knot/knot.spec

%global _hardened_build 1
%{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}}

Summary: High-performance authoritative DNS server
Name: knot
Version: 2.3.2
Release: 1%{?dist}
License: GPLv3
Group: System Environment/Daemons
URL: http://www.knot-dns.cz
Source0: http://public.nic.cz/files/knot-dns/%{name}-%{version}.tar.xz
Source1: %{name}.service
Source2: %{name}.conf
Source3: %{name}.tmpfiles

# Required dependencies
BuildRequires: pkgconfig(liburcu) pkgconfig(gnutls) >= 3.0 pkgconfig(nettle) pkgconfig(jansson) lmdb-devel pkgconfig(libedit)
# Optional dependencies
BuildRequires: pkgconfig(libcap-ng) pkgconfig(libidn) pkgconfig(libsystemd) pkgconfig(libfstrm) pkgconfig(libprotobuf-c)

BuildRequires: systemd
Requires(post): systemd %{_sbindir}/runuser
Requires(preun): systemd
Requires(postun): systemd

Requires: %{name}-libs%{?_isa} = %{version}-%{release}

%description
Knot DNS is a high-performance authoritative DNS server implementation.

%package libs
Summary: Libraries used by the Knot DNS server and client applications

%description libs
The package contains shared libraries used by the Knot DNS server and
utilities.

%package devel
Summary: Development header files for the Knot DNS libraries
Requires: %{name}-libs%{?_isa} = %{version}-%{release}

%description devel
The package contains development header files for the Knot DNS libraries
included in knot-libs package.

%package utils
Summary: DNS client utilities shipped with the Knot DNS server
Requires: %{name}-libs%{?_isa} = %{version}-%{release}

%description utils
The package contains DNS client utilities shipped with the Knot DNS server.

%package doc
Summary: Documentation for the Knot DNS server
License: GPLv3 and BSD and MIT
BuildArch: noarch
BuildRequires: python3-sphinx
Provides: bundled(jquery)

%description doc
The package contains documentation for the Knot DNS server.

%prep
%setup -q

# make sure embedded LMDB library is not used
rm -vr src/contrib/lmdb

%build
# disable debug code (causes unused warnings)
CFLAGS="%{optflags} -DNDEBUG -Wno-unused"
%configure
make %{?_smp_mflags}
make html

%install
make install DESTDIR=%{buildroot}

# install documentation
mkdir -p %{buildroot}%{_pkgdocdir}
cp -av doc/_build/html %{buildroot}%{_pkgdocdir}
[ -r %{buildroot}%{_pkgdocdir}/html/index.html ] || exit 1
rm -f %{buildroot}%{_pkgdocdir}/html/.buildinfo

# install shell completion scripts
install -p -m 0644 -D samples/keymgr-completion.sh %{buildroot}%{_datadir}/bash-completion/completions/keymgr
install -p -m 0644 -D samples/keymgr-completion.zsh %{buildroot}%{_datadir}/zsh/site-functions/_keymgr

# install customized configuration file
rm %{buildroot}%{_sysconfdir}/%{name}/*
install -p -m 0644 -D %{SOURCE2} %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf

# install service file and create rundir
install -p -m 0644 -D %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service
install -p -m 0644 -D %{SOURCE3} %{buildroot}%{_tmpfilesdir}/%{name}.conf
install -d -m 0755 %{buildroot}%{_localstatedir}/run/%{name}

# create storage dir and key dir
mkdir -p %{buildroot}%{_sharedstatedir}
install -d -m 0775 %{buildroot}%{_sharedstatedir}/%{name}
install -d -m 0770 %{buildroot}%{_sharedstatedir}/%{name}/keys

# install config samples into docdir
install -d -m 0755 %{buildroot}%{_pkgdocdir}/samples
for sample_file in knot.sample.conf example.com.zone; do
    install -p -m 0644 samples/${sample_file} %{buildroot}%{_pkgdocdir}/samples
done

# remove static libraries and libarchive files
rm %{buildroot}%{_libdir}/*.a
rm %{buildroot}%{_libdir}/*.la

%check
make check

%pre
getent group knot >/dev/null || groupadd -r knot
getent passwd knot >/dev/null || useradd -r -g knot -d %{_sysconfdir}/knot -s /sbin/nologin -c "Knot DNS server" knot
exit 0

%post
%systemd_post knot.service
# initialize/upgrade KASP database
%{_sbindir}/runuser -u knot -- %{_sbindir}/keymgr --dir %{_sharedstatedir}/%{name}/keys --legacy init

%preun
%systemd_preun knot.service

%postun
%systemd_postun_with_restart knot.service

%post libs -p /sbin/ldconfig

%postun libs -p /sbin/ldconfig

%files
%{_pkgdocdir}/samples
%dir %attr(750,root,knot) %{_sysconfdir}/%{name}
%config(noreplace) %attr(640,root,knot) %{_sysconfdir}/%{name}/%{name}.conf
%dir %attr(775,root,knot) %{_sharedstatedir}/%{name}
%dir %attr(770,root,knot) %{_sharedstatedir}/%{name}/keys
%dir %attr(-,knot,knot) %{_localstatedir}/run/%{name}
%{_unitdir}/%{name}.service
%{_tmpfilesdir}/%{name}.conf
%{_libexecdir}/knot1to2
%{_bindir}/kzonecheck
%{_sbindir}/keymgr
%{_sbindir}/knotc
%{_sbindir}/knotd
%{_mandir}/man1/knot1to2.*
%{_mandir}/man1/kzonecheck.*
%{_mandir}/man5/knot.conf.*
%{_mandir}/man8/keymgr.*
%{_mandir}/man8/knotc.*
%{_mandir}/man8/knotd.*
%{_datadir}/bash-completion/completions/keymgr
%{_datadir}/zsh/site-functions/_keymgr

%files utils
%{_bindir}/kdig
%{_bindir}/khost
%{_bindir}/knsec3hash
%{_bindir}/knsupdate
%{_mandir}/man1/kdig.*
%{_mandir}/man1/khost.*
%{_mandir}/man1/knsec3hash.*
%{_mandir}/man1/knsupdate.*

%files libs
%doc COPYING AUTHORS NEWS THANKS
%{_libdir}/libdnssec.so.*
%{_libdir}/libknot.so.*
%{_libdir}/libzscanner.so.*

%files devel
%{_includedir}/dnssec
%{_includedir}/libknot
%{_includedir}/zscanner
%{_libdir}/libdnssec.so
%{_libdir}/libknot.so
%{_libdir}/libzscanner.so
%{_libdir}/pkgconfig/libdnssec.pc
%{_libdir}/pkgconfig/libknot.pc
%{_libdir}/pkgconfig/libzscanner.pc

%files doc
%dir %{_pkgdocdir}
%{_pkgdocdir}/html

%changelog
* Thu Nov 17 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 2.3.2-1
- new upstream release:
  + fix: missing glue in some responses
  + fix: knsupdate prompt printing on non-terminal
  + fix: configuration policy item names in documentation
  + fix: segfault on OS X Sierra
  + fix: incorrect %s expansion for the root zone
  + fix: refresh not existing slave zone after restart
  + fix: immediate zone refresh upon restart if refresh already scheduled
  + fix: early zone transfer after restart if transfer already scheduled
  + fix: not ignoring empty non-terminal parents during delegation lookup
  + fix: CD bit clearing in responses
  + fix: compilation error on GNU/kFreeBSD
  + fix: server crash after double zone-commit if journal error
  + improvement: significant speed-up of conf-commit and conf-diff operations
  + improvement: new EDNS Client Subnet API
  + improvement: better semantic-checks error messages
  + improvement: speed-up of knotc if control operation and known socket
  + improvement: zone purge operation purges also zone timers
  + feature: print TLS certificate hierarchy in kdig verbose mode
  + feature: new +subnet alias for +client
  + feature: new mod-whoami and mod-noudp modules
  + feature: new zone-purge control command
  + feature: new log-queries and log-responses options for mod-dnstap
  + feature: simple modules don't require empty configuration section
  + feature: new zone journal path configuration option
  + feature: new timeout configuration option for module dnsproxy

* Mon Aug 29 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 2.3.0-3
- fix post-installation scriptlet (RHBZ #1370939)

* Thu Aug 11 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 2.3.0-2
- endian independent DNS cookies (fixes build on ppc64 and s390x)

* Tue Aug 09 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 2.3.0-1
- new upstream release:
  + fix: No wildcard expansion below empty non-terminal for NSEC signed zone
  + fix: Don't ignore non-existing records to be removed in IXFR
  + fix: Fix kdig IXFR response processing if the transfer content is empty
  + fix: Avoid multiple loads of the same PKCS #11 module
  + improvement: Refactored semantic checks and better error messages
  + improvement: Set TC flag in delegation only if mandatory glue doesn't fit the response
  + improvement: Separate EDNS(0) payload size configuration for IPv4 and IPv6
  + feature: Zone size limit restriction for DDNS, AXFR, and IXFR (CVE-2016-6171)
  + feature: DNS-over-TLS support in kdig (RFC 7858)
  + feature: EDNS(0) padding and alignment support in kdig (RFC 7830)

* Fri Jun 24 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 2.2.1-2
- rebuild for updated userspace-rcu

* Mon May 30 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 2.2.1-1
- new upstream release:
  + fix: Separate logging of server and zone events
  + fix: Concurrent zone file flushing with many zones
  + fix: Control timeout parsing in knotc
  + fix: "Environment maxreaders limit reached" error in knotc
  + fix: Don't apply journal changes on modified zone file
  + fix: Enable multiple zone names completion in interactive knotc
  + fix: Set the TC flag in a response if a glue doesn't fit the response
  + fix: Disallow server reload when there is an active configuration transaction
  + improvement: Distinguish unavailable zones from zones with zero serial in log messages
  + improvement: Log warning and error messages to standard error output in all utilities
  + improvement: Document tested PKCS #11 devices
  + improvement: Extended Python configuration interface
- update requirements for Fedora 25

* Sun May 29 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 2.2.0-3
- update default configuration file

* Sun May 08 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 2.2.0-2
- fix: systemd service starting

* Tue Apr 26 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 2.2.0-1
- new upstream release:
  + fix: Query/response message type setting in dnstap module
  + fix: Remote address retrieval from dnstap capture in kdig
  + fix: Global modules execution for queries hitting existing zones
  + fix: Execution of semantic checks after an IXFR transfer
  + fix: kdig failure when the first AXFR message contains just the SOA record
  + fix: Exclude non-authoritative types from NSEC/NSEC3 bitmap at a delegation
  + fix: Mark PKCS#11 generated keys as sensitive
  + fix: Error when removing the only zone from the server
  + fix: Don't abort knotc transaction when some check fails
  + feature: URI and CAA resource record types support
  + feature: RRL client address based white list
  + feature: knotc interactive mode
  + improvement: Consistent IXFR error messages
  + improvement: Various fixes for better compatibility with PKCS#11 devices
  + improvement: Various keymgr user interface improvements
  + improvement: Better zone event scheduler performance with many zones
  + improvement: New server control interface
  + improvement: kdig uses local resolver if resolv.conf is empty

* Wed Feb 10 2016 Jan Vcelak <jvcelak@fedoraproject.org> 2.1.1-1
- new upstream release:
  + fix: Allow import of duplicate private key into the KASP
  + fix: Avoid duplicate NSEC for Wildcard No Data answer
  + fix: Server crash when an incomming transfer is in progress and reload is issued
  + fix: Socket polling when configured with many interfaces and threads
  + improvement: Use correct source address for UDP messages recieved on ANY address
  + improvement: Extend documentation of knotc commands

* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild

* Thu Jan 14 2016 Jan Vcelak <jvcelak@fedoraproject.org> 2.1.0-1
- new upstream release:
  + improvement: Remove implementation limit for the number of network interfaces
  + improvement: Remove possibly insecure server control over a network socket
  + fix: Schedule zone bootstrap after slave zone fails to load from disk

* Sun Dec 20 2015 Jan Vcelak <jvcelak@fedoraproject.org> 2.1.0-0.1.rc1
- new upstream pre-release:
  + feature: Per-thread UDP socket binding using SO_REUSEPORT
  + feature: Support for dynamic configuration database
  + feature: DNSSEC, Support for cryptographic tokens via PKCS #11 interface
  + feature: DNSSEC, Experimental support for online signing
  + improvement: Support for zone file name patterns
  + improvement: Configurable location of zone timer database
  + improvement: Non-blocking network operations and better timeout handling
  + improvement: Caching of Critical configuration values for better performance
  + improvement: Logging of ACL failures
  + improvement: RRL: Add rate-limit-slip zero support to drop all responses
  + improvement: RRL: Document behavior for different rate-limit-slip options
  + improvement: kdig: Warning instead of error on TSIG validation failure
  + improvement: Cleanup of support libraries interfaces (libknot, libzscanner, libdnssec)
  + fix: synth-record module: Fix application of default configuration options
  + fix: TSIG: Allow compressed TSIG name when forwarding DDNS updates

* Wed Nov 25 2015 Jan Vcelak <jvcelak@fedoraproject.org> 2.0.2-1
- new upstream release:
  + security fix: out-of-bound read in packet parser for malformed NAPTR record

* Thu Sep 03 2015 Jan Vcelak <jvcelak@fedoraproject.org> 2.0.1-1
- new upstream release:
  + fix: do not reload expired zones on 'knotc reload' and server startup
  + fix: rare race-condition in event scheduling causing delayed event execution
  + fix: skipping of non-authoritative nodes in NSEC proofs
  + fix: TC flag setting in RRL slipped answers
  + fix: disable domain name compression for root label
  + fix: fix CNAME following when quering for NSEC RR type
  + fix: fix refreshing of DNSSEC signatures for zone keys
  + fix: fix binding an unavailable IPv6 address (IP_FREEBIND)
  + fix: fix infinite loop in knotc zonestatus and memstats
  + fix: fix memory leak in configuration on server shutdown
  + fix: fix broken dnsproxy module
  + fix: fix multi value parsing on big-endian
  + fix: adapt to Nettle 3 API break causing base64 decoding failures on big-endian
  + feature: add 'keymgr zone key ds' to show key's DS record
  + feature: add 'keymgr tsig generate' to generate TSIG keys
  + feature: add query module scoping to process either all queries or zone queries only
  + feature: add support for file name globbing in config file includes
  + feature: add 'request-edns-option' config option to add custom EDNS0 option into server initiated queries
  + improvement: send minimal responses (remove NS from Authority section for NOERROR)
  + improvement: update persistent timers only on shutdown for better performance
  + improvement: allow change of RR TTL over DDNS
  + improvement: documentation fixes, updates, and improvements in formatting
  + improvement: install yparser and zscanner header files

* Mon Jul 20 2015 Jan Vcelak <jvcelak@fedoraproject.org> 2.0.0-1
- new upstream release:
  + feature: possibility to disable zone file synchronization
  + feature: knsupdate, add input prompt in interactive mode
  + feature: knsupdate, TSIG algorithm specification in interactive mode

* Thu Jun 18 2015 Jan Vcelak <jvcelak@fedoraproject.org> 2.0.0-0.1.rc1
- new upstream pre-release:
  + fix: lost NOTIFY message if received during zone transfer
  + fix: kdig, record correct dnstap SocketProtocol when retrying over TCP
  + fix: kdig, hide TSIG section with +noall
  + fix: do not set AA flag for AXFR/IXFR queries
  + feature: new configuration format in YAML, binary store im LMDB
  + feature: DNSSEC, separate library, switch to GnuTLS, new utilities
  + feature: DNSSEC, basic KASP support (generate initial keys, ZSK rollover)
  + feature: zone parser, split long TXT/SPF strings into multiple strings
  + feature: kdig, add generic dump style option (+generic)
  + feature: try all master servers on failure in multi-master environment
  + feature: improved remotes and ACLs (multiple addresses, multiple keys)
  + feature: basic support for zone file patterns (%s to substitute zone name)
  + improvement: do not write class for SOA record (unified with other RR types)
  + improvement: do not write master server address into the zone file
  + documentation: manual pages also in HTML and PDF format

* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.99.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild

* Mon May 04 2015 Kalev Lember <kalevlember@gmail.com> - 1.99.1-3
- Rebuilt for nettle soname bump

* Fri Feb 13 2015 Jan Vcelak <jvcelak@fedoraproject.org> 1.99.1-2
- fix BuildRequires for systemd integration

* Fri Feb 13 2015 Jan Vcelak <jvcelak@fedoraproject.org> 1.99.1-1
- new upstream pre-release version:
  + DNSSEC: switch from OpenSSL to GnuTLS
  + DNSSEC: initial support for KASP
- split package into subpackages
- add documentation building
- restart daemon on updated