diff --git a/.dnssec-trigger.metadata b/.dnssec-trigger.metadata new file mode 100644 index 0000000..b9d76c5 --- /dev/null +++ b/.dnssec-trigger.metadata @@ -0,0 +1 @@ +3e67ed39b936ce8297fb3888c09c1dba6e86c2ad SOURCES/dnssec-trigger-0.11.tar.gz diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..4c75b9c --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/dnssec-trigger-0.11.tar.gz diff --git a/SOURCES/01-dnssec-trigger-hook b/SOURCES/01-dnssec-trigger-hook new file mode 100755 index 0000000..858af2e --- /dev/null +++ b/SOURCES/01-dnssec-trigger-hook @@ -0,0 +1,550 @@ +#!/usr/bin/python2 +# -*- coding: utf-8 -*- +""" +@author: Tomas Hozza +""" + +from gi.repository import NMClient +import socket +import struct +import subprocess +import os +import os.path +import syslog +import sys + + +# DO NOT CHANGE THE VALUE HERE, CHANGE IT IN **DNSSEC_CONF** file +DEFAULT_VALIDATE_FORWARD_ZONES = True +DEFAULT_ADD_WIFI_PROVIDED_ZONES = False + +STATE_DIR = "/var/run/dnssec-trigger" +DNSSEC_CONF = "/etc/dnssec.conf" + +UNBOUND = "/usr/sbin/unbound" +UNBOUND_CONTROL = "/usr/sbin/unbound-control" +DNSSEC_TRIGGER = "/usr/sbin/dnssec-triggerd" +DNSSEC_TRIGGER_CONTROL = "/usr/sbin/dnssec-trigger-control" +PIDOF = "/usr/sbin/pidof" + + +class FZonesConfig: + + """ + Class representing dnssec-trigger script forward zones behaviour + configuration. + """ + + def __init__(self): + self.validate_fzones = DEFAULT_VALIDATE_FORWARD_ZONES + self.add_wifi_zones = DEFAULT_ADD_WIFI_PROVIDED_ZONES + + +class ActiveConnection: + + """ + Simple class representing NM Active Connection with information relevant + for this script. + """ + + TYPE_WIFI = "WIFI" + TYPE_VPN = "VPN" + TYPE_OTHER = "OTHER" + + def __init__(self): + self.type = self.TYPE_OTHER + self.is_default = False + self.nameservers = [] + self.domains = [] + self.uuid = "" + pass + + def __str__(self): + string = "UUID: " + self.get_uuid() + "\n" + string += "TYPE: " + str(self.get_type()) + "\n" + string += "DEFAULT: " + str(self.get_is_default()) + "\n" + string += "NS: " + str(self.get_nameservers()) + "\n" + string += "DOMAINS: " + str(self.get_domains()) + return string + + def get_uuid(self): + return self.uuid + + def get_type(self): + return self.type + + def get_is_default(self): + return self.is_default + + def get_nameservers(self): + return self.nameservers + + def get_domains(self): + return self.domains + + def set_uuid(self, uuid=""): + self.uuid = uuid + + def set_type(self, conn_type=TYPE_OTHER): + if conn_type == self.TYPE_VPN: + self.type = self.TYPE_VPN + elif conn_type == self.TYPE_WIFI: + self.type = self.TYPE_WIFI + else: + self.type = self.TYPE_OTHER + + def set_is_default(self, is_default=True): + self.is_default = is_default + + def set_nameservers(self, servers=[]): + self.nameservers = servers + + def set_domains(self, domains=[]): + self.domains = domains + + +def ip4_to_str(ip4): + """ + Converts IPv4 address from integer to string. + """ + return socket.inet_ntop(socket.AF_INET, struct.pack("=I", ip4)) + + +def ip6_to_str(ip6): + """ + Converts IPv6 address from integer to string. + """ + addr_struct = ip6 + return socket.inet_ntop(socket.AF_INET6, addr_struct) + + +def get_fzones_settings_from_conf(conf_file=""): + """ + Reads the forward zones behaviour config from file. + """ + config = FZonesConfig() + + try: + with open(conf_file, "r") as f: + lines = [l.strip() + for l in f.readlines() if l.strip() and not l.strip().startswith("#")] + for line in lines: + option_line = line.split("=") + if option_line: + if option_line[0].strip() == "validate_connection_provided_zones": + if option_line[1].strip() == "yes": + config.validate_fzones = True + else: + config.validate_fzones = False + elif option_line[0].strip() == "add_wifi_provided_zones": + if option_line[1].strip() == "yes": + config.add_wifi_zones = True + else: + config.add_wifi_zones = False + except IOError: + # we don't mind if the config file does not exist + pass + + return config + + +def get_nm_active_connections(): + """ + Process Active Connections from NM and return list of ActiveConnection + objects. Active Connections from NM without nameservers are ignored. + """ + result = [] + client = NMClient.Client() + ac = client.get_active_connections() + + for connection in ac: + new_connection = ActiveConnection() + + # get the UUID + new_connection.set_uuid(connection.get_uuid()) + + # Find out if the ActiveConnection is VPN, WIFI or OTHER + try: + connection.get_vpn_state() + except AttributeError: + # We don't need to change anything + pass + else: + new_connection.set_type(ActiveConnection.TYPE_VPN) + + # if the connection is NOT VPN, then check if it's WIFI + if new_connection.get_type() != ActiveConnection.TYPE_VPN: + try: + device_type = connection.get_devices()[ + 0].get_device_type().value_name + except IndexError: + # if there is no device for a connection, the connection + # is going down so ignore it... + continue + except AttributeError: + # We don't need to change anything + pass + else: + if device_type == "NM_DEVICE_TYPE_WIFI": + new_connection.set_type(ActiveConnection.TYPE_WIFI) + + # Finc out if default connection for IP4 or IP6 + if connection.get_default() or connection.get_default6(): + new_connection.set_is_default(True) + else: + new_connection.set_is_default(False) + + # Get nameservers (IP4 + IP6) + ips = [] + try: + ips4_int = connection.get_ip4_config().get_nameservers() + except AttributeError: + # we don't mind if there are no IP4 nameservers + pass + else: + for ip4 in ips4_int: + ips.append(ip4_to_str(ip4)) + try: + num = connection.get_ip6_config().get_num_nameservers() + for i in range(0,num): + ips.append(ip6_to_str(connection.get_ip6_config().get_nameserver(i))) + except AttributeError: + # we don't mind if there are no IP6 nameservers + pass + new_connection.set_nameservers(ips) + + # Get domains (IP4 + IP6) + domains = [] + try: + domains.extend(connection.get_ip4_config().get_domains()) + except AttributeError: + # we don't mind if there are no IP6 domains + pass + try: + domains.extend(connection.get_ip6_config().get_domains()) + except AttributeError: + # we don't mind if there are no IP6 domains + pass + new_connection.set_domains(domains) + + # If there are no nameservers in the connection, it is useless + if new_connection.get_nameservers(): + result.append(new_connection) + + return result + + +def is_running(binary=""): + """ + Checks if the given binary is running. + """ + if binary: + sp = subprocess.Popen(PIDOF + " " + binary, + stdout=subprocess.PIPE, + stderr=open(os.devnull, "wb"), + shell=True) + sp.wait() + if sp.returncode == 0: + # pidof returns "0" if at least one program with the name runs + return True + return False + + +def dnssec_trigger_set_global_ns(servers=[]): + """ + Configures global nameservers into dnssec-trigger. + """ + if servers: + servers_list = " ".join(servers) + ret = subprocess.call( + DNSSEC_TRIGGER_CONTROL + " submit " + servers_list, + stdout=open(os.devnull, "wb"), + stderr=subprocess.STDOUT, + shell=True) + if ret == 0: + syslog.syslog( + syslog.LOG_INFO, "Global forwarders added: " + servers_list) + else: + syslog.syslog( + syslog.LOG_ERR, "Global forwarders NOT added: " + servers_list) + + +def unbound_add_forward_zone(domain="", servers=[], secure=DEFAULT_VALIDATE_FORWARD_ZONES): + """ + Adds a forward zone into the unbound. + """ + if domain and servers: + servers_list = " ".join(servers) + # build the command + cmd = UNBOUND_CONTROL + " forward_add" + if not secure: + cmd += " +i" + cmd += " " + domain + " " + servers_list + # Add the forward zone + ret = subprocess.call(cmd, + stdout=open(os.devnull, "wb"), + stderr=subprocess.STDOUT, + shell=True) + # Flush cache + subprocess.call(UNBOUND_CONTROL + " flush_zone " + domain, + stdout=open(os.devnull, "wb"), + stderr=subprocess.STDOUT, + shell=True) + subprocess.call(UNBOUND_CONTROL + " flush_requestlist", + stdout=open(os.devnull, "wb"), + stderr=subprocess.STDOUT, + shell=True) + + if secure: + validated = "(DNSSEC validated)" + else: + validated = "(*NOT* DNSSEC validated)" + + if ret == 0: + syslog.syslog( + syslog.LOG_INFO, "Added " + validated + " connection provided forward zone '" + domain + "' with NS: " + servers_list) + else: + syslog.syslog( + syslog.LOG_ERR, "NOT added connection provided forward zone '" + domain + "' with NS: " + servers_list) + + +def unbound_del_forward_zone(domain="", secure=DEFAULT_VALIDATE_FORWARD_ZONES): + """ + Deletes a forward zone from the unbound. + """ + if domain: + cmd = UNBOUND_CONTROL + " forward_remove" + if not secure: + cmd += " +i" + cmd += " " + domain + # Remove the forward zone + ret = subprocess.call(cmd, + stdout=open(os.devnull, "wb"), + stderr=subprocess.STDOUT, + shell=True) + # Flush cache + subprocess.call(UNBOUND_CONTROL + " flush_zone " + domain, + stdout=open(os.devnull, "wb"), + stderr=subprocess.STDOUT, + shell=True) + subprocess.call(UNBOUND_CONTROL + " flush_requestlist", + stdout=open(os.devnull, "wb"), + stderr=subprocess.STDOUT, + shell=True) + if ret == 0: + syslog.syslog( + syslog.LOG_INFO, "Removed connection provided forward zone '" + domain + "'") + else: + syslog.syslog( + syslog.LOG_ERR, "NOT removed connection provided forward zone '" + domain + "'") + + +def unbound_get_forward_zones(): + """ + Returns list of currently configured forward zones from the unbound. + """ + zones = [] + # get all configured forward zones + sp = subprocess.Popen(UNBOUND_CONTROL + " list_forwards", + stdout=subprocess.PIPE, + stderr=open(os.devnull, "wb"), + shell=True) + + sp.wait() + + if sp.returncode == 0: + for line in sp.stdout.readlines(): + zones.append(line.strip().split(" ")[0][:-1]) + + return zones + +############################################################################## + + +def append_fzone_to_file(uuid="", zone=""): + """ + Append forward zones from connection with UUID to the disk file. + """ + if uuid and zone: + with open(os.path.join(STATE_DIR, uuid), "a") as f: + f.write(zone + "\n") + + +def write_fzones_to_file(uuid="", zones=[]): + """ + Write forward zones from connection with UUID to the disk file. + """ + if uuid and zones: + with open(os.path.join(STATE_DIR, uuid), "w") as f: + for zone in zones: + f.write(zone + "\n") + + +def get_fzones_from_file(uuid=""): + """ + Gets all zones from a file with specified UUID name din STATE_DIR + """ + zones = [] + if uuid: + with open(os.path.join(STATE_DIR, uuid), "r") as f: + zones = [line.strip() for line in f.readlines()] + return zones + + +def get_fzones_from_disk(): + """ + Gets all forward zones from the disk STATE_DIR. + Return a dict of "zone" : "connection UUID" + """ + zones = {} + conn_files = os.listdir(STATE_DIR) + for uuid in conn_files: + for zone in get_fzones_from_file(uuid): + zones[zone] = uuid + return zones + + +def del_all_fzones_from_file(uuid="", secure=DEFAULT_VALIDATE_FORWARD_ZONES): + """ + Removes all forward zones contained in file with UUID name in STATE_DIR. + """ + if uuid: + with open(os.path.join(STATE_DIR, uuid), "r") as f: + for line in f.readlines(): + unbound_del_forward_zone(line.strip(), secure) + + +def del_fzones_for_nonexisting_conn(ac=[], secure=DEFAULT_VALIDATE_FORWARD_ZONES): + """ + Removes all forward zones contained in file (in STATE_DIR) for non-existing + active connections. + """ + ac_uuid_list = [conn.get_uuid() for conn in ac] + conn_files = os.listdir(STATE_DIR) + # Remove all non-existing connections zones + for uuid in conn_files: + if uuid not in ac_uuid_list: + # remove all zones from the file + del_all_fzones_from_file(uuid, secure) + # remove the file + os.unlink(os.path.join(STATE_DIR, uuid)) + + +def del_fzone_from_file(uuid="", zone=""): + """ + Deletes a zone from file and writes changes into it. If there are no zones + left, the file is deleted. + """ + if uuid and zone: + zones = get_fzones_from_file(uuid) + zones.remove(zone) + if zones: + write_fzones_to_file(uuid, zones) + else: + os.unlink(os.path.join(STATE_DIR, uuid)) + + +############################################################################## + + +def configure_global_forwarders(active_connections=[]): + """ + Configure global forwarders using dnssec-trigger-control + """ + # get only default connections + default_conns = filter(lambda x: x.get_is_default(), active_connections) + # get forwarders from default connections + default_forwarders = [] + for conn in default_conns: + default_forwarders.extend(conn.get_nameservers()) + + if default_forwarders: + dnssec_trigger_set_global_ns(default_forwarders) + +############################################################################## + + +def configure_forward_zones(active_connections=[], fzones_config=None): + """ + Configures forward zones in the unbound using unbound-control. + """ + # Filter out WIFI connections if desirable + if not fzones_config.add_wifi_zones: + connections = filter( + lambda x: x.get_type() != ActiveConnection.TYPE_WIFI, active_connections) + else: + connections = active_connections + # If validate forward zones + secure = fzones_config.validate_fzones + + # Filter active connections with domain(s) + conns_with_domains = filter(lambda x: x.get_domains(), connections) + fzones_from_ac = {} + # Construct dict of domain -> active connection + for conn in conns_with_domains: + # iterate through all domains in the active connection + for domain in conn.get_domains(): + # if there is already such a domain + if domain in fzones_from_ac: + # if the "conn" is VPN and the conn for existing domain is not + if fzones_from_ac[domain].get_type() != ActiveConnection.TYPE_VPN and conn.get_type() == ActiveConnection.TYPE_VPN: + fzones_from_ac[domain] = conn + # if none of there connections are VPNs or both are VPNs, + # prefer the default one + elif not fzones_from_ac[domain].get_is_default() and conn.get_is_default(): + fzones_from_ac[domain] = conn + else: + fzones_from_ac[domain] = conn + + # Remove all zones which connection UUID does not match any existing AC + del_fzones_for_nonexisting_conn(conns_with_domains, secure) + + # Remove all zones which connection UUID is different than the current AC + # UUID for the zone + fzones_from_disk = get_fzones_from_disk() + for zone, uuid in fzones_from_disk.iteritems(): + connection = fzones_from_ac[zone] + # if the AC UUID is NOT the same as from the disk, remove the zone + if connection.get_uuid() != uuid: + unbound_del_forward_zone(zone, secure) + del_fzone_from_file(uuid, zone) + + # get zones from unbound and delete them from fzones_from_ac + # there may be zones manually configured in unbound.conf and we + # don't want to replace them + unbound_zones = unbound_get_forward_zones() + for zone in unbound_zones: + try: + del fzones_from_ac[zone] + except KeyError: + # we don't mind if there is no such zone + pass + + # Add forward zones that are not already configured + fzones_from_disk = get_fzones_from_disk() + for zone, connection in fzones_from_ac.iteritems(): + if zone not in fzones_from_disk: + unbound_add_forward_zone( + zone, connection.get_nameservers(), secure) + append_fzone_to_file(connection.get_uuid(), zone) + + +############################################################################## + + +if __name__ == "__main__": + if not is_running(DNSSEC_TRIGGER): + syslog.syslog(syslog.LOG_ERR, "dnssec-triggerd daemon is not running!") + sys.exit(1) + if not is_running(UNBOUND): + syslog.syslog(syslog.LOG_ERR, "unbound server daemon is not running!") + sys.exit(1) + + fzones_config = get_fzones_settings_from_conf(DNSSEC_CONF) + + # Get all actove connections from NM + ac = get_nm_active_connections() + # Configure global forwarders + configure_global_forwarders(ac) + # Configure forward zones + configure_forward_zones(ac, fzones_config) diff --git a/SOURCES/dnssec-trigger-0.11-coverity_scan.patch b/SOURCES/dnssec-trigger-0.11-coverity_scan.patch new file mode 100644 index 0000000..30a70e3 --- /dev/null +++ b/SOURCES/dnssec-trigger-0.11-coverity_scan.patch @@ -0,0 +1,39 @@ +From b6e3deeef71a78c575d6e169d007956c02abc5da Mon Sep 17 00:00:00 2001 +From: wouter +Date: Mon, 26 Aug 2013 08:41:03 +0000 +Subject: [PATCH] - Fix#522: Errors found by static analysis of source from + Tomas Hozza. + +git-svn-id: http://www.nlnetlabs.nl/svn/dnssec-trigger/trunk@649 14dc9c71-5cc2-e011-b339-0019d10b89f4 +--- + riggerd/riggerd.c | 1 + + riggerd/update.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/riggerd/riggerd.c b/riggerd/riggerd.c +index dc61216..ef46691 100644 +--- a/riggerd/riggerd.c ++++ b/riggerd/riggerd.c +@@ -110,6 +110,7 @@ static RETSIGTYPE record_sigh(int sig) + #ifdef SIGHUP + case SIGHUP: + sig_reload = 1; ++ /* fall through and exit commbase with reload boolean set */ + #endif + case SIGTERM: + #ifdef SIGQUIT +diff --git a/riggerd/update.c b/riggerd/update.c +index 437f981..dff5380 100644 +--- a/riggerd/update.c ++++ b/riggerd/update.c +@@ -573,6 +573,7 @@ selfupdate_write_file(struct selfupdate* se, struct http_get* hg) + out)) { + log_err("cannot write to file %s: %s", se->download_file, + strerror(errno)); ++ fclose(out); + goto fail; + } + fclose(out); +-- +1.8.3.1 + diff --git a/SOURCES/dnssec-trigger-0.11-improve_dialog_texts.patch b/SOURCES/dnssec-trigger-0.11-improve_dialog_texts.patch new file mode 100644 index 0000000..360bfef --- /dev/null +++ b/SOURCES/dnssec-trigger-0.11-improve_dialog_texts.patch @@ -0,0 +1,134 @@ +From d01ec0b07d425580cf3dcf7246ec807dbcf1aa5e Mon Sep 17 00:00:00 2001 +From: Tomas Hozza +Date: Fri, 15 Nov 2013 10:44:45 +0100 +Subject: [PATCH] Improve texts in dialogs to be more clear + +Improve texts in Hotspot sing-on dialog and also +some dialogs labels and pop-up panel button label, +to describe the situation more clearly. + +Changes are proposed and reviewed by Red Hat +Documentation Team. + +Signed-off-by: Tomas Hozza +--- + panel/pui.xml | 48 +++++++++++++++++++++++++++--------------------- + 1 file changed, 27 insertions(+), 21 deletions(-) + +diff --git a/panel/pui.xml b/panel/pui.xml +index 4915d83..f1051b2 100644 +--- a/panel/pui.xml ++++ b/panel/pui.xml +@@ -4,7 +4,7 @@ + + False + 5 +- Hotspot Signon ++ Disable DNSSEC for Hotspot Sign On + dialog + + +@@ -16,10 +16,15 @@ + + True + False +- Some networks need insecure signon. After you log in to the +-network via its portal page, select <i>Reprobe</i> to get secure again. ++ Some networks, such as Hotspots, require you to sign on, or register, ++before allowing full network access. By clicking <i>OK</i>, DNSSEC will be ++disabled to allow you to connect to the captive portal's sign-on ++page. After you have signed on and full network access has been enabled, ++DNSSEC-trigger should detect this and enable DNSSEC again. You can also ++select <i>Reprobe</i> to attempt to establish a secure connection to a DNSSEC ++capable name server. + +-<i>Please, stay safe out there.</i> ++<i>A red exclamation mark in the icon warns you when DNSSEC is disabled.</i> + True + + +@@ -138,10 +143,10 @@ network via its portal page, select <i>Reprobe</i> to get secure aga + + True + False +- There is no web access on this network. Do you have to login for that? ++ There is no access to external websites from this network. Do you have to login for that? + +-While you login you are <i>insecure</i>, for backwards compatibility, until +-dnssec-trigger can detect web access. ++When you select <i>Log in</i>, DNSSEC will be disabled for backwards compatibility reasons, until ++DNSSEC-trigger can detect web access. + + <i>Skip</i> this if you do not have to log in on this network. + True +@@ -162,7 +167,7 @@ dnssec-trigger can detect web access. + + False + 5 +- probe dnssec results ++ Results of DNSSEC probe + 400 + 280 + normal +@@ -251,7 +256,7 @@ dnssec-trigger can detect web access. + True + False + False +- Hotspot signon ++ Hotspot sign-on + True + + +@@ -331,28 +336,29 @@ dnssec-trigger can detect web access. + + True + False +- <b>The Network Fails to Support DNSSEC</b> ++ <b>This Network Fails to Support DNSSEC</b> + +-The network you are connected to does not allow DNSSEC, via +-the provided DNS caches, nor via contacting servers on the +-internet directly (it filters traffic to this end). It is not possible +-to provide DNSSEC security, but you can connect insecurely. ++The network you are connected to does not allow DNS Security ++Extensions (DNSSEC) via the provided DNS caches, nor via contacting ++DNS name servers on the Internet directly (it filters traffic ++to this end). It is not possible to provide DNSSEC, but you can ++connect insecurely. + + Do you want to connect insecurely? + +-* if you choose <b>Disconnect</b> then DNS is disabled. It is safe, +-but there is very little that works. ++* if you choose <b>Disconnect</b> then DNS is disabled. ++It is safe, but there is very little that works. + +-* if you choose <b>Insecure</b> then the DNSSEC security is lost. ++* if you choose <b>Insecure</b> then DNSSEC is disabled and security is lost. + You can connect and work. But there is no safety. The network + interferes with DNSSEC, it may also interfere with other things. + Have caution and work with sensitive personal and financial + things some other time. + +-Some hotspots may work after you have gained access via +-its signon page. Then use <i>Reprobe</i> from the menu to retry. ++Some Hotspots may work after you have gained access via ++its sign-on page. Then use <i>Reprobe</i> from the menu to retry. + +-<i>Stay safe out there!</i> ++<i>A red exclamation mark in the icon warns you when DNSSEC is disabled.</i> + True + + +@@ -383,7 +389,7 @@ its signon page. Then use <i>Reprobe</i> from the menu to retry. + + True + False +- There is a software update available for dnssec-trigger. ++ There is a software update available for DNSSEC-trigger. + Do you wish to install the update? + True + +-- +1.8.3.1 + diff --git a/SOURCES/dnssec-trigger-0.11-nl489.patch b/SOURCES/dnssec-trigger-0.11-nl489.patch new file mode 100644 index 0000000..7af6ab3 --- /dev/null +++ b/SOURCES/dnssec-trigger-0.11-nl489.patch @@ -0,0 +1,12 @@ +diff -up dnssec-trigger-0.11/panel/dnssec-trigger-panel.desktop.in.nl489 dnssec-trigger-0.11/panel/dnssec-trigger-panel.desktop.in +--- dnssec-trigger-0.11/panel/dnssec-trigger-panel.desktop.in.nl489 2013-03-04 18:48:38.606852783 +0100 ++++ dnssec-trigger-0.11/panel/dnssec-trigger-panel.desktop.in 2013-03-04 18:48:46.838834610 +0100 +@@ -8,7 +8,7 @@ Comment=Shows DNS state and warning dial + Exec=0bindir0/dnssec-trigger + Icon=0uidir0/status-icon.png + Terminal=false +-Categories=Application;Utility; ++Categories=Utility; + X-KDE-StartupNotify=false + StartupNotify=false + diff --git a/SOURCES/dnssec-trigger-842455.patch b/SOURCES/dnssec-trigger-842455.patch new file mode 100644 index 0000000..c92cc6c --- /dev/null +++ b/SOURCES/dnssec-trigger-842455.patch @@ -0,0 +1,10 @@ +--- dnssec-trigger-0.11-orig/riggerd/riggerd.c 2012-07-24 10:27:43.638865272 -0400 ++++ dnssec-trigger-0.11/riggerd/riggerd.c 2012-07-24 10:51:39.910814143 -0400 +@@ -298,6 +298,7 @@ + so that during the reboot there is no window of opportunity */ + if(svr->insecure_state) + hook_resolv_localhost(cfg); ++ hook_resolv_uninstall(cfg); /* we want to remove immutable flag on TERM when systemd signals us */ + unlink_pid(cfg->pidfile); + log_info("%s stop", PACKAGE_STRING); + svr_delete(svr); diff --git a/SOURCES/dnssec-trigger-rh1254473.patch b/SOURCES/dnssec-trigger-rh1254473.patch new file mode 100644 index 0000000..6edeebc --- /dev/null +++ b/SOURCES/dnssec-trigger-rh1254473.patch @@ -0,0 +1,19 @@ +diff --git a/panel/attach.c b/panel/attach.c +index 8f12403..ba491b2 100644 +--- a/panel/attach.c ++++ b/panel/attach.c +@@ -501,9 +501,11 @@ void fetch_proberesults(char* buf, size_t len, const char* lf) + "results is used, but no queries are made.%s", lf, lf); + else if(strstr(p->str, "forced_insecure")) + n=snprintf(pos, left, +- "DNS queries are sent to INSECURE servers, because of%s" +- "Hotspot Signon. Select Reprobe (from menu) after signon.%s" +- "Please, be careful out there.%s", lf, lf, lf); ++ "DNS queries are being sent to INSECURE servers%s" ++ "because Hotspot Sign-on mode was selected. Select%s" ++ "Reprobe (from menu) after sign-on. A red exclamation%s" ++ "mark in the icon warns you when DNSSEC is disabled.%s", ++ lf, lf, lf, lf); + else if(strstr(p->str, "http_insecure") && + strstr(p->str, "insecure_mode")==NULL) + n=snprintf(pos, left, diff --git a/SOURCES/dnssec-trigger.conf b/SOURCES/dnssec-trigger.conf new file mode 100644 index 0000000..cf0be7a --- /dev/null +++ b/SOURCES/dnssec-trigger.conf @@ -0,0 +1,84 @@ +# Red Hat Enterprise Linux 7 version of dnssec-trigger.conf + +# logging detail, 0=only errors, 1=operations, 2=detail, 3,4 debug detail. +# verbosity: 1 + +# pidfile location +pidfile: "/var/run/dnssec-triggerd.pid" + +# log to a file instead of syslog, default is to syslog +# logfile: "/var/log/dnssec-trigger.log" + +# log to syslog, or (log to to stderr or a logfile if specified). yes or no. +# use-syslog: yes + +# chroot to this directory +# chroot: "" + +# the unbound-control binary if not found in PATH. +# commandline options can be appended "unbound-control -c my.conf" if you wish. +# unbound-control: "/usr/sbin/unbound-control" + +# where is resolv.conf to edit. +# resolvconf: "/etc/resolv.conf" + +# the domain example.com line (if any) to add to resolv.conf(5). default none. +# domain: "" + +# domain name search path to add to resolv.conf(5). default none. +# the search path from DHCP is not picked up, it could be used to misdirect. +# search: "" + +# the command to run to open login pages on hot spots, a web browser. +# empty string runs no command. +# login-command: "xdg-open" + +# the url to open to get hot spot login, it gets overridden by the hotspot. +login-location: "http://www.nlnetlabs.nl/projects/dnssec-trigger" +# should to be a ttl=0 entry + +# do not perform actions (unbound-control or resolv.conf), for a dry-run. +# noaction: no + +# port number to use for probe daemon. +# port: 8955 + +# keys and certificates generated by the dnssec-trigger-keygen systemd service +# (which called dnssec-trigger-control-setup) +server-key-file: "/etc/dnssec-trigger/dnssec_trigger_server.key" +server-cert-file: "/etc/dnssec-trigger/dnssec_trigger_server.pem" +control-key-file: "/etc/dnssec-trigger/dnssec_trigger_control.key" +control-cert-file: "/etc/dnssec-trigger/dnssec_trigger_control.pem" + +# check for updates, download and ask to install them (for Windows, OSX). +# check-updates: no + +# webservers that are probed to see if internet access is possible. +# They serve a simple static page over HTTP port 80. It probes a random url: +# after a space is the content expected on the page, (the page can contain +# whitespace before and after this code). Without urls it skips http probes. + +# provided by NLnetLabs +# It is provided on a best effort basis, with no service guarantee. +url: "http://ster.nlnetlabs.nl/hotspot.txt OK" + +# fallback open DNSSEC resolvers that run on TCP port 80 and TCP port 443. +# the ssl443 adds an ssl server IP, if you specify a hash it is checked, put +# the following on one line: ssl443: +# hash is output of openssl x509 -sha256 -fingerprint -in server.pem +# You can add more with extra config lines. + +# provided by Paul Wouters (pwouters@redhat.com) +# It is provided on a best effort basis, with no service guarantee. +# tcp80: 193.110.157.123 +# tcp80: 2001:888:2003:1004::123 +# ssl443: 193.110.157.123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7 +# ssl443: 2001:888:2003:1004::123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7 + +# provided by NLnetLabs (www.nlnetlabs.nl) +# It is provided on a best effort basis, with no service guarantee. +tcp80: 213.154.224.3 +tcp80: 2001:7b8:206:1:bb:: +ssl443: 213.154.224.3 DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F +ssl443: 2001:7b8:206:1:bb:: DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F + diff --git a/SOURCES/dnssec-trigger.tmpfiles.d b/SOURCES/dnssec-trigger.tmpfiles.d new file mode 100644 index 0000000..000d918 --- /dev/null +++ b/SOURCES/dnssec-trigger.tmpfiles.d @@ -0,0 +1 @@ +d /var/run/dnssec-trigger 0755 root root - diff --git a/SOURCES/dnssec-triggerd-keygen.service b/SOURCES/dnssec-triggerd-keygen.service new file mode 100644 index 0000000..fcff223 --- /dev/null +++ b/SOURCES/dnssec-triggerd-keygen.service @@ -0,0 +1,15 @@ +[Unit] +Description=dnssec-triggerd Control Key And Certificate Generator +After=syslog.target +Before=dnssec-triggerd.service +ConditionPathExists=!/etc/dnssec-trigger/dnssec_trigger_control.key + +[Service] +Type=oneshot +#Group=dnssec-trigger +ExecStart=/usr/sbin/dnssec-trigger-control-setup -d /etc/dnssec-trigger/ +ExecStart=/sbin/restorecon /etc/dnssec-trigger/* +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target diff --git a/SOURCES/dnssec-triggerd-resolvconf-handle.service b/SOURCES/dnssec-triggerd-resolvconf-handle.service new file mode 100644 index 0000000..a23760c --- /dev/null +++ b/SOURCES/dnssec-triggerd-resolvconf-handle.service @@ -0,0 +1,11 @@ +[Unit] +Description=Backups and restores /etc/resolv.conf after dnssec-trigger starts/stops +PartOf=dnssec-triggerd.service + + +[Service] +Type=oneshot +RemainAfterExit=yes + +ExecStart=/usr/libexec/dnssec-triggerd-resolvconf-handle.sh backup +ExecStop=/usr/libexec/dnssec-triggerd-resolvconf-handle.sh restore diff --git a/SOURCES/dnssec-triggerd-resolvconf-handle.sh b/SOURCES/dnssec-triggerd-resolvconf-handle.sh new file mode 100755 index 0000000..622df12 --- /dev/null +++ b/SOURCES/dnssec-triggerd-resolvconf-handle.sh @@ -0,0 +1,62 @@ +#!/bin/sh +# dnssec-trigger script handling possible backup and restore of resolv.conf + +SCRIPT_NAME="dnssec-trigger-resolvconf-handle.sh" +STATE_DIR="/var/run/dnssec-trigger" +RESOLV_CONF="/etc/resolv.conf" +RESOLV_CONF_BAK="$STATE_DIR/resolv.conf.bak" +NM_CONFIG="/etc/NetworkManager/NetworkManager.conf" + +usage() +{ + echo + echo "This script backs up or restores /etc/resolv.conf content" + echo "Usage: $SCRIPT_NAME [backup|restore]" +} + +# check number of arguments +if ! [ "$#" -eq 1 ]; then + echo "ERROR: Wrong number of arguments!" + usage + exit 1 +fi + +does_nm_handle_resolv_conf() +{ + grep -x "^dns=none" $NM_CONFIG &> /dev/null + echo "$?" +} + +backup_resolv_conf() +{ + # find out if NM handles the resolv.conf + if [ "`does_nm_handle_resolv_conf`" -eq 0 ]; then + cp -fp $RESOLV_CONF $RESOLV_CONF_BAK + fi +} + +restore_resolv_conf() +{ + # if we have a backup and NM does not handle resolv.conf -> restore it + if [ "`does_nm_handle_resolv_conf`" -eq 0 ] && [ -s $RESOLV_CONF_BAK ]; then + cp -fp $RESOLV_CONF_BAK $RESOLV_CONF + else + # let NM rewrite the resolv.conf + systemctl restart NetworkManager.service + fi +} + +case "$1" in + backup) + backup_resolv_conf + ;; + restore) + restore_resolv_conf + ;; + *) + echo "ERROR: Wrong argument!" + usage + exit 1 +esac + +exit 0 diff --git a/SOURCES/dnssec-triggerd.service b/SOURCES/dnssec-triggerd.service new file mode 100644 index 0000000..9d55778 --- /dev/null +++ b/SOURCES/dnssec-triggerd.service @@ -0,0 +1,22 @@ +[Unit] +Description=Reconfigure local DNS(SEC) resolver on network change +After=syslog.target network.target +After=dnssec-triggerd-keygen.service +Wants=dnssec-triggerd-keygen.service +After=dnssec-triggerd-resolvconf-handle.service +Wants=dnssec-triggerd-resolvconf-handle.service +After=unbound.service +Wants=unbound.service + +[Service] +Type=simple +Restart=always +#EnvironmentFile=-/etc/sysconfig/dnssec-trigger +ExecStart=/usr/sbin/dnssec-triggerd -d +ExecStartPost=/etc/NetworkManager/dispatcher.d/01-dnssec-trigger-hook +RestartSec=0 +ExecStopPost=/usr/bin/chattr -i /etc/resolv.conf + +[Install] +WantedBy=multi-user.target +Alias=dnssec-trigger.service diff --git a/SOURCES/dnssec.conf.sample b/SOURCES/dnssec.conf.sample new file mode 100644 index 0000000..dc1325b --- /dev/null +++ b/SOURCES/dnssec.conf.sample @@ -0,0 +1,54 @@ +# validate_connection_provided_zones: +# ----------------------------------- +# Setts if forward zones added into unbound by dnssec-trigger script +# will be DNSSEC validated or NOT. Note that this setting is global +# for all added forward zones.. +# Possible options are: +# +# validate_connection_provided_zones=yes - All connection provided zones +# configured as forward zones into +# unbound WILL BE DNSSEC validated +# (NOTE: If connection provided DNS +# servers are NOT DNSSEC capable, the +# resolving of provided zones will +# NOT work!) +# +# validate_connection_provided_zones=no - All connection provided zones +# configured as forward zones into +# unbound will NOT be DNSSEC validated +# +# +# NOTICE: if you turn the validation OFF then all forward zones added by +# dnssec-trigger script will NOT be DNSSEC validated. If you turn the +# validation ON, only newly added forward zones will be DNSSEC validated. +# Forward zones added before the change will still NOT be DNSSEC validated. +# To force validation of previously added forward zone you need to restart +# it. For VPNs this can be done by restart NetworkManager. +validate_connection_provided_zones=yes + +# add_wifi_provided_zones: +# ------------------------ +# Setts if domains provided by WiFi connection are configured as forward zones +# into unbound. +# Possible options are: +# +# add_wifi_provided_zones=yes - Domains provided by ANY WiFi connection will +# be configured as forward zones into unbound. +# (NOTE: See the possible security implications +# stated below!) +# +# add_wifi_provided_zones=no - Domains provided by ANY WiFi connection will +# NOT be configured as forward zones into unbound. +# (NOTE: Forward zones will be still configured +# for any other type of connection!) +# +# NOTICE: Turning ON the addition of WiFi provided domains as forward zones +# into unbound may have SECURITY implications such as: +# - A WiFi access point can intentionally provide you a domain via DHCP for +# which it does not have authority and route all your DNS queries to its +# DNS servers. +# - In addition to the previous point, if you have the DNSSEC validation +# of forward zones turned OFF, the WiFi provided DNS servers can spoof +# the IP address for domain names from the provided domain WITHOUT YOU +# KNOWING IT! +add_wifi_provided_zones=no diff --git a/SPECS/dnssec-trigger.spec b/SPECS/dnssec-trigger.spec new file mode 100644 index 0000000..569594d --- /dev/null +++ b/SPECS/dnssec-trigger.spec @@ -0,0 +1,264 @@ +%global _hardened_build 1 + +Summary: NetworkManager plugin to update/reconfigure DNSSEC resolving +Name: dnssec-trigger +Version: 0.11 +Release: 22%{?dist} +License: BSD +Url: http://www.nlnetlabs.nl/downloads/dnssec-trigger/ +Source: http://www.nlnetlabs.nl/downloads/dnssec-trigger/%{name}-%{version}.tar.gz +Source1:dnssec-triggerd.service +Source2: dnssec-triggerd-keygen.service +Source3: dnssec-trigger.conf +# Latest NM dispatcher Python hook from upstream SVN +# http://www.nlnetlabs.nl/svn/dnssec-trigger/trunk/contrib/01-dnssec-trigger-hook-new_nm +Source4: 01-dnssec-trigger-hook +Source5: dnssec-trigger.tmpfiles.d +Source6: dnssec-triggerd-resolvconf-handle.sh +Source7: dnssec-triggerd-resolvconf-handle.service +# http://www.nlnetlabs.nl/svn/dnssec-trigger/trunk/contrib/dnssec.conf.sample +Source8: dnssec.conf.sample +Patch1: dnssec-trigger-0.11-improve_dialog_texts.patch +Patch2: dnssec-trigger-842455.patch +# https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=489 +Patch3: dnssec-trigger-0.11-nl489.patch +Patch4: dnssec-trigger-0.11-coverity_scan.patch +Patch5: dnssec-trigger-rh1254473.patch + +Requires(postun): initscripts +Requires: ldns >= 1.6.10, NetworkManager, NetworkManager-glib, unbound, xdg-utils +Requires(pre): shadow-utils +BuildRequires: desktop-file-utils systemd-units, openssl-devel, ldns-devel +BuildRequires: gtk2-devel, NetworkManager-devel + +BuildRequires: systemd +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd + +%description +dnssec-trigger reconfigures the local unbound DNS server. This unbound DNS +server performs DNSSEC validation, but dnssec-trigger will signal it to +use the DHCP obtained forwarders if possible, and fallback to doing its +own AUTH queries if that fails, and if that fails prompt the user via +dnssec-trigger-applet the option to go with insecure DNS only. + +%prep +%setup -q +# Fixup the name to not include "panel" in the menu item or name +sed -i "s/ Panel//" panel/dnssec-trigger-panel.desktop.in +sed -i "s/-panel//" panel/dnssec-trigger-panel.desktop.in +# change some text in the popups +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 + +%build +%configure --with-keydir=/etc/dnssec-trigger +%{__make} %{?_smp_mflags} + +%install +rm -rf %{buildroot} +%{__make} DESTDIR=%{buildroot} install +install -d 0755 %{buildroot}%{_unitdir} +install -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}d.service +install -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name}d-keygen.service +install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/%{name}/ + +mkdir -p %{buildroot}%{_libexecdir} +install -m 0755 %{SOURCE6} %{buildroot}%{_libexecdir}/%{name}d-resolvconf-handle.sh +install -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/%{name}d-resolvconf-handle.service + +desktop-file-install --dir=%{buildroot}%{_datadir}/applications dnssec-trigger-panel.desktop + +# overwrite the stock NM hook since there is new one in upstream SVN that is not used by default +install -p -m 0755 %{SOURCE4} %{buildroot}/%{_sysconfdir}/NetworkManager/dispatcher.d/01-dnssec-trigger-hook +#install the /etc/dnssec.conf configuration file +install -p -m 0644 %{SOURCE8} %{buildroot}/%{_sysconfdir}/dnssec.conf + +# install the configuration for /var/run/dnssec-trigger into tmpfiles.d dir +mkdir -p %{buildroot}%{_tmpfilesdir} +install -m 644 %{SOURCE5} ${RPM_BUILD_ROOT}%{_tmpfilesdir}/%{name}.conf +# we must create the /var/run/dnssec-trigger directory +mkdir -p %{buildroot}%{_localstatedir}/run +install -d -m 0755 %{buildroot}%{_localstatedir}/run/%{name} + +# supress the panel name everywhere including the gnome3 panel at the bottom +ln -s dnssec-trigger-panel %{buildroot}%{_bindir}/dnssec-trigger + +# Make dnssec-trigger.8 manpage available under names of all dnssec-trigger-* +# executables +for all in dnssec-trigger-control dnssec-trigger-control-setup dnssec-triggerd; do + ln -s %{_mandir}/man8/dnssec-trigger.8 %{buildroot}/%{_mandir}/man8/"$all".8 +done +ln -s %{_mandir}/man8/dnssec-trigger.8 %{buildroot}/%{_mandir}/man8/dnssec-trigger.conf.8 + +%clean +rm -rf ${RPM_BUILD_ROOT} + +%files +%defattr(-,root,root,-) +%doc README LICENSE +%{_unitdir}/%{name}d.service +%{_unitdir}/%{name}d-keygen.service +%{_unitdir}/%{name}d-resolvconf-handle.service + +%attr(0755,root,root) %dir %{_sysconfdir}/%{name} +%attr(0755,root,root) %{_sysconfdir}/NetworkManager/dispatcher.d/01-dnssec-trigger-hook +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/dnssec.conf +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-trigger.conf +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/xdg/autostart/dnssec-trigger-panel.desktop +%dir %{_localstatedir}/run/%{name} +%{_tmpfilesdir}/%{name}.conf +%{_bindir}/dnssec-trigger-panel +%{_bindir}/dnssec-trigger +%{_sbindir}/dnssec-trigger* +%{_libexecdir}/%{name}d-resolvconf-handle.sh +%{_mandir}/*/* +%attr(0755,root,root) %dir %{_datadir}/%{name} +%attr(0644,root,root) %{_datadir}/%{name}/* +%attr(0644,root,root) %{_datadir}/applications/dnssec-trigger-panel.desktop + + +%post +%systemd_post %{name}d.service + + +%preun +%systemd_preun %{name}d.service +if [ "$1" -eq "0" ] ; then + # dnssec-triggerd makes /etc/resolv.conf immutable, undo that on removal + chattr -i /etc/resolv.conf +fi + +%postun +%systemd_postun_with_restart %{name}d.service + + +%changelog +* Wed May 18 2016 Tomas Hozza - 0.11-22 +- Improved text in the GUI panel in Hotspot sign-on mode (#1254473) +- Build all binaries with PIE hardening (#1092526) + +* Tue Feb 11 2014 Tomas Hozza - 0.11-21 +- handle IndexError exception in NM script until NM provides better API (#1063735) +- restart NM when stopping dnssec-trigger daemon instead of handling + resolv.conf by ourself. (#1061370) + +* Wed Jan 29 2014 Tomas Hozza - 0.11-20 +- use systemd macros instead of directly using systemctl (#1058773) +- Replace the "Fedora /EPEL" comment in dnssec-trigger.conf (#1055949) +- Use more newer and more advanced dispatcher script (#1034813) + +* Fri Jan 24 2014 Daniel Mach - 0.11-19 +- Mass rebuild 2014-01-24 + +* Fri Dec 27 2013 Daniel Mach - 0.11-18 +- Mass rebuild 2013-12-27 + +* Tue Nov 26 2013 Tomas Hozza - 0.11-17 +- Add script to backup and restore resolv.conf on dnssec-trigger start/stop (#1031648) + +* Mon Nov 18 2013 Tomas Hozza - 0.11-16 +- Improve GUI dialogs texts (#1029889) + +* Mon Nov 11 2013 Tomas Hozza - 0.11-15 +- Fix the dispatcher script to use new nmcli syntax (#1028003) + +* Mon Aug 26 2013 Tomas Hozza - 0.11-14 +- Fix errors found by static analysis of source + +* Fri Aug 09 2013 Tomas Hozza - 0.11-13 +- Use improved NM dispatcher script from upstream (#980036) +- Added tmpfiles.d config due to improved NM dispatcher script + +* Mon Jul 22 2013 Tomas Hozza - 0.11-12 +- Removed Fedora infrastructure from dnssec-trigger.conf (#955149) + +* Mon Mar 04 2013 Adam Tkac - 0.11-11 +- link dnssec-trigger.conf.8 to dnssec-trigger.8 +- build dnssec-triggerd with full RELRO + +* Mon Mar 04 2013 Adam Tkac - 0.11-10 +- remove deprecated "Application" keyword from desktop file + +* Mon Mar 04 2013 Adam Tkac - 0.11-9 +- install various dnssec-trigger-* symlinks to dnssec-trigger.8 manpage + +* Wed Feb 13 2013 Fedora Release Engineering - 0.11-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Tue Jan 08 2013 Paul Wouters - 0.11-7 +- Use full path for systemd (rhbz#842455) + +* Tue Jul 24 2012 Paul Wouters - 0.11-6 +- Patched daemon to remove immutable attr (rhbz#842455) as the + systemd ExecStopPost= target does not seem to work + +* Tue Jul 24 2012 Paul Wouters - 0.11-5 +- On service stop, remove immutable attr from resolv.conf (rhbz#842455) + +* Wed Jul 18 2012 Fedora Release Engineering - 0.11-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Thu Jun 28 2012 Paul Wouters - 0.11-3 +- Fix DHCP hook for f17+ version of nmcli (rhbz#835298) + +* Sun Jun 17 2012 Paul Wouters - 0.11-2 +- Small textual changes to some popup windows + +* Fri Jun 15 2012 Paul Wouters - 0.11-1 +- Updated to 0.11 +- http Hotspot detection via fedoraproject.org/static/hotspot.html +- http Hotspot Login page via uses hotspot-nocache.fedoraproject.org + +* Thu Feb 23 2012 Paul Wouters - 0.10-4 +- Require: unbound + +* Wed Feb 22 2012 Paul Wouters - 0.10-3 +- Fix the systemd startup to require unbound +- dnssec-triggerd no longer forks, giving systemd more control +- Fire NM dispatcher in ExecStartPost of dnssec-triggerd.service +- Fix tcp80 entries in dnssec-triggerd.conf +- symlink dnssec-trigger-panel to dnssec-trigger to supress the + "-panel" in the applet name shown in gnome3 + + +* Wed Feb 22 2012 Paul Wouters - 0.10-2 +- The NM hook was not modified at the right time during build + +* Wed Feb 22 2012 Paul Wouters - 0.10-1 +- Updated to 0.10 +- The NM hook lacks /usr/sbin in path, resulting in empty resolv.conf on hotspot + +* Wed Feb 08 2012 Paul Wouters - 0.9-4 +- Updated tls443 / tls80 resolver instances supplied by Fedora Hosted + +* Mon Feb 06 2012 Paul Wouters - 0.9-3 +- Convert from SysV to systemd for initial Fedora release +- Moved configs and pem files to /etc/dnssec-trigger/ +- No more /var/run/dnssec-triggerd/ +- Fix Build-requires +- Added commented tls443 port80 entries of pwouters resolvers +- On uninstall ensure there is no immutable bit on /etc/resolv.conf + +* Sat Jan 07 2012 Paul Wouters - 0.9-2 +- Added LICENCE to doc section + +* Mon Dec 19 2011 Paul Wouters - 0.9-1 +- Upgraded to 0.9 + +* Fri Oct 28 2011 Paul Wouters - 0.7-1 +- Upgraded to 0.7 + +* Fri Sep 23 2011 Paul Wouters - 0.4-1 +- Upgraded to 0.4 + +* Sat Sep 17 2011 Paul Wouters - 0.3-5 +- Start 01-dnssec-trigger-hook in daemon start +- Ensure dnssec-triggerd starts after NetworkManager + +* Fri Sep 16 2011 Paul Wouters - 0.3-4 +- Initial package