diff --git a/.gitignore b/.gitignore index 2ad282d..5ff0acf 100644 --- a/.gitignore +++ b/.gitignore @@ -89,3 +89,5 @@ unbound-1.4.5.tar.gz /unbound-1.19.3.tar.gz.asc /unbound-1.20.0.tar.gz /unbound-1.20.0.tar.gz.asc +/unbound-1.21.1.tar.gz +/unbound-1.21.1.tar.gz.asc diff --git a/Yorgos.asc b/Yorgos.asc new file mode 100644 index 0000000..e18ec55 --- /dev/null +++ b/Yorgos.asc @@ -0,0 +1,128 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFfYHeYBEAC/8SdeXNspt9ZIoZRSL9juNLHA17TXcHdKSthgWBtwwWZbUPq8 +SJr7Y+hr6jMCDKY9800QzLF0nLkyXnZgaBcvR0rRbCT/qvALJ0fpfjcotapZ1hBv +omb9s8Bo28uKn8tbTMXYNsElUae4Ch/CrU1vfe50YoyQgLR8UBa15gV+2RmC+6jI +qxDYS8sylWlDn6Qim+77feLlObPnNdzgfWGZo14eJByTsz0qrh8aS/BS1FAsnEQ6 +W6AqukhpuKuWvoAUXKjfguXQolxeexubmKaLcGOTvecw+cbh/a5SPHRtRVr9qTxp +elk6UEpakY5K9UtZkrG55VWih/4KqY9bNyhJBtpAk1fXA+mYfx5BcFpECYdU9kz4 +UgV5jK0HYRHQTLC91PPVQgH86we+Aae6TaJneCLEIzBK36TgAP8RKrvFfPUym5OP +YbWOom27QTKfRVcyxPKglJxrTSWixnKWS/pqxNY8hF9Ne4crRAF4wX2yBVbGnjNr +S9TpYmjMwURbuYm+rWZk/8w5OJG60V3wax56c0jn/42O3Y2hzQ+PbOv2M4UuuajS +2YL3/KUsRLBapUpPQjzChwzdr/vzFEhk9XxK2VGMN+dh2HjYwDFendc5csyt/cVr +g3LssVS2bKy5g3IhrzCKAk0Sky4S5t/mcN+lWztNvCijuLz58GCym5GwJQARAQAB +tCtZb3Jnb3MgVGhlc3NhbG9uaWtlZnMgPHlvcmdvc0BubG5ldGxhYnMubmw+iQJX +BBMBCABBAhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAhkBFiEElI60IyLF0At5 +NA9dz/M0TZCHpJAFAmbz0CwFCRD85cYACgkQz/M0TZCHpJBVnhAAkcd79Twxj/tt +C4q2Xpq75+Ew6YR9gLqYiV5vEd6fu0oyhuVoUlfTkjH4ALIoGIKaO9yAVUXsrGrs +n1aJPo1Mw3q6mIwtQOxXz/W44LuFzcvZkHtCYX4YyLrUHXZPvl+r4eYkTOcyyQMU +BmbuvWhufv8MBilvWltQLxfLlgihbfuIrxqjAYDhqCffpgUiZyCut2rrenIgeh1f +DvC+GjZ3cfb1UsIpzm19yr4NCiTHkLkCOAAcAUFwWWeO/jfUsSvFQEHUnYNRREzI +Lth9NlKwPtsOVi+wcNnWQtFQb11BMr407xBib7hLSIFiqvOiYgQABjZdWN+snCRP +ZZSruigjE9ateOloJwmBqrSJLAywxvDE0ivqfSj51W5eJc/JLSXvjrOuW28dJCr8 +RV9PjC9X7zuTiFLzV8SVH71Z43Rix8n7AOp3wgRe3SygEyQXPj4qbm5HHVsx9GEA +zn495L99dJ4wZgjkbEsGhzwUx7N9FHEGS/sz3LiEq+ZYckR6gzTMMrQJgbsS9lnK +9xlXsp37uIYvx9W9JZXtS+AZhw0q3osMYBF68HPX8B9GBYlkQWmWSIMfzRYcD2n1 +5+XsfERK4mxcTWl2sCYpt8Sy3tADj9nQDabAlGUd/hlFS1dvDVQjGh6ER5S0nZjY +nmRsLl8nOTKhb2xY+2p1sDjxxQYJJQe0K0dlb3JnZSBUaGVzc2Fsb25pa2VmcyA8 +Z2VvcmdlQG5sbmV0bGFicy5ubD6JAlQEEwEIAD4CGyMFCwkIBwIGFQgJCgsCBBYC +AwECHgECF4AWIQSUjrQjIsXQC3k0D13P8zRNkIekkAUCZvPQPQUJEPzlxgAKCRDP +8zRNkIekkFfCEACheY1yr2Z+LPjm/Nd2eA4CFFO7nUQHI+a6lYBd57txrRuIicuG +pGjOhnvcioRwICiKNLJD3YTU+WOd+sbO7BXH2sw2KdU9NK1ojKX/SQiTg6upfJsu +gbgar2oPvR88B7oSiuonZnhEf72HfWKDSBXHpi6KC6S3JZ+o50NB3GBpwUL1lfKW +ovymYbN6tYQfqw/+AP5jUUNpkclC0RbcW69rpvrHHqeQV1AVKkm/jNQpWLKYTGF7 +bbdLkgMh3rHp8gmF0/GuK+oyL7xD+TEXfr3iqlDIVuxbxDN8xTti1RrERU/MWQar +qOSFZcr4t+nlwThJidDLF/u3h0Ymrjz92VTfCgELIwCKxGX7jAyLZHzuWAp+0Pr/ +yuHodbweGNcGVoXmIpK93/WZcfFlBcyQLECVcijmxd7Euk0xDk76RQpuuL5VOWqn +aZcf2uNfppwKFZJjcXwK+EQbwN7+RFNvLrwoRn/1xM57T5AYBAgSvKb6h0G5KwW6 +tJfJdSu1MHfCZS1hH1Gr4+UG+VbLCVmQ9N/lUs0bcD7pK+bA1W0YnsIVuaQ+YZUh +KrJoCUF0kVDtW9ETZkp0iVBm1Q9xgTGaxUTVmctOyAbdCLyHNra4fo1BAdGlu+IP +qAcktaBUKFxWxRxf9O5kGihce9anK8CJ/TCnQ7wSvyYrlAoBoQaS78VzYYkBHAQS +AQIABgUCV9kUOAAKCRAwkY2CdXJCIju1B/oCvf1kWYndNeLS6U2O6DtFAL2Ia5tY +Zukcyqb1hkYcrBiMZbQN94gX5a+6Q4pdd2n241r1ZuSWdwUhRUbF4mvbZMVsavnk +cvrRGviVIUXf71W0O/IsmQ9oN0Finhpf14Y4z/xqF8DpvJdkWc6X5g+RJuko6q2w +B7x2UfSyF4USp47LSmUQnC59IF8jzaElgBha3gwEuXL3d2qBepoV/e9RiXJClUAT ++O7qdxzDq1eiZ+NXUjDCmrkuWjHLAZAv0jx1KUTCQ2no62UM95igtJ+Kn56Lc2+J +CqFJztaZeX8CgXXryxNpsyhZJ33dIoLCT03K25wrV5Y+eag05slQ9sC3iQI9BBMB +CAAnBQJX2RCwAhsjBQkFo5qABQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAAoJEM/z +NE2Qh6SQ3JUP/2G3bRNObS7zsfN3rjkbjLxaDOwNggRdbeXM5rHDVEG9SWesCGaI +vyQdkSGQoIaKUgNv7Yp8O8pEnD4IwdhNSaXVIB3pBtdOD0UM1wuxRpfqJOUxZEoW +T2Jr31Tg2qepp6nT7UmdiF7uCBDy8Jm6k6Q+6UT58cPaesRQdSPi6Go7ho2/xVvK +Ve9ufSTSTdG5+7bJDu6Iv7sydKUEG4jPDqo+jjVLn1X6Rfp+E4JAvOvFrSJHW5sa +A332xV40GeV+aM1ndP7dPkz8+AGB3QD7JF2DLcqvLo0TYOvjnlOGYcNp8gzp23g9 +KFwe2sdbdtVpuWaJUSpXXiUZnFzrrVxDNiEBjqsPa5ysOxzJ+1gUbcrIjUeNeAFh +us4XL+IidPATnhTIX3X/uPRB87KaTaA8XUqsuSd2DM9mLxdHKC9Jf8D1t+ywYrek +Cp+K80vCtFPWBM4+w8nGugTNKJEGIXZDGFOF/c7r6xKkaOYK0Y+IGJawlV5LaADl +BmQpPk0ubYclwb07FcegaHSxxIqUo/kbyt1YV5mU+QVymZ+xyvIBrnW8hBuNWRvU +5acnIZibCERayo8ZuI+r/X3bLHfDx0oh2h+cL3utNZUqmgZNR0Di8P+x0hUYsYPO +TJaDBSgvxUtY0Ci+OWX38kffGGvhW3CM8V6skdVc8cp7Db7gxase4BxxtC5HZW9y +Z2UgVGhlc3NhbG9uaWtlZnMgPGdlb3JnZUBvcGVubmV0bGFicy5jb20+iQJUBBMB +CAA+AhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEElI60IyLF0At5NA9dz/M0 +TZCHpJAFAmbz0D0FCRD85cYACgkQz/M0TZCHpJBnFw/8CRLGJnNAP43mBniIP5R1 +/10i4xG5s1Ka/y5C3aRgZUNaGMPLF8VmrC26HTPNhmduhn3j9gnBuSHgRAJUWs2K +o1q0A2/O5fFJvqPyEUl30gG8qkzFl5UGRUr7VNtBa6VpI7g78d3P4/H8THB0tYZ3 +GZv980QXwTE11aXjvPQu4e8sMOR1OVEEH+6hW1T0SvEKAMV1BHwuZAmC6HTfx5e7 +iGNWu/dwJsmwzqcAkuTTSqlmzZdIjZWJDL8pfnschkVilC3pEpEk5ExSkt/onOD2 +WCAKJUiPR6gRI2H6fE0PF8iG9isisvNhQ3MrWUIKS+1WOotoG7Bu7ob46viJKQuN +9t7KBqjdftjJHjmVop3mfX0UUEDPjkZXK5R/aUspXi4IGdM+9JijqxveicQegOhM +LcE8039Z0AaXn9IA0kQB05A4a+CEnoPL7qe+fIBJM5hZDrpMe4fAAGxiQzbRpdkZ +CrXmT+CRkhc/BvUJ5yoE1q++9Fw9eyMbPOak6GLckCIPy+Mqi4z+ZXNCtcPs3Qbc +/7AY8qyswRsD2t5bbe4g+fLEt9IsN3UvKFUKnQ88jcn9Zmps69msMDm9jEj/qo+j +QCriLLu8E1ZwhedNVOQN89w4Zww/BUyEnL4hng8Tw+RTV8Jtq5EvAleW5sZsnTzA +zn1ysZUyO/Pu7Br2jnGRAQyJARwEEgECAAYFAlfZFDwACgkQMJGNgnVyQiIHjAf/ +VrPMgIRjRTYi4cxOr5ewaim1hgJZO1oCJoMopwIvpZ2kAUqL/uPMT3wREe5bi79H +jXYcaX+RbrV4ZdzaajDUFCj867KGErxqtRkANJ1eNLcQmVwGNoFeTQbgEOBfKq1t +hRfMqHF3fxCPJp4z4U3kBPUpIQPERjgUdkH8fxZ34Omo1SLO1b0dVqsneezccBVv +Hj7gVoaWw65Ov7vngwNCKH3fjOkcoINTH/nEw4WWh6UV5ZN49GRqa6oWdUJMZbgB +w8z357RLN6YLe7KMh4oGpUIvfH6Vfq6CIb6s9pfgjAvq8O7p9n0/0FG77j84MuGw +fdhq8eSazO/j9LUCBM+8k4kCPQQTAQgAJwUCV9kQiwIbIwUJBaOagAULCQgHAgYV +CAkKCwIEFgIDAQIeAQIXgAAKCRDP8zRNkIekkN9pD/wI8JAyjJEIjUJNLRuARDDv +pJrQjAo/02naPcGs4yyUd7yRkhzVKLFLvif8XICxxLWk6FdT0PJeKGTvRoe2+Rje +c14rO30niRymWkBi36iDW46Dpt7Jx+LUDhUMYPL+woKSoHmbBGWLSYXKxaD8F93A +nVs97nP4PWpspv2BFiuwKGsSsOyyQPPvr7jCin3H5oPH9qDnIV0KonAYbzzEKod5 +t0Rgzo/nWXZBFXWC5xvKeghwkdT++gYS/ThvQY2ua6A1XRE8BntyldD081NPi3NO +dWa9m8ufFOJsEEiWcpdT+EWoDw5JyGAR7U3IOVl3BTo7shdcYEvRVrDMBpac+ItG +WvogUv7alBdHWi48amvZE06RI/nDJ/rxj13S/4POgMHU++aQI5a1G5H3jBu4cehH +4iT1UKmozfzVEfcHb2dsaKnnuFzQxmol0lZu1ETyof+Lxvs+wErN0QR+VDNweJEJ +PMXiEcjASdLtrEKgFSP2B5yGGzt93C+HbD+VQOU359aAnvVjbTAVz8izuMphd6Bz +Ix1q//q2VmxqjjT3Iv30hBRX02x2M8gsP/e49XWEll7stkMtbYhBU0sHQ2CqzLGh +gJN3ecpi2sKWVqN8HUZOwJFj6f9ZX76YSM23wIugHfscMAVJUXvBrbd151WIshOf +FFPo62sYGt+SEMXWeRcHjbQuWW9yZ29zIFRoZXNzYWxvbmlrZWZzIDx5b3Jnb3NA +b3Blbm5ldGxhYnMuY29tPokCVAQTAQgAPgIbIwULCQgHAgYVCAkKCwIEFgIDAQIe +AQIXgBYhBJSOtCMixdALeTQPXc/zNE2Qh6SQBQJm89A9BQkQ/OXGAAoJEM/zNE2Q +h6SQOf4QAIp5fEn+vVOqDuLrv8Li61UDVPE3v5b9ocPR7OMENeFpRH7K2p8xFkAM +f6JeS2ehbIjyUS8iGc+mZOalvZynJdOiHtys5r4lZanm1Rl+mWXb+nHGE/Oi4gQ3 +aEF/AwolbKi9oNXAiCtA3hmaI6FYWtAh5XOnyMG140dhlXMWzvN1ZAWXWioS33Fp +n9Z7xOsyG2Bmky69JjUQPD119noD4pEFtCipciiACVNdHGfI8QDT/8pMAxv/Q7tW ++7gyFztT1XvKONWyCfHjf1x60JQNPPM31x3xUVRz/sK+GyLq6VLiydvSZeUX3CzM +4bHixKKkSyvsX+bc9K/iLrXwZFhRdrRbpVQFpsdxv48mN5WsDlpN17KgMCyNiMDV +0VagYjZC5AurOo2mmS7PKAYGILaq3YwQ3nXYiuWfdXVW6EXtw/vdFOjFU6ppbaA3 +1+xyMDOLSGLr7f+gdZvlEc+5MX1F3mHpmuKN7clUju/HEOdVq1Bbla7BplPgqCaH +ZYCg/VHNt7ue7MYeEgTJ8OGgUDRNPa3PdU3YHRCuwJH1UzinD39K8R9/g9qiGJbC +87//1FGZp9lhIE5tja6F5pJ5GwJK9zC0iGj2NrwBvTKhuyF6W3ZQc2voYQn+gIq4 +sfbned7qpvpjLcMgIv/y82iVm2EtKtKYl982aA9S53pHqjV27kieuQINBFfYHeYB +EAC2h9yjSe2SgtcB0H+E0ndaewaZaQCE7q+RO43dotGH9eFnVwE4/ftcK1SN42ih +lF5OnTaKPyXvgQ6U8W8VB8eLjeTwA/dSXuJX7kJpEK8saPqJP6zTUmPqp/GSzS6Y +rhKLfpFn4chmywpDFcGNMz0sYXiJgPqKL7W0KuG+ziPToAeWl8ckeXyl77/lHVhW +YylaQJEASklqCViPXSp9vI7/57UEm4MQPXwsDBOwuVVqcSu3ZM5MtY9XlbVPNCYm +ZIMqmh8HgYwbiq9dTfJi+6v17+uDQGZewWK/WwFM+9dDx7YkTeOBiUduYtJPW64N +W/RJ7pskbLAy+OZApTZWg0cISN6GOmPN3F0AiWzUjvSMREHhFHyxj4Y15vuDOFvP +GFxr4xBiyMX1JLCKK6OFnyPfoJ9v/o3UgrQgLrfXCmKdvkwBCgJvN3Fsxzha6Dtf +6RcZ02fr7SCZZhdBrlrflvC1uWZ0g3A87ss7h4Iw3njlO3aX6Bo9R4VOLUkiRKi4 +hmQBxPvXxI2ERmKRomo6lrMaDMzIjD4APSM1vUfZguzQxVYpM8lwy1COeqxsj5p+ +LH6f/EU+4dXZwooJ1uanBOvG2ntnz8SErE+e7wNYE4a/fb8xYM4j7p6qYtnNZPb8 +sj8bvx8iWXp4A1csVetyVSchBhTVQhhNos6ouYpc4ibrYwARAQABiQI8BBgBCAAm +AhsMFiEElI60IyLF0At5NA9dz/M0TZCHpJAFAmbz0dUFCRD8528ACgkQz/M0TZCH +pJA7hg/7Bh0jb7nrp2EuU4BWK55VG+3zbrye/NdDy6eo3sVVOOO1r+jBMoJK3m1A +GWUx40ogZjRn8GMtJfxkL6wsep2P775smm7x1TH6s2dgreTj9J66gitKEgxF0tjo +JztmGJ8YKSGE4wKi37KvvSqCm1ecA8akBzJVo0B8/GtXpg+y/q3/KSY1ujW7Ihu3 +60JXT1FRXOiYfrzUKIBm8/UVnv7guPudaJf0eU4btoy4Ywzn1UXyi8BdxPIQrQDR +tt69ffcjX8BIEloK7FURLre/LhbVxlssdWYIEFQhIlb+nghZlUbWHf0Ue3L0SFFS +xV5otzQL2WjJKtCnTpSopSUmwYyT7wyAL1RokOemXL47WOfiLjiGuS+K/4lT7VHS +fdLsYinS0LYr5dmhc05s//kLyQ0OSKNh3SNAN+lM/klLE/pFwM4mo56C+seNEvCm +sT53VPOOwp6JwsLKSqm8pu1fbVjT6laMc9BPi6KUjN/f7ZahCXNXOrA2uLnTlxw/ +ns1sOXSWZDWciZeL3kJeUQER5YZ59hzLYWAiJ+5KblWRlBMXb71FUp0Mh9V3dA5O +BX3IlcF54qE50chGzLnfQf1YLuh13xxxc2WsdMZjiCj8CVDMkD6ekShfQK8nyQsK +SJgdXcnw1CxcAVvsROtecUiD+DWrJcYExjSZ+zcI4+aRhp7uNt8= +=iknu +-----END PGP PUBLIC KEY BLOCK----- diff --git a/fedora-defaults.conf b/fedora-defaults.conf new file mode 100644 index 0000000..5fee76f --- /dev/null +++ b/fedora-defaults.conf @@ -0,0 +1,226 @@ +# Fedora distribution defaults + +server: + # verbosity number, 0 is least verbose. 1 is default. + verbosity: 1 + + # print statistics to the log (for every thread) every N seconds. + # Set to "" or 0 to disable. Default is disabled. + # Needs to be disabled for munin plugin + statistics-interval: 0 + + # enable cumulative statistics, without clearing them after printing. + # Needs to be disabled for munin plugin + statistics-cumulative: no + + # enable extended statistics (query types, answer codes, status) + # Needs to be enabled for munin plugin + extended-statistics: yes + + # number of threads to create. 1 disables threading. + # num-threads: 1 + num-threads: 4 + + # specify the interfaces to answer queries from by ip-address. + # The default is to listen to localhost (127.0.0.1 and ::1). + # specify 0.0.0.0 and ::0 to bind to all available interfaces. + # specify every interface[@port] on a new 'interface:' labelled line. + # The listen interfaces are not changed on reload, only on restart. + # interface: 0.0.0.0 + # interface: ::0 + # interface: 192.0.2.153 + # interface: 192.0.2.154 + # interface: 192.0.2.154@5003 + # interface: 2001:DB8::5 + # interface: eth0@5003 + # + # for dns over tls and raw dns over port 80 + # interface: 0.0.0.0@443 + # interface: ::0@443 + # interface: 0.0.0.0@80 + # interface: ::0@80 + + # enable this feature to copy the source address of queries to reply. + # Socket options are not supported on all platforms. experimental. + # interface-automatic: yes + # + # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0 + # NOTE: Disabled per Fedora policy not to listen to * on default install + # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled + interface-automatic: no + + # permit Unbound to use this port number or port range for + # making outgoing queries, using an outgoing interface. + # Only ephemeral ports are allowed by SElinux + outgoing-port-permit: 32768-60999 + + # IANA-assigned port numbers. + # If multiple outgoing-port-permit and outgoing-port-avoid options + # are present, they are processed in order. + # Our SElinux policy does not allow non-ephemeral ports to be used + outgoing-port-avoid: 0-32767 + outgoing-port-avoid: 61000-65535 + + # use SO_REUSEPORT to distribute queries over threads. + # at extreme load it could be better to turn it off to distribute even. + so-reuseport: yes + + # use IP_TRANSPARENT so the interface: addresses can be non-local + # and you can config non-existing IPs that are going to work later on + # (uses IP_BINDANY on FreeBSD). + ip-transparent: yes + + # Enable UDP, "yes" or "no". + # NOTE: if setting up an Unbound on tls443 for public use, you might want to + # disable UDP to avoid being used in DNS amplification attacks. + # do-udp: yes + + # Enable EDNS TCP keepalive option. + edns-tcp-keepalive: yes + + # Fedora note: do not activate this - not compiled in because + # it causes frequent unbound crashes. Also, socket activation + # is bad when you have things like dnsmasq also running with libvirt. + # Use systemd socket activation for UDP, TCP, and control sockets. + # use-systemd: no + + # If you give "" no chroot is performed. The path must not end in a /. + # chroot: "/etc/unbound" + chroot: "" + + # If you give a server: directory: dir before include: file statements + # then those includes can be relative to the working directory. + directory: "/etc/unbound" + + # print UTC timestamp in ascii to logfile, default is epoch in seconds. + log-time-ascii: yes + + # Harden against unseemly large queries. + harden-large-queries: yes + + # Default off, because the lookups burden the server. Experimental + # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. + harden-referral-path: yes + + # Sent minimum amount of information to upstream servers to enhance + # privacy. Only sent minimum required labels of the QNAME and set QTYPE + # to A when possible. + qname-minimisation: yes + + # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN + # and other denials, using information from previous NXDOMAINs answers. + aggressive-nsec: yes + + # threshold, a warning is printed and a defensive action is taken, + # the cache is cleared to flush potential poison out of it. + # A suggested value is 10000000, the default is 0 (turned off). + unwanted-reply-threshold: 10000000 + + # if yes, perform prefetching of almost expired message cache entries. + prefetch: yes + + # if yes, perform key lookups adjacent to normal lookups. + prefetch-key: yes + + # deny queries of type ANY with an empty response. + deny-any: yes + + # if yes, Unbound rotates RRSet order in response. + rrset-roundrobin: yes + + # if yes, Unbound doesn't insert authority/additional sections + # into response messages when those sections are not required. + minimal-responses: yes + + # module configuration of the server. A string with identifiers + # separated by spaces. Syntax: "[dns64] [validator] iterator" + # most modules have to be listed at the beginning of the line, + # except cachedb(just before iterator), and python (at the beginning, + # or, just before the iterator). + # For redis cachedb use: + # "ipsecmod validator cachedb iterator" + module-config: "ipsecmod validator iterator" + + # trust anchor signaling sends a RFC8145 key tag query after priming. + trust-anchor-signaling: yes + + # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel) + root-key-sentinel: yes + + # the trusted-keys { name flag proto algo "key"; }; clauses are read. + # you need external update procedures to track changes in keys. + # trusted-keys-file: "" + # + trusted-keys-file: /etc/unbound/keys.d/*.key + auto-trust-anchor-file: "/var/lib/unbound/root.key" + + # Should additional section of secure message also be kept clean of + # unsecure data. Useful to shield the users of this validator from + # potential bogus data in the additional section. All unsigned data + # in the additional section is removed from secure messages. + val-clean-additional: yes + + # Turn permissive mode on to permit bogus messages. Thus, messages + # for which security checks failed will be returned to clients, + # instead of SERVFAIL. It still performs the security checks, which + # result in interesting log files and possibly the AD bit in + # replies if the message is found secure. The default is off. + # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY + val-permissive-mode: no + + # Serve expired responses from cache, with serve-expired-reply-ttl in + # the response, and then attempt to fetch the data afresh. + serve-expired: yes + + # Limit serving of expired responses to configured seconds after + # expiration. 0 disables the limit. + serve-expired-ttl: 14400 + + # Have the validator log failed validations for your diagnosis. + # 0: off. 1: A line per failed user query. 2: With reason and bad IP. + val-log-level: 1 + + # service clients over TLS (on the TCP sockets) with plain DNS inside + # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. + # Give the certificate to use and private key. + # default is "" (disabled). requires restart to take effect. + # tls-service-key: "/etc/unbound/unbound_server.key" + # tls-service-pem: "/etc/unbound/unbound_server.pem" + + # Fedora/RHEL: use system-wide crypto policies + tls-ciphers: "PROFILE=SYSTEM" + + # Enable to attach Extended DNS Error codes (RFC8914) to responses. + # Fedora defaults to yes. + ede: yes + + # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale + # Answer as EDNS0 option to expired responses. + # Note that the ede option above needs to be enabled for this to work. + # Fedora defaults to yes. + ede-serve-expired: yes + + # Enable or disable ipsecmod (it still needs to be defined in + # module-config above). Can be used when ipsecmod needs to be + # enabled/disabled via remote-control(below). + # Fedora: module will be enabled on-demand by libreswan + ipsecmod-enabled: no + + # Path to executable external hook. It must be defined when ipsecmod is + # listed in module-config (above). + ipsecmod-hook: /usr/libexec/ipsec/_unbound-hook + +python: + # Script file to load + # python-script: "/etc/unbound/ubmodule-tst.py" + +# Remote control config section moved into own remote-control.conf + +# the module-config then you need one dynlib-file per instance. +dynlib: + # Script file to load + # dynlib-file: "/etc/unbound/dynlib.so" + +# Fedora: DNSCrypt support not enabled since it requires linking to +# another crypto library +# diff --git a/module-setup.sh b/module-setup.sh new file mode 100644 index 0000000..439bc6d --- /dev/null +++ b/module-setup.sh @@ -0,0 +1,44 @@ +#!/usr/bin/bash + +check() { + require_binaries unbound unbound-checkconf unbound-control || return 1 + # the module will be only included if explicitly required either + # by configuration or another module + return 255 +} + +depends() { + # because of pid file we need sysusers to create unbound user + echo systemd systemd-sysusers + return 0 +} + +install() { + # We have to make unbound wanted by network-online target to make sure + # there is a synchronization point when other services are able + # to make queries + inst_simple "$moddir"/unbound-initrd.conf /etc/systemd/system/unbound.service.d/unbound-initrd.conf + + # /etc and /var/lib do not have its variables + inst_multiple -o \ + "$systemdsystemunitdir"/unbound.service \ + /etc/unbound/conf.d/remote-control.conf \ + /etc/unbound/openssl-sha1.conf \ + /usr/share/unbound/fedora-defaults.conf \ + /usr/share/unbound/conf.d/*.conf \ + /etc/unbound/local.d/*.conf \ + /etc/unbound/keys.d/*.key \ + /etc/unbound/unbound.conf \ + /etc/unbound/unbound_control.key \ + /etc/unbound/unbound_control.pem \ + /etc/unbound/unbound_server.key \ + /etc/unbound/unbound_server.pem \ + "$sysusers"/unbound.conf \ + "$tmpfilesdir"/unbound.conf \ + /var/lib/unbound/root.key \ + unbound \ + unbound-checkconf \ + unbound-control + + $SYSTEMCTL -q --root "$initdir" enable unbound.service +} diff --git a/remote-control-include.conf b/remote-control-include.conf new file mode 100644 index 0000000..5688480 --- /dev/null +++ b/remote-control-include.conf @@ -0,0 +1,4 @@ +# Previous defaults allowed any process to change settings, CVE-2023-1488 +# If you want to modify remote configuration, replace this file with +# contents of included file and modify afterwards. +include: "/usr/share/unbound/conf.d/remote-control.conf" diff --git a/remote-control.conf b/remote-control.conf index 4561a63..6f6942e 100644 --- a/remote-control.conf +++ b/remote-control.conf @@ -1,9 +1,26 @@ # Remote control config section update. # Previous defaults allowed any process to change settings, CVE-2023-1488 +# This file can be used also by: unbound-control -c remote-control: - # set to an absolute path to use a unix local name pipe, certificates - # are not used for that, so key and cert files need not be present. - control-interface: "/run/unbound/control" + # Enable remote control with unbound-control(8) here. + # set up the keys and certificates with unbound-control-setup. + control-enable: yes - # For local sockets this option is ignored, and TLS is not used. - control-use-cert: "yes" + # set to an absolute path to use a unix local name pipe, certificates + # are not used for that, so key and cert files need not be present. + control-interface: "/run/unbound/control" + + # For local sockets this option is ignored, and TLS is not used. + control-use-cert: "yes" + + # Unbound server key file. + server-key-file: "/etc/unbound/unbound_server.key" + + # Unbound server certificate file. + server-cert-file: "/etc/unbound/unbound_server.pem" + + # unbound-control key file. + control-key-file: "/etc/unbound/unbound_control.key" + + # unbound-control certificate file. + control-cert-file: "/etc/unbound/unbound_control.pem" diff --git a/sources b/sources index 5a055a7..efb1f71 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (unbound-1.20.0.tar.gz) = 2f6bc76c03b71ca1c2cd2331dc72d62f51493d15e17c59af46b400e542fcabff22e6b9d33f750a3e5f918a0116f45afa760651b2d5aa2feadac151cbbd71b0bd -SHA512 (unbound-1.20.0.tar.gz.asc) = 1586a320077c606c5c19f251615df54a61854f51acca02df1d391dcc2287aff2c641b009aeee1a98392f63719d70b6bac23ebb7d86b780f8a27cda6e114fc0ad +SHA512 (unbound-1.21.1.tar.gz) = 82be3faf5e4f9531342008105f5ab2ecc22a56faab1ef5c86420d85ef48443e5dac3455dbc654178a927e34ca4067c7655443f91a250b87945a63e9ba5f74ba7 +SHA512 (unbound-1.21.1.tar.gz.asc) = 5bb3961c210aefb20f91eb96f7d3980324e30cb2307c6c1187f016cacafcade7adcd95855faedfebc2c91464fd6c095511322364357c5b72525fc8e61c0ad248 diff --git a/tmpfiles-unbound.conf b/tmpfiles-unbound.conf index bb88f01..c09cc75 100644 --- a/tmpfiles-unbound.conf +++ b/tmpfiles-unbound.conf @@ -1 +1 @@ -D /run/unbound 0755 unbound unbound - +D /run/unbound 0775 unbound root - diff --git a/unbound-anchor.service b/unbound-anchor.service index 59683c8..1116243 100644 --- a/unbound-anchor.service +++ b/unbound-anchor.service @@ -6,5 +6,5 @@ Documentation=man:unbound-anchor(8) Type=oneshot User=unbound EnvironmentFile=-/etc/sysconfig/unbound -ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi' +ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ] || [ -f /run/unbound/anchor-disable ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi' SuccessExitStatus=1 diff --git a/unbound-as112-networks.conf b/unbound-as112-networks.conf new file mode 100644 index 0000000..96c291f --- /dev/null +++ b/unbound-as112-networks.conf @@ -0,0 +1,118 @@ +# Allow forwarding of private ranges, which are marked forwardable by IANA +# https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml +# https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml +# https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml +# RFC 6303: Locally Served DNS Zones (https://www.rfc-editor.org/rfc/rfc6303.html) +# +# Using this configuration file will simplify forwarding to potentially private ranges. +# Enables forwarding of networks marked as forwardable at IANA special registry. +# This is useful when upstream forwarder may be still inside private network. That is the case +# when unbound works as a localhost DNS cache, not network wide resolver. + +server: + # RFC 8375: Special-Use Domain 'home.arpa.' + local-zone: "home.arpa." nodefault + + # RFC 1918: Address Allocation for Private Internets + local-zone: "10.in-addr.arpa." nodefault + local-zone: "16.172.in-addr.arpa." nodefault + local-zone: "17.172.in-addr.arpa." nodefault + local-zone: "18.172.in-addr.arpa." nodefault + local-zone: "19.172.in-addr.arpa." nodefault + local-zone: "20.172.in-addr.arpa." nodefault + local-zone: "21.172.in-addr.arpa." nodefault + local-zone: "22.172.in-addr.arpa." nodefault + local-zone: "23.172.in-addr.arpa." nodefault + local-zone: "24.172.in-addr.arpa." nodefault + local-zone: "25.172.in-addr.arpa." nodefault + local-zone: "26.172.in-addr.arpa." nodefault + local-zone: "27.172.in-addr.arpa." nodefault + local-zone: "28.172.in-addr.arpa." nodefault + local-zone: "29.172.in-addr.arpa." nodefault + local-zone: "30.172.in-addr.arpa." nodefault + local-zone: "31.172.in-addr.arpa." nodefault + local-zone: "168.192.in-addr.arpa." nodefault + # RFC 6598: IANA-Reserved IPv4 Prefix for Shared Address Space + local-zone: "64.100.in-addr.arpa." nodefault + local-zone: "65.100.in-addr.arpa." nodefault + local-zone: "66.100.in-addr.arpa." nodefault + local-zone: "67.100.in-addr.arpa." nodefault + local-zone: "68.100.in-addr.arpa." nodefault + local-zone: "69.100.in-addr.arpa." nodefault + local-zone: "70.100.in-addr.arpa." nodefault + local-zone: "71.100.in-addr.arpa." nodefault + local-zone: "72.100.in-addr.arpa." nodefault + local-zone: "73.100.in-addr.arpa." nodefault + local-zone: "74.100.in-addr.arpa." nodefault + local-zone: "75.100.in-addr.arpa." nodefault + local-zone: "76.100.in-addr.arpa." nodefault + local-zone: "77.100.in-addr.arpa." nodefault + local-zone: "78.100.in-addr.arpa." nodefault + local-zone: "79.100.in-addr.arpa." nodefault + local-zone: "80.100.in-addr.arpa." nodefault + local-zone: "81.100.in-addr.arpa." nodefault + local-zone: "82.100.in-addr.arpa." nodefault + local-zone: "83.100.in-addr.arpa." nodefault + local-zone: "84.100.in-addr.arpa." nodefault + local-zone: "85.100.in-addr.arpa." nodefault + local-zone: "86.100.in-addr.arpa." nodefault + local-zone: "87.100.in-addr.arpa." nodefault + local-zone: "88.100.in-addr.arpa." nodefault + local-zone: "89.100.in-addr.arpa." nodefault + local-zone: "90.100.in-addr.arpa." nodefault + local-zone: "91.100.in-addr.arpa." nodefault + local-zone: "92.100.in-addr.arpa." nodefault + local-zone: "93.100.in-addr.arpa." nodefault + local-zone: "94.100.in-addr.arpa." nodefault + local-zone: "95.100.in-addr.arpa." nodefault + local-zone: "96.100.in-addr.arpa." nodefault + local-zone: "97.100.in-addr.arpa." nodefault + local-zone: "98.100.in-addr.arpa." nodefault + local-zone: "99.100.in-addr.arpa." nodefault + local-zone: "100.100.in-addr.arpa." nodefault + local-zone: "101.100.in-addr.arpa." nodefault + local-zone: "102.100.in-addr.arpa." nodefault + local-zone: "103.100.in-addr.arpa." nodefault + local-zone: "104.100.in-addr.arpa." nodefault + local-zone: "105.100.in-addr.arpa." nodefault + local-zone: "106.100.in-addr.arpa." nodefault + local-zone: "107.100.in-addr.arpa." nodefault + local-zone: "108.100.in-addr.arpa." nodefault + local-zone: "109.100.in-addr.arpa." nodefault + local-zone: "110.100.in-addr.arpa." nodefault + local-zone: "111.100.in-addr.arpa." nodefault + local-zone: "112.100.in-addr.arpa." nodefault + local-zone: "113.100.in-addr.arpa." nodefault + local-zone: "114.100.in-addr.arpa." nodefault + local-zone: "115.100.in-addr.arpa." nodefault + local-zone: "116.100.in-addr.arpa." nodefault + local-zone: "117.100.in-addr.arpa." nodefault + local-zone: "118.100.in-addr.arpa." nodefault + local-zone: "119.100.in-addr.arpa." nodefault + local-zone: "120.100.in-addr.arpa." nodefault + local-zone: "121.100.in-addr.arpa." nodefault + local-zone: "122.100.in-addr.arpa." nodefault + local-zone: "123.100.in-addr.arpa." nodefault + local-zone: "124.100.in-addr.arpa." nodefault + local-zone: "125.100.in-addr.arpa." nodefault + local-zone: "126.100.in-addr.arpa." nodefault + local-zone: "127.100.in-addr.arpa." nodefault + + # RFC 4193: Unique Local IPv6 Unicast Addresses + local-zone: "d.f.ip6.arpa." nodefault + + # RFC 2606: Reserved Top Level DNS Names + local-zone: "test." nodefault + domain-insecure: "test" + domain-insecure: "example" + + # RFC 6762: Multicast DNS, Appendix G + domain-insecure: "local" + domain-insecure: "intranet" + domain-insecure: "private" + domain-insecure: "corp" + domain-insecure: "home" + domain-insecure: "lan" + + # draft-davies-internal-tld + domain-insecure: "internal" diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch index f57207b..7142817 100644 --- a/unbound-fedora-config.patch +++ b/unbound-fedora-config.patch @@ -1,60 +1,20 @@ -From 79506679335ef1e02a960ccc7cfeda19348f5619 Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Fri, 10 Nov 2023 12:58:31 +0100 +From 41c489180eeecba97641f747ee6a43aa2c6d4299 Mon Sep 17 00:00:00 2001 +From: Tomas Korbar +Date: Thu, 6 Feb 2025 16:01:21 +0100 Subject: [PATCH] Customize unbound.conf for Fedora defaults Set some Fedora/RHEL specific changes to example configuration file. By patching upstream provided config file we would not need to manually update external copy in source RPM. --- - unbound-1.20.0/doc/example.conf.in | 194 ++++++++++++++++++----------- - 1 file changed, 124 insertions(+), 70 deletions(-) + doc/example.conf.in | 33 +++++++++++++++++++++++++++++++-- + 1 file changed, 31 insertions(+), 2 deletions(-) -diff --git a/unbound-1.20.0/doc/example.conf.in b/unbound-1.20.0/doc/example.conf.in -index 0368c8d..9ece701 100644 ---- a/unbound-1.20.0/doc/example.conf.in -+++ b/unbound-1.20.0/doc/example.conf.in -@@ -17,11 +17,12 @@ server: - # whitespace is not necessary, but looks cleaner. - - # verbosity number, 0 is least verbose. 1 is default. -- # verbosity: 1 -+ verbosity: 1 - - # print statistics to the log (for every thread) every N seconds. - # Set to "" or 0 to disable. Default is disabled. -- # statistics-interval: 0 -+ # Needs to be disabled for munin plugin -+ statistics-interval: 0 - - # enable shm for stats, default no. if you enable also enable - # statistics-interval, every time it also writes stats to the -@@ -32,11 +33,13 @@ server: - # shm-key: 11777 - - # enable cumulative statistics, without clearing them after printing. -- # statistics-cumulative: no -+ # Needs to be disabled for munin plugin -+ statistics-cumulative: no - - # enable extended statistics (query types, answer codes, status) -- # printed from unbound-control. Default off, because of speed. -- # extended-statistics: no -+ # printed from unbound-control. default off, because of speed. -+ # Needs to be enabled for munin plugin -+ extended-statistics: yes - - # Inhibits selected extended statistics (qtype, qclass, qopcode, rcode, - # rpz-actions) from printing if their value is 0. -@@ -44,22 +47,35 @@ server: - # statistics-inhibit-zero: yes - - # number of threads to create. 1 disables threading. -- # num-threads: 1 -+ num-threads: 4 - - # specify the interfaces to answer queries from by ip-address. - # The default is to listen to localhost (127.0.0.1 and ::1). +diff --git a/doc/example.conf.in b/doc/example.conf.in +index dc2aa1c..a656bd7 100644 +--- a/doc/example.conf.in ++++ b/doc/example.conf.in +@@ -51,11 +51,19 @@ server: # specify 0.0.0.0 and ::0 to bind to all available interfaces. # specify every interface[@port] on a new 'interface:' labelled line. # The listen interfaces are not changed on reload, only on restart. @@ -74,53 +34,7 @@ index 0368c8d..9ece701 100644 # enable this feature to copy the source address of queries to reply. # Socket options are not supported on all platforms. experimental. -- # interface-automatic: no -+ # interface-automatic: yes -+ # -+ # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0 -+ # NOTE: Disabled per Fedora policy not to listen to * on default install -+ # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled -+ interface-automatic: no - - # instead of the default port, open additional ports separated by - # spaces when interface-automatic is enabled, by listing them here. -@@ -94,7 +110,8 @@ server: - - # permit Unbound to use this port number or port range for - # making outgoing queries, using an outgoing interface. -- # outgoing-port-permit: 32768 -+ # Only ephemeral ports are allowed by SElinux -+ outgoing-port-permit: 32768-60999 - - # deny Unbound the use this of port number or port range for - # making outgoing queries, using an outgoing interface. -@@ -103,7 +120,9 @@ server: - # IANA-assigned port numbers. - # If multiple outgoing-port-permit and outgoing-port-avoid options - # are present, they are processed in order. -- # outgoing-port-avoid: "3200-3208" -+ # Our SElinux policy does not allow non-ephemeral ports to be used -+ outgoing-port-avoid: 0-32767 -+ outgoing-port-avoid: 61000-65535 - - # number of outgoing simultaneous tcp buffers to hold per thread. - # outgoing-num-tcp: 10 -@@ -121,12 +140,12 @@ server: - - # use SO_REUSEPORT to distribute queries over threads. - # at extreme load it could be better to turn it off to distribute even. -- # so-reuseport: yes -+ so-reuseport: yes - - # use IP_TRANSPARENT so the interface: addresses can be non-local - # and you can config non-existing IPs that are going to work later on - # (uses IP_BINDANY on FreeBSD). -- # ip-transparent: no -+ ip-transparent: yes - - # use IP_FREEBIND so the interface: addresses can be non-local - # and you can bind to nonexisting IPs and interfaces that are down. -@@ -276,6 +295,8 @@ server: +@@ -276,6 +284,8 @@ server: # nat64-prefix: 64:ff9b::0/96 # Enable UDP, "yes" or "no". @@ -129,16 +43,7 @@ index 0368c8d..9ece701 100644 # do-udp: yes # Enable TCP, "yes" or "no". -@@ -301,7 +322,7 @@ server: - # tcp-idle-timeout: 30000 - - # Enable EDNS TCP keepalive option. -- # edns-tcp-keepalive: no -+ edns-tcp-keepalive: yes - - # Timeout for EDNS TCP keepalive, in msec. Overrides tcp-idle-timeout - # if edns-tcp-keepalive is set. -@@ -311,6 +332,9 @@ server: +@@ -311,6 +321,9 @@ server: # can be dropped. Default is 0, disabled. In seconds, such as 3. # sock-queue-timeout: 0 @@ -148,188 +53,7 @@ index 0368c8d..9ece701 100644 # Use systemd socket activation for UDP, TCP, and control sockets. # use-systemd: no -@@ -424,6 +448,7 @@ server: - # - # If you give "" no chroot is performed. The path must not end in a /. - # chroot: "@UNBOUND_CHROOT_DIR@" -+ chroot: "" - - # if given, user privileges are dropped (after binding port), - # and the given username is assumed. Default is user "unbound". -@@ -435,7 +460,7 @@ server: - # is not changed. - # If you give a server: directory: dir before include: file statements - # then those includes can be relative to the working directory. -- # directory: "@UNBOUND_RUN_DIR@" -+ directory: "/etc/unbound" - - # the log file, "" means log to stderr. - # Use of this option sets use-syslog to "no". -@@ -450,7 +475,7 @@ server: - # log-identity: "" - - # print UTC timestamp in ascii to logfile, default is epoch in seconds. -- # log-time-ascii: no -+ log-time-ascii: yes - - # print one line with time, IP, name, type, class for every query. - # log-queries: no -@@ -522,22 +547,22 @@ server: - # harden-large-queries: no - - # Harden against out of zone rrsets, to avoid spoofing attempts. -- # harden-glue: yes -+ harden-glue: yes - - # Harden against receiving dnssec-stripped data. If you turn it - # off, failing to validate dnskey data for a trustanchor will - # trigger insecure mode for that zone (like without a trustanchor). - # Default on, which insists on dnssec data for trust-anchored zones. -- # harden-dnssec-stripped: yes -+ harden-dnssec-stripped: yes - - # Harden against queries that fall under dnssec-signed nxdomain names. -- # harden-below-nxdomain: yes -+ harden-below-nxdomain: yes - - # Harden the referral path by performing additional queries for - # infrastructure data. Validates the replies (if possible). - # Default off, because the lookups burden the server. Experimental - # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. -- # harden-referral-path: no -+ harden-referral-path: yes - - # Harden against algorithm downgrade when multiple algorithms are - # advertised in the DS record. If no, allows the weakest algorithm -@@ -551,7 +576,7 @@ server: - # Sent minimum amount of information to upstream servers to enhance - # privacy. Only sent minimum required labels of the QNAME and set QTYPE - # to A when possible. -- # qname-minimisation: yes -+ qname-minimisation: yes - - # QNAME minimisation in strict mode. Do not fall-back to sending full - # QNAME to potentially broken nameservers. A lot of domains will not be -@@ -561,7 +586,7 @@ server: - - # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN - # and other denials, using information from previous NXDOMAINs answers. -- # aggressive-nsec: yes -+ aggressive-nsec: yes - - # Use 0x20-encoded random bits in the query to foil spoof attempts. - # This feature is an experimental implementation of draft dns-0x20. -@@ -594,7 +619,7 @@ server: - # threshold, a warning is printed and a defensive action is taken, - # the cache is cleared to flush potential poison out of it. - # A suggested value is 10000000, the default is 0 (turned off). -- # unwanted-reply-threshold: 0 -+ unwanted-reply-threshold: 10000000 - - # Do not query the following addresses. No DNS queries are sent there. - # List one address per entry. List classless netblocks with /size, -@@ -606,20 +631,20 @@ server: - # do-not-query-localhost: yes - - # if yes, perform prefetching of almost expired message cache entries. -- # prefetch: no -+ prefetch: yes - - # if yes, perform key lookups adjacent to normal lookups. -- # prefetch-key: no -+ prefetch-key: yes - - # deny queries of type ANY with an empty response. -- # deny-any: no -+ deny-any: yes - - # if yes, Unbound rotates RRSet order in response. -- # rrset-roundrobin: yes -+ rrset-roundrobin: yes - - # if yes, Unbound doesn't insert authority/additional sections - # into response messages when those sections are not required. -- # minimal-responses: yes -+ minimal-responses: yes - - # true to disable DNSSEC lameness check in iterator. - # disable-dnssec-lame-check: no -@@ -629,7 +654,9 @@ server: - # most modules have to be listed at the beginning of the line, - # except cachedb(just before iterator), and python (at the beginning, - # or, just before the iterator). -- # module-config: "validator iterator" -+ # For redis cachedb use: -+ # "ipsecmod validator cachedb iterator" -+ module-config: "ipsecmod validator iterator" - - # File with trusted keys, kept uptodate using RFC5011 probes, - # initial file like trust-anchor-file, then it stores metadata. -@@ -643,10 +670,10 @@ server: - # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" - - # trust anchor signaling sends a RFC8145 key tag query after priming. -- # trust-anchor-signaling: yes -+ trust-anchor-signaling: yes - - # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel) -- # root-key-sentinel: yes -+ root-key-sentinel: yes - - # File with trusted keys for validation. Specify more than one file - # with several entries, one file per entry. -@@ -667,6 +694,9 @@ server: - # the trusted-keys { name flag proto algo "key"; }; clauses are read. - # you need external update procedures to track changes in keys. - # trusted-keys-file: "" -+ # -+ trusted-keys-file: /etc/unbound/keys.d/*.key -+ auto-trust-anchor-file: "/var/lib/unbound/root.key" - - # Ignore chain of trust. Domain is treated as insecure. - # domain-insecure: "example.com" -@@ -694,14 +724,15 @@ server: - # unsecure data. Useful to shield the users of this validator from - # potential bogus data in the additional section. All unsigned data - # in the additional section is removed from secure messages. -- # val-clean-additional: yes -+ val-clean-additional: yes - - # Turn permissive mode on to permit bogus messages. Thus, messages - # for which security checks failed will be returned to clients, - # instead of SERVFAIL. It still performs the security checks, which - # result in interesting log files and possibly the AD bit in - # replies if the message is found secure. The default is off. -- # val-permissive-mode: no -+ # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY -+ val-permissive-mode: no - - # Ignore the CD flag in incoming queries and refuse them bogus data. - # Enable it if the only clients of Unbound are legacy servers (w2008) -@@ -715,11 +746,11 @@ server: - - # Serve expired responses from cache, with serve-expired-reply-ttl in - # the response, and then attempt to fetch the data afresh. -- # serve-expired: no -+ serve-expired: yes - # - # Limit serving of expired responses to configured seconds after - # expiration. 0 disables the limit. -- # serve-expired-ttl: 0 -+ serve-expired-ttl: 14400 - # - # Set the TTL of expired records to the serve-expired-ttl value after a - # failed attempt to retrieve the record from upstream. This makes sure -@@ -746,7 +777,7 @@ server: - - # Have the validator log failed validations for your diagnosis. - # 0: off. 1: A line per failed user query. 2: With reason and bad IP. -- # val-log-level: 0 -+ val-log-level: 1 - - # It is possible to configure NSEC3 maximum iteration counts per - # keysize. Keep this table very short, as linear search is done. -@@ -890,6 +921,8 @@ server: +@@ -890,6 +903,8 @@ server: # you need to do the reverse notation yourself. # local-data-ptr: "192.0.2.3 www.example.com" @@ -338,7 +62,7 @@ index 0368c8d..9ece701 100644 # tag a localzone with a list of tag names (in "" with spaces between) # local-zone-tag: "example.com" "tag2 tag3" -@@ -900,8 +933,8 @@ server: +@@ -900,8 +915,8 @@ server: # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. # Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. @@ -349,107 +73,20 @@ index 0368c8d..9ece701 100644 # tls-port: 853 # https-port: 443 -@@ -909,6 +942,8 @@ server: - # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" - # cipher setting for TLSv1.3 - # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" -+ # Fedora/RHEL: use system-wide crypto policies -+ tls-ciphers: "PROFILE=SYSTEM" - - # Pad responses to padded queries received over TLS - # pad-responses: yes -@@ -1045,12 +1080,12 @@ server: - # cookie-secret: <128 bit random hex string> - - # Enable to attach Extended DNS Error codes (RFC8914) to responses. -- # ede: no -+ ede: yes - - # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale - # Answer as EDNS0 option to expired responses. - # Note that the ede option above needs to be enabled for this to work. -- # ede-serve-expired: no -+ ede-serve-expired: yes - - # Specific options for ipsecmod. Unbound needs to be configured with - # --enable-ipsecmod for these to take effect. -@@ -1058,12 +1093,14 @@ server: - # Enable or disable ipsecmod (it still needs to be defined in - # module-config above). Can be used when ipsecmod needs to be - # enabled/disabled via remote-control(below). -- # ipsecmod-enabled: yes -- # -+ # Fedora: module will be enabled on-demand by libreswan -+ ipsecmod-enabled: no -+ - # Path to executable external hook. It must be defined when ipsecmod is - # listed in module-config (above). - # ipsecmod-hook: "./my_executable" -- # -+ ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook -+ - # When enabled Unbound will reply with SERVFAIL if the return value of - # the ipsecmod-hook is not 0. - # ipsecmod-strict: no -@@ -1096,7 +1133,7 @@ server: - # o and give a python-script to run. - python: - # Script file to load -- # python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py" -+ # python-script: "/etc/unbound/ubmodule-tst.py" - - # Dynamic library config section. To enable: - # o use --with-dynlibmodule to configure before compiling. -@@ -1107,13 +1144,14 @@ python: - # the module-config then you need one dynlib-file per instance. - dynlib: - # Script file to load -- # dynlib-file: "@UNBOUND_SHARE_DIR@/dynlib.so" -+ # dynlib-file: "/etc/unbound/dynlib.so" - - # Remote control config section. - remote-control: - # Enable remote control with unbound-control(8) here. - # set up the keys and certificates with unbound-control-setup. -- # control-enable: no -+ # Note: required for unbound-munin package -+ control-enable: yes - - # what interfaces are listened to for remote control. - # give 0.0.0.0 and ::0 to listen to all interfaces. -@@ -1121,6 +1159,7 @@ remote-control: - # are not used for that, so key and cert files need not be present. - # control-interface: 127.0.0.1 - # control-interface: ::1 -+ # moved to /etc/unbound/conf.d/remote-control.conf - - # port number for remote control operations. - # control-port: 8953 -@@ -1130,16 +1169,19 @@ remote-control: - # control-use-cert: "yes" - - # Unbound server key file. -- # server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key" -+ server-key-file: "/etc/unbound/unbound_server.key" - - # Unbound server certificate file. -- # server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem" -+ server-cert-file: "/etc/unbound/unbound_server.pem" - - # unbound-control key file. -- # control-key-file: "@UNBOUND_RUN_DIR@/unbound_control.key" -+ control-key-file: "/etc/unbound/unbound_control.key" - +@@ -1146,6 +1161,12 @@ remote-control: # unbound-control certificate file. -- # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem" -+ control-cert-file: "/etc/unbound/unbound_control.pem" + # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem" + ++# Default Fedora settings ++include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf" + +# Stub and Forward zones -+include: /etc/unbound/conf.d/*.conf - ++include: "@sysconfdir@/unbound/conf.d/*.conf" ++ # Stub zones. # Create entries like below, to make all queries for 'example.com' and -@@ -1161,6 +1203,10 @@ remote-control: + # 'example.org' go to the given list of nameservers. list zero or more +@@ -1166,6 +1187,10 @@ remote-control: # name: "example.org" # stub-host: ns.example.com. @@ -460,7 +97,7 @@ index 0368c8d..9ece701 100644 # Forward zones # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of servers. These servers have to handle -@@ -1178,6 +1224,10 @@ remote-control: +@@ -1183,6 +1208,10 @@ remote-control: # forward-zone: # name: "example.org" # forward-host: fwd.example.com @@ -471,75 +108,6 @@ index 0368c8d..9ece701 100644 # Authority zones # The data for these zones is kept locally, from a file or downloaded. -@@ -1188,27 +1238,28 @@ remote-control: - # download it), primary: fetches with AXFR and IXFR, or url to zonefile. - # With allow-notify: you can give additional (apart from primaries and urls) - # sources of notifies. --# auth-zone: --# name: "." --# primary: 170.247.170.2 # b.root-servers.net --# primary: 192.33.4.12 # c.root-servers.net --# primary: 199.7.91.13 # d.root-servers.net --# primary: 192.5.5.241 # f.root-servers.net --# primary: 192.112.36.4 # g.root-servers.net --# primary: 193.0.14.129 # k.root-servers.net --# primary: 192.0.47.132 # xfr.cjr.dns.icann.org --# primary: 192.0.32.132 # xfr.lax.dns.icann.org --# primary: 2801:1b8:10::b # b.root-servers.net --# primary: 2001:500:2::c # c.root-servers.net --# primary: 2001:500:2d::d # d.root-servers.net --# primary: 2001:500:2f::f # f.root-servers.net --# primary: 2001:500:12::d0d # g.root-servers.net --# primary: 2001:7fd::1 # k.root-servers.net --# primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org --# primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org --# fallback-enabled: yes --# for-downstream: no --# for-upstream: yes -+ auth-zone: -+ name: "." -+ primary: 170.247.170.2 # b.root-servers.net -+ primary: 192.33.4.12 # c.root-servers.net -+ primary: 199.7.91.13 # d.root-servers.net -+ primary: 192.5.5.241 # f.root-servers.net -+ primary: 192.112.36.4 # g.root-servers.net -+ primary: 193.0.14.129 # k.root-servers.net -+ primary: 192.0.47.132 # xfr.cjr.dns.icann.org -+ primary: 192.0.32.132 # xfr.lax.dns.icann.org -+ primary: 2801:1b8:10::b # b.root-servers.net -+ primary: 2001:500:2::c # c.root-servers.net -+ primary: 2001:500:2d::d # d.root-servers.net -+ primary: 2001:500:2f::f # f.root-servers.net -+ primary: 2001:500:12::d0d # g.root-servers.net -+ primary: 2001:7fd::1 # k.root-servers.net -+ primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org -+ primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org -+ fallback-enabled: yes -+ for-downstream: no -+ for-upstream: yes -+ - # auth-zone: - # name: "example.org" - # for-downstream: yes -@@ -1234,6 +1285,9 @@ remote-control: - # name: "anotherview" - # local-zone: "example.com" refuse - -+# Fedora: DNSCrypt support not enabled since it requires linking to -+# another crypto library -+# - # DNSCrypt - # To enable, use --enable-dnscrypt to configure before compiling. - # Caveats: -@@ -1309,7 +1363,7 @@ remote-control: - # dnstap-enable: no - # # if set to yes frame streams will be used in bidirectional mode - # dnstap-bidirectional: yes --# dnstap-socket-path: "@DNSTAP_SOCKET_PATH@" -+# dnstap-socket-path: "/etc/unbound/dnstap.sock" - # # if "" use the unix socket in dnstap-socket-path, otherwise, - # # set it to "IPaddress[@port]" of the destination. - # dnstap-ip: "" -- -2.44.0 +2.48.1 diff --git a/unbound-initrd.conf b/unbound-initrd.conf new file mode 100644 index 0000000..7838b3d --- /dev/null +++ b/unbound-initrd.conf @@ -0,0 +1,5 @@ +[Unit] +Before=network-online.target + +[Install] +WantedBy=network-online.target diff --git a/unbound-local-root.conf b/unbound-local-root.conf new file mode 100644 index 0000000..4ba5e9d --- /dev/null +++ b/unbound-local-root.conf @@ -0,0 +1,30 @@ +# Authority zones +# The data for these zones is kept locally, from a file or downloaded. +# The data can be served to downstream clients, or used instead of the +# upstream (which saves a lookup to the upstream). +# +# Download local root copy and answer TLD queries from it. Because +# auth-zone has higher precedence, defined forward-zones to internal +# only TLD will not work. Use stub-zone or disable this zone. +# Good for a network-wide resolvers, worse for a localhost caching forwarder. +auth-zone: + name: "." + primary: 170.247.170.2 # b.root-servers.net + primary: 192.33.4.12 # c.root-servers.net + primary: 199.7.91.13 # d.root-servers.net + primary: 192.5.5.241 # f.root-servers.net + primary: 192.112.36.4 # g.root-servers.net + primary: 193.0.14.129 # k.root-servers.net + primary: 192.0.47.132 # xfr.cjr.dns.icann.org + primary: 192.0.32.132 # xfr.lax.dns.icann.org + primary: 2801:1b8:10::b # b.root-servers.net + primary: 2001:500:2::c # c.root-servers.net + primary: 2001:500:2d::d # d.root-servers.net + primary: 2001:500:2f::f # f.root-servers.net + primary: 2001:500:12::d0d # g.root-servers.net + primary: 2001:7fd::1 # k.root-servers.net + primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org + primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org + fallback-enabled: yes + for-downstream: no + for-upstream: yes diff --git a/unbound.service b/unbound.service index 74321c7..d476504 100644 --- a/unbound.service +++ b/unbound.service @@ -1,6 +1,9 @@ [Unit] Description=Unbound recursive Domain Name Server -After=network-online.target +After=network.target +# Use ip-freebind: yes or add After=network-online.target, rhbz#2338429, +# if interface: specifies exact address, not localhost nor wildcard +#After=network-online.target After=unbound-keygen.service Wants=unbound-keygen.service After=unbound-anchor.service @@ -9,7 +12,7 @@ Before=nss-lookup.target Wants=nss-lookup.target [Service] -Type=simple +Type=notify EnvironmentFile=-/etc/sysconfig/unbound ExecStartPre=/usr/sbin/unbound-checkconf ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS diff --git a/unbound.spec b/unbound.spec index 17c922b..dbb7c78 100644 --- a/unbound.spec +++ b/unbound.spec @@ -2,7 +2,7 @@ %{?!with_python3: %global with_python3 1} %{?!with_munin: %global with_munin 1} %bcond_without dnstap -%bcond_with systemd +%bcond_without systemd %bcond_without doh %bcond_with redis @@ -32,7 +32,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.20.0 +Version: 1.21.1 Release: %autorelease %{?extra_version:-e %{extra_version}} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ @@ -58,6 +58,13 @@ Source18: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key Source20: unbound.sysusers Source21: remote-control.conf +Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc +Source23: unbound-as112-networks.conf +Source24: unbound-local-root.conf +Source25: remote-control-include.conf +Source26: fedora-defaults.conf +Source27: module-setup.sh +Source28: unbound-initrd.conf # Downstream configuration changes Patch1: unbound-fedora-config.patch @@ -190,30 +197,31 @@ Conflicts: python2-unbound < 1.9.3 Python 3 modules and extensions for unbound %endif +%package dracut +Summary: Unbound dracut module +Requires: dracut%{?_isa} +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description dracut +Unbound dracut module allowing use of Unbound for name resolution +in initramfs. %prep %if 0%{?fedora} -%{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}' +%{gpgverify} --keyring='%{SOURCE22}' --signature='%{SOURCE18}' --data='%{SOURCE0}' %endif %global pkgname %{name}-%{version}%{?extra_version} %if 0%{with_python2} && 0%{with_python3} -%global dir_primary %{pkgname}_python3 %global python_primary %{__python3} %global dir_secondary %{pkgname}_python2 %global python_secondary %{__python2} -%else -%global dir_primary %{pkgname} %endif -%autosetup -c -N -n %{pkgname} +%autosetup -N -n %{pkgname} -pushd %{pkgname} # patches go here -%autopatch -p2 - -# copy common doc files - after here, since it may be patched -cp -pr doc pythonmod libunbound ../ +%autopatch -p1 %if 0%{?rhel} > 8 # SHA-1 breaks some tests. Disable just some tests because of that. @@ -223,11 +231,9 @@ cp -pr doc pythonmod libunbound ../ mv testdata/${TEST}.rpl{,-disabled} done %endif -popd %if 0%{with_python2} && 0%{with_python3} -mv %{pkgname} %{dir_primary} -cp -a %{dir_primary} %{dir_secondary} + cp -a . %{dir_secondary} %endif %build @@ -237,14 +243,14 @@ cp -a %{dir_primary} %{dir_secondary} --enable-relro-now --enable-pie \\\ --enable-subnet --enable-ipsecmod \\\ --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\ + --with-share-dir=%{_datadir}/%{name} \\\ --with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\ --enable-sha2 --disable-gost --enable-ecdsa \\\ --with-rootkey-file=%{_sharedstatedir}/%{name}/root.key \\\ --with-username=unbound \\\ --enable-linux-ip-local-port-range \\\ - - -pushd %{dir_primary} + --with-dynlibmodule \\\ +# # always regenerate configure rm -f config.h.in aclocal.m4 configure ltmain.sh @@ -252,6 +258,7 @@ rm -f {ax_pthread,ax_swig_python}.m4 cp -p %{_datadir}/aclocal/{ax_pthread,ax_swig_python}.m4 . # ensure bison is used to generate fresh parser rm -f util/configparser.{c,h} util/configlexer.c + autoreconf -fiv %configure \ @@ -279,8 +286,6 @@ autoreconf -fiv %make_build %make_build streamtcp -popd - %if 0%{?python_secondary:1} pushd %{dir_secondary} %configure \ @@ -308,11 +313,9 @@ pushd %{dir_secondary} popd %endif -pushd %{dir_primary} %make_install unbound-event-install install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp install -p -m 0644 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf -popd install -d -m 0755 %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service @@ -333,11 +336,9 @@ for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unboun done %endif -pushd %{dir_primary} # install streamtcp man page install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1 install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc -popd # Install tmpfiles.d config install -d -m 0755 %{buildroot}%{_tmpfilesdir} %{buildroot}%{_sharedstatedir}/unbound @@ -374,10 +375,22 @@ install -p -m 0644 %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/ install -p -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/ install -p -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/ install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/ +install -p -m 0644 %{SOURCE25} %{buildroot}%{_sysconfdir}/unbound/conf.d/remote-control.conf + +mkdir -p %{buildroot}%{_datadir}/%{name}/conf.d +install -p -m 0644 %{SOURCE21} %{buildroot}%{_datadir}/%{name}/conf.d/ +install -p -m 0644 %{SOURCE23} %{buildroot}%{_datadir}/%{name}/conf.d/ +install -p -m 0644 %{SOURCE24} %{buildroot}%{_datadir}/%{name}/conf.d/ +install -p -m 0644 %{SOURCE26} %{buildroot}%{_datadir}/%{name}/ # Link unbound-control-setup.8 manpage to unbound-control.8 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8 +# install dracut module +mkdir -p %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound + +install -p -m 0755 %{SOURCE27} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound +install -p -m 0644 %{SOURCE28} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound %pre libs %sysusers_create_compat %{SOURCE20} @@ -409,15 +422,12 @@ fi %systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer %check -pushd %{dir_primary} #pushd pythonmod #make test #popd make check -popd - %if 0%{?python_secondary:1} pushd %{dir_secondary} #pushd pythonmod @@ -432,7 +442,7 @@ popd %doc doc/CREDITS doc/FEATURES %{_unitdir}/%{name}.service %{_unitdir}/%{name}-keygen.service -%attr(0755,unbound,unbound) %dir %{_rundir}/%{name} +%attr(0775,unbound,root) %dir %{_rundir}/%{name} %attr(0644,root,root) %{_tmpfilesdir}/unbound.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d @@ -449,6 +459,7 @@ popd %{_sbindir}/unbound-checkconf %{_sbindir}/unbound-control %{_sbindir}/unbound-control-setup +%{_datadir}/%{name}/ %{_mandir}/man5/* %exclude %{_mandir}/man8/unbound-anchor* %{_mandir}/man8/* @@ -510,5 +521,8 @@ popd %{_sbindir}/unbound-streamtcp %{_mandir}/man1/unbound-* +%files dracut +%{_prefix}/lib/dracut/modules.d/99unbound + %changelog %autochangelog