rpms/dnssec-conf/F-11 dnssec-conf.spec,1.15,1.16
Paul Wouters
pwouters at fedoraproject.org
Fri Feb 5 21:29:14 UTC 2010
Author: pwouters
Update of /cvs/extras/rpms/dnssec-conf/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv22231
Modified Files:
dnssec-conf.spec
Log Message:
* Thu Feb 05 2010 Paul Wouters <paul at xelerance.com> - 1.21-3
- Do not ship DNSSEC trust anchors for in-addr.arpa zones. Rely on the DLV
and (from July 2010 onwards) the signed root
- Use trigger to recreate an updated named.dnssec.keys and restart nameservers
Index: dnssec-conf.spec
===================================================================
RCS file: /cvs/extras/rpms/dnssec-conf/F-11/dnssec-conf.spec,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -p -r1.15 -r1.16
--- dnssec-conf.spec 8 Sep 2009 19:32:32 -0000 1.15
+++ dnssec-conf.spec 5 Feb 2010 21:29:14 -0000 1.16
@@ -1,7 +1,7 @@
Summary: DNSSEC and DLV configuration and priming tool
Name: dnssec-conf
Version: 1.21
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPLv2+
Url: http://www.xelerance.com/software/dnssec-conf/
Source0: http://www.xelerance.com/software/%{name}/%{name}-%{version}.tar.gz
@@ -33,6 +33,13 @@ make
%install
rm -rf ${RPM_BUILD_ROOT}
make PREFIX=%{_prefix} DESTDIR=${RPM_BUILD_ROOT} ETCDIR=${RPM_BUILD_ROOT}/etc install
+# We no longer ship trust anchors. Most of these are in the DLV Registry now.
+# and it prevents the problem of shipping outdated trust anchors.
+# For DLV, we ship the ISC DLV Registry key
+rm -rf ${RPM_BUILD_ROOT}/%{_sysconfdir}/pki/dnssec-keys/harvest/*
+#rm -rf ${RPM_BUILD_ROOT}/%{_sysconfdir}/pki/dnssec-keys/testing/*
+#rm -rf ${RPM_BUILD_ROOT}/%{_sysconfdir}/pki/dnssec-keys/production/*
+rm -rf ${RPM_BUILD_ROOT}/%{_sysconfdir}/pki/dnssec-keys/production/reverse/*
install -d 0755 ${RPM_BUILD_ROOT}/%{_sysconfdir}/sysconfig
install -m 0644 packaging/fedora/dnssec.sysconfig ${RPM_BUILD_ROOT}/%{_sysconfdir}/sysconfig/dnssec
cp %{SOURCE1} ${RPM_BUILD_ROOT}/etc/pki/dnssec-keys/production/
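Review bot: the two commented-out `rm -rf` lines for `testing/*` and `production/*` are dead code in `%install`; either drop them or state in the comment why they are kept, so a later packager does not have to guess whether they are meant to be enabled. The comment above them also reads as one sentence broken in two ("...in the DLV Registry now. and it prevents the problem..."). Separately, `rm -rf .../harvest/*` and `rm -rf .../production/reverse/*` empty those directories but leave them in the buildroot, while their `%dir` entries are dropped from `%files` later in this patch; removing the directories themselves (`rm -rf ${RPM_BUILD_ROOT}/%{_sysconfdir}/pki/dnssec-keys/harvest` and likewise for `production/reverse`) keeps the buildroot and the file list consistent.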
@@ -40,15 +47,24 @@ cp %{SOURCE1} ${RPM_BUILD_ROOT}/etc/pki/
%clean
rm -rf ${RPM_BUILD_ROOT}
+%triggerpostun -- dnssec-conf < 1.21-3
+# we use a trigger because otherwise unbound restarts too soon and uses
+# keyfiles that are about to get removed.
+# remove old RIPE trust anchors from the generated bind include
+sed -i "/^.*reverse.*$/d" /etc/pki/dnssec-keys/named.dnssec.keys
+# restart DNS servers which might be using now removed DNSSEC keys
+/sbin/service named try-restart >/dev/null 2>&1 || :;
+/sbin/service unbound try-restart >/dev/null 2>&1 || :;
+
%files
%defattr(-,root,root)
%doc LICENSE README INSTALL
%attr(0755,root,root) %dir %{_sysconfdir}/pki/dnssec-keys
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pki/dnssec-keys/*/*
%attr(0755,root,root) %dir %{_sysconfdir}/pki/dnssec-keys/production
-%attr(0755,root,root) %dir %{_sysconfdir}/pki/dnssec-keys/production/reverse
+#%attr(0755,root,root) %dir %{_sysconfdir}/pki/dnssec-keys/production/reverse
%attr(0755,root,root) %dir %{_sysconfdir}/pki/dnssec-keys/testing
-%attr(0755,root,root) %dir %{_sysconfdir}/pki/dnssec-keys/harvest
+#%attr(0755,root,root) %dir %{_sysconfdir}/pki/dnssec-keys/harvest
%attr(0755,root,root) %dir %{_sysconfdir}/pki/dnssec-keys/dlv
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/dnssec
%{_bindir}/dnskey-pull
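Review bot: the pattern `/^.*reverse.*$/d` in the `%triggerpostun` scriptlet deletes every line of `named.dnssec.keys` containing the substring `reverse` anywhere, not only the entries for the removed `production/reverse/` anchors, so an unrelated key whose path or zone name happens to contain that word is silently dropped as well. If the generated lines carry the key file path, anchor the expression to the directory, e.g. `sed -i '/\/pki\/dnssec-keys\/production\/reverse\//d' /etc/pki/dnssec-keys/named.dnssec.keys`; otherwise match the specific zone names. The scriptlet should also guard against the file being absent (`[ -f /etc/pki/dnssec-keys/named.dnssec.keys ] && sed -i ...`), since `sed -i` on a missing file fails, and the changelog's "recreate an updated named.dnssec.keys" overstates what happens here: the file is edited in place, not regenerated. Minor: the commented-out `%dir` lines for `production/reverse` and `harvest` in `%files` could simply be deleted, and the `|| :;` on both service lines has a stray trailing semicolon.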
@@ -56,6 +72,11 @@ rm -rf ${RPM_BUILD_ROOT}
%{_mandir}/*/*
%changelog
+* Thu Feb 05 2010 Paul Wouters <paul at xelerance.com> - 1.21-3
+- Do not ship DNSSEC trust anchors for in-addr.arpa zones. Rely on the DLV
+ and (from July 2010 onwards) the signed root
+- Use trigger to recreate an updated named.dnssec.keys and restart nameservers
+
* Tue Sep 08 2009 Paul Wouters <paul at xelerance.com> - 1.21-2
-New key for .pr.
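Review bot: the new `%changelog` entry is dated `Thu Feb 05 2010`, but 5 February 2010 was a Friday (the commit itself is stamped `Fri Feb 5 21:29:14 UTC 2010` above); rpmbuild warns about a bogus date when the weekday does not match, so the entry should read `Fri Feb 05 2010`.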