From 8505fddf6eaaf077f14eca46e480619732db0428 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 29 Mar 2022 17:28:39 +0200 Subject: [PATCH 01/14] Import few changes to configuration --- unbound.conf | 47 +++++++++++++++++++++++++---------------------- 1 file changed, 25 insertions(+), 22 deletions(-) diff --git a/unbound.conf b/unbound.conf index 4ee6d10..977d39f 100644 --- a/unbound.conf +++ b/unbound.conf @@ -98,14 +98,14 @@ server: # num-queries-per-thread, or, use as many as the OS will allow you. # outgoing-range: 4096 - # permit unbound to use this port number or port range for + # permit Unbound to use this port number or port range for # making outgoing queries, using an outgoing interface. # Only ephemeral ports are allowed by SElinux outgoing-port-permit: 32768-60999 - # deny unbound the use this of port number or port range for + # deny Unbound the use this of port number or port range for # making outgoing queries, using an outgoing interface. - # Use this to make sure unbound does not grab a UDP port that some + # Use this to make sure Unbound does not grab a UDP port that some # other server on this computer needs. The default is to avoid # IANA-assigned port numbers. # If multiple outgoing-port-permit and outgoing-port-avoid options @@ -238,7 +238,7 @@ server: # do-ip6: yes # Enable UDP, "yes" or "no". - # NOTE: if setting up an unbound on tls443 for public use, you might want to + # NOTE: if setting up an Unbound on tls443 for public use, you might want to # disable UDP to avoid being used in DNS amplification attacks. # do-udp: yes @@ -275,7 +275,7 @@ server: # use-systemd: no # Detach from the terminal, run in background, "yes" or "no". - # Set the value to "no" when unbound runs as systemd service. + # Set the value to "no" when Unbound runs as systemd service. # do-daemonize: yes # control which clients are allowed to make (recursive) queries 
@@ -328,7 +328,7 @@ server: # The pid file can be absolute and outside of the chroot, it is # written just prior to performing the chroot and dropping permissions. # - # Additionally, unbound may need to access /dev/urandom (for entropy). + # Additionally, Unbound may need to access /dev/urandom (for entropy). # How to do this is specific to your OS. # # If you give "" no chroot is performed. The path must not end in a /. @@ -542,7 +542,7 @@ server: # Use several entries, one per domain name, to track multiple zones. # # If you want to perform DNSSEC validation, run unbound-anchor before - # you start unbound (i.e. in the system boot scripts). And enable: + # you start Unbound (i.e. in the system boot scripts). And enable: # Please note usage of unbound-anchor root anchor is at your own risk # and under the terms of our LICENSE (see that file in the source). # auto-trust-anchor-file: "/var/lib/unbound/root.key" @@ -613,7 +613,7 @@ server: val-permissive-mode: no # Ignore the CD flag in incoming queries and refuse them bogus data. - # Enable it if the only clients of unbound are legacy servers (w2008) + # Enable it if the only clients of Unbound are legacy servers (w2008) # that set CD but cannot validate themselves. # ignore-cd-flag: no @@ -643,7 +643,7 @@ server: # Return the original TTL as received from the upstream name server rather # than the decrementing TTL as stored in the cache. Enabling this feature - # does not impact cache expiry, it only changes the TTL unbound embeds in + # does not impact cache expiry, it only changes the TTL Unbound embeds in # responses to queries. Note that enabling this feature implicitly disables # enforcement of the configured minimum and maximum TTL. # serve-original-ttl: no 
@@ -736,9 +736,9 @@ server: # Add example.com into ipset # local-zone: "example.com" ipset - # If unbound is running service for the local host then it is useful + # If Unbound is running service for the local host then it is useful # to perform lan-wide lookups to the upstream, and unblock the - # long list of local-zones above. If this unbound is a dns server + # long list of local-zones above. If this Unbound is a dns server # for a network of computers, disabled is better and stops information # leakage of local lan information. # unblock-lan-zones: no @@ -922,7 +922,7 @@ server: # the number of servers that will be used in the fast server selection. # fast-server-num: 3 - # Specific options for ipsecmod. unbound needs to be configured with + # Specific options for ipsecmod. Unbound needs to be configured with # --enable-ipsecmod for these to take effect. # # Enable or disable ipsecmod (it still needs to be defined in @@ -936,7 +936,7 @@ server: # ipsecmod-hook: "./my_executable" ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook - # When enabled unbound will reply with SERVFAIL if the return value of + # When enabled Unbound will reply with SERVFAIL if the return value of # the ipsecmod-hook is not 0. # ipsecmod-strict: no # @@ -1005,10 +1005,10 @@ remote-control: # For local sockets this option is ignored, and TLS is not used. control-use-cert: "no" - # unbound server key file. + # Unbound server key file. server-key-file: "/etc/unbound/unbound_server.key" - # unbound server certificate file. + # Unbound server certificate file. server-cert-file: "/etc/unbound/unbound_server.pem" # unbound-control key file. 
@@ -1125,7 +1125,7 @@ auth-zone: # # DNSCrypt # Caveats: -# 1. the keys/certs cannot be produced by unbound. You can use dnscrypt-wrapper +# 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper # for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage # 2. dnscrypt channel attaches to an interface. you MUST set interfaces to # listen on `dnscrypt-port` with the follo0wing snippet: @@ -1165,7 +1165,7 @@ auth-zone: # IPSet # Add specify domain into set via ipset. -# Note: To enable ipset unbound needs to run as root user. +# Note: To enable ipset Unbound needs to run as root user. # ipset: # # set name for ip v4 addresses # name-v4: "list-v4" @@ -1188,7 +1188,7 @@ auth-zone: # dnstap-tls: yes # # name for authenticating the upstream server. or "" disabled. # dnstap-tls-server-name: "" -# # if "", it uses the cert bundle from the main unbound config. +# # if "", it uses the cert bundle from the main Unbound config. # dnstap-tls-cert-bundle: "" # # key file for client authentication, or "" disabled. # dnstap-tls-client-key-file: "" @@ -1208,10 +1208,11 @@ auth-zone: # dnstap-log-forwarder-response-messages: no # Response Policy Zones -# RPZ policies. Applied in order of configuration. QNAME and Response IP -# Address trigger are the only supported triggers. Supported actions are: -# NXDOMAIN, NODATA, PASSTHRU, DROP and Local Data. Policies can be loaded from -# file, using zone transfer, or using HTTP. The respip module needs to be added +# RPZ policies. Applied in order of configuration. QNAME, Response IP +# Address, nsdname, nsip and clientip triggers are supported. Supported +# actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp-only +# and drop. Policies can be loaded from a file, or using zone +# transfer, or using HTTP. The respip module needs to be added # to the module-config, e.g.: module-config: "respip validator iterator". # rpz: # name: "rpz.example.com" 
@@ -1223,4 +1224,6 @@ auth-zone: # rpz-cname-override: www.example.org # rpz-log: yes # rpz-log-name: "example policy" +# rpz-signal-nxdomain-ra: no +# for-downstream: no # tags: "example" From 0808d584c014c9a92b4875daf92324e95d5d7472 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Wed, 20 Apr 2022 21:06:56 +0200 Subject: [PATCH 02/14] Update icann bundle, fix spec errors rpmlint detects several errors, fix some detected issues. --- icannbundle.pem | 216 ------------------------------------------------ unbound.spec | 15 ++-- 2 files changed, 9 insertions(+), 222 deletions(-) diff --git a/icannbundle.pem b/icannbundle.pem index d76ce0b..ceeef5b 100644 --- a/icannbundle.pem +++ b/icannbundle.pem 
@@ -1,59 +1,3 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 1 (0x1) - Signature Algorithm: sha256WithRSAEncryption - Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US - Validity - Not Before: Dec 23 04:19:12 2009 GMT - Not After : Dec 18 04:19:12 2029 GMT - Subject: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public Key: (2048 bit) - Modulus (2048 bit): - 00:a0:db:70:b8:4f:34:da:9c:d4:d0:7e:bb:ea:15: - bc:e9:c9:11:2a:1f:61:2f:6a:b9:bd:3f:3d:76:a0: - 9a:0a:f7:ee:93:6e:6e:55:53:84:8c:f2:2c:f1:82: - 27:c8:0f:9a:cf:52:1b:54:da:28:d2:2c:30:8e:dd: - fb:92:20:33:2d:d6:c8:f1:0e:10:21:88:71:fa:84: - 22:4b:5d:47:56:16:7c:9b:9f:5d:c3:11:79:9c:14: - e2:ff:c0:74:ac:dd:39:d7:e0:38:d8:b0:73:aa:fb: - d1:db:84:af:52:22:a8:f6:d5:9b:94:f4:e6:5d:5e: - e8:3f:87:90:0b:c7:1a:77:f5:2e:d3:8f:1a:ce:02: - 1d:07:69:21:47:32:da:46:ae:00:4c:b6:a5:a2:9c: - 39:c1:c0:4a:f6:d3:1c:ae:d3:6d:bb:c7:18:f0:7e: - ed:f6:80:ce:d0:01:2e:89:de:12:ba:ee:11:cb:a6: - 7a:d7:0d:7c:f3:08:8d:72:9d:bf:55:75:13:70:bb: - 31:22:4a:cb:e8:c0:aa:a4:09:aa:36:68:40:60:74: - 9d:e7:19:81:43:22:52:fe:c9:2b:52:0f:41:13:36: - 09:72:65:95:cc:89:ae:6f:56:17:16:34:73:52:a3: - 04:ed:bd:88:82:8a:eb:d7:dc:82:52:9c:06:e1:52: - 85:41 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Key Usage: critical - Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign - X509v3 Subject Key Identifier: - BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 - Signature Algorithm: sha256WithRSAEncryption - 0f:f1:e9:82:a2:0a:87:9f:2d:94:60:5a:b2:c0:4b:a1:2f:2b: - 3b:47:d5:0a:99:86:38:b2:ec:c6:3b:89:e4:6e:07:cf:14:c7: - c7:e8:cf:99:8f:aa:30:c3:19:70:b9:e6:6d:d6:3f:c8:68:26: - b2:a0:a5:37:42:ca:d8:62:80:d1:a2:5a:48:2e:1f:85:3f:0c: - 7b:c2:c7:94:11:5f:19:2a:95:ac:a0:3a:03:d8:91:5b:2e:0d: - 
9c:7c:1f:2e:fc:e9:44:e1:16:26:73:1c:45:4a:65:c1:83:4c: - 90:f3:f2:28:42:df:db:c4:e7:04:12:18:62:43:5e:bc:1f:6c: - 84:e6:bc:49:32:df:61:d7:99:ee:e4:90:52:7b:0a:c2:91:8a: - 98:62:66:b1:c8:e0:b7:5a:b5:46:7c:76:71:54:8e:cc:a4:81: - 5c:19:db:d2:6f:66:b5:bb:2b:ae:6b:c9:74:04:a8:24:de:e8: - c5:d3:fc:2c:1c:d7:8f:db:6a:8d:c9:53:be:5d:50:73:ac:cf: - 1f:93:c0:52:50:5b:a2:4f:fe:ad:65:36:17:46:d1:2d:e5:a2: - 90:66:05:db:29:4e:5d:50:5d:e3:4f:da:a0:8f:f0:6b:e4:16: - 70:dd:7f:f3:77:7d:b9:4e:f9:ec:c3:33:02:d7:e9:63:2f:31: - e7:40:61:a4 -----BEGIN CERTIFICATE----- MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV 
@@ -75,163 +19,3 @@ DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH 0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk -----END CERTIFICATE----- -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 11 (0xb) - Signature Algorithm: sha256WithRSAEncryption - Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US - Validity - Not Before: Nov 8 23:39:47 2016 GMT - Not After : Nov 6 23:39:47 2026 GMT - Subject: O=ICANN, CN=ICANN EMAIL CA - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public Key: (2048 bit) - Modulus (2048 bit): - 00:d2:19:1e:22:69:33:f6:a4:d2:76:c5:80:11:75: - 8e:d0:e8:6f:bf:89:f8:2a:6a:da:8a:85:28:40:ba: - c5:23:5f:47:ed:72:e2:8e:d3:5c:c8:8a:3a:99:a9: - 57:2c:0a:2b:22:f3:54:7b:8b:f7:8c:21:a2:50:01: - 4f:8b:af:34:df:72:fc:78:31:d0:1d:eb:bc:9b:e6: - fa:c1:84:d0:05:07:8a:74:53:a5:60:9e:eb:75:9e: - a8:5d:32:c8:02:32:e4:bf:cb:97:9b:7a:fa:2c:f6: - 6a:1d:b8:57:ad:e3:03:22:93:d0:f4:4f:a8:b8:01: - db:82:33:98:b6:87:ed:3d:67:40:00:27:2e:d5:95: - d2:ad:36:46:14:c6:17:79:65:7f:65:f3:88:80:65: - 7c:22:67:08:23:3c:cf:a5:10:38:72:30:97:92:6f: - 20:4a:ba:24:4c:4a:c8:4a:a5:dc:2a:44:a1:29:78: - b4:9f:fe:84:ff:27:5b:3a:72:ea:31:c1:ad:06:22: - d6:44:a0:4a:57:32:9c:f2:46:47:d0:89:6e:20:23: - 2c:ea:b0:83:7e:c1:f3:ea:da:dd:e3:63:59:97:21: - fa:1b:11:39:27:cf:82:8b:56:15:d4:36:92:0c:a5: - 7e:80:e0:18:c9:50:08:42:0a:df:97:3c:9c:b8:0a: - 4d:b1 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - X509v3 Authority Key Identifier: - keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 - - X509v3 Subject Key Identifier: - 7B:3F:BA:CE:A1:B3:A6:13:2E:5A:82:84:D4:D2:EA:A5:24:F1:CD:B4 - Signature Algorithm: sha256WithRSAEncryption - 0e:8a:c9:ea:6f:9c:e9:23:b6:9c:a6:a4:c2:d1:b1:ee:25:18: - 24:2b:79:d4:a8:f2:99:b9:5c:91:4d:e6:2b:32:2e:01:f5:87: - 
95:64:fc:6d:f1:87:fa:24:b4:43:4b:49:f3:84:54:44:eb:af: - 41:ab:49:ab:c8:b7:32:6c:14:83:5b:d7:2c:41:f9:89:d5:c4: - 2b:9a:55:c5:b6:ad:17:d5:4d:bc:41:58:56:72:0d:db:b7:7d: - 57:c6:a2:9c:7e:6b:67:ae:26:f8:26:45:bb:c4:95:2e:ea:71: - e3:b4:7a:69:95:a4:8a:80:f8:59:dc:88:6e:e1:a7:fc:bb:8e: - b2:aa:a8:b6:1b:2f:2c:97:a5:12:d5:82:ae:a0:e8:a6:15:fd: - d1:e0:5d:e4:84:b1:76:db:0a:e2:ca:58:2e:d3:df:48:4e:46: - ac:c6:35:79:17:99:ce:e9:be:2c:e4:c2:50:ff:5b:96:15:cd: - 64:ac:1b:db:fe:d2:ac:43:61:c8:5f:ee:24:b6:a4:3b:d2:ff: - 0a:f4:0c:88:58:a1:9d:a4:c1:1f:6a:6c:67:90:98:e8:1f:5e: - 2d:55:60:91:26:2a:b1:66:80:e4:e6:0e:05:2c:75:a9:ca:0b: - e4:a0:8f:e1:47:a8:8f:61:5d:7c:ce:09:60:88:48:c3:46:bf: - be:7e:36:be ------BEGIN CERTIFICATE----- -MIIDZDCCAkygAwIBAgIBCzANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO -TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV -BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTE2MTEwODIzMzk0N1oX -DTI2MTEwNjIzMzk0N1owKTEOMAwGA1UEChMFSUNBTk4xFzAVBgNVBAMTDklDQU5O -IEVNQUlMIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0hkeImkz -9qTSdsWAEXWO0Ohvv4n4KmraioUoQLrFI19H7XLijtNcyIo6malXLAorIvNUe4v3 -jCGiUAFPi68033L8eDHQHeu8m+b6wYTQBQeKdFOlYJ7rdZ6oXTLIAjLkv8uXm3r6 -LPZqHbhXreMDIpPQ9E+ouAHbgjOYtoftPWdAACcu1ZXSrTZGFMYXeWV/ZfOIgGV8 -ImcIIzzPpRA4cjCXkm8gSrokTErISqXcKkShKXi0n/6E/ydbOnLqMcGtBiLWRKBK -VzKc8kZH0IluICMs6rCDfsHz6trd42NZlyH6GxE5J8+Ci1YV1DaSDKV+gOAYyVAI -QgrflzycuApNsQIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE -AwIBBjAfBgNVHSMEGDAWgBS6UulJgySGUi/Hmc38jWtpCE3AUDAdBgNVHQ4EFgQU -ez+6zqGzphMuWoKE1NLqpSTxzbQwDQYJKoZIhvcNAQELBQADggEBAA6KyepvnOkj -tpympMLRse4lGCQredSo8pm5XJFN5isyLgH1h5Vk/G3xh/oktENLSfOEVETrr0Gr -SavItzJsFINb1yxB+YnVxCuaVcW2rRfVTbxBWFZyDdu3fVfGopx+a2euJvgmRbvE -lS7qceO0emmVpIqA+FnciG7hp/y7jrKqqLYbLyyXpRLVgq6g6KYV/dHgXeSEsXbb -CuLKWC7T30hORqzGNXkXmc7pvizkwlD/W5YVzWSsG9v+0qxDYchf7iS2pDvS/wr0 -DIhYoZ2kwR9qbGeQmOgfXi1VYJEmKrFmgOTmDgUsdanKC+Sgj+FHqI9hXXzOCWCI -SMNGv75+Nr4= ------END CERTIFICATE----- -Certificate: - Data: - Version: 3 (0x2) - 
Serial Number: 10 (0xa) - Signature Algorithm: sha256WithRSAEncryption - Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US - Validity - Not Before: Nov 8 23:38:16 2016 GMT - Not After : Nov 6 23:38:16 2026 GMT - Subject: O=ICANN, CN=ICANN SSL CA - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public Key: (2048 bit) - Modulus (2048 bit): - 00:dd:c6:ab:bf:7c:66:9d:b3:2b:96:00:14:c7:60: - 7a:8d:62:5b:26:4b:30:d7:b3:4c:82:69:c6:4d:4d: - 73:f3:d4:91:21:5d:ab:35:f0:c8:04:0e:f4:a3:35: - e2:e1:18:a9:98:12:03:58:f8:9f:eb:77:54:5b:89: - 81:26:c9:aa:c2:f4:c9:0c:82:57:2a:5e:05:e9:61: - 17:cc:19:18:71:eb:35:83:c1:86:9d:ec:f1:6b:ca: - dd:a1:96:0b:95:d4:e1:0f:9e:24:6f:dc:3c:d0:28: - 9e:f2:53:47:2b:a1:ad:32:03:c8:3f:0d:80:80:7d: - f0:02:d2:6e:5a:2c:44:21:9b:09:50:15:3f:a1:3d: - d3:c9:c8:24:e7:ea:4e:92:2f:94:90:2e:de:e7:68: - f6:c6:b3:90:1f:bc:c9:7b:a2:65:d7:11:e9:8b:f0: - 3a:5a:b7:17:07:df:69:e3:6e:b9:54:6a:8e:3a:aa: - 94:7f:2c:0a:a1:ad:ba:b7:d9:60:62:27:a7:71:40: - 3b:8e:b0:84:7b:b8:c8:67:ef:66:ba:3d:ac:c3:85: - e5:86:bb:a7:9c:fd:b6:e1:c0:10:53:3d:d4:7e:1b: - 09:e6:9f:22:5c:a7:27:09:7e:27:12:33:fa:df:9b: - 20:2f:14:f7:17:c0:e4:1e:07:91:1f:f9:9a:cd:a8: - e2:c5 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - X509v3 Authority Key Identifier: - keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 - - X509v3 Subject Key Identifier: - 6E:77:A8:40:10:4A:D8:9C:0C:F2:B7:5A:3A:A5:2F:79:4A:61:14:D8 - Signature Algorithm: sha256WithRSAEncryption - 47:46:4f:c7:5f:46:e3:d1:dc:fc:2b:f8:fc:65:ce:36:b1:f4: - 5f:ee:14:75:a3:d9:5f:de:75:4b:fa:7b:88:9f:10:8c:2e:97: - cc:35:1b:ce:24:d3:36:60:95:d5:ae:11:b6:3f:8b:f4:12:69: - 85:b5:3b:2a:b6:ab:7a:81:85:c2:55:57:ed:d0:b5:e7:4f:54: - 37:51:24:c9:d5:07:3a:ef:b6:c5:1a:3e:14:29:a7:a6:f8:08: - 2a:0b:26:79:f9:62:85:4a:e5:ea:90:ca:71:38:16:91:4e:7e: - 
fd:e3:b3:f3:55:8f:5a:d0:86:cf:33:94:88:f1:90:99:cb:81: - e2:81:92:68:2f:c3:61:d5:52:8d:e6:9a:5b:00:83:42:27:88: - f6:d9:fa:d1:bc:bb:b0:bc:b5:14:0b:4e:1a:54:ef:fa:d6:9d: - c4:0c:fc:ed:15:ab:21:4b:45:b5:d9:3b:ed:3c:d5:1e:2e:7a: - 83:6f:24:45:d4:4c:b4:ef:60:43:18:d0:84:5d:16:7b:f5:50: - 80:b1:a9:c2:8f:3b:c8:90:08:fd:aa:17:13:19:38:19:d1:8e: - 85:7c:1e:57:16:8c:f9:8a:e8:29:25:38:cd:bb:55:8e:4a:6a: - 6f:e5:7d:fc:d7:55:d6:ae:38:07:96:c1:97:ff:e5:2b:4f:99: - 2d:70:f2:08 ------BEGIN CERTIFICATE----- -MIIDYjCCAkqgAwIBAgIBCjANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO -TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV -BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTE2MTEwODIzMzgxNloX -DTI2MTEwNjIzMzgxNlowJzEOMAwGA1UEChMFSUNBTk4xFTATBgNVBAMTDElDQU5O -IFNTTCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN3Gq798Zp2z -K5YAFMdgeo1iWyZLMNezTIJpxk1Nc/PUkSFdqzXwyAQO9KM14uEYqZgSA1j4n+t3 -VFuJgSbJqsL0yQyCVypeBelhF8wZGHHrNYPBhp3s8WvK3aGWC5XU4Q+eJG/cPNAo -nvJTRyuhrTIDyD8NgIB98ALSblosRCGbCVAVP6E908nIJOfqTpIvlJAu3udo9saz -kB+8yXuiZdcR6YvwOlq3FwffaeNuuVRqjjqqlH8sCqGturfZYGInp3FAO46whHu4 -yGfvZro9rMOF5Ya7p5z9tuHAEFM91H4bCeafIlynJwl+JxIz+t+bIC8U9xfA5B4H -kR/5ms2o4sUCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC -AQYwHwYDVR0jBBgwFoAUulLpSYMkhlIvx5nN/I1raQhNwFAwHQYDVR0OBBYEFG53 -qEAQSticDPK3WjqlL3lKYRTYMA0GCSqGSIb3DQEBCwUAA4IBAQBHRk/HX0bj0dz8 -K/j8Zc42sfRf7hR1o9lf3nVL+nuInxCMLpfMNRvOJNM2YJXVrhG2P4v0EmmFtTsq -tqt6gYXCVVft0LXnT1Q3USTJ1Qc677bFGj4UKaem+AgqCyZ5+WKFSuXqkMpxOBaR -Tn7947PzVY9a0IbPM5SI8ZCZy4HigZJoL8Nh1VKN5ppbAINCJ4j22frRvLuwvLUU -C04aVO/61p3EDPztFashS0W12TvtPNUeLnqDbyRF1Ey072BDGNCEXRZ79VCAsanC -jzvIkAj9qhcTGTgZ0Y6FfB5XFoz5iugpJTjNu1WOSmpv5X3811XWrjgHlsGX/+Ur -T5ktcPII ------END CERTIFICATE----- diff --git a/unbound.spec b/unbound.spec index 51ec747..ad0d472 100644 --- a/unbound.spec +++ b/unbound.spec 
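Review bot: Dropping the ICANN EMAIL CA and ICANN SSL CA certificates leaves only the root CA in icannbundle.pem, and neither this hunk nor the commit message ("Update icann bundle, fix spec errors") says where the new bundle was taken from or why the intermediates are no longer needed. This file is what unbound-anchor is pointed at with `-c /etc/unbound/icannbundle.pem` (visible in the service lines later in the series) to verify the fetched root trust anchor, so please confirm the signature chain validates against the root alone and cite the upstream source of the bundle in the commit message or a comment in the spec next to the `%config` entry. Removing the human-readable `Certificate:` text dumps is harmless, as the PEM loader only consumes the BEGIN/END blocks.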
@@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.13.2 -Release: 1%{?extra_version:.%{extra_version}}%{?dist} +Release: 2%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -310,7 +310,7 @@ do echo ".so man3/libunbound.3" > %{buildroot}%{_mandir}/man3/$mpage ; done -mkdir -p %{buildroot}%{_localstatedir}/run/unbound +mkdir -p %{buildroot}%{_rundir}/unbound # Install directories for easier config file drop in @@ -334,7 +334,6 @@ useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \ %systemd_post unbound-keygen.service %post libs -%{?ldconfig} %systemd_post unbound-anchor.timer # start the timer only if installing the package to prevent starting it, if it was stopped on purpose if [ "$1" -eq 1 ]; then @@ -354,7 +353,6 @@ fi %systemd_postun unbound-keygen.service %postun libs -%{?ldconfig} %systemd_postun_with_restart unbound-anchor.timer %check @@ -381,7 +379,7 @@ popd %doc doc/CREDITS doc/FEATURES %{_unitdir}/%{name}.service %{_unitdir}/%{name}-keygen.service -%attr(0755,unbound,unbound) %dir %{_localstatedir}/run/%{name} +%attr(0755,unbound,unbound) %dir %{_rundir}/%{name} %attr(0644,root,root) %{_tmpfilesdir}/unbound.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name} @@ -443,7 +441,9 @@ popd %{_sbindir}/unbound-anchor %{_libdir}/libunbound.so.* %{_mandir}/man8/unbound-anchor* -%{_sysconfdir}/%{name}/icannbundle.pem +# icannbundle and root.key(s) should be replaced from package +# intentionally not using noreplace +%config %{_sysconfdir}/%{name}/icannbundle.pem %{_unitdir}/unbound-anchor.timer %{_unitdir}/unbound-anchor.service %dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name} 
@@ -452,6 +452,9 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Wed Apr 20 2022 Petr Menšík - 1.15.0-2 +- Update icannbundle.pem + * Thu Aug 12 2021 Paul Wouters - 1.13.2-1 - Resolves: rhbz#1992985 unbound-1.13.2 is available - Use system-wide crypto policies From ddcfc8a5372187d5a3e2ada71af88e485eb60944 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Wed, 20 Apr 2022 21:47:30 +0200 Subject: [PATCH 03/14] Add lint exceptions to avoid errors on updates Fixed something, others are just unimportant warnings. --- unbound.rpmlintrc | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 unbound.rpmlintrc diff --git a/unbound.rpmlintrc b/unbound.rpmlintrc new file mode 100644 index 0000000..05dce51 --- /dev/null +++ b/unbound.rpmlintrc 
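Review bot: The new changelog entry is tagged `1.15.0-2`, while the first hunk of this same commit leaves `Version: 1.13.2` and sets `Release: 2…`, so the entry should read `* Wed Apr 20 2022 Petr Menšík - 1.13.2-2`; rpmlint reports exactly this as incoherent-version-in-changelog, which the commit message says it is trying to clean up. The `1.15.0-3` entry added in PATCH 05 repeats the mismatch against the still unchanged `Version: 1.13.2`. The `%changelog` section continues past the end of this hunk.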
@@ -0,0 +1,30 @@
+addFilter(r'crypto-policy-non-compliance-openssl')
+
+# Ignore generated certificates
+addFilter(r'non-readable /etc/unbound/unbound_control.key')
+addFilter(r'non-readable /etc/unbound/unbound_control.pem')
+addFilter(r'non-readable /etc/unbound/unbound_server.key')
+addFilter(r'non-readable /etc/unbound/unbound_server.pem')
+
+addFilter(r'non-standard-gid /etc/unbound/unbound_control.pem')
+addFilter(r'non-standard-gid /etc/unbound/unbound_control.key')
+addFilter(r'non-standard-gid /etc/unbound/unbound_server.pem')
+addFilter(r'non-standard-gid /etc/unbound/unbound_server.key')
+
+# Yes, it is indeed certificate
+addFilter(r'pem-certificate /etc/unbound/icannbundle.pem')
+
+# These files are intentionally replaceable.
+addFilter(r'conffile-without-noreplace-flag /etc/unbound/icannbundle.pem')
+addFilter(r'conffile-without-noreplace-flag /etc/unbound/root.key')
+addFilter(r'conffile-without-noreplace-flag /var/lib/unbound/root.key')
+
+# ldconfig is no longer required
+addFilter(r'post[iu]n-without-ldconfig /usr/lib64/libunbound.so')
+
+# Ignore unbound owned files
+addFilter(r'non-standard-[ug]id (/var/lib|/etc|/run)/unbound')
+
+# Ignore spelling errors
+addFilter(r'spelling-error %description -l en_US ep ')
+addFilter(r'spelling-error %description -l en_US resolvers ')
From da6e8e545c0cae8461a7385873d2093b16122185 Mon Sep 17 00:00:00 2001 From: Petr Sklenar Date: Thu, 24 Mar 2022 10:42:19 +0100 Subject: [PATCH 04/14] Adding fmf plan --- .fmf/version | 1 + ci.fmf | 1 + gating.yaml | 16 ++++++++++++++++ plans/all.fmf | 7 +++++++ plans/tier1-public.fmf | 7 +++++++ 5 files changed, 32 insertions(+) create mode 100644 .fmf/version create mode 100644 ci.fmf create mode 100644 gating.yaml create mode 100644 plans/all.fmf create mode 100644 plans/tier1-public.fmf
diff --git a/.fmf/version b/.fmf/version
new file mode 100644
index 0000000..d00491f
--- /dev/null
+++ b/.fmf/version
@@ -0,0 +1 @@
+1
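Review bot: `addFilter(r'crypto-policy-non-compliance-openssl')` is the only suppression in unbound.rpmlintrc without a comment saying why it is safe, whereas every other group of filters is annotated. As its name suggests the warning concerns bypassing the system-wide crypto policy, so record the reason above it, e.g. `# uses the system-wide crypto policies (see spec changelog 1.13.2-1)`, so the suppression stays reviewable the next time the spec changes. The `non-readable` filters for the unbound_control/unbound_server key and certificate files are appropriate: those are generated by unbound-control-setup (see unbound-keygen.service) and should not be world-readable.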
diff --git a/ci.fmf b/ci.fmf
new file mode 100644
index 0000000..c5aa0e0
--- /dev/null
+++ b/ci.fmf
@@ -0,0 +1 @@
+resultsdb-testcase: separate
diff --git a/gating.yaml b/gating.yaml
new file mode 100644
index 0000000..e4c04e7
--- /dev/null
+++ b/gating.yaml
@@ -0,0 +1,16 @@
+--- !Policy
+product_versions:
+ - fedora-*
+decision_contexts: [bodhi_update_push_testing]
+subject_type: koji_build
+rules:
+ - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional}
+
+#gating rawhide
+--- !Policy
+product_versions:
+ - fedora-*
+decision_contexts: [bodhi_update_push_stable]
+subject_type: koji_build
+rules:
+ - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional}
diff --git a/plans/all.fmf b/plans/all.fmf
new file mode 100644
index 0000000..cd001bd
--- /dev/null
+++ b/plans/all.fmf
@@ -0,0 +1,7 @@
+summary: Test plan with all Fedora tests
+discover:
+ how: fmf
+ url: https://src.fedoraproject.org/tests/unbound.git
+execute:
+ how: tmt
+
diff --git a/plans/tier1-public.fmf b/plans/tier1-public.fmf
new file mode 100644
index 0000000..10f167c
--- /dev/null
+++ b/plans/tier1-public.fmf
@@ -0,0 +1,7 @@
+summary: Public (Fedora) Tier1 beakerlib tests
+discover:
+ how: fmf
+ url: https://src.fedoraproject.org/tests/unbound.git
+ filter: 'tier: 1'
+execute:
+ how: tmt
From cc615737a43ea23d8714bfac8df2b3c793b5ef32 Mon Sep 17 00:00:00 2001
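Review bot: The comment `#gating rawhide` above the second policy in gating.yaml does not describe it: both policies select `product_versions: - fedora-*`, and the only difference between them is the decision context (`bodhi_update_push_testing` versus `bodhi_update_push_stable`). Either reword it to `# gate the push to stable` or narrow the second policy's product_versions if rawhide was really intended; yamllint also wants a space after `#`. The plans in plans/all.fmf and plans/tier1-public.fmf discover tests from an external repository by `url:` alone with no `ref:`, so the gating verdict can change without any change in this repository — worth a comment if that is intended.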
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 26 Apr 2022 16:00:59 +0200 Subject: [PATCH 05/14] Stop creating wrong devel manual pages Devel manual pages install correct manual pages with 3.gz suffix. But there are also additional links just with .gz suffix. They are created only in spec file. I think they were needed before unbound contained proper installation of manuals for development. It is missing .3 suffix. But it is not necessary anymore, because such recipe already exists in upstream Makefile.in. Resolves: rhbz#2078929 --- unbound.spec | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/unbound.spec b/unbound.spec index ad0d472..fc2caf4 100644 --- a/unbound.spec +++ b/unbound.spec @@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.13.2 -Release: 2%{?extra_version:.%{extra_version}}%{?dist} +Release: 3%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -304,12 +304,6 @@ rm %{buildroot}%{python2_sitearch}/*.la rm %{buildroot}%{python3_sitearch}/*.la %endif -# create softlink for all functions of libunbound man pages -for mpage in ub_ctx ub_result ub_ctx_create ub_ctx_delete ub_ctx_set_option ub_ctx_get_option ub_ctx_config ub_ctx_set_fwd ub_ctx_resolvconf ub_ctx_hosts ub_ctx_add_ta ub_ctx_add_ta_file ub_ctx_trustedkeys ub_ctx_debugout ub_ctx_debuglevel ub_ctx_async ub_poll ub_wait ub_fd ub_process ub_resolve ub_resolve_async ub_cancel ub_resolve_free ub_strerror ub_ctx_print_local_zones ub_ctx_zone_add ub_ctx_zone_remove ub_ctx_data_add ub_ctx_data_remove; -do - echo ".so man3/libunbound.3" > %{buildroot}%{_mandir}/man3/$mpage ; -done - mkdir -p %{buildroot}%{_rundir}/unbound # Install directories for easier config file drop in 
@@ -452,6 +446,9 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Tue Apr 26 2022 Petr Menšík - 1.15.0-3 +- Stop creating wrong devel manual pages (#2078929) + * Wed Apr 20 2022 Petr Menšík - 1.15.0-2 - Update icannbundle.pem From 505c4a911929e105228ab0c197ce11cd4f856aca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Sat, 4 Jun 2022 12:08:37 +0200 Subject: [PATCH 06/14] Update to 1.16.0 Adds basic support for EDE (RFC 8914). https://nlnetlabs.nl/projects/unbound/download/#unbound-1-16-0 --- .gitignore | 2 ++ sources | 4 ++-- unbound.spec | 5 ++++- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index bb7787d..9a34e7f 100644 --- a/.gitignore +++ b/.gitignore @@ -67,3 +67,5 @@ unbound-1.4.5.tar.gz /unbound-1.13.1.tar.gz.asc /unbound-1.13.2.tar.gz /unbound-1.13.2.tar.gz.asc +/unbound-1.16.0.tar.gz +/unbound-1.16.0.tar.gz.asc diff --git a/sources b/sources index d54a5cf..1586e1f 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (unbound-1.13.2.tar.gz) = 1e89441446e7a25c6a49bded645f8b348c1758c3be54e3a986041cb1f00c45d152fd469dc52666fb820574db9d51b16f1627dc8afcb9519508d4833ca358191a -SHA512 (unbound-1.13.2.tar.gz.asc) = b905f5f981361131e7a8d3403df632603304778bd7d4fffba8d113c4246d8133f26903a5af53d21b979b652cbae8f6e92620d3a262d8b2837ab8c2a5712650ee +SHA512 (unbound-1.16.0.tar.gz) = 134679c0baad6738541295fcfbf8cc701c647b5d5cd00f87e50394bc7b5b74b7326ed2fc42f3282cae8094b4980c1e580d7b748b7151642c9060c449b644715f +SHA512 (unbound-1.16.0.tar.gz.asc) = 1b7640df051bf9f37e261c4e7fa3b3343982f608c529553985eeb9444688ba9e751f45ad666ab13b783beff24806eef14e9833090a4aea249e1fa5023e3c0432 diff --git a/unbound.spec b/unbound.spec index fc2caf4..f970c6a 100644 --- a/unbound.spec +++ b/unbound.spec 
@@ -29,7 +29,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.13.2 +Version: 1.16.0 Release: 3%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ @@ -446,6 +446,9 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Sat Jun 04 2022 Petr Menšík - 1.16.0-1 +- Update to 1.16.0 + * Tue Apr 26 2022 Petr Menšík - 1.15.0-3 - Stop creating wrong devel manual pages (#2078929) From d74e08893dc6843161de285a0ab0ea1ae464ac4a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 7 Jun 2022 14:17:11 +0200 Subject: [PATCH 07/14] Do not keep keygen running, check certs each time Rely on condition of unbound-keygen service. If it does stop after generating them, then it will recreate also after restart later. That might be the case if someone removes these certificates. --- unbound-keygen.service | 1 - unbound.spec | 5 ++++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/unbound-keygen.service b/unbound-keygen.service index f5e6535..b169002 100644 --- a/unbound-keygen.service +++ b/unbound-keygen.service @@ -13,7 +13,6 @@ Type=oneshot Group=unbound ExecStart=/usr/sbin/unbound-control-setup -d /etc/unbound/ ExecStart=/sbin/restorecon /etc/unbound/* -RemainAfterExit=yes [Install] WantedBy=multi-user.target diff --git a/unbound.spec b/unbound.spec index f970c6a..0536423 100644 --- a/unbound.spec +++ b/unbound.spec @@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.16.0 -Release: 3%{?extra_version:.%{extra_version}}%{?dist} +Release: 4%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz 
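Review bot: The version bump to `1.16.0` leaves the context line `Release: 3%{?extra_version:.%{extra_version}}%{?dist}` untouched, yet the new changelog entry is tagged `1.16.0-1`, so the built package would be 1.16.0-3 with no changelog line describing it. Reset the release in the same commit, `-Release: 3%{?extra_version:.%{extra_version}}%{?dist}` / `+Release: 1%{?extra_version:.%{extra_version}}%{?dist}`, or tag the entry `1.16.0-3`. PATCH 07 then bumps the same line to 4 alongside a `1.16.0-4` entry, so it needs the matching adjustment.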
@@ -446,6 +446,9 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Tue Jun 07 2022 Petr Menšík - 1.16.0-4 +- Restart keygen service before every unbound start + * Sat Jun 04 2022 Petr Menšík - 1.16.0-1 - Update to 1.16.0 From c34b09dbeb715fad70f7b2a069dc1d311b098eb5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Mon, 27 Jun 2022 12:00:02 +0200 Subject: [PATCH 08/14] Move unbound-anchor to separate package It has the service and requires unbound user created. Make it separate, because some users of unbound-libs might not want or need anchor maintenance. Make it also easier to add custom options to unbound-anchor running from the service. Do not start timer from unbound.service, start instead unbound-anchor service before starting unbound. It would ensure root anchor is in the place. Run it from single place from both timer and unbound service. --- unbound-anchor.service | 3 ++- unbound.service | 4 ++-- unbound.spec | 38 ++++++++++++++++++++++++++------------ unbound.sysconfig | 6 +++++- 4 files changed, 35 insertions(+), 16 deletions(-)
diff --git a/unbound-anchor.service b/unbound-anchor.service
index cd949e5..59683c8 100644
--- a/unbound-anchor.service
+++ b/unbound-anchor.service
@@ -5,5 +5,6 @@ Documentation=man:unbound-anchor(8)
 [Service]
 Type=oneshot
 User=unbound
-ExecStart=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R
+EnvironmentFile=-/etc/sysconfig/unbound
+ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi'
 SuccessExitStatus=1
diff --git a/unbound.service b/unbound.service
index c59ffbf..ffaf783 100644
--- a/unbound.service
+++ b/unbound.service
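Review bot: The new `ExecStart` in unbound-anchor.service runs `/usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS`, so the anchor file, certificate bundle, resolv.conf path and `-R` that the removed line passed explicitly now come entirely from /etc/sysconfig/unbound, and `EnvironmentFile=-` tolerates that file being absent. The unbound.sysconfig hunk that presumably supplies the default value lies outside this view, so I cannot confirm it is set. A fallback inside the script preserves the previous behaviour when the variable is unset or empty: add `: "${UNBOUND_ANCHOR_OPTIONS:=-a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R}"` before the `if`. The `-c` bundle selects what the downloaded trust anchor is verified against, so it is the option most worth protecting with a default.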
@@ -3,7 +3,8 @@ Description=Unbound recursive Domain Name Server
 After=network-online.target
 After=unbound-keygen.service
 Wants=unbound-keygen.service
-Wants=unbound-anchor.timer
+After=unbound-anchor.service
+Wants=unbound-anchor.service
 Before=nss-lookup.target
 Wants=nss-lookup.target
@@ -11,7 +12,6 @@ Wants=nss-lookup.target
 Type=simple
 EnvironmentFile=-/etc/sysconfig/unbound
 ExecStartPre=/usr/sbin/unbound-checkconf
-ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_UNBOUND_ANCHOR" == "yes" ]; then /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R; else echo "Updates of root keys with unbound-anchor is disabled"; fi'
 ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
 ExecReload=/usr/sbin/unbound-control reload
diff --git a/unbound.spec b/unbound.spec
index 6627b48..337db4c 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.16.0
-Release: 4%{?extra_version:.%{extra_version}}%{?dist}
+Release: 5%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://nlnetlabs.nl/projects/unbound/
 Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
@@ -88,6 +88,7 @@ BuildRequires: systemd
 # Needed because /usr/sbin/unbound links unbound libs staticly
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Requires: %{name}-anchor%{?_isa} = %{version}-%{release}
 %description
 Unbound is a validating, recursive, and caching DNS(SEC) resolver.
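Review bot: `Wants=unbound-anchor.service` together with `After=unbound-anchor.service` in the first unbound.service hunk only orders the two units; if the anchor refresh fails, unbound still starts, so the commit message's "ensure root anchor is in the place" is stronger than what the unit expresses. Best-effort is a reasonable choice for resolver availability, but state it, e.g. `# Best effort: unbound starts even if the anchor refresh fails (Requires= would make it mandatory)` above the `Wants=` line. Moving the unbound-anchor call out of the removed `ExecStartPre` in the second hunk into a unit with `User=unbound` (unbound-anchor.service in this patch) is a least-privilege improvement, since the pre-start step appears to have run under whatever user this unit has and no `User=` is visible in the hunk.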
@@ -121,14 +122,22 @@ The devel package contains the unbound library and the include files
 %package libs
 Summary: Libraries used by the unbound server and client applications
-Requires(pre): shadow-utils
+Recommends: %{name}-anchor
 %if ! 0%{with_python2}
 # Make explicit conflict with no longer provided python package
 Obsoletes: python2-unbound < 1.9.3
 %endif
 %description libs
-Contains libraries used by the unbound server and client applications
+Contains libraries used by the unbound server and client applications.
+
+%package anchor
+Requires(pre): shadow-utils
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Summary: DNSSEC trust anchor maintaining tool
+
+%description anchor
+Contains tool maintaining trust anchor using RFC 5011 key rollover algorithm.
 %if 0%{with_python2}
 %package -n python2-unbound
@@ -317,7 +326,7 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
-%pre libs
+%pre anchor
 getent group unbound >/dev/null || groupadd -r unbound
 getent passwd unbound >/dev/null || \
 useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \
@@ -327,7 +336,7 @@ useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \
 %systemd_post unbound.service
 %systemd_post unbound-keygen.service
-%post libs
+%post anchor
 %systemd_post unbound-anchor.timer
 # start the timer only if installing the package to prevent starting it, if it was stopped on purpose
 if [ "$1" -eq 1 ]; then
@@ -339,7 +348,7 @@ fi
 %systemd_preun unbound.service
 %systemd_preun unbound-keygen.service
-%preun libs
+%preun anchor
 %systemd_preun unbound-anchor.timer
 %postun
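Review bot: Moving `Requires(pre): shadow-utils` and the `%pre` user creation from `libs` to `anchor` leaves unbound-libs installing files owned by the `unbound` user before that user exists: the `@@ -432,20 +440,26 @@` hunk of this same commit keeps `%dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}` and the unbound-owned `root.key` in what appears to be the libs file list (its `%files libs` header is above that hunk), while `anchor` has `Requires: %{name}-libs`, so on a fresh install rpm orders libs before anchor and unpacks those entries while the owner is still missing, which rpm handles by warning and falling back to root. The anchor service then runs as `User=unbound` and cannot write `/var/lib/unbound/root.key`, so RFC 5011 rollover silently stops working on new installs (upgrades are unaffected because the user already exists); `Recommends: %{name}-anchor` on libs does not fix this, since weak dependencies are neither guaranteed nor ordered ahead of libs. Move the `%{_sharedstatedir}/%{name}` directory and its `root.key` line under `%files anchor`, where `%pre anchor` guarantees the user before the files land, or keep the user creation in `%pre libs`.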
@@ -376,7 +385,6 @@ popd
 %attr(0755,unbound,unbound) %dir %{_rundir}/%{name}
 %attr(0644,root,root) %{_tmpfilesdir}/unbound.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
 %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d
 %attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d/*.key
 %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/conf.d
@@ -432,20 +440,26 @@ popd
 %doc doc/README
 %license doc/LICENSE
 %attr(0755,root,root) %dir %{_sysconfdir}/%{name}
-%{_sbindir}/unbound-anchor
 %{_libdir}/libunbound.so.*
+%dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
+%attr(0644,unbound,unbound) %config %{_sharedstatedir}/%{name}/root.key
+# just left for backwards compat with user changed unbound.conf files - format is different!
+%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
+
+%files anchor
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
+%{_sbindir}/unbound-anchor
 %{_mandir}/man8/unbound-anchor*
 # icannbundle and root.key(s) should be replaced from package
 # intentionally not using noreplace
 %config %{_sysconfdir}/%{name}/icannbundle.pem
 %{_unitdir}/unbound-anchor.timer
 %{_unitdir}/unbound-anchor.service
-%dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
-%attr(0644,unbound,unbound) %config %{_sharedstatedir}/%{name}/root.key
-# just left for backwards compat with user changed unbound.conf files - format is different!
-%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
 %changelog
+* Mon Jun 27 2022 Petr Menšík - 1.16.0-5
+- Move unbound-anchor to separate package
+
 * Tue Jun 07 2022 Petr Menšík - 1.16.0-4
 - Restart keygen service before every unbound start
diff --git a/unbound.sysconfig b/unbound.sysconfig
index fae3306..adcf8fd 100644
--- a/unbound.sysconfig
+++ b/unbound.sysconfig
@@ -1,3 +1,7 @@
-# for extra debug, add "-v -v" or change verbosity: in unbound.conf
+# uncomment following line to skip anchor refresh before unbound start
+#DISABLE_UNBOUND_ANCHOR=yes
+# Better way is systemctl mask unbound-anchor.service
+UNBOUND_ANCHOR_OPTIONS="-f /etc/resolv.conf -R"
+# for extra debug, add "-v -v" or change verbosity: in unbound.conf
 UNBOUND_OPTIONS=""
From aa40efb56e4f1ccdfdaa29914ee362c50d627200 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Mon, 27 Jun 2022 13:53:54 +0200
Subject: [PATCH 09/14] Move host and streamtcp utilities to separate package
They do not require unbound in any sense. They can work with just unbound-libs and therefore should be installable independently of main bigger daemon.
---
 unbound.spec | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/unbound.spec b/unbound.spec
index 337db4c..322a85f 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -89,6 +89,7 @@ BuildRequires: systemd
 # Needed because /usr/sbin/unbound links unbound libs staticly
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Requires: %{name}-anchor%{?_isa} = %{version}-%{release}
+Recommends: %{name}-utils%{?_isa} = %{version}-%{release}
 %description
 Unbound is a validating, recursive, and caching DNS(SEC) resolver.
@@ -139,6 +140,15 @@ Summary: DNSSEC trust anchor maintaining tool
 %description anchor
 Contains tool maintaining trust anchor using RFC 5011 key rollover algorithm.
+%package utils
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Summary: Unbound DNS lookup utilities
+
+%description utils
+Contains tools for making DNS queries. Can make queries to DNS servers
+also over TLS connection or validate DNSSEC signatures. Similar to
+bind-utils.
+
 %if 0%{with_python2}
 %package -n python2-unbound
 %{?python_provide:%python_provide python2-unbound}
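Review bot: `UNBOUND_ANCHOR_OPTIONS` is added to a file the spec ships as `%config(noreplace)` (the `%files anchor` hunk of this commit), so a host upgraded with a locally edited `/etc/sysconfig/unbound` keeps its old file, the variable stays unset, and `unbound-anchor.service` runs `/usr/sbin/unbound-anchor` with no `-f`/`-R` at all, unlike the old `ExecStartPre` which always passed them explicitly. Because the command already runs through `bash -c`, a default expansion in the unit keeps the refresh behaviour stable when the variable is missing, e.g. `/usr/sbin/unbound-anchor ${UNBOUND_ANCHOR_OPTIONS:--f /etc/resolv.conf -R}` (verify that the target systemd version's own `${}` substitution leaves this intact or yields the same text). Otherwise the changelog should at least tell administrators that existing sysconfig files need the new line.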
@@ -399,9 +409,6 @@ popd
 %{_sbindir}/unbound-checkconf
 %{_sbindir}/unbound-control
 %{_sbindir}/unbound-control-setup
-%{_sbindir}/unbound-host
-%{_sbindir}/unbound-streamtcp
-%{_mandir}/man1/*
 %{_mandir}/man5/*
 %exclude %{_mandir}/man8/unbound-anchor*
 %{_mandir}/man8/*
@@ -456,9 +463,15 @@ popd
 %{_unitdir}/unbound-anchor.timer
 %{_unitdir}/unbound-anchor.service
+%files utils
+%{_sbindir}/unbound-host
+%{_sbindir}/unbound-streamtcp
+%{_mandir}/man1/unbound-*
+
 %changelog
 * Mon Jun 27 2022 Petr Menšík - 1.16.0-5
 - Move unbound-anchor to separate package
+- Move unbound-host and unbound-streamtcp to unbound-utils package
 * Tue Jun 07 2022 Petr Menšík - 1.16.0-4
 - Restart keygen service before every unbound start
From f216966e35c5c19513648b7da49bafc4c5dfa19c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Wed, 3 Aug 2022 20:12:34 +0200
Subject: [PATCH 10/14] Update to 0.16.2 (#2105947)
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-16-2
---
 .gitignore | 2 ++
 sources | 4 ++--
 unbound.spec | 7 +++++--
 3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/.gitignore b/.gitignore
index 3b9ae64..7bd5a0c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -71,3 +71,5 @@ unbound-1.4.5.tar.gz
 /unbound-1.15.0.tar.gz.asc
 /unbound-1.16.0.tar.gz
 /unbound-1.16.0.tar.gz.asc
+/unbound-1.16.2.tar.gz
+/unbound-1.16.2.tar.gz.asc
diff --git a/sources b/sources
index 1586e1f..abff2db 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (unbound-1.16.0.tar.gz) = 134679c0baad6738541295fcfbf8cc701c647b5d5cd00f87e50394bc7b5b74b7326ed2fc42f3282cae8094b4980c1e580d7b748b7151642c9060c449b644715f
-SHA512 (unbound-1.16.0.tar.gz.asc) = 1b7640df051bf9f37e261c4e7fa3b3343982f608c529553985eeb9444688ba9e751f45ad666ab13b783beff24806eef14e9833090a4aea249e1fa5023e3c0432
+SHA512 (unbound-1.16.2.tar.gz) = 0ea65ea63265be677441bd2a28df12098ec5e86c3372240c2874f9bd13752b8b818da81ae6076cf02cbeba3d36e397698a4c2b50570be1a6a8e47f57a0251572
+SHA512 (unbound-1.16.2.tar.gz.asc) = bc5241c86f90be76886209c81d6f1c025d4774fa00d114180b99d43999f31b1b4c8d123717b8a79a60bc3acfcbe9f46678b80b3d961431c7bfd05ff48c69ef4f
diff --git a/unbound.spec b/unbound.spec
index 322a85f..137e36e 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -29,8 +29,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.16.0
-Release: 5%{?extra_version:.%{extra_version}}%{?dist}
+Version: 1.16.2
+Release: 1%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://nlnetlabs.nl/projects/unbound/
 Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
@@ -469,6 +469,9 @@ popd
 %{_mandir}/man1/unbound-*
 %changelog
+* Wed Aug 03 2022 Petr Menšík - 1.16.2-1
+- Update to 1.16.2 (#2105947)
+
 * Mon Jun 27 2022 Petr Menšík - 1.16.0-5
 - Move unbound-anchor to separate package
 - Move unbound-host and unbound-streamtcp to unbound-utils package
From cd04c373b304b647bff5a0996872f86a08c8d6d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Wed, 3 Aug 2022 20:12:34 +0200
Subject: [PATCH 11/14] Update to 0.16.2 (#2105947)
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-16-2
---
 .gitignore | 2 ++
 sources | 4 ++--
 unbound.spec | 7 +++++--
 3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/.gitignore b/.gitignore
index 9a34e7f..dbd8714 100644
--- a/.gitignore
+++ b/.gitignore
@@ -69,3 +69,5 @@ unbound-1.4.5.tar.gz
 /unbound-1.13.2.tar.gz.asc
 /unbound-1.16.0.tar.gz
 /unbound-1.16.0.tar.gz.asc
+/unbound-1.16.2.tar.gz
+/unbound-1.16.2.tar.gz.asc
diff --git a/sources b/sources
index 1586e1f..abff2db 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (unbound-1.16.0.tar.gz) = 134679c0baad6738541295fcfbf8cc701c647b5d5cd00f87e50394bc7b5b74b7326ed2fc42f3282cae8094b4980c1e580d7b748b7151642c9060c449b644715f
-SHA512 (unbound-1.16.0.tar.gz.asc) = 1b7640df051bf9f37e261c4e7fa3b3343982f608c529553985eeb9444688ba9e751f45ad666ab13b783beff24806eef14e9833090a4aea249e1fa5023e3c0432
+SHA512 (unbound-1.16.2.tar.gz) = 0ea65ea63265be677441bd2a28df12098ec5e86c3372240c2874f9bd13752b8b818da81ae6076cf02cbeba3d36e397698a4c2b50570be1a6a8e47f57a0251572
+SHA512 (unbound-1.16.2.tar.gz.asc) = bc5241c86f90be76886209c81d6f1c025d4774fa00d114180b99d43999f31b1b4c8d123717b8a79a60bc3acfcbe9f46678b80b3d961431c7bfd05ff48c69ef4f
diff --git a/unbound.spec b/unbound.spec
index 0536423..be0f696 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -29,8 +29,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.16.0
-Release: 4%{?extra_version:.%{extra_version}}%{?dist}
+Version: 1.16.2
+Release: 1%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://nlnetlabs.nl/projects/unbound/
 Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
@@ -446,6 +446,9 @@ popd
 %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
 %changelog
+* Wed Aug 03 2022 Petr Menšík - 1.16.2-1
+- Update to 1.16.2 (#2105947)
+
 * Tue Jun 07 2022 Petr Menšík - 1.16.0-4
 - Restart keygen service before every unbound start
From d93dc48524bfc2f87f7e5b0b45a4e18674ea3990 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Tue, 9 Aug 2022 12:11:15 +0200
Subject: [PATCH 12/14] Require openssl tool for unbound-keygen (#2116790)
---
 unbound.spec | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/unbound.spec b/unbound.spec
index 137e36e..dd281a1 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.16.2
-Release: 1%{?extra_version:.%{extra_version}}%{?dist}
+Release: 2%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://nlnetlabs.nl/projects/unbound/
 Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
@@ -90,6 +90,8 @@ BuildRequires: systemd
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Requires: %{name}-anchor%{?_isa} = %{version}-%{release}
 Recommends: %{name}-utils%{?_isa} = %{version}-%{release}
+# unbound-keygen.service requires it, bug #2116790
+Requires: openssl
 %description
 Unbound is a validating, recursive, and caching DNS(SEC) resolver.
@@ -469,6 +471,9 @@ popd
 %{_mandir}/man1/unbound-*
 %changelog
+* Tue Aug 09 2022 Petr Menšík - 1.16.2-2
+- Require openssl tool for unbound-keygen (#2116790)
+
 * Wed Aug 03 2022 Petr Menšík - 1.16.2-1
 - Update to 1.16.2 (#2105947)
From ae58676ba88dc2fca0902908411dce7d3e9f96ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Tue, 9 Aug 2022 12:11:15 +0200
Subject: [PATCH 13/14] Require openssl tool for unbound-keygen (#2116790)
---
 unbound.spec | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/unbound.spec b/unbound.spec
index be0f696..47c7d46 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.16.2
-Release: 1%{?extra_version:.%{extra_version}}%{?dist}
+Release: 2%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://nlnetlabs.nl/projects/unbound/
 Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
@@ -88,6 +88,8 @@ BuildRequires: systemd
 # Needed because /usr/sbin/unbound links unbound libs staticly
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+# unbound-keygen.service requires it, bug #2116790
+Requires: openssl
 %description
 Unbound is a validating, recursive, and caching DNS(SEC) resolver.
@@ -446,6 +448,9 @@ popd
 %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
 %changelog
+* Tue Aug 09 2022 Petr Menšík - 1.16.2-2
+- Require openssl tool for unbound-keygen (#2116790)
+
 * Wed Aug 03 2022 Petr Menšík - 1.16.2-1
 - Update to 1.16.2 (#2105947)
From 780cfafdf04105134a099910453f3abe73fd5466 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Fri, 23 Sep 2022 23:01:23 +0200
Subject: [PATCH 14/14] Update to 1.16.3
Resolves: rhbz#2128638 CVE-2022-3204
---
 .gitignore | 2 ++
 sources | 4 ++--
 unbound.spec | 7 +++++--
 3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/.gitignore b/.gitignore
index 7bd5a0c..3476ae7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -73,3 +73,5 @@ unbound-1.4.5.tar.gz
 /unbound-1.16.0.tar.gz.asc
 /unbound-1.16.2.tar.gz
 /unbound-1.16.2.tar.gz.asc
+/unbound-1.16.3.tar.gz
+/unbound-1.16.3.tar.gz.asc
diff --git a/sources b/sources
index abff2db..c6e4d53 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (unbound-1.16.2.tar.gz) = 0ea65ea63265be677441bd2a28df12098ec5e86c3372240c2874f9bd13752b8b818da81ae6076cf02cbeba3d36e397698a4c2b50570be1a6a8e47f57a0251572
-SHA512 (unbound-1.16.2.tar.gz.asc) = bc5241c86f90be76886209c81d6f1c025d4774fa00d114180b99d43999f31b1b4c8d123717b8a79a60bc3acfcbe9f46678b80b3d961431c7bfd05ff48c69ef4f
+SHA512 (unbound-1.16.3.tar.gz) = ef5cda926dd1082a750615d8687bccd756869c66e9f24f984fda4c6613f94f3e4884db328b8d7b490777a75d3e616dcb61c5258e7777923c0590e6fabacd207c
+SHA512 (unbound-1.16.3.tar.gz.asc) = b106f080d877e479d944a7ebe24a380f4c40c38308733f43f8a60d4e7aedc6597e6daa4a1428f596e705c9c75e6ee7b4187dbbc5750a9c406f59d76d4f1b4a8d
diff --git a/unbound.spec b/unbound.spec
index 859792e..e923580 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -29,8 +29,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.16.2
-Release: 3%{?extra_version:.%{extra_version}}%{?dist}
+Version: 1.16.3
+Release: 1%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://nlnetlabs.nl/projects/unbound/
 Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
@@ -471,6 +471,9 @@ popd
 %{_mandir}/man1/unbound-*
 %changelog
+* Fri Sep 23 2022 Petr Menšík - 1.16.3-1
+- Update to 1.16.3 (#2128638)
+
 * Tue Aug 09 2022 Paul Wouters - 1.16.2-3
 - sync up to upstream unbound.conf
 - Enable Extended DNS Error codes (RFC8914)