From 397e2e5b05f3dcfb25424b5972e917b67d1e7cb3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Fri, 1 Sep 2023 10:50:36 +0200 Subject: [PATCH 1/7] Update to 1.18.0 https://nlnetlabs.nl/projects/unbound/download/#unbound-1-18-0 - NAT64 support - Downstream DNS cookies - EDE caching - Set max-udp-size default to 1232 Resolves: rhbz#2236097 --- .gitignore | 2 ++ sources | 4 ++-- unbound.conf | 32 ++++++++++++++++++++++++++++---- unbound.spec | 7 +++++-- 4 files changed, 37 insertions(+), 8 deletions(-) diff --git a/.gitignore b/.gitignore index 44cbc77..7b0a36a 100644 --- a/.gitignore +++ b/.gitignore @@ -79,3 +79,5 @@ unbound-1.4.5.tar.gz /unbound-1.17.0.tar.gz.asc /unbound-1.17.1.tar.gz /unbound-1.17.1.tar.gz.asc +/unbound-1.18.0.tar.gz +/unbound-1.18.0.tar.gz.asc diff --git a/sources b/sources index d6e9a7b..558d84a 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (unbound-1.17.1.tar.gz) = 10dd4c3aff77f1c0d19eb3c66956ed6ef1aae19e827d0b3259dc75d9de28dedd41862982a299e67ee07e17fb52058b4beee9d4b1d3bb0a3f633b9ba5b864d168 -SHA512 (unbound-1.17.1.tar.gz.asc) = d663c2ebf9ba4420eb6cd351378d646ac4c9e88bd69913dc1c862a326e98329496a901c86b857f2c157c0401a289ff91e5ac83911477cb9894156c6d959b2b80 +SHA512 (unbound-1.18.0.tar.gz) = 24ca6bfe0ed493eb6aaa5cb1b2b108076ce97c48de7470adf596d1154254351e382b83aae33fcd8d4fa64847e359613e00c979b6f3ba7671215b2d0fd2b03b14 +SHA512 (unbound-1.18.0.tar.gz.asc) = 222ff184d952b9ee8ce81e1f3384d1640ff4695ca60b7d5f946dc24489d583618fc0f4e3c169514b699c684766fdb352f47ca29853223fbae70a65fd994d4fd2 diff --git a/unbound.conf b/unbound.conf index 54c4d7b..b038b4a 100644 --- a/unbound.conf +++ b/unbound.conf @@ -161,10 +161,8 @@ server: # edns-buffer-size: 1232 # Maximum UDP response size (not applied to TCP response). - # Suggested values are 512 to 4096. Default is 4096. 65536 disables it. - # 3072 causes +dnssec any isc.org queries to need TC=1. - # Helps mitigating DDOS - max-udp-size: 3072 + # Suggested values are 512 to 4096. Default is 1232. 65536 disables it. + # max-udp-size: 1232 # max memory to use for stream(tcp and tls) waiting result buffers. # stream-wait-size: 4m @@ -263,6 +261,18 @@ server: # Enable IPv6, "yes" or "no". # do-ip6: yes + # If running unbound on an IPv6-only host, domains that only have + # IPv4 servers would become unresolveable. If NAT64 is available in + # the network, unbound can use NAT64 to reach these servers with + # the following option. This is NOT needed for enabling DNS64 on a + # system that has IPv4 connectivity. + # Consider also enabling prefer-ip6 to prefer native IPv6 connections + # to nameservers. + # do-nat64: no + + # NAT64 prefix. Defaults to using dns64-prefix value. + # nat64-prefix: 64:ff9b::0/96 + # Enable UDP, "yes" or "no". # NOTE: if setting up an Unbound on tls443 for public use, you might want to # disable UDP to avoid being used in DNS amplification attacks. @@ -296,6 +306,10 @@ server: # Timeout for EDNS TCP keepalive, in msec. # edns-tcp-keepalive-timeout: 120000 + # UDP queries that have waited in the socket buffer for a long time + # can be dropped. Default is 0, disabled. In seconds, such as 3. + # sock-queue-timeout: 0 + # Fedora note: do not activate this - not compiled in because # it causes frequent unbound crashes. Also, socket activation # is bad when you have things like dnsmasq also running with libvirt. @@ -529,6 +543,10 @@ server: # to validate the zone. # harden-algo-downgrade: no + # Harden against unknown records in the authority section and the + # additional section. + # harden-unknown-additional: no + # Sent minimum amount of information to upstream servers to enhance # privacy. Only sent minimum required labels of the QNAME and set QTYPE # to A when possible. @@ -842,6 +860,8 @@ server: # o always_transparent, always_refuse, always_nxdomain, always_nodata, # always_deny resolve in that way but ignore local data for # that name + # o block_a resolves all records normally but returns + # NODATA for A queries and ignores local data for that name # o always_null returns 0.0.0.0 or ::0 for any name in the zone. # o noview breaks out of that view towards global local-zones. # @@ -1265,6 +1285,10 @@ auth-zone: # redis-server-host: 127.0.0.1 # # redis server's TCP port # redis-server-port: 6379 +# # if the server uses a unix socket, set its path, or "" when not used. +# # redis-server-path: "/var/lib/redis/redis-server.sock" +# # if the server uses an AUTH password, specify here, or "" when not used. +# # redis-server-password: "" # # timeout (in ms) for communication with the redis server # redis-timeout: 100 # # set timeout on redis records based on DNS response TTL diff --git a/unbound.spec b/unbound.spec index d84d54d..36a9492 100644 --- a/unbound.spec +++ b/unbound.spec @@ -30,8 +30,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.17.1 -Release: 2%{?extra_version:.%{extra_version}}%{?dist} +Version: 1.18.0 +Release: 1%{?extra_version:.%{extra_version}}%{?dist} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -490,6 +490,9 @@ popd %{_mandir}/man1/unbound-* %changelog +* Fri Sep 01 2023 Petr Menšík - 1.18.0-1 +- Update to 1.18.0 (#2236097) + * Sat Jan 21 2023 Fedora Release Engineering - 1.17.1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild From 5a1d5b57ac3e6056962fe4bc9d9ccf81a8f13a3c Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Wed, 11 Oct 2023 16:55:31 -0400 Subject: [PATCH 2/7] Fix for resolving outlook.com via forwarders - See https://github.com/NLnetLabs/unbound/issues/946 --- unbound-1.18-outlook.patch | 228 +++++++++++++++++++++++++++++++++++++ unbound.spec | 7 +- 2 files changed, 234 insertions(+), 1 deletion(-) create mode 100644 unbound-1.18-outlook.patch diff --git a/unbound-1.18-outlook.patch b/unbound-1.18-outlook.patch new file mode 100644 index 0000000..6689bbc --- /dev/null +++ b/unbound-1.18-outlook.patch @@ -0,0 +1,228 @@ +diff --git a/Makefile.in b/Makefile.in +index 627a650f6..22fb75c12 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -793,7 +793,7 @@ iter_priv.lo iter_priv.o: $(srcdir)/iterator/iter_priv.c config.h $(srcdir)/iter + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/sbuffer.h + iter_resptype.lo iter_resptype.o: $(srcdir)/iterator/iter_resptype.c config.h \ +- $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h \ ++ $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iterator.h $(srcdir)/util/log.h \ + $(srcdir)/services/cache/dns.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/data/dname.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h +diff --git a/iterator/iter_resptype.c b/iterator/iter_resptype.c +index e85595b84..38e186e79 100644 +--- a/iterator/iter_resptype.c ++++ b/iterator/iter_resptype.c +@@ -42,6 +42,7 @@ + #include "config.h" + #include "iterator/iter_resptype.h" + #include "iterator/iter_delegpt.h" ++#include "iterator/iterator.h" + #include "services/cache/dns.h" + #include "util/net_help.h" + #include "util/data/dname.h" +@@ -105,7 +106,8 @@ response_type_from_cache(struct dns_msg* msg, + + enum response_type + response_type_from_server(int rdset, +- struct dns_msg* msg, struct query_info* request, struct delegpt* dp) ++ struct dns_msg* msg, struct query_info* request, struct delegpt* dp, ++ int* empty_nodata_found) + { + uint8_t* origzone = (uint8_t*)"\000"; /* the default */ + struct ub_packed_rrset_key* s; +@@ -284,13 +286,22 @@ response_type_from_server(int rdset, + + /* If we've gotten this far, this is NOERROR/NODATA (which could + * be an entirely empty message) */ +- /* but ignore entirely empty messages, noerror/nodata has a soa +- * negative ttl value in the authority section, this makes it try +- * again at another authority. And turns it from a 5 second empty +- * message into a 5 second servfail response. */ ++ /* For entirely empty messages, try again, at first, then accept ++ * it it happens more. A regular noerror/nodata response has a soa ++ * negative ttl value in the authority section. This makes it try ++ * again at another authority. And decides between storing a 5 second ++ * empty message or a 5 second servfail response. */ + if(msg->rep->an_numrrsets == 0 && msg->rep->ns_numrrsets == 0 && +- msg->rep->ar_numrrsets == 0) +- return RESPONSE_TYPE_THROWAWAY; ++ msg->rep->ar_numrrsets == 0) { ++ if(empty_nodata_found) { ++ /* detect as throwaway at first, but accept later. */ ++ (*empty_nodata_found)++; ++ if(*empty_nodata_found < EMPTY_NODATA_RETRY_COUNT) ++ return RESPONSE_TYPE_THROWAWAY; ++ return RESPONSE_TYPE_ANSWER; ++ } ++ return RESPONSE_TYPE_ANSWER; ++ } + /* check if recursive answer; saying it has empty cache */ + if( (msg->rep->flags&BIT_RA) && !(msg->rep->flags&BIT_AA) && !rdset) + return RESPONSE_TYPE_REC_LAME; +diff --git a/iterator/iter_resptype.h b/iterator/iter_resptype.h +index fee9ef35f..bfd4b664f 100644 +--- a/iterator/iter_resptype.h ++++ b/iterator/iter_resptype.h +@@ -119,9 +119,11 @@ enum response_type response_type_from_cache(struct dns_msg* msg, + * @param request: the request that generated the response. + * @param dp: The delegation point that was being queried + * when the response was returned. ++ * @param empty_nodata_found: flag to keep track of empty nodata detection. + * @return the response type (CNAME or ANSWER). + */ + enum response_type response_type_from_server(int rdset, +- struct dns_msg* msg, struct query_info* request, struct delegpt* dp); ++ struct dns_msg* msg, struct query_info* request, struct delegpt* dp, ++ int* empty_nodata_found); + + #endif /* ITERATOR_ITER_RESPTYPE_H */ +diff --git a/iterator/iterator.c b/iterator/iterator.c +index 9f78aa17d..106e2877e 100644 +--- a/iterator/iterator.c ++++ b/iterator/iterator.c +@@ -2940,7 +2940,7 @@ static int + processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, + struct iter_env* ie, int id) + { +- int dnsseclame = 0, origtypecname = 0; ++ int dnsseclame = 0, origtypecname = 0, orig_empty_nodata_found; + enum response_type type; + + iq->num_current_queries--; +@@ -2960,12 +2960,25 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, + return next_state(iq, QUERYTARGETS_STATE); + } + iq->timeout_count = 0; ++ orig_empty_nodata_found = iq->empty_nodata_found; + type = response_type_from_server( + (int)((iq->chase_flags&BIT_RD) || iq->chase_to_rd), +- iq->response, &iq->qinfo_out, iq->dp); ++ iq->response, &iq->qinfo_out, iq->dp, &iq->empty_nodata_found); + iq->chase_to_rd = 0; + /* remove TC flag, if this is erroneously set by TCP upstream */ + iq->response->rep->flags &= ~BIT_TC; ++ if(orig_empty_nodata_found != iq->empty_nodata_found && ++ iq->empty_nodata_found < EMPTY_NODATA_RETRY_COUNT) { ++ /* try to search at another server */ ++ if(qstate->reply) { ++ struct delegpt_addr* a = delegpt_find_addr( ++ iq->dp, &qstate->reply->remote_addr, ++ qstate->reply->remote_addrlen); ++ /* make selection disprefer it */ ++ if(a) a->lame = 1; ++ } ++ return next_state(iq, QUERYTARGETS_STATE); ++ } + if(type == RESPONSE_TYPE_REFERRAL && (iq->chase_flags&BIT_RD) && + !iq->auth_zone_response) { + /* When forwarding (RD bit is set), we handle referrals +@@ -3501,7 +3514,7 @@ processPrimeResponse(struct module_qstate* qstate, int id) + iq->response->rep->flags &= ~(BIT_RD|BIT_RA); /* ignore rec-lame */ + type = response_type_from_server( + (int)((iq->chase_flags&BIT_RD) || iq->chase_to_rd), +- iq->response, &iq->qchase, iq->dp); ++ iq->response, &iq->qchase, iq->dp, NULL); + if(type == RESPONSE_TYPE_ANSWER) { + qstate->return_rcode = LDNS_RCODE_NOERROR; + qstate->return_msg = iq->response; +diff --git a/iterator/iterator.h b/iterator/iterator.h +index fad7f03e6..e253f3f7e 100644 +--- a/iterator/iterator.h ++++ b/iterator/iterator.h +@@ -101,6 +101,8 @@ extern int BLACKLIST_PENALTY; + * Chosen so that the UNKNOWN_SERVER_NICENESS falls within the band of a + * fast server, this causes server exploration as a side benefit. msec. */ + #define RTT_BAND 400 ++/** Number of retries for empty nodata packets before it is accepted. */ ++#define EMPTY_NODATA_RETRY_COUNT 2 + + /** + * Global state for the iterator. +@@ -415,6 +417,11 @@ struct iter_qstate { + */ + int refetch_glue; + ++ /** ++ * This flag detects that a completely empty nodata was received, ++ * already so that it is accepted later. */ ++ int empty_nodata_found; ++ + /** list of pending queries to authoritative servers. */ + struct outbound_list outlist; + +diff --git a/testdata/iter_ignore_empty.rpl b/testdata/iter_ignore_empty.rpl +index c70dd7e8d..4b2f695b8 100644 +--- a/testdata/iter_ignore_empty.rpl ++++ b/testdata/iter_ignore_empty.rpl +@@ -78,6 +78,18 @@ example2.com. IN NS ns2.example2.com. + SECTION ADDITIONAL + ns2.example2.com. IN A 1.2.3.5 + ENTRY_END ++ ++ENTRY_BEGIN ++MATCH opcode subdomain ++ADJUST copy_id copy_query ++REPLY QR NOERROR ++SECTION QUESTION ++foo.com. IN NS ++SECTION AUTHORITY ++foo.com. IN NS ns.foo.com. ++SECTION ADDITIONAL ++ns.foo.com. IN A 1.2.3.5 ++ENTRY_END + RANGE_END + + ; ns.example.com. +@@ -172,6 +184,27 @@ www.example.com. IN A + SECTION ANSWER + www.example.com. IN A 10.20.30.40 + ENTRY_END ++ ++; foo.com ++ENTRY_BEGIN ++MATCH opcode qtype qname ++ADJUST copy_id ++REPLY QR AA NOERROR ++SECTION QUESTION ++www.foo.com. IN A ++SECTION ANSWER ++ENTRY_END ++ ++ENTRY_BEGIN ++MATCH opcode qtype qname ++ADJUST copy_id ++REPLY QR AA NOERROR ++SECTION QUESTION ++ns.foo.com. IN AAAA ++SECTION ANSWER ++SECTION AUTHORITY ++;foo.com. IN SOA ns2.foo.com root.foo.com 4 14400 3600 604800 3600 ++ENTRY_END + RANGE_END + + STEP 1 QUERY +@@ -195,4 +228,21 @@ ENTRY_END + ; wait for pending nameserver lookups. + STEP 20 TRAFFIC + ++; Test that a nodata stays a nodata. ++STEP 30 QUERY ++ENTRY_BEGIN ++REPLY RD ++SECTION QUESTION ++www.foo.com. IN A ++ENTRY_END ++ ++STEP 40 CHECK_ANSWER ++ENTRY_BEGIN ++MATCH all ++REPLY QR RD RA NOERROR ++SECTION QUESTION ++www.foo.com. IN A ++SECTION ANSWER ++ENTRY_END ++ + SCENARIO_END diff --git a/unbound.spec b/unbound.spec index 36a9492..a1f2174 100644 --- a/unbound.spec +++ b/unbound.spec @@ -31,7 +31,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.18.0 -Release: 1%{?extra_version:.%{extra_version}}%{?dist} +Release: 2%{?extra_version:.%{extra_version}}%{?dist} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -56,6 +56,8 @@ Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_vers Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key Source20: unbound.sysusers +# https://github.com/NLnetLabs/unbound/issues/946 +Patch1: unbound-1.18-outlook.patch BuildRequires: gcc, make BuildRequires: flex, openssl-devel @@ -490,6 +492,9 @@ popd %{_mandir}/man1/unbound-* %changelog +* Thu Oct 12 2023 Paul Wouters - 1.18.0-2 +- Fix for resolving outlook.com via forwarders + * Fri Sep 01 2023 Petr Menšík - 1.18.0-1 - Update to 1.18.0 (#2236097) From e3509d767e499e156b247910a3b75d902ac96b1e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 2 Nov 2023 19:39:30 +0100 Subject: [PATCH 3/7] Update to 1.19.0 (#2248686) - New disable-edns-do option Changes: https://nlnetlabs.nl/projects/unbound/download/#unbound-1-19-0 https://lists.nlnetlabs.nl/pipermail/unbound-users/2023-November/008186.html --- .gitignore | 2 + sources | 4 +- unbound-1.18-outlook.patch | 228 ------------------------------------- unbound.spec | 12 +- 4 files changed, 11 insertions(+), 235 deletions(-) delete mode 100644 unbound-1.18-outlook.patch diff --git a/.gitignore b/.gitignore index 7b0a36a..c4bf873 100644 --- a/.gitignore +++ b/.gitignore @@ -81,3 +81,5 @@ unbound-1.4.5.tar.gz /unbound-1.17.1.tar.gz.asc /unbound-1.18.0.tar.gz /unbound-1.18.0.tar.gz.asc +/unbound-1.19.0.tar.gz +/unbound-1.19.0.tar.gz.asc diff --git a/sources b/sources index 558d84a..4adc154 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (unbound-1.18.0.tar.gz) = 24ca6bfe0ed493eb6aaa5cb1b2b108076ce97c48de7470adf596d1154254351e382b83aae33fcd8d4fa64847e359613e00c979b6f3ba7671215b2d0fd2b03b14 -SHA512 (unbound-1.18.0.tar.gz.asc) = 222ff184d952b9ee8ce81e1f3384d1640ff4695ca60b7d5f946dc24489d583618fc0f4e3c169514b699c684766fdb352f47ca29853223fbae70a65fd994d4fd2 +SHA512 (unbound-1.19.0.tar.gz) = c7df997ab003d098f53ac97ffb4c8428ab28e24573ff21e21782cbeadca42edadeb5b0db53ce954c9ff3106a5edb36eb47109240c554a44d9aac75727b66aeb4 +SHA512 (unbound-1.19.0.tar.gz.asc) = 63aa94192de7840f7abe43367e2c3f5d3fd42b8d72c08a5645cf28e2c0ad2e11d54f3aa645384fff5d4dfe66bc7ee25d81bd967780a992b54956343974206580 diff --git a/unbound-1.18-outlook.patch b/unbound-1.18-outlook.patch deleted file mode 100644 index 6689bbc..0000000 --- a/unbound-1.18-outlook.patch +++ /dev/null @@ -1,228 +0,0 @@ -diff --git a/Makefile.in b/Makefile.in -index 627a650f6..22fb75c12 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -793,7 +793,7 @@ iter_priv.lo iter_priv.o: $(srcdir)/iterator/iter_priv.c config.h $(srcdir)/iter - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/sbuffer.h - iter_resptype.lo iter_resptype.o: $(srcdir)/iterator/iter_resptype.c config.h \ -- $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h \ -+ $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iterator.h $(srcdir)/util/log.h \ - $(srcdir)/services/cache/dns.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/data/dname.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h -diff --git a/iterator/iter_resptype.c b/iterator/iter_resptype.c -index e85595b84..38e186e79 100644 ---- a/iterator/iter_resptype.c -+++ b/iterator/iter_resptype.c -@@ -42,6 +42,7 @@ - #include "config.h" - #include "iterator/iter_resptype.h" - #include "iterator/iter_delegpt.h" -+#include "iterator/iterator.h" - #include "services/cache/dns.h" - #include "util/net_help.h" - #include "util/data/dname.h" -@@ -105,7 +106,8 @@ response_type_from_cache(struct dns_msg* msg, - - enum response_type - response_type_from_server(int rdset, -- struct dns_msg* msg, struct query_info* request, struct delegpt* dp) -+ struct dns_msg* msg, struct query_info* request, struct delegpt* dp, -+ int* empty_nodata_found) - { - uint8_t* origzone = (uint8_t*)"\000"; /* the default */ - struct ub_packed_rrset_key* s; -@@ -284,13 +286,22 @@ response_type_from_server(int rdset, - - /* If we've gotten this far, this is NOERROR/NODATA (which could - * be an entirely empty message) */ -- /* but ignore entirely empty messages, noerror/nodata has a soa -- * negative ttl value in the authority section, this makes it try -- * again at another authority. And turns it from a 5 second empty -- * message into a 5 second servfail response. */ -+ /* For entirely empty messages, try again, at first, then accept -+ * it it happens more. A regular noerror/nodata response has a soa -+ * negative ttl value in the authority section. This makes it try -+ * again at another authority. And decides between storing a 5 second -+ * empty message or a 5 second servfail response. */ - if(msg->rep->an_numrrsets == 0 && msg->rep->ns_numrrsets == 0 && -- msg->rep->ar_numrrsets == 0) -- return RESPONSE_TYPE_THROWAWAY; -+ msg->rep->ar_numrrsets == 0) { -+ if(empty_nodata_found) { -+ /* detect as throwaway at first, but accept later. */ -+ (*empty_nodata_found)++; -+ if(*empty_nodata_found < EMPTY_NODATA_RETRY_COUNT) -+ return RESPONSE_TYPE_THROWAWAY; -+ return RESPONSE_TYPE_ANSWER; -+ } -+ return RESPONSE_TYPE_ANSWER; -+ } - /* check if recursive answer; saying it has empty cache */ - if( (msg->rep->flags&BIT_RA) && !(msg->rep->flags&BIT_AA) && !rdset) - return RESPONSE_TYPE_REC_LAME; -diff --git a/iterator/iter_resptype.h b/iterator/iter_resptype.h -index fee9ef35f..bfd4b664f 100644 ---- a/iterator/iter_resptype.h -+++ b/iterator/iter_resptype.h -@@ -119,9 +119,11 @@ enum response_type response_type_from_cache(struct dns_msg* msg, - * @param request: the request that generated the response. - * @param dp: The delegation point that was being queried - * when the response was returned. -+ * @param empty_nodata_found: flag to keep track of empty nodata detection. - * @return the response type (CNAME or ANSWER). - */ - enum response_type response_type_from_server(int rdset, -- struct dns_msg* msg, struct query_info* request, struct delegpt* dp); -+ struct dns_msg* msg, struct query_info* request, struct delegpt* dp, -+ int* empty_nodata_found); - - #endif /* ITERATOR_ITER_RESPTYPE_H */ -diff --git a/iterator/iterator.c b/iterator/iterator.c -index 9f78aa17d..106e2877e 100644 ---- a/iterator/iterator.c -+++ b/iterator/iterator.c -@@ -2940,7 +2940,7 @@ static int - processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, - struct iter_env* ie, int id) - { -- int dnsseclame = 0, origtypecname = 0; -+ int dnsseclame = 0, origtypecname = 0, orig_empty_nodata_found; - enum response_type type; - - iq->num_current_queries--; -@@ -2960,12 +2960,25 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, - return next_state(iq, QUERYTARGETS_STATE); - } - iq->timeout_count = 0; -+ orig_empty_nodata_found = iq->empty_nodata_found; - type = response_type_from_server( - (int)((iq->chase_flags&BIT_RD) || iq->chase_to_rd), -- iq->response, &iq->qinfo_out, iq->dp); -+ iq->response, &iq->qinfo_out, iq->dp, &iq->empty_nodata_found); - iq->chase_to_rd = 0; - /* remove TC flag, if this is erroneously set by TCP upstream */ - iq->response->rep->flags &= ~BIT_TC; -+ if(orig_empty_nodata_found != iq->empty_nodata_found && -+ iq->empty_nodata_found < EMPTY_NODATA_RETRY_COUNT) { -+ /* try to search at another server */ -+ if(qstate->reply) { -+ struct delegpt_addr* a = delegpt_find_addr( -+ iq->dp, &qstate->reply->remote_addr, -+ qstate->reply->remote_addrlen); -+ /* make selection disprefer it */ -+ if(a) a->lame = 1; -+ } -+ return next_state(iq, QUERYTARGETS_STATE); -+ } - if(type == RESPONSE_TYPE_REFERRAL && (iq->chase_flags&BIT_RD) && - !iq->auth_zone_response) { - /* When forwarding (RD bit is set), we handle referrals -@@ -3501,7 +3514,7 @@ processPrimeResponse(struct module_qstate* qstate, int id) - iq->response->rep->flags &= ~(BIT_RD|BIT_RA); /* ignore rec-lame */ - type = response_type_from_server( - (int)((iq->chase_flags&BIT_RD) || iq->chase_to_rd), -- iq->response, &iq->qchase, iq->dp); -+ iq->response, &iq->qchase, iq->dp, NULL); - if(type == RESPONSE_TYPE_ANSWER) { - qstate->return_rcode = LDNS_RCODE_NOERROR; - qstate->return_msg = iq->response; -diff --git a/iterator/iterator.h b/iterator/iterator.h -index fad7f03e6..e253f3f7e 100644 ---- a/iterator/iterator.h -+++ b/iterator/iterator.h -@@ -101,6 +101,8 @@ extern int BLACKLIST_PENALTY; - * Chosen so that the UNKNOWN_SERVER_NICENESS falls within the band of a - * fast server, this causes server exploration as a side benefit. msec. */ - #define RTT_BAND 400 -+/** Number of retries for empty nodata packets before it is accepted. */ -+#define EMPTY_NODATA_RETRY_COUNT 2 - - /** - * Global state for the iterator. -@@ -415,6 +417,11 @@ struct iter_qstate { - */ - int refetch_glue; - -+ /** -+ * This flag detects that a completely empty nodata was received, -+ * already so that it is accepted later. */ -+ int empty_nodata_found; -+ - /** list of pending queries to authoritative servers. */ - struct outbound_list outlist; - -diff --git a/testdata/iter_ignore_empty.rpl b/testdata/iter_ignore_empty.rpl -index c70dd7e8d..4b2f695b8 100644 ---- a/testdata/iter_ignore_empty.rpl -+++ b/testdata/iter_ignore_empty.rpl -@@ -78,6 +78,18 @@ example2.com. IN NS ns2.example2.com. - SECTION ADDITIONAL - ns2.example2.com. IN A 1.2.3.5 - ENTRY_END -+ -+ENTRY_BEGIN -+MATCH opcode subdomain -+ADJUST copy_id copy_query -+REPLY QR NOERROR -+SECTION QUESTION -+foo.com. IN NS -+SECTION AUTHORITY -+foo.com. IN NS ns.foo.com. -+SECTION ADDITIONAL -+ns.foo.com. IN A 1.2.3.5 -+ENTRY_END - RANGE_END - - ; ns.example.com. -@@ -172,6 +184,27 @@ www.example.com. IN A - SECTION ANSWER - www.example.com. IN A 10.20.30.40 - ENTRY_END -+ -+; foo.com -+ENTRY_BEGIN -+MATCH opcode qtype qname -+ADJUST copy_id -+REPLY QR AA NOERROR -+SECTION QUESTION -+www.foo.com. IN A -+SECTION ANSWER -+ENTRY_END -+ -+ENTRY_BEGIN -+MATCH opcode qtype qname -+ADJUST copy_id -+REPLY QR AA NOERROR -+SECTION QUESTION -+ns.foo.com. IN AAAA -+SECTION ANSWER -+SECTION AUTHORITY -+;foo.com. IN SOA ns2.foo.com root.foo.com 4 14400 3600 604800 3600 -+ENTRY_END - RANGE_END - - STEP 1 QUERY -@@ -195,4 +228,21 @@ ENTRY_END - ; wait for pending nameserver lookups. - STEP 20 TRAFFIC - -+; Test that a nodata stays a nodata. -+STEP 30 QUERY -+ENTRY_BEGIN -+REPLY RD -+SECTION QUESTION -+www.foo.com. IN A -+ENTRY_END -+ -+STEP 40 CHECK_ANSWER -+ENTRY_BEGIN -+MATCH all -+REPLY QR RD RA NOERROR -+SECTION QUESTION -+www.foo.com. IN A -+SECTION ANSWER -+ENTRY_END -+ - SCENARIO_END diff --git a/unbound.spec b/unbound.spec index a1f2174..c6fcda9 100644 --- a/unbound.spec +++ b/unbound.spec @@ -8,7 +8,7 @@ %global _hardened_build 1 -#%%global extra_version rc1 +#global extra_version rc1 %if 0%{with_python2} %global python_primary %{__python2} @@ -30,8 +30,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.18.0 -Release: 2%{?extra_version:.%{extra_version}}%{?dist} +Version: 1.19.0 +Release: 1%{?extra_version:.%{extra_version}}%{?dist} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -56,8 +56,7 @@ Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_vers Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key Source20: unbound.sysusers -# https://github.com/NLnetLabs/unbound/issues/946 -Patch1: unbound-1.18-outlook.patch +# Patch1: BuildRequires: gcc, make BuildRequires: flex, openssl-devel @@ -492,6 +491,9 @@ popd %{_mandir}/man1/unbound-* %changelog +* Thu Nov 02 2023 Petr Menšík - 1.19.0-1 +- Update to 1.19.0 (#2248686) + * Thu Oct 12 2023 Paul Wouters - 1.18.0-2 - Fix for resolving outlook.com via forwarders From 5281431bea27d29af33b0ea52f9e9ba6b51bd283 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Fri, 10 Nov 2023 13:12:23 +0100 Subject: [PATCH 4/7] Generate configuration file from upstream example.conf To reduce rebase burden, just modify upstream example with our Fedora specific changes. The result should be the same, but without the need to manually add new features into separate config file. --- unbound-fedora-config.patch | 551 ++++++++++++++ unbound.conf | 1363 ----------------------------------- unbound.spec | 11 +- 3 files changed, 557 insertions(+), 1368 deletions(-) create mode 100644 unbound-fedora-config.patch delete mode 100644 unbound.conf diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch new file mode 100644 index 0000000..a249d2c --- /dev/null +++ b/unbound-fedora-config.patch @@ -0,0 +1,551 @@ +From ecfc3a96a0d38cc31fb871d98789467434c7afda Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Fri, 10 Nov 2023 12:58:31 +0100 +Subject: [PATCH] Customize unbound.conf for Fedora defaults + +Set some Fedora/RHEL specific changes to example configuration file. By +patching upstream provided config file we would not need to manually +update external copy in source RPM. +--- + unbound-1.19.0/doc/example.conf.in | 205 ++++++++++++++++++----------- + 1 file changed, 131 insertions(+), 74 deletions(-) + +diff --git a/unbound-1.19.0/doc/example.conf.in b/unbound-1.19.0/doc/example.conf.in +index fe0dde6..b79a322 100644 +--- a/unbound-1.19.0/doc/example.conf.in ++++ b/unbound-1.19.0/doc/example.conf.in +@@ -17,11 +17,12 @@ server: + # whitespace is not necessary, but looks cleaner. + + # verbosity number, 0 is least verbose. 1 is default. +- # verbosity: 1 ++ verbosity: 1 + + # print statistics to the log (for every thread) every N seconds. + # Set to "" or 0 to disable. Default is disabled. +- # statistics-interval: 0 ++ # Needs to be disabled for munin plugin ++ statistics-interval: 0 + + # enable shm for stats, default no. if you enable also enable + # statistics-interval, every time it also writes stats to the +@@ -32,11 +33,13 @@ server: + # shm-key: 11777 + + # enable cumulative statistics, without clearing them after printing. +- # statistics-cumulative: no ++ # Needs to be disabled for munin plugin ++ statistics-cumulative: no + + # enable extended statistics (query types, answer codes, status) +- # printed from unbound-control. Default off, because of speed. +- # extended-statistics: no ++ # printed from unbound-control. default off, because of speed. ++ # Needs to be enabled for munin plugin ++ extended-statistics: yes + + # Inhibits selected extended statistics (qtype, qclass, qopcode, rcode, + # rpz-actions) from printing if their value is 0. +@@ -44,22 +47,35 @@ server: + # statistics-inhibit-zero: yes + + # number of threads to create. 1 disables threading. +- # num-threads: 1 ++ num-threads: 4 + + # specify the interfaces to answer queries from by ip-address. + # The default is to listen to localhost (127.0.0.1 and ::1). + # specify 0.0.0.0 and ::0 to bind to all available interfaces. + # specify every interface[@port] on a new 'interface:' labelled line. + # The listen interfaces are not changed on reload, only on restart. ++ # interface: 0.0.0.0 ++ # interface: ::0 + # interface: 192.0.2.153 + # interface: 192.0.2.154 + # interface: 192.0.2.154@5003 + # interface: 2001:DB8::5 + # interface: eth0@5003 ++ # ++ # for dns over tls and raw dns over port 80 ++ # interface: 0.0.0.0@443 ++ # interface: ::0@443 ++ # interface: 0.0.0.0@80 ++ # interface: ::0@80 + + # enable this feature to copy the source address of queries to reply. + # Socket options are not supported on all platforms. experimental. +- # interface-automatic: no ++ # interface-automatic: yes ++ # ++ # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0 ++ # NOTE: Disabled per Fedora policy not to listen to * on default install ++ # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled ++ interface-automatic: no + + # instead of the default port, open additional ports separated by + # spaces when interface-automatic is enabled, by listing them here. +@@ -94,7 +110,8 @@ server: + + # permit Unbound to use this port number or port range for + # making outgoing queries, using an outgoing interface. +- # outgoing-port-permit: 32768 ++ # Only ephemeral ports are allowed by SElinux ++ outgoing-port-permit: 32768-60999 + + # deny Unbound the use this of port number or port range for + # making outgoing queries, using an outgoing interface. +@@ -103,7 +120,9 @@ server: + # IANA-assigned port numbers. + # If multiple outgoing-port-permit and outgoing-port-avoid options + # are present, they are processed in order. +- # outgoing-port-avoid: "3200-3208" ++ # Our SElinux policy does not allow non-ephemeral ports to be used ++ outgoing-port-avoid: 0-32767 ++ outgoing-port-avoid: 61000-65535 + + # number of outgoing simultaneous tcp buffers to hold per thread. + # outgoing-num-tcp: 10 +@@ -121,12 +140,12 @@ server: + + # use SO_REUSEPORT to distribute queries over threads. + # at extreme load it could be better to turn it off to distribute even. +- # so-reuseport: yes ++ so-reuseport: yes + + # use IP_TRANSPARENT so the interface: addresses can be non-local + # and you can config non-existing IPs that are going to work later on + # (uses IP_BINDANY on FreeBSD). +- # ip-transparent: no ++ ip-transparent: yes + + # use IP_FREEBIND so the interface: addresses can be non-local + # and you can bind to nonexisting IPs and interfaces that are down. +@@ -256,6 +275,8 @@ server: + # nat64-prefix: 64:ff9b::0/96 + + # Enable UDP, "yes" or "no". ++ # NOTE: if setting up an Unbound on tls443 for public use, you might want to ++ # disable UDP to avoid being used in DNS amplification attacks. + # do-udp: yes + + # Enable TCP, "yes" or "no". +@@ -281,7 +302,7 @@ server: + # tcp-idle-timeout: 30000 + + # Enable EDNS TCP keepalive option. +- # edns-tcp-keepalive: no ++ edns-tcp-keepalive: yes + + # Timeout for EDNS TCP keepalive, in msec. + # edns-tcp-keepalive-timeout: 120000 +@@ -290,6 +311,9 @@ server: + # can be dropped. Default is 0, disabled. In seconds, such as 3. + # sock-queue-timeout: 0 + ++ # Fedora note: do not activate this - not compiled in because ++ # it causes frequent unbound crashes. Also, socket activation ++ # is bad when you have things like dnsmasq also running with libvirt. + # Use systemd socket activation for UDP, TCP, and control sockets. + # use-systemd: no + +@@ -402,6 +426,7 @@ server: + # + # If you give "" no chroot is performed. The path must not end in a /. + # chroot: "@UNBOUND_CHROOT_DIR@" ++ chroot: "" + + # if given, user privileges are dropped (after binding port), + # and the given username is assumed. Default is user "unbound". +@@ -413,7 +438,7 @@ server: + # is not changed. + # If you give a server: directory: dir before include: file statements + # then those includes can be relative to the working directory. +- # directory: "@UNBOUND_RUN_DIR@" ++ directory: "/etc/unbound" + + # the log file, "" means log to stderr. + # Use of this option sets use-syslog to "no". +@@ -428,7 +453,7 @@ server: + # log-identity: "" + + # print UTC timestamp in ascii to logfile, default is epoch in seconds. +- # log-time-ascii: no ++ log-time-ascii: yes + + # print one line with time, IP, name, type, class for every query. + # log-queries: no +@@ -497,22 +522,22 @@ server: + # harden-large-queries: no + + # Harden against out of zone rrsets, to avoid spoofing attempts. +- # harden-glue: yes ++ harden-glue: yes + + # Harden against receiving dnssec-stripped data. If you turn it + # off, failing to validate dnskey data for a trustanchor will + # trigger insecure mode for that zone (like without a trustanchor). + # Default on, which insists on dnssec data for trust-anchored zones. +- # harden-dnssec-stripped: yes ++ harden-dnssec-stripped: yes + + # Harden against queries that fall under dnssec-signed nxdomain names. +- # harden-below-nxdomain: yes ++ harden-below-nxdomain: yes + + # Harden the referral path by performing additional queries for + # infrastructure data. Validates the replies (if possible). + # Default off, because the lookups burden the server. Experimental + # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. +- # harden-referral-path: no ++ harden-referral-path: yes + + # Harden against algorithm downgrade when multiple algorithms are + # advertised in the DS record. If no, allows the weakest algorithm +@@ -526,7 +551,7 @@ server: + # Sent minimum amount of information to upstream servers to enhance + # privacy. Only sent minimum required labels of the QNAME and set QTYPE + # to A when possible. +- # qname-minimisation: yes ++ qname-minimisation: yes + + # QNAME minimisation in strict mode. Do not fall-back to sending full + # QNAME to potentially broken nameservers. A lot of domains will not be +@@ -536,7 +561,7 @@ server: + + # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN + # and other denials, using information from previous NXDOMAINs answers. +- # aggressive-nsec: yes ++ aggressive-nsec: yes + + # Use 0x20-encoded random bits in the query to foil spoof attempts. + # This feature is an experimental implementation of draft dns-0x20. +@@ -569,7 +594,7 @@ server: + # threshold, a warning is printed and a defensive action is taken, + # the cache is cleared to flush potential poison out of it. + # A suggested value is 10000000, the default is 0 (turned off). +- # unwanted-reply-threshold: 0 ++ unwanted-reply-threshold: 10000000 + + # Do not query the following addresses. No DNS queries are sent there. + # List one address per entry. List classless netblocks with /size, +@@ -581,20 +606,20 @@ server: + # do-not-query-localhost: yes + + # if yes, perform prefetching of almost expired message cache entries. +- # prefetch: no ++ prefetch: yes + + # if yes, perform key lookups adjacent to normal lookups. +- # prefetch-key: no ++ prefetch-key: yes + + # deny queries of type ANY with an empty response. +- # deny-any: no ++ deny-any: yes + + # if yes, Unbound rotates RRSet order in response. +- # rrset-roundrobin: yes ++ rrset-roundrobin: yes + + # if yes, Unbound doesn't insert authority/additional sections + # into response messages when those sections are not required. +- # minimal-responses: yes ++ minimal-responses: yes + + # true to disable DNSSEC lameness check in iterator. + # disable-dnssec-lame-check: no +@@ -604,7 +629,9 @@ server: + # most modules have to be listed at the beginning of the line, + # except cachedb(just before iterator), and python (at the beginning, + # or, just before the iterator). +- # module-config: "validator iterator" ++ # For redis cachedb use: ++ # "ipsecmod validator cachedb iterator" ++ module-config: "ipsecmod validator iterator" + + # File with trusted keys, kept uptodate using RFC5011 probes, + # initial file like trust-anchor-file, then it stores metadata. +@@ -618,10 +645,10 @@ server: + # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" + + # trust anchor signaling sends a RFC8145 key tag query after priming. +- # trust-anchor-signaling: yes ++ trust-anchor-signaling: yes + + # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel) +- # root-key-sentinel: yes ++ root-key-sentinel: yes + + # File with trusted keys for validation. Specify more than one file + # with several entries, one file per entry. +@@ -642,6 +669,9 @@ server: + # the trusted-keys { name flag proto algo "key"; }; clauses are read. + # you need external update procedures to track changes in keys. + # trusted-keys-file: "" ++ # ++ trusted-keys-file: /etc/unbound/keys.d/*.key ++ auto-trust-anchor-file: "/var/lib/unbound/root.key" + + # Ignore chain of trust. Domain is treated as insecure. + # domain-insecure: "example.com" +@@ -669,14 +699,15 @@ server: + # unsecure data. Useful to shield the users of this validator from + # potential bogus data in the additional section. All unsigned data + # in the additional section is removed from secure messages. +- # val-clean-additional: yes ++ val-clean-additional: yes + + # Turn permissive mode on to permit bogus messages. Thus, messages + # for which security checks failed will be returned to clients, + # instead of SERVFAIL. It still performs the security checks, which + # result in interesting log files and possibly the AD bit in + # replies if the message is found secure. The default is off. +- # val-permissive-mode: no ++ # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY ++ val-permissive-mode: no + + # Ignore the CD flag in incoming queries and refuse them bogus data. + # Enable it if the only clients of Unbound are legacy servers (w2008) +@@ -690,11 +721,11 @@ server: + + # Serve expired responses from cache, with serve-expired-reply-ttl in + # the response, and then attempt to fetch the data afresh. +- # serve-expired: no ++ serve-expired: yes + # + # Limit serving of expired responses to configured seconds after + # expiration. 0 disables the limit. +- # serve-expired-ttl: 0 ++ serve-expired-ttl: 14400 + # + # Set the TTL of expired records to the serve-expired-ttl value after a + # failed attempt to retrieve the record from upstream. This makes sure +@@ -721,7 +752,7 @@ server: + + # Have the validator log failed validations for your diagnosis. + # 0: off. 1: A line per failed user query. 2: With reason and bad IP. +- # val-log-level: 0 ++ val-log-level: 1 + + # It is possible to configure NSEC3 maximum iteration counts per + # keysize. Keep this table very short, as linear search is done. +@@ -865,6 +896,8 @@ server: + # you need to do the reverse notation yourself. + # local-data-ptr: "192.0.2.3 www.example.com" + ++ include: /etc/unbound/local.d/*.conf ++ + # tag a localzone with a list of tag names (in "" with spaces between) + # local-zone-tag: "example.com" "tag2 tag3" + +@@ -875,8 +908,8 @@ server: + # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. + # Give the certificate to use and private key. + # default is "" (disabled). requires restart to take effect. +- # tls-service-key: "path/to/privatekeyfile.key" +- # tls-service-pem: "path/to/publiccertfile.pem" ++ # tls-service-key: "/etc/unbound/unbound_server.key" ++ # tls-service-pem: "/etc/unbound/unbound_server.pem" + # tls-port: 853 + # https-port: 443 + +@@ -884,6 +917,8 @@ server: + # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" + # cipher setting for TLSv1.3 + # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" ++ # Fedora/RHEL: use system-wide crypto policies ++ tls-ciphers: "PROFILE=SYSTEM" + + # Pad responses to padded queries received over TLS + # pad-responses: yes +@@ -1005,12 +1040,12 @@ server: + # fast-server-num: 3 + + # Enable to attach Extended DNS Error codes (RFC8914) to responses. +- # ede: no ++ ede: yes + + # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale + # Answer as EDNS0 option to expired responses. + # Note that the ede option above needs to be enabled for this to work. +- # ede-serve-expired: no ++ ede-serve-expired: yes + + # Specific options for ipsecmod. Unbound needs to be configured with + # --enable-ipsecmod for these to take effect. +@@ -1018,12 +1053,14 @@ server: + # Enable or disable ipsecmod (it still needs to be defined in + # module-config above). Can be used when ipsecmod needs to be + # enabled/disabled via remote-control(below). +- # ipsecmod-enabled: yes +- # ++ # Fedora: module will be enabled on-demand by libreswan ++ ipsecmod-enabled: no ++ + # Path to executable external hook. It must be defined when ipsecmod is + # listed in module-config (above). + # ipsecmod-hook: "./my_executable" +- # ++ ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook ++ + # When enabled Unbound will reply with SERVFAIL if the return value of + # the ipsecmod-hook is not 0. + # ipsecmod-strict: no +@@ -1056,7 +1093,7 @@ server: + # o and give a python-script to run. + python: + # Script file to load +- # python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py" ++ # python-script: "/etc/unbound/ubmodule-tst.py" + + # Dynamic library config section. To enable: + # o use --with-dynlibmodule to configure before compiling. +@@ -1067,13 +1104,18 @@ python: + # the module-config then you need one dynlib-file per instance. + dynlib: + # Script file to load +- # dynlib-file: "@UNBOUND_SHARE_DIR@/dynlib.so" ++ # dynlib-file: "/etc/unbound/dynlib.so" + + # Remote control config section. + remote-control: + # Enable remote control with unbound-control(8) here. + # set up the keys and certificates with unbound-control-setup. +- # control-enable: no ++ # Note: required for unbound-munin package ++ control-enable: yes ++ ++ # Set to no and use an absolute path as control-interface to use ++ # a unix local named pipe for unbound-control. ++ # control-use-cert: yes + + # what interfaces are listened to for remote control. + # give 0.0.0.0 and ::0 to listen to all interfaces. +@@ -1087,19 +1129,22 @@ remote-control: + + # for localhost, you can disable use of TLS by setting this to "no" + # For local sockets this option is ignored, and TLS is not used. +- # control-use-cert: "yes" ++ control-use-cert: "no" + + # Unbound server key file. +- # server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key" ++ server-key-file: "/etc/unbound/unbound_server.key" + + # Unbound server certificate file. +- # server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem" ++ server-cert-file: "/etc/unbound/unbound_server.pem" + + # unbound-control key file. +- # control-key-file: "@UNBOUND_RUN_DIR@/unbound_control.key" ++ control-key-file: "/etc/unbound/unbound_control.key" + + # unbound-control certificate file. +- # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem" ++ control-cert-file: "/etc/unbound/unbound_control.pem" ++ ++# Stub and Forward zones ++include: /etc/unbound/conf.d/*.conf + + # Stub zones. + # Create entries like below, to make all queries for 'example.com' and +@@ -1121,6 +1166,10 @@ remote-control: + # name: "example.org" + # stub-host: ns.example.com. + ++# You can now also dynamically create and delete stub-zone's using ++# unbound-control stub_add domain.com 1.2.3.4 5.6.7.8 ++# unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8 ++ + # Forward zones + # Create entries like below, to make all queries for 'example.com' and + # 'example.org' go to the given list of servers. These servers have to handle +@@ -1138,6 +1187,10 @@ remote-control: + # forward-zone: + # name: "example.org" + # forward-host: fwd.example.com ++# ++# You can now also dynamically create and delete forward-zone's using ++# unbound-control forward_add domain.com 1.2.3.4 5.6.7.8 ++# unbound-control forward_remove domain.com 1.2.3.4 5.6.7.8 + + # Authority zones + # The data for these zones is kept locally, from a file or downloaded. +@@ -1145,30 +1198,31 @@ remote-control: + # upstream (which saves a lookup to the upstream). The first example + # has a copy of the root for local usage. The second serves example.org + # authoritatively. zonefile: reads from file (and writes to it if you also +-# download it), primary: fetches with AXFR and IXFR, or url to zonefile. +-# With allow-notify: you can give additional (apart from primaries and urls) +-# sources of notifies. +-# auth-zone: +-# name: "." +-# primary: 199.9.14.201 # b.root-servers.net +-# primary: 192.33.4.12 # c.root-servers.net +-# primary: 199.7.91.13 # d.root-servers.net +-# primary: 192.5.5.241 # f.root-servers.net +-# primary: 192.112.36.4 # g.root-servers.net +-# primary: 193.0.14.129 # k.root-servers.net +-# primary: 192.0.47.132 # xfr.cjr.dns.icann.org +-# primary: 192.0.32.132 # xfr.lax.dns.icann.org +-# primary: 2001:500:200::b # b.root-servers.net +-# primary: 2001:500:2::c # c.root-servers.net +-# primary: 2001:500:2d::d # d.root-servers.net +-# primary: 2001:500:2f::f # f.root-servers.net +-# primary: 2001:500:12::d0d # g.root-servers.net +-# primary: 2001:7fd::1 # k.root-servers.net +-# primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org +-# primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org +-# fallback-enabled: yes +-# for-downstream: no +-# for-upstream: yes ++# download it), master: fetches with AXFR and IXFR, or url to zonefile. ++# With allow-notify: you can give additional (apart from masters) sources of ++# notifies. ++auth-zone: ++ name: "." ++ primary: 199.9.14.201 # b.root-servers.net ++ primary: 192.33.4.12 # c.root-servers.net ++ primary: 199.7.91.13 # d.root-servers.net ++ primary: 192.5.5.241 # f.root-servers.net ++ primary: 192.112.36.4 # g.root-servers.net ++ primary: 193.0.14.129 # k.root-servers.net ++ primary: 192.0.47.132 # xfr.cjr.dns.icann.org ++ primary: 192.0.32.132 # xfr.lax.dns.icann.org ++ primary: 2001:500:200::b # b.root-servers.net ++ primary: 2001:500:2::c # c.root-servers.net ++ primary: 2001:500:2d::d # d.root-servers.net ++ primary: 2001:500:2f::f # f.root-servers.net ++ primary: 2001:500:12::d0d # g.root-servers.net ++ primary: 2001:7fd::1 # k.root-servers.net ++ primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org ++ primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org ++ fallback-enabled: yes ++ for-downstream: no ++ for-upstream: yes ++ + # auth-zone: + # name: "example.org" + # for-downstream: yes +@@ -1194,6 +1248,9 @@ remote-control: + # name: "anotherview" + # local-zone: "example.com" refuse + ++# Fedora: DNSCrypt support not enabled since it requires linking to ++# another crypto library ++# + # DNSCrypt + # To enable, use --enable-dnscrypt to configure before compiling. + # Caveats: +@@ -1266,7 +1323,7 @@ remote-control: + # dnstap-enable: no + # # if set to yes frame streams will be used in bidirectional mode + # dnstap-bidirectional: yes +-# dnstap-socket-path: "@DNSTAP_SOCKET_PATH@" ++# dnstap-socket-path: "/etc/unbound/dnstap.sock" + # # if "" use the unix socket in dnstap-socket-path, otherwise, + # # set it to "IPaddress[@port]" of the destination. + # dnstap-ip: "" +-- +2.41.0 + diff --git a/unbound.conf b/unbound.conf deleted file mode 100644 index b038b4a..0000000 --- a/unbound.conf +++ /dev/null @@ -1,1363 +0,0 @@ -# -# Example configuration file. -# -# See unbound.conf(5) man page -# -# this is a comment. - -# Use this anywhere in the file to include other text into this file. -#include: "otherfile.conf" - -# Use this anywhere in the file to include other text, that explicitly starts a -# clause, into this file. Text after this directive needs to start a clause. -#include-toplevel: "otherfile.conf" - -# The server clause sets the main parameters. -server: - # whitespace is not necessary, but looks cleaner. - - # verbosity number, 0 is least verbose. 1 is default. - verbosity: 1 - - # print statistics to the log (for every thread) every N seconds. - # Set to "" or 0 to disable. Default is disabled. - # Needs to be disabled for munin plugin - statistics-interval: 0 - - # enable shm for stats, default no. if you enable also enable - # statistics-interval, every time it also writes stats to the - # shared memory segment keyed with shm-key. - # shm-enable: no - - # shm for stats uses this key, and key+1 for the shared mem segment. - # shm-key: 11777 - - # enable cumulative statistics, without clearing them after printing. - # Needs to be disabled for munin plugin - statistics-cumulative: no - - # enable extended statistics (query types, answer codes, status) - # printed from unbound-control. default off, because of speed. - # Needs to be enabled for munin plugin - extended-statistics: yes - - # Inhibits selected extended statistics (qtype, qclass, qopcode, rcode, - # rpz-actions) from printing if their value is 0. - # Default on. - # statistics-inhibit-zero: yes - - # number of threads to create. 1 disables threading. - num-threads: 4 - - # specify the interfaces to answer queries from by ip-address. - # The default is to listen to localhost (127.0.0.1 and ::1). - # specify 0.0.0.0 and ::0 to bind to all available interfaces. - # specify every interface[@port] on a new 'interface:' labelled line. - # The listen interfaces are not changed on reload, only on restart. - # interface: 0.0.0.0 - # interface: ::0 - # interface: 192.0.2.153 - # interface: 192.0.2.154 - # interface: 192.0.2.154@5003 - # interface: 2001:DB8::5 - # - # for dns over tls and raw dns over port 80 - # interface: 0.0.0.0@443 - # interface: ::0@443 - # interface: 0.0.0.0@80 - # interface: ::0@80 - - # enable this feature to copy the source address of queries to reply. - # Socket options are not supported on all platforms. experimental. - # interface-automatic: yes - # - # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0 - # NOTE: Disabled per Fedora policy not to listen to * on default install - # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled - interface-automatic: no - - # instead of the default port, open additional ports separated by - # spaces when interface-automatic is enabled, by listing them here. - # interface-automatic-ports: "" - - # port to answer queries from - # port: 53 - - # specify the interfaces to send outgoing queries to authoritative - # server from by ip-address. If none, the default (all) interface - # is used. Specify every interface on a 'outgoing-interface:' line. - # outgoing-interface: 192.0.2.153 - # outgoing-interface: 2001:DB8::5 - # outgoing-interface: 2001:DB8::6 - - # Specify a netblock to use remainder 64 bits as random bits for - # upstream queries. Uses freebind option (Linux). - # outgoing-interface: 2001:DB8::/64 - # Also (Linux:) ip -6 addr add 2001:db8::/64 dev lo - # And: ip -6 route add local 2001:db8::/64 dev lo - # And set prefer-ip6: yes to use the ip6 randomness from a netblock. - # Set this to yes to prefer ipv6 upstream servers over ipv4. - # prefer-ip6: no - - # Prefer ipv4 upstream servers, even if ipv6 is available. - # prefer-ip4: no - - # number of ports to allocate per thread, determines the size of the - # port range that can be open simultaneously. About double the - # num-queries-per-thread, or, use as many as the OS will allow you. - # outgoing-range: 4096 - - # permit Unbound to use this port number or port range for - # making outgoing queries, using an outgoing interface. - # Only ephemeral ports are allowed by SElinux - outgoing-port-permit: 32768-60999 - - # deny Unbound the use this of port number or port range for - # making outgoing queries, using an outgoing interface. - # Use this to make sure Unbound does not grab a UDP port that some - # other server on this computer needs. The default is to avoid - # IANA-assigned port numbers. - # If multiple outgoing-port-permit and outgoing-port-avoid options - # are present, they are processed in order. - # Our SElinux policy does not allow non-ephemeral ports to be used - outgoing-port-avoid: 0-32767 - outgoing-port-avoid: 61000-65535 - - # number of outgoing simultaneous tcp buffers to hold per thread. - # outgoing-num-tcp: 10 - - # number of incoming simultaneous tcp buffers to hold per thread. - # incoming-num-tcp: 10 - - # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). - # 0 is system default. Use 4m to catch query spikes for busy servers. - # so-rcvbuf: 0 - - # buffer size for UDP port 53 outgoing (SO_SNDBUF socket option). - # 0 is system default. Use 4m to handle spikes on very busy servers. - # so-sndbuf: 0 - - # use SO_REUSEPORT to distribute queries over threads. - # at extreme load it could be better to turn it off to distribute even. - so-reuseport: yes - - # use IP_TRANSPARENT so the interface: addresses can be non-local - # and you can config non-existing IPs that are going to work later on - # (uses IP_BINDANY on FreeBSD). - ip-transparent: yes - - # use IP_FREEBIND so the interface: addresses can be non-local - # and you can bind to nonexisting IPs and interfaces that are down. - # Linux only. On Linux you also have ip-transparent that is similar. - # ip-freebind: no - - # the value of the Differentiated Services Codepoint (DSCP) - # in the differentiated services field (DS) of the outgoing - # IP packets - # ip-dscp: 0 - - # EDNS reassembly buffer to advertise to UDP peers (the actual buffer - # is set with msg-buffer-size). - # edns-buffer-size: 1232 - - # Maximum UDP response size (not applied to TCP response). - # Suggested values are 512 to 4096. Default is 1232. 65536 disables it. - # max-udp-size: 1232 - - # max memory to use for stream(tcp and tls) waiting result buffers. - # stream-wait-size: 4m - - # buffer size for handling DNS data. No messages larger than this - # size can be sent or received, by UDP or TCP. In bytes. - # msg-buffer-size: 65552 - - # the amount of memory to use for the message cache. - # plain value in bytes or you can append k, m or G. default is "4Mb". - # msg-cache-size: 4m - - # the number of slabs to use for the message cache. - # the number of slabs must be a power of 2. - # more slabs reduce lock contention, but fragment memory usage. - # msg-cache-slabs: 4 - - # the number of queries that a thread gets to service. - # num-queries-per-thread: 1024 - - # if very busy, 50% queries run to completion, 50% get timeout in msec - # jostle-timeout: 200 - - # msec to wait before close of port on timeout UDP. 0 disables. - # delay-close: 0 - - # perform connect for UDP sockets to mitigate ICMP side channel. - # udp-connect: yes - - # The number of retries, per upstream nameserver in a delegation, when - # a throwaway response (also timeouts) is received. - # outbound-msg-retry: 5 - - # Hard limit on the number of outgoing queries Unbound will make while - # resolving a name, making sure large NS sets do not loop. - # It resets on query restarts (e.g., CNAME) and referrals. - # max-sent-count: 32 - - # Hard limit on the number of times Unbound is allowed to restart a - # query upon encountering a CNAME record. - # max-query-restarts: 11 - - # msec for waiting for an unknown server to reply. Increase if you - # are behind a slow satellite link, to eg. 1128. - # unknown-server-time-limit: 376 - - # the amount of memory to use for the RRset cache. - # plain value in bytes or you can append k, m or G. default is "4Mb". - # rrset-cache-size: 4m - - # the number of slabs to use for the RRset cache. - # the number of slabs must be a power of 2. - # more slabs reduce lock contention, but fragment memory usage. - # rrset-cache-slabs: 4 - - # the time to live (TTL) value lower bound, in seconds. Default 0. - # If more than an hour could easily give trouble due to stale data. - # cache-min-ttl: 0 - - # the time to live (TTL) value cap for RRsets and messages in the - # cache. Items are not cached for longer. In seconds. - # cache-max-ttl: 86400 - - # the time to live (TTL) value cap for negative responses in the cache - # cache-max-negative-ttl: 3600 - - # the time to live (TTL) value for cached roundtrip times, lameness and - # EDNS version information for hosts. In seconds. - # infra-host-ttl: 900 - - # minimum wait time for responses, increase if uplink is long. In msec. - # infra-cache-min-rtt: 50 - - # maximum wait time for responses. In msec. - # infra-cache-max-rtt: 120000 - - # enable to make server probe down hosts more frequently. - # infra-keep-probing: no - - # the number of slabs to use for the Infrastructure cache. - # the number of slabs must be a power of 2. - # more slabs reduce lock contention, but fragment memory usage. - # infra-cache-slabs: 4 - - # the maximum number of hosts that are cached (roundtrip, EDNS, lame). - # infra-cache-numhosts: 10000 - - # define a number of tags here, use with local-zone, access-control, - # interface-*. - # repeat the define-tag statement to add additional tags. - # define-tag: "tag1 tag2 tag3" - - # Enable IPv4, "yes" or "no". - # do-ip4: yes - - # Enable IPv6, "yes" or "no". - # do-ip6: yes - - # If running unbound on an IPv6-only host, domains that only have - # IPv4 servers would become unresolveable. If NAT64 is available in - # the network, unbound can use NAT64 to reach these servers with - # the following option. This is NOT needed for enabling DNS64 on a - # system that has IPv4 connectivity. - # Consider also enabling prefer-ip6 to prefer native IPv6 connections - # to nameservers. - # do-nat64: no - - # NAT64 prefix. Defaults to using dns64-prefix value. - # nat64-prefix: 64:ff9b::0/96 - - # Enable UDP, "yes" or "no". - # NOTE: if setting up an Unbound on tls443 for public use, you might want to - # disable UDP to avoid being used in DNS amplification attacks. - # do-udp: yes - - # Enable TCP, "yes" or "no". - # do-tcp: yes - - # upstream connections use TCP only (and no UDP), "yes" or "no" - # useful for tunneling scenarios, default no. - # tcp-upstream: no - - # upstream connections also use UDP (even if do-udp is no). - # useful if if you want UDP upstream, but don't provide UDP downstream. - # udp-upstream-without-downstream: no - - # Maximum segment size (MSS) of TCP socket on which the server - # responds to queries. Default is 0, system default MSS. - # tcp-mss: 0 - - # Maximum segment size (MSS) of TCP socket for outgoing queries. - # Default is 0, system default MSS. - # outgoing-tcp-mss: 0 - - # Idle TCP timeout, connection closed in milliseconds - # tcp-idle-timeout: 30000 - - # Enable EDNS TCP keepalive option. - edns-tcp-keepalive: yes - - # Timeout for EDNS TCP keepalive, in msec. - # edns-tcp-keepalive-timeout: 120000 - - # UDP queries that have waited in the socket buffer for a long time - # can be dropped. Default is 0, disabled. In seconds, such as 3. - # sock-queue-timeout: 0 - - # Fedora note: do not activate this - not compiled in because - # it causes frequent unbound crashes. Also, socket activation - # is bad when you have things like dnsmasq also running with libvirt. - # Use systemd socket activation for UDP, TCP, and control sockets. - # use-systemd: no - - # Detach from the terminal, run in background, "yes" or "no". - # Set the value to "no" when Unbound runs as systemd service. - # do-daemonize: yes - - # control which clients are allowed to make (recursive) queries - # to this server. Specify classless netblocks with /size and action. - # By default everything is refused, except for localhost. - # Choose deny (drop message), refuse (polite error reply), - # allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on), - # allow_snoop (recursive and nonrecursive ok) - # deny_non_local (drop queries unless can be answered from local-data) - # refuse_non_local (like deny_non_local but polite error reply). - # access-control: 127.0.0.0/8 allow - # access-control: ::1 allow - # access-control: ::ffff:127.0.0.1 allow - - # tag access-control with list of tags (in "" with spaces between) - # Clients using this access control element use localzones that - # are tagged with one of these tags. - # access-control-tag: 192.0.2.0/24 "tag2 tag3" - - # set action for particular tag for given access control element. - # if you have multiple tag values, the tag used to lookup the action - # is the first tag match between access-control-tag and local-zone-tag - # where "first" comes from the order of the define-tag values. - # access-control-tag-action: 192.0.2.0/24 tag3 refuse - - # set redirect data for particular tag for access control element - # access-control-tag-data: 192.0.2.0/24 tag2 "A 127.0.0.1" - - # Set view for access control element - # access-control-view: 192.0.2.0/24 viewname - - # Similar to 'access-control:' but for interfaces. - # Control which listening interfaces are allowed to accept (recursive) - # queries for this server. - # The specified interfaces should be the same as the ones specified in - # 'interface:' followed by the action. - # The actions are the same as 'access-control:' above. - # By default all the interfaces configured are refused. - # Note: any 'access-control*:' setting overrides all 'interface-*:' - # settings for targeted clients. - # interface-action: 192.0.2.153 allow - # interface-action: 192.0.2.154 allow - # interface-action: 192.0.2.154@5003 allow - # interface-action: 2001:DB8::5 allow - # interface-action: eth0@5003 allow - - # Similar to 'access-control-tag:' but for interfaces. - # Tag interfaces with a list of tags (in "" with spaces between). - # Interfaces using these tags use localzones that are tagged with one - # of these tags. - # The specified interfaces should be the same as the ones specified in - # 'interface:' followed by the list of tags. - # Note: any 'access-control*:' setting overrides all 'interface-*:' - # settings for targeted clients. - # interface-tag: eth0@5003 "tag2 tag3" - - # Similar to 'access-control-tag-action:' but for interfaces. - # Set action for particular tag for a given interface element. - # If you have multiple tag values, the tag used to lookup the action - # is the first tag match between interface-tag and local-zone-tag - # where "first" comes from the order of the define-tag values. - # The specified interfaces should be the same as the ones specified in - # 'interface:' followed by the tag and action. - # Note: any 'access-control*:' setting overrides all 'interface-*:' - # settings for targeted clients. - # interface-tag-action: eth0@5003 tag3 refuse - - # Similar to 'access-control-tag-data:' but for interfaces. - # Set redirect data for a particular tag for an interface element. - # The specified interfaces should be the same as the ones specified in - # 'interface:' followed by the tag and the redirect data. - # Note: any 'access-control*:' setting overrides all 'interface-*:' - # settings for targeted clients. - # interface-tag-data: eth0@5003 tag2 "A 127.0.0.1" - - # Similar to 'access-control-view:' but for interfaces. - # Set view for an interface element. - # The specified interfaces should be the same as the ones specified in - # 'interface:' followed by the view name. - # Note: any 'access-control*:' setting overrides all 'interface-*:' - # settings for targeted clients. - # interface-view: eth0@5003 viewname - - # if given, a chroot(2) is done to the given directory. - # i.e. you can chroot to the working directory, for example, - # for extra security, but make sure all files are in that directory. - # - # If chroot is enabled, you should pass the configfile (from the - # commandline) as a full path from the original root. After the - # chroot has been performed the now defunct portion of the config - # file path is removed to be able to reread the config after a reload. - # - # All other file paths (working dir, logfile, roothints, and - # key files) can be specified in several ways: - # o as an absolute path relative to the new root. - # o as a relative path to the working directory. - # o as an absolute path relative to the original root. - # In the last case the path is adjusted to remove the unused portion. - # - # The pid file can be absolute and outside of the chroot, it is - # written just prior to performing the chroot and dropping permissions. - # - # Additionally, Unbound may need to access /dev/urandom (for entropy). - # How to do this is specific to your OS. - # - # If you give "" no chroot is performed. The path must not end in a /. - # chroot: "/var/lib/unbound" - chroot: "" - - # if given, user privileges are dropped (after binding port), - # and the given username is assumed. Default is user "unbound". - # If you give "" no privileges are dropped. - username: "unbound" - - # the working directory. The relative files in this config are - # relative to this directory. If you give "" the working directory - # is not changed. - # If you give a server: directory: dir before include: file statements - # then those includes can be relative to the working directory. - directory: "/etc/unbound" - - # the log file, "" means log to stderr. - # Use of this option sets use-syslog to "no". - # logfile: "" - - # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to - # log to. If yes, it overrides the logfile. - # use-syslog: yes - - # Log identity to report. if empty, defaults to the name of argv[0] - # (usually "unbound"). - # log-identity: "" - - # print UTC timestamp in ascii to logfile, default is epoch in seconds. - log-time-ascii: yes - - # print one line with time, IP, name, type, class for every query. - # log-queries: no - - # print one line per reply, with time, IP, name, type, class, rcode, - # timetoresolve, fromcache and responsesize. - # log-replies: no - - # log with tag 'query' and 'reply' instead of 'info' for - # filtering log-queries and log-replies from the log. - # log-tag-queryreply: no - - # log the local-zone actions, like local-zone type inform is enabled - # also for the other local zone types. - # log-local-actions: no - - # print log lines that say why queries return SERVFAIL to clients. - # log-servfail: no - - # the pid file. Can be an absolute path outside of chroot/work dir. - pidfile: "/var/run/unbound/unbound.pid" - - # file to read root hints from. - # get one from https://www.internic.net/domain/named.cache - # root-hints: "" - - # enable to not answer id.server and hostname.bind queries. - # hide-identity: no - - # enable to not answer version.server and version.bind queries. - # hide-version: no - - # enable to not answer trustanchor.unbound queries. - # hide-trustanchor: no - - # enable to not set the User-Agent HTTP header. - # hide-http-user-agent: no - - # the identity to report. Leave "" or default to return hostname. - # identity: "" - - # the version to report. Leave "" or default to return package version. - # version: "" - - # NSID identity (hex string, or "ascii_somestring"). default disabled. - # nsid: "aabbccdd" - - # User-Agent HTTP header to use. Leave "" or default to use package name - # and version. - # http-user-agent: "" - - # the target fetch policy. - # series of integers describing the policy per dependency depth. - # The number of values in the list determines the maximum dependency - # depth the recursor will pursue before giving up. Each integer means: - # -1 : fetch all targets opportunistically, - # 0: fetch on demand, - # positive value: fetch that many targets opportunistically. - # Enclose the list of numbers between quotes (""). - # target-fetch-policy: "3 2 1 0 0" - - # Harden against very small EDNS buffer sizes. - # harden-short-bufsize: yes - - # Harden against unseemly large queries. - # harden-large-queries: no - - # Harden against out of zone rrsets, to avoid spoofing attempts. - harden-glue: yes - - # Harden against receiving dnssec-stripped data. If you turn it - # off, failing to validate dnskey data for a trustanchor will - # trigger insecure mode for that zone (like without a trustanchor). - # Default on, which insists on dnssec data for trust-anchored zones. - harden-dnssec-stripped: yes - - # Harden against queries that fall under dnssec-signed nxdomain names. - harden-below-nxdomain: yes - - # Harden the referral path by performing additional queries for - # infrastructure data. Validates the replies (if possible). - # Default off, because the lookups burden the server. Experimental - # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. - harden-referral-path: yes - - # Harden against algorithm downgrade when multiple algorithms are - # advertised in the DS record. If no, allows the weakest algorithm - # to validate the zone. - # harden-algo-downgrade: no - - # Harden against unknown records in the authority section and the - # additional section. - # harden-unknown-additional: no - - # Sent minimum amount of information to upstream servers to enhance - # privacy. Only sent minimum required labels of the QNAME and set QTYPE - # to A when possible. - qname-minimisation: yes - - # QNAME minimisation in strict mode. Do not fall-back to sending full - # QNAME to potentially broken nameservers. A lot of domains will not be - # resolvable when this option in enabled. - # This option only has effect when qname-minimisation is enabled. - # qname-minimisation-strict: no - - # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN - # and other denials, using information from previous NXDOMAINs answers. - aggressive-nsec: yes - - # Use 0x20-encoded random bits in the query to foil spoof attempts. - # This feature is an experimental implementation of draft dns-0x20. - # use-caps-for-id: no - - # Domains (and domains in them) without support for dns-0x20 and - # the fallback fails because they keep sending different answers. - # caps-exempt: "licdn.com" - # caps-exempt: "senderbase.org" - - # Enforce privacy of these addresses. Strips them away from answers. - # It may cause DNSSEC validation to additionally mark it as bogus. - # Protects against 'DNS Rebinding' (uses browser as network proxy). - # Only 'private-domain' and 'local-data' names are allowed to have - # these private addresses. No default. - # private-address: 10.0.0.0/8 - # private-address: 172.16.0.0/12 - # private-address: 192.168.0.0/16 - # private-address: 169.254.0.0/16 - # private-address: fd00::/8 - # private-address: fe80::/10 - # private-address: ::ffff:0:0/96 - - # Allow the domain (and its subdomains) to contain private addresses. - # local-data statements are allowed to contain private addresses too. - # private-domain: "example.com" - - # If nonzero, unwanted replies are not only reported in statistics, - # but also a running total is kept per thread. If it reaches the - # threshold, a warning is printed and a defensive action is taken, - # the cache is cleared to flush potential poison out of it. - # A suggested value is 10000000, the default is 0 (turned off). - unwanted-reply-threshold: 10000000 - - # Do not query the following addresses. No DNS queries are sent there. - # List one address per entry. List classless netblocks with /size, - # do-not-query-address: 127.0.0.1/8 - # do-not-query-address: ::1 - - # if yes, the above default do-not-query-address entries are present. - # if no, localhost can be queried (for testing and debugging). - # do-not-query-localhost: yes - - # if yes, perform prefetching of almost expired message cache entries. - prefetch: yes - - # if yes, perform key lookups adjacent to normal lookups. - prefetch-key: yes - - # deny queries of type ANY with an empty response. - deny-any: yes - - # if yes, Unbound rotates RRSet order in response. - rrset-roundrobin: yes - - # if yes, Unbound doesn't insert authority/additional sections - # into response messages when those sections are not required. - minimal-responses: yes - - # true to disable DNSSEC lameness check in iterator. - # disable-dnssec-lame-check: no - - # module configuration of the server. A string with identifiers - # separated by spaces. Syntax: "[dns64] [validator] iterator" - # most modules have to be listed at the beginning of the line, - # except cachedb(just before iterator), and python (at the beginning, - # or, just before the iterator). - # For redis cachedb use: - # "ipsecmod validator cachedb iterator" - module-config: "ipsecmod validator iterator" - - # File with trusted keys, kept uptodate using RFC5011 probes, - # initial file like trust-anchor-file, then it stores metadata. - # Use several entries, one per domain name, to track multiple zones. - # - # If you want to perform DNSSEC validation, run unbound-anchor before - # you start Unbound (i.e. in the system boot scripts). - # And then enable the auto-trust-anchor-file config item. - # Please note usage of unbound-anchor root anchor is at your own risk - # and under the terms of our LICENSE (see that file in the source). - # auto-trust-anchor-file: "/var/lib/unbound/root.key" - - # trust anchor signaling sends a RFC8145 key tag query after priming. - trust-anchor-signaling: yes - - # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel) - root-key-sentinel: yes - - # File with trusted keys for validation. Specify more than one file - # with several entries, one file per entry. - # Zone file format, with DS and DNSKEY entries. - # Note this gets out of date, use auto-trust-anchor-file please. - # trust-anchor-file: "" - - # Trusted key for validation. DS or DNSKEY. specify the RR on a - # single line, surrounded by "". TTL is ignored. class is IN default. - # Note this gets out of date, use auto-trust-anchor-file please. - # (These examples are from August 2007 and may not be valid anymore). - # trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ==" - # trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A" - - # File with trusted keys for validation. Specify more than one file - # with several entries, one file per entry. Like trust-anchor-file - # but has a different file format. Format is BIND-9 style format, - # the trusted-keys { name flag proto algo "key"; }; clauses are read. - # you need external update procedures to track changes in keys. - # trusted-keys-file: "" - # - trusted-keys-file: /etc/unbound/keys.d/*.key - auto-trust-anchor-file: "/var/lib/unbound/root.key" - - # Ignore chain of trust. Domain is treated as insecure. - # domain-insecure: "example.com" - - # Override the date for validation with a specific fixed date. - # Do not set this unless you are debugging signature inception - # and expiration. "" or "0" turns the feature off. -1 ignores date. - # val-override-date: "" - - # The time to live for bogus data, rrsets and messages. This avoids - # some of the revalidation, until the time interval expires. in secs. - # val-bogus-ttl: 60 - - # The signature inception and expiration dates are allowed to be off - # by 10% of the signature lifetime (expir-incep) from our local clock. - # This leeway is capped with a minimum and a maximum. In seconds. - # val-sig-skew-min: 3600 - # val-sig-skew-max: 86400 - - # The maximum number the validator should restart validation with - # another authority in case of failed validation. - # val-max-restart: 5 - - # Should additional section of secure message also be kept clean of - # unsecure data. Useful to shield the users of this validator from - # potential bogus data in the additional section. All unsigned data - # in the additional section is removed from secure messages. - val-clean-additional: yes - - # Turn permissive mode on to permit bogus messages. Thus, messages - # for which security checks failed will be returned to clients, - # instead of SERVFAIL. It still performs the security checks, which - # result in interesting log files and possibly the AD bit in - # replies if the message is found secure. The default is off. - # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY - val-permissive-mode: no - - # Ignore the CD flag in incoming queries and refuse them bogus data. - # Enable it if the only clients of Unbound are legacy servers (w2008) - # that set CD but cannot validate themselves. - # ignore-cd-flag: no - - # Serve expired responses from cache, with serve-expired-reply-ttl in - # the response, and then attempt to fetch the data afresh. - serve-expired: yes - # - # Limit serving of expired responses to configured seconds after - # expiration. 0 disables the limit. - serve-expired-ttl: 14400 - # - # Set the TTL of expired records to the serve-expired-ttl value after a - # failed attempt to retrieve the record from upstream. This makes sure - # that the expired records will be served as long as there are queries - # for it. - # serve-expired-ttl-reset: no - # - # TTL value to use when replying with expired data. - # serve-expired-reply-ttl: 30 - # - # Time in milliseconds before replying to the client with expired data. - # This essentially enables the serve-stale behavior as specified in - # RFC 8767 that first tries to resolve before - # immediately responding with expired data. 0 disables this behavior. - # A recommended value is 1800. - # serve-expired-client-timeout: 0 - - # Return the original TTL as received from the upstream name server rather - # than the decrementing TTL as stored in the cache. Enabling this feature - # does not impact cache expiry, it only changes the TTL Unbound embeds in - # responses to queries. Note that enabling this feature implicitly disables - # enforcement of the configured minimum and maximum TTL. - # serve-original-ttl: no - - # Have the validator log failed validations for your diagnosis. - # 0: off. 1: A line per failed user query. 2: With reason and bad IP. - val-log-level: 1 - - # It is possible to configure NSEC3 maximum iteration counts per - # keysize. Keep this table very short, as linear search is done. - # A message with an NSEC3 with larger count is marked insecure. - # List in ascending order the keysize and count values. - # val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150" - - # if enabled, ZONEMD verification failures do not block the zone. - # zonemd-permissive-mode: no - - # instruct the auto-trust-anchor-file probing to add anchors after ttl. - # add-holddown: 2592000 # 30 days - - # instruct the auto-trust-anchor-file probing to del anchors after ttl. - # del-holddown: 2592000 # 30 days - - # auto-trust-anchor-file probing removes missing anchors after ttl. - # If the value 0 is given, missing anchors are not removed. - # keep-missing: 31622400 # 366 days - - # debug option that allows very small holddown times for key rollover, - # otherwise the RFC mandates probe intervals must be at least 1 hour. - # permit-small-holddown: no - - # the amount of memory to use for the key cache. - # plain value in bytes or you can append k, m or G. default is "4Mb". - # key-cache-size: 4m - - # the number of slabs to use for the key cache. - # the number of slabs must be a power of 2. - # more slabs reduce lock contention, but fragment memory usage. - # key-cache-slabs: 4 - - # the amount of memory to use for the negative cache. - # plain value in bytes or you can append k, m or G. default is "1Mb". - # neg-cache-size: 1m - - # By default, for a number of zones a small default 'nothing here' - # reply is built-in. Query traffic is thus blocked. If you - # wish to serve such zone you can unblock them by uncommenting one - # of the nodefault statements below. - # You may also have to use domain-insecure: zone to make DNSSEC work, - # unless you have your own trust anchors for this zone. - # local-zone: "localhost." nodefault - # local-zone: "127.in-addr.arpa." nodefault - # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault - # local-zone: "home.arpa." nodefault - # local-zone: "onion." nodefault - # local-zone: "test." nodefault - # local-zone: "invalid." nodefault - # local-zone: "10.in-addr.arpa." nodefault - # local-zone: "16.172.in-addr.arpa." nodefault - # local-zone: "17.172.in-addr.arpa." nodefault - # local-zone: "18.172.in-addr.arpa." nodefault - # local-zone: "19.172.in-addr.arpa." nodefault - # local-zone: "20.172.in-addr.arpa." nodefault - # local-zone: "21.172.in-addr.arpa." nodefault - # local-zone: "22.172.in-addr.arpa." nodefault - # local-zone: "23.172.in-addr.arpa." nodefault - # local-zone: "24.172.in-addr.arpa." nodefault - # local-zone: "25.172.in-addr.arpa." nodefault - # local-zone: "26.172.in-addr.arpa." nodefault - # local-zone: "27.172.in-addr.arpa." nodefault - # local-zone: "28.172.in-addr.arpa." nodefault - # local-zone: "29.172.in-addr.arpa." nodefault - # local-zone: "30.172.in-addr.arpa." nodefault - # local-zone: "31.172.in-addr.arpa." nodefault - # local-zone: "168.192.in-addr.arpa." nodefault - # local-zone: "0.in-addr.arpa." nodefault - # local-zone: "254.169.in-addr.arpa." nodefault - # local-zone: "2.0.192.in-addr.arpa." nodefault - # local-zone: "100.51.198.in-addr.arpa." nodefault - # local-zone: "113.0.203.in-addr.arpa." nodefault - # local-zone: "255.255.255.255.in-addr.arpa." nodefault - # local-zone: "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault - # local-zone: "d.f.ip6.arpa." nodefault - # local-zone: "8.e.f.ip6.arpa." nodefault - # local-zone: "9.e.f.ip6.arpa." nodefault - # local-zone: "a.e.f.ip6.arpa." nodefault - # local-zone: "b.e.f.ip6.arpa." nodefault - # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault - # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa. - - # Add example.com into ipset - # local-zone: "example.com" ipset - - # If Unbound is running service for the local host then it is useful - # to perform lan-wide lookups to the upstream, and unblock the - # long list of local-zones above. If this Unbound is a dns server - # for a network of computers, disabled is better and stops information - # leakage of local lan information. - # unblock-lan-zones: no - - # The insecure-lan-zones option disables validation for - # these zones, as if they were all listed as domain-insecure. - # insecure-lan-zones: no - - # a number of locally served zones can be configured. - # local-zone: - # local-data: "" - # o deny serves local data (if any), else, drops queries. - # o refuse serves local data (if any), else, replies with error. - # o static serves local data, else, nxdomain or nodata answer. - # o transparent gives local data, but resolves normally for other names - # o redirect serves the zone data for any subdomain in the zone. - # o nodefault can be used to normally resolve AS112 zones. - # o typetransparent resolves normally for other types and other names - # o inform acts like transparent, but logs client IP address - # o inform_deny drops queries and logs client IP address - # o inform_redirect redirects queries and logs client IP address - # o always_transparent, always_refuse, always_nxdomain, always_nodata, - # always_deny resolve in that way but ignore local data for - # that name - # o block_a resolves all records normally but returns - # NODATA for A queries and ignores local data for that name - # o always_null returns 0.0.0.0 or ::0 for any name in the zone. - # o noview breaks out of that view towards global local-zones. - # - # defaults are localhost address, reverse for 127.0.0.1 and ::1 - # and nxdomain for AS112 zones. If you configure one of these zones - # the default content is omitted, or you can omit it with 'nodefault'. - # - # If you configure local-data without specifying local-zone, by - # default a transparent local-zone is created for the data. - # - # You can add locally served data with - # local-zone: "local." static - # local-data: "mycomputer.local. IN A 192.0.2.51" - # local-data: 'mytext.local TXT "content of text record"' - # - # You can override certain queries with - # local-data: "adserver.example.com A 127.0.0.1" - # - # You can redirect a domain to a fixed address with - # (this makes example.com, www.example.com, etc, all go to 192.0.2.3) - # local-zone: "example.com" redirect - # local-data: "example.com A 192.0.2.3" - # - # Shorthand to make PTR records, "IPv4 name" or "IPv6 name". - # You can also add PTR records using local-data directly, but then - # you need to do the reverse notation yourself. - # local-data-ptr: "192.0.2.3 www.example.com" - - include: /etc/unbound/local.d/*.conf - - # tag a localzone with a list of tag names (in "" with spaces between) - # local-zone-tag: "example.com" "tag2 tag3" - - # add a netblock specific override to a localzone, with zone type - # local-zone-override: "example.com" 192.0.2.0/24 refuse - - # service clients over TLS (on the TCP sockets) with plain DNS inside - # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. - # Give the certificate to use and private key. - # default is "" (disabled). requires restart to take effect. - # tls-service-key: "/etc/unbound/unbound_server.key" - # tls-service-pem: "/etc/unbound/unbound_server.pem" - # tls-port: 853 - # https-port: 443 - - # cipher setting for TLSv1.2 - # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" - # cipher setting for TLSv1.3 - # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" - # Fedora/RHEL: use system-wide crypto policies - tls-ciphers: "PROFILE=SYSTEM" - # TODO: ask system-wide crypto people what to use here - #tls-ciphersuites: "PROFILE=SYSTEM" # does not work - - # Pad responses to padded queries received over TLS - # pad-responses: yes - - # Padded responses will be padded to the closest multiple of this size. - # pad-responses-block-size: 468 - - # Use the SNI extension for TLS connections. Default is yes. - # Changing the value requires a reload. - # tls-use-sni: yes - - # Add the secret file for TLS Session Ticket. - # Secret file must be 80 bytes of random data. - # First key use to encrypt and decrypt TLS session tickets. - # Other keys use to decrypt only. - # requires restart to take effect. - # tls-session-ticket-keys: "path/to/secret_file1" - # tls-session-ticket-keys: "path/to/secret_file2" - - # request upstream over TLS (with plain DNS inside the TLS stream). - # Default is no. Can be turned on and off with unbound-control. - # tls-upstream: no - - # Certificates used to authenticate connections made upstream. - # tls-cert-bundle: "" - - # Add system certs to the cert bundle, from the Windows Cert Store - # tls-win-cert: no - # and on other systems, the default openssl certificates - # tls-system-cert: no - - # Pad queries over TLS upstreams - # pad-queries: yes - - # Padded queries will be padded to the closest multiple of this size. - # pad-queries-block-size: 128 - - # Also serve tls on these port numbers (eg. 443, ...), by listing - # tls-additional-port: portno for each of the port numbers. - - # HTTP endpoint to provide DNS-over-HTTPS service on. - # http-endpoint: "/dns-query" - - # HTTP/2 SETTINGS_MAX_CONCURRENT_STREAMS value to use. - # http-max-streams: 100 - - # Maximum number of bytes used for all HTTP/2 query buffers. - # http-query-buffer-size: 4m - - # Maximum number of bytes used for all HTTP/2 response buffers. - # http-response-buffer-size: 4m - - # Set TCP_NODELAY socket option on sockets used for DNS-over-HTTPS - # service. - # http-nodelay: yes - - # Disable TLS for DNS-over-HTTP downstream service. - # http-notls-downstream: no - - # The interfaces that use these listed port numbers will support and - # expect PROXYv2. For UDP and TCP/TLS interfaces. - # proxy-protocol-port: portno for each of the port numbers. - - # DNS64 prefix. Must be specified when DNS64 is use. - # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4. - # dns64-prefix: 64:ff9b::0/96 - - # DNS64 ignore AAAA records for these domains and use A instead. - # dns64-ignore-aaaa: "example.com" - - # ratelimit for uncached, new queries, this limits recursion effort. - # ratelimiting is experimental, and may help against randomqueryflood. - # if 0(default) it is disabled, otherwise state qps allowed per zone. - # ratelimit: 0 - - # ratelimits are tracked in a cache, size in bytes of cache (or k,m). - # ratelimit-size: 4m - # ratelimit cache slabs, reduces lock contention if equal to cpucount. - # ratelimit-slabs: 4 - - # 0 blocks when ratelimited, otherwise let 1/xth traffic through - # ratelimit-factor: 10 - - # Aggressive rate limit when the limit is reached and until demand has - # decreased in a 2 second rate window. - # ratelimit-backoff: no - - # override the ratelimit for a specific domain name. - # give this setting multiple times to have multiple overrides. - # ratelimit-for-domain: example.com 1000 - # override the ratelimits for all domains below a domain name - # can give this multiple times, the name closest to the zone is used. - # ratelimit-below-domain: com 1000 - - # global query ratelimit for all ip addresses. - # feature is experimental. - # if 0(default) it is disabled, otherwise states qps allowed per ip address - # ip-ratelimit: 0 - - # ip ratelimits are tracked in a cache, size in bytes of cache (or k,m). - # ip-ratelimit-size: 4m - # ip ratelimit cache slabs, reduces lock contention if equal to cpucount. - # ip-ratelimit-slabs: 4 - - # 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through - # ip-ratelimit-factor: 10 - - # Aggressive rate limit when the limit is reached and until demand has - # decreased in a 2 second rate window. - # ip-ratelimit-backoff: no - - # Limit the number of connections simultaneous from a netblock - # tcp-connection-limit: 192.0.2.0/24 12 - - # select from the fastest servers this many times out of 1000. 0 means - # the fast server select is disabled. prefetches are not sped up. - # fast-server-permil: 0 - # the number of servers that will be used in the fast server selection. - # fast-server-num: 3 - - # Enable to attach Extended DNS Error codes (RFC8914) to responses. - ede: yes - - # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale - # Answer as EDNS0 option to expired responses. - # Note that the ede option above needs to be enabled for this to work. - ede-serve-expired: yes - - # Specific options for ipsecmod. Unbound needs to be configured with - # --enable-ipsecmod for these to take effect. - # - # Enable or disable ipsecmod (it still needs to be defined in - # module-config above). Can be used when ipsecmod needs to be - # enabled/disabled via remote-control(below). - # Fedora: module will be enabled on-demand by libreswan - ipsecmod-enabled: no - - # Path to executable external hook. It must be defined when ipsecmod is - # listed in module-config (above). - # ipsecmod-hook: "./my_executable" - ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook - - # When enabled Unbound will reply with SERVFAIL if the return value of - # the ipsecmod-hook is not 0. - # ipsecmod-strict: no - # - # Maximum time to live (TTL) for cached A/AAAA records with IPSECKEY. - # ipsecmod-max-ttl: 3600 - # - # Reply with A/AAAA even if the relevant IPSECKEY is bogus. Mainly used for - # testing. - # ipsecmod-ignore-bogus: no - # - # Domains for which ipsecmod will be triggered. If not defined (default) - # all domains are treated as being allowed. - # ipsecmod-allow: "example.com" - # ipsecmod-allow: "nlnetlabs.nl" - - # Timeout for REUSE entries in milliseconds. - # tcp-reuse-timeout: 60000 - # Max number of queries on a reuse connection. - # max-reuse-tcp-queries: 200 - # Timeout in milliseconds for TCP queries to auth servers. - # tcp-auth-query-timeout: 3000 - -# Python config section. To enable: -# o use --with-pythonmodule to configure before compiling. -# o list python in the module-config string (above) to enable. -# It can be at the start, it gets validated results, or just before -# the iterator and process before DNSSEC validation. -# o and give a python-script to run. -python: - # Script file to load - # python-script: "/etc/unbound/ubmodule-tst.py" - -# Dynamic library config section. To enable: -# o use --with-dynlibmodule to configure before compiling. -# o list dynlib in the module-config string (above) to enable. -# It can be placed anywhere, the dynlib module is only a very thin wrapper -# to load modules dynamically. -# o and give a dynlib-file to run. If more than one dynlib entry is listed in -# the module-config then you need one dynlib-file per instance. -dynlib: - # Script file to load - # dynlib-file: "/etc/unbound/dynlib.so" - -# Remote control config section. -remote-control: - # Enable remote control with unbound-control(8) here. - # set up the keys and certificates with unbound-control-setup. - # Note: required for unbound-munin package - control-enable: yes - - # Set to no and use an absolute path as control-interface to use - # a unix local named pipe for unbound-control. - # control-use-cert: yes - - # what interfaces are listened to for remote control. - # give 0.0.0.0 and ::0 to listen to all interfaces. - # set to an absolute path to use a unix local name pipe, certificates - # are not used for that, so key and cert files need not be present. - # control-interface: 127.0.0.1 - # control-interface: ::1 - - # port number for remote control operations. - # control-port: 8953 - - # for localhost, you can disable use of TLS by setting this to "no" - # For local sockets this option is ignored, and TLS is not used. - control-use-cert: "no" - - # Unbound server key file. - server-key-file: "/etc/unbound/unbound_server.key" - - # Unbound server certificate file. - server-cert-file: "/etc/unbound/unbound_server.pem" - - # unbound-control key file. - control-key-file: "/etc/unbound/unbound_control.key" - - # unbound-control certificate file. - control-cert-file: "/etc/unbound/unbound_control.pem" - -# Stub and Forward zones -include: /etc/unbound/conf.d/*.conf - -# Stub zones. -# Create entries like below, to make all queries for 'example.com' and -# 'example.org' go to the given list of nameservers. list zero or more -# nameservers by hostname or by ipaddress. If you set stub-prime to yes, -# the list is treated as priming hints (default is no). -# With stub-first yes, it attempts without the stub if it fails. -# Consider adding domain-insecure: name and local-zone: name nodefault -# to the server: section if the stub is a locally served zone. -# stub-zone: -# name: "example.com" -# stub-addr: 192.0.2.68 -# stub-prime: no -# stub-first: no -# stub-tcp-upstream: no -# stub-tls-upstream: no -# stub-no-cache: no -# stub-zone: -# name: "example.org" -# stub-host: ns.example.com. - -# You can now also dynamically create and delete stub-zone's using -# unbound-control stub_add domain.com 1.2.3.4 5.6.7.8 -# unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8 - -# Forward zones -# Create entries like below, to make all queries for 'example.com' and -# 'example.org' go to the given list of servers. These servers have to handle -# recursion to other nameservers. List zero or more nameservers by hostname -# or by ipaddress. Use an entry with name "." to forward all queries. -# If you enable forward-first, it attempts without the forward if it fails. -# forward-zone: -# name: "example.com" -# forward-addr: 192.0.2.68 -# forward-addr: 192.0.2.73@5355 # forward to port 5355. -# forward-first: no -# forward-tcp-upstream: no -# forward-tls-upstream: no -# forward-no-cache: no -# forward-zone: -# name: "example.org" -# forward-host: fwd.example.com -# -# You can now also dynamically create and delete forward-zone's using -# unbound-control forward_add domain.com 1.2.3.4 5.6.7.8 -# unbound-control forward_remove domain.com 1.2.3.4 5.6.7.8 - -# Authority zones -# The data for these zones is kept locally, from a file or downloaded. -# The data can be served to downstream clients, or used instead of the -# upstream (which saves a lookup to the upstream). The first example -# has a copy of the root for local usage. The second serves example.org -# authoritatively. zonefile: reads from file (and writes to it if you also -# download it), master: fetches with AXFR and IXFR, or url to zonefile. -# With allow-notify: you can give additional (apart from masters) sources of -# notifies. -auth-zone: - name: "." - primary: 199.9.14.201 # b.root-servers.net - primary: 192.33.4.12 # c.root-servers.net - primary: 199.7.91.13 # d.root-servers.net - primary: 192.5.5.241 # f.root-servers.net - primary: 192.112.36.4 # g.root-servers.net - primary: 193.0.14.129 # k.root-servers.net - primary: 192.0.47.132 # xfr.cjr.dns.icann.org - primary: 192.0.32.132 # xfr.lax.dns.icann.org - primary: 2001:500:200::b # b.root-servers.net - primary: 2001:500:2::c # c.root-servers.net - primary: 2001:500:2d::d # d.root-servers.net - primary: 2001:500:2f::f # f.root-servers.net - primary: 2001:500:12::d0d # g.root-servers.net - primary: 2001:7fd::1 # k.root-servers.net - primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org - primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org - fallback-enabled: yes - for-downstream: no - for-upstream: yes - -# auth-zone: -# name: "example.org" -# for-downstream: yes -# for-upstream: yes -# zonemd-check: no -# zonemd-reject-absence: no -# zonefile: "example.org.zone" - -# Views -# Create named views. Name must be unique. Map views to requests using -# the access-control-view option. Views can contain zero or more local-zone -# and local-data options. Options from matching views will override global -# options. Global options will be used if no matching view is found. -# With view-first yes, it will try to answer using the global local-zone and -# local-data elements if there is no view specific match. -# view: -# name: "viewname" -# local-zone: "example.com" redirect -# local-data: "example.com A 192.0.2.3" -# local-data-ptr: "192.0.2.3 www.example.com" -# view-first: no -# view: -# name: "anotherview" -# local-zone: "example.com" refuse - -# Fedora: DNSCrypt support not enabled since it requires linking to -# another crypto library -# -# DNSCrypt -# o enable, use --enable-dnscrypt to configure before compiling. -# Caveats: -# 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper -# for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage -# 2. dnscrypt channel attaches to an interface. you MUST set interfaces to -# listen on `dnscrypt-port` with the follo0wing snippet: -# server: -# interface: 0.0.0.0@443 -# interface: ::0@443 -# -# Finally, `dnscrypt` config has its own section. -# dnscrypt: -# dnscrypt-enable: yes -# dnscrypt-port: 443 -# dnscrypt-provider: 2.dnscrypt-cert.example.com. -# dnscrypt-secret-key: /path/unbound-conf/keys1/1.key -# dnscrypt-secret-key: /path/unbound-conf/keys2/1.key -# dnscrypt-provider-cert: /path/unbound-conf/keys1/1.cert -# dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert - -# CacheDB -# External backend DB as auxiliary cache. -# To enable, use --enable-cachedb to configure before compiling. -# Specify the backend name -# (default is "testframe", which has no use other than for debugging and -# testing) and backend-specific options. The 'cachedb' module must be -# included in module-config, just before the iterator module. -# cachedb: -# backend: "testframe" -# # secret seed string to calculate hashed keys -# secret-seed: "default" -# -# # For "redis" backend: -# # (to enable, use --with-libhiredis to configure before compiling) -# # redis server's IP address or host name -# redis-server-host: 127.0.0.1 -# # redis server's TCP port -# redis-server-port: 6379 -# # if the server uses a unix socket, set its path, or "" when not used. -# # redis-server-path: "/var/lib/redis/redis-server.sock" -# # if the server uses an AUTH password, specify here, or "" when not used. -# # redis-server-password: "" -# # timeout (in ms) for communication with the redis server -# redis-timeout: 100 -# # set timeout on redis records based on DNS response TTL -# redis-expire-records: no - -# IPSet -# Add specify domain into set via ipset. -# To enable: -# o use --enable-ipset to configure before compiling; -# o Unbound then needs to run as root user. -# ipset: -# # set name for ip v4 addresses -# name-v4: "list-v4" -# # set name for ip v6 addresses -# name-v6: "list-v6" -# - -# Dnstap logging support, if compiled in by using --enable-dnstap to configure. -# To enable, set the dnstap-enable to yes and also some of -# dnstap-log-..-messages to yes. And select an upstream log destination, by -# socket path, TCP or TLS destination. -# dnstap: -# dnstap-enable: no -# # if set to yes frame streams will be used in bidirectional mode -# dnstap-bidirectional: yes -# dnstap-socket-path: "/etc/unbound/dnstap.sock" -# # if "" use the unix socket in dnstap-socket-path, otherwise, -# # set it to "IPaddress[@port]" of the destination. -# dnstap-ip: "" -# # if set to yes if you want to use TLS to dnstap-ip, no for TCP. -# dnstap-tls: yes -# # name for authenticating the upstream server. or "" disabled. -# dnstap-tls-server-name: "" -# # if "", it uses the cert bundle from the main Unbound config. -# dnstap-tls-cert-bundle: "" -# # key file for client authentication, or "" disabled. -# dnstap-tls-client-key-file: "" -# # cert file for client authentication, or "" disabled. -# dnstap-tls-client-cert-file: "" -# dnstap-send-identity: no -# dnstap-send-version: no -# # if "" it uses the hostname. -# dnstap-identity: "" -# # if "" it uses the package version. -# dnstap-version: "" -# dnstap-log-resolver-query-messages: no -# dnstap-log-resolver-response-messages: no -# dnstap-log-client-query-messages: no -# dnstap-log-client-response-messages: no -# dnstap-log-forwarder-query-messages: no -# dnstap-log-forwarder-response-messages: no - -# Response Policy Zones -# RPZ policies. Applied in order of configuration. QNAME, Response IP -# Address, nsdname, nsip and clientip triggers are supported. Supported -# actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp-only -# and drop. Policies can be loaded from a file, or using zone -# transfer, or using HTTP. The respip module needs to be added -# to the module-config, e.g.: module-config: "respip validator iterator". -# rpz: -# name: "rpz.example.com" -# zonefile: "rpz.example.com" -# primary: 192.0.2.0 -# allow-notify: 192.0.2.0/32 -# url: http://www.example.com/rpz.example.org.zone -# rpz-action-override: cname -# rpz-cname-override: www.example.org -# rpz-log: yes -# rpz-log-name: "example policy" -# rpz-signal-nxdomain-ra: no -# for-downstream: no -# tags: "example" diff --git a/unbound.spec b/unbound.spec index c6fcda9..b424564 100644 --- a/unbound.spec +++ b/unbound.spec @@ -36,7 +36,6 @@ License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz Source1: unbound.service -Source2: unbound.conf Source3: unbound.munin Source4: unbound_munin_ Source5: root.key @@ -56,7 +55,8 @@ Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_vers Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key Source20: unbound.sysusers -# Patch1: +# Downstream configuration changes +Patch1: unbound-fedora-config.patch BuildRequires: gcc, make BuildRequires: flex, openssl-devel @@ -203,7 +203,7 @@ Python 3 modules and extensions for unbound pushd %{pkgname} # patches go here -%autopatch -p1 +%autopatch -p2 # only for snapshots # autoreconf -iv @@ -229,7 +229,8 @@ cp -a %{dir_primary} %{dir_secondary} --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\ --with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\ --enable-sha2 --disable-gost --enable-ecdsa \\\ - --with-rootkey-file=%{_sharedstatedir}/unbound/root.key \\\ + --with-rootkey-file=%{_sharedstatedir}/%{name}/root.key \\\ + --with-username=unbound \\\ --enable-linux-ip-local-port-range \\\ @@ -292,6 +293,7 @@ popd pushd %{dir_primary} %make_install unbound-event-install install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp +install -p -m 0755 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf popd install -d -m 0755 %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig @@ -299,7 +301,6 @@ install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service install -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/unbound-keygen.service install -p -m 0644 %{SOURCE15} %{buildroot}%{_unitdir}/unbound-anchor.timer install -p -m 0644 %{SOURCE17} %{buildroot}%{_unitdir}/unbound-anchor.service -install -p -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound install -p -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/unbound install -p -m 0644 %{SOURCE14} %{buildroot}%{_sysconfdir}/sysconfig/unbound install -p -D -m 0644 %{SOURCE20} %{buildroot}%{_sysusersdir}/%{name}.sysusers From fa87c910e9b5ddbed1167a43cbc815c86f17c91e Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Tue, 13 Feb 2024 09:20:26 -0500 Subject: [PATCH 5/7] Update to 1.19.1 for CVE-2023-50387, CVE-2023-50868 Resolves: CVE-2023-50387 (KeyTrap Denial of Service) Resolves: CVE-2023-50868 (NSEC3 Denial of Service) --- .gitignore | 2 ++ sources | 4 ++-- unbound.spec | 5 ++++- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index c4bf873..62eba4b 100644 --- a/.gitignore +++ b/.gitignore @@ -83,3 +83,5 @@ unbound-1.4.5.tar.gz /unbound-1.18.0.tar.gz.asc /unbound-1.19.0.tar.gz /unbound-1.19.0.tar.gz.asc +/unbound-1.19.1.tar.gz +/unbound-1.19.1.tar.gz.asc diff --git a/sources b/sources index 4adc154..a941fce 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (unbound-1.19.0.tar.gz) = c7df997ab003d098f53ac97ffb4c8428ab28e24573ff21e21782cbeadca42edadeb5b0db53ce954c9ff3106a5edb36eb47109240c554a44d9aac75727b66aeb4 -SHA512 (unbound-1.19.0.tar.gz.asc) = 63aa94192de7840f7abe43367e2c3f5d3fd42b8d72c08a5645cf28e2c0ad2e11d54f3aa645384fff5d4dfe66bc7ee25d81bd967780a992b54956343974206580 +SHA512 (unbound-1.19.1.tar.gz) = c81192b70f14a4e289cf738bf6b647cf25b58b1ab11076dee306ff25a530b6a1bbeca71cfa8820d80f48fd843019beb29a68796a1b1fcec6e561dfeccd62d96a +SHA512 (unbound-1.19.1.tar.gz.asc) = 2e4c6b7df844d1fb93d948791a20b9ff201bd1e6de6c89a830ddce06e24e5d770409265005f549757ef3a9c99d11b9860ae21711425d76d42bf2c33240dd3b52 diff --git a/unbound.spec b/unbound.spec index b424564..44a91ab 100644 --- a/unbound.spec +++ b/unbound.spec @@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.19.0 +Version: 1.19.1 Release: 1%{?extra_version:.%{extra_version}}%{?dist} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ @@ -492,6 +492,9 @@ popd %{_mandir}/man1/unbound-* %changelog +* Tue Feb 13 2024 Petr Menšík - 1.19.1-1 +- Update to 1.19.1 for CVE-2023-50387, CVE-2023-50868 (#2264029) + * Thu Nov 02 2023 Petr Menšík - 1.19.0-1 - Update to 1.19.0 (#2248686) From b0e90924f0f2bb04ec9744bc89f9046f21a7506c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 13 Feb 2024 22:47:36 +0100 Subject: [PATCH 6/7] Ensure only unbound group members can make changes unbound-control should allow only privileged users from unbound group to modify running instance. --- unbound-fedora-config.patch | 46 ++++++++++++++++++------------------- unbound.spec | 1 + 2 files changed, 24 insertions(+), 23 deletions(-) diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch index a249d2c..009cb07 100644 --- a/unbound-fedora-config.patch +++ b/unbound-fedora-config.patch @@ -1,4 +1,4 @@ -From ecfc3a96a0d38cc31fb871d98789467434c7afda Mon Sep 17 00:00:00 2001 +From 77710cef1d7001fc52b7f19b0b9e305fd355f07e Mon Sep 17 00:00:00 2001 From: Petr Mensik Date: Fri, 10 Nov 2023 12:58:31 +0100 Subject: [PATCH] Customize unbound.conf for Fedora defaults @@ -7,13 +7,13 @@ Set some Fedora/RHEL specific changes to example configuration file. By patching upstream provided config file we would not need to manually update external copy in source RPM. --- - unbound-1.19.0/doc/example.conf.in | 205 ++++++++++++++++++----------- - 1 file changed, 131 insertions(+), 74 deletions(-) + unbound-1.19.1/doc/example.conf.in | 200 ++++++++++++++++++----------- + 1 file changed, 127 insertions(+), 73 deletions(-) -diff --git a/unbound-1.19.0/doc/example.conf.in b/unbound-1.19.0/doc/example.conf.in -index fe0dde6..b79a322 100644 ---- a/unbound-1.19.0/doc/example.conf.in -+++ b/unbound-1.19.0/doc/example.conf.in +diff --git a/unbound-1.19.1/doc/example.conf.in b/unbound-1.19.1/doc/example.conf.in +index fcfb1da..a61b530 100644 +--- a/unbound-1.19.1/doc/example.conf.in ++++ b/unbound-1.19.1/doc/example.conf.in @@ -17,11 +17,12 @@ server: # whitespace is not necessary, but looks cleaner. @@ -400,7 +400,7 @@ index fe0dde6..b79a322 100644 # Dynamic library config section. To enable: # o use --with-dynlibmodule to configure before compiling. -@@ -1067,13 +1104,18 @@ python: +@@ -1067,13 +1104,14 @@ python: # the module-config then you need one dynlib-file per instance. dynlib: # Script file to load @@ -414,19 +414,19 @@ index fe0dde6..b79a322 100644 - # control-enable: no + # Note: required for unbound-munin package + control-enable: yes -+ -+ # Set to no and use an absolute path as control-interface to use -+ # a unix local named pipe for unbound-control. -+ # control-use-cert: yes # what interfaces are listened to for remote control. # give 0.0.0.0 and ::0 to listen to all interfaces. -@@ -1087,19 +1129,22 @@ remote-control: +@@ -1081,6 +1119,7 @@ remote-control: + # are not used for that, so key and cert files need not be present. + # control-interface: 127.0.0.1 + # control-interface: ::1 ++ control-interface: "/run/unbound/control" - # for localhost, you can disable use of TLS by setting this to "no" - # For local sockets this option is ignored, and TLS is not used. -- # control-use-cert: "yes" -+ control-use-cert: "no" + # port number for remote control operations. + # control-port: 8953 +@@ -1090,16 +1129,19 @@ remote-control: + # control-use-cert: "yes" # Unbound server key file. - # server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key" @@ -449,7 +449,7 @@ index fe0dde6..b79a322 100644 # Stub zones. # Create entries like below, to make all queries for 'example.com' and -@@ -1121,6 +1166,10 @@ remote-control: +@@ -1121,6 +1163,10 @@ remote-control: # name: "example.org" # stub-host: ns.example.com. @@ -460,7 +460,7 @@ index fe0dde6..b79a322 100644 # Forward zones # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of servers. These servers have to handle -@@ -1138,6 +1187,10 @@ remote-control: +@@ -1138,6 +1184,10 @@ remote-control: # forward-zone: # name: "example.org" # forward-host: fwd.example.com @@ -471,7 +471,7 @@ index fe0dde6..b79a322 100644 # Authority zones # The data for these zones is kept locally, from a file or downloaded. -@@ -1145,30 +1198,31 @@ remote-control: +@@ -1145,30 +1195,31 @@ remote-control: # upstream (which saves a lookup to the upstream). The first example # has a copy of the root for local usage. The second serves example.org # authoritatively. zonefile: reads from file (and writes to it if you also @@ -527,7 +527,7 @@ index fe0dde6..b79a322 100644 # auth-zone: # name: "example.org" # for-downstream: yes -@@ -1194,6 +1248,9 @@ remote-control: +@@ -1194,6 +1245,9 @@ remote-control: # name: "anotherview" # local-zone: "example.com" refuse @@ -537,7 +537,7 @@ index fe0dde6..b79a322 100644 # DNSCrypt # To enable, use --enable-dnscrypt to configure before compiling. # Caveats: -@@ -1266,7 +1323,7 @@ remote-control: +@@ -1266,7 +1320,7 @@ remote-control: # dnstap-enable: no # # if set to yes frame streams will be used in bidirectional mode # dnstap-bidirectional: yes @@ -547,5 +547,5 @@ index fe0dde6..b79a322 100644 # # set it to "IPaddress[@port]" of the destination. # dnstap-ip: "" -- -2.41.0 +2.43.0 diff --git a/unbound.spec b/unbound.spec index 44a91ab..3db4948 100644 --- a/unbound.spec +++ b/unbound.spec @@ -494,6 +494,7 @@ popd %changelog * Tue Feb 13 2024 Petr Menšík - 1.19.1-1 - Update to 1.19.1 for CVE-2023-50387, CVE-2023-50868 (#2264029) +- Ensure only unbound group members can make changes * Thu Nov 02 2023 Petr Menšík - 1.19.0-1 - Update to 1.19.0 (#2248686) From 175ae85efc707e835550423cff7b0f2a37a830fd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Fri, 12 Apr 2024 19:54:21 +0200 Subject: [PATCH 7/7] Update to 1.19.3 (rhbz#2268404) - Fix CVE-2024-1931, Denial of service when trimming EDE text on positive replies. (rhbz#2268419) - Use the origin (DNAME) TTL for synthesized CNAMEs as per RFC 6672. - Bug fixes https://nlnetlabs.nl/projects/unbound/download/#unbound-1-19-3 --- .gitignore | 2 + sources | 4 +- unbound-1.19-EDE-cpu-lock.patch | 14 ---- unbound-1.19-b.root-servers.net-conf.patch | 38 --------- unbound-1.19-b.root-servers.net.patch | 35 -------- unbound-fedora-config.patch | 96 ++++++++++------------ unbound.spec | 18 ++-- 7 files changed, 58 insertions(+), 149 deletions(-) delete mode 100644 unbound-1.19-EDE-cpu-lock.patch delete mode 100644 unbound-1.19-b.root-servers.net-conf.patch delete mode 100644 unbound-1.19-b.root-servers.net.patch diff --git a/.gitignore b/.gitignore index 62eba4b..dde18f4 100644 --- a/.gitignore +++ b/.gitignore @@ -85,3 +85,5 @@ unbound-1.4.5.tar.gz /unbound-1.19.0.tar.gz.asc /unbound-1.19.1.tar.gz /unbound-1.19.1.tar.gz.asc +/unbound-1.19.3.tar.gz +/unbound-1.19.3.tar.gz.asc diff --git a/sources b/sources index a941fce..eea1e9c 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (unbound-1.19.1.tar.gz) = c81192b70f14a4e289cf738bf6b647cf25b58b1ab11076dee306ff25a530b6a1bbeca71cfa8820d80f48fd843019beb29a68796a1b1fcec6e561dfeccd62d96a -SHA512 (unbound-1.19.1.tar.gz.asc) = 2e4c6b7df844d1fb93d948791a20b9ff201bd1e6de6c89a830ddce06e24e5d770409265005f549757ef3a9c99d11b9860ae21711425d76d42bf2c33240dd3b52 +SHA512 (unbound-1.19.3.tar.gz) = f860614f090a5a081cceff8ca7f4b3d416c00a251ae14ceb6b4159dc8cd022f025592074d3d78aee2f86c3eeae9d1a314713e4740aa91062579143199accd159 +SHA512 (unbound-1.19.3.tar.gz.asc) = 1b6437d7ac4394ab7d6eb0d12f22b39538152f9c88175a5368263059950b8e6b093fa5392d1ff37874effef7a422afa9c690f766802208979a99500a4bea5906 diff --git a/unbound-1.19-EDE-cpu-lock.patch b/unbound-1.19-EDE-cpu-lock.patch deleted file mode 100644 index 85b76ff..0000000 --- a/unbound-1.19-EDE-cpu-lock.patch +++ /dev/null @@ -1,14 +0,0 @@ -diff --git a/unbound-1.19.1/util/data/msgencode.c b/unbound-1.19.1/util/data/msgencode.c -index 80ae33a38..898ff8412 100644 ---- a/unbound-1.19.1/util/data/msgencode.c -+++ b/unbound-1.19.1/util/data/msgencode.c -@@ -886,6 +886,9 @@ ede_trim_text(struct edns_option** list) - curr->opt_len = 2; - prev = curr; - curr = curr->next; -+ } else { -+ prev = curr; -+ curr = curr->next; - } - } else { - /* continue */ diff --git a/unbound-1.19-b.root-servers.net-conf.patch b/unbound-1.19-b.root-servers.net-conf.patch deleted file mode 100644 index c3f41c9..0000000 --- a/unbound-1.19-b.root-servers.net-conf.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 101f9efb8de8e5e41fe40d05461276299e4c8980 Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Tue, 16 Jan 2024 16:13:29 +0100 -Subject: [PATCH] Update b.root-servers.net also in example config file - -Addition to commit a8739bad76d4d179290627e989c7ef236345bda6, which -updated only address specified in code. But addresses provided in -example configuration were not updated, I think they should be updated -too. ---- - unbound-1.19.0/doc/example.conf.in | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/unbound-1.19.0/doc/example.conf.in b/unbound-1.19.0/doc/example.conf.in -index b79a322..3a15357 100644 ---- a/unbound-1.19.0/doc/example.conf.in -+++ b/unbound-1.19.0/doc/example.conf.in -@@ -1203,7 +1203,7 @@ include: /etc/unbound/conf.d/*.conf - # notifies. - auth-zone: - name: "." -- primary: 199.9.14.201 # b.root-servers.net -+ primary: 170.247.170.2 # b.root-servers.net - primary: 192.33.4.12 # c.root-servers.net - primary: 199.7.91.13 # d.root-servers.net - primary: 192.5.5.241 # f.root-servers.net -@@ -1211,7 +1211,7 @@ auth-zone: - primary: 193.0.14.129 # k.root-servers.net - primary: 192.0.47.132 # xfr.cjr.dns.icann.org - primary: 192.0.32.132 # xfr.lax.dns.icann.org -- primary: 2001:500:200::b # b.root-servers.net -+ primary: 2801:1b8:10::b # b.root-servers.net - primary: 2001:500:2::c # c.root-servers.net - primary: 2001:500:2d::d # d.root-servers.net - primary: 2001:500:2f::f # f.root-servers.net --- -2.43.0 - diff --git a/unbound-1.19-b.root-servers.net.patch b/unbound-1.19-b.root-servers.net.patch deleted file mode 100644 index c3b9a47..0000000 --- a/unbound-1.19-b.root-servers.net.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 72c65bfc2fe35cf4f0665a5e3f173f4f8f6f151b Mon Sep 17 00:00:00 2001 -From: "W.C.A. Wijngaards" -Date: Wed, 6 Dec 2023 13:25:58 +0100 -Subject: [PATCH] - Updated IPv4 and IPv6 address for b.root-servers.net in - root hints. - ---- - unbound-1.19.0/iterator/iter_hints.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/unbound-1.19.0/iterator/iter_hints.c b/unbound-1.19.0/iterator/iter_hints.c -index a60d9a6..6b56daa 100644 ---- a/unbound-1.19.0/iterator/iter_hints.c -+++ b/unbound-1.19.0/iterator/iter_hints.c -@@ -129,7 +129,7 @@ compile_time_root_prime(int do_ip4, int do_ip6) - dp->has_parent_side_NS = 1; - if(do_ip4) { - if(!ah(dp, "A.ROOT-SERVERS.NET.", "198.41.0.4")) goto failed; -- if(!ah(dp, "B.ROOT-SERVERS.NET.", "199.9.14.201")) goto failed; -+ if(!ah(dp, "B.ROOT-SERVERS.NET.", "170.247.170.2")) goto failed; - if(!ah(dp, "C.ROOT-SERVERS.NET.", "192.33.4.12")) goto failed; - if(!ah(dp, "D.ROOT-SERVERS.NET.", "199.7.91.13")) goto failed; - if(!ah(dp, "E.ROOT-SERVERS.NET.", "192.203.230.10")) goto failed; -@@ -144,7 +144,7 @@ compile_time_root_prime(int do_ip4, int do_ip6) - } - if(do_ip6) { - if(!ah(dp, "A.ROOT-SERVERS.NET.", "2001:503:ba3e::2:30")) goto failed; -- if(!ah(dp, "B.ROOT-SERVERS.NET.", "2001:500:200::b")) goto failed; -+ if(!ah(dp, "B.ROOT-SERVERS.NET.", "2801:1b8:10::b")) goto failed; - if(!ah(dp, "C.ROOT-SERVERS.NET.", "2001:500:2::c")) goto failed; - if(!ah(dp, "D.ROOT-SERVERS.NET.", "2001:500:2d::d")) goto failed; - if(!ah(dp, "E.ROOT-SERVERS.NET.", "2001:500:a8::e")) goto failed; --- -2.43.0 - diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch index 009cb07..0aeb6cb 100644 --- a/unbound-fedora-config.patch +++ b/unbound-fedora-config.patch @@ -1,4 +1,4 @@ -From 77710cef1d7001fc52b7f19b0b9e305fd355f07e Mon Sep 17 00:00:00 2001 +From 17d4cc5fea24faa55358b7c36fdae0cd9bdd48b6 Mon Sep 17 00:00:00 2001 From: Petr Mensik Date: Fri, 10 Nov 2023 12:58:31 +0100 Subject: [PATCH] Customize unbound.conf for Fedora defaults @@ -7,13 +7,13 @@ Set some Fedora/RHEL specific changes to example configuration file. By patching upstream provided config file we would not need to manually update external copy in source RPM. --- - unbound-1.19.1/doc/example.conf.in | 200 ++++++++++++++++++----------- - 1 file changed, 127 insertions(+), 73 deletions(-) + unbound-1.19.3/doc/example.conf.in | 194 ++++++++++++++++++----------- + 1 file changed, 124 insertions(+), 70 deletions(-) -diff --git a/unbound-1.19.1/doc/example.conf.in b/unbound-1.19.1/doc/example.conf.in -index fcfb1da..a61b530 100644 ---- a/unbound-1.19.1/doc/example.conf.in -+++ b/unbound-1.19.1/doc/example.conf.in +diff --git a/unbound-1.19.3/doc/example.conf.in b/unbound-1.19.3/doc/example.conf.in +index d791cf8..af163b2 100644 +--- a/unbound-1.19.3/doc/example.conf.in ++++ b/unbound-1.19.3/doc/example.conf.in @@ -17,11 +17,12 @@ server: # whitespace is not necessary, but looks cleaner. @@ -148,7 +148,7 @@ index fcfb1da..a61b530 100644 # Use systemd socket activation for UDP, TCP, and control sockets. # use-systemd: no -@@ -402,6 +426,7 @@ server: +@@ -403,6 +427,7 @@ server: # # If you give "" no chroot is performed. The path must not end in a /. # chroot: "@UNBOUND_CHROOT_DIR@" @@ -156,7 +156,7 @@ index fcfb1da..a61b530 100644 # if given, user privileges are dropped (after binding port), # and the given username is assumed. Default is user "unbound". -@@ -413,7 +438,7 @@ server: +@@ -414,7 +439,7 @@ server: # is not changed. # If you give a server: directory: dir before include: file statements # then those includes can be relative to the working directory. @@ -165,7 +165,7 @@ index fcfb1da..a61b530 100644 # the log file, "" means log to stderr. # Use of this option sets use-syslog to "no". -@@ -428,7 +453,7 @@ server: +@@ -429,7 +454,7 @@ server: # log-identity: "" # print UTC timestamp in ascii to logfile, default is epoch in seconds. @@ -174,7 +174,7 @@ index fcfb1da..a61b530 100644 # print one line with time, IP, name, type, class for every query. # log-queries: no -@@ -497,22 +522,22 @@ server: +@@ -501,22 +526,22 @@ server: # harden-large-queries: no # Harden against out of zone rrsets, to avoid spoofing attempts. @@ -201,7 +201,7 @@ index fcfb1da..a61b530 100644 # Harden against algorithm downgrade when multiple algorithms are # advertised in the DS record. If no, allows the weakest algorithm -@@ -526,7 +551,7 @@ server: +@@ -530,7 +555,7 @@ server: # Sent minimum amount of information to upstream servers to enhance # privacy. Only sent minimum required labels of the QNAME and set QTYPE # to A when possible. @@ -210,7 +210,7 @@ index fcfb1da..a61b530 100644 # QNAME minimisation in strict mode. Do not fall-back to sending full # QNAME to potentially broken nameservers. A lot of domains will not be -@@ -536,7 +561,7 @@ server: +@@ -540,7 +565,7 @@ server: # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN # and other denials, using information from previous NXDOMAINs answers. @@ -219,7 +219,7 @@ index fcfb1da..a61b530 100644 # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. -@@ -569,7 +594,7 @@ server: +@@ -573,7 +598,7 @@ server: # threshold, a warning is printed and a defensive action is taken, # the cache is cleared to flush potential poison out of it. # A suggested value is 10000000, the default is 0 (turned off). @@ -228,7 +228,7 @@ index fcfb1da..a61b530 100644 # Do not query the following addresses. No DNS queries are sent there. # List one address per entry. List classless netblocks with /size, -@@ -581,20 +606,20 @@ server: +@@ -585,20 +610,20 @@ server: # do-not-query-localhost: yes # if yes, perform prefetching of almost expired message cache entries. @@ -254,7 +254,7 @@ index fcfb1da..a61b530 100644 # true to disable DNSSEC lameness check in iterator. # disable-dnssec-lame-check: no -@@ -604,7 +629,9 @@ server: +@@ -608,7 +633,9 @@ server: # most modules have to be listed at the beginning of the line, # except cachedb(just before iterator), and python (at the beginning, # or, just before the iterator). @@ -265,7 +265,7 @@ index fcfb1da..a61b530 100644 # File with trusted keys, kept uptodate using RFC5011 probes, # initial file like trust-anchor-file, then it stores metadata. -@@ -618,10 +645,10 @@ server: +@@ -622,10 +649,10 @@ server: # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" # trust anchor signaling sends a RFC8145 key tag query after priming. @@ -278,7 +278,7 @@ index fcfb1da..a61b530 100644 # File with trusted keys for validation. Specify more than one file # with several entries, one file per entry. -@@ -642,6 +669,9 @@ server: +@@ -646,6 +673,9 @@ server: # the trusted-keys { name flag proto algo "key"; }; clauses are read. # you need external update procedures to track changes in keys. # trusted-keys-file: "" @@ -288,7 +288,7 @@ index fcfb1da..a61b530 100644 # Ignore chain of trust. Domain is treated as insecure. # domain-insecure: "example.com" -@@ -669,14 +699,15 @@ server: +@@ -673,14 +703,15 @@ server: # unsecure data. Useful to shield the users of this validator from # potential bogus data in the additional section. All unsigned data # in the additional section is removed from secure messages. @@ -306,7 +306,7 @@ index fcfb1da..a61b530 100644 # Ignore the CD flag in incoming queries and refuse them bogus data. # Enable it if the only clients of Unbound are legacy servers (w2008) -@@ -690,11 +721,11 @@ server: +@@ -694,11 +725,11 @@ server: # Serve expired responses from cache, with serve-expired-reply-ttl in # the response, and then attempt to fetch the data afresh. @@ -320,7 +320,7 @@ index fcfb1da..a61b530 100644 # # Set the TTL of expired records to the serve-expired-ttl value after a # failed attempt to retrieve the record from upstream. This makes sure -@@ -721,7 +752,7 @@ server: +@@ -725,7 +756,7 @@ server: # Have the validator log failed validations for your diagnosis. # 0: off. 1: A line per failed user query. 2: With reason and bad IP. @@ -329,7 +329,7 @@ index fcfb1da..a61b530 100644 # It is possible to configure NSEC3 maximum iteration counts per # keysize. Keep this table very short, as linear search is done. -@@ -865,6 +896,8 @@ server: +@@ -869,6 +900,8 @@ server: # you need to do the reverse notation yourself. # local-data-ptr: "192.0.2.3 www.example.com" @@ -338,7 +338,7 @@ index fcfb1da..a61b530 100644 # tag a localzone with a list of tag names (in "" with spaces between) # local-zone-tag: "example.com" "tag2 tag3" -@@ -875,8 +908,8 @@ server: +@@ -879,8 +912,8 @@ server: # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. # Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. @@ -349,7 +349,7 @@ index fcfb1da..a61b530 100644 # tls-port: 853 # https-port: 443 -@@ -884,6 +917,8 @@ server: +@@ -888,6 +921,8 @@ server: # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" # cipher setting for TLSv1.3 # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" @@ -358,8 +358,8 @@ index fcfb1da..a61b530 100644 # Pad responses to padded queries received over TLS # pad-responses: yes -@@ -1005,12 +1040,12 @@ server: - # fast-server-num: 3 +@@ -1024,12 +1059,12 @@ server: + # cookie-secret: <128 bit random hex string> # Enable to attach Extended DNS Error codes (RFC8914) to responses. - # ede: no @@ -373,7 +373,7 @@ index fcfb1da..a61b530 100644 # Specific options for ipsecmod. Unbound needs to be configured with # --enable-ipsecmod for these to take effect. -@@ -1018,12 +1053,14 @@ server: +@@ -1037,12 +1072,14 @@ server: # Enable or disable ipsecmod (it still needs to be defined in # module-config above). Can be used when ipsecmod needs to be # enabled/disabled via remote-control(below). @@ -391,7 +391,7 @@ index fcfb1da..a61b530 100644 # When enabled Unbound will reply with SERVFAIL if the return value of # the ipsecmod-hook is not 0. # ipsecmod-strict: no -@@ -1056,7 +1093,7 @@ server: +@@ -1075,7 +1112,7 @@ server: # o and give a python-script to run. python: # Script file to load @@ -400,7 +400,7 @@ index fcfb1da..a61b530 100644 # Dynamic library config section. To enable: # o use --with-dynlibmodule to configure before compiling. -@@ -1067,13 +1104,14 @@ python: +@@ -1086,13 +1123,14 @@ python: # the module-config then you need one dynlib-file per instance. dynlib: # Script file to load @@ -417,7 +417,7 @@ index fcfb1da..a61b530 100644 # what interfaces are listened to for remote control. # give 0.0.0.0 and ::0 to listen to all interfaces. -@@ -1081,6 +1119,7 @@ remote-control: +@@ -1100,6 +1138,7 @@ remote-control: # are not used for that, so key and cert files need not be present. # control-interface: 127.0.0.1 # control-interface: ::1 @@ -425,7 +425,7 @@ index fcfb1da..a61b530 100644 # port number for remote control operations. # control-port: 8953 -@@ -1090,16 +1129,19 @@ remote-control: +@@ -1109,16 +1148,19 @@ remote-control: # control-use-cert: "yes" # Unbound server key file. @@ -449,7 +449,7 @@ index fcfb1da..a61b530 100644 # Stub zones. # Create entries like below, to make all queries for 'example.com' and -@@ -1121,6 +1163,10 @@ remote-control: +@@ -1140,6 +1182,10 @@ remote-control: # name: "example.org" # stub-host: ns.example.com. @@ -460,7 +460,7 @@ index fcfb1da..a61b530 100644 # Forward zones # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of servers. These servers have to handle -@@ -1138,6 +1184,10 @@ remote-control: +@@ -1157,6 +1203,10 @@ remote-control: # forward-zone: # name: "example.org" # forward-host: fwd.example.com @@ -471,16 +471,13 @@ index fcfb1da..a61b530 100644 # Authority zones # The data for these zones is kept locally, from a file or downloaded. -@@ -1145,30 +1195,31 @@ remote-control: - # upstream (which saves a lookup to the upstream). The first example - # has a copy of the root for local usage. The second serves example.org - # authoritatively. zonefile: reads from file (and writes to it if you also --# download it), primary: fetches with AXFR and IXFR, or url to zonefile. --# With allow-notify: you can give additional (apart from primaries and urls) --# sources of notifies. +@@ -1167,27 +1217,28 @@ remote-control: + # download it), primary: fetches with AXFR and IXFR, or url to zonefile. + # With allow-notify: you can give additional (apart from primaries and urls) + # sources of notifies. -# auth-zone: -# name: "." --# primary: 199.9.14.201 # b.root-servers.net +-# primary: 170.247.170.2 # b.root-servers.net -# primary: 192.33.4.12 # c.root-servers.net -# primary: 199.7.91.13 # d.root-servers.net -# primary: 192.5.5.241 # f.root-servers.net @@ -488,7 +485,7 @@ index fcfb1da..a61b530 100644 -# primary: 193.0.14.129 # k.root-servers.net -# primary: 192.0.47.132 # xfr.cjr.dns.icann.org -# primary: 192.0.32.132 # xfr.lax.dns.icann.org --# primary: 2001:500:200::b # b.root-servers.net +-# primary: 2801:1b8:10::b # b.root-servers.net -# primary: 2001:500:2::c # c.root-servers.net -# primary: 2001:500:2d::d # d.root-servers.net -# primary: 2001:500:2f::f # f.root-servers.net @@ -499,12 +496,9 @@ index fcfb1da..a61b530 100644 -# fallback-enabled: yes -# for-downstream: no -# for-upstream: yes -+# download it), master: fetches with AXFR and IXFR, or url to zonefile. -+# With allow-notify: you can give additional (apart from masters) sources of -+# notifies. -+auth-zone: ++ auth-zone: + name: "." -+ primary: 199.9.14.201 # b.root-servers.net ++ primary: 170.247.170.2 # b.root-servers.net + primary: 192.33.4.12 # c.root-servers.net + primary: 199.7.91.13 # d.root-servers.net + primary: 192.5.5.241 # f.root-servers.net @@ -512,7 +506,7 @@ index fcfb1da..a61b530 100644 + primary: 193.0.14.129 # k.root-servers.net + primary: 192.0.47.132 # xfr.cjr.dns.icann.org + primary: 192.0.32.132 # xfr.lax.dns.icann.org -+ primary: 2001:500:200::b # b.root-servers.net ++ primary: 2801:1b8:10::b # b.root-servers.net + primary: 2001:500:2::c # c.root-servers.net + primary: 2001:500:2d::d # d.root-servers.net + primary: 2001:500:2f::f # f.root-servers.net @@ -527,7 +521,7 @@ index fcfb1da..a61b530 100644 # auth-zone: # name: "example.org" # for-downstream: yes -@@ -1194,6 +1245,9 @@ remote-control: +@@ -1213,6 +1264,9 @@ remote-control: # name: "anotherview" # local-zone: "example.com" refuse @@ -537,7 +531,7 @@ index fcfb1da..a61b530 100644 # DNSCrypt # To enable, use --enable-dnscrypt to configure before compiling. # Caveats: -@@ -1266,7 +1320,7 @@ remote-control: +@@ -1285,7 +1339,7 @@ remote-control: # dnstap-enable: no # # if set to yes frame streams will be used in bidirectional mode # dnstap-bidirectional: yes @@ -547,5 +541,5 @@ index fcfb1da..a61b530 100644 # # set it to "IPaddress[@port]" of the destination. # dnstap-ip: "" -- -2.43.0 +2.44.0 diff --git a/unbound.spec b/unbound.spec index e792221..31e80b0 100644 --- a/unbound.spec +++ b/unbound.spec @@ -30,8 +30,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.19.1 -Release: 2%{?extra_version:.%{extra_version}}%{?dist} +Version: 1.19.3 +Release: 1%{?extra_version:.%{extra_version}}%{?dist} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -57,13 +57,6 @@ Source20: unbound.sysusers # Downstream configuration changes Patch1: unbound-fedora-config.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2253461 -# https://github.com/NLnetLabs/unbound/commit/a8739bad76d4d179290627e989c7ef236345bda6 -Patch2: unbound-1.19-b.root-servers.net.patch -# https://github.com/NLnetLabs/unbound/pull/993 -Patch3: unbound-1.19-b.root-servers.net-conf.patch -# https://github.com/NLnetLabs/unbound/commit/ccbe31c21f91ae96e759547be264a34ac63f4f90 -Patch4: unbound-1.19-EDE-cpu-lock.patch BuildRequires: gcc, make BuildRequires: flex, openssl-devel @@ -507,6 +500,13 @@ popd %{_mandir}/man1/unbound-* %changelog +* Fri Apr 12 2024 Petr Menšík - 1.19.3-1 +- Update to 1.19.3 (rhbz#2268404) +- Fix CVE-2024-1931, Denial of service when trimming EDE text on + positive replies. (rhbz#2268419) +- Use the origin (DNAME) TTL for synthesized CNAMEs as per RFC 6672. +- Bug fixes + * Fri Mar 01 2024 Paul Wouters - 1.19.1-2 - Fix trim of EDE text from large udp responses from spinning cpu. - b rootserver patches from rawhide