From aa830172e31b35fb4abad3f116a814a2b1517470 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 3 Oct 2024 21:24:40 +0200 Subject: [PATCH 01/11] Update to 1.21.1 (rbhz#2316313) https://github.com/NLnetLabs/unbound/releases/tag/release-1.21.1 A vulnerability has been discovered in Unbound when handling replies with very large RRsets that Unbound needs to perform name compression for. --- .gitignore | 2 + Yorgos.asc | 128 +++++++++++++++++++++++++++++++++++++++++++++++++++ sources | 4 +- unbound.spec | 5 +- 4 files changed, 135 insertions(+), 4 deletions(-) create mode 100644 Yorgos.asc diff --git a/.gitignore b/.gitignore index 2ad282d..5ff0acf 100644 --- a/.gitignore +++ b/.gitignore @@ -89,3 +89,5 @@ unbound-1.4.5.tar.gz /unbound-1.19.3.tar.gz.asc /unbound-1.20.0.tar.gz /unbound-1.20.0.tar.gz.asc +/unbound-1.21.1.tar.gz +/unbound-1.21.1.tar.gz.asc diff --git a/Yorgos.asc b/Yorgos.asc new file mode 100644 index 0000000..e18ec55 --- /dev/null +++ b/Yorgos.asc @@ -0,0 +1,128 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFfYHeYBEAC/8SdeXNspt9ZIoZRSL9juNLHA17TXcHdKSthgWBtwwWZbUPq8 +SJr7Y+hr6jMCDKY9800QzLF0nLkyXnZgaBcvR0rRbCT/qvALJ0fpfjcotapZ1hBv +omb9s8Bo28uKn8tbTMXYNsElUae4Ch/CrU1vfe50YoyQgLR8UBa15gV+2RmC+6jI +qxDYS8sylWlDn6Qim+77feLlObPnNdzgfWGZo14eJByTsz0qrh8aS/BS1FAsnEQ6 +W6AqukhpuKuWvoAUXKjfguXQolxeexubmKaLcGOTvecw+cbh/a5SPHRtRVr9qTxp +elk6UEpakY5K9UtZkrG55VWih/4KqY9bNyhJBtpAk1fXA+mYfx5BcFpECYdU9kz4 +UgV5jK0HYRHQTLC91PPVQgH86we+Aae6TaJneCLEIzBK36TgAP8RKrvFfPUym5OP +YbWOom27QTKfRVcyxPKglJxrTSWixnKWS/pqxNY8hF9Ne4crRAF4wX2yBVbGnjNr +S9TpYmjMwURbuYm+rWZk/8w5OJG60V3wax56c0jn/42O3Y2hzQ+PbOv2M4UuuajS +2YL3/KUsRLBapUpPQjzChwzdr/vzFEhk9XxK2VGMN+dh2HjYwDFendc5csyt/cVr +g3LssVS2bKy5g3IhrzCKAk0Sky4S5t/mcN+lWztNvCijuLz58GCym5GwJQARAQAB +tCtZb3Jnb3MgVGhlc3NhbG9uaWtlZnMgPHlvcmdvc0BubG5ldGxhYnMubmw+iQJX +BBMBCABBAhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAhkBFiEElI60IyLF0At5 +NA9dz/M0TZCHpJAFAmbz0CwFCRD85cYACgkQz/M0TZCHpJBVnhAAkcd79Twxj/tt +C4q2Xpq75+Ew6YR9gLqYiV5vEd6fu0oyhuVoUlfTkjH4ALIoGIKaO9yAVUXsrGrs +n1aJPo1Mw3q6mIwtQOxXz/W44LuFzcvZkHtCYX4YyLrUHXZPvl+r4eYkTOcyyQMU +BmbuvWhufv8MBilvWltQLxfLlgihbfuIrxqjAYDhqCffpgUiZyCut2rrenIgeh1f +DvC+GjZ3cfb1UsIpzm19yr4NCiTHkLkCOAAcAUFwWWeO/jfUsSvFQEHUnYNRREzI +Lth9NlKwPtsOVi+wcNnWQtFQb11BMr407xBib7hLSIFiqvOiYgQABjZdWN+snCRP +ZZSruigjE9ateOloJwmBqrSJLAywxvDE0ivqfSj51W5eJc/JLSXvjrOuW28dJCr8 +RV9PjC9X7zuTiFLzV8SVH71Z43Rix8n7AOp3wgRe3SygEyQXPj4qbm5HHVsx9GEA +zn495L99dJ4wZgjkbEsGhzwUx7N9FHEGS/sz3LiEq+ZYckR6gzTMMrQJgbsS9lnK +9xlXsp37uIYvx9W9JZXtS+AZhw0q3osMYBF68HPX8B9GBYlkQWmWSIMfzRYcD2n1 +5+XsfERK4mxcTWl2sCYpt8Sy3tADj9nQDabAlGUd/hlFS1dvDVQjGh6ER5S0nZjY +nmRsLl8nOTKhb2xY+2p1sDjxxQYJJQe0K0dlb3JnZSBUaGVzc2Fsb25pa2VmcyA8 +Z2VvcmdlQG5sbmV0bGFicy5ubD6JAlQEEwEIAD4CGyMFCwkIBwIGFQgJCgsCBBYC +AwECHgECF4AWIQSUjrQjIsXQC3k0D13P8zRNkIekkAUCZvPQPQUJEPzlxgAKCRDP +8zRNkIekkFfCEACheY1yr2Z+LPjm/Nd2eA4CFFO7nUQHI+a6lYBd57txrRuIicuG +pGjOhnvcioRwICiKNLJD3YTU+WOd+sbO7BXH2sw2KdU9NK1ojKX/SQiTg6upfJsu +gbgar2oPvR88B7oSiuonZnhEf72HfWKDSBXHpi6KC6S3JZ+o50NB3GBpwUL1lfKW +ovymYbN6tYQfqw/+AP5jUUNpkclC0RbcW69rpvrHHqeQV1AVKkm/jNQpWLKYTGF7 +bbdLkgMh3rHp8gmF0/GuK+oyL7xD+TEXfr3iqlDIVuxbxDN8xTti1RrERU/MWQar +qOSFZcr4t+nlwThJidDLF/u3h0Ymrjz92VTfCgELIwCKxGX7jAyLZHzuWAp+0Pr/ +yuHodbweGNcGVoXmIpK93/WZcfFlBcyQLECVcijmxd7Euk0xDk76RQpuuL5VOWqn +aZcf2uNfppwKFZJjcXwK+EQbwN7+RFNvLrwoRn/1xM57T5AYBAgSvKb6h0G5KwW6 +tJfJdSu1MHfCZS1hH1Gr4+UG+VbLCVmQ9N/lUs0bcD7pK+bA1W0YnsIVuaQ+YZUh +KrJoCUF0kVDtW9ETZkp0iVBm1Q9xgTGaxUTVmctOyAbdCLyHNra4fo1BAdGlu+IP +qAcktaBUKFxWxRxf9O5kGihce9anK8CJ/TCnQ7wSvyYrlAoBoQaS78VzYYkBHAQS +AQIABgUCV9kUOAAKCRAwkY2CdXJCIju1B/oCvf1kWYndNeLS6U2O6DtFAL2Ia5tY +Zukcyqb1hkYcrBiMZbQN94gX5a+6Q4pdd2n241r1ZuSWdwUhRUbF4mvbZMVsavnk +cvrRGviVIUXf71W0O/IsmQ9oN0Finhpf14Y4z/xqF8DpvJdkWc6X5g+RJuko6q2w +B7x2UfSyF4USp47LSmUQnC59IF8jzaElgBha3gwEuXL3d2qBepoV/e9RiXJClUAT ++O7qdxzDq1eiZ+NXUjDCmrkuWjHLAZAv0jx1KUTCQ2no62UM95igtJ+Kn56Lc2+J +CqFJztaZeX8CgXXryxNpsyhZJ33dIoLCT03K25wrV5Y+eag05slQ9sC3iQI9BBMB +CAAnBQJX2RCwAhsjBQkFo5qABQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAAoJEM/z +NE2Qh6SQ3JUP/2G3bRNObS7zsfN3rjkbjLxaDOwNggRdbeXM5rHDVEG9SWesCGaI +vyQdkSGQoIaKUgNv7Yp8O8pEnD4IwdhNSaXVIB3pBtdOD0UM1wuxRpfqJOUxZEoW +T2Jr31Tg2qepp6nT7UmdiF7uCBDy8Jm6k6Q+6UT58cPaesRQdSPi6Go7ho2/xVvK +Ve9ufSTSTdG5+7bJDu6Iv7sydKUEG4jPDqo+jjVLn1X6Rfp+E4JAvOvFrSJHW5sa +A332xV40GeV+aM1ndP7dPkz8+AGB3QD7JF2DLcqvLo0TYOvjnlOGYcNp8gzp23g9 +KFwe2sdbdtVpuWaJUSpXXiUZnFzrrVxDNiEBjqsPa5ysOxzJ+1gUbcrIjUeNeAFh +us4XL+IidPATnhTIX3X/uPRB87KaTaA8XUqsuSd2DM9mLxdHKC9Jf8D1t+ywYrek +Cp+K80vCtFPWBM4+w8nGugTNKJEGIXZDGFOF/c7r6xKkaOYK0Y+IGJawlV5LaADl +BmQpPk0ubYclwb07FcegaHSxxIqUo/kbyt1YV5mU+QVymZ+xyvIBrnW8hBuNWRvU +5acnIZibCERayo8ZuI+r/X3bLHfDx0oh2h+cL3utNZUqmgZNR0Di8P+x0hUYsYPO +TJaDBSgvxUtY0Ci+OWX38kffGGvhW3CM8V6skdVc8cp7Db7gxase4BxxtC5HZW9y +Z2UgVGhlc3NhbG9uaWtlZnMgPGdlb3JnZUBvcGVubmV0bGFicy5jb20+iQJUBBMB +CAA+AhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEElI60IyLF0At5NA9dz/M0 +TZCHpJAFAmbz0D0FCRD85cYACgkQz/M0TZCHpJBnFw/8CRLGJnNAP43mBniIP5R1 +/10i4xG5s1Ka/y5C3aRgZUNaGMPLF8VmrC26HTPNhmduhn3j9gnBuSHgRAJUWs2K +o1q0A2/O5fFJvqPyEUl30gG8qkzFl5UGRUr7VNtBa6VpI7g78d3P4/H8THB0tYZ3 +GZv980QXwTE11aXjvPQu4e8sMOR1OVEEH+6hW1T0SvEKAMV1BHwuZAmC6HTfx5e7 +iGNWu/dwJsmwzqcAkuTTSqlmzZdIjZWJDL8pfnschkVilC3pEpEk5ExSkt/onOD2 +WCAKJUiPR6gRI2H6fE0PF8iG9isisvNhQ3MrWUIKS+1WOotoG7Bu7ob46viJKQuN +9t7KBqjdftjJHjmVop3mfX0UUEDPjkZXK5R/aUspXi4IGdM+9JijqxveicQegOhM +LcE8039Z0AaXn9IA0kQB05A4a+CEnoPL7qe+fIBJM5hZDrpMe4fAAGxiQzbRpdkZ +CrXmT+CRkhc/BvUJ5yoE1q++9Fw9eyMbPOak6GLckCIPy+Mqi4z+ZXNCtcPs3Qbc +/7AY8qyswRsD2t5bbe4g+fLEt9IsN3UvKFUKnQ88jcn9Zmps69msMDm9jEj/qo+j +QCriLLu8E1ZwhedNVOQN89w4Zww/BUyEnL4hng8Tw+RTV8Jtq5EvAleW5sZsnTzA +zn1ysZUyO/Pu7Br2jnGRAQyJARwEEgECAAYFAlfZFDwACgkQMJGNgnVyQiIHjAf/ +VrPMgIRjRTYi4cxOr5ewaim1hgJZO1oCJoMopwIvpZ2kAUqL/uPMT3wREe5bi79H +jXYcaX+RbrV4ZdzaajDUFCj867KGErxqtRkANJ1eNLcQmVwGNoFeTQbgEOBfKq1t +hRfMqHF3fxCPJp4z4U3kBPUpIQPERjgUdkH8fxZ34Omo1SLO1b0dVqsneezccBVv +Hj7gVoaWw65Ov7vngwNCKH3fjOkcoINTH/nEw4WWh6UV5ZN49GRqa6oWdUJMZbgB +w8z357RLN6YLe7KMh4oGpUIvfH6Vfq6CIb6s9pfgjAvq8O7p9n0/0FG77j84MuGw +fdhq8eSazO/j9LUCBM+8k4kCPQQTAQgAJwUCV9kQiwIbIwUJBaOagAULCQgHAgYV +CAkKCwIEFgIDAQIeAQIXgAAKCRDP8zRNkIekkN9pD/wI8JAyjJEIjUJNLRuARDDv +pJrQjAo/02naPcGs4yyUd7yRkhzVKLFLvif8XICxxLWk6FdT0PJeKGTvRoe2+Rje +c14rO30niRymWkBi36iDW46Dpt7Jx+LUDhUMYPL+woKSoHmbBGWLSYXKxaD8F93A +nVs97nP4PWpspv2BFiuwKGsSsOyyQPPvr7jCin3H5oPH9qDnIV0KonAYbzzEKod5 +t0Rgzo/nWXZBFXWC5xvKeghwkdT++gYS/ThvQY2ua6A1XRE8BntyldD081NPi3NO +dWa9m8ufFOJsEEiWcpdT+EWoDw5JyGAR7U3IOVl3BTo7shdcYEvRVrDMBpac+ItG +WvogUv7alBdHWi48amvZE06RI/nDJ/rxj13S/4POgMHU++aQI5a1G5H3jBu4cehH +4iT1UKmozfzVEfcHb2dsaKnnuFzQxmol0lZu1ETyof+Lxvs+wErN0QR+VDNweJEJ +PMXiEcjASdLtrEKgFSP2B5yGGzt93C+HbD+VQOU359aAnvVjbTAVz8izuMphd6Bz +Ix1q//q2VmxqjjT3Iv30hBRX02x2M8gsP/e49XWEll7stkMtbYhBU0sHQ2CqzLGh +gJN3ecpi2sKWVqN8HUZOwJFj6f9ZX76YSM23wIugHfscMAVJUXvBrbd151WIshOf +FFPo62sYGt+SEMXWeRcHjbQuWW9yZ29zIFRoZXNzYWxvbmlrZWZzIDx5b3Jnb3NA +b3Blbm5ldGxhYnMuY29tPokCVAQTAQgAPgIbIwULCQgHAgYVCAkKCwIEFgIDAQIe +AQIXgBYhBJSOtCMixdALeTQPXc/zNE2Qh6SQBQJm89A9BQkQ/OXGAAoJEM/zNE2Q +h6SQOf4QAIp5fEn+vVOqDuLrv8Li61UDVPE3v5b9ocPR7OMENeFpRH7K2p8xFkAM +f6JeS2ehbIjyUS8iGc+mZOalvZynJdOiHtys5r4lZanm1Rl+mWXb+nHGE/Oi4gQ3 +aEF/AwolbKi9oNXAiCtA3hmaI6FYWtAh5XOnyMG140dhlXMWzvN1ZAWXWioS33Fp +n9Z7xOsyG2Bmky69JjUQPD119noD4pEFtCipciiACVNdHGfI8QDT/8pMAxv/Q7tW ++7gyFztT1XvKONWyCfHjf1x60JQNPPM31x3xUVRz/sK+GyLq6VLiydvSZeUX3CzM +4bHixKKkSyvsX+bc9K/iLrXwZFhRdrRbpVQFpsdxv48mN5WsDlpN17KgMCyNiMDV +0VagYjZC5AurOo2mmS7PKAYGILaq3YwQ3nXYiuWfdXVW6EXtw/vdFOjFU6ppbaA3 +1+xyMDOLSGLr7f+gdZvlEc+5MX1F3mHpmuKN7clUju/HEOdVq1Bbla7BplPgqCaH +ZYCg/VHNt7ue7MYeEgTJ8OGgUDRNPa3PdU3YHRCuwJH1UzinD39K8R9/g9qiGJbC +87//1FGZp9lhIE5tja6F5pJ5GwJK9zC0iGj2NrwBvTKhuyF6W3ZQc2voYQn+gIq4 +sfbned7qpvpjLcMgIv/y82iVm2EtKtKYl982aA9S53pHqjV27kieuQINBFfYHeYB +EAC2h9yjSe2SgtcB0H+E0ndaewaZaQCE7q+RO43dotGH9eFnVwE4/ftcK1SN42ih +lF5OnTaKPyXvgQ6U8W8VB8eLjeTwA/dSXuJX7kJpEK8saPqJP6zTUmPqp/GSzS6Y +rhKLfpFn4chmywpDFcGNMz0sYXiJgPqKL7W0KuG+ziPToAeWl8ckeXyl77/lHVhW +YylaQJEASklqCViPXSp9vI7/57UEm4MQPXwsDBOwuVVqcSu3ZM5MtY9XlbVPNCYm +ZIMqmh8HgYwbiq9dTfJi+6v17+uDQGZewWK/WwFM+9dDx7YkTeOBiUduYtJPW64N +W/RJ7pskbLAy+OZApTZWg0cISN6GOmPN3F0AiWzUjvSMREHhFHyxj4Y15vuDOFvP +GFxr4xBiyMX1JLCKK6OFnyPfoJ9v/o3UgrQgLrfXCmKdvkwBCgJvN3Fsxzha6Dtf +6RcZ02fr7SCZZhdBrlrflvC1uWZ0g3A87ss7h4Iw3njlO3aX6Bo9R4VOLUkiRKi4 +hmQBxPvXxI2ERmKRomo6lrMaDMzIjD4APSM1vUfZguzQxVYpM8lwy1COeqxsj5p+ +LH6f/EU+4dXZwooJ1uanBOvG2ntnz8SErE+e7wNYE4a/fb8xYM4j7p6qYtnNZPb8 +sj8bvx8iWXp4A1csVetyVSchBhTVQhhNos6ouYpc4ibrYwARAQABiQI8BBgBCAAm +AhsMFiEElI60IyLF0At5NA9dz/M0TZCHpJAFAmbz0dUFCRD8528ACgkQz/M0TZCH +pJA7hg/7Bh0jb7nrp2EuU4BWK55VG+3zbrye/NdDy6eo3sVVOOO1r+jBMoJK3m1A +GWUx40ogZjRn8GMtJfxkL6wsep2P775smm7x1TH6s2dgreTj9J66gitKEgxF0tjo +JztmGJ8YKSGE4wKi37KvvSqCm1ecA8akBzJVo0B8/GtXpg+y/q3/KSY1ujW7Ihu3 +60JXT1FRXOiYfrzUKIBm8/UVnv7guPudaJf0eU4btoy4Ywzn1UXyi8BdxPIQrQDR +tt69ffcjX8BIEloK7FURLre/LhbVxlssdWYIEFQhIlb+nghZlUbWHf0Ue3L0SFFS +xV5otzQL2WjJKtCnTpSopSUmwYyT7wyAL1RokOemXL47WOfiLjiGuS+K/4lT7VHS +fdLsYinS0LYr5dmhc05s//kLyQ0OSKNh3SNAN+lM/klLE/pFwM4mo56C+seNEvCm +sT53VPOOwp6JwsLKSqm8pu1fbVjT6laMc9BPi6KUjN/f7ZahCXNXOrA2uLnTlxw/ +ns1sOXSWZDWciZeL3kJeUQER5YZ59hzLYWAiJ+5KblWRlBMXb71FUp0Mh9V3dA5O +BX3IlcF54qE50chGzLnfQf1YLuh13xxxc2WsdMZjiCj8CVDMkD6ekShfQK8nyQsK +SJgdXcnw1CxcAVvsROtecUiD+DWrJcYExjSZ+zcI4+aRhp7uNt8= +=iknu +-----END PGP PUBLIC KEY BLOCK----- diff --git a/sources b/sources index 5a055a7..efb1f71 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (unbound-1.20.0.tar.gz) = 2f6bc76c03b71ca1c2cd2331dc72d62f51493d15e17c59af46b400e542fcabff22e6b9d33f750a3e5f918a0116f45afa760651b2d5aa2feadac151cbbd71b0bd -SHA512 (unbound-1.20.0.tar.gz.asc) = 1586a320077c606c5c19f251615df54a61854f51acca02df1d391dcc2287aff2c641b009aeee1a98392f63719d70b6bac23ebb7d86b780f8a27cda6e114fc0ad +SHA512 (unbound-1.21.1.tar.gz) = 82be3faf5e4f9531342008105f5ab2ecc22a56faab1ef5c86420d85ef48443e5dac3455dbc654178a927e34ca4067c7655443f91a250b87945a63e9ba5f74ba7 +SHA512 (unbound-1.21.1.tar.gz.asc) = 5bb3961c210aefb20f91eb96f7d3980324e30cb2307c6c1187f016cacafcade7adcd95855faedfebc2c91464fd6c095511322364357c5b72525fc8e61c0ad248 diff --git a/unbound.spec b/unbound.spec index 17c922b..3a835d0 100644 --- a/unbound.spec +++ b/unbound.spec @@ -32,7 +32,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.20.0 +Version: 1.21.1 Release: %autorelease %{?extra_version:-e %{extra_version}} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ @@ -58,6 +58,7 @@ Source18: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key Source20: unbound.sysusers Source21: remote-control.conf +Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc # Downstream configuration changes Patch1: unbound-fedora-config.patch @@ -193,7 +194,7 @@ Python 3 modules and extensions for unbound %prep %if 0%{?fedora} -%{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}' +%{gpgverify} --keyring='%{SOURCE22}' --signature='%{SOURCE18}' --data='%{SOURCE0}' %endif %global pkgname %{name}-%{version}%{?extra_version} From 62c53ea087ed349aca7821d54ed931e0d9c0ae33 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Wed, 25 Sep 2024 13:29:49 +0200 Subject: [PATCH 02/11] Enable native dynamic modules Support modules similar to pythom modules, but implemented in native code. --- unbound.spec | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index 3a835d0..7b579f0 100644 --- a/unbound.spec +++ b/unbound.spec @@ -243,7 +243,8 @@ cp -a %{dir_primary} %{dir_secondary} --with-rootkey-file=%{_sharedstatedir}/%{name}/root.key \\\ --with-username=unbound \\\ --enable-linux-ip-local-port-range \\\ - + --with-dynlibmodule \\\ +# pushd %{dir_primary} From 23cb2f344edc6bdcf2b18baaed1276abdc855540 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Wed, 25 Sep 2024 14:18:27 +0200 Subject: [PATCH 03/11] Remove additional subdirectory for python3 build Python2 builds are not common anymore. Make basic unbound directory for primary build in normal default directory. Try subdirectory only for alternative secondary build, if enabled. --- unbound-fedora-config.patch | 42 +++++++++++++++++++------------------ unbound.spec | 27 ++++-------------------- 2 files changed, 26 insertions(+), 43 deletions(-) diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch index f57207b..b4803b6 100644 --- a/unbound-fedora-config.patch +++ b/unbound-fedora-config.patch @@ -1,4 +1,4 @@ -From 79506679335ef1e02a960ccc7cfeda19348f5619 Mon Sep 17 00:00:00 2001 +From 71cbef33920b3b5704be7eab399da506ab51cde1 Mon Sep 17 00:00:00 2001 From: Petr Mensik Date: Fri, 10 Nov 2023 12:58:31 +0100 Subject: [PATCH] Customize unbound.conf for Fedora defaults @@ -7,13 +7,13 @@ Set some Fedora/RHEL specific changes to example configuration file. By patching upstream provided config file we would not need to manually update external copy in source RPM. --- - unbound-1.20.0/doc/example.conf.in | 194 ++++++++++++++++++----------- - 1 file changed, 124 insertions(+), 70 deletions(-) + doc/example.conf.in | 196 ++++++++++++++++++++++++++++---------------- + 1 file changed, 126 insertions(+), 70 deletions(-) -diff --git a/unbound-1.20.0/doc/example.conf.in b/unbound-1.20.0/doc/example.conf.in -index 0368c8d..9ece701 100644 ---- a/unbound-1.20.0/doc/example.conf.in -+++ b/unbound-1.20.0/doc/example.conf.in +diff --git a/doc/example.conf.in b/doc/example.conf.in +index 130cb4e..7174d81 100644 +--- a/doc/example.conf.in ++++ b/doc/example.conf.in @@ -17,11 +17,12 @@ server: # whitespace is not necessary, but looks cleaner. @@ -358,22 +358,24 @@ index 0368c8d..9ece701 100644 # Pad responses to padded queries received over TLS # pad-responses: yes -@@ -1045,12 +1080,12 @@ server: - # cookie-secret: <128 bit random hex string> +@@ -1050,12 +1085,14 @@ server: + # cookie-secret-file: "/usr/local/etc/unbound_cookiesecrets.txt" # Enable to attach Extended DNS Error codes (RFC8914) to responses. - # ede: no ++ # Fedora defaults to yes. + ede: yes # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale # Answer as EDNS0 option to expired responses. # Note that the ede option above needs to be enabled for this to work. - # ede-serve-expired: no ++ # Fedora defaults to yes. + ede-serve-expired: yes # Specific options for ipsecmod. Unbound needs to be configured with # --enable-ipsecmod for these to take effect. -@@ -1058,12 +1093,14 @@ server: +@@ -1063,12 +1100,14 @@ server: # Enable or disable ipsecmod (it still needs to be defined in # module-config above). Can be used when ipsecmod needs to be # enabled/disabled via remote-control(below). @@ -391,7 +393,7 @@ index 0368c8d..9ece701 100644 # When enabled Unbound will reply with SERVFAIL if the return value of # the ipsecmod-hook is not 0. # ipsecmod-strict: no -@@ -1096,7 +1133,7 @@ server: +@@ -1101,7 +1140,7 @@ server: # o and give a python-script to run. python: # Script file to load @@ -400,7 +402,7 @@ index 0368c8d..9ece701 100644 # Dynamic library config section. To enable: # o use --with-dynlibmodule to configure before compiling. -@@ -1107,13 +1144,14 @@ python: +@@ -1112,13 +1151,14 @@ python: # the module-config then you need one dynlib-file per instance. dynlib: # Script file to load @@ -417,7 +419,7 @@ index 0368c8d..9ece701 100644 # what interfaces are listened to for remote control. # give 0.0.0.0 and ::0 to listen to all interfaces. -@@ -1121,6 +1159,7 @@ remote-control: +@@ -1126,6 +1166,7 @@ remote-control: # are not used for that, so key and cert files need not be present. # control-interface: 127.0.0.1 # control-interface: ::1 @@ -425,7 +427,7 @@ index 0368c8d..9ece701 100644 # port number for remote control operations. # control-port: 8953 -@@ -1130,16 +1169,19 @@ remote-control: +@@ -1135,16 +1176,19 @@ remote-control: # control-use-cert: "yes" # Unbound server key file. @@ -449,7 +451,7 @@ index 0368c8d..9ece701 100644 # Stub zones. # Create entries like below, to make all queries for 'example.com' and -@@ -1161,6 +1203,10 @@ remote-control: +@@ -1166,6 +1210,10 @@ remote-control: # name: "example.org" # stub-host: ns.example.com. @@ -460,7 +462,7 @@ index 0368c8d..9ece701 100644 # Forward zones # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of servers. These servers have to handle -@@ -1178,6 +1224,10 @@ remote-control: +@@ -1183,6 +1231,10 @@ remote-control: # forward-zone: # name: "example.org" # forward-host: fwd.example.com @@ -471,7 +473,7 @@ index 0368c8d..9ece701 100644 # Authority zones # The data for these zones is kept locally, from a file or downloaded. -@@ -1188,27 +1238,28 @@ remote-control: +@@ -1193,27 +1245,28 @@ remote-control: # download it), primary: fetches with AXFR and IXFR, or url to zonefile. # With allow-notify: you can give additional (apart from primaries and urls) # sources of notifies. @@ -521,7 +523,7 @@ index 0368c8d..9ece701 100644 # auth-zone: # name: "example.org" # for-downstream: yes -@@ -1234,6 +1285,9 @@ remote-control: +@@ -1239,6 +1292,9 @@ remote-control: # name: "anotherview" # local-zone: "example.com" refuse @@ -531,7 +533,7 @@ index 0368c8d..9ece701 100644 # DNSCrypt # To enable, use --enable-dnscrypt to configure before compiling. # Caveats: -@@ -1309,7 +1363,7 @@ remote-control: +@@ -1314,7 +1370,7 @@ remote-control: # dnstap-enable: no # # if set to yes frame streams will be used in bidirectional mode # dnstap-bidirectional: yes @@ -541,5 +543,5 @@ index 0368c8d..9ece701 100644 # # set it to "IPaddress[@port]" of the destination. # dnstap-ip: "" -- -2.44.0 +2.46.0 diff --git a/unbound.spec b/unbound.spec index 7b579f0..0248119 100644 --- a/unbound.spec +++ b/unbound.spec @@ -199,22 +199,15 @@ Python 3 modules and extensions for unbound %global pkgname %{name}-%{version}%{?extra_version} %if 0%{with_python2} && 0%{with_python3} -%global dir_primary %{pkgname}_python3 %global python_primary %{__python3} %global dir_secondary %{pkgname}_python2 %global python_secondary %{__python2} -%else -%global dir_primary %{pkgname} %endif -%autosetup -c -N -n %{pkgname} +%autosetup -N -n %{pkgname} -pushd %{pkgname} # patches go here -%autopatch -p2 - -# copy common doc files - after here, since it may be patched -cp -pr doc pythonmod libunbound ../ +%autopatch -p1 %if 0%{?rhel} > 8 # SHA-1 breaks some tests. Disable just some tests because of that. @@ -224,11 +217,9 @@ cp -pr doc pythonmod libunbound ../ mv testdata/${TEST}.rpl{,-disabled} done %endif -popd %if 0%{with_python2} && 0%{with_python3} -mv %{pkgname} %{dir_primary} -cp -a %{dir_primary} %{dir_secondary} + cp -a . %{dir_secondary} %endif %build @@ -246,14 +237,13 @@ cp -a %{dir_primary} %{dir_secondary} --with-dynlibmodule \\\ # -pushd %{dir_primary} - # always regenerate configure rm -f config.h.in aclocal.m4 configure ltmain.sh rm -f {ax_pthread,ax_swig_python}.m4 cp -p %{_datadir}/aclocal/{ax_pthread,ax_swig_python}.m4 . # ensure bison is used to generate fresh parser rm -f util/configparser.{c,h} util/configlexer.c + autoreconf -fiv %configure \ @@ -281,8 +271,6 @@ autoreconf -fiv %make_build %make_build streamtcp -popd - %if 0%{?python_secondary:1} pushd %{dir_secondary} %configure \ @@ -310,11 +298,9 @@ pushd %{dir_secondary} popd %endif -pushd %{dir_primary} %make_install unbound-event-install install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp install -p -m 0644 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf -popd install -d -m 0755 %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service @@ -335,11 +321,9 @@ for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unboun done %endif -pushd %{dir_primary} # install streamtcp man page install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1 install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc -popd # Install tmpfiles.d config install -d -m 0755 %{buildroot}%{_tmpfilesdir} %{buildroot}%{_sharedstatedir}/unbound @@ -411,15 +395,12 @@ fi %systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer %check -pushd %{dir_primary} #pushd pythonmod #make test #popd make check -popd - %if 0%{?python_secondary:1} pushd %{dir_secondary} #pushd pythonmod From f75d7592f82466179a469ab5cfbe02fe9e57a41b Mon Sep 17 00:00:00 2001 From: Tomas Korbar Date: Thu, 6 Feb 2025 15:20:22 +0100 Subject: [PATCH 04/11] Deactivate automatic root zone fetching Automatic maintained root zone is great for network resolvers, which are used by multiple machines. Its usage on every common device is not desired however, especially when used as localhost only cache daemon. Make it simple to activate local root zone by creating symlink in directory /etc/unbound/conf.d to /usr/share/unbound/conf.d/unbound-local-root.conf. But have it deactivated in default configuration. --- unbound-fedora-config.patch | 50 ------------------------------------- 1 file changed, 50 deletions(-) diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch index b4803b6..e1b3eca 100644 --- a/unbound-fedora-config.patch +++ b/unbound-fedora-config.patch @@ -473,56 +473,6 @@ index 130cb4e..7174d81 100644 # Authority zones # The data for these zones is kept locally, from a file or downloaded. -@@ -1193,27 +1245,28 @@ remote-control: - # download it), primary: fetches with AXFR and IXFR, or url to zonefile. - # With allow-notify: you can give additional (apart from primaries and urls) - # sources of notifies. --# auth-zone: --# name: "." --# primary: 170.247.170.2 # b.root-servers.net --# primary: 192.33.4.12 # c.root-servers.net --# primary: 199.7.91.13 # d.root-servers.net --# primary: 192.5.5.241 # f.root-servers.net --# primary: 192.112.36.4 # g.root-servers.net --# primary: 193.0.14.129 # k.root-servers.net --# primary: 192.0.47.132 # xfr.cjr.dns.icann.org --# primary: 192.0.32.132 # xfr.lax.dns.icann.org --# primary: 2801:1b8:10::b # b.root-servers.net --# primary: 2001:500:2::c # c.root-servers.net --# primary: 2001:500:2d::d # d.root-servers.net --# primary: 2001:500:2f::f # f.root-servers.net --# primary: 2001:500:12::d0d # g.root-servers.net --# primary: 2001:7fd::1 # k.root-servers.net --# primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org --# primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org --# fallback-enabled: yes --# for-downstream: no --# for-upstream: yes -+ auth-zone: -+ name: "." -+ primary: 170.247.170.2 # b.root-servers.net -+ primary: 192.33.4.12 # c.root-servers.net -+ primary: 199.7.91.13 # d.root-servers.net -+ primary: 192.5.5.241 # f.root-servers.net -+ primary: 192.112.36.4 # g.root-servers.net -+ primary: 193.0.14.129 # k.root-servers.net -+ primary: 192.0.47.132 # xfr.cjr.dns.icann.org -+ primary: 192.0.32.132 # xfr.lax.dns.icann.org -+ primary: 2801:1b8:10::b # b.root-servers.net -+ primary: 2001:500:2::c # c.root-servers.net -+ primary: 2001:500:2d::d # d.root-servers.net -+ primary: 2001:500:2f::f # f.root-servers.net -+ primary: 2001:500:12::d0d # g.root-servers.net -+ primary: 2001:7fd::1 # k.root-servers.net -+ primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org -+ primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org -+ fallback-enabled: yes -+ for-downstream: no -+ for-upstream: yes -+ - # auth-zone: - # name: "example.org" - # for-downstream: yes @@ -1239,6 +1292,9 @@ remote-control: # name: "anotherview" # local-zone: "example.com" refuse From c77221b7e77dfa465adb092a5d4de08e8133ac44 Mon Sep 17 00:00:00 2001 From: Tomas Korbar Date: Thu, 6 Feb 2025 16:02:50 +0100 Subject: [PATCH 05/11] Move defaults to separate configuration file Place distribution defaults into file provided in /usr/share/unbound. Include that file from default configuration before conf.d/*.conf is included, to ensure similar order is kept. Rely on remote-control to be configured by conf.d/remote-control.conf only. Moved parts from orinal unbound.conf to single file together. --- fedora-defaults.conf | 226 +++++++++++++++++++ remote-control-include.conf | 4 + remote-control.conf | 27 ++- unbound-as112-networks.conf | 118 ++++++++++ unbound-fedora-config.patch | 428 ++---------------------------------- unbound-local-root.conf | 30 +++ unbound.spec | 13 ++ 7 files changed, 435 insertions(+), 411 deletions(-) create mode 100644 fedora-defaults.conf create mode 100644 remote-control-include.conf create mode 100644 unbound-as112-networks.conf create mode 100644 unbound-local-root.conf diff --git a/fedora-defaults.conf b/fedora-defaults.conf new file mode 100644 index 0000000..5fee76f --- /dev/null +++ b/fedora-defaults.conf @@ -0,0 +1,226 @@ +# Fedora distribution defaults + +server: + # verbosity number, 0 is least verbose. 1 is default. + verbosity: 1 + + # print statistics to the log (for every thread) every N seconds. + # Set to "" or 0 to disable. Default is disabled. + # Needs to be disabled for munin plugin + statistics-interval: 0 + + # enable cumulative statistics, without clearing them after printing. + # Needs to be disabled for munin plugin + statistics-cumulative: no + + # enable extended statistics (query types, answer codes, status) + # Needs to be enabled for munin plugin + extended-statistics: yes + + # number of threads to create. 1 disables threading. + # num-threads: 1 + num-threads: 4 + + # specify the interfaces to answer queries from by ip-address. + # The default is to listen to localhost (127.0.0.1 and ::1). + # specify 0.0.0.0 and ::0 to bind to all available interfaces. + # specify every interface[@port] on a new 'interface:' labelled line. + # The listen interfaces are not changed on reload, only on restart. + # interface: 0.0.0.0 + # interface: ::0 + # interface: 192.0.2.153 + # interface: 192.0.2.154 + # interface: 192.0.2.154@5003 + # interface: 2001:DB8::5 + # interface: eth0@5003 + # + # for dns over tls and raw dns over port 80 + # interface: 0.0.0.0@443 + # interface: ::0@443 + # interface: 0.0.0.0@80 + # interface: ::0@80 + + # enable this feature to copy the source address of queries to reply. + # Socket options are not supported on all platforms. experimental. + # interface-automatic: yes + # + # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0 + # NOTE: Disabled per Fedora policy not to listen to * on default install + # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled + interface-automatic: no + + # permit Unbound to use this port number or port range for + # making outgoing queries, using an outgoing interface. + # Only ephemeral ports are allowed by SElinux + outgoing-port-permit: 32768-60999 + + # IANA-assigned port numbers. + # If multiple outgoing-port-permit and outgoing-port-avoid options + # are present, they are processed in order. + # Our SElinux policy does not allow non-ephemeral ports to be used + outgoing-port-avoid: 0-32767 + outgoing-port-avoid: 61000-65535 + + # use SO_REUSEPORT to distribute queries over threads. + # at extreme load it could be better to turn it off to distribute even. + so-reuseport: yes + + # use IP_TRANSPARENT so the interface: addresses can be non-local + # and you can config non-existing IPs that are going to work later on + # (uses IP_BINDANY on FreeBSD). + ip-transparent: yes + + # Enable UDP, "yes" or "no". + # NOTE: if setting up an Unbound on tls443 for public use, you might want to + # disable UDP to avoid being used in DNS amplification attacks. + # do-udp: yes + + # Enable EDNS TCP keepalive option. + edns-tcp-keepalive: yes + + # Fedora note: do not activate this - not compiled in because + # it causes frequent unbound crashes. Also, socket activation + # is bad when you have things like dnsmasq also running with libvirt. + # Use systemd socket activation for UDP, TCP, and control sockets. + # use-systemd: no + + # If you give "" no chroot is performed. The path must not end in a /. + # chroot: "/etc/unbound" + chroot: "" + + # If you give a server: directory: dir before include: file statements + # then those includes can be relative to the working directory. + directory: "/etc/unbound" + + # print UTC timestamp in ascii to logfile, default is epoch in seconds. + log-time-ascii: yes + + # Harden against unseemly large queries. + harden-large-queries: yes + + # Default off, because the lookups burden the server. Experimental + # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. + harden-referral-path: yes + + # Sent minimum amount of information to upstream servers to enhance + # privacy. Only sent minimum required labels of the QNAME and set QTYPE + # to A when possible. + qname-minimisation: yes + + # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN + # and other denials, using information from previous NXDOMAINs answers. + aggressive-nsec: yes + + # threshold, a warning is printed and a defensive action is taken, + # the cache is cleared to flush potential poison out of it. + # A suggested value is 10000000, the default is 0 (turned off). + unwanted-reply-threshold: 10000000 + + # if yes, perform prefetching of almost expired message cache entries. + prefetch: yes + + # if yes, perform key lookups adjacent to normal lookups. + prefetch-key: yes + + # deny queries of type ANY with an empty response. + deny-any: yes + + # if yes, Unbound rotates RRSet order in response. + rrset-roundrobin: yes + + # if yes, Unbound doesn't insert authority/additional sections + # into response messages when those sections are not required. + minimal-responses: yes + + # module configuration of the server. A string with identifiers + # separated by spaces. Syntax: "[dns64] [validator] iterator" + # most modules have to be listed at the beginning of the line, + # except cachedb(just before iterator), and python (at the beginning, + # or, just before the iterator). + # For redis cachedb use: + # "ipsecmod validator cachedb iterator" + module-config: "ipsecmod validator iterator" + + # trust anchor signaling sends a RFC8145 key tag query after priming. + trust-anchor-signaling: yes + + # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel) + root-key-sentinel: yes + + # the trusted-keys { name flag proto algo "key"; }; clauses are read. + # you need external update procedures to track changes in keys. + # trusted-keys-file: "" + # + trusted-keys-file: /etc/unbound/keys.d/*.key + auto-trust-anchor-file: "/var/lib/unbound/root.key" + + # Should additional section of secure message also be kept clean of + # unsecure data. Useful to shield the users of this validator from + # potential bogus data in the additional section. All unsigned data + # in the additional section is removed from secure messages. + val-clean-additional: yes + + # Turn permissive mode on to permit bogus messages. Thus, messages + # for which security checks failed will be returned to clients, + # instead of SERVFAIL. It still performs the security checks, which + # result in interesting log files and possibly the AD bit in + # replies if the message is found secure. The default is off. + # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY + val-permissive-mode: no + + # Serve expired responses from cache, with serve-expired-reply-ttl in + # the response, and then attempt to fetch the data afresh. + serve-expired: yes + + # Limit serving of expired responses to configured seconds after + # expiration. 0 disables the limit. + serve-expired-ttl: 14400 + + # Have the validator log failed validations for your diagnosis. + # 0: off. 1: A line per failed user query. 2: With reason and bad IP. + val-log-level: 1 + + # service clients over TLS (on the TCP sockets) with plain DNS inside + # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. + # Give the certificate to use and private key. + # default is "" (disabled). requires restart to take effect. + # tls-service-key: "/etc/unbound/unbound_server.key" + # tls-service-pem: "/etc/unbound/unbound_server.pem" + + # Fedora/RHEL: use system-wide crypto policies + tls-ciphers: "PROFILE=SYSTEM" + + # Enable to attach Extended DNS Error codes (RFC8914) to responses. + # Fedora defaults to yes. + ede: yes + + # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale + # Answer as EDNS0 option to expired responses. + # Note that the ede option above needs to be enabled for this to work. + # Fedora defaults to yes. + ede-serve-expired: yes + + # Enable or disable ipsecmod (it still needs to be defined in + # module-config above). Can be used when ipsecmod needs to be + # enabled/disabled via remote-control(below). + # Fedora: module will be enabled on-demand by libreswan + ipsecmod-enabled: no + + # Path to executable external hook. It must be defined when ipsecmod is + # listed in module-config (above). + ipsecmod-hook: /usr/libexec/ipsec/_unbound-hook + +python: + # Script file to load + # python-script: "/etc/unbound/ubmodule-tst.py" + +# Remote control config section moved into own remote-control.conf + +# the module-config then you need one dynlib-file per instance. +dynlib: + # Script file to load + # dynlib-file: "/etc/unbound/dynlib.so" + +# Fedora: DNSCrypt support not enabled since it requires linking to +# another crypto library +# diff --git a/remote-control-include.conf b/remote-control-include.conf new file mode 100644 index 0000000..5688480 --- /dev/null +++ b/remote-control-include.conf @@ -0,0 +1,4 @@ +# Previous defaults allowed any process to change settings, CVE-2023-1488 +# If you want to modify remote configuration, replace this file with +# contents of included file and modify afterwards. +include: "/usr/share/unbound/conf.d/remote-control.conf" diff --git a/remote-control.conf b/remote-control.conf index 4561a63..6f6942e 100644 --- a/remote-control.conf +++ b/remote-control.conf @@ -1,9 +1,26 @@ # Remote control config section update. # Previous defaults allowed any process to change settings, CVE-2023-1488 +# This file can be used also by: unbound-control -c remote-control: - # set to an absolute path to use a unix local name pipe, certificates - # are not used for that, so key and cert files need not be present. - control-interface: "/run/unbound/control" + # Enable remote control with unbound-control(8) here. + # set up the keys and certificates with unbound-control-setup. + control-enable: yes - # For local sockets this option is ignored, and TLS is not used. - control-use-cert: "yes" + # set to an absolute path to use a unix local name pipe, certificates + # are not used for that, so key and cert files need not be present. + control-interface: "/run/unbound/control" + + # For local sockets this option is ignored, and TLS is not used. + control-use-cert: "yes" + + # Unbound server key file. + server-key-file: "/etc/unbound/unbound_server.key" + + # Unbound server certificate file. + server-cert-file: "/etc/unbound/unbound_server.pem" + + # unbound-control key file. + control-key-file: "/etc/unbound/unbound_control.key" + + # unbound-control certificate file. + control-cert-file: "/etc/unbound/unbound_control.pem" diff --git a/unbound-as112-networks.conf b/unbound-as112-networks.conf new file mode 100644 index 0000000..96c291f --- /dev/null +++ b/unbound-as112-networks.conf @@ -0,0 +1,118 @@ +# Allow forwarding of private ranges, which are marked forwardable by IANA +# https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml +# https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml +# https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml +# RFC 6303: Locally Served DNS Zones (https://www.rfc-editor.org/rfc/rfc6303.html) +# +# Using this configuration file will simplify forwarding to potentially private ranges. +# Enables forwarding of networks marked as forwardable at IANA special registry. +# This is useful when upstream forwarder may be still inside private network. That is the case +# when unbound works as a localhost DNS cache, not network wide resolver. + +server: + # RFC 8375: Special-Use Domain 'home.arpa.' + local-zone: "home.arpa." nodefault + + # RFC 1918: Address Allocation for Private Internets + local-zone: "10.in-addr.arpa." nodefault + local-zone: "16.172.in-addr.arpa." nodefault + local-zone: "17.172.in-addr.arpa." nodefault + local-zone: "18.172.in-addr.arpa." nodefault + local-zone: "19.172.in-addr.arpa." nodefault + local-zone: "20.172.in-addr.arpa." nodefault + local-zone: "21.172.in-addr.arpa." nodefault + local-zone: "22.172.in-addr.arpa." nodefault + local-zone: "23.172.in-addr.arpa." nodefault + local-zone: "24.172.in-addr.arpa." nodefault + local-zone: "25.172.in-addr.arpa." nodefault + local-zone: "26.172.in-addr.arpa." nodefault + local-zone: "27.172.in-addr.arpa." nodefault + local-zone: "28.172.in-addr.arpa." nodefault + local-zone: "29.172.in-addr.arpa." nodefault + local-zone: "30.172.in-addr.arpa." nodefault + local-zone: "31.172.in-addr.arpa." nodefault + local-zone: "168.192.in-addr.arpa." nodefault + # RFC 6598: IANA-Reserved IPv4 Prefix for Shared Address Space + local-zone: "64.100.in-addr.arpa." nodefault + local-zone: "65.100.in-addr.arpa." nodefault + local-zone: "66.100.in-addr.arpa." nodefault + local-zone: "67.100.in-addr.arpa." nodefault + local-zone: "68.100.in-addr.arpa." nodefault + local-zone: "69.100.in-addr.arpa." nodefault + local-zone: "70.100.in-addr.arpa." nodefault + local-zone: "71.100.in-addr.arpa." nodefault + local-zone: "72.100.in-addr.arpa." nodefault + local-zone: "73.100.in-addr.arpa." nodefault + local-zone: "74.100.in-addr.arpa." nodefault + local-zone: "75.100.in-addr.arpa." nodefault + local-zone: "76.100.in-addr.arpa." nodefault + local-zone: "77.100.in-addr.arpa." nodefault + local-zone: "78.100.in-addr.arpa." nodefault + local-zone: "79.100.in-addr.arpa." nodefault + local-zone: "80.100.in-addr.arpa." nodefault + local-zone: "81.100.in-addr.arpa." nodefault + local-zone: "82.100.in-addr.arpa." nodefault + local-zone: "83.100.in-addr.arpa." nodefault + local-zone: "84.100.in-addr.arpa." nodefault + local-zone: "85.100.in-addr.arpa." nodefault + local-zone: "86.100.in-addr.arpa." nodefault + local-zone: "87.100.in-addr.arpa." nodefault + local-zone: "88.100.in-addr.arpa." nodefault + local-zone: "89.100.in-addr.arpa." nodefault + local-zone: "90.100.in-addr.arpa." nodefault + local-zone: "91.100.in-addr.arpa." nodefault + local-zone: "92.100.in-addr.arpa." nodefault + local-zone: "93.100.in-addr.arpa." nodefault + local-zone: "94.100.in-addr.arpa." nodefault + local-zone: "95.100.in-addr.arpa." nodefault + local-zone: "96.100.in-addr.arpa." nodefault + local-zone: "97.100.in-addr.arpa." nodefault + local-zone: "98.100.in-addr.arpa." nodefault + local-zone: "99.100.in-addr.arpa." nodefault + local-zone: "100.100.in-addr.arpa." nodefault + local-zone: "101.100.in-addr.arpa." nodefault + local-zone: "102.100.in-addr.arpa." nodefault + local-zone: "103.100.in-addr.arpa." nodefault + local-zone: "104.100.in-addr.arpa." nodefault + local-zone: "105.100.in-addr.arpa." nodefault + local-zone: "106.100.in-addr.arpa." nodefault + local-zone: "107.100.in-addr.arpa." nodefault + local-zone: "108.100.in-addr.arpa." nodefault + local-zone: "109.100.in-addr.arpa." nodefault + local-zone: "110.100.in-addr.arpa." nodefault + local-zone: "111.100.in-addr.arpa." nodefault + local-zone: "112.100.in-addr.arpa." nodefault + local-zone: "113.100.in-addr.arpa." nodefault + local-zone: "114.100.in-addr.arpa." nodefault + local-zone: "115.100.in-addr.arpa." nodefault + local-zone: "116.100.in-addr.arpa." nodefault + local-zone: "117.100.in-addr.arpa." nodefault + local-zone: "118.100.in-addr.arpa." nodefault + local-zone: "119.100.in-addr.arpa." nodefault + local-zone: "120.100.in-addr.arpa." nodefault + local-zone: "121.100.in-addr.arpa." nodefault + local-zone: "122.100.in-addr.arpa." nodefault + local-zone: "123.100.in-addr.arpa." nodefault + local-zone: "124.100.in-addr.arpa." nodefault + local-zone: "125.100.in-addr.arpa." nodefault + local-zone: "126.100.in-addr.arpa." nodefault + local-zone: "127.100.in-addr.arpa." nodefault + + # RFC 4193: Unique Local IPv6 Unicast Addresses + local-zone: "d.f.ip6.arpa." nodefault + + # RFC 2606: Reserved Top Level DNS Names + local-zone: "test." nodefault + domain-insecure: "test" + domain-insecure: "example" + + # RFC 6762: Multicast DNS, Appendix G + domain-insecure: "local" + domain-insecure: "intranet" + domain-insecure: "private" + domain-insecure: "corp" + domain-insecure: "home" + domain-insecure: "lan" + + # draft-davies-internal-tld + domain-insecure: "internal" diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch index e1b3eca..7142817 100644 --- a/unbound-fedora-config.patch +++ b/unbound-fedora-config.patch @@ -1,60 +1,20 @@ -From 71cbef33920b3b5704be7eab399da506ab51cde1 Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Fri, 10 Nov 2023 12:58:31 +0100 +From 41c489180eeecba97641f747ee6a43aa2c6d4299 Mon Sep 17 00:00:00 2001 +From: Tomas Korbar +Date: Thu, 6 Feb 2025 16:01:21 +0100 Subject: [PATCH] Customize unbound.conf for Fedora defaults Set some Fedora/RHEL specific changes to example configuration file. By patching upstream provided config file we would not need to manually update external copy in source RPM. --- - doc/example.conf.in | 196 ++++++++++++++++++++++++++++---------------- - 1 file changed, 126 insertions(+), 70 deletions(-) + doc/example.conf.in | 33 +++++++++++++++++++++++++++++++-- + 1 file changed, 31 insertions(+), 2 deletions(-) diff --git a/doc/example.conf.in b/doc/example.conf.in -index 130cb4e..7174d81 100644 +index dc2aa1c..a656bd7 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in -@@ -17,11 +17,12 @@ server: - # whitespace is not necessary, but looks cleaner. - - # verbosity number, 0 is least verbose. 1 is default. -- # verbosity: 1 -+ verbosity: 1 - - # print statistics to the log (for every thread) every N seconds. - # Set to "" or 0 to disable. Default is disabled. -- # statistics-interval: 0 -+ # Needs to be disabled for munin plugin -+ statistics-interval: 0 - - # enable shm for stats, default no. if you enable also enable - # statistics-interval, every time it also writes stats to the -@@ -32,11 +33,13 @@ server: - # shm-key: 11777 - - # enable cumulative statistics, without clearing them after printing. -- # statistics-cumulative: no -+ # Needs to be disabled for munin plugin -+ statistics-cumulative: no - - # enable extended statistics (query types, answer codes, status) -- # printed from unbound-control. Default off, because of speed. -- # extended-statistics: no -+ # printed from unbound-control. default off, because of speed. -+ # Needs to be enabled for munin plugin -+ extended-statistics: yes - - # Inhibits selected extended statistics (qtype, qclass, qopcode, rcode, - # rpz-actions) from printing if their value is 0. -@@ -44,22 +47,35 @@ server: - # statistics-inhibit-zero: yes - - # number of threads to create. 1 disables threading. -- # num-threads: 1 -+ num-threads: 4 - - # specify the interfaces to answer queries from by ip-address. - # The default is to listen to localhost (127.0.0.1 and ::1). +@@ -51,11 +51,19 @@ server: # specify 0.0.0.0 and ::0 to bind to all available interfaces. # specify every interface[@port] on a new 'interface:' labelled line. # The listen interfaces are not changed on reload, only on restart. @@ -74,53 +34,7 @@ index 130cb4e..7174d81 100644 # enable this feature to copy the source address of queries to reply. # Socket options are not supported on all platforms. experimental. -- # interface-automatic: no -+ # interface-automatic: yes -+ # -+ # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0 -+ # NOTE: Disabled per Fedora policy not to listen to * on default install -+ # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled -+ interface-automatic: no - - # instead of the default port, open additional ports separated by - # spaces when interface-automatic is enabled, by listing them here. -@@ -94,7 +110,8 @@ server: - - # permit Unbound to use this port number or port range for - # making outgoing queries, using an outgoing interface. -- # outgoing-port-permit: 32768 -+ # Only ephemeral ports are allowed by SElinux -+ outgoing-port-permit: 32768-60999 - - # deny Unbound the use this of port number or port range for - # making outgoing queries, using an outgoing interface. -@@ -103,7 +120,9 @@ server: - # IANA-assigned port numbers. - # If multiple outgoing-port-permit and outgoing-port-avoid options - # are present, they are processed in order. -- # outgoing-port-avoid: "3200-3208" -+ # Our SElinux policy does not allow non-ephemeral ports to be used -+ outgoing-port-avoid: 0-32767 -+ outgoing-port-avoid: 61000-65535 - - # number of outgoing simultaneous tcp buffers to hold per thread. - # outgoing-num-tcp: 10 -@@ -121,12 +140,12 @@ server: - - # use SO_REUSEPORT to distribute queries over threads. - # at extreme load it could be better to turn it off to distribute even. -- # so-reuseport: yes -+ so-reuseport: yes - - # use IP_TRANSPARENT so the interface: addresses can be non-local - # and you can config non-existing IPs that are going to work later on - # (uses IP_BINDANY on FreeBSD). -- # ip-transparent: no -+ ip-transparent: yes - - # use IP_FREEBIND so the interface: addresses can be non-local - # and you can bind to nonexisting IPs and interfaces that are down. -@@ -276,6 +295,8 @@ server: +@@ -276,6 +284,8 @@ server: # nat64-prefix: 64:ff9b::0/96 # Enable UDP, "yes" or "no". @@ -129,16 +43,7 @@ index 130cb4e..7174d81 100644 # do-udp: yes # Enable TCP, "yes" or "no". -@@ -301,7 +322,7 @@ server: - # tcp-idle-timeout: 30000 - - # Enable EDNS TCP keepalive option. -- # edns-tcp-keepalive: no -+ edns-tcp-keepalive: yes - - # Timeout for EDNS TCP keepalive, in msec. Overrides tcp-idle-timeout - # if edns-tcp-keepalive is set. -@@ -311,6 +332,9 @@ server: +@@ -311,6 +321,9 @@ server: # can be dropped. Default is 0, disabled. In seconds, such as 3. # sock-queue-timeout: 0 @@ -148,188 +53,7 @@ index 130cb4e..7174d81 100644 # Use systemd socket activation for UDP, TCP, and control sockets. # use-systemd: no -@@ -424,6 +448,7 @@ server: - # - # If you give "" no chroot is performed. The path must not end in a /. - # chroot: "@UNBOUND_CHROOT_DIR@" -+ chroot: "" - - # if given, user privileges are dropped (after binding port), - # and the given username is assumed. Default is user "unbound". -@@ -435,7 +460,7 @@ server: - # is not changed. - # If you give a server: directory: dir before include: file statements - # then those includes can be relative to the working directory. -- # directory: "@UNBOUND_RUN_DIR@" -+ directory: "/etc/unbound" - - # the log file, "" means log to stderr. - # Use of this option sets use-syslog to "no". -@@ -450,7 +475,7 @@ server: - # log-identity: "" - - # print UTC timestamp in ascii to logfile, default is epoch in seconds. -- # log-time-ascii: no -+ log-time-ascii: yes - - # print one line with time, IP, name, type, class for every query. - # log-queries: no -@@ -522,22 +547,22 @@ server: - # harden-large-queries: no - - # Harden against out of zone rrsets, to avoid spoofing attempts. -- # harden-glue: yes -+ harden-glue: yes - - # Harden against receiving dnssec-stripped data. If you turn it - # off, failing to validate dnskey data for a trustanchor will - # trigger insecure mode for that zone (like without a trustanchor). - # Default on, which insists on dnssec data for trust-anchored zones. -- # harden-dnssec-stripped: yes -+ harden-dnssec-stripped: yes - - # Harden against queries that fall under dnssec-signed nxdomain names. -- # harden-below-nxdomain: yes -+ harden-below-nxdomain: yes - - # Harden the referral path by performing additional queries for - # infrastructure data. Validates the replies (if possible). - # Default off, because the lookups burden the server. Experimental - # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. -- # harden-referral-path: no -+ harden-referral-path: yes - - # Harden against algorithm downgrade when multiple algorithms are - # advertised in the DS record. If no, allows the weakest algorithm -@@ -551,7 +576,7 @@ server: - # Sent minimum amount of information to upstream servers to enhance - # privacy. Only sent minimum required labels of the QNAME and set QTYPE - # to A when possible. -- # qname-minimisation: yes -+ qname-minimisation: yes - - # QNAME minimisation in strict mode. Do not fall-back to sending full - # QNAME to potentially broken nameservers. A lot of domains will not be -@@ -561,7 +586,7 @@ server: - - # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN - # and other denials, using information from previous NXDOMAINs answers. -- # aggressive-nsec: yes -+ aggressive-nsec: yes - - # Use 0x20-encoded random bits in the query to foil spoof attempts. - # This feature is an experimental implementation of draft dns-0x20. -@@ -594,7 +619,7 @@ server: - # threshold, a warning is printed and a defensive action is taken, - # the cache is cleared to flush potential poison out of it. - # A suggested value is 10000000, the default is 0 (turned off). -- # unwanted-reply-threshold: 0 -+ unwanted-reply-threshold: 10000000 - - # Do not query the following addresses. No DNS queries are sent there. - # List one address per entry. List classless netblocks with /size, -@@ -606,20 +631,20 @@ server: - # do-not-query-localhost: yes - - # if yes, perform prefetching of almost expired message cache entries. -- # prefetch: no -+ prefetch: yes - - # if yes, perform key lookups adjacent to normal lookups. -- # prefetch-key: no -+ prefetch-key: yes - - # deny queries of type ANY with an empty response. -- # deny-any: no -+ deny-any: yes - - # if yes, Unbound rotates RRSet order in response. -- # rrset-roundrobin: yes -+ rrset-roundrobin: yes - - # if yes, Unbound doesn't insert authority/additional sections - # into response messages when those sections are not required. -- # minimal-responses: yes -+ minimal-responses: yes - - # true to disable DNSSEC lameness check in iterator. - # disable-dnssec-lame-check: no -@@ -629,7 +654,9 @@ server: - # most modules have to be listed at the beginning of the line, - # except cachedb(just before iterator), and python (at the beginning, - # or, just before the iterator). -- # module-config: "validator iterator" -+ # For redis cachedb use: -+ # "ipsecmod validator cachedb iterator" -+ module-config: "ipsecmod validator iterator" - - # File with trusted keys, kept uptodate using RFC5011 probes, - # initial file like trust-anchor-file, then it stores metadata. -@@ -643,10 +670,10 @@ server: - # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" - - # trust anchor signaling sends a RFC8145 key tag query after priming. -- # trust-anchor-signaling: yes -+ trust-anchor-signaling: yes - - # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel) -- # root-key-sentinel: yes -+ root-key-sentinel: yes - - # File with trusted keys for validation. Specify more than one file - # with several entries, one file per entry. -@@ -667,6 +694,9 @@ server: - # the trusted-keys { name flag proto algo "key"; }; clauses are read. - # you need external update procedures to track changes in keys. - # trusted-keys-file: "" -+ # -+ trusted-keys-file: /etc/unbound/keys.d/*.key -+ auto-trust-anchor-file: "/var/lib/unbound/root.key" - - # Ignore chain of trust. Domain is treated as insecure. - # domain-insecure: "example.com" -@@ -694,14 +724,15 @@ server: - # unsecure data. Useful to shield the users of this validator from - # potential bogus data in the additional section. All unsigned data - # in the additional section is removed from secure messages. -- # val-clean-additional: yes -+ val-clean-additional: yes - - # Turn permissive mode on to permit bogus messages. Thus, messages - # for which security checks failed will be returned to clients, - # instead of SERVFAIL. It still performs the security checks, which - # result in interesting log files and possibly the AD bit in - # replies if the message is found secure. The default is off. -- # val-permissive-mode: no -+ # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY -+ val-permissive-mode: no - - # Ignore the CD flag in incoming queries and refuse them bogus data. - # Enable it if the only clients of Unbound are legacy servers (w2008) -@@ -715,11 +746,11 @@ server: - - # Serve expired responses from cache, with serve-expired-reply-ttl in - # the response, and then attempt to fetch the data afresh. -- # serve-expired: no -+ serve-expired: yes - # - # Limit serving of expired responses to configured seconds after - # expiration. 0 disables the limit. -- # serve-expired-ttl: 0 -+ serve-expired-ttl: 14400 - # - # Set the TTL of expired records to the serve-expired-ttl value after a - # failed attempt to retrieve the record from upstream. This makes sure -@@ -746,7 +777,7 @@ server: - - # Have the validator log failed validations for your diagnosis. - # 0: off. 1: A line per failed user query. 2: With reason and bad IP. -- # val-log-level: 0 -+ val-log-level: 1 - - # It is possible to configure NSEC3 maximum iteration counts per - # keysize. Keep this table very short, as linear search is done. -@@ -890,6 +921,8 @@ server: +@@ -890,6 +903,8 @@ server: # you need to do the reverse notation yourself. # local-data-ptr: "192.0.2.3 www.example.com" @@ -338,7 +62,7 @@ index 130cb4e..7174d81 100644 # tag a localzone with a list of tag names (in "" with spaces between) # local-zone-tag: "example.com" "tag2 tag3" -@@ -900,8 +933,8 @@ server: +@@ -900,8 +915,8 @@ server: # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. # Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. @@ -349,109 +73,20 @@ index 130cb4e..7174d81 100644 # tls-port: 853 # https-port: 443 -@@ -909,6 +942,8 @@ server: - # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" - # cipher setting for TLSv1.3 - # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" -+ # Fedora/RHEL: use system-wide crypto policies -+ tls-ciphers: "PROFILE=SYSTEM" - - # Pad responses to padded queries received over TLS - # pad-responses: yes -@@ -1050,12 +1085,14 @@ server: - # cookie-secret-file: "/usr/local/etc/unbound_cookiesecrets.txt" - - # Enable to attach Extended DNS Error codes (RFC8914) to responses. -- # ede: no -+ # Fedora defaults to yes. -+ ede: yes - - # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale - # Answer as EDNS0 option to expired responses. - # Note that the ede option above needs to be enabled for this to work. -- # ede-serve-expired: no -+ # Fedora defaults to yes. -+ ede-serve-expired: yes - - # Specific options for ipsecmod. Unbound needs to be configured with - # --enable-ipsecmod for these to take effect. -@@ -1063,12 +1100,14 @@ server: - # Enable or disable ipsecmod (it still needs to be defined in - # module-config above). Can be used when ipsecmod needs to be - # enabled/disabled via remote-control(below). -- # ipsecmod-enabled: yes -- # -+ # Fedora: module will be enabled on-demand by libreswan -+ ipsecmod-enabled: no -+ - # Path to executable external hook. It must be defined when ipsecmod is - # listed in module-config (above). - # ipsecmod-hook: "./my_executable" -- # -+ ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook -+ - # When enabled Unbound will reply with SERVFAIL if the return value of - # the ipsecmod-hook is not 0. - # ipsecmod-strict: no -@@ -1101,7 +1140,7 @@ server: - # o and give a python-script to run. - python: - # Script file to load -- # python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py" -+ # python-script: "/etc/unbound/ubmodule-tst.py" - - # Dynamic library config section. To enable: - # o use --with-dynlibmodule to configure before compiling. -@@ -1112,13 +1151,14 @@ python: - # the module-config then you need one dynlib-file per instance. - dynlib: - # Script file to load -- # dynlib-file: "@UNBOUND_SHARE_DIR@/dynlib.so" -+ # dynlib-file: "/etc/unbound/dynlib.so" - - # Remote control config section. - remote-control: - # Enable remote control with unbound-control(8) here. - # set up the keys and certificates with unbound-control-setup. -- # control-enable: no -+ # Note: required for unbound-munin package -+ control-enable: yes - - # what interfaces are listened to for remote control. - # give 0.0.0.0 and ::0 to listen to all interfaces. -@@ -1126,6 +1166,7 @@ remote-control: - # are not used for that, so key and cert files need not be present. - # control-interface: 127.0.0.1 - # control-interface: ::1 -+ # moved to /etc/unbound/conf.d/remote-control.conf - - # port number for remote control operations. - # control-port: 8953 -@@ -1135,16 +1176,19 @@ remote-control: - # control-use-cert: "yes" - - # Unbound server key file. -- # server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key" -+ server-key-file: "/etc/unbound/unbound_server.key" - - # Unbound server certificate file. -- # server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem" -+ server-cert-file: "/etc/unbound/unbound_server.pem" - - # unbound-control key file. -- # control-key-file: "@UNBOUND_RUN_DIR@/unbound_control.key" -+ control-key-file: "/etc/unbound/unbound_control.key" - +@@ -1146,6 +1161,12 @@ remote-control: # unbound-control certificate file. -- # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem" -+ control-cert-file: "/etc/unbound/unbound_control.pem" + # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem" + ++# Default Fedora settings ++include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf" + +# Stub and Forward zones -+include: /etc/unbound/conf.d/*.conf - ++include: "@sysconfdir@/unbound/conf.d/*.conf" ++ # Stub zones. # Create entries like below, to make all queries for 'example.com' and -@@ -1166,6 +1210,10 @@ remote-control: + # 'example.org' go to the given list of nameservers. list zero or more +@@ -1166,6 +1187,10 @@ remote-control: # name: "example.org" # stub-host: ns.example.com. @@ -462,7 +97,7 @@ index 130cb4e..7174d81 100644 # Forward zones # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of servers. These servers have to handle -@@ -1183,6 +1231,10 @@ remote-control: +@@ -1183,6 +1208,10 @@ remote-control: # forward-zone: # name: "example.org" # forward-host: fwd.example.com @@ -473,25 +108,6 @@ index 130cb4e..7174d81 100644 # Authority zones # The data for these zones is kept locally, from a file or downloaded. -@@ -1239,6 +1292,9 @@ remote-control: - # name: "anotherview" - # local-zone: "example.com" refuse - -+# Fedora: DNSCrypt support not enabled since it requires linking to -+# another crypto library -+# - # DNSCrypt - # To enable, use --enable-dnscrypt to configure before compiling. - # Caveats: -@@ -1314,7 +1370,7 @@ remote-control: - # dnstap-enable: no - # # if set to yes frame streams will be used in bidirectional mode - # dnstap-bidirectional: yes --# dnstap-socket-path: "@DNSTAP_SOCKET_PATH@" -+# dnstap-socket-path: "/etc/unbound/dnstap.sock" - # # if "" use the unix socket in dnstap-socket-path, otherwise, - # # set it to "IPaddress[@port]" of the destination. - # dnstap-ip: "" -- -2.46.0 +2.48.1 diff --git a/unbound-local-root.conf b/unbound-local-root.conf new file mode 100644 index 0000000..4ba5e9d --- /dev/null +++ b/unbound-local-root.conf @@ -0,0 +1,30 @@ +# Authority zones +# The data for these zones is kept locally, from a file or downloaded. +# The data can be served to downstream clients, or used instead of the +# upstream (which saves a lookup to the upstream). +# +# Download local root copy and answer TLD queries from it. Because +# auth-zone has higher precedence, defined forward-zones to internal +# only TLD will not work. Use stub-zone or disable this zone. +# Good for a network-wide resolvers, worse for a localhost caching forwarder. +auth-zone: + name: "." + primary: 170.247.170.2 # b.root-servers.net + primary: 192.33.4.12 # c.root-servers.net + primary: 199.7.91.13 # d.root-servers.net + primary: 192.5.5.241 # f.root-servers.net + primary: 192.112.36.4 # g.root-servers.net + primary: 193.0.14.129 # k.root-servers.net + primary: 192.0.47.132 # xfr.cjr.dns.icann.org + primary: 192.0.32.132 # xfr.lax.dns.icann.org + primary: 2801:1b8:10::b # b.root-servers.net + primary: 2001:500:2::c # c.root-servers.net + primary: 2001:500:2d::d # d.root-servers.net + primary: 2001:500:2f::f # f.root-servers.net + primary: 2001:500:12::d0d # g.root-servers.net + primary: 2001:7fd::1 # k.root-servers.net + primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org + primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org + fallback-enabled: yes + for-downstream: no + for-upstream: yes diff --git a/unbound.spec b/unbound.spec index 0248119..a9369eb 100644 --- a/unbound.spec +++ b/unbound.spec @@ -59,6 +59,10 @@ Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/ Source20: unbound.sysusers Source21: remote-control.conf Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc +Source23: unbound-as112-networks.conf +Source24: unbound-local-root.conf +Source25: remote-control-include.conf +Source26: fedora-defaults.conf # Downstream configuration changes Patch1: unbound-fedora-config.patch @@ -229,6 +233,7 @@ Python 3 modules and extensions for unbound --enable-relro-now --enable-pie \\\ --enable-subnet --enable-ipsecmod \\\ --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\ + --with-share-dir=%{_datadir}/%{name} \\\ --with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\ --enable-sha2 --disable-gost --enable-ecdsa \\\ --with-rootkey-file=%{_sharedstatedir}/%{name}/root.key \\\ @@ -360,6 +365,13 @@ install -p -m 0644 %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/ install -p -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/ install -p -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/ install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/ +install -p -m 0644 %{SOURCE25} %{buildroot}%{_sysconfdir}/unbound/conf.d/remote-control.conf + +mkdir -p %{buildroot}%{_datadir}/%{name}/conf.d +install -p -m 0644 %{SOURCE21} %{buildroot}%{_datadir}/%{name}/conf.d/ +install -p -m 0644 %{SOURCE23} %{buildroot}%{_datadir}/%{name}/conf.d/ +install -p -m 0644 %{SOURCE24} %{buildroot}%{_datadir}/%{name}/conf.d/ +install -p -m 0644 %{SOURCE26} %{buildroot}%{_datadir}/%{name}/ # Link unbound-control-setup.8 manpage to unbound-control.8 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8 @@ -432,6 +444,7 @@ popd %{_sbindir}/unbound-checkconf %{_sbindir}/unbound-control %{_sbindir}/unbound-control-setup +%{_datadir}/%{name}/ %{_mandir}/man5/* %exclude %{_mandir}/man8/unbound-anchor* %{_mandir}/man8/* From f199f04259acf3b2e521c1c893d2196b5f306f5d Mon Sep 17 00:00:00 2001 From: Tomas Korbar Date: Thu, 6 Feb 2025 16:30:53 +0100 Subject: [PATCH 06/11] Use ip-freebind: yes or add After=network-online.target if interface: specifies exact address, not localhost nor wildcard. It should not be used by default when only localhost listening is enabled. Default configuration does not need it. --- unbound.service | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/unbound.service b/unbound.service index 74321c7..86ada76 100644 --- a/unbound.service +++ b/unbound.service @@ -1,6 +1,9 @@ [Unit] Description=Unbound recursive Domain Name Server -After=network-online.target +After=network.target +# Use ip-freebind: yes or add After=network-online.target, rhbz#2338429, +# if interface: specifies exact address, not localhost nor wildcard +#After=network-online.target After=unbound-keygen.service Wants=unbound-keygen.service After=unbound-anchor.service From 8dcd587f5c1c167e1103e7bfab1b9a37dff7170a Mon Sep 17 00:00:00 2001 From: Tomas Korbar Date: Thu, 6 Feb 2025 16:32:25 +0100 Subject: [PATCH 07/11] Add dracut module Dracut module allows unbound to be used as resolver in initramfs. It is set before to network-online.target to ensure that other services which depend on name resolution have general synchronization point when they can expect unbound to be configured and listening. --- module-setup.sh | 44 ++++++++++++++++++++++++++++++++++++++++++++ unbound-initrd.conf | 5 +++++ unbound.spec | 18 ++++++++++++++++++ 3 files changed, 67 insertions(+) create mode 100644 module-setup.sh create mode 100644 unbound-initrd.conf diff --git a/module-setup.sh b/module-setup.sh new file mode 100644 index 0000000..439bc6d --- /dev/null +++ b/module-setup.sh @@ -0,0 +1,44 @@ +#!/usr/bin/bash + +check() { + require_binaries unbound unbound-checkconf unbound-control || return 1 + # the module will be only included if explicitly required either + # by configuration or another module + return 255 +} + +depends() { + # because of pid file we need sysusers to create unbound user + echo systemd systemd-sysusers + return 0 +} + +install() { + # We have to make unbound wanted by network-online target to make sure + # there is a synchronization point when other services are able + # to make queries + inst_simple "$moddir"/unbound-initrd.conf /etc/systemd/system/unbound.service.d/unbound-initrd.conf + + # /etc and /var/lib do not have its variables + inst_multiple -o \ + "$systemdsystemunitdir"/unbound.service \ + /etc/unbound/conf.d/remote-control.conf \ + /etc/unbound/openssl-sha1.conf \ + /usr/share/unbound/fedora-defaults.conf \ + /usr/share/unbound/conf.d/*.conf \ + /etc/unbound/local.d/*.conf \ + /etc/unbound/keys.d/*.key \ + /etc/unbound/unbound.conf \ + /etc/unbound/unbound_control.key \ + /etc/unbound/unbound_control.pem \ + /etc/unbound/unbound_server.key \ + /etc/unbound/unbound_server.pem \ + "$sysusers"/unbound.conf \ + "$tmpfilesdir"/unbound.conf \ + /var/lib/unbound/root.key \ + unbound \ + unbound-checkconf \ + unbound-control + + $SYSTEMCTL -q --root "$initdir" enable unbound.service +} diff --git a/unbound-initrd.conf b/unbound-initrd.conf new file mode 100644 index 0000000..7838b3d --- /dev/null +++ b/unbound-initrd.conf @@ -0,0 +1,5 @@ +[Unit] +Before=network-online.target + +[Install] +WantedBy=network-online.target diff --git a/unbound.spec b/unbound.spec index a9369eb..8305aeb 100644 --- a/unbound.spec +++ b/unbound.spec @@ -63,6 +63,8 @@ Source23: unbound-as112-networks.conf Source24: unbound-local-root.conf Source25: remote-control-include.conf Source26: fedora-defaults.conf +Source27: module-setup.sh +Source28: unbound-initrd.conf # Downstream configuration changes Patch1: unbound-fedora-config.patch @@ -195,6 +197,14 @@ Conflicts: python2-unbound < 1.9.3 Python 3 modules and extensions for unbound %endif +%package dracut +Summary: Unbound dracut module +Requires: dracut%{?_isa} +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description dracut +Unbound dracut module allowing use of Unbound for name resolution +in initramfs. %prep %if 0%{?fedora} @@ -376,6 +386,11 @@ install -p -m 0644 %{SOURCE26} %{buildroot}%{_datadir}/%{name}/ # Link unbound-control-setup.8 manpage to unbound-control.8 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8 +# install dracut module +mkdir -p %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound + +install -p -m 0755 %{SOURCE27} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound +install -p -m 0644 %{SOURCE28} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound %pre libs %sysusers_create_compat %{SOURCE20} @@ -506,5 +521,8 @@ popd %{_sbindir}/unbound-streamtcp %{_mandir}/man1/unbound-* +%files dracut +%{_prefix}/lib/dracut/modules.d/99unbound + %changelog %autochangelog From 85b4661d362d106f7e1e3a194b67f11b8ba8aa34 Mon Sep 17 00:00:00 2001 From: Tomas Korbar Date: Thu, 6 Feb 2025 16:33:32 +0100 Subject: [PATCH 08/11] Enabled libsystemd and change unbound service type to notify-reload "notify-reload" service type allows unbound to notify systemd not only about its readiness on startup but also about start and finish of reloading process. --- unbound.service | 2 +- unbound.spec | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/unbound.service b/unbound.service index 86ada76..66a8a34 100644 --- a/unbound.service +++ b/unbound.service @@ -12,7 +12,7 @@ Before=nss-lookup.target Wants=nss-lookup.target [Service] -Type=simple +Type=notify-reload EnvironmentFile=-/etc/sysconfig/unbound ExecStartPre=/usr/sbin/unbound-checkconf ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS diff --git a/unbound.spec b/unbound.spec index 8305aeb..c2b4ec0 100644 --- a/unbound.spec +++ b/unbound.spec @@ -2,7 +2,7 @@ %{?!with_python3: %global with_python3 1} %{?!with_munin: %global with_munin 1} %bcond_without dnstap -%bcond_with systemd +%bcond_without systemd %bcond_without doh %bcond_with redis From 32330fa65ef2d2301af456e22684c18de9562049 Mon Sep 17 00:00:00 2001 From: Tomas Korbar Date: Fri, 7 Feb 2025 14:30:54 +0100 Subject: [PATCH 09/11] Change service type to notify notify-reload was a mistake. It unconditionally sends signal to service process additionally to executing ExecReload which does not make sense. --- unbound.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unbound.service b/unbound.service index 66a8a34..d476504 100644 --- a/unbound.service +++ b/unbound.service @@ -12,7 +12,7 @@ Before=nss-lookup.target Wants=nss-lookup.target [Service] -Type=notify-reload +Type=notify EnvironmentFile=-/etc/sysconfig/unbound ExecStartPre=/usr/sbin/unbound-checkconf ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS From b4c4d24c699313bf75d781fa0d270526e0c72de1 Mon Sep 17 00:00:00 2001 From: Tomas Korbar Date: Mon, 10 Feb 2025 15:45:48 +0100 Subject: [PATCH 10/11] Add possibility to disable unbound-anchor by file presence --- tmpfiles-unbound.conf | 2 +- unbound-anchor.service | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tmpfiles-unbound.conf b/tmpfiles-unbound.conf index bb88f01..c09cc75 100644 --- a/tmpfiles-unbound.conf +++ b/tmpfiles-unbound.conf @@ -1 +1 @@ -D /run/unbound 0755 unbound unbound - +D /run/unbound 0775 unbound root - diff --git a/unbound-anchor.service b/unbound-anchor.service index 59683c8..1116243 100644 --- a/unbound-anchor.service +++ b/unbound-anchor.service @@ -6,5 +6,5 @@ Documentation=man:unbound-anchor(8) Type=oneshot User=unbound EnvironmentFile=-/etc/sysconfig/unbound -ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi' +ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ] || [ -f /run/unbound/anchor-disable ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi' SuccessExitStatus=1 From 064be41a0333b27e2549cf5d689463badd9436eb Mon Sep 17 00:00:00 2001 From: Tomas Korbar Date: Mon, 10 Feb 2025 21:14:05 +0100 Subject: [PATCH 11/11] Fix ownership and mode record of rundir Previous change introduced mode change and group change of rundir but it was not changed in files section, so fix that. --- unbound.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index c2b4ec0..dbb7c78 100644 --- a/unbound.spec +++ b/unbound.spec @@ -442,7 +442,7 @@ popd %doc doc/CREDITS doc/FEATURES %{_unitdir}/%{name}.service %{_unitdir}/%{name}-keygen.service -%attr(0755,unbound,unbound) %dir %{_rundir}/%{name} +%attr(0775,unbound,root) %dir %{_rundir}/%{name} %attr(0644,root,root) %{_tmpfilesdir}/unbound.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d