From: Daniel Leidert Date: Mon, 18 Mar 2024 22:34:27 +0000 (+0100) Subject: pdns-recursor (4.1.11-1+deb10u2) buster; urgency=medium X-Git-Tag: archive/raspbian/4.1.11-1+rpi1+deb10u2^2~8 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=fc764205e028993a016244f1e99b9a6bd9f503ff;p=pdns-recursor.git pdns-recursor (4.1.11-1+deb10u2) buster; urgency=medium * Non-maintainer upload by the Debian LTS Team. * debian/patches/CVE-2020-14196.patch: Added (CVE-2020-14196). - Add patch to enforce 'webserver-allow-from' ACL (closes: #964103). * debian/patches/CVE-2020-25829.patch: Added (CVE-2020-25829). - Add patch to fix DoS (closes: #972159). [dgit import unpatched pdns-recursor 4.1.11-1+deb10u2] --- fc764205e028993a016244f1e99b9a6bd9f503ff diff --cc debian/.gitlab-ci.yml index 0000000,0000000..2d9798b new file mode 100644 --- /dev/null +++ b/debian/.gitlab-ci.yml @@@ -1,0 -1,0 +1,11 @@@ ++--- ++ ++include: ++ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml ++ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml ++ ++variables: ++ RELEASE: 'buster' ++ SALSA_CI_COMPONENTS: 'main contrib non-free' ++ SALSA_CI_DISABLE_REPROTEST: 1 ++ SALSA_CI_DISABLE_LINTIAN: 1 diff --cc debian/README.source index 0000000,0000000..cf42723 new file mode 100644 --- /dev/null +++ b/debian/README.source @@@ -1,0 -1,0 +1,1 @@@ ++See /usr/share/doc/quilt/README.source diff --cc debian/changelog index 0000000,0000000..7af388f new file mode 100644 --- /dev/null +++ b/debian/changelog @@@ -1,0 -1,0 +1,804 @@@ ++pdns-recursor (4.1.11-1+deb10u2) buster; urgency=medium ++ ++ * Non-maintainer upload by the Debian LTS Team. ++ * debian/patches/CVE-2020-14196.patch: Added (CVE-2020-14196). ++ - Add patch to enforce 'webserver-allow-from' ACL (closes: #964103). ++ * debian/patches/CVE-2020-25829.patch: Added (CVE-2020-25829). ++ - Add patch to fix DoS (closes: #972159). ++ ++ -- Daniel Leidert Mon, 18 Mar 2024 23:34:27 +0100 ++ ++pdns-recursor (4.1.11-1+deb10u1) buster-security; urgency=high ++ ++ * Fix security issues CVE-2020-10995 CVE-2020-12244 CVE-2020-10030 ++ ++ -- Chris Hofstaedtler Tue, 19 May 2020 08:52:06 +0000 ++ ++pdns-recursor (4.1.11-1) unstable; urgency=medium ++ ++ * New upstream version 4.1.11 ++ * Upstream has applied the patch introduced in 4.1.10-2, remove it. ++ ++ -- Chris Hofstaedtler Sun, 03 Feb 2019 15:02:43 +0000 ++ ++pdns-recursor (4.1.10-2) unstable; urgency=high ++ ++ * Apply patch from upstream to avoid timing issue in tests ++ * Keeping urgency=high to allow migration of the security fix in 4.1.9-1 ++ after the mipsel build failure. ++ ++ -- Chris Hofstaedtler Thu, 24 Jan 2019 16:19:32 +0000 ++ ++pdns-recursor (4.1.10-1) unstable; urgency=high ++ ++ * New upstream version 4.1.10, fixing build without protobuf, ++ which is not a problem in Debian. ++ * Re-add stack-size patch, hoping it fixes the mipsel build failure ++ * Keeping urgency=high to allow migration of the security fix in 4.1.9-1 ++ after the mipsel build failure. ++ ++ -- Chris Hofstaedtler Thu, 24 Jan 2019 14:53:59 +0000 ++ ++pdns-recursor (4.1.9-1) unstable; urgency=high ++ ++ * New upstream version 4.1.9, including fixes for: ++ CVE-2019-3806 CVE-2019-3807. ++ * Remove upstream applied patches. ++ ++ -- Chris Hofstaedtler Mon, 21 Jan 2019 13:08:42 +0000 ++ ++pdns-recursor (4.1.8-2) unstable; urgency=medium ++ ++ * Apply patch from upstream to avoid transient test failure on slow archs ++ ++ -- Chris Hofstaedtler Wed, 28 Nov 2018 12:32:23 +0000 ++ ++pdns-recursor (4.1.8-1) unstable; urgency=medium ++ ++ * New upstream version 4.1.8, including fix for CVE-2018-16855. ++ ++ -- Chris Hofstaedtler Mon, 26 Nov 2018 15:22:39 +0000 ++ ++pdns-recursor (4.1.7-1) unstable; urgency=medium ++ ++ * New upstream version 4.1.7, including fixes for: ++ CVE-2018-10851 CVE-2018-14626 CVE-2018-14644 ++ (Closes: #913162). ++ * Remove upstream applied patch. ++ ++ -- Chris Hofstaedtler Fri, 09 Nov 2018 19:44:44 +0000 ++ ++pdns-recursor (4.1.4-3) unstable; urgency=medium ++ ++ * Run MTasker test with the stack-size pdns_recursor would use ++ ++ -- Chris Hofstaedtler Sun, 09 Sep 2018 19:29:51 +0000 ++ ++pdns-recursor (4.1.4-2) unstable; urgency=medium ++ ++ * Show results of make check in build logs ++ * Remove override_dh_strip, ddeb migration is complete ++ * Move lintian source overrides to non-deprecated location ++ * Use debhelper compat level 11 ++ ++ -- Chris Hofstaedtler Sun, 09 Sep 2018 16:11:21 +0000 ++ ++pdns-recursor (4.1.4-1) unstable; urgency=medium ++ ++ * Bump Standards-Version to 4.2.1 ++ * New upstream version 4.1.4 ++ * Load DNSSEC root keys from dns-root-data package (Closes: #760470) ++ ++ -- Chris Hofstaedtler Mon, 03 Sep 2018 07:55:52 +0000 ++ ++pdns-recursor (4.1.3-2) unstable; urgency=medium ++ ++ * d/rules: sync build options from pdns package. ++ Includes: hardening=+all instead of +bindnow,+pie. Use dpkg ++ make macros to derive current version and vendor. Force enable ++ -Wall. ++ * Update copyright format URL and years ++ ++ -- Chris Hofstaedtler Thu, 26 Jul 2018 11:31:22 +0000 ++ ++pdns-recursor (4.1.3-1) unstable; urgency=medium ++ ++ * New upstream version 4.1.3 ++ * Remove upstream applied patches (all) ++ * Bump Standards-Version to 4.1.5 ++ ++ -- Chris Hofstaedtler Mon, 23 Jul 2018 06:56:51 +0000 ++ ++pdns-recursor (4.1.2-1) unstable; urgency=medium ++ ++ * New upstream version 4.1.2, remove upstream applied patches. ++ ++ -- Chris Hofstaedtler Thu, 29 Mar 2018 17:18:23 +0000 ++ ++pdns-recursor (4.1.1-2) unstable; urgency=medium ++ ++ * Replace obsolete priority extra with optional ++ * Add a default include-dir= setting ++ ++ -- Chris Hofstaedtler Fri, 23 Feb 2018 10:41:09 +0000 ++ ++pdns-recursor (4.1.1-1) unstable; urgency=medium ++ ++ * New upstream version 4.1.1 ++ * Drop upstream applied, refresh other patches ++ ++ -- Chris Hofstaedtler Mon, 22 Jan 2018 19:03:19 +0000 ++ ++pdns-recursor (4.1.0-5) unstable; urgency=medium ++ ++ * Avoid boost-context on platforms where it is broken ++ ++ -- Chris Hofstaedtler Fri, 19 Jan 2018 22:12:09 +0000 ++ ++pdns-recursor (4.1.0-4) unstable; urgency=medium ++ ++ * Update Maintainer: as alioth is going away ++ * Update Vcs-* URLs to point to salsa.debian.org ++ * Bump Standards-Version to 4.1.3 (no changes) ++ ++ -- Chris Hofstaedtler Thu, 18 Jan 2018 20:46:32 +0000 ++ ++pdns-recursor (4.1.0-3) unstable; urgency=medium ++ ++ * Add patch from James Cowgill to fix ++ crashes on mips64el. Thanks for analysis and the patch! (Closes: #887034) ++ ++ -- Chris Hofstaedtler Fri, 12 Jan 2018 21:11:55 +0000 ++ ++pdns-recursor (4.1.0-2) unstable; urgency=medium ++ ++ * Add patches from upstream improving test reliability. ++ * Bump Standards-Version to 4.1.2 (no changes). ++ ++ -- Chris Hofstaedtler Tue, 12 Dec 2017 09:51:18 +0000 ++ ++pdns-recursor (4.1.0-1) unstable; urgency=medium ++ ++ * New upstream version 4.1.0, upload to unstable. ++ * Build with libsodium for DNSSEC algo 15 support. ++ * Enable unit tests during build time. ++ ++ -- Chris Hofstaedtler Mon, 04 Dec 2017 15:20:54 +0000 ++ ++pdns-recursor (4.1.0~rc3-1) experimental; urgency=medium ++ ++ * New upstream version 4.1.0~rc3 ++ * Update upstream signing key ++ ++ -- Christian Hofstaedtler Mon, 27 Nov 2017 21:02:42 +0000 ++ ++pdns-recursor (4.1.0~alpha1-1) experimental; urgency=medium ++ ++ * New upstream version 4.1.0~alpha1 ++ * Bump Standards-Version to 4.1.1 (no changes) ++ * Remove Build-Depends: satisfied by debhelper >= 10 ++ ++ -- Christian Hofstaedtler Tue, 10 Oct 2017 05:46:20 +0000 ++ ++pdns-recursor (4.0.7-1) unstable; urgency=medium ++ ++ * New upstream version 4.0.7, fixes CVE-2017-15090 CVE-2017-15092 ++ CVE-2017-15093 CVE-2017-15094. ++ * Update upstream signing key ++ ++ -- Christian Hofstaedtler Mon, 27 Nov 2017 21:05:16 +0000 ++ ++pdns-recursor (4.0.6-1) unstable; urgency=medium ++ ++ * New upstream version 4.0.6 ++ * Drop upstream applied patches ++ * Drop RestrictAddressFamilies workaround for 32bit hosts, relevant only ++ for some versions of systemd in stretch. ++ ++ -- Christian Hofstaedtler Tue, 11 Jul 2017 17:56:13 +0000 ++ ++pdns-recursor (4.0.5-2) unstable; urgency=medium ++ ++ * Move -latomic handling into upstream hands, ++ including a patch from upstream to fix FTBFS on ppc64el. ++ ++ -- Christian Hofstaedtler Tue, 04 Jul 2017 13:07:56 +0000 ++ ++pdns-recursor (4.0.5-1) unstable; urgency=medium ++ ++ * New upstream version 4.0.5. ++ * Drop upstream applied patches. ++ * Bump Standards-Version to 4.0.0. ++ ++ -- Christian Hofstaedtler Tue, 04 Jul 2017 10:50:08 +0000 ++ ++pdns-recursor (4.0.4-2) unstable; urgency=medium ++ ++ * Add new root trust anchor KSK-2017 to embedded root trust list. ++ (Closes: #866112) ++ ++ -- Christian Hofstaedtler Tue, 27 Jun 2017 12:31:08 +0000 ++ ++pdns-recursor (4.0.4-1) unstable; urgency=medium ++ ++ * New upstream version, fixing security issues CVE-2016-7068 and ++ CVE-2016-7073 CVE-2016-7074. ++ * Also includes DNSSEC improvements, parts of which we carried as ++ patches already. ++ * Drop upstream applied patches. ++ ++ -- Christian Hofstaedtler Sat, 14 Jan 2017 03:03:18 +0000 ++ ++pdns-recursor (4.0.3-6) unstable; urgency=medium ++ ++ * Upload to unstable again. ++ * Import further patches from upstream to fix DNSSEC and RPZ issues. ++ ++ -- Christian Hofstaedtler Mon, 02 Jan 2017 22:15:58 +0000 ++ ++pdns-recursor (4.0.3-5+exp3) experimental; urgency=medium ++ ++ * Add file missing from dist tarball so pubsuffix.cc can be rebuilt ++ ++ -- Christian Hofstaedtler Mon, 02 Jan 2017 14:41:26 +0000 ++ ++pdns-recursor (4.0.3-5+exp2) experimental; urgency=medium ++ ++ * Build-Depend on ragel to ensure dnslabeltext.cc is rebuilt. ++ * Take public suffix list from publicsuffix package at build time. ++ * Bump dh compat to 10, remove now obsolete extra args/build-depends. ++ ++ -- Christian Hofstaedtler Mon, 02 Jan 2017 10:54:55 +0000 ++ ++pdns-recursor (4.0.3-5+exp1) experimental; urgency=medium ++ ++ * Allow building with boost::fcontext again, by importing ++ more patches from upstream. ++ * Target experimental, but hope that fcontext works on all ++ architectures anyway. ++ ++ -- Christian Hofstaedtler Mon, 02 Jan 2017 09:59:15 +0000 ++ ++pdns-recursor (4.0.3-5) unstable; urgency=medium ++ ++ * Drop RestrictAddressFamilies from .service file on 32bit. ++ This feature is broken in systemd before v233. (See also #849817) ++ * Add patches from upstream 4.0 series branch. ++ Fixes a crash in DNSSEC validation (in getZoneCuts) and in ++ statistics code. ++ ++ -- Christian Hofstaedtler Sat, 31 Dec 2016 15:37:18 +0000 ++ ++pdns-recursor (4.0.3-4) unstable; urgency=medium ++ ++ * Add patches from upstream fixing DNSSEC, RPZ issues ++ ++ -- Christian Hofstaedtler Sun, 11 Dec 2016 11:50:37 +0000 ++ ++pdns-recursor (4.0.3-3) unstable; urgency=medium ++ ++ * Drop our lsb-base dependency to avoid versioning it ++ ++ -- Christian Hofstaedtler Tue, 11 Oct 2016 03:08:20 +0000 ++ ++pdns-recursor (4.0.3-2) unstable; urgency=medium ++ ++ * Disable systemd integration on non-Linux archs. Patch from ++ Pino Toscano . (Closes: #834235) ++ ++ -- Christian Hofstaedtler Mon, 10 Oct 2016 14:30:03 +0000 ++ ++pdns-recursor (4.0.3-1) unstable; urgency=medium ++ ++ * New upstream version 4.0.3. ++ * Drop upstream applied patches. ++ * Disable check for boost fcontext, as its API has changed in boost 1.61. ++ ++ -- Christian Hofstaedtler Wed, 07 Sep 2016 08:39:15 +0000 ++ ++pdns-recursor (4.0.2-1) unstable; urgency=medium ++ ++ * New upstream version 4.0.2 ++ * Add patches from upstream to fix build with OpenSSL 1.1.0 final (again) ++ ++ -- Christian Hofstaedtler Mon, 05 Sep 2016 19:00:33 +0000 ++ ++pdns-recursor (4.0.1-1) unstable; urgency=medium ++ ++ * New upstream version. (Closes: #828491) ++ ++ -- Christian Hofstaedtler Sat, 30 Jul 2016 20:44:16 +0000 ++ ++pdns-recursor (4.0.0-3) unstable; urgency=medium ++ ++ * postinst: Remove redundant guard around addgroup/adduser ++ * debian/watch: Fix versionmangle for rc releases ++ ++ -- Christian Hofstaedtler Mon, 18 Jul 2016 07:31:27 +0000 ++ ++pdns-recursor (4.0.0-2) unstable; urgency=medium ++ ++ * Drop --retry in initscript stop action (Closes: #768078) ++ * Drop initscript force-stop action. ++ Which would use killall and as such not be safe on a container host. ++ * Deprecate resolvconf integration and flip default to off ++ * Drop "Replaces: pdns" which has not been needed since wheezy ++ * Drop version on Depends: lsb-base, which is already fulfilled in oldstable ++ * Drop upgrade code from versions before oldoldstable ++ * Ensure daemon startup errors do not cause dpkg to fail ++ * Update package description ++ * Drop unused lintian overrides ++ * Drop unused update-rc.d parameters ++ ++ -- Christian Hofstaedtler Wed, 13 Jul 2016 11:22:54 +0200 ++ ++pdns-recursor (4.0.0-1) unstable; urgency=medium ++ ++ * New upstream release. ++ ++ -- Christian Hofstaedtler Mon, 11 Jul 2016 11:35:46 +0200 ++ ++pdns-recursor (4.0.0~rc1-2) unstable; urgency=medium ++ ++ * Move package to pkg-dns team ++ * Update debhelper dependency for dbgsym options ++ * Improve reproducibility by sorting included files ++ * Inform lintian about OpenSSL Exception ++ * Remove unused license from debian/copyright ++ ++ -- Christian Hofstaedtler Sun, 03 Jul 2016 11:19:38 +0200 ++ ++pdns-recursor (4.0.0~rc1-1) unstable; urgency=medium ++ ++ * New upstream version. ++ ++ -- Christian Hofstaedtler Fri, 10 Jun 2016 21:58:56 +0000 ++ ++pdns-recursor (4.0.0~beta1-2) unstable; urgency=medium ++ ++ * Update debian/copyright. ++ * Build with upstreams systemd support and use it. ++ * Raise LimitNOFILE to match default mthread setting (again). ++ ++ -- Christian Hofstaedtler Sun, 29 May 2016 21:05:49 +0000 ++ ++pdns-recursor (4.0.0~beta1-1) unstable; urgency=medium ++ ++ * New upstream version. ++ * debian/watch: fix missing versionmangle setting ++ * Drop DNSSEC disabling patch, in favor of upstreams new ++ process-no-validate default. ++ ++ -- Christian Hofstaedtler Sat, 28 May 2016 18:24:02 +0000 ++ ++pdns-recursor (4.0.0~alpha3-1) unstable; urgency=medium ++ ++ * New upstream version. ++ * Drop upstream applied patch for boost detection. ++ * Bump Standards-Version to 3.9.8 (no changes needed) ++ ++ -- Christian Hofstaedtler Thu, 12 May 2016 20:35:07 +0000 ++ ++pdns-recursor (4.0.0~alpha2-2) unstable; urgency=medium ++ ++ * Apply patch from upstream to fix build without ++ boost::context, hopefully fixing missing builds on arm64, s390x. ++ ++ -- Christian Hofstaedtler Mon, 28 Mar 2016 12:15:09 +0000 ++ ++pdns-recursor (4.0.0~alpha2-1) unstable; urgency=medium ++ ++ * New Upstream version 4.0.0~alpha2, with autotools build system. ++ (Closes: #809091) ++ * Disable DNSSEC processing for this release, per upstream recommendation. ++ ++ -- Christian Hofstaedtler Wed, 09 Mar 2016 15:22:59 +0000 ++ ++pdns-recursor (4.0.0~alpha1-3) unstable; urgency=medium ++ ++ * Update systemd unit file from upstream ++ * Drop pdns-recursor-dbg in favor of automated dbgsym packages ++ * Disable secpoll by default ++ * Use root hints from dns-root-data package (Closes: #760470) ++ * Drop Build-Depends: quilt, as we just rely on dpkg-source ++ * Increase LimitNOFILE to a size suitable for default mthreads ++ ++ -- Christian Hofstaedtler Thu, 25 Feb 2016 00:02:07 +0000 ++ ++pdns-recursor (4.0.0~alpha1-2) unstable; urgency=medium ++ ++ * Manage daemon flag in init script, not in config file. ++ For users that get this wrong in their recursor.conf. ++ ++ -- Christian Hofstaedtler Sat, 26 Dec 2015 23:25:30 +0000 ++ ++pdns-recursor (4.0.0~alpha1-1) unstable; urgency=medium ++ ++ * Imported Upstream version 4.0.0~alpha1 ++ * debian/watch: Add upstream signature check ++ * Update debian/copyright ++ * Generate recursor.conf during build ++ * Install example files ++ * Enable reproducible build ++ ++ -- Christian Hofstaedtler Fri, 25 Dec 2015 17:47:26 +0000 ++ ++pdns-recursor (3.7.3-1) unstable; urgency=medium ++ ++ * Imported Upstream version 3.7.3 (prevent short bursts of high ++ resource usage with malformed qnames). ++ ++ -- Christian Hofstaedtler Sun, 14 Jun 2015 21:18:28 +0200 ++ ++pdns-recursor (3.7.2-1) unstable; urgency=medium ++ ++ * Stop recommending long gone pdns-doc package ++ * Imported Upstream version 3.7.2 (Fixes CVE-2015-1868) ++ ++ -- Christian Hofstaedtler Tue, 21 Apr 2015 19:13:05 +0200 ++ ++pdns-recursor (3.7.1-1) unstable; urgency=medium ++ ++ * Imported Upstream version 3.7.1 ++ ++ -- Christian Hofstaedtler Tue, 14 Apr 2015 22:30:54 +0200 ++ ++pdns-recursor (3.6.2-2) unstable; urgency=medium ++ ++ * Set package vendor for security status polling. ++ Requires directly including buildflags.mk so d/rules can modify ++ CXXFLAGS. (Closes: #767701) ++ * d/control: Update Vcs-Git and Vcs-Browser ++ * Fix "smoke" autopkgtest. ++ The test definition was incorrectly copied from the pdns-server ++ package. ++ ++ -- Christian Hofstaedtler Sat, 15 Nov 2014 17:42:26 +0100 ++ ++pdns-recursor (3.6.2-1) unstable; urgency=high ++ ++ * Imported Upstream version 3.6.2, a bugfix release (Closes: #767368) ++ * Remove API key patch, which has been incorporated upstream. ++ ++ -- Christian Hofstaedtler Thu, 30 Oct 2014 17:22:19 +0100 ++ ++pdns-recursor (3.6.1-3) unstable; urgency=medium ++ ++ * Apply API key patch from upstream ++ * Bump Standards-Version to 3.9.6 (no further changes) ++ ++ -- Christian Hofstaedtler Tue, 21 Oct 2014 21:31:43 +0200 ++ ++pdns-recursor (3.6.1-2) unstable; urgency=medium ++ ++ * Drop patch 'pdns-recursor-less-chatty' ++ * Ship native systemd unit file ++ * Enable extra hardening flags (PIE, bindnow) ++ * Add smoke test, testing example.org resolution ++ ++ -- Christian Hofstaedtler Sat, 13 Sep 2014 19:21:43 +0200 ++ ++pdns-recursor (3.6.1-1) unstable; urgency=high ++ ++ * Imported Upstream version 3.6.1 ++ Fixes security issue: CVE-2014-3614 ++ ++ -- Christian Hofstaedtler Tue, 09 Sep 2014 22:55:49 +0200 ++ ++pdns-recursor (3.6.0-2) unstable; urgency=medium ++ ++ [ Christian Hofstaedtler ] ++ * Update debian/copyright file ++ * Remove boilerplate from debian/watch ++ * Update init script options: ++ Removed X-Start-After and X-Stop-Before, which were sent to irrelevant ++ services, and updated Description fields. ++ * Add status target to init script. ++ Thanks to Iain Georgeson (Closes: #730684) ++ ++ [ SATOH Fumiyasu ] ++ * Enable resolvconf hooks only when $RESOLVCONF is set to 'yes' ++ (Closes: #722659) ++ ++ -- Christian Hofstaedtler Tue, 24 Jun 2014 13:27:38 +0200 ++ ++pdns-recursor (3.6.0-1) unstable; urgency=medium ++ ++ * Imported Upstream version 3.6.0 ++ * Drop upstream applied patches 1443, 1444, 1445 ++ ++ -- Christian Hofstaedtler Fri, 20 Jun 2014 12:34:10 +0200 ++ ++pdns-recursor (3.6.0~rc1-2) unstable; urgency=medium ++ ++ * Switch to Lua 5.2 ++ ++ -- Christian Hofstaedtler Mon, 09 Jun 2014 20:12:24 +0200 ++ ++pdns-recursor (3.6.0~rc1-1) unstable; urgency=medium ++ ++ * Imported Upstream version 3.6.0~rc1 ++ * Replace local patches with upstream PRs ++ do-not-strip-binaries, hurd-ftbfs-patch, kfreebsd-ftbfs-patch and ++ remove-pdns_hw-patch are now pending upstream approval and merge. ++ * Add myself to Uploaders ++ * Bump Standards-Version to 3.9.5 ++ ++ -- Christian Hofstaedtler Sun, 01 Jun 2014 17:39:35 +0200 ++ ++pdns-recursor (3.5.3-1) unstable; urgency=low ++ ++ * New upstream version ++ ++ -- Matthijs Möhlmann Sun, 22 Sep 2013 14:45:58 +0200 ++ ++pdns-recursor (3.5.2-2) unstable; urgency=low ++ ++ * Enable on all architectures (Closes: #579194) ++ ++ -- Matthijs Möhlmann Sat, 24 Aug 2013 16:13:37 +0200 ++ ++pdns-recursor (3.5.2-1) unstable; urgency=low ++ ++ * New upstream version (Closes: #710048, #682851, #671592, #697355, #649724) ++ - Refresh patches ++ * Improve the patch to make pdns-recursor less chatty ++ * Standards-Version: 3.9.4 (no changes necessary) ++ * Remove pdns_hw on cleanup (Closes: #652833) ++ ++ -- Matthijs Möhlmann Tue, 06 Aug 2013 21:43:01 +0200 ++ ++pdns-recursor (3.3-3) unstable; urgency=low ++ ++ * new maintainer team ++ * new Vcs links ++ * add Homepage ++ * debhelper 9 (enable hardening) (Closes: 656859) ++ * prepare new version ++ * set unapply-patches ++ * set Architecture to "all but arm{el,hf}" (Closes: 661959) ++ * Standards-Version: 3.9.3 (no changes necessary) ++ ++ -- Marc Haber Mon, 18 Jun 2012 14:45:50 +0000 ++ ++pdns-recursor (3.3-2) unstable; urgency=low ++ ++ * Fix my name in the init script and debian/control too. ++ * Update Standards-Version to 3.9.2 ++ * Use new build system dh instead of individual dh_* commands. ++ ++ -- Matthijs Möhlmann Mon, 08 Aug 2011 11:56:58 +0200 ++ ++pdns-recursor (3.3-1) unstable; urgency=low ++ ++ * New upstream release. (Closes: #565052) ++ * Init loop is fixed in pdns (Closes: #594805) ++ * Now my name is spelled correctly. ++ * Update Standards-Version to 3.9.1 ++ * Update the recursor.conf and include new configuration parameters. ++ * Add debug package (Closes: #594243) ++ ++ -- Matthijs Möhlmann Sat, 22 Jan 2011 16:39:02 +0100 ++ ++pdns-recursor (3.2-4) unstable; urgency=high ++ ++ * Upgrading from a previous version fails when the pdns-recursor isn't ++ started, this is RC bug hence urgency high. (Closes: #565415) ++ * Fix watch file ++ * Fix FTBFS on hurd again. ++ ++ -- Matthijs Mohlmann Tue, 20 Jul 2010 13:42:45 +0200 ++ ++pdns-recursor (3.2-3) unstable; urgency=low ++ ++ * Add watch file ++ * Switch to dpkg-source 3.0 (quilt) format ++ * Fix FTBFS on hurd ++ * Update logcheck rules. (Closes: #588135) ++ * Update Standards-Version to 3.9.0 ++ * Use dh_installinit instead of the pdns-recursor.install file. ++ ++ -- Matthijs Mohlmann Mon, 19 Jul 2010 14:39:02 +0200 ++ ++pdns-recursor (3.2-2) unstable; urgency=low ++ ++ * Remove Christoph Haas from Uploaders. Thanks for the great work! ++ * Add fix for FTBFS thanks to Petr Salinger ++ (Closes: #575006) ++ * Make pdns-recursor on startup less chatty (Closes: #438469) ++ ++ -- Matthijs Mohlmann Sat, 03 Apr 2010 13:46:23 +0200 ++ ++pdns-recursor (3.2-1) unstable; urgency=low ++ ++ * New upstream version. ++ * Update Standards-Version to 3.8.4 ++ * Fix boot order, thanks to Petter Reinholdtsen (Closes: #566877) ++ * All architectures enabled, needs testing (Closes: #489925) ++ ++ -- Matthijs Mohlmann Wed, 17 Mar 2010 10:59:28 +0100 ++ ++pdns-recursor (3.1.7.2-1) unstable; urgency=high ++ ++ * New upstream version. (CVE-2009-4009 and CVE-2009-4010) (Closes: #564145) ++ * Make lintian happy. ++ * Now really add sh4 to the architecture list. (Closes: #551153) ++ ++ -- Matthijs Mohlmann Fri, 08 Jan 2010 18:14:44 +0100 ++ ++pdns-recursor (3.1.7.1-4) unstable; urgency=low ++ ++ * Add mips, mipsel and sh4 to the supported list of architectures, only arm, ++ armel and armeb are missing. See #369453 (Closes: #551153) ++ ++ -- Matthijs Mohlmann Fri, 06 Nov 2009 18:09:29 +0100 ++ ++pdns-recursor (3.1.7.1-3) unstable; urgency=low ++ ++ * Update incorrect dependencies in the init.d script. (Closes: #547033) ++ ++ -- Matthijs Mohlmann Sun, 11 Oct 2009 18:46:58 +0200 ++ ++pdns-recursor (3.1.7.1-2) unstable; urgency=low ++ ++ * Fixing FTBFS on several archs (Closes: #540867, #541689) ++ * Added hppa and sparc architectures. See #489925, leaving open because of ++ more unsupported architectures. ++ ++ -- Matthijs Mohlmann Sun, 16 Aug 2009 15:39:54 +0200 ++ ++pdns-recursor (3.1.7.1-1) unstable; urgency=low ++ ++ * New upstream release (Closes: #497920) ++ * Using new patch system quilt. ++ * Updated Standards-Version to 3.8.2 ++ * Enable lua scripting support (Closes: #534893) ++ ++ -- Matthijs Mohlmann Sun, 09 Aug 2009 12:58:06 +0200 ++ ++pdns-recursor (3.1.7-5) unstable; urgency=low ++ ++ * Fix FTBFS bug with GCC 4.4 (closes: #506003) ++ * Make pdns-recursor available on hppa and sparc (closes: #489925) ++ by adding libc6-dev in a recent version to debian/control ++ ++ -- Christoph Haas Wed, 13 May 2009 21:36:55 +0200 ++ ++pdns-recursor (3.1.7-4) unstable; urgency=low ++ ++ * Fix FTBFS bug (closes: #528164) ++ ++ -- Christoph Haas Mon, 11 May 2009 22:24:44 +0200 ++ ++pdns-recursor (3.1.7-3) unstable; urgency=low ++ ++ * Fixed repository URL (SVN->Git) ++ * Increased policy version to 3.8.0 (lintian warning) ++ * Added proper description for gcc-4.2-ftbfs-fix.dpatch dpatch ++ (lintian warning) ++ * Fixed PIDFILE setting in init.d script (thanks to Serge Belyshev) ++ ++ -- Christoph Haas Sun, 14 Sep 2008 22:48:59 +0200 ++ ++pdns-recursor (3.1.7-2) unstable; urgency=low ++ ++ * Regard return code from stopping pdns in init.d script (Closes: #478593) ++ * Fixed init.d script's force-stop function. ++ ++ -- Christoph Haas Sun, 14 Sep 2008 17:36:42 +0200 ++ ++pdns-recursor (3.1.7-1) unstable; urgency=low ++ ++ * New upstream version (Closes: #490069) (Closes: #477130) ++ * init.d scripts gets socket-dir information from recursor.conf ++ (Closes: #471568) ++ * Added config file directives ++ * Set dont-query to nothing so it won't break pre-3.1.7 configs. (Closes: #476841) ++ ++ -- Christoph Haas Mon, 31 Mar 2008 21:51:59 +0200 ++ ++pdns-recursor (3.1.4-6) unstable; urgency=low ++ ++ * Standards-Version 3.7.3.0 ++ * Remove pdns_hw too on cleanup. ++ * Fix for truncating long TXT queries (Closes: #462114) ++ * Don't ignore build errors (Closes: #462128) ++ * Build option noopt was inoperative (Closes: #462126) ++ * Added gcc 4.3 fixes from upstream (Closes: #455631) ++ ++ -- Matthijs Mohlmann Wed, 13 Feb 2008 22:49:08 +0100 ++ ++pdns-recursor (3.1.4-5) unstable; urgency=low ++ ++ * daemon=no is now working if used in /etc/powerdns/recursor.conf ++ (Closes: #440020) ++ * patch added to reflect change of L root server (Closes: #449483) ++ * Makefile patched to prevent stripping of binaries (Closes: #437765) ++ ++ -- Christoph Haas Fri, 09 Nov 2007 21:57:58 +0100 ++ ++pdns-recursor (3.1.4-4) unstable; urgency=low ++ ++ * Update to debhelper 5. ++ * Fix lintian warning: debian-rules-sets-DH_COMPAT. ++ * Restore the changelog, it was partly removed by accident. (Closes: #421393) ++ * Fix FTBFS with gcc-4.2 (Closes: #387113) ++ ++ -- Matthijs Mohlmann Sun, 03 Jun 2007 15:11:22 +0200 ++ ++pdns-recursor (3.1.4-3) unstable; urgency=low ++ ++ * Stop/stop script does not return an error code when being called as ++ 'stop' when the service is actually not running. (Closes: #406428) ++ ++ -- Debian PowerDNS Maintainers Wed, 21 Feb 2007 23:10:00 +0200 ++ ++pdns-recursor (3.1.4-2) unstable; urgency=medium ++ ++ * Run pdns-recursor by default as non-privileged user. (Closes: #399669) ++ * swapcontext is supported by kfreebsd (Fixes a FTBFS) (Closes: #403746) ++ * Added lsb-base to the dependencies. (Closes: #402732) ++ ++ -- Matthijs Mohlmann Mon, 25 Dec 2006 14:00:10 +0100 ++ ++pdns-recursor (3.1.4-1) unstable; urgency=medium ++ ++ * New upstream release. ++ ++ -- Matthijs Mohlmann Sun, 12 Nov 2006 23:52:20 +0100 ++ ++pdns-recursor (3.1.3-3) unstable; urgency=low ++ ++ [ Matthijs Mohlmann ] ++ * Don't build pdns-recursor for the following architectures: arm, mips, ++ mipsel, hppa and sparc. No support for swapcontext system call. ++ (Closes: #395801) ++ * Fix a big endian problem with TCP processing large answers. ++ * Fix a crash on any record we couldn't properly print for whatever reason. ++ ++ -- Matthijs Mohlmann Sun, 29 Oct 2006 17:50:34 +0100 ++ ++pdns-recursor (3.1.3-2) unstable; urgency=low ++ ++ * Added patch to close a connectionless socket on an error. ++ * Added patch to fix a FD leak. ++ * Added missing lsb keyword Short-Description. ++ ++ -- Debian PowerDNS Maintainers Sun, 1 Oct 2006 14:52:46 +0200 ++ ++pdns-recursor (3.1.3-1) unstable; urgency=low ++ ++ * New upstream release. ++ * Make a lsb compliant init script, fixes a lintian warning. ++ ++ -- Debian PowerDNS Maintainers Thu, 14 Sep 2006 21:20:56 +0200 ++ ++pdns-recursor (3.1.2-2) unstable; urgency=low ++ ++ * Added patch to fix crashes on 64bit platforms (Closes: #380403) ++ * Added patch to prevent overwriting of auth data by unauth data. ++ * Fix a small memleak. ++ ++ -- Debian PowerDNS Maintainers Sun, 6 Aug 2006 13:20:45 +0200 ++ ++pdns-recursor (3.1.2-1) unstable; urgency=low ++ ++ * New upstream release. ++ * Drop build-with-g++-4.1 patch. g++ 4.1 is default now. (Closes: #376696) ++ * Fixed minor typo in recursor.conf (Closes: #369957) ++ * Add logcheck rule for pdns-recursor to suppress logcheck warnings. ++ (Closes: #367702) ++ ++ -- Debian PowerDNS Maintainers Tue, 4 Jul 2006 19:16:19 +0200 ++ ++pdns-recursor (3.1.1-1) unstable; urgency=low ++ ++ * New upstream version. ++ ++ -- Debian PowerDNS Maintainers Wed, 24 May 2006 19:41:09 +0200 ++ ++pdns-recursor (3.0.1-1) unstable; urgency=low ++ ++ * New upstream release (Closes: #366681) ++ ++ -- Debian PowerDNS Maintainers Tue, 25 Apr 2006 21:27:26 +0200 diff --cc debian/compat index 0000000,0000000..b4de394 new file mode 100644 --- /dev/null +++ b/debian/compat @@@ -1,0 -1,0 +1,1 @@@ ++11 diff --cc debian/control index 0000000,0000000..b4bc744 new file mode 100644 --- /dev/null +++ b/debian/control @@@ -1,0 -1,0 +1,36 @@@ ++Source: pdns-recursor ++Section: net ++Priority: optional ++Standards-Version: 4.2.1 ++Maintainer: pdns-recursor packagers ++Uploaders: Chris Hofstaedtler , ++ Marc Haber ++Build-Conflicts: libboost-context-dev [mips mipsel ppc64el] ++Build-Depends: debhelper (>= 11~), ++ libboost-context-dev [amd64 arm64 armel armhf i386], ++ libboost-dev, ++ libboost-program-options-dev, ++ libboost-test-dev, ++ liblua5.2-dev, ++ libprotobuf-dev, ++ libsodium-dev, ++ libssl-dev, ++ libsystemd-dev [linux-any], ++ pkg-config, ++ protobuf-compiler, ++ publicsuffix, ++ ragel ++Vcs-Git: https://salsa.debian.org/dns-team/pdns-recursor.git ++Vcs-Browser: https://salsa.debian.org/dns-team/pdns-recursor ++Homepage: https://www.powerdns.com/ ++ ++Package: pdns-recursor ++Architecture: any ++Built-Using: publicsuffix (= ${build:PublicSuffixVersion}) ++Depends: adduser, ++ dns-root-data, ++ ${misc:Depends}, ++ ${shlibs:Depends} ++Description: PowerDNS Recursor ++ High-performance resolving name server, utilizing multiple ++ processor and including Lua scripting capabilities. diff --cc debian/copyright index 0000000,0000000..8452619 new file mode 100644 --- /dev/null +++ b/debian/copyright @@@ -1,0 -1,0 +1,107 @@@ ++Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ ++Upstream-Name: PowerDNS ++Source: https://www.powerdns.com/downloads.html ++ ++Files: * ++Copyright: 2002 - 2018 PowerDNS.COM BV and contributors ++License: GPL-2 with OpenSSL Exception ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License version 2 ++ as published by the Free Software Foundation ++ . ++ In addition, for the avoidance of any doubt, permission is granted to ++ link this program with OpenSSL and to (re)distribute the binaries ++ produced as the result of such linking. ++ . ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ . ++ You should have received a copy of the GNU General Public License ++ along with this program; if not, write to the Free Software ++ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA ++ . ++ On Debian systems, the full text of the GNU General Public ++ License version 2 can be found in the file ++ `/usr/share/common-licenses/GPL-2'. ++ ++Files: debian/* ++Copyright: 2002 - 2004 Wichert Akkermann ++ 2004 - 2013 Matthijs Möhlmann ++ 2012 - 2013 Marc Haber ++ 2014 - 2018 Christian Hofstaedtler ++ 2016 - 2018 PowerDNS.COM BV and contributors ++License: GPL-2 ++ ++Files: ext/yahttp/* ++Copyright: 2014 Aki Tuomi ++License: Expat ++ ++Files: ext/json11/* ++Copyright: 2013 Dropbox, Inc. ++License: Expat ++ ++Files: ext/luawrapper/* ++Copyright: 2013, Pierre KRIEGER ++License: BSD-3 ++ ++License: BSD-3 ++ Redistribution and use in source and binary forms, with or without ++ modification, are permitted provided that the following conditions are met: ++ * Redistributions of source code must retain the above copyright ++ notice, this list of conditions and the following disclaimer. ++ * Redistributions in binary form must reproduce the above copyright ++ notice, this list of conditions and the following disclaimer in the ++ documentation and/or other materials provided with the distribution. ++ * Neither the name of the nor the ++ names of its contributors may be used to endorse or promote products ++ derived from this software without specific prior written permission. ++ . ++ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ++ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED ++ WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ++ DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY ++ DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++ (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ++ ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ++ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS ++ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ++ ++License: Expat ++ Permission is hereby granted, free of charge, to any person obtaining a copy ++ of this software and associated documentation files (the "Software"), to deal ++ in the Software without restriction, including without limitation the rights ++ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell ++ copies of the Software, and to permit persons to whom the Software is ++ furnished to do so, subject to the following conditions: ++ . ++ The above copyright notice and this permission notice shall be included in ++ all copies or substantial portions of the Software. ++ . ++ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE ++ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, ++ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN ++ THE SOFTWARE. ++ ++License: GPL-2 ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either version 2 of the License. ++ . ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ . ++ You should have received a copy of the GNU General Public License along ++ with this program; if not, write to the Free Software Foundation, Inc., ++ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++ . ++ On Debian systems, the full text of the GNU General Public ++ License version 2 can be found in the file ++ `/usr/share/common-licenses/GPL-2'. diff --cc debian/gbp.conf index 0000000,0000000..f712705 new file mode 100644 --- /dev/null +++ b/debian/gbp.conf @@@ -1,0 -1,0 +1,3 @@@ ++[DEFAULT] ++debian-branch = buster ++pristine-tar = True diff --cc debian/lua-config/rootkeys.lua index 0000000,0000000..6bbfa0c new file mode 100644 --- /dev/null +++ b/debian/lua-config/rootkeys.lua @@@ -1,0 -1,0 +1,22 @@@ ++function debian_load_rootkeys() ++ root_key_path = "/usr/share/dns/root.ds" ++ ds_list = {} ++ pdnslog("debian_load_rootkeys: Loading DNSSEC root keys from " .. root_key_path) ++ -- . IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5 ++ for line in io.lines(root_key_path) do ++ ds = string.match(line, "^%.%s+IN%s+DS%s+(%d+%s+%d+%s+%d+%s+%S+)") ++ if ds then ++ table.insert(ds_list, ds) ++ end ++ end ++ if #ds_list > 0 then ++ pdnslog("debian_load_rootkeys: Removing built in root DS entries.") ++ clearDS() ++ for _, ds in pairs(ds_list) do ++ pdnslog("debian_load_rootkeys: Adding DS for root: " .. ds) ++ addDS(".", ds) ++ end ++ end ++end ++ ++debian_load_rootkeys() diff --cc debian/patches/CVE-2020-14196.patch index 0000000,0000000..b3e8f91 new file mode 100644 --- /dev/null +++ b/debian/patches/CVE-2020-14196.patch @@@ -1,0 -1,0 +1,132 @@@ ++From: Otto Moerbeek ++Date: Tue, 30 Jun 2020 13:46:54 +0200 ++Subject: Backport of acl check to 4.1.x ++ ++An issue has been found in PowerDNS Recursor where the ACL applied to the ++internal web server via `webserver-allow-from` is not properly enforced, ++allowing a remote attacker to send HTTP queries to the internal web server, ++bypassing the restriction. ++ ++Note that the web server is not enabled by default. Only installations using a ++non-default value for `webserver` and `webserver-address` are affected. ++ ++Workarounds are: disable the webserver or set a password or an API key. ++Additionally, restrict the binding address using the `webserver-address` ++setting to local addresses only and/or use a firewall to disallow web requests ++from untrusted sources reaching the webserver listening address. ++ ++Bug: https://www.openwall.com/lists/oss-security/2020/07/01/1 ++Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964103 ++Origin: https://github.com/PowerDNS/pdns/commit/e81271189216dbf2850c6d4461dfc3f37c731ac8.patch ++Reviewed-by: Daniel Leidert ++--- ++ sstuff.hh | 2 +- ++ webserver.cc | 5 +---- ++ webserver.hh | 7 +++++++ ++ ws-recursor.cc | 9 +++++++++ ++ ws-recursor.hh | 5 ++++- ++ 5 files changed, 22 insertions(+), 6 deletions(-) ++ ++diff --git a/sstuff.hh b/sstuff.hh ++index 707b1ad..5ae6685 100644 ++--- a/sstuff.hh +++++ b/sstuff.hh ++@@ -111,7 +111,7 @@ public: ++ } ++ ++ //! Check remote address against netmaskgroup ng ++- bool acl(NetmaskGroup &ng) +++ bool acl(const NetmaskGroup &ng) ++ { ++ ComboAddress remote; ++ if (getRemote(remote)) ++diff --git a/webserver.cc b/webserver.cc ++index f1a95f4..5a7054b 100644 ++--- a/webserver.cc +++++ b/webserver.cc ++@@ -344,16 +344,13 @@ void WebServer::go() ++ if(!d_server) ++ return; ++ try { ++- NetmaskGroup acl; ++- acl.toMasks(::arg()["webserver-allow-from"]); ++- ++ while(true) { ++ try { ++ auto client = d_server->accept(); ++ if (!client) { ++ continue; ++ } ++- if (client->acl(acl)) { +++ if (client->acl(d_acl)) { ++ std::thread webHandler(WebServerConnectionThreadStart, this, client); ++ webHandler.detach(); ++ } else { ++diff --git a/webserver.hh b/webserver.hh ++index b3ede89..2de84fd 100644 ++--- a/webserver.hh +++++ b/webserver.hh ++@@ -139,6 +139,11 @@ class WebServer : public boost::noncopyable ++ public: ++ WebServer(const string &listenaddress, int port); ++ virtual ~WebServer() { }; +++ +++ void setACL(const NetmaskGroup &nmg) { +++ d_acl = nmg; +++ } +++ ++ void bind(); ++ void go(); ++ ++@@ -160,6 +165,8 @@ protected: ++ int d_port; ++ string d_password; ++ std::shared_ptr d_server; +++ +++ NetmaskGroup d_acl; ++ }; ++ ++ #endif /* WEBSERVER_HH */ ++diff --git a/ws-recursor.cc b/ws-recursor.cc ++index 0f71ee4..2393d75 100644 ++--- a/ws-recursor.cc +++++ b/ws-recursor.cc ++@@ -450,6 +450,11 @@ RecursorWebServer::RecursorWebServer(FDMultiplexer* fdm) ++ registerAllStats(); ++ ++ d_ws = new AsyncWebServer(fdm, arg()["webserver-address"], arg().asNum("webserver-port")); +++ +++ NetmaskGroup acl; +++ acl.toMasks(::arg()["webserver-allow-from"]); +++ d_ws->setACL(acl); +++ ++ d_ws->bind(); ++ ++ // legacy dispatch ++@@ -610,6 +615,10 @@ void AsyncServer::newConnection() ++ // This is an entry point from FDM, so it needs to catch everything. ++ void AsyncWebServer::serveConnection(std::shared_ptr client) const ++ try { +++ if (!client->acl(d_acl)) { +++ return; +++ } +++ ++ HttpRequest req; ++ YaHTTP::AsyncRequestLoader yarl; ++ yarl.initialize(&req); ++diff --git a/ws-recursor.hh b/ws-recursor.hh ++index 9df3a81..13a3707 100644 ++--- a/ws-recursor.hh +++++ b/ws-recursor.hh ++@@ -32,7 +32,10 @@ class HttpResponse; ++ ++ class AsyncServer : public Server { ++ public: ++- AsyncServer(const string &localaddress, int port) : Server(localaddress, port) { }; +++ AsyncServer(const string &localaddress, int port) : Server(localaddress, port) +++ { +++ d_server_socket.setNonBlocking(); +++ }; ++ ++ friend void AsyncServerNewConnectionMT(void *p); ++ diff --cc debian/patches/CVE-2020-25829.patch index 0000000,0000000..84692e2 new file mode 100644 --- /dev/null +++ b/debian/patches/CVE-2020-25829.patch @@@ -1,0 -1,0 +1,50 @@@ ++From: Otto Moerbeek ++Date: Mon, 12 Oct 2020 10:08:08 +0200 ++Subject: Backport of CVE-2020-25829 (any-cache-update) to 4.1.x ++ ++An issue has been found in PowerDNS Recursor before 4.1.18, 4.2.x before 4.2.5, ++and 4.3.x before 4.3.5. A remote attacker can cause the cached records for a ++given name to be updated to the Bogus DNSSEC validation state, instead of their ++actual DNSSEC Secure state, via a DNS ANY query. This results in a denial of ++service for installation that always validate (dnssec=validate), and for ++clients requesting validation when on-demand validation is enabled ++(dnssec=process). ++ ++Origin: https://github.com/PowerDNS/pdns/commit/77409aab0be43071b365760213894d6388c3df30.patch ++Bug: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html ++Bug-Debian: https://bugs.debian.org/972159 ++Reviewed-by: Daniel Leidert ++--- ++ recursor_cache.cc | 10 +++++++--- ++ 1 file changed, 7 insertions(+), 3 deletions(-) ++ ++diff --git a/recursor_cache.cc b/recursor_cache.cc ++index 9ccecf8..216245c 100644 ++--- a/recursor_cache.cc +++++ b/recursor_cache.cc ++@@ -413,9 +413,14 @@ bool MemRecursorCache::doAgeCache(time_t now, const DNSName& name, uint16_t qtyp ++ ++ bool MemRecursorCache::updateValidationStatus(time_t now, const DNSName &qname, const QType& qt, const ComboAddress& who, bool requireAuth, vState newState) ++ { +++ if (qt == QType::ANY || qt == QType::ADDR) { +++ // not doing that +++ return false; +++ } +++ ++ bool updated = false; ++ uint16_t qtype = qt.getCode(); ++- if (qtype != QType::ANY && qtype != QType::ADDR && !d_ecsIndex.empty()) { +++ if (!d_ecsIndex.empty()) { ++ auto entry = getEntryUsingECSIndex(now, qname, qtype, requireAuth, who); ++ if (entry == d_cache.end()) { ++ return false; ++@@ -434,8 +439,7 @@ bool MemRecursorCache::updateValidationStatus(time_t now, const DNSName &qname, ++ i->d_state = newState; ++ updated = true; ++ ++- if(qtype != QType::ANY && qtype != QType::ADDR) // normally if we have a hit, we are done ++- break; +++ break; ++ } ++ ++ return updated; diff --cc debian/patches/bogus-empty-nxd-4.1.15.diff index 0000000,0000000..96f7bd1 new file mode 100644 --- /dev/null +++ b/debian/patches/bogus-empty-nxd-4.1.15.diff @@@ -1,0 -1,0 +1,79 @@@ ++Index: pdns-recursor/test-syncres_cc.cc ++=================================================================== ++--- pdns-recursor.orig/test-syncres_cc.cc +++++ pdns-recursor/test-syncres_cc.cc ++@@ -8299,6 +8299,59 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_n ++ BOOST_CHECK_EQUAL(queriesCount, 4); ++ } ++ +++BOOST_AUTO_TEST_CASE(test_dnssec_bogus_nxdomain) +++{ +++ std::unique_ptr sr; +++ initSR(sr, true); +++ +++ setDNSSECValidation(sr, DNSSECMode::ValidateAll); +++ +++ primeHints(); +++ const DNSName target("powerdns.com."); +++ testkeysset_t keys; +++ +++ auto luaconfsCopy = g_luaconfs.getCopy(); +++ luaconfsCopy.dsAnchors.clear(); +++ generateKeyMaterial(DNSName("."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); +++ generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); +++ generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); +++ g_luaconfs.setState(luaconfsCopy); +++ +++ size_t queriesCount = 0; +++ +++ sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional& srcmask, boost::optional context, std::shared_ptr outgoingLogger, LWResult* res, bool* chained) { +++ queriesCount++; +++ +++ if (type == QType::DS || type == QType::DNSKEY) { +++ return genericDSAndDNSKEYHandler(res, domain, domain, type, keys); +++ } +++ else { +++ +++ setLWResult(res, RCode::NXDomain, true, false, true); +++ return 1; +++ } +++ +++ return 0; +++ }); +++ +++ vector ret; +++ int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); +++ BOOST_CHECK_EQUAL(res, RCode::NXDomain); +++ BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); +++ BOOST_REQUIRE_EQUAL(ret.size(), 0U); +++ /* com|NS, powerdns.com|NS, powerdns.com|A */ +++ BOOST_CHECK_EQUAL(queriesCount, 3U); +++ +++ /* again, to test the cache */ +++ ret.clear(); +++ res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); +++ BOOST_CHECK_EQUAL(res, RCode::NXDomain); +++ BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); +++ BOOST_REQUIRE_EQUAL(ret.size(), 0U); +++ /* we don't store empty results */ +++ BOOST_CHECK_EQUAL(queriesCount, 4U); +++} +++ ++ BOOST_AUTO_TEST_CASE(test_nsec_denial_nowrap) { ++ init(); ++ ++Index: pdns-recursor/syncres.cc ++=================================================================== ++--- pdns-recursor.orig/syncres.cc +++++ pdns-recursor/syncres.cc ++@@ -2569,6 +2569,10 @@ bool SyncRes::processAnswer(unsigned int ++ if(lwr.d_rcode == RCode::NXDomain) { ++ LOG(prefix<(new MemRecursorCache()); ++ ++ SyncRes::s_maxqperq = 50; ++- SyncRes::s_maxtotusec = 1000*7000; +++ SyncRes::s_maxnsaddressqperq = 10; +++ SyncRes::s_maxtotusec = 1000 * 7000; ++ SyncRes::s_maxdepth = 40; ++ SyncRes::s_maxnegttl = 3600; ++ SyncRes::s_maxcachettl = 86400; ++@@ -10229,6 +10230,48 @@ BOOST_AUTO_TEST_CASE(test_getDSRecords_m ++ } ++ #endif // HAVE_BOTAN110 ++ +++BOOST_AUTO_TEST_CASE(test_completely_flawed_big_nsset) +++{ +++ std::unique_ptr sr; +++ initSR(sr); +++ +++ primeHints(); +++ +++ const DNSName target("powerdns.com."); +++ size_t queriesCount = 0; +++ +++ sr->setAsyncCallback([&queriesCount, target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional& srcmask, boost::optional context, std::shared_ptr outgoingLogger, LWResult* res, bool* chained) { +++ queriesCount++; +++ +++ if (isRootServer(ip) && domain == target) { +++ setLWResult(res, 0, false, false, true); +++ // 20 NS records +++ for (int i = 0; i < 20; i++) { +++ string n = string("pdns-public-ns") + std::to_string(i) + string(".powerdns.com."); +++ addRecordToLW(res, domain, QType::NS, n, DNSResourceRecord::AUTHORITY, 172800); +++ } +++ return 1; +++ } +++ else if (domain.toString().length() > 14 && domain.toString().substr(0, 14) == "pdns-public-ns") { +++ setLWResult(res, 0, true, false, true); +++ addRecordToLW(res, ".", QType::SOA, "a.root-servers.net. nstld.verisign-grs.com. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400); +++ return 1; +++ } +++ return 0; +++ }); +++ +++ vector ret; +++ try { +++ sr->beginResolve(target, QType(QType::A), QClass::IN, ret); +++ BOOST_CHECK(0); +++ } catch (const ImmediateServFailException& ex) { +++ BOOST_CHECK_EQUAL(ret.size(), 0U); +++ // one query to get NSs, then A and AAAA for each NS, 5th NS hits the limit +++ // limit is reduced to 5, because zone publishes many (20) NS +++ BOOST_CHECK_EQUAL(queriesCount, 11); +++ } +++} +++ ++ /* ++ // cerr<<"asyncresolve called to ask "< SyncRes::getAddrs(const DNSName &qname, unsigned int depth, set& beenthere, bool cacheOnly) +++vector SyncRes::getAddrs(const DNSName &qname, unsigned int depth, set& beenthere, bool cacheOnly, unsigned int& addressQueriesForNS) ++ { ++ typedef vector res_t; ++ res_t res; ++@@ -670,6 +671,7 @@ vector SyncRes::getAddrs(c ++ bool oldCacheOnly = d_cacheonly; ++ bool oldRequireAuthData = d_requireAuthData; ++ bool oldValidationRequested = d_DNSSECValidationRequested; +++ const unsigned int startqueries = d_outqueries; ++ d_requireAuthData = false; ++ d_DNSSECValidationRequested = false; ++ d_cacheonly = cacheOnly; ++@@ -719,6 +721,10 @@ vector SyncRes::getAddrs(c ++ } ++ } ++ +++ if (ret.empty() && d_outqueries > startqueries) { +++ // We did 1 or more outgoing queries to resolve this NS name but returned empty handed +++ addressQueriesForNS++; +++ } ++ d_requireAuthData = oldRequireAuthData; ++ d_DNSSECValidationRequested = oldValidationRequested; ++ d_cacheonly = oldCacheOnly; ++@@ -1425,13 +1431,13 @@ bool SyncRes::nameserverIPBlockedByRPZ(c ++ return false; ++ } ++ ++-vector SyncRes::retrieveAddressesForNS(const std::string& prefix, const DNSName& qname, vector::const_iterator& tns, const unsigned int depth, set& beenthere, const vector& rnameservers, NsSet& nameservers, bool& sendRDQuery, bool& pierceDontQuery, bool& flawedNSSet, bool cacheOnly) +++vector SyncRes::retrieveAddressesForNS(const std::string& prefix, const DNSName& qname, vector::const_iterator& tns, const unsigned int depth, set& beenthere, const vector& rnameservers, NsSet& nameservers, bool& sendRDQuery, bool& pierceDontQuery, bool& flawedNSSet, bool cacheOnly, unsigned int& retrieveAddressesForNS) ++ { ++ vector result; ++ ++ if(!tns->empty()) { ++ LOG(prefix< rnameservers = shuffleInSpeedOrder(nameservers, doLog() ? (prefix+qname.toString()+": ") : string() ); ++ +++ // We allow s_maxnsaddressqperq (default 10) queries with empty responses when resolving NS names. +++ // If a zone publishes many (more than s_maxnsaddressqperq) NS records, we allow less. +++ // This is to "punish" zones that publish many non-resolving NS names. +++ // We always allow 5 NS name resolving attempts with empty results. +++ unsigned int nsLimit = s_maxnsaddressqperq; +++ if (rnameservers.size() > nsLimit) { +++ int newLimit = static_cast(nsLimit) - (rnameservers.size() - nsLimit); +++ nsLimit = std::max(5, newLimit); +++ } +++ ++ for(auto tns=rnameservers.cbegin();;++tns) { +++ if (addressQueriesForNS >= nsLimit) { +++ throw ImmediateServFailException(std::to_string(nsLimit)+" (adjusted max-ns-address-qperq) or more queries with empty results for NS addresses sent resolving "+qname.toLogString()); +++ } ++ if(tns==rnameservers.cend()) { ++ LOG(prefix< shuffleInSpeedOrder(NsSet &nameservers, const string &prefix); ++ bool moreSpecificThan(const DNSName& a, const DNSName &b) const; ++- vector getAddrs(const DNSName &qname, unsigned int depth, set& beenthere, bool cacheOnly); +++ vector getAddrs(const DNSName &qname, unsigned int depth, set& beenthere, bool cacheOnly, unsigned int& addressQueriesForNS); ++ ++ bool nameserversBlockedByRPZ(const DNSFilterEngine& dfe, const NsSet& nameservers); ++ bool nameserverIPBlockedByRPZ(const DNSFilterEngine& dfe, const ComboAddress&); ++ bool throttledOrBlocked(const std::string& prefix, const ComboAddress& remoteIP, const DNSName& qname, const QType& qtype, bool pierceDontQuery); ++ ++- vector retrieveAddressesForNS(const std::string& prefix, const DNSName& qname, vector::const_iterator& tns, const unsigned int depth, set& beenthere, const vector& rnameservers, NsSet& nameservers, bool& sendRDQuery, bool& pierceDontQuery, bool& flawedNSSet, bool cacheOnly); +++ vector retrieveAddressesForNS(const std::string& prefix, const DNSName& qname, vector::const_iterator& tns, const unsigned int depth, set& beenthere, const vector& rnameservers, NsSet& nameservers, bool& sendRDQuery, bool& pierceDontQuery, bool& flawedNSSet, bool cacheOnly, unsigned int& addressQueriesForNS); ++ RCode::rcodes_ updateCacheFromRecords(unsigned int depth, LWResult& lwr, const DNSName& qname, const QType& qtype, const DNSName& auth, bool wasForwarded, const boost::optional, vState& state, bool& needWildcardProof, unsigned int& wildcardLabelsCount, bool sendRDQuery); ++ bool processRecords(const std::string& prefix, const DNSName& qname, const QType& qtype, const DNSName& auth, LWResult& lwr, const bool sendRDQuery, vector& ret, set& nsset, DNSName& newtarget, DNSName& newauth, bool& realreferral, bool& negindic, vState& state, const bool needWildcardProof, const unsigned int wildcardLabelsCount); ++ diff --cc debian/patches/series index 0000000,0000000..8a9e0a7 new file mode 100644 --- /dev/null +++ b/debian/patches/series @@@ -1,0 -1,0 +1,7 @@@ ++testrunner-log-verbosity ++stack-size ++bogus-empty-nxd-4.1.15.diff ++hostname-4.1.15.diff ++ns-ampl-4.1.15.diff ++CVE-2020-14196.patch ++CVE-2020-25829.patch diff --cc debian/patches/stack-size index 0000000,0000000..dc6660a new file mode 100644 --- /dev/null +++ b/debian/patches/stack-size @@@ -1,0 -1,0 +1,13 @@@ ++diff --git a/test-mtasker.cc b/test-mtasker.cc ++index f6f1b5b46..fd7e52899 100644 ++--- a/test-mtasker.cc +++++ b/test-mtasker.cc ++@@ -48,7 +48,7 @@ static void willThrow(void* p) ++ ++ BOOST_AUTO_TEST_CASE(test_MtaskerException) { ++ BOOST_CHECK_THROW( { ++- MTasker<> mt; +++ MTasker<> mt(200000); // stack-size default value from pdns_recursor.cc. ++ mt.makeThread(willThrow, 0); ++ struct timeval now; ++ diff --cc debian/patches/testrunner-log-verbosity index 0000000,0000000..88c8457 new file mode 100644 --- /dev/null +++ b/debian/patches/testrunner-log-verbosity @@@ -1,0 -1,0 +1,13 @@@ ++Index: pdns-recursor/Makefile.am ++=================================================================== ++--- pdns-recursor.orig/Makefile.am +++++ pdns-recursor/Makefile.am ++@@ -74,7 +74,7 @@ TESTS=test_libcrypto ++ ++ if UNIT_TESTS ++ noinst_PROGRAMS = testrunner ++-TESTS_ENVIRONMENT = env BOOST_TEST_LOG_LEVEL=message SRCDIR='$(srcdir)' +++TESTS_ENVIRONMENT = env BOOST_TEST_LOG_LEVEL=test_suite BOOST_TEST_REPORT_LEVEL=detailed SRCDIR='$(srcdir)' ++ TESTS += testrunner ++ else ++ check-local: diff --cc debian/pdns-recursor.default index 0000000,0000000..db03e54 new file mode 100644 --- /dev/null +++ b/debian/pdns-recursor.default @@@ -1,0 -1,0 +1,7 @@@ ++# Variables for PowerDNS recursor init script. ++# Not honored when systemd is the running init. ++# ++# Set START to yes to start the pdns-recursor ++START=yes ++# Run resolvconf? (Deprecated feature.) ++RESOLVCONF=no diff --cc debian/pdns-recursor.dirs index 0000000,0000000..1e7acad new file mode 100644 --- /dev/null +++ b/debian/pdns-recursor.dirs @@@ -1,0 -1,0 +1,1 @@@ ++etc/powerdns/recursor.d diff --cc debian/pdns-recursor.examples index 0000000,0000000..e55528c new file mode 100644 --- /dev/null +++ b/debian/pdns-recursor.examples @@@ -1,0 -1,0 +1,1 @@@ ++rrd diff --cc debian/pdns-recursor.init index 0000000,0000000..63390cf new file mode 100644 --- /dev/null +++ b/debian/pdns-recursor.init @@@ -1,0 -1,0 +1,175 @@@ ++#!/bin/sh ++### BEGIN INIT INFO ++# Provides: pdns-recursor ++# Required-Start: $network $remote_fs $syslog ++# Required-Stop: $network $remote_fs $syslog ++# Default-Start: 2 3 4 5 ++# Default-Stop: 0 1 6 ++# Short-Description: PowerDNS Recursor - Recursive DNS Server ++# Description: PowerDNS Recursor - Recursive DNS Server ++### END INIT INFO ++ ++# ++# Authors: Matthijs Möhlmann ++# Christoph Haas ++# ++# Thanks to: ++# Thomas Hood ++# ++# initscript for PowerDNS recursor ++ ++# Load lsb stuff for systemd redirection (if available). ++if [ -e /lib/lsb/init-functions ]; then ++ . /lib/lsb/init-functions ++fi ++ ++PATH=/sbin:/bin:/usr/sbin:/usr/bin ++DESC="PowerDNS Recursor" ++NAME=pdns_recursor ++DAEMON=/usr/sbin/$NAME ++# Derive the socket-dir setting from /etc/powerdns/recursor.conf ++# or fall back to the default /var/run if not specified there. ++PIDDIR=$(awk -F= '/^socket-dir=/ {print $2}' /etc/powerdns/recursor.conf) ++if [ -z "$PIDDIR" ]; then PIDDIR=/var/run; fi ++PIDFILE=$PIDDIR/$NAME.pid ++ ++# Gracefully exit if the package has been removed. ++test -x $DAEMON || exit 0 ++ ++# Read config file if it is present. ++if [ -r /etc/default/pdns-recursor ]; then ++ . /etc/default/pdns-recursor ++fi ++ ++start() { ++# Return ++# 0 if daemon has been started / was already running ++# >0 if daemon could not be started ++ start-stop-daemon --start --oknodo --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null || return 0 ++ start-stop-daemon --start --oknodo --quiet --pidfile $PIDFILE --exec $DAEMON -- --daemon=yes || return 2 ++} ++ ++start_resolvconf() { ++ if [ "X$RESOLVCONF" = "Xyes" ] && [ -x /sbin/resolvconf ]; then ++ echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.pdns-recursor ++ fi ++ return 0 ++} ++ ++stop() { ++# Return ++# 0 if daemon has been stopped ++# 1 if daemon was already stopped ++# 2 if daemon could not be stopped ++# other if a failure occured ++ start-stop-daemon --stop --quiet --pidfile $PIDFILE --name $NAME ++ RETVAL="$?" ++ [ "$RETVAL" = 2 ] && return 2 ++ rm -f $PIDFILE ++ return "$RETVAL" ++} ++ ++stop_resolvconf() { ++ if [ "X$RESOLVCONF" = "Xyes" ] && [ -x /sbin/resolvconf ]; then ++ /sbin/resolvconf -d lo.pdns-recursor ++ fi ++ return 0 ++} ++ ++isrunning() ++{ ++ /usr/bin/rec_control ping > /dev/null ++ return $? ++} ++ ++case "$1" in ++ start) ++ if [ "$START" != "yes" ]; then ++ echo "Not starting $DESC -- disabled." ++ exit 0 ++ fi ++ echo -n "Starting $DESC: $NAME ..." ++ start ++ case "$?" in ++ 0) ++ start_resolvconf ++ echo done ++ break ++ ;; ++ 1) ++ echo "already running" ++ break ++ ;; ++ *) ++ echo "failed" ++ exit 1 ++ ;; ++ esac ++ ;; ++ stop) ++ stop_resolvconf ++ echo -n "Stopping $DESC: $NAME ..." ++ stop ++ case "$?" in ++ 0) ++ echo done ++ break ++ ;; ++ 1) ++ echo "not running" ++ break ++ ;; ++ *) ++ echo "failed" ++ exit 1 ++ ;; ++ esac ++ ;; ++ restart|force-reload) ++ if [ "$START" != "yes" ]; then ++ $0 stop ++ exit 0 ++ fi ++ echo -n "Restarting $DESC ..." ++ stop ++ case "$?" in ++ 0|1) ++ start ++ case "$?" in ++ 0) ++ echo done ++ exit 0 ++ ;; ++ 1) ++ echo "failed -- old process still running" ++ exit 1 ++ ;; ++ *) ++ echo "failed to start" ++ exit 1 ++ ;; ++ esac ++ ;; ++ *) ++ echo "failed to stop" ++ exit 1 ++ ;; ++ esac ++ ;; ++ status) ++ if isrunning; then ++ echo "$NAME is running" ++ exit 0 ++ else ++ echo "$NAME is not running or not responding" ++ exit 3 ++ fi ++ ;; ++ *) ++ echo "Usage: $0 {start|stop|restart|force-reload|status}" >&2 ++ exit 3 ++ ;; ++esac ++ ++exit 0 ++ diff --cc debian/pdns-recursor.lintian-overrides index 0000000,0000000..b7f625e new file mode 100644 --- /dev/null +++ b/debian/pdns-recursor.lintian-overrides @@@ -1,0 -1,0 +1,4 @@@ ++# Source carries OpenSSL Exception ++pdns-recursor: possible-gpl-code-linked-with-openssl ++# We load lsb-functions conditionally. ++pdns-recursor: init.d-script-needs-depends-on-lsb-base diff --cc debian/pdns-recursor.logcheck.ignore.server index 0000000,0000000..f6e86ec new file mode 100644 --- /dev/null +++ b/debian/pdns-recursor.logcheck.ignore.server @@@ -1,0 -1,0 +1,1 @@@ ++^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pdns_recursor\[[0-9]+\]: stats: .* diff --cc debian/pdns-recursor.manpages index 0000000,0000000..020a6a1 new file mode 100644 --- /dev/null +++ b/debian/pdns-recursor.manpages @@@ -1,0 -1,0 +1,2 @@@ ++pdns_recursor.1 ++rec_control.1 diff --cc debian/pdns-recursor.postinst index 0000000,0000000..1c32de2 new file mode 100644 --- /dev/null +++ b/debian/pdns-recursor.postinst @@@ -1,0 -1,0 +1,23 @@@ ++#!/bin/sh ++set -e ++ ++case "$1" in ++ configure) ++ addgroup --system pdns ++ adduser --system --home /var/spool/powerdns --shell /bin/false --ingroup pdns --disabled-password --disabled-login --gecos "PowerDNS" pdns ++ ;; ++ ++ *) ++ echo "postinst called with unknown argument \`$1'" >&2 ++ exit 1 ++ ;; ++esac ++ ++# Startup errors should never cause dpkg to fail. ++initscript_error() { ++ return 0 ++} ++ ++#DEBHELPER# ++ ++exit 0 diff --cc debian/pdns-recursor.prerm index 0000000,0000000..e78608c new file mode 100644 --- /dev/null +++ b/debian/pdns-recursor.prerm @@@ -1,0 -1,0 +1,11 @@@ ++#!/bin/sh ++set -e ++ ++# Startup errors should never cause dpkg to fail. ++initscript_error() { ++ return 0 ++} ++ ++#DEBHELPER# ++ ++exit 0 diff --cc debian/recursor.lua index 0000000,0000000..1d670a5 new file mode 100644 --- /dev/null +++ b/debian/recursor.lua @@@ -1,0 -1,0 +1,7 @@@ ++-- Debian default Lua configuration file for PowerDNS Recursor ++ ++-- Load DNSSEC root keys from dns-root-data package. ++-- Note: If you provide your own Lua configuration file, consider ++-- running rootkeys.lua too. ++dofile("/usr/share/pdns-recursor/lua-config/rootkeys.lua") ++ diff --cc debian/rules index 0000000,0000000..a501d20 new file mode 100755 --- /dev/null +++ b/debian/rules @@@ -1,0 -1,0 +1,72 @@@ ++#!/usr/bin/make -f ++include /usr/share/dpkg/architecture.mk ++include /usr/share/dpkg/pkg-info.mk ++include /usr/share/dpkg/vendor.mk ++ ++# Vendor and version ++version := $(DEB_VERSION).$(DEB_VENDOR) ++CXXFLAGS += -DPACKAGEVERSION='"$(version)"' ++ ++# (Re-)Enable warnings ++CXXFLAGS += -Wall ++ ++# Turn on all hardening flags, as we're a networked daemon. ++# Note: blhc (build log hardening check) will find these false positivies: CPPFLAGS 2 missing, LDFLAGS 1 missing ++export DEB_BUILD_MAINT_OPTIONS = hardening=+all ++ ++# Disable systemd integration on non-linux archs ++ifeq ($(DEB_HOST_ARCH_OS),linux) ++CONFIGURE_ARGS += --enable-systemd --with-systemd=/lib/systemd/system ++else ++CONFIGURE_ARGS += --disable-systemd ++endif ++ ++SUBSTVARS = -Vbuild:PublicSuffixVersion=$(shell (dpkg-query -W publicsuffix | awk '{print $$2}')) ++ ++ ++%: ++ dh $@ ++ ++override_dh_auto_clean: ++ dh_auto_clean ++ rm -f effective_tld_names.dat ++ chmod +x mkpubsuffixcc || true ++ ++override_dh_auto_configure: ++ cp -f /usr/share/publicsuffix/public_suffix_list.dat effective_tld_names.dat ++ dh_auto_configure -- \ ++ --sysconfdir=/etc/powerdns \ ++ --enable-reproducible \ ++ --enable-unit-tests \ ++ --with-lua \ ++ --enable-libsodium \ ++ --with-protobuf=yes \ ++ $(CONFIGURE_ARGS) ++ ++override_dh_auto_install: ++ dh_auto_install ++ install -d debian/pdns-recursor/usr/share/pdns-recursor/lua-config ++ install -m 644 -t debian/pdns-recursor/usr/share/pdns-recursor/lua-config debian/lua-config/rootkeys.lua ++ install -m 644 -t debian/pdns-recursor/etc/powerdns debian/recursor.lua ++ rm -f debian/pdns-recursor/etc/powerdns/recursor.conf-dist ++ ./pdns_recursor --no-config --config | sed \ ++ -e 's!# config-dir=.*!config-dir=/etc/powerdns!' \ ++ -e 's!# include-dir=.*!&\ninclude-dir=/etc/powerdns/recursor.d!' \ ++ -e 's!# local-address=.*!local-address=127.0.0.1!' \ ++ -e 's!# lua-config-file=.*!lua-config-file=/etc/powerdns/recursor.lua!' \ ++ -e 's!# quiet=.*!quiet=yes!' \ ++ -e 's!# setgid=.*!setgid=pdns!' \ ++ -e 's!# setuid=.*!setuid=pdns!' \ ++ -e 's!# hint-file=.*!&\nhint-file=/usr/share/dns/root.hints!' \ ++ -e 's!# security-poll-suffix=.*!&\nsecurity-poll-suffix=!' \ ++ > debian/pdns-recursor/etc/powerdns/recursor.conf ++ ++override_dh_auto_test: ++ dh_auto_test ++ -cat testrunner.log ++ ++override_dh_installinit: ++ dh_installinit --error-handler=initscript_error ++ ++override_dh_gencontrol: ++ dh_gencontrol -- $(SUBSTVARS) diff --cc debian/source/format index 0000000,0000000..163aaf8 new file mode 100644 --- /dev/null +++ b/debian/source/format @@@ -1,0 -1,0 +1,1 @@@ ++3.0 (quilt) diff --cc debian/source/lintian-overrides index 0000000,0000000..700fed0 new file mode 100644 --- /dev/null +++ b/debian/source/lintian-overrides @@@ -1,0 -1,0 +1,2 @@@ ++# Source is in html/js/d3.js ++pdns-recursor source: source-is-missing html/js/d3.v3.js line length is 32005 characters (>512) diff --cc debian/tests/control index 0000000,0000000..a0a6fc4 new file mode 100644 --- /dev/null +++ b/debian/tests/control @@@ -1,0 -1,0 +1,3 @@@ ++Tests: smoke ++Depends: @, dnsutils ++Restrictions: needs-root diff --cc debian/tests/smoke index 0000000,0000000..7970733 new file mode 100755 --- /dev/null +++ b/debian/tests/smoke @@@ -1,0 -1,0 +1,31 @@@ ++#!/bin/bash ++exec 2>&1 ++set -ex ++ ++cat <>/etc/powerdns/recursor.conf ++auth-zones=example.org=/etc/powerdns/example.org.zone ++EOF ++ ++cat </etc/powerdns/example.org.zone ++example.org. 172800 IN SOA ns1.example.org. dns.example.org. 1 10800 3600 604800 3600 ++example.org. 172800 IN NS ns1.example.org. ++smoke.example.org. 172800 IN A 127.0.0.123 ++EOF ++ ++service pdns-recursor restart ++ ++TMPFILE=$(mktemp) ++cleanup() { ++ rm -f "$TMPFILE" ++} ++trap cleanup EXIT ++ ++dig @127.0.0.1 smoke.example.org 2>&1 | tee "$TMPFILE" ++ ++if grep -c '127\.0\.0\.123' "$TMPFILE"; then ++ echo success ++else ++ echo smoke could not be resolved ++ exit 1 ++fi ++ diff --cc debian/upstream/signing-key.asc index 0000000,0000000..3d84016 new file mode 100644 --- /dev/null +++ b/debian/upstream/signing-key.asc @@@ -1,0 -1,0 +1,165 @@@ ++-----BEGIN PGP PUBLIC KEY BLOCK----- ++ ++mQINBFT0b7IBEADHlzJvds1NqKEDhOAG0IWGN4J/jBvO5dPPFqwDJaU32x+4wTw0 ++OOxCcgFYdzWPl17nFwjC8yeXvbACCZNz62Kg5o1lWA6Mdx8eazCiGOuTdUbndZDB ++lrIEAs1OUZmqxTSydDnaRNCtLTE2o0t4MaidczjinUn2RkvrtvlCsi1HpQdO5mUT ++r/bmp7v4mvCP5vERuY2+qVc1KbqFltCeV0KAOpr1kRGyQ4D9LFloFkr7ftF0ba3B ++0fbInu2uMp46MC+jPok5uEoT66l+U7sZsCUkHH02Y6s/uXJ6ack84/phtv4xwRER ++lpC97Md+7N7qIYVrdhGVbsiHFEDIoBrLAqfdteivoocguLRI/EUn26J9+bezhmCZ ++UUu1f62iJuBnWCwjpELNMlCIpWugHAucaUZx1xyF71DR65NZwMs+TxBEf+gYlvrz ++Dm6J8fhkfKFH6PtrjIOC0mCsfqOY4FgRYknTZd4ECufkbMKXRX88qvYGX+Fr1Tgn ++QR9GChEPIiWF9e3a5J+DljBu7tEJ0LOhnWU3ApUCTE1lQSGgrUTDQsbil+lyPVjo ++MI+rxzP4o3roDyzrFEr/rlnCv3x+0kqprSXTJqcDShVJq+GU2lmeUCy7+pF2yKCq ++hChcF5CQD4Jt+plRBPq7stxaDZdLpvUtFvLRl4LO6TJjNAGf5x2+kfvupQARAQAB ++tChQaWV0ZXIgTGV4aXMgPHBpZXRlci5sZXhpc0Bwb3dlcmRucy5jb20+iQI+BBMB ++AgAoBQJU9G+yAhsDBQkJZgGABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBe ++UHFb8v/hp0tWEADG6hcabGBjLFUacKxWdfzV8n3pC5O1wlg/vmIMGddHfI10AL9A ++R5ebm5KQhLmXW+0qhJC4Cm40X8OCg6q4u4gxo8KGHJJqodcZdtKsk2JH3kJyos7g ++VpjbFS9CU9MVMyoXBwYdW1seBTxfoqIzpWUCysFYj6RjmnLLZQXD30T0IWj+0Cyq ++zlb1UHdHm3227I0gT/qJYpOjlkYsl4iH7AJhqtDhQ7ZPn+4yNlCDAvvwA6bpczJi ++Xa/JdvMIKLnbVTPsOCweoWxTmEr1cvpHDKliPskOuA8ujpxVSOXGR948UF74qhLP ++kDczOI1EN+yqd0zwRA7xzUJHWJZZOxNuHnBf24v95AyEgX1aG0nTBjBEcTyYZzVg ++ht7BD/lj0+W3gyssHFl+JDh6ZoS98EcSW2cxLrAOyF8nnm9gFn7CQXTLTOVK9ruM ++lvQ6vbjRQ7176OJkF6jNGj5qSjeSK0s0wU//Wyr7uojiPiQYhGPwOcAskq6iLI6n ++ieVmnOnTwnDbMS1danRFTFdnoPOgP5W8pj4kIOcScxekUhcJlaW8nuxxanCky8G2 ++SR83+OgqYBcitFrmr6fdDca69KE2h8X5wB5Uw3VzMm5t2e8JRFxINoUoea60ymH4 ++4LaCCUZAo2kYeNI0ZCDNGC8ebkeTwZOoQM44pP+7GL4BuV7j62ty+mPFxrkCDQRU ++9G+yARAAo3nHYN3tSBd8wTGnRWxWoe2UjxSuGPEPjjG3ortE81z+ua0Vw0IufeY3 ++SHEGOv+4AdSILqgtB1lKPzbOxhZzZ1m6wGqFVqS4x14DCfYanciBIJbqCRAh+d3d ++GO96IvjwaGFFOc9rR4uwIoiXPajBuJvatj+8VK56gqphjuKVPZxSUxVAKHX/4qDZ ++PRHZnIi5hVJu15BzbVHClUBlhEe74nXnVi1tX4RwM4SNYWJDfOWXyFC361TWQZ9V ++Py+J68uz+xztCEMaCuzzrOmqcVOCcgExMr7J42FPlDggz10SChwGeI6BJxYchz8l ++EYHTC8UG9LNYZ20xAvrM76m/ZAtKwmp9RkW+v1XlvXkYtQqAaR7UBMGOpPmIFqb3 ++H0dMPfugR+WqsqRlpzQwlnDkyDVK6LgC2+vKMYJxAKMIViGtLo1GMvjzGBdABQK4 ++y1cbtSASmjA/1rJNMLN/PcQJ21VvNW4RzdmHtjc5w3t2HyuRZFMllzuhgNbRUMPo ++6Mbevkz3E8USS0vzBv4F3JbkBNyr/o7Xqov3W7eQPqaLV+qhjfhdRicA/5kCslC5 ++Jc5XGQiGGTfTpylW0sX59sUPPW475Db0Y7jt98dCKMyK/0f7s+E9B/VXuFKDY9r0 +++KR/wWv3q4EEn66wCTA8iAfkkSIGOywkBQd6ziL4Px4qgGN1S9cAEQEAAYkCJQQY ++AQIADwUCVPRvsgIbDAUJCWYBgAAKCRBeUHFb8v/hp4PlD/9AoyzBd9MY0Ypv/v6s ++8ftjmdUukegdpqfe9ZUMQfIAgO3Z/NFIUmWTB3zHqNjd+IrSOBxIUG/to0zoELzY ++79+szKaWYx0FIOPsWm72VN9xawdoYQ/2XTU5u5Qg/O7ysc9O35QKZLHMNtFXp2PB ++PNc9eRrliyv1KhPcCubG1aBQd+psDRaoIfFt6AQSUyaMVgRZ6mbu2q7Gl4RFqVVt ++vt+iNklmlhZiD8K1G7sCF0rr/ofpLBDnVV6/OwIMV+KrD7OODes+e8oQiM+oN6MO ++0dOiKJbA0hPMMjli99d1+lBNUeUMqgF9ckNAbZnD0YdOUgv70Xu1nj9qvk8hzKzN ++f2Czf1vV+GO5aDy9/H6ZljBGjU/0YGTxY6g26sWKcjeispnbH692D2Da83GJXNFk ++aZb6WYdw+uz4SPV7kbG9nOxgFNY1c3vWWtWaz6XAgiYKeetiPRNQ/muMe8PX7Ihg ++5DzpuSMtx04PRR/FVFjN7sK3re+GZUMkJBNV2IEY6h646iTmoyYPEMOJniLWNEAf +++ZMZgFtYfejqCgVGauRmkPAIbT5x/uKXhkBxvX70i+fKbpKnixh5EsIHTDyBWGUx ++4iA7drVZG4u7xN7ryj5tW2abzNk+pvWVJFVld/T9VvZZKlr10lX4rdRkVKRXdqJz ++O0bNI8W2fVX4kYtjm5WfVpL7bJkCDQROXyaRARAA5exKafKcYORDQWOCjO1P5a8U ++YN9wTwyXGU8apwi2zQnRDkjtUxI941pdRxIdt+jZVi7x7F4K7CogdY19N+6utkCq ++6ddLa0DLDOkIhFI8JqxicYMb9g//lNjyT4evxJRYcdT6hhAtSId6U6T9WCDc31+n ++EPf3t53OuAXAU0KmANv2CL+KRzGF2az5t/fCWWz6U9KLfYIHS7pVGEkSUPXXzSWx ++qbLTDHzpANiBb35inOQU+WP2QGshe8TwRBmwTC2mbk/KvseUt/Wcs8cwjEiCQ+52 ++AIe6iNMYqLH7vGMo1zzd8dTmF5HQSs2BJPI4vcYMjWf/R5bKtyYSc7hirlyrgtxi ++n/AXDcNCR/v1Vpqvt5Hd9GvHchoAlvmCaJPs8qOdVllS3if/+bWdvxr0YWyIrwOh ++qdnMUJcJfTro+0pATUVr4wSVKzdDRdRcSqNWKvThAqtioC595dr1EVvi1LXVw22X ++J/RnGGxhyBNMXQhkEh/x/g5IJU+t60CIATdjE0OJYbp/+QAS6u7PNgQLWpIUOUvt ++4A/i8pAnLwsYBwKVdvMiSU92WfkLerjbR39suk+HiaYhPm1iaRt7owsM0Mbt8eS+ +++ozoIkWo+h3MM0+/S6Y2TM4ZytbCoQwLiT9lTSGIQF5/FBfs+eHZgUSufLfM0FaK ++fgaSQBO0DPwxQ6d7i4cAEQEAAbQsUGV0ZXIgdmFuIERpamsgPHBldGVyLnZhbi5k ++aWprQHBvd2VyZG5zLmNvbT6JAjgEEwECACIFAlTKH88CGwMGCwkIBwMCBhUIAgkK ++CwQWAgMBAh4BAheAAAoJENz1E/p+7Rnzo4YP/jbQIh/QFRk5m6XTRzclq5j8YDuV ++yrXy2fuIM+g9UKRcBTv2Dy/YjfEYc7GSQnrLSOrT/b7gT75LuzXdSBX7mZVJoNuo ++H7VE0FJkTHf5TJtuuFjmD17tdoPPj75FMF38qAHHd9pzqUjJKYhcpkTfBrU8yJuK ++joFgNvpnRVjJdMU0rir+tDIjSLMxCg/NFMQ0tm0o9XL9lQcQxcJpa8zxGv6M8QCP ++bfQsWPC7+grBH6+ch0ljpFf5qkqPuDnoHTY4kUaHjKNP21ATrZGUspI9jjUlQZ9a ++CDmELRaK1IbUcmRSySIjtdbM54EQ6kWDrJZjDC7mdpPv2/yuBPY7yb8+8rfmNwTz ++rI0bVfbT+6EiiaUzeNz0502yjDNkaVUzd2z7X4WdfokLm5NMth9l2ijpyl+sBHY2 ++ljqAUekkc1c0s/HYDqr5HwYQP2yXIcFh58nJJO22SVzLM2n55CWc1v3lXrqKVIJM ++lnjB6epZ4KcKUqgj159dM5t2wWDUjhXQgl9kLN4QfHy4vDkBr/abopGZr3SMC9Y1 ++j9RhJJD/eMRU7b+MKoAcpMko0zAbPcxAzjhqtsdp3VCWblKaGOwBwbc5jK38Lrh8 ++MhR301aWpRN+kun+w/FAOt9bzvwRnA4/ucZwIYUwYohW8KKzYwH2bOP23ympuL+a ++2G/q4s/jiWFWtJvStC1QZXRlciB2YW4gRGlqayA8cGV0ZXIudmFuLmRpamtAbmV0 ++aGVybGFicy5ubD6JAjgEEwECACIFAk5fJpECGwMGCwkIBwMCBhUIAgkKCwQWAgMB ++Ah4BAheAAAoJENz1E/p+7RnzoQQQAJjEVUbLcBd4blXL6EW3VMqIMFbxBt4CiHRj ++sSo02+rUMWLOqZBERfynv0oufhrW3AqTO0OMoqPLWjWFNeOHOdKieBJdcXHDJPO8 ++qRUpbcYh5CXr54X09d5WZU8sGipnd8wxO68J8g+5vux3xscEaZTwWZTwyelWA77O ++xJm6WlPPxJ+lTyIuhVC3KoBUWRwfNrxE/ij/0tkVFoIXvczbAQqB6+nApHZvtoR4 ++Wys4bzmCWuo9PUj0r3+eyjsWEB0A4Ya1bwaJOchubi/Gq99wfp71zJC8FcSMWmoG ++PRnpg6oLpkxC8YreV/16DUgiMnxUPyJAEpb+AH0MMudmp6tnUaWBs/hWnpyWPXqj ++t6wzs7X31X2oj93ANKjnSpglOgUEBKk4GTyOuBo3S+kyXD9WW977kyKVtUQf3U5E ++HUR08UA/DuEJPGDnMa9lujXM17h//iyixa0RhJXX+ZRKRwEAZqj6H8wNayF045Jd ++wMJ6TIePuymV2ltyG5E0M5l5SOc4fELNHJyHvjhi1Fb23lqBxNhvdm8+RtwtFz+Q ++tFwihP/cEBMue5lcj5Bkvwx3NERJxoPi/Qe82mLZLaMCdlP++jzvSrsVrRWkyw+i ++08T0+Dp9/V5YoEUkhSfNp1w26FtrFVqC4XpVxtjda32Ipw3aygpOqEkCxNsy3+C1 ++buzr/QK9uQINBE5fJpEBEADOFiLByCv9fv9/UGW4d++olV33ODVXRNyA/y6M8/SQ ++2p45KUnKYpMLoA8ILlcfvCXTtrU8qOiU86YmfgqGsZo7nSaVE0+3w+TjXAHdbLaR ++ylEBcCXM1Oi0l6U0AqZoVebNd6cLpsY8pikZaLcS3a/fs8RZdHuFUxW+aI+CJNsL ++urHoXCLe9wMTN/AvLJhUa0XoD0C9l56vQRPllBdssmN0zlQCuUz9jG8EE5K0zok2 ++CWXTRzZb4yKWWsRyji6srTV0pl59ZNtJ4rZsrLCM79GhAtVHZLViC/4A9Wfko6yU ++Ae/8ueg8e6OoK+idjGWXqO2ttdUy3W5Xow+mzIxmh+Ak5485pDLQwv9m/hVHN8d/ ++xpUBeIVgeImk+Ggo4ijlTUIGkMgHkU7L9QVKKn/Cw8rVtfzHWpS2BJSku+7evRxE ++PR0sre0B1N7IwBuqoLKPMlp/Hm2Ann5tZcmUj9wW72f1KaCrgfmhpV47Xml0ISES ++0QNU4Io4hgN2MNXU3M9gm+NsOFDWcOK+ecjetEA0QR+Jdcq0T5bXcgGl96hIOOFP ++2ey1NmEw1/uCS9TuGRPrJw1bEzzKbmS70RZMQixtRU12WnGUV385Rc8OmFoaZx1G ++DkTt3xoW/jyjCmBJaE8i8sI5FSxxW72j7bPenQsVsg63DDqoYIiziyaO6gvv0qvJ ++PQARAQABiQIfBBgBAgAJBQJOXyaRAhsMAAoJENz1E/p+7Rnzb9QP/3WFlfry9Y4i ++/l+L0UgqwzPGwZrf3GXzeTtItx2DzHUg/ZVa/TvlmCiaIMRF19aH4BDu+K8GcRsN ++HK6zDfFTPUoDGd44qBiNeTRdyDZwNa+dxjRoSeCVZ89CldjSrbIZOwrUsa46EfKq ++ZcGzDCAlYEyBEVT9Xp7jm9xRLW4SOK3MvtlE8N4cFEQYSH1KLVRTukirt2S7HCLW ++4jcaU6k6S+gCKfVDq2Y3KnwrhbPD/ue7rrAB3KehmIYSITSHV3+uEULO4LXS1Vu9 ++c9HYksbtyhVpa1zsdK65u0UwEJ9VTi5eFuaAT73BdmVUL3fOCO+EzLaT9DEQxYC7 ++itBxxVcg339L8e+q7m0IKJus/Go4iGujHxJne8/cYUE+T1NBQKWGOh/5Fu2qPn9o ++diCI8//kIx7mJ9AqqnI5JCwu+kQIEIx2DvTSKS/RovTviNgBc/GIzit4TqcTKxfy ++4zybcQVxhRMD+LnfocwzI8Gmuz5JXJgz1AbkgyIGzb7FTQOoJ+wJG0J+jR/gyJna ++6c4KUq9RRzG4yFqqV1mwGbZjrq8Z/X+WVzygIDL5VeE0uDWap1k+R2QirNm+T3nd ++i/swHSz+TZssya0iMlUyeyTCy3wi2lrv6rB0RrdcPOoHsIO7jD3QNSBL4412iFjY ++WClKuopPgza6tGN31LkYN+UB2j03Gm/nmQGiBDz2UqURBADq+b0jXuV5JOOq+WrJ ++JEOreZoptPiO+gtEQf1ITUTXEMDJWnnyGQ2LafrwbS7eD/Ih8yLvk32FL1CiITA8 ++FkS59v8vRRRd8Ag046cEENAsFbESXAnpv4EVXKzK/K1IlJj4ZFAId6ARv4n96CmS ++xR6kc+SSywoNkeH310z3yDq/YwCg72sX/D6YNASqBTd2lVDxNcW2fgkD/jgyGV52 ++61rU0EKqIcN+/W1CwCXIwm0MGRN4/fMQfzoC6sux519M6mB+4HLtW7lWLP5LVBlM ++iC8AJlHJf711NNPxV5Xol+rOlc78tpfxbr0N19/QDUPVhIgEL3rui0x2YWWME0uC ++PTZWKe9+RJEQOPA/RPoDb9v8XMzcDx3RVAVyBACDUeqNJ6Z8e+mcXjC6DRBvg4jt ++0bd1k0/FN/a6GxrpdpglU8XSBErJhB5rvxfVhVwYrO8M4uyTx/2a29ssRCFAOGtI ++jr3R6J4hoRusgDTr3NRjqjKbw/2EVpN+oePu9oGIQYy/5woZRN4ftabntQkqXtjo ++IjIl2JcA0Nr81sl1obQZYmVydCBodWJlcnQgPGFodUBkczlhLm5sPohfBBMRAgAX ++BQI89lKlBQsHCgMEAxUDAgMWAgECF4AAEgkQHF7pkNLnFXUHZUdQRwABASq1AKDk ++dusIoMiNKktSMWfCbg/oMJcmYwCg38laBCCqB2Oudv6+OebHWSMHrNi0JWJlcnQg ++aHViZXJ0IChmb3gpIDxodWJlcnRAZm94LWl0LmNvbT6ISQQwEQIACQUCVA/k0wId ++IAAKCRAcXumQ0ucVdWFPAKC9315eBt4gCqWUfUj6EfaexeTj/ACgnv7tMyoH4Nv7 ++jK1BG4JQ0S7Fewe0JmJlcnQgaHViZXJ0IDxiZXJ0Lmh1YmVydEBuZXRzY291dC5j ++b20+iEkEMBECAAkFAlQP5PICHSAACgkQHF7pkNLnFXWhrgCg3bm+cERc+F75j2Da ++MhdStYhcCoMAoLzC6QFrVqICjXAWt7LUhRetEb+LtDNiZXJ0IGh1YmVydCAoY29y ++cG9yYXRlKSA8YmVydC5odWJlcnRAbmV0aGVybGFicy5ubD6IXwQTEQIAFwUCQoys ++wgULBwoDBAMVAwIDFgIBAheAABIJEBxe6ZDS5xV1B2VHUEcAAQFGrgCg4ZgRb7G4 ++H15PKPfOJX6C9PD0wEIAn3HjAg1fNN9WP8vP9UnlbiH08FEZtDFiZXJ0IGh1YmVy ++dCAocG93ZXJkbnMpIDxiZXJ0Lmh1YmVydEBwb3dlcmRucy5jb20+iGIEExECACIF ++Ald/SwoCGyMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEBxe6ZDS5xV1BKEA ++nikLxRY1dyV+u+r9ImnaY7AmZ+x6AJ9GWMGzivQldWwZYPYYh7f3TTE0+bkBDQQ8 ++9lKoEAQAvChVI1iQYngKQtFxxelx4Uv+10B/HaIn4Obk2LqJrbc6yS+zatqOBl0p ++M7jOTRRZp549P7U72jApCW2/bKzdcQNJlJRV7FIe5E1qZNf84AsKBHqphe/7FxHY ++ypekmcvAiZG1B5cmQDEW+ebIBqrPBolNFYUjgDaPMZz0Nr5xoyMAAwYD/jfkkn6j ++JwMSZPUHMuVGBTQlCQ3+b70XClBV5uN0UIKyWx7dRtZD7vuf+NqblygnRlsAsEuh ++99ggWKOL7zUjcXJKtHWrMhjhVtPg/4we19rOY7Z9/n8Jc427dTffAX84CHLuuSEZ ++omYQ1uds9DMMayRSiO5BOOXqeP9ItLElyHb4iE4EGBECAAYFAjz2UqgAEgkQHF7p ++kNLnFXUHZUdQRwABARDzAKDK/3G2YXuVXtDDiPe599ncuzJEPwCg471sTokR9Dn3 ++3H9ZFpjspd5Z+dGZAQ0EWOzWBQEIALuqBv3556Glk00Hu866hDtDEOtLeyVXOJA8 ++ySsKYIwacAHzaTa2whLLzfx3XdwBWKtly1o3hlduwfwL1l3aMh4zamHFgl58a+P6 ++fGTlPEEehi+1silIT3QPbqxzOowiwe93UVkJiTqhapGbFDmnguiLZYTWhgAuGYRr ++EpvtNmnJU+6TrDTO8DH834uoYTESqs+fuOVw6Ab84th+Qucq1LB3yKsHhyq7m0en ++81a22xVXIl5+CKZts7pH8bRTTSMn6eo97k1KJ2E15hoRnnrshlduxhzbRjrx1wfq ++OZ0mVzuNHSJYlGvUKnbtNTatOZXRfUAlqMqcsYkXz8t3QLz/cuUAEQEAAbQtV2lu ++a2VscywgRXJpayA8ZXJpay53aW5rZWxzQG9wZW4teGNoYW5nZS5jb20+iQExBBMB ++AgAbBQJY7NYFAhsDBAsJCAcGFQoJCAsCBQkSzAMAAAoJEG/8M0ObDQTfcIcH/32n ++9IqQwvOqh+rNjl3vHn3on4MdUebEIIg3QkhGtBb912Rdbvqp2lJxLDtgI1EolYbm ++ab1HRRBXh0x4ErGt2yJSruyQrTPp6RKX/dP7tAghTPHtiZ5JK/KjhvuBgjbZ4xiy ++3ge/ZVJoEOuxzPfZlK+MOz75RqT7eH4mBvfB4oBr67OTfAzbYQOGRXNSsRzhHr9x ++CGXk1zlNHheyXrwpPm9wD2RahRPRXscagv+HKI7W8taDLY500C3iX7ux3VfzJcy0 ++ub4m0ru96VFJRrdwi8O7WT7oJEZvxV/QtG7sXfo7dt+ryRAKxu3er24Hmk1S9iVh ++owEGnq/JRMOIg1ioRj25AQ0EWOzWBQEIAJ+8XbWUGbMEpYf0gEfnxznD6WxBf3j4 ++E2GWiqfGYHd5rQPMErrk0DXmxCwSWjJf0+96KNvJ4wrQ/G5gAUj7R7OChXWFt/KZ ++eaEBCJQd0de41pjBQ7+kVb8cRTBt3gCLWC0xEkbYn7jk9T/Rqm7fOkkmt8x2i5+j ++k83M+lteR1aFbwIIA9dMuG5lm5jz+a1Hu6fK65A2V8lsBacp3+D3NNXIwl19UEh7 ++u1H6Pg1R67BuePT2iKo/TYyLrfD/G4pLr8HoU19wXEkJq4S/yzoYr9oABZ3spTSa ++fNoVYaxqmerpBHSC5EY/D1t2QfR0C6pUVOVjxaGjYNoaajd0kA4BXqcAEQEAAYkB ++MQQYAQIAGwUCWOzWBQIbDAQLCQgHBhUKCQgLAgUJEswDAAAKCRBv/DNDmw0E3+Da ++CACIyXcUOmgyGqFXmRXC8MVzc5NcKEE6amh13Cwb75xjmXI9p2nvcklCiIAF4MrJ ++JqR22Hkok0SqlcrUb5vjJw2/CZ4PNdbWM1PaB7AyKmiqvM4lpFfH2hR1U1miQZdM ++8V1CXmzOH6DGwuZNU3jUNyYvEbidIxBcJT282Zp/jC9hZFGLL7VL1he0hUvF3WyD ++mQo9RSe0xNrLCTNN+HE2VaTEk7L0dAcVS/NbOv0BJkdB0LqlHGOAE5ahv/iUxO/6 ++FCpxjtb6qfCQwUQXjRrMSTSwdSTTlKA015yy44aEXfRnMH9zOPKYbZeJMFOCsfc8 ++fU3LLuacV5Kv6l4aJyRYJaN/ ++=z55N ++-----END PGP PUBLIC KEY BLOCK----- diff --cc debian/watch index 0000000,0000000..cf54c28 new file mode 100644 --- /dev/null +++ b/debian/watch @@@ -1,0 -1,0 +1,3 @@@ ++# Site Directory Pattern Version Script ++version=3 ++opts="pgpsigurlmangle=s/$/.asc/,versionmangle=s/-(alpha|beta|rc)/~$1/" https://downloads.powerdns.com/releases/ pdns-recursor-(4\.1\..*)\.tar\.bz2 debian uupdate