From 46ec4c5ae30e9137e303a1f7187da16da6378eb4 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Mon, 6 May 2024 02:53:35 +0200 Subject: Adding debian version 2.7.6-2. 
Signed-off-by: Daniel Baumann --- debian/TODO | 32 + debian/changelog | 1258 ++++++++++++++++++++ debian/clean | 1 + debian/compat | 1 + debian/control | 228 ++++ debian/copyright | 83 ++ debian/docs | 1 + debian/gbp.conf | 28 + debian/get_kaspdb | 59 + debian/get_user | 28 + debian/kasp_json2lmdb | 458 +++++++ debian/knot-dnsutils.NEWS | 6 + debian/knot-dnsutils.install | 2 + debian/knot-dnsutils.manpages | 2 + debian/knot-doc.doc-base | 20 + debian/knot-doc.install | 2 + debian/knot-doc.links | 2 + debian/knot-host.NEWS | 6 + debian/knot-host.install | 1 + debian/knot-host.manpages | 1 + debian/knot.NEWS | 12 + debian/knot.default | 1 + debian/knot.dirs | 1 + debian/knot.init | 168 +++ debian/knot.install | 11 + debian/knot.lintian-overrides | 5 + debian/knot.maintscript | 1 + debian/knot.manpages | 7 + debian/knot.postinst | 26 + debian/knot.postrm | 18 + debian/knot.service | 14 + debian/knot.tmpfile | 2 + debian/libdnssec6.install | 1 + debian/libdnssec6.symbols | 109 ++ debian/libknot-dev.install | 4 + debian/libknot8.install | 1 + debian/libknot8.symbols | 207 ++++ debian/libzscanner2.install | 1 + debian/libzscanner2.symbols | 11 + debian/not-installed | 1 + ...-git-version-inclusion-in-debian-packages.patch | 23 + ...rify-mtime-against-full-precision-timesta.patch | 129 ++ ...orrect-kdig-documentation-about-no-crypto.patch | 39 + debian/patches/series | 3 + debian/prepare-environment | 38 + debian/rules | 89 ++ debian/source/format | 1 + debian/tests/authoritative-server | 193 +++ debian/tests/control | 5 + debian/tests/kdig | 11 + debian/ufw/knot | 4 + debian/upstream/signing-key.asc | 51 + debian/watch | 4 + 53 files changed, 3410 insertions(+) create mode 100644 debian/TODO create mode 100644 debian/changelog create mode 100644 debian/clean create mode 100644 debian/compat create mode 100644 debian/control create mode 100644 debian/copyright create mode 100644 debian/docs create mode 100644 debian/gbp.conf create mode 100755 debian/get_kaspdb create 
mode 100755 debian/get_user create mode 100755 debian/kasp_json2lmdb create mode 100644 debian/knot-dnsutils.NEWS create mode 100644 debian/knot-dnsutils.install create mode 100644 debian/knot-dnsutils.manpages create mode 100644 debian/knot-doc.doc-base create mode 100644 debian/knot-doc.install create mode 100644 debian/knot-doc.links create mode 100644 debian/knot-host.NEWS create mode 100644 debian/knot-host.install create mode 100644 debian/knot-host.manpages create mode 100644 debian/knot.NEWS create mode 100644 debian/knot.default create mode 100644 debian/knot.dirs create mode 100644 debian/knot.init create mode 100644 debian/knot.install create mode 100644 debian/knot.lintian-overrides create mode 100644 debian/knot.maintscript create mode 100644 debian/knot.manpages create mode 100644 debian/knot.postinst create mode 100644 debian/knot.postrm create mode 100644 debian/knot.service create mode 100644 debian/knot.tmpfile create mode 100644 debian/libdnssec6.install create mode 100644 debian/libdnssec6.symbols create mode 100644 debian/libknot-dev.install create mode 100644 debian/libknot8.install create mode 100644 debian/libknot8.symbols create mode 100644 debian/libzscanner2.install create mode 100644 debian/libzscanner2.symbols create mode 100644 debian/not-installed create mode 100644 debian/patches/0001-avoid-git-version-inclusion-in-debian-packages.patch create mode 100644 debian/patches/0002-zonefile-Verify-mtime-against-full-precision-timesta.patch create mode 100644 debian/patches/0003-correct-kdig-documentation-about-no-crypto.patch create mode 100644 debian/patches/series create mode 100755 debian/prepare-environment create mode 100755 debian/rules create mode 100644 debian/source/format create mode 100755 debian/tests/authoritative-server create mode 100644 debian/tests/control create mode 100755 debian/tests/kdig create mode 100644 debian/ufw/knot create mode 100644 debian/upstream/signing-key.asc create mode 100644 debian/watch (limited to 
'debian')
diff --git a/debian/TODO b/debian/TODO
new file mode 100644
index 0000000..ee28e33
--- /dev/null
+++ b/debian/TODO
@@ -0,0 +1,32 @@
+ * package python3-libknot
+
+ * add more autopkgtest tests
+ - set up and run an authoritative resolver
+ - do dnssec signing
+ - validate the signatures
+
+ * consider making the modules dynamic instead of static. i see three
+ possible approaches:
+
+ a) each module could ship in a separate package, and would drop
+ into the path identified by --with-moduledir=
+ (/usr/lib/$(DEB_HOST_MULTIARCH)/knot/ , currently). They would
+ be automatically loaded by knotd as long as the packages were
+ installed.
+
+ b) we could ship them all directly in the knot package. they would
+ live in /usr/lib/$(DEBHOST_MULTIARCH)/knot-$(VERSION)/ in this
+ case, and the admin would need to manually load them in
+ knot.conf.
+
+ c) we could ship them in a separate knot-modules package (one
+ bundle of all modules, located in the same place as (b)). the
+ admin would need to manually load them in knot.conf.
+
+ In either (b) or (c) we might want to change --with-moduledir to
+ point to somewhere that the admin is encouraged to edit, like
+ /etc/knot/modules or something. or maybe we should abandon
+ --with-moduledir entirely?
+
+ Transitioning from static to dynamic modules seems like an awkward
+ process, though.
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..faa1176
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,1258 @@ +knot (2.7.6-2) unstable; urgency=medium + + * add libsofthsm2 when testing for libdnssec/test_keystore_pkcs11 + * Check fine-grained timestamps on zonefiles. + * Correct documentation about key formats + * Standards-Version: bump to 4.3.0 (no changes needed) + + -- Daniel Kahn Gillmor Fri, 22 Feb 2019 16:51:08 -0500 + +knot (2.7.6-1) unstable; urgency=medium + + * new upstream release + + -- Ondřej Surý Fri, 08 Feb 2019 12:53:57 +0000 + +knot (2.7.4-1) unstable; urgency=medium + + * new upstream release + * drop patch applied upstream + * d/upstream/signing-key.asc: minimize OpenPGP certificate + + -- Daniel Kahn Gillmor Wed, 14 Nov 2018 01:16:27 -0500 + +knot (2.7.3-3) unstable; urgency=medium + + * update build-deps and autopkgtest deps + + -- Daniel Kahn Gillmor Thu, 08 Nov 2018 08:39:43 +0700 + +knot (2.7.3-2) unstable; urgency=medium + + * postinst: use runuser instead of su for safety and simplicity + * fix get_kaspdb and test it against shipped config (Closes: #912210) + * added Build-Depends-Package: libknot-dev to symbols files + * cleaner diffs: put dh args on separate lines + * added authoritative nameserver autopkgtest + * Avoid including git version in debian packages + * fix broken python + * fix up get_user + * autopkgtest: test upgrade/conversion tooling + + -- Daniel Kahn Gillmor Wed, 07 Nov 2018 22:55:37 +0700 + +knot (2.7.3-1) unstable; urgency=medium + + * new upstream release + + -- Daniel Kahn Gillmor Mon, 15 Oct 2018 17:21:51 -0400 + +knot (2.7.2-2) unstable; urgency=medium + + * d/rules: try moving DEB_HOST_ARCH check for -latomic + * mips and powerpc both appear to build fine without -latomic + + -- Daniel Kahn Gillmor Wed, 29 Aug 2018 16:07:02 -0400 + +knot (2.7.2-1) unstable; urgency=medium + + * new upstream release + * try to fix up architecture selection + + -- Daniel Kahn Gillmor Wed, 29 Aug 2018 10:34:56 -0400 + +knot (2.7.1-3) unstable; urgency=medium + + [ Daniel Salzman ] + * remove obsolete dependency 
libjansson-dev + * remove obsolete --with-bash-completions + + -- Daniel Kahn Gillmor Mon, 27 Aug 2018 19:18:20 -0400 + +knot (2.7.1-2) unstable; urgency=medium + + * Standards-Version: bump to 4.2.1 (no changes needed) + * add -latomic to riscv64 arch as well + + -- Daniel Kahn Gillmor Mon, 27 Aug 2018 19:06:08 -0400 + +knot (2.7.1-1) unstable; urgency=medium + + * new upstream release + * SONAME bumps: move to libknot8, libdnssec6, and libzscanner2 + * adopted pykeymgr from upstream, renaming to + /usr/lib/knot/kasp_json2lmdb + * ship manpages with dh_installman + * kjournalprint is now a shipped as a system administration utility + * avoid more autogened files on package import + * drop THANKS, no longer shipped upstream + * update symbols files + * Standards-Version: bump to 4.2.0 (no changes needed) + * clean up kdns-utils description + * added libcap-ng to build-deps + * move to libidn2 + * d/copyright: correct license of TAP sources + * added build-dep on libmaxminddb-dev for GeoIP module + * Only conditionally add -latomic based on the platform + * record notes about dynamic modules instead of static modules + + -- Daniel Kahn Gillmor Fri, 24 Aug 2018 18:02:44 -0400 + +knot (2.6.8-2) unstable; urgency=medium + + * d/knot.NEWS: fix spelling (thanks, Lintian!) 
+ * refresh patches + * Standards-Version: bump to 4.1.5 (no changes needed) + + -- Daniel Kahn Gillmor Tue, 10 Jul 2018 16:14:48 -0400 + +knot (2.6.8-1) unstable; urgency=medium + + * New upstream version 2.6.8 + + -- Daniel Salzman Tue, 10 Jul 2018 16:23:19 +0200 + +knot (2.6.7-2) unstable; urgency=medium + + * use knot@packages.debian.org as Maintainer (Closes: #899825) + + -- Daniel Kahn Gillmor Thu, 24 May 2018 16:00:33 -0400 + +knot (2.6.7-1) unstable; urgency=medium + + * New upstream version 2.6.7 + + -- Daniel Salzman Thu, 17 May 2018 13:18:22 +0200 + +knot (2.6.6-2) unstable; urgency=medium + + [ Daniel Salzman ] + * Remove already included patches + * Add new symbol to libknot7.symbols + * Update changelog for 2.6.6-1 release + + [ Daniel Kahn Gillmor ] + * standards-version: bump to 4.1.4 (no changes needed) + * clean up libknot7.symbols + * prepare debian release + + -- Daniel Kahn Gillmor Mon, 23 Apr 2018 02:07:36 -0400 + +knot (2.6.5-3) unstable; urgency=medium + + * accept suggestions from the Multiarch hinter + * d/tests/control: rely on ca-certificates to validate the + DNS-over-TLS cert + + -- Daniel Kahn Gillmor Sun, 25 Feb 2018 15:49:46 -0800 + +knot (2.6.5-2) unstable; urgency=medium + + * re-ship /usr/lib/$(DEB_HOST_MULTIARCH)/knot" (Closes: #891319) + + -- Daniel Kahn Gillmor Sun, 25 Feb 2018 10:17:49 -0800 + +knot (2.6.5-1) unstable; urgency=medium + + * new upstream release + + [ Daniel Salzman ] + * Update uploaders and dependencies in the control file + * Downgrade 'Recommends' to 'Suggests' for systemd + * Update upstream signing key + + [ Daniel Kahn Gillmor ] + * wrap-and-sort -ast + * add myself to uploaders + * move to debhelper 11 + * Standards-Version: 4.1.3 (no changes needed) + * build-depend on python3-sphinx instead of python-sphinx + * d/gbp.conf: clean up, use DEP-14 + * dh11: apply --fail-missing only to dh_missing + * remove doc/modules symlink on clean + * Use python3 instead of python2 for helper functions + * use 
python3 for pykeymgr + * move knot from python 2 to python 3 + * Move python3-lmdb to Recommends + * d/TODO: note future debian packaging work + * knot-doc: use system jquery and underscore javascript + * include upstream VCS in git history + * d/control: add Rules-Requires-Root: no + * d/changelog: strip trailing whitespace + * ship upstream ChangeLog + * d/copyright: drop hat-trie, removed upstream + * d/*.NEWS: stop using asterisks + * stop declaring unnecessary dirs + * stop shipping /usr/lib/$(DEB_HOST_MULTIARCH)/knot + * add doc-base entry for knot-doc + * d/gbp.conf: improve cleanup during import-orig + * fix spelling errors in manpages + * info: fix direntry and category + * add really simple autopkgtest + + -- Daniel Kahn Gillmor Thu, 22 Feb 2018 23:38:33 -0800 + +knot (2.6.4-1) unstable; urgency=medium + + * Update Vcs-* links to salsa.d.o + * New upstream version 2.6.4 + + -- Ondřej Surý Thu, 04 Jan 2018 15:02:46 +0000 + +knot (2.6.3-1) unstable; urgency=medium + + * New upstream version 2.6.3 + + -- Ondřej Surý Fri, 24 Nov 2017 15:33:43 +0000 + +knot (2.6.1-2) unstable; urgency=medium + + * Add Breaks/Replaces for libdnssec5/libknot7 to remedy botched 2.6.0-1 + upload (Closes: #881638) + + -- Ondřej Surý Mon, 13 Nov 2017 19:58:35 +0000 + +knot (2.6.1-1) unstable; urgency=medium + + * New upstream version 2.6.1 + * Remove upstream patch for disabling TCP Fastopen + + -- Ondřej Surý Sun, 12 Nov 2017 03:11:26 +0000 + +knot (2.6.0-3) unstable; urgency=medium + + * kdig: disable TCP Fastopen by default as it breaks TLS connection + (Closes: #879079) + + -- Ondřej Surý Thu, 19 Oct 2017 08:22:18 +0000 + +knot (2.6.0-2) unstable; urgency=medium + + [ John Bond ] + * fix get_kasp and get_user to support unquoted ipv6 addresses + + -- Ondřej Surý Thu, 05 Oct 2017 13:08:26 +0000 + +knot (2.6.0-1) unstable; urgency=medium + + * New upstream version 2.6.0 + * Enable strict symbols checking + * Bump libknot 6->7 and libdnssec 4->5 SONAMEs and update symbols files + + 
-- Ondřej Surý Fri, 29 Sep 2017 19:46:41 +0200 + +knot (2.5.4-2) unstable; urgency=medium + + * Drop conflicting links to dig, nsupdate and host (Closes: #741645) + * Build-Depend on latexmk (Closes: #872203) + + -- Ondřej Surý Mon, 18 Sep 2017 07:11:39 +0200 + +knot (2.5.4-1) unstable; urgency=medium + + * New upstream version 2.5.4 + + -- Ondřej Surý Fri, 01 Sep 2017 09:03:02 +0200 + +knot (2.5.3-3) unstable; urgency=medium + + * Simple rebuild to make knot-doc arch:all again. + + -- Ondřej Surý Wed, 26 Jul 2017 14:41:26 +0200 + +knot (2.5.3-2) unstable; urgency=medium + + * Disable dh-exec usage as #831786 breaks dh_install --fail-missing + (Closes: #869199) + + -- Ondřej Surý Mon, 24 Jul 2017 10:26:09 +0200 + +knot (2.5.3-1) unstable; urgency=medium + + * New upstream version 2.5.3 + + -- Ondřej Surý Sat, 15 Jul 2017 07:26:12 +0200 + +knot (2.5.2-1) unstable; urgency=medium + + * New upstream version 2.5.2 + * Remove all patches merged upstream + + -- Ondřej Surý Fri, 23 Jun 2017 11:46:34 +0200 + +knot (2.5.1-4) unstable; urgency=medium + + * Create the modules M-A directory to workaround the bug that fails to + start knot when modules directory is missing + + -- Ondřej Surý Thu, 15 Jun 2017 11:32:09 +0200 + +knot (2.5.1-3) unstable; urgency=medium + + * Enable dnstap module and set default moduledir to multiarch path + + -- Ondřej Surý Thu, 15 Jun 2017 08:32:34 +0200 + +knot (2.5.1-2) unstable; urgency=medium + + * Explicitly exclude example.com.zone to support older debhelpers + * Add patch to fix duplicate section merging in the config + + -- Ondřej Surý Fri, 09 Jun 2017 13:47:17 +0200 + +knot (2.5.1-1) unstable; urgency=medium + + * New upstream version 2.5.1 + * Remove upstream patches released as Knot DNS 2.5.1 + + -- Ondřej Surý Wed, 07 Jun 2017 16:04:16 +0200 + +knot (2.5.0-2) unstable; urgency=medium + + * Add upstream patches to fix old DNSSEC installations + * Skip already converted kasp-db directories + * Install pykeymgr from upstream tarball + + 
-- Ondřej Surý Wed, 07 Jun 2017 14:20:38 +0200 + +knot (2.5.0-1) unstable; urgency=medium + + * New upstream version 2.5.0 + * Update maintscript to use dh-exec and remove obsolete cruft + * Bump the package names for libknot and libdnssec to match new + SOVERSIONs + * Simplify d/rules overrides + * Remove not-installed files from d/*.install + * Install local copy of pykeymgr (not included in the source + distribution) + * Add python-lmdb for pykeymgr migration utility + + -- Ondřej Surý Wed, 07 Jun 2017 11:03:22 +0200 + +knot (2.4.3-1) unstable; urgency=medium + + * New upstream version 2.4.3 + + -- Ondřej Surý Tue, 11 Apr 2017 21:17:47 +0200 + +knot (2.4.2-1) unstable; urgency=medium + + * New upstream version 2.4.2 + + -- Ondřej Surý Thu, 23 Mar 2017 11:47:52 +0100 + +knot (2.4.1-2) unstable; urgency=medium + + * Enable dnstap module + + -- Ondřej Surý Mon, 27 Feb 2017 11:35:15 +0100 + +knot (2.4.1-1) unstable; urgency=medium + + * New upstream version 2.4.1 + + -- Ondřej Surý Fri, 10 Feb 2017 13:54:24 +0100 + +knot (2.4.0-3) unstable; urgency=medium + + * Fix timeout call syntax in dh_auto_test invocation + + -- Ondřej Surý Wed, 25 Jan 2017 15:10:04 +0100 + +knot (2.4.0-2) unstable; urgency=medium + + * Add -latomic to LDFLAGS to fix FTBFS on platforms that need it + + -- Ondřej Surý Mon, 23 Jan 2017 11:41:59 +0100 + +knot (2.4.0-1) unstable; urgency=medium + + * Fix gbp.conf to be readable by git config --file debian/gbp.conf on Jessie + * New upstream version 2.4.0 + * Bump libknot SONAME 4->5 + * Update symbols files for 2.4.0 release + + -- Ondřej Surý Fri, 20 Jan 2017 12:15:30 +0100 + +knot (2.3.3-1) unstable; urgency=medium + + [ Daniel Kahn Gillmor ] + * Use secure URLs where possible + * Clean up debian/copyright. 
+ * Drop duplicate Source: lines (clears lintian binary-control-field-duplicates-source) + * Avoid using asterisk in NEWS (clears lintian debian-news-entry-uses-asterisk) + * Knot needs a dependency on lsb-base (clears lintian init.d-script-needs-depends-on-lsb-base) + * Filter auto-reconfed files out during future gbp import-orig operations + * debian/control: clean up Description: lines + * Added Documentation= to knot.service + + [ Ondřej Surý ] + * Imported Upstream version 2.3.3 + * Add kjournalprint to knot package + + -- Ondřej Surý Thu, 08 Dec 2016 14:49:31 +0100 + +knot (2.3.2-1) unstable; urgency=medium + + * Imported Upstream version 2.3.2 + * Add new symbols to libknot4.symbols + + -- Ondřej Surý Fri, 04 Nov 2016 11:31:33 +0100 + +knot (2.3.1-1) unstable; urgency=medium + + * Imported Upstream version 2.3.1 + * Bump libknot3 to libknot4 + * kzonecheck was moved to /usr/bin + + -- Ondřej Surý Mon, 10 Oct 2016 12:01:41 +0200 + +knot (2.3.0-4) unstable; urgency=medium + + * Don't fail if there's no knot user defined + * Don't list explicit -c or -C path and let daemon figure it out + + -- Ondřej Surý Thu, 15 Sep 2016 12:44:57 +0200 + +knot (2.3.0-3) unstable; urgency=medium + + * Ignore the test results if they don't finish within 5 minutes + * Correctly break/replace libzscanner0 that contained libzscanner.so.1 + + -- Ondřej Surý Thu, 11 Aug 2016 08:49:25 +0200 + +knot (2.3.0-2) unstable; urgency=medium + + * Move examples to knot-doc package (fix arch-only FTBFS) + + -- Ondřej Surý Wed, 10 Aug 2016 10:17:17 +0200 + +knot (2.3.0-1) unstable; urgency=medium + + * Imported Upstream version 2.3.0 + + Zone size limit restriction for DDNS, AXFR, and IXFR (CVE-2016-6171) + (Closes: #830809) + * Restructure d/rules so dh_install --fail-missing works again + * Upstream bumped SOVERSION to libknot3, libdnssec2 and libzscanner1 + + -- Ondřej Surý Wed, 10 Aug 2016 09:16:35 +0200 + +knot (2.2.1-2) unstable; urgency=high + + * Add texlive-generic-extra to B-D for 
missing iftex.sty + (Closes: #829428) + + -- Ondřej Surý Mon, 11 Jul 2016 11:47:34 +0200 + +knot (2.2.1-1) unstable; urgency=medium + + * Imported Upstream version 2.2.1 + + -- Ondřej Surý Tue, 24 May 2016 17:48:16 +0200 + +knot (2.2.0-3) unstable; urgency=medium + + * knotc checkconf is not knotc conf-check (Closes: #823574) + + -- Ondřej Surý Fri, 20 May 2016 14:22:11 +0200 + +knot (2.2.0-2) unstable; urgency=medium + + * Do dbgsym migration of debug symbols + + -- Ondřej Surý Wed, 27 Apr 2016 17:43:59 +0200 + +knot (2.2.0-1) unstable; urgency=medium + + * confdb should be in /var/lib/knot/ by default + * Imported Upstream version 2.2.0 + * Add libedit-dev to Build-Depends + + -- Ondřej Surý Wed, 27 Apr 2016 10:10:10 +0200 + +knot (2.1.1-2) unstable; urgency=medium + + * Add python to Depends and run wrap-and-sort -a + * Parse correct /etc/default/knot instead of /etc/default/knotd + + -- Ondřej Surý Fri, 15 Apr 2016 17:18:02 +0200 + +knot (2.1.1-1) unstable; urgency=medium + + * Imported Upstream version 2.1.1 + + -- Ondřej Surý Wed, 10 Feb 2016 20:01:44 +0100 + +knot (2.1.0-3) unstable; urgency=medium + + * Add small python helper programs to get values from knot.conf + + -- Ondřej Surý Mon, 25 Jan 2016 12:44:00 +0100 + +knot (2.1.0-2) unstable; urgency=medium + + * Revert "Run keymgr init on every upgrade (just to be sure it happens)" + * Add support for relative directories in kasp-db + + -- Ondřej Surý Thu, 14 Jan 2016 11:46:35 +0100 + +knot (2.1.0-1) unstable; urgency=medium + + * Set knot user home directory to /var/lib/knot + * Imported Upstream version 2.1.0 + * Run keymgr init on every upgrade (just to be sure it happens) + + -- Ondřej Surý Thu, 14 Jan 2016 10:55:26 +0100 + +knot (2.1.0~rc1-55-gf227348-1) unstable; urgency=medium + + * Add libgnutls28-dev and libjansson-dev as dependencies to libknot-dev + to satisfy pkg-config requirements + * Imported Upstream version 2.1.0~rc1-55-gf227348 + * Automatically upgrade all KASP databases found in the 
configuration + and restart the server afterwards when upgrading from 2.0.x to 2.1.x + + -- Ondřej Surý Wed, 13 Jan 2016 14:03:17 +0100 + +knot (2.1.0~rc1-52-gd80ce77-1) unstable; urgency=medium + + * Imported Upstream version 2.1.0~rc1-52-gd80ce77 + + -- Ondřej Surý Tue, 12 Jan 2016 16:56:12 +0100 + +knot (2.0.2-1) unstable; urgency=medium + + * Imported Upstream version 2.0.2 + * Delete d/p/series as we carry no patches + + -- Ondřej Surý Tue, 24 Nov 2015 19:59:56 +0100 + +knot (2.0.1-4) unstable; urgency=medium + + * Split knot-libs into individual library packages + * Add knot.default file and use it from systemd and init.d scripts + + -- Ondřej Surý Mon, 05 Oct 2015 20:34:02 +0200 + +knot (2.0.1-3) unstable; urgency=medium + + * The upstart conffile ends with .conf, fix the stale conffile removal + + -- Ondřej Surý Mon, 21 Sep 2015 13:54:42 +0200 + +knot (2.0.1-2) unstable; urgency=medium + + * Compile the production version with NDEBUG + * Remove stale upstart init script via dpkg-maintscript-helper rm_config + + -- Ondřej Surý Mon, 14 Sep 2015 13:41:29 +0200 + +knot (2.0.1-1) unstable; urgency=medium + + * Imported Upstream version 2.0.1 + * Fix the do_tmpfiles() in sysvrc script (Courtesy of Daniel Baumann) + (Closes: #796921) + * Disable -pedantic as it causes errors to be thrown in the tests + + -- Ondřej Surý Thu, 03 Sep 2015 10:56:16 +0200 + +knot (2.0.0-1+0) unstable; urgency=medium + + * Bump the version to workaround ~exp* higher than ~bpo* + + -- Ondřej Surý Mon, 17 Aug 2015 15:05:37 +0200 + +knot (2.0.0-1) unstable; urgency=medium + + * New upstream version 2.0.0 + + Bugfixes: + - Fix lost NOTIFY message if received during zone transfer + - Disable fast zone parser when compiled in Clang (workaround for Clang bug) + - kdig: Record correct dnstap SocketProtocol when retrying over TCP + - kdig: Hide TSIG section with +noall + - Do not set AA flag for AXFR/IXFR queries + + Features: + - DNSSEC: separate library, switch to GnuTLS, new utilities + - 
DNSSEC: basic KASP support (generate initial keys, ZSK rollover) + - Configuration: New text format in YAML, binary store in LMDB + - Zone parser: Split long TXT/SPF strings into multiple strings + - kdig: Add generic dump style option (+generic) + - Try all master servers in multi-master environment + - Improved remotes and ACLs (multiple addresses, multiple keys) + - Basic support for zone file patterns (%s to substitute zone name) + - Disable zone file synchronization by setting 'zonefile_sync' to '-1' + - knsupdate: Add input prompt in interactive mode and 'quit' command + - knsupdate: Allow TSIG algorithm specification in interactive prompt + + Improvements: + - Zone dump: Do not write class for SOA record (unified with other RR types) + - Zone dump: Do not write master server address into the zone file + - Documentation: Manual pages are included in HTML and PDF + * Install knot1to2 configuration file conversion tool + * Automatically convert knot.conf with some safety-checks + * Add note about the conversion to debian/knot.NEWS + * Make the build libsystem-{daemon,journal}-dev friendly to allow Ubuntu + and backported builds + + -- Ondřej Surý Mon, 17 Aug 2015 11:56:43 +0200 + +knot (2.0.0-1~exp2) experimental; urgency=medium + + * Update prepare-environment to match the new config file syntax + + -- Ondřej Surý Thu, 30 Jul 2015 09:26:52 +0200 + +knot (2.0.0-1~exp1) experimental; urgency=medium + + * New upstream version 2.0.0 + + Bugfixes: + - Fix lost NOTIFY message if received during zone transfer + - Disable fast zone parser when compiled in Clang (workaround for Clang bug) + - kdig: Record correct dnstap SocketProtocol when retrying over TCP + - kdig: Hide TSIG section with +noall + - Do not set AA flag for AXFR/IXFR queries + + Features: + - DNSSEC: separate library, switch to GnuTLS, new utilities + - DNSSEC: basic KASP support (generate initial keys, ZSK rollover) + - Configuration: New text format in YAML, binary store in LMDB + - Zone parser: Split 
long TXT/SPF strings into multiple strings + - kdig: Add generic dump style option (+generic) + - Try all master servers in multi-master environment + - Improved remotes and ACLs (multiple addresses, multiple keys) + - Basic support for zone file patterns (%s to substitute zone name) + - Disable zone file synchronization by setting 'zonefile_sync' to '-1' + - knsupdate: Add input prompt in interactive mode and 'quit' command + - knsupdate: Allow TSIG algorithm specification in interactive prompt + + Improvements: + - Zone dump: Do not write class for SOA record (unified with other RR types) + - Zone dump: Do not write master server address into the zone file + - Documentation: Manual pages are included in HTML and PDF + * Install knot1to2 configuration file conversion tool + * Automatically convert knot.conf with some safety-checks + * Add note about the conversion to debian/knot.NEWS + * Make the build libsystem-{daemon,journal}-dev friendly to allow Ubuntu + and backported builds + + -- Ondřej Surý Mon, 29 Jun 2015 10:40:45 +0200 + +knot (1.6.1-1) unstable; urgency=medium + + * New upstream version 1.6.1 + + -- Ondřej Surý Tue, 30 Dec 2014 09:50:54 +0100 + +knot (1.6.0-1) unstable; urgency=medium + + * New upstream version 1.6.0 + * Switch to network-online.target to mitigate some network not-yet-ready races + * Recommend systemd due journald enabled logging (Closes: #766596) + + -- Ondřej Surý Fri, 24 Oct 2014 12:41:32 +0200 + +knot (1.6.0~rc2-1) unstable; urgency=medium + + * New upstream version 1.6.0~rc2 + * Update patches for 1.6.0~rc2 release + + -- Ondřej Surý Fri, 17 Oct 2014 17:32:30 +0200 + +knot (1.6.0~rc1-1) unstable; urgency=medium + + * New upstream version 1.6.0~rc1 + * Knot needs lmdb for persistent timers + + -- Ondřej Surý Mon, 13 Oct 2014 23:06:56 +0200 + +knot (1.5.3-1) unstable; urgency=medium + + * Move knot-libs to Section: net (Closes: #760795) + * New upstream version 1.5.3 + + -- Ondřej Surý Mon, 15 Sep 2014 17:00:08 +0200 + +knot 
(1.5.2-1) unstable; urgency=high + + * Update Vcs-Urls to point to anonscm.debian.org + * New upstream version 1.5.2 + + [CVE-2014-0486]: Fixed remote crash with crafted DNS message + * Update patches for 1.5.2 release + + -- Ondřej Surý Mon, 08 Sep 2014 11:11:56 +0200 + +knot (1.5.1-3) unstable; urgency=high + + * More arch/indep build rules splitting to fix binary-arch-only builds + * Add lintian override to override warning about internal libraries in + knot-libs + + -- Ondřej Surý Tue, 26 Aug 2014 09:43:05 +0200 + +knot (1.5.1-2) unstable; urgency=medium + + * Enable full hardening via debhelper >= 9 + * Enable IDN in knot-dnsutils and knot-host packages + * Enable systemd libraries only on linux-any + * Split arch and indep builds to build the documentation just once + * Drop ragel from build depends to allow arm64 builds + + -- Ondřej Surý Mon, 25 Aug 2014 15:54:34 +0200 + +knot (1.5.1-1) unstable; urgency=medium + + * New upstream version 1.5.1 + * Enable systemd notification mechanism + * Enable systemd journal enhanced logging + + -- Ondřej Surý Wed, 20 Aug 2014 10:45:18 +0200 + +knot (1.5.0-1) unstable; urgency=medium + + * New upstream version 1.5.0 + + Features: + - Pluggable query processing modules + - Synthetic IPv4/IPv6 reverse/forward records (optional module) + - dnstap support in both utilities & server (optional module) + - NOTIFY message support and new TSIG section in kdig + - Multi-master support + - edns-client-subnet support in kdig + - Optional asynchronous startup (config "asynchronous-start") + - DDNS forwarding reimplemented + + Improvements: + - Query processing and core functionality overhaul + - Performance and reduced memory footprint + - Faster zone events scheduling + - RFC compliant queries/responses in some corner cases + - Log messages + - New documentation (Sphinx) + - Transfer sizes logged in bytes if needed + - Logging outgoing NOTIFY messages + - Logging unauthorized incoming NOTIFYs + - Preempt task queue for faster reload 
+ - Lazy zone file write after zone transfer (governed by "zonefile-sync") + + Bugfixes: + - Close zone transfer after SERVFAIL response + - Incremental to full zone transfer fallback, wrong log message + - Zone events corner cases, reload replanning + - Zone flush planning after bootstrap + - Incorrect incoming AXFR message sizes + - DDNS signing changes were freed too soon, posibility of stale data + - knotc remote control key handling + * Debian packaging: + + d/control: New documentation is using sphinx + + d/control: New knot-libs package containing internal shared libraries + + -- Ondřej Surý Wed, 09 Jul 2014 13:08:26 +0200 + +knot (1.4.6+hotfix-1) unstable; urgency=medium + + * New upstream version 1.4.6+hotfix + + -- Ondřej Surý Thu, 22 May 2014 15:39:07 +0200 + +knot (1.4.6-1) unstable; urgency=medium + + * New upstream version 1.4.6 + * Update patches for 1.4.6 release + + -- Ondřej Surý Thu, 22 May 2014 13:15:14 +0200 + +knot (1.4.5-2) unstable; urgency=high + + * Re-upload to fix botched amd64 upload in 1.4.5-1 + + -- Ondřej Surý Tue, 22 Apr 2014 14:58:30 +0200 + +knot (1.4.5-1) unstable; urgency=high + + * New upstream version 1.4.5 + + Fix possible weakness in TSIG signature checking + * Refresh patches for 1.4.5 release + * Use dh-autoreconf to regenerate autotools files + + -- Ondřej Surý Mon, 14 Apr 2014 15:11:12 +0200 + +knot (1.4.4-1) unstable; urgency=medium + + * New upstream version 1.4.4 + + Server is logging remote control commands + + 'knotc reload' doesn't refresh unchanged zones + + 'knotc -f refresh' forces zone retransfer + + Fixed missing notifications after DDNS/automatic resign + + Zone is rebootstrapped if the zone file is unreadable + + Progressive bootstrap retry backoff + + Zone file parser now allows asterisk as part of the label + + Fix journal maximum entry size + + Sign DNSKEYs in non-apex nodes as regular RR sets + + Various spelling and typo fixes (Courtesy of Robert Edmonds) + + -- Ondřej Surý Thu, 27 Mar 2014 15:49:54 
+0100 + +knot (1.4.3-2) unstable; urgency=medium + + * Add support for autotools-dev and dh-systemd + * Enable parallel builds in dh invocation + + -- Ondřej Surý Tue, 18 Feb 2014 13:44:13 +0100 + +knot (1.4.3-1) unstable; urgency=low + + * New upstream version 1.4.3 + + -- Ondřej Surý Tue, 18 Feb 2014 13:03:42 +0100 + +knot (1.4.2-1) unstable; urgency=low + + * New upstream version 1.4.2 + * Update OpenSSL << 1.0.0 compatibility patch + + -- Ondřej Surý Mon, 27 Jan 2014 16:14:33 +0100 + +knot (1.4.1-2) unstable; urgency=low + + * Add patch to remove the requirement for OpenSSL 1.0.0 to build on + Debian squeeze, be warned though that the OpenSSL before 1.0.0 might + manifest some threading errors and crashes, so you really should + upgrade your system to Debian wheezy. + + -- Ondřej Surý Thu, 23 Jan 2014 16:53:03 +0100 + +knot (1.4.1-1) unstable; urgency=low + + * New upstream version 1.4.1 + + Empty APL record support + + 'zonestatus' when using immediate zone syncing + + Immediate zone syncing after reload + + Race condition writing time values to zone file + + Require OpenSSL >= 1.0.0 + * Don't use dh-autoreconf, upstream uses recent enough autotools + * Bump standards version to 3.9.5 + * Run the tests on every arch without the condition, but don't fail + anywhere + + -- Ondřej Surý Mon, 13 Jan 2014 18:00:18 +0100 + +knot (1.4.0-1) unstable; urgency=low + + * New major upstream version 1.4.0 + + Experimental automatic DNSSEC signing + + Fastest ragel parser enabled by default + + Reduced memory usage + + Zone SOA SERIAL policies (INCREMENT, UNIXTIME) for DDNS and + automatic DNSSEC signing + + IDN support in Knot utilities (kdig, knsupdate, ...) 
+ + DNSSEC: support for GOST algorithm + + Support for DNSSEC key pre-publication + * Remove PATH_MAX patch, it's already included in upstream + * Run the tests on all archs, but don't fail the build if the tests fail + on broken archs + * Update watch file to match (alpha|beta|rc)\d* versions + + -- Ondřej Surý Mon, 06 Jan 2014 11:00:07 +0100 + +knot (1.4.0~rc2-1) experimental; urgency=low + + * New upstream version 1.4.0~rc2 + + -- Ondřej Surý Fri, 13 Dec 2013 17:53:26 +0100 + +knot (1.4.0~rc1-1) experimental; urgency=low + + * Disable tests on GNU Hurd + * New upstream version 1.4.0~rc1 + + -- Ondřej Surý Mon, 25 Nov 2013 16:19:27 +0100 + +knot (1.4.0~beta-1) experimental; urgency=low + + * New upstream version 1.4.0~beta + * Update patches for 1.4.0~beta release + * Disable fastparser since the ragel is broken in one test + * Add knsec3hash to knot package + + -- Ondřej Surý Tue, 29 Oct 2013 12:25:49 +0100 + +knot (1.3.4-1) unstable; urgency=low + + * Disable tests on GNU Hurd + * New upstream version 1.3.4 + + -- Ondřej Surý Fri, 13 Dec 2013 17:23:52 +0100 + +knot (1.3.3-1) unstable; urgency=low + + * New upstream version 1.3.3 + + -- Ondřej Surý Mon, 28 Oct 2013 11:40:13 +0100 + +knot (1.3.2-3) unstable; urgency=low + + * Add ufw applications.d rule for Knot DNS + * Disable recvmmsg on GNU Hurd (since recvmmsg is not implemented on GNU + Hurd and will always fail) + * Enable fastparser (requires Ragel) + + -- Ondřej Surý Fri, 11 Oct 2013 17:23:35 +0200 + +knot (1.3.2-2) unstable; urgency=low + + * Define #PATH_MAX to make GNU Hurd happy + * Don't enable LTO, it doesn't play well with debugging symbols + + -- Ondřej Surý Sun, 06 Oct 2013 01:57:13 +0200 + +knot (1.3.2-1) unstable; urgency=low + + * New upstream version 1.3.2 + * Enable link-time-optimizations by default + + -- Ondřej Surý Mon, 30 Sep 2013 15:04:01 +0200 + +knot (1.3.1-1) unstable; urgency=low + + * New upstream version 1.3.1 + * Add new debian/watch file (Courtesy of Debian QA) + * Bump 
standards to 3.9.4 + * Stop using /lib/init/vars.sh, we don't use $VERBOSE anymore anyway + * Drop syslog.target as it is not needed anymore + * Remove SSE detection patch as it was merged upstream + + -- Ondřej Surý Tue, 27 Aug 2013 14:27:44 +0200 + +knot (1.3.0-2) unstable; urgency=low + + * Disable SSE detection in the packaged version of Knot DNS + + -- Ondřej Surý Fri, 16 Aug 2013 13:04:39 +0200 + +knot (1.3.0-1) unstable; urgency=low + + * New upstream version 1.3.0 + * Remove upstream patch from 1.3.0~rc5-2 as it is included in + this release. + + -- Ondřej Surý Mon, 05 Aug 2013 17:01:23 +0200 + +knot (1.3.0~rc5-2) unstable; urgency=low + + * Pull some pre 1.3.0 patches (mainly to test before release): + + Initialize secondary groups for user .. + + Reworked CH TXT records support (RFC 4892). + + Fixed inactive xfers may be disconnected depending on the previous + result. + + Add server starting information to log. + + -- Ondřej Surý Mon, 05 Aug 2013 10:39:48 +0200 + +knot (1.3.0~rc5-1) unstable; urgency=low + + * New upstream version 1.3.0~rc5 + * Remove last upstream patch, all our changes have been merged. Yay\! 
+ + -- Ondřej Surý Mon, 29 Jul 2013 17:15:56 +0200 + +knot (1.3.0~rc4-2) unstable; urgency=low + + * Disable tests on big endian architectures (but the code still needs to + be fixed) + + -- Ondřej Surý Tue, 23 Jul 2013 14:07:39 +0200 + +knot (1.3.0~rc4-1) unstable; urgency=low + + * New upstream version 1.3.0~rc4 + * Add upstream patch to honour CONFIG_DIR + * Remove now obsolete patch to run as knot:knot + * The knot/ is now added by upstream to @sysconfdir@ + + -- Ondřej Surý Mon, 15 Jul 2013 15:15:05 +0200 + +knot (1.3.0~rc3-2) unstable; urgency=low + + * Add proper support for upstart and systemd along with sysvinit + * Add /usr/lib/knot/prepare-environment script which will parse + knot configuration file and properly create rundir and set + correct permissions to configured values in /etc/knot/knot.conf + * Remove /etc/default/knot since the values are now parsed + directly from the configuration file + * Add /var/lib/knot to knot.dirs, so it gets created on package + install + * Drop checking for $VERBOSE variable and properly log start/stop from + sysvinit script + + -- Ondřej Surý Tue, 02 Jul 2013 13:08:33 +0200 + +knot (1.3.0~rc3-1) unstable; urgency=low + + * New upstream version 1.3.0~rc3 + * Packaging changes: + + Use --fail-missing to check for all new files + + Remove obsolete patches and update installed conffile with latest + options + + Don't install knot-zcompile as it is no more + + Install minimal example configuration file as /etc/knot/knot.conf + + Add --disable-silent-rules to configure invocation + + Add patch to fix missing $(DESTDIR) in src/Makefile.am + + Set --with-rundir and --with-storage to correct locations + + Run under knot:knot by default (create and delete knot user) + + Add knot-dnsutils and knot-host packages + + Add patch to move knot-{host,dnsutils} manpages to correct location + + Add samples/knot.{full,keys}.conf and example zone to examples. 
+ * Add knot-doc package with generated documentation (PDF and HTML) + + -- Ondřej Surý Fri, 28 Jun 2013 12:59:55 +0200 + +knot (1.2.0-2) unstable; urgency=low + + * /etc/init.d/knot now sources /etc/default/knot instead of + /etc/init.d/knotd (Closes: #707683) + * Pull upstream fix for pidfile creation before dropping priviledges + (Closes: #707685) + * Enable SSE2 support again (we will simply not support anything older + than Pentium M) + + -- Ondřej Surý Wed, 26 Jun 2013 14:41:04 +0200 + +knot (1.2.0-1) unstable; urgency=low + + * Imported Upstream version 1.2.0 + + Final release. + + Some small memory leaks fixes. + + -- Ondřej Surý Wed, 03 Apr 2013 09:16:25 +0200 + +knot (1.2.0~rc4-1) unstable; urgency=low + + * Imported Upstream version 1.2.0~rc4 + + knotc 'zonestatus' command + + Changing logfile ownership before dropping privileges + + knotc respects 'control' section from configuration + + RRL: resolved bucket collisions + + RRL: updated bucket mapping to conform RRL technical memo + + -- Ondřej Surý Fri, 22 Mar 2013 15:35:50 +0100 + +knot (1.2.0~rc3-1) unstable; urgency=low + + * Imported Upstream version 1.2.0~rc3 + + New functionality: Response Rate Limiting as a response to + reflection DNS DDoS attacks in the wild + + Add missing RRSIG in ANY queries + + -- Ondřej Surý Fri, 01 Mar 2013 13:24:28 +0100 + +knot (1.2~rc2-1) unstable; urgency=low + + * Imported Upstream version 1.2~rc2 + * Fix git location + * Update patches for 1.2 release + + -- Ondřej Surý Mon, 18 Feb 2013 12:40:01 +0100 + +knot (1.1.3-1) unstable; urgency=low + + * Imported Upstream version 1.1.3 + + -- Ondřej Surý Thu, 20 Dec 2012 10:50:41 +0100 + +knot (1.1.3~rc1-1) unstable; urgency=low + + * Imported Upstream version 1.1.3~rc1 + + Fixed answering DS queries (RRSIGs not together with DS, AA bit + missing). + + Fixed setting ARCOUNT in some error responses with EDNS enabled. + + Fixed crash when compiling zone zone with NSEC3PARAM but no NSEC3 + and semantic checks enabled. 
+ + -- Ondřej Surý Fri, 07 Dec 2012 11:19:35 +0100 + +knot (1.1.2-1) unstable; urgency=low + + * Imported Upstream version 1.1.2 + + -- Ondřej Surý Wed, 21 Nov 2012 14:45:34 +0100 + +knot (1.1.2~rc1-1) unstable; urgency=low + + * Imported Upstream version 1.1.2~rc1 + * Update patches for new release + + -- Ondřej Surý Wed, 14 Nov 2012 14:04:17 +0100 + +knot (1.1.1-1) unstable; urgency=low + + * Imported Upstream version 1.1.1 + * Update and remove obsolete patches for new release + + -- Ondřej Surý Wed, 31 Oct 2012 10:42:09 +0100 + +knot (1.1.0-5) unstable; urgency=low + + * Disable SSE2 instruction set, might solve some strange crashes. + + -- Ondřej Surý Wed, 10 Oct 2012 13:09:54 +0200 + +knot (1.1.0-4) unstable; urgency=low + + * Disable extra hardening via dpkg-buildflags, which is not needed + by debhelper 9, but breaks builds on squeeze + * Install man5 and knot.info documentation + + -- Ondřej Surý Mon, 03 Sep 2012 16:43:26 +0200 + +knot (1.1.0-3) unstable; urgency=low + + * Bump dependency on debhelper >= 9 + * Bump standards version to 3.9.3 + * Fix installation of manpages to correct directories + + -- Ondřej Surý Mon, 03 Sep 2012 16:02:11 +0200 + +knot (1.1.0-2) unstable; urgency=low + + * Disable AM_MAINTAINER_MODE and re-run autoreconf -fi + * Enable hardening build by default + * Update pidfile patch to 1.1.0 + * Cope with default MultiArch in dh_compat==9 and don't install + unittests* binaries + + -- Ondřej Surý Mon, 03 Sep 2012 15:32:53 +0200 + +knot (1.1.0-1) unstable; urgency=low + + * Imported Upstream version 1.1.0 + - User manual now available. + - Optionally disable ANY queries for authoritative answers. + - Dropping identical records in zone and incoming transfers. + - Support for '/' in zone names. + - Generating journal from reloaded zone (EXPERIMENTAL). + - Outgoing-only interfaces in configuration file. + - Following DNAME if the synthetized name is in the same zone. + - IXFR-in optimized. + - Many zones loading optimized. 
+ - Signing SOA with TSIG queries when checking zone version with master. + * Enable maintainer mode to generate version.texi as a workaround. + + -- Ondřej Surý Fri, 31 Aug 2012 16:27:07 +0200 + +knot (1.0.6-1) unstable; urgency=low + + * Imported Upstream version 1.0.6 + - Add NSEC/NSEC3 for all wildcard CNAMEs in the response. + - Fixed potential problems with RCU synchronization. + + -- Ondřej Surý Wed, 13 Jun 2012 15:31:52 +0200 + +knot (1.0.5-1) unstable; urgency=low + + * Imported Upstream version 1.0.5 + - Fixed bug with creating journal files which didn't get merged + by accident + + -- Ondřej Surý Thu, 17 May 2012 12:25:27 +0200 + +knot (1.0.4-1) unstable; urgency=low + + * Imported Upstream version 1.0.4 + - Speed-up loading of many zones due parallelization + - Support for TLSA resource record (Type 52) + - New commands knotc checkzone and knotc refresh (forced update) + - Fixed responses to CNAME queries if the canonical name was also + an alias + - Fixed crash when NS or MX points to an alias + - Fixed crash when bootstraping/compiling a lot of zones + - Significant speed-up and memory usage reduction of IXFR-in + + -- Ondřej Surý Wed, 16 May 2012 09:33:26 +0200 + +knot (1.0.3-1) unstable; urgency=low + + * Imported Upstream version 1.0.3 + - Fixed bug in non-EDNS0 queries over TCP + - Zone compilation time regression fixed + + -- Ondřej Surý Wed, 18 Apr 2012 09:06:57 +0200 + +knot (1.0.2-1) unstable; urgency=low + + * Imported Upstream version 1.0.2 + - Bugfix release + + -- Ondřej Surý Fri, 13 Apr 2012 16:09:11 +0200 + +knot (1.0.1-1) unstable; urgency=low + + * Imported Upstream version 1.0.1 + - Implemented jitter to REFRESH/RETRY timers + - Fixed problem with creating IXFR journal for bootstrapped zone + - Fixed race condition in processing NOTIFY/SOA queries + - Fixed improper assignment of TSIG algorithm type + + -- Ondřej Surý Fri, 09 Mar 2012 20:18:37 +0100 + +knot (1.0.0-1) unstable; urgency=low + + * Imported Upstream version 1.0.0 + * 
Update pidfile patch + + -- Ondřej Surý Wed, 29 Feb 2012 18:46:13 +0100 + +knot (1.0~rc1-1) unstable; urgency=low + + * Imported Upstream version 1.0~rc1 + * Move knotd.pid to /var/run where it belongs + + -- Ondřej Surý Wed, 15 Feb 2012 21:12:56 +0100 + +knot (0.9.1-3) unstable; urgency=low + + * Install files into knot package (broken build after added debug + package) + + -- Ondřej Surý Mon, 23 Jan 2012 15:01:42 +0100 + +knot (0.9.1-2) unstable; urgency=low + + * Build knot-dbg package with debug symbols + + -- Ondřej Surý Mon, 23 Jan 2012 13:27:20 +0100 + +knot (0.9.1-1) unstable; urgency=low + + * Imported Upstream version 0.9.1 + + RRSet rotation functionality added + + New pseudo-random number generator (new BSD licensed) + + Fixed build on BSD + + Fixes in parsing and dumping of some RR types + * Add correct git-buildpackage configuration + * Update copyright for new PRNG + + -- Ondřej Surý Sat, 21 Jan 2012 15:47:30 +0100 + +knot (0.9-1) unstable; urgency=low + + * Imported Upstream version 0.9 + + Add TSIG support + + Several smaller bugfixes + * Add correct git-buildpackage configuration + * Imported Upstream version 0.9.1 + * Update copyright for new PRNG + + -- Ondřej Surý Sat, 21 Jan 2012 15:46:54 +0100 + +knot (0.8.1-1) unstable; urgency=low + + * Imported Upstream version 0.8.1 + + Correctly handle SPF resource records + + Fix wrong text dumping of unknown records. + + -- Ondřej Surý Thu, 01 Dec 2011 16:27:44 +0100 + +knot (0.8-1) unstable; urgency=low + + * Initial release (Closes: #647461) + * Add some dependencies in the init.d script + * Add flex and bison to b-d + * Add versioned dependency on liburcu + * Daemonize on the start + * Update copyright file to include all licenses + + -- Ondřej Surý Wed, 16 Nov 2011 07:14:55 +0100 diff --git a/debian/clean b/debian/clean new file mode 100644 index 0000000..7e5c111 --- /dev/null +++ b/debian/clean @@ -0,0 +1 @@ +doc/modules 
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..b4de394
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+11
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..3f1bd7f
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,228 @@ +Source: knot +Section: net +Priority: optional +Maintainer: knot packagers +Uploaders: + Ondřej Surý , + Daniel Salzman , + Daniel Kahn Gillmor , +Build-Depends-Indep: + ghostscript, + python3-sphinx, + texinfo, + texlive, + texlive-font-utils, + texlive-generic-extra, + texlive-latex-extra, +Build-Depends: + debhelper (>= 11~), + latexmk, + libcap-ng-dev, + libedit-dev, + libfstrm-dev, + libgnutls28-dev, + libidn2-dev, + liblmdb-dev, + libmaxminddb-dev, + libprotobuf-c-dev, + libsofthsm2 , + libsystemd-dev [linux-any] | libsystemd-daemon-dev [linux-any], + libsystemd-dev [linux-any] | libsystemd-journal-dev [linux-any], + liburcu-dev (>= 0.4), + pkg-config, + protobuf-c-compiler, + python3-yaml , +Standards-Version: 4.3.0 +Homepage: https://www.knot-dns.cz/ +Vcs-Browser: https://salsa.debian.org/dns-team/knot-dns +Vcs-Git: https://salsa.debian.org/dns-team/knot-dns.git +Rules-Requires-Root: no + +Package: knot +Architecture: any +Depends: + adduser, + libdnssec6 (= ${binary:Version}), + libknot8 (= ${binary:Version}), + libzscanner2 (= ${binary:Version}), + lsb-base (>= 3.0-6), + python3, + python3-yaml, + ${misc:Depends}, + ${shlibs:Depends}, +Recommends: + python3-lmdb, +Suggests: + systemd, +Description: Authoritative domain name server + Knot DNS is a fast, authoritative only, high performance, feature + full and open source name server. + . + Knot DNS is developed by CZ.NIC Labs, the R&D department of .CZ + registry and hence is well suited to run anything from the root + zone, the top-level domain, to many smaller standard domain names. 
+ +Package: libknot8 +Architecture: any +Multi-Arch: same +Depends: + ${misc:Depends}, + ${shlibs:Depends}, +Section: libs +Replaces: + knot-libs (<< 2.0.1-4), + libknot6 (<< 2.6.1-1~), +Breaks: + knot-libs (<< 2.0.1-4), + libknot6 (<< 2.6.1-1~), +Description: Authoritative domain name server (shared library) + Knot DNS is a fast, authoritative only, high performance, feature + full and open source name server. + . + Knot DNS is developed by CZ.NIC Labs, the R&D department of .CZ + registry and hence is well suited to run anything from the root + zone, the top-level domain, to many smaller standard domain names. + . + This package provides libknot shared library used by Knot DNS and + Knot Resolver. + +Package: libzscanner2 +Architecture: any +Multi-Arch: same +Depends: + ${misc:Depends}, + ${shlibs:Depends}, +Section: libs +Replaces: + knot-libs (<< 2.0.1-4), + libzscanner0 (<< 2.3.0~), +Breaks: + knot-libs (<< 2.0.1-4), + libzscanner0 (<< 2.3.0~), +Description: DNS zone-parsing library from Knot + Knot DNS is a fast, authoritative only, high performance, feature + full and open source name server. + . + Knot DNS is developed by CZ.NIC Labs, the R&D department of .CZ + registry and hence is well suited to run anything from the root + zone, the top-level domain, to many smaller standard domain names. + . + This package provides a fast zone parser shared library used by Knot + DNS and Knot Resolver. + +Package: libdnssec6 +Architecture: any +Multi-Arch: same +Depends: + ${misc:Depends}, + ${shlibs:Depends}, +Section: libs +Replaces: + knot-libs (<< 2.0.1-4), + libdnssec4 (<< 2.6.1-1~), +Breaks: + knot-libs (<< 2.0.1-4), + libdnssec4 (<< 2.6.1-1~), +Description: DNSSEC shared library from Knot + Knot DNS is a fast, authoritative only, high performance, feature + full and open source name server. + . 
+ Knot DNS is developed by CZ.NIC Labs, the R&D department of .CZ + registry and hence is well suited to run anything from the root + zone, the top-level domain, to many smaller standard domain names. + . + This package provides common DNSSEC shared library used by Knot DNS + and Knot Resolver. + +Package: libknot-dev +Architecture: any +Multi-Arch: same +Depends: + libdnssec6 (= ${binary:Version}), + libgnutls28-dev, + libknot8 (= ${binary:Version}), + libzscanner2 (= ${binary:Version}), + ${misc:Depends}, + ${shlibs:Depends}, +Section: libdevel +Replaces: + knot-libs (<< 2.0.1-4), +Breaks: + knot-libs (<< 2.0.1-4), +Description: Knot DNS shared library development files + Knot DNS is a fast, authoritative only, high performance, feature + full and open source name server. + . + Knot DNS is developed by CZ.NIC Labs, the R&D department of .CZ + registry and hence is well suited to run anything from the root + zone, the top-level domain, to many smaller standard domain names. + . + This package provides development files for internal common shared + libraries. + +Package: knot-dnsutils +Architecture: any +Depends: + libdnssec6 (= ${binary:Version}), + libknot8 (= ${binary:Version}), + libzscanner2 (= ${binary:Version}), + ${misc:Depends}, + ${shlibs:Depends}, +Description: Clients provided with Knot DNS (kdig, knslookup, knsupdate) + Knot DNS is a fast, authoritative only, high performance, feature + full and open source name server. + . + Knot DNS is developed by CZ.NIC Labs, the R&D department of .CZ + registry and hence is well suited to run anything from the root + zone, the top-level domain, to many smaller standard domain names. + . + This package delivers various client programs related to DNS that are + derived from the Knot DNS source tree. + . + - kdig - query the DNS in various ways + - knsupdate - perform dynamic updates (See RFC2136) + . 
+ Those clients were designed to be 1:1 compatible with BIND dnsutils, + but they provide some enhancements, which are documented in respective + manpages. + . + WARNING: knslookup is not provided as it is considered obsolete. + +Package: knot-host +Architecture: any +Depends: + libdnssec6 (= ${binary:Version}), + libknot8 (= ${binary:Version}), + libzscanner2 (= ${binary:Version}), + ${misc:Depends}, + ${shlibs:Depends}, +Description: Version of 'host' bundled with Knot DNS + Knot DNS is a fast, authoritative only, high performance, feature + full and open source name server. + . + Knot DNS is developed by CZ.NIC Labs, the R&D department of .CZ + registry and hence is well suited to run anything from the root + zone, the top-level domain, to many smaller standard domain names. + . + This package provides the 'host' program in the form that is bundled + with the Knot DNS. The 'host' command is designed to be 1:1 + compatible with BIND 9.x 'host' program. + +Package: knot-doc +Architecture: all +Multi-Arch: foreign +Depends: + libjs-jquery, + libjs-underscore, + ${misc:Depends}, +Section: doc +Description: Documentation for Knot DNS + Knot DNS is a fast, authoritative only, high performance, feature + full and open source name server. + . + Knot DNS is developed by CZ.NIC Labs, the R&D department of .CZ + registry and hence is well suited to run anything from the root + zone, the top-level domain, to many smaller standard domain names. + . + This package provides various documents that are useful for + maintaining a working Knot DNS installation. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..f96f58e --- /dev/null +++ b/debian/copyright 
@@ -0,0 +1,83 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: Knot DNS +Upstream-Contact: knot-dns@labs.nic.cz +Source: https://secure.nic.cz/files/knot-dns/ + +Files: * +Copyright: 2011-2012 CZ.NIC, z.s.p.o. +License: GPL-3+ with OpenSSL exception + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + . + In addition, as a special exception, the author of this program gives + permission to link the code of its release with the OpenSSL project's + "OpenSSL" library (or with modified versions of it that use the same + license as the "OpenSSL" library), and distribute the linked + executables. You must obey the GNU General Public License in all + respects for all of the code used other than "OpenSSL". If you + modify this file, you may extend this exception to your version of + the file, but you are not obligated to do so. If you do not wish to + do so, delete this exception statement from your version. + . + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program. If not, see . + . + On Debian systems, the full text of the GNU General Public License + version 3 can be found in the file `/usr/share/common-licenses/GPL-3'. 
+ +Files: tests/tap/* +Copyright: 2000-2001, 2004, 2006-2011 Russ Allbery +License: Expat + +Files: src/contrib/ucw/lists.c +Copyright: 1998 Martin Mares +License: GPL-3+ + +Files: debian/* +Copyright: 2011 Ondřej Surý +License: GPL-3+ + +License: Expat + Permission is hereby granted, free of charge, to any person obtaining + a copy of this software and associated documentation files (the + "Software"), to deal in the Software without restriction, including + without limitation the rights to use, copy, modify, merge, publish, + distribute, sublicense, and/or sell copies of the Software, and to + permit persons to whom the Software is furnished to do so, subject to + the following conditions: + . + The above copyright notice and this permission notice shall be + included in all copies or substantial portions of the Software. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS + BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN + ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + SOFTWARE. + +License: GPL-3+ + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + . + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program. If not, see . + . 
+ On Debian systems, the full text of the GNU General Public License
+ version 3 can be found in the file `/usr/share/common-licenses/GPL-3'.
diff --git a/debian/docs b/debian/docs
new file mode 100644
index 0000000..e845566
--- /dev/null
+++ b/debian/docs
@@ -0,0 +1 @@
+README
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..71bf28a
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,28 @@
+[DEFAULT]
+debian-branch = debian/master
+pristine-tar = True
+upstream-vcs-tag = v%(version)s
+
+[dch]
+meta = 1
+
+[import-orig]
+filter = [
+ 'configure',
+ '*/Makefile.in',
+ '*/*/Makefile.in',
+ '*/*/*/Makefile.in',
+ 'install-sh',
+ 'ltmain.sh',
+ 'm4/libtool.m4',
+ '*/*/version.h',
+ 'src/dnssec/lib/dnssec/version.h',
+ 'INSTALL',
+ 'aclocal.m4',
+ 'ar-lib',
+ 'depcomp',
+ 'compile',
+ 'missing',
+ 'test-driver',
+ ]
+filter-pristine-tar = False
diff --git a/debian/get_kaspdb b/debian/get_kaspdb
new file mode 100755
index 0000000..5562c1d
--- /dev/null
+++ b/debian/get_kaspdb
@@ -0,0 +1,59 @@
+#!/usr/bin/python3
+
+import yaml, os.path, sys
+
+conf_file = '/etc/knot/knot.conf' if len(sys.argv) < 2 else sys.argv[1]
+ip_fields = ['listen', 'address', 'via', 'whitelist', 'network']
+
+try:
+ conf = yaml.load(open(conf_file, 'r'))
+except (yaml.scanner.ScannerError, yaml.parser.ParserError):
+ conf = False
+
+if not conf:
+ import io
+ conf_io = io.StringIO()
+ with open(conf_file) as f:
+ for line in f:
+ if line.split(':')[0].strip() not in ip_fields:
+ conf_io.write(line)
+ conf_io.seek(0)
+ try:
+ conf = yaml.load(conf_io)
+ except (yaml.scanner.ScannerError, yaml.parser.ParserError):
+ sys.exit(1)
+
+dirs = set()
+# if we have valid yaml use it
+if "template" in conf and conf["template"]:
+
+ for template in conf["template"]:
+ if "kasp-db" in template:
+ kasp_db = template["kasp-db"]
+ else:
+ continue
+
+ if not os.path.isabs(kasp_db):
+ if "storage" in template:
+ kasp_db = os.path.join(template["storage"], kasp_db)
+ else:
+ continue
+ dirs.add(kasp_db)
+
+if "zone" in conf and conf["zone"]:
+
+ for domain in conf["zone"]:
+ if "kasp-db" in domain:
+ kasp_db = domain["kasp-db"]
+ else:
+ continue
+
+ if not os.path.isabs(kasp_db):
+ if "storage" in kaspdomain:
+ kasp_db = os.path.join(domain["storage"], kasp_db)
+ else:
+ continue
+ dirs.add(kasp_db)
+
+for dir in dirs:
+ print(dir)
diff --git a/debian/get_user b/debian/get_user
new file mode 100755
index 0000000..1e0f258
--- /dev/null
+++ b/debian/get_user
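Review bot: The zone loop's relative-path branch tests `if "storage" in kaspdomain:`, but the script never defines `kaspdomain` (the loop variable is `domain`), so a zone with a relative `kasp-db` raises NameError instead of being joined with its storage directory; the line should read `if "storage" in domain:`. Both parse attempts also call `yaml.load(...)` without a Loader: older PyYAML then uses a loader that can construct arbitrary Python objects from tagged nodes in knot.conf, and PyYAML 6 rejects the call with a TypeError that the `except` clause does not catch. `conf = yaml.safe_load(f)` inside `with open(conf_file) as f:` covers both cases and closes the file handle. The same two `yaml.load` calls appear in debian/get_user.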
@@ -0,0 +1,28 @@
+#!/usr/bin/python3
+
+import yaml, sys
+
+conf_file = '/etc/knot/knot.conf' if len(sys.argv) < 2 else sys.argv[1]
+ip_fields = ['listen', 'address', 'via', 'whitelist', 'network']
+
+try:
+ conf = yaml.load(open(conf_file, 'r'))
+except (yaml.scanner.ScannerError, yaml.parser.ParserError):
+ conf = False
+
+if not conf:
+ import io
+ conf_io = io.StringIO()
+ with open(conf_file) as f:
+ for line in f:
+ if line.split(':')[0].strip() not in ip_fields:
+ conf_io.write(line)
+ conf_io.seek(0)
+ try:
+ conf = yaml.load(conf_io)
+ except (yaml.scanner.ScannerError, yaml.parser.ParserError):
+ sys.exit(1)
+
+if "server" in conf and conf["server"]:
+ if "user" in conf["server"] and conf["server"]["user"]:
+ print(conf["server"]["user"].split(":")[0].split(".")[0])
diff --git a/debian/kasp_json2lmdb b/debian/kasp_json2lmdb
new file mode 100755
index 0000000..f6aa785
--- /dev/null
+++ b/debian/kasp_json2lmdb
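Review bot: After the retry, `conf` can still be `None` (an empty or comment-only file parses to nothing), and `if "server" in conf` then raises TypeError rather than exiting cleanly; a guard such as `if not isinstance(conf, dict): sys.exit(1)` before the lookup would make the failure explicit, and the `"template" in conf` test in debian/get_kaspdb has the same gap. The final `print(...)` also assumes `user` is a string, so a value YAML loads as an integer fails on `.split`. Because the printed name is presumably consumed by the packaging scripts (not visible in this hunk), converting with `str(...)` and rejecting an empty result before printing would be safer. A short comment explaining why lines keyed by `ip_fields` are dropped before the second parse would help the next maintainer.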
@@ -0,0 +1,458 @@ +#!/usr/bin/env python3 +# vim: et ts=4 sw=4 sts=4 +# +# import from obsolete JSON KASP to LMDB-beckended KASP database. +# + +from __future__ import print_function + +import datetime +import time +import json +import sys +import re +import glob +import argparse +import time +import traceback +import os +import hashlib +import importlib +import codecs + +opt_force = False +lmdb = None + +def lmdb_requirement(): + global lmdb + + try: + lmdb = importlib.import_module('lmdb') + except ImportError: + print("Error: unable to import module LMDB.") + print("Probably you need to 'apt install python3-lmdb'.") + sys.exit(10) + +# workarounding that python 2 doesn't have int.to_bytes() +def to_bytes(n, length, endianness='big'): + h = '%x' % n + assert len(h) <= length * 2 + s = ('0'*(len(h) % 2) + h).zfill(length * 2) + if sys.version_info >= (3,0): + sb = codecs.decode(s, 'hex') + else: + sb = s.decode('hex') + return bytearray(sb) if endianness == 'big' else bytearray(sb[::-1]) + +def from_bytes(ba, endianness='big'): + x = ba if endianness == 'big' else bytearray(s[::-1]) + if sys.version_info >= (3,0): + hx = codecs.encode(x, 'hex') + else: + hx = str(x).encode('hex') + return int(hx, 16) + +# aka knot_dname_from_str_alloc() +def str2dname(s): + if s.endswith('.') is False: + s += '.' + res = bytearray(b"") + nodes = s.lower().split('.') + if nodes[-1] != "": + nodes.append("") + + for node in nodes: + res.append(len(node)) + res.extend(bytearray(node.lower(), 'ascii')) + + return res + +def dname2str(dn): + res = "" + beg = 0 + end = ord(dn[0]) + 1 + while ord(dn[beg]) > 0: + res += str(dn[beg+1:end]) + "." 
+ beg = end + end = beg + ord(dn[beg]) + 1 + + return res + +# this is just helper for shuffling time +def shuffle_unixtime(base_time, shuffle_years, shuffle_months): + rsm = shuffle_months + 12 * shuffle_years + dt = datetime.datetime.fromtimestamp(base_time) + newmonth = (dt.month - 1 + rsm) % 12 + 1 # in python, % always returns [0, 11] + sameyear = dt.month + rsm % 12 + newyear = dt.year + rsm // 12 + (0 if sameyear in range(1, 13) else 1) # in python, (-1)//12 = -1 + dt2 = dt.replace(month=newmonth, year=newyear) + print(dt2.month, "/", dt2.year) + ttuple = dt2.timetuple() + return int(time.mktime(ttuple)) + +def timespec2unix(spec): + if re.match(r"^\d+$", spec): + return int(spec) + + now = int(time.time()) + s = re.sub(r"^now", "t", spec) + if s == "t": + return now + + unitmap = { "" : 1, "mi" : 60, "h" : 3600, "d" : 86400 } + unitmap_mo = { "mo" : 1, "y" : 12 } + + if re.match(r"^t[-+]\d+", s): + unit = re.sub(r"^t[-+]\d+", "", s) + cutend = len(s) if unit == "" else -len(unit) + if unit in list(unitmap.keys()): + return now + int(s[1:cutend]) * unitmap[unit] + elif unit in list(unitmap_mo.keys()): + return shuffle_unixtime(now, 0, int(s[1:cutend]) * unitmap_mo[unit]) + else: + print("Error in time unit specification") + + print("Error in time specification") + +class Keykey: + '''Kasp DB key serialized (type, zone_name, key_id)''' + + def __init__(self, raw_bytearray): + self.raw = bytearray(raw_bytearray) + + @classmethod + def from_params(self, valtype, zone_name, key_id): + selfraw = to_bytes(valtype, 1) + if zone_name is not None: + selfraw.extend(zone_name) + if key_id is not None: + selfraw.extend(bytearray(key_id.encode("ascii"))) + selfraw.append(0) + return Keykey(selfraw) + + def getRaw(self): + return bytearray(self.raw) + + def getType(self): + return self.raw[0] + + def __getSplit(self): + x = self.raw.find(to_bytes(0, 1)) + assert x > 0 + return x + 1 + + def getZone(self): + if self.getType() == 2: + return None + return 
str(self.raw[1:self.__getSplit()]) + + def getKeyid(self): + if self.getType() != 1: + return None + return str(self.raw[self.__getSplit():]) + +class Keyparams: + '''Serialized key parameters for kasp-db.''' + + def __init__(self, raw_bytearray): + self.raw = bytearray(raw_bytearray) + self.timers_dict = { "created" : [ 0, 20, 28 ], + "publish" : [ 1, 28, 36 ], + "ready" : [ 2, 36, 44 ], + "active" : [ 3, 44, 52 ], + "retire" : [ 4, 52, 60 ], + "remove" : [ 5, 60, 68 ] } + + @classmethod + def from_params(self, pubkey, keytag, algorithm, isksk, timers): + assert len(timers) == 6 + if sys.version_info >= (3,0): + pk = codecs.decode(bytearray(pubkey, 'ascii'), "base64") + else: + pk = pubkey.decode("base64") + selfraw = to_bytes(len(pk), 8) + selfraw.extend(to_bytes(0, 8)) # zero length of unused-future + selfraw.extend(to_bytes(int(keytag), 2)) + selfraw.extend(to_bytes(int(algorithm), 1)) + selfraw.extend(to_bytes((1 if isksk else 0), 1)) + for t in timers: + if t < 0: + print("keytag=%i timers=(%i, %i, %i, %i, %i, %i)" % (keytag, + timers[0], timers[1], timers[2], timers[3], timers[4], timers[5])) + assert False + selfraw.extend(to_bytes(t, 8)) + selfraw.extend(pk) + return Keyparams(selfraw) + + def _check(self): + assert len(self.raw) >= 16 + pkl = from_bytes(self.raw[0:8]) + ufl = from_bytes(self.raw[8:16]) + assert len(self.raw) == 68 + pkl + ufl + assert self.raw[19] < 2 + + def getRaw(self): + self._check() + return bytearray(self.raw) + + def getAlgorithm(self): + self._check() + return int(self.raw[18]) + + def setAlgorithm(self, algorithm): + self._check() + self.raw[18] = to_bytes(algorithm, 1)[0] + + def isKSK(self): + self._check() + return 1 if self.raw[19] != 0 else 0 + + def setKSK(self, isksk): + self._check() + self.raw[11] = (b"\01" if isksk else b"\00")[0] + + def getKeytag(self): + self._check() + return from_bytes(self.raw[16:18]) + + def setKeytag(self, keytag): + self._check() + self.raw[16:18] = to_bytes(keytag, 2) + + def getTimers(self): 
+ self._check() + res = [ 0, 0, 0, 0, 0, 0 ] + for i, x, y in list(self.timers_dict.values()): + res[i] = from_bytes(self.raw[x:y]) + return res + + def getTimersString(self): + self._check() + res = "[" + for ti in list(self.timers_dict.keys()): + _, x, y = self.timers_dict[ti]; + res += (" " if res == "[" else ", ") + ti + ": " + str(from_bytes(self.raw[x:y])) + return res + " ]" + + def setTimers(self, timers): + self._check() + assert len(timers) == 5 + for i, x, y in list(self.timers_dict.values()): + self.raw[x:y] = to_bytes(timers[i], 8) + + def getPubKey(self): + self._check() + pkl = from_bytes(self.raw[0:8]) + return self.raw[68:68+pkl].encode("base64") + + def getParams(self): + return [ self.getPubKey(), self.getKeytag(), self.getAlgorithm(), + self.isKSK(), self.getTimers() ]; + + def setByParamName(self, param_name, new_val): + if param_name == "algorithm": + self.setAlgorithm(int(new_val)) + elif param_name == "isksk": + if new_val in ("1", "True", "true", "on", "yes", "Yes"): + self.setKSK(True) + elif new_val in ("0", "False", "false", "off", "no", "No"): + self.setKSK(False) + else: + print("Error: bad true/false value", new_val) + elif param_name == "keytag": + self.setKeytag(int(new_val)) + elif param_name in list(self.timers_dict.keys()): + _, x, y = self.timers_dict[param_name] + self.raw[x:y] = to_bytes(timespec2unix(new_val), 8) + else: + print("Error: bad parameter", param_name) + + def computeDS(self, zone_str, digestalg): + ds_raw = bytearray(str2dname(zone_str)) + ds_raw.extend(to_bytes(257 if self.isKSK() else 256, 2)) + ds_raw.extend(b"\x03") # protocol is always == 3 + ds_raw.extend(self.raw[18:19]) # algorithm + pkl = from_bytes(self.raw[0:8]) + ds_raw.extend(self.raw[68:68+pkl]) # pubkey + if digestalg == "sha1": + ds_hash = hashlib.sha1(ds_raw).hexdigest() + algno = " 1 " + elif digestalg == "sha256": + ds_hash = hashlib.sha256(ds_raw).hexdigest() + algno = " 2 " + elif digestalg == "sha384": + ds_hash = 
hashlib.sha384(ds_raw).hexdigest() + algno = " 4 " + else: + print("Error: bad DS digest algorith", ds_hash) + return + return zone_str + ' DS ' + str(self.getKeytag()) + ' ' + str(self.getAlgorithm()) + algno + ds_hash + + def isPublished(self, moment): + tmrs = self.getTimers() + if tmrs[self.timers_dict["publish"][0]] <= moment: + if moment < tmrs[self.timers_dict["remove"][0]]: + return True + return False + + def isReady(self, moment): + tmrs = self.getTimers() + if tmrs[self.timers_dict["ready"][0]] <= moment: + if moment < tmrs[self.timers_dict["ready"][0]]: + return True + return False + + def isActive(self, moment): + tmrs = self.getTimers() + if tmrs[self.timers_dict["active"][0]] <= moment: + if moment < tmrs[self.timers_dict["retire"][0]]: + return True + return False + + def isRetired(self, moment): + tmrs = self.getTimers() + if tmrs[self.timers_dict["retire"][0]] <= moment: + return True + return False + + def isRemoved(self, moment): + tmrs = self.getTimers() + if tmrs[self.timers_dict["remove"][0]] <= moment: + return True + return False + +# static: just for use in following method +def arr_ind2unix(arr, ind, defaul): + try: + ttuple = datetime.datetime.strptime(arr[ind], "%Y-%m-%dT%H:%M:%S+0000").timetuple() + res = int(time.mktime(ttuple)) + return res if res >= 0 else 0 + except KeyError: + return defaul + +def import_nsec3salt(keys, env, db_keys, zname): + try: + with lmdb.Transaction(env, db_keys, write=True) as txn_keys: + dbk1 = Keykey.from_params(3, zname, None).getRaw() + dbv1 = keys["nsec3_salt"] + if dbv1 is None: + return + if sys.version_info >= (3,0): + dbv1d = codecs.decode(bytearray(dbv1, 'ascii'), "base64") + else: + dbv1d = dbv1.decode("base64") + txn_keys.put(dbk1, dbv1d, dupdata=False, overwrite=True) + + dbk2 = Keykey.from_params(4, zname, None).getRaw() + dbv2 = to_bytes(arr_ind2unix(keys, "nsec3_salt_created", 0), 8) + txn_keys.put(dbk2, dbv2, dupdata=False, overwrite=True) + except (KeyError, AttributeError): + pass # 
nsec3salt not configured or set to null, no problem + +# import single JSON zone config into open LMDB env +def import_file(fname, env, db_keys): + try: + with open(fname) as f: + keys = json.load(f) + + except ValueError: + print("Warning: not imported ", fname) + return False + + try: + zname_str = re.sub(r'^zone_', '', re.sub(r'\.json$', '', re.sub(r'.*/', '', fname))) + print("Importing zone", zname_str) + zname = str2dname(zname_str) + import_nsec3salt(keys, env, db_keys, zname) + + import_now = int(time.time()) + + for key in keys["keys"]: + dbk3 = Keykey.from_params(1, zname, key["id"]).getRaw() + + infty = 0x00ffffffffffff00 # time infinity, this is year 142'715'360 + + dbv3 = Keyparams.from_params(key["public_key"], key["keytag"], + key["algorithm"], key["ksk"], [ + arr_ind2unix(key, "created", 0), + arr_ind2unix(key, "publish", 0), + arr_ind2unix(key, "active", 0), # taking active for ready + arr_ind2unix(key, "active", 0), + arr_ind2unix(key, "retire", infty), + arr_ind2unix(key, "remove", infty) + ]) + + if dbv3.isRemoved(import_now): + continue + + with lmdb.Transaction(env, db_keys, write=True) as txn_keys: + txn_keys.put(dbk3, dbv3.getRaw(), dupdata=False, overwrite=True) + + except (KeyError, KeyboardInterrupt, TypeError): + print("Warning: not imported ", fname) + return False + + return True + +def import_dir(dirname): + print("Importing json key config in", dirname) + if os.path.isfile(dirname + "/data.mdb"): + print("Warning: LMDB key configuration in", dirname, "already exists.") + if opt_force: + print("...deleting it.") + os.remove(dirname + "/data.mdb") + os.remove(dirname + "/lock.mdb") + else: + print("If you want to delete it and import again, use 'force' option.") + return False + + env = lmdb.open(dirname, max_dbs=2, map_size=500*1024*1024) + db_keys = env.open_db(b"keys_db") + something_imported = False + for json_file in glob.glob(dirname + "/*.json"): + something_imported = import_file(json_file, env, db_keys) or something_imported + 
+ if not something_imported: + print("Warning: nothing imported in", dirname) + +class VersionAction(argparse.Action): + def __init__(self, option_strings, version=None, dest=argparse.SUPPRESS, + default=argparse.SUPPRESS, help="show program's version number and exit"): + super(VersionAction, self).__init__(option_strings=option_strings, dest=dest, + default=default, nargs=0, help=help) + self.version = version + + def __call__(self, parser, namespace, values, option_string=None): + version = self.version + if version is None: + version = parser.version + formatter = parser._get_formatter() + formatter.add_text(version) + sys.stdout.write(formatter.format_help()) + sys.exit(0) + +def main(): + global opt_force + parser = argparse.ArgumentParser(description="Knot DNSSEC KASP converter (JSON to LMDB)", + formatter_class=argparse.RawTextHelpFormatter) + parser.add_argument("-i", "--import", action="append", nargs="?", dest="importdir", + help='''Import zone-key configuration from JSON. +Syntax: -i +(You can import multiple key_dirs at once by repeating this option.)''') + parser.add_argument("-f", "--force", action="store_true", dest="force", help="Do stuff even if dangerous.") + parser.add_argument("-V", "--version", action=VersionAction, version="knot KASP legacy JSON importer (debian support for Knot DNS), version 2.7.1") + args = parser.parse_args() + opt_force = args.force + + if args.importdir is not None: + lmdb_requirement() + if isinstance(args.importdir, (list, tuple)): + importdir = args.importdir + else: + importdir = [args.importdir] + + for dirn in importdir: + import_dir(dirn) + +if __name__ == "__main__": + main() diff --git a/debian/knot-dnsutils.NEWS b/debian/knot-dnsutils.NEWS new file mode 100644 index 0000000..20045dc --- /dev/null +++ b/debian/knot-dnsutils.NEWS 
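Review bot: `arr_ind2unix` parses timestamps whose format string ends in a literal `+0000` (UTC) but converts them with `time.mktime`, which interprets the tuple as local time, so every imported key timer is shifted by the host's UTC offset on machines not running in UTC; with `import calendar` added, `res = calendar.timegm(ttuple)` gives the UTC value. These timers decide when a key counts as published, active or removed, and `import_file` already skips keys based on `isRemoved(import_now)`, so the shift can change what gets imported. Several helpers outside the import path are also broken as written: `from_bytes` reads an undefined `s` for little-endian input, `setKSK` writes `self.raw[11]` while `isKSK` and `_check` use `self.raw[19]`, `setTimers` asserts five timers where `timers_dict` has six, and `isReady` compares the "ready" timer against itself.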
@@ -0,0 +1,6 @@
+knot (2.5.4-2) unstable; urgency=medium
+
+ The compatibility links with dig and nsupdate has been dropped
+ in favour of coinstallability with dnsutils (from BIND9).
+
+ -- Ondřej Surý Mon, 18 Sep 2017 07:07:49 +0200
diff --git a/debian/knot-dnsutils.install b/debian/knot-dnsutils.install
new file mode 100644
index 0000000..960fa92
--- /dev/null
+++ b/debian/knot-dnsutils.install
@@ -0,0 +1,2 @@
+usr/bin/kdig
+usr/bin/knsupdate
diff --git a/debian/knot-dnsutils.manpages b/debian/knot-dnsutils.manpages
new file mode 100644
index 0000000..3cc29ec
--- /dev/null
+++ b/debian/knot-dnsutils.manpages
@@ -0,0 +1,2 @@
+usr/share/man/man1/kdig.1
+usr/share/man/man1/knsupdate.1
diff --git a/debian/knot-doc.doc-base b/debian/knot-doc.doc-base
new file mode 100644
index 0000000..c137e28
--- /dev/null
+++ b/debian/knot-doc.doc-base
@@ -0,0 +1,20 @@
+Document: knot
+Title: Documentation for the Knot authoritative DNS server
+Author: Knot DNS authors at CZ.NIC Labs (https://www.knot-dns.cz)
+Abstract: Knot DNS is a high-performance open-source authoritative DNS server
+Section: Network/Communication
+
+Format: HTML
+Index: /usr/share/doc/knot-doc/index.html
+Files: /usr/share/doc/knot-doc
+
+Format: PDF
+Files: /usr/share/doc/knot-doc/knot.pdf.gz
+
+Format: Info
+Files: /usr/share/info/knot.info.gz
+Index: /usr/share/info/knot.info.gz
+
+Format: Text
+Index: /usr/share/doc/knot-doc/_sources/index.rst.txt
+Files: /usr/share/doc/knot-doc/_sources/
diff --git a/debian/knot-doc.install b/debian/knot-doc.install
new file mode 100644
index 0000000..c19da52
--- /dev/null
+++ b/debian/knot-doc.install
@@ -0,0 +1,2 @@
+usr/share/doc/knot/* /usr/share/doc/knot-doc/
+usr/share/info
diff --git a/debian/knot-doc.links b/debian/knot-doc.links
new file mode 100644
index 0000000..3949022
--- /dev/null
+++ b/debian/knot-doc.links
@@ -0,0 +1,2 @@
+usr/share/javascript/jquery/jquery.min.js usr/share/doc/knot-doc/_static/jquery.js
+usr/share/javascript/underscore/underscore.min.js usr/share/doc/knot-doc/_static/underscore.js
diff --git a/debian/knot-host.NEWS b/debian/knot-host.NEWS
new file mode 100644
index 0000000..20045dc
--- /dev/null
+++ b/debian/knot-host.NEWS
@@ -0,0 +1,6 @@
+knot (2.5.4-2) unstable; urgency=medium
+
+ The compatibility links with dig and nsupdate has been dropped
+ in favour of coinstallability with dnsutils (from BIND9).
+
+ -- Ondřej Surý Mon, 18 Sep 2017 07:07:49 +0200
diff --git a/debian/knot-host.install b/debian/knot-host.install
new file mode 100644
index 0000000..51bacf0
--- /dev/null
+++ b/debian/knot-host.install
@@ -0,0 +1 @@
+usr/bin/khost
diff --git a/debian/knot-host.manpages b/debian/knot-host.manpages
new file mode 100644
index 0000000..4891e2c
--- /dev/null
+++ b/debian/knot-host.manpages
@@ -0,0 +1 @@
+usr/share/man/man1/khost.1
diff --git a/debian/knot.NEWS b/debian/knot.NEWS
new file mode 100644
index 0000000..fa22ec4
--- /dev/null
+++ b/debian/knot.NEWS
@@ -0,0 +1,12 @@
+knot (2.0.0-1) unstable; urgency=medium
+
+ The configuration file format has changed with Knot DNS 2.0 release.
+ The knot1to2 conversion tools has been provided for your convenience
+ and the package will automatically save the existing configuration
+ file to /var/backups/knot/ directory and convert the
+ configuration file into the new format. The Knot DNS team worked
+ hard to make this transition as smooth as possible, but you are
+ strongly advised to check the results if everything went as
+ expected.
+
+ -- Ondřej Surý Mon, 29 Jun 2015 10:36:08 +0200
diff --git a/debian/knot.default b/debian/knot.default
new file mode 100644
index 0000000..12d6cc5
--- /dev/null
+++ b/debian/knot.default
@@ -0,0 +1 @@
+KNOTD_ARGS=""
diff --git a/debian/knot.dirs b/debian/knot.dirs
new file mode 100644
index 0000000..6e937aa
--- /dev/null
+++ b/debian/knot.dirs
@@ -0,0 +1 @@
+var/lib/knot
diff --git a/debian/knot.init b/debian/knot.init
new file mode 100644
index 0000000..ec6e3f5
--- /dev/null
+++ b/debian/knot.init
@@ -0,0 +1,168 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: knot
+# Required-Start: $network $local_fs $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: authoritative domain name server
+# Description: Knot DNS is a authoritative-only domain name server
+### END INIT INFO
+
+# Author: Ondřej Surý
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+DESC="Knot DNS server" # Introduce a short description here
+NAME=knotd # Introduce the short server's name here
+DAEMON=/usr/sbin/$NAME # Introduce the server's location here
+PIDFILE=/run/knot/knot.pid
+SCRIPTNAME=/etc/init.d/knot
+KNOTC=/usr/sbin/knotc
+
+# Exit if the package is not installed
+[ -x $DAEMON ] || exit 0
+
+KNOTD_ARGS="-c /etc/knot/knot.conf"
+
+# Read configuration variable file if it is present
+[ -r /etc/default/knot ] && . /etc/default/knot
+
+DAEMON_ARGS="-d $KNOTD_ARGS"
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+ # Return
+ # 0 if daemon has been started
+ # 1 if daemon was already running
+ # 2 if daemon could not be started
+
+ $KNOTC status >/dev/null 2>/dev/null \
+ && return 1
+
+ start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
+ || return 1
+ start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
+ $DAEMON_ARGS \
+ || return 2
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+ # Return
+ # 0 if daemon has been stopped
+ # 1 if daemon was already stopped
+ # 2 if daemon could not be stopped
+ # other if a failure occurred
+
+ $KNOTC status >/dev/null 2>/dev/null \
+ || return 1
+
+ $KNOTC stop >/dev/null
+ RETVAL="$?"
+ [ $? = 1 ] && return 2
+
+ # Many daemons don't delete their pidfiles when they exit.
+ rm -f $PIDFILE
+ return 0
+}
+
+do_reload() {
+ $KNOTC reload >/dev/null
+ return $?
+}
+
+do_tmpfiles() {
+ local type path mode user group age argument
+ if [ -r "$1" ]; then
+ if [ -x /bin/systemd-tmpfiles ]; then
+ /bin/systemd-tmpfiles --create "$1"
+ else
+ while read type path mode user group age argument; do
+ case "$type" in
+ d)
+ mkdir -p "$path";
+ chmod "$mode" "$path";
+ chown "$user:$group" "$path";
+ ;;
+ \#*)
+ ;;
+ *)
+ log_warning_msg "tmpfile.d type '$type' is not supported yet"
+ ;;
+ esac
+ done < "$1"
+ fi
+ else
+ log_warning_msg "tmpfiles.d file '$1' doesn't exist or is not readable"
+ fi
+}
+
+case "$1" in
+ start)
+ do_tmpfiles /usr/lib/tmpfiles.d/knot.conf
+ log_daemon_msg "Starting $DESC " "$NAME"
+ do_start
+ case "$?" in
+ 0|1) log_end_msg 0 ;;
+ 2) log_end_msg 1 ;;
+ esac
+ ;;
+ stop)
+ log_daemon_msg "Stopping $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1) log_end_msg 0 ;;
+ 2) log_end_msg 1 ;;
+ esac
+ ;;
+ status)
+ STATUS=$($KNOTC status 2>&1 >/dev/null)
+ RETVAL=$?
+ if [ $RETVAL = 0 ]; then
+ log_success_msg "$NAME is running"
+ else
+ log_failure_msg "$NAME is not running ($STATUS)"
+ fi
+ exit $RETVAL
+ ;;
+ reload|force-reload)
+ log_daemon_msg "Reloading $DESC" "$NAME"
+ do_reload
+ log_end_msg $?
+ ;;
+ restart)
+ log_daemon_msg "Restarting $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1)
+ do_start
+ case "$?" in
+ 0) log_end_msg 0 ;;
+ 1) log_end_msg 1 ;; # Old process is still running
+ *) log_end_msg 1 ;; # Failed to start
+ esac
+ ;;
+ *)
+ # Failed to stop
+ log_end_msg 1
+ ;;
+ esac
+ ;;
+ *)
+ echo "Usage: $SCRIPTNAME {start|stop|status|restart|reload|force-reload}" >&2
+ exit 3
+ ;;
+esac
+
+:
diff --git a/debian/knot.install b/debian/knot.install
new file mode 100644
index 0000000..57c6815
--- /dev/null
+++ b/debian/knot.install
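Review bot: In `do_stop`, the test `[ $? = 1 ] && return 2` runs after `RETVAL="$?"`, so `$?` at that point is the status of the assignment (0) and a failed `knotc stop` is never detected; the function goes on to remove the pidfile and return 0 while the daemon may still be running. Test the saved value instead, `[ "$RETVAL" = 0 ] || return 2`, so that the `stop` and `restart` branches report the failure through `log_end_msg 1`. `$DAEMON` and `$PIDFILE` are also expanded unquoted throughout `do_start` and `do_stop`; quoting them costs nothing.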
@@ -0,0 +1,11 @@
+debian/get_kaspdb usr/lib/knot/
+debian/get_user usr/lib/knot/
+debian/kasp_json2lmdb usr/lib/knot/
+debian/ufw/knot etc/ufw/applications.d/
+etc/knot/knot.conf
+usr/bin/knsec3hash
+usr/bin/kzonecheck
+usr/sbin/keymgr
+usr/sbin/kjournalprint
+usr/sbin/knotc
+usr/sbin/knotd
diff --git a/debian/knot.lintian-overrides b/debian/knot.lintian-overrides
new file mode 100644
index 0000000..5ac0537
--- /dev/null
+++ b/debian/knot.lintian-overrides
@@ -0,0 +1,5 @@
+# knot currently requires that the MODULE_DIR exists, even if it
+# is empty:
+# https://gitlab.labs.nic.cz/knot/knot-dns/issues/567
+# https://bugs.debian.org/891319
+knot: package-contains-empty-directory usr/lib/*/knot/
diff --git a/debian/knot.maintscript b/debian/knot.maintscript
new file mode 100644
index 0000000..42bc330
--- /dev/null
+++ b/debian/knot.maintscript
@@ -0,0 +1 @@
+rm_conffile /etc/init/knot.conf 2.0.0-1~
diff --git a/debian/knot.manpages b/debian/knot.manpages
new file mode 100644
index 0000000..bb40303
--- /dev/null
+++ b/debian/knot.manpages
@@ -0,0 +1,7 @@
+usr/share/man/man1/knsec3hash.1
+usr/share/man/man1/kzonecheck.1
+usr/share/man/man5/knot.conf.5
+usr/share/man/man8/keymgr.8
+usr/share/man/man8/kjournalprint.8
+usr/share/man/man8/knotc.8
+usr/share/man/man8/knotd.8
diff --git a/debian/knot.postinst b/debian/knot.postinst
new file mode 100644
index 0000000..7a69d85
--- /dev/null
+++ b/debian/knot.postinst
@@ -0,0 +1,26 @@
+#!/bin/sh
+set -e
+
+if [ "$1" = "configure" ]; then
+ if ! getent passwd knot > /dev/null; then
+ adduser --quiet --system --group --no-create-home --home /var/lib/knot knot
+ fi
+
+ dpkg-statoverride --list /var/lib/knot > /dev/null || dpkg-statoverride --update --add knot knot 0755 /var/lib/knot
+ dpkg-statoverride --list /etc/knot/knot.conf > /dev/null || dpkg-statoverride --update --add knot knot 0640 /etc/knot/knot.conf
+ dpkg-statoverride --list /etc/knot > /dev/null || dpkg-statoverride --update --add knot knot 0750 /etc/knot
+fi
+
+if [ "$1" = "configure" ] && [ -n "$2" ] && dpkg --compare-versions "$2" lt "2.5.0-1~"; then
+ KNOT_USER=$(/usr/lib/knot/get_user 2>/dev/null || echo "knot")
+
+ /usr/lib/knot/get_kaspdb | while read KASPDB; do
+ if [ ! -f "${KASPDB}/data.mdb" ]; then
+ runuser -u "${KNOT_USER}" -- /usr/lib/knot/kasp_json2lmdb -i "${KASPDB}"
+ fi
+ done
+fi
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/knot.postrm b/debian/knot.postrm
new file mode 100644
index 0000000..76dccba
--- /dev/null
+++ b/debian/knot.postrm
@@ -0,0 +1,18 @@
+#!/bin/sh
+set -e
+
+if test "$1" = "purge"; then
+ spool=/var/lib/knot
+ rm -rf $spool/timers $spool/keys $spool/journal
+ rmdir $spool 2>/dev/null || true
+
+ dpkg-statoverride --remove /var/lib/knot >/dev/null 2>/dev/null || true
+ dpkg-statoverride --remove /etc/knot/knot.conf >/dev/null 2>/dev/null || true
+ dpkg-statoverride --remove /etc/knot >/dev/null 2>/dev/null || true
+
+ deluser --quiet knot > /dev/null || true
+fi
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/knot.service b/debian/knot.service
new file mode 100644
index 0000000..191fd3d
--- /dev/null
+++ b/debian/knot.service
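Review bot: The upgrade branch takes both the `runuser -u` target and the directories handed to kasp_json2lmdb from /etc/knot/knot.conf, a file the first branch assigns to the knot account (`--add knot knot 0640`), so the service account decides what this maintainer script, which dpkg runs as root, does on upgrade. If knotd does not need to write its own configuration (not visible in this diff), `dpkg-statoverride --update --add root knot 0640 /etc/knot/knot.conf` and `root knot 0750` for /etc/knot keep the file readable by the daemon without giving it ownership; otherwise the script should refuse a `KNOT_USER` that resolves to uid 0 and fall back to `knot`. `while read KASPDB` should also be `while read -r KASPDB` so that backslashes in a configured path are not interpreted.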
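Review bot: On purge, `deluser --quiet knot` runs even when `rmdir $spool` failed because /var/lib/knot still contains files, so whatever is left behind stays owned by a numeric uid that a later system account may be given. Either keep the system account in place, or tie its removal to the directory being gone, for example `rmdir $spool 2>/dev/null && deluser --quiet knot >/dev/null || true`. `deluser` is provided by the adduser package, which is not guaranteed to be installed at purge time; the `|| true` hides that case silently.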
@@ -0,0 +1,14 @@
+[Unit]
+Description=Knot DNS server
+Wants=network-online.target
+After=network-online.target
+Documentation=man:knotd(8) man:knot.conf(5) man:knotc(8)
+
+[Service]
+EnvironmentFile=/etc/default/knot
+ExecReload=/usr/sbin/knotc reload
+ExecStart=/usr/sbin/knotd $KNOTD_ARGS
+Restart=on-abort
+
+[Install]
+WantedBy=multi-user.target
diff --git a/debian/knot.tmpfile b/debian/knot.tmpfile
new file mode 100644
index 0000000..aab7815
--- /dev/null
+++ b/debian/knot.tmpfile
@@ -0,0 +1,2 @@
+#Type Path Mode UID GID Age Argument
+ d /run/knot 0755 knot knot - -
diff --git a/debian/libdnssec6.install b/debian/libdnssec6.install
new file mode 100644
index 0000000..17a9fe6
--- /dev/null
+++ b/debian/libdnssec6.install
@@ -0,0 +1 @@
+usr/lib/*/libdnssec.so.*
diff --git a/debian/libdnssec6.symbols b/debian/libdnssec6.symbols
new file mode 100644
index 0000000..35a8c99
--- /dev/null
+++ b/debian/libdnssec6.symbols
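Review bot: The `[Service]` section starts knotd with no `User=` and no sandboxing directives, so the process starts with full root privileges and any privilege drop is left entirely to knotd and its configuration. Directives that should not interfere with a DNS server, such as `NoNewPrivileges=yes`, `PrivateTmp=yes` and `ProtectHome=yes`, would narrow that; a `CapabilityBoundingSet=` restricted to what knotd needs for binding its port and switching user is worth evaluating but needs testing against the daemon. `EnvironmentFile=/etc/default/knot` has no `-` prefix, so the unit fails to start if that file is removed; `EnvironmentFile=-/etc/default/knot` tolerates its absence.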
@@ -0,0 +1,109 @@ +libdnssec.so.6 libdnssec6 #MINVER# +* Build-Depends-Package: libknot-dev + dnssec_algorithm_digest_support@Base 2.6.0 + dnssec_algorithm_key_size_check@Base 2.3.0 + dnssec_algorithm_key_size_default@Base 2.3.0 + dnssec_algorithm_key_size_range@Base 2.3.0 + dnssec_algorithm_key_support@Base 2.6.0 + dnssec_binary_alloc@Base 2.3.0 + dnssec_binary_cmp@Base 2.3.0 + dnssec_binary_dup@Base 2.3.0 + dnssec_binary_free@Base 2.3.0 + dnssec_binary_from_base64@Base 2.3.0 + dnssec_binary_resize@Base 2.3.0 + dnssec_binary_to_base64@Base 2.3.0 + dnssec_crypto_cleanup@Base 2.3.0 + dnssec_crypto_init@Base 2.3.0 + dnssec_crypto_reinit@Base 2.3.0 + dnssec_item_get@Base 2.3.0 + dnssec_item_set@Base 2.3.0 + dnssec_key_can_sign@Base 2.3.0 + dnssec_key_can_verify@Base 2.3.0 + dnssec_key_clear@Base 2.3.0 + dnssec_key_create_ds@Base 2.3.0 + dnssec_key_dup@Base 2.3.0 + dnssec_key_free@Base 2.3.0 + dnssec_key_get_algorithm@Base 2.3.0 + dnssec_key_get_dname@Base 2.3.0 + dnssec_key_get_flags@Base 2.3.0 + dnssec_key_get_keyid@Base 2.6.0 + dnssec_key_get_keytag@Base 2.3.0 + dnssec_key_get_protocol@Base 2.3.0 + dnssec_key_get_pubkey@Base 2.3.0 + dnssec_key_get_rdata@Base 2.3.0 + dnssec_key_get_size@Base 2.3.0 + dnssec_key_import_keystore@Base 2.3.0 + dnssec_key_load_pkcs8@Base 2.3.0 + dnssec_key_new@Base 2.3.0 + dnssec_key_set_algorithm@Base 2.3.0 + dnssec_key_set_dname@Base 2.3.0 + dnssec_key_set_flags@Base 2.3.0 + dnssec_key_set_protocol@Base 2.3.0 + dnssec_key_set_pubkey@Base 2.3.0 + dnssec_key_set_rdata@Base 2.3.0 + dnssec_keyid_copy@Base 2.3.0 + dnssec_keyid_equal@Base 2.3.0 + dnssec_keyid_is_valid@Base 2.3.0 + dnssec_keyid_normalize@Base 2.3.0 + dnssec_keystore_close@Base 2.3.0 + dnssec_keystore_deinit@Base 2.3.0 + dnssec_keystore_generate_key@Base 2.3.0 + dnssec_keystore_import@Base 2.3.0 + dnssec_keystore_init@Base 2.3.0 + dnssec_keystore_init_pkcs11@Base 2.3.0 + dnssec_keystore_init_pkcs8_custom@Base 2.3.0 + dnssec_keystore_init_pkcs8_dir@Base 2.3.0 + 
dnssec_keystore_list_keys@Base 2.3.0 + dnssec_keystore_open@Base 2.3.0 + dnssec_keystore_remove_key@Base 2.3.0 + dnssec_keytag@Base 2.3.0 + dnssec_list_append@Base 2.3.0 + dnssec_list_clear@Base 2.3.0 + dnssec_list_clear_full@Base 2.3.0 + dnssec_list_contains@Base 2.3.0 + dnssec_list_free@Base 2.3.0 + dnssec_list_free_full@Base 2.3.0 + dnssec_list_head@Base 2.3.0 + dnssec_list_insert_after@Base 2.3.0 + dnssec_list_insert_before@Base 2.3.0 + dnssec_list_is_empty@Base 2.3.0 + dnssec_list_new@Base 2.3.0 + dnssec_list_next@Base 2.3.0 + dnssec_list_nth@Base 2.3.0 + dnssec_list_prepend@Base 2.3.0 + dnssec_list_prev@Base 2.3.0 + dnssec_list_remove@Base 2.3.0 + dnssec_list_search@Base 2.3.0 + dnssec_list_size@Base 2.3.0 + dnssec_list_tail@Base 2.3.0 + dnssec_nsec3_hash@Base 2.3.0 + dnssec_nsec3_hash_length@Base 2.3.0 + dnssec_nsec3_params_free@Base 2.3.0 + dnssec_nsec3_params_from_rdata@Base 2.3.0 + dnssec_nsec_bitmap_add@Base 2.3.0 + dnssec_nsec_bitmap_clear@Base 2.3.0 + dnssec_nsec_bitmap_contains@Base 2.7.0 + dnssec_nsec_bitmap_free@Base 2.3.0 + dnssec_nsec_bitmap_new@Base 2.3.0 + dnssec_nsec_bitmap_size@Base 2.3.0 + dnssec_nsec_bitmap_write@Base 2.3.0 + dnssec_random_binary@Base 2.3.0 + dnssec_random_buffer@Base 2.3.0 + dnssec_sign_add@Base 2.3.0 + dnssec_sign_free@Base 2.3.0 + dnssec_sign_init@Base 2.3.0 + dnssec_sign_new@Base 2.3.0 + dnssec_sign_verify@Base 2.3.0 + dnssec_sign_write@Base 2.3.0 + dnssec_strerror@Base 2.3.0 + dnssec_tsig_add@Base 2.3.0 + dnssec_tsig_algorithm_from_dname@Base 2.3.0 + dnssec_tsig_algorithm_from_name@Base 2.3.0 + dnssec_tsig_algorithm_size@Base 2.3.0 + dnssec_tsig_algorithm_to_dname@Base 2.3.0 + dnssec_tsig_algorithm_to_name@Base 2.3.0 + dnssec_tsig_free@Base 2.3.0 + dnssec_tsig_new@Base 2.3.0 + dnssec_tsig_optimal_key_size@Base 2.3.0 + dnssec_tsig_size@Base 2.3.0 + dnssec_tsig_write@Base 2.3.0 diff --git a/debian/libknot-dev.install b/debian/libknot-dev.install new file mode 100644 index 0000000..54f2635 --- /dev/null 
+++ b/debian/libknot-dev.install
@@ -0,0 +1,4 @@
+usr/include/
+usr/lib/*/*.a
+usr/lib/*/*.so
+usr/lib/*/pkgconfig/*
diff --git a/debian/libknot8.install b/debian/libknot8.install
new file mode 100644
index 0000000..f9b9f93
--- /dev/null
+++ b/debian/libknot8.install
@@ -0,0 +1 @@
+usr/lib/*/libknot.so.*
diff --git a/debian/libknot8.symbols b/debian/libknot8.symbols
new file mode 100644
index 0000000..4c7d0dd
--- /dev/null
+++ b/debian/libknot8.symbols
@@ -0,0 +1,207 @@ +libknot.so.8 libknot8 #MINVER# +* Build-Depends-Package: libknot-dev + KNOT_DB_LMDB_DUPSORT@Base 2.5.0 + KNOT_DB_LMDB_INTEGERKEY@Base 2.4.0 + KNOT_DB_LMDB_MAPASYNC@Base 2.5.0 + KNOT_DB_LMDB_NOSYNC@Base 2.4.0 + KNOT_DB_LMDB_NOTLS@Base 2.3.0 + KNOT_DB_LMDB_RDONLY@Base 2.3.0 + KNOT_DB_LMDB_WRITEMAP@Base 2.5.0 + KNOT_DUMP_STYLE_DEFAULT@Base 2.3.0 + knot_ctl_accept@Base 2.3.0 + knot_ctl_alloc@Base 2.3.0 + knot_ctl_bind@Base 2.3.0 + knot_ctl_close@Base 2.3.0 + knot_ctl_connect@Base 2.3.0 + knot_ctl_free@Base 2.3.0 + knot_ctl_receive@Base 2.3.0 + knot_ctl_send@Base 2.3.0 + knot_ctl_set_timeout@Base 2.3.0 + knot_ctl_unbind@Base 2.3.0 + knot_db_lmdb_api@Base 2.3.0 + knot_db_lmdb_del_exact@Base 2.5.0 + knot_db_lmdb_get_mapsize@Base 2.4.0 + knot_db_lmdb_get_usage@Base 2.4.0 + knot_db_lmdb_iter_del@Base 2.3.0 + knot_db_lmdb_txn_begin@Base 2.3.0 + knot_db_trie_api@Base 2.3.0 + knot_dname_cmp@Base 2.3.0 + knot_dname_copy@Base 2.3.0 + knot_dname_free@Base 2.3.0 + knot_dname_from_str@Base 2.3.0 + knot_dname_in_bailiwick@Base 2.7.0 + knot_dname_is_equal@Base 2.3.0 + knot_dname_labels@Base 2.3.0 + knot_dname_lf@Base 2.3.0 + knot_dname_matched_labels@Base 2.3.0 + knot_dname_prefixlen@Base 2.3.0 + knot_dname_realsize@Base 2.3.0 + knot_dname_replace_suffix@Base 2.3.0 + knot_dname_size@Base 2.3.0 + knot_dname_store@Base 2.7.0 + knot_dname_to_lower@Base 2.3.0 + knot_dname_to_str@Base 2.3.0 + knot_dname_to_wire@Base 2.3.0 + knot_dname_unpack@Base 2.3.0 + knot_dname_wire_check@Base 2.3.0 + knot_dnssec_alg_names@Base 2.3.0 + knot_edns_add_option@Base 2.3.0 + knot_edns_alignment_size@Base 2.7.0 + knot_edns_chain_parse@Base 2.4.0 + knot_edns_chain_size@Base 2.4.0 + knot_edns_chain_write@Base 2.4.0 + knot_edns_client_subnet_get_addr@Base 2.3.1 + knot_edns_client_subnet_parse@Base 2.3.0 + knot_edns_client_subnet_set_addr@Base 2.3.1 + knot_edns_client_subnet_size@Base 2.3.1 + knot_edns_client_subnet_write@Base 2.3.1 + knot_edns_cookie_client_check@Base 2.7.0 + 
knot_edns_cookie_client_generate@Base 2.7.0 + knot_edns_cookie_parse@Base 2.7.0 + knot_edns_cookie_server_check@Base 2.7.0 + knot_edns_cookie_server_generate@Base 2.7.0 + knot_edns_cookie_size@Base 2.7.0 + knot_edns_cookie_write@Base 2.7.0 + knot_edns_get_ext_rcode@Base 2.3.0 + knot_edns_get_option@Base 2.3.0 + knot_edns_get_options@Base 2.7.0 + knot_edns_get_version@Base 2.3.0 + knot_edns_init@Base 2.3.0 + knot_edns_keepalive_parse@Base 2.4.0 + knot_edns_keepalive_size@Base 2.4.0 + knot_edns_keepalive_write@Base 2.4.0 + knot_edns_reserve_option@Base 2.3.0 + knot_edns_set_ext_rcode@Base 2.3.0 + knot_edns_set_version@Base 2.3.0 + knot_error_from_libdnssec@Base 2.5.0 + knot_get_obsolete_rdata_descriptor@Base 2.3.0 + knot_get_rdata_descriptor@Base 2.3.0 + knot_naptr_header_size@Base 2.3.0 + knot_opcode_names@Base 2.3.0 + knot_opt_code_to_string@Base 2.6.6 + knot_pkt_begin@Base 2.3.0 + knot_pkt_clear@Base 2.3.0 + knot_pkt_copy@Base 2.3.0 + knot_pkt_ext_rcode@Base 2.4.0 + knot_pkt_ext_rcode_name@Base 2.4.0 + knot_pkt_free@Base 2.3.0 + knot_pkt_init_response@Base 2.3.0 + knot_pkt_new@Base 2.3.0 + knot_pkt_parse@Base 2.3.0 + knot_pkt_parse_question@Base 2.3.0 + knot_pkt_put_question@Base 2.3.0 + knot_pkt_put_rotate@Base 2.7.0 + knot_pkt_reclaim@Base 2.3.0 + knot_pkt_reserve@Base 2.3.0 + knot_rcode_names@Base 2.3.0 + knot_rdataset_add@Base 2.3.0 + knot_rdataset_at@Base 2.3.0 + knot_rdataset_clear@Base 2.3.0 + knot_rdataset_copy@Base 2.3.0 + knot_rdataset_eq@Base 2.3.0 + knot_rdataset_intersect@Base 2.3.0 + knot_rdataset_member@Base 2.3.0 + knot_rdataset_merge@Base 2.3.0 + knot_rdataset_reserve@Base 2.3.0 + knot_rdataset_size@Base 2.3.0 + knot_rdataset_subtract@Base 2.3.0 + knot_rdataset_unreserve@Base 2.3.0 + knot_rrclass_from_string@Base 2.3.0 + knot_rrclass_to_string@Base 2.3.0 + knot_rrset_add_rdata@Base 2.3.0 + knot_rrset_clear@Base 2.3.0 + knot_rrset_copy@Base 2.3.0 + knot_rrset_equal@Base 2.3.0 + knot_rrset_free@Base 2.3.0 + knot_rrset_is_nsec3rel@Base 2.3.0 + 
knot_rrset_new@Base 2.3.0 + knot_rrset_rr_from_wire@Base 2.3.0 + knot_rrset_rr_to_canonical@Base 2.3.0 + knot_rrset_size@Base 2.3.0 + knot_rrset_to_wire_extra@Base 2.7.0 + knot_rrset_to_wire_rotate@Base 2.7.0 + knot_rrset_txt_dump@Base 2.3.0 + knot_rrset_txt_dump_data@Base 2.3.0 + knot_rrset_txt_dump_header@Base 2.3.0 + knot_rrtype_additional_needed@Base 2.3.0 + knot_rrtype_from_string@Base 2.3.0 + knot_rrtype_is_dnssec@Base 2.3.0 + knot_rrtype_is_metatype@Base 2.3.0 + knot_rrtype_should_be_lowercased@Base 2.3.0 + knot_rrtype_to_string@Base 2.3.0 + knot_strerror@Base 2.3.0 + knot_tsig_add@Base 2.3.0 + knot_tsig_append@Base 2.3.0 + knot_tsig_client_check@Base 2.3.0 + knot_tsig_client_check_next@Base 2.3.0 + knot_tsig_create_rdata@Base 2.3.0 + knot_tsig_key_copy@Base 2.3.0 + knot_tsig_key_deinit@Base 2.3.0 + knot_tsig_key_init@Base 2.3.0 + knot_tsig_key_init_file@Base 2.3.0 + knot_tsig_key_init_str@Base 2.3.0 + knot_tsig_rcode_names@Base 2.4.0 + knot_tsig_rdata_alg@Base 2.3.0 + knot_tsig_rdata_alg_name@Base 2.3.0 + knot_tsig_rdata_error@Base 2.3.0 + knot_tsig_rdata_fudge@Base 2.3.0 + knot_tsig_rdata_is_ok@Base 2.3.0 + knot_tsig_rdata_mac@Base 2.3.0 + knot_tsig_rdata_mac_length@Base 2.3.0 + knot_tsig_rdata_orig_id@Base 2.3.0 + knot_tsig_rdata_other_data@Base 2.3.0 + knot_tsig_rdata_other_data_length@Base 2.3.0 + knot_tsig_rdata_set_fudge@Base 2.3.0 + knot_tsig_rdata_set_mac@Base 2.3.0 + knot_tsig_rdata_set_orig_id@Base 2.3.0 + knot_tsig_rdata_set_other_data@Base 2.3.0 + knot_tsig_rdata_set_time_signed@Base 2.3.0 + knot_tsig_rdata_time_signed@Base 2.3.0 + knot_tsig_rdata_tsig_timers_length@Base 2.3.0 + knot_tsig_rdata_tsig_variables_length@Base 2.3.0 + knot_tsig_server_check@Base 2.3.0 + knot_tsig_sign@Base 2.3.0 + knot_tsig_sign_next@Base 2.3.0 + knot_tsig_wire_maxsize@Base 2.3.0 + knot_tsig_wire_size@Base 2.4.1 + yp_addr@Base 2.5.0 + yp_addr_noport@Base 2.5.0 + yp_addr_noport_to_bin@Base 2.5.0 + yp_addr_noport_to_txt@Base 2.5.0 + yp_addr_range_to_bin@Base 2.5.0 + 
yp_addr_range_to_txt@Base 2.5.0 + yp_addr_to_bin@Base 2.5.0 + yp_addr_to_txt@Base 2.5.0 + yp_base64_to_bin@Base 2.5.0 + yp_base64_to_txt@Base 2.5.0 + yp_bool_to_bin@Base 2.5.0 + yp_bool_to_txt@Base 2.5.0 + yp_deinit@Base 2.5.0 + yp_dname_to_bin@Base 2.5.0 + yp_dname_to_txt@Base 2.5.0 + yp_format_id@Base 2.5.0 + yp_format_key0@Base 2.5.0 + yp_format_key1@Base 2.5.0 + yp_hex_to_bin@Base 2.5.0 + yp_hex_to_txt@Base 2.5.0 + yp_init@Base 2.5.0 + yp_int_to_bin@Base 2.5.0 + yp_int_to_txt@Base 2.5.0 + yp_item_to_bin@Base 2.5.0 + yp_item_to_txt@Base 2.5.0 + yp_option_to_bin@Base 2.5.0 + yp_option_to_txt@Base 2.5.0 + yp_parse@Base 2.5.0 + yp_schema_check_deinit@Base 2.5.0 + yp_schema_check_init@Base 2.5.0 + yp_schema_check_parser@Base 2.5.0 + yp_schema_check_str@Base 2.5.0 + yp_schema_copy@Base 2.5.0 + yp_schema_find@Base 2.5.0 + yp_schema_free@Base 2.5.0 + yp_schema_merge@Base 2.5.0 + yp_schema_purge_dynamic@Base 2.5.0 + yp_set_input_file@Base 2.5.0 + yp_set_input_string@Base 2.5.0 + yp_str_to_bin@Base 2.5.0 + yp_str_to_txt@Base 2.5.0 diff --git a/debian/libzscanner2.install b/debian/libzscanner2.install new file mode 100644 index 0000000..a8dc226 --- /dev/null +++ b/debian/libzscanner2.install @@ -0,0 +1 @@ +usr/lib/*/libzscanner.so.* diff --git a/debian/libzscanner2.symbols b/debian/libzscanner2.symbols new file mode 100644 index 0000000..3477f9c --- /dev/null +++ b/debian/libzscanner2.symbols @@ -0,0 +1,11 @@ +libzscanner.so.2 libzscanner2 #MINVER# +* Build-Depends-Package: libknot-dev + zs_deinit@Base 2.3.0 + zs_errorname@Base 2.3.0 + zs_init@Base 2.3.0 + zs_parse_all@Base 2.3.0 + zs_parse_record@Base 2.3.0 + zs_set_input_file@Base 2.3.0 + zs_set_input_string@Base 2.3.0 + zs_set_processing@Base 2.3.0 + zs_strerror@Base 2.3.0 diff --git a/debian/not-installed b/debian/not-installed new file mode 100644 index 0000000..c928be1 --- /dev/null +++ b/debian/not-installed @@ -0,0 +1 @@ +etc/knot/example.com.zone 
diff --git a/debian/patches/0001-avoid-git-version-inclusion-in-debian-packages.patch b/debian/patches/0001-avoid-git-version-inclusion-in-debian-packages.patch new file mode 100644 index 0000000..1ed81bf --- /dev/null +++ b/debian/patches/0001-avoid-git-version-inclusion-in-debian-packages.patch @@ -0,0 +1,23 @@ +From: Daniel Kahn Gillmor +Date: Fri, 2 Nov 2018 18:53:10 +0300 +Subject: avoid git version inclusion in debian packages + +--- + m4/knot-version.m4 | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/m4/knot-version.m4 b/m4/knot-version.m4 +index 6e9158d..d4abe1d 100644 +--- a/m4/knot-version.m4 ++++ b/m4/knot-version.m4 +@@ -11,9 +11,6 @@ + ################################################################################ + + m4_define([knot_PATCH], m4_ifblank(knot_VERSION_PATCH, [dev], knot_VERSION_PATCH))dnl +-m4_define([knot_GIT_HASH], m4_esyscmd_s(git rev-parse --short HEAD 2>/dev/null))dnl +-m4_define([knot_GIT_TAG], m4_esyscmd_s(git describe --exact-match 2>/dev/null))dnl + m4_define([knot_TIMESTAMP], m4_esyscmd_s(date -u +'%s' 2>/dev/null))dnl +-m4_define([knot_GIT_INFO], m4_ifblank(knot_GIT_TAG, m4_ifnblank(knot_GIT_HASH, .knot_TIMESTAMP.knot_GIT_HASH, []), []))dnl + +-m4_define([knot_PKG_VERSION], [knot_VERSION_MAJOR.knot_VERSION_MINOR.knot_PATCH]knot_GIT_INFO)dnl ++m4_define([knot_PKG_VERSION], [knot_VERSION_MAJOR.knot_VERSION_MINOR.knot_PATCH])dnl diff --git a/debian/patches/0002-zonefile-Verify-mtime-against-full-precision-timesta.patch b/debian/patches/0002-zonefile-Verify-mtime-against-full-precision-timesta.patch new file mode 100644 index 0000000..fa79f5d --- /dev/null +++ b/debian/patches/0002-zonefile-Verify-mtime-against-full-precision-timesta.patch 
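Review bot: The context line `m4_define([knot_TIMESTAMP], m4_esyscmd_s(date -u +'%s' 2>/dev/null))dnl` is kept, but as far as this hunk shows its only consumer was the removed `knot_GIT_INFO` macro. If nothing else in m4/knot-version.m4 expands it, the patch could delete that line as well, so that autoconf no longer shells out to `date` and no wall-clock value remains available to end up in a package that is meant to build reproducibly. The rest of the file is outside the hunk, so check for other uses before removing it.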
@@ -0,0 +1,129 @@ +From: Daniel Kahn Gillmor +Date: Fri, 22 Feb 2019 16:05:38 -0500 +Subject: zonefile: Verify mtime against full-precision timestamp + +We've just used 1-second granularity mtime to check if a file has +changed. + +But if two updates happen within a calendar second, and knotd notices +the first one and reloads the file, it might never notice the second +change and continue serving the old file. We can see this happening +in intermittent test suite failures in the debian continuous +integration servers: + + https://ci.debian.net/packages/k/knot/unstable/amd64 + +Using nanosecond-granularity timestamps should make these problems go +away. + +Signed-off-by: Daniel Kahn Gillmor +--- + src/knot/events/handlers/load.c | 6 ++++-- + src/knot/zone/zone.c | 2 +- + src/knot/zone/zone.h | 2 +- + src/knot/zone/zonedb-load.c | 6 ++++-- + src/knot/zone/zonefile.c | 4 ++-- + src/knot/zone/zonefile.h | 2 +- + 6 files changed, 13 insertions(+), 9 deletions(-) + +diff --git a/src/knot/events/handlers/load.c b/src/knot/events/handlers/load.c +index 7410d30..1f8f368 100644 +--- a/src/knot/events/handlers/load.c ++++ b/src/knot/events/handlers/load.c +@@ -73,10 +73,12 @@ int event_load(conf_t *conf, zone_t *zone) + + // If configured, attempt to load zonefile. 
+ if (zf_from != ZONEFILE_LOAD_NONE) { +- time_t mtime; ++ struct timespec mtime; + char *filename = conf_zonefile(conf, zone->name); + ret = zonefile_exists(filename, &mtime); +- bool zonefile_unchanged = (zone->zonefile.exists && zone->zonefile.mtime == mtime); ++ bool zonefile_unchanged = (zone->zonefile.exists && ++ zone->zonefile.mtime.tv_sec == mtime.tv_sec && ++ zone->zonefile.mtime.tv_nsec == mtime.tv_nsec); + free(filename); + if (ret == KNOT_EOK) { + ret = zone_load_contents(conf, zone->name, &zf_conts); +diff --git a/src/knot/zone/zone.c b/src/knot/zone/zone.c +index efc0caa..0ec29f1 100644 +--- a/src/knot/zone/zone.c ++++ b/src/knot/zone/zone.c +@@ -145,7 +145,7 @@ static int flush_journal(conf_t *conf, zone_t *zone, bool allow_empty_zone) + + /* Update zone file attributes. */ + zone->zonefile.exists = true; +- zone->zonefile.mtime = st.st_mtime; ++ zone->zonefile.mtime = st.st_mtim; + zone->zonefile.serial = serial_to; + zone->zonefile.resigned = false; + +diff --git a/src/knot/zone/zone.h b/src/knot/zone/zone.h +index 360e222..09c92cc 100644 +--- a/src/knot/zone/zone.h ++++ b/src/knot/zone/zone.h +@@ -50,7 +50,7 @@ typedef struct zone + + /*! \brief Zonefile parameters. 
*/ + struct { +- time_t mtime; ++ struct timespec mtime; + uint32_t serial; + bool exists; + bool resigned; +diff --git a/src/knot/zone/zonedb-load.c b/src/knot/zone/zonedb-load.c +index a6e9834..f23b4b1 100644 +--- a/src/knot/zone/zonedb-load.c ++++ b/src/knot/zone/zonedb-load.c +@@ -35,12 +35,14 @@ static bool zone_file_updated(conf_t *conf, const zone_t *old_zone, + assert(zone_name); + + char *zonefile = conf_zonefile(conf, zone_name); +- time_t mtime; ++ struct timespec mtime; + int ret = zonefile_exists(zonefile, &mtime); + free(zonefile); + + return (ret == KNOT_EOK && old_zone != NULL && +- !(old_zone->zonefile.exists && old_zone->zonefile.mtime == mtime)); ++ !(old_zone->zonefile.exists && ++ old_zone->zonefile.mtime.tv_sec == mtime.tv_sec && ++ old_zone->zonefile.mtime.tv_nsec == mtime.tv_nsec)); + } + + static zone_t *create_zone_from(const knot_dname_t *name, server_t *server) +diff --git a/src/knot/zone/zonefile.c b/src/knot/zone/zonefile.c +index 37fc90b..0e02d21 100644 +--- a/src/knot/zone/zonefile.c ++++ b/src/knot/zone/zonefile.c +@@ -248,7 +248,7 @@ fail: + return NULL; + } + +-int zonefile_exists(const char *path, time_t *mtime) ++int zonefile_exists(const char *path, struct timespec *mtime) + { + if (path == NULL) { + return KNOT_EINVAL; +@@ -260,7 +260,7 @@ int zonefile_exists(const char *path, time_t *mtime) + } + + if (mtime != NULL) { +- *mtime = zonefile_st.st_mtime; ++ *mtime = zonefile_st.st_mtim; + } + + return KNOT_EOK; +diff --git a/src/knot/zone/zonefile.h b/src/knot/zone/zonefile.h +index 90283ee..9d0542e 100644 +--- a/src/knot/zone/zonefile.h ++++ b/src/knot/zone/zonefile.h +@@ -79,7 +79,7 @@ zone_contents_t *zonefile_load(zloader_t *loader); + * + * \return KNOT_E* + */ +-int zonefile_exists(const char *path, time_t *mtime); ++int zonefile_exists(const char *path, struct timespec *mtime); + + /*! + * \brief Write zone contents to zone file. 
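Review bot: The full-precision comparison is spelled out twice, in `event_load()` (load.c) and in `zone_file_updated()` (zonedb-load.c), each as a pair of `tv_sec`/`tv_nsec` equality tests. A single helper declared next to `zonefile_exists()` in zonefile.h, for example `static inline bool zonefile_mtime_eq(const struct timespec *a, const struct timespec *b)`, would keep the two call sites from drifting apart. That helper is also the place for a comment that equal timestamps only mean "no change observed": two writes that land within the filesystem's timestamp granularity still compare equal, so the missed-reload window is narrowed rather than closed. Both functions begin and end outside the quoted hunks.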
diff --git a/debian/patches/0003-correct-kdig-documentation-about-no-crypto.patch b/debian/patches/0003-correct-kdig-documentation-about-no-crypto.patch new file mode 100644 index 0000000..02d2e15 --- /dev/null +++ b/debian/patches/0003-correct-kdig-documentation-about-no-crypto.patch @@ -0,0 +1,39 @@ +From: Daniel Kahn Gillmor +Date: Fri, 4 Jan 2019 15:14:32 -0500 +Subject: correct kdig documentation about +[no]crypto + +kdig displays cryptographic signatures and keys in base64 encoding, +not in hexdump format. + +Signed-off-by: Daniel Kahn Gillmor +--- + doc/man/kdig.1in | 2 +- + doc/man_kdig.rst | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/doc/man/kdig.1in b/doc/man/kdig.1in +index 8bb2d01..df2fb3c 100644 +--- a/doc/man/kdig.1in ++++ b/doc/man/kdig.1in +@@ -159,7 +159,7 @@ Use the generic representation format when printing resource record types + and data. + .TP + \fB+\fP[\fBno\fP]\fBcrypto\fP +-Display the DNSSEC keys and signatures values in hexdump, instead of omitting them. ++Display the DNSSEC keys and signatures values in base64, instead of omitting them. + .TP + \fB+\fP[\fBno\fP]\fBaaflag\fP + Set the AA flag. +diff --git a/doc/man_kdig.rst b/doc/man_kdig.rst +index c1b3961..7fa2db0 100644 +--- a/doc/man_kdig.rst ++++ b/doc/man_kdig.rst +@@ -138,7 +138,7 @@ Options + and data. + + **+**\ [\ **no**\ ]\ **crypto** +- Display the DNSSEC keys and signatures values in hexdump, instead of omitting them. ++ Display the DNSSEC keys and signatures values in base64, instead of omitting them. + + **+**\ [\ **no**\ ]\ **aaflag** + Set the AA flag. diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..404f14f --- /dev/null +++ b/debian/patches/series @@ -0,0 +1,3 @@ +0001-avoid-git-version-inclusion-in-debian-packages.patch +0002-zonefile-Verify-mtime-against-full-precision-timesta.patch +0003-correct-kdig-documentation-about-no-crypto.patch 
diff --git a/debian/prepare-environment b/debian/prepare-environment
new file mode 100755
index 0000000..7176f5e
--- /dev/null
+++ b/debian/prepare-environment
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+set -eu
+
+CONFFILE=${1:-/etc/knot/knot.conf}
+
+if [ ! -r $CONFFILE ]; then
+ echo "$CONFFILE doesn't exist or has wrong permissions."
+ exit 1;
+fi
+
+KNOT_RUNDIR=$(sed -ne "s/#.*$//;s/.*rundir: \"*\([^\";]*\\).*/\\1/p;" $CONFFILE)
+[ -z "$KNOT_RUNDIR" ] && KNOT_RUNDIR=/run/knot
+
+mkdir --parents "$KNOT_RUNDIR";
+
+KNOT_USER=$(sed -ne "s/#.*$//;s/.*user:[ \"]*\\([^\\:\"]*\\)[ \"]*/\\1/p;" $CONFFILE)
+
+if [ -n "$KNOT_USER" ]; then
+ if ! getent passwd $KNOT_USER >/dev/null; then
+ echo "Configured user '$KNOT_USER' doesn't exist."
+ exit 1
+ fi
+
+ KNOT_GROUP=$(sed -ne "s/#.*$//;s/.*user:[ \"]*[^\\:\"]*\\:\\([^\"]*\\)[ \"]*/\\1/p;" $CONFFILE)
+ if [ -z "$KNOT_GROUP" ]; then
+ KNOT_GROUP=$(getent group $(getent passwd "$KNOT_USER" | cut -f 4 -d :) | cut -f 1 -d :)
+ fi
+
+ if ! getent group $KNOT_GROUP >/dev/null; then
+ echo "Configured group '$KNOT_GROUP' doesn't exist."
+ exit 1
+ fi
+ chown --silent "$KNOT_USER:$KNOT_GROUP" "$KNOT_RUNDIR"
+ chmod 775 "$KNOT_RUNDIR"
+fi
+
+:
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..2d6cbb6
--- /dev/null
+++ b/debian/rules
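Review bot: Several values taken from the command line or parsed out of the configuration file are expanded unquoted: `[ ! -r $CONFFILE ]`, the three `sed ... $CONFFILE` calls, `getent passwd $KNOT_USER` and `getent group $KNOT_GROUP`. They are then subject to word splitting and globbing, so a path or name containing whitespace or a wildcard is checked as something other than what `chown` later receives in its quoted form. Quote each of them, e.g. `if [ ! -r "$CONFFILE" ]; then` and `if ! getent passwd "$KNOT_USER" >/dev/null; then`. The `sed` extraction can also yield more than one line when `user:` matches twice, so rejecting a value that contains a newline before the `chown` would be a useful extra check. `chmod 775` leaves the run directory group-writable; a comment saying why the group needs write access would help the next reader.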
@@ -0,0 +1,89 @@ +#!/usr/bin/make -f + +export DEB_BUILD_MAINT_OPTIONS = hardening=+all +export DEB_CFLAGS_MAINT_APPEND = -Wall -DNDEBUG +export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed + +export DPKG_GENSYMBOLS_CHECK_LEVEL := 4 +export KNOT_SOFTHSM2_DSO = /usr/lib/softhsm/libsofthsm2.so + +ifeq ($(DEB_HOST_ARCH),$(filter $(DEB_HOST_ARCH),riscv64)) + export DEB_LDFLAGS_MAINT_APPEND += -latomic +endif + +include /usr/share/dpkg/default.mk + +ifeq (maint,$(filter $(DEB_BUILD_OPTIONS),maint)) + FASTPARSER := --disable-fastparser +else + FASTPARSER := --enable-fastparser +endif + +ifeq ($(DEB_HOST_ARCH),$(filter $(DEB_HOST_ARCH),hurd-i386)) + RECVMMSG:=--enable-recvmmsg=no +else + RECVMMSG:=--enable-recvmmsg=yes +endif + +ifeq ($(DEB_HOST_ARCH),$(filter $(DEB_HOST_ARCH),amd64 i386)) + RUN_TEST := +else + RUN_TEST := -timeout --kill-after=5s 5m +endif + +%: + dh $@ \ + --dbgsym-migration='knot-dbg (<< 2.2.0-2~)' \ + --exclude=.la --exclude=example.com.zone + +override_dh_auto_configure: + echo confirming architecture... 
+ echo 'arch:' $(DEB_HOST_ARCH) + echo 'filtered arch:' $(filter $(DEB_HOST_ARCH),mips powerpc riscv64) + echo 'DEB_LDFLAGS_MAINT_APPEND:' $(DEB_LDFLAGS_MAINT_APPEND) + echo done + dh_auto_configure -- \ + --sysconfdir=/etc \ + --localstatedir=/var/lib \ + --libexecdir=/usr/lib/knot \ + --with-rundir=/run/knot \ + --with-moduledir=/usr/lib/$(DEB_HOST_MULTIARCH)/knot \ + --with-storage=/var/lib/knot \ + --enable-systemd=auto \ + --enable-dnstap \ + --with-module-dnstap=yes \ + $(RECVMMSG) \ + $(FASTPARSER) \ + --disable-silent-rules + +override_dh_auto_build-indep: + dh_auto_build -- info pdf html + +override_dh_auto_install-arch: + dh_auto_install -- install + # rename knot.sample.conf to knot.conf + mv $(CURDIR)/debian/tmp/etc/knot/knot.sample.conf $(CURDIR)/debian/tmp/etc/knot/knot.conf + +override_dh_auto_install-indep: + dh_auto_install -- install-info install-pdf install-html + # rename knot.sample.conf to knot.conf + mv $(CURDIR)/debian/tmp/etc/knot/knot.sample.conf $(CURDIR)/debian/tmp/etc/knot/knot.conf + +override_dh_auto_test-indep: +override_dh_auto_test-arch: +ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS))) + $(RUN_TEST) dh_auto_test + $(MAKE) -C samples knot.sample.conf + debian/get_kaspdb samples/knot.sample.conf + [ $$(debian/get_user samples/knot.sample.conf) = knot ] +endif + +override_dh_installdirs-arch: + dh_installdirs --arch --package=knot /usr/lib/$(DEB_HOST_MULTIARCH)/knot + dh_installdirs --arch --remaining-packages + +override_dh_missing: + dh_missing --fail-missing + +override_dh_installchangelogs: + dh_installchangelogs NEWS diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 0000000..163aaf8 --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (quilt) diff --git a/debian/tests/authoritative-server b/debian/tests/authoritative-server new file mode 100755 index 0000000..a2ae9c5 --- /dev/null +++ b/debian/tests/authoritative-server 
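Review bot: On every architecture except amd64 and i386, `RUN_TEST` expands to `-timeout --kill-after=5s 5m`, and the leading `-` makes make ignore the exit status of the `$(RUN_TEST) dh_auto_test` recipe line, so test failures and timeouts do not fail the build there. Nothing in the file says this is intended. Either add a comment above the conditional such as `# elsewhere: cap the test suite at 5 minutes and ignore its result (leading '-')`, or drop the `-` if failures should be fatal. Separately, the riscv64 `ifeq` sits above `include /usr/share/dpkg/default.mk`, so it relies on `DEB_HOST_ARCH` already being present in the environment when the file is parsed.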
@@ -0,0 +1,193 @@ +#!/bin/bash + +# Author: Daniel Kahn Gillmor +# 2018-11-02 +# License: GPLv3+ + +# error on exit +set -e +# for handling jobspecs: +set -m + +if [ -z "$AUTOPKGTEST_ARTIFACTS" ]; then + d="$(mktemp -d)" + remove="$d" +else + d="$AUTOPKGTEST_ARTIFACTS" +fi +ip="${TESTIP:-127.$(( $RANDOM % 256 )).$(( $RANDOM % 256 )).$(( $RANDOM % 256 ))}" +port="${PORT:-8123}" +knotd="${KNOTD:-/usr/sbin/knotd}" +kdig="${KDIG:-$(which kdig)}" +kzonecheck="${KZONECHECK:-$(which kzonecheck)}" +knotc="${KNOTC:-/usr/sbin/knotc}" +test_address="${TEST_ADDRESS:-192.0.2.199}" +get_kaspdb="${GET_KASPDB:-/usr/lib/knot/get_kaspdb}" +get_user="${GET_USER:-/usr/lib/knot/get_user}" +kasp_json2lmdb="${KASP_JSON2LMDB:-/usr/lib/knot/kasp_json2lmdb}" + +declare -a knot_args=(--socket "$d/knot.sock" --config="$d/knot.conf" --verbose) + +printf "%s + %s roundtrip tests\n------------\n workdir: %s\n IP addr: %s\n knot args: %s\n" "$knotd" "$kdig" "$d" "$ip" "${knot_args[*]}" + +section() { + printf "\n%s\n" "$1" + sed 's/./-/g' <<<"$1" +} + +cleanup () { + section "cleaning up" + find "$d" -ls + "${knotc}" "${knot_args[@]}" stop + wait %1 + tail -n +1 -v "$d"/*.err + if [ "$remove" ]; then + printf "\ncleaning up working directory %s\n" "$remove" + rm -rf "$remove" + fi +} +trap cleanup EXIT + +section "set up config file and zonefile" + +user=$(id -nu) +group=$(id -ng) +cat > "$d/knot.conf" < "$d/example.net.zone" <"$d/kasp-db/zone_example.net.json" < "$d/kasp-db/keys/bf033546160229f56a8c90ca6ed3b599060b0067.pem" < "$d/kasp-db/keys/ff81022ffd8e16256b3ac8e136f5f068fbe9b714.pem" < "$d/knotd.err" & + +# FIXME: this is an annoying poll -- would be better if we could be +# alerted when the daemon is done setting up the socket, but i don't +# want to "--daemonize" if i can avoid it because i want the shell to +# remain in direct supervision of all its processes +tried=0 +while [ $tried -lt 10 ] ; do + if "${knotc}" "${knot_args[@]}" status 2>&1; then + break; + fi + sleep 0.5 + tried=$(( 
$tried + 1 )) +done +if [ $tried -ge 10 ]; then + printf "failed to use %s\n" "${knotc}" >&2 + exit 1 +fi + + +section "querying knot" +"${kdig}" -p "${port}" @"${ip}" -t A test.example.net test2.example.net +answer="$("${kdig}" +short -p "${port}" @"${ip}" -t A test.example.net)" +if ! [ "$answer" = "$test_address" ]; then + printf "test.example.net mismatch!\nexpected: %s\n got: %s\n" "$test_address" "$answer" >&2 + exit 1 +fi +answer2="$("${kdig}" +short -p "${port}" @"${ip}" -t A test2.example.net)" +if ! [ "$answer2" = "" ]; then + printf "test2.example.net gave unexpected answer!\n got: %s\n" "$answer2" >&2 + exit 1 +fi + +section "modifying zone" +printf "test2 1D IN A $test_address\n" >>"$d/example.net.zone" +sed -i 's/^@ 1D IN SOA.*/@ 1D IN SOA a.ns hostmaster 2018110100 3h 15m 1w 1d/' "$d/example.net.zone" +"${knotc}" "${knot_args[@]}" reload + +section "querying again" +"${kdig}" -p "${port}" @"${ip}" -t A test.example.net test2.example.net +answer="$("${kdig}" +short -p "${port}" @"${ip}" -t A test.example.net)" +if ! [ "$answer" = "$test_address" ]; then + printf "test.example.net mismatch!\nexpected: %s\n got: %s\n" "$test_address" "$answer" >&2 + exit 1 +fi +answer2="$("${kdig}" +short -p "${port}" @"${ip}" -t A test2.example.net)" +if ! [ "$answer2" = "$test_address" ]; then + printf "test2.example.net mismatch!\nexpected: %s\n got: %s\n" "$test_address" "$answer2" >&2 + exit 1 +fi + +section "testing python transition helpers" +"${get_kaspdb}" "$d/knot.conf" +got_user="$(${get_user} "$d/knot.conf")" +if [ "$got_user" != "$user" ]; then + printf "user account mismatch!\nexpected: %s\n got: %s\n" "$user" "$got_user" >&2 + exit 1 +fi +"${kasp_json2lmdb}" --import "$d/kasp-db" + diff --git a/debian/tests/control b/debian/tests/control new file mode 100644 index 0000000..c654e9b --- /dev/null +++ b/debian/tests/control 
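Review bot: `cleanup` runs as the EXIT trap while `set -e` is still in force, so if `"${knotc}" "${knot_args[@]}" stop` fails the trap aborts at that line; this is the path taken when knotd never came up and the script leaves through the `exit 1` after the polling loop. The `tail -n +1 -v "$d"/*.err` and the `rm -rf "$remove"` are then skipped, which hides the daemon's stderr exactly when it is needed and leaves the temporary working directory behind. Make the teardown steps best-effort, e.g. `"${knotc}" "${knot_args[@]}" stop || true` and `wait %1 || true`. The here-documents in this hunk are not legible on the page, so this is based on the visible lines only.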
@@ -0,0 +1,5 @@
+Tests: kdig
+Depends: knot-dnsutils, ca-certificates
+
+Tests: authoritative-server
+Depends: knot, knot-dnsutils, findutils, python3-lmdb, python3-yaml
diff --git a/debian/tests/kdig b/debian/tests/kdig
new file mode 100755
index 0000000..a2f388e
--- /dev/null
+++ b/debian/tests/kdig
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -e
+
+expected=93.184.216.34
+answer=$(kdig +short +tls-ca +tls-hostname=dns.cmrg.net @dns.cmrg.net example.org)
+
+if [ "$answer" != "$expected" ]; then
+ printf "expected: %s\ngot: %s\n" "$expected" "$answer" >&2
+ kdig +tls-ca +tls-hostname=dns.cmrg.net @dns.cmrg.net example.org
+fi
diff --git a/debian/ufw/knot b/debian/ufw/knot
new file mode 100644
index 0000000..ee36916
--- /dev/null
+++ b/debian/ufw/knot
@@ -0,0 +1,4 @@
+[Knot]
+title=Internet Domain Name Server
+description=The Knot DNS implements an Internet domain name server.
+ports=53
diff --git a/debian/upstream/signing-key.asc b/debian/upstream/signing-key.asc
new file mode 100644
index 0000000..7935cee
--- /dev/null
+++ b/debian/upstream/signing-key.asc
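Review bot: The `Tests: kdig` stanza declares no restriction, although the test script it names queries `dns.cmrg.net` over TLS and so cannot pass on a runner without outbound network access. Add `Restrictions: needs-internet` to that stanza so that isolated runners skip the test instead of reporting a failure that has nothing to do with the package.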
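Review bot: The mismatch branch in debian/tests/kdig prints both values and re-runs `kdig`, but never exits non-zero, so the script's status is that of the diagnostic `kdig` call and the test passes even when the answer is wrong. Add `exit 1` before the closing `fi`. The expected value is also a hard-coded address for `example.org` (`expected=93.184.216.34`), so the test fails whenever that remote record changes. Asserting that the TLS query succeeds and returns a non-empty answer would test kdig rather than the remote zone.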
@@ -0,0 +1,51 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFljlBcBEACuCSBlN1vTS9eEDqowZcLAAF8NytcTlRjXTLWMQtjU+fXkz9Vz +10n9TIFj9Kcec0p0+8F+SowybecwhmYoUzhKI7S9M1ziUmaIhFs2KvZ1GzigE/W5 +L448P/7pugh875e1tIrkrbbcIp6+SxaLbgvXlFl630ILZl/gbYOa/Wk21sLu4RjQ +Y39oHb0WTiwPnKhdMdwlnxm6HeWkHzlvI9N8tlDc6oVnUfqVI8gUyExLnEYjDpZf +orTVgHRq6RNyfTRZkh8zRsXSTnJlk/bVEDW5i/VgIQugzkgpuTGWlCstryi/MRhe +NxU1YEUenT69okb96QStfr1J00n8L4VAs8V5IuFUcSc8UqSpB+LgERRTMRFo9IrE +XAW/gEKlEVR+501BvJ0/Qggxbgz4PEnKNaxXmAnykJzot2VDKTzrr26a9LnrT0GW +om9rg89Ih876PA53vUXBB+FWP9QOFDcOfz3nMjCrLbMzhTsAzrNFXxchzLq+66CL +qsQQytDVFpLI+X++sKRTOHkq6vV1bAPjlljrannLnn1y/DvkOOkiHOdYyjmR7Dfk +vxgcWh/3Gx4J9gipxZITOr7LamEYgHfElY/UWCtc1Vjt8Xvgt4dofDpvSwY9YzgR +WxJKC5ewYdqTCI+zxL1f0fjkeiRYNi959UMMjgdcY7Zpi8oPPQmlyBw15QARAQAB +tCZEYW5pZWwgU2Fsem1hbiA8ZGFuaWVsLnNhbHptYW5AbmljLmN6PokCPQQTAQoA +JwUCWWOUFwIbAwUJA8JnAAULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRAQu3r2 +/rvWq1+eEAClhOEK2MZOz+nwJSeX7iINKbw477Y+LSvYkKG81pve+xtblQEn7rI3 +cYnDrqlUb3bXdbMHujYrg1fPoccpCvf6d/JvlN6WXCE25R+GR6vxr6v7jycHdSOb +Fe4sTcwce6IViwiWiSizh4UCkz8285LjLcf3AnT2v6GJwHiZbPOeMQUNIRj6PEYL +SQsq0ZlqEx8LGKLTc5Ukrkoi4lN44SI1rzSwDPIqvlvrVnDXcDB8M7E2Ii51zU8/ +TVk920KeayUeCPxpmgQW3USI45NrE/jEgyodyxMGp5lg3OqzHT2wu9BVLWkQvTjF +fLfEsTay4K4kUSbYzbpS93b33J+I20rYLGBBYlTrN5417IgF6Bb8NzyrfVy1Wdqh +cggAEKX5EkOmZM8oduRxsHqiRLC/xKF8GqTo6t3GMS5i8RClNvmdq0WUkQUvld4b +OnXBCZ2QLbjV7sXjcr56ee+qdpiuRQjEidjHzpibcIBN8LVupVgXAZl9lsiBtoJX +OHsvSdU3VgGWnRGtzFjSHzl3TRPIsaVVqD7aCzQDfXDjrGlmhzgDfMwkqmBGgsku +8tSR3Ag0MRAouJFXiZrcM3XGeYVbHT6dt7UMAB27Xc5foc0kGRo5tzlK6rWG2sJI +lcQB7tKvwI/tE9lwJDjw+XNekEdIpcdcQ7mWa1COYkcYTre3oPmN+7kCDQRZY5QX +ARAA6RnxYG82/X+A49srgHR9yIxlHqSq6IhNn+iJQ5lpVpfeBItOG4NDu4Aq5X41 +pAJ3NKxsCPV62gEald/C7gJrTI5rag/87GYFFo6QRrwGsWVGORGs9G1pBF7ZZwhP +JwD3MeagGZNfWZzRxXefL1P3mrpO3etSEEwENHtCqEMP6x/JHh3SKonKAlL4xfj3 +F54aKj4upIcjxGBAJH8u66bN1GmYjstBzzbD4TWNTwfKgp15XxjrTgbThFy7CBoO +gcaApiYTPE7D5nB1+AyhGjnO3ZlNgy1ZIHVDFk6HEakaqKM9QlkJnZsB2+cTqXlV 
+0etmFQsedCg2sUier0hhIrEOOtGQbY1P+0vv+VRoaNym3ritl+70RG8WgrHNLMRH +VGeLRq3gOFnt+d/3h7meAKbORW/ZY30UpwthtlZYgciFzoDJCW8Be1i1X4toiUaM +kFh79jd7YTvZ87+P4DllC9MNsoq5cY/bHBNZYtXf7y6XqVqYo2IbFUR3VXKtzSN5 +eYm5YpFPczzmg1bNgl3i6WBcOF4EPEJEVjZ+u1r59NvfVLQ8XVh/QmLoG7x8oFcv +hWctMy17Vdm4qZjpSA+B1sQocehdra+xT+PWV0kcrYpsqwkYeFRQnJGqIupWHnot +qGOBNAyQWIcjK6K5y0CeioJZpNN5Oe5XloMXsYmgXsR+gTUAEQEAAYkCJQQYAQoA +DwUCWWOUFwIbDAUJA8JnAAAKCRAQu3r2/rvWq+IQD/9ikZ5MtdDOVLtULPqXXeP3 +6Oss2Ie4/4IQ7xkUZZ/Ujig0x1rW+d21o92VryH1s4K+nyCIW31rbtexK/0a54/w +Zyyjbqfh6Tgo9n3f5bMV9qyubb49cfTSKfgzoOkG8Xdc/TIO1IjWHy1NBDl8GWKJ +0QPYz78SCCkEFiVCAFBjuIQsoPqDKcZTs7k661w0A75ken88JJLgUgffZJRQK0i1 +dCw8kS4c2pqm24Q6d0AF5EdqXn2IFH82p49Pp5bRMY3LnibRL3Sq0xvXs7i5vY+o +JLuPAdomiGbdEbxcLytqQ2KitVdrGvrnZJxPs16m0uuTeM06krorDlgGBXFp5+Z9 +JbQpViHkVpLo+vf/GuT9WOWWH8gG0r14ZLVQTvCGXiAR4Aju7W5jPMPmVDJ+wMrD +cLta1Jv0U0+AnVe67mRXb0n5E/7kVshB3rfGzunPSlqT5kEiOXq6fJWB2l0lzCv0 +WtNuINmU9U3ap1oZBGSYl83vyuRUIlx61/tlnJvwseBL1FmASXOgfedCsxjHIlgF +SUeScLxnOSyap/4ePqZ0C76Nkvzx43SfM1LJUeCHwon0o+LZv2GlBmlEp6PbekRQ +Tz1hewLBbfAeXZRnwxvmkRqTP4DJCIVu2AE47+rbqVEjJZuEO4ORlkKoBdLOV3HN +xWbfbG7+n/h2cnUw3pqbHw== +=4CxJ +-----END PGP PUBLIC KEY BLOCK----- diff --git a/debian/watch b/debian/watch new file mode 100644 index 0000000..a763cd4 --- /dev/null +++ b/debian/watch @@ -0,0 +1,4 @@ +version=3 +opts=uversionmangle=s/-((alpha|beta|rc)\d*)$/~$1/,pgpsigurlmangle=s/$/.asc/,dversionmangle=s/\+hotfix// \ +https://secure.nic.cz/files/knot-dns/ \ +(?:|.*/)knot(?:[_\-]v?|)(\d\S*)\.(?:tar\.xz|txz|tar\.bz2|tbz2|tar\.gz|tgz) -- cgit v1.2.3