Update opendnssec 1.4.14 -> 2.1.3

Take maintainership, OK'd by MAINTAINER; ok rsadowski@
pvk 2019-01-25 08:32:02 +00:00
parent fd55fb6ae4
commit 28a5390a0c
15 changed files with 496 additions and 89 deletions


@ -1,28 +1,30 @@
# $OpenBSD: Makefile,v 1.15 2018/09/04 12:46:21 espie Exp $
# $OpenBSD: Makefile,v 1.16 2019/01/25 08:32:02 pvk Exp $
COMMENT= open-source turn-key solution for DNSSEC
DISTNAME= opendnssec-1.4.14
REVISION= 1
DISTNAME= opendnssec-2.1.3
CATEGORIES= security
HOMEPAGE= http://www.opendnssec.org/
HOMEPAGE= https://www.opendnssec.org/
MAINTAINER= Patrik Lundin <patrik@sigterm.se>
MAINTAINER= Pavel Korovin <pvk@openbsd.org>
# BSD
PERMIT_PACKAGE_CDROM= Yes
WANTLIB += c crypto iconv ldns lzma m pthread xml2 z
MASTER_SITES= http://dist.opendnssec.org/source/
MASTER_SITES= https://dist.opendnssec.org/source/
BUILD_DEPENDS= devel/cunit
LIB_DEPENDS= converters/libiconv \
net/ldns/libldns \
textproc/libxml
TEST_DEPENDS= security/softhsm
TEST_DEPENDS= ${BUILD_DEPENDS} \
security/softhsm2
FAKE_FLAGS= sysconfdir=${PREFIX}/share/examples/opendnssec
@ -47,11 +49,52 @@ LIB_DEPENDS+= databases/mariadb
ERRORS+= "Fatal: mutually exclusive flavors: ${FLAVORS}"
.endif
SUBST_TARGETS= ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/README.md \
${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/convert_{mysql,sqlite} \
${WRKSRC}/enforcer/utils/convert_{mysql_to_sqlite,sqlite_to_mysql} \
${WRKSRC}/contrib/ods-sequencer/ods-sequencer-submit.sh \
${WRKSRC}/MIGRATION
post-patch:
${SUBST_CMD} ${SUBST_TARGETS}
# regress-db target doesn't currently work
# https://github.com/opendnssec/opendnssec/commit/6b1b0da4a7ba5ae658aca49a45a45be4867f6806
pre-test:
sed -i 's/^check: regress-db/\#check: regress-db/' \
${WRKSRC}/enforcer/src/db/test/Makefile
post-install:
${INSTALL_DATA_DIR} ${PREFIX}/share/doc/opendnssec
cd ${WRKSRC}; \
${INSTALL_DATA} LICENSE ${PREFIX}/share/doc/opendnssec; \
${INSTALL_DATA} plugins/simple-dnskey-mailer/simple-dnskey-mailer.sh \
${PREFIX}/share/opendnssec
sed -i 's,#!/bin/bash,#!/bin/sh,' \
${WRKSRC}/contrib/ods-sequencer/ods-sequencer-submit.sh \
${WRKSRC}/contrib/simple-dnskey-mailer/simple-dnskey-mailer.sh
@find ${WRKSRC} -type f \
\( -name '*.beforesubst' -o -name '*.orig' \) -delete
${INSTALL_SCRIPT} ${WRKSRC}/enforcer/utils/convert_mysql_to_sqlite \
${PREFIX}/sbin/ods-convert_mysql_to_sqlite
${INSTALL_SCRIPT} ${WRKSRC}/enforcer/utils/convert_sqlite_to_mysql \
${PREFIX}/sbin/ods-convert_sqlite_to_mysql
${INSTALL_SCRIPT} ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/convert_mysql \
${PREFIX}/sbin/ods-migrate-mysql
${INSTALL_SCRIPT} ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/convert_sqlite \
${PREFIX}/sbin/ods-migrate-sqlite3
${INSTALL_DATA_DIR} ${PREFIX}/share/doc/opendnssec/
${INSTALL_DATA} ${WRKSRC}/{LICENSE,MIGRATION,NEWS} \
${PREFIX}/share/doc/opendnssec/
${INSTALL_DATA} ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/README.md \
${PREFIX}/share/doc/opendnssec/MIGRATE_1.4-2.0.md
${INSTALL_DATA_DIR} ${PREFIX}/share/examples/opendnssec/ods-sequencer/
${INSTALL_DATA} ${WRKSRC}/contrib/ods-sequencer/* \
${PREFIX}/share/examples/opendnssec/ods-sequencer/
${INSTALL_DATA} ${WRKSRC}/contrib/simple-dnskey-mailer/simple-dnskey-mailer.sh \
${PREFIX}/share/examples/opendnssec/
${INSTALL_DATA_DIR} ${PREFIX}/share/opendnssec/migration/
${INSTALL_DATA} ${WRKSRC}/enforcer/src/db/schema.* ${PREFIX}/share/opendnssec/
${INSTALL_DATA} ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/find_problematic_zones.sql \
${PREFIX}/share/opendnssec/migration/
${INSTALL_DATA} ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/sqlite_convert.sql \
${PREFIX}/share/opendnssec/migration/migrate-sqlite.sql
${INSTALL_DATA} ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/mysql_convert.sql \
${PREFIX}/share/opendnssec/migration/migrate-mysql.sql
.include <bsd.port.mk>
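Review bot: The `find ${WRKSRC} -type f \( -name '*.beforesubst' -o -name '*.orig' \) -delete` in post-install is load-bearing but uncommented: SUBST_CMD over SUBST_TARGETS (which includes contrib/ods-sequencer/ods-sequencer-submit.sh) presumably leaves `.beforesubst` copies beside the originals, and the later `${INSTALL_DATA} ${WRKSRC}/contrib/ods-sequencer/*` glob would install those into share/examples if the find did not run first. A comment above it such as `# drop SUBST_CMD/patch leftovers before the contrib/ods-sequencer/* glob below picks them up` would stop the ordering from being reshuffled later. The `sed -i 's,#!/bin/bash,#!/bin/sh,'` on contrib/ods-sequencer/ods-sequencer-submit.sh also duplicates the shebang change that the new patch-contrib_ods-sequencer_ods-sequencer-submit_sh already makes, while the convert_* scripts get theirs only via patch files; using one mechanism for all shebang rewrites would make it easier to audit which interpreters the port changes. The `pre-test` sed that comments out `check: regress-db` is the kind of upstream workaround that deserves the link it already carries, so that part reads fine.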


@ -1,2 +1,2 @@
SHA256 (opendnssec-1.4.14.tar.gz) = 4cQexbxhdiM7LZT09PcD51h7rmdgdkqxvvA88QvR3N8=
SIZE (opendnssec-1.4.14.tar.gz) = 1037188
SHA256 (opendnssec-2.1.3.tar.gz) = PeKgPtyeK4w2a/CrVBAE+YR3fUgTBXy7p6eARdjL/n4=
SIZE (opendnssec-2.1.3.tar.gz) = 1107073


@ -0,0 +1,18 @@
$OpenBSD: patch-MIGRATION,v 1.1 2019/01/25 08:32:02 pvk Exp $
Index: MIGRATION
--- MIGRATION.orig
+++ MIGRATION
@@ -17,7 +17,8 @@ full resign of your zone when upgrading, however if yo
a full resign is needed.
The enforcer does require a full migration, as the internal database has
-been completely revised. See the documentation in the source tree
-enforcer/utils/1.4-2.0_db_convert/README.md for a description.
-Migration scripts are not installed and should be retrieved from the source
-separately.
+been completely revised.
+See the documentation in ${PREFIX}/share/doc/opendnssec/MIGRATE_1.4-2.0.md
+for a description.
+
+Migration script is installed in ${PREFIX}/sbin/ods-migrate${FLAVOR_EXT}


@ -1,6 +1,8 @@
$OpenBSD: patch-conf_conf_xml_in,v 1.2 2016/11/19 12:25:27 sthen Exp $
--- conf/conf.xml.in.orig Mon Oct 17 14:32:58 2016
+++ conf/conf.xml.in Mon Nov 14 18:41:45 2016
$OpenBSD: patch-conf_conf_xml_in,v 1.3 2019/01/25 08:32:02 pvk Exp $
Index: conf/conf.xml.in
--- conf/conf.xml.in.orig
+++ conf/conf.xml.in
@@ -31,7 +31,7 @@
<Logging>
<!-- Command line verbosity will overwrite configure file -->
@ -10,41 +12,33 @@ $OpenBSD: patch-conf_conf_xml_in,v 1.2 2016/11/19 12:25:27 sthen Exp $
</Logging>
<PolicyFile>@OPENDNSSEC_CONFIG_DIR@/kasp.xml</PolicyFile>
@@ -39,19 +39,17 @@
@@ -39,10 +39,10 @@
</Common>
<Enforcer>
-<!--
<Privileges>
- <User>opendnssec</User>
- <Group>opendnssec</Group>
-<?xmlif if condition privdrop="user|group|both"?> <Privileges>
-<?xmlif fi?><?xmlif if condition privdrop="user|both"?> <User>@INSTALLATIONUSER@</User>
-<?xmlif fi?><?xmlif if condition privdrop="group|both"?> <Group>@INSTALLATIONGROUP@</Group>
-<?xmlif fi?><?xmlif if condition privdrop="user|group|both"?> </Privileges><?xmlif fi?>
+ <Privileges>
+ <User>_opendnssec</User>
+ <Group>_opendnssec</Group>
</Privileges>
--->
<!-- NOTE: Enforcer worker threads are not used; this option is ignored -->
<!--
<WorkerThreads>4</WorkerThreads>
-->
+ </Privileges>
<!-- <PidFile>@OPENDNSSEC_ENFORCER_PIDFILE@</PidFile> -->
- <Datastore><SQLite>@OPENDNSSEC_STATE_DIR@/kasp.db</SQLite></Datastore>
+ <Datastore><SQLite>@OPENDNSSEC_STATE_DIR@/db/kasp.db</SQLite></Datastore>
<Interval>PT3600S</Interval>
<Datastore><SQLite>@OPENDNSSEC_STATE_DIR@/kasp.db</SQLite></Datastore>
<!-- <ManualKeyGeneration/> -->
<!-- <RolloverNotification>P14D</RolloverNotification> -->
@@ -63,12 +61,10 @@
@@ -59,10 +59,10 @@
</Enforcer>
<Signer>
-<!--
<Privileges>
- <User>opendnssec</User>
- <Group>opendnssec</Group>
-<?xmlif if condition privdrop="user|group|both"?> <Privileges>
-<?xmlif fi?><?xmlif if condition privdrop="user|both"?> <User>@INSTALLATIONUSER@</User>
-<?xmlif fi?><?xmlif if condition privdrop="group|both"?> <Group>@INSTALLATIONGROUP@</Group>
-<?xmlif fi?><?xmlif if condition privdrop="user|group|both"?> </Privileges><?xmlif fi?>
+ <Privileges>
+ <User>_opendnssec</User>
+ <Group>_opendnssec</Group>
</Privileges>
--->
+ </Privileges>
<!-- <PidFile>@OPENDNSSEC_SIGNER_PIDFILE@</PidFile> -->
<!-- <SocketFile>@OPENDNSSEC_SIGNER_SOCKET@</SocketFile> -->
<WorkingDirectory>@OPENDNSSEC_STATE_DIR@/signer</WorkingDirectory>
<WorkerThreads>4</WorkerThreads>
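Review bot: The new Privileges blocks hardcode `_opendnssec` for both User and Group in place of upstream's `@INSTALLATIONUSER@`/`@INSTALLATIONGROUP@` placeholders and the `<?xmlif …?>` conditionals that wrap them; if upstream's configure exposes an option that fills those placeholders, passing it from CONFIGURE_ARGS (not visible in this diff) would leave the template unpatched and keep the drop-privileges identity in one place next to the PLIST `@newuser _opendnssec:757…` line. The rendered section shows both the old (v1.2) and new (v1.3) patch headers and a `</Privileges>` context line directly followed by a `+ </Privileges>` line, so the final enforcer and signer blocks are hard to verify from here; a short note in the patch header saying why the privilege drop is enabled unconditionally (presumably because the daemons are started as root by the rc script and expected to switch to _opendnssec) would help the next updater, and is consistent with the README section's `doas -u _opendnssec` usage throughout.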


@ -0,0 +1,15 @@
$OpenBSD: patch-contrib_ods-sequencer_ods-sequencer-submit_sh,v 1.1 2019/01/25 08:32:02 pvk Exp $
Index: contrib/ods-sequencer/ods-sequencer-submit.sh
--- contrib/ods-sequencer/ods-sequencer-submit.sh.orig
+++ contrib/ods-sequencer/ods-sequencer-submit.sh
@@ -1,6 +1,6 @@
-#!/bin/bash
+#!/bin/sh
-now=`../../../sbin/ods-enforcer queue 2>&1 | sed -e 's/^It is now.*(\([0-9][0-9]*\)[^)]*).*$/\1/p' -e 'd'`
-cat > ../../../var/opendnssec/sequences/$now-dssubmit
+now=`${PREFIX}/sbin/ods-enforcer queue 2>&1 | sed -e 's/^It is now.*(\([0-9][0-9]*\)[^)]*).*$/\1/p' -e 'd'`
+cat > ${LOCALSTATEDIR}/opendnssec/sequences/$now-dssubmit
exit 0
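Review bot: `$now` in the new `cat > ${LOCALSTATEDIR}/opendnssec/sequences/$now-dssubmit` line is still unquoted and never checked: if `ods-enforcer queue` fails or its output format changes, the sed prints nothing, `now` is empty, and the script silently writes `sequences/-dssubmit` and exits 0 because of the trailing `exit 0`. A guard after the assignment, `[ -n "$now" ] || { echo 'could not read current time from ods-enforcer' >&2; exit 1; }`, plus quoting the path as `"$now-dssubmit"`, would make that failure visible. The `${PREFIX}` and `${LOCALSTATEDIR}` tokens here depend on the port's SUBST_CMD pass (the file is listed in SUBST_TARGETS in the Makefile), so a comment in the patch header noting that the script is only usable after substitution would avoid confusion when reading it in the source tree.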


@ -0,0 +1,75 @@
$OpenBSD: patch-enforcer_utils_1_4-2_0_db_convert_README_md,v 1.1 2019/01/25 08:32:02 pvk Exp $
Index: enforcer/utils/1.4-2.0_db_convert/README.md
--- enforcer/utils/1.4-2.0_db_convert/README.md.orig
+++ enforcer/utils/1.4-2.0_db_convert/README.md
@@ -16,8 +16,8 @@ General preparation
-------------------
* First stop OpenDNSSEC entirely.
- * You are strongly advised to backup /etc/opendnssec and /var/opendnssec before
- continuing.
+ * You are strongly advised to backup ${SYSCONFDIR}/opendnssec and
+ ${LOCALSTATEDIR}/opendnssec before continuing.
* Also prevent any nameserver from receiving updates from OpenDNSSEC until
you are sure the migration was successful.
* It is discouraged to perform the migration during a rollover. The migration
@@ -31,27 +31,32 @@ Conversion Sqlite
There are 2 relevant files for the conversion:
- * convert_sqlite - A bash conversion script
- * sqlite_convert.sql - Contains SQL statements, called by convert_sqlite
+ * ${PREFIX}/sbin/ods-migrate-sqlite3 - Conversion script
+ * ${PREFIX}/share/opendnssec/migration/migrate-sqlite.sql -
+ Contains SQL statements, called by ods-migrate-sqlite3
-call the script like so: `./convert_sqlite -i INPUT -o OUTPUT`. Where INPUT is
-the kasp.db file commonly found in _/var/opendnssec/kasp.db_. And OUTPUT is a
-non-existing file where the new database should go. On success, replace old
-database file with the new database file or adjust _conf.xml_ accordingly.
+Call the script like so: `${PREFIX}/sbin/ods-migrate-sqlite3 -i INPUT -o OUTPUT`.
+Where INPUT is the kasp.db file commonly found in _${LOCALSTATEDIR}/opendnssec/db/kasp.db_.
+And OUTPUT is a non-existing file where the new database should go,
+default location for OpenDNSSEC 2.x is _${LOCALSTATEDIR}/opendnssec/kasp.db_.
+On success, replace old database file with the new database file or adjust
+_${SYSCONFDIR}/opendnssec/conf.xml_ accordingly.
Conversion MySQL
----------------
There are 2 relevant files for the conversion:
- * convert_mysql - A bash conversion script
- * mysql_convert.sql - Contains SQL statements, called by convert_mysql
+ * ${PREFIX}/sbin/ods-migrate-mysql - Conversion script
+ * ${PREFIX}/share/opendnssec/migration/migrate-mysql.sql -
+ Contains SQL statements, called by convert_mysql
-call the script like so: `./convert_sqlite -i INPUT -o OUTPUT -h HOST -u USER
--p PASSWORD`. Where INPUT is the name of the existing database on HOST. And
+Call the script like so:
+`${PREFIX}/sbin/ods-migrate-mysql -i INPUT -o OUTPUT -h HOST -u USER -p PASSWORD`.
+Where INPUT is the name of the existing database on HOST. And
OUTPUT is a non-existing database on the same host where the new database
should go. On success, replace old database with the new database file or
-adjust _conf.xml_ accordingly.
+adjust _${SYSCONFDIR}/opendnssec/conf.xml_ accordingly.
Post Conversion
---------------
@@ -59,11 +64,11 @@ Post Conversion
ODS 2.0 stores the keytags in the database, 1.4 unfortunately does not.
Therefore an additional tool is provided which calculates the keytags and
stores them in the database. Make sure that at this point conf.xml points to
-the new database. Then run `ods-migrate`.
+the new database. Then run `${PREFIX}/sbin/ods-migrate`.
Now your new database is ready for use. At this point the signer will refuse to
-run because the file `/var/opendnssec/enforcer/zones.xml` does not exist
-yet. In ODS 1.4 `/etc/opendnssec/zonelist.xml` is always on par with the
+run because the file `${LOCALSTATEDIR}/opendnssec/enforcer/zones.xml` does not exist
+yet. In ODS 1.4 `${SYSCONFDIR}/opendnssec/zonelist.xml` is always on par with the
database contents (this is no longer true for 2.0) so it is safe to copy this
file over to the missing file.


@ -0,0 +1,36 @@
$OpenBSD: patch-enforcer_utils_1_4-2_0_db_convert_convert_mysql,v 1.1 2019/01/25 08:32:02 pvk Exp $
Index: enforcer/utils/1.4-2.0_db_convert/convert_mysql
--- enforcer/utils/1.4-2.0_db_convert/convert_mysql.orig
+++ enforcer/utils/1.4-2.0_db_convert/convert_mysql
@@ -1,11 +1,11 @@
-#!/bin/bash
+#!/bin/sh
set -e
# This scipt converts a ODS 1.4.9 MySQL database to ODS 2.0. It assumes both
# old and new databases live on the same host and are accessable by the same
# user.
-SCHEMA=../../src/db/schema.mysql
+SCHEMA=${PREFIX}/share/opendnssec/schema.mysql
DB_IN=""
DB_OUT=""
@@ -44,7 +44,7 @@ if [ ! $DB_VERSION -eq 4 ]; then
fi
# Look for zones without an active key.
-Z=`mysql -u $DB_USR -p$DB_PWD -h $DB_HOST $DB_IN < find_problematic_zones.sql`
+Z=`mysql -u $DB_USR -p$DB_PWD -h $DB_HOST $DB_IN < ${PREFIX}/share/opendnssec/migration/find_problematic_zones.sql`
if [[ $Z = *[![:space:]]* ]]; then
echo "Found zones without an active KSK but with a ready KSK waiting for ds-seen. This can cause problem after the conversion if the DS was actually already uploaded. You are adviced to submit these DS records and issue a ds-seen command before continueing. If you know better, disable this check to continue."
echo "Zones: $Z"
@@ -59,6 +59,6 @@ echo "Creating tables in $DB_OUT (as user $DB_USR)"
mysql -u $DB_USR -p$DB_PWD -h $DB_HOST $DB_OUT < $SCHEMA
echo "Converting database"
-sed "s/REMOTE/$DB_IN/g" mysql_convert.sql > TMP
+sed "s/REMOTE/$DB_IN/g" ${PREFIX}/share/opendnssec/migration/migrate-mysql.sql > TMP
mysql -u $DB_USR -p$DB_PWD -h $DB_HOST $DB_OUT < TMP
rm TMP
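Review bot: The rewritten `sed "s/REMOTE/$DB_IN/g" ${PREFIX}/share/opendnssec/migration/migrate-mysql.sql > TMP` still spools into a fixed, relative file named `TMP`; now that the script is installed under sbin and run from an arbitrary working directory, that file lands wherever the administrator happens to be, and the predictable name means a pre-existing `TMP` (or one planted in a shared directory) is either clobbered or fed to mysql. Using `TMP=$(mktemp) || exit 1`, writing to `"$TMP"` and removing it with `rm -f "$TMP"` avoids both problems. The new line in the second hunk also keeps passing the credential as `-p$DB_PWD`, which is visible to other local users in the process list for the duration of the query; a `--defaults-extra-file` or the `MYSQL_PWD` environment variable is the usual way to keep it off the command line. With the shebang now `#!/bin/sh`, the unchanged `[[ $Z = *[![:space:]]* ]]` test works only because OpenBSD's /bin/sh is ksh; the same applies to the convert_sqlite patch, and a one-line comment saying the scripts assume a ksh-compatible sh would save someone porting them elsewhere a surprise.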


@ -0,0 +1,33 @@
$OpenBSD: patch-enforcer_utils_1_4-2_0_db_convert_convert_sqlite,v 1.1 2019/01/25 08:32:02 pvk Exp $
Index: enforcer/utils/1.4-2.0_db_convert/convert_sqlite
--- enforcer/utils/1.4-2.0_db_convert/convert_sqlite.orig
+++ enforcer/utils/1.4-2.0_db_convert/convert_sqlite
@@ -1,9 +1,9 @@
-#!/bin/bash
+#!/bin/sh
set -e
# This scipt converts a ODS 1.4.9 Sqlite database to ODS 2.0.
-SCHEMA=../../src/db/schema.sqlite
+SCHEMA=${PREFIX}/share/opendnssec/schema.sqlite
DB_IN=""
DB_OUT=""
@@ -36,7 +36,7 @@ if [ ! $DB_VERSION -eq 4 ]; then
fi
# Look for zones without an active key.
-Z=`sqlite3 $DB_IN < find_problematic_zones.sql`
+Z=`sqlite3 $DB_IN < ${PREFIX}/share/opendnssec/migration/find_problematic_zones.sql`
if [[ $Z = *[![:space:]]* ]]; then
echo "Found zones without an active KSK but with a ready KSK waiting for ds-seen. This can cause problem after the conversion if the DS was actually already uploaded. You are adviced to submit these DS records and issue a ds-seen command before continueing. If you know better, disable this check to continue."
echo "Zones: $Z"
@@ -46,5 +46,5 @@ fi
rm -f $DB_OUT
sqlite3 $DB_OUT < $SCHEMA
echo "attach '$DB_IN' as REMOTE;" |
- cat - sqlite_convert.sql | sqlite3 $DB_OUT
+ cat - ${PREFIX}/share/opendnssec/migration/migrate-sqlite.sql | sqlite3 $DB_OUT


@ -0,0 +1,21 @@
$OpenBSD: patch-enforcer_utils_convert_mysql_to_sqlite,v 1.1 2019/01/25 08:32:02 pvk Exp $
Index: enforcer/utils/convert_mysql_to_sqlite
--- enforcer/utils/convert_mysql_to_sqlite.orig
+++ enforcer/utils/convert_mysql_to_sqlite
@@ -1,11 +1,11 @@
-#!/usr/bin/env bash
+#!/bin/sh
set -e
-# This scipt converts a MySQL to a SQLite database. It assumes both
-# old and new databases live on the same host and are accessable by the same
+# This script converts a MySQL to a SQLite database. It assumes both
+# old and new databases live on the same host and are accessible by the same
# user.
-SCHEMA=../src/db/schema.sqlite
+SCHEMA=${PREFIX}/share/opendnssec/schema.sqlite
DB_IN=""
DB_OUT=""


@ -0,0 +1,21 @@
$OpenBSD: patch-enforcer_utils_convert_sqlite_to_mysql,v 1.1 2019/01/25 08:32:02 pvk Exp $
Index: enforcer/utils/convert_sqlite_to_mysql
--- enforcer/utils/convert_sqlite_to_mysql.orig
+++ enforcer/utils/convert_sqlite_to_mysql
@@ -1,11 +1,11 @@
-#!/usr/bin/env bash
+#!/bin/sh
set -e
-# This scipt converts a SQLite3 to a MySQL database. It assumes both
-# old and new databases live on the same host and are accessable by the same
+# This script converts a SQLite3 to a MySQL database. It assumes both
+# old and new databases live on the same host and are accessible by the same
# user.
-SCHEMA=../src/db/schema.mysql
+SCHEMA=${PREFIX}/share/opendnssec/schema.mysql
DB_IN=""
DB_OUT=""


@ -1,2 +1,5 @@
@comment $OpenBSD: PFRAG.mysql,v 1.1.1.1 2015/10/13 17:03:55 jca Exp $
share/opendnssec/database_create.mysql
@comment $OpenBSD: PFRAG.mysql,v 1.2 2019/01/25 08:32:02 pvk Exp $
sbin/ods-convert_sqlite_to_mysql
sbin/ods-migrate-mysql
share/opendnssec/migration/migrate-mysql.sql
share/opendnssec/schema.mysql


@ -1,2 +1,5 @@
@comment $OpenBSD: PFRAG.sqlite3,v 1.1.1.1 2015/10/13 17:03:55 jca Exp $
share/opendnssec/database_create.sqlite3
@comment $OpenBSD: PFRAG.sqlite3,v 1.2 2019/01/25 08:32:02 pvk Exp $
sbin/ods-convert_mysql_to_sqlite
sbin/ods-migrate-sqlite3
share/opendnssec/migration/migrate-sqlite.sql
share/opendnssec/schema.sqlite


@ -1,36 +1,44 @@
@comment $OpenBSD: PLIST,v 1.3 2018/09/04 12:46:21 espie Exp $
@comment $OpenBSD: PLIST,v 1.4 2019/01/25 08:32:02 pvk Exp $
@conflict opendnssec-<2.1.3
@ask-update opendnssec-<2.1.3 OpenDNSSEC enforcer database migration required
@newgroup _opendnssec:757
@newuser _opendnssec:757:_opendnssec:daemon:OpenDNSSEC Account:/nonexistent:/sbin/nologin
@bin bin/ods-getconf
@rcscript ${RCDIR}/opendnssec
@bin bin/ods-hsmspeed
@bin bin/ods-hsmutil
bin/ods-kasp2html
@bin bin/ods-kaspcheck
@bin bin/ods-ksmutil
@man man/man1/ods-hsmspeed.1
@man man/man1/ods-hsmutil.1
@man man/man1/ods-kaspcheck.1
@man man/man1/ods-ksmutil.1
@man man/man5/ods-kasp.5
@man man/man5/ods-timing.5
@man man/man7/opendnssec.7
@man man/man8/ods-control.8
@man man/man8/ods-enforcer-db-setup.8
@man man/man8/ods-enforcer.8
@man man/man8/ods-enforcerd.8
@man man/man8/ods-getconf.8
@man man/man8/ods-signer.8
@man man/man8/ods-signerd.8
sbin/ods-control
@bin sbin/ods-enforcer
@bin sbin/ods-enforcer-db-setup
@bin sbin/ods-enforcerd
@bin sbin/ods-migrate
@bin sbin/ods-signer
@bin sbin/ods-signerd
share/doc/opendnssec/
share/doc/opendnssec/LICENSE
share/doc/opendnssec/MIGRATE_1.4-2.0.md
share/doc/opendnssec/MIGRATION
share/doc/opendnssec/NEWS
share/doc/pkg-readmes/${PKGSTEM}
share/examples/opendnssec/
@mode 0750
@group _opendnssec
@sample ${SYSCONFDIR}/opendnssec/
@mode
@group
share/doc/opendnssec/
share/doc/opendnssec/LICENSE
share/doc/pkg-readmes/${PKGSTEM}
share/examples/opendnssec/
share/examples/opendnssec/addns.xml
@mode 0640
@group _opendnssec
@ -52,6 +60,11 @@ share/examples/opendnssec/kasp.xml
@mode
@group
share/examples/opendnssec/kasp.xml.sample
share/examples/opendnssec/ods-sequencer/
share/examples/opendnssec/ods-sequencer/ods-sequencer
share/examples/opendnssec/ods-sequencer/ods-sequencer-submit.sh
share/examples/opendnssec/ods-sequencer/ods-sequencer.md
share/examples/opendnssec/simple-dnskey-mailer.sh
share/examples/opendnssec/zonelist.xml
@mode 0640
@group _opendnssec
@ -64,27 +77,26 @@ share/opendnssec/addns.rnc
share/opendnssec/addns.rng
share/opendnssec/conf.rnc
share/opendnssec/conf.rng
%%sqlite3%%
%%mysql%%
share/opendnssec/enforcerstate.rnc
share/opendnssec/enforcerstate.rng
share/opendnssec/kasp.rnc
share/opendnssec/kasp.rng
share/opendnssec/kasp2html.xsl
share/opendnssec/migration/
share/opendnssec/migration/find_problematic_zones.sql
share/opendnssec/signconf.rnc
share/opendnssec/signconf.rng
share/opendnssec/simple-dnskey-mailer.sh
share/opendnssec/zonelist.rnc
share/opendnssec/zonelist.rng
@sample ${LOCALSTATEDIR}/opendnssec/
%%sqlite3%%
%%mysql%%
@mode 0750
@owner _opendnssec
@group _opendnssec
@sample ${LOCALSTATEDIR}/opendnssec/db/
@sample ${LOCALSTATEDIR}/opendnssec/
@sample ${LOCALSTATEDIR}/opendnssec/enforcer/
@sample ${LOCALSTATEDIR}/opendnssec/signconf/
@sample ${LOCALSTATEDIR}/opendnssec/signed/
@sample ${LOCALSTATEDIR}/opendnssec/tmp/
@sample ${LOCALSTATEDIR}/opendnssec/signer/
@sample ${LOCALSTATEDIR}/opendnssec/unsigned/
@sample ${LOCALSTATEDIR}/opendnssec/softhsm/
@owner
@group
@rcscript ${RCDIR}/opendnssec
@sample ${LOCALSTATEDIR}/run/opendnssec/


@ -1,4 +1,4 @@
$OpenBSD: README,v 1.3 2018/09/04 12:46:21 espie Exp $
$OpenBSD: README,v 1.4 2019/01/25 08:32:02 pvk Exp $
+-----------------------------------------------------------------------
| Running ${PKGSTEM} on OpenBSD
@ -8,43 +8,172 @@ Getting started
===============
This is a summary of steps needed to get OpenDNSSEC up and running in a
basic state using SoftHSM as the key backend. Make sure you have
installed the softhsm package before proceeding.
installed the softhsm2 package before proceeding.
Initial setup of SoftHSM
------------------------
Configure SoftHSM to store its token in
${LOCALSTATEDIR}/opendnssec/softhsm/:
# vi ${SYSCONFDIR}/softhsm.conf
If you plan to use SoftHSM, install softhsm2 package:
Initialize the SoftHSM token (here assuming you used slot 0).
The user PIN code has to match the <PIN> configured in
${SYSCONFDIR}/opendnssec/conf.xml:
# softhsm --init-token --slot 0 --label OpenDNSSEC
# pkg_add softhsm2
Make sure the token is writeable by the _opendnssec user:
# chown _opendnssec ${LOCALSTATEDIR}/opendnssec/softhsm/slot0.db
Create ${LOCALSTATEDIR}/opendnssec/softhsm/ directory for tokens storage,
instruct opendnssec to use this location:
# install -d -o _opendnssec -g _opendnssec -m 700 \
${LOCALSTATEDIR}/opendnssec/softhsm/
# grep tokendir ${SYSCONFDIR}/softhsm2.conf
directories.tokendir = ${LOCALSTATEDIR}/opendnssec/softhsm/
Choose preferred storage method, either 'file' or 'sqlite3':
# grep objectstore ${SYSCONFDIR}/softhsm2.conf
objectstore.backend = db
Initialize the SoftHSM token (here assuming you are using slot 0):
# doas -u _opendnssec softhsm2-util --init-token --slot 0 \
--label OpenDNSSEC
User PIN and token label must be reflected in appropriate sections
of ${SYSCONFDIR}/opendnssec/conf.xml:
# grep PIN ${SYSCONFDIR}/opendnssec/conf.xml
<PIN>MySecretUserPIN</PIN>
# grep TokenLabel ${SYSCONFDIR}/opendnssec/conf.xml
<TokenLabel>OpenDNSSEC</TokenLabel>
Verify token:
# doas -u _opendnssec softhsm2-util --show-slots
Available slots:
Slot 1557156002
Slot info:
Description: SoftHSM slot ID 0x5cd050a2
Manufacturer ID: SoftHSM project
Hardware version: 2.5
Firmware version: 2.5
Token present: yes
Token info:
Manufacturer ID: SoftHSM project
Model: SoftHSM v2
Hardware version: 2.5
Firmware version: 2.5
Serial number: e1a305015cd050a2
Initialized: yes
User PIN init.: yes
Label: OpenDNSSEC
Bootstrapping OpenDNSSEC
------------------------
Check if the configuration is valid:
# doas -u _opendnssec ods-kaspcheck
INFO: The XML in ${SYSCONFDIR}/opendnssec/conf.xml is valid
ERROR: SQLite datastore (${LOCALSTATEDIR}/opendnssec/kasp.db) does not exist
INFO: The XML in ${SYSCONFDIR}/opendnssec/kasp.xml is valid
INFO: The XML in ${SYSCONFDIR}/opendnssec/zonelist.xml is valid
Create an initial KASP database (if you are running the mysql flavor you
will first need to configure mariadb-server and modify <Datastore> in
${SYSCONFDIR}/opendnssec/conf.xml):
# ods-ksmutil setup
Start the OpenDNSSEC system:
# rcctl start opendnssec
# doas -u _opendnssec ods-enforcer-db-setup
*WARNING* This will erase all data in the database; are you sure? [y/N] y
Database setup successfully.
Start OpenDNSSEC:
# rcctl start opendnssec
Import policy:
# doas -u _opendnssec ods-enforcer policy import
Created policy default successfully
Check policy:
# ods-enforcer policy list
Policy: Description:
default ECDSAP256SHA256 NSEC3 KSK1Y ZSK90D
Copy an unsigned zone file into the unsigned/ directory:
# cp <somewhere>/example.com ${LOCALSTATEDIR}/opendnssec/unsigned/
Add the zone:
# ods-ksmutil zone add --zone example.com --policy default
# cp <somewhere>/example.com ${LOCALSTATEDIR}/opendnssec/unsigned/
Notify the enforcer of the updated database:
# ods-control enforcer notify
Import zones from zonelist.xml:
You now have a signed version of example.com in the signed/ directory:
# cat ${LOCALSTATEDIR}/opendnssec/signed/example.com
# doas -u _opendnssec ods-enforcer zonelist import
Zone example.com created successfully
List the keys for the zone:
# ods-ksmutil key list -v
Or add the zone from the command line:
# doas -u _opendnssec ods-enforcer zone add --zone example.com
input is set to ${LOCALSTATEDIR}/opendnssec/unsigned/example.com.
output is set to ${LOCALSTATEDIR}/opendnssec/signed/example.com.
Zone example.com added successfully
Check the zone:
# doas -u _opendnssec ods-enforcer zone list
Database set to: ${LOCALSTATEDIR}/opendnssec/kasp.db
Zones:
Zone: Policy: Next change:
example.com default Fri Nov 16 14:50:25 2018
List the keys:
# ods-enforcer key list
Keys:
Zone: Keytype: State: Date of next transition:
example.com KSK publish 2018-11-16 14:50:25
example.com ZSK ready 2018-11-16 14:50:25
After the KSK state transitions to "waiting for ds-seen", export the DS record:
# doas -u _opendnssec ods-enforcer key list
Keys:
Zone:
example.com KSK ready waiting for ds-seen
example.com ZSK active 2019-02-14 00:50:25
# doas -u _opendnssec ods-enforcer key export --zone example.com \
--keystate ready --keytype KSK --ds
;ready KSK DS record (SHA256):
example.com. 600 IN DS 65331 13 2 <DSKEY>
Before submitting DS record to the parent zone, run:
# doas -u _opendnssec \
ods-enforcer key ds-submit --zone example.com --keytag 65331
Then submit the DS record to the parent zone.
When DS RR appears in the parent zone, activate the KSK:
# ods-enforcer key ds-seen --zone example.com --keytag 65331
1 KSK matches found.
1 KSKs changed.
# ods-enforcer key list -v
Keys:
Zone: Keytype: State: Date of next transition:
example.com KSK active 2018-11-17 20:07:31
example.com ZSK active 2018-11-17 20:07:31
The signed zone will appear in ${LOCALSTATEDIR}/opendnssec/signed/ directory
or will be transferred to your authoritative DNS server, depending on the zone
output configuration.
Upgrading from version 1.4.x to 2.x
-----------------------------------
OpenDNSSEC enforcer database migration is required if you are upgrading from
1.4.x to 2.x. Read ${PREFIX}/share/doc/opendnssec/MIGRATION
for more information.
Database conversion scripts
---------------------------
Note that OpenDNSSEC database conversion scripts are installed in
${PREFIX}/sbin and renamed:
convert_mysql_to_sqlite to ods-convert_mysql_to_sqlite
convert_sqlite_to_mysql to ods-convert_sqlite_to_mysql


@ -1,6 +1,6 @@
#!/bin/ksh
#
# $OpenBSD: opendnssec.rc,v 1.2 2018/01/11 19:27:09 rpe Exp $
# $OpenBSD: opendnssec.rc,v 1.3 2019/01/25 08:32:02 pvk Exp $
daemon="${TRUEPREFIX}/sbin/ods-control"
@ -10,6 +10,10 @@ rc_reload=NO
pexp="${TRUEPREFIX}/sbin/ods-(enforcerd|signerd)"
rc_pre() {
install -d -o _opendnssec /var/run/opendnssec/
}
rc_start() {
${rcexec} "${daemon} start"
}
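Review bot: The new `rc_pre()` creates `/var/run/opendnssec/` with only `-o _opendnssec`, so the directory takes the invoking root's group and the default mode; since the conf.xml patch drops both User and Group to `_opendnssec`, `install -d -o _opendnssec -g _opendnssec /var/run/opendnssec/` keeps ownership consistent, and the path could use `${LOCALSTATEDIR}/run/opendnssec/` like the rest of the port's substituted files instead of a literal `/var/run`. If the `@sample ${LOCALSTATEDIR}/run/opendnssec/` line in the PLIST section is the removed one, the directory has moved from the package to the rc script, presumably because /var/run does not survive a reboot; a one-line comment in rc_pre stating that would explain why the rc script rather than the package owns it.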