diff --git a/.gitignore b/.gitignore
index cec9517..7b0a36a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -81,23 +81,3 @@ unbound-1.4.5.tar.gz
 /unbound-1.17.1.tar.gz.asc
 /unbound-1.18.0.tar.gz
 /unbound-1.18.0.tar.gz.asc
-/unbound-1.19.0.tar.gz
-/unbound-1.19.0.tar.gz.asc
-/unbound-1.19.1.tar.gz
-/unbound-1.19.1.tar.gz.asc
-/unbound-1.19.3.tar.gz
-/unbound-1.19.3.tar.gz.asc
-/unbound-1.20.0.tar.gz
-/unbound-1.20.0.tar.gz.asc
-/unbound-1.21.0.tar.gz
-/unbound-1.21.0.tar.gz.asc
-/unbound-1.21.1.tar.gz
-/unbound-1.21.1.tar.gz.asc
-/unbound-1.22.0.tar.gz
-/unbound-1.22.0.tar.gz.asc
-/unbound-1.23.0.tar.gz
-/unbound-1.23.0.tar.gz.asc
-/unbound-1.23.1.tar.gz
-/unbound-1.23.1.tar.gz.asc
-/unbound-1.*.tar.gz
-/unbound-1.*.tar.gz.asc
diff --git a/Yorgos.asc b/Yorgos.asc
deleted file mode 100644
index 8d0008d..0000000
--- a/Yorgos.asc
+++ /dev/null
@@ -1,128 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -mQINBFfYHeYBEAC/8SdeXNspt9ZIoZRSL9juNLHA17TXcHdKSthgWBtwwWZbUPq8 -SJr7Y+hr6jMCDKY9800QzLF0nLkyXnZgaBcvR0rRbCT/qvALJ0fpfjcotapZ1hBv -omb9s8Bo28uKn8tbTMXYNsElUae4Ch/CrU1vfe50YoyQgLR8UBa15gV+2RmC+6jI -qxDYS8sylWlDn6Qim+77feLlObPnNdzgfWGZo14eJByTsz0qrh8aS/BS1FAsnEQ6 -W6AqukhpuKuWvoAUXKjfguXQolxeexubmKaLcGOTvecw+cbh/a5SPHRtRVr9qTxp -elk6UEpakY5K9UtZkrG55VWih/4KqY9bNyhJBtpAk1fXA+mYfx5BcFpECYdU9kz4 -UgV5jK0HYRHQTLC91PPVQgH86we+Aae6TaJneCLEIzBK36TgAP8RKrvFfPUym5OP -YbWOom27QTKfRVcyxPKglJxrTSWixnKWS/pqxNY8hF9Ne4crRAF4wX2yBVbGnjNr -S9TpYmjMwURbuYm+rWZk/8w5OJG60V3wax56c0jn/42O3Y2hzQ+PbOv2M4UuuajS -2YL3/KUsRLBapUpPQjzChwzdr/vzFEhk9XxK2VGMN+dh2HjYwDFendc5csyt/cVr -g3LssVS2bKy5g3IhrzCKAk0Sky4S5t/mcN+lWztNvCijuLz58GCym5GwJQARAQAB -tCtZb3Jnb3MgVGhlc3NhbG9uaWtlZnMgPHlvcmdvc0BubG5ldGxhYnMubmw+iQJX -BBMBCABBAhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAhkBFiEElI60IyLF0At5 -NA9dz/M0TZCHpJAFAmjWhkcFCRLfm+EACgkQz/M0TZCHpJANXhAAvTpKNl5+kU1d -lcFrXx4pgi/knhe0y1Z+ENQWVDYTs9v+lMoyCRQuAt1Cir1LAGWfRBdTQh60I6Dc -BDj+15pFJCv/dyZiQLPUgxLtIxkwIUSjELp8JevNHhGMNz7QWdG4SEpG2aF/D2Zz -kvaoomPGjRyo/bkgR2la6eqrCOxYVP+FT7682yf0bCvSTs1kTrnwFY93s7O2RciI -MS0XWcHPtoi96JxhzUIT+v0gSFuitZhRGPh9pyIcHmRER1yKugvMp6xF5UjNIcfL -ScrNlGXgjc6EJiGXS5CHliIlxlAxs4J1T9JiGQZOAW/CPxe4IND34DhqwvQcJdtL -8jt1b2xUcuFfYNa3SY671OnLt3EhwMsYDaSIXrPqW8R6XuaSxhb4sL/okHkb833b -CgaWvjQZgRm1h0R2IY5C3kHotsLUd2fygrtVVvaLxGEoi9UBsKoLu2kHEJnV5HJO -jfJMBBGgGFscfk3p1v4SAA30xPR7i6O2KDmFsVzL6xKbnFMMmayEVfWzGXmxB7lv -ob6HrJIvVH6mx64OsAY0LQI6abQI3TTZn13+RNxuATQS+j0tqbZvVJtWFw41eqsU -OqeNF9W323uvhJcjDyYquAREIivFXkzxa9y3rgQfB9OX9usD79aij4y/YLqZxafl -InYUlMGygNOGXruFRZ7DD6zciK2Zu7W0K0dlb3JnZSBUaGVzc2Fsb25pa2VmcyA8 -Z2VvcmdlQG5sbmV0bGFicy5ubD6JAlQEEwEIAD4CGyMFCwkIBwIGFQgJCgsCBBYC -AwECHgECF4AWIQSUjrQjIsXQC3k0D13P8zRNkIekkAUCaNaGWAUJEt+b4QAKCRDP -8zRNkIekkKovEACQkeEImQeer9jsY066WyIpvrhcy6xtWjeW8v1ZasRoi+DOFWeA -18O5iD34UaIPPGFRu6PRdSMLdUqtelFgONVDnXEuqOGAptMcCI4wp4+NIFd00v0J 
-9A9ur7xWt0Q0O1fMjFOMPa5oQK9dg1MCI0/RWRObOPf3cIr2NhgWwBuKTCluKyFc -mnRQXwyxBGCBRvK5zKmA8BBlnHuPfunTAcduNSExUx3e0w5BD5lcG4YeyuR+IRcY -HJPGU20f634dDSJGKJvGxjpaCxGQNca6s8Mpkq3lm/D3Ia4Vpw/HdiSawv/U71S/ -4F6lctMjvoS73Ao9DZ4iDPqkHJ73HidNp7n25SLnXKruZsnXitjYT8ueP7byeLPi -7IvqoENXoXNqNfDuXfqri/WnHPYWbKIdj5WWFeaR3Ws+szw3Wql7mJ1cNFWbNCE7 -rGFPhSNyG3n6mlEBUKUYn8FuOF9PHwwWl86GHLI6O4xOIohESyrZrq2mJS61sSq6 -AAQ7cqx6UMNJdBcgB5Ry7qRUF6ZmowZZu3aWFF4dW+LwMvuaFjKzShsKzj8GCE0B -pQDjy+IeWM2mBVneuCicWwvbSzVWx+Ow42QRvmH8Ja9PqoIYeJQUiMr1+aAG6kUK -3VW4iugsu3/oFIlFrkYZy9YEfCOEMgqRKL/cuBJTZt0OPFRE/9O/M/FVmIkBHAQS -AQIABgUCV9kUOAAKCRAwkY2CdXJCIju1B/oCvf1kWYndNeLS6U2O6DtFAL2Ia5tY -Zukcyqb1hkYcrBiMZbQN94gX5a+6Q4pdd2n241r1ZuSWdwUhRUbF4mvbZMVsavnk -cvrRGviVIUXf71W0O/IsmQ9oN0Finhpf14Y4z/xqF8DpvJdkWc6X5g+RJuko6q2w -B7x2UfSyF4USp47LSmUQnC59IF8jzaElgBha3gwEuXL3d2qBepoV/e9RiXJClUAT -+O7qdxzDq1eiZ+NXUjDCmrkuWjHLAZAv0jx1KUTCQ2no62UM95igtJ+Kn56Lc2+J -CqFJztaZeX8CgXXryxNpsyhZJ33dIoLCT03K25wrV5Y+eag05slQ9sC3iQI9BBMB -CAAnBQJX2RCwAhsjBQkFo5qABQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAAoJEM/z -NE2Qh6SQ3JUP/2G3bRNObS7zsfN3rjkbjLxaDOwNggRdbeXM5rHDVEG9SWesCGaI -vyQdkSGQoIaKUgNv7Yp8O8pEnD4IwdhNSaXVIB3pBtdOD0UM1wuxRpfqJOUxZEoW -T2Jr31Tg2qepp6nT7UmdiF7uCBDy8Jm6k6Q+6UT58cPaesRQdSPi6Go7ho2/xVvK -Ve9ufSTSTdG5+7bJDu6Iv7sydKUEG4jPDqo+jjVLn1X6Rfp+E4JAvOvFrSJHW5sa -A332xV40GeV+aM1ndP7dPkz8+AGB3QD7JF2DLcqvLo0TYOvjnlOGYcNp8gzp23g9 -KFwe2sdbdtVpuWaJUSpXXiUZnFzrrVxDNiEBjqsPa5ysOxzJ+1gUbcrIjUeNeAFh -us4XL+IidPATnhTIX3X/uPRB87KaTaA8XUqsuSd2DM9mLxdHKC9Jf8D1t+ywYrek -Cp+K80vCtFPWBM4+w8nGugTNKJEGIXZDGFOF/c7r6xKkaOYK0Y+IGJawlV5LaADl -BmQpPk0ubYclwb07FcegaHSxxIqUo/kbyt1YV5mU+QVymZ+xyvIBrnW8hBuNWRvU -5acnIZibCERayo8ZuI+r/X3bLHfDx0oh2h+cL3utNZUqmgZNR0Di8P+x0hUYsYPO -TJaDBSgvxUtY0Ci+OWX38kffGGvhW3CM8V6skdVc8cp7Db7gxase4BxxtC5HZW9y -Z2UgVGhlc3NhbG9uaWtlZnMgPGdlb3JnZUBvcGVubmV0bGFicy5jb20+iQJUBBMB -CAA+AhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEElI60IyLF0At5NA9dz/M0 -TZCHpJAFAmjWhlgFCRLfm+EACgkQz/M0TZCHpJCWag/+MJOLW1tBNPA9sBcjl9V4 
-Cjc2TIR/r8RRGv5lstVXlXc5T4SR48UvQTxaUU+KJia5POsaAsw9yk7Zz4r7ul0D -Vd9tzHCcwxl46e0Kwn2VGBMHThsWC7QDuK7b+4AlxeO4EDWRPPw4BCB7aTxJzA3N -O4qpEF4TVeb97uyNQr2YaTGUzSI58vCgXgeOpH9ivomQi1nCxZbdrFh2yKJ+H4EH -gI8+D9iSnJMI16RS1dE7Pa85IG+qPd3owAbOlc+tBsSvdbFdRufQZeiNGKfQno1E -oygZt8svcuKpGAG1flzpPu5LE9oMsIDia9hcn4YFqr80F5bW1rUvFeC0rYp9/0ui -6lo34PAhEieB8XzjbpDDEnlkziRoz2YNVJmZOWrCAMI1bUFI5/+YWuJTXCGF62dE -dO7aBWoUkchkGGSGKbPW9KYdmqMdfOeuqZRBhKs8bgHIArJ+kvglhCJr/qNX5T8p -oCHE5bnEwFxnH2Q6a2ffpMpOExGvPaoAWlym/ID/MMet0riZ2izFUdmjEkA0HUaa -7h5x1dKMhHzYDXOW8Ksx9vE24gLrjfqfvIiYpErn+SVs0KUqkR0BRWLRYjyq/Bj/ -btTQXcDeYpQj4tL2cX3Eosqaoy5NDGCK4yqWOxENOJ/YcO5dTPJDNsHlc2JSdejz -a4g8AHFlkpPn0tlflbuE7q6JARwEEgECAAYFAlfZFDwACgkQMJGNgnVyQiIHjAf/ -VrPMgIRjRTYi4cxOr5ewaim1hgJZO1oCJoMopwIvpZ2kAUqL/uPMT3wREe5bi79H -jXYcaX+RbrV4ZdzaajDUFCj867KGErxqtRkANJ1eNLcQmVwGNoFeTQbgEOBfKq1t -hRfMqHF3fxCPJp4z4U3kBPUpIQPERjgUdkH8fxZ34Omo1SLO1b0dVqsneezccBVv -Hj7gVoaWw65Ov7vngwNCKH3fjOkcoINTH/nEw4WWh6UV5ZN49GRqa6oWdUJMZbgB -w8z357RLN6YLe7KMh4oGpUIvfH6Vfq6CIb6s9pfgjAvq8O7p9n0/0FG77j84MuGw -fdhq8eSazO/j9LUCBM+8k4kCPQQTAQgAJwUCV9kQiwIbIwUJBaOagAULCQgHAgYV -CAkKCwIEFgIDAQIeAQIXgAAKCRDP8zRNkIekkN9pD/wI8JAyjJEIjUJNLRuARDDv -pJrQjAo/02naPcGs4yyUd7yRkhzVKLFLvif8XICxxLWk6FdT0PJeKGTvRoe2+Rje -c14rO30niRymWkBi36iDW46Dpt7Jx+LUDhUMYPL+woKSoHmbBGWLSYXKxaD8F93A -nVs97nP4PWpspv2BFiuwKGsSsOyyQPPvr7jCin3H5oPH9qDnIV0KonAYbzzEKod5 -t0Rgzo/nWXZBFXWC5xvKeghwkdT++gYS/ThvQY2ua6A1XRE8BntyldD081NPi3NO -dWa9m8ufFOJsEEiWcpdT+EWoDw5JyGAR7U3IOVl3BTo7shdcYEvRVrDMBpac+ItG -WvogUv7alBdHWi48amvZE06RI/nDJ/rxj13S/4POgMHU++aQI5a1G5H3jBu4cehH -4iT1UKmozfzVEfcHb2dsaKnnuFzQxmol0lZu1ETyof+Lxvs+wErN0QR+VDNweJEJ -PMXiEcjASdLtrEKgFSP2B5yGGzt93C+HbD+VQOU359aAnvVjbTAVz8izuMphd6Bz -Ix1q//q2VmxqjjT3Iv30hBRX02x2M8gsP/e49XWEll7stkMtbYhBU0sHQ2CqzLGh -gJN3ecpi2sKWVqN8HUZOwJFj6f9ZX76YSM23wIugHfscMAVJUXvBrbd151WIshOf -FFPo62sYGt+SEMXWeRcHjbQuWW9yZ29zIFRoZXNzYWxvbmlrZWZzIDx5b3Jnb3NA -b3Blbm5ldGxhYnMuY29tPokCVAQTAQgAPgIbIwULCQgHAgYVCAkKCwIEFgIDAQIe 
-AQIXgBYhBJSOtCMixdALeTQPXc/zNE2Qh6SQBQJo1oZYBQkS35vhAAoJEM/zNE2Q -h6SQjBkP/0IvctNT9T+DtGZyMiw/Jna9G3QhtW7exhlxzqqX3tFmZpaJj3VswyqA -5hx5BdJEShC8qNEqrBCHxcCZgsLvR3GKc/0LTgP7+7VH/ugAScrlVeI8rB6V1jn5 -cnfY5fsfOQ8i0b/8C+CiEe0TW90VRHjYV6DWMdUfqQb3E/snl23RMFeTL0Qrrk8H -Lo3MTko7TeKRYOV/g/qQkb9CFQZNyzgIjD7uZi8or8qFJ/uZTnlBq5/NRDB5Z3ew -7WXc3QrRUXmbbDzdnIeCtu5vmuk+hc69gbOst9nWf3y2qlK7BjZqT+PqKZa/fa/i -5pZpv1hB8DrA2WTIpN7iXhCvABXSEoUOJaLkRSJVDqzvuaeqOEPrk1aJSMWoio/w -8RRa1L7k6m81Dc0dqYbBOSI4MCNm8ZawQI2L4qRs5QORg4nRnAevFgkzhJKFYF2N -jzX/2xlAuOym126DODC9qJSJZR7uTOJXh0yqknfkPgDXjchpzq+Q+CM+jYo6AGas -/XPAuRQCQaLSYr9UPL7Fn62//ysZQAyAkJQR1u7UwAd6/UTTMVZpUJsLQyMyikF7 -UT4K7MWrvkZxMRPhGan0P2pRe36M9BBjYRTp0TIr+UjUT8iBfjdrttI9DQlkcEeQ -rKhcE31KqjwJMdiuzbpqqXaEss9AFuJng3Owewt4wAft3eu1U7PWuQINBFfYHeYB -EAC2h9yjSe2SgtcB0H+E0ndaewaZaQCE7q+RO43dotGH9eFnVwE4/ftcK1SN42ih -lF5OnTaKPyXvgQ6U8W8VB8eLjeTwA/dSXuJX7kJpEK8saPqJP6zTUmPqp/GSzS6Y -rhKLfpFn4chmywpDFcGNMz0sYXiJgPqKL7W0KuG+ziPToAeWl8ckeXyl77/lHVhW -YylaQJEASklqCViPXSp9vI7/57UEm4MQPXwsDBOwuVVqcSu3ZM5MtY9XlbVPNCYm -ZIMqmh8HgYwbiq9dTfJi+6v17+uDQGZewWK/WwFM+9dDx7YkTeOBiUduYtJPW64N -W/RJ7pskbLAy+OZApTZWg0cISN6GOmPN3F0AiWzUjvSMREHhFHyxj4Y15vuDOFvP -GFxr4xBiyMX1JLCKK6OFnyPfoJ9v/o3UgrQgLrfXCmKdvkwBCgJvN3Fsxzha6Dtf -6RcZ02fr7SCZZhdBrlrflvC1uWZ0g3A87ss7h4Iw3njlO3aX6Bo9R4VOLUkiRKi4 -hmQBxPvXxI2ERmKRomo6lrMaDMzIjD4APSM1vUfZguzQxVYpM8lwy1COeqxsj5p+ -LH6f/EU+4dXZwooJ1uanBOvG2ntnz8SErE+e7wNYE4a/fb8xYM4j7p6qYtnNZPb8 -sj8bvx8iWXp4A1csVetyVSchBhTVQhhNos6ouYpc4ibrYwARAQABiQI8BBgBCAAm -AhsMFiEElI60IyLF0At5NA9dz/M0TZCHpJAFAmjWhoAFCRLfnBoACgkQz/M0TZCH -pJA4sA/7BZrP4nwWF1eQVliMWJ1KKG+sHizK4c+ZiB67aFJw4pLDCL5o6unOWH8V -ocr1pWC/BMmLG4K77O2qadhUH7mzXm/ddZ/DVF3xHTvTmG1W1bLd6zj3k6qOFYq8 -yPS2QNTa3+3oNbtZQ+RpvhCAmv2Dc1GMPNP2hKR/Ju9r9NwGWBEDQBtiMZ7872QJ -yR3IFyfQGRvj+GBbEBvJwCFmaRb3eDorhaNhM0b0c/RbIueEWD40nkCUtmM4Zrc1 -0HLod8Li8C4j8sIqIdfTKo1RiJUUg86q1K3pGA86hoOzeaihZekcm6wMwGlhXymb -Ng41yB/ZTedl9wk+XEEcD6HZMCXyfh55hBdWG06aEhMIALjOCj2VkRnDLmOKLgDZ 
-kg7OOQxDfKACCCvk72HZG3qKtaN9oNH1oeaVwc3ytWR8y2hQJcCxmoQsLn+Xvkgc -aYRNklPW2z8817J3fmvvwS0o6sOWRHLb0XAc+NZg4lEQOgwVFrE0XIAgkXHLQbuQ -GRpRzRncHX95RXMzGb1+8kpWEcM7gazgUA3omoAumwNEqmeBX1TmEtDop1k5RFCS -UWbv+A2s2GSAb05MHY0InIhMxzJXEa5+dJDPSvZnbiGRGhQitEe4eIlmPcNA1lB+ -ADFE2UTzcpRTo5cOKfrXyZXr6JCEl2+tB3o5m0v7FRdr6+zIS5g= -=Ubkv ------END PGP PUBLIC KEY BLOCK----- diff --git a/changelog b/changelog deleted file mode 100644 index 7ce4f5e..0000000 --- a/changelog +++ /dev/null 
@@ -1,917 +0,0 @@ -* Thu Nov 02 2023 Petr Menšík - 1.19.0-1 -- Update to 1.19.0 (#2248686) - -* Wed Sep 06 2023 Petr Menšík - 1.18.0-2 -- Skip failing tests on ELN builds - -* Fri Sep 01 2023 Petr Menšík - 1.18.0-1 -- Update to 1.18.0 (#2236097) - -* Sat Jul 22 2023 Fedora Release Engineering - 1.17.1-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild - -* Tue Jun 13 2023 Python Maint - 1.17.1-3 -- Rebuilt for Python 3.12 - -* Sat Jan 21 2023 Fedora Release Engineering - 1.17.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild - -* Fri Jan 13 2023 Paul Wouters - 1.17.0-2 -- Move unbound user creation to libs (#2149036) -- Use systemd-sysusers for user creation (#2105416) -- Keep original DNSSEC root key as config (#2132103) - -* Tue Nov 01 2022 Petr Menšík - 1.17.0-1 -- Update to 1.17.0 (#2134348) - -* Wed Oct 05 2022 Petr Menšík - 1.16.3-3 -- Correct issues made by unbound-anchor package split (#2110858) - -* Fri Sep 30 2022 Petr Menšík - 1.16.3-2 -- Update License tag to SPDX identifier - -* Fri Sep 23 2022 Petr Menšík - 1.16.3-1 -- Update to 1.16.3 (#2128638) - -* Tue Aug 09 2022 Paul Wouters - 1.16.2-3 -- sync up to upstream unbound.conf -- Enable Extended DNS Error codes (RFC8914) - -* Tue Aug 09 2022 Petr Menšík - 1.16.2-2 -- Require openssl tool for unbound-keygen (#2116790) - -* Wed Aug 03 2022 Petr Menšík - 1.16.2-1 -- Update to 1.16.2 (#2105947) for CVE-2022-30698 and CVE-2022-30699 - -* Sat Jul 23 2022 Fedora Release Engineering - 1.16.0-7 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild - -* Mon Jun 27 2022 Petr Menšík - 1.16.0-6 -- Move unbound-anchor to separate package -- Move unbound-host and unbound-streamtcp to unbound-utils package - -* Mon Jun 13 2022 Python Maint - 1.16.0-5 -- Rebuilt for Python 3.11 - -* Tue Jun 07 2022 Petr Menšík - 1.16.0-4 -- Restart keygen service before every unbound start - -* Sat Jun 04 2022 Petr Menšík - 1.16.0-1 -- Update to 1.16.0 - -* Tue Apr 26 2022 Petr 
Menšík - 1.15.0-3 -- Stop creating wrong devel manual pages (#2078929) - -* Wed Apr 20 2022 Petr Menšík - 1.15.0-2 -- Update icannbundle.pem - -* Tue Mar 29 2022 Petr Menšík - 1.15.0-1 -- Update to 1.15.0 (#2030608) - -* Sat Jan 22 2022 Fedora Release Engineering - 1.13.2-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - -* Sat Nov 06 2021 Adrian Reber - 1.13.2-4 -- Rebuilt for protobuf 3.19.0 - -* Mon Oct 25 2021 Adrian Reber - 1.13.2-3 -- Rebuilt for protobuf 3.18.1 - -* Tue Sep 14 2021 Sahana Prasad - 1.13.2-2 -- Rebuilt with OpenSSL 3.0.0 - -* Thu Aug 12 2021 Paul Wouters - 1.13.2-1 -- Resolves: rhbz#1992985 unbound-1.13.2 is available -- Use system-wide crypto policies - -* Fri Jul 23 2021 Fedora Release Engineering - 1.13.1-8 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - -* Wed Jun 02 2021 Python Maint - 1.13.1-7 -- Rebuilt for Python 3.10 - -* Fri Apr 23 2021 Artem Egorenkov - 1.13.1-6 -- Option --enable-linux-ip-local-port-range added to use system configured port range for libunbound on Linux -- Resolves: rhbz#1935101 - -* Tue Apr 13 2021 Paul Wouters - 1.13.1-5 -- Fix unbound.service to use After=network-online.target - -* Tue Apr 06 2021 Artem Egorenkov - 1.13.1-4 -- Don't start unbound-anchor before unbound service if DISABLE_UNBOUND_ANCHOR - environment variable equals to "yes" - -* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 1.13.1-3 -- Rebuilt for updated systemd-rpm-macros - See https://pagure.io/fesco/issue/2583. - -* Mon Feb 15 2021 Victor Stinner - 1.13.1-2 -- Fix build on Python 3.10 (rhbz#1889726). 
- -* Wed Feb 10 2021 Paul Wouters - 1.13.1-1 -- Resolves rhbz#1860887 unbound-1.13.1 is available -- Fixup unbound.conf - -* Wed Jan 27 2021 Fedora Release Engineering - 1.13.0-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - -* Thu Dec 10 2020 Petr Menšík - 1.13.0-1 -- Update to 1.13.0 - -* Tue Oct 13 2020 Petr Menšík - 1.12.0-1 -- Update to 1.12.0 (#1860887) - -* Tue Sep 15 2020 Petr Menšík - 1.10.1-5 -- Move command line tools to utils subpackage - -* Wed Jul 29 2020 Fedora Release Engineering - 1.10.1-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Tue Jul 14 2020 Tom Stellard - 1.10.1-3 -- Use make macros -- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro - -* Fri May 22 2020 Miro Hrončok - 1.10.1-2 -- Rebuilt for Python 3.9 - -* Tue May 19 2020 Paul Wouters - 1.10.1-1 -- Resolves: rhbz#1837279 unbound-1.10.1 is available -- Resolves: rhbz#1837598 CVE-2020-12662 unbound: insufficient control of network message volume leads to DoS -- Resolves: rhbz#1837609 CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers -- Updated unbound.conf for new options in 1.10.1 - -* Wed Apr 29 2020 Paul Wouters - 1.10.0-3 -- Resolves: rhbz#1667742 SELinux is preventing unbound from 'name_bind' accesses on the udp_socket port 61000. 
- -* Thu Apr 16 2020 Artem Egorenkov - 1.10.0-2 -- Resolves: rhbz#1824536 unbound crash - -* Thu Mar 19 2020 Petr Menšík - 1.10.0-1 -- Update to 1.10.0 (#1805199) - -* Fri Jan 31 2020 Fedora Release Engineering - 1.9.6-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Fri Dec 13 2019 Paul Wouters - 1.9.6-1 -- Resolves: rhbz#1758107 unbound-1.9.5 is available -- Resolves: CVE-2019-18934 - -* Fri Nov 01 2019 Paul Wouters - 1.9.4-1 -- Fix build on rhel/centos systems -- Resolves: rhbz#1767955 (CVE-2019-16866) uninitialized memory accesses leads to crash via a crafted NOTIFY query - -* Thu Sep 26 2019 Petr Menšík - 1.9.3-2 -- Obsolete no longer provided python2 subpackage (#1749400) - -* Tue Aug 27 2019 Paul Wouters - 1.9.3-1 -- Updated to 1.9.3 -- Resolves: rhbz#1672578 unbound-1.9.2 is available -- Resolves: rhbz#1694831 [/usr/lib/tmpfiles.d/unbound.conf:1] Line references path below legacy directory /var/run/ -- Resolves: rhbz# 1667387 [abrt] unbound: memmove(): unbound killed by SIGABRT - -* Thu Aug 22 2019 Miro Hrončok - 1.8.3-8 -- Subpackage python2-unbound has been removed - See https://fedoraproject.org/wiki/Changes/Mass_Python_2_Package_Removal - -* Thu Aug 15 2019 Miro Hrončok - 1.8.3-7 -- Rebuilt for Python 3.8 - -* Mon Aug 5 2019 Zbigniew Jędrzejewski-Szmek - 1.8.3-6 -- Drop install-time requirements on systemd (#1723777) - -* Sat Jul 27 2019 Fedora Release Engineering - 1.8.3-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - -* Sun Feb 03 2019 Fedora Release Engineering - 1.8.3-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - -* Fri Jan 11 2019 Paul Wouters - 1.8.3-3 -- Remove KSK-2010 from configs - it has been revoked - -* Wed Dec 12 2018 Paul Wouters - 1.8.3-2 -- Another dns64 fixup - -* Wed Dec 12 2018 Paul Wouters - 1.8.3-1 -- Updated to 1.8.3 with fixes the dns64 bug and has some other minor fixes - -* Mon Dec 10 2018 Paul Wouters - 1.8.2-2 -- Fix dns64 allocation in wrong 
region for returned internal queries. - -* Tue Dec 04 2018 Paul Wouters - 1.8.2-1 -- Updated to 1.8.2. -- Enabled deny ANY query support and edns-tcp-keepalive -- Set serve-stale timeout to 4h -- Updated unbound.conf for latest options - -* Mon Oct 22 2018 Petr Menšík - 1.8.1-2 -- Allow group by default to unbound-control (#1640259) - -* Mon Oct 08 2018 Petr Menšík - 1.8.1-1 -- Update to 1.8.1 - -* Mon Oct 01 2018 Petr Menšík - 1.8.0-2 -- Skip ipv6 forwarders without ipv6 support (#1633874) - -* Wed Sep 19 2018 Petr Menšík - 1.8.0-1 -- Rebase to 1.8.0 - -* Tue Aug 14 2018 Paul Wouters - 1.7.3-9 -- Fix for restarting unbound service after deleting key/pem files for remote control - -* Tue Jul 31 2018 Petr Menšík - 1.7.3-8 -- Release memory in unbound-host - -* Mon Jul 23 2018 Petr Menšík - 1.7.3-7 -- Remove unused Group tag - -* Wed Jul 18 2018 Petr Menšík - 1.7.3-6 -- Cleanup generated client and server keys (#1601773) - -* Sat Jul 14 2018 Fedora Release Engineering - 1.7.3-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - -* Mon Jul 09 2018 Petr Menšík - 1.7.3-4 -- Do not call ldconfig if possible - -* Wed Jul 04 2018 Petr Menšík - 1.7.3-3 -- Update trust anchors also behind firewall (#1598078) - -* Mon Jul 02 2018 Miro Hrončok - 1.7.3-2 -- Rebuilt for Python 3.7 - -* Wed Jun 27 2018 Petr Menšík - 1.7.3-1 -- Update to 1.7.3 (#1593708) - -* Wed Jun 27 2018 Petr Menšík - 1.7.2-3 -- Remove last python2 dependency from python3 build - -* Tue Jun 19 2018 Miro Hrončok - 1.7.2-2 -- Rebuilt for Python 3.7 - -* Mon Jun 11 2018 Paul Wouters - 1.7.2-1 -- Resolves rhbz#1589807 unbound-1.7.2 is available -- Add patch to fix stub/forward zone not returning ServFail when TTL expires -- Enabled the new root-key-sentinel option - -* Wed May 30 2018 Petr Menšík - 1.7.1-1 -- Update to 1.7.1 (#1574495) - -* Mon Apr 09 2018 Petr Menšík - 1.7.0-5 -- Require gcc and make on build -- Remove group, simplify systemd requires -- Simplify building with single python 
version, make python3 primary - -* Mon Apr 09 2018 Paul Wouters - 1.7.0-4 -- Patch for prefetching after flushing cache - -* Fri Apr 06 2018 Paul Wouters - 1.7.0-3 -- Patch for referral with auth-zone: response - - -* Wed Mar 21 2018 Paul Wouters - 1.7.0-2 -- Patch for broken Aggressive NSEC + stub-zone configuration causing NXDOMAIN at TTL expiry - -* Thu Mar 15 2018 Paul Wouters - 1.7.0-1 -- Updated to 1.7.0 (aggressive nsec, local root support, bugfixes) - -* Thu Feb 22 2018 Petr Menšík - 1.6.8-6 -- Uncomment again original max-upd-size - -* Wed Feb 21 2018 Petr Menšík - 1.6.8-5 -- Use default RPM build flags and configure parameters (#1539097) - -* Wed Feb 21 2018 Petr Menšík - 1.6.8-4 -- Remove group writable bit from some config files (#1528445) - -* Wed Feb 14 2018 Filipe Rosset - 1.6.8-3 -- rebuilt due new libevent 2.1.8 - -* Fri Feb 09 2018 Igor Gnatenko - 1.6.8-2 -- Escape macros in %%changelog - -* Mon Jan 22 2018 Paul Wouters - 1.6.8-1 -- Resolves rhbz#1483572 unbound-1.6.8 is available -- Resolves rhbz#1507049 CVE-2017-15105 unbound: Improper validation of wildcard synthesized NSEC records -- Resolves rhbz#1536518 CVE-2017-15105 unbound: Improper validation of wildcard synthesized NSEC records [fedora-all] - -* Sun Dec 17 2017 Zbigniew Jędrzejewski-Szmek - 1.6.7-2 -- Python 2 binary package renamed to python2-unbound - See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3 - -* Thu Oct 12 2017 Paul Wouters - 1.6.7-1 -- Updated to 1.6.7 (minor bugfixes) - -* Tue Oct 03 2017 Petr Menšík - 1.6.6-3 -- Update icannbundle.pem - -* Mon Oct 02 2017 Paul Wouters - 1.6.6-2 -- Enable RFC 8145 Trust Anchor Signaling to help the root zone get keytag statistics - -* Fri Sep 22 2017 Paul Wouters - 1.6.6-1 -- Resolves: rhbz#1483572 unbound-1.6.6 is available -- Resolves: rhbz#1465575 unbound fails to start up, complains about missing ipsecmod-hook (edit) - -* Wed Aug 16 2017 Paul Wouters - 1.6.4-4 -- Rebuilt with KSK2017 added to root.key and root.anchor 
-- Remove noreplace for root key files. We can only improve these files over local copies - -* Thu Aug 03 2017 Fedora Release Engineering - 1.6.4-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - -* Thu Jul 27 2017 Fedora Release Engineering - 1.6.4-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild - -* Sun Jul 02 2017 Paul Wouters - 1.6.4-1 -- Updated to 1.6.4 full release, patch to allow missing ipsechook -- Resolves rhbz#1465575 unbound fails to start up, complains about missing ipsecmod-hook - -* Thu Jun 22 2017 Paul Wouters - 1.6.4-0.rc2 -- Update to 1.6.4 (esubnet, ipsecmod support, bugfixes) - -* Tue Jun 13 2017 Paul Wouters - 1.6.3-1 -- Updated to 1.6.3 (fixes assertion failure when receiving malformed packet with 0x20 enabled) - -* Thu Jun 08 2017 Paul Wouters - 1.6.2-2 -- Patch for cmd: unbound-control set_option val-permissive-mode: yes - -* Wed Apr 26 2017 Paul Wouters - 1.6.2-1 -- Update to 1.6.2 (rhbz#1425649) -- Updated unbound.conf with new options - -* Wed Mar 22 2017 Paul Wouters - 1.6.0-6 -- Call make unbound-event-install to install unbound-event.h - -* Sat Feb 11 2017 Fedora Release Engineering - 1.6.0-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - -* Wed Jan 18 2017 Paul Wouters - 1.6.0-4 -- Remove obsoleted DLV key - -* Mon Jan 02 2017 Paul Wouters - 1.6.0-3 -- Actually remove dependency because minimum is always satisfied - -* Mon Jan 02 2017 Paul Wouters - 1.6.0-2 -- Depend on openssl-libs, not opensl - -* Wed Dec 21 2016 Kevin Fenzi - 1.6.0-1 -- Update to 1.6.0 - -* Mon Dec 19 2016 Miro Hrončok - 1.5.10-3 -- Rebuild for Python 3.6 - -* Wed Oct 26 2016 Ilya Evseev - 1.5.10-2 -- Bugfix building without python2 and python3 -- Fixup streamtcp build (Paul) - -* Tue Sep 27 2016 Paul Wouters - 1.5.10-1 -- Updated to 1.5.10 (better TCP handling, bugfixes) -- Install pkgconfig file in -devel package -- Updated unbound.conf - -* Tue Jul 19 2016 Fedora Release Engineering 
- 1.5.9-4 -- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages - -* Thu Jul 07 2016 Paul Wouters - 1.5.9-3 -- Fix upper port range to 60999 because that's what selinux allows - -* Thu Jun 16 2016 Paul Wouters - 1.5.9-2 -- Patch for allowing more queries before failure (needed for query minimalization) - -* Mon Jun 13 2016 Paul Wouters - 1.5.9-1 -- Updated to 1.5.9 - -* Thu Apr 21 2016 Toshio Kuratomi - 1.5.8-2 -- Fix streamtcp to link against libpython3.x instead of libpython2.x - -* Wed Mar 02 2016 Paul Wouters - 1.5.8-1 -- Update to 1.5.8 (rhbz#1313831) which incorporates rhbz#1294339 patch -- Updated unbound.conf with new upstream options -- Enabled ip-transparent: yes (see rhbz#1291449) - -* Fri Feb 05 2016 Fedora Release Engineering - 1.5.7-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - -* Thu Jan 21 2016 Tomas Hozza - 1.5.7-2 -- Fix escaping of shell chars in unbound-control-setup (#1294339) - -* Fri Dec 11 2015 Paul Wouters - 1.5.7-1 -- Update to 1.5.7 -- Enable query minimalization for enhanced DNS query privacy -- Enable nxdomain hardening to assist with query minimalization and SBLs -- Updated default unbound.conf for new features from upstream. 
- -* Fri Nov 13 2015 Tomas Hozza - 1.5.6-1 -- Update to 1.5.6 (#1176729) - -* Wed Nov 04 2015 Robert Kuska - 1.5.5-2 -- Rebuilt for Python3.5 rebuild - -* Wed Oct 07 2015 Tomas Hozza - 1.5.5-1 -- New upstream release 1.5.5 (#1269137) -- Removed the anchor update from %%post section of -libs subpackage (#1269137#c2) - -* Tue Sep 15 2015 Tomas Hozza - 1.5.4-5 -- Removed dependency and ordering on unbound-anchor.service in unbound.service - -* Thu Sep 03 2015 Tomas Hozza - 1.5.4-4 -- Prefer Python3 build over Python2 build for now (#1254566) - -* Mon Jul 20 2015 Tomas Hozza - 1.5.4-3 -- Added ExecReload section to unbound.service (#1195785) -- Removed After syslog.target since it is not needed any more - -* Thu Jul 16 2015 Tomas Hozza - 1.5.4-2 -- Start unbound-anchor.timer only on new installations -- Rename root.anchor to root.key in %%post section - -* Tue Jul 14 2015 Paul Wouters - 1.5.4-1 -- Update to 1.5.4 -- Removed patches merged into upstream - -* Tue Jun 16 2015 Tomas Hozza - 1.5.3-8 -- Revert: Use low maximum negative cache TTL (5 sec) (#1229596) - -* Mon Jun 15 2015 Tomas Hozza - 1.5.3-7 -- Add option for maximum negative cache TTL (#1229599) -- Use low maximum negative cache TTL (5 sec) (#1229596) - -* Tue May 26 2015 Tomas Hozza - 1.5.3-6 -- Removed usage of DLV from the default configuration (#1223363) - -* Wed May 13 2015 Tomas Hozza - 1.5.3-5 -- unbound.service now Wants unbound-anchor.timer -- unbound-anchor man page moved to the unbound-libs - -* Mon May 11 2015 Paul Wouters - 1.5.3-4 -- Fixup scriptlets causing systemctl: command not found -- Resolves rhbz#1219587 Error in PREIN scriptlet in rpm package unbound-libs - -* Mon Apr 27 2015 Tomas Hozza - 1.5.3-3 -- migrate cronjob to systemd timer unit (#1177285) -- change the period for unbound-anchor from monthly to daily (#1180267) -- Thanks to Tomasz Torcz for the initial patch - -* Thu Apr 16 2015 Tomas Hozza - 1.5.3-2 -- Fix FTBFS (#1206129) -- Build python3-unbound and python-unbound bindings 
for Python 3 and 2 (#1188080) - -* Mon Mar 16 2015 Paul Wouters - 1.5.3-1 -- Updated to 1.5.3 which is a bugfix on 1.5.2 for sighup handling -- Updated to 1.5.2 which fixes DNSSEC validation with different - trust anchors upstream, local-zone has a new keyword 'inform' - -* Mon Feb 02 2015 Paul Wouters - 1.5.1-4 -- Build with --enable-ecdsa - -* Sun Feb 01 2015 Paul Wouters - 1.5.1-3 -- Fix post to create root.anchor, not root.key, to match cron job - -* Tue Dec 09 2014 Paul Wouters - 1.5.1-2 -- Change systemd-units to systemd -- Use _tmpfilesdir macro, don't mark tmpfiles as config - -* Tue Dec 09 2014 Paul Wouters - 1.5.1-1 -- Update to 1.5.1 for CVE-2014-8602 (rhbz#1172066) -- Removed unbound-aarch64.patch which was merged upstream -- Don't require autotools for non snapshots or run autoreconf - -* Fri Nov 28 2014 Tomas Hozza - 1.5.1-0.1.rc1 -- update to 1.5.1rc1 - -* Fri Nov 28 2014 Marcin Juszkiewicz - 1.5.0-3 -- fix build on aarch64 - -* Wed Nov 26 2014 Tomas Hozza - 1.5.0-2 -- Fix race condition in arc4random (#1166878) - -* Wed Nov 19 2014 Tomas Hozza - 1.5.0-1 -- update to 1.5.0 - -* Wed Sep 24 2014 Pavel Šimerda - 1.4.22-6 -- Resolves: #1115489 - build with python 3.x for fedora >= 22 - -* Thu Aug 21 2014 Kevin Fenzi - 1.4.22-5 -- Rebuild for rpm bug 1131960 - -* Mon Aug 18 2014 Fedora Release Engineering - 1.4.22-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild - -* Sun Jun 08 2014 Fedora Release Engineering - 1.4.22-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild - -* Thu May 01 2014 Paul Wouters - 1.4.22-2 -- Added flushcache patch (SVN commit 3125) - -* Thu Mar 13 2014 Paul Wouters - 1.4.22-1 -- Updated to 1.4.22 -- No longer requires the ldns library - -* Thu Jan 16 2014 Tomas Hozza - 1.4.21-3 -- Fix segfault on adding insecure forward zone when using only iterator (#1054192) - -* Mon Oct 21 2013 Tomas Hozza - 1.4.21-2 -- run test suite during the build - -* Thu Sep 19 2013 Paul Wouters - 1.4.21-1 -- 
Updated to 1.4.21, -- Enabled new max-udp-size: 3072 (so ANY isc.org won't fit) -- Removed patched merged in by upstream -- Enable statistics-cumulative for munin-plugin -- Added outgoing-port-avoid: 0-32767 conformant to SElinux restrictions -- Updated unbound.conf - -* Mon Aug 26 2013 Tomas Hozza - 1.4.20-19 -- Fix errors found by static analysis of source - -* Mon Aug 12 2013 Paul Wouters - 1.4.20-18 -- Change unbound.conf to only use ephemeral ports (32768-65535) - -* Sun Aug 04 2013 Fedora Release Engineering - 1.4.20-17 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild - -* Mon Jul 22 2013 Tomas Hozza - 1.4.20-16 -- provide man page for unbound-streamtcp - -* Mon Jul 08 2013 Paul Wouters - 1.4.20-15 -- Re-introduce hardening flags for full relro and pie -- Fixes compilation failure for python module - -* Wed Jul 03 2013 Tomas Hozza - 1.4.20-14 -- remove missing unbound-rootkey.service from post/preun/postun sections -- don't hardcode hardening flags, let hardened build macro handles it - -* Sat Jun 01 2013 Paul Wouters - 1.4.20-13 -- Run unbound-anchor as user unbound in unbound.service - -* Tue May 28 2013 Paul Wouters - 1.4.20-12 -- Enable round-robin (with noths() patch) -- Change cron and systemd service to use root.key, not root.anchor - -* Sat May 25 2013 Paul Wouters - 1.4.20-10 -- Use /var/lib/unbound/root.key (more consistent with other distros) -- Enable minimal responses - -* Mon Apr 22 2013 Paul Wouters - 1.4.20-8 -- Refix - -* Fri Apr 19 2013 Paul Wouters - 1.4.20-7 -- Fix runuser call in post. - -* Tue Apr 16 2013 Paul Wouters - 1.4.20-6 -- /var/lib/unbound should be owned by unbound. 
group write is not enough - -* Fri Apr 12 2013 Paul Wouters - 1.4.20-5 -- Fix cron job syntax (rhbz#951725) -- Use install -p to prevent .rpmnew files that are identical to originals - -* Mon Apr 8 2013 Paul Wouters - 1.4.20-4 -- Updated to 1.4.20 -- Build with full RELRO (not use -z,relro but with -z,relo,-z,now) -- Fixup man page for unbound-control-setup -- unbound.service should start before nss-lookup.target (rhbz#919955) -- Removed patch for rhbz#888759 merged in upstream -- Move root.anchor to /var/lib/unbound to make selinux policy easier for updating (rhbz#896599/rhbz#891008) -- Move cronjob for root.anchor from unbound to unbound-libs, require crontabs -- /etc/unbound (and all) should be owned by unbound-libs (rhbz#909691) -- Remove Obsolete/Provides for dnssec-conf which was last seen in f13 -- Ensure any unbound-anchor failure in post is ignored - -* Tue Mar 05 2013 Adam Tkac - 1.4.19-5 -- build with full RELRO -- symlink unbound-control-setup.8 manpage to unbound-control.8 - -* Fri Feb 15 2013 Fedora Release Engineering - 1.4.19-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild - -* Wed Dec 12 2012 Paul Wouters - 1.4.19-3 -- Updated to 1.4.19 - this integrates all existing patches -- Patch for unbound-anchor (rhbz#888759) - -* Fri Nov 09 2012 Paul Wouters - 1.4.18-6 -- Patch to ensure stube-zone's aren't lost when using dnssec-triggerd -- added unbound-munin.README file - -* Wed Sep 26 2012 Paul Wouters - 1.4.18-5 -- Patch to allow wildcards in include: statements -- Add directories /etc/unbound/keys.d,conf.d,local.d with - example entries -- Added /etc/unbound/root.anchor, maintained by unbound-anchor - which is installed as monthly cron and PreExec in systemd config - (root.key is unused, but left installed in case people depend on it) -- Native systemd (simple) and /etc/sysconfig/unbound support -- Run unbound-checkconf in PreExec -- Moved trust anchor related files to unbound-libs, as they can - be used without the daemon. 
-- sub packages now depends on base package of same arch -- Build munin package as noarch -- unbound-anchor moved to unbound-libs package. It is needed - to update the root.anchor key file. - -* Tue Sep 04 2012 Paul Wouters - 1.4.18-3 -- Fix openssl thread locking bug under high query load - -* Thu Aug 23 2012 Paul Wouters - 1.4.18-2 -- Use new systemd-rpm macros (rhbz#850351) -- Clean up old obsoleted dnssec-conf from < fedora 15 - -* Fri Aug 03 2012 Paul Wouters - 1.4.18-1 -- Updated to 1.4.18 (FIPS related fixes mostly) -- Removed patches that were merged in upstream -- Added comment to root.key - -* Mon Jul 23 2012 Paul Wouters - 1.4.17-5 -- Fix for unbound crasher (upstream bug #452) -- Support libunbound functions in man pages and place in -devel - -* Sun Jul 22 2012 Fedora Release Engineering - 1.4.17-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild - -* Tue Jul 03 2012 Paul Wouters - 1.4.17-3 -- unbound FIPS patches for MD5,randomness (rhbz#835106) - -* Fri Jun 15 2012 Adam Tkac - 1.4.17-2 -- don't build unbound-munin on RHEL - -* Thu May 24 2012 Paul Wouters - 1.4.17-1 -- Updated to 1.4.17 (which mostly brings in patches we already - applied from svn trunk) - -* Wed Feb 29 2012 Paul Wouters - 1.4.16-3 -- Since the daemon links to the libs staticly, add Requires: - (this is rhbz#745288) -- Package up streamtcp as unbound-streamtcp (for monitoring) - -* Mon Feb 27 2012 Paul Wouters - 1.4.16-2 -- Don't ghost the directory (rhbz#788805) -- Patch for unbound to support unbound-control forward_zone - (needed for openswan in XAUTH mode) - -* Thu Feb 02 2012 Paul Wouters - 1.4.16-1 -- Upgraded to 1.4.16, which was relesed due to the soname - and some DNSSEC validation failures - -* Wed Feb 01 2012 Paul Wouters - 1.4.15-2 -- Patch for SONAME version (libtool's -version-number vs -version-info) - -* Fri Jan 27 2012 Paul Wouters - 1.4.15-1 -- Upgraded to 1.4.15 -- Updated unbound.conf to show how to configure listening on tls443 - -* Sat Jan 14 
2012 Fedora Release Engineering - 1.4.14-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild - -* Mon Dec 19 2011 Paul Wouters - 1.4.14-1 -- Upgraded to 1.4.14 for CVE-2011-4528 / VU#209659 -- SSL-wrapped query support for dnssec-trigger -- EDNS handling changes -- Removed integrated EDNS patches -- Disabled use-caps-for-id, GoDaddy domains now break on it -- Enabled new harden-below-nxdomain - -* Thu Sep 15 2011 Paul Wouters - 1.4.13-1 -- Upgraded to 1.4.13 -- Removed merged in pythonmod patch -- Added EDNS1480 patch to fix unbound on broken EDNS/UDP networks -- Fix python to go into sitearch instead of sitelib - -* Wed Sep 14 2011 Tom Callaway - 1.4.12-4 -- convert to systemd, tmpfiles.d - -* Mon Aug 08 2011 Paul Wouters - 1.4.12-3 -- Added pythonmod docs and examples - -* Mon Aug 08 2011 Paul Wouters - 1.4.12-2 -- Fix for python module load in the server (Tom Hendrikx) -- No longer enable --enable-debug as it causes degraded performance - under load. - -* Mon Jul 18 2011 Paul Wouters - 1.4.12-1 -- Updated to 1.4.12 - -* Sun Jul 03 2011 Paul Wouters - 1.4.11-1 -- Updated to 1.4.11 -- removed integrated CVE patch -- updated stock unbound.conf for new options introduced - -* Mon Jun 06 2011 Paul Wouters - 1.4.10-1 -- Added ghost for /var/run/unbound (bz#656710) - -* Mon Jun 06 2011 Paul Wouters - 1.4.9-3 -- rebuilt - -* Wed May 25 2011 Paul Wouters - 1.4.9-2 -- Applied patch for CVE-2011-1922 DoS vulnerability - -* Sun Mar 27 2011 Paul Wouters - 1.4.9-1 -- Updated to 1.4.9 - -* Sat Feb 12 2011 Paul Wouters - 1.4.8-2 -- rebuilt - -* Tue Jan 25 2011 Paul Wouters - 1.4.8-1 -- Updated to 1.4.8 -- Enable root key for DNSSEC -- Fix unbound-munin to use proper file (could cause excessive logging) -- Build unbound-python per default -- Disable gost as Fedora/EPEL does not allow ECC and has mangled openssl - -* Tue Oct 26 2010 Paul Wouters - 1.4.5-4 -- Revert last build - it was on the wrong branch - -* Tue Oct 26 2010 Paul Wouters - 1.4.5-3 -- Disable 
do-ipv6 per default - causes severe degradation on non-ipv6 machines - (see comments in inbound.conf) - -* Tue Jun 15 2010 Paul Wouters - 1.4.5-2 -- Bump release - forgot to upload the new tar ball. - -* Tue Jun 15 2010 Paul Wouters - 1.4.5-1 -- Upgraded to 1.4.5 - -* Mon May 31 2010 Paul Wouters - 1.4.4-2 -- Added accidentally omitted svn patches to cvs - -* Mon May 31 2010 Paul Wouters - 1.4.4-1 -- Upgraded to 1.4.4 with svn patches -- Obsolete dnssec-conf to ensure it is de-installed - -* Thu Mar 11 2010 Paul Wouters - 1.4.3-1 -- Update to 1.4.3 that fixes 64bit crasher - -* Tue Mar 09 2010 Paul Wouters - 1.4.2-1 -- Updated to 1.4.2 -- Updated unbound.conf with new options -- Enabled pre-fetching DNSKEY records (DNSSEC speedup) -- Enabled re-fetching popular records before they expire -- Enabled logging of DNSSEC validation errors - -* Mon Mar 01 2010 Paul Wouters - 1.4.1-5 -- Overriding -D_GNU_SOURCE is no longer needed. This fixes DSO issues - with pthreads - -* Wed Feb 24 2010 Paul Wouters - 1.4.1-3 -- Change make/configure lines to attempt to fix -lphtread linking issue - -* Thu Feb 18 2010 Paul Wouters - 1.4.1-2 -- Removed dependancy for dnssec-conf -- Added ISC DLV key (formerly in dnssec-conf) -- Fixup old DLV locations in unbound.conf file via %%post -- Fix parent child disagreement handling and no-ipv6 present [svn r1953] - -* Tue Jan 05 2010 Paul Wouters - 1.4.1-1 -- Updated to 1.4.1 -- Changed %%define to %%global - -* Thu Oct 08 2009 Paul Wouters - 1.3.4-2 -- Bump version - -* Thu Oct 08 2009 Paul Wouters - 1.3.4-1 -- Upgraded to 1.3.4. 
Security fix with validating NSEC3 records - -* Fri Aug 21 2009 Tomas Mraz - 1.3.3-2 -- rebuilt with new openssl - -* Mon Aug 17 2009 Paul Wouters - 1.3.3-1 -- Updated to 1.3.3 - -* Sun Jul 26 2009 Fedora Release Engineering - 1.3.0-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild - -* Sat Jun 20 2009 Paul Wouters - 1.3.0-2 -- Added missing glob patch to cvs -- Place python macros within the %%with_python check - -* Sat Jun 20 2009 Paul Wouters - 1.3.0-1 -- Updated to 1.3.0 -- Added unbound-python sub package. disabled for now -- Patch from svn to fix DLV lookups -- Patches from svn to detect wrong truncated response from BIND 9.6.1 with - minimal-responses) -- Added Default-Start and Default-Stop to unbound.init -- Re-enabled --enable-sha2 -- Re-enabled glob.patch - -* Wed May 20 2009 Paul Wouters - 1.2.1-7 -- unbound-iterator.patch was not commited - -* Wed May 20 2009 Paul Wouters - 1.2.1-6 -- Fix for https://bugzilla.redhat.com/show_bug.cgi?id=499793 - -* Tue Mar 17 2009 Paul Wouters - 1.2.1-5 -- Use --nocheck to avoid giving an error on missing unbound-remote certs/keys - -* Tue Mar 10 2009 Adam Tkac - 1.2.1-4 -- enable DNSSEC only if it is enabled in sysconfig/dnssec - -* Mon Mar 09 2009 Adam Tkac - 1.2.1-3 -- add DNSSEC support to initscript and enabled it per default -- add requires dnssec-conf - -* Wed Feb 25 2009 Fedora Release Engineering - 1.2.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild - -* Tue Feb 10 2009 Paul Wouters - 1.2.0-2 -- rebuild with new openssl - -* Wed Jan 14 2009 Paul Wouters - 1.1.1-7 -- Modified scandir patch to silently fail when wildcard matches nothing -- Patch to allow unbound-checkconf to find empty wildcard matches - -* Mon Jan 5 2009 Paul Wouters - 1.1.1-6 -- Added scandir patch for trusted-keys-file: option, which - is used to load multiple dnssec keys in bind file format - -* Mon Dec 8 2008 Paul Wouters - 1.1.1-4 -- Added Requires: for selinux-policy >= 3.5.13-33 for proper 
SElinux rules. - -* Mon Dec 1 2008 Paul Wouters - 1.1.1-3 -- We did not own the /etc/unbound directory (#474020) -- Fixed cvs anomalies - -* Fri Nov 28 2008 Adam Tkac - 1.1.1-2 -- removed all obsolete chroot related stuff -- label control certs after generation correctly - -* Thu Nov 20 2008 Paul Wouters - 1.1.1-1 -- Updated to unbound 1.1.1 which fixes a crasher and - addresses nlnetlabs bug #219 - -* Wed Nov 19 2008 Paul Wouters - 1.1.0-3 -- Remove the chroot, obsoleted by SElinux -- Add additional munin plugin links supported by unbound plugin -- Move configuration directory from /var/lib/unbound to /etc/unbound -- Modified unbound.init and unbound.conf to account for chroot changes -- Updated unbound.conf with new available options -- Enabled dns-0x20 protection per default - -* Wed Nov 19 2008 Adam Tkac - 1.1.0-2 -- unbound-1.1.0-log_open.patch - - make sure log is opened before chroot call - - tracked as http://www.nlnetlabs.nl/bugs/show_bug.cgi?id=219 -- removed /dev/log and /var/run/unbound and /etc/resolv.conf from - chroot, not needed -- don't mount files in chroot, it causes problems during updates -- fixed typo in default config file - -* Fri Nov 14 2008 Paul Wouters - 1.1.0-1 -- Updated to version 1.1.0 -- Updated unbound.conf's statistics options and remote-control - to work properly for munin -- Added unbound-munin package -- Generate unbound remote-control key/certs on first startup -- Required ldns is now 1.4.0 - -* Wed Oct 22 2008 Paul Wouters - 1.0.2-5 -- Only call ldconfig in -libs package -- Move configure into build section -- devel subpackage should only depend on libs subpackage - -* Tue Oct 21 2008 Paul Wouters - 1.0.2-4 -- Fix CFLAGS getting lost in build -- Don't enable interface-automatic:yes because that - causes unbound to listen on 0.0.0.0 instead of 127.0.0.1 - -* Sun Oct 19 2008 Paul Wouters - 1.0.2-3 -- Split off unbound-libs, make build verbose - -* Thu Oct 9 2008 Paul Wouters - 1.0.2-2 -- FSB compliance, chroot fixes, initscript 
fixes - -* Thu Sep 11 2008 Paul Wouters - 1.0.2-1 -- Upgraded to 1.0.2 - -* Wed Jul 16 2008 Paul Wouters - 1.0.1-1 -- upgraded to new release - -* Wed May 21 2008 Paul Wouters - 1.0.0-2 -- Build against ldns-1.3.0 - -* Wed May 21 2008 Paul Wouters - 1.0.0-1 -- Split of -devel package, fixed dependancies, make rpmlint happy - -* Fri Apr 25 2008 Wouter Wijngaards - 0.12 -- Using parts from ports collection entry by Jaap Akkerhuis. -- Using Fedoraproject wiki guidelines. - -* Wed Apr 23 2008 Wouter Wijngaards - 0.11 -- Initial version. diff --git a/fedora-defaults.conf b/fedora-defaults.conf deleted file mode 100644 index 99ff95d..0000000 --- a/fedora-defaults.conf +++ /dev/null 
@@ -1,229 +0,0 @@ -# Fedora distribution defaults - -server: - # verbosity number, 0 is least verbose. 1 is default. - verbosity: 1 - - # print statistics to the log (for every thread) every N seconds. - # Set to "" or 0 to disable. Default is disabled. - # Needs to be disabled for munin plugin - statistics-interval: 0 - - # enable cumulative statistics, without clearing them after printing. - # Needs to be disabled for munin plugin - statistics-cumulative: no - - # enable extended statistics (query types, answer codes, status) - # Needs to be enabled for munin plugin - extended-statistics: yes - - # number of threads to create. 1 disables threading. - # num-threads: 1 - num-threads: 4 - - # specify the interfaces to answer queries from by ip-address. - # The default is to listen to localhost (127.0.0.1 and ::1). - # specify 0.0.0.0 and ::0 to bind to all available interfaces. - # specify every interface[@port] on a new 'interface:' labelled line. - # The listen interfaces are not changed on reload, only on restart. - # interface: 0.0.0.0 - # interface: ::0 - # interface: 192.0.2.153 - # interface: 192.0.2.154 - # interface: 192.0.2.154@5003 - # interface: 2001:DB8::5 - # interface: eth0@5003 - # - # for dns over tls and raw dns over port 80 - # interface: 0.0.0.0@443 - # interface: ::0@443 - # interface: 0.0.0.0@80 - # interface: ::0@80 - - # enable this feature to copy the source address of queries to reply. - # Socket options are not supported on all platforms. experimental. - # interface-automatic: yes - # - # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0 - # NOTE: Disabled per Fedora policy not to listen to * on default install - # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled - interface-automatic: no - - # permit Unbound to use this port number or port range for - # making outgoing queries, using an outgoing interface. 
- # Only ephemeral ports are allowed by SElinux - outgoing-port-permit: 32768-60999 - - # IANA-assigned port numbers. - # If multiple outgoing-port-permit and outgoing-port-avoid options - # are present, they are processed in order. - # Our SElinux policy does not allow non-ephemeral ports to be used - outgoing-port-avoid: 0-32767 - outgoing-port-avoid: 61000-65535 - - # use SO_REUSEPORT to distribute queries over threads. - # at extreme load it could be better to turn it off to distribute even. - so-reuseport: yes - - # use IP_TRANSPARENT so the interface: addresses can be non-local - # and you can config non-existing IPs that are going to work later on - # (uses IP_BINDANY on FreeBSD). - ip-transparent: yes - - # Enable UDP, "yes" or "no". - # NOTE: if setting up an Unbound on tls443 for public use, you might want to - # disable UDP to avoid being used in DNS amplification attacks. - # do-udp: yes - - # Enable EDNS TCP keepalive option. - edns-tcp-keepalive: yes - - # Fedora note: do not activate this - not compiled in because - # it causes frequent unbound crashes. Also, socket activation - # is bad when you have things like dnsmasq also running with libvirt. - # Use systemd socket activation for UDP, TCP, and control sockets. - # use-systemd: no - - # If you give "" no chroot is performed. The path must not end in a /. - # chroot: "/etc/unbound" - chroot: "" - - # If you give a server: directory: dir before include: file statements - # then those includes can be relative to the working directory. - directory: "/etc/unbound" - - # print UTC timestamp in ascii to logfile, default is epoch in seconds. - log-time-ascii: yes - - # Harden against unseemly large queries. - harden-large-queries: yes - - # Harden against unverified (outside-zone, including sibling zone) glue rrsets - harden-unverified-glue: yes - - # Default off, because the lookups burden the server. Experimental - # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. 
- harden-referral-path: yes - - # Sent minimum amount of information to upstream servers to enhance - # privacy. Only sent minimum required labels of the QNAME and set QTYPE - # to A when possible. - qname-minimisation: yes - - # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN - # and other denials, using information from previous NXDOMAINs answers. - aggressive-nsec: yes - - # threshold, a warning is printed and a defensive action is taken, - # the cache is cleared to flush potential poison out of it. - # A suggested value is 10000000, the default is 0 (turned off). - unwanted-reply-threshold: 10000000 - - # if yes, perform prefetching of almost expired message cache entries. - prefetch: yes - - # if yes, perform key lookups adjacent to normal lookups. - prefetch-key: yes - - # deny queries of type ANY with an empty response. - deny-any: yes - - # if yes, Unbound rotates RRSet order in response. - rrset-roundrobin: yes - - # if yes, Unbound doesn't insert authority/additional sections - # into response messages when those sections are not required. - minimal-responses: yes - - # module configuration of the server. A string with identifiers - # separated by spaces. Syntax: "[dns64] [validator] iterator" - # most modules have to be listed at the beginning of the line, - # except cachedb(just before iterator), and python (at the beginning, - # or, just before the iterator). - # For redis cachedb use: - # "ipsecmod validator cachedb iterator" - module-config: "ipsecmod validator iterator" - - # trust anchor signaling sends a RFC8145 key tag query after priming. - trust-anchor-signaling: yes - - # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel) - root-key-sentinel: yes - - # the trusted-keys { name flag proto algo "key"; }; clauses are read. - # you need external update procedures to track changes in keys. 
- # trusted-keys-file: "" - # - trusted-keys-file: /etc/unbound/keys.d/*.key - auto-trust-anchor-file: "/var/lib/unbound/root.key" - - # Should additional section of secure message also be kept clean of - # unsecure data. Useful to shield the users of this validator from - # potential bogus data in the additional section. All unsigned data - # in the additional section is removed from secure messages. - val-clean-additional: yes - - # Turn permissive mode on to permit bogus messages. Thus, messages - # for which security checks failed will be returned to clients, - # instead of SERVFAIL. It still performs the security checks, which - # result in interesting log files and possibly the AD bit in - # replies if the message is found secure. The default is off. - # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY - val-permissive-mode: no - - # Serve expired responses from cache, with serve-expired-reply-ttl in - # the response, and then attempt to fetch the data afresh. - serve-expired: yes - - # Limit serving of expired responses to configured seconds after - # expiration. 0 disables the limit. - serve-expired-ttl: 14400 - - # Have the validator log failed validations for your diagnosis. - # 0: off. 1: A line per failed user query. 2: With reason and bad IP. - val-log-level: 1 - - # service clients over TLS (on the TCP sockets) with plain DNS inside - # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. - # Give the certificate to use and private key. - # default is "" (disabled). requires restart to take effect. - # tls-service-key: "/etc/unbound/unbound_server.key" - # tls-service-pem: "/etc/unbound/unbound_server.pem" - - # Fedora/RHEL: use system-wide crypto policies - tls-ciphers: "PROFILE=SYSTEM" - - # Enable to attach Extended DNS Error codes (RFC8914) to responses. - # Fedora defaults to yes. - ede: yes - - # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale - # Answer as EDNS0 option to expired responses. 
- # Note that the ede option above needs to be enabled for this to work. - # Fedora defaults to yes. - ede-serve-expired: yes - - # Enable or disable ipsecmod (it still needs to be defined in - # module-config above). Can be used when ipsecmod needs to be - # enabled/disabled via remote-control(below). - # Fedora: module will be enabled on-demand by libreswan - ipsecmod-enabled: no - - # Path to executable external hook. It must be defined when ipsecmod is - # listed in module-config (above). - ipsecmod-hook: /usr/libexec/ipsec/_unbound-hook - -python: - # Script file to load - # python-script: "/etc/unbound/ubmodule-tst.py" - -# Remote control config section moved into own remote-control.conf - -# the module-config then you need one dynlib-file per instance. -dynlib: - # Script file to load - # dynlib-file: "/etc/unbound/dynlib.so" - -# Fedora: DNSCrypt support not enabled since it requires linking to -# another crypto library -# diff --git a/mkroot.sh b/mkroot.sh deleted file mode 100755 index eb6d5b3..0000000 --- a/mkroot.sh +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/sh - -SOURCE="/usr/share/dns-root-data/root.key" -DEST="${1:-root.key}" - -mk_key() { -echo "# Generated from $SOURCE" -echo "# Use /var/lib/unbound/root.key instead." -echo "trusted-keys {" -while read DOMAIN CLS TYPE FLAGS PROTO ALG KEYDATA COMMENT KEYTAG; do -echo "$DOMAIN $CLS $TYPE $FLAGS $PROTO $ALG \"$KEYDATA\" # $KEYTAG" -done < "$SOURCE" -echo "};" -} - -mk_key > "$DEST" -touch -r "$SOURCE" "$DEST" diff --git a/module-setup.sh b/module-setup.sh deleted file mode 100644 index 439bc6d..0000000 --- a/module-setup.sh +++ /dev/null 
@@ -1,44 +0,0 @@ -#!/usr/bin/bash - -check() { - require_binaries unbound unbound-checkconf unbound-control || return 1 - # the module will be only included if explicitly required either - # by configuration or another module - return 255 -} - -depends() { - # because of pid file we need sysusers to create unbound user - echo systemd systemd-sysusers - return 0 -} - -install() { - # We have to make unbound wanted by network-online target to make sure - # there is a synchronization point when other services are able - # to make queries - inst_simple "$moddir"/unbound-initrd.conf /etc/systemd/system/unbound.service.d/unbound-initrd.conf - - # /etc and /var/lib do not have its variables - inst_multiple -o \ - "$systemdsystemunitdir"/unbound.service \ - /etc/unbound/conf.d/remote-control.conf \ - /etc/unbound/openssl-sha1.conf \ - /usr/share/unbound/fedora-defaults.conf \ - /usr/share/unbound/conf.d/*.conf \ - /etc/unbound/local.d/*.conf \ - /etc/unbound/keys.d/*.key \ - /etc/unbound/unbound.conf \ - /etc/unbound/unbound_control.key \ - /etc/unbound/unbound_control.pem \ - /etc/unbound/unbound_server.key \ - /etc/unbound/unbound_server.pem \ - "$sysusers"/unbound.conf \ - "$tmpfilesdir"/unbound.conf \ - /var/lib/unbound/root.key \ - unbound \ - unbound-checkconf \ - unbound-control - - $SYSTEMCTL -q --root "$initdir" enable unbound.service -} diff --git a/nlnetlabs2026-g2.asc b/nlnetlabs2026-g2.asc deleted file mode 100644 index a8f7de7..0000000 --- a/nlnetlabs2026-g2.asc +++ /dev/null 
@@ -1,24 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -mQGNBGc7H5IBDADOZfJwZ6zZ/4JbbR2hef4261/zh7YpdjUREUs0dMQSbf+x7sAE -50JgvLQWlvA8sDHzbUMQ9cAYZBGGE6iHb50KboeEfuiP5BdiLe8XWKlo1EIh+Idz -0+e1binxwvXV1/9ACm/UHPRuWjkG7vrP+mVRuhfKglO6xSDxV1cwjYTRtvRtQx8D -+kTdZzprvtzkU7OIWeczKFJRhVHzNDHYFG9SuxvDA9cbVm1KPVJEkRBwoSBPeB0z -Z3LSib2uT6Lc/ghAijOwIpR+zNYKOYxRhzoFArrLa0Fs4nq6//LA42/aVjSienEJ -SR5CVUbZy14WuUsYCkV+ZoORVRYZOcjtPG7FUKDXKzY9/iNhEAZ3OMK7Np2Xq/YO -gaOiUDFXLHU1n2UVH1rwkMiS2o4EMqvO7gINmnL/ccpI2wj2QrQ+JZ9y1Xky7dQM -LIIbtp40e0kGocgyba484rW17xlvXRxb1Pjn93JygD6WcraLLNh9jq87hW/J37qi -S4DL+GUe10H8SeEAEQEAAbQ6TkxuZXQgTGFicyByZWxlYXNlcyBzaWduaW5nIGtl -eSBHMiA8cmVsZWFzZXNAbmxuZXRsYWJzLm5sPokBzgQTAQoAOBYhBCMQGGkMTZA+ -9BkUaqFEMj3qrN9FBQJnOx+SAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ -EKFEMj3qrN9FZigL/0aVsJ48oe7vko1Mwg9DucFoCL8CESAarA40in1Bauq7p/pT -l5UcNnFPLO8HBAHWGWtDI63pEhNzHacPzSI94GKS4TUMGzCV1H/c0KnxB7wAO55b -HEQOZJ+kFRBFXWxbXORtp86NZuyCvVoSA4QAcnCf4m5ZEBb72H2cmy8xP+/HLkbS -rpr5pyoUWtCYM8FxnjM3bClXSGOlWNl9cSXLqyyVjxvc7cOAS8ytL/zoVStoBmi/ -OwQbeJfAiqDMnipBJNzOHlfniKXE0FGDozKCHWP88ifs8A8OUNtJng7cNq7EQf9K -vTvbJCcF4akUUcXnx4gv9Z1ZQ93Jg5X7h+0MP7Ut4z9hKSIAOowru7GXGEt256Ja -eE1nSviDcqUtZpyqCLjpCDFGPMwSPzSwlPXjJVlVxPkDvPuNt2LUIEd8BR8Wo7z+ -NA5uM/zTHkQXEdUgCcl/rHy6moHYV3Q+YbMb17zU37a5vLb+wQ74doaiYo3b8KoV -K6vVKMmB0qru6ERJ3g== -=4R8U ------END PGP PUBLIC KEY BLOCK----- diff --git a/openssl-sha1.conf b/openssl-sha1.conf deleted file mode 100644 index 97a3218..0000000 --- a/openssl-sha1.conf +++ /dev/null @@ -1,8 +0,0 @@ -# OpenSSL configuration file to allow SHA1 validation, -# regardless of crypto-policy selected. -# Use it by adding into /etc/sysconfig/unbound: -# OPENSSL_CONF=/etc/unbound/openssl-sha1.conf -.include = /etc/ssl/openssl.cnf - -[evp_properties] -rh-allow-sha1-signatures = yes diff --git a/plans/all.fmf b/plans/all.fmf index 538bd41..cd001bd 100644 --- a/plans/all.fmf +++ b/plans/all.fmf 
@@ -1,7 +1,7 @@ summary: Test plan with all Fedora tests discover: how: fmf - url: https://gitlab.com/redhat/centos-stream/tests/unbound.git + url: https://src.fedoraproject.org/tests/unbound.git execute: how: tmt diff --git a/plans/tier1-public.fmf b/plans/tier1-public.fmf index 6ffbfd1..10f167c 100644 --- a/plans/tier1-public.fmf +++ b/plans/tier1-public.fmf @@ -1,7 +1,7 @@ summary: Public (Fedora) Tier1 beakerlib tests discover: how: fmf - url: https://gitlab.com/redhat/centos-stream/tests/unbound.git + url: https://src.fedoraproject.org/tests/unbound.git filter: 'tier: 1' execute: how: tmt diff --git a/remote-control-include.conf b/remote-control-include.conf deleted file mode 100644 index 5688480..0000000 --- a/remote-control-include.conf +++ /dev/null @@ -1,4 +0,0 @@ -# Previous defaults allowed any process to change settings, CVE-2023-1488 -# If you want to modify remote configuration, replace this file with -# contents of included file and modify afterwards. -include: "/usr/share/unbound/conf.d/remote-control.conf" diff --git a/remote-control.conf b/remote-control.conf deleted file mode 100644 index 6f6942e..0000000 --- a/remote-control.conf +++ /dev/null 
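Review bot: Both new `url:` lines (plans/all.fmf here and plans/tier1-public.fmf in the next hunk) point at the new remote without a `ref:`, so each run discovers whatever is at the default branch head of src.fedoraproject.org/tests/unbound, and a push there silently changes what gates this package. Adding a `ref:` line next to `url:` naming a branch or tag the package team controls keeps the discovered test content reproducible per build. If floating on the branch head is deliberate, a one-line comment above `url:` saying so would spare the next reader the question.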
@@ -1,26 +0,0 @@ -# Remote control config section update. -# Previous defaults allowed any process to change settings, CVE-2023-1488 -# This file can be used also by: unbound-control -c -remote-control: - # Enable remote control with unbound-control(8) here. - # set up the keys and certificates with unbound-control-setup. - control-enable: yes - - # set to an absolute path to use a unix local name pipe, certificates - # are not used for that, so key and cert files need not be present. - control-interface: "/run/unbound/control" - - # For local sockets this option is ignored, and TLS is not used. - control-use-cert: "yes" - - # Unbound server key file. - server-key-file: "/etc/unbound/unbound_server.key" - - # Unbound server certificate file. - server-cert-file: "/etc/unbound/unbound_server.pem" - - # unbound-control key file. - control-key-file: "/etc/unbound/unbound_control.key" - - # unbound-control certificate file. - control-cert-file: "/etc/unbound/unbound_control.pem" diff --git a/root.anchor b/root.anchor index 1559542..c78ee03 100644 --- a/root.anchor +++ b/root.anchor @@ -1,2 +1 @@ -. 172800 IN DNSKEY 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ;{id = 38696 (ksk), size = 2048b} . 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} 
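Review bot: root.anchor now seeds trust with only the DNSKEY record whose id is 20326; the record with id 38696, which appears to be the newer root KSK, is dropped, and the root.key added later in this diff likewise lists only key id 20326. An installation that cannot run an unbound-anchor refresh before first use (first boot without network, offline or initrd use) then trusts only 20326, and validation fails once the root zone is signed by 38696 alone. Unless the 1.18.0 unbound-anchor is known to refresh the anchor before the resolver validates anything, keeping both DNSKEY lines in root.anchor and both trusted-keys entries in root.key is the safer seed. Since the sources hunk in this diff moves the package back to 1.18.0, the commit message should say whether dropping 38696 is intentional or a side effect of the revert.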
diff --git a/root.key b/root.key new file mode 100644 index 0000000..6c5622c --- /dev/null +++ b/root.key @@ -0,0 +1,6 @@ +; // The root key in bind format. This can be read by most tools, including +; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this +trusted-keys { +"." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326 + +}; diff --git a/sources b/sources index 7d4806d..558d84a 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (unbound-1.24.2.tar.gz) = 655d63ec5305323e84d82691425d74d98c332d0028517bd729d191e5f968ce9481b49ec7447d4c4906dce7997a998a115db36e911a59d2d877da5840c2080261 -SHA512 (unbound-1.24.2.tar.gz.asc) = 66a3e569a606cc3ed7dac9b411fba347da150728427619bdbf12ac57a5d7db1fc17963b1ba052a95d6c6fed67a6f0c1b5920318f6cd34e5091750626dd63fb21 +SHA512 (unbound-1.18.0.tar.gz) = 24ca6bfe0ed493eb6aaa5cb1b2b108076ce97c48de7470adf596d1154254351e382b83aae33fcd8d4fa64847e359613e00c979b6f3ba7671215b2d0fd2b03b14 +SHA512 (unbound-1.18.0.tar.gz.asc) = 222ff184d952b9ee8ce81e1f3384d1640ff4695ca60b7d5f946dc24489d583618fc0f4e3c169514b699c684766fdb352f47ca29853223fbae70a65fd994d4fd2 diff --git a/tmpfiles-unbound-libs.conf b/tmpfiles-unbound-libs.conf deleted file mode 100644 index d71ea46..0000000 --- a/tmpfiles-unbound-libs.conf +++ /dev/null @@ -1,2 +0,0 @@ -d /var/lib/unbound 0755 unbound unbound - -L /var/lib/unbound/root.key - - - - ../../../etc/unbound/dnssec-root.key diff --git a/tmpfiles-unbound.conf b/tmpfiles-unbound.conf index c09cc75..bb88f01 100644 --- a/tmpfiles-unbound.conf +++ b/tmpfiles-unbound.conf @@ -1 +1 @@ -D /run/unbound 0775 unbound root - +D /run/unbound 0755 unbound unbound - 
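Review bot: `D /run/unbound 0755 unbound unbound -` changes the group of the runtime directory from root to unbound and drops group write, which is tighter, but this same diff also deletes remote-control.conf and remote-control-include.conf, the files whose header says the previous defaults let any process change settings (CVE-2023-1488) and which bound the control channel to the unix socket `/run/unbound/control` under this directory. I cannot see from the diff which remote-control configuration the 1.18.0 build installs instead, so please confirm it still uses a unix socket under /run/unbound (now unbound:unbound 0755) with `control-use-cert` and the key/cert files set, rather than a TCP control interface; otherwise the directory permission change protects nothing. If that is confirmed, a comment in tmpfiles-unbound.conf such as `# runtime directory; also holds the unbound-control unix socket, keep in sync with control-interface` documents why the ownership matters.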
diff --git a/unbound-1.24-quic-on-demand-only.patch b/unbound-1.24-quic-on-demand-only.patch deleted file mode 100644 index e074ab0..0000000 --- a/unbound-1.24-quic-on-demand-only.patch +++ /dev/null 
@@ -1,171 +0,0 @@ -From 1dfe06278c1446558b5043d7c57cd901e7d96829 Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Mon, 24 Nov 2025 13:44:14 +0100 -Subject: [PATCH] Do not initialize quic_table unless it is enabled - -Fedora in FIPS mode might fail to initialize ngtcp2 library, because -some ciphers desired are not available. - -Make it possible to skip initialization by setting explicitly quic_port -to 0. Unless we have some listeners for port 853 configured, skip its -initialization as well. - -Related: https://pagure.io/freeipa/issue/9877 ---- - daemon/daemon.c | 14 +++++++++----- - services/listen_dnsport.c | 14 +++++++++++--- - util/configparser.y | 15 +++++++++------ - util/netevent.c | 3 +++ - 4 files changed, 32 insertions(+), 14 deletions(-) - -diff --git a/daemon/daemon.c b/daemon/daemon.c -index f882bb9ad..a9cc25c67 100644 ---- a/daemon/daemon.c -+++ b/daemon/daemon.c -@@ -558,9 +558,11 @@ daemon_create_workers(struct daemon* daemon) - verbose(VERB_ALGO, "total of %d outgoing ports available", numport); - - #ifdef HAVE_NGTCP2 -- daemon->doq_table = doq_table_create(daemon->cfg, daemon->rand); -- if(!daemon->doq_table) -- fatal_exit("could not create doq_table: out of memory"); -+ if (cfg_has_quic(daemon->cfg)) { -+ daemon->doq_table = doq_table_create(daemon->cfg, daemon->rand); -+ if(!daemon->doq_table) -+ fatal_exit("could not create doq_table: out of memory"); -+ } - #endif - - daemon->num = (daemon->cfg->num_threads?daemon->cfg->num_threads:1); -@@ -917,8 +919,10 @@ daemon_cleanup(struct daemon* daemon) - daemon->dnscenv = NULL; - #endif - #ifdef HAVE_NGTCP2 -- doq_table_delete(daemon->doq_table); -- daemon->doq_table = NULL; -+ if (daemon->doq_table) { -+ doq_table_delete(daemon->doq_table); -+ daemon->doq_table = NULL; -+ } - #endif - daemon->cfg = NULL; - } -diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c -index f7fcca194..ab8f1ba72 100644 ---- a/services/listen_dnsport.c -+++ b/services/listen_dnsport.c -@@ -1564,7 +1564,7 @@ 
listen_create(struct comm_base* base, struct listen_port* ports, - cp = comm_point_create_udp(base, ports->fd, - front->udp_buff, ports->pp2_enabled, cb, - cb_arg, ports->socket); -- } else if(ports->ftype == listen_type_doq) { -+ } else if(ports->ftype == listen_type_doq && doq_table) { - #ifndef HAVE_NGTCP2 - log_warn("Unbound is not compiled with " - "ngtcp2. This is required to use DNS " -@@ -3275,7 +3275,11 @@ nghttp2_session_callbacks* http2_req_callbacks_create(void) - struct doq_table* - doq_table_create(struct config_file* cfg, struct ub_randstate* rnd) - { -- struct doq_table* table = calloc(1, sizeof(*table)); -+ struct doq_table* table; -+ -+ if (!cfg->quic_port) -+ return NULL; -+ table = calloc(1, sizeof(*table)); - if(!table) - return NULL; - #ifdef USE_NGTCP2_CRYPTO_OSSL -@@ -3354,7 +3358,7 @@ conn_tree_del(rbnode_type* node, void* arg) - { - struct doq_table* table = (struct doq_table*)arg; - struct doq_conn* conn; -- if(!node) -+ if(!node || !table) - return; - conn = (struct doq_conn*)node->key; - if(conn->timer.timer_in_list) { -@@ -3413,6 +3417,7 @@ doq_timer_find_time(struct doq_table* table, struct timeval* tv) - { - struct doq_timer key; - struct rbnode_type* node; -+ log_assert(table != NULL); - memset(&key, 0, sizeof(key)); - key.time.tv_sec = tv->tv_sec; - key.time.tv_usec = tv->tv_usec; -@@ -4922,6 +4927,7 @@ doq_conid_find(struct doq_table* table, const uint8_t* data, size_t datalen) - key.node.key = &key; - key.cid = (void*)data; - key.cidlen = datalen; -+ log_assert(table != NULL); - node = rbtree_search(table->conid_tree, &key); - if(node) - return (struct doq_conid*)node->key; -@@ -5662,6 +5668,8 @@ doq_table_quic_size_available(struct doq_table* table, - struct config_file* cfg, size_t mem) - { - size_t cur; -+ if (!table) -+ return 0; - lock_basic_lock(&table->size_lock); - cur = table->current_size; - lock_basic_unlock(&table->size_lock); -diff --git a/util/configparser.y b/util/configparser.y -index bf9c196fc..f159b8cec 100644 
---- a/util/configparser.y -+++ b/util/configparser.y -@@ -1235,14 +1235,17 @@ server_http_notls_downstream: VAR_HTTP_NOTLS_DOWNSTREAM STRING_ARG - server_quic_port: VAR_QUIC_PORT STRING_ARG - { - OUTYY(("P(server_quic_port:%s)\n", $2)); -+ if(atoi($2) == 0 && strcmp($2,"0")!=0) -+ yyerror("port number expected"); -+ else { -+ cfg_parser->cfg->quic_port = atoi($2); - #ifndef HAVE_NGTCP2 -- log_warn("%s:%d: Unbound is not compiled with " -- "ngtcp2. This is required to use DNS " -- "over QUIC.", cfg_parser->filename, cfg_parser->line); -+ if (cfg_parser->cfg->quic_port != 0) -+ log_warn("%s:%d: Unbound is not compiled with " -+ "ngtcp2. This is required to use DNS " -+ "over QUIC.", cfg_parser->filename, cfg_parser->line); - #endif -- if(atoi($2) == 0) -- yyerror("port number expected"); -- else cfg_parser->cfg->quic_port = atoi($2); -+ } - free($2); - }; - server_quic_size: VAR_QUIC_SIZE STRING_ARG -diff --git a/util/netevent.c b/util/netevent.c -index aedcb5e07..93db16675 100644 ---- a/util/netevent.c -+++ b/util/netevent.c -@@ -2723,6 +2723,7 @@ doq_server_socket_create(struct doq_table* table, struct ub_randstate* rnd, - { - size_t doq_buffer_size = 4096; /* bytes buffer size, for one packet. */ - struct doq_server_socket* doq_socket; -+ log_assert(doq_table != NULL); - doq_socket = calloc(1, sizeof(*doq_socket)); - if(!doq_socket) { - return NULL; -@@ -2804,6 +2805,7 @@ doq_lookup_repinfo(struct doq_table* table, struct comm_reply* repinfo) - { - struct doq_conn* conn; - struct doq_conn_key key; -+ log_assert(table != NULL); - doq_conn_key_from_repinfo(&key, repinfo); - lock_rw_rdlock(&table->lock); - conn = doq_conn_find(table, &key.paddr.addr, -@@ -5880,6 +5882,7 @@ comm_point_create_doq(struct comm_base *base, int fd, sldns_buffer* buffer, - struct config_file* cfg) - { - #ifdef HAVE_NGTCP2 -+ log_assert(table != NULL); - struct comm_point* c = (struct comm_point*)calloc(1, - sizeof(struct comm_point)); - short evbits; --- -2.52.0 - 
diff --git a/unbound-1.24-swig-function.patch b/unbound-1.24-swig-function.patch deleted file mode 100644 index 3257766..0000000 --- a/unbound-1.24-swig-function.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 0fc825def2f812af70189a01b0fe66e1c5050aec Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= -Date: Fri, 24 Oct 2025 20:20:50 +0200 -Subject: [PATCH] Use $action instead of $function in python SWIG interface - -$function is not supported since SWIG 4.4.0. ---- - libunbound/python/libunbound.i | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/libunbound/python/libunbound.i b/libunbound/python/libunbound.i -index dc12514..4576844 100644 ---- a/libunbound/python/libunbound.i -+++ b/libunbound/python/libunbound.i -@@ -853,7 +853,7 @@ Result: ['74.125.43.147', '74.125.43.99', '74.125.43.103', '74.125.43.104'] - %{ - //printf("resolve_start(%lX)\n",(long unsigned int)arg1); - Py_BEGIN_ALLOW_THREADS -- $function -+ $action - Py_END_ALLOW_THREADS - //printf("resolve_stop()\n"); - %} --- -2.51.0 - diff --git a/unbound-anchor.service b/unbound-anchor.service index 1116243..59683c8 100644 --- a/unbound-anchor.service +++ b/unbound-anchor.service @@ -6,5 +6,5 @@ Documentation=man:unbound-anchor(8) Type=oneshot User=unbound EnvironmentFile=-/etc/sysconfig/unbound -ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ] || [ -f /run/unbound/anchor-disable ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi' +ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi' SuccessExitStatus=1 diff --git a/unbound-as112-networks.conf b/unbound-as112-networks.conf deleted file mode 100644 index 96c291f..0000000 --- a/unbound-as112-networks.conf +++ /dev/null 
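Review bot: The new ExecStart keeps only the `DISABLE_UNBOUND_ANCHOR` environment check and drops the `[ -f /run/unbound/anchor-disable ]` test, so a runtime flag file can no longer suppress the root key refresh; anything that still creates that file (I cannot see its producer in this diff) will silently have unbound-anchor run anyway. If the flag file is intentionally retired, a comment above ExecStart such as `# Refresh can only be disabled via DISABLE_UNBOUND_ANCHOR in /etc/sysconfig/unbound` records that, and any documentation of the flag file should be removed with it. Note that with the reduced root.anchor in this diff this unit is also the only path by which an installed host learns a newer root KSK, so disabling it has a larger effect than before.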
@@ -1,118 +0,0 @@
-# Allow forwarding of private ranges, which are marked forwardable by IANA
-# https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
-# https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
-# https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml
-# RFC 6303: Locally Served DNS Zones (https://www.rfc-editor.org/rfc/rfc6303.html)
-#
-# Using this configuration file will simplify forwarding to potentially private ranges.
-# Enables forwarding of networks marked as forwardable at IANA special registry.
-# This is useful when upstream forwarder may be still inside private network. That is the case
-# when unbound works as a localhost DNS cache, not network wide resolver.
-
-server:
- # RFC 8375: Special-Use Domain 'home.arpa.'
- local-zone: "home.arpa." nodefault
-
- # RFC 1918: Address Allocation for Private Internets
- local-zone: "10.in-addr.arpa." nodefault
- local-zone: "16.172.in-addr.arpa." nodefault
- local-zone: "17.172.in-addr.arpa." nodefault
- local-zone: "18.172.in-addr.arpa." nodefault
- local-zone: "19.172.in-addr.arpa." nodefault
- local-zone: "20.172.in-addr.arpa." nodefault
- local-zone: "21.172.in-addr.arpa." nodefault
- local-zone: "22.172.in-addr.arpa." nodefault
- local-zone: "23.172.in-addr.arpa." nodefault
- local-zone: "24.172.in-addr.arpa." nodefault
- local-zone: "25.172.in-addr.arpa." nodefault
- local-zone: "26.172.in-addr.arpa." nodefault
- local-zone: "27.172.in-addr.arpa." nodefault
- local-zone: "28.172.in-addr.arpa." nodefault
- local-zone: "29.172.in-addr.arpa." nodefault
- local-zone: "30.172.in-addr.arpa." nodefault
- local-zone: "31.172.in-addr.arpa." nodefault
- local-zone: "168.192.in-addr.arpa." nodefault
- # RFC 6598: IANA-Reserved IPv4 Prefix for Shared Address Space
- local-zone: "64.100.in-addr.arpa." nodefault
- local-zone: "65.100.in-addr.arpa." nodefault
- local-zone: "66.100.in-addr.arpa." nodefault
- local-zone: "67.100.in-addr.arpa." nodefault
- local-zone: "68.100.in-addr.arpa." nodefault
- local-zone: "69.100.in-addr.arpa." nodefault
- local-zone: "70.100.in-addr.arpa." nodefault
- local-zone: "71.100.in-addr.arpa." nodefault
- local-zone: "72.100.in-addr.arpa." nodefault
- local-zone: "73.100.in-addr.arpa." nodefault
- local-zone: "74.100.in-addr.arpa." nodefault
- local-zone: "75.100.in-addr.arpa." nodefault
- local-zone: "76.100.in-addr.arpa." nodefault
- local-zone: "77.100.in-addr.arpa." nodefault
- local-zone: "78.100.in-addr.arpa." nodefault
- local-zone: "79.100.in-addr.arpa." nodefault
- local-zone: "80.100.in-addr.arpa." nodefault
- local-zone: "81.100.in-addr.arpa." nodefault
- local-zone: "82.100.in-addr.arpa." nodefault
- local-zone: "83.100.in-addr.arpa." nodefault
- local-zone: "84.100.in-addr.arpa." nodefault
- local-zone: "85.100.in-addr.arpa." nodefault
- local-zone: "86.100.in-addr.arpa." nodefault
- local-zone: "87.100.in-addr.arpa." nodefault
- local-zone: "88.100.in-addr.arpa." nodefault
- local-zone: "89.100.in-addr.arpa." nodefault
- local-zone: "90.100.in-addr.arpa." nodefault
- local-zone: "91.100.in-addr.arpa." nodefault
- local-zone: "92.100.in-addr.arpa." nodefault
- local-zone: "93.100.in-addr.arpa." nodefault
- local-zone: "94.100.in-addr.arpa." nodefault
- local-zone: "95.100.in-addr.arpa." nodefault
- local-zone: "96.100.in-addr.arpa." nodefault
- local-zone: "97.100.in-addr.arpa." nodefault
- local-zone: "98.100.in-addr.arpa." nodefault
- local-zone: "99.100.in-addr.arpa." nodefault
- local-zone: "100.100.in-addr.arpa." nodefault
- local-zone: "101.100.in-addr.arpa." nodefault
- local-zone: "102.100.in-addr.arpa." nodefault
- local-zone: "103.100.in-addr.arpa." nodefault
- local-zone: "104.100.in-addr.arpa." nodefault
- local-zone: "105.100.in-addr.arpa." nodefault
- local-zone: "106.100.in-addr.arpa." nodefault
- local-zone: "107.100.in-addr.arpa." nodefault
- local-zone: "108.100.in-addr.arpa." nodefault
- local-zone: "109.100.in-addr.arpa." nodefault
- local-zone: "110.100.in-addr.arpa." nodefault
- local-zone: "111.100.in-addr.arpa." nodefault
- local-zone: "112.100.in-addr.arpa." nodefault
- local-zone: "113.100.in-addr.arpa." nodefault
- local-zone: "114.100.in-addr.arpa." nodefault
- local-zone: "115.100.in-addr.arpa." nodefault
- local-zone: "116.100.in-addr.arpa." nodefault
- local-zone: "117.100.in-addr.arpa." nodefault
- local-zone: "118.100.in-addr.arpa." nodefault
- local-zone: "119.100.in-addr.arpa." nodefault
- local-zone: "120.100.in-addr.arpa." nodefault
- local-zone: "121.100.in-addr.arpa." nodefault
- local-zone: "122.100.in-addr.arpa." nodefault
- local-zone: "123.100.in-addr.arpa." nodefault
- local-zone: "124.100.in-addr.arpa." nodefault
- local-zone: "125.100.in-addr.arpa." nodefault
- local-zone: "126.100.in-addr.arpa." nodefault
- local-zone: "127.100.in-addr.arpa." nodefault
-
- # RFC 4193: Unique Local IPv6 Unicast Addresses
- local-zone: "d.f.ip6.arpa." nodefault
-
- # RFC 2606: Reserved Top Level DNS Names
- local-zone: "test." nodefault
- domain-insecure: "test"
- domain-insecure: "example"
-
- # RFC 6762: Multicast DNS, Appendix G
- domain-insecure: "local"
- domain-insecure: "intranet"
- domain-insecure: "private"
- domain-insecure: "corp"
- domain-insecure: "home"
- domain-insecure: "lan"
-
- # draft-davies-internal-tld
- domain-insecure: "internal"
diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch
deleted file mode 100644
index da88960..0000000
--- a/unbound-fedora-config.patch
+++ /dev/null
@@ -1,120 +0,0 @@ -From 6e2d042505a006ab5fd703631661e68d1cdc66df Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= -Date: Fri, 15 Nov 2024 13:25:34 +0100 -Subject: [PATCH] Customize unbound.conf for Fedora defaults - -Set some Fedora/RHEL specific changes to example configuration file. By -patching upstream provided config file we would not need to manually -update external copy in source RPM. ---- - doc/example.conf.in | 33 +++++++++++++++++++++++++++++++-- - 1 file changed, 31 insertions(+), 2 deletions(-) - -diff --git a/doc/example.conf.in b/doc/example.conf.in -index 59090c6..3a86809 100644 ---- a/doc/example.conf.in -+++ b/doc/example.conf.in -@@ -8,6 +8,9 @@ - # Use this anywhere in the file to include other text into this file. - #include: "otherfile.conf" - -+# Default Fedora settings -+include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf" -+ - # Use this anywhere in the file to include other text, that explicitly starts a - # clause, into this file. Text after this directive needs to start a clause. - #include-toplevel: "otherfile.conf" -@@ -51,11 +51,19 @@ server: - # specify 0.0.0.0 and ::0 to bind to all available interfaces. - # specify every interface[@port] on a new 'interface:' labelled line. - # The listen interfaces are not changed on reload, only on restart. -+ # interface: 0.0.0.0 -+ # interface: ::0 - # interface: 192.0.2.153 - # interface: 192.0.2.154 - # interface: 192.0.2.154@5003 - # interface: 2001:DB8::5 - # interface: eth0@5003 -+ # -+ # for dns over tls and raw dns over port 80 -+ # interface: 0.0.0.0@443 -+ # interface: ::0@443 -+ # interface: 0.0.0.0@80 -+ # interface: ::0@80 - - # enable this feature to copy the source address of queries to reply. - # Socket options are not supported on all platforms. experimental. -@@ -285,6 +293,8 @@ server: - # nat64-prefix: 64:ff9b::0/96 - - # Enable UDP, "yes" or "no". 
-+ # NOTE: if setting up an Unbound on tls443 for public use, you might want to -+ # disable UDP to avoid being used in DNS amplification attacks. - # do-udp: yes - - # Enable TCP, "yes" or "no". -@@ -320,6 +330,9 @@ server: - # can be dropped. Default is 0, disabled. In seconds, such as 3. - # sock-queue-timeout: 0 - -+ # Fedora note: do not activate this - not compiled in because -+ # it causes frequent unbound crashes. Also, socket activation -+ # is bad when you have things like dnsmasq also running with libvirt. - # Use systemd socket activation for UDP, TCP, and control sockets. - # use-systemd: no - -@@ -906,6 +919,8 @@ server: - # you need to do the reverse notation yourself. - # local-data-ptr: "192.0.2.3 www.example.com" - -+ include: /etc/unbound/local.d/*.conf -+ - # tag a localzone with a list of tag names (in "" with spaces between) - # local-zone-tag: "example.com" "tag2 tag3" - -@@ -916,8 +931,8 @@ server: - # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. - # Give the certificate to use and private key. - # default is "" (disabled). requires restart to take effect. -- # tls-service-key: "path/to/privatekeyfile.key" -- # tls-service-pem: "path/to/publiccertfile.pem" -+ # tls-service-key: "/etc/unbound/unbound_server.key" -+ # tls-service-pem: "/etc/unbound/unbound_server.pem" - # tls-port: 853 - # https-port: 443 - # quic-port: 853 -@@ -1166,6 +1181,9 @@ remote-control: - # unbound-control certificate file. - # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem" - -+# Stub and Forward zones -+include: "@sysconfdir@/unbound/conf.d/*.conf" -+ - # Stub zones. - # Create entries like below, to make all queries for 'example.com' and - # 'example.org' go to the given list of nameservers. list zero or more -@@ -1186,6 +1207,10 @@ remote-control: - # name: "example.org" - # stub-host: ns.example.com. 
- -+# You can now also dynamically create and delete stub-zone's using -+# unbound-control stub_add domain.com 1.2.3.4 5.6.7.8 -+# unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8 -+ - # Forward zones - # Create entries like below, to make all queries for 'example.com' and - # 'example.org' go to the given list of servers. These servers have to handle -@@ -1203,6 +1228,10 @@ remote-control: - # forward-zone: - # name: "example.org" - # forward-host: fwd.example.com -+# -+# You can now also dynamically create and delete forward-zone's using -+# unbound-control forward_add domain.com 1.2.3.4 5.6.7.8 -+# unbound-control forward_remove domain.com 1.2.3.4 5.6.7.8 - - # Authority zones - # The data for these zones is kept locally, from a file or downloaded. --- -2.47.0 - diff --git a/unbound-initrd.conf b/unbound-initrd.conf deleted file mode 100644 index 7838b3d..0000000 --- a/unbound-initrd.conf +++ /dev/null @@ -1,5 +0,0 @@ -[Unit] -Before=network-online.target - -[Install] -WantedBy=network-online.target diff --git a/unbound-local-root.conf b/unbound-local-root.conf deleted file mode 100644 index 4ba5e9d..0000000 --- a/unbound-local-root.conf +++ /dev/null 
@@ -1,30 +0,0 @@
-# Authority zones
-# The data for these zones is kept locally, from a file or downloaded.
-# The data can be served to downstream clients, or used instead of the
-# upstream (which saves a lookup to the upstream).
-#
-# Download local root copy and answer TLD queries from it. Because
-# auth-zone has higher precedence, defined forward-zones to internal
-# only TLD will not work. Use stub-zone or disable this zone.
-# Good for a network-wide resolvers, worse for a localhost caching forwarder.
-auth-zone:
- name: "."
- primary: 170.247.170.2 # b.root-servers.net
- primary: 192.33.4.12 # c.root-servers.net
- primary: 199.7.91.13 # d.root-servers.net
- primary: 192.5.5.241 # f.root-servers.net
- primary: 192.112.36.4 # g.root-servers.net
- primary: 193.0.14.129 # k.root-servers.net
- primary: 192.0.47.132 # xfr.cjr.dns.icann.org
- primary: 192.0.32.132 # xfr.lax.dns.icann.org
- primary: 2801:1b8:10::b # b.root-servers.net
- primary: 2001:500:2::c # c.root-servers.net
- primary: 2001:500:2d::d # d.root-servers.net
- primary: 2001:500:2f::f # f.root-servers.net
- primary: 2001:500:12::d0d # g.root-servers.net
- primary: 2001:7fd::1 # k.root-servers.net
- primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
- primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org
- fallback-enabled: yes
- for-downstream: no
- for-upstream: yes
diff --git a/unbound.conf b/unbound.conf
new file mode 100644
index 0000000..b038b4a
--- /dev/null
+++ b/unbound.conf
@@ -0,0 +1,1363 @@ +# +# Example configuration file. +# +# See unbound.conf(5) man page +# +# this is a comment. + +# Use this anywhere in the file to include other text into this file. +#include: "otherfile.conf" + +# Use this anywhere in the file to include other text, that explicitly starts a +# clause, into this file. Text after this directive needs to start a clause. +#include-toplevel: "otherfile.conf" + +# The server clause sets the main parameters. +server: + # whitespace is not necessary, but looks cleaner. + + # verbosity number, 0 is least verbose. 1 is default. + verbosity: 1 + + # print statistics to the log (for every thread) every N seconds. + # Set to "" or 0 to disable. Default is disabled. + # Needs to be disabled for munin plugin + statistics-interval: 0 + + # enable shm for stats, default no. if you enable also enable + # statistics-interval, every time it also writes stats to the + # shared memory segment keyed with shm-key. + # shm-enable: no + + # shm for stats uses this key, and key+1 for the shared mem segment. + # shm-key: 11777 + + # enable cumulative statistics, without clearing them after printing. + # Needs to be disabled for munin plugin + statistics-cumulative: no + + # enable extended statistics (query types, answer codes, status) + # printed from unbound-control. default off, because of speed. + # Needs to be enabled for munin plugin + extended-statistics: yes + + # Inhibits selected extended statistics (qtype, qclass, qopcode, rcode, + # rpz-actions) from printing if their value is 0. + # Default on. + # statistics-inhibit-zero: yes + + # number of threads to create. 1 disables threading. + num-threads: 4 + + # specify the interfaces to answer queries from by ip-address. + # The default is to listen to localhost (127.0.0.1 and ::1). + # specify 0.0.0.0 and ::0 to bind to all available interfaces. + # specify every interface[@port] on a new 'interface:' labelled line. 
+ # The listen interfaces are not changed on reload, only on restart. + # interface: 0.0.0.0 + # interface: ::0 + # interface: 192.0.2.153 + # interface: 192.0.2.154 + # interface: 192.0.2.154@5003 + # interface: 2001:DB8::5 + # + # for dns over tls and raw dns over port 80 + # interface: 0.0.0.0@443 + # interface: ::0@443 + # interface: 0.0.0.0@80 + # interface: ::0@80 + + # enable this feature to copy the source address of queries to reply. + # Socket options are not supported on all platforms. experimental. + # interface-automatic: yes + # + # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0 + # NOTE: Disabled per Fedora policy not to listen to * on default install + # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled + interface-automatic: no + + # instead of the default port, open additional ports separated by + # spaces when interface-automatic is enabled, by listing them here. + # interface-automatic-ports: "" + + # port to answer queries from + # port: 53 + + # specify the interfaces to send outgoing queries to authoritative + # server from by ip-address. If none, the default (all) interface + # is used. Specify every interface on a 'outgoing-interface:' line. + # outgoing-interface: 192.0.2.153 + # outgoing-interface: 2001:DB8::5 + # outgoing-interface: 2001:DB8::6 + + # Specify a netblock to use remainder 64 bits as random bits for + # upstream queries. Uses freebind option (Linux). + # outgoing-interface: 2001:DB8::/64 + # Also (Linux:) ip -6 addr add 2001:db8::/64 dev lo + # And: ip -6 route add local 2001:db8::/64 dev lo + # And set prefer-ip6: yes to use the ip6 randomness from a netblock. + # Set this to yes to prefer ipv6 upstream servers over ipv4. + # prefer-ip6: no + + # Prefer ipv4 upstream servers, even if ipv6 is available. + # prefer-ip4: no + + # number of ports to allocate per thread, determines the size of the + # port range that can be open simultaneously. 
About double the + # num-queries-per-thread, or, use as many as the OS will allow you. + # outgoing-range: 4096 + + # permit Unbound to use this port number or port range for + # making outgoing queries, using an outgoing interface. + # Only ephemeral ports are allowed by SElinux + outgoing-port-permit: 32768-60999 + + # deny Unbound the use this of port number or port range for + # making outgoing queries, using an outgoing interface. + # Use this to make sure Unbound does not grab a UDP port that some + # other server on this computer needs. The default is to avoid + # IANA-assigned port numbers. + # If multiple outgoing-port-permit and outgoing-port-avoid options + # are present, they are processed in order. + # Our SElinux policy does not allow non-ephemeral ports to be used + outgoing-port-avoid: 0-32767 + outgoing-port-avoid: 61000-65535 + + # number of outgoing simultaneous tcp buffers to hold per thread. + # outgoing-num-tcp: 10 + + # number of incoming simultaneous tcp buffers to hold per thread. + # incoming-num-tcp: 10 + + # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). + # 0 is system default. Use 4m to catch query spikes for busy servers. + # so-rcvbuf: 0 + + # buffer size for UDP port 53 outgoing (SO_SNDBUF socket option). + # 0 is system default. Use 4m to handle spikes on very busy servers. + # so-sndbuf: 0 + + # use SO_REUSEPORT to distribute queries over threads. + # at extreme load it could be better to turn it off to distribute even. + so-reuseport: yes + + # use IP_TRANSPARENT so the interface: addresses can be non-local + # and you can config non-existing IPs that are going to work later on + # (uses IP_BINDANY on FreeBSD). + ip-transparent: yes + + # use IP_FREEBIND so the interface: addresses can be non-local + # and you can bind to nonexisting IPs and interfaces that are down. + # Linux only. On Linux you also have ip-transparent that is similar. 
+ # ip-freebind: no + + # the value of the Differentiated Services Codepoint (DSCP) + # in the differentiated services field (DS) of the outgoing + # IP packets + # ip-dscp: 0 + + # EDNS reassembly buffer to advertise to UDP peers (the actual buffer + # is set with msg-buffer-size). + # edns-buffer-size: 1232 + + # Maximum UDP response size (not applied to TCP response). + # Suggested values are 512 to 4096. Default is 1232. 65536 disables it. + # max-udp-size: 1232 + + # max memory to use for stream(tcp and tls) waiting result buffers. + # stream-wait-size: 4m + + # buffer size for handling DNS data. No messages larger than this + # size can be sent or received, by UDP or TCP. In bytes. + # msg-buffer-size: 65552 + + # the amount of memory to use for the message cache. + # plain value in bytes or you can append k, m or G. default is "4Mb". + # msg-cache-size: 4m + + # the number of slabs to use for the message cache. + # the number of slabs must be a power of 2. + # more slabs reduce lock contention, but fragment memory usage. + # msg-cache-slabs: 4 + + # the number of queries that a thread gets to service. + # num-queries-per-thread: 1024 + + # if very busy, 50% queries run to completion, 50% get timeout in msec + # jostle-timeout: 200 + + # msec to wait before close of port on timeout UDP. 0 disables. + # delay-close: 0 + + # perform connect for UDP sockets to mitigate ICMP side channel. + # udp-connect: yes + + # The number of retries, per upstream nameserver in a delegation, when + # a throwaway response (also timeouts) is received. + # outbound-msg-retry: 5 + + # Hard limit on the number of outgoing queries Unbound will make while + # resolving a name, making sure large NS sets do not loop. + # It resets on query restarts (e.g., CNAME) and referrals. + # max-sent-count: 32 + + # Hard limit on the number of times Unbound is allowed to restart a + # query upon encountering a CNAME record. 
+ # max-query-restarts: 11 + + # msec for waiting for an unknown server to reply. Increase if you + # are behind a slow satellite link, to eg. 1128. + # unknown-server-time-limit: 376 + + # the amount of memory to use for the RRset cache. + # plain value in bytes or you can append k, m or G. default is "4Mb". + # rrset-cache-size: 4m + + # the number of slabs to use for the RRset cache. + # the number of slabs must be a power of 2. + # more slabs reduce lock contention, but fragment memory usage. + # rrset-cache-slabs: 4 + + # the time to live (TTL) value lower bound, in seconds. Default 0. + # If more than an hour could easily give trouble due to stale data. + # cache-min-ttl: 0 + + # the time to live (TTL) value cap for RRsets and messages in the + # cache. Items are not cached for longer. In seconds. + # cache-max-ttl: 86400 + + # the time to live (TTL) value cap for negative responses in the cache + # cache-max-negative-ttl: 3600 + + # the time to live (TTL) value for cached roundtrip times, lameness and + # EDNS version information for hosts. In seconds. + # infra-host-ttl: 900 + + # minimum wait time for responses, increase if uplink is long. In msec. + # infra-cache-min-rtt: 50 + + # maximum wait time for responses. In msec. + # infra-cache-max-rtt: 120000 + + # enable to make server probe down hosts more frequently. + # infra-keep-probing: no + + # the number of slabs to use for the Infrastructure cache. + # the number of slabs must be a power of 2. + # more slabs reduce lock contention, but fragment memory usage. + # infra-cache-slabs: 4 + + # the maximum number of hosts that are cached (roundtrip, EDNS, lame). + # infra-cache-numhosts: 10000 + + # define a number of tags here, use with local-zone, access-control, + # interface-*. + # repeat the define-tag statement to add additional tags. + # define-tag: "tag1 tag2 tag3" + + # Enable IPv4, "yes" or "no". + # do-ip4: yes + + # Enable IPv6, "yes" or "no". 
+ # do-ip6: yes + + # If running unbound on an IPv6-only host, domains that only have + # IPv4 servers would become unresolveable. If NAT64 is available in + # the network, unbound can use NAT64 to reach these servers with + # the following option. This is NOT needed for enabling DNS64 on a + # system that has IPv4 connectivity. + # Consider also enabling prefer-ip6 to prefer native IPv6 connections + # to nameservers. + # do-nat64: no + + # NAT64 prefix. Defaults to using dns64-prefix value. + # nat64-prefix: 64:ff9b::0/96 + + # Enable UDP, "yes" or "no". + # NOTE: if setting up an Unbound on tls443 for public use, you might want to + # disable UDP to avoid being used in DNS amplification attacks. + # do-udp: yes + + # Enable TCP, "yes" or "no". + # do-tcp: yes + + # upstream connections use TCP only (and no UDP), "yes" or "no" + # useful for tunneling scenarios, default no. + # tcp-upstream: no + + # upstream connections also use UDP (even if do-udp is no). + # useful if if you want UDP upstream, but don't provide UDP downstream. + # udp-upstream-without-downstream: no + + # Maximum segment size (MSS) of TCP socket on which the server + # responds to queries. Default is 0, system default MSS. + # tcp-mss: 0 + + # Maximum segment size (MSS) of TCP socket for outgoing queries. + # Default is 0, system default MSS. + # outgoing-tcp-mss: 0 + + # Idle TCP timeout, connection closed in milliseconds + # tcp-idle-timeout: 30000 + + # Enable EDNS TCP keepalive option. + edns-tcp-keepalive: yes + + # Timeout for EDNS TCP keepalive, in msec. + # edns-tcp-keepalive-timeout: 120000 + + # UDP queries that have waited in the socket buffer for a long time + # can be dropped. Default is 0, disabled. In seconds, such as 3. + # sock-queue-timeout: 0 + + # Fedora note: do not activate this - not compiled in because + # it causes frequent unbound crashes. Also, socket activation + # is bad when you have things like dnsmasq also running with libvirt. 
+ # Use systemd socket activation for UDP, TCP, and control sockets. + # use-systemd: no + + # Detach from the terminal, run in background, "yes" or "no". + # Set the value to "no" when Unbound runs as systemd service. + # do-daemonize: yes + + # control which clients are allowed to make (recursive) queries + # to this server. Specify classless netblocks with /size and action. + # By default everything is refused, except for localhost. + # Choose deny (drop message), refuse (polite error reply), + # allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on), + # allow_snoop (recursive and nonrecursive ok) + # deny_non_local (drop queries unless can be answered from local-data) + # refuse_non_local (like deny_non_local but polite error reply). + # access-control: 127.0.0.0/8 allow + # access-control: ::1 allow + # access-control: ::ffff:127.0.0.1 allow + + # tag access-control with list of tags (in "" with spaces between) + # Clients using this access control element use localzones that + # are tagged with one of these tags. + # access-control-tag: 192.0.2.0/24 "tag2 tag3" + + # set action for particular tag for given access control element. + # if you have multiple tag values, the tag used to lookup the action + # is the first tag match between access-control-tag and local-zone-tag + # where "first" comes from the order of the define-tag values. + # access-control-tag-action: 192.0.2.0/24 tag3 refuse + + # set redirect data for particular tag for access control element + # access-control-tag-data: 192.0.2.0/24 tag2 "A 127.0.0.1" + + # Set view for access control element + # access-control-view: 192.0.2.0/24 viewname + + # Similar to 'access-control:' but for interfaces. + # Control which listening interfaces are allowed to accept (recursive) + # queries for this server. + # The specified interfaces should be the same as the ones specified in + # 'interface:' followed by the action. + # The actions are the same as 'access-control:' above. 
+ # By default all the interfaces configured are refused. + # Note: any 'access-control*:' setting overrides all 'interface-*:' + # settings for targeted clients. + # interface-action: 192.0.2.153 allow + # interface-action: 192.0.2.154 allow + # interface-action: 192.0.2.154@5003 allow + # interface-action: 2001:DB8::5 allow + # interface-action: eth0@5003 allow + + # Similar to 'access-control-tag:' but for interfaces. + # Tag interfaces with a list of tags (in "" with spaces between). + # Interfaces using these tags use localzones that are tagged with one + # of these tags. + # The specified interfaces should be the same as the ones specified in + # 'interface:' followed by the list of tags. + # Note: any 'access-control*:' setting overrides all 'interface-*:' + # settings for targeted clients. + # interface-tag: eth0@5003 "tag2 tag3" + + # Similar to 'access-control-tag-action:' but for interfaces. + # Set action for particular tag for a given interface element. + # If you have multiple tag values, the tag used to lookup the action + # is the first tag match between interface-tag and local-zone-tag + # where "first" comes from the order of the define-tag values. + # The specified interfaces should be the same as the ones specified in + # 'interface:' followed by the tag and action. + # Note: any 'access-control*:' setting overrides all 'interface-*:' + # settings for targeted clients. + # interface-tag-action: eth0@5003 tag3 refuse + + # Similar to 'access-control-tag-data:' but for interfaces. + # Set redirect data for a particular tag for an interface element. + # The specified interfaces should be the same as the ones specified in + # 'interface:' followed by the tag and the redirect data. + # Note: any 'access-control*:' setting overrides all 'interface-*:' + # settings for targeted clients. + # interface-tag-data: eth0@5003 tag2 "A 127.0.0.1" + + # Similar to 'access-control-view:' but for interfaces. + # Set view for an interface element. 
+ # The specified interfaces should be the same as the ones specified in + # 'interface:' followed by the view name. + # Note: any 'access-control*:' setting overrides all 'interface-*:' + # settings for targeted clients. + # interface-view: eth0@5003 viewname + + # if given, a chroot(2) is done to the given directory. + # i.e. you can chroot to the working directory, for example, + # for extra security, but make sure all files are in that directory. + # + # If chroot is enabled, you should pass the configfile (from the + # commandline) as a full path from the original root. After the + # chroot has been performed the now defunct portion of the config + # file path is removed to be able to reread the config after a reload. + # + # All other file paths (working dir, logfile, roothints, and + # key files) can be specified in several ways: + # o as an absolute path relative to the new root. + # o as a relative path to the working directory. + # o as an absolute path relative to the original root. + # In the last case the path is adjusted to remove the unused portion. + # + # The pid file can be absolute and outside of the chroot, it is + # written just prior to performing the chroot and dropping permissions. + # + # Additionally, Unbound may need to access /dev/urandom (for entropy). + # How to do this is specific to your OS. + # + # If you give "" no chroot is performed. The path must not end in a /. + # chroot: "/var/lib/unbound" + chroot: "" + + # if given, user privileges are dropped (after binding port), + # and the given username is assumed. Default is user "unbound". + # If you give "" no privileges are dropped. + username: "unbound" + + # the working directory. The relative files in this config are + # relative to this directory. If you give "" the working directory + # is not changed. + # If you give a server: directory: dir before include: file statements + # then those includes can be relative to the working directory. 
+ directory: "/etc/unbound" + + # the log file, "" means log to stderr. + # Use of this option sets use-syslog to "no". + # logfile: "" + + # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to + # log to. If yes, it overrides the logfile. + # use-syslog: yes + + # Log identity to report. if empty, defaults to the name of argv[0] + # (usually "unbound"). + # log-identity: "" + + # print UTC timestamp in ascii to logfile, default is epoch in seconds. + log-time-ascii: yes + + # print one line with time, IP, name, type, class for every query. + # log-queries: no + + # print one line per reply, with time, IP, name, type, class, rcode, + # timetoresolve, fromcache and responsesize. + # log-replies: no + + # log with tag 'query' and 'reply' instead of 'info' for + # filtering log-queries and log-replies from the log. + # log-tag-queryreply: no + + # log the local-zone actions, like local-zone type inform is enabled + # also for the other local zone types. + # log-local-actions: no + + # print log lines that say why queries return SERVFAIL to clients. + # log-servfail: no + + # the pid file. Can be an absolute path outside of chroot/work dir. + pidfile: "/var/run/unbound/unbound.pid" + + # file to read root hints from. + # get one from https://www.internic.net/domain/named.cache + # root-hints: "" + + # enable to not answer id.server and hostname.bind queries. + # hide-identity: no + + # enable to not answer version.server and version.bind queries. + # hide-version: no + + # enable to not answer trustanchor.unbound queries. + # hide-trustanchor: no + + # enable to not set the User-Agent HTTP header. + # hide-http-user-agent: no + + # the identity to report. Leave "" or default to return hostname. + # identity: "" + + # the version to report. Leave "" or default to return package version. + # version: "" + + # NSID identity (hex string, or "ascii_somestring"). default disabled. + # nsid: "aabbccdd" + + # User-Agent HTTP header to use. 
Leave "" or default to use package name + # and version. + # http-user-agent: "" + + # the target fetch policy. + # series of integers describing the policy per dependency depth. + # The number of values in the list determines the maximum dependency + # depth the recursor will pursue before giving up. Each integer means: + # -1 : fetch all targets opportunistically, + # 0: fetch on demand, + # positive value: fetch that many targets opportunistically. + # Enclose the list of numbers between quotes (""). + # target-fetch-policy: "3 2 1 0 0" + + # Harden against very small EDNS buffer sizes. + # harden-short-bufsize: yes + + # Harden against unseemly large queries. + # harden-large-queries: no + + # Harden against out of zone rrsets, to avoid spoofing attempts. + harden-glue: yes + + # Harden against receiving dnssec-stripped data. If you turn it + # off, failing to validate dnskey data for a trustanchor will + # trigger insecure mode for that zone (like without a trustanchor). + # Default on, which insists on dnssec data for trust-anchored zones. + harden-dnssec-stripped: yes + + # Harden against queries that fall under dnssec-signed nxdomain names. + harden-below-nxdomain: yes + + # Harden the referral path by performing additional queries for + # infrastructure data. Validates the replies (if possible). + # Default off, because the lookups burden the server. Experimental + # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. + harden-referral-path: yes + + # Harden against algorithm downgrade when multiple algorithms are + # advertised in the DS record. If no, allows the weakest algorithm + # to validate the zone. + # harden-algo-downgrade: no + + # Harden against unknown records in the authority section and the + # additional section. + # harden-unknown-additional: no + + # Sent minimum amount of information to upstream servers to enhance + # privacy. Only sent minimum required labels of the QNAME and set QTYPE + # to A when possible. 
+ qname-minimisation: yes + + # QNAME minimisation in strict mode. Do not fall-back to sending full + # QNAME to potentially broken nameservers. A lot of domains will not be + # resolvable when this option in enabled. + # This option only has effect when qname-minimisation is enabled. + # qname-minimisation-strict: no + + # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN + # and other denials, using information from previous NXDOMAINs answers. + aggressive-nsec: yes + + # Use 0x20-encoded random bits in the query to foil spoof attempts. + # This feature is an experimental implementation of draft dns-0x20. + # use-caps-for-id: no + + # Domains (and domains in them) without support for dns-0x20 and + # the fallback fails because they keep sending different answers. + # caps-exempt: "licdn.com" + # caps-exempt: "senderbase.org" + + # Enforce privacy of these addresses. Strips them away from answers. + # It may cause DNSSEC validation to additionally mark it as bogus. + # Protects against 'DNS Rebinding' (uses browser as network proxy). + # Only 'private-domain' and 'local-data' names are allowed to have + # these private addresses. No default. + # private-address: 10.0.0.0/8 + # private-address: 172.16.0.0/12 + # private-address: 192.168.0.0/16 + # private-address: 169.254.0.0/16 + # private-address: fd00::/8 + # private-address: fe80::/10 + # private-address: ::ffff:0:0/96 + + # Allow the domain (and its subdomains) to contain private addresses. + # local-data statements are allowed to contain private addresses too. + # private-domain: "example.com" + + # If nonzero, unwanted replies are not only reported in statistics, + # but also a running total is kept per thread. If it reaches the + # threshold, a warning is printed and a defensive action is taken, + # the cache is cleared to flush potential poison out of it. + # A suggested value is 10000000, the default is 0 (turned off). 
+ unwanted-reply-threshold: 10000000 + + # Do not query the following addresses. No DNS queries are sent there. + # List one address per entry. List classless netblocks with /size, + # do-not-query-address: 127.0.0.1/8 + # do-not-query-address: ::1 + + # if yes, the above default do-not-query-address entries are present. + # if no, localhost can be queried (for testing and debugging). + # do-not-query-localhost: yes + + # if yes, perform prefetching of almost expired message cache entries. + prefetch: yes + + # if yes, perform key lookups adjacent to normal lookups. + prefetch-key: yes + + # deny queries of type ANY with an empty response. + deny-any: yes + + # if yes, Unbound rotates RRSet order in response. + rrset-roundrobin: yes + + # if yes, Unbound doesn't insert authority/additional sections + # into response messages when those sections are not required. + minimal-responses: yes + + # true to disable DNSSEC lameness check in iterator. + # disable-dnssec-lame-check: no + + # module configuration of the server. A string with identifiers + # separated by spaces. Syntax: "[dns64] [validator] iterator" + # most modules have to be listed at the beginning of the line, + # except cachedb(just before iterator), and python (at the beginning, + # or, just before the iterator). + # For redis cachedb use: + # "ipsecmod validator cachedb iterator" + module-config: "ipsecmod validator iterator" + + # File with trusted keys, kept uptodate using RFC5011 probes, + # initial file like trust-anchor-file, then it stores metadata. + # Use several entries, one per domain name, to track multiple zones. + # + # If you want to perform DNSSEC validation, run unbound-anchor before + # you start Unbound (i.e. in the system boot scripts). + # And then enable the auto-trust-anchor-file config item. + # Please note usage of unbound-anchor root anchor is at your own risk + # and under the terms of our LICENSE (see that file in the source). 
+ # auto-trust-anchor-file: "/var/lib/unbound/root.key" + + # trust anchor signaling sends a RFC8145 key tag query after priming. + trust-anchor-signaling: yes + + # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel) + root-key-sentinel: yes + + # File with trusted keys for validation. Specify more than one file + # with several entries, one file per entry. + # Zone file format, with DS and DNSKEY entries. + # Note this gets out of date, use auto-trust-anchor-file please. + # trust-anchor-file: "" + + # Trusted key for validation. DS or DNSKEY. specify the RR on a + # single line, surrounded by "". TTL is ignored. class is IN default. + # Note this gets out of date, use auto-trust-anchor-file please. + # (These examples are from August 2007 and may not be valid anymore). + # trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ==" + # trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A" + + # File with trusted keys for validation. Specify more than one file + # with several entries, one file per entry. Like trust-anchor-file + # but has a different file format. Format is BIND-9 style format, + # the trusted-keys { name flag proto algo "key"; }; clauses are read. + # you need external update procedures to track changes in keys. + # trusted-keys-file: "" + # + trusted-keys-file: /etc/unbound/keys.d/*.key + auto-trust-anchor-file: "/var/lib/unbound/root.key" + + # Ignore chain of trust. Domain is treated as insecure. + # domain-insecure: "example.com" + + # Override the date for validation with a specific fixed date. + # Do not set this unless you are debugging signature inception + # and expiration. "" or "0" turns the feature off. -1 ignores date. + # val-override-date: "" + + # The time to live for bogus data, rrsets and messages. 
This avoids + # some of the revalidation, until the time interval expires. in secs. + # val-bogus-ttl: 60 + + # The signature inception and expiration dates are allowed to be off + # by 10% of the signature lifetime (expir-incep) from our local clock. + # This leeway is capped with a minimum and a maximum. In seconds. + # val-sig-skew-min: 3600 + # val-sig-skew-max: 86400 + + # The maximum number the validator should restart validation with + # another authority in case of failed validation. + # val-max-restart: 5 + + # Should additional section of secure message also be kept clean of + # unsecure data. Useful to shield the users of this validator from + # potential bogus data in the additional section. All unsigned data + # in the additional section is removed from secure messages. + val-clean-additional: yes + + # Turn permissive mode on to permit bogus messages. Thus, messages + # for which security checks failed will be returned to clients, + # instead of SERVFAIL. It still performs the security checks, which + # result in interesting log files and possibly the AD bit in + # replies if the message is found secure. The default is off. + # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY + val-permissive-mode: no + + # Ignore the CD flag in incoming queries and refuse them bogus data. + # Enable it if the only clients of Unbound are legacy servers (w2008) + # that set CD but cannot validate themselves. + # ignore-cd-flag: no + + # Serve expired responses from cache, with serve-expired-reply-ttl in + # the response, and then attempt to fetch the data afresh. + serve-expired: yes + # + # Limit serving of expired responses to configured seconds after + # expiration. 0 disables the limit. + serve-expired-ttl: 14400 + # + # Set the TTL of expired records to the serve-expired-ttl value after a + # failed attempt to retrieve the record from upstream. This makes sure + # that the expired records will be served as long as there are queries + # for it. 
+ # serve-expired-ttl-reset: no + # + # TTL value to use when replying with expired data. + # serve-expired-reply-ttl: 30 + # + # Time in milliseconds before replying to the client with expired data. + # This essentially enables the serve-stale behavior as specified in + # RFC 8767 that first tries to resolve before + # immediately responding with expired data. 0 disables this behavior. + # A recommended value is 1800. + # serve-expired-client-timeout: 0 + + # Return the original TTL as received from the upstream name server rather + # than the decrementing TTL as stored in the cache. Enabling this feature + # does not impact cache expiry, it only changes the TTL Unbound embeds in + # responses to queries. Note that enabling this feature implicitly disables + # enforcement of the configured minimum and maximum TTL. + # serve-original-ttl: no + + # Have the validator log failed validations for your diagnosis. + # 0: off. 1: A line per failed user query. 2: With reason and bad IP. + val-log-level: 1 + + # It is possible to configure NSEC3 maximum iteration counts per + # keysize. Keep this table very short, as linear search is done. + # A message with an NSEC3 with larger count is marked insecure. + # List in ascending order the keysize and count values. + # val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150" + + # if enabled, ZONEMD verification failures do not block the zone. + # zonemd-permissive-mode: no + + # instruct the auto-trust-anchor-file probing to add anchors after ttl. + # add-holddown: 2592000 # 30 days + + # instruct the auto-trust-anchor-file probing to del anchors after ttl. + # del-holddown: 2592000 # 30 days + + # auto-trust-anchor-file probing removes missing anchors after ttl. + # If the value 0 is given, missing anchors are not removed. + # keep-missing: 31622400 # 366 days + + # debug option that allows very small holddown times for key rollover, + # otherwise the RFC mandates probe intervals must be at least 1 hour. 
+ # permit-small-holddown: no + + # the amount of memory to use for the key cache. + # plain value in bytes or you can append k, m or G. default is "4Mb". + # key-cache-size: 4m + + # the number of slabs to use for the key cache. + # the number of slabs must be a power of 2. + # more slabs reduce lock contention, but fragment memory usage. + # key-cache-slabs: 4 + + # the amount of memory to use for the negative cache. + # plain value in bytes or you can append k, m or G. default is "1Mb". + # neg-cache-size: 1m + + # By default, for a number of zones a small default 'nothing here' + # reply is built-in. Query traffic is thus blocked. If you + # wish to serve such zone you can unblock them by uncommenting one + # of the nodefault statements below. + # You may also have to use domain-insecure: zone to make DNSSEC work, + # unless you have your own trust anchors for this zone. + # local-zone: "localhost." nodefault + # local-zone: "127.in-addr.arpa." nodefault + # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault + # local-zone: "home.arpa." nodefault + # local-zone: "onion." nodefault + # local-zone: "test." nodefault + # local-zone: "invalid." nodefault + # local-zone: "10.in-addr.arpa." nodefault + # local-zone: "16.172.in-addr.arpa." nodefault + # local-zone: "17.172.in-addr.arpa." nodefault + # local-zone: "18.172.in-addr.arpa." nodefault + # local-zone: "19.172.in-addr.arpa." nodefault + # local-zone: "20.172.in-addr.arpa." nodefault + # local-zone: "21.172.in-addr.arpa." nodefault + # local-zone: "22.172.in-addr.arpa." nodefault + # local-zone: "23.172.in-addr.arpa." nodefault + # local-zone: "24.172.in-addr.arpa." nodefault + # local-zone: "25.172.in-addr.arpa." nodefault + # local-zone: "26.172.in-addr.arpa." nodefault + # local-zone: "27.172.in-addr.arpa." nodefault + # local-zone: "28.172.in-addr.arpa." nodefault + # local-zone: "29.172.in-addr.arpa." nodefault + # local-zone: "30.172.in-addr.arpa." 
nodefault + # local-zone: "31.172.in-addr.arpa." nodefault + # local-zone: "168.192.in-addr.arpa." nodefault + # local-zone: "0.in-addr.arpa." nodefault + # local-zone: "254.169.in-addr.arpa." nodefault + # local-zone: "2.0.192.in-addr.arpa." nodefault + # local-zone: "100.51.198.in-addr.arpa." nodefault + # local-zone: "113.0.203.in-addr.arpa." nodefault + # local-zone: "255.255.255.255.in-addr.arpa." nodefault + # local-zone: "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault + # local-zone: "d.f.ip6.arpa." nodefault + # local-zone: "8.e.f.ip6.arpa." nodefault + # local-zone: "9.e.f.ip6.arpa." nodefault + # local-zone: "a.e.f.ip6.arpa." nodefault + # local-zone: "b.e.f.ip6.arpa." nodefault + # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault + # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa. + + # Add example.com into ipset + # local-zone: "example.com" ipset + + # If Unbound is running service for the local host then it is useful + # to perform lan-wide lookups to the upstream, and unblock the + # long list of local-zones above. If this Unbound is a dns server + # for a network of computers, disabled is better and stops information + # leakage of local lan information. + # unblock-lan-zones: no + + # The insecure-lan-zones option disables validation for + # these zones, as if they were all listed as domain-insecure. + # insecure-lan-zones: no + + # a number of locally served zones can be configured. + # local-zone: + # local-data: "" + # o deny serves local data (if any), else, drops queries. + # o refuse serves local data (if any), else, replies with error. + # o static serves local data, else, nxdomain or nodata answer. + # o transparent gives local data, but resolves normally for other names + # o redirect serves the zone data for any subdomain in the zone. + # o nodefault can be used to normally resolve AS112 zones. 
+ # o typetransparent resolves normally for other types and other names + # o inform acts like transparent, but logs client IP address + # o inform_deny drops queries and logs client IP address + # o inform_redirect redirects queries and logs client IP address + # o always_transparent, always_refuse, always_nxdomain, always_nodata, + # always_deny resolve in that way but ignore local data for + # that name + # o block_a resolves all records normally but returns + # NODATA for A queries and ignores local data for that name + # o always_null returns 0.0.0.0 or ::0 for any name in the zone. + # o noview breaks out of that view towards global local-zones. + # + # defaults are localhost address, reverse for 127.0.0.1 and ::1 + # and nxdomain for AS112 zones. If you configure one of these zones + # the default content is omitted, or you can omit it with 'nodefault'. + # + # If you configure local-data without specifying local-zone, by + # default a transparent local-zone is created for the data. + # + # You can add locally served data with + # local-zone: "local." static + # local-data: "mycomputer.local. IN A 192.0.2.51" + # local-data: 'mytext.local TXT "content of text record"' + # + # You can override certain queries with + # local-data: "adserver.example.com A 127.0.0.1" + # + # You can redirect a domain to a fixed address with + # (this makes example.com, www.example.com, etc, all go to 192.0.2.3) + # local-zone: "example.com" redirect + # local-data: "example.com A 192.0.2.3" + # + # Shorthand to make PTR records, "IPv4 name" or "IPv6 name". + # You can also add PTR records using local-data directly, but then + # you need to do the reverse notation yourself. 
+ # local-data-ptr: "192.0.2.3 www.example.com" + + include: /etc/unbound/local.d/*.conf + + # tag a localzone with a list of tag names (in "" with spaces between) + # local-zone-tag: "example.com" "tag2 tag3" + + # add a netblock specific override to a localzone, with zone type + # local-zone-override: "example.com" 192.0.2.0/24 refuse + + # service clients over TLS (on the TCP sockets) with plain DNS inside + # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. + # Give the certificate to use and private key. + # default is "" (disabled). requires restart to take effect. + # tls-service-key: "/etc/unbound/unbound_server.key" + # tls-service-pem: "/etc/unbound/unbound_server.pem" + # tls-port: 853 + # https-port: 443 + + # cipher setting for TLSv1.2 + # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" + # cipher setting for TLSv1.3 + # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" + # Fedora/RHEL: use system-wide crypto policies + tls-ciphers: "PROFILE=SYSTEM" + # TODO: ask system-wide crypto people what to use here + #tls-ciphersuites: "PROFILE=SYSTEM" # does not work + + # Pad responses to padded queries received over TLS + # pad-responses: yes + + # Padded responses will be padded to the closest multiple of this size. + # pad-responses-block-size: 468 + + # Use the SNI extension for TLS connections. Default is yes. + # Changing the value requires a reload. + # tls-use-sni: yes + + # Add the secret file for TLS Session Ticket. + # Secret file must be 80 bytes of random data. + # First key use to encrypt and decrypt TLS session tickets. + # Other keys use to decrypt only. + # requires restart to take effect. 
+ # tls-session-ticket-keys: "path/to/secret_file1" + # tls-session-ticket-keys: "path/to/secret_file2" + + # request upstream over TLS (with plain DNS inside the TLS stream). + # Default is no. Can be turned on and off with unbound-control. + # tls-upstream: no + + # Certificates used to authenticate connections made upstream. + # tls-cert-bundle: "" + + # Add system certs to the cert bundle, from the Windows Cert Store + # tls-win-cert: no + # and on other systems, the default openssl certificates + # tls-system-cert: no + + # Pad queries over TLS upstreams + # pad-queries: yes + + # Padded queries will be padded to the closest multiple of this size. + # pad-queries-block-size: 128 + + # Also serve tls on these port numbers (eg. 443, ...), by listing + # tls-additional-port: portno for each of the port numbers. + + # HTTP endpoint to provide DNS-over-HTTPS service on. + # http-endpoint: "/dns-query" + + # HTTP/2 SETTINGS_MAX_CONCURRENT_STREAMS value to use. + # http-max-streams: 100 + + # Maximum number of bytes used for all HTTP/2 query buffers. + # http-query-buffer-size: 4m + + # Maximum number of bytes used for all HTTP/2 response buffers. + # http-response-buffer-size: 4m + + # Set TCP_NODELAY socket option on sockets used for DNS-over-HTTPS + # service. + # http-nodelay: yes + + # Disable TLS for DNS-over-HTTP downstream service. + # http-notls-downstream: no + + # The interfaces that use these listed port numbers will support and + # expect PROXYv2. For UDP and TCP/TLS interfaces. + # proxy-protocol-port: portno for each of the port numbers. + + # DNS64 prefix. Must be specified when DNS64 is use. + # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4. + # dns64-prefix: 64:ff9b::0/96 + + # DNS64 ignore AAAA records for these domains and use A instead. + # dns64-ignore-aaaa: "example.com" + + # ratelimit for uncached, new queries, this limits recursion effort. + # ratelimiting is experimental, and may help against randomqueryflood. 
+ # if 0(default) it is disabled, otherwise state qps allowed per zone. + # ratelimit: 0 + + # ratelimits are tracked in a cache, size in bytes of cache (or k,m). + # ratelimit-size: 4m + # ratelimit cache slabs, reduces lock contention if equal to cpucount. + # ratelimit-slabs: 4 + + # 0 blocks when ratelimited, otherwise let 1/xth traffic through + # ratelimit-factor: 10 + + # Aggressive rate limit when the limit is reached and until demand has + # decreased in a 2 second rate window. + # ratelimit-backoff: no + + # override the ratelimit for a specific domain name. + # give this setting multiple times to have multiple overrides. + # ratelimit-for-domain: example.com 1000 + # override the ratelimits for all domains below a domain name + # can give this multiple times, the name closest to the zone is used. + # ratelimit-below-domain: com 1000 + + # global query ratelimit for all ip addresses. + # feature is experimental. + # if 0(default) it is disabled, otherwise states qps allowed per ip address + # ip-ratelimit: 0 + + # ip ratelimits are tracked in a cache, size in bytes of cache (or k,m). + # ip-ratelimit-size: 4m + # ip ratelimit cache slabs, reduces lock contention if equal to cpucount. + # ip-ratelimit-slabs: 4 + + # 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through + # ip-ratelimit-factor: 10 + + # Aggressive rate limit when the limit is reached and until demand has + # decreased in a 2 second rate window. + # ip-ratelimit-backoff: no + + # Limit the number of connections simultaneous from a netblock + # tcp-connection-limit: 192.0.2.0/24 12 + + # select from the fastest servers this many times out of 1000. 0 means + # the fast server select is disabled. prefetches are not sped up. + # fast-server-permil: 0 + # the number of servers that will be used in the fast server selection. + # fast-server-num: 3 + + # Enable to attach Extended DNS Error codes (RFC8914) to responses. 
+ ede: yes + + # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale + # Answer as EDNS0 option to expired responses. + # Note that the ede option above needs to be enabled for this to work. + ede-serve-expired: yes + + # Specific options for ipsecmod. Unbound needs to be configured with + # --enable-ipsecmod for these to take effect. + # + # Enable or disable ipsecmod (it still needs to be defined in + # module-config above). Can be used when ipsecmod needs to be + # enabled/disabled via remote-control(below). + # Fedora: module will be enabled on-demand by libreswan + ipsecmod-enabled: no + + # Path to executable external hook. It must be defined when ipsecmod is + # listed in module-config (above). + # ipsecmod-hook: "./my_executable" + ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook + + # When enabled Unbound will reply with SERVFAIL if the return value of + # the ipsecmod-hook is not 0. + # ipsecmod-strict: no + # + # Maximum time to live (TTL) for cached A/AAAA records with IPSECKEY. + # ipsecmod-max-ttl: 3600 + # + # Reply with A/AAAA even if the relevant IPSECKEY is bogus. Mainly used for + # testing. + # ipsecmod-ignore-bogus: no + # + # Domains for which ipsecmod will be triggered. If not defined (default) + # all domains are treated as being allowed. + # ipsecmod-allow: "example.com" + # ipsecmod-allow: "nlnetlabs.nl" + + # Timeout for REUSE entries in milliseconds. + # tcp-reuse-timeout: 60000 + # Max number of queries on a reuse connection. + # max-reuse-tcp-queries: 200 + # Timeout in milliseconds for TCP queries to auth servers. + # tcp-auth-query-timeout: 3000 + +# Python config section. To enable: +# o use --with-pythonmodule to configure before compiling. +# o list python in the module-config string (above) to enable. +# It can be at the start, it gets validated results, or just before +# the iterator and process before DNSSEC validation. +# o and give a python-script to run. 
+python: + # Script file to load + # python-script: "/etc/unbound/ubmodule-tst.py" + +# Dynamic library config section. To enable: +# o use --with-dynlibmodule to configure before compiling. +# o list dynlib in the module-config string (above) to enable. +# It can be placed anywhere, the dynlib module is only a very thin wrapper +# to load modules dynamically. +# o and give a dynlib-file to run. If more than one dynlib entry is listed in +# the module-config then you need one dynlib-file per instance. +dynlib: + # Script file to load + # dynlib-file: "/etc/unbound/dynlib.so" + +# Remote control config section. +remote-control: + # Enable remote control with unbound-control(8) here. + # set up the keys and certificates with unbound-control-setup. + # Note: required for unbound-munin package + control-enable: yes + + # Set to no and use an absolute path as control-interface to use + # a unix local named pipe for unbound-control. + # control-use-cert: yes + + # what interfaces are listened to for remote control. + # give 0.0.0.0 and ::0 to listen to all interfaces. + # set to an absolute path to use a unix local name pipe, certificates + # are not used for that, so key and cert files need not be present. + # control-interface: 127.0.0.1 + # control-interface: ::1 + + # port number for remote control operations. + # control-port: 8953 + + # for localhost, you can disable use of TLS by setting this to "no" + # For local sockets this option is ignored, and TLS is not used. + control-use-cert: "no" + + # Unbound server key file. + server-key-file: "/etc/unbound/unbound_server.key" + + # Unbound server certificate file. + server-cert-file: "/etc/unbound/unbound_server.pem" + + # unbound-control key file. + control-key-file: "/etc/unbound/unbound_control.key" + + # unbound-control certificate file. + control-cert-file: "/etc/unbound/unbound_control.pem" + +# Stub and Forward zones +include: /etc/unbound/conf.d/*.conf + +# Stub zones. 
+# Create entries like below, to make all queries for 'example.com' and +# 'example.org' go to the given list of nameservers. list zero or more +# nameservers by hostname or by ipaddress. If you set stub-prime to yes, +# the list is treated as priming hints (default is no). +# With stub-first yes, it attempts without the stub if it fails. +# Consider adding domain-insecure: name and local-zone: name nodefault +# to the server: section if the stub is a locally served zone. +# stub-zone: +# name: "example.com" +# stub-addr: 192.0.2.68 +# stub-prime: no +# stub-first: no +# stub-tcp-upstream: no +# stub-tls-upstream: no +# stub-no-cache: no +# stub-zone: +# name: "example.org" +# stub-host: ns.example.com. + +# You can now also dynamically create and delete stub-zone's using +# unbound-control stub_add domain.com 1.2.3.4 5.6.7.8 +# unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8 + +# Forward zones +# Create entries like below, to make all queries for 'example.com' and +# 'example.org' go to the given list of servers. These servers have to handle +# recursion to other nameservers. List zero or more nameservers by hostname +# or by ipaddress. Use an entry with name "." to forward all queries. +# If you enable forward-first, it attempts without the forward if it fails. +# forward-zone: +# name: "example.com" +# forward-addr: 192.0.2.68 +# forward-addr: 192.0.2.73@5355 # forward to port 5355. +# forward-first: no +# forward-tcp-upstream: no +# forward-tls-upstream: no +# forward-no-cache: no +# forward-zone: +# name: "example.org" +# forward-host: fwd.example.com +# +# You can now also dynamically create and delete forward-zone's using +# unbound-control forward_add domain.com 1.2.3.4 5.6.7.8 +# unbound-control forward_remove domain.com 1.2.3.4 5.6.7.8 + +# Authority zones +# The data for these zones is kept locally, from a file or downloaded. +# The data can be served to downstream clients, or used instead of the +# upstream (which saves a lookup to the upstream). 
The first example +# has a copy of the root for local usage. The second serves example.org +# authoritatively. zonefile: reads from file (and writes to it if you also +# download it), master: fetches with AXFR and IXFR, or url to zonefile. +# With allow-notify: you can give additional (apart from masters) sources of +# notifies. +auth-zone: + name: "." + primary: 199.9.14.201 # b.root-servers.net + primary: 192.33.4.12 # c.root-servers.net + primary: 199.7.91.13 # d.root-servers.net + primary: 192.5.5.241 # f.root-servers.net + primary: 192.112.36.4 # g.root-servers.net + primary: 193.0.14.129 # k.root-servers.net + primary: 192.0.47.132 # xfr.cjr.dns.icann.org + primary: 192.0.32.132 # xfr.lax.dns.icann.org + primary: 2001:500:200::b # b.root-servers.net + primary: 2001:500:2::c # c.root-servers.net + primary: 2001:500:2d::d # d.root-servers.net + primary: 2001:500:2f::f # f.root-servers.net + primary: 2001:500:12::d0d # g.root-servers.net + primary: 2001:7fd::1 # k.root-servers.net + primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org + primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org + fallback-enabled: yes + for-downstream: no + for-upstream: yes + +# auth-zone: +# name: "example.org" +# for-downstream: yes +# for-upstream: yes +# zonemd-check: no +# zonemd-reject-absence: no +# zonefile: "example.org.zone" + +# Views +# Create named views. Name must be unique. Map views to requests using +# the access-control-view option. Views can contain zero or more local-zone +# and local-data options. Options from matching views will override global +# options. Global options will be used if no matching view is found. +# With view-first yes, it will try to answer using the global local-zone and +# local-data elements if there is no view specific match. 
+# view: +# name: "viewname" +# local-zone: "example.com" redirect +# local-data: "example.com A 192.0.2.3" +# local-data-ptr: "192.0.2.3 www.example.com" +# view-first: no +# view: +# name: "anotherview" +# local-zone: "example.com" refuse + +# Fedora: DNSCrypt support not enabled since it requires linking to +# another crypto library +# +# DNSCrypt +# o enable, use --enable-dnscrypt to configure before compiling. +# Caveats: +# 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper +# for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage +# 2. dnscrypt channel attaches to an interface. you MUST set interfaces to +# listen on `dnscrypt-port` with the follo0wing snippet: +# server: +# interface: 0.0.0.0@443 +# interface: ::0@443 +# +# Finally, `dnscrypt` config has its own section. +# dnscrypt: +# dnscrypt-enable: yes +# dnscrypt-port: 443 +# dnscrypt-provider: 2.dnscrypt-cert.example.com. +# dnscrypt-secret-key: /path/unbound-conf/keys1/1.key +# dnscrypt-secret-key: /path/unbound-conf/keys2/1.key +# dnscrypt-provider-cert: /path/unbound-conf/keys1/1.cert +# dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert + +# CacheDB +# External backend DB as auxiliary cache. +# To enable, use --enable-cachedb to configure before compiling. +# Specify the backend name +# (default is "testframe", which has no use other than for debugging and +# testing) and backend-specific options. The 'cachedb' module must be +# included in module-config, just before the iterator module. +# cachedb: +# backend: "testframe" +# # secret seed string to calculate hashed keys +# secret-seed: "default" +# +# # For "redis" backend: +# # (to enable, use --with-libhiredis to configure before compiling) +# # redis server's IP address or host name +# redis-server-host: 127.0.0.1 +# # redis server's TCP port +# redis-server-port: 6379 +# # if the server uses a unix socket, set its path, or "" when not used. 
+# # redis-server-path: "/var/lib/redis/redis-server.sock" +# # if the server uses an AUTH password, specify here, or "" when not used. +# # redis-server-password: "" +# # timeout (in ms) for communication with the redis server +# redis-timeout: 100 +# # set timeout on redis records based on DNS response TTL +# redis-expire-records: no + +# IPSet +# Add specify domain into set via ipset. +# To enable: +# o use --enable-ipset to configure before compiling; +# o Unbound then needs to run as root user. +# ipset: +# # set name for ip v4 addresses +# name-v4: "list-v4" +# # set name for ip v6 addresses +# name-v6: "list-v6" +# + +# Dnstap logging support, if compiled in by using --enable-dnstap to configure. +# To enable, set the dnstap-enable to yes and also some of +# dnstap-log-..-messages to yes. And select an upstream log destination, by +# socket path, TCP or TLS destination. +# dnstap: +# dnstap-enable: no +# # if set to yes frame streams will be used in bidirectional mode +# dnstap-bidirectional: yes +# dnstap-socket-path: "/etc/unbound/dnstap.sock" +# # if "" use the unix socket in dnstap-socket-path, otherwise, +# # set it to "IPaddress[@port]" of the destination. +# dnstap-ip: "" +# # if set to yes if you want to use TLS to dnstap-ip, no for TCP. +# dnstap-tls: yes +# # name for authenticating the upstream server. or "" disabled. +# dnstap-tls-server-name: "" +# # if "", it uses the cert bundle from the main Unbound config. +# dnstap-tls-cert-bundle: "" +# # key file for client authentication, or "" disabled. +# dnstap-tls-client-key-file: "" +# # cert file for client authentication, or "" disabled. +# dnstap-tls-client-cert-file: "" +# dnstap-send-identity: no +# dnstap-send-version: no +# # if "" it uses the hostname. +# dnstap-identity: "" +# # if "" it uses the package version. 
+# dnstap-version: ""
+# dnstap-log-resolver-query-messages: no
+# dnstap-log-resolver-response-messages: no
+# dnstap-log-client-query-messages: no
+# dnstap-log-client-response-messages: no
+# dnstap-log-forwarder-query-messages: no
+# dnstap-log-forwarder-response-messages: no
+
+# Response Policy Zones
+# RPZ policies. Applied in order of configuration. QNAME, Response IP
+# Address, nsdname, nsip and clientip triggers are supported. Supported
+# actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp-only
+# and drop. Policies can be loaded from a file, or using zone
+# transfer, or using HTTP. The respip module needs to be added
+# to the module-config, e.g.: module-config: "respip validator iterator".
+# rpz:
+# name: "rpz.example.com"
+# zonefile: "rpz.example.com"
+# primary: 192.0.2.0
+# allow-notify: 192.0.2.0/32
+# url: http://www.example.com/rpz.example.org.zone
+# rpz-action-override: cname
+# rpz-cname-override: www.example.org
+# rpz-log: yes
+# rpz-log-name: "example policy"
+# rpz-signal-nxdomain-ra: no
+# for-downstream: no
+# tags: "example"
diff --git a/unbound.service b/unbound.service
index d476504..ffaf783 100644
--- a/unbound.service
+++ b/unbound.service
@@ -1,9 +1,6 @@
 [Unit]
 Description=Unbound recursive Domain Name Server
-After=network.target
-# Use ip-freebind: yes or add After=network-online.target, rhbz#2338429,
-# if interface: specifies exact address, not localhost nor wildcard
-#After=network-online.target
+After=network-online.target
 After=unbound-keygen.service
 Wants=unbound-keygen.service
 After=unbound-anchor.service
@@ -12,12 +9,11 @@ Before=nss-lookup.target
 Wants=nss-lookup.target
 
 [Service]
-Type=notify
+Type=simple
 EnvironmentFile=-/etc/sysconfig/unbound
 ExecStartPre=/usr/sbin/unbound-checkconf
 ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
 ExecReload=/usr/sbin/unbound-control reload
-Restart=on-abnormal
 
 [Install]
 WantedBy=multi-user.target
diff --git a/unbound.spec b/unbound.spec
index d173141..62e7933 100644
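Review bot: Removing `Restart=on-abnormal` from `[Service]` leaves a resolver that crashes or is killed by a signal down until an operator restarts it, so one crash becomes a persistent name-resolution outage for every unit ordered after nss-lookup.target. Keep `Restart=on-abnormal` next to the new `Type=simple`. With `Type=simple` systemd also treats the unit as started as soon as the process is forked, so `Before=nss-lookup.target` no longer guarantees the listener is up when dependents start; this is presumably the consequence of `%bcond_with systemd` in unbound.spec dropping `--enable-systemd` (and with it sd_notify support). That trade-off deserves a comment above the line, e.g. `# Type=simple: built without systemd notify support, so readiness is not signalled`.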
--- a/unbound.spec +++ b/unbound.spec @@ -2,23 +2,13 @@ %{?!with_python3: %global with_python3 1} %{?!with_munin: %global with_munin 1} %bcond_without dnstap -%bcond_without systemd +%bcond_with systemd %bcond_without doh -%if 0%{?fedora} >= 43 && !0%{?rhel} -# Do not build with QUIC support in RHEL, until we have also client support. -%bcond_without ngtcp2 -%endif -%if 0%{?rhel} && ! 0%{?epel} %bcond_with redis -%else -%bcond_without redis -%endif -%global forgeurl0 https://github.com/NLnetLabs/unbound -%global downloads https://nlnetlabs.nl/downloads %global _hardened_build 1 -#global extra_version rc1 +#%%global extra_version rc1 %if 0%{with_python2} %global python_primary %{__python2} @@ -40,16 +30,16 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.24.2 -Release: %autorelease %{?extra_version:-e %{extra_version}} +Version: 1.18.0 +Release: 1%{?extra_version:.%{extra_version}}%{?dist} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ -VCS: git:%{forgeurl0} -Source: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz +Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz Source1: unbound.service +Source2: unbound.conf Source3: unbound.munin Source4: unbound_munin_ -Source5: mkroot.sh +Source5: root.key Source7: unbound-keygen.service Source8: tmpfiles-unbound.conf Source9: example.com.key 
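Review bot: `Source5` is now a static `root.key` checked into dist-git instead of the `mkroot.sh` output derived from the system `dns-root-data`, so the package's initial DNSSEC trust anchor has no stated provenance. Add a comment above it naming where the file came from and when it was last refreshed, e.g. `# Source5: initial root trust anchor, copied from <ANCHOR SOURCE> on <DATE>; refresh on every root KSK rollover`. `Version:` also drops from 1.24.2 to 1.18.0 and `Release:` returns to a hand-maintained `1%{?extra_version:.%{extra_version}}%{?dist}`; if this is a deliberate revert, the reason belongs in the changelog entry, since to my knowledge the releases between those two versions include security fixes and a pinned old version is otherwise hard to distinguish from an accidental revert.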
@@ -61,41 +51,17 @@ Source14: unbound.sysconfig Source15: unbound-anchor.timer Source16: unbound-munin.README Source17: unbound-anchor.service -Source18: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc -# https://nlnetlabs.nl/signing-keys/ -Source19: https://nlnetlabs.nl/downloads/keys/releases-g2.asc#/nlnetlabs2026-g2.asc +Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc +# source: https://nlnetlabs.nl/people/ +Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key Source20: unbound.sysusers -Source21: remote-control.conf -Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc -Source23: unbound-as112-networks.conf -Source24: unbound-local-root.conf -Source25: openssl-sha1.conf -Source26: remote-control-include.conf -Source27: fedora-defaults.conf -Source28: module-setup.sh -Source29: unbound-initrd.conf -Source30: tmpfiles-unbound-libs.conf -# Downstream configuration changes -Patch1: unbound-fedora-config.patch -# https://github.com/NLnetLabs/unbound/pull/1331 -Patch2: unbound-1.24-swig-function.patch -# https://github.com/NLnetLabs/unbound/pull/1381 -Patch3: unbound-1.24-quic-on-demand-only.patch BuildRequires: gcc, make -BuildRequires: openssl-devel +BuildRequires: flex, openssl-devel BuildRequires: libevent-devel expat-devel BuildRequires: pkgconfig - -# Required for configure regeneration -BuildRequires: automake autoconf libtool -BuildRequires: autoconf-archive -# Regenerate config parser too -BuildRequires: bison flex byacc -BuildRequires: dns-root-data - -%if 0%{?fedora} || 0%{?rhel} >= 9 +%if 0%{?fedora} BuildRequires: gnupg2 %endif %if 0%{with_python2} 
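Review bot: `Source19` now fetches the tarball signing key from keys.openpgp.org by 64-bit key ID at source-fetch time, so `%{gpgverify}` in `%prep` (hunk -215/+182) checks the tarball against whatever that lookup returned rather than against a key reviewed and committed to dist-git, as the removed `Source19`/`Source22` files were. Keep the exported key in the repo and record the full fingerprint that was checked, e.g. replace the `# source:` line with `# Key fingerprint verified against https://nlnetlabs.nl/people/ on <DATE>: <FULL FINGERPRINT>`. The `BuildRequires: gnupg2` guard also shrinks to `%if 0%{?fedora}`, and the same condition now guards the `%{gpgverify}` call, so RHEL and EPEL builds skip signature verification entirely; unless that is intended, restore `%if 0%{?fedora} || 0%{?rhel} >= 9` in both places.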
@@ -114,16 +80,16 @@ BuildRequires: systemd-devel BuildRequires: libnghttp2-devel %endif %if %{with redis} -BuildRequires: hiredis-devel +BuildRequires: redis-devel %endif %if 0%{?fedora} >= 30 || 0%{?rhel} >= 9 BuildRequires: systemd-rpm-macros %else BuildRequires: systemd %endif -%if %{with ngtcp2} -BuildRequires: ngtcp2-crypto-ossl-devel -%endif +# Required for SVN versions +# BuildRequires: bison +# BuildRequires: automake autoconf libtool # Needed because /usr/sbin/unbound links unbound libs staticly Requires: %{name}-libs%{?_isa} = %{version}-%{release} @@ -131,6 +97,7 @@ Requires: %{name}-anchor%{?_isa} = %{version}-%{release} Recommends: %{name}-utils%{?_isa} = %{version}-%{release} # unbound-keygen.service requires it, bug #2116790 Requires: openssl +Requires(pre): systemd-sysusers %description Unbound is a validating, recursive, and caching DNS(SEC) resolver. @@ -165,7 +132,6 @@ The devel package contains the unbound library and the include files %package libs Summary: Libraries used by the unbound server and client applications Recommends: %{name}-anchor -Requires: dns-root-data %if ! 0%{with_python2} # Make explicit conflict with no longer provided python package Obsoletes: python2-unbound < 1.9.3 @@ -175,6 +141,7 @@ Obsoletes: python2-unbound < 1.9.3 Contains libraries used by the unbound server and client applications. %package anchor +Requires(pre): shadow-utils Requires: %{name}-libs%{?_isa} = %{version}-%{release} Summary: DNSSEC trust anchor maintaining tool 
@@ -215,71 +182,57 @@ Conflicts: python2-unbound < 1.9.3 Python 3 modules and extensions for unbound %endif -%package dracut -Summary: Unbound dracut module -Requires: dracut%{?_isa} -Requires: %{name}%{?_isa} = %{version}-%{release} - -%description dracut -Unbound dracut module allowing use of Unbound for name resolution -in initramfs. %prep -%if 0%{?fedora} || 0%{?rhel} >= 9 -# TODO: Remove Yorgos.asc and extra verification once releases start to be signed by new g2 key -%{gpgverify} --keyring='%{SOURCE22}' --signature='%{SOURCE18}' --data='%{SOURCE0}' || \ +%if 0%{?fedora} %{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}' %endif %global pkgname %{name}-%{version}%{?extra_version} %if 0%{with_python2} && 0%{with_python3} +%global dir_primary %{pkgname}_python3 %global python_primary %{__python3} %global dir_secondary %{pkgname}_python2 %global python_secondary %{__python2} +%else +%global dir_primary %{pkgname} %endif -%autosetup -N -n %{pkgname} +%autosetup -c -N -n %{pkgname} +pushd %{pkgname} # patches go here %autopatch -p1 -%if 0%{?rhel} > 8 - # SHA-1 breaks some tests. Disable just some tests because of that. - # This got broken in ELN - ls testdata/*.rpl - for TEST in autotrust_init_fail autotrust_init_failsig; do - mv testdata/${TEST}.rpl{,-disabled} - done -%endif +# only for snapshots +# autoreconf -iv + +# copy common doc files - after here, since it may be patched +cp -pr doc pythonmod libunbound ../ +popd %if 0%{with_python2} && 0%{with_python3} - cp -a . 
%{dir_secondary} +mv %{pkgname} %{dir_primary} +cp -a %{dir_primary} %{dir_secondary} %endif %build +# This is needed to rebuild the configure script to support Python 3.x +# autoreconf -iv + # ./configure script common arguments %global configure_args --with-libevent --with-pthreads --with-ssl \\\ --disable-rpath --disable-static \\\ --enable-relro-now --enable-pie \\\ --enable-subnet --enable-ipsecmod \\\ --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\ - --with-share-dir=%{_datadir}/%{name} \\\ --with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\ --enable-sha2 --disable-gost --enable-ecdsa \\\ - --with-rootkey-file=%{_sharedstatedir}/%{name}/root.key \\\ - --with-username=unbound \\\ + --with-rootkey-file=%{_sharedstatedir}/unbound/root.key \\\ --enable-linux-ip-local-port-range \\\ - --with-dynlibmodule \\\ -# -# always regenerate configure -rm -f config.h.in aclocal.m4 configure ltmain.sh -rm -f {ax_pthread,ax_swig_python}.m4 -cp -p %{_datadir}/aclocal/{ax_pthread,ax_swig_python}.m4 . -# ensure bison is used to generate fresh parser -rm -f util/configparser.{c,h} util/configlexer.c -autoreconf -fiv +pushd %{dir_primary} %configure \ %if 0%{?python_primary:1} @@ -294,18 +247,20 @@ autoreconf -fiv %if %{with doh} --with-libnghttp2 \ %endif +%if 0%{?rhel} + --disable-sha1 \ +%endif %if %{with redis} --with-libhiredis \ --enable-cachedb \ -%endif -%if %{with ngtcp2} - --with-libngtcp2 \ %endif %{configure_args} %make_build %make_build streamtcp +popd + %if 0%{?python_secondary:1} pushd %{dir_secondary} %configure \ @@ -315,9 +270,6 @@ pushd %{dir_secondary} %endif %if %{with systemd} --enable-systemd \ -%endif -%if %{with ngtcp2} - --with-libngtcp2 \ %endif %{configure_args} 
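Review bot: `configure_args` no longer passes `--with-username=unbound`, so the account the daemon drops privileges to now comes from the configure default while the `%files` ownership and the `%{SOURCE20}` sysusers fragment still assume `unbound`; presumably the default matches, but keeping `--with-username=unbound \\\` in the list stops the two from drifting. The switch to `%autosetup -c -N` followed by `cp -pr doc pythonmod libunbound ../` before `popd` also deserves a one-line comment saying what the copies are for (presumably `%doc` and the secondary Python build), since nothing in the hunk explains them. The `%build` section continues past the end of this hunk.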
@@ -336,18 +288,20 @@ pushd %{dir_secondary} popd %endif +pushd %{dir_primary} %make_install unbound-event-install install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp -install -p -m 0644 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf +popd install -d -m 0755 %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service install -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/unbound-keygen.service install -p -m 0644 %{SOURCE15} %{buildroot}%{_unitdir}/unbound-anchor.timer install -p -m 0644 %{SOURCE17} %{buildroot}%{_unitdir}/unbound-anchor.service +install -p -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound install -p -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/unbound install -p -m 0644 %{SOURCE14} %{buildroot}%{_sysconfdir}/sysconfig/unbound -install -p -D -m 0644 %{SOURCE20} %{buildroot}%{_sysusersdir}/%{name}.conf +install -p -D -m 0644 %{SOURCE20} %{buildroot}%{_sysusersdir}/%{name}.sysusers %if %{with_munin} # Install munin plugin and its softlinks install -d -m 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d 
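Review bot: Installing the sysusers fragment as `%{_sysusersdir}/%{name}.sysusers` puts it where systemd-sysusers will not read it, since sysusers.d(5) processes only `*.conf` files in that directory; account creation then rests entirely on `%sysusers_create_compat` in `%pre libs` (hunk -392/+350) and the installed file is dead weight on a booted system. If the `.sysusers` name is deliberate (to avoid creating the user twice), say so in a comment next to the install line; otherwise keep `%{name}.conf` here and in `%files libs` (hunk -519/+466). The same hunk installs `%{SOURCE2}` (unbound.conf) with `-m 0755`; `%files` resets it to 0644, but `install -p -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound` avoids ever having an executable config file in the buildroot.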
@@ -359,21 +313,25 @@ for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unboun done %endif +pushd %{dir_primary} # install streamtcp man page -install -p -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1 -install -p -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc +install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1 +install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc +popd # Install tmpfiles.d config install -d -m 0755 %{buildroot}%{_tmpfilesdir} %{buildroot}%{_sharedstatedir}/unbound -install -p -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf -install -p -m 0644 %{SOURCE30} %{buildroot}%{_tmpfilesdir}/unbound-libs.conf +install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf # install root - we keep a copy of the root key in old location, # in case user has changed the configuration and we wouldn't update it there -sh %{SOURCE5} root.key -install -m 0644 root.key %{buildroot}%{_sysconfdir}/unbound/ -ln -sr "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key" "%{buildroot}%{_sharedstatedir}/unbound/root.key" -ln -sr "%{buildroot}%{_datadir}/dns-root-data/root.key" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key" +install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/ +install -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/unbound/dnssec-root.key +# make initial key static +pushd %{buildroot}%{_sharedstatedir}/unbound + KEYPATH=$(realpath --relative-to="%{buildroot}%{_sharedstatedir}/unbound" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key") + ln -s "$KEYPATH" root.key +popd # remove static library from install (fedora packaging guidelines) rm %{buildroot}%{_libdir}/*.la 
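Review bot: `%{SOURCE5}` and `%{SOURCE13}` are installed as the system's initial DNSSEC trust anchors, so these two repo files now carry the root of trust for validation and must be refreshed on every root KSK rollover; add a comment above the `install` lines saying where they come from and when they were last checked, e.g. `# Initial root trust anchors (refresh from <ANCHOR SOURCE> on KSK rollover); unbound-anchor keeps the /var/lib copy current`. The `realpath --relative-to` symlink is computed inside `%{buildroot}` so that the stored target (on a standard layout `../../../etc/unbound/dnssec-root.key`) stays valid once the buildroot prefix is stripped; that is non-obvious enough to state in the `# make initial key static` comment. The `install` calls in this hunk also drop `-p`, which is harmless but inconsistent with the `install -p` lines elsewhere in the spec.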
@@ -392,27 +350,16 @@ mkdir -p %{buildroot}%{_rundir}/unbound # Install directories for easier config file drop in mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d} -install -p -m 0644 %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/ -install -p -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/ -install -p -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/ -install -p -m 0644 %{SOURCE26} %{buildroot}%{_sysconfdir}/unbound/conf.d/remote-control.conf -install -p -m 0644 %{SOURCE25} %{buildroot}%{_sysconfdir}/unbound/openssl-sha1.conf - -mkdir -p %{buildroot}%{_datadir}/%{name}/conf.d -install -p -m 0644 %{SOURCE21} %{buildroot}%{_datadir}/%{name}/conf.d/ -install -p -m 0644 %{SOURCE23} %{buildroot}%{_datadir}/%{name}/conf.d/ -install -p -m 0644 %{SOURCE24} %{buildroot}%{_datadir}/%{name}/conf.d/ -install -p -m 0644 %{SOURCE27} %{buildroot}%{_datadir}/%{name}/ +install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/ +install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/ +install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/ # Link unbound-control-setup.8 manpage to unbound-control.8 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8 -# install dracut module -mkdir -p %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound - -install -p -m 0755 %{SOURCE28} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound -install -p -m 0644 %{SOURCE29} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound +%pre libs +%sysusers_create_compat %{SOURCE20} %post %systemd_post unbound.service 
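Review bot: `%pre libs` now creates the service account with `%sysusers_create_compat %{SOURCE20}`, but the matching install-time dependencies landed on other subpackages in hunks -131/+97 and -175/+141: `Requires(pre): systemd-sysusers` on the main package and `Requires(pre): shadow-utils` on `anchor`. As far as I recall the compat macro expands to `getent`/`groupadd`/`useradd` calls, so it is the `libs` subpackage that needs `Requires(pre): shadow-utils`; without it the scriptlet can run before shadow-utils is present on a fresh install and the `unbound` user is missing when `%files` ownership is applied. Move that requirement to `%package libs`, and drop the `systemd-sysusers` one unless a `*.conf` sysusers fragment is actually installed.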
@@ -440,19 +387,21 @@ fi %postun anchor %systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer -%triggerun -- unbound < 1.23.1-4 -if [ "$(stat -c '%%a %%G' %{_sysconfdir}/%{name}/unbound_control.key 2>/dev/null)" = '600 unbound' ]; then - # change permissions of existing key just once, where it were generated with wrong perms - %{_bindir}/chmod g+r "%{_sysconfdir}/%{name}/unbound_control.key" || : -fi - - %check -export OPENSSL_CONF="%{buildroot}%{_sysconfdir}/unbound/openssl-sha1.conf" +pushd %{dir_primary} +#pushd pythonmod +#make test +#popd + make check +popd + %if 0%{?python_secondary:1} pushd %{dir_secondary} +#pushd pythonmod +#make test +#popd make check popd %endif @@ -462,10 +411,9 @@ popd %doc doc/CREDITS doc/FEATURES %{_unitdir}/%{name}.service %{_unitdir}/%{name}-keygen.service -%attr(0775,unbound,root) %dir %{_rundir}/%{name} +%attr(0755,unbound,unbound) %dir %{_rundir}/%{name} %attr(0644,root,root) %{_tmpfilesdir}/unbound.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf -%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/openssl-sha1.conf %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d %attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d/*.key %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/conf.d @@ -475,12 +423,11 @@ popd %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.pem %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.key %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.pem -%ghost %attr(0600,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key +%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key %{_sbindir}/unbound %{_sbindir}/unbound-checkconf %{_sbindir}/unbound-control %{_sbindir}/unbound-control-setup -%{_datadir}/%{name}/ %{_mandir}/man5/* %exclude %{_mandir}/man8/unbound-anchor* %{_mandir}/man8/* 
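Review bot: The `%check` section gains two copies of `#pushd pythonmod`, `#make test`, `#popd`, all commented out; either run the Python module tests or drop the stubs, since commented-out build steps rot silently. Dropping `export OPENSSL_CONF=...openssl-sha1.conf` means `make check` now runs under the host crypto policy; if SHA-1 test cases are expected to be absent on RHEL because of `--disable-sha1` (hunk -294/+247), a comment saying so above `make check` would explain why no exception is needed.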
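Review bot: `unbound_server.key` is now ghosted as `%attr(0640,root,unbound)`, making the remote-control server's private key readable by every member of the `unbound` group instead of root only. If the daemon opens it while still root, before dropping to the `unbound` user, 0600 is sufficient and the looser mode needs a justification in a comment, e.g. `# 0640: daemon must re-read the server key as user unbound on reload`; otherwise restore 0600. These `%ghost` files are presumably generated by unbound-keygen.service, so whichever mode is chosen here should match what that unit creates.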
@@ -519,14 +466,13 @@ popd %doc doc/README %license doc/LICENSE %attr(0755,root,root) %dir %{_sysconfdir}/%{name} -%{_sysusersdir}/%{name}.conf +%{_sysusersdir}/%{name}.sysusers %{_libdir}/libunbound.so.8* %dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name} -%config %verify(not link owner group size mtime mode md5) %{_sharedstatedir}/%{name}/root.key +%verify(not size mtime filedigest link mode user group) %{_sharedstatedir}/%{name}/root.key # just left for backwards compat with user changed unbound.conf files - format is different! -%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key -%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-root.key -%attr(0644,root,root) %{_tmpfilesdir}/unbound-libs.conf +%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key +%attr(0644,root,root) %config %{_sysconfdir}/%{name}/dnssec-root.key %files anchor %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name} 
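Review bot: `%verify(not size mtime filedigest link mode user group)` on `%{_sharedstatedir}/%{name}/root.key` disables essentially every `rpm -V` check on the live trust anchor, which is intended because unbound-anchor rewrites the file in place, but nothing in the hunk says so; add `# rewritten by unbound-anchor (RFC 5011 updates), so rpm -V must not flag it` above the line. The two `/etc/unbound` key files also lose `noreplace`, so local edits are overwritten on upgrade and kept as `.rpmsave`; the existing `# just left for backwards compat` comment should state that this is deliberate so stale anchors are never preserved over the packaged ones.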
@@ -543,8 +489,906 @@ popd %{_sbindir}/unbound-streamtcp %{_mandir}/man1/unbound-* -%files dracut -%{_prefix}/lib/dracut/modules.d/99unbound - %changelog -%autochangelog +* Fri Sep 01 2023 Petr Menšík - 1.18.0-1 +- Update to 1.18.0 (#2236097) + +* Fri Jan 13 2023 Paul Wouters - 1.17.0-2 +- Move unbound user creation to libs (#2149036) +- Use systemd-sysusers for user creation (#2105416) +- Keep original DNSSEC root key as config (#2132103) + +* Tue Nov 01 2022 Petr Menšík - 1.17.0-1 +- Update to 1.17.0 (#2134348) + +* Wed Oct 05 2022 Petr Menšík - 1.16.3-3 +- Correct issues made by unbound-anchor package split (#2110858) + +* Fri Sep 30 2022 Petr Menšík - 1.16.3-2 +- Update License tag to SPDX identifier + +* Fri Sep 23 2022 Petr Menšík - 1.16.3-1 +- Update to 1.16.3 (#2128638) + +* Tue Aug 09 2022 Paul Wouters - 1.16.2-3 +- sync up to upstream unbound.conf +- Enable Extended DNS Error codes (RFC8914) + +* Tue Aug 09 2022 Petr Menšík - 1.16.2-2 +- Require openssl tool for unbound-keygen (#2116790) + +* Wed Aug 03 2022 Petr Menšík - 1.16.2-1 +- Update to 1.16.2 (#2105947) for CVE-2022-30698 and CVE-2022-30699 + +* Sat Jul 23 2022 Fedora Release Engineering - 1.16.0-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Mon Jun 27 2022 Petr Menšík - 1.16.0-6 +- Move unbound-anchor to separate package +- Move unbound-host and unbound-streamtcp to unbound-utils package + +* Mon Jun 13 2022 Python Maint - 1.16.0-5 +- Rebuilt for Python 3.11 + +* Tue Jun 07 2022 Petr Menšík - 1.16.0-4 +- Restart keygen service before every unbound start + +* Sat Jun 04 2022 Petr Menšík - 1.16.0-1 +- Update to 1.16.0 + +* Tue Apr 26 2022 Petr Menšík - 1.15.0-3 +- Stop creating wrong devel manual pages (#2078929) + +* Wed Apr 20 2022 Petr Menšík - 1.15.0-2 +- Update icannbundle.pem + +* Tue Mar 29 2022 Petr Menšík - 1.15.0-1 +- Update to 1.15.0 (#2030608) + +* Sat Jan 22 2022 Fedora Release Engineering - 1.13.2-5 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Sat Nov 06 2021 Adrian Reber - 1.13.2-4 +- Rebuilt for protobuf 3.19.0 + +* Mon Oct 25 2021 Adrian Reber - 1.13.2-3 +- Rebuilt for protobuf 3.18.1 + +* Tue Sep 14 2021 Sahana Prasad - 1.13.2-2 +- Rebuilt with OpenSSL 3.0.0 + +* Thu Aug 12 2021 Paul Wouters - 1.13.2-1 +- Resolves: rhbz#1992985 unbound-1.13.2 is available +- Use system-wide crypto policies + +* Fri Jul 23 2021 Fedora Release Engineering - 1.13.1-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Wed Jun 02 2021 Python Maint - 1.13.1-7 +- Rebuilt for Python 3.10 + +* Fri Apr 23 2021 Artem Egorenkov - 1.13.1-6 +- Option --enable-linux-ip-local-port-range added to use system configured port range for libunbound on Linux +- Resolves: rhbz#1935101 + +* Tue Apr 13 2021 Paul Wouters - 1.13.1-5 +- Fix unbound.service to use After=network-online.target + +* Tue Apr 06 2021 Artem Egorenkov - 1.13.1-4 +- Don't start unbound-anchor before unbound service if DISABLE_UNBOUND_ANCHOR + environment variable equals to "yes" + +* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 1.13.1-3 +- Rebuilt for updated systemd-rpm-macros + See https://pagure.io/fesco/issue/2583. + +* Mon Feb 15 2021 Victor Stinner - 1.13.1-2 +- Fix build on Python 3.10 (rhbz#1889726). 
+ +* Wed Feb 10 2021 Paul Wouters - 1.13.1-1 +- Resolves rhbz#1860887 unbound-1.13.1 is available +- Fixup unbound.conf + +* Wed Jan 27 2021 Fedora Release Engineering - 1.13.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Thu Dec 10 2020 Petr Menšík - 1.13.0-1 +- Update to 1.13.0 + +* Tue Oct 13 2020 Petr Menšík - 1.12.0-1 +- Update to 1.12.0 (#1860887) + +* Tue Sep 15 2020 Petr Menšík - 1.10.1-5 +- Move command line tools to utils subpackage + +* Wed Jul 29 2020 Fedora Release Engineering - 1.10.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jul 14 2020 Tom Stellard - 1.10.1-3 +- Use make macros +- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro + +* Fri May 22 2020 Miro Hrončok - 1.10.1-2 +- Rebuilt for Python 3.9 + +* Tue May 19 2020 Paul Wouters - 1.10.1-1 +- Resolves: rhbz#1837279 unbound-1.10.1 is available +- Resolves: rhbz#1837598 CVE-2020-12662 unbound: insufficient control of network message volume leads to DoS +- Resolves: rhbz#1837609 CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers +- Updated unbound.conf for new options in 1.10.1 + +* Wed Apr 29 2020 Paul Wouters - 1.10.0-3 +- Resolves: rhbz#1667742 SELinux is preventing unbound from 'name_bind' accesses on the udp_socket port 61000. 
+ +* Thu Apr 16 2020 Artem Egorenkov - 1.10.0-2 +- Resolves: rhbz#1824536 unbound crash + +* Thu Mar 19 2020 Petr Menšík - 1.10.0-1 +- Update to 1.10.0 (#1805199) + +* Fri Jan 31 2020 Fedora Release Engineering - 1.9.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Fri Dec 13 2019 Paul Wouters - 1.9.6-1 +- Resolves: rhbz#1758107 unbound-1.9.5 is available +- Resolves: CVE-2019-18934 + +* Fri Nov 01 2019 Paul Wouters - 1.9.4-1 +- Fix build on rhel/centos systems +- Resolves: rhbz#1767955 (CVE-2019-16866) uninitialized memory accesses leads to crash via a crafted NOTIFY query + +* Thu Sep 26 2019 Petr Menšík - 1.9.3-2 +- Obsolete no longer provided python2 subpackage (#1749400) + +* Tue Aug 27 2019 Paul Wouters - 1.9.3-1 +- Updated to 1.9.3 +- Resolves: rhbz#1672578 unbound-1.9.2 is available +- Resolves: rhbz#1694831 [/usr/lib/tmpfiles.d/unbound.conf:1] Line references path below legacy directory /var/run/ +- Resolves: rhbz# 1667387 [abrt] unbound: memmove(): unbound killed by SIGABRT + +* Thu Aug 22 2019 Miro Hrončok - 1.8.3-8 +- Subpackage python2-unbound has been removed + See https://fedoraproject.org/wiki/Changes/Mass_Python_2_Package_Removal + +* Thu Aug 15 2019 Miro Hrončok - 1.8.3-7 +- Rebuilt for Python 3.8 + +* Mon Aug 5 2019 Zbigniew Jędrzejewski-Szmek - 1.8.3-6 +- Drop install-time requirements on systemd (#1723777) + +* Sat Jul 27 2019 Fedora Release Engineering - 1.8.3-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Sun Feb 03 2019 Fedora Release Engineering - 1.8.3-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Jan 11 2019 Paul Wouters - 1.8.3-3 +- Remove KSK-2010 from configs - it has been revoked + +* Wed Dec 12 2018 Paul Wouters - 1.8.3-2 +- Another dns64 fixup + +* Wed Dec 12 2018 Paul Wouters - 1.8.3-1 +- Updated to 1.8.3 with fixes the dns64 bug and has some other minor fixes + +* Mon Dec 10 2018 Paul Wouters - 1.8.2-2 +- Fix dns64 allocation in wrong 
region for returned internal queries. + +* Tue Dec 04 2018 Paul Wouters - 1.8.2-1 +- Updated to 1.8.2. +- Enabled deny ANY query support and edns-tcp-keepalive +- Set serve-stale timeout to 4h +- Updated unbound.conf for latest options + +* Mon Oct 22 2018 Petr Menšík - 1.8.1-2 +- Allow group by default to unbound-control (#1640259) + +* Mon Oct 08 2018 Petr Menšík - 1.8.1-1 +- Update to 1.8.1 + +* Mon Oct 01 2018 Petr Menšík - 1.8.0-2 +- Skip ipv6 forwarders without ipv6 support (#1633874) + +* Wed Sep 19 2018 Petr Menšík - 1.8.0-1 +- Rebase to 1.8.0 + +* Tue Aug 14 2018 Paul Wouters - 1.7.3-9 +- Fix for restarting unbound service after deleting key/pem files for remote control + +* Tue Jul 31 2018 Petr Menšík - 1.7.3-8 +- Release memory in unbound-host + +* Mon Jul 23 2018 Petr Menšík - 1.7.3-7 +- Remove unused Group tag + +* Wed Jul 18 2018 Petr Menšík - 1.7.3-6 +- Cleanup generated client and server keys (#1601773) + +* Sat Jul 14 2018 Fedora Release Engineering - 1.7.3-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Mon Jul 09 2018 Petr Menšík - 1.7.3-4 +- Do not call ldconfig if possible + +* Wed Jul 04 2018 Petr Menšík - 1.7.3-3 +- Update trust anchors also behind firewall (#1598078) + +* Mon Jul 02 2018 Miro Hrončok - 1.7.3-2 +- Rebuilt for Python 3.7 + +* Wed Jun 27 2018 Petr Menšík - 1.7.3-1 +- Update to 1.7.3 (#1593708) + +* Wed Jun 27 2018 Petr Menšík - 1.7.2-3 +- Remove last python2 dependency from python3 build + +* Tue Jun 19 2018 Miro Hrončok - 1.7.2-2 +- Rebuilt for Python 3.7 + +* Mon Jun 11 2018 Paul Wouters - 1.7.2-1 +- Resolves rhbz#1589807 unbound-1.7.2 is available +- Add patch to fix stub/forward zone not returning ServFail when TTL expires +- Enabled the new root-key-sentinel option + +* Wed May 30 2018 Petr Menšík - 1.7.1-1 +- Update to 1.7.1 (#1574495) + +* Mon Apr 09 2018 Petr Menšík - 1.7.0-5 +- Require gcc and make on build +- Remove group, simplify systemd requires +- Simplify building with single python 
version, make python3 primary + +* Mon Apr 09 2018 Paul Wouters - 1.7.0-4 +- Patch for prefetching after flushing cache + +* Fri Apr 06 2018 Paul Wouters - 1.7.0-3 +- Patch for referral with auth-zone: response + + +* Wed Mar 21 2018 Paul Wouters - 1.7.0-2 +- Patch for broken Aggressive NSEC + stub-zone configuration causing NXDOMAIN at TTL expiry + +* Thu Mar 15 2018 Paul Wouters - 1.7.0-1 +- Updated to 1.7.0 (aggressive nsec, local root support, bugfixes) + +* Thu Feb 22 2018 Petr Menšík - 1.6.8-6 +- Uncomment again original max-upd-size + +* Wed Feb 21 2018 Petr Menšík - 1.6.8-5 +- Use default RPM build flags and configure parameters (#1539097) + +* Wed Feb 21 2018 Petr Menšík - 1.6.8-4 +- Remove group writable bit from some config files (#1528445) + +* Wed Feb 14 2018 Filipe Rosset - 1.6.8-3 +- rebuilt due new libevent 2.1.8 + +* Fri Feb 09 2018 Igor Gnatenko - 1.6.8-2 +- Escape macros in %%changelog + +* Mon Jan 22 2018 Paul Wouters - 1.6.8-1 +- Resolves rhbz#1483572 unbound-1.6.8 is available +- Resolves rhbz#1507049 CVE-2017-15105 unbound: Improper validation of wildcard synthesized NSEC records +- Resolves rhbz#1536518 CVE-2017-15105 unbound: Improper validation of wildcard synthesized NSEC records [fedora-all] + +* Sun Dec 17 2017 Zbigniew Jędrzejewski-Szmek - 1.6.7-2 +- Python 2 binary package renamed to python2-unbound + See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3 + +* Thu Oct 12 2017 Paul Wouters - 1.6.7-1 +- Updated to 1.6.7 (minor bugfixes) + +* Tue Oct 03 2017 Petr Menšík - 1.6.6-3 +- Update icannbundle.pem + +* Mon Oct 02 2017 Paul Wouters - 1.6.6-2 +- Enable RFC 8145 Trust Anchor Signaling to help the root zone get keytag statistics + +* Fri Sep 22 2017 Paul Wouters - 1.6.6-1 +- Resolves: rhbz#1483572 unbound-1.6.6 is available +- Resolves: rhbz#1465575 unbound fails to start up, complains about missing ipsecmod-hook (edit) + +* Wed Aug 16 2017 Paul Wouters - 1.6.4-4 +- Rebuilt with KSK2017 added to root.key and root.anchor 
+- Remove noreplace for root key files. We can only improve these files over local copies + +* Thu Aug 03 2017 Fedora Release Engineering - 1.6.4-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 1.6.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sun Jul 02 2017 Paul Wouters - 1.6.4-1 +- Updated to 1.6.4 full release, patch to allow missing ipsechook +- Resolves rhbz#1465575 unbound fails to start up, complains about missing ipsecmod-hook + +* Thu Jun 22 2017 Paul Wouters - 1.6.4-0.rc2 +- Update to 1.6.4 (esubnet, ipsecmod support, bugfixes) + +* Tue Jun 13 2017 Paul Wouters - 1.6.3-1 +- Updated to 1.6.3 (fixes assertion failure when receiving malformed packet with 0x20 enabled) + +* Thu Jun 08 2017 Paul Wouters - 1.6.2-2 +- Patch for cmd: unbound-control set_option val-permissive-mode: yes + +* Wed Apr 26 2017 Paul Wouters - 1.6.2-1 +- Update to 1.6.2 (rhbz#1425649) +- Updated unbound.conf with new options + +* Wed Mar 22 2017 Paul Wouters - 1.6.0-6 +- Call make unbound-event-install to install unbound-event.h + +* Sat Feb 11 2017 Fedora Release Engineering - 1.6.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Wed Jan 18 2017 Paul Wouters - 1.6.0-4 +- Remove obsoleted DLV key + +* Mon Jan 02 2017 Paul Wouters - 1.6.0-3 +- Actually remove dependency because minimum is always satisfied + +* Mon Jan 02 2017 Paul Wouters - 1.6.0-2 +- Depend on openssl-libs, not opensl + +* Wed Dec 21 2016 Kevin Fenzi - 1.6.0-1 +- Update to 1.6.0 + +* Mon Dec 19 2016 Miro Hrončok - 1.5.10-3 +- Rebuild for Python 3.6 + +* Wed Oct 26 2016 Ilya Evseev - 1.5.10-2 +- Bugfix building without python2 and python3 +- Fixup streamtcp build (Paul) + +* Tue Sep 27 2016 Paul Wouters - 1.5.10-1 +- Updated to 1.5.10 (better TCP handling, bugfixes) +- Install pkgconfig file in -devel package +- Updated unbound.conf + +* Tue Jul 19 2016 Fedora Release Engineering 
- 1.5.9-4 +- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages + +* Thu Jul 07 2016 Paul Wouters - 1.5.9-3 +- Fix upper port range to 60999 because that's what selinux allows + +* Thu Jun 16 2016 Paul Wouters - 1.5.9-2 +- Patch for allowing more queries before failure (needed for query minimalization) + +* Mon Jun 13 2016 Paul Wouters - 1.5.9-1 +- Updated to 1.5.9 + +* Thu Apr 21 2016 Toshio Kuratomi - 1.5.8-2 +- Fix streamtcp to link against libpython3.x instead of libpython2.x + +* Wed Mar 02 2016 Paul Wouters - 1.5.8-1 +- Update to 1.5.8 (rhbz#1313831) which incorporates rhbz#1294339 patch +- Updated unbound.conf with new upstream options +- Enabled ip-transparent: yes (see rhbz#1291449) + +* Fri Feb 05 2016 Fedora Release Engineering - 1.5.7-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Thu Jan 21 2016 Tomas Hozza - 1.5.7-2 +- Fix escaping of shell chars in unbound-control-setup (#1294339) + +* Fri Dec 11 2015 Paul Wouters - 1.5.7-1 +- Update to 1.5.7 +- Enable query minimalization for enhanced DNS query privacy +- Enable nxdomain hardening to assist with query minimalization and SBLs +- Updated default unbound.conf for new features from upstream. 
+ +* Fri Nov 13 2015 Tomas Hozza - 1.5.6-1 +- Update to 1.5.6 (#1176729) + +* Wed Nov 04 2015 Robert Kuska - 1.5.5-2 +- Rebuilt for Python3.5 rebuild + +* Wed Oct 07 2015 Tomas Hozza - 1.5.5-1 +- New upstream release 1.5.5 (#1269137) +- Removed the anchor update from %%post section of -libs subpackage (#1269137#c2) + +* Tue Sep 15 2015 Tomas Hozza - 1.5.4-5 +- Removed dependency and ordering on unbound-anchor.service in unbound.service + +* Thu Sep 03 2015 Tomas Hozza - 1.5.4-4 +- Prefer Python3 build over Python2 build for now (#1254566) + +* Mon Jul 20 2015 Tomas Hozza - 1.5.4-3 +- Added ExecReload section to unbound.service (#1195785) +- Removed After syslog.target since it is not needed any more + +* Thu Jul 16 2015 Tomas Hozza - 1.5.4-2 +- Start unbound-anchor.timer only on new installations +- Rename root.anchor to root.key in %%post section + +* Tue Jul 14 2015 Paul Wouters - 1.5.4-1 +- Update to 1.5.4 +- Removed patches merged into upstream + +* Tue Jun 16 2015 Tomas Hozza - 1.5.3-8 +- Revert: Use low maximum negative cache TTL (5 sec) (#1229596) + +* Mon Jun 15 2015 Tomas Hozza - 1.5.3-7 +- Add option for maximum negative cache TTL (#1229599) +- Use low maximum negative cache TTL (5 sec) (#1229596) + +* Tue May 26 2015 Tomas Hozza - 1.5.3-6 +- Removed usage of DLV from the default configuration (#1223363) + +* Wed May 13 2015 Tomas Hozza - 1.5.3-5 +- unbound.service now Wants unbound-anchor.timer +- unbound-anchor man page moved to the unbound-libs + +* Mon May 11 2015 Paul Wouters - 1.5.3-4 +- Fixup scriptlets causing systemctl: command not found +- Resolves rhbz#1219587 Error in PREIN scriptlet in rpm package unbound-libs + +* Mon Apr 27 2015 Tomas Hozza - 1.5.3-3 +- migrate cronjob to systemd timer unit (#1177285) +- change the period for unbound-anchor from monthly to daily (#1180267) +- Thanks to Tomasz Torcz for the initial patch + +* Thu Apr 16 2015 Tomas Hozza - 1.5.3-2 +- Fix FTBFS (#1206129) +- Build python3-unbound and python-unbound bindings 
for Python 3 and 2 (#1188080) + +* Mon Mar 16 2015 Paul Wouters - 1.5.3-1 +- Updated to 1.5.3 which is a bugfix on 1.5.2 for sighup handling +- Updated to 1.5.2 which fixes DNSSEC validation with different + trust anchors upstream, local-zone has a new keyword 'inform' + +* Mon Feb 02 2015 Paul Wouters - 1.5.1-4 +- Build with --enable-ecdsa + +* Sun Feb 01 2015 Paul Wouters - 1.5.1-3 +- Fix post to create root.anchor, not root.key, to match cron job + +* Tue Dec 09 2014 Paul Wouters - 1.5.1-2 +- Change systemd-units to systemd +- Use _tmpfilesdir macro, don't mark tmpfiles as config + +* Tue Dec 09 2014 Paul Wouters - 1.5.1-1 +- Update to 1.5.1 for CVE-2014-8602 (rhbz#1172066) +- Removed unbound-aarch64.patch which was merged upstream +- Don't require autotools for non snapshots or run autoreconf + +* Fri Nov 28 2014 Tomas Hozza - 1.5.1-0.1.rc1 +- update to 1.5.1rc1 + +* Fri Nov 28 2014 Marcin Juszkiewicz - 1.5.0-3 +- fix build on aarch64 + +* Wed Nov 26 2014 Tomas Hozza - 1.5.0-2 +- Fix race condition in arc4random (#1166878) + +* Wed Nov 19 2014 Tomas Hozza - 1.5.0-1 +- update to 1.5.0 + +* Wed Sep 24 2014 Pavel Šimerda - 1.4.22-6 +- Resolves: #1115489 - build with python 3.x for fedora >= 22 + +* Thu Aug 21 2014 Kevin Fenzi - 1.4.22-5 +- Rebuild for rpm bug 1131960 + +* Mon Aug 18 2014 Fedora Release Engineering - 1.4.22-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sun Jun 08 2014 Fedora Release Engineering - 1.4.22-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Thu May 01 2014 Paul Wouters - 1.4.22-2 +- Added flushcache patch (SVN commit 3125) + +* Thu Mar 13 2014 Paul Wouters - 1.4.22-1 +- Updated to 1.4.22 +- No longer requires the ldns library + +* Thu Jan 16 2014 Tomas Hozza - 1.4.21-3 +- Fix segfault on adding insecure forward zone when using only iterator (#1054192) + +* Mon Oct 21 2013 Tomas Hozza - 1.4.21-2 +- run test suite during the build + +* Thu Sep 19 2013 Paul Wouters - 1.4.21-1 +- 
Updated to 1.4.21, +- Enabled new max-udp-size: 3072 (so ANY isc.org won't fit) +- Removed patched merged in by upstream +- Enable statistics-cumulative for munin-plugin +- Added outgoing-port-avoid: 0-32767 conformant to SElinux restrictions +- Updated unbound.conf + +* Mon Aug 26 2013 Tomas Hozza - 1.4.20-19 +- Fix errors found by static analysis of source + +* Mon Aug 12 2013 Paul Wouters - 1.4.20-18 +- Change unbound.conf to only use ephemeral ports (32768-65535) + +* Sun Aug 04 2013 Fedora Release Engineering - 1.4.20-17 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Mon Jul 22 2013 Tomas Hozza - 1.4.20-16 +- provide man page for unbound-streamtcp + +* Mon Jul 08 2013 Paul Wouters - 1.4.20-15 +- Re-introduce hardening flags for full relro and pie +- Fixes compilation failure for python module + +* Wed Jul 03 2013 Tomas Hozza - 1.4.20-14 +- remove missing unbound-rootkey.service from post/preun/postun sections +- don't hardcode hardening flags, let hardened build macro handles it + +* Sat Jun 01 2013 Paul Wouters - 1.4.20-13 +- Run unbound-anchor as user unbound in unbound.service + +* Tue May 28 2013 Paul Wouters - 1.4.20-12 +- Enable round-robin (with noths() patch) +- Change cron and systemd service to use root.key, not root.anchor + +* Sat May 25 2013 Paul Wouters - 1.4.20-10 +- Use /var/lib/unbound/root.key (more consistent with other distros) +- Enable minimal responses + +* Mon Apr 22 2013 Paul Wouters - 1.4.20-8 +- Refix + +* Fri Apr 19 2013 Paul Wouters - 1.4.20-7 +- Fix runuser call in post. + +* Tue Apr 16 2013 Paul Wouters - 1.4.20-6 +- /var/lib/unbound should be owned by unbound. 
group write is not enough + +* Fri Apr 12 2013 Paul Wouters - 1.4.20-5 +- Fix cron job syntax (rhbz#951725) +- Use install -p to prevent .rpmnew files that are identical to originals + +* Mon Apr 8 2013 Paul Wouters - 1.4.20-4 +- Updated to 1.4.20 +- Build with full RELRO (not use -z,relro but with -z,relo,-z,now) +- Fixup man page for unbound-control-setup +- unbound.service should start before nss-lookup.target (rhbz#919955) +- Removed patch for rhbz#888759 merged in upstream +- Move root.anchor to /var/lib/unbound to make selinux policy easier for updating (rhbz#896599/rhbz#891008) +- Move cronjob for root.anchor from unbound to unbound-libs, require crontabs +- /etc/unbound (and all) should be owned by unbound-libs (rhbz#909691) +- Remove Obsolete/Provides for dnssec-conf which was last seen in f13 +- Ensure any unbound-anchor failure in post is ignored + +* Tue Mar 05 2013 Adam Tkac - 1.4.19-5 +- build with full RELRO +- symlink unbound-control-setup.8 manpage to unbound-control.8 + +* Fri Feb 15 2013 Fedora Release Engineering - 1.4.19-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Wed Dec 12 2012 Paul Wouters - 1.4.19-3 +- Updated to 1.4.19 - this integrates all existing patches +- Patch for unbound-anchor (rhbz#888759) + +* Fri Nov 09 2012 Paul Wouters - 1.4.18-6 +- Patch to ensure stube-zone's aren't lost when using dnssec-triggerd +- added unbound-munin.README file + +* Wed Sep 26 2012 Paul Wouters - 1.4.18-5 +- Patch to allow wildcards in include: statements +- Add directories /etc/unbound/keys.d,conf.d,local.d with + example entries +- Added /etc/unbound/root.anchor, maintained by unbound-anchor + which is installed as monthly cron and PreExec in systemd config + (root.key is unused, but left installed in case people depend on it) +- Native systemd (simple) and /etc/sysconfig/unbound support +- Run unbound-checkconf in PreExec +- Moved trust anchor related files to unbound-libs, as they can + be used without the daemon. 
+- sub packages now depends on base package of same arch +- Build munin package as noarch +- unbound-anchor moved to unbound-libs package. It is needed + to update the root.anchor key file. + +* Tue Sep 04 2012 Paul Wouters - 1.4.18-3 +- Fix openssl thread locking bug under high query load + +* Thu Aug 23 2012 Paul Wouters - 1.4.18-2 +- Use new systemd-rpm macros (rhbz#850351) +- Clean up old obsoleted dnssec-conf from < fedora 15 + +* Fri Aug 03 2012 Paul Wouters - 1.4.18-1 +- Updated to 1.4.18 (FIPS related fixes mostly) +- Removed patches that were merged in upstream +- Added comment to root.key + +* Mon Jul 23 2012 Paul Wouters - 1.4.17-5 +- Fix for unbound crasher (upstream bug #452) +- Support libunbound functions in man pages and place in -devel + +* Sun Jul 22 2012 Fedora Release Engineering - 1.4.17-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Tue Jul 03 2012 Paul Wouters - 1.4.17-3 +- unbound FIPS patches for MD5,randomness (rhbz#835106) + +* Fri Jun 15 2012 Adam Tkac - 1.4.17-2 +- don't build unbound-munin on RHEL + +* Thu May 24 2012 Paul Wouters - 1.4.17-1 +- Updated to 1.4.17 (which mostly brings in patches we already + applied from svn trunk) + +* Wed Feb 29 2012 Paul Wouters - 1.4.16-3 +- Since the daemon links to the libs staticly, add Requires: + (this is rhbz#745288) +- Package up streamtcp as unbound-streamtcp (for monitoring) + +* Mon Feb 27 2012 Paul Wouters - 1.4.16-2 +- Don't ghost the directory (rhbz#788805) +- Patch for unbound to support unbound-control forward_zone + (needed for openswan in XAUTH mode) + +* Thu Feb 02 2012 Paul Wouters - 1.4.16-1 +- Upgraded to 1.4.16, which was relesed due to the soname + and some DNSSEC validation failures + +* Wed Feb 01 2012 Paul Wouters - 1.4.15-2 +- Patch for SONAME version (libtool's -version-number vs -version-info) + +* Fri Jan 27 2012 Paul Wouters - 1.4.15-1 +- Upgraded to 1.4.15 +- Updated unbound.conf to show how to configure listening on tls443 + +* Sat Jan 14 
2012 Fedora Release Engineering - 1.4.14-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Mon Dec 19 2011 Paul Wouters - 1.4.14-1 +- Upgraded to 1.4.14 for CVE-2011-4528 / VU#209659 +- SSL-wrapped query support for dnssec-trigger +- EDNS handling changes +- Removed integrated EDNS patches +- Disabled use-caps-for-id, GoDaddy domains now break on it +- Enabled new harden-below-nxdomain + +* Thu Sep 15 2011 Paul Wouters - 1.4.13-1 +- Upgraded to 1.4.13 +- Removed merged in pythonmod patch +- Added EDNS1480 patch to fix unbound on broken EDNS/UDP networks +- Fix python to go into sitearch instead of sitelib + +* Wed Sep 14 2011 Tom Callaway - 1.4.12-4 +- convert to systemd, tmpfiles.d + +* Mon Aug 08 2011 Paul Wouters - 1.4.12-3 +- Added pythonmod docs and examples + +* Mon Aug 08 2011 Paul Wouters - 1.4.12-2 +- Fix for python module load in the server (Tom Hendrikx) +- No longer enable --enable-debug as it causes degraded performance + under load. + +* Mon Jul 18 2011 Paul Wouters - 1.4.12-1 +- Updated to 1.4.12 + +* Sun Jul 03 2011 Paul Wouters - 1.4.11-1 +- Updated to 1.4.11 +- removed integrated CVE patch +- updated stock unbound.conf for new options introduced + +* Mon Jun 06 2011 Paul Wouters - 1.4.10-1 +- Added ghost for /var/run/unbound (bz#656710) + +* Mon Jun 06 2011 Paul Wouters - 1.4.9-3 +- rebuilt + +* Wed May 25 2011 Paul Wouters - 1.4.9-2 +- Applied patch for CVE-2011-1922 DoS vulnerability + +* Sun Mar 27 2011 Paul Wouters - 1.4.9-1 +- Updated to 1.4.9 + +* Sat Feb 12 2011 Paul Wouters - 1.4.8-2 +- rebuilt + +* Tue Jan 25 2011 Paul Wouters - 1.4.8-1 +- Updated to 1.4.8 +- Enable root key for DNSSEC +- Fix unbound-munin to use proper file (could cause excessive logging) +- Build unbound-python per default +- Disable gost as Fedora/EPEL does not allow ECC and has mangled openssl + +* Tue Oct 26 2010 Paul Wouters - 1.4.5-4 +- Revert last build - it was on the wrong branch + +* Tue Oct 26 2010 Paul Wouters - 1.4.5-3 +- Disable 
do-ipv6 per default - causes severe degradation on non-ipv6 machines + (see comments in inbound.conf) + +* Tue Jun 15 2010 Paul Wouters - 1.4.5-2 +- Bump release - forgot to upload the new tar ball. + +* Tue Jun 15 2010 Paul Wouters - 1.4.5-1 +- Upgraded to 1.4.5 + +* Mon May 31 2010 Paul Wouters - 1.4.4-2 +- Added accidentally omitted svn patches to cvs + +* Mon May 31 2010 Paul Wouters - 1.4.4-1 +- Upgraded to 1.4.4 with svn patches +- Obsolete dnssec-conf to ensure it is de-installed + +* Thu Mar 11 2010 Paul Wouters - 1.4.3-1 +- Update to 1.4.3 that fixes 64bit crasher + +* Tue Mar 09 2010 Paul Wouters - 1.4.2-1 +- Updated to 1.4.2 +- Updated unbound.conf with new options +- Enabled pre-fetching DNSKEY records (DNSSEC speedup) +- Enabled re-fetching popular records before they expire +- Enabled logging of DNSSEC validation errors + +* Mon Mar 01 2010 Paul Wouters - 1.4.1-5 +- Overriding -D_GNU_SOURCE is no longer needed. This fixes DSO issues + with pthreads + +* Wed Feb 24 2010 Paul Wouters - 1.4.1-3 +- Change make/configure lines to attempt to fix -lphtread linking issue + +* Thu Feb 18 2010 Paul Wouters - 1.4.1-2 +- Removed dependancy for dnssec-conf +- Added ISC DLV key (formerly in dnssec-conf) +- Fixup old DLV locations in unbound.conf file via %%post +- Fix parent child disagreement handling and no-ipv6 present [svn r1953] + +* Tue Jan 05 2010 Paul Wouters - 1.4.1-1 +- Updated to 1.4.1 +- Changed %%define to %%global + +* Thu Oct 08 2009 Paul Wouters - 1.3.4-2 +- Bump version + +* Thu Oct 08 2009 Paul Wouters - 1.3.4-1 +- Upgraded to 1.3.4. 
Security fix with validating NSEC3 records + +* Fri Aug 21 2009 Tomas Mraz - 1.3.3-2 +- rebuilt with new openssl + +* Mon Aug 17 2009 Paul Wouters - 1.3.3-1 +- Updated to 1.3.3 + +* Sun Jul 26 2009 Fedora Release Engineering - 1.3.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Sat Jun 20 2009 Paul Wouters - 1.3.0-2 +- Added missing glob patch to cvs +- Place python macros within the %%with_python check + +* Sat Jun 20 2009 Paul Wouters - 1.3.0-1 +- Updated to 1.3.0 +- Added unbound-python sub package. disabled for now +- Patch from svn to fix DLV lookups +- Patches from svn to detect wrong truncated response from BIND 9.6.1 with + minimal-responses) +- Added Default-Start and Default-Stop to unbound.init +- Re-enabled --enable-sha2 +- Re-enabled glob.patch + +* Wed May 20 2009 Paul Wouters - 1.2.1-7 +- unbound-iterator.patch was not commited + +* Wed May 20 2009 Paul Wouters - 1.2.1-6 +- Fix for https://bugzilla.redhat.com/show_bug.cgi?id=499793 + +* Tue Mar 17 2009 Paul Wouters - 1.2.1-5 +- Use --nocheck to avoid giving an error on missing unbound-remote certs/keys + +* Tue Mar 10 2009 Adam Tkac - 1.2.1-4 +- enable DNSSEC only if it is enabled in sysconfig/dnssec + +* Mon Mar 09 2009 Adam Tkac - 1.2.1-3 +- add DNSSEC support to initscript and enabled it per default +- add requires dnssec-conf + +* Wed Feb 25 2009 Fedora Release Engineering - 1.2.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Tue Feb 10 2009 Paul Wouters - 1.2.0-2 +- rebuild with new openssl + +* Wed Jan 14 2009 Paul Wouters - 1.1.1-7 +- Modified scandir patch to silently fail when wildcard matches nothing +- Patch to allow unbound-checkconf to find empty wildcard matches + +* Mon Jan 5 2009 Paul Wouters - 1.1.1-6 +- Added scandir patch for trusted-keys-file: option, which + is used to load multiple dnssec keys in bind file format + +* Mon Dec 8 2008 Paul Wouters - 1.1.1-4 +- Added Requires: for selinux-policy >= 3.5.13-33 for proper 
SElinux rules. + +* Mon Dec 1 2008 Paul Wouters - 1.1.1-3 +- We did not own the /etc/unbound directory (#474020) +- Fixed cvs anomalies + +* Fri Nov 28 2008 Adam Tkac - 1.1.1-2 +- removed all obsolete chroot related stuff +- label control certs after generation correctly + +* Thu Nov 20 2008 Paul Wouters - 1.1.1-1 +- Updated to unbound 1.1.1 which fixes a crasher and + addresses nlnetlabs bug #219 + +* Wed Nov 19 2008 Paul Wouters - 1.1.0-3 +- Remove the chroot, obsoleted by SElinux +- Add additional munin plugin links supported by unbound plugin +- Move configuration directory from /var/lib/unbound to /etc/unbound +- Modified unbound.init and unbound.conf to account for chroot changes +- Updated unbound.conf with new available options +- Enabled dns-0x20 protection per default + +* Wed Nov 19 2008 Adam Tkac - 1.1.0-2 +- unbound-1.1.0-log_open.patch + - make sure log is opened before chroot call + - tracked as http://www.nlnetlabs.nl/bugs/show_bug.cgi?id=219 +- removed /dev/log and /var/run/unbound and /etc/resolv.conf from + chroot, not needed +- don't mount files in chroot, it causes problems during updates +- fixed typo in default config file + +* Fri Nov 14 2008 Paul Wouters - 1.1.0-1 +- Updated to version 1.1.0 +- Updated unbound.conf's statistics options and remote-control + to work properly for munin +- Added unbound-munin package +- Generate unbound remote-control key/certs on first startup +- Required ldns is now 1.4.0 + +* Wed Oct 22 2008 Paul Wouters - 1.0.2-5 +- Only call ldconfig in -libs package +- Move configure into build section +- devel subpackage should only depend on libs subpackage + +* Tue Oct 21 2008 Paul Wouters - 1.0.2-4 +- Fix CFLAGS getting lost in build +- Don't enable interface-automatic:yes because that + causes unbound to listen on 0.0.0.0 instead of 127.0.0.1 + +* Sun Oct 19 2008 Paul Wouters - 1.0.2-3 +- Split off unbound-libs, make build verbose + +* Thu Oct 9 2008 Paul Wouters - 1.0.2-2 +- FSB compliance, chroot fixes, initscript 
fixes + +* Thu Sep 11 2008 Paul Wouters - 1.0.2-1 +- Upgraded to 1.0.2 + +* Wed Jul 16 2008 Paul Wouters - 1.0.1-1 +- upgraded to new release + +* Wed May 21 2008 Paul Wouters - 1.0.0-2 +- Build against ldns-1.3.0 + +* Wed May 21 2008 Paul Wouters - 1.0.0-1 +- Split of -devel package, fixed dependancies, make rpmlint happy + +* Fri Apr 25 2008 Wouter Wijngaards - 0.12 +- Using parts from ports collection entry by Jaap Akkerhuis. +- Using Fedoraproject wiki guidelines. + +* Wed Apr 23 2008 Wouter Wijngaards - 0.11 +- Initial version. diff --git a/unbound.sysconfig b/unbound.sysconfig index 9e80f14..adcf8fd 100644 --- a/unbound.sysconfig +++ b/unbound.sysconfig @@ -5,6 +5,3 @@ UNBOUND_ANCHOR_OPTIONS="-f /etc/resolv.conf -R" # for extra debug, add "-v -v" or change verbosity: in unbound.conf UNBOUND_OPTIONS="" - -# Uncoment to validate SHA1 in any crypto policy -# OPENSSL_CONF=/etc/unbound/openssl-sha1.conf diff --git a/wouter.nlnetlabs.nl.key b/wouter.nlnetlabs.nl.key new file mode 100644 index 0000000..603e620 --- /dev/null +++ b/wouter.nlnetlabs.nl.key 
@@ -0,0 +1,123 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +xsFNBE2v/RwBEACyQpJlpCeSZBV1QUH7jNEp5xGdo6OnX2h9XoZ4ZPsb+u6OT+xE +SH45ncnISUh8rPCygbeWOoPR/yOBzh+lYoGxQ5iUHtwRrhHq04sQe/qFpXDO2xs6 +1pTcPU2PnH7Rsr2qp6fZLPHuXLolD7NJfaSib8sVeMM0/ecyl/L2bBg9NpaGDX0x +TQh95M8o6AFo6UKWApBpgsvEZr2aH/B8b9KnCWFhfJyheEM7DamksdZNsKxXQyq3 +l/ROfdsMLZGF8vPbYV/v11G4keyaLpn8AbBpybIiw9SYDwf2ENk3+e1NFfMaiiyE +qn9+aaLTKCY87TMUuoN3s3jWOOy5tHXzf6DbKhub4Awsby3DH5YpPhi4N2vj2pAX +Vpl5+m78cH29JLzT+HAoyZ4tq1r3m0P5QogNqYwqxkKWYOjDilNDBiKiDdgtrLYG +x+ABovKG/FvToJoaCL4AFaVCzWmL2uHkSgyBN0FPHatCB1UeEkcQit6T8E2NQqmF +WjUMXSWHHajSMG95+L5PdLHz/Ku0o3Csvlt2pkElYZmzJBfnOM9JevdsmKr/ruJC +/DCZAn5w2S/9ZF5qfo2F9HUKIwE/dChR29HcN8V4nqZs9oCvEMfFhHmrfwDc5hed +hvb6mAkvSFFtKIrygLIVeWRj3FE9sGp6sr4VwOLYTFRNk7mAsWD1rZApeQARAQAB +zSdXLkMuQS4gV2lqbmdhYXJkcyA8d291dGVyQG5sbmV0bGFicy5ubD7CwX4EEwEC +ACgFAk2v/RwCGyMFCQlmAYAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEJ9v +HC1+BF+N3yoQAIynfrvZ/8RNAv9lLcSc2PX3fvG7oRJEJSy9uMyIbMtb/a1BVCeh +XjR8GhHJ5D/Z3jRWBQKw1rLLvOqbuBGkpKMR100ZVF4z/8e6CWtTAOFy28f1JQw2 +8kilN7K6vjno21S1JJ1XJAdoFdicyb1SW2r+KYod6fjSyF0lb71od+sdnSE9O/xd +Cqyyu6cX+AwfDcuJ6Y8iOWu8CeWAz41LR1QBUQkCb/08mVfCEu+Cj+M31jjPDZEy +UAw219vr4QFe0o3t+Msv0AUZvcRkW6+8qP5lO6I5we/33WBLZH70lhFvYtobM7HO +MCjheRZguSzvRqEETfTjia1uVi3Yz2qM4CFdJIZF6Er79yKcB3jYquultrnlHdXZ +/IZsHVRk6JfiqFkz9u1T9PkvMoQ452aUomGTg9xQchnKpe1E8osKgLulaY+izTEq +Z8pH/HWWJ/YT13/n8pxK9EbC/8SkVhyXNehOSAGDZar+tjVBofgzS8r+GDyv+pBT +SmjitIrVXZNuhigLp1o7Tvs4kjKlcFnLhfDHJ+yb5JyiZd01bVvaqnfRhACqXfWl +oC0uslRbegoYwJUgX0BOrsOuHGH2SfGjd/QnA0bcEXM2kp1Dp1gqtcEd5Qitm647 +Yz+leWkhrmMmtTwqumXoAcvgzthJFUPcAzuhXZNfqQJMOGRxAGVI0P97wsF+BBMB +AgAoAhsjBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCVu+rZAUJDQIVSAAKCRCf +bxwtfgRfjdrWEACMQK0xYtZtAvLL/8CCcCi92Oi1rtXRGWnRy7JX020hftmWliMq +4P0F3CJKVLhgZ/ldp8OOqmfDfmwLMVSaCQ86Ubqn7Ofrf8Ku8SGQuIMxY2ODB97h +ouY4bnDHaM2Cqi6JkBN+G1tgdwqN/kcecF2tq3ql2k7eX91++A+F5ApIu1silzJP +L4Z8W6MVOdKrtzEM7t61hRlsbpEPj72vbVBZ1hmTiIL4VWwdxQYamxBoOeneskyD 
+DG+iMCI3P1GG3EQkk+9Aect/iH9uruE0mxn2aKN8cfuoR93cPF/ozCxS5ItwAVnN +e39WRO1GT2zYaFgYm0lf9czcpRsRzNbGw938lZ3iPUiZe+ybKgLKkVmvrkM59ljH +T99SrC14VXxgQwSs4gS3rdzbY9tPps62Z1q+xCVfTx1IY5P4nt59xwQV0Iw+pV9S +/mVcOnPXl1UKb0ttOdYJErrq3RpF/D2g/NDtL0OWqIa8LvrBlyQYmWPKvKw76vt4 +bJ3NU31jSc0ow/j7EOVjOst86s629zmtnbJjWVr6LOy5EDUPusmqHv1t4Z4RMjf8 +OrJdNbFJoRXZv8FbW4NzXeGtMf8k6vKeejpdMH4+eLuoZG7dchU1JccfgqfwWpy0 +ojmb59drJcaQgVC6Jvw9l0TmGPNIsE4UrIWocaFgv4dOKvHA2hcnMDM8rsLBlQQT +AQIAPwIbIwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQTt+qPyyk5usFaBr46f +bxwtfgRfjQUCWaU4BQUJEZjVaQAKCRCfbxwtfgRfjb1YEACjkhtkyZkYURUmSZNL +2IK/Zencv7DZGRfFrzijROFtHbe//H8o2ZhlyiaFSA/dT1ehjsukkR0oFkYadA+q +Ui06WpxGmd/jf8hP4yTUZkwOhQAesWoNmnhKePNaVMKY8DP57bA+N2pdCcGu7gUt +Yzq2JoTAtV+P/PE2w+H9eyBAulv6iUckM5/qvGfJPl8HB9BtgOpGN79otVWO6ebM +4TQ3cZYI9BDQnt9cF2pviex+z1iLZVJ8UeRxSxYhrBKPJioi0Q1OgcKyO56t7Eot +zxKl5TzprgvdX4cdls+lehD8StlE2Xv/TScHvdOhJuVBrn3a3QjZPb4qSsz74leW +5/EIQmozBy+qf8AHcCmTXwb2U7oHOct7cVyS5+bFx+ThpV5OK0rjTH1LMNiuTeAN +46c1y3prjZRpQUlgVwj06q3Zz/fzDyueUS/r4lW4nAf/VNZy/rTS2HYPoZbHZVCt +GpDIfag6fV6V97Pd3zfhTf2wmsJsw9Xhktp/o7rMBRSMhvL4oevOXb0JSG2583Q/ +JnCCceB4NxRRxsgkRYHwdnXN9FnOPSa4NyvF4rzpPksLGZrhvm+lBvzVn/e40Q/K +lxvSlnn2vW/WBM4pBq1jsoJrd/JkTdijZV7mt7HQ2bCLXAPgfZjy7n79WiCQVHg7 +iYnNikiNWR5TR7JcvdkxOdiA/8LBlQQTAQgAPwIbIwYLCQgHAwIGFQgCCQoLBBYC +AwECHgECF4AWIQTt+qPyyk5usFaBr46fbxwtfgRfjQUCXe4JdQUJGaQN2QAKCRCf +bxwtfgRfjQ8gEACe+49aDQHRuZdDHK1VCJKzhb+MvfdIjvl8eQxljpG9Uz5Y17Bx +4SWfuLHCeGlh1m6IOAWeW4g6Wowm1ec1PkVa79TdrkKb0MxfLSat6iDbiuVjDxy2 +bWokW0/cPzJ/FoWDtEC0H9UTAMb5QGBDZUbLuwX7ZjvMkAhH15/hO9Gj4RHoH1RJ +GJALRtZzjtzsJqL53kW/EV59V1T79Nocyx018iw50Jn02mI8wYJZ9HZc5C7D+K59 +vcqLRZgkrJrObw0sEv3YFOBYp/1DemH2nHPMBSKMmN5RAcr32guUjd4BEWf2Q7Ao ++Qnhdi161W0YKCW4JAmOoQ4bQ0wfE9Q5aUIGhUF52L+ac8Hy7dByaCExCA/WTqQQ +/iVPybmpJQhFonWt/fmpxbE2wKThSEOHTO67e5e3JfUb0vNKssyZojao4h1MF5nv +aPNKoybWwKnpNM0ORcyl+aogKwW7E15TEU0TE5//gAsFwRDcCnSEKnksgM0321m1 +7RDfJbCajIv47DHDYE3yvhRZjCJCaw0Gow1sDRWjdOFpmIixD5/vx5uxyqSHPuGA 
+sXlEvl+Z3Rdc5bQ7pAWu7UNpR3hnJPfg8KL2xqOF75VKG9/NjLE80yj8wdVoCfDv +vizrBtOXnHI49gCMCfNqbGIb5yVhmTdeo7li+Te9hlJ2DrHnujGJlFe+p87BTQRN +r/0cARAApvDKeVLiSazESdTY9KsSWsqoB38pvOsu25M49tEjc5TtY5LwKNckqkeR +lJ83O8dFG7UBVuGwLKaf/6OR/pe24upZ27eOOWW7sXvQNv5aXlOYfF+mjIhUINqj +q4pKDmO1c9J7h5d+auOVfzcgfotg3BVCaKn56ucjiQJ059uUMfgWTvVlibnoJ7de +Zcgt8v7VcLK9jv+P8QJHTIyDzJd+JjdjuHXqC/A37T5G9Z84x8wYrQY6mZmOIYaM +jwIKdgFeN+nLk5henARUz4MTFUW4j9hHpuyAFomDQ93/wkHZ9IEChTxdZnfvsd// +Z45vfcX9dQM+tuR8XCYThVsScI1TnwR46hi5NkfmHo3HVxwB8/owJ+FZDsTNBbJd +7AVy27Xk4L5hLe7BwLDtFMyOp4lOipCM7//mtFB9mTzqnOwiSSyTRlwGUBJkzQFW +Qa0Z6bfYwA6+y1dn19H519GW49irtl+2+W8W4N8oLriIjPvqrQOyaELFcRfV6FfL +i09HPhHVbejOqIEbOtfuN0+mjrrGAwortfTBjfw80N+W90BTvta4K2SyjHcJTkDY +ehfOo/5IMpGtDsOgvsCbDaFRnNJuYtSqQmvWk1KIPIw6CkdJtZa3+q3YA7D7ovOV +H1OBTKNdBjc+X4W8L5R9MCymXWvgiP+52Sv1VIcZmsnCBrwK490AEQEAAcLBZQQY +AQIADwUCTa/9HAIbDAUJCWYBgAAKCRCfbxwtfgRfjTY/D/9+kX8LeqBhwDdwy3ud +V67KmVmytwGMfzBHbAyBdy84X06ip/If/VkjL+2Sv5Uml/cOOzGZT7y/KEt0uXQz +gOZhGP5Y0OREf4kSzfb7tsGu3ZjTp5uJe7HiJr8uqYGfx94TQG/A3x1C7MlxOGmW +DK/Eh/eNVeNd+3yyDEzl2p7a0yUhI8LtzllVrEDX+G4rz+mdDw4tfPDqzRPzPvVt +PfqnfofHP5r2dshGe7+pCTC+o0jHWpaiFkEiIrR3PbZ9tV6+F5LzCUJJP5nepz6C +ShpLHq9ST6qZiw5ZpdznHW0kVl96YxgynJq9Y4dqD/8nOfTzdHhXXEogGvRfcxat +xeZF7YNFhUU2p+CswAjRKCUzZAz0hDAu+dJ+fw4Odx7ii8uiwhEnEHoo8rPETkXw +UK1je4MCzMRSy0Gippzk/oZ7noIml+Njas/UygavUOQm8bcPqGfWeFqvM2C7ZobL +2iV0fX/bhEmQyosiWJ0nHuKdwDYygYs/4LtZLxwiKli/lm6IDz1028j6/98Z81gG +oltXWokTYAPEgcBuhyiSLSQ1wojTVMYt9rPKMBakTzP+0FoWqoNafWOlHovP6iUB +2Igll2ZT3AvrBQ8jAbRbuUl46QpBaKsl+pBo86az0fRkMxv0N4dQv4Q7Z0g71u9N +Tpaq1vtAZOwc0kl3uGNK18PnV8LBZQQYAQIADwIbDAUCVu+raQUJDQIVTQAKCRCf +bxwtfgRfjVnYEACZ1E/FfLDi4vLUd9diImmNN/zWDHxTsO/VG3lt50rSoJM5NGB4 +RlwcbUKhah2fD44FFiIqGIvKD9hRgB51dVRIkaR3ozVtXRBKxJJqWj38wf2FDLtU +XC5/JHYb0sjAc3ad2sA9xEmEBVO1lWK3J6h4gKZiAGlWz3oeOSve3vrTKsBlP0Cu +rUeb4WTVpw4drBJD7cDh8SJ4/Cq76UFx8lW0xR+pHZHcd0/Ir5v5HnnEgbnut4Ix +eY3/CGBfQfSQHylK7ifmPWq+dflC/ZdfHY1V96EHKPM44ZLwiczoY3qp5nkmEc3B 
+Y6+P8Ch5gddOYaY18wpedarswnpOLQD2Xbsj66Eh0IZuuuZGyfOqJNaWbP33L27e +g35XQNTgyhuZmDyRKL6yAbhU74TXCCvze/kkfqDn2ouCtM8/kqLX1v0+NkBxlhZU +kTTVDyclZtwu6Vypus3+j2Zqk8sXeUZI64sjXpzwOcMZxdl3QuyxMktExWzk9Q5D +YqO+pj/YGt1vp2M0YgSUWNWCvfBcjEPFgaljyqz3BdvR/LYohnXuQL9SWObF+sIF +c9D0w/yORYQcKP5kSWVC/qwFdC61OGeSDnQ/0o0T5PefhYS82gsIrjQ+HIJ7CLUT +k7kBNljvtfpoWegH02feR0kSRoCXA6x+YHT4fmB41pW8S1V5a5dEltA/JMLBfAQY +AQIAJgIbDBYhBO36o/LKTm6wVoGvjp9vHC1+BF+NBQJZpTgKBQkRmNVuAAoJEJ9v +HC1+BF+NyNQP/A3h+cOOkYUxyKpNHdtlIfCn8db5tHXSCbE19Qi7EK1SiK5atjo+ +VoRtB+L01kH6GCx5oZjeIhUdzYFwEUsdCDgwD6r0dKFwKIGa4TFcfnx+Z5B+HZgL +Yc6ac5PEHF1qZVXZH9GSGeNw5h2yyqf4yhvetSN6L2id14m5XXJV5e7NfOgmaSnG +0Z+wQvPSiu+Q00XpENT8HFSTSCjRATjk12rpy6TPeeC52NK1gLhGDRHN0k6m+vm4 +yoC+Nd6iPQpnc+5xs7NDnq2dFuSTp7UTGebzPhhdSQgujEFuYLwzQMZu1h5amtA+ +v9j7BYEJkOMC7bm1PNNA2QQ6QfH8Hf+mJeINyJO8A5KS3ceP+eo3SLR8T0hPzu9g +ZuZ22Hn3DXQh1VNRshaLKgNvoXpL3dQ48d1SFFKhEDpy2HSXUq2fs5rH0uszFGes +G7K6EQRAYRcDrCkt9fdfkvCSxAFw9d+472xThzgKcN+MkOec+SaY+xlVULjEfCWy +RVC8Opam4mTm/XT4mVLxP/qnsy7kEhLoc/ouB+lY/ks06LpZJvCXL6WfA9You1Fi +1Mg7GhSh9JKg6X6E8Trm+N4dxJGut1xbbGmmKXqfi4pej9KlkdeM9t1df/vWKlPa +7Hzd8H0btgJx066wC4yt0ghxtsJXBsCDxWLfzaSRZ2/eP16mHqxDjsQQwsF8BBgB +CAAmAhsMFiEE7fqj8spObrBWga+On28cLX4EX40FAl3uCX0FCRmkDeEACgkQn28c +LX4EX43TQA/+JV8ReMRJCn3Cfqbe5ycFn8p6dIVnJiQuhiEyu5yzdpSkKyzcVFJO +bQcqw7s50FJuLUbxdvbcuGIaoTu7dhBoUXO5tOuIQAsKTfGfgoOgelJm+/q2h645 +EnAVINGbMDXrmo4/UFJkNjUMA6SQi/yiam7N0y58eoDC4sGmBKuN2EW2MoWahlXw +8SS1+Ab9qVBs/RqbSy6f1nJL39aPpPDmvyJOSYtHnNSFlYWVhr0zGAi5rnswlFGr +ECGbHpr5FajUK7zcmtNPbi7F30K48xfF3XnDIeIBcerrEBQMaPUZcBlddGhmSVVJ +ZU/YhR35JNgPnmp33gOuZaRiW9lauZFwsMQBIBkLpJWoUtu8QLkyC0HmJzVRep0/ +s1RkzaJ+1G1BzXTQiXaLaUQWG5h3pcMD8fxY5qp9KbG/+10bY0sRbRBXgS6mz7dd +HaBtg/E8ty2nEB1HDXA9HAHu7KlH9e96sPZjz9C46ZiOXe6ZAOk6wBYts4RG4bCQ +9pGORJ+P2Jr2pz1NZQbs1AhnjJixTsfZfsGZ5lHxGLjIyxtdGB/irLEqNTIMek2y +p4CShmWoZwN0V3aGYMe/rC4tSXG79IeKNwF3Vd5MHtB+hcJG2qztBtKQuW29rbRA +5bNxwTWe8skwOKsxXnP9RC974k0XkPS+VwgmVgNN1ewS/0oHvmEP71Q= +=Oqje +-----END PGP PUBLIC 
KEY BLOCK-----
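Review bot: The new keyring wouter.nlnetlabs.nl.key is added without any provenance record — its fingerprint, the user ID it carries and where it was obtained cannot be checked by a reviewer without importing the key, and a keyring file is only as trustworthy as the out-of-band check made on it. The ASCII armor permits header lines between the BEGIN line and the blank line, so the file could carry `Comment: fingerprint <FINGERPRINT-PLACEHOLDER>, fetched from <UPSTREAM-URL-PLACEHOLDER>` right after `-----BEGIN PGP PUBLIC KEY BLOCK-----`, or the same facts could go into the commit message. It is also worth confirming that the spec's source-signature verification step actually references this file name, since a keyring nothing consults does not protect the tarball signature check; that part of the spec is outside this diff.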