requires
-- Added commented tls443 port80 entries of pwouters resolvers
-- On uninstall ensure there is no immutable bit on /etc/resolv.conf
-
-* Sat Jan 07 2012 Paul Wouters <paul@xelerance.com> - 0.9-2
-- Added LICENCE to doc section
-
-* Mon Dec 19 2011 Paul Wouters <paul@xelerance.com> - 0.9-1
-- Upgraded to 0.9
-
-* Fri Oct 28 2011 Paul Wouters <paul@xelerance.com> - 0.7-1
-- Upgraded to 0.7
-
-* Fri Sep 23 2011 Paul Wouters <paul@xelerance.com> - 0.4-1
-- Upgraded to 0.4
-
-* Sat Sep 17 2011 Paul Wouters <paul@xelerance.com> - 0.3-5
-- Start 01-dnssec-trigger-hook in daemon start
-- Ensure dnssec-triggerd starts after NetworkManager
-
-* Fri Sep 16 2011 Paul Wouters <paul@xelerance.com> - 0.3-4
-- Initial package
+%autochangelog

dnssec-trigger.tmpfiles.d

@@ -1 +1 @@
-d /var/run/dnssec-trigger 0755 root root -
+d /run/dnssec-trigger 0755 root root -

plans/public.fmf

@@ -0,0 +1,6 @@
+summary: Run all beakerlib tests for dnssec-trigger
+discover:
+  - name: fedora_tests_dnssec-trigger
+    how: fmf
+execute:
+    how: tmt

sources

@@ -1 +1,2 @@
-SHA512 (dnssec-trigger-0.15.tar.gz) = 5ce7d7fe9049f14afbb2075a764ae8f44e773801e6ebd7f4eb2bd4cfc07a338db7aa5b666ccad40da1f1528160bab9706cf8015b800f2e23c4b6e3639793a846
+SHA512 (dnssec-trigger-0.17.tar.gz) = a3f740f9ba49eee820414211d7390d86c991d964af2562b8590b95afb681dcb82a76f232b836ad663ae6181185366fcd63d75dc81789e3331535e3c26bc18e4e
+SHA512 (dnssec-trigger-0.17.tar.gz.asc) = 23efe403ae5638fdce198d38b4b8e3d5ebe8c5630051042a8840adba462fa7a461d892e1f6b049f1da76b920953af8f80c1ab99e6f9d612e8fdb98537ca492c1

ssh_config.conf

@@ -0,0 +1,2 @@
+# Enable SSHFP verification
+VerifyHostKeyDNS yes

tests/.gitignore

@@ -0,0 +1,2 @@
+.testinfo.tmt
+.*.swp

tests/Sanity/basic-functionality/main.fmf

@@ -0,0 +1,9 @@
+summary: Try starting dnssec-triggerd and use fallbacks
+description: |
+  Use configured fallbacks manually by test_tcp and test_http commands.
+  Also check resolutions is actually working.
+test: ./test.sh
+framework: beakerlib
+require:
+  - dnssec-trigger
+  - unbound

tests/Sanity/basic-functionality/test.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+MOVED_RESOLV_CONF=""
+
+wait_for_probe() {
+	while dnssec-trigger-control status | grep -q '^probe is in progress'; do
+		sleep 1
+	done
+}
+
+test_fallback() {
+	local TYPE=$1
+	local HOST=$2
+
+	rlRun "dnssec-trigger-control test_${TYPE}"
+	wait_for_probe
+	sleep 1
+	rlRun "dnssec-trigger-control status"
+	rlRun -s "unbound-host -rvD ${HOST}" 0 "Check dnssec works over ${TYPE} fallback"
+	rlAssertGrep '(secure)' $rlRun_LOG
+}
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlRun "tmp=\$(mktemp -d)" 0 "Create tmp directory"
+	rlAssertRpm dnssec-trigger
+	rlFileBackup --missing-ok /etc/resolv.conf
+	if test -L /etc/resolv.conf; then
+		MOVED_RESOLV_CONF="/etc/resolv-backup-$$.conf"
+		rlRun "mv /etc/resolv.conf ${MOVED_RESOLV_CONF}"
+	fi
+        rlRun "pushd $tmp"
+	rlServiceStart dnssec-triggerd
+    rlPhaseEnd
+
+    rlPhaseStartTest
+    	rlRun "dnssec-trigger-control status"
+	rlRun -s "unbound-host -rvD example.org" 0 "Check dnssec actually works"
+	rlAssertGrep '(secure)' $rlRun_LOG
+
+	test_fallback tcp www.example.org
+	# This variant is not passing
+	#test_fallback http example.net
+	test_fallback ssl www.example.net
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rlServiceRestore dnssec-triggerd
+        rlRun "popd"
+	if [ -n "$MOVED_RESOLV_CONF" ]; then
+		rm -f /etc/resolv.conf
+		rlRun "mv -f ${MOVED_RESOLV_CONF} /etc/resolv.conf"
+	fi
+	rlFileRestore
+        rlRun "rm -r $tmp" 0 "Remove tmp directory"
+    rlPhaseEnd
+rlJournalEnd

wouter.asc

@@ -0,0 +1,123 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+xsFNBE2v/RwBEACyQpJlpCeSZBV1QUH7jNEp5xGdo6OnX2h9XoZ4ZPsb+u6OT+xE
+SH45ncnISUh8rPCygbeWOoPR/yOBzh+lYoGxQ5iUHtwRrhHq04sQe/qFpXDO2xs6
+1pTcPU2PnH7Rsr2qp6fZLPHuXLolD7NJfaSib8sVeMM0/ecyl/L2bBg9NpaGDX0x
+TQh95M8o6AFo6UKWApBpgsvEZr2aH/B8b9KnCWFhfJyheEM7DamksdZNsKxXQyq3
+l/ROfdsMLZGF8vPbYV/v11G4keyaLpn8AbBpybIiw9SYDwf2ENk3+e1NFfMaiiyE
+qn9+aaLTKCY87TMUuoN3s3jWOOy5tHXzf6DbKhub4Awsby3DH5YpPhi4N2vj2pAX
+Vpl5+m78cH29JLzT+HAoyZ4tq1r3m0P5QogNqYwqxkKWYOjDilNDBiKiDdgtrLYG
+x+ABovKG/FvToJoaCL4AFaVCzWmL2uHkSgyBN0FPHatCB1UeEkcQit6T8E2NQqmF
+WjUMXSWHHajSMG95+L5PdLHz/Ku0o3Csvlt2pkElYZmzJBfnOM9JevdsmKr/ruJC
+/DCZAn5w2S/9ZF5qfo2F9HUKIwE/dChR29HcN8V4nqZs9oCvEMfFhHmrfwDc5hed
+hvb6mAkvSFFtKIrygLIVeWRj3FE9sGp6sr4VwOLYTFRNk7mAsWD1rZApeQARAQAB
+zSdXLkMuQS4gV2lqbmdhYXJkcyA8d291dGVyQG5sbmV0bGFicy5ubD7CwX4EEwEC
+ACgFAk2v/RwCGyMFCQlmAYAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEJ9v
+HC1+BF+N3yoQAIynfrvZ/8RNAv9lLcSc2PX3fvG7oRJEJSy9uMyIbMtb/a1BVCeh
+XjR8GhHJ5D/Z3jRWBQKw1rLLvOqbuBGkpKMR100ZVF4z/8e6CWtTAOFy28f1JQw2
+8kilN7K6vjno21S1JJ1XJAdoFdicyb1SW2r+KYod6fjSyF0lb71od+sdnSE9O/xd
+Cqyyu6cX+AwfDcuJ6Y8iOWu8CeWAz41LR1QBUQkCb/08mVfCEu+Cj+M31jjPDZEy
+UAw219vr4QFe0o3t+Msv0AUZvcRkW6+8qP5lO6I5we/33WBLZH70lhFvYtobM7HO
+MCjheRZguSzvRqEETfTjia1uVi3Yz2qM4CFdJIZF6Er79yKcB3jYquultrnlHdXZ
+/IZsHVRk6JfiqFkz9u1T9PkvMoQ452aUomGTg9xQchnKpe1E8osKgLulaY+izTEq
+Z8pH/HWWJ/YT13/n8pxK9EbC/8SkVhyXNehOSAGDZar+tjVBofgzS8r+GDyv+pBT
+SmjitIrVXZNuhigLp1o7Tvs4kjKlcFnLhfDHJ+yb5JyiZd01bVvaqnfRhACqXfWl
+oC0uslRbegoYwJUgX0BOrsOuHGH2SfGjd/QnA0bcEXM2kp1Dp1gqtcEd5Qitm647
+Yz+leWkhrmMmtTwqumXoAcvgzthJFUPcAzuhXZNfqQJMOGRxAGVI0P97wsF+BBMB
+AgAoAhsjBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCVu+rZAUJDQIVSAAKCRCf
+bxwtfgRfjdrWEACMQK0xYtZtAvLL/8CCcCi92Oi1rtXRGWnRy7JX020hftmWliMq
+4P0F3CJKVLhgZ/ldp8OOqmfDfmwLMVSaCQ86Ubqn7Ofrf8Ku8SGQuIMxY2ODB97h
+ouY4bnDHaM2Cqi6JkBN+G1tgdwqN/kcecF2tq3ql2k7eX91++A+F5ApIu1silzJP
+L4Z8W6MVOdKrtzEM7t61hRlsbpEPj72vbVBZ1hmTiIL4VWwdxQYamxBoOeneskyD
+DG+iMCI3P1GG3EQkk+9Aect/iH9uruE0mxn2aKN8cfuoR93cPF/ozCxS5ItwAVnN
+e39WRO1GT2zYaFgYm0lf9czcpRsRzNbGw938lZ3iPUiZe+ybKgLKkVmvrkM59ljH
+T99SrC14VXxgQwSs4gS3rdzbY9tPps62Z1q+xCVfTx1IY5P4nt59xwQV0Iw+pV9S
+/mVcOnPXl1UKb0ttOdYJErrq3RpF/D2g/NDtL0OWqIa8LvrBlyQYmWPKvKw76vt4
+bJ3NU31jSc0ow/j7EOVjOst86s629zmtnbJjWVr6LOy5EDUPusmqHv1t4Z4RMjf8
+OrJdNbFJoRXZv8FbW4NzXeGtMf8k6vKeejpdMH4+eLuoZG7dchU1JccfgqfwWpy0
+ojmb59drJcaQgVC6Jvw9l0TmGPNIsE4UrIWocaFgv4dOKvHA2hcnMDM8rsLBlQQT
+AQIAPwIbIwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQTt+qPyyk5usFaBr46f
+bxwtfgRfjQUCWaU4BQUJEZjVaQAKCRCfbxwtfgRfjb1YEACjkhtkyZkYURUmSZNL
+2IK/Zencv7DZGRfFrzijROFtHbe//H8o2ZhlyiaFSA/dT1ehjsukkR0oFkYadA+q
+Ui06WpxGmd/jf8hP4yTUZkwOhQAesWoNmnhKePNaVMKY8DP57bA+N2pdCcGu7gUt
+Yzq2JoTAtV+P/PE2w+H9eyBAulv6iUckM5/qvGfJPl8HB9BtgOpGN79otVWO6ebM
+4TQ3cZYI9BDQnt9cF2pviex+z1iLZVJ8UeRxSxYhrBKPJioi0Q1OgcKyO56t7Eot
+zxKl5TzprgvdX4cdls+lehD8StlE2Xv/TScHvdOhJuVBrn3a3QjZPb4qSsz74leW
+5/EIQmozBy+qf8AHcCmTXwb2U7oHOct7cVyS5+bFx+ThpV5OK0rjTH1LMNiuTeAN
+46c1y3prjZRpQUlgVwj06q3Zz/fzDyueUS/r4lW4nAf/VNZy/rTS2HYPoZbHZVCt
+GpDIfag6fV6V97Pd3zfhTf2wmsJsw9Xhktp/o7rMBRSMhvL4oevOXb0JSG2583Q/
+JnCCceB4NxRRxsgkRYHwdnXN9FnOPSa4NyvF4rzpPksLGZrhvm+lBvzVn/e40Q/K
+lxvSlnn2vW/WBM4pBq1jsoJrd/JkTdijZV7mt7HQ2bCLXAPgfZjy7n79WiCQVHg7
+iYnNikiNWR5TR7JcvdkxOdiA/8LBlQQTAQgAPwIbIwYLCQgHAwIGFQgCCQoLBBYC
+AwECHgECF4AWIQTt+qPyyk5usFaBr46fbxwtfgRfjQUCXe4JdQUJGaQN2QAKCRCf
+bxwtfgRfjQ8gEACe+49aDQHRuZdDHK1VCJKzhb+MvfdIjvl8eQxljpG9Uz5Y17Bx
+4SWfuLHCeGlh1m6IOAWeW4g6Wowm1ec1PkVa79TdrkKb0MxfLSat6iDbiuVjDxy2
+bWokW0/cPzJ/FoWDtEC0H9UTAMb5QGBDZUbLuwX7ZjvMkAhH15/hO9Gj4RHoH1RJ
+GJALRtZzjtzsJqL53kW/EV59V1T79Nocyx018iw50Jn02mI8wYJZ9HZc5C7D+K59
+vcqLRZgkrJrObw0sEv3YFOBYp/1DemH2nHPMBSKMmN5RAcr32guUjd4BEWf2Q7Ao
++Qnhdi161W0YKCW4JAmOoQ4bQ0wfE9Q5aUIGhUF52L+ac8Hy7dByaCExCA/WTqQQ
+/iVPybmpJQhFonWt/fmpxbE2wKThSEOHTO67e5e3JfUb0vNKssyZojao4h1MF5nv
+aPNKoybWwKnpNM0ORcyl+aogKwW7E15TEU0TE5//gAsFwRDcCnSEKnksgM0321m1
+7RDfJbCajIv47DHDYE3yvhRZjCJCaw0Gow1sDRWjdOFpmIixD5/vx5uxyqSHPuGA
+sXlEvl+Z3Rdc5bQ7pAWu7UNpR3hnJPfg8KL2xqOF75VKG9/NjLE80yj8wdVoCfDv
+vizrBtOXnHI49gCMCfNqbGIb5yVhmTdeo7li+Te9hlJ2DrHnujGJlFe+p87BTQRN
+r/0cARAApvDKeVLiSazESdTY9KsSWsqoB38pvOsu25M49tEjc5TtY5LwKNckqkeR
+lJ83O8dFG7UBVuGwLKaf/6OR/pe24upZ27eOOWW7sXvQNv5aXlOYfF+mjIhUINqj
+q4pKDmO1c9J7h5d+auOVfzcgfotg3BVCaKn56ucjiQJ059uUMfgWTvVlibnoJ7de
+Zcgt8v7VcLK9jv+P8QJHTIyDzJd+JjdjuHXqC/A37T5G9Z84x8wYrQY6mZmOIYaM
+jwIKdgFeN+nLk5henARUz4MTFUW4j9hHpuyAFomDQ93/wkHZ9IEChTxdZnfvsd//
+Z45vfcX9dQM+tuR8XCYThVsScI1TnwR46hi5NkfmHo3HVxwB8/owJ+FZDsTNBbJd
+7AVy27Xk4L5hLe7BwLDtFMyOp4lOipCM7//mtFB9mTzqnOwiSSyTRlwGUBJkzQFW
+Qa0Z6bfYwA6+y1dn19H519GW49irtl+2+W8W4N8oLriIjPvqrQOyaELFcRfV6FfL
+i09HPhHVbejOqIEbOtfuN0+mjrrGAwortfTBjfw80N+W90BTvta4K2SyjHcJTkDY
+ehfOo/5IMpGtDsOgvsCbDaFRnNJuYtSqQmvWk1KIPIw6CkdJtZa3+q3YA7D7ovOV
+H1OBTKNdBjc+X4W8L5R9MCymXWvgiP+52Sv1VIcZmsnCBrwK490AEQEAAcLBZQQY
+AQIADwUCTa/9HAIbDAUJCWYBgAAKCRCfbxwtfgRfjTY/D/9+kX8LeqBhwDdwy3ud
+V67KmVmytwGMfzBHbAyBdy84X06ip/If/VkjL+2Sv5Uml/cOOzGZT7y/KEt0uXQz
+gOZhGP5Y0OREf4kSzfb7tsGu3ZjTp5uJe7HiJr8uqYGfx94TQG/A3x1C7MlxOGmW
+DK/Eh/eNVeNd+3yyDEzl2p7a0yUhI8LtzllVrEDX+G4rz+mdDw4tfPDqzRPzPvVt
+PfqnfofHP5r2dshGe7+pCTC+o0jHWpaiFkEiIrR3PbZ9tV6+F5LzCUJJP5nepz6C
+ShpLHq9ST6qZiw5ZpdznHW0kVl96YxgynJq9Y4dqD/8nOfTzdHhXXEogGvRfcxat
+xeZF7YNFhUU2p+CswAjRKCUzZAz0hDAu+dJ+fw4Odx7ii8uiwhEnEHoo8rPETkXw
+UK1je4MCzMRSy0Gippzk/oZ7noIml+Njas/UygavUOQm8bcPqGfWeFqvM2C7ZobL
+2iV0fX/bhEmQyosiWJ0nHuKdwDYygYs/4LtZLxwiKli/lm6IDz1028j6/98Z81gG
+oltXWokTYAPEgcBuhyiSLSQ1wojTVMYt9rPKMBakTzP+0FoWqoNafWOlHovP6iUB
+2Igll2ZT3AvrBQ8jAbRbuUl46QpBaKsl+pBo86az0fRkMxv0N4dQv4Q7Z0g71u9N
+Tpaq1vtAZOwc0kl3uGNK18PnV8LBZQQYAQIADwIbDAUCVu+raQUJDQIVTQAKCRCf
+bxwtfgRfjVnYEACZ1E/FfLDi4vLUd9diImmNN/zWDHxTsO/VG3lt50rSoJM5NGB4
+RlwcbUKhah2fD44FFiIqGIvKD9hRgB51dVRIkaR3ozVtXRBKxJJqWj38wf2FDLtU
+XC5/JHYb0sjAc3ad2sA9xEmEBVO1lWK3J6h4gKZiAGlWz3oeOSve3vrTKsBlP0Cu
+rUeb4WTVpw4drBJD7cDh8SJ4/Cq76UFx8lW0xR+pHZHcd0/Ir5v5HnnEgbnut4Ix
+eY3/CGBfQfSQHylK7ifmPWq+dflC/ZdfHY1V96EHKPM44ZLwiczoY3qp5nkmEc3B
+Y6+P8Ch5gddOYaY18wpedarswnpOLQD2Xbsj66Eh0IZuuuZGyfOqJNaWbP33L27e
+g35XQNTgyhuZmDyRKL6yAbhU74TXCCvze/kkfqDn2ouCtM8/kqLX1v0+NkBxlhZU
+kTTVDyclZtwu6Vypus3+j2Zqk8sXeUZI64sjXpzwOcMZxdl3QuyxMktExWzk9Q5D
+YqO+pj/YGt1vp2M0YgSUWNWCvfBcjEPFgaljyqz3BdvR/LYohnXuQL9SWObF+sIF
+c9D0w/yORYQcKP5kSWVC/qwFdC61OGeSDnQ/0o0T5PefhYS82gsIrjQ+HIJ7CLUT
+k7kBNljvtfpoWegH02feR0kSRoCXA6x+YHT4fmB41pW8S1V5a5dEltA/JMLBfAQY
+AQIAJgIbDBYhBO36o/LKTm6wVoGvjp9vHC1+BF+NBQJZpTgKBQkRmNVuAAoJEJ9v
+HC1+BF+NyNQP/A3h+cOOkYUxyKpNHdtlIfCn8db5tHXSCbE19Qi7EK1SiK5atjo+
+VoRtB+L01kH6GCx5oZjeIhUdzYFwEUsdCDgwD6r0dKFwKIGa4TFcfnx+Z5B+HZgL
+Yc6ac5PEHF1qZVXZH9GSGeNw5h2yyqf4yhvetSN6L2id14m5XXJV5e7NfOgmaSnG
+0Z+wQvPSiu+Q00XpENT8HFSTSCjRATjk12rpy6TPeeC52NK1gLhGDRHN0k6m+vm4
+yoC+Nd6iPQpnc+5xs7NDnq2dFuSTp7UTGebzPhhdSQgujEFuYLwzQMZu1h5amtA+
+v9j7BYEJkOMC7bm1PNNA2QQ6QfH8Hf+mJeINyJO8A5KS3ceP+eo3SLR8T0hPzu9g
+ZuZ22Hn3DXQh1VNRshaLKgNvoXpL3dQ48d1SFFKhEDpy2HSXUq2fs5rH0uszFGes
+G7K6EQRAYRcDrCkt9fdfkvCSxAFw9d+472xThzgKcN+MkOec+SaY+xlVULjEfCWy
+RVC8Opam4mTm/XT4mVLxP/qnsy7kEhLoc/ouB+lY/ks06LpZJvCXL6WfA9You1Fi
+1Mg7GhSh9JKg6X6E8Trm+N4dxJGut1xbbGmmKXqfi4pej9KlkdeM9t1df/vWKlPa
+7Hzd8H0btgJx066wC4yt0ghxtsJXBsCDxWLfzaSRZ2/eP16mHqxDjsQQwsF8BBgB
+CAAmAhsMFiEE7fqj8spObrBWga+On28cLX4EX40FAl3uCX0FCRmkDeEACgkQn28c
+LX4EX43TQA/+JV8ReMRJCn3Cfqbe5ycFn8p6dIVnJiQuhiEyu5yzdpSkKyzcVFJO
+bQcqw7s50FJuLUbxdvbcuGIaoTu7dhBoUXO5tOuIQAsKTfGfgoOgelJm+/q2h645
+EnAVINGbMDXrmo4/UFJkNjUMA6SQi/yiam7N0y58eoDC4sGmBKuN2EW2MoWahlXw
+8SS1+Ab9qVBs/RqbSy6f1nJL39aPpPDmvyJOSYtHnNSFlYWVhr0zGAi5rnswlFGr
+ECGbHpr5FajUK7zcmtNPbi7F30K48xfF3XnDIeIBcerrEBQMaPUZcBlddGhmSVVJ
+ZU/YhR35JNgPnmp33gOuZaRiW9lauZFwsMQBIBkLpJWoUtu8QLkyC0HmJzVRep0/
+s1RkzaJ+1G1BzXTQiXaLaUQWG5h3pcMD8fxY5qp9KbG/+10bY0sRbRBXgS6mz7dd
+HaBtg/E8ty2nEB1HDXA9HAHu7KlH9e96sPZjz9C46ZiOXe6ZAOk6wBYts4RG4bCQ
+9pGORJ+P2Jr2pz1NZQbs1AhnjJixTsfZfsGZ5lHxGLjIyxtdGB/irLEqNTIMek2y
+p4CShmWoZwN0V3aGYMe/rC4tSXG79IeKNwF3Vd5MHtB+hcJG2qztBtKQuW29rbRA
+5bNxwTWe8skwOKsxXnP9RC974k0XkPS+VwgmVgNN1ewS/0oHvmEP71Q=
+=Oqje
+-----END PGP PUBLIC KEY BLOCK-----