all messages for Guix-related lists mirrored at yhetil.org
* [bug#30748] [PATCH] gnu: Add nsd.
@ 2018-03-08  8:20 Tobias Geerinckx-Rice
  2018-03-10  9:18 ` Marius Bakke
  2018-10-04 19:38 ` bug#30748: " Tobias Geerinckx-Rice
  0 siblings, 2 replies; 6+ messages in thread
From: Tobias Geerinckx-Rice @ 2018-03-08  8:20 UTC (permalink / raw)
  To: 30748

* gnu/packages/dns.scm (nsd): New public variable.
---

Guix,

Have this two-year-old patch I found.

Kind regards,

T G-R

 gnu/packages/dns.scm | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)

diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
index b0f6ddaec..b0649dc53 100644
--- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@@ -573,3 +573,71 @@ synthesis, and on-the-fly re-configuration.")
       license:lgpl2.0+              ; parts of scr/contrib/ucw
       license:public-domain         ; src/contrib/fnv and possibly murmurhash3
       license:gpl3+))))             ; everything else
+
+(define-public nsd
+  (package
+    (name "nsd")
+    (version "4.1.20")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "https://www.nlnetlabs.nl/downloads/"
+                           name "/" name "-" version ".tar.gz"))
+       (sha256
+        (base32
+         "04zph9zli3a0zx1sfphwbxx6f8whdxcjai6w0k7a565vgcfzd5wa"))))
+    (build-system gnu-build-system)
+    (inputs
+     `(("libevent" ,libevent)
+       ("openssl" ,openssl)))
+    (arguments
+     `(#:configure-flags
+       (list "--enable-pie"             ; fully benefit from ASLR
+             "--enable-ratelimit"
+             "--enable-recvmmsg"
+             "--enable-relro-now"       ; protect GOT and .dtor areas
+             "--disable-radix-tree"
+             (string-append "--with-libevent="
+                            (assoc-ref %build-inputs "libevent"))
+             (string-append "--with-ssl="
+                            (assoc-ref %build-inputs "openssl"))
+             "--with-configdir=/etc"
+             "--with-nsd_conf_file=/etc/nsd/nsd.conf"
+             "--with-logfile=/var/log/nsd.log"
+             "--with-pidfile=/var/db/nsd/nsd.pid"
+             "--with-dbfile=/var/db/nsd/nsd.db"
+             "--with-zonesdir=/etc/nsd"
+             "--with-xfrdfile=/var/db/nsd/xfrd.state"
+             "--with-zonelistfile=/var/db/nsd/zone.list")
+       #:phases
+       (modify-phases %standard-phases
+         (add-before 'configure 'patch-installation-paths
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let* ((out (assoc-ref outputs "out"))
+                    (doc (string-append out "/share/doc/" ,name "-" ,version)))
+               (substitute* "Makefile.in"
+                 (((string-append ".*\\$\\(DESTDIR\\)\\$\\("
+                                  "(config|pid|xfr|db)dir"
+                                  "\\).*"))
+                  "")
+                 (("\\$\\(nsdconfigfile\\)\\.sample")
+                  (string-append doc "/examples/$(nsdconfigfile).sample")))
+               #t))))
+       #:tests? #f))                    ; no tests
+    (home-page "https://www.nlnetlabs.nl/projects/nsd/")
+    (synopsis "Authoritative DNS name server")
+    (description "@dfn{NSD}, short for Name Server Daemon, is an authoritative
+name server for the Domain Name System (@dfn{DNS}).  It aims to be a fast and
+RFC-compliant nameserver.
+
+NSD uses zone information compiled via @command{zonec} into a binary database
+file (@file{nsd.db}).  This allows fast startup of the name service daemon and
+allows syntax-structural errors in zone files to be flagged at compile time,
+before being made available to NSD service itself.  However, most traditional
+BIND-style zone files can be directly imported into NSD without modification.
+
+The collection of programs and processes that make up NSD are designed so that
+the daemon itself runs as a non-privileged user and can be easily configured to
+run in a @code{chroot} jail, thus making any security flaws in NSD less likely
+to result in system-wide compromise.")
+    (license (list license:bsd-3))))
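Review bot: The first pattern in the patch-installation-paths phase is wrapped in ".*" on both sides and replaced with "", so every Makefile.in line that mentions $(DESTDIR)$(configdir), $(DESTDIR)$(piddir), $(DESTDIR)$(xfrdir) or $(DESTDIR)$(dbdir) is deleted whole, and nothing in the phase says which lines that is meant to hit or why. Please add a comment stating the intent (presumably keeping the install target away from the /etc and /var/db paths set in #:configure-flags, which lie outside the output) and consider tightening the match to the exact command being dropped, so that a later upstream line that installs a file into one of these directories is not silently removed as well. Minor: "--disable-radix-tree" turns a feature off without a comment saying why, and (license (list license:bsd-3)) can be written as license:bsd-3 since there is only one licence.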
-- 
2.15.1

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* [bug#30748] [PATCH] gnu: Add nsd.
  2018-03-08  8:20 [bug#30748] [PATCH] gnu: Add nsd Tobias Geerinckx-Rice
@ 2018-03-10  9:18 ` Marius Bakke
  2018-03-12 21:03   ` Danny Milosavljevic
  2018-03-13  2:06   ` Tobias Geerinckx-Rice
  2018-10-04 19:38 ` bug#30748: " Tobias Geerinckx-Rice
  1 sibling, 2 replies; 6+ messages in thread
From: Marius Bakke @ 2018-03-10  9:18 UTC (permalink / raw)
  To: Tobias Geerinckx-Rice, 30748

Tobias Geerinckx-Rice <me@tobias.gr> writes:

> * gnu/packages/dns.scm (nsd): New public variable.

[...]

> +         (add-before 'configure 'patch-installation-paths
> +           (lambda* (#:key outputs #:allow-other-keys)
> +             (let* ((out (assoc-ref outputs "out"))
> +                    (doc (string-append out "/share/doc/" ,name "-" ,version)))
> +               (substitute* "Makefile.in"
> +                 (((string-append ".*\\$\\(DESTDIR\\)\\$\\("
> +                                  "(config|pid|xfr|db)dir"
> +                                  "\\).*"))
> +                  "")

Can you add a comment about what's going on here?  Would setting
DESTDIR=(assoc-ref %outputs "out") in #:make-flags suffice?

Apart from that LGTM.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [bug#30748] [PATCH] gnu: Add nsd.
  2018-03-10  9:18 ` Marius Bakke
@ 2018-03-12 21:03   ` Danny Milosavljevic
  2018-03-12 21:35     ` Tobias Geerinckx-Rice
  2018-03-13  2:06   ` Tobias Geerinckx-Rice
  1 sibling, 1 reply; 6+ messages in thread
From: Danny Milosavljevic @ 2018-03-12 21:03 UTC (permalink / raw)
  To: Marius Bakke, Tobias Geerinckx-Rice; +Cc: 30748

Hi Marius,
Hi Tobias,

> > +         (add-before 'configure 'patch-installation-paths
> > +           (lambda* (#:key outputs #:allow-other-keys)
> > +             (let* ((out (assoc-ref outputs "out"))
> > +                    (doc (string-append out "/share/doc/" ,name "-" ,version)))
> > +               (substitute* "Makefile.in"
> > +                 (((string-append ".*\\$\\(DESTDIR\\)\\$\\("
> > +                                  "(config|pid|xfr|db)dir"
> > +                                  "\\).*"))
> > +                  "")  
> 
> Can you add a comment about what's going on here?

I agree... I'm scratching my head here. The ".*" is particularly worrying.
Doesn't that mean it will replace all the installation lines by nothing in the end?

Does that install anything still? :)

So now I've downloaded the source tarball and checked.

By extreme obscurity :), this only matches the "install -d" lines which are
creating empty directories (empty because of the configure-flags).

>  Would setting
> DESTDIR=(assoc-ref %outputs "out") in #:make-flags suffice?

DESTDIR is for installing into a tempdir.  After that is done the system
is supposed to "mv $tempdir /" and the software is usually written *not*
to expect DESTDIR to be still here when it runs.  PREFIX is something
else and probably what you had in mind.

^ permalink raw reply	[flat|nested] 6+ messages in thread
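
The check described in the message above (which Makefile.in lines the pattern removes) can be repeated on a sample. This is an added example, not part of the thread or of Guix: the Makefile.in fragment and the `example.zone` line are constructed, and Python's `re` stands in for the Guile regex used by `substitute*`, with a match modelled as dropping the whole line.

```python
import re

# The pattern the patch builds with string-append, written as one Python regex.
# Assumption: Python's re stands in for the Guile regex used by substitute*.
PATTERN = re.compile(r".*\$\(DESTDIR\)\$\((config|pid|xfr|db)dir\).*")

# Constructed Makefile.in fragment (not copied from the NSD tarball).
SAMPLE_MAKEFILE_IN = """\
install: all
\t$(INSTALL) -d $(DESTDIR)$(sbindir)
\t$(INSTALL) -d $(DESTDIR)$(configdir)
\t$(INSTALL) -d $(DESTDIR)$(piddir)
\t$(INSTALL) -d $(DESTDIR)$(xfrdir)
\t$(INSTALL) -d $(DESTDIR)$(dbdir)
\t$(INSTALL) -d $(DESTDIR)$(mandir)/man8
\t$(INSTALL) nsd $(DESTDIR)$(sbindir)/nsd
\t$(INSTALL_DATA) nsd.8 $(DESTDIR)$(mandir)/man8
"""

# Hypothetical line a later release could add: it installs a file, not a directory.
HYPOTHETICAL_FILE_INSTALL = (
    "\t$(INSTALL_DATA) example.zone $(DESTDIR)$(configdir)/example.zone"
)


def split_lines(text):
    """Return (kept, dropped): a line that matches PATTERN counts as deleted."""
    kept, dropped = [], []
    for line in text.splitlines():
        (dropped if PATTERN.fullmatch(line) else kept).append(line)
    return kept, dropped


def unexpected_drops(dropped):
    """Dropped lines that are not plain directory creation ('-d')."""
    return [line for line in dropped if " -d " not in line]


if __name__ == "__main__":
    kept, dropped = split_lines(SAMPLE_MAKEFILE_IN)
    print("dropped:", *dropped, sep="\n")
    print("kept:", *kept, sep="\n")
    _, future = split_lines(SAMPLE_MAKEFILE_IN + HYPOTHETICAL_FILE_INSTALL + "\n")
    print("would need review:", unexpected_drops(future))
```

Running the same split against the real Makefile.in after a version bump shows whether the phase still removes only directory-creation lines.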

* [bug#30748] [PATCH] gnu: Add nsd.
  2018-03-12 21:03   ` Danny Milosavljevic
@ 2018-03-12 21:35     ` Tobias Geerinckx-Rice
  0 siblings, 0 replies; 6+ messages in thread
From: Tobias Geerinckx-Rice @ 2018-03-12 21:35 UTC (permalink / raw)
  To: Danny Milosavljevic, Marius Bakke; +Cc: 30748

Danny,
Marius,

On 2018-03-12 22:03, Danny Milosavljevic wrote:
> Hi Marius,
> Hi Tobias,
> 
>> > +         (add-before 'configure 'patch-installation-paths
>> > +           (lambda* (#:key outputs #:allow-other-keys)
>> > +             (let* ((out (assoc-ref outputs "out"))
>> > +                    (doc (string-append out "/share/doc/" ,name "-" ,version)))
>> > +               (substitute* "Makefile.in"
>> > +                 (((string-append ".*\\$\\(DESTDIR\\)\\$\\("
>> > +                                  "(config|pid|xfr|db)dir"
>> > +                                  "\\).*"))
>> > +                  "")
>> 
>> Can you add a comment about what's going on here?
> 
> I agree... I'm scratching my head here. The ".*" is particularly 
> worrying.
> Doesn't that mean it will replace all the installation lines by
> nothing in the end?

Hmm? Well, the matching ones, yes...

I'd not call it ‘worrying’, since it does exactly what it should do, but 
you might want to have a word with 2016 Tobias about how ‘clever’ they 
think they're being.

Us less clever folks will just have to make do with a comment, indeed.

> Does that install anything still? :)
> 
> So now I've downloaded the source tarball and checked.
> 
> By extreme obscurity :), this only matches the "install -d" lines which 
> are
> creating empty directories (empty because of the configure-flags).

Obscurity by design :-)

>>  Would setting
>> DESTDIR=(assoc-ref %outputs "out") in #:make-flags suffice?
> 
> DESTDIR is for installing into a tempdir.  After that is done the 
> system
> is supposed to "mv $tempdir /" and the software is usually written 
> *not*
> to expect DESTDIR to be still here when it runs.  PREFIX is something
> else and probably what you had in mind.

Correct. DESTDIR is never the answer (unless, of course, it is).

Now, I think we can pretty safely credit my past self with knowing about 
PREFIX, so I suspect it wasn't as easy as just setting that. Or it's 
used incorrectly to look up data at run time, as some packages are wont 
to do, or something like that. I'll take a look when I get home; with 
extreme luck the problem I was solving there is no longer an issue in 
the current release.

Kind regards,

T G-R

Sent from a Web browser. Excuse or enjoy my brevity.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [bug#30748] [PATCH] gnu: Add nsd.
  2018-03-10  9:18 ` Marius Bakke
  2018-03-12 21:03   ` Danny Milosavljevic
@ 2018-03-13  2:06   ` Tobias Geerinckx-Rice
  1 sibling, 0 replies; 6+ messages in thread
From: Tobias Geerinckx-Rice @ 2018-03-13  2:06 UTC (permalink / raw)
  To: Marius Bakke, dannym; +Cc: 30748

Marius,
Danny,

So...

On 2018-03-10 10:18, Marius Bakke wrote:
> Tobias Geerinckx-Rice <me@tobias.gr> writes:
> 
>> * gnu/packages/dns.scm (nsd): New public variable.
> 
> [...]
> 
>> +         (add-before 'configure 'patch-installation-paths
>> +           (lambda* (#:key outputs #:allow-other-keys)
>> +             (let* ((out (assoc-ref outputs "out"))
>> +                    (doc (string-append out "/share/doc/" ,name "-" 
>> ,version)))
>> +               (substitute* "Makefile.in"
>> +                 (((string-append ".*\\$\\(DESTDIR\\)\\$\\("
>> +                                  "(config|pid|xfr|db)dir"
>> +                                  "\\).*"))
>> +                  "")

It's just a Makefile being very stupid. How boring :-(

It tries to create run-time systemy things like `dirname $pidfile` (from 
#:configure-flags), which it has no business doing, so we ask it not to 
by politely shooting it in the head.

> Can you add a comment about what's going on here?

Sure. If anyone has a cleaner fix or regex to match I'll gladly take it, 
but I'm done staring at metamake. Otherwise a comment paraphrasing the 
above will have to do.

T G-R

Sent from a Web browser. Excuse or enjoy my brevity.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* bug#30748: [PATCH] gnu: Add nsd.
  2018-03-08  8:20 [bug#30748] [PATCH] gnu: Add nsd Tobias Geerinckx-Rice
  2018-03-10  9:18 ` Marius Bakke
@ 2018-10-04 19:38 ` Tobias Geerinckx-Rice
  1 sibling, 0 replies; 6+ messages in thread
From: Tobias Geerinckx-Rice @ 2018-10-04 19:38 UTC (permalink / raw)
  To: 30748-done

Guix,

I've pushed an updated NSD as 
7382ecd81859de878b22a6510b8262abe69d38bf. We're now one server 
(PowerDNS) away from having all major name servers in Guix, though 
not all have services.

Thanks for the reviews, Marius & Danny! I never understood what's 
obscure about the regex, but I tried to make it a bit more 
self-explanatory.

Kind regards,

T G-R

^ permalink raw reply	[flat|nested] 6+ messages in thread
