On Thu Jan 24, 2019 at 05:29:34PM +0300, Pavel Korovin wrote: > Dear all, > Please find updated diff for the latest opendnssec attached. > Thanks to Rafael Sadowski for noticing the previous diff problem. > OK to commit?
Portwise OK with me but I didn't run a runtime test. > > -- > With best regards, > Pavel Korovin > Index: Makefile > =================================================================== > RCS file: /cvs/ports/security/opendnssec/Makefile,v > retrieving revision 1.15 > diff -u -p -r1.15 Makefile > --- Makefile 4 Sep 2018 12:46:21 -0000 1.15 > +++ Makefile 24 Jan 2019 14:17:19 -0000 > @@ -2,27 +2,29 @@ > > COMMENT= open-source turn-key solution for DNSSEC > > -DISTNAME= opendnssec-1.4.14 > -REVISION= 1 > +DISTNAME= opendnssec-2.1.3 > > CATEGORIES= security > > -HOMEPAGE= http://www.opendnssec.org/ > +HOMEPAGE= https://www.opendnssec.org/ > > -MAINTAINER= Patrik Lundin <pat...@sigterm.se> > +MAINTAINER= Pavel Korovin <p...@openbsd.org> > > # BSD > PERMIT_PACKAGE_CDROM= Yes > > WANTLIB += c crypto iconv ldns lzma m pthread xml2 z > > -MASTER_SITES= http://dist.opendnssec.org/source/ > +MASTER_SITES= https://dist.opendnssec.org/source/ > + > +BUILD_DEPENDS= devel/cunit > > LIB_DEPENDS= converters/libiconv \ > net/ldns/libldns \ > textproc/libxml > > -TEST_DEPENDS= security/softhsm > +TEST_DEPENDS= ${BUILD_DEPENDS} \ > + security/softhsm2 > > FAKE_FLAGS= sysconfdir=${PREFIX}/share/examples/opendnssec 
> > @@ -47,11 +49,52 @@ LIB_DEPENDS+= databases/mariadb > ERRORS+= "Fatal: mutually exclusive flavors: ${FLAVORS}" > .endif > > +SUBST_TARGETS= ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/README.md \ > + ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/convert_{mysql,sqlite} \ > + ${WRKSRC}/enforcer/utils/convert_{mysql_to_sqlite,sqlite_to_mysql} \ > + ${WRKSRC}/contrib/ods-sequencer/ods-sequencer-submit.sh \ > + ${WRKSRC}/MIGRATION > + > +post-patch: > + ${SUBST_CMD} ${SUBST_TARGETS} > + > +# regress-db target doesn't currently work > +# > https://github.com/opendnssec/opendnssec/commit/6b1b0da4a7ba5ae658aca49a45a45be4867f6806 > +pre-test: > + sed -i 's/^check: regress-db/\#check: regress-db/' \ > + ${WRKSRC}/enforcer/src/db/test/Makefile > + > post-install: > - ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/opendnssec > - cd ${WRKSRC}; \ > - ${INSTALL_DATA} LICENSE ${PREFIX}/share/doc/opendnssec; \ > - ${INSTALL_DATA} plugins/simple-dnskey-mailer/simple-dnskey-mailer.sh \ > - ${PREFIX}/share/opendnssec > + sed -i 's,#!/bin/bash,#!/bin/sh,' \ > + ${WRKSRC}/contrib/ods-sequencer/ods-sequencer-submit.sh \ > + ${WRKSRC}/contrib/simple-dnskey-mailer/simple-dnskey-mailer.sh > + @find ${WRKSRC} -type f \ > + \( -name '*.beforesubst' -o -name '*.orig' \) -delete > + ${INSTALL_SCRIPT} ${WRKSRC}/enforcer/utils/convert_mysql_to_sqlite \ > + ${PREFIX}/sbin/ods-convert_mysql_to_sqlite > + ${INSTALL_SCRIPT} ${WRKSRC}/enforcer/utils/convert_sqlite_to_mysql \ > + ${PREFIX}/sbin/ods-convert_sqlite_to_mysql > + ${INSTALL_SCRIPT} > ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/convert_mysql \ > + ${PREFIX}/sbin/ods-migrate-mysql > + ${INSTALL_SCRIPT} > ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/convert_sqlite \ > + ${PREFIX}/sbin/ods-migrate-sqlite3 > + ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/opendnssec/ > + ${INSTALL_DATA} ${WRKSRC}/{LICENSE,MIGRATION,NEWS} \ > + ${PREFIX}/share/doc/opendnssec/ > + ${INSTALL_DATA} ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/README.md \ > + 
${PREFIX}/share/doc/opendnssec/MIGRATE_1.4-2.0.md > + ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/opendnssec/ods-sequencer/ > + ${INSTALL_DATA} ${WRKSRC}/contrib/ods-sequencer/* \ > + ${PREFIX}/share/examples/opendnssec/ods-sequencer/ > + ${INSTALL_DATA} > ${WRKSRC}/contrib/simple-dnskey-mailer/simple-dnskey-mailer.sh \ > + ${PREFIX}/share/examples/opendnssec/ > + ${INSTALL_DATA_DIR} ${PREFIX}/share/opendnssec/migration/ > + ${INSTALL_DATA} ${WRKSRC}/enforcer/src/db/schema.* > ${PREFIX}/share/opendnssec/ > + ${INSTALL_DATA} > ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/find_problematic_zones.sql \ > + ${PREFIX}/share/opendnssec/migration/ > + ${INSTALL_DATA} > ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/sqlite_convert.sql \ > + ${PREFIX}/share/opendnssec/migration/migrate-sqlite.sql > + ${INSTALL_DATA} > ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/mysql_convert.sql \ > + ${PREFIX}/share/opendnssec/migration/migrate-mysql.sql > > .include <bsd.port.mk> > Index: distinfo > =================================================================== > RCS file: /cvs/ports/security/opendnssec/distinfo,v > retrieving revision 1.6 > diff -u -p -r1.6 distinfo > --- distinfo 10 Jul 2017 18:12:05 -0000 1.6 > +++ distinfo 24 Jan 2019 14:17:19 -0000 > @@ -1,2 +1,2 @@ > -SHA256 (opendnssec-1.4.14.tar.gz) = > 4cQexbxhdiM7LZT09PcD51h7rmdgdkqxvvA88QvR3N8= > -SIZE (opendnssec-1.4.14.tar.gz) = 1037188 > +SHA256 (opendnssec-2.1.3.tar.gz) = > PeKgPtyeK4w2a/CrVBAE+YR3fUgTBXy7p6eARdjL/n4= > +SIZE (opendnssec-2.1.3.tar.gz) = 1107073 > Index: patches/patch-MIGRATION > =================================================================== > RCS file: patches/patch-MIGRATION > diff -N patches/patch-MIGRATION > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ patches/patch-MIGRATION 24 Jan 2019 14:17:19 -0000 
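Review bot: The post-install `sed -i 's,#!/bin/bash,#!/bin/sh,'` on contrib/ods-sequencer/ods-sequencer-submit.sh is redundant: patch-contrib_ods-sequencer_ods-sequencer-submit_sh in this same diff already replaces that shebang, so only simple-dnskey-mailer.sh still needs the sed. Separately, post-install unconditionally installs both flavors' migration scripts, `schema.*` and the two `migrate-*.sql` files, while PFRAG.mysql and PFRAG.sqlite3 each list only their own flavor's copies; unless the fake tree is pruned elsewhere, the other flavor's files end up installed but unpackaged. Since the Makefile already branches on the flavor (the `LIB_DEPENDS+= databases/mariadb` conditional visible in the hunk context), guarding the flavor-specific `${INSTALL_SCRIPT}`/`${INSTALL_DATA}` lines with the same `.if`/`.else` would keep the fake tree consistent with the fragments.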
> @@ -0,0 +1,18 @@ > +$OpenBSD$ > + > +Index: MIGRATION > +--- MIGRATION.orig > ++++ MIGRATION > +@@ -17,7 +17,8 @@ full resign of your zone when upgrading, however if yo > + a full resign is needed. > + > + The enforcer does require a full migration, as the internal database has > +-been completely revised. See the documentation in the source tree > +-enforcer/utils/1.4-2.0_db_convert/README.md for a description. > +-Migration scripts are not installed and should be retrieved from the source > +-separately. > ++been completely revised. > ++See the documentation in ${PREFIX}/share/doc/opendnssec/MIGRATE_1.4-2.0.md > ++for a description. > ++ > ++Migration script is installed in ${PREFIX}/sbin/ods-migrate${FLAVOR_EXT} > Index: patches/patch-conf_conf_xml_in > =================================================================== > RCS file: /cvs/ports/security/opendnssec/patches/patch-conf_conf_xml_in,v > retrieving revision 1.2 > diff -u -p -r1.2 patch-conf_conf_xml_in > --- patches/patch-conf_conf_xml_in 19 Nov 2016 12:25:27 -0000 1.2 > +++ patches/patch-conf_conf_xml_in 24 Jan 2019 14:17:19 -0000 > @@ -1,6 +1,8 @@ > $OpenBSD: patch-conf_conf_xml_in,v 1.2 2016/11/19 12:25:27 sthen Exp $ > ---- conf/conf.xml.in.orig Mon Oct 17 14:32:58 2016 > -+++ conf/conf.xml.in Mon Nov 14 18:41:45 2016 > + > +Index: conf/conf.xml.in > +--- conf/conf.xml.in.orig > ++++ conf/conf.xml.in > @@ -31,7 +31,7 @@ > <Logging> > <!-- Command line verbosity will overwrite configure > file --> 
> @@ -10,41 +12,33 @@ $OpenBSD: patch-conf_conf_xml_in,v 1.2 2 > </Logging> > > <PolicyFile>@OPENDNSSEC_CONFIG_DIR@/kasp.xml</PolicyFile> > -@@ -39,19 +39,17 @@ > +@@ -39,10 +39,10 @@ > </Common> > > <Enforcer> > --<!-- > - <Privileges> > -- <User>opendnssec</User> > -- <Group>opendnssec</Group> > +-<?xmlif if condition privdrop="user|group|both"?> <Privileges> > +-<?xmlif fi?><?xmlif if condition privdrop="user|both"?> > <User>@INSTALLATIONUSER@</User> > +-<?xmlif fi?><?xmlif if condition privdrop="group|both"?> > <Group>@INSTALLATIONGROUP@</Group> > +-<?xmlif fi?><?xmlif if condition privdrop="user|group|both"?> > </Privileges><?xmlif fi?> > ++ <Privileges> > + <User>_opendnssec</User> > + <Group>_opendnssec</Group> > - </Privileges> > ----> > - <!-- NOTE: Enforcer worker threads are not used; this option is ignored --> > - <!-- > - <WorkerThreads>4</WorkerThreads> > - --> > ++ </Privileges> > > - <!-- <PidFile>@OPENDNSSEC_ENFORCER_PIDFILE@</PidFile> --> > -- > <Datastore><SQLite>@OPENDNSSEC_STATE_DIR@/kasp.db</SQLite></Datastore> > -+ > <Datastore><SQLite>@OPENDNSSEC_STATE_DIR@/db/kasp.db</SQLite></Datastore> > - <Interval>PT3600S</Interval> > + > <Datastore><SQLite>@OPENDNSSEC_STATE_DIR@/kasp.db</SQLite></Datastore> > <!-- <ManualKeyGeneration/> --> > - <!-- <RolloverNotification>P14D</RolloverNotification> --> > -@@ -63,12 +61,10 @@ > +@@ -59,10 +59,10 @@ > </Enforcer> > > <Signer> > --<!-- > - <Privileges> > -- <User>opendnssec</User> > -- <Group>opendnssec</Group> > +-<?xmlif if condition privdrop="user|group|both"?> <Privileges> > +-<?xmlif fi?><?xmlif if condition privdrop="user|both"?> > <User>@INSTALLATIONUSER@</User> > +-<?xmlif fi?><?xmlif if condition privdrop="group|both"?> > <Group>@INSTALLATIONGROUP@</Group> > +-<?xmlif fi?><?xmlif if condition privdrop="user|group|both"?> > </Privileges><?xmlif fi?> > ++ <Privileges> > + <User>_opendnssec</User> > + <Group>_opendnssec</Group> > - </Privileges> > ----> > ++ </Privileges> > > - <!-- 
<PidFile>@OPENDNSSEC_SIGNER_PIDFILE@</PidFile> --> > - <!-- <SocketFile>@OPENDNSSEC_SIGNER_SOCKET@</SocketFile> --> > + > <WorkingDirectory>@OPENDNSSEC_STATE_DIR@/signer</WorkingDirectory> > + <WorkerThreads>4</WorkerThreads> > Index: patches/patch-contrib_ods-sequencer_ods-sequencer-submit_sh > =================================================================== > RCS file: patches/patch-contrib_ods-sequencer_ods-sequencer-submit_sh > diff -N patches/patch-contrib_ods-sequencer_ods-sequencer-submit_sh > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ patches/patch-contrib_ods-sequencer_ods-sequencer-submit_sh 24 Jan > 2019 14:17:19 -0000 > @@ -0,0 +1,15 @@ > +$OpenBSD$ > + > +Index: contrib/ods-sequencer/ods-sequencer-submit.sh > +--- contrib/ods-sequencer/ods-sequencer-submit.sh.orig > ++++ contrib/ods-sequencer/ods-sequencer-submit.sh > +@@ -1,6 +1,6 @@ > +-#!/bin/bash > ++#!/bin/sh > + > +-now=`../../../sbin/ods-enforcer queue 2>&1 | sed -e 's/^It is > now.*(\([0-9][0-9]*\)[^)]*).*$/\1/p' -e 'd'` > +-cat > ../../../var/opendnssec/sequences/$now-dssubmit > ++now=`${PREFIX}/sbin/ods-enforcer queue 2>&1 | sed -e 's/^It is > now.*(\([0-9][0-9]*\)[^)]*).*$/\1/p' -e 'd'` > ++cat > ${LOCALSTATEDIR}/opendnssec/sequences/$now-dssubmit > + > + exit 0 > Index: patches/patch-enforcer_utils_1_4-2_0_db_convert_README_md > =================================================================== > RCS file: patches/patch-enforcer_utils_1_4-2_0_db_convert_README_md > diff -N patches/patch-enforcer_utils_1_4-2_0_db_convert_README_md > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ patches/patch-enforcer_utils_1_4-2_0_db_convert_README_md 24 Jan 2019 > 14:17:19 -0000 
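Review bot: The new `cat > ${LOCALSTATEDIR}/opendnssec/sequences/$now-dssubmit` line writes to `sequences/-dssubmit` whenever the preceding sed finds no match in the `ods-enforcer queue` output (for example when the enforcer is not running), because `$now` is then empty. Add a guard before the redirect, `[ -n "$now" ] || { echo "cannot determine enforcer time" >&2; exit 1; }`, and quote the expansion as `"$now"`. Note also that `${LOCALSTATEDIR}/opendnssec/sequences/` is not among the `@sample` directories created in the PLIST hunk, so the script (shipped only as an example) presumably expects the operator to create it; a sentence about that in the accompanying ods-sequencer.md would help.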
> @@ -0,0 +1,75 @@ > +$OpenBSD$ > + > +Index: enforcer/utils/1.4-2.0_db_convert/README.md > +--- enforcer/utils/1.4-2.0_db_convert/README.md.orig > ++++ enforcer/utils/1.4-2.0_db_convert/README.md > +@@ -16,8 +16,8 @@ General preparation > + ------------------- > + > + * First stop OpenDNSSEC entirely. > +- * You are strongly advised to backup /etc/opendnssec and /var/opendnssec > before > +- continuing. > ++ * You are strongly advised to backup ${SYSCONFDIR}/opendnssec and > ++ ${LOCALSTATEDIR}/opendnssec before continuing. > + * Also prevent any nameserver from receiving updates from OpenDNSSEC until > + you are sure the migration was successful. > + * It is discouraged to perform the migration during a rollover. The > migration > +@@ -31,27 +31,32 @@ Conversion Sqlite > + > + There are 2 relevant files for the conversion: > + > +- * convert_sqlite - A bash conversion script > +- * sqlite_convert.sql - Contains SQL statements, called by convert_sqlite > ++ * ${PREFIX}/sbin/ods-migrate-sqlite3 - Conversion script > ++ * ${PREFIX}/share/opendnssec/migration/migrate-sqlite.sql - > ++ Contains SQL statements, called by ods-migrate-sqlite3 > + > +-call the script like so: `./convert_sqlite -i INPUT -o OUTPUT`. Where INPUT > is > +-the kasp.db file commonly found in _/var/opendnssec/kasp.db_. And OUTPUT is > a > +-non-existing file where the new database should go. On success, replace old > +-database file with the new database file or adjust _conf.xml_ accordingly. > ++Call the script like so: `${PREFIX}/sbin/ods-migrate-sqlite3 -i INPUT -o > OUTPUT`. > ++Where INPUT is the kasp.db file commonly found in > _${LOCALSTATEDIR}/opendnssec/db/kasp.db_. > ++And OUTPUT is a non-existing file where the new database should go, > ++default location for OpenDNSSEC 2.x is > _${LOCALSTATEDIR}/opendnssec/kasp.db_. > ++On success, replace old database file with the new database file or adjust > ++_${SYSCONFDIR}/opendnssec/conf.xml_ accordingly. 
> + > + Conversion MySQL > + ---------------- > + > + There are 2 relevant files for the conversion: > + > +- * convert_mysql - A bash conversion script > +- * mysql_convert.sql - Contains SQL statements, called by convert_mysql > ++ * ${PREFIX}/sbin/ods-migrate-mysql - Conversion script > ++ * ${PREFIX}/share/opendnssec/migration/migrate-mysql.sql - > ++ Contains SQL statements, called by convert_mysql > + > +-call the script like so: `./convert_sqlite -i INPUT -o OUTPUT -h HOST -u > USER > +--p PASSWORD`. Where INPUT is the name of the existing database on HOST. And > ++Call the script like so: > ++`${PREFIX}/sbin/ods-migrate-mysql -i INPUT -o OUTPUT -h HOST -u USER -p > PASSWORD`. > ++Where INPUT is the name of the existing database on HOST. And > + OUTPUT is a non-existing database on the same host where the new database > + should go. On success, replace old database with the new database file or > +-adjust _conf.xml_ accordingly. > ++adjust _${SYSCONFDIR}/opendnssec/conf.xml_ accordingly. > + > + Post Conversion > + --------------- > +@@ -59,11 +64,11 @@ Post Conversion > + ODS 2.0 stores the keytags in the database, 1.4 unfortunately does not. > + Therefore an additional tool is provided which calculates the keytags and > + stores them in the database. Make sure that at this point conf.xml points to > +-the new database. Then run `ods-migrate`. > ++the new database. Then run `${PREFIX}/sbin/ods-migrate`. > + > + Now your new database is ready for use. At this point the signer will > refuse to > +-run because the file `/var/opendnssec/enforcer/zones.xml` does not exist > +-yet. In ODS 1.4 `/etc/opendnssec/zonelist.xml` is always on par with the > ++run because the file `${LOCALSTATEDIR}/opendnssec/enforcer/zones.xml` does > not exist > ++yet. In ODS 1.4 `${SYSCONFDIR}/opendnssec/zonelist.xml` is always on par > with the > + database contents (this is no longer true for 2.0) so it is safe to copy > this > + file over to the missing file. 
> + > Index: patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_mysql > =================================================================== > RCS file: patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_mysql > diff -N patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_mysql > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_mysql 24 Jan > 2019 14:17:19 -0000 
> @@ -0,0 +1,36 @@ > +$OpenBSD$ > + > +Index: enforcer/utils/1.4-2.0_db_convert/convert_mysql > +--- enforcer/utils/1.4-2.0_db_convert/convert_mysql.orig > ++++ enforcer/utils/1.4-2.0_db_convert/convert_mysql > +@@ -1,11 +1,11 @@ > +-#!/bin/bash > ++#!/bin/sh > + set -e > + > + # This scipt converts a ODS 1.4.9 MySQL database to ODS 2.0. It assumes both > + # old and new databases live on the same host and are accessable by the > same > + # user. > + > +-SCHEMA=../../src/db/schema.mysql > ++SCHEMA=${PREFIX}/share/opendnssec/schema.mysql > + > + DB_IN="" > + DB_OUT="" > +@@ -44,7 +44,7 @@ if [ ! $DB_VERSION -eq 4 ]; then > + fi > + > + # Look for zones without an active key. > +-Z=`mysql -u $DB_USR -p$DB_PWD -h $DB_HOST $DB_IN < > find_problematic_zones.sql` > ++Z=`mysql -u $DB_USR -p$DB_PWD -h $DB_HOST $DB_IN < > ${PREFIX}/share/opendnssec/migration/find_problematic_zones.sql` > + if [[ $Z = *[![:space:]]* ]]; then > + echo "Found zones without an active KSK but with a ready KSK waiting > for ds-seen. This can cause problem after the conversion if the DS was > actually already uploaded. You are adviced to submit these DS records and > issue a ds-seen command before continueing. If you know better, disable this > check to continue." > + echo "Zones: $Z" > +@@ -59,6 +59,6 @@ echo "Creating tables in $DB_OUT (as user $DB_USR)" > + mysql -u $DB_USR -p$DB_PWD -h $DB_HOST $DB_OUT < $SCHEMA > + > + echo "Converting database" > +-sed "s/REMOTE/$DB_IN/g" mysql_convert.sql > TMP > ++sed "s/REMOTE/$DB_IN/g" > ${PREFIX}/share/opendnssec/migration/migrate-mysql.sql > TMP > + mysql -u $DB_USR -p$DB_PWD -h $DB_HOST $DB_OUT < TMP > + rm TMP > Index: patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_sqlite > =================================================================== > RCS file: patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_sqlite > diff -N patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_sqlite 
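Review bot: With the script now installed under ${PREFIX}/sbin and run from an arbitrary working directory, the new line `sed "s/REMOTE/$DB_IN/g" ${PREFIX}/share/opendnssec/migration/migrate-mysql.sql > TMP` still writes a fixed-name `TMP` file into the caller's cwd and feeds it back to mysql; in a shared or world-writable cwd that path is predictable and can be clobbered or pre-created by another local user. Replace it with `TMP=$(mktemp) || exit 1` near the top of the script, use `"$TMP"` in the sed redirect and the following mysql invocation, and finish with `rm -f "$TMP"`. The surrounding `mysql -u $DB_USR -p$DB_PWD -h $DB_HOST` calls are unchanged context here, but since the port now ships this as an administrative tool it is worth noting that the password passed on the command line is visible to other local users via ps; a `--defaults-extra-file` or an interactive `-p` prompt would avoid that.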
> --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_sqlite 24 Jan > 2019 14:17:19 -0000 > @@ -0,0 +1,33 @@ > +$OpenBSD$ > + > +Index: enforcer/utils/1.4-2.0_db_convert/convert_sqlite > +--- enforcer/utils/1.4-2.0_db_convert/convert_sqlite.orig > ++++ enforcer/utils/1.4-2.0_db_convert/convert_sqlite > +@@ -1,9 +1,9 @@ > +-#!/bin/bash > ++#!/bin/sh > + set -e > + > + # This scipt converts a ODS 1.4.9 Sqlite database to ODS 2.0. > + > +-SCHEMA=../../src/db/schema.sqlite > ++SCHEMA=${PREFIX}/share/opendnssec/schema.sqlite > + > + DB_IN="" > + DB_OUT="" > +@@ -36,7 +36,7 @@ if [ ! $DB_VERSION -eq 4 ]; then > + fi > + > + # Look for zones without an active key. > +-Z=`sqlite3 $DB_IN < find_problematic_zones.sql` > ++Z=`sqlite3 $DB_IN < > ${PREFIX}/share/opendnssec/migration/find_problematic_zones.sql` > + if [[ $Z = *[![:space:]]* ]]; then > + echo "Found zones without an active KSK but with a ready KSK waiting > for ds-seen. This can cause problem after the conversion if the DS was > actually already uploaded. You are adviced to submit these DS records and > issue a ds-seen command before continueing. If you know better, disable this > check to continue." > + echo "Zones: $Z" > +@@ -46,5 +46,5 @@ fi > + rm -f $DB_OUT > + sqlite3 $DB_OUT < $SCHEMA > + echo "attach '$DB_IN' as REMOTE;" | > +- cat - sqlite_convert.sql | sqlite3 $DB_OUT > ++ cat - ${PREFIX}/share/opendnssec/migration/migrate-sqlite.sql | sqlite3 > $DB_OUT > + > Index: patches/patch-enforcer_utils_convert_mysql_to_sqlite > =================================================================== > RCS file: patches/patch-enforcer_utils_convert_mysql_to_sqlite > diff -N patches/patch-enforcer_utils_convert_mysql_to_sqlite > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ patches/patch-enforcer_utils_convert_mysql_to_sqlite 24 Jan 2019 > 14:17:19 -0000 
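Review bot: The script keeps `if [[ $Z = *[![:space:]]* ]]; then` under the new `#!/bin/sh` shebang, and `[[ ... ]]` with a bracket-expression pattern is a ksh/bash construct rather than POSIX sh; it happens to work because OpenBSD's /bin/sh is ksh, but the shebang now advertises portability the script does not have, and patch-enforcer_utils_1_4-2_0_db_convert_convert_mysql has the identical line. Either keep the dependency explicit with `#!/bin/ksh`, or use the portable form `case $Z in *[![:space:]]*) ... ;; esac`. Also, the `rm -f $DB_OUT` context line silently removes an existing output database although the patched README.md describes OUTPUT as a non-existing file; a one-line check such as `[ -e "$DB_OUT" ] && { echo "$DB_OUT already exists" >&2; exit 1; }` would make the script match its documented contract.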
> @@ -0,0 +1,21 @@ > +$OpenBSD$ > + > +Index: enforcer/utils/convert_mysql_to_sqlite > +--- enforcer/utils/convert_mysql_to_sqlite.orig > ++++ enforcer/utils/convert_mysql_to_sqlite > +@@ -1,11 +1,11 @@ > +-#!/usr/bin/env bash > ++#!/bin/sh > + set -e > + > +-# This scipt converts a MySQL to a SQLite database. It assumes both > +-# old and new databases live on the same host and are accessable by the > same > ++# This script converts a MySQL to a SQLite database. It assumes both > ++# old and new databases live on the same host and are accessible by the > same > + # user. > + > +-SCHEMA=../src/db/schema.sqlite > ++SCHEMA=${PREFIX}/share/opendnssec/schema.sqlite > + > + DB_IN="" > + DB_OUT="" > Index: patches/patch-enforcer_utils_convert_sqlite_to_mysql > =================================================================== > RCS file: patches/patch-enforcer_utils_convert_sqlite_to_mysql > diff -N patches/patch-enforcer_utils_convert_sqlite_to_mysql > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ patches/patch-enforcer_utils_convert_sqlite_to_mysql 24 Jan 2019 > 14:17:19 -0000 
> @@ -0,0 +1,21 @@ > +$OpenBSD$ > + > +Index: enforcer/utils/convert_sqlite_to_mysql > +--- enforcer/utils/convert_sqlite_to_mysql.orig > ++++ enforcer/utils/convert_sqlite_to_mysql > +@@ -1,11 +1,11 @@ > +-#!/usr/bin/env bash > ++#!/bin/sh > + set -e > + > +-# This scipt converts a SQLite3 to a MySQL database. It assumes both > +-# old and new databases live on the same host and are accessable by the > same > ++# This script converts a SQLite3 to a MySQL database. It assumes both > ++# old and new databases live on the same host and are accessible by the > same > + # user. > + > +-SCHEMA=../src/db/schema.mysql > ++SCHEMA=${PREFIX}/share/opendnssec/schema.mysql > + > + DB_IN="" > + DB_OUT="" > Index: pkg/PFRAG.mysql > =================================================================== > RCS file: /cvs/ports/security/opendnssec/pkg/PFRAG.mysql,v > retrieving revision 1.1.1.1 > diff -u -p -r1.1.1.1 PFRAG.mysql > --- pkg/PFRAG.mysql 13 Oct 2015 17:03:55 -0000 1.1.1.1 > +++ pkg/PFRAG.mysql 24 Jan 2019 14:17:19 -0000 > @@ -1,2 +1,5 @@ > @comment $OpenBSD: PFRAG.mysql,v 1.1.1.1 2015/10/13 17:03:55 jca Exp $ > -share/opendnssec/database_create.mysql > +sbin/ods-convert_sqlite_to_mysql > +sbin/ods-migrate-mysql > +share/opendnssec/migration/migrate-mysql.sql > +share/opendnssec/schema.mysql > Index: pkg/PFRAG.sqlite3 > =================================================================== > RCS file: /cvs/ports/security/opendnssec/pkg/PFRAG.sqlite3,v > retrieving revision 1.1.1.1 > diff -u -p -r1.1.1.1 PFRAG.sqlite3 > --- pkg/PFRAG.sqlite3 13 Oct 2015 17:03:55 -0000 1.1.1.1 > +++ pkg/PFRAG.sqlite3 24 Jan 2019 14:17:19 -0000 
> @@ -1,2 +1,5 @@ > @comment $OpenBSD: PFRAG.sqlite3,v 1.1.1.1 2015/10/13 17:03:55 jca Exp $ > -share/opendnssec/database_create.sqlite3 > +sbin/ods-convert_mysql_to_sqlite > +sbin/ods-migrate-sqlite3 > +share/opendnssec/migration/migrate-sqlite.sql > +share/opendnssec/schema.sqlite > Index: pkg/PLIST > =================================================================== > RCS file: /cvs/ports/security/opendnssec/pkg/PLIST,v > retrieving revision 1.3 > diff -u -p -r1.3 PLIST > --- pkg/PLIST 4 Sep 2018 12:46:21 -0000 1.3 > +++ pkg/PLIST 24 Jan 2019 14:17:19 -0000 
> @@ -1,36 +1,44 @@ > @comment $OpenBSD: PLIST,v 1.3 2018/09/04 12:46:21 espie Exp $ > +@conflict opendnssec-<2.1.3 > +@ask-update opendnssec-<2.1.3 OpenDNSSEC enforcer database migration required > @newgroup _opendnssec:757 > @newuser _opendnssec:757:_opendnssec:daemon:OpenDNSSEC > Account:/nonexistent:/sbin/nologin > -@bin bin/ods-getconf > +@rcscript ${RCDIR}/opendnssec > @bin bin/ods-hsmspeed > @bin bin/ods-hsmutil > bin/ods-kasp2html > @bin bin/ods-kaspcheck > -@bin bin/ods-ksmutil > @man man/man1/ods-hsmspeed.1 > @man man/man1/ods-hsmutil.1 > @man man/man1/ods-kaspcheck.1 > -@man man/man1/ods-ksmutil.1 > +@man man/man5/ods-kasp.5 > @man man/man5/ods-timing.5 > @man man/man7/opendnssec.7 > @man man/man8/ods-control.8 > +@man man/man8/ods-enforcer-db-setup.8 > +@man man/man8/ods-enforcer.8 > @man man/man8/ods-enforcerd.8 > -@man man/man8/ods-getconf.8 > @man man/man8/ods-signer.8 > @man man/man8/ods-signerd.8 > sbin/ods-control > +@bin sbin/ods-enforcer > +@bin sbin/ods-enforcer-db-setup > @bin sbin/ods-enforcerd > +@bin sbin/ods-migrate > @bin sbin/ods-signer > @bin sbin/ods-signerd > +share/doc/opendnssec/ > +share/doc/opendnssec/LICENSE > +share/doc/opendnssec/MIGRATE_1.4-2.0.md > +share/doc/opendnssec/MIGRATION > +share/doc/opendnssec/NEWS > +share/doc/pkg-readmes/${PKGSTEM} > +share/examples/opendnssec/ > @mode 0750 > @group _opendnssec > @sample ${SYSCONFDIR}/opendnssec/ > @mode > @group > -share/doc/opendnssec/ > -share/doc/opendnssec/LICENSE > -share/doc/pkg-readmes/${PKGSTEM} > -share/examples/opendnssec/ > share/examples/opendnssec/addns.xml > @mode 0640 > @group _opendnssec 
> @@ -52,6 +60,11 @@ share/examples/opendnssec/kasp.xml > @mode > @group > share/examples/opendnssec/kasp.xml.sample > +share/examples/opendnssec/ods-sequencer/ > +share/examples/opendnssec/ods-sequencer/ods-sequencer > +share/examples/opendnssec/ods-sequencer/ods-sequencer-submit.sh > +share/examples/opendnssec/ods-sequencer/ods-sequencer.md > +share/examples/opendnssec/simple-dnskey-mailer.sh > share/examples/opendnssec/zonelist.xml > @mode 0640 > @group _opendnssec > @@ -64,27 +77,26 @@ share/opendnssec/addns.rnc > share/opendnssec/addns.rng > share/opendnssec/conf.rnc > share/opendnssec/conf.rng > -%%sqlite3%% > -%%mysql%% > share/opendnssec/enforcerstate.rnc > share/opendnssec/enforcerstate.rng > share/opendnssec/kasp.rnc > share/opendnssec/kasp.rng > share/opendnssec/kasp2html.xsl > +share/opendnssec/migration/ > +share/opendnssec/migration/find_problematic_zones.sql > share/opendnssec/signconf.rnc > share/opendnssec/signconf.rng > -share/opendnssec/simple-dnskey-mailer.sh > share/opendnssec/zonelist.rnc > share/opendnssec/zonelist.rng > -@sample ${LOCALSTATEDIR}/opendnssec/ > +%%sqlite3%% > +%%mysql%% > +@mode 0750 > @owner _opendnssec > @group _opendnssec > -@sample ${LOCALSTATEDIR}/opendnssec/db/ > +@sample ${LOCALSTATEDIR}/opendnssec/ > +@sample ${LOCALSTATEDIR}/opendnssec/enforcer/ > @sample ${LOCALSTATEDIR}/opendnssec/signconf/ > @sample ${LOCALSTATEDIR}/opendnssec/signed/ > -@sample ${LOCALSTATEDIR}/opendnssec/tmp/ > +@sample ${LOCALSTATEDIR}/opendnssec/signer/ > @sample ${LOCALSTATEDIR}/opendnssec/unsigned/ > -@sample ${LOCALSTATEDIR}/opendnssec/softhsm/ > -@owner > -@group > -@rcscript ${RCDIR}/opendnssec > +@sample ${LOCALSTATEDIR}/run/opendnssec/ > Index: pkg/README > =================================================================== > RCS file: /cvs/ports/security/opendnssec/pkg/README,v > retrieving revision 1.3 > diff -u -p -r1.3 README > --- pkg/README 4 Sep 2018 12:46:21 -0000 1.3 > +++ pkg/README 24 Jan 2019 14:17:19 -0000 
> @@ -8,43 +8,172 @@ Getting started > =============== > This is a summary of steps needed to get OpenDNSSEC up and running in a > basic state using SoftHSM as the key backend. Make sure you have > -installed the softhsm package before proceeding. > +installed the softhsm2 package before proceeding. > > Initial setup of SoftHSM > ------------------------ > -Configure SoftHSM to store its token in > -${LOCALSTATEDIR}/opendnssec/softhsm/: > -# vi ${SYSCONFDIR}/softhsm.conf > - > -Initialize the SoftHSM token (here assuming you used slot 0). > -The user PIN code has to match the <PIN> configured in > -${SYSCONFDIR}/opendnssec/conf.xml: > -# softhsm --init-token --slot 0 --label OpenDNSSEC > +If you plan to use SoftHSM, install softhsm2 package: > > -Make sure the token is writeable by the _opendnssec user: > -# chown _opendnssec ${LOCALSTATEDIR}/opendnssec/softhsm/slot0.db > + # pkg_add softhsm2 > + > +Create ${LOCALSTATEDIR}/opendnssec/softhsm/ directory for tokens storage, > +instruct opendnssec to use this location: > + > + # install -d -o _opendnssec -g _opendnssec -m 700 \ > + ${LOCALSTATEDIR}/opendnssec/softhsm/ > + > + # grep tokendir ${SYSCONFDIR}/softhsm2.conf > + directories.tokendir = ${LOCALSTATEDIR}/opendnssec/softhsm/ > + > +Choose preferred storage method, either 'file' or 'sqlite3': > + > + # grep objectstore ${SYSCONFDIR}/softhsm2.conf > + objectstore.backend = db > + > +Initialize the SoftHSM token (here assuming you are using slot 0): > + > + # doas -u _opendnssec softhsm2-util --init-token --slot 0 \ > + --label OpenDNSSEC > + > +User PIN and token label must be reflected in appropriate sections > +of ${SYSCONFDIR}/opendnssec/conf.xml: > + > + # grep PIN ${SYSCONFDIR}/opendnssec/conf.xml > + <PIN>MySecretUserPIN</PIN> > + > + # grep TokenLabel ${SYSCONFDIR}/opendnssec/conf.xml > + <TokenLabel>OpenDNSSEC</TokenLabel> > +Verify token: > + > + # doas -u _opendnssec softhsm2-util --show-slots > + Available slots: > + Slot 1557156002 > + Slot info: > + 
Description: SoftHSM slot ID 0x5cd050a2 > + Manufacturer ID: SoftHSM project > + Hardware version: 2.5 > + Firmware version: 2.5 > + Token present: yes > + Token info: > + Manufacturer ID: SoftHSM project > + Model: SoftHSM v2 > + Hardware version: 2.5 > + Firmware version: 2.5 > + Serial number: e1a305015cd050a2 > + Initialized: yes > + User PIN init.: yes > + Label: OpenDNSSEC > > Bootstrapping OpenDNSSEC > ------------------------ > + > +Check if the configuration is valid: > + > + # doas -u _opendnssec ods-kaspcheck > + INFO: The XML in ${SYSCONFDIR}/opendnssec/conf.xml is valid > + ERROR: SQLite datastore (${LOCALSTATEDIR}/opendnssec/kasp.db) does not > exist > + INFO: The XML in ${SYSCONFDIR}/opendnssec/kasp.xml is valid > + INFO: The XML in ${SYSCONFDIR}/opendnssec/zonelist.xml is valid > + > Create an initial KASP database (if you are running the mysql flavor you > will first need to configure mariadb-server and modify <Datastore> in > ${SYSCONFDIR}/opendnssec/conf.xml): > -# ods-ksmutil setup > > -Start the OpenDNSSEC system: > -# rcctl start opendnssec > + # doas -u _opendnssec ods-enforcer-db-setup > + *WARNING* This will erase all data in the database; are you sure? [y/N] y > + Database setup successfully. 
> + > +Start OpenDNSSEC: > + > + # rcctl start opendnssec > + > +Import policy: > + > + # doas -u _opendnssec ods-enforcer policy import > + Created policy default successfully > + > +Check policy: > + > + # ods-enforcer policy list > + Policy: Description: > + default ECDSAP256SHA256 NSEC3 KSK1Y ZSK90D > > Copy an unsigned zone file into the unsigned/ directory: > -# cp <somewhere>/example.com ${LOCALSTATEDIR}/opendnssec/unsigned/ > > -Add the zone: > -# ods-ksmutil zone add --zone example.com --policy default > + # cp <somewhere>/example.com ${LOCALSTATEDIR}/opendnssec/unsigned/ > + > +Import zones from zonelist.xml: > > -Notify the enforcer of the updated database: > -# ods-control enforcer notify > + # doas -u _opendnssec ods-enforcer zonelist import > + Zone example.com created successfully > > -You now have a signed version of example.com in the signed/ directory: > -# cat ${LOCALSTATEDIR}/opendnssec/signed/example.com > +Or add the zone from the command line: > > -List the keys for the zone: > -# ods-ksmutil key list -v > + # doas -u _opendnssec ods-enforcer zone add --zone example.com > + input is set to ${LOCALSTATEDIR}/opendnssec/unsigned/example.com. > + output is set to ${LOCALSTATEDIR}/opendnssec/signed/example.com. 
> + Zone example.com added successfully > + > +Check the zone: > + > + # doas -u _opendnssec ods-enforcer zone list > + Database set to: ${LOCALSTATEDIR}/opendnssec/kasp.db > + Zones: > + Zone: Policy: Next change: > + example.com default Fri Nov 16 14:50:25 2018 > + > +List the keys: > + > + # ods-enforcer key list > + Keys: > + Zone: Keytype: State: Date of next > transition: > + example.com KSK publish 2018-11-16 14:50:25 > + example.com ZSK ready 2018-11-16 14:50:25 > + > +After the KSK state transitions to "waiting for ds-seen", export the DS > record: > + > + # doas -u _opendnssec ods-enforcer key list > + Keys: > + Zone: > + example.com KSK ready waiting for ds-seen > + example.com ZSK active 2019-02-14 00:50:25 > + > + # doas -u _opendnssec ods-enforcer key export --zone example.com \ > + --keystate ready --keytype KSK --ds > + ;ready KSK DS record (SHA256): > + example.com. 600 IN DS 65331 13 2 <DSKEY> > + > +Before submitting DS record to the parent zone, run: > + > + # doas -u _opendnssec \ > + ods-enforcer key ds-submit --zone example.com --keytag 65331 > + > +Then submit the DS record to the parent zone. > + > +When DS RR appears in the parent zone, activate the KSK: > + > + # ods-enforcer key ds-seen --zone example.com --keytag 65331 > + 1 KSK matches found. > + 1 KSKs changed. > + # ods-enforcer key list -v > + Keys: > + Zone: Keytype: State: Date of next > transition: > + example.com KSK active 2018-11-17 20:07:31 > + example.com ZSK active 2018-11-17 20:07:31 > + > +The signed zone will appear in ${LOCALSTATEDIR}/opendnssec/signed/ directory > +or will be transferred to your authoritative DNS server, depending on the > zone > +output configuration. > + > +Upgrading from version 1.4.x to 2.x > +----------------------------------- > +OpenDNSSEC enforcer database migration is required if you are upgrading from > +1.4.x to 2.x. Read ${PREFIX}/share/doc/opendnssec/MIGRATION > +for more information. 
> + > +Database conversion scripts > +--------------------------- > +Note that OpenDNSSEC database conversion scripts are installed in > +${PREFIX}/sbin and renamed: > + convert_mysql_to_sqlite to ods-convert_mysql_to_sqlite > + convert_sqlite_to_mysql to ods-convert_sqlite_to_mysql > Index: pkg/opendnssec.rc > =================================================================== > RCS file: /cvs/ports/security/opendnssec/pkg/opendnssec.rc,v > retrieving revision 1.2 > diff -u -p -r1.2 opendnssec.rc > --- pkg/opendnssec.rc 11 Jan 2018 19:27:09 -0000 1.2 > +++ pkg/opendnssec.rc 24 Jan 2019 14:17:19 -0000 > @@ -10,6 +10,10 @@ rc_reload=NO > > pexp="${TRUEPREFIX}/sbin/ods-(enforcerd|signerd)" > > +rc_pre() { > + install -d -o _opendnssec /var/run/opendnssec/ > +} > + > rc_start() { > ${rcexec} "${daemon} start" > }
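Review bot: `install -d -o _opendnssec /var/run/opendnssec/` in the new rc_pre creates the run directory with the default mode and group (0755, group of the invoking root process), whereas the PLIST hunk registers `@sample ${LOCALSTATEDIR}/run/opendnssec/` under `@mode 0750`, `@owner _opendnssec`, `@group _opendnssec`. If, as is usual on OpenBSD, /var/run is cleaned at boot, rc_pre is the path that actually applies at runtime, so the directory ends up more permissive than the packaged one. Use `install -d -o _opendnssec -g _opendnssec -m 0750 /var/run/opendnssec/` to match. Writing the path as `${LOCALSTATEDIR}/run/opendnssec/` rather than a literal would also keep the two in sync, assuming that variable is substituted into the rc script the way `${TRUEPREFIX}` already is on the pexp line.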