Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild

Related: RHEL-6597

.fmf/version

@@ -0,0 +1 @@
+1

changelog

@@ -0,0 +1,313 @@
+* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.17-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Thu Jun 15 2023 Todd Zullinger <tmz@pobox.com> - 0.17-11
+- Remove execute bit on ssh_config.d snippet
+
+* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.17-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Fri Dec 16 2022 Florian Weimer <fweimer@redhat.com> - 0.17-9
+- Port configure script to C99
+
+* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.17-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.17-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 0.17-6
+- Rebuilt with OpenSSL 3.0.0
+
+* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.17-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 0.17-4
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.17-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Sat Dec 19 2020 Adam Williamson <awilliam@redhat.com> - 0.17-2
+- Rebuild for libldns soname bump
+
+* Tue Oct 13 2020 Petr Menšík <pemensik@redhat.com> - 0.17-1
+- Update to 0.17
+
+* Mon Oct 12 2020 Petr Menšík <pemensik@redhat.com> - 0.15-14
+- Add edns0 option to resolv.conf
+- Add VerifyHostKeyDNS to ssh config
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.15-13
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.15-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Mon Jan 06 2020 Jeff Law <law@redhat.com> - 0.15-11
+- Fix typo in last change
+
+* Thu Aug 22 2019 Lubomir Rintel <lkundrak@v3.sk> - 0.15-10
+- Move the NetworkManager dispatcher script out of /etc
+
+* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.15-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.15-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.15-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 0.15-6
+- Rebuilt for Python 3.7
+
+* Wed Mar 14 2018 Petr Menšík <pemensik@redhat.com> - 0.15-5
+- Accept NXDOMAIN for NSEC probe (#1555355)
+
+* Mon Feb 19 2018 Tomas Hozza <thozza@redhat.com> - 0.15-4
+- Added explicit BuildRequires on gcc as required by packaging guidelines
+- Added explicit Requires on e2fsprogs, so that /usr/bin/chattr is available
+- Remove redundant removal of immutable bit in %%preun scriptlet (#1542400)
+
+* Mon Feb 19 2018 Tomas Hozza <thozza@redhat.com> - 0.15-3
+- use NetworkManager-libnm instead of NetworkManager-glib
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.15-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Mon Dec 11 2017 Tomas Hozza <thozza@redhat.com> - 0.15-1
+- Update to stable 0.15 upstream release
+
+* Fri Aug 18 2017 Petr Menšík <pemensik@redhat.com> - 0.13-6
+- Skip always failing kr.com, update root IPs (#1482939)
+
+* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.13-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.13-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Wed Mar 08 2017 Tomas Hozza <thozza@redhat.com> - 0.13-3
+- Rebuild against new ldns
+
+* Wed Mar 01 2017 Tomas Hozza <thozza@redhat.com> - 0.13-2
+- Include fix for runtime issues with OpenSSL 1.1.0 (#1427561)
+
+* Fri Feb 17 2017 Tomas Hozza <thozza@redhat.com> - 0.13-1
+- Update to stable 0.13 upstream release
+- Dropped merged patches
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.13-0.6.20150714svn
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Mon Dec 19 2016 Miro Hrončok <mhroncok@redhat.com> - 0.13-0.5.20150714svn
+- Rebuild for Python 3.6
+
+* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.13-0.4.20150714svn
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Tue Nov 10 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org>
+- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5
+
+* Mon Jul 20 2015 Tomas Hozza <thozza@redhat.com> - 0.13-0.2.20150714svn
+- Provide Workstation specific configuration
+
+* Wed Jul 15 2015 Tomas Hozza <thozza@redhat.com> - 0.13-0.1.20150714svn
+- split dnssec-trigger panel into separate subpackage (#1236363)
+- SPEC file cleanup based on rpmlint and fedora-review issues
+- implement some suggestions (#1236363)
+- rebase to the latest svn trunk snapshot 0.13_20150714
+- Script is not searching local user directories any more (#1213062)
+- Script now doesn't restart NM if version is >= 1.0.3, but sends just signal
+- Script now specifies the NMClient version for GI (#1242430)
+- Script now sets negative-cache-ttl in unbound to 5 seconds (#1229596)
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.12-21
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Wed Apr 08 2015 Tomas Hozza <thozza@redhat.com> - 0.12-20
+- Fix issue when installing private address range zone without global forwarders (#1205864)
+- Fix configuration of private address range zones (#1128310#c20)
+
+* Fri Mar 13 2015 Tomas Hozza <thozza@redhat.com> - 0.12-19
+- Fix typo in the dnssec-trigger-script (#1187371)
+- Use Python3 by default
+
+* Mon Jan 26 2015 Pavel Šimerda <psimerda@redhat.com> - 0.12-18
+- Resolves: #1185796, #1130502, #1105685, #1128310 – update
+
+* Tue Jan 20 2015 Pavel Šimerda <psimerda@redhat.com> - 0.12-17
+- Resolves: #1183975 - systemd cgroup check fails
+
+* Tue Jan 20 2015 Pavel Šimerda <psimerda@redhat.com> - 0.12-16
+- Resolves: #1165126, #1125267, #1089766, #1112248, #824219 - update
+
+* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.12-15
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Thu Aug 14 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-14
+- Resolves: #1125261 - dnssec-trigger-script: use fcntl.flock instead of
+  lockfile
+
+* Mon Aug 11 2014 Tomas Hozza <thozza@redhat.com> - 0.12-13
+- One Fedora fallback server changed IP address (#1125440)
+
+* Mon Jun 30 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-12
+- Resolves: #1112248 - require a version of NetworkManager with #1113122 fixed
+
+* Tue Jun 24 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-11
+- Resolves: #1112248 - serialize the script instances
+
+* Tue Jun 24 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-10
+- Resolves: #1112248 - fix a typo
+
+* Tue Jun 24 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-9
+- Resolves: #1112248 - fix systemd race condition
+
+* Mon Jun 23 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-8
+- Resolves: #1112248 - don't block on systemctl restart NetworkManager
+
+* Mon Jun 23 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-7
+- Resolves: #1112248, #1111143 - update dnssec-trigger-script and dnssec-triggerd.service
+
+* Fri Jun 20 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-6
+- Resolves: #1111143 - fix for python2
+
+* Fri Jun 20 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-5
+- Related: #842455 - remove a patch that is now redundant
+
+* Fri Jun 20 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-4
+- update dnssec-trigger-script to current development submitted upstream
+
+* Wed Jun 18 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-3
+- Resolves: #1105896 - the new script doesn't call dnssec-trigger-control submit
+
+* Fri Jun 06 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-2
+- fix various dnssec-trigger-script issues
+
+* Fri May 23 2014 Tomas Hozza <thozza@redhat.com> - 0.12-1
+- Update to 0.12 version
+- Drop merged patches
+- Drop downstream files (systemd, dispatcher scripts)
+
+* Tue May 13 2014 Paul Wouters <pwouters@redhat.com> - 0.11-21
+- Enable full hardening (includig PIE)
+- Resolves: rhbz#1045689 dnssec-trigger creates long-time RSA key with inappropriate size
+
+* Wed Feb 19 2014 Tomas Hozza <thozza@redhat.com> - 0.11-20
+- Restart NM on dnssec-trigger shutdown (let NM handle the resolv.conf content)
+- HN-hook: Handle situation when connection does not have a device
+
+* Wed Jan 29 2014 Tomas Hozza <thozza@redhat.com> - 0.11-19
+- Use new Python dispatcher script and ship /etc/dnssec.conf
+
+* Tue Jan 28 2014 Tomas Hozza <thozza@redhat.com> - 0.11-18
+- Use systemd macros instead of directly calling systemctl
+- simplify the systemd unit file for generating keys
+
+* Thu Nov 21 2013 Tomas Hozza <thozza@redhat.com> - 0.11-17
+- Add script to backup and restore resolv.conf on dnssec-trigger start/stop
+
+* Mon Nov 18 2013 Tomas Hozza <thozza@redhat.com> - 0.11-16
+- Improve GUI dialogs texts
+
+* Tue Nov 12 2013 Tomas Hozza <thozza@redhat.com> - 0.11-15
+- Fix NM dispatcher script to work with NM >= 0.9.9.0 (#1029571)
+
+* Mon Aug 26 2013 Tomas Hozza <thozza@redhat.com> - 0.11-14
+- Fix errors found by static analysis of source
+
+* Fri Aug 09 2013 Tomas Hozza <thozza@redhat.com> - 0.11-13
+- Use improved NM dispatcher script from upstream
+- Added tmpfiles.d config due to improved NM dispatcher script
+
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.11-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Mon Mar 04 2013 Adam Tkac <atkac redhat com> - 0.11-11
+- link dnssec-trigger.conf.8 to dnssec-trigger.8
+- build dnssec-triggerd with full RELRO
+
+* Mon Mar 04 2013 Adam Tkac <atkac redhat com> - 0.11-10
+- remove deprecated "Application" keyword from desktop file
+
+* Mon Mar 04 2013 Adam Tkac <atkac redhat com> - 0.11-9
+- install various dnssec-trigger-* symlinks to dnssec-trigger.8 manpage
+
+* Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.11-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Tue Jan 08 2013 Paul Wouters <pwouters@redhat.com> - 0.11-7
+- Use full path for systemd (rhbz#842455)
+
+* Tue Jul 24 2012 Paul Wouters <pwouters@redhat.com> - 0.11-6
+- Patched daemon to remove immutable attr (rhbz#842455) as the
+  systemd ExecStopPost= target does not seem to work
+
+* Tue Jul 24 2012 Paul Wouters <pwouters@redhat.com> - 0.11-5
+- On service stop, remove immutable attr from resolv.conf (rhbz#842455)
+
+* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.11-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Thu Jun 28 2012 Paul Wouters <pwouters@redhat.com> - 0.11-3
+- Fix DHCP hook for f17+ version of nmcli (rhbz#835298)
+
+* Sun Jun 17 2012 Paul Wouters <pwouters@redhat.com> - 0.11-2
+- Small textual changes to some popup windows
+
+* Fri Jun 15 2012 Paul Wouters <pwouters@redhat.com> - 0.11-1
+- Updated to 0.11
+- http Hotspot detection via fedoraproject.org/static/hotspot.html
+- http Hotspot Login page via uses hotspot-nocache.fedoraproject.org
+
+* Thu Feb 23 2012 Paul Wouters <pwouters@redhat.com> - 0.10-4
+- Require: unbound
+
+* Wed Feb 22 2012 Paul Wouters <pwouters@redhat.com> - 0.10-3
+- Fix the systemd startup to require unbound
+- dnssec-triggerd no longer forks, giving systemd more control
+- Fire NM dispatcher in ExecStartPost of dnssec-triggerd.service
+- Fix tcp80 entries in dnssec-triggerd.conf
+- symlink dnssec-trigger-panel to dnssec-trigger to supress the
+  "-panel" in the applet name shown in gnome3
+
+
+* Wed Feb 22 2012 Paul Wouters <pwouters@redhat.com> - 0.10-2
+- The NM hook was not modified at the right time during build
+
+* Wed Feb 22 2012 Paul Wouters <pwouters@redhat.com> - 0.10-1
+- Updated to 0.10
+- The NM hook lacks /usr/sbin in path, resulting in empty resolv.conf on hotspot
+
+* Wed Feb 08 2012 Paul Wouters <pwouters@redhat.com> - 0.9-4
+- Updated tls443 / tls80 resolver instances supplied by Fedora Hosted
+
+* Mon Feb 06 2012 Paul Wouters <pwouters@redhat.com> - 0.9-3
+- Convert from SysV to systemd for initial Fedora release
+- Moved configs and pem files to /etc/dnssec-trigger/
+- No more /var/run/dnssec-triggerd/
+- Fix Build-requires
+- Added commented tls443 port80 entries of pwouters resolvers
+- On uninstall ensure there is no immutable bit on /etc/resolv.conf
+
+* Sat Jan 07 2012 Paul Wouters <paul@xelerance.com> - 0.9-2
+- Added LICENCE to doc section
+
+* Mon Dec 19 2011 Paul Wouters <paul@xelerance.com> - 0.9-1
+- Upgraded to 0.9
+
+* Fri Oct 28 2011 Paul Wouters <paul@xelerance.com> - 0.7-1
+- Upgraded to 0.7
+
+* Fri Sep 23 2011 Paul Wouters <paul@xelerance.com> - 0.4-1
+- Upgraded to 0.4
+
+* Sat Sep 17 2011 Paul Wouters <paul@xelerance.com> - 0.3-5
+- Start 01-dnssec-trigger-hook in daemon start
+- Ensure dnssec-triggerd starts after NetworkManager
+
+* Fri Sep 16 2011 Paul Wouters <paul@xelerance.com> - 0.3-4
+- Initial package

dnssec-trigger-0.17-allowed-characters.patch

@@ -0,0 +1,30 @@
+From f410871470773c0767f97f86c1bd05074db63081 Mon Sep 17 00:00:00 2001
+From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
+Date: Mon, 3 Feb 2020 10:37:26 +0100
+Subject: [PATCH] - Fix for #3: Allow @ character to make scripts work, which
+ may fix resolv.conf lost in some situation bug.
+
+Changelog:
+3 February 2020: Wouter
+	- Fix for #3: Allow @ character to make scripts work, which may
+	  fix resolv.conf lost in some situation bug.
+---
+ riggerd/ubhook.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/riggerd/ubhook.c b/riggerd/ubhook.c
+index 382eee3..f1ce73c 100644
+--- a/riggerd/ubhook.c
++++ b/riggerd/ubhook.c
+@@ -80,7 +80,7 @@ allowed_arg(const char* arg)
+ 		}
+ 		if( isalnum((unsigned char)*s) || *s == ' ' || *s == ':' ||
+ 			*s == '.' || *s == '_' || *s == '-' || *s == '+' ||
+-			*s == '\t') {
++			*s == '\t' || *s == '@') {
+ 			continue;
+ 		} else 	{
+ 			log_err("command line string argument '%s' fails check on allowed characters", arg);
+-- 
+2.41.0
+

dnssec-trigger-0.17-openssl-3.2.patch

@@ -0,0 +1,34 @@
+From 7c3ff5b59952bc6bf11f988c9dbd961ae3c626ea Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Tue, 10 Sep 2024 16:22:07 +0200
+Subject: [PATCH] Mark explicitly server cert with CA flag
+
+Since OpenSSL 3.2 it did not connect from control to server cert. Create
+server with indication is it CA.
+
+Also use clientAuth trust for CA cert. That allows control cert to be
+used for client authentication.
+---
+ dnssec-trigger-control-setup.sh.in | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/dnssec-trigger-control-setup.sh.in b/dnssec-trigger-control-setup.sh.in
+index 7cc305a..eede665 100644
+--- a/dnssec-trigger-control-setup.sh.in
++++ b/dnssec-trigger-control-setup.sh.in
+@@ -200,9 +200,9 @@ EOF
+ test -f request.cfg || error "could not create request.cfg"
+ 
+ echo "create $SVR_BASE.pem (self signed certificate)"
+-openssl req -key $SVR_BASE.key -config request.cfg  -new -x509 -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
+-# create trusted usage pem
+-openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem"
++openssl req -key $SVR_BASE.key -config request.cfg  -new -x509 -days $DAYS -addext "basicConstraints=critical,CA:TRUE,pathlen:0" -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
++# create trusted usage pem for CA, what are signed certs allowed to do?
++openssl x509 -in "$SVR_BASE.pem" -addtrust clientAuth -out "${SVR_BASE}_trust.pem"
+ 
+ # create client request and sign it, piped
+ cat >request.cfg <<EOF
+-- 
+2.46.0
+

dnssec-trigger-0.17-server-recipe.patch

@@ -0,0 +1,59 @@
+From f6b4cd17294d8faa8fd4d70110ac9da9916e7d61 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Wed, 20 Nov 2024 16:58:48 +0100
+Subject: [PATCH] Add recipe for adding own server
+
+Until someone adds nice support for using just CA bundle and server
+name, allow specification by fingerprint obtained manually. Do not rely
+only on server provided by upstream.
+---
+ dnssec.conf     | 4 ++--
+ example.conf.in | 6 +++++-
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/dnssec.conf b/dnssec.conf
+index bf896d3..4726ca1 100644
+--- a/dnssec.conf
++++ b/dnssec.conf
+@@ -38,7 +38,7 @@
+ #
+ #  - See also security notes on the `add_wifi_provided_zones` option.
+ #
+-# validate_connection_provided_zones=yes
++# validate_connection_provided_zones=no
+ #
+ #  - Connection provided zones will be configured in Unbound as secure forward
+ #    zones, validated using DNSSEC.
+@@ -63,7 +63,7 @@
+ #    Turning this option off has security implications, See the security
+ #    notice above.
+ #
+-validate_connection_provided_zones=yes
++validate_connection_provided_zones=no
+ 
+ # add_wifi_provided_zones:
+ # ------------------------
+diff --git a/example.conf.in b/example.conf.in
+index dafd35d..f7e8a54 100644
+--- a/example.conf.in
++++ b/example.conf.in
+@@ -79,6 +79,11 @@ tcp80: 2a04:b900::10:0:0:67
+ ssl443: 185.49.140.67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF
+ ssl443: 2a04:b900::10:0:0:67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF
+ 
++# How to add your own record:
++# openssl s_client -connect example.com:443 -showcerts </dev/null > /tmp/dns.crt
++# openssl x509 -noout -in /tmp/dns.crt -fingerprint -sha256
++# Append returned sha256 Fingerprint after ssl443: IP-address section.
++
+ # Use VPN servers for all traffic
+ # use-vpn-forwarders: no
+ 
+@@ -87,4 +92,3 @@ ssl443: 2a04:b900::10:0:0:67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:
+ 
+ # Add domains provided by VPN connections into Unbound forward zones
+ # add-wifi-provided-zones: no
+-
+-- 
+2.47.0
+

dnssec-trigger-config-default.patch

@@ -0,0 +1,53 @@
+From 27bb1f49fe69055e2a5f02e5fe54e71e79d98fdc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Tue, 25 Jul 2023 15:39:15 +0200
+Subject: [PATCH] Make fedora default config changes
+
+Customize upstream example configuration for Fedora.
+---
+ example.conf | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/example.conf b/example.conf
+index 6031c0d..6251c98 100644
+--- a/example.conf
++++ b/example.conf
+@@ -1,5 +1,4 @@
+-# config for dnssec-trigger 0.17.
+-# this is a comment. there must be one statement per line.
++# Fedora/EPEL version of dnssec-trigger.conf
+ 
+ # logging detail, 0=only errors, 1=operations, 2=detail, 3,4 debug detail.
+ # verbosity: 1
+@@ -43,8 +42,8 @@
+ # port number to use for probe daemon.
+ # port: 8955
+ 
+-# these keys and certificates can be generated with the script
+-# dnssec-trigger-control-setup
++# keys and certificates generated by the dnssec-trigger-keygen systemd service
++# (which called dnssec-trigger-control-setup)
+ # server-key-file: "/etc/dnssec-trigger/dnssec_trigger_server.key"
+ # server-cert-file: "/etc/dnssec-trigger/dnssec_trigger_server.pem"
+ # control-key-file: "/etc/dnssec-trigger/dnssec_trigger_control.key"
+@@ -60,7 +59,7 @@
+ 
+ # provided by NLnetLabs
+ # It is provided on a best effort basis, with no service guarantee.
+-url: "http://ster.nlnetlabs.nl/hotspot.txt OK"
++# url: "http://ster.nlnetlabs.nl/hotspot.txt OK"
+ 
+ # provided by FedoraProject
+ url: "http://fedoraproject.org/static/hotspot.txt OK"
+@@ -72,7 +71,7 @@ url: "http://fedoraproject.org/static/hotspot.txt OK"
+ # hash is output of openssl x509 -sha256 -fingerprint -in server.pem
+ # You can add more with extra config lines.
+ 
+-# provided by NLnetLabs
++# provided by NLnetLabs (www.nlnetlabs.nl)
+ # It is provided on a best effort basis, with no service guarantee.
+ tcp80: 185.49.140.67
+ tcp80: 2a04:b900::10:0:0:67
+-- 
+2.41.0
+

dnssec-trigger-config-workstation.patch

@@ -0,0 +1,34 @@
+From d4b08251d816038950b522fc1b003c8d4f1bcc6d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Tue, 25 Jul 2023 15:42:50 +0200
+Subject: [PATCH] Customize workstation only
+
+---
+ dnssec-trigger-workstation.conf | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/dnssec-trigger-workstation.conf b/dnssec-trigger-workstation.conf
+index 6251c98..bb2b5db 100644
+--- a/dnssec-trigger-workstation.conf
++++ b/dnssec-trigger-workstation.conf
+@@ -32,6 +32,7 @@
+ # the command to run to open login pages on hot spots, a web browser.
+ # empty string runs no command.
+ # login-command: "/usr/bin/xdg-open"
++login-command: ""
+ 
+ # the url to open to get hot spot login, it gets overridden by the hotspot.
+ # login-location: "http://hotspot-nocache.fedoraproject.org/"
+@@ -62,7 +63,8 @@
+ # url: "http://ster.nlnetlabs.nl/hotspot.txt OK"
+ 
+ # provided by FedoraProject
+-url: "http://fedoraproject.org/static/hotspot.txt OK"
++# on Workstation, the detection is turned off
++# url: "http://fedoraproject.org/static/hotspot.txt OK"
+ 
+ # fallback open DNSSEC resolvers that run on TCP port 80 and TCP port 443.
+ # These relay incoming DNS traffic on the other port numbers to the usual DNS
+-- 
+2.41.0
+

dnssec-trigger-configure-c99.patch

@@ -0,0 +1,30 @@
+Do not rely on an implicit function declaration for detecting
+the daemon function.  Future compilers may not accept such
+declarations by default, causing the detection result to change.
+
+Submitted upstream: <https://github.com/NLnetLabs/dnssec-trigger/pull/11>
+
+diff --git a/configure b/configure
+index 079ea641e2940515..22c9487fb0d311f8 100755
+--- a/configure
++++ b/configure
+@@ -6757,6 +6757,7 @@ else
+ 
+ echo '
+ #include <stdlib.h>
++#include <unistd.h>
+ ' >conftest.c
+ echo 'void f(){ (void)daemon(0, 0); }' >>conftest.c
+ if test -z "`$CC -c conftest.c 2>&1 | grep deprecated`"; then
+diff --git a/configure.ac b/configure.ac
+index c809367d307f108e..e8095fe7288ba68a 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -225,6 +225,7 @@ AC_CHECK_FUNCS([daemon])
+ if test $ac_cv_func_daemon = yes; then
+         ACX_FUNC_DEPRECATED([daemon], [(void)daemon(0, 0);], [
+ #include <stdlib.h>
++#include <unistd.h>
+ ])
+ fi
+ 

dnssec-trigger-default.conf

@@ -1,99 +0,0 @@
-# Fedora/EPEL version of dnssec-trigger.conf
-
-# logging detail, 0=only errors, 1=operations, 2=detail, 3,4 debug detail.
-# verbosity: 1
-
-# pidfile location
-pidfile: "/var/run/dnssec-triggerd.pid"
-
-# log to a file instead of syslog, default is to syslog
-# logfile: "/var/log/dnssec-trigger.log"
-
-# log to syslog, or (log to to stderr or a logfile if specified). yes or no.
-# use-syslog: yes
-
-# chroot to this directory
-# chroot: ""
-
-# the unbound-control binary if not found in PATH.
-# commandline options can be appended "unbound-control -c my.conf" if you wish.
-# unbound-control: "/usr/sbin/unbound-control"
-
-# where is resolv.conf to edit.
-# resolvconf: "/etc/resolv.conf"
-
-# the domain example.com line (if any) to add to resolv.conf(5). default none.
-# domain: ""
-
-# domain name search path to add to resolv.conf(5). default none.
-# the search path from DHCP is not picked up, it could be used to misdirect.
-# search: ""
-
-# the command to run to open login pages on hot spots, a web browser.
-# empty string runs no command.
-# login-command: "xdg-open"
-
-# the url to open to get hot spot login, it gets overridden by the hotspot.
-# login-location: "http://www.nlnetlabs.nl/projects/dnssec-trigger"
-# should to be a ttl=0 entry
-login-location: "http://hotspot-nocache.fedoraproject.org/"
-
-# do not perform actions (unbound-control or resolv.conf), for a dry-run.
-# noaction: no
-
-# port number to use for probe daemon.
-# port: 8955
-
-# keys and certificates generated by the dnssec-trigger-keygen systemd service
-# (which called dnssec-trigger-control-setup)
-server-key-file: "/etc/dnssec-trigger/dnssec_trigger_server.key"
-server-cert-file: "/etc/dnssec-trigger/dnssec_trigger_server.pem"
-control-key-file: "/etc/dnssec-trigger/dnssec_trigger_control.key"
-control-cert-file: "/etc/dnssec-trigger/dnssec_trigger_control.pem"
-
-# check for updates, download and ask to install them (for Windows, OSX).
-# check-updates: no
-
-# webservers that are probed to see if internet access is possible.
-# They serve a simple static page over HTTP port 80.  It probes a random url:
-# after a space is the content expected on the page, (the page can contain
-# whitespace before and after this code).  Without urls it skips http probes.
-
-# provided by NLnetLabs
-# It is provided on a best effort basis, with no service guarantee.
-# url: "http://ster.nlnetlabs.nl/hotspot.txt OK"
-
-# provided by FedoraProject
-url: "http://fedoraproject.org/static/hotspot.txt OK"
-
-# fallback open DNSSEC resolvers that run on TCP port 80 and TCP port 443.
-# the ssl443 adds an ssl server IP, if you specify a hash it is checked, put
-# the following on one line: ssl443:<space><IP><space><HASHoutput>
-# hash is output of openssl x509 -sha256 -fingerprint -in server.pem
-# You can add more with extra config lines.
-
-# Provided by fedoraproject.org, #fedora-admin
-# It is provided on a best effort basis, with no service guarantee.
-ssl443: 140.211.169.201 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
-tcp80:  140.211.169.201
-ssl443: 8.43.85.74 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
-tcp80:  8.43.85.74
-ssl443: 152.19.134.150 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
-tcp80:  152.19.134.150 
-ssl443: 2610:28:3090:3001:dead:beef:cafe:fed9 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
-tcp80:  2610:28:3090:3001:dead:beef:cafe:fed9 
-
-# provided by Paul Wouters (pwouters@redhat.com)
-# It is provided on a best effort basis, with no service guarantee.
-# tcp80:  193.110.157.123
-# tcp80:  2001:888:2003:1004::123
-# ssl443: 193.110.157.123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7
-# ssl443: 2001:888:2003:1004::123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7
-
-# provided by NLnetLabs (www.nlnetlabs.nl)
-# It is provided on a best effort basis, with no service guarantee.
-# tcp80: 213.154.224.3
-# tcp80: 2001:7b8:206:1:bb::
-# ssl443: 213.154.224.3 DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F
-# ssl443: 2001:7b8:206:1:bb:: DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F
-

dnssec-trigger-workstation.conf

@@ -1,101 +0,0 @@
-# Fedora/EPEL version of dnssec-trigger.conf
-
-# logging detail, 0=only errors, 1=operations, 2=detail, 3,4 debug detail.
-# verbosity: 1
-
-# pidfile location
-pidfile: "/var/run/dnssec-triggerd.pid"
-
-# log to a file instead of syslog, default is to syslog
-# logfile: "/var/log/dnssec-trigger.log"
-
-# log to syslog, or (log to to stderr or a logfile if specified). yes or no.
-# use-syslog: yes
-
-# chroot to this directory
-# chroot: ""
-
-# the unbound-control binary if not found in PATH.
-# commandline options can be appended "unbound-control -c my.conf" if you wish.
-# unbound-control: "/usr/sbin/unbound-control"
-
-# where is resolv.conf to edit.
-# resolvconf: "/etc/resolv.conf"
-
-# the domain example.com line (if any) to add to resolv.conf(5). default none.
-# domain: ""
-
-# domain name search path to add to resolv.conf(5). default none.
-# the search path from DHCP is not picked up, it could be used to misdirect.
-# search: ""
-
-# the command to run to open login pages on hot spots, a web browser.
-# empty string runs no command.
-# login-command: "xdg-open"
-login-command: ""
-
-# the url to open to get hot spot login, it gets overridden by the hotspot.
-# login-location: "http://www.nlnetlabs.nl/projects/dnssec-trigger"
-# should to be a ttl=0 entry
-# login-location: "http://hotspot-nocache.fedoraproject.org/"
-
-# do not perform actions (unbound-control or resolv.conf), for a dry-run.
-# noaction: no
-
-# port number to use for probe daemon.
-# port: 8955
-
-# keys and certificates generated by the dnssec-trigger-keygen systemd service
-# (which called dnssec-trigger-control-setup)
-server-key-file: "/etc/dnssec-trigger/dnssec_trigger_server.key"
-server-cert-file: "/etc/dnssec-trigger/dnssec_trigger_server.pem"
-control-key-file: "/etc/dnssec-trigger/dnssec_trigger_control.key"
-control-cert-file: "/etc/dnssec-trigger/dnssec_trigger_control.pem"
-
-# check for updates, download and ask to install them (for Windows, OSX).
-# check-updates: no
-
-# webservers that are probed to see if internet access is possible.
-# They serve a simple static page over HTTP port 80.  It probes a random url:
-# after a space is the content expected on the page, (the page can contain
-# whitespace before and after this code).  Without urls it skips http probes.
-
-# provided by NLnetLabs
-# It is provided on a best effort basis, with no service guarantee.
-# url: "http://ster.nlnetlabs.nl/hotspot.txt OK"
-
-# provided by FedoraProject
-# on Workstation, the detection is turned off
-# url: "http://fedoraproject.org/static/hotspot.txt OK"
-
-# fallback open DNSSEC resolvers that run on TCP port 80 and TCP port 443.
-# the ssl443 adds an ssl server IP, if you specify a hash it is checked, put
-# the following on one line: ssl443:<space><IP><space><HASHoutput>
-# hash is output of openssl x509 -sha256 -fingerprint -in server.pem
-# You can add more with extra config lines.
-
-# Provided by fedoraproject.org, #fedora-admin
-# It is provided on a best effort basis, with no service guarantee.
-ssl443: 140.211.169.201 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
-tcp80:  140.211.169.201
-ssl443: 8.43.85.74 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
-tcp80:  8.43.85.74
-ssl443: 152.19.134.150 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
-tcp80:  152.19.134.150 
-ssl443: 2610:28:3090:3001:dead:beef:cafe:fed9 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
-tcp80:  2610:28:3090:3001:dead:beef:cafe:fed9 
-
-# provided by Paul Wouters (pwouters@redhat.com)
-# It is provided on a best effort basis, with no service guarantee.
-# tcp80:  193.110.157.123
-# tcp80:  2001:888:2003:1004::123
-# ssl443: 193.110.157.123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7
-# ssl443: 2001:888:2003:1004::123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7
-
-# provided by NLnetLabs (www.nlnetlabs.nl)
-# It is provided on a best effort basis, with no service guarantee.
-# tcp80: 213.154.224.3
-# tcp80: 2001:7b8:206:1:bb::
-# ssl443: 213.154.224.3 DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F
-# ssl443: 2001:7b8:206:1:bb:: DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F
-

dnssec-trigger.spec

@@ -5,8 +5,8 @@
 Summary: Tool for dynamic reconfiguration of validating resolver Unbound
 Name: dnssec-trigger
 Version: 0.17
-Release: 1%{?snapshot:.%{snapshot}git}%{?dist}
-License: BSD
+Release: %autorelease
+License: BSD-3-clause AND MIT AND ISC
 Url: https://www.nlnetlabs.nl/projects/dnssec-trigger/
 
 %if 0%{?snapshot:1}
@@ -18,14 +18,24 @@ Source1: https://www.nlnetlabs.nl/downloads/dnssec-trigger/%{name}-%{version}.ta
 Source2: https://keys.openpgp.org/vks/v1/by-fingerprint/EDFAA3F2CA4E6EB05681AF8E9F6F1C2D7E045F8D#/wouter.asc
 %endif
 Source3: dnssec-trigger.tmpfiles.d
-Source4: dnssec-trigger-default.conf
-Source5: dnssec-trigger-workstation.conf
+#Source4: dnssec-trigger-default.conf
+#Source5: dnssec-trigger-workstation.conf
 Source6: ssh_config.conf
 
 # Patches
+# Downstream changes to configuration
+Patch1: dnssec-trigger-config-workstation.patch
+# Downstream changes to configuration
+Patch2: dnssec-trigger-config-default.patch
 Patch3: 0003-Move-the-NetworkManager-dispatcher-script-out-of-etc.patch
 # https://github.com/NLnetLabs/dnssec-trigger/pull/7
 Patch4: 0004-Add-options-edns0-and-trust-ad.patch
+Patch5: dnssec-trigger-configure-c99.patch
+# https://github.com/NLnetLabs/dnssec-trigger/commit/f187c2be221a26f3c4ef4d9b16f1df67104ae634
+Patch6: dnssec-trigger-0.17-allowed-characters.patch
+Patch7: dnssec-trigger-0.17-openssl-3.2.patch
+# https://github.com/NLnetLabs/dnssec-trigger/pull/15
+Patch8: dnssec-trigger-0.17-server-recipe.patch
 
 # to obsolete the version in which the panel was in main package
 Obsoletes: %{name} < 0.12-22
@@ -53,10 +63,8 @@ BuildRequires: NetworkManager-libnm-devel
 BuildRequires: gnupg2
 %endif
 
-BuildRequires: systemd
-Requires(post): systemd
-Requires(preun): systemd
-Requires(postun): systemd
+BuildRequires: systemd-rpm-macros
+%{?systemd_ordering}
 
 # Provides Workstation specific configuration
 # - No captive portal detection and no action available on Captive portal (No UI)
@@ -76,6 +84,7 @@ Requires: %{name} = %{version}-%{release}
 Obsoletes: %{name} < 0.12-22
 Requires: xdg-utils
 BuildRequires: gtk2-devel, desktop-file-utils
+BuildRequires: make
 
 %description panel
 This package provides the GTK panel for interaction between the user
@@ -88,7 +97,8 @@ some user input is needed, the panel creates a dialog window.
 %if 0%{?fedora} && ! 0%{?snapshot:1}
 %gpgverify -d 0 -s 1 -k 2
 %endif
-%autosetup %{?snapshot:-n %{name}-%{version}_%{snapshot}} -p1
+%autosetup %{?snapshot:-n %{name}-%{version}_%{snapshot}} -N
+%autopatch -m 3 -p1
 
 # don't use DNSSEC for forward zones for now
 sed -i "s/validate_connection_provided_zones=yes/validate_connection_provided_zones=no/" dnssec.conf
@@ -102,20 +112,27 @@ sed -i "s/validate_connection_provided_zones=yes/validate_connection_provided_zo
     --with-networkmanager-dispatch=%{_sysconfdir}/NetworkManager/dispatcher.d \
 %endif
     --with-python=%{__python3} \
-    --with-pidfile=%{_rundir}/%{name}d.pid
+    --with-pidfile=%{_rundir}/%{name}d.pid \
+    --with-login-command=%{_bindir}/xdg-open \
+    --with-login-location="http://hotspot-nocache.fedoraproject.org/"
 
-%{__make} %{?_smp_mflags}
+# hotspot-nocache should have TTL=0
+
+%make_build
+
+%autopatch -p1 2
+cp -p example.conf dnssec-trigger-workstation.conf
+%autopatch -p1 1
 
 
 %install
-rm -rf %{buildroot}
-%{__make} DESTDIR=%{buildroot} install
+# https://github.com/NLnetLabs/dnssec-trigger/pull/13
+install -d -m 0755 %{buildroot}%{_libexecdir}
+%make_install
 
 install -d 0755 %{buildroot}%{_unitdir}
-install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/%{name}/
-install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/%{name}/
-
-mkdir -p %{buildroot}%{_libexecdir}
+install -p -m 0644 example.conf %{buildroot}%{_sysconfdir}/%{name}/dnssec-trigger-default.conf
+install -p -m 0644 dnssec-trigger-workstation.conf %{buildroot}%{_sysconfdir}/%{name}/
 
 desktop-file-install --dir=%{buildroot}%{_datadir}/applications dnssec-trigger-panel.desktop
 
@@ -132,9 +149,9 @@ ln -s dnssec-trigger-panel %{buildroot}%{_bindir}/dnssec-trigger
 # Make dnssec-trigger.8 manpage available under names of all dnssec-trigger-*
 # executables
 for all in dnssec-trigger-control dnssec-trigger-control-setup dnssec-triggerd; do
-    ln -s %{_mandir}/man8/dnssec-trigger.8 %{buildroot}/%{_mandir}/man8/"$all".8
+    ln -s dnssec-trigger.8 %{buildroot}/%{_mandir}/man8/"$all".8
 done
-ln -s %{_mandir}/man8/dnssec-trigger.8 %{buildroot}/%{_mandir}/man8/dnssec-trigger.conf.8
+ln -s dnssec-trigger.8 %{buildroot}/%{_mandir}/man8/dnssec-trigger.conf.8
 
 install -d -m 0755 %{buildroot}%{_sysconfdir}/ssh/ssh_config.d
 install -m 0644 %{SOURCE6} %{buildroot}%{_sysconfdir}/ssh/ssh_config.d/10-%{name}.conf
@@ -186,7 +203,7 @@ fi
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-trigger-default.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-trigger-workstation.conf
 %attr(0755,root,root) %dir %{_sysconfdir}/ssh/ssh_config.d
-%attr(0755,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/10-%{name}.conf
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/10-%{name}.conf
 %dir %{_localstatedir}/run/%{name}
 %{_tmpfilesdir}/%{name}.conf
 %{_mandir}/man8/dnssec-trigger*
@@ -200,282 +217,4 @@ fi
 
 
 %changelog
-* Tue Oct 13 2020 Petr Menšík <pemensik@redhat.com> - 0.17-1
-- Update to 0.17
-
-* Mon Oct 12 2020 Petr Menšík <pemensik@redhat.com> - 0.15-14
-- Add edns0 option to resolv.conf
-- Add VerifyHostKeyDNS to ssh config
-
-* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.15-13
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.15-12
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Mon Jan 06 2020 Jeff Law <law@redhat.com> - 0.15-11
-- Fix typo in last change
-
-* Thu Aug 22 2019 Lubomir Rintel <lkundrak@v3.sk> - 0.15-10
-- Move the NetworkManager dispatcher script out of /etc
-
-* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.15-9
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.15-8
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.15-7
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-
-* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 0.15-6
-- Rebuilt for Python 3.7
-
-* Wed Mar 14 2018 Petr Menšík <pemensik@redhat.com> - 0.15-5
-- Accept NXDOMAIN for NSEC probe (#1555355)
-
-* Mon Feb 19 2018 Tomas Hozza <thozza@redhat.com> - 0.15-4
-- Added explicit BuildRequires on gcc as required by packaging guidelines
-- Added explicit Requires on e2fsprogs, so that /usr/bin/chattr is available
-- Remove redundant removal of immutable bit in %%preun scriptlet (#1542400)
-
-* Mon Feb 19 2018 Tomas Hozza <thozza@redhat.com> - 0.15-3
-- use NetworkManager-libnm instead of NetworkManager-glib
-
-* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.15-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
-
-* Mon Dec 11 2017 Tomas Hozza <thozza@redhat.com> - 0.15-1
-- Update to stable 0.15 upstream release
-
-* Fri Aug 18 2017 Petr Menšík <pemensik@redhat.com> - 0.13-6
-- Skip always failing kr.com, update root IPs (#1482939)
-
-* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.13-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
-
-* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.13-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
-
-* Wed Mar 08 2017 Tomas Hozza <thozza@redhat.com> - 0.13-3
-- Rebuild against new ldns
-
-* Wed Mar 01 2017 Tomas Hozza <thozza@redhat.com> - 0.13-2
-- Include fix for runtime issues with OpenSSL 1.1.0 (#1427561)
-
-* Fri Feb 17 2017 Tomas Hozza <thozza@redhat.com> - 0.13-1
-- Update to stable 0.13 upstream release
-- Dropped merged patches
-
-* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.13-0.6.20150714svn
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
-
-* Mon Dec 19 2016 Miro Hrončok <mhroncok@redhat.com> - 0.13-0.5.20150714svn
-- Rebuild for Python 3.6
-
-* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.13-0.4.20150714svn
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
-
-* Tue Nov 10 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org>
-- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5
-
-* Mon Jul 20 2015 Tomas Hozza <thozza@redhat.com> - 0.13-0.2.20150714svn
-- Provide Workstation specific configuration
-
-* Wed Jul 15 2015 Tomas Hozza <thozza@redhat.com> - 0.13-0.1.20150714svn
-- split dnssec-trigger panel into separate subpackage (#1236363)
-- SPEC file cleanup based on rpmlint and fedora-review issues
-- implement some suggestions (#1236363)
-- rebase to the latest svn trunk snapshot 0.13_20150714
-- Script is not searching local user directories any more (#1213062)
-- Script now doesn't restart NM if version is >= 1.0.3, but sends just signal
-- Script now specifies the NMClient version for GI (#1242430)
-- Script now sets negative-cache-ttl in unbound to 5 seconds (#1229596)
-
-* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.12-21
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
-
-* Wed Apr 08 2015 Tomas Hozza <thozza@redhat.com> - 0.12-20
-- Fix issue when installing private address range zone without global forwarders (#1205864)
-- Fix configuration of private address range zones (#1128310#c20)
-
-* Fri Mar 13 2015 Tomas Hozza <thozza@redhat.com> - 0.12-19
-- Fix typo in the dnssec-trigger-script (#1187371)
-- Use Python3 by default
-
-* Mon Jan 26 2015 Pavel Šimerda <psimerda@redhat.com> - 0.12-18
-- Resolves: #1185796, #1130502, #1105685, #1128310 – update
-
-* Tue Jan 20 2015 Pavel Šimerda <psimerda@redhat.com> - 0.12-17
-- Resolves: #1183975 - systemd cgroup check fails
-
-* Tue Jan 20 2015 Pavel Šimerda <psimerda@redhat.com> - 0.12-16
-- Resolves: #1165126, #1125267, #1089766, #1112248, #824219 - update
-
-* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.12-15
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
-
-* Thu Aug 14 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-14
-- Resolves: #1125261 - dnssec-trigger-script: use fcntl.flock instead of
-  lockfile
-
-* Mon Aug 11 2014 Tomas Hozza <thozza@redhat.com> - 0.12-13
-- One Fedora fallback server changed IP address (#1125440)
-
-* Mon Jun 30 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-12
-- Resolves: #1112248 - require a version of NetworkManager with #1113122 fixed
-
-* Tue Jun 24 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-11
-- Resolves: #1112248 - serialize the script instances
-
-* Tue Jun 24 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-10
-- Resolves: #1112248 - fix a typo
-
-* Tue Jun 24 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-9
-- Resolves: #1112248 - fix systemd race condition
-
-* Mon Jun 23 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-8
-- Resolves: #1112248 - don't block on systemctl restart NetworkManager
-
-* Mon Jun 23 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-7
-- Resolves: #1112248, #1111143 - update dnssec-trigger-script and dnssec-triggerd.service
-
-* Fri Jun 20 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-6
-- Resolves: #1111143 - fix for python2
-
-* Fri Jun 20 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-5
-- Related: #842455 - remove a patch that is now redundant
-
-* Fri Jun 20 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-4
-- update dnssec-trigger-script to current development submitted upstream
-
-* Wed Jun 18 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-3
-- Resolves: #1105896 - the new script doesn't call dnssec-trigger-control submit
-
-* Fri Jun 06 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-2
-- fix various dnssec-trigger-script issues
-
-* Fri May 23 2014 Tomas Hozza <thozza@redhat.com> - 0.12-1
-- Update to 0.12 version
-- Drop merged patches
-- Drop downstream files (systemd, dispatcher scripts)
-
-* Tue May 13 2014 Paul Wouters <pwouters@redhat.com> - 0.11-21
-- Enable full hardening (includig PIE)
-- Resolves: rhbz#1045689 dnssec-trigger creates long-time RSA key with inappropriate size
-
-* Wed Feb 19 2014 Tomas Hozza <thozza@redhat.com> - 0.11-20
-- Restart NM on dnssec-trigger shutdown (let NM handle the resolv.conf content)
-- HN-hook: Handle situation when connection does not have a device
-
-* Wed Jan 29 2014 Tomas Hozza <thozza@redhat.com> - 0.11-19
-- Use new Python dispatcher script and ship /etc/dnssec.conf
-
-* Tue Jan 28 2014 Tomas Hozza <thozza@redhat.com> - 0.11-18
-- Use systemd macros instead of directly calling systemctl
-- simplify the systemd unit file for generating keys
-
-* Thu Nov 21 2013 Tomas Hozza <thozza@redhat.com> - 0.11-17
-- Add script to backup and restore resolv.conf on dnssec-trigger start/stop
-
-* Mon Nov 18 2013 Tomas Hozza <thozza@redhat.com> - 0.11-16
-- Improve GUI dialogs texts
-
-* Tue Nov 12 2013 Tomas Hozza <thozza@redhat.com> - 0.11-15
-- Fix NM dispatcher script to work with NM >= 0.9.9.0 (#1029571)
-
-* Mon Aug 26 2013 Tomas Hozza <thozza@redhat.com> - 0.11-14
-- Fix errors found by static analysis of source
-
-* Fri Aug 09 2013 Tomas Hozza <thozza@redhat.com> - 0.11-13
-- Use improved NM dispatcher script from upstream
-- Added tmpfiles.d config due to improved NM dispatcher script
-
-* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.11-12
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
-
-* Mon Mar 04 2013 Adam Tkac <atkac redhat com> - 0.11-11
-- link dnssec-trigger.conf.8 to dnssec-trigger.8
-- build dnssec-triggerd with full RELRO
-
-* Mon Mar 04 2013 Adam Tkac <atkac redhat com> - 0.11-10
-- remove deprecated "Application" keyword from desktop file
-
-* Mon Mar 04 2013 Adam Tkac <atkac redhat com> - 0.11-9
-- install various dnssec-trigger-* symlinks to dnssec-trigger.8 manpage
-
-* Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.11-8
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
-
-* Tue Jan 08 2013 Paul Wouters <pwouters@redhat.com> - 0.11-7
-- Use full path for systemd (rhbz#842455)
-
-* Tue Jul 24 2012 Paul Wouters <pwouters@redhat.com> - 0.11-6
-- Patched daemon to remove immutable attr (rhbz#842455) as the
-  systemd ExecStopPost= target does not seem to work
-
-* Tue Jul 24 2012 Paul Wouters <pwouters@redhat.com> - 0.11-5
-- On service stop, remove immutable attr from resolv.conf (rhbz#842455)
-
-* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.11-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
-
-* Thu Jun 28 2012 Paul Wouters <pwouters@redhat.com> - 0.11-3
-- Fix DHCP hook for f17+ version of nmcli (rhbz#835298)
-
-* Sun Jun 17 2012 Paul Wouters <pwouters@redhat.com> - 0.11-2
-- Small textual changes to some popup windows
-
-* Fri Jun 15 2012 Paul Wouters <pwouters@redhat.com> - 0.11-1
-- Updated to 0.11
-- http Hotspot detection via fedoraproject.org/static/hotspot.html
-- http Hotspot Login page via uses hotspot-nocache.fedoraproject.org
-
-* Thu Feb 23 2012 Paul Wouters <pwouters@redhat.com> - 0.10-4
-- Require: unbound
-
-* Wed Feb 22 2012 Paul Wouters <pwouters@redhat.com> - 0.10-3
-- Fix the systemd startup to require unbound
-- dnssec-triggerd no longer forks, giving systemd more control
-- Fire NM dispatcher in ExecStartPost of dnssec-triggerd.service
-- Fix tcp80 entries in dnssec-triggerd.conf
-- symlink dnssec-trigger-panel to dnssec-trigger to supress the
-  "-panel" in the applet name shown in gnome3
-
-
-* Wed Feb 22 2012 Paul Wouters <pwouters@redhat.com> - 0.10-2
-- The NM hook was not modified at the right time during build
-
-* Wed Feb 22 2012 Paul Wouters <pwouters@redhat.com> - 0.10-1
-- Updated to 0.10
-- The NM hook lacks /usr/sbin in path, resulting in empty resolv.conf on hotspot
-
-* Wed Feb 08 2012 Paul Wouters <pwouters@redhat.com> - 0.9-4
-- Updated tls443 / tls80 resolver instances supplied by Fedora Hosted
-
-* Mon Feb 06 2012 Paul Wouters <pwouters@redhat.com> - 0.9-3
-- Convert from SysV to systemd for initial Fedora release
-- Moved configs and pem files to /etc/dnssec-trigger/
-- No more /var/run/dnssec-triggerd/
-- Fix Build-requires
-- Added commented tls443 port80 entries of pwouters resolvers
-- On uninstall ensure there is no immutable bit on /etc/resolv.conf
-
-* Sat Jan 07 2012 Paul Wouters <paul@xelerance.com> - 0.9-2
-- Added LICENCE to doc section
-
-* Mon Dec 19 2011 Paul Wouters <paul@xelerance.com> - 0.9-1
-- Upgraded to 0.9
-
-* Fri Oct 28 2011 Paul Wouters <paul@xelerance.com> - 0.7-1
-- Upgraded to 0.7
-
-* Fri Sep 23 2011 Paul Wouters <paul@xelerance.com> - 0.4-1
-- Upgraded to 0.4
-
-* Sat Sep 17 2011 Paul Wouters <paul@xelerance.com> - 0.3-5
-- Start 01-dnssec-trigger-hook in daemon start
-- Ensure dnssec-triggerd starts after NetworkManager
-
-* Fri Sep 16 2011 Paul Wouters <paul@xelerance.com> - 0.3-4
-- Initial package
+%autochangelog

plans/public.fmf

@@ -0,0 +1,6 @@
+summary: Run all beakerlib tests for dnssec-trigger
+discover:
+  - name: fedora_tests_dnssec-trigger
+    how: fmf
+execute:
+    how: tmt

tests/.gitignore

@@ -0,0 +1,2 @@
+.testinfo.tmt
+.*.swp

tests/Sanity/basic-functionality/main.fmf

@@ -0,0 +1,9 @@
+summary: Try starting dnssec-triggerd and use fallbacks
+description: |
+  Use configured fallbacks manually by test_tcp and test_http commands.
+  Also check resolutions is actually working.
+test: ./test.sh
+framework: beakerlib
+require:
+  - dnssec-trigger
+  - unbound

tests/Sanity/basic-functionality/test.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+MOVED_RESOLV_CONF=""
+
+wait_for_probe() {
+	while dnssec-trigger-control status | grep -q '^probe is in progress'; do
+		sleep 1
+	done
+}
+
+test_fallback() {
+	local TYPE=$1
+	local HOST=$2
+
+	rlRun "dnssec-trigger-control test_${TYPE}"
+	wait_for_probe
+	sleep 1
+	rlRun "dnssec-trigger-control status"
+	rlRun -s "unbound-host -rvD ${HOST}" 0 "Check dnssec works over ${TYPE} fallback"
+	rlAssertGrep '(secure)' $rlRun_LOG
+}
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlRun "tmp=\$(mktemp -d)" 0 "Create tmp directory"
+	rlAssertRpm dnssec-trigger
+	rlFileBackup --missing-ok /etc/resolv.conf
+	if test -L /etc/resolv.conf; then
+		MOVED_RESOLV_CONF="/etc/resolv-backup-$$.conf"
+		rlRun "mv /etc/resolv.conf ${MOVED_RESOLV_CONF}"
+	fi
+        rlRun "pushd $tmp"
+	rlServiceStart dnssec-triggerd
+    rlPhaseEnd
+
+    rlPhaseStartTest
+    	rlRun "dnssec-trigger-control status"
+	rlRun -s "unbound-host -rvD example.org" 0 "Check dnssec actually works"
+	rlAssertGrep '(secure)' $rlRun_LOG
+
+	test_fallback tcp www.example.org
+	# This variant is not passing
+	#test_fallback http example.net
+	test_fallback ssl www.example.net
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rlServiceRestore dnssec-triggerd
+        rlRun "popd"
+	if [ -n "$MOVED_RESOLV_CONF" ]; then
+		rm -f /etc/resolv.conf
+		rlRun "mv -f ${MOVED_RESOLV_CONF} /etc/resolv.conf"
+	fi
+	rlFileRestore
+        rlRun "rm -r $tmp" 0 "Remove tmp directory"
+    rlPhaseEnd
+rlJournalEnd