# # Red Hat BIND9 package .spec file # # vim:expandtab ts=2: # bcond_without is built by default, unless --without X is passed # bcond_with is built only when --with X is passed to build %bcond_with SYSTEMTEST # Allow net configuration using sudo when SYSTEMTEST is enabled %bcond_without SUDO %bcond_without GSSTSIG %bcond_without JSON # New MaxMind GeoLite support %bcond_without GEOIP2 # Disabled temporarily until kyua is fixed on rawhide, bug #1926779 %bcond_without UNITTEST # Do not set CI environment, include more unit tests, even less stable %bcond_with UNITTEST_ALL %bcond_without DNSTAP %bcond_without LMDB %bcond_without DOC # Add experimental extra verbose logging of query processing %bcond_with QUERYTRACE %bcond_with TSAN %bcond_without DTRACE # Bug rhbz#2277997 %bcond_with JEMALLOC # Possible on Fedora only %bcond_with OPENSSL_ENGINE %{!?_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}} %global bind_dir /var/named %global chroot_prefix %{bind_dir}/chroot %global chroot_create_directories /dev /run/named %{_localstatedir}/{log,named,tmp} \\\ %{_sysconfdir}/{crypto-policies/back-ends,pki/dnssec-keys,pki/tls,named} \\\ %{_libdir}/bind %{_libdir}/named %{_datadir}/GeoIP /proc/sys/net/ipv4 %global forgeurl0 https://gitlab.isc.org/isc-projects/bind9 # libisc-nosym requires to be linked with unresolved symbols # When libisc-nosym linking is fixed, it can be defined to 1 # Visit https://bugzilla.redhat.com/show_bug.cgi?id=1540300 %undefine _strict_symbol_defs_build # BIND 9 does not work with fortify 3 level, make builds work on Fedora %global _fortify_level 2 # Upstream package name %global upname bind # Provide only bind-utils on f37+, it has better behaviour %define upname_compat() \ %if "%{name}" != "%{upname}" \ Provides: %1 = %{version}-%{release} \ Conflicts: %1 \ %endif Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server Name: bind # Most of code is licensed under MPL-2.0. Some additions follow: # ./lib/isccc/*.c ISC and/or MPL-2.0 # ./lib/isccc/include/isccc/*.h ISC and/or MPL-2.0 # ./lib/isc/picohttpparser.c Expat, should be MIT # ./lib/isc/picohttpparser.h Expat, should be MIT # ./lib/isc/url.c Expat and/or MPL-2.0, should be MIT # ./lib/isc/include/isc/url.h Expat and/or MPL-2.0 # ./lib/dns/dnstap.c BSD-3-clause and/or MPL-2.0 # ./lib/isc/commandline.c BSD-3-clause and/or MPL-2.0 # ./lib/isc/file.c BSD-3-clause and/or MPL-2.0 # ./lib/isc/string.c BSD-3-clause and/or MPL-2.0 # ./lib/isc/tm.c BSD-2-clause and/or MPL-2.0 # ./lib/isccfg/parser.c BSD-2-clause and/or MPL-2.0 License: MPL-2.0 AND ISC AND MIT AND BSD-3-Clause AND BSD-2-Clause # # Before rebasing bind, ensure bind-dyndb-ldap is ready to be rebuild and use side-tag with it. # Updating just bind will cause freeipa-dns-server package to be uninstallable. Version: 9.20.13 Release: %autorelease Epoch: 32 Url: https://www.isc.org/downloads/bind/ VCS: git:%{forgeurl0} # Source0: https://downloads.isc.org/isc/bind9/%{version}/%{upname}-%{version}.tar.xz Source1: named.sysconfig Source2: https://downloads.isc.org/isc/bind9/%{version}/%{upname}-%{version}.tar.xz.asc Source3: named.logrotate Source4: https://www.isc.org/docs/isc-keyblock.asc Source16: named.conf # Refresh by command: dig @a.root-servers.net. +tcp +norec # or from URL Source17: https://www.internic.net/domain/named.root Source18: named.localhost Source19: named.loopback Source20: named.empty Source23: named.rfc1912.zones Source25: named.conf.sample Source27: named.root.key Source35: bind.tmpfiles.d Source36: trusted-key.key Source37: named.service Source38: named-chroot.service Source41: setup-named-chroot.sh Source42: generate-rndc-key.sh Source43: named.rwtab Source44: named-chroot-setup.service Source46: named-setup-rndc.service Source48: setup-named-softhsm.sh Source49: named-chroot.files Source50: named.sysusers # Common patches # Red Hat specific documentation is not relevant to upstream Patch1: bind-9.16-redhat_doc.patch # Try to avoid failure with FreeIPA's openssl Patch3: bind-9.20-check-algorithm-provider.patch %{?systemd_ordering} # https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers %{?sysusers_requires_compat} Requires: coreutils Requires(post): shadow-utils Requires(post): glibc-common Requires(post): grep Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} Recommends: %{name}-utils %{name}-dnssec-utils %upname_compat %{upname} Obsoletes: %{name}-pkcs11 < 32:9.18.4-2 BuildRequires: gcc, make BuildRequires: openssl-devel, libtool, autoconf, pkgconfig, libcap-devel BuildRequires: libidn2-devel, libxml2-devel BuildRequires: systemd-rpm-macros BuildRequires: selinux-policy BuildRequires: findutils sed BuildRequires: libnghttp2-devel BuildRequires: userspace-rcu-devel %if 0%{?fedora} BuildRequires: gnupg2 %endif BuildRequires: libuv-devel %if %{with JEMALLOC} BuildRequires: jemalloc-devel %endif %if %{without JEMALLOC} && ! 0%{?rhel} # Used from LD_PRELOAD BuildRequires: jemalloc %endif %if 0%{?fedora} >= 41 && %{with OPENSSL_ENGINE} BuildRequires: openssl-devel-engine %endif %if %{with UNITTEST} # make unit dependencies BuildRequires: libcmocka-devel # Ensure we have lscpu BuildRequires: util-linux %endif %if %{with UNITTEST} || %{with SYSTEMTEST} BuildRequires: softhsm %endif %if %{with SYSTEMTEST} # bin/tests/system dependencies BuildRequires: perl(Net::DNS) perl(Net::DNS::Nameserver) perl(Time::HiRes) perl(Getopt::Long) BuildRequires: perl(English) BuildRequires: python3-dns BuildRequires: python3-pytest # manual configuration requires this tool BuildRequires: iproute %if %{with SUDO} BuildRequires: libcap sudo %endif %endif %if %{with GSSTSIG} BuildRequires: krb5-devel %endif %if %{with LMDB} BuildRequires: lmdb-devel %endif %if %{with JSON} BuildRequires: json-c-devel %endif %if %{with GEOIP2} BuildRequires: libmaxminddb-devel %endif %if %{with DNSTAP} BuildRequires: fstrm-devel protobuf-c-devel %endif # Needed to regenerate dig.1 manpage %if %{with DOC} BuildRequires: python3-sphinx python3-sphinx_rtd_theme BuildRequires: doxygen %endif %if %{with TSAN} BuildRequires: libtsan %endif %if %{with DTRACE} # https://gitlab.isc.org/isc-projects/bind9/-/issues/4041 BuildRequires: systemtap-sdt-devel %endif %description BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly. %package libs Summary: Libraries used by the BIND DNS packages Provides: %{name}-license = %{epoch}:%{version}-%{release} Provides: %{name}-libs-lite = %{epoch}:%{version}-%{release} Obsoletes: %{name}-libs-lite < 32:9.16.13 Obsoletes: %{name}-pkcs11-libs < 32:9.18.4-2 Obsoletes: %{name}-license < 32:9.18.27-2 %description libs Contains heavyweight version of BIND suite libraries used by both named DNS server and utilities in %{name}-utils package. %package utils Summary: Utilities for querying DNS name servers Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} # For compatibility with Debian package Provides: dnsutils = %{epoch}:%{version}-%{release} Obsoletes: %{name}-pkcs11-utils < 32:9.18.4-2 %upname_compat %{upname}-utils %description utils Bind-utils contains a collection of utilities for querying DNS (Domain Name System) name servers to find out information about Internet hosts. These tools will provide you with the IP addresses for given host names, as well as other information about registered domains and network addresses. You should install %{name}-utils if you need to get information from DNS name servers. %package dnssec-utils Summary: DNSSEC keys and zones management utilities Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} Recommends: %{name}-utils Obsoletes: python3-%{name} < 32:9.18.0 Obsoletes: %{name}-dnssec-doc < 32:9.18.4-2 %upname_compat %{upname}-dnssec-utils %description dnssec-utils %{name}-dnssec-utils contains a collection of utilities for editing DNSSEC keys and BIND zone files. These tools provide generation, revocation and verification of keys and DNSSEC signatures in zone files. You should install %{name}-dnssec-utils if you need to sign a DNS zone or maintain keys for it. %package devel Summary: Header files and libraries needed for bind-dyndb-ldap Provides: %{name}-lite-devel = %{epoch}:%{version}-%{release} Obsoletes: %{name}-lite-devel < 32:9.16.6-3 Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} Requires: openssl-devel%{?_isa} libxml2-devel%{?_isa} Requires: libcap-devel%{?_isa} Requires: userspace-rcu-devel%{?_isa} %upname_compat %{upname}-devel %if %{with GSSTSIG} Requires: krb5-devel%{?_isa} %endif %if %{with LMDB} Requires: lmdb-devel%{?_isa} %endif %if %{with JSON} Requires: json-c-devel%{?_isa} %endif %if %{with DNSTAP} Requires: fstrm-devel%{?_isa} protobuf-c-devel%{?_isa} %endif %if %{with GEOIP2} Requires: libmaxminddb-devel%{?_isa} %endif %description devel The %{name}-devel package contains full version of the header files and libraries required for building bind-dyndb-ldap. Upstream no longer supports nor recommends bind libraries for third party applications. %package chroot Summary: A chroot runtime environment for the ISC BIND DNS server, named(8) Prefix: %{chroot_prefix} # grep is required due to setup-named-chroot.sh script Requires: grep Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} %upname_compat %{upname}-chroot %if "%{name}" != "%{upname}" Conflicts: %{upname}-sdb-chroot %endif %description chroot This package contains a tree of files which can be used as a chroot(2) jail for the named(8) program from the BIND package. Based on the code from Jan "Yenya" Kasprzak %if %{without JEMALLOC} && ! 0%{?rhel} %package jemalloc Summary: Jemalloc extension to bind9 Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} Requires: jemalloc %description jemalloc This package contains addition to %{name} package, enabling jemalloc in named service. %endif %if %{with DOC} %package doc Summary: BIND 9 Administrator Reference Manual Requires: python3-sphinx_rtd_theme BuildArch: noarch %description doc BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly. This package contains BIND 9 Administrator Reference Manual in HTML and PDF format. %end %endif %prep %if 0%{?fedora} # RHEL does not yet support this verification %{gpgverify} --keyring='%{SOURCE4}' --signature='%{SOURCE2}' --data='%{SOURCE0}' %endif %autosetup -n %{upname}-%{version} -p1 # Sparc and s390 arches need to use -fPIE %ifarch sparcv9 sparc64 s390 s390x for i in bin/named/Makefile.am; do sed -i 's|fpie|fPIE|g' $i done %endif %ifarch %{ix86} # f40 FTBFS on quota_test, bug #2261010 sed -e '/^\s*quota_test/ d' -i tests/isc/Makefile.am %endif :; %build ## We use out of tree configure/build for export libs %define _configure "../configure" # normal and pkcs11 unit tests %define unit_prepare_build() \ find lib -name 'K*.key' -exec cp -uv '{}' "%{1}/{}" ';' \ find lib -name 'testdata' -type d -exec cp -Tav '{}' "%{1}/{}" ';' \ find lib -name 'testkeys' -type d -exec cp -Tav '{}' "%{1}/{}" ';' \ %define systemtest_prepare_build() \ cp -Tuav bin/tests "%{1}/bin/tests/" \ %if %{with OPENSSL_ENGINE} CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=10100" %else CPPFLAGS="$CPPFLAGS -DOPENSSL_NO_ENGINE=1" %endif %if %{with TSAN} CFLAGS+=" -O1 -fsanitize=thread -fPIE -pie" %endif %if %{with QUERYTRACE} CFLAGS+=" -DWANT_QUERYTRACE" %endif export CFLAGS CPPFLAGS export STD_CDEFINES="$CPPFLAGS" sed -i -e \ 's/([bind_VERSION_EXTRA],\s*\([^)]*\))/([bind_VERSION_EXTRA], \1-RH)/' \ configure.ac %if 0%{?rhel} && 0%{?rhel} < 9 # disable Sphinx warnings as errors, epel8 does not pass cleanly sed -e 's/-W\s//' -i Makefile.docs %endif autoreconf --force --install mkdir build pushd build LIBDIR_SUFFIX= export LIBDIR_SUFFIX %configure \ --with-pic \ --disable-static \ --includedir=%{_includedir}/bind9 \ --with-libidn2 \ %if %{with GEOIP2} --with-maxminddb \ %endif %if %{with GSSTSIG} --with-gssapi=yes \ %endif %if %{with LMDB} --with-lmdb=yes \ %else --with-lmdb=no \ %endif %if %{with JSON} --with-json-c \ %endif %if %{with DNSTAP} --enable-dnstap \ %endif %if %{with UNITTEST} --with-cmocka \ %endif %if %{with JEMALLOC} --with-jemalloc \ %else --without-jemalloc \ %endif --enable-full-report \ ; %if %{with DNSTAP} pushd lib SRCLIB="../../../lib" (cd dns && ln -s ${SRCLIB}/dns/dnstap.proto) popd %endif %make_build SPHINX_W='' %if %{with DOC} %make_build doc SPHINX_W='' %endif %if %{without JEMALLOC} && ! 0%{?rhel} LIB_JEMALLOC=$(ls -1 %{_libdir}/libjemalloc.so.*) cat > "jemalloc.conf" << EOF [Service] Environment=LD_PRELOAD=${LIB_JEMALLOC} EOF %endif popd # build %unit_prepare_build build %systemtest_prepare_build build %check %if %{with UNITTEST} || %{with SYSTEMTEST} # Tests require initialization of pkcs11 token eval "$(bash %{SOURCE48} -A "`pwd`/softhsm-tokens")" %endif %if %{with TSAN} export TSAN_OPTIONS="log_exe_name=true log_path=ThreadSanitizer exitcode=0" %endif %if %{with UNITTEST} pushd build CPUS=$(lscpu -p=cpu,core | grep -v '^#' | wc -l) THREADS="$CPUS" %if %{without UNITTEST_ALL} export CI=true %endif if [ "$CPUS" -gt 16 ]; then ORIGFILES=$(ulimit -n) THREADS=16 ulimit -n 8092 || : # Requires on some machines with many cores fi e=0 %make_build unit -j${THREADS} || e=$? # Display details of failure cat tests/*/test-suite.log if [ "$e" -ne 0 ]; then echo "ERROR: this build of BIND failed 'make unit'. Aborting." exit $e; fi; [ "$CPUS" -gt 16 ] && ulimit -n $ORIGFILES || : popd ## End of UNITTEST %endif %if %{with SYSTEMTEST} # Runs system test if ip addresses are already configured # or it is able to configure them SUDO= pushd build/bin/tests/system/ if perl ./testsock.pl then CONFIGURED=already else %if %{with SUDO} if [ -x /usr/sbin/capsh ] && ! /usr/sbin/capsh --has-p=cap_net_admin; then echo "Not running as privileged user, using sudo" SUDO=sudo fi %endif CONFIGURED= $SUDO sh ./ifconfig.sh up perl ./testsock.pl && CONFIGURED=build fi popd if [ -n "$CONFIGURED" ] then set -e pushd build/bin/tests export CI_SYSTEM=yes # allow running tests as root chown -R ${USER} . # Can be unknown user %make_build test 2>&1 | tee test.log e=$? [ "$CONFIGURED" = build ] && $SUDO sh ./ifconfig.sh down popd if [ "$e" -ne 0 ]; then echo "ERROR: this build of BIND failed 'make test'. Aborting." exit $e; fi; else echo 'SKIPPED: tests require root, CAP_NET_ADMIN or already configured test addresses.' fi %endif : %install # Build directory hierarchy mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/logrotate.d mkdir -p ${RPM_BUILD_ROOT}%{_libdir}/{bind,named} mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/named/{slaves,data,dynamic} mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/{man1,man5,man8} mkdir -p ${RPM_BUILD_ROOT}/run/named mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/log #chroot for D in %{chroot_create_directories} do mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}${D} done # create symlink as it is on real filesystem pushd ${RPM_BUILD_ROOT}/%{chroot_prefix}/var ln -s ../run run popd # these are required to prevent them being erased during upgrade of previous touch ${RPM_BUILD_ROOT}/%{chroot_prefix}%{_sysconfdir}/named.conf #end chroot pushd build %make_install mkdir -p ${RPM_BUILD_ROOT}%{_includedir}/bind9 install -pm 644 config.h ${RPM_BUILD_ROOT}%{_includedir}/bind9/config.h popd # Remove unwanted files rm -f ${RPM_BUILD_ROOT}/etc/bind.keys # Systemd unit files mkdir -p ${RPM_BUILD_ROOT}%{_unitdir} install -pm 644 %{SOURCE37} ${RPM_BUILD_ROOT}%{_unitdir} install -pm 644 %{SOURCE38} ${RPM_BUILD_ROOT}%{_unitdir} install -pm 644 %{SOURCE44} ${RPM_BUILD_ROOT}%{_unitdir} install -pm 644 %{SOURCE46} ${RPM_BUILD_ROOT}%{_unitdir} mkdir -p ${RPM_BUILD_ROOT}%{_sysusersdir} install -m 644 %{SOURCE50} ${RPM_BUILD_ROOT}%{_sysusersdir}/named.conf mkdir -p ${RPM_BUILD_ROOT}%{_libexecdir} install -pm 755 %{SOURCE41} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-chroot.sh install -pm 755 %{SOURCE42} ${RPM_BUILD_ROOT}%{_libexecdir}/generate-rndc-key.sh install -pm 755 %{SOURCE48} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-softhsm.sh install -pm 644 %SOURCE3 ${RPM_BUILD_ROOT}/etc/logrotate.d/named mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig install -pm 644 %{SOURCE1} ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/named install -pm 644 %{SOURCE49} ${RPM_BUILD_ROOT}%{_sysconfdir}/named-chroot.files %if "%{_sbindir}" != "%{_bindir}" ln -s ../bin/{named-checkconf,named-checkzone,named-compilezone} %{buildroot}%{_sbindir}/ %endif %if %{without JEMALLOC} && ! 0%{?rhel} pushd build mkdir -p ${RPM_BUILD_ROOT}%{_unitdir}/named.service.d install -m 0644 jemalloc.conf ${RPM_BUILD_ROOT}%{_unitdir}/named.service.d popd %endif # Remove libtool .la files: find ${RPM_BUILD_ROOT}/%{_libdir} -name '*.la' -exec '/bin/rm' '-f' '{}' ';'; # 9.16.4 installs even manual pages for tools not generated %if %{without DNSTAP} rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/dnstap-read.1* || true %endif %if %{without LMDB} rm -f ${RPM_BUILD_ROOT}%{_mandir}/man8/named-nzd2nzf.8* || true %endif pushd ${RPM_BUILD_ROOT}%{_mandir}/man8 ln -s ddns-confgen.8.gz tsig-keygen.8.gz popd pushd ${RPM_BUILD_ROOT}%{_mandir}/man1 ln -s named-checkzone.1.gz named-compilezone.1.gz popd %if %{with DOC} mkdir -p ${RPM_BUILD_ROOT}%{_pkgdocdir} cp -a build/doc/arm/_build/html ${RPM_BUILD_ROOT}%{_pkgdocdir} rm -rf ${RPM_BUILD_ROOT}%{_pkgdocdir}/html/.{buildinfo,doctrees} # Backward compatible link to 9.11 documentation (cd ${RPM_BUILD_ROOT}%{_pkgdocdir} && ln -s html/index.html Bv9ARM.html) # Share static data from original sphinx package for DIR in %{python3_sitelib}/sphinx_rtd_theme/static/* do BASE=$(basename -- "$DIR") BINDTHEMEDIR="${RPM_BUILD_ROOT}%{_pkgdocdir}/html/_static/$BASE" if [ -d "$BINDTHEMEDIR" ]; then rm -rf "$BINDTHEMEDIR" ln -sr "${RPM_BUILD_ROOT}${DIR}" "$BINDTHEMEDIR" fi done cp -p build/doc/arm/_build/epub/Bv9ARM.epub ${RPM_BUILD_ROOT}%{_pkgdocdir} %endif # Ghost config files: touch ${RPM_BUILD_ROOT}%{_localstatedir}/log/named.log # configuration files: install -m 640 %{SOURCE16} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.conf touch ${RPM_BUILD_ROOT}%{_sysconfdir}/rndc.{key,conf} install -m 644 %{SOURCE27} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.root.key install -m 644 %{SOURCE36} ${RPM_BUILD_ROOT}%{_sysconfdir}/trusted-key.key mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/named # data files: mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/named install -m 640 %{SOURCE17} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.ca install -m 640 %{SOURCE18} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.localhost install -m 640 %{SOURCE19} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.loopback install -m 640 %{SOURCE20} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.empty install -m 640 %{SOURCE23} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.rfc1912.zones # sample bind configuration files for %%doc: mkdir -p sample/etc sample/var/named/{data,slaves} install -m 644 %{SOURCE25} sample/etc/named.conf # Copy default configuration to %%doc to make it usable from system-config-bind install -m 644 %{SOURCE16} named.conf.default install -m 644 %{SOURCE23} sample/etc/named.rfc1912.zones install -m 644 %{SOURCE18} %{SOURCE19} %{SOURCE20} sample/var/named install -m 644 %{SOURCE17} sample/var/named/named.ca for f in my.internal.zone.db slaves/my.slave.internal.zone.db slaves/my.ddns.internal.zone.db my.external.zone.db; do echo '@ in soa localhost. root 1 3H 15M 1W 1D ns localhost.' > sample/var/named/$f; done :; mkdir -p ${RPM_BUILD_ROOT}%{_tmpfilesdir} install -m 644 %{SOURCE35} ${RPM_BUILD_ROOT}%{_tmpfilesdir}/named.conf mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d install -m 644 %{SOURCE43} ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d/named %post %?ldconfig if [ "$1" -eq 1 ]; then # Initial installation [ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.* /etc/named.* >/dev/null 2>&1 ; # rndc.key has to have correct perms and ownership, CVE-2007-6283 [ -e /etc/rndc.key ] && chown root:named /etc/rndc.key [ -e /etc/rndc.key ] && chmod 0640 /etc/rndc.key else # Upgrade, use invalid shell if getent passwd named | grep ':/bin/false$' >/dev/null; then /sbin/usermod -s /sbin/nologin named fi # Checkconf will parse out comments if /usr/bin/named-checkconf -p /etc/named.conf 2>/dev/null | grep -q named.iscdlv.key then echo "Replacing obsolete named.iscdlv.key with named.root.key..." if cp -Rf --preserve=all --remove-destination /etc/named.conf /etc/named.conf.rpmbackup; then sed -e 's/named\.iscdlv\.key/named.root.key/' \ /etc/named.conf.rpmbackup > /etc/named.conf || \ mv /etc/named.conf.rpmbackup /etc/named.conf fi fi fi %systemd_post named.service :; %preun # Package removal, not upgrade %systemd_preun named.service %postun %?ldconfig # Package upgrade, not uninstall %systemd_postun_with_restart named.service # Fix permissions on existing device files on upgrade %define chroot_fix_devices() \ if [ $1 -gt 1 ]; then \ for DEV in "%{1}/dev"/{null,random,zero}; do \ if [ -e "$DEV" -a "$(/bin/stat --printf="%G %a" "$DEV")" = "root 644" ]; \ then \ /bin/chmod 0664 "$DEV" \ /bin/chgrp named "$DEV" \ fi \ done \ fi %triggerpostun -- bind < 32:9.18.4-2, selinux-policy, policycoreutils if [ -x %{_sbindir}/selinuxenabled ] && [ -x %{_sbindir}/getsebool ] && [ -x %{_sbindir}/setsebool ] \ && %{_sbindir}/selinuxenabled && [ -x %{_sbindir}/named ]; then # Return master zones after upgrade from selinux_booleans version WRITEBOOL="$(LC_ALL=C %{_sbindir}/getsebool named_write_master_zones)" if [ "${WRITEBOOL#named_write_master_zones --> }" = "off" ]; then echo "Restoring new sebool default of named_write_master_zones..." %{_sbindir}/setsebool -P named_write_master_zones=1 || : fi fi %ldconfig_scriptlets libs %post chroot %systemd_post named-chroot.service %chroot_fix_devices %{chroot_prefix} :; %posttrans chroot if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then [ -x /sbin/restorecon ] && /sbin/restorecon %{chroot_prefix}/dev/* > /dev/null 2>&1; fi; %preun chroot # wait for stop of both named-chroot and named-chroot-setup services # on uninstall %systemd_preun named-chroot.service named-chroot-setup.service :; %postun chroot # Package upgrade, not uninstall %systemd_postun_with_restart named-chroot.service %files # TODO: Move from lib/bind to lib/named, as used by upstream # FIXME: current build targets filters into %%_libdir/bind again? %dir %{_libdir}/bind %{_libdir}/bind/filter*.so %dir %{_libdir}/named %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/sysconfig/named %config(noreplace) %attr(0644,root,named) %{_sysconfdir}/named.root.key %config(noreplace) %{_sysconfdir}/logrotate.d/named %{_tmpfilesdir}/named.conf %{_sysconfdir}/rwtab.d/named %{_unitdir}/named.service %{_unitdir}/named-setup-rndc.service %{_sysusersdir}/named.conf %{_bindir}/named-journalprint %{_bindir}/named-checkconf %{_bindir}/named-rrchecker %{_bindir}/mdig %{_sbindir}/named %{_sbindir}/rndc* %if "%{_sbindir}" != "%{_bindir}" %{_sbindir}/named-checkconf %endif %{_libexecdir}/generate-rndc-key.sh %{_libexecdir}/setup-named-softhsm.sh %{_mandir}/man1/mdig.1* %{_mandir}/man1/named-rrchecker.1* %{_mandir}/man5/named.conf.5* %{_mandir}/man5/rndc.conf.5* %{_mandir}/man8/rndc.8* %{_mandir}/man8/named.8* %{_mandir}/man1/named-checkconf.1* %{_mandir}/man8/rndc-confgen.8* %{_mandir}/man1/named-journalprint.1* %{_mandir}/man8/filter-*.8.gz %doc README.md named.conf.default %doc sample/ # Hide configuration %defattr(0640,root,named,0750) %dir %{_sysconfdir}/named %config(noreplace) %verify(not link) %{_sysconfdir}/named.conf %config(noreplace) %verify(not link) %{_sysconfdir}/named.rfc1912.zones %defattr(0660,root,named,01770) %dir %{_localstatedir}/named %defattr(0660,named,named,0770) %dir %{_localstatedir}/named/slaves %dir %{_localstatedir}/named/data %dir %{_localstatedir}/named/dynamic %ghost %{_localstatedir}/log/named.log %defattr(0640,root,named,0750) %config %verify(not link) %{_localstatedir}/named/named.ca %config %verify(not link) %{_localstatedir}/named/named.localhost %config %verify(not link) %{_localstatedir}/named/named.loopback %config %verify(not link) %{_localstatedir}/named/named.empty %ghost %config(noreplace) %{_sysconfdir}/rndc.key # ^- rndc.key now created on first install only if it does not exist %ghost %config(noreplace) %{_sysconfdir}/rndc.conf # ^- The default rndc.conf which uses rndc.key is in named's default internal config - # so rndc.conf is not necessary. %defattr(-,named,named,-) %dir /run/named %files libs %license COPYRIGHT %{_libdir}/libisccc-%{version}*.so %{_libdir}/libns-%{version}*.so %{_libdir}/libdns-%{version}*.so %{_libdir}/libisc-%{version}*.so %{_libdir}/libisccfg-%{version}*.so %files utils %{_bindir}/dig %{_bindir}/delv %{_bindir}/host %{_bindir}/nslookup %{_bindir}/nsupdate %{_bindir}/arpaname %{_sbindir}/ddns-confgen %{_sbindir}/tsig-keygen %{_bindir}/nsec3hash %{_bindir}/named-checkzone %{_bindir}/named-compilezone %if "%{_sbindir}" != "%{_bindir}" %{_sbindir}/named-checkzone %{_sbindir}/named-compilezone %endif %if %{with DNSTAP} %{_bindir}/dnstap-read %{_mandir}/man1/dnstap-read.1* %endif %if %{with LMDB} %{_bindir}/named-nzd2nzf %{_mandir}/man1/named-nzd2nzf.1* %endif %{_mandir}/man1/host.1* %{_mandir}/man1/nsupdate.1* %{_mandir}/man1/dig.1* %{_mandir}/man1/delv.1* %{_mandir}/man1/nslookup.1* %{_mandir}/man1/arpaname.1* %{_mandir}/man8/ddns-confgen.8* %{_mandir}/man8/tsig-keygen.8* %{_mandir}/man1/nsec3hash.1* %{_mandir}/man1/named-checkzone.1* %{_mandir}/man1/named-compilezone.1* %{_sysconfdir}/trusted-key.key %files dnssec-utils %{_bindir}/dnssec* %{_mandir}/man1/dnssec*.1* %files devel %{_libdir}/libisccc.so %{_libdir}/libns.so %{_libdir}/libdns.so %{_libdir}/libisc.so %{_libdir}/libisccfg.so %dir %{_includedir}/bind9 %{_includedir}/bind9/isccc %{_includedir}/bind9/ns %{_includedir}/bind9/dns %{_includedir}/bind9/dst %{_includedir}/bind9/irs %{_includedir}/bind9/isc %{_includedir}/bind9/isccfg %{_includedir}/bind9/config.h %files chroot %config(noreplace) %{_sysconfdir}/named-chroot.files %{_unitdir}/named-chroot.service %{_unitdir}/named-chroot-setup.service %{_libexecdir}/setup-named-chroot.sh %defattr(0664,root,named,-) %ghost %dev(c,1,3) %verify(not mtime) %{chroot_prefix}/dev/null %ghost %dev(c,1,8) %verify(not mtime) %{chroot_prefix}/dev/random %ghost %dev(c,1,9) %verify(not mtime) %{chroot_prefix}/dev/urandom %ghost %dev(c,1,5) %verify(not mtime) %{chroot_prefix}/dev/zero %defattr(0640,root,named,0750) %dir %{chroot_prefix} %dir %{chroot_prefix}/dev %dir %{chroot_prefix}%{_sysconfdir} %dir %{chroot_prefix}%{_sysconfdir}/named %dir %{chroot_prefix}%{_sysconfdir}/pki %dir %{chroot_prefix}%{_sysconfdir}/pki/dnssec-keys %dir %{chroot_prefix}%{_sysconfdir}/pki/tls %dir %{chroot_prefix}%{_sysconfdir}/crypto-policies %dir %{chroot_prefix}%{_sysconfdir}/crypto-policies/back-ends %dir %{chroot_prefix}%{_localstatedir} %dir %{chroot_prefix}/run %ghost %config(noreplace) %{chroot_prefix}%{_sysconfdir}/named.conf %defattr(-,root,root,-) %dir %{chroot_prefix}/usr %dir %{chroot_prefix}/%{_libdir} %dir %{chroot_prefix}/%{_libdir}/bind %dir %{chroot_prefix}/%{_datadir} %dir %{chroot_prefix}/%{_datadir}/GeoIP %{chroot_prefix}/proc %defattr(0660,root,named,01770) %dir %{chroot_prefix}%{_localstatedir}/named %defattr(0660,named,named,0770) %dir %{chroot_prefix}%{_localstatedir}/tmp %dir %{chroot_prefix}%{_localstatedir}/log %defattr(-,named,named,-) %dir %{chroot_prefix}/run/named %{chroot_prefix}%{_localstatedir}/run %if %{without JEMALLOC} && ! 0%{?rhel} %files jemalloc %{_unitdir}/named.service.d %endif %if %{with DOC} %files doc %dir %{_pkgdocdir} %doc %{_pkgdocdir}/html %doc %{_pkgdocdir}/Bv9ARM.html %license COPYRIGHT %doc %{_pkgdocdir}/Bv9ARM.epub %endif %changelog %autochangelog