From 29d16cea8c673bbb6cf6ad920e6c0d506d65a48c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Tue, 16 Jan 2024 17:05:56 +0100
Subject: [PATCH 1/9] Update address of b.root-servers.net (#2253461)
Modification of a config file differs from upstream version, we have it uncommented in Fedora. Resolves: rhbz#2253461
---
 unbound-1.19-b.root-servers.net-conf.patch | 38 ++++++++++++++++++++++
 unbound-1.19-b.root-servers.net.patch | 35 ++++++++++++++++++++
 unbound.spec | 5 +++
 3 files changed, 78 insertions(+)
 create mode 100644 unbound-1.19-b.root-servers.net-conf.patch
 create mode 100644 unbound-1.19-b.root-servers.net.patch
diff --git a/unbound-1.19-b.root-servers.net-conf.patch b/unbound-1.19-b.root-servers.net-conf.patch
new file mode 100644
index 0000000..c3f41c9
--- /dev/null
+++ b/unbound-1.19-b.root-servers.net-conf.patch
@@ -0,0 +1,38 @@
+From 101f9efb8de8e5e41fe40d05461276299e4c8980 Mon Sep 17 00:00:00 2001
+From: Petr Mensik
+Date: Tue, 16 Jan 2024 16:13:29 +0100
+Subject: [PATCH] Update b.root-servers.net also in example config file
+
+Addition to commit a8739bad76d4d179290627e989c7ef236345bda6, which
+updated only address specified in code. But addresses provided in
+example configuration were not updated, I think they should be updated
+too.
+---
+ unbound-1.19.0/doc/example.conf.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/unbound-1.19.0/doc/example.conf.in b/unbound-1.19.0/doc/example.conf.in
+index b79a322..3a15357 100644
+--- a/unbound-1.19.0/doc/example.conf.in
++++ b/unbound-1.19.0/doc/example.conf.in
+@@ -1203,7 +1203,7 @@ include: /etc/unbound/conf.d/*.conf
+ # notifies.
+ auth-zone:
+ name: "."
+- primary: 199.9.14.201 # b.root-servers.net
++ primary: 170.247.170.2 # b.root-servers.net
+ primary: 192.33.4.12 # c.root-servers.net
+ primary: 199.7.91.13 # d.root-servers.net
+ primary: 192.5.5.241 # f.root-servers.net
+@@ -1211,7 +1211,7 @@ auth-zone:
+ primary: 193.0.14.129 # k.root-servers.net
+ primary: 192.0.47.132 # xfr.cjr.dns.icann.org
+ primary: 192.0.32.132 # xfr.lax.dns.icann.org
+- primary: 2001:500:200::b # b.root-servers.net
++ primary: 2801:1b8:10::b # b.root-servers.net
+ primary: 2001:500:2::c # c.root-servers.net
+ primary: 2001:500:2d::d # d.root-servers.net
+ primary: 2001:500:2f::f # f.root-servers.net
+--
+2.43.0
+
diff --git a/unbound-1.19-b.root-servers.net.patch b/unbound-1.19-b.root-servers.net.patch
new file mode 100644
index 0000000..c3b9a47
--- /dev/null
+++ b/unbound-1.19-b.root-servers.net.patch
@@ -0,0 +1,35 @@
+From 72c65bfc2fe35cf4f0665a5e3f173f4f8f6f151b Mon Sep 17 00:00:00 2001
+From: "W.C.A. Wijngaards"
+Date: Wed, 6 Dec 2023 13:25:58 +0100
+Subject: [PATCH] - Updated IPv4 and IPv6 address for b.root-servers.net in
+ root hints.
+
+---
+ unbound-1.19.0/iterator/iter_hints.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/unbound-1.19.0/iterator/iter_hints.c b/unbound-1.19.0/iterator/iter_hints.c
+index a60d9a6..6b56daa 100644
+--- a/unbound-1.19.0/iterator/iter_hints.c
++++ b/unbound-1.19.0/iterator/iter_hints.c
+@@ -129,7 +129,7 @@ compile_time_root_prime(int do_ip4, int do_ip6)
+ dp->has_parent_side_NS = 1;
+ if(do_ip4) {
+ if(!ah(dp, "A.ROOT-SERVERS.NET.", "198.41.0.4")) goto failed;
+- if(!ah(dp, "B.ROOT-SERVERS.NET.", "199.9.14.201")) goto failed;
++ if(!ah(dp, "B.ROOT-SERVERS.NET.", "170.247.170.2")) goto failed;
+ if(!ah(dp, "C.ROOT-SERVERS.NET.", "192.33.4.12")) goto failed;
+ if(!ah(dp, "D.ROOT-SERVERS.NET.", "199.7.91.13")) goto failed;
+ if(!ah(dp, "E.ROOT-SERVERS.NET.", "192.203.230.10")) goto failed;
+@@ -144,7 +144,7 @@ compile_time_root_prime(int do_ip4, int do_ip6)
+ }
+ if(do_ip6) {
+ if(!ah(dp, "A.ROOT-SERVERS.NET.", "2001:503:ba3e::2:30")) goto failed;
+- if(!ah(dp, "B.ROOT-SERVERS.NET.", "2001:500:200::b")) goto failed;
++ if(!ah(dp, "B.ROOT-SERVERS.NET.", "2801:1b8:10::b")) goto failed;
+ if(!ah(dp, "C.ROOT-SERVERS.NET.", "2001:500:2::c")) goto failed;
+ if(!ah(dp, "D.ROOT-SERVERS.NET.", "2001:500:2d::d")) goto failed;
+ if(!ah(dp, "E.ROOT-SERVERS.NET.", "2001:500:a8::e")) goto failed;
+--
+2.43.0
+
diff --git a/unbound.spec b/unbound.spec
index 31b1448..7c07131 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -57,6 +57,11 @@ Source20: unbound.sysusers
 # Downstream configuration changes
 Patch1: unbound-fedora-config.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2253461
+# https://github.com/NLnetLabs/unbound/commit/a8739bad76d4d179290627e989c7ef236345bda6
+Patch2: unbound-1.19-b.root-servers.net.patch
+# https://github.com/NLnetLabs/unbound/pull/993
+Patch3: unbound-1.19-b.root-servers.net-conf.patch
 BuildRequires: gcc, make
 BuildRequires: flex, openssl-devel
From 474a140b59050dd1b4b273cf8f189c8b67ffe0bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Mon, 29 Jan 2024 12:35:47 +0100
Subject: [PATCH 2/9] Always auto-restart on crash events
Although no way of crashing is known, ensure unbound will restart itself in case of crash. That should minimize possible damage and allow less degraded service until a fix for crashes arrives. Do not try to restart on configuration failures. There restarts will not likely to fix the issue anyway.
---
 unbound.service | 1 +
 1 file changed, 1 insertion(+)
diff --git a/unbound.service b/unbound.service
index ffaf783..74321c7 100644
--- a/unbound.service
+++ b/unbound.service
@@ -14,6 +14,7 @@ EnvironmentFile=-/etc/sysconfig/unbound
 ExecStartPre=/usr/sbin/unbound-checkconf
 ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
 ExecReload=/usr/sbin/unbound-control reload
+Restart=on-abnormal
 [Install]
 WantedBy=multi-user.target
From 9c9eefdc134a9ef1077677c48e11b754358e1586 Mon Sep 17 00:00:00 2001
From: Paul Wouters
Date: Tue, 13 Feb 2024 09:20:26 -0500
Subject: [PATCH 3/9] Update to 1.19.1 for CVE-2023-50387, CVE-2023-50868
Resolves: CVE-2023-50387 (KeyTrap Denial of Service) Resolves: CVE-2023-50868 (NSEC3 Denial of Service)
---
 .gitignore | 2 ++
 sources | 4 ++--
 unbound.spec | 2 +-
 3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index c4bf873..62eba4b 100644
--- a/.gitignore
+++ b/.gitignore
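Review bot: The comment above `Patch2:` cites upstream commit a8739bad76d4d179290627e989c7ef236345bda6, but the file it introduces (unbound-1.19-b.root-servers.net.patch) carries `From 72c65bfc2fe35cf4f0665a5e3f173f4f8f6f151b` in its own header, so anyone checking the provenance of the backported root-hint change is faced with two different ids. Presumably 72c65bfc is the same change re-committed on the unbound-1.19.0 source tree (the paths inside the patch are prefixed `unbound-1.19.0/`), but the spec does not say so. Consider stating it in the comment, e.g. `# backport of upstream a8739bad76d4d179290627e989c7ef236345bda6, re-applied on the 1.19.0 tree (the From: id inside the file is the rebased commit)`. The same applies to `Patch3:`, whose file records `From 101f9efb8de8e5e41fe40d05461276299e4c8980` while the comment points at pull request 993.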
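Review bot: `Restart=on-abnormal` is added without a `RestartSec=`, so a crash that recurs on every start would be retried at systemd's default 100 ms interval and, with the default start rate limit (five starts within 10 s), the unit would be left in the failed state within a second or two, which is the opposite of the degraded-but-running service the commit message aims for. A short delay and a wider limit let the restart loop absorb a repeating crash without exhausting the budget, for example `RestartSec=2s` in `[Service]` and `StartLimitIntervalSec=60s` / `StartLimitBurst=10` in `[Unit]` (values are illustrative). `on-abnormal` correctly leaves a clean non-zero exit alone, which matches the stated intent of not retrying configuration failures. The `[Unit]` section and the `[Service]` header are outside this hunk.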
@@ -83,3 +83,5 @@ unbound-1.4.5.tar.gz
 /unbound-1.18.0.tar.gz.asc
 /unbound-1.19.0.tar.gz
 /unbound-1.19.0.tar.gz.asc
+/unbound-1.19.1.tar.gz
+/unbound-1.19.1.tar.gz.asc
diff --git a/sources b/sources
index 4adc154..a941fce 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (unbound-1.19.0.tar.gz) = c7df997ab003d098f53ac97ffb4c8428ab28e24573ff21e21782cbeadca42edadeb5b0db53ce954c9ff3106a5edb36eb47109240c554a44d9aac75727b66aeb4
-SHA512 (unbound-1.19.0.tar.gz.asc) = 63aa94192de7840f7abe43367e2c3f5d3fd42b8d72c08a5645cf28e2c0ad2e11d54f3aa645384fff5d4dfe66bc7ee25d81bd967780a992b54956343974206580
+SHA512 (unbound-1.19.1.tar.gz) = c81192b70f14a4e289cf738bf6b647cf25b58b1ab11076dee306ff25a530b6a1bbeca71cfa8820d80f48fd843019beb29a68796a1b1fcec6e561dfeccd62d96a
+SHA512 (unbound-1.19.1.tar.gz.asc) = 2e4c6b7df844d1fb93d948791a20b9ff201bd1e6de6c89a830ddce06e24e5d770409265005f549757ef3a9c99d11b9860ae21711425d76d42bf2c33240dd3b52
diff --git a/unbound.spec b/unbound.spec
index 7c07131..55685f8 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.19.0
+Version: 1.19.1
 Release: %autorelease %{?extra_version:-e %{extra_version}}
 License: BSD-3-Clause
 Url: https://nlnetlabs.nl/projects/unbound/
From bb0bf7f7e566cc9401a4be638d0754590ec618f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Tue, 13 Feb 2024 22:47:36 +0100
Subject: [PATCH 4/9] Ensure only unbound group members can make changes
unbound-control should allow only privileged users from unbound group to modify running instance.
---
 unbound-fedora-config.patch | 46 ++++++++++++++++++-------------------
 1 file changed, 23 insertions(+), 23 deletions(-)
diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch
index a249d2c..009cb07 100644
--- a/unbound-fedora-config.patch
+++ b/unbound-fedora-config.patch
@@ -1,4 +1,4 @@ -From ecfc3a96a0d38cc31fb871d98789467434c7afda Mon Sep 17 00:00:00 2001 +From 77710cef1d7001fc52b7f19b0b9e305fd355f07e Mon Sep 17 00:00:00 2001 From: Petr Mensik Date: Fri, 10 Nov 2023 12:58:31 +0100 Subject: [PATCH] Customize unbound.conf for Fedora defaults @@ -7,13 +7,13 @@ Set some Fedora/RHEL specific changes to example configuration file. By patching upstream provided config file we would not need to manually update external copy in source RPM. --- - unbound-1.19.0/doc/example.conf.in | 205 ++++++++++++++++++----------- - 1 file changed, 131 insertions(+), 74 deletions(-) + unbound-1.19.1/doc/example.conf.in | 200 ++++++++++++++++++----------- + 1 file changed, 127 insertions(+), 73 deletions(-) -diff --git a/unbound-1.19.0/doc/example.conf.in b/unbound-1.19.0/doc/example.conf.in -index fe0dde6..b79a322 100644 ---- a/unbound-1.19.0/doc/example.conf.in -+++ b/unbound-1.19.0/doc/example.conf.in +diff --git a/unbound-1.19.1/doc/example.conf.in b/unbound-1.19.1/doc/example.conf.in +index fcfb1da..a61b530 100644 +--- a/unbound-1.19.1/doc/example.conf.in ++++ b/unbound-1.19.1/doc/example.conf.in @@ -17,11 +17,12 @@ server: # whitespace is not necessary, but looks cleaner. @@ -400,7 +400,7 @@ index fe0dde6..b79a322 100644 # Dynamic library config section. To enable: # o use --with-dynlibmodule to configure before compiling. -@@ -1067,13 +1104,18 @@ python: +@@ -1067,13 +1104,14 @@ python: # the module-config then you need one dynlib-file per instance. dynlib: # Script file to load 
@@ -414,19 +414,19 @@ index fe0dde6..b79a322 100644 - # control-enable: no + # Note: required for unbound-munin package + control-enable: yes -+ -+ # Set to no and use an absolute path as control-interface to use -+ # a unix local named pipe for unbound-control. -+ # control-use-cert: yes # what interfaces are listened to for remote control. # give 0.0.0.0 and ::0 to listen to all interfaces. -@@ -1087,19 +1129,22 @@ remote-control: +@@ -1081,6 +1119,7 @@ remote-control: + # are not used for that, so key and cert files need not be present. + # control-interface: 127.0.0.1 + # control-interface: ::1 ++ control-interface: "/run/unbound/control" - # for localhost, you can disable use of TLS by setting this to "no" - # For local sockets this option is ignored, and TLS is not used. -- # control-use-cert: "yes" -+ control-use-cert: "no" + # port number for remote control operations. + # control-port: 8953 +@@ -1090,16 +1129,19 @@ remote-control: + # control-use-cert: "yes" # Unbound server key file. - # server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key" @@ -449,7 +449,7 @@ index fe0dde6..b79a322 100644 # Stub zones. # Create entries like below, to make all queries for 'example.com' and -@@ -1121,6 +1166,10 @@ remote-control: +@@ -1121,6 +1163,10 @@ remote-control: # name: "example.org" # stub-host: ns.example.com. @@ -460,7 +460,7 @@ index fe0dde6..b79a322 100644 # Forward zones # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of servers. These servers have to handle -@@ -1138,6 +1187,10 @@ remote-control: +@@ -1138,6 +1184,10 @@ remote-control: # forward-zone: # name: "example.org" # forward-host: fwd.example.com 
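Review bot: Pointing `control-interface` at the unix socket `"/run/unbound/control"` is what makes the commit's claim (only members of the unbound group can change the running instance) achievable, but nothing in this hunk establishes that restriction: who can talk to a unix control socket is decided by the ownership and mode of /run/unbound and of the socket file, which come from the packaging (tmpfiles/spec) outside this patch, not from the configuration line itself. Dropping the downstream `control-use-cert: "no"` is fine for a local socket, since the retained upstream comment says the option is ignored there, but it also means that anyone who later switches `control-interface` back to an IP address silently gets certificate-based control with whatever key files happen to be present. I would record the enforcement point next to the new line, e.g. `# Access to this unix socket is controlled by the permissions of /run/unbound (root and the unbound group); TLS is not used on local sockets.`, and name the directory ownership in the commit message so the claim can be checked. The remote-control: block this hunk edits begins outside the hunk.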
@@ -471,7 +471,7 @@ index fe0dde6..b79a322 100644 # Authority zones # The data for these zones is kept locally, from a file or downloaded. -@@ -1145,30 +1198,31 @@ remote-control: +@@ -1145,30 +1195,31 @@ remote-control: # upstream (which saves a lookup to the upstream). The first example # has a copy of the root for local usage. The second serves example.org # authoritatively. zonefile: reads from file (and writes to it if you also @@ -527,7 +527,7 @@ index fe0dde6..b79a322 100644 # auth-zone: # name: "example.org" # for-downstream: yes -@@ -1194,6 +1248,9 @@ remote-control: +@@ -1194,6 +1245,9 @@ remote-control: # name: "anotherview" # local-zone: "example.com" refuse @@ -537,7 +537,7 @@ index fe0dde6..b79a322 100644 # DNSCrypt # To enable, use --enable-dnscrypt to configure before compiling. # Caveats: -@@ -1266,7 +1323,7 @@ remote-control: +@@ -1266,7 +1320,7 @@ remote-control: # dnstap-enable: no # # if set to yes frame streams will be used in bidirectional mode # dnstap-bidirectional: yes @@ -547,5 +547,5 @@ index fe0dde6..b79a322 100644 # # set it to "IPaddress[@port]" of the destination. # dnstap-ip: "" -- -2.41.0 +2.43.0 From cbf2fd5d541e167812bb29b94c2d8b0868501ed9 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Fri, 12 Apr 2024 19:54:21 +0200 Subject: [PATCH 5/9] Update to 1.19.3 (rhbz#2268404) - Fix CVE-2024-1931, Denial of service when trimming EDE text on positive replies. (rhbz#2268419) - Use the origin (DNAME) TTL for synthesized CNAMEs as per RFC 6672. - Bug fixes https://nlnetlabs.nl/projects/unbound/download/#unbound-1-19-3 --- .gitignore | 2 + sources | 4 +- unbound-1.19-EDE-cpu-lock.patch | 14 ---- unbound-1.19-b.root-servers.net-conf.patch | 38 --------- unbound-1.19-b.root-servers.net.patch | 35 -------- unbound-fedora-config.patch | 96 ++++++++++------------ unbound.spec | 9 +- 7 files changed, 50 insertions(+), 148 deletions(-) delete mode 100644 unbound-1.19-EDE-cpu-lock.patch delete mode 100644 unbound-1.19-b.root-servers.net-conf.patch delete mode 100644 unbound-1.19-b.root-servers.net.patch diff --git a/.gitignore b/.gitignore index 62eba4b..dde18f4 100644 --- a/.gitignore +++ b/.gitignore @@ -85,3 +85,5 @@ unbound-1.4.5.tar.gz /unbound-1.19.0.tar.gz.asc /unbound-1.19.1.tar.gz /unbound-1.19.1.tar.gz.asc +/unbound-1.19.3.tar.gz +/unbound-1.19.3.tar.gz.asc diff --git a/sources b/sources index a941fce..eea1e9c 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (unbound-1.19.1.tar.gz) = c81192b70f14a4e289cf738bf6b647cf25b58b1ab11076dee306ff25a530b6a1bbeca71cfa8820d80f48fd843019beb29a68796a1b1fcec6e561dfeccd62d96a -SHA512 (unbound-1.19.1.tar.gz.asc) = 2e4c6b7df844d1fb93d948791a20b9ff201bd1e6de6c89a830ddce06e24e5d770409265005f549757ef3a9c99d11b9860ae21711425d76d42bf2c33240dd3b52 +SHA512 (unbound-1.19.3.tar.gz) = f860614f090a5a081cceff8ca7f4b3d416c00a251ae14ceb6b4159dc8cd022f025592074d3d78aee2f86c3eeae9d1a314713e4740aa91062579143199accd159 +SHA512 (unbound-1.19.3.tar.gz.asc) = 1b6437d7ac4394ab7d6eb0d12f22b39538152f9c88175a5368263059950b8e6b093fa5392d1ff37874effef7a422afa9c690f766802208979a99500a4bea5906 
diff --git a/unbound-1.19-EDE-cpu-lock.patch b/unbound-1.19-EDE-cpu-lock.patch
deleted file mode 100644
index 85b76ff..0000000
--- a/unbound-1.19-EDE-cpu-lock.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff --git a/unbound-1.19.1/util/data/msgencode.c b/unbound-1.19.1/util/data/msgencode.c
-index 80ae33a38..898ff8412 100644
---- a/unbound-1.19.1/util/data/msgencode.c
-+++ b/unbound-1.19.1/util/data/msgencode.c
-@@ -886,6 +886,9 @@ ede_trim_text(struct edns_option** list)
- curr->opt_len = 2;
- prev = curr;
- curr = curr->next;
-+ } else {
-+ prev = curr;
-+ curr = curr->next;
- }
- } else {
- /* continue */
diff --git a/unbound-1.19-b.root-servers.net-conf.patch b/unbound-1.19-b.root-servers.net-conf.patch
deleted file mode 100644
index c3f41c9..0000000
--- a/unbound-1.19-b.root-servers.net-conf.patch
+++ /dev/null
@@ -1,38 +0,0 @@ -From 101f9efb8de8e5e41fe40d05461276299e4c8980 Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Tue, 16 Jan 2024 16:13:29 +0100 -Subject: [PATCH] Update b.root-servers.net also in example config file - -Addition to commit a8739bad76d4d179290627e989c7ef236345bda6, which -updated only address specified in code. But addresses provided in -example configuration were not updated, I think they should be updated -too. ---- - unbound-1.19.0/doc/example.conf.in | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/unbound-1.19.0/doc/example.conf.in b/unbound-1.19.0/doc/example.conf.in -index b79a322..3a15357 100644 ---- a/unbound-1.19.0/doc/example.conf.in -+++ b/unbound-1.19.0/doc/example.conf.in -@@ -1203,7 +1203,7 @@ include: /etc/unbound/conf.d/*.conf - # notifies. - auth-zone: - name: "." -- primary: 199.9.14.201 # b.root-servers.net -+ primary: 170.247.170.2 # b.root-servers.net - primary: 192.33.4.12 # c.root-servers.net - primary: 199.7.91.13 # d.root-servers.net - primary: 192.5.5.241 # f.root-servers.net -@@ -1211,7 +1211,7 @@ auth-zone: - primary: 193.0.14.129 # k.root-servers.net - primary: 192.0.47.132 # xfr.cjr.dns.icann.org - primary: 192.0.32.132 # xfr.lax.dns.icann.org -- primary: 2001:500:200::b # b.root-servers.net -+ primary: 2801:1b8:10::b # b.root-servers.net - primary: 2001:500:2::c # c.root-servers.net - primary: 2001:500:2d::d # d.root-servers.net - primary: 2001:500:2f::f # f.root-servers.net --- -2.43.0 - diff --git a/unbound-1.19-b.root-servers.net.patch b/unbound-1.19-b.root-servers.net.patch deleted file mode 100644 index c3b9a47..0000000 --- a/unbound-1.19-b.root-servers.net.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 72c65bfc2fe35cf4f0665a5e3f173f4f8f6f151b Mon Sep 17 00:00:00 2001 -From: "W.C.A. Wijngaards" -Date: Wed, 6 Dec 2023 13:25:58 +0100 -Subject: [PATCH] - Updated IPv4 and IPv6 address for b.root-servers.net in - root hints. - ---- - unbound-1.19.0/iterator/iter_hints.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/unbound-1.19.0/iterator/iter_hints.c b/unbound-1.19.0/iterator/iter_hints.c -index a60d9a6..6b56daa 100644 ---- a/unbound-1.19.0/iterator/iter_hints.c -+++ b/unbound-1.19.0/iterator/iter_hints.c -@@ -129,7 +129,7 @@ compile_time_root_prime(int do_ip4, int do_ip6) - dp->has_parent_side_NS = 1; - if(do_ip4) { - if(!ah(dp, "A.ROOT-SERVERS.NET.", "198.41.0.4")) goto failed; -- if(!ah(dp, "B.ROOT-SERVERS.NET.", "199.9.14.201")) goto failed; -+ if(!ah(dp, "B.ROOT-SERVERS.NET.", "170.247.170.2")) goto failed; - if(!ah(dp, "C.ROOT-SERVERS.NET.", "192.33.4.12")) goto failed; - if(!ah(dp, "D.ROOT-SERVERS.NET.", "199.7.91.13")) goto failed; - if(!ah(dp, "E.ROOT-SERVERS.NET.", "192.203.230.10")) goto failed; -@@ -144,7 +144,7 @@ compile_time_root_prime(int do_ip4, int do_ip6) - } - if(do_ip6) { - if(!ah(dp, "A.ROOT-SERVERS.NET.", "2001:503:ba3e::2:30")) goto failed; -- if(!ah(dp, "B.ROOT-SERVERS.NET.", "2001:500:200::b")) goto failed; -+ if(!ah(dp, "B.ROOT-SERVERS.NET.", "2801:1b8:10::b")) goto failed; - if(!ah(dp, "C.ROOT-SERVERS.NET.", "2001:500:2::c")) goto failed; - if(!ah(dp, "D.ROOT-SERVERS.NET.", "2001:500:2d::d")) goto failed; - if(!ah(dp, "E.ROOT-SERVERS.NET.", "2001:500:a8::e")) goto failed; --- -2.43.0 - diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch index 009cb07..0aeb6cb 100644 --- a/unbound-fedora-config.patch +++ b/unbound-fedora-config.patch @@ -1,4 +1,4 @@ -From 77710cef1d7001fc52b7f19b0b9e305fd355f07e Mon Sep 17 00:00:00 2001 +From 17d4cc5fea24faa55358b7c36fdae0cd9bdd48b6 Mon Sep 17 00:00:00 2001 
From: Petr Mensik Date: Fri, 10 Nov 2023 12:58:31 +0100 Subject: [PATCH] Customize unbound.conf for Fedora defaults @@ -7,13 +7,13 @@ Set some Fedora/RHEL specific changes to example configuration file. By patching upstream provided config file we would not need to manually update external copy in source RPM. --- - unbound-1.19.1/doc/example.conf.in | 200 ++++++++++++++++++----------- - 1 file changed, 127 insertions(+), 73 deletions(-) + unbound-1.19.3/doc/example.conf.in | 194 ++++++++++++++++++----------- + 1 file changed, 124 insertions(+), 70 deletions(-) -diff --git a/unbound-1.19.1/doc/example.conf.in b/unbound-1.19.1/doc/example.conf.in -index fcfb1da..a61b530 100644 ---- a/unbound-1.19.1/doc/example.conf.in -+++ b/unbound-1.19.1/doc/example.conf.in +diff --git a/unbound-1.19.3/doc/example.conf.in b/unbound-1.19.3/doc/example.conf.in +index d791cf8..af163b2 100644 +--- a/unbound-1.19.3/doc/example.conf.in ++++ b/unbound-1.19.3/doc/example.conf.in @@ -17,11 +17,12 @@ server: # whitespace is not necessary, but looks cleaner. @@ -148,7 +148,7 @@ index fcfb1da..a61b530 100644 # Use systemd socket activation for UDP, TCP, and control sockets. # use-systemd: no -@@ -402,6 +426,7 @@ server: +@@ -403,6 +427,7 @@ server: # # If you give "" no chroot is performed. The path must not end in a /. # chroot: "@UNBOUND_CHROOT_DIR@" @@ -156,7 +156,7 @@ index fcfb1da..a61b530 100644 # if given, user privileges are dropped (after binding port), # and the given username is assumed. Default is user "unbound". -@@ -413,7 +438,7 @@ server: +@@ -414,7 +439,7 @@ server: # is not changed. # If you give a server: directory: dir before include: file statements # then those includes can be relative to the working directory. 
@@ -165,7 +165,7 @@ index fcfb1da..a61b530 100644 # the log file, "" means log to stderr. # Use of this option sets use-syslog to "no". -@@ -428,7 +453,7 @@ server: +@@ -429,7 +454,7 @@ server: # log-identity: "" # print UTC timestamp in ascii to logfile, default is epoch in seconds. @@ -174,7 +174,7 @@ index fcfb1da..a61b530 100644 # print one line with time, IP, name, type, class for every query. # log-queries: no -@@ -497,22 +522,22 @@ server: +@@ -501,22 +526,22 @@ server: # harden-large-queries: no # Harden against out of zone rrsets, to avoid spoofing attempts. @@ -201,7 +201,7 @@ index fcfb1da..a61b530 100644 # Harden against algorithm downgrade when multiple algorithms are # advertised in the DS record. If no, allows the weakest algorithm -@@ -526,7 +551,7 @@ server: +@@ -530,7 +555,7 @@ server: # Sent minimum amount of information to upstream servers to enhance # privacy. Only sent minimum required labels of the QNAME and set QTYPE # to A when possible. @@ -210,7 +210,7 @@ index fcfb1da..a61b530 100644 # QNAME minimisation in strict mode. Do not fall-back to sending full # QNAME to potentially broken nameservers. A lot of domains will not be -@@ -536,7 +561,7 @@ server: +@@ -540,7 +565,7 @@ server: # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN # and other denials, using information from previous NXDOMAINs answers. @@ -219,7 +219,7 @@ index fcfb1da..a61b530 100644 # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. -@@ -569,7 +594,7 @@ server: +@@ -573,7 +598,7 @@ server: # threshold, a warning is printed and a defensive action is taken, # the cache is cleared to flush potential poison out of it. # A suggested value is 10000000, the default is 0 (turned off). 
@@ -228,7 +228,7 @@ index fcfb1da..a61b530 100644 # Do not query the following addresses. No DNS queries are sent there. # List one address per entry. List classless netblocks with /size, -@@ -581,20 +606,20 @@ server: +@@ -585,20 +610,20 @@ server: # do-not-query-localhost: yes # if yes, perform prefetching of almost expired message cache entries. @@ -254,7 +254,7 @@ index fcfb1da..a61b530 100644 # true to disable DNSSEC lameness check in iterator. # disable-dnssec-lame-check: no -@@ -604,7 +629,9 @@ server: +@@ -608,7 +633,9 @@ server: # most modules have to be listed at the beginning of the line, # except cachedb(just before iterator), and python (at the beginning, # or, just before the iterator). @@ -265,7 +265,7 @@ index fcfb1da..a61b530 100644 # File with trusted keys, kept uptodate using RFC5011 probes, # initial file like trust-anchor-file, then it stores metadata. -@@ -618,10 +645,10 @@ server: +@@ -622,10 +649,10 @@ server: # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" # trust anchor signaling sends a RFC8145 key tag query after priming. @@ -278,7 +278,7 @@ index fcfb1da..a61b530 100644 # File with trusted keys for validation. Specify more than one file # with several entries, one file per entry. -@@ -642,6 +669,9 @@ server: +@@ -646,6 +673,9 @@ server: # the trusted-keys { name flag proto algo "key"; }; clauses are read. # you need external update procedures to track changes in keys. # trusted-keys-file: "" @@ -288,7 +288,7 @@ index fcfb1da..a61b530 100644 # Ignore chain of trust. Domain is treated as insecure. # domain-insecure: "example.com" -@@ -669,14 +699,15 @@ server: +@@ -673,14 +703,15 @@ server: # unsecure data. Useful to shield the users of this validator from # potential bogus data in the additional section. All unsigned data # in the additional section is removed from secure messages. 
@@ -306,7 +306,7 @@ index fcfb1da..a61b530 100644 # Ignore the CD flag in incoming queries and refuse them bogus data. # Enable it if the only clients of Unbound are legacy servers (w2008) -@@ -690,11 +721,11 @@ server: +@@ -694,11 +725,11 @@ server: # Serve expired responses from cache, with serve-expired-reply-ttl in # the response, and then attempt to fetch the data afresh. @@ -320,7 +320,7 @@ index fcfb1da..a61b530 100644 # # Set the TTL of expired records to the serve-expired-ttl value after a # failed attempt to retrieve the record from upstream. This makes sure -@@ -721,7 +752,7 @@ server: +@@ -725,7 +756,7 @@ server: # Have the validator log failed validations for your diagnosis. # 0: off. 1: A line per failed user query. 2: With reason and bad IP. @@ -329,7 +329,7 @@ index fcfb1da..a61b530 100644 # It is possible to configure NSEC3 maximum iteration counts per # keysize. Keep this table very short, as linear search is done. -@@ -865,6 +896,8 @@ server: +@@ -869,6 +900,8 @@ server: # you need to do the reverse notation yourself. # local-data-ptr: "192.0.2.3 www.example.com" @@ -338,7 +338,7 @@ index fcfb1da..a61b530 100644 # tag a localzone with a list of tag names (in "" with spaces between) # local-zone-tag: "example.com" "tag2 tag3" -@@ -875,8 +908,8 @@ server: +@@ -879,8 +912,8 @@ server: # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. # Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. 
@@ -349,7 +349,7 @@ index fcfb1da..a61b530 100644 # tls-port: 853 # https-port: 443 -@@ -884,6 +917,8 @@ server: +@@ -888,6 +921,8 @@ server: # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" # cipher setting for TLSv1.3 # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" @@ -358,8 +358,8 @@ index fcfb1da..a61b530 100644 # Pad responses to padded queries received over TLS # pad-responses: yes -@@ -1005,12 +1040,12 @@ server: - # fast-server-num: 3 +@@ -1024,12 +1059,12 @@ server: + # cookie-secret: <128 bit random hex string> # Enable to attach Extended DNS Error codes (RFC8914) to responses. - # ede: no @@ -373,7 +373,7 @@ index fcfb1da..a61b530 100644 # Specific options for ipsecmod. Unbound needs to be configured with # --enable-ipsecmod for these to take effect. -@@ -1018,12 +1053,14 @@ server: +@@ -1037,12 +1072,14 @@ server: # Enable or disable ipsecmod (it still needs to be defined in # module-config above). Can be used when ipsecmod needs to be # enabled/disabled via remote-control(below). @@ -391,7 +391,7 @@ index fcfb1da..a61b530 100644 # When enabled Unbound will reply with SERVFAIL if the return value of # the ipsecmod-hook is not 0. # ipsecmod-strict: no -@@ -1056,7 +1093,7 @@ server: +@@ -1075,7 +1112,7 @@ server: # o and give a python-script to run. python: # Script file to load @@ -400,7 +400,7 @@ index fcfb1da..a61b530 100644 # Dynamic library config section. To enable: # o use --with-dynlibmodule to configure before compiling. -@@ -1067,13 +1104,14 @@ python: +@@ -1086,13 +1123,14 @@ python: # the module-config then you need one dynlib-file per instance. dynlib: # Script file to load 
@@ -417,7 +417,7 @@ index fcfb1da..a61b530 100644 # what interfaces are listened to for remote control. # give 0.0.0.0 and ::0 to listen to all interfaces. -@@ -1081,6 +1119,7 @@ remote-control: +@@ -1100,6 +1138,7 @@ remote-control: # are not used for that, so key and cert files need not be present. # control-interface: 127.0.0.1 # control-interface: ::1 @@ -425,7 +425,7 @@ index fcfb1da..a61b530 100644 # port number for remote control operations. # control-port: 8953 -@@ -1090,16 +1129,19 @@ remote-control: +@@ -1109,16 +1148,19 @@ remote-control: # control-use-cert: "yes" # Unbound server key file. @@ -449,7 +449,7 @@ index fcfb1da..a61b530 100644 # Stub zones. # Create entries like below, to make all queries for 'example.com' and -@@ -1121,6 +1163,10 @@ remote-control: +@@ -1140,6 +1182,10 @@ remote-control: # name: "example.org" # stub-host: ns.example.com. @@ -460,7 +460,7 @@ index fcfb1da..a61b530 100644 # Forward zones # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of servers. These servers have to handle -@@ -1138,6 +1184,10 @@ remote-control: +@@ -1157,6 +1203,10 @@ remote-control: # forward-zone: # name: "example.org" # forward-host: fwd.example.com 
@@ -471,16 +471,13 @@ index fcfb1da..a61b530 100644 # Authority zones # The data for these zones is kept locally, from a file or downloaded. -@@ -1145,30 +1195,31 @@ remote-control: - # upstream (which saves a lookup to the upstream). The first example - # has a copy of the root for local usage. The second serves example.org - # authoritatively. zonefile: reads from file (and writes to it if you also --# download it), primary: fetches with AXFR and IXFR, or url to zonefile. --# With allow-notify: you can give additional (apart from primaries and urls) --# sources of notifies. +@@ -1167,27 +1217,28 @@ remote-control: + # download it), primary: fetches with AXFR and IXFR, or url to zonefile. + # With allow-notify: you can give additional (apart from primaries and urls) + # sources of notifies. -# auth-zone: -# name: "." --# primary: 199.9.14.201 # b.root-servers.net +-# primary: 170.247.170.2 # b.root-servers.net -# primary: 192.33.4.12 # c.root-servers.net -# primary: 199.7.91.13 # d.root-servers.net -# primary: 192.5.5.241 # f.root-servers.net @@ -488,7 +485,7 @@ index fcfb1da..a61b530 100644 -# primary: 193.0.14.129 # k.root-servers.net -# primary: 192.0.47.132 # xfr.cjr.dns.icann.org -# primary: 192.0.32.132 # xfr.lax.dns.icann.org --# primary: 2001:500:200::b # b.root-servers.net +-# primary: 2801:1b8:10::b # b.root-servers.net -# primary: 2001:500:2::c # c.root-servers.net -# primary: 2001:500:2d::d # d.root-servers.net -# primary: 2001:500:2f::f # f.root-servers.net 
@@ -499,12 +496,9 @@ index fcfb1da..a61b530 100644 -# fallback-enabled: yes -# for-downstream: no -# for-upstream: yes -+# download it), master: fetches with AXFR and IXFR, or url to zonefile. -+# With allow-notify: you can give additional (apart from masters) sources of -+# notifies. -+auth-zone: ++ auth-zone: + name: "." -+ primary: 199.9.14.201 # b.root-servers.net ++ primary: 170.247.170.2 # b.root-servers.net + primary: 192.33.4.12 # c.root-servers.net + primary: 199.7.91.13 # d.root-servers.net + primary: 192.5.5.241 # f.root-servers.net @@ -512,7 +506,7 @@ index fcfb1da..a61b530 100644 + primary: 193.0.14.129 # k.root-servers.net + primary: 192.0.47.132 # xfr.cjr.dns.icann.org + primary: 192.0.32.132 # xfr.lax.dns.icann.org -+ primary: 2001:500:200::b # b.root-servers.net ++ primary: 2801:1b8:10::b # b.root-servers.net + primary: 2001:500:2::c # c.root-servers.net + primary: 2001:500:2d::d # d.root-servers.net + primary: 2001:500:2f::f # f.root-servers.net @@ -527,7 +521,7 @@ index fcfb1da..a61b530 100644 # auth-zone: # name: "example.org" # for-downstream: yes -@@ -1194,6 +1245,9 @@ remote-control: +@@ -1213,6 +1264,9 @@ remote-control: # name: "anotherview" # local-zone: "example.com" refuse @@ -537,7 +531,7 @@ index fcfb1da..a61b530 100644 # DNSCrypt # To enable, use --enable-dnscrypt to configure before compiling. # Caveats: -@@ -1266,7 +1320,7 @@ remote-control: +@@ -1285,7 +1339,7 @@ remote-control: # dnstap-enable: no # # if set to yes frame streams will be used in bidirectional mode # dnstap-bidirectional: yes @@ -547,5 +541,5 @@ index fcfb1da..a61b530 100644 # # set it to "IPaddress[@port]" of the destination. # dnstap-ip: "" -- -2.43.0 +2.44.0 diff --git a/unbound.spec b/unbound.spec index a764abc..8d421c6 100644 --- a/unbound.spec +++ b/unbound.spec 
@@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.19.1 +Version: 1.19.3 Release: %autorelease %{?extra_version:-e %{extra_version}} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ @@ -57,13 +57,6 @@ Source20: unbound.sysusers # Downstream configuration changes Patch1: unbound-fedora-config.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2253461 -# https://github.com/NLnetLabs/unbound/commit/a8739bad76d4d179290627e989c7ef236345bda6 -Patch2: unbound-1.19-b.root-servers.net.patch -# https://github.com/NLnetLabs/unbound/pull/993 -Patch3: unbound-1.19-b.root-servers.net-conf.patch -# https://github.com/NLnetLabs/unbound/commit/ccbe31c21f91ae96e759547be264a34ac63f4f90 -Patch4: unbound-1.19-EDE-cpu-lock.patch BuildRequires: gcc, make BuildRequires: flex, openssl-devel From 189e9997c2fefdcd090b469054cfddf9aa893032 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Fri, 10 May 2024 15:37:36 +0200 Subject: [PATCH 6/9] Update to 1.20.0 Features: The config for discard-timeout, wait-limit, wait-limit-cookie, wait-limit-netblock and wait-limit-cookie-netblock was added, for the fix to the DNSBomb issue. Merge #1027: Introduce 'cache-min-negative-ttl' option. Merge #1043 from xiaoxiaoafeifei: Add loongarch support; updates config.guess(2024-01-01) and config.sub(2024-01-01), verified with upstream. Implement cachedb-check-when-serve-expired: yes option, default is enabled. When serve expired is enabled with cachedb, it first checks cachedb before serving the expired response. Fix #876: [FR] can unbound-checkconf be silenced when configuration is valid? And bug fixes. https://nlnetlabs.nl/projects/unbound/download/#unbound-1-20-0 Resolves: CVE-2024-33655 --- .gitignore | 2 + sources | 4 +- unbound-fedora-config.patch | 78 ++++++++++++++++++------------------- unbound.spec | 9 +++-- 4 files changed, 49 insertions(+), 44 deletions(-) 
diff --git a/.gitignore b/.gitignore index dde18f4..2ad282d 100644 --- a/.gitignore +++ b/.gitignore @@ -87,3 +87,5 @@ unbound-1.4.5.tar.gz /unbound-1.19.1.tar.gz.asc /unbound-1.19.3.tar.gz /unbound-1.19.3.tar.gz.asc +/unbound-1.20.0.tar.gz +/unbound-1.20.0.tar.gz.asc diff --git a/sources b/sources index eea1e9c..5a055a7 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (unbound-1.19.3.tar.gz) = f860614f090a5a081cceff8ca7f4b3d416c00a251ae14ceb6b4159dc8cd022f025592074d3d78aee2f86c3eeae9d1a314713e4740aa91062579143199accd159 -SHA512 (unbound-1.19.3.tar.gz.asc) = 1b6437d7ac4394ab7d6eb0d12f22b39538152f9c88175a5368263059950b8e6b093fa5392d1ff37874effef7a422afa9c690f766802208979a99500a4bea5906 +SHA512 (unbound-1.20.0.tar.gz) = 2f6bc76c03b71ca1c2cd2331dc72d62f51493d15e17c59af46b400e542fcabff22e6b9d33f750a3e5f918a0116f45afa760651b2d5aa2feadac151cbbd71b0bd +SHA512 (unbound-1.20.0.tar.gz.asc) = 1586a320077c606c5c19f251615df54a61854f51acca02df1d391dcc2287aff2c641b009aeee1a98392f63719d70b6bac23ebb7d86b780f8a27cda6e114fc0ad diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch index 0aeb6cb..7a66564 100644 --- a/unbound-fedora-config.patch +++ b/unbound-fedora-config.patch @@ -1,4 +1,4 @@ -From 17d4cc5fea24faa55358b7c36fdae0cd9bdd48b6 Mon Sep 17 00:00:00 2001 +From 79506679335ef1e02a960ccc7cfeda19348f5619 Mon Sep 17 00:00:00 2001 From: Petr Mensik Date: Fri, 10 Nov 2023 12:58:31 +0100 Subject: [PATCH] Customize unbound.conf for Fedora defaults 
@@ -7,13 +7,13 @@ Set some Fedora/RHEL specific changes to example configuration file. By patching upstream provided config file we would not need to manually update external copy in source RPM. --- - unbound-1.19.3/doc/example.conf.in | 194 ++++++++++++++++++----------- + unbound-1.20.0/doc/example.conf.in | 194 ++++++++++++++++++----------- 1 file changed, 124 insertions(+), 70 deletions(-) -diff --git a/unbound-1.19.3/doc/example.conf.in b/unbound-1.19.3/doc/example.conf.in -index d791cf8..af163b2 100644 ---- a/unbound-1.19.3/doc/example.conf.in -+++ b/unbound-1.19.3/doc/example.conf.in +diff --git a/unbound-1.20.0/doc/example.conf.in b/unbound-1.20.0/doc/example.conf.in +index 0368c8d..9ece701 100644 +--- a/unbound-1.20.0/doc/example.conf.in ++++ b/unbound-1.20.0/doc/example.conf.in @@ -17,11 +17,12 @@ server: # whitespace is not necessary, but looks cleaner. @@ -120,7 +120,7 @@ index d791cf8..af163b2 100644 # use IP_FREEBIND so the interface: addresses can be non-local # and you can bind to nonexisting IPs and interfaces that are down. -@@ -256,6 +275,8 @@ server: +@@ -276,6 +295,8 @@ server: # nat64-prefix: 64:ff9b::0/96 # Enable UDP, "yes" or "no". @@ -129,16 +129,16 @@ index d791cf8..af163b2 100644 # do-udp: yes # Enable TCP, "yes" or "no". -@@ -281,7 +302,7 @@ server: +@@ -301,7 +322,7 @@ server: # tcp-idle-timeout: 30000 # Enable EDNS TCP keepalive option. - # edns-tcp-keepalive: no + edns-tcp-keepalive: yes - # Timeout for EDNS TCP keepalive, in msec. - # edns-tcp-keepalive-timeout: 120000 -@@ -290,6 +311,9 @@ server: + # Timeout for EDNS TCP keepalive, in msec. Overrides tcp-idle-timeout + # if edns-tcp-keepalive is set. +@@ -311,6 +332,9 @@ server: # can be dropped. Default is 0, disabled. In seconds, such as 3. # sock-queue-timeout: 0 
@@ -148,7 +148,7 @@ index d791cf8..af163b2 100644 # Use systemd socket activation for UDP, TCP, and control sockets. # use-systemd: no -@@ -403,6 +427,7 @@ server: +@@ -424,6 +448,7 @@ server: # # If you give "" no chroot is performed. The path must not end in a /. # chroot: "@UNBOUND_CHROOT_DIR@" @@ -156,7 +156,7 @@ index d791cf8..af163b2 100644 # if given, user privileges are dropped (after binding port), # and the given username is assumed. Default is user "unbound". -@@ -414,7 +439,7 @@ server: +@@ -435,7 +460,7 @@ server: # is not changed. # If you give a server: directory: dir before include: file statements # then those includes can be relative to the working directory. @@ -165,7 +165,7 @@ index d791cf8..af163b2 100644 # the log file, "" means log to stderr. # Use of this option sets use-syslog to "no". -@@ -429,7 +454,7 @@ server: +@@ -450,7 +475,7 @@ server: # log-identity: "" # print UTC timestamp in ascii to logfile, default is epoch in seconds. @@ -174,7 +174,7 @@ index d791cf8..af163b2 100644 # print one line with time, IP, name, type, class for every query. # log-queries: no -@@ -501,22 +526,22 @@ server: +@@ -522,22 +547,22 @@ server: # harden-large-queries: no # Harden against out of zone rrsets, to avoid spoofing attempts. @@ -201,7 +201,7 @@ index d791cf8..af163b2 100644 # Harden against algorithm downgrade when multiple algorithms are # advertised in the DS record. If no, allows the weakest algorithm -@@ -530,7 +555,7 @@ server: +@@ -551,7 +576,7 @@ server: # Sent minimum amount of information to upstream servers to enhance # privacy. Only sent minimum required labels of the QNAME and set QTYPE # to A when possible. 
@@ -210,7 +210,7 @@ index d791cf8..af163b2 100644 # QNAME minimisation in strict mode. Do not fall-back to sending full # QNAME to potentially broken nameservers. A lot of domains will not be -@@ -540,7 +565,7 @@ server: +@@ -561,7 +586,7 @@ server: # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN # and other denials, using information from previous NXDOMAINs answers. @@ -219,7 +219,7 @@ index d791cf8..af163b2 100644 # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. -@@ -573,7 +598,7 @@ server: +@@ -594,7 +619,7 @@ server: # threshold, a warning is printed and a defensive action is taken, # the cache is cleared to flush potential poison out of it. # A suggested value is 10000000, the default is 0 (turned off). @@ -228,7 +228,7 @@ index d791cf8..af163b2 100644 # Do not query the following addresses. No DNS queries are sent there. # List one address per entry. List classless netblocks with /size, -@@ -585,20 +610,20 @@ server: +@@ -606,20 +631,20 @@ server: # do-not-query-localhost: yes # if yes, perform prefetching of almost expired message cache entries. @@ -254,7 +254,7 @@ index d791cf8..af163b2 100644 # true to disable DNSSEC lameness check in iterator. # disable-dnssec-lame-check: no -@@ -608,7 +633,9 @@ server: +@@ -629,7 +654,9 @@ server: # most modules have to be listed at the beginning of the line, # except cachedb(just before iterator), and python (at the beginning, # or, just before the iterator). @@ -265,7 +265,7 @@ index d791cf8..af163b2 100644 # File with trusted keys, kept uptodate using RFC5011 probes, # initial file like trust-anchor-file, then it stores metadata. -@@ -622,10 +649,10 @@ server: +@@ -643,10 +670,10 @@ server: # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" # trust anchor signaling sends a RFC8145 key tag query after priming. 
@@ -278,7 +278,7 @@ index d791cf8..af163b2 100644 # File with trusted keys for validation. Specify more than one file # with several entries, one file per entry. -@@ -646,6 +673,9 @@ server: +@@ -667,6 +694,9 @@ server: # the trusted-keys { name flag proto algo "key"; }; clauses are read. # you need external update procedures to track changes in keys. # trusted-keys-file: "" @@ -288,7 +288,7 @@ index d791cf8..af163b2 100644 # Ignore chain of trust. Domain is treated as insecure. # domain-insecure: "example.com" -@@ -673,14 +703,15 @@ server: +@@ -694,14 +724,15 @@ server: # unsecure data. Useful to shield the users of this validator from # potential bogus data in the additional section. All unsigned data # in the additional section is removed from secure messages. @@ -306,7 +306,7 @@ index d791cf8..af163b2 100644 # Ignore the CD flag in incoming queries and refuse them bogus data. # Enable it if the only clients of Unbound are legacy servers (w2008) -@@ -694,11 +725,11 @@ server: +@@ -715,11 +746,11 @@ server: # Serve expired responses from cache, with serve-expired-reply-ttl in # the response, and then attempt to fetch the data afresh. @@ -320,7 +320,7 @@ index d791cf8..af163b2 100644 # # Set the TTL of expired records to the serve-expired-ttl value after a # failed attempt to retrieve the record from upstream. This makes sure -@@ -725,7 +756,7 @@ server: +@@ -746,7 +777,7 @@ server: # Have the validator log failed validations for your diagnosis. # 0: off. 1: A line per failed user query. 2: With reason and bad IP. @@ -329,7 +329,7 @@ index d791cf8..af163b2 100644 # It is possible to configure NSEC3 maximum iteration counts per # keysize. Keep this table very short, as linear search is done. -@@ -869,6 +900,8 @@ server: +@@ -890,6 +921,8 @@ server: # you need to do the reverse notation yourself. # local-data-ptr: "192.0.2.3 www.example.com" 
@@ -338,7 +338,7 @@ index d791cf8..af163b2 100644 # tag a localzone with a list of tag names (in "" with spaces between) # local-zone-tag: "example.com" "tag2 tag3" -@@ -879,8 +912,8 @@ server: +@@ -900,8 +933,8 @@ server: # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. # Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. @@ -349,7 +349,7 @@ index d791cf8..af163b2 100644 # tls-port: 853 # https-port: 443 -@@ -888,6 +921,8 @@ server: +@@ -909,6 +942,8 @@ server: # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" # cipher setting for TLSv1.3 # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" @@ -358,7 +358,7 @@ index d791cf8..af163b2 100644 # Pad responses to padded queries received over TLS # pad-responses: yes -@@ -1024,12 +1059,12 @@ server: +@@ -1045,12 +1080,12 @@ server: # cookie-secret: <128 bit random hex string> # Enable to attach Extended DNS Error codes (RFC8914) to responses. @@ -373,7 +373,7 @@ index d791cf8..af163b2 100644 # Specific options for ipsecmod. Unbound needs to be configured with # --enable-ipsecmod for these to take effect. -@@ -1037,12 +1072,14 @@ server: +@@ -1058,12 +1093,14 @@ server: # Enable or disable ipsecmod (it still needs to be defined in # module-config above). Can be used when ipsecmod needs to be # enabled/disabled via remote-control(below). @@ -391,7 +391,7 @@ index d791cf8..af163b2 100644 # When enabled Unbound will reply with SERVFAIL if the return value of # the ipsecmod-hook is not 0. # ipsecmod-strict: no -@@ -1075,7 +1112,7 @@ server: +@@ -1096,7 +1133,7 @@ server: # o and give a python-script to run. python: # Script file to load 
@@ -400,7 +400,7 @@ index d791cf8..af163b2 100644 # Dynamic library config section. To enable: # o use --with-dynlibmodule to configure before compiling. -@@ -1086,13 +1123,14 @@ python: +@@ -1107,13 +1144,14 @@ python: # the module-config then you need one dynlib-file per instance. dynlib: # Script file to load @@ -417,7 +417,7 @@ index d791cf8..af163b2 100644 # what interfaces are listened to for remote control. # give 0.0.0.0 and ::0 to listen to all interfaces. -@@ -1100,6 +1138,7 @@ remote-control: +@@ -1121,6 +1159,7 @@ remote-control: # are not used for that, so key and cert files need not be present. # control-interface: 127.0.0.1 # control-interface: ::1 @@ -425,7 +425,7 @@ index d791cf8..af163b2 100644 # port number for remote control operations. # control-port: 8953 -@@ -1109,16 +1148,19 @@ remote-control: +@@ -1130,16 +1169,19 @@ remote-control: # control-use-cert: "yes" # Unbound server key file. @@ -449,7 +449,7 @@ index d791cf8..af163b2 100644 # Stub zones. # Create entries like below, to make all queries for 'example.com' and -@@ -1140,6 +1182,10 @@ remote-control: +@@ -1161,6 +1203,10 @@ remote-control: # name: "example.org" # stub-host: ns.example.com. @@ -460,7 +460,7 @@ index d791cf8..af163b2 100644 # Forward zones # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of servers. These servers have to handle -@@ -1157,6 +1203,10 @@ remote-control: +@@ -1178,6 +1224,10 @@ remote-control: # forward-zone: # name: "example.org" # forward-host: fwd.example.com @@ -471,7 +471,7 @@ index d791cf8..af163b2 100644 # Authority zones # The data for these zones is kept locally, from a file or downloaded. -@@ -1167,27 +1217,28 @@ remote-control: +@@ -1188,27 +1238,28 @@ remote-control: # download it), primary: fetches with AXFR and IXFR, or url to zonefile. # With allow-notify: you can give additional (apart from primaries and urls) # sources of notifies. 
@@ -521,7 +521,7 @@ index d791cf8..af163b2 100644 # auth-zone: # name: "example.org" # for-downstream: yes -@@ -1213,6 +1264,9 @@ remote-control: +@@ -1234,6 +1285,9 @@ remote-control: # name: "anotherview" # local-zone: "example.com" refuse @@ -531,7 +531,7 @@ index d791cf8..af163b2 100644 # DNSCrypt # To enable, use --enable-dnscrypt to configure before compiling. # Caveats: -@@ -1285,7 +1339,7 @@ remote-control: +@@ -1309,7 +1363,7 @@ remote-control: # dnstap-enable: no # # if set to yes frame streams will be used in bidirectional mode # dnstap-bidirectional: yes diff --git a/unbound.spec b/unbound.spec index 8d421c6..4e13b41 100644 --- a/unbound.spec +++ b/unbound.spec @@ -6,6 +6,8 @@ %bcond_without doh %bcond_with redis +%global forgeurl0 https://github.com/NLnetLabs/unbound +%global downloads https://nlnetlabs.nl/downloads %global _hardened_build 1 #global extra_version rc1 @@ -30,11 +32,12 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.19.3 +Version: 1.20.0 Release: %autorelease %{?extra_version:-e %{extra_version}} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ -Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz +VCS: git:%{forgeurl0} +Source: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz Source1: unbound.service Source3: unbound.munin Source4: unbound_munin_ @@ -50,7 +53,7 @@ Source14: unbound.sysconfig Source15: unbound-anchor.timer Source16: unbound-munin.README Source17: unbound-anchor.service -Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc +Source18: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc # source: https://nlnetlabs.nl/people/ Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key Source20: unbound.sysusers From efd39ce86171e8c6cc142ad47a623c4cc4252d92 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 3 Oct 2024 21:24:40 +0200 Subject: [PATCH 7/9] Update to 1.21.1 (rbhz#2316313) https://github.com/NLnetLabs/unbound/releases/tag/release-1.21.1 A vulnerability has been discovered in Unbound when handling replies with very large RRsets that Unbound needs to perform name compression for. --- .gitignore | 2 + Yorgos.asc | 128 +++++++++++++++++++++++++++++++++++++++++++++++++++ sources | 4 +- unbound.spec | 5 +- 4 files changed, 135 insertions(+), 4 deletions(-) create mode 100644 Yorgos.asc diff --git a/.gitignore b/.gitignore index 2ad282d..5ff0acf 100644 --- a/.gitignore +++ b/.gitignore @@ -89,3 +89,5 @@ unbound-1.4.5.tar.gz /unbound-1.19.3.tar.gz.asc /unbound-1.20.0.tar.gz /unbound-1.20.0.tar.gz.asc +/unbound-1.21.1.tar.gz +/unbound-1.21.1.tar.gz.asc diff --git a/Yorgos.asc b/Yorgos.asc new file mode 100644 index 0000000..e18ec55 --- /dev/null +++ b/Yorgos.asc 
@@ -0,0 +1,128 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFfYHeYBEAC/8SdeXNspt9ZIoZRSL9juNLHA17TXcHdKSthgWBtwwWZbUPq8 +SJr7Y+hr6jMCDKY9800QzLF0nLkyXnZgaBcvR0rRbCT/qvALJ0fpfjcotapZ1hBv +omb9s8Bo28uKn8tbTMXYNsElUae4Ch/CrU1vfe50YoyQgLR8UBa15gV+2RmC+6jI +qxDYS8sylWlDn6Qim+77feLlObPnNdzgfWGZo14eJByTsz0qrh8aS/BS1FAsnEQ6 +W6AqukhpuKuWvoAUXKjfguXQolxeexubmKaLcGOTvecw+cbh/a5SPHRtRVr9qTxp +elk6UEpakY5K9UtZkrG55VWih/4KqY9bNyhJBtpAk1fXA+mYfx5BcFpECYdU9kz4 +UgV5jK0HYRHQTLC91PPVQgH86we+Aae6TaJneCLEIzBK36TgAP8RKrvFfPUym5OP +YbWOom27QTKfRVcyxPKglJxrTSWixnKWS/pqxNY8hF9Ne4crRAF4wX2yBVbGnjNr +S9TpYmjMwURbuYm+rWZk/8w5OJG60V3wax56c0jn/42O3Y2hzQ+PbOv2M4UuuajS +2YL3/KUsRLBapUpPQjzChwzdr/vzFEhk9XxK2VGMN+dh2HjYwDFendc5csyt/cVr +g3LssVS2bKy5g3IhrzCKAk0Sky4S5t/mcN+lWztNvCijuLz58GCym5GwJQARAQAB +tCtZb3Jnb3MgVGhlc3NhbG9uaWtlZnMgPHlvcmdvc0BubG5ldGxhYnMubmw+iQJX +BBMBCABBAhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAhkBFiEElI60IyLF0At5 +NA9dz/M0TZCHpJAFAmbz0CwFCRD85cYACgkQz/M0TZCHpJBVnhAAkcd79Twxj/tt +C4q2Xpq75+Ew6YR9gLqYiV5vEd6fu0oyhuVoUlfTkjH4ALIoGIKaO9yAVUXsrGrs +n1aJPo1Mw3q6mIwtQOxXz/W44LuFzcvZkHtCYX4YyLrUHXZPvl+r4eYkTOcyyQMU +BmbuvWhufv8MBilvWltQLxfLlgihbfuIrxqjAYDhqCffpgUiZyCut2rrenIgeh1f +DvC+GjZ3cfb1UsIpzm19yr4NCiTHkLkCOAAcAUFwWWeO/jfUsSvFQEHUnYNRREzI +Lth9NlKwPtsOVi+wcNnWQtFQb11BMr407xBib7hLSIFiqvOiYgQABjZdWN+snCRP +ZZSruigjE9ateOloJwmBqrSJLAywxvDE0ivqfSj51W5eJc/JLSXvjrOuW28dJCr8 +RV9PjC9X7zuTiFLzV8SVH71Z43Rix8n7AOp3wgRe3SygEyQXPj4qbm5HHVsx9GEA +zn495L99dJ4wZgjkbEsGhzwUx7N9FHEGS/sz3LiEq+ZYckR6gzTMMrQJgbsS9lnK +9xlXsp37uIYvx9W9JZXtS+AZhw0q3osMYBF68HPX8B9GBYlkQWmWSIMfzRYcD2n1 +5+XsfERK4mxcTWl2sCYpt8Sy3tADj9nQDabAlGUd/hlFS1dvDVQjGh6ER5S0nZjY +nmRsLl8nOTKhb2xY+2p1sDjxxQYJJQe0K0dlb3JnZSBUaGVzc2Fsb25pa2VmcyA8 +Z2VvcmdlQG5sbmV0bGFicy5ubD6JAlQEEwEIAD4CGyMFCwkIBwIGFQgJCgsCBBYC +AwECHgECF4AWIQSUjrQjIsXQC3k0D13P8zRNkIekkAUCZvPQPQUJEPzlxgAKCRDP +8zRNkIekkFfCEACheY1yr2Z+LPjm/Nd2eA4CFFO7nUQHI+a6lYBd57txrRuIicuG +pGjOhnvcioRwICiKNLJD3YTU+WOd+sbO7BXH2sw2KdU9NK1ojKX/SQiTg6upfJsu 
+gbgar2oPvR88B7oSiuonZnhEf72HfWKDSBXHpi6KC6S3JZ+o50NB3GBpwUL1lfKW +ovymYbN6tYQfqw/+AP5jUUNpkclC0RbcW69rpvrHHqeQV1AVKkm/jNQpWLKYTGF7 +bbdLkgMh3rHp8gmF0/GuK+oyL7xD+TEXfr3iqlDIVuxbxDN8xTti1RrERU/MWQar +qOSFZcr4t+nlwThJidDLF/u3h0Ymrjz92VTfCgELIwCKxGX7jAyLZHzuWAp+0Pr/ +yuHodbweGNcGVoXmIpK93/WZcfFlBcyQLECVcijmxd7Euk0xDk76RQpuuL5VOWqn +aZcf2uNfppwKFZJjcXwK+EQbwN7+RFNvLrwoRn/1xM57T5AYBAgSvKb6h0G5KwW6 +tJfJdSu1MHfCZS1hH1Gr4+UG+VbLCVmQ9N/lUs0bcD7pK+bA1W0YnsIVuaQ+YZUh +KrJoCUF0kVDtW9ETZkp0iVBm1Q9xgTGaxUTVmctOyAbdCLyHNra4fo1BAdGlu+IP +qAcktaBUKFxWxRxf9O5kGihce9anK8CJ/TCnQ7wSvyYrlAoBoQaS78VzYYkBHAQS +AQIABgUCV9kUOAAKCRAwkY2CdXJCIju1B/oCvf1kWYndNeLS6U2O6DtFAL2Ia5tY +Zukcyqb1hkYcrBiMZbQN94gX5a+6Q4pdd2n241r1ZuSWdwUhRUbF4mvbZMVsavnk +cvrRGviVIUXf71W0O/IsmQ9oN0Finhpf14Y4z/xqF8DpvJdkWc6X5g+RJuko6q2w +B7x2UfSyF4USp47LSmUQnC59IF8jzaElgBha3gwEuXL3d2qBepoV/e9RiXJClUAT ++O7qdxzDq1eiZ+NXUjDCmrkuWjHLAZAv0jx1KUTCQ2no62UM95igtJ+Kn56Lc2+J +CqFJztaZeX8CgXXryxNpsyhZJ33dIoLCT03K25wrV5Y+eag05slQ9sC3iQI9BBMB +CAAnBQJX2RCwAhsjBQkFo5qABQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAAoJEM/z +NE2Qh6SQ3JUP/2G3bRNObS7zsfN3rjkbjLxaDOwNggRdbeXM5rHDVEG9SWesCGaI +vyQdkSGQoIaKUgNv7Yp8O8pEnD4IwdhNSaXVIB3pBtdOD0UM1wuxRpfqJOUxZEoW +T2Jr31Tg2qepp6nT7UmdiF7uCBDy8Jm6k6Q+6UT58cPaesRQdSPi6Go7ho2/xVvK +Ve9ufSTSTdG5+7bJDu6Iv7sydKUEG4jPDqo+jjVLn1X6Rfp+E4JAvOvFrSJHW5sa +A332xV40GeV+aM1ndP7dPkz8+AGB3QD7JF2DLcqvLo0TYOvjnlOGYcNp8gzp23g9 +KFwe2sdbdtVpuWaJUSpXXiUZnFzrrVxDNiEBjqsPa5ysOxzJ+1gUbcrIjUeNeAFh +us4XL+IidPATnhTIX3X/uPRB87KaTaA8XUqsuSd2DM9mLxdHKC9Jf8D1t+ywYrek +Cp+K80vCtFPWBM4+w8nGugTNKJEGIXZDGFOF/c7r6xKkaOYK0Y+IGJawlV5LaADl +BmQpPk0ubYclwb07FcegaHSxxIqUo/kbyt1YV5mU+QVymZ+xyvIBrnW8hBuNWRvU +5acnIZibCERayo8ZuI+r/X3bLHfDx0oh2h+cL3utNZUqmgZNR0Di8P+x0hUYsYPO +TJaDBSgvxUtY0Ci+OWX38kffGGvhW3CM8V6skdVc8cp7Db7gxase4BxxtC5HZW9y +Z2UgVGhlc3NhbG9uaWtlZnMgPGdlb3JnZUBvcGVubmV0bGFicy5jb20+iQJUBBMB +CAA+AhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEElI60IyLF0At5NA9dz/M0 +TZCHpJAFAmbz0D0FCRD85cYACgkQz/M0TZCHpJBnFw/8CRLGJnNAP43mBniIP5R1 
+/10i4xG5s1Ka/y5C3aRgZUNaGMPLF8VmrC26HTPNhmduhn3j9gnBuSHgRAJUWs2K +o1q0A2/O5fFJvqPyEUl30gG8qkzFl5UGRUr7VNtBa6VpI7g78d3P4/H8THB0tYZ3 +GZv980QXwTE11aXjvPQu4e8sMOR1OVEEH+6hW1T0SvEKAMV1BHwuZAmC6HTfx5e7 +iGNWu/dwJsmwzqcAkuTTSqlmzZdIjZWJDL8pfnschkVilC3pEpEk5ExSkt/onOD2 +WCAKJUiPR6gRI2H6fE0PF8iG9isisvNhQ3MrWUIKS+1WOotoG7Bu7ob46viJKQuN +9t7KBqjdftjJHjmVop3mfX0UUEDPjkZXK5R/aUspXi4IGdM+9JijqxveicQegOhM +LcE8039Z0AaXn9IA0kQB05A4a+CEnoPL7qe+fIBJM5hZDrpMe4fAAGxiQzbRpdkZ +CrXmT+CRkhc/BvUJ5yoE1q++9Fw9eyMbPOak6GLckCIPy+Mqi4z+ZXNCtcPs3Qbc +/7AY8qyswRsD2t5bbe4g+fLEt9IsN3UvKFUKnQ88jcn9Zmps69msMDm9jEj/qo+j +QCriLLu8E1ZwhedNVOQN89w4Zww/BUyEnL4hng8Tw+RTV8Jtq5EvAleW5sZsnTzA +zn1ysZUyO/Pu7Br2jnGRAQyJARwEEgECAAYFAlfZFDwACgkQMJGNgnVyQiIHjAf/ +VrPMgIRjRTYi4cxOr5ewaim1hgJZO1oCJoMopwIvpZ2kAUqL/uPMT3wREe5bi79H +jXYcaX+RbrV4ZdzaajDUFCj867KGErxqtRkANJ1eNLcQmVwGNoFeTQbgEOBfKq1t +hRfMqHF3fxCPJp4z4U3kBPUpIQPERjgUdkH8fxZ34Omo1SLO1b0dVqsneezccBVv +Hj7gVoaWw65Ov7vngwNCKH3fjOkcoINTH/nEw4WWh6UV5ZN49GRqa6oWdUJMZbgB +w8z357RLN6YLe7KMh4oGpUIvfH6Vfq6CIb6s9pfgjAvq8O7p9n0/0FG77j84MuGw +fdhq8eSazO/j9LUCBM+8k4kCPQQTAQgAJwUCV9kQiwIbIwUJBaOagAULCQgHAgYV +CAkKCwIEFgIDAQIeAQIXgAAKCRDP8zRNkIekkN9pD/wI8JAyjJEIjUJNLRuARDDv +pJrQjAo/02naPcGs4yyUd7yRkhzVKLFLvif8XICxxLWk6FdT0PJeKGTvRoe2+Rje +c14rO30niRymWkBi36iDW46Dpt7Jx+LUDhUMYPL+woKSoHmbBGWLSYXKxaD8F93A +nVs97nP4PWpspv2BFiuwKGsSsOyyQPPvr7jCin3H5oPH9qDnIV0KonAYbzzEKod5 +t0Rgzo/nWXZBFXWC5xvKeghwkdT++gYS/ThvQY2ua6A1XRE8BntyldD081NPi3NO +dWa9m8ufFOJsEEiWcpdT+EWoDw5JyGAR7U3IOVl3BTo7shdcYEvRVrDMBpac+ItG +WvogUv7alBdHWi48amvZE06RI/nDJ/rxj13S/4POgMHU++aQI5a1G5H3jBu4cehH +4iT1UKmozfzVEfcHb2dsaKnnuFzQxmol0lZu1ETyof+Lxvs+wErN0QR+VDNweJEJ +PMXiEcjASdLtrEKgFSP2B5yGGzt93C+HbD+VQOU359aAnvVjbTAVz8izuMphd6Bz +Ix1q//q2VmxqjjT3Iv30hBRX02x2M8gsP/e49XWEll7stkMtbYhBU0sHQ2CqzLGh +gJN3ecpi2sKWVqN8HUZOwJFj6f9ZX76YSM23wIugHfscMAVJUXvBrbd151WIshOf +FFPo62sYGt+SEMXWeRcHjbQuWW9yZ29zIFRoZXNzYWxvbmlrZWZzIDx5b3Jnb3NA +b3Blbm5ldGxhYnMuY29tPokCVAQTAQgAPgIbIwULCQgHAgYVCAkKCwIEFgIDAQIe 
+AQIXgBYhBJSOtCMixdALeTQPXc/zNE2Qh6SQBQJm89A9BQkQ/OXGAAoJEM/zNE2Q +h6SQOf4QAIp5fEn+vVOqDuLrv8Li61UDVPE3v5b9ocPR7OMENeFpRH7K2p8xFkAM +f6JeS2ehbIjyUS8iGc+mZOalvZynJdOiHtys5r4lZanm1Rl+mWXb+nHGE/Oi4gQ3 +aEF/AwolbKi9oNXAiCtA3hmaI6FYWtAh5XOnyMG140dhlXMWzvN1ZAWXWioS33Fp +n9Z7xOsyG2Bmky69JjUQPD119noD4pEFtCipciiACVNdHGfI8QDT/8pMAxv/Q7tW ++7gyFztT1XvKONWyCfHjf1x60JQNPPM31x3xUVRz/sK+GyLq6VLiydvSZeUX3CzM +4bHixKKkSyvsX+bc9K/iLrXwZFhRdrRbpVQFpsdxv48mN5WsDlpN17KgMCyNiMDV +0VagYjZC5AurOo2mmS7PKAYGILaq3YwQ3nXYiuWfdXVW6EXtw/vdFOjFU6ppbaA3 +1+xyMDOLSGLr7f+gdZvlEc+5MX1F3mHpmuKN7clUju/HEOdVq1Bbla7BplPgqCaH +ZYCg/VHNt7ue7MYeEgTJ8OGgUDRNPa3PdU3YHRCuwJH1UzinD39K8R9/g9qiGJbC +87//1FGZp9lhIE5tja6F5pJ5GwJK9zC0iGj2NrwBvTKhuyF6W3ZQc2voYQn+gIq4 +sfbned7qpvpjLcMgIv/y82iVm2EtKtKYl982aA9S53pHqjV27kieuQINBFfYHeYB +EAC2h9yjSe2SgtcB0H+E0ndaewaZaQCE7q+RO43dotGH9eFnVwE4/ftcK1SN42ih +lF5OnTaKPyXvgQ6U8W8VB8eLjeTwA/dSXuJX7kJpEK8saPqJP6zTUmPqp/GSzS6Y +rhKLfpFn4chmywpDFcGNMz0sYXiJgPqKL7W0KuG+ziPToAeWl8ckeXyl77/lHVhW +YylaQJEASklqCViPXSp9vI7/57UEm4MQPXwsDBOwuVVqcSu3ZM5MtY9XlbVPNCYm +ZIMqmh8HgYwbiq9dTfJi+6v17+uDQGZewWK/WwFM+9dDx7YkTeOBiUduYtJPW64N +W/RJ7pskbLAy+OZApTZWg0cISN6GOmPN3F0AiWzUjvSMREHhFHyxj4Y15vuDOFvP +GFxr4xBiyMX1JLCKK6OFnyPfoJ9v/o3UgrQgLrfXCmKdvkwBCgJvN3Fsxzha6Dtf +6RcZ02fr7SCZZhdBrlrflvC1uWZ0g3A87ss7h4Iw3njlO3aX6Bo9R4VOLUkiRKi4 +hmQBxPvXxI2ERmKRomo6lrMaDMzIjD4APSM1vUfZguzQxVYpM8lwy1COeqxsj5p+ +LH6f/EU+4dXZwooJ1uanBOvG2ntnz8SErE+e7wNYE4a/fb8xYM4j7p6qYtnNZPb8 +sj8bvx8iWXp4A1csVetyVSchBhTVQhhNos6ouYpc4ibrYwARAQABiQI8BBgBCAAm +AhsMFiEElI60IyLF0At5NA9dz/M0TZCHpJAFAmbz0dUFCRD8528ACgkQz/M0TZCH +pJA7hg/7Bh0jb7nrp2EuU4BWK55VG+3zbrye/NdDy6eo3sVVOOO1r+jBMoJK3m1A +GWUx40ogZjRn8GMtJfxkL6wsep2P775smm7x1TH6s2dgreTj9J66gitKEgxF0tjo +JztmGJ8YKSGE4wKi37KvvSqCm1ecA8akBzJVo0B8/GtXpg+y/q3/KSY1ujW7Ihu3 +60JXT1FRXOiYfrzUKIBm8/UVnv7guPudaJf0eU4btoy4Ywzn1UXyi8BdxPIQrQDR +tt69ffcjX8BIEloK7FURLre/LhbVxlssdWYIEFQhIlb+nghZlUbWHf0Ue3L0SFFS +xV5otzQL2WjJKtCnTpSopSUmwYyT7wyAL1RokOemXL47WOfiLjiGuS+K/4lT7VHS 
+fdLsYinS0LYr5dmhc05s//kLyQ0OSKNh3SNAN+lM/klLE/pFwM4mo56C+seNEvCm +sT53VPOOwp6JwsLKSqm8pu1fbVjT6laMc9BPi6KUjN/f7ZahCXNXOrA2uLnTlxw/ +ns1sOXSWZDWciZeL3kJeUQER5YZ59hzLYWAiJ+5KblWRlBMXb71FUp0Mh9V3dA5O +BX3IlcF54qE50chGzLnfQf1YLuh13xxxc2WsdMZjiCj8CVDMkD6ekShfQK8nyQsK +SJgdXcnw1CxcAVvsROtecUiD+DWrJcYExjSZ+zcI4+aRhp7uNt8= +=iknu +-----END PGP PUBLIC KEY BLOCK----- diff --git a/sources b/sources index 5a055a7..efb1f71 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (unbound-1.20.0.tar.gz) = 2f6bc76c03b71ca1c2cd2331dc72d62f51493d15e17c59af46b400e542fcabff22e6b9d33f750a3e5f918a0116f45afa760651b2d5aa2feadac151cbbd71b0bd -SHA512 (unbound-1.20.0.tar.gz.asc) = 1586a320077c606c5c19f251615df54a61854f51acca02df1d391dcc2287aff2c641b009aeee1a98392f63719d70b6bac23ebb7d86b780f8a27cda6e114fc0ad +SHA512 (unbound-1.21.1.tar.gz) = 82be3faf5e4f9531342008105f5ab2ecc22a56faab1ef5c86420d85ef48443e5dac3455dbc654178a927e34ca4067c7655443f91a250b87945a63e9ba5f74ba7 +SHA512 (unbound-1.21.1.tar.gz.asc) = 5bb3961c210aefb20f91eb96f7d3980324e30cb2307c6c1187f016cacafcade7adcd95855faedfebc2c91464fd6c095511322364357c5b72525fc8e61c0ad248 diff --git a/unbound.spec b/unbound.spec index 4e13b41..9327d01 100644 --- a/unbound.spec +++ b/unbound.spec @@ -32,7 +32,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.20.0 +Version: 1.21.1 Release: %autorelease %{?extra_version:-e %{extra_version}} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ @@ -57,6 +57,7 @@ Source18: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc # source: https://nlnetlabs.nl/people/ Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key Source20: unbound.sysusers +Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc # Downstream configuration changes Patch1: unbound-fedora-config.patch 
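Review bot: `Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc` becomes the trust root for release verification, but unlike Source19 it carries no provenance comment, so a later refresh of Yorgos.asc cannot be checked against anything pinned in the spec. Add the owner and fingerprint next to it, e.g. `# Release signing key, shipped as Yorgos.asc; fingerprint <FINGERPRINT — fill in from the committed file>`. Source21 is skipped between Source20 and Source22; if that number is reserved, a short comment would save the next reader from wondering.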
@@ -188,7 +189,7 @@ Python 3 modules and extensions for unbound %prep %if 0%{?fedora} -%{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}' +%{gpgverify} --keyring='%{SOURCE22}' --signature='%{SOURCE18}' --data='%{SOURCE0}' %endif %global pkgname %{name}-%{version}%{?extra_version} From abd0f8d7d219ca65dc6b5aa189ccd201b07a3fb8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Wed, 25 Sep 2024 13:29:49 +0200 Subject: [PATCH 8/9] Enable native dynamic modules Support modules similar to python modules, but implemented in native code. --- unbound.spec | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index 9327d01..e679ddc 100644 --- a/unbound.spec +++ b/unbound.spec @@ -244,7 +244,8 @@ cp -a %{dir_primary} %{dir_secondary} --with-rootkey-file=%{_sharedstatedir}/%{name}/root.key \\\ --with-username=unbound \\\ --enable-linux-ip-local-port-range \\\ - + --with-dynlibmodule \\\ +# pushd %{dir_primary} From aa0a8e2e152d9f5d0ebe6e742c55e330fee401c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Wed, 25 Sep 2024 14:18:27 +0200 Subject: [PATCH 9/9] Remove additional subdirectory for python3 build Python2 builds are not common anymore. Make basic unbound directory for primary build in normal default directory. Try subdirectory only for alternative secondary build, if enabled. --- unbound-fedora-config.patch | 42 +++++++++++++++++++------------------ unbound.spec | 25 +++------------------- 2 files changed, 25 insertions(+), 42 deletions(-) diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch index 7a66564..2a745e7 100644 --- a/unbound-fedora-config.patch +++ b/unbound-fedora-config.patch @@ -1,4 +1,4 @@ -From 79506679335ef1e02a960ccc7cfeda19348f5619 Mon Sep 17 00:00:00 2001 +From 71cbef33920b3b5704be7eab399da506ab51cde1 Mon Sep 17 00:00:00 2001 
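Review bot: Switching `--keyring='%{SOURCE19}'` to `--keyring='%{SOURCE22}'` makes the key in Yorgos.asc the only accepted signer, while Source19 stays in the spec without being consulted, so a tarball still signed with the earlier key now fails %prep and the unused Source line misleads. Either drop Source19 in the same commit or verify against both, e.g. `cat %{SOURCE19} %{SOURCE22} > signing-keys.asc` followed by `%{gpgverify} --keyring='signing-keys.asc' --signature='%{SOURCE18}' --data='%{SOURCE0}'`, if the gpgverify helper accepts a concatenated armored keyring. The surrounding `%if 0%{?fedora}` also means non-Fedora builds never run this check and rely on the SHA512 in `sources` alone; that is presumably deliberate, but a one-line comment on the `%if` stating why would document the reduced guarantee.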
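Review bot: `--with-dynlibmodule \\\` is added without any note that it makes the `dynlib:` / `dynlib-file:` section of unbound.conf load a native shared library into the resolver process, a larger trust step than the existing Python module option; a comment above it such as `# dynlib-file: in unbound.conf loads native code into unbound; keep such paths root-owned` would record that for the next packager. The new `+#` line looks like it exists only to terminate the `\\\` continuation that the last option now leaves open; if so, say that rather than leaving a bare `#`, e.g. `# (intentionally empty: ends the multi-line %global above)`. The macro definition this hunk extends begins outside the hunk.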
From: Petr Mensik Date: Fri, 10 Nov 2023 12:58:31 +0100 Subject: [PATCH] Customize unbound.conf for Fedora defaults @@ -7,13 +7,13 @@ Set some Fedora/RHEL specific changes to example configuration file. By patching upstream provided config file we would not need to manually update external copy in source RPM. --- - unbound-1.20.0/doc/example.conf.in | 194 ++++++++++++++++++----------- - 1 file changed, 124 insertions(+), 70 deletions(-) + doc/example.conf.in | 196 ++++++++++++++++++++++++++++---------------- + 1 file changed, 126 insertions(+), 70 deletions(-) -diff --git a/unbound-1.20.0/doc/example.conf.in b/unbound-1.20.0/doc/example.conf.in -index 0368c8d..9ece701 100644 ---- a/unbound-1.20.0/doc/example.conf.in -+++ b/unbound-1.20.0/doc/example.conf.in +diff --git a/doc/example.conf.in b/doc/example.conf.in +index 130cb4e..7174d81 100644 +--- a/doc/example.conf.in ++++ b/doc/example.conf.in @@ -17,11 +17,12 @@ server: # whitespace is not necessary, but looks cleaner. 
@@ -358,22 +358,24 @@ index 0368c8d..9ece701 100644 # Pad responses to padded queries received over TLS # pad-responses: yes -@@ -1045,12 +1080,12 @@ server: - # cookie-secret: <128 bit random hex string> +@@ -1050,12 +1085,14 @@ server: + # cookie-secret-file: "/usr/local/etc/unbound_cookiesecrets.txt" # Enable to attach Extended DNS Error codes (RFC8914) to responses. - # ede: no ++ # Fedora defaults to yes. + ede: yes # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale # Answer as EDNS0 option to expired responses. # Note that the ede option above needs to be enabled for this to work. - # ede-serve-expired: no ++ # Fedora defaults to yes. + ede-serve-expired: yes # Specific options for ipsecmod. Unbound needs to be configured with # --enable-ipsecmod for these to take effect. -@@ -1058,12 +1093,14 @@ server: +@@ -1063,12 +1100,14 @@ server: # Enable or disable ipsecmod (it still needs to be defined in # module-config above). Can be used when ipsecmod needs to be # enabled/disabled via remote-control(below). @@ -391,7 +393,7 @@ index 0368c8d..9ece701 100644 # When enabled Unbound will reply with SERVFAIL if the return value of # the ipsecmod-hook is not 0. # ipsecmod-strict: no -@@ -1096,7 +1133,7 @@ server: +@@ -1101,7 +1140,7 @@ server: # o and give a python-script to run. python: # Script file to load @@ -400,7 +402,7 @@ index 0368c8d..9ece701 100644 # Dynamic library config section. To enable: # o use --with-dynlibmodule to configure before compiling. -@@ -1107,13 +1144,14 @@ python: +@@ -1112,13 +1151,14 @@ python: # the module-config then you need one dynlib-file per instance. dynlib: # Script file to load 
@@ -417,7 +419,7 @@ index 0368c8d..9ece701 100644 # what interfaces are listened to for remote control. # give 0.0.0.0 and ::0 to listen to all interfaces. -@@ -1121,6 +1159,7 @@ remote-control: +@@ -1126,6 +1166,7 @@ remote-control: # are not used for that, so key and cert files need not be present. # control-interface: 127.0.0.1 # control-interface: ::1 @@ -425,7 +427,7 @@ index 0368c8d..9ece701 100644 # port number for remote control operations. # control-port: 8953 -@@ -1130,16 +1169,19 @@ remote-control: +@@ -1135,16 +1176,19 @@ remote-control: # control-use-cert: "yes" # Unbound server key file. @@ -449,7 +451,7 @@ index 0368c8d..9ece701 100644 # Stub zones. # Create entries like below, to make all queries for 'example.com' and -@@ -1161,6 +1203,10 @@ remote-control: +@@ -1166,6 +1210,10 @@ remote-control: # name: "example.org" # stub-host: ns.example.com. @@ -460,7 +462,7 @@ index 0368c8d..9ece701 100644 # Forward zones # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of servers. These servers have to handle -@@ -1178,6 +1224,10 @@ remote-control: +@@ -1183,6 +1231,10 @@ remote-control: # forward-zone: # name: "example.org" # forward-host: fwd.example.com @@ -471,7 +473,7 @@ index 0368c8d..9ece701 100644 # Authority zones # The data for these zones is kept locally, from a file or downloaded. -@@ -1188,27 +1238,28 @@ remote-control: +@@ -1193,27 +1245,28 @@ remote-control: # download it), primary: fetches with AXFR and IXFR, or url to zonefile. # With allow-notify: you can give additional (apart from primaries and urls) # sources of notifies. @@ -521,7 +523,7 @@ index 0368c8d..9ece701 100644 # auth-zone: # name: "example.org" # for-downstream: yes -@@ -1234,6 +1285,9 @@ remote-control: +@@ -1239,6 +1292,9 @@ remote-control: # name: "anotherview" # local-zone: "example.com" refuse 
@@ -531,7 +533,7 @@ index 0368c8d..9ece701 100644 # DNSCrypt # To enable, use --enable-dnscrypt to configure before compiling. # Caveats: -@@ -1309,7 +1363,7 @@ remote-control: +@@ -1314,7 +1370,7 @@ remote-control: # dnstap-enable: no # # if set to yes frame streams will be used in bidirectional mode # dnstap-bidirectional: yes @@ -541,5 +543,5 @@ index 0368c8d..9ece701 100644 # # set it to "IPaddress[@port]" of the destination. # dnstap-ip: "" -- -2.44.0 +2.46.0 diff --git a/unbound.spec b/unbound.spec index e679ddc..3e95770 100644 --- a/unbound.spec +++ b/unbound.spec @@ -194,25 +194,18 @@ Python 3 modules and extensions for unbound %global pkgname %{name}-%{version}%{?extra_version} %if 0%{with_python2} && 0%{with_python3} -%global dir_primary %{pkgname}_python3 %global python_primary %{__python3} %global dir_secondary %{pkgname}_python2 %global python_secondary %{__python2} -%else -%global dir_primary %{pkgname} %endif -%autosetup -c -N -n %{pkgname} +%autosetup -N -n %{pkgname} -pushd %{pkgname} # patches go here -%autopatch -p2 - +%autopatch -p1 # only for snapshots # autoreconf -iv -# copy common doc files - after here, since it may be patched -cp -pr doc pythonmod libunbound ../ %if 0%{?rhel} > 8 # SHA-1 breaks some tests. Disable just some tests because of that. @@ -222,11 +215,9 @@ cp -pr doc pythonmod libunbound ../ mv testdata/${TEST}.rpl{,-disabled} done %endif -popd %if 0%{with_python2} && 0%{with_python3} -mv %{pkgname} %{dir_primary} -cp -a %{dir_primary} %{dir_secondary} + cp -a . %{dir_secondary} %endif %build @@ -247,7 +238,6 @@ cp -a %{dir_primary} %{dir_secondary} --with-dynlibmodule \\\ # -pushd %{dir_primary} %configure \ %if 0%{?python_primary:1} @@ -274,8 +264,6 @@ pushd %{dir_primary} %make_build %make_build streamtcp -popd - %if 0%{?python_secondary:1} pushd %{dir_secondary} %configure \ 
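Review bot: Switching `%autopatch -p2` to `%autopatch -p1` while dropping `-c` from `%autosetup` changes the directory depth every patch in this package must be written for: paths now have to be `a/doc/…` rather than `a/<srcdir>/doc/…`. Any patch file still carrying the extra top-level component will stop applying, so this hunk should only land together with regenerated patches (the rebased conf patch earlier in this diff suggests that was done, but its inner `diff --git` header is not in view). A one-line comment next to the macro, `# patches are applied from inside %{pkgname}, so they must be -p1`, would save the next rebase.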
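Review bot: `+ cp -a . %{dir_secondary}` copies the source tree into a directory that lies inside that same tree, because after `%autosetup -N -n %{pkgname}` the shell is already in the source directory and `%{dir_secondary}` is a relative name; GNU cp refuses to copy a directory into itself, so the `%if 0%{with_python2} && 0%{with_python3}` branch would fail in %prep whenever it is enabled (presumably it is off on current targets, which is why this goes unnoticed). The removed lines avoided this because `-c` kept the build in a parent directory and the copy targeted a sibling. If the python2 build is kept, copy to a sibling, `cp -a . ../%{dir_secondary}`, and make the later `pushd %{dir_secondary}` lines in %build, %install and %check use the same `../` path; otherwise remove the dead branch. The added line is also indented by one space, unlike every other command in the hunk.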
@@ -303,11 +291,9 @@ pushd %{dir_secondary} popd %endif -pushd %{dir_primary} %make_install unbound-event-install install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp install -p -m 0755 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf -popd install -d -m 0755 %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service @@ -328,11 +314,9 @@ for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unboun done %endif -pushd %{dir_primary} # install streamtcp man page install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1 install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc -popd # Install tmpfiles.d config install -d -m 0755 %{buildroot}%{_tmpfilesdir} %{buildroot}%{_sharedstatedir}/unbound @@ -403,15 +387,12 @@ fi %systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer %check -pushd %{dir_primary} #pushd pythonmod #make test #popd make check -popd - %if 0%{?python_secondary:1} pushd %{dir_secondary} #pushd pythonmod
