commit pdns for openSUSE:Factory
Hello community, here is the log from the commit of package pdns for openSUSE:Factory checked in at 2014-10-31 18:27:39 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/pdns (Old) and /work/SRC/openSUSE:Factory/.pdns.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "pdns" Changes: -------- --- /work/SRC/openSUSE:Factory/pdns/pdns.changes 2014-10-29 21:11:16.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.pdns.new/pdns.changes 2014-10-31 20:20:32.000000000 +0100 @@ -1,0 +2,23 @@ +Thu Oct 30 15:36:02 UTC 2014 - michael@stroeder.com + +- update to version 3.4.1 + +Changes since 3.4.0: + + * commit dcd6524, commit a8750a5, commit 7dc86bf, commit 2fda71f: PowerDNS now + polls the security status of a release at startup and periodically. More + detail on this feature, and how to turn it off, can be found in Section 2, + “Security polling”. + + * commit 5fe6dc0: API: Replace HTTP Basic auth with static key in custom header + (X-API-Key) + + * commit 4a95ab4: Use transaction for pdnssec increase-serial + + * commit 6e82a23: Don't empty ordername during pdnssec increase-serial + + * commit 535f4e3: honor SOA-EDIT while considering "empty IXFR" fallback, fixes + ticket 1835. This fixes slaving of signed zones to IXFR-aware slaves like NSD + or BIND. + +------------------------------------------------------------------- Old: ---- pdns-3.4.0.tar.bz2 New: ---- pdns-3.4.1.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pdns.spec ++++++ --- /var/tmp/diff_new_pack.eNn8Xx/_old 2014-10-31 20:20:33.000000000 +0100 +++ /var/tmp/diff_new_pack.eNn8Xx/_new 2014-10-31 20:20:33.000000000 +0100 
@@ -17,11 +17,11 @@ Name: pdns -Version: 3.4.0 +Version: 3.4.1 Release: 0 # %define pkg_name pdns -%define pkg_version 3.4.0 +%define pkg_version 3.4.1 %define polarssl_version 1.3.2 # %define home %{_var}/lib/pdns ++++++ pdns-3.4.0.tar.bz2 -> pdns-3.4.1.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.0/build-scripts/redhat/pdns-server-test.spec new/pdns-3.4.1/build-scripts/redhat/pdns-server-test.spec --- old/pdns-3.4.0/build-scripts/redhat/pdns-server-test.spec 2014-09-30 11:23:37.000000000 +0200 +++ new/pdns-3.4.1/build-scripts/redhat/pdns-server-test.spec 2014-10-30 11:18:22.000000000 +0100 @@ -9,7 +9,7 @@ Epoch: 0 License: GPL Group: System/Servers -Source: http://downloads.powerdns.com/releases/pdns-3.4.0.tar.bz2 +Source: http://downloads.powerdns.com/releases/pdns-3.4.1.tar.bz2 BuildRequires: autoconf automake BuildRequires: gcc gcc-c++ @@ -30,7 +30,7 @@ PowerDNS testbuild %prep -%setup -q -n pdns-3.4.0 +%setup -q -n pdns-3.4.1 %build %configure \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.0/configure new/pdns-3.4.1/configure --- old/pdns-3.4.0/configure 2014-09-30 11:23:48.000000000 +0200 +++ new/pdns-3.4.1/configure 2014-10-30 11:18:31.000000000 +0100 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for pdns 3.4.0. +# Generated by GNU Autoconf 2.69 for pdns 3.4.1. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -587,8 +587,8 @@ # Identity of this package. PACKAGE_NAME='pdns' PACKAGE_TARNAME='pdns' -PACKAGE_VERSION='3.4.0' -PACKAGE_STRING='pdns 3.4.0' +PACKAGE_VERSION='3.4.1' +PACKAGE_STRING='pdns 3.4.1' PACKAGE_BUGREPORT='' PACKAGE_URL='' 
@@ -1471,7 +1471,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures pdns 3.4.0 to adapt to many kinds of systems. +\`configure' configures pdns 3.4.1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1541,7 +1541,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of pdns 3.4.0:";; + short | recursive ) echo "Configuration of pdns 3.4.1:";; esac cat <<\_ACEOF @@ -1737,7 +1737,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -pdns configure 3.4.0 +pdns configure 3.4.1 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2344,7 +2344,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by pdns $as_me 3.4.0, which was +It was created by pdns $as_me 3.4.1, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3167,7 +3167,7 @@ # Define the identity of the package. PACKAGE='pdns' - VERSION='3.4.0' + VERSION='3.4.1' cat >>confdefs.h <<_ACEOF @@ -21020,7 +21020,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by pdns $as_me 3.4.0, which was +This file was extended by pdns $as_me 3.4.1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -21086,7 +21086,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -pdns config.status 3.4.0 +pdns config.status 3.4.1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.0/configure.ac new/pdns-3.4.1/configure.ac --- old/pdns-3.4.0/configure.ac 2014-09-30 11:23:37.000000000 +0200 +++ new/pdns-3.4.1/configure.ac 2014-10-30 11:18:22.000000000 +0100 @@ -1,7 +1,7 @@ AC_PREREQ([2.61]) dnl The following lines may be patched by set-version-auth. -AC_INIT([pdns], [3.4.0]) +AC_INIT([pdns], [3.4.1]) AC_SUBST([DIST_HOST], [jenkins@autotest.powerdns.com]) dnl End patch area. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.0/debian-pdns/changelog new/pdns-3.4.1/debian-pdns/changelog --- old/pdns-3.4.0/debian-pdns/changelog 2014-09-30 11:23:37.000000000 +0200 +++ new/pdns-3.4.1/debian-pdns/changelog 2014-10-30 11:18:22.000000000 +0100 @@ -1,4 +1,4 @@ -pdns (3.4.0-1) unstable; urgency=medium +pdns (3.4.1-1) unstable; urgency=medium * fill in the blanks diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.0/pdns/Makefile.am new/pdns-3.4.1/pdns/Makefile.am --- old/pdns-3.4.0/pdns/Makefile.am 2014-08-29 16:02:13.000000000 +0200 +++ new/pdns-3.4.1/pdns/Makefile.am 2014-10-30 11:18:22.000000000 +0100 
@@ -58,7 +58,7 @@ bindparser.cc bindlexer.c \ backends/gsql/gsqlbackend.cc \ backends/gsql/gsqlbackend.hh backends/gsql/ssql.hh \ -base64.cc sillyrecords.cc \ +base64.cc sillyrecords.cc secpoll-auth.cc secpoll-auth.hh \ base64.hh zoneparser-tng.cc dnsrecords.cc dnswriter.cc \ rcpgenerator.cc dnsparser.cc dns_random.hh dns_random.cc\ randomhelper.cc namespaces.hh nsecrecords.cc base32.cc dbdnsseckeeper.cc dnssecinfra.cc \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.0/pdns/Makefile.in new/pdns-3.4.1/pdns/Makefile.in --- old/pdns-3.4.0/pdns/Makefile.in 2014-09-30 11:23:53.000000000 +0200 +++ new/pdns-3.4.1/pdns/Makefile.in 2014-10-30 11:18:39.000000000 +0100 @@ -326,11 +326,12 @@ utility.hh iputils.hh common_startup.hh unix_semaphore.cc \ bind-dnssec.schema.sqlite3.sql.h bindparser.cc bindlexer.c \ backends/gsql/gsqlbackend.cc backends/gsql/gsqlbackend.hh \ - backends/gsql/ssql.hh base64.cc sillyrecords.cc base64.hh \ - zoneparser-tng.cc dnsrecords.cc dnswriter.cc rcpgenerator.cc \ - dnsparser.cc dns_random.hh dns_random.cc randomhelper.cc \ - namespaces.hh nsecrecords.cc base32.cc dbdnsseckeeper.cc \ - dnssecinfra.cc dnsseckeeper.hh dnssecinfra.hh base32.hh dns.cc \ + backends/gsql/ssql.hh base64.cc sillyrecords.cc \ + secpoll-auth.cc secpoll-auth.hh base64.hh zoneparser-tng.cc \ + dnsrecords.cc dnswriter.cc rcpgenerator.cc dnsparser.cc \ + dns_random.hh dns_random.cc randomhelper.cc namespaces.hh \ + nsecrecords.cc base32.cc dbdnsseckeeper.cc dnssecinfra.cc \ + dnsseckeeper.hh dnssecinfra.hh base32.hh dns.cc \ dnssecsigner.cc polarrsakeyinfra.cc sha.hh md5.hh \ signingpipe.cc signingpipe.hh dnslabeltext.cc lua-pdns.cc \ lua-auth.cc lua-auth.hh serialtweaker.cc ednssubnet.cc \ 
@@ -357,7 +358,7 @@ unix_utility.$(OBJEXT) common_startup.$(OBJEXT) \ unix_semaphore.$(OBJEXT) bindparser.$(OBJEXT) \ bindlexer.$(OBJEXT) backends/gsql/gsqlbackend.$(OBJEXT) \ - base64.$(OBJEXT) sillyrecords.$(OBJEXT) \ + base64.$(OBJEXT) sillyrecords.$(OBJEXT) secpoll-auth.$(OBJEXT) \ zoneparser-tng.$(OBJEXT) dnsrecords.$(OBJEXT) \ dnswriter.$(OBJEXT) rcpgenerator.$(OBJEXT) dnsparser.$(OBJEXT) \ dns_random.$(OBJEXT) randomhelper.$(OBJEXT) \ 
@@ -961,18 +962,18 @@ unix_semaphore.cc bind-dnssec.schema.sqlite3.sql.h \ bindparser.cc bindlexer.c backends/gsql/gsqlbackend.cc \ backends/gsql/gsqlbackend.hh backends/gsql/ssql.hh base64.cc \ - sillyrecords.cc base64.hh zoneparser-tng.cc dnsrecords.cc \ - dnswriter.cc rcpgenerator.cc dnsparser.cc dns_random.hh \ - dns_random.cc randomhelper.cc namespaces.hh nsecrecords.cc \ - base32.cc dbdnsseckeeper.cc dnssecinfra.cc dnsseckeeper.hh \ - dnssecinfra.hh base32.hh dns.cc dnssecsigner.cc \ - polarrsakeyinfra.cc sha.hh md5.hh signingpipe.cc \ - signingpipe.hh dnslabeltext.cc lua-pdns.cc lua-auth.cc \ - lua-auth.hh serialtweaker.cc ednssubnet.cc ednssubnet.hh \ - cachecleaner.hh json.cc json.hh version.hh version.cc \ - rfc2136handler.cc responsestats.cc responsestats.hh comment.hh \ - auth-carbon.cc $(am__append_5) $(am__append_7) $(am__append_9) \ - $(am__append_11) $(am__append_13) + sillyrecords.cc secpoll-auth.cc secpoll-auth.hh base64.hh \ + zoneparser-tng.cc dnsrecords.cc dnswriter.cc rcpgenerator.cc \ + dnsparser.cc dns_random.hh dns_random.cc randomhelper.cc \ + namespaces.hh nsecrecords.cc base32.cc dbdnsseckeeper.cc \ + dnssecinfra.cc dnsseckeeper.hh dnssecinfra.hh base32.hh dns.cc \ + dnssecsigner.cc polarrsakeyinfra.cc sha.hh md5.hh \ + signingpipe.cc signingpipe.hh dnslabeltext.cc lua-pdns.cc \ + lua-auth.cc lua-auth.hh serialtweaker.cc ednssubnet.cc \ + ednssubnet.hh cachecleaner.hh json.cc json.hh version.hh \ + version.cc rfc2136handler.cc responsestats.cc responsestats.hh \ + comment.hh auth-carbon.cc $(am__append_5) $(am__append_7) \ + $(am__append_9) $(am__append_11) $(am__append_13) pdns_server_LDFLAGS = @moduleobjects@ @modulelibs@ $(DYNLINKFLAGS) @LIBDL@ $(THREADFLAGS) $(BOOST_SERIALIZATION_LDFLAGS) -rdynamic pdns_server_LDADD = $(POLARSSL_LIBS) $(BOOST_SERIALIZATION_LIBS) \ $(LUA_LIBS) $(SQLITE3_LIBS) $(YAHTTP_LIBS) $(am__append_6) \ 
@@ -1498,6 +1499,7 @@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rfc2136handler.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/saxfr.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sdig.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/secpoll-auth.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/selectmplexer.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/serialtweaker.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/signingpipe.Po@am__quote@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.0/pdns/common_startup.cc new/pdns-3.4.1/pdns/common_startup.cc --- old/pdns-3.4.0/pdns/common_startup.cc 2014-09-22 12:32:05.000000000 +0200 +++ new/pdns-3.4.1/pdns/common_startup.cc 2014-10-28 13:51:22.000000000 +0100 @@ -21,6 +21,7 @@ */ #include "common_startup.hh" #include "ws-auth.hh" +#include "secpoll-auth.hh" bool g_anyToTcp; typedef Distributor<DNSPacket,DNSPacket,PacketHandler> DNSDistributor; @@ -61,6 +62,7 @@ ::arg().set("retrieval-threads", "Number of AXFR-retrieval threads for slave operation")="2"; ::arg().setSwitch("experimental-json-interface", "If the webserver should serve JSON data")="no"; ::arg().setSwitch("experimental-api-readonly", "If the JSON API should disallow data modification")="no"; + ::arg().set("experimental-api-key", "REST API Static authentication key (required for API use)")=""; ::arg().setSwitch("experimental-dname-processing", "If we should support DNAME records")="no"; ::arg().setCmd("help","Provide a helpful message"); @@ -159,6 +161,7 @@ ::arg().set("max-nsec3-iterations","Limit the number of NSEC3 hash iterations")="500"; // RFC5155 10.3 ::arg().set("include-dir","Include *.conf files from this directory"); + ::arg().set("security-poll-suffix","Domain name from which to query security update notifications")="secpoll.powerdns.com."; } void declareStats(void) 
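Review bot: The new `security-poll-suffix` option gets a default but its help text does not say how to switch polling off, which is what the changelog entry tells readers to look for; doSecPoll in secpoll-auth.cc returns immediately when the value is empty. Suggest `::arg().set("security-poll-suffix","Domain name from which to query security update notifications; empty disables polling")="secpoll.powerdns.com.";`. The same applies to `experimental-api-key` in the @@ -61 hunk: its string could state that an empty key makes apiWrapper in webserver.cc reject every API request, so an operator reading `--help` sees that the API is off by default rather than open.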
@@ -198,7 +201,7 @@ S.declare("servfail-packets","Number of times a server-failed packet was sent out"); S.declare("latency","Average number of microseconds needed to answer a question"); S.declare("timedout-packets","Number of packets which weren't answered within timeout set"); - + S.declare("security-status", "Security status based on regular polling"); S.declareRing("queries","UDP Queries Received"); S.declareRing("nxdomain-queries","Queries for non-existent records within existent domains"); S.declareRing("noerror-queries","Queries for existing records, but for type we don't have"); @@ -362,6 +365,9 @@ DNSPacket::s_udpTruncationThreshold = std::max(512, ::arg().asNum("udp-truncation-threshold")); DNSPacket::s_doEDNSSubnetProcessing = ::arg().mustDo("edns-subnet-processing"); + + doSecPoll(true); // this must be BEFORE chroot + if(!::arg()["chroot"].empty()) { if(::arg().mustDo("master") || ::arg().mustDo("slave")) gethostbyname("a.root-servers.net"); // this forces all lookup libraries to be loaded @@ -399,13 +405,19 @@ TN->go(); // tcp nameserver launch pthread_create(&qtid,0,carbonDumpThread, 0); // runs even w/o carbon, might change @ runtime + // fork(); (this worked :-)) unsigned int max_rthreads= ::arg().asNum("receiver-threads", 1); for(unsigned int n=0; n < max_rthreads; ++n) pthread_create(&qtid,0,qthread, reinterpret_cast<void *>(n)); // receives packets - void *p; - pthread_join(qtid, &p); + for(;;) { + sleep(1800); + try { + doSecPoll(false); + } + catch(...){} + } L<<Logger::Error<<"Mainthread exiting - should never happen"<<endl; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.0/pdns/docs/dnsdist.1 new/pdns-3.4.1/pdns/docs/dnsdist.1 --- old/pdns-3.4.0/pdns/docs/dnsdist.1 2014-09-30 11:24:27.000000000 +0200 +++ new/pdns-3.4.1/pdns/docs/dnsdist.1 2014-10-30 11:19:09.000000000 +0100 
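Review bot: `doSecPoll(true);` at startup is called bare, while the periodic call later in this same function is wrapped in try/catch; doResolve constructs `Socket sock(...)` and `MOADNSParser mdp(reply)` outside any handler, so a socket error or a malformed answer from a resolver would, as far as the hunk shows, unwind out of mainthread and abort startup instead of leaving the status at its initial 0. Suggest `try { doSecPoll(true); } catch(...) { L<<Logger::Warning<<"Security poll at startup failed"<<endl; }` so the poll stays best-effort. The call is also synchronous and, going by `waitForData(sock.getHandle(), 2, 0)` in doResolve, presumably waits up to two seconds per unreachable nameserver from resolv.conf; a comment next to the call saying that startup is delayed by this would save the next reader a trip into secpoll-auth.cc.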
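Review bot: The periodic poll loop swallows every failure with `catch(...){}`, so a poll that throws (unparsable resolv.conf entry, socket error, malformed reply) leaves no trace in the log and `S.set("security-status", ...)` is never reached, leaving the stat at whatever it was. Suggest catching `std::exception& e` first and logging `e.what()` at Warning, keeping `catch(...)` only as the last resort with a generic message. The fixed `sleep(1800)` also means a poll that fails right after startup is not retried for 30 minutes; that interval is a reasonable default but deserves a comment, and a shorter retry while the status is still 0 would be cheap. Note that this loop now replaces the `pthread_join` on the last receiver thread, so mainthread no longer exits when that thread does — the `Mainthread exiting` log line below is now unreachable in practice.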
@@ -2,12 +2,12 @@ .\" Title: dnsdist .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 09/30/2014 +.\" Date: 10/30/2014 .\" Manual: \ \& .\" Source: \ \& .\" Language: English .\" -.TH "DNSDIST" "1" "09/30/2014" "\ \&" "\ \&" +.TH "DNSDIST" "1" "10/30/2014" "\ \&" "\ \&" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.0/pdns/docs/dnstcpbench.1 new/pdns-3.4.1/pdns/docs/dnstcpbench.1 --- old/pdns-3.4.0/pdns/docs/dnstcpbench.1 2014-09-30 11:24:26.000000000 +0200 +++ new/pdns-3.4.1/pdns/docs/dnstcpbench.1 2014-10-30 11:19:07.000000000 +0100 @@ -2,12 +2,12 @@ .\" Title: dnstcpbench .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 09/30/2014 +.\" Date: 10/30/2014 .\" Manual: \ \& .\" Source: \ \& .\" Language: English .\" -.TH "DNSTCPBENCH" "1" "09/30/2014" "\ \&" "\ \&" +.TH "DNSTCPBENCH" "1" "10/30/2014" "\ \&" "\ \&" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.0/pdns/pdns.conf-dist new/pdns-3.4.1/pdns/pdns.conf-dist --- old/pdns-3.4.0/pdns/pdns.conf-dist 2014-08-12 13:32:10.000000000 +0200 +++ new/pdns-3.4.1/pdns/pdns.conf-dist 2014-10-28 11:41:09.000000000 +0100 
@@ -145,6 +145,11 @@ # entropy-source=/dev/urandom ################################# +# experimental-api-key REST API Static authentication key (required for API use) +# +# experimental-api-key= + +################################# # experimental-api-readonly If the JSON API should disallow data modification # # experimental-api-readonly=no @@ -370,6 +375,11 @@ # reuseport=no ################################# +# security-poll-suffix Domain name from which to query security update notifications +# +# security-poll-suffix=secpoll.powerdns.com. + +################################# # send-root-referral Send out old-fashioned root-referral instead of ServFail in case of no authority # # send-root-referral=no diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.0/pdns/pdns_recursor.cc new/pdns-3.4.1/pdns/pdns_recursor.cc --- old/pdns-3.4.0/pdns/pdns_recursor.cc 2014-09-25 13:42:01.000000000 +0200 +++ new/pdns-3.4.1/pdns/pdns_recursor.cc 2014-10-30 11:18:22.000000000 +0100 
@@ -2101,6 +2101,7 @@ ::arg().set("experimental-webserver-password", "Password required for accessing the webserver") = ""; ::arg().set("webserver-allow-from","Webserver access is only allowed from these subnets")="0.0.0.0/0,::/0"; ::arg().set("experimental-api-config-dir", "Directory where REST API stores config and zones") = ""; + ::arg().set("experimental-api-key", "REST API Static authentication key (required for API use)") = ""; ::arg().set("carbon-ourname", "If set, overrides our reported hostname for carbon stats")=""; ::arg().set("carbon-server", "If set, send metrics in carbon (graphite) format to this server")=""; ::arg().set("carbon-interval", "Number of seconds between carbon (graphite) updates")="30"; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.0/pdns/pdnssec.cc new/pdns-3.4.1/pdns/pdnssec.cc --- old/pdns-3.4.0/pdns/pdnssec.cc 2014-07-29 14:58:22.000000000 +0200 +++ new/pdns-3.4.1/pdns/pdnssec.cc 2014-10-30 11:18:22.000000000 +0100 
@@ -612,10 +612,37 @@ } rrs[0].content = serializeSOAData(sd); + sd.db->startTransaction("", -1); + if (! sd.db->replaceRRSet(sd.domain_id, zone, rr.qtype, rrs)) { + sd.db->abortTransaction(); cerr<<"Backend did not replace SOA record. Backend might not support this operation."<<endl; return -1; } + + if (sd.db->doesDNSSEC()) { + NSEC3PARAMRecordContent ns3pr; + bool narrow; + bool haveNSEC3=dk.getNSEC3PARAM(zone, &ns3pr, &narrow); + + if(haveNSEC3) + { + if(!narrow) { + string hashed=toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rrs[0].qname)); + if(g_verbose) + cerr<<"'"<<rrs[0].qname<<"' -> '"<< hashed <<"'"<<endl; + sd.db->updateDNSSECOrderAndAuthAbsolute(sd.domain_id, rrs[0].qname, hashed, 1); + } + else { + sd.db->nullifyDNSSECOrderNameAndUpdateAuth(sd.domain_id, rrs[0].qname, 1); + } + } else { + sd.db->updateDNSSECOrderAndAuth(sd.domain_id, zone, rrs[0].qname, 1); + } + } + + sd.db->commitTransaction(); + cout<<"SOA serial for zone "<<zone<<" set to "<<sd.serial<<endl; return 0; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.0/pdns/secpoll-auth.cc new/pdns-3.4.1/pdns/secpoll-auth.cc --- old/pdns-3.4.0/pdns/secpoll-auth.cc 1970-01-01 01:00:00.000000000 +0100 +++ new/pdns-3.4.1/pdns/secpoll-auth.cc 2014-10-22 20:51:18.000000000 +0200 
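Review bot: Between `sd.db->startTransaction("", -1);` and `sd.db->commitTransaction();` nothing covers the exception path: if getNSEC3PARAM, hashQNameWithSalt or one of the backend update calls throws, the function unwinds with the backend transaction still open, and the results of `updateDNSSECOrderAndAuthAbsolute`, `nullifyDNSSECOrderNameAndUpdateAuth` and `updateDNSSECOrderAndAuth` are discarded, so if they report failure by return value the way `replaceRRSet` does, a broken ordername update is still committed together with the new serial. Wrapping the post-start section as below, and aborting instead of committing when an update call reports failure, keeps the SOA and the ordername consistent. The enclosing function starts before this hunk, and `dk` and `g_verbose` come from outside it.
```cpp
  sd.db->startTransaction("", -1);
  try {
    // … unchanged: replaceRRSet check (abort + return -1 on failure) and the ordername update,
    //   each update call aborting and returning -1 when it reports failure …
    sd.db->commitTransaction();
  }
  catch(...) {
    sd.db->abortTransaction();  // never leave the backend transaction open on an exception
    throw;
  }
```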
@@ -0,0 +1,168 @@ +#include "secpoll-auth.hh" + +#include "logger.hh" +#include "arguments.hh" +#include "version.hh" +#include "version_generated.h" +#include "dnsparser.hh" +#include "misc.hh" +#include <boost/foreach.hpp> +#include "sstuff.hh" +#include "dnswriter.hh" +#include "dns_random.hh" +#include "namespaces.hh" +#include "statbag.hh" +#include <stdint.h> +#ifndef PACKAGEVERSION +#define PACKAGEVERSION PDNS_VERSION +#endif + +string g_security_message; + +extern StatBag S; + +static vector<ComboAddress> parseResolveConf() +{ + vector<ComboAddress> ret; + ifstream ifs("/etc/resolv.conf"); + if(!ifs) + return ret; + + string line; + while(std::getline(ifs, line)) { + boost::trim_right_if(line, is_any_of(" \r\n\x1a")); + boost::trim_left(line); // leading spaces, let's be nice + + string::size_type tpos = line.find_first_of(";#"); + if(tpos != string::npos) + line.resize(tpos); + + if(boost::starts_with(line, "nameserver ") || boost::starts_with(line, "nameserver\t")) { + vector<string> parts; + stringtok(parts, line, " \t,"); // be REALLY nice + for(vector<string>::const_iterator iter = parts.begin()+1; iter != parts.end(); ++iter) { + + try { + ret.push_back(ComboAddress(*iter, 53)); + } + catch(...) 
+ { + } + } + } + + } + + return ret; +} + +int doResolve(const string& qname, uint16_t qtype, vector<DNSResourceRecord>& ret) +{ + vector<uint8_t> packet; + + DNSPacketWriter pw(packet, qname, qtype); + pw.getHeader()->id=dns_random(0xffff); + pw.getHeader()->rd=1; + + static vector<ComboAddress> s_servers; + vector<ComboAddress> servers = parseResolveConf(); + if(!servers.empty()) + s_servers = servers; // in case we chrooted in the meantime + + if(s_servers.empty()) + L<<Logger::Warning<<"Unable to poll PowerDNS security status, did not get any servers from resolv.conf"<<endl; + + BOOST_FOREACH(ComboAddress& dest, s_servers) { + Socket sock(dest.sin4.sin_family, SOCK_DGRAM); + sock.setNonBlocking(); + sock.sendTo(string((char*)&*packet.begin(), (char*)&*packet.end()), dest); + + string reply; + + waitForData(sock.getHandle(), 2, 0); + try { + retry: + sock.recvFrom(reply, dest); + if(reply.size() > sizeof(struct dnsheader)) { + struct dnsheader d; + memcpy(&d, reply.c_str(), sizeof(d)); + if(d.id != pw.getHeader()->id) + goto retry; + } + } + catch(...) 
{ + continue; + } + MOADNSParser mdp(reply); + if(mdp.d_header.rcode == RCode::ServFail) + continue; + + + for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i!=mdp.d_answers.end(); ++i) { + if(i->first.d_place == 1 && i->first.d_type==QType::TXT) { + DNSResourceRecord rr; + rr.qname = i->first.d_label; + rr.qtype = QType(i->first.d_type); + rr.content = i->first.d_content->getZoneRepresentation(); + rr.ttl=i->first.d_ttl; + ret.push_back(rr); + } + } + + return mdp.d_header.rcode; + } + return RCode::ServFail; +} + +void doSecPoll(bool first) +{ + if(::arg()["security-poll-suffix"].empty()) + return; + + struct timeval now; + gettimeofday(&now, 0); + + string query = "auth-" PACKAGEVERSION ".security-status."+::arg()["security-poll-suffix"]; + + if(*query.rbegin()!='.') + query+='.'; + + boost::replace_all(query, "+", "_"); + + vector<DNSResourceRecord> ret; + + int res=doResolve(query, QType::TXT, ret); + + int security_status=0; + + if(!res && !ret.empty()) { + string content=ret.begin()->content; + if(!content.empty() && content[0]=='"' && content[content.size()-1]=='"') { + content=content.substr(1, content.length()-2); + } + + pair<string, string> split = splitField(content, ' '); + + security_status = atoi(split.first.c_str()); + g_security_message = split.second; + + } + else { + L<<Logger::Warning<<"Could not retrieve security status update for '" PACKAGEVERSION "' on '"+query+"', RCODE = "<< RCode::to_s(res)<<endl; + if(security_status == 1) // it was ok, not it is unknown + security_status = 0; + } + + if(security_status == 1 && first) { + L<<Logger::Warning << "Polled security status of version "<<PACKAGEVERSION<<" at startup, no known issues reported: " <<g_security_message<<endl; + } + if(security_status == 2) { + L<<Logger::Error<<"PowerDNS Security Update Recommended: "<<g_security_message<<endl; + } + else if(security_status == 3) { + L<<Logger::Error<<"PowerDNS Security Update Mandatory: "<<g_security_message<<endl; + } + + 
S.set("security-status",security_status); + +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.0/pdns/secpoll-auth.hh new/pdns-3.4.1/pdns/secpoll-auth.hh --- old/pdns-3.4.0/pdns/secpoll-auth.hh 1970-01-01 01:00:00.000000000 +0100 +++ new/pdns-3.4.1/pdns/secpoll-auth.hh 2014-10-22 17:01:25.000000000 +0200 @@ -0,0 +1,9 @@ +#ifndef PDNS_SECPOLL_AUTH_HH +#define PDNS_SECPOLL_AUTH_HH +#include <time.h> +#include "namespaces.hh" + +void doSecPoll(bool first); +extern std::string g_security_message; + +#endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.0/pdns/tcpreceiver.cc new/pdns-3.4.1/pdns/tcpreceiver.cc --- old/pdns-3.4.0/pdns/tcpreceiver.cc 2014-08-12 13:32:10.000000000 +0200 +++ new/pdns-3.4.1/pdns/tcpreceiver.cc 2014-10-21 13:31:14.000000000 +0200 @@ -1008,7 +1008,10 @@ sendPacket(outpacket,outsock); return 0; } - if (!rfc1982LessThan(serial, sd.serial)) { + + string soaedit; + dk.getFromMeta(target, "SOA-EDIT", soaedit); + if (!rfc1982LessThan(serial, calculateEditSOA(sd, soaedit))) { TSIGRecordContent trc; string tsigkeyname, tsigsecret; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.0/pdns/webserver.cc new/pdns-3.4.1/pdns/webserver.cc --- old/pdns-3.4.0/pdns/webserver.cc 2014-07-30 16:42:05.000000000 +0200 +++ new/pdns-3.4.1/pdns/webserver.cc 2014-10-30 11:18:22.000000000 +0100 
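Review bot: In doResolve the reply is handed to `MOADNSParser mdp(reply);` outside the try block that guards recvFrom, so a truncated or malformed UDP answer throws out of doResolve and doSecPoll; the startup call in common_startup.cc is not wrapped in a try, so one bad answer from a resolver can abort startup rather than leave the status at 0 — constructing the parser inside the try and `continue`-ing on failure keeps the poll best-effort. The reply is accepted on the 16-bit ID alone; also checking that `mdp.d_qname`/`mdp.d_qtype` equal the query that was sent rejects stray datagrams before their TXT content ends up in `g_security_message` and the log. Separately, the `if(security_status == 1)` downgrade in the failure branch of doSecPoll compares a local that was initialised to 0 a few lines earlier, so it can never fire; the previous status would have to be read back from `S` (or kept in a static) for the "was ok, now unknown" intent to work, and the comment should read `// it was ok, now it is unknown`. The `1` in `i->first.d_place == 1` would also read better as a named constant for the answer section.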
@@ -48,6 +48,37 @@ } } +bool HttpRequest::compareAuthorization(const string &expected_password) +{ + // validate password + YaHTTP::strstr_map_t::iterator header = headers.find("authorization"); + bool auth_ok = false; + if (header != headers.end() && toLower(header->second).find("basic ") == 0) { + string cookie = header->second.substr(6); + + string plain; + B64Decode(cookie, plain); + + vector<string> cparts; + stringtok(cparts, plain, ":"); + + // this gets rid of terminating zeros + auth_ok = (cparts.size()==2 && (0==strcmp(cparts[1].c_str(), expected_password.c_str()))); + } + return auth_ok; +} + +bool HttpRequest::compareHeader(const string &header_name, const string &expected_value) +{ + YaHTTP::strstr_map_t::iterator header = headers.find(header_name); + if (header == headers.end()) + return false; + + // this gets rid of terminating zeros + return (0==strcmp(header->second.c_str(), expected_value.c_str())); +} + + void HttpResponse::setBody(rapidjson::Document& document) { this->body = makeStringFromDocument(document); 
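Review bot: Both `compareAuthorization` and `compareHeader` compare the secret with `strcmp`, which returns at the first differing byte, so the time a request takes varies with how many leading bytes of the supplied password or X-API-Key are right; for credential checks the usual fix is a comparison that checks the length and then touches every byte regardless of where the mismatch is. With the helper below, `compareAuthorization` becomes `auth_ok = (cparts.size()==2 && constantTimeEquals(cparts[1], expected_password));` and `compareHeader` ends in `return constantTimeEquals(header->second, expected_value);`. The two `// this gets rid of terminating zeros` comments then go away; comparing the full std::string also means a header value with an embedded NUL no longer matches a shorter secret, which is the stricter behaviour. `B64Decode(cookie, plain)` still discards its return value, so an undecodable credential silently falls through to the length check — fine for rejecting, but worth a one-line comment.
```cpp
// Compares two secrets without stopping at the first mismatch, so the time
// taken does not reveal how many leading bytes of the guess were correct.
// Only the length of the expected value can be inferred from timing.
static bool constantTimeEquals(const string& a, const string& b)
{
  if (a.size() != b.size())
    return false;
  unsigned char diff = 0;
  for (size_t i = 0; i < a.size(); ++i)
    diff |= static_cast<unsigned char>(a[i] ^ b[i]);
  return diff == 0;
}

// … unchanged: compareAuthorization, with the strcmp replaced by
//   auth_ok = (cparts.size()==2 && constantTimeEquals(cparts[1], expected_password)); …
// … unchanged: compareHeader, with the strcmp replaced by
//   return constantTimeEquals(header->second, expected_value); …
```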
@@ -58,19 +89,30 @@ return ::B64Decode(strInput, strOutput); } -static void handlerWrapper(WebServer::HandlerFunction handler, YaHTTP::Request* req, YaHTTP::Response* resp) +static void bareHandlerWrapper(WebServer::HandlerFunction handler, YaHTTP::Request* req, YaHTTP::Response* resp) { // wrapper to convert from YaHTTP::* to our subclasses handler(static_cast<HttpRequest*>(req), static_cast<HttpResponse*>(resp)); } -void WebServer::registerHandler(const string& url, HandlerFunction handler) +void WebServer::registerBareHandler(const string& url, HandlerFunction handler) { - YaHTTP::THandlerFunction f = boost::bind(&handlerWrapper, handler, _1, _2); + YaHTTP::THandlerFunction f = boost::bind(&bareHandlerWrapper, handler, _1, _2); YaHTTP::Router::Any(url, f); } static void apiWrapper(WebServer::HandlerFunction handler, HttpRequest* req, HttpResponse* resp) { + const string& api_key = arg()["experimental-api-key"]; + if (api_key.empty()) { + L<<Logger::Debug<<"HTTP API Request \"" << req->url.path << "\": Authentication failed, API Key missing in config" << endl; + throw HttpUnauthorizedException(); + } + bool auth_ok = req->compareHeader("x-api-key", api_key); + if (!auth_ok) { + L<<Logger::Debug<<"HTTP Request \"" << req->url.path << "\": Authentication by API Key failed" << endl; + throw HttpUnauthorizedException(); + } + resp->headers["Access-Control-Allow-Origin"] = "*"; resp->headers["Content-Type"] = "application/json"; 
@@ -108,7 +150,25 @@ void WebServer::registerApiHandler(const string& url, HandlerFunction handler) { HandlerFunction f = boost::bind(&apiWrapper, handler, _1, _2); - registerHandler(url, f); + registerBareHandler(url, f); +} + +static void webWrapper(WebServer::HandlerFunction handler, HttpRequest* req, HttpResponse* resp) { + const string& web_password = arg()["webserver-password"]; + if (!web_password.empty()) { + bool auth_ok = req->compareAuthorization(web_password); + if (!auth_ok) { + L<<Logger::Debug<<"HTTP Request \"" << req->url.path << "\": Web Authentication failed" << endl; + throw HttpUnauthorizedException(); + } + } + + handler(req, resp); +} + +void WebServer::registerWebHandler(const string& url, HandlerFunction handler) { + HandlerFunction f = boost::bind(&webWrapper, handler, _1, _2); + registerBareHandler(url, f); } static void *WebServerConnectionThreadStart(void *p) { @@ -148,28 +208,6 @@ } } - if (!d_password.empty()) { - // validate password - header = req.headers.find("authorization"); - bool auth_ok = false; - if (header != req.headers.end() && toLower(header->second).find("basic ") == 0) { - string cookie = header->second.substr(6); - - string plain; - B64Decode(cookie, plain); - - vector<string> cparts; - stringtok(cparts, plain, ":"); - - // this gets rid of terminating zeros - auth_ok = (cparts.size()==2 && (0==strcmp(cparts[1].c_str(), d_password.c_str()))); - } - if (!auth_ok) { - L<<Logger::Debug<<"HTTP Request \"" << req.url.path << "\": Authentication failed" << endl; - throw HttpUnauthorizedException(); - } - } - YaHTTP::THandlerFunction handler; if (!YaHTTP::Router::Route(&req, handler)) { L<<Logger::Debug<<"HTTP: No route found for \"" << req.url.path << "\"" << endl; 
@@ -268,11 +306,10 @@ L<<Logger::Error<<"HTTP: Unknown exception"<<endl; } -WebServer::WebServer(const string &listenaddress, int port, const string &password) : d_server(NULL) +WebServer::WebServer(const string &listenaddress, int port) : d_server(NULL) { d_listenaddress=listenaddress; d_port=port; - d_password=password; } void WebServer::bind() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.0/pdns/webserver.hh new/pdns-3.4.1/pdns/webserver.hh --- old/pdns-3.4.0/pdns/webserver.hh 2014-06-24 14:22:01.000000000 +0200 +++ new/pdns-3.4.1/pdns/webserver.hh 2014-10-21 14:34:39.000000000 +0200 @@ -32,6 +32,8 @@ #include "namespaces.hh" #include "sstuff.hh" +class WebServer; + class HttpRequest : public YaHTTP::Request { public: HttpRequest() : YaHTTP::Request(), accept_json(false), accept_html(false), complete(false) { }; @@ -40,6 +42,10 @@ bool accept_html; bool complete; void json(rapidjson::Document& document); + + // checks password _only_. + bool compareAuthorization(const string &expected_password); + bool compareHeader(const string &header_name, const string &expected_value); }; class HttpResponse: public YaHTTP::Response { @@ -125,7 +131,7 @@ class WebServer : public boost::noncopyable { public: - WebServer(const string &listenaddress, int port, const string &password=""); + WebServer(const string &listenaddress, int port); void bind(); void go(); 
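Review bot: The comment `// checks password _only_.` on the new HttpRequest methods in webserver.hh (@@ -40 hunk) is too terse to tell a reader what is and is not verified: compareAuthorization ignores the user part of the Basic credential and compareHeader is an exact, case-sensitive match of one header value, and both look up the header under a lower-case name (`"authorization"`, `"x-api-key"`), which presumably relies on YaHTTP keying its header map that way — worth confirming and stating. Suggest `// Basic-auth check: the user part of the credential is ignored, only the password is compared.` above compareAuthorization and `// Exact, case-sensitive match of a request header's value; header_name as stored in the header map.` above compareHeader. The @@ -133 hunk of the same header has the same gap: `registerApiHandler` and `registerWebHandler` now enforce different credentials (X-API-Key from `experimental-api-key` vs. Basic auth against `webserver-password`, the latter skipped entirely when the password is empty), and a one-line comment on each declaration would make that contract visible where handlers are registered.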
@@ -133,12 +139,13 @@ HttpResponse handleRequest(HttpRequest request); typedef boost::function<void(HttpRequest* req, HttpResponse* resp)> HandlerFunction; - void registerHandler(const string& url, HandlerFunction handler); void registerApiHandler(const string& url, HandlerFunction handler); + void registerWebHandler(const string& url, HandlerFunction handler); protected: static char B64Decode1(char cInChar); static int B64Decode(const std::string& strInput, std::string& strOutput); + void registerBareHandler(const string& url, HandlerFunction handler); virtual Server* createServer() { return new Server(d_listenaddress, d_port); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.0/pdns/ws-auth.cc new/pdns-3.4.1/pdns/ws-auth.cc --- old/pdns-3.4.0/pdns/ws-auth.cc 2014-08-12 13:32:10.000000000 +0200 +++ new/pdns-3.4.1/pdns/ws-auth.cc 2014-10-30 11:18:22.000000000 +0100 @@ -61,7 +61,7 @@ d_ws = 0; d_tid = 0; if(arg().mustDo("webserver")) { - d_ws = new WebServer(arg()["webserver-address"], arg().asNum("webserver-port"),arg()["webserver-password"]); + d_ws = new WebServer(arg()["webserver-address"], arg().asNum("webserver-port")); d_ws->bind(); } } 
@@ -1255,8 +1255,8 @@ // legacy dispatch d_ws->registerApiHandler("/jsonstat", boost::bind(&AuthWebServer::jsonstat, this, _1, _2)); } - d_ws->registerHandler("/style.css", boost::bind(&AuthWebServer::cssfunction, this, _1, _2)); - d_ws->registerHandler("/", boost::bind(&AuthWebServer::indexfunction, this, _1, _2)); + d_ws->registerWebHandler("/style.css", boost::bind(&AuthWebServer::cssfunction, this, _1, _2)); + d_ws->registerWebHandler("/", boost::bind(&AuthWebServer::indexfunction, this, _1, _2)); d_ws->go(); } catch(...) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.0/pdns/ws-recursor.cc new/pdns-3.4.1/pdns/ws-recursor.cc --- old/pdns-3.4.0/pdns/ws-recursor.cc 2014-06-24 14:22:01.000000000 +0200 +++ new/pdns-3.4.1/pdns/ws-recursor.cc 2014-10-30 11:18:22.000000000 +0100 @@ -421,7 +421,7 @@ { RecursorControlParser rcp; // inits - d_ws = new AsyncWebServer(fdm, arg()["experimental-webserver-address"], arg().asNum("experimental-webserver-port"), arg()["experimental-webserver-password"]); + d_ws = new AsyncWebServer(fdm, arg()["experimental-webserver-address"], arg().asNum("experimental-webserver-port")); d_ws->bind(); // legacy dispatch diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.0/pdns/ws-recursor.hh new/pdns-3.4.1/pdns/ws-recursor.hh --- old/pdns-3.4.0/pdns/ws-recursor.hh 2014-03-27 12:22:04.000000000 +0100 +++ new/pdns-3.4.1/pdns/ws-recursor.hh 2014-10-21 14:34:39.000000000 +0200 
@@ -45,8 +45,8 @@ class AsyncWebServer : public WebServer { public: - AsyncWebServer(FDMultiplexer* fdm, const string &listenaddress, int port, const string &password="") : - WebServer(listenaddress, port, password), d_fdm(fdm) { }; + AsyncWebServer(FDMultiplexer* fdm, const string &listenaddress, int port) : + WebServer(listenaddress, port), d_fdm(fdm) { }; void go(); private: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.0/pdns.spec new/pdns-3.4.1/pdns.spec --- old/pdns-3.4.0/pdns.spec 2014-09-30 11:23:37.000000000 +0200 +++ new/pdns-3.4.1/pdns.spec 2014-10-30 11:18:22.000000000 +0100 @@ -1,6 +1,6 @@ BuildRoot: /tmp/pdns Name: pdns-static -Version: 3.4.0 +Version: 3.4.1 Release: 1 Summary: extremely powerful and versatile nameserver License: GPL -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org