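# RPM spec for OpenDNSSEC 1.4.x (enforcer + signer), Fedora packaging.
# Uncomment "prever" to build a pre-release snapshot (see Source0 / %%if below).
#global prever rcX
%global _hardened_build 1

Summary: DNSSEC key and zone management software
Name: opendnssec
Version: 1.4.14
Release: 6%{?prever}%{?dist}
License: BSD
Url: http://www.opendnssec.org/
Source0: http://www.opendnssec.org/files/source/%{?prever:testing/}%{name}-%{version}%{?prever}.tar.gz
Source1: ods-enforcerd.service
Source2: ods-signerd.service
Source3: ods.sysconfig
Source4: conf.xml
Source5: tmpfiles-opendnssec.conf
Source6: opendnssec.cron

Requires: opencryptoki, softhsm, systemd-units
# sqlite provides the sqlite3 binary used by the db migration in %%post
Requires: libxml2, libxslt sqlite
BuildRequires: gcc
BuildRequires: ldns-devel >= 1.6.12, sqlite-devel , openssl-devel
BuildRequires: libxml2-devel CUnit-devel, doxygen
# It tests for pkill/killall and would use /bin/false if not found
BuildRequires: procps-ng
BuildRequires: perl-interpreter
BuildRequires: systemd-units
Requires(pre): shadow-utils
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units

%if 0%{?prever:1}
#For building snapshots
Buildrequires: autoconf, automake, libtool, java
%endif

%description
OpenDNSSEC was created as an open-source turn-key solution for DNSSEC.
It secures zone data just before it is published in an authoritative
name server.

It requires a PKCS#11 crypto module library, such as softhsm

%prep
%setup -q -n %{name}-%{version}%{?prever}
# bump default policy ZSK keysize to 2048
sed -i "s/1024/2048/" conf/kasp.xml.in

%build
# Full RELRO + PIE on top of the distro hardening flags.
export LDFLAGS="-Wl,-z,relro,-z,now -pie -specs=/usr/lib/rpm/redhat/redhat-hardened-ld"
export CFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wextra -Wformat -Wformat-nonliteral -Wformat-security"
export CXXFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wformat-nonliteral -Wformat-security"
%configure --with-ldns=%{_libdir}
make %{?_smp_mflags}

%check
# Requires sample db not shipped with upstream
# make check

%install
rm -rf %{buildroot}
make DESTDIR=%{buildroot} install
mkdir -p %{buildroot}%{_localstatedir}/opendnssec/{tmp,signed,signconf}
# NOTE(review): the initrddir directory is created here but never listed in
# %%files; it looks like a leftover from the initscript era (changelog 1.3.6-3,
# "Converted initd to systemd") - confirm it can be dropped.
install -d -m 0755 %{buildroot}%{_initrddir} %{buildroot}%{_sysconfdir}/cron.d/
install -m 0644 %{SOURCE6} %{buildroot}/%{_sysconfdir}/cron.d/opendnssec
# The .sample files duplicate the real config and are installed unreadable.
rm -f %{buildroot}/%{_sysconfdir}/opendnssec/*.sample
install -d -m 0755 %{buildroot}/%{_sysconfdir}/sysconfig
install -d -m 0755 %{buildroot}%{_unitdir}
install -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/
install -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/
install -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/sysconfig/ods
install -m 0644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/opendnssec/
mkdir -p %{buildroot}%{_tmpfilesdir}/
install -m 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/opendnssec.conf
mkdir -p %{buildroot}%{_localstatedir}/run/opendnssec
# Schema migration script consumed by %%post on upgrades from older 1.4.x.
cp enforcer/utils/migrate_1_4_8.sqlite3 %{buildroot}%{_datadir}/%{name}/

%files
%{_unitdir}/ods-enforcerd.service
%{_unitdir}/ods-signerd.service
%config(noreplace) %{_tmpfilesdir}/opendnssec.conf
%attr(0770,root,ods) %dir %{_sysconfdir}/opendnssec
%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec
%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/tmp
%attr(0775,root,ods) %dir %{_localstatedir}/opendnssec/signed
%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/signconf
# Group-only readable: conf.xml presumably carries the HSM PIN (see %%post).
%attr(0660,root,ods) %config(noreplace) %{_sysconfdir}/opendnssec/*.xml
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/ods
%attr(0770,root,ods) %dir %{_localstatedir}/run/opendnssec
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/cron.d/opendnssec
%doc NEWS README.md
%license LICENSE
%{_mandir}/*/*
%{_sbindir}/*
%{_bindir}/*
%attr(0755,root,root) %dir %{_datadir}/%{name}
%{_datadir}/%{name}/*

%pre
# Unprivileged service account; the daemons and the softhsm token run as it.
getent group ods >/dev/null || groupadd -r ods
getent passwd ods >/dev/null || \
    useradd -r -g ods -d /etc/opendnssec -s /sbin/nologin \
    -c "opendnssec daemon account" ods
exit 0

%post
kaspdb=%{_localstatedir}/%{name}/kasp.db
# Initialise a slot on the softhsm on first install ($1 is 1 on a fresh
# install, greater on an upgrade).
if [ "$1" -eq 1 ]; then
    # NOTE(review): the PIN/SO-PIN are fixed defaults passed on argv; they
    # presumably have to match the PIN configured in conf.xml (Source4), so
    # confirm before changing either one.
    %{_sbindir}/runuser -u ods -- %{_bindir}/softhsm2-util --init-token \
        --slot 0 --label "OpenDNSSEC" --pin 1234 --so-pin 1234
    # Only create the KASP database when none exists yet. (The path used to
    # lack the "/" after the state dir, so this test never matched and setup
    # ran unconditionally.)
    # NOTE(review): setup runs as root while the token init runs as ods; confirm
    # the resulting kasp.db ends up writable by group ods (dir is 0770 root:ods).
    if [ ! -s "$kaspdb" ]; then
        echo y | %{_bindir}/ods-ksmutil setup
    fi
fi
# Migrate version 3 db to version 4 db. Skip when there is no database yet:
# otherwise the migration script would be applied to a freshly created, empty
# root-owned file and a failed version query would be mistaken for "version 3".
if [ -s "$kaspdb" ] && \
   [ "$(%{_bindir}/sqlite3 "$kaspdb" 'select version from dbadmin;')" != "4" ]; then
    %{_bindir}/sqlite3 "$kaspdb" < %{_datadir}/%{name}/migrate_1_4_8.sqlite3
fi
# in case we update any xml conf file
ods-ksmutil update all >/dev/null 2>/dev/null ||:
%systemd_post ods-enforcerd.service
%systemd_post ods-signerd.service

%preun
%systemd_preun ods-enforcerd.service
%systemd_preun ods-signerd.service

%postun
%systemd_postun_with_restart ods-enforcerd.service
%systemd_postun_with_restart ods-signerd.service

%changelog
* Wed Jan 29 2020 Fedora Release Engineering - 1.4.14-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild

* Thu Jul 25 2019 Fedora Release Engineering - 1.4.14-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild

* Fri Feb 01 2019 Fedora Release Engineering - 1.4.14-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild

* Fri Jul 13 2018 Fedora Release Engineering - 1.4.14-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

* Thu Feb 08 2018 Fedora Release Engineering - 1.4.14-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

* Tue Dec 12 2017 Paul Wouters - 1.4.14-1
- Update to 1.4.14 as first steop to migrating to 2.x
- Resolves: rhbz#1413254 Move tmpfiles.d config to %%{_tmpfilesdir}, install LICENSE as %%license

* Thu Aug 03 2017 Fedora Release Engineering - 1.4.9-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild

* Thu Jul 27 2017 Fedora Release Engineering - 1.4.9-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

* Wed Mar 08 2017 Tomas Hozza - 1.4.9-5
- Fix FTBFS (#1424019) in order to rebuild against new ldns

* Sat Feb 11 2017 Fedora Release Engineering - 1.4.9-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild

* Thu Feb 18 2016 Paul Wouters - 1.4.9-3
- Resolves: rbz#1303965 upgrade to opendnssec-1.4.9-1.fc23 breaks old installations
- On initial install, after token init, also run ods-ksmutil setup

* Thu Feb 04 2016 Fedora Release Engineering - 1.4.9-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild

* Mon Feb 01 2016 Paul Wouters - 1.4.9-1
- Updated to 1.4.9
- Removed merged in patch

* Wed Jun 17 2015 Fedora Release Engineering - 1.4.7-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild

* Tue Jun 09 2015 Paul Wouters - 1.4.7-2
- Resolves rhbz#1219746 ods-signerd.service misplaced After= in section Service
- Resolves rhbz#1220443 OpenDNSSEC fails to initialise a slot in softhsm on first install

* Tue Dec 09 2014 Paul Wouters - 1.4.7-1
- Updated to 1.4.7 (fix zone update can get stuck, crash on retransfer cmd)

* Wed Oct 15 2014 Paul Wouters - 1.4.6-4
- Change /etc/opendnssec to be ods group writable

* Wed Oct 08 2014 Paul Wouters - 1.4.6-3
- Added Petr Spacek's patch that adds the config option (rhbz#1123354)

* Sun Aug 17 2014 Fedora Release Engineering - 1.4.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild

* Mon Jul 28 2014 Paul Wouters - 1.4.6-1
- Updated to 1.4.6
- Removed incorporated patch upstream
- Remove Wants= from ods-signerd.service (rhbz#1098205)

* Sat Jun 07 2014 Fedora Release Engineering - 1.4.5-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild

* Fri Apr 18 2014 Paul Wouters - 1.4.5-2
- Updated to 1.4.5
- Added patch for serial 0 bug in XFR adapter

* Tue Apr 01 2014 Paul Wouters - 1.4.4-3
- Add buildrequires for ods-kasp2html (rhbz#1073313)

* Sat Mar 29 2014 Paul Wouters - 1.4.4-2
- Add requires for ods-kasp2html (rhbz#1073313)

* Thu Mar 27 2014 Paul Wouters - 1.4.4-1
- Updated to 1.4.4 (compatibility with non RFC 5155 errata 3441)
- Change the default ZSK policy from 1024 to 2048 bit RSA keys
- Fix post to be quiet when upgrading opendnssec

* Thu Jan 09 2014 Paul Wouters - 1.4.3-1
- Updated to 1.4.3 (rhel#1048449)
- minor bugfixes, minor feature enhancements
- rhel#1025985 OpenDNSSEC signer cannot be started due to a typo in service file

* Wed Sep 11 2013 Paul Wouters - 1.4.2-1
- Updated to 1.4.2, bugfix release

* Sat Aug 03 2013 Fedora Release Engineering - 1.4.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild

* Fri Jun 28 2013 Paul Wouters - 1.4.1-1
- Updated to 1.4.1. NSEC3 handling and serial number handling fixes
- Add BuildRequire for systemd-units

* Sat May 11 2013 Paul Wouters - 1.4.0-1
- Updated to 1.4.0

* Fri Apr 12 2013 Paul Wouters - 1.4.20-0.8.rc3
- Updated to 1.4.0rc3
- Enabled hardened compile, full relzo/pie

* Fri Jan 25 2013 Patrick Uiterwijk - 1.4.0-0.7.rc2
- Updated to 1.4.0rc2, which includes svn r6952

* Fri Jan 18 2013 Patrick Uiterwijk - 1.4.0-0.6.rc1
- Updated to 1.4.0rc1
- Applied opendnssec-ksk-premature-retirement.patch (svn r6952)

* Tue Dec 18 2012 Paul Wouters - 1.4.0-0.5.b2
- Updated to 1.4.0b2
- All patches have been merged upstream
- cron job should be marked as config file

* Tue Oct 30 2012 Paul Wouters - 1.4.0-0.4.b1
- Added BuildRequires: procps-ng for bug OPENDNSSEC-345
- Change RRSIG inception offset to -2h to avoid possible daylight saving issues on resolvers
- Patch to prevent removal of occluded data

* Wed Sep 26 2012 Paul Wouters - 1.4.0-0.3.b1
- Just an EVR fix to the proper standard
- Cleanup of spec file
- Introduce new systemd-rpm macros (rhbz#850242)

* Wed Sep 12 2012 Paul Wouters - 1.4.0-0.b1.1
- Updated to 1.4.0b1
- Patch for NSEC3PARAM TTL
- Cron job to assist narrowing ods-enforcerd timing differences

* Wed Aug 29 2012 Paul Wouters - 1.4.0-0.a3.1
- Updated to 1.4.0a3
- Patch to more aggressively try to resign
- Patch to fix locking issue eating up cpu

* Fri Jul 20 2012 Fedora Release Engineering - 1.4.0-0.a2.2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild

* Tue Jun 12 2012 Paul Wouters - 1.4.0-0.a2.1
- Updated to 1.4.0a2
- ksm-utils patch for ods-ksmutil to die sooner when it can't lock the HSM.

* Wed May 16 2012 Paul Wouters - 1.4.0-0.a1.3
- Patch for crasher with deleted RRsets and NSEC3/OPTOUT chains

* Mon Mar 26 2012 Paul Wouters - 1.4.0-0.a1.2
- Added opendnssec LICENSE file from trunk (Thanks Jakob!)

* Mon Mar 26 2012 Paul Wouters - 1.4.0-0.a1.1
- Fix macros in comment
- Added missing -m to install target

* Sun Mar 25 2012 Paul Wouters - 1.4.0-0.a1
- The 1.4.x branch no longer needs ruby, as the auditor has been removed
- Added missing openssl-devel BuildRequire
- Comment out so keys generated by ods can be used by bind

* Fri Feb 24 2012 Paul Wouters - 1.3.6-3
- Requires rubygem-soap4r when using ruby-1.9
- Don't ghost /var/run/opendnssec
- Converted initd to systemd

* Thu Nov 24 2011 root - 1.3.2-6
- Added rubygem-dnsruby requires as rpm does not pick it up automatically

* Tue Nov 22 2011 root - 1.3.2-5
- Added /var/opendnssec/signconf/ /as this temp dir is needed

* Mon Nov 21 2011 Paul Wouters - 1.3.2-4
- Added /var/opendnssec/signed/ as this is the default output dir

* Sun Nov 20 2011 Paul Wouters - 1.3.2-3
- Add ods user for opendnssec tasks
- Added initscripts and services for ods-signerd and ods-enforcerd
- Initialise OpenDNSSEC softhsm token on first install

* Wed Oct 05 2011 Paul Wouters - 1.3.2-1
- Updated to 1.3.2
- Added dependancies on opencryptoki and softhsm
- Don't install duplicate unreadable .sample files
- Fix upstream conf.xml to point to actually used library paths

* Thu Mar 3 2011 Paul Wouters - 1.2.0-1
- Initial package for Fedora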