# OpenDNSSEC package preamble: identity, sources and dependencies.
# The commented "prever" line is switched on only when packaging a
# pre-release snapshot; it changes Source0, Release and the BuildRequires.
#global prever rc3
%global _hardened_build 1

Summary: DNSSEC key and zone management software
Name: opendnssec
Version: 1.4.6
Release: 1%{?prever}%{?dist}
License: BSD
Url: http://www.opendnssec.org/
Source0: http://www.opendnssec.org/files/source/%{?prever:testing/}%{name}-%{version}%{?prever}.tar.gz
Source1: ods-enforcerd.init
Source2: ods-signerd.init
Source3: ods.sysconfig
Source4: conf.xml
Source5: opendnssec.cron
Source6: kasp.xml
Group: Applications/System

# Runtime: a PKCS#11 module is mandatory; softhsm 2 is the one the
# post-install scriptlet initialises.
Requires: opencryptoki, softhsm >= 2.0.0a2
BuildRequires: libxml2, libxslt
Requires: libxml2, libxslt
BuildRequires: ldns-devel >= 1.6.13, sqlite-devel, openssl-devel
BuildRequires: libxml2-devel, CUnit-devel, doxygen
# It tests for pkill/killall and would use /bin/false if not found
BuildRequires: procps
# or else no debug package on epel6
BuildRequires: redhat-rpm-config
# groupadd/useradd are used in the pre scriptlet
Requires(pre): shadow-utils

%if 0%{?prever:1}
# For building snapshots
BuildRequires: autoconf, automake, libtool, java
%endif

%description
OpenDNSSEC was created as an open-source turn-key solution for DNSSEC.
It secures zone data just before it is published in an authoritative
name server.
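It requires a PKCS#11 crypto module library, such as softhsm2

%prep
%setup -q -n %{name}-%{version}%{?prever}
# bump default policy ZSK keysize to 2048
# NOTE: the substitution is unanchored and rewrites only the first "1024"
# on each line of kasp.xml.in; re-check the generated policy whenever the
# upstream sample changes.
sed -i "s/1024/2048/" conf/kasp.xml.in

%build
# Full RELRO, immediate binding and PIE are passed explicitly so the
# hardening does not depend on the distribution's default build flags.
export LDFLAGS="-Wl,-z,relro,-z,now -pie"
export CFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wextra -Wformat -Wformat-nonliteral -Wformat-security"
%configure --with-ldns=%{_libdir}
make %{?_smp_mflags}

%check
# Requires sample db not shipped with upstream
# make check

%install
rm -rf %{buildroot}
make DESTDIR=%{buildroot} install
# Working directories used by the signer (tmp, signed output, signconf).
mkdir -p %{buildroot}/var/opendnssec/{tmp,signed,signconf}
mkdir -p %{buildroot}/%{_initrddir}
install -p -m 0755 %{SOURCE1} %{buildroot}/%{_initrddir}/ods-enforcerd
install -p -m 0755 %{SOURCE2} %{buildroot}/%{_initrddir}/ods-signerd
install -d -m 0755 %{buildroot}%{_initrddir} %{buildroot}%{_sysconfdir}/cron.d/
install -p -m 0644 %{SOURCE5} %{buildroot}/%{_sysconfdir}/cron.d/opendnssec
# cleanup sample files
rm -f %{buildroot}/%{_sysconfdir}/opendnssec/*.sample
install -d -m 0755 %{buildroot}/%{_sysconfdir}/sysconfig
install -p -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/sysconfig/ods
# Ship our own conf.xml and kasp.xml instead of the upstream samples.
install -p -m 0644 %{SOURCE4} %{SOURCE6} %{buildroot}/%{_sysconfdir}/opendnssec/
mkdir -p %{buildroot}%{_localstatedir}/run/opendnssec

%files
%attr(0755,root,root) %{_initrddir}/ods-enforcerd
%attr(0755,root,root) %{_initrddir}/ods-signerd
# conf.xml carries the HSM PIN, so the config directory and the *.xml
# files stay unreadable to users outside the ods group.
%attr(0750,root,ods) %dir %{_sysconfdir}/opendnssec
%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec
%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/tmp
%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/signed
%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/signconf
%attr(0660,root,ods) %config(noreplace) %{_sysconfdir}/opendnssec/*.xml
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/ods
%attr(0770,root,ods) %dir %{_localstatedir}/run/opendnssec
%attr(0644,root,root) %{_sysconfdir}/cron.d/opendnssec
%doc NEWS README.md LICENSE
%{_mandir}/*/*
%{_sbindir}/*
%{_bindir}/*
%attr(0755,root,root) %dir %{_datadir}/%{name}
%{_datadir}/%{name}/*

%pre
# Unprivileged service account; both daemons run as ods.
getent group ods >/dev/null || groupadd -r ods
getent passwd ods >/dev/null || \
    useradd -r -g ods -d /etc/opendnssec -s /sbin/nologin \
    -c "opendnssec daemon account" ods
exit 0

%post
/sbin/chkconfig --add ods-enforcerd
/sbin/chkconfig --add ods-signerd
# Initialise a slot on the softhsm on first install
if [ "$1" -eq 1 ]; then
    # SECURITY NOTE: the token is created with the well-known placeholder
    # PIN/SO-PIN "1234", which must match the PIN in conf.xml. Anyone who can
    # read the softhsm token store can use the signing keys with this PIN, so
    # operators should change it after installation and update conf.xml to
    # match. The PIN is also visible to other local processes in the argument
    # list of softhsm2-util while this scriptlet runs.
    softhsm2-util --show-slots | grep OpenDNSSEC > /dev/null || \
        softhsm2-util --init-token --slot 0 --label "OpenDNSSEC" --pin 1234 --so-pin 1234
    # Migrate a softhsm-1 module path in an existing conf.xml to softhsm-2;
    # the previous file is kept as conf.xml.rpmsave.
    grep libsofthsm2.so /etc/opendnssec/conf.xml > /dev/null || \
        sed -i.rpmsave "s/libsofthsm.so/libsofthsm2.so/g" /etc/opendnssec/conf.xml
fi
# in case we update any xml conf file
ods-ksmutil update all >/dev/null 2>/dev/null ||:

%preun
# Only on full removal (not upgrade): stop and deregister both services.
if [ "$1" -eq 0 ]; then
    /sbin/service ods-signerd stop >/dev/null 2>&1 ||:
    /sbin/service ods-enforcerd stop >/dev/null 2>&1 ||:
    /sbin/chkconfig --del ods-enforcerd
    /sbin/chkconfig --del ods-signerd
fi

%postun
# Only on upgrade: reload the config into the kasp db and restart if running.
if [ "$1" -ge "1" ]; then
    ods-ksmutil update all >/dev/null 2>/dev/null ||:
    /sbin/service ods-enforcerd condrestart >/dev/null 2>&1 ||:
    /sbin/service ods-signerd condrestart >/dev/null 2>&1 ||:
fi

%changelog
* Tue Aug 05 2014 Paul Wouters - 1.4.6-1
- Updated to 1.4.6
- Require softhsm-2 instead of softhsm-1 (and auto migrate)
- Removed patch merged upstream

* Fri Apr 18 2014 Paul Wouters - 1.4.5-2
- Added patch for serial 0 bug in XFR adapter
- Add redhat-rpm-config buildrequire to ensure debug package

* Fri Apr 18 2014 Paul Wouters - 1.4.5-1
- Updated to 1.4.5

* Tue Apr 01 2014 Paul Wouters - 1.4.4-3
- Add buildrequires for ods-kasp2html (rhbz#1073313)

* Fri Mar 28 2014 Paul Wouters - 1.4.4-2
- Add requires for ods-kasp2html (rhbz#1073313)
- Updated to 1.4.4 (rhbz#1080862) (compatibility with non RFC 5155 errata 3441 implementations)
- Change the default ZSK policy from 1024 to 2048 bit RSA keys
- Fix post to be quiet when upgrading opendnssec

* Thu Jan 09 2014 Paul Wouters - 1.4.3-1
- Updated to 1.4.3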
  (rhel#1048449)
- minor bugfixes, minor feature enhancements

* Wed Sep 11 2013 Paul Wouters - 1.4.2-1
- Updated to 1.4.2, bugfix release

* Fri Jun 28 2013 Paul Wouters - 1.4.1-1
- Updated to 1.4.1, bugfixes for NSEC3 and serial handling

* Sat May 11 2013 Paul Wouters - 1.4.0-1
- Updated to 1.4.0
- Enabled full relro/pie protection

* Mon Apr 15 2013 Paul Wouters - 1.4.0-0.8.rc3
- Updated to 1.4.0rc3

* Mon Jan 28 2013 Paul Wouters - 1.4.0-0.7.rc2
- Updated to 1.4.0rc2
- This merges in r6952

* Fri Jan 18 2013 Patrick Uiterwijk - 1.4.0-0.6.rc1
- Updated to 1.4.0rc1
- Applied opendnssec-ksk-premature-retirement.patch (svn r6952)

* Tue Dec 18 2012 Paul Wouters - 1.4.0-0.6.b2
- Updated to 1.4.0b2
- All patches synced to/from with new release

* Fri Nov 23 2012 Paul Wouters - 1.4.0-0.6.b1
- Patch for empty nonterminal NSEC3 records

* Sat Nov 10 2012 Paul Wouters - 1.4.0-0.5.b1
- Patch r6816 fixes enforcer/signer communication
- Patch r6817 Don't add double RRSIGs generated by same key for DNSKEY RRset

* Tue Oct 30 2012 Paul Wouters - 1.4.0-0.4.b1
- Added BuildRequires: procps-ng for bug OPENDNSSEC-345
- Change RRSIG inception offset to -2h to avoid possible daylight saving issues on resolvers
- Patch to prevent removal of occluded data

* Wed Sep 26 2012 Paul Wouters - 1.4.0-0.2.b1
- Just an EVR fix to the proper standard
- Remove accidentally added (but not released) Epoch:
- Minor spec file cleanup

* Wed Sep 12 2012 Paul Wouters - 1.4.0-0.b1.1
- Updated to 1.4.0b1
- Patch to more aggressively try to take lock for resigning
- Patch to give NSEC3PARAM record a TTL=0

* Tue Aug 07 2012 Paul Wouters - 1.4.0-0.a3.2
- Updated to 1.4.0a3
- Added opendnssec.cron to sync key rollovers over multiple servers
- Removed merged in patch.
- Added patch for cpu lock from trunk
- Don't re-init softhsm on remove+install of opendnssec (as opposed to upgrade)

* Wed May 16 2012 Paul Wouters - 1.4.0-0.a1.4
- Missed the actual patch line, so previous build did not have the patch

* Tue Apr 17 2012 Paul Wouters - 1.4.0-0.a1.3
- Remove bad artifact dependency on systemd-units from Fedora branch

* Thu Mar 29 2012 Paul Wouters - 1.4.0-0.a1.2
- Added opendnssec LICENSE file from trunk (Thanks Jakob!)
- Convert back to sysv for EL5/EL6 repos

* Mon Mar 26 2012 Paul Wouters - 1.4.0-0.a1.1
- Fix macros in comment
- Added missing -m to install target

* Sun Mar 25 2012 Paul Wouters - 1.4.0-0.a1
- The 1.4.x branch no longer needs ruby, as the auditor has been removed
- Added missing openssl-devel BuildRequire
- Comment out so keys generated by ods can be used by bind

* Fri Feb 24 2012 Paul Wouters - 1.3.6-3
- Requires rubygem-soap4r when using ruby-1.9
- Don't ghost /var/run/opendnssec
- Converted initd to systemd

* Thu Nov 24 2011 root - 1.3.2-6
- Added rubygem-dnsruby requires as rpm does not pick it up automatically

* Tue Nov 22 2011 root - 1.3.2-5
- Added /var/opendnssec/signconf/ as this temp dir is needed

* Mon Nov 21 2011 Paul Wouters - 1.3.2-4
- Added /var/opendnssec/signed/ as this is the default output dir

* Sun Nov 20 2011 Paul Wouters - 1.3.2-3
- Add ods user for opendnssec tasks
- Added initscripts and services for ods-signerd and ods-enforcerd
- Initialise OpenDNSSEC softhsm token on first install

* Wed Oct 05 2011 Paul Wouters - 1.3.2-1
- Updated to 1.3.2
- Added dependencies on opencryptoki and softhsm
- Don't install duplicate unreadable .sample files
- Fix upstream conf.xml to point to actually used library paths

* Thu Mar 3 2011 Paul Wouters - 1.2.0-1
- Initial package for Fedora