diff --git a/.gitignore b/.gitignore
index cec9517..dde18f4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -87,17 +87,3 @@ unbound-1.4.5.tar.gz
 /unbound-1.19.1.tar.gz.asc
 /unbound-1.19.3.tar.gz
 /unbound-1.19.3.tar.gz.asc
-/unbound-1.20.0.tar.gz
-/unbound-1.20.0.tar.gz.asc
-/unbound-1.21.0.tar.gz
-/unbound-1.21.0.tar.gz.asc
-/unbound-1.21.1.tar.gz
-/unbound-1.21.1.tar.gz.asc
-/unbound-1.22.0.tar.gz
-/unbound-1.22.0.tar.gz.asc
-/unbound-1.23.0.tar.gz
-/unbound-1.23.0.tar.gz.asc
-/unbound-1.23.1.tar.gz
-/unbound-1.23.1.tar.gz.asc
-/unbound-1.*.tar.gz
-/unbound-1.*.tar.gz.asc
diff --git a/Yorgos.asc b/Yorgos.asc
deleted file mode 100644
index 8d0008d..0000000
--- a/Yorgos.asc
+++ /dev/null
@@ -1,128 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -mQINBFfYHeYBEAC/8SdeXNspt9ZIoZRSL9juNLHA17TXcHdKSthgWBtwwWZbUPq8 -SJr7Y+hr6jMCDKY9800QzLF0nLkyXnZgaBcvR0rRbCT/qvALJ0fpfjcotapZ1hBv -omb9s8Bo28uKn8tbTMXYNsElUae4Ch/CrU1vfe50YoyQgLR8UBa15gV+2RmC+6jI -qxDYS8sylWlDn6Qim+77feLlObPnNdzgfWGZo14eJByTsz0qrh8aS/BS1FAsnEQ6 -W6AqukhpuKuWvoAUXKjfguXQolxeexubmKaLcGOTvecw+cbh/a5SPHRtRVr9qTxp -elk6UEpakY5K9UtZkrG55VWih/4KqY9bNyhJBtpAk1fXA+mYfx5BcFpECYdU9kz4 -UgV5jK0HYRHQTLC91PPVQgH86we+Aae6TaJneCLEIzBK36TgAP8RKrvFfPUym5OP -YbWOom27QTKfRVcyxPKglJxrTSWixnKWS/pqxNY8hF9Ne4crRAF4wX2yBVbGnjNr -S9TpYmjMwURbuYm+rWZk/8w5OJG60V3wax56c0jn/42O3Y2hzQ+PbOv2M4UuuajS -2YL3/KUsRLBapUpPQjzChwzdr/vzFEhk9XxK2VGMN+dh2HjYwDFendc5csyt/cVr -g3LssVS2bKy5g3IhrzCKAk0Sky4S5t/mcN+lWztNvCijuLz58GCym5GwJQARAQAB -tCtZb3Jnb3MgVGhlc3NhbG9uaWtlZnMgPHlvcmdvc0BubG5ldGxhYnMubmw+iQJX -BBMBCABBAhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAhkBFiEElI60IyLF0At5 -NA9dz/M0TZCHpJAFAmjWhkcFCRLfm+EACgkQz/M0TZCHpJANXhAAvTpKNl5+kU1d -lcFrXx4pgi/knhe0y1Z+ENQWVDYTs9v+lMoyCRQuAt1Cir1LAGWfRBdTQh60I6Dc -BDj+15pFJCv/dyZiQLPUgxLtIxkwIUSjELp8JevNHhGMNz7QWdG4SEpG2aF/D2Zz -kvaoomPGjRyo/bkgR2la6eqrCOxYVP+FT7682yf0bCvSTs1kTrnwFY93s7O2RciI -MS0XWcHPtoi96JxhzUIT+v0gSFuitZhRGPh9pyIcHmRER1yKugvMp6xF5UjNIcfL -ScrNlGXgjc6EJiGXS5CHliIlxlAxs4J1T9JiGQZOAW/CPxe4IND34DhqwvQcJdtL -8jt1b2xUcuFfYNa3SY671OnLt3EhwMsYDaSIXrPqW8R6XuaSxhb4sL/okHkb833b -CgaWvjQZgRm1h0R2IY5C3kHotsLUd2fygrtVVvaLxGEoi9UBsKoLu2kHEJnV5HJO -jfJMBBGgGFscfk3p1v4SAA30xPR7i6O2KDmFsVzL6xKbnFMMmayEVfWzGXmxB7lv -ob6HrJIvVH6mx64OsAY0LQI6abQI3TTZn13+RNxuATQS+j0tqbZvVJtWFw41eqsU -OqeNF9W323uvhJcjDyYquAREIivFXkzxa9y3rgQfB9OX9usD79aij4y/YLqZxafl -InYUlMGygNOGXruFRZ7DD6zciK2Zu7W0K0dlb3JnZSBUaGVzc2Fsb25pa2VmcyA8 -Z2VvcmdlQG5sbmV0bGFicy5ubD6JAlQEEwEIAD4CGyMFCwkIBwIGFQgJCgsCBBYC -AwECHgECF4AWIQSUjrQjIsXQC3k0D13P8zRNkIekkAUCaNaGWAUJEt+b4QAKCRDP -8zRNkIekkKovEACQkeEImQeer9jsY066WyIpvrhcy6xtWjeW8v1ZasRoi+DOFWeA -18O5iD34UaIPPGFRu6PRdSMLdUqtelFgONVDnXEuqOGAptMcCI4wp4+NIFd00v0J 
-9A9ur7xWt0Q0O1fMjFOMPa5oQK9dg1MCI0/RWRObOPf3cIr2NhgWwBuKTCluKyFc -mnRQXwyxBGCBRvK5zKmA8BBlnHuPfunTAcduNSExUx3e0w5BD5lcG4YeyuR+IRcY -HJPGU20f634dDSJGKJvGxjpaCxGQNca6s8Mpkq3lm/D3Ia4Vpw/HdiSawv/U71S/ -4F6lctMjvoS73Ao9DZ4iDPqkHJ73HidNp7n25SLnXKruZsnXitjYT8ueP7byeLPi -7IvqoENXoXNqNfDuXfqri/WnHPYWbKIdj5WWFeaR3Ws+szw3Wql7mJ1cNFWbNCE7 -rGFPhSNyG3n6mlEBUKUYn8FuOF9PHwwWl86GHLI6O4xOIohESyrZrq2mJS61sSq6 -AAQ7cqx6UMNJdBcgB5Ry7qRUF6ZmowZZu3aWFF4dW+LwMvuaFjKzShsKzj8GCE0B -pQDjy+IeWM2mBVneuCicWwvbSzVWx+Ow42QRvmH8Ja9PqoIYeJQUiMr1+aAG6kUK -3VW4iugsu3/oFIlFrkYZy9YEfCOEMgqRKL/cuBJTZt0OPFRE/9O/M/FVmIkBHAQS -AQIABgUCV9kUOAAKCRAwkY2CdXJCIju1B/oCvf1kWYndNeLS6U2O6DtFAL2Ia5tY -Zukcyqb1hkYcrBiMZbQN94gX5a+6Q4pdd2n241r1ZuSWdwUhRUbF4mvbZMVsavnk -cvrRGviVIUXf71W0O/IsmQ9oN0Finhpf14Y4z/xqF8DpvJdkWc6X5g+RJuko6q2w -B7x2UfSyF4USp47LSmUQnC59IF8jzaElgBha3gwEuXL3d2qBepoV/e9RiXJClUAT -+O7qdxzDq1eiZ+NXUjDCmrkuWjHLAZAv0jx1KUTCQ2no62UM95igtJ+Kn56Lc2+J -CqFJztaZeX8CgXXryxNpsyhZJ33dIoLCT03K25wrV5Y+eag05slQ9sC3iQI9BBMB -CAAnBQJX2RCwAhsjBQkFo5qABQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAAoJEM/z -NE2Qh6SQ3JUP/2G3bRNObS7zsfN3rjkbjLxaDOwNggRdbeXM5rHDVEG9SWesCGaI -vyQdkSGQoIaKUgNv7Yp8O8pEnD4IwdhNSaXVIB3pBtdOD0UM1wuxRpfqJOUxZEoW -T2Jr31Tg2qepp6nT7UmdiF7uCBDy8Jm6k6Q+6UT58cPaesRQdSPi6Go7ho2/xVvK -Ve9ufSTSTdG5+7bJDu6Iv7sydKUEG4jPDqo+jjVLn1X6Rfp+E4JAvOvFrSJHW5sa -A332xV40GeV+aM1ndP7dPkz8+AGB3QD7JF2DLcqvLo0TYOvjnlOGYcNp8gzp23g9 -KFwe2sdbdtVpuWaJUSpXXiUZnFzrrVxDNiEBjqsPa5ysOxzJ+1gUbcrIjUeNeAFh -us4XL+IidPATnhTIX3X/uPRB87KaTaA8XUqsuSd2DM9mLxdHKC9Jf8D1t+ywYrek -Cp+K80vCtFPWBM4+w8nGugTNKJEGIXZDGFOF/c7r6xKkaOYK0Y+IGJawlV5LaADl -BmQpPk0ubYclwb07FcegaHSxxIqUo/kbyt1YV5mU+QVymZ+xyvIBrnW8hBuNWRvU -5acnIZibCERayo8ZuI+r/X3bLHfDx0oh2h+cL3utNZUqmgZNR0Di8P+x0hUYsYPO -TJaDBSgvxUtY0Ci+OWX38kffGGvhW3CM8V6skdVc8cp7Db7gxase4BxxtC5HZW9y -Z2UgVGhlc3NhbG9uaWtlZnMgPGdlb3JnZUBvcGVubmV0bGFicy5jb20+iQJUBBMB -CAA+AhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEElI60IyLF0At5NA9dz/M0 -TZCHpJAFAmjWhlgFCRLfm+EACgkQz/M0TZCHpJCWag/+MJOLW1tBNPA9sBcjl9V4 
-Cjc2TIR/r8RRGv5lstVXlXc5T4SR48UvQTxaUU+KJia5POsaAsw9yk7Zz4r7ul0D -Vd9tzHCcwxl46e0Kwn2VGBMHThsWC7QDuK7b+4AlxeO4EDWRPPw4BCB7aTxJzA3N -O4qpEF4TVeb97uyNQr2YaTGUzSI58vCgXgeOpH9ivomQi1nCxZbdrFh2yKJ+H4EH -gI8+D9iSnJMI16RS1dE7Pa85IG+qPd3owAbOlc+tBsSvdbFdRufQZeiNGKfQno1E -oygZt8svcuKpGAG1flzpPu5LE9oMsIDia9hcn4YFqr80F5bW1rUvFeC0rYp9/0ui -6lo34PAhEieB8XzjbpDDEnlkziRoz2YNVJmZOWrCAMI1bUFI5/+YWuJTXCGF62dE -dO7aBWoUkchkGGSGKbPW9KYdmqMdfOeuqZRBhKs8bgHIArJ+kvglhCJr/qNX5T8p -oCHE5bnEwFxnH2Q6a2ffpMpOExGvPaoAWlym/ID/MMet0riZ2izFUdmjEkA0HUaa -7h5x1dKMhHzYDXOW8Ksx9vE24gLrjfqfvIiYpErn+SVs0KUqkR0BRWLRYjyq/Bj/ -btTQXcDeYpQj4tL2cX3Eosqaoy5NDGCK4yqWOxENOJ/YcO5dTPJDNsHlc2JSdejz -a4g8AHFlkpPn0tlflbuE7q6JARwEEgECAAYFAlfZFDwACgkQMJGNgnVyQiIHjAf/ -VrPMgIRjRTYi4cxOr5ewaim1hgJZO1oCJoMopwIvpZ2kAUqL/uPMT3wREe5bi79H -jXYcaX+RbrV4ZdzaajDUFCj867KGErxqtRkANJ1eNLcQmVwGNoFeTQbgEOBfKq1t -hRfMqHF3fxCPJp4z4U3kBPUpIQPERjgUdkH8fxZ34Omo1SLO1b0dVqsneezccBVv -Hj7gVoaWw65Ov7vngwNCKH3fjOkcoINTH/nEw4WWh6UV5ZN49GRqa6oWdUJMZbgB -w8z357RLN6YLe7KMh4oGpUIvfH6Vfq6CIb6s9pfgjAvq8O7p9n0/0FG77j84MuGw -fdhq8eSazO/j9LUCBM+8k4kCPQQTAQgAJwUCV9kQiwIbIwUJBaOagAULCQgHAgYV -CAkKCwIEFgIDAQIeAQIXgAAKCRDP8zRNkIekkN9pD/wI8JAyjJEIjUJNLRuARDDv -pJrQjAo/02naPcGs4yyUd7yRkhzVKLFLvif8XICxxLWk6FdT0PJeKGTvRoe2+Rje -c14rO30niRymWkBi36iDW46Dpt7Jx+LUDhUMYPL+woKSoHmbBGWLSYXKxaD8F93A -nVs97nP4PWpspv2BFiuwKGsSsOyyQPPvr7jCin3H5oPH9qDnIV0KonAYbzzEKod5 -t0Rgzo/nWXZBFXWC5xvKeghwkdT++gYS/ThvQY2ua6A1XRE8BntyldD081NPi3NO -dWa9m8ufFOJsEEiWcpdT+EWoDw5JyGAR7U3IOVl3BTo7shdcYEvRVrDMBpac+ItG -WvogUv7alBdHWi48amvZE06RI/nDJ/rxj13S/4POgMHU++aQI5a1G5H3jBu4cehH -4iT1UKmozfzVEfcHb2dsaKnnuFzQxmol0lZu1ETyof+Lxvs+wErN0QR+VDNweJEJ -PMXiEcjASdLtrEKgFSP2B5yGGzt93C+HbD+VQOU359aAnvVjbTAVz8izuMphd6Bz -Ix1q//q2VmxqjjT3Iv30hBRX02x2M8gsP/e49XWEll7stkMtbYhBU0sHQ2CqzLGh -gJN3ecpi2sKWVqN8HUZOwJFj6f9ZX76YSM23wIugHfscMAVJUXvBrbd151WIshOf -FFPo62sYGt+SEMXWeRcHjbQuWW9yZ29zIFRoZXNzYWxvbmlrZWZzIDx5b3Jnb3NA -b3Blbm5ldGxhYnMuY29tPokCVAQTAQgAPgIbIwULCQgHAgYVCAkKCwIEFgIDAQIe 
-AQIXgBYhBJSOtCMixdALeTQPXc/zNE2Qh6SQBQJo1oZYBQkS35vhAAoJEM/zNE2Q -h6SQjBkP/0IvctNT9T+DtGZyMiw/Jna9G3QhtW7exhlxzqqX3tFmZpaJj3VswyqA -5hx5BdJEShC8qNEqrBCHxcCZgsLvR3GKc/0LTgP7+7VH/ugAScrlVeI8rB6V1jn5 -cnfY5fsfOQ8i0b/8C+CiEe0TW90VRHjYV6DWMdUfqQb3E/snl23RMFeTL0Qrrk8H -Lo3MTko7TeKRYOV/g/qQkb9CFQZNyzgIjD7uZi8or8qFJ/uZTnlBq5/NRDB5Z3ew -7WXc3QrRUXmbbDzdnIeCtu5vmuk+hc69gbOst9nWf3y2qlK7BjZqT+PqKZa/fa/i -5pZpv1hB8DrA2WTIpN7iXhCvABXSEoUOJaLkRSJVDqzvuaeqOEPrk1aJSMWoio/w -8RRa1L7k6m81Dc0dqYbBOSI4MCNm8ZawQI2L4qRs5QORg4nRnAevFgkzhJKFYF2N -jzX/2xlAuOym126DODC9qJSJZR7uTOJXh0yqknfkPgDXjchpzq+Q+CM+jYo6AGas -/XPAuRQCQaLSYr9UPL7Fn62//ysZQAyAkJQR1u7UwAd6/UTTMVZpUJsLQyMyikF7 -UT4K7MWrvkZxMRPhGan0P2pRe36M9BBjYRTp0TIr+UjUT8iBfjdrttI9DQlkcEeQ -rKhcE31KqjwJMdiuzbpqqXaEss9AFuJng3Owewt4wAft3eu1U7PWuQINBFfYHeYB -EAC2h9yjSe2SgtcB0H+E0ndaewaZaQCE7q+RO43dotGH9eFnVwE4/ftcK1SN42ih -lF5OnTaKPyXvgQ6U8W8VB8eLjeTwA/dSXuJX7kJpEK8saPqJP6zTUmPqp/GSzS6Y -rhKLfpFn4chmywpDFcGNMz0sYXiJgPqKL7W0KuG+ziPToAeWl8ckeXyl77/lHVhW -YylaQJEASklqCViPXSp9vI7/57UEm4MQPXwsDBOwuVVqcSu3ZM5MtY9XlbVPNCYm -ZIMqmh8HgYwbiq9dTfJi+6v17+uDQGZewWK/WwFM+9dDx7YkTeOBiUduYtJPW64N -W/RJ7pskbLAy+OZApTZWg0cISN6GOmPN3F0AiWzUjvSMREHhFHyxj4Y15vuDOFvP -GFxr4xBiyMX1JLCKK6OFnyPfoJ9v/o3UgrQgLrfXCmKdvkwBCgJvN3Fsxzha6Dtf -6RcZ02fr7SCZZhdBrlrflvC1uWZ0g3A87ss7h4Iw3njlO3aX6Bo9R4VOLUkiRKi4 -hmQBxPvXxI2ERmKRomo6lrMaDMzIjD4APSM1vUfZguzQxVYpM8lwy1COeqxsj5p+ -LH6f/EU+4dXZwooJ1uanBOvG2ntnz8SErE+e7wNYE4a/fb8xYM4j7p6qYtnNZPb8 -sj8bvx8iWXp4A1csVetyVSchBhTVQhhNos6ouYpc4ibrYwARAQABiQI8BBgBCAAm -AhsMFiEElI60IyLF0At5NA9dz/M0TZCHpJAFAmjWhoAFCRLfnBoACgkQz/M0TZCH -pJA4sA/7BZrP4nwWF1eQVliMWJ1KKG+sHizK4c+ZiB67aFJw4pLDCL5o6unOWH8V -ocr1pWC/BMmLG4K77O2qadhUH7mzXm/ddZ/DVF3xHTvTmG1W1bLd6zj3k6qOFYq8 -yPS2QNTa3+3oNbtZQ+RpvhCAmv2Dc1GMPNP2hKR/Ju9r9NwGWBEDQBtiMZ7872QJ -yR3IFyfQGRvj+GBbEBvJwCFmaRb3eDorhaNhM0b0c/RbIueEWD40nkCUtmM4Zrc1 -0HLod8Li8C4j8sIqIdfTKo1RiJUUg86q1K3pGA86hoOzeaihZekcm6wMwGlhXymb -Ng41yB/ZTedl9wk+XEEcD6HZMCXyfh55hBdWG06aEhMIALjOCj2VkRnDLmOKLgDZ 
-kg7OOQxDfKACCCvk72HZG3qKtaN9oNH1oeaVwc3ytWR8y2hQJcCxmoQsLn+Xvkgc -aYRNklPW2z8817J3fmvvwS0o6sOWRHLb0XAc+NZg4lEQOgwVFrE0XIAgkXHLQbuQ -GRpRzRncHX95RXMzGb1+8kpWEcM7gazgUA3omoAumwNEqmeBX1TmEtDop1k5RFCS -UWbv+A2s2GSAb05MHY0InIhMxzJXEa5+dJDPSvZnbiGRGhQitEe4eIlmPcNA1lB+ -ADFE2UTzcpRTo5cOKfrXyZXr6JCEl2+tB3o5m0v7FRdr6+zIS5g= -=Ubkv ------END PGP PUBLIC KEY BLOCK----- diff --git a/fedora-defaults.conf b/fedora-defaults.conf deleted file mode 100644 index 99ff95d..0000000 --- a/fedora-defaults.conf +++ /dev/null 
@@ -1,229 +0,0 @@ -# Fedora distribution defaults - -server: - # verbosity number, 0 is least verbose. 1 is default. - verbosity: 1 - - # print statistics to the log (for every thread) every N seconds. - # Set to "" or 0 to disable. Default is disabled. - # Needs to be disabled for munin plugin - statistics-interval: 0 - - # enable cumulative statistics, without clearing them after printing. - # Needs to be disabled for munin plugin - statistics-cumulative: no - - # enable extended statistics (query types, answer codes, status) - # Needs to be enabled for munin plugin - extended-statistics: yes - - # number of threads to create. 1 disables threading. - # num-threads: 1 - num-threads: 4 - - # specify the interfaces to answer queries from by ip-address. - # The default is to listen to localhost (127.0.0.1 and ::1). - # specify 0.0.0.0 and ::0 to bind to all available interfaces. - # specify every interface[@port] on a new 'interface:' labelled line. - # The listen interfaces are not changed on reload, only on restart. - # interface: 0.0.0.0 - # interface: ::0 - # interface: 192.0.2.153 - # interface: 192.0.2.154 - # interface: 192.0.2.154@5003 - # interface: 2001:DB8::5 - # interface: eth0@5003 - # - # for dns over tls and raw dns over port 80 - # interface: 0.0.0.0@443 - # interface: ::0@443 - # interface: 0.0.0.0@80 - # interface: ::0@80 - - # enable this feature to copy the source address of queries to reply. - # Socket options are not supported on all platforms. experimental. - # interface-automatic: yes - # - # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0 - # NOTE: Disabled per Fedora policy not to listen to * on default install - # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled - interface-automatic: no - - # permit Unbound to use this port number or port range for - # making outgoing queries, using an outgoing interface. 
- # Only ephemeral ports are allowed by SElinux - outgoing-port-permit: 32768-60999 - - # IANA-assigned port numbers. - # If multiple outgoing-port-permit and outgoing-port-avoid options - # are present, they are processed in order. - # Our SElinux policy does not allow non-ephemeral ports to be used - outgoing-port-avoid: 0-32767 - outgoing-port-avoid: 61000-65535 - - # use SO_REUSEPORT to distribute queries over threads. - # at extreme load it could be better to turn it off to distribute even. - so-reuseport: yes - - # use IP_TRANSPARENT so the interface: addresses can be non-local - # and you can config non-existing IPs that are going to work later on - # (uses IP_BINDANY on FreeBSD). - ip-transparent: yes - - # Enable UDP, "yes" or "no". - # NOTE: if setting up an Unbound on tls443 for public use, you might want to - # disable UDP to avoid being used in DNS amplification attacks. - # do-udp: yes - - # Enable EDNS TCP keepalive option. - edns-tcp-keepalive: yes - - # Fedora note: do not activate this - not compiled in because - # it causes frequent unbound crashes. Also, socket activation - # is bad when you have things like dnsmasq also running with libvirt. - # Use systemd socket activation for UDP, TCP, and control sockets. - # use-systemd: no - - # If you give "" no chroot is performed. The path must not end in a /. - # chroot: "/etc/unbound" - chroot: "" - - # If you give a server: directory: dir before include: file statements - # then those includes can be relative to the working directory. - directory: "/etc/unbound" - - # print UTC timestamp in ascii to logfile, default is epoch in seconds. - log-time-ascii: yes - - # Harden against unseemly large queries. - harden-large-queries: yes - - # Harden against unverified (outside-zone, including sibling zone) glue rrsets - harden-unverified-glue: yes - - # Default off, because the lookups burden the server. Experimental - # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. 
- harden-referral-path: yes - - # Sent minimum amount of information to upstream servers to enhance - # privacy. Only sent minimum required labels of the QNAME and set QTYPE - # to A when possible. - qname-minimisation: yes - - # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN - # and other denials, using information from previous NXDOMAINs answers. - aggressive-nsec: yes - - # threshold, a warning is printed and a defensive action is taken, - # the cache is cleared to flush potential poison out of it. - # A suggested value is 10000000, the default is 0 (turned off). - unwanted-reply-threshold: 10000000 - - # if yes, perform prefetching of almost expired message cache entries. - prefetch: yes - - # if yes, perform key lookups adjacent to normal lookups. - prefetch-key: yes - - # deny queries of type ANY with an empty response. - deny-any: yes - - # if yes, Unbound rotates RRSet order in response. - rrset-roundrobin: yes - - # if yes, Unbound doesn't insert authority/additional sections - # into response messages when those sections are not required. - minimal-responses: yes - - # module configuration of the server. A string with identifiers - # separated by spaces. Syntax: "[dns64] [validator] iterator" - # most modules have to be listed at the beginning of the line, - # except cachedb(just before iterator), and python (at the beginning, - # or, just before the iterator). - # For redis cachedb use: - # "ipsecmod validator cachedb iterator" - module-config: "ipsecmod validator iterator" - - # trust anchor signaling sends a RFC8145 key tag query after priming. - trust-anchor-signaling: yes - - # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel) - root-key-sentinel: yes - - # the trusted-keys { name flag proto algo "key"; }; clauses are read. - # you need external update procedures to track changes in keys. 
- # trusted-keys-file: "" - # - trusted-keys-file: /etc/unbound/keys.d/*.key - auto-trust-anchor-file: "/var/lib/unbound/root.key" - - # Should additional section of secure message also be kept clean of - # unsecure data. Useful to shield the users of this validator from - # potential bogus data in the additional section. All unsigned data - # in the additional section is removed from secure messages. - val-clean-additional: yes - - # Turn permissive mode on to permit bogus messages. Thus, messages - # for which security checks failed will be returned to clients, - # instead of SERVFAIL. It still performs the security checks, which - # result in interesting log files and possibly the AD bit in - # replies if the message is found secure. The default is off. - # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY - val-permissive-mode: no - - # Serve expired responses from cache, with serve-expired-reply-ttl in - # the response, and then attempt to fetch the data afresh. - serve-expired: yes - - # Limit serving of expired responses to configured seconds after - # expiration. 0 disables the limit. - serve-expired-ttl: 14400 - - # Have the validator log failed validations for your diagnosis. - # 0: off. 1: A line per failed user query. 2: With reason and bad IP. - val-log-level: 1 - - # service clients over TLS (on the TCP sockets) with plain DNS inside - # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. - # Give the certificate to use and private key. - # default is "" (disabled). requires restart to take effect. - # tls-service-key: "/etc/unbound/unbound_server.key" - # tls-service-pem: "/etc/unbound/unbound_server.pem" - - # Fedora/RHEL: use system-wide crypto policies - tls-ciphers: "PROFILE=SYSTEM" - - # Enable to attach Extended DNS Error codes (RFC8914) to responses. - # Fedora defaults to yes. - ede: yes - - # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale - # Answer as EDNS0 option to expired responses. 
- # Note that the ede option above needs to be enabled for this to work. - # Fedora defaults to yes. - ede-serve-expired: yes - - # Enable or disable ipsecmod (it still needs to be defined in - # module-config above). Can be used when ipsecmod needs to be - # enabled/disabled via remote-control(below). - # Fedora: module will be enabled on-demand by libreswan - ipsecmod-enabled: no - - # Path to executable external hook. It must be defined when ipsecmod is - # listed in module-config (above). - ipsecmod-hook: /usr/libexec/ipsec/_unbound-hook - -python: - # Script file to load - # python-script: "/etc/unbound/ubmodule-tst.py" - -# Remote control config section moved into own remote-control.conf - -# the module-config then you need one dynlib-file per instance. -dynlib: - # Script file to load - # dynlib-file: "/etc/unbound/dynlib.so" - -# Fedora: DNSCrypt support not enabled since it requires linking to -# another crypto library -# diff --git a/mkroot.sh b/mkroot.sh deleted file mode 100755 index eb6d5b3..0000000 --- a/mkroot.sh +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/sh - -SOURCE="/usr/share/dns-root-data/root.key" -DEST="${1:-root.key}" - -mk_key() { -echo "# Generated from $SOURCE" -echo "# Use /var/lib/unbound/root.key instead." -echo "trusted-keys {" -while read DOMAIN CLS TYPE FLAGS PROTO ALG KEYDATA COMMENT KEYTAG; do -echo "$DOMAIN $CLS $TYPE $FLAGS $PROTO $ALG \"$KEYDATA\" # $KEYTAG" -done < "$SOURCE" -echo "};" -} - -mk_key > "$DEST" -touch -r "$SOURCE" "$DEST" diff --git a/module-setup.sh b/module-setup.sh deleted file mode 100644 index 439bc6d..0000000 --- a/module-setup.sh +++ /dev/null 
@@ -1,44 +0,0 @@
-#!/usr/bin/bash
-
-check() {
- require_binaries unbound unbound-checkconf unbound-control || return 1
- # the module will be only included if explicitly required either
- # by configuration or another module
- return 255
-}
-
-depends() {
- # because of pid file we need sysusers to create unbound user
- echo systemd systemd-sysusers
- return 0
-}
-
-install() {
- # We have to make unbound wanted by network-online target to make sure
- # there is a synchronization point when other services are able
- # to make queries
- inst_simple "$moddir"/unbound-initrd.conf /etc/systemd/system/unbound.service.d/unbound-initrd.conf
-
- # /etc and /var/lib do not have its variables
- inst_multiple -o \
- "$systemdsystemunitdir"/unbound.service \
- /etc/unbound/conf.d/remote-control.conf \
- /etc/unbound/openssl-sha1.conf \
- /usr/share/unbound/fedora-defaults.conf \
- /usr/share/unbound/conf.d/*.conf \
- /etc/unbound/local.d/*.conf \
- /etc/unbound/keys.d/*.key \
- /etc/unbound/unbound.conf \
- /etc/unbound/unbound_control.key \
- /etc/unbound/unbound_control.pem \
- /etc/unbound/unbound_server.key \
- /etc/unbound/unbound_server.pem \
- "$sysusers"/unbound.conf \
- "$tmpfilesdir"/unbound.conf \
- /var/lib/unbound/root.key \
- unbound \
- unbound-checkconf \
- unbound-control
-
- $SYSTEMCTL -q --root "$initdir" enable unbound.service
-}
diff --git a/nlnetlabs2026-g2.asc b/nlnetlabs2026-g2.asc
deleted file mode 100644
index a8f7de7..0000000
--- a/nlnetlabs2026-g2.asc
+++ /dev/null
@@ -1,24 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -mQGNBGc7H5IBDADOZfJwZ6zZ/4JbbR2hef4261/zh7YpdjUREUs0dMQSbf+x7sAE -50JgvLQWlvA8sDHzbUMQ9cAYZBGGE6iHb50KboeEfuiP5BdiLe8XWKlo1EIh+Idz -0+e1binxwvXV1/9ACm/UHPRuWjkG7vrP+mVRuhfKglO6xSDxV1cwjYTRtvRtQx8D -+kTdZzprvtzkU7OIWeczKFJRhVHzNDHYFG9SuxvDA9cbVm1KPVJEkRBwoSBPeB0z -Z3LSib2uT6Lc/ghAijOwIpR+zNYKOYxRhzoFArrLa0Fs4nq6//LA42/aVjSienEJ -SR5CVUbZy14WuUsYCkV+ZoORVRYZOcjtPG7FUKDXKzY9/iNhEAZ3OMK7Np2Xq/YO -gaOiUDFXLHU1n2UVH1rwkMiS2o4EMqvO7gINmnL/ccpI2wj2QrQ+JZ9y1Xky7dQM -LIIbtp40e0kGocgyba484rW17xlvXRxb1Pjn93JygD6WcraLLNh9jq87hW/J37qi -S4DL+GUe10H8SeEAEQEAAbQ6TkxuZXQgTGFicyByZWxlYXNlcyBzaWduaW5nIGtl -eSBHMiA8cmVsZWFzZXNAbmxuZXRsYWJzLm5sPokBzgQTAQoAOBYhBCMQGGkMTZA+ -9BkUaqFEMj3qrN9FBQJnOx+SAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ -EKFEMj3qrN9FZigL/0aVsJ48oe7vko1Mwg9DucFoCL8CESAarA40in1Bauq7p/pT -l5UcNnFPLO8HBAHWGWtDI63pEhNzHacPzSI94GKS4TUMGzCV1H/c0KnxB7wAO55b -HEQOZJ+kFRBFXWxbXORtp86NZuyCvVoSA4QAcnCf4m5ZEBb72H2cmy8xP+/HLkbS -rpr5pyoUWtCYM8FxnjM3bClXSGOlWNl9cSXLqyyVjxvc7cOAS8ytL/zoVStoBmi/ -OwQbeJfAiqDMnipBJNzOHlfniKXE0FGDozKCHWP88ifs8A8OUNtJng7cNq7EQf9K -vTvbJCcF4akUUcXnx4gv9Z1ZQ93Jg5X7h+0MP7Ut4z9hKSIAOowru7GXGEt256Ja -eE1nSviDcqUtZpyqCLjpCDFGPMwSPzSwlPXjJVlVxPkDvPuNt2LUIEd8BR8Wo7z+ -NA5uM/zTHkQXEdUgCcl/rHy6moHYV3Q+YbMb17zU37a5vLb+wQ74doaiYo3b8KoV -K6vVKMmB0qru6ERJ3g== -=4R8U ------END PGP PUBLIC KEY BLOCK----- diff --git a/openssl-sha1.conf b/openssl-sha1.conf deleted file mode 100644 index 97a3218..0000000 --- a/openssl-sha1.conf +++ /dev/null @@ -1,8 +0,0 @@ -# OpenSSL configuration file to allow SHA1 validation, -# regardless of crypto-policy selected. -# Use it by adding into /etc/sysconfig/unbound: -# OPENSSL_CONF=/etc/unbound/openssl-sha1.conf -.include = /etc/ssl/openssl.cnf - -[evp_properties] -rh-allow-sha1-signatures = yes diff --git a/plans/all.fmf b/plans/all.fmf index 538bd41..cd001bd 100644 --- a/plans/all.fmf +++ b/plans/all.fmf 
@@ -1,7 +1,7 @@ summary: Test plan with all Fedora tests discover: how: fmf - url: https://gitlab.com/redhat/centos-stream/tests/unbound.git + url: https://src.fedoraproject.org/tests/unbound.git execute: how: tmt diff --git a/plans/tier1-public.fmf b/plans/tier1-public.fmf index 6ffbfd1..10f167c 100644 --- a/plans/tier1-public.fmf +++ b/plans/tier1-public.fmf @@ -1,7 +1,7 @@ summary: Public (Fedora) Tier1 beakerlib tests discover: how: fmf - url: https://gitlab.com/redhat/centos-stream/tests/unbound.git + url: https://src.fedoraproject.org/tests/unbound.git filter: 'tier: 1' execute: how: tmt diff --git a/remote-control-include.conf b/remote-control-include.conf deleted file mode 100644 index 5688480..0000000 --- a/remote-control-include.conf +++ /dev/null @@ -1,4 +0,0 @@ -# Previous defaults allowed any process to change settings, CVE-2023-1488 -# If you want to modify remote configuration, replace this file with -# contents of included file and modify afterwards. -include: "/usr/share/unbound/conf.d/remote-control.conf" diff --git a/remote-control.conf b/remote-control.conf deleted file mode 100644 index 6f6942e..0000000 --- a/remote-control.conf +++ /dev/null 
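Review bot: The new `url:` fetches the test suite from src.fedoraproject.org/tests/unbound.git with no `ref:`, so tmt checks out whatever that repository's default branch holds at run time, and a later push there changes what this plan executes without any change to this package. The previous GitLab URL had the same gap, but moving to a new test repository is the moment to pin it. I would add `ref: <branch or commit>` directly under `url:`; the tier1-public.fmf hunk on this same line has the same url-only discover block.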
@@ -1,26 +0,0 @@
-# Remote control config section update.
-# Previous defaults allowed any process to change settings, CVE-2023-1488
-# This file can be used also by: unbound-control -c
-remote-control:
- # Enable remote control with unbound-control(8) here.
- # set up the keys and certificates with unbound-control-setup.
- control-enable: yes
-
- # set to an absolute path to use a unix local name pipe, certificates
- # are not used for that, so key and cert files need not be present.
- control-interface: "/run/unbound/control"
-
- # For local sockets this option is ignored, and TLS is not used.
- control-use-cert: "yes"
-
- # Unbound server key file.
- server-key-file: "/etc/unbound/unbound_server.key"
-
- # Unbound server certificate file.
- server-cert-file: "/etc/unbound/unbound_server.pem"
-
- # unbound-control key file.
- control-key-file: "/etc/unbound/unbound_control.key"
-
- # unbound-control certificate file.
- control-cert-file: "/etc/unbound/unbound_control.pem"
diff --git a/root.anchor b/root.anchor
index 1559542..c78ee03 100644
--- a/root.anchor
+++ b/root.anchor
@@ -1,2 +1 @@
-. 172800 IN DNSKEY 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ;{id = 38696 (ksk), size = 2048b}
 . 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
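Review bot: The root.anchor hunk drops the DNSKEY record with key id 38696 and leaves 20326 as the only packaged root trust anchor. Key tag 38696 is the successor root KSK that IANA has been rolling in alongside 20326; a resolver seeded from this file that has not completed an RFC 5011 update by the time the root DNSKEY RRset is signed only by the new key will mark every answer bogus and return SERVFAIL. If shipping a single anchor again is intentional, the commit message should say why; otherwise keep the removed line next to the 20326 entry so fresh installs trust both keys from first start.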
diff --git a/root.key b/root.key
new file mode 100644
index 0000000..6c5622c
--- /dev/null
+++ b/root.key
@@ -0,0 +1,6 @@
+; // The root key in bind format. This can be read by most tools, including
+; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this
+trusted-keys {
+"." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326
+
+};
diff --git a/sources b/sources
index 7d4806d..eea1e9c 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (unbound-1.24.2.tar.gz) = 655d63ec5305323e84d82691425d74d98c332d0028517bd729d191e5f968ce9481b49ec7447d4c4906dce7997a998a115db36e911a59d2d877da5840c2080261
-SHA512 (unbound-1.24.2.tar.gz.asc) = 66a3e569a606cc3ed7dac9b411fba347da150728427619bdbf12ac57a5d7db1fc17963b1ba052a95d6c6fed67a6f0c1b5920318f6cd34e5091750626dd63fb21
+SHA512 (unbound-1.19.3.tar.gz) = f860614f090a5a081cceff8ca7f4b3d416c00a251ae14ceb6b4159dc8cd022f025592074d3d78aee2f86c3eeae9d1a314713e4740aa91062579143199accd159
+SHA512 (unbound-1.19.3.tar.gz.asc) = 1b6437d7ac4394ab7d6eb0d12f22b39538152f9c88175a5368263059950b8e6b093fa5392d1ff37874effef7a422afa9c690f766802208979a99500a4bea5906
diff --git a/tmpfiles-unbound-libs.conf b/tmpfiles-unbound-libs.conf
deleted file mode 100644
index d71ea46..0000000
--- a/tmpfiles-unbound-libs.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-d /var/lib/unbound 0755 unbound unbound -
-L /var/lib/unbound/root.key - - - - ../../../etc/unbound/dnssec-root.key
diff --git a/tmpfiles-unbound.conf b/tmpfiles-unbound.conf
index c09cc75..bb88f01 100644
--- a/tmpfiles-unbound.conf
+++ b/tmpfiles-unbound.conf
@@ -1 +1 @@
-D /run/unbound 0775 unbound root -
+D /run/unbound 0755 unbound unbound -
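Review bot: The new root.key seeds `trusted-keys` with only key id 20326 and its header does not say how the file is kept current. The successor root KSK (key id 38696) is not included, so validation after the root KSK rollover depends on an RFC 5011 refresh succeeding first; the unbound-anchor.service hunk further down runs that refresh as `User=unbound`, which only works if the installed copy stays writable by that user. `et.` in the second comment line reads as a typo for `etc.`. I would add a header line such as `; // Refreshed in place by unbound-anchor (RFC 5011); keep this file writable by the unbound user.` and seed the 38696 key as a second `"." 257 3 8 "..."` entry if the package ships after the rollover.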
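Review bot: The sources hunk replaces unbound-1.24.2 with unbound-1.19.3, which is a downgrade across five minor releases rather than an update, and nothing visible in this diff explains it. NLnet Labs issued security advisories for releases in that range, so rebuilding from 1.19.3 brings back issues already fixed upstream; check the advisory list against 1.19.3 before merging. The same commit deletes Yorgos.asc and nlnetlabs2026-g2.asc, so if the spec verifies `unbound-1.19.3.tar.gz.asc` against a packaged keyring (not visible here) it needs a key that can validate that older signature. If this is a deliberate revert, record the reason in the changelog entry.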
diff --git a/unbound-1.24-quic-on-demand-only.patch b/unbound-1.24-quic-on-demand-only.patch deleted file mode 100644 index e074ab0..0000000 --- a/unbound-1.24-quic-on-demand-only.patch +++ /dev/null 
@@ -1,171 +0,0 @@ -From 1dfe06278c1446558b5043d7c57cd901e7d96829 Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Mon, 24 Nov 2025 13:44:14 +0100 -Subject: [PATCH] Do not initialize quic_table unless it is enabled - -Fedora in FIPS mode might fail to initialize ngtcp2 library, because -some ciphers desired are not available. - -Make it possible to skip initialization by setting explicitly quic_port -to 0. Unless we have some listeners for port 853 configured, skip its -initialization as well. - -Related: https://pagure.io/freeipa/issue/9877 ---- - daemon/daemon.c | 14 +++++++++----- - services/listen_dnsport.c | 14 +++++++++++--- - util/configparser.y | 15 +++++++++------ - util/netevent.c | 3 +++ - 4 files changed, 32 insertions(+), 14 deletions(-) - -diff --git a/daemon/daemon.c b/daemon/daemon.c -index f882bb9ad..a9cc25c67 100644 ---- a/daemon/daemon.c -+++ b/daemon/daemon.c -@@ -558,9 +558,11 @@ daemon_create_workers(struct daemon* daemon) - verbose(VERB_ALGO, "total of %d outgoing ports available", numport); - - #ifdef HAVE_NGTCP2 -- daemon->doq_table = doq_table_create(daemon->cfg, daemon->rand); -- if(!daemon->doq_table) -- fatal_exit("could not create doq_table: out of memory"); -+ if (cfg_has_quic(daemon->cfg)) { -+ daemon->doq_table = doq_table_create(daemon->cfg, daemon->rand); -+ if(!daemon->doq_table) -+ fatal_exit("could not create doq_table: out of memory"); -+ } - #endif - - daemon->num = (daemon->cfg->num_threads?daemon->cfg->num_threads:1); -@@ -917,8 +919,10 @@ daemon_cleanup(struct daemon* daemon) - daemon->dnscenv = NULL; - #endif - #ifdef HAVE_NGTCP2 -- doq_table_delete(daemon->doq_table); -- daemon->doq_table = NULL; -+ if (daemon->doq_table) { -+ doq_table_delete(daemon->doq_table); -+ daemon->doq_table = NULL; -+ } - #endif - daemon->cfg = NULL; - } -diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c -index f7fcca194..ab8f1ba72 100644 ---- a/services/listen_dnsport.c -+++ b/services/listen_dnsport.c -@@ -1564,7 +1564,7 @@ 
listen_create(struct comm_base* base, struct listen_port* ports, - cp = comm_point_create_udp(base, ports->fd, - front->udp_buff, ports->pp2_enabled, cb, - cb_arg, ports->socket); -- } else if(ports->ftype == listen_type_doq) { -+ } else if(ports->ftype == listen_type_doq && doq_table) { - #ifndef HAVE_NGTCP2 - log_warn("Unbound is not compiled with " - "ngtcp2. This is required to use DNS " -@@ -3275,7 +3275,11 @@ nghttp2_session_callbacks* http2_req_callbacks_create(void) - struct doq_table* - doq_table_create(struct config_file* cfg, struct ub_randstate* rnd) - { -- struct doq_table* table = calloc(1, sizeof(*table)); -+ struct doq_table* table; -+ -+ if (!cfg->quic_port) -+ return NULL; -+ table = calloc(1, sizeof(*table)); - if(!table) - return NULL; - #ifdef USE_NGTCP2_CRYPTO_OSSL -@@ -3354,7 +3358,7 @@ conn_tree_del(rbnode_type* node, void* arg) - { - struct doq_table* table = (struct doq_table*)arg; - struct doq_conn* conn; -- if(!node) -+ if(!node || !table) - return; - conn = (struct doq_conn*)node->key; - if(conn->timer.timer_in_list) { -@@ -3413,6 +3417,7 @@ doq_timer_find_time(struct doq_table* table, struct timeval* tv) - { - struct doq_timer key; - struct rbnode_type* node; -+ log_assert(table != NULL); - memset(&key, 0, sizeof(key)); - key.time.tv_sec = tv->tv_sec; - key.time.tv_usec = tv->tv_usec; -@@ -4922,6 +4927,7 @@ doq_conid_find(struct doq_table* table, const uint8_t* data, size_t datalen) - key.node.key = &key; - key.cid = (void*)data; - key.cidlen = datalen; -+ log_assert(table != NULL); - node = rbtree_search(table->conid_tree, &key); - if(node) - return (struct doq_conid*)node->key; -@@ -5662,6 +5668,8 @@ doq_table_quic_size_available(struct doq_table* table, - struct config_file* cfg, size_t mem) - { - size_t cur; -+ if (!table) -+ return 0; - lock_basic_lock(&table->size_lock); - cur = table->current_size; - lock_basic_unlock(&table->size_lock); -diff --git a/util/configparser.y b/util/configparser.y -index bf9c196fc..f159b8cec 100644 
---- a/util/configparser.y -+++ b/util/configparser.y -@@ -1235,14 +1235,17 @@ server_http_notls_downstream: VAR_HTTP_NOTLS_DOWNSTREAM STRING_ARG - server_quic_port: VAR_QUIC_PORT STRING_ARG - { - OUTYY(("P(server_quic_port:%s)\n", $2)); -+ if(atoi($2) == 0 && strcmp($2,"0")!=0) -+ yyerror("port number expected"); -+ else { -+ cfg_parser->cfg->quic_port = atoi($2); - #ifndef HAVE_NGTCP2 -- log_warn("%s:%d: Unbound is not compiled with " -- "ngtcp2. This is required to use DNS " -- "over QUIC.", cfg_parser->filename, cfg_parser->line); -+ if (cfg_parser->cfg->quic_port != 0) -+ log_warn("%s:%d: Unbound is not compiled with " -+ "ngtcp2. This is required to use DNS " -+ "over QUIC.", cfg_parser->filename, cfg_parser->line); - #endif -- if(atoi($2) == 0) -- yyerror("port number expected"); -- else cfg_parser->cfg->quic_port = atoi($2); -+ } - free($2); - }; - server_quic_size: VAR_QUIC_SIZE STRING_ARG -diff --git a/util/netevent.c b/util/netevent.c -index aedcb5e07..93db16675 100644 ---- a/util/netevent.c -+++ b/util/netevent.c -@@ -2723,6 +2723,7 @@ doq_server_socket_create(struct doq_table* table, struct ub_randstate* rnd, - { - size_t doq_buffer_size = 4096; /* bytes buffer size, for one packet. */ - struct doq_server_socket* doq_socket; -+ log_assert(doq_table != NULL); - doq_socket = calloc(1, sizeof(*doq_socket)); - if(!doq_socket) { - return NULL; -@@ -2804,6 +2805,7 @@ doq_lookup_repinfo(struct doq_table* table, struct comm_reply* repinfo) - { - struct doq_conn* conn; - struct doq_conn_key key; -+ log_assert(table != NULL); - doq_conn_key_from_repinfo(&key, repinfo); - lock_rw_rdlock(&table->lock); - conn = doq_conn_find(table, &key.paddr.addr, -@@ -5880,6 +5882,7 @@ comm_point_create_doq(struct comm_base *base, int fd, sldns_buffer* buffer, - struct config_file* cfg) - { - #ifdef HAVE_NGTCP2 -+ log_assert(table != NULL); - struct comm_point* c = (struct comm_point*)calloc(1, - sizeof(struct comm_point)); - short evbits; --- -2.52.0 - 
diff --git a/unbound-1.24-swig-function.patch b/unbound-1.24-swig-function.patch deleted file mode 100644 index 3257766..0000000 --- a/unbound-1.24-swig-function.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 0fc825def2f812af70189a01b0fe66e1c5050aec Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= -Date: Fri, 24 Oct 2025 20:20:50 +0200 -Subject: [PATCH] Use $action instead of $function in python SWIG interface - -$function is not supported since SWIG 4.4.0. ---- - libunbound/python/libunbound.i | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/libunbound/python/libunbound.i b/libunbound/python/libunbound.i -index dc12514..4576844 100644 ---- a/libunbound/python/libunbound.i -+++ b/libunbound/python/libunbound.i -@@ -853,7 +853,7 @@ Result: ['74.125.43.147', '74.125.43.99', '74.125.43.103', '74.125.43.104'] - %{ - //printf("resolve_start(%lX)\n",(long unsigned int)arg1); - Py_BEGIN_ALLOW_THREADS -- $function -+ $action - Py_END_ALLOW_THREADS - //printf("resolve_stop()\n"); - %} --- -2.51.0 - diff --git a/unbound-anchor.service b/unbound-anchor.service index 1116243..59683c8 100644 --- a/unbound-anchor.service +++ b/unbound-anchor.service @@ -6,5 +6,5 @@ Documentation=man:unbound-anchor(8) Type=oneshot User=unbound EnvironmentFile=-/etc/sysconfig/unbound -ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ] || [ -f /run/unbound/anchor-disable ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi' +ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi' SuccessExitStatus=1 diff --git a/unbound-as112-networks.conf b/unbound-as112-networks.conf deleted file mode 100644 index 96c291f..0000000 --- a/unbound-as112-networks.conf +++ /dev/null 
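Review bot: The new ExecStart honours only `$DISABLE_UNBOUND_ANCHOR` and no longer tests for `/run/unbound/anchor-disable`, so the runtime opt-out that did not require editing /etc/sysconfig/unbound is gone. Anything that still creates that flag (this diff does not show whether another unit or script does) will now be ignored and the anchor fetch runs anyway. If the flag is retired on purpose, say so in the changelog; otherwise restore the second test, `[ "$DISABLE_UNBOUND_ANCHOR" = "yes" ] || [ -f /run/unbound/anchor-disable ]`.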
@@ -1,118 +0,0 @@ -# Allow forwarding of private ranges, which are marked forwardable by IANA -# https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml -# https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml -# https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml -# RFC 6303: Locally Served DNS Zones (https://www.rfc-editor.org/rfc/rfc6303.html) -# -# Using this configuration file will simplify forwarding to potentially private ranges. -# Enables forwarding of networks marked as forwardable at IANA special registry. -# This is useful when upstream forwarder may be still inside private network. That is the case -# when unbound works as a localhost DNS cache, not network wide resolver. - -server: - # RFC 8375: Special-Use Domain 'home.arpa.' - local-zone: "home.arpa." nodefault - - # RFC 1918: Address Allocation for Private Internets - local-zone: "10.in-addr.arpa." nodefault - local-zone: "16.172.in-addr.arpa." nodefault - local-zone: "17.172.in-addr.arpa." nodefault - local-zone: "18.172.in-addr.arpa." nodefault - local-zone: "19.172.in-addr.arpa." nodefault - local-zone: "20.172.in-addr.arpa." nodefault - local-zone: "21.172.in-addr.arpa." nodefault - local-zone: "22.172.in-addr.arpa." nodefault - local-zone: "23.172.in-addr.arpa." nodefault - local-zone: "24.172.in-addr.arpa." nodefault - local-zone: "25.172.in-addr.arpa." nodefault - local-zone: "26.172.in-addr.arpa." nodefault - local-zone: "27.172.in-addr.arpa." nodefault - local-zone: "28.172.in-addr.arpa." nodefault - local-zone: "29.172.in-addr.arpa." nodefault - local-zone: "30.172.in-addr.arpa." nodefault - local-zone: "31.172.in-addr.arpa." nodefault - local-zone: "168.192.in-addr.arpa." nodefault - # RFC 6598: IANA-Reserved IPv4 Prefix for Shared Address Space - local-zone: "64.100.in-addr.arpa." nodefault - local-zone: "65.100.in-addr.arpa." nodefault - local-zone: "66.100.in-addr.arpa." 
nodefault - local-zone: "67.100.in-addr.arpa." nodefault - local-zone: "68.100.in-addr.arpa." nodefault - local-zone: "69.100.in-addr.arpa." nodefault - local-zone: "70.100.in-addr.arpa." nodefault - local-zone: "71.100.in-addr.arpa." nodefault - local-zone: "72.100.in-addr.arpa." nodefault - local-zone: "73.100.in-addr.arpa." nodefault - local-zone: "74.100.in-addr.arpa." nodefault - local-zone: "75.100.in-addr.arpa." nodefault - local-zone: "76.100.in-addr.arpa." nodefault - local-zone: "77.100.in-addr.arpa." nodefault - local-zone: "78.100.in-addr.arpa." nodefault - local-zone: "79.100.in-addr.arpa." nodefault - local-zone: "80.100.in-addr.arpa." nodefault - local-zone: "81.100.in-addr.arpa." nodefault - local-zone: "82.100.in-addr.arpa." nodefault - local-zone: "83.100.in-addr.arpa." nodefault - local-zone: "84.100.in-addr.arpa." nodefault - local-zone: "85.100.in-addr.arpa." nodefault - local-zone: "86.100.in-addr.arpa." nodefault - local-zone: "87.100.in-addr.arpa." nodefault - local-zone: "88.100.in-addr.arpa." nodefault - local-zone: "89.100.in-addr.arpa." nodefault - local-zone: "90.100.in-addr.arpa." nodefault - local-zone: "91.100.in-addr.arpa." nodefault - local-zone: "92.100.in-addr.arpa." nodefault - local-zone: "93.100.in-addr.arpa." nodefault - local-zone: "94.100.in-addr.arpa." nodefault - local-zone: "95.100.in-addr.arpa." nodefault - local-zone: "96.100.in-addr.arpa." nodefault - local-zone: "97.100.in-addr.arpa." nodefault - local-zone: "98.100.in-addr.arpa." nodefault - local-zone: "99.100.in-addr.arpa." nodefault - local-zone: "100.100.in-addr.arpa." nodefault - local-zone: "101.100.in-addr.arpa." nodefault - local-zone: "102.100.in-addr.arpa." nodefault - local-zone: "103.100.in-addr.arpa." nodefault - local-zone: "104.100.in-addr.arpa." nodefault - local-zone: "105.100.in-addr.arpa." nodefault - local-zone: "106.100.in-addr.arpa." nodefault - local-zone: "107.100.in-addr.arpa." nodefault - local-zone: "108.100.in-addr.arpa." 
nodefault - local-zone: "109.100.in-addr.arpa." nodefault - local-zone: "110.100.in-addr.arpa." nodefault - local-zone: "111.100.in-addr.arpa." nodefault - local-zone: "112.100.in-addr.arpa." nodefault - local-zone: "113.100.in-addr.arpa." nodefault - local-zone: "114.100.in-addr.arpa." nodefault - local-zone: "115.100.in-addr.arpa." nodefault - local-zone: "116.100.in-addr.arpa." nodefault - local-zone: "117.100.in-addr.arpa." nodefault - local-zone: "118.100.in-addr.arpa." nodefault - local-zone: "119.100.in-addr.arpa." nodefault - local-zone: "120.100.in-addr.arpa." nodefault - local-zone: "121.100.in-addr.arpa." nodefault - local-zone: "122.100.in-addr.arpa." nodefault - local-zone: "123.100.in-addr.arpa." nodefault - local-zone: "124.100.in-addr.arpa." nodefault - local-zone: "125.100.in-addr.arpa." nodefault - local-zone: "126.100.in-addr.arpa." nodefault - local-zone: "127.100.in-addr.arpa." nodefault - - # RFC 4193: Unique Local IPv6 Unicast Addresses - local-zone: "d.f.ip6.arpa." nodefault - - # RFC 2606: Reserved Top Level DNS Names - local-zone: "test." nodefault - domain-insecure: "test" - domain-insecure: "example" - - # RFC 6762: Multicast DNS, Appendix G - domain-insecure: "local" - domain-insecure: "intranet" - domain-insecure: "private" - domain-insecure: "corp" - domain-insecure: "home" - domain-insecure: "lan" - - # draft-davies-internal-tld - domain-insecure: "internal" diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch index da88960..0aeb6cb 100644 --- a/unbound-fedora-config.patch +++ b/unbound-fedora-config.patch 
@@ -1,30 +1,60 @@ -From 6e2d042505a006ab5fd703631661e68d1cdc66df Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= -Date: Fri, 15 Nov 2024 13:25:34 +0100 +From 17d4cc5fea24faa55358b7c36fdae0cd9bdd48b6 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Fri, 10 Nov 2023 12:58:31 +0100 Subject: [PATCH] Customize unbound.conf for Fedora defaults Set some Fedora/RHEL specific changes to example configuration file. By patching upstream provided config file we would not need to manually update external copy in source RPM. --- - doc/example.conf.in | 33 +++++++++++++++++++++++++++++++-- - 1 file changed, 31 insertions(+), 2 deletions(-) + unbound-1.19.3/doc/example.conf.in | 194 ++++++++++++++++++----------- + 1 file changed, 124 insertions(+), 70 deletions(-) -diff --git a/doc/example.conf.in b/doc/example.conf.in -index 59090c6..3a86809 100644 ---- a/doc/example.conf.in -+++ b/doc/example.conf.in -@@ -8,6 +8,9 @@ - # Use this anywhere in the file to include other text into this file. - #include: "otherfile.conf" - -+# Default Fedora settings -+include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf" -+ - # Use this anywhere in the file to include other text, that explicitly starts a - # clause, into this file. Text after this directive needs to start a clause. - #include-toplevel: "otherfile.conf" -@@ -51,11 +51,19 @@ server: +diff --git a/unbound-1.19.3/doc/example.conf.in b/unbound-1.19.3/doc/example.conf.in +index d791cf8..af163b2 100644 +--- a/unbound-1.19.3/doc/example.conf.in ++++ b/unbound-1.19.3/doc/example.conf.in +@@ -17,11 +17,12 @@ server: + # whitespace is not necessary, but looks cleaner. + + # verbosity number, 0 is least verbose. 1 is default. +- # verbosity: 1 ++ verbosity: 1 + + # print statistics to the log (for every thread) every N seconds. + # Set to "" or 0 to disable. Default is disabled. +- # statistics-interval: 0 ++ # Needs to be disabled for munin plugin ++ statistics-interval: 0 + + # enable shm for stats, default no. 
if you enable also enable + # statistics-interval, every time it also writes stats to the +@@ -32,11 +33,13 @@ server: + # shm-key: 11777 + + # enable cumulative statistics, without clearing them after printing. +- # statistics-cumulative: no ++ # Needs to be disabled for munin plugin ++ statistics-cumulative: no + + # enable extended statistics (query types, answer codes, status) +- # printed from unbound-control. Default off, because of speed. +- # extended-statistics: no ++ # printed from unbound-control. default off, because of speed. ++ # Needs to be enabled for munin plugin ++ extended-statistics: yes + + # Inhibits selected extended statistics (qtype, qclass, qopcode, rcode, + # rpz-actions) from printing if their value is 0. +@@ -44,22 +47,35 @@ server: + # statistics-inhibit-zero: yes + + # number of threads to create. 1 disables threading. +- # num-threads: 1 ++ num-threads: 4 + + # specify the interfaces to answer queries from by ip-address. + # The default is to listen to localhost (127.0.0.1 and ::1). # specify 0.0.0.0 and ::0 to bind to all available interfaces. # specify every interface[@port] on a new 'interface:' labelled line. # The listen interfaces are not changed on reload, only on restart. 
@@ -44,7 +74,53 @@ index 59090c6..3a86809 100644 # enable this feature to copy the source address of queries to reply. # Socket options are not supported on all platforms. experimental. -@@ -285,6 +293,8 @@ server: +- # interface-automatic: no ++ # interface-automatic: yes ++ # ++ # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0 ++ # NOTE: Disabled per Fedora policy not to listen to * on default install ++ # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled ++ interface-automatic: no + + # instead of the default port, open additional ports separated by + # spaces when interface-automatic is enabled, by listing them here. +@@ -94,7 +110,8 @@ server: + + # permit Unbound to use this port number or port range for + # making outgoing queries, using an outgoing interface. +- # outgoing-port-permit: 32768 ++ # Only ephemeral ports are allowed by SElinux ++ outgoing-port-permit: 32768-60999 + + # deny Unbound the use this of port number or port range for + # making outgoing queries, using an outgoing interface. +@@ -103,7 +120,9 @@ server: + # IANA-assigned port numbers. + # If multiple outgoing-port-permit and outgoing-port-avoid options + # are present, they are processed in order. +- # outgoing-port-avoid: "3200-3208" ++ # Our SElinux policy does not allow non-ephemeral ports to be used ++ outgoing-port-avoid: 0-32767 ++ outgoing-port-avoid: 61000-65535 + + # number of outgoing simultaneous tcp buffers to hold per thread. + # outgoing-num-tcp: 10 +@@ -121,12 +140,12 @@ server: + + # use SO_REUSEPORT to distribute queries over threads. + # at extreme load it could be better to turn it off to distribute even. +- # so-reuseport: yes ++ so-reuseport: yes + + # use IP_TRANSPARENT so the interface: addresses can be non-local + # and you can config non-existing IPs that are going to work later on + # (uses IP_BINDANY on FreeBSD). 
+- # ip-transparent: no ++ ip-transparent: yes + + # use IP_FREEBIND so the interface: addresses can be non-local + # and you can bind to nonexisting IPs and interfaces that are down. +@@ -256,6 +275,8 @@ server: # nat64-prefix: 64:ff9b::0/96 # Enable UDP, "yes" or "no". @@ -53,7 +129,16 @@ index 59090c6..3a86809 100644 # do-udp: yes # Enable TCP, "yes" or "no". -@@ -320,6 +330,9 @@ server: +@@ -281,7 +302,7 @@ server: + # tcp-idle-timeout: 30000 + + # Enable EDNS TCP keepalive option. +- # edns-tcp-keepalive: no ++ edns-tcp-keepalive: yes + + # Timeout for EDNS TCP keepalive, in msec. + # edns-tcp-keepalive-timeout: 120000 +@@ -290,6 +311,9 @@ server: # can be dropped. Default is 0, disabled. In seconds, such as 3. # sock-queue-timeout: 0 
@@ -63,7 +148,188 @@ index 59090c6..3a86809 100644 # Use systemd socket activation for UDP, TCP, and control sockets. # use-systemd: no -@@ -906,6 +919,8 @@ server: +@@ -403,6 +427,7 @@ server: + # + # If you give "" no chroot is performed. The path must not end in a /. + # chroot: "@UNBOUND_CHROOT_DIR@" ++ chroot: "" + + # if given, user privileges are dropped (after binding port), + # and the given username is assumed. Default is user "unbound". +@@ -414,7 +439,7 @@ server: + # is not changed. + # If you give a server: directory: dir before include: file statements + # then those includes can be relative to the working directory. +- # directory: "@UNBOUND_RUN_DIR@" ++ directory: "/etc/unbound" + + # the log file, "" means log to stderr. + # Use of this option sets use-syslog to "no". +@@ -429,7 +454,7 @@ server: + # log-identity: "" + + # print UTC timestamp in ascii to logfile, default is epoch in seconds. +- # log-time-ascii: no ++ log-time-ascii: yes + + # print one line with time, IP, name, type, class for every query. + # log-queries: no +@@ -501,22 +526,22 @@ server: + # harden-large-queries: no + + # Harden against out of zone rrsets, to avoid spoofing attempts. +- # harden-glue: yes ++ harden-glue: yes + + # Harden against receiving dnssec-stripped data. If you turn it + # off, failing to validate dnskey data for a trustanchor will + # trigger insecure mode for that zone (like without a trustanchor). + # Default on, which insists on dnssec data for trust-anchored zones. +- # harden-dnssec-stripped: yes ++ harden-dnssec-stripped: yes + + # Harden against queries that fall under dnssec-signed nxdomain names. +- # harden-below-nxdomain: yes ++ harden-below-nxdomain: yes + + # Harden the referral path by performing additional queries for + # infrastructure data. Validates the replies (if possible). + # Default off, because the lookups burden the server. Experimental + # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. 
+- # harden-referral-path: no ++ harden-referral-path: yes + + # Harden against algorithm downgrade when multiple algorithms are + # advertised in the DS record. If no, allows the weakest algorithm +@@ -530,7 +555,7 @@ server: + # Sent minimum amount of information to upstream servers to enhance + # privacy. Only sent minimum required labels of the QNAME and set QTYPE + # to A when possible. +- # qname-minimisation: yes ++ qname-minimisation: yes + + # QNAME minimisation in strict mode. Do not fall-back to sending full + # QNAME to potentially broken nameservers. A lot of domains will not be +@@ -540,7 +565,7 @@ server: + + # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN + # and other denials, using information from previous NXDOMAINs answers. +- # aggressive-nsec: yes ++ aggressive-nsec: yes + + # Use 0x20-encoded random bits in the query to foil spoof attempts. + # This feature is an experimental implementation of draft dns-0x20. +@@ -573,7 +598,7 @@ server: + # threshold, a warning is printed and a defensive action is taken, + # the cache is cleared to flush potential poison out of it. + # A suggested value is 10000000, the default is 0 (turned off). +- # unwanted-reply-threshold: 0 ++ unwanted-reply-threshold: 10000000 + + # Do not query the following addresses. No DNS queries are sent there. + # List one address per entry. List classless netblocks with /size, +@@ -585,20 +610,20 @@ server: + # do-not-query-localhost: yes + + # if yes, perform prefetching of almost expired message cache entries. +- # prefetch: no ++ prefetch: yes + + # if yes, perform key lookups adjacent to normal lookups. +- # prefetch-key: no ++ prefetch-key: yes + + # deny queries of type ANY with an empty response. +- # deny-any: no ++ deny-any: yes + + # if yes, Unbound rotates RRSet order in response. 
+- # rrset-roundrobin: yes ++ rrset-roundrobin: yes + + # if yes, Unbound doesn't insert authority/additional sections + # into response messages when those sections are not required. +- # minimal-responses: yes ++ minimal-responses: yes + + # true to disable DNSSEC lameness check in iterator. + # disable-dnssec-lame-check: no +@@ -608,7 +633,9 @@ server: + # most modules have to be listed at the beginning of the line, + # except cachedb(just before iterator), and python (at the beginning, + # or, just before the iterator). +- # module-config: "validator iterator" ++ # For redis cachedb use: ++ # "ipsecmod validator cachedb iterator" ++ module-config: "ipsecmod validator iterator" + + # File with trusted keys, kept uptodate using RFC5011 probes, + # initial file like trust-anchor-file, then it stores metadata. +@@ -622,10 +649,10 @@ server: + # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" + + # trust anchor signaling sends a RFC8145 key tag query after priming. +- # trust-anchor-signaling: yes ++ trust-anchor-signaling: yes + + # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel) +- # root-key-sentinel: yes ++ root-key-sentinel: yes + + # File with trusted keys for validation. Specify more than one file + # with several entries, one file per entry. +@@ -646,6 +673,9 @@ server: + # the trusted-keys { name flag proto algo "key"; }; clauses are read. + # you need external update procedures to track changes in keys. + # trusted-keys-file: "" ++ # ++ trusted-keys-file: /etc/unbound/keys.d/*.key ++ auto-trust-anchor-file: "/var/lib/unbound/root.key" + + # Ignore chain of trust. Domain is treated as insecure. + # domain-insecure: "example.com" +@@ -673,14 +703,15 @@ server: + # unsecure data. Useful to shield the users of this validator from + # potential bogus data in the additional section. All unsigned data + # in the additional section is removed from secure messages. 
+- # val-clean-additional: yes ++ val-clean-additional: yes + + # Turn permissive mode on to permit bogus messages. Thus, messages + # for which security checks failed will be returned to clients, + # instead of SERVFAIL. It still performs the security checks, which + # result in interesting log files and possibly the AD bit in + # replies if the message is found secure. The default is off. +- # val-permissive-mode: no ++ # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY ++ val-permissive-mode: no + + # Ignore the CD flag in incoming queries and refuse them bogus data. + # Enable it if the only clients of Unbound are legacy servers (w2008) +@@ -694,11 +725,11 @@ server: + + # Serve expired responses from cache, with serve-expired-reply-ttl in + # the response, and then attempt to fetch the data afresh. +- # serve-expired: no ++ serve-expired: yes + # + # Limit serving of expired responses to configured seconds after + # expiration. 0 disables the limit. +- # serve-expired-ttl: 0 ++ serve-expired-ttl: 14400 + # + # Set the TTL of expired records to the serve-expired-ttl value after a + # failed attempt to retrieve the record from upstream. This makes sure +@@ -725,7 +756,7 @@ server: + + # Have the validator log failed validations for your diagnosis. + # 0: off. 1: A line per failed user query. 2: With reason and bad IP. +- # val-log-level: 0 ++ val-log-level: 1 + + # It is possible to configure NSEC3 maximum iteration counts per + # keysize. Keep this table very short, as linear search is done. +@@ -869,6 +900,8 @@ server: # you need to do the reverse notation yourself. # local-data-ptr: "192.0.2.3 www.example.com" 
@@ -72,7 +338,7 @@ index 59090c6..3a86809 100644 # tag a localzone with a list of tag names (in "" with spaces between) # local-zone-tag: "example.com" "tag2 tag3" -@@ -916,8 +931,8 @@ server: +@@ -879,8 +912,8 @@ server: # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. # Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. 
@@ -82,18 +348,108 @@ index 59090c6..3a86809 100644 + # tls-service-pem: "/etc/unbound/unbound_server.pem" # tls-port: 853 # https-port: 443 - # quic-port: 853 -@@ -1166,6 +1181,9 @@ remote-control: - # unbound-control certificate file. - # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem" - -+# Stub and Forward zones -+include: "@sysconfdir@/unbound/conf.d/*.conf" + +@@ -888,6 +921,8 @@ server: + # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" + # cipher setting for TLSv1.3 + # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" ++ # Fedora/RHEL: use system-wide crypto policies ++ tls-ciphers: "PROFILE=SYSTEM" + + # Pad responses to padded queries received over TLS + # pad-responses: yes +@@ -1024,12 +1059,12 @@ server: + # cookie-secret: <128 bit random hex string> + + # Enable to attach Extended DNS Error codes (RFC8914) to responses. +- # ede: no ++ ede: yes + + # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale + # Answer as EDNS0 option to expired responses. + # Note that the ede option above needs to be enabled for this to work. +- # ede-serve-expired: no ++ ede-serve-expired: yes + + # Specific options for ipsecmod. Unbound needs to be configured with + # --enable-ipsecmod for these to take effect. +@@ -1037,12 +1072,14 @@ server: + # Enable or disable ipsecmod (it still needs to be defined in + # module-config above). Can be used when ipsecmod needs to be + # enabled/disabled via remote-control(below). +- # ipsecmod-enabled: yes +- # ++ # Fedora: module will be enabled on-demand by libreswan ++ ipsecmod-enabled: no + + # Path to executable external hook. It must be defined when ipsecmod is + # listed in module-config (above). 
+ # ipsecmod-hook: "./my_executable" +- # ++ ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook ++ + # When enabled Unbound will reply with SERVFAIL if the return value of + # the ipsecmod-hook is not 0. + # ipsecmod-strict: no +@@ -1075,7 +1112,7 @@ server: + # o and give a python-script to run. + python: + # Script file to load +- # python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py" ++ # python-script: "/etc/unbound/ubmodule-tst.py" + + # Dynamic library config section. To enable: + # o use --with-dynlibmodule to configure before compiling. +@@ -1086,13 +1123,14 @@ python: + # the module-config then you need one dynlib-file per instance. + dynlib: + # Script file to load +- # dynlib-file: "@UNBOUND_SHARE_DIR@/dynlib.so" ++ # dynlib-file: "/etc/unbound/dynlib.so" + + # Remote control config section. + remote-control: + # Enable remote control with unbound-control(8) here. + # set up the keys and certificates with unbound-control-setup. +- # control-enable: no ++ # Note: required for unbound-munin package ++ control-enable: yes + + # what interfaces are listened to for remote control. + # give 0.0.0.0 and ::0 to listen to all interfaces. +@@ -1100,6 +1138,7 @@ remote-control: + # are not used for that, so key and cert files need not be present. + # control-interface: 127.0.0.1 + # control-interface: ::1 ++ control-interface: "/run/unbound/control" + + # port number for remote control operations. + # control-port: 8953 +@@ -1109,16 +1148,19 @@ remote-control: + # control-use-cert: "yes" + + # Unbound server key file. +- # server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key" ++ server-key-file: "/etc/unbound/unbound_server.key" + + # Unbound server certificate file. +- # server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem" ++ server-cert-file: "/etc/unbound/unbound_server.pem" + + # unbound-control key file. 
+- # control-key-file: "@UNBOUND_RUN_DIR@/unbound_control.key" ++ control-key-file: "/etc/unbound/unbound_control.key" + + # unbound-control certificate file. +- # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem" ++ control-cert-file: "/etc/unbound/unbound_control.pem" ++ ++# Stub and Forward zones ++include: /etc/unbound/conf.d/*.conf + # Stub zones. # Create entries like below, to make all queries for 'example.com' and - # 'example.org' go to the given list of nameservers. list zero or more -@@ -1186,6 +1207,10 @@ remote-control: +@@ -1140,6 +1182,10 @@ remote-control: # name: "example.org" # stub-host: ns.example.com. @@ -104,7 +460,7 @@ index 59090c6..3a86809 100644 # Forward zones # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of servers. These servers have to handle -@@ -1203,6 +1228,10 @@ remote-control: +@@ -1157,6 +1203,10 @@ remote-control: # forward-zone: # name: "example.org" # forward-host: fwd.example.com 
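Review bot: `ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook` in this hunk drops both the space after the colon and the quotes that the commented example `# ipsecmod-hook: "./my_executable"` directly above it uses; `ipsecmod-hook: "/usr/libexec/ipsec/_unbound-hook"` reads like its neighbours. As far as I know the config lexer tolerates the missing space, so this is style only, but at a glance the line looks like a commented key. `control-interface: "/run/unbound/control"` together with `control-enable: yes` is the safer choice over a TCP control port, and the context comment confirms the key and certificate files are not used for a unix socket, so the four `*-key-file`/`*-cert-file` overrides below it only matter if someone later switches the interface back to an IP address; a one-line comment saying so would spare the next reader that check.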
@@ -115,6 +471,75 @@ index 59090c6..3a86809 100644 # Authority zones # The data for these zones is kept locally, from a file or downloaded. +@@ -1167,27 +1217,28 @@ remote-control: + # download it), primary: fetches with AXFR and IXFR, or url to zonefile. + # With allow-notify: you can give additional (apart from primaries and urls) + # sources of notifies. +-# auth-zone: +-# name: "." +-# primary: 170.247.170.2 # b.root-servers.net +-# primary: 192.33.4.12 # c.root-servers.net +-# primary: 199.7.91.13 # d.root-servers.net +-# primary: 192.5.5.241 # f.root-servers.net +-# primary: 192.112.36.4 # g.root-servers.net +-# primary: 193.0.14.129 # k.root-servers.net +-# primary: 192.0.47.132 # xfr.cjr.dns.icann.org +-# primary: 192.0.32.132 # xfr.lax.dns.icann.org +-# primary: 2801:1b8:10::b # b.root-servers.net +-# primary: 2001:500:2::c # c.root-servers.net +-# primary: 2001:500:2d::d # d.root-servers.net +-# primary: 2001:500:2f::f # f.root-servers.net +-# primary: 2001:500:12::d0d # g.root-servers.net +-# primary: 2001:7fd::1 # k.root-servers.net +-# primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org +-# primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org +-# fallback-enabled: yes +-# for-downstream: no +-# for-upstream: yes ++ auth-zone: ++ name: "." 
++ primary: 170.247.170.2 # b.root-servers.net ++ primary: 192.33.4.12 # c.root-servers.net ++ primary: 199.7.91.13 # d.root-servers.net ++ primary: 192.5.5.241 # f.root-servers.net ++ primary: 192.112.36.4 # g.root-servers.net ++ primary: 193.0.14.129 # k.root-servers.net ++ primary: 192.0.47.132 # xfr.cjr.dns.icann.org ++ primary: 192.0.32.132 # xfr.lax.dns.icann.org ++ primary: 2801:1b8:10::b # b.root-servers.net ++ primary: 2001:500:2::c # c.root-servers.net ++ primary: 2001:500:2d::d # d.root-servers.net ++ primary: 2001:500:2f::f # f.root-servers.net ++ primary: 2001:500:12::d0d # g.root-servers.net ++ primary: 2001:7fd::1 # k.root-servers.net ++ primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org ++ primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org ++ fallback-enabled: yes ++ for-downstream: no ++ for-upstream: yes ++ + # auth-zone: + # name: "example.org" + # for-downstream: yes +@@ -1213,6 +1264,9 @@ remote-control: + # name: "anotherview" + # local-zone: "example.com" refuse + ++# Fedora: DNSCrypt support not enabled since it requires linking to ++# another crypto library ++# + # DNSCrypt + # To enable, use --enable-dnscrypt to configure before compiling. + # Caveats: +@@ -1285,7 +1339,7 @@ remote-control: + # dnstap-enable: no + # # if set to yes frame streams will be used in bidirectional mode + # dnstap-bidirectional: yes +-# dnstap-socket-path: "@DNSTAP_SOCKET_PATH@" ++# dnstap-socket-path: "/etc/unbound/dnstap.sock" + # # if "" use the unix socket in dnstap-socket-path, otherwise, + # # set it to "IPaddress[@port]" of the destination. + # dnstap-ip: "" -- -2.47.0 +2.44.0 diff --git a/unbound-initrd.conf b/unbound-initrd.conf deleted file mode 100644 index 7838b3d..0000000 --- a/unbound-initrd.conf +++ /dev/null @@ -1,5 +0,0 @@ -[Unit] -Before=network-online.target - -[Install] -WantedBy=network-online.target diff --git a/unbound-local-root.conf b/unbound-local-root.conf deleted file mode 100644 index 4ba5e9d..0000000 
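Review bot: The root `auth-zone:` block this hunk uncomments becomes part of the default example.conf, but the caveat that travelled with it in unbound-local-root.conf (deleted later in this diff: because an auth-zone takes precedence, forward-zones for internal-only TLDs stop working, and a local root copy suits a network-wide resolver better than a localhost forwarder) is not carried over. I would put that text back as a comment above `auth-zone:`, since the zone is now on for every installation and the behaviour is not obvious from `for-upstream: yes` alone. The example `# dnstap-socket-path: "/etc/unbound/dnstap.sock"` also places a runtime socket under /etc while the control socket in this patch lives in `/run/unbound/`; `"/run/unbound/dnstap.sock"` would be the consistent example.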
--- a/unbound-local-root.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-# Authority zones
-# The data for these zones is kept locally, from a file or downloaded.
-# The data can be served to downstream clients, or used instead of the
-# upstream (which saves a lookup to the upstream).
-#
-# Download local root copy and answer TLD queries from it. Because
-# auth-zone has higher precedence, defined forward-zones to internal
-# only TLD will not work. Use stub-zone or disable this zone.
-# Good for a network-wide resolvers, worse for a localhost caching forwarder.
-auth-zone:
- name: "."
- primary: 170.247.170.2 # b.root-servers.net
- primary: 192.33.4.12 # c.root-servers.net
- primary: 199.7.91.13 # d.root-servers.net
- primary: 192.5.5.241 # f.root-servers.net
- primary: 192.112.36.4 # g.root-servers.net
- primary: 193.0.14.129 # k.root-servers.net
- primary: 192.0.47.132 # xfr.cjr.dns.icann.org
- primary: 192.0.32.132 # xfr.lax.dns.icann.org
- primary: 2801:1b8:10::b # b.root-servers.net
- primary: 2001:500:2::c # c.root-servers.net
- primary: 2001:500:2d::d # d.root-servers.net
- primary: 2001:500:2f::f # f.root-servers.net
- primary: 2001:500:12::d0d # g.root-servers.net
- primary: 2001:7fd::1 # k.root-servers.net
- primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
- primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org
- fallback-enabled: yes
- for-downstream: no
- for-upstream: yes
diff --git a/unbound.service b/unbound.service
index d476504..74321c7 100644
--- a/unbound.service
+++ b/unbound.service
@@ -1,9 +1,6 @@
[Unit]
Description=Unbound recursive Domain Name Server
-After=network.target
-# Use ip-freebind: yes or add After=network-online.target, rhbz#2338429,
-# if interface: specifies exact address, not localhost nor wildcard
-#After=network-online.target
+After=network-online.target
After=unbound-keygen.service
Wants=unbound-keygen.service
After=unbound-anchor.service
@@ -12,7 +9,7 @@ Before=nss-lookup.target
Wants=nss-lookup.target
[Service]
-Type=notify
+Type=simple
EnvironmentFile=-/etc/sysconfig/unbound
ExecStartPre=/usr/sbin/unbound-checkconf
ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
diff --git a/unbound.spec b/unbound.spec
index d173141..31e80b0 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -2,20 +2,10 @@ %{?!with_python3: %global with_python3 1}
%{?!with_munin: %global with_munin 1}
%bcond_without dnstap
-%bcond_without systemd
+%bcond_with systemd
%bcond_without doh
-%if 0%{?fedora} >= 43 && !0%{?rhel}
-# Do not build with QUIC support in RHEL, until we have also client support.
-%bcond_without ngtcp2
-%endif
-%if 0%{?rhel} && ! 0%{?epel}
%bcond_with redis
-%else
-%bcond_without redis
-%endif
-%global forgeurl0 https://github.com/NLnetLabs/unbound
-%global downloads https://nlnetlabs.nl/downloads
%global _hardened_build 1
#global extra_version rc1
@@ -40,16 +30,15 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound
-Version: 1.24.2
-Release: %autorelease %{?extra_version:-e %{extra_version}}
+Version: 1.19.3
+Release: 1%{?extra_version:.%{extra_version}}%{?dist}
License: BSD-3-Clause
Url: https://nlnetlabs.nl/projects/unbound/
-VCS: git:%{forgeurl0}
-Source: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
+Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
Source1: unbound.service
Source3: unbound.munin
Source4: unbound_munin_
-Source5: mkroot.sh
+Source5: root.key
Source7: unbound-keygen.service
Source8: tmpfiles-unbound.conf
Source9: example.com.key
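Review bot: `Type=simple` in this hunk makes systemd treat unbound as started the moment `/usr/sbin/unbound -d` is exec'd, so the `Before=nss-lookup.target` ordering shown in the hunk header no longer guarantees that the listening sockets exist when units ordered after nss-lookup.target start resolving. This is consistent with the spec hunk below switching to `%bcond_with systemd`, which presumably removes the sd_notify support `Type=notify` depended on, but the readiness guarantee is lost silently. If the build really has to drop libsystemd, I would at least say so in the unit, e.g. `# Type=simple: built without sd_notify, dependents may start before the sockets are bound`, and otherwise keep the systemd build and `Type=notify`. The remaining `[Service]` lines continue outside the hunk.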
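Review bot: `Source5: root.key` in this hunk replaces the `mkroot.sh` generator, and the hunks that follow also drop `BuildRequires: dns-root-data` and `Requires: dns-root-data`, so the initial DNSSEC trust anchor becomes a static file carried in the package sources instead of being taken from the system-maintained dns-root-data package. RFC 5011 tracking at runtime presumably keeps a running instance current, but a fresh install starts from whatever this file contains, so it has to be refreshed by hand whenever the root KSK changes and nothing in the spec records that obligation. A comment next to the source line would make it visible, e.g. `# Initial root trust anchor; refresh whenever the root KSK changes (no longer taken from dns-root-data)`.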
@@ -61,41 +50,19 @@ Source14: unbound.sysconfig
Source15: unbound-anchor.timer
Source16: unbound-munin.README
Source17: unbound-anchor.service
-Source18: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
-# https://nlnetlabs.nl/signing-keys/
-Source19: https://nlnetlabs.nl/downloads/keys/releases-g2.asc#/nlnetlabs2026-g2.asc
+Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
+# source: https://nlnetlabs.nl/people/
+Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
Source20: unbound.sysusers
-Source21: remote-control.conf
-Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc
-Source23: unbound-as112-networks.conf
-Source24: unbound-local-root.conf
-Source25: openssl-sha1.conf
-Source26: remote-control-include.conf
-Source27: fedora-defaults.conf
-Source28: module-setup.sh
-Source29: unbound-initrd.conf
-Source30: tmpfiles-unbound-libs.conf
# Downstream configuration changes
Patch1: unbound-fedora-config.patch
-# https://github.com/NLnetLabs/unbound/pull/1331
-Patch2: unbound-1.24-swig-function.patch
-# https://github.com/NLnetLabs/unbound/pull/1381
-Patch3: unbound-1.24-quic-on-demand-only.patch
BuildRequires: gcc, make
-BuildRequires: openssl-devel
+BuildRequires: flex, openssl-devel
BuildRequires: libevent-devel expat-devel
BuildRequires: pkgconfig
-
-# Required for configure regeneration
-BuildRequires: automake autoconf libtool
-BuildRequires: autoconf-archive
-# Regenerate config parser too
-BuildRequires: bison flex byacc
-BuildRequires: dns-root-data
-
-%if 0%{?fedora} || 0%{?rhel} >= 9
+%if 0%{?fedora}
BuildRequires: gnupg2
%endif
%if 0%{with_python2}
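Review bot: `Source19` now fetches the verification key from keys.openpgp.org by the 64-bit key ID `0x9F6F1C2D7E045F8D`, and the comment above it (`# source: https://nlnetlabs.nl/people/`) records neither the full fingerprint nor who the key belongs to, so a reviewer refreshing the file cannot check it against an out-of-band reference; the line it replaces at least pointed at a key file published on nlnetlabs.nl itself. I would record the fingerprint in the comment, e.g. `# NLnet Labs release signing key, fingerprint <FULL-FINGERPRINT-PLACEHOLDER>`. Dropping `Patch2` also removes the `$function` to `$action` SWIG fix whose description, visible in the deleted patch earlier in this diff, says `$function` is unsupported since SWIG 4.4.0; if the 1.19.3 tarball's libunbound.i still uses `$function`, the python3 subpackage will fail to build with a current SWIG, so that is worth confirming before the rebase.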
@@ -121,9 +88,9 @@ BuildRequires: systemd-rpm-macros %else BuildRequires: systemd %endif -%if %{with ngtcp2} -BuildRequires: ngtcp2-crypto-ossl-devel -%endif +# Required for SVN versions +# BuildRequires: bison +# BuildRequires: automake autoconf libtool # Needed because /usr/sbin/unbound links unbound libs staticly Requires: %{name}-libs%{?_isa} = %{version}-%{release} @@ -165,7 +132,7 @@ The devel package contains the unbound library and the include files %package libs Summary: Libraries used by the unbound server and client applications Recommends: %{name}-anchor -Requires: dns-root-data +%{?sysusers_requires_compat} %if ! 0%{with_python2} # Make explicit conflict with no longer provided python package Obsoletes: python2-unbound < 1.9.3 
@@ -215,33 +182,33 @@ Conflicts: python2-unbound < 1.9.3 Python 3 modules and extensions for unbound %endif -%package dracut -Summary: Unbound dracut module -Requires: dracut%{?_isa} -Requires: %{name}%{?_isa} = %{version}-%{release} - -%description dracut -Unbound dracut module allowing use of Unbound for name resolution -in initramfs. %prep -%if 0%{?fedora} || 0%{?rhel} >= 9 -# TODO: Remove Yorgos.asc and extra verification once releases start to be signed by new g2 key -%{gpgverify} --keyring='%{SOURCE22}' --signature='%{SOURCE18}' --data='%{SOURCE0}' || \ +%if 0%{?fedora} %{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}' %endif %global pkgname %{name}-%{version}%{?extra_version} %if 0%{with_python2} && 0%{with_python3} +%global dir_primary %{pkgname}_python3 %global python_primary %{__python3} %global dir_secondary %{pkgname}_python2 %global python_secondary %{__python2} +%else +%global dir_primary %{pkgname} %endif -%autosetup -N -n %{pkgname} +%autosetup -c -N -n %{pkgname} +pushd %{pkgname} # patches go here -%autopatch -p1 +%autopatch -p2 + +# only for snapshots +# autoreconf -iv + +# copy common doc files - after here, since it may be patched +cp -pr doc pythonmod libunbound ../ %if 0%{?rhel} > 8 # SHA-1 breaks some tests. Disable just some tests because of that. 
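Review bot: The `%if 0%{?fedora}` guard around `%{gpgverify}` in `%prep` means RHEL/EPEL and any other non-Fedora rebuild unpack the tarball without checking the upstream signature at all; the replaced guard at least covered `0%{?rhel} >= 9`. Signature verification is the only supply-chain check on `Source0` in this spec, so restore `%if 0%{?fedora} || 0%{?rhel} >= 9` here (and on the matching `BuildRequires: gnupg2`), or add a comment stating why non-Fedora builds are allowed to skip it.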
@@ -251,35 +218,31 @@ in initramfs. mv testdata/${TEST}.rpl{,-disabled} done %endif +popd %if 0%{with_python2} && 0%{with_python3} - cp -a . %{dir_secondary} +mv %{pkgname} %{dir_primary} +cp -a %{dir_primary} %{dir_secondary} %endif %build +# This is needed to rebuild the configure script to support Python 3.x +# autoreconf -iv + # ./configure script common arguments %global configure_args --with-libevent --with-pthreads --with-ssl \\\ --disable-rpath --disable-static \\\ --enable-relro-now --enable-pie \\\ --enable-subnet --enable-ipsecmod \\\ --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\ - --with-share-dir=%{_datadir}/%{name} \\\ --with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\ --enable-sha2 --disable-gost --enable-ecdsa \\\ --with-rootkey-file=%{_sharedstatedir}/%{name}/root.key \\\ --with-username=unbound \\\ --enable-linux-ip-local-port-range \\\ - --with-dynlibmodule \\\ -# -# always regenerate configure -rm -f config.h.in aclocal.m4 configure ltmain.sh -rm -f {ax_pthread,ax_swig_python}.m4 -cp -p %{_datadir}/aclocal/{ax_pthread,ax_swig_python}.m4 . -# ensure bison is used to generate fresh parser -rm -f util/configparser.{c,h} util/configlexer.c -autoreconf -fiv +pushd %{dir_primary} %configure \ %if 0%{?python_primary:1} @@ -294,18 +257,20 @@ autoreconf -fiv %if %{with doh} --with-libnghttp2 \ %endif +%if 0%{?rhel} + --disable-sha1 \ +%endif %if %{with redis} --with-libhiredis \ --enable-cachedb \ -%endif -%if %{with ngtcp2} - --with-libngtcp2 \ %endif %{configure_args} %make_build %make_build streamtcp +popd + %if 0%{?python_secondary:1} pushd %{dir_secondary} %configure \ @@ -315,9 +280,6 @@ pushd %{dir_secondary} %endif %if %{with systemd} --enable-systemd \ -%endif -%if %{with ngtcp2} - --with-libngtcp2 \ %endif %{configure_args} 
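Review bot: Removing the `rm -f config.h.in aclocal.m4 configure ltmain.sh` / `rm -f util/configparser.{c,h} util/configlexer.c` / `autoreconf -fiv` block (with `# autoreconf -iv` left commented out) means the build now executes the tarball's pre-generated `configure`, `ltmain.sh` and config parser as shipped instead of regenerating them from the committed sources. Generated autotools output is opaque to source review, so regenerating it is a supply-chain control; if it is dropped deliberately, say why, e.g. `# configure and the parser are used as shipped; the tarball signature is the only check on them`. Restoring it also needs the automake/autoconf/libtool/bison `BuildRequires` that an earlier hunk removed.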
@@ -336,9 +298,11 @@ pushd %{dir_secondary} popd %endif +pushd %{dir_primary} %make_install unbound-event-install install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp -install -p -m 0644 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf +install -p -m 0755 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf +popd install -d -m 0755 %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service 
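Review bot: `install -p -m 0755 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf` installs the main configuration file with the executable bit set. The `%files` entry `%attr(0644,root,root) %config(noreplace) …/unbound.conf` overrides the mode in the payload, but the file is still 0755 in the buildroot during `%check`, and any later edit to `%files` would ship it executable; use `install -p -m 0644 doc/example.conf …` as the other config installs in this spec do.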
@@ -359,21 +323,25 @@ for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unboun done %endif +pushd %{dir_primary} # install streamtcp man page -install -p -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1 -install -p -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc +install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1 +install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc +popd # Install tmpfiles.d config install -d -m 0755 %{buildroot}%{_tmpfilesdir} %{buildroot}%{_sharedstatedir}/unbound -install -p -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf -install -p -m 0644 %{SOURCE30} %{buildroot}%{_tmpfilesdir}/unbound-libs.conf +install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf # install root - we keep a copy of the root key in old location, # in case user has changed the configuration and we wouldn't update it there -sh %{SOURCE5} root.key -install -m 0644 root.key %{buildroot}%{_sysconfdir}/unbound/ -ln -sr "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key" "%{buildroot}%{_sharedstatedir}/unbound/root.key" -ln -sr "%{buildroot}%{_datadir}/dns-root-data/root.key" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key" +install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/ +install -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/unbound/dnssec-root.key +# make initial key static +pushd %{buildroot}%{_sharedstatedir}/unbound + KEYPATH=$(realpath --relative-to="%{buildroot}%{_sharedstatedir}/unbound" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key") + ln -s "$KEYPATH" root.key +popd # remove static library from install (fedora packaging guidelines) rm %{buildroot}%{_libdir}/*.la 
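Review bot: `install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/` and the `%{SOURCE13}` line after it drop `-p`, so `/etc/unbound/root.key` and `dnssec-root.key` are packaged with a build-time mtime; both are `%config` files, and this diff's own changelog records `-p` being added precisely to stop identical config files producing spurious `.rpmnew` files. Restore `install -p -m 0644` on both lines (and on the streamtcp.1, libunbound.pc and tmpfiles installs, where it is harmless and keeps builds reproducible). The `# make initial key static` comment should also say what happens once unbound-anchor refreshes `/var/lib/unbound/root.key` — presumably the symlink is replaced by a regular file, which is worth confirming and stating.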
@@ -392,27 +360,16 @@ mkdir -p %{buildroot}%{_rundir}/unbound # Install directories for easier config file drop in mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d} -install -p -m 0644 %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/ -install -p -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/ -install -p -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/ -install -p -m 0644 %{SOURCE26} %{buildroot}%{_sysconfdir}/unbound/conf.d/remote-control.conf -install -p -m 0644 %{SOURCE25} %{buildroot}%{_sysconfdir}/unbound/openssl-sha1.conf - -mkdir -p %{buildroot}%{_datadir}/%{name}/conf.d -install -p -m 0644 %{SOURCE21} %{buildroot}%{_datadir}/%{name}/conf.d/ -install -p -m 0644 %{SOURCE23} %{buildroot}%{_datadir}/%{name}/conf.d/ -install -p -m 0644 %{SOURCE24} %{buildroot}%{_datadir}/%{name}/conf.d/ -install -p -m 0644 %{SOURCE27} %{buildroot}%{_datadir}/%{name}/ +install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/ +install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/ +install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/ # Link unbound-control-setup.8 manpage to unbound-control.8 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8 -# install dracut module -mkdir -p %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound - -install -p -m 0755 %{SOURCE28} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound -install -p -m 0644 %{SOURCE29} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound +%pre libs +%sysusers_create_compat %{SOURCE20} %post %systemd_post unbound.service 
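Review bot: The three `install -p %{SOURCE9}`, `%{SOURCE10}`, `%{SOURCE11}` lines lost their `-m 0644`, and `install` defaults to 0755, so the example key and the conf.d/local.d drop-ins land in the buildroot executable. `%files` corrects `keys.d/*.key` with `%attr(0644,root,unbound)`, but relying on `%attr` to undo a wrong install mode is fragile and the conf.d/local.d entries are not visible here; restore `install -p -m 0644` on all three. The new `%pre libs` / `%sysusers_create_compat %{SOURCE20}` pairing is consistent with the `%{?sysusers_requires_compat}` added to the libs package.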
@@ -440,19 +397,21 @@ fi %postun anchor %systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer -%triggerun -- unbound < 1.23.1-4 -if [ "$(stat -c '%%a %%G' %{_sysconfdir}/%{name}/unbound_control.key 2>/dev/null)" = '600 unbound' ]; then - # change permissions of existing key just once, where it were generated with wrong perms - %{_bindir}/chmod g+r "%{_sysconfdir}/%{name}/unbound_control.key" || : -fi - - %check -export OPENSSL_CONF="%{buildroot}%{_sysconfdir}/unbound/openssl-sha1.conf" +pushd %{dir_primary} +#pushd pythonmod +#make test +#popd + make check +popd + %if 0%{?python_secondary:1} pushd %{dir_secondary} +#pushd pythonmod +#make test +#popd make check popd %endif @@ -462,10 +421,9 @@ popd %doc doc/CREDITS doc/FEATURES %{_unitdir}/%{name}.service %{_unitdir}/%{name}-keygen.service -%attr(0775,unbound,root) %dir %{_rundir}/%{name} +%attr(0755,unbound,unbound) %dir %{_rundir}/%{name} %attr(0644,root,root) %{_tmpfilesdir}/unbound.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf -%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/openssl-sha1.conf %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d %attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d/*.key %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/conf.d @@ -475,12 +433,11 @@ popd %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.pem %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.key %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.pem -%ghost %attr(0600,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key +%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key %{_sbindir}/unbound %{_sbindir}/unbound-checkconf %{_sbindir}/unbound-control %{_sbindir}/unbound-control-setup -%{_datadir}/%{name}/ %{_mandir}/man5/* %exclude %{_mandir}/man8/unbound-anchor* %{_mandir}/man8/* 
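Review bot: `%ghost %attr(0640,root,unbound) …/unbound_server.key` loosens the remote-control server's private key from 0600 to group-readable by `unbound`, and this diff's changelog shows that group is used to grant operators `unbound-control` access, so every such operator can now read the key and impersonate the control server. A control client needs only the server certificate plus its own client key/cert; unless the daemon loads the server key after dropping to the `unbound` user (in which case 0640 is required — verify before deciding), keep `%ghost %attr(0600,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key`. The `%attr(0755,unbound,unbound)` change on `%{_rundir}/%{name}` and the dropped `%triggerun` are fine as shown.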
@@ -522,11 +479,10 @@ popd %{_sysusersdir}/%{name}.conf %{_libdir}/libunbound.so.8* %dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name} -%config %verify(not link owner group size mtime mode md5) %{_sharedstatedir}/%{name}/root.key +%config(noreplace) %verify(not link user group) %{_sharedstatedir}/%{name}/root.key # just left for backwards compat with user changed unbound.conf files - format is different! -%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key -%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-root.key -%attr(0644,root,root) %{_tmpfilesdir}/unbound-libs.conf +%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key +%attr(0644,root,root) %config %{_sysconfdir}/%{name}/dnssec-root.key %files anchor %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name} 
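Review bot: `%config(noreplace) %verify(not link user group) %{_sharedstatedir}/%{name}/root.key` still verifies size, mtime, mode and digest of a file that unbound-anchor is expected to rewrite on its timer, so `rpm -V` will flag it as modified after the first anchor refresh, which trains operators to ignore verification output on a trust-anchor file. The replaced `%verify(not link owner group size mtime mode md5)` avoided that; keep the wider exclusion, or document why the narrower one is intended. Dropping `noreplace` on `/etc/unbound/root.key` and `dnssec-root.key` matches the changelog rationale in this diff ("we can only improve these files over local copies") and looks intended.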
@@ -543,8 +499,930 @@ popd %{_sbindir}/unbound-streamtcp %{_mandir}/man1/unbound-* -%files dracut -%{_prefix}/lib/dracut/modules.d/99unbound - %changelog -%autochangelog +* Fri Apr 12 2024 Petr Menšík - 1.19.3-1 +- Update to 1.19.3 (rhbz#2268404) +- Fix CVE-2024-1931, Denial of service when trimming EDE text on + positive replies. (rhbz#2268419) +- Use the origin (DNAME) TTL for synthesized CNAMEs as per RFC 6672. +- Bug fixes + +* Fri Mar 01 2024 Paul Wouters - 1.19.1-2 +- Fix trim of EDE text from large udp responses from spinning cpu. +- b rootserver patches from rawhide + +* Tue Feb 13 2024 Petr Menšík - 1.19.1-1 +- Update to 1.19.1 for CVE-2023-50387, CVE-2023-50868 (#2264029) +- Ensure only unbound group members can make changes + +* Thu Nov 02 2023 Petr Menšík - 1.19.0-1 +- Update to 1.19.0 (#2248686) + +* Thu Oct 12 2023 Paul Wouters - 1.18.0-2 +- Fix for resolving outlook.com via forwarders + +* Fri Sep 01 2023 Petr Menšík - 1.18.0-1 +- Update to 1.18.0 (#2236097) + +* Sat Jan 21 2023 Fedora Release Engineering - 1.17.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Fri Jan 13 2023 Paul Wouters - 1.17.0-2 +- Move unbound user creation to libs (#2149036) +- Use systemd-sysusers for user creation (#2105416) +- Keep original DNSSEC root key as config (#2132103) + +* Tue Nov 01 2022 Petr Menšík - 1.17.0-1 +- Update to 1.17.0 (#2134348) + +* Wed Oct 05 2022 Petr Menšík - 1.16.3-3 +- Correct issues made by unbound-anchor package split (#2110858) + +* Fri Sep 30 2022 Petr Menšík - 1.16.3-2 +- Update License tag to SPDX identifier + +* Fri Sep 23 2022 Petr Menšík - 1.16.3-1 +- Update to 1.16.3 (#2128638) + +* Tue Aug 09 2022 Paul Wouters - 1.16.2-3 +- sync up to upstream unbound.conf +- Enable Extended DNS Error codes (RFC8914) + +* Tue Aug 09 2022 Petr Menšík - 1.16.2-2 +- Require openssl tool for unbound-keygen (#2116790) + +* Wed Aug 03 2022 Petr Menšík - 1.16.2-1 +- Update to 1.16.2 (#2105947) for CVE-2022-30698 and CVE-2022-30699 
+ +* Sat Jul 23 2022 Fedora Release Engineering - 1.16.0-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Mon Jun 27 2022 Petr Menšík - 1.16.0-6 +- Move unbound-anchor to separate package +- Move unbound-host and unbound-streamtcp to unbound-utils package + +* Mon Jun 13 2022 Python Maint - 1.16.0-5 +- Rebuilt for Python 3.11 + +* Tue Jun 07 2022 Petr Menšík - 1.16.0-4 +- Restart keygen service before every unbound start + +* Sat Jun 04 2022 Petr Menšík - 1.16.0-1 +- Update to 1.16.0 + +* Tue Apr 26 2022 Petr Menšík - 1.15.0-3 +- Stop creating wrong devel manual pages (#2078929) + +* Wed Apr 20 2022 Petr Menšík - 1.15.0-2 +- Update icannbundle.pem + +* Tue Mar 29 2022 Petr Menšík - 1.15.0-1 +- Update to 1.15.0 (#2030608) + +* Sat Jan 22 2022 Fedora Release Engineering - 1.13.2-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Sat Nov 06 2021 Adrian Reber - 1.13.2-4 +- Rebuilt for protobuf 3.19.0 + +* Mon Oct 25 2021 Adrian Reber - 1.13.2-3 +- Rebuilt for protobuf 3.18.1 + +* Tue Sep 14 2021 Sahana Prasad - 1.13.2-2 +- Rebuilt with OpenSSL 3.0.0 + +* Thu Aug 12 2021 Paul Wouters - 1.13.2-1 +- Resolves: rhbz#1992985 unbound-1.13.2 is available +- Use system-wide crypto policies + +* Fri Jul 23 2021 Fedora Release Engineering - 1.13.1-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Wed Jun 02 2021 Python Maint - 1.13.1-7 +- Rebuilt for Python 3.10 + +* Fri Apr 23 2021 Artem Egorenkov - 1.13.1-6 +- Option --enable-linux-ip-local-port-range added to use system configured port range for libunbound on Linux +- Resolves: rhbz#1935101 + +* Tue Apr 13 2021 Paul Wouters - 1.13.1-5 +- Fix unbound.service to use After=network-online.target + +* Tue Apr 06 2021 Artem Egorenkov - 1.13.1-4 +- Don't start unbound-anchor before unbound service if DISABLE_UNBOUND_ANCHOR + environment variable equals to "yes" + +* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 1.13.1-3 +- Rebuilt for updated 
systemd-rpm-macros + See https://pagure.io/fesco/issue/2583. + +* Mon Feb 15 2021 Victor Stinner - 1.13.1-2 +- Fix build on Python 3.10 (rhbz#1889726). + +* Wed Feb 10 2021 Paul Wouters - 1.13.1-1 +- Resolves rhbz#1860887 unbound-1.13.1 is available +- Fixup unbound.conf + +* Wed Jan 27 2021 Fedora Release Engineering - 1.13.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Thu Dec 10 2020 Petr Menšík - 1.13.0-1 +- Update to 1.13.0 + +* Tue Oct 13 2020 Petr Menšík - 1.12.0-1 +- Update to 1.12.0 (#1860887) + +* Tue Sep 15 2020 Petr Menšík - 1.10.1-5 +- Move command line tools to utils subpackage + +* Wed Jul 29 2020 Fedora Release Engineering - 1.10.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jul 14 2020 Tom Stellard - 1.10.1-3 +- Use make macros +- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro + +* Fri May 22 2020 Miro Hrončok - 1.10.1-2 +- Rebuilt for Python 3.9 + +* Tue May 19 2020 Paul Wouters - 1.10.1-1 +- Resolves: rhbz#1837279 unbound-1.10.1 is available +- Resolves: rhbz#1837598 CVE-2020-12662 unbound: insufficient control of network message volume leads to DoS +- Resolves: rhbz#1837609 CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers +- Updated unbound.conf for new options in 1.10.1 + +* Wed Apr 29 2020 Paul Wouters - 1.10.0-3 +- Resolves: rhbz#1667742 SELinux is preventing unbound from 'name_bind' accesses on the udp_socket port 61000. 
+ +* Thu Apr 16 2020 Artem Egorenkov - 1.10.0-2 +- Resolves: rhbz#1824536 unbound crash + +* Thu Mar 19 2020 Petr Menšík - 1.10.0-1 +- Update to 1.10.0 (#1805199) + +* Fri Jan 31 2020 Fedora Release Engineering - 1.9.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Fri Dec 13 2019 Paul Wouters - 1.9.6-1 +- Resolves: rhbz#1758107 unbound-1.9.5 is available +- Resolves: CVE-2019-18934 + +* Fri Nov 01 2019 Paul Wouters - 1.9.4-1 +- Fix build on rhel/centos systems +- Resolves: rhbz#1767955 (CVE-2019-16866) uninitialized memory accesses leads to crash via a crafted NOTIFY query + +* Thu Sep 26 2019 Petr Menšík - 1.9.3-2 +- Obsolete no longer provided python2 subpackage (#1749400) + +* Tue Aug 27 2019 Paul Wouters - 1.9.3-1 +- Updated to 1.9.3 +- Resolves: rhbz#1672578 unbound-1.9.2 is available +- Resolves: rhbz#1694831 [/usr/lib/tmpfiles.d/unbound.conf:1] Line references path below legacy directory /var/run/ +- Resolves: rhbz# 1667387 [abrt] unbound: memmove(): unbound killed by SIGABRT + +* Thu Aug 22 2019 Miro Hrončok - 1.8.3-8 +- Subpackage python2-unbound has been removed + See https://fedoraproject.org/wiki/Changes/Mass_Python_2_Package_Removal + +* Thu Aug 15 2019 Miro Hrončok - 1.8.3-7 +- Rebuilt for Python 3.8 + +* Mon Aug 5 2019 Zbigniew Jędrzejewski-Szmek - 1.8.3-6 +- Drop install-time requirements on systemd (#1723777) + +* Sat Jul 27 2019 Fedora Release Engineering - 1.8.3-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Sun Feb 03 2019 Fedora Release Engineering - 1.8.3-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Jan 11 2019 Paul Wouters - 1.8.3-3 +- Remove KSK-2010 from configs - it has been revoked + +* Wed Dec 12 2018 Paul Wouters - 1.8.3-2 +- Another dns64 fixup + +* Wed Dec 12 2018 Paul Wouters - 1.8.3-1 +- Updated to 1.8.3 with fixes the dns64 bug and has some other minor fixes + +* Mon Dec 10 2018 Paul Wouters - 1.8.2-2 +- Fix dns64 allocation in wrong 
region for returned internal queries. + +* Tue Dec 04 2018 Paul Wouters - 1.8.2-1 +- Updated to 1.8.2. +- Enabled deny ANY query support and edns-tcp-keepalive +- Set serve-stale timeout to 4h +- Updated unbound.conf for latest options + +* Mon Oct 22 2018 Petr Menšík - 1.8.1-2 +- Allow group by default to unbound-control (#1640259) + +* Mon Oct 08 2018 Petr Menšík - 1.8.1-1 +- Update to 1.8.1 + +* Mon Oct 01 2018 Petr Menšík - 1.8.0-2 +- Skip ipv6 forwarders without ipv6 support (#1633874) + +* Wed Sep 19 2018 Petr Menšík - 1.8.0-1 +- Rebase to 1.8.0 + +* Tue Aug 14 2018 Paul Wouters - 1.7.3-9 +- Fix for restarting unbound service after deleting key/pem files for remote control + +* Tue Jul 31 2018 Petr Menšík - 1.7.3-8 +- Release memory in unbound-host + +* Mon Jul 23 2018 Petr Menšík - 1.7.3-7 +- Remove unused Group tag + +* Wed Jul 18 2018 Petr Menšík - 1.7.3-6 +- Cleanup generated client and server keys (#1601773) + +* Sat Jul 14 2018 Fedora Release Engineering - 1.7.3-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Mon Jul 09 2018 Petr Menšík - 1.7.3-4 +- Do not call ldconfig if possible + +* Wed Jul 04 2018 Petr Menšík - 1.7.3-3 +- Update trust anchors also behind firewall (#1598078) + +* Mon Jul 02 2018 Miro Hrončok - 1.7.3-2 +- Rebuilt for Python 3.7 + +* Wed Jun 27 2018 Petr Menšík - 1.7.3-1 +- Update to 1.7.3 (#1593708) + +* Wed Jun 27 2018 Petr Menšík - 1.7.2-3 +- Remove last python2 dependency from python3 build + +* Tue Jun 19 2018 Miro Hrončok - 1.7.2-2 +- Rebuilt for Python 3.7 + +* Mon Jun 11 2018 Paul Wouters - 1.7.2-1 +- Resolves rhbz#1589807 unbound-1.7.2 is available +- Add patch to fix stub/forward zone not returning ServFail when TTL expires +- Enabled the new root-key-sentinel option + +* Wed May 30 2018 Petr Menšík - 1.7.1-1 +- Update to 1.7.1 (#1574495) + +* Mon Apr 09 2018 Petr Menšík - 1.7.0-5 +- Require gcc and make on build +- Remove group, simplify systemd requires +- Simplify building with single python 
version, make python3 primary + +* Mon Apr 09 2018 Paul Wouters - 1.7.0-4 +- Patch for prefetching after flushing cache + +* Fri Apr 06 2018 Paul Wouters - 1.7.0-3 +- Patch for referral with auth-zone: response + + +* Wed Mar 21 2018 Paul Wouters - 1.7.0-2 +- Patch for broken Aggressive NSEC + stub-zone configuration causing NXDOMAIN at TTL expiry + +* Thu Mar 15 2018 Paul Wouters - 1.7.0-1 +- Updated to 1.7.0 (aggressive nsec, local root support, bugfixes) + +* Thu Feb 22 2018 Petr Menšík - 1.6.8-6 +- Uncomment again original max-upd-size + +* Wed Feb 21 2018 Petr Menšík - 1.6.8-5 +- Use default RPM build flags and configure parameters (#1539097) + +* Wed Feb 21 2018 Petr Menšík - 1.6.8-4 +- Remove group writable bit from some config files (#1528445) + +* Wed Feb 14 2018 Filipe Rosset - 1.6.8-3 +- rebuilt due new libevent 2.1.8 + +* Fri Feb 09 2018 Igor Gnatenko - 1.6.8-2 +- Escape macros in %%changelog + +* Mon Jan 22 2018 Paul Wouters - 1.6.8-1 +- Resolves rhbz#1483572 unbound-1.6.8 is available +- Resolves rhbz#1507049 CVE-2017-15105 unbound: Improper validation of wildcard synthesized NSEC records +- Resolves rhbz#1536518 CVE-2017-15105 unbound: Improper validation of wildcard synthesized NSEC records [fedora-all] + +* Sun Dec 17 2017 Zbigniew Jędrzejewski-Szmek - 1.6.7-2 +- Python 2 binary package renamed to python2-unbound + See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3 + +* Thu Oct 12 2017 Paul Wouters - 1.6.7-1 +- Updated to 1.6.7 (minor bugfixes) + +* Tue Oct 03 2017 Petr Menšík - 1.6.6-3 +- Update icannbundle.pem + +* Mon Oct 02 2017 Paul Wouters - 1.6.6-2 +- Enable RFC 8145 Trust Anchor Signaling to help the root zone get keytag statistics + +* Fri Sep 22 2017 Paul Wouters - 1.6.6-1 +- Resolves: rhbz#1483572 unbound-1.6.6 is available +- Resolves: rhbz#1465575 unbound fails to start up, complains about missing ipsecmod-hook (edit) + +* Wed Aug 16 2017 Paul Wouters - 1.6.4-4 +- Rebuilt with KSK2017 added to root.key and root.anchor 
+- Remove noreplace for root key files. We can only improve these files over local copies + +* Thu Aug 03 2017 Fedora Release Engineering - 1.6.4-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 1.6.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sun Jul 02 2017 Paul Wouters - 1.6.4-1 +- Updated to 1.6.4 full release, patch to allow missing ipsechook +- Resolves rhbz#1465575 unbound fails to start up, complains about missing ipsecmod-hook + +* Thu Jun 22 2017 Paul Wouters - 1.6.4-0.rc2 +- Update to 1.6.4 (esubnet, ipsecmod support, bugfixes) + +* Tue Jun 13 2017 Paul Wouters - 1.6.3-1 +- Updated to 1.6.3 (fixes assertion failure when receiving malformed packet with 0x20 enabled) + +* Thu Jun 08 2017 Paul Wouters - 1.6.2-2 +- Patch for cmd: unbound-control set_option val-permissive-mode: yes + +* Wed Apr 26 2017 Paul Wouters - 1.6.2-1 +- Update to 1.6.2 (rhbz#1425649) +- Updated unbound.conf with new options + +* Wed Mar 22 2017 Paul Wouters - 1.6.0-6 +- Call make unbound-event-install to install unbound-event.h + +* Sat Feb 11 2017 Fedora Release Engineering - 1.6.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Wed Jan 18 2017 Paul Wouters - 1.6.0-4 +- Remove obsoleted DLV key + +* Mon Jan 02 2017 Paul Wouters - 1.6.0-3 +- Actually remove dependency because minimum is always satisfied + +* Mon Jan 02 2017 Paul Wouters - 1.6.0-2 +- Depend on openssl-libs, not opensl + +* Wed Dec 21 2016 Kevin Fenzi - 1.6.0-1 +- Update to 1.6.0 + +* Mon Dec 19 2016 Miro Hrončok - 1.5.10-3 +- Rebuild for Python 3.6 + +* Wed Oct 26 2016 Ilya Evseev - 1.5.10-2 +- Bugfix building without python2 and python3 +- Fixup streamtcp build (Paul) + +* Tue Sep 27 2016 Paul Wouters - 1.5.10-1 +- Updated to 1.5.10 (better TCP handling, bugfixes) +- Install pkgconfig file in -devel package +- Updated unbound.conf + +* Tue Jul 19 2016 Fedora Release Engineering 
- 1.5.9-4 +- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages + +* Thu Jul 07 2016 Paul Wouters - 1.5.9-3 +- Fix upper port range to 60999 because that's what selinux allows + +* Thu Jun 16 2016 Paul Wouters - 1.5.9-2 +- Patch for allowing more queries before failure (needed for query minimalization) + +* Mon Jun 13 2016 Paul Wouters - 1.5.9-1 +- Updated to 1.5.9 + +* Thu Apr 21 2016 Toshio Kuratomi - 1.5.8-2 +- Fix streamtcp to link against libpython3.x instead of libpython2.x + +* Wed Mar 02 2016 Paul Wouters - 1.5.8-1 +- Update to 1.5.8 (rhbz#1313831) which incorporates rhbz#1294339 patch +- Updated unbound.conf with new upstream options +- Enabled ip-transparent: yes (see rhbz#1291449) + +* Fri Feb 05 2016 Fedora Release Engineering - 1.5.7-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Thu Jan 21 2016 Tomas Hozza - 1.5.7-2 +- Fix escaping of shell chars in unbound-control-setup (#1294339) + +* Fri Dec 11 2015 Paul Wouters - 1.5.7-1 +- Update to 1.5.7 +- Enable query minimalization for enhanced DNS query privacy +- Enable nxdomain hardening to assist with query minimalization and SBLs +- Updated default unbound.conf for new features from upstream. 
+ +* Fri Nov 13 2015 Tomas Hozza - 1.5.6-1 +- Update to 1.5.6 (#1176729) + +* Wed Nov 04 2015 Robert Kuska - 1.5.5-2 +- Rebuilt for Python3.5 rebuild + +* Wed Oct 07 2015 Tomas Hozza - 1.5.5-1 +- New upstream release 1.5.5 (#1269137) +- Removed the anchor update from %%post section of -libs subpackage (#1269137#c2) + +* Tue Sep 15 2015 Tomas Hozza - 1.5.4-5 +- Removed dependency and ordering on unbound-anchor.service in unbound.service + +* Thu Sep 03 2015 Tomas Hozza - 1.5.4-4 +- Prefer Python3 build over Python2 build for now (#1254566) + +* Mon Jul 20 2015 Tomas Hozza - 1.5.4-3 +- Added ExecReload section to unbound.service (#1195785) +- Removed After syslog.target since it is not needed any more + +* Thu Jul 16 2015 Tomas Hozza - 1.5.4-2 +- Start unbound-anchor.timer only on new installations +- Rename root.anchor to root.key in %%post section + +* Tue Jul 14 2015 Paul Wouters - 1.5.4-1 +- Update to 1.5.4 +- Removed patches merged into upstream + +* Tue Jun 16 2015 Tomas Hozza - 1.5.3-8 +- Revert: Use low maximum negative cache TTL (5 sec) (#1229596) + +* Mon Jun 15 2015 Tomas Hozza - 1.5.3-7 +- Add option for maximum negative cache TTL (#1229599) +- Use low maximum negative cache TTL (5 sec) (#1229596) + +* Tue May 26 2015 Tomas Hozza - 1.5.3-6 +- Removed usage of DLV from the default configuration (#1223363) + +* Wed May 13 2015 Tomas Hozza - 1.5.3-5 +- unbound.service now Wants unbound-anchor.timer +- unbound-anchor man page moved to the unbound-libs + +* Mon May 11 2015 Paul Wouters - 1.5.3-4 +- Fixup scriptlets causing systemctl: command not found +- Resolves rhbz#1219587 Error in PREIN scriptlet in rpm package unbound-libs + +* Mon Apr 27 2015 Tomas Hozza - 1.5.3-3 +- migrate cronjob to systemd timer unit (#1177285) +- change the period for unbound-anchor from monthly to daily (#1180267) +- Thanks to Tomasz Torcz for the initial patch + +* Thu Apr 16 2015 Tomas Hozza - 1.5.3-2 +- Fix FTBFS (#1206129) +- Build python3-unbound and python-unbound bindings 
for Python 3 and 2 (#1188080) + +* Mon Mar 16 2015 Paul Wouters - 1.5.3-1 +- Updated to 1.5.3 which is a bugfix on 1.5.2 for sighup handling +- Updated to 1.5.2 which fixes DNSSEC validation with different + trust anchors upstream, local-zone has a new keyword 'inform' + +* Mon Feb 02 2015 Paul Wouters - 1.5.1-4 +- Build with --enable-ecdsa + +* Sun Feb 01 2015 Paul Wouters - 1.5.1-3 +- Fix post to create root.anchor, not root.key, to match cron job + +* Tue Dec 09 2014 Paul Wouters - 1.5.1-2 +- Change systemd-units to systemd +- Use _tmpfilesdir macro, don't mark tmpfiles as config + +* Tue Dec 09 2014 Paul Wouters - 1.5.1-1 +- Update to 1.5.1 for CVE-2014-8602 (rhbz#1172066) +- Removed unbound-aarch64.patch which was merged upstream +- Don't require autotools for non snapshots or run autoreconf + +* Fri Nov 28 2014 Tomas Hozza - 1.5.1-0.1.rc1 +- update to 1.5.1rc1 + +* Fri Nov 28 2014 Marcin Juszkiewicz - 1.5.0-3 +- fix build on aarch64 + +* Wed Nov 26 2014 Tomas Hozza - 1.5.0-2 +- Fix race condition in arc4random (#1166878) + +* Wed Nov 19 2014 Tomas Hozza - 1.5.0-1 +- update to 1.5.0 + +* Wed Sep 24 2014 Pavel Šimerda - 1.4.22-6 +- Resolves: #1115489 - build with python 3.x for fedora >= 22 + +* Thu Aug 21 2014 Kevin Fenzi - 1.4.22-5 +- Rebuild for rpm bug 1131960 + +* Mon Aug 18 2014 Fedora Release Engineering - 1.4.22-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sun Jun 08 2014 Fedora Release Engineering - 1.4.22-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Thu May 01 2014 Paul Wouters - 1.4.22-2 +- Added flushcache patch (SVN commit 3125) + +* Thu Mar 13 2014 Paul Wouters - 1.4.22-1 +- Updated to 1.4.22 +- No longer requires the ldns library + +* Thu Jan 16 2014 Tomas Hozza - 1.4.21-3 +- Fix segfault on adding insecure forward zone when using only iterator (#1054192) + +* Mon Oct 21 2013 Tomas Hozza - 1.4.21-2 +- run test suite during the build + +* Thu Sep 19 2013 Paul Wouters - 1.4.21-1 +- 
Updated to 1.4.21, +- Enabled new max-udp-size: 3072 (so ANY isc.org won't fit) +- Removed patched merged in by upstream +- Enable statistics-cumulative for munin-plugin +- Added outgoing-port-avoid: 0-32767 conformant to SElinux restrictions +- Updated unbound.conf + +* Mon Aug 26 2013 Tomas Hozza - 1.4.20-19 +- Fix errors found by static analysis of source + +* Mon Aug 12 2013 Paul Wouters - 1.4.20-18 +- Change unbound.conf to only use ephemeral ports (32768-65535) + +* Sun Aug 04 2013 Fedora Release Engineering - 1.4.20-17 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Mon Jul 22 2013 Tomas Hozza - 1.4.20-16 +- provide man page for unbound-streamtcp + +* Mon Jul 08 2013 Paul Wouters - 1.4.20-15 +- Re-introduce hardening flags for full relro and pie +- Fixes compilation failure for python module + +* Wed Jul 03 2013 Tomas Hozza - 1.4.20-14 +- remove missing unbound-rootkey.service from post/preun/postun sections +- don't hardcode hardening flags, let hardened build macro handles it + +* Sat Jun 01 2013 Paul Wouters - 1.4.20-13 +- Run unbound-anchor as user unbound in unbound.service + +* Tue May 28 2013 Paul Wouters - 1.4.20-12 +- Enable round-robin (with noths() patch) +- Change cron and systemd service to use root.key, not root.anchor + +* Sat May 25 2013 Paul Wouters - 1.4.20-10 +- Use /var/lib/unbound/root.key (more consistent with other distros) +- Enable minimal responses + +* Mon Apr 22 2013 Paul Wouters - 1.4.20-8 +- Refix + +* Fri Apr 19 2013 Paul Wouters - 1.4.20-7 +- Fix runuser call in post. + +* Tue Apr 16 2013 Paul Wouters - 1.4.20-6 +- /var/lib/unbound should be owned by unbound. 
group write is not enough + +* Fri Apr 12 2013 Paul Wouters - 1.4.20-5 +- Fix cron job syntax (rhbz#951725) +- Use install -p to prevent .rpmnew files that are identical to originals + +* Mon Apr 8 2013 Paul Wouters - 1.4.20-4 +- Updated to 1.4.20 +- Build with full RELRO (not use -z,relro but with -z,relo,-z,now) +- Fixup man page for unbound-control-setup +- unbound.service should start before nss-lookup.target (rhbz#919955) +- Removed patch for rhbz#888759 merged in upstream +- Move root.anchor to /var/lib/unbound to make selinux policy easier for updating (rhbz#896599/rhbz#891008) +- Move cronjob for root.anchor from unbound to unbound-libs, require crontabs +- /etc/unbound (and all) should be owned by unbound-libs (rhbz#909691) +- Remove Obsolete/Provides for dnssec-conf which was last seen in f13 +- Ensure any unbound-anchor failure in post is ignored + +* Tue Mar 05 2013 Adam Tkac - 1.4.19-5 +- build with full RELRO +- symlink unbound-control-setup.8 manpage to unbound-control.8 + +* Fri Feb 15 2013 Fedora Release Engineering - 1.4.19-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Wed Dec 12 2012 Paul Wouters - 1.4.19-3 +- Updated to 1.4.19 - this integrates all existing patches +- Patch for unbound-anchor (rhbz#888759) + +* Fri Nov 09 2012 Paul Wouters - 1.4.18-6 +- Patch to ensure stube-zone's aren't lost when using dnssec-triggerd +- added unbound-munin.README file + +* Wed Sep 26 2012 Paul Wouters - 1.4.18-5 +- Patch to allow wildcards in include: statements +- Add directories /etc/unbound/keys.d,conf.d,local.d with + example entries +- Added /etc/unbound/root.anchor, maintained by unbound-anchor + which is installed as monthly cron and PreExec in systemd config + (root.key is unused, but left installed in case people depend on it) +- Native systemd (simple) and /etc/sysconfig/unbound support +- Run unbound-checkconf in PreExec +- Moved trust anchor related files to unbound-libs, as they can + be used without the daemon. 
+- sub packages now depends on base package of same arch +- Build munin package as noarch +- unbound-anchor moved to unbound-libs package. It is needed + to update the root.anchor key file. + +* Tue Sep 04 2012 Paul Wouters - 1.4.18-3 +- Fix openssl thread locking bug under high query load + +* Thu Aug 23 2012 Paul Wouters - 1.4.18-2 +- Use new systemd-rpm macros (rhbz#850351) +- Clean up old obsoleted dnssec-conf from < fedora 15 + +* Fri Aug 03 2012 Paul Wouters - 1.4.18-1 +- Updated to 1.4.18 (FIPS related fixes mostly) +- Removed patches that were merged in upstream +- Added comment to root.key + +* Mon Jul 23 2012 Paul Wouters - 1.4.17-5 +- Fix for unbound crasher (upstream bug #452) +- Support libunbound functions in man pages and place in -devel + +* Sun Jul 22 2012 Fedora Release Engineering - 1.4.17-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Tue Jul 03 2012 Paul Wouters - 1.4.17-3 +- unbound FIPS patches for MD5,randomness (rhbz#835106) + +* Fri Jun 15 2012 Adam Tkac - 1.4.17-2 +- don't build unbound-munin on RHEL + +* Thu May 24 2012 Paul Wouters - 1.4.17-1 +- Updated to 1.4.17 (which mostly brings in patches we already + applied from svn trunk) + +* Wed Feb 29 2012 Paul Wouters - 1.4.16-3 +- Since the daemon links to the libs staticly, add Requires: + (this is rhbz#745288) +- Package up streamtcp as unbound-streamtcp (for monitoring) + +* Mon Feb 27 2012 Paul Wouters - 1.4.16-2 +- Don't ghost the directory (rhbz#788805) +- Patch for unbound to support unbound-control forward_zone + (needed for openswan in XAUTH mode) + +* Thu Feb 02 2012 Paul Wouters - 1.4.16-1 +- Upgraded to 1.4.16, which was relesed due to the soname + and some DNSSEC validation failures + +* Wed Feb 01 2012 Paul Wouters - 1.4.15-2 +- Patch for SONAME version (libtool's -version-number vs -version-info) + +* Fri Jan 27 2012 Paul Wouters - 1.4.15-1 +- Upgraded to 1.4.15 +- Updated unbound.conf to show how to configure listening on tls443 + +* Sat Jan 14 
2012 Fedora Release Engineering - 1.4.14-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Mon Dec 19 2011 Paul Wouters - 1.4.14-1 +- Upgraded to 1.4.14 for CVE-2011-4528 / VU#209659 +- SSL-wrapped query support for dnssec-trigger +- EDNS handling changes +- Removed integrated EDNS patches +- Disabled use-caps-for-id, GoDaddy domains now break on it +- Enabled new harden-below-nxdomain + +* Thu Sep 15 2011 Paul Wouters - 1.4.13-1 +- Upgraded to 1.4.13 +- Removed merged in pythonmod patch +- Added EDNS1480 patch to fix unbound on broken EDNS/UDP networks +- Fix python to go into sitearch instead of sitelib + +* Wed Sep 14 2011 Tom Callaway - 1.4.12-4 +- convert to systemd, tmpfiles.d + +* Mon Aug 08 2011 Paul Wouters - 1.4.12-3 +- Added pythonmod docs and examples + +* Mon Aug 08 2011 Paul Wouters - 1.4.12-2 +- Fix for python module load in the server (Tom Hendrikx) +- No longer enable --enable-debug as it causes degraded performance + under load. + +* Mon Jul 18 2011 Paul Wouters - 1.4.12-1 +- Updated to 1.4.12 + +* Sun Jul 03 2011 Paul Wouters - 1.4.11-1 +- Updated to 1.4.11 +- removed integrated CVE patch +- updated stock unbound.conf for new options introduced + +* Mon Jun 06 2011 Paul Wouters - 1.4.10-1 +- Added ghost for /var/run/unbound (bz#656710) + +* Mon Jun 06 2011 Paul Wouters - 1.4.9-3 +- rebuilt + +* Wed May 25 2011 Paul Wouters - 1.4.9-2 +- Applied patch for CVE-2011-1922 DoS vulnerability + +* Sun Mar 27 2011 Paul Wouters - 1.4.9-1 +- Updated to 1.4.9 + +* Sat Feb 12 2011 Paul Wouters - 1.4.8-2 +- rebuilt + +* Tue Jan 25 2011 Paul Wouters - 1.4.8-1 +- Updated to 1.4.8 +- Enable root key for DNSSEC +- Fix unbound-munin to use proper file (could cause excessive logging) +- Build unbound-python per default +- Disable gost as Fedora/EPEL does not allow ECC and has mangled openssl + +* Tue Oct 26 2010 Paul Wouters - 1.4.5-4 +- Revert last build - it was on the wrong branch + +* Tue Oct 26 2010 Paul Wouters - 1.4.5-3 +- Disable 
do-ipv6 per default - causes severe degradation on non-ipv6 machines + (see comments in inbound.conf) + +* Tue Jun 15 2010 Paul Wouters - 1.4.5-2 +- Bump release - forgot to upload the new tar ball. + +* Tue Jun 15 2010 Paul Wouters - 1.4.5-1 +- Upgraded to 1.4.5 + +* Mon May 31 2010 Paul Wouters - 1.4.4-2 +- Added accidentally omitted svn patches to cvs + +* Mon May 31 2010 Paul Wouters - 1.4.4-1 +- Upgraded to 1.4.4 with svn patches +- Obsolete dnssec-conf to ensure it is de-installed + +* Thu Mar 11 2010 Paul Wouters - 1.4.3-1 +- Update to 1.4.3 that fixes 64bit crasher + +* Tue Mar 09 2010 Paul Wouters - 1.4.2-1 +- Updated to 1.4.2 +- Updated unbound.conf with new options +- Enabled pre-fetching DNSKEY records (DNSSEC speedup) +- Enabled re-fetching popular records before they expire +- Enabled logging of DNSSEC validation errors + +* Mon Mar 01 2010 Paul Wouters - 1.4.1-5 +- Overriding -D_GNU_SOURCE is no longer needed. This fixes DSO issues + with pthreads + +* Wed Feb 24 2010 Paul Wouters - 1.4.1-3 +- Change make/configure lines to attempt to fix -lphtread linking issue + +* Thu Feb 18 2010 Paul Wouters - 1.4.1-2 +- Removed dependancy for dnssec-conf +- Added ISC DLV key (formerly in dnssec-conf) +- Fixup old DLV locations in unbound.conf file via %%post +- Fix parent child disagreement handling and no-ipv6 present [svn r1953] + +* Tue Jan 05 2010 Paul Wouters - 1.4.1-1 +- Updated to 1.4.1 +- Changed %%define to %%global + +* Thu Oct 08 2009 Paul Wouters - 1.3.4-2 +- Bump version + +* Thu Oct 08 2009 Paul Wouters - 1.3.4-1 +- Upgraded to 1.3.4. 
Security fix with validating NSEC3 records + +* Fri Aug 21 2009 Tomas Mraz - 1.3.3-2 +- rebuilt with new openssl + +* Mon Aug 17 2009 Paul Wouters - 1.3.3-1 +- Updated to 1.3.3 + +* Sun Jul 26 2009 Fedora Release Engineering - 1.3.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Sat Jun 20 2009 Paul Wouters - 1.3.0-2 +- Added missing glob patch to cvs +- Place python macros within the %%with_python check + +* Sat Jun 20 2009 Paul Wouters - 1.3.0-1 +- Updated to 1.3.0 +- Added unbound-python sub package. disabled for now +- Patch from svn to fix DLV lookups +- Patches from svn to detect wrong truncated response from BIND 9.6.1 with + minimal-responses) +- Added Default-Start and Default-Stop to unbound.init +- Re-enabled --enable-sha2 +- Re-enabled glob.patch + +* Wed May 20 2009 Paul Wouters - 1.2.1-7 +- unbound-iterator.patch was not commited + +* Wed May 20 2009 Paul Wouters - 1.2.1-6 +- Fix for https://bugzilla.redhat.com/show_bug.cgi?id=499793 + +* Tue Mar 17 2009 Paul Wouters - 1.2.1-5 +- Use --nocheck to avoid giving an error on missing unbound-remote certs/keys + +* Tue Mar 10 2009 Adam Tkac - 1.2.1-4 +- enable DNSSEC only if it is enabled in sysconfig/dnssec + +* Mon Mar 09 2009 Adam Tkac - 1.2.1-3 +- add DNSSEC support to initscript and enabled it per default +- add requires dnssec-conf + +* Wed Feb 25 2009 Fedora Release Engineering - 1.2.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Tue Feb 10 2009 Paul Wouters - 1.2.0-2 +- rebuild with new openssl + +* Wed Jan 14 2009 Paul Wouters - 1.1.1-7 +- Modified scandir patch to silently fail when wildcard matches nothing +- Patch to allow unbound-checkconf to find empty wildcard matches + +* Mon Jan 5 2009 Paul Wouters - 1.1.1-6 +- Added scandir patch for trusted-keys-file: option, which + is used to load multiple dnssec keys in bind file format + +* Mon Dec 8 2008 Paul Wouters - 1.1.1-4 +- Added Requires: for selinux-policy >= 3.5.13-33 for proper 
SElinux rules. + +* Mon Dec 1 2008 Paul Wouters - 1.1.1-3 +- We did not own the /etc/unbound directory (#474020) +- Fixed cvs anomalies + +* Fri Nov 28 2008 Adam Tkac - 1.1.1-2 +- removed all obsolete chroot related stuff +- label control certs after generation correctly + +* Thu Nov 20 2008 Paul Wouters - 1.1.1-1 +- Updated to unbound 1.1.1 which fixes a crasher and + addresses nlnetlabs bug #219 + +* Wed Nov 19 2008 Paul Wouters - 1.1.0-3 +- Remove the chroot, obsoleted by SElinux +- Add additional munin plugin links supported by unbound plugin +- Move configuration directory from /var/lib/unbound to /etc/unbound +- Modified unbound.init and unbound.conf to account for chroot changes +- Updated unbound.conf with new available options +- Enabled dns-0x20 protection per default + +* Wed Nov 19 2008 Adam Tkac - 1.1.0-2 +- unbound-1.1.0-log_open.patch + - make sure log is opened before chroot call + - tracked as http://www.nlnetlabs.nl/bugs/show_bug.cgi?id=219 +- removed /dev/log and /var/run/unbound and /etc/resolv.conf from + chroot, not needed +- don't mount files in chroot, it causes problems during updates +- fixed typo in default config file + +* Fri Nov 14 2008 Paul Wouters - 1.1.0-1 +- Updated to version 1.1.0 +- Updated unbound.conf's statistics options and remote-control + to work properly for munin +- Added unbound-munin package +- Generate unbound remote-control key/certs on first startup +- Required ldns is now 1.4.0 + +* Wed Oct 22 2008 Paul Wouters - 1.0.2-5 +- Only call ldconfig in -libs package +- Move configure into build section +- devel subpackage should only depend on libs subpackage + +* Tue Oct 21 2008 Paul Wouters - 1.0.2-4 +- Fix CFLAGS getting lost in build +- Don't enable interface-automatic:yes because that + causes unbound to listen on 0.0.0.0 instead of 127.0.0.1 + +* Sun Oct 19 2008 Paul Wouters - 1.0.2-3 +- Split off unbound-libs, make build verbose + +* Thu Oct 9 2008 Paul Wouters - 1.0.2-2 +- FSB compliance, chroot fixes, initscript 
fixes + +* Thu Sep 11 2008 Paul Wouters - 1.0.2-1 +- Upgraded to 1.0.2 + +* Wed Jul 16 2008 Paul Wouters - 1.0.1-1 +- upgraded to new release + +* Wed May 21 2008 Paul Wouters - 1.0.0-2 +- Build against ldns-1.3.0 + +* Wed May 21 2008 Paul Wouters - 1.0.0-1 +- Split of -devel package, fixed dependancies, make rpmlint happy + +* Fri Apr 25 2008 Wouter Wijngaards - 0.12 +- Using parts from ports collection entry by Jaap Akkerhuis. +- Using Fedoraproject wiki guidelines. + +* Wed Apr 23 2008 Wouter Wijngaards - 0.11 +- Initial version. diff --git a/unbound.sysconfig b/unbound.sysconfig index 9e80f14..adcf8fd 100644 --- a/unbound.sysconfig +++ b/unbound.sysconfig @@ -5,6 +5,3 @@ UNBOUND_ANCHOR_OPTIONS="-f /etc/resolv.conf -R" # for extra debug, add "-v -v" or change verbosity: in unbound.conf UNBOUND_OPTIONS="" - -# Uncoment to validate SHA1 in any crypto policy -# OPENSSL_CONF=/etc/unbound/openssl-sha1.conf diff --git a/wouter.nlnetlabs.nl.key b/wouter.nlnetlabs.nl.key new file mode 100644 index 0000000..603e620 --- /dev/null +++ b/wouter.nlnetlabs.nl.key 
@@ -0,0 +1,123 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +xsFNBE2v/RwBEACyQpJlpCeSZBV1QUH7jNEp5xGdo6OnX2h9XoZ4ZPsb+u6OT+xE +SH45ncnISUh8rPCygbeWOoPR/yOBzh+lYoGxQ5iUHtwRrhHq04sQe/qFpXDO2xs6 +1pTcPU2PnH7Rsr2qp6fZLPHuXLolD7NJfaSib8sVeMM0/ecyl/L2bBg9NpaGDX0x +TQh95M8o6AFo6UKWApBpgsvEZr2aH/B8b9KnCWFhfJyheEM7DamksdZNsKxXQyq3 +l/ROfdsMLZGF8vPbYV/v11G4keyaLpn8AbBpybIiw9SYDwf2ENk3+e1NFfMaiiyE +qn9+aaLTKCY87TMUuoN3s3jWOOy5tHXzf6DbKhub4Awsby3DH5YpPhi4N2vj2pAX +Vpl5+m78cH29JLzT+HAoyZ4tq1r3m0P5QogNqYwqxkKWYOjDilNDBiKiDdgtrLYG +x+ABovKG/FvToJoaCL4AFaVCzWmL2uHkSgyBN0FPHatCB1UeEkcQit6T8E2NQqmF +WjUMXSWHHajSMG95+L5PdLHz/Ku0o3Csvlt2pkElYZmzJBfnOM9JevdsmKr/ruJC +/DCZAn5w2S/9ZF5qfo2F9HUKIwE/dChR29HcN8V4nqZs9oCvEMfFhHmrfwDc5hed +hvb6mAkvSFFtKIrygLIVeWRj3FE9sGp6sr4VwOLYTFRNk7mAsWD1rZApeQARAQAB +zSdXLkMuQS4gV2lqbmdhYXJkcyA8d291dGVyQG5sbmV0bGFicy5ubD7CwX4EEwEC +ACgFAk2v/RwCGyMFCQlmAYAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEJ9v +HC1+BF+N3yoQAIynfrvZ/8RNAv9lLcSc2PX3fvG7oRJEJSy9uMyIbMtb/a1BVCeh +XjR8GhHJ5D/Z3jRWBQKw1rLLvOqbuBGkpKMR100ZVF4z/8e6CWtTAOFy28f1JQw2 +8kilN7K6vjno21S1JJ1XJAdoFdicyb1SW2r+KYod6fjSyF0lb71od+sdnSE9O/xd +Cqyyu6cX+AwfDcuJ6Y8iOWu8CeWAz41LR1QBUQkCb/08mVfCEu+Cj+M31jjPDZEy +UAw219vr4QFe0o3t+Msv0AUZvcRkW6+8qP5lO6I5we/33WBLZH70lhFvYtobM7HO +MCjheRZguSzvRqEETfTjia1uVi3Yz2qM4CFdJIZF6Er79yKcB3jYquultrnlHdXZ +/IZsHVRk6JfiqFkz9u1T9PkvMoQ452aUomGTg9xQchnKpe1E8osKgLulaY+izTEq +Z8pH/HWWJ/YT13/n8pxK9EbC/8SkVhyXNehOSAGDZar+tjVBofgzS8r+GDyv+pBT +SmjitIrVXZNuhigLp1o7Tvs4kjKlcFnLhfDHJ+yb5JyiZd01bVvaqnfRhACqXfWl +oC0uslRbegoYwJUgX0BOrsOuHGH2SfGjd/QnA0bcEXM2kp1Dp1gqtcEd5Qitm647 +Yz+leWkhrmMmtTwqumXoAcvgzthJFUPcAzuhXZNfqQJMOGRxAGVI0P97wsF+BBMB +AgAoAhsjBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCVu+rZAUJDQIVSAAKCRCf +bxwtfgRfjdrWEACMQK0xYtZtAvLL/8CCcCi92Oi1rtXRGWnRy7JX020hftmWliMq +4P0F3CJKVLhgZ/ldp8OOqmfDfmwLMVSaCQ86Ubqn7Ofrf8Ku8SGQuIMxY2ODB97h +ouY4bnDHaM2Cqi6JkBN+G1tgdwqN/kcecF2tq3ql2k7eX91++A+F5ApIu1silzJP +L4Z8W6MVOdKrtzEM7t61hRlsbpEPj72vbVBZ1hmTiIL4VWwdxQYamxBoOeneskyD 
+DG+iMCI3P1GG3EQkk+9Aect/iH9uruE0mxn2aKN8cfuoR93cPF/ozCxS5ItwAVnN +e39WRO1GT2zYaFgYm0lf9czcpRsRzNbGw938lZ3iPUiZe+ybKgLKkVmvrkM59ljH +T99SrC14VXxgQwSs4gS3rdzbY9tPps62Z1q+xCVfTx1IY5P4nt59xwQV0Iw+pV9S +/mVcOnPXl1UKb0ttOdYJErrq3RpF/D2g/NDtL0OWqIa8LvrBlyQYmWPKvKw76vt4 +bJ3NU31jSc0ow/j7EOVjOst86s629zmtnbJjWVr6LOy5EDUPusmqHv1t4Z4RMjf8 +OrJdNbFJoRXZv8FbW4NzXeGtMf8k6vKeejpdMH4+eLuoZG7dchU1JccfgqfwWpy0 +ojmb59drJcaQgVC6Jvw9l0TmGPNIsE4UrIWocaFgv4dOKvHA2hcnMDM8rsLBlQQT +AQIAPwIbIwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQTt+qPyyk5usFaBr46f +bxwtfgRfjQUCWaU4BQUJEZjVaQAKCRCfbxwtfgRfjb1YEACjkhtkyZkYURUmSZNL +2IK/Zencv7DZGRfFrzijROFtHbe//H8o2ZhlyiaFSA/dT1ehjsukkR0oFkYadA+q +Ui06WpxGmd/jf8hP4yTUZkwOhQAesWoNmnhKePNaVMKY8DP57bA+N2pdCcGu7gUt +Yzq2JoTAtV+P/PE2w+H9eyBAulv6iUckM5/qvGfJPl8HB9BtgOpGN79otVWO6ebM +4TQ3cZYI9BDQnt9cF2pviex+z1iLZVJ8UeRxSxYhrBKPJioi0Q1OgcKyO56t7Eot +zxKl5TzprgvdX4cdls+lehD8StlE2Xv/TScHvdOhJuVBrn3a3QjZPb4qSsz74leW +5/EIQmozBy+qf8AHcCmTXwb2U7oHOct7cVyS5+bFx+ThpV5OK0rjTH1LMNiuTeAN +46c1y3prjZRpQUlgVwj06q3Zz/fzDyueUS/r4lW4nAf/VNZy/rTS2HYPoZbHZVCt +GpDIfag6fV6V97Pd3zfhTf2wmsJsw9Xhktp/o7rMBRSMhvL4oevOXb0JSG2583Q/ +JnCCceB4NxRRxsgkRYHwdnXN9FnOPSa4NyvF4rzpPksLGZrhvm+lBvzVn/e40Q/K +lxvSlnn2vW/WBM4pBq1jsoJrd/JkTdijZV7mt7HQ2bCLXAPgfZjy7n79WiCQVHg7 +iYnNikiNWR5TR7JcvdkxOdiA/8LBlQQTAQgAPwIbIwYLCQgHAwIGFQgCCQoLBBYC +AwECHgECF4AWIQTt+qPyyk5usFaBr46fbxwtfgRfjQUCXe4JdQUJGaQN2QAKCRCf +bxwtfgRfjQ8gEACe+49aDQHRuZdDHK1VCJKzhb+MvfdIjvl8eQxljpG9Uz5Y17Bx +4SWfuLHCeGlh1m6IOAWeW4g6Wowm1ec1PkVa79TdrkKb0MxfLSat6iDbiuVjDxy2 +bWokW0/cPzJ/FoWDtEC0H9UTAMb5QGBDZUbLuwX7ZjvMkAhH15/hO9Gj4RHoH1RJ +GJALRtZzjtzsJqL53kW/EV59V1T79Nocyx018iw50Jn02mI8wYJZ9HZc5C7D+K59 +vcqLRZgkrJrObw0sEv3YFOBYp/1DemH2nHPMBSKMmN5RAcr32guUjd4BEWf2Q7Ao ++Qnhdi161W0YKCW4JAmOoQ4bQ0wfE9Q5aUIGhUF52L+ac8Hy7dByaCExCA/WTqQQ +/iVPybmpJQhFonWt/fmpxbE2wKThSEOHTO67e5e3JfUb0vNKssyZojao4h1MF5nv +aPNKoybWwKnpNM0ORcyl+aogKwW7E15TEU0TE5//gAsFwRDcCnSEKnksgM0321m1 +7RDfJbCajIv47DHDYE3yvhRZjCJCaw0Gow1sDRWjdOFpmIixD5/vx5uxyqSHPuGA 
+sXlEvl+Z3Rdc5bQ7pAWu7UNpR3hnJPfg8KL2xqOF75VKG9/NjLE80yj8wdVoCfDv +vizrBtOXnHI49gCMCfNqbGIb5yVhmTdeo7li+Te9hlJ2DrHnujGJlFe+p87BTQRN +r/0cARAApvDKeVLiSazESdTY9KsSWsqoB38pvOsu25M49tEjc5TtY5LwKNckqkeR +lJ83O8dFG7UBVuGwLKaf/6OR/pe24upZ27eOOWW7sXvQNv5aXlOYfF+mjIhUINqj +q4pKDmO1c9J7h5d+auOVfzcgfotg3BVCaKn56ucjiQJ059uUMfgWTvVlibnoJ7de +Zcgt8v7VcLK9jv+P8QJHTIyDzJd+JjdjuHXqC/A37T5G9Z84x8wYrQY6mZmOIYaM +jwIKdgFeN+nLk5henARUz4MTFUW4j9hHpuyAFomDQ93/wkHZ9IEChTxdZnfvsd// +Z45vfcX9dQM+tuR8XCYThVsScI1TnwR46hi5NkfmHo3HVxwB8/owJ+FZDsTNBbJd +7AVy27Xk4L5hLe7BwLDtFMyOp4lOipCM7//mtFB9mTzqnOwiSSyTRlwGUBJkzQFW +Qa0Z6bfYwA6+y1dn19H519GW49irtl+2+W8W4N8oLriIjPvqrQOyaELFcRfV6FfL +i09HPhHVbejOqIEbOtfuN0+mjrrGAwortfTBjfw80N+W90BTvta4K2SyjHcJTkDY +ehfOo/5IMpGtDsOgvsCbDaFRnNJuYtSqQmvWk1KIPIw6CkdJtZa3+q3YA7D7ovOV +H1OBTKNdBjc+X4W8L5R9MCymXWvgiP+52Sv1VIcZmsnCBrwK490AEQEAAcLBZQQY +AQIADwUCTa/9HAIbDAUJCWYBgAAKCRCfbxwtfgRfjTY/D/9+kX8LeqBhwDdwy3ud +V67KmVmytwGMfzBHbAyBdy84X06ip/If/VkjL+2Sv5Uml/cOOzGZT7y/KEt0uXQz +gOZhGP5Y0OREf4kSzfb7tsGu3ZjTp5uJe7HiJr8uqYGfx94TQG/A3x1C7MlxOGmW +DK/Eh/eNVeNd+3yyDEzl2p7a0yUhI8LtzllVrEDX+G4rz+mdDw4tfPDqzRPzPvVt +PfqnfofHP5r2dshGe7+pCTC+o0jHWpaiFkEiIrR3PbZ9tV6+F5LzCUJJP5nepz6C +ShpLHq9ST6qZiw5ZpdznHW0kVl96YxgynJq9Y4dqD/8nOfTzdHhXXEogGvRfcxat +xeZF7YNFhUU2p+CswAjRKCUzZAz0hDAu+dJ+fw4Odx7ii8uiwhEnEHoo8rPETkXw +UK1je4MCzMRSy0Gippzk/oZ7noIml+Njas/UygavUOQm8bcPqGfWeFqvM2C7ZobL +2iV0fX/bhEmQyosiWJ0nHuKdwDYygYs/4LtZLxwiKli/lm6IDz1028j6/98Z81gG +oltXWokTYAPEgcBuhyiSLSQ1wojTVMYt9rPKMBakTzP+0FoWqoNafWOlHovP6iUB +2Igll2ZT3AvrBQ8jAbRbuUl46QpBaKsl+pBo86az0fRkMxv0N4dQv4Q7Z0g71u9N +Tpaq1vtAZOwc0kl3uGNK18PnV8LBZQQYAQIADwIbDAUCVu+raQUJDQIVTQAKCRCf +bxwtfgRfjVnYEACZ1E/FfLDi4vLUd9diImmNN/zWDHxTsO/VG3lt50rSoJM5NGB4 +RlwcbUKhah2fD44FFiIqGIvKD9hRgB51dVRIkaR3ozVtXRBKxJJqWj38wf2FDLtU +XC5/JHYb0sjAc3ad2sA9xEmEBVO1lWK3J6h4gKZiAGlWz3oeOSve3vrTKsBlP0Cu +rUeb4WTVpw4drBJD7cDh8SJ4/Cq76UFx8lW0xR+pHZHcd0/Ir5v5HnnEgbnut4Ix +eY3/CGBfQfSQHylK7ifmPWq+dflC/ZdfHY1V96EHKPM44ZLwiczoY3qp5nkmEc3B 
+Y6+P8Ch5gddOYaY18wpedarswnpOLQD2Xbsj66Eh0IZuuuZGyfOqJNaWbP33L27e +g35XQNTgyhuZmDyRKL6yAbhU74TXCCvze/kkfqDn2ouCtM8/kqLX1v0+NkBxlhZU +kTTVDyclZtwu6Vypus3+j2Zqk8sXeUZI64sjXpzwOcMZxdl3QuyxMktExWzk9Q5D +YqO+pj/YGt1vp2M0YgSUWNWCvfBcjEPFgaljyqz3BdvR/LYohnXuQL9SWObF+sIF +c9D0w/yORYQcKP5kSWVC/qwFdC61OGeSDnQ/0o0T5PefhYS82gsIrjQ+HIJ7CLUT +k7kBNljvtfpoWegH02feR0kSRoCXA6x+YHT4fmB41pW8S1V5a5dEltA/JMLBfAQY +AQIAJgIbDBYhBO36o/LKTm6wVoGvjp9vHC1+BF+NBQJZpTgKBQkRmNVuAAoJEJ9v +HC1+BF+NyNQP/A3h+cOOkYUxyKpNHdtlIfCn8db5tHXSCbE19Qi7EK1SiK5atjo+ +VoRtB+L01kH6GCx5oZjeIhUdzYFwEUsdCDgwD6r0dKFwKIGa4TFcfnx+Z5B+HZgL +Yc6ac5PEHF1qZVXZH9GSGeNw5h2yyqf4yhvetSN6L2id14m5XXJV5e7NfOgmaSnG +0Z+wQvPSiu+Q00XpENT8HFSTSCjRATjk12rpy6TPeeC52NK1gLhGDRHN0k6m+vm4 +yoC+Nd6iPQpnc+5xs7NDnq2dFuSTp7UTGebzPhhdSQgujEFuYLwzQMZu1h5amtA+ +v9j7BYEJkOMC7bm1PNNA2QQ6QfH8Hf+mJeINyJO8A5KS3ceP+eo3SLR8T0hPzu9g +ZuZ22Hn3DXQh1VNRshaLKgNvoXpL3dQ48d1SFFKhEDpy2HSXUq2fs5rH0uszFGes +G7K6EQRAYRcDrCkt9fdfkvCSxAFw9d+472xThzgKcN+MkOec+SaY+xlVULjEfCWy +RVC8Opam4mTm/XT4mVLxP/qnsy7kEhLoc/ouB+lY/ks06LpZJvCXL6WfA9You1Fi +1Mg7GhSh9JKg6X6E8Trm+N4dxJGut1xbbGmmKXqfi4pej9KlkdeM9t1df/vWKlPa +7Hzd8H0btgJx066wC4yt0ghxtsJXBsCDxWLfzaSRZ2/eP16mHqxDjsQQwsF8BBgB +CAAmAhsMFiEE7fqj8spObrBWga+On28cLX4EX40FAl3uCX0FCRmkDeEACgkQn28c +LX4EX43TQA/+JV8ReMRJCn3Cfqbe5ycFn8p6dIVnJiQuhiEyu5yzdpSkKyzcVFJO +bQcqw7s50FJuLUbxdvbcuGIaoTu7dhBoUXO5tOuIQAsKTfGfgoOgelJm+/q2h645 +EnAVINGbMDXrmo4/UFJkNjUMA6SQi/yiam7N0y58eoDC4sGmBKuN2EW2MoWahlXw +8SS1+Ab9qVBs/RqbSy6f1nJL39aPpPDmvyJOSYtHnNSFlYWVhr0zGAi5rnswlFGr +ECGbHpr5FajUK7zcmtNPbi7F30K48xfF3XnDIeIBcerrEBQMaPUZcBlddGhmSVVJ +ZU/YhR35JNgPnmp33gOuZaRiW9lauZFwsMQBIBkLpJWoUtu8QLkyC0HmJzVRep0/ +s1RkzaJ+1G1BzXTQiXaLaUQWG5h3pcMD8fxY5qp9KbG/+10bY0sRbRBXgS6mz7dd +HaBtg/E8ty2nEB1HDXA9HAHu7KlH9e96sPZjz9C46ZiOXe6ZAOk6wBYts4RG4bCQ +9pGORJ+P2Jr2pz1NZQbs1AhnjJixTsfZfsGZ5lHxGLjIyxtdGB/irLEqNTIMek2y +p4CShmWoZwN0V3aGYMe/rC4tSXG79IeKNwF3Vd5MHtB+hcJG2qztBtKQuW29rbRA +5bNxwTWe8skwOKsxXnP9RC974k0XkPS+VwgmVgNN1ewS/0oHvmEP71Q= +=Oqje +-----END PGP PUBLIC 
KEY BLOCK-----
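Review bot: The new public key in wouter.nlnetlabs.nl.key is introduced with nothing in this diff that pins its identity, so a reader of the patch alone cannot tell that it is the expected upstream signing key rather than an arbitrary key block. Before it is relied on for verifying source tarballs, its full fingerprint should be compared against a copy obtained out of band (upstream's published key page or a previously trusted keyring), and recording that fingerprint in the commit message would let future reviewers re-check it without re-deriving it from the armored block. The spec's signature-verification step is not visible in this chunk; it presumably has to reference this file name, which should be confirmed in the same change so the key and the check do not drift apart.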