%global _hardened_build 1

# comment out this define using #%% if it is not a pre-release version
# %% define PRERELEASE rc3

Name:           knot-resolver
Version:        1.3.1
Release:        %{?PRERELEASE}%{?PRERELEASE:.}1%{?dist}.1
Summary:        Caching full DNS Resolver

License:        GPLv3
URL:            https://www.knot-resolver.cz/
Source0:        https://secure.nic.cz/files/%{name}/%{name}-%{version}%{?PRERELEASE:-}%{?PRERELEASE}.tar.xz
# upstream detached signature for Source0; note that %%prep below does not verify it
Source1:        https://secure.nic.cz/files/%{name}/%{name}-%{version}%{?PRERELEASE:-}%{?PRERELEASE}.tar.xz.asc

# LuaJIT only on these arches
ExclusiveArch:  %{arm} aarch64 %{ix86} x86_64

Source2:        config
Source3:        rootkeys/root.keys
Source100:      kresd.service
Source101:      kresd.socket
Source102:      kresd-control.socket
Source103:      kresd-tls.socket
Source104:      kresd.tmpfiles

BuildRequires:  pkgconfig(libknot) >= 2.3.1
BuildRequires:  pkgconfig(libzscanner) >= 2.3.1
BuildRequires:  pkgconfig(libdnssec) >= 2.3.1
BuildRequires:  pkgconfig(libuv)
BuildRequires:  pkgconfig(luajit) >= 2.0
BuildRequires:  pkgconfig(libedit)
BuildRequires:  pkgconfig(libmemcached) >= 1.0
BuildRequires:  pkgconfig(hiredis)
BuildRequires:  pkgconfig(libsystemd)
BuildRequires:  pkgconfig(cmocka)
BuildRequires:  systemd

# FIXME: documentation fails to build on Fedora 25
# https://bugzilla.redhat.com/show_bug.cgi?id=1333391
#BuildRequires:  doxygen
#BuildRequires:  breathe
#BuildRequires:  python-sphinx
#BuildRequires:  python-sphinx_rtd_theme

# Lua 5.1 versions of the libraries have different package names
%if 0%{?rhel}
Requires:       lua-socket
Requires:       lua-sec
%else
Requires:       lua-socket-compat
Requires:       lua-sec-compat
%endif

Requires(pre):    shadow-utils
Requires(post):   systemd
Requires(preun):  systemd
Requires(postun): systemd

%description
The Knot DNS Resolver is a caching full resolver implementation written in C
and LuaJIT, including both a resolver library and a daemon. The modular
architecture of the library keeps the core tiny and efficient, and provides
a state-machine-like API for extensions.

The package is pre-configured as a local caching resolver. To start using it,
just start the local DNS socket:

  # systemctl start kresd.socket

BEWARE: Because of https://bugzilla.redhat.com/show_bug.cgi?id=1366968
you need to switch your system to SELinux permissive mode.

%package devel
Summary:        Development headers for Knot DNS Resolver
Requires:       %{name}%{?_isa} = %{version}-%{release}

%description devel
The package contains development headers for Knot DNS Resolver.

%prep
%setup -q -n %{name}-%{version}%{?PRERELEASE:-}%{?PRERELEASE}
rm -v scripts/bootstrap-depends.sh

%build
%global build_paths PREFIX=%{_prefix} BINDIR=%{_bindir} LIBDIR=%{_libdir} INCLUDEDIR=%{_includedir} ETCDIR=%{_sysconfdir}/kresd
%global build_flags V=1 CFLAGS="%{optflags}" LDFLAGS="%{__global_ldflags}" %{build_paths} HAS_go=no
%make_build %{build_flags}

%install
%make_install %{build_flags}

# move sample configuration files to documentation
install -m 0755 -d %{buildroot}%{_pkgdocdir}
mv %{buildroot}%{_sysconfdir}/kresd/config.* %{buildroot}%{_pkgdocdir}
chmod 0644 %{buildroot}%{_pkgdocdir}/config.*
rm -vr %{buildroot}%{_sysconfdir}/kresd

# install configuration files
mkdir -p %{buildroot}%{_sysconfdir}
install -m 0755 -d %{buildroot}%{_sysconfdir}/kresd
install -m 0644 -p %SOURCE2 %{buildroot}%{_sysconfdir}/kresd/config
# root.keys is group-writable so the kresd user can update trust anchors
# (automatic trust anchor management)
install -m 0664 -p %SOURCE3 %{buildroot}%{_sysconfdir}/kresd/root.keys

# install systemd units
mkdir -p %{buildroot}%{_unitdir}
install -m 0644 -p %SOURCE100 %{buildroot}%{_unitdir}/kresd.service
install -m 0644 -p %SOURCE101 %{buildroot}%{_unitdir}/kresd.socket
install -m 0644 -p %SOURCE102 %{buildroot}%{_unitdir}/kresd-control.socket
install -m 0644 -p %SOURCE103 %{buildroot}%{_unitdir}/kresd-tls.socket

# install tmpfiles.d
mkdir -p %{buildroot}%{_tmpfilesdir}
install -m 0644 -p %SOURCE104 %{buildroot}%{_tmpfilesdir}/kresd.conf
mkdir -p %{buildroot}%{_rundir}
install -m 0750 -d %{buildroot}%{_rundir}/kresd

# remove module with unsatisfied dependencies
rm -r %{buildroot}%{_libdir}/kdns_modules/{http,http.lua}

%check
# run the unit tests against the freshly built library rather than any installed copy
LD_PRELOAD=lib/libkres.so make check %{build_flags} LDFLAGS="%{__global_ldflags} -ldl"

%pre
# unprivileged system account the daemon runs as; no login shell
getent group kresd >/dev/null || groupadd -r kresd
getent passwd kresd >/dev/null || useradd -r -g kresd -d %{_sysconfdir}/kresd -s /sbin/nologin -c "Knot DNS Resolver" kresd
exit 0

%post
%systemd_post kresd.service
/sbin/ldconfig

%preun
%systemd_preun kresd.service

%postun
%systemd_postun_with_restart kresd.service
/sbin/ldconfig

%files
%license COPYING
%doc %{_pkgdocdir}
%attr(775,root,kresd) %dir %{_sysconfdir}/kresd
%attr(644,root,kresd) %config(noreplace) %{_sysconfdir}/kresd/config
%attr(664,root,kresd) %config(noreplace) %{_sysconfdir}/kresd/root.keys
%attr(750,kresd,kresd) %dir %{_rundir}/kresd
%{_unitdir}/kresd.service
%{_unitdir}/kresd*.socket
%{_tmpfilesdir}/kresd.conf
%{_sbindir}/kresd
%{_sbindir}/kresc
%{_libdir}/libkres.so.*
%{_libdir}/kdns_modules
%{_mandir}/man8/kresd.*

%files devel
%{_includedir}/libkres
%{_libdir}/pkgconfig/libkres.pc
%{_libdir}/libkres.so

%changelog
* Wed Jul 26 2017 Fedora Release Engineering - 1.3.1-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

* Tue Jul 11 2017 Petr Spacek - 1.3.1-2
- build experimental command line interface "kresc"

* Tue Jul 11 2017 Petr Spacek - 1.3.1-1
New upstream release:

Knot Resolver 1.3.1 (2017-06-23)
================================

Bugfixes
--------
- modules/http: fix finding the static files (bug from 1.3.0)
- policy.FORWARD: fix some cases of CNAMEs obstructing search for zone cuts

Knot Resolver 1.3.0 (2017-06-13)
================================

Security
--------
- Refactor handling of AD flag and security status of resource records.
  In some cases it was possible for secure domains to get cached as insecure,
  even for a TLD, leading to disabled validation.
  It also fixes answering with non-authoritative data about nameservers.

Improvements
------------
- major feature: support for forwarding with validation (#112).
  The old policy.FORWARD action now does that; the previous non-validating
  mode is still available as policy.STUB except that also uses caching (#122).
- command line: specify ports via @ but still support # for compatibility
- policy: recognize 100.64.0.0/10 as local addresses
- layer/iterate: *do* retry repeatedly if REFUSED, as we can't yet easily
  retry with other NSs while avoiding retrying with those who REFUSED
- modules: allow changing the directory where modules are found,
  and do not search the default library path anymore.

Bugfixes
--------
- validate: fix insufficient caching for some cases (relatively rare)
- avoid putting "duplicate" record-sets into the answer (#198)

Knot Resolver 1.2.6 (2017-04-24)
================================

Security
--------
- dnssec: don't set AD flag for NODATA answers if wildcard non-existence
  is not guaranteed due to opt-out in NSEC3

Improvements
------------
- layer/iterate: don't retry repeatedly if REFUSED

Bugfixes
--------
- lib/nsrep: revert some changes to NS reputation tracking that caused
  severe problems to some users of 1.2.5 (#178 and #179)
- dnssec: fix verification of wildcarded non-singleton RRsets
- dnssec: allow wildcards located directly under the root
- layer/rrcache: avoid putting answer records into queries in some cases

* Thu Apr 06 2017 Petr Spacek - 1.2.5-1
- new upstream release
  + security: layer/validate: clear AD if closest encloser proof has opted-out NSEC3 (#169)
  + security: layer/validate: check if NSEC3 records in wildcard expansion proof have an opt-out
  + security: dnssec/nsec: missed wildcard no-data answers validation has been implemented
  + fix: trust anchors: Improve trust anchors storage format (#167)
  + fix: trust anchors: support non-root TAs, one domain per file
  + fix: policy.DENY: set AA flag and clear AD flag
  + fix: lib/resolve: avoid unnecessary DS queries
  + fix: lib/nsrep: don't treat servers with NOIP4 + NOIP6 flags as timed out
  + fix: layer/iterate: During packet classification (answer vs. referral) don't analyze
    AUTHORITY section in authoritative answer if ANSWER section contains records that
    have been requested
  + enhancement: modules/dnstap: a DNSTAP support module (Contributed by Vicky Shrestha)
  + enhancement: modules/workarounds: a module adding workarounds for known DNS protocol violators
  + enhancement: layer/iterate: fix logging of glue addresses
  + enhancement: kr_bitcmp: allow bits=0 and consequently 0.0.0.0/0 matches in view and renumber modules.
  + enhancement: modules/padding: Improve default padding of responses (Contributed by Daniel Kahn Gillmor)
  + enhancement: New kresc client utility (experimental; don't rely on the API yet)

* Thu Mar 09 2017 Petr Spacek - 1.2.4-1
- new upstream release
  + security: Knot Resolver 1.2.0 and higher could return AD flag for insecure answer
    if the daemon received answer with invalid RRSIG several times in a row.
  + fix: layer/iterate: some improvements in cname chain unrolling
  + fix: layer/validate: fix duplicate records in AUTHORITY section in case of WC expansion proof
  + fix: lua: do *not* truncate cache size to unsigned
  + fix: forwarding mode: correctly forward +cd flag
  + fix: fix a potential memory leak
  + fix: don't treat answers that contain DS non-existence proof as insecure
  + fix: don't store NSEC3 and their signatures in the cache
  + fix: layer/iterate: when processing delegations, check if qname is at or below new authority
  + enhancement: modules/policy: allow QTRACE policy to be chained with other policies
  + enhancement: hints.add_hosts(path): a new property
  + enhancement: module: document the API and simplify the code
  + enhancement: policy.MIRROR: support IPv6 link-local addresses
  + enhancement: policy.FORWARD: support IPv6 link-local addresses
  + enhancement: add net.outgoing_{v4,v6} to allow specifying address to use for connections

* Mon Feb 27 2017 Petr Spacek - 1.2.3-1
- new upstream release
  + security: a cached negative answer from a CD query would be reused to construct
    response for non-CD queries, resulting in Insecure status instead of Bogus.
  + fix: lua: make the map command check its arguments
  + fix: -k argument processing to avoid out-of-bounds memory accesses
  + fix: lib/resolve: fix zonecut fetching for explicit DS queries
  + fix: hints: more NULL checks
  + fix: TA bootstrapping for multiple TAs in the IANA XML file
  + fix: Disable storing GLUE records into the cache even in the (non-default) QUERY_PERMISSIVE mode
  + fix: iterate: skip answer RRs that don't match the query
  + fix: layer/iterate: some additional processing for referrals
  + fix: lib/resolve: zonecut fetching error was fixed

* Fri Feb 10 2017 Fedora Release Engineering - 1.2.0-2.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild

* Fri Jan 27 2017 Petr Spacek - 1.2.0-2
- rebuild against knot-2.4.0

* Fri Jan 27 2017 Petr Spacek - 1.2.0
- new upstream release:
  + fix: reworked DNSSEC Validation, that fixes several known problems with
    less standard DNS configurations
  + fix: the resolver was setting AD flag when running in a forwarding mode
  + fix: correctly return RCODE=NOTIMPL on meta-queries and non IN class queries
  + fix: crash in hints module when hints file was empty
  + fix: non-lowercase hints
  + features: optional EDNS(0) Padding support for DNS over TLS
  + features: support for debugging DNSSEC with CD bit
  + features: DNS over TLS is now able to create ephemeral certs at runtime
    (Thanks Daniel Kahn Gillmor for contributing to DNS over TLS implementation in Knot Resolver.)
  + features: configurable minimum and maximum TTL (default 6 days)
  + features: configurable pseudo-random reordering of RR sets
  + features: new module 'version' that can call home and report new versions
    and security vulnerabilities to the log file

* Mon Jan 23 2017 Petr Spacek - 1.2.0-rc1
- Update to latest upstream version
- Fix packaging bug: depend on proper Lua library versions
- Allow automatic trust anchor management to work

* Sat Nov 19 2016 Peter Robinson 1.1.1-3
- Add ExclusiveArch for architectures with LuaJIT

* Mon Aug 29 2016 Igor Gnatenko - 1.1.1-2
- Rebuild for LuaJIT 2.1.0

* Wed Aug 24 2016 Jan Vcelak - 1.1.1-1
- new upstream release:
  + fix name server fallback in case some of the servers are unreachable

* Fri Aug 12 2016 Jan Vcelak - 1.1.0-1
- new upstream release:
  + RFC7873 DNS Cookies
  + RFC7858 DNS over TLS
  + Metrics exported in Prometheus
  + DNS firewall module
  + Explicit CNAME target fetching in strict mode
  + Query minimisation improvements
  + Improved integration with systemd

* Tue May 31 2016 Jan Vcelak - 1.0.0-1
- final release

* Thu May 05 2016 Jan Vcelak - 1.0.0-0.3.4f463d7
- update to latest git version
- re-enable unit-test

* Sat Apr 09 2016 Jan Vcelak - 1.0.0-0.2.79a8440
- update to latest git version
- fix package review issues

* Tue Feb 02 2016 Jan Vcelak - 1.0.0-0.1.beta3
- initial package