From 2ee03600906ffdf666a076bf38420868d9677b44 Mon Sep 17 00:00:00 2001
From: Python Maint
Date: Fri, 7 Jun 2024 09:08:20 +0200
Subject: [PATCH 01/64] Rebuilt for Python 3.13
From b1fbf13e87c44119d2222dfb84613b75ed0fcae0 Mon Sep 17 00:00:00 2001
From: Fedora Release Engineering
Date: Sat, 20 Jul 2024 08:14:07 +0000
Subject: [PATCH 02/64] Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
From c7eee55bc6895c723d68fddec757d3f173b675b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Wed, 25 Sep 2024 13:09:58 +0200
Subject: [PATCH 03/64] Update to 1.21.0 (rhbz#2305092)
Features:
- Fix #1071: [FR] Clear both in-memory and cachedb module cache with `unbound-control flush*` commands.
- Fix #144: Port ipset to BSD pf tables.
- Add dnstap-sample-rate that logs only 1/N messages, for high volume server environments. Thanks Dan Luther.
- Add root key 38696 from 2024 for DNSSEC validation. It is added to the default root keys in unbound-anchor. The content can be inspected with `unbound-anchor -l`.
- Merge #1090: Cookie secret file. Adds `cookie-secret-file: "unbound_cookiesecrets.txt"` option to store cookie secrets for EDNS COOKIE secret rollover. The remote control add_cookie_secret, activate_cookie_secret and drop_cookie_secret commands can be used for rollover, the command print_cookie_secrets shows the values in use.
Lot of Bugs fixes.
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-21-0
---
 .gitignore | 2 ++
 sources | 4 ++--
 unbound-fedora-config.patch | 42 +++++++++++++++++++------------------
 unbound.spec | 2 +-
 4 files changed, 27 insertions(+), 23 deletions(-)
diff --git a/.gitignore b/.gitignore
index 2ad282d..a89efdb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -89,3 +89,5 @@ unbound-1.4.5.tar.gz
 /unbound-1.19.3.tar.gz.asc
 /unbound-1.20.0.tar.gz
 /unbound-1.20.0.tar.gz.asc
+/unbound-1.21.0.tar.gz
+/unbound-1.21.0.tar.gz.asc
diff --git a/sources b/sources
index 5a055a7..01a2cff 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (unbound-1.20.0.tar.gz) = 2f6bc76c03b71ca1c2cd2331dc72d62f51493d15e17c59af46b400e542fcabff22e6b9d33f750a3e5f918a0116f45afa760651b2d5aa2feadac151cbbd71b0bd
-SHA512 (unbound-1.20.0.tar.gz.asc) = 1586a320077c606c5c19f251615df54a61854f51acca02df1d391dcc2287aff2c641b009aeee1a98392f63719d70b6bac23ebb7d86b780f8a27cda6e114fc0ad
+SHA512 (unbound-1.21.0.tar.gz) = 481534271f443d72635025c79b83bb71bb77b96ae81ec74c7f82f1e958160f5d75489931bdbdf460a72c871268d33628be990d6acf3c5303f04f7ff347ad83c1
+SHA512 (unbound-1.21.0.tar.gz.asc) = 931181070e5ca6c9d6525bbaee5f2b556f36658c879dd63084d8059c83a122bee379720d80952420a116a9837c3ba1793917a2372167464e7a6b2e0520c69230
diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch
index f57207b..ea4d6e9 100644
--- a/unbound-fedora-config.patch
+++ b/unbound-fedora-config.patch
@@ -1,4 +1,4 @@
-From 79506679335ef1e02a960ccc7cfeda19348f5619 Mon Sep 17 00:00:00 2001
+From 88d3d8e8a28752b80a4bfd4ab2baaf45554a89a1 Mon Sep 17 00:00:00 2001
 From: Petr Mensik
 Date: Fri, 10 Nov 2023 12:58:31 +0100
 Subject: [PATCH] Customize unbound.conf for Fedora defaults
@@ -7,13 +7,13 @@ Set some Fedora/RHEL specific changes to example configuration file.
 By patching upstream provided config file we would not need to manually update external copy in source RPM.
 ---
- unbound-1.20.0/doc/example.conf.in | 194 ++++++++++++++++++-----------
- 1 file changed, 124 insertions(+), 70 deletions(-)
+ unbound-1.21.0/doc/example.conf.in | 196 ++++++++++++++++++-----------
+ 1 file changed, 126 insertions(+), 70 deletions(-)
-diff --git a/unbound-1.20.0/doc/example.conf.in b/unbound-1.20.0/doc/example.conf.in
-index 0368c8d..9ece701 100644
---- a/unbound-1.20.0/doc/example.conf.in
-+++ b/unbound-1.20.0/doc/example.conf.in
+diff --git a/unbound-1.21.0/doc/example.conf.in b/unbound-1.21.0/doc/example.conf.in
+index 130cb4e..7174d81 100644
+--- a/unbound-1.21.0/doc/example.conf.in
++++ b/unbound-1.21.0/doc/example.conf.in
@@ -17,11 +17,12 @@ server: # whitespace is not necessary, but looks cleaner. @@ -358,22 +358,24 @@ index 0368c8d..9ece701 100644 # Pad responses to padded queries received over TLS # pad-responses: yes -@@ -1045,12 +1080,12 @@ server: - # cookie-secret: <128 bit random hex string> +@@ -1050,12 +1085,14 @@ server: + # cookie-secret-file: "/usr/local/etc/unbound_cookiesecrets.txt" # Enable to attach Extended DNS Error codes (RFC8914) to responses. - # ede: no ++ # Fedora defaults to yes. + ede: yes # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale # Answer as EDNS0 option to expired responses. # Note that the ede option above needs to be enabled for this to work. - # ede-serve-expired: no ++ # Fedora defaults to yes. + ede-serve-expired: yes # Specific options for ipsecmod. Unbound needs to be configured with # --enable-ipsecmod for these to take effect. -@@ -1058,12 +1093,14 @@ server: +@@ -1063,12 +1100,14 @@ server: # Enable or disable ipsecmod (it still needs to be defined in # module-config above). Can be used when ipsecmod needs to be # enabled/disabled via remote-control(below). @@ -391,7 +393,7 @@ index 0368c8d..9ece701 100644 # When enabled Unbound will reply with SERVFAIL if the return value of # the ipsecmod-hook is not 0. # ipsecmod-strict: no -@@ -1096,7 +1133,7 @@ server: +@@ -1101,7 +1140,7 @@ server: # o and give a python-script to run. python: # Script file to load @@ -400,7 +402,7 @@ index 0368c8d..9ece701 100644 # Dynamic library config section. To enable: # o use --with-dynlibmodule to configure before compiling. -@@ -1107,13 +1144,14 @@ python: +@@ -1112,13 +1151,14 @@ python: # the module-config then you need one dynlib-file per instance. dynlib: # Script file to load 
@@ -417,7 +419,7 @@ index 0368c8d..9ece701 100644 # what interfaces are listened to for remote control. # give 0.0.0.0 and ::0 to listen to all interfaces. -@@ -1121,6 +1159,7 @@ remote-control: +@@ -1126,6 +1166,7 @@ remote-control: # are not used for that, so key and cert files need not be present. # control-interface: 127.0.0.1 # control-interface: ::1 @@ -425,7 +427,7 @@ index 0368c8d..9ece701 100644 # port number for remote control operations. # control-port: 8953 -@@ -1130,16 +1169,19 @@ remote-control: +@@ -1135,16 +1176,19 @@ remote-control: # control-use-cert: "yes" # Unbound server key file. @@ -449,7 +451,7 @@ index 0368c8d..9ece701 100644 # Stub zones. # Create entries like below, to make all queries for 'example.com' and -@@ -1161,6 +1203,10 @@ remote-control: +@@ -1166,6 +1210,10 @@ remote-control: # name: "example.org" # stub-host: ns.example.com. @@ -460,7 +462,7 @@ index 0368c8d..9ece701 100644 # Forward zones # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of servers. These servers have to handle -@@ -1178,6 +1224,10 @@ remote-control: +@@ -1183,6 +1231,10 @@ remote-control: # forward-zone: # name: "example.org" # forward-host: fwd.example.com @@ -471,7 +473,7 @@ index 0368c8d..9ece701 100644 # Authority zones # The data for these zones is kept locally, from a file or downloaded. -@@ -1188,27 +1238,28 @@ remote-control: +@@ -1193,27 +1245,28 @@ remote-control: # download it), primary: fetches with AXFR and IXFR, or url to zonefile. # With allow-notify: you can give additional (apart from primaries and urls) # sources of notifies. @@ -521,7 +523,7 @@ index 0368c8d..9ece701 100644 # auth-zone: # name: "example.org" # for-downstream: yes -@@ -1234,6 +1285,9 @@ remote-control: +@@ -1239,6 +1292,9 @@ remote-control: # name: "anotherview" # local-zone: "example.com" refuse 
@@ -531,7 +533,7 @@ index 0368c8d..9ece701 100644
 # DNSCrypt
 # To enable, use --enable-dnscrypt to configure before compiling.
 # Caveats:
-@@ -1309,7 +1363,7 @@ remote-control:
+@@ -1314,7 +1370,7 @@ remote-control:
 # dnstap-enable: no
 # # if set to yes frame streams will be used in bidirectional mode
 # dnstap-bidirectional: yes
@@ -541,5 +543,5 @@ index 0368c8d..9ece701 100644
 # # set it to "IPaddress[@port]" of the destination.
 # dnstap-ip: ""
 --
-2.44.0
+2.46.0
diff --git a/unbound.spec b/unbound.spec
index 17c922b..10281a5 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -32,7 +32,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.20.0
+Version: 1.21.0
 Release: %autorelease %{?extra_version:-e %{extra_version}}
 License: BSD-3-Clause
 Url: https://nlnetlabs.nl/projects/unbound/
From 9f287be368da5673ad1843c19f1239618441c830 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Wed, 25 Sep 2024 13:29:49 +0200
Subject: [PATCH 04/64] Enable native dynamic modules
Support modules similar to pythom modules, but implemented in native code.
---
 unbound.spec | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/unbound.spec b/unbound.spec
index 10281a5..99c0c32 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -242,7 +242,8 @@ cp -a %{dir_primary} %{dir_secondary}
 --with-rootkey-file=%{_sharedstatedir}/%{name}/root.key \\\
 --with-username=unbound \\\
 --enable-linux-ip-local-port-range \\\
-
+ --with-dynlibmodule \\\
+#
 pushd %{dir_primary}
From 06a30c3c57e19f8f67a973111e9243f0751026c9 Mon Sep 17 00:00:00 2001
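Review bot: The added `--with-dynlibmodule` compiles in a module that, as far as I recall upstream's dynlib code, dlopen()s whatever path `dynlib-file:` names in unbound.conf, so anyone who can edit the config or replace the file at that path gets native code running in the resolver process — a step beyond the Python module this commit compares it to. Nothing in the hunk records that trade-off, so a comment beside the flag would help, e.g. `# dynlib: module-config may dlopen() any .so named by dynlib-file:; keep it out of the shipped default`. It is also worth confirming that the Fedora config patch leaves `dynlib` out of `module-config` and the `dynlib-file:` line commented, since the patched example.conf is installed as /etc/unbound/unbound.conf. The configure argument list this hunk edits begins outside the hunk.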
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Wed, 25 Sep 2024 14:18:27 +0200
Subject: [PATCH 05/64] Remove additional subdirectory for python3 build
Python2 builds are not common anymore. Make basic unbound directory for primary build in normal default directory. Try subdirectory only for alternative secondary build, if enabled.
---
 unbound-fedora-config.patch | 10 +++++-----
 unbound.spec | 27 ++++----------------------
 2 files changed, 9 insertions(+), 28 deletions(-)
diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch
index ea4d6e9..b4803b6 100644
--- a/unbound-fedora-config.patch
+++ b/unbound-fedora-config.patch
@@ -1,4 +1,4 @@
-From 88d3d8e8a28752b80a4bfd4ab2baaf45554a89a1 Mon Sep 17 00:00:00 2001
+From 71cbef33920b3b5704be7eab399da506ab51cde1 Mon Sep 17 00:00:00 2001
 From: Petr Mensik
 Date: Fri, 10 Nov 2023 12:58:31 +0100
 Subject: [PATCH] Customize unbound.conf for Fedora defaults
@@ -7,13 +7,13 @@ Set some Fedora/RHEL specific changes to example configuration file.
 By patching upstream provided config file we would not need to manually update external copy in source RPM.
 ---
- unbound-1.21.0/doc/example.conf.in | 196 ++++++++++++++++++-----------
+ doc/example.conf.in | 196 ++++++++++++++++++++++++++++----------------
 1 file changed, 126 insertions(+), 70 deletions(-)
-diff --git a/unbound-1.21.0/doc/example.conf.in b/unbound-1.21.0/doc/example.conf.in
+diff --git a/doc/example.conf.in b/doc/example.conf.in
 index 130cb4e..7174d81 100644
---- a/unbound-1.21.0/doc/example.conf.in
-+++ b/unbound-1.21.0/doc/example.conf.in
+--- a/doc/example.conf.in
++++ b/doc/example.conf.in
 @@ -17,11 +17,12 @@ server:
 # whitespace is not necessary, but looks cleaner.
diff --git a/unbound.spec b/unbound.spec
index 99c0c32..7f63453 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -198,22 +198,15 @@ Python 3 modules and extensions for unbound
 %global pkgname %{name}-%{version}%{?extra_version}
 %if 0%{with_python2} && 0%{with_python3}
-%global dir_primary %{pkgname}_python3
 %global python_primary %{__python3}
 %global dir_secondary %{pkgname}_python2
 %global python_secondary %{__python2}
-%else
-%global dir_primary %{pkgname}
 %endif
-%autosetup -c -N -n %{pkgname}
+%autosetup -N -n %{pkgname}
-pushd %{pkgname}
 # patches go here
-%autopatch -p2
-
-# copy common doc files - after here, since it may be patched
-cp -pr doc pythonmod libunbound ../
+%autopatch -p1
 %if 0%{?rhel} > 8
 # SHA-1 breaks some tests. Disable just some tests because of that.
@@ -223,11 +216,9 @@ cp -pr doc pythonmod libunbound ../
 mv testdata/${TEST}.rpl{,-disabled}
 done
 %endif
-popd
 %if 0%{with_python2} && 0%{with_python3}
-mv %{pkgname} %{dir_primary}
-cp -a %{dir_primary} %{dir_secondary}
+ cp -a . %{dir_secondary}
 %endif
 %build
@@ -245,14 +236,13 @@ cp -a %{dir_primary} %{dir_secondary}
 --with-dynlibmodule \\\
 #
-pushd %{dir_primary}
-
 # always regenerate configure
 rm -f config.h.in aclocal.m4 configure ltmain.sh
 rm -f {ax_pthread,ax_swig_python}.m4
 cp -p %{_datadir}/aclocal/{ax_pthread,ax_swig_python}.m4 .
 # ensure bison is used to generate fresh parser
 rm -f util/configparser.{c,h} util/configlexer.c
+
 autoreconf -fiv
 %configure \
@@ -280,8 +270,6 @@ autoreconf -fiv
 %make_build
 %make_build streamtcp
-popd
-
 %if 0%{?python_secondary:1}
 pushd %{dir_secondary}
 %configure \
@@ -309,11 +297,9 @@ pushd %{dir_secondary}
 popd
 %endif
-pushd %{dir_primary}
 %make_install unbound-event-install
 install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp
 install -p -m 0644 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf
-popd
 install -d -m 0755 %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig
 install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service
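Review bot: `cp -a . %{dir_secondary}` now copies the extracted tree into a directory inside itself, because `%{dir_secondary}` (`%{pkgname}_python2`) is a relative path under the current directory once `%autosetup -c` and the sibling `%{dir_primary}` are gone; GNU cp refuses that with "cannot copy a directory into itself", so a build with both python2 and python3 enabled would stop in %prep. The smallest fix is to make the secondary tree a sibling, `%global dir_secondary ../%{pkgname}_python2`, which keeps the later `pushd %{dir_secondary}` working unchanged; if the python2 path is dead as the message suggests, removing the `with_python2` branch is cleaner than keeping an untested one. Current builds are unaffected since the branch only runs when both interpreters are enabled.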
@@ -334,11 +320,9 @@ for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unboun
 done
 %endif
-pushd %{dir_primary}
 # install streamtcp man page
 install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
 install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc
-popd
 # Install tmpfiles.d config
 install -d -m 0755 %{buildroot}%{_tmpfilesdir} %{buildroot}%{_sharedstatedir}/unbound
@@ -410,15 +394,12 @@ fi
 %systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer
 %check
-pushd %{dir_primary}
 #pushd pythonmod
 #make test
 #popd
 make check
-popd
-
 %if 0%{?python_secondary:1}
 pushd %{dir_secondary}
 #pushd pythonmod
From 07478f417b441a971876719f37cca3a8bb0790f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Thu, 3 Oct 2024 13:25:37 +0200
Subject: [PATCH 06/64] Disable SHA1 support to work with new default crypto-policy
https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer
Similar to RHEL9+, Fedora now does not allow using any SHA-1 hash for signature verification. This makes our unbound violate rfc 8624. This method of disabling sha1 at all times does not support validating in DEFAULT:SHA1 policy, where SHA1 algorithm would be accepted. That would require more complex machinery, which is not finished unfortunately. This change makes our unbound unsupporting SHA1, no matter which crypto policy is active.
Resolves: rhbz#2301344
---
 unbound.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/unbound.spec b/unbound.spec
index 7f63453..78ef319 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -258,7 +258,7 @@ autoreconf -fiv
 %if %{with doh}
 --with-libnghttp2 \
 %endif
-%if 0%{?rhel}
+%if 0%{?rhel} || 0%{?fedora} > 40
 --disable-sha1 \
 %endif
 %if %{with redis}
From a74fe60f128b54225df7106efc0becb1a48b44ba Mon Sep 17 00:00:00 2001
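Review bot: `--disable-sha1` removes RSASHA1 (5) and RSASHA1-NSEC3-SHA1 (7) from the validator, and a DNSSEC validator treats a zone signed only with algorithms it does not support as insecure rather than bogus (RFC 6840 §5.2), so on Fedora > 40 such zones silently lose validation and become spoofable instead of failing closed; the commit message records the RFC 8624 conflict but not this downgrade. A comment beside the flag should spell the failure mode out, e.g. `# SHA-1 signature verification is refused by crypto-policy; RSASHA1 zones (alg 5/7) then validate as insecure, not bogus`. Whether fail-open (this hunk) or fail-closed (leaving SHA-1 compiled in and letting OpenSSL reject the signature) is wanted is a policy decision, but it should be visible in the spec rather than implied. The `%configure` invocation this hunk edits starts and ends outside the hunk.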
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Thu, 3 Oct 2024 21:24:40 +0200
Subject: [PATCH 07/64] Update to 1.21.1 (rbhz#2316313)
https://github.com/NLnetLabs/unbound/releases/tag/release-1.21.1
A vulnerability has been discovered in Unbound when handling replies with very large RRsets that Unbound needs to perform name compression for.
---
 .gitignore | 2 +
 Yorgos.asc | 128 +++++++++++++++++++++++++++++++++++++++++++++++++++
 sources | 4 +-
 unbound.spec | 5 +-
 4 files changed, 135 insertions(+), 4 deletions(-)
 create mode 100644 Yorgos.asc
diff --git a/.gitignore b/.gitignore
index a89efdb..149c0ab 100644
--- a/.gitignore
+++ b/.gitignore
@@ -91,3 +91,5 @@ unbound-1.4.5.tar.gz
 /unbound-1.20.0.tar.gz.asc
 /unbound-1.21.0.tar.gz
 /unbound-1.21.0.tar.gz.asc
+/unbound-1.21.1.tar.gz
+/unbound-1.21.1.tar.gz.asc
diff --git a/Yorgos.asc b/Yorgos.asc
new file mode 100644
index 0000000..e18ec55
--- /dev/null
+++ b/Yorgos.asc
@@ -0,0 +1,128 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFfYHeYBEAC/8SdeXNspt9ZIoZRSL9juNLHA17TXcHdKSthgWBtwwWZbUPq8 +SJr7Y+hr6jMCDKY9800QzLF0nLkyXnZgaBcvR0rRbCT/qvALJ0fpfjcotapZ1hBv +omb9s8Bo28uKn8tbTMXYNsElUae4Ch/CrU1vfe50YoyQgLR8UBa15gV+2RmC+6jI +qxDYS8sylWlDn6Qim+77feLlObPnNdzgfWGZo14eJByTsz0qrh8aS/BS1FAsnEQ6 +W6AqukhpuKuWvoAUXKjfguXQolxeexubmKaLcGOTvecw+cbh/a5SPHRtRVr9qTxp +elk6UEpakY5K9UtZkrG55VWih/4KqY9bNyhJBtpAk1fXA+mYfx5BcFpECYdU9kz4 +UgV5jK0HYRHQTLC91PPVQgH86we+Aae6TaJneCLEIzBK36TgAP8RKrvFfPUym5OP +YbWOom27QTKfRVcyxPKglJxrTSWixnKWS/pqxNY8hF9Ne4crRAF4wX2yBVbGnjNr +S9TpYmjMwURbuYm+rWZk/8w5OJG60V3wax56c0jn/42O3Y2hzQ+PbOv2M4UuuajS +2YL3/KUsRLBapUpPQjzChwzdr/vzFEhk9XxK2VGMN+dh2HjYwDFendc5csyt/cVr +g3LssVS2bKy5g3IhrzCKAk0Sky4S5t/mcN+lWztNvCijuLz58GCym5GwJQARAQAB +tCtZb3Jnb3MgVGhlc3NhbG9uaWtlZnMgPHlvcmdvc0BubG5ldGxhYnMubmw+iQJX +BBMBCABBAhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAhkBFiEElI60IyLF0At5 +NA9dz/M0TZCHpJAFAmbz0CwFCRD85cYACgkQz/M0TZCHpJBVnhAAkcd79Twxj/tt +C4q2Xpq75+Ew6YR9gLqYiV5vEd6fu0oyhuVoUlfTkjH4ALIoGIKaO9yAVUXsrGrs +n1aJPo1Mw3q6mIwtQOxXz/W44LuFzcvZkHtCYX4YyLrUHXZPvl+r4eYkTOcyyQMU +BmbuvWhufv8MBilvWltQLxfLlgihbfuIrxqjAYDhqCffpgUiZyCut2rrenIgeh1f +DvC+GjZ3cfb1UsIpzm19yr4NCiTHkLkCOAAcAUFwWWeO/jfUsSvFQEHUnYNRREzI +Lth9NlKwPtsOVi+wcNnWQtFQb11BMr407xBib7hLSIFiqvOiYgQABjZdWN+snCRP +ZZSruigjE9ateOloJwmBqrSJLAywxvDE0ivqfSj51W5eJc/JLSXvjrOuW28dJCr8 +RV9PjC9X7zuTiFLzV8SVH71Z43Rix8n7AOp3wgRe3SygEyQXPj4qbm5HHVsx9GEA +zn495L99dJ4wZgjkbEsGhzwUx7N9FHEGS/sz3LiEq+ZYckR6gzTMMrQJgbsS9lnK +9xlXsp37uIYvx9W9JZXtS+AZhw0q3osMYBF68HPX8B9GBYlkQWmWSIMfzRYcD2n1 +5+XsfERK4mxcTWl2sCYpt8Sy3tADj9nQDabAlGUd/hlFS1dvDVQjGh6ER5S0nZjY +nmRsLl8nOTKhb2xY+2p1sDjxxQYJJQe0K0dlb3JnZSBUaGVzc2Fsb25pa2VmcyA8 +Z2VvcmdlQG5sbmV0bGFicy5ubD6JAlQEEwEIAD4CGyMFCwkIBwIGFQgJCgsCBBYC +AwECHgECF4AWIQSUjrQjIsXQC3k0D13P8zRNkIekkAUCZvPQPQUJEPzlxgAKCRDP +8zRNkIekkFfCEACheY1yr2Z+LPjm/Nd2eA4CFFO7nUQHI+a6lYBd57txrRuIicuG +pGjOhnvcioRwICiKNLJD3YTU+WOd+sbO7BXH2sw2KdU9NK1ojKX/SQiTg6upfJsu 
+gbgar2oPvR88B7oSiuonZnhEf72HfWKDSBXHpi6KC6S3JZ+o50NB3GBpwUL1lfKW +ovymYbN6tYQfqw/+AP5jUUNpkclC0RbcW69rpvrHHqeQV1AVKkm/jNQpWLKYTGF7 +bbdLkgMh3rHp8gmF0/GuK+oyL7xD+TEXfr3iqlDIVuxbxDN8xTti1RrERU/MWQar +qOSFZcr4t+nlwThJidDLF/u3h0Ymrjz92VTfCgELIwCKxGX7jAyLZHzuWAp+0Pr/ +yuHodbweGNcGVoXmIpK93/WZcfFlBcyQLECVcijmxd7Euk0xDk76RQpuuL5VOWqn +aZcf2uNfppwKFZJjcXwK+EQbwN7+RFNvLrwoRn/1xM57T5AYBAgSvKb6h0G5KwW6 +tJfJdSu1MHfCZS1hH1Gr4+UG+VbLCVmQ9N/lUs0bcD7pK+bA1W0YnsIVuaQ+YZUh +KrJoCUF0kVDtW9ETZkp0iVBm1Q9xgTGaxUTVmctOyAbdCLyHNra4fo1BAdGlu+IP +qAcktaBUKFxWxRxf9O5kGihce9anK8CJ/TCnQ7wSvyYrlAoBoQaS78VzYYkBHAQS +AQIABgUCV9kUOAAKCRAwkY2CdXJCIju1B/oCvf1kWYndNeLS6U2O6DtFAL2Ia5tY +Zukcyqb1hkYcrBiMZbQN94gX5a+6Q4pdd2n241r1ZuSWdwUhRUbF4mvbZMVsavnk +cvrRGviVIUXf71W0O/IsmQ9oN0Finhpf14Y4z/xqF8DpvJdkWc6X5g+RJuko6q2w +B7x2UfSyF4USp47LSmUQnC59IF8jzaElgBha3gwEuXL3d2qBepoV/e9RiXJClUAT ++O7qdxzDq1eiZ+NXUjDCmrkuWjHLAZAv0jx1KUTCQ2no62UM95igtJ+Kn56Lc2+J +CqFJztaZeX8CgXXryxNpsyhZJ33dIoLCT03K25wrV5Y+eag05slQ9sC3iQI9BBMB +CAAnBQJX2RCwAhsjBQkFo5qABQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAAoJEM/z +NE2Qh6SQ3JUP/2G3bRNObS7zsfN3rjkbjLxaDOwNggRdbeXM5rHDVEG9SWesCGaI +vyQdkSGQoIaKUgNv7Yp8O8pEnD4IwdhNSaXVIB3pBtdOD0UM1wuxRpfqJOUxZEoW +T2Jr31Tg2qepp6nT7UmdiF7uCBDy8Jm6k6Q+6UT58cPaesRQdSPi6Go7ho2/xVvK +Ve9ufSTSTdG5+7bJDu6Iv7sydKUEG4jPDqo+jjVLn1X6Rfp+E4JAvOvFrSJHW5sa +A332xV40GeV+aM1ndP7dPkz8+AGB3QD7JF2DLcqvLo0TYOvjnlOGYcNp8gzp23g9 +KFwe2sdbdtVpuWaJUSpXXiUZnFzrrVxDNiEBjqsPa5ysOxzJ+1gUbcrIjUeNeAFh +us4XL+IidPATnhTIX3X/uPRB87KaTaA8XUqsuSd2DM9mLxdHKC9Jf8D1t+ywYrek +Cp+K80vCtFPWBM4+w8nGugTNKJEGIXZDGFOF/c7r6xKkaOYK0Y+IGJawlV5LaADl +BmQpPk0ubYclwb07FcegaHSxxIqUo/kbyt1YV5mU+QVymZ+xyvIBrnW8hBuNWRvU +5acnIZibCERayo8ZuI+r/X3bLHfDx0oh2h+cL3utNZUqmgZNR0Di8P+x0hUYsYPO +TJaDBSgvxUtY0Ci+OWX38kffGGvhW3CM8V6skdVc8cp7Db7gxase4BxxtC5HZW9y +Z2UgVGhlc3NhbG9uaWtlZnMgPGdlb3JnZUBvcGVubmV0bGFicy5jb20+iQJUBBMB +CAA+AhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEElI60IyLF0At5NA9dz/M0 +TZCHpJAFAmbz0D0FCRD85cYACgkQz/M0TZCHpJBnFw/8CRLGJnNAP43mBniIP5R1 
+/10i4xG5s1Ka/y5C3aRgZUNaGMPLF8VmrC26HTPNhmduhn3j9gnBuSHgRAJUWs2K +o1q0A2/O5fFJvqPyEUl30gG8qkzFl5UGRUr7VNtBa6VpI7g78d3P4/H8THB0tYZ3 +GZv980QXwTE11aXjvPQu4e8sMOR1OVEEH+6hW1T0SvEKAMV1BHwuZAmC6HTfx5e7 +iGNWu/dwJsmwzqcAkuTTSqlmzZdIjZWJDL8pfnschkVilC3pEpEk5ExSkt/onOD2 +WCAKJUiPR6gRI2H6fE0PF8iG9isisvNhQ3MrWUIKS+1WOotoG7Bu7ob46viJKQuN +9t7KBqjdftjJHjmVop3mfX0UUEDPjkZXK5R/aUspXi4IGdM+9JijqxveicQegOhM +LcE8039Z0AaXn9IA0kQB05A4a+CEnoPL7qe+fIBJM5hZDrpMe4fAAGxiQzbRpdkZ +CrXmT+CRkhc/BvUJ5yoE1q++9Fw9eyMbPOak6GLckCIPy+Mqi4z+ZXNCtcPs3Qbc +/7AY8qyswRsD2t5bbe4g+fLEt9IsN3UvKFUKnQ88jcn9Zmps69msMDm9jEj/qo+j +QCriLLu8E1ZwhedNVOQN89w4Zww/BUyEnL4hng8Tw+RTV8Jtq5EvAleW5sZsnTzA +zn1ysZUyO/Pu7Br2jnGRAQyJARwEEgECAAYFAlfZFDwACgkQMJGNgnVyQiIHjAf/ +VrPMgIRjRTYi4cxOr5ewaim1hgJZO1oCJoMopwIvpZ2kAUqL/uPMT3wREe5bi79H +jXYcaX+RbrV4ZdzaajDUFCj867KGErxqtRkANJ1eNLcQmVwGNoFeTQbgEOBfKq1t +hRfMqHF3fxCPJp4z4U3kBPUpIQPERjgUdkH8fxZ34Omo1SLO1b0dVqsneezccBVv +Hj7gVoaWw65Ov7vngwNCKH3fjOkcoINTH/nEw4WWh6UV5ZN49GRqa6oWdUJMZbgB +w8z357RLN6YLe7KMh4oGpUIvfH6Vfq6CIb6s9pfgjAvq8O7p9n0/0FG77j84MuGw +fdhq8eSazO/j9LUCBM+8k4kCPQQTAQgAJwUCV9kQiwIbIwUJBaOagAULCQgHAgYV +CAkKCwIEFgIDAQIeAQIXgAAKCRDP8zRNkIekkN9pD/wI8JAyjJEIjUJNLRuARDDv +pJrQjAo/02naPcGs4yyUd7yRkhzVKLFLvif8XICxxLWk6FdT0PJeKGTvRoe2+Rje +c14rO30niRymWkBi36iDW46Dpt7Jx+LUDhUMYPL+woKSoHmbBGWLSYXKxaD8F93A +nVs97nP4PWpspv2BFiuwKGsSsOyyQPPvr7jCin3H5oPH9qDnIV0KonAYbzzEKod5 +t0Rgzo/nWXZBFXWC5xvKeghwkdT++gYS/ThvQY2ua6A1XRE8BntyldD081NPi3NO +dWa9m8ufFOJsEEiWcpdT+EWoDw5JyGAR7U3IOVl3BTo7shdcYEvRVrDMBpac+ItG +WvogUv7alBdHWi48amvZE06RI/nDJ/rxj13S/4POgMHU++aQI5a1G5H3jBu4cehH +4iT1UKmozfzVEfcHb2dsaKnnuFzQxmol0lZu1ETyof+Lxvs+wErN0QR+VDNweJEJ +PMXiEcjASdLtrEKgFSP2B5yGGzt93C+HbD+VQOU359aAnvVjbTAVz8izuMphd6Bz +Ix1q//q2VmxqjjT3Iv30hBRX02x2M8gsP/e49XWEll7stkMtbYhBU0sHQ2CqzLGh +gJN3ecpi2sKWVqN8HUZOwJFj6f9ZX76YSM23wIugHfscMAVJUXvBrbd151WIshOf +FFPo62sYGt+SEMXWeRcHjbQuWW9yZ29zIFRoZXNzYWxvbmlrZWZzIDx5b3Jnb3NA +b3Blbm5ldGxhYnMuY29tPokCVAQTAQgAPgIbIwULCQgHAgYVCAkKCwIEFgIDAQIe 
+AQIXgBYhBJSOtCMixdALeTQPXc/zNE2Qh6SQBQJm89A9BQkQ/OXGAAoJEM/zNE2Q +h6SQOf4QAIp5fEn+vVOqDuLrv8Li61UDVPE3v5b9ocPR7OMENeFpRH7K2p8xFkAM +f6JeS2ehbIjyUS8iGc+mZOalvZynJdOiHtys5r4lZanm1Rl+mWXb+nHGE/Oi4gQ3 +aEF/AwolbKi9oNXAiCtA3hmaI6FYWtAh5XOnyMG140dhlXMWzvN1ZAWXWioS33Fp +n9Z7xOsyG2Bmky69JjUQPD119noD4pEFtCipciiACVNdHGfI8QDT/8pMAxv/Q7tW ++7gyFztT1XvKONWyCfHjf1x60JQNPPM31x3xUVRz/sK+GyLq6VLiydvSZeUX3CzM +4bHixKKkSyvsX+bc9K/iLrXwZFhRdrRbpVQFpsdxv48mN5WsDlpN17KgMCyNiMDV +0VagYjZC5AurOo2mmS7PKAYGILaq3YwQ3nXYiuWfdXVW6EXtw/vdFOjFU6ppbaA3 +1+xyMDOLSGLr7f+gdZvlEc+5MX1F3mHpmuKN7clUju/HEOdVq1Bbla7BplPgqCaH +ZYCg/VHNt7ue7MYeEgTJ8OGgUDRNPa3PdU3YHRCuwJH1UzinD39K8R9/g9qiGJbC +87//1FGZp9lhIE5tja6F5pJ5GwJK9zC0iGj2NrwBvTKhuyF6W3ZQc2voYQn+gIq4 +sfbned7qpvpjLcMgIv/y82iVm2EtKtKYl982aA9S53pHqjV27kieuQINBFfYHeYB +EAC2h9yjSe2SgtcB0H+E0ndaewaZaQCE7q+RO43dotGH9eFnVwE4/ftcK1SN42ih +lF5OnTaKPyXvgQ6U8W8VB8eLjeTwA/dSXuJX7kJpEK8saPqJP6zTUmPqp/GSzS6Y +rhKLfpFn4chmywpDFcGNMz0sYXiJgPqKL7W0KuG+ziPToAeWl8ckeXyl77/lHVhW +YylaQJEASklqCViPXSp9vI7/57UEm4MQPXwsDBOwuVVqcSu3ZM5MtY9XlbVPNCYm +ZIMqmh8HgYwbiq9dTfJi+6v17+uDQGZewWK/WwFM+9dDx7YkTeOBiUduYtJPW64N +W/RJ7pskbLAy+OZApTZWg0cISN6GOmPN3F0AiWzUjvSMREHhFHyxj4Y15vuDOFvP +GFxr4xBiyMX1JLCKK6OFnyPfoJ9v/o3UgrQgLrfXCmKdvkwBCgJvN3Fsxzha6Dtf +6RcZ02fr7SCZZhdBrlrflvC1uWZ0g3A87ss7h4Iw3njlO3aX6Bo9R4VOLUkiRKi4 +hmQBxPvXxI2ERmKRomo6lrMaDMzIjD4APSM1vUfZguzQxVYpM8lwy1COeqxsj5p+ +LH6f/EU+4dXZwooJ1uanBOvG2ntnz8SErE+e7wNYE4a/fb8xYM4j7p6qYtnNZPb8 +sj8bvx8iWXp4A1csVetyVSchBhTVQhhNos6ouYpc4ibrYwARAQABiQI8BBgBCAAm +AhsMFiEElI60IyLF0At5NA9dz/M0TZCHpJAFAmbz0dUFCRD8528ACgkQz/M0TZCH +pJA7hg/7Bh0jb7nrp2EuU4BWK55VG+3zbrye/NdDy6eo3sVVOOO1r+jBMoJK3m1A +GWUx40ogZjRn8GMtJfxkL6wsep2P775smm7x1TH6s2dgreTj9J66gitKEgxF0tjo +JztmGJ8YKSGE4wKi37KvvSqCm1ecA8akBzJVo0B8/GtXpg+y/q3/KSY1ujW7Ihu3 +60JXT1FRXOiYfrzUKIBm8/UVnv7guPudaJf0eU4btoy4Ywzn1UXyi8BdxPIQrQDR +tt69ffcjX8BIEloK7FURLre/LhbVxlssdWYIEFQhIlb+nghZlUbWHf0Ue3L0SFFS +xV5otzQL2WjJKtCnTpSopSUmwYyT7wyAL1RokOemXL47WOfiLjiGuS+K/4lT7VHS 
+fdLsYinS0LYr5dmhc05s//kLyQ0OSKNh3SNAN+lM/klLE/pFwM4mo56C+seNEvCm
+sT53VPOOwp6JwsLKSqm8pu1fbVjT6laMc9BPi6KUjN/f7ZahCXNXOrA2uLnTlxw/
+ns1sOXSWZDWciZeL3kJeUQER5YZ59hzLYWAiJ+5KblWRlBMXb71FUp0Mh9V3dA5O
+BX3IlcF54qE50chGzLnfQf1YLuh13xxxc2WsdMZjiCj8CVDMkD6ekShfQK8nyQsK
+SJgdXcnw1CxcAVvsROtecUiD+DWrJcYExjSZ+zcI4+aRhp7uNt8=
+=iknu
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/sources b/sources
index 01a2cff..efb1f71 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (unbound-1.21.0.tar.gz) = 481534271f443d72635025c79b83bb71bb77b96ae81ec74c7f82f1e958160f5d75489931bdbdf460a72c871268d33628be990d6acf3c5303f04f7ff347ad83c1
-SHA512 (unbound-1.21.0.tar.gz.asc) = 931181070e5ca6c9d6525bbaee5f2b556f36658c879dd63084d8059c83a122bee379720d80952420a116a9837c3ba1793917a2372167464e7a6b2e0520c69230
+SHA512 (unbound-1.21.1.tar.gz) = 82be3faf5e4f9531342008105f5ab2ecc22a56faab1ef5c86420d85ef48443e5dac3455dbc654178a927e34ca4067c7655443f91a250b87945a63e9ba5f74ba7
+SHA512 (unbound-1.21.1.tar.gz.asc) = 5bb3961c210aefb20f91eb96f7d3980324e30cb2307c6c1187f016cacafcade7adcd95855faedfebc2c91464fd6c095511322364357c5b72525fc8e61c0ad248
diff --git a/unbound.spec b/unbound.spec
index 78ef319..73c8ecb 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -32,7 +32,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.21.0
+Version: 1.21.1
 Release: %autorelease %{?extra_version:-e %{extra_version}}
 License: BSD-3-Clause
 Url: https://nlnetlabs.nl/projects/unbound/
@@ -58,6 +58,7 @@ Source18: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
 Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
 Source20: unbound.sysusers
 Source21: remote-control.conf
+Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc
 # Downstream configuration changes
 Patch1: unbound-fedora-config.patch
@@ -193,7 +194,7 @@ Python 3 modules and extensions for unbound
 %prep
 %if 0%{?fedora}
-%{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}'
+%{gpgverify} --keyring='%{SOURCE22}' --signature='%{SOURCE18}' --data='%{SOURCE0}'
 %endif
 %global pkgname %{name}-%{version}%{?extra_version}
From aa830172e31b35fb4abad3f116a814a2b1517470 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Thu, 3 Oct 2024 21:24:40 +0200
Subject: [PATCH 08/64] Update to 1.21.1 (rbhz#2316313)
https://github.com/NLnetLabs/unbound/releases/tag/release-1.21.1
A vulnerability has been discovered in Unbound when handling replies with very large RRsets that Unbound needs to perform name compression for.
---
 .gitignore | 2 +
 Yorgos.asc | 128 +++++++++++++++++++++++++++++++++++++++++++++++++++
 sources | 4 +-
 unbound.spec | 5 +-
 4 files changed, 135 insertions(+), 4 deletions(-)
 create mode 100644 Yorgos.asc
diff --git a/.gitignore b/.gitignore
index 2ad282d..5ff0acf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -89,3 +89,5 @@ unbound-1.4.5.tar.gz
 /unbound-1.19.3.tar.gz.asc
 /unbound-1.20.0.tar.gz
 /unbound-1.20.0.tar.gz.asc
+/unbound-1.21.1.tar.gz
+/unbound-1.21.1.tar.gz.asc
diff --git a/Yorgos.asc b/Yorgos.asc
new file mode 100644
index 0000000..e18ec55
--- /dev/null
+++ b/Yorgos.asc
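Review bot: Switching `--keyring` to `%{SOURCE22}` drops Wouter's key (`Source19`, still declared but now unused), so the next release signed by him fails %prep on Fedora, and `Yorgos.asc` is fetched from the same host that serves the tarball whereas `Source19` was pinned by key id in its URL, so nothing independent of nlnetlabs.nl ties the new key to the signer. A keyring holding both keys (the two .asc files concatenated into one file passed to `--keyring`) would remove the single-signer fragility, and a comment beside `Source22` should pin the fingerprint once it has been checked against an out-of-band source — decoding the issuer-fingerprint subpacket in the committed block gives `948EB42322C5D00B79340F5DCFF3344D9087A490`, which should be verified before being relied on. Note also that the `%if 0%{?fedora}` guard kept by this hunk means RHEL and ELN builds never verify the tarball signature at all.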
@@ -0,0 +1,128 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFfYHeYBEAC/8SdeXNspt9ZIoZRSL9juNLHA17TXcHdKSthgWBtwwWZbUPq8 +SJr7Y+hr6jMCDKY9800QzLF0nLkyXnZgaBcvR0rRbCT/qvALJ0fpfjcotapZ1hBv +omb9s8Bo28uKn8tbTMXYNsElUae4Ch/CrU1vfe50YoyQgLR8UBa15gV+2RmC+6jI +qxDYS8sylWlDn6Qim+77feLlObPnNdzgfWGZo14eJByTsz0qrh8aS/BS1FAsnEQ6 +W6AqukhpuKuWvoAUXKjfguXQolxeexubmKaLcGOTvecw+cbh/a5SPHRtRVr9qTxp +elk6UEpakY5K9UtZkrG55VWih/4KqY9bNyhJBtpAk1fXA+mYfx5BcFpECYdU9kz4 +UgV5jK0HYRHQTLC91PPVQgH86we+Aae6TaJneCLEIzBK36TgAP8RKrvFfPUym5OP +YbWOom27QTKfRVcyxPKglJxrTSWixnKWS/pqxNY8hF9Ne4crRAF4wX2yBVbGnjNr +S9TpYmjMwURbuYm+rWZk/8w5OJG60V3wax56c0jn/42O3Y2hzQ+PbOv2M4UuuajS +2YL3/KUsRLBapUpPQjzChwzdr/vzFEhk9XxK2VGMN+dh2HjYwDFendc5csyt/cVr +g3LssVS2bKy5g3IhrzCKAk0Sky4S5t/mcN+lWztNvCijuLz58GCym5GwJQARAQAB +tCtZb3Jnb3MgVGhlc3NhbG9uaWtlZnMgPHlvcmdvc0BubG5ldGxhYnMubmw+iQJX +BBMBCABBAhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAhkBFiEElI60IyLF0At5 +NA9dz/M0TZCHpJAFAmbz0CwFCRD85cYACgkQz/M0TZCHpJBVnhAAkcd79Twxj/tt +C4q2Xpq75+Ew6YR9gLqYiV5vEd6fu0oyhuVoUlfTkjH4ALIoGIKaO9yAVUXsrGrs +n1aJPo1Mw3q6mIwtQOxXz/W44LuFzcvZkHtCYX4YyLrUHXZPvl+r4eYkTOcyyQMU +BmbuvWhufv8MBilvWltQLxfLlgihbfuIrxqjAYDhqCffpgUiZyCut2rrenIgeh1f +DvC+GjZ3cfb1UsIpzm19yr4NCiTHkLkCOAAcAUFwWWeO/jfUsSvFQEHUnYNRREzI +Lth9NlKwPtsOVi+wcNnWQtFQb11BMr407xBib7hLSIFiqvOiYgQABjZdWN+snCRP +ZZSruigjE9ateOloJwmBqrSJLAywxvDE0ivqfSj51W5eJc/JLSXvjrOuW28dJCr8 +RV9PjC9X7zuTiFLzV8SVH71Z43Rix8n7AOp3wgRe3SygEyQXPj4qbm5HHVsx9GEA +zn495L99dJ4wZgjkbEsGhzwUx7N9FHEGS/sz3LiEq+ZYckR6gzTMMrQJgbsS9lnK +9xlXsp37uIYvx9W9JZXtS+AZhw0q3osMYBF68HPX8B9GBYlkQWmWSIMfzRYcD2n1 +5+XsfERK4mxcTWl2sCYpt8Sy3tADj9nQDabAlGUd/hlFS1dvDVQjGh6ER5S0nZjY +nmRsLl8nOTKhb2xY+2p1sDjxxQYJJQe0K0dlb3JnZSBUaGVzc2Fsb25pa2VmcyA8 +Z2VvcmdlQG5sbmV0bGFicy5ubD6JAlQEEwEIAD4CGyMFCwkIBwIGFQgJCgsCBBYC +AwECHgECF4AWIQSUjrQjIsXQC3k0D13P8zRNkIekkAUCZvPQPQUJEPzlxgAKCRDP +8zRNkIekkFfCEACheY1yr2Z+LPjm/Nd2eA4CFFO7nUQHI+a6lYBd57txrRuIicuG +pGjOhnvcioRwICiKNLJD3YTU+WOd+sbO7BXH2sw2KdU9NK1ojKX/SQiTg6upfJsu 
+gbgar2oPvR88B7oSiuonZnhEf72HfWKDSBXHpi6KC6S3JZ+o50NB3GBpwUL1lfKW +ovymYbN6tYQfqw/+AP5jUUNpkclC0RbcW69rpvrHHqeQV1AVKkm/jNQpWLKYTGF7 +bbdLkgMh3rHp8gmF0/GuK+oyL7xD+TEXfr3iqlDIVuxbxDN8xTti1RrERU/MWQar +qOSFZcr4t+nlwThJidDLF/u3h0Ymrjz92VTfCgELIwCKxGX7jAyLZHzuWAp+0Pr/ +yuHodbweGNcGVoXmIpK93/WZcfFlBcyQLECVcijmxd7Euk0xDk76RQpuuL5VOWqn +aZcf2uNfppwKFZJjcXwK+EQbwN7+RFNvLrwoRn/1xM57T5AYBAgSvKb6h0G5KwW6 +tJfJdSu1MHfCZS1hH1Gr4+UG+VbLCVmQ9N/lUs0bcD7pK+bA1W0YnsIVuaQ+YZUh +KrJoCUF0kVDtW9ETZkp0iVBm1Q9xgTGaxUTVmctOyAbdCLyHNra4fo1BAdGlu+IP +qAcktaBUKFxWxRxf9O5kGihce9anK8CJ/TCnQ7wSvyYrlAoBoQaS78VzYYkBHAQS +AQIABgUCV9kUOAAKCRAwkY2CdXJCIju1B/oCvf1kWYndNeLS6U2O6DtFAL2Ia5tY +Zukcyqb1hkYcrBiMZbQN94gX5a+6Q4pdd2n241r1ZuSWdwUhRUbF4mvbZMVsavnk +cvrRGviVIUXf71W0O/IsmQ9oN0Finhpf14Y4z/xqF8DpvJdkWc6X5g+RJuko6q2w +B7x2UfSyF4USp47LSmUQnC59IF8jzaElgBha3gwEuXL3d2qBepoV/e9RiXJClUAT ++O7qdxzDq1eiZ+NXUjDCmrkuWjHLAZAv0jx1KUTCQ2no62UM95igtJ+Kn56Lc2+J +CqFJztaZeX8CgXXryxNpsyhZJ33dIoLCT03K25wrV5Y+eag05slQ9sC3iQI9BBMB +CAAnBQJX2RCwAhsjBQkFo5qABQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAAoJEM/z +NE2Qh6SQ3JUP/2G3bRNObS7zsfN3rjkbjLxaDOwNggRdbeXM5rHDVEG9SWesCGaI +vyQdkSGQoIaKUgNv7Yp8O8pEnD4IwdhNSaXVIB3pBtdOD0UM1wuxRpfqJOUxZEoW +T2Jr31Tg2qepp6nT7UmdiF7uCBDy8Jm6k6Q+6UT58cPaesRQdSPi6Go7ho2/xVvK +Ve9ufSTSTdG5+7bJDu6Iv7sydKUEG4jPDqo+jjVLn1X6Rfp+E4JAvOvFrSJHW5sa +A332xV40GeV+aM1ndP7dPkz8+AGB3QD7JF2DLcqvLo0TYOvjnlOGYcNp8gzp23g9 +KFwe2sdbdtVpuWaJUSpXXiUZnFzrrVxDNiEBjqsPa5ysOxzJ+1gUbcrIjUeNeAFh +us4XL+IidPATnhTIX3X/uPRB87KaTaA8XUqsuSd2DM9mLxdHKC9Jf8D1t+ywYrek +Cp+K80vCtFPWBM4+w8nGugTNKJEGIXZDGFOF/c7r6xKkaOYK0Y+IGJawlV5LaADl +BmQpPk0ubYclwb07FcegaHSxxIqUo/kbyt1YV5mU+QVymZ+xyvIBrnW8hBuNWRvU +5acnIZibCERayo8ZuI+r/X3bLHfDx0oh2h+cL3utNZUqmgZNR0Di8P+x0hUYsYPO +TJaDBSgvxUtY0Ci+OWX38kffGGvhW3CM8V6skdVc8cp7Db7gxase4BxxtC5HZW9y +Z2UgVGhlc3NhbG9uaWtlZnMgPGdlb3JnZUBvcGVubmV0bGFicy5jb20+iQJUBBMB +CAA+AhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEElI60IyLF0At5NA9dz/M0 +TZCHpJAFAmbz0D0FCRD85cYACgkQz/M0TZCHpJBnFw/8CRLGJnNAP43mBniIP5R1 
+/10i4xG5s1Ka/y5C3aRgZUNaGMPLF8VmrC26HTPNhmduhn3j9gnBuSHgRAJUWs2K +o1q0A2/O5fFJvqPyEUl30gG8qkzFl5UGRUr7VNtBa6VpI7g78d3P4/H8THB0tYZ3 +GZv980QXwTE11aXjvPQu4e8sMOR1OVEEH+6hW1T0SvEKAMV1BHwuZAmC6HTfx5e7 +iGNWu/dwJsmwzqcAkuTTSqlmzZdIjZWJDL8pfnschkVilC3pEpEk5ExSkt/onOD2 +WCAKJUiPR6gRI2H6fE0PF8iG9isisvNhQ3MrWUIKS+1WOotoG7Bu7ob46viJKQuN +9t7KBqjdftjJHjmVop3mfX0UUEDPjkZXK5R/aUspXi4IGdM+9JijqxveicQegOhM +LcE8039Z0AaXn9IA0kQB05A4a+CEnoPL7qe+fIBJM5hZDrpMe4fAAGxiQzbRpdkZ +CrXmT+CRkhc/BvUJ5yoE1q++9Fw9eyMbPOak6GLckCIPy+Mqi4z+ZXNCtcPs3Qbc +/7AY8qyswRsD2t5bbe4g+fLEt9IsN3UvKFUKnQ88jcn9Zmps69msMDm9jEj/qo+j +QCriLLu8E1ZwhedNVOQN89w4Zww/BUyEnL4hng8Tw+RTV8Jtq5EvAleW5sZsnTzA +zn1ysZUyO/Pu7Br2jnGRAQyJARwEEgECAAYFAlfZFDwACgkQMJGNgnVyQiIHjAf/ +VrPMgIRjRTYi4cxOr5ewaim1hgJZO1oCJoMopwIvpZ2kAUqL/uPMT3wREe5bi79H +jXYcaX+RbrV4ZdzaajDUFCj867KGErxqtRkANJ1eNLcQmVwGNoFeTQbgEOBfKq1t +hRfMqHF3fxCPJp4z4U3kBPUpIQPERjgUdkH8fxZ34Omo1SLO1b0dVqsneezccBVv +Hj7gVoaWw65Ov7vngwNCKH3fjOkcoINTH/nEw4WWh6UV5ZN49GRqa6oWdUJMZbgB +w8z357RLN6YLe7KMh4oGpUIvfH6Vfq6CIb6s9pfgjAvq8O7p9n0/0FG77j84MuGw +fdhq8eSazO/j9LUCBM+8k4kCPQQTAQgAJwUCV9kQiwIbIwUJBaOagAULCQgHAgYV +CAkKCwIEFgIDAQIeAQIXgAAKCRDP8zRNkIekkN9pD/wI8JAyjJEIjUJNLRuARDDv +pJrQjAo/02naPcGs4yyUd7yRkhzVKLFLvif8XICxxLWk6FdT0PJeKGTvRoe2+Rje +c14rO30niRymWkBi36iDW46Dpt7Jx+LUDhUMYPL+woKSoHmbBGWLSYXKxaD8F93A +nVs97nP4PWpspv2BFiuwKGsSsOyyQPPvr7jCin3H5oPH9qDnIV0KonAYbzzEKod5 +t0Rgzo/nWXZBFXWC5xvKeghwkdT++gYS/ThvQY2ua6A1XRE8BntyldD081NPi3NO +dWa9m8ufFOJsEEiWcpdT+EWoDw5JyGAR7U3IOVl3BTo7shdcYEvRVrDMBpac+ItG +WvogUv7alBdHWi48amvZE06RI/nDJ/rxj13S/4POgMHU++aQI5a1G5H3jBu4cehH +4iT1UKmozfzVEfcHb2dsaKnnuFzQxmol0lZu1ETyof+Lxvs+wErN0QR+VDNweJEJ +PMXiEcjASdLtrEKgFSP2B5yGGzt93C+HbD+VQOU359aAnvVjbTAVz8izuMphd6Bz +Ix1q//q2VmxqjjT3Iv30hBRX02x2M8gsP/e49XWEll7stkMtbYhBU0sHQ2CqzLGh +gJN3ecpi2sKWVqN8HUZOwJFj6f9ZX76YSM23wIugHfscMAVJUXvBrbd151WIshOf +FFPo62sYGt+SEMXWeRcHjbQuWW9yZ29zIFRoZXNzYWxvbmlrZWZzIDx5b3Jnb3NA +b3Blbm5ldGxhYnMuY29tPokCVAQTAQgAPgIbIwULCQgHAgYVCAkKCwIEFgIDAQIe 
+AQIXgBYhBJSOtCMixdALeTQPXc/zNE2Qh6SQBQJm89A9BQkQ/OXGAAoJEM/zNE2Q +h6SQOf4QAIp5fEn+vVOqDuLrv8Li61UDVPE3v5b9ocPR7OMENeFpRH7K2p8xFkAM +f6JeS2ehbIjyUS8iGc+mZOalvZynJdOiHtys5r4lZanm1Rl+mWXb+nHGE/Oi4gQ3 +aEF/AwolbKi9oNXAiCtA3hmaI6FYWtAh5XOnyMG140dhlXMWzvN1ZAWXWioS33Fp +n9Z7xOsyG2Bmky69JjUQPD119noD4pEFtCipciiACVNdHGfI8QDT/8pMAxv/Q7tW ++7gyFztT1XvKONWyCfHjf1x60JQNPPM31x3xUVRz/sK+GyLq6VLiydvSZeUX3CzM +4bHixKKkSyvsX+bc9K/iLrXwZFhRdrRbpVQFpsdxv48mN5WsDlpN17KgMCyNiMDV +0VagYjZC5AurOo2mmS7PKAYGILaq3YwQ3nXYiuWfdXVW6EXtw/vdFOjFU6ppbaA3 +1+xyMDOLSGLr7f+gdZvlEc+5MX1F3mHpmuKN7clUju/HEOdVq1Bbla7BplPgqCaH +ZYCg/VHNt7ue7MYeEgTJ8OGgUDRNPa3PdU3YHRCuwJH1UzinD39K8R9/g9qiGJbC +87//1FGZp9lhIE5tja6F5pJ5GwJK9zC0iGj2NrwBvTKhuyF6W3ZQc2voYQn+gIq4 +sfbned7qpvpjLcMgIv/y82iVm2EtKtKYl982aA9S53pHqjV27kieuQINBFfYHeYB +EAC2h9yjSe2SgtcB0H+E0ndaewaZaQCE7q+RO43dotGH9eFnVwE4/ftcK1SN42ih +lF5OnTaKPyXvgQ6U8W8VB8eLjeTwA/dSXuJX7kJpEK8saPqJP6zTUmPqp/GSzS6Y +rhKLfpFn4chmywpDFcGNMz0sYXiJgPqKL7W0KuG+ziPToAeWl8ckeXyl77/lHVhW +YylaQJEASklqCViPXSp9vI7/57UEm4MQPXwsDBOwuVVqcSu3ZM5MtY9XlbVPNCYm +ZIMqmh8HgYwbiq9dTfJi+6v17+uDQGZewWK/WwFM+9dDx7YkTeOBiUduYtJPW64N +W/RJ7pskbLAy+OZApTZWg0cISN6GOmPN3F0AiWzUjvSMREHhFHyxj4Y15vuDOFvP +GFxr4xBiyMX1JLCKK6OFnyPfoJ9v/o3UgrQgLrfXCmKdvkwBCgJvN3Fsxzha6Dtf +6RcZ02fr7SCZZhdBrlrflvC1uWZ0g3A87ss7h4Iw3njlO3aX6Bo9R4VOLUkiRKi4 +hmQBxPvXxI2ERmKRomo6lrMaDMzIjD4APSM1vUfZguzQxVYpM8lwy1COeqxsj5p+ +LH6f/EU+4dXZwooJ1uanBOvG2ntnz8SErE+e7wNYE4a/fb8xYM4j7p6qYtnNZPb8 +sj8bvx8iWXp4A1csVetyVSchBhTVQhhNos6ouYpc4ibrYwARAQABiQI8BBgBCAAm +AhsMFiEElI60IyLF0At5NA9dz/M0TZCHpJAFAmbz0dUFCRD8528ACgkQz/M0TZCH +pJA7hg/7Bh0jb7nrp2EuU4BWK55VG+3zbrye/NdDy6eo3sVVOOO1r+jBMoJK3m1A +GWUx40ogZjRn8GMtJfxkL6wsep2P775smm7x1TH6s2dgreTj9J66gitKEgxF0tjo +JztmGJ8YKSGE4wKi37KvvSqCm1ecA8akBzJVo0B8/GtXpg+y/q3/KSY1ujW7Ihu3 +60JXT1FRXOiYfrzUKIBm8/UVnv7guPudaJf0eU4btoy4Ywzn1UXyi8BdxPIQrQDR +tt69ffcjX8BIEloK7FURLre/LhbVxlssdWYIEFQhIlb+nghZlUbWHf0Ue3L0SFFS +xV5otzQL2WjJKtCnTpSopSUmwYyT7wyAL1RokOemXL47WOfiLjiGuS+K/4lT7VHS 
+fdLsYinS0LYr5dmhc05s//kLyQ0OSKNh3SNAN+lM/klLE/pFwM4mo56C+seNEvCm +sT53VPOOwp6JwsLKSqm8pu1fbVjT6laMc9BPi6KUjN/f7ZahCXNXOrA2uLnTlxw/ +ns1sOXSWZDWciZeL3kJeUQER5YZ59hzLYWAiJ+5KblWRlBMXb71FUp0Mh9V3dA5O +BX3IlcF54qE50chGzLnfQf1YLuh13xxxc2WsdMZjiCj8CVDMkD6ekShfQK8nyQsK +SJgdXcnw1CxcAVvsROtecUiD+DWrJcYExjSZ+zcI4+aRhp7uNt8= +=iknu +-----END PGP PUBLIC KEY BLOCK----- diff --git a/sources b/sources index 5a055a7..efb1f71 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (unbound-1.20.0.tar.gz) = 2f6bc76c03b71ca1c2cd2331dc72d62f51493d15e17c59af46b400e542fcabff22e6b9d33f750a3e5f918a0116f45afa760651b2d5aa2feadac151cbbd71b0bd -SHA512 (unbound-1.20.0.tar.gz.asc) = 1586a320077c606c5c19f251615df54a61854f51acca02df1d391dcc2287aff2c641b009aeee1a98392f63719d70b6bac23ebb7d86b780f8a27cda6e114fc0ad +SHA512 (unbound-1.21.1.tar.gz) = 82be3faf5e4f9531342008105f5ab2ecc22a56faab1ef5c86420d85ef48443e5dac3455dbc654178a927e34ca4067c7655443f91a250b87945a63e9ba5f74ba7 +SHA512 (unbound-1.21.1.tar.gz.asc) = 5bb3961c210aefb20f91eb96f7d3980324e30cb2307c6c1187f016cacafcade7adcd95855faedfebc2c91464fd6c095511322364357c5b72525fc8e61c0ad248 diff --git a/unbound.spec b/unbound.spec index 17c922b..3a835d0 100644 --- a/unbound.spec +++ b/unbound.spec @@ -32,7 +32,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.20.0 +Version: 1.21.1 Release: %autorelease %{?extra_version:-e %{extra_version}} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ @@ -58,6 +58,7 @@ Source18: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key Source20: unbound.sysusers Source21: remote-control.conf +Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc # Downstream configuration changes Patch1: unbound-fedora-config.patch 
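Review bot: The new `Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc` line carries nothing that pins which key is expected, whereas SOURCE19 at least embeds a key id in its `search=0x…` lookup; the keyring that `%{gpgverify}` trusts in the following `%prep` hunk is therefore whatever file was committed, and a reviewer cannot check it against upstream's published key from the spec alone. I would add a comment above it such as `# Yorgos (NLnet Labs) release-signing key, fingerprint <FINGERPRINT>` with the fingerprint copied from upstream's key page, so a later refresh of the committed `.asc` can be compared against it. The same note applies to the `--keyring='%{SOURCE22}'` change in the `%prep` hunk that follows.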
@@ -193,7 +194,7 @@ Python 3 modules and extensions for unbound %prep %if 0%{?fedora} -%{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}' +%{gpgverify} --keyring='%{SOURCE22}' --signature='%{SOURCE18}' --data='%{SOURCE0}' %endif %global pkgname %{name}-%{version}%{?extra_version} From 62c53ea087ed349aca7821d54ed931e0d9c0ae33 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Wed, 25 Sep 2024 13:29:49 +0200 Subject: [PATCH 09/64] Enable native dynamic modules Support modules similar to pythom modules, but implemented in native code. --- unbound.spec | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index 3a835d0..7b579f0 100644 --- a/unbound.spec +++ b/unbound.spec @@ -243,7 +243,8 @@ cp -a %{dir_primary} %{dir_secondary} --with-rootkey-file=%{_sharedstatedir}/%{name}/root.key \\\ --with-username=unbound \\\ --enable-linux-ip-local-port-range \\\ - + --with-dynlibmodule \\\ +# pushd %{dir_primary} From 23cb2f344edc6bdcf2b18baaed1276abdc855540 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Wed, 25 Sep 2024 14:18:27 +0200 Subject: [PATCH 10/64] Remove additional subdirectory for python3 build Python2 builds are not common anymore. Make basic unbound directory for primary build in normal default directory. Try subdirectory only for alternative secondary build, if enabled. --- unbound-fedora-config.patch | 42 +++++++++++++++++++------------------ unbound.spec | 27 ++++-------------------- 2 files changed, 26 insertions(+), 43 deletions(-) diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch index f57207b..b4803b6 100644 --- a/unbound-fedora-config.patch +++ b/unbound-fedora-config.patch @@ -1,4 +1,4 @@ -From 79506679335ef1e02a960ccc7cfeda19348f5619 Mon Sep 17 00:00:00 2001 +From 71cbef33920b3b5704be7eab399da506ab51cde1 Mon Sep 17 00:00:00 2001 
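Review bot: The bare `+#` line added after `--with-dynlibmodule \\\` has no text saying why it is there; it appears to exist only to terminate the backslash-continued option list that the removed blank line used to close, and a reader tidying the spec will be tempted to delete it. I would make it `# end of shared configure options (keep: terminates the \\\ chain above)`. A word next to the new flag would also help: according to the example.conf text carried in the config patch, the dynlib module only loads a `dynlib-file:` shared object when `dynlib` is listed in `module-config`, so compiling it in does not by itself change what the default resolver runs; a one-line comment stating that saves the next reviewer the check. The option list this hunk edits starts and ends outside the visible context, so I cannot see the macro it belongs to.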
From: Petr Mensik Date: Fri, 10 Nov 2023 12:58:31 +0100 Subject: [PATCH] Customize unbound.conf for Fedora defaults @@ -7,13 +7,13 @@ Set some Fedora/RHEL specific changes to example configuration file. By patching upstream provided config file we would not need to manually update external copy in source RPM. --- - unbound-1.20.0/doc/example.conf.in | 194 ++++++++++++++++++----------- - 1 file changed, 124 insertions(+), 70 deletions(-) + doc/example.conf.in | 196 ++++++++++++++++++++++++++++---------------- + 1 file changed, 126 insertions(+), 70 deletions(-) -diff --git a/unbound-1.20.0/doc/example.conf.in b/unbound-1.20.0/doc/example.conf.in -index 0368c8d..9ece701 100644 ---- a/unbound-1.20.0/doc/example.conf.in -+++ b/unbound-1.20.0/doc/example.conf.in +diff --git a/doc/example.conf.in b/doc/example.conf.in +index 130cb4e..7174d81 100644 +--- a/doc/example.conf.in ++++ b/doc/example.conf.in @@ -17,11 +17,12 @@ server: # whitespace is not necessary, but looks cleaner. 
@@ -358,22 +358,24 @@ index 0368c8d..9ece701 100644 # Pad responses to padded queries received over TLS # pad-responses: yes -@@ -1045,12 +1080,12 @@ server: - # cookie-secret: <128 bit random hex string> +@@ -1050,12 +1085,14 @@ server: + # cookie-secret-file: "/usr/local/etc/unbound_cookiesecrets.txt" # Enable to attach Extended DNS Error codes (RFC8914) to responses. - # ede: no ++ # Fedora defaults to yes. + ede: yes # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale # Answer as EDNS0 option to expired responses. # Note that the ede option above needs to be enabled for this to work. - # ede-serve-expired: no ++ # Fedora defaults to yes. + ede-serve-expired: yes # Specific options for ipsecmod. Unbound needs to be configured with # --enable-ipsecmod for these to take effect. -@@ -1058,12 +1093,14 @@ server: +@@ -1063,12 +1100,14 @@ server: # Enable or disable ipsecmod (it still needs to be defined in # module-config above). Can be used when ipsecmod needs to be # enabled/disabled via remote-control(below). @@ -391,7 +393,7 @@ index 0368c8d..9ece701 100644 # When enabled Unbound will reply with SERVFAIL if the return value of # the ipsecmod-hook is not 0. # ipsecmod-strict: no -@@ -1096,7 +1133,7 @@ server: +@@ -1101,7 +1140,7 @@ server: # o and give a python-script to run. python: # Script file to load @@ -400,7 +402,7 @@ index 0368c8d..9ece701 100644 # Dynamic library config section. To enable: # o use --with-dynlibmodule to configure before compiling. -@@ -1107,13 +1144,14 @@ python: +@@ -1112,13 +1151,14 @@ python: # the module-config then you need one dynlib-file per instance. dynlib: # Script file to load 
@@ -417,7 +419,7 @@ index 0368c8d..9ece701 100644 # what interfaces are listened to for remote control. # give 0.0.0.0 and ::0 to listen to all interfaces. -@@ -1121,6 +1159,7 @@ remote-control: +@@ -1126,6 +1166,7 @@ remote-control: # are not used for that, so key and cert files need not be present. # control-interface: 127.0.0.1 # control-interface: ::1 @@ -425,7 +427,7 @@ index 0368c8d..9ece701 100644 # port number for remote control operations. # control-port: 8953 -@@ -1130,16 +1169,19 @@ remote-control: +@@ -1135,16 +1176,19 @@ remote-control: # control-use-cert: "yes" # Unbound server key file. @@ -449,7 +451,7 @@ index 0368c8d..9ece701 100644 # Stub zones. # Create entries like below, to make all queries for 'example.com' and -@@ -1161,6 +1203,10 @@ remote-control: +@@ -1166,6 +1210,10 @@ remote-control: # name: "example.org" # stub-host: ns.example.com. @@ -460,7 +462,7 @@ index 0368c8d..9ece701 100644 # Forward zones # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of servers. These servers have to handle -@@ -1178,6 +1224,10 @@ remote-control: +@@ -1183,6 +1231,10 @@ remote-control: # forward-zone: # name: "example.org" # forward-host: fwd.example.com @@ -471,7 +473,7 @@ index 0368c8d..9ece701 100644 # Authority zones # The data for these zones is kept locally, from a file or downloaded. -@@ -1188,27 +1238,28 @@ remote-control: +@@ -1193,27 +1245,28 @@ remote-control: # download it), primary: fetches with AXFR and IXFR, or url to zonefile. # With allow-notify: you can give additional (apart from primaries and urls) # sources of notifies. @@ -521,7 +523,7 @@ index 0368c8d..9ece701 100644 # auth-zone: # name: "example.org" # for-downstream: yes -@@ -1234,6 +1285,9 @@ remote-control: +@@ -1239,6 +1292,9 @@ remote-control: # name: "anotherview" # local-zone: "example.com" refuse 
@@ -531,7 +533,7 @@ index 0368c8d..9ece701 100644 # DNSCrypt # To enable, use --enable-dnscrypt to configure before compiling. # Caveats: -@@ -1309,7 +1363,7 @@ remote-control: +@@ -1314,7 +1370,7 @@ remote-control: # dnstap-enable: no # # if set to yes frame streams will be used in bidirectional mode # dnstap-bidirectional: yes @@ -541,5 +543,5 @@ index 0368c8d..9ece701 100644 # # set it to "IPaddress[@port]" of the destination. # dnstap-ip: "" -- -2.44.0 +2.46.0 diff --git a/unbound.spec b/unbound.spec index 7b579f0..0248119 100644 --- a/unbound.spec +++ b/unbound.spec @@ -199,22 +199,15 @@ Python 3 modules and extensions for unbound %global pkgname %{name}-%{version}%{?extra_version} %if 0%{with_python2} && 0%{with_python3} -%global dir_primary %{pkgname}_python3 %global python_primary %{__python3} %global dir_secondary %{pkgname}_python2 %global python_secondary %{__python2} -%else -%global dir_primary %{pkgname} %endif -%autosetup -c -N -n %{pkgname} +%autosetup -N -n %{pkgname} -pushd %{pkgname} # patches go here -%autopatch -p2 - -# copy common doc files - after here, since it may be patched -cp -pr doc pythonmod libunbound ../ +%autopatch -p1 %if 0%{?rhel} > 8 # SHA-1 breaks some tests. Disable just some tests because of that. @@ -224,11 +217,9 @@ cp -pr doc pythonmod libunbound ../ mv testdata/${TEST}.rpl{,-disabled} done %endif -popd %if 0%{with_python2} && 0%{with_python3} -mv %{pkgname} %{dir_primary} -cp -a %{dir_primary} %{dir_secondary} + cp -a . %{dir_secondary} %endif %build @@ -246,14 +237,13 @@ cp -a %{dir_primary} %{dir_secondary} --with-dynlibmodule \\\ # -pushd %{dir_primary} - # always regenerate configure rm -f config.h.in aclocal.m4 configure ltmain.sh rm -f {ax_pthread,ax_swig_python}.m4 cp -p %{_datadir}/aclocal/{ax_pthread,ax_swig_python}.m4 . # ensure bison is used to generate fresh parser rm -f util/configparser.{c,h} util/configlexer.c + autoreconf -fiv %configure \ 
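Review bot: `cp -a . %{dir_secondary}` copies the source tree into a subdirectory of itself; with `%{dir_secondary}` expanding to `%{pkgname}_python2`, a relative path inside the current directory, GNU cp normally refuses this with "cannot copy a directory into itself", so `%prep` would fail as soon as both python builds are enabled. That branch is off by default, so the breakage is latent, but copying to a sibling (`cp -a . ../%{dir_secondary}` and `pushd ../%{dir_secondary}` in `%build`/`%check`) or re-extracting the tarball for the secondary build avoids it. I have not run this spec, so if cp behaves differently in the build root a comment recording that assumption is the minimum.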
@@ -281,8 +271,6 @@ autoreconf -fiv %make_build %make_build streamtcp -popd - %if 0%{?python_secondary:1} pushd %{dir_secondary} %configure \ @@ -310,11 +298,9 @@ pushd %{dir_secondary} popd %endif -pushd %{dir_primary} %make_install unbound-event-install install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp install -p -m 0644 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf -popd install -d -m 0755 %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service @@ -335,11 +321,9 @@ for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unboun done %endif -pushd %{dir_primary} # install streamtcp man page install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1 install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc -popd # Install tmpfiles.d config install -d -m 0755 %{buildroot}%{_tmpfilesdir} %{buildroot}%{_sharedstatedir}/unbound @@ -411,15 +395,12 @@ fi %systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer %check -pushd %{dir_primary} #pushd pythonmod #make test #popd make check -popd - %if 0%{?python_secondary:1} pushd %{dir_secondary} #pushd pythonmod From 421386aa5e127d140e07131b1cf465b1a213a1a5 Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Mon, 7 Oct 2024 16:40:08 -0400 Subject: [PATCH 11/64] - enable hiredis (using valkey) by default --- unbound.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index 73c8ecb..150186b 100644 --- a/unbound.spec +++ b/unbound.spec @@ -4,7 +4,7 @@ %bcond_without dnstap %bcond_with systemd %bcond_without doh -%bcond_with redis +%bcond_without redis %global forgeurl0 https://github.com/NLnetLabs/unbound %global downloads https://nlnetlabs.nl/downloads From 3c9495eea1b75cab157c564d84c9ba7af929c688 Mon Sep 17 00:00:00 2001 
From: Paul Wouters Date: Thu, 17 Oct 2024 11:34:06 -0400 Subject: [PATCH 12/64] Update to 1.22.0 (rbhz#2319347) cleanup the unbound.conf diff file against updated upstream defaults. DNS over QUIC cannot be enabled yet because Fedora does not have libngtcp2 --- .gitignore | 2 + sources | 4 +- unbound-fedora-config.patch | 126 ++++++++++++++++-------------------- unbound.spec | 4 +- 4 files changed, 60 insertions(+), 76 deletions(-) diff --git a/.gitignore b/.gitignore index 149c0ab..31c5a81 100644 --- a/.gitignore +++ b/.gitignore @@ -93,3 +93,5 @@ unbound-1.4.5.tar.gz /unbound-1.21.0.tar.gz.asc /unbound-1.21.1.tar.gz /unbound-1.21.1.tar.gz.asc +/unbound-1.22.0.tar.gz +/unbound-1.22.0.tar.gz.asc diff --git a/sources b/sources index efb1f71..87f2b6b 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (unbound-1.21.1.tar.gz) = 82be3faf5e4f9531342008105f5ab2ecc22a56faab1ef5c86420d85ef48443e5dac3455dbc654178a927e34ca4067c7655443f91a250b87945a63e9ba5f74ba7 -SHA512 (unbound-1.21.1.tar.gz.asc) = 5bb3961c210aefb20f91eb96f7d3980324e30cb2307c6c1187f016cacafcade7adcd95855faedfebc2c91464fd6c095511322364357c5b72525fc8e61c0ad248 +SHA512 (unbound-1.22.0.tar.gz) = 6c873e19902ce6cd59cec7084d5dba1a5bd5fe4437c827ae69bdf9273bcd8d2d1ec0dc183076f8d2e1fd38730bf8c10852d678399f0b2ea8ccf7e39119568978 +SHA512 (unbound-1.22.0.tar.gz.asc) = afbf5a125f104a25576b1c416b32f68d715b41a025fc3a61e6ee3bc28f9988b4277c7f0dd188c51cbe5641f51ade20f740ea131d1a7b5db38e2d1462a9edbb69 diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch index b4803b6..c039cf4 100644 --- a/unbound-fedora-config.patch +++ b/unbound-fedora-config.patch 
@@ -1,20 +1,7 @@ -From 71cbef33920b3b5704be7eab399da506ab51cde1 Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Fri, 10 Nov 2023 12:58:31 +0100 -Subject: [PATCH] Customize unbound.conf for Fedora defaults - -Set some Fedora/RHEL specific changes to example configuration file. By -patching upstream provided config file we would not need to manually -update external copy in source RPM. ---- - doc/example.conf.in | 196 ++++++++++++++++++++++++++++---------------- - 1 file changed, 126 insertions(+), 70 deletions(-) - -diff --git a/doc/example.conf.in b/doc/example.conf.in -index 130cb4e..7174d81 100644 ---- a/doc/example.conf.in -+++ b/doc/example.conf.in -@@ -17,11 +17,12 @@ server: +diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.conf.in +--- unbound-1.22.0-orig/doc/example.conf.in 2024-10-17 03:23:22.000000000 -0400 ++++ unbound-1.22.0/doc/example.conf.in 2024-10-17 11:06:58.882896891 -0400 +@@ -17,11 +17,12 @@ # whitespace is not necessary, but looks cleaner. # verbosity number, 0 is least verbose. 1 is default. @@ -29,7 +16,7 @@ index 130cb4e..7174d81 100644 # enable shm for stats, default no. if you enable also enable # statistics-interval, every time it also writes stats to the -@@ -32,11 +33,13 @@ server: +@@ -32,11 +33,13 @@ # shm-key: 11777 # enable cumulative statistics, without clearing them after printing. @@ -46,7 +33,7 @@ index 130cb4e..7174d81 100644 # Inhibits selected extended statistics (qtype, qclass, qopcode, rcode, # rpz-actions) from printing if their value is 0. -@@ -44,22 +47,35 @@ server: +@@ -44,22 +47,35 @@ # statistics-inhibit-zero: yes # number of threads to create. 1 disables threading. 
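Review bot: Regenerating the patch with `diff -Naur` drops the whole descriptive header (the From/Subject lines and the "Set some Fedora/RHEL specific changes…" paragraph), so `unbound-fedora-config.patch` no longer says what it is for or which release it was last rebased against. patch(1) and `%autopatch` skip free text before the first `diff` line, so I would keep a short preamble above the `diff -Naur` line, e.g. `Customize unbound.conf for Fedora defaults (rebased on 1.22.0)`; with the git header gone, the commit message's sentence about DNS over QUIC and libngtcp2 is the only place that context lives. The inner `@@ -17,11 +17,12 @@` headers also lost their `server:` context tag, which is cosmetic but makes the hunks harder to locate by eye.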
@@ -84,7 +71,7 @@ index 130cb4e..7174d81 100644 # instead of the default port, open additional ports separated by # spaces when interface-automatic is enabled, by listing them here. -@@ -94,7 +110,8 @@ server: +@@ -94,7 +110,8 @@ # permit Unbound to use this port number or port range for # making outgoing queries, using an outgoing interface. @@ -94,7 +81,7 @@ index 130cb4e..7174d81 100644 # deny Unbound the use this of port number or port range for # making outgoing queries, using an outgoing interface. -@@ -103,7 +120,9 @@ server: +@@ -103,7 +120,9 @@ # IANA-assigned port numbers. # If multiple outgoing-port-permit and outgoing-port-avoid options # are present, they are processed in order. @@ -105,7 +92,7 @@ index 130cb4e..7174d81 100644 # number of outgoing simultaneous tcp buffers to hold per thread. # outgoing-num-tcp: 10 -@@ -121,12 +140,12 @@ server: +@@ -121,12 +140,12 @@ # use SO_REUSEPORT to distribute queries over threads. # at extreme load it could be better to turn it off to distribute even. @@ -120,7 +107,7 @@ index 130cb4e..7174d81 100644 # use IP_FREEBIND so the interface: addresses can be non-local # and you can bind to nonexisting IPs and interfaces that are down. -@@ -276,6 +295,8 @@ server: +@@ -285,6 +304,8 @@ # nat64-prefix: 64:ff9b::0/96 # Enable UDP, "yes" or "no". @@ -129,7 +116,7 @@ index 130cb4e..7174d81 100644 # do-udp: yes # Enable TCP, "yes" or "no". -@@ -301,7 +322,7 @@ server: +@@ -310,7 +331,7 @@ # tcp-idle-timeout: 30000 # Enable EDNS TCP keepalive option. @@ -138,7 +125,7 @@ index 130cb4e..7174d81 100644 # Timeout for EDNS TCP keepalive, in msec. Overrides tcp-idle-timeout # if edns-tcp-keepalive is set. -@@ -311,6 +332,9 @@ server: +@@ -320,6 +341,9 @@ # can be dropped. Default is 0, disabled. In seconds, such as 3. # sock-queue-timeout: 0 
@@ -148,7 +135,7 @@ index 130cb4e..7174d81 100644 # Use systemd socket activation for UDP, TCP, and control sockets. # use-systemd: no -@@ -424,6 +448,7 @@ server: +@@ -433,6 +457,7 @@ # # If you give "" no chroot is performed. The path must not end in a /. # chroot: "@UNBOUND_CHROOT_DIR@" @@ -156,7 +143,7 @@ index 130cb4e..7174d81 100644 # if given, user privileges are dropped (after binding port), # and the given username is assumed. Default is user "unbound". -@@ -435,7 +460,7 @@ server: +@@ -444,7 +469,7 @@ # is not changed. # If you give a server: directory: dir before include: file statements # then those includes can be relative to the working directory. 
@@ -165,34 +152,32 @@ index 130cb4e..7174d81 100644 # the log file, "" means log to stderr. # Use of this option sets use-syslog to "no". -@@ -450,7 +475,7 @@ server: +@@ -459,7 +484,7 @@ # log-identity: "" # print UTC timestamp in ascii to logfile, default is epoch in seconds. - # log-time-ascii: no + log-time-ascii: yes - # print one line with time, IP, name, type, class for every query. - # log-queries: no -@@ -522,22 +547,22 @@ server: - # harden-large-queries: no + # log timestamp in ISO8601 format if also log-time-ascii is enabled. + # (y-m-dTh:m:s.msec[+-]tzhours:tzminutes) +@@ -532,13 +557,13 @@ + # harden-short-bufsize: yes + + # Harden against unseemly large queries. +- # harden-large-queries: no ++ harden-large-queries: yes # Harden against out of zone rrsets, to avoid spoofing attempts. -- # harden-glue: yes -+ harden-glue: yes + # harden-glue: yes + + # Harden against unverified (outside-zone, including sibling zone) glue rrsets +- # harden-unverified-glue: no ++ harden-unverified-glue: yes # Harden against receiving dnssec-stripped data. If you turn it # off, failing to validate dnskey data for a trustanchor will - # trigger insecure mode for that zone (like without a trustanchor). - # Default on, which insists on dnssec data for trust-anchored zones. -- # harden-dnssec-stripped: yes -+ harden-dnssec-stripped: yes - - # Harden against queries that fall under dnssec-signed nxdomain names. -- # harden-below-nxdomain: yes -+ harden-below-nxdomain: yes - - # Harden the referral path by performing additional queries for +@@ -553,7 +578,7 @@ # infrastructure data. Validates the replies (if possible). # Default off, because the lookups burden the server. Experimental # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. 
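Review bot: This hunk does more than the commit message's "cleanup … against updated upstream defaults": the inner `++ harden-large-queries: yes` and `++ harden-unverified-glue: yes` lines turn on two options whose upstream defaults are shown as `no` in the surrounding context, while the explicit `harden-glue`, `harden-dnssec-stripped` and `harden-below-nxdomain` settings are dropped (they stay effective only because upstream's shown default for them is `yes`). Elsewhere this patch marks such deviations with a `# Fedora defaults to yes.` line; adding that comment above the two new settings, plus a sentence in the commit message, would make the change in effective behaviour visible to anyone auditing the shipped unbound.conf. `harden-unverified-glue` has no counterpart on the old side of this patch, so it appears new in this release; since it changes how out-of-zone glue is treated, its resolution impact deserves a test before it becomes the distribution default, which I have not verified here.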
@@ -201,7 +186,7 @@ index 130cb4e..7174d81 100644 # Harden against algorithm downgrade when multiple algorithms are # advertised in the DS record. If no, allows the weakest algorithm -@@ -551,7 +576,7 @@ server: +@@ -567,7 +592,7 @@ # Sent minimum amount of information to upstream servers to enhance # privacy. Only sent minimum required labels of the QNAME and set QTYPE # to A when possible. @@ -210,7 +195,7 @@ index 130cb4e..7174d81 100644 # QNAME minimisation in strict mode. Do not fall-back to sending full # QNAME to potentially broken nameservers. A lot of domains will not be -@@ -561,7 +586,7 @@ server: +@@ -577,7 +602,7 @@ # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN # and other denials, using information from previous NXDOMAINs answers. @@ -219,7 +204,7 @@ index 130cb4e..7174d81 100644 # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. -@@ -594,7 +619,7 @@ server: +@@ -610,7 +635,7 @@ # threshold, a warning is printed and a defensive action is taken, # the cache is cleared to flush potential poison out of it. # A suggested value is 10000000, the default is 0 (turned off). @@ -228,7 +213,7 @@ index 130cb4e..7174d81 100644 # Do not query the following addresses. No DNS queries are sent there. # List one address per entry. List classless netblocks with /size, -@@ -606,20 +631,20 @@ server: +@@ -622,20 +647,20 @@ # do-not-query-localhost: yes # if yes, perform prefetching of almost expired message cache entries. @@ -254,7 +239,7 @@ index 130cb4e..7174d81 100644 # true to disable DNSSEC lameness check in iterator. # disable-dnssec-lame-check: no -@@ -629,7 +654,9 @@ server: +@@ -645,7 +670,9 @@ # most modules have to be listed at the beginning of the line, # except cachedb(just before iterator), and python (at the beginning, # or, just before the iterator). 
@@ -265,7 +250,7 @@ index 130cb4e..7174d81 100644 # File with trusted keys, kept uptodate using RFC5011 probes, # initial file like trust-anchor-file, then it stores metadata. -@@ -643,10 +670,10 @@ server: +@@ -659,10 +686,10 @@ # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" # trust anchor signaling sends a RFC8145 key tag query after priming. @@ -278,7 +263,7 @@ index 130cb4e..7174d81 100644 # File with trusted keys for validation. Specify more than one file # with several entries, one file per entry. -@@ -667,6 +694,9 @@ server: +@@ -683,6 +710,9 @@ # the trusted-keys { name flag proto algo "key"; }; clauses are read. # you need external update procedures to track changes in keys. # trusted-keys-file: "" @@ -288,7 +273,7 @@ index 130cb4e..7174d81 100644 # Ignore chain of trust. Domain is treated as insecure. # domain-insecure: "example.com" -@@ -694,14 +724,15 @@ server: +@@ -710,14 +740,15 @@ # unsecure data. Useful to shield the users of this validator from # potential bogus data in the additional section. All unsigned data # in the additional section is removed from secure messages. @@ -306,7 +291,7 @@ index 130cb4e..7174d81 100644 # Ignore the CD flag in incoming queries and refuse them bogus data. # Enable it if the only clients of Unbound are legacy servers (w2008) -@@ -715,11 +746,11 @@ server: +@@ -731,11 +762,11 @@ # Serve expired responses from cache, with serve-expired-reply-ttl in # the response, and then attempt to fetch the data afresh. @@ -320,7 +305,7 @@ index 130cb4e..7174d81 100644 # # Set the TTL of expired records to the serve-expired-ttl value after a # failed attempt to retrieve the record from upstream. This makes sure -@@ -746,7 +777,7 @@ server: +@@ -762,7 +793,7 @@ # Have the validator log failed validations for your diagnosis. # 0: off. 1: A line per failed user query. 2: With reason and bad IP. 
@@ -329,7 +314,7 @@ index 130cb4e..7174d81 100644 # It is possible to configure NSEC3 maximum iteration counts per # keysize. Keep this table very short, as linear search is done. -@@ -890,6 +921,8 @@ server: +@@ -906,6 +937,8 @@ # you need to do the reverse notation yourself. # local-data-ptr: "192.0.2.3 www.example.com" @@ -338,7 +323,7 @@ index 130cb4e..7174d81 100644 # tag a localzone with a list of tag names (in "" with spaces between) # local-zone-tag: "example.com" "tag2 tag3" -@@ -900,8 +933,8 @@ server: +@@ -916,8 +949,8 @@ # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. # Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. @@ -348,8 +333,8 @@ index 130cb4e..7174d81 100644 + # tls-service-pem: "/etc/unbound/unbound_server.pem" # tls-port: 853 # https-port: 443 - -@@ -909,6 +942,8 @@ server: + # quic-port: 853 +@@ -926,6 +959,8 @@ # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" # cipher setting for TLSv1.3 # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" @@ -358,7 +343,7 @@ index 130cb4e..7174d81 100644 # Pad responses to padded queries received over TLS # pad-responses: yes -@@ -1050,12 +1085,14 @@ server: +@@ -1070,12 +1105,14 @@ # cookie-secret-file: "/usr/local/etc/unbound_cookiesecrets.txt" # Enable to attach Extended DNS Error codes (RFC8914) to responses. 
@@ -375,7 +360,7 @@ index 130cb4e..7174d81 100644 # Specific options for ipsecmod. Unbound needs to be configured with # --enable-ipsecmod for these to take effect. -@@ -1063,12 +1100,14 @@ server: +@@ -1083,12 +1120,14 @@ # Enable or disable ipsecmod (it still needs to be defined in # module-config above). Can be used when ipsecmod needs to be # enabled/disabled via remote-control(below). @@ -393,7 +378,7 @@ index 130cb4e..7174d81 100644 # When enabled Unbound will reply with SERVFAIL if the return value of # the ipsecmod-hook is not 0. # ipsecmod-strict: no -@@ -1101,7 +1140,7 @@ server: +@@ -1121,7 +1160,7 @@ # o and give a python-script to run. python: # Script file to load @@ -402,7 +387,7 @@ index 130cb4e..7174d81 100644 # Dynamic library config section. To enable: # o use --with-dynlibmodule to configure before compiling. -@@ -1112,13 +1151,14 @@ python: +@@ -1132,13 +1171,14 @@ # the module-config then you need one dynlib-file per instance. dynlib: # Script file to load @@ -419,7 +404,7 @@ index 130cb4e..7174d81 100644 # what interfaces are listened to for remote control. # give 0.0.0.0 and ::0 to listen to all interfaces. -@@ -1126,6 +1166,7 @@ remote-control: +@@ -1146,6 +1186,7 @@ # are not used for that, so key and cert files need not be present. # control-interface: 127.0.0.1 # control-interface: ::1 @@ -427,7 +412,7 @@ index 130cb4e..7174d81 100644 # port number for remote control operations. # control-port: 8953 -@@ -1135,16 +1176,19 @@ remote-control: +@@ -1155,16 +1196,19 @@ # control-use-cert: "yes" # Unbound server key file. @@ -451,7 +436,7 @@ index 130cb4e..7174d81 100644 # Stub zones. # Create entries like below, to make all queries for 'example.com' and -@@ -1166,6 +1210,10 @@ remote-control: +@@ -1186,6 +1230,10 @@ # name: "example.org" # stub-host: ns.example.com. 
@@ -462,7 +447,7 @@ index 130cb4e..7174d81 100644 # Forward zones # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of servers. These servers have to handle -@@ -1183,6 +1231,10 @@ remote-control: +@@ -1203,6 +1251,10 @@ # forward-zone: # name: "example.org" # forward-host: fwd.example.com @@ -473,7 +458,7 @@ index 130cb4e..7174d81 100644 # Authority zones # The data for these zones is kept locally, from a file or downloaded. -@@ -1193,27 +1245,28 @@ remote-control: +@@ -1213,27 +1265,28 @@ # download it), primary: fetches with AXFR and IXFR, or url to zonefile. # With allow-notify: you can give additional (apart from primaries and urls) # sources of notifies. @@ -523,7 +508,7 @@ index 130cb4e..7174d81 100644 # auth-zone: # name: "example.org" # for-downstream: yes -@@ -1239,6 +1292,9 @@ remote-control: +@@ -1259,6 +1312,9 @@ # name: "anotherview" # local-zone: "example.com" refuse @@ -533,7 +518,7 @@ index 130cb4e..7174d81 100644 # DNSCrypt # To enable, use --enable-dnscrypt to configure before compiling. # Caveats: -@@ -1314,7 +1370,7 @@ remote-control: +@@ -1338,7 +1394,7 @@ # dnstap-enable: no # # if set to yes frame streams will be used in bidirectional mode # dnstap-bidirectional: yes @@ -542,6 +527,3 @@ index 130cb4e..7174d81 100644 # # if "" use the unix socket in dnstap-socket-path, otherwise, # # set it to "IPaddress[@port]" of the destination. # dnstap-ip: "" --- -2.46.0 - diff --git a/unbound.spec b/unbound.spec index 150186b..1fd43f9 100644 --- a/unbound.spec +++ b/unbound.spec @@ -32,7 +32,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.21.1 +Version: 1.22.0 Release: %autorelease %{?extra_version:-e %{extra_version}} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ 
@@ -194,7 +194,7 @@ Python 3 modules and extensions for unbound %prep %if 0%{?fedora} -%{gpgverify} --keyring='%{SOURCE22}' --signature='%{SOURCE18}' --data='%{SOURCE0}' +%{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}' %endif %global pkgname %{name}-%{version}%{?extra_version} From 97cf366613562564939994830bde76aa4bf82a0c Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Mon, 4 Nov 2024 20:42:08 -0500 Subject: [PATCH 13/64] Disable redis in RHEL builds hiredis is not included in RHEL. --- unbound.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/unbound.spec b/unbound.spec index 1fd43f9..a0718c3 100644 --- a/unbound.spec +++ b/unbound.spec @@ -4,7 +4,11 @@ %bcond_without dnstap %bcond_with systemd %bcond_without doh +%if 0%{?rhel} && ! 0%{?epel} +%bcond_with redis +%else %bcond_without redis +%endif %global forgeurl0 https://github.com/NLnetLabs/unbound %global downloads https://nlnetlabs.nl/downloads From 1b2c93fae61771c2191ab4a5f5a1f1c59dc4dca1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 22 Oct 2024 14:59:19 +0200 Subject: [PATCH 14/64] Make separate configuration Ship new config snippets in data directory. They should be symlinked from /etc/unbound/conf.d directory if they should be used as they are. Copy and modification if they should be used as a template. --- unbound-as112-networks.conf | 118 ++++++++++++++++++++++++++++++++++++ unbound-local-root.conf | 30 +++++++++ unbound.spec | 7 +++ 3 files changed, 155 insertions(+) create mode 100644 unbound-as112-networks.conf create mode 100644 unbound-local-root.conf diff --git a/unbound-as112-networks.conf b/unbound-as112-networks.conf new file mode 100644 index 0000000..96c291f --- /dev/null +++ b/unbound-as112-networks.conf 
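Review bot: The `%{gpgverify}` keyring is switched back from SOURCE22 to SOURCE19 with nothing in the spec recording why, after the 1.21.1 update earlier in this series switched it the other way; whoever does the next update has to discover by trial which maintainer signed the tarball. I would put a comment on the line, `# release tarballs are signed by different NLnet Labs maintainers: SOURCE19 (Wouter) or SOURCE22 (Yorgos)`, and consider a single keyring source holding both keys so the check does not need editing per release (if the macro accepts only one `--keyring`, the two `.asc` files can be concatenated into one source file). The check also stays inside `%if 0%{?fedora}`, so RHEL/EPEL builds skip signature verification entirely; that is pre-existing, but worth noting in the same comment.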
@@ -0,0 +1,118 @@ +# Allow forwarding of private ranges, which are marked forwardable by IANA +# https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml +# https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml +# https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml +# RFC 6303: Locally Served DNS Zones (https://www.rfc-editor.org/rfc/rfc6303.html) +# +# Using this configuration file will simplify forwarding to potentially private ranges. +# Enables forwarding of networks marked as forwardable at IANA special registry. +# This is useful when upstream forwarder may be still inside private network. That is the case +# when unbound works as a localhost DNS cache, not network wide resolver. + +server: + # RFC 8375: Special-Use Domain 'home.arpa.' + local-zone: "home.arpa." nodefault + + # RFC 1918: Address Allocation for Private Internets + local-zone: "10.in-addr.arpa." nodefault + local-zone: "16.172.in-addr.arpa." nodefault + local-zone: "17.172.in-addr.arpa." nodefault + local-zone: "18.172.in-addr.arpa." nodefault + local-zone: "19.172.in-addr.arpa." nodefault + local-zone: "20.172.in-addr.arpa." nodefault + local-zone: "21.172.in-addr.arpa." nodefault + local-zone: "22.172.in-addr.arpa." nodefault + local-zone: "23.172.in-addr.arpa." nodefault + local-zone: "24.172.in-addr.arpa." nodefault + local-zone: "25.172.in-addr.arpa." nodefault + local-zone: "26.172.in-addr.arpa." nodefault + local-zone: "27.172.in-addr.arpa." nodefault + local-zone: "28.172.in-addr.arpa." nodefault + local-zone: "29.172.in-addr.arpa." nodefault + local-zone: "30.172.in-addr.arpa." nodefault + local-zone: "31.172.in-addr.arpa." nodefault + local-zone: "168.192.in-addr.arpa." nodefault + # RFC 6598: IANA-Reserved IPv4 Prefix for Shared Address Space + local-zone: "64.100.in-addr.arpa." nodefault + local-zone: "65.100.in-addr.arpa." nodefault + local-zone: "66.100.in-addr.arpa." 
nodefault + local-zone: "67.100.in-addr.arpa." nodefault + local-zone: "68.100.in-addr.arpa." nodefault + local-zone: "69.100.in-addr.arpa." nodefault + local-zone: "70.100.in-addr.arpa." nodefault + local-zone: "71.100.in-addr.arpa." nodefault + local-zone: "72.100.in-addr.arpa." nodefault + local-zone: "73.100.in-addr.arpa." nodefault + local-zone: "74.100.in-addr.arpa." nodefault + local-zone: "75.100.in-addr.arpa." nodefault + local-zone: "76.100.in-addr.arpa." nodefault + local-zone: "77.100.in-addr.arpa." nodefault + local-zone: "78.100.in-addr.arpa." nodefault + local-zone: "79.100.in-addr.arpa." nodefault + local-zone: "80.100.in-addr.arpa." nodefault + local-zone: "81.100.in-addr.arpa." nodefault + local-zone: "82.100.in-addr.arpa." nodefault + local-zone: "83.100.in-addr.arpa." nodefault + local-zone: "84.100.in-addr.arpa." nodefault + local-zone: "85.100.in-addr.arpa." nodefault + local-zone: "86.100.in-addr.arpa." nodefault + local-zone: "87.100.in-addr.arpa." nodefault + local-zone: "88.100.in-addr.arpa." nodefault + local-zone: "89.100.in-addr.arpa." nodefault + local-zone: "90.100.in-addr.arpa." nodefault + local-zone: "91.100.in-addr.arpa." nodefault + local-zone: "92.100.in-addr.arpa." nodefault + local-zone: "93.100.in-addr.arpa." nodefault + local-zone: "94.100.in-addr.arpa." nodefault + local-zone: "95.100.in-addr.arpa." nodefault + local-zone: "96.100.in-addr.arpa." nodefault + local-zone: "97.100.in-addr.arpa." nodefault + local-zone: "98.100.in-addr.arpa." nodefault + local-zone: "99.100.in-addr.arpa." nodefault + local-zone: "100.100.in-addr.arpa." nodefault + local-zone: "101.100.in-addr.arpa." nodefault + local-zone: "102.100.in-addr.arpa." nodefault + local-zone: "103.100.in-addr.arpa." nodefault + local-zone: "104.100.in-addr.arpa." nodefault + local-zone: "105.100.in-addr.arpa." nodefault + local-zone: "106.100.in-addr.arpa." nodefault + local-zone: "107.100.in-addr.arpa." nodefault + local-zone: "108.100.in-addr.arpa." 
nodefault + local-zone: "109.100.in-addr.arpa." nodefault + local-zone: "110.100.in-addr.arpa." nodefault + local-zone: "111.100.in-addr.arpa." nodefault + local-zone: "112.100.in-addr.arpa." nodefault + local-zone: "113.100.in-addr.arpa." nodefault + local-zone: "114.100.in-addr.arpa." nodefault + local-zone: "115.100.in-addr.arpa." nodefault + local-zone: "116.100.in-addr.arpa." nodefault + local-zone: "117.100.in-addr.arpa." nodefault + local-zone: "118.100.in-addr.arpa." nodefault + local-zone: "119.100.in-addr.arpa." nodefault + local-zone: "120.100.in-addr.arpa." nodefault + local-zone: "121.100.in-addr.arpa." nodefault + local-zone: "122.100.in-addr.arpa." nodefault + local-zone: "123.100.in-addr.arpa." nodefault + local-zone: "124.100.in-addr.arpa." nodefault + local-zone: "125.100.in-addr.arpa." nodefault + local-zone: "126.100.in-addr.arpa." nodefault + local-zone: "127.100.in-addr.arpa." nodefault + + # RFC 4193: Unique Local IPv6 Unicast Addresses + local-zone: "d.f.ip6.arpa." nodefault + + # RFC 2606: Reserved Top Level DNS Names + local-zone: "test." nodefault + domain-insecure: "test" + domain-insecure: "example" + + # RFC 6762: Multicast DNS, Appendix G + domain-insecure: "local" + domain-insecure: "intranet" + domain-insecure: "private" + domain-insecure: "corp" + domain-insecure: "home" + domain-insecure: "lan" + + # draft-davies-internal-tld + domain-insecure: "internal" diff --git a/unbound-local-root.conf b/unbound-local-root.conf new file mode 100644 index 0000000..4ba5e9d --- /dev/null +++ b/unbound-local-root.conf 
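Review bot: The header comment documents the `local-zone: ... nodefault` lines but not the `domain-insecure:` block at the end of the hunk, which does something different: it tells the validator to stop requiring a DNSSEC chain of trust for `test`, `example`, `local`, `intranet`, `private`, `corp`, `home`, `lan` and `internal`, so replies for those names from a private forwarder are accepted unsigned. That is presumably intended (these names do not exist in the signed root zone, so the root's signed denial of existence would otherwise make such answers bogus), but it is a validation relaxation rather than a forwarding setting and deserves its own sentence. Suggest a comment above that group such as `# domain-insecure: DNSSEC validation is switched off for these names; they are absent from the signed root zone, so answers from an internal forwarder would otherwise be rejected as bogus.` The header's "Allow forwarding" / "Enables forwarding" wording also overstates what `nodefault` does as far as this hunk shows: it only removes unbound's built-in local zones for these ranges, and the forward-zone that actually sends them upstream still has to be configured elsewhere.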
@@ -0,0 +1,30 @@
+# Authority zones
+# The data for these zones is kept locally, from a file or downloaded.
+# The data can be served to downstream clients, or used instead of the
+# upstream (which saves a lookup to the upstream).
+#
+# Download local root copy and answer TLD queries from it. Because
+# auth-zone has higher precedence, defined forward-zones to internal
+# only TLD will not work. Use stub-zone or disable this zone.
+# Good for a network-wide resolvers, worse for a localhost caching forwarder.
+auth-zone:
+ name: "."
+ primary: 170.247.170.2 # b.root-servers.net
+ primary: 192.33.4.12 # c.root-servers.net
+ primary: 199.7.91.13 # d.root-servers.net
+ primary: 192.5.5.241 # f.root-servers.net
+ primary: 192.112.36.4 # g.root-servers.net
+ primary: 193.0.14.129 # k.root-servers.net
+ primary: 192.0.47.132 # xfr.cjr.dns.icann.org
+ primary: 192.0.32.132 # xfr.lax.dns.icann.org
+ primary: 2801:1b8:10::b # b.root-servers.net
+ primary: 2001:500:2::c # c.root-servers.net
+ primary: 2001:500:2d::d # d.root-servers.net
+ primary: 2001:500:2f::f # f.root-servers.net
+ primary: 2001:500:12::d0d # g.root-servers.net
+ primary: 2001:7fd::1 # k.root-servers.net
+ primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
+ primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org
+ fallback-enabled: yes
+ for-downstream: no
+ for-upstream: yes
diff --git a/unbound.spec b/unbound.spec
index a0718c3..4f6df3b 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -63,6 +63,8 @@ Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/ Source20: unbound.sysusers Source21: remote-control.conf Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc +Source23: unbound-as112-networks.conf +Source24: unbound-local-root.conf # Downstream configuration changes Patch1: unbound-fedora-config.patch
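Review bot: The sixteen `primary:` addresses in the `auth-zone` block are a hand-copied snapshot of the root-server list from upstream's doc/example.conf.in (the identical list appears later in this series as removed `--# primary:` lines) with nothing recording that origin, so nobody will know to refresh them when a root server is renumbered. Suggest a comment above the list, e.g. `# Address list copied from unbound's doc/example.conf.in; re-check it against upstream on every version update.` The header could also say what `fallback-enabled: yes` buys: as I read unbound.conf(5), if the AXFR/IXFR copy cannot be obtained the resolver falls back to normal recursion for the root instead of failing, which is what makes this snippet safe to offer as an opt-in.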
@@ -365,6 +367,10 @@ install -p -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/ install -p -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/ install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/ +mkdir -p %{buildroot}%{_datadir}/%{name}/conf.d +install -p -m 0644 %{SOURCE23} %{buildroot}%{_datadir}/%{name}/conf.d/ +install -p -m 0644 %{SOURCE24} %{buildroot}%{_datadir}/%{name}/conf.d/ + # Link unbound-control-setup.8 manpage to unbound-control.8 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8 @@ -436,6 +442,7 @@ popd %{_sbindir}/unbound-checkconf %{_sbindir}/unbound-control %{_sbindir}/unbound-control-setup +%{_datadir}/%{name}/ %{_mandir}/man5/* %exclude %{_mandir}/man8/unbound-anchor* %{_mandir}/man8/* From f0da98d7c6c1af7f5fc61c66a7dbec803a694922 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 14 Nov 2024 20:03:08 +0100 Subject: [PATCH 15/64] Enable SHA1 during tests to pass build with enabled SHA1 (rhbz#2255591) Internal unbound code seems to handle validation correctly. Regardless SHA1 status in openssl, it either makes result as insecure or secure. But tests fail when SHA1 is not available, because they assert expected value. The way how tests are coded, it needs to know what the status would be. OpenSSL does not provide any API to help with that. Requested on: https://issues.redhat.com/browse/RHEL-67619 Use newly discovered OpenSSL workaround to allow just test pass with SHA1 enabled. --- openssl-sha1.conf | 8 ++++++++ unbound.spec | 14 ++++---------- unbound.sysconfig | 3 +++ 3 files changed, 15 insertions(+), 10 deletions(-) create mode 100644 openssl-sha1.conf diff --git a/openssl-sha1.conf b/openssl-sha1.conf new file mode 100644 index 0000000..97a3218 --- /dev/null +++ b/openssl-sha1.conf 
@@ -0,0 +1,8 @@ +# OpenSSL configuration file to allow SHA1 validation, +# regardless of crypto-policy selected. +# Use it by adding into /etc/sysconfig/unbound: +# OPENSSL_CONF=/etc/unbound/openssl-sha1.conf +.include = /etc/ssl/openssl.cnf + +[evp_properties] +rh-allow-sha1-signatures = yes diff --git a/unbound.spec b/unbound.spec index 4f6df3b..cb8b8bb 100644 --- a/unbound.spec +++ b/unbound.spec @@ -65,6 +65,7 @@ Source21: remote-control.conf Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc Source23: unbound-as112-networks.conf Source24: unbound-local-root.conf +Source25: openssl-sha1.conf # Downstream configuration changes Patch1: unbound-fedora-config.patch @@ -265,9 +266,6 @@ autoreconf -fiv %if %{with doh} --with-libnghttp2 \ %endif -%if 0%{?rhel} || 0%{?fedora} > 40 - --disable-sha1 \ -%endif %if %{with redis} --with-libhiredis \ --enable-cachedb \ @@ -366,6 +364,7 @@ install -p -m 0644 %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/ install -p -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/ install -p -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/ install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/ +install -p -m 0644 %{SOURCE25} %{buildroot}%{_sysconfdir}/unbound/openssl-sha1.conf mkdir -p %{buildroot}%{_datadir}/%{name}/conf.d install -p -m 0644 %{SOURCE23} %{buildroot}%{_datadir}/%{name}/conf.d/ @@ -405,17 +404,11 @@ fi %systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer %check -#pushd pythonmod -#make test -#popd - +export OPENSSL_CONF="%{buildroot}%{_sysconfdir}/unbound/openssl-sha1.conf" make check %if 0%{?python_secondary:1} pushd %{dir_secondary} -#pushd pythonmod -#make test -#popd make check popd %endif 
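Review bot: The header comment of openssl-sha1.conf presents the file as enabling "SHA1 validation", but `rh-allow-sha1-signatures = yes` under `[evp_properties]` is, as far as I know, a process-wide OpenSSL property: once OPENSSL_CONF points the daemon at this file, SHA-1 signatures are accepted again for everything unbound does through OpenSSL, including TLS for DoT/DoH and for remote-control, not only DNSSEC RRSIG checks. Suggest adding `# NOTE: this re-enables SHA1 signatures for all of unbound's OpenSSL use (TLS included), not just DNSSEC validation.` to the header. The `%check` hunk on the same line only exports OPENSSL_CONF for the test run, which is the narrow use the commit message describes; it is the sysconfig hint in the next hunk that affects the running service, and the `--disable-sha1` removal in the configure hunk means the built binary now has SHA-1 DNSSEC support regardless of this file.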
@@ -428,6 +421,7 @@ popd %attr(0755,unbound,unbound) %dir %{_rundir}/%{name} %attr(0644,root,root) %{_tmpfilesdir}/unbound.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/openssl-sha1.conf %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d %attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d/*.key %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/conf.d diff --git a/unbound.sysconfig b/unbound.sysconfig index adcf8fd..9e80f14 100644 --- a/unbound.sysconfig +++ b/unbound.sysconfig @@ -5,3 +5,6 @@ UNBOUND_ANCHOR_OPTIONS="-f /etc/resolv.conf -R" # for extra debug, add "-v -v" or change verbosity: in unbound.conf UNBOUND_OPTIONS="" + +# Uncoment to validate SHA1 in any crypto policy +# OPENSSL_CONF=/etc/unbound/openssl-sha1.conf From 5591157f6a3a9e718c7b51c198485e31a02bb88e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Fri, 15 Nov 2024 09:24:04 +0100 Subject: [PATCH 16/64] Deactivate automatic root zone fetching (rhbz#2322697) Automatic maintained root zone is great for network resolvers, which are used by multiple machines. Its usage on every common device is not desired however, especially when used as localhost only cache daemon. Make it simple to activate local root zone by creating symlink in directory /etc/unbound/conf.d to /usr/share/unbound/conf.d/unbound-local-root.conf. But have it deactivated in default configuration. --- unbound-fedora-config.patch | 146 +++++++++++++++--------------------- 1 file changed, 60 insertions(+), 86 deletions(-) diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch index c039cf4..9c39596 100644 --- a/unbound-fedora-config.patch +++ b/unbound-fedora-config.patch 
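Review bot: `# Uncoment to validate SHA1 in any crypto policy` in the unbound.sysconfig hunk has a typo and undersells what the setting does; suggest `# Uncomment to accept SHA1 signatures (DNSSEC and TLS) regardless of the system crypto policy`. This is the line an administrator will actually flip, so it is the right place to say that the override applies to the whole daemon rather than to DNSSEC validation alone.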
@@ -1,7 +1,20 @@ -diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.conf.in ---- unbound-1.22.0-orig/doc/example.conf.in 2024-10-17 03:23:22.000000000 -0400 -+++ unbound-1.22.0/doc/example.conf.in 2024-10-17 11:06:58.882896891 -0400 -@@ -17,11 +17,12 @@ +From aa201e383210d02c0396d0a1375d217551c0e2bd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Fri, 15 Nov 2024 08:57:14 +0100 +Subject: [PATCH] Customize unbound.conf for Fedora defaults + +Set some Fedora/RHEL specific changes to example configuration file. By +patching upstream provided config file we would not need to manually +update external copy in source RPM. +--- + doc/example.conf.in | 152 ++++++++++++++++++++++++++++++-------------- + 1 file changed, 104 insertions(+), 48 deletions(-) + +diff --git a/doc/example.conf.in b/doc/example.conf.in +index 59090c6..33c6209 100644 +--- a/doc/example.conf.in ++++ b/doc/example.conf.in +@@ -17,11 +17,12 @@ server: # whitespace is not necessary, but looks cleaner. # verbosity number, 0 is least verbose. 1 is default. @@ -16,7 +29,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # enable shm for stats, default no. if you enable also enable # statistics-interval, every time it also writes stats to the -@@ -32,11 +33,13 @@ +@@ -32,11 +33,13 @@ server: # shm-key: 11777 # enable cumulative statistics, without clearing them after printing. @@ -33,7 +46,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Inhibits selected extended statistics (qtype, qclass, qopcode, rcode, # rpz-actions) from printing if their value is 0. -@@ -44,22 +47,35 @@ +@@ -44,22 +47,35 @@ server: # statistics-inhibit-zero: yes # number of threads to create. 1 disables threading. 
@@ -71,7 +84,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # instead of the default port, open additional ports separated by # spaces when interface-automatic is enabled, by listing them here. -@@ -94,7 +110,8 @@ +@@ -94,7 +110,8 @@ server: # permit Unbound to use this port number or port range for # making outgoing queries, using an outgoing interface. @@ -81,7 +94,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # deny Unbound the use this of port number or port range for # making outgoing queries, using an outgoing interface. -@@ -103,7 +120,9 @@ +@@ -103,7 +120,9 @@ server: # IANA-assigned port numbers. # If multiple outgoing-port-permit and outgoing-port-avoid options # are present, they are processed in order. @@ -92,7 +105,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # number of outgoing simultaneous tcp buffers to hold per thread. # outgoing-num-tcp: 10 -@@ -121,12 +140,12 @@ +@@ -121,12 +140,12 @@ server: # use SO_REUSEPORT to distribute queries over threads. # at extreme load it could be better to turn it off to distribute even. @@ -107,7 +120,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # use IP_FREEBIND so the interface: addresses can be non-local # and you can bind to nonexisting IPs and interfaces that are down. -@@ -285,6 +304,8 @@ +@@ -285,6 +304,8 @@ server: # nat64-prefix: 64:ff9b::0/96 # Enable UDP, "yes" or "no". @@ -116,7 +129,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # do-udp: yes # Enable TCP, "yes" or "no". -@@ -310,7 +331,7 @@ +@@ -310,7 +331,7 @@ server: # tcp-idle-timeout: 30000 # Enable EDNS TCP keepalive option. 
@@ -125,7 +138,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Timeout for EDNS TCP keepalive, in msec. Overrides tcp-idle-timeout # if edns-tcp-keepalive is set. -@@ -320,6 +341,9 @@ +@@ -320,6 +341,9 @@ server: # can be dropped. Default is 0, disabled. In seconds, such as 3. # sock-queue-timeout: 0 @@ -135,7 +148,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Use systemd socket activation for UDP, TCP, and control sockets. # use-systemd: no -@@ -433,6 +457,7 @@ +@@ -433,6 +457,7 @@ server: # # If you give "" no chroot is performed. The path must not end in a /. # chroot: "@UNBOUND_CHROOT_DIR@" @@ -143,7 +156,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # if given, user privileges are dropped (after binding port), # and the given username is assumed. Default is user "unbound". -@@ -444,7 +469,7 @@ +@@ -444,7 +469,7 @@ server: # is not changed. # If you give a server: directory: dir before include: file statements # then those includes can be relative to the working directory. @@ -152,7 +165,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # the log file, "" means log to stderr. # Use of this option sets use-syslog to "no". -@@ -459,7 +484,7 @@ +@@ -459,7 +484,7 @@ server: # log-identity: "" # print UTC timestamp in ascii to logfile, default is epoch in seconds. @@ -161,7 +174,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # log timestamp in ISO8601 format if also log-time-ascii is enabled. # (y-m-dTh:m:s.msec[+-]tzhours:tzminutes) -@@ -532,13 +557,13 @@ +@@ -532,13 +557,13 @@ server: # harden-short-bufsize: yes # Harden against unseemly large queries. 
@@ -177,7 +190,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Harden against receiving dnssec-stripped data. If you turn it # off, failing to validate dnskey data for a trustanchor will -@@ -553,7 +578,7 @@ +@@ -553,7 +578,7 @@ server: # infrastructure data. Validates the replies (if possible). # Default off, because the lookups burden the server. Experimental # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. @@ -186,7 +199,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Harden against algorithm downgrade when multiple algorithms are # advertised in the DS record. If no, allows the weakest algorithm -@@ -567,7 +592,7 @@ +@@ -567,7 +592,7 @@ server: # Sent minimum amount of information to upstream servers to enhance # privacy. Only sent minimum required labels of the QNAME and set QTYPE # to A when possible. @@ -195,7 +208,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # QNAME minimisation in strict mode. Do not fall-back to sending full # QNAME to potentially broken nameservers. A lot of domains will not be -@@ -577,7 +602,7 @@ +@@ -577,7 +602,7 @@ server: # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN # and other denials, using information from previous NXDOMAINs answers. @@ -204,7 +217,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. -@@ -610,7 +635,7 @@ +@@ -610,7 +635,7 @@ server: # threshold, a warning is printed and a defensive action is taken, # the cache is cleared to flush potential poison out of it. # A suggested value is 10000000, the default is 0 (turned off). 
@@ -213,7 +226,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Do not query the following addresses. No DNS queries are sent there. # List one address per entry. List classless netblocks with /size, -@@ -622,20 +647,20 @@ +@@ -622,20 +647,20 @@ server: # do-not-query-localhost: yes # if yes, perform prefetching of almost expired message cache entries. @@ -239,7 +252,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # true to disable DNSSEC lameness check in iterator. # disable-dnssec-lame-check: no -@@ -645,7 +670,9 @@ +@@ -645,7 +670,9 @@ server: # most modules have to be listed at the beginning of the line, # except cachedb(just before iterator), and python (at the beginning, # or, just before the iterator). @@ -250,7 +263,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # File with trusted keys, kept uptodate using RFC5011 probes, # initial file like trust-anchor-file, then it stores metadata. -@@ -659,10 +686,10 @@ +@@ -659,10 +686,10 @@ server: # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" # trust anchor signaling sends a RFC8145 key tag query after priming. @@ -263,7 +276,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # File with trusted keys for validation. Specify more than one file # with several entries, one file per entry. -@@ -683,6 +710,9 @@ +@@ -683,6 +710,9 @@ server: # the trusted-keys { name flag proto algo "key"; }; clauses are read. # you need external update procedures to track changes in keys. # trusted-keys-file: "" 
@@ -273,7 +286,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Ignore chain of trust. Domain is treated as insecure. # domain-insecure: "example.com" -@@ -710,14 +740,15 @@ +@@ -710,14 +740,15 @@ server: # unsecure data. Useful to shield the users of this validator from # potential bogus data in the additional section. All unsigned data # in the additional section is removed from secure messages. @@ -291,7 +304,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Ignore the CD flag in incoming queries and refuse them bogus data. # Enable it if the only clients of Unbound are legacy servers (w2008) -@@ -731,11 +762,11 @@ +@@ -731,11 +762,11 @@ server: # Serve expired responses from cache, with serve-expired-reply-ttl in # the response, and then attempt to fetch the data afresh. @@ -305,7 +318,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # # Set the TTL of expired records to the serve-expired-ttl value after a # failed attempt to retrieve the record from upstream. This makes sure -@@ -762,7 +793,7 @@ +@@ -762,7 +793,7 @@ server: # Have the validator log failed validations for your diagnosis. # 0: off. 1: A line per failed user query. 2: With reason and bad IP. @@ -314,7 +327,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # It is possible to configure NSEC3 maximum iteration counts per # keysize. Keep this table very short, as linear search is done. -@@ -906,6 +937,8 @@ +@@ -906,6 +937,8 @@ server: # you need to do the reverse notation yourself. # local-data-ptr: "192.0.2.3 www.example.com" 
@@ -323,7 +336,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # tag a localzone with a list of tag names (in "" with spaces between) # local-zone-tag: "example.com" "tag2 tag3" -@@ -916,8 +949,8 @@ +@@ -916,8 +949,8 @@ server: # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. # Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. @@ -334,7 +347,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # tls-port: 853 # https-port: 443 # quic-port: 853 -@@ -926,6 +959,8 @@ +@@ -926,6 +959,8 @@ server: # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" # cipher setting for TLSv1.3 # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" @@ -343,7 +356,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Pad responses to padded queries received over TLS # pad-responses: yes -@@ -1070,12 +1105,14 @@ +@@ -1070,12 +1105,14 @@ server: # cookie-secret-file: "/usr/local/etc/unbound_cookiesecrets.txt" # Enable to attach Extended DNS Error codes (RFC8914) to responses. @@ -360,7 +373,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Specific options for ipsecmod. Unbound needs to be configured with # --enable-ipsecmod for these to take effect. -@@ -1083,12 +1120,14 @@ +@@ -1083,12 +1120,14 @@ server: # Enable or disable ipsecmod (it still needs to be defined in # module-config above). Can be used when ipsecmod needs to be # enabled/disabled via remote-control(below). 
@@ -378,7 +391,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # When enabled Unbound will reply with SERVFAIL if the return value of # the ipsecmod-hook is not 0. # ipsecmod-strict: no -@@ -1121,7 +1160,7 @@ +@@ -1121,7 +1160,7 @@ server: # o and give a python-script to run. python: # Script file to load @@ -387,7 +400,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Dynamic library config section. To enable: # o use --with-dynlibmodule to configure before compiling. -@@ -1132,13 +1171,14 @@ +@@ -1132,13 +1171,14 @@ python: # the module-config then you need one dynlib-file per instance. dynlib: # Script file to load @@ -404,7 +417,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # what interfaces are listened to for remote control. # give 0.0.0.0 and ::0 to listen to all interfaces. -@@ -1146,6 +1186,7 @@ +@@ -1146,6 +1186,7 @@ remote-control: # are not used for that, so key and cert files need not be present. # control-interface: 127.0.0.1 # control-interface: ::1 @@ -412,7 +425,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # port number for remote control operations. # control-port: 8953 -@@ -1155,16 +1196,19 @@ +@@ -1155,16 +1196,19 @@ remote-control: # control-use-cert: "yes" # Unbound server key file. @@ -436,7 +449,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Stub zones. # Create entries like below, to make all queries for 'example.com' and -@@ -1186,6 +1230,10 @@ +@@ -1186,6 +1230,10 @@ remote-control: # name: "example.org" # stub-host: ns.example.com. 
@@ -447,7 +460,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Forward zones # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of servers. These servers have to handle -@@ -1203,6 +1251,10 @@ +@@ -1203,6 +1251,10 @@ remote-control: # forward-zone: # name: "example.org" # forward-host: fwd.example.com 
@@ -458,57 +471,15 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Authority zones # The data for these zones is kept locally, from a file or downloaded. -@@ -1213,27 +1265,28 @@ - # download it), primary: fetches with AXFR and IXFR, or url to zonefile. - # With allow-notify: you can give additional (apart from primaries and urls) - # sources of notifies. --# auth-zone: --# name: "." --# primary: 170.247.170.2 # b.root-servers.net --# primary: 192.33.4.12 # c.root-servers.net --# primary: 199.7.91.13 # d.root-servers.net --# primary: 192.5.5.241 # f.root-servers.net --# primary: 192.112.36.4 # g.root-servers.net --# primary: 193.0.14.129 # k.root-servers.net --# primary: 192.0.47.132 # xfr.cjr.dns.icann.org --# primary: 192.0.32.132 # xfr.lax.dns.icann.org --# primary: 2801:1b8:10::b # b.root-servers.net --# primary: 2001:500:2::c # c.root-servers.net --# primary: 2001:500:2d::d # d.root-servers.net --# primary: 2001:500:2f::f # f.root-servers.net --# primary: 2001:500:12::d0d # g.root-servers.net --# primary: 2001:7fd::1 # k.root-servers.net --# primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org --# primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org --# fallback-enabled: yes --# for-downstream: no --# for-upstream: yes -+ auth-zone: -+ name: "." 
-+ primary: 170.247.170.2 # b.root-servers.net -+ primary: 192.33.4.12 # c.root-servers.net -+ primary: 199.7.91.13 # d.root-servers.net -+ primary: 192.5.5.241 # f.root-servers.net -+ primary: 192.112.36.4 # g.root-servers.net -+ primary: 193.0.14.129 # k.root-servers.net -+ primary: 192.0.47.132 # xfr.cjr.dns.icann.org -+ primary: 192.0.32.132 # xfr.lax.dns.icann.org -+ primary: 2801:1b8:10::b # b.root-servers.net -+ primary: 2001:500:2::c # c.root-servers.net -+ primary: 2001:500:2d::d # d.root-servers.net -+ primary: 2001:500:2f::f # f.root-servers.net -+ primary: 2001:500:12::d0d # g.root-servers.net -+ primary: 2001:7fd::1 # k.root-servers.net -+ primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org -+ primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org -+ fallback-enabled: yes -+ for-downstream: no -+ for-upstream: yes +@@ -1234,6 +1286,7 @@ remote-control: + # fallback-enabled: yes + # for-downstream: no + # for-upstream: yes + # auth-zone: # name: "example.org" # for-downstream: yes -@@ -1259,6 +1312,9 @@ +@@ -1259,6 +1312,9 @@ remote-control: # name: "anotherview" # local-zone: "example.com" refuse @@ -518,7 +489,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # DNSCrypt # To enable, use --enable-dnscrypt to configure before compiling. # Caveats: -@@ -1338,7 +1394,7 @@ +@@ -1338,7 +1394,7 @@ remote-control: # dnstap-enable: no # # if set to yes frame streams will be used in bidirectional mode # dnstap-bidirectional: yes @@ -527,3 +498,6 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # # if "" use the unix socket in dnstap-socket-path, otherwise, # # set it to "IPaddress[@port]" of the destination. # dnstap-ip: "" +-- +2.47.0 + From e121fcf04fb9ba27c7c4e0d4c51b0d208bd844ea Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Fri, 15 Nov 2024 11:59:34 +0100
Subject: [PATCH 17/64] Move remote-control configuration to vendor directory
Keep just simple include stub at original place. Add also enabling of remote control into the same file. Makes it possible to be used directly by unbound-control command.
---
 remote-control-include.conf | 4 ++++
 remote-control.conf | 27 ++++++++++++++++++++++-----
 unbound.spec | 4 +++-
 3 files changed, 29 insertions(+), 6 deletions(-)
 create mode 100644 remote-control-include.conf
diff --git a/remote-control-include.conf b/remote-control-include.conf
new file mode 100644
index 0000000..5688480
--- /dev/null
+++ b/remote-control-include.conf
@@ -0,0 +1,4 @@
+# Previous defaults allowed any process to change settings, CVE-2023-1488
+# If you want to modify remote configuration, replace this file with
+# contents of included file and modify afterwards.
+include: "/usr/share/unbound/conf.d/remote-control.conf"
diff --git a/remote-control.conf b/remote-control.conf
index 4561a63..6f6942e 100644
--- a/remote-control.conf
+++ b/remote-control.conf
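Review bot: The stub's comment in remote-control-include.conf does not mention that the included vendor file now turns remote control on (`control-enable: yes` is added to remote-control.conf in the next hunk of this commit), so an administrator reading /etc/unbound/conf.d/remote-control.conf sees only a CVE reference and a path. Suggest adding `# The included file enables remote control over the unix socket /run/unbound/control; socket permissions are the access control.` after the first line, and tightening the second sentence to `# If you want to modify the remote-control configuration, replace this file with the contents of the included file and edit that copy.` The include path is a literal while the spec installs its target via `%{_datadir}/%{name}/conf.d/` (later hunk in the same commit); they agree on a standard layout, but a comment noting that they must stay in sync would keep them from drifting.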
@@ -1,9 +1,26 @@ # Remote control config section update. # Previous defaults allowed any process to change settings, CVE-2023-1488 +# This file can be used also by: unbound-control -c remote-control: - # set to an absolute path to use a unix local name pipe, certificates - # are not used for that, so key and cert files need not be present. - control-interface: "/run/unbound/control" + # Enable remote control with unbound-control(8) here. + # set up the keys and certificates with unbound-control-setup. + control-enable: yes - # For local sockets this option is ignored, and TLS is not used. - control-use-cert: "yes" + # set to an absolute path to use a unix local name pipe, certificates + # are not used for that, so key and cert files need not be present. + control-interface: "/run/unbound/control" + + # For local sockets this option is ignored, and TLS is not used. + control-use-cert: "yes" + + # Unbound server key file. + server-key-file: "/etc/unbound/unbound_server.key" + + # Unbound server certificate file. + server-cert-file: "/etc/unbound/unbound_server.pem" + + # unbound-control key file. + control-key-file: "/etc/unbound/unbound_control.key" + + # unbound-control certificate file. + control-cert-file: "/etc/unbound/unbound_control.pem" diff --git a/unbound.spec b/unbound.spec index cb8b8bb..32eec1e 100644 --- a/unbound.spec +++ b/unbound.spec @@ -66,6 +66,7 @@ Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc Source23: unbound-as112-networks.conf Source24: unbound-local-root.conf Source25: openssl-sha1.conf +Source26: remote-control-include.conf # Downstream configuration changes Patch1: unbound-fedora-config.patch 
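Review bot: The four key/cert path settings added at the end of the remote-control.conf hunk are documented only by restating their names, while the file's own comment a few lines above says that for a unix socket `control-use-cert` is ignored and TLS is not used, so with the shipped `control-interface: "/run/unbound/control"` these paths have no effect. A comment such as `# The key and certificate paths below only matter if control-interface is changed to an IP address; the unix socket is protected by file permissions, not TLS.` would stop a reader from assuming the socket is certificate-protected. The new `# This file can be used also by: unbound-control -c` line is the reason the paths are here at all; saying so (`# ... so unbound-control -c can find the same key/cert paths`) would make that explicit.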
@@ -363,10 +364,11 @@ mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d}
 install -p -m 0644 %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
 install -p -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
 install -p -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
-install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/
+install -p -m 0644 %{SOURCE26} %{buildroot}%{_sysconfdir}/unbound/conf.d/remote-control.conf
 install -p -m 0644 %{SOURCE25} %{buildroot}%{_sysconfdir}/unbound/openssl-sha1.conf
 mkdir -p %{buildroot}%{_datadir}/%{name}/conf.d
+install -p -m 0644 %{SOURCE21} %{buildroot}%{_datadir}/%{name}/conf.d/
 install -p -m 0644 %{SOURCE23} %{buildroot}%{_datadir}/%{name}/conf.d/
 install -p -m 0644 %{SOURCE24} %{buildroot}%{_datadir}/%{name}/conf.d/
From 524bcf06fe07ab93ec3d3c90f1a06b698d0c24c5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Fri, 15 Nov 2024 14:55:19 +0100 Subject: [PATCH 18/64] Move defaults to separate configuration file Place distribution defaults into file provided in /usr/share/unbound. Include that file from default configuration before conf.d/*.conf is included, to ensure similar order is kept. Rely on remote-control to be configured by conf.d/remote-control.conf only. Moved parts from orinal unbound.conf to single file together.
---
 fedora-defaults.conf | 225 +++++++++++++++++++ unbound-fedora-config.patch | 430 ++---------------------------------- unbound.spec | 3 + 3 files changed, 248 insertions(+), 410 deletions(-) create mode 100644 fedora-defaults.conf
diff --git a/fedora-defaults.conf b/fedora-defaults.conf new file mode 100644
index 0000000..ccbc20a
--- /dev/null
+++ b/fedora-defaults.conf
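Review bot: The stub `%{SOURCE26}` is installed under the new name `remote-control.conf` in `%{_sysconfdir}/unbound/conf.d/`, and the stub's own text invites the admin to replace that file with a customized copy; whether `%files` marks it `%config(noreplace)` is outside this hunk, and without that an update would put the stub back and silently revert the admin's remote-control settings to the vendor file. Worth a check, and a comment on the install line such as `# stub in /etc, real remote-control defaults under %{_datadir}` would make the renamed destination less surprising next to the `%{SOURCE21}` move two lines down.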
@@ -0,0 +1,225 @@ +# Fedora distribution defaults + +server: + # verbosity number, 0 is least verbose. 1 is default. + verbosity: 1 + + # print statistics to the log (for every thread) every N seconds. + # Set to "" or 0 to disable. Default is disabled. + # Needs to be disabled for munin plugin + statistics-interval: 0 + + # enable cumulative statistics, without clearing them after printing. + # Needs to be disabled for munin plugin + statistics-cumulative: no + + # enable extended statistics (query types, answer codes, status) + # Needs to be enabled for munin plugin + extended-statistics: yes + + # number of threads to create. 1 disables threading. + # num-threads: 1 + num-threads: 4 + + # specify the interfaces to answer queries from by ip-address. + # The default is to listen to localhost (127.0.0.1 and ::1). + # specify 0.0.0.0 and ::0 to bind to all available interfaces. + # specify every interface[@port] on a new 'interface:' labelled line. + # The listen interfaces are not changed on reload, only on restart. + # interface: 0.0.0.0 + # interface: ::0 + # interface: 192.0.2.153 + # interface: 192.0.2.154 + # interface: 192.0.2.154@5003 + # interface: 2001:DB8::5 + # interface: eth0@5003 + # + # for dns over tls and raw dns over port 80 + # interface: 0.0.0.0@443 + # interface: ::0@443 + # interface: 0.0.0.0@80 + # interface: ::0@80 + + # enable this feature to copy the source address of queries to reply. + # Socket options are not supported on all platforms. experimental. + # interface-automatic: yes + # + # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0 + # NOTE: Disabled per Fedora policy not to listen to * on default install + # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled + interface-automatic: no + + # permit Unbound to use this port number or port range for + # making outgoing queries, using an outgoing interface. 
+ # Only ephemeral ports are allowed by SElinux + outgoing-port-permit: 32768-60999 + + # IANA-assigned port numbers. + # If multiple outgoing-port-permit and outgoing-port-avoid options + # are present, they are processed in order. + # Our SElinux policy does not allow non-ephemeral ports to be used + outgoing-port-avoid: 0-32767 + outgoing-port-avoid: 61000-65535 + + # use SO_REUSEPORT to distribute queries over threads. + # at extreme load it could be better to turn it off to distribute even. + so-reuseport: yes + + # use IP_TRANSPARENT so the interface: addresses can be non-local + # and you can config non-existing IPs that are going to work later on + # (uses IP_BINDANY on FreeBSD). + ip-transparent: yes + + # Enable UDP, "yes" or "no". + # NOTE: if setting up an Unbound on tls443 for public use, you might want to + # disable UDP to avoid being used in DNS amplification attacks. + # do-udp: yes + + # Enable EDNS TCP keepalive option. + edns-tcp-keepalive: yes + + # Fedora note: do not activate this - not compiled in because + # it causes frequent unbound crashes. Also, socket activation + # is bad when you have things like dnsmasq also running with libvirt. + # Use systemd socket activation for UDP, TCP, and control sockets. + # use-systemd: no + + # If you give a server: directory: dir before include: file statements + # then those includes can be relative to the working directory. + directory: "/etc/unbound" + + # print UTC timestamp in ascii to logfile, default is epoch in seconds. + log-time-ascii: yes + + # Harden against unseemly large queries. + harden-large-queries: yes + + # Harden against unverified (outside-zone, including sibling zone) glue rrsets + harden-unverified-glue: yes + + # Default off, because the lookups burden the server. Experimental + # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. + harden-referral-path: yes + + # Sent minimum amount of information to upstream servers to enhance + # privacy. 
Only sent minimum required labels of the QNAME and set QTYPE + # to A when possible. + qname-minimisation: yes + + # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN + # and other denials, using information from previous NXDOMAINs answers. + aggressive-nsec: yes + + # threshold, a warning is printed and a defensive action is taken, + # the cache is cleared to flush potential poison out of it. + # A suggested value is 10000000, the default is 0 (turned off). + unwanted-reply-threshold: 10000000 + + # if yes, perform prefetching of almost expired message cache entries. + prefetch: yes + + # if yes, perform key lookups adjacent to normal lookups. + prefetch-key: yes + + # deny queries of type ANY with an empty response. + deny-any: yes + + # if yes, Unbound rotates RRSet order in response. + rrset-roundrobin: yes + + # if yes, Unbound doesn't insert authority/additional sections + # into response messages when those sections are not required. + minimal-responses: yes + + # module configuration of the server. A string with identifiers + # separated by spaces. Syntax: "[dns64] [validator] iterator" + # most modules have to be listed at the beginning of the line, + # except cachedb(just before iterator), and python (at the beginning, + # or, just before the iterator). + # For redis cachedb use: + # "ipsecmod validator cachedb iterator" + module-config: "ipsecmod validator iterator" + + # trust anchor signaling sends a RFC8145 key tag query after priming. + trust-anchor-signaling: yes + + # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel) + root-key-sentinel: yes + + # the trusted-keys { name flag proto algo "key"; }; clauses are read. + # you need external update procedures to track changes in keys. + # trusted-keys-file: "" + # + trusted-keys-file: /etc/unbound/keys.d/*.key + auto-trust-anchor-file: "/var/lib/unbound/root.key" + + # Should additional section of secure message also be kept clean of + # unsecure data. 
Useful to shield the users of this validator from + # potential bogus data in the additional section. All unsigned data + # in the additional section is removed from secure messages. + val-clean-additional: yes + + # Turn permissive mode on to permit bogus messages. Thus, messages + # for which security checks failed will be returned to clients, + # instead of SERVFAIL. It still performs the security checks, which + # result in interesting log files and possibly the AD bit in + # replies if the message is found secure. The default is off. + # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY + val-permissive-mode: no + + # Serve expired responses from cache, with serve-expired-reply-ttl in + # the response, and then attempt to fetch the data afresh. + serve-expired: yes + + # Limit serving of expired responses to configured seconds after + # expiration. 0 disables the limit. + serve-expired-ttl: 14400 + + # Have the validator log failed validations for your diagnosis. + # 0: off. 1: A line per failed user query. 2: With reason and bad IP. + val-log-level: 1 + + # service clients over TLS (on the TCP sockets) with plain DNS inside + # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. + # Give the certificate to use and private key. + # default is "" (disabled). requires restart to take effect. + # tls-service-key: "/etc/unbound/unbound_server.key" + # tls-service-pem: "/etc/unbound/unbound_server.pem" + + # Fedora/RHEL: use system-wide crypto policies + tls-ciphers: "PROFILE=SYSTEM" + + # Enable to attach Extended DNS Error codes (RFC8914) to responses. + # Fedora defaults to yes. + ede: yes + + # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale + # Answer as EDNS0 option to expired responses. + # Note that the ede option above needs to be enabled for this to work. + # Fedora defaults to yes. + ede-serve-expired: yes + + # Enable or disable ipsecmod (it still needs to be defined in + # module-config above). 
Can be used when ipsecmod needs to be + # enabled/disabled via remote-control(below). + # Fedora: module will be enabled on-demand by libreswan + ipsecmod-enabled: no + + # Path to executable external hook. It must be defined when ipsecmod is + # listed in module-config (above). + ipsecmod-hook: /usr/libexec/ipsec/_unbound-hook + +python: + # Script file to load + # python-script: "/etc/unbound/ubmodule-tst.py" + +# Remote control config section moved into own remote-control.conf + +# the module-config then you need one dynlib-file per instance. +dynlib: + # Script file to load + # dynlib-file: "/etc/unbound/dynlib.so" + +# Fedora: DNSCrypt support not enabled since it requires linking to +# another crypto library +# diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch index 9c39596..be28920 100644 --- a/unbound-fedora-config.patch +++ b/unbound-fedora-config.patch @@ -1,60 +1,20 @@ -From aa201e383210d02c0396d0a1375d217551c0e2bd Mon Sep 17 00:00:00 2001 +From 6e2d042505a006ab5fd703631661e68d1cdc66df Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= -Date: Fri, 15 Nov 2024 08:57:14 +0100 +Date: Fri, 15 Nov 2024 13:25:34 +0100 Subject: [PATCH] Customize unbound.conf for Fedora defaults Set some Fedora/RHEL specific changes to example configuration file. By patching upstream provided config file we would not need to manually update external copy in source RPM. --- - doc/example.conf.in | 152 ++++++++++++++++++++++++++++++-------------- - 1 file changed, 104 insertions(+), 48 deletions(-) + doc/example.conf.in | 33 +++++++++++++++++++++++++++++++-- + 1 file changed, 31 insertions(+), 2 deletions(-) diff --git a/doc/example.conf.in b/doc/example.conf.in -index 59090c6..33c6209 100644 +index 59090c6..3a86809 100644 --- a/doc/example.conf.in 
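Review bot: The comment line `# the module-config then you need one dynlib-file per instance.` just above `dynlib:` is the tail of a sentence whose first half was not carried over from example.conf, so it reads as a fragment; either drop it or restate it whole, e.g. `# Dynamic library module; one dynlib-file is needed per dynlib instance listed in module-config.` The same file quotes most paths but leaves `trusted-keys-file: /etc/unbound/keys.d/*.key` and `ipsecmod-hook: /usr/libexec/ipsec/_unbound-hook` bare while `auto-trust-anchor-file: "/var/lib/unbound/root.key"` on the very next line is quoted; one convention is easier to grep and to diff against upstream. `harden-referral-path: yes` keeps only the upstream text `Default off, because the lookups burden the server. Experimental`, which now argues against the value set directly under it; a one-line `# Fedora: enabled on purpose` with the reason would help whoever later sees the extra lookups in the logs.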
+++ b/doc/example.conf.in -@@ -17,11 +17,12 @@ server: - # whitespace is not necessary, but looks cleaner. - - # verbosity number, 0 is least verbose. 1 is default. -- # verbosity: 1 -+ verbosity: 1 - - # print statistics to the log (for every thread) every N seconds. - # Set to "" or 0 to disable. Default is disabled. -- # statistics-interval: 0 -+ # Needs to be disabled for munin plugin -+ statistics-interval: 0 - - # enable shm for stats, default no. if you enable also enable - # statistics-interval, every time it also writes stats to the -@@ -32,11 +33,13 @@ server: - # shm-key: 11777 - - # enable cumulative statistics, without clearing them after printing. -- # statistics-cumulative: no -+ # Needs to be disabled for munin plugin -+ statistics-cumulative: no - - # enable extended statistics (query types, answer codes, status) -- # printed from unbound-control. Default off, because of speed. -- # extended-statistics: no -+ # printed from unbound-control. default off, because of speed. -+ # Needs to be enabled for munin plugin -+ extended-statistics: yes - - # Inhibits selected extended statistics (qtype, qclass, qopcode, rcode, - # rpz-actions) from printing if their value is 0. -@@ -44,22 +47,35 @@ server: - # statistics-inhibit-zero: yes - - # number of threads to create. 1 disables threading. -- # num-threads: 1 -+ num-threads: 4 - - # specify the interfaces to answer queries from by ip-address. - # The default is to listen to localhost (127.0.0.1 and ::1). +@@ -51,11 +51,19 @@ server: # specify 0.0.0.0 and ::0 to bind to all available interfaces. # specify every interface[@port] on a new 'interface:' labelled line. # The listen interfaces are not changed on reload, only on restart. 
@@ -74,53 +34,7 @@ index 59090c6..33c6209 100644 # enable this feature to copy the source address of queries to reply. # Socket options are not supported on all platforms. experimental. -- # interface-automatic: no -+ # interface-automatic: yes -+ # -+ # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0 -+ # NOTE: Disabled per Fedora policy not to listen to * on default install -+ # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled -+ interface-automatic: no - - # instead of the default port, open additional ports separated by - # spaces when interface-automatic is enabled, by listing them here. -@@ -94,7 +110,8 @@ server: - - # permit Unbound to use this port number or port range for - # making outgoing queries, using an outgoing interface. -- # outgoing-port-permit: 32768 -+ # Only ephemeral ports are allowed by SElinux -+ outgoing-port-permit: 32768-60999 - - # deny Unbound the use this of port number or port range for - # making outgoing queries, using an outgoing interface. -@@ -103,7 +120,9 @@ server: - # IANA-assigned port numbers. - # If multiple outgoing-port-permit and outgoing-port-avoid options - # are present, they are processed in order. -- # outgoing-port-avoid: "3200-3208" -+ # Our SElinux policy does not allow non-ephemeral ports to be used -+ outgoing-port-avoid: 0-32767 -+ outgoing-port-avoid: 61000-65535 - - # number of outgoing simultaneous tcp buffers to hold per thread. - # outgoing-num-tcp: 10 -@@ -121,12 +140,12 @@ server: - - # use SO_REUSEPORT to distribute queries over threads. - # at extreme load it could be better to turn it off to distribute even. -- # so-reuseport: yes -+ so-reuseport: yes - - # use IP_TRANSPARENT so the interface: addresses can be non-local - # and you can config non-existing IPs that are going to work later on - # (uses IP_BINDANY on FreeBSD). 
-- # ip-transparent: no -+ ip-transparent: yes - - # use IP_FREEBIND so the interface: addresses can be non-local - # and you can bind to nonexisting IPs and interfaces that are down. -@@ -285,6 +304,8 @@ server: +@@ -285,6 +293,8 @@ server: # nat64-prefix: 64:ff9b::0/96 # Enable UDP, "yes" or "no". @@ -129,16 +43,7 @@ index 59090c6..33c6209 100644 # do-udp: yes # Enable TCP, "yes" or "no". -@@ -310,7 +331,7 @@ server: - # tcp-idle-timeout: 30000 - - # Enable EDNS TCP keepalive option. -- # edns-tcp-keepalive: no -+ edns-tcp-keepalive: yes - - # Timeout for EDNS TCP keepalive, in msec. Overrides tcp-idle-timeout - # if edns-tcp-keepalive is set. -@@ -320,6 +341,9 @@ server: +@@ -320,6 +330,9 @@ server: # can be dropped. Default is 0, disabled. In seconds, such as 3. # sock-queue-timeout: 0 
@@ -148,186 +53,7 @@ index 59090c6..33c6209 100644 # Use systemd socket activation for UDP, TCP, and control sockets. # use-systemd: no -@@ -433,6 +457,7 @@ server: - # - # If you give "" no chroot is performed. The path must not end in a /. - # chroot: "@UNBOUND_CHROOT_DIR@" -+ chroot: "" - - # if given, user privileges are dropped (after binding port), - # and the given username is assumed. Default is user "unbound". -@@ -444,7 +469,7 @@ server: - # is not changed. - # If you give a server: directory: dir before include: file statements - # then those includes can be relative to the working directory. -- # directory: "@UNBOUND_RUN_DIR@" -+ directory: "/etc/unbound" - - # the log file, "" means log to stderr. - # Use of this option sets use-syslog to "no". -@@ -459,7 +484,7 @@ server: - # log-identity: "" - - # print UTC timestamp in ascii to logfile, default is epoch in seconds. -- # log-time-ascii: no -+ log-time-ascii: yes - - # log timestamp in ISO8601 format if also log-time-ascii is enabled. - # (y-m-dTh:m:s.msec[+-]tzhours:tzminutes) -@@ -532,13 +557,13 @@ server: - # harden-short-bufsize: yes - - # Harden against unseemly large queries. -- # harden-large-queries: no -+ harden-large-queries: yes - - # Harden against out of zone rrsets, to avoid spoofing attempts. - # harden-glue: yes - - # Harden against unverified (outside-zone, including sibling zone) glue rrsets -- # harden-unverified-glue: no -+ harden-unverified-glue: yes - - # Harden against receiving dnssec-stripped data. If you turn it - # off, failing to validate dnskey data for a trustanchor will -@@ -553,7 +578,7 @@ server: - # infrastructure data. Validates the replies (if possible). - # Default off, because the lookups burden the server. Experimental - # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. -- # harden-referral-path: no -+ harden-referral-path: yes - - # Harden against algorithm downgrade when multiple algorithms are - # advertised in the DS record. 
If no, allows the weakest algorithm -@@ -567,7 +592,7 @@ server: - # Sent minimum amount of information to upstream servers to enhance - # privacy. Only sent minimum required labels of the QNAME and set QTYPE - # to A when possible. -- # qname-minimisation: yes -+ qname-minimisation: yes - - # QNAME minimisation in strict mode. Do not fall-back to sending full - # QNAME to potentially broken nameservers. A lot of domains will not be -@@ -577,7 +602,7 @@ server: - - # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN - # and other denials, using information from previous NXDOMAINs answers. -- # aggressive-nsec: yes -+ aggressive-nsec: yes - - # Use 0x20-encoded random bits in the query to foil spoof attempts. - # This feature is an experimental implementation of draft dns-0x20. -@@ -610,7 +635,7 @@ server: - # threshold, a warning is printed and a defensive action is taken, - # the cache is cleared to flush potential poison out of it. - # A suggested value is 10000000, the default is 0 (turned off). -- # unwanted-reply-threshold: 0 -+ unwanted-reply-threshold: 10000000 - - # Do not query the following addresses. No DNS queries are sent there. - # List one address per entry. List classless netblocks with /size, -@@ -622,20 +647,20 @@ server: - # do-not-query-localhost: yes - - # if yes, perform prefetching of almost expired message cache entries. -- # prefetch: no -+ prefetch: yes - - # if yes, perform key lookups adjacent to normal lookups. -- # prefetch-key: no -+ prefetch-key: yes - - # deny queries of type ANY with an empty response. -- # deny-any: no -+ deny-any: yes - - # if yes, Unbound rotates RRSet order in response. -- # rrset-roundrobin: yes -+ rrset-roundrobin: yes - - # if yes, Unbound doesn't insert authority/additional sections - # into response messages when those sections are not required. -- # minimal-responses: yes -+ minimal-responses: yes - - # true to disable DNSSEC lameness check in iterator. 
- # disable-dnssec-lame-check: no -@@ -645,7 +670,9 @@ server: - # most modules have to be listed at the beginning of the line, - # except cachedb(just before iterator), and python (at the beginning, - # or, just before the iterator). -- # module-config: "validator iterator" -+ # For redis cachedb use: -+ # "ipsecmod validator cachedb iterator" -+ module-config: "ipsecmod validator iterator" - - # File with trusted keys, kept uptodate using RFC5011 probes, - # initial file like trust-anchor-file, then it stores metadata. -@@ -659,10 +686,10 @@ server: - # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" - - # trust anchor signaling sends a RFC8145 key tag query after priming. -- # trust-anchor-signaling: yes -+ trust-anchor-signaling: yes - - # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel) -- # root-key-sentinel: yes -+ root-key-sentinel: yes - - # File with trusted keys for validation. Specify more than one file - # with several entries, one file per entry. -@@ -683,6 +710,9 @@ server: - # the trusted-keys { name flag proto algo "key"; }; clauses are read. - # you need external update procedures to track changes in keys. - # trusted-keys-file: "" -+ # -+ trusted-keys-file: /etc/unbound/keys.d/*.key -+ auto-trust-anchor-file: "/var/lib/unbound/root.key" - - # Ignore chain of trust. Domain is treated as insecure. - # domain-insecure: "example.com" -@@ -710,14 +740,15 @@ server: - # unsecure data. Useful to shield the users of this validator from - # potential bogus data in the additional section. All unsigned data - # in the additional section is removed from secure messages. -- # val-clean-additional: yes -+ val-clean-additional: yes - - # Turn permissive mode on to permit bogus messages. Thus, messages - # for which security checks failed will be returned to clients, - # instead of SERVFAIL. It still performs the security checks, which - # result in interesting log files and possibly the AD bit in - # replies if the message is found secure. 
The default is off. -- # val-permissive-mode: no -+ # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY -+ val-permissive-mode: no - - # Ignore the CD flag in incoming queries and refuse them bogus data. - # Enable it if the only clients of Unbound are legacy servers (w2008) -@@ -731,11 +762,11 @@ server: - - # Serve expired responses from cache, with serve-expired-reply-ttl in - # the response, and then attempt to fetch the data afresh. -- # serve-expired: no -+ serve-expired: yes - # - # Limit serving of expired responses to configured seconds after - # expiration. 0 disables the limit. -- # serve-expired-ttl: 0 -+ serve-expired-ttl: 14400 - # - # Set the TTL of expired records to the serve-expired-ttl value after a - # failed attempt to retrieve the record from upstream. This makes sure -@@ -762,7 +793,7 @@ server: - - # Have the validator log failed validations for your diagnosis. - # 0: off. 1: A line per failed user query. 2: With reason and bad IP. -- # val-log-level: 0 -+ val-log-level: 1 - - # It is possible to configure NSEC3 maximum iteration counts per - # keysize. Keep this table very short, as linear search is done. -@@ -906,6 +937,8 @@ server: +@@ -906,6 +919,8 @@ server: # you need to do the reverse notation yourself. # local-data-ptr: "192.0.2.3 www.example.com" @@ -336,7 +62,7 @@ index 59090c6..33c6209 100644 # tag a localzone with a list of tag names (in "" with spaces between) # local-zone-tag: "example.com" "tag2 tag3" -@@ -916,8 +949,8 @@ server: +@@ -916,8 +931,8 @@ server: # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. # Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. 
@@ -347,109 +73,20 @@ index 59090c6..33c6209 100644 # tls-port: 853 # https-port: 443 # quic-port: 853 -@@ -926,6 +959,8 @@ server: - # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" - # cipher setting for TLSv1.3 - # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" -+ # Fedora/RHEL: use system-wide crypto policies -+ tls-ciphers: "PROFILE=SYSTEM" - - # Pad responses to padded queries received over TLS - # pad-responses: yes -@@ -1070,12 +1105,14 @@ server: - # cookie-secret-file: "/usr/local/etc/unbound_cookiesecrets.txt" - - # Enable to attach Extended DNS Error codes (RFC8914) to responses. -- # ede: no -+ # Fedora defaults to yes. -+ ede: yes - - # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale - # Answer as EDNS0 option to expired responses. - # Note that the ede option above needs to be enabled for this to work. -- # ede-serve-expired: no -+ # Fedora defaults to yes. -+ ede-serve-expired: yes - - # Specific options for ipsecmod. Unbound needs to be configured with - # --enable-ipsecmod for these to take effect. -@@ -1083,12 +1120,14 @@ server: - # Enable or disable ipsecmod (it still needs to be defined in - # module-config above). Can be used when ipsecmod needs to be - # enabled/disabled via remote-control(below). -- # ipsecmod-enabled: yes -- # -+ # Fedora: module will be enabled on-demand by libreswan -+ ipsecmod-enabled: no -+ - # Path to executable external hook. It must be defined when ipsecmod is - # listed in module-config (above). - # ipsecmod-hook: "./my_executable" -- # -+ ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook -+ - # When enabled Unbound will reply with SERVFAIL if the return value of - # the ipsecmod-hook is not 0. 
- # ipsecmod-strict: no -@@ -1121,7 +1160,7 @@ server: - # o and give a python-script to run. - python: - # Script file to load -- # python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py" -+ # python-script: "/etc/unbound/ubmodule-tst.py" - - # Dynamic library config section. To enable: - # o use --with-dynlibmodule to configure before compiling. -@@ -1132,13 +1171,14 @@ python: - # the module-config then you need one dynlib-file per instance. - dynlib: - # Script file to load -- # dynlib-file: "@UNBOUND_SHARE_DIR@/dynlib.so" -+ # dynlib-file: "/etc/unbound/dynlib.so" - - # Remote control config section. - remote-control: - # Enable remote control with unbound-control(8) here. - # set up the keys and certificates with unbound-control-setup. -- # control-enable: no -+ # Note: required for unbound-munin package -+ control-enable: yes - - # what interfaces are listened to for remote control. - # give 0.0.0.0 and ::0 to listen to all interfaces. -@@ -1146,6 +1186,7 @@ remote-control: - # are not used for that, so key and cert files need not be present. - # control-interface: 127.0.0.1 - # control-interface: ::1 -+ # moved to /etc/unbound/conf.d/remote-control.conf - - # port number for remote control operations. - # control-port: 8953 -@@ -1155,16 +1196,19 @@ remote-control: - # control-use-cert: "yes" - - # Unbound server key file. -- # server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key" -+ server-key-file: "/etc/unbound/unbound_server.key" - - # Unbound server certificate file. -- # server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem" -+ server-cert-file: "/etc/unbound/unbound_server.pem" - - # unbound-control key file. -- # control-key-file: "@UNBOUND_RUN_DIR@/unbound_control.key" -+ control-key-file: "/etc/unbound/unbound_control.key" - +@@ -1166,6 +1181,12 @@ remote-control: # unbound-control certificate file. 
-- # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem" -+ control-cert-file: "/etc/unbound/unbound_control.pem" + # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem" + ++# Default Fedora settings ++include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf" + +# Stub and Forward zones -+include: /etc/unbound/conf.d/*.conf - ++include: "@sysconfdir@/unbound/conf.d/*.conf" ++ # Stub zones. # Create entries like below, to make all queries for 'example.com' and -@@ -1186,6 +1230,10 @@ remote-control: + # 'example.org' go to the given list of nameservers. list zero or more +@@ -1186,6 +1207,10 @@ remote-control: # name: "example.org" # stub-host: ns.example.com. @@ -460,7 +97,7 @@ index 59090c6..33c6209 100644 # Forward zones # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of servers. These servers have to handle -@@ -1203,6 +1251,10 @@ remote-control: +@@ -1203,6 +1228,10 @@ remote-control: # forward-zone: # name: "example.org" # forward-host: fwd.example.com 
@@ -471,33 +108,6 @@ index 59090c6..33c6209 100644 # Authority zones # The data for these zones is kept locally, from a file or downloaded. -@@ -1234,6 +1286,7 @@ remote-control: - # fallback-enabled: yes - # for-downstream: no - # for-upstream: yes -+ - # auth-zone: - # name: "example.org" - # for-downstream: yes -@@ -1259,6 +1312,9 @@ remote-control: - # name: "anotherview" - # local-zone: "example.com" refuse - -+# Fedora: DNSCrypt support not enabled since it requires linking to -+# another crypto library -+# - # DNSCrypt - # To enable, use --enable-dnscrypt to configure before compiling. - # Caveats: -@@ -1338,7 +1394,7 @@ remote-control: - # dnstap-enable: no - # # if set to yes frame streams will be used in bidirectional mode - # dnstap-bidirectional: yes --# dnstap-socket-path: "@DNSTAP_SOCKET_PATH@" -+# dnstap-socket-path: "/etc/unbound/dnstap.sock" - # # if "" use the unix socket in dnstap-socket-path, otherwise, - # # set it to "IPaddress[@port]" of the destination. - # dnstap-ip: "" -- 2.47.0 diff --git a/unbound.spec b/unbound.spec index 32eec1e..b0803ee 100644 --- a/unbound.spec +++ b/unbound.spec @@ -67,6 +67,7 @@ Source23: unbound-as112-networks.conf Source24: unbound-local-root.conf Source25: openssl-sha1.conf Source26: remote-control-include.conf +Source27: fedora-defaults.conf # Downstream configuration changes Patch1: unbound-fedora-config.patch @@ -237,6 +238,7 @@ Python 3 modules and extensions for unbound --enable-relro-now --enable-pie \\\ --enable-subnet --enable-ipsecmod \\\ --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\ + --with-share-dir=%{_datadir}/%{name} \\\ --with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\ --enable-sha2 --disable-gost --enable-ecdsa \\\ --with-rootkey-file=%{_sharedstatedir}/%{name}/root.key \\\ 
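Review bot: The two new `include:` lines at `@@ -1166,6 +1181,12 @@` in the nested example.conf.in patch sit after the `remote-control:` section, and `# Default Fedora settings` does not say why their order matters: the commit message says fedora-defaults.conf is included before `conf.d/*.conf` so that an admin's files win, and that file opens with its own `server:` header rather than inheriting the enclosing section (as far as I can tell unbound's include is textual, so a file without a section header would be parsed in whatever section is current). Suggest `# Default Fedora settings (shipped in @UNBOUND_SHARE_DIR@, do not edit); keep this before the conf.d include so local files override it`. The switch from the earlier literal `/etc/unbound/conf.d/*.conf` to `@sysconfdir@/unbound/conf.d/*.conf` is consistent with the `@UNBOUND_SHARE_DIR@` placeholder and the `--with-share-dir` the unbound.spec hunk adds in this same commit.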
@@ -371,6 +373,7 @@ mkdir -p %{buildroot}%{_datadir}/%{name}/conf.d
 install -p -m 0644 %{SOURCE21} %{buildroot}%{_datadir}/%{name}/conf.d/
 install -p -m 0644 %{SOURCE23} %{buildroot}%{_datadir}/%{name}/conf.d/
 install -p -m 0644 %{SOURCE24} %{buildroot}%{_datadir}/%{name}/conf.d/
+install -p -m 0644 %{SOURCE27} %{buildroot}%{_datadir}/%{name}/
 # Link unbound-control-setup.8 manpage to unbound-control.8
 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
From 5f8c4336b8215b65fb9c4e313385129c5fcbd630 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 21 Nov 2024 06:44:19 +0100 Subject: [PATCH 19/64] Fix real regression detected by unbound-localhost test Reset chroot to empty directory in fedora-defaults.conf. That needs to be set for packaing to work as before.
---
 fedora-defaults.conf | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/fedora-defaults.conf b/fedora-defaults.conf
index ccbc20a..99ff95d 100644
--- a/fedora-defaults.conf
+++ b/fedora-defaults.conf
@@ -84,6 +84,10 @@ server:
  # Use systemd socket activation for UDP, TCP, and control sockets.
  # use-systemd: no
+ # If you give "" no chroot is performed. The path must not end in a /.
+ # chroot: "/etc/unbound"
+ chroot: ""
+
  # If you give a server: directory: dir before include: file statements
  # then those includes can be relative to the working directory.
  directory: "/etc/unbound"
From 07cf660542bf406e22f0407c286f06ac1fe1fa25 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 16 Jan 2025 16:08:43 +0100 Subject: [PATCH 20/64] Use ip-freebind: yes or add After=network-online.target (rhbz#2338429) if interface: specifies exact address, not localhost nor wildcard. It should not be used by default when only localhost listening is enabled. Default configuration does not need it.
---
 unbound.service | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
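Review bot: `chroot: ""` switches off a sandboxing layer (the upstream default is the configure-time `@UNBOUND_CHROOT_DIR@`, per the older fedora-config patch text), and the comment above it only repeats the upstream description of the option; the reason, which the commit message gives as packaging relying on it, belongs in the file because anyone auditing the daemon's confinement will stop on this line. Suggest `# Fedora: chroot is intentionally disabled; the absolute /etc and /var/lib paths and the conf.d includes used by this packaging rely on that.` The `# chroot: "/etc/unbound"` example is fine, but an admin who re-enables it also has to make the key, anchor and conf.d paths resolvable below the chroot, which unbound.conf(5) documents under this option — a pointer there would be enough.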
diff --git a/unbound.service b/unbound.service
index 74321c7..86ada76 100644
--- a/unbound.service
+++ b/unbound.service
@@ -1,6 +1,9 @@
 [Unit]
 Description=Unbound recursive Domain Name Server
-After=network-online.target
+After=network.target
+# Use ip-freebind: yes or add After=network-online.target, rhbz#2338429,
+# if interface: specifies exact address, not localhost nor wildcard
+#After=network-online.target
 After=unbound-keygen.service
 Wants=unbound-keygen.service
 After=unbound-anchor.service
From df03e4d58a2804984b825b26da71511984af912b Mon Sep 17 00:00:00 2001 From: Tomas Korbar Date: Tue, 19 Nov 2024 10:55:05 +0100 Subject: [PATCH 21/64] Add dracut module Dracut module allows unbound to be used as resolver in initramfs. It is set before to network-online.target to ensure that other services which depend on name resolution have general synchronization point when they can expect unbound to be configured and listening.
---
 module-setup.sh | 44 ++++++++++++++++++++++++++++++++++++++++++++ unbound-initrd.conf | 5 +++++ unbound.spec | 18 ++++++++++++++++++ 3 files changed, 67 insertions(+) create mode 100644 module-setup.sh create mode 100644 unbound-initrd.conf
diff --git a/module-setup.sh b/module-setup.sh new file mode 100644
index 0000000..439bc6d
--- /dev/null
+++ b/module-setup.sh
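Review bot: The new comment names `ip-freebind: yes` as the alternative without saying where it goes; in a unit file that reads like a systemd directive, whereas it is a `server:` option of unbound.conf (the IP_FREEBIND text in example.conf that the fedora-config patch carries). Suggest `# If interface: lists a specific address (not localhost or a wildcard), either set ip-freebind: yes in the server: section of unbound.conf or add After=network-online.target here (rhbz#2338429).` Keeping `After=network.target` with the disabled `#After=network-online.target` line is fine for the localhost-only default the commit describes.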
@@ -0,0 +1,44 @@ +#!/usr/bin/bash + +check() { + require_binaries unbound unbound-checkconf unbound-control || return 1 + # the module will be only included if explicitly required either + # by configuration or another module + return 255 +} + +depends() { + # because of pid file we need sysusers to create unbound user + echo systemd systemd-sysusers + return 0 +} + +install() { + # We have to make unbound wanted by network-online target to make sure + # there is a synchronization point when other services are able + # to make queries + inst_simple "$moddir"/unbound-initrd.conf /etc/systemd/system/unbound.service.d/unbound-initrd.conf + + # /etc and /var/lib do not have its variables + inst_multiple -o \ + "$systemdsystemunitdir"/unbound.service \ + /etc/unbound/conf.d/remote-control.conf \ + /etc/unbound/openssl-sha1.conf \ + /usr/share/unbound/fedora-defaults.conf \ + /usr/share/unbound/conf.d/*.conf \ + /etc/unbound/local.d/*.conf \ + /etc/unbound/keys.d/*.key \ + /etc/unbound/unbound.conf \ + /etc/unbound/unbound_control.key \ + /etc/unbound/unbound_control.pem \ + /etc/unbound/unbound_server.key \ + /etc/unbound/unbound_server.pem \ + "$sysusers"/unbound.conf \ + "$tmpfilesdir"/unbound.conf \ + /var/lib/unbound/root.key \ + unbound \ + unbound-checkconf \ + unbound-control + + $SYSTEMCTL -q --root "$initdir" enable unbound.service +} diff --git a/unbound-initrd.conf b/unbound-initrd.conf new file mode 100644 index 0000000..7838b3d --- /dev/null +++ b/unbound-initrd.conf @@ -0,0 +1,5 @@ +[Unit] +Before=network-online.target + +[Install] +WantedBy=network-online.target diff --git a/unbound.spec b/unbound.spec index b0803ee..3bb050c 100644 --- a/unbound.spec +++ b/unbound.spec @@ -68,6 +68,8 @@ Source24: unbound-local-root.conf Source25: openssl-sha1.conf Source26: remote-control-include.conf Source27: fedora-defaults.conf +Source28: module-setup.sh +Source29: unbound-initrd.conf # Downstream configuration changes Patch1: unbound-fedora-config.patch 
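Review bot: The `inst_multiple` list copies the remote-control private keys `/etc/unbound/unbound_control.key` and `/etc/unbound/unbound_server.key` (plus both certificates) into the initramfs, although the packaged remote-control.conf binds the control channel to the unix socket `/run/unbound/control`, for which its own comment says certificates are not used and TLS is off; baking private key material into an image whose permissions are not tied to those of the key files widens exposure without adding function. Unless the initrd configuration is expected to switch to a TCP `control-interface`, drop those four entries, or keep them behind a comment stating why they are needed. Separately, only `/etc/unbound/conf.d/remote-control.conf` is taken from conf.d while `local.d/*.conf` and `keys.d/*.key` use globs; the commit message for patch 24 says unbound.conf includes `conf.d/*.conf`, so any other drop-in there (for example the unbound-local-root.conf symlink described in patch 23) silently disappears in the initrd, which may be intended but should be stated in the comment above the list, or the entry widened to `/etc/unbound/conf.d/*.conf`.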
@@ -200,6 +202,14 @@ Conflicts: python2-unbound < 1.9.3 Python 3 modules and extensions for unbound %endif +%package dracut +Summary: Unbound dracut module +Requires: dracut%{?_isa} +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description dracut +Unbound dracut module allowing use of Unbound for name resolution +in initramfs. %prep %if 0%{?fedora} @@ -378,6 +388,11 @@ install -p -m 0644 %{SOURCE27} %{buildroot}%{_datadir}/%{name}/ # Link unbound-control-setup.8 manpage to unbound-control.8 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8 +# install dracut module +mkdir -p %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound + +install -p -m 0755 %{SOURCE28} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound +install -p -m 0644 %{SOURCE29} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound %pre libs %sysusers_create_compat %{SOURCE20} @@ -503,5 +518,8 @@ popd %{_sbindir}/unbound-streamtcp %{_mandir}/man1/unbound-* +%files dracut +%{_prefix}/lib/dracut/modules.d/99unbound + %changelog %autochangelog From 70b71eee0d7b60ffea53379648af77d684f48df4 Mon Sep 17 00:00:00 2001 From: Tomas Korbar Date: Sun, 2 Feb 2025 09:26:21 +0100 Subject: [PATCH 22/64] Enabled libsystemd and change unbound service type to notify-reload "notify-reload" service type allows unbound to notify systemd not only about its readiness on startup but also about start and finish of reloading process. --- unbound.service | 2 +- unbound.spec | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/unbound.service b/unbound.service index 86ada76..66a8a34 100644 --- a/unbound.service +++ b/unbound.service @@ -12,7 +12,7 @@ Before=nss-lookup.target Wants=nss-lookup.target [Service] -Type=simple +Type=notify-reload EnvironmentFile=-/etc/sysconfig/unbound ExecStartPre=/usr/sbin/unbound-checkconf ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS diff --git a/unbound.spec b/unbound.spec index 3bb050c..d671a71 100644 --- a/unbound.spec 
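Review bot: `Type=notify-reload` is understood only by systemd 253 and later and, per the commit message, depends on unbound being built with libsystemd so that it emits the readiness and reloading notifications; I believe an older systemd rejects the value and falls back to its default type, and a build without libsystemd makes start-up wait for a READY notification that never arrives, so the dependency should be pinned rather than assumed. Add `# notify-reload needs systemd >= 253 and unbound built with libsystemd` above the `Type=` line, and consider a matching `Requires: systemd >= 253` in unbound.spec, since the `%bcond_without systemd` flip in the next hunk of this commit carries no version bound. It would also help to note that the reload is driven by SIGHUP (systemd's default ReloadSignal), which is what `unbound-control reload` would otherwise do.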
+++ b/unbound.spec @@ -2,7 +2,7 @@ %{?!with_python3: %global with_python3 1} %{?!with_munin: %global with_munin 1} %bcond_without dnstap -%bcond_with systemd +%bcond_without systemd %bcond_without doh %if 0%{?rhel} && ! 0%{?epel} %bcond_with redis From f75d7592f82466179a469ab5cfbe02fe9e57a41b Mon Sep 17 00:00:00 2001 From: Tomas Korbar Date: Thu, 6 Feb 2025 15:20:22 +0100 Subject: [PATCH 23/64] Deactivate automatic root zone fetching Automatic maintained root zone is great for network resolvers, which are used by multiple machines. Its usage on every common device is not desired however, especially when used as localhost only cache daemon. Make it simple to activate local root zone by creating symlink in directory /etc/unbound/conf.d to /usr/share/unbound/conf.d/unbound-local-root.conf. But have it deactivated in default configuration. --- unbound-fedora-config.patch | 50 ------------------------------------- 1 file changed, 50 deletions(-) diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch index b4803b6..e1b3eca 100644 --- a/unbound-fedora-config.patch +++ b/unbound-fedora-config.patch 
@@ -473,56 +473,6 @@ index 130cb4e..7174d81 100644 # Authority zones # The data for these zones is kept locally, from a file or downloaded. -@@ -1193,27 +1245,28 @@ remote-control: - # download it), primary: fetches with AXFR and IXFR, or url to zonefile. - # With allow-notify: you can give additional (apart from primaries and urls) - # sources of notifies. --# auth-zone: --# name: "." --# primary: 170.247.170.2 # b.root-servers.net --# primary: 192.33.4.12 # c.root-servers.net --# primary: 199.7.91.13 # d.root-servers.net --# primary: 192.5.5.241 # f.root-servers.net --# primary: 192.112.36.4 # g.root-servers.net --# primary: 193.0.14.129 # k.root-servers.net --# primary: 192.0.47.132 # xfr.cjr.dns.icann.org --# primary: 192.0.32.132 # xfr.lax.dns.icann.org --# primary: 2801:1b8:10::b # b.root-servers.net --# primary: 2001:500:2::c # c.root-servers.net --# primary: 2001:500:2d::d # d.root-servers.net --# primary: 2001:500:2f::f # f.root-servers.net --# primary: 2001:500:12::d0d # g.root-servers.net --# primary: 2001:7fd::1 # k.root-servers.net --# primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org --# primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org --# fallback-enabled: yes --# for-downstream: no --# for-upstream: yes -+ auth-zone: -+ name: "." 
-+ primary: 170.247.170.2 # b.root-servers.net -+ primary: 192.33.4.12 # c.root-servers.net -+ primary: 199.7.91.13 # d.root-servers.net -+ primary: 192.5.5.241 # f.root-servers.net -+ primary: 192.112.36.4 # g.root-servers.net -+ primary: 193.0.14.129 # k.root-servers.net -+ primary: 192.0.47.132 # xfr.cjr.dns.icann.org -+ primary: 192.0.32.132 # xfr.lax.dns.icann.org -+ primary: 2801:1b8:10::b # b.root-servers.net -+ primary: 2001:500:2::c # c.root-servers.net -+ primary: 2001:500:2d::d # d.root-servers.net -+ primary: 2001:500:2f::f # f.root-servers.net -+ primary: 2001:500:12::d0d # g.root-servers.net -+ primary: 2001:7fd::1 # k.root-servers.net -+ primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org -+ primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org -+ fallback-enabled: yes -+ for-downstream: no -+ for-upstream: yes -+ - # auth-zone: - # name: "example.org" - # for-downstream: yes @@ -1239,6 +1292,9 @@ remote-control: # name: "anotherview" # local-zone: "example.com" refuse From c77221b7e77dfa465adb092a5d4de08e8133ac44 Mon Sep 17 00:00:00 2001 
From: Tomas Korbar Date: Thu, 6 Feb 2025 16:02:50 +0100 Subject: [PATCH 24/64] Move defaults to separate configuration file Place distribution defaults into file provided in /usr/share/unbound. Include that file from default configuration before conf.d/*.conf is included, to ensure similar order is kept. Rely on remote-control to be configured by conf.d/remote-control.conf only. Moved parts from orinal unbound.conf to single file together. --- fedora-defaults.conf | 226 +++++++++++++++++++ remote-control-include.conf | 4 + remote-control.conf | 27 ++- unbound-as112-networks.conf | 118 ++++++++++ unbound-fedora-config.patch | 428 ++---------------------------------- unbound-local-root.conf | 30 +++ unbound.spec | 13 ++ 7 files changed, 435 insertions(+), 411 deletions(-) create mode 100644 fedora-defaults.conf create mode 100644 remote-control-include.conf create mode 100644 unbound-as112-networks.conf create mode 100644 unbound-local-root.conf diff --git a/fedora-defaults.conf b/fedora-defaults.conf new file mode 100644 index 0000000..5fee76f --- /dev/null +++ b/fedora-defaults.conf 
@@ -0,0 +1,226 @@ +# Fedora distribution defaults + +server: + # verbosity number, 0 is least verbose. 1 is default. + verbosity: 1 + + # print statistics to the log (for every thread) every N seconds. + # Set to "" or 0 to disable. Default is disabled. + # Needs to be disabled for munin plugin + statistics-interval: 0 + + # enable cumulative statistics, without clearing them after printing. + # Needs to be disabled for munin plugin + statistics-cumulative: no + + # enable extended statistics (query types, answer codes, status) + # Needs to be enabled for munin plugin + extended-statistics: yes + + # number of threads to create. 1 disables threading. + # num-threads: 1 + num-threads: 4 + + # specify the interfaces to answer queries from by ip-address. + # The default is to listen to localhost (127.0.0.1 and ::1). + # specify 0.0.0.0 and ::0 to bind to all available interfaces. + # specify every interface[@port] on a new 'interface:' labelled line. + # The listen interfaces are not changed on reload, only on restart. + # interface: 0.0.0.0 + # interface: ::0 + # interface: 192.0.2.153 + # interface: 192.0.2.154 + # interface: 192.0.2.154@5003 + # interface: 2001:DB8::5 + # interface: eth0@5003 + # + # for dns over tls and raw dns over port 80 + # interface: 0.0.0.0@443 + # interface: ::0@443 + # interface: 0.0.0.0@80 + # interface: ::0@80 + + # enable this feature to copy the source address of queries to reply. + # Socket options are not supported on all platforms. experimental. + # interface-automatic: yes + # + # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0 + # NOTE: Disabled per Fedora policy not to listen to * on default install + # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled + interface-automatic: no + + # permit Unbound to use this port number or port range for + # making outgoing queries, using an outgoing interface. 
+ # Only ephemeral ports are allowed by SElinux + outgoing-port-permit: 32768-60999 + + # IANA-assigned port numbers. + # If multiple outgoing-port-permit and outgoing-port-avoid options + # are present, they are processed in order. + # Our SElinux policy does not allow non-ephemeral ports to be used + outgoing-port-avoid: 0-32767 + outgoing-port-avoid: 61000-65535 + + # use SO_REUSEPORT to distribute queries over threads. + # at extreme load it could be better to turn it off to distribute even. + so-reuseport: yes + + # use IP_TRANSPARENT so the interface: addresses can be non-local + # and you can config non-existing IPs that are going to work later on + # (uses IP_BINDANY on FreeBSD). + ip-transparent: yes + + # Enable UDP, "yes" or "no". + # NOTE: if setting up an Unbound on tls443 for public use, you might want to + # disable UDP to avoid being used in DNS amplification attacks. + # do-udp: yes + + # Enable EDNS TCP keepalive option. + edns-tcp-keepalive: yes + + # Fedora note: do not activate this - not compiled in because + # it causes frequent unbound crashes. Also, socket activation + # is bad when you have things like dnsmasq also running with libvirt. + # Use systemd socket activation for UDP, TCP, and control sockets. + # use-systemd: no + + # If you give "" no chroot is performed. The path must not end in a /. + # chroot: "/etc/unbound" + chroot: "" + + # If you give a server: directory: dir before include: file statements + # then those includes can be relative to the working directory. + directory: "/etc/unbound" + + # print UTC timestamp in ascii to logfile, default is epoch in seconds. + log-time-ascii: yes + + # Harden against unseemly large queries. + harden-large-queries: yes + + # Default off, because the lookups burden the server. Experimental + # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. + harden-referral-path: yes + + # Sent minimum amount of information to upstream servers to enhance + # privacy. 
Only sent minimum required labels of the QNAME and set QTYPE + # to A when possible. + qname-minimisation: yes + + # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN + # and other denials, using information from previous NXDOMAINs answers. + aggressive-nsec: yes + + # threshold, a warning is printed and a defensive action is taken, + # the cache is cleared to flush potential poison out of it. + # A suggested value is 10000000, the default is 0 (turned off). + unwanted-reply-threshold: 10000000 + + # if yes, perform prefetching of almost expired message cache entries. + prefetch: yes + + # if yes, perform key lookups adjacent to normal lookups. + prefetch-key: yes + + # deny queries of type ANY with an empty response. + deny-any: yes + + # if yes, Unbound rotates RRSet order in response. + rrset-roundrobin: yes + + # if yes, Unbound doesn't insert authority/additional sections + # into response messages when those sections are not required. + minimal-responses: yes + + # module configuration of the server. A string with identifiers + # separated by spaces. Syntax: "[dns64] [validator] iterator" + # most modules have to be listed at the beginning of the line, + # except cachedb(just before iterator), and python (at the beginning, + # or, just before the iterator). + # For redis cachedb use: + # "ipsecmod validator cachedb iterator" + module-config: "ipsecmod validator iterator" + + # trust anchor signaling sends a RFC8145 key tag query after priming. + trust-anchor-signaling: yes + + # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel) + root-key-sentinel: yes + + # the trusted-keys { name flag proto algo "key"; }; clauses are read. + # you need external update procedures to track changes in keys. + # trusted-keys-file: "" + # + trusted-keys-file: /etc/unbound/keys.d/*.key + auto-trust-anchor-file: "/var/lib/unbound/root.key" + + # Should additional section of secure message also be kept clean of + # unsecure data. 
Useful to shield the users of this validator from + # potential bogus data in the additional section. All unsigned data + # in the additional section is removed from secure messages. + val-clean-additional: yes + + # Turn permissive mode on to permit bogus messages. Thus, messages + # for which security checks failed will be returned to clients, + # instead of SERVFAIL. It still performs the security checks, which + # result in interesting log files and possibly the AD bit in + # replies if the message is found secure. The default is off. + # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY + val-permissive-mode: no + + # Serve expired responses from cache, with serve-expired-reply-ttl in + # the response, and then attempt to fetch the data afresh. + serve-expired: yes + + # Limit serving of expired responses to configured seconds after + # expiration. 0 disables the limit. + serve-expired-ttl: 14400 + + # Have the validator log failed validations for your diagnosis. + # 0: off. 1: A line per failed user query. 2: With reason and bad IP. + val-log-level: 1 + + # service clients over TLS (on the TCP sockets) with plain DNS inside + # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. + # Give the certificate to use and private key. + # default is "" (disabled). requires restart to take effect. + # tls-service-key: "/etc/unbound/unbound_server.key" + # tls-service-pem: "/etc/unbound/unbound_server.pem" + + # Fedora/RHEL: use system-wide crypto policies + tls-ciphers: "PROFILE=SYSTEM" + + # Enable to attach Extended DNS Error codes (RFC8914) to responses. + # Fedora defaults to yes. + ede: yes + + # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale + # Answer as EDNS0 option to expired responses. + # Note that the ede option above needs to be enabled for this to work. + # Fedora defaults to yes. + ede-serve-expired: yes + + # Enable or disable ipsecmod (it still needs to be defined in + # module-config above). 
Can be used when ipsecmod needs to be + # enabled/disabled via remote-control(below). + # Fedora: module will be enabled on-demand by libreswan + ipsecmod-enabled: no + + # Path to executable external hook. It must be defined when ipsecmod is + # listed in module-config (above). + ipsecmod-hook: /usr/libexec/ipsec/_unbound-hook + +python: + # Script file to load + # python-script: "/etc/unbound/ubmodule-tst.py" + +# Remote control config section moved into own remote-control.conf + +# the module-config then you need one dynlib-file per instance. +dynlib: + # Script file to load + # dynlib-file: "/etc/unbound/dynlib.so" + +# Fedora: DNSCrypt support not enabled since it requires linking to +# another crypto library +# diff --git a/remote-control-include.conf b/remote-control-include.conf new file mode 100644 index 0000000..5688480 --- /dev/null +++ b/remote-control-include.conf @@ -0,0 +1,4 @@ +# Previous defaults allowed any process to change settings, CVE-2023-1488 +# If you want to modify remote configuration, replace this file with +# contents of included file and modify afterwards. +include: "/usr/share/unbound/conf.d/remote-control.conf" diff --git a/remote-control.conf b/remote-control.conf index 4561a63..6f6942e 100644 --- a/remote-control.conf +++ b/remote-control.conf 
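Review bot: The line `# the module-config then you need one dynlib-file per instance.` near the end of the new file is a dangling fragment of upstream's multi-line comment (the sentence begins mid-way), so the `dynlib:` section currently has no readable heading; replace it with `# Dynamic library config section: one dynlib-file per dynlib instance listed in module-config.` Two paths, `trusted-keys-file: /etc/unbound/keys.d/*.key` and `ipsecmod-hook: /usr/libexec/ipsec/_unbound-hook`, are the only unquoted values in a file where every other path is quoted; quoting them keeps the style uniform and avoids a reader wondering whether the glob is treated differently. The remark `# Remote control config section moved into own remote-control.conf` would be more useful if it named the file that actually configures it, `/etc/unbound/conf.d/remote-control.conf` per the commit message, since this file is installed under /usr/share where the reader cannot see it.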
@@ -1,9 +1,26 @@ # Remote control config section update. # Previous defaults allowed any process to change settings, CVE-2023-1488 +# This file can be used also by: unbound-control -c remote-control: - # set to an absolute path to use a unix local name pipe, certificates - # are not used for that, so key and cert files need not be present. - control-interface: "/run/unbound/control" + # Enable remote control with unbound-control(8) here. + # set up the keys and certificates with unbound-control-setup. + control-enable: yes - # For local sockets this option is ignored, and TLS is not used. - control-use-cert: "yes" + # set to an absolute path to use a unix local name pipe, certificates + # are not used for that, so key and cert files need not be present. + control-interface: "/run/unbound/control" + + # For local sockets this option is ignored, and TLS is not used. + control-use-cert: "yes" + + # Unbound server key file. + server-key-file: "/etc/unbound/unbound_server.key" + + # Unbound server certificate file. + server-cert-file: "/etc/unbound/unbound_server.pem" + + # unbound-control key file. + control-key-file: "/etc/unbound/unbound_control.key" + + # unbound-control certificate file. + control-cert-file: "/etc/unbound/unbound_control.pem" diff --git a/unbound-as112-networks.conf b/unbound-as112-networks.conf new file mode 100644 index 0000000..96c291f --- /dev/null +++ b/unbound-as112-networks.conf 
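Review bot: With `control-interface: "/run/unbound/control"` the file's own comment states that certificates are not used, so the four `server-key-file`, `server-cert-file`, `control-key-file` and `control-cert-file` entries are inert, and the CVE-2023-1488 hardening named in the header rests entirely on the ownership and mode of the socket and of `/run/unbound` (presumably created by the package's tmpfiles.d entry, which is not visible here). State that explicitly so the protection is not mistaken for certificate-based access control: `# Access is governed by the permissions of /run/unbound; the key/cert entries below take effect only if control-interface is changed to an IP address.` The new `control-enable: yes` is now the only place remote control is switched on, so the header's "can be used also by: unbound-control -c" would read better as a full sentence naming that `unbound-control -c` must point at this same file to reach the socket.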
@@ -0,0 +1,118 @@ +# Allow forwarding of private ranges, which are marked forwardable by IANA +# https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml +# https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml +# https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml +# RFC 6303: Locally Served DNS Zones (https://www.rfc-editor.org/rfc/rfc6303.html) +# +# Using this configuration file will simplify forwarding to potentially private ranges. +# Enables forwarding of networks marked as forwardable at IANA special registry. +# This is useful when upstream forwarder may be still inside private network. That is the case +# when unbound works as a localhost DNS cache, not network wide resolver. + +server: + # RFC 8375: Special-Use Domain 'home.arpa.' + local-zone: "home.arpa." nodefault + + # RFC 1918: Address Allocation for Private Internets + local-zone: "10.in-addr.arpa." nodefault + local-zone: "16.172.in-addr.arpa." nodefault + local-zone: "17.172.in-addr.arpa." nodefault + local-zone: "18.172.in-addr.arpa." nodefault + local-zone: "19.172.in-addr.arpa." nodefault + local-zone: "20.172.in-addr.arpa." nodefault + local-zone: "21.172.in-addr.arpa." nodefault + local-zone: "22.172.in-addr.arpa." nodefault + local-zone: "23.172.in-addr.arpa." nodefault + local-zone: "24.172.in-addr.arpa." nodefault + local-zone: "25.172.in-addr.arpa." nodefault + local-zone: "26.172.in-addr.arpa." nodefault + local-zone: "27.172.in-addr.arpa." nodefault + local-zone: "28.172.in-addr.arpa." nodefault + local-zone: "29.172.in-addr.arpa." nodefault + local-zone: "30.172.in-addr.arpa." nodefault + local-zone: "31.172.in-addr.arpa." nodefault + local-zone: "168.192.in-addr.arpa." nodefault + # RFC 6598: IANA-Reserved IPv4 Prefix for Shared Address Space + local-zone: "64.100.in-addr.arpa." nodefault + local-zone: "65.100.in-addr.arpa." nodefault + local-zone: "66.100.in-addr.arpa." 
nodefault + local-zone: "67.100.in-addr.arpa." nodefault + local-zone: "68.100.in-addr.arpa." nodefault + local-zone: "69.100.in-addr.arpa." nodefault + local-zone: "70.100.in-addr.arpa." nodefault + local-zone: "71.100.in-addr.arpa." nodefault + local-zone: "72.100.in-addr.arpa." nodefault + local-zone: "73.100.in-addr.arpa." nodefault + local-zone: "74.100.in-addr.arpa." nodefault + local-zone: "75.100.in-addr.arpa." nodefault + local-zone: "76.100.in-addr.arpa." nodefault + local-zone: "77.100.in-addr.arpa." nodefault + local-zone: "78.100.in-addr.arpa." nodefault + local-zone: "79.100.in-addr.arpa." nodefault + local-zone: "80.100.in-addr.arpa." nodefault + local-zone: "81.100.in-addr.arpa." nodefault + local-zone: "82.100.in-addr.arpa." nodefault + local-zone: "83.100.in-addr.arpa." nodefault + local-zone: "84.100.in-addr.arpa." nodefault + local-zone: "85.100.in-addr.arpa." nodefault + local-zone: "86.100.in-addr.arpa." nodefault + local-zone: "87.100.in-addr.arpa." nodefault + local-zone: "88.100.in-addr.arpa." nodefault + local-zone: "89.100.in-addr.arpa." nodefault + local-zone: "90.100.in-addr.arpa." nodefault + local-zone: "91.100.in-addr.arpa." nodefault + local-zone: "92.100.in-addr.arpa." nodefault + local-zone: "93.100.in-addr.arpa." nodefault + local-zone: "94.100.in-addr.arpa." nodefault + local-zone: "95.100.in-addr.arpa." nodefault + local-zone: "96.100.in-addr.arpa." nodefault + local-zone: "97.100.in-addr.arpa." nodefault + local-zone: "98.100.in-addr.arpa." nodefault + local-zone: "99.100.in-addr.arpa." nodefault + local-zone: "100.100.in-addr.arpa." nodefault + local-zone: "101.100.in-addr.arpa." nodefault + local-zone: "102.100.in-addr.arpa." nodefault + local-zone: "103.100.in-addr.arpa." nodefault + local-zone: "104.100.in-addr.arpa." nodefault + local-zone: "105.100.in-addr.arpa." nodefault + local-zone: "106.100.in-addr.arpa." nodefault + local-zone: "107.100.in-addr.arpa." nodefault + local-zone: "108.100.in-addr.arpa." 
nodefault + local-zone: "109.100.in-addr.arpa." nodefault + local-zone: "110.100.in-addr.arpa." nodefault + local-zone: "111.100.in-addr.arpa." nodefault + local-zone: "112.100.in-addr.arpa." nodefault + local-zone: "113.100.in-addr.arpa." nodefault + local-zone: "114.100.in-addr.arpa." nodefault + local-zone: "115.100.in-addr.arpa." nodefault + local-zone: "116.100.in-addr.arpa." nodefault + local-zone: "117.100.in-addr.arpa." nodefault + local-zone: "118.100.in-addr.arpa." nodefault + local-zone: "119.100.in-addr.arpa." nodefault + local-zone: "120.100.in-addr.arpa." nodefault + local-zone: "121.100.in-addr.arpa." nodefault + local-zone: "122.100.in-addr.arpa." nodefault + local-zone: "123.100.in-addr.arpa." nodefault + local-zone: "124.100.in-addr.arpa." nodefault + local-zone: "125.100.in-addr.arpa." nodefault + local-zone: "126.100.in-addr.arpa." nodefault + local-zone: "127.100.in-addr.arpa." nodefault + + # RFC 4193: Unique Local IPv6 Unicast Addresses + local-zone: "d.f.ip6.arpa." nodefault + + # RFC 2606: Reserved Top Level DNS Names + local-zone: "test." nodefault + domain-insecure: "test" + domain-insecure: "example" + + # RFC 6762: Multicast DNS, Appendix G + domain-insecure: "local" + domain-insecure: "intranet" + domain-insecure: "private" + domain-insecure: "corp" + domain-insecure: "home" + domain-insecure: "lan" + + # draft-davies-internal-tld + domain-insecure: "internal" diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch index e1b3eca..7142817 100644 --- a/unbound-fedora-config.patch +++ b/unbound-fedora-config.patch 
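Review bot: `local-zone: ... nodefault` only lifts unbound's built-in refusal of these reverse and special-use zones; it forwards nothing by itself, so when this file is included without a `forward-zone:` (or with a public upstream) covering them, PTR queries for RFC 1918 and shared-address space are sent to the public AS112 servers, which leaks a little about the local addressing plan and is exactly the situation the header's "upstream forwarder may be still inside private network" wording is meant to avoid. Say so in the header, e.g. `# NOTE: nodefault lifts the built-in block only; these names are resolved through whatever forwarder or recursion is configured, so include this file only when the upstream can answer them privately.` The `domain-insecure:` entries for `test`, `example`, `local`, `internal` and the others switch off DNSSEC validation for those names; a one-line comment that this is deliberate because those are unsigned private namespaces would stop a later reviewer from reading it as a weakening of validation.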
@@ -1,60 +1,20 @@ -From 71cbef33920b3b5704be7eab399da506ab51cde1 Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Fri, 10 Nov 2023 12:58:31 +0100 +From 41c489180eeecba97641f747ee6a43aa2c6d4299 Mon Sep 17 00:00:00 2001 +From: Tomas Korbar +Date: Thu, 6 Feb 2025 16:01:21 +0100 Subject: [PATCH] Customize unbound.conf for Fedora defaults Set some Fedora/RHEL specific changes to example configuration file. By patching upstream provided config file we would not need to manually update external copy in source RPM. --- - doc/example.conf.in | 196 ++++++++++++++++++++++++++++---------------- - 1 file changed, 126 insertions(+), 70 deletions(-) + doc/example.conf.in | 33 +++++++++++++++++++++++++++++++-- + 1 file changed, 31 insertions(+), 2 deletions(-) diff --git a/doc/example.conf.in b/doc/example.conf.in -index 130cb4e..7174d81 100644 +index dc2aa1c..a656bd7 100644 --- a/doc/example.conf.in 
+++ b/doc/example.conf.in -@@ -17,11 +17,12 @@ server: - # whitespace is not necessary, but looks cleaner. - - # verbosity number, 0 is least verbose. 1 is default. -- # verbosity: 1 -+ verbosity: 1 - - # print statistics to the log (for every thread) every N seconds. - # Set to "" or 0 to disable. Default is disabled. -- # statistics-interval: 0 -+ # Needs to be disabled for munin plugin -+ statistics-interval: 0 - - # enable shm for stats, default no. if you enable also enable - # statistics-interval, every time it also writes stats to the -@@ -32,11 +33,13 @@ server: - # shm-key: 11777 - - # enable cumulative statistics, without clearing them after printing. -- # statistics-cumulative: no -+ # Needs to be disabled for munin plugin -+ statistics-cumulative: no - - # enable extended statistics (query types, answer codes, status) -- # printed from unbound-control. Default off, because of speed. -- # extended-statistics: no -+ # printed from unbound-control. default off, because of speed. -+ # Needs to be enabled for munin plugin -+ extended-statistics: yes - - # Inhibits selected extended statistics (qtype, qclass, qopcode, rcode, - # rpz-actions) from printing if their value is 0. -@@ -44,22 +47,35 @@ server: - # statistics-inhibit-zero: yes - - # number of threads to create. 1 disables threading. -- # num-threads: 1 -+ num-threads: 4 - - # specify the interfaces to answer queries from by ip-address. - # The default is to listen to localhost (127.0.0.1 and ::1). +@@ -51,11 +51,19 @@ server: # specify 0.0.0.0 and ::0 to bind to all available interfaces. # specify every interface[@port] on a new 'interface:' labelled line. # The listen interfaces are not changed on reload, only on restart. 
@@ -74,53 +34,7 @@ index 130cb4e..7174d81 100644 # enable this feature to copy the source address of queries to reply. # Socket options are not supported on all platforms. experimental. -- # interface-automatic: no -+ # interface-automatic: yes -+ # -+ # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0 -+ # NOTE: Disabled per Fedora policy not to listen to * on default install -+ # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled -+ interface-automatic: no - - # instead of the default port, open additional ports separated by - # spaces when interface-automatic is enabled, by listing them here. -@@ -94,7 +110,8 @@ server: - - # permit Unbound to use this port number or port range for - # making outgoing queries, using an outgoing interface. -- # outgoing-port-permit: 32768 -+ # Only ephemeral ports are allowed by SElinux -+ outgoing-port-permit: 32768-60999 - - # deny Unbound the use this of port number or port range for - # making outgoing queries, using an outgoing interface. -@@ -103,7 +120,9 @@ server: - # IANA-assigned port numbers. - # If multiple outgoing-port-permit and outgoing-port-avoid options - # are present, they are processed in order. -- # outgoing-port-avoid: "3200-3208" -+ # Our SElinux policy does not allow non-ephemeral ports to be used -+ outgoing-port-avoid: 0-32767 -+ outgoing-port-avoid: 61000-65535 - - # number of outgoing simultaneous tcp buffers to hold per thread. - # outgoing-num-tcp: 10 -@@ -121,12 +140,12 @@ server: - - # use SO_REUSEPORT to distribute queries over threads. - # at extreme load it could be better to turn it off to distribute even. -- # so-reuseport: yes -+ so-reuseport: yes - - # use IP_TRANSPARENT so the interface: addresses can be non-local - # and you can config non-existing IPs that are going to work later on - # (uses IP_BINDANY on FreeBSD). 
-- # ip-transparent: no -+ ip-transparent: yes - - # use IP_FREEBIND so the interface: addresses can be non-local - # and you can bind to nonexisting IPs and interfaces that are down. -@@ -276,6 +295,8 @@ server: +@@ -276,6 +284,8 @@ server: # nat64-prefix: 64:ff9b::0/96 # Enable UDP, "yes" or "no". @@ -129,16 +43,7 @@ index 130cb4e..7174d81 100644 # do-udp: yes # Enable TCP, "yes" or "no". -@@ -301,7 +322,7 @@ server: - # tcp-idle-timeout: 30000 - - # Enable EDNS TCP keepalive option. -- # edns-tcp-keepalive: no -+ edns-tcp-keepalive: yes - - # Timeout for EDNS TCP keepalive, in msec. Overrides tcp-idle-timeout - # if edns-tcp-keepalive is set. -@@ -311,6 +332,9 @@ server: +@@ -311,6 +321,9 @@ server: # can be dropped. Default is 0, disabled. In seconds, such as 3. # sock-queue-timeout: 0 
@@ -148,188 +53,7 @@ index 130cb4e..7174d81 100644 # Use systemd socket activation for UDP, TCP, and control sockets. # use-systemd: no -@@ -424,6 +448,7 @@ server: - # - # If you give "" no chroot is performed. The path must not end in a /. - # chroot: "@UNBOUND_CHROOT_DIR@" -+ chroot: "" - - # if given, user privileges are dropped (after binding port), - # and the given username is assumed. Default is user "unbound". -@@ -435,7 +460,7 @@ server: - # is not changed. - # If you give a server: directory: dir before include: file statements - # then those includes can be relative to the working directory. -- # directory: "@UNBOUND_RUN_DIR@" -+ directory: "/etc/unbound" - - # the log file, "" means log to stderr. - # Use of this option sets use-syslog to "no". -@@ -450,7 +475,7 @@ server: - # log-identity: "" - - # print UTC timestamp in ascii to logfile, default is epoch in seconds. -- # log-time-ascii: no -+ log-time-ascii: yes - - # print one line with time, IP, name, type, class for every query. - # log-queries: no -@@ -522,22 +547,22 @@ server: - # harden-large-queries: no - - # Harden against out of zone rrsets, to avoid spoofing attempts. -- # harden-glue: yes -+ harden-glue: yes - - # Harden against receiving dnssec-stripped data. If you turn it - # off, failing to validate dnskey data for a trustanchor will - # trigger insecure mode for that zone (like without a trustanchor). - # Default on, which insists on dnssec data for trust-anchored zones. -- # harden-dnssec-stripped: yes -+ harden-dnssec-stripped: yes - - # Harden against queries that fall under dnssec-signed nxdomain names. -- # harden-below-nxdomain: yes -+ harden-below-nxdomain: yes - - # Harden the referral path by performing additional queries for - # infrastructure data. Validates the replies (if possible). - # Default off, because the lookups burden the server. Experimental - # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. 
-- # harden-referral-path: no -+ harden-referral-path: yes - - # Harden against algorithm downgrade when multiple algorithms are - # advertised in the DS record. If no, allows the weakest algorithm -@@ -551,7 +576,7 @@ server: - # Sent minimum amount of information to upstream servers to enhance - # privacy. Only sent minimum required labels of the QNAME and set QTYPE - # to A when possible. -- # qname-minimisation: yes -+ qname-minimisation: yes - - # QNAME minimisation in strict mode. Do not fall-back to sending full - # QNAME to potentially broken nameservers. A lot of domains will not be -@@ -561,7 +586,7 @@ server: - - # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN - # and other denials, using information from previous NXDOMAINs answers. -- # aggressive-nsec: yes -+ aggressive-nsec: yes - - # Use 0x20-encoded random bits in the query to foil spoof attempts. - # This feature is an experimental implementation of draft dns-0x20. -@@ -594,7 +619,7 @@ server: - # threshold, a warning is printed and a defensive action is taken, - # the cache is cleared to flush potential poison out of it. - # A suggested value is 10000000, the default is 0 (turned off). -- # unwanted-reply-threshold: 0 -+ unwanted-reply-threshold: 10000000 - - # Do not query the following addresses. No DNS queries are sent there. - # List one address per entry. List classless netblocks with /size, -@@ -606,20 +631,20 @@ server: - # do-not-query-localhost: yes - - # if yes, perform prefetching of almost expired message cache entries. -- # prefetch: no -+ prefetch: yes - - # if yes, perform key lookups adjacent to normal lookups. -- # prefetch-key: no -+ prefetch-key: yes - - # deny queries of type ANY with an empty response. -- # deny-any: no -+ deny-any: yes - - # if yes, Unbound rotates RRSet order in response. 
-- # rrset-roundrobin: yes -+ rrset-roundrobin: yes - - # if yes, Unbound doesn't insert authority/additional sections - # into response messages when those sections are not required. -- # minimal-responses: yes -+ minimal-responses: yes - - # true to disable DNSSEC lameness check in iterator. - # disable-dnssec-lame-check: no -@@ -629,7 +654,9 @@ server: - # most modules have to be listed at the beginning of the line, - # except cachedb(just before iterator), and python (at the beginning, - # or, just before the iterator). -- # module-config: "validator iterator" -+ # For redis cachedb use: -+ # "ipsecmod validator cachedb iterator" -+ module-config: "ipsecmod validator iterator" - - # File with trusted keys, kept uptodate using RFC5011 probes, - # initial file like trust-anchor-file, then it stores metadata. -@@ -643,10 +670,10 @@ server: - # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" - - # trust anchor signaling sends a RFC8145 key tag query after priming. -- # trust-anchor-signaling: yes -+ trust-anchor-signaling: yes - - # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel) -- # root-key-sentinel: yes -+ root-key-sentinel: yes - - # File with trusted keys for validation. Specify more than one file - # with several entries, one file per entry. -@@ -667,6 +694,9 @@ server: - # the trusted-keys { name flag proto algo "key"; }; clauses are read. - # you need external update procedures to track changes in keys. - # trusted-keys-file: "" -+ # -+ trusted-keys-file: /etc/unbound/keys.d/*.key -+ auto-trust-anchor-file: "/var/lib/unbound/root.key" - - # Ignore chain of trust. Domain is treated as insecure. - # domain-insecure: "example.com" -@@ -694,14 +724,15 @@ server: - # unsecure data. Useful to shield the users of this validator from - # potential bogus data in the additional section. All unsigned data - # in the additional section is removed from secure messages. 
-- # val-clean-additional: yes -+ val-clean-additional: yes - - # Turn permissive mode on to permit bogus messages. Thus, messages - # for which security checks failed will be returned to clients, - # instead of SERVFAIL. It still performs the security checks, which - # result in interesting log files and possibly the AD bit in - # replies if the message is found secure. The default is off. -- # val-permissive-mode: no -+ # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY -+ val-permissive-mode: no - - # Ignore the CD flag in incoming queries and refuse them bogus data. - # Enable it if the only clients of Unbound are legacy servers (w2008) -@@ -715,11 +746,11 @@ server: - - # Serve expired responses from cache, with serve-expired-reply-ttl in - # the response, and then attempt to fetch the data afresh. -- # serve-expired: no -+ serve-expired: yes - # - # Limit serving of expired responses to configured seconds after - # expiration. 0 disables the limit. -- # serve-expired-ttl: 0 -+ serve-expired-ttl: 14400 - # - # Set the TTL of expired records to the serve-expired-ttl value after a - # failed attempt to retrieve the record from upstream. This makes sure -@@ -746,7 +777,7 @@ server: - - # Have the validator log failed validations for your diagnosis. - # 0: off. 1: A line per failed user query. 2: With reason and bad IP. -- # val-log-level: 0 -+ val-log-level: 1 - - # It is possible to configure NSEC3 maximum iteration counts per - # keysize. Keep this table very short, as linear search is done. -@@ -890,6 +921,8 @@ server: +@@ -890,6 +903,8 @@ server: # you need to do the reverse notation yourself. # local-data-ptr: "192.0.2.3 www.example.com" 
@@ -338,7 +62,7 @@ index 130cb4e..7174d81 100644 # tag a localzone with a list of tag names (in "" with spaces between) # local-zone-tag: "example.com" "tag2 tag3" -@@ -900,8 +933,8 @@ server: +@@ -900,8 +915,8 @@ server: # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. # Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. 
@@ -349,109 +73,20 @@ index 130cb4e..7174d81 100644 # tls-port: 853 # https-port: 443 -@@ -909,6 +942,8 @@ server: - # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" - # cipher setting for TLSv1.3 - # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" -+ # Fedora/RHEL: use system-wide crypto policies -+ tls-ciphers: "PROFILE=SYSTEM" - - # Pad responses to padded queries received over TLS - # pad-responses: yes -@@ -1050,12 +1085,14 @@ server: - # cookie-secret-file: "/usr/local/etc/unbound_cookiesecrets.txt" - - # Enable to attach Extended DNS Error codes (RFC8914) to responses. -- # ede: no -+ # Fedora defaults to yes. -+ ede: yes - - # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale - # Answer as EDNS0 option to expired responses. - # Note that the ede option above needs to be enabled for this to work. -- # ede-serve-expired: no -+ # Fedora defaults to yes. -+ ede-serve-expired: yes - - # Specific options for ipsecmod. Unbound needs to be configured with - # --enable-ipsecmod for these to take effect. -@@ -1063,12 +1100,14 @@ server: - # Enable or disable ipsecmod (it still needs to be defined in - # module-config above). Can be used when ipsecmod needs to be - # enabled/disabled via remote-control(below). -- # ipsecmod-enabled: yes -- # -+ # Fedora: module will be enabled on-demand by libreswan -+ ipsecmod-enabled: no -+ - # Path to executable external hook. It must be defined when ipsecmod is - # listed in module-config (above). - # ipsecmod-hook: "./my_executable" -- # -+ ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook -+ - # When enabled Unbound will reply with SERVFAIL if the return value of - # the ipsecmod-hook is not 0. 
- # ipsecmod-strict: no -@@ -1101,7 +1140,7 @@ server: - # o and give a python-script to run. - python: - # Script file to load -- # python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py" -+ # python-script: "/etc/unbound/ubmodule-tst.py" - - # Dynamic library config section. To enable: - # o use --with-dynlibmodule to configure before compiling. -@@ -1112,13 +1151,14 @@ python: - # the module-config then you need one dynlib-file per instance. - dynlib: - # Script file to load -- # dynlib-file: "@UNBOUND_SHARE_DIR@/dynlib.so" -+ # dynlib-file: "/etc/unbound/dynlib.so" - - # Remote control config section. - remote-control: - # Enable remote control with unbound-control(8) here. - # set up the keys and certificates with unbound-control-setup. -- # control-enable: no -+ # Note: required for unbound-munin package -+ control-enable: yes - - # what interfaces are listened to for remote control. - # give 0.0.0.0 and ::0 to listen to all interfaces. -@@ -1126,6 +1166,7 @@ remote-control: - # are not used for that, so key and cert files need not be present. - # control-interface: 127.0.0.1 - # control-interface: ::1 -+ # moved to /etc/unbound/conf.d/remote-control.conf - - # port number for remote control operations. - # control-port: 8953 -@@ -1135,16 +1176,19 @@ remote-control: - # control-use-cert: "yes" - - # Unbound server key file. -- # server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key" -+ server-key-file: "/etc/unbound/unbound_server.key" - - # Unbound server certificate file. -- # server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem" -+ server-cert-file: "/etc/unbound/unbound_server.pem" - - # unbound-control key file. -- # control-key-file: "@UNBOUND_RUN_DIR@/unbound_control.key" -+ control-key-file: "/etc/unbound/unbound_control.key" - +@@ -1146,6 +1161,12 @@ remote-control: # unbound-control certificate file. 
-- # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem" -+ control-cert-file: "/etc/unbound/unbound_control.pem" + # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem" + ++# Default Fedora settings ++include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf" + +# Stub and Forward zones -+include: /etc/unbound/conf.d/*.conf - ++include: "@sysconfdir@/unbound/conf.d/*.conf" ++ # Stub zones. # Create entries like below, to make all queries for 'example.com' and -@@ -1166,6 +1210,10 @@ remote-control: + # 'example.org' go to the given list of nameservers. list zero or more +@@ -1166,6 +1187,10 @@ remote-control: # name: "example.org" # stub-host: ns.example.com. @@ -462,7 +97,7 @@ index 130cb4e..7174d81 100644 # Forward zones # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of servers. These servers have to handle -@@ -1183,6 +1231,10 @@ remote-control: +@@ -1183,6 +1208,10 @@ remote-control: # forward-zone: # name: "example.org" # forward-host: fwd.example.com @@ -473,25 +108,6 @@ index 130cb4e..7174d81 100644 # Authority zones # The data for these zones is kept locally, from a file or downloaded. -@@ -1239,6 +1292,9 @@ remote-control: - # name: "anotherview" - # local-zone: "example.com" refuse - -+# Fedora: DNSCrypt support not enabled since it requires linking to -+# another crypto library -+# - # DNSCrypt - # To enable, use --enable-dnscrypt to configure before compiling. - # Caveats: -@@ -1314,7 +1370,7 @@ remote-control: - # dnstap-enable: no - # # if set to yes frame streams will be used in bidirectional mode - # dnstap-bidirectional: yes --# dnstap-socket-path: "@DNSTAP_SOCKET_PATH@" -+# dnstap-socket-path: "/etc/unbound/dnstap.sock" - # # if "" use the unix socket in dnstap-socket-path, otherwise, - # # set it to "IPaddress[@port]" of the destination. - # dnstap-ip: "" -- -2.46.0 +2.48.1 diff --git a/unbound-local-root.conf b/unbound-local-root.conf new file mode 100644 index 0000000..4ba5e9d 
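Review bot: The two new `include:` lines are the only path through which the Fedora defaults now reach unbound.conf, and their order is load-bearing: for scalar options Unbound keeps the last value read, so `fedora-defaults.conf` must stay ahead of `conf.d/*.conf` for an administrator drop-in to override a vendor default rather than the reverse — the hunk gets this right but says nothing, and a comment such as `# Keep order: vendor defaults first, local conf.d overrides last` above them would stop a later reordering from silently flipping precedence. The security-relevant settings this hunk removes from example.conf.in — `tls-ciphers: "PROFILE=SYSTEM"`, `ipsecmod-enabled: no` with its hook path, `ede`/`ede-serve-expired`, and the explicit `server-key-file`/`control-key-file` locations under /etc/unbound — are presumably carried over into fedora-defaults.conf (Source26), but that file is not part of this change, so the shipped defaults cannot be confirmed from this diff. With the explicit key paths gone, example.conf.in falls back to `@UNBOUND_RUN_DIR@` for the remote-control key files, which only matches the /etc/unbound %ghost entries in unbound.spec if the run directory is configured there; worth a check against the configure flags or an explicit setting in fedora-defaults.conf.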
--- /dev/null +++ b/unbound-local-root.conf @@ -0,0 +1,30 @@ +# Authority zones +# The data for these zones is kept locally, from a file or downloaded. +# The data can be served to downstream clients, or used instead of the +# upstream (which saves a lookup to the upstream). +# +# Download local root copy and answer TLD queries from it. Because +# auth-zone has higher precedence, defined forward-zones to internal +# only TLD will not work. Use stub-zone or disable this zone. +# Good for a network-wide resolvers, worse for a localhost caching forwarder. +auth-zone: + name: "." + primary: 170.247.170.2 # b.root-servers.net + primary: 192.33.4.12 # c.root-servers.net + primary: 199.7.91.13 # d.root-servers.net + primary: 192.5.5.241 # f.root-servers.net + primary: 192.112.36.4 # g.root-servers.net + primary: 193.0.14.129 # k.root-servers.net + primary: 192.0.47.132 # xfr.cjr.dns.icann.org + primary: 192.0.32.132 # xfr.lax.dns.icann.org + primary: 2801:1b8:10::b # b.root-servers.net + primary: 2001:500:2::c # c.root-servers.net + primary: 2001:500:2d::d # d.root-servers.net + primary: 2001:500:2f::f # f.root-servers.net + primary: 2001:500:12::d0d # g.root-servers.net + primary: 2001:7fd::1 # k.root-servers.net + primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org + primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org + fallback-enabled: yes + for-downstream: no + for-upstream: yes diff --git a/unbound.spec b/unbound.spec index 0248119..a9369eb 100644 --- a/unbound.spec +++ b/unbound.spec @@ -59,6 +59,10 @@ Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/ Source20: unbound.sysusers Source21: remote-control.conf Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc +Source23: unbound-as112-networks.conf +Source24: unbound-local-root.conf +Source25: remote-control-include.conf +Source26: fedora-defaults.conf # Downstream configuration changes Patch1: unbound-fedora-config.patch 
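Review bot: The root zone is pulled by AXFR/IXFR from the listed primaries without TSIG or any transport authentication, so the integrity of the local copy rests entirely on DNSSEC validation of the answers derived from it (`for-upstream: yes`); a tampered transfer would surface as SERVFAIL on signed names rather than as poisoned answers, and only while the validator module stays configured. That is the expected RFC 8806 trade-off, but the file does not say so; add above the `auth-zone:` block `# Transfers are unauthenticated (no TSIG); integrity relies on DNSSEC validation of the root zone — do not set domain-insecure for "." or drop the validator module.` No `zonefile:` is set, so the copy lives only in memory and is re-transferred from the root servers on every start with `fallback-enabled: yes` covering the window; if that matters on slow links, `zonefile: "/var/lib/unbound/root.zone"` persists it (that directory is presumably already writable by the unbound user, since unbound-anchor writes root.key there as `User=unbound`).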
@@ -229,6 +233,7 @@ Python 3 modules and extensions for unbound --enable-relro-now --enable-pie \\\ --enable-subnet --enable-ipsecmod \\\ --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\ + --with-share-dir=%{_datadir}/%{name} \\\ --with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\ --enable-sha2 --disable-gost --enable-ecdsa \\\ --with-rootkey-file=%{_sharedstatedir}/%{name}/root.key \\\ @@ -360,6 +365,13 @@ install -p -m 0644 %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/ install -p -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/ install -p -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/ install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/ +install -p -m 0644 %{SOURCE25} %{buildroot}%{_sysconfdir}/unbound/conf.d/remote-control.conf + +mkdir -p %{buildroot}%{_datadir}/%{name}/conf.d +install -p -m 0644 %{SOURCE21} %{buildroot}%{_datadir}/%{name}/conf.d/ +install -p -m 0644 %{SOURCE23} %{buildroot}%{_datadir}/%{name}/conf.d/ +install -p -m 0644 %{SOURCE24} %{buildroot}%{_datadir}/%{name}/conf.d/ +install -p -m 0644 %{SOURCE26} %{buildroot}%{_datadir}/%{name}/ # Link unbound-control-setup.8 manpage to unbound-control.8 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8 @@ -432,6 +444,7 @@ popd %{_sbindir}/unbound-checkconf %{_sbindir}/unbound-control %{_sbindir}/unbound-control-setup +%{_datadir}/%{name}/ %{_mandir}/man5/* %exclude %{_mandir}/man8/unbound-anchor* %{_mandir}/man8/* From f199f04259acf3b2e521c1c893d2196b5f306f5d Mon Sep 17 00:00:00 2001 From: Tomas Korbar Date: Thu, 6 Feb 2025 16:30:53 +0100 Subject: [PATCH 25/64] Use ip-freebind: yes or add After=network-online.target if interface: specifies exact address, not localhost nor wildcard. It should not be used by default when only localhost listening is enabled. Default configuration does not need it. --- unbound.service | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
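Review bot: In the install hunk the kept context line `install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/` still writes Source21 (remote-control.conf) to /etc/unbound/conf.d/remote-control.conf, and the new line directly below overwrites that same path with Source25, so the first install is dead and misleads about which file ends up as the sysconfdir copy. Drop the SOURCE21 line for the sysconfdir target; it is still installed under `%{_datadir}/%{name}/conf.d/` a few lines later. Whether /etc/unbound/conf.d/remote-control.conf is listed as `%config(noreplace)` is outside this hunk; if it is not, the Source25 include stub would be reset on every upgrade, which is worth checking since it is the admin-editable half of the remote-control setup.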
diff --git a/unbound.service b/unbound.service index 74321c7..86ada76 100644 --- a/unbound.service +++ b/unbound.service @@ -1,6 +1,9 @@ [Unit] Description=Unbound recursive Domain Name Server -After=network-online.target +After=network.target +# Use ip-freebind: yes or add After=network-online.target, rhbz#2338429, +# if interface: specifies exact address, not localhost nor wildcard +#After=network-online.target After=unbound-keygen.service Wants=unbound-keygen.service After=unbound-anchor.service From 8dcd587f5c1c167e1103e7bfab1b9a37dff7170a Mon Sep 17 00:00:00 2001 From: Tomas Korbar Date: Thu, 6 Feb 2025 16:32:25 +0100 Subject: [PATCH 26/64] Add dracut module Dracut module allows unbound to be used as resolver in initramfs. It is set before to network-online.target to ensure that other services which depend on name resolution have general synchronization point when they can expect unbound to be configured and listening. --- module-setup.sh | 44 ++++++++++++++++++++++++++++++++++++++++++++ unbound-initrd.conf | 5 +++++ unbound.spec | 18 ++++++++++++++++++ 3 files changed, 67 insertions(+) create mode 100644 module-setup.sh create mode 100644 unbound-initrd.conf diff --git a/module-setup.sh b/module-setup.sh new file mode 100644 index 0000000..439bc6d --- /dev/null +++ b/module-setup.sh 
@@ -0,0 +1,44 @@ +#!/usr/bin/bash + +check() { + require_binaries unbound unbound-checkconf unbound-control || return 1 + # the module will be only included if explicitly required either + # by configuration or another module + return 255 +} + +depends() { + # because of pid file we need sysusers to create unbound user + echo systemd systemd-sysusers + return 0 +} + +install() { + # We have to make unbound wanted by network-online target to make sure + # there is a synchronization point when other services are able + # to make queries + inst_simple "$moddir"/unbound-initrd.conf /etc/systemd/system/unbound.service.d/unbound-initrd.conf + + # /etc and /var/lib do not have its variables + inst_multiple -o \ + "$systemdsystemunitdir"/unbound.service \ + /etc/unbound/conf.d/remote-control.conf \ + /etc/unbound/openssl-sha1.conf \ + /usr/share/unbound/fedora-defaults.conf \ + /usr/share/unbound/conf.d/*.conf \ + /etc/unbound/local.d/*.conf \ + /etc/unbound/keys.d/*.key \ + /etc/unbound/unbound.conf \ + /etc/unbound/unbound_control.key \ + /etc/unbound/unbound_control.pem \ + /etc/unbound/unbound_server.key \ + /etc/unbound/unbound_server.pem \ + "$sysusers"/unbound.conf \ + "$tmpfilesdir"/unbound.conf \ + /var/lib/unbound/root.key \ + unbound \ + unbound-checkconf \ + unbound-control + + $SYSTEMCTL -q --root "$initdir" enable unbound.service +} diff --git a/unbound-initrd.conf b/unbound-initrd.conf new file mode 100644 index 0000000..7838b3d --- /dev/null +++ b/unbound-initrd.conf @@ -0,0 +1,5 @@ +[Unit] +Before=network-online.target + +[Install] +WantedBy=network-online.target diff --git a/unbound.spec b/unbound.spec index a9369eb..8305aeb 100644 --- a/unbound.spec +++ b/unbound.spec @@ -63,6 +63,8 @@ Source23: unbound-as112-networks.conf Source24: unbound-local-root.conf Source25: remote-control-include.conf Source26: fedora-defaults.conf +Source27: module-setup.sh +Source28: unbound-initrd.conf # Downstream configuration changes Patch1: unbound-fedora-config.patch 
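Review bot: The install list copies only `/etc/unbound/conf.d/remote-control.conf` from conf.d, while `local.d/*.conf` and `keys.d/*.key` are globbed and the packaged unbound.conf includes `conf.d/*.conf`, so any administrator drop-in placed in conf.d (access-control, forward-zone, interface changes) is silently missing from the initramfs resolver even though local.d data is present; either glob it, `/etc/unbound/conf.d/*.conf \`, or state the omission in a comment above the list. The same list pulls `unbound_server.key` and `unbound_control.key` into the image, which is acceptable only as long as the generated initramfs stays root-readable (dracut's default, presumably) — a one-line comment noting that the image then carries the remote-control private keys would help whoever later relaxes image permissions. `-o` also tolerates a missing `/var/lib/unbound/root.key`, so an image built before the anchor exists ships a resolver without its trust anchor; a `[ -e /var/lib/unbound/root.key ] || dwarn "unbound: no root.key, DNSSEC trust anchor missing from initramfs"` would surface that at build time.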
@@ -195,6 +197,14 @@ Conflicts: python2-unbound < 1.9.3 Python 3 modules and extensions for unbound %endif +%package dracut +Summary: Unbound dracut module +Requires: dracut%{?_isa} +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description dracut +Unbound dracut module allowing use of Unbound for name resolution +in initramfs. %prep %if 0%{?fedora} @@ -376,6 +386,11 @@ install -p -m 0644 %{SOURCE26} %{buildroot}%{_datadir}/%{name}/ # Link unbound-control-setup.8 manpage to unbound-control.8 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8 +# install dracut module +mkdir -p %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound + +install -p -m 0755 %{SOURCE27} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound +install -p -m 0644 %{SOURCE28} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound %pre libs %sysusers_create_compat %{SOURCE20} @@ -506,5 +521,8 @@ popd %{_sbindir}/unbound-streamtcp %{_mandir}/man1/unbound-* +%files dracut +%{_prefix}/lib/dracut/modules.d/99unbound + %changelog %autochangelog From 85b4661d362d106f7e1e3a194b67f11b8ba8aa34 Mon Sep 17 00:00:00 2001 From: Tomas Korbar Date: Thu, 6 Feb 2025 16:33:32 +0100 Subject: [PATCH 27/64] Enabled libsystemd and change unbound service type to notify-reload "notify-reload" service type allows unbound to notify systemd not only about its readiness on startup but also about start and finish of reloading process. --- unbound.service | 2 +- unbound.spec | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/unbound.service b/unbound.service index 86ada76..66a8a34 100644 --- a/unbound.service +++ b/unbound.service @@ -12,7 +12,7 @@ Before=nss-lookup.target Wants=nss-lookup.target [Service] -Type=simple +Type=notify-reload EnvironmentFile=-/etc/sysconfig/unbound ExecStartPre=/usr/sbin/unbound-checkconf ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS diff --git a/unbound.spec b/unbound.spec index 8305aeb..c2b4ec0 100644 --- a/unbound.spec 
+++ b/unbound.spec @@ -2,7 +2,7 @@ %{?!with_python3: %global with_python3 1} %{?!with_munin: %global with_munin 1} %bcond_without dnstap -%bcond_with systemd +%bcond_without systemd %bcond_without doh %bcond_with redis From 70853eb59e4dcd428ab7ca958d234996c9f006c4 Mon Sep 17 00:00:00 2001 From: Tomas Korbar Date: Fri, 7 Feb 2025 13:00:10 +0100 Subject: [PATCH 28/64] Change service type to notify notify-reload was a mistake. It unconditionally sends signal to service process additionally to executing ExecReload which does not make sense. --- unbound.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unbound.service b/unbound.service index 66a8a34..d476504 100644 --- a/unbound.service +++ b/unbound.service @@ -12,7 +12,7 @@ Before=nss-lookup.target Wants=nss-lookup.target [Service] -Type=notify-reload +Type=notify EnvironmentFile=-/etc/sysconfig/unbound ExecStartPre=/usr/sbin/unbound-checkconf ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS From 32330fa65ef2d2301af456e22684c18de9562049 Mon Sep 17 00:00:00 2001 From: Tomas Korbar Date: Fri, 7 Feb 2025 14:30:54 +0100 Subject: [PATCH 29/64] Change service type to notify notify-reload was a mistake. It unconditionally sends signal to service process additionally to executing ExecReload which does not make sense. --- unbound.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unbound.service b/unbound.service index 66a8a34..d476504 100644 --- a/unbound.service +++ b/unbound.service @@ -12,7 +12,7 @@ Before=nss-lookup.target Wants=nss-lookup.target [Service] -Type=notify-reload +Type=notify EnvironmentFile=-/etc/sysconfig/unbound ExecStartPre=/usr/sbin/unbound-checkconf ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS From 7bf537562731e72de05a26b7ea7714ca7d4cd56f Mon Sep 17 00:00:00 2001 
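Review bot: unbound.service now hard-codes `Type=notify` while unbound.spec keeps systemd support optional via `%bcond_without systemd`; a build with `--without systemd` yields a daemon that never sends READY=1, so systemd would wait out `TimeoutStartSec` and then kill the service on every start. Either remove the bcond now that the unit depends on libsystemd, or make the unit's `Type=` conditional on it (a `Type=simple` variant installed under `%if !%{with systemd}`). A short comment next to the bcond, `# required: unbound.service uses Type=notify`, would at least document the coupling.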
From: Tomas Korbar Date: Mon, 10 Feb 2025 14:08:28 +0100 Subject: [PATCH 30/64] Add possibility to disable unbound-anchor by file presence --- tmpfiles-unbound.conf | 2 +- unbound-anchor.service | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tmpfiles-unbound.conf b/tmpfiles-unbound.conf index bb88f01..c09cc75 100644 --- a/tmpfiles-unbound.conf +++ b/tmpfiles-unbound.conf @@ -1 +1 @@ -D /run/unbound 0755 unbound unbound - +D /run/unbound 0775 unbound root - diff --git a/unbound-anchor.service b/unbound-anchor.service index 59683c8..1116243 100644 --- a/unbound-anchor.service +++ b/unbound-anchor.service @@ -6,5 +6,5 @@ Documentation=man:unbound-anchor(8) Type=oneshot User=unbound EnvironmentFile=-/etc/sysconfig/unbound -ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi' +ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ] || [ -f /run/unbound/anchor-disable ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi' SuccessExitStatus=1 From b4c4d24c699313bf75d781fa0d270526e0c72de1 Mon Sep 17 00:00:00 2001 From: Tomas Korbar Date: Mon, 10 Feb 2025 15:45:48 +0100 Subject: [PATCH 31/64] Add possibility to disable unbound-anchor by file presence --- tmpfiles-unbound.conf | 2 +- unbound-anchor.service | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tmpfiles-unbound.conf b/tmpfiles-unbound.conf index bb88f01..c09cc75 100644 --- a/tmpfiles-unbound.conf +++ b/tmpfiles-unbound.conf @@ -1 +1 @@ -D /run/unbound 0755 unbound unbound - +D /run/unbound 0775 unbound root - diff --git a/unbound-anchor.service b/unbound-anchor.service index 59683c8..1116243 100644 --- a/unbound-anchor.service +++ b/unbound-anchor.service 
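Review bot: The new `[ -f /run/unbound/anchor-disable ]` marker lives in a directory owned by user unbound, and the tmpfiles change widens it to `0775 unbound root`; group write for gid 0 buys nothing because uid 0 bypasses DAC, and neither the commit message nor the unit says who is expected to create the marker, so the mode change reads as accidental. Since the service already runs as `User=unbound` and writes the anchor itself, letting that user disable the refresh grants no new privilege, but the mechanism is undocumented: a comment above ExecStart such as `# Touch /run/unbound/anchor-disable to skip the RFC 5011 refresh until reboot (/run is volatile)` plus the reason for group root in tmpfiles-unbound.conf would make the intent reviewable. If the marker is meant to be set by something running as root (from the initramfs before switch-root, a guess), keep the directory at 0755.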
@@ -6,5 +6,5 @@ Documentation=man:unbound-anchor(8) Type=oneshot User=unbound EnvironmentFile=-/etc/sysconfig/unbound -ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi' +ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ] || [ -f /run/unbound/anchor-disable ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi' SuccessExitStatus=1 From 9e6c96e4debe3ed2f7c35c182dc3f33699294533 Mon Sep 17 00:00:00 2001 From: Tomas Korbar Date: Mon, 10 Feb 2025 20:32:06 +0100 Subject: [PATCH 32/64] Fix ownership and mode record of rundir Previous change introduced mode change and group change of rundir but it was not changed in files section, so fix that. --- unbound.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index d671a71..aa9ce44 100644 --- a/unbound.spec +++ b/unbound.spec @@ -438,7 +438,7 @@ popd %doc doc/CREDITS doc/FEATURES %{_unitdir}/%{name}.service %{_unitdir}/%{name}-keygen.service -%attr(0755,unbound,unbound) %dir %{_rundir}/%{name} +%attr(0775,unbound,root) %dir %{_rundir}/%{name} %attr(0644,root,root) %{_tmpfilesdir}/unbound.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/openssl-sha1.conf From 064be41a0333b27e2549cf5d689463badd9436eb Mon Sep 17 00:00:00 2001 From: Tomas Korbar Date: Mon, 10 Feb 2025 21:14:05 +0100 Subject: [PATCH 33/64] Fix ownership and mode record of rundir Previous change introduced mode change and group change of rundir but it was not changed in files section, so fix that. --- unbound.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index c2b4ec0..dbb7c78 100644 --- a/unbound.spec +++ b/unbound.spec 
@@ -442,7 +442,7 @@ popd %doc doc/CREDITS doc/FEATURES %{_unitdir}/%{name}.service %{_unitdir}/%{name}-keygen.service -%attr(0755,unbound,unbound) %dir %{_rundir}/%{name} +%attr(0775,unbound,root) %dir %{_rundir}/%{name} %attr(0644,root,root) %{_tmpfilesdir}/unbound.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d From 553fad845fcef27d8ce3fde25ae6d77b11469898 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 11 Feb 2025 18:03:11 +0100 Subject: [PATCH 34/64] Drop call to %sysusers_create_compat After https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers, rpm will handle account creation automatically. --- unbound.spec | 3 --- 1 file changed, 3 deletions(-) diff --git a/unbound.spec b/unbound.spec index aa9ce44..7d7a345 100644 --- a/unbound.spec +++ b/unbound.spec @@ -152,7 +152,6 @@ The devel package contains the unbound library and the include files %package libs Summary: Libraries used by the unbound server and client applications Recommends: %{name}-anchor -%{?sysusers_requires_compat} %if ! 0%{with_python2} # Make explicit conflict with no longer provided python package Obsoletes: python2-unbound < 1.9.3 @@ -394,8 +393,6 @@ mkdir -p %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound install -p -m 0755 %{SOURCE28} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound install -p -m 0644 %{SOURCE29} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound -%pre libs -%sysusers_create_compat %{SOURCE20} %post %systemd_post unbound.service From 4235e612e401caa3250127544a885469f243df5c Mon Sep 17 00:00:00 2001 From: Python Maint Date: Mon, 2 Jun 2025 20:47:35 +0200 Subject: [PATCH 35/64] Rebuilt for Python 3.14 From 82c9bae8100adedb366562fc57aa9df07b1a84c1 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Fri, 25 Apr 2025 14:23:35 +0200 Subject: [PATCH 36/64] Update to 1.23.0 (rhbz#2362019) Features: - Increase the default of max-global-quota to 200 from 128 after operational feedback. Still keeping the possible amplification factor (CAMP related issues) in the hundreds. - Fix #1175: serve-expired does not adhere to secure-by-default principle. The default value of serve-expired-client-timeout is set to 1800 as suggested by RFC8767. - For #1175, the default value of serve-expired-ttl is set to 86400 (1 day) as suggested by RFC8767. - For #1207: [FR] Support for RESINFO RRType 261 (RFC9606), add LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT. - Add resolver.arpa and service.arpa to the default locally served zones. - Merge #1042: Fast Reload. The unbound-control fast_reload is added. It reads changed config in a thread, then only briefly pauses the service threads, that keep running. DNS service is only interrupted briefly, less than a second. - Merge #1019: Redis read-only replica support. Introduces new 'redis-replica-*' options for the Redis cache backend. - Merge #902: DNS Error Reporting (RFC 9567). Introduces new configuration option 'dns-error-reporting' and new statistics for 'num.dns_error_reports'. And bug fixes. https://nlnetlabs.nl/projects/unbound/download/#unbound-1-23-0 --- .gitignore | 2 ++ sources | 4 ++-- unbound.spec | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 31c5a81..0d774db 100644 --- a/.gitignore +++ b/.gitignore @@ -95,3 +95,5 @@ unbound-1.4.5.tar.gz /unbound-1.21.1.tar.gz.asc /unbound-1.22.0.tar.gz /unbound-1.22.0.tar.gz.asc +/unbound-1.23.0.tar.gz +/unbound-1.23.0.tar.gz.asc diff --git a/sources b/sources index 87f2b6b..bcc3609 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@
-SHA512 (unbound-1.22.0.tar.gz) = 6c873e19902ce6cd59cec7084d5dba1a5bd5fe4437c827ae69bdf9273bcd8d2d1ec0dc183076f8d2e1fd38730bf8c10852d678399f0b2ea8ccf7e39119568978
-SHA512 (unbound-1.22.0.tar.gz.asc) = afbf5a125f104a25576b1c416b32f68d715b41a025fc3a61e6ee3bc28f9988b4277c7f0dd188c51cbe5641f51ade20f740ea131d1a7b5db38e2d1462a9edbb69
+SHA512 (unbound-1.23.0.tar.gz) = 9b5ca48f4f5189f168f76396f5895f39262a4333e589f8c64bb9298a55c6266f626a4a4399370c68edd9f6318215a401146bf9e16a101c54decf623668a398af
+SHA512 (unbound-1.23.0.tar.gz.asc) = f69db33fe13813fbbeb7c6bfe9158d1475f6e1ba4014e11c33f18e276f6f9fa903318d2718d7864b8af1dd5e4c90ac59b8d31579600c7e08eedf71b07301a10c
diff --git a/unbound.spec b/unbound.spec
index 7d7a345..bc78d87 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -36,7 +36,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.22.0
+Version: 1.23.0
 Release: %autorelease %{?extra_version:-e %{extra_version}}
 License: BSD-3-Clause
 Url: https://nlnetlabs.nl/projects/unbound/

From db5deb1acce8a0f1d06812510900d33330f5efec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Mon, 19 May 2025 11:22:49 +0200
Subject: [PATCH 37/64] Add wildcard into gitignore for new upstreams

---
 .gitignore | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.gitignore b/.gitignore
index 0d774db..9a43a25 100644
--- a/.gitignore
+++ b/.gitignore
@@ -97,3 +97,5 @@ unbound-1.4.5.tar.gz
 /unbound-1.22.0.tar.gz.asc
 /unbound-1.23.0.tar.gz
 /unbound-1.23.0.tar.gz.asc
+/unbound-1.*.tar.gz
+/unbound-1.*.tar.gz.asc

From 15a52378b59b3c7949d63a26352082faf6e2fd46 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Mon, 9 Jun 2025 16:20:27 +0200
Subject: [PATCH 38/64] Remove group access from unbound_server.key

It were ensured by the generation script, that the generated key would be readable just by the user. Since PR #1220 is the control channel key readable by group too, but make generated server key marked for the root only. Do not show in list of modified files.
---
 unbound.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/unbound.spec b/unbound.spec
index bc78d87..5d98a01 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -448,7 +448,7 @@ popd
 %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.pem
 %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.key
 %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.pem
-%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key
+%ghost %attr(0600,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key
 %{_sbindir}/unbound
 %{_sbindir}/unbound-checkconf
 %{_sbindir}/unbound-control

From e3be8477dd432a8c74e4e266b408b3b6123c6f68 Mon Sep 17 00:00:00 2001
From: Python Maint
Date: Tue, 10 Jun 2025 15:23:50 +0200
Subject: [PATCH 39/64] Rebuilt for Python 3.14

From a5499543e550d6a2b42ef33daf803be1c710c7b2 Mon Sep 17 00:00:00 2001
From: "psklenar@redhat.com"
Date: Mon, 9 Jun 2025 17:02:37 +0200
Subject: [PATCH 40/64] fedora CI plans move to gitlab for centos-stream test space

https://issues.redhat.com/browse/RHELMISC-13073
---
 plans/all.fmf | 2 +-
 plans/tier1-public.fmf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/plans/all.fmf b/plans/all.fmf
index cd001bd..538bd41 100644
--- a/plans/all.fmf
+++ b/plans/all.fmf
@@ -1,7 +1,7 @@
 summary: Test plan with all Fedora tests
 discover:
 how: fmf
-url: https://src.fedoraproject.org/tests/unbound.git
+url: https://gitlab.com/redhat/centos-stream/tests/unbound.git
 execute:
 how: tmt
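Review bot: The `%attr(0600,root,unbound)` on the `%ghost` entry for `unbound_server.key` only changes what `rpm -V` expects; rpm never installs a %ghost file, so a server key generated earlier with 0640 keeps that mode until something chmods it, and this commit adds no scriptlet for that (compare the later `%triggerun` that relaxes unbound_control.key). If the generation script already writes 0600, as the commit message says, a comment on the line would make the asymmetry with the three 0640 entries above it deliberate, e.g. `# server key is read by root only; generated 0600, control key stays group-readable (PR #1220)`. With mode 0600 the `unbound` group in the attr is cosmetic, which is fine but worth a word in the same comment.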
diff --git a/plans/tier1-public.fmf b/plans/tier1-public.fmf
index 10f167c..6ffbfd1 100644
--- a/plans/tier1-public.fmf
+++ b/plans/tier1-public.fmf
@@ -1,7 +1,7 @@
 summary: Public (Fedora) Tier1 beakerlib tests
 discover:
 how: fmf
-url: https://src.fedoraproject.org/tests/unbound.git
+url: https://gitlab.com/redhat/centos-stream/tests/unbound.git
 filter: 'tier: 1'
 execute:
 how: tmt

From 2ae538e522cba7aeb0074cb58ad16897fafdd8e2 Mon Sep 17 00:00:00 2001
From: Tomas Korbar
Date: Thu, 17 Jul 2025 12:55:05 +0200
Subject: [PATCH 41/64] Update to 1.23.1 (rhbz#2380450)

https://github.com/NLnetLabs/unbound/releases/tag/release-1.23.1 This security release fixes the Rebirthday Attack CVE-2025-5994.
---
 .gitignore | 2 ++
 sources | 4 ++--
 unbound.spec | 2 +-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/.gitignore b/.gitignore
index 9a43a25..cec9517 100644
--- a/.gitignore
+++ b/.gitignore
@@ -97,5 +97,7 @@ unbound-1.4.5.tar.gz
 /unbound-1.22.0.tar.gz.asc
 /unbound-1.23.0.tar.gz
 /unbound-1.23.0.tar.gz.asc
+/unbound-1.23.1.tar.gz
+/unbound-1.23.1.tar.gz.asc
 /unbound-1.*.tar.gz
 /unbound-1.*.tar.gz.asc
diff --git a/sources b/sources
index bcc3609..aa34842 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (unbound-1.23.0.tar.gz) = 9b5ca48f4f5189f168f76396f5895f39262a4333e589f8c64bb9298a55c6266f626a4a4399370c68edd9f6318215a401146bf9e16a101c54decf623668a398af
-SHA512 (unbound-1.23.0.tar.gz.asc) = f69db33fe13813fbbeb7c6bfe9158d1475f6e1ba4014e11c33f18e276f6f9fa903318d2718d7864b8af1dd5e4c90ac59b8d31579600c7e08eedf71b07301a10c
+SHA512 (unbound-1.23.1.tar.gz) = b31858eb03fed1fb2aead03aa5b6f32476678067c28ff4816808cbdcae32591e36bee966b25c6b702e3fb51588ae467efab7934a24971193f1183edd5c561b7b
+SHA512 (unbound-1.23.1.tar.gz.asc) = b1cea2405e6d5fe5d3f37ae64598fd8490c04b001345e3f6b1ed02b6f8f940a3dc7c7af5a52053378cf23cbff3c4887ccd9b3fa440c1d0d5a3d43544fbe3e956
diff --git a/unbound.spec b/unbound.spec
index 5d98a01..df72cb2 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -36,7 +36,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.23.0
+Version: 1.23.1
 Release: %autorelease %{?extra_version:-e %{extra_version}}
 License: BSD-3-Clause
 Url: https://nlnetlabs.nl/projects/unbound/

From 90c60fc7f873390b841aba4063387e09cf031be7 Mon Sep 17 00:00:00 2001
From: Fedora Release Engineering
Date: Fri, 25 Jul 2025 19:46:00 +0000
Subject: [PATCH 42/64] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild

From b28faf7eaad0f6384bae144f90e20e56fe868b44 Mon Sep 17 00:00:00 2001
From: Python Maint
Date: Fri, 15 Aug 2025 15:21:27 +0200
Subject: [PATCH 43/64] Rebuilt for Python 3.14.0rc2 bytecode

From 977179bbc7545c2a2a9da5801479d49cc2fa3381 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Wed, 2 Jul 2025 15:13:05 +0200
Subject: [PATCH 44/64] Make root.key maintained unmodified

Hide rpm -V unbound-libs changed file when unbound-anchor has done the change. Use %config for the symlink presence to protect it against unrelated package changes. It will reset root.key only when that file were modified. Related: RHEL-64339
---
 unbound.spec | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/unbound.spec b/unbound.spec
index df72cb2..1272b21 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -495,10 +495,10 @@ popd
 %{_sysusersdir}/%{name}.conf
 %{_libdir}/libunbound.so.8*
 %dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
-%config(noreplace) %verify(not link user group) %{_sharedstatedir}/%{name}/root.key
+%config %verify(not link owner group size mtime mode md5) %{_sharedstatedir}/%{name}/root.key
 # just left for backwards compat with user changed unbound.conf files - format is different!
-%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
-%attr(0644,root,root) %config %{_sysconfdir}/%{name}/dnssec-root.key
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-root.key
 %files anchor
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}

From df6032978a05b9a12855a75c8d780abfc4598a22 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Wed, 2 Jul 2025 15:27:35 +0200
Subject: [PATCH 45/64] Add new DNSSEC root anchor 38696

---
 root.anchor | 1 +
 root.key | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/root.anchor b/root.anchor
index c78ee03..1559542 100644
--- a/root.anchor
+++ b/root.anchor
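Review bot: `%verify(not link owner group size mtime mode md5)` on `%{_sharedstatedir}/%{name}/root.key` switches off every attribute `rpm -V` could check on the live DNSSEC trust anchor, so rpm can no longer tell a file rewritten by unbound-anchor from one replaced by anything else; that is the stated intent, but it means tamper detection for the anchor now rests solely on unbound-anchor's own RFC 5011 logic and on comparing the file with the packaged `%{_sysconfdir}/%{name}/dnssec-root.key`, and the line deserves a comment saying so, e.g. `# rewritten by unbound-anchor (RFC 5011): rpm -V cannot verify it, compare against dnssec-root.key instead`. Dropping `(noreplace)` on the same line means, if I read rpm's %config rules correctly, that a locally modified anchor is replaced by the packaged symlink (old copy kept as .rpmsave) whenever the packaged file changes between builds; acceptable for a link to a current key set, but the comment should mention the .rpmsave side effect so an operator knows where a possibly newer RFC 5011 state went.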
@@ -1 +1,2 @@ +. 172800 IN DNSKEY 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ;{id = 38696 (ksk), size = 2048b} . 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} diff --git a/root.key b/root.key index 6c5622c..94d2e23 100644 --- a/root.key +++ b/root.key @@ -1,6 +1,6 @@ ; // The root key in bind format. This can be read by most tools, including ; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this trusted-keys { +"." 257 3 8 "AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc="; // key id = 38696 "." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326 - }; From 1bfccbf959fbc5f73e3a23f024e0b313f0b48dcb Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Fri, 29 Aug 2025 12:18:39 +0200
Subject: [PATCH 46/64] Make even existing unbound_control.key readable by group

Make the permission change only when updating from version, where it were generated without group readable bit. Related: RHEL-73862
---
 unbound.spec | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/unbound.spec b/unbound.spec
index 1272b21..a8aa282 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -420,6 +420,13 @@ fi
 %postun anchor
 %systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer
+%triggerun -- unbound < 1.23.1-4
+if [ "$(stat -c '%%a %%G' %{_sysconfdir}/%{name}/unbound_control.key 2>/dev/null)" = '600 unbound' ]; then
+ # change permissions of existing key just once, where it were generated with wrong perms
+ %{_bindir}/chmod g+r "%{_sysconfdir}/%{name}/unbound_control.key" || :
+fi
+
+
 %check
 export OPENSSL_CONF="%{buildroot}%{_sysconfdir}/unbound/openssl-sha1.conf"
 make check

From b2122945560534708dcd2ead9bf0c5599757252f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Fri, 29 Aug 2025 13:30:03 +0200
Subject: [PATCH 47/64] Deprecate /etc/unbound/root.key

That format has been obsoleted by bind and has minimal format verification. Use instead DNS format in dnssec-root.key or file maintained by unbound-anchor service.
---
 root.key | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/root.key b/root.key
index 94d2e23..848887d 100644
--- a/root.key
+++ b/root.key
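Review bot: The comment inside the new `%triggerun` says the key was generated "with wrong perms" without recording why `g+r` is now the right mode, which is the part a future reader needs; I would write it as `# keys generated before 1.23.1-4 were 0600 root:unbound; unbound-control run by members of the unbound group needs the control key group-readable (PR #1220)`. Two things to confirm rather than defects: `%triggerun -- unbound < 1.23.1-4` compares the full EVR, so with `%autorelease` it fires only for releases sorting below 4, which is right only if 1.23.1-4 is really the first build whose generator writes 0640, otherwise keys from in-between builds stay 0600; and `stat -c '%%a %%G'` matches the exact state `600 unbound`, so a key whose group or mode was changed by hand is deliberately left alone, which the comment could state. The two empty added lines after `fi` leave extra blank lines before `%check`.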
@@ -1,5 +1,7 @@
-; // The root key in bind format. This can be read by most tools, including
-; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this
+# The root key in obsoleted bind format. This can be read by some tools, including
+# named, unbound, delv etc. For libunbound, use ub_ctx_trustedkeys() to load this
+# Prefer DNS format in /var/lib/unbound/root.key or /etc/unbound/dnssec-root.key,
+# ub_ctx_add_ta_file or trust-anchor-file: format
 trusted-keys {
 "." 257 3 8 "AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc="; // key id = 38696
 "." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326

From 54b50a3ae263d929947feaea29f3e44218d098e4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Thu, 18 Sep 2025 16:22:44 +0200
Subject: [PATCH 48/64] Update 1.24.0 (rhbz#2396332)

Features: - Increase default to num-queries-per-thread: 2048, when unbound is compiled with libevent. - Merge #1276: Auto-configure '-slabs' values. - Adjusted so-sndbuf default to 4m. - Fix #1303: [FR] Disable TLSv1.2. - unbound-control cache_lookup prints the cached rrsets and messages for those. - unbound-control cache_lookup +t allows tld and root names. And subnet cache contents are printed. - Fix #1319: [FR] zone status for Unbound auth-zones. And bug fixes. https://github.com/NLnetLabs/unbound/releases/tag/release-1.24.0
---
 sources | 4 ++--
 unbound.spec | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/sources b/sources
index aa34842..9339806 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (unbound-1.23.1.tar.gz) = b31858eb03fed1fb2aead03aa5b6f32476678067c28ff4816808cbdcae32591e36bee966b25c6b702e3fb51588ae467efab7934a24971193f1183edd5c561b7b
-SHA512 (unbound-1.23.1.tar.gz.asc) = b1cea2405e6d5fe5d3f37ae64598fd8490c04b001345e3f6b1ed02b6f8f940a3dc7c7af5a52053378cf23cbff3c4887ccd9b3fa440c1d0d5a3d43544fbe3e956
+SHA512 (unbound-1.24.0.tar.gz) = ca2adb421bb7ebf636d1442d684b5f43bf5db7c778d9ca159635b67212294bb499aa451b79f244acbea36106db7242ed1afb72fcf425fec57c0eff5f19866ae3
+SHA512 (unbound-1.24.0.tar.gz.asc) = 076c1b82c08c94950e0f364578270a0d1377e0d59197ef822552a6fb05fd01d5a3aa77e6b53c2d785720c30c10cd112eb737caeb7db6eb280752e98a1e8c9866
diff --git a/unbound.spec b/unbound.spec
index a8aa282..d66648e 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -36,7 +36,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.23.1
+Version: 1.24.0
 Release: %autorelease %{?extra_version:-e %{extra_version}}
 License: BSD-3-Clause
 Url: https://nlnetlabs.nl/projects/unbound/

From 6484d5618ba899a8fd42e115024e21590695ea2c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Thu, 18 Sep 2025 16:20:28 +0200
Subject: [PATCH 49/64] Basic ngtcp2 support

Not yet enabled by default
---
 unbound.spec | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/unbound.spec b/unbound.spec
index d66648e..2c584c6 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -4,6 +4,7 @@
 %bcond_without dnstap
 %bcond_without systemd
 %bcond_without doh
+%bcond_with ngtcp2
 %if 0%{?rhel} && ! 0%{?epel}
 %bcond_with redis
 %else
@@ -111,6 +112,9 @@ BuildRequires: systemd-rpm-macros
 %else
 BuildRequires: systemd
 %endif
+%if %{with ngtcp2}
+BuildRequires: ngtcp2-devel
+%endif
 # Needed because /usr/sbin/unbound links unbound libs staticly
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@@ -281,6 +285,9 @@ autoreconf -fiv
 %if %{with redis}
 --with-libhiredis \
 --enable-cachedb \
+%endif
+%if %{with ngtcp2}
+ --with-libngtcp2 \
 %endif
 %{configure_args}
@@ -296,6 +303,9 @@ pushd %{dir_secondary}
 %endif
 %if %{with systemd}
 --enable-systemd \
+%endif
+%if %{with ngtcp2}
+ --with-libngtcp2 \
 %endif
 %{configure_args}

From 829c6a90cd845aceefeef8cc10d6629a64ff09f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Fri, 19 Sep 2025 10:19:04 +0200
Subject: [PATCH 50/64] Require only ngtcp ossl devel package and enable it

Enable it only conditionally on distributions with OpenSSL 3.5.0 present, avoid it elsewhere.
---
 unbound.spec | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/unbound.spec b/unbound.spec
index 2c584c6..76cb314 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -4,7 +4,9 @@
 %bcond_without dnstap
 %bcond_without systemd
 %bcond_without doh
-%bcond_with ngtcp2
+%if 0%{?rhel} >= 10 || 0%{?fedora} >= 43
+%bcond_without ngtcp2
+%endif
 %if 0%{?rhel} && ! 0%{?epel}
 %bcond_with redis
 %else
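Review bot: After `%bcond_with ngtcp2` is replaced by the `%if`-guarded `%bcond_without ngtcp2`, the build conditional is not declared at all on targets outside rhel >= 10 / fedora >= 43; `%{with ngtcp2}` still expands to 0 there, but the option vanishes from the spec's declared conditionals and `rpmbuild --with ngtcp2` on an older target works only because the command-line flag happens to define the macro directly. Keep both branches explicit by inserting `%else` and `%bcond_with ngtcp2` before the `%endif`, and record the reason the commit message gives, `# ngtcp2-crypto-ossl needs OpenSSL 3.5.0, present on RHEL 10 / Fedora 43 and later`, since the condition tests distribution versions rather than the OpenSSL version it actually depends on. The `%if %{with ngtcp2}` blocks added by the previous commit on this same line are unaffected.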
@@ -113,7 +115,7 @@ BuildRequires: systemd-rpm-macros
 BuildRequires: systemd
 %endif
 %if %{with ngtcp2}
-BuildRequires: ngtcp2-devel
+BuildRequires: ngtcp2-crypto-ossl-devel
 %endif
 # Needed because /usr/sbin/unbound links unbound libs staticly

From 7135b6ff2a3faa1a0bc92895b1f43e2d600ac36b Mon Sep 17 00:00:00 2001
From: Python Maint
Date: Fri, 19 Sep 2025 15:01:14 +0200
Subject: [PATCH 51/64] Rebuilt for Python 3.14.0rc3 bytecode

From 5a16ee63cc7e0c9c9bd1492f81e242ee03aadde1 Mon Sep 17 00:00:00 2001
From: Jens Kuehnel
Date: Sun, 5 Oct 2025 01:08:31 +0200
Subject: [PATCH 52/64] allow parameters from fedora-defaults to be overwritten (rhzb#2401608)

---
 unbound-fedora-config.patch | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch
index be28920..da88960 100644
--- a/unbound-fedora-config.patch
+++ b/unbound-fedora-config.patch
@@ -14,6 +14,16 @@ diff --git a/doc/example.conf.in b/doc/example.conf.in
 index 59090c6..3a86809 100644
 --- a/doc/example.conf.in
 +++ b/doc/example.conf.in
+@@ -8,6 +8,9 @@
+ # Use this anywhere in the file to include other text into this file.
+ #include: "otherfile.conf"
++# Default Fedora settings
++include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf"
++
+ # Use this anywhere in the file to include other text, that explicitly starts a
+ # clause, into this file. Text after this directive needs to start a clause.
+ #include-toplevel: "otherfile.conf"
 @@ -51,11 +51,19 @@ server:
 # specify 0.0.0.0 and ::0 to bind to all available interfaces.
 # specify every interface[@port] on a new 'interface:' labelled line.
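Review bot: Moving `include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf"` from the end of example.conf.in (the second hunk, on the next line) to line 8 puts the distribution defaults ahead of the file's own clauses, so any option set later in unbound.conf or via `conf.d/*.conf` silently wins over them; that is the purpose of the change, but it applies equally to whatever hardening options fedora-defaults.conf carries, and the added two-line comment should say so, e.g. `# Default Fedora settings; anything set later in this file or in conf.d/ overrides them`. At line 8 the include sits outside any clause, so it relies on fedora-defaults.conf opening with its own clause keyword (I cannot see that file here); worth a sentence in the commit message. The patch file also looks hand-edited: the inner hunk headers after the new `@@ -8,6 +8,9 @@` keep their old new-side starts (`+51,19` in this hunk's context line, `+1181,9` in the next hunk) although three lines were inserted above them; patch and git apply tolerate that as far as I know, but regenerating the patch with git keeps it consistent.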
@@ -73,13 +83,10 @@ index 59090c6..3a86809 100644
 # tls-port: 853
 # https-port: 443
 # quic-port: 853
-@@ -1166,6 +1181,12 @@ remote-control:
+@@ -1166,6 +1181,9 @@ remote-control:
 # unbound-control certificate file.
 # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
-
-+# Default Fedora settings
-+include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf"
-+
+
 +# Stub and Forward zones
 +include: "@sysconfdir@/unbound/conf.d/*.conf"
 +

From 4f4dfb2fcb4226902ab2aa9c5a6c00a0550d3071 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Thu, 2 Oct 2025 18:02:42 +0200
Subject: [PATCH 53/64] Create root key if missing automatically

Prepare tmpfiles.d script for creating /var/lib/unbound in case it is missing. Prepare link to root.key also. Related: RHEL-118375
---
 tmpfiles-unbound-libs.conf | 2 ++
 unbound.spec | 11 +++++++----
 2 files changed, 9 insertions(+), 4 deletions(-)
 create mode 100644 tmpfiles-unbound-libs.conf

diff --git a/tmpfiles-unbound-libs.conf b/tmpfiles-unbound-libs.conf
new file mode 100644
index 0000000..d71ea46
--- /dev/null
+++ b/tmpfiles-unbound-libs.conf
@@ -0,0 +1,2 @@
+d /var/lib/unbound 0755 unbound unbound -
+L /var/lib/unbound/root.key - - - - ../../../etc/unbound/dnssec-root.key
diff --git a/unbound.spec b/unbound.spec
index 76cb314..3b7ffeb 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -73,6 +73,7 @@ Source26: remote-control-include.conf
 Source27: fedora-defaults.conf
 Source28: module-setup.sh
 Source29: unbound-initrd.conf
+Source30: tmpfiles-unbound-libs.conf
 # Downstream configuration changes
 Patch1: unbound-fedora-config.patch
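Review bot: The new tmpfiles-unbound-libs.conf has no comment, and the choice of `L` over `L+` for `/var/lib/unbound/root.key` is the security-relevant part of the file: `L` creates the symlink to the packaged `dnssec-root.key` only when the path is missing, so a trust anchor that unbound-anchor has already replaced with a regular file is never clobbered at boot, whereas `L+` would reset the RFC 5011 state on every run. I would add `# only create when missing: never overwrite an anchor maintained by unbound-anchor` above the `L` line. The `d` line duplicates `%dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}` from the spec's file list; a comment pointing at that entry helps keep the two in sync when either changes.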
@@ -350,17 +351,18 @@ done
 %endif
 # install streamtcp man page
-install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
-install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc
+install -p -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
+install -p -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc
 # Install tmpfiles.d config
 install -d -m 0755 %{buildroot}%{_tmpfilesdir} %{buildroot}%{_sharedstatedir}/unbound
-install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf
+install -p -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf
+install -p -m 0644 %{SOURCE30} %{buildroot}%{_tmpfilesdir}/unbound-libs.conf
 # install root - we keep a copy of the root key in old location,
 # in case user has changed the configuration and we wouldn't update it there
 install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/
-install -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/unbound/dnssec-root.key
+install -p -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/unbound/dnssec-root.key
 # make initial key static
 pushd %{buildroot}%{_sharedstatedir}/unbound
 KEYPATH=$(realpath --relative-to="%{buildroot}%{_sharedstatedir}/unbound" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key")
@@ -518,6 +520,7 @@ popd
 # just left for backwards compat with user changed unbound.conf files - format is different!
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-root.key
+%attr(0644,root,root) %{_tmpfilesdir}/unbound-libs.conf
 %files anchor
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}

From dc162ef64715726ad7819af5bad1f2cb2c6d26b6 Mon Sep 17 00:00:00 2001
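Review bot: The hunk adds `-p` to the four install lines it touches but leaves the unchanged context line `install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/` without it, so one of the five files installed in this block still loses its source timestamp; for consistency change it to `install -p -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/`. The `%files` entry for `%{_tmpfilesdir}/unbound-libs.conf` in the second hunk uses the same `%attr(0644,root,root)` as the existing `%{_tmpfilesdir}/unbound.conf` entry, so nothing to change there.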
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Fri, 24 Oct 2025 18:10:12 +0200
Subject: [PATCH 54/64] Update to 1.24.1 (rhbz#2405698)

Fix CVE-2025-11411 (possible domain hijacking attack), reported by Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan from Tsinghua University. https://nlnetlabs.nl/projects/unbound/download/#unbound-1-24-1
---
 Yorgos.asc | 122 +++++++++++++++++++++++++--------------------------
 sources | 4 +-
 unbound.spec | 3 +-
 3 files changed, 65 insertions(+), 64 deletions(-)

diff --git a/Yorgos.asc b/Yorgos.asc
index e18ec55..8d0008d 100644
--- a/Yorgos.asc
+++ b/Yorgos.asc
@@ -13,31 +13,31 @@ S9TpYmjMwURbuYm+rWZk/8w5OJG60V3wax56c0jn/42O3Y2hzQ+PbOv2M4UuuajS g3LssVS2bKy5g3IhrzCKAk0Sky4S5t/mcN+lWztNvCijuLz58GCym5GwJQARAQAB tCtZb3Jnb3MgVGhlc3NhbG9uaWtlZnMgPHlvcmdvc0BubG5ldGxhYnMubmw+iQJX BBMBCABBAhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAhkBFiEElI60IyLF0At5 -NA9dz/M0TZCHpJAFAmbz0CwFCRD85cYACgkQz/M0TZCHpJBVnhAAkcd79Twxj/tt -C4q2Xpq75+Ew6YR9gLqYiV5vEd6fu0oyhuVoUlfTkjH4ALIoGIKaO9yAVUXsrGrs -n1aJPo1Mw3q6mIwtQOxXz/W44LuFzcvZkHtCYX4YyLrUHXZPvl+r4eYkTOcyyQMU -BmbuvWhufv8MBilvWltQLxfLlgihbfuIrxqjAYDhqCffpgUiZyCut2rrenIgeh1f -DvC+GjZ3cfb1UsIpzm19yr4NCiTHkLkCOAAcAUFwWWeO/jfUsSvFQEHUnYNRREzI -Lth9NlKwPtsOVi+wcNnWQtFQb11BMr407xBib7hLSIFiqvOiYgQABjZdWN+snCRP -ZZSruigjE9ateOloJwmBqrSJLAywxvDE0ivqfSj51W5eJc/JLSXvjrOuW28dJCr8 -RV9PjC9X7zuTiFLzV8SVH71Z43Rix8n7AOp3wgRe3SygEyQXPj4qbm5HHVsx9GEA -zn495L99dJ4wZgjkbEsGhzwUx7N9FHEGS/sz3LiEq+ZYckR6gzTMMrQJgbsS9lnK -9xlXsp37uIYvx9W9JZXtS+AZhw0q3osMYBF68HPX8B9GBYlkQWmWSIMfzRYcD2n1 -5+XsfERK4mxcTWl2sCYpt8Sy3tADj9nQDabAlGUd/hlFS1dvDVQjGh6ER5S0nZjY -nmRsLl8nOTKhb2xY+2p1sDjxxQYJJQe0K0dlb3JnZSBUaGVzc2Fsb25pa2VmcyA8 +NA9dz/M0TZCHpJAFAmjWhkcFCRLfm+EACgkQz/M0TZCHpJANXhAAvTpKNl5+kU1d +lcFrXx4pgi/knhe0y1Z+ENQWVDYTs9v+lMoyCRQuAt1Cir1LAGWfRBdTQh60I6Dc +BDj+15pFJCv/dyZiQLPUgxLtIxkwIUSjELp8JevNHhGMNz7QWdG4SEpG2aF/D2Zz +kvaoomPGjRyo/bkgR2la6eqrCOxYVP+FT7682yf0bCvSTs1kTrnwFY93s7O2RciI +MS0XWcHPtoi96JxhzUIT+v0gSFuitZhRGPh9pyIcHmRER1yKugvMp6xF5UjNIcfL +ScrNlGXgjc6EJiGXS5CHliIlxlAxs4J1T9JiGQZOAW/CPxe4IND34DhqwvQcJdtL +8jt1b2xUcuFfYNa3SY671OnLt3EhwMsYDaSIXrPqW8R6XuaSxhb4sL/okHkb833b +CgaWvjQZgRm1h0R2IY5C3kHotsLUd2fygrtVVvaLxGEoi9UBsKoLu2kHEJnV5HJO +jfJMBBGgGFscfk3p1v4SAA30xPR7i6O2KDmFsVzL6xKbnFMMmayEVfWzGXmxB7lv +ob6HrJIvVH6mx64OsAY0LQI6abQI3TTZn13+RNxuATQS+j0tqbZvVJtWFw41eqsU +OqeNF9W323uvhJcjDyYquAREIivFXkzxa9y3rgQfB9OX9usD79aij4y/YLqZxafl +InYUlMGygNOGXruFRZ7DD6zciK2Zu7W0K0dlb3JnZSBUaGVzc2Fsb25pa2VmcyA8 Z2VvcmdlQG5sbmV0bGFicy5ubD6JAlQEEwEIAD4CGyMFCwkIBwIGFQgJCgsCBBYC -AwECHgECF4AWIQSUjrQjIsXQC3k0D13P8zRNkIekkAUCZvPQPQUJEPzlxgAKCRDP 
-8zRNkIekkFfCEACheY1yr2Z+LPjm/Nd2eA4CFFO7nUQHI+a6lYBd57txrRuIicuG -pGjOhnvcioRwICiKNLJD3YTU+WOd+sbO7BXH2sw2KdU9NK1ojKX/SQiTg6upfJsu -gbgar2oPvR88B7oSiuonZnhEf72HfWKDSBXHpi6KC6S3JZ+o50NB3GBpwUL1lfKW -ovymYbN6tYQfqw/+AP5jUUNpkclC0RbcW69rpvrHHqeQV1AVKkm/jNQpWLKYTGF7 -bbdLkgMh3rHp8gmF0/GuK+oyL7xD+TEXfr3iqlDIVuxbxDN8xTti1RrERU/MWQar -qOSFZcr4t+nlwThJidDLF/u3h0Ymrjz92VTfCgELIwCKxGX7jAyLZHzuWAp+0Pr/ -yuHodbweGNcGVoXmIpK93/WZcfFlBcyQLECVcijmxd7Euk0xDk76RQpuuL5VOWqn -aZcf2uNfppwKFZJjcXwK+EQbwN7+RFNvLrwoRn/1xM57T5AYBAgSvKb6h0G5KwW6 -tJfJdSu1MHfCZS1hH1Gr4+UG+VbLCVmQ9N/lUs0bcD7pK+bA1W0YnsIVuaQ+YZUh -KrJoCUF0kVDtW9ETZkp0iVBm1Q9xgTGaxUTVmctOyAbdCLyHNra4fo1BAdGlu+IP -qAcktaBUKFxWxRxf9O5kGihce9anK8CJ/TCnQ7wSvyYrlAoBoQaS78VzYYkBHAQS +AwECHgECF4AWIQSUjrQjIsXQC3k0D13P8zRNkIekkAUCaNaGWAUJEt+b4QAKCRDP +8zRNkIekkKovEACQkeEImQeer9jsY066WyIpvrhcy6xtWjeW8v1ZasRoi+DOFWeA +18O5iD34UaIPPGFRu6PRdSMLdUqtelFgONVDnXEuqOGAptMcCI4wp4+NIFd00v0J +9A9ur7xWt0Q0O1fMjFOMPa5oQK9dg1MCI0/RWRObOPf3cIr2NhgWwBuKTCluKyFc +mnRQXwyxBGCBRvK5zKmA8BBlnHuPfunTAcduNSExUx3e0w5BD5lcG4YeyuR+IRcY +HJPGU20f634dDSJGKJvGxjpaCxGQNca6s8Mpkq3lm/D3Ia4Vpw/HdiSawv/U71S/ +4F6lctMjvoS73Ao9DZ4iDPqkHJ73HidNp7n25SLnXKruZsnXitjYT8ueP7byeLPi +7IvqoENXoXNqNfDuXfqri/WnHPYWbKIdj5WWFeaR3Ws+szw3Wql7mJ1cNFWbNCE7 +rGFPhSNyG3n6mlEBUKUYn8FuOF9PHwwWl86GHLI6O4xOIohESyrZrq2mJS61sSq6 +AAQ7cqx6UMNJdBcgB5Ry7qRUF6ZmowZZu3aWFF4dW+LwMvuaFjKzShsKzj8GCE0B +pQDjy+IeWM2mBVneuCicWwvbSzVWx+Ow42QRvmH8Ja9PqoIYeJQUiMr1+aAG6kUK +3VW4iugsu3/oFIlFrkYZy9YEfCOEMgqRKL/cuBJTZt0OPFRE/9O/M/FVmIkBHAQS AQIABgUCV9kUOAAKCRAwkY2CdXJCIju1B/oCvf1kWYndNeLS6U2O6DtFAL2Ia5tY Zukcyqb1hkYcrBiMZbQN94gX5a+6Q4pdd2n241r1ZuSWdwUhRUbF4mvbZMVsavnk cvrRGviVIUXf71W0O/IsmQ9oN0Finhpf14Y4z/xqF8DpvJdkWc6X5g+RJuko6q2w 
@@ -58,18 +58,18 @@ BmQpPk0ubYclwb07FcegaHSxxIqUo/kbyt1YV5mU+QVymZ+xyvIBrnW8hBuNWRvU TJaDBSgvxUtY0Ci+OWX38kffGGvhW3CM8V6skdVc8cp7Db7gxase4BxxtC5HZW9y Z2UgVGhlc3NhbG9uaWtlZnMgPGdlb3JnZUBvcGVubmV0bGFicy5jb20+iQJUBBMB CAA+AhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEElI60IyLF0At5NA9dz/M0 -TZCHpJAFAmbz0D0FCRD85cYACgkQz/M0TZCHpJBnFw/8CRLGJnNAP43mBniIP5R1 -/10i4xG5s1Ka/y5C3aRgZUNaGMPLF8VmrC26HTPNhmduhn3j9gnBuSHgRAJUWs2K -o1q0A2/O5fFJvqPyEUl30gG8qkzFl5UGRUr7VNtBa6VpI7g78d3P4/H8THB0tYZ3 -GZv980QXwTE11aXjvPQu4e8sMOR1OVEEH+6hW1T0SvEKAMV1BHwuZAmC6HTfx5e7 -iGNWu/dwJsmwzqcAkuTTSqlmzZdIjZWJDL8pfnschkVilC3pEpEk5ExSkt/onOD2 -WCAKJUiPR6gRI2H6fE0PF8iG9isisvNhQ3MrWUIKS+1WOotoG7Bu7ob46viJKQuN -9t7KBqjdftjJHjmVop3mfX0UUEDPjkZXK5R/aUspXi4IGdM+9JijqxveicQegOhM -LcE8039Z0AaXn9IA0kQB05A4a+CEnoPL7qe+fIBJM5hZDrpMe4fAAGxiQzbRpdkZ -CrXmT+CRkhc/BvUJ5yoE1q++9Fw9eyMbPOak6GLckCIPy+Mqi4z+ZXNCtcPs3Qbc -/7AY8qyswRsD2t5bbe4g+fLEt9IsN3UvKFUKnQ88jcn9Zmps69msMDm9jEj/qo+j -QCriLLu8E1ZwhedNVOQN89w4Zww/BUyEnL4hng8Tw+RTV8Jtq5EvAleW5sZsnTzA -zn1ysZUyO/Pu7Br2jnGRAQyJARwEEgECAAYFAlfZFDwACgkQMJGNgnVyQiIHjAf/ +TZCHpJAFAmjWhlgFCRLfm+EACgkQz/M0TZCHpJCWag/+MJOLW1tBNPA9sBcjl9V4 +Cjc2TIR/r8RRGv5lstVXlXc5T4SR48UvQTxaUU+KJia5POsaAsw9yk7Zz4r7ul0D +Vd9tzHCcwxl46e0Kwn2VGBMHThsWC7QDuK7b+4AlxeO4EDWRPPw4BCB7aTxJzA3N +O4qpEF4TVeb97uyNQr2YaTGUzSI58vCgXgeOpH9ivomQi1nCxZbdrFh2yKJ+H4EH +gI8+D9iSnJMI16RS1dE7Pa85IG+qPd3owAbOlc+tBsSvdbFdRufQZeiNGKfQno1E +oygZt8svcuKpGAG1flzpPu5LE9oMsIDia9hcn4YFqr80F5bW1rUvFeC0rYp9/0ui +6lo34PAhEieB8XzjbpDDEnlkziRoz2YNVJmZOWrCAMI1bUFI5/+YWuJTXCGF62dE +dO7aBWoUkchkGGSGKbPW9KYdmqMdfOeuqZRBhKs8bgHIArJ+kvglhCJr/qNX5T8p +oCHE5bnEwFxnH2Q6a2ffpMpOExGvPaoAWlym/ID/MMet0riZ2izFUdmjEkA0HUaa +7h5x1dKMhHzYDXOW8Ksx9vE24gLrjfqfvIiYpErn+SVs0KUqkR0BRWLRYjyq/Bj/ +btTQXcDeYpQj4tL2cX3Eosqaoy5NDGCK4yqWOxENOJ/YcO5dTPJDNsHlc2JSdejz +a4g8AHFlkpPn0tlflbuE7q6JARwEEgECAAYFAlfZFDwACgkQMJGNgnVyQiIHjAf/ VrPMgIRjRTYi4cxOr5ewaim1hgJZO1oCJoMopwIvpZ2kAUqL/uPMT3wREe5bi79H jXYcaX+RbrV4ZdzaajDUFCj867KGErxqtRkANJ1eNLcQmVwGNoFeTQbgEOBfKq1t 
hRfMqHF3fxCPJp4z4U3kBPUpIQPERjgUdkH8fxZ34Omo1SLO1b0dVqsneezccBVv 
@@ -89,18 +89,18 @@ Ix1q//q2VmxqjjT3Iv30hBRX02x2M8gsP/e49XWEll7stkMtbYhBU0sHQ2CqzLGh gJN3ecpi2sKWVqN8HUZOwJFj6f9ZX76YSM23wIugHfscMAVJUXvBrbd151WIshOf FFPo62sYGt+SEMXWeRcHjbQuWW9yZ29zIFRoZXNzYWxvbmlrZWZzIDx5b3Jnb3NA b3Blbm5ldGxhYnMuY29tPokCVAQTAQgAPgIbIwULCQgHAgYVCAkKCwIEFgIDAQIe -AQIXgBYhBJSOtCMixdALeTQPXc/zNE2Qh6SQBQJm89A9BQkQ/OXGAAoJEM/zNE2Q -h6SQOf4QAIp5fEn+vVOqDuLrv8Li61UDVPE3v5b9ocPR7OMENeFpRH7K2p8xFkAM -f6JeS2ehbIjyUS8iGc+mZOalvZynJdOiHtys5r4lZanm1Rl+mWXb+nHGE/Oi4gQ3 -aEF/AwolbKi9oNXAiCtA3hmaI6FYWtAh5XOnyMG140dhlXMWzvN1ZAWXWioS33Fp -n9Z7xOsyG2Bmky69JjUQPD119noD4pEFtCipciiACVNdHGfI8QDT/8pMAxv/Q7tW -+7gyFztT1XvKONWyCfHjf1x60JQNPPM31x3xUVRz/sK+GyLq6VLiydvSZeUX3CzM -4bHixKKkSyvsX+bc9K/iLrXwZFhRdrRbpVQFpsdxv48mN5WsDlpN17KgMCyNiMDV -0VagYjZC5AurOo2mmS7PKAYGILaq3YwQ3nXYiuWfdXVW6EXtw/vdFOjFU6ppbaA3 -1+xyMDOLSGLr7f+gdZvlEc+5MX1F3mHpmuKN7clUju/HEOdVq1Bbla7BplPgqCaH -ZYCg/VHNt7ue7MYeEgTJ8OGgUDRNPa3PdU3YHRCuwJH1UzinD39K8R9/g9qiGJbC -87//1FGZp9lhIE5tja6F5pJ5GwJK9zC0iGj2NrwBvTKhuyF6W3ZQc2voYQn+gIq4 -sfbned7qpvpjLcMgIv/y82iVm2EtKtKYl982aA9S53pHqjV27kieuQINBFfYHeYB +AQIXgBYhBJSOtCMixdALeTQPXc/zNE2Qh6SQBQJo1oZYBQkS35vhAAoJEM/zNE2Q +h6SQjBkP/0IvctNT9T+DtGZyMiw/Jna9G3QhtW7exhlxzqqX3tFmZpaJj3VswyqA +5hx5BdJEShC8qNEqrBCHxcCZgsLvR3GKc/0LTgP7+7VH/ugAScrlVeI8rB6V1jn5 +cnfY5fsfOQ8i0b/8C+CiEe0TW90VRHjYV6DWMdUfqQb3E/snl23RMFeTL0Qrrk8H +Lo3MTko7TeKRYOV/g/qQkb9CFQZNyzgIjD7uZi8or8qFJ/uZTnlBq5/NRDB5Z3ew +7WXc3QrRUXmbbDzdnIeCtu5vmuk+hc69gbOst9nWf3y2qlK7BjZqT+PqKZa/fa/i +5pZpv1hB8DrA2WTIpN7iXhCvABXSEoUOJaLkRSJVDqzvuaeqOEPrk1aJSMWoio/w +8RRa1L7k6m81Dc0dqYbBOSI4MCNm8ZawQI2L4qRs5QORg4nRnAevFgkzhJKFYF2N +jzX/2xlAuOym126DODC9qJSJZR7uTOJXh0yqknfkPgDXjchpzq+Q+CM+jYo6AGas +/XPAuRQCQaLSYr9UPL7Fn62//ysZQAyAkJQR1u7UwAd6/UTTMVZpUJsLQyMyikF7 +UT4K7MWrvkZxMRPhGan0P2pRe36M9BBjYRTp0TIr+UjUT8iBfjdrttI9DQlkcEeQ +rKhcE31KqjwJMdiuzbpqqXaEss9AFuJng3Owewt4wAft3eu1U7PWuQINBFfYHeYB EAC2h9yjSe2SgtcB0H+E0ndaewaZaQCE7q+RO43dotGH9eFnVwE4/ftcK1SN42ih lF5OnTaKPyXvgQ6U8W8VB8eLjeTwA/dSXuJX7kJpEK8saPqJP6zTUmPqp/GSzS6Y 
rhKLfpFn4chmywpDFcGNMz0sYXiJgPqKL7W0KuG+ziPToAeWl8ckeXyl77/lHVhW @@ -112,17 +112,17 @@ GFxr4xBiyMX1JLCKK6OFnyPfoJ9v/o3UgrQgLrfXCmKdvkwBCgJvN3Fsxzha6Dtf hmQBxPvXxI2ERmKRomo6lrMaDMzIjD4APSM1vUfZguzQxVYpM8lwy1COeqxsj5p+ LH6f/EU+4dXZwooJ1uanBOvG2ntnz8SErE+e7wNYE4a/fb8xYM4j7p6qYtnNZPb8 sj8bvx8iWXp4A1csVetyVSchBhTVQhhNos6ouYpc4ibrYwARAQABiQI8BBgBCAAm -AhsMFiEElI60IyLF0At5NA9dz/M0TZCHpJAFAmbz0dUFCRD8528ACgkQz/M0TZCH -pJA7hg/7Bh0jb7nrp2EuU4BWK55VG+3zbrye/NdDy6eo3sVVOOO1r+jBMoJK3m1A -GWUx40ogZjRn8GMtJfxkL6wsep2P775smm7x1TH6s2dgreTj9J66gitKEgxF0tjo -JztmGJ8YKSGE4wKi37KvvSqCm1ecA8akBzJVo0B8/GtXpg+y/q3/KSY1ujW7Ihu3 -60JXT1FRXOiYfrzUKIBm8/UVnv7guPudaJf0eU4btoy4Ywzn1UXyi8BdxPIQrQDR -tt69ffcjX8BIEloK7FURLre/LhbVxlssdWYIEFQhIlb+nghZlUbWHf0Ue3L0SFFS -xV5otzQL2WjJKtCnTpSopSUmwYyT7wyAL1RokOemXL47WOfiLjiGuS+K/4lT7VHS -fdLsYinS0LYr5dmhc05s//kLyQ0OSKNh3SNAN+lM/klLE/pFwM4mo56C+seNEvCm -sT53VPOOwp6JwsLKSqm8pu1fbVjT6laMc9BPi6KUjN/f7ZahCXNXOrA2uLnTlxw/ -ns1sOXSWZDWciZeL3kJeUQER5YZ59hzLYWAiJ+5KblWRlBMXb71FUp0Mh9V3dA5O -BX3IlcF54qE50chGzLnfQf1YLuh13xxxc2WsdMZjiCj8CVDMkD6ekShfQK8nyQsK -SJgdXcnw1CxcAVvsROtecUiD+DWrJcYExjSZ+zcI4+aRhp7uNt8= -=iknu +AhsMFiEElI60IyLF0At5NA9dz/M0TZCHpJAFAmjWhoAFCRLfnBoACgkQz/M0TZCH +pJA4sA/7BZrP4nwWF1eQVliMWJ1KKG+sHizK4c+ZiB67aFJw4pLDCL5o6unOWH8V +ocr1pWC/BMmLG4K77O2qadhUH7mzXm/ddZ/DVF3xHTvTmG1W1bLd6zj3k6qOFYq8 +yPS2QNTa3+3oNbtZQ+RpvhCAmv2Dc1GMPNP2hKR/Ju9r9NwGWBEDQBtiMZ7872QJ +yR3IFyfQGRvj+GBbEBvJwCFmaRb3eDorhaNhM0b0c/RbIueEWD40nkCUtmM4Zrc1 +0HLod8Li8C4j8sIqIdfTKo1RiJUUg86q1K3pGA86hoOzeaihZekcm6wMwGlhXymb +Ng41yB/ZTedl9wk+XEEcD6HZMCXyfh55hBdWG06aEhMIALjOCj2VkRnDLmOKLgDZ +kg7OOQxDfKACCCvk72HZG3qKtaN9oNH1oeaVwc3ytWR8y2hQJcCxmoQsLn+Xvkgc +aYRNklPW2z8817J3fmvvwS0o6sOWRHLb0XAc+NZg4lEQOgwVFrE0XIAgkXHLQbuQ +GRpRzRncHX95RXMzGb1+8kpWEcM7gazgUA3omoAumwNEqmeBX1TmEtDop1k5RFCS +UWbv+A2s2GSAb05MHY0InIhMxzJXEa5+dJDPSvZnbiGRGhQitEe4eIlmPcNA1lB+ +ADFE2UTzcpRTo5cOKfrXyZXr6JCEl2+tB3o5m0v7FRdr6+zIS5g= +=Ubkv -----END PGP PUBLIC KEY BLOCK----- 
diff --git a/sources b/sources
index 9339806..d2b95bf 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (unbound-1.24.0.tar.gz) = ca2adb421bb7ebf636d1442d684b5f43bf5db7c778d9ca159635b67212294bb499aa451b79f244acbea36106db7242ed1afb72fcf425fec57c0eff5f19866ae3
-SHA512 (unbound-1.24.0.tar.gz.asc) = 076c1b82c08c94950e0f364578270a0d1377e0d59197ef822552a6fb05fd01d5a3aa77e6b53c2d785720c30c10cd112eb737caeb7db6eb280752e98a1e8c9866
+SHA512 (unbound-1.24.1.tar.gz) = 0332053ff6b2a2b6743fe33460950780a26e2cad236d21a9219e7b1a04576a9887342d59bc244c02c405e93812168175bc3dbe5481a201296899e77cbd201ea5
+SHA512 (unbound-1.24.1.tar.gz.asc) = 64f7baa0af069093f2d2a52d00fa41c26dd3a4a8eb39fbf90ae7355725121583f7dcd79257c064fa13d05f7bb0c602fe30104859a41164a81664cd4c1e275f30
diff --git a/unbound.spec b/unbound.spec
index 3b7ffeb..2fcb22a 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -39,7 +39,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.24.0
+Version: 1.24.1
 Release: %autorelease %{?extra_version:-e %{extra_version}}
 License: BSD-3-Clause
 Url: https://nlnetlabs.nl/projects/unbound/
@@ -219,6 +219,7 @@ in initramfs.
 %prep
 %if 0%{?fedora}
+%{gpgverify} --keyring='%{SOURCE22}' --signature='%{SOURCE18}' --data='%{SOURCE0}' || \
 %{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}'
 %endif
 %global pkgname %{name}-%{version}%{?extra_version}
From 7dd805b7438744b1499050da3b33923ea47b3389 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Fri, 24 Oct 2025 20:23:03 +0200
Subject: [PATCH 55/64] Fix failure with SWIG 4.4.0 (rhbz#2405293)

https://github.com/NLnetLabs/unbound/pull/1365
---
 unbound-1.24-swig-function.patch | 26 ++++++++++++++++++++++++++
 unbound.spec | 2 ++
 2 files changed, 28 insertions(+)
 create mode 100644 unbound-1.24-swig-function.patch
diff --git a/unbound-1.24-swig-function.patch b/unbound-1.24-swig-function.patch
new file mode 100644
index 0000000..3257766
--- /dev/null
+++ b/unbound-1.24-swig-function.patch
@@ -0,0 +1,26 @@
+From 0fc825def2f812af70189a01b0fe66e1c5050aec Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
+Date: Fri, 24 Oct 2025 20:20:50 +0200
+Subject: [PATCH] Use $action instead of $function in python SWIG interface
+
+$function is not supported since SWIG 4.4.0.
+---
+ libunbound/python/libunbound.i | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libunbound/python/libunbound.i b/libunbound/python/libunbound.i
+index dc12514..4576844 100644
+--- a/libunbound/python/libunbound.i
++++ b/libunbound/python/libunbound.i
+@@ -853,7 +853,7 @@ Result: ['74.125.43.147', '74.125.43.99', '74.125.43.103', '74.125.43.104']
+ %{
+ //printf("resolve_start(%lX)\n",(long unsigned int)arg1);
+ Py_BEGIN_ALLOW_THREADS
+- $function
++ $action
+ Py_END_ALLOW_THREADS
+ //printf("resolve_stop()\n");
+ %}
+--
+2.51.0
+
diff --git a/unbound.spec b/unbound.spec
index 2fcb22a..80e5dd0 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -77,6 +77,8 @@ Source30: tmpfiles-unbound-libs.conf
 # Downstream configuration changes
 Patch1: unbound-fedora-config.patch
+# https://github.com/NLnetLabs/unbound/pull/1365
+Patch2: unbound-1.24-swig-function.patch
 BuildRequires: gcc, make
 BuildRequires: openssl-devel
From c6dcb50ddd56bf2b77716142aa56bdeaf1aa8a77 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Fri, 24 Oct 2025 20:34:21 +0200
Subject: [PATCH 56/64] Update link to PR of Jitka

---
 unbound.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/unbound.spec b/unbound.spec
index 80e5dd0..44c4564 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -77,7 +77,7 @@ Source30: tmpfiles-unbound-libs.conf
 # Downstream configuration changes
 Patch1: unbound-fedora-config.patch
-# https://github.com/NLnetLabs/unbound/pull/1365
+# https://github.com/NLnetLabs/unbound/pull/1331
 Patch2: unbound-1.24-swig-function.patch
 BuildRequires: gcc, make
From 7357a73777e80b0ec1fd971cfcc8c708c3fe7e4c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Thu, 6 Nov 2025 14:47:41 +0100
Subject: [PATCH 57/64] Do not build with QUIC support in RHEL

Until we have also client support, server side support of QUIC is not too important to us.
---
 unbound.spec | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/unbound.spec b/unbound.spec
index 44c4564..2995d25 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -4,7 +4,8 @@
 %bcond_without dnstap
 %bcond_without systemd
 %bcond_without doh
-%if 0%{?rhel} >= 10 || 0%{?fedora} >= 43
+%if 0%{?fedora} >= 43 && !0%{?rhel}
+# Do not build with QUIC support in RHEL, until we have also client support.
 %bcond_without ngtcp2
 %endif
 %if 0%{?rhel} && ! 0%{?epel}
From 531b1140b74cdcc168385e7414d747bc0c36cf36 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Mon, 24 Nov 2025 14:46:24 +0100
Subject: [PATCH 58/64] Do not initialize QUIC when not requested (rhbz#2416728)

---
 unbound-1.24-quic-on-demand-only.patch | 171 +++++++++++++++++++++++++
 unbound.spec | 2 +
 2 files changed, 173 insertions(+)
 create mode 100644 unbound-1.24-quic-on-demand-only.patch
diff --git a/unbound-1.24-quic-on-demand-only.patch b/unbound-1.24-quic-on-demand-only.patch
new file mode 100644
index 0000000..e074ab0
--- /dev/null
+++ b/unbound-1.24-quic-on-demand-only.patch
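Review bot: The new `%if 0%{?fedora} >= 43 && !0%{?rhel}` writes the negation as `!0%{?rhel}` while the context line directly below it, `%if 0%{?rhel} && ! 0%{?epel}`, writes the same operator as `! 0`; `%if 0%{?fedora} >= 43 && ! 0%{?rhel}` keeps the two adjacent conditions in one style. The added comment could also say why the second term exists at all: on Fedora proper `%{?rhel}` is undefined and `0%{?fedora} >= 43` alone would do, so the guard presumably targets builds where both macros are set (ELN), and naming that saves the next reader from wondering whether it is redundant, e.g. `# No QUIC in RHEL (and ELN, which defines both fedora and rhel) until we also have client support.`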
@@ -0,0 +1,171 @@ +From 1dfe06278c1446558b5043d7c57cd901e7d96829 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Mon, 24 Nov 2025 13:44:14 +0100 +Subject: [PATCH] Do not initialize quic_table unless it is enabled + +Fedora in FIPS mode might fail to initialize ngtcp2 library, because +some ciphers desired are not available. + +Make it possible to skip initialization by setting explicitly quic_port +to 0. Unless we have some listeners for port 853 configured, skip its +initialization as well. + +Related: https://pagure.io/freeipa/issue/9877 +--- + daemon/daemon.c | 14 +++++++++----- + services/listen_dnsport.c | 14 +++++++++++--- + util/configparser.y | 15 +++++++++------ + util/netevent.c | 3 +++ + 4 files changed, 32 insertions(+), 14 deletions(-) + +diff --git a/daemon/daemon.c b/daemon/daemon.c +index f882bb9ad..a9cc25c67 100644 +--- a/daemon/daemon.c ++++ b/daemon/daemon.c +@@ -558,9 +558,11 @@ daemon_create_workers(struct daemon* daemon) + verbose(VERB_ALGO, "total of %d outgoing ports available", numport); + + #ifdef HAVE_NGTCP2 +- daemon->doq_table = doq_table_create(daemon->cfg, daemon->rand); +- if(!daemon->doq_table) +- fatal_exit("could not create doq_table: out of memory"); ++ if (cfg_has_quic(daemon->cfg)) { ++ daemon->doq_table = doq_table_create(daemon->cfg, daemon->rand); ++ if(!daemon->doq_table) ++ fatal_exit("could not create doq_table: out of memory"); ++ } + #endif + + daemon->num = (daemon->cfg->num_threads?daemon->cfg->num_threads:1); +@@ -917,8 +919,10 @@ daemon_cleanup(struct daemon* daemon) + daemon->dnscenv = NULL; + #endif + #ifdef HAVE_NGTCP2 +- doq_table_delete(daemon->doq_table); +- daemon->doq_table = NULL; ++ if (daemon->doq_table) { ++ doq_table_delete(daemon->doq_table); ++ daemon->doq_table = NULL; ++ } + #endif + daemon->cfg = NULL; + } +diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c +index f7fcca194..ab8f1ba72 100644 +--- a/services/listen_dnsport.c ++++ b/services/listen_dnsport.c +@@ -1564,7 +1564,7 @@ 
listen_create(struct comm_base* base, struct listen_port* ports, + cp = comm_point_create_udp(base, ports->fd, + front->udp_buff, ports->pp2_enabled, cb, + cb_arg, ports->socket); +- } else if(ports->ftype == listen_type_doq) { ++ } else if(ports->ftype == listen_type_doq && doq_table) { + #ifndef HAVE_NGTCP2 + log_warn("Unbound is not compiled with " + "ngtcp2. This is required to use DNS " +@@ -3275,7 +3275,11 @@ nghttp2_session_callbacks* http2_req_callbacks_create(void) + struct doq_table* + doq_table_create(struct config_file* cfg, struct ub_randstate* rnd) + { +- struct doq_table* table = calloc(1, sizeof(*table)); ++ struct doq_table* table; ++ ++ if (!cfg->quic_port) ++ return NULL; ++ table = calloc(1, sizeof(*table)); + if(!table) + return NULL; + #ifdef USE_NGTCP2_CRYPTO_OSSL +@@ -3354,7 +3358,7 @@ conn_tree_del(rbnode_type* node, void* arg) + { + struct doq_table* table = (struct doq_table*)arg; + struct doq_conn* conn; +- if(!node) ++ if(!node || !table) + return; + conn = (struct doq_conn*)node->key; + if(conn->timer.timer_in_list) { +@@ -3413,6 +3417,7 @@ doq_timer_find_time(struct doq_table* table, struct timeval* tv) + { + struct doq_timer key; + struct rbnode_type* node; ++ log_assert(table != NULL); + memset(&key, 0, sizeof(key)); + key.time.tv_sec = tv->tv_sec; + key.time.tv_usec = tv->tv_usec; +@@ -4922,6 +4927,7 @@ doq_conid_find(struct doq_table* table, const uint8_t* data, size_t datalen) + key.node.key = &key; + key.cid = (void*)data; + key.cidlen = datalen; ++ log_assert(table != NULL); + node = rbtree_search(table->conid_tree, &key); + if(node) + return (struct doq_conid*)node->key; +@@ -5662,6 +5668,8 @@ doq_table_quic_size_available(struct doq_table* table, + struct config_file* cfg, size_t mem) + { + size_t cur; ++ if (!table) ++ return 0; + lock_basic_lock(&table->size_lock); + cur = table->current_size; + lock_basic_unlock(&table->size_lock); +diff --git a/util/configparser.y b/util/configparser.y +index bf9c196fc..f159b8cec 100644 
+--- a/util/configparser.y ++++ b/util/configparser.y +@@ -1235,14 +1235,17 @@ server_http_notls_downstream: VAR_HTTP_NOTLS_DOWNSTREAM STRING_ARG + server_quic_port: VAR_QUIC_PORT STRING_ARG + { + OUTYY(("P(server_quic_port:%s)\n", $2)); ++ if(atoi($2) == 0 && strcmp($2,"0")!=0) ++ yyerror("port number expected"); ++ else { ++ cfg_parser->cfg->quic_port = atoi($2); + #ifndef HAVE_NGTCP2 +- log_warn("%s:%d: Unbound is not compiled with " +- "ngtcp2. This is required to use DNS " +- "over QUIC.", cfg_parser->filename, cfg_parser->line); ++ if (cfg_parser->cfg->quic_port != 0) ++ log_warn("%s:%d: Unbound is not compiled with " ++ "ngtcp2. This is required to use DNS " ++ "over QUIC.", cfg_parser->filename, cfg_parser->line); + #endif +- if(atoi($2) == 0) +- yyerror("port number expected"); +- else cfg_parser->cfg->quic_port = atoi($2); ++ } + free($2); + }; + server_quic_size: VAR_QUIC_SIZE STRING_ARG +diff --git a/util/netevent.c b/util/netevent.c +index aedcb5e07..93db16675 100644 +--- a/util/netevent.c ++++ b/util/netevent.c +@@ -2723,6 +2723,7 @@ doq_server_socket_create(struct doq_table* table, struct ub_randstate* rnd, + { + size_t doq_buffer_size = 4096; /* bytes buffer size, for one packet. */ + struct doq_server_socket* doq_socket; ++ log_assert(doq_table != NULL); + doq_socket = calloc(1, sizeof(*doq_socket)); + if(!doq_socket) { + return NULL; +@@ -2804,6 +2805,7 @@ doq_lookup_repinfo(struct doq_table* table, struct comm_reply* repinfo) + { + struct doq_conn* conn; + struct doq_conn_key key; ++ log_assert(table != NULL); + doq_conn_key_from_repinfo(&key, repinfo); + lock_rw_rdlock(&table->lock); + conn = doq_conn_find(table, &key.paddr.addr, +@@ -5880,6 +5882,7 @@ comm_point_create_doq(struct comm_base *base, int fd, sldns_buffer* buffer, + struct config_file* cfg) + { + #ifdef HAVE_NGTCP2 ++ log_assert(table != NULL); + struct comm_point* c = (struct comm_point*)calloc(1, + sizeof(struct comm_point)); + short evbits; +-- +2.52.0 + 
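Review bot: The `log_assert(doq_table != NULL);` added in `doq_server_socket_create` names a variable the hunk does not show — the signature in that hunk's header calls the parameter `table`, and every other assert this patch adds uses `table` — so unless a `doq_table` is declared outside the hunk this will not compile in an ngtcp2 build, and `log_assert(table != NULL);` is presumably what was meant. As far as I recall, unbound compiles `log_assert` out of release builds, so these asserts document the new invariant but do not enforce it; the NULL table that `doq_table_create` now returns is really guarded only by the call-site checks. The one that matters most is in `listen_create`, where `ports->ftype == listen_type_doq && doq_table` now silently falls through to whatever branch follows when a DoQ interface is configured but no table was created; a warning on that path, e.g. `log_warn("DNS over QUIC interface configured but QUIC is disabled (quic-port: 0), not listening");`, would make an unexpectedly missing listener visible in the logs. Returning NULL from `doq_table_create` for both `quic_port == 0` and a failed calloc also makes the caller's `fatal_exit("could not create doq_table: out of memory")` misleading should `cfg_has_quic()` (defined outside this patch) ever be true while `quic_port` is 0. `listen_create` and the other touched functions begin and end outside their hunks.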
diff --git a/unbound.spec b/unbound.spec
index 2995d25..ccad149 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -80,6 +80,8 @@ Source30: tmpfiles-unbound-libs.conf
 Patch1: unbound-fedora-config.patch
 # https://github.com/NLnetLabs/unbound/pull/1331
 Patch2: unbound-1.24-swig-function.patch
+# https://github.com/NLnetLabs/unbound/pull/1381
+Patch3: unbound-1.24-quic-on-demand-only.patch
 BuildRequires: gcc, make
 BuildRequires: openssl-devel
From 4161ebcee0794614c79b1571fe58c5d205e100a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Tue, 25 Nov 2025 15:09:46 +0100
Subject: [PATCH 59/64] Add dependency on dns-root-data package

Do not contain own copy of root key. Use shared key provided by the package.
---
 unbound.spec | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/unbound.spec b/unbound.spec
index ccad149..367e499 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -93,6 +93,7 @@ BuildRequires: automake autoconf libtool
 BuildRequires: autoconf-archive
 # Regenerate config parser too
 BuildRequires: bison flex byacc
+BuildRequires: dns-root-data
 %if 0%{?fedora}
 BuildRequires: gnupg2
@@ -164,6 +165,7 @@ The devel package contains the unbound library and the include files
 %package libs
 Summary: Libraries used by the unbound server and client applications
 Recommends: %{name}-anchor
+Requires: dns-root-data
 %if ! 0%{with_python2}
 # Make explicit conflict with no longer provided python package
 Obsoletes: python2-unbound < 1.9.3
@@ -368,12 +370,8 @@ install -p -m 0644 %{SOURCE30} %{buildroot}%{_tmpfilesdir}/unbound-libs.conf
 # install root - we keep a copy of the root key in old location,
 # in case user has changed the configuration and we wouldn't update it there
 install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/
-install -p -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/unbound/dnssec-root.key
-# make initial key static
-pushd %{buildroot}%{_sharedstatedir}/unbound
- KEYPATH=$(realpath --relative-to="%{buildroot}%{_sharedstatedir}/unbound" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key")
- ln -s "$KEYPATH" root.key
-popd
+ln -sr "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key" "%{buildroot}%{_sharedstatedir}/unbound/root.key"
+ln -sr "%{buildroot}%{_datadir}/dns-root-data/root.key" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key"
 # remove static library from install (fedora packaging guidelines)
 rm %{buildroot}%{_libdir}/*.la
From 21f2c5bc52591684bd5b8bc11783e7df301e2c05 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Tue, 25 Nov 2025 15:23:54 +0100
Subject: [PATCH 60/64] Create root.key from dns-root-data

It is old compat file, but stop having it contained copy.
---
 mkroot.sh | 17 +++++++++++++++++
 root.key | 8 --------
 unbound.spec | 5 +++--
 3 files changed, 20 insertions(+), 10 deletions(-)
 create mode 100755 mkroot.sh
 delete mode 100644 root.key
diff --git a/mkroot.sh b/mkroot.sh
new file mode 100755
index 0000000..eb6d5b3
--- /dev/null
+++ b/mkroot.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+SOURCE="/usr/share/dns-root-data/root.key"
+DEST="${1:-root.key}"
+
+mk_key() {
+echo "# Generated from $SOURCE"
+echo "# Use /var/lib/unbound/root.key instead."
+echo "trusted-keys {"
+while read DOMAIN CLS TYPE FLAGS PROTO ALG KEYDATA COMMENT KEYTAG; do
+echo "$DOMAIN $CLS $TYPE $FLAGS $PROTO $ALG \"$KEYDATA\" # $KEYTAG"
+done < "$SOURCE"
+echo "};"
+}
+
+mk_key > "$DEST"
+touch -r "$SOURCE" "$DEST"
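Review bot: The second `ln -sr` points `%{_sysconfdir}/unbound/dnssec-root.key` at `%{_datadir}/dns-root-data/root.key`, which nothing in this package installs into the buildroot, so the link is dangling at build time and the whole anchor chain (`%{_sharedstatedir}/unbound/root.key` → `dnssec-root.key` → dns-root-data) only resolves once dns-root-data is installed. That is what the `Requires: dns-root-data` added to the -libs subpackage in this commit's earlier hunk is for, but whichever subpackage owns the `dnssec-root.key` symlink needs that dependency as well, and the %files sections are outside this hunk. A comment on the line would spare the next reader the detour, e.g. `# dangling in the buildroot on purpose: the target is owned by dns-root-data (Requires on -libs)`. With the anchor now a symlink chain into a package-owned file, it is worth confirming that unbound-anchor's updates of `%{_sharedstatedir}/unbound/root.key` replace the link rather than write through it, since writing through would fail or alter a file owned by another package.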
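Review bot: The entry `mk_key` emits, `$DOMAIN $CLS $TYPE $FLAGS $PROTO $ALG "$KEYDATA" # $KEYTAG`, does not have the shape of the `trusted-keys` file this commit deletes, which wrote `"." 257 3 8 "…";` — the generated line carries the class and type fields, leaves the owner name unquoted and lacks the terminating `;`, so tools that read the old format will presumably not parse it. `read` without `-r` also lets a backslash in the input alter the key data, any blank or comment line in the source file becomes a bogus entry, and the script exits 0 with an empty `trusted-keys { };` when the loop matched nothing, which would package a trust-anchor file with no anchor in it. The rewrite below keeps the interface (`mkroot.sh [dest]`), emits entries in the deleted file's shape, and fails when no key was produced; the assumption that the source is whitespace-separated with the key tag in the ninth column is the author's and is kept as is.
```shell
# … unchanged: shebang, SOURCE and DEST …

mk_key() {
	echo "# Generated from $SOURCE"
	echo "# Use /var/lib/unbound/root.key instead."
	echo "trusted-keys {"
	# -r keeps backslashes literal; skip blank and comment lines so they do not become entries
	while read -r DOMAIN CLS TYPE FLAGS PROTO ALG KEYDATA COMMENT KEYTAG; do
		case "$DOMAIN" in ''|';'*|'#'*) continue ;; esac
		[ -n "$KEYDATA" ] || continue
		echo "\"$DOMAIN\" $FLAGS $PROTO $ALG \"$KEYDATA\"; # key id = $KEYTAG"
	done < "$SOURCE"
	echo "};"
}

mk_key > "$DEST"
# fail closed: a file without a single key entry must not be packaged
grep -q '^"' "$DEST" || { echo "$0: no keys found in $SOURCE" >&2; exit 1; }
touch -r "$SOURCE" "$DEST"
```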
diff --git a/root.key b/root.key deleted file mode 100644 index 848887d..0000000 --- a/root.key +++ /dev/null @@ -1,8 +0,0 @@ -# The root key in obsoleted bind format. This can be read by some tools, including -# named, unbound, delv etc. For libunbound, use ub_ctx_trustedkeys() to load this -# Prefer DNS format in /var/lib/unbound/root.key or /etc/unbound/dnssec-root.key, -# ub_ctx_add_ta_file or trust-anchor-file: format -trusted-keys { -"." 257 3 8 "AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc="; // key id = 38696 -"." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326 -}; diff --git a/unbound.spec b/unbound.spec index 367e499..14ac006 100644 --- a/unbound.spec +++ b/unbound.spec @@ -49,7 +49,7 @@ Source: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz Source1: unbound.service Source3: unbound.munin Source4: unbound_munin_ -Source5: root.key +Source5: mkroot.sh Source7: unbound-keygen.service Source8: tmpfiles-unbound.conf Source9: example.com.key 
@@ -369,7 +369,8 @@ install -p -m 0644 %{SOURCE30} %{buildroot}%{_tmpfilesdir}/unbound-libs.conf
 # install root - we keep a copy of the root key in old location,
 # in case user has changed the configuration and we wouldn't update it there
-install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/
+sh %{SOURCE5} root.key
+install -m 0644 root.key %{buildroot}%{_sysconfdir}/unbound/
 ln -sr "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key" "%{buildroot}%{_sharedstatedir}/unbound/root.key"
 ln -sr "%{buildroot}%{_datadir}/dns-root-data/root.key" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key"
From 79dc8264748806d5d2a54a0b235fb5d43ea64431 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Wed, 26 Nov 2025 14:16:02 +0100
Subject: [PATCH 61/64] Update to 1.16.2 (rhbz#2417261)

- Additional fix for CVE-2025-11411 https://nlnetlabs.nl/projects/unbound/download/#unbound-1-24-2
---
 sources | 4 ++--
 unbound.spec | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/sources b/sources
index d2b95bf..7d4806d 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (unbound-1.24.1.tar.gz) = 0332053ff6b2a2b6743fe33460950780a26e2cad236d21a9219e7b1a04576a9887342d59bc244c02c405e93812168175bc3dbe5481a201296899e77cbd201ea5
-SHA512 (unbound-1.24.1.tar.gz.asc) = 64f7baa0af069093f2d2a52d00fa41c26dd3a4a8eb39fbf90ae7355725121583f7dcd79257c064fa13d05f7bb0c602fe30104859a41164a81664cd4c1e275f30
+SHA512 (unbound-1.24.2.tar.gz) = 655d63ec5305323e84d82691425d74d98c332d0028517bd729d191e5f968ce9481b49ec7447d4c4906dce7997a998a115db36e911a59d2d877da5840c2080261
+SHA512 (unbound-1.24.2.tar.gz.asc) = 66a3e569a606cc3ed7dac9b411fba347da150728427619bdbf12ac57a5d7db1fc17963b1ba052a95d6c6fed67a6f0c1b5920318f6cd34e5091750626dd63fb21
diff --git a/unbound.spec b/unbound.spec
index 14ac006..1fc03d9 100644
--- a/unbound.spec
+++ b/unbound.spec
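Review bot: `sh %{SOURCE5} root.key` snapshots the trust anchor from the build host's dns-root-data into a regular file, while the two `ln -sr` lines right below it keep `dnssec-root.key` resolving to the live dns-root-data file at run time, so the two copies of the anchor this package ships can diverge after a dns-root-data update on the target. If that is acceptable for the "old compat file" the commit message describes, the comment above the line should say so, e.g. `# root.key is a build-time snapshot of dns-root-data in the old trusted-keys format; dnssec-root.key follows the live copy`; otherwise the snapshot belongs in a scriptlet or the file should become a symlink as well. `%install` continues outside the hunk.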
@@ -40,7 +40,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.24.1
+Version: 1.24.2
 Release: %autorelease %{?extra_version:-e %{extra_version}}
 License: BSD-3-Clause
 Url: https://nlnetlabs.nl/projects/unbound/
From 64fc0f02705035a7a0c7960669724ca4dcc1aa02 Mon Sep 17 00:00:00 2001
From: Paul Wouters
Date: Tue, 9 Dec 2025 11:32:18 -0500
Subject: [PATCH 62/64] Add nlnetlabs2026-g2.asc key for 2026 signature verification

downloaded from: https://nlnetlabs.nl/downloads/keys/releases-g2.asc
---
 nlnetlabs2026-g2.asc | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 nlnetlabs2026-g2.asc
diff --git a/nlnetlabs2026-g2.asc b/nlnetlabs2026-g2.asc
new file mode 100644
index 0000000..a8f7de7
--- /dev/null
+++ b/nlnetlabs2026-g2.asc
@@ -0,0 +1,24 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQGNBGc7H5IBDADOZfJwZ6zZ/4JbbR2hef4261/zh7YpdjUREUs0dMQSbf+x7sAE +50JgvLQWlvA8sDHzbUMQ9cAYZBGGE6iHb50KboeEfuiP5BdiLe8XWKlo1EIh+Idz +0+e1binxwvXV1/9ACm/UHPRuWjkG7vrP+mVRuhfKglO6xSDxV1cwjYTRtvRtQx8D ++kTdZzprvtzkU7OIWeczKFJRhVHzNDHYFG9SuxvDA9cbVm1KPVJEkRBwoSBPeB0z +Z3LSib2uT6Lc/ghAijOwIpR+zNYKOYxRhzoFArrLa0Fs4nq6//LA42/aVjSienEJ +SR5CVUbZy14WuUsYCkV+ZoORVRYZOcjtPG7FUKDXKzY9/iNhEAZ3OMK7Np2Xq/YO +gaOiUDFXLHU1n2UVH1rwkMiS2o4EMqvO7gINmnL/ccpI2wj2QrQ+JZ9y1Xky7dQM +LIIbtp40e0kGocgyba484rW17xlvXRxb1Pjn93JygD6WcraLLNh9jq87hW/J37qi +S4DL+GUe10H8SeEAEQEAAbQ6TkxuZXQgTGFicyByZWxlYXNlcyBzaWduaW5nIGtl +eSBHMiA8cmVsZWFzZXNAbmxuZXRsYWJzLm5sPokBzgQTAQoAOBYhBCMQGGkMTZA+ +9BkUaqFEMj3qrN9FBQJnOx+SAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ +EKFEMj3qrN9FZigL/0aVsJ48oe7vko1Mwg9DucFoCL8CESAarA40in1Bauq7p/pT +l5UcNnFPLO8HBAHWGWtDI63pEhNzHacPzSI94GKS4TUMGzCV1H/c0KnxB7wAO55b +HEQOZJ+kFRBFXWxbXORtp86NZuyCvVoSA4QAcnCf4m5ZEBb72H2cmy8xP+/HLkbS +rpr5pyoUWtCYM8FxnjM3bClXSGOlWNl9cSXLqyyVjxvc7cOAS8ytL/zoVStoBmi/ +OwQbeJfAiqDMnipBJNzOHlfniKXE0FGDozKCHWP88ifs8A8OUNtJng7cNq7EQf9K +vTvbJCcF4akUUcXnx4gv9Z1ZQ93Jg5X7h+0MP7Ut4z9hKSIAOowru7GXGEt256Ja +eE1nSviDcqUtZpyqCLjpCDFGPMwSPzSwlPXjJVlVxPkDvPuNt2LUIEd8BR8Wo7z+ +NA5uM/zTHkQXEdUgCcl/rHy6moHYV3Q+YbMb17zU37a5vLb+wQ74doaiYo3b8KoV +K6vVKMmB0qru6ERJ3g== +=4R8U +-----END PGP PUBLIC KEY BLOCK----- From 71efccae360b4733b7c2c1994305801e33230cef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 13 Jan 2026 16:35:32 +0100 Subject: [PATCH 63/64] Replace Wouter's key with release-g2 key Prepare for next release verification. Enable verification also for RHEL build from this release. Should enable ELN source verification. --- releases-g2.asc | 24 ++++++++ unbound.spec | 9 +-- wouter.nlnetlabs.nl.key | 123 ---------------------------------------- 3 files changed, 29 insertions(+), 127 deletions(-) create mode 100644 releases-g2.asc delete mode 100644 wouter.nlnetlabs.nl.key 
diff --git a/releases-g2.asc b/releases-g2.asc new file mode 100644 index 0000000..a8f7de7 --- /dev/null +++ b/releases-g2.asc @@ -0,0 +1,24 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQGNBGc7H5IBDADOZfJwZ6zZ/4JbbR2hef4261/zh7YpdjUREUs0dMQSbf+x7sAE +50JgvLQWlvA8sDHzbUMQ9cAYZBGGE6iHb50KboeEfuiP5BdiLe8XWKlo1EIh+Idz +0+e1binxwvXV1/9ACm/UHPRuWjkG7vrP+mVRuhfKglO6xSDxV1cwjYTRtvRtQx8D ++kTdZzprvtzkU7OIWeczKFJRhVHzNDHYFG9SuxvDA9cbVm1KPVJEkRBwoSBPeB0z +Z3LSib2uT6Lc/ghAijOwIpR+zNYKOYxRhzoFArrLa0Fs4nq6//LA42/aVjSienEJ +SR5CVUbZy14WuUsYCkV+ZoORVRYZOcjtPG7FUKDXKzY9/iNhEAZ3OMK7Np2Xq/YO +gaOiUDFXLHU1n2UVH1rwkMiS2o4EMqvO7gINmnL/ccpI2wj2QrQ+JZ9y1Xky7dQM +LIIbtp40e0kGocgyba484rW17xlvXRxb1Pjn93JygD6WcraLLNh9jq87hW/J37qi +S4DL+GUe10H8SeEAEQEAAbQ6TkxuZXQgTGFicyByZWxlYXNlcyBzaWduaW5nIGtl +eSBHMiA8cmVsZWFzZXNAbmxuZXRsYWJzLm5sPokBzgQTAQoAOBYhBCMQGGkMTZA+ +9BkUaqFEMj3qrN9FBQJnOx+SAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ +EKFEMj3qrN9FZigL/0aVsJ48oe7vko1Mwg9DucFoCL8CESAarA40in1Bauq7p/pT +l5UcNnFPLO8HBAHWGWtDI63pEhNzHacPzSI94GKS4TUMGzCV1H/c0KnxB7wAO55b +HEQOZJ+kFRBFXWxbXORtp86NZuyCvVoSA4QAcnCf4m5ZEBb72H2cmy8xP+/HLkbS +rpr5pyoUWtCYM8FxnjM3bClXSGOlWNl9cSXLqyyVjxvc7cOAS8ytL/zoVStoBmi/ +OwQbeJfAiqDMnipBJNzOHlfniKXE0FGDozKCHWP88ifs8A8OUNtJng7cNq7EQf9K +vTvbJCcF4akUUcXnx4gv9Z1ZQ93Jg5X7h+0MP7Ut4z9hKSIAOowru7GXGEt256Ja +eE1nSviDcqUtZpyqCLjpCDFGPMwSPzSwlPXjJVlVxPkDvPuNt2LUIEd8BR8Wo7z+ +NA5uM/zTHkQXEdUgCcl/rHy6moHYV3Q+YbMb17zU37a5vLb+wQ74doaiYo3b8KoV +K6vVKMmB0qru6ERJ3g== +=4R8U +-----END PGP PUBLIC KEY BLOCK----- diff --git a/unbound.spec b/unbound.spec index 1fc03d9..58a0ccf 100644 --- a/unbound.spec +++ b/unbound.spec 
@@ -62,8 +62,8 @@ Source15: unbound-anchor.timer
 Source16: unbound-munin.README
 Source17: unbound-anchor.service
 Source18: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
-# source: https://nlnetlabs.nl/people/
-Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
+# https://nlnetlabs.nl/signing-keys/
+Source19: https://nlnetlabs.nl/downloads/keys/releases-g2.asc
 Source20: unbound.sysusers
 Source21: remote-control.conf
 Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc
@@ -95,7 +95,7 @@ BuildRequires: autoconf-archive
 BuildRequires: bison flex byacc
 BuildRequires: dns-root-data
-%if 0%{?fedora}
+%if 0%{?fedora} || 0%{?rhel} >= 9
 BuildRequires: gnupg2
 %endif
 %if 0%{with_python2}
@@ -225,7 +225,8 @@ Unbound dracut module allowing use of Unbound for name resolution
 in initramfs.
 %prep
-%if 0%{?fedora}
+%if 0%{?fedora} || 0%{?rhel} >= 9
+# TODO: Remove Yorgos.asc and extra verification once releases start to be signed by new g2 key
 %{gpgverify} --keyring='%{SOURCE22}' --signature='%{SOURCE18}' --data='%{SOURCE0}' || \
 %{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}'
 %endif
diff --git a/wouter.nlnetlabs.nl.key b/wouter.nlnetlabs.nl.key
deleted file mode 100644
index 603e620..0000000
--- a/wouter.nlnetlabs.nl.key
+++ /dev/null
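Review bot: `releases-g2.asc` added by this commit is byte-for-byte the `nlnetlabs2026-g2.asc` the previous commit added (both arrive as blob a8f7de7), and as far as the visible hunks show the spec now references only `releases-g2.asc` via `Source19`, so the tree carries an unreferenced duplicate of a signing key; dropping one leaves a single copy to audit at the next rotation. The `%prep` chain keeps accepting a tarball signed by either keyring, with `|| \` hiding why the first `%{gpgverify}` failed, and since `%{SOURCE22}` (Yorgos.asc) is still tried first the new TODO would be more actionable if it named the trigger, e.g. `# TODO: once a release ships signed by releases-g2 (SOURCE19), drop the SOURCE22 fallback and Yorgos.asc`. The same `%if 0%{?fedora} || 0%{?rhel} >= 9` now appears twice (BuildRequires and %prep); a bcond next to the existing `%bcond_without` lines at the top of the spec would keep the two from drifting apart.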
@@ -1,123 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -xsFNBE2v/RwBEACyQpJlpCeSZBV1QUH7jNEp5xGdo6OnX2h9XoZ4ZPsb+u6OT+xE -SH45ncnISUh8rPCygbeWOoPR/yOBzh+lYoGxQ5iUHtwRrhHq04sQe/qFpXDO2xs6 -1pTcPU2PnH7Rsr2qp6fZLPHuXLolD7NJfaSib8sVeMM0/ecyl/L2bBg9NpaGDX0x -TQh95M8o6AFo6UKWApBpgsvEZr2aH/B8b9KnCWFhfJyheEM7DamksdZNsKxXQyq3 -l/ROfdsMLZGF8vPbYV/v11G4keyaLpn8AbBpybIiw9SYDwf2ENk3+e1NFfMaiiyE -qn9+aaLTKCY87TMUuoN3s3jWOOy5tHXzf6DbKhub4Awsby3DH5YpPhi4N2vj2pAX -Vpl5+m78cH29JLzT+HAoyZ4tq1r3m0P5QogNqYwqxkKWYOjDilNDBiKiDdgtrLYG -x+ABovKG/FvToJoaCL4AFaVCzWmL2uHkSgyBN0FPHatCB1UeEkcQit6T8E2NQqmF -WjUMXSWHHajSMG95+L5PdLHz/Ku0o3Csvlt2pkElYZmzJBfnOM9JevdsmKr/ruJC -/DCZAn5w2S/9ZF5qfo2F9HUKIwE/dChR29HcN8V4nqZs9oCvEMfFhHmrfwDc5hed -hvb6mAkvSFFtKIrygLIVeWRj3FE9sGp6sr4VwOLYTFRNk7mAsWD1rZApeQARAQAB -zSdXLkMuQS4gV2lqbmdhYXJkcyA8d291dGVyQG5sbmV0bGFicy5ubD7CwX4EEwEC -ACgFAk2v/RwCGyMFCQlmAYAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEJ9v -HC1+BF+N3yoQAIynfrvZ/8RNAv9lLcSc2PX3fvG7oRJEJSy9uMyIbMtb/a1BVCeh -XjR8GhHJ5D/Z3jRWBQKw1rLLvOqbuBGkpKMR100ZVF4z/8e6CWtTAOFy28f1JQw2 -8kilN7K6vjno21S1JJ1XJAdoFdicyb1SW2r+KYod6fjSyF0lb71od+sdnSE9O/xd -Cqyyu6cX+AwfDcuJ6Y8iOWu8CeWAz41LR1QBUQkCb/08mVfCEu+Cj+M31jjPDZEy -UAw219vr4QFe0o3t+Msv0AUZvcRkW6+8qP5lO6I5we/33WBLZH70lhFvYtobM7HO -MCjheRZguSzvRqEETfTjia1uVi3Yz2qM4CFdJIZF6Er79yKcB3jYquultrnlHdXZ -/IZsHVRk6JfiqFkz9u1T9PkvMoQ452aUomGTg9xQchnKpe1E8osKgLulaY+izTEq -Z8pH/HWWJ/YT13/n8pxK9EbC/8SkVhyXNehOSAGDZar+tjVBofgzS8r+GDyv+pBT -SmjitIrVXZNuhigLp1o7Tvs4kjKlcFnLhfDHJ+yb5JyiZd01bVvaqnfRhACqXfWl -oC0uslRbegoYwJUgX0BOrsOuHGH2SfGjd/QnA0bcEXM2kp1Dp1gqtcEd5Qitm647 -Yz+leWkhrmMmtTwqumXoAcvgzthJFUPcAzuhXZNfqQJMOGRxAGVI0P97wsF+BBMB -AgAoAhsjBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCVu+rZAUJDQIVSAAKCRCf -bxwtfgRfjdrWEACMQK0xYtZtAvLL/8CCcCi92Oi1rtXRGWnRy7JX020hftmWliMq -4P0F3CJKVLhgZ/ldp8OOqmfDfmwLMVSaCQ86Ubqn7Ofrf8Ku8SGQuIMxY2ODB97h -ouY4bnDHaM2Cqi6JkBN+G1tgdwqN/kcecF2tq3ql2k7eX91++A+F5ApIu1silzJP -L4Z8W6MVOdKrtzEM7t61hRlsbpEPj72vbVBZ1hmTiIL4VWwdxQYamxBoOeneskyD 
-DG+iMCI3P1GG3EQkk+9Aect/iH9uruE0mxn2aKN8cfuoR93cPF/ozCxS5ItwAVnN -e39WRO1GT2zYaFgYm0lf9czcpRsRzNbGw938lZ3iPUiZe+ybKgLKkVmvrkM59ljH -T99SrC14VXxgQwSs4gS3rdzbY9tPps62Z1q+xCVfTx1IY5P4nt59xwQV0Iw+pV9S -/mVcOnPXl1UKb0ttOdYJErrq3RpF/D2g/NDtL0OWqIa8LvrBlyQYmWPKvKw76vt4 -bJ3NU31jSc0ow/j7EOVjOst86s629zmtnbJjWVr6LOy5EDUPusmqHv1t4Z4RMjf8 -OrJdNbFJoRXZv8FbW4NzXeGtMf8k6vKeejpdMH4+eLuoZG7dchU1JccfgqfwWpy0 -ojmb59drJcaQgVC6Jvw9l0TmGPNIsE4UrIWocaFgv4dOKvHA2hcnMDM8rsLBlQQT -AQIAPwIbIwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQTt+qPyyk5usFaBr46f -bxwtfgRfjQUCWaU4BQUJEZjVaQAKCRCfbxwtfgRfjb1YEACjkhtkyZkYURUmSZNL -2IK/Zencv7DZGRfFrzijROFtHbe//H8o2ZhlyiaFSA/dT1ehjsukkR0oFkYadA+q -Ui06WpxGmd/jf8hP4yTUZkwOhQAesWoNmnhKePNaVMKY8DP57bA+N2pdCcGu7gUt -Yzq2JoTAtV+P/PE2w+H9eyBAulv6iUckM5/qvGfJPl8HB9BtgOpGN79otVWO6ebM -4TQ3cZYI9BDQnt9cF2pviex+z1iLZVJ8UeRxSxYhrBKPJioi0Q1OgcKyO56t7Eot -zxKl5TzprgvdX4cdls+lehD8StlE2Xv/TScHvdOhJuVBrn3a3QjZPb4qSsz74leW -5/EIQmozBy+qf8AHcCmTXwb2U7oHOct7cVyS5+bFx+ThpV5OK0rjTH1LMNiuTeAN -46c1y3prjZRpQUlgVwj06q3Zz/fzDyueUS/r4lW4nAf/VNZy/rTS2HYPoZbHZVCt -GpDIfag6fV6V97Pd3zfhTf2wmsJsw9Xhktp/o7rMBRSMhvL4oevOXb0JSG2583Q/ -JnCCceB4NxRRxsgkRYHwdnXN9FnOPSa4NyvF4rzpPksLGZrhvm+lBvzVn/e40Q/K -lxvSlnn2vW/WBM4pBq1jsoJrd/JkTdijZV7mt7HQ2bCLXAPgfZjy7n79WiCQVHg7 -iYnNikiNWR5TR7JcvdkxOdiA/8LBlQQTAQgAPwIbIwYLCQgHAwIGFQgCCQoLBBYC -AwECHgECF4AWIQTt+qPyyk5usFaBr46fbxwtfgRfjQUCXe4JdQUJGaQN2QAKCRCf -bxwtfgRfjQ8gEACe+49aDQHRuZdDHK1VCJKzhb+MvfdIjvl8eQxljpG9Uz5Y17Bx -4SWfuLHCeGlh1m6IOAWeW4g6Wowm1ec1PkVa79TdrkKb0MxfLSat6iDbiuVjDxy2 -bWokW0/cPzJ/FoWDtEC0H9UTAMb5QGBDZUbLuwX7ZjvMkAhH15/hO9Gj4RHoH1RJ -GJALRtZzjtzsJqL53kW/EV59V1T79Nocyx018iw50Jn02mI8wYJZ9HZc5C7D+K59 -vcqLRZgkrJrObw0sEv3YFOBYp/1DemH2nHPMBSKMmN5RAcr32guUjd4BEWf2Q7Ao -+Qnhdi161W0YKCW4JAmOoQ4bQ0wfE9Q5aUIGhUF52L+ac8Hy7dByaCExCA/WTqQQ -/iVPybmpJQhFonWt/fmpxbE2wKThSEOHTO67e5e3JfUb0vNKssyZojao4h1MF5nv -aPNKoybWwKnpNM0ORcyl+aogKwW7E15TEU0TE5//gAsFwRDcCnSEKnksgM0321m1 -7RDfJbCajIv47DHDYE3yvhRZjCJCaw0Gow1sDRWjdOFpmIixD5/vx5uxyqSHPuGA 
-sXlEvl+Z3Rdc5bQ7pAWu7UNpR3hnJPfg8KL2xqOF75VKG9/NjLE80yj8wdVoCfDv -vizrBtOXnHI49gCMCfNqbGIb5yVhmTdeo7li+Te9hlJ2DrHnujGJlFe+p87BTQRN -r/0cARAApvDKeVLiSazESdTY9KsSWsqoB38pvOsu25M49tEjc5TtY5LwKNckqkeR -lJ83O8dFG7UBVuGwLKaf/6OR/pe24upZ27eOOWW7sXvQNv5aXlOYfF+mjIhUINqj -q4pKDmO1c9J7h5d+auOVfzcgfotg3BVCaKn56ucjiQJ059uUMfgWTvVlibnoJ7de -Zcgt8v7VcLK9jv+P8QJHTIyDzJd+JjdjuHXqC/A37T5G9Z84x8wYrQY6mZmOIYaM -jwIKdgFeN+nLk5henARUz4MTFUW4j9hHpuyAFomDQ93/wkHZ9IEChTxdZnfvsd// -Z45vfcX9dQM+tuR8XCYThVsScI1TnwR46hi5NkfmHo3HVxwB8/owJ+FZDsTNBbJd -7AVy27Xk4L5hLe7BwLDtFMyOp4lOipCM7//mtFB9mTzqnOwiSSyTRlwGUBJkzQFW -Qa0Z6bfYwA6+y1dn19H519GW49irtl+2+W8W4N8oLriIjPvqrQOyaELFcRfV6FfL -i09HPhHVbejOqIEbOtfuN0+mjrrGAwortfTBjfw80N+W90BTvta4K2SyjHcJTkDY -ehfOo/5IMpGtDsOgvsCbDaFRnNJuYtSqQmvWk1KIPIw6CkdJtZa3+q3YA7D7ovOV -H1OBTKNdBjc+X4W8L5R9MCymXWvgiP+52Sv1VIcZmsnCBrwK490AEQEAAcLBZQQY -AQIADwUCTa/9HAIbDAUJCWYBgAAKCRCfbxwtfgRfjTY/D/9+kX8LeqBhwDdwy3ud -V67KmVmytwGMfzBHbAyBdy84X06ip/If/VkjL+2Sv5Uml/cOOzGZT7y/KEt0uXQz -gOZhGP5Y0OREf4kSzfb7tsGu3ZjTp5uJe7HiJr8uqYGfx94TQG/A3x1C7MlxOGmW -DK/Eh/eNVeNd+3yyDEzl2p7a0yUhI8LtzllVrEDX+G4rz+mdDw4tfPDqzRPzPvVt -PfqnfofHP5r2dshGe7+pCTC+o0jHWpaiFkEiIrR3PbZ9tV6+F5LzCUJJP5nepz6C -ShpLHq9ST6qZiw5ZpdznHW0kVl96YxgynJq9Y4dqD/8nOfTzdHhXXEogGvRfcxat -xeZF7YNFhUU2p+CswAjRKCUzZAz0hDAu+dJ+fw4Odx7ii8uiwhEnEHoo8rPETkXw -UK1je4MCzMRSy0Gippzk/oZ7noIml+Njas/UygavUOQm8bcPqGfWeFqvM2C7ZobL -2iV0fX/bhEmQyosiWJ0nHuKdwDYygYs/4LtZLxwiKli/lm6IDz1028j6/98Z81gG -oltXWokTYAPEgcBuhyiSLSQ1wojTVMYt9rPKMBakTzP+0FoWqoNafWOlHovP6iUB -2Igll2ZT3AvrBQ8jAbRbuUl46QpBaKsl+pBo86az0fRkMxv0N4dQv4Q7Z0g71u9N -Tpaq1vtAZOwc0kl3uGNK18PnV8LBZQQYAQIADwIbDAUCVu+raQUJDQIVTQAKCRCf -bxwtfgRfjVnYEACZ1E/FfLDi4vLUd9diImmNN/zWDHxTsO/VG3lt50rSoJM5NGB4 -RlwcbUKhah2fD44FFiIqGIvKD9hRgB51dVRIkaR3ozVtXRBKxJJqWj38wf2FDLtU -XC5/JHYb0sjAc3ad2sA9xEmEBVO1lWK3J6h4gKZiAGlWz3oeOSve3vrTKsBlP0Cu -rUeb4WTVpw4drBJD7cDh8SJ4/Cq76UFx8lW0xR+pHZHcd0/Ir5v5HnnEgbnut4Ix -eY3/CGBfQfSQHylK7ifmPWq+dflC/ZdfHY1V96EHKPM44ZLwiczoY3qp5nkmEc3B 
-Y6+P8Ch5gddOYaY18wpedarswnpOLQD2Xbsj66Eh0IZuuuZGyfOqJNaWbP33L27e -g35XQNTgyhuZmDyRKL6yAbhU74TXCCvze/kkfqDn2ouCtM8/kqLX1v0+NkBxlhZU -kTTVDyclZtwu6Vypus3+j2Zqk8sXeUZI64sjXpzwOcMZxdl3QuyxMktExWzk9Q5D -YqO+pj/YGt1vp2M0YgSUWNWCvfBcjEPFgaljyqz3BdvR/LYohnXuQL9SWObF+sIF -c9D0w/yORYQcKP5kSWVC/qwFdC61OGeSDnQ/0o0T5PefhYS82gsIrjQ+HIJ7CLUT -k7kBNljvtfpoWegH02feR0kSRoCXA6x+YHT4fmB41pW8S1V5a5dEltA/JMLBfAQY -AQIAJgIbDBYhBO36o/LKTm6wVoGvjp9vHC1+BF+NBQJZpTgKBQkRmNVuAAoJEJ9v -HC1+BF+NyNQP/A3h+cOOkYUxyKpNHdtlIfCn8db5tHXSCbE19Qi7EK1SiK5atjo+ -VoRtB+L01kH6GCx5oZjeIhUdzYFwEUsdCDgwD6r0dKFwKIGa4TFcfnx+Z5B+HZgL -Yc6ac5PEHF1qZVXZH9GSGeNw5h2yyqf4yhvetSN6L2id14m5XXJV5e7NfOgmaSnG -0Z+wQvPSiu+Q00XpENT8HFSTSCjRATjk12rpy6TPeeC52NK1gLhGDRHN0k6m+vm4 -yoC+Nd6iPQpnc+5xs7NDnq2dFuSTp7UTGebzPhhdSQgujEFuYLwzQMZu1h5amtA+ -v9j7BYEJkOMC7bm1PNNA2QQ6QfH8Hf+mJeINyJO8A5KS3ceP+eo3SLR8T0hPzu9g -ZuZ22Hn3DXQh1VNRshaLKgNvoXpL3dQ48d1SFFKhEDpy2HSXUq2fs5rH0uszFGes -G7K6EQRAYRcDrCkt9fdfkvCSxAFw9d+472xThzgKcN+MkOec+SaY+xlVULjEfCWy -RVC8Opam4mTm/XT4mVLxP/qnsy7kEhLoc/ouB+lY/ks06LpZJvCXL6WfA9You1Fi -1Mg7GhSh9JKg6X6E8Trm+N4dxJGut1xbbGmmKXqfi4pej9KlkdeM9t1df/vWKlPa -7Hzd8H0btgJx066wC4yt0ghxtsJXBsCDxWLfzaSRZ2/eP16mHqxDjsQQwsF8BBgB -CAAmAhsMFiEE7fqj8spObrBWga+On28cLX4EX40FAl3uCX0FCRmkDeEACgkQn28c -LX4EX43TQA/+JV8ReMRJCn3Cfqbe5ycFn8p6dIVnJiQuhiEyu5yzdpSkKyzcVFJO -bQcqw7s50FJuLUbxdvbcuGIaoTu7dhBoUXO5tOuIQAsKTfGfgoOgelJm+/q2h645 -EnAVINGbMDXrmo4/UFJkNjUMA6SQi/yiam7N0y58eoDC4sGmBKuN2EW2MoWahlXw -8SS1+Ab9qVBs/RqbSy6f1nJL39aPpPDmvyJOSYtHnNSFlYWVhr0zGAi5rnswlFGr -ECGbHpr5FajUK7zcmtNPbi7F30K48xfF3XnDIeIBcerrEBQMaPUZcBlddGhmSVVJ -ZU/YhR35JNgPnmp33gOuZaRiW9lauZFwsMQBIBkLpJWoUtu8QLkyC0HmJzVRep0/ -s1RkzaJ+1G1BzXTQiXaLaUQWG5h3pcMD8fxY5qp9KbG/+10bY0sRbRBXgS6mz7dd -HaBtg/E8ty2nEB1HDXA9HAHu7KlH9e96sPZjz9C46ZiOXe6ZAOk6wBYts4RG4bCQ -9pGORJ+P2Jr2pz1NZQbs1AhnjJixTsfZfsGZ5lHxGLjIyxtdGB/irLEqNTIMek2y -p4CShmWoZwN0V3aGYMe/rC4tSXG79IeKNwF3Vd5MHtB+hcJG2qztBtKQuW29rbRA -5bNxwTWe8skwOKsxXnP9RC974k0XkPS+VwgmVgNN1ewS/0oHvmEP71Q= -=Oqje ------END PGP PUBLIC 
KEY BLOCK----- From 21dc077e040de49174e41c99f5c7defb457c9d8e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 13 Jan 2026 16:40:21 +0100 Subject: [PATCH 64/64] Replace downloaded key with existing Paul's key Keep only one instance of the key. --- releases-g2.asc | 24 ------------------------ unbound.spec | 2 +- 2 files changed, 1 insertion(+), 25 deletions(-) delete mode 100644 releases-g2.asc diff --git a/releases-g2.asc b/releases-g2.asc deleted file mode 100644 index a8f7de7..0000000 --- a/releases-g2.asc +++ /dev/null @@ -1,24 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -mQGNBGc7H5IBDADOZfJwZ6zZ/4JbbR2hef4261/zh7YpdjUREUs0dMQSbf+x7sAE -50JgvLQWlvA8sDHzbUMQ9cAYZBGGE6iHb50KboeEfuiP5BdiLe8XWKlo1EIh+Idz -0+e1binxwvXV1/9ACm/UHPRuWjkG7vrP+mVRuhfKglO6xSDxV1cwjYTRtvRtQx8D -+kTdZzprvtzkU7OIWeczKFJRhVHzNDHYFG9SuxvDA9cbVm1KPVJEkRBwoSBPeB0z -Z3LSib2uT6Lc/ghAijOwIpR+zNYKOYxRhzoFArrLa0Fs4nq6//LA42/aVjSienEJ -SR5CVUbZy14WuUsYCkV+ZoORVRYZOcjtPG7FUKDXKzY9/iNhEAZ3OMK7Np2Xq/YO -gaOiUDFXLHU1n2UVH1rwkMiS2o4EMqvO7gINmnL/ccpI2wj2QrQ+JZ9y1Xky7dQM -LIIbtp40e0kGocgyba484rW17xlvXRxb1Pjn93JygD6WcraLLNh9jq87hW/J37qi -S4DL+GUe10H8SeEAEQEAAbQ6TkxuZXQgTGFicyByZWxlYXNlcyBzaWduaW5nIGtl -eSBHMiA8cmVsZWFzZXNAbmxuZXRsYWJzLm5sPokBzgQTAQoAOBYhBCMQGGkMTZA+ -9BkUaqFEMj3qrN9FBQJnOx+SAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ -EKFEMj3qrN9FZigL/0aVsJ48oe7vko1Mwg9DucFoCL8CESAarA40in1Bauq7p/pT -l5UcNnFPLO8HBAHWGWtDI63pEhNzHacPzSI94GKS4TUMGzCV1H/c0KnxB7wAO55b -HEQOZJ+kFRBFXWxbXORtp86NZuyCvVoSA4QAcnCf4m5ZEBb72H2cmy8xP+/HLkbS -rpr5pyoUWtCYM8FxnjM3bClXSGOlWNl9cSXLqyyVjxvc7cOAS8ytL/zoVStoBmi/ -OwQbeJfAiqDMnipBJNzOHlfniKXE0FGDozKCHWP88ifs8A8OUNtJng7cNq7EQf9K -vTvbJCcF4akUUcXnx4gv9Z1ZQ93Jg5X7h+0MP7Ut4z9hKSIAOowru7GXGEt256Ja -eE1nSviDcqUtZpyqCLjpCDFGPMwSPzSwlPXjJVlVxPkDvPuNt2LUIEd8BR8Wo7z+ -NA5uM/zTHkQXEdUgCcl/rHy6moHYV3Q+YbMb17zU37a5vLb+wQ74doaiYo3b8KoV -K6vVKMmB0qru6ERJ3g== -=4R8U ------END PGP PUBLIC KEY BLOCK----- 
diff --git a/unbound.spec b/unbound.spec
index 58a0ccf..d173141 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -63,7 +63,7 @@ Source16: unbound-munin.README
 Source17: unbound-anchor.service
 Source18: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
 # https://nlnetlabs.nl/signing-keys/
-Source19: https://nlnetlabs.nl/downloads/keys/releases-g2.asc
+Source19: https://nlnetlabs.nl/downloads/keys/releases-g2.asc#/nlnetlabs2026-g2.asc
 Source20: unbound.sysusers
 Source21: remote-control.conf
 Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc
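Review bot: The `#/nlnetlabs2026-g2.asc` fragment only changes the local filename; the URL still points at releases-g2.asc, so any re-fetch of sources will overwrite the existing nlnetlabs2026-g2.asc (presumably the "Paul's key" file the commit message refers to, which is not part of this diff) with whatever the server returns, and nothing in the spec would detect that the two differ. Because `%prep` verifies the release tarball against `%{SOURCE19}`, that file is the trust anchor for the source and should be identifiable from the spec alone. Suggest expanding the comment above Source19 to state what the file is and its published fingerprint, e.g. `# NLnet Labs G2 release signing key; same key as in dist-git, fingerprint per https://nlnetlabs.nl/signing-keys/`, so a refreshed download can be compared against the committed copy.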