Diffstat (limited to 'distro')
-rw-r--r--distro/arch/PKGBUILD56
-rw-r--r--distro/arch/install15
-rw-r--r--distro/common/kresd.conf19
-rw-r--r--distro/common/kresd.no_ta.conf19
-rw-r--r--distro/common/root.keys2
-rw-r--r--distro/common/systemd/README.md31
-rw-r--r--distro/common/systemd/drop-in/listen-tls.conf7
-rw-r--r--distro/common/systemd/drop-in/listen-udp-tcp.conf8
-rw-r--r--distro/common/systemd/drop-in/systemd-compat.conf17
-rw-r--r--distro/common/systemd/kresd-control@.socket16
-rw-r--r--distro/common/systemd/kresd-tls.socket16
-rw-r--r--distro/common/systemd/kresd.socket17
-rw-r--r--distro/common/systemd/kresd.systemd.7230
-rw-r--r--distro/common/systemd/kresd.target8
-rw-r--r--distro/common/systemd/kresd@.service17
-rw-r--r--distro/common/tmpfiles/knot-resolver.conf4
-rw-r--r--distro/deb/NEWS23
-rw-r--r--distro/deb/README.source70
-rw-r--r--distro/deb/changelog6
-rw-r--r--distro/deb/clean4
-rw-r--r--distro/deb/compat1
-rw-r--r--distro/deb/control137
-rw-r--r--distro/deb/copyright448
-rw-r--r--distro/deb/docs1
-rwxr-xr-xdistro/deb/init-d-script239
-rw-r--r--distro/deb/knot-resolver-doc.doc-base11
-rw-r--r--distro/deb/knot-resolver-doc.docs1
-rw-r--r--distro/deb/knot-resolver-doc.links2
-rw-r--r--distro/deb/knot-resolver-module-http.install6
-rw-r--r--distro/deb/knot-resolver-module-http.links5
-rw-r--r--distro/deb/knot-resolver-module-tinyweb.install1
-rw-r--r--distro/deb/knot-resolver.dirs3
-rw-r--r--distro/deb/knot-resolver.install38
-rw-r--r--distro/deb/knot-resolver.kresd.default13
-rw-r--r--distro/deb/knot-resolver.kresd.init59
-rw-r--r--distro/deb/knot-resolver.links2
-rw-r--r--distro/deb/knot-resolver.manpages2
-rw-r--r--distro/deb/knot-resolver.postinst30
-rw-r--r--distro/deb/knot-resolver.postrm8
-rw-r--r--distro/deb/knot-resolver.triggers1
-rw-r--r--distro/deb/kresd.conf19
-rw-r--r--distro/deb/libkres-dev.install3
-rw-r--r--distro/deb/libkres9.install1
-rw-r--r--distro/deb/libkres9.symbols144
-rw-r--r--distro/deb/not-installed1
-rw-r--r--distro/deb/patches/0001-Update-documentation-of-keyfile-ro.patch41
-rw-r--r--distro/deb/patches/series1
-rwxr-xr-xdistro/deb/rules68
-rw-r--r--distro/deb/source/format1
-rw-r--r--distro/deb/tests/control2
-rw-r--r--distro/rpm/knot-resolver.spec235
-rw-r--r--distro/tests/README.md42
-rw-r--r--distro/tests/arch/Vagrantfile16
-rw-r--r--distro/tests/centos7/Vagrantfile19
-rw-r--r--distro/tests/debian9/Vagrantfile16
-rw-r--r--distro/tests/fedora28/Vagrantfile19
-rw-r--r--distro/tests/fedora29/Vagrantfile19
-rw-r--r--distro/tests/knot-resolver-test.yaml148
-rw-r--r--distro/tests/leap15/Vagrantfile16
-rw-r--r--distro/tests/repos.yaml3
-rwxr-xr-xdistro/tests/test-distro.sh32
-rw-r--r--distro/tests/tumbleweed/Vagrantfile16
-rw-r--r--distro/tests/ubuntu1604/Vagrantfile19
-rw-r--r--distro/tests/ubuntu1804/Vagrantfile19
-rw-r--r--distro/tests/ubuntu1810/Vagrantfile19
65 files changed, 2512 insertions, 0 deletions
diff --git a/distro/arch/PKGBUILD b/distro/arch/PKGBUILD
new file mode 100644
index 0000000..87f8aa7
--- /dev/null
+++ b/distro/arch/PKGBUILD
@@ -0,0 +1,56 @@
+# Maintainer: Tomas Krizek <tomas.krizek@mailbox.org>
+# Contributor: Ondřej Surý <ondrej@sury.org>
+
+pkgname=knot-resolver
+pkgver=__VERSION__
+pkgrel=1
+pkgdesc='full caching DNS resolver implementation'
+url='https://www.knot-resolver.cz/'
+arch=('x86_64' 'armv7h')
+license=('GPL3')
+backup=('etc/knot-resolver/kresd.conf')
+options=(debug strip)
+install=install
+depends=('cmocka'
+ 'dnssec-anchors'
+ 'gnutls'
+ 'knot>=2.7.2'
+ 'libedit'
+ 'libsystemd'
+ 'libuv'
+ 'lmdb'
+ 'lua51-sec'
+ 'lua51-socket'
+ 'luajit')
+source=("knot-resolver_${pkgver}.orig.tar.xz")
+
+_makevars="PREFIX=/usr SBINDIR=/usr/bin LIBDIR=/usr/lib INCLUDEDIR=/usr/include ETCDIR=/etc/knot-resolver KEYFILE_DEFAULT=/etc/trusted-key.key V=1"
+
+sha256sums=('SKIP')
+
+build() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+ make ${_makevars}
+}
+
+check() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+ make check-unit ${_makevars}
+}
+
+package() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+
+ make ${_makevars} DESTDIR="${pkgdir}" install
+ install -Dm 0644 "${srcdir}/${pkgname}-${pkgver}/distro/common/systemd/kresd.socket" "${pkgdir}/usr/lib/systemd/system/kresd.socket"
+ install -Dm 0644 "${srcdir}/${pkgname}-${pkgver}/distro/common/systemd/kresd-control@.socket" "${pkgdir}/usr/lib/systemd/system/kresd-control@.socket"
+ install -Dm 0644 "${srcdir}/${pkgname}-${pkgver}/distro/common/systemd/kresd-tls.socket" "${pkgdir}/usr/lib/systemd/system/kresd-tls.socket"
+ install -Dm 0644 "${srcdir}/${pkgname}-${pkgver}/distro/common/systemd/kresd@.service" "${pkgdir}/usr/lib/systemd/system/kresd@.service"
+ install -Dm 0644 "${srcdir}/${pkgname}-${pkgver}/distro/common/systemd/kresd.target" "${pkgdir}/usr/lib/systemd/system/kresd.target"
+ install -dm 0755 "${pkgdir}/usr/lib/systemd/system/multi-user.target.wants"
+ ln -s ../kresd.target "${pkgdir}/usr/lib/systemd/system/multi-user.target.wants/kresd.target"
+ install -Dm 0644 "${srcdir}/${pkgname}-${pkgver}/distro/common/systemd/kresd.systemd.7" "${pkgdir}/usr/share/man/man7/kresd.systemd.7"
+ install -Dm 0644 "${srcdir}/${pkgname}-${pkgver}/distro/common/tmpfiles/knot-resolver.conf" "${pkgdir}/usr/lib/tmpfiles.d/knot-resolver.conf"
+ install -dm 0775 "${pkgdir}/etc/knot-resolver"
+ install -Dm 0644 "${srcdir}/${pkgname}-${pkgver}/distro/common/kresd.no_ta.conf" "${pkgdir}/etc/knot-resolver/kresd.conf"
+}
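Review bot: `sha256sums=('SKIP')` turns off makepkg's integrity check for `knot-resolver_${pkgver}.orig.tar.xz`, so whatever tarball is present at build time is compiled and packaged unverified. If this template is only ever filled in by a job that generates the tarball itself, that may be acceptable, but the file should say so, e.g. `# checksum skipped: tarball is produced locally by the packaging job`; otherwise the job should substitute the real digest the same way it substitutes `__VERSION__`. Separately, `install -dm 0775 "${pkgdir}/etc/knot-resolver"` combined with the group change in distro/arch/install leaves the configuration directory writable by the daemon's group. Mode `0750` would be the safer default unless kresd has to write there.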
diff --git a/distro/arch/install b/distro/arch/install
new file mode 100644
index 0000000..de23d59
--- /dev/null
+++ b/distro/arch/install
@@ -0,0 +1,15 @@
+post_install() {
+ getent group knot-resolver &>/dev/null || groupadd -r knot-resolver >/dev/null
+ getent passwd knot-resolver &>/dev/null || useradd -r -g knot-resolver -d /dev/null -s /bin/false -c knot-resolver knot-resolver >/dev/null
+ chown -R root:knot-resolver /etc/knot-resolver
+}
+
+post_upgrade() {
+ chown -R root:knot-resolver /etc/knot-resolver
+}
+
+post_remove() {
+ getent passwd knot-resolver &>/dev/null && userdel knot-resolver >/dev/null
+ getent group knot-resolver &>/dev/null && groupdel knot-resolver >/dev/null
+ true
+}
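Review bot: `post_remove` deletes the `knot-resolver` account and group, but files the daemon created (for example under /var/cache/knot-resolver, declared in the tmpfiles snippet of this commit) keep their numeric IDs and would be inherited by whichever system account is allocated those IDs next. Leaving the account in place on removal avoids that. In `post_install` and `post_upgrade`, `chown -R root:knot-resolver /etc/knot-resolver` runs as root over a tree the PKGBUILD creates group-writable (mode 0775), so the set of entries the recursive walk visits is not fully under the packager's control. Changing only the known paths, or adding `-h`, is more conservative.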
diff --git a/distro/common/kresd.conf b/distro/common/kresd.conf
new file mode 100644
index 0000000..a82a893
--- /dev/null
+++ b/distro/common/kresd.conf
@@ -0,0 +1,19 @@
+-- vim:syntax=lua:
+-- Refer to manual: http://knot-resolver.readthedocs.org/en/latest/daemon.html#configuration
+
+-- Load useful modules
+modules = {
+ 'hints > iterate', -- Load /etc/hosts and allow custom root hints
+ 'stats', -- Track internal statistics
+ 'predict', -- Prefetch expiring/frequent records
+}
+
+-- See kresd.systemd(7) about configuring network interfaces when using systemd
+-- Listen on localhost (default)
+-- net = { '127.0.0.1', '::1' }
+
+-- Enable DNSSEC validation
+trust_anchors.file = '/etc/knot-resolver/root.keys'
+
+-- Cache size
+cache.size = 100 * MB
diff --git a/distro/common/kresd.no_ta.conf b/distro/common/kresd.no_ta.conf
new file mode 100644
index 0000000..e452f0e
--- /dev/null
+++ b/distro/common/kresd.no_ta.conf
@@ -0,0 +1,19 @@
+-- vim:syntax=lua:
+-- Refer to manual: http://knot-resolver.readthedocs.org/en/latest/daemon.html#configuration
+
+-- Load useful modules
+modules = {
+ 'hints > iterate', -- Load /etc/hosts and allow custom root hints
+ 'stats', -- Track internal statistics
+ 'predict', -- Prefetch expiring/frequent records
+}
+
+-- See kresd.systemd(7) about configuring network interfaces when using systemd
+-- Listen on localhost (default)
+-- net = { '127.0.0.1', '::1' }
+
+-- To disable DNSSEC validation, uncomment the following line (not recommended)
+-- trust_anchors.keyfile_default = nil
+
+-- Cache size
+cache.size = 100 * MB
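Review bot: Nothing in this file tells an administrator that DNSSEC validation is active or which trust anchor is used; the only hint is the commented-out `trust_anchors.keyfile_default = nil` line. The Arch PKGBUILD in this commit installs this variant as /etc/knot-resolver/kresd.conf and passes `KEYFILE_DEFAULT=/etc/trusted-key.key` at build time, so validation presumably relies on that compiled-in path. A comment above that line such as `-- DNSSEC validation is enabled by default using the key file set at build time (KEYFILE_DEFAULT)` would make the effective configuration visible. The manual link in the header is plain `http://`; an `https://` URL is preferable if the site serves it.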
diff --git a/distro/common/root.keys b/distro/common/root.keys
new file mode 100644
index 0000000..7578e04
--- /dev/null
+++ b/distro/common/root.keys
@@ -0,0 +1,2 @@
+. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
+. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
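Review bot: These two DS digests are the root of trust for every validated answer, yet nothing records where they came from or when they were last checked. A header comment (if the key-file parser accepts `;` zone-file comments) or a line in the packaging README naming the authoritative source and the verification date would let a packager re-check them before each release. Key tag 19036 is the older root key-signing key; whether it should still ship alongside 20326 depends on the release date and is worth confirming against the published root anchors.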
diff --git a/distro/common/systemd/README.md b/distro/common/systemd/README.md
new file mode 100644
index 0000000..433f92f
--- /dev/null
+++ b/distro/common/systemd/README.md
@@ -0,0 +1,31 @@
+Running Knot Resolver under systemd (or equivalent) socket activation
+=====================================================================
+
+You can use the files in this directory to run kresd under supervision
+by systemd (or any supervisor that provides equivalent file descriptor
+initialization via the interface supported by
+sd_listen_fds_with_names(3)).
+
+Usage and Configuration
+-----------------------
+
+See kresd.systemd(7) for details.
+
+Compatibility with older systemd
+--------------------------------
+
+If you're using systemd prior to version 227, use the systemd-compat.conf
+drop-in file to use manual activation. In this case, socket files shouldn't
+be packaged, because they won't be used.
+
+Notes
+-----
+
+* If you're using the upstream systemd unit files, don't forget to also include
+ kresd.systemd.7 manual page in the package.
+* Distributions using systemd-sysv-generator should mask kresd.service to
+ be consistent with other distributions. Any use of kresd.service instead of
+ kresd@N.service is discouraged to avoid confusing the users.
+* kresd.target should be enabled by default by linking it to systemd lib/
+ directory. Instances of kresd@.service are then added manually to
+ kresd.target when the user enables them.
diff --git a/distro/common/systemd/drop-in/listen-tls.conf b/distro/common/systemd/drop-in/listen-tls.conf
new file mode 100644
index 0000000..6c798f0
--- /dev/null
+++ b/distro/common/systemd/drop-in/listen-tls.conf
@@ -0,0 +1,7 @@
+# /etc/systemd/system/kresd-tls.socket.d/override.conf
+
+# Configure which interfaces should kresd listen on.
+# ListenStream can be added multiple times.
+
+[Socket]
+ListenStream=192.0.2.115:853
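Review bot: The comments explain how to add listening addresses but not what exposure that creates: once `ListenStream=192.0.2.115:853` is replaced with a routable address, the resolver answers any client that can reach it. The same applies to the `ListenDatagram=`/`ListenStream=` lines on port 53 in drop-in/listen-udp-tcp.conf, where an unrestricted UDP listener can additionally be misused for traffic reflection. A comment in both files along the lines of `# Restrict who may query these addresses (firewall or resolver ACLs) before listening on a public interface.` would cover it.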
diff --git a/distro/common/systemd/drop-in/listen-udp-tcp.conf b/distro/common/systemd/drop-in/listen-udp-tcp.conf
new file mode 100644
index 0000000..480767a
--- /dev/null
+++ b/distro/common/systemd/drop-in/listen-udp-tcp.conf
@@ -0,0 +1,8 @@
+# /etc/systemd/system/kresd.socket.d/override.conf
+
+# Configure which interfaces should kresd listen on.
+# ListenDatagram and ListenStream can be added multiple times.
+
+[Socket]
+ListenDatagram=192.0.2.115:53
+ListenStream=192.0.2.115:53
diff --git a/distro/common/systemd/drop-in/systemd-compat.conf b/distro/common/systemd/drop-in/systemd-compat.conf
new file mode 100644
index 0000000..d251c41
--- /dev/null
+++ b/distro/common/systemd/drop-in/systemd-compat.conf
@@ -0,0 +1,17 @@
+# /usr/lib/systemd/system/kresd@.service.d/override.conf
+
+# If systemd.227+ isn't available (e.g. CentOS 7), socket activation can't be used
+# and the following modifications are required to use the service with
+# manual activation.
+
+# CAP_NET_BIND_SERVICE is necessary to be able to bind to a well-known port
+# as an unprivilidged user.
+
+# Explicit --forks=1 turns off interactive mode.
+
+[Service]
+Type=simple
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+ExecStart=
+ExecStart=/usr/sbin/kresd --config=/etc/knot-resolver/kresd.conf --forks=1
+Sockets=
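Review bot: `AmbientCapabilities=CAP_NET_BIND_SERVICE` is the only thing that lets the unprivileged process bind port 53 here, but upstream systemd introduced that directive in version 229, while this drop-in targets systems older than 227. It therefore depends on a distribution backport (worth confirming for CentOS 7); where the directive is unknown it is ignored with a warning and the bind fails. Adding `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` next to it would also cap the service at that single capability. The comment above misspells "unprivileged" as "unprivilidged".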
diff --git a/distro/common/systemd/kresd-control@.socket b/distro/common/systemd/kresd-control@.socket
new file mode 100644
index 0000000..6937436
--- /dev/null
+++ b/distro/common/systemd/kresd-control@.socket
@@ -0,0 +1,16 @@
+[Unit]
+Description=Knot Resolver control socket
+Documentation=man:kresd.systemd(7)
+Documentation=man:kresd(8)
+Before=sockets.target
+PartOf=kresd@%i.service
+
+[Socket]
+Service=kresd@%i.service
+ListenStream=/run/knot-resolver/control@%i
+FileDescriptorName=control
+SocketMode=0660
+Slice=system-kresd.slice
+
+[Install]
+WantedBy=sockets.target
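Review bot: The unit sets `SocketMode=0660` without `SocketUser=`/`SocketGroup=`, so ownership of `/run/knot-resolver/control@%i` is left to systemd's default and nothing records that this is intentional. The man page added in this commit describes the socket as a control terminal, so anyone who can open it can presumably reconfigure the running daemon. A comment such as `# control socket: root-only by design, do not widen SocketMode or group`, or explicit `SocketUser=root` and `SocketGroup=root`, would keep later edits from loosening it unnoticed.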
diff --git a/distro/common/systemd/kresd-tls.socket b/distro/common/systemd/kresd-tls.socket
new file mode 100644
index 0000000..ab16c81
--- /dev/null
+++ b/distro/common/systemd/kresd-tls.socket
@@ -0,0 +1,16 @@
+[Unit]
+Description=Knot Resolver TLS network listener
+Documentation=man:kresd.systemd(7)
+Documentation=man:kresd(8)
+Before=sockets.target
+
+[Socket]
+FreeBind=true
+FileDescriptorName=tls
+ListenStream=[::1]:853
+ListenStream=127.0.0.1:853
+Service=kresd@1.service
+Slice=system-kresd.slice
+
+[Install]
+WantedBy=sockets.target
diff --git a/distro/common/systemd/kresd.socket b/distro/common/systemd/kresd.socket
new file mode 100644
index 0000000..9dd9424
--- /dev/null
+++ b/distro/common/systemd/kresd.socket
@@ -0,0 +1,17 @@
+[Unit]
+Description=Knot Resolver network listeners
+Documentation=man:kresd.systemd(7)
+Documentation=man:kresd(8)
+Before=sockets.target
+
+[Socket]
+FreeBind=true
+ListenDatagram=[::1]:53
+ListenStream=[::1]:53
+ListenDatagram=127.0.0.1:53
+ListenStream=127.0.0.1:53
+Service=kresd@1.service
+Slice=system-kresd.slice
+
+[Install]
+WantedBy=sockets.target
diff --git a/distro/common/systemd/kresd.systemd.7 b/distro/common/systemd/kresd.systemd.7
new file mode 100644
index 0000000..420b110
--- /dev/null
+++ b/distro/common/systemd/kresd.systemd.7
@@ -0,0 +1,230 @@
+.TH "kresd.systemd" "7" "2018-06-04" "CZ.NIC" "Knot Resolver Systemd Units"
+.\"
+.\" kresd.systemd.7 -- man page for systemd units for kresd
+.\"
+.\" Copyright (c) 2018, CZ.NIC. All rights reserved.
+.\"
+.\" See COPYING for the license.
+.\"
+.\"
+.SH "NAME"
+kresd.systemd
+\- managing Knot Resolver through systemd.
+
+.SH "SYNOPSIS"
+.nf
+kresd@.service
+kresd.socket
+kresd-tls.socket
+kresd-control@.socket
+kresd.target
+system-kresd.slice
+.fi
+
+.SH "DESCRIPTION"
+.P
+This manual page describes how to manage \fBkresd\fR using \fBsystemd\fR
+units. Depending on your distribution, this can be either be done with
+socket-based activation or without it. The following assumes socket-based activation.
+For differences see \fINOTES\fR below.
+
+\fBkresd\fR daemon can be executed in multiple independent processes, which can be
+managed with \fBsystemd\fR via systemd templates (see \fBsystemd.unit\fR(5)).
+Each \fBsystemd\fR service instance of \fBkresd\fR (\fIkresd@.service\fR) represents a
+single, independent kresd process.
+
+The systemd-managed \fBkresd\fR service set is grouped in the
+\fIsystem-kresd.slice\fR slice. The slice includes one or more
+running daemons (instances of \fIkresd@.service\fR), public listening
+sockets (the same listening sockets are shared by all daemons) and a
+dedicated control socket for each running daemon.
+
+Each instance of \fIkresd@.service\fR has three systemd sockets (see
+\fBsystemd.socket(5)\fR) associated with it:
+
+.nf
+.RS
+\fIkresd.socket\fR - UDP/TCP network socket (default: localhost:53), shared with other instances
+\fIkresd-tls.socket\fR - network socket for DNS-over-TLS (default: localhost:853), shared with other instances
+\fIkresd-control@.socket\fR - UNIX socket with control terminal, dedicated
+.RE
+.fi
+
+.B Configuring network interfaces
+
+When using socket-based activation, the daemon requires neither root privileges
+nor any special capabilities, because the sockets are created by \fBsystemd\fR and
+passed to \fBkresd\fR. This means \fBkresd\fR can't bind to ports below 1024 when
+configured in \fI/etc/knot-resolver/kresd.conf\fR.
+
+To configure \fBkresd\fR to listen on public interfaces, drop-in files (see
+\fBsystemd.unit\fR(5)) should be used. These can be created with:
+
+.nf
+.RS 4n
+.B systemctl edit kresd.socket
+.B systemctl edit kresd-tls.socket
+.RE
+.fi
+
+For example, to configure \fBkresd\fR to listen on 192.0.2.115 on ports 53 and
+853, the drop-in files would look like:
+
+.nf
+.RS 4n
+# /etc/systemd/system/kresd.socket.d/override.conf
+[Socket]
+ListenDatagram=192.0.2.115:53
+ListenStream=192.0.2.115:53
+
+# /etc/systemd/system/kresd-tls.socket.d/override.conf
+[Socket]
+ListenStream=192.0.2.115:853
+.RE
+.fi
+
+For more detailed socket configuration, see \fBsystemd.socket\fR(5).
+
+.B Concurrent daemons
+
+If you have more than one CPU core available, a single running
+\fBkresd\fR daemon will only be able to make use of one core at a
+time, leaving the other cores idle. If you want \fBkresd\fR to take
+advantage of all available cores, while sharing both cache and public
+listening ports, you should enable and start as many instances of the
+\fBkresd@.service\fR as you have cores. Typically, each instance is
+just named \fIkresd@\fBN\fI.service\fR, where \fIN\fR is a decimal
+number. To enable 3 concurrent daemons:
+
+.nf
+.RS 4n
+.B systemctl enable --now kresd@1.service kresd@2.service kresd@3.service
+.RE
+.fi
+
+.B Using system-kresd.slice and kresd.target
+
+The following commands may not work with older systemd (e.g. on CentOS 7).
+See notes for more info.
+
+The easiest way to view the status of systemd-supervised \fBkresd\fR
+instances is to use the \fIsystem-kresd.slice\fR:
+
+.nf
+.RS 4n
+.B systemctl status system-kresd.slice
+.RE
+.fi
+
+You can also use the slice to restart all sockets as well as daemons:
+
+.nf
+.RS 4n
+.B systemctl restart system-kresd.slice
+.RE
+.fi
+
+Or you can use it to stop kresd altogether (e.g. during package removal):
+
+.nf
+.RS 4n
+.B systemctl stop system-kresd.slice
+.RE
+.fi
+
+To start all enabled kresd daemons, use the provided \fIkresd.target\fR:
+
+.nf
+.RS 4n
+.B systemctl start kresd.target
+.RE
+.fi
+
+.SH "NOTES"
+
+.IP * 2
+When an instance of \fIkresd@.service\fR is started, stopped or
+restarted, its associated control socket is also automatically
+started, stopped or restarted, but the public listening sockets remain
+open. As long as either of the public sockets are listening, at least
+\fIkresd@1.service\fR will be automatically activated when a request arrives.
+
+.IP * 2
+If your distribution doesn't use socket-based activation, you can configure the
+network interfaces for \fBkresd\fR in \fI/etc/knot-resolver/kresd.conf\fR. The
+service can be started or enabled in the same way as in the examples below, but
+it doesn't have any sockets associated with it.
+
+.IP * 2
+Controlling the service with \fIsystem-kresd.slice\fR requires newer systemd.
+It may not work in some distributions, notably CentOS 7. To control multiple
+kresd instances, use \fIkresd@*.service\fR or \fIBrace Expansion\fR mentioned
+below.
+
+.SH "EXAMPLES"
+
+.B Single instance
+.RS 4n
+
+To start the service:
+.nf
+.RS 4n
+.B systemctl start kresd@1.service
+.RE
+.fi
+
+To start the service at boot:
+.nf
+.RS 4n
+.B systemctl enable kresd@1.service
+.RE
+.fi
+
+To delay the service startup until some traffic arrives, start (or enable) just
+the sockets:
+.nf
+.RS 4n
+.B systemctl start kresd.socket
+.B systemctl start kresd-tls.socket
+.RE
+.fi
+
+To disable the TLS socket, you can mask it:
+
+.RS 4n
+.B systemctl mask kresd-tls.socket
+.RE
+
+.RE
+
+.B Multiple instances
+.RS 4n
+
+Multiple instances can be handled with the use of \fIBrace Expansion\fR (see
+\fBbash\fR(1)).
+
+To enable multiple concurrent daemons, for example 16:
+.nf
+.RS
+.B systemctl enable kresd@{1..16}.service
+.RE
+.fi
+
+To start all enabled daemons:
+.nf
+.RS
+.B systemctl start kresd.target
+.RE
+.fi
+
+.RE
+
+.SH "SEE ALSO"
+\fIkresd(8)\fR,
+\fIsystemd.unit(5)\fR,
+\fIsystemd.socket(5)\fR,
+\fIhttps://knot-resolver.readthedocs.io\fR
+
+.SH "AUTHORS"
+.B kresd
+developers are mentioned in the AUTHORS file in the distribution.
diff --git a/distro/common/systemd/kresd.target b/distro/common/systemd/kresd.target
new file mode 100644
index 0000000..9b524da
--- /dev/null
+++ b/distro/common/systemd/kresd.target
@@ -0,0 +1,8 @@
+[Unit]
+Description=Knot Resolver daemons
+Documentation=man:kresd.systemd(7)
+Documentation=man:kresd(8)
+After=network-online.target
+
+[Install]
+WantedBy=multi-user.target
diff --git a/distro/common/systemd/kresd@.service b/distro/common/systemd/kresd@.service
new file mode 100644
index 0000000..048aee0
--- /dev/null
+++ b/distro/common/systemd/kresd@.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Knot Resolver daemon
+Documentation=man:kresd.systemd(7)
+Documentation=man:kresd(8)
+
+[Service]
+Type=notify
+WorkingDirectory=/var/cache/knot-resolver
+ExecStart=/usr/sbin/kresd --config=/etc/knot-resolver/kresd.conf
+User=knot-resolver
+Restart=on-failure
+Sockets=kresd.socket
+Sockets=kresd-tls.socket
+Sockets=kresd-control@%i.socket
+
+[Install]
+WantedBy=kresd.target
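Review bot: The `[Service]` section drops to `User=knot-resolver` but applies none of systemd's sandboxing options, so a compromised resolver process keeps the same view of the filesystem and devices as any local user. For a network-facing daemon that parses untrusted DNS data, a baseline like the one below is cheap; each directive should be checked against the oldest systemd the packages target. `ProtectSystem=full` is deliberately not proposed because it makes /etc read-only, which may conflict with trust-anchor updates under /etc/knot-resolver. The empty bounding set would need to be overridden in drop-in/systemd-compat.conf, which relies on CAP_NET_BIND_SERVICE.

```ini
User=knot-resolver
# … unchanged: Restart=, Sockets= …
NoNewPrivileges=true
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=true
CapabilityBoundingSet=
```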
diff --git a/distro/common/tmpfiles/knot-resolver.conf b/distro/common/tmpfiles/knot-resolver.conf
new file mode 100644
index 0000000..9ac5952
--- /dev/null
+++ b/distro/common/tmpfiles/knot-resolver.conf
@@ -0,0 +1,4 @@
+# tmpfiles.d(5) runtime directory for knot-resolver (kresd)
+#Type Path Mode UID GID Age Argument
+ d /run/knot-resolver 0750 root root - -
+ d /var/cache/knot-resolver 0750 knot-resolver knot-resolver - -
diff --git a/distro/deb/NEWS b/distro/deb/NEWS
new file mode 100644
index 0000000..e81403c
--- /dev/null
+++ b/distro/deb/NEWS
@@ -0,0 +1,23 @@
+knot-resolver (2.0.0-1) unstable; urgency=medium
+
+ Knot Resolver systemd service units are now templated, so that multiple
+ processes can run concurrently on multi-core systems. For a full
+ overview of the status of all the running daemons, use:
+
+ systemctl status system-kresd.slice
+
+ For more information about this setup, please see kresd.systemd(7).
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 03 Feb 2018 22:51:02 -0500
+
+knot-resolver (1.1.0~git2016072900-1) unstable; urgency=medium
+
+ Knot Resolver now starts and runs under unprivileged user and uses a
+ socket activations to bind on the privileged ports. That means that if
+ you use anything more complicated than that you need to either override
+ the default service file with `systemd edit kresd.service` and
+ `systemd edit kresd.socket` to add more IP addresses, or just disable
+ it with `systemd mask kresd*.socket kresd.service` and provide your
+ own custom system service file tailored to your needs.
+
+ -- Ondřej Surý <ondrej@debian.org> Thu, 04 Aug 2016 09:04:53 +0200
diff --git a/distro/deb/README.source b/distro/deb/README.source
new file mode 100644
index 0000000..657fc28
--- /dev/null
+++ b/distro/deb/README.source
@@ -0,0 +1,70 @@
+Tracking upstream sources in git
+--------------------------------
+
+This debian package is tracked in the git "debian/master" branch at
+https://salsa.debian.org/dns-team/knot-resolver, which
+includes the commits from the upstream git repository at
+https://gitlab.labs.nic.cz/knot/knot-resolver.git. When importing
+upstream tarballs, make sure you've fetched from the upstream repo
+before using "gbp import-orig" the tarball. We rely on
+upstream-vcs-tag from debian/gbp.conf to link upstream git history
+with new package history.
+
+See Joey Hess's thoughts about why tracking upstream git history is
+useful: https://joeyh.name/blog/entry/upstream_git_repositories/, as
+well as DEP-14 for the branch-naming scheme:
+http://dep.debian.net/deps/dep14/
+
+Rebuilding epoch.js and epoch.css
+---------------------------------
+
+ If you need to rebuild epoch.js and epoch.css using only tools
+ available in Debian, read gulpfile.js in d/missing-sources/epoch/ and
+ adjust following script if any files has been changed. You also need
+ to install ruby-sass, coffeescript and node-uglify
+
+cat > build.sh << EOF
+#!/bin/sh
+
+coffee -b -c \
+ src/epoch.coffee \
+ src/core/context.coffee \
+ src/core/util.coffee \
+ src/core/d3.coffee \
+ src/core/format.coffee \
+ src/core/chart.coffee \
+ src/core/css.coffee \
+ src/data.coffee \
+ src/model.coffee \
+ src/basic.coffee \
+ src/basic/*.coffee \
+ src/time.coffee \
+ src/time/*.coffee \
+ src/adapters.coffee \
+ src/adapters/*.coffee
+
+cat \
+ src/epoch.js \
+ src/core/context.js \
+ src/core/util.js \
+ src/core/d3.js \
+ src/core/format.js \
+ src/core/chart.js \
+ src/core/css.js \
+ src/data.js \
+ src/model.js \
+ src/basic.js \
+ src/basic/*.js \
+ src/time.js \
+ src/time/*.js \
+ src/adapters.js \
+ src/adapters/*.js \
+ > dist/js/epoch.js
+
+uglifyjs dist/js/epoch.js > dist/js/epoch.min.js
+
+sass -t compact sass/epoch.scss > dist/css/epoch.css
+sass -t compressed sass/epoch.scss > dist/css/epoch.min.css
+EOF
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Thu, 22 Feb 2018 13:25:27 -0800
diff --git a/distro/deb/changelog b/distro/deb/changelog
new file mode 100644
index 0000000..b0a6a3f
--- /dev/null
+++ b/distro/deb/changelog
@@ -0,0 +1,6 @@
+knot-resolver (__VERSION__-1) unstable; urgency=medium
+
+ * move changelog to OBS
+ * see NEWS or https://knot-resolver.cz
+
+ -- Tomas Krizek <tomas.krizek@nic.cz> Tue, 20 Feb 2018 19:36:45 +0100
diff --git a/distro/deb/clean b/distro/deb/clean
new file mode 100644
index 0000000..2ef7cbc
--- /dev/null
+++ b/distro/deb/clean
@@ -0,0 +1,4 @@
+doc/kresd.8
+libkres.pc
+lib/libkres.a
+lib/libkres.so.9
diff --git a/distro/deb/compat b/distro/deb/compat
new file mode 100644
index 0000000..ec63514
--- /dev/null
+++ b/distro/deb/compat
@@ -0,0 +1 @@
+9
diff --git a/distro/deb/control b/distro/deb/control
new file mode 100644
index 0000000..012ff2b
--- /dev/null
+++ b/distro/deb/control
@@ -0,0 +1,137 @@
+Source: knot-resolver
+Section: net
+Priority: optional
+Maintainer: Knot Resolver <knot-resolver@labs.nic.cz>
+Uploaders:
+ Tomas Krizek <tomas.krizek@nic.cz>
+Build-Depends-Indep:
+ doxygen,
+ python3-breathe,
+ python3-sphinx,
+ python3-sphinx-rtd-theme,
+Build-Depends:
+ debhelper (>= 9~),
+ dns-root-data,
+ libcmocka-dev (>= 1.0.0),
+ libedit-dev,
+ libgeoip-dev,
+ libgnutls28-dev,
+ libknot-dev (>= 2.7.2),
+ liblmdb-dev,
+ libluajit-5.1-dev,
+ libsystemd-dev (>= 227) [linux-any],
+ libuv1-dev,
+ luajit,
+ pkg-config,
+Homepage: https://www.knot-resolver.cz/
+Rules-Requires-Root: no
+
+Package: knot-resolver
+Architecture: any
+Depends:
+ adduser,
+ dns-root-data,
+ libkres9 (= ${binary:Version}),
+ lua-sec,
+ lua-socket,
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ knot-resolver-module-http,
+Description: caching, DNSSEC-validating DNS resolver
+ The Knot Resolver is a caching full resolver implementation
+ written in C and LuaJIT, including both a resolver library and a
+ daemon. Modular architecture of the library keeps the core tiny and
+ efficient, and provides a state-machine like API for
+ extensions. There are three built-in modules - iterator, cache,
+ validator, and many external.
+ .
+ The Lua modules, switchable and shareable cache, and fast FFI
+ bindings makes it great to tap into resolution process, or be used
+ for your recursive DNS service. It's the OpenResty of DNS.
+ .
+ The server adopts a different scaling strategy than the rest of the
+ DNS recursors - no threading, shared-nothing architecture (except
+ MVCC cache that may be shared). You can start and stop additional
+ nodes depending on the contention without downtime.
+
+Package: knot-resolver-module-http
+Architecture: all
+Depends:
+ libjs-bootstrap,
+ libjs-d3,
+ libjs-jquery,
+ lua-http,
+ lua-mmdb,
+ ${misc:Depends},
+ ${shlibs:Depends},
+Breaks:
+ knot-resolver-module-tinyweb (<< 1.1.0~git20160713-1~),
+Description: HTTP/2 module for Knot Resolver
+ The Knot Resolver is a caching full resolver implementation
+ written in C and LuaJIT, including both a resolver library and a
+ daemon. Modular architecture of the library keeps the core tiny and
+ efficient, and provides a state-machine like API for
+ extensions. There are three built-in modules - iterator, cache,
+ validator, and many external.
+ .
+ This package contains HTTP/2 module for local visualization of the
+ resolver cache and queries.
+
+Package: knot-resolver-doc
+Architecture: all
+Section: doc
+Depends:
+ libjs-jquery,
+ libjs-underscore,
+ ${misc:Depends},
+Description: Documentation for Knot Resolver
+ The Knot Resolver is a caching full resolver implementation
+ written in C and LuaJIT, including both a resolver library and a
+ daemon. Modular architecture of the library keeps the core tiny and
+ efficient, and provides a state-machine like API for
+ extensions. There are three built-in modules - iterator, cache,
+ validator, and many external.
+ .
+ This package contains Knot Resolver Documentation.
+
+Package: libkres9
+Architecture: any
+Section: libs
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
+Breaks:
+ knot-resolver (<< 3.2.0-1),
+Replaces:
+ knot-resolver (<< 3.2.0-1),
+Description: caching, DNSSEC-validating DNS resolver (shared library)
+ The Knot Resolver is a caching full resolver implementation
+ written in C and LuaJIT, including both a resolver library and a
+ daemon. Modular architecture of the library keeps the core tiny and
+ efficient, and provides a state-machine like API for
+ extensions.
+ .
+ This package contains the libkres shared library used by Knot
+ Resolver.
+
+Package: libkres-dev
+Architecture: any
+Section: libdevel
+Depends:
+ libkres9 (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends},
+Breaks:
+ knot-resolver (<< 3.2.0-1),
+Replaces:
+ knot-resolver (<< 3.2.0-1),
+Description: caching, DNSSEC-validating DNS resolver (shared library development files)
+ The Knot Resolver is a caching full resolver implementation
+ written in C and LuaJIT, including both a resolver library and a
+ daemon. Modular architecture of the library keeps the core tiny and
+ efficient, and provides a state-machine like API for
+ extensions.
+ .
+ This package provides development files for use when building against
+ the libkres shared library.
diff --git a/distro/deb/copyright b/distro/deb/copyright
new file mode 100644
index 0000000..10ecbf3
--- /dev/null
+++ b/distro/deb/copyright
@@ -0,0 +1,448 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: knot-resolver
+Source: https://www.knot-resolver.cz/
+
+Files: *
+Copyright: 2015-2018 CZ.NIC
+License: GPL-3.0+
+
+Files: contrib/ccan/asprintf/*
+Copyright: Rusty Russell
+License: Expat
+
+Files: contrib/ccan/compiler/*
+ contrib/ccan/ilog/*
+Copyright: Rusty Russell
+License: CC0
+
+Files: tests/config/tapered/*
+Copyright: 2012-2017, Peter Aronoff
+License: BSD-3-clause
+
+Files: contrib/lmdb/*
+Copyright: 1999-2003 The OpenLDAP Foundation
+License: OpenLDAP
+
+Files: tests/deckard/contrib/libfaketime/*
+Copyright: 2003-2017 Wolfgang Hommel
+License: GPL-2
+
+Files: tests/deckard/contrib/libswrap/*
+Copyright: 2005,2008 Jelmer Vernooij <jelmer@samba.org>
+ 2006-2009 Stefan Metzmacher <metze@samba.org>
+ 2013 Andreas Schneider <asn@samba.org>
+License: BSD-3-clause
+
+Files: contrib/murmurhash3/*
+Copyright: Austin Appleby
+License: CC0-1.0
+
+Files: debian/missing-sources/dygraph-combined.js
+ modules/http/static/dygraph-combined.js
+Copyright: 2006-2014 Dan Vanderkam <danvdk@gmail.com>
+ 2016 Paul Miller
+ 2011 Robert Konigsberg <konigsberg@google.com>
+ 2013 David Eberlein <david.eberlein@ch.sauter-bc.com>
+License: MIT
+
+Files: contrib/ucw/*
+Copyright: 1997-2015 Martin Mares
+ 2005-2014 Tomas Valla
+ 2006 Robert Spalek
+ 2007-2015 Pavel Charvat
+License: LGPL-2.1
+
+Files: contrib/ccan/json/*
+Copyright: 2011 Joey Adams
+License: Expat
+
+Files: lib/generic/map.c lib/generic/map.h
+Copyright: Dan Bernstein
+ Jonas Gehring
+ Adam Langley
+ Marek Vavrusa
+License: public-domain
+
+Files: modules/policy/lua-aho-corasick/*
+Copyright: 2013 CloudFlare, Inc.
+License: BSD-3-CloudFlare
+
+Files: modules/http/static/jquery.js
+Copyright: 2005-2011 John Resig, Brandon Aaron & Jörn Zaefferer
+License: GPL-2 or Expat
+
+Files: modules/http/static/d3.js
+ modules/http/static/topojson.js
+Copyright: 2010-2015 Michael Bostock
+License: BSD-3-clause
+
+Files: modules/http/static/epoch.*
+ debian/missing-sources/epoch/*
+ debian/missing-sources/epoch.*
+Copyright: 2014 Fastly, Inc.
+License: Expat
+
+Files: modules/http/static/datamaps.world.min.js
+Copyright: 2012 Mark DiMarco
+License: Expat
+
+Files: modules/http/static/bootstrap.min.css
+ modules/http/static/bootstrap.min.js
+ modules/http/static/bootstrap-theme.min.css
+ modules/http/static/glyphicons-halflings-regular.woff2
+Copyright: 2012-2016 Thomas Park
+ 2011-2015 Twitter, Inc.
+License: Expat
+
+Files: modules/http/static/selectize.bootstrap3.min.css
+ modules/http/static/selectize.min.css
+ modules/http/static/selectize.min.js
+Copyright: 2013–2015 Brian Reavis & contributors
+License: Apache-2.0
+
+Files: debian/*
+Copyright: 2015 Ondřej Surý <ondrej@debian.org>
+License: GPL-3.0+
+
+License: LGPL-2.1
+ This library is free software; you can redistribute it and/or modify
+ it under the terms of the GNU Lesser General Public License as
+ published by the Free Software Foundation; either version 2.1 of the
+ License, or (at your option) any later version.
+ .
+ This library is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+ .
+ You should have received a copy of the GNU Lesser General Public
+ License along with this library. If not, see <https://www.gnu.org/licenses/>.
+ .
+ On Debian systems, the complete text of the GNU General
+ Public License version 3 can be found in "/usr/share/common-licenses/LGPL-2.1".
+
+License: GPL-3.0+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <https://www.gnu.org/licenses/>.
+ .
+ On Debian systems, the complete text of the GNU General
+ Public License version 3 can be found in "/usr/share/common-licenses/GPL-3".
+
+License: Expat
+ Permission is hereby granted, free of charge, to any person obtaining
+ a copy of this software and associated documentation files (the
+ "Software"), to deal in the Software without restriction, including
+ without limitation the rights to use, copy, modify, merge, publish,
+ distribute, sublicense, and/or sell copies of the Software, and to
+ permit persons to whom the Software is furnished to do so, subject to
+ the following conditions:
+ .
+ The above copyright notice and this permission notice shall be
+ included in all copies or substantial portions of the Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ SOFTWARE.
+
+License: CC0
+ Statement of Purpose
+ .
+ The laws of most jurisdictions throughout the world automatically
+ confer exclusive Copyright and Related Rights (defined below) upon
+ the creator and subsequent owner(s) (each and all, an "owner") of an
+ original work of authorship and/or a database (each, a "Work").
+ .
+ Certain owners wish to permanently relinquish those rights to a Work
+ for the purpose of contributing to a commons of creative, cultural
+ and scientific works ("Commons") that the public can reliably and
+ without fear of later claims of infringement build upon, modify,
+ incorporate in other works, reuse and redistribute as freely as
+ possible in any form whatsoever and for any purposes, including
+ without limitation commercial purposes. These owners may contribute
+ to the Commons to promote the ideal of a free culture and the further
+ production of creative, cultural and scientific works, or to gain
+ reputation or greater distribution for their Work in part through the
+ use and efforts of others.
+ .
+ For these and/or other purposes and motivations, and without any
+ expectation of additional consideration or compensation, the person
+ associating CC0 with a Work (the "Affirmer"), to the extent that he
+ or she is an owner of Copyright and Related Rights in the Work,
+ voluntarily elects to apply CC0 to the Work and publicly distribute
+ the Work under its terms, with knowledge of his or her Copyright and
+ Related Rights in the Work and the meaning and intended legal effect
+ of CC0 on those rights.
+ .
+ 1. Copyright and Related Rights. A Work made available under CC0 may
+ be protected by copyright and related or neighboring rights
+ ("Copyright and Related Rights"). Copyright and Related Rights
+ include, but are not limited to, the following:
+ .
+ i. the right to reproduce, adapt, distribute, perform, display,
+ communicate, and translate a Work;
+ ii. moral rights retained by the original author(s) and/or
+ performer(s);
+ iii. publicity and privacy rights pertaining to a person's image or
+ likeness depicted in a Work;
+ iv. rights protecting against unfair competition in regards to a
+ Work, subject to the limitations in paragraph 4(a), below;
+ v. rights protecting the extraction, dissemination, use and reuse
+ of data in a Work;
+ vi. database rights (such as those arising under Directive 96/9/EC
+ of the European Parliament and of the Council of 11 March 1996
+ on the legal protection of databases, and under any national
+ implementation thereof, including any amended or successor
+ version of such directive); and
+ vii. other similar, equivalent or corresponding rights throughout
+ the world based on applicable law or treaty, and any national
+ implementations thereof.
+ .
+ 2. Waiver. To the greatest extent permitted by, but not in
+ contravention of, applicable law, Affirmer hereby overtly, fully,
+ permanently, irrevocably and unconditionally waives, abandons, and
+ surrenders all of Affirmer's Copyright and Related Rights and
+ associated claims and causes of action, whether now known or
+ unknown (including existing as well as future claims and causes of
+ action), in the Work (i) in all territories worldwide, (ii) for
+ the maximum duration provided by applicable law or treaty
+ (including future time extensions), (iii) in any current or future
+ medium and for any number of copies, and (iv) for any purpose
+ whatsoever, including without limitation commercial, advertising
+ or promotional purposes (the "Waiver"). Affirmer makes the Waiver
+ for the benefit of each member of the public at large and to the
+ detriment of Affirmer's heirs and successors, fully intending that
+ such Waiver shall not be subject to revocation, rescission,
+ cancellation, termination, or any other legal or equitable action
+ to disrupt the quiet enjoyment of the Work by the public as
+ contemplated by Affirmer's express Statement of Purpose.
+ .
+ 3. Public License Fallback. Should any part of the Waiver for any
+ reason be judged legally invalid or ineffective under applicable
+ law, then the Waiver shall be preserved to the maximum extent
+ permitted taking into account Affirmer's express Statement of
+ Purpose. In addition, to the extent the Waiver is so judged
+ Affirmer hereby grants to each affected person a royalty-free, non
+ transferable, non sublicensable, non exclusive, irrevocable and
+ unconditional license to exercise Affirmer's Copyright and Related
+ Rights in the Work (i) in all territories worldwide, (ii) for the
+ maximum duration provided by applicable law or treaty (including
+ future time extensions), (iii) in any current or future medium and
+ for any number of copies, and (iv) for any purpose whatsoever,
+ including without limitation commercial, advertising or
+ promotional purposes (the "License"). The License shall be deemed
+ effective as of the date CC0 was applied by Affirmer to the
+ Work. Should any part of the License for any reason be judged
+ legally invalid or ineffective under applicable law, such partial
+ invalidity or ineffectiveness shall not invalidate the remainder
+ of the License, and in such case Affirmer hereby affirms that he
+ or she will not (i) exercise any of his or her remaining Copyright
+ and Related Rights in the Work or (ii) assert any associated
+ claims and causes of action with respect to the Work, in either
+ case contrary to Affirmer's express Statement of Purpose.
+ .
+ 4. Limitations and Disclaimers.
+ .
+ a. No trademark or patent rights held by Affirmer are waived,
+ abandoned, surrendered, licensed or otherwise affected by this
+ document.
+ b. Affirmer offers the Work as-is and makes no representations or
+ warranties of any kind concerning the Work, express, implied,
+ statutory or otherwise, including without limitation warranties
+ of title, merchantability, fitness for a particular purpose, non
+ infringement, or the absence of latent or other defects,
+ accuracy, or the present or absence of errors, whether or not
+ discoverable, all to the greatest extent permissible under
+ applicable law.
+ c. Affirmer disclaims responsibility for clearing rights of other
+ persons that may apply to the Work or any use thereof, including
+ without limitation any person's Copyright and Related Rights in
+ the Work. Further, Affirmer disclaims responsibility for
+ obtaining any necessary consents, permissions or other rights
+ required for any use of the Work.
+ d. Affirmer understands and acknowledges that Creative Commons is
+ not a party to this document and has no duty or obligation with
+ respect to this CC0 or use of the Work.
+
+License: BSD-3-CloudFlare
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ .
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ .
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in
+ the documentation and/or other materials provided with the
+ distribution.
+ .
+ 3. Neither the name of CloudFlare, Inc. nor the names of its
+ contributors may be used to endorse or promote products derived
+ from this software without specific prior written permission.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+License: BSD-3-clause
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ .
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ .
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ .
+ 3. Neither the name of the author nor the names of its contributors
+ may be used to endorse or promote products derived from this software
+ without specific prior written permission.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGE.
+
+
+License: GPL-2
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+ .
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License along
+ with this program; if not, write to the Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ .
+ On Debian systems, the complete text of the GNU General Public
+ License version 2 can be found in "/usr/share/common-licenses/GPL-2".
+
+License: Apache-2.0
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+ .
+ https://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ .
+ On Debian systems, the full text of the Apache Software License version 2 can
+ be found in the file `/usr/share/common-licenses/Apache-2.0'.
+
+License: MIT
+ Permission is hereby granted, free of charge, to any person obtaining
+ a copy of this software and associated documentation files (the
+ "Software"), to deal in the Software without restriction, including
+ without limitation the rights to use, copy, modify, merge, publish,
+ distribute, sublicense, and/or sell copies of the Software, and to
+ permit persons to whom the Software is furnished to do so, subject to
+ the following conditions:
+ .
+ The above copyright notice and this permission notice shall be
+ included in all copies or substantial portions of the Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ SOFTWARE.
+
+License: OpenLDAP
+ Redistribution and use of this software and associated documentation
+ ("Software"), with or without modification, are permitted provided
+ that the following conditions are met:
+ .
+ 1. Redistributions in source form must retain copyright statements
+ and notices,
+ .
+ 2. Redistributions in binary form must reproduce applicable copyright
+ statements and notices, this list of conditions, and the following
+ disclaimer in the documentation and/or other materials provided
+ with the distribution, and
+ .
+ 3. Redistributions must contain a verbatim copy of this document.
+ .
+ The OpenLDAP Foundation may revise this license from time to time.
+ Each revision is distinguished by a version number. You may use
+ this Software under terms of this license revision or under the
+ terms of any subsequent revision of the license.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS
+ CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+ SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S)
+ OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT,
+ INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ .
+ The names of the authors and copyright holders must not be used in
+ advertising or otherwise to promote the sale, use or other dealing
+ in this Software without specific, written prior permission. Title
+ to copyright in this Software shall at all times remain with copyright
+ holders.
+ .
+ OpenLDAP is a registered trademark of the OpenLDAP Foundation.
+
+License: CC0-1.0
+ This work is licensed under the "Creative Commons Zero" license.
+ .
+ On debian systems, a copy of the Creative Commons Zero license may be
+ found at /usr/share/common-licenses/CC0-1.0.
+
+License: public-domain
+ This work has been released into the public domain. The map
+ implementation builds off of prior public domain work from Dan
+ Bernstein (qhasm) and Adam Langley (critbit).
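Review bot: The `License: LGPL-2.1` stanza closes by saying that "the complete text of the GNU General Public License version 3" is found in `/usr/share/common-licenses/LGPL-2.1`, which names the wrong licence for that path and looks copied from the GPL-3.0+ stanza below it. The sentence should read `On Debian systems, the complete text of the GNU Lesser General Public License version 2.1 can be found in "/usr/share/common-licenses/LGPL-2.1".` Separately, the `Files: debian/*` and `debian/missing-sources/...` patterns name a `debian/` directory, while this commit places the packaging under `distro/deb/`. They presumably match only once that directory is copied into place at build time, which is worth confirming because licence scanners read these patterns literally.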
diff --git a/distro/deb/docs b/distro/deb/docs
new file mode 100644
index 0000000..b43bf86
--- /dev/null
+++ b/distro/deb/docs
@@ -0,0 +1 @@
+README.md
diff --git a/distro/deb/init-d-script b/distro/deb/init-d-script
new file mode 100755
index 0000000..334dc32
--- /dev/null
+++ b/distro/deb/init-d-script
@@ -0,0 +1,239 @@
+#!/bin/sh
+# See init-d-script(5) for instructions on how to use this library.
+#=============================================================================
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh
+# script. Scripts running before mountnfs.sh should remove the /usr/*
+# entries.
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+export PATH
+
+is_call_implemented() {
+ command -V $1 > /dev/null 2>&1
+}
+
+do_usage() {
+ if is_call_implemented do_reload ; then
+ echo "Usage: $SCRIPTNAME {start|stop|status|reload|restart|try-restart|force-reload}" >&2
+ else
+ echo "Usage: $SCRIPTNAME {start|stop|status|restart|try-restart|force-reload}" >&2
+ fi
+}
+
+call() {
+ cmd="$1"
+ shift
+ if is_call_implemented ${cmd}_override ; then
+ ${cmd}_override "$@"
+ else
+ ${cmd} "$@"
+ fi
+}
+
+#
+# Function that starts the daemon/service
+#
+
+# Return
+# 0 if daemon has been started
+# 1 if daemon was already running
+# 2 if daemon could not be started
+do_start_cmd() {
+ start-stop-daemon --start --quiet ${PIDFILE:+--pidfile ${PIDFILE}} \
+ $START_ARGS \
+ --startas $DAEMON --name $NAME --exec $DAEMON --test > /dev/null \
+ || return 1
+ start-stop-daemon --start --quiet ${PIDFILE:+--pidfile ${PIDFILE}} \
+ $START_ARGS \
+ --startas $DAEMON --name $NAME --exec $DAEMON -- $DAEMON_ARGS \
+ || return 2
+ # Add code here, if necessary, that waits for the process to be ready
+ # to handle requests from services started subsequently which depend
+ # on this one. As a last resort, sleep for some time.
+}
+
+do_start()
+{
+ if is_call_implemented do_start_prepare ; then
+ call do_start_prepare
+ fi
+ [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+ call do_start_cmd
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ if is_call_implemented do_start_cleanup ; then
+ call do_start_cleanup
+ fi
+}
+
+#
+# Function that stops the daemon/service
+#
+
+# Return
+# 0 if daemon has been stopped
+# 1 if daemon was already stopped
+# 2 if daemon could not be stopped
+# other if a failure occurred
+do_stop_cmd() {
+ start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 \
+ $STOP_ARGS \
+ ${PIDFILE:+--pidfile ${PIDFILE}} --name $NAME --exec $DAEMON
+ RETVAL="$?"
+ [ "$RETVAL" = 2 ] && return 2
+ # Wait for children to finish too if this is a daemon that forks
+ # and if the daemon is only ever run from this initscript.
+ # If the above conditions are not satisfied then add some other code
+ # that waits for the process to drop all resources that could be
+ # needed by services started subsequently. A last resort is to
+ # sleep for some time.
+ start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 \
+ $STOP_ARGS \
+ --exec $DAEMON
+ [ "$?" = 2 ] && return 2
+ # Many daemons don't delete their pidfiles when they exit.
+ rm -f $PIDFILE
+ return $RETVAL
+}
+
+do_stop()
+{
+ if is_call_implemented do_stop_prepare ; then
+ call do_stop_prepare
+ fi
+ [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+ call do_stop_cmd
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ if is_call_implemented do_stop_cleanup ; then
+ call do_stop_cleanup
+ fi
+}
+
+do_restart() {
+ [ "$VERBOSE" != no ] && log_daemon_msg "Restarting $DESC" "$NAME"
+ call do_stop_cmd
+ call do_start_cmd
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+}
+
+do_force_reload() {
+ if is_call_implemented do_reload ; then
+ call do_reload
+ else
+ call do_restart
+ fi
+}
+
+# Enable this using
+# alias do_reload=do_reload_sigusr1
+do_reload_sigusr1() {
+ log_daemon_msg "Reloading $DESC configuration files" "$NAME"
+ start-stop-daemon --oknodo --stop --signal 1 --quiet \
+ --pidfile "$PIDFILE" --exec "$DAEMON"
+ log_end_msg $?
+}
+
+do_status() {
+ status_of_proc "$DAEMON" "$NAME" && return 0 || return $?
+}
+
+if [ "$DEBUG" = "true" ] ; then
+ set -x
+fi
+
+SCRIPTNAME=$1
+scriptbasename="$(basename $1)"
+if [ "$scriptbasename" != "init-d-script" ] ; then
+ script="$1"
+ shift
+ . $script
+else
+ exit 0
+fi
+
+NAME=${NAME:=$(basename $DAEMON)}
+DESC=${DESC:=$NAME}
+
+# Do not use pid file if $PIDFILE is 'none'. Otherwise, generate from
+# $NAME or use the value provided by the init.d script.
+if [ none = "$PIDFILE" ] ; then
+ PIDFILE=
+elif [ -z "$PIDFILE" ] ; then
+ PIDFILE=/var/run/$NAME.pid
+fi
+
+# Exit if the package is not installed
+if [ none != "$DAEMON" ] && [ ! -x "$DAEMON" ] ; then
+ exit 0
+fi
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+if [ -t 0 ] ; then # Be verbose when called from a terminal
+ VERBOSE=yes
+fi
+
+case "$1" in
+ start)
+ call do_start
+ ;;
+ stop)
+ call do_stop
+ ;;
+ status)
+ call do_status
+ ;;
+ reload)
+ if is_call_implemented do_reload ; then
+ do_reload
+ else
+ call do_usage
+ exit 3
+ fi
+ ;;
+ force-reload)
+ call do_force_reload
+ ;;
+ restart)
+ call do_restart
+ ;;
+ try-restart)
+ log_daemon_msg "Trying to restart $DESC" "$NAME"
+ if call do_status > /dev/null 2>&1 ; then
+ call do_restart
+ log_end_msg $?
+ else
+ log_progress_msg "is not running."
+ log_end_msg 1
+ fi
+ ;;
+ '')
+ call do_usage
+ exit 3
+ ;;
+ *)
+ if is_call_implemented do_unknown ; then
+ call do_unknown "$1"
+ exit 3
+ else
+ call do_usage
+ exit 3
+ fi
+ ;;
+esac
+exit 0
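Review bot: `do_restart` discards the status of `call do_stop_cmd` and goes straight to `call do_start_cmd`, so a daemon that could not be stopped (return 2) is still followed by a start attempt. In that case the `--test` probe in `do_start_cmd` returns 1 ("already running"), which the `0|1)` arm logs as success, so the restart appears to work while the old process keeps running. That matters when the restart is meant to pick up a changed binary or configuration. Checking the stop result before starting would close the gap, for example `call do_stop_cmd; [ "$?" -lt 2 ] || { log_end_msg 1; return 2; }`. The `try-restart` branch has the same gap, because it logs whatever `do_restart` returns.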
diff --git a/distro/deb/knot-resolver-doc.doc-base b/distro/deb/knot-resolver-doc.doc-base
new file mode 100644
index 0000000..f82b8ba
--- /dev/null
+++ b/distro/deb/knot-resolver-doc.doc-base
@@ -0,0 +1,11 @@
+Document: knot-resolver
+Title: Knot Resolver documentation
+Author: CZ.NIC labs
+Abstract: Documentation for the Knot Resolver,
+ including building from source, using the library,
+ and configuration and operation of the daemon.
+Section: Network/Communication
+
+Format: HTML
+Index: /usr/share/doc/knot-resolver/index.html
+Files: /usr/share/doc/knot-resolver/*.html
diff --git a/distro/deb/knot-resolver-doc.docs b/distro/deb/knot-resolver-doc.docs
new file mode 100644
index 0000000..3ff7356
--- /dev/null
+++ b/distro/deb/knot-resolver-doc.docs
@@ -0,0 +1 @@
+doc/html/*
diff --git a/distro/deb/knot-resolver-doc.links b/distro/deb/knot-resolver-doc.links
new file mode 100644
index 0000000..4c7c74f
--- /dev/null
+++ b/distro/deb/knot-resolver-doc.links
@@ -0,0 +1,2 @@
+usr/share/javascript/jquery/jquery.min.js usr/share/doc/knot-resolver/_static/jquery.js
+usr/share/javascript/underscore/underscore.min.js usr/share/doc/knot-resolver/_static/underscore.js
diff --git a/distro/deb/knot-resolver-module-http.install b/distro/deb/knot-resolver-module-http.install
new file mode 100644
index 0000000..3c2d56b
--- /dev/null
+++ b/distro/deb/knot-resolver-module-http.install
@@ -0,0 +1,6 @@
+usr/lib/knot-resolver/http.lua
+usr/lib/knot-resolver/http/*.css
+usr/lib/knot-resolver/http/*.ico
+usr/lib/knot-resolver/http/*.js
+usr/lib/knot-resolver/http/*.tpl
+usr/lib/knot-resolver/http/*.woff2
diff --git a/distro/deb/knot-resolver-module-http.links b/distro/deb/knot-resolver-module-http.links
new file mode 100644
index 0000000..322529c
--- /dev/null
+++ b/distro/deb/knot-resolver-module-http.links
@@ -0,0 +1,5 @@
+/usr/share/javascript/bootstrap/css/bootstrap-theme.min.css /usr/lib/knot-resolver/http/bootstrap-theme.min.css
+/usr/share/javascript/bootstrap/css/bootstrap.min.css /usr/lib/knot-resolver/http/bootstrap.min.css
+/usr/share/javascript/bootstrap/js/bootstrap.min.js /usr/lib/knot-resolver/http/bootstrap.min.js
+/usr/share/javascript/d3/d3.min.js /usr/lib/knot-resolver/http/d3.js
+/usr/share/javascript/jquery/jquery.min.js /usr/lib/knot-resolver/http/jquery.js
diff --git a/distro/deb/knot-resolver-module-tinyweb.install b/distro/deb/knot-resolver-module-tinyweb.install
new file mode 100644
index 0000000..905241c
--- /dev/null
+++ b/distro/deb/knot-resolver-module-tinyweb.install
@@ -0,0 +1 @@
+usr/lib/knot-resolver/tinyweb/*
diff --git a/distro/deb/knot-resolver.dirs b/distro/deb/knot-resolver.dirs
new file mode 100644
index 0000000..472b32a
--- /dev/null
+++ b/distro/deb/knot-resolver.dirs
@@ -0,0 +1,3 @@
+/etc/knot-resolver
+/usr/share/doc/knot-resolver/examples/
+/var/lib/knot-resolver
diff --git a/distro/deb/knot-resolver.install b/distro/deb/knot-resolver.install
new file mode 100644
index 0000000..d6c9b10
--- /dev/null
+++ b/distro/deb/knot-resolver.install
@@ -0,0 +1,38 @@
+debian/init-d-script usr/lib/knot-resolver/
+debian/kresd.conf etc/knot-resolver/
+etc/knot-resolver/config.* /usr/share/doc/knot-resolver/examples/
+distro/common/systemd/kresd-control@.socket lib/systemd/system/
+distro/common/systemd/kresd-tls.socket lib/systemd/system/
+distro/common/systemd/kresd.socket lib/systemd/system/
+distro/common/systemd/kresd@.service lib/systemd/system/
+distro/common/systemd/kresd.target lib/systemd/system/
+distro/common/tmpfiles/knot-resolver.conf usr/lib/tmpfiles.d/
+usr/lib/knot-resolver/*.so
+usr/lib/knot-resolver/basexx.lua
+usr/lib/knot-resolver/daf.lua
+usr/lib/knot-resolver/daf/
+usr/lib/knot-resolver/detect_time_jump.lua
+usr/lib/knot-resolver/detect_time_skew.lua
+usr/lib/knot-resolver/dns64.lua
+usr/lib/knot-resolver/etcd.lua
+usr/lib/knot-resolver/experimental_dot_auth.lua
+usr/lib/knot-resolver/graphite.lua
+usr/lib/knot-resolver/http_trace.lua
+usr/lib/knot-resolver/kres-gen.lua
+usr/lib/knot-resolver/kres.lua
+usr/lib/knot-resolver/policy.lua
+usr/lib/knot-resolver/predict.lua
+usr/lib/knot-resolver/prefill.lua
+usr/lib/knot-resolver/priming.lua
+usr/lib/knot-resolver/prometheus.lua
+usr/lib/knot-resolver/rebinding.lua
+usr/lib/knot-resolver/renumber.lua
+usr/lib/knot-resolver/serve_stale.lua
+usr/lib/knot-resolver/ta_sentinel.lua
+usr/lib/knot-resolver/ta_signal_query.lua
+usr/lib/knot-resolver/trust_anchors.lua
+usr/lib/knot-resolver/view.lua
+usr/lib/knot-resolver/workarounds.lua
+usr/lib/knot-resolver/zonefile.lua
+usr/sbin/kresc
+usr/sbin/kresd
diff --git a/distro/deb/knot-resolver.kresd.default b/distro/deb/knot-resolver.kresd.default
new file mode 100644
index 0000000..f7c46e5
--- /dev/null
+++ b/distro/deb/knot-resolver.kresd.default
@@ -0,0 +1,13 @@
+# /etc/default/kresd
+
+# This file is used only under sysvinit. If you use systemd and you
+# want to modify the arguments with which kresd is invoked, you should
+# instead use "systemctl edit kresd@.service" to override ExecStart=
+# in the [Service] section (see kresd.systemd(7) for more details).
+
+# For sysvinit users: KRESD_ARGS used to exist for historical reasons,
+# but that variable is deprecated and may stop working at some point
+# in the future. You are encouraged to merge any local changes into
+# DAEMON_ARGS directly.
+
+DAEMON_ARGS="--config=/etc/knot-resolver/kresd.conf --addr=127.0.0.1#53 --addr=::1#53 $KRESD_ARGS"
diff --git a/distro/deb/knot-resolver.kresd.init b/distro/deb/knot-resolver.kresd.init
new file mode 100644
index 0000000..b1361fd
--- /dev/null
+++ b/distro/deb/knot-resolver.kresd.init
@@ -0,0 +1,59 @@
+#!/bin/sh
+# kFreeBSD do not accept scripts as interpreters, using #!/bin/sh and sourcing.
+if [ true != "$INIT_D_SCRIPT_SOURCED" ] ; then
+ if [ -x /lib/init/init-d-script ]; then
+ set "$0" "$@"; INIT_D_SCRIPT_SOURCED=true . /lib/init/init-d-script
+ else
+ set "$0" "$@"; INIT_D_SCRIPT_SOURCED=true . /usr/lib/knot-resolver/init-d-script
+ fi
+fi
+### BEGIN INIT INFO
+# Provides: kresd
+# Required-Start: $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Knot Resolver
+# Description: Knot Resolver
+### END INIT INFO
+
+# Author: Ondřej Surý <ondrej@debian.org>
+
+NAME=kresd
+DESC="Knot Resolver"
+DAEMON=/usr/sbin/kresd
+START_ARGS="--background --make-pidfile"
+
+do_tmpfiles() {
+ local tmpfile type path mode user group age argument
+ tmpfile=/usr/lib/tmpfiles.d/$1.conf
+ if [ -r "$tmpfile" ]; then
+ if [ -x /bin/systemd-tmpfiles ]; then
+ /bin/systemd-tmpfiles --create "$tmpfile"
+ else
+ while read type path mode user group age argument; do
+ case "$type" in
+ d)
+ mkdir -p "$path";
+ chmod "$mode" "$path";
+ chown "$user:$group" "$path";
+ ;;
+ L)
+ if [ ! -e "$path" ]; then ln -s "$argument" "$path"; fi
+ ;;
+ \#*)
+ ;;
+ *)
+ log_warning_msg "tmpfile.d type '$type' is not supported yet"
+ ;;
+ esac
+ done < "$tmpfile"
+ fi
+ else
+ log_warning_msg "tmpfiles.d file '$1' doesn't exist or is not readable"
+ fi
+}
+
+do_start_prepare() {
+ do_tmpfiles knot-resolver
+}
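Review bot: The sysvinit fallback in `do_tmpfiles` parses the tmpfiles.d file with a bare `read`, so backslashes are interpreted and a blank line would fall through to the `*)` branch and log a spurious "type '' is not supported" warning. `while read -r type path mode user group age argument; do` together with a `''|\#*)` pattern for the skip case covers both. The `d)` branch also hands `$mode`, `$user` and `$group` straight to `chmod` and `chown`; if the file uses the tmpfiles.d `-` placeholder for any of them (the file is not part of this hunk), those calls fail, so a guard such as `[ "$mode" = "-" ] || chmod "$mode" "$path"` is worth adding. Because this loop runs as root and `chmod`/`chown` follow symlinks, a comment stating that the listed paths must live under root-owned parents would document the assumption.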
diff --git a/distro/deb/knot-resolver.links b/distro/deb/knot-resolver.links
new file mode 100644
index 0000000..8196524
--- /dev/null
+++ b/distro/deb/knot-resolver.links
@@ -0,0 +1,2 @@
+dev/null lib/systemd/system/kresd.service
+lib/systemd/system/kresd.target lib/systemd/system/multi-user.target.wants/kresd.target
diff --git a/distro/deb/knot-resolver.manpages b/distro/deb/knot-resolver.manpages
new file mode 100644
index 0000000..9f97677
--- /dev/null
+++ b/distro/deb/knot-resolver.manpages
@@ -0,0 +1,2 @@
+debian/tmp/usr/share/man/man8/kresd.8
+distro/common/systemd/kresd.systemd.7
diff --git a/distro/deb/knot-resolver.postinst b/distro/deb/knot-resolver.postinst
new file mode 100644
index 0000000..7c4bc5b
--- /dev/null
+++ b/distro/deb/knot-resolver.postinst
@@ -0,0 +1,30 @@
+#!/bin/sh
+set -e
+
+if [ "$1" = "configure" ]; then
+ adduser --quiet --system --group --no-create-home --home /var/cache/knot-resolver knot-resolver
+fi
+
+# Restart any running kresd instances if the root key is updated.
+# Note: if knot-resolver upstream watches this file and reloads it
+# upon a change, we can and should remove this trigger.
+if [ "$1" = "triggered" ]; then
+ if [ "$2" = "/usr/share/dns/root.key" ]; then
+ # systemctl of the sub-services is the preferred method to restart
+ systemctl try-restart 'kresd@*.service' || true
+ # but if we are running sysvinit, we can try to restart that process anyway
+ # (kresd.service is masked on systems that use systemd)
+ invoke-rc.d kresd try-restart || true
+ fi
+ exit 0
+fi
+
+if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
+ if [ -d /run/systemd/system ]; then
+ systemctl try-restart 'kresd@*.service' || true
+ else
+ invoke-rc.d kresd try-restart || true
+ fi
+fi
+
+#DEBHELPER#
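Review bot: The `triggered` branch calls both `systemctl try-restart` and `invoke-rc.d kresd try-restart` unconditionally, while the `configure` branch below picks one of them with `[ -d /run/systemd/system ]`; using the same test in both places avoids running `systemctl` on sysvinit hosts and `invoke-rc.d` against the masked `kresd.service`. Both restarts end in `|| true`, so a failed restart after a root key update is silent and kresd keeps running with the previous trust anchors. Replacing the bare `|| true` with a message on stderr, e.g. `|| echo "kresd restart failed; restart it manually to load the new root key" >&2`, keeps the trigger non-fatal but makes the failure visible.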
diff --git a/distro/deb/knot-resolver.postrm b/distro/deb/knot-resolver.postrm
new file mode 100644
index 0000000..d67739e
--- /dev/null
+++ b/distro/deb/knot-resolver.postrm
@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+
+if [ "$1" = "remove" ] && [ -x "/bin/systemctl" ]; then
+ systemctl stop system-kresd.slice || true
+fi
+
+#DEBHELPER#
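Review bot: The guard `[ -x "/bin/systemctl" ]` checks that the binary is installed, not that systemd is the running init, and it differs from the `[ -d /run/systemd/system ]` test used in this package's postinst. `if [ "$1" = "remove" ] && [ -d /run/systemd/system ]; then` would match the postinst and would not depend on where the binary lives.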
diff --git a/distro/deb/knot-resolver.triggers b/distro/deb/knot-resolver.triggers
new file mode 100644
index 0000000..e8d8246
--- /dev/null
+++ b/distro/deb/knot-resolver.triggers
@@ -0,0 +1 @@
+interest-noawait /usr/share/dns/root.key
diff --git a/distro/deb/kresd.conf b/distro/deb/kresd.conf
new file mode 100644
index 0000000..e452f0e
--- /dev/null
+++ b/distro/deb/kresd.conf
@@ -0,0 +1,19 @@
+-- vim:syntax=lua:
+-- Refer to manual: http://knot-resolver.readthedocs.org/en/latest/daemon.html#configuration
+
+-- Load useful modules
+modules = {
+ 'hints > iterate', -- Load /etc/hosts and allow custom root hints
+ 'stats', -- Track internal statistics
+ 'predict', -- Prefetch expiring/frequent records
+}
+
+-- See kresd.systemd(7) about configuring network interfaces when using systemd
+-- Listen on localhost (default)
+-- net = { '127.0.0.1', '::1' }
+
+-- To disable DNSSEC validation, uncomment the following line (not recommended)
+-- trust_anchors.keyfile_default = nil
+
+-- Cache size
+cache.size = 100 * MB
diff --git a/distro/deb/libkres-dev.install b/distro/deb/libkres-dev.install
new file mode 100644
index 0000000..d565b38
--- /dev/null
+++ b/distro/deb/libkres-dev.install
@@ -0,0 +1,3 @@
+usr/include/libkres/*.h
+usr/lib/*.so
+usr/lib/pkgconfig/libkres.pc
diff --git a/distro/deb/libkres9.install b/distro/deb/libkres9.install
new file mode 100644
index 0000000..093956b
--- /dev/null
+++ b/distro/deb/libkres9.install
@@ -0,0 +1 @@
+usr/lib/*.so.*
diff --git a/distro/deb/libkres9.symbols b/distro/deb/libkres9.symbols
new file mode 100644
index 0000000..444e333
--- /dev/null
+++ b/distro/deb/libkres9.symbols
@@ -0,0 +1,144 @@
+libkres.so.9 libkres9 #MINVER#
+ cache_api@Base 2.1.0
+ iterate_api@Base 2.1.0
+ kr_bitcmp@Base 2.1.0
+ kr_cache_clear@Base 2.1.0
+ kr_cache_close@Base 2.1.0
+ kr_cache_closest_apex@Base 3.1.0
+ kr_cache_emergency_file_to_remove@Base 3.1.0
+ kr_cache_insert_rr@Base 3.0.0
+ kr_cache_match@Base 3.1.0
+ kr_cache_materialize@Base 2.1.0
+ kr_cache_open@Base 2.1.0
+ kr_cache_peek_exact@Base 2.1.0
+ kr_cache_remove@Base 3.1.0
+ kr_cache_remove_subtree@Base 3.1.0
+ kr_cache_sync@Base 2.1.0
+ kr_cache_ttl@Base 2.1.0
+ kr_cdb_lmdb@Base 2.1.0
+ kr_crypto_cleanup@Base 2.1.0
+ kr_crypto_init@Base 2.1.0
+ kr_crypto_reinit@Base 2.1.0
+ kr_dnssec_key_ksk@Base 2.1.0
+ kr_dnssec_key_match@Base 2.1.0
+ kr_dnssec_key_revoked@Base 2.1.0
+ kr_dnssec_key_tag@Base 2.1.0
+ kr_dnssec_key_zsk@Base 2.1.0
+ kr_family_len@Base 2.1.0
+ kr_inaddr@Base 2.1.0
+ kr_inaddr_family@Base 2.1.0
+ kr_inaddr_len@Base 2.1.0
+ kr_inaddr_port@Base 2.1.0
+ kr_inaddr_set_port@Base 3.1.0
+ kr_inaddr_str@Base 2.1.0
+ kr_log_qverbose_impl@Base 3.2.0
+ kr_log_trace@Base 2.1.0
+ kr_log_verbose@Base 2.1.0
+ kr_make_query@Base 3.0.0
+ kr_memreserve@Base 2.1.0
+ kr_module_call@Base 2.1.0
+ kr_module_embedded@Base 2.1.0
+ kr_module_load@Base 2.1.0
+ kr_module_unload@Base 2.1.0
+ kr_now@Base 2.1.0
+ kr_nsrep_elect@Base 2.1.0
+ kr_nsrep_elect_addr@Base 2.1.0
+ kr_nsrep_set@Base 2.1.0
+ kr_nsrep_sort@Base 3.2.0
+ kr_nsrep_update_rep@Base 2.1.0
+ kr_nsrep_update_rtt@Base 2.1.0
+ kr_pkt_clear_payload@Base 2.1.0
+ kr_pkt_make_auth_header@Base 2.1.0
+ kr_pkt_put@Base 2.1.0
+ kr_pkt_qclass@Base 3.0.0
+ kr_pkt_qtype@Base 3.0.0
+ kr_pkt_recycle@Base 2.1.0
+ kr_qflags_clear@Base 2.1.0
+ kr_qflags_set@Base 2.1.0
+ kr_ranked_rrarray_add@Base 2.1.0
+ kr_resolve_begin@Base 2.1.0
+ kr_resolve_checkout@Base 2.1.0
+ kr_resolve_consume@Base 2.1.0
+ kr_resolve_finish@Base 2.1.0
+ kr_resolve_plan@Base 2.1.0
+ kr_resolve_pool@Base 2.1.0
+ kr_resolve_produce@Base 2.1.0
+ kr_rnd_buffered@Base 3.2.0
+ kr_rplan_deinit@Base 2.1.0
+ kr_rplan_empty@Base 2.1.0
+ kr_rplan_find_resolved@Base 2.1.0
+ kr_rplan_init@Base 2.1.0
+ kr_rplan_last@Base 2.1.0
+ kr_rplan_pop@Base 2.1.0
+ kr_rplan_push@Base 2.1.0
+ kr_rplan_push_empty@Base 2.1.0
+ kr_rplan_resolved@Base 2.1.0
+ kr_rplan_satisfies@Base 2.1.0
+ kr_rrkey@Base 2.1.0
+ kr_rrset_init@Base 3.0.0
+ kr_rrsig_sig_expiration@Base 3.0.0
+ kr_rrsig_sig_inception@Base 3.0.0
+ kr_rrsig_type_covered@Base 3.0.0
+ kr_sockaddr_cmp@Base 3.0.0
+ kr_sockaddr_len@Base 2.1.0
+ kr_straddr_family@Base 2.1.0
+ kr_straddr_join@Base 2.1.0
+ kr_straddr_socket@Base 2.1.0
+ kr_straddr_split@Base 2.1.0
+ kr_straddr_subnet@Base 2.1.0
+ kr_strcatdup@Base 2.1.0
+ kr_ta_add@Base 2.1.0
+ kr_ta_clear@Base 2.1.0
+ kr_ta_covers@Base 2.1.0
+ kr_ta_covers_qry@Base 2.1.0
+ kr_ta_del@Base 2.1.0
+ kr_ta_get@Base 2.1.0
+ kr_ta_get_longest_name@Base 2.1.0
+ kr_unpack_cache_key@Base 3.1.0
+ kr_verbose_set@Base 2.1.0
+ kr_verbose_status@Base 2.1.0
+ kr_zonecut_add@Base 3.2.0
+ kr_zonecut_copy@Base 2.1.0
+ kr_zonecut_copy_trust@Base 2.1.0
+ kr_zonecut_deinit@Base 2.1.0
+ kr_zonecut_del@Base 3.2.0
+ kr_zonecut_del_all@Base 2.1.0
+ kr_zonecut_find@Base 2.1.0
+ kr_zonecut_find_cached@Base 2.1.0
+ kr_zonecut_init@Base 2.1.0
+ kr_zonecut_is_empty@Base 3.0.0
+ kr_zonecut_move@Base 3.2.0
+ kr_zonecut_set@Base 2.1.0
+ kr_zonecut_set_sbelt@Base 2.1.0
+ lru_apply_impl@Base 2.1.0
+ lru_create_impl@Base 2.1.0
+ lru_free_items_impl@Base 2.1.0
+ lru_get_impl@Base 2.1.0
+ map_clear@Base 2.1.0
+ map_contains@Base 2.1.0
+ map_del@Base 2.1.0
+ map_get@Base 2.1.0
+ map_set@Base 2.1.0
+ map_walk_prefixed@Base 2.1.0
+ mm_realloc@Base 3.2.0
+ queue_deinit_impl@Base 3.1.0
+ queue_init_impl@Base 3.1.0
+ queue_push_head_impl@Base 3.1.0
+ queue_push_impl@Base 3.1.0
+ trie_clear@Base 3.0.0
+ trie_create@Base 3.0.0
+ trie_del@Base 3.0.0
+ trie_del_first@Base 3.1.0
+ trie_free@Base 3.0.0
+ trie_get_first@Base 3.1.0
+ trie_get_ins@Base 3.0.0
+ trie_get_leq@Base 3.1.0
+ trie_get_try@Base 3.0.0
+ trie_it_begin@Base 3.0.0
+ trie_it_finished@Base 3.0.0
+ trie_it_free@Base 3.0.0
+ trie_it_key@Base 3.0.0
+ trie_it_next@Base 3.0.0
+ trie_it_val@Base 3.0.0
+ trie_weight@Base 3.0.0
+ validate_api@Base 2.1.0
diff --git a/distro/deb/not-installed b/distro/deb/not-installed
new file mode 100644
index 0000000..590e3b2
--- /dev/null
+++ b/distro/deb/not-installed
@@ -0,0 +1 @@
+usr/lib/knot-resolver/http/LICENSE
diff --git a/distro/deb/patches/0001-Update-documentation-of-keyfile-ro.patch b/distro/deb/patches/0001-Update-documentation-of-keyfile-ro.patch
new file mode 100644
index 0000000..53e6bb3
--- /dev/null
+++ b/distro/deb/patches/0001-Update-documentation-of-keyfile-ro.patch
@@ -0,0 +1,41 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Sat, 17 Feb 2018 15:52:20 -0500
+Subject: Update documentation of --keyfile-ro
+
+On Debian systems, we depend on the OS package management to update
+the dns root data. Make the documentation for running with this
+option less scary-sounding, as it is the default.
+---
+ doc/kresd.8.in | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/doc/kresd.8.in b/doc/kresd.8.in
+index 266e9f0..6c5195b 100644
+--- a/doc/kresd.8.in
++++ b/doc/kresd.8.in
+@@ -123,7 +123,7 @@ file at the default location (\fIconfig\fR). The syntax is
+ described in \fIdaemon/README.md\fR.
+ .TP
+ .B \-k\fI keyfile\fR, \fB\-\-keyfile=\fI<keyfile>
+-(Recommended!) Automatically managed root trust anchors file.
++Automatically managed root trust anchors file.
+ Root trust anchors in this file are managed using standard RFC 5011 (Automated Updates of DNS Security Trust Anchors).
+ Kresd needs write access to the directory containing the keyfile.
+
+@@ -134,9 +134,14 @@ The file contains DNSKEY/DS records in presentation format,
+ and is compatible with Unbound and BIND 9 root key files.
+ .TP
+ .B \-K\fI keyfile\fR, \fB\-\-keyfile\-ro=\fI<keyfile>
+-(Discouraged) Static root trust anchors file. The file is not updated by kresd. Use of this option is discouraged because it will break your installation when the trust anchor key changes!
++Static root trust anchors file. The file is not updated by
++kresd. Please ensure that any running kresd instances are restarted if
++the trust anchors change. (On Debian, kresd will be restarted
++automatically when the dns-root-data package updates
++/usr/share/dns/root.key, so nothing extra needs to be done unless you
++diverge from the default here.)
+
+-Default: "@KEYFILE_DEFAULT@" (can be empty if your distribution did not provide one)
++Default: "@KEYFILE_DEFAULT@"
+ .TP
+ .B \-m\fI path\fR, \fB\-\-moduledir=\fI<path>
+ Override the directory that is searched for modules. Default: @MODULEDIR@
diff --git a/distro/deb/patches/series b/distro/deb/patches/series
new file mode 100644
index 0000000..5f6f9b5
--- /dev/null
+++ b/distro/deb/patches/series
@@ -0,0 +1 @@
+0001-Update-documentation-of-keyfile-ro.patch
diff --git a/distro/deb/rules b/distro/deb/rules
new file mode 100755
index 0000000..758f30c
--- /dev/null
+++ b/distro/deb/rules
@@ -0,0 +1,68 @@
+#!/usr/bin/make -f
+
+# see FEATURE AREAS in dpkg-buildflags(1)
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all,-pie
+
+# see ENVIRONMENT in dpkg-buildflags(1)
+# package maintainers to append CFLAGS
+export DEB_CFLAGS_MAINT_APPEND = -Wall -pedantic -fno-omit-frame-pointer
+# package maintainers to append LDFLAGS
+export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed
+
+# see EXAMPLES in dpkg-buildflags(1) and read /usr/share/dpkg/*
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/default.mk
+
+export ARCH=$(DEB_HOST_GNU_CPU)
+export PREFIX=/usr
+export MODULEDIR=/usr/lib/knot-resolver
+export ETCDIR=/etc/knot-resolver
+
+RUN_TESTS := yes
+ifeq ($(DEB_HOST_ARCH),$(filter $(DEB_HOST_ARCH),hurd-i386 mips mipsel ppc64 ppc64el armel armhf arm64 kfreebsd-amd64 kfreebsd-i386))
+ $(warning Disabling checks on $(DEB_HOST_ARCH))
+ RUN_TESTS := no
+endif
+
+%:
+ dh $@
+
+override_dh_auto_clean-indep:
+ dh_auto_clean -- doc-clean http-clean
+
+override_dh_auto_build-arch:
+ CFLAGS="$${CFLAGS} -DNDEBUG" dh_auto_build -- V=1 BUILDMODE=static lib
+ CFLAGS="$${CFLAGS} -DNDEBUG" dh_auto_build -- V=1 \
+ ROOTHINTS=/usr/share/dns/root.hints \
+ KEYFILE_DEFAULT=/usr/share/dns/root.key
+
+override_dh_auto_build-indep:
+ dh_auto_build -- V=1 http
+ dh_auto_build -- V=1 doc-doxygen
+ cd doc && sphinx-build -b html -D html_theme=nature . html
+
+override_dh_auto_install-arch:
+ dh_auto_install --destdir=debian/tmp -- V=1 KEYFILE_DEFAULT=/usr/share/dns/root.key
+ rm -f debian/tmp/etc/knot-resolver/root.hints debian/tmp/etc/knot-resolver/icann-ca.pem
+
+override_dh_auto_install-indep:
+# install just the http/2 module
+ make http-install DESTDIR=debian/tmp V=1
+
+override_dh_installinit:
+ dh_installinit -pknot-resolver --name=kresd --no-start
+
+override_dh_installsystemd:
+ dh_installsystemd -pknot-resolver --name=kresd kresd-tls.socket kresd.socket
+
+override_dh_auto_test-indep:
+override_dh_auto_test-arch:
+ifeq ($(RUN_TESTS),yes)
+ dh_auto_test -- V=1
+endif
+
+override_dh_missing:
+ dh_missing --fail-missing
+
+override_dh_installchangelogs:
+ dh_installchangelogs NEWS
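Review bot: `DEB_BUILD_MAINT_OPTIONS = hardening=+all,-pie` asks dpkg-buildflags to leave PIE off for the whole build, and nothing in the file says why; for a DNS resolver daemon that gives up address-space randomisation of the main executable. If PIE does not break the build, `export DEB_BUILD_MAINT_OPTIONS = hardening=+all` is the safer setting; if it does, a comment naming the reason belongs above that line. Separately, `override_dh_auto_install-indep` calls a literal `make`; `$(MAKE) http-install DESTDIR=debian/tmp V=1` keeps jobserver and `-n` handling intact.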
diff --git a/distro/deb/source/format b/distro/deb/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/distro/deb/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/distro/deb/tests/control b/distro/deb/tests/control
new file mode 100644
index 0000000..be666d7
--- /dev/null
+++ b/distro/deb/tests/control
@@ -0,0 +1,2 @@
+Test-Command: make installcheck
+Depends: @, @builddeps@
diff --git a/distro/rpm/knot-resolver.spec b/distro/rpm/knot-resolver.spec
new file mode 100644
index 0000000..359e5b6
--- /dev/null
+++ b/distro/rpm/knot-resolver.spec
@@ -0,0 +1,235 @@
+%global _hardened_build 1
+%{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}}
+
+%define GPG_CHECK 0
+%define VERSION __VERSION__
+%define repodir %{_builddir}/%{name}-%{version}
+
+Name: knot-resolver
+Version: %{VERSION}
+Release: 1%{?dist}
+Summary: Caching full DNS Resolver
+
+License: GPLv3
+URL: https://www.knot-resolver.cz/
+Source0: knot-resolver_%{version}.orig.tar.xz
+
+# LuaJIT only on these arches
+%if 0%{?rhel}
+# RHEL 7 does not have aarch64 LuaJIT
+ExclusiveArch: %{ix86} x86_64
+%else
+ExclusiveArch: %{arm} aarch64 %{ix86} x86_64
+%endif
+
+%if 0%{GPG_CHECK}
+Source1: knot-resolver-%{version}.tar.xz.asc
+# PGP keys used to sign upstream releases
+# Export with --armor using command from https://fedoraproject.org/wiki/PackagingDrafts:GPGSignatures
+# Don't forget to update %%prep section when adding/removing keys
+Source100: gpgkey-B6006460B60A80E782062449E747DF1F9575A3AA.gpg.asc
+Source101: gpgkey-BE26EBB9CBE059B3910CA35BCE8DD6A1A50A21E4.gpg.asc
+Source102: gpgkey-4A8BA48C2AED933BD495C509A1FBA5F7EF8C4869.gpg.asc
+BuildRequires: gnupg2
+%endif
+
+BuildRequires: gcc
+BuildRequires: gcc-c++
+BuildRequires: pkgconfig(cmocka)
+BuildRequires: pkgconfig(gnutls)
+BuildRequires: pkgconfig(libedit)
+BuildRequires: pkgconfig(libknot) >= 2.7.2
+BuildRequires: pkgconfig(libzscanner) >= 2.7.2
+BuildRequires: pkgconfig(libdnssec) >= 2.7.2
+BuildRequires: pkgconfig(libsystemd)
+BuildRequires: pkgconfig(libuv)
+BuildRequires: pkgconfig(luajit) >= 2.0
+BuildRequires: pkgconfig(systemd)
+
+# Distro-dependent dependencies
+%if 0%{?rhel}
+BuildRequires: lmdb-devel
+# Lua 5.1 version of the libraries have different package names
+Requires: lua-socket
+Requires: lua-sec
+Requires(pre): shadow-utils
+%endif
+%if 0%{?fedora}
+BuildRequires: pkgconfig(lmdb)
+BuildRequires: python3-sphinx
+Requires: lua-socket-compat
+Requires: lua-sec-compat
+Requires(pre): shadow-utils
+%endif
+%if 0%{?suse_version}
+BuildRequires: lmdb-devel
+BuildRequires: python3-Sphinx
+Requires: lua51-luasocket
+Requires: lua51-luasec
+Requires(pre): shadow
+%endif
+
+%if "x%{?rhel}" == "x"
+# dependencies for doc package; disable in EPEL (missing fonts)
+# https://bugzilla.redhat.com/show_bug.cgi?id=1492884
+BuildRequires: doxygen
+BuildRequires: python3-breathe
+BuildRequires: python3-sphinx_rtd_theme
+%endif
+
+Requires(post): systemd
+Requires(preun): systemd
+Requires(postun): systemd
+
+%description
+The Knot Resolver is a caching full resolver implementation written in C
+and LuaJIT, including both a resolver library and a daemon. Modular
+architecture of the library keeps the core tiny and efficient, and provides
+a state-machine like API for extensions.
+
+The package is pre-configured as local caching resolver.
+To start using it, start a single kresd instance:
+$ systemctl start kresd@1.service
+
+%package devel
+Summary: Development headers for Knot Resolver
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description devel
+The package contains development headers for Knot Resolver.
+
+%if "x%{?rhel}" == "x"
+%package doc
+Summary: Documentation for Knot Resolver
+BuildArch: noarch
+Requires: %{name} = %{version}-%{release}
+
+%description doc
+Documentation for Knot Resolver
+%endif
+
+%prep
+%if 0%{GPG_CHECK}
+export GNUPGHOME=./gpg-keyring
+mkdir ${GNUPGHOME}
+gpg2 --import %{SOURCE100} %{SOURCE101} %{SOURCE102}
+gpg2 --verify %{SOURCE1} %{SOURCE0}
+%endif
+%setup -q -n %{name}-%{version}
+
+%build
+%global build_paths PREFIX=%{_prefix} BINDIR=%{_bindir} LIBDIR=%{_libdir} INCLUDEDIR=%{_includedir} ETCDIR=%{_sysconfdir}/knot-resolver
+%global build_flags V=1 CFLAGS="%{optflags}" LDFLAGS="%{?__global_ldflags}" %{build_paths} HAS_go=no
+%make_build %{build_flags}
+
+%if "x%{?rhel}" == "x"
+# build documentation
+make doc
+%endif
+
+%check
+make %{?_smp_mflags} check
+
+%install
+%make_install %{build_flags}
+
+# move sample configuration files to documentation
+install -m 0755 -d %{buildroot}%{_pkgdocdir}
+mv %{buildroot}%{_sysconfdir}/knot-resolver/config.* %{buildroot}%{_pkgdocdir}
+chmod 0644 %{buildroot}%{_pkgdocdir}/config.*
+
+# install configuration files
+mkdir -p %{buildroot}%{_sysconfdir}
+install -m 0755 -d %{buildroot}%{_sysconfdir}/knot-resolver
+install -m 0644 -p %{repodir}/distro/common/kresd.conf %{buildroot}%{_sysconfdir}/knot-resolver/kresd.conf
+install -m 0664 -p %{repodir}/distro/common/root.keys %{buildroot}%{_sysconfdir}/knot-resolver/root.keys
+
+# install systemd units and doc
+mkdir -p %{buildroot}%{_unitdir}
+install -m 0644 -p %{repodir}/distro/common/systemd/kresd@.service %{buildroot}%{_unitdir}/kresd@.service
+install -m 0644 -p %{repodir}/distro/common/systemd/kresd.target %{buildroot}%{_unitdir}/kresd.target
+install -m 0755 -d %{buildroot}%{_unitdir}/multi-user.target.wants
+ln -s ../kresd.target %{buildroot}%{_unitdir}/multi-user.target.wants/kresd.target
+mkdir -p %{buildroot}%{_mandir}/man7
+install -m 0644 -p %{repodir}/distro/common/systemd/kresd.systemd.7 %{buildroot}%{_mandir}/man7/kresd.systemd.7
+
+%if 0%{?rhel}
+# no socket activation for CentOS 7 (requires systemd.227)
+mkdir -p %{buildroot}%{_unitdir}/kresd@.service.d
+install -m 0644 -p %{repodir}/distro/common/systemd/drop-in/systemd-compat.conf %{buildroot}%{_unitdir}/kresd@.service.d/override.conf
+%endif
+%if "x%{?rhel}" == "x"
+install -m 0644 -p %{repodir}/distro/common/systemd/kresd.socket %{buildroot}%{_unitdir}/kresd.socket
+install -m 0644 -p %{repodir}/distro/common/systemd/kresd-control@.socket %{buildroot}%{_unitdir}/kresd-control@.socket
+install -m 0644 -p %{repodir}/distro/common/systemd/kresd-tls.socket %{buildroot}%{_unitdir}/kresd-tls.socket
+%endif
+
+# install tmpfiles.d
+mkdir -p %{buildroot}%{_tmpfilesdir}
+install -m 0644 -p %{repodir}/distro/common/tmpfiles/knot-resolver.conf %{buildroot}%{_tmpfilesdir}/knot-resolver.conf
+mkdir -p %{buildroot}%{_rundir}
+install -m 0750 -d %{buildroot}%{_rundir}/knot-resolver
+
+# install cache
+mkdir -p %{buildroot}%{_localstatedir}/cache
+install -m 0750 -d %{buildroot}%{_localstatedir}/cache/knot-resolver
+
+# remove module with unsatisfied dependencies
+rm -r %{buildroot}%{_libdir}/kdns_modules/{http,http.lua}
+
+%pre
+getent group knot-resolver >/dev/null || groupadd -r knot-resolver
+getent passwd knot-resolver >/dev/null || useradd -r -g knot-resolver -d %{_sysconfdir}/knot-resolver -s /sbin/nologin -c "Knot Resolver" knot-resolver
+
+%post
+%systemd_post 'kresd@*.service'
+/sbin/ldconfig
+
+%preun
+%systemd_preun 'kresd@*.service' kresd.target kresd.socket kresd-tls.socket
+
+%postun
+# NOTE: this doesn't restart the services on CentOS 7
+%systemd_postun_with_restart 'kresd@*.service'
+/sbin/ldconfig
+
+%files
+%license COPYING
+%doc %{_pkgdocdir}
+%attr(775,root,knot-resolver) %dir %{_sysconfdir}/knot-resolver
+%attr(644,root,knot-resolver) %config(noreplace) %{_sysconfdir}/knot-resolver/kresd.conf
+%attr(664,root,knot-resolver) %config(noreplace) %{_sysconfdir}/knot-resolver/root.keys
+%attr(644,root,knot-resolver) %config(noreplace) %{_sysconfdir}/knot-resolver/root.hints
+%attr(644,root,knot-resolver) %config(noreplace) %{_sysconfdir}/knot-resolver/icann-ca.pem
+%attr(750,knot-resolver,knot-resolver) %dir %{_localstatedir}/cache/knot-resolver
+%{_unitdir}/kresd*.service
+%{_unitdir}/kresd.target
+%{_unitdir}/multi-user.target.wants/kresd.target
+%if 0%{?rhel}
+%{_unitdir}/kresd@.service.d/override.conf
+%endif
+%if "x%{?rhel}" == "x"
+%{_unitdir}/kresd*.socket
+%endif
+%{_tmpfilesdir}/knot-resolver.conf
+%{_sbindir}/kresd
+%{_sbindir}/kresc
+%{_libdir}/libkres.so.*
+%{_libdir}/kdns_modules
+%{_mandir}/man8/kresd.8.gz
+%{_mandir}/man7/kresd.systemd.7.gz
+
+%files devel
+%{_includedir}/libkres
+%{_libdir}/pkgconfig/libkres.pc
+%{_libdir}/libkres.so
+
+%if "x%{?rhel}" == "x"
+%files doc
+%doc doc/html
+%endif
+
+%changelog
+* Fri Feb 16 2018 Tomas Krizek <tomas.krizek@nic.cz> - 2.1.0-1
+- see NEWS or https://www.knot-resolver.cz/
+- move spec file to upstream
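Review bot: The `%files` entry `%attr(775,root,knot-resolver) %dir %{_sysconfdir}/knot-resolver` makes the whole configuration directory writable by the daemon's group. That is presumably there so kresd can rewrite `root.keys`, but directory write access also lets that group replace `kresd.conf` by rename, even though the file itself is 644 and owned by root. Keeping the managed keyfile in a dedicated directory owned by `knot-resolver` would let `/etc/knot-resolver` be `755`. Also, `%define GPG_CHECK 0` means the `gpg2 --verify` step in `%prep` never runs; a comment beside the define saying when it is expected to be set to 1 would make that choice explicit.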
diff --git a/distro/tests/README.md b/distro/tests/README.md
new file mode 100644
index 0000000..f528348
--- /dev/null
+++ b/distro/tests/README.md
@@ -0,0 +1,42 @@
+Requirements
+------------
+
+- ansible
+- vagrant
+- libvirt (+vagrant-libvirt) / virtualbox
+
+Usage
+-----
+
+`vagrant up` command is configured to trigger ansible provisioning
+which configures OBS repository, installs the knot-resolver package,
+starts the kresd@1 service and finally attempts to use it to resolve
+a domain name. It also tests that DNSSEC validation is turned on.
+
+By default, the *knot-resolver-devel* repo (for knot-resolver) along
+with *knot-resoler-latest* (for knot) is used. To test only the
+*knot-resolver-latest* repo, set it in `repos.yaml` (or use the
+test-distro.sh script which overwrites this file). If you're running
+tests in parallel, they all HAVE TO use the same repo(s).
+
+Run the following command for every distro (aka directory with
+Vagrantfile):
+
+```
+./test-distro.sh devel debian9
+```
+
+or
+
+```
+./test-distro.sh testing debian9
+```
+
+or
+
+```
+./test-distro.sh latest debian9
+```
+
+At the end of the test, the package version that was tested is
+printed out. Make sure you're testing what you intended to.
diff --git a/distro/tests/arch/Vagrantfile b/distro/tests/arch/Vagrantfile
new file mode 100644
index 0000000..8e3677e
--- /dev/null
+++ b/distro/tests/arch/Vagrantfile
@@ -0,0 +1,16 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+#
+
+Vagrant.configure(2) do |config|
+
+ config.vm.box = "archlinux/archlinux"
+ config.vm.synced_folder ".", "/vagrant", disabled: true
+
+ config.vm.define "arch_knot-resolver" do |machine|
+ machine.vm.provision "ansible" do |ansible|
+ ansible.playbook = "../knot-resolver-test.yaml"
+ end
+ end
+
+end
diff --git a/distro/tests/centos7/Vagrantfile b/distro/tests/centos7/Vagrantfile
new file mode 100644
index 0000000..a03e599
--- /dev/null
+++ b/distro/tests/centos7/Vagrantfile
@@ -0,0 +1,19 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+#
+
+Vagrant.configure(2) do |config|
+
+ config.vm.box = "centos/7"
+ config.vm.synced_folder ".", "/vagrant", disabled: true
+
+ config.vm.define "centos7_knot-resolver" do |machine|
+ machine.vm.provision "ansible" do |ansible|
+ ansible.playbook = "../knot-resolver-test.yaml"
+ ansible.extra_vars = {
+ ansible_python_interpreter: "/usr/bin/python2"
+ }
+ end
+ end
+
+end
diff --git a/distro/tests/debian9/Vagrantfile b/distro/tests/debian9/Vagrantfile
new file mode 100644
index 0000000..3b7891b
--- /dev/null
+++ b/distro/tests/debian9/Vagrantfile
@@ -0,0 +1,16 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+#
+
+Vagrant.configure(2) do |config|
+
+ config.vm.box = "debian/stretch64"
+ config.vm.synced_folder ".", "/vagrant", disabled: true
+
+ config.vm.define "debian9_knot-resolver" do |machine|
+ machine.vm.provision "ansible" do |ansible|
+ ansible.playbook = "../knot-resolver-test.yaml"
+ end
+ end
+
+end
diff --git a/distro/tests/fedora28/Vagrantfile b/distro/tests/fedora28/Vagrantfile
new file mode 100644
index 0000000..0171b4f
--- /dev/null
+++ b/distro/tests/fedora28/Vagrantfile
@@ -0,0 +1,19 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+#
+
+Vagrant.configure(2) do |config|
+
+ config.vm.box = "generic/fedora28"
+ config.vm.synced_folder ".", "/vagrant", disabled: true
+
+ config.vm.define "fedora28_knot-resolver" do |machine|
+ machine.vm.provision "ansible" do |ansible|
+ ansible.playbook = "../knot-resolver-test.yaml"
+ ansible.extra_vars = {
+ ansible_python_interpreter: "/usr/bin/python3"
+ }
+ end
+ end
+
+end
diff --git a/distro/tests/fedora29/Vagrantfile b/distro/tests/fedora29/Vagrantfile
new file mode 100644
index 0000000..67407e8
--- /dev/null
+++ b/distro/tests/fedora29/Vagrantfile
@@ -0,0 +1,19 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+#
+
+Vagrant.configure(2) do |config|
+
+ config.vm.box = "generic/fedora29"
+ config.vm.synced_folder ".", "/vagrant", disabled: true
+
+ config.vm.define "fedora29_knot-resolver" do |machine|
+ machine.vm.provision "ansible" do |ansible|
+ ansible.playbook = "../knot-resolver-test.yaml"
+ ansible.extra_vars = {
+ ansible_python_interpreter: "/usr/bin/python3"
+ }
+ end
+ end
+
+end
diff --git a/distro/tests/knot-resolver-test.yaml b/distro/tests/knot-resolver-test.yaml
new file mode 100644
index 0000000..33d07aa
--- /dev/null
+++ b/distro/tests/knot-resolver-test.yaml
@@ -0,0 +1,148 @@
+---
+- hosts: all
+
+ remote_user: root
+ become: true
+
+ vars:
+ dig_package:
+ Debian: dnsutils
+ Ubuntu: dnsutils
+ Fedora: bind-utils
+ CentOS: bind-utils
+ openSUSE Leap: bind-utils
+ openSUSE Tumbleweed: bind-utils
+ Archlinux: bind-tools
+ configure_obs_repo:
+ Fedora: |
+ dnf config-manager --add-repo https://download.opensuse.org/repositories/home:CZ-NIC:{{ item }}/Fedora_{{ ansible_distribution_major_version }}/home:CZ-NIC:{{ item }}.repo
+ CentOS: |
+ yum install -y wget &&
+ wget -i wget https://download.opensuse.org/repositories/home:CZ-NIC:{{ item }}/CentOS_7_EPEL/home:CZ-NIC:{{ item }}.repo -O /etc/yum.repos.d/home:CZ-NIC:{{ item }}.repo
+ Debian: |
+ echo 'deb http://download.opensuse.org/repositories/home:/CZ-NIC:/{{ item }}/Debian_9.0/ /' > /etc/apt/sources.list.d/{{ item }}.list &&
+ wget -nv https://download.opensuse.org/repositories/home:CZ-NIC:{{ item }}/Debian_9.0/Release.key -O Release.key &&
+ apt-key add - < Release.key &&
+ apt-get update
+ Ubuntu: |
+ echo 'deb http://download.opensuse.org/repositories/home:/CZ-NIC:/{{ item }}/xUbuntu_{{ ansible_distribution_version }}/ /' > /etc/apt/sources.list.d/{{ item }}.list &&
+ wget -nv https://download.opensuse.org/repositories/home:CZ-NIC:{{ item }}/xUbuntu_{{ ansible_distribution_version }}/Release.key -O Release.key &&
+ apt-key add - < Release.key &&
+ apt-get update
+ openSUSE Tumbleweed: |
+ zypper addrepo https://download.opensuse.org/repositories/home:CZ-NIC:{{ item }}/openSUSE_Tumbleweed/home:CZ-NIC:{{ item }}.repo &&
+ zypper --gpg-auto-import-keys refresh
+ openSUSE Leap: |
+ zypper addrepo https://download.opensuse.org/repositories/home:CZ-NIC:{{ item }}/openSUSE_Leap_15.0/home:CZ-NIC:{{ item }}.repo &&
+ zypper --gpg-auto-import-keys refresh
+ show_package_version:
+ Archlinux:
+ pacman -Qi knot-resolver | grep '^Version'
+ Fedora: &pkg_version_rpm |
+ rpm -qi knot-resolver | grep '^Version'
+ CentOS: *pkg_version_rpm
+ openSUSE Leap: *pkg_version_rpm
+ openSUSE Tumbleweed: *pkg_version_rpm
+ Debian:
+ dpkg -s knot-resolver | grep '^Version'
+ Ubuntu: |
+ dpkg -s knot-resolver | grep '^Version'
+ vars_files:
+ - repos.yaml
+
+ gather_facts: false
+ pre_tasks:
+ - name: install python3 (Arch)
+ raw: |
+ (pacman-key --init && pacman-key --populate archlinux && \
+ pacman -Sy python3 --noconfirm) || :
+ ignore_errors: true
+ - name: gather facts
+ setup:
+
+ tasks:
+ - name: install epel
+ package:
+ name: epel-release
+ state: present
+ when: ansible_distribution == 'CentOS'
+
+ - name: configure OBS repository
+ shell: "{{ configure_obs_repo[ansible_distribution] }}"
+ args:
+ warn: false
+ with_items: "{{ repos }}"
+ when: ansible_distribution_file_variety != 'Archlinux'
+
+ - block:
+ - name: configure OBS repository (Arch)
+ blockinfile:
+ block: |
+ [home_CZ-NIC_{{ item }}_Arch]
+ SigLevel = Never
+ Server = https://download.opensuse.org/repositories/home:/CZ-NIC:/{{ item }}/Arch/$arch
+ insertbefore: '^\[core\]'
+ path: /etc/pacman.conf
+ state: present
+ with_items: "{{ repos }}"
+ - name: set up package mirrors
+ copy:
+ content: |
+ ## Arch Linux repository mirrorlist
+ ## Generated on 2018-12-10
+ ## Czechia
+ Server = http://mirrors.nic.cz/archlinux/$repo/os/$arch
+ Server = http://ftp.fi.muni.cz/pub/linux/arch/$repo/os/$arch
+ Server = http://ftp.sh.cvut.cz/arch/$repo/os/$arch
+ Server = http://gluttony.sin.cvut.cz/arch/$repo/os/$arch
+ dest: /etc/pacman.d/mirrorlist
+ - name: sync repos (Arch)
+ shell: pacman -Syu --noconfirm
+ args:
+ warn: false
+ when: ansible_distribution_file_variety == 'Archlinux'
+
+ - name: install knot-resolver
+ package:
+ name: knot-resolver
+ state: latest
+
+ - name: get installed package version
+ shell: "{{ show_package_version[ansible_distribution] }}"
+ args:
+ warn: false
+ register: package_version
+
+ - name: install dig
+ package:
+ name: "{{ dig_package[ansible_distribution] }}"
+ state: present
+
+ - name: testing block
+ block:
+ - name: start kresd@1.service
+ service:
+ name: kresd@1.service
+ state: restarted
+
+ - name: resolve nic.cz
+ shell: dig @127.0.0.1 nic.cz
+ register: res
+ failed_when: '"status: NOERROR" not in res.stdout'
+
+ - name: test dnssec is turned on
+ block:
+ - name: test dnssec-failed.org +cd returns NOERROR
+ shell: dig +cd @127.0.0.1 dnssec-failed.org
+ register: res
+ failed_when: '"status: NOERROR" not in res.stdout'
+
+ - name: test dnssec-failed.org returns SERVFAIL
+ shell: dig @127.0.0.1 dnssec-failed.org
+ register: res
+ failed_when: '"status: SERVFAIL" not in res.stdout'
+
+ always:
+ - name: show installed version
+ debug:
+ var: package_version.stdout
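Review bot: The CentOS entry of `configure_obs_repo` runs `wget -i wget https://…`, where `-i wget` names an input file called `wget` rather than the URL; this looks like a typo, and dropping `-i wget` leaves the intended download to `/etc/yum.repos.d/`. On the repository side, the Arch block sets `SigLevel = Never` and the Debian and Ubuntu entries add `deb http://` sources, so the packages under test are installed with weaker authentication than a default setup would use. Using `https://` in the `deb` lines, and adding a comment that says why signature checking is off for the Arch OBS repository, would document that choice.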
diff --git a/distro/tests/leap15/Vagrantfile b/distro/tests/leap15/Vagrantfile
new file mode 100644
index 0000000..14bae76
--- /dev/null
+++ b/distro/tests/leap15/Vagrantfile
@@ -0,0 +1,16 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+#
+
+Vagrant.configure(2) do |config|
+
+ config.vm.box = "opensuse/openSUSE-15.0-x86_64"
+ config.vm.synced_folder ".", "/vagrant", disabled: true
+
+ config.vm.define "leap15_knot-resolver" do |machine|
+ machine.vm.provision "ansible" do |ansible|
+ ansible.playbook = "../knot-resolver-test.yaml"
+ end
+ end
+
+end
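Review bot: `config.vm.box` names the box without a `config.vm.box_version`, so a host with no cached copy fetches whichever box version is currently published and the test runs on an image nobody reviewed. Pinning a known version with `config.vm.box_version = "<pinned-version>"` makes the distro test reproducible and turns a box update into an explicit, reviewable change. The same applies to the tumbleweed, ubuntu1604, ubuntu1804 and ubuntu1810 Vagrantfiles later in this diff. For the rolling Tumbleweed box, a pin also helps separate distribution breakage from resolver packaging regressions.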
diff --git a/distro/tests/repos.yaml b/distro/tests/repos.yaml
new file mode 100644
index 0000000..9827fe7
--- /dev/null
+++ b/distro/tests/repos.yaml
@@ -0,0 +1,3 @@
+repos:
+ - knot-resolver-latest
+ - knot-resolver-devel
diff --git a/distro/tests/test-distro.sh b/distro/tests/test-distro.sh
new file mode 100755
index 0000000..0ae8662
--- /dev/null
+++ b/distro/tests/test-distro.sh
@@ -0,0 +1,32 @@
+#!/bin/bash -x
+
+# ./test-distro.sh {devel|latest} {distro}
+# Example usage: ./test-distro.sh devel debian9
+
+distro=$2
+repo=$1
+
+# Select repos
+echo -e 'repos:\n - knot-resolver-latest' > repos.yaml # latest is needed for knot
+case "$repo" in
+ devel)
+ echo -e ' - knot-resolver-devel' >> repos.yaml
+ ;;
+ testing)
+ echo -e 'repos:\n - knot-resolver-testing' > repos.yaml
+ ;;
+ latest)
+ ;;
+ *)
+ echo "Unknown repo, choose devel|latest|testing"
+ exit 1
+ ;;
+esac
+
+cd "$distro"
+vagrant destroy -f &>/dev/null
+vagrant up
+ret=$?
+vagrant destroy -f &>/dev/null
+exit $ret
+
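Review bot: `cd "$distro"` is unchecked, so when the second argument is missing or names no directory the script stays where it is and still runs `vagrant destroy -f`. Vagrant looks for a Vagrantfile in parent directories as well, so that could tear down an unrelated environment instead of failing. Validate the argument and stop on failure, e.g. `[ -n "$distro" ] || { echo "usage: $0 {devel|latest|testing} distro" >&2; exit 1; }` followed by `cd "$distro" || exit 1`. The usage comment at the top lists only `devel|latest` while the `case` also accepts `testing`. `repos.yaml` is written relative to the caller's working directory, which appears to assume the script is run from `distro/tests`.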
diff --git a/distro/tests/tumbleweed/Vagrantfile b/distro/tests/tumbleweed/Vagrantfile
new file mode 100644
index 0000000..ba0dada
--- /dev/null
+++ b/distro/tests/tumbleweed/Vagrantfile
@@ -0,0 +1,16 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+#
+
+Vagrant.configure(2) do |config|
+
+ config.vm.box = "opensuse/openSUSE-Tumbleweed-x86_64"
+ config.vm.synced_folder ".", "/vagrant", disabled: true
+
+ config.vm.define "tumbleweed_knot-resolver" do |machine|
+ machine.vm.provision "ansible" do |ansible|
+ ansible.playbook = "../knot-resolver-test.yaml"
+ end
+ end
+
+end
diff --git a/distro/tests/ubuntu1604/Vagrantfile b/distro/tests/ubuntu1604/Vagrantfile
new file mode 100644
index 0000000..40e0492
--- /dev/null
+++ b/distro/tests/ubuntu1604/Vagrantfile
@@ -0,0 +1,19 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+#
+
+Vagrant.configure(2) do |config|
+
+ config.vm.box = "generic/ubuntu1604"
+ config.vm.synced_folder ".", "/vagrant", disabled: true
+
+ config.vm.define "ubuntu1604_knot-resolver" do |machine|
+ machine.vm.provision "ansible" do |ansible|
+ ansible.playbook = "../knot-resolver-test.yaml"
+ ansible.extra_vars = {
+ ansible_python_interpreter: "/usr/bin/python3"
+ }
+ end
+ end
+
+end
diff --git a/distro/tests/ubuntu1804/Vagrantfile b/distro/tests/ubuntu1804/Vagrantfile
new file mode 100644
index 0000000..57e210d
--- /dev/null
+++ b/distro/tests/ubuntu1804/Vagrantfile
@@ -0,0 +1,19 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+#
+
+Vagrant.configure(2) do |config|
+
+ config.vm.box = "generic/ubuntu1804"
+ config.vm.synced_folder ".", "/vagrant", disabled: true
+
+ config.vm.define "ubuntu1804_knot-resolver" do |machine|
+ machine.vm.provision "ansible" do |ansible|
+ ansible.playbook = "../knot-resolver-test.yaml"
+ ansible.extra_vars = {
+ ansible_python_interpreter: "/usr/bin/python3"
+ }
+ end
+ end
+
+end
diff --git a/distro/tests/ubuntu1810/Vagrantfile b/distro/tests/ubuntu1810/Vagrantfile
new file mode 100644
index 0000000..c560be1
--- /dev/null
+++ b/distro/tests/ubuntu1810/Vagrantfile
@@ -0,0 +1,19 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+#
+
+Vagrant.configure(2) do |config|
+
+ config.vm.box = "generic/ubuntu1810"
+ config.vm.synced_folder ".", "/vagrant", disabled: true
+
+ config.vm.define "ubuntu1810_knot-resolver" do |machine|
+ machine.vm.provision "ansible" do |ansible|
+ ansible.playbook = "../knot-resolver-test.yaml"
+ ansible.extra_vars = {
+ ansible_python_interpreter: "/usr/bin/python3"
+ }
+ end
+ end
+
+end