authorAdam Tkac <atkac@fedoraproject.org>2010-02-15 16:07:02 +0000
committerAdam Tkac <atkac@fedoraproject.org>2010-02-15 16:07:02 +0000
commit34adbeb30672ab3b7256ab96246717c6e1b748ad (patch)
treeaf18bd570a73fe55972d7182f9b2e7cd2f8fb27c
parent7f138a6ba9c753cbac87544339b83d89114a0c89 (diff)
downloadbind-34adbeb30672ab3b7256ab96246717c6e1b748ad.tar.gz
bind-34adbeb30672ab3b7256ab96246717c6e1b748ad.tar.xz
bind-34adbeb30672ab3b7256ab96246717c6e1b748ad.zip
- automatically update configuration from old dnssec-conf based - improve default configuration; enable DLV by default - remove obsolete triggerpostun from bind-libs subpackage
-rw-r--r--.cvsignore2
-rw-r--r--bind.spec45
-rw-r--r--bind97-managed-keyfile.patch20
-rw-r--r--named.conf.sample3
-rwxr-xr-xnamed.init7
-rw-r--r--named.sysconfig1
-rw-r--r--sources2
7 files changed, 53 insertions, 27 deletions
diff --git a/.cvsignore b/.cvsignore
index 0ad34d1..8ca3bf5 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1,2 +1,2 @@
-config-5.tar.bz2
bind-9.7.0rc2.tar.gz
+config-6.tar.bz2
diff --git a/bind.spec b/bind.spec
index 5a1844e..6bab9e2 100644
--- a/bind.spec
+++ b/bind.spec
@@ -20,7 +20,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
Name: bind
License: ISC
Version: 9.7.0
-Release: 0.13.%{PREVER}%{?dist}
+Release: 0.14.%{PREVER}%{?dist}
Epoch: 32
Url: http://www.isc.org/products/BIND/
Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -37,7 +37,7 @@ Source8: dnszone.schema
Source12: README.sdb_pgsql
Source21: Copyright.caching-nameserver
Source25: named.conf.sample
-Source28: config-5.tar.bz2
+Source28: config-6.tar.bz2
Source30: ldap2zone.c
# Common patches
@@ -52,6 +52,7 @@ Patch101:bind-96-old-api.patch
Patch102:bind-95-rh452060.patch
Patch106:bind93-rh490837.patch
Patch107:bind97-dist-pkcs11.patch
+Patch108:bind97-managed-keyfile.patch
# SDB patches
Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -73,9 +74,12 @@ Requires: mktemp
Requires(post): grep, chkconfig
Requires(pre): shadow-utils
Requires(preun):chkconfig
-Requires: dnssec-conf
-Obsoletes: bind-config < 30:9.3.2-34.fc6, caching-nameserver < 31:9.4.1-7.fc8
-Provides: bind-config = 30:9.3.2-34.fc6, caching-nameserver = 31:9.4.1-7.fc8
+Obsoletes: bind-config < 30:9.3.2-34.fc6
+Provides: bind-config = 30:9.3.2-34.fc6
+Obsoletes: caching-nameserver < 31:9.4.1-7.fc8
+Provides: caching-nameserver = 31:9.4.1-7.fc8
+Obsoletes: dnssec-conf < 1.22-6
+Provides: dnssec-conf = 1.22-5
BuildRequires: openssl-devel, libtool, autoconf, pkgconfig, libcap-devel
BuildRequires: libidn-devel, libxml2-devel
%if %{SDB}
@@ -180,6 +184,7 @@ Based on the code from Jan "Yenya" Kasprzak <kas@fi.muni.cz>
%patch10 -p1 -b .PIE
%patch16 -p1 -b .redhat_doc
%patch104 -p1 -b .dyndb
+%patch108 -p1 -b .managed-keyfile
%if %{SDB}
%patch101 -p1 -b .old-api
mkdir bin/named-sdb
@@ -362,6 +367,7 @@ tar -C ${RPM_BUILD_ROOT} -xjf %{SOURCE28}
touch ${RPM_BUILD_ROOT}/etc/rndc.key
touch ${RPM_BUILD_ROOT}/etc/rndc.conf
mkdir ${RPM_BUILD_ROOT}/etc/named
+install -m 644 bind.keys ${RPM_BUILD_ROOT}/etc/named.iscdlv.key
install -m 644 %{SOURCE5} ./rfc1912.txt
install -m 644 %{SOURCE21} ./Copyright
@@ -397,14 +403,6 @@ if [ "$1" -eq 1 ]; then
# rndc.key has to have correct perms and ownership, CVE-2007-6283
[ -e /etc/rndc.key ] && chown root:named /etc/rndc.key
[ -e /etc/rndc.key ] && chmod 0640 /etc/rndc.key
-
- # Check DNSSEC settings if this is a fresh install
- if [ -r /etc/sysconfig/dnssec ]; then
- . /etc/sysconfig/dnssec
- [ -x /usr/sbin/dnssec-configure ] && \
- dnssec-configure -b --norestart --dnssec="$DNSSEC" --dlv="$DLV" > \
- /dev/null 2>&1
- fi;
fi
:;
@@ -442,12 +440,14 @@ fi
%postun libs
/sbin/ldconfig
-# bind-libs between 32:9.6.1-0.1.b1 and 32:9.6.1-0.4.rc1 have bigger SOnames
-# than current bind - https://bugzilla.redhat.com/show_bug.cgi?id=509635.
-# Remove this trigger when SOnames get bigger and also correct the %%postun
-# section above (use %%postun libs -p /sbin/ldconfig)
-%triggerpostun -n bind-libs -p /bin/bash -- bind-libs > 32:9.6.1-0.1.b1
-/sbin/ldconfig
+# Automatically update configuration from "dnssec-conf-based" to "BIND-based"
+%triggerpostun -n bind -- dnssec-conf
+[ -r '/etc/named.conf' ] || exit 0
+cp -fp /etc/named.conf /etc/named.conf.rpmsave
+if grep -Eq '/etc/(named.dnssec.keys|pki/dnssec-keys)' /etc/named.conf; then
+ sed -i -e '/.*named\.dnssec\.keys.*/d' -e '/.*pki\/dnssec-keys.*/d' \
+ /etc/named.conf
+fi
%post chroot
if [ "$1" -gt 0 ]; then
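Review bot: The sed in the new `%triggerpostun -n bind -- dnssec-conf` scriptlet deletes every /etc/named.conf line that mentions `named.dnssec.keys` or `pki/dnssec-keys` and puts nothing in their place, so a resolver whose trust anchors came only from those includes may restart with validation enabled but no anchors, and no error to show for it. The backup `cp -fp /etc/named.conf /etc/named.conf.rpmsave` runs unconditionally and before the grep test, so it overwrites an earlier .rpmsave and a failed copy does not stop the in-place edit; moving it inside the `if` as `cp -fp /etc/named.conf /etc/named.conf.rpmsave || exit 0` would cover both. Because whole lines are removed, running `named-checkconf /etc/named.conf` after the sed and printing a notice when it fails or when lines were dropped would let the administrator see the change at upgrade time. The `%post chroot` scriptlet that closes the hunk continues outside it.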
@@ -483,6 +483,7 @@ rm -rf ${RPM_BUILD_ROOT}
%defattr(-,root,root,-)
%{_libdir}/bind
%config(noreplace) %{_sysconfdir}/sysconfig/named
+%config(noreplace) %attr(-,root,named) %{_sysconfdir}/named.iscdlv.key
%{_sysconfdir}/rc.d/init.d/named
%{_sysconfdir}/NetworkManager/dispatcher.d/13-named
%{_sbindir}/arpaname
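Review bot: Listing `%{_sysconfdir}/named.iscdlv.key` as `%config(noreplace)` means that once the file has been edited locally, later packages leave it alone and write the new keys to `named.iscdlv.key.rpmnew`, so a DLV key rollover shipped in an update would not reach those hosts. For a trust-anchor file that is worth stating in the spec, for example `# trust anchors: a locally modified copy is kept on upgrade, check for .rpmnew after a key rollover`. `%attr(-,root,named)` keeps the 644 mode set by the `install` line added earlier in this commit, which leaves the file writable by root only. The %files section starts and ends outside this hunk.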
@@ -623,6 +624,12 @@ rm -rf ${RPM_BUILD_ROOT}
%endif
%changelog
+* Mon Feb 15 2010 Adam Tkac <atkac redhat com> 32:9.7.0-0.14.rc2
+- obsolete dnssec-conf
+- automatically update configuration from old dnssec-conf based
+- improve default configuration; enable DLV by default
+- remove obsolete triggerpostun from bind-libs subpackage
+
* Thu Jan 28 2010 Adam Tkac <atkac redhat com> 32:9.7.0-0.13.rc2
- update to 9.7.0rc2
diff --git a/bind97-managed-keyfile.patch b/bind97-managed-keyfile.patch
new file mode 100644
index 0000000..3bd86f2
--- /dev/null
+++ b/bind97-managed-keyfile.patch
@@ -0,0 +1,20 @@
+diff -up bind-9.7.0rc2/bin/named/server.c.managed-keyfile bind-9.7.0rc2/bin/named/server.c
+--- bind-9.7.0rc2/bin/named/server.c.managed-keyfile 2010-02-15 16:17:26.051369348 +0100
++++ bind-9.7.0rc2/bin/named/server.c 2010-02-15 16:24:16.408368990 +0100
+@@ -3020,6 +3020,7 @@ configure_zone(const cfg_obj_t *config,
+ */
+
+ #define KEYZONE "managed-keys.bind"
++#define KEYFILE "dynamic/managed-keys.bind"
+
+ static isc_result_t
+ add_keydata_zone(dns_view_t *view, isc_mem_t *mctx) {
+@@ -3040,7 +3041,7 @@ add_keydata_zone(dns_view_t *view, isc_m
+ CHECK(dns_zone_setorigin(zone, &zname));
+ dns_name_free(&zname, mctx);
+
+- CHECK(dns_zone_setfile(zone, KEYZONE));
++ CHECK(dns_zone_setfile(zone, KEYFILE));
+
+ if (view->hints == NULL)
+ dns_view_sethints(view, ns_g_server->in_roothints);
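Review bot: `KEYFILE` is a relative path, so the managed-keys zone file presumably resolves against named's working directory, and the key state is only persisted if a `dynamic/` subdirectory exists there and is writable by the user named runs as. Nothing in the visible hunks creates or checks that directory, so a host with a custom `directory` option, or a chroot without it, may fail to save the zone. A comment next to the define would record the requirement: `/* relative to the "directory" option; dynamic/ must exist and be writable by named, also inside the chroot */`. add_keydata_zone's body continues outside the quoted patch context, so how a failed write is reported cannot be checked from here.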
diff --git a/named.conf.sample b/named.conf.sample
index d02efc4..659fdc9 100644
--- a/named.conf.sample
+++ b/named.conf.sample
@@ -57,6 +57,9 @@ options
/* Enable DNSSEC validation on recursive servers */
dnssec-validation yes;
+
+ /* Enable DLV by default, use built-in ISC DLV key. */
+ dnssec-lookaside auto;
};
logging
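Review bot: The added comment says the built-in ISC DLV key is used, while the same commit installs `bind.keys` as /etc/named.iscdlv.key, and the sample does not show which of the two is actually in effect. Since `dnssec-lookaside auto` extends trust to an external registry and sends lookaside queries to it, the comment should name the key source and say that this is a trust decision the administrator may want to turn off. Something like `/* Enable DLV: zones without a signed parent are validated through the ISC DLV registry; key source: <file or built-in>. Remove to disable. */` would do, with the placeholder filled in by the maintainer. The `options` block starts outside this hunk.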
diff --git a/named.init b/named.init
index 0394900..ce5c745 100755
--- a/named.init
+++ b/named.init
@@ -22,7 +22,6 @@
. /etc/rc.d/init.d/functions
[ -r /etc/sysconfig/named ] && . /etc/sysconfig/named
-[ -r /etc/sysconfig/dnssec ] && . /etc/sysconfig/dnssec
RETVAL=0
export KRB5_KTNAME=${KEYTAB_FILE:-/etc/named.keytab}
@@ -43,13 +42,9 @@ if [ -n "$ROOTDIR" ]; then
fi;
fi
-[ -x /usr/sbin/dnssec-configure ] && [ -r /etc/named.conf ] && \
- [ /etc/sysconfig/dnssec -nt /etc/named.conf ] && \
- /usr/sbin/dnssec-configure -b --norestart --dnssec="$DNSSEC" --dlv="$DLV"
-
ROOTDIR_MOUNT='/etc/named /etc/pki/dnssec-keys /var/named /etc/named.conf
/etc/named.dnssec.keys /etc/named.rfc1912.zones /etc/rndc.conf /etc/rndc.key
-/usr/lib64/bind /usr/lib/bind'
+/usr/lib64/bind /usr/lib/bind /etc/named.iscdlv.key'
mount_chroot_conf()
{
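Review bot: `ROOTDIR_MOUNT` gains /etc/named.iscdlv.key but still lists /etc/pki/dnssec-keys and /etc/named.dnssec.keys, which belonged to the dnssec-conf package that this commit obsoletes and whose references the new trigger strips from named.conf. If `mount_chroot_conf` (its body is outside the hunk) does not skip missing paths, those entries may produce mount errors or empty mount points in the chroot. Either drop them here or add a comment such as `# dnssec-conf paths kept only for hosts that still have the old key files`. The header comment in named.sysconfig still lists /etc/named.dnssec.keys as well.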
diff --git a/named.sysconfig b/named.sysconfig
index 53b6a1b..671621d 100644
--- a/named.sysconfig
+++ b/named.sysconfig
@@ -22,6 +22,7 @@
# - /etc/rndc.key
# - /etc/named.rfc1912.zones
# - /etc/named.dnssec.keys
+# - /etc/named.iscdlv.key
#
# Don't forget to add "$AddUnixListenSocket /var/named/chroot/dev/log"
# line to your /etc/rsyslog.conf file. Otherwise your logging becomes
diff --git a/sources b/sources
index 18e6f3c..8e8f30f 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-4c35a2aac8d8054ea2154906bf57fb52 config-5.tar.bz2
9b8a31ac279868264e5bcbacd7991149 bind-9.7.0rc2.tar.gz
+90bd7f32fd5717b8294313b6b5ccc742 config-6.tar.bz2