Update opendnssec 1.4.14 -> 2.1.3
Take maintainership, OK'd by MAINTAINER; ok rsadowski@
parent
fd55fb6ae4
commit
28a5390a0c
@ -1,28 +1,30 @@
|
||||
# $OpenBSD: Makefile,v 1.15 2018/09/04 12:46:21 espie Exp $
|
||||
# $OpenBSD: Makefile,v 1.16 2019/01/25 08:32:02 pvk Exp $
|
||||
|
||||
COMMENT= open-source turn-key solution for DNSSEC
|
||||
|
||||
DISTNAME= opendnssec-1.4.14
|
||||
REVISION= 1
|
||||
DISTNAME= opendnssec-2.1.3
|
||||
|
||||
CATEGORIES= security
|
||||
|
||||
HOMEPAGE= http://www.opendnssec.org/
|
||||
HOMEPAGE= https://www.opendnssec.org/
|
||||
|
||||
MAINTAINER= Patrik Lundin <patrik@sigterm.se>
|
||||
MAINTAINER= Pavel Korovin <pvk@openbsd.org>
|
||||
|
||||
# BSD
|
||||
PERMIT_PACKAGE_CDROM= Yes
|
||||
|
||||
WANTLIB += c crypto iconv ldns lzma m pthread xml2 z
|
||||
|
||||
MASTER_SITES= http://dist.opendnssec.org/source/
|
||||
MASTER_SITES= https://dist.opendnssec.org/source/
|
||||
|
||||
BUILD_DEPENDS= devel/cunit
|
||||
|
||||
LIB_DEPENDS= converters/libiconv \
|
||||
net/ldns/libldns \
|
||||
textproc/libxml
|
||||
|
||||
TEST_DEPENDS= security/softhsm
|
||||
TEST_DEPENDS= ${BUILD_DEPENDS} \
|
||||
security/softhsm2
|
||||
|
||||
FAKE_FLAGS= sysconfdir=${PREFIX}/share/examples/opendnssec
|
||||
|
||||
@ -47,11 +49,52 @@ LIB_DEPENDS+= databases/mariadb
|
||||
ERRORS+= "Fatal: mutually exclusive flavors: ${FLAVORS}"
|
||||
.endif
|
||||
|
||||
SUBST_TARGETS= ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/README.md \
|
||||
${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/convert_{mysql,sqlite} \
|
||||
${WRKSRC}/enforcer/utils/convert_{mysql_to_sqlite,sqlite_to_mysql} \
|
||||
${WRKSRC}/contrib/ods-sequencer/ods-sequencer-submit.sh \
|
||||
${WRKSRC}/MIGRATION
|
||||
|
||||
post-patch:
|
||||
${SUBST_CMD} ${SUBST_TARGETS}
|
||||
|
||||
# regress-db target doesn't currently work
|
||||
# https://github.com/opendnssec/opendnssec/commit/6b1b0da4a7ba5ae658aca49a45a45be4867f6806
|
||||
pre-test:
|
||||
sed -i 's/^check: regress-db/\#check: regress-db/' \
|
||||
${WRKSRC}/enforcer/src/db/test/Makefile
|
||||
|
||||
post-install:
|
||||
${INSTALL_DATA_DIR} ${PREFIX}/share/doc/opendnssec
|
||||
cd ${WRKSRC}; \
|
||||
${INSTALL_DATA} LICENSE ${PREFIX}/share/doc/opendnssec; \
|
||||
${INSTALL_DATA} plugins/simple-dnskey-mailer/simple-dnskey-mailer.sh \
|
||||
${PREFIX}/share/opendnssec
|
||||
sed -i 's,#!/bin/bash,#!/bin/sh,' \
|
||||
${WRKSRC}/contrib/ods-sequencer/ods-sequencer-submit.sh \
|
||||
${WRKSRC}/contrib/simple-dnskey-mailer/simple-dnskey-mailer.sh
|
||||
@find ${WRKSRC} -type f \
|
||||
\( -name '*.beforesubst' -o -name '*.orig' \) -delete
|
||||
${INSTALL_SCRIPT} ${WRKSRC}/enforcer/utils/convert_mysql_to_sqlite \
|
||||
${PREFIX}/sbin/ods-convert_mysql_to_sqlite
|
||||
${INSTALL_SCRIPT} ${WRKSRC}/enforcer/utils/convert_sqlite_to_mysql \
|
||||
${PREFIX}/sbin/ods-convert_sqlite_to_mysql
|
||||
${INSTALL_SCRIPT} ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/convert_mysql \
|
||||
${PREFIX}/sbin/ods-migrate-mysql
|
||||
${INSTALL_SCRIPT} ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/convert_sqlite \
|
||||
${PREFIX}/sbin/ods-migrate-sqlite3
|
||||
${INSTALL_DATA_DIR} ${PREFIX}/share/doc/opendnssec/
|
||||
${INSTALL_DATA} ${WRKSRC}/{LICENSE,MIGRATION,NEWS} \
|
||||
${PREFIX}/share/doc/opendnssec/
|
||||
${INSTALL_DATA} ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/README.md \
|
||||
${PREFIX}/share/doc/opendnssec/MIGRATE_1.4-2.0.md
|
||||
${INSTALL_DATA_DIR} ${PREFIX}/share/examples/opendnssec/ods-sequencer/
|
||||
${INSTALL_DATA} ${WRKSRC}/contrib/ods-sequencer/* \
|
||||
${PREFIX}/share/examples/opendnssec/ods-sequencer/
|
||||
${INSTALL_DATA} ${WRKSRC}/contrib/simple-dnskey-mailer/simple-dnskey-mailer.sh \
|
||||
${PREFIX}/share/examples/opendnssec/
|
||||
${INSTALL_DATA_DIR} ${PREFIX}/share/opendnssec/migration/
|
||||
${INSTALL_DATA} ${WRKSRC}/enforcer/src/db/schema.* ${PREFIX}/share/opendnssec/
|
||||
${INSTALL_DATA} ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/find_problematic_zones.sql \
|
||||
${PREFIX}/share/opendnssec/migration/
|
||||
${INSTALL_DATA} ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/sqlite_convert.sql \
|
||||
${PREFIX}/share/opendnssec/migration/migrate-sqlite.sql
|
||||
${INSTALL_DATA} ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/mysql_convert.sql \
|
||||
${PREFIX}/share/opendnssec/migration/migrate-mysql.sql
|
||||
|
||||
.include <bsd.port.mk>
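Review bot: post-install installs all four conversion/migration scripts (`ods-convert_*`, `ods-migrate-*`), both `schema.*` files and both `migrate-*.sql` files unconditionally, while PFRAG.mysql and PFRAG.sqlite3 each list only their own half; with the flavors mutually exclusive (see the ERRORS line at the top of the hunk) every build leaves files in the fake area that no packing list covers, so they either go unpackaged or trip a plist check. Either guard those INSTALL_SCRIPT/INSTALL_DATA lines on the flavor or list everything in PLIST, and add a comment saying which was intended. The `sed -i 's,#!/bin/bash,#!/bin/sh,'` on ods-sequencer-submit.sh duplicates what patch-contrib_ods-sequencer_ods-sequencer-submit_sh already does; only simple-dnskey-mailer.sh needs it. The `find … -delete` of `*.orig`/`*.beforesubst` wants a why-comment, because the later `${INSTALL_DATA} ${WRKSRC}/contrib/ods-sequencer/*` would otherwise ship patch and subst backups: `# drop patch/subst backups before the wildcard installs below copy them`. The flavor handling at the start of this Makefile is outside the hunk.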
|
||||
|
@ -1,2 +1,2 @@
|
||||
SHA256 (opendnssec-1.4.14.tar.gz) = 4cQexbxhdiM7LZT09PcD51h7rmdgdkqxvvA88QvR3N8=
|
||||
SIZE (opendnssec-1.4.14.tar.gz) = 1037188
|
||||
SHA256 (opendnssec-2.1.3.tar.gz) = PeKgPtyeK4w2a/CrVBAE+YR3fUgTBXy7p6eARdjL/n4=
|
||||
SIZE (opendnssec-2.1.3.tar.gz) = 1107073
|
||||
|
security/opendnssec/patches/patch-MIGRATION
@ -0,0 +1,18 @@
|
||||
$OpenBSD: patch-MIGRATION,v 1.1 2019/01/25 08:32:02 pvk Exp $
|
||||
|
||||
Index: MIGRATION
|
||||
--- MIGRATION.orig
|
||||
+++ MIGRATION
|
||||
@@ -17,7 +17,8 @@ full resign of your zone when upgrading, however if yo
|
||||
a full resign is needed.
|
||||
|
||||
The enforcer does require a full migration, as the internal database has
|
||||
-been completely revised. See the documentation in the source tree
|
||||
-enforcer/utils/1.4-2.0_db_convert/README.md for a description.
|
||||
-Migration scripts are not installed and should be retrieved from the source
|
||||
-separately.
|
||||
+been completely revised.
|
||||
+See the documentation in ${PREFIX}/share/doc/opendnssec/MIGRATE_1.4-2.0.md
|
||||
+for a description.
|
||||
+
|
||||
+Migration script is installed in ${PREFIX}/sbin/ods-migrate${FLAVOR_EXT}
|
@ -1,6 +1,8 @@
|
||||
$OpenBSD: patch-conf_conf_xml_in,v 1.2 2016/11/19 12:25:27 sthen Exp $
|
||||
--- conf/conf.xml.in.orig Mon Oct 17 14:32:58 2016
|
||||
+++ conf/conf.xml.in Mon Nov 14 18:41:45 2016
|
||||
$OpenBSD: patch-conf_conf_xml_in,v 1.3 2019/01/25 08:32:02 pvk Exp $
|
||||
|
||||
Index: conf/conf.xml.in
|
||||
--- conf/conf.xml.in.orig
|
||||
+++ conf/conf.xml.in
|
||||
@@ -31,7 +31,7 @@
|
||||
<Logging>
|
||||
<!-- Command line verbosity will overwrite configure file -->
|
||||
@ -10,41 +12,33 @@ $OpenBSD: patch-conf_conf_xml_in,v 1.2 2016/11/19 12:25:27 sthen Exp $
|
||||
</Logging>
|
||||
|
||||
<PolicyFile>@OPENDNSSEC_CONFIG_DIR@/kasp.xml</PolicyFile>
|
||||
@@ -39,19 +39,17 @@
|
||||
@@ -39,10 +39,10 @@
|
||||
</Common>
|
||||
|
||||
<Enforcer>
|
||||
-<!--
|
||||
<Privileges>
|
||||
- <User>opendnssec</User>
|
||||
- <Group>opendnssec</Group>
|
||||
-<?xmlif if condition privdrop="user|group|both"?> <Privileges>
|
||||
-<?xmlif fi?><?xmlif if condition privdrop="user|both"?> <User>@INSTALLATIONUSER@</User>
|
||||
-<?xmlif fi?><?xmlif if condition privdrop="group|both"?> <Group>@INSTALLATIONGROUP@</Group>
|
||||
-<?xmlif fi?><?xmlif if condition privdrop="user|group|both"?> </Privileges><?xmlif fi?>
|
||||
+ <Privileges>
|
||||
+ <User>_opendnssec</User>
|
||||
+ <Group>_opendnssec</Group>
|
||||
</Privileges>
|
||||
--->
|
||||
<!-- NOTE: Enforcer worker threads are not used; this option is ignored -->
|
||||
<!--
|
||||
<WorkerThreads>4</WorkerThreads>
|
||||
-->
|
||||
+ </Privileges>
|
||||
|
||||
<!-- <PidFile>@OPENDNSSEC_ENFORCER_PIDFILE@</PidFile> -->
|
||||
- <Datastore><SQLite>@OPENDNSSEC_STATE_DIR@/kasp.db</SQLite></Datastore>
|
||||
+ <Datastore><SQLite>@OPENDNSSEC_STATE_DIR@/db/kasp.db</SQLite></Datastore>
|
||||
<Interval>PT3600S</Interval>
|
||||
<Datastore><SQLite>@OPENDNSSEC_STATE_DIR@/kasp.db</SQLite></Datastore>
|
||||
<!-- <ManualKeyGeneration/> -->
|
||||
<!-- <RolloverNotification>P14D</RolloverNotification> -->
|
||||
@@ -63,12 +61,10 @@
|
||||
@@ -59,10 +59,10 @@
|
||||
</Enforcer>
|
||||
|
||||
<Signer>
|
||||
-<!--
|
||||
<Privileges>
|
||||
- <User>opendnssec</User>
|
||||
- <Group>opendnssec</Group>
|
||||
-<?xmlif if condition privdrop="user|group|both"?> <Privileges>
|
||||
-<?xmlif fi?><?xmlif if condition privdrop="user|both"?> <User>@INSTALLATIONUSER@</User>
|
||||
-<?xmlif fi?><?xmlif if condition privdrop="group|both"?> <Group>@INSTALLATIONGROUP@</Group>
|
||||
-<?xmlif fi?><?xmlif if condition privdrop="user|group|both"?> </Privileges><?xmlif fi?>
|
||||
+ <Privileges>
|
||||
+ <User>_opendnssec</User>
|
||||
+ <Group>_opendnssec</Group>
|
||||
</Privileges>
|
||||
--->
|
||||
+ </Privileges>
|
||||
|
||||
<!-- <PidFile>@OPENDNSSEC_SIGNER_PIDFILE@</PidFile> -->
|
||||
<!-- <SocketFile>@OPENDNSSEC_SIGNER_SOCKET@</SocketFile> -->
|
||||
<WorkingDirectory>@OPENDNSSEC_STATE_DIR@/signer</WorkingDirectory>
|
||||
<WorkerThreads>4</WorkerThreads>
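Review bot: The patch carries no explanatory comment after the $OpenBSD$ line, and this one needs it: both hunks replace upstream's `<?xmlif … privdrop=…?>` conditionals with an unconditional `<Privileges>` block that pins the Enforcer and the Signer to `_opendnssec`. A one-liner such as `Always drop privileges to the _opendnssec user/group instead of relying on the xmlif privdrop conditionals` (adjusted to the actual reason the conditionals are dropped) would tell the next updater what must be preserved when re-rolling the patch against a new upstream. Since the privilege drop is now hardwired into the shipped conf.xml, every path the daemons write — the `${LOCALSTATEDIR}/opendnssec/` tree and the runtime directory created by `rc_pre` in opendnssec.rc — has to be owned by that user; the PLIST `@owner`/`@group` lines appear to cover the former, the rc script the latter.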
|
||||
|
@ -0,0 +1,15 @@
|
||||
$OpenBSD: patch-contrib_ods-sequencer_ods-sequencer-submit_sh,v 1.1 2019/01/25 08:32:02 pvk Exp $
|
||||
|
||||
Index: contrib/ods-sequencer/ods-sequencer-submit.sh
|
||||
--- contrib/ods-sequencer/ods-sequencer-submit.sh.orig
|
||||
+++ contrib/ods-sequencer/ods-sequencer-submit.sh
|
||||
@@ -1,6 +1,6 @@
|
||||
-#!/bin/bash
|
||||
+#!/bin/sh
|
||||
|
||||
-now=`../../../sbin/ods-enforcer queue 2>&1 | sed -e 's/^It is now.*(\([0-9][0-9]*\)[^)]*).*$/\1/p' -e 'd'`
|
||||
-cat > ../../../var/opendnssec/sequences/$now-dssubmit
|
||||
+now=`${PREFIX}/sbin/ods-enforcer queue 2>&1 | sed -e 's/^It is now.*(\([0-9][0-9]*\)[^)]*).*$/\1/p' -e 'd'`
|
||||
+cat > ${LOCALSTATEDIR}/opendnssec/sequences/$now-dssubmit
|
||||
|
||||
exit 0
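Review bot: `$now` on the patched `cat > ${LOCALSTATEDIR}/opendnssec/sequences/$now-dssubmit` line is used unchecked: if ods-enforcer is not running or the `queue` output format changes, the sed yields an empty string, stdin is written to `sequences/-dssubmit`, and the script still exits 0. A guard between the two lines, `[ -n "$now" ] || { echo "ods-sequencer-submit: cannot read enforcer time" >&2; exit 1; }`, fails loudly instead. The literal `${PREFIX}`/`${LOCALSTATEDIR}` references only work because the Makefile lists this file in SUBST_TARGETS; a header comment in the patch saying so would save the next reader a lookup. The `#!/bin/sh` swap looks safe here, as the remaining lines are plain POSIX shell.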
|
@ -0,0 +1,75 @@
|
||||
$OpenBSD: patch-enforcer_utils_1_4-2_0_db_convert_README_md,v 1.1 2019/01/25 08:32:02 pvk Exp $
|
||||
|
||||
Index: enforcer/utils/1.4-2.0_db_convert/README.md
|
||||
--- enforcer/utils/1.4-2.0_db_convert/README.md.orig
|
||||
+++ enforcer/utils/1.4-2.0_db_convert/README.md
|
||||
@@ -16,8 +16,8 @@ General preparation
|
||||
-------------------
|
||||
|
||||
* First stop OpenDNSSEC entirely.
|
||||
- * You are strongly advised to backup /etc/opendnssec and /var/opendnssec before
|
||||
- continuing.
|
||||
+ * You are strongly advised to backup ${SYSCONFDIR}/opendnssec and
|
||||
+ ${LOCALSTATEDIR}/opendnssec before continuing.
|
||||
* Also prevent any nameserver from receiving updates from OpenDNSSEC until
|
||||
you are sure the migration was successful.
|
||||
* It is discouraged to perform the migration during a rollover. The migration
|
||||
@@ -31,27 +31,32 @@ Conversion Sqlite
|
||||
|
||||
There are 2 relevant files for the conversion:
|
||||
|
||||
- * convert_sqlite - A bash conversion script
|
||||
- * sqlite_convert.sql - Contains SQL statements, called by convert_sqlite
|
||||
+ * ${PREFIX}/sbin/ods-migrate-sqlite3 - Conversion script
|
||||
+ * ${PREFIX}/share/opendnssec/migration/migrate-sqlite.sql -
|
||||
+ Contains SQL statements, called by ods-migrate-sqlite3
|
||||
|
||||
-call the script like so: `./convert_sqlite -i INPUT -o OUTPUT`. Where INPUT is
|
||||
-the kasp.db file commonly found in _/var/opendnssec/kasp.db_. And OUTPUT is a
|
||||
-non-existing file where the new database should go. On success, replace old
|
||||
-database file with the new database file or adjust _conf.xml_ accordingly.
|
||||
+Call the script like so: `${PREFIX}/sbin/ods-migrate-sqlite3 -i INPUT -o OUTPUT`.
|
||||
+Where INPUT is the kasp.db file commonly found in _${LOCALSTATEDIR}/opendnssec/db/kasp.db_.
|
||||
+And OUTPUT is a non-existing file where the new database should go,
|
||||
+default location for OpenDNSSEC 2.x is _${LOCALSTATEDIR}/opendnssec/kasp.db_.
|
||||
+On success, replace old database file with the new database file or adjust
|
||||
+_${SYSCONFDIR}/opendnssec/conf.xml_ accordingly.
|
||||
|
||||
Conversion MySQL
|
||||
----------------
|
||||
|
||||
There are 2 relevant files for the conversion:
|
||||
|
||||
- * convert_mysql - A bash conversion script
|
||||
- * mysql_convert.sql - Contains SQL statements, called by convert_mysql
|
||||
+ * ${PREFIX}/sbin/ods-migrate-mysql - Conversion script
|
||||
+ * ${PREFIX}/share/opendnssec/migration/migrate-mysql.sql -
|
||||
+ Contains SQL statements, called by convert_mysql
|
||||
|
||||
-call the script like so: `./convert_sqlite -i INPUT -o OUTPUT -h HOST -u USER
|
||||
--p PASSWORD`. Where INPUT is the name of the existing database on HOST. And
|
||||
+Call the script like so:
|
||||
+`${PREFIX}/sbin/ods-migrate-mysql -i INPUT -o OUTPUT -h HOST -u USER -p PASSWORD`.
|
||||
+Where INPUT is the name of the existing database on HOST. And
|
||||
OUTPUT is a non-existing database on the same host where the new database
|
||||
should go. On success, replace old database with the new database file or
|
||||
-adjust _conf.xml_ accordingly.
|
||||
+adjust _${SYSCONFDIR}/opendnssec/conf.xml_ accordingly.
|
||||
|
||||
Post Conversion
|
||||
---------------
|
||||
@@ -59,11 +64,11 @@ Post Conversion
|
||||
ODS 2.0 stores the keytags in the database, 1.4 unfortunately does not.
|
||||
Therefore an additional tool is provided which calculates the keytags and
|
||||
stores them in the database. Make sure that at this point conf.xml points to
|
||||
-the new database. Then run `ods-migrate`.
|
||||
+the new database. Then run `${PREFIX}/sbin/ods-migrate`.
|
||||
|
||||
Now your new database is ready for use. At this point the signer will refuse to
|
||||
-run because the file `/var/opendnssec/enforcer/zones.xml` does not exist
|
||||
-yet. In ODS 1.4 `/etc/opendnssec/zonelist.xml` is always on par with the
|
||||
+run because the file `${LOCALSTATEDIR}/opendnssec/enforcer/zones.xml` does not exist
|
||||
+yet. In ODS 1.4 `${SYSCONFDIR}/opendnssec/zonelist.xml` is always on par with the
|
||||
database contents (this is no longer true for 2.0) so it is safe to copy this
|
||||
file over to the missing file.
|
||||
|
@ -0,0 +1,36 @@
|
||||
$OpenBSD: patch-enforcer_utils_1_4-2_0_db_convert_convert_mysql,v 1.1 2019/01/25 08:32:02 pvk Exp $
|
||||
|
||||
Index: enforcer/utils/1.4-2.0_db_convert/convert_mysql
|
||||
--- enforcer/utils/1.4-2.0_db_convert/convert_mysql.orig
|
||||
+++ enforcer/utils/1.4-2.0_db_convert/convert_mysql
|
||||
@@ -1,11 +1,11 @@
|
||||
-#!/bin/bash
|
||||
+#!/bin/sh
|
||||
set -e
|
||||
|
||||
# This scipt converts a ODS 1.4.9 MySQL database to ODS 2.0. It assumes both
|
||||
# old and new databases live on the same host and are accessable by the same
|
||||
# user.
|
||||
|
||||
-SCHEMA=../../src/db/schema.mysql
|
||||
+SCHEMA=${PREFIX}/share/opendnssec/schema.mysql
|
||||
|
||||
DB_IN=""
|
||||
DB_OUT=""
|
||||
@@ -44,7 +44,7 @@ if [ ! $DB_VERSION -eq 4 ]; then
|
||||
fi
|
||||
|
||||
# Look for zones without an active key.
|
||||
-Z=`mysql -u $DB_USR -p$DB_PWD -h $DB_HOST $DB_IN < find_problematic_zones.sql`
|
||||
+Z=`mysql -u $DB_USR -p$DB_PWD -h $DB_HOST $DB_IN < ${PREFIX}/share/opendnssec/migration/find_problematic_zones.sql`
|
||||
if [[ $Z = *[![:space:]]* ]]; then
|
||||
echo "Found zones without an active KSK but with a ready KSK waiting for ds-seen. This can cause problem after the conversion if the DS was actually already uploaded. You are adviced to submit these DS records and issue a ds-seen command before continueing. If you know better, disable this check to continue."
|
||||
echo "Zones: $Z"
|
||||
@@ -59,6 +59,6 @@ echo "Creating tables in $DB_OUT (as user $DB_USR)"
|
||||
mysql -u $DB_USR -p$DB_PWD -h $DB_HOST $DB_OUT < $SCHEMA
|
||||
|
||||
echo "Converting database"
|
||||
-sed "s/REMOTE/$DB_IN/g" mysql_convert.sql > TMP
|
||||
+sed "s/REMOTE/$DB_IN/g" ${PREFIX}/share/opendnssec/migration/migrate-mysql.sql > TMP
|
||||
mysql -u $DB_USR -p$DB_PWD -h $DB_HOST $DB_OUT < TMP
|
||||
rm TMP
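Review bot: The shebang is switched to `#!/bin/sh` but the script still uses `[[ $Z = *[![:space:]]* ]]` (the context line right after the patched `Z=` line), which is ksh/bash syntax rather than POSIX sh; it works where /bin/sh is ksh, as on OpenBSD, but breaks under dash or a strict POSIX sh. The same applies to patch-enforcer_utils_1_4-2_0_db_convert_convert_sqlite, and presumably to the two convert_*_to_* patches whose bodies are not shown. A portable form is `case "$Z" in *[![:space:]]*) …;; esac`, or, if OpenBSD-only is the intent, a header comment in the patch saying the scripts rely on ksh. Unchanged by this commit but worth a note in the pkg-readme: the script writes its rewritten SQL to a fixed `TMP` file in the current directory and passes the password to mysql as `-p$DB_PWD`, so it should be run from a private directory; `mktemp` would be the usual fix for the first.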
|
@ -0,0 +1,33 @@
|
||||
$OpenBSD: patch-enforcer_utils_1_4-2_0_db_convert_convert_sqlite,v 1.1 2019/01/25 08:32:02 pvk Exp $
|
||||
|
||||
Index: enforcer/utils/1.4-2.0_db_convert/convert_sqlite
|
||||
--- enforcer/utils/1.4-2.0_db_convert/convert_sqlite.orig
|
||||
+++ enforcer/utils/1.4-2.0_db_convert/convert_sqlite
|
||||
@@ -1,9 +1,9 @@
|
||||
-#!/bin/bash
|
||||
+#!/bin/sh
|
||||
set -e
|
||||
|
||||
# This scipt converts a ODS 1.4.9 Sqlite database to ODS 2.0.
|
||||
|
||||
-SCHEMA=../../src/db/schema.sqlite
|
||||
+SCHEMA=${PREFIX}/share/opendnssec/schema.sqlite
|
||||
|
||||
DB_IN=""
|
||||
DB_OUT=""
|
||||
@@ -36,7 +36,7 @@ if [ ! $DB_VERSION -eq 4 ]; then
|
||||
fi
|
||||
|
||||
# Look for zones without an active key.
|
||||
-Z=`sqlite3 $DB_IN < find_problematic_zones.sql`
|
||||
+Z=`sqlite3 $DB_IN < ${PREFIX}/share/opendnssec/migration/find_problematic_zones.sql`
|
||||
if [[ $Z = *[![:space:]]* ]]; then
|
||||
echo "Found zones without an active KSK but with a ready KSK waiting for ds-seen. This can cause problem after the conversion if the DS was actually already uploaded. You are adviced to submit these DS records and issue a ds-seen command before continueing. If you know better, disable this check to continue."
|
||||
echo "Zones: $Z"
|
||||
@@ -46,5 +46,5 @@ fi
|
||||
rm -f $DB_OUT
|
||||
sqlite3 $DB_OUT < $SCHEMA
|
||||
echo "attach '$DB_IN' as REMOTE;" |
|
||||
- cat - sqlite_convert.sql | sqlite3 $DB_OUT
|
||||
+ cat - ${PREFIX}/share/opendnssec/migration/migrate-sqlite.sql | sqlite3 $DB_OUT
|
||||
|
@ -0,0 +1,21 @@
|
||||
$OpenBSD: patch-enforcer_utils_convert_mysql_to_sqlite,v 1.1 2019/01/25 08:32:02 pvk Exp $
|
||||
|
||||
Index: enforcer/utils/convert_mysql_to_sqlite
|
||||
--- enforcer/utils/convert_mysql_to_sqlite.orig
|
||||
+++ enforcer/utils/convert_mysql_to_sqlite
|
||||
@@ -1,11 +1,11 @@
|
||||
-#!/usr/bin/env bash
|
||||
+#!/bin/sh
|
||||
set -e
|
||||
|
||||
-# This scipt converts a MySQL to a SQLite database. It assumes both
|
||||
-# old and new databases live on the same host and are accessable by the same
|
||||
+# This script converts a MySQL to a SQLite database. It assumes both
|
||||
+# old and new databases live on the same host and are accessible by the same
|
||||
# user.
|
||||
|
||||
-SCHEMA=../src/db/schema.sqlite
|
||||
+SCHEMA=${PREFIX}/share/opendnssec/schema.sqlite
|
||||
|
||||
DB_IN=""
|
||||
DB_OUT=""
|
@ -0,0 +1,21 @@
|
||||
$OpenBSD: patch-enforcer_utils_convert_sqlite_to_mysql,v 1.1 2019/01/25 08:32:02 pvk Exp $
|
||||
|
||||
Index: enforcer/utils/convert_sqlite_to_mysql
|
||||
--- enforcer/utils/convert_sqlite_to_mysql.orig
|
||||
+++ enforcer/utils/convert_sqlite_to_mysql
|
||||
@@ -1,11 +1,11 @@
|
||||
-#!/usr/bin/env bash
|
||||
+#!/bin/sh
|
||||
set -e
|
||||
|
||||
-# This scipt converts a SQLite3 to a MySQL database. It assumes both
|
||||
-# old and new databases live on the same host and are accessable by the same
|
||||
+# This script converts a SQLite3 to a MySQL database. It assumes both
|
||||
+# old and new databases live on the same host and are accessible by the same
|
||||
# user.
|
||||
|
||||
-SCHEMA=../src/db/schema.mysql
|
||||
+SCHEMA=${PREFIX}/share/opendnssec/schema.mysql
|
||||
|
||||
DB_IN=""
|
||||
DB_OUT=""
|
@ -1,2 +1,5 @@
|
||||
@comment $OpenBSD: PFRAG.mysql,v 1.1.1.1 2015/10/13 17:03:55 jca Exp $
|
||||
share/opendnssec/database_create.mysql
|
||||
@comment $OpenBSD: PFRAG.mysql,v 1.2 2019/01/25 08:32:02 pvk Exp $
|
||||
sbin/ods-convert_sqlite_to_mysql
|
||||
sbin/ods-migrate-mysql
|
||||
share/opendnssec/migration/migrate-mysql.sql
|
||||
share/opendnssec/schema.mysql
|
||||
|
@ -1,2 +1,5 @@
|
||||
@comment $OpenBSD: PFRAG.sqlite3,v 1.1.1.1 2015/10/13 17:03:55 jca Exp $
|
||||
share/opendnssec/database_create.sqlite3
|
||||
@comment $OpenBSD: PFRAG.sqlite3,v 1.2 2019/01/25 08:32:02 pvk Exp $
|
||||
sbin/ods-convert_mysql_to_sqlite
|
||||
sbin/ods-migrate-sqlite3
|
||||
share/opendnssec/migration/migrate-sqlite.sql
|
||||
share/opendnssec/schema.sqlite
|
||||
|
@ -1,36 +1,44 @@
|
||||
@comment $OpenBSD: PLIST,v 1.3 2018/09/04 12:46:21 espie Exp $
|
||||
@comment $OpenBSD: PLIST,v 1.4 2019/01/25 08:32:02 pvk Exp $
|
||||
@conflict opendnssec-<2.1.3
|
||||
@ask-update opendnssec-<2.1.3 OpenDNSSEC enforcer database migration required
|
||||
@newgroup _opendnssec:757
|
||||
@newuser _opendnssec:757:_opendnssec:daemon:OpenDNSSEC Account:/nonexistent:/sbin/nologin
|
||||
@bin bin/ods-getconf
|
||||
@rcscript ${RCDIR}/opendnssec
|
||||
@bin bin/ods-hsmspeed
|
||||
@bin bin/ods-hsmutil
|
||||
bin/ods-kasp2html
|
||||
@bin bin/ods-kaspcheck
|
||||
@bin bin/ods-ksmutil
|
||||
@man man/man1/ods-hsmspeed.1
|
||||
@man man/man1/ods-hsmutil.1
|
||||
@man man/man1/ods-kaspcheck.1
|
||||
@man man/man1/ods-ksmutil.1
|
||||
@man man/man5/ods-kasp.5
|
||||
@man man/man5/ods-timing.5
|
||||
@man man/man7/opendnssec.7
|
||||
@man man/man8/ods-control.8
|
||||
@man man/man8/ods-enforcer-db-setup.8
|
||||
@man man/man8/ods-enforcer.8
|
||||
@man man/man8/ods-enforcerd.8
|
||||
@man man/man8/ods-getconf.8
|
||||
@man man/man8/ods-signer.8
|
||||
@man man/man8/ods-signerd.8
|
||||
sbin/ods-control
|
||||
@bin sbin/ods-enforcer
|
||||
@bin sbin/ods-enforcer-db-setup
|
||||
@bin sbin/ods-enforcerd
|
||||
@bin sbin/ods-migrate
|
||||
@bin sbin/ods-signer
|
||||
@bin sbin/ods-signerd
|
||||
share/doc/opendnssec/
|
||||
share/doc/opendnssec/LICENSE
|
||||
share/doc/opendnssec/MIGRATE_1.4-2.0.md
|
||||
share/doc/opendnssec/MIGRATION
|
||||
share/doc/opendnssec/NEWS
|
||||
share/doc/pkg-readmes/${PKGSTEM}
|
||||
share/examples/opendnssec/
|
||||
@mode 0750
|
||||
@group _opendnssec
|
||||
@sample ${SYSCONFDIR}/opendnssec/
|
||||
@mode
|
||||
@group
|
||||
share/doc/opendnssec/
|
||||
share/doc/opendnssec/LICENSE
|
||||
share/doc/pkg-readmes/${PKGSTEM}
|
||||
share/examples/opendnssec/
|
||||
share/examples/opendnssec/addns.xml
|
||||
@mode 0640
|
||||
@group _opendnssec
|
||||
@ -52,6 +60,11 @@ share/examples/opendnssec/kasp.xml
|
||||
@mode
|
||||
@group
|
||||
share/examples/opendnssec/kasp.xml.sample
|
||||
share/examples/opendnssec/ods-sequencer/
|
||||
share/examples/opendnssec/ods-sequencer/ods-sequencer
|
||||
share/examples/opendnssec/ods-sequencer/ods-sequencer-submit.sh
|
||||
share/examples/opendnssec/ods-sequencer/ods-sequencer.md
|
||||
share/examples/opendnssec/simple-dnskey-mailer.sh
|
||||
share/examples/opendnssec/zonelist.xml
|
||||
@mode 0640
|
||||
@group _opendnssec
|
||||
@ -64,27 +77,26 @@ share/opendnssec/addns.rnc
|
||||
share/opendnssec/addns.rng
|
||||
share/opendnssec/conf.rnc
|
||||
share/opendnssec/conf.rng
|
||||
%%sqlite3%%
|
||||
%%mysql%%
|
||||
share/opendnssec/enforcerstate.rnc
|
||||
share/opendnssec/enforcerstate.rng
|
||||
share/opendnssec/kasp.rnc
|
||||
share/opendnssec/kasp.rng
|
||||
share/opendnssec/kasp2html.xsl
|
||||
share/opendnssec/migration/
|
||||
share/opendnssec/migration/find_problematic_zones.sql
|
||||
share/opendnssec/signconf.rnc
|
||||
share/opendnssec/signconf.rng
|
||||
share/opendnssec/simple-dnskey-mailer.sh
|
||||
share/opendnssec/zonelist.rnc
|
||||
share/opendnssec/zonelist.rng
|
||||
@sample ${LOCALSTATEDIR}/opendnssec/
|
||||
%%sqlite3%%
|
||||
%%mysql%%
|
||||
@mode 0750
|
||||
@owner _opendnssec
|
||||
@group _opendnssec
|
||||
@sample ${LOCALSTATEDIR}/opendnssec/db/
|
||||
@sample ${LOCALSTATEDIR}/opendnssec/
|
||||
@sample ${LOCALSTATEDIR}/opendnssec/enforcer/
|
||||
@sample ${LOCALSTATEDIR}/opendnssec/signconf/
|
||||
@sample ${LOCALSTATEDIR}/opendnssec/signed/
|
||||
@sample ${LOCALSTATEDIR}/opendnssec/tmp/
|
||||
@sample ${LOCALSTATEDIR}/opendnssec/signer/
|
||||
@sample ${LOCALSTATEDIR}/opendnssec/unsigned/
|
||||
@sample ${LOCALSTATEDIR}/opendnssec/softhsm/
|
||||
@owner
|
||||
@group
|
||||
@rcscript ${RCDIR}/opendnssec
|
||||
@sample ${LOCALSTATEDIR}/run/opendnssec/
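Review bot: The hunk at `@ -64,27 +77,26 @@` carries `@sample ${LOCALSTATEDIR}/opendnssec/softhsm/` under `@owner _opendnssec` / `@mode 0750`, while the new pkg/README tells the admin to create the same directory by hand with `install -d -o _opendnssec -g _opendnssec -m 700`; if both are on the new side, one is redundant and the modes disagree (0750 vs 0700), so keep one and document it. Likewise `@sample ${LOCALSTATEDIR}/run/opendnssec/` overlaps with the new `rc_pre` in opendnssec.rc that creates `/var/run/opendnssec/` at start; if that @sample line is removed by this commit that is fine, otherwise a `@comment` noting that the rc script owns the runtime directory would stop a later cleanup from removing the wrong one. The side of these lines cannot be recovered from the rendered diff, so treat this as a check rather than a confirmed defect.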
|
||||
|
@ -1,4 +1,4 @@
|
||||
$OpenBSD: README,v 1.3 2018/09/04 12:46:21 espie Exp $
|
||||
$OpenBSD: README,v 1.4 2019/01/25 08:32:02 pvk Exp $
|
||||
|
||||
+-----------------------------------------------------------------------
|
||||
| Running ${PKGSTEM} on OpenBSD
|
||||
@ -8,43 +8,172 @@ Getting started
|
||||
===============
|
||||
This is a summary of steps needed to get OpenDNSSEC up and running in a
|
||||
basic state using SoftHSM as the key backend. Make sure you have
|
||||
installed the softhsm package before proceeding.
|
||||
installed the softhsm2 package before proceeding.
|
||||
|
||||
Initial setup of SoftHSM
|
||||
------------------------
|
||||
Configure SoftHSM to store its token in
|
||||
${LOCALSTATEDIR}/opendnssec/softhsm/:
|
||||
# vi ${SYSCONFDIR}/softhsm.conf
|
||||
If you plan to use SoftHSM, install softhsm2 package:
|
||||
|
||||
Initialize the SoftHSM token (here assuming you used slot 0).
|
||||
The user PIN code has to match the <PIN> configured in
|
||||
${SYSCONFDIR}/opendnssec/conf.xml:
|
||||
# softhsm --init-token --slot 0 --label OpenDNSSEC
|
||||
# pkg_add softhsm2
|
||||
|
||||
Make sure the token is writeable by the _opendnssec user:
|
||||
# chown _opendnssec ${LOCALSTATEDIR}/opendnssec/softhsm/slot0.db
|
||||
Create ${LOCALSTATEDIR}/opendnssec/softhsm/ directory for tokens storage,
|
||||
instruct opendnssec to use this location:
|
||||
|
||||
# install -d -o _opendnssec -g _opendnssec -m 700 \
|
||||
${LOCALSTATEDIR}/opendnssec/softhsm/
|
||||
|
||||
# grep tokendir ${SYSCONFDIR}/softhsm2.conf
|
||||
directories.tokendir = ${LOCALSTATEDIR}/opendnssec/softhsm/
|
||||
|
||||
Choose preferred storage method, either 'file' or 'sqlite3':
|
||||
|
||||
# grep objectstore ${SYSCONFDIR}/softhsm2.conf
|
||||
objectstore.backend = db
|
||||
|
||||
Initialize the SoftHSM token (here assuming you are using slot 0):
|
||||
|
||||
# doas -u _opendnssec softhsm2-util --init-token --slot 0 \
|
||||
--label OpenDNSSEC
|
||||
|
||||
User PIN and token label must be reflected in appropriate sections
|
||||
of ${SYSCONFDIR}/opendnssec/conf.xml:
|
||||
|
||||
# grep PIN ${SYSCONFDIR}/opendnssec/conf.xml
|
||||
<PIN>MySecretUserPIN</PIN>
|
||||
|
||||
# grep TokenLabel ${SYSCONFDIR}/opendnssec/conf.xml
|
||||
<TokenLabel>OpenDNSSEC</TokenLabel>
|
||||
Verify token:
|
||||
|
||||
# doas -u _opendnssec softhsm2-util --show-slots
|
||||
Available slots:
|
||||
Slot 1557156002
|
||||
Slot info:
|
||||
Description: SoftHSM slot ID 0x5cd050a2
|
||||
Manufacturer ID: SoftHSM project
|
||||
Hardware version: 2.5
|
||||
Firmware version: 2.5
|
||||
Token present: yes
|
||||
Token info:
|
||||
Manufacturer ID: SoftHSM project
|
||||
Model: SoftHSM v2
|
||||
Hardware version: 2.5
|
||||
Firmware version: 2.5
|
||||
Serial number: e1a305015cd050a2
|
||||
Initialized: yes
|
||||
User PIN init.: yes
|
||||
Label: OpenDNSSEC
|
||||
|
||||
Bootstrapping OpenDNSSEC
|
||||
------------------------
|
||||
|
||||
Check if the configuration is valid:
|
||||
|
||||
# doas -u _opendnssec ods-kaspcheck
|
||||
INFO: The XML in ${SYSCONFDIR}/opendnssec/conf.xml is valid
|
||||
ERROR: SQLite datastore (${LOCALSTATEDIR}/opendnssec/kasp.db) does not exist
|
||||
INFO: The XML in ${SYSCONFDIR}/opendnssec/kasp.xml is valid
|
||||
INFO: The XML in ${SYSCONFDIR}/opendnssec/zonelist.xml is valid
|
||||
|
||||
Create an initial KASP database (if you are running the mysql flavor you
|
||||
will first need to configure mariadb-server and modify <Datastore> in
|
||||
${SYSCONFDIR}/opendnssec/conf.xml):
|
||||
# ods-ksmutil setup
|
||||
|
||||
Start the OpenDNSSEC system:
|
||||
# rcctl start opendnssec
|
||||
# doas -u _opendnssec ods-enforcer-db-setup
|
||||
*WARNING* This will erase all data in the database; are you sure? [y/N] y
|
||||
Database setup successfully.
|
||||
|
||||
Start OpenDNSSEC:
|
||||
|
||||
# rcctl start opendnssec
|
||||
|
||||
Import policy:
|
||||
|
||||
# doas -u _opendnssec ods-enforcer policy import
|
||||
Created policy default successfully
|
||||
|
||||
Check policy:
|
||||
|
||||
# ods-enforcer policy list
|
||||
Policy: Description:
|
||||
default ECDSAP256SHA256 NSEC3 KSK1Y ZSK90D
|
||||
|
||||
Copy an unsigned zone file into the unsigned/ directory:
|
||||
# cp <somewhere>/example.com ${LOCALSTATEDIR}/opendnssec/unsigned/
|
||||
|
||||
Add the zone:
|
||||
# ods-ksmutil zone add --zone example.com --policy default
|
||||
# cp <somewhere>/example.com ${LOCALSTATEDIR}/opendnssec/unsigned/
|
||||
|
||||
Notify the enforcer of the updated database:
|
||||
# ods-control enforcer notify
|
||||
Import zones from zonelist.xml:
|
||||
|
||||
You now have a signed version of example.com in the signed/ directory:
|
||||
# cat ${LOCALSTATEDIR}/opendnssec/signed/example.com
|
||||
# doas -u _opendnssec ods-enforcer zonelist import
|
||||
Zone example.com created successfully
|
||||
|
||||
List the keys for the zone:
|
||||
# ods-ksmutil key list -v
|
||||
Or add the zone from the command line:
|
||||
|
||||
# doas -u _opendnssec ods-enforcer zone add --zone example.com
|
||||
input is set to ${LOCALSTATEDIR}/opendnssec/unsigned/example.com.
|
||||
output is set to ${LOCALSTATEDIR}/opendnssec/signed/example.com.
|
||||
Zone example.com added successfully
|
||||
|
||||
Check the zone:
|
||||
|
||||
# doas -u _opendnssec ods-enforcer zone list
|
||||
Database set to: ${LOCALSTATEDIR}/opendnssec/kasp.db
|
||||
Zones:
|
||||
Zone: Policy: Next change:
|
||||
example.com default Fri Nov 16 14:50:25 2018
|
||||
|
||||
List the keys:
|
||||
|
||||
# ods-enforcer key list
|
||||
Keys:
|
||||
Zone: Keytype: State: Date of next transition:
|
||||
example.com KSK publish 2018-11-16 14:50:25
|
||||
example.com ZSK ready 2018-11-16 14:50:25
|
||||
|
||||
After the KSK state transitions to "waiting for ds-seen", export the DS record:
|
||||
|
||||
# doas -u _opendnssec ods-enforcer key list
|
||||
Keys:
|
||||
Zone:
|
||||
example.com KSK ready waiting for ds-seen
|
||||
example.com ZSK active 2019-02-14 00:50:25
|
||||
|
||||
# doas -u _opendnssec ods-enforcer key export --zone example.com \
|
||||
--keystate ready --keytype KSK --ds
|
||||
;ready KSK DS record (SHA256):
|
||||
example.com. 600 IN DS 65331 13 2 <DSKEY>
|
||||
|
||||
Before submitting DS record to the parent zone, run:
|
||||
|
||||
# doas -u _opendnssec \
|
||||
ods-enforcer key ds-submit --zone example.com --keytag 65331
|
||||
|
||||
Then submit the DS record to the parent zone.
|
||||
|
||||
When DS RR appears in the parent zone, activate the KSK:
|
||||
|
||||
# ods-enforcer key ds-seen --zone example.com --keytag 65331
|
||||
1 KSK matches found.
|
||||
1 KSKs changed.
|
||||
# ods-enforcer key list -v
|
||||
Keys:
|
||||
Zone: Keytype: State: Date of next transition:
|
||||
example.com KSK active 2018-11-17 20:07:31
|
||||
example.com ZSK active 2018-11-17 20:07:31
|
||||
|
||||
The signed zone will appear in ${LOCALSTATEDIR}/opendnssec/signed/ directory
|
||||
or will be transferred to your authoritative DNS server, depending on the zone
|
||||
output configuration.
|
||||
|
||||
Upgrading from version 1.4.x to 2.x
|
||||
-----------------------------------
|
||||
OpenDNSSEC enforcer database migration is required if you are upgrading from
|
||||
1.4.x to 2.x. Read ${PREFIX}/share/doc/opendnssec/MIGRATION
|
||||
for more information.
|
||||
|
||||
Database conversion scripts
|
||||
---------------------------
|
||||
Note that OpenDNSSEC database conversion scripts are installed in
|
||||
${PREFIX}/sbin and renamed:
|
||||
convert_mysql_to_sqlite to ods-convert_mysql_to_sqlite
|
||||
convert_sqlite_to_mysql to ods-convert_sqlite_to_mysql
|
||||
|
@ -1,6 +1,6 @@
|
||||
#!/bin/ksh
|
||||
#
|
||||
# $OpenBSD: opendnssec.rc,v 1.2 2018/01/11 19:27:09 rpe Exp $
|
||||
# $OpenBSD: opendnssec.rc,v 1.3 2019/01/25 08:32:02 pvk Exp $
|
||||
|
||||
daemon="${TRUEPREFIX}/sbin/ods-control"
|
||||
|
||||
@ -10,6 +10,10 @@ rc_reload=NO
|
||||
|
||||
pexp="${TRUEPREFIX}/sbin/ods-(enforcerd|signerd)"
|
||||
|
||||
rc_pre() {
|
||||
install -d -o _opendnssec /var/run/opendnssec/
|
||||
}
|
||||
|
||||
rc_start() {
|
||||
${rcexec} "${daemon} start"
|
||||
}
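Review bot: `rc_pre` creates `/var/run/opendnssec/` with an owner but no explicit group or mode, so the directory presumably gets the invoking process's group (wheel when started from rc) and install's default permissions; since both daemons drop to `_opendnssec` per the patched conf.xml and keep their pid/socket files there, `install -d -o _opendnssec -g _opendnssec -m 0755 /var/run/opendnssec/` states the intent, or 0750 if nothing outside that user needs the signer socket. The rest of the port refers to this tree as `${LOCALSTATEDIR}`; if the rc script goes through the same substitution, `${LOCALSTATEDIR}/run/opendnssec/` keeps it consistent. A one-line comment above the function, `# runtime dir must exist and be writable by _opendnssec before the daemons start`, would explain why it is created here rather than via the PLIST.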
|
||||
|