diff --git a/.gitignore b/.gitignore
index 3476ae7..864e509 100644
--- a/.gitignore
+++ b/.gitignore
@@ -75,3 +75,5 @@ unbound-1.4.5.tar.gz
 /unbound-1.16.2.tar.gz.asc
 /unbound-1.16.3.tar.gz
 /unbound-1.16.3.tar.gz.asc
+/unbound-1.17.1.tar.gz
+/unbound-1.17.1.tar.gz.asc
diff --git a/sources b/sources
index c6e4d53..d6e9a7b 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (unbound-1.16.3.tar.gz) = ef5cda926dd1082a750615d8687bccd756869c66e9f24f984fda4c6613f94f3e4884db328b8d7b490777a75d3e616dcb61c5258e7777923c0590e6fabacd207c
-SHA512 (unbound-1.16.3.tar.gz.asc) = b106f080d877e479d944a7ebe24a380f4c40c38308733f43f8a60d4e7aedc6597e6daa4a1428f596e705c9c75e6ee7b4187dbbc5750a9c406f59d76d4f1b4a8d
+SHA512 (unbound-1.17.1.tar.gz) = 10dd4c3aff77f1c0d19eb3c66956ed6ef1aae19e827d0b3259dc75d9de28dedd41862982a299e67ee07e17fb52058b4beee9d4b1d3bb0a3f633b9ba5b864d168
+SHA512 (unbound-1.17.1.tar.gz.asc) = d663c2ebf9ba4420eb6cd351378d646ac4c9e88bd69913dc1c862a326e98329496a901c86b857f2c157c0401a289ff91e5ac83911477cb9894156c6d959b2b80
diff --git a/unbound.conf b/unbound.conf
index 2d7d6a7..73d35a5 100644
--- a/unbound.conf
+++ b/unbound.conf
@@ -41,6 +41,11 @@ server:
  # Needs to be enabled for munin plugin
  extended-statistics: yes
+ # Inhibits selected extended statistics (qtype, qclass, qopcode, rcode,
+ # rpz-actions) from printing if their value is 0.
+ # Default on.
+ # statistics-inhibit-zero: yes
+
  # number of threads to create. 1 disables threading.
  num-threads: 4
@@ -148,7 +153,7 @@ server:
  # ip-dscp: 0
  # EDNS reassembly buffer to advertise to UDP peers (the actual buffer
- # is set with msg-buffer-size). 1472 can solve fragmentation (timeouts)
+ # is set with msg-buffer-size).
  # edns-buffer-size: 1232
  # Maximum UDP response size (not applied to TCP response).
@@ -189,6 +194,15 @@ server:
  # a throwaway response (also timeouts) is received.
  # outbound-msg-retry: 5
+ # Hard limit on the number of outgoing queries Unbound will make while
+ # resolving a name, making sure large NS sets do not loop.
+ # It resets on query restarts (e.g., CNAME) and referrals.
+ # max-sent-count: 32
+
+ # Hard limit on the number of times Unbound is allowed to restart a
+ # query upon encountering a CNAME record.
+ # max-query-restarts: 11
+
  # msec for waiting for an unknown server to reply. Increase if you
  # are behind a slow satellite link, to eg. 1128.
  # unknown-server-time-limit: 376
@@ -234,7 +248,8 @@ server:
  # the maximum number of hosts that are cached (roundtrip, EDNS, lame).
  # infra-cache-numhosts: 10000
- # define a number of tags here, use with local-zone, access-control.
+ # define a number of tags here, use with local-zone, access-control,
+ # interface-*.
  # repeat the define-tag statement to add additional tags.
  # define-tag: "tag1 tag2 tag3"
@@ -277,7 +292,9 @@ server:
  # Timeout for EDNS TCP keepalive, in msec.
  # edns-tcp-keepalive-timeout: 120000
- # Fedora note: do not activate this - can cause a crash
+ # Fedora note: do not activate this - not compiled in because
+ # it causes frequent unbound crashes. Also, socket activation
+ # is bad when you have things like dnsmasq also running with libvirt.
  # Use systemd socket activation for UDP, TCP, and control sockets.
  # use-systemd: no
@@ -293,9 +310,7 @@ server:
  # allow_snoop (recursive and nonrecursive ok)
  # deny_non_local (drop queries unless can be answered from local-data)
  # refuse_non_local (like deny_non_local but polite error reply).
- # access-control: 0.0.0.0/0 refuse
  # access-control: 127.0.0.0/8 allow
- # access-control: ::0/0 refuse
  # access-control: ::1 allow
  # access-control: ::ffff:127.0.0.1 allow
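Review bot: Removing the two commented `refuse` examples (`0.0.0.0/0 refuse` and `::0/0 refuse`) leaves the sample access-control list allow-only, so a reader copying it no longer sees that unlisted addresses are refused. They were presumably dropped as redundant because unbound.conf(5) documents refuse as the built-in default with only localhost allowed, but the sample is what most admins read instead of the man page. Consider a one-line comment in their place, e.g. `# addresses not listed here are refused by default; only localhost is allowed`. The access-control block continues outside the hunk.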
@@ -539,6 +554,8 @@ server:
  # most modules have to be listed at the beginning of the line,
  # except cachedb(just before iterator), and python (at the beginning,
  # or, just before the iterator).
+ # For redis cachedb use:
+ # "ipsecmod validator cachedb iterator"
  module-config: "ipsecmod validator iterator"
  # File with trusted keys, kept uptodate using RFC5011 probes,
@@ -546,7 +563,8 @@ server:
  # Use several entries, one per domain name, to track multiple zones.
  #
  # If you want to perform DNSSEC validation, run unbound-anchor before
- # you start Unbound (i.e. in the system boot scripts). And enable:
+ # you start Unbound (i.e. in the system boot scripts).
+ # And then enable the auto-trust-anchor-file config item.
  # Please note usage of unbound-anchor root anchor is at your own risk
  # and under the terms of our LICENSE (see that file in the source).
  # auto-trust-anchor-file: "/var/lib/unbound/root.key"
diff --git a/unbound.spec b/unbound.spec
index c710788..1404424 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -4,6 +4,7 @@
 %bcond_without dnstap
 %bcond_with systemd
 %bcond_without doh
+%bcond_with redis
 %global _hardened_build 1
@@ -29,7 +30,7 @@
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.16.3
+Version: 1.17.1
 Release: 1%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://nlnetlabs.nl/projects/unbound/
@@ -53,6 +54,7 @@ Source17: unbound-anchor.service
 Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
 # source: https://nlnetlabs.nl/people/
 Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
+Source20: unbound.sysusers
 BuildRequires: gcc, make
@@ -77,6 +79,9 @@ BuildRequires: systemd-devel
 %if %{with doh}
 BuildRequires: libnghttp2-devel
 %endif
+%if %{with redis}
+BuildRequires: redis-devel
+%endif
 %if 0%{?fedora} >= 30
 BuildRequires: systemd-rpm-macros
 %else
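Review bot: The added example `"ipsecmod validator cachedb iterator"` only works when Unbound is built with cachedb, and this same diff makes that build optional and off by default (`%bcond_with redis`, with `--enable-cachedb` only under `%if %{with redis}` in the spec), so the stock Fedora binary will presumably reject that module-config at config load. Say so beside the example, e.g. `# (requires a build with the redis bcond; the default package has no cachedb module)`. The module-config block continues outside the hunk.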
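Review bot: `BuildRequires: redis-devel` under `%if %{with redis}` is unlikely to satisfy the `--with-libhiredis` that the configure hunk (@@ -239) passes under the same condition: that option links the hiredis client library, whose headers ship in Fedora's hiredis-devel, while redis-devel carries the server's module headers. Verify against Unbound's configure check and change the line to `BuildRequires: hiredis-devel` if it is the hiredis header that is probed; the configure hunk itself needs no change. The `%bcond_with redis` that gates both is in the first spec hunk of this file.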
@@ -92,6 +97,7 @@ Requires: %{name}-anchor%{?_isa} = %{version}-%{release}
 Recommends: %{name}-utils%{?_isa} = %{version}-%{release}
 # unbound-keygen.service requires it, bug #2116790
 Requires: openssl
+Requires(pre): systemd-sysusers
 %description
 Unbound is a validating, recursive, and caching DNS(SEC) resolver.
@@ -179,7 +185,7 @@ Python 3 modules and extensions for unbound
 %prep
 %if 0%{?fedora}
-%gpgverify -k 19 -s 18 -d 0
+%{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}'
 %endif
 %global pkgname %{name}-%{version}%{?extra_version}
@@ -223,7 +229,8 @@ cp -a %{dir_primary} %{dir_secondary}
  --with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\
  --enable-sha2 --disable-gost --enable-ecdsa \\\
  --with-rootkey-file=%{_sharedstatedir}/unbound/root.key \\\
- --enable-linux-ip-local-port-range
+ --enable-linux-ip-local-port-range \\\
+
 pushd %{dir_primary}
@@ -239,6 +246,10 @@ pushd %{dir_primary}
 %endif
 %if %{with doh}
  --with-libnghttp2 \
+%endif
+%if %{with redis}
+ --with-libhiredis \
+ --enable-cachedb \
 %endif
 %{configure_args}
@@ -287,6 +298,7 @@ install -p -m 0644 %{SOURCE17} %{buildroot}%{_unitdir}/unbound-anchor.service
 install -p -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound
 install -p -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/unbound
 install -p -m 0644 %{SOURCE14} %{buildroot}%{_sysconfdir}/sysconfig/unbound
+install -p -D -m 0644 %{SOURCE20} %{buildroot}%{_sysusersdir}/%{name}.sysusers
 %if %{with_munin}
 # Install munin plugin and its softlinks
 install -d -m 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d
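Review bot: `Requires(pre): systemd-sysusers` is attached to the main package's preamble (it sits before `%description`), but the scriptlet that needs it, `%pre libs` calling `%sysusers_create_compat %{SOURCE20}` in a later hunk, runs from the libs subpackage, which can be installed without the main package and is the one whose %files section owns `%{_sharedstatedir}/%{name}` as user unbound. Move the `Requires(pre)` into the libs subpackage's preamble, which is outside this hunk. If `%sysusers_create_compat` expands to a getent/useradd shell scriptlet, as its name suggests, the runtime need is shadow-utils rather than a systemd binary, so check the macro's expansion before settling on the dependency name.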
@@ -338,18 +350,15 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
-%pre anchor
-getent group unbound >/dev/null || groupadd -r unbound
-getent passwd unbound >/dev/null || \
-useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \
--c "Unbound DNS resolver" unbound
+%pre libs
+%sysusers_create_compat %{SOURCE20}
 %post
 %systemd_post unbound.service
 %systemd_post unbound-keygen.service
 %post anchor
-%systemd_post unbound-anchor.timer
+%systemd_post unbound-anchor.service unbound-anchor.timer
 # start the timer only if installing the package to prevent starting it, if it was stopped on purpose
 if [ "$1" -eq 1 ]; then
 # the Unit is in presets, but would be started after reboot
@@ -361,14 +370,14 @@ fi
 %systemd_preun unbound-keygen.service
 %preun anchor
-%systemd_preun unbound-anchor.timer
+%systemd_preun unbound-anchor.service unbound-anchor.timer
 %postun
 %systemd_postun_with_restart unbound.service
 %systemd_postun unbound-keygen.service
-%postun libs
-%systemd_postun_with_restart unbound-anchor.timer
+%postun anchor
+%systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer
 %check
 pushd %{dir_primary}
@@ -449,7 +458,8 @@ popd
 %doc doc/README
 %license doc/LICENSE
 %attr(0755,root,root) %dir %{_sysconfdir}/%{name}
-%{_libdir}/libunbound.so.*
+%{_sysusersdir}/%{name}.sysusers
+%{_libdir}/libunbound.so.8*
 %dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
 %attr(0644,unbound,unbound) %config %{_sharedstatedir}/%{name}/root.key
 # just left for backwards compat with user changed unbound.conf files - format is different!
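Review bot: Replacing the `useradd -d %{_sysconfdir}/unbound` scriptlet with `%sysusers_create_compat %{SOURCE20}` silently changes the unbound user's home directory: the new unbound.sysusers line sets `/var/lib/unbound`, while the removed useradd used `/etc/unbound`. Installs that already have the user will presumably keep the old home while fresh installs get the new one, so anything resolving `~unbound` or the user's working directory behaves differently between the two; if the move is intended, document it in a comment above `%pre libs` (e.g. `# user home is now /var/lib/unbound; installs created before sysusers keep /etc/unbound`), otherwise keep `/etc/unbound` in the sysusers line. The sysusers file also hardcodes both paths where the old scriptlet used `%{_sysconfdir}`, which is expected for a file installed verbatim but worth stating next to `Source20`.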
@@ -471,6 +481,17 @@ popd
 %{_mandir}/man1/unbound-*
 %changelog
+* Fri Jan 13 2023 Paul Wouters - 1.16.3-3
+- Move unbound user creation to libs (#2149036)
+- Use systemd-sysusers for user creation (#2105416)
+
+* Wed Oct 05 2022 Petr Menšík - 1.16.3-2
+- Correct issues made by unbound-anchor package split (#2110858)
+
 * Fri Sep 23 2022 Petr Menšík - 1.16.3-1
 - Update to 1.16.3 (#2128638)
@@ -482,18 +503,12 @@ popd
 - Require openssl tool for unbound-keygen (#2116790)
 * Wed Aug 03 2022 Petr Menšík - 1.16.2-1
-- Update to 1.16.2 (#2105947) for CVE-2022-30698 and CVE-2022-30699
+- Update to 1.16.2 (#2105947)
-* Sat Jul 23 2022 Fedora Release Engineering - 1.16.0-7
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-
-* Mon Jun 27 2022 Petr Menšík - 1.16.0-6
+* Mon Jun 27 2022 Petr Menšík - 1.16.0-5
 - Move unbound-anchor to separate package
 - Move unbound-host and unbound-streamtcp to unbound-utils package
-* Mon Jun 13 2022 Python Maint - 1.16.0-5
-- Rebuilt for Python 3.11
-
 * Tue Jun 07 2022 Petr Menšík - 1.16.0-4
 - Restart keygen service before every unbound start
diff --git a/unbound.sysusers b/unbound.sysusers
new file mode 100644
index 0000000..6614682
--- /dev/null
+++ b/unbound.sysusers
@@ -0,0 +1 @@
+u unbound - "Unbound DNS resolver" /var/lib/unbound /sbin/nologin