From 09e3b23ab0144a28e7ae1780357d04f2d05139cd Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Sat, 9 Mar 2024 16:24:15 -0500 Subject: [PATCH 01/62] Add spec file comment Note that last patch was for now public CVE-2024-1931 --- unbound.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index a764abc..391d7aa 100644 --- a/unbound.spec +++ b/unbound.spec @@ -62,7 +62,7 @@ Patch1: unbound-fedora-config.patch Patch2: unbound-1.19-b.root-servers.net.patch # https://github.com/NLnetLabs/unbound/pull/993 Patch3: unbound-1.19-b.root-servers.net-conf.patch -# https://github.com/NLnetLabs/unbound/commit/ccbe31c21f91ae96e759547be264a34ac63f4f90 +# https://github.com/NLnetLabs/unbound/commit/ccbe31c21f91ae96e759547be264a34ac63f4f90 (now released as CVE-2024-1931) Patch4: unbound-1.19-EDE-cpu-lock.patch BuildRequires: gcc, make From b4c26d9205df98c01125e2361b650b3bad06b11e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Fri, 12 Apr 2024 19:54:21 +0200 Subject: [PATCH 02/62] Update to 1.19.3 (rhbz#2268404) - Fix CVE-2024-1931, Denial of service when trimming EDE text on positive replies. (rhbz#2268419) - Use the origin (DNAME) TTL for synthesized CNAMEs as per RFC 6672. - Bug fixes https://nlnetlabs.nl/projects/unbound/download/#unbound-1-19-3 --- .gitignore | 2 + sources | 4 +- unbound-1.19-EDE-cpu-lock.patch | 14 ---- unbound-1.19-b.root-servers.net-conf.patch | 38 --------- unbound-1.19-b.root-servers.net.patch | 35 -------- unbound-fedora-config.patch | 96 ++++++++++------------ unbound.spec | 9 +- 7 files changed, 50 insertions(+), 148 deletions(-) delete mode 100644 unbound-1.19-EDE-cpu-lock.patch delete mode 100644 unbound-1.19-b.root-servers.net-conf.patch delete mode 100644 unbound-1.19-b.root-servers.net.patch diff --git a/.gitignore b/.gitignore index 62eba4b..dde18f4 100644 --- a/.gitignore +++ b/.gitignore 
@@ -85,3 +85,5 @@ unbound-1.4.5.tar.gz /unbound-1.19.0.tar.gz.asc /unbound-1.19.1.tar.gz /unbound-1.19.1.tar.gz.asc +/unbound-1.19.3.tar.gz +/unbound-1.19.3.tar.gz.asc diff --git a/sources b/sources index a941fce..eea1e9c 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (unbound-1.19.1.tar.gz) = c81192b70f14a4e289cf738bf6b647cf25b58b1ab11076dee306ff25a530b6a1bbeca71cfa8820d80f48fd843019beb29a68796a1b1fcec6e561dfeccd62d96a -SHA512 (unbound-1.19.1.tar.gz.asc) = 2e4c6b7df844d1fb93d948791a20b9ff201bd1e6de6c89a830ddce06e24e5d770409265005f549757ef3a9c99d11b9860ae21711425d76d42bf2c33240dd3b52 +SHA512 (unbound-1.19.3.tar.gz) = f860614f090a5a081cceff8ca7f4b3d416c00a251ae14ceb6b4159dc8cd022f025592074d3d78aee2f86c3eeae9d1a314713e4740aa91062579143199accd159 +SHA512 (unbound-1.19.3.tar.gz.asc) = 1b6437d7ac4394ab7d6eb0d12f22b39538152f9c88175a5368263059950b8e6b093fa5392d1ff37874effef7a422afa9c690f766802208979a99500a4bea5906 diff --git a/unbound-1.19-EDE-cpu-lock.patch b/unbound-1.19-EDE-cpu-lock.patch deleted file mode 100644 index 85b76ff..0000000 --- a/unbound-1.19-EDE-cpu-lock.patch +++ /dev/null @@ -1,14 +0,0 @@ -diff --git a/unbound-1.19.1/util/data/msgencode.c b/unbound-1.19.1/util/data/msgencode.c -index 80ae33a38..898ff8412 100644 ---- a/unbound-1.19.1/util/data/msgencode.c -+++ b/unbound-1.19.1/util/data/msgencode.c -@@ -886,6 +886,9 @@ ede_trim_text(struct edns_option** list) - curr->opt_len = 2; - prev = curr; - curr = curr->next; -+ } else { -+ prev = curr; -+ curr = curr->next; - } - } else { - /* continue */ diff --git a/unbound-1.19-b.root-servers.net-conf.patch b/unbound-1.19-b.root-servers.net-conf.patch deleted file mode 100644 index c3f41c9..0000000 --- a/unbound-1.19-b.root-servers.net-conf.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From 101f9efb8de8e5e41fe40d05461276299e4c8980 Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Tue, 16 Jan 2024 16:13:29 +0100 -Subject: [PATCH] Update b.root-servers.net also in example config file - -Addition to commit a8739bad76d4d179290627e989c7ef236345bda6, which -updated only address specified in code. But addresses provided in -example configuration were not updated, I think they should be updated -too. ---- - unbound-1.19.0/doc/example.conf.in | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/unbound-1.19.0/doc/example.conf.in b/unbound-1.19.0/doc/example.conf.in -index b79a322..3a15357 100644 ---- a/unbound-1.19.0/doc/example.conf.in -+++ b/unbound-1.19.0/doc/example.conf.in -@@ -1203,7 +1203,7 @@ include: /etc/unbound/conf.d/*.conf - # notifies. - auth-zone: - name: "." -- primary: 199.9.14.201 # b.root-servers.net -+ primary: 170.247.170.2 # b.root-servers.net - primary: 192.33.4.12 # c.root-servers.net - primary: 199.7.91.13 # d.root-servers.net - primary: 192.5.5.241 # f.root-servers.net -@@ -1211,7 +1211,7 @@ auth-zone: - primary: 193.0.14.129 # k.root-servers.net - primary: 192.0.47.132 # xfr.cjr.dns.icann.org - primary: 192.0.32.132 # xfr.lax.dns.icann.org -- primary: 2001:500:200::b # b.root-servers.net -+ primary: 2801:1b8:10::b # b.root-servers.net - primary: 2001:500:2::c # c.root-servers.net - primary: 2001:500:2d::d # d.root-servers.net - primary: 2001:500:2f::f # f.root-servers.net --- -2.43.0 - diff --git a/unbound-1.19-b.root-servers.net.patch b/unbound-1.19-b.root-servers.net.patch deleted file mode 100644 index c3b9a47..0000000 --- a/unbound-1.19-b.root-servers.net.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 72c65bfc2fe35cf4f0665a5e3f173f4f8f6f151b Mon Sep 17 00:00:00 2001 -From: "W.C.A. Wijngaards" -Date: Wed, 6 Dec 2023 13:25:58 +0100 -Subject: [PATCH] - Updated IPv4 and IPv6 address for b.root-servers.net in - root hints. - ---- - unbound-1.19.0/iterator/iter_hints.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/unbound-1.19.0/iterator/iter_hints.c b/unbound-1.19.0/iterator/iter_hints.c -index a60d9a6..6b56daa 100644 ---- a/unbound-1.19.0/iterator/iter_hints.c -+++ b/unbound-1.19.0/iterator/iter_hints.c -@@ -129,7 +129,7 @@ compile_time_root_prime(int do_ip4, int do_ip6) - dp->has_parent_side_NS = 1; - if(do_ip4) { - if(!ah(dp, "A.ROOT-SERVERS.NET.", "198.41.0.4")) goto failed; -- if(!ah(dp, "B.ROOT-SERVERS.NET.", "199.9.14.201")) goto failed; -+ if(!ah(dp, "B.ROOT-SERVERS.NET.", "170.247.170.2")) goto failed; - if(!ah(dp, "C.ROOT-SERVERS.NET.", "192.33.4.12")) goto failed; - if(!ah(dp, "D.ROOT-SERVERS.NET.", "199.7.91.13")) goto failed; - if(!ah(dp, "E.ROOT-SERVERS.NET.", "192.203.230.10")) goto failed; -@@ -144,7 +144,7 @@ compile_time_root_prime(int do_ip4, int do_ip6) - } - if(do_ip6) { - if(!ah(dp, "A.ROOT-SERVERS.NET.", "2001:503:ba3e::2:30")) goto failed; -- if(!ah(dp, "B.ROOT-SERVERS.NET.", "2001:500:200::b")) goto failed; -+ if(!ah(dp, "B.ROOT-SERVERS.NET.", "2801:1b8:10::b")) goto failed; - if(!ah(dp, "C.ROOT-SERVERS.NET.", "2001:500:2::c")) goto failed; - if(!ah(dp, "D.ROOT-SERVERS.NET.", "2001:500:2d::d")) goto failed; - if(!ah(dp, "E.ROOT-SERVERS.NET.", "2001:500:a8::e")) goto failed; --- -2.43.0 - diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch index 009cb07..0aeb6cb 100644 --- a/unbound-fedora-config.patch +++ b/unbound-fedora-config.patch @@ -1,4 +1,4 @@ -From 77710cef1d7001fc52b7f19b0b9e305fd355f07e Mon Sep 17 00:00:00 2001 +From 17d4cc5fea24faa55358b7c36fdae0cd9bdd48b6 Mon Sep 17 00:00:00 2001 
From: Petr Mensik Date: Fri, 10 Nov 2023 12:58:31 +0100 Subject: [PATCH] Customize unbound.conf for Fedora defaults @@ -7,13 +7,13 @@ Set some Fedora/RHEL specific changes to example configuration file. By patching upstream provided config file we would not need to manually update external copy in source RPM. --- - unbound-1.19.1/doc/example.conf.in | 200 ++++++++++++++++++----------- - 1 file changed, 127 insertions(+), 73 deletions(-) + unbound-1.19.3/doc/example.conf.in | 194 ++++++++++++++++++----------- + 1 file changed, 124 insertions(+), 70 deletions(-) -diff --git a/unbound-1.19.1/doc/example.conf.in b/unbound-1.19.1/doc/example.conf.in -index fcfb1da..a61b530 100644 ---- a/unbound-1.19.1/doc/example.conf.in -+++ b/unbound-1.19.1/doc/example.conf.in +diff --git a/unbound-1.19.3/doc/example.conf.in b/unbound-1.19.3/doc/example.conf.in +index d791cf8..af163b2 100644 +--- a/unbound-1.19.3/doc/example.conf.in ++++ b/unbound-1.19.3/doc/example.conf.in @@ -17,11 +17,12 @@ server: # whitespace is not necessary, but looks cleaner. @@ -148,7 +148,7 @@ index fcfb1da..a61b530 100644 # Use systemd socket activation for UDP, TCP, and control sockets. # use-systemd: no -@@ -402,6 +426,7 @@ server: +@@ -403,6 +427,7 @@ server: # # If you give "" no chroot is performed. The path must not end in a /. # chroot: "@UNBOUND_CHROOT_DIR@" @@ -156,7 +156,7 @@ index fcfb1da..a61b530 100644 # if given, user privileges are dropped (after binding port), # and the given username is assumed. Default is user "unbound". -@@ -413,7 +438,7 @@ server: +@@ -414,7 +439,7 @@ server: # is not changed. # If you give a server: directory: dir before include: file statements # then those includes can be relative to the working directory. 
@@ -165,7 +165,7 @@ index fcfb1da..a61b530 100644 # the log file, "" means log to stderr. # Use of this option sets use-syslog to "no". -@@ -428,7 +453,7 @@ server: +@@ -429,7 +454,7 @@ server: # log-identity: "" # print UTC timestamp in ascii to logfile, default is epoch in seconds. @@ -174,7 +174,7 @@ index fcfb1da..a61b530 100644 # print one line with time, IP, name, type, class for every query. # log-queries: no -@@ -497,22 +522,22 @@ server: +@@ -501,22 +526,22 @@ server: # harden-large-queries: no # Harden against out of zone rrsets, to avoid spoofing attempts. @@ -201,7 +201,7 @@ index fcfb1da..a61b530 100644 # Harden against algorithm downgrade when multiple algorithms are # advertised in the DS record. If no, allows the weakest algorithm -@@ -526,7 +551,7 @@ server: +@@ -530,7 +555,7 @@ server: # Sent minimum amount of information to upstream servers to enhance # privacy. Only sent minimum required labels of the QNAME and set QTYPE # to A when possible. @@ -210,7 +210,7 @@ index fcfb1da..a61b530 100644 # QNAME minimisation in strict mode. Do not fall-back to sending full # QNAME to potentially broken nameservers. A lot of domains will not be -@@ -536,7 +561,7 @@ server: +@@ -540,7 +565,7 @@ server: # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN # and other denials, using information from previous NXDOMAINs answers. @@ -219,7 +219,7 @@ index fcfb1da..a61b530 100644 # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. -@@ -569,7 +594,7 @@ server: +@@ -573,7 +598,7 @@ server: # threshold, a warning is printed and a defensive action is taken, # the cache is cleared to flush potential poison out of it. # A suggested value is 10000000, the default is 0 (turned off). 
@@ -228,7 +228,7 @@ index fcfb1da..a61b530 100644 # Do not query the following addresses. No DNS queries are sent there. # List one address per entry. List classless netblocks with /size, -@@ -581,20 +606,20 @@ server: +@@ -585,20 +610,20 @@ server: # do-not-query-localhost: yes # if yes, perform prefetching of almost expired message cache entries. @@ -254,7 +254,7 @@ index fcfb1da..a61b530 100644 # true to disable DNSSEC lameness check in iterator. # disable-dnssec-lame-check: no -@@ -604,7 +629,9 @@ server: +@@ -608,7 +633,9 @@ server: # most modules have to be listed at the beginning of the line, # except cachedb(just before iterator), and python (at the beginning, # or, just before the iterator). @@ -265,7 +265,7 @@ index fcfb1da..a61b530 100644 # File with trusted keys, kept uptodate using RFC5011 probes, # initial file like trust-anchor-file, then it stores metadata. -@@ -618,10 +645,10 @@ server: +@@ -622,10 +649,10 @@ server: # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" # trust anchor signaling sends a RFC8145 key tag query after priming. @@ -278,7 +278,7 @@ index fcfb1da..a61b530 100644 # File with trusted keys for validation. Specify more than one file # with several entries, one file per entry. -@@ -642,6 +669,9 @@ server: +@@ -646,6 +673,9 @@ server: # the trusted-keys { name flag proto algo "key"; }; clauses are read. # you need external update procedures to track changes in keys. # trusted-keys-file: "" @@ -288,7 +288,7 @@ index fcfb1da..a61b530 100644 # Ignore chain of trust. Domain is treated as insecure. # domain-insecure: "example.com" -@@ -669,14 +699,15 @@ server: +@@ -673,14 +703,15 @@ server: # unsecure data. Useful to shield the users of this validator from # potential bogus data in the additional section. All unsigned data # in the additional section is removed from secure messages. 
@@ -306,7 +306,7 @@ index fcfb1da..a61b530 100644 # Ignore the CD flag in incoming queries and refuse them bogus data. # Enable it if the only clients of Unbound are legacy servers (w2008) -@@ -690,11 +721,11 @@ server: +@@ -694,11 +725,11 @@ server: # Serve expired responses from cache, with serve-expired-reply-ttl in # the response, and then attempt to fetch the data afresh. @@ -320,7 +320,7 @@ index fcfb1da..a61b530 100644 # # Set the TTL of expired records to the serve-expired-ttl value after a # failed attempt to retrieve the record from upstream. This makes sure -@@ -721,7 +752,7 @@ server: +@@ -725,7 +756,7 @@ server: # Have the validator log failed validations for your diagnosis. # 0: off. 1: A line per failed user query. 2: With reason and bad IP. @@ -329,7 +329,7 @@ index fcfb1da..a61b530 100644 # It is possible to configure NSEC3 maximum iteration counts per # keysize. Keep this table very short, as linear search is done. -@@ -865,6 +896,8 @@ server: +@@ -869,6 +900,8 @@ server: # you need to do the reverse notation yourself. # local-data-ptr: "192.0.2.3 www.example.com" @@ -338,7 +338,7 @@ index fcfb1da..a61b530 100644 # tag a localzone with a list of tag names (in "" with spaces between) # local-zone-tag: "example.com" "tag2 tag3" -@@ -875,8 +908,8 @@ server: +@@ -879,8 +912,8 @@ server: # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. # Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. 
@@ -349,7 +349,7 @@ index fcfb1da..a61b530 100644 # tls-port: 853 # https-port: 443 -@@ -884,6 +917,8 @@ server: +@@ -888,6 +921,8 @@ server: # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" # cipher setting for TLSv1.3 # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" @@ -358,8 +358,8 @@ index fcfb1da..a61b530 100644 # Pad responses to padded queries received over TLS # pad-responses: yes -@@ -1005,12 +1040,12 @@ server: - # fast-server-num: 3 +@@ -1024,12 +1059,12 @@ server: + # cookie-secret: <128 bit random hex string> # Enable to attach Extended DNS Error codes (RFC8914) to responses. - # ede: no @@ -373,7 +373,7 @@ index fcfb1da..a61b530 100644 # Specific options for ipsecmod. Unbound needs to be configured with # --enable-ipsecmod for these to take effect. -@@ -1018,12 +1053,14 @@ server: +@@ -1037,12 +1072,14 @@ server: # Enable or disable ipsecmod (it still needs to be defined in # module-config above). Can be used when ipsecmod needs to be # enabled/disabled via remote-control(below). @@ -391,7 +391,7 @@ index fcfb1da..a61b530 100644 # When enabled Unbound will reply with SERVFAIL if the return value of # the ipsecmod-hook is not 0. # ipsecmod-strict: no -@@ -1056,7 +1093,7 @@ server: +@@ -1075,7 +1112,7 @@ server: # o and give a python-script to run. python: # Script file to load @@ -400,7 +400,7 @@ index fcfb1da..a61b530 100644 # Dynamic library config section. To enable: # o use --with-dynlibmodule to configure before compiling. -@@ -1067,13 +1104,14 @@ python: +@@ -1086,13 +1123,14 @@ python: # the module-config then you need one dynlib-file per instance. dynlib: # Script file to load 
@@ -417,7 +417,7 @@ index fcfb1da..a61b530 100644 # what interfaces are listened to for remote control. # give 0.0.0.0 and ::0 to listen to all interfaces. -@@ -1081,6 +1119,7 @@ remote-control: +@@ -1100,6 +1138,7 @@ remote-control: # are not used for that, so key and cert files need not be present. # control-interface: 127.0.0.1 # control-interface: ::1 @@ -425,7 +425,7 @@ index fcfb1da..a61b530 100644 # port number for remote control operations. # control-port: 8953 -@@ -1090,16 +1129,19 @@ remote-control: +@@ -1109,16 +1148,19 @@ remote-control: # control-use-cert: "yes" # Unbound server key file. @@ -449,7 +449,7 @@ index fcfb1da..a61b530 100644 # Stub zones. # Create entries like below, to make all queries for 'example.com' and -@@ -1121,6 +1163,10 @@ remote-control: +@@ -1140,6 +1182,10 @@ remote-control: # name: "example.org" # stub-host: ns.example.com. @@ -460,7 +460,7 @@ index fcfb1da..a61b530 100644 # Forward zones # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of servers. These servers have to handle -@@ -1138,6 +1184,10 @@ remote-control: +@@ -1157,6 +1203,10 @@ remote-control: # forward-zone: # name: "example.org" # forward-host: fwd.example.com 
@@ -471,16 +471,13 @@ index fcfb1da..a61b530 100644 # Authority zones # The data for these zones is kept locally, from a file or downloaded. -@@ -1145,30 +1195,31 @@ remote-control: - # upstream (which saves a lookup to the upstream). The first example - # has a copy of the root for local usage. The second serves example.org - # authoritatively. zonefile: reads from file (and writes to it if you also --# download it), primary: fetches with AXFR and IXFR, or url to zonefile. --# With allow-notify: you can give additional (apart from primaries and urls) --# sources of notifies. +@@ -1167,27 +1217,28 @@ remote-control: + # download it), primary: fetches with AXFR and IXFR, or url to zonefile. + # With allow-notify: you can give additional (apart from primaries and urls) + # sources of notifies. -# auth-zone: -# name: "." --# primary: 199.9.14.201 # b.root-servers.net +-# primary: 170.247.170.2 # b.root-servers.net -# primary: 192.33.4.12 # c.root-servers.net -# primary: 199.7.91.13 # d.root-servers.net -# primary: 192.5.5.241 # f.root-servers.net @@ -488,7 +485,7 @@ index fcfb1da..a61b530 100644 -# primary: 193.0.14.129 # k.root-servers.net -# primary: 192.0.47.132 # xfr.cjr.dns.icann.org -# primary: 192.0.32.132 # xfr.lax.dns.icann.org --# primary: 2001:500:200::b # b.root-servers.net +-# primary: 2801:1b8:10::b # b.root-servers.net -# primary: 2001:500:2::c # c.root-servers.net -# primary: 2001:500:2d::d # d.root-servers.net -# primary: 2001:500:2f::f # f.root-servers.net 
@@ -499,12 +496,9 @@ index fcfb1da..a61b530 100644 -# fallback-enabled: yes -# for-downstream: no -# for-upstream: yes -+# download it), master: fetches with AXFR and IXFR, or url to zonefile. -+# With allow-notify: you can give additional (apart from masters) sources of -+# notifies. -+auth-zone: ++ auth-zone: + name: "." -+ primary: 199.9.14.201 # b.root-servers.net ++ primary: 170.247.170.2 # b.root-servers.net + primary: 192.33.4.12 # c.root-servers.net + primary: 199.7.91.13 # d.root-servers.net + primary: 192.5.5.241 # f.root-servers.net @@ -512,7 +506,7 @@ index fcfb1da..a61b530 100644 + primary: 193.0.14.129 # k.root-servers.net + primary: 192.0.47.132 # xfr.cjr.dns.icann.org + primary: 192.0.32.132 # xfr.lax.dns.icann.org -+ primary: 2001:500:200::b # b.root-servers.net ++ primary: 2801:1b8:10::b # b.root-servers.net + primary: 2001:500:2::c # c.root-servers.net + primary: 2001:500:2d::d # d.root-servers.net + primary: 2001:500:2f::f # f.root-servers.net @@ -527,7 +521,7 @@ index fcfb1da..a61b530 100644 # auth-zone: # name: "example.org" # for-downstream: yes -@@ -1194,6 +1245,9 @@ remote-control: +@@ -1213,6 +1264,9 @@ remote-control: # name: "anotherview" # local-zone: "example.com" refuse @@ -537,7 +531,7 @@ index fcfb1da..a61b530 100644 # DNSCrypt # To enable, use --enable-dnscrypt to configure before compiling. # Caveats: -@@ -1266,7 +1320,7 @@ remote-control: +@@ -1285,7 +1339,7 @@ remote-control: # dnstap-enable: no # # if set to yes frame streams will be used in bidirectional mode # dnstap-bidirectional: yes @@ -547,5 +541,5 @@ index fcfb1da..a61b530 100644 # # set it to "IPaddress[@port]" of the destination. # dnstap-ip: "" -- -2.43.0 +2.44.0 diff --git a/unbound.spec b/unbound.spec index 391d7aa..8d421c6 100644 --- a/unbound.spec +++ b/unbound.spec 
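Review bot: The uncommented root `auth-zone` now pulls the zone over plain AXFR/IXFR from the listed `primary:` addresses with no transfer authentication visible in the hunk, so the trustworthiness of what Unbound serves from it (the `fallback-enabled`/`for-upstream` lines fall outside this hunk) rests on DNSSEC validation staying enabled; that is worth stating next to the clause, e.g. `# Local copy of the root zone (RFC 8806); the transfer itself is not authenticated, so keep the validator in module-config.` Separately, the replacement line `++ auth-zone:` appears to carry a leading space where the old `+auth-zone:` did not, which would leave this clause indented unlike `server:`, `python:` and `remote-control:` elsewhere in the file; if that is not intentional, `auth-zone:` at column 0 matches the rest. The address update to 170.247.170.2 / 2801:1b8:10::b is consistent with the dropped Patch2/Patch3 and needs no further change.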
@@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.19.1 +Version: 1.19.3 Release: %autorelease %{?extra_version:-e %{extra_version}} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ @@ -57,13 +57,6 @@ Source20: unbound.sysusers # Downstream configuration changes Patch1: unbound-fedora-config.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2253461 -# https://github.com/NLnetLabs/unbound/commit/a8739bad76d4d179290627e989c7ef236345bda6 -Patch2: unbound-1.19-b.root-servers.net.patch -# https://github.com/NLnetLabs/unbound/pull/993 -Patch3: unbound-1.19-b.root-servers.net-conf.patch -# https://github.com/NLnetLabs/unbound/commit/ccbe31c21f91ae96e759547be264a34ac63f4f90 (now released as CVE-2024-1931) -Patch4: unbound-1.19-EDE-cpu-lock.patch BuildRequires: gcc, make BuildRequires: flex, openssl-devel From cd3bdb1b777935f939249df2b899956b1bb9a59e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Mon, 15 Apr 2024 13:10:32 +0200 Subject: [PATCH 03/62] Harden autoconf re-generation Try to use known working replacements from autoconf-archive instead of bundled outdated copy. Remove first files known to be regenerated. --- unbound.spec | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/unbound.spec b/unbound.spec index 8d421c6..c44dc7d 100644 --- a/unbound.spec +++ b/unbound.spec @@ -62,6 +62,12 @@ BuildRequires: gcc, make BuildRequires: flex, openssl-devel BuildRequires: libevent-devel expat-devel BuildRequires: pkgconfig + +# Required for configure regeneration +BuildRequires: bison +BuildRequires: automake autoconf libtool +BuildRequires: autoconf-archive + %if 0%{?fedora} BuildRequires: gnupg2 %endif 
@@ -88,9 +94,6 @@ BuildRequires: systemd-rpm-macros %else BuildRequires: systemd %endif -# Required for SVN versions -# BuildRequires: bison -# BuildRequires: automake autoconf libtool # Needed because /usr/sbin/unbound links unbound libs staticly Requires: %{name}-libs%{?_isa} = %{version}-%{release} @@ -204,9 +207,6 @@ pushd %{pkgname} # patches go here %autopatch -p2 -# only for snapshots -# autoreconf -iv - # copy common doc files - after here, since it may be patched cp -pr doc pythonmod libunbound ../ @@ -226,9 +226,6 @@ cp -a %{dir_primary} %{dir_secondary} %endif %build -# This is needed to rebuild the configure script to support Python 3.x -# autoreconf -iv - # ./configure script common arguments %global configure_args --with-libevent --with-pthreads --with-ssl \\\ --disable-rpath --disable-static \\\ @@ -244,6 +241,14 @@ cp -a %{dir_primary} %{dir_secondary} pushd %{dir_primary} +# always regenerate configure +rm -f config.h.in aclocal.m4 configure ltmain.sh +rm -f ax_pthread.m4 +cp -p %{_datadir}/aclocal/{ax_pthread,ax_swig_python}.m4 . +# TODO: use ax_swig_python.m4 from autoconf-archive too +# https://github.com/NLnetLabs/unbound/pull/1048 +autoreconf -fiv + %configure \ %if 0%{?python_primary:1} --with-pythonmodule --with-pyunbound PYTHON=%{python_primary} \ From befd44516251caa12b67f78d6cd97a5cb056e795 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Mon, 15 Apr 2024 13:58:59 +0200 Subject: [PATCH 04/62] Use newer swig m4 configuration Use autoconf-archive version of swig initialization too. Backport it from upstream change. --- unbound-1.19-autoconf-m4.patch | 792 +++++++++++++++++++++++++++++++++ unbound.spec | 6 +- 2 files changed, 795 insertions(+), 3 deletions(-) create mode 100644 unbound-1.19-autoconf-m4.patch diff --git a/unbound-1.19-autoconf-m4.patch b/unbound-1.19-autoconf-m4.patch new file mode 100644 index 0000000..b014cb2 --- /dev/null +++ b/unbound-1.19-autoconf-m4.patch 
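Review bot: The regeneration block added at the end of the last hunk runs only inside `pushd %{dir_primary}`, yet the hunk header's own context line shows `cp -a %{dir_primary} %{dir_secondary}` already happened in %prep, so a secondary build tree (if it is configured later, outside this hunk) still carries upstream's pre-generated `configure`, `aclocal.m4` and bundled `ax_pthread.m4` — exactly the files this commit intends to replace. Either move the `rm`/`cp`/`autoreconf -fiv` lines into %prep ahead of the `cp -a`, or repeat them for `%{dir_secondary}`, so both trees are built from the same system macros. A smaller point: `{ax_pthread,ax_swig_python}.m4` depends on brace expansion, which holds when rpm's shell is bash but is clearer as two explicit `cp -p` lines. The comment could also say why, e.g. `# always regenerate configure from the system autoconf-archive macros instead of the bundled, outdated copies`.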
@@ -0,0 +1,792 @@ +From 926b5dadfb1f1454bd0e54dd195018d11c223c34 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Mon, 15 Apr 2024 11:30:19 +0200 +Subject: [PATCH] Update ax_pkg_swig.m4 and ax_pthread.m4 + +Use vanilla m4 files with known source. Prepared for possible removal at +build time if the system already has autoconf-archive source present. +Switch to AX_PKG_SWIG macro for versioned or unversioned swig detection. +--- + unbound-1.19.3/ac_pkg_swig.m4 | 133 ---------- + unbound-1.19.3/ax_pthread.m4 | 444 ++++++++++++++++++++++++---------- + unbound-1.19.3/configure.ac | 6 +- + 3 files changed, 320 insertions(+), 263 deletions(-) + delete mode 100644 unbound-1.19.3/ac_pkg_swig.m4 + +diff --git a/unbound-1.19.3/ac_pkg_swig.m4 b/unbound-1.19.3/ac_pkg_swig.m4 +deleted file mode 100644 +index 87f99fb..0000000 +--- a/unbound-1.19.3/ac_pkg_swig.m4 ++++ /dev/null +@@ -1,133 +0,0 @@ +-# =========================================================================== +-# http://autoconf-archive.cryp.to/ac_pkg_swig.html +-# =========================================================================== +-# +-# SYNOPSIS +-# +-# AC_PROG_SWIG([major.minor.micro]) +-# +-# DESCRIPTION +-# +-# This macro searches for a SWIG installation on your system. If found you +-# should call SWIG via $(SWIG). You can use the optional first argument to +-# check if the version of the available SWIG is greater than or equal to +-# the value of the argument. It should have the format: N[.N[.N]] (N is a +-# number between 0 and 999. Only the first N is mandatory.) +-# +-# If the version argument is given (e.g. 1.3.17), AC_PROG_SWIG checks that +-# the swig package is this version number or higher. +-# +-# In configure.in, use as: +-# +-# AC_PROG_SWIG(1.3.17) +-# SWIG_ENABLE_CXX +-# SWIG_MULTI_MODULE_SUPPORT +-# SWIG_PYTHON +-# +-# LAST MODIFICATION +-# +-# 2008-04-12 +-# +-# COPYLEFT +-# +-# Copyright (c) 2008 Sebastian Huber +-# Copyright (c) 2008 Alan W. 
Irwin +-# Copyright (c) 2008 Rafael Laboissiere +-# Copyright (c) 2008 Andrew Collier +-# +-# This program is free software; you can redistribute it and/or modify it +-# under the terms of the GNU General Public License as published by the +-# Free Software Foundation; either version 2 of the License, or (at your +-# option) any later version. +-# +-# This program is distributed in the hope that it will be useful, but +-# WITHOUT ANY WARRANTY; without even the implied warranty of +-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General +-# Public License for more details. +-# +-# You should have received a copy of the GNU General Public License along +-# with this program. If not, see . +-# +-# As a special exception, the respective Autoconf Macro's copyright owner +-# gives unlimited permission to copy, distribute and modify the configure +-# scripts that are the output of Autoconf when processing the Macro. You +-# need not follow the terms of the GNU General Public License when using +-# or distributing such scripts, even though portions of the text of the +-# Macro appear in them. The GNU General Public License (GPL) does govern +-# all other use of the material that constitutes the Autoconf Macro. +-# +-# This special exception to the GPL applies to versions of the Autoconf +-# Macro released by the Autoconf Macro Archive. When you make and +-# distribute a modified version of the Autoconf Macro, you may extend this +-# special exception to the GPL to apply to your modified version as well. +- +-AC_DEFUN([AC_PROG_SWIG],[ +- AC_PATH_PROG([SWIG],[swig]) +- if test -z "$SWIG" ; then +- AC_MSG_WARN([cannot find 'swig' program. You should look at http://www.swig.org]) +- SWIG='echo "Error: SWIG is not installed. 
You should look at http://www.swig.org" ; false' +- elif test -n "$1" ; then +- AC_MSG_CHECKING([for SWIG version]) +- [swig_version=`$SWIG -version 2>&1 | grep 'SWIG Version' | sed 's/.*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/g'`] +- AC_MSG_RESULT([$swig_version]) +- if test -n "$swig_version" ; then +- # Calculate the required version number components +- [required=$1] +- [required_major=`echo $required | sed 's/[^0-9].*//'`] +- if test -z "$required_major" ; then +- [required_major=0] +- fi +- [required=`echo $required | sed 's/[0-9]*[^0-9]//'`] +- [required_minor=`echo $required | sed 's/[^0-9].*//'`] +- if test -z "$required_minor" ; then +- [required_minor=0] +- fi +- [required=`echo $required | sed 's/[0-9]*[^0-9]//'`] +- [required_patch=`echo $required | sed 's/[^0-9].*//'`] +- if test -z "$required_patch" ; then +- [required_patch=0] +- fi +- # Calculate the available version number components +- [available=$swig_version] +- [available_major=`echo $available | sed 's/[^0-9].*//'`] +- if test -z "$available_major" ; then +- [available_major=0] +- fi +- [available=`echo $available | sed 's/[0-9]*[^0-9]//'`] +- [available_minor=`echo $available | sed 's/[^0-9].*//'`] +- if test -z "$available_minor" ; then +- [available_minor=0] +- fi +- [available=`echo $available | sed 's/[0-9]*[^0-9]//'`] +- [available_patch=`echo $available | sed 's/[^0-9].*//'`] +- if test -z "$available_patch" ; then +- [available_patch=0] +- fi +- [badversion=0] +- if test $available_major -lt $required_major ; then +- [badversion=1] +- fi +- if test $available_major -eq $required_major \ +- -a $available_minor -lt $required_minor ; then +- [badversion=1] +- fi +- if test $available_major -eq $required_major \ +- -a $available_minor -eq $required_minor \ +- -a $available_patch -lt $required_patch ; then +- [badversion=1] +- fi +- if test $badversion -eq 1 ; then +- AC_MSG_WARN([SWIG version >= $1 is required. You have $swig_version. 
You should look at http://www.swig.org]) +- SWIG='echo "Error: SWIG version >= $1 is required. You have '"$swig_version"'. You should look at http://www.swig.org" ; false' +- else +- AC_MSG_NOTICE([SWIG executable is '$SWIG']) +- SWIG_LIB=`$SWIG -swiglib` +- AC_MSG_NOTICE([SWIG library directory is '$SWIG_LIB']) +- fi +- else +- AC_MSG_WARN([cannot determine SWIG version]) +- SWIG='echo "Error: Cannot determine SWIG version. You should look at http://www.swig.org" ; false' +- fi +- fi +- AC_SUBST([SWIG_LIB]) +-]) +diff --git a/unbound-1.19.3/ax_pthread.m4 b/unbound-1.19.3/ax_pthread.m4 +index ff7d2a6..9f35d13 100644 +--- a/unbound-1.19.3/ax_pthread.m4 ++++ b/unbound-1.19.3/ax_pthread.m4 +@@ -1,5 +1,5 @@ + # =========================================================================== +-# http://www.gnu.org/software/autoconf-archive/ax_pthread.html ++# https://www.gnu.org/software/autoconf-archive/ax_pthread.html + # =========================================================================== + # + # SYNOPSIS +@@ -14,24 +14,28 @@ + # flags that are needed. (The user can also force certain compiler + # flags/libs to be tested by setting these environment variables.) + # +-# Also sets PTHREAD_CC to any special C compiler that is needed for +-# multi-threaded programs (defaults to the value of CC otherwise). (This +-# is necessary on AIX to use the special cc_r compiler alias.) ++# Also sets PTHREAD_CC and PTHREAD_CXX to any special C compiler that is ++# needed for multi-threaded programs (defaults to the value of CC ++# respectively CXX otherwise). (This is necessary on e.g. AIX to use the ++# special cc_r/CC_r compiler alias.) + # + # NOTE: You are assumed to not only compile your program with these flags, +-# but also link it with them as well. e.g. you should link with ++# but also to link with them as well. For example, you might link with + # $PTHREAD_CC $CFLAGS $PTHREAD_CFLAGS $LDFLAGS ... $PTHREAD_LIBS $LIBS ++# $PTHREAD_CXX $CXXFLAGS $PTHREAD_CFLAGS $LDFLAGS ... 
$PTHREAD_LIBS $LIBS + # +-# If you are only building threads programs, you may wish to use these ++# If you are only building threaded programs, you may wish to use these + # variables in your default LIBS, CFLAGS, and CC: + # + # LIBS="$PTHREAD_LIBS $LIBS" + # CFLAGS="$CFLAGS $PTHREAD_CFLAGS" ++# CXXFLAGS="$CXXFLAGS $PTHREAD_CFLAGS" + # CC="$PTHREAD_CC" ++# CXX="$PTHREAD_CXX" + # + # In addition, if the PTHREAD_CREATE_JOINABLE thread-attribute constant +-# has a nonstandard name, defines PTHREAD_CREATE_JOINABLE to that name +-# (e.g. PTHREAD_CREATE_UNDETACHED on AIX). ++# has a nonstandard name, this macro defines PTHREAD_CREATE_JOINABLE to ++# that name (e.g. PTHREAD_CREATE_UNDETACHED on AIX). + # + # Also HAVE_PTHREAD_PRIO_INHERIT is defined if pthread is found and the + # PTHREAD_PRIO_INHERIT symbol is defined when compiling with +@@ -55,6 +59,7 @@ + # + # Copyright (c) 2008 Steven G. Johnson + # Copyright (c) 2011 Daniel Richard G. ++# Copyright (c) 2019 Marc Stevens + # + # This program is free software: you can redistribute it and/or modify it + # under the terms of the GNU General Public License as published by the +@@ -67,7 +72,7 @@ + # Public License for more details. + # + # You should have received a copy of the GNU General Public License along +-# with this program. If not, see . ++# with this program. If not, see . + # + # As a special exception, the respective Autoconf Macro's copyright owner + # gives unlimited permission to copy, distribute and modify the configure +@@ -82,35 +87,41 @@ + # modified version of the Autoconf Macro, you may extend this special + # exception to the GPL to apply to your modified version as well. 
+ +-#serial 21 ++#serial 31 + + AU_ALIAS([ACX_PTHREAD], [AX_PTHREAD]) + AC_DEFUN([AX_PTHREAD], [ + AC_REQUIRE([AC_CANONICAL_HOST]) ++AC_REQUIRE([AC_PROG_CC]) ++AC_REQUIRE([AC_PROG_SED]) + AC_LANG_PUSH([C]) + ax_pthread_ok=no + + # We used to check for pthread.h first, but this fails if pthread.h +-# requires special compiler flags (e.g. on True64 or Sequent). ++# requires special compiler flags (e.g. on Tru64 or Sequent). + # It gets checked for in the link test anyway. + + # First of all, check if the user has set any of the PTHREAD_LIBS, + # etcetera environment variables, and if threads linking works using + # them: +-if test x"$PTHREAD_LIBS$PTHREAD_CFLAGS" != x; then +- save_CFLAGS="$CFLAGS" ++if test "x$PTHREAD_CFLAGS$PTHREAD_LIBS" != "x"; then ++ ax_pthread_save_CC="$CC" ++ ax_pthread_save_CFLAGS="$CFLAGS" ++ ax_pthread_save_LIBS="$LIBS" ++ AS_IF([test "x$PTHREAD_CC" != "x"], [CC="$PTHREAD_CC"]) ++ AS_IF([test "x$PTHREAD_CXX" != "x"], [CXX="$PTHREAD_CXX"]) + CFLAGS="$CFLAGS $PTHREAD_CFLAGS" +- save_LIBS="$LIBS" + LIBS="$PTHREAD_LIBS $LIBS" +- AC_MSG_CHECKING([for pthread_join in LIBS=$PTHREAD_LIBS with CFLAGS=$PTHREAD_CFLAGS]) +- AC_TRY_LINK_FUNC([pthread_join], [ax_pthread_ok=yes]) ++ AC_MSG_CHECKING([for pthread_join using $CC $PTHREAD_CFLAGS $PTHREAD_LIBS]) ++ AC_LINK_IFELSE([AC_LANG_CALL([], [pthread_join])], [ax_pthread_ok=yes]) + AC_MSG_RESULT([$ax_pthread_ok]) +- if test x"$ax_pthread_ok" = xno; then ++ if test "x$ax_pthread_ok" = "xno"; then + PTHREAD_LIBS="" + PTHREAD_CFLAGS="" + fi +- LIBS="$save_LIBS" +- CFLAGS="$save_CFLAGS" ++ CC="$ax_pthread_save_CC" ++ CFLAGS="$ax_pthread_save_CFLAGS" ++ LIBS="$ax_pthread_save_LIBS" + fi + + # We must check for the threads library under a number of different +@@ -118,12 +129,14 @@ fi + # (e.g. DEC) have both -lpthread and -lpthreads, where one of the + # libraries is broken (non-POSIX). + +-# Create a list of thread flags to try. 
Items starting with a "-" are +-# C compiler flags, and other items are library names, except for "none" +-# which indicates that we try without any flags at all, and "pthread-config" +-# which is a program returning the flags for the Pth emulation library. ++# Create a list of thread flags to try. Items with a "," contain both ++# C compiler flags (before ",") and linker flags (after ","). Other items ++# starting with a "-" are C compiler flags, and remaining items are ++# library names, except for "none" which indicates that we try without ++# any flags at all, and "pthread-config" which is a program returning ++# the flags for the Pth emulation library. + +-ax_pthread_flags="pthreads none -Kthread -kthread lthread -pthread -pthreads -mthreads pthread --thread-safe -mt pthread-config" ++ax_pthread_flags="pthreads none -Kthread -pthread -pthreads -mthreads pthread --thread-safe -mt pthread-config" + + # The ordering *is* (sometimes) important. Some notes on the + # individual items follow: +@@ -132,82 +145,163 @@ ax_pthread_flags="pthreads none -Kthread -kthread lthread -pthread -pthreads -mt + # none: in case threads are in libc; should be tried before -Kthread and + # other compiler flags to prevent continual compiler warnings + # -Kthread: Sequent (threads in libc, but -Kthread needed for pthread.h) +-# -kthread: FreeBSD kernel threads (preferred to -pthread since SMP-able) +-# lthread: LinuxThreads port on FreeBSD (also preferred to -pthread) +-# -pthread: Linux/gcc (kernel threads), BSD/gcc (userland threads) +-# -pthreads: Solaris/gcc +-# -mthreads: Mingw32/gcc, Lynx/gcc ++# -pthread: Linux/gcc (kernel threads), BSD/gcc (userland threads), Tru64 ++# (Note: HP C rejects this with "bad form for `-t' option") ++# -pthreads: Solaris/gcc (Note: HP C also rejects) + # -mt: Sun Workshop C (may only link SunOS threads [-lthread], but it +-# doesn't hurt to check since this sometimes defines pthreads too; +-# also defines -D_REENTRANT) +-# ... 
-mt is also the pthreads flag for HP/aCC ++# doesn't hurt to check since this sometimes defines pthreads and ++# -D_REENTRANT too), HP C (must be checked before -lpthread, which ++# is present but should not be used directly; and before -mthreads, ++# because the compiler interprets this as "-mt" + "-hreads") ++# -mthreads: Mingw32/gcc, Lynx/gcc + # pthread: Linux, etcetera + # --thread-safe: KAI C++ + # pthread-config: use pthread-config program (for GNU Pth library) + +-case ${host_os} in ++case $host_os in ++ ++ freebsd*) ++ ++ # -kthread: FreeBSD kernel threads (preferred to -pthread since SMP-able) ++ # lthread: LinuxThreads port on FreeBSD (also preferred to -pthread) ++ ++ ax_pthread_flags="-kthread lthread $ax_pthread_flags" ++ ;; ++ ++ hpux*) ++ ++ # From the cc(1) man page: "[-mt] Sets various -D flags to enable ++ # multi-threading and also sets -lpthread." ++ ++ ax_pthread_flags="-mt -pthread pthread $ax_pthread_flags" ++ ;; ++ ++ openedition*) ++ ++ # IBM z/OS requires a feature-test macro to be defined in order to ++ # enable POSIX threads at all, so give the user a hint if this is ++ # not set. (We don't define these ourselves, as they can affect ++ # other portions of the system API in unpredictable ways.) ++ ++ AC_EGREP_CPP([AX_PTHREAD_ZOS_MISSING], ++ [ ++# if !defined(_OPEN_THREADS) && !defined(_UNIX03_THREADS) ++ AX_PTHREAD_ZOS_MISSING ++# endif ++ ], ++ [AC_MSG_WARN([IBM z/OS requires -D_OPEN_THREADS or -D_UNIX03_THREADS to enable pthreads support.])]) ++ ;; ++ + solaris*) + + # On Solaris (at least, for some versions), libc contains stubbed + # (non-functional) versions of the pthreads routines, so link-based +- # tests will erroneously succeed. (We need to link with -pthreads/-mt/ +- # -lpthread.) (The stubs are missing pthread_cleanup_push, or rather +- # a function called by this macro, so we could check for that, but +- # who knows whether they'll stub that too in a future libc.) 
So, +- # we'll just look for -pthreads and -lpthread first: ++ # tests will erroneously succeed. (N.B.: The stubs are missing ++ # pthread_cleanup_push, or rather a function called by this macro, ++ # so we could check for that, but who knows whether they'll stub ++ # that too in a future libc.) So we'll check first for the ++ # standard Solaris way of linking pthreads (-mt -lpthread). ++ ++ ax_pthread_flags="-mt,-lpthread pthread $ax_pthread_flags" ++ ;; ++esac ++ ++# Are we compiling with Clang? ++ ++AC_CACHE_CHECK([whether $CC is Clang], ++ [ax_cv_PTHREAD_CLANG], ++ [ax_cv_PTHREAD_CLANG=no ++ # Note that Autoconf sets GCC=yes for Clang as well as GCC ++ if test "x$GCC" = "xyes"; then ++ AC_EGREP_CPP([AX_PTHREAD_CC_IS_CLANG], ++ [/* Note: Clang 2.7 lacks __clang_[a-z]+__ */ ++# if defined(__clang__) && defined(__llvm__) ++ AX_PTHREAD_CC_IS_CLANG ++# endif ++ ], ++ [ax_cv_PTHREAD_CLANG=yes]) ++ fi ++ ]) ++ax_pthread_clang="$ax_cv_PTHREAD_CLANG" ++ ++ ++# GCC generally uses -pthread, or -pthreads on some platforms (e.g. SPARC) ++ ++# Note that for GCC and Clang -pthread generally implies -lpthread, ++# except when -nostdlib is passed. 
++# This is problematic using libtool to build C++ shared libraries with pthread: ++# [1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=25460 ++# [2] https://bugzilla.redhat.com/show_bug.cgi?id=661333 ++# [3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=468555 ++# To solve this, first try -pthread together with -lpthread for GCC ++ ++AS_IF([test "x$GCC" = "xyes"], ++ [ax_pthread_flags="-pthread,-lpthread -pthread -pthreads $ax_pthread_flags"]) ++ ++# Clang takes -pthread (never supported any other flag), but we'll try with -lpthread first ++ ++AS_IF([test "x$ax_pthread_clang" = "xyes"], ++ [ax_pthread_flags="-pthread,-lpthread -pthread"]) + +- ax_pthread_flags="-pthreads pthread -mt -pthread $ax_pthread_flags" ++ ++# The presence of a feature test macro requesting re-entrant function ++# definitions is, on some systems, a strong hint that pthreads support is ++# correctly enabled ++ ++case $host_os in ++ darwin* | hpux* | linux* | osf* | solaris*) ++ ax_pthread_check_macro="_REENTRANT" + ;; + +- darwin*) +- ax_pthread_flags="-pthread $ax_pthread_flags" ++ aix*) ++ ax_pthread_check_macro="_THREAD_SAFE" + ;; +-esac + +-# Clang doesn't consider unrecognized options an error unless we specify +-# -Werror. We throw in some extra Clang-specific options to ensure that +-# this doesn't happen for GCC, which also accepts -Werror. 
++ *) ++ ax_pthread_check_macro="--" ++ ;; ++esac ++AS_IF([test "x$ax_pthread_check_macro" = "x--"], ++ [ax_pthread_check_cond=0], ++ [ax_pthread_check_cond="!defined($ax_pthread_check_macro)"]) + +-AC_MSG_CHECKING([if compiler needs -Werror to reject unknown flags]) +-save_CFLAGS="$CFLAGS" +-ax_pthread_extra_flags="-Werror" +-CFLAGS="$CFLAGS $ax_pthread_extra_flags -Wunknown-warning-option -Wsizeof-array-argument" +-AC_COMPILE_IFELSE([AC_LANG_PROGRAM([int foo(void);],[foo()])], +- [AC_MSG_RESULT([yes])], +- [ax_pthread_extra_flags= +- AC_MSG_RESULT([no])]) +-CFLAGS="$save_CFLAGS" + +-if test x"$ax_pthread_ok" = xno; then +-for flag in $ax_pthread_flags; do ++if test "x$ax_pthread_ok" = "xno"; then ++for ax_pthread_try_flag in $ax_pthread_flags; do + +- case $flag in ++ case $ax_pthread_try_flag in + none) + AC_MSG_CHECKING([whether pthreads work without any flags]) + ;; + ++ *,*) ++ PTHREAD_CFLAGS=`echo $ax_pthread_try_flag | sed "s/^\(.*\),\(.*\)$/\1/"` ++ PTHREAD_LIBS=`echo $ax_pthread_try_flag | sed "s/^\(.*\),\(.*\)$/\2/"` ++ AC_MSG_CHECKING([whether pthreads work with "$PTHREAD_CFLAGS" and "$PTHREAD_LIBS"]) ++ ;; ++ + -*) +- AC_MSG_CHECKING([whether pthreads work with $flag]) +- PTHREAD_CFLAGS="$flag" ++ AC_MSG_CHECKING([whether pthreads work with $ax_pthread_try_flag]) ++ PTHREAD_CFLAGS="$ax_pthread_try_flag" + ;; + + pthread-config) + AC_CHECK_PROG([ax_pthread_config], [pthread-config], [yes], [no]) +- if test x"$ax_pthread_config" = xno; then continue; fi ++ AS_IF([test "x$ax_pthread_config" = "xno"], [continue]) + PTHREAD_CFLAGS="`pthread-config --cflags`" + PTHREAD_LIBS="`pthread-config --ldflags` `pthread-config --libs`" + ;; + + *) +- AC_MSG_CHECKING([for the pthreads library -l$flag]) +- PTHREAD_LIBS="-l$flag" ++ AC_MSG_CHECKING([for the pthreads library -l$ax_pthread_try_flag]) ++ PTHREAD_LIBS="-l$ax_pthread_try_flag" + ;; + esac + +- save_LIBS="$LIBS" +- save_CFLAGS="$CFLAGS" ++ ax_pthread_save_CFLAGS="$CFLAGS" ++ ax_pthread_save_LIBS="$LIBS" ++ 
CFLAGS="$CFLAGS $PTHREAD_CFLAGS" + LIBS="$PTHREAD_LIBS $LIBS" +- CFLAGS="$CFLAGS $PTHREAD_CFLAGS $ax_pthread_extra_flags" + + # Check for various functions. We must include pthread.h, + # since some functions may be macros. (On the Sequent, we +@@ -218,8 +312,18 @@ for flag in $ax_pthread_flags; do + # pthread_cleanup_push because it is one of the few pthread + # functions on Solaris that doesn't have a non-functional libc stub. + # We try pthread_create on general principles. ++ + AC_LINK_IFELSE([AC_LANG_PROGRAM([#include +- static void routine(void *a) { *((int*)a) = 0; } ++# if $ax_pthread_check_cond ++# error "$ax_pthread_check_macro must be defined" ++# endif ++ static void *some_global = NULL; ++ static void routine(void *a) ++ { ++ /* To avoid any unused-parameter or ++ unused-but-set-parameter warning. */ ++ some_global = a; ++ } + static void *start_routine(void *a) { return a; }], + [pthread_t th; pthread_attr_t attr; + pthread_create(&th, 0, start_routine, 0); +@@ -227,101 +331,187 @@ for flag in $ax_pthread_flags; do + pthread_attr_init(&attr); + pthread_cleanup_push(routine, 0); + pthread_cleanup_pop(0) /* ; */])], +- [ax_pthread_ok=yes], +- []) ++ [ax_pthread_ok=yes], ++ []) + +- LIBS="$save_LIBS" +- CFLAGS="$save_CFLAGS" ++ CFLAGS="$ax_pthread_save_CFLAGS" ++ LIBS="$ax_pthread_save_LIBS" + + AC_MSG_RESULT([$ax_pthread_ok]) +- if test "x$ax_pthread_ok" = xyes; then +- break; +- fi ++ AS_IF([test "x$ax_pthread_ok" = "xyes"], [break]) + + PTHREAD_LIBS="" + PTHREAD_CFLAGS="" + done + fi + ++ ++# Clang needs special handling, because older versions handle the -pthread ++# option in a rather... idiosyncratic way ++ ++if test "x$ax_pthread_clang" = "xyes"; then ++ ++ # Clang takes -pthread; it has never supported any other flag ++ ++ # (Note 1: This will need to be revisited if a system that Clang ++ # supports has POSIX threads in a separate library. This tends not ++ # to be the way of modern systems, but it's conceivable.) 
++ ++ # (Note 2: On some systems, notably Darwin, -pthread is not needed ++ # to get POSIX threads support; the API is always present and ++ # active. We could reasonably leave PTHREAD_CFLAGS empty. But ++ # -pthread does define _REENTRANT, and while the Darwin headers ++ # ignore this macro, third-party headers might not.) ++ ++ # However, older versions of Clang make a point of warning the user ++ # that, in an invocation where only linking and no compilation is ++ # taking place, the -pthread option has no effect ("argument unused ++ # during compilation"). They expect -pthread to be passed in only ++ # when source code is being compiled. ++ # ++ # Problem is, this is at odds with the way Automake and most other ++ # C build frameworks function, which is that the same flags used in ++ # compilation (CFLAGS) are also used in linking. Many systems ++ # supported by AX_PTHREAD require exactly this for POSIX threads ++ # support, and in fact it is often not straightforward to specify a ++ # flag that is used only in the compilation phase and not in ++ # linking. Such a scenario is extremely rare in practice. ++ # ++ # Even though use of the -pthread flag in linking would only print ++ # a warning, this can be a nuisance for well-run software projects ++ # that build with -Werror. So if the active version of Clang has ++ # this misfeature, we search for an option to squash it. 
++ ++ AC_CACHE_CHECK([whether Clang needs flag to prevent "argument unused" warning when linking with -pthread], ++ [ax_cv_PTHREAD_CLANG_NO_WARN_FLAG], ++ [ax_cv_PTHREAD_CLANG_NO_WARN_FLAG=unknown ++ # Create an alternate version of $ac_link that compiles and ++ # links in two steps (.c -> .o, .o -> exe) instead of one ++ # (.c -> exe), because the warning occurs only in the second ++ # step ++ ax_pthread_save_ac_link="$ac_link" ++ ax_pthread_sed='s/conftest\.\$ac_ext/conftest.$ac_objext/g' ++ ax_pthread_link_step=`AS_ECHO(["$ac_link"]) | sed "$ax_pthread_sed"` ++ ax_pthread_2step_ac_link="($ac_compile) && (echo ==== >&5) && ($ax_pthread_link_step)" ++ ax_pthread_save_CFLAGS="$CFLAGS" ++ for ax_pthread_try in '' -Qunused-arguments -Wno-unused-command-line-argument unknown; do ++ AS_IF([test "x$ax_pthread_try" = "xunknown"], [break]) ++ CFLAGS="-Werror -Wunknown-warning-option $ax_pthread_try -pthread $ax_pthread_save_CFLAGS" ++ ac_link="$ax_pthread_save_ac_link" ++ AC_LINK_IFELSE([AC_LANG_SOURCE([[int main(void){return 0;}]])], ++ [ac_link="$ax_pthread_2step_ac_link" ++ AC_LINK_IFELSE([AC_LANG_SOURCE([[int main(void){return 0;}]])], ++ [break]) ++ ]) ++ done ++ ac_link="$ax_pthread_save_ac_link" ++ CFLAGS="$ax_pthread_save_CFLAGS" ++ AS_IF([test "x$ax_pthread_try" = "x"], [ax_pthread_try=no]) ++ ax_cv_PTHREAD_CLANG_NO_WARN_FLAG="$ax_pthread_try" ++ ]) ++ ++ case "$ax_cv_PTHREAD_CLANG_NO_WARN_FLAG" in ++ no | unknown) ;; ++ *) PTHREAD_CFLAGS="$ax_cv_PTHREAD_CLANG_NO_WARN_FLAG $PTHREAD_CFLAGS" ;; ++ esac ++ ++fi # $ax_pthread_clang = yes ++ ++ ++ + # Various other checks: +-if test "x$ax_pthread_ok" = xyes; then +- save_LIBS="$LIBS" +- LIBS="$PTHREAD_LIBS $LIBS" +- save_CFLAGS="$CFLAGS" ++if test "x$ax_pthread_ok" = "xyes"; then ++ ax_pthread_save_CFLAGS="$CFLAGS" ++ ax_pthread_save_LIBS="$LIBS" + CFLAGS="$CFLAGS $PTHREAD_CFLAGS" ++ LIBS="$PTHREAD_LIBS $LIBS" + + # Detect AIX lossage: JOINABLE attribute is called UNDETACHED. 
+- AC_MSG_CHECKING([for joinable pthread attribute]) +- attr_name=unknown +- for attr in PTHREAD_CREATE_JOINABLE PTHREAD_CREATE_UNDETACHED; do +- AC_LINK_IFELSE([AC_LANG_PROGRAM([#include ], +- [int attr = $attr; return attr /* ; */])], +- [attr_name=$attr; break], +- []) +- done +- AC_MSG_RESULT([$attr_name]) +- if test "$attr_name" != PTHREAD_CREATE_JOINABLE; then +- AC_DEFINE_UNQUOTED([PTHREAD_CREATE_JOINABLE], [$attr_name], +- [Define to necessary symbol if this constant +- uses a non-standard name on your system.]) +- fi +- +- AC_MSG_CHECKING([if more special flags are required for pthreads]) +- flag=no +- case ${host_os} in +- aix* | freebsd* | darwin*) flag="-D_THREAD_SAFE";; +- osf* | hpux*) flag="-D_REENTRANT";; +- solaris*) +- if test "$GCC" = "yes"; then +- flag="-D_REENTRANT" +- else +- # TODO: What about Clang on Solaris? +- flag="-mt -D_REENTRANT" +- fi +- ;; +- esac +- AC_MSG_RESULT([$flag]) +- if test "x$flag" != xno; then +- PTHREAD_CFLAGS="$flag $PTHREAD_CFLAGS" +- fi ++ AC_CACHE_CHECK([for joinable pthread attribute], ++ [ax_cv_PTHREAD_JOINABLE_ATTR], ++ [ax_cv_PTHREAD_JOINABLE_ATTR=unknown ++ for ax_pthread_attr in PTHREAD_CREATE_JOINABLE PTHREAD_CREATE_UNDETACHED; do ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([#include ], ++ [int attr = $ax_pthread_attr; return attr /* ; */])], ++ [ax_cv_PTHREAD_JOINABLE_ATTR=$ax_pthread_attr; break], ++ []) ++ done ++ ]) ++ AS_IF([test "x$ax_cv_PTHREAD_JOINABLE_ATTR" != "xunknown" && \ ++ test "x$ax_cv_PTHREAD_JOINABLE_ATTR" != "xPTHREAD_CREATE_JOINABLE" && \ ++ test "x$ax_pthread_joinable_attr_defined" != "xyes"], ++ [AC_DEFINE_UNQUOTED([PTHREAD_CREATE_JOINABLE], ++ [$ax_cv_PTHREAD_JOINABLE_ATTR], ++ [Define to necessary symbol if this constant ++ uses a non-standard name on your system.]) ++ ax_pthread_joinable_attr_defined=yes ++ ]) ++ ++ AC_CACHE_CHECK([whether more special flags are required for pthreads], ++ [ax_cv_PTHREAD_SPECIAL_FLAGS], ++ [ax_cv_PTHREAD_SPECIAL_FLAGS=no ++ case $host_os in ++ solaris*) ++ 
ax_cv_PTHREAD_SPECIAL_FLAGS="-D_POSIX_PTHREAD_SEMANTICS" ++ ;; ++ esac ++ ]) ++ AS_IF([test "x$ax_cv_PTHREAD_SPECIAL_FLAGS" != "xno" && \ ++ test "x$ax_pthread_special_flags_added" != "xyes"], ++ [PTHREAD_CFLAGS="$ax_cv_PTHREAD_SPECIAL_FLAGS $PTHREAD_CFLAGS" ++ ax_pthread_special_flags_added=yes]) + + AC_CACHE_CHECK([for PTHREAD_PRIO_INHERIT], +- [ax_cv_PTHREAD_PRIO_INHERIT], [ +- AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], +- [[int i = PTHREAD_PRIO_INHERIT;]])], +- [ax_cv_PTHREAD_PRIO_INHERIT=yes], +- [ax_cv_PTHREAD_PRIO_INHERIT=no]) ++ [ax_cv_PTHREAD_PRIO_INHERIT], ++ [AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], ++ [[int i = PTHREAD_PRIO_INHERIT; ++ return i;]])], ++ [ax_cv_PTHREAD_PRIO_INHERIT=yes], ++ [ax_cv_PTHREAD_PRIO_INHERIT=no]) + ]) +- AS_IF([test "x$ax_cv_PTHREAD_PRIO_INHERIT" = "xyes"], +- [AC_DEFINE([HAVE_PTHREAD_PRIO_INHERIT], [1], [Have PTHREAD_PRIO_INHERIT.])]) ++ AS_IF([test "x$ax_cv_PTHREAD_PRIO_INHERIT" = "xyes" && \ ++ test "x$ax_pthread_prio_inherit_defined" != "xyes"], ++ [AC_DEFINE([HAVE_PTHREAD_PRIO_INHERIT], [1], [Have PTHREAD_PRIO_INHERIT.]) ++ ax_pthread_prio_inherit_defined=yes ++ ]) + +- LIBS="$save_LIBS" +- CFLAGS="$save_CFLAGS" ++ CFLAGS="$ax_pthread_save_CFLAGS" ++ LIBS="$ax_pthread_save_LIBS" + + # More AIX lossage: compile with *_r variant +- if test "x$GCC" != xyes; then ++ if test "x$GCC" != "xyes"; then + case $host_os in + aix*) + AS_CASE(["x/$CC"], +- [x*/c89|x*/c89_128|x*/c99|x*/c99_128|x*/cc|x*/cc128|x*/xlc|x*/xlc_v6|x*/xlc128|x*/xlc128_v6], +- [#handle absolute path differently from PATH based program lookup +- AS_CASE(["x$CC"], +- [x/*], +- [AS_IF([AS_EXECUTABLE_P([${CC}_r])],[PTHREAD_CC="${CC}_r"])], +- [AC_CHECK_PROGS([PTHREAD_CC],[${CC}_r],[$CC])])]) ++ [x*/c89|x*/c89_128|x*/c99|x*/c99_128|x*/cc|x*/cc128|x*/xlc|x*/xlc_v6|x*/xlc128|x*/xlc128_v6], ++ [#handle absolute path differently from PATH based program lookup ++ AS_CASE(["x$CC"], ++ [x/*], ++ [ ++ AS_IF([AS_EXECUTABLE_P([${CC}_r])],[PTHREAD_CC="${CC}_r"]) ++ 
AS_IF([test "x${CXX}" != "x"], [AS_IF([AS_EXECUTABLE_P([${CXX}_r])],[PTHREAD_CXX="${CXX}_r"])]) ++ ], ++ [ ++ AC_CHECK_PROGS([PTHREAD_CC],[${CC}_r],[$CC]) ++ AS_IF([test "x${CXX}" != "x"], [AC_CHECK_PROGS([PTHREAD_CXX],[${CXX}_r],[$CXX])]) ++ ] ++ ) ++ ]) + ;; + esac + fi + fi + + test -n "$PTHREAD_CC" || PTHREAD_CC="$CC" ++test -n "$PTHREAD_CXX" || PTHREAD_CXX="$CXX" + + AC_SUBST([PTHREAD_LIBS]) + AC_SUBST([PTHREAD_CFLAGS]) + AC_SUBST([PTHREAD_CC]) ++AC_SUBST([PTHREAD_CXX]) + + # Finally, execute ACTION-IF-FOUND/ACTION-IF-NOT-FOUND: +-if test x"$ax_pthread_ok" = xyes; then ++if test "x$ax_pthread_ok" = "xyes"; then + ifelse([$1],,[AC_DEFINE([HAVE_PTHREAD],[1],[Define if you have POSIX threads libraries and header files.])],[$1]) + : + else +diff --git a/unbound-1.19.3/configure.ac b/unbound-1.19.3/configure.ac +index e0dedbe..34f2da7 100644 +--- a/unbound-1.19.3/configure.ac ++++ b/unbound-1.19.3/configure.ac +@@ -4,7 +4,7 @@ AC_PREREQ([2.56]) + sinclude(acx_nlnetlabs.m4) + sinclude(ax_pthread.m4) + sinclude(acx_python.m4) +-sinclude(ac_pkg_swig.m4) ++sinclude(ax_pkg_swig.m4) + sinclude(dnstap/dnstap.m4) + sinclude(dnscrypt/dnscrypt.m4) + +@@ -795,9 +795,9 @@ if test x_$ub_test_python != x_no; then + ub_have_swig=no + AC_ARG_ENABLE(swig-version-check, AS_HELP_STRING([--disable-swig-version-check],[Disable swig version check to build python modules with older swig even though that is unreliable])) + if test "$enable_swig_version_check" = "yes"; then +- AC_PROG_SWIG(2.0.1) ++ AX_PKG_SWIG(2.0.1) + else +- AC_PROG_SWIG ++ AX_PKG_SWIG + fi + AC_MSG_CHECKING(SWIG) + if test ! -x "$SWIG"; then +-- +2.44.0 + diff --git a/unbound.spec b/unbound.spec index c44dc7d..f9ae8ba 100644 --- a/unbound.spec +++ b/unbound.spec 
@@ -57,6 +57,8 @@ Source20: unbound.sysusers # Downstream configuration changes Patch1: unbound-fedora-config.patch +# https://github.com/NLnetLabs/unbound/pull/1048 +Patch2: unbound-1.19-autoconf-m4.patch BuildRequires: gcc, make BuildRequires: flex, openssl-devel @@ -243,10 +245,8 @@ pushd %{dir_primary} # always regenerate configure rm -f config.h.in aclocal.m4 configure ltmain.sh -rm -f ax_pthread.m4 +rm -f {ax_pthread,ax_swig_python}.m4 cp -p %{_datadir}/aclocal/{ax_pthread,ax_swig_python}.m4 . -# TODO: use ax_swig_python.m4 from autoconf-archive too -# https://github.com/NLnetLabs/unbound/pull/1048 autoreconf -fiv %configure \ From f119256acc028e42cfed0ce156f51b8d57d46113 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Mon, 15 Apr 2024 14:07:51 +0200 Subject: [PATCH 05/62] Correct python3.12 warning Python since 3.12 prints warning about Py_NoSiteFlag is deprecated. It seems that variable is not needed since Python 3.8, since it sets in such cases directly config.site_import variable few moments later. Move using deprecated variable to versions before that flag in config could be used only. --- unbound-1.19-python3.12-Py_NoSiteFlag.patch | 48 +++++++++++++++++++++ unbound.spec | 2 + 2 files changed, 50 insertions(+) create mode 100644 unbound-1.19-python3.12-Py_NoSiteFlag.patch diff --git a/unbound-1.19-python3.12-Py_NoSiteFlag.patch b/unbound-1.19-python3.12-Py_NoSiteFlag.patch new file mode 100644 index 0000000..8d7125c --- /dev/null +++ b/unbound-1.19-python3.12-Py_NoSiteFlag.patch 
@@ -0,0 +1,48 @@ +From 4d66057470cd5c5533cb39b4e049c3ae48044090 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Mon, 15 Apr 2024 13:43:58 +0200 +Subject: [PATCH] Py_NoSiteFlag is not needed since Python 3.8 + +Python since 3.12 prints warning about Py_NoSiteFlag is deprecated. It +seems that variable is not needed since Python 3.8, since it sets in +such cases directly config.site_import variable few moments later. +Move using deprecated variable to versions before that flag in config +could be used only. + +This should fix warning like: + +pythonmod/pythonmod.c: In function 'pythonmod_init': +pythonmod/pythonmod.c:359:7: warning: 'Py_NoSiteFlag' is deprecated [-Wdeprecated-declarations] + 359 | Py_NoSiteFlag = 1; + | ^~~~~~~~~~~~~ +In file included from /usr/include/python3.12/Python.h:48, + from pythonmod/pythonmod.c:54: +/usr/include/python3.12/cpython/pydebug.h:14:37: note: declared here + 14 | Py_DEPRECATED(3.12) PyAPI_DATA(int) Py_NoSiteFlag; + | ^~~~~~~~~~~~~ + +https://docs.python.org/3/c-api/init.html#c.Py_NoSiteFlag +--- + unbound-1.19.3/pythonmod/pythonmod.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/unbound-1.19.3/pythonmod/pythonmod.c b/unbound-1.19.3/pythonmod/pythonmod.c +index c6294a1..b8f2d62 100644 +--- a/unbound-1.19.3/pythonmod/pythonmod.c ++++ b/unbound-1.19.3/pythonmod/pythonmod.c +@@ -356,11 +356,11 @@ int pythonmod_init(struct module_env* env, int id) + return 0; + } + #endif +- Py_NoSiteFlag = 1; + #if PY_MAJOR_VERSION >= 3 + PyImport_AppendInittab(SWIG_name, (void*)SWIG_init); + #endif + #if PY_VERSION_HEX < 0x03080000 ++ Py_NoSiteFlag = 1; + Py_Initialize(); + #else + PyConfig_InitPythonConfig(&config); +-- +2.44.0 + diff --git a/unbound.spec b/unbound.spec index f9ae8ba..4068f83 100644 --- a/unbound.spec +++ b/unbound.spec 
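Review bot: The moved `Py_NoSiteFlag = 1;` now takes effect only on the `PY_VERSION_HEX < 0x03080000` path, and the hunk stops right after `PyConfig_InitPythonConfig(&config);`, so the `config.site_import` assignment that the commit message says replaces it on 3.8+ is not visible here; if the PyConfig branch does not set it, 3.8+ builds would start importing `site` (and any `.pth` hooks on the path) inside the resolver process. A one-line comment on the moved line would make the pairing explicit and keep the two branches from drifting: `/* >= 3.8 disables site import via config.site_import in the PyConfig branch */`. pythonmod_init continues outside the hunk.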
@@ -59,6 +59,8 @@ Source20: unbound.sysusers Patch1: unbound-fedora-config.patch # https://github.com/NLnetLabs/unbound/pull/1048 Patch2: unbound-1.19-autoconf-m4.patch +# https://github.com/NLnetLabs/unbound/pull/1049 +Patch3: unbound-1.19-python3.12-Py_NoSiteFlag.patch BuildRequires: gcc, make BuildRequires: flex, openssl-devel From 081ff5cf5781eb2c603c7ecffa7fa6611829c7b7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Mon, 15 Apr 2024 15:20:42 +0200 Subject: [PATCH 06/62] Always regenerate config parser Do not rely on pregenerated parser provided by upstream. Delete it and generate its own. --- unbound.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/unbound.spec b/unbound.spec index 4068f83..69aedca 100644 --- a/unbound.spec +++ b/unbound.spec @@ -63,14 +63,15 @@ Patch2: unbound-1.19-autoconf-m4.patch Patch3: unbound-1.19-python3.12-Py_NoSiteFlag.patch BuildRequires: gcc, make -BuildRequires: flex, openssl-devel +BuildRequires: openssl-devel BuildRequires: libevent-devel expat-devel BuildRequires: pkgconfig # Required for configure regeneration -BuildRequires: bison BuildRequires: automake autoconf libtool BuildRequires: autoconf-archive +# Regenerate config parser too +BuildRequires: bison flex byacc %if 0%{?fedora} BuildRequires: gnupg2 @@ -249,6 +250,8 @@ pushd %{dir_primary} rm -f config.h.in aclocal.m4 configure ltmain.sh rm -f {ax_pthread,ax_swig_python}.m4 cp -p %{_datadir}/aclocal/{ax_pthread,ax_swig_python}.m4 . +# ensure bison is used to generate fresh parser +rm -f util/configparser.{c,h} util/configlexer.c autoreconf -fiv %configure \ From 10fcecddd62f15ec4b0dd13fffae780a67a34895 Mon Sep 17 00:00:00 2001 
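Review bot: `BuildRequires: bison flex byacc` pulls in two yacc implementations while the comment in the hunk at 249, `# ensure bison is used to generate fresh parser`, states that bison is the intended one; nothing in the spec forces that choice. If configure uses Autoconf's usual yacc probe it prefers bison when present, which makes `byacc` redundant at best and misleading at worst, so either drop it or pin the tool in the `%configure` call (`YACC=bison`) so the regenerated `util/configparser.c` is deterministic. Note also that after `rm -f util/configparser.{c,h} util/configlexer.c` a build without a working yacc/lex now fails outright instead of falling back to the shipped parser, which is the right trade-off but worth saying in the comment.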
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Mon, 15 Apr 2024 15:48:38 +0200 Subject: [PATCH 07/62] Prevent executable bit on configuration files Do not rely on packaging safeguards to reset executable bits. Removes warning after install phase. --- unbound.spec | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/unbound.spec b/unbound.spec index 69aedca..238cbac 100644 --- a/unbound.spec +++ b/unbound.spec @@ -311,7 +311,7 @@ popd pushd %{dir_primary} %make_install unbound-event-install install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp -install -p -m 0755 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf +install -p -m 0644 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf popd install -d -m 0755 %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig @@ -370,9 +370,9 @@ mkdir -p %{buildroot}%{_rundir}/unbound # Install directories for easier config file drop in mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d} -install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/ -install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/ -install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/ +install -p -m 0644 %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/ +install -p -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/ +install -p -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/ # Link unbound-control-setup.8 manpage to unbound-control.8 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8 From 96134e75821b6242562c68acb59620bd8e186cb1 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Mon, 11 Mar 2024 10:33:46 +0100 Subject: [PATCH 08/62] Ensure group access correction reaches also updated configs If the user has already modified configuration file unbound.conf, our change of defaults would not affect them. Let's move the change to extra file, which will be applied even when main config file were not modified. Resolves: CVE-2024-1488 --- remote-control.conf | 9 +++++++++ unbound-fedora-config.patch | 2 +- unbound.spec | 2 ++ 3 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 remote-control.conf diff --git a/remote-control.conf b/remote-control.conf new file mode 100644 index 0000000..4561a63 --- /dev/null +++ b/remote-control.conf @@ -0,0 +1,9 @@ +# Remote control config section update. +# Previous defaults allowed any process to change settings, CVE-2023-1488 +remote-control: + # set to an absolute path to use a unix local name pipe, certificates + # are not used for that, so key and cert files need not be present. + control-interface: "/run/unbound/control" + + # For local sockets this option is ignored, and TLS is not used. + control-use-cert: "yes" diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch index 0aeb6cb..f350be8 100644 --- a/unbound-fedora-config.patch +++ b/unbound-fedora-config.patch @@ -421,7 +421,7 @@ index d791cf8..af163b2 100644 # are not used for that, so key and cert files need not be present. # control-interface: 127.0.0.1 # control-interface: ::1 -+ control-interface: "/run/unbound/control" ++ # moved to /etc/unbound/conf.d/remote-control.conf # port number for remote control operations. # control-port: 8953 diff --git a/unbound.spec b/unbound.spec index 238cbac..40bfc39 100644 --- a/unbound.spec +++ b/unbound.spec 
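Review bot: The comment line `# Previous defaults allowed any process to change settings, CVE-2023-1488` in the new remote-control.conf does not match the identifier in the commit message, `Resolves: CVE-2024-1488`; one of the two is a typo, and the one shipped to users under /etc/unbound/conf.d should be the correct one. It would also help operators to state in the file what the protection now rests on: with a unix-socket `control-interface`, `control-use-cert` is ignored (as the existing comment says), so access is governed by the ownership and mode of the socket's directory rather than by TLS client certificates — presumably the "group access correction" the commit title refers to. The companion hunk in unbound-fedora-config.patch only swaps the active `control-interface` line for a pointer comment, which is consistent with this drop-in.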
@@ -54,6 +54,7 @@ Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_vers # source: https://nlnetlabs.nl/people/ Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key Source20: unbound.sysusers +Source21: remote-control.conf # Downstream configuration changes Patch1: unbound-fedora-config.patch @@ -373,6 +374,7 @@ mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d} install -p -m 0644 %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/ install -p -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/ install -p -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/ +install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/ # Link unbound-control-setup.8 manpage to unbound-control.8 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8 From 09e446c1982cd4277ea36cf7767c506f651d75d1 Mon Sep 17 00:00:00 2001 
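Review bot: `install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/` adds a new packaged file, but no %files change is visible in this diff; unless conf.d is already packaged as a directory entry or glob, rpmbuild will fail on an unpackaged file. It is also worth deciding explicitly how the file is flagged: since it carries a security default the commit deliberately wants to reach already-modified systems, a plain `%config` entry lets future updates to this file take effect, whereas `%config(noreplace)` would leave a locally edited copy untouched.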
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Fri, 10 May 2024 15:37:36 +0200 Subject: [PATCH 09/62] Update to 1.20.0 Features: The config for discard-timeout, wait-limit, wait-limit-cookie, wait-limit-netblock and wait-limit-cookie-netblock was added, for the fix to the DNSBomb issue. Merge #1027: Introduce 'cache-min-negative-ttl' option. Merge #1043 from xiaoxiaoafeifei: Add loongarch support; updates config.guess(2024-01-01) and config.sub(2024-01-01), verified with upstream. Implement cachedb-check-when-serve-expired: yes option, default is enabled. When serve expired is enabled with cachedb, it first checks cachedb before serving the expired response. Fix #876: [FR] can unbound-checkconf be silenced when configuration is valid? And bug fixes. https://nlnetlabs.nl/projects/unbound/download/#unbound-1-20-0 Resolves: CVE-2024-33655 --- .gitignore | 2 + sources | 4 +- unbound-1.19-autoconf-m4.patch | 792 -------------------- unbound-1.19-python3.12-Py_NoSiteFlag.patch | 48 -- unbound-fedora-config.patch | 78 +- unbound.spec | 13 +- 6 files changed, 49 insertions(+), 888 deletions(-) delete mode 100644 unbound-1.19-autoconf-m4.patch delete mode 100644 unbound-1.19-python3.12-Py_NoSiteFlag.patch diff --git a/.gitignore b/.gitignore index dde18f4..2ad282d 100644 --- a/.gitignore +++ b/.gitignore @@ -87,3 +87,5 @@ unbound-1.4.5.tar.gz /unbound-1.19.1.tar.gz.asc /unbound-1.19.3.tar.gz /unbound-1.19.3.tar.gz.asc +/unbound-1.20.0.tar.gz +/unbound-1.20.0.tar.gz.asc diff --git a/sources b/sources index eea1e9c..5a055a7 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@
-SHA512 (unbound-1.19.3.tar.gz) = f860614f090a5a081cceff8ca7f4b3d416c00a251ae14ceb6b4159dc8cd022f025592074d3d78aee2f86c3eeae9d1a314713e4740aa91062579143199accd159
-SHA512 (unbound-1.19.3.tar.gz.asc) = 1b6437d7ac4394ab7d6eb0d12f22b39538152f9c88175a5368263059950b8e6b093fa5392d1ff37874effef7a422afa9c690f766802208979a99500a4bea5906
+SHA512 (unbound-1.20.0.tar.gz) = 2f6bc76c03b71ca1c2cd2331dc72d62f51493d15e17c59af46b400e542fcabff22e6b9d33f750a3e5f918a0116f45afa760651b2d5aa2feadac151cbbd71b0bd
+SHA512 (unbound-1.20.0.tar.gz.asc) = 1586a320077c606c5c19f251615df54a61854f51acca02df1d391dcc2287aff2c641b009aeee1a98392f63719d70b6bac23ebb7d86b780f8a27cda6e114fc0ad
diff --git a/unbound-1.19-autoconf-m4.patch b/unbound-1.19-autoconf-m4.patch
deleted file mode 100644
index b014cb2..0000000
--- a/unbound-1.19-autoconf-m4.patch
+++ /dev/null
@@ -1,792 +0,0 @@ -From 926b5dadfb1f1454bd0e54dd195018d11c223c34 Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Mon, 15 Apr 2024 11:30:19 +0200 -Subject: [PATCH] Update ax_pkg_swig.m4 and ax_pthread.m4 - -Use vanilla m4 files with known source. Prepared for possible removal at -build time if the system already has autoconf-archive source present. -Switch to AX_PKG_SWIG macro for versioned or unversioned swig detection. ---- - unbound-1.19.3/ac_pkg_swig.m4 | 133 ---------- - unbound-1.19.3/ax_pthread.m4 | 444 ++++++++++++++++++++++++---------- - unbound-1.19.3/configure.ac | 6 +- - 3 files changed, 320 insertions(+), 263 deletions(-) - delete mode 100644 unbound-1.19.3/ac_pkg_swig.m4 - -diff --git a/unbound-1.19.3/ac_pkg_swig.m4 b/unbound-1.19.3/ac_pkg_swig.m4 -deleted file mode 100644 -index 87f99fb..0000000 ---- a/unbound-1.19.3/ac_pkg_swig.m4 -+++ /dev/null -@@ -1,133 +0,0 @@ --# =========================================================================== --# http://autoconf-archive.cryp.to/ac_pkg_swig.html --# =========================================================================== --# --# SYNOPSIS --# --# AC_PROG_SWIG([major.minor.micro]) --# --# DESCRIPTION --# --# This macro searches for a SWIG installation on your system. If found you --# should call SWIG via $(SWIG). You can use the optional first argument to --# check if the version of the available SWIG is greater than or equal to --# the value of the argument. It should have the format: N[.N[.N]] (N is a --# number between 0 and 999. Only the first N is mandatory.) --# --# If the version argument is given (e.g. 1.3.17), AC_PROG_SWIG checks that --# the swig package is this version number or higher. --# --# In configure.in, use as: --# --# AC_PROG_SWIG(1.3.17) --# SWIG_ENABLE_CXX --# SWIG_MULTI_MODULE_SUPPORT --# SWIG_PYTHON --# --# LAST MODIFICATION --# --# 2008-04-12 --# --# COPYLEFT --# --# Copyright (c) 2008 Sebastian Huber --# Copyright (c) 2008 Alan W. 
Irwin --# Copyright (c) 2008 Rafael Laboissiere --# Copyright (c) 2008 Andrew Collier --# --# This program is free software; you can redistribute it and/or modify it --# under the terms of the GNU General Public License as published by the --# Free Software Foundation; either version 2 of the License, or (at your --# option) any later version. --# --# This program is distributed in the hope that it will be useful, but --# WITHOUT ANY WARRANTY; without even the implied warranty of --# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General --# Public License for more details. --# --# You should have received a copy of the GNU General Public License along --# with this program. If not, see . --# --# As a special exception, the respective Autoconf Macro's copyright owner --# gives unlimited permission to copy, distribute and modify the configure --# scripts that are the output of Autoconf when processing the Macro. You --# need not follow the terms of the GNU General Public License when using --# or distributing such scripts, even though portions of the text of the --# Macro appear in them. The GNU General Public License (GPL) does govern --# all other use of the material that constitutes the Autoconf Macro. --# --# This special exception to the GPL applies to versions of the Autoconf --# Macro released by the Autoconf Macro Archive. When you make and --# distribute a modified version of the Autoconf Macro, you may extend this --# special exception to the GPL to apply to your modified version as well. -- --AC_DEFUN([AC_PROG_SWIG],[ -- AC_PATH_PROG([SWIG],[swig]) -- if test -z "$SWIG" ; then -- AC_MSG_WARN([cannot find 'swig' program. You should look at http://www.swig.org]) -- SWIG='echo "Error: SWIG is not installed. 
You should look at http://www.swig.org" ; false' -- elif test -n "$1" ; then -- AC_MSG_CHECKING([for SWIG version]) -- [swig_version=`$SWIG -version 2>&1 | grep 'SWIG Version' | sed 's/.*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/g'`] -- AC_MSG_RESULT([$swig_version]) -- if test -n "$swig_version" ; then -- # Calculate the required version number components -- [required=$1] -- [required_major=`echo $required | sed 's/[^0-9].*//'`] -- if test -z "$required_major" ; then -- [required_major=0] -- fi -- [required=`echo $required | sed 's/[0-9]*[^0-9]//'`] -- [required_minor=`echo $required | sed 's/[^0-9].*//'`] -- if test -z "$required_minor" ; then -- [required_minor=0] -- fi -- [required=`echo $required | sed 's/[0-9]*[^0-9]//'`] -- [required_patch=`echo $required | sed 's/[^0-9].*//'`] -- if test -z "$required_patch" ; then -- [required_patch=0] -- fi -- # Calculate the available version number components -- [available=$swig_version] -- [available_major=`echo $available | sed 's/[^0-9].*//'`] -- if test -z "$available_major" ; then -- [available_major=0] -- fi -- [available=`echo $available | sed 's/[0-9]*[^0-9]//'`] -- [available_minor=`echo $available | sed 's/[^0-9].*//'`] -- if test -z "$available_minor" ; then -- [available_minor=0] -- fi -- [available=`echo $available | sed 's/[0-9]*[^0-9]//'`] -- [available_patch=`echo $available | sed 's/[^0-9].*//'`] -- if test -z "$available_patch" ; then -- [available_patch=0] -- fi -- [badversion=0] -- if test $available_major -lt $required_major ; then -- [badversion=1] -- fi -- if test $available_major -eq $required_major \ -- -a $available_minor -lt $required_minor ; then -- [badversion=1] -- fi -- if test $available_major -eq $required_major \ -- -a $available_minor -eq $required_minor \ -- -a $available_patch -lt $required_patch ; then -- [badversion=1] -- fi -- if test $badversion -eq 1 ; then -- AC_MSG_WARN([SWIG version >= $1 is required. You have $swig_version. 
You should look at http://www.swig.org]) -- SWIG='echo "Error: SWIG version >= $1 is required. You have '"$swig_version"'. You should look at http://www.swig.org" ; false' -- else -- AC_MSG_NOTICE([SWIG executable is '$SWIG']) -- SWIG_LIB=`$SWIG -swiglib` -- AC_MSG_NOTICE([SWIG library directory is '$SWIG_LIB']) -- fi -- else -- AC_MSG_WARN([cannot determine SWIG version]) -- SWIG='echo "Error: Cannot determine SWIG version. You should look at http://www.swig.org" ; false' -- fi -- fi -- AC_SUBST([SWIG_LIB]) --]) -diff --git a/unbound-1.19.3/ax_pthread.m4 b/unbound-1.19.3/ax_pthread.m4 -index ff7d2a6..9f35d13 100644 ---- a/unbound-1.19.3/ax_pthread.m4 -+++ b/unbound-1.19.3/ax_pthread.m4 -@@ -1,5 +1,5 @@ - # =========================================================================== --# http://www.gnu.org/software/autoconf-archive/ax_pthread.html -+# https://www.gnu.org/software/autoconf-archive/ax_pthread.html - # =========================================================================== - # - # SYNOPSIS -@@ -14,24 +14,28 @@ - # flags that are needed. (The user can also force certain compiler - # flags/libs to be tested by setting these environment variables.) - # --# Also sets PTHREAD_CC to any special C compiler that is needed for --# multi-threaded programs (defaults to the value of CC otherwise). (This --# is necessary on AIX to use the special cc_r compiler alias.) -+# Also sets PTHREAD_CC and PTHREAD_CXX to any special C compiler that is -+# needed for multi-threaded programs (defaults to the value of CC -+# respectively CXX otherwise). (This is necessary on e.g. AIX to use the -+# special cc_r/CC_r compiler alias.) - # - # NOTE: You are assumed to not only compile your program with these flags, --# but also link it with them as well. e.g. you should link with -+# but also to link with them as well. For example, you might link with - # $PTHREAD_CC $CFLAGS $PTHREAD_CFLAGS $LDFLAGS ... $PTHREAD_LIBS $LIBS -+# $PTHREAD_CXX $CXXFLAGS $PTHREAD_CFLAGS $LDFLAGS ... 
$PTHREAD_LIBS $LIBS - # --# If you are only building threads programs, you may wish to use these -+# If you are only building threaded programs, you may wish to use these - # variables in your default LIBS, CFLAGS, and CC: - # - # LIBS="$PTHREAD_LIBS $LIBS" - # CFLAGS="$CFLAGS $PTHREAD_CFLAGS" -+# CXXFLAGS="$CXXFLAGS $PTHREAD_CFLAGS" - # CC="$PTHREAD_CC" -+# CXX="$PTHREAD_CXX" - # - # In addition, if the PTHREAD_CREATE_JOINABLE thread-attribute constant --# has a nonstandard name, defines PTHREAD_CREATE_JOINABLE to that name --# (e.g. PTHREAD_CREATE_UNDETACHED on AIX). -+# has a nonstandard name, this macro defines PTHREAD_CREATE_JOINABLE to -+# that name (e.g. PTHREAD_CREATE_UNDETACHED on AIX). - # - # Also HAVE_PTHREAD_PRIO_INHERIT is defined if pthread is found and the - # PTHREAD_PRIO_INHERIT symbol is defined when compiling with -@@ -55,6 +59,7 @@ - # - # Copyright (c) 2008 Steven G. Johnson - # Copyright (c) 2011 Daniel Richard G. -+# Copyright (c) 2019 Marc Stevens - # - # This program is free software: you can redistribute it and/or modify it - # under the terms of the GNU General Public License as published by the -@@ -67,7 +72,7 @@ - # Public License for more details. - # - # You should have received a copy of the GNU General Public License along --# with this program. If not, see . -+# with this program. If not, see . - # - # As a special exception, the respective Autoconf Macro's copyright owner - # gives unlimited permission to copy, distribute and modify the configure -@@ -82,35 +87,41 @@ - # modified version of the Autoconf Macro, you may extend this special - # exception to the GPL to apply to your modified version as well. 
- --#serial 21 -+#serial 31 - - AU_ALIAS([ACX_PTHREAD], [AX_PTHREAD]) - AC_DEFUN([AX_PTHREAD], [ - AC_REQUIRE([AC_CANONICAL_HOST]) -+AC_REQUIRE([AC_PROG_CC]) -+AC_REQUIRE([AC_PROG_SED]) - AC_LANG_PUSH([C]) - ax_pthread_ok=no - - # We used to check for pthread.h first, but this fails if pthread.h --# requires special compiler flags (e.g. on True64 or Sequent). -+# requires special compiler flags (e.g. on Tru64 or Sequent). - # It gets checked for in the link test anyway. - - # First of all, check if the user has set any of the PTHREAD_LIBS, - # etcetera environment variables, and if threads linking works using - # them: --if test x"$PTHREAD_LIBS$PTHREAD_CFLAGS" != x; then -- save_CFLAGS="$CFLAGS" -+if test "x$PTHREAD_CFLAGS$PTHREAD_LIBS" != "x"; then -+ ax_pthread_save_CC="$CC" -+ ax_pthread_save_CFLAGS="$CFLAGS" -+ ax_pthread_save_LIBS="$LIBS" -+ AS_IF([test "x$PTHREAD_CC" != "x"], [CC="$PTHREAD_CC"]) -+ AS_IF([test "x$PTHREAD_CXX" != "x"], [CXX="$PTHREAD_CXX"]) - CFLAGS="$CFLAGS $PTHREAD_CFLAGS" -- save_LIBS="$LIBS" - LIBS="$PTHREAD_LIBS $LIBS" -- AC_MSG_CHECKING([for pthread_join in LIBS=$PTHREAD_LIBS with CFLAGS=$PTHREAD_CFLAGS]) -- AC_TRY_LINK_FUNC([pthread_join], [ax_pthread_ok=yes]) -+ AC_MSG_CHECKING([for pthread_join using $CC $PTHREAD_CFLAGS $PTHREAD_LIBS]) -+ AC_LINK_IFELSE([AC_LANG_CALL([], [pthread_join])], [ax_pthread_ok=yes]) - AC_MSG_RESULT([$ax_pthread_ok]) -- if test x"$ax_pthread_ok" = xno; then -+ if test "x$ax_pthread_ok" = "xno"; then - PTHREAD_LIBS="" - PTHREAD_CFLAGS="" - fi -- LIBS="$save_LIBS" -- CFLAGS="$save_CFLAGS" -+ CC="$ax_pthread_save_CC" -+ CFLAGS="$ax_pthread_save_CFLAGS" -+ LIBS="$ax_pthread_save_LIBS" - fi - - # We must check for the threads library under a number of different -@@ -118,12 +129,14 @@ fi - # (e.g. DEC) have both -lpthread and -lpthreads, where one of the - # libraries is broken (non-POSIX). - --# Create a list of thread flags to try. 
Items starting with a "-" are --# C compiler flags, and other items are library names, except for "none" --# which indicates that we try without any flags at all, and "pthread-config" --# which is a program returning the flags for the Pth emulation library. -+# Create a list of thread flags to try. Items with a "," contain both -+# C compiler flags (before ",") and linker flags (after ","). Other items -+# starting with a "-" are C compiler flags, and remaining items are -+# library names, except for "none" which indicates that we try without -+# any flags at all, and "pthread-config" which is a program returning -+# the flags for the Pth emulation library. - --ax_pthread_flags="pthreads none -Kthread -kthread lthread -pthread -pthreads -mthreads pthread --thread-safe -mt pthread-config" -+ax_pthread_flags="pthreads none -Kthread -pthread -pthreads -mthreads pthread --thread-safe -mt pthread-config" - - # The ordering *is* (sometimes) important. Some notes on the - # individual items follow: -@@ -132,82 +145,163 @@ ax_pthread_flags="pthreads none -Kthread -kthread lthread -pthread -pthreads -mt - # none: in case threads are in libc; should be tried before -Kthread and - # other compiler flags to prevent continual compiler warnings - # -Kthread: Sequent (threads in libc, but -Kthread needed for pthread.h) --# -kthread: FreeBSD kernel threads (preferred to -pthread since SMP-able) --# lthread: LinuxThreads port on FreeBSD (also preferred to -pthread) --# -pthread: Linux/gcc (kernel threads), BSD/gcc (userland threads) --# -pthreads: Solaris/gcc --# -mthreads: Mingw32/gcc, Lynx/gcc -+# -pthread: Linux/gcc (kernel threads), BSD/gcc (userland threads), Tru64 -+# (Note: HP C rejects this with "bad form for `-t' option") -+# -pthreads: Solaris/gcc (Note: HP C also rejects) - # -mt: Sun Workshop C (may only link SunOS threads [-lthread], but it --# doesn't hurt to check since this sometimes defines pthreads too; --# also defines -D_REENTRANT) --# ... 
-mt is also the pthreads flag for HP/aCC -+# doesn't hurt to check since this sometimes defines pthreads and -+# -D_REENTRANT too), HP C (must be checked before -lpthread, which -+# is present but should not be used directly; and before -mthreads, -+# because the compiler interprets this as "-mt" + "-hreads") -+# -mthreads: Mingw32/gcc, Lynx/gcc - # pthread: Linux, etcetera - # --thread-safe: KAI C++ - # pthread-config: use pthread-config program (for GNU Pth library) - --case ${host_os} in -+case $host_os in -+ -+ freebsd*) -+ -+ # -kthread: FreeBSD kernel threads (preferred to -pthread since SMP-able) -+ # lthread: LinuxThreads port on FreeBSD (also preferred to -pthread) -+ -+ ax_pthread_flags="-kthread lthread $ax_pthread_flags" -+ ;; -+ -+ hpux*) -+ -+ # From the cc(1) man page: "[-mt] Sets various -D flags to enable -+ # multi-threading and also sets -lpthread." -+ -+ ax_pthread_flags="-mt -pthread pthread $ax_pthread_flags" -+ ;; -+ -+ openedition*) -+ -+ # IBM z/OS requires a feature-test macro to be defined in order to -+ # enable POSIX threads at all, so give the user a hint if this is -+ # not set. (We don't define these ourselves, as they can affect -+ # other portions of the system API in unpredictable ways.) -+ -+ AC_EGREP_CPP([AX_PTHREAD_ZOS_MISSING], -+ [ -+# if !defined(_OPEN_THREADS) && !defined(_UNIX03_THREADS) -+ AX_PTHREAD_ZOS_MISSING -+# endif -+ ], -+ [AC_MSG_WARN([IBM z/OS requires -D_OPEN_THREADS or -D_UNIX03_THREADS to enable pthreads support.])]) -+ ;; -+ - solaris*) - - # On Solaris (at least, for some versions), libc contains stubbed - # (non-functional) versions of the pthreads routines, so link-based -- # tests will erroneously succeed. (We need to link with -pthreads/-mt/ -- # -lpthread.) (The stubs are missing pthread_cleanup_push, or rather -- # a function called by this macro, so we could check for that, but -- # who knows whether they'll stub that too in a future libc.) 
So, -- # we'll just look for -pthreads and -lpthread first: -+ # tests will erroneously succeed. (N.B.: The stubs are missing -+ # pthread_cleanup_push, or rather a function called by this macro, -+ # so we could check for that, but who knows whether they'll stub -+ # that too in a future libc.) So we'll check first for the -+ # standard Solaris way of linking pthreads (-mt -lpthread). -+ -+ ax_pthread_flags="-mt,-lpthread pthread $ax_pthread_flags" -+ ;; -+esac -+ -+# Are we compiling with Clang? -+ -+AC_CACHE_CHECK([whether $CC is Clang], -+ [ax_cv_PTHREAD_CLANG], -+ [ax_cv_PTHREAD_CLANG=no -+ # Note that Autoconf sets GCC=yes for Clang as well as GCC -+ if test "x$GCC" = "xyes"; then -+ AC_EGREP_CPP([AX_PTHREAD_CC_IS_CLANG], -+ [/* Note: Clang 2.7 lacks __clang_[a-z]+__ */ -+# if defined(__clang__) && defined(__llvm__) -+ AX_PTHREAD_CC_IS_CLANG -+# endif -+ ], -+ [ax_cv_PTHREAD_CLANG=yes]) -+ fi -+ ]) -+ax_pthread_clang="$ax_cv_PTHREAD_CLANG" -+ -+ -+# GCC generally uses -pthread, or -pthreads on some platforms (e.g. SPARC) -+ -+# Note that for GCC and Clang -pthread generally implies -lpthread, -+# except when -nostdlib is passed. 
-+# This is problematic using libtool to build C++ shared libraries with pthread: -+# [1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=25460 -+# [2] https://bugzilla.redhat.com/show_bug.cgi?id=661333 -+# [3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=468555 -+# To solve this, first try -pthread together with -lpthread for GCC -+ -+AS_IF([test "x$GCC" = "xyes"], -+ [ax_pthread_flags="-pthread,-lpthread -pthread -pthreads $ax_pthread_flags"]) -+ -+# Clang takes -pthread (never supported any other flag), but we'll try with -lpthread first -+ -+AS_IF([test "x$ax_pthread_clang" = "xyes"], -+ [ax_pthread_flags="-pthread,-lpthread -pthread"]) - -- ax_pthread_flags="-pthreads pthread -mt -pthread $ax_pthread_flags" -+ -+# The presence of a feature test macro requesting re-entrant function -+# definitions is, on some systems, a strong hint that pthreads support is -+# correctly enabled -+ -+case $host_os in -+ darwin* | hpux* | linux* | osf* | solaris*) -+ ax_pthread_check_macro="_REENTRANT" - ;; - -- darwin*) -- ax_pthread_flags="-pthread $ax_pthread_flags" -+ aix*) -+ ax_pthread_check_macro="_THREAD_SAFE" - ;; --esac - --# Clang doesn't consider unrecognized options an error unless we specify --# -Werror. We throw in some extra Clang-specific options to ensure that --# this doesn't happen for GCC, which also accepts -Werror. 
-+ *) -+ ax_pthread_check_macro="--" -+ ;; -+esac -+AS_IF([test "x$ax_pthread_check_macro" = "x--"], -+ [ax_pthread_check_cond=0], -+ [ax_pthread_check_cond="!defined($ax_pthread_check_macro)"]) - --AC_MSG_CHECKING([if compiler needs -Werror to reject unknown flags]) --save_CFLAGS="$CFLAGS" --ax_pthread_extra_flags="-Werror" --CFLAGS="$CFLAGS $ax_pthread_extra_flags -Wunknown-warning-option -Wsizeof-array-argument" --AC_COMPILE_IFELSE([AC_LANG_PROGRAM([int foo(void);],[foo()])], -- [AC_MSG_RESULT([yes])], -- [ax_pthread_extra_flags= -- AC_MSG_RESULT([no])]) --CFLAGS="$save_CFLAGS" - --if test x"$ax_pthread_ok" = xno; then --for flag in $ax_pthread_flags; do -+if test "x$ax_pthread_ok" = "xno"; then -+for ax_pthread_try_flag in $ax_pthread_flags; do - -- case $flag in -+ case $ax_pthread_try_flag in - none) - AC_MSG_CHECKING([whether pthreads work without any flags]) - ;; - -+ *,*) -+ PTHREAD_CFLAGS=`echo $ax_pthread_try_flag | sed "s/^\(.*\),\(.*\)$/\1/"` -+ PTHREAD_LIBS=`echo $ax_pthread_try_flag | sed "s/^\(.*\),\(.*\)$/\2/"` -+ AC_MSG_CHECKING([whether pthreads work with "$PTHREAD_CFLAGS" and "$PTHREAD_LIBS"]) -+ ;; -+ - -*) -- AC_MSG_CHECKING([whether pthreads work with $flag]) -- PTHREAD_CFLAGS="$flag" -+ AC_MSG_CHECKING([whether pthreads work with $ax_pthread_try_flag]) -+ PTHREAD_CFLAGS="$ax_pthread_try_flag" - ;; - - pthread-config) - AC_CHECK_PROG([ax_pthread_config], [pthread-config], [yes], [no]) -- if test x"$ax_pthread_config" = xno; then continue; fi -+ AS_IF([test "x$ax_pthread_config" = "xno"], [continue]) - PTHREAD_CFLAGS="`pthread-config --cflags`" - PTHREAD_LIBS="`pthread-config --ldflags` `pthread-config --libs`" - ;; - - *) -- AC_MSG_CHECKING([for the pthreads library -l$flag]) -- PTHREAD_LIBS="-l$flag" -+ AC_MSG_CHECKING([for the pthreads library -l$ax_pthread_try_flag]) -+ PTHREAD_LIBS="-l$ax_pthread_try_flag" - ;; - esac - -- save_LIBS="$LIBS" -- save_CFLAGS="$CFLAGS" -+ ax_pthread_save_CFLAGS="$CFLAGS" -+ ax_pthread_save_LIBS="$LIBS" -+ 
CFLAGS="$CFLAGS $PTHREAD_CFLAGS" - LIBS="$PTHREAD_LIBS $LIBS" -- CFLAGS="$CFLAGS $PTHREAD_CFLAGS $ax_pthread_extra_flags" - - # Check for various functions. We must include pthread.h, - # since some functions may be macros. (On the Sequent, we -@@ -218,8 +312,18 @@ for flag in $ax_pthread_flags; do - # pthread_cleanup_push because it is one of the few pthread - # functions on Solaris that doesn't have a non-functional libc stub. - # We try pthread_create on general principles. -+ - AC_LINK_IFELSE([AC_LANG_PROGRAM([#include -- static void routine(void *a) { *((int*)a) = 0; } -+# if $ax_pthread_check_cond -+# error "$ax_pthread_check_macro must be defined" -+# endif -+ static void *some_global = NULL; -+ static void routine(void *a) -+ { -+ /* To avoid any unused-parameter or -+ unused-but-set-parameter warning. */ -+ some_global = a; -+ } - static void *start_routine(void *a) { return a; }], - [pthread_t th; pthread_attr_t attr; - pthread_create(&th, 0, start_routine, 0); -@@ -227,101 +331,187 @@ for flag in $ax_pthread_flags; do - pthread_attr_init(&attr); - pthread_cleanup_push(routine, 0); - pthread_cleanup_pop(0) /* ; */])], -- [ax_pthread_ok=yes], -- []) -+ [ax_pthread_ok=yes], -+ []) - -- LIBS="$save_LIBS" -- CFLAGS="$save_CFLAGS" -+ CFLAGS="$ax_pthread_save_CFLAGS" -+ LIBS="$ax_pthread_save_LIBS" - - AC_MSG_RESULT([$ax_pthread_ok]) -- if test "x$ax_pthread_ok" = xyes; then -- break; -- fi -+ AS_IF([test "x$ax_pthread_ok" = "xyes"], [break]) - - PTHREAD_LIBS="" - PTHREAD_CFLAGS="" - done - fi - -+ -+# Clang needs special handling, because older versions handle the -pthread -+# option in a rather... idiosyncratic way -+ -+if test "x$ax_pthread_clang" = "xyes"; then -+ -+ # Clang takes -pthread; it has never supported any other flag -+ -+ # (Note 1: This will need to be revisited if a system that Clang -+ # supports has POSIX threads in a separate library. This tends not -+ # to be the way of modern systems, but it's conceivable.) 
-+ -+ # (Note 2: On some systems, notably Darwin, -pthread is not needed -+ # to get POSIX threads support; the API is always present and -+ # active. We could reasonably leave PTHREAD_CFLAGS empty. But -+ # -pthread does define _REENTRANT, and while the Darwin headers -+ # ignore this macro, third-party headers might not.) -+ -+ # However, older versions of Clang make a point of warning the user -+ # that, in an invocation where only linking and no compilation is -+ # taking place, the -pthread option has no effect ("argument unused -+ # during compilation"). They expect -pthread to be passed in only -+ # when source code is being compiled. -+ # -+ # Problem is, this is at odds with the way Automake and most other -+ # C build frameworks function, which is that the same flags used in -+ # compilation (CFLAGS) are also used in linking. Many systems -+ # supported by AX_PTHREAD require exactly this for POSIX threads -+ # support, and in fact it is often not straightforward to specify a -+ # flag that is used only in the compilation phase and not in -+ # linking. Such a scenario is extremely rare in practice. -+ # -+ # Even though use of the -pthread flag in linking would only print -+ # a warning, this can be a nuisance for well-run software projects -+ # that build with -Werror. So if the active version of Clang has -+ # this misfeature, we search for an option to squash it. 
-+ -+ AC_CACHE_CHECK([whether Clang needs flag to prevent "argument unused" warning when linking with -pthread], -+ [ax_cv_PTHREAD_CLANG_NO_WARN_FLAG], -+ [ax_cv_PTHREAD_CLANG_NO_WARN_FLAG=unknown -+ # Create an alternate version of $ac_link that compiles and -+ # links in two steps (.c -> .o, .o -> exe) instead of one -+ # (.c -> exe), because the warning occurs only in the second -+ # step -+ ax_pthread_save_ac_link="$ac_link" -+ ax_pthread_sed='s/conftest\.\$ac_ext/conftest.$ac_objext/g' -+ ax_pthread_link_step=`AS_ECHO(["$ac_link"]) | sed "$ax_pthread_sed"` -+ ax_pthread_2step_ac_link="($ac_compile) && (echo ==== >&5) && ($ax_pthread_link_step)" -+ ax_pthread_save_CFLAGS="$CFLAGS" -+ for ax_pthread_try in '' -Qunused-arguments -Wno-unused-command-line-argument unknown; do -+ AS_IF([test "x$ax_pthread_try" = "xunknown"], [break]) -+ CFLAGS="-Werror -Wunknown-warning-option $ax_pthread_try -pthread $ax_pthread_save_CFLAGS" -+ ac_link="$ax_pthread_save_ac_link" -+ AC_LINK_IFELSE([AC_LANG_SOURCE([[int main(void){return 0;}]])], -+ [ac_link="$ax_pthread_2step_ac_link" -+ AC_LINK_IFELSE([AC_LANG_SOURCE([[int main(void){return 0;}]])], -+ [break]) -+ ]) -+ done -+ ac_link="$ax_pthread_save_ac_link" -+ CFLAGS="$ax_pthread_save_CFLAGS" -+ AS_IF([test "x$ax_pthread_try" = "x"], [ax_pthread_try=no]) -+ ax_cv_PTHREAD_CLANG_NO_WARN_FLAG="$ax_pthread_try" -+ ]) -+ -+ case "$ax_cv_PTHREAD_CLANG_NO_WARN_FLAG" in -+ no | unknown) ;; -+ *) PTHREAD_CFLAGS="$ax_cv_PTHREAD_CLANG_NO_WARN_FLAG $PTHREAD_CFLAGS" ;; -+ esac -+ -+fi # $ax_pthread_clang = yes -+ -+ -+ - # Various other checks: --if test "x$ax_pthread_ok" = xyes; then -- save_LIBS="$LIBS" -- LIBS="$PTHREAD_LIBS $LIBS" -- save_CFLAGS="$CFLAGS" -+if test "x$ax_pthread_ok" = "xyes"; then -+ ax_pthread_save_CFLAGS="$CFLAGS" -+ ax_pthread_save_LIBS="$LIBS" - CFLAGS="$CFLAGS $PTHREAD_CFLAGS" -+ LIBS="$PTHREAD_LIBS $LIBS" - - # Detect AIX lossage: JOINABLE attribute is called UNDETACHED. 
-- AC_MSG_CHECKING([for joinable pthread attribute]) -- attr_name=unknown -- for attr in PTHREAD_CREATE_JOINABLE PTHREAD_CREATE_UNDETACHED; do -- AC_LINK_IFELSE([AC_LANG_PROGRAM([#include ], -- [int attr = $attr; return attr /* ; */])], -- [attr_name=$attr; break], -- []) -- done -- AC_MSG_RESULT([$attr_name]) -- if test "$attr_name" != PTHREAD_CREATE_JOINABLE; then -- AC_DEFINE_UNQUOTED([PTHREAD_CREATE_JOINABLE], [$attr_name], -- [Define to necessary symbol if this constant -- uses a non-standard name on your system.]) -- fi -- -- AC_MSG_CHECKING([if more special flags are required for pthreads]) -- flag=no -- case ${host_os} in -- aix* | freebsd* | darwin*) flag="-D_THREAD_SAFE";; -- osf* | hpux*) flag="-D_REENTRANT";; -- solaris*) -- if test "$GCC" = "yes"; then -- flag="-D_REENTRANT" -- else -- # TODO: What about Clang on Solaris? -- flag="-mt -D_REENTRANT" -- fi -- ;; -- esac -- AC_MSG_RESULT([$flag]) -- if test "x$flag" != xno; then -- PTHREAD_CFLAGS="$flag $PTHREAD_CFLAGS" -- fi -+ AC_CACHE_CHECK([for joinable pthread attribute], -+ [ax_cv_PTHREAD_JOINABLE_ATTR], -+ [ax_cv_PTHREAD_JOINABLE_ATTR=unknown -+ for ax_pthread_attr in PTHREAD_CREATE_JOINABLE PTHREAD_CREATE_UNDETACHED; do -+ AC_LINK_IFELSE([AC_LANG_PROGRAM([#include ], -+ [int attr = $ax_pthread_attr; return attr /* ; */])], -+ [ax_cv_PTHREAD_JOINABLE_ATTR=$ax_pthread_attr; break], -+ []) -+ done -+ ]) -+ AS_IF([test "x$ax_cv_PTHREAD_JOINABLE_ATTR" != "xunknown" && \ -+ test "x$ax_cv_PTHREAD_JOINABLE_ATTR" != "xPTHREAD_CREATE_JOINABLE" && \ -+ test "x$ax_pthread_joinable_attr_defined" != "xyes"], -+ [AC_DEFINE_UNQUOTED([PTHREAD_CREATE_JOINABLE], -+ [$ax_cv_PTHREAD_JOINABLE_ATTR], -+ [Define to necessary symbol if this constant -+ uses a non-standard name on your system.]) -+ ax_pthread_joinable_attr_defined=yes -+ ]) -+ -+ AC_CACHE_CHECK([whether more special flags are required for pthreads], -+ [ax_cv_PTHREAD_SPECIAL_FLAGS], -+ [ax_cv_PTHREAD_SPECIAL_FLAGS=no -+ case $host_os in -+ solaris*) -+ 
ax_cv_PTHREAD_SPECIAL_FLAGS="-D_POSIX_PTHREAD_SEMANTICS" -+ ;; -+ esac -+ ]) -+ AS_IF([test "x$ax_cv_PTHREAD_SPECIAL_FLAGS" != "xno" && \ -+ test "x$ax_pthread_special_flags_added" != "xyes"], -+ [PTHREAD_CFLAGS="$ax_cv_PTHREAD_SPECIAL_FLAGS $PTHREAD_CFLAGS" -+ ax_pthread_special_flags_added=yes]) - - AC_CACHE_CHECK([for PTHREAD_PRIO_INHERIT], -- [ax_cv_PTHREAD_PRIO_INHERIT], [ -- AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], -- [[int i = PTHREAD_PRIO_INHERIT;]])], -- [ax_cv_PTHREAD_PRIO_INHERIT=yes], -- [ax_cv_PTHREAD_PRIO_INHERIT=no]) -+ [ax_cv_PTHREAD_PRIO_INHERIT], -+ [AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], -+ [[int i = PTHREAD_PRIO_INHERIT; -+ return i;]])], -+ [ax_cv_PTHREAD_PRIO_INHERIT=yes], -+ [ax_cv_PTHREAD_PRIO_INHERIT=no]) - ]) -- AS_IF([test "x$ax_cv_PTHREAD_PRIO_INHERIT" = "xyes"], -- [AC_DEFINE([HAVE_PTHREAD_PRIO_INHERIT], [1], [Have PTHREAD_PRIO_INHERIT.])]) -+ AS_IF([test "x$ax_cv_PTHREAD_PRIO_INHERIT" = "xyes" && \ -+ test "x$ax_pthread_prio_inherit_defined" != "xyes"], -+ [AC_DEFINE([HAVE_PTHREAD_PRIO_INHERIT], [1], [Have PTHREAD_PRIO_INHERIT.]) -+ ax_pthread_prio_inherit_defined=yes -+ ]) - -- LIBS="$save_LIBS" -- CFLAGS="$save_CFLAGS" -+ CFLAGS="$ax_pthread_save_CFLAGS" -+ LIBS="$ax_pthread_save_LIBS" - - # More AIX lossage: compile with *_r variant -- if test "x$GCC" != xyes; then -+ if test "x$GCC" != "xyes"; then - case $host_os in - aix*) - AS_CASE(["x/$CC"], -- [x*/c89|x*/c89_128|x*/c99|x*/c99_128|x*/cc|x*/cc128|x*/xlc|x*/xlc_v6|x*/xlc128|x*/xlc128_v6], -- [#handle absolute path differently from PATH based program lookup -- AS_CASE(["x$CC"], -- [x/*], -- [AS_IF([AS_EXECUTABLE_P([${CC}_r])],[PTHREAD_CC="${CC}_r"])], -- [AC_CHECK_PROGS([PTHREAD_CC],[${CC}_r],[$CC])])]) -+ [x*/c89|x*/c89_128|x*/c99|x*/c99_128|x*/cc|x*/cc128|x*/xlc|x*/xlc_v6|x*/xlc128|x*/xlc128_v6], -+ [#handle absolute path differently from PATH based program lookup -+ AS_CASE(["x$CC"], -+ [x/*], -+ [ -+ AS_IF([AS_EXECUTABLE_P([${CC}_r])],[PTHREAD_CC="${CC}_r"]) -+ 
AS_IF([test "x${CXX}" != "x"], [AS_IF([AS_EXECUTABLE_P([${CXX}_r])],[PTHREAD_CXX="${CXX}_r"])]) -+ ], -+ [ -+ AC_CHECK_PROGS([PTHREAD_CC],[${CC}_r],[$CC]) -+ AS_IF([test "x${CXX}" != "x"], [AC_CHECK_PROGS([PTHREAD_CXX],[${CXX}_r],[$CXX])]) -+ ] -+ ) -+ ]) - ;; - esac - fi - fi - - test -n "$PTHREAD_CC" || PTHREAD_CC="$CC" -+test -n "$PTHREAD_CXX" || PTHREAD_CXX="$CXX" - - AC_SUBST([PTHREAD_LIBS]) - AC_SUBST([PTHREAD_CFLAGS]) - AC_SUBST([PTHREAD_CC]) -+AC_SUBST([PTHREAD_CXX]) - - # Finally, execute ACTION-IF-FOUND/ACTION-IF-NOT-FOUND: --if test x"$ax_pthread_ok" = xyes; then -+if test "x$ax_pthread_ok" = "xyes"; then - ifelse([$1],,[AC_DEFINE([HAVE_PTHREAD],[1],[Define if you have POSIX threads libraries and header files.])],[$1]) - : - else -diff --git a/unbound-1.19.3/configure.ac b/unbound-1.19.3/configure.ac -index e0dedbe..34f2da7 100644 ---- a/unbound-1.19.3/configure.ac -+++ b/unbound-1.19.3/configure.ac -@@ -4,7 +4,7 @@ AC_PREREQ([2.56]) - sinclude(acx_nlnetlabs.m4) - sinclude(ax_pthread.m4) - sinclude(acx_python.m4) --sinclude(ac_pkg_swig.m4) -+sinclude(ax_pkg_swig.m4) - sinclude(dnstap/dnstap.m4) - sinclude(dnscrypt/dnscrypt.m4) - -@@ -795,9 +795,9 @@ if test x_$ub_test_python != x_no; then - ub_have_swig=no - AC_ARG_ENABLE(swig-version-check, AS_HELP_STRING([--disable-swig-version-check],[Disable swig version check to build python modules with older swig even though that is unreliable])) - if test "$enable_swig_version_check" = "yes"; then -- AC_PROG_SWIG(2.0.1) -+ AX_PKG_SWIG(2.0.1) - else -- AC_PROG_SWIG -+ AX_PKG_SWIG - fi - AC_MSG_CHECKING(SWIG) - if test ! -x "$SWIG"; then --- -2.44.0 - diff --git a/unbound-1.19-python3.12-Py_NoSiteFlag.patch b/unbound-1.19-python3.12-Py_NoSiteFlag.patch deleted file mode 100644 index 8d7125c..0000000 --- a/unbound-1.19-python3.12-Py_NoSiteFlag.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 4d66057470cd5c5533cb39b4e049c3ae48044090 Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Mon, 15 Apr 2024 13:43:58 +0200 -Subject: [PATCH] Py_NoSiteFlag is not needed since Python 3.8 - -Python since 3.12 prints warning about Py_NoSiteFlag is deprecated. It -seems that variable is not needed since Python 3.8, since it sets in -such cases directly config.site_import variable few moments later. -Move using deprecated variable to versions before that flag in config -could be used only. - -This should fix warning like: - -pythonmod/pythonmod.c: In function 'pythonmod_init': -pythonmod/pythonmod.c:359:7: warning: 'Py_NoSiteFlag' is deprecated [-Wdeprecated-declarations] - 359 | Py_NoSiteFlag = 1; - | ^~~~~~~~~~~~~ -In file included from /usr/include/python3.12/Python.h:48, - from pythonmod/pythonmod.c:54: -/usr/include/python3.12/cpython/pydebug.h:14:37: note: declared here - 14 | Py_DEPRECATED(3.12) PyAPI_DATA(int) Py_NoSiteFlag; - | ^~~~~~~~~~~~~ - -https://docs.python.org/3/c-api/init.html#c.Py_NoSiteFlag ---- - unbound-1.19.3/pythonmod/pythonmod.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/unbound-1.19.3/pythonmod/pythonmod.c b/unbound-1.19.3/pythonmod/pythonmod.c -index c6294a1..b8f2d62 100644 ---- a/unbound-1.19.3/pythonmod/pythonmod.c -+++ b/unbound-1.19.3/pythonmod/pythonmod.c -@@ -356,11 +356,11 @@ int pythonmod_init(struct module_env* env, int id) - return 0; - } - #endif -- Py_NoSiteFlag = 1; - #if PY_MAJOR_VERSION >= 3 - PyImport_AppendInittab(SWIG_name, (void*)SWIG_init); - #endif - #if PY_VERSION_HEX < 0x03080000 -+ Py_NoSiteFlag = 1; - Py_Initialize(); - #else - PyConfig_InitPythonConfig(&config); --- -2.44.0 - diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch index f350be8..f57207b 100644 --- a/unbound-fedora-config.patch +++ b/unbound-fedora-config.patch 
@@ -1,4 +1,4 @@ -From 17d4cc5fea24faa55358b7c36fdae0cd9bdd48b6 Mon Sep 17 00:00:00 2001 +From 79506679335ef1e02a960ccc7cfeda19348f5619 Mon Sep 17 00:00:00 2001 From: Petr Mensik Date: Fri, 10 Nov 2023 12:58:31 +0100 Subject: [PATCH] Customize unbound.conf for Fedora defaults @@ -7,13 +7,13 @@ Set some Fedora/RHEL specific changes to example configuration file. By patching upstream provided config file we would not need to manually update external copy in source RPM. --- - unbound-1.19.3/doc/example.conf.in | 194 ++++++++++++++++++----------- + unbound-1.20.0/doc/example.conf.in | 194 ++++++++++++++++++----------- 1 file changed, 124 insertions(+), 70 deletions(-) -diff --git a/unbound-1.19.3/doc/example.conf.in b/unbound-1.19.3/doc/example.conf.in -index d791cf8..af163b2 100644 ---- a/unbound-1.19.3/doc/example.conf.in -+++ b/unbound-1.19.3/doc/example.conf.in +diff --git a/unbound-1.20.0/doc/example.conf.in b/unbound-1.20.0/doc/example.conf.in +index 0368c8d..9ece701 100644 +--- a/unbound-1.20.0/doc/example.conf.in ++++ b/unbound-1.20.0/doc/example.conf.in @@ -17,11 +17,12 @@ server: # whitespace is not necessary, but looks cleaner. @@ -120,7 +120,7 @@ index d791cf8..af163b2 100644 # use IP_FREEBIND so the interface: addresses can be non-local # and you can bind to nonexisting IPs and interfaces that are down. -@@ -256,6 +275,8 @@ server: +@@ -276,6 +295,8 @@ server: # nat64-prefix: 64:ff9b::0/96 # Enable UDP, "yes" or "no". 
@@ -129,16 +129,16 @@ index d791cf8..af163b2 100644 # do-udp: yes # Enable TCP, "yes" or "no". -@@ -281,7 +302,7 @@ server: +@@ -301,7 +322,7 @@ server: # tcp-idle-timeout: 30000 # Enable EDNS TCP keepalive option. - # edns-tcp-keepalive: no + edns-tcp-keepalive: yes - # Timeout for EDNS TCP keepalive, in msec. - # edns-tcp-keepalive-timeout: 120000 -@@ -290,6 +311,9 @@ server: + # Timeout for EDNS TCP keepalive, in msec. Overrides tcp-idle-timeout + # if edns-tcp-keepalive is set. +@@ -311,6 +332,9 @@ server: # can be dropped. Default is 0, disabled. In seconds, such as 3. # sock-queue-timeout: 0 @@ -148,7 +148,7 @@ index d791cf8..af163b2 100644 # Use systemd socket activation for UDP, TCP, and control sockets. # use-systemd: no -@@ -403,6 +427,7 @@ server: +@@ -424,6 +448,7 @@ server: # # If you give "" no chroot is performed. The path must not end in a /. # chroot: "@UNBOUND_CHROOT_DIR@" @@ -156,7 +156,7 @@ index d791cf8..af163b2 100644 # if given, user privileges are dropped (after binding port), # and the given username is assumed. Default is user "unbound". -@@ -414,7 +439,7 @@ server: +@@ -435,7 +460,7 @@ server: # is not changed. # If you give a server: directory: dir before include: file statements # then those includes can be relative to the working directory. @@ -165,7 +165,7 @@ index d791cf8..af163b2 100644 # the log file, "" means log to stderr. # Use of this option sets use-syslog to "no". -@@ -429,7 +454,7 @@ server: +@@ -450,7 +475,7 @@ server: # log-identity: "" # print UTC timestamp in ascii to logfile, default is epoch in seconds. @@ -174,7 +174,7 @@ index d791cf8..af163b2 100644 # print one line with time, IP, name, type, class for every query. # log-queries: no -@@ -501,22 +526,22 @@ server: +@@ -522,22 +547,22 @@ server: # harden-large-queries: no # Harden against out of zone rrsets, to avoid spoofing attempts. 
@@ -201,7 +201,7 @@ index d791cf8..af163b2 100644 # Harden against algorithm downgrade when multiple algorithms are # advertised in the DS record. If no, allows the weakest algorithm -@@ -530,7 +555,7 @@ server: +@@ -551,7 +576,7 @@ server: # Sent minimum amount of information to upstream servers to enhance # privacy. Only sent minimum required labels of the QNAME and set QTYPE # to A when possible. @@ -210,7 +210,7 @@ index d791cf8..af163b2 100644 # QNAME minimisation in strict mode. Do not fall-back to sending full # QNAME to potentially broken nameservers. A lot of domains will not be -@@ -540,7 +565,7 @@ server: +@@ -561,7 +586,7 @@ server: # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN # and other denials, using information from previous NXDOMAINs answers. @@ -219,7 +219,7 @@ index d791cf8..af163b2 100644 # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. -@@ -573,7 +598,7 @@ server: +@@ -594,7 +619,7 @@ server: # threshold, a warning is printed and a defensive action is taken, # the cache is cleared to flush potential poison out of it. # A suggested value is 10000000, the default is 0 (turned off). @@ -228,7 +228,7 @@ index d791cf8..af163b2 100644 # Do not query the following addresses. No DNS queries are sent there. # List one address per entry. List classless netblocks with /size, -@@ -585,20 +610,20 @@ server: +@@ -606,20 +631,20 @@ server: # do-not-query-localhost: yes # if yes, perform prefetching of almost expired message cache entries. @@ -254,7 +254,7 @@ index d791cf8..af163b2 100644 # true to disable DNSSEC lameness check in iterator. # disable-dnssec-lame-check: no -@@ -608,7 +633,9 @@ server: +@@ -629,7 +654,9 @@ server: # most modules have to be listed at the beginning of the line, # except cachedb(just before iterator), and python (at the beginning, # or, just before the iterator). 
@@ -265,7 +265,7 @@ index d791cf8..af163b2 100644 # File with trusted keys, kept uptodate using RFC5011 probes, # initial file like trust-anchor-file, then it stores metadata. -@@ -622,10 +649,10 @@ server: +@@ -643,10 +670,10 @@ server: # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" # trust anchor signaling sends a RFC8145 key tag query after priming. @@ -278,7 +278,7 @@ index d791cf8..af163b2 100644 # File with trusted keys for validation. Specify more than one file # with several entries, one file per entry. -@@ -646,6 +673,9 @@ server: +@@ -667,6 +694,9 @@ server: # the trusted-keys { name flag proto algo "key"; }; clauses are read. # you need external update procedures to track changes in keys. # trusted-keys-file: "" @@ -288,7 +288,7 @@ index d791cf8..af163b2 100644 # Ignore chain of trust. Domain is treated as insecure. # domain-insecure: "example.com" -@@ -673,14 +703,15 @@ server: +@@ -694,14 +724,15 @@ server: # unsecure data. Useful to shield the users of this validator from # potential bogus data in the additional section. All unsigned data # in the additional section is removed from secure messages. @@ -306,7 +306,7 @@ index d791cf8..af163b2 100644 # Ignore the CD flag in incoming queries and refuse them bogus data. # Enable it if the only clients of Unbound are legacy servers (w2008) -@@ -694,11 +725,11 @@ server: +@@ -715,11 +746,11 @@ server: # Serve expired responses from cache, with serve-expired-reply-ttl in # the response, and then attempt to fetch the data afresh. @@ -320,7 +320,7 @@ index d791cf8..af163b2 100644 # # Set the TTL of expired records to the serve-expired-ttl value after a # failed attempt to retrieve the record from upstream. This makes sure -@@ -725,7 +756,7 @@ server: +@@ -746,7 +777,7 @@ server: # Have the validator log failed validations for your diagnosis. # 0: off. 1: A line per failed user query. 2: With reason and bad IP. 
@@ -329,7 +329,7 @@ index d791cf8..af163b2 100644 # It is possible to configure NSEC3 maximum iteration counts per # keysize. Keep this table very short, as linear search is done. -@@ -869,6 +900,8 @@ server: +@@ -890,6 +921,8 @@ server: # you need to do the reverse notation yourself. # local-data-ptr: "192.0.2.3 www.example.com" @@ -338,7 +338,7 @@ index d791cf8..af163b2 100644 # tag a localzone with a list of tag names (in "" with spaces between) # local-zone-tag: "example.com" "tag2 tag3" -@@ -879,8 +912,8 @@ server: +@@ -900,8 +933,8 @@ server: # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. # Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. @@ -349,7 +349,7 @@ index d791cf8..af163b2 100644 # tls-port: 853 # https-port: 443 -@@ -888,6 +921,8 @@ server: +@@ -909,6 +942,8 @@ server: # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" # cipher setting for TLSv1.3 # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" @@ -358,7 +358,7 @@ index d791cf8..af163b2 100644 # Pad responses to padded queries received over TLS # pad-responses: yes -@@ -1024,12 +1059,12 @@ server: +@@ -1045,12 +1080,12 @@ server: # cookie-secret: <128 bit random hex string> # Enable to attach Extended DNS Error codes (RFC8914) to responses. @@ -373,7 +373,7 @@ index d791cf8..af163b2 100644 # Specific options for ipsecmod. Unbound needs to be configured with # --enable-ipsecmod for these to take effect. -@@ -1037,12 +1072,14 @@ server: +@@ -1058,12 +1093,14 @@ server: # Enable or disable ipsecmod (it still needs to be defined in # module-config above). Can be used when ipsecmod needs to be # enabled/disabled via remote-control(below). 
@@ -391,7 +391,7 @@ index d791cf8..af163b2 100644 # When enabled Unbound will reply with SERVFAIL if the return value of # the ipsecmod-hook is not 0. # ipsecmod-strict: no -@@ -1075,7 +1112,7 @@ server: +@@ -1096,7 +1133,7 @@ server: # o and give a python-script to run. python: # Script file to load @@ -400,7 +400,7 @@ index d791cf8..af163b2 100644 # Dynamic library config section. To enable: # o use --with-dynlibmodule to configure before compiling. -@@ -1086,13 +1123,14 @@ python: +@@ -1107,13 +1144,14 @@ python: # the module-config then you need one dynlib-file per instance. dynlib: # Script file to load @@ -417,7 +417,7 @@ index d791cf8..af163b2 100644 # what interfaces are listened to for remote control. # give 0.0.0.0 and ::0 to listen to all interfaces. -@@ -1100,6 +1138,7 @@ remote-control: +@@ -1121,6 +1159,7 @@ remote-control: # are not used for that, so key and cert files need not be present. # control-interface: 127.0.0.1 # control-interface: ::1 @@ -425,7 +425,7 @@ index d791cf8..af163b2 100644 # port number for remote control operations. # control-port: 8953 -@@ -1109,16 +1148,19 @@ remote-control: +@@ -1130,16 +1169,19 @@ remote-control: # control-use-cert: "yes" # Unbound server key file. @@ -449,7 +449,7 @@ index d791cf8..af163b2 100644 # Stub zones. # Create entries like below, to make all queries for 'example.com' and -@@ -1140,6 +1182,10 @@ remote-control: +@@ -1161,6 +1203,10 @@ remote-control: # name: "example.org" # stub-host: ns.example.com. @@ -460,7 +460,7 @@ index d791cf8..af163b2 100644 # Forward zones # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of servers. These servers have to handle -@@ -1157,6 +1203,10 @@ remote-control: +@@ -1178,6 +1224,10 @@ remote-control: # forward-zone: # name: "example.org" # forward-host: fwd.example.com 
@@ -471,7 +471,7 @@ index d791cf8..af163b2 100644 # Authority zones # The data for these zones is kept locally, from a file or downloaded. -@@ -1167,27 +1217,28 @@ remote-control: +@@ -1188,27 +1238,28 @@ remote-control: # download it), primary: fetches with AXFR and IXFR, or url to zonefile. # With allow-notify: you can give additional (apart from primaries and urls) # sources of notifies. @@ -521,7 +521,7 @@ index d791cf8..af163b2 100644 # auth-zone: # name: "example.org" # for-downstream: yes -@@ -1213,6 +1264,9 @@ remote-control: +@@ -1234,6 +1285,9 @@ remote-control: # name: "anotherview" # local-zone: "example.com" refuse @@ -531,7 +531,7 @@ index d791cf8..af163b2 100644 # DNSCrypt # To enable, use --enable-dnscrypt to configure before compiling. # Caveats: -@@ -1285,7 +1339,7 @@ remote-control: +@@ -1309,7 +1363,7 @@ remote-control: # dnstap-enable: no # # if set to yes frame streams will be used in bidirectional mode # dnstap-bidirectional: yes diff --git a/unbound.spec b/unbound.spec index 40bfc39..17c922b 100644 --- a/unbound.spec +++ b/unbound.spec @@ -6,6 +6,8 @@ %bcond_without doh %bcond_with redis +%global forgeurl0 https://github.com/NLnetLabs/unbound +%global downloads https://nlnetlabs.nl/downloads %global _hardened_build 1 #global extra_version rc1 @@ -30,11 +32,12 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.19.3 +Version: 1.20.0 Release: %autorelease %{?extra_version:-e %{extra_version}} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ -Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz +VCS: git:%{forgeurl0} +Source: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz Source1: unbound.service Source3: unbound.munin Source4: unbound_munin_ 
@@ -50,7 +53,7 @@ Source14: unbound.sysconfig Source15: unbound-anchor.timer Source16: unbound-munin.README Source17: unbound-anchor.service -Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc +Source18: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc # source: https://nlnetlabs.nl/people/ Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key Source20: unbound.sysusers @@ -58,10 +61,6 @@ Source21: remote-control.conf # Downstream configuration changes Patch1: unbound-fedora-config.patch -# https://github.com/NLnetLabs/unbound/pull/1048 -Patch2: unbound-1.19-autoconf-m4.patch -# https://github.com/NLnetLabs/unbound/pull/1049 -Patch3: unbound-1.19-python3.12-Py_NoSiteFlag.patch BuildRequires: gcc, make BuildRequires: openssl-devel From 2ee03600906ffdf666a076bf38420868d9677b44 Mon Sep 17 00:00:00 2001 From: Python Maint Date: Fri, 7 Jun 2024 09:08:20 +0200 Subject: [PATCH 10/62] Rebuilt for Python 3.13 From b1fbf13e87c44119d2222dfb84613b75ed0fcae0 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 20 Jul 2024 08:14:07 +0000 Subject: [PATCH 11/62] Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild From c7eee55bc6895c723d68fddec757d3f173b675b1 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Wed, 25 Sep 2024 13:09:58 +0200 Subject: [PATCH 12/62] Update to 1.21.0 (rhbz#2305092) Features: - Fix #1071: [FR] Clear both in-memory and cachedb module cache with `unbound-control flush*` commands. - Fix #144: Port ipset to BSD pf tables. - Add dnstap-sample-rate that logs only 1/N messages, for high volume server environments. Thanks Dan Luther. - Add root key 38696 from 2024 for DNSSEC validation. It is added to the default root keys in unbound-anchor. The content can be inspected with `unbound-anchor -l`. - Merge #1090: Cookie secret file. Adds `cookie-secret-file: "unbound_cookiesecrets.txt"` option to store cookie secrets for EDNS COOKIE secret rollover. The remote control add_cookie_secret, activate_cookie_secret and drop_cookie_secret commands can be used for rollover, the command print_cookie_secrets shows the values in use. Lot of Bugs fixes. https://nlnetlabs.nl/projects/unbound/download/#unbound-1-21-0 --- .gitignore | 2 ++ sources | 4 ++-- unbound-fedora-config.patch | 42 +++++++++++++++++++------------------ unbound.spec | 2 +- 4 files changed, 27 insertions(+), 23 deletions(-) diff --git a/.gitignore b/.gitignore index 2ad282d..a89efdb 100644 --- a/.gitignore +++ b/.gitignore @@ -89,3 +89,5 @@ unbound-1.4.5.tar.gz /unbound-1.19.3.tar.gz.asc /unbound-1.20.0.tar.gz /unbound-1.20.0.tar.gz.asc +/unbound-1.21.0.tar.gz +/unbound-1.21.0.tar.gz.asc diff --git a/sources b/sources index 5a055a7..01a2cff 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (unbound-1.20.0.tar.gz) = 2f6bc76c03b71ca1c2cd2331dc72d62f51493d15e17c59af46b400e542fcabff22e6b9d33f750a3e5f918a0116f45afa760651b2d5aa2feadac151cbbd71b0bd -SHA512 (unbound-1.20.0.tar.gz.asc) = 1586a320077c606c5c19f251615df54a61854f51acca02df1d391dcc2287aff2c641b009aeee1a98392f63719d70b6bac23ebb7d86b780f8a27cda6e114fc0ad +SHA512 (unbound-1.21.0.tar.gz) = 481534271f443d72635025c79b83bb71bb77b96ae81ec74c7f82f1e958160f5d75489931bdbdf460a72c871268d33628be990d6acf3c5303f04f7ff347ad83c1 +SHA512 (unbound-1.21.0.tar.gz.asc) = 931181070e5ca6c9d6525bbaee5f2b556f36658c879dd63084d8059c83a122bee379720d80952420a116a9837c3ba1793917a2372167464e7a6b2e0520c69230 diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch index f57207b..ea4d6e9 100644 --- a/unbound-fedora-config.patch +++ b/unbound-fedora-config.patch @@ -1,4 +1,4 @@ -From 79506679335ef1e02a960ccc7cfeda19348f5619 Mon Sep 17 00:00:00 2001 +From 88d3d8e8a28752b80a4bfd4ab2baaf45554a89a1 Mon Sep 17 00:00:00 2001 From: Petr Mensik Date: Fri, 10 Nov 2023 12:58:31 +0100 Subject: [PATCH] Customize unbound.conf for Fedora defaults @@ -7,13 +7,13 @@ Set some Fedora/RHEL specific changes to example configuration file. By patching upstream provided config file we would not need to manually update external copy in source RPM. --- - unbound-1.20.0/doc/example.conf.in | 194 ++++++++++++++++++----------- - 1 file changed, 124 insertions(+), 70 deletions(-) + unbound-1.21.0/doc/example.conf.in | 196 ++++++++++++++++++----------- + 1 file changed, 126 insertions(+), 70 deletions(-) -diff --git a/unbound-1.20.0/doc/example.conf.in b/unbound-1.20.0/doc/example.conf.in -index 0368c8d..9ece701 100644 ---- a/unbound-1.20.0/doc/example.conf.in -+++ b/unbound-1.20.0/doc/example.conf.in +diff --git a/unbound-1.21.0/doc/example.conf.in b/unbound-1.21.0/doc/example.conf.in +index 130cb4e..7174d81 100644 +--- a/unbound-1.21.0/doc/example.conf.in ++++ b/unbound-1.21.0/doc/example.conf.in 
@@ -17,11 +17,12 @@ server: # whitespace is not necessary, but looks cleaner. @@ -358,22 +358,24 @@ index 0368c8d..9ece701 100644 # Pad responses to padded queries received over TLS # pad-responses: yes -@@ -1045,12 +1080,12 @@ server: - # cookie-secret: <128 bit random hex string> +@@ -1050,12 +1085,14 @@ server: + # cookie-secret-file: "/usr/local/etc/unbound_cookiesecrets.txt" # Enable to attach Extended DNS Error codes (RFC8914) to responses. - # ede: no ++ # Fedora defaults to yes. + ede: yes # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale # Answer as EDNS0 option to expired responses. # Note that the ede option above needs to be enabled for this to work. - # ede-serve-expired: no ++ # Fedora defaults to yes. + ede-serve-expired: yes # Specific options for ipsecmod. Unbound needs to be configured with # --enable-ipsecmod for these to take effect. -@@ -1058,12 +1093,14 @@ server: +@@ -1063,12 +1100,14 @@ server: # Enable or disable ipsecmod (it still needs to be defined in # module-config above). Can be used when ipsecmod needs to be # enabled/disabled via remote-control(below). @@ -391,7 +393,7 @@ index 0368c8d..9ece701 100644 # When enabled Unbound will reply with SERVFAIL if the return value of # the ipsecmod-hook is not 0. # ipsecmod-strict: no -@@ -1096,7 +1133,7 @@ server: +@@ -1101,7 +1140,7 @@ server: # o and give a python-script to run. python: # Script file to load @@ -400,7 +402,7 @@ index 0368c8d..9ece701 100644 # Dynamic library config section. To enable: # o use --with-dynlibmodule to configure before compiling. -@@ -1107,13 +1144,14 @@ python: +@@ -1112,13 +1151,14 @@ python: # the module-config then you need one dynlib-file per instance. dynlib: # Script file to load 
@@ -417,7 +419,7 @@ index 0368c8d..9ece701 100644 # what interfaces are listened to for remote control. # give 0.0.0.0 and ::0 to listen to all interfaces. -@@ -1121,6 +1159,7 @@ remote-control: +@@ -1126,6 +1166,7 @@ remote-control: # are not used for that, so key and cert files need not be present. # control-interface: 127.0.0.1 # control-interface: ::1 @@ -425,7 +427,7 @@ index 0368c8d..9ece701 100644 # port number for remote control operations. # control-port: 8953 -@@ -1130,16 +1169,19 @@ remote-control: +@@ -1135,16 +1176,19 @@ remote-control: # control-use-cert: "yes" # Unbound server key file. @@ -449,7 +451,7 @@ index 0368c8d..9ece701 100644 # Stub zones. # Create entries like below, to make all queries for 'example.com' and -@@ -1161,6 +1203,10 @@ remote-control: +@@ -1166,6 +1210,10 @@ remote-control: # name: "example.org" # stub-host: ns.example.com. @@ -460,7 +462,7 @@ index 0368c8d..9ece701 100644 # Forward zones # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of servers. These servers have to handle -@@ -1178,6 +1224,10 @@ remote-control: +@@ -1183,6 +1231,10 @@ remote-control: # forward-zone: # name: "example.org" # forward-host: fwd.example.com @@ -471,7 +473,7 @@ index 0368c8d..9ece701 100644 # Authority zones # The data for these zones is kept locally, from a file or downloaded. -@@ -1188,27 +1238,28 @@ remote-control: +@@ -1193,27 +1245,28 @@ remote-control: # download it), primary: fetches with AXFR and IXFR, or url to zonefile. # With allow-notify: you can give additional (apart from primaries and urls) # sources of notifies. @@ -521,7 +523,7 @@ index 0368c8d..9ece701 100644 # auth-zone: # name: "example.org" # for-downstream: yes -@@ -1234,6 +1285,9 @@ remote-control: +@@ -1239,6 +1292,9 @@ remote-control: # name: "anotherview" # local-zone: "example.com" refuse 
@@ -531,7 +533,7 @@ index 0368c8d..9ece701 100644 # DNSCrypt # To enable, use --enable-dnscrypt to configure before compiling. # Caveats: -@@ -1309,7 +1363,7 @@ remote-control: +@@ -1314,7 +1370,7 @@ remote-control: # dnstap-enable: no # # if set to yes frame streams will be used in bidirectional mode # dnstap-bidirectional: yes @@ -541,5 +543,5 @@ index 0368c8d..9ece701 100644 # # set it to "IPaddress[@port]" of the destination. # dnstap-ip: "" -- -2.44.0 +2.46.0 diff --git a/unbound.spec b/unbound.spec index 17c922b..10281a5 100644 --- a/unbound.spec +++ b/unbound.spec @@ -32,7 +32,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.20.0 +Version: 1.21.0 Release: %autorelease %{?extra_version:-e %{extra_version}} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ From 9f287be368da5673ad1843c19f1239618441c830 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Wed, 25 Sep 2024 13:29:49 +0200 Subject: [PATCH 13/62] Enable native dynamic modules Support modules similar to pythom modules, but implemented in native code. --- unbound.spec | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index 10281a5..99c0c32 100644 --- a/unbound.spec +++ b/unbound.spec @@ -242,7 +242,8 @@ cp -a %{dir_primary} %{dir_secondary} --with-rootkey-file=%{_sharedstatedir}/%{name}/root.key \\\ --with-username=unbound \\\ --enable-linux-ip-local-port-range \\\ - + --with-dynlibmodule \\\ +# pushd %{dir_primary} From 06a30c3c57e19f8f67a973111e9243f0751026c9 Mon Sep 17 00:00:00 2001 
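Review bot: The new `--with-dynlibmodule \\\` line in the last hunk (unbound.spec, @@ -242,7 +242,8 @@) adds a privilege-relevant build option without a comment: once the dynlib module is compiled in, a `dynlib-file:` entry in unbound.conf loads a native shared object into the resolver process, so anyone who can edit the configuration can run arbitrary code with the daemon's privileges — already true of the python module, but worth recording next to the flag. I would add `# dynlib: unbound.conf dynlib-file: loads native modules into the daemon; keep the config root-writable only` above the new line. The bare `#` added right after it appears to be what now terminates the backslash continuation of the macro; a short `# end of configure flags (keep)` would stop a later cleanup from deleting it.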
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Wed, 25 Sep 2024 14:18:27 +0200 Subject: [PATCH 14/62] Remove additional subdirectory for python3 build Python2 builds are not common anymore. Make basic unbound directory for primary build in normal default directory. Try subdirectory only for alternative secondary build, if enabled. --- unbound-fedora-config.patch | 10 +++++----- unbound.spec | 27 ++++----------------------- 2 files changed, 9 insertions(+), 28 deletions(-) diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch index ea4d6e9..b4803b6 100644 --- a/unbound-fedora-config.patch +++ b/unbound-fedora-config.patch @@ -1,4 +1,4 @@ -From 88d3d8e8a28752b80a4bfd4ab2baaf45554a89a1 Mon Sep 17 00:00:00 2001 +From 71cbef33920b3b5704be7eab399da506ab51cde1 Mon Sep 17 00:00:00 2001 From: Petr Mensik Date: Fri, 10 Nov 2023 12:58:31 +0100 Subject: [PATCH] Customize unbound.conf for Fedora defaults @@ -7,13 +7,13 @@ Set some Fedora/RHEL specific changes to example configuration file. By patching upstream provided config file we would not need to manually update external copy in source RPM. --- - unbound-1.21.0/doc/example.conf.in | 196 ++++++++++++++++++----------- + doc/example.conf.in | 196 ++++++++++++++++++++++++++++---------------- 1 file changed, 126 insertions(+), 70 deletions(-) -diff --git a/unbound-1.21.0/doc/example.conf.in b/unbound-1.21.0/doc/example.conf.in +diff --git a/doc/example.conf.in b/doc/example.conf.in index 130cb4e..7174d81 100644 ---- a/unbound-1.21.0/doc/example.conf.in -+++ b/unbound-1.21.0/doc/example.conf.in +--- a/doc/example.conf.in ++++ b/doc/example.conf.in @@ -17,11 +17,12 @@ server: # whitespace is not necessary, but looks cleaner. diff --git a/unbound.spec b/unbound.spec index 99c0c32..7f63453 100644 --- a/unbound.spec +++ b/unbound.spec 
@@ -198,22 +198,15 @@ Python 3 modules and extensions for unbound %global pkgname %{name}-%{version}%{?extra_version} %if 0%{with_python2} && 0%{with_python3} -%global dir_primary %{pkgname}_python3 %global python_primary %{__python3} %global dir_secondary %{pkgname}_python2 %global python_secondary %{__python2} -%else -%global dir_primary %{pkgname} %endif -%autosetup -c -N -n %{pkgname} +%autosetup -N -n %{pkgname} -pushd %{pkgname} # patches go here -%autopatch -p2 - -# copy common doc files - after here, since it may be patched -cp -pr doc pythonmod libunbound ../ +%autopatch -p1 %if 0%{?rhel} > 8 # SHA-1 breaks some tests. Disable just some tests because of that. @@ -223,11 +216,9 @@ cp -pr doc pythonmod libunbound ../ mv testdata/${TEST}.rpl{,-disabled} done %endif -popd %if 0%{with_python2} && 0%{with_python3} -mv %{pkgname} %{dir_primary} -cp -a %{dir_primary} %{dir_secondary} + cp -a . %{dir_secondary} %endif %build @@ -245,14 +236,13 @@ cp -a %{dir_primary} %{dir_secondary} --with-dynlibmodule \\\ # -pushd %{dir_primary} - # always regenerate configure rm -f config.h.in aclocal.m4 configure ltmain.sh rm -f {ax_pthread,ax_swig_python}.m4 cp -p %{_datadir}/aclocal/{ax_pthread,ax_swig_python}.m4 . # ensure bison is used to generate fresh parser rm -f util/configparser.{c,h} util/configlexer.c + autoreconf -fiv %configure \ @@ -280,8 +270,6 @@ autoreconf -fiv %make_build %make_build streamtcp -popd - %if 0%{?python_secondary:1} pushd %{dir_secondary} %configure \ @@ -309,11 +297,9 @@ pushd %{dir_secondary} popd %endif -pushd %{dir_primary} %make_install unbound-event-install install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp install -p -m 0644 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf -popd install -d -m 0755 %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service 
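Review bot: `cp -a . %{dir_secondary}` in the first hunk copies the source tree into a directory created inside that same tree, because `%{dir_secondary}` is the relative path `%{pkgname}_python2` and the `pushd %{pkgname}` / `mv` that used to keep both copies side by side are removed. As far as I recall GNU cp refuses that self-copy with "cannot copy a directory ... into itself" and exits non-zero, which would abort %prep under the `-e` shell rpmbuild uses; the branch is only reached when both with_python2 and with_python3 are set, so it is latent today. If I follow the layout correctly, pointing the secondary tree outside the source directory, `%global dir_secondary ../%{pkgname}_python2`, fixes it while leaving the later `pushd %{dir_secondary}` lines in %build, %install and %check unchanged.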
@@ -334,11 +320,9 @@ for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unboun done %endif -pushd %{dir_primary} # install streamtcp man page install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1 install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc -popd # Install tmpfiles.d config install -d -m 0755 %{buildroot}%{_tmpfilesdir} %{buildroot}%{_sharedstatedir}/unbound @@ -410,15 +394,12 @@ fi %systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer %check -pushd %{dir_primary} #pushd pythonmod #make test #popd make check -popd - %if 0%{?python_secondary:1} pushd %{dir_secondary} #pushd pythonmod From 07478f417b441a971876719f37cca3a8bb0790f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 3 Oct 2024 13:25:37 +0200 Subject: [PATCH 15/62] Disable SHA1 support to work with new default crypto-policy https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer Similar to RHEL9+, Fedora now does not allow using any SHA-1 hash for signature verification. This makes our unbound violate rfc 8624. This method of disabling sha1 at all times does not support validating in DEFAULT:SHA1 policy, where SHA1 algorithm would be accepted. That would require more complex machinery, which is not finished unfortunately. This change makes our unbound unsupporting SHA1, no matter which crypto policy is active. Resolves: rhbz#2301344 --- unbound.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index 7f63453..78ef319 100644 --- a/unbound.spec +++ b/unbound.spec @@ -258,7 +258,7 @@ autoreconf -fiv %if %{with doh} --with-libnghttp2 \ %endif -%if 0%{?rhel} +%if 0%{?rhel} || 0%{?fedora} > 40 --disable-sha1 \ %endif %if %{with redis} From a74fe60f128b54225df7106efc0becb1a48b44ba Mon Sep 17 00:00:00 2001 
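Review bot: The widened condition `%if 0%{?rhel} || 0%{?fedora} > 40` around `--disable-sha1` in the last hunk removes the SHA-1 DNSSEC algorithms at build time with no comment in the spec, while the commit message itself records that this departs from RFC 8624 and ignores a DEFAULT:SHA1 crypto-policy; that reasoning belongs next to the condition, since a reader of the spec alone cannot tell whether the Fedora half is deliberate. As far as I know unbound treats a zone whose DS set offers only unsupported algorithms as insecure rather than bogus, so the practical effect is that SHA-1-only zones silently lose validation instead of failing, which operators should be able to find out from the spec. I would put `# Built without SHA-1 regardless of the active crypto-policy (OpenSSLDistrustSHA1SigVer); diverges from RFC 8624, see commit message` above the `%if`.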
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 3 Oct 2024 21:24:40 +0200 Subject: [PATCH 16/62] Update to 1.21.1 (rbhz#2316313) https://github.com/NLnetLabs/unbound/releases/tag/release-1.21.1 A vulnerability has been discovered in Unbound when handling replies with very large RRsets that Unbound needs to perform name compression for. --- .gitignore | 2 + Yorgos.asc | 128 +++++++++++++++++++++++++++++++++++++++++++++++++++ sources | 4 +- unbound.spec | 5 +- 4 files changed, 135 insertions(+), 4 deletions(-) create mode 100644 Yorgos.asc diff --git a/.gitignore b/.gitignore index a89efdb..149c0ab 100644 --- a/.gitignore +++ b/.gitignore @@ -91,3 +91,5 @@ unbound-1.4.5.tar.gz /unbound-1.20.0.tar.gz.asc /unbound-1.21.0.tar.gz /unbound-1.21.0.tar.gz.asc +/unbound-1.21.1.tar.gz +/unbound-1.21.1.tar.gz.asc diff --git a/Yorgos.asc b/Yorgos.asc new file mode 100644 index 0000000..e18ec55 --- /dev/null +++ b/Yorgos.asc 
@@ -0,0 +1,128 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFfYHeYBEAC/8SdeXNspt9ZIoZRSL9juNLHA17TXcHdKSthgWBtwwWZbUPq8 +SJr7Y+hr6jMCDKY9800QzLF0nLkyXnZgaBcvR0rRbCT/qvALJ0fpfjcotapZ1hBv +omb9s8Bo28uKn8tbTMXYNsElUae4Ch/CrU1vfe50YoyQgLR8UBa15gV+2RmC+6jI +qxDYS8sylWlDn6Qim+77feLlObPnNdzgfWGZo14eJByTsz0qrh8aS/BS1FAsnEQ6 +W6AqukhpuKuWvoAUXKjfguXQolxeexubmKaLcGOTvecw+cbh/a5SPHRtRVr9qTxp +elk6UEpakY5K9UtZkrG55VWih/4KqY9bNyhJBtpAk1fXA+mYfx5BcFpECYdU9kz4 +UgV5jK0HYRHQTLC91PPVQgH86we+Aae6TaJneCLEIzBK36TgAP8RKrvFfPUym5OP +YbWOom27QTKfRVcyxPKglJxrTSWixnKWS/pqxNY8hF9Ne4crRAF4wX2yBVbGnjNr +S9TpYmjMwURbuYm+rWZk/8w5OJG60V3wax56c0jn/42O3Y2hzQ+PbOv2M4UuuajS +2YL3/KUsRLBapUpPQjzChwzdr/vzFEhk9XxK2VGMN+dh2HjYwDFendc5csyt/cVr +g3LssVS2bKy5g3IhrzCKAk0Sky4S5t/mcN+lWztNvCijuLz58GCym5GwJQARAQAB +tCtZb3Jnb3MgVGhlc3NhbG9uaWtlZnMgPHlvcmdvc0BubG5ldGxhYnMubmw+iQJX +BBMBCABBAhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAhkBFiEElI60IyLF0At5 +NA9dz/M0TZCHpJAFAmbz0CwFCRD85cYACgkQz/M0TZCHpJBVnhAAkcd79Twxj/tt +C4q2Xpq75+Ew6YR9gLqYiV5vEd6fu0oyhuVoUlfTkjH4ALIoGIKaO9yAVUXsrGrs +n1aJPo1Mw3q6mIwtQOxXz/W44LuFzcvZkHtCYX4YyLrUHXZPvl+r4eYkTOcyyQMU +BmbuvWhufv8MBilvWltQLxfLlgihbfuIrxqjAYDhqCffpgUiZyCut2rrenIgeh1f +DvC+GjZ3cfb1UsIpzm19yr4NCiTHkLkCOAAcAUFwWWeO/jfUsSvFQEHUnYNRREzI +Lth9NlKwPtsOVi+wcNnWQtFQb11BMr407xBib7hLSIFiqvOiYgQABjZdWN+snCRP +ZZSruigjE9ateOloJwmBqrSJLAywxvDE0ivqfSj51W5eJc/JLSXvjrOuW28dJCr8 +RV9PjC9X7zuTiFLzV8SVH71Z43Rix8n7AOp3wgRe3SygEyQXPj4qbm5HHVsx9GEA +zn495L99dJ4wZgjkbEsGhzwUx7N9FHEGS/sz3LiEq+ZYckR6gzTMMrQJgbsS9lnK +9xlXsp37uIYvx9W9JZXtS+AZhw0q3osMYBF68HPX8B9GBYlkQWmWSIMfzRYcD2n1 +5+XsfERK4mxcTWl2sCYpt8Sy3tADj9nQDabAlGUd/hlFS1dvDVQjGh6ER5S0nZjY +nmRsLl8nOTKhb2xY+2p1sDjxxQYJJQe0K0dlb3JnZSBUaGVzc2Fsb25pa2VmcyA8 +Z2VvcmdlQG5sbmV0bGFicy5ubD6JAlQEEwEIAD4CGyMFCwkIBwIGFQgJCgsCBBYC +AwECHgECF4AWIQSUjrQjIsXQC3k0D13P8zRNkIekkAUCZvPQPQUJEPzlxgAKCRDP +8zRNkIekkFfCEACheY1yr2Z+LPjm/Nd2eA4CFFO7nUQHI+a6lYBd57txrRuIicuG +pGjOhnvcioRwICiKNLJD3YTU+WOd+sbO7BXH2sw2KdU9NK1ojKX/SQiTg6upfJsu 
+gbgar2oPvR88B7oSiuonZnhEf72HfWKDSBXHpi6KC6S3JZ+o50NB3GBpwUL1lfKW +ovymYbN6tYQfqw/+AP5jUUNpkclC0RbcW69rpvrHHqeQV1AVKkm/jNQpWLKYTGF7 +bbdLkgMh3rHp8gmF0/GuK+oyL7xD+TEXfr3iqlDIVuxbxDN8xTti1RrERU/MWQar +qOSFZcr4t+nlwThJidDLF/u3h0Ymrjz92VTfCgELIwCKxGX7jAyLZHzuWAp+0Pr/ +yuHodbweGNcGVoXmIpK93/WZcfFlBcyQLECVcijmxd7Euk0xDk76RQpuuL5VOWqn +aZcf2uNfppwKFZJjcXwK+EQbwN7+RFNvLrwoRn/1xM57T5AYBAgSvKb6h0G5KwW6 +tJfJdSu1MHfCZS1hH1Gr4+UG+VbLCVmQ9N/lUs0bcD7pK+bA1W0YnsIVuaQ+YZUh +KrJoCUF0kVDtW9ETZkp0iVBm1Q9xgTGaxUTVmctOyAbdCLyHNra4fo1BAdGlu+IP +qAcktaBUKFxWxRxf9O5kGihce9anK8CJ/TCnQ7wSvyYrlAoBoQaS78VzYYkBHAQS +AQIABgUCV9kUOAAKCRAwkY2CdXJCIju1B/oCvf1kWYndNeLS6U2O6DtFAL2Ia5tY +Zukcyqb1hkYcrBiMZbQN94gX5a+6Q4pdd2n241r1ZuSWdwUhRUbF4mvbZMVsavnk +cvrRGviVIUXf71W0O/IsmQ9oN0Finhpf14Y4z/xqF8DpvJdkWc6X5g+RJuko6q2w +B7x2UfSyF4USp47LSmUQnC59IF8jzaElgBha3gwEuXL3d2qBepoV/e9RiXJClUAT ++O7qdxzDq1eiZ+NXUjDCmrkuWjHLAZAv0jx1KUTCQ2no62UM95igtJ+Kn56Lc2+J +CqFJztaZeX8CgXXryxNpsyhZJ33dIoLCT03K25wrV5Y+eag05slQ9sC3iQI9BBMB +CAAnBQJX2RCwAhsjBQkFo5qABQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAAoJEM/z +NE2Qh6SQ3JUP/2G3bRNObS7zsfN3rjkbjLxaDOwNggRdbeXM5rHDVEG9SWesCGaI +vyQdkSGQoIaKUgNv7Yp8O8pEnD4IwdhNSaXVIB3pBtdOD0UM1wuxRpfqJOUxZEoW +T2Jr31Tg2qepp6nT7UmdiF7uCBDy8Jm6k6Q+6UT58cPaesRQdSPi6Go7ho2/xVvK +Ve9ufSTSTdG5+7bJDu6Iv7sydKUEG4jPDqo+jjVLn1X6Rfp+E4JAvOvFrSJHW5sa +A332xV40GeV+aM1ndP7dPkz8+AGB3QD7JF2DLcqvLo0TYOvjnlOGYcNp8gzp23g9 +KFwe2sdbdtVpuWaJUSpXXiUZnFzrrVxDNiEBjqsPa5ysOxzJ+1gUbcrIjUeNeAFh +us4XL+IidPATnhTIX3X/uPRB87KaTaA8XUqsuSd2DM9mLxdHKC9Jf8D1t+ywYrek +Cp+K80vCtFPWBM4+w8nGugTNKJEGIXZDGFOF/c7r6xKkaOYK0Y+IGJawlV5LaADl +BmQpPk0ubYclwb07FcegaHSxxIqUo/kbyt1YV5mU+QVymZ+xyvIBrnW8hBuNWRvU +5acnIZibCERayo8ZuI+r/X3bLHfDx0oh2h+cL3utNZUqmgZNR0Di8P+x0hUYsYPO +TJaDBSgvxUtY0Ci+OWX38kffGGvhW3CM8V6skdVc8cp7Db7gxase4BxxtC5HZW9y +Z2UgVGhlc3NhbG9uaWtlZnMgPGdlb3JnZUBvcGVubmV0bGFicy5jb20+iQJUBBMB +CAA+AhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEElI60IyLF0At5NA9dz/M0 +TZCHpJAFAmbz0D0FCRD85cYACgkQz/M0TZCHpJBnFw/8CRLGJnNAP43mBniIP5R1 
+/10i4xG5s1Ka/y5C3aRgZUNaGMPLF8VmrC26HTPNhmduhn3j9gnBuSHgRAJUWs2K +o1q0A2/O5fFJvqPyEUl30gG8qkzFl5UGRUr7VNtBa6VpI7g78d3P4/H8THB0tYZ3 +GZv980QXwTE11aXjvPQu4e8sMOR1OVEEH+6hW1T0SvEKAMV1BHwuZAmC6HTfx5e7 +iGNWu/dwJsmwzqcAkuTTSqlmzZdIjZWJDL8pfnschkVilC3pEpEk5ExSkt/onOD2 +WCAKJUiPR6gRI2H6fE0PF8iG9isisvNhQ3MrWUIKS+1WOotoG7Bu7ob46viJKQuN +9t7KBqjdftjJHjmVop3mfX0UUEDPjkZXK5R/aUspXi4IGdM+9JijqxveicQegOhM +LcE8039Z0AaXn9IA0kQB05A4a+CEnoPL7qe+fIBJM5hZDrpMe4fAAGxiQzbRpdkZ +CrXmT+CRkhc/BvUJ5yoE1q++9Fw9eyMbPOak6GLckCIPy+Mqi4z+ZXNCtcPs3Qbc +/7AY8qyswRsD2t5bbe4g+fLEt9IsN3UvKFUKnQ88jcn9Zmps69msMDm9jEj/qo+j +QCriLLu8E1ZwhedNVOQN89w4Zww/BUyEnL4hng8Tw+RTV8Jtq5EvAleW5sZsnTzA +zn1ysZUyO/Pu7Br2jnGRAQyJARwEEgECAAYFAlfZFDwACgkQMJGNgnVyQiIHjAf/ +VrPMgIRjRTYi4cxOr5ewaim1hgJZO1oCJoMopwIvpZ2kAUqL/uPMT3wREe5bi79H +jXYcaX+RbrV4ZdzaajDUFCj867KGErxqtRkANJ1eNLcQmVwGNoFeTQbgEOBfKq1t +hRfMqHF3fxCPJp4z4U3kBPUpIQPERjgUdkH8fxZ34Omo1SLO1b0dVqsneezccBVv +Hj7gVoaWw65Ov7vngwNCKH3fjOkcoINTH/nEw4WWh6UV5ZN49GRqa6oWdUJMZbgB +w8z357RLN6YLe7KMh4oGpUIvfH6Vfq6CIb6s9pfgjAvq8O7p9n0/0FG77j84MuGw +fdhq8eSazO/j9LUCBM+8k4kCPQQTAQgAJwUCV9kQiwIbIwUJBaOagAULCQgHAgYV +CAkKCwIEFgIDAQIeAQIXgAAKCRDP8zRNkIekkN9pD/wI8JAyjJEIjUJNLRuARDDv +pJrQjAo/02naPcGs4yyUd7yRkhzVKLFLvif8XICxxLWk6FdT0PJeKGTvRoe2+Rje +c14rO30niRymWkBi36iDW46Dpt7Jx+LUDhUMYPL+woKSoHmbBGWLSYXKxaD8F93A +nVs97nP4PWpspv2BFiuwKGsSsOyyQPPvr7jCin3H5oPH9qDnIV0KonAYbzzEKod5 +t0Rgzo/nWXZBFXWC5xvKeghwkdT++gYS/ThvQY2ua6A1XRE8BntyldD081NPi3NO +dWa9m8ufFOJsEEiWcpdT+EWoDw5JyGAR7U3IOVl3BTo7shdcYEvRVrDMBpac+ItG +WvogUv7alBdHWi48amvZE06RI/nDJ/rxj13S/4POgMHU++aQI5a1G5H3jBu4cehH +4iT1UKmozfzVEfcHb2dsaKnnuFzQxmol0lZu1ETyof+Lxvs+wErN0QR+VDNweJEJ +PMXiEcjASdLtrEKgFSP2B5yGGzt93C+HbD+VQOU359aAnvVjbTAVz8izuMphd6Bz +Ix1q//q2VmxqjjT3Iv30hBRX02x2M8gsP/e49XWEll7stkMtbYhBU0sHQ2CqzLGh +gJN3ecpi2sKWVqN8HUZOwJFj6f9ZX76YSM23wIugHfscMAVJUXvBrbd151WIshOf +FFPo62sYGt+SEMXWeRcHjbQuWW9yZ29zIFRoZXNzYWxvbmlrZWZzIDx5b3Jnb3NA +b3Blbm5ldGxhYnMuY29tPokCVAQTAQgAPgIbIwULCQgHAgYVCAkKCwIEFgIDAQIe 
+AQIXgBYhBJSOtCMixdALeTQPXc/zNE2Qh6SQBQJm89A9BQkQ/OXGAAoJEM/zNE2Q +h6SQOf4QAIp5fEn+vVOqDuLrv8Li61UDVPE3v5b9ocPR7OMENeFpRH7K2p8xFkAM +f6JeS2ehbIjyUS8iGc+mZOalvZynJdOiHtys5r4lZanm1Rl+mWXb+nHGE/Oi4gQ3 +aEF/AwolbKi9oNXAiCtA3hmaI6FYWtAh5XOnyMG140dhlXMWzvN1ZAWXWioS33Fp +n9Z7xOsyG2Bmky69JjUQPD119noD4pEFtCipciiACVNdHGfI8QDT/8pMAxv/Q7tW ++7gyFztT1XvKONWyCfHjf1x60JQNPPM31x3xUVRz/sK+GyLq6VLiydvSZeUX3CzM +4bHixKKkSyvsX+bc9K/iLrXwZFhRdrRbpVQFpsdxv48mN5WsDlpN17KgMCyNiMDV +0VagYjZC5AurOo2mmS7PKAYGILaq3YwQ3nXYiuWfdXVW6EXtw/vdFOjFU6ppbaA3 +1+xyMDOLSGLr7f+gdZvlEc+5MX1F3mHpmuKN7clUju/HEOdVq1Bbla7BplPgqCaH +ZYCg/VHNt7ue7MYeEgTJ8OGgUDRNPa3PdU3YHRCuwJH1UzinD39K8R9/g9qiGJbC +87//1FGZp9lhIE5tja6F5pJ5GwJK9zC0iGj2NrwBvTKhuyF6W3ZQc2voYQn+gIq4 +sfbned7qpvpjLcMgIv/y82iVm2EtKtKYl982aA9S53pHqjV27kieuQINBFfYHeYB +EAC2h9yjSe2SgtcB0H+E0ndaewaZaQCE7q+RO43dotGH9eFnVwE4/ftcK1SN42ih +lF5OnTaKPyXvgQ6U8W8VB8eLjeTwA/dSXuJX7kJpEK8saPqJP6zTUmPqp/GSzS6Y +rhKLfpFn4chmywpDFcGNMz0sYXiJgPqKL7W0KuG+ziPToAeWl8ckeXyl77/lHVhW +YylaQJEASklqCViPXSp9vI7/57UEm4MQPXwsDBOwuVVqcSu3ZM5MtY9XlbVPNCYm +ZIMqmh8HgYwbiq9dTfJi+6v17+uDQGZewWK/WwFM+9dDx7YkTeOBiUduYtJPW64N +W/RJ7pskbLAy+OZApTZWg0cISN6GOmPN3F0AiWzUjvSMREHhFHyxj4Y15vuDOFvP +GFxr4xBiyMX1JLCKK6OFnyPfoJ9v/o3UgrQgLrfXCmKdvkwBCgJvN3Fsxzha6Dtf +6RcZ02fr7SCZZhdBrlrflvC1uWZ0g3A87ss7h4Iw3njlO3aX6Bo9R4VOLUkiRKi4 +hmQBxPvXxI2ERmKRomo6lrMaDMzIjD4APSM1vUfZguzQxVYpM8lwy1COeqxsj5p+ +LH6f/EU+4dXZwooJ1uanBOvG2ntnz8SErE+e7wNYE4a/fb8xYM4j7p6qYtnNZPb8 +sj8bvx8iWXp4A1csVetyVSchBhTVQhhNos6ouYpc4ibrYwARAQABiQI8BBgBCAAm +AhsMFiEElI60IyLF0At5NA9dz/M0TZCHpJAFAmbz0dUFCRD8528ACgkQz/M0TZCH +pJA7hg/7Bh0jb7nrp2EuU4BWK55VG+3zbrye/NdDy6eo3sVVOOO1r+jBMoJK3m1A +GWUx40ogZjRn8GMtJfxkL6wsep2P775smm7x1TH6s2dgreTj9J66gitKEgxF0tjo +JztmGJ8YKSGE4wKi37KvvSqCm1ecA8akBzJVo0B8/GtXpg+y/q3/KSY1ujW7Ihu3 +60JXT1FRXOiYfrzUKIBm8/UVnv7guPudaJf0eU4btoy4Ywzn1UXyi8BdxPIQrQDR +tt69ffcjX8BIEloK7FURLre/LhbVxlssdWYIEFQhIlb+nghZlUbWHf0Ue3L0SFFS +xV5otzQL2WjJKtCnTpSopSUmwYyT7wyAL1RokOemXL47WOfiLjiGuS+K/4lT7VHS 
+fdLsYinS0LYr5dmhc05s//kLyQ0OSKNh3SNAN+lM/klLE/pFwM4mo56C+seNEvCm
+sT53VPOOwp6JwsLKSqm8pu1fbVjT6laMc9BPi6KUjN/f7ZahCXNXOrA2uLnTlxw/
+ns1sOXSWZDWciZeL3kJeUQER5YZ59hzLYWAiJ+5KblWRlBMXb71FUp0Mh9V3dA5O
+BX3IlcF54qE50chGzLnfQf1YLuh13xxxc2WsdMZjiCj8CVDMkD6ekShfQK8nyQsK
+SJgdXcnw1CxcAVvsROtecUiD+DWrJcYExjSZ+zcI4+aRhp7uNt8=
+=iknu
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/sources b/sources
index 01a2cff..efb1f71 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (unbound-1.21.0.tar.gz) = 481534271f443d72635025c79b83bb71bb77b96ae81ec74c7f82f1e958160f5d75489931bdbdf460a72c871268d33628be990d6acf3c5303f04f7ff347ad83c1
-SHA512 (unbound-1.21.0.tar.gz.asc) = 931181070e5ca6c9d6525bbaee5f2b556f36658c879dd63084d8059c83a122bee379720d80952420a116a9837c3ba1793917a2372167464e7a6b2e0520c69230
+SHA512 (unbound-1.21.1.tar.gz) = 82be3faf5e4f9531342008105f5ab2ecc22a56faab1ef5c86420d85ef48443e5dac3455dbc654178a927e34ca4067c7655443f91a250b87945a63e9ba5f74ba7
+SHA512 (unbound-1.21.1.tar.gz.asc) = 5bb3961c210aefb20f91eb96f7d3980324e30cb2307c6c1187f016cacafcade7adcd95855faedfebc2c91464fd6c095511322364357c5b72525fc8e61c0ad248
diff --git a/unbound.spec b/unbound.spec
index 78ef319..73c8ecb 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -32,7 +32,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.21.0
+Version: 1.21.1
 Release: %autorelease %{?extra_version:-e %{extra_version}}
 License: BSD-3-Clause
 Url: https://nlnetlabs.nl/projects/unbound/
@@ -58,6 +58,7 @@ Source18: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
 Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
 Source20: unbound.sysusers
 Source21: remote-control.conf
+Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc
 # Downstream configuration changes
 Patch1: unbound-fedora-config.patch 
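Review bot: Source22 is fetched by bare URL with nothing in the spec recording which key it is expected to be, whereas the Source19 URL next to it at least pins the key id 0x9F6F1C2D7E045F8D; a later refresh of Yorgos.asc from that URL could silently change the trust anchor used for the tarball signature check without anyone noticing in review. I would record the expected fingerprint beside it once it has been confirmed out of band, e.g. `# Yorgos Thessalonikefs (NLnet Labs) release-signing key; fingerprint: <confirm against the NLnet Labs key page before updating this file>`, and compare against that comment whenever the file is refreshed. Which key actually signed 1.21.1 is not visible here, so this is a process note rather than a claim that the wrong key was imported.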
@@ -193,7 +194,7 @@ Python 3 modules and extensions for unbound
 %prep
 %if 0%{?fedora}
-%{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}'
+%{gpgverify} --keyring='%{SOURCE22}' --signature='%{SOURCE18}' --data='%{SOURCE0}'
 %endif
 %global pkgname %{name}-%{version}%{?extra_version}
From 421386aa5e127d140e07131b1cf465b1a213a1a5 Mon Sep 17 00:00:00 2001
From: Paul Wouters
Date: Mon, 7 Oct 2024 16:40:08 -0400
Subject: [PATCH 17/62] - enable hiredis (using valkey) by default
---
 unbound.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/unbound.spec b/unbound.spec
index 73c8ecb..150186b 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -4,7 +4,7 @@
 %bcond_without dnstap
 %bcond_with systemd
 %bcond_without doh
-%bcond_with redis
+%bcond_without redis
 %global forgeurl0 https://github.com/NLnetLabs/unbound
 %global downloads https://nlnetlabs.nl/downloads
From 3c9495eea1b75cab157c564d84c9ba7af929c688 Mon Sep 17 00:00:00 2001
From: Paul Wouters
Date: Thu, 17 Oct 2024 11:34:06 -0400
Subject: [PATCH 18/62] Update to 1.22.0 (rbhz#2319347) cleanup the unbound.conf diff file against updated upstream defaults. DNS over QUIC cannot be enabled yet because Fedora does not have libngtcp2
---
 .gitignore | 2 +
 sources | 4 +-
 unbound-fedora-config.patch | 126 ++++++++++++++++-------------------
 unbound.spec | 4 +-
 4 files changed, 60 insertions(+), 76 deletions(-)
diff --git a/.gitignore b/.gitignore
index 149c0ab..31c5a81 100644
--- a/.gitignore
+++ b/.gitignore
@@ -93,3 +93,5 @@ unbound-1.4.5.tar.gz
 /unbound-1.21.0.tar.gz.asc
 /unbound-1.21.1.tar.gz
 /unbound-1.21.1.tar.gz.asc
+/unbound-1.22.0.tar.gz
+/unbound-1.22.0.tar.gz.asc
diff --git a/sources b/sources
index efb1f71..87f2b6b 100644
--- a/sources
+++ b/sources 
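Review bot: The keyring handed to %{gpgverify} is switched from Source19 to Source22 instead of being extended, so from this commit on a release signed by the other NLnet Labs maintainer fails in %prep on Fedora, and the 1.22.0 update further down this series flips it straight back to Source19, which suggests the signer varies per release. I would verify against both keys, e.g. `cat %{SOURCE19} %{SOURCE22} > upstream-keys.asc` followed by `%{gpgverify} --keyring='upstream-keys.asc' --signature='%{SOURCE18}' --data='%{SOURCE0}'`, provided the gpgverify helper accepts a multi-key armored file (I believe current redhat-rpm-config imports it, but confirm). Unchanged here but worth a comment on the `%if 0%{?fedora}` guard: RHEL and EPEL builds never check the tarball signature at all, and the spec should say whether that is intentional.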
@@ -1,2 +1,2 @@ -SHA512 (unbound-1.21.1.tar.gz) = 82be3faf5e4f9531342008105f5ab2ecc22a56faab1ef5c86420d85ef48443e5dac3455dbc654178a927e34ca4067c7655443f91a250b87945a63e9ba5f74ba7 -SHA512 (unbound-1.21.1.tar.gz.asc) = 5bb3961c210aefb20f91eb96f7d3980324e30cb2307c6c1187f016cacafcade7adcd95855faedfebc2c91464fd6c095511322364357c5b72525fc8e61c0ad248 +SHA512 (unbound-1.22.0.tar.gz) = 6c873e19902ce6cd59cec7084d5dba1a5bd5fe4437c827ae69bdf9273bcd8d2d1ec0dc183076f8d2e1fd38730bf8c10852d678399f0b2ea8ccf7e39119568978 +SHA512 (unbound-1.22.0.tar.gz.asc) = afbf5a125f104a25576b1c416b32f68d715b41a025fc3a61e6ee3bc28f9988b4277c7f0dd188c51cbe5641f51ade20f740ea131d1a7b5db38e2d1462a9edbb69 diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch index b4803b6..c039cf4 100644 --- a/unbound-fedora-config.patch +++ b/unbound-fedora-config.patch @@ -1,20 +1,7 @@ -From 71cbef33920b3b5704be7eab399da506ab51cde1 Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Fri, 10 Nov 2023 12:58:31 +0100 -Subject: [PATCH] Customize unbound.conf for Fedora defaults - -Set some Fedora/RHEL specific changes to example configuration file. By -patching upstream provided config file we would not need to manually -update external copy in source RPM. ---- - doc/example.conf.in | 196 ++++++++++++++++++++++++++++---------------- - 1 file changed, 126 insertions(+), 70 deletions(-) - -diff --git a/doc/example.conf.in b/doc/example.conf.in -index 130cb4e..7174d81 100644 ---- a/doc/example.conf.in -+++ b/doc/example.conf.in -@@ -17,11 +17,12 @@ server: +diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.conf.in +--- unbound-1.22.0-orig/doc/example.conf.in 2024-10-17 03:23:22.000000000 -0400 ++++ unbound-1.22.0/doc/example.conf.in 2024-10-17 11:06:58.882896891 -0400 +@@ -17,11 +17,12 @@ # whitespace is not necessary, but looks cleaner. # verbosity number, 0 is least verbose. 1 is default. 
@@ -29,7 +16,7 @@ index 130cb4e..7174d81 100644 # enable shm for stats, default no. if you enable also enable # statistics-interval, every time it also writes stats to the -@@ -32,11 +33,13 @@ server: +@@ -32,11 +33,13 @@ # shm-key: 11777 # enable cumulative statistics, without clearing them after printing. @@ -46,7 +33,7 @@ index 130cb4e..7174d81 100644 # Inhibits selected extended statistics (qtype, qclass, qopcode, rcode, # rpz-actions) from printing if their value is 0. -@@ -44,22 +47,35 @@ server: +@@ -44,22 +47,35 @@ # statistics-inhibit-zero: yes # number of threads to create. 1 disables threading. @@ -84,7 +71,7 @@ index 130cb4e..7174d81 100644 # instead of the default port, open additional ports separated by # spaces when interface-automatic is enabled, by listing them here. -@@ -94,7 +110,8 @@ server: +@@ -94,7 +110,8 @@ # permit Unbound to use this port number or port range for # making outgoing queries, using an outgoing interface. @@ -94,7 +81,7 @@ index 130cb4e..7174d81 100644 # deny Unbound the use this of port number or port range for # making outgoing queries, using an outgoing interface. -@@ -103,7 +120,9 @@ server: +@@ -103,7 +120,9 @@ # IANA-assigned port numbers. # If multiple outgoing-port-permit and outgoing-port-avoid options # are present, they are processed in order. @@ -105,7 +92,7 @@ index 130cb4e..7174d81 100644 # number of outgoing simultaneous tcp buffers to hold per thread. # outgoing-num-tcp: 10 -@@ -121,12 +140,12 @@ server: +@@ -121,12 +140,12 @@ # use SO_REUSEPORT to distribute queries over threads. # at extreme load it could be better to turn it off to distribute even. @@ -120,7 +107,7 @@ index 130cb4e..7174d81 100644 # use IP_FREEBIND so the interface: addresses can be non-local # and you can bind to nonexisting IPs and interfaces that are down. -@@ -276,6 +295,8 @@ server: +@@ -285,6 +304,8 @@ # nat64-prefix: 64:ff9b::0/96 # Enable UDP, "yes" or "no". 
@@ -129,7 +116,7 @@ index 130cb4e..7174d81 100644 # do-udp: yes # Enable TCP, "yes" or "no". -@@ -301,7 +322,7 @@ server: +@@ -310,7 +331,7 @@ # tcp-idle-timeout: 30000 # Enable EDNS TCP keepalive option. @@ -138,7 +125,7 @@ index 130cb4e..7174d81 100644 # Timeout for EDNS TCP keepalive, in msec. Overrides tcp-idle-timeout # if edns-tcp-keepalive is set. -@@ -311,6 +332,9 @@ server: +@@ -320,6 +341,9 @@ # can be dropped. Default is 0, disabled. In seconds, such as 3. # sock-queue-timeout: 0 @@ -148,7 +135,7 @@ index 130cb4e..7174d81 100644 # Use systemd socket activation for UDP, TCP, and control sockets. # use-systemd: no -@@ -424,6 +448,7 @@ server: +@@ -433,6 +457,7 @@ # # If you give "" no chroot is performed. The path must not end in a /. # chroot: "@UNBOUND_CHROOT_DIR@" @@ -156,7 +143,7 @@ index 130cb4e..7174d81 100644 # if given, user privileges are dropped (after binding port), # and the given username is assumed. Default is user "unbound". -@@ -435,7 +460,7 @@ server: +@@ -444,7 +469,7 @@ # is not changed. # If you give a server: directory: dir before include: file statements # then those includes can be relative to the working directory. 
@@ -165,34 +152,32 @@ index 130cb4e..7174d81 100644 # the log file, "" means log to stderr. # Use of this option sets use-syslog to "no". -@@ -450,7 +475,7 @@ server: +@@ -459,7 +484,7 @@ # log-identity: "" # print UTC timestamp in ascii to logfile, default is epoch in seconds. - # log-time-ascii: no + log-time-ascii: yes - # print one line with time, IP, name, type, class for every query. - # log-queries: no -@@ -522,22 +547,22 @@ server: - # harden-large-queries: no + # log timestamp in ISO8601 format if also log-time-ascii is enabled. + # (y-m-dTh:m:s.msec[+-]tzhours:tzminutes) +@@ -532,13 +557,13 @@ + # harden-short-bufsize: yes + + # Harden against unseemly large queries. +- # harden-large-queries: no ++ harden-large-queries: yes # Harden against out of zone rrsets, to avoid spoofing attempts. -- # harden-glue: yes -+ harden-glue: yes + # harden-glue: yes + + # Harden against unverified (outside-zone, including sibling zone) glue rrsets +- # harden-unverified-glue: no ++ harden-unverified-glue: yes # Harden against receiving dnssec-stripped data. If you turn it # off, failing to validate dnskey data for a trustanchor will - # trigger insecure mode for that zone (like without a trustanchor). - # Default on, which insists on dnssec data for trust-anchored zones. -- # harden-dnssec-stripped: yes -+ harden-dnssec-stripped: yes - - # Harden against queries that fall under dnssec-signed nxdomain names. -- # harden-below-nxdomain: yes -+ harden-below-nxdomain: yes - - # Harden the referral path by performing additional queries for +@@ -553,7 +578,7 @@ # infrastructure data. Validates the replies (if possible). # Default off, because the lookups burden the server. Experimental # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. 
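Review bot: `harden-unverified-glue: yes` is introduced as a downstream deviation from the upstream default (the context line shows `# harden-unverified-glue: no`) with no comment recording why, while in the same hunk the explicit `harden-glue`, `harden-dnssec-stripped` and `harden-below-nxdomain` lines are dropped because they only restated upstream defaults — so the remaining explicit settings now all mean "Fedora differs here" and deserve a word of rationale. The option appears to be new in this unbound release, and presumably it costs extra lookups and can fail resolution for zones whose glue cannot be verified, so a one-liner next to it would help whoever bisects a resolution regression, e.g. `# Fedora default: verify out-of-zone glue before using it (upstream default is no)`; the same goes for `harden-large-queries: yes`, which per its context comment hardens against unseemly large queries. The enclosing server: section starts and ends outside this hunk.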
@@ -201,7 +186,7 @@ index 130cb4e..7174d81 100644 # Harden against algorithm downgrade when multiple algorithms are # advertised in the DS record. If no, allows the weakest algorithm -@@ -551,7 +576,7 @@ server: +@@ -567,7 +592,7 @@ # Sent minimum amount of information to upstream servers to enhance # privacy. Only sent minimum required labels of the QNAME and set QTYPE # to A when possible. @@ -210,7 +195,7 @@ index 130cb4e..7174d81 100644 # QNAME minimisation in strict mode. Do not fall-back to sending full # QNAME to potentially broken nameservers. A lot of domains will not be -@@ -561,7 +586,7 @@ server: +@@ -577,7 +602,7 @@ # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN # and other denials, using information from previous NXDOMAINs answers. @@ -219,7 +204,7 @@ index 130cb4e..7174d81 100644 # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. -@@ -594,7 +619,7 @@ server: +@@ -610,7 +635,7 @@ # threshold, a warning is printed and a defensive action is taken, # the cache is cleared to flush potential poison out of it. # A suggested value is 10000000, the default is 0 (turned off). @@ -228,7 +213,7 @@ index 130cb4e..7174d81 100644 # Do not query the following addresses. No DNS queries are sent there. # List one address per entry. List classless netblocks with /size, -@@ -606,20 +631,20 @@ server: +@@ -622,20 +647,20 @@ # do-not-query-localhost: yes # if yes, perform prefetching of almost expired message cache entries. @@ -254,7 +239,7 @@ index 130cb4e..7174d81 100644 # true to disable DNSSEC lameness check in iterator. # disable-dnssec-lame-check: no -@@ -629,7 +654,9 @@ server: +@@ -645,7 +670,9 @@ # most modules have to be listed at the beginning of the line, # except cachedb(just before iterator), and python (at the beginning, # or, just before the iterator). 
@@ -265,7 +250,7 @@ index 130cb4e..7174d81 100644 # File with trusted keys, kept uptodate using RFC5011 probes, # initial file like trust-anchor-file, then it stores metadata. -@@ -643,10 +670,10 @@ server: +@@ -659,10 +686,10 @@ # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" # trust anchor signaling sends a RFC8145 key tag query after priming. @@ -278,7 +263,7 @@ index 130cb4e..7174d81 100644 # File with trusted keys for validation. Specify more than one file # with several entries, one file per entry. -@@ -667,6 +694,9 @@ server: +@@ -683,6 +710,9 @@ # the trusted-keys { name flag proto algo "key"; }; clauses are read. # you need external update procedures to track changes in keys. # trusted-keys-file: "" @@ -288,7 +273,7 @@ index 130cb4e..7174d81 100644 # Ignore chain of trust. Domain is treated as insecure. # domain-insecure: "example.com" -@@ -694,14 +724,15 @@ server: +@@ -710,14 +740,15 @@ # unsecure data. Useful to shield the users of this validator from # potential bogus data in the additional section. All unsigned data # in the additional section is removed from secure messages. @@ -306,7 +291,7 @@ index 130cb4e..7174d81 100644 # Ignore the CD flag in incoming queries and refuse them bogus data. # Enable it if the only clients of Unbound are legacy servers (w2008) -@@ -715,11 +746,11 @@ server: +@@ -731,11 +762,11 @@ # Serve expired responses from cache, with serve-expired-reply-ttl in # the response, and then attempt to fetch the data afresh. @@ -320,7 +305,7 @@ index 130cb4e..7174d81 100644 # # Set the TTL of expired records to the serve-expired-ttl value after a # failed attempt to retrieve the record from upstream. This makes sure -@@ -746,7 +777,7 @@ server: +@@ -762,7 +793,7 @@ # Have the validator log failed validations for your diagnosis. # 0: off. 1: A line per failed user query. 2: With reason and bad IP. 
@@ -329,7 +314,7 @@ index 130cb4e..7174d81 100644 # It is possible to configure NSEC3 maximum iteration counts per # keysize. Keep this table very short, as linear search is done. -@@ -890,6 +921,8 @@ server: +@@ -906,6 +937,8 @@ # you need to do the reverse notation yourself. # local-data-ptr: "192.0.2.3 www.example.com" @@ -338,7 +323,7 @@ index 130cb4e..7174d81 100644 # tag a localzone with a list of tag names (in "" with spaces between) # local-zone-tag: "example.com" "tag2 tag3" -@@ -900,8 +933,8 @@ server: +@@ -916,8 +949,8 @@ # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. # Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. @@ -348,8 +333,8 @@ index 130cb4e..7174d81 100644 + # tls-service-pem: "/etc/unbound/unbound_server.pem" # tls-port: 853 # https-port: 443 - -@@ -909,6 +942,8 @@ server: + # quic-port: 853 +@@ -926,6 +959,8 @@ # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" # cipher setting for TLSv1.3 # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" @@ -358,7 +343,7 @@ index 130cb4e..7174d81 100644 # Pad responses to padded queries received over TLS # pad-responses: yes -@@ -1050,12 +1085,14 @@ server: +@@ -1070,12 +1105,14 @@ # cookie-secret-file: "/usr/local/etc/unbound_cookiesecrets.txt" # Enable to attach Extended DNS Error codes (RFC8914) to responses. 
@@ -375,7 +360,7 @@ index 130cb4e..7174d81 100644 # Specific options for ipsecmod. Unbound needs to be configured with # --enable-ipsecmod for these to take effect. -@@ -1063,12 +1100,14 @@ server: +@@ -1083,12 +1120,14 @@ # Enable or disable ipsecmod (it still needs to be defined in # module-config above). Can be used when ipsecmod needs to be # enabled/disabled via remote-control(below). @@ -393,7 +378,7 @@ index 130cb4e..7174d81 100644 # When enabled Unbound will reply with SERVFAIL if the return value of # the ipsecmod-hook is not 0. # ipsecmod-strict: no -@@ -1101,7 +1140,7 @@ server: +@@ -1121,7 +1160,7 @@ # o and give a python-script to run. python: # Script file to load @@ -402,7 +387,7 @@ index 130cb4e..7174d81 100644 # Dynamic library config section. To enable: # o use --with-dynlibmodule to configure before compiling. -@@ -1112,13 +1151,14 @@ python: +@@ -1132,13 +1171,14 @@ # the module-config then you need one dynlib-file per instance. dynlib: # Script file to load @@ -419,7 +404,7 @@ index 130cb4e..7174d81 100644 # what interfaces are listened to for remote control. # give 0.0.0.0 and ::0 to listen to all interfaces. -@@ -1126,6 +1166,7 @@ remote-control: +@@ -1146,6 +1186,7 @@ # are not used for that, so key and cert files need not be present. # control-interface: 127.0.0.1 # control-interface: ::1 @@ -427,7 +412,7 @@ index 130cb4e..7174d81 100644 # port number for remote control operations. # control-port: 8953 -@@ -1135,16 +1176,19 @@ remote-control: +@@ -1155,16 +1196,19 @@ # control-use-cert: "yes" # Unbound server key file. @@ -451,7 +436,7 @@ index 130cb4e..7174d81 100644 # Stub zones. # Create entries like below, to make all queries for 'example.com' and -@@ -1166,6 +1210,10 @@ remote-control: +@@ -1186,6 +1230,10 @@ # name: "example.org" # stub-host: ns.example.com. 
@@ -462,7 +447,7 @@ index 130cb4e..7174d81 100644 # Forward zones # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of servers. These servers have to handle -@@ -1183,6 +1231,10 @@ remote-control: +@@ -1203,6 +1251,10 @@ # forward-zone: # name: "example.org" # forward-host: fwd.example.com @@ -473,7 +458,7 @@ index 130cb4e..7174d81 100644 # Authority zones # The data for these zones is kept locally, from a file or downloaded. -@@ -1193,27 +1245,28 @@ remote-control: +@@ -1213,27 +1265,28 @@ # download it), primary: fetches with AXFR and IXFR, or url to zonefile. # With allow-notify: you can give additional (apart from primaries and urls) # sources of notifies. @@ -523,7 +508,7 @@ index 130cb4e..7174d81 100644 # auth-zone: # name: "example.org" # for-downstream: yes -@@ -1239,6 +1292,9 @@ remote-control: +@@ -1259,6 +1312,9 @@ # name: "anotherview" # local-zone: "example.com" refuse @@ -533,7 +518,7 @@ index 130cb4e..7174d81 100644 # DNSCrypt # To enable, use --enable-dnscrypt to configure before compiling. # Caveats: -@@ -1314,7 +1370,7 @@ remote-control: +@@ -1338,7 +1394,7 @@ # dnstap-enable: no # # if set to yes frame streams will be used in bidirectional mode # dnstap-bidirectional: yes @@ -542,6 +527,3 @@ index 130cb4e..7174d81 100644 # # if "" use the unix socket in dnstap-socket-path, otherwise, # # set it to "IPaddress[@port]" of the destination. # dnstap-ip: "" --- -2.46.0 - diff --git a/unbound.spec b/unbound.spec index 150186b..1fd43f9 100644 --- a/unbound.spec +++ b/unbound.spec @@ -32,7 +32,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.21.1 +Version: 1.22.0 Release: %autorelease %{?extra_version:-e %{extra_version}} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ 
@@ -194,7 +194,7 @@ Python 3 modules and extensions for unbound
 %prep
 %if 0%{?fedora}
-%{gpgverify} --keyring='%{SOURCE22}' --signature='%{SOURCE18}' --data='%{SOURCE0}'
+%{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}'
 %endif
 %global pkgname %{name}-%{version}%{?extra_version}
From 97cf366613562564939994830bde76aa4bf82a0c Mon Sep 17 00:00:00 2001
From: Yaakov Selkowitz
Date: Mon, 4 Nov 2024 20:42:08 -0500
Subject: [PATCH 19/62] Disable redis in RHEL builds hiredis is not included in RHEL.
---
 unbound.spec | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/unbound.spec b/unbound.spec
index 1fd43f9..a0718c3 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -4,7 +4,11 @@
 %bcond_without dnstap
 %bcond_with systemd
 %bcond_without doh
+%if 0%{?rhel} && ! 0%{?epel}
+%bcond_with redis
+%else
 %bcond_without redis
+%endif
 %global forgeurl0 https://github.com/NLnetLabs/unbound
 %global downloads https://nlnetlabs.nl/downloads
From 1b2c93fae61771c2191ab4a5f5a1f1c59dc4dca1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Tue, 22 Oct 2024 14:59:19 +0200
Subject: [PATCH 20/62] Make separate configuration Ship new config snippets in data directory. They should be symlinked from /etc/unbound/conf.d directory if they should be used as they are. Copy and modification if they should be used as a template.
---
 unbound-as112-networks.conf | 118 ++++++++++++++++++++++++++++++++++++
 unbound-local-root.conf | 30 +++++++++
 unbound.spec | 7 +++
 3 files changed, 155 insertions(+)
 create mode 100644 unbound-as112-networks.conf
 create mode 100644 unbound-local-root.conf
diff --git a/unbound-as112-networks.conf b/unbound-as112-networks.conf
new file mode 100644
index 0000000..96c291f
--- /dev/null
+++ b/unbound-as112-networks.conf 
@@ -0,0 +1,118 @@
+# Allow forwarding of private ranges, which are marked forwardable by IANA
+# https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
+# https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
+# https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml
+# RFC 6303: Locally Served DNS Zones (https://www.rfc-editor.org/rfc/rfc6303.html)
+#
+# Using this configuration file will simplify forwarding to potentially private ranges.
+# Enables forwarding of networks marked as forwardable at IANA special registry.
+# This is useful when upstream forwarder may be still inside private network. That is the case
+# when unbound works as a localhost DNS cache, not network wide resolver.
+
+server:
+ # RFC 8375: Special-Use Domain 'home.arpa.'
+ local-zone: "home.arpa." nodefault
+
+ # RFC 1918: Address Allocation for Private Internets
+ local-zone: "10.in-addr.arpa." nodefault
+ local-zone: "16.172.in-addr.arpa." nodefault
+ local-zone: "17.172.in-addr.arpa." nodefault
+ local-zone: "18.172.in-addr.arpa." nodefault
+ local-zone: "19.172.in-addr.arpa." nodefault
+ local-zone: "20.172.in-addr.arpa." nodefault
+ local-zone: "21.172.in-addr.arpa." nodefault
+ local-zone: "22.172.in-addr.arpa." nodefault
+ local-zone: "23.172.in-addr.arpa." nodefault
+ local-zone: "24.172.in-addr.arpa." nodefault
+ local-zone: "25.172.in-addr.arpa." nodefault
+ local-zone: "26.172.in-addr.arpa." nodefault
+ local-zone: "27.172.in-addr.arpa." nodefault
+ local-zone: "28.172.in-addr.arpa." nodefault
+ local-zone: "29.172.in-addr.arpa." nodefault
+ local-zone: "30.172.in-addr.arpa." nodefault
+ local-zone: "31.172.in-addr.arpa." nodefault
+ local-zone: "168.192.in-addr.arpa." nodefault
+ # RFC 6598: IANA-Reserved IPv4 Prefix for Shared Address Space
+ local-zone: "64.100.in-addr.arpa." nodefault
+ local-zone: "65.100.in-addr.arpa." nodefault
+ local-zone: "66.100.in-addr.arpa." 
nodefault
+ local-zone: "67.100.in-addr.arpa." nodefault
+ local-zone: "68.100.in-addr.arpa." nodefault
+ local-zone: "69.100.in-addr.arpa." nodefault
+ local-zone: "70.100.in-addr.arpa." nodefault
+ local-zone: "71.100.in-addr.arpa." nodefault
+ local-zone: "72.100.in-addr.arpa." nodefault
+ local-zone: "73.100.in-addr.arpa." nodefault
+ local-zone: "74.100.in-addr.arpa." nodefault
+ local-zone: "75.100.in-addr.arpa." nodefault
+ local-zone: "76.100.in-addr.arpa." nodefault
+ local-zone: "77.100.in-addr.arpa." nodefault
+ local-zone: "78.100.in-addr.arpa." nodefault
+ local-zone: "79.100.in-addr.arpa." nodefault
+ local-zone: "80.100.in-addr.arpa." nodefault
+ local-zone: "81.100.in-addr.arpa." nodefault
+ local-zone: "82.100.in-addr.arpa." nodefault
+ local-zone: "83.100.in-addr.arpa." nodefault
+ local-zone: "84.100.in-addr.arpa." nodefault
+ local-zone: "85.100.in-addr.arpa." nodefault
+ local-zone: "86.100.in-addr.arpa." nodefault
+ local-zone: "87.100.in-addr.arpa." nodefault
+ local-zone: "88.100.in-addr.arpa." nodefault
+ local-zone: "89.100.in-addr.arpa." nodefault
+ local-zone: "90.100.in-addr.arpa." nodefault
+ local-zone: "91.100.in-addr.arpa." nodefault
+ local-zone: "92.100.in-addr.arpa." nodefault
+ local-zone: "93.100.in-addr.arpa." nodefault
+ local-zone: "94.100.in-addr.arpa." nodefault
+ local-zone: "95.100.in-addr.arpa." nodefault
+ local-zone: "96.100.in-addr.arpa." nodefault
+ local-zone: "97.100.in-addr.arpa." nodefault
+ local-zone: "98.100.in-addr.arpa." nodefault
+ local-zone: "99.100.in-addr.arpa." nodefault
+ local-zone: "100.100.in-addr.arpa." nodefault
+ local-zone: "101.100.in-addr.arpa." nodefault
+ local-zone: "102.100.in-addr.arpa." nodefault
+ local-zone: "103.100.in-addr.arpa." nodefault
+ local-zone: "104.100.in-addr.arpa." nodefault
+ local-zone: "105.100.in-addr.arpa." nodefault
+ local-zone: "106.100.in-addr.arpa." nodefault
+ local-zone: "107.100.in-addr.arpa." nodefault
+ local-zone: "108.100.in-addr.arpa." 
nodefault
+ local-zone: "109.100.in-addr.arpa." nodefault
+ local-zone: "110.100.in-addr.arpa." nodefault
+ local-zone: "111.100.in-addr.arpa." nodefault
+ local-zone: "112.100.in-addr.arpa." nodefault
+ local-zone: "113.100.in-addr.arpa." nodefault
+ local-zone: "114.100.in-addr.arpa." nodefault
+ local-zone: "115.100.in-addr.arpa." nodefault
+ local-zone: "116.100.in-addr.arpa." nodefault
+ local-zone: "117.100.in-addr.arpa." nodefault
+ local-zone: "118.100.in-addr.arpa." nodefault
+ local-zone: "119.100.in-addr.arpa." nodefault
+ local-zone: "120.100.in-addr.arpa." nodefault
+ local-zone: "121.100.in-addr.arpa." nodefault
+ local-zone: "122.100.in-addr.arpa." nodefault
+ local-zone: "123.100.in-addr.arpa." nodefault
+ local-zone: "124.100.in-addr.arpa." nodefault
+ local-zone: "125.100.in-addr.arpa." nodefault
+ local-zone: "126.100.in-addr.arpa." nodefault
+ local-zone: "127.100.in-addr.arpa." nodefault
+
+ # RFC 4193: Unique Local IPv6 Unicast Addresses
+ local-zone: "d.f.ip6.arpa." nodefault
+
+ # RFC 2606: Reserved Top Level DNS Names
+ local-zone: "test." nodefault
+ domain-insecure: "test"
+ domain-insecure: "example"
+
+ # RFC 6762: Multicast DNS, Appendix G
+ domain-insecure: "local"
+ domain-insecure: "intranet"
+ domain-insecure: "private"
+ domain-insecure: "corp"
+ domain-insecure: "home"
+ domain-insecure: "lan"
+
+ # draft-davies-internal-tld
+ domain-insecure: "internal"
diff --git a/unbound-local-root.conf b/unbound-local-root.conf
new file mode 100644
index 0000000..4ba5e9d
--- /dev/null
+++ b/unbound-local-root.conf 
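Review bot: The `domain-insecure:` entries at the end switch DNSSEC validation off for whole subtrees (`test`, `example`, `local`, `corp`, `home`, `lan`, `internal`, ...), but the file header only talks about forwarding private ranges, so someone copying this snippet into a network-wide resolver will not see that any unsigned answer the forwarder returns under those names is accepted as-is. I would add above the first `domain-insecure:` line something like `# domain-insecure disables DNSSEC validation below these names: unsigned answers from the upstream forwarder are accepted, so only use this where the forwarder path is trusted (e.g. a localhost cache behind an internal resolver).` It would also help to say next to the `nodefault` entries that dropping the built-in local zones sends these reverse queries to the forwarder, which — as I read the header's own scenario — is only acceptable when that forwarder is itself inside the private network, since otherwise internal address space leaks to the outside.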
@@ -0,0 +1,30 @@
+# Authority zones
+# The data for these zones is kept locally, from a file or downloaded.
+# The data can be served to downstream clients, or used instead of the
+# upstream (which saves a lookup to the upstream).
+#
+# Download local root copy and answer TLD queries from it. Because
+# auth-zone has higher precedence, defined forward-zones to internal
+# only TLD will not work. Use stub-zone or disable this zone.
+# Good for a network-wide resolvers, worse for a localhost caching forwarder.
+auth-zone:
+ name: "."
+ primary: 170.247.170.2 # b.root-servers.net
+ primary: 192.33.4.12 # c.root-servers.net
+ primary: 199.7.91.13 # d.root-servers.net
+ primary: 192.5.5.241 # f.root-servers.net
+ primary: 192.112.36.4 # g.root-servers.net
+ primary: 193.0.14.129 # k.root-servers.net
+ primary: 192.0.47.132 # xfr.cjr.dns.icann.org
+ primary: 192.0.32.132 # xfr.lax.dns.icann.org
+ primary: 2801:1b8:10::b # b.root-servers.net
+ primary: 2001:500:2::c # c.root-servers.net
+ primary: 2001:500:2d::d # d.root-servers.net
+ primary: 2001:500:2f::f # f.root-servers.net
+ primary: 2001:500:12::d0d # g.root-servers.net
+ primary: 2001:7fd::1 # k.root-servers.net
+ primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
+ primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org
+ fallback-enabled: yes
+ for-downstream: no
+ for-upstream: yes
diff --git a/unbound.spec b/unbound.spec
index a0718c3..4f6df3b 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -63,6 +63,8 @@ Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/
 Source20: unbound.sysusers
 Source21: remote-control.conf
 Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc
+Source23: unbound-as112-networks.conf
+Source24: unbound-local-root.conf
 # Downstream configuration changes
 Patch1: unbound-fedora-config.patch
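Review bot: The root zone is pulled by plain AXFR/IXFR from the listed `primary:` addresses with no integrity check of its own (no `zonemd-check`), so whatever answers on those addresses is accepted as the root zone; DNSSEC validation of data reached through `for-upstream: yes` still rejects forged signed records, but unsigned delegation NS and glue in a tampered transfer would steer queries for those TLDs. Add `zonemd-check: yes` under the `auth-zone` so a transfer whose ZONEMD digest does not verify is refused (per unbound.conf(5) the ZONEMD record itself is DNSSEC-validated for signed zones; confirm on the packaged version). The header comment says the data is "downloaded", yet no `zonefile:` is given, so the zone is presumably held only in memory and re-transferred on every restart; either state that, or add a `zonefile:` in a directory writable by the unbound user so restarts reuse the last good copy.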
@@ -365,6 +367,10 @@ install -p -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
 install -p -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
 install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/
+mkdir -p %{buildroot}%{_datadir}/%{name}/conf.d
+install -p -m 0644 %{SOURCE23} %{buildroot}%{_datadir}/%{name}/conf.d/
+install -p -m 0644 %{SOURCE24} %{buildroot}%{_datadir}/%{name}/conf.d/
+
 # Link unbound-control-setup.8 manpage to unbound-control.8
 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
@@ -436,6 +442,7 @@ popd
 %{_sbindir}/unbound-checkconf
 %{_sbindir}/unbound-control
 %{_sbindir}/unbound-control-setup
+%{_datadir}/%{name}/
 %{_mandir}/man5/*
 %exclude %{_mandir}/man8/unbound-anchor*
 %{_mandir}/man8/*
From f0da98d7c6c1af7f5fc61c66a7dbec803a694922 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Thu, 14 Nov 2024 20:03:08 +0100
Subject: [PATCH 21/62] Enable SHA1 during tests to pass build with enabled SHA1 (rhbz#2255591)
Internal unbound code seems to handle validation correctly. Regardless SHA1 status in openssl, it either makes result as insecure or secure. But tests fail when SHA1 is not available, because they assert expected value. The way how tests are coded, it needs to know what the status would be. OpenSSL does not provide any API to help with that. Requested on: https://issues.redhat.com/browse/RHEL-67619 Use newly discovered OpenSSL workaround to allow just test pass with SHA1 enabled.
---
 openssl-sha1.conf | 8 ++++++++
 unbound.spec | 14 ++++----------
 unbound.sysconfig | 3 +++
 3 files changed, 15 insertions(+), 10 deletions(-)
 create mode 100644 openssl-sha1.conf
diff --git a/openssl-sha1.conf b/openssl-sha1.conf
new file mode 100644
index 0000000..97a3218
--- /dev/null
+++ b/openssl-sha1.conf
@@ -0,0 +1,8 @@
+# OpenSSL configuration file to allow SHA1 validation,
+# regardless of crypto-policy selected.
+# Use it by adding into /etc/sysconfig/unbound:
+# OPENSSL_CONF=/etc/unbound/openssl-sha1.conf
+.include = /etc/ssl/openssl.cnf
+
+[evp_properties]
+rh-allow-sha1-signatures = yes
diff --git a/unbound.spec b/unbound.spec
index 4f6df3b..cb8b8bb 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -65,6 +65,7 @@ Source21: remote-control.conf
 Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc
 Source23: unbound-as112-networks.conf
 Source24: unbound-local-root.conf
+Source25: openssl-sha1.conf
 # Downstream configuration changes
 Patch1: unbound-fedora-config.patch
@@ -265,9 +266,6 @@ autoreconf -fiv
 %if %{with doh}
 --with-libnghttp2 \
 %endif
-%if 0%{?rhel} || 0%{?fedora} > 40
- --disable-sha1 \
-%endif
 %if %{with redis}
 --with-libhiredis \
 --enable-cachedb \
@@ -366,6 +364,7 @@ install -p -m 0644 %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
 install -p -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
 install -p -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
 install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/
+install -p -m 0644 %{SOURCE25} %{buildroot}%{_sysconfdir}/unbound/openssl-sha1.conf
 mkdir -p %{buildroot}%{_datadir}/%{name}/conf.d
 install -p -m 0644 %{SOURCE23} %{buildroot}%{_datadir}/%{name}/conf.d/
@@ -405,17 +404,11 @@ fi
 %systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer
 %check
-#pushd pythonmod
-#make test
-#popd
-
+export OPENSSL_CONF="%{buildroot}%{_sysconfdir}/unbound/openssl-sha1.conf"
 make check
 %if 0%{?python_secondary:1}
 pushd %{dir_secondary}
-#pushd pythonmod
-#make test
-#popd
 make check
 popd
 %endif
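Review bot: The header comment should state that `rh-allow-sha1-signatures = yes` is process-wide: pointing `OPENSSL_CONF` at this file re-enables SHA-1 signature acceptance for every OpenSSL operation in the unbound process, which presumably includes certificate verification for DoT/DoH upstreams and the remote-control TLS interface, not just RSASHA1 DNSSEC validation. Per the commit message, without this file SHA-1-signed zones validate as insecure, which is the conservative outcome, so the trade-off deserves a line such as `# WARNING: process-wide; also re-enables SHA1-signed TLS certificates. Without it RSASHA1 zones are treated as insecure rather than secure.` Since the same commit installs the file under /etc/unbound and documents it in sysconfig for production use rather than only for %check, the warning belongs in this file.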
@@ -428,6 +421,7 @@ popd
 %attr(0755,unbound,unbound) %dir %{_rundir}/%{name}
 %attr(0644,root,root) %{_tmpfilesdir}/unbound.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/openssl-sha1.conf
 %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d
 %attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d/*.key
 %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/conf.d
diff --git a/unbound.sysconfig b/unbound.sysconfig
index adcf8fd..9e80f14 100644
--- a/unbound.sysconfig
+++ b/unbound.sysconfig
@@ -5,3 +5,6 @@ UNBOUND_ANCHOR_OPTIONS="-f /etc/resolv.conf -R"
 # for extra debug, add "-v -v" or change verbosity: in unbound.conf
 UNBOUND_OPTIONS=""
+
+# Uncoment to validate SHA1 in any crypto policy
+# OPENSSL_CONF=/etc/unbound/openssl-sha1.conf
From 5591157f6a3a9e718c7b51c198485e31a02bb88e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Fri, 15 Nov 2024 09:24:04 +0100
Subject: [PATCH 22/62] Deactivate automatic root zone fetching (rhbz#2322697)
Automatic maintained root zone is great for network resolvers, which are used by multiple machines. Its usage on every common device is not desired however, especially when used as localhost only cache daemon. Make it simple to activate local root zone by creating symlink in directory /etc/unbound/conf.d to /usr/share/unbound/conf.d/unbound-local-root.conf. But have it deactivated in default configuration.
---
 unbound-fedora-config.patch | 146 +++++++++++++++---------------------
 1 file changed, 60 insertions(+), 86 deletions(-)
diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch
index c039cf4..9c39596 100644
--- a/unbound-fedora-config.patch
+++ b/unbound-fedora-config.patch
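Review bot: The added comment `# Uncoment to validate SHA1 in any crypto policy` has a typo and does not say that the variable applies to the whole process rather than to DNSSEC alone. Because `UNBOUND_ANCHOR_OPTIONS` lives in the same file, the variable presumably also reaches unbound-anchor's HTTPS fetch of the root trust anchor if that unit reads the same environment file; confirm in the unit files before documenting it. Suggest `# Uncomment to accept SHA1 signatures under any crypto policy (process-wide: also relaxes TLS certificate checks)`.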
@@ -1,7 +1,20 @@ -diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.conf.in ---- unbound-1.22.0-orig/doc/example.conf.in 2024-10-17 03:23:22.000000000 -0400 -+++ unbound-1.22.0/doc/example.conf.in 2024-10-17 11:06:58.882896891 -0400 -@@ -17,11 +17,12 @@ +From aa201e383210d02c0396d0a1375d217551c0e2bd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Fri, 15 Nov 2024 08:57:14 +0100 +Subject: [PATCH] Customize unbound.conf for Fedora defaults + +Set some Fedora/RHEL specific changes to example configuration file. By +patching upstream provided config file we would not need to manually +update external copy in source RPM. +--- + doc/example.conf.in | 152 ++++++++++++++++++++++++++++++-------------- + 1 file changed, 104 insertions(+), 48 deletions(-) + +diff --git a/doc/example.conf.in b/doc/example.conf.in +index 59090c6..33c6209 100644 +--- a/doc/example.conf.in ++++ b/doc/example.conf.in +@@ -17,11 +17,12 @@ server: # whitespace is not necessary, but looks cleaner. # verbosity number, 0 is least verbose. 1 is default. @@ -16,7 +29,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # enable shm for stats, default no. if you enable also enable # statistics-interval, every time it also writes stats to the -@@ -32,11 +33,13 @@ +@@ -32,11 +33,13 @@ server: # shm-key: 11777 # enable cumulative statistics, without clearing them after printing. @@ -33,7 +46,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Inhibits selected extended statistics (qtype, qclass, qopcode, rcode, # rpz-actions) from printing if their value is 0. -@@ -44,22 +47,35 @@ +@@ -44,22 +47,35 @@ server: # statistics-inhibit-zero: yes # number of threads to create. 1 disables threading. 
@@ -71,7 +84,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # instead of the default port, open additional ports separated by # spaces when interface-automatic is enabled, by listing them here. -@@ -94,7 +110,8 @@ +@@ -94,7 +110,8 @@ server: # permit Unbound to use this port number or port range for # making outgoing queries, using an outgoing interface. @@ -81,7 +94,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # deny Unbound the use this of port number or port range for # making outgoing queries, using an outgoing interface. -@@ -103,7 +120,9 @@ +@@ -103,7 +120,9 @@ server: # IANA-assigned port numbers. # If multiple outgoing-port-permit and outgoing-port-avoid options # are present, they are processed in order. @@ -92,7 +105,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # number of outgoing simultaneous tcp buffers to hold per thread. # outgoing-num-tcp: 10 -@@ -121,12 +140,12 @@ +@@ -121,12 +140,12 @@ server: # use SO_REUSEPORT to distribute queries over threads. # at extreme load it could be better to turn it off to distribute even. @@ -107,7 +120,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # use IP_FREEBIND so the interface: addresses can be non-local # and you can bind to nonexisting IPs and interfaces that are down. -@@ -285,6 +304,8 @@ +@@ -285,6 +304,8 @@ server: # nat64-prefix: 64:ff9b::0/96 # Enable UDP, "yes" or "no". @@ -116,7 +129,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # do-udp: yes # Enable TCP, "yes" or "no". -@@ -310,7 +331,7 @@ +@@ -310,7 +331,7 @@ server: # tcp-idle-timeout: 30000 # Enable EDNS TCP keepalive option. 
@@ -125,7 +138,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Timeout for EDNS TCP keepalive, in msec. Overrides tcp-idle-timeout # if edns-tcp-keepalive is set. -@@ -320,6 +341,9 @@ +@@ -320,6 +341,9 @@ server: # can be dropped. Default is 0, disabled. In seconds, such as 3. # sock-queue-timeout: 0 @@ -135,7 +148,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Use systemd socket activation for UDP, TCP, and control sockets. # use-systemd: no -@@ -433,6 +457,7 @@ +@@ -433,6 +457,7 @@ server: # # If you give "" no chroot is performed. The path must not end in a /. # chroot: "@UNBOUND_CHROOT_DIR@" @@ -143,7 +156,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # if given, user privileges are dropped (after binding port), # and the given username is assumed. Default is user "unbound". -@@ -444,7 +469,7 @@ +@@ -444,7 +469,7 @@ server: # is not changed. # If you give a server: directory: dir before include: file statements # then those includes can be relative to the working directory. @@ -152,7 +165,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # the log file, "" means log to stderr. # Use of this option sets use-syslog to "no". -@@ -459,7 +484,7 @@ +@@ -459,7 +484,7 @@ server: # log-identity: "" # print UTC timestamp in ascii to logfile, default is epoch in seconds. @@ -161,7 +174,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # log timestamp in ISO8601 format if also log-time-ascii is enabled. # (y-m-dTh:m:s.msec[+-]tzhours:tzminutes) -@@ -532,13 +557,13 @@ +@@ -532,13 +557,13 @@ server: # harden-short-bufsize: yes # Harden against unseemly large queries. 
@@ -177,7 +190,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Harden against receiving dnssec-stripped data. If you turn it # off, failing to validate dnskey data for a trustanchor will -@@ -553,7 +578,7 @@ +@@ -553,7 +578,7 @@ server: # infrastructure data. Validates the replies (if possible). # Default off, because the lookups burden the server. Experimental # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. @@ -186,7 +199,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Harden against algorithm downgrade when multiple algorithms are # advertised in the DS record. If no, allows the weakest algorithm -@@ -567,7 +592,7 @@ +@@ -567,7 +592,7 @@ server: # Sent minimum amount of information to upstream servers to enhance # privacy. Only sent minimum required labels of the QNAME and set QTYPE # to A when possible. @@ -195,7 +208,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # QNAME minimisation in strict mode. Do not fall-back to sending full # QNAME to potentially broken nameservers. A lot of domains will not be -@@ -577,7 +602,7 @@ +@@ -577,7 +602,7 @@ server: # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN # and other denials, using information from previous NXDOMAINs answers. @@ -204,7 +217,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. -@@ -610,7 +635,7 @@ +@@ -610,7 +635,7 @@ server: # threshold, a warning is printed and a defensive action is taken, # the cache is cleared to flush potential poison out of it. # A suggested value is 10000000, the default is 0 (turned off). 
@@ -213,7 +226,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Do not query the following addresses. No DNS queries are sent there. # List one address per entry. List classless netblocks with /size, -@@ -622,20 +647,20 @@ +@@ -622,20 +647,20 @@ server: # do-not-query-localhost: yes # if yes, perform prefetching of almost expired message cache entries. @@ -239,7 +252,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # true to disable DNSSEC lameness check in iterator. # disable-dnssec-lame-check: no -@@ -645,7 +670,9 @@ +@@ -645,7 +670,9 @@ server: # most modules have to be listed at the beginning of the line, # except cachedb(just before iterator), and python (at the beginning, # or, just before the iterator). @@ -250,7 +263,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # File with trusted keys, kept uptodate using RFC5011 probes, # initial file like trust-anchor-file, then it stores metadata. -@@ -659,10 +686,10 @@ +@@ -659,10 +686,10 @@ server: # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" # trust anchor signaling sends a RFC8145 key tag query after priming. @@ -263,7 +276,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # File with trusted keys for validation. Specify more than one file # with several entries, one file per entry. -@@ -683,6 +710,9 @@ +@@ -683,6 +710,9 @@ server: # the trusted-keys { name flag proto algo "key"; }; clauses are read. # you need external update procedures to track changes in keys. # trusted-keys-file: "" 
@@ -273,7 +286,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Ignore chain of trust. Domain is treated as insecure. # domain-insecure: "example.com" -@@ -710,14 +740,15 @@ +@@ -710,14 +740,15 @@ server: # unsecure data. Useful to shield the users of this validator from # potential bogus data in the additional section. All unsigned data # in the additional section is removed from secure messages. @@ -291,7 +304,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Ignore the CD flag in incoming queries and refuse them bogus data. # Enable it if the only clients of Unbound are legacy servers (w2008) -@@ -731,11 +762,11 @@ +@@ -731,11 +762,11 @@ server: # Serve expired responses from cache, with serve-expired-reply-ttl in # the response, and then attempt to fetch the data afresh. @@ -305,7 +318,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # # Set the TTL of expired records to the serve-expired-ttl value after a # failed attempt to retrieve the record from upstream. This makes sure -@@ -762,7 +793,7 @@ +@@ -762,7 +793,7 @@ server: # Have the validator log failed validations for your diagnosis. # 0: off. 1: A line per failed user query. 2: With reason and bad IP. @@ -314,7 +327,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # It is possible to configure NSEC3 maximum iteration counts per # keysize. Keep this table very short, as linear search is done. -@@ -906,6 +937,8 @@ +@@ -906,6 +937,8 @@ server: # you need to do the reverse notation yourself. # local-data-ptr: "192.0.2.3 www.example.com" 
@@ -323,7 +336,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # tag a localzone with a list of tag names (in "" with spaces between) # local-zone-tag: "example.com" "tag2 tag3" -@@ -916,8 +949,8 @@ +@@ -916,8 +949,8 @@ server: # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. # Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. @@ -334,7 +347,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # tls-port: 853 # https-port: 443 # quic-port: 853 -@@ -926,6 +959,8 @@ +@@ -926,6 +959,8 @@ server: # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" # cipher setting for TLSv1.3 # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" @@ -343,7 +356,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Pad responses to padded queries received over TLS # pad-responses: yes -@@ -1070,12 +1105,14 @@ +@@ -1070,12 +1105,14 @@ server: # cookie-secret-file: "/usr/local/etc/unbound_cookiesecrets.txt" # Enable to attach Extended DNS Error codes (RFC8914) to responses. @@ -360,7 +373,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Specific options for ipsecmod. Unbound needs to be configured with # --enable-ipsecmod for these to take effect. -@@ -1083,12 +1120,14 @@ +@@ -1083,12 +1120,14 @@ server: # Enable or disable ipsecmod (it still needs to be defined in # module-config above). Can be used when ipsecmod needs to be # enabled/disabled via remote-control(below). 
@@ -378,7 +391,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # When enabled Unbound will reply with SERVFAIL if the return value of # the ipsecmod-hook is not 0. # ipsecmod-strict: no -@@ -1121,7 +1160,7 @@ +@@ -1121,7 +1160,7 @@ server: # o and give a python-script to run. python: # Script file to load @@ -387,7 +400,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Dynamic library config section. To enable: # o use --with-dynlibmodule to configure before compiling. -@@ -1132,13 +1171,14 @@ +@@ -1132,13 +1171,14 @@ python: # the module-config then you need one dynlib-file per instance. dynlib: # Script file to load @@ -404,7 +417,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # what interfaces are listened to for remote control. # give 0.0.0.0 and ::0 to listen to all interfaces. -@@ -1146,6 +1186,7 @@ +@@ -1146,6 +1186,7 @@ remote-control: # are not used for that, so key and cert files need not be present. # control-interface: 127.0.0.1 # control-interface: ::1 @@ -412,7 +425,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # port number for remote control operations. # control-port: 8953 -@@ -1155,16 +1196,19 @@ +@@ -1155,16 +1196,19 @@ remote-control: # control-use-cert: "yes" # Unbound server key file. @@ -436,7 +449,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Stub zones. # Create entries like below, to make all queries for 'example.com' and -@@ -1186,6 +1230,10 @@ +@@ -1186,6 +1230,10 @@ remote-control: # name: "example.org" # stub-host: ns.example.com. 
@@ -447,7 +460,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Forward zones # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of servers. These servers have to handle -@@ -1203,6 +1251,10 @@ +@@ -1203,6 +1251,10 @@ remote-control: # forward-zone: # name: "example.org" # forward-host: fwd.example.com 
@@ -458,57 +471,15 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Authority zones # The data for these zones is kept locally, from a file or downloaded. -@@ -1213,27 +1265,28 @@ - # download it), primary: fetches with AXFR and IXFR, or url to zonefile. - # With allow-notify: you can give additional (apart from primaries and urls) - # sources of notifies. --# auth-zone: --# name: "." --# primary: 170.247.170.2 # b.root-servers.net --# primary: 192.33.4.12 # c.root-servers.net --# primary: 199.7.91.13 # d.root-servers.net --# primary: 192.5.5.241 # f.root-servers.net --# primary: 192.112.36.4 # g.root-servers.net --# primary: 193.0.14.129 # k.root-servers.net --# primary: 192.0.47.132 # xfr.cjr.dns.icann.org --# primary: 192.0.32.132 # xfr.lax.dns.icann.org --# primary: 2801:1b8:10::b # b.root-servers.net --# primary: 2001:500:2::c # c.root-servers.net --# primary: 2001:500:2d::d # d.root-servers.net --# primary: 2001:500:2f::f # f.root-servers.net --# primary: 2001:500:12::d0d # g.root-servers.net --# primary: 2001:7fd::1 # k.root-servers.net --# primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org --# primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org --# fallback-enabled: yes --# for-downstream: no --# for-upstream: yes -+ auth-zone: -+ name: "." 
-+ primary: 170.247.170.2 # b.root-servers.net -+ primary: 192.33.4.12 # c.root-servers.net -+ primary: 199.7.91.13 # d.root-servers.net -+ primary: 192.5.5.241 # f.root-servers.net -+ primary: 192.112.36.4 # g.root-servers.net -+ primary: 193.0.14.129 # k.root-servers.net -+ primary: 192.0.47.132 # xfr.cjr.dns.icann.org -+ primary: 192.0.32.132 # xfr.lax.dns.icann.org -+ primary: 2801:1b8:10::b # b.root-servers.net -+ primary: 2001:500:2::c # c.root-servers.net -+ primary: 2001:500:2d::d # d.root-servers.net -+ primary: 2001:500:2f::f # f.root-servers.net -+ primary: 2001:500:12::d0d # g.root-servers.net -+ primary: 2001:7fd::1 # k.root-servers.net -+ primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org -+ primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org -+ fallback-enabled: yes -+ for-downstream: no -+ for-upstream: yes +@@ -1234,6 +1286,7 @@ remote-control: + # fallback-enabled: yes + # for-downstream: no + # for-upstream: yes + # auth-zone: # name: "example.org" # for-downstream: yes -@@ -1259,6 +1312,9 @@ +@@ -1259,6 +1312,9 @@ remote-control: # name: "anotherview" # local-zone: "example.com" refuse @@ -518,7 +489,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # DNSCrypt # To enable, use --enable-dnscrypt to configure before compiling. # Caveats: -@@ -1338,7 +1394,7 @@ +@@ -1338,7 +1394,7 @@ remote-control: # dnstap-enable: no # # if set to yes frame streams will be used in bidirectional mode # dnstap-bidirectional: yes @@ -527,3 +498,6 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # # if "" use the unix socket in dnstap-socket-path, otherwise, # # set it to "IPaddress[@port]" of the destination. # dnstap-ip: "" +-- +2.47.0 + From e121fcf04fb9ba27c7c4e0d4c51b0d208bd844ea Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Fri, 15 Nov 2024 11:59:34 +0100
Subject: [PATCH 23/62] Move remote-control configuration to vendor directory
Keep just simple include stub at original place. Add also enabling of remote control into the same file. Makes it possible to be used directly by unbound-control command.
---
 remote-control-include.conf | 4 ++++
 remote-control.conf | 27 ++++++++++++++++++++++-----
 unbound.spec | 4 +++-
 3 files changed, 29 insertions(+), 6 deletions(-)
 create mode 100644 remote-control-include.conf
diff --git a/remote-control-include.conf b/remote-control-include.conf
new file mode 100644
index 0000000..5688480
--- /dev/null
+++ b/remote-control-include.conf
@@ -0,0 +1,4 @@
+# Previous defaults allowed any process to change settings, CVE-2023-1488
+# If you want to modify remote configuration, replace this file with
+# contents of included file and modify afterwards.
+include: "/usr/share/unbound/conf.d/remote-control.conf"
diff --git a/remote-control.conf b/remote-control.conf
index 4561a63..6f6942e 100644
--- a/remote-control.conf
+++ b/remote-control.conf
@@ -1,9 +1,26 @@
 # Remote control config section update.
 # Previous defaults allowed any process to change settings, CVE-2023-1488
+# This file can be used also by: unbound-control -c
 remote-control:
- # set to an absolute path to use a unix local name pipe, certificates
- # are not used for that, so key and cert files need not be present.
- control-interface: "/run/unbound/control"
+ # Enable remote control with unbound-control(8) here.
+ # set up the keys and certificates with unbound-control-setup.
+ control-enable: yes
- # For local sockets this option is ignored, and TLS is not used.
- control-use-cert: "yes"
+ # set to an absolute path to use a unix local name pipe, certificates
+ # are not used for that, so key and cert files need not be present.
+ control-interface: "/run/unbound/control"
+
+ # For local sockets this option is ignored, and TLS is not used.
+ control-use-cert: "yes"
+
+ # Unbound server key file.
+ server-key-file: "/etc/unbound/unbound_server.key"
+
+ # Unbound server certificate file.
+ server-cert-file: "/etc/unbound/unbound_server.pem"
+
+ # unbound-control key file.
+ control-key-file: "/etc/unbound/unbound_control.key"
+
+ # unbound-control certificate file.
+ control-cert-file: "/etc/unbound/unbound_control.pem"
diff --git a/unbound.spec b/unbound.spec
index cb8b8bb..32eec1e 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -66,6 +66,7 @@ Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc
 Source23: unbound-as112-networks.conf
 Source24: unbound-local-root.conf
 Source25: openssl-sha1.conf
+Source26: remote-control-include.conf
 # Downstream configuration changes
 Patch1: unbound-fedora-config.patch
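Review bot: The new comment above `control-enable: yes` points to unbound-control-setup for keys, but with `control-interface: "/run/unbound/control"` those certificates are never consulted (the hunk's own comment on `control-use-cert` says so), so once this vendor file is included by default the only access control on reconfiguring the resolver is the unix socket's owner and mode. That should be stated next to `control-interface`, e.g. `# For the unix socket, access control is the socket's file permissions only; keep it owned by and restricted to the unbound user/group.` It would also help to say in the header that `control-enable: yes` now lives in the vendor copy under /usr/share, so an administrator who wants remote control off should replace the include stub in /etc/unbound/conf.d rather than edit this file.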
@@ -363,10 +364,11 @@ mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d}
 install -p -m 0644 %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
 install -p -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
 install -p -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
-install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/
+install -p -m 0644 %{SOURCE26} %{buildroot}%{_sysconfdir}/unbound/conf.d/remote-control.conf
 install -p -m 0644 %{SOURCE25} %{buildroot}%{_sysconfdir}/unbound/openssl-sha1.conf
 mkdir -p %{buildroot}%{_datadir}/%{name}/conf.d
+install -p -m 0644 %{SOURCE21} %{buildroot}%{_datadir}/%{name}/conf.d/
 install -p -m 0644 %{SOURCE23} %{buildroot}%{_datadir}/%{name}/conf.d/
 install -p -m 0644 %{SOURCE24} %{buildroot}%{_datadir}/%{name}/conf.d/
From 524bcf06fe07ab93ec3d3c90f1a06b698d0c24c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Fri, 15 Nov 2024 14:55:19 +0100
Subject: [PATCH 24/62] Move defaults to separate configuration file
Place distribution defaults into file provided in /usr/share/unbound. Include that file from default configuration before conf.d/*.conf is included, to ensure similar order is kept. Rely on remote-control to be configured by conf.d/remote-control.conf only. Moved parts from orinal unbound.conf to single file together.
---
 fedora-defaults.conf | 225 +++++++++++++++++++
 unbound-fedora-config.patch | 430 ++----------------------------------
 unbound.spec | 3 +
 3 files changed, 248 insertions(+), 410 deletions(-)
 create mode 100644 fedora-defaults.conf
diff --git a/fedora-defaults.conf b/fedora-defaults.conf
new file mode 100644
index 0000000..ccbc20a
--- /dev/null
+++ b/fedora-defaults.conf
@@ -0,0 +1,225 @@ +# Fedora distribution defaults + +server: + # verbosity number, 0 is least verbose. 1 is default. + verbosity: 1 + + # print statistics to the log (for every thread) every N seconds. + # Set to "" or 0 to disable. Default is disabled. + # Needs to be disabled for munin plugin + statistics-interval: 0 + + # enable cumulative statistics, without clearing them after printing. + # Needs to be disabled for munin plugin + statistics-cumulative: no + + # enable extended statistics (query types, answer codes, status) + # Needs to be enabled for munin plugin + extended-statistics: yes + + # number of threads to create. 1 disables threading. + # num-threads: 1 + num-threads: 4 + + # specify the interfaces to answer queries from by ip-address. + # The default is to listen to localhost (127.0.0.1 and ::1). + # specify 0.0.0.0 and ::0 to bind to all available interfaces. + # specify every interface[@port] on a new 'interface:' labelled line. + # The listen interfaces are not changed on reload, only on restart. + # interface: 0.0.0.0 + # interface: ::0 + # interface: 192.0.2.153 + # interface: 192.0.2.154 + # interface: 192.0.2.154@5003 + # interface: 2001:DB8::5 + # interface: eth0@5003 + # + # for dns over tls and raw dns over port 80 + # interface: 0.0.0.0@443 + # interface: ::0@443 + # interface: 0.0.0.0@80 + # interface: ::0@80 + + # enable this feature to copy the source address of queries to reply. + # Socket options are not supported on all platforms. experimental. + # interface-automatic: yes + # + # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0 + # NOTE: Disabled per Fedora policy not to listen to * on default install + # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled + interface-automatic: no + + # permit Unbound to use this port number or port range for + # making outgoing queries, using an outgoing interface. 
+ # Only ephemeral ports are allowed by SElinux + outgoing-port-permit: 32768-60999 + + # IANA-assigned port numbers. + # If multiple outgoing-port-permit and outgoing-port-avoid options + # are present, they are processed in order. + # Our SElinux policy does not allow non-ephemeral ports to be used + outgoing-port-avoid: 0-32767 + outgoing-port-avoid: 61000-65535 + + # use SO_REUSEPORT to distribute queries over threads. + # at extreme load it could be better to turn it off to distribute even. + so-reuseport: yes + + # use IP_TRANSPARENT so the interface: addresses can be non-local + # and you can config non-existing IPs that are going to work later on + # (uses IP_BINDANY on FreeBSD). + ip-transparent: yes + + # Enable UDP, "yes" or "no". + # NOTE: if setting up an Unbound on tls443 for public use, you might want to + # disable UDP to avoid being used in DNS amplification attacks. + # do-udp: yes + + # Enable EDNS TCP keepalive option. + edns-tcp-keepalive: yes + + # Fedora note: do not activate this - not compiled in because + # it causes frequent unbound crashes. Also, socket activation + # is bad when you have things like dnsmasq also running with libvirt. + # Use systemd socket activation for UDP, TCP, and control sockets. + # use-systemd: no + + # If you give a server: directory: dir before include: file statements + # then those includes can be relative to the working directory. + directory: "/etc/unbound" + + # print UTC timestamp in ascii to logfile, default is epoch in seconds. + log-time-ascii: yes + + # Harden against unseemly large queries. + harden-large-queries: yes + + # Harden against unverified (outside-zone, including sibling zone) glue rrsets + harden-unverified-glue: yes + + # Default off, because the lookups burden the server. Experimental + # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. + harden-referral-path: yes + + # Sent minimum amount of information to upstream servers to enhance + # privacy. 
Only sent minimum required labels of the QNAME and set QTYPE + # to A when possible. + qname-minimisation: yes + + # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN + # and other denials, using information from previous NXDOMAINs answers. + aggressive-nsec: yes + + # threshold, a warning is printed and a defensive action is taken, + # the cache is cleared to flush potential poison out of it. + # A suggested value is 10000000, the default is 0 (turned off). + unwanted-reply-threshold: 10000000 + + # if yes, perform prefetching of almost expired message cache entries. + prefetch: yes + + # if yes, perform key lookups adjacent to normal lookups. + prefetch-key: yes + + # deny queries of type ANY with an empty response. + deny-any: yes + + # if yes, Unbound rotates RRSet order in response. + rrset-roundrobin: yes + + # if yes, Unbound doesn't insert authority/additional sections + # into response messages when those sections are not required. + minimal-responses: yes + + # module configuration of the server. A string with identifiers + # separated by spaces. Syntax: "[dns64] [validator] iterator" + # most modules have to be listed at the beginning of the line, + # except cachedb(just before iterator), and python (at the beginning, + # or, just before the iterator). + # For redis cachedb use: + # "ipsecmod validator cachedb iterator" + module-config: "ipsecmod validator iterator" + + # trust anchor signaling sends a RFC8145 key tag query after priming. + trust-anchor-signaling: yes + + # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel) + root-key-sentinel: yes + + # the trusted-keys { name flag proto algo "key"; }; clauses are read. + # you need external update procedures to track changes in keys. + # trusted-keys-file: "" + # + trusted-keys-file: /etc/unbound/keys.d/*.key + auto-trust-anchor-file: "/var/lib/unbound/root.key" + + # Should additional section of secure message also be kept clean of + # unsecure data. 
Useful to shield the users of this validator from + # potential bogus data in the additional section. All unsigned data + # in the additional section is removed from secure messages. + val-clean-additional: yes + + # Turn permissive mode on to permit bogus messages. Thus, messages + # for which security checks failed will be returned to clients, + # instead of SERVFAIL. It still performs the security checks, which + # result in interesting log files and possibly the AD bit in + # replies if the message is found secure. The default is off. + # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY + val-permissive-mode: no + + # Serve expired responses from cache, with serve-expired-reply-ttl in + # the response, and then attempt to fetch the data afresh. + serve-expired: yes + + # Limit serving of expired responses to configured seconds after + # expiration. 0 disables the limit. + serve-expired-ttl: 14400 + + # Have the validator log failed validations for your diagnosis. + # 0: off. 1: A line per failed user query. 2: With reason and bad IP. + val-log-level: 1 + + # service clients over TLS (on the TCP sockets) with plain DNS inside + # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. + # Give the certificate to use and private key. + # default is "" (disabled). requires restart to take effect. + # tls-service-key: "/etc/unbound/unbound_server.key" + # tls-service-pem: "/etc/unbound/unbound_server.pem" + + # Fedora/RHEL: use system-wide crypto policies + tls-ciphers: "PROFILE=SYSTEM" + + # Enable to attach Extended DNS Error codes (RFC8914) to responses. + # Fedora defaults to yes. + ede: yes + + # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale + # Answer as EDNS0 option to expired responses. + # Note that the ede option above needs to be enabled for this to work. + # Fedora defaults to yes. + ede-serve-expired: yes + + # Enable or disable ipsecmod (it still needs to be defined in + # module-config above). 
Can be used when ipsecmod needs to be + # enabled/disabled via remote-control(below). + # Fedora: module will be enabled on-demand by libreswan + ipsecmod-enabled: no + + # Path to executable external hook. It must be defined when ipsecmod is + # listed in module-config (above). + ipsecmod-hook: /usr/libexec/ipsec/_unbound-hook + +python: + # Script file to load + # python-script: "/etc/unbound/ubmodule-tst.py" + +# Remote control config section moved into own remote-control.conf + +# the module-config then you need one dynlib-file per instance. +dynlib: + # Script file to load + # dynlib-file: "/etc/unbound/dynlib.so" + +# Fedora: DNSCrypt support not enabled since it requires linking to +# another crypto library +# diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch index 9c39596..be28920 100644 --- a/unbound-fedora-config.patch +++ b/unbound-fedora-config.patch @@ -1,60 +1,20 @@ -From aa201e383210d02c0396d0a1375d217551c0e2bd Mon Sep 17 00:00:00 2001 +From 6e2d042505a006ab5fd703631661e68d1cdc66df Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= -Date: Fri, 15 Nov 2024 08:57:14 +0100 +Date: Fri, 15 Nov 2024 13:25:34 +0100 Subject: [PATCH] Customize unbound.conf for Fedora defaults Set some Fedora/RHEL specific changes to example configuration file. By patching upstream provided config file we would not need to manually update external copy in source RPM. --- - doc/example.conf.in | 152 ++++++++++++++++++++++++++++++-------------- - 1 file changed, 104 insertions(+), 48 deletions(-) + doc/example.conf.in | 33 +++++++++++++++++++++++++++++++-- + 1 file changed, 31 insertions(+), 2 deletions(-) diff --git a/doc/example.conf.in b/doc/example.conf.in -index 59090c6..33c6209 100644 +index 59090c6..3a86809 100644 --- a/doc/example.conf.in 
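Review bot: `outgoing-port-permit: 32768-60999` plus the two `outgoing-port-avoid` lines confine source-port randomisation to roughly 28k ports, noticeably fewer than the range upstream permits by default (1024-65535, as far as I recall), which lowers the entropy that together with the 16-bit query ID resists off-path answer spoofing; the adjacent comment names only the SELinux reason, not this trade-off. I'd record it where the setting lives: `# NOTE: ~28k ports of source-port entropy, less than upstream's default; kept for the SELinux ephemeral-port policy`. If that policy still applies (I can only see the comment's claim of it), consider whether upstream's 0x20 option (`use-caps-for-id`, not set in this file) should compensate. The `python:` and `dynlib:` sections at the end hold only commented lines and could be dropped so the defaults file carries real settings only.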
+++ b/doc/example.conf.in -@@ -17,11 +17,12 @@ server: - # whitespace is not necessary, but looks cleaner. - - # verbosity number, 0 is least verbose. 1 is default. -- # verbosity: 1 -+ verbosity: 1 - - # print statistics to the log (for every thread) every N seconds. - # Set to "" or 0 to disable. Default is disabled. -- # statistics-interval: 0 -+ # Needs to be disabled for munin plugin -+ statistics-interval: 0 - - # enable shm for stats, default no. if you enable also enable - # statistics-interval, every time it also writes stats to the -@@ -32,11 +33,13 @@ server: - # shm-key: 11777 - - # enable cumulative statistics, without clearing them after printing. -- # statistics-cumulative: no -+ # Needs to be disabled for munin plugin -+ statistics-cumulative: no - - # enable extended statistics (query types, answer codes, status) -- # printed from unbound-control. Default off, because of speed. -- # extended-statistics: no -+ # printed from unbound-control. default off, because of speed. -+ # Needs to be enabled for munin plugin -+ extended-statistics: yes - - # Inhibits selected extended statistics (qtype, qclass, qopcode, rcode, - # rpz-actions) from printing if their value is 0. -@@ -44,22 +47,35 @@ server: - # statistics-inhibit-zero: yes - - # number of threads to create. 1 disables threading. -- # num-threads: 1 -+ num-threads: 4 - - # specify the interfaces to answer queries from by ip-address. - # The default is to listen to localhost (127.0.0.1 and ::1). +@@ -51,11 +51,19 @@ server: # specify 0.0.0.0 and ::0 to bind to all available interfaces. # specify every interface[@port] on a new 'interface:' labelled line. # The listen interfaces are not changed on reload, only on restart. 
@@ -74,53 +34,7 @@ index 59090c6..33c6209 100644 # enable this feature to copy the source address of queries to reply. # Socket options are not supported on all platforms. experimental. -- # interface-automatic: no -+ # interface-automatic: yes -+ # -+ # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0 -+ # NOTE: Disabled per Fedora policy not to listen to * on default install -+ # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled -+ interface-automatic: no - - # instead of the default port, open additional ports separated by - # spaces when interface-automatic is enabled, by listing them here. -@@ -94,7 +110,8 @@ server: - - # permit Unbound to use this port number or port range for - # making outgoing queries, using an outgoing interface. -- # outgoing-port-permit: 32768 -+ # Only ephemeral ports are allowed by SElinux -+ outgoing-port-permit: 32768-60999 - - # deny Unbound the use this of port number or port range for - # making outgoing queries, using an outgoing interface. -@@ -103,7 +120,9 @@ server: - # IANA-assigned port numbers. - # If multiple outgoing-port-permit and outgoing-port-avoid options - # are present, they are processed in order. -- # outgoing-port-avoid: "3200-3208" -+ # Our SElinux policy does not allow non-ephemeral ports to be used -+ outgoing-port-avoid: 0-32767 -+ outgoing-port-avoid: 61000-65535 - - # number of outgoing simultaneous tcp buffers to hold per thread. - # outgoing-num-tcp: 10 -@@ -121,12 +140,12 @@ server: - - # use SO_REUSEPORT to distribute queries over threads. - # at extreme load it could be better to turn it off to distribute even. -- # so-reuseport: yes -+ so-reuseport: yes - - # use IP_TRANSPARENT so the interface: addresses can be non-local - # and you can config non-existing IPs that are going to work later on - # (uses IP_BINDANY on FreeBSD). 
-- # ip-transparent: no -+ ip-transparent: yes - - # use IP_FREEBIND so the interface: addresses can be non-local - # and you can bind to nonexisting IPs and interfaces that are down. -@@ -285,6 +304,8 @@ server: +@@ -285,6 +293,8 @@ server: # nat64-prefix: 64:ff9b::0/96 # Enable UDP, "yes" or "no". @@ -129,16 +43,7 @@ index 59090c6..33c6209 100644 # do-udp: yes # Enable TCP, "yes" or "no". -@@ -310,7 +331,7 @@ server: - # tcp-idle-timeout: 30000 - - # Enable EDNS TCP keepalive option. -- # edns-tcp-keepalive: no -+ edns-tcp-keepalive: yes - - # Timeout for EDNS TCP keepalive, in msec. Overrides tcp-idle-timeout - # if edns-tcp-keepalive is set. -@@ -320,6 +341,9 @@ server: +@@ -320,6 +330,9 @@ server: # can be dropped. Default is 0, disabled. In seconds, such as 3. # sock-queue-timeout: 0 
@@ -148,186 +53,7 @@ index 59090c6..33c6209 100644 # Use systemd socket activation for UDP, TCP, and control sockets. # use-systemd: no -@@ -433,6 +457,7 @@ server: - # - # If you give "" no chroot is performed. The path must not end in a /. - # chroot: "@UNBOUND_CHROOT_DIR@" -+ chroot: "" - - # if given, user privileges are dropped (after binding port), - # and the given username is assumed. Default is user "unbound". -@@ -444,7 +469,7 @@ server: - # is not changed. - # If you give a server: directory: dir before include: file statements - # then those includes can be relative to the working directory. -- # directory: "@UNBOUND_RUN_DIR@" -+ directory: "/etc/unbound" - - # the log file, "" means log to stderr. - # Use of this option sets use-syslog to "no". -@@ -459,7 +484,7 @@ server: - # log-identity: "" - - # print UTC timestamp in ascii to logfile, default is epoch in seconds. -- # log-time-ascii: no -+ log-time-ascii: yes - - # log timestamp in ISO8601 format if also log-time-ascii is enabled. - # (y-m-dTh:m:s.msec[+-]tzhours:tzminutes) -@@ -532,13 +557,13 @@ server: - # harden-short-bufsize: yes - - # Harden against unseemly large queries. -- # harden-large-queries: no -+ harden-large-queries: yes - - # Harden against out of zone rrsets, to avoid spoofing attempts. - # harden-glue: yes - - # Harden against unverified (outside-zone, including sibling zone) glue rrsets -- # harden-unverified-glue: no -+ harden-unverified-glue: yes - - # Harden against receiving dnssec-stripped data. If you turn it - # off, failing to validate dnskey data for a trustanchor will -@@ -553,7 +578,7 @@ server: - # infrastructure data. Validates the replies (if possible). - # Default off, because the lookups burden the server. Experimental - # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. -- # harden-referral-path: no -+ harden-referral-path: yes - - # Harden against algorithm downgrade when multiple algorithms are - # advertised in the DS record. 
If no, allows the weakest algorithm -@@ -567,7 +592,7 @@ server: - # Sent minimum amount of information to upstream servers to enhance - # privacy. Only sent minimum required labels of the QNAME and set QTYPE - # to A when possible. -- # qname-minimisation: yes -+ qname-minimisation: yes - - # QNAME minimisation in strict mode. Do not fall-back to sending full - # QNAME to potentially broken nameservers. A lot of domains will not be -@@ -577,7 +602,7 @@ server: - - # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN - # and other denials, using information from previous NXDOMAINs answers. -- # aggressive-nsec: yes -+ aggressive-nsec: yes - - # Use 0x20-encoded random bits in the query to foil spoof attempts. - # This feature is an experimental implementation of draft dns-0x20. -@@ -610,7 +635,7 @@ server: - # threshold, a warning is printed and a defensive action is taken, - # the cache is cleared to flush potential poison out of it. - # A suggested value is 10000000, the default is 0 (turned off). -- # unwanted-reply-threshold: 0 -+ unwanted-reply-threshold: 10000000 - - # Do not query the following addresses. No DNS queries are sent there. - # List one address per entry. List classless netblocks with /size, -@@ -622,20 +647,20 @@ server: - # do-not-query-localhost: yes - - # if yes, perform prefetching of almost expired message cache entries. -- # prefetch: no -+ prefetch: yes - - # if yes, perform key lookups adjacent to normal lookups. -- # prefetch-key: no -+ prefetch-key: yes - - # deny queries of type ANY with an empty response. -- # deny-any: no -+ deny-any: yes - - # if yes, Unbound rotates RRSet order in response. -- # rrset-roundrobin: yes -+ rrset-roundrobin: yes - - # if yes, Unbound doesn't insert authority/additional sections - # into response messages when those sections are not required. -- # minimal-responses: yes -+ minimal-responses: yes - - # true to disable DNSSEC lameness check in iterator. 
- # disable-dnssec-lame-check: no -@@ -645,7 +670,9 @@ server: - # most modules have to be listed at the beginning of the line, - # except cachedb(just before iterator), and python (at the beginning, - # or, just before the iterator). -- # module-config: "validator iterator" -+ # For redis cachedb use: -+ # "ipsecmod validator cachedb iterator" -+ module-config: "ipsecmod validator iterator" - - # File with trusted keys, kept uptodate using RFC5011 probes, - # initial file like trust-anchor-file, then it stores metadata. -@@ -659,10 +686,10 @@ server: - # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" - - # trust anchor signaling sends a RFC8145 key tag query after priming. -- # trust-anchor-signaling: yes -+ trust-anchor-signaling: yes - - # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel) -- # root-key-sentinel: yes -+ root-key-sentinel: yes - - # File with trusted keys for validation. Specify more than one file - # with several entries, one file per entry. -@@ -683,6 +710,9 @@ server: - # the trusted-keys { name flag proto algo "key"; }; clauses are read. - # you need external update procedures to track changes in keys. - # trusted-keys-file: "" -+ # -+ trusted-keys-file: /etc/unbound/keys.d/*.key -+ auto-trust-anchor-file: "/var/lib/unbound/root.key" - - # Ignore chain of trust. Domain is treated as insecure. - # domain-insecure: "example.com" -@@ -710,14 +740,15 @@ server: - # unsecure data. Useful to shield the users of this validator from - # potential bogus data in the additional section. All unsigned data - # in the additional section is removed from secure messages. -- # val-clean-additional: yes -+ val-clean-additional: yes - - # Turn permissive mode on to permit bogus messages. Thus, messages - # for which security checks failed will be returned to clients, - # instead of SERVFAIL. It still performs the security checks, which - # result in interesting log files and possibly the AD bit in - # replies if the message is found secure. 
The default is off. -- # val-permissive-mode: no -+ # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY -+ val-permissive-mode: no - - # Ignore the CD flag in incoming queries and refuse them bogus data. - # Enable it if the only clients of Unbound are legacy servers (w2008) -@@ -731,11 +762,11 @@ server: - - # Serve expired responses from cache, with serve-expired-reply-ttl in - # the response, and then attempt to fetch the data afresh. -- # serve-expired: no -+ serve-expired: yes - # - # Limit serving of expired responses to configured seconds after - # expiration. 0 disables the limit. -- # serve-expired-ttl: 0 -+ serve-expired-ttl: 14400 - # - # Set the TTL of expired records to the serve-expired-ttl value after a - # failed attempt to retrieve the record from upstream. This makes sure -@@ -762,7 +793,7 @@ server: - - # Have the validator log failed validations for your diagnosis. - # 0: off. 1: A line per failed user query. 2: With reason and bad IP. -- # val-log-level: 0 -+ val-log-level: 1 - - # It is possible to configure NSEC3 maximum iteration counts per - # keysize. Keep this table very short, as linear search is done. -@@ -906,6 +937,8 @@ server: +@@ -906,6 +919,8 @@ server: # you need to do the reverse notation yourself. # local-data-ptr: "192.0.2.3 www.example.com" @@ -336,7 +62,7 @@ index 59090c6..33c6209 100644 # tag a localzone with a list of tag names (in "" with spaces between) # local-zone-tag: "example.com" "tag2 tag3" -@@ -916,8 +949,8 @@ server: +@@ -916,8 +931,8 @@ server: # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. # Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. 
@@ -347,109 +73,20 @@ index 59090c6..33c6209 100644 # tls-port: 853 # https-port: 443 # quic-port: 853 -@@ -926,6 +959,8 @@ server: - # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" - # cipher setting for TLSv1.3 - # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" -+ # Fedora/RHEL: use system-wide crypto policies -+ tls-ciphers: "PROFILE=SYSTEM" - - # Pad responses to padded queries received over TLS - # pad-responses: yes -@@ -1070,12 +1105,14 @@ server: - # cookie-secret-file: "/usr/local/etc/unbound_cookiesecrets.txt" - - # Enable to attach Extended DNS Error codes (RFC8914) to responses. -- # ede: no -+ # Fedora defaults to yes. -+ ede: yes - - # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale - # Answer as EDNS0 option to expired responses. - # Note that the ede option above needs to be enabled for this to work. -- # ede-serve-expired: no -+ # Fedora defaults to yes. -+ ede-serve-expired: yes - - # Specific options for ipsecmod. Unbound needs to be configured with - # --enable-ipsecmod for these to take effect. -@@ -1083,12 +1120,14 @@ server: - # Enable or disable ipsecmod (it still needs to be defined in - # module-config above). Can be used when ipsecmod needs to be - # enabled/disabled via remote-control(below). -- # ipsecmod-enabled: yes -- # -+ # Fedora: module will be enabled on-demand by libreswan -+ ipsecmod-enabled: no -+ - # Path to executable external hook. It must be defined when ipsecmod is - # listed in module-config (above). - # ipsecmod-hook: "./my_executable" -- # -+ ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook -+ - # When enabled Unbound will reply with SERVFAIL if the return value of - # the ipsecmod-hook is not 0. 
- # ipsecmod-strict: no -@@ -1121,7 +1160,7 @@ server: - # o and give a python-script to run. - python: - # Script file to load -- # python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py" -+ # python-script: "/etc/unbound/ubmodule-tst.py" - - # Dynamic library config section. To enable: - # o use --with-dynlibmodule to configure before compiling. -@@ -1132,13 +1171,14 @@ python: - # the module-config then you need one dynlib-file per instance. - dynlib: - # Script file to load -- # dynlib-file: "@UNBOUND_SHARE_DIR@/dynlib.so" -+ # dynlib-file: "/etc/unbound/dynlib.so" - - # Remote control config section. - remote-control: - # Enable remote control with unbound-control(8) here. - # set up the keys and certificates with unbound-control-setup. -- # control-enable: no -+ # Note: required for unbound-munin package -+ control-enable: yes - - # what interfaces are listened to for remote control. - # give 0.0.0.0 and ::0 to listen to all interfaces. -@@ -1146,6 +1186,7 @@ remote-control: - # are not used for that, so key and cert files need not be present. - # control-interface: 127.0.0.1 - # control-interface: ::1 -+ # moved to /etc/unbound/conf.d/remote-control.conf - - # port number for remote control operations. - # control-port: 8953 -@@ -1155,16 +1196,19 @@ remote-control: - # control-use-cert: "yes" - - # Unbound server key file. -- # server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key" -+ server-key-file: "/etc/unbound/unbound_server.key" - - # Unbound server certificate file. -- # server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem" -+ server-cert-file: "/etc/unbound/unbound_server.pem" - - # unbound-control key file. -- # control-key-file: "@UNBOUND_RUN_DIR@/unbound_control.key" -+ control-key-file: "/etc/unbound/unbound_control.key" - +@@ -1166,6 +1181,12 @@ remote-control: # unbound-control certificate file. 
-- # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem" -+ control-cert-file: "/etc/unbound/unbound_control.pem" + # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem" + ++# Default Fedora settings ++include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf" + +# Stub and Forward zones -+include: /etc/unbound/conf.d/*.conf - ++include: "@sysconfdir@/unbound/conf.d/*.conf" ++ # Stub zones. # Create entries like below, to make all queries for 'example.com' and -@@ -1186,6 +1230,10 @@ remote-control: + # 'example.org' go to the given list of nameservers. list zero or more +@@ -1186,6 +1207,10 @@ remote-control: # name: "example.org" # stub-host: ns.example.com. @@ -460,7 +97,7 @@ index 59090c6..33c6209 100644 # Forward zones # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of servers. These servers have to handle -@@ -1203,6 +1251,10 @@ remote-control: +@@ -1203,6 +1228,10 @@ remote-control: # forward-zone: # name: "example.org" # forward-host: fwd.example.com 
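Review bot: The new `include: "@sysconfdir@/unbound/conf.d/*.conf"` replaces the literal `/etc/unbound/conf.d/*.conf` the old version of this patch carried and now depends on configure substituting `@sysconfdir@`; autoconf's default for that variable is `${prefix}/etc`, so unless the build passes `--sysconfdir=/etc` the generated unbound.conf would carry an unexpanded path and every conf.d drop-in, remote-control.conf included, would likely be skipped without error (a non-matching glob is not a failure, as far as I recall). The spec hunk in this commit adds `--with-share-dir` to back `@UNBOUND_SHARE_DIR@` but nothing for sysconfdir; if `%configure` is relied on for it, a comment next to the include (`# @sysconfdir@ is supplied by %configure --sysconfdir`) keeps the two substitutions visibly paired. Both includes are placed inside the example's `remote-control:` section, so a drop-in that does not open with its own section keyword is, I believe, parsed in that context and rejected — worth a sentence in the comment too.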
@@ -471,33 +108,6 @@ index 59090c6..33c6209 100644 # Authority zones # The data for these zones is kept locally, from a file or downloaded. -@@ -1234,6 +1286,7 @@ remote-control: - # fallback-enabled: yes - # for-downstream: no - # for-upstream: yes -+ - # auth-zone: - # name: "example.org" - # for-downstream: yes -@@ -1259,6 +1312,9 @@ remote-control: - # name: "anotherview" - # local-zone: "example.com" refuse - -+# Fedora: DNSCrypt support not enabled since it requires linking to -+# another crypto library -+# - # DNSCrypt - # To enable, use --enable-dnscrypt to configure before compiling. - # Caveats: -@@ -1338,7 +1394,7 @@ remote-control: - # dnstap-enable: no - # # if set to yes frame streams will be used in bidirectional mode - # dnstap-bidirectional: yes --# dnstap-socket-path: "@DNSTAP_SOCKET_PATH@" -+# dnstap-socket-path: "/etc/unbound/dnstap.sock" - # # if "" use the unix socket in dnstap-socket-path, otherwise, - # # set it to "IPaddress[@port]" of the destination. - # dnstap-ip: "" -- 2.47.0 diff --git a/unbound.spec b/unbound.spec index 32eec1e..b0803ee 100644 --- a/unbound.spec +++ b/unbound.spec @@ -67,6 +67,7 @@ Source23: unbound-as112-networks.conf Source24: unbound-local-root.conf Source25: openssl-sha1.conf Source26: remote-control-include.conf +Source27: fedora-defaults.conf # Downstream configuration changes Patch1: unbound-fedora-config.patch @@ -237,6 +238,7 @@ Python 3 modules and extensions for unbound --enable-relro-now --enable-pie \\\ --enable-subnet --enable-ipsecmod \\\ --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\ + --with-share-dir=%{_datadir}/%{name} \\\ --with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\ --enable-sha2 --disable-gost --enable-ecdsa \\\ --with-rootkey-file=%{_sharedstatedir}/%{name}/root.key \\\ 
@@ -371,6 +373,7 @@ mkdir -p %{buildroot}%{_datadir}/%{name}/conf.d
install -p -m 0644 %{SOURCE21} %{buildroot}%{_datadir}/%{name}/conf.d/
install -p -m 0644 %{SOURCE23} %{buildroot}%{_datadir}/%{name}/conf.d/
install -p -m 0644 %{SOURCE24} %{buildroot}%{_datadir}/%{name}/conf.d/
+install -p -m 0644 %{SOURCE27} %{buildroot}%{_datadir}/%{name}/

# Link unbound-control-setup.8 manpage to unbound-control.8
echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
From 5f8c4336b8215b65fb9c4e313385129c5fcbd630 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Thu, 21 Nov 2024 06:44:19 +0100
Subject: [PATCH 25/62] Fix real regression detected by unbound-localhost test
Reset chroot to empty directory in fedora-defaults.conf. That needs to be set for packaing to work as before.
---
fedora-defaults.conf | 4 ++++
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fedora-defaults.conf b/fedora-defaults.conf
index ccbc20a..99ff95d 100644
--- a/fedora-defaults.conf
+++ b/fedora-defaults.conf
@@ -84,6 +84,10 @@ server:
# Use systemd socket activation for UDP, TCP, and control sockets.
# use-systemd: no

+ # If you give "" no chroot is performed. The path must not end in a /.
+ # chroot: "/etc/unbound"
+ chroot: ""
+
# If you give a server: directory: dir before include: file statements
# then those includes can be relative to the working directory.
directory: "/etc/unbound"
From 07cf660542bf406e22f0407c286f06ac1fe1fa25 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Thu, 16 Jan 2025 16:08:43 +0100
Subject: [PATCH 26/62] Use ip-freebind: yes or add After=network-online.target (rhbz#2338429) if interface: specifies exact address, not localhost nor wildcard. It should not be used by default when only localhost listening is enabled. Default configuration does not need it.
---
unbound.service | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
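Review bot: `chroot: ""` disables the chroot that upstream's example enables by default, and the only justification is the commit message; the comment above it shows `# chroot: "/etc/unbound"` as an example without saying why the setting is off, so the next person is as likely to "fix" it back on as to leave it. I'd record the reason next to the setting, e.g. `# Fedora: no chroot; root.key under /var/lib/unbound, the ipsecmod hook under /usr/libexec and the conf.d includes live outside /etc/unbound` — those paths are all set elsewhere in this same file. If chroot is ever re-enabled, `auto-trust-anchor-file: "/var/lib/unbound/root.key"` and `ipsecmod-hook: /usr/libexec/ipsec/_unbound-hook` would have to be reachable inside it, which the example value would not provide. Whether the systemd unit provides equivalent confinement I cannot tell from the hunks visible here.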
diff --git a/unbound.service b/unbound.service
index 74321c7..86ada76 100644
--- a/unbound.service
+++ b/unbound.service
@@ -1,6 +1,9 @@
[Unit]
Description=Unbound recursive Domain Name Server
-After=network-online.target
+After=network.target
+# Use ip-freebind: yes or add After=network-online.target, rhbz#2338429,
+# if interface: specifies exact address, not localhost nor wildcard
+#After=network-online.target
After=unbound-keygen.service
Wants=unbound-keygen.service
After=unbound-anchor.service
From df03e4d58a2804984b825b26da71511984af912b Mon Sep 17 00:00:00 2001
From: Tomas Korbar
Date: Tue, 19 Nov 2024 10:55:05 +0100
Subject: [PATCH 27/62] Add dracut module
Dracut module allows unbound to be used as resolver in initramfs. It is set before to network-online.target to ensure that other services which depend on name resolution have general synchronization point when they can expect unbound to be configured and listening.
---
module-setup.sh | 44 ++++++++++++++++++++++++++++++++++++++++++++
unbound-initrd.conf | 5 +++++
unbound.spec | 18 ++++++++++++++++++
3 files changed, 67 insertions(+)
create mode 100644 module-setup.sh
create mode 100644 unbound-initrd.conf
diff --git a/module-setup.sh b/module-setup.sh
new file mode 100644
index 0000000..439bc6d
--- /dev/null
+++ b/module-setup.sh
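Review bot: The new comment recommends `ip-freebind: yes` for an exact `interface:` address, but fedora-defaults.conf from earlier in this series already ships `ip-transparent: yes`, whose comment there says it exists so `interface:` addresses can be non-local; the unit should either say why freebind is still needed on top of that or point at the existing default. Suggested wording: `# fedora-defaults.conf already sets ip-transparent: yes; if binding a specific address still fails at boot, set ip-freebind: yes or add After=network-online.target (rhbz#2338429)`. Moving from `network-online.target` to `network.target` also means the daemon may now start before the network is up, which is harmless for the localhost-only default but changes ordering for anyone who had relied on it; a changelog line would help.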
@@ -0,0 +1,44 @@
+#!/usr/bin/bash
+
+check() {
+ require_binaries unbound unbound-checkconf unbound-control || return 1
+ # the module will be only included if explicitly required either
+ # by configuration or another module
+ return 255
+}
+
+depends() {
+ # because of pid file we need sysusers to create unbound user
+ echo systemd systemd-sysusers
+ return 0
+}
+
+install() {
+ # We have to make unbound wanted by network-online target to make sure
+ # there is a synchronization point when other services are able
+ # to make queries
+ inst_simple "$moddir"/unbound-initrd.conf /etc/systemd/system/unbound.service.d/unbound-initrd.conf
+
+ # /etc and /var/lib do not have its variables
+ inst_multiple -o \
+ "$systemdsystemunitdir"/unbound.service \
+ /etc/unbound/conf.d/remote-control.conf \
+ /etc/unbound/openssl-sha1.conf \
+ /usr/share/unbound/fedora-defaults.conf \
+ /usr/share/unbound/conf.d/*.conf \
+ /etc/unbound/local.d/*.conf \
+ /etc/unbound/keys.d/*.key \
+ /etc/unbound/unbound.conf \
+ /etc/unbound/unbound_control.key \
+ /etc/unbound/unbound_control.pem \
+ /etc/unbound/unbound_server.key \
+ /etc/unbound/unbound_server.pem \
+ "$sysusers"/unbound.conf \
+ "$tmpfilesdir"/unbound.conf \
+ /var/lib/unbound/root.key \
+ unbound \
+ unbound-checkconf \
+ unbound-control
+
+ $SYSTEMCTL -q --root "$initdir" enable unbound.service
+}
diff --git a/unbound-initrd.conf b/unbound-initrd.conf
new file mode 100644
index 0000000..7838b3d
--- /dev/null
+++ b/unbound-initrd.conf
@@ -0,0 +1,5 @@
+[Unit]
+Before=network-online.target
+
+[Install]
+WantedBy=network-online.target
diff --git a/unbound.spec b/unbound.spec
index b0803ee..3bb050c 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -68,6 +68,8 @@ Source24: unbound-local-root.conf
Source25: openssl-sha1.conf
Source26: remote-control-include.conf
Source27: fedora-defaults.conf
+Source28: module-setup.sh
+Source29: unbound-initrd.conf

# Downstream configuration changes
Patch1: unbound-fedora-config.patch
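Review bot: `inst_multiple` copies `/etc/unbound/unbound_control.key` and `/etc/unbound/unbound_server.key` into the initramfs, so the control channel's private keys end up inside an image whose location and mode are decided by dracut rather than by the permissions those files have under /etc/unbound; with the packaged `control-interface: "/run/unbound/control"` (a unix socket, for which this series' remote-control.conf says certificates are not used) they serve no purpose there. Drop the four `unbound_control.*`/`unbound_server.*` entries, or keep them only for a control interface bound to an IP address. Also, `$SYSTEMCTL -q --root "$initdir" enable unbound.service` is unconditional while `check()` returns 255, so the module is opt-in but once pulled in the resolver is always enabled in the initrd; a one-line comment stating that intent would save the next reader a trip to the dracut docs.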
@@ -200,6 +202,14 @@ Conflicts: python2-unbound < 1.9.3
 Python 3 modules and extensions for unbound
 %endif
 
+%package dracut
+Summary: Unbound dracut module
+Requires: dracut%{?_isa}
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description dracut
+Unbound dracut module allowing use of Unbound for name resolution
+in initramfs.
 
 %prep
 %if 0%{?fedora}
@@ -378,6 +388,11 @@ install -p -m 0644 %{SOURCE27} %{buildroot}%{_datadir}/%{name}/
 # Link unbound-control-setup.8 manpage to unbound-control.8
 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
 
+# install dracut module
+mkdir -p %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
+
+install -p -m 0755 %{SOURCE28} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
+install -p -m 0644 %{SOURCE29} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
 
 %pre libs
 %sysusers_create_compat %{SOURCE20}
@@ -503,5 +518,8 @@ popd
 %{_sbindir}/unbound-streamtcp
 %{_mandir}/man1/unbound-*
 
+%files dracut
+%{_prefix}/lib/dracut/modules.d/99unbound
+
 %changelog
 %autochangelog

From 70b71eee0d7b60ffea53379648af77d684f48df4 Mon Sep 17 00:00:00 2001
From: Tomas Korbar
Date: Sun, 2 Feb 2025 09:26:21 +0100
Subject: [PATCH 28/62] Enabled libsystemd and change unbound service type to notify-reload

"notify-reload" service type allows unbound to notify systemd not only about its readiness on startup but also about start and finish of reloading process.
---
 unbound.service | 2 +-
 unbound.spec | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/unbound.service b/unbound.service
index 86ada76..66a8a34 100644
--- a/unbound.service
+++ b/unbound.service
@@ -12,7 +12,7 @@ Before=nss-lookup.target
 Wants=nss-lookup.target
 
 [Service]
-Type=simple
+Type=notify-reload
 EnvironmentFile=-/etc/sysconfig/unbound
 ExecStartPre=/usr/sbin/unbound-checkconf
 ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
diff --git a/unbound.spec b/unbound.spec
index 3bb050c..d671a71 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -2,7 +2,7 @@
 %{?!with_python3: %global with_python3 1}
 %{?!with_munin: %global with_munin 1}
 %bcond_without dnstap
-%bcond_with systemd
+%bcond_without systemd
 %bcond_without doh
 %if 0%{?rhel} && ! 0%{?epel}
 %bcond_with redis

From 70853eb59e4dcd428ab7ca958d234996c9f006c4 Mon Sep 17 00:00:00 2001
From: Tomas Korbar
Date: Fri, 7 Feb 2025 13:00:10 +0100
Subject: [PATCH 29/62] Change service type to notify

notify-reload was a mistake. It unconditionally sends signal to service process additionally to executing ExecReload which does not make sense.
---
 unbound.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/unbound.service b/unbound.service
index 66a8a34..d476504 100644
--- a/unbound.service
+++ b/unbound.service
@@ -12,7 +12,7 @@ Before=nss-lookup.target
 Wants=nss-lookup.target
 
 [Service]
-Type=notify-reload
+Type=notify
 EnvironmentFile=-/etc/sysconfig/unbound
 ExecStartPre=/usr/sbin/unbound-checkconf
 ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS

From 7bf537562731e72de05a26b7ea7714ca7d4cd56f Mon Sep 17 00:00:00 2001
From: Tomas Korbar
Date: Mon, 10 Feb 2025 14:08:28 +0100
Subject: [PATCH 30/62] Add possibility to disable unbound-anchor by file presence

---
 tmpfiles-unbound.conf | 2 +-
 unbound-anchor.service | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/tmpfiles-unbound.conf b/tmpfiles-unbound.conf
index bb88f01..c09cc75 100644
--- a/tmpfiles-unbound.conf
+++ b/tmpfiles-unbound.conf
@@ -1 +1 @@
-D /run/unbound 0755 unbound unbound -
+D /run/unbound 0775 unbound root -
diff --git a/unbound-anchor.service b/unbound-anchor.service
index 59683c8..1116243 100644
--- a/unbound-anchor.service
+++ b/unbound-anchor.service
@@ -6,5 +6,5 @@ Documentation=man:unbound-anchor(8)
 Type=oneshot
 User=unbound
 EnvironmentFile=-/etc/sysconfig/unbound
-ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi'
+ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ] || [ -f /run/unbound/anchor-disable ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi'
 SuccessExitStatus=1

From 9e6c96e4debe3ed2f7c35c182dc3f33699294533 Mon Sep 17 00:00:00 2001
From: Tomas Korbar
Date: Mon, 10 Feb 2025 20:32:06 +0100
Subject: [PATCH 31/62] Fix ownership and mode record of rundir

Previous change introduced mode change and group change of rundir but it was not changed in files section, so fix that.
---
 unbound.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/unbound.spec b/unbound.spec
index d671a71..aa9ce44 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -438,7 +438,7 @@ popd
 %doc doc/CREDITS doc/FEATURES
 %{_unitdir}/%{name}.service
 %{_unitdir}/%{name}-keygen.service
-%attr(0755,unbound,unbound) %dir %{_rundir}/%{name}
+%attr(0775,unbound,root) %dir %{_rundir}/%{name}
 %attr(0644,root,root) %{_tmpfilesdir}/unbound.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/openssl-sha1.conf

From 553fad845fcef27d8ce3fde25ae6d77b11469898 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Tue, 11 Feb 2025 18:03:11 +0100
Subject: [PATCH 32/62] Drop call to %sysusers_create_compat

After https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers, rpm will handle account creation automatically.
---
 unbound.spec | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/unbound.spec b/unbound.spec
index aa9ce44..7d7a345 100644
--- a/unbound.spec
+++ b/unbound.spec
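Review bot: The new `[ -f /run/unbound/anchor-disable ]` branch lets any process that can write `/run/unbound` stop trust-anchor refresh without touching sysconfig, and the tmpfiles hunk of the same commit makes that directory `0775 unbound root`, i.e. the unbound service user itself plus root. If that is the intended audience (an admin script or the initramfs setup), say so next to the check, because a silently stale anchor is hard to diagnose later; the unit currently prints the same generic message for both disable paths. Suggest a distinct message for the file-based path, e.g. `echo "unbound-anchor disabled by /run/unbound/anchor-disable"`, and a one-line comment in tmpfiles-unbound.conf recording why group write on the run directory was needed.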
@@ -152,7 +152,6 @@ The devel package contains the unbound library and the include files
 %package libs
 Summary: Libraries used by the unbound server and client applications
 Recommends: %{name}-anchor
-%{?sysusers_requires_compat}
 %if ! 0%{with_python2}
 # Make explicit conflict with no longer provided python package
 Obsoletes: python2-unbound < 1.9.3
@@ -394,8 +393,6 @@ mkdir -p %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
 install -p -m 0755 %{SOURCE28} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
 install -p -m 0644 %{SOURCE29} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
 
-%pre libs
-%sysusers_create_compat %{SOURCE20}
 
 %post
 %systemd_post unbound.service

From 4235e612e401caa3250127544a885469f243df5c Mon Sep 17 00:00:00 2001
From: Python Maint
Date: Mon, 2 Jun 2025 20:47:35 +0200
Subject: [PATCH 33/62] Rebuilt for Python 3.14

From 82c9bae8100adedb366562fc57aa9df07b1a84c1 Mon Sep 17 00:00:00 2001
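Review bot: Removing `%{?sysusers_requires_compat}` and the `%pre libs` call makes account creation depend entirely on rpm's native sysusers.d handling, while the spec still carries `%if 0%{?rhel} && ! 0%{?epel}` branches (visible in the systemd bcond hunk earlier in this series), so a build for an rpm without that support would lay down the `%attr(0755,unbound,unbound)` directories with no `unbound` user present. If those targets are out of scope, a comment next to `Source20` such as `# account creation relies on rpm sysusers.d support; no %sysusers_create_compat fallback` records the decision; otherwise keep the compat call behind a version conditional.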
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Fri, 25 Apr 2025 14:23:35 +0200
Subject: [PATCH 34/62] Update to 1.23.0 (rhbz#2362019)

Features:
- Increase the default of max-global-quota to 200 from 128 after operational feedback. Still keeping the possible amplification factor (CAMP related issues) in the hundreds.
- Fix #1175: serve-expired does not adhere to secure-by-default principle. The default value of serve-expired-client-timeout is set to 1800 as suggested by RFC8767.
- For #1175, the default value of serve-expired-ttl is set to 86400 (1 day) as suggested by RFC8767.
- For #1207: [FR] Support for RESINFO RRType 261 (RFC9606), add LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT.
- Add resolver.arpa and service.arpa to the default locally served zones.
- Merge #1042: Fast Reload. The unbound-control fast_reload is added. It reads changed config in a thread, then only briefly pauses the service threads, that keep running. DNS service is only interrupted briefly, less than a second.
- Merge #1019: Redis read-only replica support. Introduces new 'redis-replica-*' options for the Redis cache backend.
- Merge #902: DNS Error Reporting (RFC 9567). Introduces new configuration option 'dns-error-reporting' and new statistics for 'num.dns_error_reports'.

And bug fixes.
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-23-0
---
 .gitignore | 2 ++
 sources | 4 ++--
 unbound.spec | 2 +-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/.gitignore b/.gitignore
index 31c5a81..0d774db 100644
--- a/.gitignore
+++ b/.gitignore
@@ -95,3 +95,5 @@ unbound-1.4.5.tar.gz
 /unbound-1.21.1.tar.gz.asc
 /unbound-1.22.0.tar.gz
 /unbound-1.22.0.tar.gz.asc
+/unbound-1.23.0.tar.gz
+/unbound-1.23.0.tar.gz.asc
diff --git a/sources b/sources
index 87f2b6b..bcc3609 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (unbound-1.22.0.tar.gz) = 6c873e19902ce6cd59cec7084d5dba1a5bd5fe4437c827ae69bdf9273bcd8d2d1ec0dc183076f8d2e1fd38730bf8c10852d678399f0b2ea8ccf7e39119568978
-SHA512 (unbound-1.22.0.tar.gz.asc) = afbf5a125f104a25576b1c416b32f68d715b41a025fc3a61e6ee3bc28f9988b4277c7f0dd188c51cbe5641f51ade20f740ea131d1a7b5db38e2d1462a9edbb69
+SHA512 (unbound-1.23.0.tar.gz) = 9b5ca48f4f5189f168f76396f5895f39262a4333e589f8c64bb9298a55c6266f626a4a4399370c68edd9f6318215a401146bf9e16a101c54decf623668a398af
+SHA512 (unbound-1.23.0.tar.gz.asc) = f69db33fe13813fbbeb7c6bfe9158d1475f6e1ba4014e11c33f18e276f6f9fa903318d2718d7864b8af1dd5e4c90ac59b8d31579600c7e08eedf71b07301a10c
diff --git a/unbound.spec b/unbound.spec
index 7d7a345..bc78d87 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -36,7 +36,7 @@
 
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.22.0
+Version: 1.23.0
 Release: %autorelease %{?extra_version:-e %{extra_version}}
 License: BSD-3-Clause
 Url: https://nlnetlabs.nl/projects/unbound/

From db5deb1acce8a0f1d06812510900d33330f5efec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Mon, 19 May 2025 11:22:49 +0200
Subject: [PATCH 35/62] Add wildcard into gitignore for new upstreams

---
 .gitignore | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.gitignore b/.gitignore
index 0d774db..9a43a25 100644
--- a/.gitignore
+++ b/.gitignore
@@ -97,3 +97,5 @@ unbound-1.4.5.tar.gz
 /unbound-1.22.0.tar.gz.asc
 /unbound-1.23.0.tar.gz
 /unbound-1.23.0.tar.gz.asc
+/unbound-1.*.tar.gz
+/unbound-1.*.tar.gz.asc

From 15a52378b59b3c7949d63a26352082faf6e2fd46 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Mon, 9 Jun 2025 16:20:27 +0200
Subject: [PATCH 36/62] Remove group access from unbound_server.key

It were ensured by the generation script, that the generated key would be readable just by the user. Since PR #1220 is the control channel key readable by group too, but make generated server key marked for the root only. Do not show in list of modified files.
---
 unbound.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/unbound.spec b/unbound.spec
index bc78d87..5d98a01 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -448,7 +448,7 @@ popd
 %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.pem
 %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.key
 %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.pem
-%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key
+%ghost %attr(0600,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key
 %{_sbindir}/unbound
 %{_sbindir}/unbound-checkconf
 %{_sbindir}/unbound-control

From e3be8477dd432a8c74e4e266b408b3b6123c6f68 Mon Sep 17 00:00:00 2001
From: Python Maint
Date: Tue, 10 Jun 2025 15:23:50 +0200
Subject: [PATCH 37/62] Rebuilt for Python 3.14

From a5499543e550d6a2b42ef33daf803be1c710c7b2 Mon Sep 17 00:00:00 2001
From: "psklenar@redhat.com"
Date: Mon, 9 Jun 2025 17:02:37 +0200
Subject: [PATCH 38/62] fedora CI plans move to gitlab for centos-stream test space

https://issues.redhat.com/browse/RHELMISC-13073
---
 plans/all.fmf | 2 +-
 plans/tier1-public.fmf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/plans/all.fmf b/plans/all.fmf
index cd001bd..538bd41 100644
--- a/plans/all.fmf
+++ b/plans/all.fmf
@@ -1,7 +1,7 @@
 summary: Test plan with all Fedora tests
 discover:
 how: fmf
- url: https://src.fedoraproject.org/tests/unbound.git
+ url: https://gitlab.com/redhat/centos-stream/tests/unbound.git
 
 execute:
 how: tmt
diff --git a/plans/tier1-public.fmf b/plans/tier1-public.fmf
index 10f167c..6ffbfd1 100644
--- a/plans/tier1-public.fmf
+++ b/plans/tier1-public.fmf
@@ -1,7 +1,7 @@
 summary: Public (Fedora) Tier1 beakerlib tests
 discover:
 how: fmf
- url: https://src.fedoraproject.org/tests/unbound.git
+ url: https://gitlab.com/redhat/centos-stream/tests/unbound.git
 filter: 'tier: 1'
 execute:
 how: tmt

From 2ae538e522cba7aeb0074cb58ad16897fafdd8e2 Mon Sep 17 00:00:00 2001
From: Tomas Korbar
Date: Thu, 17 Jul 2025 12:55:05 +0200
Subject: [PATCH 39/62] Update to 1.23.1 (rhbz#2380450)

https://github.com/NLnetLabs/unbound/releases/tag/release-1.23.1
This security release fixes the Rebirthday Attack CVE-2025-5994.
---
 .gitignore | 2 ++
 sources | 4 ++--
 unbound.spec | 2 +-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/.gitignore b/.gitignore
index 9a43a25..cec9517 100644
--- a/.gitignore
+++ b/.gitignore
@@ -97,5 +97,7 @@ unbound-1.4.5.tar.gz
 /unbound-1.22.0.tar.gz.asc
 /unbound-1.23.0.tar.gz
 /unbound-1.23.0.tar.gz.asc
+/unbound-1.23.1.tar.gz
+/unbound-1.23.1.tar.gz.asc
 /unbound-1.*.tar.gz
 /unbound-1.*.tar.gz.asc
diff --git a/sources b/sources
index bcc3609..aa34842 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (unbound-1.23.0.tar.gz) = 9b5ca48f4f5189f168f76396f5895f39262a4333e589f8c64bb9298a55c6266f626a4a4399370c68edd9f6318215a401146bf9e16a101c54decf623668a398af
-SHA512 (unbound-1.23.0.tar.gz.asc) = f69db33fe13813fbbeb7c6bfe9158d1475f6e1ba4014e11c33f18e276f6f9fa903318d2718d7864b8af1dd5e4c90ac59b8d31579600c7e08eedf71b07301a10c
+SHA512 (unbound-1.23.1.tar.gz) = b31858eb03fed1fb2aead03aa5b6f32476678067c28ff4816808cbdcae32591e36bee966b25c6b702e3fb51588ae467efab7934a24971193f1183edd5c561b7b
+SHA512 (unbound-1.23.1.tar.gz.asc) = b1cea2405e6d5fe5d3f37ae64598fd8490c04b001345e3f6b1ed02b6f8f940a3dc7c7af5a52053378cf23cbff3c4887ccd9b3fa440c1d0d5a3d43544fbe3e956
diff --git a/unbound.spec b/unbound.spec
index 5d98a01..df72cb2 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -36,7 +36,7 @@
 
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.23.0
+Version: 1.23.1
 Release: %autorelease %{?extra_version:-e %{extra_version}}
 License: BSD-3-Clause
 Url: https://nlnetlabs.nl/projects/unbound/

From 90c60fc7f873390b841aba4063387e09cf031be7 Mon Sep 17 00:00:00 2001
From: Fedora Release Engineering
Date: Fri, 25 Jul 2025 19:46:00 +0000
Subject: [PATCH 40/62] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild

From b28faf7eaad0f6384bae144f90e20e56fe868b44 Mon Sep 17 00:00:00 2001
From: Python Maint
Date: Fri, 15 Aug 2025 15:21:27 +0200
Subject: [PATCH 41/62] Rebuilt for Python 3.14.0rc2 bytecode

From 977179bbc7545c2a2a9da5801479d49cc2fa3381 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Wed, 2 Jul 2025 15:13:05 +0200
Subject: [PATCH 42/62] Make root.key maintained unmodified

Hide rpm -V unbound-libs changed file when unbound-anchor has done the change. Use %config for the symlink presence to protect it against unrelated package changes. It will reset root.key only when that file were modified.
Related: RHEL-64339
---
 unbound.spec | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/unbound.spec b/unbound.spec
index df72cb2..1272b21 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -495,10 +495,10 @@ popd
 %{_sysusersdir}/%{name}.conf
 %{_libdir}/libunbound.so.8*
 %dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
-%config(noreplace) %verify(not link user group) %{_sharedstatedir}/%{name}/root.key
+%config %verify(not link owner group size mtime mode md5) %{_sharedstatedir}/%{name}/root.key
 # just left for backwards compat with user changed unbound.conf files - format is different!
-%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
-%attr(0644,root,root) %config %{_sysconfdir}/%{name}/dnssec-root.key
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-root.key
 
 %files anchor
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}

From df6032978a05b9a12855a75c8d780abfc4598a22 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Wed, 2 Jul 2025 15:27:35 +0200
Subject: [PATCH 43/62] Add new DNSSEC root anchor 38696

---
 root.anchor | 1 +
 root.key | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/root.anchor b/root.anchor
index c78ee03..1559542 100644
--- a/root.anchor
+++ b/root.anchor
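Review bot: `%verify(not link owner group size mtime mode md5)` on `%{_sharedstatedir}/%{name}/root.key` turns off essentially every rpm -V check on the live trust anchor, so a modified or replaced anchor is no longer detectable through package verification; that is a reasonable trade for a file unbound-anchor rewrites, but the %files list should say so, e.g. `# maintained by unbound-anchor at runtime; rpm -V must not report its updates`. Dropping `noreplace` on the same line means an upgrade installs the packaged symlink over a modified root.key and keeps the live one as root.key.rpmsave, which is only safe while the packaged dnssec-root.key is current with the root KSK set; the same comment is the place to state that assumption.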
@@ -1 +1,2 @@
+. 172800 IN DNSKEY 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ;{id = 38696 (ksk), size = 2048b}
 . 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
diff --git a/root.key b/root.key
index 6c5622c..94d2e23 100644
--- a/root.key
+++ b/root.key
@@ -1,6 +1,6 @@
 ; // The root key in bind format. This can be read by most tools, including
 ; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this
 trusted-keys {
+"." 257 3 8 "AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc="; // key id = 38696
 "." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326
-
 };

From 1bfccbf959fbc5f73e3a23f024e0b313f0b48dcb Mon Sep 17 00:00:00 2001
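Review bot: Neither root.anchor nor root.key records how the new KSK (key id 38696) was verified before it was pasted in, so the next rollover cannot be reviewed the same way; a comment line in root.anchor naming the published source it was checked against (the IANA root trust-anchor file and its DS digest) would fix that. The identical DNSKEY string now lives in two files in this commit, and root.key is edited again by the commit that follows, so the comment should also say which copy is authoritative for the package.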
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Fri, 29 Aug 2025 12:18:39 +0200
Subject: [PATCH 44/62] Make even existing unbound_control.key readable by group

Make the permission change only when updating from version, where it were generated without group readable bit.
Related: RHEL-73862
---
 unbound.spec | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/unbound.spec b/unbound.spec
index 1272b21..a8aa282 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -420,6 +420,13 @@ fi
 %postun anchor
 %systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer
 
+%triggerun -- unbound < 1.23.1-4
+if [ "$(stat -c '%%a %%G' %{_sysconfdir}/%{name}/unbound_control.key 2>/dev/null)" = '600 unbound' ]; then
+# change permissions of existing key just once, where it were generated with wrong perms
+%{_bindir}/chmod g+r "%{_sysconfdir}/%{name}/unbound_control.key" || :
+fi
+
+
 %check
 export OPENSSL_CONF="%{buildroot}%{_sysconfdir}/unbound/openssl-sha1.conf"
 make check

From b2122945560534708dcd2ead9bf0c5599757252f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Fri, 29 Aug 2025 13:30:03 +0200
Subject: [PATCH 45/62] Deprecate /etc/unbound/root.key

That format has been obsoleted by bind and has minimal format verification. Use instead DNS format in dnssec-root.key or file maintained by unbound-anchor service.
---
 root.key | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/root.key b/root.key
index 94d2e23..848887d 100644
--- a/root.key
+++ b/root.key
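Review bot: The `%triggerun` widens read access on a private key (`unbound_control.key`) to the whole `unbound` group, but the inline comment only says the old permissions were "wrong"; anyone auditing key exposure later needs the reason, which the earlier commit in this series gives as upstream PR #1220 (unbound-control run by group members), and the contrast with `unbound_server.key` staying 0600. Suggest replacing the comment with `# unbound-control needs the control key readable by the unbound group (upstream PR #1220); only keys still at 0600 unbound, i.e. generated by older releases, are widened, and unbound_server.key stays 0600`. The exact-match on `'600 unbound'` also means a key an administrator deliberately restricted is indistinguishable from an old-default one, which the comment should acknowledge.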
@@ -1,5 +1,7 @@
-; // The root key in bind format. This can be read by most tools, including
-; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this
+# The root key in obsoleted bind format. This can be read by some tools, including
+# named, unbound, delv etc. For libunbound, use ub_ctx_trustedkeys() to load this
+# Prefer DNS format in /var/lib/unbound/root.key or /etc/unbound/dnssec-root.key,
+# ub_ctx_add_ta_file or trust-anchor-file: format
 trusted-keys {
 "." 257 3 8 "AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc="; // key id = 38696
 "." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326

From 54b50a3ae263d929947feaea29f3e44218d098e4 Mon Sep 17 00:00:00 2001
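Review bot: The header lines switch from `; //` to `#` in a file the new text itself says is still read by named, unbound and delv as a trusted-keys file; if any of those readers does not treat a leading `#` as a comment the anchor file stops parsing, so the change should be confirmed with `unbound-checkconf` and `named-checkconf` (or the commit message should say it was) rather than assumed. The deprecation text would also be the natural place to state that this copy is never refreshed by unbound-anchor, which the `%verify` hunk earlier in the series appears to reserve for `/var/lib/unbound/root.key` only.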
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Thu, 18 Sep 2025 16:22:44 +0200
Subject: [PATCH 46/62] Update 1.24.0 (rhbz#2396332)

Features:
- Increase default to num-queries-per-thread: 2048, when unbound is compiled with libevent.
- Merge #1276: Auto-configure '-slabs' values.
- Adjusted so-sndbuf default to 4m.
- Fix #1303: [FR] Disable TLSv1.2.
- unbound-control cache_lookup prints the cached rrsets and messages for those.
- unbound-control cache_lookup +t allows tld and root names. And subnet cache contents are printed.
- Fix #1319: [FR] zone status for Unbound auth-zones.

And bug fixes.
https://github.com/NLnetLabs/unbound/releases/tag/release-1.24.0
---
 sources | 4 ++--
 unbound.spec | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/sources b/sources
index aa34842..9339806 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (unbound-1.23.1.tar.gz) = b31858eb03fed1fb2aead03aa5b6f32476678067c28ff4816808cbdcae32591e36bee966b25c6b702e3fb51588ae467efab7934a24971193f1183edd5c561b7b
-SHA512 (unbound-1.23.1.tar.gz.asc) = b1cea2405e6d5fe5d3f37ae64598fd8490c04b001345e3f6b1ed02b6f8f940a3dc7c7af5a52053378cf23cbff3c4887ccd9b3fa440c1d0d5a3d43544fbe3e956
+SHA512 (unbound-1.24.0.tar.gz) = ca2adb421bb7ebf636d1442d684b5f43bf5db7c778d9ca159635b67212294bb499aa451b79f244acbea36106db7242ed1afb72fcf425fec57c0eff5f19866ae3
+SHA512 (unbound-1.24.0.tar.gz.asc) = 076c1b82c08c94950e0f364578270a0d1377e0d59197ef822552a6fb05fd01d5a3aa77e6b53c2d785720c30c10cd112eb737caeb7db6eb280752e98a1e8c9866
diff --git a/unbound.spec b/unbound.spec
index a8aa282..d66648e 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -36,7 +36,7 @@
 
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.23.1
+Version: 1.24.0
 Release: %autorelease %{?extra_version:-e %{extra_version}}
 License: BSD-3-Clause
 Url: https://nlnetlabs.nl/projects/unbound/

From 6484d5618ba899a8fd42e115024e21590695ea2c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Thu, 18 Sep 2025 16:20:28 +0200
Subject: [PATCH 47/62] Basic ngtcp2 support

Not yet enabled by default
---
 unbound.spec | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/unbound.spec b/unbound.spec
index d66648e..2c584c6 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -4,6 +4,7 @@
 %bcond_without dnstap
 %bcond_without systemd
 %bcond_without doh
+%bcond_with ngtcp2
 %if 0%{?rhel} && ! 0%{?epel}
 %bcond_with redis
 %else
@@ -111,6 +112,9 @@ BuildRequires: systemd-rpm-macros
 %else
 BuildRequires: systemd
 %endif
+%if %{with ngtcp2}
+BuildRequires: ngtcp2-devel
+%endif
 
 # Needed because /usr/sbin/unbound links unbound libs staticly
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@@ -281,6 +285,9 @@ autoreconf -fiv
 %if %{with redis}
 --with-libhiredis \
 --enable-cachedb \
+%endif
+%if %{with ngtcp2}
+--with-libngtcp2 \
 %endif
 %{configure_args}
 
@@ -296,6 +303,9 @@ pushd %{dir_secondary}
 %endif
 %if %{with systemd}
 --enable-systemd \
+%endif
+%if %{with ngtcp2}
+--with-libngtcp2 \
 %endif
 %{configure_args}
 

From 829c6a90cd845aceefeef8cc10d6629a64ff09f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Fri, 19 Sep 2025 10:19:04 +0200
Subject: [PATCH 48/62] Require only ngtcp ossl devel package and enable it

Enable it only conditionally on distributions with OpenSSL 3.5.0 present, avoid it elsewhere.
---
 unbound.spec | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/unbound.spec b/unbound.spec
index 2c584c6..76cb314 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -4,7 +4,9 @@
 %bcond_without dnstap
 %bcond_without systemd
 %bcond_without doh
-%bcond_with ngtcp2
+%if 0%{?rhel} >= 10 || 0%{?fedora} >= 43
+%bcond_without ngtcp2
+%endif
 %if 0%{?rhel} && ! 0%{?epel}
 %bcond_with redis
 %else
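Review bot: After this hunk `%bcond_without ngtcp2` exists only inside `%if 0%{?rhel} >= 10 || 0%{?fedora} >= 43`, so on every other target no bcond is declared at all: `%{with ngtcp2}` then quietly evaluates to 0 and `rpmbuild --with ngtcp2` cannot enable the QUIC build for testing. Adding an `%else` branch keeps the option addressable everywhere and makes the default explicit, i.e. `%if 0%{?rhel} >= 10 || 0%{?fedora} >= 43` / `%bcond_without ngtcp2` / `%else` / `%bcond_with ngtcp2` / `%endif`. A short comment naming the OpenSSL 3.5 dependency from the commit message next to the conditional would save the next reader a trip to git log.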
@@ -113,7 +115,7 @@ BuildRequires: systemd-rpm-macros
 BuildRequires: systemd
 %endif
 %if %{with ngtcp2}
-BuildRequires: ngtcp2-devel
+BuildRequires: ngtcp2-crypto-ossl-devel
 %endif
 
 # Needed because /usr/sbin/unbound links unbound libs staticly

From 7135b6ff2a3faa1a0bc92895b1f43e2d600ac36b Mon Sep 17 00:00:00 2001
From: Python Maint
Date: Fri, 19 Sep 2025 15:01:14 +0200
Subject: [PATCH 49/62] Rebuilt for Python 3.14.0rc3 bytecode

From 5a16ee63cc7e0c9c9bd1492f81e242ee03aadde1 Mon Sep 17 00:00:00 2001
From: Jens Kuehnel
Date: Sun, 5 Oct 2025 01:08:31 +0200
Subject: [PATCH 50/62] allow parameters from fedora-defaults to be overwritten (rhzb#2401608)

---
 unbound-fedora-config.patch | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch
index be28920..da88960 100644
--- a/unbound-fedora-config.patch
+++ b/unbound-fedora-config.patch
@@ -14,6 +14,16 @@ diff --git a/doc/example.conf.in b/doc/example.conf.in
 index 59090c6..3a86809 100644
 --- a/doc/example.conf.in
 +++ b/doc/example.conf.in
+@@ -8,6 +8,9 @@
+ # Use this anywhere in the file to include other text into this file.
+ #include: "otherfile.conf"
+ 
++# Default Fedora settings
++include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf"
++
+ # Use this anywhere in the file to include other text, that explicitly starts a
+ # clause, into this file. Text after this directive needs to start a clause.
+ #include-toplevel: "otherfile.conf"
 @@ -51,11 +51,19 @@ server:
  # specify 0.0.0.0 and ::0 to bind to all available interfaces.
  # specify every interface[@port] on a new 'interface:' labelled line.
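Review bot: The added `include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf"` now sits before any clause in example.conf.in, so fedora-defaults.conf must open its own `server:` clause (the surrounding upstream comment says text after a top-level include has to start a clause) and, by design of rhzb#2401608, anything the user writes later in unbound.conf overrides what it sets, including any hardening options it carries. That is easy to miss when reading fedora-defaults.conf on its own; a header comment there such as `# included first from unbound.conf: these are defaults and any later server: setting overrides them` would make the precedence explicit. Whether the file already starts with a clause is not visible in this hunk and should be checked with unbound-checkconf.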
@@ -73,13 +83,10 @@ index 59090c6..3a86809 100644
  # tls-port: 853
  # https-port: 443
  # quic-port: 853
-@@ -1166,6 +1181,12 @@ remote-control:
+@@ -1166,6 +1181,9 @@ remote-control:
  # unbound-control certificate file.
  # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
- 
-+# Default Fedora settings
-+include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf"
-+
+
 +# Stub and Forward zones
 +include: "@sysconfdir@/unbound/conf.d/*.conf"
 +

From 4f4dfb2fcb4226902ab2aa9c5a6c00a0550d3071 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Thu, 2 Oct 2025 18:02:42 +0200
Subject: [PATCH 51/62] Create root key if missing automatically

Prepare tmpfiles.d script for creating /var/lib/unbound in case it is missing. Prepare link to root.key also.
Related: RHEL-118375
---
 tmpfiles-unbound-libs.conf | 2 ++
 unbound.spec | 11 +++++++----
 2 files changed, 9 insertions(+), 4 deletions(-)
 create mode 100644 tmpfiles-unbound-libs.conf

diff --git a/tmpfiles-unbound-libs.conf b/tmpfiles-unbound-libs.conf
new file mode 100644
index 0000000..d71ea46
--- /dev/null
+++ b/tmpfiles-unbound-libs.conf
@@ -0,0 +1,2 @@
+d /var/lib/unbound 0755 unbound unbound -
+L /var/lib/unbound/root.key - - - - ../../../etc/unbound/dnssec-root.key
diff --git a/unbound.spec b/unbound.spec
index 76cb314..3b7ffeb 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -73,6 +73,7 @@ Source26: remote-control-include.conf
 Source27: fedora-defaults.conf
 Source28: module-setup.sh
 Source29: unbound-initrd.conf
+Source30: tmpfiles-unbound-libs.conf
 
 # Downstream configuration changes
 Patch1: unbound-fedora-config.patch
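Review bot: The `L` entry in tmpfiles-unbound-libs.conf creates the root.key symlink only when the path is absent (`L+` would replace whatever is there), so a root.key that unbound-anchor has already rewritten survives every boot; that is the right choice for a trust anchor but invisible to the next reader, and a comment line `# L, not L+: never replace a root.key that unbound-anchor has updated` would pin it. The `d` entry also re-applies `0755 unbound unbound` to an existing `/var/lib/unbound` at boot, so any manual tightening of that directory is silently reverted; that is worth a second comment line so it is not mistaken for a bug later. The spec hunk in the same commit only registers `Source30`; the install and %files entries are in the hunks that follow.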
@@ -350,17 +351,18 @@ done
 %endif
 
 # install streamtcp man page
-install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
-install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc
+install -p -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
+install -p -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc
 
 # Install tmpfiles.d config
 install -d -m 0755 %{buildroot}%{_tmpfilesdir} %{buildroot}%{_sharedstatedir}/unbound
-install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf
+install -p -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf
+install -p -m 0644 %{SOURCE30} %{buildroot}%{_tmpfilesdir}/unbound-libs.conf
 
 # install root - we keep a copy of the root key in old location,
 # in case user has changed the configuration and we wouldn't update it there
 install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/
-install -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/unbound/dnssec-root.key
+install -p -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/unbound/dnssec-root.key
 # make initial key static
 pushd %{buildroot}%{_sharedstatedir}/unbound
 KEYPATH=$(realpath --relative-to="%{buildroot}%{_sharedstatedir}/unbound" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key")
@@ -518,6 +520,7 @@ popd
 # just left for backwards compat with user changed unbound.conf files - format is different!
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-root.key
+%attr(0644,root,root) %{_tmpfilesdir}/unbound-libs.conf
 
 %files anchor
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}

From dc162ef64715726ad7819af5bad1f2cb2c6d26b6 Mon Sep 17 00:00:00 2001
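Review bot: `install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/` is the one install in this hunk that did not gain `-p`, so the shipped `/etc/unbound/root.key` carries a build-time mtime while every neighbouring file now preserves the source timestamp; for consistency make it `install -p -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/`. The rest of the hunk only adds `-p` and the `%{SOURCE30}` tmpfiles install, so this is a style point rather than a defect.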
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Fri, 24 Oct 2025 18:10:12 +0200
Subject: [PATCH 52/62] Update to 1.24.1 (rhbz#2405698)

Fix CVE-2025-11411 (possible domain hijacking attack), reported by Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan from Tsinghua University.
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-24-1
---
 Yorgos.asc | 122 +++++++++++++++++++++++++--------------------------
 sources | 4 +-
 unbound.spec | 3 +-
 3 files changed, 65 insertions(+), 64 deletions(-)

diff --git a/Yorgos.asc b/Yorgos.asc
index e18ec55..8d0008d 100644
--- a/Yorgos.asc
+++ b/Yorgos.asc
@@ -13,31 +13,31 @@ S9TpYmjMwURbuYm+rWZk/8w5OJG60V3wax56c0jn/42O3Y2hzQ+PbOv2M4UuuajS g3LssVS2bKy5g3IhrzCKAk0Sky4S5t/mcN+lWztNvCijuLz58GCym5GwJQARAQAB tCtZb3Jnb3MgVGhlc3NhbG9uaWtlZnMgPHlvcmdvc0BubG5ldGxhYnMubmw+iQJX BBMBCABBAhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAhkBFiEElI60IyLF0At5 -NA9dz/M0TZCHpJAFAmbz0CwFCRD85cYACgkQz/M0TZCHpJBVnhAAkcd79Twxj/tt -C4q2Xpq75+Ew6YR9gLqYiV5vEd6fu0oyhuVoUlfTkjH4ALIoGIKaO9yAVUXsrGrs -n1aJPo1Mw3q6mIwtQOxXz/W44LuFzcvZkHtCYX4YyLrUHXZPvl+r4eYkTOcyyQMU -BmbuvWhufv8MBilvWltQLxfLlgihbfuIrxqjAYDhqCffpgUiZyCut2rrenIgeh1f -DvC+GjZ3cfb1UsIpzm19yr4NCiTHkLkCOAAcAUFwWWeO/jfUsSvFQEHUnYNRREzI -Lth9NlKwPtsOVi+wcNnWQtFQb11BMr407xBib7hLSIFiqvOiYgQABjZdWN+snCRP -ZZSruigjE9ateOloJwmBqrSJLAywxvDE0ivqfSj51W5eJc/JLSXvjrOuW28dJCr8 -RV9PjC9X7zuTiFLzV8SVH71Z43Rix8n7AOp3wgRe3SygEyQXPj4qbm5HHVsx9GEA -zn495L99dJ4wZgjkbEsGhzwUx7N9FHEGS/sz3LiEq+ZYckR6gzTMMrQJgbsS9lnK -9xlXsp37uIYvx9W9JZXtS+AZhw0q3osMYBF68HPX8B9GBYlkQWmWSIMfzRYcD2n1 -5+XsfERK4mxcTWl2sCYpt8Sy3tADj9nQDabAlGUd/hlFS1dvDVQjGh6ER5S0nZjY -nmRsLl8nOTKhb2xY+2p1sDjxxQYJJQe0K0dlb3JnZSBUaGVzc2Fsb25pa2VmcyA8 +NA9dz/M0TZCHpJAFAmjWhkcFCRLfm+EACgkQz/M0TZCHpJANXhAAvTpKNl5+kU1d +lcFrXx4pgi/knhe0y1Z+ENQWVDYTs9v+lMoyCRQuAt1Cir1LAGWfRBdTQh60I6Dc +BDj+15pFJCv/dyZiQLPUgxLtIxkwIUSjELp8JevNHhGMNz7QWdG4SEpG2aF/D2Zz +kvaoomPGjRyo/bkgR2la6eqrCOxYVP+FT7682yf0bCvSTs1kTrnwFY93s7O2RciI +MS0XWcHPtoi96JxhzUIT+v0gSFuitZhRGPh9pyIcHmRER1yKugvMp6xF5UjNIcfL +ScrNlGXgjc6EJiGXS5CHliIlxlAxs4J1T9JiGQZOAW/CPxe4IND34DhqwvQcJdtL +8jt1b2xUcuFfYNa3SY671OnLt3EhwMsYDaSIXrPqW8R6XuaSxhb4sL/okHkb833b +CgaWvjQZgRm1h0R2IY5C3kHotsLUd2fygrtVVvaLxGEoi9UBsKoLu2kHEJnV5HJO +jfJMBBGgGFscfk3p1v4SAA30xPR7i6O2KDmFsVzL6xKbnFMMmayEVfWzGXmxB7lv +ob6HrJIvVH6mx64OsAY0LQI6abQI3TTZn13+RNxuATQS+j0tqbZvVJtWFw41eqsU +OqeNF9W323uvhJcjDyYquAREIivFXkzxa9y3rgQfB9OX9usD79aij4y/YLqZxafl +InYUlMGygNOGXruFRZ7DD6zciK2Zu7W0K0dlb3JnZSBUaGVzc2Fsb25pa2VmcyA8 Z2VvcmdlQG5sbmV0bGFicy5ubD6JAlQEEwEIAD4CGyMFCwkIBwIGFQgJCgsCBBYC -AwECHgECF4AWIQSUjrQjIsXQC3k0D13P8zRNkIekkAUCZvPQPQUJEPzlxgAKCRDP 
-8zRNkIekkFfCEACheY1yr2Z+LPjm/Nd2eA4CFFO7nUQHI+a6lYBd57txrRuIicuG -pGjOhnvcioRwICiKNLJD3YTU+WOd+sbO7BXH2sw2KdU9NK1ojKX/SQiTg6upfJsu -gbgar2oPvR88B7oSiuonZnhEf72HfWKDSBXHpi6KC6S3JZ+o50NB3GBpwUL1lfKW -ovymYbN6tYQfqw/+AP5jUUNpkclC0RbcW69rpvrHHqeQV1AVKkm/jNQpWLKYTGF7 -bbdLkgMh3rHp8gmF0/GuK+oyL7xD+TEXfr3iqlDIVuxbxDN8xTti1RrERU/MWQar -qOSFZcr4t+nlwThJidDLF/u3h0Ymrjz92VTfCgELIwCKxGX7jAyLZHzuWAp+0Pr/ -yuHodbweGNcGVoXmIpK93/WZcfFlBcyQLECVcijmxd7Euk0xDk76RQpuuL5VOWqn -aZcf2uNfppwKFZJjcXwK+EQbwN7+RFNvLrwoRn/1xM57T5AYBAgSvKb6h0G5KwW6 -tJfJdSu1MHfCZS1hH1Gr4+UG+VbLCVmQ9N/lUs0bcD7pK+bA1W0YnsIVuaQ+YZUh -KrJoCUF0kVDtW9ETZkp0iVBm1Q9xgTGaxUTVmctOyAbdCLyHNra4fo1BAdGlu+IP -qAcktaBUKFxWxRxf9O5kGihce9anK8CJ/TCnQ7wSvyYrlAoBoQaS78VzYYkBHAQS +AwECHgECF4AWIQSUjrQjIsXQC3k0D13P8zRNkIekkAUCaNaGWAUJEt+b4QAKCRDP +8zRNkIekkKovEACQkeEImQeer9jsY066WyIpvrhcy6xtWjeW8v1ZasRoi+DOFWeA +18O5iD34UaIPPGFRu6PRdSMLdUqtelFgONVDnXEuqOGAptMcCI4wp4+NIFd00v0J +9A9ur7xWt0Q0O1fMjFOMPa5oQK9dg1MCI0/RWRObOPf3cIr2NhgWwBuKTCluKyFc +mnRQXwyxBGCBRvK5zKmA8BBlnHuPfunTAcduNSExUx3e0w5BD5lcG4YeyuR+IRcY +HJPGU20f634dDSJGKJvGxjpaCxGQNca6s8Mpkq3lm/D3Ia4Vpw/HdiSawv/U71S/ +4F6lctMjvoS73Ao9DZ4iDPqkHJ73HidNp7n25SLnXKruZsnXitjYT8ueP7byeLPi +7IvqoENXoXNqNfDuXfqri/WnHPYWbKIdj5WWFeaR3Ws+szw3Wql7mJ1cNFWbNCE7 +rGFPhSNyG3n6mlEBUKUYn8FuOF9PHwwWl86GHLI6O4xOIohESyrZrq2mJS61sSq6 +AAQ7cqx6UMNJdBcgB5Ry7qRUF6ZmowZZu3aWFF4dW+LwMvuaFjKzShsKzj8GCE0B +pQDjy+IeWM2mBVneuCicWwvbSzVWx+Ow42QRvmH8Ja9PqoIYeJQUiMr1+aAG6kUK +3VW4iugsu3/oFIlFrkYZy9YEfCOEMgqRKL/cuBJTZt0OPFRE/9O/M/FVmIkBHAQS AQIABgUCV9kUOAAKCRAwkY2CdXJCIju1B/oCvf1kWYndNeLS6U2O6DtFAL2Ia5tY Zukcyqb1hkYcrBiMZbQN94gX5a+6Q4pdd2n241r1ZuSWdwUhRUbF4mvbZMVsavnk cvrRGviVIUXf71W0O/IsmQ9oN0Finhpf14Y4z/xqF8DpvJdkWc6X5g+RJuko6q2w 
@@ -58,18 +58,18 @@ BmQpPk0ubYclwb07FcegaHSxxIqUo/kbyt1YV5mU+QVymZ+xyvIBrnW8hBuNWRvU TJaDBSgvxUtY0Ci+OWX38kffGGvhW3CM8V6skdVc8cp7Db7gxase4BxxtC5HZW9y Z2UgVGhlc3NhbG9uaWtlZnMgPGdlb3JnZUBvcGVubmV0bGFicy5jb20+iQJUBBMB CAA+AhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEElI60IyLF0At5NA9dz/M0 -TZCHpJAFAmbz0D0FCRD85cYACgkQz/M0TZCHpJBnFw/8CRLGJnNAP43mBniIP5R1 -/10i4xG5s1Ka/y5C3aRgZUNaGMPLF8VmrC26HTPNhmduhn3j9gnBuSHgRAJUWs2K -o1q0A2/O5fFJvqPyEUl30gG8qkzFl5UGRUr7VNtBa6VpI7g78d3P4/H8THB0tYZ3 -GZv980QXwTE11aXjvPQu4e8sMOR1OVEEH+6hW1T0SvEKAMV1BHwuZAmC6HTfx5e7 -iGNWu/dwJsmwzqcAkuTTSqlmzZdIjZWJDL8pfnschkVilC3pEpEk5ExSkt/onOD2 -WCAKJUiPR6gRI2H6fE0PF8iG9isisvNhQ3MrWUIKS+1WOotoG7Bu7ob46viJKQuN -9t7KBqjdftjJHjmVop3mfX0UUEDPjkZXK5R/aUspXi4IGdM+9JijqxveicQegOhM -LcE8039Z0AaXn9IA0kQB05A4a+CEnoPL7qe+fIBJM5hZDrpMe4fAAGxiQzbRpdkZ -CrXmT+CRkhc/BvUJ5yoE1q++9Fw9eyMbPOak6GLckCIPy+Mqi4z+ZXNCtcPs3Qbc -/7AY8qyswRsD2t5bbe4g+fLEt9IsN3UvKFUKnQ88jcn9Zmps69msMDm9jEj/qo+j -QCriLLu8E1ZwhedNVOQN89w4Zww/BUyEnL4hng8Tw+RTV8Jtq5EvAleW5sZsnTzA -zn1ysZUyO/Pu7Br2jnGRAQyJARwEEgECAAYFAlfZFDwACgkQMJGNgnVyQiIHjAf/ +TZCHpJAFAmjWhlgFCRLfm+EACgkQz/M0TZCHpJCWag/+MJOLW1tBNPA9sBcjl9V4 +Cjc2TIR/r8RRGv5lstVXlXc5T4SR48UvQTxaUU+KJia5POsaAsw9yk7Zz4r7ul0D +Vd9tzHCcwxl46e0Kwn2VGBMHThsWC7QDuK7b+4AlxeO4EDWRPPw4BCB7aTxJzA3N +O4qpEF4TVeb97uyNQr2YaTGUzSI58vCgXgeOpH9ivomQi1nCxZbdrFh2yKJ+H4EH +gI8+D9iSnJMI16RS1dE7Pa85IG+qPd3owAbOlc+tBsSvdbFdRufQZeiNGKfQno1E +oygZt8svcuKpGAG1flzpPu5LE9oMsIDia9hcn4YFqr80F5bW1rUvFeC0rYp9/0ui +6lo34PAhEieB8XzjbpDDEnlkziRoz2YNVJmZOWrCAMI1bUFI5/+YWuJTXCGF62dE +dO7aBWoUkchkGGSGKbPW9KYdmqMdfOeuqZRBhKs8bgHIArJ+kvglhCJr/qNX5T8p +oCHE5bnEwFxnH2Q6a2ffpMpOExGvPaoAWlym/ID/MMet0riZ2izFUdmjEkA0HUaa +7h5x1dKMhHzYDXOW8Ksx9vE24gLrjfqfvIiYpErn+SVs0KUqkR0BRWLRYjyq/Bj/ +btTQXcDeYpQj4tL2cX3Eosqaoy5NDGCK4yqWOxENOJ/YcO5dTPJDNsHlc2JSdejz +a4g8AHFlkpPn0tlflbuE7q6JARwEEgECAAYFAlfZFDwACgkQMJGNgnVyQiIHjAf/ VrPMgIRjRTYi4cxOr5ewaim1hgJZO1oCJoMopwIvpZ2kAUqL/uPMT3wREe5bi79H jXYcaX+RbrV4ZdzaajDUFCj867KGErxqtRkANJ1eNLcQmVwGNoFeTQbgEOBfKq1t 
hRfMqHF3fxCPJp4z4U3kBPUpIQPERjgUdkH8fxZ34Omo1SLO1b0dVqsneezccBVv 
@@ -89,18 +89,18 @@ Ix1q//q2VmxqjjT3Iv30hBRX02x2M8gsP/e49XWEll7stkMtbYhBU0sHQ2CqzLGh gJN3ecpi2sKWVqN8HUZOwJFj6f9ZX76YSM23wIugHfscMAVJUXvBrbd151WIshOf FFPo62sYGt+SEMXWeRcHjbQuWW9yZ29zIFRoZXNzYWxvbmlrZWZzIDx5b3Jnb3NA b3Blbm5ldGxhYnMuY29tPokCVAQTAQgAPgIbIwULCQgHAgYVCAkKCwIEFgIDAQIe -AQIXgBYhBJSOtCMixdALeTQPXc/zNE2Qh6SQBQJm89A9BQkQ/OXGAAoJEM/zNE2Q -h6SQOf4QAIp5fEn+vVOqDuLrv8Li61UDVPE3v5b9ocPR7OMENeFpRH7K2p8xFkAM -f6JeS2ehbIjyUS8iGc+mZOalvZynJdOiHtys5r4lZanm1Rl+mWXb+nHGE/Oi4gQ3 -aEF/AwolbKi9oNXAiCtA3hmaI6FYWtAh5XOnyMG140dhlXMWzvN1ZAWXWioS33Fp -n9Z7xOsyG2Bmky69JjUQPD119noD4pEFtCipciiACVNdHGfI8QDT/8pMAxv/Q7tW -+7gyFztT1XvKONWyCfHjf1x60JQNPPM31x3xUVRz/sK+GyLq6VLiydvSZeUX3CzM -4bHixKKkSyvsX+bc9K/iLrXwZFhRdrRbpVQFpsdxv48mN5WsDlpN17KgMCyNiMDV -0VagYjZC5AurOo2mmS7PKAYGILaq3YwQ3nXYiuWfdXVW6EXtw/vdFOjFU6ppbaA3 -1+xyMDOLSGLr7f+gdZvlEc+5MX1F3mHpmuKN7clUju/HEOdVq1Bbla7BplPgqCaH -ZYCg/VHNt7ue7MYeEgTJ8OGgUDRNPa3PdU3YHRCuwJH1UzinD39K8R9/g9qiGJbC -87//1FGZp9lhIE5tja6F5pJ5GwJK9zC0iGj2NrwBvTKhuyF6W3ZQc2voYQn+gIq4 -sfbned7qpvpjLcMgIv/y82iVm2EtKtKYl982aA9S53pHqjV27kieuQINBFfYHeYB +AQIXgBYhBJSOtCMixdALeTQPXc/zNE2Qh6SQBQJo1oZYBQkS35vhAAoJEM/zNE2Q +h6SQjBkP/0IvctNT9T+DtGZyMiw/Jna9G3QhtW7exhlxzqqX3tFmZpaJj3VswyqA +5hx5BdJEShC8qNEqrBCHxcCZgsLvR3GKc/0LTgP7+7VH/ugAScrlVeI8rB6V1jn5 +cnfY5fsfOQ8i0b/8C+CiEe0TW90VRHjYV6DWMdUfqQb3E/snl23RMFeTL0Qrrk8H +Lo3MTko7TeKRYOV/g/qQkb9CFQZNyzgIjD7uZi8or8qFJ/uZTnlBq5/NRDB5Z3ew +7WXc3QrRUXmbbDzdnIeCtu5vmuk+hc69gbOst9nWf3y2qlK7BjZqT+PqKZa/fa/i +5pZpv1hB8DrA2WTIpN7iXhCvABXSEoUOJaLkRSJVDqzvuaeqOEPrk1aJSMWoio/w +8RRa1L7k6m81Dc0dqYbBOSI4MCNm8ZawQI2L4qRs5QORg4nRnAevFgkzhJKFYF2N +jzX/2xlAuOym126DODC9qJSJZR7uTOJXh0yqknfkPgDXjchpzq+Q+CM+jYo6AGas +/XPAuRQCQaLSYr9UPL7Fn62//ysZQAyAkJQR1u7UwAd6/UTTMVZpUJsLQyMyikF7 +UT4K7MWrvkZxMRPhGan0P2pRe36M9BBjYRTp0TIr+UjUT8iBfjdrttI9DQlkcEeQ +rKhcE31KqjwJMdiuzbpqqXaEss9AFuJng3Owewt4wAft3eu1U7PWuQINBFfYHeYB EAC2h9yjSe2SgtcB0H+E0ndaewaZaQCE7q+RO43dotGH9eFnVwE4/ftcK1SN42ih lF5OnTaKPyXvgQ6U8W8VB8eLjeTwA/dSXuJX7kJpEK8saPqJP6zTUmPqp/GSzS6Y 
rhKLfpFn4chmywpDFcGNMz0sYXiJgPqKL7W0KuG+ziPToAeWl8ckeXyl77/lHVhW @@ -112,17 +112,17 @@ GFxr4xBiyMX1JLCKK6OFnyPfoJ9v/o3UgrQgLrfXCmKdvkwBCgJvN3Fsxzha6Dtf hmQBxPvXxI2ERmKRomo6lrMaDMzIjD4APSM1vUfZguzQxVYpM8lwy1COeqxsj5p+ LH6f/EU+4dXZwooJ1uanBOvG2ntnz8SErE+e7wNYE4a/fb8xYM4j7p6qYtnNZPb8 sj8bvx8iWXp4A1csVetyVSchBhTVQhhNos6ouYpc4ibrYwARAQABiQI8BBgBCAAm -AhsMFiEElI60IyLF0At5NA9dz/M0TZCHpJAFAmbz0dUFCRD8528ACgkQz/M0TZCH -pJA7hg/7Bh0jb7nrp2EuU4BWK55VG+3zbrye/NdDy6eo3sVVOOO1r+jBMoJK3m1A -GWUx40ogZjRn8GMtJfxkL6wsep2P775smm7x1TH6s2dgreTj9J66gitKEgxF0tjo -JztmGJ8YKSGE4wKi37KvvSqCm1ecA8akBzJVo0B8/GtXpg+y/q3/KSY1ujW7Ihu3 -60JXT1FRXOiYfrzUKIBm8/UVnv7guPudaJf0eU4btoy4Ywzn1UXyi8BdxPIQrQDR -tt69ffcjX8BIEloK7FURLre/LhbVxlssdWYIEFQhIlb+nghZlUbWHf0Ue3L0SFFS -xV5otzQL2WjJKtCnTpSopSUmwYyT7wyAL1RokOemXL47WOfiLjiGuS+K/4lT7VHS -fdLsYinS0LYr5dmhc05s//kLyQ0OSKNh3SNAN+lM/klLE/pFwM4mo56C+seNEvCm -sT53VPOOwp6JwsLKSqm8pu1fbVjT6laMc9BPi6KUjN/f7ZahCXNXOrA2uLnTlxw/ -ns1sOXSWZDWciZeL3kJeUQER5YZ59hzLYWAiJ+5KblWRlBMXb71FUp0Mh9V3dA5O -BX3IlcF54qE50chGzLnfQf1YLuh13xxxc2WsdMZjiCj8CVDMkD6ekShfQK8nyQsK -SJgdXcnw1CxcAVvsROtecUiD+DWrJcYExjSZ+zcI4+aRhp7uNt8= -=iknu +AhsMFiEElI60IyLF0At5NA9dz/M0TZCHpJAFAmjWhoAFCRLfnBoACgkQz/M0TZCH +pJA4sA/7BZrP4nwWF1eQVliMWJ1KKG+sHizK4c+ZiB67aFJw4pLDCL5o6unOWH8V +ocr1pWC/BMmLG4K77O2qadhUH7mzXm/ddZ/DVF3xHTvTmG1W1bLd6zj3k6qOFYq8 +yPS2QNTa3+3oNbtZQ+RpvhCAmv2Dc1GMPNP2hKR/Ju9r9NwGWBEDQBtiMZ7872QJ +yR3IFyfQGRvj+GBbEBvJwCFmaRb3eDorhaNhM0b0c/RbIueEWD40nkCUtmM4Zrc1 +0HLod8Li8C4j8sIqIdfTKo1RiJUUg86q1K3pGA86hoOzeaihZekcm6wMwGlhXymb +Ng41yB/ZTedl9wk+XEEcD6HZMCXyfh55hBdWG06aEhMIALjOCj2VkRnDLmOKLgDZ +kg7OOQxDfKACCCvk72HZG3qKtaN9oNH1oeaVwc3ytWR8y2hQJcCxmoQsLn+Xvkgc +aYRNklPW2z8817J3fmvvwS0o6sOWRHLb0XAc+NZg4lEQOgwVFrE0XIAgkXHLQbuQ +GRpRzRncHX95RXMzGb1+8kpWEcM7gazgUA3omoAumwNEqmeBX1TmEtDop1k5RFCS +UWbv+A2s2GSAb05MHY0InIhMxzJXEa5+dJDPSvZnbiGRGhQitEe4eIlmPcNA1lB+ +ADFE2UTzcpRTo5cOKfrXyZXr6JCEl2+tB3o5m0v7FRdr6+zIS5g= +=Ubkv -----END PGP PUBLIC KEY BLOCK----- 
diff --git a/sources b/sources index 9339806..d2b95bf 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (unbound-1.24.0.tar.gz) = ca2adb421bb7ebf636d1442d684b5f43bf5db7c778d9ca159635b67212294bb499aa451b79f244acbea36106db7242ed1afb72fcf425fec57c0eff5f19866ae3 -SHA512 (unbound-1.24.0.tar.gz.asc) = 076c1b82c08c94950e0f364578270a0d1377e0d59197ef822552a6fb05fd01d5a3aa77e6b53c2d785720c30c10cd112eb737caeb7db6eb280752e98a1e8c9866 +SHA512 (unbound-1.24.1.tar.gz) = 0332053ff6b2a2b6743fe33460950780a26e2cad236d21a9219e7b1a04576a9887342d59bc244c02c405e93812168175bc3dbe5481a201296899e77cbd201ea5 +SHA512 (unbound-1.24.1.tar.gz.asc) = 64f7baa0af069093f2d2a52d00fa41c26dd3a4a8eb39fbf90ae7355725121583f7dcd79257c064fa13d05f7bb0c602fe30104859a41164a81664cd4c1e275f30 diff --git a/unbound.spec b/unbound.spec index 3b7ffeb..2fcb22a 100644 --- a/unbound.spec +++ b/unbound.spec @@ -39,7 +39,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.24.0 +Version: 1.24.1 Release: %autorelease %{?extra_version:-e %{extra_version}} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ @@ -219,6 +219,7 @@ in initramfs. %prep %if 0%{?fedora} +%{gpgverify} --keyring='%{SOURCE22}' --signature='%{SOURCE18}' --data='%{SOURCE0}' || \ %{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}' %endif %global pkgname %{name}-%{version}%{?extra_version} From 7dd805b7438744b1499050da3b33923ea47b3389 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Fri, 24 Oct 2025 20:23:03 +0200 Subject: [PATCH 53/62] Fix failure with SWIG 4.4.0 (rhbz#2405293) https://github.com/NLnetLabs/unbound/pull/1365 --- unbound-1.24-swig-function.patch | 26 ++++++++++++++++++++++++++ unbound.spec | 2 ++ 2 files changed, 28 insertions(+) create mode 100644 unbound-1.24-swig-function.patch diff --git a/unbound-1.24-swig-function.patch b/unbound-1.24-swig-function.patch new file mode 100644 index 0000000..3257766 --- /dev/null 
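Review bot: The added `%{gpgverify}` line in the `@@ -219,6 +219,7 @@` hunk gives no hint why two keyrings are tried, and because it is chained with `|| \` any failure of the first invocation (a missing keyring file as much as a signature mismatch) is silently retried against `%{SOURCE19}`, so every release signed by the other key will leave a gpg failure in the build log. A comment such as `# releases may be signed with either keyring (SOURCE22 or SOURCE19); accept either` above the first line would document the intent. If a given release is only ever signed by one of the two keys, importing both into a single keyring passed once to `%{gpgverify}` would avoid the spurious first failure and make the log show which key matched.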
+++ b/unbound-1.24-swig-function.patch @@ -0,0 +1,26 @@ +From 0fc825def2f812af70189a01b0fe66e1c5050aec Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Fri, 24 Oct 2025 20:20:50 +0200 +Subject: [PATCH] Use $action instead of $function in python SWIG interface + +$function is not supported since SWIG 4.4.0. +--- + libunbound/python/libunbound.i | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libunbound/python/libunbound.i b/libunbound/python/libunbound.i +index dc12514..4576844 100644 +--- a/libunbound/python/libunbound.i ++++ b/libunbound/python/libunbound.i +@@ -853,7 +853,7 @@ Result: ['74.125.43.147', '74.125.43.99', '74.125.43.103', '74.125.43.104'] + %{ + //printf("resolve_start(%lX)\n",(long unsigned int)arg1); + Py_BEGIN_ALLOW_THREADS +- $function ++ $action + Py_END_ALLOW_THREADS + //printf("resolve_stop()\n"); + %} +-- +2.51.0 + diff --git a/unbound.spec b/unbound.spec index 2fcb22a..80e5dd0 100644 --- a/unbound.spec +++ b/unbound.spec @@ -77,6 +77,8 @@ Source30: tmpfiles-unbound-libs.conf # Downstream configuration changes Patch1: unbound-fedora-config.patch +# https://github.com/NLnetLabs/unbound/pull/1365 +Patch2: unbound-1.24-swig-function.patch BuildRequires: gcc, make BuildRequires: openssl-devel From c6dcb50ddd56bf2b77716142aa56bdeaf1aa8a77 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Fri, 24 Oct 2025 20:34:21 +0200 Subject: [PATCH 54/62] Update link to PR of Jitka --- unbound.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index 80e5dd0..44c4564 100644 --- a/unbound.spec +++ b/unbound.spec @@ -77,7 +77,7 @@ Source30: tmpfiles-unbound-libs.conf # Downstream configuration changes Patch1: unbound-fedora-config.patch -# https://github.com/NLnetLabs/unbound/pull/1365 +# https://github.com/NLnetLabs/unbound/pull/1331 Patch2: unbound-1.24-swig-function.patch BuildRequires: gcc, make 
From 7357a73777e80b0ec1fd971cfcc8c708c3fe7e4c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Thu, 6 Nov 2025 14:47:41 +0100
Subject: [PATCH 55/62] Do not build with QUIC support in RHEL

Until we have also client support, server side support of QUIC is not too important to us.

---
 unbound.spec | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/unbound.spec b/unbound.spec
index 44c4564..2995d25 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -4,7 +4,8 @@
 %bcond_without dnstap
 %bcond_without systemd
 %bcond_without doh
-%if 0%{?rhel} >= 10 || 0%{?fedora} >= 43
+%if 0%{?fedora} >= 43 && !0%{?rhel}
+# Do not build with QUIC support in RHEL, until we have also client support.
 %bcond_without ngtcp2
 %endif
 %if 0%{?rhel} && ! 0%{?epel}

From 531b1140b74cdcc168385e7414d747bc0c36cf36 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Mon, 24 Nov 2025 14:46:24 +0100
Subject: [PATCH 56/62] Do not initialize QUIC when not requested (rhbz#2416728)

---
 unbound-1.24-quic-on-demand-only.patch | 171 +++++++++++++++++++++++++
 unbound.spec | 2 +
 2 files changed, 173 insertions(+)
 create mode 100644 unbound-1.24-quic-on-demand-only.patch

diff --git a/unbound-1.24-quic-on-demand-only.patch b/unbound-1.24-quic-on-demand-only.patch
new file mode 100644
index 0000000..e074ab0
--- /dev/null
+++ b/unbound-1.24-quic-on-demand-only.patch
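Review bot: Keeping `%bcond_without ngtcp2` inside the `%if` means the bcond is never declared on RHEL, so QUIC cannot be switched on for a scratch build with `--with ngtcp2`, and the new comment explaining the policy ends up inside the conditional block it describes. An `%else` branch holding `%bcond_with ngtcp2` keeps the same defaults (off on RHEL, on for Fedora >= 43) while making the option explicit, and the comment reads better placed directly above the `%if`. The new condition also excludes every build where `%{?rhel}` is defined, which is broader than the old `>= 10` test; that matches the commit message for RHEL and ELN, assuming no EPEL build of this package is intended.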
@@ -0,0 +1,171 @@ +From 1dfe06278c1446558b5043d7c57cd901e7d96829 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Mon, 24 Nov 2025 13:44:14 +0100 +Subject: [PATCH] Do not initialize quic_table unless it is enabled + +Fedora in FIPS mode might fail to initialize ngtcp2 library, because +some ciphers desired are not available. + +Make it possible to skip initialization by setting explicitly quic_port +to 0. Unless we have some listeners for port 853 configured, skip its +initialization as well. + +Related: https://pagure.io/freeipa/issue/9877 +--- + daemon/daemon.c | 14 +++++++++----- + services/listen_dnsport.c | 14 +++++++++++--- + util/configparser.y | 15 +++++++++------ + util/netevent.c | 3 +++ + 4 files changed, 32 insertions(+), 14 deletions(-) + +diff --git a/daemon/daemon.c b/daemon/daemon.c +index f882bb9ad..a9cc25c67 100644 +--- a/daemon/daemon.c ++++ b/daemon/daemon.c +@@ -558,9 +558,11 @@ daemon_create_workers(struct daemon* daemon) + verbose(VERB_ALGO, "total of %d outgoing ports available", numport); + + #ifdef HAVE_NGTCP2 +- daemon->doq_table = doq_table_create(daemon->cfg, daemon->rand); +- if(!daemon->doq_table) +- fatal_exit("could not create doq_table: out of memory"); ++ if (cfg_has_quic(daemon->cfg)) { ++ daemon->doq_table = doq_table_create(daemon->cfg, daemon->rand); ++ if(!daemon->doq_table) ++ fatal_exit("could not create doq_table: out of memory"); ++ } + #endif + + daemon->num = (daemon->cfg->num_threads?daemon->cfg->num_threads:1); +@@ -917,8 +919,10 @@ daemon_cleanup(struct daemon* daemon) + daemon->dnscenv = NULL; + #endif + #ifdef HAVE_NGTCP2 +- doq_table_delete(daemon->doq_table); +- daemon->doq_table = NULL; ++ if (daemon->doq_table) { ++ doq_table_delete(daemon->doq_table); ++ daemon->doq_table = NULL; ++ } + #endif + daemon->cfg = NULL; + } +diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c +index f7fcca194..ab8f1ba72 100644 +--- a/services/listen_dnsport.c ++++ b/services/listen_dnsport.c +@@ -1564,7 +1564,7 @@ 
listen_create(struct comm_base* base, struct listen_port* ports, + cp = comm_point_create_udp(base, ports->fd, + front->udp_buff, ports->pp2_enabled, cb, + cb_arg, ports->socket); +- } else if(ports->ftype == listen_type_doq) { ++ } else if(ports->ftype == listen_type_doq && doq_table) { + #ifndef HAVE_NGTCP2 + log_warn("Unbound is not compiled with " + "ngtcp2. This is required to use DNS " +@@ -3275,7 +3275,11 @@ nghttp2_session_callbacks* http2_req_callbacks_create(void) + struct doq_table* + doq_table_create(struct config_file* cfg, struct ub_randstate* rnd) + { +- struct doq_table* table = calloc(1, sizeof(*table)); ++ struct doq_table* table; ++ ++ if (!cfg->quic_port) ++ return NULL; ++ table = calloc(1, sizeof(*table)); + if(!table) + return NULL; + #ifdef USE_NGTCP2_CRYPTO_OSSL +@@ -3354,7 +3358,7 @@ conn_tree_del(rbnode_type* node, void* arg) + { + struct doq_table* table = (struct doq_table*)arg; + struct doq_conn* conn; +- if(!node) ++ if(!node || !table) + return; + conn = (struct doq_conn*)node->key; + if(conn->timer.timer_in_list) { +@@ -3413,6 +3417,7 @@ doq_timer_find_time(struct doq_table* table, struct timeval* tv) + { + struct doq_timer key; + struct rbnode_type* node; ++ log_assert(table != NULL); + memset(&key, 0, sizeof(key)); + key.time.tv_sec = tv->tv_sec; + key.time.tv_usec = tv->tv_usec; +@@ -4922,6 +4927,7 @@ doq_conid_find(struct doq_table* table, const uint8_t* data, size_t datalen) + key.node.key = &key; + key.cid = (void*)data; + key.cidlen = datalen; ++ log_assert(table != NULL); + node = rbtree_search(table->conid_tree, &key); + if(node) + return (struct doq_conid*)node->key; +@@ -5662,6 +5668,8 @@ doq_table_quic_size_available(struct doq_table* table, + struct config_file* cfg, size_t mem) + { + size_t cur; ++ if (!table) ++ return 0; + lock_basic_lock(&table->size_lock); + cur = table->current_size; + lock_basic_unlock(&table->size_lock); +diff --git a/util/configparser.y b/util/configparser.y +index bf9c196fc..f159b8cec 100644 
+--- a/util/configparser.y ++++ b/util/configparser.y +@@ -1235,14 +1235,17 @@ server_http_notls_downstream: VAR_HTTP_NOTLS_DOWNSTREAM STRING_ARG + server_quic_port: VAR_QUIC_PORT STRING_ARG + { + OUTYY(("P(server_quic_port:%s)\n", $2)); ++ if(atoi($2) == 0 && strcmp($2,"0")!=0) ++ yyerror("port number expected"); ++ else { ++ cfg_parser->cfg->quic_port = atoi($2); + #ifndef HAVE_NGTCP2 +- log_warn("%s:%d: Unbound is not compiled with " +- "ngtcp2. This is required to use DNS " +- "over QUIC.", cfg_parser->filename, cfg_parser->line); ++ if (cfg_parser->cfg->quic_port != 0) ++ log_warn("%s:%d: Unbound is not compiled with " ++ "ngtcp2. This is required to use DNS " ++ "over QUIC.", cfg_parser->filename, cfg_parser->line); + #endif +- if(atoi($2) == 0) +- yyerror("port number expected"); +- else cfg_parser->cfg->quic_port = atoi($2); ++ } + free($2); + }; + server_quic_size: VAR_QUIC_SIZE STRING_ARG +diff --git a/util/netevent.c b/util/netevent.c +index aedcb5e07..93db16675 100644 +--- a/util/netevent.c ++++ b/util/netevent.c +@@ -2723,6 +2723,7 @@ doq_server_socket_create(struct doq_table* table, struct ub_randstate* rnd, + { + size_t doq_buffer_size = 4096; /* bytes buffer size, for one packet. */ + struct doq_server_socket* doq_socket; ++ log_assert(doq_table != NULL); + doq_socket = calloc(1, sizeof(*doq_socket)); + if(!doq_socket) { + return NULL; +@@ -2804,6 +2805,7 @@ doq_lookup_repinfo(struct doq_table* table, struct comm_reply* repinfo) + { + struct doq_conn* conn; + struct doq_conn_key key; ++ log_assert(table != NULL); + doq_conn_key_from_repinfo(&key, repinfo); + lock_rw_rdlock(&table->lock); + conn = doq_conn_find(table, &key.paddr.addr, +@@ -5880,6 +5882,7 @@ comm_point_create_doq(struct comm_base *base, int fd, sldns_buffer* buffer, + struct config_file* cfg) + { + #ifdef HAVE_NGTCP2 ++ log_assert(table != NULL); + struct comm_point* c = (struct comm_point*)calloc(1, + sizeof(struct comm_point)); + short evbits; +-- +2.52.0 + 
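Review bot: In the `doq_server_socket_create` change in util/netevent.c the added `log_assert(doq_table != NULL);` names an identifier that does not exist in that function — the hunk header shows the parameter as `struct doq_table* table` — so it should read `log_assert(table != NULL);`; it presumably only compiles today because `log_assert` expands to nothing unless debug assertions are enabled. `doq_table_create` now returns NULL both when `cfg->quic_port` is 0 and when `calloc` fails, while its caller in `daemon_create_workers` still reports every NULL as "could not create doq_table: out of memory"; if `cfg_has_quic()` and `quic_port` can disagree, check `daemon->cfg->quic_port` at the call site as well, or distinguish the disabled case in the message. In `comm_point_create_doq` the new `log_assert(table != NULL);` is placed before the declaration of `c`, which mixes a statement into the declaration list and will warn if the build enables a declaration-after-statement check; moving it below `short evbits;` avoids that. `cfg_has_quic` is called but not defined anywhere in this patch, so it is assumed to exist upstream already. Every function touched here begins and ends outside the inner hunks shown.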
diff --git a/unbound.spec b/unbound.spec index 2995d25..ccad149 100644 --- a/unbound.spec +++ b/unbound.spec @@ -80,6 +80,8 @@ Source30: tmpfiles-unbound-libs.conf Patch1: unbound-fedora-config.patch # https://github.com/NLnetLabs/unbound/pull/1331 Patch2: unbound-1.24-swig-function.patch +# https://github.com/NLnetLabs/unbound/pull/1381 +Patch3: unbound-1.24-quic-on-demand-only.patch BuildRequires: gcc, make BuildRequires: openssl-devel From 4161ebcee0794614c79b1571fe58c5d205e100a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 25 Nov 2025 15:09:46 +0100 Subject: [PATCH 57/62] Add dependency on dns-root-data package Do not contain own copy of root key. Use shared key provided by the package. --- unbound.spec | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/unbound.spec b/unbound.spec index ccad149..367e499 100644 --- a/unbound.spec +++ b/unbound.spec @@ -93,6 +93,7 @@ BuildRequires: automake autoconf libtool BuildRequires: autoconf-archive # Regenerate config parser too BuildRequires: bison flex byacc +BuildRequires: dns-root-data %if 0%{?fedora} BuildRequires: gnupg2 @@ -164,6 +165,7 @@ The devel package contains the unbound library and the include files %package libs Summary: Libraries used by the unbound server and client applications Recommends: %{name}-anchor +Requires: dns-root-data %if ! 0%{with_python2} # Make explicit conflict with no longer provided python package Obsoletes: python2-unbound < 1.9.3 
@@ -368,12 +370,8 @@ install -p -m 0644 %{SOURCE30} %{buildroot}%{_tmpfilesdir}/unbound-libs.conf # install root - we keep a copy of the root key in old location, # in case user has changed the configuration and we wouldn't update it there install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/ -install -p -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/unbound/dnssec-root.key -# make initial key static -pushd %{buildroot}%{_sharedstatedir}/unbound - KEYPATH=$(realpath --relative-to="%{buildroot}%{_sharedstatedir}/unbound" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key") - ln -s "$KEYPATH" root.key -popd +ln -sr "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key" "%{buildroot}%{_sharedstatedir}/unbound/root.key" +ln -sr "%{buildroot}%{_datadir}/dns-root-data/root.key" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key" # remove static library from install (fedora packaging guidelines) rm %{buildroot}%{_libdir}/*.la From 21f2c5bc52591684bd5b8bc11783e7df301e2c05 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 25 Nov 2025 15:23:54 +0100 Subject: [PATCH 58/62] Create root.key from dns-root-data It is old compat file, but stop having it contained copy. --- mkroot.sh | 17 +++++++++++++++++ root.key | 8 -------- unbound.spec | 5 +++-- 3 files changed, 20 insertions(+), 10 deletions(-) create mode 100755 mkroot.sh delete mode 100644 root.key diff --git a/mkroot.sh b/mkroot.sh new file mode 100755 index 0000000..eb6d5b3 --- /dev/null +++ b/mkroot.sh @@ -0,0 +1,17 @@ +#!/bin/sh + +SOURCE="/usr/share/dns-root-data/root.key" +DEST="${1:-root.key}" + +mk_key() { +echo "# Generated from $SOURCE" +echo "# Use /var/lib/unbound/root.key instead." +echo "trusted-keys {" +while read DOMAIN CLS TYPE FLAGS PROTO ALG KEYDATA COMMENT KEYTAG; do +echo "$DOMAIN $CLS $TYPE $FLAGS $PROTO $ALG \"$KEYDATA\" # $KEYTAG" +done < "$SOURCE" +echo "};" +} + +mk_key > "$DEST" +touch -r "$SOURCE" "$DEST" 
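Review bot: The two context comment lines above the new `ln -sr` pair still say a copy of the root key is kept in the old location, but after this hunk `%{_sysconfdir}/unbound/dnssec-root.key` is itself a symlink into `%{_datadir}/dns-root-data/` and `%{_sharedstatedir}/unbound/root.key` is a symlink to that symlink; replace them with e.g. `# dnssec-root.key and the legacy root.key now point at the shared dns-root-data copy` so the next reader is not misled. Both link targets are owned by another package, so the `Requires: dns-root-data` added to the libs subpackage earlier in this commit only prevents a dangling link if dnssec-root.key is packaged in that same subpackage, which the hunks here do not show. The first `ln -sr` is created before its target exists, which GNU ln accepts, but a short comment noting that the order is deliberate would help.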
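Review bot: The line `mk_key` emits, `$DOMAIN $CLS $TYPE $FLAGS $PROTO $ALG "$KEYDATA" # $KEYTAG`, does not match the BIND trusted-keys form the deleted root.key used (`"." 257 3 8 "…"; // key id = …`): it carries the class and type fields over from the DNSKEY record and lacks the terminating `;`, so consumers that parsed the old file may reject the generated one. If the fields of `/usr/share/dns-root-data/root.key` are laid out as the `read` assumes, `echo "\"$DOMAIN\" $FLAGS $PROTO $ALG \"$KEYDATA\"; # $KEYTAG"` reproduces the old form. The script also keeps going after the `done < "$SOURCE"` redirection fails and writes the closing `};` into a half-empty `$DEST`; only the final `touch -r "$SOURCE" "$DEST"` makes the build fail in that case, so `set -e` after the shebang would stop at the real error. `read` without `-r` is harmless for base64 key data but `read -r` is the safer habit.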
diff --git a/root.key b/root.key deleted file mode 100644 index 848887d..0000000 --- a/root.key +++ /dev/null @@ -1,8 +0,0 @@ -# The root key in obsoleted bind format. This can be read by some tools, including -# named, unbound, delv etc. For libunbound, use ub_ctx_trustedkeys() to load this -# Prefer DNS format in /var/lib/unbound/root.key or /etc/unbound/dnssec-root.key, -# ub_ctx_add_ta_file or trust-anchor-file: format -trusted-keys { -"." 257 3 8 "AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc="; // key id = 38696 -"." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326 -}; diff --git a/unbound.spec b/unbound.spec index 367e499..14ac006 100644 --- a/unbound.spec +++ b/unbound.spec @@ -49,7 +49,7 @@ Source: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz Source1: unbound.service Source3: unbound.munin Source4: unbound_munin_ -Source5: root.key +Source5: mkroot.sh Source7: unbound-keygen.service Source8: tmpfiles-unbound.conf Source9: example.com.key 
@@ -369,7 +369,8 @@ install -p -m 0644 %{SOURCE30} %{buildroot}%{_tmpfilesdir}/unbound-libs.conf # install root - we keep a copy of the root key in old location, # in case user has changed the configuration and we wouldn't update it there -install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/ +sh %{SOURCE5} root.key +install -m 0644 root.key %{buildroot}%{_sysconfdir}/unbound/ ln -sr "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key" "%{buildroot}%{_sharedstatedir}/unbound/root.key" ln -sr "%{buildroot}%{_datadir}/dns-root-data/root.key" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key" From 79dc8264748806d5d2a54a0b235fb5d43ea64431 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Wed, 26 Nov 2025 14:16:02 +0100 Subject: [PATCH 59/62] Update to 1.16.2 (rhbz#2417261) - Additional fix for CVE-2025-11411 https://nlnetlabs.nl/projects/unbound/download/#unbound-1-24-2 --- sources | 4 ++-- unbound.spec | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/sources b/sources index d2b95bf..7d4806d 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (unbound-1.24.1.tar.gz) = 0332053ff6b2a2b6743fe33460950780a26e2cad236d21a9219e7b1a04576a9887342d59bc244c02c405e93812168175bc3dbe5481a201296899e77cbd201ea5 -SHA512 (unbound-1.24.1.tar.gz.asc) = 64f7baa0af069093f2d2a52d00fa41c26dd3a4a8eb39fbf90ae7355725121583f7dcd79257c064fa13d05f7bb0c602fe30104859a41164a81664cd4c1e275f30 +SHA512 (unbound-1.24.2.tar.gz) = 655d63ec5305323e84d82691425d74d98c332d0028517bd729d191e5f968ce9481b49ec7447d4c4906dce7997a998a115db36e911a59d2d877da5840c2080261 +SHA512 (unbound-1.24.2.tar.gz.asc) = 66a3e569a606cc3ed7dac9b411fba347da150728427619bdbf12ac57a5d7db1fc17963b1ba052a95d6c6fed67a6f0c1b5920318f6cd34e5091750626dd63fb21 diff --git a/unbound.spec b/unbound.spec index 14ac006..1fc03d9 100644 --- a/unbound.spec +++ b/unbound.spec 
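Review bot: `install -m 0644 root.key %{buildroot}%{_sysconfdir}/unbound/` drops the `-p` that the neighbouring `install` lines use and that mkroot.sh's `touch -r "$SOURCE" "$DEST"` exists to make meaningful, so the generated file's mtime is reset at install time; use `install -p -m 0644 root.key %{buildroot}%{_sysconfdir}/unbound/`. Since the file is rendered once from the build host's dns-root-data, it will not follow later dns-root-data updates the way the two symlinks below it do, and a comment such as `# legacy BIND-format copy, rendered at build time from dns-root-data` would make that explicit. `%{SOURCE5}` carries a shebang and executable mode, so the `sh` prefix is redundant but harmless.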
@@ -40,7 +40,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.24.1 +Version: 1.24.2 Release: %autorelease %{?extra_version:-e %{extra_version}} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ From 64fc0f02705035a7a0c7960669724ca4dcc1aa02 Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Tue, 9 Dec 2025 11:32:18 -0500 Subject: [PATCH 60/62] Add nlnetlabs2026-g2.asc key for 2026 signature verification downloaded from: https://nlnetlabs.nl/downloads/keys/releases-g2.asc --- nlnetlabs2026-g2.asc | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 nlnetlabs2026-g2.asc diff --git a/nlnetlabs2026-g2.asc b/nlnetlabs2026-g2.asc new file mode 100644 index 0000000..a8f7de7 --- /dev/null +++ b/nlnetlabs2026-g2.asc 
@@ -0,0 +1,24 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQGNBGc7H5IBDADOZfJwZ6zZ/4JbbR2hef4261/zh7YpdjUREUs0dMQSbf+x7sAE +50JgvLQWlvA8sDHzbUMQ9cAYZBGGE6iHb50KboeEfuiP5BdiLe8XWKlo1EIh+Idz +0+e1binxwvXV1/9ACm/UHPRuWjkG7vrP+mVRuhfKglO6xSDxV1cwjYTRtvRtQx8D ++kTdZzprvtzkU7OIWeczKFJRhVHzNDHYFG9SuxvDA9cbVm1KPVJEkRBwoSBPeB0z +Z3LSib2uT6Lc/ghAijOwIpR+zNYKOYxRhzoFArrLa0Fs4nq6//LA42/aVjSienEJ +SR5CVUbZy14WuUsYCkV+ZoORVRYZOcjtPG7FUKDXKzY9/iNhEAZ3OMK7Np2Xq/YO +gaOiUDFXLHU1n2UVH1rwkMiS2o4EMqvO7gINmnL/ccpI2wj2QrQ+JZ9y1Xky7dQM +LIIbtp40e0kGocgyba484rW17xlvXRxb1Pjn93JygD6WcraLLNh9jq87hW/J37qi +S4DL+GUe10H8SeEAEQEAAbQ6TkxuZXQgTGFicyByZWxlYXNlcyBzaWduaW5nIGtl +eSBHMiA8cmVsZWFzZXNAbmxuZXRsYWJzLm5sPokBzgQTAQoAOBYhBCMQGGkMTZA+ +9BkUaqFEMj3qrN9FBQJnOx+SAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ +EKFEMj3qrN9FZigL/0aVsJ48oe7vko1Mwg9DucFoCL8CESAarA40in1Bauq7p/pT +l5UcNnFPLO8HBAHWGWtDI63pEhNzHacPzSI94GKS4TUMGzCV1H/c0KnxB7wAO55b +HEQOZJ+kFRBFXWxbXORtp86NZuyCvVoSA4QAcnCf4m5ZEBb72H2cmy8xP+/HLkbS +rpr5pyoUWtCYM8FxnjM3bClXSGOlWNl9cSXLqyyVjxvc7cOAS8ytL/zoVStoBmi/ +OwQbeJfAiqDMnipBJNzOHlfniKXE0FGDozKCHWP88ifs8A8OUNtJng7cNq7EQf9K +vTvbJCcF4akUUcXnx4gv9Z1ZQ93Jg5X7h+0MP7Ut4z9hKSIAOowru7GXGEt256Ja +eE1nSviDcqUtZpyqCLjpCDFGPMwSPzSwlPXjJVlVxPkDvPuNt2LUIEd8BR8Wo7z+ +NA5uM/zTHkQXEdUgCcl/rHy6moHYV3Q+YbMb17zU37a5vLb+wQ74doaiYo3b8KoV +K6vVKMmB0qru6ERJ3g== +=4R8U +-----END PGP PUBLIC KEY BLOCK----- From 71efccae360b4733b7c2c1994305801e33230cef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 13 Jan 2026 16:35:32 +0100 Subject: [PATCH 61/62] Replace Wouter's key with release-g2 key Prepare for next release verification. Enable verification also for RHEL build from this release. Should enable ELN source verification. --- releases-g2.asc | 24 ++++++++ unbound.spec | 9 +-- wouter.nlnetlabs.nl.key | 123 ---------------------------------------- 3 files changed, 29 insertions(+), 127 deletions(-) create mode 100644 releases-g2.asc delete mode 100644 wouter.nlnetlabs.nl.key 
diff --git a/releases-g2.asc b/releases-g2.asc new file mode 100644 index 0000000..a8f7de7 --- /dev/null +++ b/releases-g2.asc @@ -0,0 +1,24 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQGNBGc7H5IBDADOZfJwZ6zZ/4JbbR2hef4261/zh7YpdjUREUs0dMQSbf+x7sAE +50JgvLQWlvA8sDHzbUMQ9cAYZBGGE6iHb50KboeEfuiP5BdiLe8XWKlo1EIh+Idz +0+e1binxwvXV1/9ACm/UHPRuWjkG7vrP+mVRuhfKglO6xSDxV1cwjYTRtvRtQx8D ++kTdZzprvtzkU7OIWeczKFJRhVHzNDHYFG9SuxvDA9cbVm1KPVJEkRBwoSBPeB0z +Z3LSib2uT6Lc/ghAijOwIpR+zNYKOYxRhzoFArrLa0Fs4nq6//LA42/aVjSienEJ +SR5CVUbZy14WuUsYCkV+ZoORVRYZOcjtPG7FUKDXKzY9/iNhEAZ3OMK7Np2Xq/YO +gaOiUDFXLHU1n2UVH1rwkMiS2o4EMqvO7gINmnL/ccpI2wj2QrQ+JZ9y1Xky7dQM +LIIbtp40e0kGocgyba484rW17xlvXRxb1Pjn93JygD6WcraLLNh9jq87hW/J37qi +S4DL+GUe10H8SeEAEQEAAbQ6TkxuZXQgTGFicyByZWxlYXNlcyBzaWduaW5nIGtl +eSBHMiA8cmVsZWFzZXNAbmxuZXRsYWJzLm5sPokBzgQTAQoAOBYhBCMQGGkMTZA+ +9BkUaqFEMj3qrN9FBQJnOx+SAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ +EKFEMj3qrN9FZigL/0aVsJ48oe7vko1Mwg9DucFoCL8CESAarA40in1Bauq7p/pT +l5UcNnFPLO8HBAHWGWtDI63pEhNzHacPzSI94GKS4TUMGzCV1H/c0KnxB7wAO55b +HEQOZJ+kFRBFXWxbXORtp86NZuyCvVoSA4QAcnCf4m5ZEBb72H2cmy8xP+/HLkbS +rpr5pyoUWtCYM8FxnjM3bClXSGOlWNl9cSXLqyyVjxvc7cOAS8ytL/zoVStoBmi/ +OwQbeJfAiqDMnipBJNzOHlfniKXE0FGDozKCHWP88ifs8A8OUNtJng7cNq7EQf9K +vTvbJCcF4akUUcXnx4gv9Z1ZQ93Jg5X7h+0MP7Ut4z9hKSIAOowru7GXGEt256Ja +eE1nSviDcqUtZpyqCLjpCDFGPMwSPzSwlPXjJVlVxPkDvPuNt2LUIEd8BR8Wo7z+ +NA5uM/zTHkQXEdUgCcl/rHy6moHYV3Q+YbMb17zU37a5vLb+wQ74doaiYo3b8KoV +K6vVKMmB0qru6ERJ3g== +=4R8U +-----END PGP PUBLIC KEY BLOCK----- diff --git a/unbound.spec b/unbound.spec index 1fc03d9..58a0ccf 100644 --- a/unbound.spec +++ b/unbound.spec 
@@ -62,8 +62,8 @@ Source15: unbound-anchor.timer Source16: unbound-munin.README Source17: unbound-anchor.service Source18: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc -# source: https://nlnetlabs.nl/people/ -Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key +# https://nlnetlabs.nl/signing-keys/ +Source19: https://nlnetlabs.nl/downloads/keys/releases-g2.asc Source20: unbound.sysusers Source21: remote-control.conf Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc @@ -95,7 +95,7 @@ BuildRequires: autoconf-archive BuildRequires: bison flex byacc BuildRequires: dns-root-data -%if 0%{?fedora} +%if 0%{?fedora} || 0%{?rhel} >= 9 BuildRequires: gnupg2 %endif %if 0%{with_python2} @@ -225,7 +225,8 @@ Unbound dracut module allowing use of Unbound for name resolution in initramfs. %prep -%if 0%{?fedora} +%if 0%{?fedora} || 0%{?rhel} >= 9 +# TODO: Remove Yorgos.asc and extra verification once releases start to be signed by new g2 key %{gpgverify} --keyring='%{SOURCE22}' --signature='%{SOURCE18}' --data='%{SOURCE0}' || \ %{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}' %endif diff --git a/wouter.nlnetlabs.nl.key b/wouter.nlnetlabs.nl.key deleted file mode 100644 index 603e620..0000000 --- a/wouter.nlnetlabs.nl.key +++ /dev/null 
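Review bot: The new `Source19` line in the first hunk swaps the trust anchor used to verify the release tarball, but nothing in the spec pins which key is expected, so a later `spectool -g` re-download or a modified dist-git copy of the key file would not be detectable from the spec itself. Reading the committed armor, the self-signature's issuer-fingerprint subpacket appears to decode to `2310 1869 0C4D 903E F419 146A A144 323D EAAC DF45` (key ID `A144323DEAACDF45`, uid `NLnet Labs releases signing key G2 <releases@nlnetlabs.nl>`); verify that with `gpg --show-keys` and against https://nlnetlabs.nl/signing-keys/ before trusting my decode. Suggest extending the comment to `# https://nlnetlabs.nl/signing-keys/ — NLnet Labs releases signing key G2, fingerprint 2310 1869 0C4D 903E F419 146A A144 323D EAAC DF45` so the committed file can be compared against the published value at review time. The same applies to `Source22` (Yorgos.asc), which is an unchanged context line here.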
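Review bot: Within the `%if 0%{?fedora} || 0%{?rhel} >= 9` guard in the %prep hunk, the `||` chain accepts a tarball signed by either the Yorgos key or the new g2 key, so the older key remains a fully trusted signer until the TODO is acted on, and on any build target outside the guard the signature is not checked at all. That is a reasonable transition, but the TODO names no concrete trigger, which is how such extra trust anchors tend to linger; suggest `# TODO: drop the Yorgos.asc check and Source22 once the first g2-signed unbound release is packaged`. Which key signs the current release is not visible here, so the ordering of the two checks is left as is.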
@@ -1,123 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -xsFNBE2v/RwBEACyQpJlpCeSZBV1QUH7jNEp5xGdo6OnX2h9XoZ4ZPsb+u6OT+xE -SH45ncnISUh8rPCygbeWOoPR/yOBzh+lYoGxQ5iUHtwRrhHq04sQe/qFpXDO2xs6 -1pTcPU2PnH7Rsr2qp6fZLPHuXLolD7NJfaSib8sVeMM0/ecyl/L2bBg9NpaGDX0x -TQh95M8o6AFo6UKWApBpgsvEZr2aH/B8b9KnCWFhfJyheEM7DamksdZNsKxXQyq3 -l/ROfdsMLZGF8vPbYV/v11G4keyaLpn8AbBpybIiw9SYDwf2ENk3+e1NFfMaiiyE -qn9+aaLTKCY87TMUuoN3s3jWOOy5tHXzf6DbKhub4Awsby3DH5YpPhi4N2vj2pAX -Vpl5+m78cH29JLzT+HAoyZ4tq1r3m0P5QogNqYwqxkKWYOjDilNDBiKiDdgtrLYG -x+ABovKG/FvToJoaCL4AFaVCzWmL2uHkSgyBN0FPHatCB1UeEkcQit6T8E2NQqmF -WjUMXSWHHajSMG95+L5PdLHz/Ku0o3Csvlt2pkElYZmzJBfnOM9JevdsmKr/ruJC -/DCZAn5w2S/9ZF5qfo2F9HUKIwE/dChR29HcN8V4nqZs9oCvEMfFhHmrfwDc5hed -hvb6mAkvSFFtKIrygLIVeWRj3FE9sGp6sr4VwOLYTFRNk7mAsWD1rZApeQARAQAB -zSdXLkMuQS4gV2lqbmdhYXJkcyA8d291dGVyQG5sbmV0bGFicy5ubD7CwX4EEwEC -ACgFAk2v/RwCGyMFCQlmAYAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEJ9v -HC1+BF+N3yoQAIynfrvZ/8RNAv9lLcSc2PX3fvG7oRJEJSy9uMyIbMtb/a1BVCeh -XjR8GhHJ5D/Z3jRWBQKw1rLLvOqbuBGkpKMR100ZVF4z/8e6CWtTAOFy28f1JQw2 -8kilN7K6vjno21S1JJ1XJAdoFdicyb1SW2r+KYod6fjSyF0lb71od+sdnSE9O/xd -Cqyyu6cX+AwfDcuJ6Y8iOWu8CeWAz41LR1QBUQkCb/08mVfCEu+Cj+M31jjPDZEy -UAw219vr4QFe0o3t+Msv0AUZvcRkW6+8qP5lO6I5we/33WBLZH70lhFvYtobM7HO -MCjheRZguSzvRqEETfTjia1uVi3Yz2qM4CFdJIZF6Er79yKcB3jYquultrnlHdXZ -/IZsHVRk6JfiqFkz9u1T9PkvMoQ452aUomGTg9xQchnKpe1E8osKgLulaY+izTEq -Z8pH/HWWJ/YT13/n8pxK9EbC/8SkVhyXNehOSAGDZar+tjVBofgzS8r+GDyv+pBT -SmjitIrVXZNuhigLp1o7Tvs4kjKlcFnLhfDHJ+yb5JyiZd01bVvaqnfRhACqXfWl -oC0uslRbegoYwJUgX0BOrsOuHGH2SfGjd/QnA0bcEXM2kp1Dp1gqtcEd5Qitm647 -Yz+leWkhrmMmtTwqumXoAcvgzthJFUPcAzuhXZNfqQJMOGRxAGVI0P97wsF+BBMB -AgAoAhsjBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCVu+rZAUJDQIVSAAKCRCf -bxwtfgRfjdrWEACMQK0xYtZtAvLL/8CCcCi92Oi1rtXRGWnRy7JX020hftmWliMq -4P0F3CJKVLhgZ/ldp8OOqmfDfmwLMVSaCQ86Ubqn7Ofrf8Ku8SGQuIMxY2ODB97h -ouY4bnDHaM2Cqi6JkBN+G1tgdwqN/kcecF2tq3ql2k7eX91++A+F5ApIu1silzJP -L4Z8W6MVOdKrtzEM7t61hRlsbpEPj72vbVBZ1hmTiIL4VWwdxQYamxBoOeneskyD 
-DG+iMCI3P1GG3EQkk+9Aect/iH9uruE0mxn2aKN8cfuoR93cPF/ozCxS5ItwAVnN -e39WRO1GT2zYaFgYm0lf9czcpRsRzNbGw938lZ3iPUiZe+ybKgLKkVmvrkM59ljH -T99SrC14VXxgQwSs4gS3rdzbY9tPps62Z1q+xCVfTx1IY5P4nt59xwQV0Iw+pV9S -/mVcOnPXl1UKb0ttOdYJErrq3RpF/D2g/NDtL0OWqIa8LvrBlyQYmWPKvKw76vt4 -bJ3NU31jSc0ow/j7EOVjOst86s629zmtnbJjWVr6LOy5EDUPusmqHv1t4Z4RMjf8 -OrJdNbFJoRXZv8FbW4NzXeGtMf8k6vKeejpdMH4+eLuoZG7dchU1JccfgqfwWpy0 -ojmb59drJcaQgVC6Jvw9l0TmGPNIsE4UrIWocaFgv4dOKvHA2hcnMDM8rsLBlQQT -AQIAPwIbIwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQTt+qPyyk5usFaBr46f -bxwtfgRfjQUCWaU4BQUJEZjVaQAKCRCfbxwtfgRfjb1YEACjkhtkyZkYURUmSZNL -2IK/Zencv7DZGRfFrzijROFtHbe//H8o2ZhlyiaFSA/dT1ehjsukkR0oFkYadA+q -Ui06WpxGmd/jf8hP4yTUZkwOhQAesWoNmnhKePNaVMKY8DP57bA+N2pdCcGu7gUt -Yzq2JoTAtV+P/PE2w+H9eyBAulv6iUckM5/qvGfJPl8HB9BtgOpGN79otVWO6ebM -4TQ3cZYI9BDQnt9cF2pviex+z1iLZVJ8UeRxSxYhrBKPJioi0Q1OgcKyO56t7Eot -zxKl5TzprgvdX4cdls+lehD8StlE2Xv/TScHvdOhJuVBrn3a3QjZPb4qSsz74leW -5/EIQmozBy+qf8AHcCmTXwb2U7oHOct7cVyS5+bFx+ThpV5OK0rjTH1LMNiuTeAN -46c1y3prjZRpQUlgVwj06q3Zz/fzDyueUS/r4lW4nAf/VNZy/rTS2HYPoZbHZVCt -GpDIfag6fV6V97Pd3zfhTf2wmsJsw9Xhktp/o7rMBRSMhvL4oevOXb0JSG2583Q/ -JnCCceB4NxRRxsgkRYHwdnXN9FnOPSa4NyvF4rzpPksLGZrhvm+lBvzVn/e40Q/K -lxvSlnn2vW/WBM4pBq1jsoJrd/JkTdijZV7mt7HQ2bCLXAPgfZjy7n79WiCQVHg7 -iYnNikiNWR5TR7JcvdkxOdiA/8LBlQQTAQgAPwIbIwYLCQgHAwIGFQgCCQoLBBYC -AwECHgECF4AWIQTt+qPyyk5usFaBr46fbxwtfgRfjQUCXe4JdQUJGaQN2QAKCRCf -bxwtfgRfjQ8gEACe+49aDQHRuZdDHK1VCJKzhb+MvfdIjvl8eQxljpG9Uz5Y17Bx -4SWfuLHCeGlh1m6IOAWeW4g6Wowm1ec1PkVa79TdrkKb0MxfLSat6iDbiuVjDxy2 -bWokW0/cPzJ/FoWDtEC0H9UTAMb5QGBDZUbLuwX7ZjvMkAhH15/hO9Gj4RHoH1RJ -GJALRtZzjtzsJqL53kW/EV59V1T79Nocyx018iw50Jn02mI8wYJZ9HZc5C7D+K59 -vcqLRZgkrJrObw0sEv3YFOBYp/1DemH2nHPMBSKMmN5RAcr32guUjd4BEWf2Q7Ao -+Qnhdi161W0YKCW4JAmOoQ4bQ0wfE9Q5aUIGhUF52L+ac8Hy7dByaCExCA/WTqQQ -/iVPybmpJQhFonWt/fmpxbE2wKThSEOHTO67e5e3JfUb0vNKssyZojao4h1MF5nv -aPNKoybWwKnpNM0ORcyl+aogKwW7E15TEU0TE5//gAsFwRDcCnSEKnksgM0321m1 -7RDfJbCajIv47DHDYE3yvhRZjCJCaw0Gow1sDRWjdOFpmIixD5/vx5uxyqSHPuGA 
-sXlEvl+Z3Rdc5bQ7pAWu7UNpR3hnJPfg8KL2xqOF75VKG9/NjLE80yj8wdVoCfDv -vizrBtOXnHI49gCMCfNqbGIb5yVhmTdeo7li+Te9hlJ2DrHnujGJlFe+p87BTQRN -r/0cARAApvDKeVLiSazESdTY9KsSWsqoB38pvOsu25M49tEjc5TtY5LwKNckqkeR -lJ83O8dFG7UBVuGwLKaf/6OR/pe24upZ27eOOWW7sXvQNv5aXlOYfF+mjIhUINqj -q4pKDmO1c9J7h5d+auOVfzcgfotg3BVCaKn56ucjiQJ059uUMfgWTvVlibnoJ7de -Zcgt8v7VcLK9jv+P8QJHTIyDzJd+JjdjuHXqC/A37T5G9Z84x8wYrQY6mZmOIYaM -jwIKdgFeN+nLk5henARUz4MTFUW4j9hHpuyAFomDQ93/wkHZ9IEChTxdZnfvsd// -Z45vfcX9dQM+tuR8XCYThVsScI1TnwR46hi5NkfmHo3HVxwB8/owJ+FZDsTNBbJd -7AVy27Xk4L5hLe7BwLDtFMyOp4lOipCM7//mtFB9mTzqnOwiSSyTRlwGUBJkzQFW -Qa0Z6bfYwA6+y1dn19H519GW49irtl+2+W8W4N8oLriIjPvqrQOyaELFcRfV6FfL -i09HPhHVbejOqIEbOtfuN0+mjrrGAwortfTBjfw80N+W90BTvta4K2SyjHcJTkDY -ehfOo/5IMpGtDsOgvsCbDaFRnNJuYtSqQmvWk1KIPIw6CkdJtZa3+q3YA7D7ovOV -H1OBTKNdBjc+X4W8L5R9MCymXWvgiP+52Sv1VIcZmsnCBrwK490AEQEAAcLBZQQY -AQIADwUCTa/9HAIbDAUJCWYBgAAKCRCfbxwtfgRfjTY/D/9+kX8LeqBhwDdwy3ud -V67KmVmytwGMfzBHbAyBdy84X06ip/If/VkjL+2Sv5Uml/cOOzGZT7y/KEt0uXQz -gOZhGP5Y0OREf4kSzfb7tsGu3ZjTp5uJe7HiJr8uqYGfx94TQG/A3x1C7MlxOGmW -DK/Eh/eNVeNd+3yyDEzl2p7a0yUhI8LtzllVrEDX+G4rz+mdDw4tfPDqzRPzPvVt -PfqnfofHP5r2dshGe7+pCTC+o0jHWpaiFkEiIrR3PbZ9tV6+F5LzCUJJP5nepz6C -ShpLHq9ST6qZiw5ZpdznHW0kVl96YxgynJq9Y4dqD/8nOfTzdHhXXEogGvRfcxat -xeZF7YNFhUU2p+CswAjRKCUzZAz0hDAu+dJ+fw4Odx7ii8uiwhEnEHoo8rPETkXw -UK1je4MCzMRSy0Gippzk/oZ7noIml+Njas/UygavUOQm8bcPqGfWeFqvM2C7ZobL -2iV0fX/bhEmQyosiWJ0nHuKdwDYygYs/4LtZLxwiKli/lm6IDz1028j6/98Z81gG -oltXWokTYAPEgcBuhyiSLSQ1wojTVMYt9rPKMBakTzP+0FoWqoNafWOlHovP6iUB -2Igll2ZT3AvrBQ8jAbRbuUl46QpBaKsl+pBo86az0fRkMxv0N4dQv4Q7Z0g71u9N -Tpaq1vtAZOwc0kl3uGNK18PnV8LBZQQYAQIADwIbDAUCVu+raQUJDQIVTQAKCRCf -bxwtfgRfjVnYEACZ1E/FfLDi4vLUd9diImmNN/zWDHxTsO/VG3lt50rSoJM5NGB4 -RlwcbUKhah2fD44FFiIqGIvKD9hRgB51dVRIkaR3ozVtXRBKxJJqWj38wf2FDLtU -XC5/JHYb0sjAc3ad2sA9xEmEBVO1lWK3J6h4gKZiAGlWz3oeOSve3vrTKsBlP0Cu -rUeb4WTVpw4drBJD7cDh8SJ4/Cq76UFx8lW0xR+pHZHcd0/Ir5v5HnnEgbnut4Ix -eY3/CGBfQfSQHylK7ifmPWq+dflC/ZdfHY1V96EHKPM44ZLwiczoY3qp5nkmEc3B 
-Y6+P8Ch5gddOYaY18wpedarswnpOLQD2Xbsj66Eh0IZuuuZGyfOqJNaWbP33L27e -g35XQNTgyhuZmDyRKL6yAbhU74TXCCvze/kkfqDn2ouCtM8/kqLX1v0+NkBxlhZU -kTTVDyclZtwu6Vypus3+j2Zqk8sXeUZI64sjXpzwOcMZxdl3QuyxMktExWzk9Q5D -YqO+pj/YGt1vp2M0YgSUWNWCvfBcjEPFgaljyqz3BdvR/LYohnXuQL9SWObF+sIF -c9D0w/yORYQcKP5kSWVC/qwFdC61OGeSDnQ/0o0T5PefhYS82gsIrjQ+HIJ7CLUT -k7kBNljvtfpoWegH02feR0kSRoCXA6x+YHT4fmB41pW8S1V5a5dEltA/JMLBfAQY -AQIAJgIbDBYhBO36o/LKTm6wVoGvjp9vHC1+BF+NBQJZpTgKBQkRmNVuAAoJEJ9v -HC1+BF+NyNQP/A3h+cOOkYUxyKpNHdtlIfCn8db5tHXSCbE19Qi7EK1SiK5atjo+ -VoRtB+L01kH6GCx5oZjeIhUdzYFwEUsdCDgwD6r0dKFwKIGa4TFcfnx+Z5B+HZgL -Yc6ac5PEHF1qZVXZH9GSGeNw5h2yyqf4yhvetSN6L2id14m5XXJV5e7NfOgmaSnG -0Z+wQvPSiu+Q00XpENT8HFSTSCjRATjk12rpy6TPeeC52NK1gLhGDRHN0k6m+vm4 -yoC+Nd6iPQpnc+5xs7NDnq2dFuSTp7UTGebzPhhdSQgujEFuYLwzQMZu1h5amtA+ -v9j7BYEJkOMC7bm1PNNA2QQ6QfH8Hf+mJeINyJO8A5KS3ceP+eo3SLR8T0hPzu9g -ZuZ22Hn3DXQh1VNRshaLKgNvoXpL3dQ48d1SFFKhEDpy2HSXUq2fs5rH0uszFGes -G7K6EQRAYRcDrCkt9fdfkvCSxAFw9d+472xThzgKcN+MkOec+SaY+xlVULjEfCWy -RVC8Opam4mTm/XT4mVLxP/qnsy7kEhLoc/ouB+lY/ks06LpZJvCXL6WfA9You1Fi -1Mg7GhSh9JKg6X6E8Trm+N4dxJGut1xbbGmmKXqfi4pej9KlkdeM9t1df/vWKlPa -7Hzd8H0btgJx066wC4yt0ghxtsJXBsCDxWLfzaSRZ2/eP16mHqxDjsQQwsF8BBgB -CAAmAhsMFiEE7fqj8spObrBWga+On28cLX4EX40FAl3uCX0FCRmkDeEACgkQn28c -LX4EX43TQA/+JV8ReMRJCn3Cfqbe5ycFn8p6dIVnJiQuhiEyu5yzdpSkKyzcVFJO -bQcqw7s50FJuLUbxdvbcuGIaoTu7dhBoUXO5tOuIQAsKTfGfgoOgelJm+/q2h645 -EnAVINGbMDXrmo4/UFJkNjUMA6SQi/yiam7N0y58eoDC4sGmBKuN2EW2MoWahlXw -8SS1+Ab9qVBs/RqbSy6f1nJL39aPpPDmvyJOSYtHnNSFlYWVhr0zGAi5rnswlFGr -ECGbHpr5FajUK7zcmtNPbi7F30K48xfF3XnDIeIBcerrEBQMaPUZcBlddGhmSVVJ -ZU/YhR35JNgPnmp33gOuZaRiW9lauZFwsMQBIBkLpJWoUtu8QLkyC0HmJzVRep0/ -s1RkzaJ+1G1BzXTQiXaLaUQWG5h3pcMD8fxY5qp9KbG/+10bY0sRbRBXgS6mz7dd -HaBtg/E8ty2nEB1HDXA9HAHu7KlH9e96sPZjz9C46ZiOXe6ZAOk6wBYts4RG4bCQ -9pGORJ+P2Jr2pz1NZQbs1AhnjJixTsfZfsGZ5lHxGLjIyxtdGB/irLEqNTIMek2y -p4CShmWoZwN0V3aGYMe/rC4tSXG79IeKNwF3Vd5MHtB+hcJG2qztBtKQuW29rbRA -5bNxwTWe8skwOKsxXnP9RC974k0XkPS+VwgmVgNN1ewS/0oHvmEP71Q= -=Oqje ------END PGP PUBLIC 
KEY BLOCK----- From 21dc077e040de49174e41c99f5c7defb457c9d8e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 13 Jan 2026 16:40:21 +0100 Subject: [PATCH 62/62] Replace downloaded key with existing Paul's key Keep only one instance of the key. --- releases-g2.asc | 24 ------------------------ unbound.spec | 2 +- 2 files changed, 1 insertion(+), 25 deletions(-) delete mode 100644 releases-g2.asc diff --git a/releases-g2.asc b/releases-g2.asc deleted file mode 100644 index a8f7de7..0000000 --- a/releases-g2.asc +++ /dev/null @@ -1,24 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -mQGNBGc7H5IBDADOZfJwZ6zZ/4JbbR2hef4261/zh7YpdjUREUs0dMQSbf+x7sAE -50JgvLQWlvA8sDHzbUMQ9cAYZBGGE6iHb50KboeEfuiP5BdiLe8XWKlo1EIh+Idz -0+e1binxwvXV1/9ACm/UHPRuWjkG7vrP+mVRuhfKglO6xSDxV1cwjYTRtvRtQx8D -+kTdZzprvtzkU7OIWeczKFJRhVHzNDHYFG9SuxvDA9cbVm1KPVJEkRBwoSBPeB0z -Z3LSib2uT6Lc/ghAijOwIpR+zNYKOYxRhzoFArrLa0Fs4nq6//LA42/aVjSienEJ -SR5CVUbZy14WuUsYCkV+ZoORVRYZOcjtPG7FUKDXKzY9/iNhEAZ3OMK7Np2Xq/YO -gaOiUDFXLHU1n2UVH1rwkMiS2o4EMqvO7gINmnL/ccpI2wj2QrQ+JZ9y1Xky7dQM -LIIbtp40e0kGocgyba484rW17xlvXRxb1Pjn93JygD6WcraLLNh9jq87hW/J37qi -S4DL+GUe10H8SeEAEQEAAbQ6TkxuZXQgTGFicyByZWxlYXNlcyBzaWduaW5nIGtl -eSBHMiA8cmVsZWFzZXNAbmxuZXRsYWJzLm5sPokBzgQTAQoAOBYhBCMQGGkMTZA+ -9BkUaqFEMj3qrN9FBQJnOx+SAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ -EKFEMj3qrN9FZigL/0aVsJ48oe7vko1Mwg9DucFoCL8CESAarA40in1Bauq7p/pT -l5UcNnFPLO8HBAHWGWtDI63pEhNzHacPzSI94GKS4TUMGzCV1H/c0KnxB7wAO55b -HEQOZJ+kFRBFXWxbXORtp86NZuyCvVoSA4QAcnCf4m5ZEBb72H2cmy8xP+/HLkbS -rpr5pyoUWtCYM8FxnjM3bClXSGOlWNl9cSXLqyyVjxvc7cOAS8ytL/zoVStoBmi/ -OwQbeJfAiqDMnipBJNzOHlfniKXE0FGDozKCHWP88ifs8A8OUNtJng7cNq7EQf9K -vTvbJCcF4akUUcXnx4gv9Z1ZQ93Jg5X7h+0MP7Ut4z9hKSIAOowru7GXGEt256Ja -eE1nSviDcqUtZpyqCLjpCDFGPMwSPzSwlPXjJVlVxPkDvPuNt2LUIEd8BR8Wo7z+ -NA5uM/zTHkQXEdUgCcl/rHy6moHYV3Q+YbMb17zU37a5vLb+wQ74doaiYo3b8KoV -K6vVKMmB0qru6ERJ3g== -=4R8U ------END PGP PUBLIC KEY BLOCK----- 
diff --git a/unbound.spec b/unbound.spec
index 58a0ccf..d173141 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -63,7 +63,7 @@ Source16: unbound-munin.README
 Source17: unbound-anchor.service
 Source18: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
 # https://nlnetlabs.nl/signing-keys/
-Source19: https://nlnetlabs.nl/downloads/keys/releases-g2.asc
+Source19: https://nlnetlabs.nl/downloads/keys/releases-g2.asc#/nlnetlabs2026-g2.asc
 Source20: unbound.sysusers
 Source21: remote-control.conf
 Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc