From c34b09dbeb715fad70f7b2a069dc1d311b098eb5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Mon, 27 Jun 2022 12:00:02 +0200 Subject: [PATCH 01/10] Move unbound-anchor to separate package It has the service and requires unbound user created. Make it separate, because some users of unbound-libs might not want or need anchor maintenance. Make it also easier to add custom options to unbound-anchor running from the service. Do not start timer from unbound.service, start instead unbound-anchor service before starting unbound. It would ensure root anchor is in the place. Run it from single place from both timer and unbound service. --- unbound-anchor.service | 3 ++- unbound.service | 4 ++-- unbound.spec | 38 ++++++++++++++++++++++++++------------ unbound.sysconfig | 6 +++++- 4 files changed, 35 insertions(+), 16 deletions(-) diff --git a/unbound-anchor.service b/unbound-anchor.service index cd949e5..59683c8 100644 --- a/unbound-anchor.service +++ b/unbound-anchor.service @@ -5,5 +5,6 @@ Documentation=man:unbound-anchor(8) [Service] Type=oneshot User=unbound -ExecStart=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R +EnvironmentFile=-/etc/sysconfig/unbound +ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi' SuccessExitStatus=1 diff --git a/unbound.service b/unbound.service index c59ffbf..ffaf783 100644 --- a/unbound.service +++ b/unbound.service @@ -3,7 +3,8 @@ Description=Unbound recursive Domain Name Server After=network-online.target After=unbound-keygen.service Wants=unbound-keygen.service -Wants=unbound-anchor.timer +After=unbound-anchor.service +Wants=unbound-anchor.service Before=nss-lookup.target Wants=nss-lookup.target 
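Review bot: The rewritten `ExecStart` now runs as a standalone unit that unbound.service merely `Wants=`, and this hunk starts below the `[Unit]` section, so it is not visible whether unbound-anchor.service carries `After=network-online.target`; the old `ExecStartPre` got that ordering for free by living inside unbound.service. Without it the RFC 5011 probe can fire before the network is up, exit non-zero, and unbound will start on whatever root.key is already on disk, because `Wants=` does not block on failure. If the `[Unit]` section lacks it, add `After=network-online.target` and `Wants=network-online.target`. Dropping `-a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem` also means the key and certificate paths now come from unbound-anchor's compiled-in defaults; the spec's `--with-rootkey-file` covers the key, so a comment such as `# -a/-c intentionally omitted: compiled-in defaults match the packaged paths` would stop the next reader from re-adding them.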
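Review bot: Replacing `Wants=unbound-anchor.timer` with `Wants=unbound-anchor.service` means unbound.service no longer pulls in the periodic refresh; after this change the timer runs only if the preset or `%post` enabled it, and a host where it was disabled or never preset gets an anchor probe only when unbound starts. Unbound keeps root.key current itself while running when `auto-trust-anchor-file` is configured, so the remaining gap is mainly other libunbound consumers and long stopped periods, but that trade-off should be stated in the commit message or the timer kept as well: `Wants=unbound-anchor.timer`. It is also worth a one-line comment that `After=unbound-anchor.service` with `Wants=` deliberately lets unbound start even when the anchor run fails, since that is the availability choice being made here.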
@@ -11,7 +12,6 @@ Wants=nss-lookup.target Type=simple EnvironmentFile=-/etc/sysconfig/unbound ExecStartPre=/usr/sbin/unbound-checkconf -ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_UNBOUND_ANCHOR" == "yes" ]; then /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R; else echo "Updates of root keys with unbound-anchor is disabled"; fi' ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS ExecReload=/usr/sbin/unbound-control reload diff --git a/unbound.spec b/unbound.spec index 6627b48..337db4c 100644 --- a/unbound.spec +++ b/unbound.spec @@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.16.0 -Release: 4%{?extra_version:.%{extra_version}}%{?dist} +Release: 5%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -88,6 +88,7 @@ BuildRequires: systemd # Needed because /usr/sbin/unbound links unbound libs staticly Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-anchor%{?_isa} = %{version}-%{release} %description Unbound is a validating, recursive, and caching DNS(SEC) resolver. 
@@ -121,14 +122,22 @@ The devel package contains the unbound library and the include files %package libs Summary: Libraries used by the unbound server and client applications -Requires(pre): shadow-utils +Recommends: %{name}-anchor %if ! 0%{with_python2} # Make explicit conflict with no longer provided python package Obsoletes: python2-unbound < 1.9.3 %endif %description libs -Contains libraries used by the unbound server and client applications +Contains libraries used by the unbound server and client applications. + +%package anchor +Requires(pre): shadow-utils +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Summary: DNSSEC trust anchor maintaining tool + +%description anchor +Contains tool maintaining trust anchor using RFC 5011 key rollover algorithm. %if 0%{with_python2} %package -n python2-unbound @@ -317,7 +326,7 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/ echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8 -%pre libs +%pre anchor getent group unbound >/dev/null || groupadd -r unbound getent passwd unbound >/dev/null || \ useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \ @@ -327,7 +336,7 @@ useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \ %systemd_post unbound.service %systemd_post unbound-keygen.service -%post libs +%post anchor %systemd_post unbound-anchor.timer # start the timer only if installing the package to prevent starting it, if it was stopped on purpose if [ "$1" -eq 1 ]; then @@ -339,7 +348,7 @@ fi %systemd_preun unbound.service %systemd_preun unbound-keygen.service -%preun libs +%preun anchor %systemd_preun unbound-anchor.timer %postun 
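Review bot: Moving the account creation to `%pre anchor` while `unbound-libs` still ships `%dir %attr(0755,unbound,unbound) /var/lib/unbound` and `%attr(0644,unbound,unbound) root.key` (the `%files libs` hunk later in this patch) means a libs-only install, which is allowed because libs merely `Recommends:` anchor, lays those paths down before any `unbound` account exists and rpm falls back to root ownership with a warning. The `%pre` has to stay in the lowest package that owns unbound-owned files, i.e. libs; patch 06 of this series moves it back for #2149036, so the split should have kept it there from the start. The same hunk set also leaves `%postun libs` with `%systemd_postun_with_restart unbound-anchor.timer` behind in libs after the timer moved to anchor, which patch 05 later corrects.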
@@ -376,7 +385,6 @@ popd %attr(0755,unbound,unbound) %dir %{_rundir}/%{name} %attr(0644,root,root) %{_tmpfilesdir}/unbound.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf -%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name} %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d %attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d/*.key %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/conf.d @@ -432,20 +440,26 @@ popd %doc doc/README %license doc/LICENSE %attr(0755,root,root) %dir %{_sysconfdir}/%{name} -%{_sbindir}/unbound-anchor %{_libdir}/libunbound.so.* +%dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name} +%attr(0644,unbound,unbound) %config %{_sharedstatedir}/%{name}/root.key +# just left for backwards compat with user changed unbound.conf files - format is different! +%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key + +%files anchor +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name} +%{_sbindir}/unbound-anchor %{_mandir}/man8/unbound-anchor* # icannbundle and root.key(s) should be replaced from package # intentionally not using noreplace %config %{_sysconfdir}/%{name}/icannbundle.pem %{_unitdir}/unbound-anchor.timer %{_unitdir}/unbound-anchor.service -%dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name} -%attr(0644,unbound,unbound) %config %{_sharedstatedir}/%{name}/root.key -# just left for backwards compat with user changed unbound.conf files - format is different! -%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Mon Jun 27 2022 Petr Menšík - 1.16.0-5 +- Move unbound-anchor to separate package + * Tue Jun 07 2022 Petr Menšík - 1.16.0-4 - Restart keygen service before every unbound start diff --git a/unbound.sysconfig b/unbound.sysconfig index fae3306..adcf8fd 100644 --- a/unbound.sysconfig +++ b/unbound.sysconfig 
@@ -1,3 +1,7 @@ -# for extra debug, add "-v -v" or change verbosity: in unbound.conf +# uncomment following line to skip anchor refresh before unbound start +#DISABLE_UNBOUND_ANCHOR=yes +# Better way is systemctl mask unbound-anchor.service +UNBOUND_ANCHOR_OPTIONS="-f /etc/resolv.conf -R" +# for extra debug, add "-v -v" or change verbosity: in unbound.conf UNBOUND_OPTIONS="" From aa40efb56e4f1ccdfdaa29914ee362c50d627200 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Mon, 27 Jun 2022 13:53:54 +0200 Subject: [PATCH 02/10] Move host and streamtcp utilities to separate package They do not require unbound in any sense. They can work with just unbound-libs and therefore should be installable independently of main bigger daemon. --- unbound.spec | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/unbound.spec b/unbound.spec index 337db4c..322a85f 100644 --- a/unbound.spec +++ b/unbound.spec @@ -89,6 +89,7 @@ BuildRequires: systemd # Needed because /usr/sbin/unbound links unbound libs staticly Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-anchor%{?_isa} = %{version}-%{release} +Recommends: %{name}-utils%{?_isa} = %{version}-%{release} %description Unbound is a validating, recursive, and caching DNS(SEC) resolver. @@ -139,6 +140,15 @@ Summary: DNSSEC trust anchor maintaining tool %description anchor Contains tool maintaining trust anchor using RFC 5011 key rollover algorithm. +%package utils +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Summary: Unbound DNS lookup utilities + +%description utils +Contains tools for making DNS queries. Can make queries to DNS servers +also over TLS connection or validate DNSSEC signatures. Similar to +bind-utils. + %if 0%{with_python2} %package -n python2-unbound %{?python_provide:%python_provide python2-unbound} 
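Review bot: `UNBOUND_ANCHOR_OPTIONS="-f /etc/resolv.conf -R"` silently relies on unbound-anchor's compiled-in defaults for the anchor file and the ICANN certificate bundle, whereas the removed `ExecStartPre` passed `-a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem` explicitly; the spec's `--with-rootkey-file=%{_sharedstatedir}/unbound/root.key` pins `-a`, but nothing in this series pins `-c`, so an admin editing this file cannot tell which paths are in effect. Add a comment above the line, e.g. `# -a (root.key) and -c (icannbundle.pem) are compiled-in defaults; add them only to override`. The `DISABLE_UNBOUND_ANCHOR` comment should also explain why masking is preferred: unbound.service now starts unbound-anchor.service via `Wants=`, and the variable is honoured only by the service's own bash wrapper, not by systemd.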
@@ -399,9 +409,6 @@ popd %{_sbindir}/unbound-checkconf %{_sbindir}/unbound-control %{_sbindir}/unbound-control-setup -%{_sbindir}/unbound-host -%{_sbindir}/unbound-streamtcp -%{_mandir}/man1/* %{_mandir}/man5/* %exclude %{_mandir}/man8/unbound-anchor* %{_mandir}/man8/* @@ -456,9 +463,15 @@ popd %{_unitdir}/unbound-anchor.timer %{_unitdir}/unbound-anchor.service +%files utils +%{_sbindir}/unbound-host +%{_sbindir}/unbound-streamtcp +%{_mandir}/man1/unbound-* + %changelog * Mon Jun 27 2022 Petr Menšík - 1.16.0-5 - Move unbound-anchor to separate package +- Move unbound-host and unbound-streamtcp to unbound-utils package * Tue Jun 07 2022 Petr Menšík - 1.16.0-4 - Restart keygen service before every unbound start From f216966e35c5c19513648b7da49bafc4c5dfa19c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Wed, 3 Aug 2022 20:12:34 +0200 Subject: [PATCH 03/10] Update to 0.16.2 (#2105947) https://nlnetlabs.nl/projects/unbound/download/#unbound-1-16-2 --- .gitignore | 2 ++ sources | 4 ++-- unbound.spec | 7 +++++-- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 3b9ae64..7bd5a0c 100644 --- a/.gitignore +++ b/.gitignore @@ -71,3 +71,5 @@ unbound-1.4.5.tar.gz /unbound-1.15.0.tar.gz.asc /unbound-1.16.0.tar.gz /unbound-1.16.0.tar.gz.asc +/unbound-1.16.2.tar.gz +/unbound-1.16.2.tar.gz.asc diff --git a/sources b/sources index 1586e1f..abff2db 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (unbound-1.16.0.tar.gz) = 134679c0baad6738541295fcfbf8cc701c647b5d5cd00f87e50394bc7b5b74b7326ed2fc42f3282cae8094b4980c1e580d7b748b7151642c9060c449b644715f -SHA512 (unbound-1.16.0.tar.gz.asc) = 1b7640df051bf9f37e261c4e7fa3b3343982f608c529553985eeb9444688ba9e751f45ad666ab13b783beff24806eef14e9833090a4aea249e1fa5023e3c0432 +SHA512 (unbound-1.16.2.tar.gz) = 0ea65ea63265be677441bd2a28df12098ec5e86c3372240c2874f9bd13752b8b818da81ae6076cf02cbeba3d36e397698a4c2b50570be1a6a8e47f57a0251572 +SHA512 (unbound-1.16.2.tar.gz.asc) = bc5241c86f90be76886209c81d6f1c025d4774fa00d114180b99d43999f31b1b4c8d123717b8a79a60bc3acfcbe9f46678b80b3d961431c7bfd05ff48c69ef4f diff --git a/unbound.spec b/unbound.spec index 322a85f..137e36e 100644 --- a/unbound.spec +++ b/unbound.spec @@ -29,8 +29,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.16.0 -Release: 5%{?extra_version:.%{extra_version}}%{?dist} +Version: 1.16.2 +Release: 1%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -469,6 +469,9 @@ popd %{_mandir}/man1/unbound-* %changelog +* Wed Aug 03 2022 Petr Menšík - 1.16.2-1 +- Update to 1.16.2 (#2105947) + * Mon Jun 27 2022 Petr Menšík - 1.16.0-5 - Move unbound-anchor to separate package - Move unbound-host and unbound-streamtcp to unbound-utils package From d93dc48524bfc2f87f7e5b0b45a4e18674ea3990 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 9 Aug 2022 12:11:15 +0200 Subject: [PATCH 04/10] Require openssl tool for unbound-keygen (#2116790) --- unbound.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index 137e36e..dd281a1 100644 --- a/unbound.spec +++ b/unbound.spec 
@@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.16.2 -Release: 1%{?extra_version:.%{extra_version}}%{?dist} +Release: 2%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -90,6 +90,8 @@ BuildRequires: systemd Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-anchor%{?_isa} = %{version}-%{release} Recommends: %{name}-utils%{?_isa} = %{version}-%{release} +# unbound-keygen.service requires it, bug #2116790 +Requires: openssl %description Unbound is a validating, recursive, and caching DNS(SEC) resolver. @@ -469,6 +471,9 @@ popd %{_mandir}/man1/unbound-* %changelog +* Tue Aug 09 2022 Petr Menšík - 1.16.2-2 +- Require openssl tool for unbound-keygen (#2116790) + * Wed Aug 03 2022 Petr Menšík - 1.16.2-1 - Update to 1.16.2 (#2105947) From 9028655fcb0c321ddc65f502bb1085e6aec1388d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 11 Oct 2022 11:34:09 +0200 Subject: [PATCH 05/10] Correct issues made by unbound-anchor package split Resolves: rhbz#2110858 --- unbound.spec | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/unbound.spec b/unbound.spec index 9f6e106..d8f50a3 100644 --- a/unbound.spec +++ b/unbound.spec @@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.16.3 -Release: 1%{?extra_version:.%{extra_version}}%{?dist} +Release: 2%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz 
@@ -349,7 +349,7 @@ useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \ %systemd_post unbound-keygen.service %post anchor -%systemd_post unbound-anchor.timer +%systemd_post unbound-anchor.service unbound-anchor.timer # start the timer only if installing the package to prevent starting it, if it was stopped on purpose if [ "$1" -eq 1 ]; then # the Unit is in presets, but would be started after reboot @@ -361,14 +361,14 @@ fi %systemd_preun unbound-keygen.service %preun anchor -%systemd_preun unbound-anchor.timer +%systemd_preun unbound-anchor.service unbound-anchor.timer %postun %systemd_postun_with_restart unbound.service %systemd_postun unbound-keygen.service -%postun libs -%systemd_postun_with_restart unbound-anchor.timer +%postun anchor +%systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer %check pushd %{dir_primary} @@ -471,6 +471,9 @@ popd %{_mandir}/man1/unbound-* %changelog +* Wed Oct 05 2022 Petr Menšík - 1.16.3-2 +- Correct issues made by unbound-anchor package split (#2110858) + * Fri Sep 23 2022 Petr Menšík - 1.16.3-1 - Update to 1.16.3 (#2128638) From d33f09f8070b153c21e68806de8c5b074aa6d5b3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 1 Dec 2022 17:05:37 +0100 Subject: [PATCH 06/10] Move unbound user creation to libs (#2149036) libs contains also few key anchor owned by unbound user. It needs to be created also for unbound-libs, which is required by all other packages. --- unbound.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/unbound.spec b/unbound.spec index d8f50a3..199cda8 100644 --- a/unbound.spec +++ b/unbound.spec 
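Review bot: `%systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer` asks for a restart of a `Type=oneshot` unit on every package upgrade, which re-runs the network-facing anchor fetch inside the rpm transaction instead of on the timer's schedule; restart semantics are only meaningful for the timer here. Keep the service registered but not restarted: `%systemd_postun unbound-anchor.service` followed by `%systemd_postun_with_restart unbound-anchor.timer`.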
@@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.16.3 -Release: 2%{?extra_version:.%{extra_version}}%{?dist} +Release: 3%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -338,7 +338,7 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/ echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8 -%pre anchor +%pre libs getent group unbound >/dev/null || groupadd -r unbound getent passwd unbound >/dev/null || \ useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \ @@ -471,6 +471,9 @@ popd %{_mandir}/man1/unbound-* %changelog +* Thu Dec 01 2022 Petr Menšík - 1.16.3-3 +- Move unbound user creation to libs (#2149036) + * Wed Oct 05 2022 Petr Menšík - 1.16.3-2 - Correct issues made by unbound-anchor package split (#2110858) From 15298cce69eb6cd620a196f915758dca2645d11d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 1 Dec 2022 17:30:31 +0100 Subject: [PATCH 07/10] Use systemd-sysusers for user creation (#2105416) --- unbound.spec | 12 +++++++----- unbound.sysusers | 1 + 2 files changed, 8 insertions(+), 5 deletions(-) create mode 100644 unbound.sysusers diff --git a/unbound.spec b/unbound.spec index 199cda8..53e61f6 100644 --- a/unbound.spec +++ b/unbound.spec @@ -53,6 +53,7 @@ Source17: unbound-anchor.service Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc # source: https://nlnetlabs.nl/people/ Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key +Source20: unbound.sysusers BuildRequires: gcc, make 
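Review bot: With the scriptlet moved to `%pre libs`, the `groupadd`/`useradd` calls now run from a subpackage that declares no `Requires(pre): shadow-utils`; that dependency was moved to the anchor subpackage by patch 01 and is not touched here, so a libs install on a minimal image can reach the scriptlet before shadow-utils is present. Move `Requires(pre): shadow-utils` from `%package anchor` into `%package libs` in the same commit (that block is outside this hunk).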
@@ -92,6 +93,7 @@ Requires: %{name}-anchor%{?_isa} = %{version}-%{release} Recommends: %{name}-utils%{?_isa} = %{version}-%{release} # unbound-keygen.service requires it, bug #2116790 Requires: openssl +Requires(pre): systemd-sysusers %description Unbound is a validating, recursive, and caching DNS(SEC) resolver. @@ -287,6 +289,7 @@ install -p -m 0644 %{SOURCE17} %{buildroot}%{_unitdir}/unbound-anchor.service install -p -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound install -p -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/unbound install -p -m 0644 %{SOURCE14} %{buildroot}%{_sysconfdir}/sysconfig/unbound +install -p -D -m 0644 %{SOURCE20} %{buildroot}%{_sysusersdir}/%{name}.sysusers %if %{with_munin} # Install munin plugin and its softlinks install -d -m 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d @@ -339,10 +342,7 @@ echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control %pre libs -getent group unbound >/dev/null || groupadd -r unbound -getent passwd unbound >/dev/null || \ -useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \ --c "Unbound DNS resolver" unbound +%sysusers_create_compat %{SOURCE20} %post %systemd_post unbound.service @@ -449,7 +449,8 @@ popd %doc doc/README %license doc/LICENSE %attr(0755,root,root) %dir %{_sysconfdir}/%{name} -%{_libdir}/libunbound.so.* +%{_sysusersdir}/%{name}.sysusers +%{_libdir}/libunbound.so.8* %dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name} %attr(0644,unbound,unbound) %config %{_sharedstatedir}/%{name}/root.key # just left for backwards compat with user changed unbound.conf files - format is different! @@ -473,6 +474,7 @@ popd %changelog * Thu Dec 01 2022 Petr Menšík - 1.16.3-3 - Move unbound user creation to libs (#2149036) +- Use systemd-sysusers for user creation (#2105416) * Wed Oct 05 2022 Petr Menšík - 1.16.3-2 - Correct issues made by unbound-anchor package split (#2110858) 
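Review bot: `Requires(pre): systemd-sysusers` is added under the main `unbound` package, but the scriptlet that needs it is `%pre libs`, so the ordering guarantee is attached to the wrong subpackage; libs can be installed, and its `%pre` run, without unbound present at all. Put the `Requires(pre)` on `%package libs`, and check what `%sysusers_create_compat` actually expands to — on Fedora it commonly generates `getent`/`groupadd`/`useradd` calls, in which case `Requires(pre): shadow-utils` on libs is the dependency that matters and the `Requires(pre): shadow-utils` still sitting on the anchor subpackage (from patch 01, not in this hunk) is the line to move rather than add to. Pinning `%{_libdir}/libunbound.so.8*` is a good catch for unnoticed soname bumps.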
diff --git a/unbound.sysusers b/unbound.sysusers new file mode 100644 index 0000000..6614682 --- /dev/null +++ b/unbound.sysusers @@ -0,0 +1 @@ +u unbound - "Unbound DNS resolver" /var/lib/unbound /sbin/nologin From 67a6486567092d6d1bbede0e70d94fd6f1051afc Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Fri, 13 Jan 2023 19:17:50 -0500 Subject: [PATCH 08/10] update to 1.17.1 - Resolved rhbz#2160397 unbound-1.17.1 is available (bugfix release) - Add support for building with redis - update unbound.conf --- unbound.conf | 30 ++++++++++++++++++++++++------ unbound.spec | 19 ++++++++++++++++--- 2 files changed, 40 insertions(+), 9 deletions(-) diff --git a/unbound.conf b/unbound.conf index 2d7d6a7..73d35a5 100644 --- a/unbound.conf +++ b/unbound.conf @@ -41,6 +41,11 @@ server: # Needs to be enabled for munin plugin extended-statistics: yes + # Inhibits selected extended statistics (qtype, qclass, qopcode, rcode, + # rpz-actions) from printing if their value is 0. + # Default on. + # statistics-inhibit-zero: yes + # number of threads to create. 1 disables threading. num-threads: 4 @@ -148,7 +153,7 @@ server: # ip-dscp: 0 # EDNS reassembly buffer to advertise to UDP peers (the actual buffer - # is set with msg-buffer-size). 1472 can solve fragmentation (timeouts) + # is set with msg-buffer-size). # edns-buffer-size: 1232 # Maximum UDP response size (not applied to TCP response). 
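Review bot: The new sysusers line sets the home directory to `/var/lib/unbound`, whereas the `useradd` it replaces (removed in the unbound.spec hunk of this patch) used `-d %{_sysconfdir}/unbound`, i.e. `/etc/unbound`; existing accounts are untouched, but fresh installs now get a different, unbound-writable home without any mention in the changelog. If the change is intentional, say so in the 1.16.3-3 changelog entry; otherwise keep `/etc/unbound` to preserve the old behaviour.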
@@ -189,6 +194,15 @@ server: # a throwaway response (also timeouts) is received. # outbound-msg-retry: 5 + # Hard limit on the number of outgoing queries Unbound will make while + # resolving a name, making sure large NS sets do not loop. + # It resets on query restarts (e.g., CNAME) and referrals. + # max-sent-count: 32 + + # Hard limit on the number of times Unbound is allowed to restart a + # query upon encountering a CNAME record. + # max-query-restarts: 11 + # msec for waiting for an unknown server to reply. Increase if you # are behind a slow satellite link, to eg. 1128. # unknown-server-time-limit: 376 @@ -234,7 +248,8 @@ server: # the maximum number of hosts that are cached (roundtrip, EDNS, lame). # infra-cache-numhosts: 10000 - # define a number of tags here, use with local-zone, access-control. + # define a number of tags here, use with local-zone, access-control, + # interface-*. # repeat the define-tag statement to add additional tags. # define-tag: "tag1 tag2 tag3" @@ -277,7 +292,9 @@ server: # Timeout for EDNS TCP keepalive, in msec. # edns-tcp-keepalive-timeout: 120000 - # Fedora note: do not activate this - can cause a crash + # Fedora note: do not activate this - not compiled in because + # it causes frequent unbound crashes. Also, socket activation + # is bad when you have things like dnsmasq also running with libvirt. # Use systemd socket activation for UDP, TCP, and control sockets. # use-systemd: no @@ -293,9 +310,7 @@ server: # allow_snoop (recursive and nonrecursive ok) # deny_non_local (drop queries unless can be answered from local-data) # refuse_non_local (like deny_non_local but polite error reply). - # access-control: 0.0.0.0/0 refuse # access-control: 127.0.0.0/8 allow - # access-control: ::0/0 refuse # access-control: ::1 allow # access-control: ::ffff:127.0.0.1 allow 
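Review bot: Deleting the commented `access-control: 0.0.0.0/0 refuse` and `::0/0 refuse` examples removes the only visible hint of the catch-all policy, so a reader of the remaining `allow` examples may assume nothing is refused unless listed; unbound.conf(5) documents that only localhost is allowed and the rest refused by default, but the file should now say so itself. Add a comment in their place, e.g. `# Anything not matched below is refused by default; only localhost is allowed.` This is documentation only — the removed lines were comments, so runtime behaviour is unchanged.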
@@ -539,6 +554,8 @@ server: # most modules have to be listed at the beginning of the line, # except cachedb(just before iterator), and python (at the beginning, # or, just before the iterator). + # For redis cachedb use: + # "ipsecmod validator cachedb iterator" module-config: "ipsecmod validator iterator" # File with trusted keys, kept uptodate using RFC5011 probes, @@ -546,7 +563,8 @@ server: # Use several entries, one per domain name, to track multiple zones. # # If you want to perform DNSSEC validation, run unbound-anchor before - # you start Unbound (i.e. in the system boot scripts). And enable: + # you start Unbound (i.e. in the system boot scripts). + # And then enable the auto-trust-anchor-file config item. # Please note usage of unbound-anchor root anchor is at your own risk # and under the terms of our LICENSE (see that file in the source). # auto-trust-anchor-file: "/var/lib/unbound/root.key" diff --git a/unbound.spec b/unbound.spec index 53e61f6..07e2c24 100644 --- a/unbound.spec +++ b/unbound.spec @@ -4,6 +4,7 @@ %bcond_without dnstap %bcond_with systemd %bcond_without doh +%bcond_with redis %global _hardened_build 1 @@ -29,8 +30,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.16.3 -Release: 3%{?extra_version:.%{extra_version}}%{?dist} +Version: 1.17.1 +Release: 1%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -78,6 +79,9 @@ BuildRequires: systemd-devel %if %{with doh} BuildRequires: libnghttp2-devel %endif +%if %{with redis} +BuildRequires: redis-devel +%endif %if 0%{?fedora} >= 30 BuildRequires: systemd-rpm-macros %else 
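Review bot: The new `"ipsecmod validator cachedb iterator"` hint enables an external cache without any word about trust: cachedb sits after the validator in that module order, so records pulled back from redis appear to be served without being re-validated (verify against the cachedb documentation), which means anyone who can write to that redis instance can inject answers into unbound's responses. Because the redis build option is off by default (`%bcond_with redis` in this patch), this example will mostly be read rather than tested, so add a caveat beside it such as `# cachedb trusts its backend: bind redis to localhost or a private socket and require auth` and point at the `cachedb:` section where the server address is configured.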
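Review bot: `BuildRequires: redis-devel` does not look like the right package for the `--with-libhiredis` flag added in the configure hunk of this patch: unbound's cachedb backend links against the hiredis client library, which Fedora packages as `hiredis-devel`, while `redis-devel` ships the server-side module header. Because `%bcond_with redis` leaves the option off by default this would only surface when someone builds `--with redis`; change it to `BuildRequires: hiredis-devel` and do one scratch build with the bcond enabled so the path is actually exercised once.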
@@ -225,7 +229,8 @@ cp -a %{dir_primary} %{dir_secondary} --with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\ --enable-sha2 --disable-gost --enable-ecdsa \\\ --with-rootkey-file=%{_sharedstatedir}/unbound/root.key \\\ - --enable-linux-ip-local-port-range + --enable-linux-ip-local-port-range \\\ + pushd %{dir_primary} @@ -241,6 +246,10 @@ pushd %{dir_primary} %endif %if %{with doh} --with-libnghttp2 \ +%endif +%if %{with redis} + --with-libhiredis \ + --enable-cachedb \ %endif %{configure_args} @@ -472,6 +481,10 @@ popd %{_mandir}/man1/unbound-* %changelog +* Fri Jan 13 2023 Paul Wouters - 1.16.3-3 - Move unbound user creation to libs (#2149036) - Use systemd-sysusers for user creation (#2105416) From fca86019a78d7e87e6ce173c901ee4aa2f1b8beb Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Fri, 13 Jan 2023 19:21:58 -0500 Subject: [PATCH 09/10] update sources --- sources | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sources b/sources index c6e4d53..d6e9a7b 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (unbound-1.16.3.tar.gz) = ef5cda926dd1082a750615d8687bccd756869c66e9f24f984fda4c6613f94f3e4884db328b8d7b490777a75d3e616dcb61c5258e7777923c0590e6fabacd207c -SHA512 (unbound-1.16.3.tar.gz.asc) = b106f080d877e479d944a7ebe24a380f4c40c38308733f43f8a60d4e7aedc6597e6daa4a1428f596e705c9c75e6ee7b4187dbbc5750a9c406f59d76d4f1b4a8d +SHA512 (unbound-1.17.1.tar.gz) = 10dd4c3aff77f1c0d19eb3c66956ed6ef1aae19e827d0b3259dc75d9de28dedd41862982a299e67ee07e17fb52058b4beee9d4b1d3bb0a3f633b9ba5b864d168 +SHA512 (unbound-1.17.1.tar.gz.asc) = d663c2ebf9ba4420eb6cd351378d646ac4c9e88bd69913dc1c862a326e98329496a901c86b857f2c157c0401a289ff91e5ac83911477cb9894156c6d959b2b80 From 103966442822023998323a9dca8683fd8b753ee9 Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Fri, 13 Jan 2023 19:22:06 -0500 Subject: [PATCH 10/10] clarify gpgverify a bit to make it look less magical --- .gitignore | 2 ++ unbound.spec | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) 
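Review bot: The `--enable-linux-ip-local-port-range \\\` change leaves the `%global configure_args` definition ending in a line continuation followed by an empty added line, so the macro now expands with a dangling backslash; depending on how rpm retains the trailing newline, a line placed directly after `%{configure_args}` could be spliced into the configure command. Either drop the trailing `\\\` or put the new redis flags on that line instead of in the separate `%if %{with redis}` block. The `%global` header is above this hunk. Separately, the changelog entry added further down in this file reads `1.16.3-3` while Version/Release are now 1.17.1-1 and the bullets below it describe the previous release; rpmlint will report incoherent-version-in-changelog.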
diff --git a/.gitignore b/.gitignore index 3476ae7..864e509 100644 --- a/.gitignore +++ b/.gitignore @@ -75,3 +75,5 @@ unbound-1.4.5.tar.gz /unbound-1.16.2.tar.gz.asc /unbound-1.16.3.tar.gz /unbound-1.16.3.tar.gz.asc +/unbound-1.17.1.tar.gz +/unbound-1.17.1.tar.gz.asc diff --git a/unbound.spec b/unbound.spec index 07e2c24..1404424 100644 --- a/unbound.spec +++ b/unbound.spec @@ -185,7 +185,7 @@ Python 3 modules and extensions for unbound %prep %if 0%{?fedora} -%gpgverify -k 19 -s 18 -d 0 +%{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}' %endif %global pkgname %{name}-%{version}%{?extra_version}
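Review bot: The explicit `--keyring`/`--signature`/`--data` form is clearer, but source verification is still wrapped in `%if 0%{?fedora}`, so RHEL/EPEL-style builds from this spec skip the tarball signature check entirely and trust only the SHA512 in `sources`; that weaker guarantee deserves a comment, or drop the guard if `gnupg2` can be a `BuildRequires` on all targets (the BuildRequires block is outside this hunk). If the guard stays, add `# gpgverify only on Fedora: other builds rely on the lookaside SHA512 alone` above it. The keyring is the key file fetched by key ID from keys.openpgp.org (Source19), which is fine as long as the committed file is what gets used, but checking its fingerprint against nlnetlabs.nl/people/ should be part of the update procedure whenever it is refreshed.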