rpms/dnssec-conf/EL-5 dnssec-conf.spec,1.9,1.10
Paul Wouters
pwouters at fedoraproject.org
Fri Feb 5 20:05:37 UTC 2010
Author: pwouters
Update of /cvs/extras/rpms/dnssec-conf/EL-5
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv13824
Modified Files:
dnssec-conf.spec
Log Message:
* Thu Feb 05 2010 Paul Wouters <paul at xelerance.com> - 1.21-6
- Do not ship DNSSEC trust anchors for in-addr.arpa zones. Rely on the DLV
and (from July 2010 onwards) the signed root
- Use trigger to recreate an updated named.dnssec.keys and restart nameservers
Index: dnssec-conf.spec
===================================================================
RCS file: /cvs/extras/rpms/dnssec-conf/EL-5/dnssec-conf.spec,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -p -r1.9 -r1.10
--- dnssec-conf.spec 19 Oct 2009 05:59:38 -0000 1.9
+++ dnssec-conf.spec 5 Feb 2010 20:05:37 -0000 1.10
@@ -1,7 +1,7 @@
Summary: DNSSEC and DLV configuration and priming tool
Name: dnssec-conf
Version: 1.21
-Release: 5%{?dist}
+Release: 6%{?dist}
License: GPLv2+
Url: http://www.xelerance.com/software/dnssec-conf/
Source0: http://www.xelerance.com/software/%{name}/%{name}-%{version}.tar.gz
@@ -33,6 +33,13 @@ make
%install
rm -rf ${RPM_BUILD_ROOT}
make PREFIX=%{_prefix} DESTDIR=${RPM_BUILD_ROOT} ETCDIR=${RPM_BUILD_ROOT}/etc install
+# We no longer ship trust anchors. Most of these are in the DLV Registry now.
+# and it prevents the problem of shipping outdated trust anchors.
+# For DLV, we ship the ISC DLV Registry key
+rm -rf ${RPM_BUILD_ROOT}/%{_sysconfdir}/pki/dnssec-keys/harvest/*
+#rm -rf ${RPM_BUILD_ROOT}/%{_sysconfdir}/pki/dnssec-keys/testing/*
+#rm -rf ${RPM_BUILD_ROOT}/%{_sysconfdir}/pki/dnssec-keys/production/*
+rm -rf ${RPM_BUILD_ROOT}/%{_sysconfdir}/pki/dnssec-keys/production/reverse/*
install -d 0755 ${RPM_BUILD_ROOT}/%{_sysconfdir}/sysconfig
install -m 0644 packaging/fedora/dnssec.sysconfig ${RPM_BUILD_ROOT}/%{_sysconfdir}/sysconfig/dnssec
cp %{SOURCE1} ${RPM_BUILD_ROOT}/etc/pki/dnssec-keys/production/
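Review bot: The comment added in %install says "We no longer ship trust anchors", but only harvest/* and production/reverse/* are removed; the rm lines for testing/* and production/* are commented out, and the existing cp of %{SOURCE1} into production/ follows right after. Reword the comment to match the changelog entry (the in-addr.arpa anchors are dropped, the DLV key stays) and delete the two commented-out rm lines rather than keeping them as dead code. The globs also remove only the directory contents, so empty harvest and production/reverse directories stay in the buildroot while their explicit %dir entries are commented out in %files; removing the directories themselves would keep the buildroot and the file list in agreement.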
@@ -40,15 +47,24 @@ cp %{SOURCE1} ${RPM_BUILD_ROOT}/etc/pki/
%clean
rm -rf ${RPM_BUILD_ROOT}
+%triggerpostun -- dnssec-conf < 1.21-6
+# we use a trigger because otherwise unbound restarts too soon and uses
+# keyfiles that are about to get removed.
+# remove old RIPE trust anchors from the generated bind include
+sed -i "/^.*reverse.*$/d" /etc/pki/dnssec-keys/named.dnssec.keys
+# restart DNS servers which might be using now removed DNSSEC keys
+/sbin/service named try-restart >/dev/null 2>&1 || :;
+/sbin/service unbound try-restart >/dev/null 2>&1 || :;
+
%files
%defattr(-,root,root)
%doc LICENSE README INSTALL
%attr(0755,root,root) %dir %{_sysconfdir}/pki/dnssec-keys
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pki/dnssec-keys/*/*
%attr(0755,root,root) %dir %{_sysconfdir}/pki/dnssec-keys/production
-%attr(0755,root,root) %dir %{_sysconfdir}/pki/dnssec-keys/production/reverse
+#%attr(0755,root,root) %dir %{_sysconfdir}/pki/dnssec-keys/production/reverse
%attr(0755,root,root) %dir %{_sysconfdir}/pki/dnssec-keys/testing
-%attr(0755,root,root) %dir %{_sysconfdir}/pki/dnssec-keys/harvest
+#%attr(0755,root,root) %dir %{_sysconfdir}/pki/dnssec-keys/harvest
%attr(0755,root,root) %dir %{_sysconfdir}/pki/dnssec-keys/dlv
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/dnssec
%{_bindir}/dnskey-pull
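Review bot: The sed expression in %triggerpostun, "/^.*reverse.*$/d", deletes every line of named.dnssec.keys that contains the string "reverse" anywhere, which is wider than the anchors removed from production/reverse/; if the generated include lines carry the key file path, match on that path (for example the pattern production\/reverse\/) so an unrelated line cannot be dropped from a resolver's trust configuration. The sed is also unguarded, so on a system where /etc/pki/dnssec-keys/named.dnssec.keys was never generated it prints an error during the upgrade; a [ -f ... ] test before it would avoid that. In %files, the two %dir entries are disabled with a leading # but still contain %{_sysconfdir}, and rpm expands macros inside comment lines; deleting the lines is cleaner than commenting them out.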
@@ -56,6 +72,11 @@ rm -rf ${RPM_BUILD_ROOT}
%{_mandir}/*/*
%changelog
+* Thu Feb 05 2010 Paul Wouters <paul at xelerance.com> - 1.21-6
+- Do not ship DNSSEC trust anchors for in-addr.arpa zones. Rely on the DLV
+ and (from July 2010 onwards) the signed root
+- Use trigger to recreate an updated named.dnssec.keys and restart nameservers
+
* Mon Oct 19 2009 Paul Wouters <paul at xelerance.com> - 1.21-5
- Removed bogus unbound dependancy
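Review bot: The new changelog header reads "Thu Feb 05 2010", but this commit is dated Fri Feb 5 2010, so the weekday does not match the date; use "Fri Feb 05 2010". The second entry also says the trigger will "recreate an updated named.dnssec.keys", while the trigger added in this revision edits the existing file in place with sed -i; wording the entry as removing the reverse anchors from the generated include would describe what the scriptlet does.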