From: Pieter Lexis
Date: Tue, 15 Oct 2019 12:31:18 +0000 (+0200)
Subject: Deb: Load DNSSEC Keys from disk by default
X-Git-Tag: dnsdist-1.4.0~24^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F8418%2Fhead;p=thirdparty%2Fpdns.git

Deb: Load DNSSEC Keys from disk by default

This also automatically reloads them each 24 hours by default.
---

diff --git a/builder-support/debian/recursor/debian-buster/lua-config/rootkeys.lua b/builder-support/debian/recursor/debian-buster/lua-config/rootkeys.lua
new file mode 100644
index 0000000000..bba18fd001
--- /dev/null
+++ b/builder-support/debian/recursor/debian-buster/lua-config/rootkeys.lua
@@ -0,0 +1,3 @@
+-- readTrustAnchorsFromFile reads the DNSSEC trust anchors from the provided file
+-- and reloads it every 24 hours.
+readTrustAnchorsFromFile("/usr/share/dns/root.key")
diff --git a/builder-support/debian/recursor/debian-buster/pdns-recursor.dirs b/builder-support/debian/recursor/debian-buster/pdns-recursor.dirs
new file mode 100644
index 0000000000..1e7acadb8f
--- /dev/null
+++ b/builder-support/debian/recursor/debian-buster/pdns-recursor.dirs
@@ -0,0 +1 @@
+etc/powerdns/recursor.d
diff --git a/builder-support/debian/recursor/debian-buster/recursor.lua b/builder-support/debian/recursor/debian-buster/recursor.lua
new file mode 100644
index 0000000000..1d670a572e
--- /dev/null
+++ b/builder-support/debian/recursor/debian-buster/recursor.lua
@@ -0,0 +1,7 @@
+-- Debian default Lua configuration file for PowerDNS Recursor
+
+-- Load DNSSEC root keys from dns-root-data package.
+-- Note: If you provide your own Lua configuration file, consider
+-- running rootkeys.lua too.
+dofile("/usr/share/pdns-recursor/lua-config/rootkeys.lua")
+
diff --git a/builder-support/debian/recursor/debian-buster/rules b/builder-support/debian/recursor/debian-buster/rules
index 8cfcfa518e..59e60b8081 100755
--- a/builder-support/debian/recursor/debian-buster/rules
+++ b/builder-support/debian/recursor/debian-buster/rules
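Review bot: The comment above `readTrustAnchorsFromFile("/usr/share/dns/root.key")` in rootkeys.lua does not say where that file comes from or what happens when it is missing or unparsable, and this path now supplies the trust anchors for DNSSEC validation. The sibling recursor.lua names the dns-root-data package, but no control-file change is visible in this commit, so it is worth confirming that the package declares that dependency and that a failed read leaves the previously loaded anchors in place. I would add a line such as `-- /usr/share/dns/root.key is provided by the dns-root-data package.` The same three lines are added under debian-jessie and debian-stretch.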
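Review bot: The note "consider running rootkeys.lua too" in recursor.lua leaves out the consequence of not doing so. An admin who points `lua-config-file` at their own script and omits the `dofile` stops loading the trust anchors from disk, and with them the 24-hour reload described in rootkeys.lua, presumably without any error. I would say that in the comment, e.g. `-- Without the dofile() below, the on-disk trust anchors (and their periodic reload) are not used.` The same file is added for debian-jessie and debian-stretch.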
@@ -39,10 +39,15 @@ override_dh_auto_configure: override_dh_auto_install: dh_auto_install + install -d debian/pdns-recursor/usr/share/pdns-recursor/lua-config + install -m 644 -t debian/pdns-recursor/usr/share/pdns-recursor/lua-config debian/lua-config/rootkeys.lua + install -m 644 -t debian/pdns-recursor/etc/powerdns debian/recursor.lua rm -f debian/pdns-recursor/etc/powerdns/recursor.conf-dist ./pdns_recursor --no-config --config | sed \ -e 's!# config-dir=.*!config-dir=/etc/powerdns!' \ + -e 's!# include-dir=.*!&\ninclude-dir=/etc/powerdns/recursor.d!' \ -e 's!# local-address=.*!local-address=127.0.0.1!' \ + -e 's!# lua-config-file=.*!lua-config-file=/etc/powerdns/recursor.lua!' \ -e 's!# quiet=.*!quiet=yes!' \ -e 's!# setgid=.*!setgid=pdns!' \ -e 's!# setuid=.*!setuid=pdns!' \
@@ -60,5 +65,5 @@ override_dh_gencontrol: override_dh_fixperms: dh_fixperms - # these files often contain passwords. 640 as it is chowned to root:pdns +# these files often contain passwords. 640 as it is chowned to root:pdns chmod 0640 debian/pdns-recursor/etc/powerdns/recursor.conf
diff --git a/builder-support/debian/recursor/debian-jessie/lua-config/rootkeys.lua b/builder-support/debian/recursor/debian-jessie/lua-config/rootkeys.lua
new file mode 100644
index 0000000000..bba18fd001
--- /dev/null
+++ b/builder-support/debian/recursor/debian-jessie/lua-config/rootkeys.lua
@@ -0,0 +1,3 @@
+-- readTrustAnchorsFromFile reads the DNSSEC trust anchors from the provided file
+-- and reloads it every 24 hours.
+readTrustAnchorsFromFile("/usr/share/dns/root.key")
diff --git a/builder-support/debian/recursor/debian-jessie/pdns-recursor.dirs b/builder-support/debian/recursor/debian-jessie/pdns-recursor.dirs
new file mode 100644
index 0000000000..1e7acadb8f
--- /dev/null
+++ b/builder-support/debian/recursor/debian-jessie/pdns-recursor.dirs
@@ -0,0 +1 @@
+etc/powerdns/recursor.d
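Review bot: The added `include-dir=/etc/powerdns/recursor.d` line in the debian-buster override_dh_auto_install recipe opens a second location for settings, yet the only permission tightening in this file is the `chmod 0640` on recursor.conf in override_dh_fixperms, which its own comment justifies by the file containing passwords. Snippets placed in recursor.d can carry the same settings, and the directory is created from pdns-recursor.dirs, presumably with default permissions. I would at least document the expectation next to the chmod, e.g. `# snippets in recursor.d may hold the same secrets as recursor.conf; keep them 0640 root:pdns`. The same hunk is applied to debian-jessie/rules and debian-stretch/rules, and the sed command continues past the end of the hunk.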
diff --git a/builder-support/debian/recursor/debian-jessie/recursor.lua b/builder-support/debian/recursor/debian-jessie/recursor.lua
new file mode 100644
index 0000000000..1d670a572e
--- /dev/null
+++ b/builder-support/debian/recursor/debian-jessie/recursor.lua
@@ -0,0 +1,7 @@
+-- Debian default Lua configuration file for PowerDNS Recursor
+
+-- Load DNSSEC root keys from dns-root-data package.
+-- Note: If you provide your own Lua configuration file, consider
+-- running rootkeys.lua too.
+dofile("/usr/share/pdns-recursor/lua-config/rootkeys.lua")
+
diff --git a/builder-support/debian/recursor/debian-jessie/rules b/builder-support/debian/recursor/debian-jessie/rules
index 4f70a2e804..e6951a3be3 100755
--- a/builder-support/debian/recursor/debian-jessie/rules
+++ b/builder-support/debian/recursor/debian-jessie/rules
@@ -39,10 +39,15 @@ override_dh_auto_configure: override_dh_auto_install: dh_auto_install -- STRIP_BINARIES=0 + install -d debian/pdns-recursor/usr/share/pdns-recursor/lua-config + install -m 644 -t debian/pdns-recursor/usr/share/pdns-recursor/lua-config debian/lua-config/rootkeys.lua + install -m 644 -t debian/pdns-recursor/etc/powerdns debian/recursor.lua rm -f debian/tmp/etc/powerdns/recursor.conf-dist ./pdns_recursor --no-config --config | sed \ -e 's!# config-dir=.*!config-dir=/etc/powerdns!' \ + -e 's!# include-dir=.*!&\ninclude-dir=/etc/powerdns/recursor.d!' \ -e 's!# local-address=.*!local-address=127.0.0.1!' \ + -e 's!# lua-config-file=.*!lua-config-file=/etc/powerdns/recursor.lua!' \ -e 's!# quiet=.*!quiet=yes!' \ -e 's!# setgid=.*!setgid=pdns!' \ -e 's!# setuid=.*!setuid=pdns!' \
@@ -60,5 +65,5 @@ override_dh_gencontrol: override_dh_fixperms: dh_fixperms - # these files often contain passwords. 640 as it is chowned to root:pdns +# these files often contain passwords. 640 as it is chowned to root:pdns chmod 0640 debian/tmp/etc/powerdns/recursor.conf
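Review bot: The three added `install` lines in the debian-jessie recipe write into debian/pdns-recursor/, while every other path in this file's visible recipes uses debian/tmp (`rm -f debian/tmp/etc/powerdns/recursor.conf-dist` here, `chmod 0640 debian/tmp/etc/powerdns/recursor.conf` in the second hunk). `install -t` fails when the target directory does not exist, and only the lua-config directory gets an `install -d`. The etc/powerdns target presumably exists only because pdns-recursor.dirs creates recursor.d beneath it earlier in the build. I would make that explicit with `install -d debian/pdns-recursor/etc/powerdns` before the recursor.lua line, so the step does not depend on debhelper ordering.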
diff --git a/builder-support/debian/recursor/debian-stretch/lua-config/rootkeys.lua b/builder-support/debian/recursor/debian-stretch/lua-config/rootkeys.lua
new file mode 100644
index 0000000000..bba18fd001
--- /dev/null
+++ b/builder-support/debian/recursor/debian-stretch/lua-config/rootkeys.lua
@@ -0,0 +1,3 @@
+-- readTrustAnchorsFromFile reads the DNSSEC trust anchors from the provided file
+-- and reloads it every 24 hours.
+readTrustAnchorsFromFile("/usr/share/dns/root.key")
diff --git a/builder-support/debian/recursor/debian-stretch/pdns-recursor.dirs b/builder-support/debian/recursor/debian-stretch/pdns-recursor.dirs
new file mode 100644
index 0000000000..1e7acadb8f
--- /dev/null
+++ b/builder-support/debian/recursor/debian-stretch/pdns-recursor.dirs
@@ -0,0 +1 @@
+etc/powerdns/recursor.d
diff --git a/builder-support/debian/recursor/debian-stretch/recursor.lua b/builder-support/debian/recursor/debian-stretch/recursor.lua
new file mode 100644
index 0000000000..1d670a572e
--- /dev/null
+++ b/builder-support/debian/recursor/debian-stretch/recursor.lua
@@ -0,0 +1,7 @@
+-- Debian default Lua configuration file for PowerDNS Recursor
+
+-- Load DNSSEC root keys from dns-root-data package.
+-- Note: If you provide your own Lua configuration file, consider
+-- running rootkeys.lua too.
+dofile("/usr/share/pdns-recursor/lua-config/rootkeys.lua")
+
diff --git a/builder-support/debian/recursor/debian-stretch/rules b/builder-support/debian/recursor/debian-stretch/rules
index 8cfcfa518e..59e60b8081 100755
--- a/builder-support/debian/recursor/debian-stretch/rules
+++ b/builder-support/debian/recursor/debian-stretch/rules
@@ -39,10 +39,15 @@ override_dh_auto_configure: override_dh_auto_install: dh_auto_install + install -d debian/pdns-recursor/usr/share/pdns-recursor/lua-config + install -m 644 -t debian/pdns-recursor/usr/share/pdns-recursor/lua-config debian/lua-config/rootkeys.lua + install -m 644 -t debian/pdns-recursor/etc/powerdns debian/recursor.lua rm -f debian/pdns-recursor/etc/powerdns/recursor.conf-dist ./pdns_recursor --no-config --config | sed \ -e 's!# config-dir=.*!config-dir=/etc/powerdns!' \ + -e 's!# include-dir=.*!&\ninclude-dir=/etc/powerdns/recursor.d!' \ -e 's!# local-address=.*!local-address=127.0.0.1!' \ + -e 's!# lua-config-file=.*!lua-config-file=/etc/powerdns/recursor.lua!' \ -e 's!# quiet=.*!quiet=yes!' \ -e 's!# setgid=.*!setgid=pdns!' \ -e 's!# setuid=.*!setuid=pdns!' \
@@ -60,5 +65,5 @@ override_dh_gencontrol: override_dh_fixperms: dh_fixperms - # these files often contain passwords. 640 as it is chowned to root:pdns +# these files often contain passwords. 640 as it is chowned to root:pdns chmod 0640 debian/pdns-recursor/etc/powerdns/recursor.conf