Dear all, Please see the revised patch for the latest opendnssec, plus a patch for www/faq/current.html.
Took the maintainership (OK'd by maintainer Patrik Lundin), switched HOMEPAGE/MASTER_SITES to https as suggested by Rafael Sadowski, fixed package docs dir in pkg README. Looking for OK's to commit. -- With best regards, Pavel Korovin
Index: Makefile =================================================================== RCS file: /cvs/ports/security/opendnssec/Makefile,v retrieving revision 1.15 diff -u -p -r1.15 Makefile --- Makefile 4 Sep 2018 12:46:21 -0000 1.15 +++ Makefile 18 Jan 2019 20:19:49 -0000 @@ -2,27 +2,29 @@ COMMENT= open-source turn-key solution for DNSSEC -DISTNAME= opendnssec-1.4.14 -REVISION= 1 +DISTNAME= opendnssec-2.1.3 CATEGORIES= security -HOMEPAGE= http://www.opendnssec.org/ +HOMEPAGE= https://www.opendnssec.org/ -MAINTAINER= Patrik Lundin <pat...@sigterm.se> +MAINTAINER= Pavel Korovin <p...@openbsd.org> # BSD PERMIT_PACKAGE_CDROM= Yes WANTLIB += c crypto iconv ldns lzma m pthread xml2 z -MASTER_SITES= http://dist.opendnssec.org/source/ +MASTER_SITES= https://dist.opendnssec.org/source/ + +BUILD_DEPENDS= devel/cunit LIB_DEPENDS= converters/libiconv \ net/ldns/libldns \ textproc/libxml -TEST_DEPENDS= security/softhsm +TEST_DEPENDS= ${BUILD_DEPENDS} \ + security/softhsm2 FAKE_FLAGS= sysconfdir=${PREFIX}/share/examples/opendnssec 
@@ -47,11 +49,52 @@ LIB_DEPENDS+= databases/mariadb ERRORS+= "Fatal: mutually exclusive flavors: ${FLAVORS}" .endif +SUBST_TARGETS= ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/README.md \ + ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/convert_{mysql,sqlite} \ + ${WRKSRC}/enforcer/utils/convert_{mysql_to_sqlite,sqlite_to_mysql} \ + ${WRKSRC}/contrib/ods-sequencer/ods-sequencer-submit.sh \ + ${WRKSRC}/MIGRATION + +post-patch: + ${SUBST_CMD} ${SUBST_TARGETS} + +# regress-db target doesn't currently work +# https://github.com/opendnssec/opendnssec/commit/6b1b0da4a7ba5ae658aca49a45a45be4867f6806 +pre-test: + sed -i 's/^check: regress-db/\#check: regress-db/' \ + ${WRKSRC}/enforcer/src/db/test/Makefile + post-install: - ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/opendnssec - cd ${WRKSRC}; \ - ${INSTALL_DATA} LICENSE ${PREFIX}/share/doc/opendnssec; \ - ${INSTALL_DATA} plugins/simple-dnskey-mailer/simple-dnskey-mailer.sh \ - ${PREFIX}/share/opendnssec + sed -i 's,#!/bin/bash,#!/bin/sh,' \ + ${WRKSRC}/contrib/ods-sequencer/ods-sequencer-submit.sh \ + ${WRKSRC}/contrib/simple-dnskey-mailer/simple-dnskey-mailer.sh + @find ${WRKSRC} -type f \ + \( -name '*.beforesubst' -o -name '*.orig' \) -delete + ${INSTALL_SCRIPT} ${WRKSRC}/enforcer/utils/convert_mysql_to_sqlite \ + ${PREFIX}/sbin/ods-convert_mysql_to_sqlite + ${INSTALL_SCRIPT} ${WRKSRC}/enforcer/utils/convert_sqlite_to_mysql \ + ${PREFIX}/sbin/ods-convert_sqlite_to_mysql + ${INSTALL_SCRIPT} ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/convert_mysql \ + ${PREFIX}/sbin/ods-migrate-mysql + ${INSTALL_SCRIPT} ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/convert_sqlite \ + ${PREFIX}/sbin/ods-migrate-sqlite3 + ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/opendnssec/ + ${INSTALL_DATA} ${WRKSRC}/{LICENSE,MIGRATION,NEWS} \ + ${PREFIX}/share/doc/opendnssec/ + ${INSTALL_DATA} ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/README.md \ + ${PREFIX}/share/doc/opendnssec/MIGRATE_1.4-2.0.md + ${INSTALL_DATA_DIR} 
${PREFIX}/share/examples/opendnssec/ods-sequencer/ + ${INSTALL_DATA} ${WRKSRC}/contrib/ods-sequencer/* \ + ${PREFIX}/share/examples/opendnssec/ods-sequencer/ + ${INSTALL_DATA} ${WRKSRC}/contrib/simple-dnskey-mailer/simple-dnskey-mailer.sh \ + ${PREFIX}/share/examples/opendnssec/ + ${INSTALL_DATA_DIR} ${PREFIX}/share/opendnssec/migration/ + ${INSTALL_DATA} ${WRKSRC}/enforcer/src/db/schema.* ${PREFIX}/share/opendnssec/ + ${INSTALL_DATA} ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/find_problematic_zones.sql \ + ${PREFIX}/share/opendnssec/migration/ + ${INSTALL_DATA} ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/sqlite_convert.sql \ + ${PREFIX}/share/opendnssec/migration/migrate-sqlite.sql + ${INSTALL_DATA} ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/mysql_convert.sql \ + ${PREFIX}/share/opendnssec/migration/migrate-mysql.sql .include <bsd.port.mk> Index: distinfo =================================================================== RCS file: /cvs/ports/security/opendnssec/distinfo,v retrieving revision 1.6 diff -u -p -r1.6 distinfo --- distinfo 10 Jul 2017 18:12:05 -0000 1.6 +++ distinfo 18 Jan 2019 20:19:49 -0000 @@ -1,2 +1,2 @@ -SHA256 (opendnssec-1.4.14.tar.gz) = 4cQexbxhdiM7LZT09PcD51h7rmdgdkqxvvA88QvR3N8= -SIZE (opendnssec-1.4.14.tar.gz) = 1037188 +SHA256 (opendnssec-2.1.3.tar.gz) = PeKgPtyeK4w2a/CrVBAE+YR3fUgTBXy7p6eARdjL/n4= +SIZE (opendnssec-2.1.3.tar.gz) = 1107073 Index: patches/patch-MIGRATION =================================================================== RCS file: patches/patch-MIGRATION diff -N patches/patch-MIGRATION --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-MIGRATION 18 Jan 2019 20:19:49 -0000 
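Review bot: The `sed -i 's,#!/bin/bash,#!/bin/sh,'` in post-install duplicates for ods-sequencer-submit.sh what patches/patch-contrib_ods-sequencer_ods-sequencer-submit_sh already does, and for simple-dnskey-mailer.sh it hides a shebang change that belongs in a patch file (or at least in post-patch next to `${SUBST_CMD}`), where a reviewer can see it and a `bash`-only construct in that script would be caught. Swapping bash for OpenBSD's ksh-based /bin/sh is only safe if the scripts avoid bashisms; the convert_* scripts use `[[ ... ]]` with `[![:space:]]`, which ksh accepts, but that reasoning should be stated in the patch headers rather than left implicit. Note also that simple-dnskey-mailer.sh is installed into share/examples without passing through `SUBST_TARGETS`, so any hard-coded paths it contains (not visible here) stay unsubstituted, unlike the sequencer files.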
@@ -0,0 +1,18 @@ +$OpenBSD$ + +Index: MIGRATION +--- MIGRATION.orig ++++ MIGRATION +@@ -17,7 +17,8 @@ full resign of your zone when upgrading, however if yo + a full resign is needed. + + The enforcer does require a full migration, as the internal database has +-been completely revised. See the documentation in the source tree +-enforcer/utils/1.4-2.0_db_convert/README.md for a description. +-Migration scripts are not installed and should be retrieved from the source +-separately. ++been completely revised. ++See the documentation in ${PREFIX}/share/doc/opendnssec/MIGRATE_1.4-2.0.md ++for a description. ++ ++Migration script is installed in ${PREFIX}/sbin/ods-migrate${FLAVOR_EXT} Index: patches/patch-conf_conf_xml_in =================================================================== RCS file: /cvs/ports/security/opendnssec/patches/patch-conf_conf_xml_in,v retrieving revision 1.2 diff -u -p -r1.2 patch-conf_conf_xml_in --- patches/patch-conf_conf_xml_in 19 Nov 2016 12:25:27 -0000 1.2 +++ patches/patch-conf_conf_xml_in 18 Jan 2019 20:19:49 -0000 @@ -1,6 +1,8 @@ -$OpenBSD: patch-conf_conf_xml_in,v 1.2 2016/11/19 12:25:27 sthen Exp $ ---- conf/conf.xml.in.orig Mon Oct 17 14:32:58 2016 -+++ conf/conf.xml.in Mon Nov 14 18:41:45 2016 +$OpenBSD$ + +Index: conf/conf.xml.in +--- conf/conf.xml.in.orig ++++ conf/conf.xml.in @@ -31,7 +31,7 @@ <Logging> <!-- Command line verbosity will overwrite configure file --> 
@@ -10,41 +12,33 @@ $OpenBSD: patch-conf_conf_xml_in,v 1.2 2 </Logging> <PolicyFile>@OPENDNSSEC_CONFIG_DIR@/kasp.xml</PolicyFile> -@@ -39,19 +39,17 @@ +@@ -39,10 +39,10 @@ </Common> <Enforcer> --<!-- - <Privileges> -- <User>opendnssec</User> -- <Group>opendnssec</Group> +-<?xmlif if condition privdrop="user|group|both"?> <Privileges> +-<?xmlif fi?><?xmlif if condition privdrop="user|both"?> <User>@INSTALLATIONUSER@</User> +-<?xmlif fi?><?xmlif if condition privdrop="group|both"?> <Group>@INSTALLATIONGROUP@</Group> +-<?xmlif fi?><?xmlif if condition privdrop="user|group|both"?> </Privileges><?xmlif fi?> ++ <Privileges> + <User>_opendnssec</User> + <Group>_opendnssec</Group> - </Privileges> ----> - <!-- NOTE: Enforcer worker threads are not used; this option is ignored --> - <!-- - <WorkerThreads>4</WorkerThreads> - --> ++ </Privileges> - <!-- <PidFile>@OPENDNSSEC_ENFORCER_PIDFILE@</PidFile> --> -- <Datastore><SQLite>@OPENDNSSEC_STATE_DIR@/kasp.db</SQLite></Datastore> -+ <Datastore><SQLite>@OPENDNSSEC_STATE_DIR@/db/kasp.db</SQLite></Datastore> - <Interval>PT3600S</Interval> + <Datastore><SQLite>@OPENDNSSEC_STATE_DIR@/kasp.db</SQLite></Datastore> <!-- <ManualKeyGeneration/> --> - <!-- <RolloverNotification>P14D</RolloverNotification> --> -@@ -63,12 +61,10 @@ +@@ -59,10 +59,10 @@ </Enforcer> <Signer> --<!-- - <Privileges> -- <User>opendnssec</User> -- <Group>opendnssec</Group> +-<?xmlif if condition privdrop="user|group|both"?> <Privileges> +-<?xmlif fi?><?xmlif if condition privdrop="user|both"?> <User>@INSTALLATIONUSER@</User> +-<?xmlif fi?><?xmlif if condition privdrop="group|both"?> <Group>@INSTALLATIONGROUP@</Group> +-<?xmlif fi?><?xmlif if condition privdrop="user|group|both"?> </Privileges><?xmlif fi?> ++ <Privileges> + <User>_opendnssec</User> + <Group>_opendnssec</Group> - </Privileges> ----> ++ </Privileges> - <!-- <PidFile>@OPENDNSSEC_SIGNER_PIDFILE@</PidFile> --> - <!-- <SocketFile>@OPENDNSSEC_SIGNER_SOCKET@</SocketFile> --> + 
<WorkingDirectory>@OPENDNSSEC_STATE_DIR@/signer</WorkingDirectory> + <WorkerThreads>4</WorkerThreads> Index: patches/patch-contrib_ods-sequencer_ods-sequencer-submit_sh =================================================================== RCS file: patches/patch-contrib_ods-sequencer_ods-sequencer-submit_sh diff -N patches/patch-contrib_ods-sequencer_ods-sequencer-submit_sh --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-contrib_ods-sequencer_ods-sequencer-submit_sh 18 Jan 2019 20:19:49 -0000 @@ -0,0 +1,15 @@ +$OpenBSD$ + +Index: contrib/ods-sequencer/ods-sequencer-submit.sh +--- contrib/ods-sequencer/ods-sequencer-submit.sh.orig ++++ contrib/ods-sequencer/ods-sequencer-submit.sh +@@ -1,6 +1,6 @@ +-#!/bin/bash ++#!/bin/sh + +-now=`../../../sbin/ods-enforcer queue 2>&1 | sed -e 's/^It is now.*(\([0-9][0-9]*\)[^)]*).*$/\1/p' -e 'd'` +-cat > ../../../var/opendnssec/sequences/$now-dssubmit ++now=`${PREFIX}/sbin/ods-enforcer queue 2>&1 | sed -e 's/^It is now.*(\([0-9][0-9]*\)[^)]*).*$/\1/p' -e 'd'` ++cat > ${LOCALSTATEDIR}/opendnssec/sequences/$now-dssubmit + + exit 0 Index: patches/patch-enforcer_utils_1_4-2_0_db_convert_README_md =================================================================== RCS file: patches/patch-enforcer_utils_1_4-2_0_db_convert_README_md diff -N patches/patch-enforcer_utils_1_4-2_0_db_convert_README_md --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-enforcer_utils_1_4-2_0_db_convert_README_md 18 Jan 2019 20:19:49 -0000 
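Review bot: In the new `now=` line, nothing checks that `ods-enforcer queue` actually produced a timestamp; if the enforcer is not running or its output format changes, `$now` is empty, stdin is written to `${LOCALSTATEDIR}/opendnssec/sequences/-dssubmit`, and the trailing `exit 0` still reports success to whatever calls the script. A one-line guard before the `cat` fixes that: `[ -n "$now" ] || { echo "ods-sequencer-submit: could not read enforcer time" >&2; exit 1; }`. Since this is a contrib example installed under share/examples it is not critical, but the whole script is in the hunk and the fix is cheap; the target path should also be quoted (`"${LOCALSTATEDIR}/opendnssec/sequences/$now-dssubmit"`).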
@@ -0,0 +1,75 @@ +$OpenBSD$ + +Index: enforcer/utils/1.4-2.0_db_convert/README.md +--- enforcer/utils/1.4-2.0_db_convert/README.md.orig ++++ enforcer/utils/1.4-2.0_db_convert/README.md +@@ -16,8 +16,8 @@ General preparation + ------------------- + + * First stop OpenDNSSEC entirely. +- * You are strongly advised to backup /etc/opendnssec and /var/opendnssec before +- continuing. ++ * You are strongly advised to backup ${SYSCONFDIR}/opendnssec and ++ ${LOCALSTATEDIR}/opendnssec before continuing. + * Also prevent any nameserver from receiving updates from OpenDNSSEC until + you are sure the migration was successful. + * It is discouraged to perform the migration during a rollover. The migration +@@ -31,27 +31,32 @@ Conversion Sqlite + + There are 2 relevant files for the conversion: + +- * convert_sqlite - A bash conversion script +- * sqlite_convert.sql - Contains SQL statements, called by convert_sqlite ++ * ${PREFIX}/sbin/ods-migrate-sqlite3 - Conversion script ++ * ${PREFIX}/share/opendnssec/migration/migrate-sqlite.sql - ++ Contains SQL statements, called by ods-migrate-sqlite3 + +-call the script like so: `./convert_sqlite -i INPUT -o OUTPUT`. Where INPUT is +-the kasp.db file commonly found in _/var/opendnssec/kasp.db_. And OUTPUT is a +-non-existing file where the new database should go. On success, replace old +-database file with the new database file or adjust _conf.xml_ accordingly. ++Call the script like so: `${PREFIX}/sbin/ods-migrate-sqlite3 -i INPUT -o OUTPUT`. ++Where INPUT is the kasp.db file commonly found in _${LOCALSTATEDIR}/opendnssec/db/kasp.db_. ++And OUTPUT is a non-existing file where the new database should go, ++default location for OpenDNSSEC 2.x is _${LOCALSTATEDIR}/opendnssec/kasp.db_. ++On success, replace old database file with the new database file or adjust ++_${SYSCONFDIR}/opendnssec/conf.xml_ accordingly. 
+ + Conversion MySQL + ---------------- + + There are 2 relevant files for the conversion: + +- * convert_mysql - A bash conversion script +- * mysql_convert.sql - Contains SQL statements, called by convert_mysql ++ * ${PREFIX}/sbin/ods-migrate-mysql - Conversion script ++ * ${PREFIX}/share/opendnssec/migration/migrate-mysql.sql - ++ Contains SQL statements, called by convert_mysql + +-call the script like so: `./convert_sqlite -i INPUT -o OUTPUT -h HOST -u USER +--p PASSWORD`. Where INPUT is the name of the existing database on HOST. And ++Call the script like so: ++`${PREFIX}/sbin/ods-migrate-mysql -i INPUT -o OUTPUT -h HOST -u USER -p PASSWORD`. ++Where INPUT is the name of the existing database on HOST. And + OUTPUT is a non-existing database on the same host where the new database + should go. On success, replace old database with the new database file or +-adjust _conf.xml_ accordingly. ++adjust _${SYSCONFDIR}/opendnssec/conf.xml_ accordingly. + + Post Conversion + --------------- +@@ -59,11 +64,11 @@ Post Conversion + ODS 2.0 stores the keytags in the database, 1.4 unfortunately does not. + Therefore an additional tool is provided which calculates the keytags and + stores them in the database. Make sure that at this point conf.xml points to +-the new database. Then run `ods-migrate`. ++the new database. Then run `${PREFIX}/sbin/ods-migrate`. + + Now your new database is ready for use. At this point the signer will refuse to +-run because the file `/var/opendnssec/enforcer/zones.xml` does not exist +-yet. In ODS 1.4 `/etc/opendnssec/zonelist.xml` is always on par with the ++run because the file `${LOCALSTATEDIR}/opendnssec/enforcer/zones.xml` does not exist ++yet. In ODS 1.4 `${SYSCONFDIR}/opendnssec/zonelist.xml` is always on par with the + database contents (this is no longer true for 2.0) so it is safe to copy this + file over to the missing file. 
+ Index: patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_mysql =================================================================== RCS file: patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_mysql diff -N patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_mysql --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_mysql 18 Jan 2019 20:19:49 -0000 
@@ -0,0 +1,36 @@ +$OpenBSD$ + +Index: enforcer/utils/1.4-2.0_db_convert/convert_mysql +--- enforcer/utils/1.4-2.0_db_convert/convert_mysql.orig ++++ enforcer/utils/1.4-2.0_db_convert/convert_mysql +@@ -1,11 +1,11 @@ +-#!/bin/bash ++#!/bin/sh + set -e + + # This scipt converts a ODS 1.4.9 MySQL database to ODS 2.0. It assumes both + # old and new databases live on the same host and are accessable by the same + # user. + +-SCHEMA=../../src/db/schema.mysql ++SCHEMA=${PREFIX}/share/opendnssec/schema.mysql + + DB_IN="" + DB_OUT="" +@@ -44,7 +44,7 @@ if [ ! $DB_VERSION -eq 4 ]; then + fi + + # Look for zones without an active key. +-Z=`mysql -u $DB_USR -p$DB_PWD -h $DB_HOST $DB_IN < find_problematic_zones.sql` ++Z=`mysql -u $DB_USR -p$DB_PWD -h $DB_HOST $DB_IN < ${PREFIX}/share/opendnssec/migration/find_problematic_zones.sql` + if [[ $Z = *[![:space:]]* ]]; then + echo "Found zones without an active KSK but with a ready KSK waiting for ds-seen. This can cause problem after the conversion if the DS was actually already uploaded. You are adviced to submit these DS records and issue a ds-seen command before continueing. If you know better, disable this check to continue." + echo "Zones: $Z" +@@ -59,6 +59,6 @@ echo "Creating tables in $DB_OUT (as user $DB_USR)" + mysql -u $DB_USR -p$DB_PWD -h $DB_HOST $DB_OUT < $SCHEMA + + echo "Converting database" +-sed "s/REMOTE/$DB_IN/g" mysql_convert.sql > TMP ++sed "s/REMOTE/$DB_IN/g" ${PREFIX}/share/opendnssec/migration/migrate-mysql.sql > TMP + mysql -u $DB_USR -p$DB_PWD -h $DB_HOST $DB_OUT < TMP + rm TMP Index: patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_sqlite =================================================================== RCS file: patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_sqlite diff -N patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_sqlite --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_sqlite 18 Jan 2019 20:19:49 -0000 
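Review bot: The three `mysql -u $DB_USR -p$DB_PWD -h $DB_HOST ...` invocations (the `Z=` check, the schema load and the final conversion) put the database password on the command line, where every local user can read it from `ps` for as long as each mysql run lasts; this was tolerable for a script run from the source tree, but the port now installs it as `${PREFIX}/sbin/ods-migrate-mysql`. Since the port already patches these lines for the new file paths, the same patch could drop `-p$DB_PWD` and hand the password over via a `--defaults-extra-file` written with `mktemp` and mode 0600 (or, as a minimal step, `MYSQL_PWD="$DB_PWD"` in the environment). The `sed ... > TMP` / `rm TMP` pair writes a predictable file in whatever directory the operator happens to be in; a `TMP=$(mktemp)` with a `trap 'rm -f "$TMP"' EXIT` would avoid leaving it behind when `set -e` aborts the script. The variables are all unquoted, so a password or host containing spaces also breaks the script silently.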
@@ -0,0 +1,33 @@ +$OpenBSD$ + +Index: enforcer/utils/1.4-2.0_db_convert/convert_sqlite +--- enforcer/utils/1.4-2.0_db_convert/convert_sqlite.orig ++++ enforcer/utils/1.4-2.0_db_convert/convert_sqlite +@@ -1,9 +1,9 @@ +-#!/bin/bash ++#!/bin/sh + set -e + + # This scipt converts a ODS 1.4.9 Sqlite database to ODS 2.0. + +-SCHEMA=../../src/db/schema.sqlite ++SCHEMA=${PREFIX}/share/opendnssec/schema.sqlite + + DB_IN="" + DB_OUT="" +@@ -36,7 +36,7 @@ if [ ! $DB_VERSION -eq 4 ]; then + fi + + # Look for zones without an active key. +-Z=`sqlite3 $DB_IN < find_problematic_zones.sql` ++Z=`sqlite3 $DB_IN < ${PREFIX}/share/opendnssec/migration/find_problematic_zones.sql` + if [[ $Z = *[![:space:]]* ]]; then + echo "Found zones without an active KSK but with a ready KSK waiting for ds-seen. This can cause problem after the conversion if the DS was actually already uploaded. You are adviced to submit these DS records and issue a ds-seen command before continueing. If you know better, disable this check to continue." + echo "Zones: $Z" +@@ -46,5 +46,5 @@ fi + rm -f $DB_OUT + sqlite3 $DB_OUT < $SCHEMA + echo "attach '$DB_IN' as REMOTE;" | +- cat - sqlite_convert.sql | sqlite3 $DB_OUT ++ cat - ${PREFIX}/share/opendnssec/migration/migrate-sqlite.sql | sqlite3 $DB_OUT + Index: patches/patch-enforcer_utils_convert_mysql_to_sqlite =================================================================== RCS file: patches/patch-enforcer_utils_convert_mysql_to_sqlite diff -N patches/patch-enforcer_utils_convert_mysql_to_sqlite --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-enforcer_utils_convert_mysql_to_sqlite 18 Jan 2019 20:19:49 -0000 
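Review bot: The `rm -f $DB_OUT` just before `sqlite3 $DB_OUT < $SCHEMA` unconditionally deletes whatever `-o` points at, while the port's README.md patch tells the operator that OUTPUT is "a non-existing file" and recommends `${LOCALSTATEDIR}/opendnssec/kasp.db` as the value; nothing rejects an existing file or an OUTPUT equal to INPUT, so a typo destroys the only copy of the enforcer's key state. Since this script is now installed as `${PREFIX}/sbin/ods-migrate-sqlite3`, the patch should replace the `rm -f` with a refusal: `[ -e "$DB_OUT" ] && { echo "refusing to overwrite existing $DB_OUT" >&2; exit 1; }`, and similarly bail out when `"$DB_IN" = "$DB_OUT"`. The new database is created with the caller's umask; the README runs the enforcer tools via `doas -u _opendnssec`, so the same should be documented for this script or the file will end up root-owned.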
@@ -0,0 +1,21 @@ +$OpenBSD$ + +Index: enforcer/utils/convert_mysql_to_sqlite +--- enforcer/utils/convert_mysql_to_sqlite.orig ++++ enforcer/utils/convert_mysql_to_sqlite +@@ -1,11 +1,11 @@ +-#!/usr/bin/env bash ++#!/bin/sh + set -e + +-# This scipt converts a MySQL to a SQLite database. It assumes both +-# old and new databases live on the same host and are accessable by the same ++# This script converts a MySQL to a SQLite database. It assumes both ++# old and new databases live on the same host and are accessible by the same + # user. + +-SCHEMA=../src/db/schema.sqlite ++SCHEMA=${PREFIX}/share/opendnssec/schema.sqlite + + DB_IN="" + DB_OUT="" Index: patches/patch-enforcer_utils_convert_sqlite_to_mysql =================================================================== RCS file: patches/patch-enforcer_utils_convert_sqlite_to_mysql diff -N patches/patch-enforcer_utils_convert_sqlite_to_mysql --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-enforcer_utils_convert_sqlite_to_mysql 18 Jan 2019 20:19:49 -0000 @@ -0,0 +1,21 @@ +$OpenBSD$ + +Index: enforcer/utils/convert_sqlite_to_mysql +--- enforcer/utils/convert_sqlite_to_mysql.orig ++++ enforcer/utils/convert_sqlite_to_mysql +@@ -1,11 +1,11 @@ +-#!/usr/bin/env bash ++#!/bin/sh + set -e + +-# This scipt converts a SQLite3 to a MySQL database. It assumes both +-# old and new databases live on the same host and are accessable by the same ++# This script converts a SQLite3 to a MySQL database. It assumes both ++# old and new databases live on the same host and are accessible by the same + # user. + +-SCHEMA=../src/db/schema.mysql ++SCHEMA=${PREFIX}/share/opendnssec/schema.mysql + + DB_IN="" + DB_OUT="" Index: pkg/PFRAG.mysql =================================================================== RCS file: /cvs/ports/security/opendnssec/pkg/PFRAG.mysql,v retrieving revision 1.1.1.1 diff -u -p -r1.1.1.1 PFRAG.mysql --- pkg/PFRAG.mysql 13 Oct 2015 17:03:55 -0000 1.1.1.1 +++ pkg/PFRAG.mysql 18 Jan 2019 20:19:49 -0000 
@@ -1,2 +1,5 @@ @comment $OpenBSD: PFRAG.mysql,v 1.1.1.1 2015/10/13 17:03:55 jca Exp $ -share/opendnssec/database_create.mysql +sbin/ods-convert_sqlite_to_mysql +sbin/ods-migrate-mysql +share/opendnssec/migration/migrate-mysql.sql +share/opendnssec/schema.mysql Index: pkg/PFRAG.sqlite3 =================================================================== RCS file: /cvs/ports/security/opendnssec/pkg/PFRAG.sqlite3,v retrieving revision 1.1.1.1 diff -u -p -r1.1.1.1 PFRAG.sqlite3 --- pkg/PFRAG.sqlite3 13 Oct 2015 17:03:55 -0000 1.1.1.1 +++ pkg/PFRAG.sqlite3 18 Jan 2019 20:19:49 -0000 @@ -1,2 +1,5 @@ @comment $OpenBSD: PFRAG.sqlite3,v 1.1.1.1 2015/10/13 17:03:55 jca Exp $ -share/opendnssec/database_create.sqlite3 +sbin/ods-convert_mysql_to_sqlite +sbin/ods-migrate-sqlite3 +share/opendnssec/migration/migrate-sqlite.sql +share/opendnssec/schema.sqlite Index: pkg/PLIST =================================================================== RCS file: /cvs/ports/security/opendnssec/pkg/PLIST,v retrieving revision 1.3 diff -u -p -r1.3 PLIST --- pkg/PLIST 4 Sep 2018 12:46:21 -0000 1.3 +++ pkg/PLIST 18 Jan 2019 20:19:49 -0000 
@@ -1,36 +1,44 @@ @comment $OpenBSD: PLIST,v 1.3 2018/09/04 12:46:21 espie Exp $ +@conflict opendnssec-<2.1.3 +@ask-update opendnssec-<2.1.3 OpenDNSSEC enforcer database migration required @newgroup _opendnssec:757 @newuser _opendnssec:757:_opendnssec:daemon:OpenDNSSEC Account:/nonexistent:/sbin/nologin -@bin bin/ods-getconf +@rcscript ${RCDIR}/opendnssec @bin bin/ods-hsmspeed @bin bin/ods-hsmutil bin/ods-kasp2html @bin bin/ods-kaspcheck -@bin bin/ods-ksmutil @man man/man1/ods-hsmspeed.1 @man man/man1/ods-hsmutil.1 @man man/man1/ods-kaspcheck.1 -@man man/man1/ods-ksmutil.1 +@man man/man5/ods-kasp.5 @man man/man5/ods-timing.5 @man man/man7/opendnssec.7 @man man/man8/ods-control.8 +@man man/man8/ods-enforcer-db-setup.8 +@man man/man8/ods-enforcer.8 @man man/man8/ods-enforcerd.8 -@man man/man8/ods-getconf.8 @man man/man8/ods-signer.8 @man man/man8/ods-signerd.8 sbin/ods-control +@bin sbin/ods-enforcer +@bin sbin/ods-enforcer-db-setup @bin sbin/ods-enforcerd +@bin sbin/ods-migrate @bin sbin/ods-signer @bin sbin/ods-signerd +share/doc/opendnssec/ +share/doc/opendnssec/LICENSE +share/doc/opendnssec/MIGRATE_1.4-2.0.md +share/doc/opendnssec/MIGRATION +share/doc/opendnssec/NEWS +share/doc/pkg-readmes/${PKGSTEM} +share/examples/opendnssec/ @mode 0750 @group _opendnssec @sample ${SYSCONFDIR}/opendnssec/ @mode @group -share/doc/opendnssec/ -share/doc/opendnssec/LICENSE -share/doc/pkg-readmes/${PKGSTEM} -share/examples/opendnssec/ share/examples/opendnssec/addns.xml @mode 0640 @group _opendnssec @@ -52,6 +60,11 @@ share/examples/opendnssec/kasp.xml @mode @group share/examples/opendnssec/kasp.xml.sample +share/examples/opendnssec/ods-sequencer/ +share/examples/opendnssec/ods-sequencer/ods-sequencer +share/examples/opendnssec/ods-sequencer/ods-sequencer-submit.sh +share/examples/opendnssec/ods-sequencer/ods-sequencer.md +share/examples/opendnssec/simple-dnskey-mailer.sh share/examples/opendnssec/zonelist.xml @mode 0640 @group _opendnssec 
@@ -64,27 +77,26 @@ share/opendnssec/addns.rnc share/opendnssec/addns.rng share/opendnssec/conf.rnc share/opendnssec/conf.rng -%%sqlite3%% -%%mysql%% share/opendnssec/enforcerstate.rnc share/opendnssec/enforcerstate.rng share/opendnssec/kasp.rnc share/opendnssec/kasp.rng share/opendnssec/kasp2html.xsl +share/opendnssec/migration/ +share/opendnssec/migration/find_problematic_zones.sql share/opendnssec/signconf.rnc share/opendnssec/signconf.rng -share/opendnssec/simple-dnskey-mailer.sh share/opendnssec/zonelist.rnc share/opendnssec/zonelist.rng -@sample ${LOCALSTATEDIR}/opendnssec/ +%%sqlite3%% +%%mysql%% +@mode 0750 @owner _opendnssec @group _opendnssec -@sample ${LOCALSTATEDIR}/opendnssec/db/ +@sample ${LOCALSTATEDIR}/opendnssec/ +@sample ${LOCALSTATEDIR}/opendnssec/enforcer/ @sample ${LOCALSTATEDIR}/opendnssec/signconf/ @sample ${LOCALSTATEDIR}/opendnssec/signed/ -@sample ${LOCALSTATEDIR}/opendnssec/tmp/ +@sample ${LOCALSTATEDIR}/opendnssec/signer/ @sample ${LOCALSTATEDIR}/opendnssec/unsigned/ -@sample ${LOCALSTATEDIR}/opendnssec/softhsm/ -@owner -@group -@rcscript ${RCDIR}/opendnssec +@sample ${LOCALSTATEDIR}/run/opendnssec/ Index: pkg/README =================================================================== RCS file: /cvs/ports/security/opendnssec/pkg/README,v retrieving revision 1.3 diff -u -p -r1.3 README --- pkg/README 4 Sep 2018 12:46:21 -0000 1.3 +++ pkg/README 18 Jan 2019 20:19:49 -0000 
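Review bot: The new `@mode 0750` / `@owner _opendnssec` / `@group _opendnssec` block now precedes `@sample ${LOCALSTATEDIR}/opendnssec/` and all of its subdirectories, whereas the old PLIST set only owner and group, so `signed/` changes from the default directory mode to one that no other account can traverse; a local authoritative server running under its own user, which is the file-output case the pkg README describes, will no longer be able to read the signed zones. If this tightening is intended (kasp.db and signconf/ do hold state worth protecting), the README should say that zones must leave via the configured output transfer or that the admin has to add the server user to `_opendnssec`; otherwise `signed/` could be sampled with its own `@mode 0755` (or 0750 plus a group the server belongs to). `@conflict opendnssec-<2.1.3` looks redundant alongside `@ask-update`, since a package always replaces older versions of itself; if it is meant to force the question about migration, a comment saying so would help the next reader.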
@@ -8,43 +8,172 @@ Getting started =============== This is a summary of steps needed to get OpenDNSSEC up and running in a basic state using SoftHSM as the key backend. Make sure you have -installed the softhsm package before proceeding. +installed the softhsm2 package before proceeding. Initial setup of SoftHSM ------------------------ -Configure SoftHSM to store its token in -${LOCALSTATEDIR}/opendnssec/softhsm/: -# vi ${SYSCONFDIR}/softhsm.conf - -Initialize the SoftHSM token (here assuming you used slot 0). -The user PIN code has to match the <PIN> configured in -${SYSCONFDIR}/opendnssec/conf.xml: -# softhsm --init-token --slot 0 --label OpenDNSSEC +If you plan to use SoftHSM, install softhsm2 package: -Make sure the token is writeable by the _opendnssec user: -# chown _opendnssec ${LOCALSTATEDIR}/opendnssec/softhsm/slot0.db + # pkg_add softhsm2 + +Create ${LOCALSTATEDIR}/opendnssec/softhsm/ directory for tokens storage, +instruct opendnssec to use this location: + + # install -d -o _opendnssec -g _opendnssec -m 700 \ + ${LOCALSTATEDIR}/opendnssec/softhsm/ + + # grep tokendir ${SYSCONFDIR}/softhsm2.conf + directories.tokendir = ${LOCALSTATEDIR}/opendnssec/softhsm/ + +Choose preferred storage method, either 'file' or 'sqlite3': + + # grep objectstore ${SYSCONFDIR}/softhsm2.conf + objectstore.backend = db + +Initialize the SoftHSM token (here assuming you are using slot 0): + + # doas -u _opendnssec softhsm2-util --init-token --slot 0 \ + --label OpenDNSSEC + +User PIN and token label must be reflected in appropriate sections +of ${SYSCONFDIR}/opendnssec/conf.xml: + + # grep PIN ${SYSCONFDIR}/opendnssec/conf.xml + <PIN>MySecretUserPIN</PIN> + + # grep TokenLabel ${SYSCONFDIR}/opendnssec/conf.xml + <TokenLabel>OpenDNSSEC</TokenLabel> +Verify token: + + # doas -u _opendnssec softhsm2-util --show-slots + Available slots: + Slot 1557156002 + Slot info: + Description: SoftHSM slot ID 0x5cd050a2 + Manufacturer ID: SoftHSM project + Hardware version: 2.5 + Firmware 
version: 2.5 + Token present: yes + Token info: + Manufacturer ID: SoftHSM project + Model: SoftHSM v2 + Hardware version: 2.5 + Firmware version: 2.5 + Serial number: e1a305015cd050a2 + Initialized: yes + User PIN init.: yes + Label: OpenDNSSEC Bootstrapping OpenDNSSEC ------------------------ + +Check if the configuration is valid: + + # doas -u _opendnssec ods-kaspcheck + INFO: The XML in ${SYSCONFDIR}/opendnssec/conf.xml is valid + ERROR: SQLite datastore (${LOCALSTATEDIR}/opendnssec/kasp.db) does not exist + INFO: The XML in ${SYSCONFDIR}/opendnssec/kasp.xml is valid + INFO: The XML in ${SYSCONFDIR}/opendnssec/zonelist.xml is valid + Create an initial KASP database (if you are running the mysql flavor you will first need to configure mariadb-server and modify <Datastore> in ${SYSCONFDIR}/opendnssec/conf.xml): -# ods-ksmutil setup -Start the OpenDNSSEC system: -# rcctl start opendnssec + # doas -u _opendnssec ods-enforcer-db-setup + *WARNING* This will erase all data in the database; are you sure? [y/N] y + Database setup successfully. 
+ +Start OpenDNSSEC: + + # rcctl start opendnssec + +Import policy: + + # doas -u _opendnssec ods-enforcer policy import + Created policy default successfully + +Check policy: + + # ods-enforcer policy list + Policy: Description: + default ECDSAP256SHA256 NSEC3 KSK1Y ZSK90D Copy an unsigned zone file into the unsigned/ directory: -# cp <somewhere>/example.com ${LOCALSTATEDIR}/opendnssec/unsigned/ -Add the zone: -# ods-ksmutil zone add --zone example.com --policy default + # cp <somewhere>/example.com ${LOCALSTATEDIR}/opendnssec/unsigned/ + +Import zones from zonelist.xml: -Notify the enforcer of the updated database: -# ods-control enforcer notify + # doas -u _opendnssec ods-enforcer zonelist import + Zone example.com created successfully -You now have a signed version of example.com in the signed/ directory: -# cat ${LOCALSTATEDIR}/opendnssec/signed/example.com +Or add the zone from the command line: -List the keys for the zone: -# ods-ksmutil key list -v + # doas -u _opendnssec ods-enforcer zone add --zone example.com + input is set to ${LOCALSTATEDIR}/opendnssec/unsigned/example.com. + output is set to ${LOCALSTATEDIR}/opendnssec/signed/example.com. 
+ Zone example.com added successfully + +Check the zone: + + # doas -u _opendnssec ods-enforcer zone list + Database set to: ${LOCALSTATEDIR}/opendnssec/kasp.db + Zones: + Zone: Policy: Next change: + example.com default Fri Nov 16 14:50:25 2018 + +List the keys: + + # ods-enforcer key list + Keys: + Zone: Keytype: State: Date of next transition: + example.com KSK publish 2018-11-16 14:50:25 + example.com ZSK ready 2018-11-16 14:50:25 + +After the KSK state transitions to "waiting for ds-seen", export the DS record: + + # doas -u _opendnssec ods-enforcer key list + Keys: + Zone: + example.com KSK ready waiting for ds-seen + example.com ZSK active 2019-02-14 00:50:25 + + # doas -u _opendnssec ods-enforcer key export --zone example.com \ + --keystate ready --keytype KSK --ds + ;ready KSK DS record (SHA256): + example.com. 600 IN DS 65331 13 2 <DSKEY> + +Before submitting DS record to the parent zone, run: + + # doas -u _opendnssec \ + ods-enforcer key ds-submit --zone example.com --keytag 65331 + +Then submit the DS record to the parent zone. + +When DS RR appears in the parent zone, activate the KSK: + + # ods-enforcer key ds-seen --zone example.com --keytag 65331 + 1 KSK matches found. + 1 KSKs changed. + # ods-enforcer key list -v + Keys: + Zone: Keytype: State: Date of next transition: + example.com KSK active 2018-11-17 20:07:31 + example.com ZSK active 2018-11-17 20:07:31 + +The signed zone will appear in ${LOCALSTATEDIR}/opendnssec/signed/ directory +or will be transferred to your authoritative DNS server, depending on the zone +output configuration. + +Upgrading from version 1.4.x to 2.x +----------------------------------- +OpenDNSSEC enforcer database migration is required if you are upgrading from +1.4.x to 2.x. Read ${PREFIX}/share/doc/opendnssec/MIGRATION +for more information. 
+ +Database conversion scripts +--------------------------- +Note that OpenDNSSEC database conversion scripts are installed in +${PREFIX}/sbin and renamed: + convert_mysql_to_sqlite to ods-convert_mysql_to_sqlite + convert_sqlite_to_mysql to ods-convert_sqlite_to_mysql
Index: faq/current.html =================================================================== RCS file: /cvs/www/faq/current.html,v retrieving revision 1.971 diff -u -p -r1.971 current.html --- faq/current.html 17 Dec 2018 21:53:24 -0000 1.971 +++ faq/current.html 18 Jan 2019 20:17:25 -0000 @@ -129,6 +129,12 @@ The chicken binaries <code>csi</code> an <code>lang/mono</code>. +<h3 id="r20190119">2019/01/19 - [packages] security/opendnssec update</h3> + +OpenDNSSEC received a major update. +Users are advised to read <code>/usr/local/share/doc/opendnssec/MIGRATION</code> + + <!-- Two blank lines before new sections. New sentences start on new lines.