Sunday, December 30, 2018

Re: UPDATE: security/opendnssec

On Sun Nov 18, 2018 at 04:57:55PM +0300, Pavel Korovin wrote:
> Dear all,
> please find the update for the latest OpenDNSSEC attached.
> Tested with sqlite3, softhsm/softhsm2 on amd64.
> Also tested migration from v1.4 (enforcer database migration is
> required for v2).

Is there any howto to migrate from 1.4? A note or a howto/link to
current.html would be nice!

Please switch to https, otherwise the port is okay.

Rafael Sadowski

> Didn't test mysql flavor.
>
> --
> With best regards,
> Pavel Korovin

> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/security/opendnssec/Makefile,v
> retrieving revision 1.15
> diff -u -p -r1.15 Makefile
> --- Makefile 4 Sep 2018 12:46:21 -0000 1.15
> +++ Makefile 18 Nov 2018 13:42:52 -0000
> @@ -2,8 +2,7 @@
>
> COMMENT= open-source turn-key solution for DNSSEC
>
> -DISTNAME= opendnssec-1.4.14
> -REVISION= 1
> +DISTNAME= opendnssec-2.1.3
>
> CATEGORIES= security
>
> @@ -18,11 +17,14 @@ WANTLIB += c crypto iconv ldns lzma m pt
>
> MASTER_SITES= http://dist.opendnssec.org/source/
>
> +BUILD_DEPENDS= devel/cunit
> +
> LIB_DEPENDS= converters/libiconv \
> net/ldns/libldns \
> textproc/libxml
>
> -TEST_DEPENDS= security/softhsm
> +TEST_DEPENDS= ${BUILD_DEPENDS} \
> + security/softhsm2
>
> FAKE_FLAGS= sysconfdir=${PREFIX}/share/examples/opendnssec
>
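Review bot: `MASTER_SITES= http://dist.opendnssec.org/source/` still fetches over plain http; the SHA256 in distinfo catches a tampered tarball, but fetching over https also keeps the download from being observed or redirected, and it is the change already asked for in the reply above. Separately, `BUILD_DEPENDS= devel/cunit` pulls a unit-test framework into every build; if configure does not hard-fail without it, listing it under TEST_DEPENDS alone is enough.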
> @@ -47,11 +49,52 @@ LIB_DEPENDS+= databases/mariadb
> ERRORS+= "Fatal: mutually exclusive flavors: ${FLAVORS}"
> .endif
>
> +SUBST_TARGETS= ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/README.md \
> + ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/convert_{mysql,sqlite} \
> + ${WRKSRC}/enforcer/utils/convert_{mysql_to_sqlite,sqlite_to_mysql} \
> + ${WRKSRC}/contrib/ods-sequencer/ods-sequencer-submit.sh \
> + ${WRKSRC}/MIGRATION
> +
> +post-patch:
> + ${SUBST_CMD} ${SUBST_TARGETS}
> +
> +# regress-db target doesn't currently work
> +# https://github.com/opendnssec/opendnssec/commit/6b1b0da4a7ba5ae658aca49a45a45be4867f6806
> +pre-test:
> + sed -i 's/^check: regress-db/\#check: regress-db/' \
> + ${WRKSRC}/enforcer/src/db/test/Makefile
> +
> post-install:
> - ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/opendnssec
> - cd ${WRKSRC}; \
> - ${INSTALL_DATA} LICENSE ${PREFIX}/share/doc/opendnssec; \
> - ${INSTALL_DATA} plugins/simple-dnskey-mailer/simple-dnskey-mailer.sh \
> - ${PREFIX}/share/opendnssec
> + sed -i 's,#!/bin/bash,#!/bin/sh,' \
> + ${WRKSRC}/contrib/ods-sequencer/ods-sequencer-submit.sh \
> + ${WRKSRC}/contrib/simple-dnskey-mailer/simple-dnskey-mailer.sh
> + @find ${WRKSRC} -type f \
> + \( -name '*.beforesubst' -o -name '*.orig' \) -delete
> + ${INSTALL_SCRIPT} ${WRKSRC}/enforcer/utils/convert_mysql_to_sqlite \
> + ${PREFIX}/sbin/ods-convert_mysql_to_sqlite
> + ${INSTALL_SCRIPT} ${WRKSRC}/enforcer/utils/convert_sqlite_to_mysql \
> + ${PREFIX}/sbin/ods-convert_sqlite_to_mysql
> + ${INSTALL_SCRIPT} ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/convert_mysql \
> + ${PREFIX}/sbin/ods-migrate-mysql
> + ${INSTALL_SCRIPT} ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/convert_sqlite \
> + ${PREFIX}/sbin/ods-migrate-sqlite3
> + ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/opendnssec/
> + ${INSTALL_DATA} ${WRKSRC}/{LICENSE,MIGRATION,NEWS} \
> + ${PREFIX}/share/doc/opendnssec/
> + ${INSTALL_DATA} ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/README.md \
> + ${PREFIX}/share/doc/opendnssec/MIGRATE_1.4-2.0.md
> + ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/opendnssec/ods-sequencer/
> + ${INSTALL_DATA} ${WRKSRC}/contrib/ods-sequencer/* \
> + ${PREFIX}/share/examples/opendnssec/ods-sequencer/
> + ${INSTALL_DATA} ${WRKSRC}/contrib/simple-dnskey-mailer/simple-dnskey-mailer.sh \
> + ${PREFIX}/share/examples/opendnssec/
> + ${INSTALL_DATA_DIR} ${PREFIX}/share/opendnssec/migration/
> + ${INSTALL_DATA} ${WRKSRC}/enforcer/src/db/schema.* ${PREFIX}/share/opendnssec/
> + ${INSTALL_DATA} ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/find_problematic_zones.sql \
> + ${PREFIX}/share/opendnssec/migration/
> + ${INSTALL_DATA} ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/sqlite_convert.sql \
> + ${PREFIX}/share/opendnssec/migration/migrate-sqlite.sql
> + ${INSTALL_DATA} ${WRKSRC}/enforcer/utils/1.4-2.0_db_convert/mysql_convert.sql \
> + ${PREFIX}/share/opendnssec/migration/migrate-mysql.sql
>
> .include <bsd.port.mk>
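Review bot: `${INSTALL_DATA} ${WRKSRC}/enforcer/src/db/schema.* ${PREFIX}/share/opendnssec/` in post-install copies every schema file regardless of flavor, while PFRAG.mysql lists only share/opendnssec/schema.mysql and PFRAG.sqlite3 only share/opendnssec/schema.sqlite, so each flavor leaves the other flavor's schema unpackaged in the fake area; install only the schema for the selected flavor, or list both files in the common PLIST. The `sed -i 's,#!/bin/bash,#!/bin/sh,'` rewrite works here because OpenBSD's /bin/sh is ksh, but the scripts it touches are not POSIX sh (the convert scripts below keep `[[ $Z = *[![:space:]]* ]]`), so a one-line comment next to the sed would stop the shebang change from being copied to a stricter shell.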
> Index: distinfo
> ===================================================================
> RCS file: /cvs/ports/security/opendnssec/distinfo,v
> retrieving revision 1.6
> diff -u -p -r1.6 distinfo
> --- distinfo 10 Jul 2017 18:12:05 -0000 1.6
> +++ distinfo 18 Nov 2018 13:42:52 -0000
> @@ -1,2 +1,2 @@
> -SHA256 (opendnssec-1.4.14.tar.gz) = 4cQexbxhdiM7LZT09PcD51h7rmdgdkqxvvA88QvR3N8=
> -SIZE (opendnssec-1.4.14.tar.gz) = 1037188
> +SHA256 (opendnssec-2.1.3.tar.gz) = PeKgPtyeK4w2a/CrVBAE+YR3fUgTBXy7p6eARdjL/n4=
> +SIZE (opendnssec-2.1.3.tar.gz) = 1107073
> Index: patches/patch-MIGRATION
> ===================================================================
> RCS file: patches/patch-MIGRATION
> diff -N patches/patch-MIGRATION
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-MIGRATION 18 Nov 2018 13:42:52 -0000
> @@ -0,0 +1,18 @@
> +$OpenBSD$
> +
> +Index: MIGRATION
> +--- MIGRATION.orig
> ++++ MIGRATION
> +@@ -17,7 +17,8 @@ full resign of your zone when upgrading, however if yo
> + a full resign is needed.
> +
> + The enforcer does require a full migration, as the internal database has
> +-been completely revised. See the documentation in the source tree
> +-enforcer/utils/1.4-2.0_db_convert/README.md for a description.
> +-Migration scripts are not installed and should be retrieved from the source
> +-separately.
> ++been completely revised.
> ++See the documentation in ${PREFIX}/share/doc/opendnssec/MIGRATE_1.4-2.0.md
> ++for a description.
> ++
> ++Migration script is installed in ${PREFIX}/sbin/ods-migrate${FLAVOR_EXT}
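Review bot: `Migration script is installed in ${PREFIX}/sbin/ods-migrate${FLAVOR_EXT}` is easy to confuse with sbin/ods-migrate, the keytag tool that the converted README tells the operator to run after the conversion ("Then run `${PREFIX}/sbin/ods-migrate`"); naming both steps here, convert with ods-migrate-sqlite3 or ods-migrate-mysql and then run ods-migrate, avoids an operator doing only one of them. Also confirm that FLAVOR_EXT is substituted by ${SUBST_CMD} for this port, otherwise the literal `${FLAVOR_EXT}` lands in the installed MIGRATION file.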
> Index: patches/patch-conf_conf_xml_in
> ===================================================================
> RCS file: /cvs/ports/security/opendnssec/patches/patch-conf_conf_xml_in,v
> retrieving revision 1.2
> diff -u -p -r1.2 patch-conf_conf_xml_in
> --- patches/patch-conf_conf_xml_in 19 Nov 2016 12:25:27 -0000 1.2
> +++ patches/patch-conf_conf_xml_in 18 Nov 2018 13:42:52 -0000
> @@ -1,6 +1,8 @@
> $OpenBSD: patch-conf_conf_xml_in,v 1.2 2016/11/19 12:25:27 sthen Exp $
> ---- conf/conf.xml.in.orig Mon Oct 17 14:32:58 2016
> -+++ conf/conf.xml.in Mon Nov 14 18:41:45 2016
> +
> +Index: conf/conf.xml.in
> +--- conf/conf.xml.in.orig
> ++++ conf/conf.xml.in
> @@ -31,7 +31,7 @@
> <Logging>
> <!-- Command line verbosity will overwrite configure file -->
> @@ -10,41 +12,33 @@ $OpenBSD: patch-conf_conf_xml_in,v 1.2 2
> </Logging>
>
> <PolicyFile>@OPENDNSSEC_CONFIG_DIR@/kasp.xml</PolicyFile>
> -@@ -39,19 +39,17 @@
> +@@ -39,10 +39,10 @@
> </Common>
>
> <Enforcer>
> --<!--
> - <Privileges>
> -- <User>opendnssec</User>
> -- <Group>opendnssec</Group>
> +-<?xmlif if condition privdrop="user|group|both"?> <Privileges>
> +-<?xmlif fi?><?xmlif if condition privdrop="user|both"?> <User>@INSTALLATIONUSER@</User>
> +-<?xmlif fi?><?xmlif if condition privdrop="group|both"?> <Group>@INSTALLATIONGROUP@</Group>
> +-<?xmlif fi?><?xmlif if condition privdrop="user|group|both"?> </Privileges><?xmlif fi?>
> ++ <Privileges>
> + <User>_opendnssec</User>
> + <Group>_opendnssec</Group>
> - </Privileges>
> ---->
> - <!-- NOTE: Enforcer worker threads are not used; this option is ignored -->
> - <!--
> - <WorkerThreads>4</WorkerThreads>
> - -->
> ++ </Privileges>
>
> - <!-- <PidFile>@OPENDNSSEC_ENFORCER_PIDFILE@</PidFile> -->
> -- <Datastore><SQLite>@OPENDNSSEC_STATE_DIR@/kasp.db</SQLite></Datastore>
> -+ <Datastore><SQLite>@OPENDNSSEC_STATE_DIR@/db/kasp.db</SQLite></Datastore>
> - <Interval>PT3600S</Interval>
> + <Datastore><SQLite>@OPENDNSSEC_STATE_DIR@/kasp.db</SQLite></Datastore>
> <!-- <ManualKeyGeneration/> -->
> - <!-- <RolloverNotification>P14D</RolloverNotification> -->
> -@@ -63,12 +61,10 @@
> +@@ -59,10 +59,10 @@
> </Enforcer>
>
> <Signer>
> --<!--
> - <Privileges>
> -- <User>opendnssec</User>
> -- <Group>opendnssec</Group>
> +-<?xmlif if condition privdrop="user|group|both"?> <Privileges>
> +-<?xmlif fi?><?xmlif if condition privdrop="user|both"?> <User>@INSTALLATIONUSER@</User>
> +-<?xmlif fi?><?xmlif if condition privdrop="group|both"?> <Group>@INSTALLATIONGROUP@</Group>
> +-<?xmlif fi?><?xmlif if condition privdrop="user|group|both"?> </Privileges><?xmlif fi?>
> ++ <Privileges>
> + <User>_opendnssec</User>
> + <Group>_opendnssec</Group>
> - </Privileges>
> ---->
> ++ </Privileges>
>
> - <!-- <PidFile>@OPENDNSSEC_SIGNER_PIDFILE@</PidFile> -->
> - <!-- <SocketFile>@OPENDNSSEC_SIGNER_SOCKET@</SocketFile> -->
> + <WorkingDirectory>@OPENDNSSEC_STATE_DIR@/signer</WorkingDirectory>
> + <WorkerThreads>4</WorkerThreads>
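Review bot: enabling `<Privileges>` with `_opendnssec` for both the enforcer and the signer (instead of leaving the block commented out) is the right default, and since conf.xml also carries the HSM `<PIN>` it relies on the PLIST's `@mode 0750` / `@group _opendnssec` on ${SYSCONFDIR}/opendnssec/ to keep the PIN unreadable by other local users; a short comment tying the two together would keep them from drifting apart in a later update. The SQLite `<Datastore>` path moving from `@OPENDNSSEC_STATE_DIR@/db/kasp.db` to `@OPENDNSSEC_STATE_DIR@/kasp.db` is consistent with the README's migration text, which names the old path as the 1.4 INPUT and the new one as the 2.x default.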
> Index: patches/patch-contrib_ods-sequencer_ods-sequencer-submit_sh
> ===================================================================
> RCS file: patches/patch-contrib_ods-sequencer_ods-sequencer-submit_sh
> diff -N patches/patch-contrib_ods-sequencer_ods-sequencer-submit_sh
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-contrib_ods-sequencer_ods-sequencer-submit_sh 18 Nov 2018 13:42:52 -0000
> @@ -0,0 +1,15 @@
> +$OpenBSD$
> +
> +Index: contrib/ods-sequencer/ods-sequencer-submit.sh
> +--- contrib/ods-sequencer/ods-sequencer-submit.sh.orig
> ++++ contrib/ods-sequencer/ods-sequencer-submit.sh
> +@@ -1,6 +1,6 @@
> +-#!/bin/bash
> ++#!/bin/sh
> +
> +-now=`../../../sbin/ods-enforcer queue 2>&1 | sed -e 's/^It is now.*(\([0-9][0-9]*\)[^)]*).*$/\1/p' -e 'd'`
> +-cat > ../../../var/opendnssec/sequences/$now-dssubmit
> ++now=`${PREFIX}/sbin/ods-enforcer queue 2>&1 | sed -e 's/^It is now.*(\([0-9][0-9]*\)[^)]*).*$/\1/p' -e 'd'`
> ++cat > ${LOCALSTATEDIR}/opendnssec/sequences/$now-dssubmit
> +
> + exit 0
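Review bot: the `now=` line falls back to an empty string when `ods-enforcer queue` is not running or its "It is now" line changes, and `cat > ${LOCALSTATEDIR}/opendnssec/sequences/$now-dssubmit` then writes a file literally named `-dssubmit`; a `[ -n "$now" ] || exit 1` check before the `cat` would fail loudly instead. This is upstream behaviour, but since the port now rewrites the script it is a cheap fix to carry in the same patch.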
> Index: patches/patch-enforcer_utils_1_4-2_0_db_convert_README_md
> ===================================================================
> RCS file: patches/patch-enforcer_utils_1_4-2_0_db_convert_README_md
> diff -N patches/patch-enforcer_utils_1_4-2_0_db_convert_README_md
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-enforcer_utils_1_4-2_0_db_convert_README_md 18 Nov 2018 13:42:52 -0000
> @@ -0,0 +1,75 @@
> +$OpenBSD$
> +
> +Index: enforcer/utils/1.4-2.0_db_convert/README.md
> +--- enforcer/utils/1.4-2.0_db_convert/README.md.orig
> ++++ enforcer/utils/1.4-2.0_db_convert/README.md
> +@@ -16,8 +16,8 @@ General preparation
> + -------------------
> +
> + * First stop OpenDNSSEC entirely.
> +- * You are strongly advised to backup /etc/opendnssec and /var/opendnssec before
> +- continuing.
> ++ * You are strongly advised to backup ${SYSCONFDIR}/opendnssec and
> ++ ${LOCALSTATEDIR}/opendnssec before continuing.
> + * Also prevent any nameserver from receiving updates from OpenDNSSEC until
> + you are sure the migration was successful.
> + * It is discouraged to perform the migration during a rollover. The migration
> +@@ -31,27 +31,32 @@ Conversion Sqlite
> +
> + There are 2 relevant files for the conversion:
> +
> +- * convert_sqlite - A bash conversion script
> +- * sqlite_convert.sql - Contains SQL statements, called by convert_sqlite
> ++ * ${PREFIX}/sbin/ods-migrate-sqlite3 - Conversion script
> ++ * ${PREFIX}/share/opendnssec/migration/migrate-sqlite.sql -
> ++ Contains SQL statements, called by ods-migrate-sqlite3
> +
> +-call the script like so: `./convert_sqlite -i INPUT -o OUTPUT`. Where INPUT is
> +-the kasp.db file commonly found in _/var/opendnssec/kasp.db_. And OUTPUT is a
> +-non-existing file where the new database should go. On success, replace old
> +-database file with the new database file or adjust _conf.xml_ accordingly.
> ++Call the script like so: `${PREFIX}/sbin/ods-migrate-sqlite3 -i INPUT -o OUTPUT`.
> ++Where INPUT is the kasp.db file commonly found in _${LOCALSTATEDIR}/opendnssec/db/kasp.db_.
> ++And OUTPUT is a non-existing file where the new database should go,
> ++default location for OpenDNSSEC 2.x is _${LOCALSTATEDIR}/opendnssec/kasp.db_.
> ++On success, replace old database file with the new database file or adjust
> ++_${SYSCONFDIR}/opendnssec/conf.xml_ accordingly.
> +
> + Conversion MySQL
> + ----------------
> +
> + There are 2 relevant files for the conversion:
> +
> +- * convert_mysql - A bash conversion script
> +- * mysql_convert.sql - Contains SQL statements, called by convert_mysql
> ++ * ${PREFIX}/sbin/ods-migrate-mysql - Conversion script
> ++ * ${PREFIX}/share/opendnssec/migration/migrate-mysql.sql -
> ++ Contains SQL statements, called by convert_mysql
> +
> +-call the script like so: `./convert_sqlite -i INPUT -o OUTPUT -h HOST -u USER
> +--p PASSWORD`. Where INPUT is the name of the existing database on HOST. And
> ++Call the script like so:
> ++`${PREFIX}/sbin/ods-migrate-mysql -i INPUT -o OUTPUT -h HOST -u USER -p PASSWORD`.
> ++Where INPUT is the name of the existing database on HOST. And
> + OUTPUT is a non-existing database on the same host where the new database
> + should go. On success, replace old database with the new database file or
> +-adjust _conf.xml_ accordingly.
> ++adjust _${SYSCONFDIR}/opendnssec/conf.xml_ accordingly.
> +
> + Post Conversion
> + ---------------
> +@@ -59,11 +64,11 @@ Post Conversion
> + ODS 2.0 stores the keytags in the database, 1.4 unfortunately does not.
> + Therefore an additional tool is provided which calculates the keytags and
> + stores them in the database. Make sure that at this point conf.xml points to
> +-the new database. Then run `ods-migrate`.
> ++the new database. Then run `${PREFIX}/sbin/ods-migrate`.
> +
> + Now your new database is ready for use. At this point the signer will refuse to
> +-run because the file `/var/opendnssec/enforcer/zones.xml` does not exist
> +-yet. In ODS 1.4 `/etc/opendnssec/zonelist.xml` is always on par with the
> ++run because the file `${LOCALSTATEDIR}/opendnssec/enforcer/zones.xml` does not exist
> ++yet. In ODS 1.4 `${SYSCONFDIR}/opendnssec/zonelist.xml` is always on par with the
> + database contents (this is no longer true for 2.0) so it is safe to copy this
> + file over to the missing file.
> +
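Review bot: in the MySQL section the line `Contains SQL statements, called by convert_mysql` still refers to the old script name, while the SQLite section above it was updated to `called by ods-migrate-sqlite3`; change it to `called by ods-migrate-mysql` for consistency with the installed name. The rest of the path substitutions (old INPUT under `${LOCALSTATEDIR}/opendnssec/db/kasp.db`, new default under `${LOCALSTATEDIR}/opendnssec/kasp.db`) match the Makefile and conf.xml changes.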
> Index: patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_mysql
> ===================================================================
> RCS file: patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_mysql
> diff -N patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_mysql
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_mysql 18 Nov 2018 13:42:52 -0000
> @@ -0,0 +1,36 @@
> +$OpenBSD$
> +
> +Index: enforcer/utils/1.4-2.0_db_convert/convert_mysql
> +--- enforcer/utils/1.4-2.0_db_convert/convert_mysql.orig
> ++++ enforcer/utils/1.4-2.0_db_convert/convert_mysql
> +@@ -1,11 +1,11 @@
> +-#!/bin/bash
> ++#!/bin/sh
> + set -e
> +
> + # This scipt converts a ODS 1.4.9 MySQL database to ODS 2.0. It assumes both
> + # old and new databases live on the same host and are accessable by the same
> + # user.
> +
> +-SCHEMA=../../src/db/schema.mysql
> ++SCHEMA=${PREFIX}/share/opendnssec/schema.mysql
> +
> + DB_IN=""
> + DB_OUT=""
> +@@ -44,7 +44,7 @@ if [ ! $DB_VERSION -eq 4 ]; then
> + fi
> +
> + # Look for zones without an active key.
> +-Z=`mysql -u $DB_USR -p$DB_PWD -h $DB_HOST $DB_IN < find_problematic_zones.sql`
> ++Z=`mysql -u $DB_USR -p$DB_PWD -h $DB_HOST $DB_IN < ${PREFIX}/share/opendnssec/migration/find_problematic_zones.sql`
> + if [[ $Z = *[![:space:]]* ]]; then
> + echo "Found zones without an active KSK but with a ready KSK waiting for ds-seen. This can cause problem after the conversion if the DS was actually already uploaded. You are adviced to submit these DS records and issue a ds-seen command before continueing. If you know better, disable this check to continue."
> + echo "Zones: $Z"
> +@@ -59,6 +59,6 @@ echo "Creating tables in $DB_OUT (as user $DB_USR)"
> + mysql -u $DB_USR -p$DB_PWD -h $DB_HOST $DB_OUT < $SCHEMA
> +
> + echo "Converting database"
> +-sed "s/REMOTE/$DB_IN/g" mysql_convert.sql > TMP
> ++sed "s/REMOTE/$DB_IN/g" ${PREFIX}/share/opendnssec/migration/migrate-mysql.sql > TMP
> + mysql -u $DB_USR -p$DB_PWD -h $DB_HOST $DB_OUT < TMP
> + rm TMP
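Review bot: every `mysql -u $DB_USR -p$DB_PWD -h $DB_HOST ...` invocation passes the database password on the command line, where it is visible in the process list to any local user for the duration of the conversion; since the port now ships this script under sbin, it is worth patching it to read the password from a `--defaults-extra-file` or to let mysql prompt for it. Also note that the script writes its working copy to a file named `TMP` in the current directory and removes it afterwards, so with `set -e` a failed mysql run leaves the rewritten SQL behind.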
> Index: patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_sqlite
> ===================================================================
> RCS file: patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_sqlite
> diff -N patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_sqlite
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-enforcer_utils_1_4-2_0_db_convert_convert_sqlite 18 Nov 2018 13:42:52 -0000
> @@ -0,0 +1,33 @@
> +$OpenBSD$
> +
> +Index: enforcer/utils/1.4-2.0_db_convert/convert_sqlite
> +--- enforcer/utils/1.4-2.0_db_convert/convert_sqlite.orig
> ++++ enforcer/utils/1.4-2.0_db_convert/convert_sqlite
> +@@ -1,9 +1,9 @@
> +-#!/bin/bash
> ++#!/bin/sh
> + set -e
> +
> + # This scipt converts a ODS 1.4.9 Sqlite database to ODS 2.0.
> +
> +-SCHEMA=../../src/db/schema.sqlite
> ++SCHEMA=${PREFIX}/share/opendnssec/schema.sqlite
> +
> + DB_IN=""
> + DB_OUT=""
> +@@ -36,7 +36,7 @@ if [ ! $DB_VERSION -eq 4 ]; then
> + fi
> +
> + # Look for zones without an active key.
> +-Z=`sqlite3 $DB_IN < find_problematic_zones.sql`
> ++Z=`sqlite3 $DB_IN < ${PREFIX}/share/opendnssec/migration/find_problematic_zones.sql`
> + if [[ $Z = *[![:space:]]* ]]; then
> + echo "Found zones without an active KSK but with a ready KSK waiting for ds-seen. This can cause problem after the conversion if the DS was actually already uploaded. You are adviced to submit these DS records and issue a ds-seen command before continueing. If you know better, disable this check to continue."
> + echo "Zones: $Z"
> +@@ -46,5 +46,5 @@ fi
> + rm -f $DB_OUT
> + sqlite3 $DB_OUT < $SCHEMA
> + echo "attach '$DB_IN' as REMOTE;" |
> +- cat - sqlite_convert.sql | sqlite3 $DB_OUT
> ++ cat - ${PREFIX}/share/opendnssec/migration/migrate-sqlite.sql | sqlite3 $DB_OUT
> +
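Review bot: `rm -f $DB_OUT` just before `sqlite3 $DB_OUT < $SCHEMA` silently deletes an existing OUTPUT, while the converted README states that OUTPUT must be "a non-existing file" and names `${LOCALSTATEDIR}/opendnssec/kasp.db`, the 2.x default, as the usual target; an operator who already ran `ods-enforcer-db-setup` and then points `-o` at that path loses the database without a prompt. Refusing to proceed when `$DB_OUT` exists (`[ -e "$DB_OUT" ] && exit 1`) is safer and matches the documented contract.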
> Index: patches/patch-enforcer_utils_convert_mysql_to_sqlite
> ===================================================================
> RCS file: patches/patch-enforcer_utils_convert_mysql_to_sqlite
> diff -N patches/patch-enforcer_utils_convert_mysql_to_sqlite
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-enforcer_utils_convert_mysql_to_sqlite 18 Nov 2018 13:42:52 -0000
> @@ -0,0 +1,21 @@
> +$OpenBSD$
> +
> +Index: enforcer/utils/convert_mysql_to_sqlite
> +--- enforcer/utils/convert_mysql_to_sqlite.orig
> ++++ enforcer/utils/convert_mysql_to_sqlite
> +@@ -1,11 +1,11 @@
> +-#!/usr/bin/env bash
> ++#!/bin/sh
> + set -e
> +
> +-# This scipt converts a MySQL to a SQLite database. It assumes both
> +-# old and new databases live on the same host and are accessable by the same
> ++# This script converts a MySQL to a SQLite database. It assumes both
> ++# old and new databases live on the same host and are accessible by the same
> + # user.
> +
> +-SCHEMA=../src/db/schema.sqlite
> ++SCHEMA=${PREFIX}/share/opendnssec/schema.sqlite
> +
> + DB_IN=""
> + DB_OUT=""
> Index: patches/patch-enforcer_utils_convert_sqlite_to_mysql
> ===================================================================
> RCS file: patches/patch-enforcer_utils_convert_sqlite_to_mysql
> diff -N patches/patch-enforcer_utils_convert_sqlite_to_mysql
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-enforcer_utils_convert_sqlite_to_mysql 18 Nov 2018 13:42:52 -0000
> @@ -0,0 +1,21 @@
> +$OpenBSD$
> +
> +Index: enforcer/utils/convert_sqlite_to_mysql
> +--- enforcer/utils/convert_sqlite_to_mysql.orig
> ++++ enforcer/utils/convert_sqlite_to_mysql
> +@@ -1,11 +1,11 @@
> +-#!/usr/bin/env bash
> ++#!/bin/sh
> + set -e
> +
> +-# This scipt converts a SQLite3 to a MySQL database. It assumes both
> +-# old and new databases live on the same host and are accessable by the same
> ++# This script converts a SQLite3 to a MySQL database. It assumes both
> ++# old and new databases live on the same host and are accessible by the same
> + # user.
> +
> +-SCHEMA=../src/db/schema.mysql
> ++SCHEMA=${PREFIX}/share/opendnssec/schema.mysql
> +
> + DB_IN=""
> + DB_OUT=""
> Index: pkg/PFRAG.mysql
> ===================================================================
> RCS file: /cvs/ports/security/opendnssec/pkg/PFRAG.mysql,v
> retrieving revision 1.1.1.1
> diff -u -p -r1.1.1.1 PFRAG.mysql
> --- pkg/PFRAG.mysql 13 Oct 2015 17:03:55 -0000 1.1.1.1
> +++ pkg/PFRAG.mysql 18 Nov 2018 13:42:52 -0000
> @@ -1,2 +1,5 @@
> @comment $OpenBSD: PFRAG.mysql,v 1.1.1.1 2015/10/13 17:03:55 jca Exp $
> -share/opendnssec/database_create.mysql
> +sbin/ods-convert_sqlite_to_mysql
> +sbin/ods-migrate-mysql
> +share/opendnssec/migration/migrate-mysql.sql
> +share/opendnssec/schema.mysql
> Index: pkg/PFRAG.sqlite3
> ===================================================================
> RCS file: /cvs/ports/security/opendnssec/pkg/PFRAG.sqlite3,v
> retrieving revision 1.1.1.1
> diff -u -p -r1.1.1.1 PFRAG.sqlite3
> --- pkg/PFRAG.sqlite3 13 Oct 2015 17:03:55 -0000 1.1.1.1
> +++ pkg/PFRAG.sqlite3 18 Nov 2018 13:42:52 -0000
> @@ -1,2 +1,5 @@
> @comment $OpenBSD: PFRAG.sqlite3,v 1.1.1.1 2015/10/13 17:03:55 jca Exp $
> -share/opendnssec/database_create.sqlite3
> +sbin/ods-convert_mysql_to_sqlite
> +sbin/ods-migrate-sqlite3
> +share/opendnssec/migration/migrate-sqlite.sql
> +share/opendnssec/schema.sqlite
> Index: pkg/PLIST
> ===================================================================
> RCS file: /cvs/ports/security/opendnssec/pkg/PLIST,v
> retrieving revision 1.3
> diff -u -p -r1.3 PLIST
> --- pkg/PLIST 4 Sep 2018 12:46:21 -0000 1.3
> +++ pkg/PLIST 18 Nov 2018 13:42:52 -0000
> @@ -1,36 +1,44 @@
> @comment $OpenBSD: PLIST,v 1.3 2018/09/04 12:46:21 espie Exp $
> +@conflict opendnssec-<2.1.3
> +@ask-update opendnssec-<2.1.3 OpenDNSSEC enforcer database migration required
> @newgroup _opendnssec:757
> @newuser _opendnssec:757:_opendnssec:daemon:OpenDNSSEC Account:/nonexistent:/sbin/nologin
> -@bin bin/ods-getconf
> +@rcscript ${RCDIR}/opendnssec
> @bin bin/ods-hsmspeed
> @bin bin/ods-hsmutil
> bin/ods-kasp2html
> @bin bin/ods-kaspcheck
> -@bin bin/ods-ksmutil
> @man man/man1/ods-hsmspeed.1
> @man man/man1/ods-hsmutil.1
> @man man/man1/ods-kaspcheck.1
> -@man man/man1/ods-ksmutil.1
> +@man man/man5/ods-kasp.5
> @man man/man5/ods-timing.5
> @man man/man7/opendnssec.7
> @man man/man8/ods-control.8
> +@man man/man8/ods-enforcer-db-setup.8
> +@man man/man8/ods-enforcer.8
> @man man/man8/ods-enforcerd.8
> -@man man/man8/ods-getconf.8
> @man man/man8/ods-signer.8
> @man man/man8/ods-signerd.8
> sbin/ods-control
> +@bin sbin/ods-enforcer
> +@bin sbin/ods-enforcer-db-setup
> @bin sbin/ods-enforcerd
> +@bin sbin/ods-migrate
> @bin sbin/ods-signer
> @bin sbin/ods-signerd
> +share/doc/opendnssec/
> +share/doc/opendnssec/LICENSE
> +share/doc/opendnssec/MIGRATE_1.4-2.0.md
> +share/doc/opendnssec/MIGRATION
> +share/doc/opendnssec/NEWS
> +share/doc/pkg-readmes/${PKGSTEM}
> +share/examples/opendnssec/
> @mode 0750
> @group _opendnssec
> @sample ${SYSCONFDIR}/opendnssec/
> @mode
> @group
> -share/doc/opendnssec/
> -share/doc/opendnssec/LICENSE
> -share/doc/pkg-readmes/${PKGSTEM}
> -share/examples/opendnssec/
> share/examples/opendnssec/addns.xml
> @mode 0640
> @group _opendnssec
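Review bot: `@ask-update opendnssec-<2.1.3 OpenDNSSEC enforcer database migration required` is the right mechanism to stop an unattended pkg_add from upgrading past the database migration, but the threshold should express what actually needs migrating: the 1.4 to 2.x database change, so `opendnssec-<2` (or `<2.0`) would prompt exactly the 1.4.x users and not anyone on a future 2.x to 2.x update. The `@conflict opendnssec-<2.1.3` marker on the package's own stem adds nothing, since packages with the same stem already replace each other.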
> @@ -52,6 +60,11 @@ share/examples/opendnssec/kasp.xml
> @mode
> @group
> share/examples/opendnssec/kasp.xml.sample
> +share/examples/opendnssec/ods-sequencer/
> +share/examples/opendnssec/ods-sequencer/ods-sequencer
> +share/examples/opendnssec/ods-sequencer/ods-sequencer-submit.sh
> +share/examples/opendnssec/ods-sequencer/ods-sequencer.md
> +share/examples/opendnssec/simple-dnskey-mailer.sh
> share/examples/opendnssec/zonelist.xml
> @mode 0640
> @group _opendnssec
> @@ -64,27 +77,26 @@ share/opendnssec/addns.rnc
> share/opendnssec/addns.rng
> share/opendnssec/conf.rnc
> share/opendnssec/conf.rng
> -%%sqlite3%%
> -%%mysql%%
> share/opendnssec/enforcerstate.rnc
> share/opendnssec/enforcerstate.rng
> share/opendnssec/kasp.rnc
> share/opendnssec/kasp.rng
> share/opendnssec/kasp2html.xsl
> +share/opendnssec/migration/
> +share/opendnssec/migration/find_problematic_zones.sql
> share/opendnssec/signconf.rnc
> share/opendnssec/signconf.rng
> -share/opendnssec/simple-dnskey-mailer.sh
> share/opendnssec/zonelist.rnc
> share/opendnssec/zonelist.rng
> -@sample ${LOCALSTATEDIR}/opendnssec/
> +%%sqlite3%%
> +%%mysql%%
> +@mode 0750
> @owner _opendnssec
> @group _opendnssec
> -@sample ${LOCALSTATEDIR}/opendnssec/db/
> +@sample ${LOCALSTATEDIR}/opendnssec/
> +@sample ${LOCALSTATEDIR}/opendnssec/enforcer/
> @sample ${LOCALSTATEDIR}/opendnssec/signconf/
> @sample ${LOCALSTATEDIR}/opendnssec/signed/
> -@sample ${LOCALSTATEDIR}/opendnssec/tmp/
> +@sample ${LOCALSTATEDIR}/opendnssec/signer/
> @sample ${LOCALSTATEDIR}/opendnssec/unsigned/
> -@sample ${LOCALSTATEDIR}/opendnssec/softhsm/
> -@owner
> -@group
> -@rcscript ${RCDIR}/opendnssec
> +@sample ${LOCALSTATEDIR}/run/opendnssec/
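Review bot: the trailing `@mode 0750` / `@owner _opendnssec` / `@group _opendnssec` now apply to every `@sample` directory to the end of the file and are never reset (the old `@owner` / `@group` reset lines were dropped); that is harmless while these are the last entries, but anything appended below later will silently inherit the daemon ownership, so keeping the resets at the end is cheap insurance. The `@sample ${LOCALSTATEDIR}/opendnssec/db/` removal is consistent with the datastore moving to `${LOCALSTATEDIR}/opendnssec/kasp.db`; the old db/ directory is left in place on upgrade, which is what the migration instructions rely on.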
> Index: pkg/README
> ===================================================================
> RCS file: /cvs/ports/security/opendnssec/pkg/README,v
> retrieving revision 1.3
> diff -u -p -r1.3 README
> --- pkg/README 4 Sep 2018 12:46:21 -0000 1.3
> +++ pkg/README 18 Nov 2018 13:42:52 -0000
> @@ -8,43 +8,171 @@ Getting started
> ===============
> This is a summary of steps needed to get OpenDNSSEC up and running in a
> basic state using SoftHSM as the key backend. Make sure you have
> -installed the softhsm package before proceeding.
> +installed the softhsm2 package before proceeding.
>
> Initial setup of SoftHSM
> ------------------------
> -Configure SoftHSM to store its token in
> -${LOCALSTATEDIR}/opendnssec/softhsm/:
> -# vi ${SYSCONFDIR}/softhsm.conf
> -
> -Initialize the SoftHSM token (here assuming you used slot 0).
> -The user PIN code has to match the <PIN> configured in
> -${SYSCONFDIR}/opendnssec/conf.xml:
> -# softhsm --init-token --slot 0 --label OpenDNSSEC
> +If you plan to use SoftHSM, install softhsm2 package:
>
> -Make sure the token is writeable by the _opendnssec user:
> -# chown _opendnssec ${LOCALSTATEDIR}/opendnssec/softhsm/slot0.db
> + # pkg_add softhsm2
> +
> +Create ${LOCALSTATEDIR}/opendnssec/softhsm/ directory for tokens storage,
> +instruct opendnssec to use this location:
> +
> + # install -d -o _opendnssec -g _opendnssec -m 700 \
> + ${LOCALSTATEDIR}/opendnssec/softhsm/
> +
> + # grep tokendir ${SYSCONFDIR}/softhsm2.conf
> + directories.tokendir = ${LOCALSTATEDIR}/opendnssec/softhsm/
> +
> +Choose preferred storage method, either 'file' or 'sqlite3':
> +
> + # grep objectstore ${SYSCONFDIR}/softhsm2.conf
> + objectstore.backend = db
> +
> +Initialize the SoftHSM token (here assuming you are using slot 0):
> +
> + # doas -u _opendnssec softhsm2-util --init-token --slot 0 \
> + --label OpenDNSSEC
> +
> +User PIN and token label must be reflected in appropriate sections
> +of ${SYSCONFDIR}/opendnssec/conf.xml:
> +
> + # grep PIN ${SYSCONFDIR}/opendnssec/conf.xml
> + <PIN>MySecretUserPIN</PIN>
> +
> + # grep TokenLabel ${SYSCONFDIR}/opendnssec/conf.xml
> + <TokenLabel>OpenDNSSEC</TokenLabel>
> +Verify token:
> +
> + # doas -u _opendnssec softhsm2-util --show-slots
> + Available slots:
> + Slot 1557156002
> + Slot info:
> + Description: SoftHSM slot ID 0x5cd050a2
> + Manufacturer ID: SoftHSM project
> + Hardware version: 2.5
> + Firmware version: 2.5
> + Token present: yes
> + Token info:
> + Manufacturer ID: SoftHSM project
> + Model: SoftHSM v2
> + Hardware version: 2.5
> + Firmware version: 2.5
> + Serial number: e1a305015cd050a2
> + Initialized: yes
> + User PIN init.: yes
> + Label: OpenDNSSEC
>
> Bootstrapping OpenDNSSEC
> ------------------------
> +
> +Check if the configuration is valid:
> +
> + # doas -u _opendnssec ods-kaspcheck
> + INFO: The XML in ${SYSCONFDIR}/opendnssec/conf.xml is valid
> + ERROR: SQLite datastore (${LOCALSTATEDIR}/opendnssec/kasp.db) does not exist
> + INFO: The XML in ${SYSCONFDIR}/opendnssec/kasp.xml is valid
> + INFO: The XML in ${SYSCONFDIR}/opendnssec/zonelist.xml is valid
> +
> Create an initial KASP database (if you are running the mysql flavor you
> will first need to configure mariadb-server and modify <Datastore> in
> ${SYSCONFDIR}/opendnssec/conf.xml):
> -# ods-ksmutil setup
>
> -Start the OpenDNSSEC system:
> -# rcctl start opendnssec
> + # doas -u _opendnssec ods-enforcer-db-setup
> + *WARNING* This will erase all data in the database; are you sure? [y/N] y
> + Database setup successfully.
> +
> +Start OpenDNSSEC:
> +
> + # rcctl start opendnssec
> +
> +Import policy:
> +
> + # doas -u _opendnssec ods-enforcer policy import
> + Created policy default successfully
> +
> +Check policy:
> +
> + # ods-enforcer policy list
> + Policy: Description:
> + default ECDSAP256SHA256 NSEC3 KSK1Y ZSK90D
>
> Copy an unsigned zone file into the unsigned/ directory:
> -# cp <somewhere>/example.com ${LOCALSTATEDIR}/opendnssec/unsigned/
>
> -Add the zone:
> -# ods-ksmutil zone add --zone example.com --policy default
> + # cp <somewhere>/example.com ${LOCALSTATEDIR}/opendnssec/unsigned/
> +
> +Import zones from zonelist.xml:
>
> -Notify the enforcer of the updated database:
> -# ods-control enforcer notify
> + # doas -u _opendnssec ods-enforcer zonelist import
> + Zone example.com created successfully
>
> -You now have a signed version of example.com in the signed/ directory:
> -# cat ${LOCALSTATEDIR}/opendnssec/signed/example.com
> +Or add the zone from the command line:
>
> -List the keys for the zone:
> -# ods-ksmutil key list -v
> + # doas -u _opendnssec ods-enforcer zone add --zone example.com
> + input is set to ${LOCALSTATEDIR}/opendnssec/unsigned/example.com.
> + output is set to ${LOCALSTATEDIR}/opendnssec/signed/example.com.
> + Zone example.com added successfully
> +
> +Check the zone:
> +
> + # doas -u _opendnssec ods-enforcer zone list
> + Database set to: ${LOCALSTATEDIR}/opendnssec/kasp.db
> + Zones:
> + Zone: Policy: Next change:
> + example.com default Fri Nov 16 14:50:25 2018
> +
> +List the keys:
> +
> + # ods-enforcer key list
> + Keys:
> + Zone: Keytype: State: Date of next transition:
> + example.com KSK publish 2018-11-16 14:50:25
> + example.com ZSK ready 2018-11-16 14:50:25
> +
> +After the KSK state transitions to "waiting for ds-seen", export the DS record:
> +
> + # doas -u _opendnssec ods-enforcer key list
> + Keys:
> + Zone:
> + example.com KSK ready waiting for ds-seen
> + example.com ZSK active 2019-02-14 00:50:25
> +
> + # doas -u _opendnssec ods-enforcer key export --zone example.com \
> + --keystate ready --keytype KSK --ds
> + ;ready KSK DS record (SHA256):
> + example.com. 600 IN DS 65331 13 2 <DSKEY>
> +
> +Before submitting DS record to the parent zone, run:
> +
> + # doas -u _opendnssec \
> + ods-enforcer key ds-submit --zone example.com --keytag 65331
> +
> +Then submit the DS record to the parent zone.
> +
> +When DS RR appears in the parent zone, activate the KSK:
> +
> + # ods-enforcer key ds-seen --zone example.com --keytag 65331
> + 1 KSK matches found.
> + 1 KSKs changed.
> + # ods-enforcer key list -v
> + Keys:
> + Zone: Keytype: State: Date of next transition:
> + example.com KSK active 2018-11-17 20:07:31
> + example.com ZSK active 2018-11-17 20:07:31
> +
> +The signed zone will appear in ${LOCALSTATEDIR}/opendnssec/signed/ directory
> +or will be transferred to your authoritative DNS server, depending on the zone
> +output configuration.
> +
> +Upgrading from version 1.4.x to 2.x
> +-----------------------------------
> +OpenDNSSEC enforcer database migration is required if you are upgrading from
> +1.4.x to 2.x. Read ${PREFIX}/share/doc/MIGRATE* documents for more information.
> +
> +Database conversion scripts
> +---------------------------
> +Note that OpenDNSSEC database conversion scripts are installed in
> +${PREFIX}/sbin and renamed:
> + convert_mysql_to_sqlite to ods-convert_mysql_to_sqlite
> + convert_sqlite_to_mysql to ods-convert_sqlite_to_mysql
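Review bot: the text "Choose preferred storage method, either 'file' or 'sqlite3'" does not match the value shown right below it, `objectstore.backend = db`; say which spelling softhsm2.conf actually accepts and make the example agree with it, otherwise readers will copy a setting that is documented one way and shown another. The walkthrough also alternates between running ods-enforcer as root (`# ods-enforcer policy list`, `# ods-enforcer key list`, `# ods-enforcer key ds-seen ...`) and as `doas -u _opendnssec`; since conf.xml now drops privileges to `_opendnssec`, using the doas form consistently avoids root-created files in `${LOCALSTATEDIR}/opendnssec/`. Minor: a blank line is missing before "Verify token:" in the SoftHSM section.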
