authorFranz Pletz <fpletz@fnordicwalking.de>2017-06-16 05:11:56 +0200
committerFranz Pletz <fpletz@fnordicwalking.de>2017-07-12 09:45:25 +0200
commit3bb9954a6bb977f3e33f766ae5df926495ef7bc4 (patch)
treea75fb87e872511106d1d99d0b467c220a6084957 /pkgs
parentf5a7ce13174f04b94f807f731915029c1d7739df (diff)
dns-root-data: init at 2017-06-16
Diffstat (limited to 'pkgs')
-rw-r--r--pkgs/data/misc/dns-root-data/default.nix29
-rw-r--r--pkgs/data/misc/dns-root-data/root.ds3
-rw-r--r--pkgs/data/misc/dns-root-data/root.key2
-rwxr-xr-xpkgs/data/misc/dns-root-data/update-root-key.sh9
-rw-r--r--pkgs/development/libraries/gnutls/generic.nix4
-rw-r--r--pkgs/development/libraries/ldns/default.nix9
-rw-r--r--pkgs/tools/networking/unbound/default.nix3
-rw-r--r--pkgs/top-level/all-packages.nix2
8 files changed, 57 insertions, 4 deletions
diff --git a/pkgs/data/misc/dns-root-data/default.nix b/pkgs/data/misc/dns-root-data/default.nix
new file mode 100644
index 00000000000..ec0d9c83ad5
--- /dev/null
+++ b/pkgs/data/misc/dns-root-data/default.nix
@@ -0,0 +1,29 @@
+{ stdenv, lib, fetchurl }:
+
+let
+
+  rootHints = fetchurl {
+    url = "http://www.internic.net/domain/named.root";
+    sha256 = "1zf3ydn44z70gq1kd95lvk9cp68xlbl8vqpswqlhd30qafx6v6d1";
+  };
+
+  rootKey = ./root.key;
+  rootDs = ./root.ds;
+
+in
+
+stdenv.mkDerivation {
+  name = "dns-root-data-2017-07-11";
+
+  buildCommand = ''
+    mkdir $out
+    cp ${rootHints} $out/root.hints
+    cp ${rootKey} $out/root.key
+    cp ${rootDs} $out/root.ds
+  '';
+
+  meta = with lib; {
+    description = "DNS root data including root zone and DNSSEC key";
+    maintainers = with maintainers; [ fpletz ];
+  };
+}
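Review bot: `rootHints` pins a sha256 against `http://www.internic.net/domain/named.root`, a URL that is not versioned and whose content presumably changes in place, so the fixed-output fetch will fail once upstream publishes a new file. The hash still protects integrity over plain HTTP, but update-root-key.sh in this commit refreshes only root.key and root.ds, never this hash. I would add a comment above the fetch such as `# named.root is replaced in place upstream; bump sha256 together with root.key and root.ds`. The derivation name says `2017-07-11` while the commit title says 2017-06-16, and the description mentions the "root zone" although only the hints file is shipped; `description = "DNS root hints and DNSSEC trust anchors";` would match the contents.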
diff --git a/pkgs/data/misc/dns-root-data/root.ds b/pkgs/data/misc/dns-root-data/root.ds
new file mode 100644
index 00000000000..61c5b8fcd34
--- /dev/null
+++ b/pkgs/data/misc/dns-root-data/root.ds
@@ -0,0 +1,3 @@
+; created by unbound-anchor on Tue Jul 11 23:48:16 2017
+. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
+. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
diff --git a/pkgs/data/misc/dns-root-data/root.key b/pkgs/data/misc/dns-root-data/root.key
new file mode 100644
index 00000000000..9046cefcb71
--- /dev/null
+++ b/pkgs/data/misc/dns-root-data/root.key
@@ -0,0 +1,2 @@
+.	172800	IN	DNSKEY	257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=1 [ ADDPEND ]
+.	172800	IN	DNSKEY	257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [  VALID  ]
diff --git a/pkgs/data/misc/dns-root-data/update-root-key.sh b/pkgs/data/misc/dns-root-data/update-root-key.sh
new file mode 100755
index 00000000000..5db179621a7
--- /dev/null
+++ b/pkgs/data/misc/dns-root-data/update-root-key.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p busybox unbound
+
+TMP=`mktemp`
+unbound-anchor -a $TMP
+grep -Ev "^($$|;)" $TMP | sed -e 's/ ;;count=.*//' > root.key
+rm $TMP
+
+unbound-anchor -F -a root.ds
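Review bot: In the `grep` line, `$$` inside double quotes expands to the shell's PID, so the pattern becomes `^(<pid>|;)` and no longer drops empty lines; single quotes with one `$` give the intended filter: `grep -Ev '^($|;)' "$TMP" | sed -e 's/ ;;count=.*//' > root.key`. The redirect truncates root.key before anything is known about the result, so a failed `unbound-anchor` run leaves an empty trust anchor file in the tree; writing to a second temporary file and moving it over root.key only when it is non-empty would avoid that. `$TMP` should be quoted in the `unbound-anchor` and `rm` lines as well. The script also writes to the current directory, so a header comment saying it must be run from pkgs/data/misc/dns-root-data would help.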
diff --git a/pkgs/development/libraries/gnutls/generic.nix b/pkgs/development/libraries/gnutls/generic.nix
index 48aa3fb9673..2a73682a746 100644
--- a/pkgs/development/libraries/gnutls/generic.nix
+++ b/pkgs/development/libraries/gnutls/generic.nix
@@ -1,6 +1,7 @@
 { lib, fetchurl, stdenv, zlib, lzo, libtasn1, nettle, pkgconfig, lzip
 , guileBindings, guile, perl, gmp, autogen, libidn, p11_kit, libiconv
 , tpmSupport ? false, trousers, which, nettools, libunistring
+, unbound, dns-root-data
 
 # Version dependent args
 , version, src, patches ? [], postPatch ? "", nativeBuildInputs ? []
@@ -32,12 +33,13 @@ stdenv.mkDerivation {
   ++ [
     "--disable-dependency-tracking"
     "--enable-fast-install"
+    "--with-unbound-root-key-file=${dns-root-data}/root.key"
   ] ++ lib.optional guileBindings
     [ "--enable-guile" "--with-guile-site-dir=\${out}/share/guile/site" ];
 
   enableParallelBuilding = true;
 
-  buildInputs = [ lzo lzip libtasn1 libidn p11_kit zlib gmp autogen libunistring ]
+  buildInputs = [ lzo lzip libtasn1 libidn p11_kit zlib gmp autogen libunistring unbound ]
     ++ lib.optional (stdenv.isFreeBSD || stdenv.isDarwin) libiconv
     ++ lib.optional (tpmSupport && stdenv.isLinux) trousers
     ++ lib.optional guileBindings guile
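Review bot: `unbound` is added to `buildInputs` unconditionally, so every gnutls consumer now pulls unbound into its closure, whereas the neighbouring optional features (`tpmSupport`, `guileBindings`) are gated behind arguments. If the DANE library is not needed everywhere, a flag in the same style would keep the default closure smaller, for example `daneSupport ? true` in the argument list with `++ lib.optional daneSupport unbound` and the `--with-unbound-root-key-file` flag under the same condition. The `buildInputs` expression continues past the end of this hunk, so the tail of the list is not visible here.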
diff --git a/pkgs/development/libraries/ldns/default.nix b/pkgs/development/libraries/ldns/default.nix
index ff63b6af25e..816b850f100 100644
--- a/pkgs/development/libraries/ldns/default.nix
+++ b/pkgs/development/libraries/ldns/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl, openssl, perl}:
+{stdenv, fetchurl, openssl, perl, dns-root-data}:
 
 stdenv.mkDerivation rec {
   pname = "ldns";
@@ -20,7 +20,12 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ perl ];
   buildInputs = [ openssl ];
 
-  configureFlags = [ "--with-ssl=${openssl.dev}" "--with-drill"];
+  configureFlags = [
+    "--with-ssl=${openssl.dev}"
+    "--with-trust-anchor=${dns-root-data}/root.key"
+    "--with-drill"
+    "--disable-gost"
+  ];
 
   postInstall = ''
     moveToOutput "bin/ldns-config" "$dev"
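Review bot: `--disable-gost` is added to `configureFlags` alongside the trust-anchor change, but nothing in the commit title or the hunk explains it, and it removes a DNSSEC algorithm from ldns and drill. A one-line comment next to the flag giving the reason would let a later maintainer judge whether it can be dropped, e.g. `# GOST disabled because <reason>`. If it is unrelated to dns-root-data, it would be easier to review as its own commit.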
diff --git a/pkgs/tools/networking/unbound/default.nix b/pkgs/tools/networking/unbound/default.nix
index 7fc5fb90173..b70fc2ced83 100644
--- a/pkgs/tools/networking/unbound/default.nix
+++ b/pkgs/tools/networking/unbound/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, openssl, nettle, expat, libevent }:
+{ stdenv, fetchurl, openssl, nettle, expat, libevent, dns-root-data }:
 
 stdenv.mkDerivation rec {
   name = "unbound-${version}";
@@ -20,6 +20,7 @@ stdenv.mkDerivation rec {
     "--localstatedir=/var"
     "--sysconfdir=/etc"
     "--sbindir=\${out}/bin"
+    "--with-rootkey-file=${dns-root-data}/root.key"
     "--enable-pie"
     "--enable-relro-now"
   ];
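Review bot: `--with-rootkey-file=${dns-root-data}/root.key` makes the compiled-in default anchor path a read-only store file, and the root.key added in this commit carries autotrust state with key 20326 still marked `ADDPEND`. Anything that falls back to this default and expects to update it (for instance `unbound-anchor` run without `-a`, or an `auto-trust-anchor-file` pointing at it) cannot write the RFC 5011 state back, so the anchor is only as fresh as the last dns-root-data update. I would add a comment on the flag along the lines of `# read-only default; services must copy this to a writable path for RFC 5011 tracking`. The same static file is baked into gnutls and ldns in this commit, so dns-root-data has to be refreshed around any root KSK rollover.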
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index c783b3cb916..3ce85d114b7 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -12807,6 +12807,8 @@ with pkgs;
 
   dina-font-pcf = callPackage ../data/fonts/dina-pcf { };
 
+  dns-root-data = callPackage ../data/misc/dns-root-data { };
+
   docbook5 = callPackage ../data/sgml+xml/schemas/docbook-5.0 { };
 
   docbook_sgml_dtd_31 = callPackage ../data/sgml+xml/schemas/sgml-dtd/docbook/3.1.nix { };