rpms/dnssec-conf/F-12 dnssec-conf.spec,1.17,1.18

Paul Wouters pwouters at fedoraproject.org
Fri Feb 5 20:19:56 UTC 2010


Author: pwouters

Update of /cvs/extras/rpms/dnssec-conf/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv15218

Modified Files:
	dnssec-conf.spec 
Log Message:
* Thu Feb 05 2010 Paul Wouters <paul at xelerance.com> - 1.21-6
- Do not ship (expired!) DNSSEC trust anchors for in-addr.arpa zones.
  Rely on the DLV and (from July 2010 onwards) the signed root
- Use trigger to recreate an updated named.dnssec.keys and restart nameservers



Index: dnssec-conf.spec
===================================================================
RCS file: /cvs/extras/rpms/dnssec-conf/F-12/dnssec-conf.spec,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -p -r1.17 -r1.18
--- dnssec-conf.spec	8 Sep 2009 16:18:52 -0000	1.17
+++ dnssec-conf.spec	5 Feb 2010 20:19:56 -0000	1.18
@@ -1,7 +1,7 @@
 Summary: DNSSEC and DLV configuration and priming tool
 Name: dnssec-conf
 Version: 1.21
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPLv2+
 Url: http://www.xelerance.com/software/dnssec-conf/
 Source0: http://www.xelerance.com/software/%{name}/%{name}-%{version}.tar.gz
@@ -33,6 +33,13 @@ make 
 %install
 rm -rf ${RPM_BUILD_ROOT}
 make PREFIX=%{_prefix} DESTDIR=${RPM_BUILD_ROOT} ETCDIR=${RPM_BUILD_ROOT}/etc install
+# We no longer ship trust anchors. Most of these are in the DLV Registry now.
+# and it prevents the problem of shipping outdated trust anchors.
+# For DLV, we ship the ISC DLV Registry key
+rm -rf ${RPM_BUILD_ROOT}/%{_sysconfdir}/pki/dnssec-keys/harvest/*
+#rm -rf ${RPM_BUILD_ROOT}/%{_sysconfdir}/pki/dnssec-keys/testing/*
+#rm -rf ${RPM_BUILD_ROOT}/%{_sysconfdir}/pki/dnssec-keys/production/*
+rm -rf ${RPM_BUILD_ROOT}/%{_sysconfdir}/pki/dnssec-keys/production/reverse/*
 install -d 0755 ${RPM_BUILD_ROOT}/%{_sysconfdir}/sysconfig
 install -m 0644 packaging/fedora/dnssec.sysconfig ${RPM_BUILD_ROOT}/%{_sysconfdir}/sysconfig/dnssec
 # new key for pr. This will be in version 1.22 but that one has unreleased
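Review bot: The two new `rm -rf` lines for `harvest/*` and `production/reverse/*` empty those directories but leave them in the buildroot, while the %files hunk further down comments out their `%dir` entries; an empty `production/reverse` then still matches the existing `%{_sysconfdir}/pki/dnssec-keys/*/*` glob and would likely be packaged under the `%attr(0644,root,root) %config(noreplace)` entry rather than as a directory, and `harvest` is left unpackaged. If `make install` creates these directories (as the existing rm lines imply), removing the directories themselves is cleaner: `rm -rf ${RPM_BUILD_ROOT}/%{_sysconfdir}/pki/dnssec-keys/harvest` and `rm -rf ${RPM_BUILD_ROOT}/%{_sysconfdir}/pki/dnssec-keys/production/reverse`. The two commented-out `rm` lines for testing and production read as dead code; either drop them or say in the comment above why they are kept for a later release.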
@@ -42,15 +49,24 @@ cp %{SOURCE1} ${RPM_BUILD_ROOT}/etc/pki/
 %clean
 rm -rf ${RPM_BUILD_ROOT}
 
+%triggerpostun -- dnssec-conf < 1.21-6
+# we use a trigger because otherwise unbound restarts too soon and uses
+# keyfiles that are about to get removed.
+# remove old RIPE trust anchors from the generated bind include
+sed -i "/^.*reverse.*$/d" /etc/pki/dnssec-keys/named.dnssec.keys
+# restart DNS servers which might be using now removed DNSSEC keys
+/sbin/service named try-restart >/dev/null 2>&1 || :;
+/sbin/service unbound try-restart >/dev/null 2>&1 || :;
+
 %files 
 %defattr(-,root,root)
 %doc LICENSE README INSTALL
 %attr(0755,root,root) %dir %{_sysconfdir}/pki/dnssec-keys
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pki/dnssec-keys/*/*
 %attr(0755,root,root) %dir %{_sysconfdir}/pki/dnssec-keys/production
-%attr(0755,root,root) %dir %{_sysconfdir}/pki/dnssec-keys/production/reverse
+#%attr(0755,root,root) %dir %{_sysconfdir}/pki/dnssec-keys/production/reverse
 %attr(0755,root,root) %dir %{_sysconfdir}/pki/dnssec-keys/testing
-%attr(0755,root,root) %dir %{_sysconfdir}/pki/dnssec-keys/harvest
+#%attr(0755,root,root) %dir %{_sysconfdir}/pki/dnssec-keys/harvest
 %attr(0755,root,root) %dir %{_sysconfdir}/pki/dnssec-keys/dlv
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/dnssec
 %{_bindir}/dnskey-pull
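Review bot: The `sed -i "/^.*reverse.*$/d"` line in the new %triggerpostun deletes every line of /etc/pki/dnssec-keys/named.dnssec.keys containing the substring `reverse`, not only the removed in-addr.arpa anchors, so an administrator-added trust anchor whose zone name or key path happens to contain that word is silently dropped from the include; if the generated lines reference the key files by path, anchoring on the removed directory, `sed -i '/production\/reverse\//d' /etc/pki/dnssec-keys/named.dnssec.keys`, limits the edit to what this update actually removes. The sed also runs unconditionally, so on a host where the include was never generated it prints an error; guarding it with `[ -f /etc/pki/dnssec-keys/named.dnssec.keys ] && sed -i ...` avoids that (the scriptlet's exit status is already masked by the trailing `|| :` service lines, so the only effect today is noise). The changelog says the trigger "recreates" named.dnssec.keys, but the scriptlet only strips lines; either align the wording or, if the package ships the tool that generates this file, regenerate it there so the include cannot drift from the installed keys.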
@@ -58,6 +74,11 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_mandir}/*/*
 
 %changelog
+* Thu Feb 05 2010 Paul Wouters <paul at xelerance.com> - 1.21-6
+- Do not ship (expired!) DNSSEC trust anchors for in-addr.arpa zones.
+  Rely on the DLV and (from July 2010 onwards) the signed root
+- Use trigger to recreate an updated named.dnssec.keys and restart nameservers
+
 * Tue Sep 08 2009 Paul Wouters <paul at xelerance.com> - 1.21-5
 - Bump version
 


