Dear all,

Please find the updated diff for the latest opendnssec attached.
Added creation of /var/run/opendnssec/ to the rc script.
Waiting for OK's to commit.

On 01/18, Pavel Korovin wrote:
> Dear all,
> Please see the fixed patch for the latest opendnssec +
> patch for www/faq/current.html
> 
> Took over the maintainership (OK'd by maintainer Patrik Lundin), switched
> HOMEPAGE/MASTER_SITES to https as suggested by Rafael Sadowski, and fixed
> the package docs dir in the pkg README.
> Looking for OK's to commit.

-- 
With best regards,
Pavel Korovin
Index: Makefile
===================================================================
RCS file: /cvs/ports/security/opendnssec/Makefile,v
retrieving revision 1.15
diff -u -p -r1.15 Makefile
--- Makefile    4 Sep 2018 12:46:21 -0000       1.15
+++ Makefile    21 Jan 2019 08:07:49 -0000
@@ -2,27 +2,29 @@
 
 COMMENT=       open-source turn-key solution for DNSSEC
 
-DISTNAME=      opendnssec-1.4.14
-REVISION=      1
+DISTNAME=      opendnssec-2.1.3
 
 CATEGORIES=    security
 
-HOMEPAGE=      http://www.opendnssec.org/
+HOMEPAGE=      https://www.opendnssec.org/
 
-MAINTAINER=    Patrik Lundin <pat...@sigterm.se>
+MAINTAINER=    Pavel Korovin <p...@openbsd.org>
 
 # BSD
 PERMIT_PACKAGE_CDROM=  Yes
 
 WANTLIB += c crypto iconv ldns lzma m pthread xml2 z
 
-MASTER_SITES=  http://dist.opendnssec.org/source/
+MASTER_SITES=  https://dist.opendnssec.org/source/
+
+BUILD_DEPENDS= devel/cunit
 
 LIB_DEPENDS=   converters/libiconv \
                net/ldns/libldns \
                textproc/libxml
 
-TEST_DEPENDS=  security/softhsm
+TEST_DEPENDS=  ${BUILD_DEPENDS} \
+               security/softhsm2
 
 FAKE_FLAGS=    sysconfdir=${PREFIX}/share/examples/opendnssec
 
@@ -47,11 +49,52 @@ LIB_DEPENDS+=       databases/mariadb
 ERRORS+= "Fatal: mutually exclusive flavors: ${FLAVORS}"
 .endif
 
+SUBST_TARGETS= ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/README.md \
+       ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/convert_{mysql,sqlite} \
+       ${WRKSRC}/enforcer/utils/convert_{mysql_to_sqlite,sqlite_to_mysql} \
+       ${WRKSRC}/contrib/ods-sequencer/ods-sequencer-submit.sh \
+       ${WRKSRC}/MIGRATION
+
+post-patch:
+       ${SUBST_CMD} ${SUBST_TARGETS}
+
+# regress-db target doesn't currently work
+# 
https://github.com/opendnssec/opendnssec/commit/6b1b0da4a7ba5ae658aca49a45a45be4867f6806
+pre-test:
+       sed -i 's/^check: regress-db/\#check: regress-db/' \
+               ${WRKSRC}/enforcer/src/db/test/Makefile
+
 post-install:
-       ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/opendnssec
-       cd ${WRKSRC}; \
-       ${INSTALL_DATA} LICENSE ${PREFIX}/share/doc/opendnssec; \
-       ${INSTALL_DATA} plugins/simple-dnskey-mailer/simple-dnskey-mailer.sh \
-                       ${PREFIX}/share/opendnssec
+       sed -i 's,#!/bin/bash,#!/bin/sh,' \
+               ${WRKSRC}/contrib/ods-sequencer/ods-sequencer-submit.sh \
+               ${WRKSRC}/contrib/simple-dnskey-mailer/simple-dnskey-mailer.sh
+       @find ${WRKSRC} -type f \
+               \( -name '*.beforesubst' -o -name '*.orig' \) -delete
+       ${INSTALL_SCRIPT} ${WRKSRC}/enforcer/utils/convert_mysql_to_sqlite \
+               ${PREFIX}/sbin/ods-convert_mysql_to_sqlite
+       ${INSTALL_SCRIPT} ${WRKSRC}/enforcer/utils/convert_sqlite_to_mysql \
+               ${PREFIX}/sbin/ods-convert_sqlite_to_mysql
+       ${INSTALL_SCRIPT} 
${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/convert_mysql \
+               ${PREFIX}/sbin/ods-migrate-mysql
+       ${INSTALL_SCRIPT} 
${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/convert_sqlite \
+               ${PREFIX}/sbin/ods-migrate-sqlite3
+       ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/opendnssec/
+       ${INSTALL_DATA} ${WRKSRC}/{LICENSE,MIGRATION,NEWS} \
+               ${PREFIX}/share/doc/opendnssec/
+       ${INSTALL_DATA} ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/README.md \
+               ${PREFIX}/share/doc/opendnssec/MIGRATE_1.4-2.0.md
+       ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/opendnssec/ods-sequencer/
+       ${INSTALL_DATA} ${WRKSRC}/contrib/ods-sequencer/* \
+               ${PREFIX}/share/examples/opendnssec/ods-sequencer/
+       ${INSTALL_DATA} 
${WRKSRC}/contrib/simple-dnskey-mailer/simple-dnskey-mailer.sh \
+               ${PREFIX}/share/examples/opendnssec/
+       ${INSTALL_DATA_DIR} ${PREFIX}/share/opendnssec/migration/
+       ${INSTALL_DATA} ${WRKSRC}/enforcer/src/db/schema.* 
${PREFIX}/share/opendnssec/
+       ${INSTALL_DATA} 
${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/find_problematic_zones.sql \
+               ${PREFIX}/share/opendnssec/migration/
+       ${INSTALL_DATA} 
${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/sqlite_convert.sql \
+               ${PREFIX}/share/opendnssec/migration/migrate-sqlite.sql
+       ${INSTALL_DATA} 
${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/mysql_convert.sql \
+               ${PREFIX}/share/opendnssec/migration/migrate-mysql.sql
 
 .include <bsd.port.mk>
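Review bot: The `sed -i 's,#!/bin/bash,#!/bin/sh,'` in post-install duplicates the shebang change that patches/patch-contrib_ods-sequencer_ods-sequencer-submit_sh already makes to ods-sequencer-submit.sh, so only simple-dnskey-mailer.sh still needs it; using one mechanism (patch or sed) for both files avoids two places to keep in sync on the next update. SUBST_TARGETS likewise lists files that are both patched and substituted, which works but deserves a comment such as `# the patched copies carry ${PREFIX}/${LOCALSTATEDIR} placeholders that SUBST_CMD fills in`. The blanket `find ${WRKSRC} … -name '*.orig' -delete` appears to exist only so that the `contrib/ods-sequencer/*` glob does not install backup copies; installing the three files named in pkg/PLIST (ods-sequencer, ods-sequencer-submit.sh, ods-sequencer.md) explicitly would make the copy self-describing and the delete unnecessary.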
Index: distinfo
===================================================================
RCS file: /cvs/ports/security/opendnssec/distinfo,v
retrieving revision 1.6
diff -u -p -r1.6 distinfo
--- distinfo    10 Jul 2017 18:12:05 -0000      1.6
+++ distinfo    21 Jan 2019 08:07:49 -0000
@@ -1,2 +1,2 @@
-SHA256 (opendnssec-1.4.14.tar.gz) = 
4cQexbxhdiM7LZT09PcD51h7rmdgdkqxvvA88QvR3N8=
-SIZE (opendnssec-1.4.14.tar.gz) = 1037188
+SHA256 (opendnssec-2.1.3.tar.gz) = PeKgPtyeK4w2a/CrVBAE+YR3fUgTBXy7p6eARdjL/n4=
+SIZE (opendnssec-2.1.3.tar.gz) = 1107073
Index: patches/patch-MIGRATION
===================================================================
RCS file: patches/patch-MIGRATION
diff -N patches/patch-MIGRATION
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-MIGRATION     21 Jan 2019 08:07:49 -0000
@@ -0,0 +1,18 @@
+$OpenBSD$
+
+Index: MIGRATION
+--- MIGRATION.orig
++++ MIGRATION
+@@ -17,7 +17,8 @@ full resign of your zone when upgrading, however if yo
+ a full resign is needed.
+ 
+ The enforcer does require a full migration, as the internal database has
+-been completely revised.  See the documentation in the source tree
+-enforcer/utils/1.4-2.0_db_convert/README.md for a description.
+-Migration scripts are not installed and should be retrieved from the source
+-separately.
++been completely revised.
++See the documentation in ${PREFIX}/share/doc/opendnssec/MIGRATE_1.4-2.0.md
++for a description.
++
++Migration script is installed in ${PREFIX}/sbin/ods-migrate${FLAVOR_EXT}
Index: patches/patch-conf_conf_xml_in
===================================================================
RCS file: /cvs/ports/security/opendnssec/patches/patch-conf_conf_xml_in,v
retrieving revision 1.2
diff -u -p -r1.2 patch-conf_conf_xml_in
--- patches/patch-conf_conf_xml_in      19 Nov 2016 12:25:27 -0000      1.2
+++ patches/patch-conf_conf_xml_in      21 Jan 2019 08:07:49 -0000
@@ -1,6 +1,8 @@
-$OpenBSD: patch-conf_conf_xml_in,v 1.2 2016/11/19 12:25:27 sthen Exp $
---- conf/conf.xml.in.orig      Mon Oct 17 14:32:58 2016
-+++ conf/conf.xml.in   Mon Nov 14 18:41:45 2016
+$OpenBSD$
+
+Index: conf/conf.xml.in
+--- conf/conf.xml.in.orig
++++ conf/conf.xml.in
 @@ -31,7 +31,7 @@
                <Logging>
                        <!-- Command line verbosity will overwrite configure 
file -->
@@ -10,41 +12,33 @@ $OpenBSD: patch-conf_conf_xml_in,v 1.2 2
                </Logging>
                
                <PolicyFile>@OPENDNSSEC_CONFIG_DIR@/kasp.xml</PolicyFile>
-@@ -39,19 +39,17 @@
+@@ -39,10 +39,10 @@
        </Common>
  
        <Enforcer>
--<!--
-               <Privileges>
--                      <User>opendnssec</User>
--                      <Group>opendnssec</Group>
+-<?xmlif if condition privdrop="user|group|both"?>             <Privileges>
+-<?xmlif fi?><?xmlif if condition privdrop="user|both"?>                       
<User>@INSTALLATIONUSER@</User>
+-<?xmlif fi?><?xmlif if condition privdrop="group|both"?>                      
<Group>@INSTALLATIONGROUP@</Group>
+-<?xmlif fi?><?xmlif if condition privdrop="user|group|both"?>         
</Privileges><?xmlif fi?>
++              <Privileges>
 +                      <User>_opendnssec</User>
 +                      <Group>_opendnssec</Group>
-               </Privileges>
---->
- <!-- NOTE: Enforcer worker threads are not used; this option is ignored -->
- <!--
-               <WorkerThreads>4</WorkerThreads>
- -->
++              </Privileges>
  
-               <!-- <PidFile>@OPENDNSSEC_ENFORCER_PIDFILE@</PidFile> -->
--              
<Datastore><SQLite>@OPENDNSSEC_STATE_DIR@/kasp.db</SQLite></Datastore>
-+              
<Datastore><SQLite>@OPENDNSSEC_STATE_DIR@/db/kasp.db</SQLite></Datastore>
-               <Interval>PT3600S</Interval>
+               
<Datastore><SQLite>@OPENDNSSEC_STATE_DIR@/kasp.db</SQLite></Datastore>
                <!-- <ManualKeyGeneration/> -->
-               <!-- <RolloverNotification>P14D</RolloverNotification> -->
-@@ -63,12 +61,10 @@
+@@ -59,10 +59,10 @@
        </Enforcer>
  
        <Signer>
--<!--
-               <Privileges>
--                      <User>opendnssec</User>
--                      <Group>opendnssec</Group>
+-<?xmlif if condition privdrop="user|group|both"?>             <Privileges>
+-<?xmlif fi?><?xmlif if condition privdrop="user|both"?>                       
<User>@INSTALLATIONUSER@</User>
+-<?xmlif fi?><?xmlif if condition privdrop="group|both"?>                      
<Group>@INSTALLATIONGROUP@</Group>
+-<?xmlif fi?><?xmlif if condition privdrop="user|group|both"?>         
</Privileges><?xmlif fi?>
++              <Privileges>
 +                      <User>_opendnssec</User>
 +                      <Group>_opendnssec</Group>
-               </Privileges>
---->
++              </Privileges>
  
-               <!-- <PidFile>@OPENDNSSEC_SIGNER_PIDFILE@</PidFile> -->
-               <!-- <SocketFile>@OPENDNSSEC_SIGNER_SOCKET@</SocketFile> -->
+               
<WorkingDirectory>@OPENDNSSEC_STATE_DIR@/signer</WorkingDirectory>
+               <WorkerThreads>4</WorkerThreads>
Index: patches/patch-contrib_ods-sequencer_ods-sequencer-submit_sh
===================================================================
RCS file: patches/patch-contrib_ods-sequencer_ods-sequencer-submit_sh
diff -N patches/patch-contrib_ods-sequencer_ods-sequencer-submit_sh
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-contrib_ods-sequencer_ods-sequencer-submit_sh 21 Jan 2019 
08:07:49 -0000
@@ -0,0 +1,15 @@
+$OpenBSD$
+
+Index: contrib/ods-sequencer/ods-sequencer-submit.sh
+--- contrib/ods-sequencer/ods-sequencer-submit.sh.orig
++++ contrib/ods-sequencer/ods-sequencer-submit.sh
+@@ -1,6 +1,6 @@
+-#!/bin/bash
++#!/bin/sh
+ 
+-now=`../../../sbin/ods-enforcer queue 2>&1 | sed -e 's/^It is 
now.*(\([0-9][0-9]*\)[^)]*).*$/\1/p' -e 'd'`
+-cat > ../../../var/opendnssec/sequences/$now-dssubmit
++now=`${PREFIX}/sbin/ods-enforcer queue 2>&1 | sed -e 's/^It is 
now.*(\([0-9][0-9]*\)[^)]*).*$/\1/p' -e 'd'`
++cat > ${LOCALSTATEDIR}/opendnssec/sequences/$now-dssubmit
+ 
+ exit 0
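Review bot: Nothing checks that `now` is non-empty before the rewritten `cat > ${LOCALSTATEDIR}/opendnssec/sequences/$now-dssubmit` line, so when ods-enforcer fails (its stderr is merged into the pipe by `2>&1`) or prints a different format, the sed emits nothing, stdin is written to `sequences/-dssubmit`, and the script still exits 0. Adding `[ -n "$now" ] || exit 1` after the assignment and quoting the target as `"${LOCALSTATEDIR}/opendnssec/sequences/$now-dssubmit"` keeps a failed query from producing a misnamed sequence file. The file is installed under share/examples, so this only affects users who copy it, but they will copy it as-is.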
Index: patches/patch-enforcer_utils_1_4-2_0_db_convert_README_md
===================================================================
RCS file: patches/patch-enforcer_utils_1_4-2_0_db_convert_README_md
diff -N patches/patch-enforcer_utils_1_4-2_0_db_convert_README_md
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-enforcer_utils_1_4-2_0_db_convert_README_md   21 Jan 2019 
08:07:49 -0000
@@ -0,0 +1,75 @@
+$OpenBSD$
+
+Index: enforcer/utils/1.4-2.0_db_convert/README.md
+--- enforcer/utils/1.4-2.0_db_convert/README.md.orig
++++ enforcer/utils/1.4-2.0_db_convert/README.md
+@@ -16,8 +16,8 @@ General preparation
+ -------------------
+ 
+  * First stop OpenDNSSEC entirely.
+- * You are strongly advised to backup /etc/opendnssec and /var/opendnssec 
before
+-   continuing.
++ * You are strongly advised to backup ${SYSCONFDIR}/opendnssec and
++   ${LOCALSTATEDIR}/opendnssec before continuing.
+  * Also prevent any nameserver from receiving updates from OpenDNSSEC until
+    you are sure the migration was successful.
+  * It is discouraged to perform the migration during a rollover. The migration
+@@ -31,27 +31,32 @@ Conversion Sqlite
+ 
+ There are 2 relevant files for the conversion:
+ 
+- * convert_sqlite - A bash conversion script
+- * sqlite_convert.sql - Contains SQL statements, called by convert_sqlite
++ * ${PREFIX}/sbin/ods-migrate-sqlite3 - Conversion script
++ * ${PREFIX}/share/opendnssec/migration/migrate-sqlite.sql -
++      Contains SQL statements, called by ods-migrate-sqlite3
+ 
+-call the script like so: `./convert_sqlite -i INPUT -o OUTPUT`. Where INPUT is
+-the kasp.db file commonly found in _/var/opendnssec/kasp.db_. And OUTPUT is a
+-non-existing file where the new database should go. On success, replace old
+-database file with the new database file or adjust _conf.xml_ accordingly.
++Call the script like so: `${PREFIX}/sbin/ods-migrate-sqlite3 -i INPUT -o 
OUTPUT`.
++Where INPUT is the kasp.db file commonly found in 
_${LOCALSTATEDIR}/opendnssec/db/kasp.db_.
++And OUTPUT is a non-existing file where the new database should go,
++default location for OpenDNSSEC 2.x is _${LOCALSTATEDIR}/opendnssec/kasp.db_.
++On success, replace old database file with the new database file or adjust
++_${SYSCONFDIR}/opendnssec/conf.xml_ accordingly.
+ 
+ Conversion MySQL
+ ----------------
+  
+ There are 2 relevant files for the conversion:
+ 
+- * convert_mysql - A bash conversion script
+- * mysql_convert.sql - Contains SQL statements, called by convert_mysql
++ * ${PREFIX}/sbin/ods-migrate-mysql - Conversion script
++ * ${PREFIX}/share/opendnssec/migration/migrate-mysql.sql -
++      Contains SQL statements, called by convert_mysql
+ 
+-call the script like so: `./convert_sqlite -i INPUT -o OUTPUT -h HOST -u USER
+--p PASSWORD`. Where INPUT is the name of the existing database on HOST. And
++Call the script like so:
++`${PREFIX}/sbin/ods-migrate-mysql -i INPUT -o OUTPUT -h HOST -u USER -p 
PASSWORD`.
++Where INPUT is the name of the existing database on HOST. And
+ OUTPUT is a non-existing database on the same host where the new database
+ should go. On success, replace old database with the new database file or
+-adjust _conf.xml_ accordingly.
++adjust _${SYSCONFDIR}/opendnssec/conf.xml_ accordingly.
+   
+ Post Conversion
+ ---------------
+@@ -59,11 +64,11 @@ Post Conversion
+ ODS 2.0 stores the keytags in the database, 1.4 unfortunately does not.
+ Therefore an additional tool is provided which calculates the keytags and
+ stores them in the database. Make sure that at this point conf.xml points to
+-the new database. Then run `ods-migrate`.
++the new database. Then run `${PREFIX}/sbin/ods-migrate`.
+ 
+ Now your new database is ready for use. At this point the signer will refuse 
to
+-run because the file `/var/opendnssec/enforcer/zones.xml` does not exist
+-yet.  In ODS 1.4 `/etc/opendnssec/zonelist.xml` is always on par with the
++run because the file `${LOCALSTATEDIR}/opendnssec/enforcer/zones.xml` does 
not exist
++yet.  In ODS 1.4 `${SYSCONFDIR}/opendnssec/zonelist.xml` is always on par 
with the
+ database contents (this is no longer true for 2.0) so it is safe to copy this
+ file over to the missing file.
+ 
Index: patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_mysql
===================================================================
RCS file: patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_mysql
diff -N patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_mysql
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_mysql       21 Jan 
2019 08:07:49 -0000
@@ -0,0 +1,36 @@
+$OpenBSD$
+
+Index: enforcer/utils/1.4-2.0_db_convert/convert_mysql
+--- enforcer/utils/1.4-2.0_db_convert/convert_mysql.orig
++++ enforcer/utils/1.4-2.0_db_convert/convert_mysql
+@@ -1,11 +1,11 @@
+-#!/bin/bash
++#!/bin/sh
+ set -e
+ 
+ # This scipt converts a ODS 1.4.9 MySQL database to ODS 2.0. It assumes both
+ # old and new databases live on the same host and are accessable by the same 
+ # user.
+ 
+-SCHEMA=../../src/db/schema.mysql
++SCHEMA=${PREFIX}/share/opendnssec/schema.mysql
+ 
+ DB_IN=""
+ DB_OUT=""
+@@ -44,7 +44,7 @@ if [ ! $DB_VERSION -eq 4 ]; then
+ fi
+ 
+ # Look for zones without an active key.
+-Z=`mysql -u $DB_USR -p$DB_PWD -h $DB_HOST $DB_IN < 
find_problematic_zones.sql`        
++Z=`mysql -u $DB_USR -p$DB_PWD -h $DB_HOST $DB_IN < 
${PREFIX}/share/opendnssec/migration/find_problematic_zones.sql`   
+ if [[ $Z = *[![:space:]]* ]]; then
+       echo "Found zones without an active KSK but with a ready KSK waiting 
for ds-seen. This can cause problem after the conversion if the DS was actually 
already uploaded. You are adviced to submit these DS records and issue a 
ds-seen command before continueing. If you know better, disable this check to 
continue."
+              echo "Zones: $Z"
+@@ -59,6 +59,6 @@ echo "Creating tables in $DB_OUT (as user $DB_USR)"
+ mysql -u $DB_USR -p$DB_PWD -h $DB_HOST $DB_OUT < $SCHEMA
+ 
+ echo "Converting database"
+-sed "s/REMOTE/$DB_IN/g" mysql_convert.sql > TMP
++sed "s/REMOTE/$DB_IN/g" 
${PREFIX}/share/opendnssec/migration/migrate-mysql.sql > TMP
+ mysql -u $DB_USR -p$DB_PWD -h $DB_HOST $DB_OUT < TMP
+ rm TMP
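Review bot: The rewritten `Z=\`mysql -u $DB_USR -p$DB_PWD -h $DB_HOST $DB_IN < …\`` line (and the unchanged mysql invocations around it) still passes the database password as a command-line argument, which is visible to every local user in `ps` for the lifetime of the client; now that the port ships this as ${PREFIX}/sbin/ods-migrate-mysql it runs on production hosts rather than from a source tree. Passing it through the environment instead, e.g. `MYSQL_PWD="$DB_PWD" mysql -u "$DB_USR" -h "$DB_HOST" "$DB_IN" < …`, or via `--defaults-extra-file`, avoids that, and quoting the variables handles names with spaces. The `sed … > TMP` / `rm TMP` sequence at the end of the hunk also writes a fixed file name in the current directory; `TMP=$(mktemp) || exit 1` with `trap 'rm -f "$TMP"' EXIT` is the usual replacement. Both are inherited from upstream, so they may be better fixed there than in a port patch; the script's option parsing lies outside the quoted hunks.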
Index: patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_sqlite
===================================================================
RCS file: patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_sqlite
diff -N patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_sqlite
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_sqlite      21 Jan 
2019 08:07:49 -0000
@@ -0,0 +1,33 @@
+$OpenBSD$
+
+Index: enforcer/utils/1.4-2.0_db_convert/convert_sqlite
+--- enforcer/utils/1.4-2.0_db_convert/convert_sqlite.orig
++++ enforcer/utils/1.4-2.0_db_convert/convert_sqlite
+@@ -1,9 +1,9 @@
+-#!/bin/bash
++#!/bin/sh
+ set -e
+ 
+ # This scipt converts a ODS 1.4.9 Sqlite database to ODS 2.0.
+ 
+-SCHEMA=../../src/db/schema.sqlite
++SCHEMA=${PREFIX}/share/opendnssec/schema.sqlite
+ 
+ DB_IN=""
+ DB_OUT=""
+@@ -36,7 +36,7 @@ if [ ! $DB_VERSION -eq 4 ]; then
+ fi
+ 
+ # Look for zones without an active key.
+-Z=`sqlite3 $DB_IN < find_problematic_zones.sql`
++Z=`sqlite3 $DB_IN < 
${PREFIX}/share/opendnssec/migration/find_problematic_zones.sql`
+ if [[ $Z = *[![:space:]]* ]]; then
+       echo "Found zones without an active KSK but with a ready KSK waiting 
for ds-seen. This can cause problem after the conversion if the DS was actually 
already uploaded. You are adviced to submit these DS records and issue a 
ds-seen command before continueing. If you know better, disable this check to 
continue."
+              echo "Zones: $Z"
+@@ -46,5 +46,5 @@ fi
+ rm -f $DB_OUT
+ sqlite3 $DB_OUT < $SCHEMA 
+ echo "attach '$DB_IN' as REMOTE;" |
+-      cat - sqlite_convert.sql | sqlite3 $DB_OUT
++      cat - ${PREFIX}/share/opendnssec/migration/migrate-sqlite.sql | sqlite3 
$DB_OUT
+ 
Index: patches/patch-enforcer_utils_convert_mysql_to_sqlite
===================================================================
RCS file: patches/patch-enforcer_utils_convert_mysql_to_sqlite
diff -N patches/patch-enforcer_utils_convert_mysql_to_sqlite
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-enforcer_utils_convert_mysql_to_sqlite        21 Jan 2019 
08:07:49 -0000
@@ -0,0 +1,21 @@
+$OpenBSD$
+
+Index: enforcer/utils/convert_mysql_to_sqlite
+--- enforcer/utils/convert_mysql_to_sqlite.orig
++++ enforcer/utils/convert_mysql_to_sqlite
+@@ -1,11 +1,11 @@
+-#!/usr/bin/env bash
++#!/bin/sh
+ set -e
+ 
+-# This scipt converts a MySQL to a SQLite database. It assumes both
+-# old and new databases live on the same host and are accessable by the same 
++# This script converts a MySQL to a SQLite database. It assumes both
++# old and new databases live on the same host and are accessible by the same 
+ # user.
+ 
+-SCHEMA=../src/db/schema.sqlite
++SCHEMA=${PREFIX}/share/opendnssec/schema.sqlite
+ 
+ DB_IN=""
+ DB_OUT=""
Index: patches/patch-enforcer_utils_convert_sqlite_to_mysql
===================================================================
RCS file: patches/patch-enforcer_utils_convert_sqlite_to_mysql
diff -N patches/patch-enforcer_utils_convert_sqlite_to_mysql
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-enforcer_utils_convert_sqlite_to_mysql        21 Jan 2019 
08:07:49 -0000
@@ -0,0 +1,21 @@
+$OpenBSD$
+
+Index: enforcer/utils/convert_sqlite_to_mysql
+--- enforcer/utils/convert_sqlite_to_mysql.orig
++++ enforcer/utils/convert_sqlite_to_mysql
+@@ -1,11 +1,11 @@
+-#!/usr/bin/env bash
++#!/bin/sh
+ set -e
+ 
+-# This scipt converts a SQLite3 to a MySQL database. It assumes both
+-# old and new databases live on the same host and are accessable by the same 
++# This script converts a SQLite3 to a MySQL database. It assumes both
++# old and new databases live on the same host and are accessible by the same 
+ # user.
+ 
+-SCHEMA=../src/db/schema.mysql
++SCHEMA=${PREFIX}/share/opendnssec/schema.mysql
+ 
+ DB_IN=""
+ DB_OUT=""
Index: pkg/PFRAG.mysql
===================================================================
RCS file: /cvs/ports/security/opendnssec/pkg/PFRAG.mysql,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 PFRAG.mysql
--- pkg/PFRAG.mysql     13 Oct 2015 17:03:55 -0000      1.1.1.1
+++ pkg/PFRAG.mysql     21 Jan 2019 08:07:49 -0000
@@ -1,2 +1,5 @@
 @comment $OpenBSD: PFRAG.mysql,v 1.1.1.1 2015/10/13 17:03:55 jca Exp $
-share/opendnssec/database_create.mysql
+sbin/ods-convert_sqlite_to_mysql
+sbin/ods-migrate-mysql
+share/opendnssec/migration/migrate-mysql.sql
+share/opendnssec/schema.mysql
Index: pkg/PFRAG.sqlite3
===================================================================
RCS file: /cvs/ports/security/opendnssec/pkg/PFRAG.sqlite3,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 PFRAG.sqlite3
--- pkg/PFRAG.sqlite3   13 Oct 2015 17:03:55 -0000      1.1.1.1
+++ pkg/PFRAG.sqlite3   21 Jan 2019 08:07:49 -0000
@@ -1,2 +1,5 @@
 @comment $OpenBSD: PFRAG.sqlite3,v 1.1.1.1 2015/10/13 17:03:55 jca Exp $
-share/opendnssec/database_create.sqlite3
+sbin/ods-convert_mysql_to_sqlite
+sbin/ods-migrate-sqlite3
+share/opendnssec/migration/migrate-sqlite.sql
+share/opendnssec/schema.sqlite
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/security/opendnssec/pkg/PLIST,v
retrieving revision 1.3
diff -u -p -r1.3 PLIST
--- pkg/PLIST   4 Sep 2018 12:46:21 -0000       1.3
+++ pkg/PLIST   21 Jan 2019 08:07:49 -0000
@@ -1,36 +1,44 @@
 @comment $OpenBSD: PLIST,v 1.3 2018/09/04 12:46:21 espie Exp $
+@conflict opendnssec-<2.1.3
+@ask-update opendnssec-<2.1.3 OpenDNSSEC enforcer database migration required
 @newgroup _opendnssec:757
 @newuser _opendnssec:757:_opendnssec:daemon:OpenDNSSEC 
Account:/nonexistent:/sbin/nologin
-@bin bin/ods-getconf
+@rcscript ${RCDIR}/opendnssec
 @bin bin/ods-hsmspeed
 @bin bin/ods-hsmutil
 bin/ods-kasp2html
 @bin bin/ods-kaspcheck
-@bin bin/ods-ksmutil
 @man man/man1/ods-hsmspeed.1
 @man man/man1/ods-hsmutil.1
 @man man/man1/ods-kaspcheck.1
-@man man/man1/ods-ksmutil.1
+@man man/man5/ods-kasp.5
 @man man/man5/ods-timing.5
 @man man/man7/opendnssec.7
 @man man/man8/ods-control.8
+@man man/man8/ods-enforcer-db-setup.8
+@man man/man8/ods-enforcer.8
 @man man/man8/ods-enforcerd.8
-@man man/man8/ods-getconf.8
 @man man/man8/ods-signer.8
 @man man/man8/ods-signerd.8
 sbin/ods-control
+@bin sbin/ods-enforcer
+@bin sbin/ods-enforcer-db-setup
 @bin sbin/ods-enforcerd
+@bin sbin/ods-migrate
 @bin sbin/ods-signer
 @bin sbin/ods-signerd
+share/doc/opendnssec/
+share/doc/opendnssec/LICENSE
+share/doc/opendnssec/MIGRATE_1.4-2.0.md
+share/doc/opendnssec/MIGRATION
+share/doc/opendnssec/NEWS
+share/doc/pkg-readmes/${PKGSTEM}
+share/examples/opendnssec/
 @mode 0750
 @group _opendnssec
 @sample ${SYSCONFDIR}/opendnssec/
 @mode
 @group
-share/doc/opendnssec/
-share/doc/opendnssec/LICENSE
-share/doc/pkg-readmes/${PKGSTEM}
-share/examples/opendnssec/
 share/examples/opendnssec/addns.xml
 @mode 0640
 @group _opendnssec
@@ -52,6 +60,11 @@ share/examples/opendnssec/kasp.xml
 @mode
 @group
 share/examples/opendnssec/kasp.xml.sample
+share/examples/opendnssec/ods-sequencer/
+share/examples/opendnssec/ods-sequencer/ods-sequencer
+share/examples/opendnssec/ods-sequencer/ods-sequencer-submit.sh
+share/examples/opendnssec/ods-sequencer/ods-sequencer.md
+share/examples/opendnssec/simple-dnskey-mailer.sh
 share/examples/opendnssec/zonelist.xml
 @mode 0640
 @group _opendnssec
@@ -64,27 +77,26 @@ share/opendnssec/addns.rnc
 share/opendnssec/addns.rng
 share/opendnssec/conf.rnc
 share/opendnssec/conf.rng
-%%sqlite3%%
-%%mysql%%
 share/opendnssec/enforcerstate.rnc
 share/opendnssec/enforcerstate.rng
 share/opendnssec/kasp.rnc
 share/opendnssec/kasp.rng
 share/opendnssec/kasp2html.xsl
+share/opendnssec/migration/
+share/opendnssec/migration/find_problematic_zones.sql
 share/opendnssec/signconf.rnc
 share/opendnssec/signconf.rng
-share/opendnssec/simple-dnskey-mailer.sh
 share/opendnssec/zonelist.rnc
 share/opendnssec/zonelist.rng
-@sample ${LOCALSTATEDIR}/opendnssec/
+%%sqlite3%%
+%%mysql%%
+@mode 0750
 @owner _opendnssec
 @group _opendnssec
-@sample ${LOCALSTATEDIR}/opendnssec/db/
+@sample ${LOCALSTATEDIR}/opendnssec/
+@sample ${LOCALSTATEDIR}/opendnssec/enforcer/
 @sample ${LOCALSTATEDIR}/opendnssec/signconf/
 @sample ${LOCALSTATEDIR}/opendnssec/signed/
-@sample ${LOCALSTATEDIR}/opendnssec/tmp/
+@sample ${LOCALSTATEDIR}/opendnssec/signer/
 @sample ${LOCALSTATEDIR}/opendnssec/unsigned/
-@sample ${LOCALSTATEDIR}/opendnssec/softhsm/
-@owner
-@group
-@rcscript ${RCDIR}/opendnssec
+@sample ${LOCALSTATEDIR}/run/opendnssec/
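Review bot: The `@mode 0750`, `@owner _opendnssec` and `@group _opendnssec` set before the `@sample` directories are never reset — the old `@owner`/`@group` resets at the end are removed and nothing follows the new `@sample ${LOCALSTATEDIR}/run/opendnssec/`. The earlier blocks in this PLIST (`@mode 0750`/`@group _opendnssec` around `@sample ${SYSCONFDIR}/opendnssec/`) do reset, so ending the file with `@mode`, `@owner`, `@group` keeps it consistent and protects anything appended later. The `@sample ${LOCALSTATEDIR}/run/opendnssec/` entry also overlaps with the `rc_pre()` in pkg/opendnssec.rc that creates the same directory at service start; if /var/run is cleaned at boot (which seems to be why rc_pre was added), the rc script is the one that takes effect and the two should at least agree on mode and group.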
Index: pkg/README
===================================================================
RCS file: /cvs/ports/security/opendnssec/pkg/README,v
retrieving revision 1.3
diff -u -p -r1.3 README
--- pkg/README  4 Sep 2018 12:46:21 -0000       1.3
+++ pkg/README  21 Jan 2019 08:07:49 -0000
@@ -8,43 +8,172 @@ Getting started
 ===============
 This is a summary of steps needed to get OpenDNSSEC up and running in a
 basic state using SoftHSM as the key backend. Make sure you have
-installed the softhsm package before proceeding.
+installed the softhsm2 package before proceeding.
 
 Initial setup of SoftHSM
 ------------------------
-Configure SoftHSM to store its token in
-${LOCALSTATEDIR}/opendnssec/softhsm/:
-# vi ${SYSCONFDIR}/softhsm.conf
-
-Initialize the SoftHSM token (here assuming you used slot 0).
-The user PIN code has to match the <PIN> configured in
-${SYSCONFDIR}/opendnssec/conf.xml:
-# softhsm --init-token --slot 0 --label OpenDNSSEC
+If you plan to use SoftHSM, install softhsm2 package:
 
-Make sure the token is writeable by the _opendnssec user:
-# chown _opendnssec ${LOCALSTATEDIR}/opendnssec/softhsm/slot0.db
+    # pkg_add softhsm2
+
+Create ${LOCALSTATEDIR}/opendnssec/softhsm/ directory for tokens storage,
+instruct opendnssec to use this location:
+
+    # install -d -o _opendnssec -g _opendnssec -m 700 \
+        ${LOCALSTATEDIR}/opendnssec/softhsm/
+
+    # grep tokendir ${SYSCONFDIR}/softhsm2.conf
+    directories.tokendir = ${LOCALSTATEDIR}/opendnssec/softhsm/
+
+Choose preferred storage method, either 'file' or 'sqlite3':
+
+    # grep objectstore ${SYSCONFDIR}/softhsm2.conf
+    objectstore.backend = db
+
+Initialize the SoftHSM token (here assuming you are using slot 0):
+
+    # doas -u _opendnssec softhsm2-util --init-token --slot 0 \
+        --label OpenDNSSEC
+
+User PIN and token label must be reflected in appropriate sections
+of ${SYSCONFDIR}/opendnssec/conf.xml:
+
+    # grep PIN ${SYSCONFDIR}/opendnssec/conf.xml
+                        <PIN>MySecretUserPIN</PIN>
+
+    # grep TokenLabel ${SYSCONFDIR}/opendnssec/conf.xml
+                        <TokenLabel>OpenDNSSEC</TokenLabel>
+Verify token:
+
+       # doas -u _opendnssec softhsm2-util --show-slots
+        Available slots:
+        Slot 1557156002
+            Slot info:
+                Description:      SoftHSM slot ID 0x5cd050a2
+                Manufacturer ID:  SoftHSM project
+                Hardware version: 2.5
+                Firmware version: 2.5
+                Token present:    yes
+            Token info:
+                Manufacturer ID:  SoftHSM project
+                Model:            SoftHSM v2
+                Hardware version: 2.5
+                Firmware version: 2.5
+                Serial number:    e1a305015cd050a2
+                Initialized:      yes
+                User PIN init.:   yes
+                Label:            OpenDNSSEC
 
 Bootstrapping OpenDNSSEC
 ------------------------
+
+Check if the configuration is valid:
+
+    # doas -u _opendnssec ods-kaspcheck
+    INFO: The XML in ${SYSCONFDIR}/opendnssec/conf.xml is valid
+    ERROR: SQLite datastore (${LOCALSTATEDIR}/opendnssec/kasp.db) does not 
exist
+    INFO: The XML in ${SYSCONFDIR}/opendnssec/kasp.xml is valid
+    INFO: The XML in ${SYSCONFDIR}/opendnssec/zonelist.xml is valid
+
 Create an initial KASP database (if you are running the mysql flavor you
 will first need to configure mariadb-server and modify <Datastore> in
 ${SYSCONFDIR}/opendnssec/conf.xml):
-# ods-ksmutil setup
 
-Start the OpenDNSSEC system:
-# rcctl start opendnssec
+    # doas -u _opendnssec ods-enforcer-db-setup
+    *WARNING* This will erase all data in the database; are you sure? [y/N] y
+    Database setup successfully.
+
+Start OpenDNSSEC:
+
+    # rcctl start opendnssec
+
+Import policy:
+
+    # doas -u _opendnssec ods-enforcer policy import
+    Created policy default successfully
+
+Check policy:
+
+    # ods-enforcer policy list
+    Policy:                         Description:
+    default                         ECDSAP256SHA256 NSEC3 KSK1Y ZSK90D
 
 Copy an unsigned zone file into the unsigned/ directory:
-# cp <somewhere>/example.com ${LOCALSTATEDIR}/opendnssec/unsigned/
 
-Add the zone:
-# ods-ksmutil zone add --zone example.com --policy default
+    # cp <somewhere>/example.com ${LOCALSTATEDIR}/opendnssec/unsigned/
+
+Import zones from zonelist.xml:
 
-Notify the enforcer of the updated database:
-# ods-control enforcer notify
+    # doas -u _opendnssec ods-enforcer zonelist import
+    Zone example.com created successfully
 
-You now have a signed version of example.com in the signed/ directory:
-# cat ${LOCALSTATEDIR}/opendnssec/signed/example.com
+Or add the zone from the command line:
 
-List the keys for the zone:
-# ods-ksmutil key list -v
+    # doas -u _opendnssec ods-enforcer zone add --zone example.com
+    input is set to ${LOCALSTATEDIR}/opendnssec/unsigned/example.com.
+    output is set to ${LOCALSTATEDIR}/opendnssec/signed/example.com.
+    Zone example.com added successfully
+
+Check the zone:
+
+    # doas -u _opendnssec ods-enforcer zone list
+    Database set to: ${LOCALSTATEDIR}/opendnssec/kasp.db
+    Zones:
+    Zone:                           Policy:       Next change:
+    example.com                     default       Fri Nov 16 14:50:25 2018
+
+List the keys:
+
+    # ods-enforcer key list
+    Keys:
+    Zone:                           Keytype: State:    Date of next transition:
+    example.com                     KSK      publish   2018-11-16 14:50:25
+    example.com                     ZSK      ready     2018-11-16 14:50:25
+
+After the KSK state transitions to "waiting for ds-seen", export the DS record:
+
+    # doas -u _opendnssec ods-enforcer key list
+    Keys:
+    Zone:
+    example.com                     KSK      ready     waiting for ds-seen
+    example.com                     ZSK      active    2019-02-14 00:50:25
+
+    # doas -u _opendnssec ods-enforcer key export --zone example.com \
+        --keystate ready --keytype KSK --ds
+    ;ready KSK DS record (SHA256):
+    example.com.    600     IN      DS      65331 13 2 <DSKEY>
+
+Before submitting DS record to the parent zone, run:
+
+    # doas -u _opendnssec \
+        ods-enforcer key ds-submit --zone example.com --keytag 65331
+
+Then submit the DS record to the parent zone.
+
+When DS RR appears in the parent zone, activate the KSK:
+
+    # ods-enforcer key ds-seen --zone example.com --keytag 65331
+    1 KSK matches found.
+    1 KSKs changed.
+    # ods-enforcer key list -v
+    Keys:
+    Zone:                           Keytype: State:    Date of next transition:
+    example.com                     KSK      active    2018-11-17 20:07:31
+    example.com                     ZSK      active    2018-11-17 20:07:31
+
+The signed zone will appear in ${LOCALSTATEDIR}/opendnssec/signed/ directory
+or will be transferred to your authoritative DNS server, depending on the zone
+output configuration.
+
+Upgrading from version 1.4.x to 2.x
+-----------------------------------
+OpenDNSSEC enforcer database migration is required if you are upgrading from
+1.4.x to 2.x. Read ${PREFIX}/share/doc/opendnssec/MIGRATION
+for more information.
+
+Database conversion scripts
+---------------------------
+Note that OpenDNSSEC database conversion scripts are installed in
+${PREFIX}/sbin and renamed:
+    convert_mysql_to_sqlite to ods-convert_mysql_to_sqlite
+    convert_sqlite_to_mysql to ods-convert_sqlite_to_mysql
Index: pkg/opendnssec.rc
===================================================================
RCS file: /cvs/ports/security/opendnssec/pkg/opendnssec.rc,v
retrieving revision 1.2
diff -u -p -r1.2 opendnssec.rc
--- pkg/opendnssec.rc   11 Jan 2018 19:27:09 -0000      1.2
+++ pkg/opendnssec.rc   21 Jan 2019 08:07:49 -0000
@@ -10,6 +10,10 @@ rc_reload=NO
 
 pexp="${TRUEPREFIX}/sbin/ods-(enforcerd|signerd)"
 
+rc_pre() {
+       install -d -o _opendnssec /var/run/opendnssec/
+}
+
 rc_start() {
        ${rcexec} "${daemon} start"
 }
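Review bot: `install -d -o _opendnssec /var/run/opendnssec/` sets the owner but neither group nor mode, so the directory gets the boot-time umask and the default group, while pkg/PLIST samples the same path as `@mode 0750` `@owner _opendnssec` `@group _opendnssec`. If the enforcer and signer control sockets live in that directory (the `pexp` line shows only the daemons, so this is inferred), its mode decides which local users can issue control commands, and the two definitions should agree: `install -d -o _opendnssec -g _opendnssec -m 0750 /var/run/opendnssec`.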
