From f5a7ce13174f04b94f807f731915029c1d7739df Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Fri, 16 Jun 2017 05:12:37 +0200 Subject: [PATCH 1/3] ldns: also build examples --- pkgs/development/libraries/ldns/default.nix | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/pkgs/development/libraries/ldns/default.nix b/pkgs/development/libraries/ldns/default.nix index 91eb7aecea90..ff63b6af25ec 100644 --- a/pkgs/development/libraries/ldns/default.nix +++ b/pkgs/development/libraries/ldns/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { patchShebangs doc/doxyparse.pl ''; - outputs = [ "out" "dev" "man" ]; + outputs = [ "out" "dev" "man" "examples" ]; nativeBuildInputs = [ perl ]; buildInputs = [ openssl ]; @@ -24,6 +24,13 @@ stdenv.mkDerivation rec { postInstall = '' moveToOutput "bin/ldns-config" "$dev" + + pushd examples + configureFlagsArray+=( "--bindir=$examples/bin" ) + configurePhase + make + make install + popd ''; meta = with stdenv.lib; { From 3bb9954a6bb977f3e33f766ae5df926495ef7bc4 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Fri, 16 Jun 2017 05:11:56 +0200 Subject: [PATCH 2/3] dns-root-data: init at 2017-06-16 --- pkgs/data/misc/dns-root-data/default.nix | 29 +++++++++++++++++++ pkgs/data/misc/dns-root-data/root.ds | 3 ++ pkgs/data/misc/dns-root-data/root.key | 2 ++ .../misc/dns-root-data/update-root-key.sh | 9 ++++++ pkgs/development/libraries/gnutls/generic.nix | 4 ++- pkgs/development/libraries/ldns/default.nix | 9 ++++-- pkgs/tools/networking/unbound/default.nix | 3 +- pkgs/top-level/all-packages.nix | 2 ++ 8 files changed, 57 insertions(+), 4 deletions(-) create mode 100644 pkgs/data/misc/dns-root-data/default.nix create mode 100644 pkgs/data/misc/dns-root-data/root.ds create mode 100644 pkgs/data/misc/dns-root-data/root.key create mode 100755 pkgs/data/misc/dns-root-data/update-root-key.sh diff --git a/pkgs/data/misc/dns-root-data/default.nix b/pkgs/data/misc/dns-root-data/default.nix new file mode 100644 index 000000000000..ec0d9c83ad51 --- /dev/null +++ b/pkgs/data/misc/dns-root-data/default.nix @@ -0,0 +1,29 @@ +{ stdenv, lib, fetchurl }: + +let + + rootHints = fetchurl { + url = "http://www.internic.net/domain/named.root"; + sha256 = "1zf3ydn44z70gq1kd95lvk9cp68xlbl8vqpswqlhd30qafx6v6d1"; + }; + + rootKey = ./root.key; + rootDs = ./root.ds; + +in + +stdenv.mkDerivation { + name = "dns-root-data-2017-07-11"; + + buildCommand = '' + mkdir $out + cp ${rootHints} $out/root.hints + cp ${rootKey} $out/root.key + cp ${rootDs} $out/root.ds + ''; + + meta = with lib; { + description = "DNS root data including root zone and DNSSEC key"; + maintainers = with maintainers; [ fpletz ]; + }; +} diff --git a/pkgs/data/misc/dns-root-data/root.ds b/pkgs/data/misc/dns-root-data/root.ds new file mode 100644 index 000000000000..61c5b8fcd344 --- /dev/null +++ b/pkgs/data/misc/dns-root-data/root.ds @@ -0,0 +1,3 @@ +; created by unbound-anchor on Tue Jul 11 23:48:16 2017 +. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 +. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D diff --git a/pkgs/data/misc/dns-root-data/root.key b/pkgs/data/misc/dns-root-data/root.key new file mode 100644 index 000000000000..9046cefcb713 --- /dev/null +++ b/pkgs/data/misc/dns-root-data/root.key @@ -0,0 +1,2 @@ +. 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=1 [ ADDPEND ] +. 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [ VALID ] diff --git a/pkgs/data/misc/dns-root-data/update-root-key.sh b/pkgs/data/misc/dns-root-data/update-root-key.sh new file mode 100755 index 000000000000..5db179621a70 --- /dev/null +++ b/pkgs/data/misc/dns-root-data/update-root-key.sh @@ -0,0 +1,9 @@ +#!/usr/bin/env nix-shell +#!nix-shell -i bash -p busybox unbound + +TMP=`mktemp` +unbound-anchor -a $TMP +grep -Ev "^($$|;)" $TMP | sed -e 's/ ;;count=.*//' > root.key +rm $TMP + +unbound-anchor -F -a root.ds diff --git a/pkgs/development/libraries/gnutls/generic.nix b/pkgs/development/libraries/gnutls/generic.nix index 48aa3fb96737..2a73682a7461 100644 --- a/pkgs/development/libraries/gnutls/generic.nix +++ b/pkgs/development/libraries/gnutls/generic.nix @@ -1,6 +1,7 @@ { lib, fetchurl, stdenv, zlib, lzo, libtasn1, nettle, pkgconfig, lzip , guileBindings, guile, perl, gmp, autogen, libidn, p11_kit, libiconv , tpmSupport ? false, trousers, which, nettools, libunistring +, unbound, dns-root-data # Version dependent args , version, src, patches ? [], postPatch ? "", nativeBuildInputs ? [] @@ -32,12 +33,13 @@ stdenv.mkDerivation { ++ [ "--disable-dependency-tracking" "--enable-fast-install" + "--with-unbound-root-key-file=${dns-root-data}/root.key" ] ++ lib.optional guileBindings [ "--enable-guile" "--with-guile-site-dir=\${out}/share/guile/site" ]; enableParallelBuilding = true; - buildInputs = [ lzo lzip libtasn1 libidn p11_kit zlib gmp autogen libunistring ] + buildInputs = [ lzo lzip libtasn1 libidn p11_kit zlib gmp autogen libunistring unbound ] ++ lib.optional (stdenv.isFreeBSD || stdenv.isDarwin) libiconv ++ lib.optional (tpmSupport && stdenv.isLinux) trousers ++ lib.optional guileBindings guile diff --git a/pkgs/development/libraries/ldns/default.nix b/pkgs/development/libraries/ldns/default.nix index ff63b6af25ec..816b850f1003 100644 --- a/pkgs/development/libraries/ldns/default.nix +++ b/pkgs/development/libraries/ldns/default.nix @@ -1,4 +1,4 @@ -{stdenv, fetchurl, openssl, perl}: +{stdenv, fetchurl, openssl, perl, dns-root-data}: stdenv.mkDerivation rec { pname = "ldns"; @@ -20,7 +20,12 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ perl ]; buildInputs = [ openssl ]; - configureFlags = [ "--with-ssl=${openssl.dev}" "--with-drill"]; + configureFlags = [ + "--with-ssl=${openssl.dev}" + "--with-trust-anchor=${dns-root-data}/root.key" + "--with-drill" + "--disable-gost" + ]; postInstall = '' moveToOutput "bin/ldns-config" "$dev" diff --git a/pkgs/tools/networking/unbound/default.nix b/pkgs/tools/networking/unbound/default.nix index 7fc5fb90173d..b70fc2ced830 100644 --- a/pkgs/tools/networking/unbound/default.nix +++ b/pkgs/tools/networking/unbound/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, openssl, nettle, expat, libevent }: +{ stdenv, fetchurl, openssl, nettle, expat, libevent, dns-root-data }: stdenv.mkDerivation rec { name = "unbound-${version}"; @@ -20,6 +20,7 @@ stdenv.mkDerivation rec { "--localstatedir=/var" "--sysconfdir=/etc" "--sbindir=\${out}/bin" + "--with-rootkey-file=${dns-root-data}/root.key" "--enable-pie" "--enable-relro-now" ]; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index c783b3cb916d..3ce85d114b72 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -12807,6 +12807,8 @@ with pkgs; dina-font-pcf = callPackage ../data/fonts/dina-pcf { }; + dns-root-data = callPackage ../data/misc/dns-root-data { }; + docbook5 = callPackage ../data/sgml+xml/schemas/docbook-5.0 { }; docbook_sgml_dtd_31 = callPackage ../data/sgml+xml/schemas/sgml-dtd/docbook/3.1.nix { }; From 338a19520493f941a3f478bf852074e74a67b03d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Sat, 15 Jul 2017 10:38:01 +0200 Subject: [PATCH 3/3] dns-root-data: improve determinism, clear key status Nitpicks: - The timestamps there were useless. - The generator now switched the two keys; I don't know why. I intentionally remove the comments like "state=1 [ ADDPEND ]". The problem is that keys e.g. in ADDPEND state are *not* immediately usable for validation - see RFC5011 for details. I verified that Unbound does disregard this on the format we and Debian use ATM, presumably due to removing parts of the comments, but it would be confusing nevertheless. --- pkgs/data/misc/dns-root-data/root.ds | 1 - pkgs/data/misc/dns-root-data/root.key | 4 ++-- pkgs/data/misc/dns-root-data/update-root-key.sh | 9 +++++---- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/pkgs/data/misc/dns-root-data/root.ds b/pkgs/data/misc/dns-root-data/root.ds index 61c5b8fcd344..7578e0405d9d 100644 --- a/pkgs/data/misc/dns-root-data/root.ds +++ b/pkgs/data/misc/dns-root-data/root.ds @@ -1,3 +1,2 @@ -; created by unbound-anchor on Tue Jul 11 23:48:16 2017 . IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 . IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D diff --git a/pkgs/data/misc/dns-root-data/root.key b/pkgs/data/misc/dns-root-data/root.key index 9046cefcb713..c0da7b3f60fa 100644 --- a/pkgs/data/misc/dns-root-data/root.key +++ b/pkgs/data/misc/dns-root-data/root.key @@ -1,2 +1,2 @@ -. 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=1 [ ADDPEND ] -. 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [ VALID ] +. 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} +. 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} diff --git a/pkgs/data/misc/dns-root-data/update-root-key.sh b/pkgs/data/misc/dns-root-data/update-root-key.sh index 5db179621a70..9a3141aef197 100755 --- a/pkgs/data/misc/dns-root-data/update-root-key.sh +++ b/pkgs/data/misc/dns-root-data/update-root-key.sh @@ -2,8 +2,9 @@ #!nix-shell -i bash -p busybox unbound TMP=`mktemp` -unbound-anchor -a $TMP -grep -Ev "^($$|;)" $TMP | sed -e 's/ ;;count=.*//' > root.key -rm $TMP +unbound-anchor -a "$TMP" +grep -Ev "^($$|;)" "$TMP" | sed -e 's/ ;;.*//' > root.key -unbound-anchor -F -a root.ds +unbound-anchor -F -a "$TMP" +sed '/^;/d' < "$TMP" > root.ds +rm $TMP