From d7bcc153a9ad40627fb4d1a9450d6366d172747f783d85cef4e8eece4b8f89a6 Mon Sep 17 00:00:00 2001
From: Darin Perusich
Date: Sat, 6 Feb 2016 12:52:28 +0000
Subject: [PATCH] Accepting request 357761 from home:msmeissn:branches:server:dns - split off a libunbound package with less buildrequires to allow shorter buildcycles when built by gnutls. bsc#964346 After accepting do this: osc linkpac server:dns unbound server:dns libunbound libunbound as used by gnutls will then not have Java in its buildrequires (implicit by protobuf-c)
OBS-URL: https://build.opensuse.org/request/show/357761
OBS-URL: https://build.opensuse.org/package/show/server:dns/unbound?expand=0&rev=31
---
 libunbound.changes | 515 +++++++++++++++++++++++++++++++++++++++++++++
 libunbound.spec | 442 ++++++++++++++++++++++++++++++++++++++
 unbound.changes | 6 +
 unbound.spec | 111 ++++++----
 4 files changed, 1037 insertions(+), 37 deletions(-)
 create mode 100644 libunbound.changes
 create mode 100644 libunbound.spec
diff --git a/libunbound.changes b/libunbound.changes
new file mode 100644
index 0000000..336000c
--- /dev/null
+++ b/libunbound.changes
@@ -0,0 +1,515 @@
+-------------------------------------------------------------------
+Thu Feb 4 13:01:35 UTC 2016 - meissner@suse.com
+
+- split off a libunbound package with less buildrequires to
+ allow shorter buildcycles when built by gnutls. bsc#964346
+
+-------------------------------------------------------------------
+Thu Dec 10 11:48:46 UTC 2015 - michael@stroeder.com
+
+- update to 1.5.7
+
+Features
+ * Fix #594. libunbound: optionally use libnettle for crypto.
+ Contributed by Luca Bruno. Added --with-nettle for use with
+ --with-libunbound-only.
+ * Implemented qname minimisation
+
+Bug Fixes
+ * Fix #712: unbound-anchor appears to not fsync root.key.
+ * Fix #714: Document config to block private-address for IPv4
+ mapped IPv6 addresses.
+ * portability, replace snprintf if return value broken
+ * portability fixes.
+ * detect libexpat without xml_StopParser function.
+ * isblank() compat implementation.
+ * patch from Doug Hogan for SSL_OP_NO_SSLvx options.
+ * Fix #716: nodata proof with empty non-terminals and wildcards.
+ * Fix #718: Fix unbound-control-setup with support for env
+ without HEREDOC bash support.
+ * ACX_SSL_CHECKS no longer adds -ldl needlessly.
+ * Change example.conf: ftp.internic.net to https://www.internic.net
+ * Fix for lenient accept of reverse order DNAME and CNAME.
+ * spelling fixes from Igor Sobrado Delgado.
+ * Fix that malformed EDNS query gets a response without malformed EDNS.
+ * Added assert on rrset cache correctness.
+ * Fix #720: add windows scripts to zip bundle,
+ and fix unbound-control-setup windows batch file.
+ * Fix for #724: conf syntax to read files from run dir (on Windows).
+ And fix PCA prompt for unbound-service-install.exe.
+ And add Changelog to windows binary dist.
+ * .gitignore for git users.
+ * iana portlist update.
+ * Removed unneeded whitespace from example.conf.
+ * Do not minimise forwarded requests.
+
+-------------------------------------------------------------------
+Thu Oct 15 19:31:43 UTC 2015 - michael@stroeder.com
+
+- update to 1.5.6
+ Features
+ - Default for ssl-port is port 853, the temporary port assignment for
+ secure domain name system traffic. If you used to rely on the older
+ default of port 443, you have to put a clause in unbound.conf for
+ that. The new value is likely going to be the standardised port number
+ for this traffic.
+ - ANY responses include DNAME records if present, as per Evan Hunt's
+ remark in dnsop.
+
+ Bug Fixes
+ - Fix segfault in the dns64 module in the formaterror error path.
+ - Fix manpage to suggest using SIGTERM to terminate the server.
+ - iana portlist update.
+
+-------------------------------------------------------------------
+Sat Oct 10 09:31:40 UTC 2015 - michael@stroeder.com
+
+- ignore absence of the systemd-tmpfiles command
+
+-------------------------------------------------------------------
+Tue Oct 6 14:21:00 UTC 2015 - mrueckert@suse.de
+
+- update to 1.5.5
+ Features
+ - Change default of harden-algo-downgrade to off. This is lenient
+ for algorithm rollover.
+ - Added permit-small-holddown config to debug fast 5011 rollover.
+ - Allow certificate chain files to allow for intermediate
+ certificates. (thanks Daniel Kahn Gillmor)
+ - Enable ECDHE for servers. Where available, use
+ SSL_CTX_set_ecdh_auto() for TLS-wrapped server configurations
+ to enable ECDHE. Otherwise, manually offer curve p256. Client
+ connections should automatically use ECDHE when available.
+ (thanks Daniel Kahn Gillmor)
+ - Feature --enable-pie option to that builds PIE binary.
+ [bugzilla: 699 ]
+ - Feature --enable-relro-now option that enables full read-only
+ relocation. [bugzilla: 700 ]
+ - New IPs for for h.root-servers.net. [bugzilla: 702 ]
+ Bug Fixes
+ - Fix setting forwarders with unbound-control forward implicitly
+ turns on forward-first. [bugzilla: 681 ]
+ - Fix that reload fails when so-reuseport is yes after changing
+ num-threads. [bugzilla: 690 ]
+ - please afl-gcc (llvm) for uninitialised variable warning.
+ - Fix mktime in unbound-anchor not using UTC.
+ - Fix 5011 anchor update timer after reload.
+ - 5011 implementation does not insist on all algorithms, when
+ harden-algo-downgrade is turned off.
+ - Document in the manual more text about configuring locally
+ served zones.
+ - Document that local-zone nodefault matches exactly and
+ transparent can be used to release a subzone.
+ - Fix that configure script does not detect LibreSSL 2.2.2
+ [bugzilla: 694 ]
+ - Fix deadlock for local data add and zone add when
+ unbound-control list_local_data printout is interrupted.
+ - Fix get PY_MAJOR_VERSION failure at configure for python 2.4 to
+ 2.6. [bugzilla: 697 ]
+ - changed windows setup compression to be more transparent.
+ - Fix config globbed include chroot treatment, this fixes reload
+ of globs (patch from Dag-Erling Smørgrav).
+ - Fix ub_ctx_set_fwd() return value mishandled on windows.
+ [bugzilla: 705 ]
+ - Fix minor error in unbound.conf.5.in.
+ - Fix unbound.conf(5) access-control description for precedence
+ and default.
+ - Fix unbound-control flush that does not succeed in removing
+ data.
+ - MAX_TARGET_COUNT increased to 64, to fix up sporadic resolution
+ failures.
+ - iana portlist update.
+- remove manual hacks for relro,now and pie and replace them with
+ official configure options.
+
+-------------------------------------------------------------------
+Fri Sep 4 13:37:38 UTC 2015 - mrueckert@suse.de
+
+- enable event api
+- enable dnstap support
+
+-------------------------------------------------------------------
+Thu Jul 9 10:16:32 UTC 2015 - michael@stroeder.com
+
+- update to 1.5.4
+
+Features
+ - [bugzilla: 644 ] harden-algo-downgrade option, if turned off,
+ fixes the reported excessive validation failure when multiple
+ algorithms are present. If set to 'no', it allows the weakest
+ algorithm to validate the zone.
+ - stats reports tcp usage, of incoming-num-tcp buffers.
+ - contrib/unbound_smf22.tar.gz: Solaris SMF installation/removal
+ scripts. Contributed by Yuri Voinov.
+ - Add ip-transparent config option for bind to non-local addresses.
+ - Synthesize ANY responses from cache. Does not search exhaustively,
+ but MX,A,AAAA,SOA,NS also CNAME.
+ - unbound-control list_insecure command shows the negative trust
+ anchors currently configured, patch from Jelte Jansen.
+ - ratelimit feature, ratelimit: 1000, can be used to turn it on. It
+ ratelimits recursion effort per zone. For particular names you can
+ configure exceptions in unbound.conf.
+ - Ratelimit does not apply to prefetched queries, and
+ ratelimit-factor is default 10. Repeated normal queries get resolved
+ and with prefetch stay in the cache.
+ - unbound-control ratelimit_list lists high rate domains.
+ - caps-whitelist in unbound.conf allows whitelist of loadbalancers
+ that cannot work with caps-for-id or its fallback.
+ - RFC 7553 RR type URI support, is now enabled by default.
+ - cache-max-negative-ttl config option, default 3600.
+ - Add local-zone type inform_deny, that logs query and drops answer.
+
+Bug Fixes
+ - Unbound exits with a fatal error when the auto-trust-anchor-file
+ fails to be writable. This is seconds after startup. You can load a
+ readonly auto-trust-anchor-file with trust-anchor-file. The file has
+ to be writable to notice the trust anchor change, without it, a trust
+ anchor change will be unnoticed and the system will then become
+ inoperable.
+ - DLV is going to be decommissioned. Advice to stop using it, and
+ put text in the example configuration and man page to that effect.
+ - Patch from Brad Smith that syncs compat/getentropy_linux with
+ OpenBSD's version (2015-03-04).
+ - 0x20 fallback improved: servfail responses do not count as missing
+ comparisons (except if all responses are errors), inability to find
+ nameservers does not fail equality comparisons, many nameservers does
+ not try to compare more than max-sent-count, parse failures start 0x20
+ fallback procedure.
+ - store caps_response with best response in case downgrade response
+ happens to be the last one.
+ - Document that incoming-num-tcp increase is good for large servers.
+ - Fix lintian warning in unbound-checkconf man page (from Andreas
+ Schulze).
+ - Updated default keylength in unbound-control-setup to 3k.
+ - Fixup compile on cygwin, more portable openssl thread id.
+ - Use reallocarray for integer overflow protection, patch submitted
+ by Loganaden Velvindron.
+ - Fixed to add integer overflow checks on allocation (defense in depth).
+ - Fix segfault on user not found at startup (from Maciej Soltysiak).
+ - [bugzilla: 657 ] Fix that libunbound(3) recommends deprecated
+ CRYPTO_set_id_callback.
+ - If unknown trust anchor algorithm, and libressl is used, error
+ message encourages upgrade of the libressl package.
+ - rename ldns subdirectory to sldns to avoid name collision.
+ - [bugzilla: 660 ] Fix interface-automatic broken in the presence of
+ asymmetric routing.
+ - Libunbound skips dos-line-endings from etc/hosts.
+ - Fix crash in dnstap: Do not try to log TCP responses after timeout.
+ - Fix that get_option for cache-sizes does not print double newline.
+ - [bugzilla: 663 ] Fix that ssl handshake fails when using unix
+ socket because dh size is too small.
+ - [bugzilla: 664 ] libunbound python3 related fixes (from Tomas
+ Hozza); Use print_function also for Python2. libunbound examples:
+ produce sorted output. libunbound-Python: libldns is not used anymore.
+ Fix issue with Python 3 mapping of FILE* using file_py3.i from ldns.
+ - Fix leaked dns64prefix configuration string.
+ - Removed contrib/unbound_unixsock.diff, because it has been
+ integrated, use control-interface: /path in unbound.conf.
+ - Change syntax of particular validator error to be easier for
+ machine parse, swap rrset and ip adres info so it looks like:
+ validation failure : signature crypto failed
+ from 2001:DB8:7:bba4::53 for <*.example.nl. NSEC IN>
+ - Fix that unparseable error responses are ratelimited.
+ - SOA negative TTL is capped at minimumttl in its rdata section.
+ - [bugzilla: 674 ] Do not free pointers given by getenv.
+ - [bugzilla: 677 ] Fix CNAME corresponding to a DNAME was checked
+ incorrectly and was therefore always synthesized (thanks to Valentin
+ Dietrich). And fix DNAME responses from cache that failed internal
+ chain test.
+ - iana portlist update.
+
+-------------------------------------------------------------------
+Fri Apr 24 13:53:53 UTC 2015 - michael@stroeder.com
+
+- update to 1.5.3
+- Bug Fixes
+ [bugzilla: 647 ]
+ Fix #647 crash in 1.5.2 because pwd.db no longer accessible after reload.
+ [bugzilla: 645 ]
+ Fix #645 Portability to Solaris 10, use AF_LOCAL.
+ [bugzilla: 646 ]
+ Fix #646 Portability to Solaris, -lrt for getentropy_solaris.
+ Use the getrandom syscall introduced in Linux 3.17 (from Heiner Kallweit).
+
+-------------------------------------------------------------------
+Thu Feb 19 23:35:58 UTC 2015 - mrueckert@suse.de
+
+- update to 1.5.2
+ - Features
+ - local-zone: example.com inform makes unbound log a message
+ with client IP for queries in that zone. Eg. for finding
+ infected hosts.
+ - patch from Stephane Lapie that adds to the python API, that
+ exposes struct delegpt, and adds the find_delegation
+ function.
+ - Updated contrib warmup.cmd/sh to support two modes - load
+ from pre-defined list of domains or (with filename as
+ argument) load from user-specified list of domains, and
+ updated contrib unbound_cache.sh/cmd to support
+ loading/save/reload cache to/from default path or (with
+ secondary argument) arbitrary path/filename, from Yuri
+ Voinov.
+ - patch for remote control over local sockets, from Dag-Erling
+ Smorgrav, Ilya Bakulin. Use control-interface: /path/sock and
+ control-use-cert: no.
+ - unbound-checkconf -f prints chroot with pidfile path.
+ - infra-cache-min-rtt patch from Florian Riehm, for expected
+ long uplink roundtrip times.
+ - Bug Fixes
+ - config.guess and config.sub update from libtoolize.
+ - getauxval test for ppc64 linux compatibility.
+ - make strip works for unbound-host and unbound-anchor.
+ - print query name when max target count is exceeded.
+ - patch from Stuart Henderson that fixes DESTDIR in
+ unbound-control-setup for installs where config is not in the
+ prefix location.
+ - [bugzilla: 634 ] Fix #634: fix fail to start on Linux LTS
+ 3.14.X, ignores missing IP_MTU_DISCOVER OMIT option (fix from
+ Remi Gacogne).
+ - Patch from Philip Paeps to contrib/unbound_munin_ that uses
+ type ABSOLUTE. Allows munin.conf: [idleserver.example.net]
+ unbound_munin_hits.graph_period minute
+ - Fix pyunbound ord call, portable for python 2 and 3.
+ - Fix unintended use of gcc extension for incomplete enum
+ types, compile with pedantic c99 compliance (from Daniel
+ Dickman).
+ - Fix pyunbound byte string representation for python3.
+ - Fix 0x20 capsforid fallback to omit gratuitous NS and
+ additional section changes.
+ - Fix validation failure in case upstream forwarder (ISC BIND)
+ does not have the same trust anchors and decides to insert
+ unsigned NS record in authority section.
+ - Fix scrubber with harden-glue turned off to reject NS (and
+ other not-address) records.
+ - iana portlist update.
+ - [bugzilla: 643 ] Fix doc/example.conf.in: unnecessary
+ whitespace.
+
+-------------------------------------------------------------------
+Mon Dec 8 16:12:23 UTC 2014 - mrueckert@suse.de
+
+- update to 1.5.1 (boo# 908990)
+ Features
+ - Patch from Stephane Lapie for ASAHI Net that implements
+ aaaa-filter, added to contrib/aaaa-filter-iterator.patch.
+ Bug Fixes
+ - Fix that CD flag disables DNS64 processing, returning the
+ DNSSEC signed AAAA denial.
+ - Fix compat/getentropy_win.c check if CryptGenRandom works and
+ no immediate exit on windows.
+ - Fix crash on multiple thread random usage on systems without
+ arc4random.
+ - Fix log at high verbosity and memory allocation failure.
+ - Fix libunbound undefined symbol errors for main.
+ - Patch from Robert Edmonds to build pyunbound python module
+ differently. No versioninfo, with -shared and without $(LIBS).
+ - Patch from Robert Edmonds fixes hyphens in unbound-anchor man
+ page.
+ - Removed 'increased limit open files' log message that is
+ written to console. It is only written on verbosity 4 and
+ higher. This keeps system bootup console cleaner.
+ - Patch from James Raftery, always print stats for rcodes 0..5.
+ - [bugzilla: 627 ] Fix SSL_CTX_load_verify_locations return code
+ not properly checked.
+ - Fix makefile for build from noexec source tree.
+ - Add include to getentropy_linux.c, fixing debian build.
+ - [bugzilla: 632 ] Fix that unbound fails to build on AArch64,
+ protects getentropy compat code from calling sysctl if it is
+ has been removed.
+ - Fix CVE-2014-8602: denial of service by making resolver chase
+ endless series of delegations.
+- changes in 1.5.0
+ Features
+ - This release has DNS64, DNSTAP, better random numbers and
+ ub_ctx_add_ta_autr(), num.query.tcpout=value, flush_negative,
+ unblock-lan-zones conf.
+ - C.ROOT-SERVERS.NET has an IPv6 address, and we updated the root
+ hints (patch from Anand Buddhdev).
+ - Patch from Hannes Frederic Sowa for Linux 3.15 fragmentation
+ option for DNS fragmentation defense.
+ - unbound-control stats prints num.query.tcpout with number of
+ TCP outgoing queries made in the previous statistics interval.
+ - Patch from Jeremie Courreges-Anglas to use arc4random_uniform
+ if available on the OS, it gets entropy from the OS.
+ - Add unbound-control flush_negative that flushed nxdomains,
+ nodata, and errors from the cache. For dnssec-trigger and
+ NetworkManager, fixes cases where network changes have
+ localdata that was already negatively cached from the previous
+ network.
+ - Contrib windows scripts from Yuri Voinov added to src/contrib:
+ create_unbound_ad_servers.cmd: enters anti-ad server lists.
+ unbound_cache.cmd: saves and loads the cache. Also warmup.cmd
+ (and .sh): warm up the DNS cache with your MRU domains.
+ - Added unbound-control-setup.cmd from Yuri Voinov to the windows
+ unbound distribution set. It requires openssl installed in
+ %PATH%.
+ - Implement draft-ietf-dnsop-rfc6598-rfc6303-01.
+ - Feature, unblock-lan-zones: yesno that you can use to make
+ unbound perform 10.0.0.0/8 and other reverse lookups normally,
+ for use if unbound is running service for localhost on localhost.
+ - unbound-host -D enabled dnssec and reads root trust anchor from
+ the default root key file that was compiled in.
+ - Add AAAA for B root server to default root hints.
+ - unbound-control status reports if so-reuseport was successful.
+ - so-reuseport is available on BSDs(such as FreeBSD 10) and OS/X.
+ - arc4random in compat/ and getentropy, explicit_bzero, chacha
+ for dependencies, from OpenBSD. arc4_lock and sha512 in compat.
+ This makes arc4random available on all platforms, except when
+ compiled with LIBNSS (it uses libNSS crypto random).
+ - Patch from Dag-Erling Smorgrav that implements that: unbound
+ -dd does not fork in the background and also logs to stderr.
+ - DNS64 from Viagenie (BSD Licensed), written by Simon Perrault.
+ Initial commit of the patch from the FreeBSD base (with its
+ fixes). This adds a module (for module-config in unbound.conf)
+ dns64 that performs DNS64 processing, see README.DNS64.
+ - Patch add msg, rrset, infra and key cache sizes to stats
+ command from Maciej Soltysiak.
+ - DNSTAP support, with a patch from Farsight Security, written by
+ Robert Edmonds. The --enable-dnstap needs libfstrm and
+ protobuf-c. It is BSD licensed (see dnstap/dnstap.c). Also
+ --with-libfstrm and --with-protobuf-c configure options.
+ - type CDS and CDNSKEY types.
+ - Updated the TCP_BACLOG from 5 to 256, so that the tcp accept
+ queue is longer and more tcp connections can be handled.
+ - Add ub_ctx_add_ta_autr function to add a RFC5011 automatically
+ tracked trust anchor to libunbound.
+ Bug Fixes
+ - Fix print filename of encompassing config file on read failure.
+ - Patch from Stuart Henderson to build unbound-host man from
+ .1.in.
+ - [bugzilla: 569] Fix do_tcp is do-tcp in unbound.conf man page.
+ - [bugzilla: 572] Fix unit test failure for systems with
+ different /etc/ services.
+ - iana portlist updated.
+ - [bugzilla: 574] Fix make test fails on Ubuntu 14.04. Disabled
+ remote-control in testbound scripts.
+ - Documented that dump_requestlist only prints queries from
+ thread 0.
+ - [bugzilla: 567] Fix unbound lists if forward zone is secure or
+ insecure with +i annotation in output of list_forwards, also
+ for list_stubs (for NetworkManager integration). And remove ':'
+ from output of stub and forward lists, this is easier to parse.
+ - [bugzilla: 554] Fix use unsigned long to print 64bit statistics
+ counters on 64bit systems.
+ - [bugzilla: 558] Fix failed prefetch lookup does not remove
+ cached response but delays next prefetch (in lieu of caching a
+ SERVFAIL).
+ - [bugzilla: 545] Fix improved logging, the ip address of the
+ error is printed on the same log-line as the error.
+ - [bugzilla: 502] Fix explain that do-ip6 disable does not stop
+ AAAA lookups, but it stops the use of the ipv6 transport layer
+ for DNS traffic.
+ - Fix compile with libevent2 on FreeBSD.
+ - Change MAX_SENT_COUNT from 16 to 32 to resolve some cases easier.
+ - Fixup out-of-directory compile with unbound-control-setup.sh.in.
+ - Code cleanup patch from Dag-Erling Smorgrav, with compiler
+ issue fixes from FreeBSD's copy of Unbound, he notes: Generate
+ unbound-control-setup.sh at build time so it respects prefix
+ and sysconfdir from the configure script. Also fix the umask
+ to match the comment, and the comment to match the umask. Add
+ const and static where needed. Use unions instead of playing
+ pointer poker. Move declarations that are needed in multiple
+ source files into a shared header. Move sldns_bgetc() from
+ parse.c to buffer.c where it belongs. Introduce a new header
+ file, worker.h, which declares the callbacks that all workers
+ must define. Remove those declarations from libworker.h.
+ Include the correct headers in the correct places. Fix a few
+ dummy callbacks that don't match their prototype. Fix some
+ casts. Hide the sbrk madness behind #ifdef HAVE_SBRK. Remove a
+ useless printf which breaks reproducible builds. Get rid of
+ CONFIGURE_{TARGET,DATE,BUILD_WITH} now that they're no longer
+ used. Add unbound-control-setup.sh to the list of generated
+ files. The prototype for libworker_event_done_cb() needs to be
+ moved from libunbound/libworker.h to libunbound/worker.h.
+ - Fix caps-for-id fallback, and added fallback attempt when
+ servers drop 0x20 perturbed queries.
+ - [bugzilla: 593] Fix segfault or crash upon rotating logfile.
+ - fake-rfc2553 patch (thanks Benjamin Baier).
+ - LibreSSL provides compat items, check for that in configure.
+ - [bugzilla: 596] Bail out of unbound-control list_local_zones
+ when ssl write fails.
+ - Fix endian.h include for OpenBSD.
+ - [bugzilla: 603] Fix unbound-checkconf -o option should skip
+ verification checks.
+ - Fixup doc/unbound.doxygen to remove obsolete 1.8.7 settings.
+ - Update unbound manpage with more explanation (from Florian Obser).
+ - Fix tcp timer waiting list removal code.
+ - patches to also build with Python 3.x (from Pavel Simerda).
+ - improve python configuration detection to build on Fedora 22.
+ - Fix swig and python examples for Python 3.x.
+ - Fix for mingw compile with openssl-1.0.1i.
+ - [bugzilla: 612] Fix create service with service.conf in present
+ directory and auto load it.
+ - [bugzilla: 613] Allow tab ws in var length last rdfs (in ldns
+ str2wire).
+ - [bugzilla: 614] Fix man page variable substitution bug.
+ - Whitespaces after $ORIGIN are not part of the origin dname
+ (ldns).
+ - $TTL's value starts at position 5 (ldns).
+ - Fix unbound-checkconf check for module config with dns64
+ module.
+ - Fix unbound capsforid fallback, it ignores TTLs in comparison.
+ - [bugzilla: 617] Fix in ldns in unbound, lowercase WKS services.
+ - Fix ctype invocation casts.
+ - Disabled use of SSLv3 in remote-control and ssl-upstream.
+ - Redefine internal minievent symbols to unique symbols that
+ helps linking on platforms where the linker leaks names across
+ modules.
+ - Fix bug where forward or stub addresses with same address but
+ different port number were not tried.
+
+-------------------------------------------------------------------
+Mon Nov 10 00:45:00 UTC 2014 - Led
+
+- fix bashisms in pre script
+
+-------------------------------------------------------------------
+Fri Sep 5 13:32:55 UTC 2014 - darin@darins.net
+
+- cleanup .spec
+- removed unused packes
+
+-------------------------------------------------------------------
+Tue Sep 2 13:21:55 UTC 2014 - darin@darins.net
+
+- disable %check until https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=602 is fixed
+
+-------------------------------------------------------------------
+Wed Aug 20 13:34:00 UTC 2014 - darin@darins.net
+
+- Added firewall service file
+
+-------------------------------------------------------------------
+Wed Aug 13 20:00:21 UTC 2014 - darin@darins.net
+
+- upadte to 1.4.22
+- use /run for pid to clear dir-or-file-in-var-run in factory
+
+-------------------------------------------------------------------
+Sat Dec 28 13:32:06 UTC 2013 - mrueckert@suse.de
+
+- fixed the execstartpre for unbound so we actually call
+ unbound-anchor now.
+
+-------------------------------------------------------------------
+Sat Dec 28 13:29:56 UTC 2013 - mrueckert@suse.de
+
+- fixed a few rpmlint warnings
+ - added unbound-rpmlintrc: files duplicate on those man page
+ links
+ - changed symlink to /usr/sbin/service
+ - improved descriptions
+
+-------------------------------------------------------------------
+Sat Dec 28 04:02:56 UTC 2013 - mrueckert@suse.de
+
+- update to 1.4.21
+ merged lots of stuff from the fedora package
+ - added python/munin/shlib/anchor subpackages
+- currently the package only supports systemd
+
+-------------------------------------------------------------------
+Wed May 21 03:50:15 CEST 2008 - mrueckert@suse.de
+
+- initial package
+
diff --git a/libunbound.spec b/libunbound.spec
new file mode 100644
index 0000000..98dfe2b
--- /dev/null
+++ b/libunbound.spec
@@ -0,0 +1,442 @@
+#
+# spec file for package libunbound
+#
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
+#
+
+
+%bcond_without python
+%bcond_without munin
+%bcond_without hardened_build
+
+%if 0%{?suse_version} > 1320
+%bcond_without dnstap
+%else
+%bcond_with dnstap
+%endif
+
+%if 0%{?suse_version} >= 1230
+%bcond_without systemd
+%else
+%bcond_with systemd
+%endif
+
+# only needed for < 1310
+%{!?_tmpfilesdir:%global _tmpfilesdir /usr/lib/tmpfiles.d}
+
+#
+%define _sharedstatedir /var/lib/
+%define ldns_version 1.6.16
+%define fwdir /etc/sysconfig/SuSEfirewall2.d/services
+
+#
+%if 0%{?suse_version} > 1220
+%define piddir /run
+%else
+%define piddir %{_localstatedir}/run
+%endif
+
+%if %{with python}
+%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
+%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
+%endif
+
+Name: libunbound
+Version: 1.5.7
+Release: 0
+#
+#
+BuildRoot: %{_tmppath}/%{name}-%{version}-build
+BuildRequires: flex
+BuildRequires: ldns-devel >= %{ldns_version}
+BuildRequires: libevent-devel
+BuildRequires: libexpat-devel
+BuildRequires: openssl-devel
+%if %name == "unbound"
+BuildRequires: python-devel
+%if %{with python}
+BuildRequires: swig
+%endif
+%if %{with dnstap}
+BuildRequires: libfstrm-devel
+BuildRequires: libprotobuf-c-devel >= 1.0.0
+BuildRequires: protobuf-c >= 1.0.0
+%endif
+PreReq: pwdutils
+Requires: ldns >= %{ldns_version}
+# until we figured something else out for the unbound-anchor part in the systemd unit file
+Requires: sudo
+%if %{with systemd}
+BuildRequires: systemd-devel
+%{?systemd_requires}
+%endif
+%endif
+#
+Url: http://www.unbound.net/
+Source: http://www.unbound.net/downloads/unbound-%{version}.tar.gz
+Source1: unbound.service
+Source2: unbound.conf
+Source3: unbound.munin
+Source4: unbound_munin_
+Source5: root.key
+Source6: dlv.isc.org.key
+Source7: unbound-keygen.service
+Source8: tmpfiles-unbound.conf
+Source9: example.com.key
+Source10: example.com.conf
+Source11: block-example.com.conf
+# From http://data.iana.org/root-anchors/icannbundle.pem
+Source12: icannbundle.pem
+Source13: root.anchor
+Source14: unbound.sysconfig
+Source15: unbound.cron
+Source16: unbound-munin.README
+Source17: unbound.firewall
+
+Summary: Validating, recursive, and caching DNS(SEC) resolver
+License: BSD-3-Clause
+Group: Productivity/Networking/DNS/Servers
+
+%description
+Unbound is a validating, recursive, and caching DNS(SEC) resolver.
+
+The C implementation of Unbound is developed and maintained by NLnet
+Labs. It is based on ideas and algorithms taken from a java prototype
+developed by Verisign labs, Nominet, Kirei and ep.net.
+
+Unbound is designed as a set of modular components, so that also
+DNSSEC (secure DNS) validation and stub-resolvers (that do not run
+as a server, but are linked into an application) are easily possible.
+
+%define libname libunbound2
+%if %name == "libunbound"
+%package -n %{libname}
+Requires: %{name}-anchor >= %{version}
+#
+Summary: Shared library from unbound
+Group: Development/Libraries/C and C++
+
+%description -n %{libname}
+Unbound is a validating, recursive, and caching DNS(SEC) resolver.
+
+This package holds the shared library from unbound.
+
+%package devel
+Requires: %{libname} = %{version}
+Requires: ldns-devel >= %{ldns_version}
+Requires: openssl-devel
+#
+Summary: Development files for libunbound
+Group: Development/Libraries/C and C++
+
+%description devel
+Unbound is a validating, recursive, and caching DNS(SEC) resolver.
+
+This package holds the development files to work with libunbound.
+
+%else
+
+%if %{with_munin}
+%package munin
+Summary: Plugin for the munin / munin-node monitoring package
+Group: System Environment/Daemons
+Requires: %{name} = %{version}
+Requires: bc
+Requires: munin-node
+BuildArch: noarch
+
+%description munin
+Unbound is a validating, recursive, and caching DNS(SEC) resolver.
+
+This package holds the plugin for the munin / munin-node monitoring package
+%endif
+
+%package anchor
+#
+Requires: cron
+Summary: Unbound Anchor cert management tools
+Group: Productivity/Networking/DNS/Servers
+
+%description anchor
+Unbound is a validating, recursive, and caching DNS(SEC) resolver.
+
+This package contains the tools to manage the anchor certs.
+
+%if %{with python}
+%package python
+Summary: Python modules and extensions for unbound
+Group: Applications/System
+Requires: %{libname} = %{version}
+
+%description python
+Unbound is a validating, recursive, and caching DNS(SEC) resolver.
+
+This package holds the Python modules and extensions for unbound.
+%endif
+
+%endif
+
+%prep
+%setup -n unbound-%version
+
+%build
+export CFLAGS="%{optflags}"
+export CXXFLAGS="%{optflags}"
+%configure \
+ --disable-rpath \
+ --with-libevent \
+ --with-pthreads \
+ --disable-static \
+ --with-ldns=%{_prefix} \
+ --enable-sha2 \
+ --enable-gost \
+ --enable-ecdsa \
+ --enable-event-api \
+ --enable-pie \
+ --enable-relro-now \
+ --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \
+ --with-pidfile=%{piddir}%{name}/%{name}.pid \
+%if %name == "unbound"
+%if %{with dnstap}
+ --enable-dnstap \
+%endif
+%if %{with python}
+ --with-pythonmodule --with-pyunbound \
+%endif
+%else
+ --without-pythonmodule --without-pyunbound \
+%endif
+ --with-rootkey-file=%{_sharedstatedir}/unbound/root.key
+
+%{__make} %{?_smp_mflags}
+%{__make} %{?_smp_mflags} streamtcp
+
+%install
+make install DESTDIR="%{buildroot}"
+
+%if %name == "unbound"
+install -d -m 0750 %{buildroot}/var/lib/unbound
+install -d 0755 %{buildroot}%{_unitdir}
+install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service
+install -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/unbound-keygen.service
+install -p -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound
+install -p -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/unbound
+install -D -p -m 0644 %{SOURCE14} %{buildroot}/var/adm/fillup-templates/sysconfig.%{name}
+ln -sf /usr/sbin/service %{buildroot}%{_sbindir}/rcunbound
+ln -sf /usr/sbin/service %{buildroot}%{_sbindir}/rcunbound-keygen
+
+install -p -m 0644 %{SOURCE16} .
+install -d 0755 %{buildroot}%{_sysconfdir}/cron.d
+install -p -m 0644 %{SOURCE15} %{buildroot}%{_sysconfdir}/cron.d/unbound-anchor
+
+install -d 0755 %{buildroot}%{fwdir}
+install -p -m 0644 %{SOURCE17} %{buildroot}%{fwdir}/%{name}
+
+%if %{with munin}
+# Install munin plugin and its softlinks
+install -d 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d
+install -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/munin/plugin-conf.d/unbound
+install -d 0755 %{buildroot}%{_datadir}/munin/plugins/
+install -p -m 0755 %{SOURCE4} %{buildroot}%{_datadir}/munin/plugins/unbound
+for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unbound_munin_by_type unbound_munin_by_class unbound_munin_by_opcode unbound_munin_by_rcode unbound_munin_by_flags unbound_munin_histogram; do
+ ln -s unbound %{buildroot}%{_datadir}/munin/plugins/$plugin
+done
+%endif
+
+# install streamtcp used for monitoring / debugging unbound's port 80/443 modes
+install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp
+# install streamtcp man page
+install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
+
+# Install tmpfiles.d config
+install -d -m 0755 %{buildroot}%{_tmpfilesdir}/ \
+ %{buildroot}%{_sharedstatedir}/unbound
+install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf
+
+# install root and DLV key - we keep a copy of the root key in old location,
+# in case user has changed the configuration and we wouldn't update it there
+install -m 0644 %{SOURCE5} %{SOURCE6} %{buildroot}%{_sysconfdir}/unbound/
+install -m 0644 %{SOURCE13} %{buildroot}%{_sharedstatedir}/unbound/root.key
+
+# remove static library from install (fedora packaging guidelines)
+rm %{buildroot}%{_libdir}/*.la
+%if %{with python}
+rm %{buildroot}%{python_sitearch}/*.la
+%endif
+
+# create softlink for all functions of libunbound man pages
+for mpage in ub_ctx ub_result ub_ctx_create ub_ctx_delete ub_ctx_set_option ub_ctx_get_option ub_ctx_config ub_ctx_set_fwd ub_ctx_resolvconf ub_ctx_hosts ub_ctx_add_ta ub_ctx_add_ta_file ub_ctx_trustedkeys ub_ctx_debugout ub_ctx_debuglevel ub_ctx_async ub_poll ub_wait ub_fd ub_process ub_resolve ub_resolve_async ub_cancel ub_resolve_free ub_strerror ub_ctx_print_local_zones ub_ctx_zone_add ub_ctx_zone_remove ub_ctx_data_add ub_ctx_data_remove;
+do
+ echo ".so man3/libunbound.3" > %{buildroot}%{_mandir}/man3/${mpage}.3 ;
+done
+
+mkdir -p %{buildroot}%{piddir}/%{name}
+
+# Install directories for easier config file drop in
+
+mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d}
+install -m 0640 -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
+install -m 0640 -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
+install -m 0640 -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
+
+# Link unbound-control-setup.8 manpage to unbound-control.8
+echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
+
+###### split out library things.
+
+rm -rf %{buildroot}%{_mandir}/man3
+rm -rf %{buildroot}%{_includedir}/
+rm -rf %{buildroot}%{_libdir}/libunbound*.so*
+
+%else
+rm -rf %{buildroot}%{_sysconfdir}/
+rm -rf %{buildroot}%{_bindir}/
+rm -rf %{buildroot}%{_sbindir}/
+rm -rf %{buildroot}%{_libdir}/libunbound.la
+rm -rf %{buildroot}%{_mandir}/man1
+rm -rf %{buildroot}%{_mandir}/man5
+rm -rf %{buildroot}%{_mandir}/man8
+
+%endif
+
+%check
+# it currently fails in the ldns unit test.
which is weird as both come from the same project +make check ||: + +%if %name == "unbound" +%pre anchor +/usr/sbin/groupadd -r unbound >/dev/null 2>&1 || : +/usr/sbin/useradd -g unbound -s /bin/false -r -c "unbound caching dns server" -d /var/lib/unbound unbound >/dev/null 2>&1 || : + +%pre +%if %{with systemd} +%service_add_pre unbound-keygen.service unbound.service +%endif + +%post +%fillup_only %{name} +%if %{with systemd} +systemd-tmpfiles --create %{_tmpfilesdir}/unbound.conf || : +%service_add_post unbound-keygen.service unbound.service +%endif + +%preun +%if %{with systemd} +%service_del_preun unbound-keygen.service unbound.service +%else +%stop_on_removal %{name} +%endif + +%postun +%if %{with systemd} +%service_del_postun unbound-keygen.service unbound.service +%else +%restart_on_update %{name} +%{insserv_cleanup} +%endif + +%else + +%post -n %{libname} -p /sbin/ldconfig +%postun -n %{libname} -p /sbin/ldconfig + +%endif + +%if %name == "unbound" +%files +%defattr(-,root,root,-) +%doc doc/README doc/CREDITS doc/LICENSE doc/FEATURES +%attr(0755,unbound,unbound) %ghost %dir %{piddir}/%{name} +%attr(0640,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf +%dir %attr(-,root,unbound) %{_sysconfdir}/%{name}/keys.d +%attr(0660,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d/*.key +%dir %attr(-,root,unbound) %{_sysconfdir}/%{name}/conf.d +%attr(0660,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/conf.d/*.conf +%dir %attr(-,root,unbound) %{_sysconfdir}/%{name}/local.d +%attr(0660,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/local.d/*.conf +%{_sbindir}/unbound +%{_sbindir}/unbound-checkconf +%{_sbindir}/unbound-host +%{_sbindir}/unbound-control +%{_sbindir}/unbound-control-setup +%{_sbindir}/unbound-streamtcp +%{_mandir}/man1/unbound-host.1* +%{_mandir}/man5/unbound.conf.5* +%{_mandir}/man8/unbound.8* +%{_mandir}/man8/unbound-checkconf.8* +%{_mandir}/man8/unbound-control-setup.8* 
+%{_mandir}/man8/unbound-control.8*
+%{_mandir}/man1/unbound-streamtcp.1*
+/var/adm/fillup-templates/sysconfig.%{name}
+%if %{with systemd}
+%{_tmpfilesdir}/unbound.conf
+%{_unitdir}/unbound-keygen.service
+%{_unitdir}/unbound.service
+%endif
+%{_sbindir}/rcunbound
+%{_sbindir}/rcunbound-keygen
+%dir %{fwdir}
+%config %{fwdir}/%{name}
+
+%if %{with python}
+%files python
+%defattr(-,root,root,-)
+%{python_sitearch}/*
+%doc libunbound/python/examples/*
+%doc pythonmod/examples/*
+%endif
+
+%if %{with munin}
+%files munin
+%defattr(-,root,root,-)
+%dir %{_sysconfdir}/munin/
+%dir %{_sysconfdir}/munin/plugin-conf.d/
+%config(noreplace) %{_sysconfdir}/munin/plugin-conf.d/unbound
+%dir %{_datadir}/munin/
+%dir %{_datadir}/munin/plugins/
+ %{_datadir}/munin/plugins/unbound*
+%doc unbound-munin.README
+%endif
+
+%files anchor
+%defattr(-,root,root,-)
+%dir %{_sysconfdir}/%{name}/
+%{_sbindir}/unbound-anchor
+%config %{_sysconfdir}/%{name}/icannbundle.pem
+%config %{_sysconfdir}/cron.d/unbound-anchor
+%dir %attr(-,unbound,unbound) %{_sharedstatedir}/%{name}
+%attr(0640,unbound,unbound) %config(noreplace) %{_sharedstatedir}/%{name}/root.key
+%attr(0640,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
+# just left for backwards compat with user changed unbound.conf files - format is different!
+%attr(0640,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/root.key
+%{_mandir}/man8/unbound-anchor.8*
+%doc doc/README doc/LICENSE
+
+%else
+
+%files -n %{libname}
+%defattr(-,root,root,-)
+%{_libdir}/libunbound.so.*
+
+%files devel
+%defattr(-,root,root,-)
+%{_includedir}/unbound.h
+%{_includedir}/unbound-event.h
+%{_libdir}/libunbound.so
+%{_mandir}/man3/libunbound.3*
+%{_mandir}/man3/ub_*.3*
+
+%endif
+
+%changelog
diff --git a/unbound.changes b/unbound.changes
index 1587cc3..336000c 100644
--- a/unbound.changes
+++ b/unbound.changes
@@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Thu Feb 4 13:01:35 UTC 2016 - meissner@suse.com + +- split off a libunbound package with less buildrequires to + allow shorter buildcycles when built by gnutls. bsc#964346 + ------------------------------------------------------------------- Thu Dec 10 11:48:46 UTC 2015 - michael@stroeder.com diff --git a/unbound.spec b/unbound.spec index d7455c6..8cdd3f8 100644 --- a/unbound.spec +++ b/unbound.spec @@ -1,7 +1,7 @@ # # spec file for package unbound # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -63,15 +63,16 @@ BuildRequires: ldns-devel >= %{ldns_version} BuildRequires: libevent-devel BuildRequires: libexpat-devel BuildRequires: openssl-devel +%if %name == "unbound" BuildRequires: python-devel -%if %{with dnstap} -BuildRequires: protobuf-c >= 1.0.0 -BuildRequires: libprotobuf-c-devel >= 1.0.0 -BuildRequires: libfstrm-devel -%endif %if %{with python} BuildRequires: swig %endif +%if %{with dnstap} +BuildRequires: libfstrm-devel +BuildRequires: libprotobuf-c-devel >= 1.0.0 +BuildRequires: protobuf-c >= 1.0.0 +%endif PreReq: pwdutils Requires: ldns >= %{ldns_version} # until we figured something else out for the unbound-anchor part in the systemd unit file @@ -80,6 +81,7 @@ Requires: sudo BuildRequires: systemd-devel %{?systemd_requires} %endif +%endif # Url: http://www.unbound.net/ Source: http://www.unbound.net/downloads/unbound-%{version}.tar.gz @@ -118,6 +120,7 @@ DNSSEC (secure DNS) validation and stub-resolvers (that do not run as a server, but are linked into an application) are easily possible. %define libname libunbound2 +%if %name == "libunbound" %package -n %{libname} Requires: %{name}-anchor >= %{version} # 
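Review bot: In the hunk at `@@ -118,6 +120,7 @@`, the `%package -n %{libname}` stanza is now built only when `%name == "libunbound"`, but its context line `Requires: %{name}-anchor >= %{version}` still expands `%{name}`, which in that flavor presumably yields `libunbound-anchor`. The anchor subpackage, which ships the root trust anchor, is declared only in the `%else` (unbound) branch of the following hunks, so it is published as `unbound-anchor` and the library would carry a dependency that nothing provides. Spell the name out instead: `Requires: unbound-anchor >= %{version}`. The stanza continues past the end of this hunk, so any further `%{name}` uses in it are not visible here.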
@@ -129,6 +132,21 @@ Unbound is a validating, recursive, and caching DNS(SEC) resolver. This package holds the shared library from unbound. +%package devel +Requires: %{libname} = %{version} +Requires: ldns-devel >= %{ldns_version} +Requires: openssl-devel +# +Summary: Development files for libunbound +Group: Development/Libraries/C and C++ + +%description devel +Unbound is a validating, recursive, and caching DNS(SEC) resolver. + +This package holds the development files to work with libunbound. + +%else + %if %{with_munin} %package munin Summary: Plugin for the munin / munin-node monitoring package @@ -144,19 +162,6 @@ Unbound is a validating, recursive, and caching DNS(SEC) resolver. This package holds the plugin for the munin / munin-node monitoring package %endif -%package devel -Requires: %{libname} = %{version} -Requires: ldns-devel >= %{ldns_version} -Requires: openssl-devel -# -Summary: Development files for libunbound -Group: Development/Libraries/C and C++ - -%description devel -Unbound is a validating, recursive, and caching DNS(SEC) resolver. - -This package holds the development files to work with libunbound. - %package anchor # Requires: cron @@ -180,8 +185,10 @@ Unbound is a validating, recursive, and caching DNS(SEC) resolver. This package holds the Python modules and extensions for unbound. %endif +%endif + %prep -%setup +%setup -n unbound-%version %build export CFLAGS="%{optflags}" @@ -198,13 +205,17 @@ export CXXFLAGS="%{optflags}" --enable-event-api \ --enable-pie \ --enable-relro-now \ + --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \ + --with-pidfile=%{piddir}%{name}/%{name}.pid \ +%if %name == "unbound" %if %{with dnstap} --enable-dnstap \ %endif - --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \ - --with-pidfile=%{piddir}%{name}/%{name}.pid \ %if %{with python} --with-pythonmodule --with-pyunbound \ +%endif +%else + --without-pythonmodule --without-pyunbound \ %endif --with-rootkey-file=%{_sharedstatedir}/unbound/root.key 
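Review bot: In the hunk at `@@ -198,13 +205,17 @@`, `--with-conf-file` and `--with-pidfile` are now passed for both flavors and still build their paths from `%{name}`, so the libunbound build gets a `libunbound` config and pid directory compiled in as defaults, while `--with-rootkey-file` on the last line hard-codes `unbound`. If the library consults any of these compiled-in defaults, it will look in a directory that no package in this patch creates or owns, since the config tree is installed under `%{_sysconfdir}/unbound` in the other branch. Use the literal directory in both options: `--with-conf-file=%{_sysconfdir}/unbound/unbound.conf \` and `--with-pidfile=%{piddir}unbound/unbound.pid \`. The `%configure` invocation starts above this hunk.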
@@ -213,6 +224,8 @@ export CXXFLAGS="%{optflags}" %install make install DESTDIR="%{buildroot}" + +%if %name == "unbound" install -d -m 0750 %{buildroot}/var/lib/unbound install -d 0755 %{buildroot}%{_unitdir} install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service @@ -280,13 +293,28 @@ install -m 0640 -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/ # Link unbound-control-setup.8 manpage to unbound-control.8 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8 +###### split out library things. + +rm -rf %{buildroot}%{_mandir}/man3 +rm -rf %{buildroot}%{_includedir}/ +rm -rf %{buildroot}%{_libdir}/libunbound*.so* + +%else +rm -rf %{buildroot}%{_sysconfdir}/ +rm -rf %{buildroot}%{_bindir}/ +rm -rf %{buildroot}%{_sbindir}/ +rm -rf %{buildroot}%{_libdir}/libunbound.la +rm -rf %{buildroot}%{_mandir}/man1 +rm -rf %{buildroot}%{_mandir}/man5 +rm -rf %{buildroot}%{_mandir}/man8 + +%endif + %check # it currently fails in the ldns unit test. which is weird as both come from the same project make check ||: -%clean -%{__rm} -rf %{buildroot} - +%if %name == "unbound" %pre anchor /usr/sbin/groupadd -r unbound >/dev/null 2>&1 || : /usr/sbin/useradd -g unbound -s /bin/false -r -c "unbound caching dns server" -d /var/lib/unbound unbound >/dev/null 2>&1 || : @@ -318,9 +346,14 @@ systemd-tmpfiles --create %{_tmpfilesdir}/unbound.conf || : %{insserv_cleanup} %endif +%else + %post -n %{libname} -p /sbin/ldconfig %postun -n %{libname} -p /sbin/ldconfig +%endif + +%if %name == "unbound" %files %defattr(-,root,root,-) %doc doc/README doc/CREDITS doc/LICENSE doc/FEATURES @@ -356,10 +389,6 @@ systemd-tmpfiles --create %{_tmpfilesdir}/unbound.conf || : %dir %{fwdir} %config %{fwdir}/%{name} -%files -n %{libname} -%defattr(-,root,root,-) -%{_libdir}/libunbound.so.* - %if %{with python} %files python %defattr(-,root,root,-) 
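Review bot: The `rm -rf %{buildroot}%{_libdir}/libunbound*.so*` added in the hunk at `@@ -280,13 +293,28 @@` means the unbound flavor no longer ships the library it was just linked against, and nothing visible in this patch ties the daemon package to a matching `%{libname}` build. The automatic soname dependency would presumably be satisfied by any installed libunbound2, so tools that link the library (unbound-anchor, as far as I can tell) could keep running against an older build after an update that fixes a validation bug. Consider an explicit `Requires: %{libname} >= %{version}` in the main package preamble, which is outside this hunk, in line with the `Requires: %{libname} = %{version}` the python and devel subpackages already carry. The same hunk keeps `make check ||:`, which now also hides test failures in the separate library build.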
@@ -380,14 +409,6 @@ systemd-tmpfiles --create %{_tmpfilesdir}/unbound.conf || : %doc unbound-munin.README %endif -%files devel -%defattr(-,root,root,-) -%{_includedir}/unbound.h -%{_includedir}/unbound-event.h -%{_libdir}/libunbound.so -%{_mandir}/man3/libunbound.3* -%{_mandir}/man3/ub_*.3* - %files anchor %defattr(-,root,root,-) %dir %{_sysconfdir}/%{name}/ @@ -402,4 +423,20 @@ systemd-tmpfiles --create %{_tmpfilesdir}/unbound.conf || : %{_mandir}/man8/unbound-anchor.8* %doc doc/README doc/LICENSE +%else + +%files -n %{libname} +%defattr(-,root,root,-) +%{_libdir}/libunbound.so.* + +%files devel +%defattr(-,root,root,-) +%{_includedir}/unbound.h +%{_includedir}/unbound-event.h +%{_libdir}/libunbound.so +%{_mandir}/man3/libunbound.3* +%{_mandir}/man3/ub_*.3* + +%endif + %changelog