#
# Red Hat BIND package .spec file
#

%define PATCHVER P2
#%%define VERSION %%{version}
#%%define PREVER rc2
#%%define VERSION %%{version}%%{PREVER}
%define VERSION %{version}-%{PATCHVER}

%{?!bind_uid:  %define bind_uid  25}
%{?!bind_gid:  %define bind_gid  25}
%{?!GSSTSIG:   %define GSSTSIG   0}

%define bind_dir         /var/named
%define chroot_prefix    %{bind_dir}/chroot

#
Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
Name:     bind97
License:  ISC
Version:  9.7.0
Release:  17.%{PATCHVER}%{?dist}
Epoch:    32
Url:      http://www.isc.org/products/BIND/
Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Group:    System Environment/Daemons
#
Source:   ftp://ftp.isc.org/isc/bind9/%{VERSION}/bind-%{VERSION}.tar.gz
Source1:  named.sysconfig
Source2:  named.init
Source3:  named.logrotate
Source4:  named.NetworkManager
Source5:  rfc1912.txt
Source6:  named.root.key
Source7:  bind-9.3.1rc1-sdb_tools-Makefile.in
Source8:  dnszone.schema
Source12: README.sdb_pgsql
Source21: Copyright.caching-nameserver
Source25: named.conf.sample
Source28: config-6.tar.bz2
Source30: ldap2zone.c
Source31: ldap2zone.1
Source32: named-sdb.8
Source33: zonetodb.1
Source34: zone2sqlite.1

# Common patches
# Install *.so libraries with +x perms
Patch5:   bind-nonexec.patch
# Build named as PIE
Patch10:  bind-9.5-PIE.patch
# Add Red Hat specific bits to documentation
Patch16:  bind-9.3.2-redhat_doc.patch
# RH #247856
Patch71:  bind-9.5-overflow.patch
# Build libdns.so in parallel to speed up the build process
Patch87:  bind-9.5-parallel-build.patch
Patch102: bind-95-rh452060.patch
Patch106: bind93-rh490837.patch
# Put zone with dynamic DNSSEC keys into /var/named/dynamic directory
Patch108: bind97-managed-keyfile.patch
Patch109: bind97-rh478718.patch
Patch111: bind97-rh554316.patch
Patch112: bind97-ppc64.patch
Patch113: bind97-rh643102.patch
Patch114: bind97-rh659268.patch
Patch115: bind97-rh675467-validator.patch
Patch116: bind97-rh675467-ncache.patch
Patch117: bind97-rh675467-view.patch
Patch118: bind97-CVE-2011-1910.patch
Patch119: bind97-CVE-2011-2464.patch
Patch120: bind97-rh754398.patch
Patch121: bind97-CVE-2012-1667.patch
Patch122: bind97-CVE-2012-1033.patch
Patch123: bind97-CVE-2012-1033-2.patch
Patch124: bind97-rh703397.patch
Patch125: bind97-rh717610.patch
Patch126: bind97-rh749214.patch
Patch127: bind97-rh758057.patch
Patch128: bind97-rh803369.patch
Patch129: bind97-rh811566.patch
Patch130: bind97-testsuite.patch
Patch131: bind98-rh816164.patch
Patch132: bind97-rh829831.patch
Patch133: bind97-CVE-2012-3817.patch
Patch134: bind97-CVE-2012-4244.patch
Patch135: bind97-CVE-2012-5166.patch

# Dynamic database backend support, needed by IPA
Patch104: bind-96-dyndb.patch

# IDN patches - add IDN support to dig/host/nslookup
Patch73:  bind-9.5-libidn.patch
Patch83:  bind-9.5-libidn2.patch
Patch85:  bind-9.5-libidn3.patch
Patch94:  bind95-rh461409.patch

#
Requires:       mktemp
Requires(post): grep, chkconfig
Requires(pre):  shadow-utils
Requires(preun):chkconfig
Requires:       bind97-libs = %{epoch}:%{version}-%{release}
Obsoletes:      bind-config < 30:9.3.2-34
Provides:       bind-config = 30:9.3.2-34
BuildRequires:  openssl-devel, libtool, autoconf, pkgconfig, libcap-devel
BuildRequires:  libidn-devel, libxml2-devel
%if %{GSSTSIG}
BuildRequires:  krb5-devel
%endif
Conflicts:      bind, caching-nameserver
# Needed to regenerate dig.1 manpage
BuildRequires:  docbook-style-xsl, libxslt

%description
BIND (Berkeley Internet Name Domain) is an implementation of the DNS
(Domain Name System) protocols. BIND includes a DNS server (named),
which resolves host names to IP addresses; a resolver library
(routines for applications to use when interfacing with DNS); and
tools for verifying that the DNS server is operating properly.

%package libs
Summary:  Libraries used by the BIND DNS packages
Group:    Applications/System
Conflicts:bind-libs

%description libs
Contains libraries used by both the bind server package as well as the utils packages.

%package utils
Summary:  Utilities for querying DNS name servers
Group:    Applications/System
Conflicts:bind-utils
Requires: bind97-libs = %{epoch}:%{version}-%{release}

%description utils
Bind-utils contains a collection of utilities for querying DNS (Domain
Name System) name servers to find out information about Internet
hosts. These tools will provide you with the IP addresses for given
host names, as well as other information about registered domains and
network addresses.

You should install bind-utils if you need to get information from DNS name
servers.

%package devel
Summary:  Header files and libraries needed for BIND DNS development
Group:    Development/Libraries
Conflicts:bind-libbind-devel
Conflicts:bind-devel
Requires: bind97-libs = %{epoch}:%{version}-%{release}

%description devel
The bind-devel package contains all the header files and libraries
required for development with ISC BIND 9 and BIND 8.

%package chroot
Summary:  A chroot runtime environment for the ISC BIND DNS server, named(8)
Group:    System Environment/Daemons
Prefix:   %{chroot_prefix}
Requires(post): grep
Requires(preun):grep
Requires: bind97 = %{epoch}:%{version}-%{release}
Conflicts:bind-chroot

%description chroot
This package contains a tree of files which can be used as a
chroot(2) jail for the named(8) program from the BIND package.
Based on the code from Jan "Yenya" Kasprzak <kas@fi.muni.cz>

%prep
%setup -q -n bind-%{VERSION}

# Common patches
%patch5 -p1 -b .nonexec
%patch10 -p1 -b .PIE
%patch16 -p1 -b .redhat_doc
%patch104 -p1 -b .dyndb
%patch108 -p1 -b .managed-keyfile
%patch71 -p1 -b .overflow
%patch73 -p1 -b .libidn
%patch83 -p1 -b .libidn2
%patch85 -p1 -b .libidn3
%patch87 -p1 -b .parallel
%patch94 -p1 -b .rh461409
%patch102 -p1 -b .rh452060
%patch106 -p0 -b .rh490837
%patch109 -p1 -b .rh478718
%patch111 -p1 -b .rh554316
%patch112 -p1 -b .ppc64
%patch113 -p1 -b .rh643102
%patch114 -p1 -b .rh659268
pushd lib/dns
%patch115 -p0 -b .rh675467-validator
%patch116 -p0 -b .rh675467-ncache
%patch117 -p0 -b .rh675467-view
popd
%patch118 -p1 -b .CVE-2011-1910
%patch119 -p1 -b .CVE-2011-2464
%patch120 -p1 -b .rh754398
%patch121 -p1 -b .CVE-2012-1667
%patch122 -p1 -b .CVE-2012-1033
%patch123 -p1 -b .CVE-2012-1033-2
%patch124 -p1 -b .rh703397
%patch125 -p1 -b .rh717610
%patch126 -p1 -b .rh749214
%patch127 -p1 -b .rh758057
%patch128 -p1 -b .rh803369
%patch129 -p1 -b .rh811566
%patch130 -p1 -b .testsuite
%patch131 -p1 -b .rh816164
%patch132 -p1 -b .rh829831
%patch133 -p1 -b .CVE-2012-3817
%patch134 -p1 -b .CVE-2012-4244
%patch135 -p1 -b .CVE-2012-5166

# Sparc and s390 arches need to use -fPIE
%ifarch sparcv9 sparc64 s390 s390x
for i in bin/named/{,unix}/Makefile.in; do
  sed -i 's|fpie|fPIE|g' $i
done
%endif
:;

%build
export CFLAGS="$CFLAGS $RPM_OPT_FLAGS"
export CPPFLAGS="$CPPFLAGS -DDIG_SIGCHASE"
export STD_CDEFINES="$CPPFLAGS"
sed -i -e \
's/RELEASEVER=\(.*\)/RELEASEVER=\1-RedHat-%{version}-%{release}/' \
version
libtoolize -c -f; aclocal --force; autoconf -f
%configure \
  --with-libtool \
  --localstatedir=/var \
  --enable-threads \
  --enable-ipv6 \
  --with-pic \
  --disable-static \
  --disable-openssl-version-check \
%if %{GSSTSIG}
  --with-gssapi=yes \
  --disable-isc-spnego \
%endif
  --with-docbook-xsl=%{_datadir}/sgml/docbook/xsl-stylesheets \
  ;
make %{?_smp_mflags}

# Regenerate dig.1 manpage
pushd bin/dig
make man
popd

%install
rm -rf ${RPM_BUILD_ROOT}

# We don't want these
rm -f doc/rfc/fetch
cp --preserve=timestamps %{SOURCE5} doc/rfc
gzip -9 doc/rfc/*

# Build directory hierarchy
mkdir -p ${RPM_BUILD_ROOT}/etc/{rc.d/init.d,logrotate.d,NetworkManager/dispatcher.d}
mkdir -p ${RPM_BUILD_ROOT}%{_libdir}/bind
mkdir -p ${RPM_BUILD_ROOT}/var/named/{slaves,data,dynamic}
mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/{man1,man5,man8}
mkdir -p ${RPM_BUILD_ROOT}/var/run/named
mkdir -p ${RPM_BUILD_ROOT}/var/log
#chroot
mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}/{dev,etc,var}
mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}/var/{log,named,run/named,tmp}
mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}/etc/{pki/dnssec-keys,named}
mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}/%{_libdir}/bind
# these are required to prevent them being erased during upgrade of previous
# versions that included them (bug #130121):
touch ${RPM_BUILD_ROOT}/%{chroot_prefix}/dev/null
touch ${RPM_BUILD_ROOT}/%{chroot_prefix}/dev/random
touch ${RPM_BUILD_ROOT}/%{chroot_prefix}/dev/zero
touch ${RPM_BUILD_ROOT}/%{chroot_prefix}/etc/localtime
touch ${RPM_BUILD_ROOT}/%{chroot_prefix}/etc/named.conf
#end chroot

make DESTDIR=${RPM_BUILD_ROOT} install

# Remove unwanted files
rm -f ${RPM_BUILD_ROOT}/etc/bind.keys
rm -f ${RPM_BUILD_ROOT}/%{_bindir}/isc-config.sh

# Remove all arch dependent files in doc/
pushd doc
find -type f -name 'Makefile*' | xargs rm -f --
popd

install -m 755 %{SOURCE2} ${RPM_BUILD_ROOT}/etc/rc.d/init.d/named
install -m 644 %{SOURCE3} ${RPM_BUILD_ROOT}/etc/logrotate.d/named
install -m 755 %{SOURCE4} ${RPM_BUILD_ROOT}/etc/NetworkManager/dispatcher.d/13-named
mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig
install -m 644 %{SOURCE1} ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/named

# Remove libtool .la files:
find ${RPM_BUILD_ROOT}/%{_libdir} -name '*.la' -exec '/bin/rm' '-f' '{}' ';';

# /usr/lib/rpm/brp-compress
#
# Ghost config files:
touch ${RPM_BUILD_ROOT}%{_localstatedir}/log/named.log

# configuration files:
tar -C ${RPM_BUILD_ROOT} -xjf %{SOURCE28}
touch ${RPM_BUILD_ROOT}/etc/rndc.key
touch ${RPM_BUILD_ROOT}/etc/rndc.conf
mkdir ${RPM_BUILD_ROOT}/etc/named

install -m 644 bind.keys ${RPM_BUILD_ROOT}/etc/named.iscdlv.key
install -m 644 %{SOURCE6} ${RPM_BUILD_ROOT}/etc/named.root.key
install -m 644 %{SOURCE5} ./rfc1912.txt
install -m 644 %{SOURCE21} ./Copyright

# sample bind configuration files for %%doc:
mkdir -p sample/etc sample/var/named/{data,slaves}
install -m 644 %{SOURCE25} sample/etc/named.conf

# Copy default configuration to %%doc to make it usable from system-config-bind
install -m 644 ${RPM_BUILD_ROOT}/etc/named.conf named.conf.default
install -m 644 ${RPM_BUILD_ROOT}/etc/named.rfc1912.zones sample/etc/named.rfc1912.zones
install -m 644 ${RPM_BUILD_ROOT}/var/named/{named.ca,named.localhost,named.loopback,named.empty} sample/var/named
for f in my.internal.zone.db slaves/my.slave.internal.zone.db slaves/my.ddns.internal.zone.db my.external.zone.db; do
  echo '@ in soa localhost. root 1 3H 15M 1W 1D
 ns localhost.' > sample/var/named/$f;
done
:;

%pre
if [ "$1" -eq 1 ]; then
  /usr/sbin/groupadd -g %{bind_gid} -f -r named >/dev/null 2>&1 || :;
  /usr/sbin/useradd  -u %{bind_uid} -r -M -g named -s /sbin/nologin -d /var/named -c Named named >/dev/null 2>&1 || :;
fi;
:;

%post
/sbin/ldconfig
/sbin/chkconfig --add named
if [ "$1" -eq 1 ]; then
  if [ ! -e /etc/rndc.key ]; then
    /usr/sbin/rndc-confgen -a > /dev/null 2>&1
  fi
  [ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.* /etc/named.* >/dev/null 2>&1 ;
  # rndc.key has to have correct perms and ownership, CVE-2007-6283
  [ -e /etc/rndc.key ] && chown root:named /etc/rndc.key
  [ -e /etc/rndc.key ] && chmod 0640 /etc/rndc.key
fi
:;

%preun
if [ "$1" -eq 0 ]; then
  /sbin/service named stop >/dev/null 2>&1 || :;
  /sbin/chkconfig --del named || :;
fi;
:;

%postun
/sbin/ldconfig
if [ "$1" -ge 1 ]; then
  /sbin/service named try-restart >/dev/null 2>&1 || :;
fi;
:;

%post libs -p /sbin/ldconfig

%postun libs -p /sbin/ldconfig

%post chroot
if [ "$1" -gt 0 ]; then
  [ -e %{chroot_prefix}/dev/random ] || \
    /bin/mknod %{chroot_prefix}/dev/random c 1 8
  [ -e %{chroot_prefix}/dev/zero ] || \
    /bin/mknod %{chroot_prefix}/dev/zero c 1 5
  [ -e %{chroot_prefix}/dev/null ] || \
    /bin/mknod %{chroot_prefix}/dev/null c 1 3
  rm -f %{chroot_prefix}/etc/localtime
  cp /etc/localtime %{chroot_prefix}/etc/localtime
  if ! grep -q '^ROOTDIR=' /etc/sysconfig/named; then
    echo 'ROOTDIR=/var/named/chroot' >> /etc/sysconfig/named
    /sbin/service named try-restart > /dev/null 2>&1 || :;
  fi
fi;
:;

%posttrans chroot
if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
  [ -x /sbin/restorecon ] && /sbin/restorecon %{chroot_prefix}/dev/* > /dev/null 2>&1;
fi;
:;

%preun chroot
if [ "$1" -eq 0 ]; then
  rm -f %{chroot_prefix}/dev/{random,zero,null}
  rm -f %{chroot_prefix}/etc/localtime
  if grep -q '^ROOTDIR=' /etc/sysconfig/named; then
    # NOTE: Do NOT call `service named try-restart` because chroot
    # files will remain mounted.
    START=no
    [ -e /var/lock/subsys/named ] && START=yes
    /sbin/service named stop > /dev/null 2>&1 || :;
    sed -i -e '/^ROOTDIR=.*/d' /etc/sysconfig/named
    if [ "x$START" = xyes ]; then
      /sbin/service named start > /dev/null 2>&1 || :;
    fi
  fi
fi
:;

%clean
rm -rf ${RPM_BUILD_ROOT}
:;

%files
%defattr(-,root,root,-)
%{_libdir}/bind
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/sysconfig/named
%config(noreplace) %attr(-,root,named) %{_sysconfdir}/named.iscdlv.key
%config(noreplace) %attr(-,root,named) %{_sysconfdir}/named.root.key
%{_sysconfdir}/rc.d/init.d/named
%{_sysconfdir}/NetworkManager/dispatcher.d/13-named
%{_sbindir}/arpaname
%{_sbindir}/ddns-confgen
%{_sbindir}/genrandom
%{_sbindir}/named-journalprint
%{_sbindir}/nsec3hash
%{_sbindir}/dnssec*
%{_sbindir}/named-check*
%{_sbindir}/lwresd
%{_sbindir}/named
%{_sbindir}/rndc*
%{_sbindir}/named-compilezone
%{_sbindir}/isc-hmac-fixup
%{_mandir}/man1/arpaname.1*
%{_mandir}/man5/named.conf.5*
%{_mandir}/man5/rndc.conf.5*
%{_mandir}/man8/rndc.8*
%{_mandir}/man8/named.8*
%{_mandir}/man8/lwresd.8*
%{_mandir}/man8/dnssec*.8*
%{_mandir}/man8/named-checkconf.8*
%{_mandir}/man8/named-checkzone.8*
%{_mandir}/man8/named-compilezone.8*
%{_mandir}/man8/rndc-confgen.8*
%{_mandir}/man8/ddns-confgen.8*
%{_mandir}/man8/genrandom.8*
%{_mandir}/man8/named-journalprint.8*
%{_mandir}/man8/nsec3hash.8*
%{_mandir}/man8/isc-hmac-fixup.8*
%doc CHANGES COPYRIGHT README named.conf.default
%doc doc/arm doc/misc doc/draft doc/rfc
%doc sample/
%doc Copyright
%doc rfc1912.txt

# Hide configuration
%defattr(0640,root,named,0750)
%dir %{_sysconfdir}/named
%dir %{_localstatedir}/named
%config(noreplace) %verify(not link) %{_sysconfdir}/named.conf
%config(noreplace) %verify(not link) %{_sysconfdir}/named.rfc1912.zones
%config %verify(not link) %{_localstatedir}/named/named.ca
%config %verify(not link) %{_localstatedir}/named/named.localhost
%config %verify(not link) %{_localstatedir}/named/named.loopback
%config %verify(not link) %{_localstatedir}/named/named.empty
%defattr(0660,named,named,0770)
%dir %{_localstatedir}/named/slaves
%dir %{_localstatedir}/named/data
%dir %{_localstatedir}/named/dynamic
%ghost %{_localstatedir}/log/named.log
%defattr(0640,root,named,0750)
%ghost %config(noreplace) %{_sysconfdir}/rndc.key
# ^- rndc.key now created on first install only if it does not exist
# %%verify(not size,not md5) %%config(noreplace) %%attr(0640,root,named) /etc/rndc.conf
# ^- Let the named internal default rndc.conf be used -
#    rndc.conf not required unless it differs from default.
%ghost %config(noreplace) %{_sysconfdir}/rndc.conf
# ^- The default rndc.conf which uses rndc.key is in named's default internal config -
#    so rndc.conf is not necessary.
%config(noreplace) %{_sysconfdir}/logrotate.d/named
%defattr(-,named,named,-)
%dir %{_localstatedir}/run/named

%files libs
%defattr(-,root,root,-)
%{_libdir}/*so.*

%files utils
%defattr(-,root,root,-)
%{_bindir}/dig
%{_bindir}/host
%{_bindir}/nslookup
%{_bindir}/nsupdate
%{_mandir}/man1/host.1*
%{_mandir}/man1/nsupdate.1*
%{_mandir}/man1/dig.1*
%{_mandir}/man1/nslookup.1*

%files devel
%defattr(-,root,root,-)
%{_libdir}/*so
%{_includedir}/bind9
%{_includedir}/dns
%{_includedir}/dst
%{_includedir}/isc
%{_includedir}/isccc
%{_includedir}/isccfg
%{_includedir}/lwres
%{_mandir}/man1/isc-config.sh.1*
%{_mandir}/man3/lwres*

%files chroot
%defattr(-,root,root,-)
%ghost %{chroot_prefix}/dev/null
%ghost %{chroot_prefix}/dev/random
%ghost %{chroot_prefix}/dev/zero
%ghost %{chroot_prefix}/etc/localtime
%defattr(0640,root,named,0750)
%dir %{chroot_prefix}
%dir %{chroot_prefix}/dev
%dir %{chroot_prefix}/etc
%dir %{chroot_prefix}/etc/named
%dir %{chroot_prefix}/etc/pki
%dir %{chroot_prefix}/etc/pki/dnssec-keys
%dir %{chroot_prefix}/var
%dir %{chroot_prefix}/var/run
%dir %{chroot_prefix}/var/named
%dir %{chroot_prefix}/usr
%dir %{chroot_prefix}/%{_libdir}
%dir %{chroot_prefix}/%{_libdir}/bind
%ghost %config(noreplace) %{chroot_prefix}/etc/named.conf
%defattr(0660,named,named,0770)
%dir %{chroot_prefix}/var/run/named
%dir %{chroot_prefix}/var/tmp
%dir %{chroot_prefix}/var/log

%changelog
* Tue Oct 23 2012 Adam Tkac <atkac redhat com> 32:9.7.0-17.P2
- fix typo in initscript (caused by "kill the correct named" patch)

* Wed Oct 10 2012 Adam Tkac <atkac redhat com> 32:9.7.0-16.P2
- fix CVE-2012-5166

* Thu Sep 13 2012 Adam Tkac <atkac redhat com> 32:9.7.0-15.P2
- fix CVE-2012-4244

* Wed Jul 25 2012 Adam Tkac <atkac redhat com> 32:9.7.0-14.P2
- fix CVE-2012-3817

* Thu Jul 12 2012 Adam Tkac <atkac redhat com> 32:9.7.0-13.P2
- fixed various bind-chroot packaging errors (#829823)
- generate rndc.key during `service named start` (#829827)
- nslookup: return non-zero exit code when fail to get answer (#829829)
- named could fail to send an uncompressable zone

* Wed Jun 20 2012 Adam Tkac <atkac redhat com> 32:9.7.0-12.P2
- initscript should kill only the "correct" named process
- don't check MD5, size and mtime of sysconfig/named
- host utility now honors "attempts", "timeout" and "debug" options in resolv.conf
- add new option DISABLE_ZONE_CHECKING to sysconfig/named
- improve handling of lame responses with no SOA
- mount /etc/named.root.key into chroot (#719855)
- document dig exit codes
- print "the working directory is not writable" as debug message
- zero zone->curmaster before return in dns_zone_setmasterswithkeys()
- fix IDN related statement in dig.1 manpage (#811566)
- disable broken testsuite tests, they also don't work with upstream tarball

* Mon Jun 04 2012 Adam Tkac <atkac redhat com> 32:9.7.0-11.P2
- fix CVE-2012-1667 and CVE-2012-1033

* Wed Nov 16 2011 Adam Tkac <atkac redhat com> 32:9.7.0-10.P2
- fix DOS against recursive servers (#754398)

* Tue Jul 05 2011 Adam Tkac <atkac redhat com> 32:9.7.0-9.P2
- fix CVE-2011-2464

* Fri May 27 2011 Adam Tkac <atkac redhat com> 32:9.7.0-8.P2
- fix CVE-2011-1910

* Mon Apr 11 2011 Adam Tkac <atkac redhat com> 32:9.7.0-7.P2
- work correctly when new DS is introduced in the trusted DNS tree (#675467)
- include root zone DNSKEY (#693788)

* Thu Dec 02 2010 Adam Tkac <atkac redhat com> 32:9.7.0-6.P2
- fix CVE-2010-3613 and CVE-2010-3614

* Mon Oct 18 2010 Adam Tkac <atkac redhat com> 32:9.7.0-5.P2
- don't obsolete bind-libbind-devel, "Conflicts" with it instead

* Fri Oct 15 2010 Adam Tkac <atkac redhat com> 32:9.7.0-4.P2
- replace bind97-rh507429.patch by improved bind97-rh643102.patch
- don't pass unsupported "-N" option to useradd (#643323)

* Mon Sep 13 2010 Adam Tkac <atkac redhat com> 32:9.7.0-3.P2
- don't obsolete/provide caching-nameserver, conflict with it instead (#631681)

* Thu Aug 12 2010 Adam Tkac <atkac redhat com> 32:9.7.0-2.P2
- fix rpmdiff issues

* Wed Jun 16 2010 Adam Tkac <atkac redhat com> 32:9.7.0-1.P2
- Initial bind97 package, based on bind-9.7.0-10.P2.fc14
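A spec like the one above declares each backport as a `PatchN:` tag, applies it with a `%patchN` line in `%prep`, and records the CVE it addresses in `%changelog`. Those three places can drift apart: a patch file that is declared but never applied ships no fix, and a changelog entry can claim a CVE fix that no patch file on disk backs up. The following cross-check is an added example written for this page, not part of the Red Hat spec or of BIND; it parses a constructed mini-spec modelled on the layout above (the file names and CVE ids in the sample are taken from the spec, but the sample itself, including its deliberate mismatches, is constructed) and reports the inconsistencies a reviewer would want to see before trusting the package's CVE coverage.

```python
"""Cross-check PatchN: declarations, %patchN applications and %changelog CVE
claims in an RPM spec file (added example, not part of the bind97 spec)."""
import re

# Constructed mini-spec that mimics the bind97 layout. Patch135 is declared
# but never applied, %patch136 is applied but never declared, and the
# changelog claims two CVE fixes that no patch file names.
SAMPLE_SPEC = """\
Name: example-bind
Version: 9.7.0
Patch10: bind-9.5-PIE.patch
Patch118:bind97-CVE-2011-1910.patch
Patch121:bind97-CVE-2012-1667.patch
Patch135:bind97-CVE-2012-5166.patch

%prep
%setup -q -n bind-%{version}
%patch10 -p1 -b .PIE
%patch118 -p1 -b .CVE-2011-1910
%patch121 -p1 -b .CVE-2012-1667
%patch136 -p1 -b .missing

%changelog
* Wed Oct 10 2012 Example Maintainer <maintainer example com> 32:9.7.0-16.P2
- fix CVE-2012-5166
* Thu Dec 02 2010 Example Maintainer <maintainer example com> 32:9.7.0-6.P2
- fix CVE-2010-3613 and CVE-2010-3614
"""

# "PatchN:" tags may or may not have a space after the colon, as in the spec.
PATCH_DECL = re.compile(r"^Patch(\d+)\s*:\s*(\S+)", re.M)
# "%patchN" application lines in %prep ("\b" stops 10 matching %patch102).
PATCH_APPLY = re.compile(r"^%patch(\d+)\b", re.M)
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")


def declared_patches(spec):
    """Map patch number -> patch file name for every PatchN: tag."""
    return {int(num): name for num, name in PATCH_DECL.findall(spec)}


def applied_patches(spec):
    """Set of patch numbers that a %patchN line actually applies."""
    return {int(num) for num in PATCH_APPLY.findall(spec)}


def patch_mismatches(spec):
    """Return (declared_but_not_applied, applied_but_not_declared), sorted.

    The first list is the dangerous one: a backport that ships in the SRPM
    but never reaches the built binary.
    """
    declared, applied = declared_patches(spec), applied_patches(spec)
    return sorted(set(declared) - applied), sorted(applied - set(declared))


def cve_patch_files(spec):
    """Map each CVE id embedded in a patch file name to that file."""
    result = {}
    for name in declared_patches(spec).values():
        match = CVE_ID.search(name)
        if match:
            result[match.group(0)] = name
    return result


def changelog_cves(spec):
    """CVE ids mentioned in %changelog, in order of first appearance."""
    _, _, changelog = spec.partition("%changelog")
    seen = []
    for cve in CVE_ID.findall(changelog):
        if cve not in seen:
            seen.append(cve)
    return seen


def cves_without_patch_file(spec):
    """CVEs the changelog claims as fixed that no PatchN: file name carries.

    These are not necessarily unfixed (the fix may be in the upstream
    tarball or in a patch named after a bug number), but each one needs a
    manual check rather than being taken on trust.
    """
    backed = cve_patch_files(spec)
    return [cve for cve in changelog_cves(spec) if cve not in backed]


if __name__ == "__main__":
    unapplied, undeclared = patch_mismatches(SAMPLE_SPEC)
    print("declared but not applied:", unapplied)
    print("applied but not declared:", undeclared)
    print("changelog CVEs without a patch file:", cves_without_patch_file(SAMPLE_SPEC))
```

To run it over a real spec, read the file into a string and pass it to `patch_mismatches` and `cves_without_patch_file`; the regexes deliberately match only the `PatchN:` tag and `%patchN` line forms the spec above uses, so a spec that applies patches with `%autosetup` or from a shell loop will need the `PATCH_APPLY` pattern extended.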