Update opendnssec 1.4.14 -> 2.1.3

Take maintainership, OK'd by MAINTAINER; ok rsadowski@
2019-01-25 08:32:02 +00:00 · 2019-01-25 08:32:02 +00:00 · 28a5390a0c
commit 28a5390a0c
parent fd55fb6ae4
15 changed files with 496 additions and 89 deletions
--- a/security/opendnssec/Makefile
+++ b/security/opendnssec/Makefile
@ -1,28 +1,30 @@
-# $OpenBSD: Makefile,v 1.15 2018/09/04 12:46:21 espie Exp $
+# $OpenBSD: Makefile,v 1.16 2019/01/25 08:32:02 pvk Exp $

 COMMENT=	open-source turn-key solution for DNSSEC

-DISTNAME=	opendnssec-1.4.14
-REVISION=	1
+DISTNAME=	opendnssec-2.1.3

 CATEGORIES=	security

-HOMEPAGE=	http://www.opendnssec.org/
+HOMEPAGE=	https://www.opendnssec.org/

-MAINTAINER=	Patrik Lundin <patrik@sigterm.se>
+MAINTAINER=	Pavel Korovin <pvk@openbsd.org>

 # BSD
 PERMIT_PACKAGE_CDROM=	Yes

 WANTLIB += c crypto iconv ldns lzma m pthread xml2 z

-MASTER_SITES=	http://dist.opendnssec.org/source/
+MASTER_SITES=	https://dist.opendnssec.org/source/
+
+BUILD_DEPENDS=	devel/cunit

 LIB_DEPENDS=	converters/libiconv \
 		net/ldns/libldns \
 		textproc/libxml

-TEST_DEPENDS=	security/softhsm
+TEST_DEPENDS=	${BUILD_DEPENDS} \
+		security/softhsm2

 FAKE_FLAGS=	sysconfdir=${PREFIX}/share/examples/opendnssec

@ -47,11 +49,52 @@ LIB_DEPENDS+=	databases/mariadb
 ERRORS+= "Fatal: mutually exclusive flavors: ${FLAVORS}"
 .endif

+SUBST_TARGETS=	${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/README.md \
+	${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/convert_{mysql,sqlite} \
+	${WRKSRC}/enforcer/utils/convert_{mysql_to_sqlite,sqlite_to_mysql} \
+	${WRKSRC}/contrib/ods-sequencer/ods-sequencer-submit.sh \
+	${WRKSRC}/MIGRATION
+
+post-patch:
+	${SUBST_CMD} ${SUBST_TARGETS}
+
+# regress-db target doesn't currently work
+# https://github.com/opendnssec/opendnssec/commit/6b1b0da4a7ba5ae658aca49a45a45be4867f6806
+pre-test:
+	sed -i 's/^check: regress-db/\#check: regress-db/' \
+		${WRKSRC}/enforcer/src/db/test/Makefile
+
 post-install:
-	${INSTALL_DATA_DIR} ${PREFIX}/share/doc/opendnssec
-	cd ${WRKSRC}; \
-	${INSTALL_DATA} LICENSE ${PREFIX}/share/doc/opendnssec; \
-	${INSTALL_DATA} plugins/simple-dnskey-mailer/simple-dnskey-mailer.sh \
-			${PREFIX}/share/opendnssec
+	sed -i 's,#!/bin/bash,#!/bin/sh,' \
+		${WRKSRC}/contrib/ods-sequencer/ods-sequencer-submit.sh \
+		${WRKSRC}/contrib/simple-dnskey-mailer/simple-dnskey-mailer.sh
+	@find ${WRKSRC} -type f \
+		\( -name '*.beforesubst' -o -name '*.orig' \) -delete
+	${INSTALL_SCRIPT} ${WRKSRC}/enforcer/utils/convert_mysql_to_sqlite \
+		${PREFIX}/sbin/ods-convert_mysql_to_sqlite
+	${INSTALL_SCRIPT} ${WRKSRC}/enforcer/utils/convert_sqlite_to_mysql \
+		${PREFIX}/sbin/ods-convert_sqlite_to_mysql
+	${INSTALL_SCRIPT} ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/convert_mysql \
+		${PREFIX}/sbin/ods-migrate-mysql
+	${INSTALL_SCRIPT} ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/convert_sqlite \
+		${PREFIX}/sbin/ods-migrate-sqlite3
+	${INSTALL_DATA_DIR} ${PREFIX}/share/doc/opendnssec/
+	${INSTALL_DATA} ${WRKSRC}/{LICENSE,MIGRATION,NEWS} \
+		${PREFIX}/share/doc/opendnssec/
+	${INSTALL_DATA} ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/README.md \
+		${PREFIX}/share/doc/opendnssec/MIGRATE_1.4-2.0.md
+	${INSTALL_DATA_DIR} ${PREFIX}/share/examples/opendnssec/ods-sequencer/
+	${INSTALL_DATA} ${WRKSRC}/contrib/ods-sequencer/* \
+		${PREFIX}/share/examples/opendnssec/ods-sequencer/
+	${INSTALL_DATA} ${WRKSRC}/contrib/simple-dnskey-mailer/simple-dnskey-mailer.sh \
+		${PREFIX}/share/examples/opendnssec/
+	${INSTALL_DATA_DIR} ${PREFIX}/share/opendnssec/migration/
+	${INSTALL_DATA} ${WRKSRC}/enforcer/src/db/schema.* ${PREFIX}/share/opendnssec/
+	${INSTALL_DATA} ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/find_problematic_zones.sql \
+		${PREFIX}/share/opendnssec/migration/
+	${INSTALL_DATA} ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/sqlite_convert.sql \
+		${PREFIX}/share/opendnssec/migration/migrate-sqlite.sql
+	${INSTALL_DATA} ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/mysql_convert.sql \
+		${PREFIX}/share/opendnssec/migration/migrate-mysql.sql

 .include <bsd.port.mk>
--- a/security/opendnssec/distinfo
+++ b/security/opendnssec/distinfo
@ -1,2 +1,2 @@
-SHA256 (opendnssec-1.4.14.tar.gz) = 4cQexbxhdiM7LZT09PcD51h7rmdgdkqxvvA88QvR3N8=
-SIZE (opendnssec-1.4.14.tar.gz) = 1037188
+SHA256 (opendnssec-2.1.3.tar.gz) = PeKgPtyeK4w2a/CrVBAE+YR3fUgTBXy7p6eARdjL/n4=
+SIZE (opendnssec-2.1.3.tar.gz) = 1107073
--- a/security/opendnssec/patches/patch-MIGRATION
+++ b/security/opendnssec/patches/patch-MIGRATION
@ -0,0 +1,18 @@
+$OpenBSD: patch-MIGRATION,v 1.1 2019/01/25 08:32:02 pvk Exp $
+
+Index: MIGRATION
+--- MIGRATION.orig
+++ MIGRATION
+@@ -17,7 +17,8 @@ full resign of your zone when upgrading, however if yo
+ a full resign is needed.
+ 
+ The enforcer does require a full migration, as the internal database has
+-been completely revised.  See the documentation in the source tree
+-enforcer/utils/1.4-2.0_db_convert/README.md for a description.
+-Migration scripts are not installed and should be retrieved from the source
+-separately.
+been completely revised.
+See the documentation in ${PREFIX}/share/doc/opendnssec/MIGRATE_1.4-2.0.md
+for a description.
+
+Migration script is installed in ${PREFIX}/sbin/ods-migrate${FLAVOR_EXT}
--- a/security/opendnssec/patches/patch-conf_conf_xml_in
+++ b/security/opendnssec/patches/patch-conf_conf_xml_in
@ -1,6 +1,8 @@
-$OpenBSD: patch-conf_conf_xml_in,v 1.2 2016/11/19 12:25:27 sthen Exp $
--- conf/conf.xml.in.orig	Mon Oct 17 14:32:58 2016
-+++ conf/conf.xml.in	Mon Nov 14 18:41:45 2016
+$OpenBSD: patch-conf_conf_xml_in,v 1.3 2019/01/25 08:32:02 pvk Exp $
+
+Index: conf/conf.xml.in
+--- conf/conf.xml.in.orig
+++ conf/conf.xml.in
@@ -31,7 +31,7 @@
 		<Logging>
 			<!-- Command line verbosity will overwrite configure file -->
@ -10,41 +12,33 @@ $OpenBSD: patch-conf_conf_xml_in,v 1.2 2016/11/19 12:25:27 sthen Exp $
 		</Logging>
 		
 		<PolicyFile>@OPENDNSSEC_CONFIG_DIR@/kasp.xml</PolicyFile>
-@@ -39,19 +39,17 @@
+@@ -39,10 +39,10 @@
 	</Common>
 
 	<Enforcer>
-<!--
- 		<Privileges>
-			<User>opendnssec</User>
-			<Group>opendnssec</Group>
+-<?xmlif if condition privdrop="user|group|both"?>		<Privileges>
+-<?xmlif fi?><?xmlif if condition privdrop="user|both"?>			<User>@INSTALLATIONUSER@</User>
+-<?xmlif fi?><?xmlif if condition privdrop="group|both"?>			<Group>@INSTALLATIONGROUP@</Group>
+-<?xmlif fi?><?xmlif if condition privdrop="user|group|both"?>		</Privileges><?xmlif fi?>
+		<Privileges>
 +			<User>_opendnssec</User>
 +			<Group>_opendnssec</Group>
- 		</Privileges>
--->
- <!-- NOTE: Enforcer worker threads are not used; this option is ignored -->
- <!--
- 		<WorkerThreads>4</WorkerThreads>
- -->
+		</Privileges>
 
- 		<!-- <PidFile>@OPENDNSSEC_ENFORCER_PIDFILE@</PidFile> -->
-		<Datastore><SQLite>@OPENDNSSEC_STATE_DIR@/kasp.db</SQLite></Datastore>
-+		<Datastore><SQLite>@OPENDNSSEC_STATE_DIR@/db/kasp.db</SQLite></Datastore>
- 		<Interval>PT3600S</Interval>
+ 		<Datastore><SQLite>@OPENDNSSEC_STATE_DIR@/kasp.db</SQLite></Datastore>
 		<!-- <ManualKeyGeneration/> -->
- 		<!-- <RolloverNotification>P14D</RolloverNotification> -->
-@@ -63,12 +61,10 @@
+@@ -59,10 +59,10 @@
 	</Enforcer>
 
 	<Signer>
-<!--
- 		<Privileges>
-			<User>opendnssec</User>
-			<Group>opendnssec</Group>
+-<?xmlif if condition privdrop="user|group|both"?>		<Privileges>
+-<?xmlif fi?><?xmlif if condition privdrop="user|both"?>			<User>@INSTALLATIONUSER@</User>
+-<?xmlif fi?><?xmlif if condition privdrop="group|both"?>			<Group>@INSTALLATIONGROUP@</Group>
+-<?xmlif fi?><?xmlif if condition privdrop="user|group|both"?>		</Privileges><?xmlif fi?>
+		<Privileges>
 +			<User>_opendnssec</User>
 +			<Group>_opendnssec</Group>
- 		</Privileges>
--->
+		</Privileges>
 
- 		<!-- <PidFile>@OPENDNSSEC_SIGNER_PIDFILE@</PidFile> -->
- 		<!-- <SocketFile>@OPENDNSSEC_SIGNER_SOCKET@</SocketFile> -->
+ 		<WorkingDirectory>@OPENDNSSEC_STATE_DIR@/signer</WorkingDirectory>
+ 		<WorkerThreads>4</WorkerThreads>
--- a/security/opendnssec/patches/patch-contrib_ods-sequencer_ods-sequencer-submit_sh
+++ b/security/opendnssec/patches/patch-contrib_ods-sequencer_ods-sequencer-submit_sh
@ -0,0 +1,15 @@
+$OpenBSD: patch-contrib_ods-sequencer_ods-sequencer-submit_sh,v 1.1 2019/01/25 08:32:02 pvk Exp $
+
+Index: contrib/ods-sequencer/ods-sequencer-submit.sh
+--- contrib/ods-sequencer/ods-sequencer-submit.sh.orig
+++ contrib/ods-sequencer/ods-sequencer-submit.sh
+@@ -1,6 +1,6 @@
+-#!/bin/bash
+#!/bin/sh
+ 
+-now=`../../../sbin/ods-enforcer queue 2>&1 | sed -e 's/^It is now.*(\([0-9][0-9]*\)[^)]*).*$/\1/p' -e 'd'`
+-cat > ../../../var/opendnssec/sequences/$now-dssubmit
+now=`${PREFIX}/sbin/ods-enforcer queue 2>&1 | sed -e 's/^It is now.*(\([0-9][0-9]*\)[^)]*).*$/\1/p' -e 'd'`
+cat > ${LOCALSTATEDIR}/opendnssec/sequences/$now-dssubmit
+ 
+ exit 0
--- a/security/opendnssec/patches/patch-enforcer_utils_1_4-2_0_db_convert_README_md
+++ b/security/opendnssec/patches/patch-enforcer_utils_1_4-2_0_db_convert_README_md
@ -0,0 +1,75 @@
+$OpenBSD: patch-enforcer_utils_1_4-2_0_db_convert_README_md,v 1.1 2019/01/25 08:32:02 pvk Exp $
+
+Index: enforcer/utils/1.4-2.0_db_convert/README.md
+--- enforcer/utils/1.4-2.0_db_convert/README.md.orig
+++ enforcer/utils/1.4-2.0_db_convert/README.md
+@@ -16,8 +16,8 @@ General preparation
+ -------------------
+ 
+  * First stop OpenDNSSEC entirely.
+- * You are strongly advised to backup /etc/opendnssec and /var/opendnssec before
+-   continuing.
+ * You are strongly advised to backup ${SYSCONFDIR}/opendnssec and
+   ${LOCALSTATEDIR}/opendnssec before continuing.
+  * Also prevent any nameserver from receiving updates from OpenDNSSEC until
+    you are sure the migration was successful.
+  * It is discouraged to perform the migration during a rollover. The migration
+@@ -31,27 +31,32 @@ Conversion Sqlite
+ 
+ There are 2 relevant files for the conversion:
+ 
+- * convert_sqlite - A bash conversion script
+- * sqlite_convert.sql - Contains SQL statements, called by convert_sqlite
+ * ${PREFIX}/sbin/ods-migrate-sqlite3 - Conversion script
+ * ${PREFIX}/share/opendnssec/migration/migrate-sqlite.sql -
+	Contains SQL statements, called by ods-migrate-sqlite3
+ 
+-call the script like so: `./convert_sqlite -i INPUT -o OUTPUT`. Where INPUT is
+-the kasp.db file commonly found in _/var/opendnssec/kasp.db_. And OUTPUT is a
+-non-existing file where the new database should go. On success, replace old
+-database file with the new database file or adjust _conf.xml_ accordingly.
+Call the script like so: `${PREFIX}/sbin/ods-migrate-sqlite3 -i INPUT -o OUTPUT`.
+Where INPUT is the kasp.db file commonly found in _${LOCALSTATEDIR}/opendnssec/db/kasp.db_.
+And OUTPUT is a non-existing file where the new database should go,
+default location for OpenDNSSEC 2.x is _${LOCALSTATEDIR}/opendnssec/kasp.db_.
+On success, replace old database file with the new database file or adjust
+_${SYSCONFDIR}/opendnssec/conf.xml_ accordingly.
+ 
+ Conversion MySQL
+ ----------------
+  
+ There are 2 relevant files for the conversion:
+ 
+- * convert_mysql - A bash conversion script
+- * mysql_convert.sql - Contains SQL statements, called by convert_mysql
+ * ${PREFIX}/sbin/ods-migrate-mysql - Conversion script
+ * ${PREFIX}/share/opendnssec/migration/migrate-mysql.sql -
+	Contains SQL statements, called by convert_mysql
+ 
+-call the script like so: `./convert_sqlite -i INPUT -o OUTPUT -h HOST -u USER
+--p PASSWORD`. Where INPUT is the name of the existing database on HOST. And
+Call the script like so:
+`${PREFIX}/sbin/ods-migrate-mysql -i INPUT -o OUTPUT -h HOST -u USER -p PASSWORD`.
+Where INPUT is the name of the existing database on HOST. And
+ OUTPUT is a non-existing database on the same host where the new database
+ should go. On success, replace old database with the new database file or
+-adjust _conf.xml_ accordingly.
+adjust _${SYSCONFDIR}/opendnssec/conf.xml_ accordingly.
+   
+ Post Conversion
+ ---------------
+@@ -59,11 +64,11 @@ Post Conversion
+ ODS 2.0 stores the keytags in the database, 1.4 unfortunately does not.
+ Therefore an additional tool is provided which calculates the keytags and
+ stores them in the database. Make sure that at this point conf.xml points to
+-the new database. Then run `ods-migrate`.
+the new database. Then run `${PREFIX}/sbin/ods-migrate`.
+ 
+ Now your new database is ready for use. At this point the signer will refuse to
+-run because the file `/var/opendnssec/enforcer/zones.xml` does not exist
+-yet.  In ODS 1.4 `/etc/opendnssec/zonelist.xml` is always on par with the
+run because the file `${LOCALSTATEDIR}/opendnssec/enforcer/zones.xml` does not exist
+yet.  In ODS 1.4 `${SYSCONFDIR}/opendnssec/zonelist.xml` is always on par with the
+ database contents (this is no longer true for 2.0) so it is safe to copy this
+ file over to the missing file.
+ 
--- a/security/opendnssec/patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_mysql
+++ b/security/opendnssec/patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_mysql
@ -0,0 +1,36 @@
+$OpenBSD: patch-enforcer_utils_1_4-2_0_db_convert_convert_mysql,v 1.1 2019/01/25 08:32:02 pvk Exp $
+
+Index: enforcer/utils/1.4-2.0_db_convert/convert_mysql
+--- enforcer/utils/1.4-2.0_db_convert/convert_mysql.orig
+++ enforcer/utils/1.4-2.0_db_convert/convert_mysql
+@@ -1,11 +1,11 @@
+-#!/bin/bash
+#!/bin/sh
+ set -e
+ 
+ # This scipt converts a ODS 1.4.9 MySQL database to ODS 2.0. It assumes both
+ # old and new databases live on the same host and are accessable by the same 
+ # user.
+ 
+-SCHEMA=../../src/db/schema.mysql
+SCHEMA=${PREFIX}/share/opendnssec/schema.mysql
+ 
+ DB_IN=""
+ DB_OUT=""
+@@ -44,7 +44,7 @@ if [ ! $DB_VERSION -eq 4 ]; then
+ fi
+ 
+ # Look for zones without an active key.
+-Z=`mysql -u $DB_USR -p$DB_PWD -h $DB_HOST $DB_IN < find_problematic_zones.sql`	
+Z=`mysql -u $DB_USR -p$DB_PWD -h $DB_HOST $DB_IN < ${PREFIX}/share/opendnssec/migration/find_problematic_zones.sql`	
+ if [[ $Z = *[![:space:]]* ]]; then
+ 	echo "Found zones without an active KSK but with a ready KSK waiting for ds-seen. This can cause problem after the conversion if the DS was actually already uploaded. You are adviced to submit these DS records and issue a ds-seen command before continueing. If you know better, disable this check to continue."
+ 	       echo "Zones: $Z"
+@@ -59,6 +59,6 @@ echo "Creating tables in $DB_OUT (as user $DB_USR)"
+ mysql -u $DB_USR -p$DB_PWD -h $DB_HOST $DB_OUT < $SCHEMA
+ 
+ echo "Converting database"
+-sed "s/REMOTE/$DB_IN/g" mysql_convert.sql > TMP
+sed "s/REMOTE/$DB_IN/g" ${PREFIX}/share/opendnssec/migration/migrate-mysql.sql > TMP
+ mysql -u $DB_USR -p$DB_PWD -h $DB_HOST $DB_OUT < TMP
+ rm TMP
--- a/security/opendnssec/patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_sqlite
+++ b/security/opendnssec/patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_sqlite
@ -0,0 +1,33 @@
+$OpenBSD: patch-enforcer_utils_1_4-2_0_db_convert_convert_sqlite,v 1.1 2019/01/25 08:32:02 pvk Exp $
+
+Index: enforcer/utils/1.4-2.0_db_convert/convert_sqlite
+--- enforcer/utils/1.4-2.0_db_convert/convert_sqlite.orig
+++ enforcer/utils/1.4-2.0_db_convert/convert_sqlite
+@@ -1,9 +1,9 @@
+-#!/bin/bash
+#!/bin/sh
+ set -e
+ 
+ # This scipt converts a ODS 1.4.9 Sqlite database to ODS 2.0.
+ 
+-SCHEMA=../../src/db/schema.sqlite
+SCHEMA=${PREFIX}/share/opendnssec/schema.sqlite
+ 
+ DB_IN=""
+ DB_OUT=""
+@@ -36,7 +36,7 @@ if [ ! $DB_VERSION -eq 4 ]; then
+ fi
+ 
+ # Look for zones without an active key.
+-Z=`sqlite3 $DB_IN < find_problematic_zones.sql`
+Z=`sqlite3 $DB_IN < ${PREFIX}/share/opendnssec/migration/find_problematic_zones.sql`
+ if [[ $Z = *[![:space:]]* ]]; then
+ 	echo "Found zones without an active KSK but with a ready KSK waiting for ds-seen. This can cause problem after the conversion if the DS was actually already uploaded. You are adviced to submit these DS records and issue a ds-seen command before continueing. If you know better, disable this check to continue."
+ 	       echo "Zones: $Z"
+@@ -46,5 +46,5 @@ fi
+ rm -f $DB_OUT
+ sqlite3 $DB_OUT < $SCHEMA 
+ echo "attach '$DB_IN' as REMOTE;" |
+-	cat - sqlite_convert.sql | sqlite3 $DB_OUT
+	cat - ${PREFIX}/share/opendnssec/migration/migrate-sqlite.sql | sqlite3 $DB_OUT
+ 
--- a/security/opendnssec/patches/patch-enforcer_utils_convert_mysql_to_sqlite
+++ b/security/opendnssec/patches/patch-enforcer_utils_convert_mysql_to_sqlite
@ -0,0 +1,21 @@
+$OpenBSD: patch-enforcer_utils_convert_mysql_to_sqlite,v 1.1 2019/01/25 08:32:02 pvk Exp $
+
+Index: enforcer/utils/convert_mysql_to_sqlite
+--- enforcer/utils/convert_mysql_to_sqlite.orig
+++ enforcer/utils/convert_mysql_to_sqlite
+@@ -1,11 +1,11 @@
+-#!/usr/bin/env bash
+#!/bin/sh
+ set -e
+ 
+-# This scipt converts a MySQL to a SQLite database. It assumes both
+-# old and new databases live on the same host and are accessable by the same 
+# This script converts a MySQL to a SQLite database. It assumes both
+# old and new databases live on the same host and are accessible by the same 
+ # user.
+ 
+-SCHEMA=../src/db/schema.sqlite
+SCHEMA=${PREFIX}/share/opendnssec/schema.sqlite
+ 
+ DB_IN=""
+ DB_OUT=""
--- a/security/opendnssec/patches/patch-enforcer_utils_convert_sqlite_to_mysql
+++ b/security/opendnssec/patches/patch-enforcer_utils_convert_sqlite_to_mysql
@ -0,0 +1,21 @@
+$OpenBSD: patch-enforcer_utils_convert_sqlite_to_mysql,v 1.1 2019/01/25 08:32:02 pvk Exp $
+
+Index: enforcer/utils/convert_sqlite_to_mysql
+--- enforcer/utils/convert_sqlite_to_mysql.orig
+++ enforcer/utils/convert_sqlite_to_mysql
+@@ -1,11 +1,11 @@
+-#!/usr/bin/env bash
+#!/bin/sh
+ set -e
+ 
+-# This scipt converts a SQLite3 to a MySQL database. It assumes both
+-# old and new databases live on the same host and are accessable by the same 
+# This script converts a SQLite3 to a MySQL database. It assumes both
+# old and new databases live on the same host and are accessible by the same 
+ # user.
+ 
+-SCHEMA=../src/db/schema.mysql
+SCHEMA=${PREFIX}/share/opendnssec/schema.mysql
+ 
+ DB_IN=""
+ DB_OUT=""
--- a/security/opendnssec/pkg/PFRAG.mysql
+++ b/security/opendnssec/pkg/PFRAG.mysql
@ -1,2 +1,5 @@
-@comment $OpenBSD: PFRAG.mysql,v 1.1.1.1 2015/10/13 17:03:55 jca Exp $
-share/opendnssec/database_create.mysql
+@comment $OpenBSD: PFRAG.mysql,v 1.2 2019/01/25 08:32:02 pvk Exp $
+sbin/ods-convert_sqlite_to_mysql
+sbin/ods-migrate-mysql
+share/opendnssec/migration/migrate-mysql.sql
+share/opendnssec/schema.mysql
--- a/security/opendnssec/pkg/PFRAG.sqlite3
+++ b/security/opendnssec/pkg/PFRAG.sqlite3
@ -1,2 +1,5 @@
-@comment $OpenBSD: PFRAG.sqlite3,v 1.1.1.1 2015/10/13 17:03:55 jca Exp $
-share/opendnssec/database_create.sqlite3
+@comment $OpenBSD: PFRAG.sqlite3,v 1.2 2019/01/25 08:32:02 pvk Exp $
+sbin/ods-convert_mysql_to_sqlite
+sbin/ods-migrate-sqlite3
+share/opendnssec/migration/migrate-sqlite.sql
+share/opendnssec/schema.sqlite
--- a/security/opendnssec/pkg/PLIST
+++ b/security/opendnssec/pkg/PLIST
@ -1,36 +1,44 @@
-@comment $OpenBSD: PLIST,v 1.3 2018/09/04 12:46:21 espie Exp $
+@comment $OpenBSD: PLIST,v 1.4 2019/01/25 08:32:02 pvk Exp $
+@conflict opendnssec-<2.1.3
+@ask-update opendnssec-<2.1.3 OpenDNSSEC enforcer database migration required
@newgroup _opendnssec:757
@newuser _opendnssec:757:_opendnssec:daemon:OpenDNSSEC Account:/nonexistent:/sbin/nologin
-@bin bin/ods-getconf
+@rcscript ${RCDIR}/opendnssec
@bin bin/ods-hsmspeed
@bin bin/ods-hsmutil
 bin/ods-kasp2html
@bin bin/ods-kaspcheck
-@bin bin/ods-ksmutil
@man man/man1/ods-hsmspeed.1
@man man/man1/ods-hsmutil.1
@man man/man1/ods-kaspcheck.1
-@man man/man1/ods-ksmutil.1
+@man man/man5/ods-kasp.5
@man man/man5/ods-timing.5
@man man/man7/opendnssec.7
@man man/man8/ods-control.8
+@man man/man8/ods-enforcer-db-setup.8
+@man man/man8/ods-enforcer.8
@man man/man8/ods-enforcerd.8
-@man man/man8/ods-getconf.8
@man man/man8/ods-signer.8
@man man/man8/ods-signerd.8
 sbin/ods-control
+@bin sbin/ods-enforcer
+@bin sbin/ods-enforcer-db-setup
@bin sbin/ods-enforcerd
+@bin sbin/ods-migrate
@bin sbin/ods-signer
@bin sbin/ods-signerd
+share/doc/opendnssec/
+share/doc/opendnssec/LICENSE
+share/doc/opendnssec/MIGRATE_1.4-2.0.md
+share/doc/opendnssec/MIGRATION
+share/doc/opendnssec/NEWS
+share/doc/pkg-readmes/${PKGSTEM}
+share/examples/opendnssec/
@mode 0750
@group _opendnssec
@sample ${SYSCONFDIR}/opendnssec/
@mode
@group
-share/doc/opendnssec/
-share/doc/opendnssec/LICENSE
-share/doc/pkg-readmes/${PKGSTEM}
-share/examples/opendnssec/
 share/examples/opendnssec/addns.xml
@mode 0640
@group _opendnssec
@ -52,6 +60,11 @@ share/examples/opendnssec/kasp.xml
@mode
@group
 share/examples/opendnssec/kasp.xml.sample
+share/examples/opendnssec/ods-sequencer/
+share/examples/opendnssec/ods-sequencer/ods-sequencer
+share/examples/opendnssec/ods-sequencer/ods-sequencer-submit.sh
+share/examples/opendnssec/ods-sequencer/ods-sequencer.md
+share/examples/opendnssec/simple-dnskey-mailer.sh
 share/examples/opendnssec/zonelist.xml
@mode 0640
@group _opendnssec
@ -64,27 +77,26 @@ share/opendnssec/addns.rnc
 share/opendnssec/addns.rng
 share/opendnssec/conf.rnc
 share/opendnssec/conf.rng
-%%sqlite3%%
-%%mysql%%
 share/opendnssec/enforcerstate.rnc
 share/opendnssec/enforcerstate.rng
 share/opendnssec/kasp.rnc
 share/opendnssec/kasp.rng
 share/opendnssec/kasp2html.xsl
+share/opendnssec/migration/
+share/opendnssec/migration/find_problematic_zones.sql
 share/opendnssec/signconf.rnc
 share/opendnssec/signconf.rng
-share/opendnssec/simple-dnskey-mailer.sh
 share/opendnssec/zonelist.rnc
 share/opendnssec/zonelist.rng
-@sample ${LOCALSTATEDIR}/opendnssec/
+%%sqlite3%%
+%%mysql%%
+@mode 0750
@owner _opendnssec
@group _opendnssec
-@sample ${LOCALSTATEDIR}/opendnssec/db/
+@sample ${LOCALSTATEDIR}/opendnssec/
+@sample ${LOCALSTATEDIR}/opendnssec/enforcer/
@sample ${LOCALSTATEDIR}/opendnssec/signconf/
@sample ${LOCALSTATEDIR}/opendnssec/signed/
-@sample ${LOCALSTATEDIR}/opendnssec/tmp/
+@sample ${LOCALSTATEDIR}/opendnssec/signer/
@sample ${LOCALSTATEDIR}/opendnssec/unsigned/
-@sample ${LOCALSTATEDIR}/opendnssec/softhsm/
-@owner
-@group
-@rcscript ${RCDIR}/opendnssec
+@sample ${LOCALSTATEDIR}/run/opendnssec/
--- a/security/opendnssec/pkg/README
+++ b/security/opendnssec/pkg/README
@ -1,4 +1,4 @@
-$OpenBSD: README,v 1.3 2018/09/04 12:46:21 espie Exp $
+$OpenBSD: README,v 1.4 2019/01/25 08:32:02 pvk Exp $

 +-----------------------------------------------------------------------
 | Running ${PKGSTEM} on OpenBSD
@ -8,43 +8,172 @@ Getting started
 ===============
 This is a summary of steps needed to get OpenDNSSEC up and running in a
 basic state using SoftHSM as the key backend. Make sure you have
-installed the softhsm package before proceeding.
+installed the softhsm2 package before proceeding.

 Initial setup of SoftHSM
 ------------------------
-Configure SoftHSM to store its token in
-${LOCALSTATEDIR}/opendnssec/softhsm/:
-# vi ${SYSCONFDIR}/softhsm.conf
+If you plan to use SoftHSM, install softhsm2 package:

-Initialize the SoftHSM token (here assuming you used slot 0).
-The user PIN code has to match the <PIN> configured in
-${SYSCONFDIR}/opendnssec/conf.xml:
-# softhsm --init-token --slot 0 --label OpenDNSSEC
+    # pkg_add softhsm2

-Make sure the token is writeable by the _opendnssec user:
-# chown _opendnssec ${LOCALSTATEDIR}/opendnssec/softhsm/slot0.db
+Create ${LOCALSTATEDIR}/opendnssec/softhsm/ directory for tokens storage,
+instruct opendnssec to use this location:
+
+    # install -d -o _opendnssec -g _opendnssec -m 700 \
+        ${LOCALSTATEDIR}/opendnssec/softhsm/
+
+    # grep tokendir ${SYSCONFDIR}/softhsm2.conf
+    directories.tokendir = ${LOCALSTATEDIR}/opendnssec/softhsm/
+
+Choose preferred storage method, either 'file' or 'sqlite3':
+
+    # grep objectstore ${SYSCONFDIR}/softhsm2.conf
+    objectstore.backend = db
+
+Initialize the SoftHSM token (here assuming you are using slot 0):
+
+    # doas -u _opendnssec softhsm2-util --init-token --slot 0 \
+        --label OpenDNSSEC
+
+User PIN and token label must be reflected in appropriate sections
+of ${SYSCONFDIR}/opendnssec/conf.xml:
+
+    # grep PIN ${SYSCONFDIR}/opendnssec/conf.xml
+                        <PIN>MySecretUserPIN</PIN>
+
+    # grep TokenLabel ${SYSCONFDIR}/opendnssec/conf.xml
+                        <TokenLabel>OpenDNSSEC</TokenLabel>
+Verify token:
+
+	# doas -u _opendnssec softhsm2-util --show-slots
+        Available slots:
+        Slot 1557156002
+            Slot info:
+                Description:      SoftHSM slot ID 0x5cd050a2
+                Manufacturer ID:  SoftHSM project
+                Hardware version: 2.5
+                Firmware version: 2.5
+                Token present:    yes
+            Token info:
+                Manufacturer ID:  SoftHSM project
+                Model:            SoftHSM v2
+                Hardware version: 2.5
+                Firmware version: 2.5
+                Serial number:    e1a305015cd050a2
+                Initialized:      yes
+                User PIN init.:   yes
+                Label:            OpenDNSSEC

 Bootstrapping OpenDNSSEC
 ------------------------
+
+Check if the configuration is valid:
+
+    # doas -u _opendnssec ods-kaspcheck
+    INFO: The XML in ${SYSCONFDIR}/opendnssec/conf.xml is valid
+    ERROR: SQLite datastore (${LOCALSTATEDIR}/opendnssec/kasp.db) does not exist
+    INFO: The XML in ${SYSCONFDIR}/opendnssec/kasp.xml is valid
+    INFO: The XML in ${SYSCONFDIR}/opendnssec/zonelist.xml is valid
+
 Create an initial KASP database (if you are running the mysql flavor you
 will first need to configure mariadb-server and modify <Datastore> in
 ${SYSCONFDIR}/opendnssec/conf.xml):
-# ods-ksmutil setup

-Start the OpenDNSSEC system:
-# rcctl start opendnssec
+    # doas -u _opendnssec ods-enforcer-db-setup
+    *WARNING* This will erase all data in the database; are you sure? [y/N] y
+    Database setup successfully.
+
+Start OpenDNSSEC:
+
+    # rcctl start opendnssec
+
+Import policy:
+
+    # doas -u _opendnssec ods-enforcer policy import
+    Created policy default successfully
+
+Check policy:
+
+    # ods-enforcer policy list
+    Policy:                         Description:
+    default                         ECDSAP256SHA256 NSEC3 KSK1Y ZSK90D

 Copy an unsigned zone file into the unsigned/ directory:
-# cp <somewhere>/example.com ${LOCALSTATEDIR}/opendnssec/unsigned/

-Add the zone:
-# ods-ksmutil zone add --zone example.com --policy default
+    # cp <somewhere>/example.com ${LOCALSTATEDIR}/opendnssec/unsigned/

-Notify the enforcer of the updated database:
-# ods-control enforcer notify
+Import zones from zonelist.xml:

-You now have a signed version of example.com in the signed/ directory:
-# cat ${LOCALSTATEDIR}/opendnssec/signed/example.com
+    # doas -u _opendnssec ods-enforcer zonelist import
+    Zone example.com created successfully

-List the keys for the zone:
-# ods-ksmutil key list -v
+Or add the zone from the command line:
+
+    # doas -u _opendnssec ods-enforcer zone add --zone example.com
+    input is set to ${LOCALSTATEDIR}/opendnssec/unsigned/example.com.
+    output is set to ${LOCALSTATEDIR}/opendnssec/signed/example.com.
+    Zone example.com added successfully
+
+Check the zone:
+
+    # doas -u _opendnssec ods-enforcer zone list
+    Database set to: ${LOCALSTATEDIR}/opendnssec/kasp.db
+    Zones:
+    Zone:                           Policy:       Next change:
+    example.com                     default       Fri Nov 16 14:50:25 2018
+
+List the keys:
+
+    # ods-enforcer key list
+    Keys:
+    Zone:                           Keytype: State:    Date of next transition:
+    example.com                     KSK      publish   2018-11-16 14:50:25
+    example.com                     ZSK      ready     2018-11-16 14:50:25
+
+After the KSK state transitions to "waiting for ds-seen", export the DS record:
+
+    # doas -u _opendnssec ods-enforcer key list
+    Keys:
+    Zone:
+    example.com                     KSK      ready     waiting for ds-seen
+    example.com                     ZSK      active    2019-02-14 00:50:25
+
+    # doas -u _opendnssec ods-enforcer key export --zone example.com \
+        --keystate ready --keytype KSK --ds
+    ;ready KSK DS record (SHA256):
+    example.com.    600     IN      DS      65331 13 2 <DSKEY>
+
+Before submitting DS record to the parent zone, run:
+
+    # doas -u _opendnssec \
+        ods-enforcer key ds-submit --zone example.com --keytag 65331
+
+Then submit the DS record to the parent zone.
+
+When DS RR appears in the parent zone, activate the KSK:
+
+    # ods-enforcer key ds-seen --zone example.com --keytag 65331
+    1 KSK matches found.
+    1 KSKs changed.
+    # ods-enforcer key list -v
+    Keys:
+    Zone:                           Keytype: State:    Date of next transition:
+    example.com                     KSK      active    2018-11-17 20:07:31
+    example.com                     ZSK      active    2018-11-17 20:07:31
+
+The signed zone will appear in ${LOCALSTATEDIR}/opendnssec/signed/ directory
+or will be transferred to your authoritative DNS server, depending on the zone
+output configuration.
+
+Upgrading from version 1.4.x to 2.x
+-----------------------------------
+OpenDNSSEC enforcer database migration is required if you are upgrading from
+1.4.x to 2.x. Read ${PREFIX}/share/doc/opendnssec/MIGRATION
+for more information.
+
+Database conversion scripts
+---------------------------
+Note that OpenDNSSEC database conversion scripts are installed in
+${PREFIX}/sbin and renamed:
+    convert_mysql_to_sqlite to ods-convert_mysql_to_sqlite
+    convert_sqlite_to_mysql to ods-convert_sqlite_to_mysql
--- a/security/opendnssec/pkg/opendnssec.rc
+++ b/security/opendnssec/pkg/opendnssec.rc
@ -1,6 +1,6 @@
 #!/bin/ksh
 #
-# $OpenBSD: opendnssec.rc,v 1.2 2018/01/11 19:27:09 rpe Exp $
+# $OpenBSD: opendnssec.rc,v 1.3 2019/01/25 08:32:02 pvk Exp $

 daemon="${TRUEPREFIX}/sbin/ods-control"

@ -10,6 +10,10 @@ rc_reload=NO

 pexp="${TRUEPREFIX}/sbin/ods-(enforcerd|signerd)"

+rc_pre() {
+	install -d -o _opendnssec /var/run/opendnssec/
+}
+
 rc_start() {
 	${rcexec} "${daemon} start"
 }