From c44576a4620efc1cba93e65e122a75c43d5e15f0 Mon Sep 17 00:00:00 2001 From: Tomas Hozza Date: Jul 15 2015 08:05:42 +0000 Subject: rebase to the latest svn trunk snapshot 0.13_20150714 - Script is not searching local user directories any more (#1213062) - Script now doesn't restart NM if version is >= 1.0.3, but sends just signal - Script now specifies the NMClient version for GI (#1242430) - Script now sets negative-cache-ttl in unbound to 5 seconds (#1229596) Signed-off-by: Tomas Hozza --- diff --git a/.gitignore b/.gitignore index 6888079..3d39692 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ /dnssec-trigger-0.10.tar.gz /dnssec-trigger-0.11.tar.gz /dnssec-trigger-0.12.tar.gz +/dnssec-trigger-0.13_20150714.tar.gz diff --git a/dnssec-trigger-0.12-bz1128310-v2.patch b/dnssec-trigger-0.12-bz1128310-v2.patch deleted file mode 100644 index 61102f1..0000000 --- a/dnssec-trigger-0.12-bz1128310-v2.patch +++ /dev/null @@ -1,192 +0,0 @@ -From 5b0c27136acbbd17ce3167341a9ca22e4397766e Mon Sep 17 00:00:00 2001 -From: wouter -Date: Wed, 8 Apr 2015 13:00:10 +0000 -Subject: [PATCH 2/2] - Patches from Tomas Hozza for dnssec-trigger-script: - Add newlines between classes to conform with PEP-8 and increase - readability. Add/remove local zones in Unbound when configuring reverse - addr forward zones. - -git-svn-id: http://www.nlnetlabs.nl/svn/dnssec-trigger/trunk@695 14dc9c71-5cc2-e011-b339-0019d10b89f4 ---- - dnssec-trigger-script.in | 79 ++++++++++++++++++++++++++++++++++++++++++------ - 2 files changed, 77 insertions(+), 9 deletions(-) - -diff --git a/dnssec-trigger-script.in b/dnssec-trigger-script.in -index 88010e9..4cb2940 100644 ---- a/dnssec-trigger-script.in -+++ b/dnssec-trigger-script.in -@@ -24,9 +24,11 @@ log.addHandler(logging.StreamHandler()) - # NetworkManager reportedly doesn't pass the PATH environment variable. - os.environ['PATH'] = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" - -+ - class UserError(Exception): - pass - -+ - class Lock: - """Lock used to serialize the script""" - -@@ -45,6 +47,7 @@ class Lock: - def __exit__(self, t, v, tb): - fcntl.lockf(self.lock, fcntl.LOCK_UN) - -+ - class Config: - """Global configuration options""" - -@@ -84,10 +87,12 @@ class Config: - def flush_command(self): - return "flush_negative" if self.keep_positive_answers else "flush_zone" - -+ - config = Config() - if config.debug: - log.setLevel(logging.DEBUG) - -+ - class ConnectionList: - """List of NetworkManager active connections""" - -@@ -151,6 +156,7 @@ class ConnectionList: - # Prefer first connection - return first - -+ - class Connection: - """Representation of a NetworkManager active connection""" - -@@ -217,6 +223,7 @@ class Connection: - def is_wifi(self): - return self.type == "wifi" - -+ - class UnboundZoneConfig: - """A dictionary-like proxy object for Unbound's forward zone configuration.""" - -@@ -287,6 +294,45 @@ class UnboundZoneConfig: - log.debug("unbound-control: {}".format(args)) - subprocess.check_call(["unbound-control"] + args, stdout=DEVNULL, stderr=DEVNULL) - -+ -+class UnboundLocalZoneConfig: -+ """A dictionary-like proxy object for Unbound's local zone configuration.""" -+ -+ def __init__(self): -+ subprocess.check_call(["unbound-control", "status"], stdout=DEVNULL, stderr=DEVNULL) -+ self.cache = {} -+ for line in subprocess.check_output(["unbound-control", "list_local_zones"]).decode().split('\n'): -+ if line: -+ fields = line.split(" ") -+ name = fields.pop(0).rstrip(".") -+ type = fields.pop(0) -+ self.cache[name] = type -+ log.debug(self) -+ -+ def __repr__(self): -+ return "".format(**vars(self)) -+ -+ def __iter__(self): -+ return iter(self.cache) -+ -+ def add(self, zone, type): -+ """Install a local zone into Unbound.""" -+ self.cache[zone] = type -+ self._control(["local_zone", zone, type]) -+ log.debug(self) -+ -+ def remove(self, zone): -+ """Remove a local zone from Unbound.""" -+ if self.cache.pop(zone, None): -+ self._control(["local_zone_remove", zone]) -+ log.debug(self) -+ -+ @staticmethod -+ def _control(args): -+ log.debug("unbound-control: {}".format(args)) -+ subprocess.check_call(["unbound-control"] + args, stdout=DEVNULL, stderr=DEVNULL) -+ -+ - class Store: - """A proxy object to access stored zones or global servers.""" - -@@ -371,8 +417,7 @@ class Application: - "d.f.ip6.arpa", - "168.192.in-addr.arpa", - ] + ["{}.172.in-addr.arpa".format(octet) for octet in range(16, 32)] + [ -- "10.in-addr.arpa", -- ] if config.use_private_address_ranges else [] -+ "10.in-addr.arpa"] - - def __init__(self, argv): - if len(argv) > 1 and argv[1] == '--debug': -@@ -589,18 +634,31 @@ class Application: - with Lock(): - connections = ConnectionList(self.client, skip_wifi=not config.add_wifi_provided_zones).get_zone_connection_mapping() - unbound_zones = UnboundZoneConfig() -+ unbound_local_zones = UnboundLocalZoneConfig() - stored_zones = Store('zones') - - # Remove any zones managed by dnssec-trigger that are no longer - # valid. - log.debug("removing zones that are no longer valid") - for zone in stored_zones: -- # Remove all zones that are not in connections except those for -- # reverse name resolution of private addresses. -- if zone not in connections and zone not in self.rfc1918_reverse_zones: -- if zone in unbound_zones: -- unbound_zones.remove(zone) -- stored_zones.remove(zone) -+ # leave zones that are provided by some connection -+ if zone in connections: -+ continue -+ -+ if zone in self.rfc1918_reverse_zones: -+ # if zone is private address range reverse zone and we are congifured to use them, leave it -+ if config.use_private_address_ranges: -+ continue -+ # otherwise add Unbound local zone of type 'static' like Unbound does and remove it later -+ else: -+ unbound_local_zones.add(zone, "static") -+ -+ # Remove all zones that are not in connections except OR -+ # are private address ranges reverse zones and we are NOT -+ # configured to use them -+ if zone in unbound_zones: -+ unbound_zones.remove(zone) -+ stored_zones.remove(zone) - - # Install all zones coming from connections except those installed - # by other means than dnssec-trigger-script. -@@ -615,7 +673,7 @@ class Application: - # RFC1918 zones will be installed, except those already provided by connections - # and those installed by other means than by dnssec-trigger-script. - # RFC19118 zones will be removed if there are no global forwarders. -- if self.rfc1918_reverse_zones: -+ if config.use_private_address_ranges: - log.debug("configuring RFC 1918 private zones") - for zone in self.rfc1918_reverse_zones: - # Ignore a connection provided zone as it's been already -@@ -628,6 +686,7 @@ class Application: - if zone in stored_zones or zone not in unbound_zones: - unbound_zones.add(zone, self.global_forwarders, secure=False) - stored_zones.add(zone) -+ unbound_local_zones.remove(zone) - else: - # There are no global forwarders, therefore remove the zone - log.debug("Removing RFC 1918 private zone '%s' since there are no global forwarders", zone) -@@ -635,9 +694,11 @@ class Application: - unbound_zones.remove(zone) - if zone in stored_zones: - stored_zones.remove(zone) -+ unbound_local_zones.add(zone, "static") - - stored_zones.commit() - -+ - if __name__ == "__main__": - try: - Application(sys.argv).run() --- -2.1.0 - diff --git a/dnssec-trigger-0.12-bz1205864.patch b/dnssec-trigger-0.12-bz1205864.patch deleted file mode 100644 index 271fa0b..0000000 --- a/dnssec-trigger-0.12-bz1205864.patch +++ /dev/null @@ -1,75 +0,0 @@ -From 867d4d76de92ce9057a42b464503075066cc92ef Mon Sep 17 00:00:00 2001 -From: Tomas Hozza -Date: Thu, 2 Apr 2015 20:02:46 +0200 -Subject: [PATCH] dnssec-trigger-script: Don't configure RFC1918 zones if there - are no global forwarders - -Previously the script tried to install RFC1918 zones even if there -were no global forwarders from NetworkManager. This lead to removing -the zones from Unbound which is good, but not from zones Store. Also -on subsequent calls the script tried to remove the zones from Unbound -again and crashed with traceback. - -When a machine had configuration of RFC1918 zones enabled by default, -the script crashed also during boot, if the machine was not connected -to any network. - -Please also see https://bugzilla.redhat.com/show_bug.cgi?id=1205864 - -This change makes the script to add RFC1918 zones only if there -are global forwarders, otherwise it will remove them from Unbound -and zones Store. If zones are not configured in Unbound or are not -present in the zones Store, it will do nothing. - -Signed-off-by: Tomas Hozza ---- - dnssec-trigger-script.in | 27 ++++++++++++++++++--------- - 1 file changed, 18 insertions(+), 9 deletions(-) - -diff --git a/dnssec-trigger-script.in b/dnssec-trigger-script.in -index 7bf6c2e..88010e9 100644 ---- a/dnssec-trigger-script.in -+++ b/dnssec-trigger-script.in -@@ -611,21 +611,30 @@ class Application: - unbound_zones.add(zone, connections[zone].servers, secure=config.validate_connection_provided_zones) - stored_zones.add(zone) - -- # Install zones for reverse name resolution of private addresses -- # except those already provided by connections and those installed -- # by other means than dnssec-trigger-script. -+ # Configure forward zones for reverse name resolution of private addresses. -+ # RFC1918 zones will be installed, except those already provided by connections -+ # and those installed by other means than by dnssec-trigger-script. -+ # RFC19118 zones will be removed if there are no global forwarders. - if self.rfc1918_reverse_zones: -- log.debug("adding RFC 1918 private zones not present in unbound or connections") -- global_forwarders = self.global_forwarders -+ log.debug("configuring RFC 1918 private zones") - for zone in self.rfc1918_reverse_zones: - # Ignore a connection provided zone as it's been already - # processed. - if zone in connections: - continue -- # Reinstall a known zone or install a new zone. -- if zone in stored_zones or zone not in unbound_zones: -- unbound_zones.add(zone, global_forwarders, secure=False) -- stored_zones.add(zone) -+ if self.global_forwarders: -+ # Reinstall a known zone or install a new zone. -+ log.debug("Installing RFC 1918 private zone '%s' not present in unbound or connections", zone) -+ if zone in stored_zones or zone not in unbound_zones: -+ unbound_zones.add(zone, self.global_forwarders, secure=False) -+ stored_zones.add(zone) -+ else: -+ # There are no global forwarders, therefore remove the zone -+ log.debug("Removing RFC 1918 private zone '%s' since there are no global forwarders", zone) -+ if zone in unbound_zones: -+ unbound_zones.remove(zone) -+ if zone in stored_zones: -+ stored_zones.remove(zone) - - stored_zones.commit() - --- -2.1.0 - diff --git a/dnssec-trigger-0.12-dnssec-conf.patch b/dnssec-trigger-0.12-dnssec-conf.patch deleted file mode 100644 index f803fe0..0000000 --- a/dnssec-trigger-0.12-dnssec-conf.patch +++ /dev/null @@ -1,167 +0,0 @@ -diff --git a/dnssec.conf b/dnssec.conf -index 4d9dbfb..bf896d3 100644 ---- a/dnssec.conf -+++ b/dnssec.conf -@@ -1,54 +1,115 @@ -+# The options configured in this file are supported by dnssec-trigger-script -+# which is called due to various events in related services including -+# dnssec-trigger and NetworkManager. As a result, dnssec-trigger-script, -+# together with the dnssec-trigger daemon, reconfigures a running instance -+# of Unbound, your local validating resolver. -+# -+# Changes in this file are typically applied on the next network change. To -+# make them work immediately, restart the dnssec-trigger service. On many -+# systems this is achieved by the following command: -+# -+# systemctl restart dnssec-triggerd -+# -+# To achieve a clean state of Unbound, you can just restart the unbound -+# service and dnssec-trigger gets restarted automatically. Note that some -+# other services like VPN clients may have reconfigured unbound at runtime -+# and thus may need to be restarted as well. -+# -+# systemctl restart unbound -+# -+# In future some of the options may be interpretted by other services as well, -+# so be careful to restart all of them. One such service may be a future -+# version of NetworkManager. -+# -+# systemctl restart NetworkManager -+# -+ - # validate_connection_provided_zones: - # ----------------------------------- --# Setts if forward zones added into unbound by dnssec-trigger script --# will be DNSSEC validated or NOT. Note that this setting is global --# for all added forward zones.. --# Possible options are: --# --# validate_connection_provided_zones=yes - All connection provided zones --# configured as forward zones into --# unbound WILL BE DNSSEC validated --# (NOTE: If connection provided DNS --# servers are NOT DNSSEC capable, the --# resolving of provided zones will --# NOT work!) --# --# validate_connection_provided_zones=no - All connection provided zones --# configured as forward zones into --# unbound will NOT be DNSSEC validated --# --# --# NOTICE: if you turn the validation OFF then all forward zones added by --# dnssec-trigger script will NOT be DNSSEC validated. If you turn the --# validation ON, only newly added forward zones will be DNSSEC validated. --# Forward zones added before the change will still NOT be DNSSEC validated. --# To force validation of previously added forward zone you need to restart --# it. For VPNs this can be done by restart NetworkManager. -+# Ensures that foward zones provided by NetworkManager connections will be -+# validated by Unbound. -+# -+# Security notes: -+# -+# - If this option is turned off, the network you're connecting to -+# can provide you a list of spoofed domains e.g. via DHCP. Those domains -+# are then configured as insecure forward zones in your local validating -+# resolver, constituting a downgrade attack on DNSSEC validation. -+# -+# - See also security notes on the `add_wifi_provided_zones` option. -+# -+# validate_connection_provided_zones=yes -+# -+# - Connection provided zones will be configured in Unbound as secure forward -+# zones, validated using DNSSEC. -+# -+# If the DNS servers for such a connection are not capable of forwarding -+# DNSSEC queries and responses or the local zone is required to be signed -+# according to the global DNSSEC database, local resources will not be -+# resolved correctly and will appear inaccessible. -+# -+# Many networks use fake top level domains which fail DNSSEC validation -+# as there is no way to validate them at all. Do not use this strict -+# option if you want to access resources on such networks. -+# -+# validate_connection_provided_zones=no -+# -+# - Connection provided zones will be configured in Unbound as insecure -+# forward zones, not validated using DNSSEC. This allows you to access -+# local resources on networks with non-compliant DNS servers as well -+# as networks that hijack domains that are either not in the global DNS -+# tree at all or are required to be signed. -+# -+# Turning this option off has security implications, See the security -+# notice above. -+# - validate_connection_provided_zones=yes - - # add_wifi_provided_zones: - # ------------------------ --# Setts if domains provided by WiFi connection are configured as forward zones --# into unbound. --# Possible options are: --# --# add_wifi_provided_zones=yes - Domains provided by ANY WiFi connection will --# be configured as forward zones into unbound. --# (NOTE: See the possible security implications --# stated below!) --# --# add_wifi_provided_zones=no - Domains provided by ANY WiFi connection will --# NOT be configured as forward zones into unbound. --# (NOTE: Forward zones will be still configured --# for any other type of connection!) --# --# NOTICE: Turning ON the addition of WiFi provided domains as forward zones --# into unbound may have SECURITY implications such as: --# - A WiFi access point can intentionally provide you a domain via DHCP for --# which it does not have authority and route all your DNS queries to its --# DNS servers. --# - In addition to the previous point, if you have the DNSSEC validation --# of forward zones turned OFF, the WiFi provided DNS servers can spoof --# the IP address for domain names from the provided domain WITHOUT YOU --# KNOWING IT! -+# Ensures that wifi provided zones are accepted by dnssec-trigger-script just -+# as any other connection provided zones. Wireless ethernet is special in -+# that you often connect to network with no authentication or authentication -+# based on a shared secret. -+# -+# Security notes: -+# -+# - Anyone knowing such a shared secret can set up an access point for the -+# network and provide you a spoofed domain list via DHCP. When this option -+# is turned on, the spoofed domains are configured as forward zones in your -+# local validating resolver. -+# -+# - See also security notes on the `validate_connection_provided_zones` option. -+# -+# add_wifi_provided_zones=yes -+# -+# - Domains provided by WiFi connections will be configured as forward zones -+# in your local validating resolver. See the security notice above. -+# -+# add_wifi_provided_zones=no -+# -+# - Domains provided by WiFi connection will be ignored. -+# - add_wifi_provided_zones=no -+ -+# set_search_domains: -+# ------------------- -+# Enable or disable writing of search domains to `/etc/resolv.conf`. -+# -+# set_search_domains=yes - Search domains are written to `/etc/resolv.conf`. -+# -+# set_search_domains=no - Search domains are not written to `/etc/resolv.conf`. -+# -+set_search_domains=no -+ -+# use_private_address_ranges: -+# --------------------------- -+# Enable or disable adding reverse name resolution zones derived from -+# private IP addresses as defined in RFC 1918 and RFC 4193. -+# -+# use_private_address_ranges=yes - Use standard private IP address ranges to build -+# reverse name resolution zones using the global -+# forwarders. -+# -+# use_private_address_ranges=no - Ignore standard IP address ranges. -+use_private_address_ranges=yes diff --git a/dnssec-trigger-0.12-nm-script.patch b/dnssec-trigger-0.12-nm-script.patch deleted file mode 100644 index 9d4275e..0000000 --- a/dnssec-trigger-0.12-nm-script.patch +++ /dev/null @@ -1,557 +0,0 @@ -diff --git a/dnssec-trigger-script.in b/dnssec-trigger-script.in -index b572dd1..830baa9 100644 ---- a/dnssec-trigger-script.in -+++ b/dnssec-trigger-script.in -@@ -6,17 +6,20 @@ - """ - - from gi.repository import NMClient --import os, sys, shutil, subprocess -+import os, sys, fcntl, shutil, glob, subprocess - import logging, logging.handlers - import socket, struct - -+# Python compatibility stuff -+if not hasattr(os, "O_CLOEXEC"): -+ os.O_CLOEXEC = 0x80000 -+ - DEVNULL = open("/dev/null", "wb") - - log = logging.getLogger() - log.setLevel(logging.INFO) - log.addHandler(logging.handlers.SysLogHandler()) --if sys.stderr.isatty(): -- log.addHandler(logging.StreamHandler()) -+log.addHandler(logging.StreamHandler()) - - # NetworkManager reportedly doesn't pass the PATH environment variable. - os.environ['PATH'] = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" -@@ -24,12 +27,40 @@ os.environ['PATH'] = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/b - class UserError(Exception): - pass - -+class Lock: -+ """Lock used to serialize the script""" -+ -+ path = "/var/run/dnssec-trigger/lock" -+ -+ def __init__(self): -+ # We don't use os.makedirs(..., exist_ok=True) to ensure Python 2 compatibility -+ dirname = os.path.dirname(self.path) -+ if not os.path.exists(dirname): -+ os.makedirs(dirname) -+ self.lock = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_CLOEXEC, 0o600) -+ -+ def __enter__(self): -+ fcntl.lockf(self.lock, fcntl.LOCK_EX) -+ -+ def __exit__(self, t, v, tb): -+ fcntl.lockf(self.lock, fcntl.LOCK_UN) -+ - class Config: - """Global configuration options""" - - path = "/etc/dnssec.conf" -- validate_connection_provided_zones = True -- add_wifi_provided_zones = False -+ -+ bool_options = { -+ "debug": False, -+ "validate_connection_provided_zones": True, -+ "add_wifi_provided_zones": False, -+ "use_vpn_global_forwarders": False, -+ "use_resolv_conf_symlink": False, -+ "use_resolv_secure_conf_symlink": False, -+ "use_private_address_ranges": TRUE, -+ "set_search_domains": False, -+ "keep_positive_answers": False, -+ } - - def __init__(self): - try: -@@ -37,35 +68,44 @@ class Config: - for line in config_file: - if '=' in line: - option, value = [part.strip() for part in line.split("=", 1)] -- if option == "validate_connection_provided_zones": -- self.validate_connection_provided_zones = (value == "yes") -- elif option == "add_wifi_provided_zones": -- self.add_wifi_provided_zones = (value == "yes") -+ if option in self.bool_options: -+ self.bool_options[option] = (value == "yes") - except IOError: - pass - log.debug(self) - -- def __repr__(self): -- return "".format(**vars(self)) -+ def __getattr__(self, option): -+ return self.bool_options[option] -+ -+ def __str__(self): -+ return "".format(self.bool_options) -+ -+ @property -+ def flush_command(self): -+ return "flush_negative" if self.keep_positive_answers else "flush_zone" -+ -+config = Config() -+if config.debug: -+ log.setLevel(logging.DEBUG); - - class ConnectionList: - """List of NetworkManager active connections""" - - nm_connections = None - -- def __init__(self, only_default=False, skip_wifi=False): -+ def __init__(self, client, only_default=False, only_vpn=False, skip_wifi=False): - # Cache the active connection list in the class -+ if not client.get_manager_running(): -+ raise UserError("NetworkManager is not running.") - if self.nm_connections is None: -- self.__class__.client = NMClient.Client() -- self.__class__.nm_connections = self.client.get_active_connections() -+ self.__class__.nm_connections = client.get_active_connections() - self.skip_wifi = skip_wifi - self.only_default = only_default -+ self.only_vpn = only_vpn - log.debug(self) - - def __repr__(self): -- if not list(self): -- raise Exception("!!!") -- return "".format(list(self), **vars(self)) -+ return "".format(list(self), **vars(self)) - - def __iter__(self): - for item in self.nm_connections: -@@ -82,6 +122,8 @@ class ConnectionList: - # Skip non-default connections if appropriate - if self.only_default and not connection.is_default: - continue -+ if self.only_vpn and not connection.is_vpn: -+ continue - yield connection - - def get_zone_connection_mapping(self): -@@ -190,10 +232,10 @@ class UnboundZoneConfig: - if fields.pop(0) in ('forward', 'forward:'): - fields.pop(0) - secure = False -- if fields[0] == '+i': -+ if fields and fields[0] == '+i': - secure = True - fields.pop(0) -- self.cache[name] = set(fields[3:]), secure -+ self.cache[name] = set(fields), secure - log.debug(self) - - def __repr__(self): -@@ -216,28 +258,33 @@ class UnboundZoneConfig: - self._commit(zone, None, None) - - def _commit(self, name, servers, secure): -- # Check the list of servers. -+ # FIXME: Older versions of unbound don't print +i for insecure zones -+ # and thus we cannot see whether the zone has changed or not. Therefore -+ # we have no other chance than to re-add existing zones as well. - # -- # Older versions of unbound don't print +i and so we can't distinguish -- # secure and insecure zones properly. Therefore we need to ignore the -- # insecure flag which leads to not being able to switch the zone -- # between secure and insecure unless it's removed or its servers change. -- if self.cache.get(name, [None])[0] == servers: -- log.debug("Connection provided zone '{}' already set to {} ({})".format(name, servers, 'secure' if servers else 'insecure')) -- return -+ # old_servers, old_secure = self.cache.get(name, [None, None]) -+ # if servers, secure == old_servers, old_secure: -+ # log.debug("Connection provided zone '{}' already set to {} ({})".format(name, servers, 'secure' if old_secure else 'insecure')) -+ # return - - if servers: - self.cache[name] = servers, secure - self._control(["forward_add"] + ([] if secure else ["+i"]) + [name] + list(servers)) -+ # Unbound doesn't switch an insecure zone to a secure zone when "+i" is -+ # specified and there is no "-i" to add a secure zone explicitly. -+ if secure: -+ self._control(["insecure_remove", name]) - else: - del self.cache[name] - self._control(["forward_remove", name]) -- self._control(["flush_zone", name]) -+ self._control([config.flush_command, name]) - self._control(["flush_requestlist"]) - - log.debug(self) - -- def _control(self, args): -+ @staticmethod -+ def _control(args): -+ log.debug("unbound-control: {}".format(args)) - subprocess.check_call(["unbound-control"] + args, stdout=DEVNULL, stderr=DEVNULL) - - class Store: -@@ -255,7 +302,7 @@ class Store: - line = line.strip() - if line: - self.cache.add(line) -- except FileNotFoundError: -+ except IOError: - pass - log.debug(self) - -@@ -277,10 +324,16 @@ class Store: - log.debug(self) - - def update(self, zones): -- """Commit a new zone list.""" -+ """Commit a new set of items and return True when it differs""" - -- self.cache = set(zones) -- log.debug(self) -+ zones = set(zones) -+ -+ if zones != self.cache: -+ self.cache = set(zones) -+ log.debug(self) -+ return True -+ -+ return False - - def remove(self, zone): - """Remove zone from the cache.""" -@@ -309,10 +362,29 @@ class GlobalForwarders: - line = line.strip() - if line: - self.cache.add(line) -- except FileNotFoundError: -+ except IOError: - pass - - class Application: -+ resolvconf = "/etc/resolv.conf" -+ resolvconf_tmp = "/etc/.resolv.conf.dnssec-trigger" -+ resolvconf_secure = "/etc/resolv-secure.conf" -+ resolvconf_secure_tmp = "/etc/.resolv-secure.conf.dnssec-trigger" -+ resolvconf_backup = "/var/run/dnssec-trigger/resolv.conf.backup" -+ resolvconf_trigger = "/var/run/dnssec-trigger/resolv.conf" -+ resolvconf_trigger_tmp = resolvconf_trigger + ".tmp" -+ resolvconf_networkmanager = "/var/run/NetworkManager/resolv.conf" -+ -+ resolvconf_localhost_contents = "# Generated by dnssec-trigger-script\nnameserver 127.0.0.1\n" -+ -+ rfc1918_reverse_zones = [ -+ "c.f.ip6.arpa", -+ "d.f.ip6.arpa", -+ "168.192.in-addr.arpa", -+ ] + ["{}.172.in-addr.arpa".format(octet) for octet in range(16, 32)] + [ -+ "10.in-addr.arpa", -+ ] if config.use_private_address_ranges else [] -+ - def __init__(self, argv): - if len(argv) > 1 and argv[1] == '--debug': - argv.pop(1) -@@ -327,108 +399,246 @@ class Application: - self.method = getattr(self, "run_" + argv[1][2:].replace('-', '_')) - except AttributeError: - self.usage() -- self.config = Config() -+ -+ self.client = NMClient.Client() - - def nm_handles_resolv_conf(self): -- if subprocess.call(["pidof", "NetworkManager"], stdout=DEVNULL, stderr=DEVNULL) != 0: -+ if not self.client.get_manager_running(): -+ log.debug("NetworkManager is not running") - return False - try: - with open("/etc/NetworkManager/NetworkManager.conf") as nm_config_file: - for line in nm_config_file: -- if line.strip == "dns=none": -+ if line.strip() in ("dns=none", "dns=unbound"): -+ log.debug("NetworkManager doesn't handle resolv.conf") - return False - except IOError: - pass -+ log.debug("NetworkManager handles resolv.conf") - return True - - def usage(self): -- raise UserError("Usage: dnssec-trigger-script [--debug] [--async] --prepare|--update|--update-global-forwarders|--update-connection-zones|--cleanup") -+ raise UserError("Usage: dnssec-trigger-script [--debug] [--async] --prepare|--setup|--update|--update-global-forwarders|--update-connection-zones|--cleanup") - - def run(self): - log.debug("Running: {}".format(self.method.__name__)) - self.method() - -+ def _check_resolv_conf(self, path): -+ try: -+ with open(path) as source: -+ if source.read() != self.resolvconf_localhost_contents: -+ log.info("Rewriting {!r}!".format(path)) -+ return False; -+ return True -+ except IOError: -+ return False -+ -+ def _write_resolv_conf(self, path): -+ self._try_remove(path) -+ with open(path, "w") as target: -+ target.write(self.resolvconf_localhost_contents) -+ -+ def _install_resolv_conf(self, path, path_tmp, symlink=False): -+ if symlink: -+ self._try_remove(path_tmp) -+ os.symlink(self.resolvconf_trigger, path_tmp) -+ self._try_set_mutable(path) -+ os.rename(path_tmp, path) -+ elif not self._check_resolv_conf(path): -+ self._write_resolv_conf(path_tmp) -+ self._try_set_mutable(path) -+ os.rename(path_tmp, path) -+ self._try_set_immutable(path) -+ -+ def _try_remove(self, path): -+ self._try_set_mutable(path) -+ try: -+ os.remove(path) -+ except OSError: -+ pass -+ -+ def _try_set_immutable(self, path): -+ subprocess.call(["chattr", "+i", path]) -+ -+ def _try_set_mutable(self, path): -+ if os.path.exists(path) and not os.path.islink(path): -+ subprocess.call(["chattr", "-i", path]) -+ - def run_prepare(self): -- """Prepare for dnssec-trigger.""" -+ """Prepare for starting dnssec-trigger - -+ Called by the service manager before starting dnssec-trigger daemon. -+ """ -+ -+ # Backup resolv.conf when appropriate - if not self.nm_handles_resolv_conf(): -- log.info("Backing up /etc/resolv.conf") -- shutil.copy("/etc/resolv.conf", "/var/run/dnssec-trigger/resolv.conf.bak") -+ try: -+ log.info("Backing up {} as {}...".format(self.resolvconf, self.resolvconf_backup)) -+ shutil.move(self.resolvconf, self.resolvconf_backup) -+ except IOError as error: -+ log.warning("Cannot back up {!r} as {!r}: {}".format(self.resolvconf, self.resolvconf_backup, error.strerror)) -+ -+ # Make sure dnssec-trigger daemon doesn't get confused by existing files. -+ self._try_remove(self.resolvconf) -+ self._try_remove(self.resolvconf_secure) -+ self._try_remove(self.resolvconf_trigger) -+ -+ def run_setup(self): -+ """Set up resolv.conf with localhost nameserver -+ -+ Called by dnssec-trigger. -+ """ -+ -+ if config.add_search_domains: -+ zones = set(sum((connection.zones for connection in ConnectionList(self.client)), [])) -+ log.info("Search domains: " + ' '.join(zones)) -+ self.resolvconf_localhost_contents = self.__class__.resolvconf_localhost_contents -+ self.resolvconf_localhost_contents += "search {}\n".format(' '.join(zones)) -+ -+ self._install_resolv_conf(self.resolvconf_trigger, self.resolvconf_trigger_tmp, False) -+ self._install_resolv_conf(self.resolvconf, self.resolvconf_tmp, config.use_resolv_conf_symlink) -+ self._install_resolv_conf(self.resolvconf_secure, self.resolvconf_secure_tmp, config.use_resolv_secure_conf_symlink) -+ -+ def run_restore(self): -+ """Restore resolv.conf with original data -+ -+ Called by dnssec-trigger or internally as part of other actions. -+ """ -+ -+ self._try_remove(self.resolvconf) -+ self._try_remove(self.resolvconf_secure) -+ self._try_remove(self.resolvconf_trigger) -+ -+ log.info("Recovering {}...".format(self.resolvconf)) -+ if self.nm_handles_resolv_conf(): -+ if os.path.exists(self.resolvconf_networkmanager): -+ os.symlink(self.resolvconf_networkmanager, self.resolvconf) -+ elif os.path.exists("/sys/fs/cgroup/systemd"): -+ subprocess.check_call(["systemctl", "--ignore-dependencies", "try-restart", "NetworkManager.service"]) -+ else: -+ subprocess.check_call(["/etc/init.d/NetworkManager", "restart"]) -+ else: -+ try: -+ shutil.move(self.resolvconf_backup, self.resolvconf) -+ except IOError as error: -+ log.warning("Cannot restore {!r} from {!r}: {}".format(self.resolvconf, self.resolvconf_backup, error.strerror)) - - def run_cleanup(self): -- """Clean up after dnssec-trigger.""" -+ """Clean up after dnssec-trigger daemon -+ -+ Called by the service manager after stopping dnssec-trigger daemon. -+ """ -+ -+ self.run_restore() - - stored_zones = Store('zones') -+ stored_servers = Store('servers') - unbound_zones = UnboundZoneConfig() - -+ # provide upgrade path for previous versions -+ old_zones = glob.glob("/var/run/dnssec-trigger/????????-????-????-????-????????????") -+ if old_zones: -+ log.info("Reading zones from the legacy zone store") -+ with open("/var/run/dnssec-trigger/zones", "a") as target: -+ for filename in old_zones: -+ with open(filename) as source: -+ log.debug("Reading zones from {}".format(filename)) -+ for line in source: -+ stored_zones.add(line.strip()) -+ os.remove(filename) -+ - log.debug("clearing unbound configuration") - for zone in stored_zones: - unbound_zones.remove(zone) - stored_zones.remove(zone) -+ for server in stored_servers: -+ stored_servers.remove(server) - stored_zones.commit() -+ stored_servers.commit() - -- log.debug("recovering /etc/resolv.conf") -- subprocess.check_call(["chattr", "-i", "/etc/resolv.conf"]) -- if not self.nm_handles_resolv_conf(): -- shutil.copy("/var/run/dnssec-trigger/resolv.conf.bak", "/etc/resolv.conf") -- # NetworkManager currently doesn't support explicit /etc/resolv.conf -- # write out. For now we simply restart the daemon. -- elif os.path.exists("/sys/fs/cgroup/systemd"): -- subprocess.check_call(["systemctl", "try-restart", "NetworkManager.service"]) -- else: -- subprocess.check_call(["/etc/init.d/NetworkManager", "restart"]) -+ @property -+ def global_forwarders(self): -+ connections = None -+ if config.use_vpn_global_forwarders: -+ connections = list(ConnectionList(self.client, only_vpn=True)) -+ if not connections: -+ connections = list(ConnectionList(self.client, only_default=True)) -+ -+ return sum((connection.servers for connection in connections), []) - - def run_update(self): -+ """Update unbound and dnssec-trigger configuration.""" -+ - self.run_update_global_forwarders() - self.run_update_connection_zones() - -+ @staticmethod -+ def dnssec_trigger_control(args): -+ log.debug("dnssec-trigger-control: {}".format(args)) -+ subprocess.check_call(["dnssec-trigger-control"] + args, stdout=DEVNULL, stderr=DEVNULL) -+ - def run_update_global_forwarders(self): - """Configure global forwarders using dnssec-trigger-control.""" - -- subprocess.check_call(["dnssec-trigger-control", "status"], stdout=DEVNULL, stderr=DEVNULL) -+ with Lock(): -+ self.dnssec_trigger_control(["status"]) - -- default_connections = ConnectionList(only_default=True) -- servers = Store('servers') -+ servers = Store('servers') - -- if servers.update(sum((connection.servers for connection in default_connections), [])): -- subprocess.check_call(["unbound-control", "flush_zone", "."]) -- subprocess.check_call(["dnssec-trigger-control", "submit"] + list(servers)) -- servers.commit() -- log.info("Global forwarders: {}".format(' '.join(servers))) -+ if servers.update(self.global_forwarders): -+ UnboundZoneConfig._control([config.flush_command, "."]) -+ self.dnssec_trigger_control(["submit"] + list(servers)) -+ servers.commit() -+ log.info("Global forwarders: {}".format(' '.join(servers))) -+ else: -+ log.info("Global forwarders: {} (unchanged)".format(' '.join(servers))) - - def run_update_connection_zones(self): - """Configures forward zones in the unbound using unbound-control.""" - -- connections = ConnectionList(skip_wifi=not self.config.add_wifi_provided_zones).get_zone_connection_mapping() -- unbound_zones = UnboundZoneConfig() -- stored_zones = Store('zones') -- -- # The purpose of the zone store is to keep the list of Unbound zones -- # that are managed by dnssec-trigger-script. We don't want to track -- # zones accoss Unbound restarts. We want to clear any Unbound zones -- # that are no longer active in NetworkManager. -- log.debug("removing stored zones not present in both unbound and an active connection") -- for zone in stored_zones: -- if zone not in unbound_zones: -- stored_zones.remove(zone) -- elif zone not in connections: -- unbound_zones.remove(zone) -- stored_zones.remove(zone) -- -- # We need to install zones that are not yet in Unbound. We also need to -- # reinstall zones that are already managed by dnssec-trigger in case their -- # list of nameservers was changed. -- # -- # TODO: In some cases, we don't seem to flush Unbound cache properly, -- # even when Unbound is restarted (and dnssec-trigger as well, because -- # of dependency). -- log.debug("installing connection provided zones") -- for zone in connections: -- if zone in stored_zones or zone not in unbound_zones: -- unbound_zones.add(zone, connections[zone].servers, secure=self.config.validate_connection_provided_zones) -- stored_zones.add(zone) -- -- stored_zones.commit() -+ with Lock(): -+ connections = ConnectionList(self.client, skip_wifi=not config.add_wifi_provided_zones).get_zone_connection_mapping() -+ unbound_zones = UnboundZoneConfig() -+ stored_zones = Store('zones') -+ -+ # Remove any zones managed by dnssec-trigger that are no longer -+ # valid. -+ log.debug("removing zones that are no longer valid") -+ for zone in stored_zones: -+ # Remove all zones that are not in connections except those for -+ # reverse name resolution of private addresses. -+ if zone not in connections and zone not in self.rfc1918_reverse_zones: -+ if zone in unbound_zones: -+ unbound_zones.remove(zone) -+ stored_zones.remove(zone) -+ -+ # Install all zones coming from connections except those installed -+ # by other means than dnssec-trigger-script. -+ log.debug("installing connection provided zones") -+ for zone in connections: -+ # Reinstall a known zone or install a new zone. -+ if zone in stored_zones or zone not in unbound_zones: -+ unbound_zones.add(zone, connections[zone].servers, secure=config.validate_connection_provided_zones) -+ stored_zones.add(zone) -+ -+ # Install zones for reverse name resolution of private addresses -+ # except those already provided by connections and those installed -+ # by other means than dnssec-trigger-script. -+ if self.rfc1918_reverse_zones: -+ log.debug("adding RFC 1918 private zones not present in unbound or connections") -+ global_forwarders = self.global_forwarders -+ for zone in self.rfc1918_reverse_zones: -+ # Ignore a connection provided zone as it's been already -+ # processed. -+ if zone in connections: -+ continue -+ # Reinstall a known zone or install a new zone. -+ if zone in stored_zones or zone not in unbound_zones: -+ unbound_zones.add(zone, global_forwarders, secure=False) -+ stored_zones.add(zone) -+ -+ stored_zones.commit() - - if __name__ == "__main__": - try: diff --git a/dnssec-trigger-0.12-probe.patch b/dnssec-trigger-0.12-probe.patch deleted file mode 100644 index ea2611b..0000000 --- a/dnssec-trigger-0.12-probe.patch +++ /dev/null @@ -1,39 +0,0 @@ -diff --git a/riggerd/probe.c b/riggerd/probe.c -index b521b09..dcd83dd 100644 ---- a/riggerd/probe.c -+++ b/riggerd/probe.c -@@ -156,7 +156,7 @@ get_random_dest(void) - static const char* - get_random_nsec3_dest(void) - { -- const char* choices[] = { "com.", "uk.", "nl.", "de." }; -+ const char* choices[] = { "_probe.us.com.", "_probe.uk.com.", "_probe.kr.com.", "_probe.uk.net." }; - return choices[ ldns_get_random() % 4 ]; - } - -@@ -172,7 +172,7 @@ get_random_auth_ip4(void) - "198.41.0.4", /* a */ - "192.228.79.201", /* b */ - "192.33.4.12", /* c */ -- "128.8.10.90", /* d */ -+ "199.7.91.13", /* d */ - "192.203.230.10", /* e */ - "192.5.5.241", /* f */ - "192.112.36.4", /* g */ -@@ -193,6 +193,7 @@ get_random_auth_ip6(void) - /* list of root servers */ - const char* choices[] = { - "2001:503:ba3e::2:30", /* a */ -+ "2001:500:2::c", /* c */ - "2001:500:2d::d", /* d */ - "2001:500:2f::f", /* f */ - "2001:500:1::803f:235", /* h */ -@@ -202,7 +203,7 @@ get_random_auth_ip6(void) - "2001:500:3::42", /* l */ - "2001:dc3::35" /* m */ - }; -- return choices[ ldns_get_random() % 9 ]; -+ return choices[ ldns_get_random() % 10 ]; - } - - static const char* get_random_tcp80_ip4(struct cfg* cfg) diff --git a/dnssec-trigger-0.12-reshook.patch b/dnssec-trigger-0.12-reshook.patch deleted file mode 100644 index 52f5518..0000000 --- a/dnssec-trigger-0.12-reshook.patch +++ /dev/null @@ -1,34 +0,0 @@ -diff --git a/riggerd/reshook.c b/riggerd/reshook.c -index c5e6250..f35d4af 100644 ---- a/riggerd/reshook.c -+++ b/riggerd/reshook.c -@@ -256,6 +256,9 @@ void hook_resolv_localhost(struct cfg* cfg) - win_set_resolv("127.0.0.1"); - #else /* not on windows */ - # ifndef HOOKS_OSX /* on Linux/BSD */ -+ if (system("/usr/libexec/dnssec-trigger-script --setup") == 0) -+ return; -+ - if(really_set_to_localhost(cfg)) { - /* already done, do not do it again, that would open - * a brief moment of mutable resolv.conf */ -@@ -281,6 +284,9 @@ void hook_resolv_iplist(struct cfg* cfg, struct probe_ip* list) - #if defined(HOOKS_OSX) || defined(USE_WINSOCK) - char iplist[10240]; - iplist[0] = 0; -+#else -+ if (system("/usr/libexec/dnssec-trigger-script --restore") == 0) -+ return; - #endif - set_to_localhost = 0; - if(cfg->noaction) -@@ -323,7 +329,8 @@ void hook_resolv_flush(struct cfg* cfg) - (void)cfg; - #ifdef HOOKS_OSX - /* dscacheutil on 10.5 an later, lookupd before that */ -- system("dscacheutil -flushcache || lookupd -flushcache"); -+ system("dscacheutil -flushcache || lookupd -flushcache || discoveryutil udnsflushcaches"); -+ system("discoveryutil mdnsflushcache"); - #elif defined(USE_WINSOCK) - win_run_cmd("ipconfig /flushdns"); - #else diff --git a/dnssec-trigger-0.12-script-fixes-python-key-length.patch b/dnssec-trigger-0.12-script-fixes-python-key-length.patch deleted file mode 100644 index 334c637..0000000 --- a/dnssec-trigger-0.12-script-fixes-python-key-length.patch +++ /dev/null @@ -1,227 +0,0 @@ -From 47323af3dfd5afe38ebd90f550ad5d7dc078e860 Mon Sep 17 00:00:00 2001 -From: wouter -Date: Thu, 12 Mar 2015 15:37:44 +0000 -Subject: [PATCH] - Patches from Tomas Hozza (7): dnssec-trigger-script: - Fix wrong default value in configuration dnssec-trigger-script: Fix - formatting errors dnssec-trigger-script: Remove unused class Allow - to select the default Python interpretter during build Fix - 01-dnssec-trigger NOT to hardcode shell path dnssec-trigger-script: Fix - typo when adding search domains dnssec-trigger-control-setup: Use 3072 - bit keys - -git-svn-id: http://www.nlnetlabs.nl/svn/dnssec-trigger/trunk@693 14dc9c71-5cc2-e011-b339-0019d10b89f4 ---- - 01-dnssec-trigger.in | 2 +- - Changelog | 10 ++++++++++ - Makefile.in | 3 +++ - config.h.in | 3 +++ - configure | 25 +++++++++++++++++++++++++ - configure.ac | 10 ++++++++++ - dnssec-trigger-control-setup.sh.in | 4 +++- - dnssec-trigger-script.in | 21 +++++---------------- - 8 files changed, 60 insertions(+), 18 deletions(-) - -diff --git a/01-dnssec-trigger.in b/01-dnssec-trigger.in -index f410723..8ece20e 100644 ---- a/01-dnssec-trigger.in -+++ b/01-dnssec-trigger.in -@@ -1,4 +1,4 @@ --#!/bin/sh -+#!0SHELL0 - # - # Script to notify dnssec-trigger that the DNS configuration in NetworkManager - # may have changed. -diff --git a/Makefile.in b/Makefile.in -index 8d4de79..5b356fc 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -20,6 +20,7 @@ endif - - SHELL=@SHELL@ - VERSION=@PACKAGE_VERSION@ -+PYTHON=@PYTHON@ - srcdir=@srcdir@ - prefix=@prefix@ - exec_prefix=@exec_prefix@ -@@ -223,6 +225,7 @@ networkmanager-hook: 01-dnssec-trigger dnssec-trigger-script - - dnssec-trigger-script: $(srcdir)/dnssec-trigger-script.in Makefile - cp $< $@ -+ sed -e 's?0PYTHON0?$(PYTHON)?' < $(srcdir)/dnssec-trigger-script.in > $@ - chmod +x $@ - - osx/RiggerStatusItem/log.c: $(srcdir)/riggerd/log.c osx/RiggerStatusItem -diff --git a/config.h.in b/config.h.in -index e79b245..022d056 100644 ---- a/config.h.in -+++ b/config.h.in -@@ -258,6 +258,9 @@ - /* default pidfile name for dnssec-trigger */ - #undef PIDFILE - -+/* default Python interpreter path for all Python scripts */ -+#undef PYTHON -+ - /* Define as the return type of signal handlers (`int' or `void'). */ - #undef RETSIGTYPE - -diff --git a/configure b/configure -index 2082a49..a53d6b2 100755 ---- a/configure -+++ b/configure -@@ -626,6 +626,7 @@ DATE - LDNSLIBS - ldnsdir - unbound_control_path -+PYTHON - pidfile - configfile - uidir -@@ -718,6 +719,7 @@ with_keydir - with_uidir - with_configfile - with_pidfile -+with_python - with_unbound_control - with_ldns - enable_rpath -@@ -1383,6 +1385,8 @@ Optional Packages: - keydir/dnssec-trigger.conf - --with-pidfile=path set the pidfile to use, default - /var/run/dnssec-trigger.pid -+ --with-python=path set the path to Python interpreter to use for Python -+ scripts, defaults /usr/bin/python - --with-unbound-control=path - set the unbound-control to use, default what - configure finds in its path -@@ -7336,6 +7340,27 @@ _ACEOF - - - -+# Check whether --with-python was given. -+if test "${with_python+set}" = set; then : -+ withval=$with_python; -+else -+ withval="" -+fi -+ -+PYTHON="/usr/bin/python" -+if test -n "$withval"; then -+ PYTHON="$withval" -+fi -+python_esc="`echo $PYTHON | sed -e 's/\\\\/\\\\\\\\/g'`" -+ -+ -+cat >>confdefs.h <<_ACEOF -+#define PYTHON "$python_esc" -+_ACEOF -+ -+ -+ -+ - # Check whether --with-unbound-control was given. - if test "${with_unbound_control+set}" = set; then : - withval=$with_unbound_control; -diff --git a/configure.ac b/configure.ac -index 1f9967b..4c1c716 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -504,6 +504,16 @@ ACX_ESCAPE_BACKSLASH($pidfile, pidfile_esc) - AC_DEFINE_UNQUOTED([PIDFILE], ["$pidfile_esc"], [default pidfile name for dnssec-trigger]) - AC_SUBST(pidfile) - -+AC_ARG_WITH([python], AC_HELP_STRING([--with-python=path], -+[set the path to Python interpreter to use for Python scripts, defaults /usr/bin/python]),, withval="") -+PYTHON="/usr/bin/python" -+if test -n "$withval"; then -+ PYTHON="$withval" -+fi -+ACX_ESCAPE_BACKSLASH($PYTHON, python_esc) -+AC_DEFINE_UNQUOTED([PYTHON], ["$python_esc"], [default Python interpreter path for all Python scripts]) -+AC_SUBST(PYTHON) -+ - AC_ARG_WITH([unbound-control], AC_HELP_STRING([--with-unbound-control=path], - [set the unbound-control to use, default what configure finds in its path]),, withval="") - AC_MSG_CHECKING([for unbound-control]) -diff --git a/dnssec-trigger-control-setup.sh.in b/dnssec-trigger-control-setup.sh.in -index 7d0387a..7cc305a 100644 ---- a/dnssec-trigger-control-setup.sh.in -+++ b/dnssec-trigger-control-setup.sh.in -@@ -48,7 +48,9 @@ CLIENTNAME=dnssec-trigger-control - DAYS=7200 - - # size of keys in bits --BITS=1536 -+# recommendation for new systems is to use at least 3072 bits -+# http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report -+BITS=3072 - - # hash algorithm - HASH=sha256 -diff --git a/dnssec-trigger-script.in b/dnssec-trigger-script.in -index 830baa9..7bf6c2e 100644 ---- a/dnssec-trigger-script.in -+++ b/dnssec-trigger-script.in -@@ -1,4 +1,4 @@ --#!/usr/bin/python -+#!0PYTHON0 - # -*- coding: utf-8 -*- - """ - @author: Tomas Hozza -@@ -57,7 +57,7 @@ class Config: - "use_vpn_global_forwarders": False, - "use_resolv_conf_symlink": False, - "use_resolv_secure_conf_symlink": False, -- "use_private_address_ranges": TRUE, -+ "use_private_address_ranges": True, - "set_search_domains": False, - "keep_positive_answers": False, - } -@@ -86,7 +86,7 @@ class Config: - - config = Config() - if config.debug: -- log.setLevel(logging.DEBUG); -+ log.setLevel(logging.DEBUG) - - class ConnectionList: - """List of NetworkManager active connections""" -@@ -186,7 +186,7 @@ class Connection: - pass - try: - self.servers += [self.ip6_to_str(connection.get_ip6_config().get_nameserver(i)) -- for i in range(connection.get_ip6_config().get_num_nameservers())] -+ for i in range(connection.get_ip6_config().get_num_nameservers())] - except AttributeError: - pass - -@@ -353,17 +353,6 @@ class Store: - zone_file.write("{}\n".format(zone)) - os.rename(self.path_tmp, self.path) - --class GlobalForwarders: -- def __init__(self): -- self.cache = set() -- try: -- with open(self.path) as zone_file: -- for line in zone_file: -- line = line.strip() -- if line: -- self.cache.add(line) -- except IOError: -- pass - - class Application: - resolvconf = "/etc/resolv.conf" -@@ -490,7 +479,7 @@ class Application: - Called by dnssec-trigger. - """ - -- if config.add_search_domains: -+ if config.set_search_domains: - zones = set(sum((connection.zones for connection in ConnectionList(self.client)), [])) - log.info("Search domains: " + ' '.join(zones)) - self.resolvconf_localhost_contents = self.__class__.resolvconf_localhost_contents --- -2.1.0 - diff --git a/dnssec-trigger-0.12-service.patch b/dnssec-trigger-0.12-service.patch deleted file mode 100644 index c731d47..0000000 --- a/dnssec-trigger-0.12-service.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/dnssec-triggerd.service b/dnssec-triggerd.service -index db6af13..f2a37ca 100644 ---- a/dnssec-triggerd.service -+++ b/dnssec-triggerd.service -@@ -1,6 +1,6 @@ - [Unit] - Description=Reconfigure local DNSSEC resolver on connectivity changes --After=unbound.service dnssec-triggerd-keygen.service -+After=NetworkManager.service unbound.service dnssec-triggerd-keygen.service - Requires=unbound.service - Wants=dnssec-triggerd-keygen.service - diff --git a/dnssec-trigger.spec b/dnssec-trigger.spec index 10be5e4..ec637d2 100644 --- a/dnssec-trigger.spec +++ b/dnssec-trigger.spec @@ -1,54 +1,23 @@ %global _hardened_build 1 +%global svn_snapshot 20150714 + Summary: NetworkManager plugin to update/reconfigure DNSSEC resolving Name: dnssec-trigger -Version: 0.12 -Release: 21%{?dist} +Version: 0.13 +Release: 0.1%{?svn_snapshot:.%{svn_snapshot}svn}%{?dist} License: BSD Url: http://www.nlnetlabs.nl/downloads/dnssec-trigger/ +%if 0%{?svn_snapshot:1} +# generated using './makedist.sh -s' in the cloned upstream trunk +Source0: %{name}-%{version}_%{svn_snapshot}.tar.gz +%else Source0: http://www.nlnetlabs.nl/downloads/dnssec-trigger/%{name}-%{version}.tar.gz +%endif Source1: dnssec-trigger.conf Source2: dnssec-trigger.tmpfiles.d -# Most patches are just diffs of specific files between 0.12 release and the -# current upstream head. Sometimes the patch also includes code that has just -# been submitted upstream. - -# Upstream often squashes our patches so it's more practical to use just one -# patch. Please don't forget to submit the changes to upstream before -# updating the patch. -# -# https://bugzilla.redhat.com/show_bug.cgi?id=1100794 -# https://bugzilla.redhat.com/show_bug.cgi?id=1100796 -# https://bugzilla.redhat.com/show_bug.cgi?id=1105896 -# https://bugzilla.redhat.com/show_bug.cgi?id=842455 -# https://bugzilla.redhat.com/show_bug.cgi?id=1111143 -# https://bugzilla.redhat.com/show_bug.cgi?id=1112248 -# https://bugzilla.redhat.com/show_bug.cgi?id=1165126 -# https://bugzilla.redhat.com/show_bug.cgi?id=1125267 -# https://bugzilla.redhat.com/show_bug.cgi?id=1089766 -# https://bugzilla.redhat.com/show_bug.cgi?id=1183975 -# https://bugzilla.redhat.com/show_bug.cgi?id=1185796 -# https://bugzilla.redhat.com/show_bug.cgi?id=1130502 -# https://bugzilla.redhat.com/show_bug.cgi?id=1105685 -# https://bugzilla.redhat.com/show_bug.cgi?id=1128310 -Patch2: dnssec-trigger-0.12-nm-script.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1112248 -Patch3: dnssec-trigger-0.12-service.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1165126 -# https://bugzilla.redhat.com/show_bug.cgi?id=1125267 -Patch4: dnssec-trigger-0.12-reshook.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=824219 -Patch5: dnssec-trigger-0.12-probe.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1130502 -# https://bugzilla.redhat.com/show_bug.cgi?id=1128310 -Patch6: dnssec-trigger-0.12-dnssec-conf.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1187371 + other fixes -Patch7: dnssec-trigger-0.12-script-fixes-python-key-length.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1205864 -Patch8: dnssec-trigger-0.12-bz1205864.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1128310 -Patch9: dnssec-trigger-0.12-bz1128310-v2.patch +# Patches Requires(postun): initscripts Requires: ldns >= 1.6.10, NetworkManager-glib, unbound, xdg-utils @@ -81,20 +50,12 @@ own AUTH queries if that fails, and if that fails prompt the user via dnssec-trigger-applet the option to go with insecure DNS only. %prep -%setup -q +%setup -q %{?svn_snapshot:-n %{name}-%{version}_%{svn_snapshot}} + # Fixup the name to not include "panel" in the menu item or name sed -i "s/ Panel//" panel/dnssec-trigger-panel.desktop.in sed -i "s/-panel//" panel/dnssec-trigger-panel.desktop.in -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 - # don't use DNSSEC for forward zones for now sed -i "s/validate_connection_provided_zones=yes/validate_connection_provided_zones=no/" dnssec.conf @@ -174,6 +135,13 @@ fi %systemd_postun_with_restart %{name}d.service %changelog +* Tue Jul 14 2015 Tomas Hozza - 0.13-0.1.20150714svn +- rebase to the latest svn trunk snapshot 0.13_20150714 +- Script is not searching local user directories any more (#1213062) +- Script now doesn't restart NM if version is >= 1.0.3, but sends just signal +- Script now specifies the NMClient version for GI (#1242430) +- Script now sets negative-cache-ttl in unbound to 5 seconds (#1229596) + * Wed Jun 17 2015 Fedora Release Engineering - 0.12-21 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild diff --git a/sources b/sources index 26bb275..01a1db1 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -811b14e79b97defcff17ea4d58325b2b dnssec-trigger-0.12.tar.gz +8eef1982013b95fbba6f633f7340b2be dnssec-trigger-0.13_20150714.tar.gz