From 46a7f788da42ee473f7543c46829f0f34a5a2b7a Mon Sep 17 00:00:00 2001 From: Pieter Lexis Date: Tue, 15 Oct 2019 14:31:18 +0200 Subject: [PATCH] Deb: Load DNSSEC Keys from disk by default This also automatically reloads them each 24 hours by default. --- .../debian/recursor/debian-buster/lua-config/rootkeys.lua | 3 +++ .../debian/recursor/debian-buster/pdns-recursor.dirs | 1 + builder-support/debian/recursor/debian-buster/recursor.lua | 7 +++++++ builder-support/debian/recursor/debian-buster/rules | 7 ++++++- .../debian/recursor/debian-jessie/lua-config/rootkeys.lua | 3 +++ .../debian/recursor/debian-jessie/pdns-recursor.dirs | 1 + builder-support/debian/recursor/debian-jessie/recursor.lua | 7 +++++++ builder-support/debian/recursor/debian-jessie/rules | 7 ++++++- .../debian/recursor/debian-stretch/lua-config/rootkeys.lua | 3 +++ .../debian/recursor/debian-stretch/pdns-recursor.dirs | 1 + .../debian/recursor/debian-stretch/recursor.lua | 7 +++++++ builder-support/debian/recursor/debian-stretch/rules | 7 ++++++- 12 files changed, 51 insertions(+), 3 deletions(-) create mode 100644 builder-support/debian/recursor/debian-buster/lua-config/rootkeys.lua create mode 100644 builder-support/debian/recursor/debian-buster/pdns-recursor.dirs create mode 100644 builder-support/debian/recursor/debian-buster/recursor.lua create mode 100644 builder-support/debian/recursor/debian-jessie/lua-config/rootkeys.lua create mode 100644 builder-support/debian/recursor/debian-jessie/pdns-recursor.dirs create mode 100644 builder-support/debian/recursor/debian-jessie/recursor.lua create mode 100644 builder-support/debian/recursor/debian-stretch/lua-config/rootkeys.lua create mode 100644 builder-support/debian/recursor/debian-stretch/pdns-recursor.dirs create mode 100644 builder-support/debian/recursor/debian-stretch/recursor.lua 
diff --git a/builder-support/debian/recursor/debian-buster/lua-config/rootkeys.lua b/builder-support/debian/recursor/debian-buster/lua-config/rootkeys.lua
new file mode 100644
index 0000000000..bba18fd001
--- /dev/null
+++ b/builder-support/debian/recursor/debian-buster/lua-config/rootkeys.lua
@@ -0,0 +1,3 @@
+-- readTrustAnchorsFromFile reads the DNSSEC trust anchors from the provided file
+-- and reloads it every 24 hours.
+readTrustAnchorsFromFile("/usr/share/dns/root.key")
diff --git a/builder-support/debian/recursor/debian-buster/pdns-recursor.dirs b/builder-support/debian/recursor/debian-buster/pdns-recursor.dirs
new file mode 100644
index 0000000000..1e7acadb8f
--- /dev/null
+++ b/builder-support/debian/recursor/debian-buster/pdns-recursor.dirs
@@ -0,0 +1 @@
+etc/powerdns/recursor.d
diff --git a/builder-support/debian/recursor/debian-buster/recursor.lua b/builder-support/debian/recursor/debian-buster/recursor.lua
new file mode 100644
index 0000000000..1d670a572e
--- /dev/null
+++ b/builder-support/debian/recursor/debian-buster/recursor.lua
@@ -0,0 +1,7 @@
+-- Debian default Lua configuration file for PowerDNS Recursor
+
+-- Load DNSSEC root keys from dns-root-data package.
+-- Note: If you provide your own Lua configuration file, consider
+-- running rootkeys.lua too.
+dofile("/usr/share/pdns-recursor/lua-config/rootkeys.lua")
+
diff --git a/builder-support/debian/recursor/debian-buster/rules b/builder-support/debian/recursor/debian-buster/rules
index 8cfcfa518e..59e60b8081 100755
--- a/builder-support/debian/recursor/debian-buster/rules
+++ b/builder-support/debian/recursor/debian-buster/rules
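Review bot: In debian-buster/lua-config/rootkeys.lua the recursor's DNSSEC root of trust now comes from `/usr/share/dns/root.key`, but none of the 12 files in this patch is debian/control, so it is not visible here that the package shipping that file (dns-root-data, per the comment in recursor.lua) is a hard dependency. If that is not already declared elsewhere it is worth confirming, because the comment does not say what validation falls back to when the file is missing or unreadable. I would extend the comment, e.g. `-- The file is shipped by dns-root-data; the 24 hour reload is the default of the optional second (interval) argument.` The same applies to the identical debian-jessie and debian-stretch copies.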
@@ -39,10 +39,15 @@ override_dh_auto_configure: override_dh_auto_install: dh_auto_install + install -d debian/pdns-recursor/usr/share/pdns-recursor/lua-config + install -m 644 -t debian/pdns-recursor/usr/share/pdns-recursor/lua-config debian/lua-config/rootkeys.lua + install -m 644 -t debian/pdns-recursor/etc/powerdns debian/recursor.lua rm -f debian/pdns-recursor/etc/powerdns/recursor.conf-dist ./pdns_recursor --no-config --config | sed \ -e 's!# config-dir=.*!config-dir=/etc/powerdns!' \ + -e 's!# include-dir=.*!&\ninclude-dir=/etc/powerdns/recursor.d!' \ -e 's!# local-address=.*!local-address=127.0.0.1!' \ + -e 's!# lua-config-file=.*!lua-config-file=/etc/powerdns/recursor.lua!' \ -e 's!# quiet=.*!quiet=yes!' \ -e 's!# setgid=.*!setgid=pdns!' \ -e 's!# setuid=.*!setuid=pdns!' \ @@ -60,5 +65,5 @@ override_dh_gencontrol: override_dh_fixperms: dh_fixperms - # these files often contain passwords. 640 as it is chowned to root:pdns +# these files often contain passwords. 640 as it is chowned to root:pdns chmod 0640 debian/pdns-recursor/etc/powerdns/recursor.conf diff --git a/builder-support/debian/recursor/debian-jessie/lua-config/rootkeys.lua b/builder-support/debian/recursor/debian-jessie/lua-config/rootkeys.lua new file mode 100644 index 0000000000..bba18fd001 --- /dev/null +++ b/builder-support/debian/recursor/debian-jessie/lua-config/rootkeys.lua @@ -0,0 +1,3 @@ +-- readTrustAnchorsFromFile reads the DNSSEC trust anchors from the provided file +-- and reloads it every 24 hours. +readTrustAnchorsFromFile("/usr/share/dns/root.key") diff --git a/builder-support/debian/recursor/debian-jessie/pdns-recursor.dirs b/builder-support/debian/recursor/debian-jessie/pdns-recursor.dirs new file mode 100644 index 0000000000..1e7acadb8f --- /dev/null +++ b/builder-support/debian/recursor/debian-jessie/pdns-recursor.dirs @@ -0,0 +1 @@ +etc/powerdns/recursor.d 
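Review bot: `install -m 644 -t debian/pdns-recursor/etc/powerdns debian/recursor.lua` in the first debian-buster/rules hunk ships the Lua configuration world-readable, while override_dh_fixperms in the second hunk restricts recursor.conf to 0640 because such files often contain passwords. A Lua configuration can hold secrets as well (for instance a TSIG secret passed to `rpzMaster`), so an administrator who extends the shipped file would expose them to every local user. Consider adding `chmod 0640 debian/pdns-recursor/etc/powerdns/recursor.lua` next to the existing chmod, together with the same root:pdns ownership that recursor.conf presumably receives elsewhere, or at least a comment in recursor.lua stating that it is world-readable. Both targets continue outside the hunks shown; the debian-jessie and debian-stretch rules carry the same install line.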
diff --git a/builder-support/debian/recursor/debian-jessie/recursor.lua b/builder-support/debian/recursor/debian-jessie/recursor.lua new file mode 100644 index 0000000000..1d670a572e --- /dev/null +++ b/builder-support/debian/recursor/debian-jessie/recursor.lua @@ -0,0 +1,7 @@ +-- Debian default Lua configuration file for PowerDNS Recursor + +-- Load DNSSEC root keys from dns-root-data package. +-- Note: If you provide your own Lua configuration file, consider +-- running rootkeys.lua too. +dofile("/usr/share/pdns-recursor/lua-config/rootkeys.lua") + diff --git a/builder-support/debian/recursor/debian-jessie/rules b/builder-support/debian/recursor/debian-jessie/rules index 4f70a2e804..e6951a3be3 100755 --- a/builder-support/debian/recursor/debian-jessie/rules +++ b/builder-support/debian/recursor/debian-jessie/rules @@ -39,10 +39,15 @@ override_dh_auto_configure: override_dh_auto_install: dh_auto_install -- STRIP_BINARIES=0 + install -d debian/pdns-recursor/usr/share/pdns-recursor/lua-config + install -m 644 -t debian/pdns-recursor/usr/share/pdns-recursor/lua-config debian/lua-config/rootkeys.lua + install -m 644 -t debian/pdns-recursor/etc/powerdns debian/recursor.lua rm -f debian/tmp/etc/powerdns/recursor.conf-dist ./pdns_recursor --no-config --config | sed \ -e 's!# config-dir=.*!config-dir=/etc/powerdns!' \ + -e 's!# include-dir=.*!&\ninclude-dir=/etc/powerdns/recursor.d!' \ -e 's!# local-address=.*!local-address=127.0.0.1!' \ + -e 's!# lua-config-file=.*!lua-config-file=/etc/powerdns/recursor.lua!' \ -e 's!# quiet=.*!quiet=yes!' \ -e 's!# setgid=.*!setgid=pdns!' \ -e 's!# setuid=.*!setuid=pdns!' \ @@ -60,5 +65,5 @@ override_dh_gencontrol: override_dh_fixperms: dh_fixperms - # these files often contain passwords. 640 as it is chowned to root:pdns +# these files often contain passwords. 640 as it is chowned to root:pdns chmod 0640 debian/tmp/etc/powerdns/recursor.conf 
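Review bot: In debian-jessie/rules the three added `install` lines write to `debian/pdns-recursor/...`, while the neighbouring context lines (`rm -f debian/tmp/etc/powerdns/recursor.conf-dist`, `chmod 0640 debian/tmp/etc/powerdns/recursor.conf`) operate on `debian/tmp`. `install -t debian/pdns-recursor/etc/powerdns` needs that directory to exist already, which presumably relies on the new pdns-recursor.dirs entry `etc/powerdns/recursor.d` having been created before this target runs. A short comment above the install lines stating that, e.g. `# debian/pdns-recursor/etc/powerdns is created via pdns-recursor.dirs`, would keep a later edit of the .dirs file from silently breaking the build. The target body continues outside the hunk.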
diff --git a/builder-support/debian/recursor/debian-stretch/lua-config/rootkeys.lua b/builder-support/debian/recursor/debian-stretch/lua-config/rootkeys.lua
new file mode 100644
index 0000000000..bba18fd001
--- /dev/null
+++ b/builder-support/debian/recursor/debian-stretch/lua-config/rootkeys.lua
@@ -0,0 +1,3 @@
+-- readTrustAnchorsFromFile reads the DNSSEC trust anchors from the provided file
+-- and reloads it every 24 hours.
+readTrustAnchorsFromFile("/usr/share/dns/root.key")
diff --git a/builder-support/debian/recursor/debian-stretch/pdns-recursor.dirs b/builder-support/debian/recursor/debian-stretch/pdns-recursor.dirs
new file mode 100644
index 0000000000..1e7acadb8f
--- /dev/null
+++ b/builder-support/debian/recursor/debian-stretch/pdns-recursor.dirs
@@ -0,0 +1 @@
+etc/powerdns/recursor.d
diff --git a/builder-support/debian/recursor/debian-stretch/recursor.lua b/builder-support/debian/recursor/debian-stretch/recursor.lua
new file mode 100644
index 0000000000..1d670a572e
--- /dev/null
+++ b/builder-support/debian/recursor/debian-stretch/recursor.lua
@@ -0,0 +1,7 @@
+-- Debian default Lua configuration file for PowerDNS Recursor
+
+-- Load DNSSEC root keys from dns-root-data package.
+-- Note: If you provide your own Lua configuration file, consider
+-- running rootkeys.lua too.
+dofile("/usr/share/pdns-recursor/lua-config/rootkeys.lua")
+
diff --git a/builder-support/debian/recursor/debian-stretch/rules b/builder-support/debian/recursor/debian-stretch/rules
index 8cfcfa518e..59e60b8081 100755
--- a/builder-support/debian/recursor/debian-stretch/rules
+++ b/builder-support/debian/recursor/debian-stretch/rules
@@ -39,10 +39,15 @@ override_dh_auto_configure: override_dh_auto_install: dh_auto_install + install -d debian/pdns-recursor/usr/share/pdns-recursor/lua-config + install -m 644 -t debian/pdns-recursor/usr/share/pdns-recursor/lua-config debian/lua-config/rootkeys.lua + install -m 644 -t debian/pdns-recursor/etc/powerdns debian/recursor.lua rm -f debian/pdns-recursor/etc/powerdns/recursor.conf-dist ./pdns_recursor --no-config --config | sed \ -e 's!# config-dir=.*!config-dir=/etc/powerdns!' \ + -e 's!# include-dir=.*!&\ninclude-dir=/etc/powerdns/recursor.d!' \ -e 's!# local-address=.*!local-address=127.0.0.1!' \ + -e 's!# lua-config-file=.*!lua-config-file=/etc/powerdns/recursor.lua!' \ -e 's!# quiet=.*!quiet=yes!' \ -e 's!# setgid=.*!setgid=pdns!' \ -e 's!# setuid=.*!setuid=pdns!' \ @@ -60,5 +65,5 @@ override_dh_gencontrol: override_dh_fixperms: dh_fixperms - # these files often contain passwords. 640 as it is chowned to root:pdns +# these files often contain passwords. 640 as it is chowned to root:pdns chmod 0640 debian/pdns-recursor/etc/powerdns/recursor.conf -- 2.47.2