debian/0000755000000000000000000000000012167243746007202 5ustar debian/dnssec-tools.rollrec0000644000000000000000000000130712167243647013204 0ustar # An example rollrec file follows: # # roll "example.com" # zonename "example.com" # zonefile "/etc/dnssec-tools/zones/db.example.com" # keyrec "/etc/dnssec-tools/keyrec/example.keyrec" # zskphase "2" # kskphase "0" # maxttl "86400" # administrator "bob@bobhost.example.com" # curerrors "0" # display "0" # phasestart "Wed Mar 09 21:49:22 2005" # # roll "example2.com" # zonename "example2.com" # zonefile "/usr/etc/dnssec-tools/zone/db.example2.com" # keyrec "/usr/etc/dnssec-tools/keyrec/example2.keyrec" # kskphase "1" # zskphase "0" # maxttl "100000" # display "1" # loglevel "info" # curerrors "0" # maxerrors "5" # phasestart "Sun Jan 01 16:00:00 2005" # debian/dnssec-tools.logrotate0000644000000000000000000000011012167243647013531 0ustar /var/log/dnssec-tools/*.log { rotate 12 weekly compress missingok } debian/dnssec-tools.conf0000644000000000000000000000273012167243647012470 0ustar # # DNSSEC-Tools Configuration # # # Settings for DNSSEC-Tools administration. # admin-email root@localhost # # Paths to needed programs. These may need adjusting for individual hosts. # keyarch /usr/sbin/keyarch rollchk /usr/sbin/rollchk zonesigner /usr/sbin/zonesigner keygen /usr/sbin/dnssec-keygen rndc /usr/sbin/rndc zonecheck /usr/sbin/named-checkzone zonesign /usr/sbin/dnssec-signzone # # Key-related values. # algorithm rsasha256 ksklength 2048 zsklength 1024 random /dev/urandom # # NSEC3 functionality # usensec3 no nsec3iter 100 nsec3salt random:64 nsec3optout no # # Settings for dnssec-signzone. # endtime +2592000 # RRSIGs good for thirty days. # # Life-times for keys. These defaults indicate how long a key has # between rollovers. The values are measured in seconds. 
# # Sample values: # 3600 hour # 86400 day # 604800 week # 2592000 30-day month # 15768000 half-year # 31536000 year # lifespan-max 94608000 lifespan-min 3600 ksklife 15768000 zsklife 604800 # # Settings for zonesigner. # archivedir /var/lib/dnssec-tools/archive entropy_msg 1 savekeys 1 kskcount 1 zskcount 1 # # Settings for rollerd. # roll_loadzone 1 roll_logfile /var/log/dnssec-tools/rollerd.log roll_loglevel phase roll_phasemsg long roll_sleeptime 3600 zone_errors 5 log_tz gmt # # Settings for trustman # tacontact tasmtpserver localhost taresolvconf localhost tatmpdir /var/run/dnssec-tools/trustman # # GUI-usage flag. # usegui 0 debian/watch0000644000000000000000000000026112167243647010232 0ustar # Compulsory line, this is a version 3 file version=3 # Uncomment to find new files on sourceforge, for devscripts >= 2.9 http://sf.net/dnssec-tools/dnssec-tools-(.*)\.tar\.gz debian/dnssec-tools.postrm0000644000000000000000000000047612167243647013074 0ustar #!/bin/sh # postrm script for dnssec-tools set -e case "$1" in purge) rm -rf /var/log/dnssec-tools ;; remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) ;; *) echo "postrm called with unknown argument \`$1'" >&2 exit 1 ;; esac #DEBHELPER# exit 0 debian/copyright0000644000000000000000000000367012167243647011143 0ustar This package was debianized by Ondřej Surý on Thu, 14 Aug 2008 18:07:30 +0200. It was downloaded from https://sourceforge.net/project/showfiles.php?group_id=121671 Upstream Author: SPARTA, Inc. Copyright: 2004-2008 SPARTA, Inc. All rights reserved. License: Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * Neither the name of SPARTA, Inc nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The Debian packaging is (C) 2008, Ondřej Surý and is licensed under the GPL, see `/usr/share/common-licenses/GPL'. debian/dirs0000644000000000000000000000017512167243647010071 0ustar usr/bin usr/share/man/man5 etc/dnssec-tools var/lib/dnssec-tools/archive var/log/dnssec-tools var/cache/dnssec-tools/donutsd debian/README.Debian0000644000000000000000000000027712167243647011251 0ustar dnssec-tools for Debian ----------------------- Compiled without validator tools and library. It's on the todo list. -- Ondřej Surý Thu, 14 Aug 2008 18:07:30 +0200 debian/dnssec-tools.rollerd.default0000644000000000000000000000040112167243647014622 0ustar # Defaults for dnssec-tools rollerd initscript # sourced by /etc/init.d/rollerd # installed at /etc/default/rollerd by the maintainer scripts # Additional options that are passed to the Daemon. 
#DAEMON_OPTS="-rrfile /etc/dnssec-tools/dnssec-tools.rollrec" debian/dnssec-tools.rollerd.init0000755000000000000000000001112512167243647014151 0ustar #!/bin/sh ### BEGIN INIT INFO # Provides: rollerd # Required-Start: $network $local_fs $remote_fs # Required-Stop: $remote_fs # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: DNSSEC-Tools daemon to manage DNSSEC key rollover # Description: The rollerd daemon manages key rollover for zones. # rollerd handles both KSK and ZSK rollover, though only # one rollover may take place at a time. Initiation of # KSK rollovers takes precedence over the initiation of # ZSK rollovers. The Pre-Publish Method of key rollover # is used for ZSK key rollovers. The Double Signature # Method of key rollover is used for KSK rollovers. # rollerd maintains zone rollover state in files called # rollrec files. The administrator may control rollerd # with the rollctl command. ### END INIT INFO # Author: Ondřej Surý # PATH should only include /usr/* if it runs after the mountnfs.sh script PATH=/sbin:/usr/sbin:/bin:/usr/bin DESC="DNSSEC-Tools rollerd" NAME=rollerd DAEMON=/usr/sbin/rollerd DAEMON_OPTS="" PIDFILE=/var/run/$NAME.pid SCRIPTNAME=/etc/init.d/$NAME # Exit if the package is not installed [ -x $DAEMON ] || exit 0 # Read configuration variable file if it is present [ -r /etc/default/$NAME ] && . /etc/default/$NAME # Load the VERBOSE setting and other rcS variables . /lib/init/vars.sh # Define LSB log_* functions. # Depend on lsb-base (>= 3.0-6) to ensure that this file is present. . 
/lib/lsb/init-functions # # Function that starts the daemon/service # do_start() { # Return # 0 if daemon has been started # 1 if daemon was already running # 2 if daemon could not be started start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ || return 1 start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \ $DAEMON_OPTS \ || return 2 # Add code here, if necessary, that waits for the process to be ready # to handle requests from services started subsequently which depend # on this one. As a last resort, sleep for some time. } # # Function that stops the daemon/service # do_stop() { # Return # 0 if daemon has been stopped # 1 if daemon was already stopped # 2 if daemon could not be stopped # other if a failure occurred start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME RETVAL="$?" [ "$RETVAL" = 2 ] && return 2 # Wait for children to finish too if this is a daemon that forks # and if the daemon is only ever run from this initscript. # If the above conditions are not satisfied then add some other code # that waits for the process to drop all resources that could be # needed by services started subsequently. A last resort is to # sleep for some time. start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON [ "$?" = 2 ] && return 2 # Many daemons don't delete their pidfiles when they exit. rm -f $PIDFILE return "$RETVAL" } # # Function that sends a SIGHUP to the daemon/service # do_reload() { # # If the daemon can reload its configuration without # restarting (for example, when it is sent a SIGHUP), # then implement that here. # start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME return 0 } case "$1" in start) [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC " "$NAME" do_start case "$?" 
in 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; esac ;; stop) [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" do_stop case "$?" in 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; esac ;; status) status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? ;; #reload|force-reload) # # If do_reload() is not implemented then leave this commented out # and leave 'force-reload' as an alias for 'restart'. # #log_daemon_msg "Reloading $DESC" "$NAME" #do_reload #log_end_msg $? #;; restart|force-reload) # # If the "reload" option is implemented then remove the # 'force-reload' alias # log_daemon_msg "Restarting $DESC" "$NAME" do_stop case "$?" in 0|1) do_start case "$?" in 0) log_end_msg 0 ;; 1) log_end_msg 1 ;; # Old process is still running *) log_end_msg 1 ;; # Failed to start esac ;; *) # Failed to stop log_end_msg 1 ;; esac ;; *) #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 exit 3 ;; esac : debian/source/0000755000000000000000000000000012167243647010502 5ustar debian/source/format0000644000000000000000000000001412167243647011710 0ustar 3.0 (quilt) debian/changelog0000644000000000000000000000760612167243647011065 0ustar dnssec-tools (2.0-1) unstable; urgency=low * New upstream version 2.0 * Update patches for 2.0 release -- Ondřej Surý Wed, 10 Jul 2013 13:38:11 +0200 dnssec-tools (1.13-1) unstable; urgency=low * Imported Upstream version 1.13 * Adapt patches for new upstream release -- Ondřej Surý Thu, 28 Jun 2012 12:23:52 +0200 dnssec-tools (1.12.1-1) unstable; urgency=low * Imported Upstream version 1.12.1 * Update patches to 1.12.1 release -- Ondřej Surý Sun, 01 Apr 2012 09:52:55 +0200 dnssec-tools (1.11-1) unstable; urgency=low * Update Vcs-* links * Imported Upstream version 1.11 * Update patches to the new release -- Ondřej Surý Wed, 19 Oct 2011 09:44:33 +0200 dnssec-tools 
(1.9-1) unstable; urgency=low * Imported Upstream version 1.9 * Refreshed patches for new upstream release * Enable BIND9 utilities configure checks * Enable NSEC3 support * Enable IPv6 support * Update configuration file by running dtinitconf (Closes: #610813) * Add libmailtools-perl dependency for rollerd * Create /var/log/dnssec-tools/rollerd.log log file * Remove all log files from /var/log/dnssec-tools/ on purge * Add a logrotate configuration for /var/log/dnssec-tools/*.log (Closes: #590289) * Install rollerd init script and /etc/dnssec-tools/rollerd.conf (Closes: #589335) * Bump standards version to 3.9.2 -- Ondřej Surý Sat, 07 May 2011 20:18:39 +0200 dnssec-tools (1.8-1) unstable; urgency=low * Imported Upstream version 1.8 * Refreshed patches to new upstream version * Move donutsd temporary directory to /var/cache/dnssec-tools/donutsd (Closes: #587031) -- Ondřej Surý Mon, 24 Jan 2011 15:35:55 +0100 dnssec-tools (1.7-3) unstable; urgency=high * Fix checks for System return value (Closes: #610369) -- Ondřej Surý Wed, 19 Jan 2011 11:12:25 +0100 dnssec-tools (1.7-2) unstable; urgency=low * Use parentheses around PERLARGS * Update path in defaults.pm to /usr/sbin (Closes: #590171) * Remove /usr/bin from installation -- Ondřej Surý Wed, 04 Aug 2010 17:35:07 +0200 dnssec-tools (1.7-1) unstable; urgency=low * New Upstream version 1.7 (Closes: #588816) * Acknowledge NMU (Closes: #587611) * Convert to 3.0 (quilt) source package format * Check for errors in every System() call (Closes: #588821) * Add some upstream distribution patches (Closes: #587030) * Update dnssec-tools configuration to 1.7 * Depend only on bind9utils, move bind9 to Recommends (Closes: #588521) * Install scripts to /usr/sbin (Closes: #587614) -- Ondřej Surý Tue, 13 Jul 2010 14:15:06 +0200 dnssec-tools (1.5-1.1) unstable; urgency=low * Non-maintainer upload. 
* debian/rules - set "--localstatedir=/var/lib/dnssec-tools" to fix FHS violation (Closes: #587611, #587616) -- Hideki Yamane Fri, 02 Jul 2010 16:33:24 +0900 dnssec-tools (1.5-1) unstable; urgency=low * New Upstream Version (Closes: #533034) -- Ondřej Surý Thu, 20 Aug 2009 19:11:29 +0200 dnssec-tools (1.4.1-2) unstable; urgency=low * debian/patches/02_honor_zcopts.dpatch - make zonesigner honor zopts after signing zone * debian/patches/03_disable_presigned.dpatch - disable presigned check, zone resigning is valid (option would be better, but we are disabling it for now) * debian/patches/04_serialincr.dpatch - make serial increase work for one-line SOA without parentheses -- Ondřej Surý Mon, 13 Oct 2008 12:43:56 +0200 dnssec-tools (1.4.1-1) unstable; urgency=low * Initial release (Closes: #492895) * Use customized dnssec-tools.conf. * Extra install of dnssec-tools.conf and blinkenlights.conf man pages. -- Ondřej Surý Thu, 14 Aug 2008 19:34:42 +0200 debian/control0000644000000000000000000000214112167243647010603 0ustar Source: dnssec-tools Section: net Priority: extra Maintainer: Ondřej Surý Build-Depends: debhelper (>= 7.0.50~), quilt (>= 0.46-7~), autotools-dev, autoconf, automake, libtool, bind9utils (>= 9.7), hardening-wrapper Build-Depends-Indep: perl (>= 5.8.8-12) Standards-Version: 3.9.2 Homepage: http://www.dnssec-tools.org/ Vcs-Browser: http://git.debian.org/?p=users/ondrej/dnssec-tools.git Vcs-Git: git://git.debian.org/users/ondrej/dnssec-tools.git Package: dnssec-tools Architecture: all Depends: ${perl:Depends}, ${misc:Depends}, libnet-dns-sec-perl, libnet-dns-perl, libtimedate-perl, libmailtools-perl, bind9utils (>= 9.7) Recommends: bind9 Description: DNSSEC tools, applications and wrappers The goal of the DNSSEC-Tools project is to create a set of tools, patches, applications, wrappers, extensions, and plugins that will help ease the deployment of DNSSEC-related technologies. . This package contains tools to maintain DNSSEC enabled zone files, i.e. 
generate DNSSEC keys, sign zone files and publish them to DNS. debian/docs0000644000000000000000000000001412167243647010050 0ustar NEWS README debian/rules0000755000000000000000000000362312167243647010266 0ustar #!/usr/bin/make -f # Uncomment this to turn on verbose mode. #export DH_VERBOSE=1 export DEB_BUILD_HARDENING=1 CFLAGS=-Wall -Wextra -g $(if $(findstring noopt,$(DEB_BUILD_OPTIONS)),-O0,-O2) CPPFLAGS=-D_XOPEN_SOURCE=600 PERLINSTALLVENDOR=INSTALLDIRS=vendor INSTALLVENDORSCRIPT=/usr/sbin INSTALLVENDORBIN=/usr/sbin INSTALLVENDORARCH=/usr/share/perl5/ VENDORARCHEXP=/usr/share/perl5/ VENDORPREFIX=/usr srcpkg = $(shell dpkg-parsechangelog | sed -ne 's/Source: *//p') srcver = $(shell dpkg-parsechangelog | sed -ne 's/Version: *\(.*\)-.*/\1/p') #{{{ generic rules ../$(srcpkg)_$(srcver).orig.tar.gz: @! git rev-parse --git-dir >/dev/null 2>&1 || pristine-tar checkout $@ check-tarball: ../$(srcpkg)_$(srcver).orig.tar.gz .PHONY: check-tarball #}}} %: dh --with quilt $@ override_dh_auto_configure: autoreconf -fi CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" dh_auto_configure -- \ --without-validator \ --with-ipv6 \ --with-nsec3 \ --enable-bind-checks \ --sysconfdir=/etc \ --with-perl-build-args="$(PERLINSTALLVENDOR)" \ --localstatedir=/var override_dh_auto_install: dh_auto_install rmdir $(CURDIR)/debian/dnssec-tools/usr/lib \ $(CURDIR)/debian/dnssec-tools/usr/bin \ $(CURDIR)/debian/dnssec-tools/usr/include install -m 640 $(CURDIR)/tools/etc/dnssec-tools/blinkenlights.conf $(CURDIR)/debian/dnssec-tools/etc/dnssec-tools/ install -m 640 $(CURDIR)/debian/dnssec-tools.conf $(CURDIR)/debian/dnssec-tools/etc/dnssec-tools/ install -m 640 $(CURDIR)/debian/dnssec-tools.rollrec $(CURDIR)/debian/dnssec-tools/etc/dnssec-tools/ pod2man --section 5 $(CURDIR)/tools/etc/dnssec-tools/blinkenlights.conf.pod > $(CURDIR)/debian/dnssec-tools/usr/share/man/man5/blinkenlights.conf.5 pod2man --section 5 $(CURDIR)/tools/etc/dnssec-tools/dnssec-tools.conf.pod > 
$(CURDIR)/debian/dnssec-tools/usr/share/man/man5/dnssec-tools.conf.5 override_dh_installinit: dh_installinit --name=rollerd debian/dnssec-tools.postinst0000644000000000000000000000054112167243647013424 0ustar #!/bin/sh # postinst script for dnssec-tools set -e case "$1" in configure) mkdir -p /var/log/dnssec-tools touch /var/log/dnssec-tools/rollerd.log ;; abort-upgrade|abort-remove|abort-deconfigure) ;; *) echo "postinst called with unknown argument \`$1'" >&2 exit 1 ;; esac #DEBHELPER# exit 0 debian/patches/0000755000000000000000000000000012167243647010631 5ustar debian/patches/dnssec-tools-maketestzone-bb.patch0000644000000000000000000000101012167243647017347 0ustar --- dnssec-tools.orig/tools/maketestzone/maketestzone +++ dnssec-tools/tools/maketestzone/maketestzone @@ -14,6 +14,10 @@ use Net::DNS::SEC::Tools::QWPrimitives; # Net::DNS::RR::DS that gets triggered if you don't have it. use Digest::BubbleBabble; +# this is actually not used directly, but there is an autoload bug in +# Net::DNS::RR::DS that gets triggered if you don't have it. +use Digest::BubbleBabble; + ###################################################################### # detect needed perl modules # debian/patches/dnssec-tools-donuts-rules-paths.patch0000644000000000000000000000141212167243647020044 0ustar --- dnssec-tools.orig/tools/donuts/donuts +++ dnssec-tools/tools/donuts/donuts @@ -42,7 +42,7 @@ my %opts = (l => 5, c => $ENV{'HOME'} . "/.donuts.conf", T => 'port 53 || ip[6:2] & 0x1fff != 0', o => '%d.%t.pcap', - r => "/usr/local/share/dnssec-tools/donuts/rules/*.txt," . + r => "/usr/share/dnssec-tools/donuts/rules/*.txt," . $ENV{'HOME'} . "/.dnssec-tools/donuts/rules/*.txt"); my $TCPDUMP = "tcpdump"; --- dnssec-tools.orig/tools/donuts/Makefile.PL +++ dnssec-tools/tools/donuts/Makefile.PL 
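Review bot: The three added lines in the maketestzone hunk repeat the comment and the `use Digest::BubbleBabble;` that the hunk's own context shows immediately above them, so the patched file loads the module twice and carries the explanation twice. A second `use` of an already-loaded module does nothing in Perl, which means the patch no longer changes behaviour. If upstream already ships the line, as the context suggests, drop this entry from `debian/patches/series` rather than refreshing it each release.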
@@ -20,7 +20,7 @@ WriteMakefile(%opts); sub MY::postamble { return ' -RULESDIR=$(DESTDIR)/$(PREFIX)/share/dnssec-tools/donuts/rules +RULESDIR=$(DESTDIR)/usr/share/dnssec-tools/donuts/rules INSTALL=$(PERL) "-MExtUtils::Command" -e cp debian/patches/dnssec-tools-validator-destdir-fixes.patch0000644000000000000000000000105412167243647021022 0ustar Index: validator/Makefile.in =================================================================== --- a/validator/Makefile.in (revision 3384) +++ b/validator/Makefile.in (working copy) @@ -43,7 +43,7 @@ @for i in $(INSTALLDIRS) ; do \ if test ! -d $$i ; then \ echo "creating directory $$i/" ; \ - $(MKPATH) $$i ; \ + $(MKPATH) $(DESTDIR)$$i ; \ fi \ done # @@ -67,7 +67,7 @@ done localinstall: - $(INSTALL) libval-config $(bindir) + $(INSTALL) libval-config $(DESTDIR)$(bindir) subdirclean: @for i in $(SUBDIRS) ; do \ debian/patches/588821_check_for_errors.patch0000644000000000000000000001146612167243647016040 0ustar --- dnssec-tools.orig/tools/scripts/zonesigner +++ dnssec-tools/tools/scripts/zonesigner @@ -1983,6 +1983,7 @@ sub ssetkeytype my $keys; # Keys we're modifying. my @keylist; # Keys inna list. + my @args; # # Change the type of the given signing set to the specified type. @@ -2018,6 +2019,11 @@ sub ssetkeytype vmed_print("setting revoke bit($cwd): $cmd\n"); System($cmd); + if ($? != 0) + { + print STDERR "'$cmd' returned $?\n" if($verbose); + exit($?); + } # # Record the time when key is revoked. @@ -2049,7 +2055,13 @@ sub ssetkeytype if(! -e $archdir) { vmed_print("creating key archive directory $archdir\n\n"); - System("$MKDIR -p -m 0700 $archdir"); + @args = ($MKDIR, "-p", "-m 0700", $archdir); + System(@args); + if ($? != 0) + { + print STDERR "'@args' returned $?\n" if($verbose); + exit($?); + } } else { 
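Review bot: In the first validator/Makefile.in hunk the existence test still checks `$$i`, while the new `$(MKPATH)` creates `$(DESTDIR)$$i`, so the test and the creation look at different paths. When the directory already exists on the build host, the staged directory is never created; the test should read `if test ! -d $(DESTDIR)$$i ; then`. The `echo "creating directory $$i/"` line should print the prefixed path as well. The loop's enclosing target starts outside the hunk, and this patch is not listed in the `debian/patches/series` file shown on the page, so it may not be applied at all.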
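Review bot: `exit($?)` in the new error branch of ssetkeytype (hunk at -2018) passes the raw wait status to `exit`, and the process exit status keeps only the low 8 bits. Assuming System() leaves the usual `system` status in `$?`, a child that exited with code 1 gives `$?` == 256 and zonesigner then exits 0, so rollerd or a calling script would treat a failed key operation as success. Use `exit(($? >> 8) || 1);` instead. The same line recurs in every later hunk of this patch (ssetkeytype, keydirs, zoneincludes, zonesign). The diagnostic is also printed only `if($verbose)`, so by default the failure is silent; drop that condition.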
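Review bot: In the hunk at -2049, `@args = ($MKDIR, "-p", "-m 0700", $archdir);` puts the mode option and its value in one list element. If System() passes the list to `system` without a shell, mkdir receives the single argument `-m 0700` with an embedded space, which it may reject or misread, whereas the old string form was split by the shell. This directory holds archived keys, so the mode should be passed unambiguously: `@args = ($MKDIR, "-p", "-m", "0700", $archdir);`. How System() treats a list is not visible on this page, so confirm against its definition.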
@@ -2077,7 +2089,13 @@ sub ssetkeytype $newname = "$archdir/$kronos.$archfn"; vhigh_print("moving $key to $newname\n\n"); - System("$MV $archfn $newname"); + @args = ($MV, $archfn, $newname); + System(@args); + if ($? != 0) + { + print STDERR "'@args' returned $?\n" if($verbose); + exit($?); + } if($archfn =~ /\.key$/) { @@ -2162,6 +2180,7 @@ sub revkeys sub keydirs { my $cwd = getcwd(); # Current directory. + my @args; vmed_print("checking key directories\n"); @@ -2184,12 +2203,24 @@ sub keydirs foreach my $ksk (@kskcurlist) { - System("$MV $ksk.* $kskdir"); + @args = ($MV, "$ksk.*", $kskdir); + System(@args); + if ($? != 0) + { + print STDERR "'@args' returned $?\n" if($verbose); + exit($?) + } } foreach my $ksk (@kskpublist) { - System("$MV $ksk.* $kskdir"); + @args = ($MV, "$ksk.*", $kskdir); + System(@args); + if ($? != 0) + { + print STDERR "'@args' returned $?\n" if($verbose); + exit($?) + } } } @@ -2213,17 +2244,35 @@ sub keydirs foreach my $zsk (@zskcurlist) { - System("$MV $zsk.* $zskdir"); + @args = ($MV, "$zsk.*", $zskdir); + System(@args); + if ($? != 0) + { + print STDERR "'@args' returned $?\n" if($verbose); + exit($?) + } } foreach my $zsk (@zskpublist) { - System("$MV $zsk.* $zskdir"); + @args = ($MV, "$zsk.*", $zskdir); + System(@args); + if ($? != 0) + { + print STDERR "'@args' returned $?\n" if($verbose); + exit($?) + } } foreach my $zsk (@zsknewlist) { - System("$MV $zsk.* $zskdir"); + @args = ($MV, "$zsk.*", $zskdir); + System(@args); + if ($? != 0) + { + print STDERR "'@args' returned $?\n" if($verbose); + exit($?) + } } } @@ -2240,6 +2289,7 @@ sub zoneincludes my $file; # Zone's contents. my $flen; # Zone file's length. my $newserial; # Zone's new serial number. + my @args; vhigh_print("\n"); vprint("adding key includes to zone file\n"); 
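Review bot: The five loops in keydirs (hunks at -2184 and -2213) now build `@args = ($MV, "$ksk.*", $kskdir)` or the `$zsk` equivalent, which leaves a shell wildcard inside a list element. If System() runs a list without a shell, the `*` is never expanded, so mv looks for a file literally named `<key>.*` and the key files stay where they were. The old `System("$MV $ksk.* $kskdir")` relied on the shell for the expansion. Expand the pattern in Perl, for example `@args = ($MV, glob("$ksk.*"), $kskdir);`, and treat an empty glob result as an error. keydirs begins and ends outside these hunks, and System() is not shown on this page, so check how it handles list arguments.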
@@ -2345,7 +2395,16 @@ sub zoneincludes # # Copy the zone data to a new file. # - System("$CP $zonefile $zoneftmp") if($zonefile ne $zoneftmp); + if ($zonefile ne $zoneftmp) + { + @args = ($CP, $zonefile, $zoneftmp); + System(@args); + if ($? != 0) + { + print STDERR "'@args' returned $?\n" if($verbose); + exit($?); + } + } open(ZF,"+< $zonefile"); @zonestat = stat($zonefile); } @@ -2356,7 +2415,16 @@ sub zoneincludes # # Copy the zone data to a new file. # - System("$CP $zonefile $zoneftmp") if($zonefile ne $zoneftmp); + @args = ($CP, $zonefile, $zoneftmp); + if($zonefile ne $zoneftmp) + { + System(@args); + if ($? != 0) + { + print STDERR "'@args' returned $?\n" if($verbose); + exit($?); + } + } # # Get the include-keys section. @@ -2391,6 +2459,7 @@ sub zonesign my $status; # Execution return code. my $zscmd; # Zone-signing command line. my $zcq = '-q'; # Quiet option for zone checker. + my @args; # # Get the most recent revoked keys if we're rolling KSKs or if @@ -2459,8 +2528,8 @@ sub zonesign # vprint("checking zone\n"); $zcq = '' if($verbose > $VERBOSE_LOW); - $status = System("$zonecheck $zcopts $zcq $zone $szone"); - if($status != 0) + System("$zonecheck $zcopts $zcq $zone $szone"); + if($? != 0) { print STDERR "problems with zone signing\n"; System("$zonecheck $zcopts $zone $szone"); @@ -2590,10 +2659,22 @@ sub zonesign { my $now = time(); my $newzftmp = "$zoneftmp.$now"; - System("$CP $zoneftmp $newzftmp"); + @args = ($CP, $zoneftmp, $newzftmp); + System(@args); + if ($? != 0) + { + print STDERR "'@args' returned $?\n" if($verbose); + exit($?); + } } - System("$RM $zoneftmp"); + @args = ($RM, $zoneftmp); + System(@args); + if ($? != 0) + { + print STDERR "'@args' returned $?\n" if($verbose); + exit($?); + } } return(0); debian/patches/dnssec-tools-linux-conf-paths-1.2.patch0000644000000000000000000000256712167243647017774 0ustar --- dnssec-tools.orig/tools/etc/dnssec-tools/dnssec-tools.conf +++ dnssec-tools/tools/etc/dnssec-tools/dnssec-tools.conf 
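Review bot: The zone check in zonesign (hunk at -2459) is still one interpolated string, `System("$zonecheck $zcopts $zcq $zone $szone")`, although the rest of this patch moved to argument lists. If System() hands a string to the shell, any shell metacharacter in the zone name or the signed-zone file name is interpreted there. Consider `System($zonecheck, split(' ', "$zcopts $zcq"), $zone, $szone);` and the same form for the diagnostic re-run two lines below. The rest of zonesign lies outside the hunk, so whether `$zone` and `$szone` are validated earlier cannot be seen from here.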
@@ -19,10 +19,10 @@ rollchk /usr/bin/rollchk rollctl /usr/bin/rollctl zonesigner /usr/bin/zonesigner -keygen /usr/local/sbin/dnssec-keygen -rndc /usr/local/sbin/rndc -zonecheck /usr/local/sbin/named-checkzone -zonesign /usr/local/sbin/dnssec-signzone +keygen /usr/sbin/dnssec-keygen +rndc /usr/sbin/rndc +zonecheck /usr/sbin/named-checkzone +zonesign /usr/sbin/dnssec-signzone zonecheck-opts -i local @@ -70,7 +70,7 @@ lifespan-min 3600 # Settings that will be noticed by zonesigner. # # default_keyrec output.krf -archivedir /usr/local/etc/dnssec-tools/KEY-SAFE +archivedir /var/lib/dnssec-tools/archive entropy_msg 1 savekeys 1 kskcount 1 @@ -81,7 +81,7 @@ zskcount 1 # autosign 1 roll_loadzone 1 -roll_logfile /usr/local/etc/dnssec-tools/log-rollerd +roll_logfile /var/log/dnssec-tools/rollerd.log roll_loglevel info roll_phasemsg long roll_sleeptime 60 --- dnssec-tools.orig/tools/modules/defaults.pm +++ dnssec-tools/tools/modules/defaults.pm @@ -28,7 +28,7 @@ our @EXPORT = qw( our $VERSION = "2.0"; our $MODULE_VERSION = "2.0.0"; -my $installdir = getprefixdir() . "/bin"; # DNSSEC-Tools installation directory. +my $installdir = getprefixdir() . "/sbin"; # DNSSEC-Tools installation directory. my %defaults = ( debian/patches/series0000644000000000000000000000042012167243647012042 0ustar dnssec-tools-donuts-rules-paths.patch dnssec-tools-linux-conf-paths-1.2.patch dnssec-tools-maketestzone-bb.patch 588821_check_for_errors.patch 05_poderrors.dpatch 03_disable_presigned.dpatch 04_donutsd_temporary_directory.patch bind9utils-path.patch debian-defaults.patch debian/patches/bind9utils-path.patch0000644000000000000000000000202412167243647014670 0ustar --- dnssec-tools.orig/configure.in +++ dnssec-tools/configure.in 
@@ -24,15 +24,15 @@ AC_PATH_PROG(RM, rm) AC_ARG_ENABLE(bind-checks, [ --disable-bind-checks Disable checks for bind dnssec utilities]) if test "x$enable_bind_checks" != "xno"; then - AC_PATH_PROG(BIND_DNSSEC_KEYGEN, dnssec-keygen) + AC_PATH_PROG(BIND_DNSSEC_KEYGEN, dnssec-keygen, path = '/usr/sbin') if test -z "$BIND_DNSSEC_KEYGEN"; then AC_ERROR([Could not locate dnssec-keygen. Please install BIND utilities.]) fi - AC_PATH_PROG(BIND_DNSSEC_SIGNZONE, dnssec-signzone) + AC_PATH_PROG(BIND_DNSSEC_SIGNZONE, dnssec-signzone, path = '/usr/sbin') if test -z "$BIND_DNSSEC_SIGNZONE"; then AC_ERROR([Could not locate dnssec-signzone. Please install BIND utilities.]) fi - AC_PATH_PROG(BIND_DNSSEC_CHECKZONE, named-checkzone) + AC_PATH_PROG(BIND_DNSSEC_CHECKZONE, named-checkzone, path = '/usr/sbin') if test -z "$BIND_DNSSEC_CHECKZONE"; then AC_ERROR([Could not locate named-checkzone. Please install BIND utilities.]) fi debian/patches/debian-defaults.patch0000644000000000000000000000723412167243647014707 0ustar --- dnssec-tools.orig/tools/modules/defaults.pm +++ dnssec-tools/tools/modules/defaults.pm @@ -33,12 +33,12 @@ my $installdir = getprefixdir() . "/sbin my %defaults = ( 'admin-email' => "root", # Admin's email address. - 'archivedir' => getprefixdir() . "/var/key-archive", - 'algorithm' => "rsasha1", # Encryption algorithm. + 'archivedir' => "/var/lib/dnssec-tools/archive", + 'algorithm' => "rsasha256", # Encryption algorithm. 'autosign' => 1, # Auto-sign zone files flag. 'enddate' => "+2764800", # Zone life, in seconds. 'entropy_msg' => 1, # Display entropy message flag. - 'keygen' => getprefixdir() . "/sbin/dnssec-keygen", + 'keygen' => "/usr/sbin/dnssec-keygen", 'keygen-opts' => "", # Options for key generator. 'kskcount' => 1, # Number of KSK keys. 'ksklength' => 2048, # Length of KSK key. 
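Review bot: The third argument of `AC_PATH_PROG` is the value to assign when the program is not found, and the search path is the fourth, so `AC_PATH_PROG(BIND_DNSSEC_KEYGEN, dnssec-keygen, path = '/usr/sbin')` does not extend the search to /usr/sbin. It instead sets the variable to the literal text `path = '/usr/sbin'` when dnssec-keygen is missing, so the following `test -z` never fires and configure continues with a bogus tool path. Write `AC_PATH_PROG(BIND_DNSSEC_KEYGEN, dnssec-keygen, [], [$PATH:/usr/sbin])`. The same change is needed for `BIND_DNSSEC_SIGNZONE` and `BIND_DNSSEC_CHECKZONE` in this hunk.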
@@ -59,9 +59,9 @@ my %defaults = 'prog-zsk3' => 'default', # Program for ZSK phase 3. 'prog-zsk4' => 'default', # Program for ZSK phase 4. 'random' => "/dev/urandom", # Random no. generator device. - 'rndc' => getprefixdir() . "/sbin/rndc", + 'rndc' => "/usr/sbin/rndc", 'roll_loadzone' => 1, # Zone-reloading flag. - 'roll_logfile' => makelocalstatedir() . "/log.rollerd", + 'roll_logfile' => "/var/log/dnssec-tools/rollerd.log", 'roll_loglevel' => "phase", # Rollerd's logging level. 'roll_phasemsg' => "long", # Rollerd's phase logmsg length. 'roll_sleeptime' => 3600, # Rollerd's sleep time. @@ -70,18 +70,18 @@ my %defaults = 'mailer-server' => "localhost", # Mail server. 'mailer-type' => "smtp", # Mail type. 'tacontact' => "", - 'tatmpdir' => "/tmp/dnssec-tools/trustman", - 'tadnsvalconffile' => getconfdir() . "/dnsval.conf", - 'tanamedconffile' => getconfdir() . "/named/named.conf", + 'tatmpdir' => "/var/run/dnssec-tools/trustman", + 'tadnsvalconffile' => "/etc/dnssec-tools/dnsval.conf", + 'tanamedconffile' => "/etc/bind/named.conf", 'tasleeptime' => 3600, 'tasmtpserver' => "localhost", # Trustman's SMTP server. 'taresolvconf' => "/etc/resolv.conf", # resolv.conf file. 'usegui' => 0, # Use GUI for option entry flag. 'zone_errors' => 5, - 'zonecheck' => getprefixdir() . "/sbin/named-checkzone", + 'zonecheck' => "/usr/sbin/named-checkzone", 'zonecheck-opts' => "-i local", # Options for zone checker. 'zonefile-parser' => "Net::DNS::ZoneFile::Fast", - 'zonesign' => getprefixdir() . "/sbin/dnssec-signzone", + 'zonesign' => "/usr/sbin/dnssec-signzone", 'zonesign-opts' => "", # Options for zone signer. 'zskcount' => 1, # Number of Current ZSK keys. 'zsklength' => 1024, # Length of ZSK key. --- dnssec-tools.orig/tools/modules/rollmgr.pm +++ dnssec-tools/tools/modules/rollmgr.pm 
@@ -468,7 +468,7 @@ my %port_archs = # my $UNIX_ROLLMGR_DIR = makelocalstatedir("run"); -our $UNIX_ROLLMGR_PIDFILE = ($UNIX_ROLLMGR_DIR . "/rollmgr.pid"); +our $UNIX_ROLLMGR_PIDFILE = ($UNIX_ROLLMGR_DIR . "/rollerd.pid"); my $PS = "/bin/ps"; @@ -1591,7 +1591,7 @@ sub rollmgr_channel # # Build the socket name and construct the socket data. # - $unixsock = makelocalstatedir("/dnssec-tools") . $UNIXSOCK; + $unixsock = makelocalstatedir("run/dnssec-tools") . $UNIXSOCK; # print STDERR "rollmgr_channel: unixsock - <$unixsock>\n"; # --- dnssec-tools.orig/tools/modules/rollrec.pm +++ dnssec-tools/tools/modules/rollrec.pm @@ -200,7 +200,7 @@ sub rollrec_lock # # Get the DNSSEC-Tools config directory. # - $lockdir = makelocalstatedir("/dnssec-tools") || $DEFAULT_DNSSECTOOLS_DIR; + $lockdir = makelocalstatedir("run/dnssec-tools") || $DEFAULT_DNSSECTOOLS_DIR; # # Build our lock file. debian/patches/03_disable_presigned.dpatch0000644000000000000000000000072512167243647015767 0ustar --- dnssec-tools.orig/tools/scripts/zonesigner +++ dnssec-tools/tools/scripts/zonesigner @@ -1085,11 +1085,11 @@ sub verify_zonefile # # Ensure that the zone file has not been signed yet. # - if(presigned()) - { - print STDERR "zone file $zonefile already signed\n"; - exit(17); - } + #if(presigned()) + #{ + # print STDERR "zone file $zonefile already signed\n"; + # exit(17); + #} } #---------------------------------------------------------------------- debian/patches/04_donutsd_temporary_directory.patch0000644000000000000000000000044712167243647020030 0ustar --- dnssec-tools.orig/tools/donuts/donutsd +++ dnssec-tools/tools/donuts/donutsd 
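Review bot: The rollmgr_channel hunk (-1591) moves rollerd's control socket into `makelocalstatedir("run/dnssec-tools")`, and the rollrec_lock hunk in rollrec.pm moves the lock file to the same directory. Nothing in the packaging shown on this page creates that directory: `debian/dirs` and the postinst cover only the lib, log and cache paths. The `|| $DEFAULT_DNSSECTOOLS_DIR` fallback applies only if makelocalstatedir() returns a false value, not if the directory is missing. Since /var/run is commonly emptied at boot, the init script's `do_start` should create the directory with root ownership and a restrictive mode before starting the daemon, unless makelocalstatedir() already does so, which is not visible here. The directory's permissions also decide who can reach the socket that rollctl uses to control rollerd.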
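Review bot: The 03_disable_presigned hunk comments out the `presigned()` block in verify_zonefile but keeps the comment `Ensure that the zone file has not been signed yet.` above it, which now describes a check that no longer runs. Replace the dead code with one line that states the intent, for example `# Debian: presigned() check disabled so an already-signed zone can be re-signed.` Because this removes a safety check, note the reason in the patch header too. The changelog on this page already says an option would be the better long-term fix.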
@@ -18,7 +18,7 @@ if (runpacked()) { } my %opts = (z => 60*60*24, - t => '/tmp/donutsd', + t => '/var/cache/dnssec-tools/donutsd', f => $ENV{'USER'} || $ENV{'LOGNAME'}, s => 'localhost'); debian/patches/05_poderrors.dpatch0000644000000000000000000001217012167243647014342 0ustar --- dnssec-tools.orig/tools/maketestzone/maketestzone +++ dnssec-tools/tools/maketestzone/maketestzone @@ -1006,10 +1006,10 @@ maketestzone [OTHER DESIRED OPTIONS] Below are thoe options that are accepted by the B tool. -=over - =head2 Output File Naming: +=over + =item -o STRING =item --output-file-prefix=STRING @@ -1038,8 +1038,12 @@ Run donuts on the results The file suffix to use for donuts output (default = .donuts) +=back + =head2 Output Zone Information: +=over + =item -d STRING =item --domain=STRING @@ -1066,8 +1070,12 @@ A record (IPv4) address to use in data AAAA record (IPv6) address to use in data +=back + =head2 Output Data Type Selection: +=over + =item -p STRING =item --record-prefixes=STRING @@ -1092,8 +1100,12 @@ Don't create CNAME records Don't create sub-zone records +=back + =head2 Task Selection: +=over + =item -g =item --dont-generate-zone @@ -1134,8 +1146,12 @@ Generate a test script for running dig c Verbose output +=back + =head2 Zonesigner Configuration: +=over + =item -a STRING =item --zonesigner-arguments=STRING @@ -1148,14 +1164,22 @@ Arguments to pass to zonesigner Have zonesigner generate needed keys +=back + =head2 Bind Configuration Options +=over + =item --bind-db-dir=STRING The base directory where the bind DB files will be placed +=back + =head2 HTML Output Configuration +=over + =item --html-out-add-links Make each html record name a http link to that address 
@@ -1168,14 +1192,22 @@ Add a link to each of the generated DB f Add a link to each of the generated donuts error list files. +=back + =head2 SH Test Script Configuration Options +=over + =item --sh-test-resolver=STRING The resolver address to force +=back + =head2 Help Options +=over + =item -h Display a help summary (short flags preferred) --- dnssec-tools.orig/tools/convertar/lib/Net/DNS/SEC/Tools/TrustAnchor/Bind.pm +++ dnssec-tools/tools/convertar/lib/Net/DNS/SEC/Tools/TrustAnchor/Bind.pm @@ -101,8 +101,3 @@ sub write_trailer { $fh->printf("};\n"); } } - -=pod - -=cut - --- dnssec-tools.orig/tools/convertar/lib/Net/DNS/SEC/Tools/TrustAnchor/Csv.pm +++ dnssec-tools/tools/convertar/lib/Net/DNS/SEC/Tools/TrustAnchor/Csv.pm @@ -88,8 +88,3 @@ sub write_dnskey { $record->{'content'}); $fh->print($self->get_csv()->string() . "\n"); } - -=pod - -=cut - --- dnssec-tools.orig/tools/convertar/lib/Net/DNS/SEC/Tools/TrustAnchor/Dns.pm +++ dnssec-tools/tools/convertar/lib/Net/DNS/SEC/Tools/TrustAnchor/Dns.pm @@ -68,8 +68,3 @@ sub read_content { return $doc; } - -=pod - -=cut - --- dnssec-tools.orig/tools/convertar/lib/Net/DNS/SEC/Tools/TrustAnchor/Dump.pm +++ dnssec-tools/tools/convertar/lib/Net/DNS/SEC/Tools/TrustAnchor/Dump.pm @@ -30,8 +30,3 @@ sub write { close(O); return 0; } - -=pod - -=cut - --- dnssec-tools.orig/tools/convertar/lib/Net/DNS/SEC/Tools/TrustAnchor/Itar.pm +++ dnssec-tools/tools/convertar/lib/Net/DNS/SEC/Tools/TrustAnchor/Itar.pm @@ -39,8 +39,3 @@ sub write { close(O); return 0; } - -=pod - -=cut - --- dnssec-tools.orig/tools/convertar/lib/Net/DNS/SEC/Tools/TrustAnchor/Libval.pm +++ dnssec-tools/tools/convertar/lib/Net/DNS/SEC/Tools/TrustAnchor/Libval.pm @@ -95,8 +95,3 @@ sub write_trailer { $fh->printf(";\n"); } } - -=pod - -=cut - --- dnssec-tools.orig/tools/convertar/lib/Net/DNS/SEC/Tools/TrustAnchor/Mf.pm +++ dnssec-tools/tools/convertar/lib/Net/DNS/SEC/Tools/TrustAnchor/Mf.pm 
@@ -91,8 +91,3 @@ sub write_dnskey { my $status; $fh->printf("\t%15s DNSKEY $record->{flags} $record->{algorithm} $record->{digesttype} $record->{content}\n", $name); } - -=pod - -=cut - --- dnssec-tools.orig/tools/convertar/lib/Net/DNS/SEC/Tools/TrustAnchor/Secspider.pm +++ dnssec-tools/tools/convertar/lib/Net/DNS/SEC/Tools/TrustAnchor/Secspider.pm @@ -53,8 +53,3 @@ sub write_dnskey { $keytag = " # $record->{keytag}" if (exists($record->{keytag})); $fh->printf("\t%15s $record->{flags} $record->{algorithm} $record->{digesttype} \"$record->{content}\";$keytag\n", $name); } - -=pod - -=cut - --- dnssec-tools.orig/tools/modules/dnssectools.pm +++ dnssec-tools/tools/modules/dnssectools.pm @@ -516,6 +516,8 @@ Return values: It relies on the the following dnssec-tools.conf configuration parameters: +=back + =over 4 =item I --- dnssec-tools.orig/tools/convertar/lib/Net/DNS/SEC/Tools/TrustAnchor.pm +++ dnssec-tools/tools/convertar/lib/Net/DNS/SEC/Tools/TrustAnchor.pm @@ -4,7 +4,7 @@ package Net::DNS::SEC::Tools::TrustAncho =head1 NAME -Net::DNS::SEC::Tools::TrustAnchor +Net::DNS::SEC::Tools::TrustAnchor - base class for TA repositories =head1 SYNOPSIS @@ -29,8 +29,6 @@ Note that: is assumed to have imported some of the API routines mentioned below. -=over 4 - =cut use Exporter; @@ -42,6 +40,8 @@ our @EXPORT = qw(load_module parse_compo =pod +=over 4 + =item $tar = new Net::DNS::SEC::Tools::TrustAnchor(); Initializes a new collection of trust anchors. @@ -219,6 +219,7 @@ Merges the I<@other> array of trust anch trust anchor list. =cut + sub merge { my ($self, @others) = @_; foreach my $other (@others) { debian/gbp.conf0000644000000000000000000000025412167243647010622 0ustar [DEFAULT] debian-branch = debian-sid debian-tag = debian/%(version)s upstream-branch = upstream upstream-tag = upstream/%(version)s pristine-tar = True [git-dch] meta = 1 debian/compat0000644000000000000000000000000212167243647010400 0ustar 7