diff --git a/.gitignore b/.gitignore index 5ff0acf..cec9517 100644 --- a/.gitignore +++ b/.gitignore @@ -89,5 +89,15 @@ unbound-1.4.5.tar.gz /unbound-1.19.3.tar.gz.asc /unbound-1.20.0.tar.gz /unbound-1.20.0.tar.gz.asc +/unbound-1.21.0.tar.gz +/unbound-1.21.0.tar.gz.asc /unbound-1.21.1.tar.gz /unbound-1.21.1.tar.gz.asc +/unbound-1.22.0.tar.gz +/unbound-1.22.0.tar.gz.asc +/unbound-1.23.0.tar.gz +/unbound-1.23.0.tar.gz.asc +/unbound-1.23.1.tar.gz +/unbound-1.23.1.tar.gz.asc +/unbound-1.*.tar.gz +/unbound-1.*.tar.gz.asc diff --git a/Yorgos.asc b/Yorgos.asc index e18ec55..8d0008d 100644 --- a/Yorgos.asc +++ b/Yorgos.asc @@ -13,31 +13,31 @@ S9TpYmjMwURbuYm+rWZk/8w5OJG60V3wax56c0jn/42O3Y2hzQ+PbOv2M4UuuajS g3LssVS2bKy5g3IhrzCKAk0Sky4S5t/mcN+lWztNvCijuLz58GCym5GwJQARAQAB tCtZb3Jnb3MgVGhlc3NhbG9uaWtlZnMgPHlvcmdvc0BubG5ldGxhYnMubmw+iQJX BBMBCABBAhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAhkBFiEElI60IyLF0At5 -NA9dz/M0TZCHpJAFAmbz0CwFCRD85cYACgkQz/M0TZCHpJBVnhAAkcd79Twxj/tt -C4q2Xpq75+Ew6YR9gLqYiV5vEd6fu0oyhuVoUlfTkjH4ALIoGIKaO9yAVUXsrGrs -n1aJPo1Mw3q6mIwtQOxXz/W44LuFzcvZkHtCYX4YyLrUHXZPvl+r4eYkTOcyyQMU -BmbuvWhufv8MBilvWltQLxfLlgihbfuIrxqjAYDhqCffpgUiZyCut2rrenIgeh1f -DvC+GjZ3cfb1UsIpzm19yr4NCiTHkLkCOAAcAUFwWWeO/jfUsSvFQEHUnYNRREzI -Lth9NlKwPtsOVi+wcNnWQtFQb11BMr407xBib7hLSIFiqvOiYgQABjZdWN+snCRP -ZZSruigjE9ateOloJwmBqrSJLAywxvDE0ivqfSj51W5eJc/JLSXvjrOuW28dJCr8 -RV9PjC9X7zuTiFLzV8SVH71Z43Rix8n7AOp3wgRe3SygEyQXPj4qbm5HHVsx9GEA -zn495L99dJ4wZgjkbEsGhzwUx7N9FHEGS/sz3LiEq+ZYckR6gzTMMrQJgbsS9lnK -9xlXsp37uIYvx9W9JZXtS+AZhw0q3osMYBF68HPX8B9GBYlkQWmWSIMfzRYcD2n1 -5+XsfERK4mxcTWl2sCYpt8Sy3tADj9nQDabAlGUd/hlFS1dvDVQjGh6ER5S0nZjY -nmRsLl8nOTKhb2xY+2p1sDjxxQYJJQe0K0dlb3JnZSBUaGVzc2Fsb25pa2VmcyA8 +NA9dz/M0TZCHpJAFAmjWhkcFCRLfm+EACgkQz/M0TZCHpJANXhAAvTpKNl5+kU1d +lcFrXx4pgi/knhe0y1Z+ENQWVDYTs9v+lMoyCRQuAt1Cir1LAGWfRBdTQh60I6Dc +BDj+15pFJCv/dyZiQLPUgxLtIxkwIUSjELp8JevNHhGMNz7QWdG4SEpG2aF/D2Zz +kvaoomPGjRyo/bkgR2la6eqrCOxYVP+FT7682yf0bCvSTs1kTrnwFY93s7O2RciI +MS0XWcHPtoi96JxhzUIT+v0gSFuitZhRGPh9pyIcHmRER1yKugvMp6xF5UjNIcfL +ScrNlGXgjc6EJiGXS5CHliIlxlAxs4J1T9JiGQZOAW/CPxe4IND34DhqwvQcJdtL +8jt1b2xUcuFfYNa3SY671OnLt3EhwMsYDaSIXrPqW8R6XuaSxhb4sL/okHkb833b +CgaWvjQZgRm1h0R2IY5C3kHotsLUd2fygrtVVvaLxGEoi9UBsKoLu2kHEJnV5HJO +jfJMBBGgGFscfk3p1v4SAA30xPR7i6O2KDmFsVzL6xKbnFMMmayEVfWzGXmxB7lv +ob6HrJIvVH6mx64OsAY0LQI6abQI3TTZn13+RNxuATQS+j0tqbZvVJtWFw41eqsU +OqeNF9W323uvhJcjDyYquAREIivFXkzxa9y3rgQfB9OX9usD79aij4y/YLqZxafl +InYUlMGygNOGXruFRZ7DD6zciK2Zu7W0K0dlb3JnZSBUaGVzc2Fsb25pa2VmcyA8 Z2VvcmdlQG5sbmV0bGFicy5ubD6JAlQEEwEIAD4CGyMFCwkIBwIGFQgJCgsCBBYC -AwECHgECF4AWIQSUjrQjIsXQC3k0D13P8zRNkIekkAUCZvPQPQUJEPzlxgAKCRDP -8zRNkIekkFfCEACheY1yr2Z+LPjm/Nd2eA4CFFO7nUQHI+a6lYBd57txrRuIicuG -pGjOhnvcioRwICiKNLJD3YTU+WOd+sbO7BXH2sw2KdU9NK1ojKX/SQiTg6upfJsu -gbgar2oPvR88B7oSiuonZnhEf72HfWKDSBXHpi6KC6S3JZ+o50NB3GBpwUL1lfKW -ovymYbN6tYQfqw/+AP5jUUNpkclC0RbcW69rpvrHHqeQV1AVKkm/jNQpWLKYTGF7 -bbdLkgMh3rHp8gmF0/GuK+oyL7xD+TEXfr3iqlDIVuxbxDN8xTti1RrERU/MWQar -qOSFZcr4t+nlwThJidDLF/u3h0Ymrjz92VTfCgELIwCKxGX7jAyLZHzuWAp+0Pr/ -yuHodbweGNcGVoXmIpK93/WZcfFlBcyQLECVcijmxd7Euk0xDk76RQpuuL5VOWqn -aZcf2uNfppwKFZJjcXwK+EQbwN7+RFNvLrwoRn/1xM57T5AYBAgSvKb6h0G5KwW6 -tJfJdSu1MHfCZS1hH1Gr4+UG+VbLCVmQ9N/lUs0bcD7pK+bA1W0YnsIVuaQ+YZUh -KrJoCUF0kVDtW9ETZkp0iVBm1Q9xgTGaxUTVmctOyAbdCLyHNra4fo1BAdGlu+IP -qAcktaBUKFxWxRxf9O5kGihce9anK8CJ/TCnQ7wSvyYrlAoBoQaS78VzYYkBHAQS +AwECHgECF4AWIQSUjrQjIsXQC3k0D13P8zRNkIekkAUCaNaGWAUJEt+b4QAKCRDP +8zRNkIekkKovEACQkeEImQeer9jsY066WyIpvrhcy6xtWjeW8v1ZasRoi+DOFWeA +18O5iD34UaIPPGFRu6PRdSMLdUqtelFgONVDnXEuqOGAptMcCI4wp4+NIFd00v0J +9A9ur7xWt0Q0O1fMjFOMPa5oQK9dg1MCI0/RWRObOPf3cIr2NhgWwBuKTCluKyFc +mnRQXwyxBGCBRvK5zKmA8BBlnHuPfunTAcduNSExUx3e0w5BD5lcG4YeyuR+IRcY +HJPGU20f634dDSJGKJvGxjpaCxGQNca6s8Mpkq3lm/D3Ia4Vpw/HdiSawv/U71S/ +4F6lctMjvoS73Ao9DZ4iDPqkHJ73HidNp7n25SLnXKruZsnXitjYT8ueP7byeLPi +7IvqoENXoXNqNfDuXfqri/WnHPYWbKIdj5WWFeaR3Ws+szw3Wql7mJ1cNFWbNCE7 +rGFPhSNyG3n6mlEBUKUYn8FuOF9PHwwWl86GHLI6O4xOIohESyrZrq2mJS61sSq6 +AAQ7cqx6UMNJdBcgB5Ry7qRUF6ZmowZZu3aWFF4dW+LwMvuaFjKzShsKzj8GCE0B +pQDjy+IeWM2mBVneuCicWwvbSzVWx+Ow42QRvmH8Ja9PqoIYeJQUiMr1+aAG6kUK +3VW4iugsu3/oFIlFrkYZy9YEfCOEMgqRKL/cuBJTZt0OPFRE/9O/M/FVmIkBHAQS AQIABgUCV9kUOAAKCRAwkY2CdXJCIju1B/oCvf1kWYndNeLS6U2O6DtFAL2Ia5tY Zukcyqb1hkYcrBiMZbQN94gX5a+6Q4pdd2n241r1ZuSWdwUhRUbF4mvbZMVsavnk cvrRGviVIUXf71W0O/IsmQ9oN0Finhpf14Y4z/xqF8DpvJdkWc6X5g+RJuko6q2w @@ -58,18 +58,18 @@ BmQpPk0ubYclwb07FcegaHSxxIqUo/kbyt1YV5mU+QVymZ+xyvIBrnW8hBuNWRvU TJaDBSgvxUtY0Ci+OWX38kffGGvhW3CM8V6skdVc8cp7Db7gxase4BxxtC5HZW9y Z2UgVGhlc3NhbG9uaWtlZnMgPGdlb3JnZUBvcGVubmV0bGFicy5jb20+iQJUBBMB CAA+AhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEElI60IyLF0At5NA9dz/M0 -TZCHpJAFAmbz0D0FCRD85cYACgkQz/M0TZCHpJBnFw/8CRLGJnNAP43mBniIP5R1 -/10i4xG5s1Ka/y5C3aRgZUNaGMPLF8VmrC26HTPNhmduhn3j9gnBuSHgRAJUWs2K -o1q0A2/O5fFJvqPyEUl30gG8qkzFl5UGRUr7VNtBa6VpI7g78d3P4/H8THB0tYZ3 -GZv980QXwTE11aXjvPQu4e8sMOR1OVEEH+6hW1T0SvEKAMV1BHwuZAmC6HTfx5e7 -iGNWu/dwJsmwzqcAkuTTSqlmzZdIjZWJDL8pfnschkVilC3pEpEk5ExSkt/onOD2 -WCAKJUiPR6gRI2H6fE0PF8iG9isisvNhQ3MrWUIKS+1WOotoG7Bu7ob46viJKQuN -9t7KBqjdftjJHjmVop3mfX0UUEDPjkZXK5R/aUspXi4IGdM+9JijqxveicQegOhM -LcE8039Z0AaXn9IA0kQB05A4a+CEnoPL7qe+fIBJM5hZDrpMe4fAAGxiQzbRpdkZ -CrXmT+CRkhc/BvUJ5yoE1q++9Fw9eyMbPOak6GLckCIPy+Mqi4z+ZXNCtcPs3Qbc -/7AY8qyswRsD2t5bbe4g+fLEt9IsN3UvKFUKnQ88jcn9Zmps69msMDm9jEj/qo+j -QCriLLu8E1ZwhedNVOQN89w4Zww/BUyEnL4hng8Tw+RTV8Jtq5EvAleW5sZsnTzA -zn1ysZUyO/Pu7Br2jnGRAQyJARwEEgECAAYFAlfZFDwACgkQMJGNgnVyQiIHjAf/ +TZCHpJAFAmjWhlgFCRLfm+EACgkQz/M0TZCHpJCWag/+MJOLW1tBNPA9sBcjl9V4 +Cjc2TIR/r8RRGv5lstVXlXc5T4SR48UvQTxaUU+KJia5POsaAsw9yk7Zz4r7ul0D +Vd9tzHCcwxl46e0Kwn2VGBMHThsWC7QDuK7b+4AlxeO4EDWRPPw4BCB7aTxJzA3N +O4qpEF4TVeb97uyNQr2YaTGUzSI58vCgXgeOpH9ivomQi1nCxZbdrFh2yKJ+H4EH +gI8+D9iSnJMI16RS1dE7Pa85IG+qPd3owAbOlc+tBsSvdbFdRufQZeiNGKfQno1E +oygZt8svcuKpGAG1flzpPu5LE9oMsIDia9hcn4YFqr80F5bW1rUvFeC0rYp9/0ui +6lo34PAhEieB8XzjbpDDEnlkziRoz2YNVJmZOWrCAMI1bUFI5/+YWuJTXCGF62dE +dO7aBWoUkchkGGSGKbPW9KYdmqMdfOeuqZRBhKs8bgHIArJ+kvglhCJr/qNX5T8p +oCHE5bnEwFxnH2Q6a2ffpMpOExGvPaoAWlym/ID/MMet0riZ2izFUdmjEkA0HUaa +7h5x1dKMhHzYDXOW8Ksx9vE24gLrjfqfvIiYpErn+SVs0KUqkR0BRWLRYjyq/Bj/ +btTQXcDeYpQj4tL2cX3Eosqaoy5NDGCK4yqWOxENOJ/YcO5dTPJDNsHlc2JSdejz +a4g8AHFlkpPn0tlflbuE7q6JARwEEgECAAYFAlfZFDwACgkQMJGNgnVyQiIHjAf/ VrPMgIRjRTYi4cxOr5ewaim1hgJZO1oCJoMopwIvpZ2kAUqL/uPMT3wREe5bi79H jXYcaX+RbrV4ZdzaajDUFCj867KGErxqtRkANJ1eNLcQmVwGNoFeTQbgEOBfKq1t hRfMqHF3fxCPJp4z4U3kBPUpIQPERjgUdkH8fxZ34Omo1SLO1b0dVqsneezccBVv @@ -89,18 +89,18 @@ Ix1q//q2VmxqjjT3Iv30hBRX02x2M8gsP/e49XWEll7stkMtbYhBU0sHQ2CqzLGh gJN3ecpi2sKWVqN8HUZOwJFj6f9ZX76YSM23wIugHfscMAVJUXvBrbd151WIshOf FFPo62sYGt+SEMXWeRcHjbQuWW9yZ29zIFRoZXNzYWxvbmlrZWZzIDx5b3Jnb3NA b3Blbm5ldGxhYnMuY29tPokCVAQTAQgAPgIbIwULCQgHAgYVCAkKCwIEFgIDAQIe -AQIXgBYhBJSOtCMixdALeTQPXc/zNE2Qh6SQBQJm89A9BQkQ/OXGAAoJEM/zNE2Q -h6SQOf4QAIp5fEn+vVOqDuLrv8Li61UDVPE3v5b9ocPR7OMENeFpRH7K2p8xFkAM -f6JeS2ehbIjyUS8iGc+mZOalvZynJdOiHtys5r4lZanm1Rl+mWXb+nHGE/Oi4gQ3 -aEF/AwolbKi9oNXAiCtA3hmaI6FYWtAh5XOnyMG140dhlXMWzvN1ZAWXWioS33Fp -n9Z7xOsyG2Bmky69JjUQPD119noD4pEFtCipciiACVNdHGfI8QDT/8pMAxv/Q7tW -+7gyFztT1XvKONWyCfHjf1x60JQNPPM31x3xUVRz/sK+GyLq6VLiydvSZeUX3CzM -4bHixKKkSyvsX+bc9K/iLrXwZFhRdrRbpVQFpsdxv48mN5WsDlpN17KgMCyNiMDV -0VagYjZC5AurOo2mmS7PKAYGILaq3YwQ3nXYiuWfdXVW6EXtw/vdFOjFU6ppbaA3 -1+xyMDOLSGLr7f+gdZvlEc+5MX1F3mHpmuKN7clUju/HEOdVq1Bbla7BplPgqCaH -ZYCg/VHNt7ue7MYeEgTJ8OGgUDRNPa3PdU3YHRCuwJH1UzinD39K8R9/g9qiGJbC -87//1FGZp9lhIE5tja6F5pJ5GwJK9zC0iGj2NrwBvTKhuyF6W3ZQc2voYQn+gIq4 -sfbned7qpvpjLcMgIv/y82iVm2EtKtKYl982aA9S53pHqjV27kieuQINBFfYHeYB +AQIXgBYhBJSOtCMixdALeTQPXc/zNE2Qh6SQBQJo1oZYBQkS35vhAAoJEM/zNE2Q +h6SQjBkP/0IvctNT9T+DtGZyMiw/Jna9G3QhtW7exhlxzqqX3tFmZpaJj3VswyqA +5hx5BdJEShC8qNEqrBCHxcCZgsLvR3GKc/0LTgP7+7VH/ugAScrlVeI8rB6V1jn5 +cnfY5fsfOQ8i0b/8C+CiEe0TW90VRHjYV6DWMdUfqQb3E/snl23RMFeTL0Qrrk8H +Lo3MTko7TeKRYOV/g/qQkb9CFQZNyzgIjD7uZi8or8qFJ/uZTnlBq5/NRDB5Z3ew +7WXc3QrRUXmbbDzdnIeCtu5vmuk+hc69gbOst9nWf3y2qlK7BjZqT+PqKZa/fa/i +5pZpv1hB8DrA2WTIpN7iXhCvABXSEoUOJaLkRSJVDqzvuaeqOEPrk1aJSMWoio/w +8RRa1L7k6m81Dc0dqYbBOSI4MCNm8ZawQI2L4qRs5QORg4nRnAevFgkzhJKFYF2N +jzX/2xlAuOym126DODC9qJSJZR7uTOJXh0yqknfkPgDXjchpzq+Q+CM+jYo6AGas +/XPAuRQCQaLSYr9UPL7Fn62//ysZQAyAkJQR1u7UwAd6/UTTMVZpUJsLQyMyikF7 +UT4K7MWrvkZxMRPhGan0P2pRe36M9BBjYRTp0TIr+UjUT8iBfjdrttI9DQlkcEeQ +rKhcE31KqjwJMdiuzbpqqXaEss9AFuJng3Owewt4wAft3eu1U7PWuQINBFfYHeYB EAC2h9yjSe2SgtcB0H+E0ndaewaZaQCE7q+RO43dotGH9eFnVwE4/ftcK1SN42ih lF5OnTaKPyXvgQ6U8W8VB8eLjeTwA/dSXuJX7kJpEK8saPqJP6zTUmPqp/GSzS6Y rhKLfpFn4chmywpDFcGNMz0sYXiJgPqKL7W0KuG+ziPToAeWl8ckeXyl77/lHVhW @@ -112,17 +112,17 @@ GFxr4xBiyMX1JLCKK6OFnyPfoJ9v/o3UgrQgLrfXCmKdvkwBCgJvN3Fsxzha6Dtf hmQBxPvXxI2ERmKRomo6lrMaDMzIjD4APSM1vUfZguzQxVYpM8lwy1COeqxsj5p+ LH6f/EU+4dXZwooJ1uanBOvG2ntnz8SErE+e7wNYE4a/fb8xYM4j7p6qYtnNZPb8 sj8bvx8iWXp4A1csVetyVSchBhTVQhhNos6ouYpc4ibrYwARAQABiQI8BBgBCAAm -AhsMFiEElI60IyLF0At5NA9dz/M0TZCHpJAFAmbz0dUFCRD8528ACgkQz/M0TZCH -pJA7hg/7Bh0jb7nrp2EuU4BWK55VG+3zbrye/NdDy6eo3sVVOOO1r+jBMoJK3m1A -GWUx40ogZjRn8GMtJfxkL6wsep2P775smm7x1TH6s2dgreTj9J66gitKEgxF0tjo -JztmGJ8YKSGE4wKi37KvvSqCm1ecA8akBzJVo0B8/GtXpg+y/q3/KSY1ujW7Ihu3 -60JXT1FRXOiYfrzUKIBm8/UVnv7guPudaJf0eU4btoy4Ywzn1UXyi8BdxPIQrQDR -tt69ffcjX8BIEloK7FURLre/LhbVxlssdWYIEFQhIlb+nghZlUbWHf0Ue3L0SFFS -xV5otzQL2WjJKtCnTpSopSUmwYyT7wyAL1RokOemXL47WOfiLjiGuS+K/4lT7VHS -fdLsYinS0LYr5dmhc05s//kLyQ0OSKNh3SNAN+lM/klLE/pFwM4mo56C+seNEvCm -sT53VPOOwp6JwsLKSqm8pu1fbVjT6laMc9BPi6KUjN/f7ZahCXNXOrA2uLnTlxw/ -ns1sOXSWZDWciZeL3kJeUQER5YZ59hzLYWAiJ+5KblWRlBMXb71FUp0Mh9V3dA5O -BX3IlcF54qE50chGzLnfQf1YLuh13xxxc2WsdMZjiCj8CVDMkD6ekShfQK8nyQsK -SJgdXcnw1CxcAVvsROtecUiD+DWrJcYExjSZ+zcI4+aRhp7uNt8= -=iknu +AhsMFiEElI60IyLF0At5NA9dz/M0TZCHpJAFAmjWhoAFCRLfnBoACgkQz/M0TZCH +pJA4sA/7BZrP4nwWF1eQVliMWJ1KKG+sHizK4c+ZiB67aFJw4pLDCL5o6unOWH8V +ocr1pWC/BMmLG4K77O2qadhUH7mzXm/ddZ/DVF3xHTvTmG1W1bLd6zj3k6qOFYq8 +yPS2QNTa3+3oNbtZQ+RpvhCAmv2Dc1GMPNP2hKR/Ju9r9NwGWBEDQBtiMZ7872QJ +yR3IFyfQGRvj+GBbEBvJwCFmaRb3eDorhaNhM0b0c/RbIueEWD40nkCUtmM4Zrc1 +0HLod8Li8C4j8sIqIdfTKo1RiJUUg86q1K3pGA86hoOzeaihZekcm6wMwGlhXymb +Ng41yB/ZTedl9wk+XEEcD6HZMCXyfh55hBdWG06aEhMIALjOCj2VkRnDLmOKLgDZ +kg7OOQxDfKACCCvk72HZG3qKtaN9oNH1oeaVwc3ytWR8y2hQJcCxmoQsLn+Xvkgc +aYRNklPW2z8817J3fmvvwS0o6sOWRHLb0XAc+NZg4lEQOgwVFrE0XIAgkXHLQbuQ +GRpRzRncHX95RXMzGb1+8kpWEcM7gazgUA3omoAumwNEqmeBX1TmEtDop1k5RFCS +UWbv+A2s2GSAb05MHY0InIhMxzJXEa5+dJDPSvZnbiGRGhQitEe4eIlmPcNA1lB+ +ADFE2UTzcpRTo5cOKfrXyZXr6JCEl2+tB3o5m0v7FRdr6+zIS5g= +=Ubkv -----END PGP PUBLIC KEY BLOCK----- diff --git a/fedora-defaults.conf b/fedora-defaults.conf new file mode 100644 index 0000000..99ff95d --- /dev/null +++ b/fedora-defaults.conf @@ -0,0 +1,229 @@ +# Fedora distribution defaults + +server: + # verbosity number, 0 is least verbose. 1 is default. + verbosity: 1 + + # print statistics to the log (for every thread) every N seconds. + # Set to "" or 0 to disable. Default is disabled. + # Needs to be disabled for munin plugin + statistics-interval: 0 + + # enable cumulative statistics, without clearing them after printing. + # Needs to be disabled for munin plugin + statistics-cumulative: no + + # enable extended statistics (query types, answer codes, status) + # Needs to be enabled for munin plugin + extended-statistics: yes + + # number of threads to create. 1 disables threading. + # num-threads: 1 + num-threads: 4 + + # specify the interfaces to answer queries from by ip-address. + # The default is to listen to localhost (127.0.0.1 and ::1). + # specify 0.0.0.0 and ::0 to bind to all available interfaces. + # specify every interface[@port] on a new 'interface:' labelled line. + # The listen interfaces are not changed on reload, only on restart. + # interface: 0.0.0.0 + # interface: ::0 + # interface: 192.0.2.153 + # interface: 192.0.2.154 + # interface: 192.0.2.154@5003 + # interface: 2001:DB8::5 + # interface: eth0@5003 + # + # for dns over tls and raw dns over port 80 + # interface: 0.0.0.0@443 + # interface: ::0@443 + # interface: 0.0.0.0@80 + # interface: ::0@80 + + # enable this feature to copy the source address of queries to reply. + # Socket options are not supported on all platforms. experimental. + # interface-automatic: yes + # + # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0 + # NOTE: Disabled per Fedora policy not to listen to * on default install + # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled + interface-automatic: no + + # permit Unbound to use this port number or port range for + # making outgoing queries, using an outgoing interface. + # Only ephemeral ports are allowed by SElinux + outgoing-port-permit: 32768-60999 + + # IANA-assigned port numbers. + # If multiple outgoing-port-permit and outgoing-port-avoid options + # are present, they are processed in order. + # Our SElinux policy does not allow non-ephemeral ports to be used + outgoing-port-avoid: 0-32767 + outgoing-port-avoid: 61000-65535 + + # use SO_REUSEPORT to distribute queries over threads. + # at extreme load it could be better to turn it off to distribute even. + so-reuseport: yes + + # use IP_TRANSPARENT so the interface: addresses can be non-local + # and you can config non-existing IPs that are going to work later on + # (uses IP_BINDANY on FreeBSD). + ip-transparent: yes + + # Enable UDP, "yes" or "no". + # NOTE: if setting up an Unbound on tls443 for public use, you might want to + # disable UDP to avoid being used in DNS amplification attacks. + # do-udp: yes + + # Enable EDNS TCP keepalive option. + edns-tcp-keepalive: yes + + # Fedora note: do not activate this - not compiled in because + # it causes frequent unbound crashes. Also, socket activation + # is bad when you have things like dnsmasq also running with libvirt. + # Use systemd socket activation for UDP, TCP, and control sockets. + # use-systemd: no + + # If you give "" no chroot is performed. The path must not end in a /. + # chroot: "/etc/unbound" + chroot: "" + + # If you give a server: directory: dir before include: file statements + # then those includes can be relative to the working directory. + directory: "/etc/unbound" + + # print UTC timestamp in ascii to logfile, default is epoch in seconds. + log-time-ascii: yes + + # Harden against unseemly large queries. + harden-large-queries: yes + + # Harden against unverified (outside-zone, including sibling zone) glue rrsets + harden-unverified-glue: yes + + # Default off, because the lookups burden the server. Experimental + # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. + harden-referral-path: yes + + # Sent minimum amount of information to upstream servers to enhance + # privacy. Only sent minimum required labels of the QNAME and set QTYPE + # to A when possible. + qname-minimisation: yes + + # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN + # and other denials, using information from previous NXDOMAINs answers. + aggressive-nsec: yes + + # threshold, a warning is printed and a defensive action is taken, + # the cache is cleared to flush potential poison out of it. + # A suggested value is 10000000, the default is 0 (turned off). + unwanted-reply-threshold: 10000000 + + # if yes, perform prefetching of almost expired message cache entries. + prefetch: yes + + # if yes, perform key lookups adjacent to normal lookups. + prefetch-key: yes + + # deny queries of type ANY with an empty response. + deny-any: yes + + # if yes, Unbound rotates RRSet order in response. + rrset-roundrobin: yes + + # if yes, Unbound doesn't insert authority/additional sections + # into response messages when those sections are not required. + minimal-responses: yes + + # module configuration of the server. A string with identifiers + # separated by spaces. Syntax: "[dns64] [validator] iterator" + # most modules have to be listed at the beginning of the line, + # except cachedb(just before iterator), and python (at the beginning, + # or, just before the iterator). + # For redis cachedb use: + # "ipsecmod validator cachedb iterator" + module-config: "ipsecmod validator iterator" + + # trust anchor signaling sends a RFC8145 key tag query after priming. + trust-anchor-signaling: yes + + # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel) + root-key-sentinel: yes + + # the trusted-keys { name flag proto algo "key"; }; clauses are read. + # you need external update procedures to track changes in keys. + # trusted-keys-file: "" + # + trusted-keys-file: /etc/unbound/keys.d/*.key + auto-trust-anchor-file: "/var/lib/unbound/root.key" + + # Should additional section of secure message also be kept clean of + # unsecure data. Useful to shield the users of this validator from + # potential bogus data in the additional section. All unsigned data + # in the additional section is removed from secure messages. + val-clean-additional: yes + + # Turn permissive mode on to permit bogus messages. Thus, messages + # for which security checks failed will be returned to clients, + # instead of SERVFAIL. It still performs the security checks, which + # result in interesting log files and possibly the AD bit in + # replies if the message is found secure. The default is off. + # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY + val-permissive-mode: no + + # Serve expired responses from cache, with serve-expired-reply-ttl in + # the response, and then attempt to fetch the data afresh. + serve-expired: yes + + # Limit serving of expired responses to configured seconds after + # expiration. 0 disables the limit. + serve-expired-ttl: 14400 + + # Have the validator log failed validations for your diagnosis. + # 0: off. 1: A line per failed user query. 2: With reason and bad IP. + val-log-level: 1 + + # service clients over TLS (on the TCP sockets) with plain DNS inside + # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. + # Give the certificate to use and private key. + # default is "" (disabled). requires restart to take effect. + # tls-service-key: "/etc/unbound/unbound_server.key" + # tls-service-pem: "/etc/unbound/unbound_server.pem" + + # Fedora/RHEL: use system-wide crypto policies + tls-ciphers: "PROFILE=SYSTEM" + + # Enable to attach Extended DNS Error codes (RFC8914) to responses. + # Fedora defaults to yes. + ede: yes + + # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale + # Answer as EDNS0 option to expired responses. + # Note that the ede option above needs to be enabled for this to work. + # Fedora defaults to yes. + ede-serve-expired: yes + + # Enable or disable ipsecmod (it still needs to be defined in + # module-config above). Can be used when ipsecmod needs to be + # enabled/disabled via remote-control(below). + # Fedora: module will be enabled on-demand by libreswan + ipsecmod-enabled: no + + # Path to executable external hook. It must be defined when ipsecmod is + # listed in module-config (above). + ipsecmod-hook: /usr/libexec/ipsec/_unbound-hook + +python: + # Script file to load + # python-script: "/etc/unbound/ubmodule-tst.py" + +# Remote control config section moved into own remote-control.conf + +# the module-config then you need one dynlib-file per instance. +dynlib: + # Script file to load + # dynlib-file: "/etc/unbound/dynlib.so" + +# Fedora: DNSCrypt support not enabled since it requires linking to +# another crypto library +# diff --git a/mkroot.sh b/mkroot.sh new file mode 100755 index 0000000..eb6d5b3 --- /dev/null +++ b/mkroot.sh @@ -0,0 +1,17 @@ +#!/bin/sh + +SOURCE="/usr/share/dns-root-data/root.key" +DEST="${1:-root.key}" + +mk_key() { +echo "# Generated from $SOURCE" +echo "# Use /var/lib/unbound/root.key instead." +echo "trusted-keys {" +while read DOMAIN CLS TYPE FLAGS PROTO ALG KEYDATA COMMENT KEYTAG; do +echo "$DOMAIN $CLS $TYPE $FLAGS $PROTO $ALG \"$KEYDATA\" # $KEYTAG" +done < "$SOURCE" +echo "};" +} + +mk_key > "$DEST" +touch -r "$SOURCE" "$DEST" diff --git a/module-setup.sh b/module-setup.sh new file mode 100644 index 0000000..439bc6d --- /dev/null +++ b/module-setup.sh @@ -0,0 +1,44 @@ +#!/usr/bin/bash + +check() { + require_binaries unbound unbound-checkconf unbound-control || return 1 + # the module will be only included if explicitly required either + # by configuration or another module + return 255 +} + +depends() { + # because of pid file we need sysusers to create unbound user + echo systemd systemd-sysusers + return 0 +} + +install() { + # We have to make unbound wanted by network-online target to make sure + # there is a synchronization point when other services are able + # to make queries + inst_simple "$moddir"/unbound-initrd.conf /etc/systemd/system/unbound.service.d/unbound-initrd.conf + + # /etc and /var/lib do not have its variables + inst_multiple -o \ + "$systemdsystemunitdir"/unbound.service \ + /etc/unbound/conf.d/remote-control.conf \ + /etc/unbound/openssl-sha1.conf \ + /usr/share/unbound/fedora-defaults.conf \ + /usr/share/unbound/conf.d/*.conf \ + /etc/unbound/local.d/*.conf \ + /etc/unbound/keys.d/*.key \ + /etc/unbound/unbound.conf \ + /etc/unbound/unbound_control.key \ + /etc/unbound/unbound_control.pem \ + /etc/unbound/unbound_server.key \ + /etc/unbound/unbound_server.pem \ + "$sysusers"/unbound.conf \ + "$tmpfilesdir"/unbound.conf \ + /var/lib/unbound/root.key \ + unbound \ + unbound-checkconf \ + unbound-control + + $SYSTEMCTL -q --root "$initdir" enable unbound.service +} diff --git a/nlnetlabs2026-g2.asc b/nlnetlabs2026-g2.asc new file mode 100644 index 0000000..a8f7de7 --- /dev/null +++ b/nlnetlabs2026-g2.asc @@ -0,0 +1,24 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQGNBGc7H5IBDADOZfJwZ6zZ/4JbbR2hef4261/zh7YpdjUREUs0dMQSbf+x7sAE +50JgvLQWlvA8sDHzbUMQ9cAYZBGGE6iHb50KboeEfuiP5BdiLe8XWKlo1EIh+Idz +0+e1binxwvXV1/9ACm/UHPRuWjkG7vrP+mVRuhfKglO6xSDxV1cwjYTRtvRtQx8D ++kTdZzprvtzkU7OIWeczKFJRhVHzNDHYFG9SuxvDA9cbVm1KPVJEkRBwoSBPeB0z +Z3LSib2uT6Lc/ghAijOwIpR+zNYKOYxRhzoFArrLa0Fs4nq6//LA42/aVjSienEJ +SR5CVUbZy14WuUsYCkV+ZoORVRYZOcjtPG7FUKDXKzY9/iNhEAZ3OMK7Np2Xq/YO +gaOiUDFXLHU1n2UVH1rwkMiS2o4EMqvO7gINmnL/ccpI2wj2QrQ+JZ9y1Xky7dQM +LIIbtp40e0kGocgyba484rW17xlvXRxb1Pjn93JygD6WcraLLNh9jq87hW/J37qi +S4DL+GUe10H8SeEAEQEAAbQ6TkxuZXQgTGFicyByZWxlYXNlcyBzaWduaW5nIGtl +eSBHMiA8cmVsZWFzZXNAbmxuZXRsYWJzLm5sPokBzgQTAQoAOBYhBCMQGGkMTZA+ +9BkUaqFEMj3qrN9FBQJnOx+SAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ +EKFEMj3qrN9FZigL/0aVsJ48oe7vko1Mwg9DucFoCL8CESAarA40in1Bauq7p/pT +l5UcNnFPLO8HBAHWGWtDI63pEhNzHacPzSI94GKS4TUMGzCV1H/c0KnxB7wAO55b +HEQOZJ+kFRBFXWxbXORtp86NZuyCvVoSA4QAcnCf4m5ZEBb72H2cmy8xP+/HLkbS +rpr5pyoUWtCYM8FxnjM3bClXSGOlWNl9cSXLqyyVjxvc7cOAS8ytL/zoVStoBmi/ +OwQbeJfAiqDMnipBJNzOHlfniKXE0FGDozKCHWP88ifs8A8OUNtJng7cNq7EQf9K +vTvbJCcF4akUUcXnx4gv9Z1ZQ93Jg5X7h+0MP7Ut4z9hKSIAOowru7GXGEt256Ja +eE1nSviDcqUtZpyqCLjpCDFGPMwSPzSwlPXjJVlVxPkDvPuNt2LUIEd8BR8Wo7z+ +NA5uM/zTHkQXEdUgCcl/rHy6moHYV3Q+YbMb17zU37a5vLb+wQ74doaiYo3b8KoV +K6vVKMmB0qru6ERJ3g== +=4R8U +-----END PGP PUBLIC KEY BLOCK----- diff --git a/openssl-sha1.conf b/openssl-sha1.conf new file mode 100644 index 0000000..97a3218 --- /dev/null +++ b/openssl-sha1.conf @@ -0,0 +1,8 @@ +# OpenSSL configuration file to allow SHA1 validation, +# regardless of crypto-policy selected. +# Use it by adding into /etc/sysconfig/unbound: +# OPENSSL_CONF=/etc/unbound/openssl-sha1.conf +.include = /etc/ssl/openssl.cnf + +[evp_properties] +rh-allow-sha1-signatures = yes diff --git a/plans/all.fmf b/plans/all.fmf index cd001bd..538bd41 100644 --- a/plans/all.fmf +++ b/plans/all.fmf @@ -1,7 +1,7 @@ summary: Test plan with all Fedora tests discover: how: fmf - url: https://src.fedoraproject.org/tests/unbound.git + url: https://gitlab.com/redhat/centos-stream/tests/unbound.git execute: how: tmt diff --git a/plans/tier1-public.fmf b/plans/tier1-public.fmf index 10f167c..6ffbfd1 100644 --- a/plans/tier1-public.fmf +++ b/plans/tier1-public.fmf @@ -1,7 +1,7 @@ summary: Public (Fedora) Tier1 beakerlib tests discover: how: fmf - url: https://src.fedoraproject.org/tests/unbound.git + url: https://gitlab.com/redhat/centos-stream/tests/unbound.git filter: 'tier: 1' execute: how: tmt diff --git a/remote-control-include.conf b/remote-control-include.conf new file mode 100644 index 0000000..5688480 --- /dev/null +++ b/remote-control-include.conf @@ -0,0 +1,4 @@ +# Previous defaults allowed any process to change settings, CVE-2023-1488 +# If you want to modify remote configuration, replace this file with +# contents of included file and modify afterwards. +include: "/usr/share/unbound/conf.d/remote-control.conf" diff --git a/remote-control.conf b/remote-control.conf new file mode 100644 index 0000000..6f6942e --- /dev/null +++ b/remote-control.conf @@ -0,0 +1,26 @@ +# Remote control config section update. +# Previous defaults allowed any process to change settings, CVE-2023-1488 +# This file can be used also by: unbound-control -c +remote-control: + # Enable remote control with unbound-control(8) here. + # set up the keys and certificates with unbound-control-setup. + control-enable: yes + + # set to an absolute path to use a unix local name pipe, certificates + # are not used for that, so key and cert files need not be present. + control-interface: "/run/unbound/control" + + # For local sockets this option is ignored, and TLS is not used. + control-use-cert: "yes" + + # Unbound server key file. + server-key-file: "/etc/unbound/unbound_server.key" + + # Unbound server certificate file. + server-cert-file: "/etc/unbound/unbound_server.pem" + + # unbound-control key file. + control-key-file: "/etc/unbound/unbound_control.key" + + # unbound-control certificate file. + control-cert-file: "/etc/unbound/unbound_control.pem" diff --git a/root.anchor b/root.anchor index c78ee03..1559542 100644 --- a/root.anchor +++ b/root.anchor @@ -1 +1,2 @@ +. 172800 IN DNSKEY 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ;{id = 38696 (ksk), size = 2048b} . 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} diff --git a/root.key b/root.key deleted file mode 100644 index 6c5622c..0000000 --- a/root.key +++ /dev/null @@ -1,6 +0,0 @@ -; // The root key in bind format. This can be read by most tools, including -; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this -trusted-keys { -"." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326 - -}; diff --git a/sources b/sources index efb1f71..7d4806d 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (unbound-1.21.1.tar.gz) = 82be3faf5e4f9531342008105f5ab2ecc22a56faab1ef5c86420d85ef48443e5dac3455dbc654178a927e34ca4067c7655443f91a250b87945a63e9ba5f74ba7 -SHA512 (unbound-1.21.1.tar.gz.asc) = 5bb3961c210aefb20f91eb96f7d3980324e30cb2307c6c1187f016cacafcade7adcd95855faedfebc2c91464fd6c095511322364357c5b72525fc8e61c0ad248 +SHA512 (unbound-1.24.2.tar.gz) = 655d63ec5305323e84d82691425d74d98c332d0028517bd729d191e5f968ce9481b49ec7447d4c4906dce7997a998a115db36e911a59d2d877da5840c2080261 +SHA512 (unbound-1.24.2.tar.gz.asc) = 66a3e569a606cc3ed7dac9b411fba347da150728427619bdbf12ac57a5d7db1fc17963b1ba052a95d6c6fed67a6f0c1b5920318f6cd34e5091750626dd63fb21 diff --git a/tmpfiles-unbound-libs.conf b/tmpfiles-unbound-libs.conf new file mode 100644 index 0000000..d71ea46 --- /dev/null +++ b/tmpfiles-unbound-libs.conf @@ -0,0 +1,2 @@ +d /var/lib/unbound 0755 unbound unbound - +L /var/lib/unbound/root.key - - - - ../../../etc/unbound/dnssec-root.key diff --git a/tmpfiles-unbound.conf b/tmpfiles-unbound.conf index bb88f01..c09cc75 100644 --- a/tmpfiles-unbound.conf +++ b/tmpfiles-unbound.conf @@ -1 +1 @@ -D /run/unbound 0755 unbound unbound - +D /run/unbound 0775 unbound root - diff --git a/unbound-1.24-quic-on-demand-only.patch b/unbound-1.24-quic-on-demand-only.patch new file mode 100644 index 0000000..e074ab0 --- /dev/null +++ b/unbound-1.24-quic-on-demand-only.patch @@ -0,0 +1,171 @@ +From 1dfe06278c1446558b5043d7c57cd901e7d96829 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Mon, 24 Nov 2025 13:44:14 +0100 +Subject: [PATCH] Do not initialize quic_table unless it is enabled + +Fedora in FIPS mode might fail to initialize ngtcp2 library, because +some ciphers desired are not available. + +Make it possible to skip initialization by setting explicitly quic_port +to 0. Unless we have some listeners for port 853 configured, skip its +initialization as well. + +Related: https://pagure.io/freeipa/issue/9877 +--- + daemon/daemon.c | 14 +++++++++----- + services/listen_dnsport.c | 14 +++++++++++--- + util/configparser.y | 15 +++++++++------ + util/netevent.c | 3 +++ + 4 files changed, 32 insertions(+), 14 deletions(-) + +diff --git a/daemon/daemon.c b/daemon/daemon.c +index f882bb9ad..a9cc25c67 100644 +--- a/daemon/daemon.c ++++ b/daemon/daemon.c +@@ -558,9 +558,11 @@ daemon_create_workers(struct daemon* daemon) + verbose(VERB_ALGO, "total of %d outgoing ports available", numport); + + #ifdef HAVE_NGTCP2 +- daemon->doq_table = doq_table_create(daemon->cfg, daemon->rand); +- if(!daemon->doq_table) +- fatal_exit("could not create doq_table: out of memory"); ++ if (cfg_has_quic(daemon->cfg)) { ++ daemon->doq_table = doq_table_create(daemon->cfg, daemon->rand); ++ if(!daemon->doq_table) ++ fatal_exit("could not create doq_table: out of memory"); ++ } + #endif + + daemon->num = (daemon->cfg->num_threads?daemon->cfg->num_threads:1); +@@ -917,8 +919,10 @@ daemon_cleanup(struct daemon* daemon) + daemon->dnscenv = NULL; + #endif + #ifdef HAVE_NGTCP2 +- doq_table_delete(daemon->doq_table); +- daemon->doq_table = NULL; ++ if (daemon->doq_table) { ++ doq_table_delete(daemon->doq_table); ++ daemon->doq_table = NULL; ++ } + #endif + daemon->cfg = NULL; + } +diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c +index f7fcca194..ab8f1ba72 100644 +--- a/services/listen_dnsport.c ++++ b/services/listen_dnsport.c +@@ -1564,7 +1564,7 @@ listen_create(struct comm_base* base, struct listen_port* ports, + cp = comm_point_create_udp(base, ports->fd, + front->udp_buff, ports->pp2_enabled, cb, + cb_arg, ports->socket); +- } else if(ports->ftype == listen_type_doq) { ++ } else if(ports->ftype == listen_type_doq && doq_table) { + #ifndef HAVE_NGTCP2 + log_warn("Unbound is not compiled with " + "ngtcp2. This is required to use DNS " +@@ -3275,7 +3275,11 @@ nghttp2_session_callbacks* http2_req_callbacks_create(void) + struct doq_table* + doq_table_create(struct config_file* cfg, struct ub_randstate* rnd) + { +- struct doq_table* table = calloc(1, sizeof(*table)); ++ struct doq_table* table; ++ ++ if (!cfg->quic_port) ++ return NULL; ++ table = calloc(1, sizeof(*table)); + if(!table) + return NULL; + #ifdef USE_NGTCP2_CRYPTO_OSSL +@@ -3354,7 +3358,7 @@ conn_tree_del(rbnode_type* node, void* arg) + { + struct doq_table* table = (struct doq_table*)arg; + struct doq_conn* conn; +- if(!node) ++ if(!node || !table) + return; + conn = (struct doq_conn*)node->key; + if(conn->timer.timer_in_list) { +@@ -3413,6 +3417,7 @@ doq_timer_find_time(struct doq_table* table, struct timeval* tv) + { + struct doq_timer key; + struct rbnode_type* node; ++ log_assert(table != NULL); + memset(&key, 0, sizeof(key)); + key.time.tv_sec = tv->tv_sec; + key.time.tv_usec = tv->tv_usec; +@@ -4922,6 +4927,7 @@ doq_conid_find(struct doq_table* table, const uint8_t* data, size_t datalen) + key.node.key = &key; + key.cid = (void*)data; + key.cidlen = datalen; ++ log_assert(table != NULL); + node = rbtree_search(table->conid_tree, &key); + if(node) + return (struct doq_conid*)node->key; +@@ -5662,6 +5668,8 @@ doq_table_quic_size_available(struct doq_table* table, + struct config_file* cfg, size_t mem) + { + size_t cur; ++ if (!table) ++ return 0; + lock_basic_lock(&table->size_lock); + cur = table->current_size; + lock_basic_unlock(&table->size_lock); +diff --git a/util/configparser.y b/util/configparser.y +index bf9c196fc..f159b8cec 100644 +--- a/util/configparser.y ++++ b/util/configparser.y +@@ -1235,14 +1235,17 @@ server_http_notls_downstream: VAR_HTTP_NOTLS_DOWNSTREAM STRING_ARG + server_quic_port: VAR_QUIC_PORT STRING_ARG + { + OUTYY(("P(server_quic_port:%s)\n", $2)); ++ if(atoi($2) == 0 && strcmp($2,"0")!=0) ++ yyerror("port number expected"); ++ else { ++ cfg_parser->cfg->quic_port = atoi($2); + #ifndef HAVE_NGTCP2 +- log_warn("%s:%d: Unbound is not compiled with " +- "ngtcp2. This is required to use DNS " +- "over QUIC.", cfg_parser->filename, cfg_parser->line); ++ if (cfg_parser->cfg->quic_port != 0) ++ log_warn("%s:%d: Unbound is not compiled with " ++ "ngtcp2. This is required to use DNS " ++ "over QUIC.", cfg_parser->filename, cfg_parser->line); + #endif +- if(atoi($2) == 0) +- yyerror("port number expected"); +- else cfg_parser->cfg->quic_port = atoi($2); ++ } + free($2); + }; + server_quic_size: VAR_QUIC_SIZE STRING_ARG +diff --git a/util/netevent.c b/util/netevent.c +index aedcb5e07..93db16675 100644 +--- a/util/netevent.c ++++ b/util/netevent.c +@@ -2723,6 +2723,7 @@ doq_server_socket_create(struct doq_table* table, struct ub_randstate* rnd, + { + size_t doq_buffer_size = 4096; /* bytes buffer size, for one packet. */ + struct doq_server_socket* doq_socket; ++ log_assert(doq_table != NULL); + doq_socket = calloc(1, sizeof(*doq_socket)); + if(!doq_socket) { + return NULL; +@@ -2804,6 +2805,7 @@ doq_lookup_repinfo(struct doq_table* table, struct comm_reply* repinfo) + { + struct doq_conn* conn; + struct doq_conn_key key; ++ log_assert(table != NULL); + doq_conn_key_from_repinfo(&key, repinfo); + lock_rw_rdlock(&table->lock); + conn = doq_conn_find(table, &key.paddr.addr, +@@ -5880,6 +5882,7 @@ comm_point_create_doq(struct comm_base *base, int fd, sldns_buffer* buffer, + struct config_file* cfg) + { + #ifdef HAVE_NGTCP2 ++ log_assert(table != NULL); + struct comm_point* c = (struct comm_point*)calloc(1, + sizeof(struct comm_point)); + short evbits; +-- +2.52.0 + diff --git a/unbound-1.24-swig-function.patch b/unbound-1.24-swig-function.patch new file mode 100644 index 0000000..3257766 --- /dev/null +++ b/unbound-1.24-swig-function.patch @@ -0,0 +1,26 @@ +From 0fc825def2f812af70189a01b0fe66e1c5050aec Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Fri, 24 Oct 2025 20:20:50 +0200 +Subject: [PATCH] Use $action instead of $function in python SWIG interface + +$function is not supported since SWIG 4.4.0. +--- + libunbound/python/libunbound.i | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libunbound/python/libunbound.i b/libunbound/python/libunbound.i +index dc12514..4576844 100644 +--- a/libunbound/python/libunbound.i ++++ b/libunbound/python/libunbound.i +@@ -853,7 +853,7 @@ Result: ['74.125.43.147', '74.125.43.99', '74.125.43.103', '74.125.43.104'] + %{ + //printf("resolve_start(%lX)\n",(long unsigned int)arg1); + Py_BEGIN_ALLOW_THREADS +- $function ++ $action + Py_END_ALLOW_THREADS + //printf("resolve_stop()\n"); + %} +-- +2.51.0 + diff --git a/unbound-anchor.service b/unbound-anchor.service index 59683c8..1116243 100644 --- a/unbound-anchor.service +++ b/unbound-anchor.service @@ -6,5 +6,5 @@ Documentation=man:unbound-anchor(8) Type=oneshot User=unbound EnvironmentFile=-/etc/sysconfig/unbound -ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi' +ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ] || [ -f /run/unbound/anchor-disable ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi' SuccessExitStatus=1 diff --git a/unbound-as112-networks.conf b/unbound-as112-networks.conf new file mode 100644 index 0000000..96c291f --- /dev/null +++ b/unbound-as112-networks.conf @@ -0,0 +1,118 @@ +# Allow forwarding of private ranges, which are marked forwardable by IANA +# https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml +# https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml +# https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml +# RFC 6303: Locally Served DNS Zones (https://www.rfc-editor.org/rfc/rfc6303.html) +# +# Using this configuration file will simplify forwarding to potentially private ranges. +# Enables forwarding of networks marked as forwardable at IANA special registry. +# This is useful when upstream forwarder may be still inside private network. That is the case +# when unbound works as a localhost DNS cache, not network wide resolver. + +server: + # RFC 8375: Special-Use Domain 'home.arpa.' + local-zone: "home.arpa." nodefault + + # RFC 1918: Address Allocation for Private Internets + local-zone: "10.in-addr.arpa." nodefault + local-zone: "16.172.in-addr.arpa." nodefault + local-zone: "17.172.in-addr.arpa." nodefault + local-zone: "18.172.in-addr.arpa." nodefault + local-zone: "19.172.in-addr.arpa." nodefault + local-zone: "20.172.in-addr.arpa." nodefault + local-zone: "21.172.in-addr.arpa." nodefault + local-zone: "22.172.in-addr.arpa." nodefault + local-zone: "23.172.in-addr.arpa." nodefault + local-zone: "24.172.in-addr.arpa." nodefault + local-zone: "25.172.in-addr.arpa." nodefault + local-zone: "26.172.in-addr.arpa." nodefault + local-zone: "27.172.in-addr.arpa." nodefault + local-zone: "28.172.in-addr.arpa." nodefault + local-zone: "29.172.in-addr.arpa." nodefault + local-zone: "30.172.in-addr.arpa." nodefault + local-zone: "31.172.in-addr.arpa." nodefault + local-zone: "168.192.in-addr.arpa." nodefault + # RFC 6598: IANA-Reserved IPv4 Prefix for Shared Address Space + local-zone: "64.100.in-addr.arpa." nodefault + local-zone: "65.100.in-addr.arpa." nodefault + local-zone: "66.100.in-addr.arpa." nodefault + local-zone: "67.100.in-addr.arpa." nodefault + local-zone: "68.100.in-addr.arpa." nodefault + local-zone: "69.100.in-addr.arpa." nodefault + local-zone: "70.100.in-addr.arpa." nodefault + local-zone: "71.100.in-addr.arpa." nodefault + local-zone: "72.100.in-addr.arpa." nodefault + local-zone: "73.100.in-addr.arpa." nodefault + local-zone: "74.100.in-addr.arpa." nodefault + local-zone: "75.100.in-addr.arpa." nodefault + local-zone: "76.100.in-addr.arpa." nodefault + local-zone: "77.100.in-addr.arpa." nodefault + local-zone: "78.100.in-addr.arpa." nodefault + local-zone: "79.100.in-addr.arpa." nodefault + local-zone: "80.100.in-addr.arpa." nodefault + local-zone: "81.100.in-addr.arpa." nodefault + local-zone: "82.100.in-addr.arpa." nodefault + local-zone: "83.100.in-addr.arpa." nodefault + local-zone: "84.100.in-addr.arpa." nodefault + local-zone: "85.100.in-addr.arpa." nodefault + local-zone: "86.100.in-addr.arpa." nodefault + local-zone: "87.100.in-addr.arpa." nodefault + local-zone: "88.100.in-addr.arpa." nodefault + local-zone: "89.100.in-addr.arpa." nodefault + local-zone: "90.100.in-addr.arpa." nodefault + local-zone: "91.100.in-addr.arpa." nodefault + local-zone: "92.100.in-addr.arpa." nodefault + local-zone: "93.100.in-addr.arpa." nodefault + local-zone: "94.100.in-addr.arpa." nodefault + local-zone: "95.100.in-addr.arpa." nodefault + local-zone: "96.100.in-addr.arpa." nodefault + local-zone: "97.100.in-addr.arpa." nodefault + local-zone: "98.100.in-addr.arpa." nodefault + local-zone: "99.100.in-addr.arpa." nodefault + local-zone: "100.100.in-addr.arpa." nodefault + local-zone: "101.100.in-addr.arpa." nodefault + local-zone: "102.100.in-addr.arpa." nodefault + local-zone: "103.100.in-addr.arpa." nodefault + local-zone: "104.100.in-addr.arpa." nodefault + local-zone: "105.100.in-addr.arpa." nodefault + local-zone: "106.100.in-addr.arpa." nodefault + local-zone: "107.100.in-addr.arpa." nodefault + local-zone: "108.100.in-addr.arpa." nodefault + local-zone: "109.100.in-addr.arpa." nodefault + local-zone: "110.100.in-addr.arpa." nodefault + local-zone: "111.100.in-addr.arpa." nodefault + local-zone: "112.100.in-addr.arpa." nodefault + local-zone: "113.100.in-addr.arpa." nodefault + local-zone: "114.100.in-addr.arpa." nodefault + local-zone: "115.100.in-addr.arpa." nodefault + local-zone: "116.100.in-addr.arpa." nodefault + local-zone: "117.100.in-addr.arpa." nodefault + local-zone: "118.100.in-addr.arpa." nodefault + local-zone: "119.100.in-addr.arpa." nodefault + local-zone: "120.100.in-addr.arpa." nodefault + local-zone: "121.100.in-addr.arpa." nodefault + local-zone: "122.100.in-addr.arpa." nodefault + local-zone: "123.100.in-addr.arpa." nodefault + local-zone: "124.100.in-addr.arpa." nodefault + local-zone: "125.100.in-addr.arpa." nodefault + local-zone: "126.100.in-addr.arpa." nodefault + local-zone: "127.100.in-addr.arpa." nodefault + + # RFC 4193: Unique Local IPv6 Unicast Addresses + local-zone: "d.f.ip6.arpa." nodefault + + # RFC 2606: Reserved Top Level DNS Names + local-zone: "test." nodefault + domain-insecure: "test" + domain-insecure: "example" + + # RFC 6762: Multicast DNS, Appendix G + domain-insecure: "local" + domain-insecure: "intranet" + domain-insecure: "private" + domain-insecure: "corp" + domain-insecure: "home" + domain-insecure: "lan" + + # draft-davies-internal-tld + domain-insecure: "internal" diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch index 2a745e7..da88960 100644 --- a/unbound-fedora-config.patch +++ b/unbound-fedora-config.patch @@ -1,60 +1,30 @@ -From 71cbef33920b3b5704be7eab399da506ab51cde1 Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Fri, 10 Nov 2023 12:58:31 +0100 +From 6e2d042505a006ab5fd703631661e68d1cdc66df Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Fri, 15 Nov 2024 13:25:34 +0100 Subject: [PATCH] Customize unbound.conf for Fedora defaults Set some Fedora/RHEL specific changes to example configuration file. By patching upstream provided config file we would not need to manually update external copy in source RPM. --- - doc/example.conf.in | 196 ++++++++++++++++++++++++++++---------------- - 1 file changed, 126 insertions(+), 70 deletions(-) + doc/example.conf.in | 33 +++++++++++++++++++++++++++++++-- + 1 file changed, 31 insertions(+), 2 deletions(-) diff --git a/doc/example.conf.in b/doc/example.conf.in -index 130cb4e..7174d81 100644 +index 59090c6..3a86809 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in -@@ -17,11 +17,12 @@ server: - # whitespace is not necessary, but looks cleaner. - - # verbosity number, 0 is least verbose. 1 is default. -- # verbosity: 1 -+ verbosity: 1 - - # print statistics to the log (for every thread) every N seconds. - # Set to "" or 0 to disable. Default is disabled. -- # statistics-interval: 0 -+ # Needs to be disabled for munin plugin -+ statistics-interval: 0 - - # enable shm for stats, default no. if you enable also enable - # statistics-interval, every time it also writes stats to the -@@ -32,11 +33,13 @@ server: - # shm-key: 11777 - - # enable cumulative statistics, without clearing them after printing. -- # statistics-cumulative: no -+ # Needs to be disabled for munin plugin -+ statistics-cumulative: no - - # enable extended statistics (query types, answer codes, status) -- # printed from unbound-control. Default off, because of speed. -- # extended-statistics: no -+ # printed from unbound-control. default off, because of speed. -+ # Needs to be enabled for munin plugin -+ extended-statistics: yes - - # Inhibits selected extended statistics (qtype, qclass, qopcode, rcode, - # rpz-actions) from printing if their value is 0. -@@ -44,22 +47,35 @@ server: - # statistics-inhibit-zero: yes - - # number of threads to create. 1 disables threading. -- # num-threads: 1 -+ num-threads: 4 - - # specify the interfaces to answer queries from by ip-address. - # The default is to listen to localhost (127.0.0.1 and ::1). +@@ -8,6 +8,9 @@ + # Use this anywhere in the file to include other text into this file. + #include: "otherfile.conf" + ++# Default Fedora settings ++include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf" ++ + # Use this anywhere in the file to include other text, that explicitly starts a + # clause, into this file. Text after this directive needs to start a clause. + #include-toplevel: "otherfile.conf" +@@ -51,11 +51,19 @@ server: # specify 0.0.0.0 and ::0 to bind to all available interfaces. # specify every interface[@port] on a new 'interface:' labelled line. # The listen interfaces are not changed on reload, only on restart. @@ -74,53 +44,7 @@ index 130cb4e..7174d81 100644 # enable this feature to copy the source address of queries to reply. # Socket options are not supported on all platforms. experimental. -- # interface-automatic: no -+ # interface-automatic: yes -+ # -+ # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0 -+ # NOTE: Disabled per Fedora policy not to listen to * on default install -+ # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled -+ interface-automatic: no - - # instead of the default port, open additional ports separated by - # spaces when interface-automatic is enabled, by listing them here. -@@ -94,7 +110,8 @@ server: - - # permit Unbound to use this port number or port range for - # making outgoing queries, using an outgoing interface. -- # outgoing-port-permit: 32768 -+ # Only ephemeral ports are allowed by SElinux -+ outgoing-port-permit: 32768-60999 - - # deny Unbound the use this of port number or port range for - # making outgoing queries, using an outgoing interface. -@@ -103,7 +120,9 @@ server: - # IANA-assigned port numbers. - # If multiple outgoing-port-permit and outgoing-port-avoid options - # are present, they are processed in order. -- # outgoing-port-avoid: "3200-3208" -+ # Our SElinux policy does not allow non-ephemeral ports to be used -+ outgoing-port-avoid: 0-32767 -+ outgoing-port-avoid: 61000-65535 - - # number of outgoing simultaneous tcp buffers to hold per thread. - # outgoing-num-tcp: 10 -@@ -121,12 +140,12 @@ server: - - # use SO_REUSEPORT to distribute queries over threads. - # at extreme load it could be better to turn it off to distribute even. -- # so-reuseport: yes -+ so-reuseport: yes - - # use IP_TRANSPARENT so the interface: addresses can be non-local - # and you can config non-existing IPs that are going to work later on - # (uses IP_BINDANY on FreeBSD). -- # ip-transparent: no -+ ip-transparent: yes - - # use IP_FREEBIND so the interface: addresses can be non-local - # and you can bind to nonexisting IPs and interfaces that are down. -@@ -276,6 +295,8 @@ server: +@@ -285,6 +293,8 @@ server: # nat64-prefix: 64:ff9b::0/96 # Enable UDP, "yes" or "no". @@ -129,16 +53,7 @@ index 130cb4e..7174d81 100644 # do-udp: yes # Enable TCP, "yes" or "no". -@@ -301,7 +322,7 @@ server: - # tcp-idle-timeout: 30000 - - # Enable EDNS TCP keepalive option. -- # edns-tcp-keepalive: no -+ edns-tcp-keepalive: yes - - # Timeout for EDNS TCP keepalive, in msec. Overrides tcp-idle-timeout - # if edns-tcp-keepalive is set. -@@ -311,6 +332,9 @@ server: +@@ -320,6 +330,9 @@ server: # can be dropped. Default is 0, disabled. In seconds, such as 3. # sock-queue-timeout: 0 @@ -148,188 +63,7 @@ index 130cb4e..7174d81 100644 # Use systemd socket activation for UDP, TCP, and control sockets. # use-systemd: no -@@ -424,6 +448,7 @@ server: - # - # If you give "" no chroot is performed. The path must not end in a /. - # chroot: "@UNBOUND_CHROOT_DIR@" -+ chroot: "" - - # if given, user privileges are dropped (after binding port), - # and the given username is assumed. Default is user "unbound". -@@ -435,7 +460,7 @@ server: - # is not changed. - # If you give a server: directory: dir before include: file statements - # then those includes can be relative to the working directory. -- # directory: "@UNBOUND_RUN_DIR@" -+ directory: "/etc/unbound" - - # the log file, "" means log to stderr. - # Use of this option sets use-syslog to "no". -@@ -450,7 +475,7 @@ server: - # log-identity: "" - - # print UTC timestamp in ascii to logfile, default is epoch in seconds. -- # log-time-ascii: no -+ log-time-ascii: yes - - # print one line with time, IP, name, type, class for every query. - # log-queries: no -@@ -522,22 +547,22 @@ server: - # harden-large-queries: no - - # Harden against out of zone rrsets, to avoid spoofing attempts. -- # harden-glue: yes -+ harden-glue: yes - - # Harden against receiving dnssec-stripped data. If you turn it - # off, failing to validate dnskey data for a trustanchor will - # trigger insecure mode for that zone (like without a trustanchor). - # Default on, which insists on dnssec data for trust-anchored zones. -- # harden-dnssec-stripped: yes -+ harden-dnssec-stripped: yes - - # Harden against queries that fall under dnssec-signed nxdomain names. -- # harden-below-nxdomain: yes -+ harden-below-nxdomain: yes - - # Harden the referral path by performing additional queries for - # infrastructure data. Validates the replies (if possible). - # Default off, because the lookups burden the server. Experimental - # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. -- # harden-referral-path: no -+ harden-referral-path: yes - - # Harden against algorithm downgrade when multiple algorithms are - # advertised in the DS record. If no, allows the weakest algorithm -@@ -551,7 +576,7 @@ server: - # Sent minimum amount of information to upstream servers to enhance - # privacy. Only sent minimum required labels of the QNAME and set QTYPE - # to A when possible. -- # qname-minimisation: yes -+ qname-minimisation: yes - - # QNAME minimisation in strict mode. Do not fall-back to sending full - # QNAME to potentially broken nameservers. A lot of domains will not be -@@ -561,7 +586,7 @@ server: - - # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN - # and other denials, using information from previous NXDOMAINs answers. -- # aggressive-nsec: yes -+ aggressive-nsec: yes - - # Use 0x20-encoded random bits in the query to foil spoof attempts. - # This feature is an experimental implementation of draft dns-0x20. -@@ -594,7 +619,7 @@ server: - # threshold, a warning is printed and a defensive action is taken, - # the cache is cleared to flush potential poison out of it. - # A suggested value is 10000000, the default is 0 (turned off). -- # unwanted-reply-threshold: 0 -+ unwanted-reply-threshold: 10000000 - - # Do not query the following addresses. No DNS queries are sent there. - # List one address per entry. List classless netblocks with /size, -@@ -606,20 +631,20 @@ server: - # do-not-query-localhost: yes - - # if yes, perform prefetching of almost expired message cache entries. -- # prefetch: no -+ prefetch: yes - - # if yes, perform key lookups adjacent to normal lookups. -- # prefetch-key: no -+ prefetch-key: yes - - # deny queries of type ANY with an empty response. -- # deny-any: no -+ deny-any: yes - - # if yes, Unbound rotates RRSet order in response. -- # rrset-roundrobin: yes -+ rrset-roundrobin: yes - - # if yes, Unbound doesn't insert authority/additional sections - # into response messages when those sections are not required. -- # minimal-responses: yes -+ minimal-responses: yes - - # true to disable DNSSEC lameness check in iterator. - # disable-dnssec-lame-check: no -@@ -629,7 +654,9 @@ server: - # most modules have to be listed at the beginning of the line, - # except cachedb(just before iterator), and python (at the beginning, - # or, just before the iterator). -- # module-config: "validator iterator" -+ # For redis cachedb use: -+ # "ipsecmod validator cachedb iterator" -+ module-config: "ipsecmod validator iterator" - - # File with trusted keys, kept uptodate using RFC5011 probes, - # initial file like trust-anchor-file, then it stores metadata. -@@ -643,10 +670,10 @@ server: - # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" - - # trust anchor signaling sends a RFC8145 key tag query after priming. -- # trust-anchor-signaling: yes -+ trust-anchor-signaling: yes - - # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel) -- # root-key-sentinel: yes -+ root-key-sentinel: yes - - # File with trusted keys for validation. Specify more than one file - # with several entries, one file per entry. -@@ -667,6 +694,9 @@ server: - # the trusted-keys { name flag proto algo "key"; }; clauses are read. - # you need external update procedures to track changes in keys. - # trusted-keys-file: "" -+ # -+ trusted-keys-file: /etc/unbound/keys.d/*.key -+ auto-trust-anchor-file: "/var/lib/unbound/root.key" - - # Ignore chain of trust. Domain is treated as insecure. - # domain-insecure: "example.com" -@@ -694,14 +724,15 @@ server: - # unsecure data. Useful to shield the users of this validator from - # potential bogus data in the additional section. All unsigned data - # in the additional section is removed from secure messages. -- # val-clean-additional: yes -+ val-clean-additional: yes - - # Turn permissive mode on to permit bogus messages. Thus, messages - # for which security checks failed will be returned to clients, - # instead of SERVFAIL. It still performs the security checks, which - # result in interesting log files and possibly the AD bit in - # replies if the message is found secure. The default is off. -- # val-permissive-mode: no -+ # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY -+ val-permissive-mode: no - - # Ignore the CD flag in incoming queries and refuse them bogus data. - # Enable it if the only clients of Unbound are legacy servers (w2008) -@@ -715,11 +746,11 @@ server: - - # Serve expired responses from cache, with serve-expired-reply-ttl in - # the response, and then attempt to fetch the data afresh. -- # serve-expired: no -+ serve-expired: yes - # - # Limit serving of expired responses to configured seconds after - # expiration. 0 disables the limit. -- # serve-expired-ttl: 0 -+ serve-expired-ttl: 14400 - # - # Set the TTL of expired records to the serve-expired-ttl value after a - # failed attempt to retrieve the record from upstream. This makes sure -@@ -746,7 +777,7 @@ server: - - # Have the validator log failed validations for your diagnosis. - # 0: off. 1: A line per failed user query. 2: With reason and bad IP. -- # val-log-level: 0 -+ val-log-level: 1 - - # It is possible to configure NSEC3 maximum iteration counts per - # keysize. Keep this table very short, as linear search is done. -@@ -890,6 +921,8 @@ server: +@@ -906,6 +919,8 @@ server: # you need to do the reverse notation yourself. # local-data-ptr: "192.0.2.3 www.example.com" @@ -338,7 +72,7 @@ index 130cb4e..7174d81 100644 # tag a localzone with a list of tag names (in "" with spaces between) # local-zone-tag: "example.com" "tag2 tag3" -@@ -900,8 +933,8 @@ server: +@@ -916,8 +931,8 @@ server: # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. # Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. @@ -348,110 +82,18 @@ index 130cb4e..7174d81 100644 + # tls-service-pem: "/etc/unbound/unbound_server.pem" # tls-port: 853 # https-port: 443 - -@@ -909,6 +942,8 @@ server: - # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" - # cipher setting for TLSv1.3 - # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" -+ # Fedora/RHEL: use system-wide crypto policies -+ tls-ciphers: "PROFILE=SYSTEM" - - # Pad responses to padded queries received over TLS - # pad-responses: yes -@@ -1050,12 +1085,14 @@ server: - # cookie-secret-file: "/usr/local/etc/unbound_cookiesecrets.txt" - - # Enable to attach Extended DNS Error codes (RFC8914) to responses. -- # ede: no -+ # Fedora defaults to yes. -+ ede: yes - - # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale - # Answer as EDNS0 option to expired responses. - # Note that the ede option above needs to be enabled for this to work. -- # ede-serve-expired: no -+ # Fedora defaults to yes. -+ ede-serve-expired: yes - - # Specific options for ipsecmod. Unbound needs to be configured with - # --enable-ipsecmod for these to take effect. -@@ -1063,12 +1100,14 @@ server: - # Enable or disable ipsecmod (it still needs to be defined in - # module-config above). Can be used when ipsecmod needs to be - # enabled/disabled via remote-control(below). -- # ipsecmod-enabled: yes -- # -+ # Fedora: module will be enabled on-demand by libreswan -+ ipsecmod-enabled: no -+ - # Path to executable external hook. It must be defined when ipsecmod is - # listed in module-config (above). - # ipsecmod-hook: "./my_executable" -- # -+ ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook -+ - # When enabled Unbound will reply with SERVFAIL if the return value of - # the ipsecmod-hook is not 0. - # ipsecmod-strict: no -@@ -1101,7 +1140,7 @@ server: - # o and give a python-script to run. - python: - # Script file to load -- # python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py" -+ # python-script: "/etc/unbound/ubmodule-tst.py" - - # Dynamic library config section. To enable: - # o use --with-dynlibmodule to configure before compiling. -@@ -1112,13 +1151,14 @@ python: - # the module-config then you need one dynlib-file per instance. - dynlib: - # Script file to load -- # dynlib-file: "@UNBOUND_SHARE_DIR@/dynlib.so" -+ # dynlib-file: "/etc/unbound/dynlib.so" - - # Remote control config section. - remote-control: - # Enable remote control with unbound-control(8) here. - # set up the keys and certificates with unbound-control-setup. -- # control-enable: no -+ # Note: required for unbound-munin package -+ control-enable: yes - - # what interfaces are listened to for remote control. - # give 0.0.0.0 and ::0 to listen to all interfaces. -@@ -1126,6 +1166,7 @@ remote-control: - # are not used for that, so key and cert files need not be present. - # control-interface: 127.0.0.1 - # control-interface: ::1 -+ control-interface: "/run/unbound/control" - - # port number for remote control operations. - # control-port: 8953 -@@ -1135,16 +1176,19 @@ remote-control: - # control-use-cert: "yes" - - # Unbound server key file. -- # server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key" -+ server-key-file: "/etc/unbound/unbound_server.key" - - # Unbound server certificate file. -- # server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem" -+ server-cert-file: "/etc/unbound/unbound_server.pem" - - # unbound-control key file. -- # control-key-file: "@UNBOUND_RUN_DIR@/unbound_control.key" -+ control-key-file: "/etc/unbound/unbound_control.key" - + # quic-port: 853 +@@ -1166,6 +1181,9 @@ remote-control: # unbound-control certificate file. -- # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem" -+ control-cert-file: "/etc/unbound/unbound_control.pem" -+ + # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem" + +# Stub and Forward zones -+include: /etc/unbound/conf.d/*.conf - ++include: "@sysconfdir@/unbound/conf.d/*.conf" ++ # Stub zones. # Create entries like below, to make all queries for 'example.com' and -@@ -1166,6 +1210,10 @@ remote-control: + # 'example.org' go to the given list of nameservers. list zero or more +@@ -1186,6 +1207,10 @@ remote-control: # name: "example.org" # stub-host: ns.example.com. @@ -462,7 +104,7 @@ index 130cb4e..7174d81 100644 # Forward zones # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of servers. These servers have to handle -@@ -1183,6 +1231,10 @@ remote-control: +@@ -1203,6 +1228,10 @@ remote-control: # forward-zone: # name: "example.org" # forward-host: fwd.example.com @@ -473,75 +115,6 @@ index 130cb4e..7174d81 100644 # Authority zones # The data for these zones is kept locally, from a file or downloaded. -@@ -1193,27 +1245,28 @@ remote-control: - # download it), primary: fetches with AXFR and IXFR, or url to zonefile. - # With allow-notify: you can give additional (apart from primaries and urls) - # sources of notifies. --# auth-zone: --# name: "." --# primary: 170.247.170.2 # b.root-servers.net --# primary: 192.33.4.12 # c.root-servers.net --# primary: 199.7.91.13 # d.root-servers.net --# primary: 192.5.5.241 # f.root-servers.net --# primary: 192.112.36.4 # g.root-servers.net --# primary: 193.0.14.129 # k.root-servers.net --# primary: 192.0.47.132 # xfr.cjr.dns.icann.org --# primary: 192.0.32.132 # xfr.lax.dns.icann.org --# primary: 2801:1b8:10::b # b.root-servers.net --# primary: 2001:500:2::c # c.root-servers.net --# primary: 2001:500:2d::d # d.root-servers.net --# primary: 2001:500:2f::f # f.root-servers.net --# primary: 2001:500:12::d0d # g.root-servers.net --# primary: 2001:7fd::1 # k.root-servers.net --# primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org --# primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org --# fallback-enabled: yes --# for-downstream: no --# for-upstream: yes -+ auth-zone: -+ name: "." -+ primary: 170.247.170.2 # b.root-servers.net -+ primary: 192.33.4.12 # c.root-servers.net -+ primary: 199.7.91.13 # d.root-servers.net -+ primary: 192.5.5.241 # f.root-servers.net -+ primary: 192.112.36.4 # g.root-servers.net -+ primary: 193.0.14.129 # k.root-servers.net -+ primary: 192.0.47.132 # xfr.cjr.dns.icann.org -+ primary: 192.0.32.132 # xfr.lax.dns.icann.org -+ primary: 2801:1b8:10::b # b.root-servers.net -+ primary: 2001:500:2::c # c.root-servers.net -+ primary: 2001:500:2d::d # d.root-servers.net -+ primary: 2001:500:2f::f # f.root-servers.net -+ primary: 2001:500:12::d0d # g.root-servers.net -+ primary: 2001:7fd::1 # k.root-servers.net -+ primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org -+ primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org -+ fallback-enabled: yes -+ for-downstream: no -+ for-upstream: yes -+ - # auth-zone: - # name: "example.org" - # for-downstream: yes -@@ -1239,6 +1292,9 @@ remote-control: - # name: "anotherview" - # local-zone: "example.com" refuse - -+# Fedora: DNSCrypt support not enabled since it requires linking to -+# another crypto library -+# - # DNSCrypt - # To enable, use --enable-dnscrypt to configure before compiling. - # Caveats: -@@ -1314,7 +1370,7 @@ remote-control: - # dnstap-enable: no - # # if set to yes frame streams will be used in bidirectional mode - # dnstap-bidirectional: yes --# dnstap-socket-path: "@DNSTAP_SOCKET_PATH@" -+# dnstap-socket-path: "/etc/unbound/dnstap.sock" - # # if "" use the unix socket in dnstap-socket-path, otherwise, - # # set it to "IPaddress[@port]" of the destination. - # dnstap-ip: "" -- -2.46.0 +2.47.0 diff --git a/unbound-initrd.conf b/unbound-initrd.conf new file mode 100644 index 0000000..7838b3d --- /dev/null +++ b/unbound-initrd.conf @@ -0,0 +1,5 @@ +[Unit] +Before=network-online.target + +[Install] +WantedBy=network-online.target diff --git a/unbound-local-root.conf b/unbound-local-root.conf new file mode 100644 index 0000000..4ba5e9d --- /dev/null +++ b/unbound-local-root.conf @@ -0,0 +1,30 @@ +# Authority zones +# The data for these zones is kept locally, from a file or downloaded. +# The data can be served to downstream clients, or used instead of the +# upstream (which saves a lookup to the upstream). +# +# Download local root copy and answer TLD queries from it. Because +# auth-zone has higher precedence, defined forward-zones to internal +# only TLD will not work. Use stub-zone or disable this zone. +# Good for a network-wide resolvers, worse for a localhost caching forwarder. +auth-zone: + name: "." + primary: 170.247.170.2 # b.root-servers.net + primary: 192.33.4.12 # c.root-servers.net + primary: 199.7.91.13 # d.root-servers.net + primary: 192.5.5.241 # f.root-servers.net + primary: 192.112.36.4 # g.root-servers.net + primary: 193.0.14.129 # k.root-servers.net + primary: 192.0.47.132 # xfr.cjr.dns.icann.org + primary: 192.0.32.132 # xfr.lax.dns.icann.org + primary: 2801:1b8:10::b # b.root-servers.net + primary: 2001:500:2::c # c.root-servers.net + primary: 2001:500:2d::d # d.root-servers.net + primary: 2001:500:2f::f # f.root-servers.net + primary: 2001:500:12::d0d # g.root-servers.net + primary: 2001:7fd::1 # k.root-servers.net + primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org + primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org + fallback-enabled: yes + for-downstream: no + for-upstream: yes diff --git a/unbound.service b/unbound.service index 74321c7..d476504 100644 --- a/unbound.service +++ b/unbound.service @@ -1,6 +1,9 @@ [Unit] Description=Unbound recursive Domain Name Server -After=network-online.target +After=network.target +# Use ip-freebind: yes or add After=network-online.target, rhbz#2338429, +# if interface: specifies exact address, not localhost nor wildcard +#After=network-online.target After=unbound-keygen.service Wants=unbound-keygen.service After=unbound-anchor.service @@ -9,7 +12,7 @@ Before=nss-lookup.target Wants=nss-lookup.target [Service] -Type=simple +Type=notify EnvironmentFile=-/etc/sysconfig/unbound ExecStartPre=/usr/sbin/unbound-checkconf ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS diff --git a/unbound.spec b/unbound.spec index 3e95770..d173141 100644 --- a/unbound.spec +++ b/unbound.spec @@ -2,9 +2,17 @@ %{?!with_python3: %global with_python3 1} %{?!with_munin: %global with_munin 1} %bcond_without dnstap -%bcond_with systemd +%bcond_without systemd %bcond_without doh +%if 0%{?fedora} >= 43 && !0%{?rhel} +# Do not build with QUIC support in RHEL, until we have also client support. +%bcond_without ngtcp2 +%endif +%if 0%{?rhel} && ! 0%{?epel} %bcond_with redis +%else +%bcond_without redis +%endif %global forgeurl0 https://github.com/NLnetLabs/unbound %global downloads https://nlnetlabs.nl/downloads @@ -32,7 +40,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.21.1 +Version: 1.24.2 Release: %autorelease %{?extra_version:-e %{extra_version}} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ @@ -41,7 +49,7 @@ Source: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz Source1: unbound.service Source3: unbound.munin Source4: unbound_munin_ -Source5: root.key +Source5: mkroot.sh Source7: unbound-keygen.service Source8: tmpfiles-unbound.conf Source9: example.com.key @@ -54,19 +62,40 @@ Source15: unbound-anchor.timer Source16: unbound-munin.README Source17: unbound-anchor.service Source18: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc -# source: https://nlnetlabs.nl/people/ -Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key +# https://nlnetlabs.nl/signing-keys/ +Source19: https://nlnetlabs.nl/downloads/keys/releases-g2.asc#/nlnetlabs2026-g2.asc Source20: unbound.sysusers +Source21: remote-control.conf Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc +Source23: unbound-as112-networks.conf +Source24: unbound-local-root.conf +Source25: openssl-sha1.conf +Source26: remote-control-include.conf +Source27: fedora-defaults.conf +Source28: module-setup.sh +Source29: unbound-initrd.conf +Source30: tmpfiles-unbound-libs.conf # Downstream configuration changes Patch1: unbound-fedora-config.patch +# https://github.com/NLnetLabs/unbound/pull/1331 +Patch2: unbound-1.24-swig-function.patch +# https://github.com/NLnetLabs/unbound/pull/1381 +Patch3: unbound-1.24-quic-on-demand-only.patch BuildRequires: gcc, make -BuildRequires: flex, openssl-devel +BuildRequires: openssl-devel BuildRequires: libevent-devel expat-devel BuildRequires: pkgconfig -%if 0%{?fedora} + +# Required for configure regeneration +BuildRequires: automake autoconf libtool +BuildRequires: autoconf-archive +# Regenerate config parser too +BuildRequires: bison flex byacc +BuildRequires: dns-root-data + +%if 0%{?fedora} || 0%{?rhel} >= 9 BuildRequires: gnupg2 %endif %if 0%{with_python2} @@ -92,9 +121,9 @@ BuildRequires: systemd-rpm-macros %else BuildRequires: systemd %endif -# Required for SVN versions -# BuildRequires: bison -# BuildRequires: automake autoconf libtool +%if %{with ngtcp2} +BuildRequires: ngtcp2-crypto-ossl-devel +%endif # Needed because /usr/sbin/unbound links unbound libs staticly Requires: %{name}-libs%{?_isa} = %{version}-%{release} @@ -136,7 +165,7 @@ The devel package contains the unbound library and the include files %package libs Summary: Libraries used by the unbound server and client applications Recommends: %{name}-anchor -%{?sysusers_requires_compat} +Requires: dns-root-data %if ! 0%{with_python2} # Make explicit conflict with no longer provided python package Obsoletes: python2-unbound < 1.9.3 @@ -186,10 +215,20 @@ Conflicts: python2-unbound < 1.9.3 Python 3 modules and extensions for unbound %endif +%package dracut +Summary: Unbound dracut module +Requires: dracut%{?_isa} +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description dracut +Unbound dracut module allowing use of Unbound for name resolution +in initramfs. %prep -%if 0%{?fedora} -%{gpgverify} --keyring='%{SOURCE22}' --signature='%{SOURCE18}' --data='%{SOURCE0}' +%if 0%{?fedora} || 0%{?rhel} >= 9 +# TODO: Remove Yorgos.asc and extra verification once releases start to be signed by new g2 key +%{gpgverify} --keyring='%{SOURCE22}' --signature='%{SOURCE18}' --data='%{SOURCE0}' || \ +%{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}' %endif %global pkgname %{name}-%{version}%{?extra_version} @@ -203,9 +242,6 @@ Python 3 modules and extensions for unbound # patches go here %autopatch -p1 -# only for snapshots -# autoreconf -iv - %if 0%{?rhel} > 8 # SHA-1 breaks some tests. Disable just some tests because of that. @@ -221,15 +257,13 @@ Python 3 modules and extensions for unbound %endif %build -# This is needed to rebuild the configure script to support Python 3.x -# autoreconf -iv - # ./configure script common arguments %global configure_args --with-libevent --with-pthreads --with-ssl \\\ --disable-rpath --disable-static \\\ --enable-relro-now --enable-pie \\\ --enable-subnet --enable-ipsecmod \\\ --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\ + --with-share-dir=%{_datadir}/%{name} \\\ --with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\ --enable-sha2 --disable-gost --enable-ecdsa \\\ --with-rootkey-file=%{_sharedstatedir}/%{name}/root.key \\\ @@ -238,6 +272,14 @@ Python 3 modules and extensions for unbound --with-dynlibmodule \\\ # +# always regenerate configure +rm -f config.h.in aclocal.m4 configure ltmain.sh +rm -f {ax_pthread,ax_swig_python}.m4 +cp -p %{_datadir}/aclocal/{ax_pthread,ax_swig_python}.m4 . +# ensure bison is used to generate fresh parser +rm -f util/configparser.{c,h} util/configlexer.c + +autoreconf -fiv %configure \ %if 0%{?python_primary:1} @@ -252,12 +294,12 @@ Python 3 modules and extensions for unbound %if %{with doh} --with-libnghttp2 \ %endif -%if 0%{?rhel} - --disable-sha1 \ -%endif %if %{with redis} --with-libhiredis \ --enable-cachedb \ +%endif +%if %{with ngtcp2} + --with-libngtcp2 \ %endif %{configure_args} @@ -273,6 +315,9 @@ pushd %{dir_secondary} %endif %if %{with systemd} --enable-systemd \ +%endif +%if %{with ngtcp2} + --with-libngtcp2 \ %endif %{configure_args} @@ -293,7 +338,7 @@ popd %make_install unbound-event-install install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp -install -p -m 0755 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf +install -p -m 0644 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf install -d -m 0755 %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service @@ -315,22 +360,20 @@ done %endif # install streamtcp man page -install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1 -install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc +install -p -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1 +install -p -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc # Install tmpfiles.d config install -d -m 0755 %{buildroot}%{_tmpfilesdir} %{buildroot}%{_sharedstatedir}/unbound -install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf +install -p -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf +install -p -m 0644 %{SOURCE30} %{buildroot}%{_tmpfilesdir}/unbound-libs.conf # install root - we keep a copy of the root key in old location, # in case user has changed the configuration and we wouldn't update it there -install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/ -install -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/unbound/dnssec-root.key -# make initial key static -pushd %{buildroot}%{_sharedstatedir}/unbound - KEYPATH=$(realpath --relative-to="%{buildroot}%{_sharedstatedir}/unbound" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key") - ln -s "$KEYPATH" root.key -popd +sh %{SOURCE5} root.key +install -m 0644 root.key %{buildroot}%{_sysconfdir}/unbound/ +ln -sr "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key" "%{buildroot}%{_sharedstatedir}/unbound/root.key" +ln -sr "%{buildroot}%{_datadir}/dns-root-data/root.key" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key" # remove static library from install (fedora packaging guidelines) rm %{buildroot}%{_libdir}/*.la @@ -349,16 +392,27 @@ mkdir -p %{buildroot}%{_rundir}/unbound # Install directories for easier config file drop in mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d} -install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/ -install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/ -install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/ +install -p -m 0644 %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/ +install -p -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/ +install -p -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/ +install -p -m 0644 %{SOURCE26} %{buildroot}%{_sysconfdir}/unbound/conf.d/remote-control.conf +install -p -m 0644 %{SOURCE25} %{buildroot}%{_sysconfdir}/unbound/openssl-sha1.conf + +mkdir -p %{buildroot}%{_datadir}/%{name}/conf.d +install -p -m 0644 %{SOURCE21} %{buildroot}%{_datadir}/%{name}/conf.d/ +install -p -m 0644 %{SOURCE23} %{buildroot}%{_datadir}/%{name}/conf.d/ +install -p -m 0644 %{SOURCE24} %{buildroot}%{_datadir}/%{name}/conf.d/ +install -p -m 0644 %{SOURCE27} %{buildroot}%{_datadir}/%{name}/ # Link unbound-control-setup.8 manpage to unbound-control.8 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8 +# install dracut module +mkdir -p %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound + +install -p -m 0755 %{SOURCE28} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound +install -p -m 0644 %{SOURCE29} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound -%pre libs -%sysusers_create_compat %{SOURCE20} %post %systemd_post unbound.service @@ -386,18 +440,19 @@ fi %postun anchor %systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer -%check -#pushd pythonmod -#make test -#popd +%triggerun -- unbound < 1.23.1-4 +if [ "$(stat -c '%%a %%G' %{_sysconfdir}/%{name}/unbound_control.key 2>/dev/null)" = '600 unbound' ]; then + # change permissions of existing key just once, where it were generated with wrong perms + %{_bindir}/chmod g+r "%{_sysconfdir}/%{name}/unbound_control.key" || : +fi + +%check +export OPENSSL_CONF="%{buildroot}%{_sysconfdir}/unbound/openssl-sha1.conf" make check %if 0%{?python_secondary:1} pushd %{dir_secondary} -#pushd pythonmod -#make test -#popd make check popd %endif @@ -407,9 +462,10 @@ popd %doc doc/CREDITS doc/FEATURES %{_unitdir}/%{name}.service %{_unitdir}/%{name}-keygen.service -%attr(0755,unbound,unbound) %dir %{_rundir}/%{name} +%attr(0775,unbound,root) %dir %{_rundir}/%{name} %attr(0644,root,root) %{_tmpfilesdir}/unbound.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/openssl-sha1.conf %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d %attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d/*.key %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/conf.d @@ -419,11 +475,12 @@ popd %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.pem %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.key %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.pem -%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key +%ghost %attr(0600,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key %{_sbindir}/unbound %{_sbindir}/unbound-checkconf %{_sbindir}/unbound-control %{_sbindir}/unbound-control-setup +%{_datadir}/%{name}/ %{_mandir}/man5/* %exclude %{_mandir}/man8/unbound-anchor* %{_mandir}/man8/* @@ -465,10 +522,11 @@ popd %{_sysusersdir}/%{name}.conf %{_libdir}/libunbound.so.8* %dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name} -%config(noreplace) %verify(not link user group) %{_sharedstatedir}/%{name}/root.key +%config %verify(not link owner group size mtime mode md5) %{_sharedstatedir}/%{name}/root.key # just left for backwards compat with user changed unbound.conf files - format is different! -%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key -%attr(0644,root,root) %config %{_sysconfdir}/%{name}/dnssec-root.key +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-root.key +%attr(0644,root,root) %{_tmpfilesdir}/unbound-libs.conf %files anchor %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name} @@ -485,5 +543,8 @@ popd %{_sbindir}/unbound-streamtcp %{_mandir}/man1/unbound-* +%files dracut +%{_prefix}/lib/dracut/modules.d/99unbound + %changelog %autochangelog diff --git a/unbound.sysconfig b/unbound.sysconfig index adcf8fd..9e80f14 100644 --- a/unbound.sysconfig +++ b/unbound.sysconfig @@ -5,3 +5,6 @@ UNBOUND_ANCHOR_OPTIONS="-f /etc/resolv.conf -R" # for extra debug, add "-v -v" or change verbosity: in unbound.conf UNBOUND_OPTIONS="" + +# Uncoment to validate SHA1 in any crypto policy +# OPENSSL_CONF=/etc/unbound/openssl-sha1.conf diff --git a/wouter.nlnetlabs.nl.key b/wouter.nlnetlabs.nl.key deleted file mode 100644 index 603e620..0000000 --- a/wouter.nlnetlabs.nl.key +++ /dev/null @@ -1,123 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -xsFNBE2v/RwBEACyQpJlpCeSZBV1QUH7jNEp5xGdo6OnX2h9XoZ4ZPsb+u6OT+xE -SH45ncnISUh8rPCygbeWOoPR/yOBzh+lYoGxQ5iUHtwRrhHq04sQe/qFpXDO2xs6 -1pTcPU2PnH7Rsr2qp6fZLPHuXLolD7NJfaSib8sVeMM0/ecyl/L2bBg9NpaGDX0x -TQh95M8o6AFo6UKWApBpgsvEZr2aH/B8b9KnCWFhfJyheEM7DamksdZNsKxXQyq3 -l/ROfdsMLZGF8vPbYV/v11G4keyaLpn8AbBpybIiw9SYDwf2ENk3+e1NFfMaiiyE -qn9+aaLTKCY87TMUuoN3s3jWOOy5tHXzf6DbKhub4Awsby3DH5YpPhi4N2vj2pAX -Vpl5+m78cH29JLzT+HAoyZ4tq1r3m0P5QogNqYwqxkKWYOjDilNDBiKiDdgtrLYG -x+ABovKG/FvToJoaCL4AFaVCzWmL2uHkSgyBN0FPHatCB1UeEkcQit6T8E2NQqmF -WjUMXSWHHajSMG95+L5PdLHz/Ku0o3Csvlt2pkElYZmzJBfnOM9JevdsmKr/ruJC -/DCZAn5w2S/9ZF5qfo2F9HUKIwE/dChR29HcN8V4nqZs9oCvEMfFhHmrfwDc5hed -hvb6mAkvSFFtKIrygLIVeWRj3FE9sGp6sr4VwOLYTFRNk7mAsWD1rZApeQARAQAB -zSdXLkMuQS4gV2lqbmdhYXJkcyA8d291dGVyQG5sbmV0bGFicy5ubD7CwX4EEwEC -ACgFAk2v/RwCGyMFCQlmAYAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEJ9v -HC1+BF+N3yoQAIynfrvZ/8RNAv9lLcSc2PX3fvG7oRJEJSy9uMyIbMtb/a1BVCeh -XjR8GhHJ5D/Z3jRWBQKw1rLLvOqbuBGkpKMR100ZVF4z/8e6CWtTAOFy28f1JQw2 -8kilN7K6vjno21S1JJ1XJAdoFdicyb1SW2r+KYod6fjSyF0lb71od+sdnSE9O/xd -Cqyyu6cX+AwfDcuJ6Y8iOWu8CeWAz41LR1QBUQkCb/08mVfCEu+Cj+M31jjPDZEy -UAw219vr4QFe0o3t+Msv0AUZvcRkW6+8qP5lO6I5we/33WBLZH70lhFvYtobM7HO -MCjheRZguSzvRqEETfTjia1uVi3Yz2qM4CFdJIZF6Er79yKcB3jYquultrnlHdXZ -/IZsHVRk6JfiqFkz9u1T9PkvMoQ452aUomGTg9xQchnKpe1E8osKgLulaY+izTEq -Z8pH/HWWJ/YT13/n8pxK9EbC/8SkVhyXNehOSAGDZar+tjVBofgzS8r+GDyv+pBT -SmjitIrVXZNuhigLp1o7Tvs4kjKlcFnLhfDHJ+yb5JyiZd01bVvaqnfRhACqXfWl -oC0uslRbegoYwJUgX0BOrsOuHGH2SfGjd/QnA0bcEXM2kp1Dp1gqtcEd5Qitm647 -Yz+leWkhrmMmtTwqumXoAcvgzthJFUPcAzuhXZNfqQJMOGRxAGVI0P97wsF+BBMB -AgAoAhsjBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCVu+rZAUJDQIVSAAKCRCf -bxwtfgRfjdrWEACMQK0xYtZtAvLL/8CCcCi92Oi1rtXRGWnRy7JX020hftmWliMq -4P0F3CJKVLhgZ/ldp8OOqmfDfmwLMVSaCQ86Ubqn7Ofrf8Ku8SGQuIMxY2ODB97h -ouY4bnDHaM2Cqi6JkBN+G1tgdwqN/kcecF2tq3ql2k7eX91++A+F5ApIu1silzJP -L4Z8W6MVOdKrtzEM7t61hRlsbpEPj72vbVBZ1hmTiIL4VWwdxQYamxBoOeneskyD -DG+iMCI3P1GG3EQkk+9Aect/iH9uruE0mxn2aKN8cfuoR93cPF/ozCxS5ItwAVnN -e39WRO1GT2zYaFgYm0lf9czcpRsRzNbGw938lZ3iPUiZe+ybKgLKkVmvrkM59ljH -T99SrC14VXxgQwSs4gS3rdzbY9tPps62Z1q+xCVfTx1IY5P4nt59xwQV0Iw+pV9S -/mVcOnPXl1UKb0ttOdYJErrq3RpF/D2g/NDtL0OWqIa8LvrBlyQYmWPKvKw76vt4 -bJ3NU31jSc0ow/j7EOVjOst86s629zmtnbJjWVr6LOy5EDUPusmqHv1t4Z4RMjf8 -OrJdNbFJoRXZv8FbW4NzXeGtMf8k6vKeejpdMH4+eLuoZG7dchU1JccfgqfwWpy0 -ojmb59drJcaQgVC6Jvw9l0TmGPNIsE4UrIWocaFgv4dOKvHA2hcnMDM8rsLBlQQT -AQIAPwIbIwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQTt+qPyyk5usFaBr46f -bxwtfgRfjQUCWaU4BQUJEZjVaQAKCRCfbxwtfgRfjb1YEACjkhtkyZkYURUmSZNL -2IK/Zencv7DZGRfFrzijROFtHbe//H8o2ZhlyiaFSA/dT1ehjsukkR0oFkYadA+q -Ui06WpxGmd/jf8hP4yTUZkwOhQAesWoNmnhKePNaVMKY8DP57bA+N2pdCcGu7gUt -Yzq2JoTAtV+P/PE2w+H9eyBAulv6iUckM5/qvGfJPl8HB9BtgOpGN79otVWO6ebM -4TQ3cZYI9BDQnt9cF2pviex+z1iLZVJ8UeRxSxYhrBKPJioi0Q1OgcKyO56t7Eot -zxKl5TzprgvdX4cdls+lehD8StlE2Xv/TScHvdOhJuVBrn3a3QjZPb4qSsz74leW -5/EIQmozBy+qf8AHcCmTXwb2U7oHOct7cVyS5+bFx+ThpV5OK0rjTH1LMNiuTeAN -46c1y3prjZRpQUlgVwj06q3Zz/fzDyueUS/r4lW4nAf/VNZy/rTS2HYPoZbHZVCt -GpDIfag6fV6V97Pd3zfhTf2wmsJsw9Xhktp/o7rMBRSMhvL4oevOXb0JSG2583Q/ -JnCCceB4NxRRxsgkRYHwdnXN9FnOPSa4NyvF4rzpPksLGZrhvm+lBvzVn/e40Q/K -lxvSlnn2vW/WBM4pBq1jsoJrd/JkTdijZV7mt7HQ2bCLXAPgfZjy7n79WiCQVHg7 -iYnNikiNWR5TR7JcvdkxOdiA/8LBlQQTAQgAPwIbIwYLCQgHAwIGFQgCCQoLBBYC -AwECHgECF4AWIQTt+qPyyk5usFaBr46fbxwtfgRfjQUCXe4JdQUJGaQN2QAKCRCf -bxwtfgRfjQ8gEACe+49aDQHRuZdDHK1VCJKzhb+MvfdIjvl8eQxljpG9Uz5Y17Bx -4SWfuLHCeGlh1m6IOAWeW4g6Wowm1ec1PkVa79TdrkKb0MxfLSat6iDbiuVjDxy2 -bWokW0/cPzJ/FoWDtEC0H9UTAMb5QGBDZUbLuwX7ZjvMkAhH15/hO9Gj4RHoH1RJ -GJALRtZzjtzsJqL53kW/EV59V1T79Nocyx018iw50Jn02mI8wYJZ9HZc5C7D+K59 -vcqLRZgkrJrObw0sEv3YFOBYp/1DemH2nHPMBSKMmN5RAcr32guUjd4BEWf2Q7Ao -+Qnhdi161W0YKCW4JAmOoQ4bQ0wfE9Q5aUIGhUF52L+ac8Hy7dByaCExCA/WTqQQ -/iVPybmpJQhFonWt/fmpxbE2wKThSEOHTO67e5e3JfUb0vNKssyZojao4h1MF5nv -aPNKoybWwKnpNM0ORcyl+aogKwW7E15TEU0TE5//gAsFwRDcCnSEKnksgM0321m1 -7RDfJbCajIv47DHDYE3yvhRZjCJCaw0Gow1sDRWjdOFpmIixD5/vx5uxyqSHPuGA -sXlEvl+Z3Rdc5bQ7pAWu7UNpR3hnJPfg8KL2xqOF75VKG9/NjLE80yj8wdVoCfDv -vizrBtOXnHI49gCMCfNqbGIb5yVhmTdeo7li+Te9hlJ2DrHnujGJlFe+p87BTQRN -r/0cARAApvDKeVLiSazESdTY9KsSWsqoB38pvOsu25M49tEjc5TtY5LwKNckqkeR -lJ83O8dFG7UBVuGwLKaf/6OR/pe24upZ27eOOWW7sXvQNv5aXlOYfF+mjIhUINqj -q4pKDmO1c9J7h5d+auOVfzcgfotg3BVCaKn56ucjiQJ059uUMfgWTvVlibnoJ7de -Zcgt8v7VcLK9jv+P8QJHTIyDzJd+JjdjuHXqC/A37T5G9Z84x8wYrQY6mZmOIYaM -jwIKdgFeN+nLk5henARUz4MTFUW4j9hHpuyAFomDQ93/wkHZ9IEChTxdZnfvsd// -Z45vfcX9dQM+tuR8XCYThVsScI1TnwR46hi5NkfmHo3HVxwB8/owJ+FZDsTNBbJd -7AVy27Xk4L5hLe7BwLDtFMyOp4lOipCM7//mtFB9mTzqnOwiSSyTRlwGUBJkzQFW -Qa0Z6bfYwA6+y1dn19H519GW49irtl+2+W8W4N8oLriIjPvqrQOyaELFcRfV6FfL -i09HPhHVbejOqIEbOtfuN0+mjrrGAwortfTBjfw80N+W90BTvta4K2SyjHcJTkDY -ehfOo/5IMpGtDsOgvsCbDaFRnNJuYtSqQmvWk1KIPIw6CkdJtZa3+q3YA7D7ovOV -H1OBTKNdBjc+X4W8L5R9MCymXWvgiP+52Sv1VIcZmsnCBrwK490AEQEAAcLBZQQY -AQIADwUCTa/9HAIbDAUJCWYBgAAKCRCfbxwtfgRfjTY/D/9+kX8LeqBhwDdwy3ud -V67KmVmytwGMfzBHbAyBdy84X06ip/If/VkjL+2Sv5Uml/cOOzGZT7y/KEt0uXQz -gOZhGP5Y0OREf4kSzfb7tsGu3ZjTp5uJe7HiJr8uqYGfx94TQG/A3x1C7MlxOGmW -DK/Eh/eNVeNd+3yyDEzl2p7a0yUhI8LtzllVrEDX+G4rz+mdDw4tfPDqzRPzPvVt -PfqnfofHP5r2dshGe7+pCTC+o0jHWpaiFkEiIrR3PbZ9tV6+F5LzCUJJP5nepz6C -ShpLHq9ST6qZiw5ZpdznHW0kVl96YxgynJq9Y4dqD/8nOfTzdHhXXEogGvRfcxat -xeZF7YNFhUU2p+CswAjRKCUzZAz0hDAu+dJ+fw4Odx7ii8uiwhEnEHoo8rPETkXw -UK1je4MCzMRSy0Gippzk/oZ7noIml+Njas/UygavUOQm8bcPqGfWeFqvM2C7ZobL -2iV0fX/bhEmQyosiWJ0nHuKdwDYygYs/4LtZLxwiKli/lm6IDz1028j6/98Z81gG -oltXWokTYAPEgcBuhyiSLSQ1wojTVMYt9rPKMBakTzP+0FoWqoNafWOlHovP6iUB -2Igll2ZT3AvrBQ8jAbRbuUl46QpBaKsl+pBo86az0fRkMxv0N4dQv4Q7Z0g71u9N -Tpaq1vtAZOwc0kl3uGNK18PnV8LBZQQYAQIADwIbDAUCVu+raQUJDQIVTQAKCRCf -bxwtfgRfjVnYEACZ1E/FfLDi4vLUd9diImmNN/zWDHxTsO/VG3lt50rSoJM5NGB4 -RlwcbUKhah2fD44FFiIqGIvKD9hRgB51dVRIkaR3ozVtXRBKxJJqWj38wf2FDLtU -XC5/JHYb0sjAc3ad2sA9xEmEBVO1lWK3J6h4gKZiAGlWz3oeOSve3vrTKsBlP0Cu -rUeb4WTVpw4drBJD7cDh8SJ4/Cq76UFx8lW0xR+pHZHcd0/Ir5v5HnnEgbnut4Ix -eY3/CGBfQfSQHylK7ifmPWq+dflC/ZdfHY1V96EHKPM44ZLwiczoY3qp5nkmEc3B -Y6+P8Ch5gddOYaY18wpedarswnpOLQD2Xbsj66Eh0IZuuuZGyfOqJNaWbP33L27e -g35XQNTgyhuZmDyRKL6yAbhU74TXCCvze/kkfqDn2ouCtM8/kqLX1v0+NkBxlhZU -kTTVDyclZtwu6Vypus3+j2Zqk8sXeUZI64sjXpzwOcMZxdl3QuyxMktExWzk9Q5D -YqO+pj/YGt1vp2M0YgSUWNWCvfBcjEPFgaljyqz3BdvR/LYohnXuQL9SWObF+sIF -c9D0w/yORYQcKP5kSWVC/qwFdC61OGeSDnQ/0o0T5PefhYS82gsIrjQ+HIJ7CLUT -k7kBNljvtfpoWegH02feR0kSRoCXA6x+YHT4fmB41pW8S1V5a5dEltA/JMLBfAQY -AQIAJgIbDBYhBO36o/LKTm6wVoGvjp9vHC1+BF+NBQJZpTgKBQkRmNVuAAoJEJ9v -HC1+BF+NyNQP/A3h+cOOkYUxyKpNHdtlIfCn8db5tHXSCbE19Qi7EK1SiK5atjo+ -VoRtB+L01kH6GCx5oZjeIhUdzYFwEUsdCDgwD6r0dKFwKIGa4TFcfnx+Z5B+HZgL -Yc6ac5PEHF1qZVXZH9GSGeNw5h2yyqf4yhvetSN6L2id14m5XXJV5e7NfOgmaSnG -0Z+wQvPSiu+Q00XpENT8HFSTSCjRATjk12rpy6TPeeC52NK1gLhGDRHN0k6m+vm4 -yoC+Nd6iPQpnc+5xs7NDnq2dFuSTp7UTGebzPhhdSQgujEFuYLwzQMZu1h5amtA+ -v9j7BYEJkOMC7bm1PNNA2QQ6QfH8Hf+mJeINyJO8A5KS3ceP+eo3SLR8T0hPzu9g -ZuZ22Hn3DXQh1VNRshaLKgNvoXpL3dQ48d1SFFKhEDpy2HSXUq2fs5rH0uszFGes -G7K6EQRAYRcDrCkt9fdfkvCSxAFw9d+472xThzgKcN+MkOec+SaY+xlVULjEfCWy -RVC8Opam4mTm/XT4mVLxP/qnsy7kEhLoc/ouB+lY/ks06LpZJvCXL6WfA9You1Fi -1Mg7GhSh9JKg6X6E8Trm+N4dxJGut1xbbGmmKXqfi4pej9KlkdeM9t1df/vWKlPa -7Hzd8H0btgJx066wC4yt0ghxtsJXBsCDxWLfzaSRZ2/eP16mHqxDjsQQwsF8BBgB -CAAmAhsMFiEE7fqj8spObrBWga+On28cLX4EX40FAl3uCX0FCRmkDeEACgkQn28c -LX4EX43TQA/+JV8ReMRJCn3Cfqbe5ycFn8p6dIVnJiQuhiEyu5yzdpSkKyzcVFJO -bQcqw7s50FJuLUbxdvbcuGIaoTu7dhBoUXO5tOuIQAsKTfGfgoOgelJm+/q2h645 -EnAVINGbMDXrmo4/UFJkNjUMA6SQi/yiam7N0y58eoDC4sGmBKuN2EW2MoWahlXw -8SS1+Ab9qVBs/RqbSy6f1nJL39aPpPDmvyJOSYtHnNSFlYWVhr0zGAi5rnswlFGr -ECGbHpr5FajUK7zcmtNPbi7F30K48xfF3XnDIeIBcerrEBQMaPUZcBlddGhmSVVJ -ZU/YhR35JNgPnmp33gOuZaRiW9lauZFwsMQBIBkLpJWoUtu8QLkyC0HmJzVRep0/ -s1RkzaJ+1G1BzXTQiXaLaUQWG5h3pcMD8fxY5qp9KbG/+10bY0sRbRBXgS6mz7dd -HaBtg/E8ty2nEB1HDXA9HAHu7KlH9e96sPZjz9C46ZiOXe6ZAOk6wBYts4RG4bCQ -9pGORJ+P2Jr2pz1NZQbs1AhnjJixTsfZfsGZ5lHxGLjIyxtdGB/irLEqNTIMek2y -p4CShmWoZwN0V3aGYMe/rC4tSXG79IeKNwF3Vd5MHtB+hcJG2qztBtKQuW29rbRA -5bNxwTWe8skwOKsxXnP9RC974k0XkPS+VwgmVgNN1ewS/0oHvmEP71Q= -=Oqje ------END PGP PUBLIC KEY BLOCK-----