authorTomas Hozza <thozza@redhat.com>2015-05-22 19:07:40 +0200
committerTomas Hozza <thozza@redhat.com>2015-05-22 19:09:39 +0200
commit71f9fb47319fb28d1af55dd9d0233b186b01122e (patch)
treedeb235d1dc2b424abae7e5a8c1389d43f3eb5225
parentc501776f3926ebe63fde4d6c5f6b3fc889057919 (diff)
Utilize system-wide crypto-policies (#1179925)
Signed-off-by: Tomas Hozza <thozza@redhat.com>
-rw-r--r--.gitignore1
-rw-r--r--bind.spec7
-rw-r--r--named.conf.sample4
-rwxr-xr-xsetup-named-chroot.sh3
-rw-r--r--sources2
5 files changed, 14 insertions, 3 deletions
diff --git a/.gitignore b/.gitignore
index 496dd2c..66cb17b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -53,3 +53,4 @@ bind-9.7.2b1.tar.gz
/bind-9.10.2rc2.tar.gz
/bind-9.10.2.tar.gz
/config-13.tar.bz2
+/config-14.tar.bz2
diff --git a/bind.spec b/bind.spec
index 8f9543b..35e8eb7 100644
--- a/bind.spec
+++ b/bind.spec
@@ -38,7 +38,7 @@ Source7: bind-9.3.1rc1-sdb_tools-Makefile.in
Source8: dnszone.schema
Source12: README.sdb_pgsql
Source25: named.conf.sample
-Source28: config-13.tar.bz2
+Source28: config-14.tar.bz2
Source30: ldap2zone.c
Source31: ldap2zone.1
Source32: named-sdb.8
@@ -455,6 +455,7 @@ mkdir -p ${RPM_BUILD_ROOT}/var/log
#chroot
mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}/{dev,etc,var,run/named}
mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}/var/{log,named,tmp}
+mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}/etc/crypto-policies/back-ends
# create symlink as it is on real filesystem
pushd ${RPM_BUILD_ROOT}/%{chroot_prefix}/var
@@ -477,6 +478,7 @@ touch ${RPM_BUILD_ROOT}/%{chroot_prefix}/etc/named.conf
%if %{SDB}
mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/{dev,etc,var,run/named}
mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/var/{log,named,tmp}
+mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/etc/crypto-policies/back-ends
# create symlink as it is on real filesystem
pushd ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/var
@@ -930,6 +932,7 @@ rm -rf ${RPM_BUILD_ROOT}
%dir %{chroot_prefix}/etc/named
%dir %{chroot_prefix}/etc/pki
%dir %{chroot_prefix}/etc/pki/dnssec-keys
+%dir %{chroot_prefix}/etc/crypto-policies/back-ends
%dir %{chroot_prefix}/var
%dir %{chroot_prefix}/run
%dir %{chroot_prefix}/var/named
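Review bot: Only the leaf directory is listed on the added `%dir` line, so the intermediate `%{chroot_prefix}/etc/crypto-policies` that `mkdir -p` creates in %install is left unowned by the package, whereas the neighbouring lines list both `etc/pki` and `etc/pki/dnssec-keys`. An unowned directory inside the chroot is not covered by rpm's ownership and mode verification and is left behind when the package is removed. Add `%dir %{chroot_prefix}/etc/crypto-policies` before the new line, and the matching `%dir %{chroot_sdb_prefix}/etc/crypto-policies` in the following %{chroot_sdb_prefix} hunk. The %files lists start and end outside these hunks, so confirm that no existing entry already covers the parent directory.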
@@ -960,6 +963,7 @@ rm -rf ${RPM_BUILD_ROOT}
%dir %{chroot_sdb_prefix}/etc/named
%dir %{chroot_sdb_prefix}/etc/pki
%dir %{chroot_sdb_prefix}/etc/pki/dnssec-keys
+%dir %{chroot_sdb_prefix}/etc/crypto-policies/back-ends
%dir %{chroot_sdb_prefix}/var
%dir %{chroot_sdb_prefix}/run
%dir %{chroot_sdb_prefix}/var/named
@@ -1008,6 +1012,7 @@ rm -rf ${RPM_BUILD_ROOT}
%changelog
* Fri May 22 2015 Tomas Hozza <thozza@redhat.com> - 32:9.10.2-3
- Don't use ISC's DLV by default (#1223365)
+- Utilize system-wide crypto-policies (#1179925)
* Thu May 21 2015 Tomas Hozza <thozza@redhat.com> - 32:9.10.2-2
- enable tuning for large systems - increases hardcoded internal limits
diff --git a/named.conf.sample b/named.conf.sample
index c0563cf..9bf563f 100644
--- a/named.conf.sample
+++ b/named.conf.sample
@@ -74,6 +74,10 @@ options
session-keyfile "/run/named/session.key";
managed-keys-directory "/var/named/dynamic";
+
+ /* In Fedora we use system-wide Crypto Policy */
+ /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
+ include "/etc/crypto-policies/back-ends/bind.config";
};
logging
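Review bot: The added `include` is unconditional, and named treats an include file it cannot open as a configuration error, so a configuration derived from this sample will fail to load on a host where `/etc/crypto-policies/back-ends/bind.config` is absent. The bind.spec hunks in this commit create the chroot directories but add no `Requires: crypto-policies`; unless that dependency is already declared elsewhere in the spec, it should be added alongside this change. Because the include sits inside the `options` block, the included file may contain only option statements, which is worth saying in the comment, e.g. `/* included inside options {}: the file must contain option statements only */`. The `options` block opens outside this hunk.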
diff --git a/setup-named-chroot.sh b/setup-named-chroot.sh
index 8de494b..4a2c5a2 100755
--- a/setup-named-chroot.sh
+++ b/setup-named-chroot.sh
@@ -2,7 +2,8 @@
ROOTDIR_MOUNT='/etc/named /etc/pki/dnssec-keys /etc/named.root.key /etc/named.conf
/etc/named.dnssec.keys /etc/named.rfc1912.zones /etc/rndc.conf /etc/rndc.key
-/usr/lib64/bind /usr/lib/bind /etc/named.iscdlv.key /run/named /var/named'
+/usr/lib64/bind /usr/lib/bind /etc/named.iscdlv.key /run/named /var/named
+/etc/crypto-policies/back-ends/bind.config'
usage()
{
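Review bot: The new `ROOTDIR_MOUNT` entry is a single file rather than a directory, so a bind mount of it stays attached to whatever file was at that path when the chroot was set up. If the crypto-policies tooling replaces `bind.config` instead of rewriting it in place (not visible from here), a chrooted named would keep reading the old policy until the chroot is remounted. Either list the directory `/etc/crypto-policies/back-ends` instead, which the spec already creates inside the chroot, or document the limitation above the assignment with a comment such as `# bind.config is mounted as a single file: remount the chroot after a crypto policy change`. The mount logic that consumes `ROOTDIR_MOUNT` is outside this hunk, so check how it handles a file entry whose target does not yet exist in the chroot.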
diff --git a/sources b/sources
index fa1986e..d2893ab 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
dca7a9967947bffa98547fca6130fc04 bind-9.10.2.tar.gz
-f187d60dd6e0ac1854bf18a70df0b4a0 config-13.tar.bz2
+dd419c3869c9bb1d73e044177ec1623c config-14.tar.bz2