diff --git a/.gitignore b/.gitignore
index ce77334..3550079 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@
 /dnssec-trigger-0.12.tar.gz
 /dnssec-trigger-0.13_20150714.tar.gz
 /dnssec-trigger-0.13.tar.gz
+/dnssec-trigger-0.15.tar.gz
diff --git a/dnssec-trigger-0.13-hints-update.patch b/dnssec-trigger-0.13-hints-update.patch
deleted file mode 100644
index 349105b..0000000
--- a/dnssec-trigger-0.13-hints-update.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From fab878a1eba7221c718b74b47ac74fc67066ee57 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
-Date: Fri, 18 Aug 2017 12:04:14 +0200
-Subject: [PATCH 2/2] Update root servers IPs
-
----
- riggerd/probe.c | 11 +++++++----
- 1 file changed, 7 insertions(+), 4 deletions(-)
-
-diff --git a/riggerd/probe.c b/riggerd/probe.c
-index a443d5f..262e618 100644
---- a/riggerd/probe.c
-+++ b/riggerd/probe.c
-@@ -176,7 +176,7 @@ get_random_auth_ip4(void)
- "192.203.230.10", /* e */
- "192.5.5.241", /* f */
- "192.112.36.4", /* g */
-- "128.63.2.53", /* h */
-+ "198.97.190.53", /* h */
- "192.36.148.17", /* i */
- "192.58.128.30", /* j */
- "193.0.14.129", /* k */
-@@ -193,17 +193,20 @@ get_random_auth_ip6(void)
- /* list of root servers */
- const char* choices[] = {
- "2001:503:ba3e::2:30", /* a */
-+ "2001:500:200::b", /* b */
- "2001:500:2::c", /* c */
- "2001:500:2d::d", /* d */
-+ "2001:500:a8::e", /* e */
- "2001:500:2f::f", /* f */
-- "2001:500:1::803f:235", /* h */
-+ "2001:500:12::d0d", /* g */
-+ "2001:500:1::53", /* h */
- "2001:7fe::53", /* i */
- "2001:503:c27::2:30", /* j */
- "2001:7fd::1", /* k */
-- "2001:500:3::42", /* l */
-+ "2001:500:9f::42", /* l */
- "2001:dc3::35" /* m */
- };
-- return choices[ ldns_get_random() % 10 ];
-+ return choices[ ldns_get_random() % 13 ];
- }
-
- static const char* get_random_tcp80_ip4(struct cfg* cfg)
---
-2.9.5
-
diff --git a/dnssec-trigger-0.13-openssl-1.1.0-fixup.patch b/dnssec-trigger-0.13-openssl-1.1.0-fixup.patch
deleted file mode 100644
index d84ad7e..0000000
--- a/dnssec-trigger-0.13-openssl-1.1.0-fixup.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 2fcc4bce2043149074bcf09fcb8ee3a0c7bc2348 Mon Sep 17 00:00:00 2001
-From: Sebastian Andrzej Siewior
-Date: Mon, 7 Nov 2016 20:59:11 +0000
-Subject: [PATCH 1/8] dnssec-trigger: openssl 1.1.0 fixup
-
-- SSL_OP_NO_SSLv2 / SSLv2 has been removed from openssl 1.1.0 and as
- such it can't be tested (the way it is) if disabling it worked.
-
-Signed-off-by: Sebastian Andrzej Siewior
----
- riggerd/cfg.c | 2 ++
- riggerd/net_help.c | 2 ++
- riggerd/svr.c | 2 ++
- 3 files changed, 6 insertions(+)
-
-diff --git a/riggerd/cfg.c b/riggerd/cfg.c
-index 03f4f73..08b2028 100644
---- a/riggerd/cfg.c
-+++ b/riggerd/cfg.c
-@@ -540,9 +540,11 @@ cfg_setup_ctx_client(struct cfg* cfg, char* err, size_t errlen)
- if(!ctx)
- return ctx_err_ret(ctx, err, errlen,
- "could not allocate SSL_CTX pointer");
-+#if OPENSSL_VERSION_NUMBER < 0x10100000
- if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2))
- return ctx_err_ret(ctx, err, errlen,
- "could not set SSL_OP_NO_SSLv2");
-+#endif
- if(!SSL_CTX_use_certificate_file(ctx,c_cert,SSL_FILETYPE_PEM) ||
- !SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)
- || !SSL_CTX_check_private_key(ctx))
-diff --git a/riggerd/net_help.c b/riggerd/net_help.c
-index 0f0d1d0..c469894 100644
---- a/riggerd/net_help.c
-+++ b/riggerd/net_help.c
-@@ -447,11 +447,13 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
- return NULL;
- }
- /* no SSLv2 because has defects */
-+#if OPENSSL_VERSION_NUMBER < 0x10100000
- if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){
- log_crypto_err("could not set SSL_OP_NO_SSLv2");
- SSL_CTX_free(ctx);
- return NULL;
- }
-+#endif
- if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) {
- log_err("error for cert file: %s", pem);
- log_crypto_err("error in SSL_CTX use_certificate_file");
-diff --git a/riggerd/svr.c b/riggerd/svr.c
-index 272dc2e..e7e618f 100644
---- a/riggerd/svr.c
-+++ b/riggerd/svr.c
-@@ -162,10 +162,12 @@ static int
setup_ssl_ctx(struct svr* s) - return 0; - } - /* no SSLv2 because has defects */ -+#if OPENSSL_VERSION_NUMBER < 0x10100000 - if(!(SSL_CTX_set_options(s->ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){ - log_crypto_err("could not set SSL_OP_NO_SSLv2"); - return 0; - } -+#endif - s_cert = s->cfg->server_cert_file; - s_key = s->cfg->server_key_file; - verbose(VERB_ALGO, "setup SSL certificates"); --- -2.7.4 - diff --git a/dnssec-trigger-0.13-remove-kr.com-probe.patch b/dnssec-trigger-0.13-remove-kr.com-probe.patch deleted file mode 100644 index a3eec65..0000000 --- a/dnssec-trigger-0.13-remove-kr.com-probe.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 3ad04ca4b4080e314b9ea05c577e8bfe5e88804f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= -Date: Fri, 18 Aug 2017 12:00:20 +0200 -Subject: [PATCH 1/2] Remove kr.com because of DNSSEC failures - ---- - riggerd/probe.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/riggerd/probe.c b/riggerd/probe.c -index dcd83dd..a443d5f 100644 ---- a/riggerd/probe.c -+++ b/riggerd/probe.c -@@ -156,8 +156,8 @@ get_random_dest(void) - static const char* - get_random_nsec3_dest(void) - { -- const char* choices[] = { "_probe.us.com.", "_probe.uk.com.", "_probe.kr.com.", "_probe.uk.net." }; -- return choices[ ldns_get_random() % 4 ]; -+ const char* choices[] = { "_probe.us.com.", "_probe.uk.com.", "_probe.uk.net." }; -+ return choices[ ldns_get_random() % 3 ]; - } - - /** the NSEC3 qtype to elicit it (a nodata answer) */ --- -2.9.5 - diff --git a/dnssec-trigger.spec b/dnssec-trigger.spec index c666f9b..953ff2e 100644 --- a/dnssec-trigger.spec +++ b/dnssec-trigger.spec @@ -4,8 +4,8 @@ Summary: Tool for dynamic reconfiguration of validating resolver Unbound Name: dnssec-trigger -Version: 0.13 -Release: 6%{?svn_snapshot:.%{svn_snapshot}svn}%{?dist} +Version: 0.15 +Release: 1%{?svn_snapshot:.%{svn_snapshot}svn}%{?dist} License: BSD Url: http://www.nlnetlabs.nl/downloads/dnssec-trigger/ 
@@ -20,10 +20,6 @@ Source2: dnssec-trigger-default.conf Source3: dnssec-trigger-workstation.conf # Patches -# https://github.com/oerdnj/dnssec-trigger/commit/2fcc4bce2043149074bcf09fcb8ee3a0c7bc2348 -Patch0: dnssec-trigger-0.13-openssl-1.1.0-fixup.patch -Patch1: dnssec-trigger-0.13-remove-kr.com-probe.patch -Patch2: dnssec-trigger-0.13-hints-update.patch # to obsolete the version in which the panel was in main package Obsoletes: %{name} < 0.12-22 @@ -40,6 +36,9 @@ Requires: NetworkManager >= 0.9.9.0-40 %endif %endif Requires: ldns >= 1.6.10, NetworkManager-glib, unbound +# needed by /usr/sbin/dnssec-trigger-control-setup +# otherwise it ends with error: /usr/sbin/dnssec-trigger-control-setup: line 180: openssl: command not found +Requires: openssl BuildRequires: openssl-devel, ldns-devel, python3-devel BuildRequires: NetworkManager-devel @@ -80,9 +79,6 @@ some user input is needed, the panel creates a dialog window. # don't use DNSSEC for forward zones for now sed -i "s/validate_connection_provided_zones=yes/validate_connection_provided_zones=no/" dnssec.conf -%patch0 -p1 -b .openssl-110-fixup -%patch1 -p1 -%patch2 -p1 %build %configure \ @@ -187,6 +183,9 @@ rm -rf ${RPM_BUILD_ROOT} %changelog +* Mon Dec 11 2017 Tomas Hozza - 0.15-1 +- Update to stable 0.15 upstream release + * Fri Aug 18 2017 Petr Menšík - 0.13-6 - Skip always failing kr.com, update root IPs (#1482939) diff --git a/sources b/sources index 9cb78de..c7b5358 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (dnssec-trigger-0.13.tar.gz) = 0d42625a71bfda8484fa67afa129bccb2002d28b96d5267a9862a1a4bf51e0e3b12f3205a79d5977449c43c25a1ab1c66cea8cc0e8fd95763a1fe5b3674f437c +SHA512 (dnssec-trigger-0.15.tar.gz) = 5ce7d7fe9049f14afbb2075a764ae8f44e773801e6ebd7f4eb2bd4cfc07a338db7aa5b666ccad40da1f1528160bab9706cf8015b800f2e23c4b6e3639793a846
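Review bot: In the `@@ -40,6 +36,9 @@` hunk of dnssec-trigger.spec, the comment above the new `Requires: openssl` quotes an error message with a script line number (`line 180`), which goes stale as soon as the upstream script changes. I would state the reason instead, e.g. `# dnssec-trigger-control-setup calls the openssl command-line tool and fails without it`. The dependency is also a plain runtime `Requires`, which gives no ordering guarantee for scriptlets. Whether the setup script runs from a scriptlet or from a service unit is not visible in this hunk, so if it is the former, `Requires(post): openssl` would be needed as well.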