Mail archive
alpine-aports

[alpine-aports] [PATCH 2/2] main/dnssec-root: cleanup

From: Sören Tempel <soeren+git_at_soeren-tempel.net>
Date: Mon, 16 Nov 2015 13:30:14 +0100

---
 main/dnssec-root/APKBUILD | 70 ++++++++++++++++++++---------------------------
 1 file changed, 30 insertions(+), 40 deletions(-)
diff --git a/main/dnssec-root/APKBUILD b/main/dnssec-root/APKBUILD
index 425a7e9..4bade41 100644
--- a/main/dnssec-root/APKBUILD
+++ b/main/dnssec-root/APKBUILD
_at_@ -1,43 +1,33 @@
+# Contributor: Sören Tempel <soeren+alpine_at_soeren-tempel.net>
 # Contributor: Natanael Copa <ncopa_at_alpinelinux.org>
 # Maintainer: Natanael Copa <ncopa_at_alpinelinux.org>
 pkgname=dnssec-root
 pkgver=20100715
-pkgrel=2
+pkgrel=3
 pkgdesc="The DNSSEC root key(s)"
 url="https://www.iana.org/dnssec/"
 arch="noarch"
 license="public-domain"
 depends=""
-makedepends="libxslt gnupg openssl"
+makedepends="libxslt gnupg bind-tools"
 install=""
 subpackages=""
 source="https://data.iana.org/root-anchors/icann.pgp
-	https://data.iana.org/root-anchors/Kjqmt7v.csr
+	https://data.iana.org/root-anchors/root-anchors.xml
 	https://data.iana.org/root-anchors/root-anchors.asc
 	anchors2ds.xsl
 	"
 
+# Modeled after the following approach:
 # http://permalink.gmane.org/gmane.network.dns.unbound.user/1039
 
-_builddir="$srcdir"/build
-_dnssecdir="usr/share/dnssec"
+_keyflags=257
+_hashalgo=-2
+
+_builddir="$srcdir"/$pkgname-$pkgver
 prepare() {
+	cd "$srcdir"
 	mkdir -p "$_builddir"
-	cd "$_builddir"
-
-	# curl https://data.iana.org/root-anchors/root-anchors.xml
-	cat >root-anchors.xml<<EOF
-<?xml version="1.0" encoding="UTF-8"?>
-<TrustAnchor id="AD42165F-3B1A-4778-8F42-D34A1D41FD93" source="http://data.iana.org/root-anchors/root-anchors.xml">
-<Zone>.</Zone>
-<KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00">
-<KeyTag>19036</KeyTag>
-<Algorithm>8</Algorithm>
-<DigestType>2</DigestType>
-<Digest>49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</Digest>
-</KeyDigest>
-</TrustAnchor>
-EOF
 
 	(
 		export GNUPGHOME="$_builddir"/gpg
_at_@ -46,43 +36,43 @@ EOF
 		gpg --verify "$srcdir"/root-anchors.asc \
 			root-anchors.xml
 	) || return 1
-
-# the cert in p7s file expired:
-# curl http://data.iana.org/root-anchors/root-anchors.p7s \
-#	| openssl pkcs7 -inform DER -print_certs \
-#	| openssl x509 -noout -text \
-#	| grep 'Not After'
-# Not After : Jun 28 22:32:16 2014 GMT
-
-#	openssl smime  -verify -content "$srcdir"/root-anchors-$pkgver.xml \
-#		-in "$srcdir"/root-anchors.p7s -inform der \
-#		-CAfile "$srcdir"/icannbundle.pem \
-#		|| return 1
 }
 
 build() {
 	cd "$_builddir"
-	xsltproc -o root-anchors.txt "$srcdir"/anchors2ds.xsl root-anchors.xml
+	xsltproc -o root-anchors.txt "$srcdir"/anchors2ds.xsl "$srcdir"/root-anchors.xml
+
+	dig DNSKEY . | grep -w $_keyflags > untrusted.key
+	dnssec-dsfromkey $_hashalgo untrusted.key > untrusted.ds
 
+	cut -d ' ' -f1-6 untrusted.ds | tr '\n' ' ' > root-anchors.tmp
+	cut -d ' ' -f7- untrusted.ds | sed 's/ //g' | tr '\n' ' ' >> root-anchors.tmp
+	printf '\n' >> root-anchors.tmp
 
+	if ! cmp root-anchors.txt root-anchors.tmp; then
+		echo "DNSKEY is invalid, don't continue." 1>&2
+		exit 1
+	fi
+
+	awk '{print $1 "\t" $2 "\t" $3 "\t" $4 "\t" $5 " " $6 " " $7; for (i = 8; i <= NF; i++) printf $i}' \
+		untrusted.key | tr '\n' ' ' > trusted-key.key
+	printf "\n" >> trusted-key.key
 }
 
 package() {
-	cd "$_builddir"
-	mkdir -p "$pkgdir"/$_dnssecdir
-	install root-anchors.xml root-anchors.txt "$srcdir"/Kjqmt7v.csr \
-		"$pkgdir"/$_dnssecdir || return 1
+	install -Dm644 "$_builddir"/trusted-key.key \
+		"$pkgdir"/usr/share/$pkgname/trusted-key.key || return 1
 }
 
 md5sums="041a789ee96301623d3e66e4d52c8a0b  icann.pgp
-427766bf91c674c4f0469ed363f207a8  Kjqmt7v.csr
+69e6f9b67e92fbc952d488cc6f67198f  root-anchors.xml
 a5612e1b84a75c29b642b9342286c511  root-anchors.asc
 1043c559c923279600a6da395b794597  anchors2ds.xsl"
 sha256sums="3e9beaaf9bbd1fe78a0d104230cbc04d544e833a2dc6b982992f74a4860a9ae8  icann.pgp
-401120c1721ba100b2d9abf2d01332399535ba0f9c71dbd9f97232c5ebd608d2  Kjqmt7v.csr
+dfb281b771dc854c18d1cff9d2eecaf184cf7a9668606aaa33e8f01bf4b4d8e4  root-anchors.xml
 5bffcac53f810c5fb1e1baf543e2de2f10ec99d7f7cddb5f1e47b1e58cf34cfa  root-anchors.asc
 2cc436e29e5bfd39c055390045a4c14dfae517ebdad79002983756a508a15e8f  anchors2ds.xsl"
 sha512sums="5fba8334850f2ae753f4f8a30d1e6c62abc341ece2dc83df4bc0f6db2b91ae68942c0d2a38eab3d33b5b91640cd1cf0970777225c15d5f961884c00077d539a2  icann.pgp
-8e47be5054bbb801cb914d94a6f0d1e6b9b2eba387714f011f118bf8af6dacfe24a2dec80525ad005c545fa15fd8413cf90615e6d5c50d7925daa4aefff77112  Kjqmt7v.csr
+bca506c852bc83aa9d04ed0b52bef6d0baec745e466292273d52f49fd73cec73db4c6d55a9921fe086c7edc618f3ab21dc03146b6d617644495b3926e262e572  root-anchors.xml
 e9c86b897d7e8edb979cba4bebe353b7c7f21b4061cd6f571c8671b02e73c2ea0b78a980169fa7d40987b9e962a0f1ba17dbb392b5ec6ad14fedce65a139c913  root-anchors.asc
 5b496d8f7fcb6a1241d889221f539b68485fea356feec13a94329b0807768c543c828c2821567f59d6a56931a6b2ea22827e49a1527582e3dda844d61c28b198  anchors2ds.xsl"
-- 
2.6.3
---
Unsubscribe:  alpine-aports+unsubscribe_at_lists.alpinelinux.org
Help:         alpine-aports+help_at_lists.alpinelinux.org
---
Received on Mon Nov 16 2015 - 13:30:14 GMT