rpms/dnssec-conf/F-12 dnssec-conf.spec,1.17,1.18
Paul Wouters
pwouters at fedoraproject.org
Fri Feb 5 20:19:56 UTC 2010
Author: pwouters
Update of /cvs/extras/rpms/dnssec-conf/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv15218
Modified Files:
dnssec-conf.spec
Log Message:
* Thu Feb 05 2010 Paul Wouters <paul at xelerance.com> - 1.21-6
- Do not ship (expired!) DNSSEC trust anchors for in-addr.arpa zones.
Rely on the DLV and (from July 2010 onwards) the signed root
- Use trigger to recreate an updated named.dnssec.keys and restart nameservers
Index: dnssec-conf.spec
===================================================================
RCS file: /cvs/extras/rpms/dnssec-conf/F-12/dnssec-conf.spec,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -p -r1.17 -r1.18
--- dnssec-conf.spec 8 Sep 2009 16:18:52 -0000 1.17
+++ dnssec-conf.spec 5 Feb 2010 20:19:56 -0000 1.18
@@ -1,7 +1,7 @@
Summary: DNSSEC and DLV configuration and priming tool
Name: dnssec-conf
Version: 1.21
-Release: 5%{?dist}
+Release: 6%{?dist}
License: GPLv2+
Url: http://www.xelerance.com/software/dnssec-conf/
Source0: http://www.xelerance.com/software/%{name}/%{name}-%{version}.tar.gz
@@ -33,6 +33,13 @@ make
%install
rm -rf ${RPM_BUILD_ROOT}
make PREFIX=%{_prefix} DESTDIR=${RPM_BUILD_ROOT} ETCDIR=${RPM_BUILD_ROOT}/etc install
+# We no longer ship trust anchors. Most of these are in the DLV Registry now.
+# and it prevents the problem of shipping outdated trust anchors.
+# For DLV, we ship the ISC DLV Registry key
+rm -rf ${RPM_BUILD_ROOT}/%{_sysconfdir}/pki/dnssec-keys/harvest/*
+#rm -rf ${RPM_BUILD_ROOT}/%{_sysconfdir}/pki/dnssec-keys/testing/*
+#rm -rf ${RPM_BUILD_ROOT}/%{_sysconfdir}/pki/dnssec-keys/production/*
+rm -rf ${RPM_BUILD_ROOT}/%{_sysconfdir}/pki/dnssec-keys/production/reverse/*
install -d 0755 ${RPM_BUILD_ROOT}/%{_sysconfdir}/sysconfig
install -m 0644 packaging/fedora/dnssec.sysconfig ${RPM_BUILD_ROOT}/%{_sysconfdir}/sysconfig/dnssec
# new key for pr. This will be in version 1.22 but that one has unreleased
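Review bot: the new `%install` comment says trust anchors are no longer shipped, but only `harvest/*` and `production/reverse/*` are actually removed while the `rm` lines for `testing/*` and `production/*` are left commented out; either drop those dead lines or say in the comment that the testing and forward production anchors are still shipped on purpose. The comment also has a stray sentence break ("...DLV Registry now. and it prevents..."). Since the `%dir` entry for `harvest` is removed from `%files` later in this patch, consider `rm -rf ${RPM_BUILD_ROOT}/%{_sysconfdir}/pki/dnssec-keys/harvest` (the directory itself) rather than only its contents, so no empty unowned directory is left in the buildroot.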
@@ -42,15 +49,24 @@ cp %{SOURCE1} ${RPM_BUILD_ROOT}/etc/pki/
%clean
rm -rf ${RPM_BUILD_ROOT}
+%triggerpostun -- dnssec-conf < 1.21-6
+# we use a trigger because otherwise unbound restarts too soon and uses
+# keyfiles that are about to get removed.
+# remove old RIPE trust anchors from the generated bind include
+sed -i "/^.*reverse.*$/d" /etc/pki/dnssec-keys/named.dnssec.keys
+# restart DNS servers which might be using now removed DNSSEC keys
+/sbin/service named try-restart >/dev/null 2>&1 || :;
+/sbin/service unbound try-restart >/dev/null 2>&1 || :;
+
%files
%defattr(-,root,root)
%doc LICENSE README INSTALL
%attr(0755,root,root) %dir %{_sysconfdir}/pki/dnssec-keys
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pki/dnssec-keys/*/*
%attr(0755,root,root) %dir %{_sysconfdir}/pki/dnssec-keys/production
-%attr(0755,root,root) %dir %{_sysconfdir}/pki/dnssec-keys/production/reverse
+#%attr(0755,root,root) %dir %{_sysconfdir}/pki/dnssec-keys/production/reverse
%attr(0755,root,root) %dir %{_sysconfdir}/pki/dnssec-keys/testing
-%attr(0755,root,root) %dir %{_sysconfdir}/pki/dnssec-keys/harvest
+#%attr(0755,root,root) %dir %{_sysconfdir}/pki/dnssec-keys/harvest
%attr(0755,root,root) %dir %{_sysconfdir}/pki/dnssec-keys/dlv
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/dnssec
%{_bindir}/dnskey-pull
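Review bot: the `%triggerpostun` runs `sed -i` unconditionally on `/etc/pki/dnssec-keys/named.dnssec.keys`; if that file does not exist on the host (the generated include is not part of the package), sed exits non-zero and rpm reports a scriptlet failure, so guard it with `[ -f /etc/pki/dnssec-keys/named.dnssec.keys ] &&`. The pattern `/^.*reverse.*$/d` deletes every line containing the word `reverse`, not just the entries for the removed anchors; matching on the `production/reverse/` path would be more precise. The changelog says named.dnssec.keys is "recreated", but the trigger only deletes lines from it; if the generating tool is available at trigger time, regenerating the file would be the more robust fix. The trailing `;` after `|| :` on both `service ... try-restart` lines is redundant.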
@@ -58,6 +74,11 @@ rm -rf ${RPM_BUILD_ROOT}
%{_mandir}/*/*
%changelog
+* Thu Feb 05 2010 Paul Wouters <paul at xelerance.com> - 1.21-6
+- Do not ship (expired!) DNSSEC trust anchors for in-addr.arpa zones.
+ Rely on the DLV and (from July 2010 onwards) the signed root
+- Use trigger to recreate an updated named.dnssec.keys and restart nameservers
+
* Tue Sep 08 2009 Paul Wouters <paul at xelerance.com> - 1.21-5
- Bump version
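Review bot: the new `%changelog` entry is dated `Thu Feb 05 2010`, but 5 Feb 2010 was a Friday (the commit header itself reads "Fri Feb 5 20:19:56 UTC 2010"); rpmbuild warns about a bogus date in `%changelog` for this, so change the weekday to `Fri`.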