From 7f9f0a90535eb5ce25a21ab66bb06ec0eab9261a Mon Sep 17 00:00:00 2001
From: webbuilder_pel7ppc64bebuilder0
Date: Sat, 13 Jul 2019 16:55:11 +0200
Subject: [PATCH] nsd package creation
Signed-off-by: webbuilder_pel7ppc64bebuilder0
---
 SOURCES/nsd-keygen.service | 19 +++
 SOURCES/nsd.conf | 327 +++++++++++++++++++++++++++++++++++++
 SOURCES/nsd.service | 17 ++
 SOURCES/tmpfiles-nsd.conf | 1 +
 SPECS/nsd.spec | 132 +++++++++++++++
 5 files changed, 496 insertions(+)
 create mode 100644 SOURCES/nsd-keygen.service
 create mode 100644 SOURCES/nsd.conf
 create mode 100644 SOURCES/nsd.service
 create mode 100644 SOURCES/tmpfiles-nsd.conf
 create mode 100644 SPECS/nsd.spec
diff --git a/SOURCES/nsd-keygen.service b/SOURCES/nsd-keygen.service
new file mode 100644
index 0000000..a6f4cb8
--- /dev/null
+++ b/SOURCES/nsd-keygen.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=NSD Control Key And Certificate Generator
+After=syslog.target
+Before=nsd.service
+ConditionPathExists=|!/etc/nsd/nsd_control.key
+ConditionPathExists=|!/etc/nsd/nsd_control.pem
+ConditionPathExists=|!/etc/nsd/nsd_server.key
+ConditionPathExists=|!/etc/nsd/nsd_server.pem
+PartOf=nsd.service
+
+[Service]
+Type=oneshot
+Group=nsd
+ExecStart=/usr/sbin/nsd-control-setup -d /etc/nsd/
+ExecStart=/sbin/restorecon /etc/nsd/*
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/SOURCES/nsd.conf b/SOURCES/nsd.conf
new file mode 100644
index 0000000..4c12a30
--- /dev/null
+++ b/SOURCES/nsd.conf
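Review bot: `ExecStart=/sbin/restorecon /etc/nsd/*` in nsd-keygen.service will not relabel anything, because systemd performs no shell glob expansion in ExecStart= and restorecon is handed the literal path `/etc/nsd/*`; that second command fails, the oneshot unit ends up in a failed state, and the freshly generated control key and certificate files keep whatever SELinux label nsd-control-setup wrote them with. Replace it with `ExecStart=/sbin/restorecon -R /etc/nsd` so the directory and all four key/certificate files are covered. Since only `Group=nsd` is set, the generator runs as root, so the mode and ownership of regenerated files come from nsd-control-setup rather than from the 0640 root:nsd attributes the spec applies at install time — worth confirming they agree, otherwise the nsd user may be unable to read its server key after a regeneration.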
@@ -0,0 +1,327 @@
+#
+# nsd.conf -- the NSD(8) configuration file, nsd.conf(5).
+#
+# Copyright (c) 2001-2011, NLnet Labs. All rights reserved.
+#
+# See LICENSE for the license.
+#
+
+# This is a comment.
+# Sample configuration file
+# include: "file" # include that file's text over here. Globbed, "*.conf"
+
+ # options for the nsd server
+server:
+ # Number of NSD servers to fork. Put the number of CPUs to use here.
+ # server-count: 1
+
+ # uncomment to specify specific interfaces to bind (default are the
+ # wildcard interfaces 0.0.0.0 and ::0).
+ # For servers with multiple IP addresses, list them one by one,
+ # or the source address of replies could be wrong.
+ # Use ip-transparent to be able to list addresses that turn on later.
+ # ip-address: 1.2.3.4
+ # ip-address: 1.2.3.4@5678
+ # ip-address: 12fe::8ef0
+
+ # Allow binding to non local addresses. Default no.
+ # ip-transparent: no
+
+ # Allow binding to addresses that are down. Default no.
+ # ip-freebind: no
+
+ # use the reuseport socket option for performance. Default no.
+ # reuseport: no
+
+ # enable debug mode, does not fork daemon process into the background.
+ # debug-mode: no
+
+ # use systemd for readiness signalling.
+ use-systemd: yes
+
+ # listen on IPv4 connections
+ # do-ip4: yes
+
+ # listen on IPv6 connections
+ # do-ip6: yes
+
+ # port to answer queries on. default is 53.
+ # port: 53
+
+ # Verbosity level.
+ # verbosity: 0
+
+ # After binding socket, drop user privileges.
+ # can be a username, id or id.gid.
+ # username: nsd
+
+ # Run NSD in a chroot-jail.
+ # make sure to have pidfile and database reachable from there.
+ # by default, no chroot-jail is used.
+ # chroot: "/etc/nsd"
+
+ # The directory for zonefile: files. The daemon chdirs here.
+ # zonesdir: "/etc/nsd"
+
+ # the list of dynamically added zones.
+ # zonelistfile: "/var/lib/nsd/zone.list"
+
+ # the database to use
+ # if set to "" then no disk-database is used, less memory usage.
+ database: ""
+
+ # log messages to file. Default to stderr and syslog (with
+ # facility LOG_DAEMON). stderr disappears when daemon goes to bg.
+ # logfile: "/var/log/nsd.log"
+
+ # File to store pid for nsd in.
+ # pidfile: "/var/run/nsd/nsd.pid"
+
+ # The file where secondary zone refresh and expire timeouts are kept.
+ # If you delete this file, all secondary zones are forced to be
+ # 'refreshing' (as if nsd got a notify). Set to "" to disable.
+ # xfrdfile: "/var/lib/nsd/ixfr.state"
+
+ # The directory where zone transfers are stored, in a subdir of it.
+ # xfrdir: "/tmp"
+
+ # don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
+ # hide-version: no
+
+ # version string the server responds with for chaos queries.
+ # default is 'NSD x.y.z' with the server's version number.
+ # version: "NSD"
+
+ # identify the server (CH TXT ID.SERVER entry).
+ # identity: "unidentified server"
+
+ # NSID identity (hex string, or "ascii_somestring"). default disabled.
+ # nsid: "aabbccdd"
+
+ # Maximum number of concurrent TCP connections per server.
+ # tcp-count: 100
+
+ # Maximum number of queries served on a single TCP connection.
+ # By default 0, which means no maximum.
+ # tcp-query-count: 0
+
+ # Override the default (120 seconds) TCP timeout.
+ # tcp-timeout: 120
+
+ # Maximum segment size (MSS) of TCP socket on which the server
+ # responds to queries. Default is 0, system default MSS.
+ # tcp-mss: 0
+
+ # Maximum segment size (MSS) of TCP socket for outgoing AXFR request.
+ # Default is 0, system default MSS.
+ # outgoing-tcp-mss: 0
+
+ # Preferred EDNS buffer size for IPv4.
+ # ipv4-edns-size: 4096
+
+ # Preferred EDNS buffer size for IPv6.
+ # ipv6-edns-size: 4096
+
+ # statistics are produced every number of seconds. Prints to log.
+ # Default is 0, meaning no statistics are produced.
+ # statistics: 3600
+
+ # Number of seconds between reloads triggered by xfrd.
+ # xfrd-reload-timeout: 1
+
+ # log timestamp in ascii (y-m-d h:m:s.msec), yes is default.
+ # log-time-ascii: yes
+
+ # round robin rotation of records in the answer.
+ round-robin: yes
+
+ # minimal-responses only emits extra data for referrals.
+ minimal-responses: yes
+
+ # refuse queries of type ANY. For stopping floods.
+ refuse-any: yes
+
+ # check mtime of all zone files on start and sighup
+ # zonefiles-check: yes
+
+ # write changed zonefiles to disk, every N seconds.
+ # default is 0(disabled) or 3600(if database is "").
+ # zonefiles-write: 3600
+
+ # RRLconfig
+ # Response Rate Limiting, size of the hashtable. Default 1000000.
+ # rrl-size: 1000000
+
+ # Response Rate Limiting, maximum QPS allowed (from one query source).
+ # If set to 0, ratelimiting is disabled. Also set
+ # rrl-whitelist-ratelimit to 0 to disable ratelimit processing.
+ # Default is on.
+ # rrl-ratelimit: 200
+
+ # Response Rate Limiting, number of packets to discard before
+ # sending a SLIP response (a truncated one, allowing an honest
+ # resolver to retry with TCP). Default is 2 (one half of the
+ # queries will receive a SLIP response, 0 disables SLIP (all
+ # packets are discarded), 1 means every request will get a
+ # SLIP response. When the ratelimit is hit the traffic is
+ # divided by the rrl-slip value.
+ # rrl-slip: 2
+
+ # Response Rate Limiting, IPv4 prefix length. Addresses are
+ # grouped by netblock.
+ # rrl-ipv4-prefix-length: 24
+
+ # Response Rate Limiting, IPv6 prefix length. Addresses are
+ # grouped by netblock.
+ # rrl-ipv6-prefix-length: 64
+
+ # Response Rate Limiting, maximum QPS allowed (from one query source)
+ # for whitelisted types. Default is on.
+ # rrl-whitelist-ratelimit: 2000
+ # RRLend
+
+ # Optional local server config
+ include: "/etc/nsd/server.d/*.conf"
+
+# Include optional local configs.
+include: "/etc/nsd/conf.d/*.conf"
+
+# Remote control config section.
+remote-control:
+ # Enable remote control with nsd-control(8) here.
+ # set up the keys and certificates with nsd-control-setup.
+ control-enable: yes
+
+ # what interfaces are listened to for control, default is on localhost.
+ # control-interface: 127.0.0.1
+ # control-interface: ::1
+ control-interface: /run/nsd/nsd.ctl
+
+ # port number for remote control operations (uses TLS over TCP).
+ # control-port: 8952
+
+ # nsd server key file for remote control.
+ # server-key-file: "/etc/nsd/nsd_server.key"
+
+ # nsd server certificate file for remote control.
+ # server-cert-file: "/etc/nsd/nsd_server.pem"
+
+ # nsd-control key file.
+ # control-key-file: "/etc/nsd/nsd_control.key"
+
+ # nsd-control certificate file.
+ # control-cert-file: "/etc/nsd/nsd_control.pem"
+
+
+# Secret keys for TSIGs that secure zone transfers.
+# You could include: "secret.keys" and put the 'key:' statements in there,
+# and give that file special access control permissions.
+#
+# key:
+ # The key name is sent to the other party, it must be the same
+ #name: "keyname"
+ # algorithm hmac-md5, or sha1, sha256, sha224, sha384, sha512
+ #algorithm: sha256
+ # secret material, must be the same as the other party uses.
+ # base64 encoded random number.
+ # e.g. from dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64
+ #secret: "K2tf3TRjvQkVCmJF3/Z9vA=="
+
+
+# Patterns have zone configuration and they are shared by one or more zones.
+#
+# pattern:
+ # name by which the pattern is referred to
+ #name: "myzones"
+ # the zonefile for the zones that use this pattern.
+ # if relative then from the zonesdir (inside the chroot).
+ # the name is processed: %s - zone name (as appears in zone:name).
+ # %1 - first character of zone name, %2 second, %3 third.
+ # %z - topleveldomain label of zone, %y, %x next labels in name.
+ # if label or character does not exist you get a dot '.'.
+ # for example "%s.zone" or "zones/%1/%2/%3/%s" or "secondary/%z/%s"
+ #zonefile: "%s.zone"
+
+ # If no master and slave access control elements are provided,
+ # this zone will not be served to/from other servers.
+
+ # A master zone needs notify: and provide-xfr: lists. A slave
+ # may also allow zone transfer (for debug or other secondaries).
+ # notify these slaves when the master zone changes, address TSIG|NOKEY
+ # IP can be ipv4 and ipv6, with @port for a nondefault port number.
+ #notify: 192.0.2.1 NOKEY
+ # allow these IPs and TSIG to transfer zones, addr TSIG|NOKEY|BLOCKED
+ # address range 192.0.2.0/24, 1.2.3.4&255.255.0.0, 3.0.2.20-3.0.2.40
+ #provide-xfr: 192.0.2.0/24 my_tsig_key_name
+ # set the number of retries for notify.
+ #notify-retry: 5
+
+ # uncomment to provide AXFR to all the world
+ # provide-xfr: 0.0.0.0/0 NOKEY
+ # provide-xfr: ::0/0 NOKEY
+
+ # A slave zone needs allow-notify: and request-xfr: lists.
+ #allow-notify: 2001:db8::0/64 my_tsig_key_name
+ # By default, a slave will request a zone transfer with IXFR/TCP.
+ # If you want to make use of IXFR/UDP use: UDP addr tsigkey
+ # for a master that only speaks AXFR (like NSD) use AXFR addr tsigkey
+ #request-xfr: 192.0.2.2 the_tsig_key_name
+ # Attention: You cannot use UDP and AXFR together. AXFR is always over
+ # TCP. If you use UDP, we higly recommend you to deploy TSIG.
+ # Allow AXFR fallback if the master does not support IXFR. Default
+ # is yes.
+ #allow-axfr-fallback: yes
+ # set local interface for sending zone transfer requests.
+ # default is let the OS choose.
+ #outgoing-interface: 10.0.0.10
+ # limit the refresh and retry interval in seconds.
+ #max-refresh-time: 2419200
+ #min-refresh-time: 0
+ #max-retry-time: 1209600
+ #min-retry-time: 0
+
+ # Slave server tries zone transfer to all masters and picks highest
+ # zone version available, for when masters have different versions.
+ #multi-master-check: no
+
+ # limit the zone transfer size (in bytes), stops very large transfers
+ # 0 is no limits enforced.
+ # size-limit-xfr: 0
+
+ # if compiled with --enable-zone-stats, give name of stat block for
+ # this zone (or group of zones). Output from nsd-control stats.
+ # zonestats: "%s"
+
+ # if you give another pattern name here, at this point the settings
+ # from that pattern are inserted into this one (as if it were a
+ # macro). The statement can be given in between other statements,
+ # because the order of access control elements can make a difference
+ # (which master to request from first, which slave to notify first).
+ #include-pattern: "common-masters"
+
+
+# Fixed zone entries. Here you can config zones that cannot be deleted.
+# Zones that are dynamically added and deleted are put in the zonelist file.
+#
+# zone:
+ # name: "example.com"
+ # you can give a pattern here, all the settings from that pattern
+ # are then inserted at this point
+ # include-pattern: "master"
+ # You can also specify (additional) options directly for this zone.
+ # zonefile: "example.com.zone"
+ # request-xfr: 192.0.2.1 example.com.key
+
+ # RRLconfig
+ # Response Rate Limiting, whitelist types
+ # rrl-whitelist: nxdomain
+ # rrl-whitelist: error
+ # rrl-whitelist: referral
+ # rrl-whitelist: any
+ # rrl-whitelist: rrsig
+ # rrl-whitelist: wildcard
+ # rrl-whitelist: nodata
+ # rrl-whitelist: dnskey
+ # rrl-whitelist: positive
+ # rrl-whitelist: all
+ # RRLend
diff --git a/SOURCES/nsd.service b/SOURCES/nsd.service
new file mode 100644
index 0000000..c05d6aa
--- /dev/null
+++ b/SOURCES/nsd.service
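Review bot: `hide-version` is left commented out at its default of `no`, so this distribution-shipped config answers `version.bind`/`version.server` CHAOS queries with the exact NSD release; setting `hide-version: yes` (or a fixed `version:` string) is a cheap hardening default for a packaged server. The `control-interface: /run/nsd/nsd.ctl` line switches remote control to a Unix socket, and as far as I recall nsd-control is then authorised by the socket's file permissions rather than by the TLS client certificate, yet the surrounding comments still present the key/cert files as the access control; a comment such as `# local socket: access is governed by the socket's file permissions, not by the certificates below` would stop operators from relying on the certificates. The socket's parent directory is created 0755 nsd:nsd by the tmpfiles entry in this commit, so the socket file's own mode decides who can drive the server — confirm what mode nsd creates it with.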
@@ -0,0 +1,17 @@
+[Unit]
+Description=NSD DNS Server
+After=syslog.target network-online.target
+After=nsd-keygen.service
+Wants=nsd-keygen.service
+
+[Service]
+Type=simple
+PIDFile=/var/run/nsd/nsd.pid
+EnvironmentFile=-/etc/sysconfig/nsd
+ExecStart=/usr/sbin/nsd -d -c /etc/nsd/nsd.conf $NSD_EXTRA_OPTS
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=mixed
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/SOURCES/tmpfiles-nsd.conf b/SOURCES/tmpfiles-nsd.conf
new file mode 100644
index 0000000..1db67d3
--- /dev/null
+++ b/SOURCES/tmpfiles-nsd.conf
@@ -0,0 +1 @@
+D /run/nsd 0755 nsd nsd -
diff --git a/SPECS/nsd.spec b/SPECS/nsd.spec
new file mode 100644
index 0000000..17701c5
--- /dev/null
+++ b/SPECS/nsd.spec
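Review bot: `Type=simple` in nsd.service does not match the `use-systemd: yes` that the shipped nsd.conf sets in this same commit — sd_notify readiness only has an effect with `Type=notify`, so with this unit systemd considers NSD started the moment it is exec'd, and anything ordered `After=nsd.service` can run before a listening socket exists. Change the line to `Type=notify`; with `-d` keeping the daemon in the foreground the `PIDFile=` line is then largely redundant, as it is mainly consulted for `Type=forking`. `After=syslog.target` is an obsolete ordering target and can be dropped. The unit applies no sandboxing beyond `PrivateTmp=`; since NSD drops to the nsd user only after binding, directives such as `ProtectSystem=full` and `ProtectHome=yes` would be worth adding.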
@@ -0,0 +1,132 @@
+%global _hardened_build 1
+
+Name: nsd
+Version: 4.2.1
+Release: 1%{?dist}
+License: BSD
+Summary: Fast and lean authoritative DNS Name Server
+Url: http://www.nlnetlabs.nl/nsd/
+Group: System Environment/Daemons
+Source0: http://www.nlnetlabs.nl/downloads/%{name}/%{name}-%{version}.tar.gz
+Source1: nsd.conf
+Source2: nsd.service
+Source3: nsd-keygen.service
+Source6: tmpfiles-nsd.conf
+BuildRequires: gcc
+BuildRequires: flex
+BuildRequires: openssl-devel
+BuildRequires: libevent-devel
+Requires(pre): shadow-utils
+BuildRequires: systemd-units
+BuildRequires: systemd-devel
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+#workaround for 4.1.24 bug in systemd detection :/
+BuildRequires: autoconf automake
+
+
+%description
+NSD is a complete implementation of an authoritative DNS name server.
+For further information about what NSD is and what NSD is not please
+consult the REQUIREMENTS document which is a part of this distribution.
+
+
+%prep
+%setup -q -n %{name}-%{version}%{?prever}
+#workaround for 4.1.24 bug in systemd detection :/
+autoreconf
+
+
+%build
+CFLAGS="%{optflags} -fPIE -pie"
+LDFLAGS="-Wl,-z,relro,-z,now"
+export CFLAGS LDFLAGS
+%configure \
+ --enable-bind8-stats \
+ --enable-zone-stats \
+ --enable-checking \
+ --enable-nsec3 \
+ --with-pidfile=%{_localstatedir}/run/nsd/nsd.pid \
+ --with-zonelistfile=%{_sharedstatedir}/nsd/zone.list \
+ --with-ssl \
+ --with-user=nsd \
+ --with-xfrdfile=%{_sharedstatedir}/nsd/ixfr.state \
+ --with-dbfile="" \
+ --enable-ratelimit \
+ --enable-systemd
+
+make %{?_smp_mflags}
+
+
+%install
+make DESTDIR=%{buildroot} install
+mkdir -p %{buildroot}%{_unitdir}
+install -m 0644 %{SOURCE2} %{SOURCE3} %{buildroot}%{_unitdir}
+mkdir -p %{buildroot}%{_tmpfilesdir}
+install -m 0644 %{SOURCE6} %{buildroot}%{_tmpfilesdir}/nsd.conf
+mkdir -p %{buildroot}%{_localstatedir}/run/nsd
+mkdir -p %{buildroot}%{_sharedstatedir}/nsd
+
+# Install ghost files
+for name in control server; do
+ for extension in key pem; do
+ touch %{buildroot}%{_sysconfdir}/nsd/nsd_${name}.${extension}
+ done
+done
+
+# Take care of the configuration
+mkdir -p %{buildroot}%{_sysconfdir}/nsd/conf.d
+mkdir -p %{buildroot}%{_sysconfdir}/nsd/server.d
+install -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/nsd/nsd.conf
+rm %{buildroot}%{_sysconfdir}/nsd/nsd.conf.sample
+
+
+%files
+%doc doc/*
+%doc contrib/nsd.zones2nsd.conf
+%dir %{_sysconfdir}/nsd
+%config(noreplace) %{_sysconfdir}/nsd/nsd.conf
+%attr(0640,root,nsd) %ghost %{_sysconfdir}/nsd/nsd_server.key
+%attr(0640,root,nsd) %ghost %{_sysconfdir}/nsd/nsd_server.pem
+%attr(0640,root,nsd) %ghost %{_sysconfdir}/nsd/nsd_control.key
+%attr(0640,root,nsd) %ghost %{_sysconfdir}/nsd/nsd_control.pem
+%dir %{_sysconfdir}/nsd/conf.d
+%dir %{_sysconfdir}/nsd/server.d
+%if %{with systemd}
+%attr(0644,root,root) %{_unitdir}/nsd.service
+%attr(0644,root,root) %{_unitdir}/nsd-keygen.service
+%attr(0644,root,root) %{_tmpfilesdir}/nsd.conf
+%else
+%attr(0755,root,root) %{_initddir}/nsd
+%config(noreplace) %{_sysconfdir}/sysconfig/nsd
+%endif
+%attr(0755,nsd,nsd) %dir %{_localstatedir}/run/nsd
+%attr(0750,nsd,nsd) %dir %{_sharedstatedir}/nsd
+%{_sbindir}/*
+%{_mandir}/*/*
+
+%pre
+getent group nsd >/dev/null || groupadd -r nsd
+getent passwd nsd >/dev/null || \
+useradd -r -g nsd -d /etc/nsd -s /sbin/nologin \
+ -c "nsd daemon account" nsd
+exit 0
+
+%post
+%systemd_post nsd.service
+%systemd_post nsd-keygen.serivce
+
+%preun
+%systemd_preun nsd.service
+%systemd_preun nsd-keygen.serivce
+
+%postun
+%systemd_postun_with_restart nsd.service
+%systemd_postun nsd-keygen.service
+
+%triggerin -- nsd < 4.0.0-0
+chown nsd:nsd %{_sharedstatedir}/nsd/* 2>&1 || :
+
+
+%changelog
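Review bot: The unit name is misspelled in two scriptlets — `%systemd_post nsd-keygen.serivce` and `%systemd_preun nsd-keygen.serivce` — so the keygen unit is never applied to presets on install and is not stopped or disabled on removal, while `%postun` uses the correct name; change both to `nsd-keygen.service`. Separately, the `%files` section (which begins earlier in this hunk) branches on `%if %{with systemd}` but nothing in the spec declares that bcond, so unless `with_systemd` is defined outside this file the expression evaluates to 0 and the `%else` branch claims `%{_initddir}/nsd` and `%{_sysconfdir}/sysconfig/nsd`, neither of which `%install` creates — packaging would fail on missing files. Either add `%bcond_without systemd` near the top of the spec or drop the conditional and list only the systemd files, since `--enable-systemd` is passed unconditionally in `%build`.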