GNU bug report logs - #68621
[PATCH 0/2] Provide default DNSSEC trust anchors for knot-resolver


Package: guix-patches;

Reported by: Leo Nikkilä <hello <at> lnikki.la>

Date: Sat, 20 Jan 2024 21:27:02 UTC

Severity: normal

Tags: patch

To reply to this bug, email your comments to 68621 AT debbugs.gnu.org.



Report forwarded to guix-patches <at> gnu.org:
bug#68621; Package guix-patches. (Sat, 20 Jan 2024 21:27:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Leo Nikkilä <hello <at> lnikki.la>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sat, 20 Jan 2024 21:27:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Nikkilä <hello <at> lnikki.la>
To: guix-patches <at> gnu.org
Cc: Leo Nikkilä <hello <at> lnikki.la>
Subject: [PATCH 0/2] Provide default DNSSEC trust anchors for knot-resolver
Date: Sat, 20 Jan 2024 23:23:42 +0200
The default DNSSEC trust anchors for knot-resolver are currently
disabled through a build phase, but configured when you use the default
kresd.conf file provided by Guix.

If you write your own configuration, you might expect kresd to have
DNSSEC enabled by default since this is what upstream does [1]. On Guix,
DNSSEC is disabled unless you provide the same custom path in your own
configuration and install the file into the appropriate location.

This set updates the package to be built with the correct path as the
default, and the service to use that path and install the default trust
anchors at activation time when missing.

[1]: https://knot-resolver.readthedocs.io/en/stable/config-dnssec.html

Leo Nikkilä (2):
  gnu: knot-resolver: Re-enable default DNSSEC trust anchors.
  services: knot-resolver: Use default DNSSEC trust anchors.

 gnu/packages/dns.scm | 20 +++++++++++++-------
 gnu/services/dns.scm | 17 +++++++++++++----
 2 files changed, 26 insertions(+), 11 deletions(-)


base-commit: 9072f27f5d3514be22c6af208f2ad56ef4e112f4
-- 
2.41.0
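A custom service configuration of the kind the message above describes, written as an added example (it is not part of this patch series or of Guix itself). It assumes that `knot-resolver-configuration` has a `kresd-config-file` field taking a file-like object, which is how the service in `gnu/services/dns.scm` is exposed, and that the keyfile lives at the path this series uses. The first config is the weak one: on a package whose default trust anchor was patched out, it resolves but never validates. The second loads the anchor file explicitly, so validation is on regardless of the package's compiled-in default.

```scheme
;; Added example, not code from the patch series or from Guix: two kresd.conf
;; variants for the Guix knot-resolver service, one without and one with an
;; explicit DNSSEC trust anchor.
(use-modules (gnu)
             (gnu services dns)
             (gnu packages dns))

;; Assumed to match the service's cache directory and the
;; -Dkeyfile_default value this series builds the package with.
(define %kresd-keyfile "/var/cache/knot-resolver/root.keys")

;; Weak: no trust_anchors call.  With a package whose default trust anchor was
;; patched out, kresd answers queries but performs no DNSSEC validation, and
;; nothing in its logs says so.
(define %kresd.conf/no-dnssec
  (plain-file "kresd.conf" "-- -*- mode: lua -*-
net = { '127.0.0.1', '::1' }
user('knot-resolver', 'knot-resolver')
modules = { 'hints > iterate', 'stats', 'predict' }
"))

;; Corrected: load the managed trust anchor file explicitly.  This works both
;; with the old package (default anchor disabled) and with the one from this
;; series.  It expects %kresd-keyfile to exist (the activation step in this
;; series seeds it) and to be writable by the knot-resolver user, so that
;; RFC 5011 key rollovers can be recorded.
(define %kresd.conf/dnssec
  (plain-file "kresd.conf"
              (string-append "-- -*- mode: lua -*-
trust_anchors.add_file('" %kresd-keyfile "')
net = { '127.0.0.1', '::1' }
user('knot-resolver', 'knot-resolver')
modules = { 'hints > iterate', 'stats', 'predict' }
")))

;; Service instance to splice into an operating-system's `services' field,
;; e.g. (cons knot-resolver-dnssec-service %base-services).
(define knot-resolver-dnssec-service
  (service knot-resolver-service-type
           (knot-resolver-configuration
            (package knot-resolver)
            (kresd-config-file %kresd.conf/dnssec))))
```

After `guix system reconfigure`, check that validation is really on rather than trusting the config: a query through 127.0.0.1 for a signed zone should come back with the `ad` flag set, and a query for a zone whose signatures are deliberately broken (dnssec-failed.org is the usual test name) should be answered with SERVFAIL. If both succeed with `NOERROR` and no `ad` flag, the resolver is running the weak configuration.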





Information forwarded to guix-patches <at> gnu.org:
bug#68621; Package guix-patches. (Sat, 20 Jan 2024 21:39:01 GMT) Full text and rfc822 format available.

Message #8 received at 68621 <at> debbugs.gnu.org (full text, mbox):

From: Leo Nikkilä <hello <at> lnikki.la>
To: 68621 <at> debbugs.gnu.org
Subject: Re: [PATCH 0/2] Provide default DNSSEC trust anchors for knot-resolver
Date: Sat, 20 Jan 2024 23:37:35 +0200
Forgot to mention, but this is more or less what was done for the upstream RPM package, see:

https://gitlab.nic.cz/knot/knot-resolver/-/issues/513
https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/888/diffs




Information forwarded to guix-patches <at> gnu.org:
bug#68621; Package guix-patches. (Tue, 23 Apr 2024 16:03:13 GMT) Full text and rfc822 format available.

Message #11 received at 68621 <at> debbugs.gnu.org (full text, mbox):

From: Dale Mellor <guix-devel-0brg6a <at> rdmp.org>
To: 68621 <at> debbugs.gnu.org
Subject: Consolidating patches under this one issue number
Date: Tue, 23 Apr 2024 16:59:45 +0100
The patches that follow are:
  * two patches which were originally supposed to accompany this issue
  * a fix to quieten some guix lint warnings
  * a package version micro-bump, to 5.7.2.





Information forwarded to guix-patches <at> gnu.org:
bug#68621; Package guix-patches. (Tue, 23 Apr 2024 16:14:09 GMT) Full text and rfc822 format available.

Message #14 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Dale Mellor <guix-devel-0brg6a <at> rdmp.org>
To: 68621 <at> debbugs.gnu.org
Cc: Leo Nikkilä <hello <at> lnikki.la>, guix-patches <at> gnu.org
Subject: [PATCH v2 1/4] gnu: knot-resolver: Re-enable default DNSSEC trust anchors.
Date: Tue, 23 Apr 2024 17:12:23 +0100
From: Leo Nikkilä <hello <at> lnikki.la>

* gnu/packages/dns.scm (knot-resolver) [#:configure-flags]: Configure
root keys and managed TA.
[#:phases] Remove `'disable-default-ta', add `'install-root-keys'.
---
 gnu/packages/dns.scm | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
index 36d3eb8b7e..947a6e89ba 100644
--- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@@ -995,15 +995,13 @@ (define-public knot-resolver
     (build-system meson-build-system)
     (outputs '("out" "doc"))
     (arguments
-     '(#:configure-flags '("-Ddoc=enabled")
+     `(#:configure-flags
+       '("-Ddoc=enabled"
+         "-Dinstall_root_keys=disabled" ; installed manually outside store
+         "-Dkeyfile_default=/var/cache/knot-resolver/root.keys"
+         "-Dmanaged_ta=enabled")
        #:phases
        (modify-phases %standard-phases
-         (add-before 'configure 'disable-default-ta
-           (lambda _
-             ;;  Disable the default managed root TA, since we don't have
-             ;;  write access to the keyfile and its directory in store.
-             (substitute* "daemon/lua/sandbox.lua.in"
-               (("^trust_anchors\\.add_file.*") ""))))
          (add-after 'build 'build-doc
            (lambda _
              (invoke "ninja" "doc")))
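Review bot: the comment on `-Dinstall_root_keys=disabled` ("installed manually outside store") is contradicted by the `install-root-keys` phase added later in this same patch, which copies `root.keys` into `out/etc/knot-resolver`, i.e. into the store; only the activation snippet in 3/4 copies it outside. Reword it to say why upstream's install step is disabled (its target would be the unwritable store path compiled into `keyfile_default`) and that the phase below installs the file under `out/etc` for the service to seed `/var/cache` from. Also, `-Dkeyfile_default=/var/cache/knot-resolver/root.keys` bakes a path into the package that the service in 3/4 must reproduce exactly in its `keyfile` binding; a comment at each site pointing at the other would stop the two from drifting apart.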
@@ -1021,6 +1019,14 @@ (define-public knot-resolver
                 '("doc/knot-resolver/examples"
                   "doc/knot-resolver/html"
                   "info")))))
+         (add-after 'install 'install-root-keys
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let ((dir (string-append (assoc-ref outputs "out")
+                                       "/etc/knot-resolver")))
+               (mkdir-p dir)
+               (install-file (string-append "../knot-resolver-" ,version
+                                            "/etc/root.keys")
+                             dir))))
          (add-after 'install 'wrap-binary
            (lambda* (#:key inputs outputs #:allow-other-keys)
              (let* ((out (assoc-ref outputs "out"))
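Review bot: `(string-append "../knot-resolver-" ,version "/etc/root.keys")` reaches back into the source tree through a relative path from the build directory, so it relies on meson-build-system running the install phase from a sibling of the unpacked tarball and on that directory being named exactly `knot-resolver-<version>`; if either assumption breaks, the phase fails only at `install-file` with an ENOENT that does not say which path was meant. Recording the absolute source directory in a phase before 'configure (or installing the file from a phase that runs while still in the source tree) would be more robust. The switch from `'` to a quasiquote in the first hunk is needed for `,version` here and is fine.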
-- 
2.41.0






Information forwarded to guix-patches <at> gnu.org:
bug#68621; Package guix-patches. (Tue, 23 Apr 2024 16:15:05 GMT) Full text and rfc822 format available.

Message #20 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Dale Mellor <guix-devel-0brg6a <at> rdmp.org>
To: 68621 <at> debbugs.gnu.org
Cc: Dale Mellor <black-hole <at> rdmp.org>, guix-patches <at> gnu.org
Subject: [PATCH v2 2/4] gnu: knot-resolver: Appease some guix lint complaints.
Date: Tue, 23 Apr 2024 17:12:24 +0100
From: Dale Mellor <black-hole <at> rdmp.org>

  * gnu/packages/dns.scm (knot-resolver): Add bash-minimal to inputs, re-label
    input items to 'lua5.1-bitop' and 'nghttp2:lib'.
---
 gnu/packages/dns.scm | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
index 947a6e89ba..bb86fd34f8 100644
--- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@@ -1051,15 +1051,16 @@ (define-public knot-resolver
            python-sphinx-rtd-theme
            texinfo))
     (inputs
-     `(("fstrm" ,fstrm)
+     `(("bash-minimal" ,bash-minimal)
+       ("fstrm" ,fstrm)
        ("gnutls" ,gnutls)
        ("knot:lib" ,knot "lib")
        ("libuv" ,libuv)
        ("lmdb" ,lmdb)
        ("luajit" ,luajit)
        ;; TODO: Add optional lua modules: basexx and psl.
-       ("lua-bitop" ,lua5.1-bitop)
-       ("nghttp2" ,nghttp2 "lib")
+       ("lua5.1-bitop" ,lua5.1-bitop)
+       ("nghttp2:lib" ,nghttp2 "lib")
        ("python" ,python)))
     (home-page "https://www.knot-resolver.cz/")
     (synopsis "Caching validating DNS resolver")
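Review bot: renaming the labels `lua-bitop` to `lua5.1-bitop` and `nghttp2` to `nghttp2:lib` changes the keys under which these inputs appear in the `inputs` alist that the `wrap-binary` phase receives (it takes `#:key inputs`, see 1/4); please confirm that phase does not look them up with `(assoc-ref inputs "lua-bitop")` or `"nghttp2"`, otherwise the wrapper would silently get an empty path. Adding `bash-minimal` is the right fix for the lint warning about wrapped programs, since the wrapper script needs `bash` as a run-time input. Minor: the ChangeLog entry is indented by two spaces; Guix commit messages start the `*` in column 0.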
-- 
2.41.0





Information forwarded to guix-patches <at> gnu.org:
bug#68621; Package guix-patches. (Tue, 23 Apr 2024 16:15:07 GMT) Full text and rfc822 format available.

Message #23 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Dale Mellor <guix-devel-0brg6a <at> rdmp.org>
To: 68621 <at> debbugs.gnu.org
Cc: Leo Nikkilä <hello <at> lnikki.la>, guix-patches <at> gnu.org
Subject: [PATCH v2 3/4] services: knot-resolver: Use default DNSSEC trust anchors.
Date: Tue, 23 Apr 2024 17:12:25 +0100
From: Leo Nikkilä <hello <at> lnikki.la>

* gnu/services/dns.scm (%kresd.conf): Use default anchors.
(knot-resolver-activation): Install default anchors when missing.
---
 gnu/services/dns.scm | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/gnu/services/dns.scm b/gnu/services/dns.scm
index 6608046909..f83c5b6594 100644
--- a/gnu/services/dns.scm
+++ b/gnu/services/dns.scm
@@ -655,7 +655,6 @@ (define-record-type* <knot-resolver-configuration>
 
 (define %kresd.conf
   (plain-file "kresd.conf" "-- -*- mode: lua -*-
-trust_anchors.add_file('/var/cache/knot-resolver/root.keys')
 net = { '127.0.0.1', '::1' }
 user('knot-resolver', 'knot-resolver')
 modules = { 'hints > iterate', 'stats', 'predict' }
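Review bot: dropping `trust_anchors.add_file(...)` from `%kresd.conf` makes DNSSEC in the default service configuration depend entirely on the package having been built with `-Dkeyfile_default=/var/cache/knot-resolver/root.keys` (1/4): a user who points the `package` field of `knot-resolver-configuration` at a variant built without that flag gets a resolver that quietly stops validating. Either keep an explicit `trust_anchors.add_file` line in the default config or document the dependency. In any case the series changes user-visible behaviour (validation on by default, keyfile seeded under /var/cache/knot-resolver) and should carry a doc/guix.texi update for the knot-resolver service, which the diffstat does not include.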
@@ -676,10 +675,20 @@ (define %knot-resolver-accounts
 (define (knot-resolver-activation config)
   #~(begin
       (use-modules (guix build utils))
-      (let ((rundir "/var/cache/knot-resolver")
-            (owner (getpwnam "knot-resolver")))
+      (let* ((rundir "/var/cache/knot-resolver")
+             (keyfile (string-append rundir "/root.keys"))
+             (owner (getpwnam "knot-resolver")))
         (mkdir-p rundir)
-        (chown rundir (passwd:uid owner) (passwd:gid owner)))))
+        (chown rundir (passwd:uid owner) (passwd:gid owner))
+
+        ;; Install initial trust anchors when missing.
+        (unless (file-exists? keyfile)
+          (copy-file #$(file-append (knot-resolver-configuration-package
+                                     config)
+                                    "/etc/knot-resolver/root.keys")
+                     keyfile)
+          (chown keyfile (passwd:uid owner) (passwd:gid owner))
+          (chmod keyfile #o755)))))
 
 (define knot-resolver-shepherd-services
   (match-lambda
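Review bot: `(chmod keyfile #o755)` puts execute bits on a data file; the keyfile needs to be readable and, because `-Dmanaged_ta=enabled` in 1/4 lets kresd rewrite it on RFC 5011 key rollovers, writable by the `knot-resolver` user, so `#o644` is the right mode (`#o600` if nothing else needs to read it). Two smaller points: the `unless (file-exists? keyfile)` guard means a file that exists but is empty or truncated (say after an interrupted write) is never re-seeded, which is worth a comment since the failure mode is a resolver that refuses to validate rather than one that fails loudly; and `rundir` now names the cache directory that also holds the keyfile, so `cachedir` would read better.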
-- 
2.41.0





Information forwarded to guix-patches <at> gnu.org:
bug#68621; Package guix-patches. (Tue, 23 Apr 2024 16:15:09 GMT) Full text and rfc822 format available.

Message #26 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Dale Mellor <guix-devel-0brg6a <at> rdmp.org>
To: 68621 <at> debbugs.gnu.org
Cc: Dale Mellor <black-hole <at> rdmp.org>, guix-patches <at> gnu.org
Subject: [PATCH v2 4/4] gnu: knot-resolver: version to 5.7.2
Date: Tue, 23 Apr 2024 17:12:26 +0100
From: Dale Mellor <black-hole <at> rdmp.org>

  * gnu/packages/dns.scm (knot-resolver): Version to 5.7.2.
---
 gnu/packages/dns.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
index bb86fd34f8..d8b3606f10 100644
--- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@@ -984,14 +984,14 @@ (define (move source target file)
 (define-public knot-resolver
   (package
     (name "knot-resolver")
-    (version "5.7.1")
+    (version "5.7.2")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://secure.nic.cz/files/knot-resolver/"
                                   "knot-resolver-" version ".tar.xz"))
               (sha256
                (base32
-                "18n3jh17d22xmzpg8syw2dm85vv7jchdc4hzk5x78lqxqqav856s"))))
+                "03wszdrx5wcd0gz9h4p0ggn67n59almnb2h2m38c5m7wj1rj4sjz"))))
     (build-system meson-build-system)
     (outputs '("out" "doc"))
     (arguments
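Review bot: the commit title and ChangeLog line should follow the Guix convention, `gnu: knot-resolver: Update to 5.7.2.` and `(knot-resolver): Update to 5.7.2.`, rather than "version to 5.7.2", and the entry should not be indented. Please also state in the cover letter how the new hash was obtained (`guix download` of the tarball, checked against upstream's published signature) and confirm that 1/4's `install-root-keys` phase, which derives the source path from `,version`, was rebuilt against 5.7.2. The bump is unrelated to the DNSSEC change and is rightly a separate commit.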
-- 
2.41.0






Information forwarded to guix-patches <at> gnu.org:
bug#68621; Package guix-patches. (Tue, 23 Apr 2024 18:35:07 GMT) Full text and rfc822 format available.

Message #38 received at 68621 <at> debbugs.gnu.org (full text, mbox):

From: Dale Mellor <guix-devel-0brg6a <at> rdmp.org>
To: 68621 <at> debbugs.gnu.org
Subject: [PATCH v2 0/4] Allow use of DNSSEC in knot-resolver service
Date: Tue, 23 Apr 2024 19:33:10 +0100
As per previous messages.






GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.