From b2855b7bff586ee8402aca1175822a881acb920a Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Tue, 19 May 2020 15:07:41 -0400 Subject: [PATCH 001/139] * Tue May 19 2020 Paul Wouters - 1.10.1-1 - Resolves: rhbz#1837279 unbound-1.10.1 is available - Resolves: rhbz#1837598 CVE-2020-12662 unbound: insufficient control of network message volume leads to DoS - Resolves: rhbz#1837609 CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers - Updated unbound.conf for new options in 1.10.1 --- .gitignore | 1 + sources | 3 +-- unbound.conf | 27 +++++++++++++++++++++++++++ unbound.spec | 10 ++++++++-- 4 files changed, 37 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 513eec6..bd711c5 100644 --- a/.gitignore +++ b/.gitignore @@ -57,3 +57,4 @@ unbound-1.4.5.tar.gz /unbound-1.9.6.tar.gz /unbound-1.10.0.tar.gz /unbound-1.10.0.tar.gz.asc +/unbound-1.10.1.tar.gz diff --git a/sources b/sources index 427fe5c..f5b7bd7 100644 --- a/sources +++ b/sources @@ -1,2 +1 @@ -SHA512 (unbound-1.10.0.tar.gz) = a64514990f5d614d749045a11f5ce9bb33cf856cc31895b4db3503f2b05a98f1ca57945b17dd7ec5befbd0c356fc42a717d3e2bae3d3510a0507d0445b1f6d59 -SHA512 (unbound-1.10.0.tar.gz.asc) = e5fb047d9e5313e512e7d09e309f8467389c4887a1886446cb6eb7e26c97d9f3351a430d8c44bcac0cb405f3ce44ec71e1fa616e988c8f961016ec7f09c450a4 +SHA512 (unbound-1.10.1.tar.gz) = d07f3ac0e751c17a3ff7d99518c22529cf6856861218564a2ca073422905525cb9ddaf76c9600187946fadb7324343bcd85c34ff06bd322e0ea621a2d258bb85 diff --git a/unbound.conf b/unbound.conf index 8f7d9f6..b130f9b 100644 --- a/unbound.conf +++ b/unbound.conf 
@@ -601,6 +601,16 @@ server: # for it. # serve-expired-ttl-reset: no + # TTL value to use when replying with expired data. + # serve-expired-reply-ttl: 30 + # + # Time in milliseconds before replying to the client with expired data. + # This essentially enables the serve-stale behavior as specified in + # draft-ietf-dnsop-serve-stale-10 that first tries to resolve before + # immediately responding with expired data. 0 disables this behavior. + # A recommended value is 1800. + # serve-expired-client-timeout: 0 + # Have the validator log failed validations for your diagnosis. # 0: off. 1: A line per failed user query. 2: With reason and bad IP. val-log-level: 1 @@ -1057,3 +1067,20 @@ auth-zone: # name-v6: "list-v6" # +# Response Policy Zones +# RPZ policies. Applied in order of configuration. QNAME and Response IP +# Address trigger are the only supported triggers. Supported actions are: +# NXDOMAIN, NODATA, PASSTHRU, DROP and Local Data. Policies can be loaded from +# file, using zone transfer, or using HTTP. The respip module needs to be added +# to the module-config, e.g.: module-config: "respip validator iterator". +# rpz: +# name: "rpz.example.com" +# zonefile: "rpz.example.com" +# master: 192.0.2.0 +# allow-notify: 192.0.2.0/32 +# url: http://www.example.com/rpz.example.org.zone +# rpz-action-override: cname +# rpz-cname-override: www.example.org +# rpz-log: yes +# rpz-log-name: "example policy" +# tags: "example" diff --git a/unbound.spec b/unbound.spec index e65ce30..3b2e492 100644 --- a/unbound.spec +++ b/unbound.spec @@ -35,8 +35,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.10.0 -Release: 3%{?extra_version:.%{extra_version}}%{?dist} +Version: 1.10.1 +Release: 1%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz 
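Review bot: The new comment for serve-expired-client-timeout explains that 0 disables the try-to-resolve-first behaviour, but not what that means for this file, where serve-expired is set to yes (visible as a context line in a later patch of this series, at L12): with the shipped 0 the resolver answers from expired cache at once and only then refreshes. A one-line addition next to `# serve-expired-client-timeout: 0` would make that trade-off visible to whoever edits the packaged config: `# With serve-expired: yes and this left at 0, stale data is returned immediately; set a timeout to attempt a fresh resolve first.` The server clause this hunk sits in starts and ends outside the hunk.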
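Review bot: The RPZ example fetches the policy zone with `url: http://www.example.com/rpz.example.org.zone`, i.e. over plain HTTP. RPZ data directly rewrites answers (NXDOMAIN, DROP, CNAME override, per the comment block above it), so an unauthenticated transport lets anyone on the path substitute the policy; the example should model the safer choice, `# url: https://www.example.com/rpz.example.org.zone`, or the comment should state that an https url or an authenticated zone transfer is expected in practice. This hunk appends at the end of the file, so nothing around it is cut off.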
@@ -448,6 +448,12 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Tue May 19 2020 Paul Wouters - 1.10.1-1 +- Resolves: rhbz#1837279 unbound-1.10.1 is available +- Resolves: rhbz#1837598 CVE-2020-12662 unbound: insufficient control of network message volume leads to DoS +- Resolves: rhbz#1837609 CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers +- Updated unbound.conf for new options in 1.10.1 + * Wed Apr 29 2020 Paul Wouters - 1.10.0-3 - Resolves: rhbz#1667742 SELinux is preventing unbound from 'name_bind' accesses on the udp_socket port 61000. From 554ef607afdc0eb98f27a1984696148231837e2b Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Tue, 19 May 2020 15:18:53 -0400 Subject: [PATCH 002/139] update sources for sig file --- .gitignore | 1 + sources | 1 + 2 files changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index bd711c5..68c7ed8 100644 --- a/.gitignore +++ b/.gitignore @@ -58,3 +58,4 @@ unbound-1.4.5.tar.gz /unbound-1.10.0.tar.gz /unbound-1.10.0.tar.gz.asc /unbound-1.10.1.tar.gz +/unbound-1.10.1.tar.gz.asc diff --git a/sources b/sources index f5b7bd7..5a8f28c 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ SHA512 (unbound-1.10.1.tar.gz) = d07f3ac0e751c17a3ff7d99518c22529cf6856861218564a2ca073422905525cb9ddaf76c9600187946fadb7324343bcd85c34ff06bd322e0ea621a2d258bb85 +SHA512 (unbound-1.10.1.tar.gz.asc) = 95d32b4ebfac501a1ae481c9211a88f7ad115e51a470794c6273bea7fedff62cef71445a4110b686938657b9450502bd5d47935e4552d3a9fc740b1348d6d991 From 741df0971d86857061c3a2113260e38bb606f8fe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Fri, 22 May 2020 21:10:05 +0200 Subject: [PATCH 003/139] Rebuilt for Python 3.9 --- unbound.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index 3b2e492..f4cd39b 100644 --- a/unbound.spec +++ b/unbound.spec 
@@ -36,7 +36,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.10.1 -Release: 1%{?extra_version:.%{extra_version}}%{?dist} +Release: 2%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -448,6 +448,9 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Fri May 22 2020 Miro Hrončok - 1.10.1-2 +- Rebuilt for Python 3.9 + * Tue May 19 2020 Paul Wouters - 1.10.1-1 - Resolves: rhbz#1837279 unbound-1.10.1 is available - Resolves: rhbz#1837598 CVE-2020-12662 unbound: insufficient control of network message volume leads to DoS From 66b41c854ad0bb35e66fbdfd3a9a7b4b073ec616 Mon Sep 17 00:00:00 2001 From: Tom Stellard Date: Tue, 14 Jul 2020 14:38:00 +0000 Subject: [PATCH 004/139] Use make macros https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro --- unbound.spec | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/unbound.spec b/unbound.spec index f4cd39b..db27320 100644 --- a/unbound.spec +++ b/unbound.spec @@ -36,7 +36,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.10.1 -Release: 2%{?extra_version:.%{extra_version}}%{?dist} +Release: 3%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -217,8 +217,8 @@ pushd %{dir_primary} %endif %{configure_args} -%{__make} %{?_smp_mflags} -%{__make} %{?_smp_mflags} streamtcp +%make_build +%make_build streamtcp popd @@ -234,7 +234,7 @@ pushd %{dir_secondary} %endif %{configure_args} -%{__make} %{?_smp_mflags} +%make_build popd %endif 
@@ -245,12 +245,12 @@ install -p -m 0644 %{SOURCE16} . %if 0%{?python_secondary:1} # install first secondary build. It will be overwritten by primary pushd %{dir_secondary} -%{__make} DESTDIR=%{buildroot} unbound-event-install install +%make_install unbound-event-install popd %endif pushd %{dir_primary} -%{__make} DESTDIR=%{buildroot} unbound-event-install install +%make_install unbound-event-install install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp popd @@ -448,6 +448,10 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Tue Jul 14 2020 Tom Stellard - 1.10.1-3 +- Use make macros +- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro + * Fri May 22 2020 Miro Hrončok - 1.10.1-2 - Rebuilt for Python 3.9 From 29d755fba8f085e173bb26f1cc89e0fc0cc4258e Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 29 Jul 2020 13:15:57 +0000 Subject: [PATCH 005/139] - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- unbound.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index db27320..0dbdc12 100644 --- a/unbound.spec +++ b/unbound.spec @@ -36,7 +36,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.10.1 -Release: 3%{?extra_version:.%{extra_version}}%{?dist} +Release: 4%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -448,6 +448,9 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Wed Jul 29 2020 Fedora Release Engineering - 1.10.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + * Tue Jul 14 2020 Tom Stellard - 1.10.1-3 - Use make macros - https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro 
From db21e34ec380186da810cfa5a27356e2204e0aa6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 15 Sep 2020 14:59:21 +0200 Subject: [PATCH 006/139] Rebuilt for libevent rebase MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Petr Menšík --- unbound.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index 0dbdc12..606f361 100644 --- a/unbound.spec +++ b/unbound.spec @@ -36,7 +36,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.10.1 -Release: 4%{?extra_version:.%{extra_version}}%{?dist} +Release: 5%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -448,6 +448,9 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Tue Sep 15 2020 Petr Menšík - 1.10.1-5 +- Move command line tools to utils subpackage + * Wed Jul 29 2020 Fedora Release Engineering - 1.10.1-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild From 058dac652cd5fe2cb15a6e13219d5fc83c6005bc Mon Sep 17 00:00:00 2001 From: Anna Khaitovich Date: Fri, 18 Sep 2020 13:39:03 +0200 Subject: [PATCH 007/139] Rebuilt for rawhide --- unbound.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index 606f361..3894ac1 100644 --- a/unbound.spec +++ b/unbound.spec @@ -36,7 +36,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.10.1 -Release: 5%{?extra_version:.%{extra_version}}%{?dist} +Release: 6%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz 
@@ -448,6 +448,9 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Fri Sep 18 2020 Anna Khaitovich - 1.10.1-6 +- Rebuilt for rawhide + * Tue Sep 15 2020 Petr Menšík - 1.10.1-5 - Move command line tools to utils subpackage From 9bf72f2b9791186ed8cf9807178e945819d4f589 Mon Sep 17 00:00:00 2001 From: Anna Khaitovich Date: Fri, 18 Sep 2020 14:24:52 +0200 Subject: [PATCH 008/139] Revert "Rebuilt for rawhide" This reverts commit 058dac652cd5fe2cb15a6e13219d5fc83c6005bc. --- unbound.spec | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/unbound.spec b/unbound.spec index 3894ac1..606f361 100644 --- a/unbound.spec +++ b/unbound.spec @@ -36,7 +36,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.10.1 -Release: 6%{?extra_version:.%{extra_version}}%{?dist} +Release: 5%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -448,9 +448,6 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog -* Fri Sep 18 2020 Anna Khaitovich - 1.10.1-6 -- Rebuilt for rawhide - * Tue Sep 15 2020 Petr Menšík - 1.10.1-5 - Move command line tools to utils subpackage From 9b40e98f88a0f0fe76703f101cd542b578c13ea5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 13 Oct 2020 17:26:04 +0200 Subject: [PATCH 009/139] Update to 1.12.0 - DNS flag day 2020 applied - DNS over HTTPS support - EDNS client tag support Upstream changelog: https://nlnetlabs.nl/projects/unbound/download/#unbound-1-12-0 --- .gitignore | 2 + sources | 4 +- unbound-1.10.0-auth-callback.patch | 74 ------------------------------ unbound.spec | 13 ++++-- 4 files changed, 13 insertions(+), 80 deletions(-) delete mode 100644 unbound-1.10.0-auth-callback.patch diff --git a/.gitignore b/.gitignore index 68c7ed8..ff034dd 100644 --- a/.gitignore 
+++ b/.gitignore @@ -59,3 +59,5 @@ unbound-1.4.5.tar.gz /unbound-1.10.0.tar.gz.asc /unbound-1.10.1.tar.gz /unbound-1.10.1.tar.gz.asc +/unbound-1.12.0.tar.gz +/unbound-1.12.0.tar.gz.asc diff --git a/sources b/sources index 5a8f28c..8c72027 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (unbound-1.10.1.tar.gz) = d07f3ac0e751c17a3ff7d99518c22529cf6856861218564a2ca073422905525cb9ddaf76c9600187946fadb7324343bcd85c34ff06bd322e0ea621a2d258bb85 -SHA512 (unbound-1.10.1.tar.gz.asc) = 95d32b4ebfac501a1ae481c9211a88f7ad115e51a470794c6273bea7fedff62cef71445a4110b686938657b9450502bd5d47935e4552d3a9fc740b1348d6d991 +SHA512 (unbound-1.12.0.tar.gz) = 90d99bc65e9ba62e50a7809dbf1e98889d0fc9fd50cf3cc99b726c67bcaeda0c2bc176d09f84771adb9796833b595591462f96e949d6969a47d6898d8fae3479 +SHA512 (unbound-1.12.0.tar.gz.asc) = b9db74bde4cd2ecbd9ba04468716135f4a45b437f17e92564f0e595e5e3462e955808aa1f0dea17a9a6fd1403c32e4eff7815f22e630229db10f50080c9a85a3 diff --git a/unbound-1.10.0-auth-callback.patch b/unbound-1.10.0-auth-callback.patch deleted file mode 100644 index c4d01b8..0000000 --- a/unbound-1.10.0-auth-callback.patch +++ /dev/null 
@@ -1,74 +0,0 @@ ---- a/services/authzone.c 2020-04-16 13:01:10.550618034 +0200 -+++ b/services/authzone.c 2020-04-16 13:07:04.624476160 +0200 -@@ -5331,7 +5331,7 @@ - log_assert(xfr->task_transfer); - lock_basic_lock(&xfr->lock); - env = xfr->task_transfer->env; -- if(env->outnet->want_to_quit) { -+ if(!env || env->outnet->want_to_quit) { - lock_basic_unlock(&xfr->lock); - return; /* stop on quit */ - } -@@ -5770,7 +5770,7 @@ - log_assert(xfr->task_transfer); - lock_basic_lock(&xfr->lock); - env = xfr->task_transfer->env; -- if(env->outnet->want_to_quit) { -+ if(!env || env->outnet->want_to_quit) { - lock_basic_unlock(&xfr->lock); - return; /* stop on quit */ - } -@@ -5812,7 +5812,7 @@ - log_assert(xfr->task_transfer); - lock_basic_lock(&xfr->lock); - env = xfr->task_transfer->env; -- if(env->outnet->want_to_quit) { -+ if(!env || env->outnet->want_to_quit) { - lock_basic_unlock(&xfr->lock); - return 0; /* stop on quit */ - } -@@ -5893,7 +5893,7 @@ - log_assert(xfr->task_transfer); - lock_basic_lock(&xfr->lock); - env = xfr->task_transfer->env; -- if(env->outnet->want_to_quit) { -+ if(!env || env->outnet->want_to_quit) { - lock_basic_unlock(&xfr->lock); - return 0; /* stop on quit */ - } -@@ -6107,7 +6107,7 @@ - log_assert(xfr->task_probe); - lock_basic_lock(&xfr->lock); - env = xfr->task_probe->env; -- if(env->outnet->want_to_quit) { -+ if(!env || env->outnet->want_to_quit) { - lock_basic_unlock(&xfr->lock); - return; /* stop on quit */ - } -@@ -6143,7 +6143,7 @@ - log_assert(xfr->task_probe); - lock_basic_lock(&xfr->lock); - env = xfr->task_probe->env; -- if(env->outnet->want_to_quit) { -+ if(!env || env->outnet->want_to_quit) { - lock_basic_unlock(&xfr->lock); - return 0; /* stop on quit */ - } -@@ -6388,7 +6388,7 @@ - log_assert(xfr->task_probe); - lock_basic_lock(&xfr->lock); - env = xfr->task_probe->env; -- if(env->outnet->want_to_quit) { -+ if(!env || env->outnet->want_to_quit) { - lock_basic_unlock(&xfr->lock); - return; /* stop on quit */ - } -@@ -6465,7 
+6465,7 @@ - log_assert(xfr->task_nextprobe); - lock_basic_lock(&xfr->lock); - env = xfr->task_nextprobe->env; -- if(env->outnet->want_to_quit) { -+ if(!env || env->outnet->want_to_quit) { - lock_basic_unlock(&xfr->lock); - return; /* stop on quit */ - } diff --git a/unbound.spec b/unbound.spec index 606f361..d1875ce 100644 --- a/unbound.spec +++ b/unbound.spec @@ -35,8 +35,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.10.1 -Release: 5%{?extra_version:.%{extra_version}}%{?dist} +Version: 1.12.0 +Release: 1%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -59,8 +59,7 @@ Source17: unbound-anchor.service Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc Source19: http://keys.gnupg.net/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key -# https://github.com/NLnetLabs/unbound/issues/220 -Patch0: unbound-1.10.0-auth-callback.patch +#Patch0: # No patches BuildRequires: gcc, make BuildRequires: flex, openssl-devel @@ -214,6 +213,9 @@ pushd %{dir_primary} %endif %if %{with systemd} --enable-systemd \ +%endif +%if %{with doh} + --with-libnghttp2 \ %endif %{configure_args} @@ -448,6 +450,9 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Tue Oct 13 2020 Petr Menšík - 1.12.0-1 +- Update to 1.12.0 (#1860887) + * Tue Sep 15 2020 Petr Menšík - 1.10.1-5 - Move command line tools to utils subpackage From ee9c33779ec74a437d6b03cad9f69cc0dcb07053 Mon Sep 17 00:00:00 2001 
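Review bot: Patch0 (unbound-1.10.0-auth-callback.patch, the NULL-env guard in services/authzone.c linked to NLnetLabs/unbound issue 220 on the removed comment line) is dropped with the placeholder `#Patch0: # No patches`, but neither the hunk nor the commit message records that 1.12.0 contains the equivalent fix; that cannot be confirmed from the diff alone. Either say so in the changelog entry or keep the reference as a comment, e.g. `# https://github.com/NLnetLabs/unbound/issues/220 fixed upstream, patch dropped with 1.12.0`. The Source/Patch header block continues outside the hunk.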
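Review bot: `%if %{with doh}` is evaluated here before the `doh` bcond exists; `%bcond_with doh` and the matching `BuildRequires: libnghttp2-devel` only arrive in the next patch (010). On this commit alone `%{with doh}` falls back to 0 because with_doh is undefined, so the build still works, but the two halves belong together: move `%bcond_with doh` into this commit, or move the `--with-libnghttp2 \` block to the commit that declares it. The configure invocation continues on both sides of the hunk.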
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 13 Oct 2020 18:18:50 +0200 Subject: [PATCH 010/139] Update config file to 1.12.0 Use new defaults from example.conf in Fedora shipped default file. Don't include dnstap and DoH features yet. --- unbound.conf | 53 +++++++++++++++++++++++++++++++++------------------- unbound.spec | 4 ++++ 2 files changed, 38 insertions(+), 19 deletions(-) diff --git a/unbound.conf b/unbound.conf index b130f9b..a05f8d1 100644 --- a/unbound.conf +++ b/unbound.conf @@ -5,9 +5,13 @@ # # this is a comment. -#Use this to include other text into the file. +# Use this anywhere in the file to include other text into this file. #include: "otherfile.conf" +# Use this anywhere in the file to include other text, that explicitly starts a +# clause, into this file. Text after this directive needs to start a clause. +#include-toplevel: "otherfile.conf" + # The server clause sets the main parameters. server: # whitespace is not necessary, but looks cleaner. @@ -86,6 +90,9 @@ server: # Set this to yes to prefer ipv6 upstream servers over ipv4. # prefer-ip6: no + # Prefer ipv4 upstream servers, even if ipv6 is available. + # prefer-ip4: no + # number of ports to allocate per thread, determines the size of the # port range that can be open simultaneously. About double the # num-queries-per-thread, or, use as many as the OS will allow you. @@ -135,9 +142,14 @@ server: # Linux only. On Linux you also have ip-transparent that is similar. # ip-freebind: no + # the value of the Differentiated Services Codepoint (DSCP) + # in the differentiated services field (DS) of the outgoing + # IP packets + # ip-dscp: 0 + # EDNS reassembly buffer to advertise to UDP peers (the actual buffer # is set with msg-buffer-size). 1472 can solve fragmentation (timeouts) - # edns-buffer-size: 4096 + # edns-buffer-size: 1232 # Maximum UDP response size (not applied to TCP response). # Suggested values are 512 to 4096. Default is 4096. 65536 disables it. 
@@ -444,8 +456,8 @@ server: # Domains (and domains in them) without support for dns-0x20 and # the fallback fails because they keep sending different answers. - # caps-whitelist: "licdn.com" - # caps-whitelist: "senderbase.org" + # caps-exempt: "licdn.com" + # caps-exempt: "senderbase.org" # Enforce privacy of these addresses. Strips them away from answers. # It may cause DNSSEC validation to additionally mark it as bogus. @@ -522,11 +534,6 @@ server: # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel) root-key-sentinel: yes - # File with DLV trusted keys. Same format as trust-anchor-file. - # There can be only one DLV configured, it is trusted from root down. - # DLV is going to be decommissioned. Please do not use it any more. - # dlv-anchor-file: "dlv.isc.org.key" - # File with trusted keys for validation. Specify more than one file # with several entries, one file per entry. # Zone file format, with DS and DNSKEY entries. @@ -587,8 +594,8 @@ server: # that set CD but cannot validate themselves. # ignore-cd-flag: no - # Serve expired responses from cache, with TTL 0 in the response, - # and then attempt to fetch the data afresh. + # Serve expired responses from cache, with serve-expired-reply-ttl in + # the response, and then attempt to fetch the data afresh. serve-expired: yes # # Limit serving of expired responses to configured seconds after @@ -606,7 +613,7 @@ server: # # Time in milliseconds before replying to the client with expired data. # This essentially enables the serve-stale behavior as specified in - # draft-ietf-dnsop-serve-stale-10 that first tries to resolve before + # RFC 8767 that first tries to resolve before # immediately responding with expired data. 0 disables this behavior. # A recommended value is 1800. # serve-expired-client-timeout: 0 
@@ -644,7 +651,7 @@ server: # more slabs reduce lock contention, but fragment memory usage. # key-cache-slabs: 4 - # the amount of memory to use for the negative cache (used for DLV). + # the amount of memory to use for the negative cache. # plain value in bytes or you can append k, m or G. default is "1Mb". # neg-cache-size: 1m @@ -757,18 +764,24 @@ server: # add a netblock specific override to a localzone, with zone type # local-zone-override: "example.com" 192.0.2.0/24 refuse - # service clients over TLS (on the TCP sockets), with plain DNS inside - # the TLS stream. Give the certificate to use and private key. + # service clients over TLS (on the TCP sockets) with plain DNS inside + # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. + # Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. # tls-service-key: "/etc/unbound/unbound_server.key" # tls-service-pem: "/etc/unbound/unbound_server.pem" # tls-port: 853 + # https-port: 443 # cipher setting for TLSv1.2 # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" # cipher setting for TLSv1.3 # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" + # Use the SNI extension for TLS connections. Default is yes. + # Changing the value requires a reload. + # tls-use-sni: yes + # Add the secret file for TLS Session Ticket. # Secret file must be 80 bytes of random data. # First key use to encrypt and decrypt TLS session tickets. 
@@ -865,9 +878,9 @@ server: # ipsecmod-ignore-bogus: no # # Domains for which ipsecmod will be triggered. If not defined (default) - # all domains are treated as being whitelisted. - # ipsecmod-whitelist: "libreswan.org" - # ipsecmod-whitelist: "nlnetlabs.nl" + # all domains are treated as being allowed. + # ipsecmod-allow: "example.com" + # ipsecmod-allow: "nlnetlabs.nl" # Python config section. To enable: # o use --with-pythonmodule to configure before compiling. @@ -1056,10 +1069,12 @@ auth-zone: # redis-server-port: 6379 # # timeout (in ms) for communication with the redis server # redis-timeout: 100 +# # set timeout on redis records based on DNS response TTL +# redis-expire-records: no # IPSet # Add specify domain into set via ipset. -# Note: To enable ipset needs run unbound as root user. +# Note: To enable ipset unbound needs run as root user. # ipset: # # set name for ip v4 addresses # name-v4: "list-v4" diff --git a/unbound.spec b/unbound.spec index d1875ce..ca53228 100644 --- a/unbound.spec +++ b/unbound.spec @@ -3,6 +3,7 @@ %{?!with_munin: %global with_munin 1} %bcond_with dnstap %bcond_with systemd +%bcond_with doh %global _hardened_build 1 @@ -78,6 +79,9 @@ BuildRequires: fstrm-devel protobuf-c-devel %if %{with systemd} BuildRequires: systemd-devel %endif +%if %{with doh} +BuildRequires: libnghttp2-devel +%endif %if 0%{?fedora} >= 30 BuildRequires: systemd-rpm-macros %else From 07b18f13c3dc4595d3025cdf22dbbad6ad0bad63 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 13 Oct 2020 18:24:11 +0200 Subject: [PATCH 011/139] Enable DNS over HTTPS --- unbound.conf | 32 ++++++++++++++++++++++++++++++++ unbound.spec | 2 +- 2 files changed, 33 insertions(+), 1 deletion(-) diff --git a/unbound.conf b/unbound.conf index a05f8d1..6820b18 100644 --- a/unbound.conf +++ b/unbound.conf 
@@ -803,6 +803,38 @@ server: # Also serve tls on these port numbers (eg. 443, ...), by listing # tls-additional-port: portno for each of the port numbers. + # HTTP endpoint to provide DNS-over-HTTPS service on. + # http-endpoint: "/dns-query" + + # HTTP/2 SETTINGS_MAX_CONCURRENT_STREAMS value to use. + # http-max-streams: 100 + + # Maximum number of bytes used for all HTTP/2 query buffers. + # http-query-buffer-size: 4m + + # Maximum number of bytes used for all HTTP/2 response buffers. + # http-response-buffer-size: 4m + + # Set TCP_NODELAY socket option on sockets used for DNS-over-HTTPS + # service. + # http-nodelay: yes + + # HTTP endpoint to provide DNS-over-HTTPS service on. + # http-endpoint: "/dns-query" + + # HTTP/2 SETTINGS_MAX_CONCURRENT_STREAMS value to use. + # http-max-streams: 100 + + # Maximum number of bytes used for all HTTP/2 query buffers. + # http-query-buffer-size: 4m + + # Maximum number of bytes used for all HTTP/2 response buffers. + # http-response-buffer-size: 4m + + # Set TCP_NODELAY socket option on sockets used for DNS-over-HTTPS + # service. + # http-nodelay: yes + # DNS64 prefix. Must be specified when DNS64 is use. # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4. # dns64-prefix: 64:ff9b::0/96 diff --git a/unbound.spec b/unbound.spec index ca53228..5d4ac1e 100644 --- a/unbound.spec +++ b/unbound.spec @@ -3,7 +3,7 @@ %{?!with_munin: %global with_munin 1} %bcond_with dnstap %bcond_with systemd -%bcond_with doh +%bcond_without doh %global _hardened_build 1 From ac21a84ee91563205fa38675d051278c2e81d38f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 13 Oct 2020 18:25:53 +0200 Subject: [PATCH 012/139] Enable DNSTAP Allows easy recording of incoming and outgoing queries. --- unbound.conf | 34 ++++++++++++++++++++++++++++++++++ unbound.spec | 2 +- 2 files changed, 35 insertions(+), 1 deletion(-) diff --git a/unbound.conf b/unbound.conf index 6820b18..dfbd635 100644 --- a/unbound.conf 
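Review bot: The five commented DoH options (http-endpoint, http-max-streams, http-query-buffer-size, http-response-buffer-size, http-nodelay) are inserted twice in this hunk, back to back; the second copy, from the repeated `# HTTP endpoint to provide DNS-over-HTTPS service on.` through its `# http-nodelay: yes`, should be deleted. It is harmless at run time because every line is a comment, but it misleads anyone uncommenting one copy, and a later hunk in this series (patch 015, `@@ -835,6 +841,9 @@`, adding http-notls-downstream) lands next to only one of the two copies. The server clause continues outside the hunk.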
+++ b/unbound.conf @@ -1114,6 +1114,40 @@ auth-zone: # name-v6: "list-v6" # +# Dnstap logging support, if compiled in. To enable, set the dnstap-enable +# to yes and also some of dnstap-log-..-messages to yes. And select an +# upstream log destination, by socket path, TCP or TLS destination. +# dnstap: +# dnstap-enable: no +# # if set to yes frame streams will be used in bidirectional mode +# dnstap-bidirectional: yes +# dnstap-socket-path: "" +# # if "" use the unix socket in dnstap-socket-path, otherwise, +# # set it to "IPaddress[@port]" of the destination. +# dnstap-ip: "" +# # if set to yes if you want to use TLS to dnstap-ip, no for TCP. +# dnstap-tls: yes +# # name for authenticating the upstream server. or "" disabled. +# dnstap-tls-server-name: "" +# # if "", it uses the cert bundle from the main unbound config. +# dnstap-tls-cert-bundle: "" +# # key file for client authentication, or "" disabled. +# dnstap-tls-client-key-file: "" +# # cert file for client authentication, or "" disabled. +# dnstap-tls-client-cert-file: "" +# dnstap-send-identity: no +# dnstap-send-version: no +# # if "" it uses the hostname. +# dnstap-identity: "" +# # if "" it uses the package version. +# dnstap-version: "" +# dnstap-log-resolver-query-messages: no +# dnstap-log-resolver-response-messages: no +# dnstap-log-client-query-messages: no +# dnstap-log-client-response-messages: no +# dnstap-log-forwarder-query-messages: no +# dnstap-log-forwarder-response-messages: no + # Response Policy Zones # RPZ policies. Applied in order of configuration. QNAME and Response IP # Address trigger are the only supported triggers. Supported actions are: diff --git a/unbound.spec b/unbound.spec index 5d4ac1e..69e571f 100644 --- a/unbound.spec +++ b/unbound.spec @@ -1,7 +1,7 @@ %{?!with_python2: %global with_python2 0} %{?!with_python3: %global with_python3 1} %{?!with_munin: %global with_munin 1} -%bcond_with dnstap +%bcond_without dnstap %bcond_with systemd %bcond_without doh 
From b29f943a4c335573eadbb8511cc76b34bd450b18 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 13 Oct 2020 18:41:29 +0200 Subject: [PATCH 013/139] Build on EPEL without signature check %gpgverify is defined on RHEL 8 in incompatible way to Fedora. Use it only on Fedora, leave to manual signatures for other distributions. --- unbound.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index 69e571f..8bed946 100644 --- a/unbound.spec +++ b/unbound.spec @@ -66,7 +66,9 @@ BuildRequires: gcc, make BuildRequires: flex, openssl-devel BuildRequires: libevent-devel expat-devel BuildRequires: pkgconfig +%if 0%{?fedora} BuildRequires: gnupg2 +%endif %if 0%{with_python2} BuildRequires: python2-devel swig %endif @@ -162,7 +164,9 @@ Python 3 modules and extensions for unbound %prep -%{?gpgverify:%gpgverify -k 19 -s 18 -d 0} +%if 0%{?fedora} +%gpgverify -k 19 -s 18 -d 0 +%endif %global pkgname %{name}-%{version}%{?extra_version} %if 0%{with_python2} && 0%{with_python3} From 65b8de222e3975d135f47c54393a4232e306db9a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 10 Dec 2020 12:01:38 +0100 Subject: [PATCH 014/139] Update to 1.13.0 Enabled TLS and TCP stream reuse for increased performance. --- .gitignore | 2 ++ sources | 4 ++-- unbound.spec | 5 ++++- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index ff034dd..9b0a67b 100644 --- a/.gitignore +++ b/.gitignore @@ -61,3 +61,5 @@ unbound-1.4.5.tar.gz /unbound-1.10.1.tar.gz.asc /unbound-1.12.0.tar.gz /unbound-1.12.0.tar.gz.asc +/unbound-1.13.0.tar.gz +/unbound-1.13.0.tar.gz.asc diff --git a/sources b/sources index 8c72027..6e5f7a7 100644 --- a/sources +++ b/sources 
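Review bot: With `%if 0%{?fedora}` around `%gpgverify -k 19 -s 18 -d 0` (and around `BuildRequires: gnupg2` in the hunk above it), a non-Fedora build no longer verifies the upstream signature at all, whereas the old `%{?gpgverify:...}` guard ran it wherever the macro was defined and, per the commit message, failed loudly on RHEL 8 instead of silently skipping. On EPEL the tarball's integrity then rests solely on the SHA512 in `sources`, and the "leave to manual signatures" intent is not recorded anywhere in the spec; a comment at the %prep site should say so, e.g. `# RHEL defines %gpgverify with different arguments; the signature is checked manually there and only the lookaside SHA512 applies at build time`, and a plain gpgv call against %{SOURCE19} under the %else branch would close the gap. The %prep section continues below the hunk.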
@@ -1,2 +1,2 @@ -SHA512 (unbound-1.12.0.tar.gz) = 90d99bc65e9ba62e50a7809dbf1e98889d0fc9fd50cf3cc99b726c67bcaeda0c2bc176d09f84771adb9796833b595591462f96e949d6969a47d6898d8fae3479 -SHA512 (unbound-1.12.0.tar.gz.asc) = b9db74bde4cd2ecbd9ba04468716135f4a45b437f17e92564f0e595e5e3462e955808aa1f0dea17a9a6fd1403c32e4eff7815f22e630229db10f50080c9a85a3 +SHA512 (unbound-1.13.0.tar.gz) = d4f3c5a7df5d46f8b1ee32b61e68bdc0d63030820d236ecc51bc3ac356d15248acb9a5e0b6009e1936b03b751e8dd05a071a95ab239fdbbbb308442a59642ad5 +SHA512 (unbound-1.13.0.tar.gz.asc) = 924396fe8c92945386cedcfd5a52ec65b892b3dac20f2b6bf7dd99f7e263f5e3a11ce1f8f6ccc8107529c3be81d6b61d14e66bdda2d3e5c8bc8a8462b93c7d84 diff --git a/unbound.spec b/unbound.spec index 8bed946..092144c 100644 --- a/unbound.spec +++ b/unbound.spec @@ -36,7 +36,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.12.0 +Version: 1.13.0 Release: 1%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ @@ -458,6 +458,9 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Thu Dec 10 2020 Petr Menšík - 1.13.0-1 +- Update to 1.13.0 + * Tue Oct 13 2020 Petr Menšík - 1.12.0-1 - Update to 1.12.0 (#1860887) From f70050e6d603c5dae873af1327a4bffaa4b48475 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 10 Dec 2020 19:46:23 +0100 Subject: [PATCH 015/139] Update default configuration from 1.13.0 Add new additions to default configuration. None of them is uncommented, but some of they changed default values. --- unbound.conf | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/unbound.conf b/unbound.conf index dfbd635..ae3fcf5 100644 --- a/unbound.conf +++ b/unbound.conf 
@@ -182,6 +182,9 @@ server: # msec to wait before close of port on timeout UDP. 0 disables. # delay-close: 0 + # perform connect for UDP sockets to mitigate ICMP side channel. + # udp-connect: yes + # msec for waiting for an unknown server to reply. Increase if you # are behind a slow satellite link, to eg. 1128. # unknown-server-time-limit: 376 @@ -213,6 +216,9 @@ server: # minimum wait time for responses, increase if uplink is long. In msec. # infra-cache-min-rtt: 50 + # enable to make server probe down hosts more frequently. + # infra-keep-probing: no + # the number of slabs to use for the Infrastructure cache. # the number of slabs must be a power of 2. # more slabs reduce lock contention, but fragment memory usage. @@ -835,6 +841,9 @@ server: # service. # http-nodelay: yes + # Disable TLS for DNS-over-HTTP downstream service. + # http-notls-downstream: no + # DNS64 prefix. Must be specified when DNS64 is use. # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4. # dns64-prefix: 64:ff9b::0/96 From 4bc5d3058200e4f213d460ef1a520d1970ccd110 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 27 Jan 2021 22:38:55 +0000 Subject: [PATCH 016/139] - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- unbound.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index 092144c..d5a086e 100644 --- a/unbound.spec +++ b/unbound.spec @@ -37,7 +37,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.13.0 -Release: 1%{?extra_version:.%{extra_version}}%{?dist} +Release: 2%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz 
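Review bot: The new `http-notls-downstream` comment says what the knob does but not when it is safe to set, and of the three options added here it is the one that weakens transport security if flipped. Suggest extending the comment: `# Only enable when a TLS-terminating proxy on a trusted link fronts unbound; DoH queries then reach unbound in plaintext.` The `udp-connect` and `infra-keep-probing` entries read fine as commented defaults in the style of the rest of the file.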
@@ -458,6 +458,9 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Wed Jan 27 2021 Fedora Release Engineering - 1.13.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + * Thu Dec 10 2020 Petr Menšík - 1.13.0-1 - Update to 1.13.0 From 809b23a9f131bcca011ef38298761775793312a7 Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Tue, 9 Feb 2021 20:41:54 -0500 Subject: [PATCH 017/139] - Resolves rhbz#1860887 unbound-1.13.1 is available - Fixup unbound.conf --- .gitignore | 1 + sources | 3 +-- unbound.conf | 54 ++++++++++++++++++++++++++++++---------------------- unbound.spec | 8 ++++++-- 4 files changed, 39 insertions(+), 27 deletions(-) diff --git a/.gitignore b/.gitignore index 9b0a67b..823aa06 100644 --- a/.gitignore +++ b/.gitignore @@ -63,3 +63,4 @@ unbound-1.4.5.tar.gz /unbound-1.12.0.tar.gz.asc /unbound-1.13.0.tar.gz /unbound-1.13.0.tar.gz.asc +/unbound-1.13.1.tar.gz diff --git a/sources b/sources index 6e5f7a7..0e8cbee 100644 --- a/sources +++ b/sources @@ -1,2 +1 @@ -SHA512 (unbound-1.13.0.tar.gz) = d4f3c5a7df5d46f8b1ee32b61e68bdc0d63030820d236ecc51bc3ac356d15248acb9a5e0b6009e1936b03b751e8dd05a071a95ab239fdbbbb308442a59642ad5 -SHA512 (unbound-1.13.0.tar.gz.asc) = 924396fe8c92945386cedcfd5a52ec65b892b3dac20f2b6bf7dd99f7e263f5e3a11ce1f8f6ccc8107529c3be81d6b61d14e66bdda2d3e5c8bc8a8462b93c7d84 +SHA512 (unbound-1.13.1.tar.gz) = f4d26dca28dbcc33a5e65a55147fa01077c331292e88b6a87798cb6c3d4edb0515015d131fd893c92b74d22d9998a640f0adce404e6192d61ebe69a6a599287c diff --git a/unbound.conf b/unbound.conf index ae3fcf5..e414f9c 100644 --- a/unbound.conf +++ b/unbound.conf 
@@ -328,7 +328,7 @@ server: # The pid file can be absolute and outside of the chroot, it is # written just prior to performing the chroot and dropping permissions. # - # Additionally, unbound may need to access /dev/random (for entropy). + # Additionally, unbound may need to access /dev/urandom (for entropy). # How to do this is specific to your OS. # # If you give "" no chroot is performed. The path must not end in a /. @@ -393,6 +393,9 @@ server: # enable to not answer version.server and version.bind queries. # hide-version: no + # NSID identity (hex string, or "ascii_somestring"). default disabled. + # nsid: "aabbccdd" + # enable to not answer trustanchor.unbound queries. # hide-trustanchor: no @@ -413,7 +416,7 @@ server: # target-fetch-policy: "3 2 1 0 0" # Harden against very small EDNS buffer sizes. - # harden-short-bufsize: no + # harden-short-bufsize: yes # Harden against unseemly large queries. # harden-large-queries: no @@ -624,6 +627,13 @@ server: # A recommended value is 1800. # serve-expired-client-timeout: 0 + # Return the original TTL as received from the upstream name server rather + # than the decrementing TTL as stored in the cache. Enabling this feature + # does not impact cache expiry, it only changes the TTL unbound embeds in + # responses to queries. Note that enabling this feature implicitly disables + # enforcement of the configured minimum and maximum TTL. + # serve-original-ttl: no + # Have the validator log failed validations for your diagnosis. # 0: off. 1: A line per failed user query. 2: With reason and bad IP. val-log-level: 1 
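Review bot: The `nsid` example does not mention that the configured identity is returned to any client that asks for it via the EDNS NSID option, which is easy to miss when someone fills in an internal hostname. Suggest a line below the example: `# The value is revealed to any client sending the NSID option; avoid internal hostnames.` The rest of the hunk (urandom wording, `harden-short-bufsize` default now `yes`, `serve-original-ttl`) matches the file's commented-default style and needs nothing further.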
@@ -733,8 +743,10 @@ server: # o inform acts like transparent, but logs client IP address # o inform_deny drops queries and logs client IP address # o inform_redirect redirects queries and logs client IP address - # o always_transparent, always_refuse, always_nxdomain, resolve in - # that way but ignore local data for that name + # o always_transparent, always_refuse, always_nxdomain, always_nodata, + # always_deny resolve in that way but ignore local data for + # that name + # o always_null returns 0.0.0.0 or ::0 for any name in the zone. # o noview breaks out of that view towards global local-zones. # # defaults are localhost address, reverse for 127.0.0.1 and ::1 @@ -784,6 +796,12 @@ server: # cipher setting for TLSv1.3 # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" + # Pad responses to padded queries received over TLS + # pad-responses: yes + + # Padded responses will be padded to the closest multiple of this size. + # pad-responses-block-size: 468 + # Use the SNI extension for TLS connections. Default is yes. # Changing the value requires a reload. # tls-use-sni: yes @@ -806,6 +824,12 @@ server: # Add system certs to the cert bundle, from the Windows Cert Store # tls-win-cert: no + # Pad queries over TLS upstreams + # pad-queries: yes + + # Padded queries will be padded to the closest multiple of this size. + # pad-queries-block-size: 128 + # Also serve tls on these port numbers (eg. 443, ...), by listing # tls-additional-port: portno for each of the port numbers. 
@@ -825,22 +849,6 @@ server: # service. # http-nodelay: yes - # HTTP endpoint to provide DNS-over-HTTPS service on. - # http-endpoint: "/dns-query" - - # HTTP/2 SETTINGS_MAX_CONCURRENT_STREAMS value to use. - # http-max-streams: 100 - - # Maximum number of bytes used for all HTTP/2 query buffers. - # http-query-buffer-size: 4m - - # Maximum number of bytes used for all HTTP/2 response buffers. - # http-response-buffer-size: 4m - - # Set TCP_NODELAY socket option on sockets used for DNS-over-HTTPS - # service. - # http-nodelay: yes - # Disable TLS for DNS-over-HTTP downstream service. # http-notls-downstream: no @@ -1115,7 +1123,7 @@ auth-zone: # IPSet # Add specify domain into set via ipset. -# Note: To enable ipset unbound needs run as root user. +# Note: To enable ipset unbound needs to run as root user. # ipset: # # set name for ip v4 addresses # name-v4: "list-v4" @@ -1130,7 +1138,7 @@ auth-zone: # dnstap-enable: no # # if set to yes frame streams will be used in bidirectional mode # dnstap-bidirectional: yes -# dnstap-socket-path: "" +# dnstap-socket-path: "/etc/unbound/dnstap.sock" # # if "" use the unix socket in dnstap-socket-path, otherwise, # # set it to "IPaddress[@port]" of the destination. # dnstap-ip: "" @@ -1166,7 +1174,7 @@ auth-zone: # rpz: # name: "rpz.example.com" # zonefile: "rpz.example.com" -# master: 192.0.2.0 +# primary: 192.0.2.0 # allow-notify: 192.0.2.0/32 # url: http://www.example.com/rpz.example.org.zone # rpz-action-override: cname diff --git a/unbound.spec b/unbound.spec index d5a086e..6662cc2 100644 --- a/unbound.spec +++ b/unbound.spec @@ -36,8 +36,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.13.0 -Release: 2%{?extra_version:.%{extra_version}}%{?dist} +Version: 1.13.1 +Release: 1%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz 
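Review bot: The `dnstap-socket-path` example now points into `/etc/unbound/`, but a unix socket is runtime state, and the spec later in this series keeps runtime files under `%{_rundir}/unbound` (the pidfile); `/etc` is also the wrong place if it is mounted read-only or if a chroot is configured. Suggest `# dnstap-socket-path: "/run/unbound/dnstap.sock"` so the example matches the packaging layout. As I read it the dnstap collector creates the socket and unbound only connects to it, so this is a convention question rather than a permission one; worth confirming against the collector in use. Dropping the duplicated `http-*` block and the `master` to `primary` rename are fine.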
@@ -458,6 +458,10 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Wed Feb 10 2021 Paul Wouters - 1.13.1-1 +- Resolves rhbz#1860887 unbound-1.13.1 is available +- Fixup unbound.conf + * Wed Jan 27 2021 Fedora Release Engineering - 1.13.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild From cf0e47e9b70b8c471b740bc51ede0a1ee2bfa0a6 Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Tue, 9 Feb 2021 22:26:31 -0500 Subject: [PATCH 018/139] add gpg sig --- .gitignore | 1 + sources | 1 + 2 files changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index 823aa06..1911c71 100644 --- a/.gitignore +++ b/.gitignore @@ -64,3 +64,4 @@ unbound-1.4.5.tar.gz /unbound-1.13.0.tar.gz /unbound-1.13.0.tar.gz.asc /unbound-1.13.1.tar.gz +/unbound-1.13.1.tar.gz.asc diff --git a/sources b/sources index 0e8cbee..c7d1af2 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ SHA512 (unbound-1.13.1.tar.gz) = f4d26dca28dbcc33a5e65a55147fa01077c331292e88b6a87798cb6c3d4edb0515015d131fd893c92b74d22d9998a640f0adce404e6192d61ebe69a6a599287c +SHA512 (unbound-1.13.1.tar.gz.asc) = a4a943841c4db14b2d236b4b80ac80129148c42f7b3d82246b0e0150c1e3e3e294863d5c72d1ac41c2164126d1d10f9044554f97aa6d94019acb41b5f7ed7d34 From 67f3c8594f03a27183efb64c2d5099e02c123eeb Mon Sep 17 00:00:00 2001 From: Victor Stinner Date: Mon, 15 Feb 2021 16:11:27 +0100 Subject: [PATCH 019/139] Fix build on Python 3.10 Backport upstream commit: https://github.com/NLnetLabs/unbound/commit/e0d426ebb10653a78bf5c4053198f6ac19bfcd3e Resolves: rhbz#1889726 --- unbound-python310.patch | 107 ++++++++++++++++++++++++++++++++++++++++ unbound.spec | 11 ++++- 2 files changed, 116 insertions(+), 2 deletions(-) create mode 100644 unbound-python310.patch diff --git a/unbound-python310.patch b/unbound-python310.patch new file mode 100644 index 0000000..7948e46 --- /dev/null +++ b/unbound-python310.patch 
@@ -0,0 +1,107 @@ +Fix build on Python 3.10 (rhbz#1889726). + +Backport two fixes: +* https://github.com/NLnetLabs/unbound/commit/e0d426ebb10653a78bf5c4053198f6ac19bfcd3e +* https://github.com/NLnetLabs/unbound/pull/427 + +diff --git a/libunbound/python/libunbound.i b/libunbound/python/libunbound.i +index a23c45b9c..ab244a6fb 100644 +--- a/libunbound/python/libunbound.i ++++ b/libunbound/python/libunbound.i +@@ -916,7 +916,13 @@ int _ub_resolve_async(struct ub_ctx* ctx, char* name, int rrtype, int rrclass, v + struct cb_data* id; + id = (struct cb_data*) iddata; + arglist = Py_BuildValue("(OiO)",id->data,status, SWIG_NewPointerObj(SWIG_as_voidptr(result), SWIGTYPE_p_ub_result, 0 | 0 )); // Build argument list ++#if PY_MAJOR_VERSION <= 2 || (PY_MAJOR_VERSION == 3 && PY_MINOR_VERSION < 9) ++ /* for python before 3.9 */ + fresult = PyEval_CallObject(id->func,arglist); // Call Python ++#else ++ /* for python 3.9 and newer */ ++ fresult = PyObject_Call(id->func,arglist,NULL); ++#endif + Py_DECREF(id->func); + Py_DECREF(id->data); + free(id); +diff --git a/pythonmod/pythonmod.c b/pythonmod/pythonmod.c +index 9006429ef..040ff7051 100644 +--- a/pythonmod/pythonmod.c ++++ b/pythonmod/pythonmod.c +@@ -299,7 +299,10 @@ int pythonmod_init(struct module_env* env, int id) + PyImport_AppendInittab(SWIG_name, (void*)SWIG_init); + #endif + Py_Initialize(); ++#if PY_MAJOR_VERSION <= 2 || (PY_MAJOR_VERSION == 3 && PY_MINOR_VERSION <= 6) ++ /* initthreads only for python 3.6 and older */ + PyEval_InitThreads(); ++#endif + SWIG_init(); + mainthr = PyEval_SaveThread(); + } +@@ -354,6 +357,8 @@ int pythonmod_init(struct module_env* env, int id) + /* TODO: deallocation of pe->... 
if an error occurs */ + + if (PyRun_SimpleFile(script_py, pe->fname) < 0) { ++#if PY_MAJOR_VERSION <= 2 || (PY_MAJOR_VERSION == 3 && PY_MINOR_VERSION < 9) ++ /* for python before 3.9 */ + log_err("pythonmod: can't parse Python script %s", pe->fname); + /* print the error to logs too, run it again */ + fseek(script_py, 0, SEEK_SET); +@@ -369,9 +374,45 @@ int pythonmod_init(struct module_env* env, int id) + /* ignore the NULL return of _node, it is NULL due to the parse failure + * that we are expecting */ + (void)PyParser_SimpleParseFile(script_py, pe->fname, Py_file_input); ++#else ++ /* for python 3.9 and newer */ ++ char* fstr = NULL; ++ size_t flen = 0; ++ log_err("pythonmod: can't parse Python script %s", pe->fname); ++ /* print the error to logs too, run it again */ ++ fseek(script_py, 0, SEEK_END); ++ flen = (size_t)ftell(script_py); ++ fstr = malloc(flen+1); ++ if(!fstr) { ++ log_err("malloc failure to print parse error"); ++ PyGILState_Release(gil); ++ fclose(script_py); ++ return 0; ++ } ++ fseek(script_py, 0, SEEK_SET); ++ if(fread(fstr, flen, 1, script_py) < 1) { ++ log_err("file read failed to print parse error: %s: %s", ++ pe->fname, strerror(errno)); ++ PyGILState_Release(gil); ++ fclose(script_py); ++ free(fstr); ++ return 0; ++ } ++ fstr[flen] = 0; ++ /* we compile the string, but do not run it, to stop side-effects */ ++ /* ignore the NULL return of _node, it is NULL due to the parse failure ++ * that we are expecting */ ++ (void)Py_CompileString(fstr, pe->fname, Py_file_input); ++#endif + log_py_err(); + PyGILState_Release(gil); + fclose(script_py); ++#if PY_MAJOR_VERSION <= 2 || (PY_MAJOR_VERSION == 3 && PY_MINOR_VERSION < 9) ++ /* no cleanup needed for python before 3.9 */ ++#else ++ /* cleanup for python 3.9 and newer */ ++ free(fstr); ++#endif + return 0; + } + #if PY_MAJOR_VERSION < 3 +diff --git a/pythonmod/pythonmod.c b/pythonmod/pythonmod.c +index 040ff70..6e60d02 100644 +--- a/pythonmod/pythonmod.c ++++ b/pythonmod/pythonmod.c +@@ -338,7 
+338,7 @@ int pythonmod_init(struct module_env* env, int id) + PyFileObject = PyFile_FromString((char*)pe->fname, "r"); + script_py = PyFile_AsFile(PyFileObject); + #else +- script_py = _Py_fopen(pe->fname, "r"); ++ script_py = fopen(pe->fname, "r"); + #endif + if (script_py == NULL) + { diff --git a/unbound.spec b/unbound.spec index 6662cc2..8498df5 100644 --- a/unbound.spec +++ b/unbound.spec @@ -37,7 +37,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.13.1 -Release: 1%{?extra_version:.%{extra_version}}%{?dist} +Release: 2%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -60,7 +60,11 @@ Source17: unbound-anchor.service Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc Source19: http://keys.gnupg.net/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key -#Patch0: # No patches +# Backport two fixes: +# https://github.com/NLnetLabs/unbound/commit/e0d426ebb10653a78bf5c4053198f6ac19bfcd3e +# https://github.com/NLnetLabs/unbound/pull/427 +# Fix build on Python 3.10 (rhbz#1889726). +Patch1: unbound-python310.patch BuildRequires: gcc, make BuildRequires: flex, openssl-devel @@ -458,6 +462,9 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Mon Feb 15 2021 Victor Stinner - 1.13.1-2 +- Fix build on Python 3.10 (rhbz#1889726). + * Wed Feb 10 2021 Paul Wouters - 1.13.1-1 - Resolves rhbz#1860887 unbound-1.13.1 is available - Fixup unbound.conf From e90de70c690a2acb5285e6fd77a212f6ad5576bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 2 Mar 2021 16:12:06 +0100 Subject: [PATCH 020/139] Rebuilt for updated systemd-rpm-macros See https://pagure.io/fesco/issue/2583. --- unbound.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
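Review bot: In the Python >= 3.9 error path of `pythonmod_init`, `flen = (size_t)ftell(script_py)` is used unchecked: an `ftell` failure returns -1, which becomes `SIZE_MAX`, `malloc(flen+1)` wraps to `malloc(0)`, and the following `fread(fstr, flen, 1, …)` writes past the allocation. This path only runs after a parse failure of the operator's own module script, so the exposure is a crash on a broken script rather than anything remote, but a backport is a fine place to carry the check. Separately, `fread(...) < 1` is also true for an empty script (`flen == 0`), which then logs a spurious read failure. `pythonmod_init` starts and ends outside the hunk.
```c
/* … unchanged: fstr/flen declarations, log_err("pythonmod: can't parse Python script %s", pe->fname); … */
long fpos;
if(fseek(script_py, 0, SEEK_END) != 0 || (fpos = ftell(script_py)) < 0) {
	log_err("cannot size %s to print parse error: %s", pe->fname, strerror(errno));
	PyGILState_Release(gil);
	fclose(script_py);
	return 0;
}
flen = (size_t)fpos;
/* … unchanged: malloc, fseek(SEEK_SET), fread, Py_CompileString … */
```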
diff --git a/unbound.spec b/unbound.spec index 8498df5..5145080 100644 --- a/unbound.spec +++ b/unbound.spec @@ -37,7 +37,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.13.1 -Release: 2%{?extra_version:.%{extra_version}}%{?dist} +Release: 3%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -462,6 +462,10 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 1.13.1-3 +- Rebuilt for updated systemd-rpm-macros + See https://pagure.io/fesco/issue/2583. + * Mon Feb 15 2021 Victor Stinner - 1.13.1-2 - Fix build on Python 3.10 (rhbz#1889726). From 30c1e39469fac7f7fcd2e904d9bda42abb4e25b8 Mon Sep 17 00:00:00 2001 From: Artem Egorenkov Date: Wed, 7 Apr 2021 11:16:46 +0200 Subject: [PATCH 021/139] DISABLE_UNBOUND_ANCHOR == "yes" disable unbound-anchor on unbound.service startup --- unbound.service | 2 +- unbound.spec | 6 +++++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/unbound.service b/unbound.service index 287fe8d..49dc7bd 100644 --- a/unbound.service +++ b/unbound.service @@ -11,7 +11,7 @@ Wants=nss-lookup.target Type=simple EnvironmentFile=-/etc/sysconfig/unbound ExecStartPre=/usr/sbin/unbound-checkconf -ExecStartPre=-/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R +ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_UNBOUND_ANCHOR" == "yes" ]; then /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R; else echo "Updates of root keys with unbound-anchor is disabled"; fi' ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS ExecReload=/usr/sbin/unbound-control reload diff --git a/unbound.spec b/unbound.spec index 5145080..4811f69 100644 --- a/unbound.spec +++ b/unbound.spec 
@@ -37,7 +37,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.13.1 -Release: 3%{?extra_version:.%{extra_version}}%{?dist} +Release: 4%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -462,6 +462,10 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Tue Apr 06 2021 Artem Egorenkov - 1.13.1-4 +- Don't start unbound-anchor before unbound service if DISABLE_UNBOUND_ANCHOR + environment variable equals to "yes" + * Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 1.13.1-3 - Rebuilt for updated systemd-rpm-macros See https://pagure.io/fesco/issue/2583. From 2b640c85f833618e67f3b412d3a5b88f4518c34b Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Tue, 13 Apr 2021 11:33:09 -0400 Subject: [PATCH 022/139] - Fix unbound.service to use After=network-online.target --- unbound.service | 2 +- unbound.spec | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/unbound.service b/unbound.service index 49dc7bd..c59ffbf 100644 --- a/unbound.service +++ b/unbound.service @@ -1,6 +1,6 @@ [Unit] Description=Unbound recursive Domain Name Server -After=network.target +After=network-online.target After=unbound-keygen.service Wants=unbound-keygen.service Wants=unbound-anchor.timer diff --git a/unbound.spec b/unbound.spec index 4811f69..044c2b7 100644 --- a/unbound.spec +++ b/unbound.spec @@ -37,7 +37,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.13.1 -Release: 4%{?extra_version:.%{extra_version}}%{?dist} +Release: 5%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz 
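Review bot: `After=network-online.target` on its own only orders unbound behind the target if something else activates it; systemd's unit documentation requires a matching `Wants=network-online.target` for the unit to actually wait for the network, and the outbound unbound-anchor fetch in `ExecStartPre` is presumably why this ordering was wanted. Add `Wants=network-online.target` next to the existing `Wants=` lines. Be aware this makes the resolver's start wait for the network-management daemon's online signal, which can in turn delay units that depend on `nss-lookup.target`.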
@@ -462,6 +462,9 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Tue Apr 13 2021 Paul Wouters - 1.13.1-5 +- Fix unbound.service to use After=network-online.target + * Tue Apr 06 2021 Artem Egorenkov - 1.13.1-4 - Don't start unbound-anchor before unbound service if DISABLE_UNBOUND_ANCHOR environment variable equals to "yes" From 195a78ed8e59fd366796461c75971c3d8b39f8dd Mon Sep 17 00:00:00 2001 From: Artem Egorenkov Date: Sat, 24 Apr 2021 15:27:48 +0200 Subject: [PATCH 023/139] Option --enable-linux-ip-local-port-range added to use system configured port range for libunbound on Linux Resolves: rhbz#1935101 --- unbound-1.13.1-rh1935101.patch | 204 +++++++++++++++++++++++++++++++++ unbound.spec | 11 +- 2 files changed, 213 insertions(+), 2 deletions(-) create mode 100644 unbound-1.13.1-rh1935101.patch diff --git a/unbound-1.13.1-rh1935101.patch b/unbound-1.13.1-rh1935101.patch new file mode 100644 index 0000000..261ed20 --- /dev/null +++ b/unbound-1.13.1-rh1935101.patch 
@@ -0,0 +1,204 @@ +diff --git a/config.h.in b/config.h.in +index 103ad9f..0bb29d9 100644 +--- a/config.h.in ++++ b/config.h.in +@@ -847,6 +847,14 @@ + /* Define if you enable libevent */ + #undef USE_LIBEVENT + ++/* WARNING! This is only for the libunbound on Linux and does not affect ++ unbound resolving daemon itself. This may severely limit the number of ++ available outgoing ports and thus decrease randomness. Define this only ++ when the target system restricts (e.g. some of SELinux enabled ++ distributions) the use of non-ephemeral ports. Define this to enable use of ++ /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range. */ ++#undef USE_LINUX_IP_LOCAL_PORT_RANGE ++ + /* Define if you want to use internal select based events */ + #undef USE_MINI_EVENT + +diff --git a/configure b/configure +index c91e8a3..826dce9 100755 +--- a/configure ++++ b/configure +@@ -898,6 +898,7 @@ enable_ipsecmod + enable_ipset + with_libmnl + enable_explicit_port_randomisation ++enable_linux_ip_local_port_range + with_libunbound_only + ' + ac_precious_vars='build_alias +@@ -1590,6 +1591,16 @@ Optional Features: + --disable-explicit-port-randomisation + disable explicit source port randomisation and rely + on the kernel to provide random source ports ++ --enable-linux-ip-local-port-range ++ WARNING! This is only for the libunbound on Linux ++ and does not affect unbound resolving daemon itself. ++ This may severely limit the number of available ++ outgoing ports and thus decrease randomness. Use ++ this option only when the target system restricts ++ the use of non-ephemeral ports. (e.g. some of ++ SELinux enabled distributions) Enable this option to ++ use /proc/sys/net/ipv4/ip_local_port_range as a ++ default outgoing port range + + Optional Packages: + --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] +@@ -4202,6 +4213,13 @@ else + else on_mingw="no"; fi + fi + ++# are we on Linux? 
++if uname -s 2>&1 | grep -i linux >/dev/null; then on_linux="yes" ++else ++ if echo $host $target | grep linux >/dev/null; then on_linux="yes" ++ else on_linux="no"; fi ++fi ++ + # + # Determine configuration file + # the eval is to evaluate shell expansion twice +@@ -21588,6 +21606,23 @@ $as_echo "#define DISABLE_EXPLICIT_PORT_RANDOMISATION 1" >>confdefs.h + ;; + esac + ++if test $on_linux = "yes"; then ++ # Check whether --enable-linux-ip-local-port-range was given. ++if test "${enable_linux_ip_local_port_range+set}" = set; then : ++ enableval=$enable_linux_ip_local_port_range; ++fi ++ ++ case "$enable_linux_ip_local_port_range" in ++ yes) ++ ++$as_echo "#define USE_LINUX_IP_LOCAL_PORT_RANGE 1" >>confdefs.h ++ ++ ;; ++ no|*) ++ ;; ++ esac ++fi ++ + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if ${MAKE:-make} supports $< with implicit rule in scope" >&5 + $as_echo_n "checking if ${MAKE:-make} supports $< with implicit rule in scope... " >&6; } +diff --git a/configure.ac b/configure.ac +index 2d88048..1207047 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -152,6 +152,13 @@ else + else on_mingw="no"; fi + fi + ++# are we on Linux? ++if uname -s 2>&1 | grep -i linux >/dev/null; then on_linux="yes" ++else ++ if echo $host $target | grep linux >/dev/null; then on_linux="yes" ++ else on_linux="no"; fi ++fi ++ + # + # Determine configuration file + # the eval is to evaluate shell expansion twice +@@ -1847,6 +1854,17 @@ case "$enable_explicit_port_randomisation" in + ;; + esac + ++if test $on_linux = "yes"; then ++ AC_ARG_ENABLE(linux-ip-local-port-range, AC_HELP_STRING([--enable-linux-ip-local-port-range], [WARNING! This is only for the libunbound on Linux and does not affect unbound resolving daemon itself. This may severely limit the number of available outgoing ports and thus decrease randomness. Use this option only when the target system restricts the use of non-ephemeral ports. (e.g. 
some of SELinux enabled distributions) Enable this option to use /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range])) ++ case "$enable_linux_ip_local_port_range" in ++ yes) ++ AC_DEFINE([USE_LINUX_IP_LOCAL_PORT_RANGE], [1], [WARNING! This is only for the libunbound on Linux and does not affect unbound resolving daemon itself. This may severely limit the number of available outgoing ports and thus decrease randomness. Define this only when the target system restricts (e.g. some of SELinux enabled distributions) the use of non-ephemeral ports. Define this to enable use of /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range.]) ++ ;; ++ no|*) ++ ;; ++ esac ++fi ++ + + AC_MSG_CHECKING([if ${MAKE:-make} supports $< with implicit rule in scope]) + # on openBSD, the implicit rule make $< work. +diff --git a/libunbound/context.c b/libunbound/context.c +index cff2831..48d76d9 100644 +--- a/libunbound/context.c ++++ b/libunbound/context.c +@@ -69,6 +69,7 @@ context_finalize(struct ub_ctx* ctx) + } else { + log_init(cfg->logfile, cfg->use_syslog, NULL); + } ++ cfg_apply_local_port_policy(cfg, 65536); + config_apply(cfg); + if(!modstack_setup(&ctx->mods, cfg->module_conf, ctx->env)) + return UB_INITFAIL; +diff --git a/util/config_file.c b/util/config_file.c +index 4d87dee..6b90e48 100644 +--- a/util/config_file.c ++++ b/util/config_file.c +@@ -1681,6 +1681,37 @@ int cfg_condense_ports(struct config_file* cfg, int** avail) + return num; + } + ++void cfg_apply_local_port_policy(struct config_file* cfg, int num) { ++(void)cfg; ++(void)num; ++#ifdef USE_LINUX_IP_LOCAL_PORT_RANGE ++ { ++ int i = 0; ++ FILE* range_fd; ++ if ((range_fd = fopen(LINUX_IP_LOCAL_PORT_RANGE_PATH, "r")) != NULL) { ++ int min_port = 0; ++ int max_port = num - 1; ++ if (fscanf(range_fd, "%d %d", &min_port, &max_port) == 2) { ++ for(i=0; ioutgoing_avail_ports[i] = 0; ++ } ++ for(i=max_port+1; ioutgoing_avail_ports[i] = 0; ++ } ++ } else { ++ log_err("unexpected port 
range in %s", ++ LINUX_IP_LOCAL_PORT_RANGE_PATH); ++ } ++ fclose(range_fd); ++ } else { ++ log_warn("failed to read from file: %s (%s)", ++ LINUX_IP_LOCAL_PORT_RANGE_PATH, ++ strerror(errno)); ++ } ++ } ++#endif ++} ++ + /** print error with file and line number */ + static void ub_c_error_va_list(const char *fmt, va_list args) + { +diff --git a/util/config_file.h b/util/config_file.h +index 7cf27cc..d091ef7 100644 +--- a/util/config_file.h ++++ b/util/config_file.h +@@ -1172,6 +1172,13 @@ int cfg_mark_ports(const char* str, int allow, int* avail, int num); + */ + int cfg_condense_ports(struct config_file* cfg, int** avail); + ++/** ++ * Apply system specific port range policy. ++ * @param cfg: config file. ++ * @param num: size of the array (65536). ++ */ ++void cfg_apply_local_port_policy(struct config_file* cfg, int num); ++ + /** + * Scan ports available + * @param avail: the array from cfg. +@@ -1301,5 +1308,9 @@ void w_config_adjust_directory(struct config_file* cfg); + /** debug option for unit tests. */ + extern int fake_dsa, fake_sha1; + ++#ifdef USE_LINUX_IP_LOCAL_PORT_RANGE ++#define LINUX_IP_LOCAL_PORT_RANGE_PATH "/proc/sys/net/ipv4/ip_local_port_range" ++#endif ++ + #endif /* UTIL_CONFIG_FILE_H */ + diff --git a/unbound.spec b/unbound.spec index 044c2b7..704562f 100644 --- a/unbound.spec +++ b/unbound.spec @@ -37,7 +37,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.13.1 -Release: 5%{?extra_version:.%{extra_version}}%{?dist} +Release: 6%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz 
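Review bot: In `cfg_apply_local_port_policy`, the two values `fscanf` reads from `ip_local_port_range` go straight into loop bounds over `outgoing_avail_ports[]` with no range check (the loop lines are mangled in this rendering, but the bounds are visibly `min_port` and `max_port+1`); a pair outside `0..num-1`, or `min > max`, would write out of bounds. The kernel normally keeps that file sane, but the code is trusting a file it did not write, so tighten the condition to `if (fscanf(range_fd, "%d %d", &min_port, &max_port) == 2 && min_port >= 0 && min_port <= max_port && max_port < num) {` and let the existing `else` branch log the unexpected range. The configure check also detects Linux via `uname -s` on the build host before falling back to `$host $target`, which can mis-detect when cross-compiling.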
@@ -65,6 +65,8 @@ Source19: http://keys.gnupg.net/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wou # https://github.com/NLnetLabs/unbound/pull/427 # Fix build on Python 3.10 (rhbz#1889726). Patch1: unbound-python310.patch +# rhbz#1935101 upstream PR https://github.com/NLnetLabs/unbound/pull/415/files +Patch2: unbound-1.13.1-rh1935101.patch BuildRequires: gcc, make BuildRequires: flex, openssl-devel @@ -212,7 +214,8 @@ cp -a %{dir_primary} %{dir_secondary} --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\ --with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\ --enable-sha2 --disable-gost --enable-ecdsa \\\ - --with-rootkey-file=%{_sharedstatedir}/unbound/root.key + --with-rootkey-file=%{_sharedstatedir}/unbound/root.key \\\ + --enable-linux-ip-local-port-range pushd %{dir_primary} @@ -462,6 +465,10 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Fri Apr 23 2021 Artem Egorenkov - 1.13.1-6 +- Option --enable-linux-ip-local-port-range added to use system configured port range for libunbound on Linux +- Resolves: rhbz#1935101 + * Tue Apr 13 2021 Paul Wouters - 1.13.1-5 - Fix unbound.service to use After=network-online.target From 680ab1f23e439b82a035602aae87c4e79ce68b52 Mon Sep 17 00:00:00 2001 From: Python Maint Date: Wed, 2 Jun 2021 21:47:49 +0200 Subject: [PATCH 024/139] Rebuilt for Python 3.10 --- unbound.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index 704562f..65d5cca 100644 --- a/unbound.spec +++ b/unbound.spec @@ -37,7 +37,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.13.1 -Release: 6%{?extra_version:.%{extra_version}}%{?dist} +Release: 7%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz 
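Review bot: `--enable-linux-ip-local-port-range` is added to the shared configure macro with no comment, while the patch it depends on carries a WARNING that it shrinks libunbound's outgoing port pool and therefore its source-port randomness (a typical Linux `ip_local_port_range` leaves well under half of the 64k ports). That trade-off belongs in the spec so nobody removes or keeps the flag blindly; suggest a comment above it: `# rhbz#1935101: libunbound only; confines source ports to ip_local_port_range (fewer ports, less randomness)`. Per the patch's own description the daemon is unaffected.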
@@ -465,6 +465,9 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Wed Jun 02 2021 Python Maint - 1.13.1-7 +- Rebuilt for Python 3.10 + * Fri Apr 23 2021 Artem Egorenkov - 1.13.1-6 - Option --enable-linux-ip-local-port-range added to use system configured port range for libunbound on Linux - Resolves: rhbz#1935101 From adccc55c5a73033939cce0d5e00740fa8b31fa89 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 24 Jun 2021 13:01:52 +0200 Subject: [PATCH 025/139] Update source signer's key link Modifies existing key to better key, since original link stopped working. --- unbound.spec | 3 +- wouter.nlnetlabs.nl.key | 331 +++++++++++++++------------------------- 2 files changed, 123 insertions(+), 211 deletions(-) diff --git a/unbound.spec b/unbound.spec index 65d5cca..68493f9 100644 --- a/unbound.spec +++ b/unbound.spec @@ -58,7 +58,8 @@ Source15: unbound-anchor.timer Source16: unbound-munin.README Source17: unbound-anchor.service Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc -Source19: http://keys.gnupg.net/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key +# source: https://nlnetlabs.nl/people/ +Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key # Backport two fixes: # https://github.com/NLnetLabs/unbound/commit/e0d426ebb10653a78bf5c4053198f6ac19bfcd3e diff --git a/wouter.nlnetlabs.nl.key b/wouter.nlnetlabs.nl.key index f932293..603e620 100644 --- a/wouter.nlnetlabs.nl.key +++ b/wouter.nlnetlabs.nl.key @@ -1,212 +1,123 @@ - - - - -Public Key Server -- Get "0x9f6f1c2d7e045f8d " - -
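Review bot: The bundled `wouter.nlnetlabs.nl.key` is the trust anchor for whatever tarball verification the spec does, and the Source19 change records only a new download location, with no fingerprint and no statement that the replacement key was compared to the old copy. The new file is far shorter than the one it replaces, presumably because keys.openpgp.org does not distribute third-party certifications, so the only meaningful check left is that the primary key material matches (both copies carry the same `BE2v/RwBEACyQpJ...` packet body after the header bytes), and a 64-bit key ID in a URL is not a substitute for a full-fingerprint comparison. Add `# Verify the full fingerprint against https://nlnetlabs.nl/people/ before replacing this file` above Source19 and put the fingerprint in the commit message. Whether `%{gpgverify}` or equivalent is actually run with this key is outside this hunk.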

Public Key Server -- Get "0x9f6f1c2d7e045f8d "

-
 -----BEGIN PGP PUBLIC KEY BLOCK-----
-Version: SKS 1.1.6
-Comment: Hostname: sks.pod02.fleetstreetops.com
 
-mQINBE2v/RwBEACyQpJlpCeSZBV1QUH7jNEp5xGdo6OnX2h9XoZ4ZPsb+u6OT+xESH45ncnI
-SUh8rPCygbeWOoPR/yOBzh+lYoGxQ5iUHtwRrhHq04sQe/qFpXDO2xs61pTcPU2PnH7Rsr2q
-p6fZLPHuXLolD7NJfaSib8sVeMM0/ecyl/L2bBg9NpaGDX0xTQh95M8o6AFo6UKWApBpgsvE
-Zr2aH/B8b9KnCWFhfJyheEM7DamksdZNsKxXQyq3l/ROfdsMLZGF8vPbYV/v11G4keyaLpn8
-AbBpybIiw9SYDwf2ENk3+e1NFfMaiiyEqn9+aaLTKCY87TMUuoN3s3jWOOy5tHXzf6DbKhub
-4Awsby3DH5YpPhi4N2vj2pAXVpl5+m78cH29JLzT+HAoyZ4tq1r3m0P5QogNqYwqxkKWYOjD
-ilNDBiKiDdgtrLYGx+ABovKG/FvToJoaCL4AFaVCzWmL2uHkSgyBN0FPHatCB1UeEkcQit6T
-8E2NQqmFWjUMXSWHHajSMG95+L5PdLHz/Ku0o3Csvlt2pkElYZmzJBfnOM9JevdsmKr/ruJC
-/DCZAn5w2S/9ZF5qfo2F9HUKIwE/dChR29HcN8V4nqZs9oCvEMfFhHmrfwDc5hedhvb6mAkv
-SFFtKIrygLIVeWRj3FE9sGp6sr4VwOLYTFRNk7mAsWD1rZApeQARAQABtCdXLkMuQS4gV2lq
-bmdhYXJkcyA8d291dGVyQG5sbmV0bGFicy5ubD6IRgQQEQIABgUCThRSKQAKCRD5yv3rOc/E
-3iiwAJ0SIjqFSwBm7sEZf2nn4JhkWKoG0gCfTD0g9RhtJFZa+0rdtMGUpYtDA1aIRgQQEQIA
-BgUCT/FYZQAKCRDidkIqx06dxeI6AJ9JZvcA78yRPDAMS+TklrNhFbEixgCgwiltuquOD4Qw
-vTS+NZr1ECUit8+IRgQTEQIABgUCTa///wAKCRCQMuo3A6Gk+Ot2AKCi4IvI/AT2kSzy0pWH
-Zfrpl93zlACZAaBqkUKcA1jxk8HtqDYtuCRhSfiIRgQTEQIABgUCTb7dfwAKCRCL5TxDRLCU
-K/4yAJ9Zgx/YRiu/X+KLDTQoYXTxNNbCHACfcBLrfl5uABiyOzBC+/R5rXnoRaqIRgQTEQIA
-BgUCV+zVuQAKCRAjc9NHiaFq+OY4AKC6GV6dlBdvo4bEaJpWPHh9WShqIwCgjJi+haVoUR52
-ovPF0zsXx6/um+GITAQTEQIADAUCTbAJsgWDCWX06gAKCRC039xrdgkihyx4AJ9iuMMszOpC
-jRYkVjTgmDyVmAA5uACg7qmMbKb03FbTFdd5VG5/6RTiPtSJARwEEAECAAYFAlTvL9UACgkQ
-lumWUDlMmaxLZgf/WeQK3FqemgsgcNCfkPuE9XpSdyJhQ+n1Yb6tAK4osry7H3lFBQIKTpmX
-SxauZDazYt6G4BYWsA0ARBwZVOaEaIbFRHFWs3/SLynNf9ZGBw8FumIMlEw3+tUdZck6u7pU
-q1OFeL1HWRLEC/njyLe7zAFHHWwMUIL9ZAZGiknADbqiiyF/JTcv4cpfNhdRAFzRriUJ2zYf
-0r6vKnf8pjc9QfDricAq/WzfANycfaSqx5GEBokxZY3lq/oLe4dGpZmrGecvBMtmTRHAG0Ln
-sNwXVujej3sU0vfhkZ1A0lnKoZCOTwGTPkL3dkOwbUdoYiYakTjM8NKav/TxNDxdaG/QbYkB
-HAQQAQgABgUCVnyBkgAKCRAIbcKm1AudBFrsB/9oKXW7oiQ7eJJ036fsfM5UODQGoXc1XO0R
-TEV/8pBRSDhqOVwRUsPqgtU6p2UWJbwxgB7MmPt3Z4cXs+ff1jkTzn/iefMyB7W6NogotrTt
-Nlj8x30Y9dVJB4KSHnQW2Gsf/OmZM9cDBAuyK3j3yLWkn65FRKVoH/4sYil1Tm/ogEC8vdvX
-RpwsCaZG8HOLDphjjU0JErE1jWk2L+P0TeGCmbrsfhORxTaCROjvcJ0fQsdX7kcA262iRrU0
-xDlBBYZA9wyGfd4wf+zIt7LcVBjNNvIUdUC3Uf0prYJawaG2/YV6R7eY4ooJxTutadugLmZp
-fBRiITflLZssO3YAW9RxiQEcBBMBCgAGBQJU7y/ZAAoJEMFDUWYtzEe6MyQIALSGlZ4X0LJw
-6zNoHGVxC0P911NBtDRO2/Hfg38UMT8KjQ1jOynm1KZm67viNOVGRGWar23PNppofpViZSlQ
-xUXUyLXVajcV9klg7RV7GC/3P2dvrCjELHXJ6w8qrcUKDighjbdctHXiQ9W5nU1IWPTLdg+z
-cvTbSVybvLwcbu5kzUzlYvesetJjSWnU9PXswed2cN9sqN3ikrWlYv4qHp6RwrLBN/VjZQov
-AxXN68PHxLz8GNxZTO9Aa4j4CheejXPVHDhqqw/K0XI86hnvZX7kwy4KBq/o4Kl+fstaOM6T
-571D2fljTVztmsKZBhiuKm1t8/Ltoifch+bpFx5AZkaJAhwEEAECAAYFAk2+3aIACgkQi0GC
-sRlrLScyHw//accdcVbHGYLwS0imk5SMEJX2bdu87uXqseeMU5OhnYip4ySQ727VihGYkhmL
-c/o1dIEznvFudWc/fMEi0x3R5J53Qbt3XQEUjOgZUoeomQJCItoJsDRoItvgdUvj3o6hVWhu
-+8PL6oC2J/JAHvfsMKiaTBHrUcNdgovLPGo5bcZCJwOxqPLYPLW2fCkanY9EhbyVAsFIiuH4
-+8tSDnqrgZFATyDqhqAYP96CanJrSalB6l/2r10q3V/OxcyCwys5w54FExhQAhpwThpbpFcK
-kBrM647ak7x8dZha4C/RltwkFn6jFp2sNUSEa0USTOTyDw7WkqgZZOWvauQ+fKgSOJwWU+MR
-cs11bNEGtwBu+wPheeyAlITu7A9PIrMZTmmJKy124I7ZvfXF3NZrHVm2KanLaWqHrso8tYg4
-9C7ptSCEZlgLHaeOl1wOOLbH6OneB3mQqf2u0elWYv64sbEqmFwd0C4rFeT7VSFSDLc1AsZB
-zc4WveDPnjzMXE2KLIwP+/x+betpntuYKYzYov0fryS79fjwu5JGh0gfEDITSta+tPRAYqKf
-mCt/jpeZxUQBfI6SW6LyP2Go8uYlbplV5IJuZ04c2Pr/9G/e3vh4O/kJmDZo4EX9op9TKJpg
-w/shReVuUAP9E24rD0oEyiWnHu/ZsgMtaVKQc2SsIghSG8eJAhwEEAEKAAYFAlTvL+sACgkQ
-V0EnLQMH4n8IuA//cZqhGvBiSNpRkSjjZWu5BY7fhMOdshiVPkEZmILRytnXnxVcu+PuuIk0
-kXfgt/jcS762dBZK3UOVAAsGsLfkisLN18UGWKhokNUWybSmdmhTb6Ns5tJbZfnFTaSjA3Gk
-Z+R/U8O1tNHTmqBfYHTSq8utpIi1JEJRf5itUYytP75nt0rnjpYTFEbvKgukgZldLDk581Zc
-x4Y6pj1ILrxtqF369yBtYIEkHFcYDuXsApTIXY1G4V5mq4t9QCk07E2ZKZ2aJjaCA7VeD+vR
-8Z50oyu4kuc1RdFnP8TfQUAr/tYIFinuzKSqELu9b+JSPO3qawXaq9Y+X42XWkeQSeu7SNl2
-xqe1uVhHd8qduf8U438fUOBeY+gpae9e2IPbErU+itmd+m+WlHp8FUH2pS6VlXXhBrBPEZ3+
-8ph9wUtSAenFVyT1leu21pMuP2nNpD2nTsNlYcX9gA/vkA7bQyOtaEOC+8zNHtZYhx4u/nmI
-+yZ4Cc95CmfwTE0/fRX+T+jK2x5ZGRZMudygnKRbnod+OgnNVBWIykGSzULKgLY9i5PlxCA2
-a7FUoLpIOW4OJSgo6WNsBc3j48RjqNm3cUcLco1kDcoGaQ43dGyLVGMlB332u6m2W+g+AwGm
-vhJQh3yy5XYvRXRzfiHvWUok8ess1/0qSRua22JY14KBxJF80EeJAhwEEwECAAYFAk2wI04A
-CgkQ5fj4IS93pJjaOw/8DG4fn6z4LYmY3MsLNu2Efg9YflaWPkD+z0iLPGUHhrzObIIMfGL0
-kpqYJSbvYqYUSIR8AjQGwRrJVidBqOX9bK7ZVPPvsX61hjt6e0T0O2Q6JuDMCfseiseLBo/a
-6DJu2P7LfDNGaath0WMonOxnqs+kRG8SVyTqmbnyC0AwthgYB57CIyNuz3MPkQr7pJNmyWFv
-kUYs7Z2Awq0hyD9M1KAV8igqFGYjrZAJoSv1nX6OzGRCSFmxqKwmCd7OtHLpqdNHos5CLhrj
-ouLJwiNt8gv7w06owYFxEsctAGqjVjvvtD0L19Skp3jgLAro6x53UFUtxm+Z/8YLLh+lNHJx
-JMDQu5CpSn3zLwRkF/cYgINOa1CS1yceynlbRGxrIb2vSfmnZeNZ2cTwedM/+9C044DfIB1y
-9FmmZBaXOaA4ITjvcEf2FpFn9MdF+zN8N8AN5m1y/qftFqgG0P40AQ0hQAhk+F8JxD7wVh65
-jcj62f287L1h8EDo/NE1JH8dAb9dUlJQeohAkiIMurDYLYRop9u+ogtUtRpMKXTwgNUanIq7
-oTYpNunbI1NUXc9Fdi9Z8OYZagHlo4v6T3fqvaRbGElncoF6faz7les2zh2S8etACX7mNsxV
-c6kXIpdHqoHKGShdxtb+PhRirbIxdCzlFstk5c9zpsCJCr/yu+pCL6KJAiIEEAECAAwFAk2w
-CcoFgwll9NIACgkQVGoRHjtqqmQGaRAAuHuKIupTerS7qrEIkyOvECN06fg+U/caYv3Qpue0
-4ZC2aIk4oK/7wsuhEsMLCL3J1JFYCCmbc0QfYBtzIM5lu9SX7/1R8/+VnCvYvME8tKdMdQAM
-BWq4ZG5Bi9rH8j+450mjgmPRC0s8tmmfp62gB9zBAd/poVZQOVSUV43HE3n6Vkxj0ediGEmw
-GakB2pPtAY7HAaLxRdXidwjNTzpAz7JPinoZgpz/MYseuxSSyhIqqREYn/ynX1+YQhu1l4X6
-rpIsVWawMv93PhO42Y3Ny6SvC/hnZ1J+Y359quClHTQ/ogrbZrbhlKtpJNeNOCBKUzgIuT3/
-PSy1XheYQR2m8SbOmOMpgInr16i3ijsYBKI6qdoxB//YCkFCJmxfCUqRGPe6sAW2n9ow4VmE
-rAUDEqYTPDzkRA5zBY6C6cMugoClY8LidDwKHGXjbPMLz+CnWIVsC8BedjQcfPkuQs/P4QtQ
-+UYwt6UiFywYe4Na9JfJsYDwkUaKgZadva/JFxGkm7ApMpeMBuZUDIl9qptKipdmRrMnBx9l
-fvBqrrXYKPEzVMW0FpX9D5F1L4k5u3x4B0VDZ9WPJgkSKFQIMatDxFsyJNWZmh/0dODC/LKF
-mZZCk3B34rr91He99MzKNrrq3vZSlbMKoCQYjDGQDWVXCplwjq1zCt/JSZUJYVhwbcyJAiIE
-EQECAAwFAlRgbtMFgwK1j8kACgkQBhyEc3tNEByR3A/+MKwW1tgIspbnE8WEGjdNJtXUHQUv
-UJHFTuoBNKZA/uAYxe7FLoSKQI8lH5PgJrLnu8lq0Z7h4BObnx7F4NrB1ixTtMGgRXD1amVY
-Gw6STlXH6Fhr/0RvBTg/wbdm/nFFdaEEhclMNHY/mW69bcqGjHjcnk6nOmlVrYegWRGjGgTI
-JBqHUhoX2+VixkMrBDSESBpHHQHlwsOlT9T0v3pCVHQz9I/WygQpn0bjgWEISyZkWbLcmJVZ
-yYYmWU9WWw8n16qFChdO6BTEjChuzVupLS5LoBgxCJkh9gl4F6VGRg2kVvsQoxE0CKbM+4qy
-qAAK2jrgQZRg4ihC2WmOpr9X0mrjO38Bz/tmZL389ZBzj9S3VO8otgBRgDbJvNHm8EjWdQHj
-SOE2x5/F2T69g8IK3S/vkkKrySsjSlD/NJpWwldkUh1RtO7wFO2Zk+2+vr55joOjKApXKQgO
-7PKw2awkL91UWWHAvJ3tTq/16FUypnY9RHM9rHtU8XDLCp4iEzE7rzIywEwX4fUAut4CRf8m
-u3czrhdPh+oQyOyQHZJMdX0mCKZREPgKo2ca5iAFtzOzrgD5OTCD/Pz4+99+gLEMOML1bWQ4
-R43L4YyrB1UIQUAvVmLDhn19bUcIS+wZ3kKI0et24wqjkaIsLSSounGBPxB4jOLhG0BBojzV
-dvqUElOJAiIEEwECAAwFAk2wAP4Fgwll/Z4ACgkQrImYjct//fHn8Q/+JdXKAXtSq5ReGTDR
-F3PcpsQK9q0LGvdyNPZ91oSkGl2UpcRhQ2KqTY0RJa7CZdk/3jG9G8aRuAmC6O5MhcsVU36j
-zBTanDgiSqFEpJCLXWWkPbwWIXdL3/FVm/1iYkDNqOZkWsYxU6BixgrDJoKcIZctt2igZqqa
-qdJYJ8tdbEXfW67rx+cu+DTXuZIuBwFETNix8zL7XpCQZAOG79IvBNaSaJr0x90tn+6rlLrk
-w6+NCXFjzm9aDNGyyWTs7s4kLfDR1LbBGpJNL+kmWmF9hkQTFHDxwNmHPyhjZcHVXaRfdl86
-ahClxBT6hitmurAGDIjjqy0d3Rs41Q3rcm9AZUWH4YbtRn2hXC/VCzsDvZvsjFB258mj4oDl
-jcgeuoY4uJEK8EJa9RJ6z3+UATcDaZTmlWhmb3UhG6suhz4hjmC4Y+JcovSVvq9AJksLJA74
-m6TxExiKzCGwy9xw1gcgJlFD4iVarfV4+jv5YGuPipPwz1ho6+P4uUOOtLFVHesSQ7S0W8eX
-rMdbu1Plw+m+fad/Asb8SoUm4ckfCwgoDMZsrGHBLhMa9D7AW/4z478DWqM6aZnZlpK4pNk+
-/jyW8cPDfjRePFKC/zH2Vm679JGgT13qQUJF1fja4KOSEi0lIKegPCRVJ1h0MseVgd2Qa9vX
-2VJwbZkrnoBa6VZH8dqJAj4EEwECACgCGyMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJW
-76tkBQkNAhVIAAoJEJ9vHC1+BF+N2tYQAIxArTFi1m0C8sv/wIJwKL3Y6LWu1dEZadHLslfT
-bSF+2ZaWIyrg/QXcIkpUuGBn+V2nw46qZ8N+bAsxVJoJDzpRuqfs5+t/wq7xIZC4gzFjY4MH
-3uGi5jhucMdozYKqLomQE34bW2B3Co3+Rx5wXa2reqXaTt5f3X74D4XkCki7WyKXMk8vhnxb
-oxU50qu3MQzu3rWFGWxukQ+Pva9tUFnWGZOIgvhVbB3FBhqbEGg56d6yTIMMb6IwIjc/UYbc
-RCST70B5y3+If26u4TSbGfZoo3xx+6hH3dw8X+jMLFLki3ABWc17f1ZE7UZPbNhoWBibSV/1
-zNylGxHM1sbD3fyVneI9SJl77JsqAsqRWa+uQzn2WMdP31KsLXhVfGBDBKziBLet3Ntj20+m
-zrZnWr7EJV9PHUhjk/ie3n3HBBXQjD6lX1L+ZVw6c9eXVQpvS2051gkSuurdGkX8PaD80O0v
-Q5aohrwu+sGXJBiZY8q8rDvq+3hsnc1TfWNJzSjD+PsQ5WM6y3zqzrb3Oa2dsmNZWvos7LkQ
-NQ+6yaoe/W3hnhEyN/w6sl01sUmhFdm/wVtbg3Nd4a0x/yTq8p56Ol0wfj54u6hkbt1yFTUl
-xx+Cp/BanLSiOZvn12slxpCBULom/D2XROYY80iwThSshahxoWC/h04q8cDaFycwMzyuiQI+
-BBMBAgAoBQJNr/0cAhsjBQkJZgGABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCfbxwt
-fgRfjd8qEACMp3672f/ETQL/ZS3EnNj1937xu6ESRCUsvbjMiGzLW/2tQVQnoV40fBoRyeQ/
-2d40VgUCsNayy7zqm7gRpKSjEddNGVReM//HuglrUwDhctvH9SUMNvJIpTeyur456NtUtSSd
-VyQHaBXYnMm9Ultq/imKHen40shdJW+9aHfrHZ0hPTv8XQqssrunF/gMHw3LiemPIjlrvAnl
-gM+NS0dUAVEJAm/9PJlXwhLvgo/jN9Y4zw2RMlAMNtfb6+EBXtKN7fjLL9AFGb3EZFuvvKj+
-ZTuiOcHv991gS2R+9JYRb2LaGzOxzjAo4XkWYLks70ahBE3044mtblYt2M9qjOAhXSSGRehK
-+/cinAd42Krrpba55R3V2fyGbB1UZOiX4qhZM/btU/T5LzKEOOdmlKJhk4PcUHIZyqXtRPKL
-CoC7pWmPos0xKmfKR/x1lif2E9d/5/KcSvRGwv/EpFYclzXoTkgBg2Wq/rY1QaH4M0vK/hg8
-r/qQU0po4rSK1V2TboYoC6daO077OJIypXBZy4Xwxyfsm+ScomXdNW1b2qp30YQAql31paAt
-LrJUW3oKGMCVIF9ATq7Drhxh9knxo3f0JwNG3BFzNpKdQ6dYKrXBHeUIrZuuO2M/pXlpIa5j
-JrU8Krpl6AHL4M7YSRVD3AM7oV2TX6kCTDhkcQBlSND/e4kCVQQTAQIAPwIbIwYLCQgHAwIG
-FQgCCQoLBBYCAwECHgECF4AWIQTt+qPyyk5usFaBr46fbxwtfgRfjQUCWaU4BQUJEZjVaQAK
-CRCfbxwtfgRfjb1YEACjkhtkyZkYURUmSZNL2IK/Zencv7DZGRfFrzijROFtHbe//H8o2Zhl
-yiaFSA/dT1ehjsukkR0oFkYadA+qUi06WpxGmd/jf8hP4yTUZkwOhQAesWoNmnhKePNaVMKY
-8DP57bA+N2pdCcGu7gUtYzq2JoTAtV+P/PE2w+H9eyBAulv6iUckM5/qvGfJPl8HB9BtgOpG
-N79otVWO6ebM4TQ3cZYI9BDQnt9cF2pviex+z1iLZVJ8UeRxSxYhrBKPJioi0Q1OgcKyO56t
-7EotzxKl5TzprgvdX4cdls+lehD8StlE2Xv/TScHvdOhJuVBrn3a3QjZPb4qSsz74leW5/EI
-QmozBy+qf8AHcCmTXwb2U7oHOct7cVyS5+bFx+ThpV5OK0rjTH1LMNiuTeAN46c1y3prjZRp
-QUlgVwj06q3Zz/fzDyueUS/r4lW4nAf/VNZy/rTS2HYPoZbHZVCtGpDIfag6fV6V97Pd3zfh
-Tf2wmsJsw9Xhktp/o7rMBRSMhvL4oevOXb0JSG2583Q/JnCCceB4NxRRxsgkRYHwdnXN9FnO
-PSa4NyvF4rzpPksLGZrhvm+lBvzVn/e40Q/KlxvSlnn2vW/WBM4pBq1jsoJrd/JkTdijZV7m
-t7HQ2bCLXAPgfZjy7n79WiCQVHg7iYnNikiNWR5TR7JcvdkxOdiA/4kCVQQTAQgAPwIbIwYL
-CQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQTt+qPyyk5usFaBr46fbxwtfgRfjQUCXe4JdQUJ
-GaQN2QAKCRCfbxwtfgRfjQ8gEACe+49aDQHRuZdDHK1VCJKzhb+MvfdIjvl8eQxljpG9Uz5Y
-17Bx4SWfuLHCeGlh1m6IOAWeW4g6Wowm1ec1PkVa79TdrkKb0MxfLSat6iDbiuVjDxy2bWok
-W0/cPzJ/FoWDtEC0H9UTAMb5QGBDZUbLuwX7ZjvMkAhH15/hO9Gj4RHoH1RJGJALRtZzjtzs
-JqL53kW/EV59V1T79Nocyx018iw50Jn02mI8wYJZ9HZc5C7D+K59vcqLRZgkrJrObw0sEv3Y
-FOBYp/1DemH2nHPMBSKMmN5RAcr32guUjd4BEWf2Q7Ao+Qnhdi161W0YKCW4JAmOoQ4bQ0wf
-E9Q5aUIGhUF52L+ac8Hy7dByaCExCA/WTqQQ/iVPybmpJQhFonWt/fmpxbE2wKThSEOHTO67
-e5e3JfUb0vNKssyZojao4h1MF5nvaPNKoybWwKnpNM0ORcyl+aogKwW7E15TEU0TE5//gAsF
-wRDcCnSEKnksgM0321m17RDfJbCajIv47DHDYE3yvhRZjCJCaw0Gow1sDRWjdOFpmIixD5/v
-x5uxyqSHPuGAsXlEvl+Z3Rdc5bQ7pAWu7UNpR3hnJPfg8KL2xqOF75VKG9/NjLE80yj8wdVo
-CfDvvizrBtOXnHI49gCMCfNqbGIb5yVhmTdeo7li+Te9hlJ2DrHnujGJlFe+p7kCDQRNr/0c
-ARAApvDKeVLiSazESdTY9KsSWsqoB38pvOsu25M49tEjc5TtY5LwKNckqkeRlJ83O8dFG7UB
-VuGwLKaf/6OR/pe24upZ27eOOWW7sXvQNv5aXlOYfF+mjIhUINqjq4pKDmO1c9J7h5d+auOV
-fzcgfotg3BVCaKn56ucjiQJ059uUMfgWTvVlibnoJ7deZcgt8v7VcLK9jv+P8QJHTIyDzJd+
-JjdjuHXqC/A37T5G9Z84x8wYrQY6mZmOIYaMjwIKdgFeN+nLk5henARUz4MTFUW4j9hHpuyA
-FomDQ93/wkHZ9IEChTxdZnfvsd//Z45vfcX9dQM+tuR8XCYThVsScI1TnwR46hi5NkfmHo3H
-VxwB8/owJ+FZDsTNBbJd7AVy27Xk4L5hLe7BwLDtFMyOp4lOipCM7//mtFB9mTzqnOwiSSyT
-RlwGUBJkzQFWQa0Z6bfYwA6+y1dn19H519GW49irtl+2+W8W4N8oLriIjPvqrQOyaELFcRfV
-6FfLi09HPhHVbejOqIEbOtfuN0+mjrrGAwortfTBjfw80N+W90BTvta4K2SyjHcJTkDYehfO
-o/5IMpGtDsOgvsCbDaFRnNJuYtSqQmvWk1KIPIw6CkdJtZa3+q3YA7D7ovOVH1OBTKNdBjc+
-X4W8L5R9MCymXWvgiP+52Sv1VIcZmsnCBrwK490AEQEAAYkCJQQYAQIADwIbDAUCVu+raQUJ
-DQIVTQAKCRCfbxwtfgRfjVnYEACZ1E/FfLDi4vLUd9diImmNN/zWDHxTsO/VG3lt50rSoJM5
-NGB4RlwcbUKhah2fD44FFiIqGIvKD9hRgB51dVRIkaR3ozVtXRBKxJJqWj38wf2FDLtUXC5/
-JHYb0sjAc3ad2sA9xEmEBVO1lWK3J6h4gKZiAGlWz3oeOSve3vrTKsBlP0CurUeb4WTVpw4d
-rBJD7cDh8SJ4/Cq76UFx8lW0xR+pHZHcd0/Ir5v5HnnEgbnut4IxeY3/CGBfQfSQHylK7ifm
-PWq+dflC/ZdfHY1V96EHKPM44ZLwiczoY3qp5nkmEc3BY6+P8Ch5gddOYaY18wpedarswnpO
-LQD2Xbsj66Eh0IZuuuZGyfOqJNaWbP33L27eg35XQNTgyhuZmDyRKL6yAbhU74TXCCvze/kk
-fqDn2ouCtM8/kqLX1v0+NkBxlhZUkTTVDyclZtwu6Vypus3+j2Zqk8sXeUZI64sjXpzwOcMZ
-xdl3QuyxMktExWzk9Q5DYqO+pj/YGt1vp2M0YgSUWNWCvfBcjEPFgaljyqz3BdvR/LYohnXu
-QL9SWObF+sIFc9D0w/yORYQcKP5kSWVC/qwFdC61OGeSDnQ/0o0T5PefhYS82gsIrjQ+HIJ7
-CLUTk7kBNljvtfpoWegH02feR0kSRoCXA6x+YHT4fmB41pW8S1V5a5dEltA/JIkCJQQYAQIA
-DwUCTa/9HAIbDAUJCWYBgAAKCRCfbxwtfgRfjTY/D/9+kX8LeqBhwDdwy3udV67KmVmytwGM
-fzBHbAyBdy84X06ip/If/VkjL+2Sv5Uml/cOOzGZT7y/KEt0uXQzgOZhGP5Y0OREf4kSzfb7
-tsGu3ZjTp5uJe7HiJr8uqYGfx94TQG/A3x1C7MlxOGmWDK/Eh/eNVeNd+3yyDEzl2p7a0yUh
-I8LtzllVrEDX+G4rz+mdDw4tfPDqzRPzPvVtPfqnfofHP5r2dshGe7+pCTC+o0jHWpaiFkEi
-IrR3PbZ9tV6+F5LzCUJJP5nepz6CShpLHq9ST6qZiw5ZpdznHW0kVl96YxgynJq9Y4dqD/8n
-OfTzdHhXXEogGvRfcxatxeZF7YNFhUU2p+CswAjRKCUzZAz0hDAu+dJ+fw4Odx7ii8uiwhEn
-EHoo8rPETkXwUK1je4MCzMRSy0Gippzk/oZ7noIml+Njas/UygavUOQm8bcPqGfWeFqvM2C7
-ZobL2iV0fX/bhEmQyosiWJ0nHuKdwDYygYs/4LtZLxwiKli/lm6IDz1028j6/98Z81gGoltX
-WokTYAPEgcBuhyiSLSQ1wojTVMYt9rPKMBakTzP+0FoWqoNafWOlHovP6iUB2Igll2ZT3Avr
-BQ8jAbRbuUl46QpBaKsl+pBo86az0fRkMxv0N4dQv4Q7Z0g71u9NTpaq1vtAZOwc0kl3uGNK
-18PnV4kCPAQYAQIAJgIbDBYhBO36o/LKTm6wVoGvjp9vHC1+BF+NBQJZpTgKBQkRmNVuAAoJ
-EJ9vHC1+BF+NyNQP/A3h+cOOkYUxyKpNHdtlIfCn8db5tHXSCbE19Qi7EK1SiK5atjo+VoRt
-B+L01kH6GCx5oZjeIhUdzYFwEUsdCDgwD6r0dKFwKIGa4TFcfnx+Z5B+HZgLYc6ac5PEHF1q
-ZVXZH9GSGeNw5h2yyqf4yhvetSN6L2id14m5XXJV5e7NfOgmaSnG0Z+wQvPSiu+Q00XpENT8
-HFSTSCjRATjk12rpy6TPeeC52NK1gLhGDRHN0k6m+vm4yoC+Nd6iPQpnc+5xs7NDnq2dFuST
-p7UTGebzPhhdSQgujEFuYLwzQMZu1h5amtA+v9j7BYEJkOMC7bm1PNNA2QQ6QfH8Hf+mJeIN
-yJO8A5KS3ceP+eo3SLR8T0hPzu9gZuZ22Hn3DXQh1VNRshaLKgNvoXpL3dQ48d1SFFKhEDpy
-2HSXUq2fs5rH0uszFGesG7K6EQRAYRcDrCkt9fdfkvCSxAFw9d+472xThzgKcN+MkOec+SaY
-+xlVULjEfCWyRVC8Opam4mTm/XT4mVLxP/qnsy7kEhLoc/ouB+lY/ks06LpZJvCXL6WfA9Yo
-u1Fi1Mg7GhSh9JKg6X6E8Trm+N4dxJGut1xbbGmmKXqfi4pej9KlkdeM9t1df/vWKlPa7Hzd
-8H0btgJx066wC4yt0ghxtsJXBsCDxWLfzaSRZ2/eP16mHqxDjsQQiQI8BBgBCAAmAhsMFiEE
-7fqj8spObrBWga+On28cLX4EX40FAl3uCX0FCRmkDeEACgkQn28cLX4EX43TQA/+JV8ReMRJ
-Cn3Cfqbe5ycFn8p6dIVnJiQuhiEyu5yzdpSkKyzcVFJObQcqw7s50FJuLUbxdvbcuGIaoTu7
-dhBoUXO5tOuIQAsKTfGfgoOgelJm+/q2h645EnAVINGbMDXrmo4/UFJkNjUMA6SQi/yiam7N
-0y58eoDC4sGmBKuN2EW2MoWahlXw8SS1+Ab9qVBs/RqbSy6f1nJL39aPpPDmvyJOSYtHnNSF
-lYWVhr0zGAi5rnswlFGrECGbHpr5FajUK7zcmtNPbi7F30K48xfF3XnDIeIBcerrEBQMaPUZ
-cBlddGhmSVVJZU/YhR35JNgPnmp33gOuZaRiW9lauZFwsMQBIBkLpJWoUtu8QLkyC0HmJzVR
-ep0/s1RkzaJ+1G1BzXTQiXaLaUQWG5h3pcMD8fxY5qp9KbG/+10bY0sRbRBXgS6mz7ddHaBt
-g/E8ty2nEB1HDXA9HAHu7KlH9e96sPZjz9C46ZiOXe6ZAOk6wBYts4RG4bCQ9pGORJ+P2Jr2
-pz1NZQbs1AhnjJixTsfZfsGZ5lHxGLjIyxtdGB/irLEqNTIMek2yp4CShmWoZwN0V3aGYMe/
-rC4tSXG79IeKNwF3Vd5MHtB+hcJG2qztBtKQuW29rbRA5bNxwTWe8skwOKsxXnP9RC974k0X
-kPS+VwgmVgNN1ewS/0oHvmEP71Q=
-=ZSkT
------END PGP PUBLIC KEY BLOCK-----
-
- +xsFNBE2v/RwBEACyQpJlpCeSZBV1QUH7jNEp5xGdo6OnX2h9XoZ4ZPsb+u6OT+xE +SH45ncnISUh8rPCygbeWOoPR/yOBzh+lYoGxQ5iUHtwRrhHq04sQe/qFpXDO2xs6 +1pTcPU2PnH7Rsr2qp6fZLPHuXLolD7NJfaSib8sVeMM0/ecyl/L2bBg9NpaGDX0x +TQh95M8o6AFo6UKWApBpgsvEZr2aH/B8b9KnCWFhfJyheEM7DamksdZNsKxXQyq3 +l/ROfdsMLZGF8vPbYV/v11G4keyaLpn8AbBpybIiw9SYDwf2ENk3+e1NFfMaiiyE +qn9+aaLTKCY87TMUuoN3s3jWOOy5tHXzf6DbKhub4Awsby3DH5YpPhi4N2vj2pAX +Vpl5+m78cH29JLzT+HAoyZ4tq1r3m0P5QogNqYwqxkKWYOjDilNDBiKiDdgtrLYG +x+ABovKG/FvToJoaCL4AFaVCzWmL2uHkSgyBN0FPHatCB1UeEkcQit6T8E2NQqmF +WjUMXSWHHajSMG95+L5PdLHz/Ku0o3Csvlt2pkElYZmzJBfnOM9JevdsmKr/ruJC +/DCZAn5w2S/9ZF5qfo2F9HUKIwE/dChR29HcN8V4nqZs9oCvEMfFhHmrfwDc5hed +hvb6mAkvSFFtKIrygLIVeWRj3FE9sGp6sr4VwOLYTFRNk7mAsWD1rZApeQARAQAB +zSdXLkMuQS4gV2lqbmdhYXJkcyA8d291dGVyQG5sbmV0bGFicy5ubD7CwX4EEwEC +ACgFAk2v/RwCGyMFCQlmAYAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEJ9v +HC1+BF+N3yoQAIynfrvZ/8RNAv9lLcSc2PX3fvG7oRJEJSy9uMyIbMtb/a1BVCeh +XjR8GhHJ5D/Z3jRWBQKw1rLLvOqbuBGkpKMR100ZVF4z/8e6CWtTAOFy28f1JQw2 +8kilN7K6vjno21S1JJ1XJAdoFdicyb1SW2r+KYod6fjSyF0lb71od+sdnSE9O/xd +Cqyyu6cX+AwfDcuJ6Y8iOWu8CeWAz41LR1QBUQkCb/08mVfCEu+Cj+M31jjPDZEy +UAw219vr4QFe0o3t+Msv0AUZvcRkW6+8qP5lO6I5we/33WBLZH70lhFvYtobM7HO +MCjheRZguSzvRqEETfTjia1uVi3Yz2qM4CFdJIZF6Er79yKcB3jYquultrnlHdXZ +/IZsHVRk6JfiqFkz9u1T9PkvMoQ452aUomGTg9xQchnKpe1E8osKgLulaY+izTEq +Z8pH/HWWJ/YT13/n8pxK9EbC/8SkVhyXNehOSAGDZar+tjVBofgzS8r+GDyv+pBT +SmjitIrVXZNuhigLp1o7Tvs4kjKlcFnLhfDHJ+yb5JyiZd01bVvaqnfRhACqXfWl +oC0uslRbegoYwJUgX0BOrsOuHGH2SfGjd/QnA0bcEXM2kp1Dp1gqtcEd5Qitm647 +Yz+leWkhrmMmtTwqumXoAcvgzthJFUPcAzuhXZNfqQJMOGRxAGVI0P97wsF+BBMB +AgAoAhsjBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCVu+rZAUJDQIVSAAKCRCf +bxwtfgRfjdrWEACMQK0xYtZtAvLL/8CCcCi92Oi1rtXRGWnRy7JX020hftmWliMq +4P0F3CJKVLhgZ/ldp8OOqmfDfmwLMVSaCQ86Ubqn7Ofrf8Ku8SGQuIMxY2ODB97h +ouY4bnDHaM2Cqi6JkBN+G1tgdwqN/kcecF2tq3ql2k7eX91++A+F5ApIu1silzJP +L4Z8W6MVOdKrtzEM7t61hRlsbpEPj72vbVBZ1hmTiIL4VWwdxQYamxBoOeneskyD +DG+iMCI3P1GG3EQkk+9Aect/iH9uruE0mxn2aKN8cfuoR93cPF/ozCxS5ItwAVnN 
+e39WRO1GT2zYaFgYm0lf9czcpRsRzNbGw938lZ3iPUiZe+ybKgLKkVmvrkM59ljH +T99SrC14VXxgQwSs4gS3rdzbY9tPps62Z1q+xCVfTx1IY5P4nt59xwQV0Iw+pV9S +/mVcOnPXl1UKb0ttOdYJErrq3RpF/D2g/NDtL0OWqIa8LvrBlyQYmWPKvKw76vt4 +bJ3NU31jSc0ow/j7EOVjOst86s629zmtnbJjWVr6LOy5EDUPusmqHv1t4Z4RMjf8 +OrJdNbFJoRXZv8FbW4NzXeGtMf8k6vKeejpdMH4+eLuoZG7dchU1JccfgqfwWpy0 +ojmb59drJcaQgVC6Jvw9l0TmGPNIsE4UrIWocaFgv4dOKvHA2hcnMDM8rsLBlQQT +AQIAPwIbIwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQTt+qPyyk5usFaBr46f +bxwtfgRfjQUCWaU4BQUJEZjVaQAKCRCfbxwtfgRfjb1YEACjkhtkyZkYURUmSZNL +2IK/Zencv7DZGRfFrzijROFtHbe//H8o2ZhlyiaFSA/dT1ehjsukkR0oFkYadA+q +Ui06WpxGmd/jf8hP4yTUZkwOhQAesWoNmnhKePNaVMKY8DP57bA+N2pdCcGu7gUt +Yzq2JoTAtV+P/PE2w+H9eyBAulv6iUckM5/qvGfJPl8HB9BtgOpGN79otVWO6ebM +4TQ3cZYI9BDQnt9cF2pviex+z1iLZVJ8UeRxSxYhrBKPJioi0Q1OgcKyO56t7Eot +zxKl5TzprgvdX4cdls+lehD8StlE2Xv/TScHvdOhJuVBrn3a3QjZPb4qSsz74leW +5/EIQmozBy+qf8AHcCmTXwb2U7oHOct7cVyS5+bFx+ThpV5OK0rjTH1LMNiuTeAN +46c1y3prjZRpQUlgVwj06q3Zz/fzDyueUS/r4lW4nAf/VNZy/rTS2HYPoZbHZVCt +GpDIfag6fV6V97Pd3zfhTf2wmsJsw9Xhktp/o7rMBRSMhvL4oevOXb0JSG2583Q/ +JnCCceB4NxRRxsgkRYHwdnXN9FnOPSa4NyvF4rzpPksLGZrhvm+lBvzVn/e40Q/K +lxvSlnn2vW/WBM4pBq1jsoJrd/JkTdijZV7mt7HQ2bCLXAPgfZjy7n79WiCQVHg7 +iYnNikiNWR5TR7JcvdkxOdiA/8LBlQQTAQgAPwIbIwYLCQgHAwIGFQgCCQoLBBYC +AwECHgECF4AWIQTt+qPyyk5usFaBr46fbxwtfgRfjQUCXe4JdQUJGaQN2QAKCRCf +bxwtfgRfjQ8gEACe+49aDQHRuZdDHK1VCJKzhb+MvfdIjvl8eQxljpG9Uz5Y17Bx +4SWfuLHCeGlh1m6IOAWeW4g6Wowm1ec1PkVa79TdrkKb0MxfLSat6iDbiuVjDxy2 +bWokW0/cPzJ/FoWDtEC0H9UTAMb5QGBDZUbLuwX7ZjvMkAhH15/hO9Gj4RHoH1RJ +GJALRtZzjtzsJqL53kW/EV59V1T79Nocyx018iw50Jn02mI8wYJZ9HZc5C7D+K59 +vcqLRZgkrJrObw0sEv3YFOBYp/1DemH2nHPMBSKMmN5RAcr32guUjd4BEWf2Q7Ao ++Qnhdi161W0YKCW4JAmOoQ4bQ0wfE9Q5aUIGhUF52L+ac8Hy7dByaCExCA/WTqQQ +/iVPybmpJQhFonWt/fmpxbE2wKThSEOHTO67e5e3JfUb0vNKssyZojao4h1MF5nv +aPNKoybWwKnpNM0ORcyl+aogKwW7E15TEU0TE5//gAsFwRDcCnSEKnksgM0321m1 +7RDfJbCajIv47DHDYE3yvhRZjCJCaw0Gow1sDRWjdOFpmIixD5/vx5uxyqSHPuGA +sXlEvl+Z3Rdc5bQ7pAWu7UNpR3hnJPfg8KL2xqOF75VKG9/NjLE80yj8wdVoCfDv 
+vizrBtOXnHI49gCMCfNqbGIb5yVhmTdeo7li+Te9hlJ2DrHnujGJlFe+p87BTQRN +r/0cARAApvDKeVLiSazESdTY9KsSWsqoB38pvOsu25M49tEjc5TtY5LwKNckqkeR +lJ83O8dFG7UBVuGwLKaf/6OR/pe24upZ27eOOWW7sXvQNv5aXlOYfF+mjIhUINqj +q4pKDmO1c9J7h5d+auOVfzcgfotg3BVCaKn56ucjiQJ059uUMfgWTvVlibnoJ7de +Zcgt8v7VcLK9jv+P8QJHTIyDzJd+JjdjuHXqC/A37T5G9Z84x8wYrQY6mZmOIYaM +jwIKdgFeN+nLk5henARUz4MTFUW4j9hHpuyAFomDQ93/wkHZ9IEChTxdZnfvsd// +Z45vfcX9dQM+tuR8XCYThVsScI1TnwR46hi5NkfmHo3HVxwB8/owJ+FZDsTNBbJd +7AVy27Xk4L5hLe7BwLDtFMyOp4lOipCM7//mtFB9mTzqnOwiSSyTRlwGUBJkzQFW +Qa0Z6bfYwA6+y1dn19H519GW49irtl+2+W8W4N8oLriIjPvqrQOyaELFcRfV6FfL +i09HPhHVbejOqIEbOtfuN0+mjrrGAwortfTBjfw80N+W90BTvta4K2SyjHcJTkDY +ehfOo/5IMpGtDsOgvsCbDaFRnNJuYtSqQmvWk1KIPIw6CkdJtZa3+q3YA7D7ovOV +H1OBTKNdBjc+X4W8L5R9MCymXWvgiP+52Sv1VIcZmsnCBrwK490AEQEAAcLBZQQY +AQIADwUCTa/9HAIbDAUJCWYBgAAKCRCfbxwtfgRfjTY/D/9+kX8LeqBhwDdwy3ud +V67KmVmytwGMfzBHbAyBdy84X06ip/If/VkjL+2Sv5Uml/cOOzGZT7y/KEt0uXQz +gOZhGP5Y0OREf4kSzfb7tsGu3ZjTp5uJe7HiJr8uqYGfx94TQG/A3x1C7MlxOGmW +DK/Eh/eNVeNd+3yyDEzl2p7a0yUhI8LtzllVrEDX+G4rz+mdDw4tfPDqzRPzPvVt +PfqnfofHP5r2dshGe7+pCTC+o0jHWpaiFkEiIrR3PbZ9tV6+F5LzCUJJP5nepz6C +ShpLHq9ST6qZiw5ZpdznHW0kVl96YxgynJq9Y4dqD/8nOfTzdHhXXEogGvRfcxat +xeZF7YNFhUU2p+CswAjRKCUzZAz0hDAu+dJ+fw4Odx7ii8uiwhEnEHoo8rPETkXw +UK1je4MCzMRSy0Gippzk/oZ7noIml+Njas/UygavUOQm8bcPqGfWeFqvM2C7ZobL +2iV0fX/bhEmQyosiWJ0nHuKdwDYygYs/4LtZLxwiKli/lm6IDz1028j6/98Z81gG +oltXWokTYAPEgcBuhyiSLSQ1wojTVMYt9rPKMBakTzP+0FoWqoNafWOlHovP6iUB +2Igll2ZT3AvrBQ8jAbRbuUl46QpBaKsl+pBo86az0fRkMxv0N4dQv4Q7Z0g71u9N +Tpaq1vtAZOwc0kl3uGNK18PnV8LBZQQYAQIADwIbDAUCVu+raQUJDQIVTQAKCRCf +bxwtfgRfjVnYEACZ1E/FfLDi4vLUd9diImmNN/zWDHxTsO/VG3lt50rSoJM5NGB4 +RlwcbUKhah2fD44FFiIqGIvKD9hRgB51dVRIkaR3ozVtXRBKxJJqWj38wf2FDLtU +XC5/JHYb0sjAc3ad2sA9xEmEBVO1lWK3J6h4gKZiAGlWz3oeOSve3vrTKsBlP0Cu +rUeb4WTVpw4drBJD7cDh8SJ4/Cq76UFx8lW0xR+pHZHcd0/Ir5v5HnnEgbnut4Ix +eY3/CGBfQfSQHylK7ifmPWq+dflC/ZdfHY1V96EHKPM44ZLwiczoY3qp5nkmEc3B +Y6+P8Ch5gddOYaY18wpedarswnpOLQD2Xbsj66Eh0IZuuuZGyfOqJNaWbP33L27e 
+g35XQNTgyhuZmDyRKL6yAbhU74TXCCvze/kkfqDn2ouCtM8/kqLX1v0+NkBxlhZU +kTTVDyclZtwu6Vypus3+j2Zqk8sXeUZI64sjXpzwOcMZxdl3QuyxMktExWzk9Q5D +YqO+pj/YGt1vp2M0YgSUWNWCvfBcjEPFgaljyqz3BdvR/LYohnXuQL9SWObF+sIF +c9D0w/yORYQcKP5kSWVC/qwFdC61OGeSDnQ/0o0T5PefhYS82gsIrjQ+HIJ7CLUT +k7kBNljvtfpoWegH02feR0kSRoCXA6x+YHT4fmB41pW8S1V5a5dEltA/JMLBfAQY +AQIAJgIbDBYhBO36o/LKTm6wVoGvjp9vHC1+BF+NBQJZpTgKBQkRmNVuAAoJEJ9v +HC1+BF+NyNQP/A3h+cOOkYUxyKpNHdtlIfCn8db5tHXSCbE19Qi7EK1SiK5atjo+ +VoRtB+L01kH6GCx5oZjeIhUdzYFwEUsdCDgwD6r0dKFwKIGa4TFcfnx+Z5B+HZgL +Yc6ac5PEHF1qZVXZH9GSGeNw5h2yyqf4yhvetSN6L2id14m5XXJV5e7NfOgmaSnG +0Z+wQvPSiu+Q00XpENT8HFSTSCjRATjk12rpy6TPeeC52NK1gLhGDRHN0k6m+vm4 +yoC+Nd6iPQpnc+5xs7NDnq2dFuSTp7UTGebzPhhdSQgujEFuYLwzQMZu1h5amtA+ +v9j7BYEJkOMC7bm1PNNA2QQ6QfH8Hf+mJeINyJO8A5KS3ceP+eo3SLR8T0hPzu9g +ZuZ22Hn3DXQh1VNRshaLKgNvoXpL3dQ48d1SFFKhEDpy2HSXUq2fs5rH0uszFGes +G7K6EQRAYRcDrCkt9fdfkvCSxAFw9d+472xThzgKcN+MkOec+SaY+xlVULjEfCWy +RVC8Opam4mTm/XT4mVLxP/qnsy7kEhLoc/ouB+lY/ks06LpZJvCXL6WfA9You1Fi +1Mg7GhSh9JKg6X6E8Trm+N4dxJGut1xbbGmmKXqfi4pej9KlkdeM9t1df/vWKlPa +7Hzd8H0btgJx066wC4yt0ghxtsJXBsCDxWLfzaSRZ2/eP16mHqxDjsQQwsF8BBgB +CAAmAhsMFiEE7fqj8spObrBWga+On28cLX4EX40FAl3uCX0FCRmkDeEACgkQn28c +LX4EX43TQA/+JV8ReMRJCn3Cfqbe5ycFn8p6dIVnJiQuhiEyu5yzdpSkKyzcVFJO +bQcqw7s50FJuLUbxdvbcuGIaoTu7dhBoUXO5tOuIQAsKTfGfgoOgelJm+/q2h645 +EnAVINGbMDXrmo4/UFJkNjUMA6SQi/yiam7N0y58eoDC4sGmBKuN2EW2MoWahlXw +8SS1+Ab9qVBs/RqbSy6f1nJL39aPpPDmvyJOSYtHnNSFlYWVhr0zGAi5rnswlFGr +ECGbHpr5FajUK7zcmtNPbi7F30K48xfF3XnDIeIBcerrEBQMaPUZcBlddGhmSVVJ +ZU/YhR35JNgPnmp33gOuZaRiW9lauZFwsMQBIBkLpJWoUtu8QLkyC0HmJzVRep0/ +s1RkzaJ+1G1BzXTQiXaLaUQWG5h3pcMD8fxY5qp9KbG/+10bY0sRbRBXgS6mz7dd +HaBtg/E8ty2nEB1HDXA9HAHu7KlH9e96sPZjz9C46ZiOXe6ZAOk6wBYts4RG4bCQ +9pGORJ+P2Jr2pz1NZQbs1AhnjJixTsfZfsGZ5lHxGLjIyxtdGB/irLEqNTIMek2y +p4CShmWoZwN0V3aGYMe/rC4tSXG79IeKNwF3Vd5MHtB+hcJG2qztBtKQuW29rbRA +5bNxwTWe8skwOKsxXnP9RC974k0XkPS+VwgmVgNN1ewS/0oHvmEP71Q= +=Oqje +-----END PGP PUBLIC KEY BLOCK----- 
From d747677049a29cde9f4867a22b08d4ba371857ab Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 23 Jul 2021 20:01:00 +0000 Subject: [PATCH 026/139] - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- unbound.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index 68493f9..46623e1 100644 --- a/unbound.spec +++ b/unbound.spec @@ -37,7 +37,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.13.1 -Release: 7%{?extra_version:.%{extra_version}}%{?dist} +Release: 8%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -466,6 +466,9 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Fri Jul 23 2021 Fedora Release Engineering - 1.13.1-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + * Wed Jun 02 2021 Python Maint - 1.13.1-7 - Rebuilt for Python 3.10 From 0ce96eb7907e1f5d3fe58db16df5889a156b7417 Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Thu, 12 Aug 2021 17:58:22 -0400 Subject: [PATCH 027/139] - Resolves: rhbz#1992985 unbound-1.13.2 is available - Use system-wide crypto policies --- .gitignore | 2 ++ sources | 4 +-- unbound.conf | 84 +++++++++++++++++++++++++++++++++++++++------------- unbound.spec | 22 ++++---------- 4 files changed, 73 insertions(+), 39 deletions(-) diff --git a/.gitignore b/.gitignore index 1911c71..bb7787d 100644 --- a/.gitignore +++ b/.gitignore @@ -65,3 +65,5 @@ unbound-1.4.5.tar.gz /unbound-1.13.0.tar.gz.asc /unbound-1.13.1.tar.gz /unbound-1.13.1.tar.gz.asc +/unbound-1.13.2.tar.gz +/unbound-1.13.2.tar.gz.asc diff --git a/sources b/sources index c7d1af2..d54a5cf 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (unbound-1.13.1.tar.gz) = f4d26dca28dbcc33a5e65a55147fa01077c331292e88b6a87798cb6c3d4edb0515015d131fd893c92b74d22d9998a640f0adce404e6192d61ebe69a6a599287c -SHA512 (unbound-1.13.1.tar.gz.asc) = a4a943841c4db14b2d236b4b80ac80129148c42f7b3d82246b0e0150c1e3e3e294863d5c72d1ac41c2164126d1d10f9044554f97aa6d94019acb41b5f7ed7d34 +SHA512 (unbound-1.13.2.tar.gz) = 1e89441446e7a25c6a49bded645f8b348c1758c3be54e3a986041cb1f00c45d152fd469dc52666fb820574db9d51b16f1627dc8afcb9519508d4833ca358191a +SHA512 (unbound-1.13.2.tar.gz.asc) = b905f5f981361131e7a8d3403df632603304778bd7d4fffba8d113c4246d8133f26903a5af53d21b979b652cbae8f6e92620d3a262d8b2837ab8c2a5712650ee diff --git a/unbound.conf b/unbound.conf index e414f9c..4ee6d10 100644 --- a/unbound.conf +++ b/unbound.conf @@ -393,18 +393,28 @@ server: # enable to not answer version.server and version.bind queries. # hide-version: no - # NSID identity (hex string, or "ascii_somestring"). default disabled. - # nsid: "aabbccdd" + # enable to not set the User-Agent HTTP header. + # hide-http-user-agent: no # enable to not answer trustanchor.unbound queries. # hide-trustanchor: no + # enable to not set the User-Agent HTTP header. + # hide-http-user-agent: no + # the identity to report. Leave "" or default to return hostname. # identity: "" # the version to report. Leave "" or default to return package version. # version: "" + # NSID identity (hex string, or "ascii_somestring"). default disabled. + # nsid: "aabbccdd" + + # User-Agent HTTP header to use. Leave "" or default to use package name + # and version. + # http-user-agent: "" + # the target fetch policy. # series of integers describing the policy per dependency depth. # The number of values in the list determines the maximum dependency 
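Review bot: The `hide-http-user-agent` comment block is added twice in this hunk — once in place of the old `nsid` lines right after `hide-version`, and again immediately after `hide-trustanchor` — so the shipped example documents the same option twice. Drop one of the two copies of `# enable to not set the User-Agent HTTP header.` / `# hide-http-user-agent: no`; the relocated `nsid` and new `http-user-agent` entries further down are fine. This is a commented-only change with no runtime effect, but duplicated option documentation tends to be edited in one place and not the other.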
@@ -584,6 +594,10 @@ server: # val-sig-skew-min: 3600 # val-sig-skew-max: 86400 + # The maximum number the validator should restart validation with + # another authority in case of failed validation. + # val-max-restart: 5 + # Should additional section of secure message also be kept clean of # unsecure data. Useful to shield the users of this validator from # potential bogus data in the additional section. All unsigned data @@ -616,7 +630,7 @@ server: # that the expired records will be served as long as there are queries # for it. # serve-expired-ttl-reset: no - + # # TTL value to use when replying with expired data. # serve-expired-reply-ttl: 30 # @@ -642,7 +656,10 @@ server: # keysize. Keep this table very short, as linear search is done. # A message with an NSEC3 with larger count is marked insecure. # List in ascending order the keysize and count values. - # val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500" + # val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150" + + # if enabled, ZONEMD verification failures do not block the zone. + # zonemd-permissive-mode: no # instruct the auto-trust-anchor-file probing to add anchors after ttl. # add-holddown: 2592000 # 30 days @@ -795,6 +812,10 @@ server: # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" # cipher setting for TLSv1.3 # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" + # Fedora/RHEL: use system-wide crypto policies + tls-ciphers: "PROFILE=SYSTEM" + # TODO: ask system-wide crypto people what to use here + #tls-ciphersuites: "PROFILE=SYSTEM" # does not work # Pad responses to padded queries received over TLS # pad-responses: yes 
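Review bot: `tls-ciphers: "PROFILE=SYSTEM"` is the only active directive added here, so the system crypto policy now governs the pre-TLSv1.3 cipher list while `tls-ciphersuites` remains commented out under a `# TODO` that says it `does not work`, which leaves TLSv1.3 suites at whatever the OpenSSL build defaults to — and a TODO addressed to "system-wide crypto people" should not ship in /etc/unbound/unbound.conf. Replace the two TODO lines with a statement of the actual behaviour, e.g. `# TLSv1.3 ciphersuites are not set here; unbound uses the OpenSSL defaults for them`, and if the crypto-policies OpenSSL backend already constrains TLSv1.3 at the library level (not verifiable from this hunk), say that instead. The changelog line "Use system-wide crypto policies" should also mention that the coverage is partial.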
@@ -931,6 +952,13 @@ server: # ipsecmod-allow: "example.com" # ipsecmod-allow: "nlnetlabs.nl" + # Timeout for REUSE entries in milliseconds. + # tcp-reuse-timeout: 60000 + # Max number of queries on a reuse connection. + # max-reuse-tcp-queries: 200 + # Timeout in milliseconds for TCP queries to auth servers. + # tcp-auth-query-timeout: 3000 + # Python config section. To enable: # o use --with-pythonmodule to configure before compiling. # o list python in the module-config string (above) to enable. @@ -941,6 +969,17 @@ python: # Script file to load # python-script: "/etc/unbound/ubmodule-tst.py" +# Dynamic library config section. To enable: +# o use --with-dynlibmodule to configure before compiling. +# o list dynlib in the module-config string (above) to enable. +# It can be placed anywhere, the dynlib module is only a very thin wrapper +# to load modules dynamically. +# o and give a dynlib-file to run. If more than one dynlib entry is listed in +# the module-config then you need one dynlib-file per instance. +dynlib: + # Script file to load + # dynlib-file: "/etc/unbound/dynlib.so" + # Remote control config section. remote-control: # Enable remote control with unbound-control(8) here. 
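Review bot: The new `dynlib:` section is left enabled with only `dynlib-file` commented, and the comment already says the module is a thin wrapper to load shared objects dynamically, so the example should carry the caveat a practitioner needs: a library named in `dynlib-file` presumably runs inside the resolver process with its privileges. Add `# A dynlib-file runs with unbound's privileges; point it only at a root-owned, non-world-writable path.` above the `# dynlib-file:` line. Whether the Fedora build passes `--with-dynlibmodule` at all is outside this hunk, but the caveat costs nothing either way.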
@@ -1036,29 +1075,32 @@ include: /etc/unbound/conf.d/*.conf # notifies. auth-zone: name: "." + primary: 199.9.14.201 # b.root-servers.net + primary: 192.33.4.12 # c.root-servers.net + primary: 199.7.91.13 # d.root-servers.net + primary: 192.5.5.241 # f.root-servers.net + primary: 192.112.36.4 # g.root-servers.net + primary: 193.0.14.129 # k.root-servers.net + primary: 192.0.47.132 # xfr.cjr.dns.icann.org + primary: 192.0.32.132 # xfr.lax.dns.icann.org + primary: 2001:500:200::b # b.root-servers.net + primary: 2001:500:2::c # c.root-servers.net + primary: 2001:500:2d::d # d.root-servers.net + primary: 2001:500:2f::f # f.root-servers.net + primary: 2001:500:12::d0d # g.root-servers.net + primary: 2001:7fd::1 # k.root-servers.net + primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org + primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org + fallback-enabled: yes for-downstream: no for-upstream: yes - fallback-enabled: yes - master: 199.9.14.201 # b.root-servers.net - master: 192.33.4.12 # c.root-servers.net - master: 199.7.91.13 # d.root-servers.net - master: 192.5.5.241 # f.root-servers.net - master: 192.112.36.4 # g.root-servers.net - master: 193.0.14.129 # k.root-servers.net - master: 192.0.47.132 # xfr.cjr.dns.icann.org - master: 192.0.32.132 # xfr.lax.dns.icann.org - master: 2001:500:200::b # b.root-servers.net - master: 2001:500:2::c # c.root-servers.net - master: 2001:500:2d::d # d.root-servers.net - master: 2001:500:2f::f # f.root-servers.net - master: 2001:500:12::d0d # g.root-servers.net - master: 2001:7fd::1 # k.root-servers.net - master: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org - master: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org + # auth-zone: # name: "example.org" # for-downstream: yes # for-upstream: yes +# zonemd-check: no +# zonemd-reject-absence: no # zonefile: "example.org.zone" # Views diff --git a/unbound.spec b/unbound.spec index 46623e1..51ec747 100644 --- a/unbound.spec +++ b/unbound.spec 
@@ -20,13 +20,6 @@ %if 0%{?rhel} %global with_munin 0 -%if 0%{?with_python2} && 0%{?rhel} <= 6 -# needed just for EPEL -%{!?__python2: %global __python2 /usr/bin/python2} -%{!?python2_sitelib: %global python2_sitelib %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")} -%{!?python2_sitearch: %global python2_sitearch %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")} -%endif - %if 0%{?rhel} <= 7 %global with_python3 0 %else @@ -36,8 +29,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.13.1 -Release: 8%{?extra_version:.%{extra_version}}%{?dist} +Version: 1.13.2 +Release: 1%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -61,13 +54,6 @@ Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_vers # source: https://nlnetlabs.nl/people/ Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key -# Backport two fixes: -# https://github.com/NLnetLabs/unbound/commit/e0d426ebb10653a78bf5c4053198f6ac19bfcd3e -# https://github.com/NLnetLabs/unbound/pull/427 -# Fix build on Python 3.10 (rhbz#1889726). -Patch1: unbound-python310.patch -# rhbz#1935101 upstream PR https://github.com/NLnetLabs/unbound/pull/415/files -Patch2: unbound-1.13.1-rh1935101.patch BuildRequires: gcc, make BuildRequires: flex, openssl-devel @@ -466,6 +452,10 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Thu Aug 12 2021 Paul Wouters - 1.13.2-1 +- Resolves: rhbz#1992985 unbound-1.13.2 is available +- Use system-wide crypto policies + * Fri Jul 23 2021 Fedora Release Engineering - 1.13.1-8 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild From c9eef9068b34f2c23ce956f5338ae7c5ca57f989 Mon Sep 17 00:00:00 2001 
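Review bot: `Patch1: unbound-python310.patch` and `Patch2: unbound-1.13.1-rh1935101.patch` are dropped in the `@@ -61,13 +54,6 @@` hunk, presumably because 1.13.2 carries those fixes upstream, but neither the spec nor the changelog entry added in the last hunk records that; a line such as `- Drop python310 and rh1935101 patches, merged upstream in 1.13.2` would keep rhbz#1889726 and rhbz#1935101 traceable from the changelog. The changelog also claims `- Use system-wide crypto policies`, yet none of the hunks in this view touches configure flags or build options, so either that change lives in a part of the spec outside this chunk or the entry is misleading and should be reworded. The first hunk removes the EPEL6 `with_python2` macro block while keeping the `%if 0%{?rhel} <= 7` branch right after it, which is consistent with still targeting EL7 only.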
From: Sahana Prasad Date: Tue, 14 Sep 2021 19:17:21 +0200 Subject: [PATCH 028/139] Rebuilt with OpenSSL 3.0.0 --- unbound.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index 51ec747..4386a83 100644 --- a/unbound.spec +++ b/unbound.spec @@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.13.2 -Release: 1%{?extra_version:.%{extra_version}}%{?dist} +Release: 2%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -452,6 +452,9 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Tue Sep 14 2021 Sahana Prasad - 1.13.2-2 +- Rebuilt with OpenSSL 3.0.0 + * Thu Aug 12 2021 Paul Wouters - 1.13.2-1 - Resolves: rhbz#1992985 unbound-1.13.2 is available - Use system-wide crypto policies From 63ab0fcf801d16009024494c9df3bef1b0fe8e67 Mon Sep 17 00:00:00 2001 From: Adrian Reber Date: Mon, 25 Oct 2021 17:38:09 +0200 Subject: [PATCH 029/139] Rebuilt for protobuf 3.18.1 --- unbound.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index 4386a83..23a8454 100644 --- a/unbound.spec +++ b/unbound.spec @@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.13.2 -Release: 2%{?extra_version:.%{extra_version}}%{?dist} +Release: 3%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -452,6 +452,9 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Mon Oct 25 2021 Adrian Reber - 1.13.2-3 +- Rebuilt for protobuf 3.18.1 + * Tue Sep 14 2021 Sahana Prasad - 1.13.2-2 - Rebuilt with OpenSSL 3.0.0 
From b35e3fb2d27899ca27bc8ca869dd9f72b6a85c13 Mon Sep 17 00:00:00 2001 From: Adrian Reber Date: Sat, 6 Nov 2021 13:03:18 +0100 Subject: [PATCH 030/139] Rebuilt for protobuf 3.19.0 --- unbound.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index 23a8454..4858d9c 100644 --- a/unbound.spec +++ b/unbound.spec @@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.13.2 -Release: 3%{?extra_version:.%{extra_version}}%{?dist} +Release: 4%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -452,6 +452,9 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Sat Nov 06 2021 Adrian Reber - 1.13.2-4 +- Rebuilt for protobuf 3.19.0 + * Mon Oct 25 2021 Adrian Reber - 1.13.2-3 - Rebuilt for protobuf 3.18.1 From 24949785a431b0aa427b9752979a22809d567fa0 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 22 Jan 2022 03:29:59 +0000 Subject: [PATCH 031/139] - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- unbound.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index 4858d9c..f6c3d4c 100644 --- a/unbound.spec +++ b/unbound.spec @@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.13.2 -Release: 4%{?extra_version:.%{extra_version}}%{?dist} +Release: 5%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz 
@@ -452,6 +452,9 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Sat Jan 22 2022 Fedora Release Engineering - 1.13.2-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + * Sat Nov 06 2021 Adrian Reber - 1.13.2-4 - Rebuilt for protobuf 3.19.0 From 84e89add4a667f1c8e046345572a5c55cd54e318 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 29 Mar 2022 17:25:53 +0200 Subject: [PATCH 032/139] Update to 1.15.0 https://nlnetlabs.nl/projects/unbound/download/#unbound-1-15-0 - Fix #596: unset the RA bit when a query is blocked by an unbound RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to signal that a domain is externally blocked to clients when it is blocked with NXDOMAIN by unsetting RA. - Add rpz: for-downstream: yesno option, where the RPZ zone is authoritatively answered for, so the RPZ zone contents can be checked with DNS queries directed at the RPZ zone. - Merge PR #616: Update ratelimit logic. It also introduces ratelimit-backoff and ip-ratelimit-backoff configuration options. - Change aggressive-nsec default to yes. --- .gitignore | 2 ++ sources | 4 ++-- unbound.spec | 7 +++++-- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index bb7787d..8b086ad 100644 --- a/.gitignore +++ b/.gitignore @@ -67,3 +67,5 @@ unbound-1.4.5.tar.gz /unbound-1.13.1.tar.gz.asc /unbound-1.13.2.tar.gz /unbound-1.13.2.tar.gz.asc +/unbound-1.15.0.tar.gz +/unbound-1.15.0.tar.gz.asc diff --git a/sources b/sources index d54a5cf..abd4858 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (unbound-1.13.2.tar.gz) = 1e89441446e7a25c6a49bded645f8b348c1758c3be54e3a986041cb1f00c45d152fd469dc52666fb820574db9d51b16f1627dc8afcb9519508d4833ca358191a -SHA512 (unbound-1.13.2.tar.gz.asc) = b905f5f981361131e7a8d3403df632603304778bd7d4fffba8d113c4246d8133f26903a5af53d21b979b652cbae8f6e92620d3a262d8b2837ab8c2a5712650ee +SHA512 (unbound-1.15.0.tar.gz) = c5dab305694c14f64e05080700bb52f6e6bf5b76f15e1fde34e35c932cb3ffed0de2c03b570cf4bfe18165cb10e82e67ee9b12c6583295380f88c2c03800cc1f +SHA512 (unbound-1.15.0.tar.gz.asc) = 123818a855689ee3d402fd8f4b5a4646c08d5602e4544ce872d132c4c0de4a79c9efcc2d49324bf58ab06521f02deef795d89bdf632eee758e6ec36b408ea54a diff --git a/unbound.spec b/unbound.spec index f6c3d4c..76312a2 100644 --- a/unbound.spec +++ b/unbound.spec @@ -29,8 +29,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.13.2 -Release: 5%{?extra_version:.%{extra_version}}%{?dist} +Version: 1.15.0 +Release: 1%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -452,6 +452,9 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Tue Mar 29 2022 Petr Menšík - 1.15.0-1 +- Update to 1.15.0 (#2030608) + * Sat Jan 22 2022 Fedora Release Engineering - 1.13.2-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild From c469ecef1546594729359c39d744e692e37f545e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 29 Mar 2022 17:28:39 +0200 Subject: [PATCH 033/139] Import few changes to configuration --- unbound.conf | 47 +++++++++++++++++++++++++---------------------- 1 file changed, 25 insertions(+), 22 deletions(-) diff --git a/unbound.conf b/unbound.conf index 4ee6d10..977d39f 100644 --- a/unbound.conf +++ b/unbound.conf 
@@ -98,14 +98,14 @@ server: # num-queries-per-thread, or, use as many as the OS will allow you. # outgoing-range: 4096 - # permit unbound to use this port number or port range for + # permit Unbound to use this port number or port range for # making outgoing queries, using an outgoing interface. # Only ephemeral ports are allowed by SElinux outgoing-port-permit: 32768-60999 - # deny unbound the use this of port number or port range for + # deny Unbound the use this of port number or port range for # making outgoing queries, using an outgoing interface. - # Use this to make sure unbound does not grab a UDP port that some + # Use this to make sure Unbound does not grab a UDP port that some # other server on this computer needs. The default is to avoid # IANA-assigned port numbers. # If multiple outgoing-port-permit and outgoing-port-avoid options @@ -238,7 +238,7 @@ server: # do-ip6: yes # Enable UDP, "yes" or "no". - # NOTE: if setting up an unbound on tls443 for public use, you might want to + # NOTE: if setting up an Unbound on tls443 for public use, you might want to # disable UDP to avoid being used in DNS amplification attacks. # do-udp: yes @@ -275,7 +275,7 @@ server: # use-systemd: no # Detach from the terminal, run in background, "yes" or "no". - # Set the value to "no" when unbound runs as systemd service. + # Set the value to "no" when Unbound runs as systemd service. # do-daemonize: yes # control which clients are allowed to make (recursive) queries @@ -328,7 +328,7 @@ server: # The pid file can be absolute and outside of the chroot, it is # written just prior to performing the chroot and dropping permissions. # - # Additionally, unbound may need to access /dev/urandom (for entropy). + # Additionally, Unbound may need to access /dev/urandom (for entropy). # How to do this is specific to your OS. # # If you give "" no chroot is performed. The path must not end in a /. 
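Review bot: The rewritten comment `# deny Unbound the use this of port number or port range for` in the first hunk keeps the pre-existing word-order error while the line is being edited anyway; it should read `# deny Unbound the use of this port number or port range for`. The remaining hunks in this commit only recapitalize "unbound" in comments and change nothing the daemon reads.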
@@ -542,7 +542,7 @@ server: # Use several entries, one per domain name, to track multiple zones. # # If you want to perform DNSSEC validation, run unbound-anchor before - # you start unbound (i.e. in the system boot scripts). And enable: + # you start Unbound (i.e. in the system boot scripts). And enable: # Please note usage of unbound-anchor root anchor is at your own risk # and under the terms of our LICENSE (see that file in the source). # auto-trust-anchor-file: "/var/lib/unbound/root.key" @@ -613,7 +613,7 @@ server: val-permissive-mode: no # Ignore the CD flag in incoming queries and refuse them bogus data. - # Enable it if the only clients of unbound are legacy servers (w2008) + # Enable it if the only clients of Unbound are legacy servers (w2008) # that set CD but cannot validate themselves. # ignore-cd-flag: no @@ -643,7 +643,7 @@ server: # Return the original TTL as received from the upstream name server rather # than the decrementing TTL as stored in the cache. Enabling this feature - # does not impact cache expiry, it only changes the TTL unbound embeds in + # does not impact cache expiry, it only changes the TTL Unbound embeds in # responses to queries. Note that enabling this feature implicitly disables # enforcement of the configured minimum and maximum TTL. # serve-original-ttl: no @@ -736,9 +736,9 @@ server: # Add example.com into ipset # local-zone: "example.com" ipset - # If unbound is running service for the local host then it is useful + # If Unbound is running service for the local host then it is useful # to perform lan-wide lookups to the upstream, and unblock the - # long list of local-zones above. If this unbound is a dns server + # long list of local-zones above. If this Unbound is a dns server # for a network of computers, disabled is better and stops information # leakage of local lan information. # unblock-lan-zones: no 
@@ -922,7 +922,7 @@ server: # the number of servers that will be used in the fast server selection. # fast-server-num: 3 - # Specific options for ipsecmod. unbound needs to be configured with + # Specific options for ipsecmod. Unbound needs to be configured with # --enable-ipsecmod for these to take effect. # # Enable or disable ipsecmod (it still needs to be defined in @@ -936,7 +936,7 @@ server: # ipsecmod-hook: "./my_executable" ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook - # When enabled unbound will reply with SERVFAIL if the return value of + # When enabled Unbound will reply with SERVFAIL if the return value of # the ipsecmod-hook is not 0. # ipsecmod-strict: no # @@ -1005,10 +1005,10 @@ remote-control: # For local sockets this option is ignored, and TLS is not used. control-use-cert: "no" - # unbound server key file. + # Unbound server key file. server-key-file: "/etc/unbound/unbound_server.key" - # unbound server certificate file. + # Unbound server certificate file. server-cert-file: "/etc/unbound/unbound_server.pem" # unbound-control key file. @@ -1125,7 +1125,7 @@ auth-zone: # # DNSCrypt # Caveats: -# 1. the keys/certs cannot be produced by unbound. You can use dnscrypt-wrapper +# 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper # for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage # 2. dnscrypt channel attaches to an interface. you MUST set interfaces to # listen on `dnscrypt-port` with the follo0wing snippet: @@ -1165,7 +1165,7 @@ auth-zone: # IPSet # Add specify domain into set via ipset. -# Note: To enable ipset unbound needs to run as root user. +# Note: To enable ipset Unbound needs to run as root user. # ipset: # # set name for ip v4 addresses # name-v4: "list-v4" 
@@ -1188,7 +1188,7 @@ auth-zone: # dnstap-tls: yes # # name for authenticating the upstream server. or "" disabled. # dnstap-tls-server-name: "" -# # if "", it uses the cert bundle from the main unbound config. +# # if "", it uses the cert bundle from the main Unbound config. # dnstap-tls-cert-bundle: "" # # key file for client authentication, or "" disabled. # dnstap-tls-client-key-file: "" @@ -1208,10 +1208,11 @@ auth-zone: # dnstap-log-forwarder-response-messages: no # Response Policy Zones -# RPZ policies. Applied in order of configuration. QNAME and Response IP -# Address trigger are the only supported triggers. Supported actions are: -# NXDOMAIN, NODATA, PASSTHRU, DROP and Local Data. Policies can be loaded from -# file, using zone transfer, or using HTTP. The respip module needs to be added +# RPZ policies. Applied in order of configuration. QNAME, Response IP +# Address, nsdname, nsip and clientip triggers are supported. Supported +# actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp-only +# and drop. Policies can be loaded from a file, or using zone +# transfer, or using HTTP. The respip module needs to be added # to the module-config, e.g.: module-config: "respip validator iterator". # rpz: # name: "rpz.example.com" @@ -1223,4 +1224,6 @@ auth-zone: # rpz-cname-override: www.example.org # rpz-log: yes # rpz-log-name: "example policy" +# rpz-signal-nxdomain-ra: no +# for-downstream: no # tags: "example" From e00e1b55bb9eab2d4abc94751865e11aa339896e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Wed, 20 Apr 2022 21:06:56 +0200 Subject: [PATCH 034/139] Update icann bundle, fix spec errors rpmlint detects several errors, fix some detected issues. --- icannbundle.pem | 216 ------------------------------------------------ unbound.spec | 15 ++-- 2 files changed, 9 insertions(+), 222 deletions(-) diff --git a/icannbundle.pem b/icannbundle.pem index d76ce0b..ceeef5b 100644 --- a/icannbundle.pem +++ b/icannbundle.pem 
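Review bot: The new action list `# actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp-only` / `# and drop.` names DROP twice, once upper- and once lower-case, which reads as two distinct actions; if the lower-case one is not a separate action it should be removed, and if it is, the comment should say how it differs. The example block in the last hunk adds `# rpz-signal-nxdomain-ra: no` and `# for-downstream: no` without a word on what they do, whereas the 1.15.0 commit message earlier in this series explains both; a one-line comment above each, e.g. `# unset RA in NXDOMAIN replies so clients can tell the name was blocked by policy` and `# answer queries for the RPZ zone itself (exposes the policy contents to clients)`, would carry that into the shipped config. Keeping `for-downstream` at `no` in the example is the right default, since `yes` makes the whole blocklist queryable.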
@@ -1,59 +1,3 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 1 (0x1) - Signature Algorithm: sha256WithRSAEncryption - Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US - Validity - Not Before: Dec 23 04:19:12 2009 GMT - Not After : Dec 18 04:19:12 2029 GMT - Subject: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public Key: (2048 bit) - Modulus (2048 bit): - 00:a0:db:70:b8:4f:34:da:9c:d4:d0:7e:bb:ea:15: - bc:e9:c9:11:2a:1f:61:2f:6a:b9:bd:3f:3d:76:a0: - 9a:0a:f7:ee:93:6e:6e:55:53:84:8c:f2:2c:f1:82: - 27:c8:0f:9a:cf:52:1b:54:da:28:d2:2c:30:8e:dd: - fb:92:20:33:2d:d6:c8:f1:0e:10:21:88:71:fa:84: - 22:4b:5d:47:56:16:7c:9b:9f:5d:c3:11:79:9c:14: - e2:ff:c0:74:ac:dd:39:d7:e0:38:d8:b0:73:aa:fb: - d1:db:84:af:52:22:a8:f6:d5:9b:94:f4:e6:5d:5e: - e8:3f:87:90:0b:c7:1a:77:f5:2e:d3:8f:1a:ce:02: - 1d:07:69:21:47:32:da:46:ae:00:4c:b6:a5:a2:9c: - 39:c1:c0:4a:f6:d3:1c:ae:d3:6d:bb:c7:18:f0:7e: - ed:f6:80:ce:d0:01:2e:89:de:12:ba:ee:11:cb:a6: - 7a:d7:0d:7c:f3:08:8d:72:9d:bf:55:75:13:70:bb: - 31:22:4a:cb:e8:c0:aa:a4:09:aa:36:68:40:60:74: - 9d:e7:19:81:43:22:52:fe:c9:2b:52:0f:41:13:36: - 09:72:65:95:cc:89:ae:6f:56:17:16:34:73:52:a3: - 04:ed:bd:88:82:8a:eb:d7:dc:82:52:9c:06:e1:52: - 85:41 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Key Usage: critical - Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign - X509v3 Subject Key Identifier: - BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 - Signature Algorithm: sha256WithRSAEncryption - 0f:f1:e9:82:a2:0a:87:9f:2d:94:60:5a:b2:c0:4b:a1:2f:2b: - 3b:47:d5:0a:99:86:38:b2:ec:c6:3b:89:e4:6e:07:cf:14:c7: - c7:e8:cf:99:8f:aa:30:c3:19:70:b9:e6:6d:d6:3f:c8:68:26: - b2:a0:a5:37:42:ca:d8:62:80:d1:a2:5a:48:2e:1f:85:3f:0c: - 7b:c2:c7:94:11:5f:19:2a:95:ac:a0:3a:03:d8:91:5b:2e:0d: - 
9c:7c:1f:2e:fc:e9:44:e1:16:26:73:1c:45:4a:65:c1:83:4c: - 90:f3:f2:28:42:df:db:c4:e7:04:12:18:62:43:5e:bc:1f:6c: - 84:e6:bc:49:32:df:61:d7:99:ee:e4:90:52:7b:0a:c2:91:8a: - 98:62:66:b1:c8:e0:b7:5a:b5:46:7c:76:71:54:8e:cc:a4:81: - 5c:19:db:d2:6f:66:b5:bb:2b:ae:6b:c9:74:04:a8:24:de:e8: - c5:d3:fc:2c:1c:d7:8f:db:6a:8d:c9:53:be:5d:50:73:ac:cf: - 1f:93:c0:52:50:5b:a2:4f:fe:ad:65:36:17:46:d1:2d:e5:a2: - 90:66:05:db:29:4e:5d:50:5d:e3:4f:da:a0:8f:f0:6b:e4:16: - 70:dd:7f:f3:77:7d:b9:4e:f9:ec:c3:33:02:d7:e9:63:2f:31: - e7:40:61:a4 -----BEGIN CERTIFICATE----- MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV 
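Review bot: Dropping the openssl text dump leaves the bundle with no human-readable record of what each certificate is, so a reviewer of the next update can no longer see subject or validity (the removed text showed the root CA expiring Dec 18 2029) without running openssl on the file. The previous file demonstrates that text outside the BEGIN/END markers is tolerated by the consumer, so a one-line header per certificate, e.g. `Subject: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US (expires 2029-12-18)`, keeps that visible at no cost. The same applies to the second hunk (`@@ -75,163 +19,3 @@`).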
@@ -75,163 +19,3 @@ DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH 0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk -----END CERTIFICATE----- -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 11 (0xb) - Signature Algorithm: sha256WithRSAEncryption - Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US - Validity - Not Before: Nov 8 23:39:47 2016 GMT - Not After : Nov 6 23:39:47 2026 GMT - Subject: O=ICANN, CN=ICANN EMAIL CA - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public Key: (2048 bit) - Modulus (2048 bit): - 00:d2:19:1e:22:69:33:f6:a4:d2:76:c5:80:11:75: - 8e:d0:e8:6f:bf:89:f8:2a:6a:da:8a:85:28:40:ba: - c5:23:5f:47:ed:72:e2:8e:d3:5c:c8:8a:3a:99:a9: - 57:2c:0a:2b:22:f3:54:7b:8b:f7:8c:21:a2:50:01: - 4f:8b:af:34:df:72:fc:78:31:d0:1d:eb:bc:9b:e6: - fa:c1:84:d0:05:07:8a:74:53:a5:60:9e:eb:75:9e: - a8:5d:32:c8:02:32:e4:bf:cb:97:9b:7a:fa:2c:f6: - 6a:1d:b8:57:ad:e3:03:22:93:d0:f4:4f:a8:b8:01: - db:82:33:98:b6:87:ed:3d:67:40:00:27:2e:d5:95: - d2:ad:36:46:14:c6:17:79:65:7f:65:f3:88:80:65: - 7c:22:67:08:23:3c:cf:a5:10:38:72:30:97:92:6f: - 20:4a:ba:24:4c:4a:c8:4a:a5:dc:2a:44:a1:29:78: - b4:9f:fe:84:ff:27:5b:3a:72:ea:31:c1:ad:06:22: - d6:44:a0:4a:57:32:9c:f2:46:47:d0:89:6e:20:23: - 2c:ea:b0:83:7e:c1:f3:ea:da:dd:e3:63:59:97:21: - fa:1b:11:39:27:cf:82:8b:56:15:d4:36:92:0c:a5: - 7e:80:e0:18:c9:50:08:42:0a:df:97:3c:9c:b8:0a: - 4d:b1 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - X509v3 Authority Key Identifier: - keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 - - X509v3 Subject Key Identifier: - 7B:3F:BA:CE:A1:B3:A6:13:2E:5A:82:84:D4:D2:EA:A5:24:F1:CD:B4 - Signature Algorithm: sha256WithRSAEncryption - 0e:8a:c9:ea:6f:9c:e9:23:b6:9c:a6:a4:c2:d1:b1:ee:25:18: - 24:2b:79:d4:a8:f2:99:b9:5c:91:4d:e6:2b:32:2e:01:f5:87: - 
95:64:fc:6d:f1:87:fa:24:b4:43:4b:49:f3:84:54:44:eb:af: - 41:ab:49:ab:c8:b7:32:6c:14:83:5b:d7:2c:41:f9:89:d5:c4: - 2b:9a:55:c5:b6:ad:17:d5:4d:bc:41:58:56:72:0d:db:b7:7d: - 57:c6:a2:9c:7e:6b:67:ae:26:f8:26:45:bb:c4:95:2e:ea:71: - e3:b4:7a:69:95:a4:8a:80:f8:59:dc:88:6e:e1:a7:fc:bb:8e: - b2:aa:a8:b6:1b:2f:2c:97:a5:12:d5:82:ae:a0:e8:a6:15:fd: - d1:e0:5d:e4:84:b1:76:db:0a:e2:ca:58:2e:d3:df:48:4e:46: - ac:c6:35:79:17:99:ce:e9:be:2c:e4:c2:50:ff:5b:96:15:cd: - 64:ac:1b:db:fe:d2:ac:43:61:c8:5f:ee:24:b6:a4:3b:d2:ff: - 0a:f4:0c:88:58:a1:9d:a4:c1:1f:6a:6c:67:90:98:e8:1f:5e: - 2d:55:60:91:26:2a:b1:66:80:e4:e6:0e:05:2c:75:a9:ca:0b: - e4:a0:8f:e1:47:a8:8f:61:5d:7c:ce:09:60:88:48:c3:46:bf: - be:7e:36:be ------BEGIN CERTIFICATE----- -MIIDZDCCAkygAwIBAgIBCzANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO -TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV -BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTE2MTEwODIzMzk0N1oX -DTI2MTEwNjIzMzk0N1owKTEOMAwGA1UEChMFSUNBTk4xFzAVBgNVBAMTDklDQU5O -IEVNQUlMIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0hkeImkz -9qTSdsWAEXWO0Ohvv4n4KmraioUoQLrFI19H7XLijtNcyIo6malXLAorIvNUe4v3 -jCGiUAFPi68033L8eDHQHeu8m+b6wYTQBQeKdFOlYJ7rdZ6oXTLIAjLkv8uXm3r6 -LPZqHbhXreMDIpPQ9E+ouAHbgjOYtoftPWdAACcu1ZXSrTZGFMYXeWV/ZfOIgGV8 -ImcIIzzPpRA4cjCXkm8gSrokTErISqXcKkShKXi0n/6E/ydbOnLqMcGtBiLWRKBK -VzKc8kZH0IluICMs6rCDfsHz6trd42NZlyH6GxE5J8+Ci1YV1DaSDKV+gOAYyVAI -QgrflzycuApNsQIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE -AwIBBjAfBgNVHSMEGDAWgBS6UulJgySGUi/Hmc38jWtpCE3AUDAdBgNVHQ4EFgQU -ez+6zqGzphMuWoKE1NLqpSTxzbQwDQYJKoZIhvcNAQELBQADggEBAA6KyepvnOkj -tpympMLRse4lGCQredSo8pm5XJFN5isyLgH1h5Vk/G3xh/oktENLSfOEVETrr0Gr -SavItzJsFINb1yxB+YnVxCuaVcW2rRfVTbxBWFZyDdu3fVfGopx+a2euJvgmRbvE -lS7qceO0emmVpIqA+FnciG7hp/y7jrKqqLYbLyyXpRLVgq6g6KYV/dHgXeSEsXbb -CuLKWC7T30hORqzGNXkXmc7pvizkwlD/W5YVzWSsG9v+0qxDYchf7iS2pDvS/wr0 -DIhYoZ2kwR9qbGeQmOgfXi1VYJEmKrFmgOTmDgUsdanKC+Sgj+FHqI9hXXzOCWCI -SMNGv75+Nr4= ------END CERTIFICATE----- -Certificate: - Data: - Version: 3 (0x2) - 
Serial Number: 10 (0xa) - Signature Algorithm: sha256WithRSAEncryption - Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US - Validity - Not Before: Nov 8 23:38:16 2016 GMT - Not After : Nov 6 23:38:16 2026 GMT - Subject: O=ICANN, CN=ICANN SSL CA - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public Key: (2048 bit) - Modulus (2048 bit): - 00:dd:c6:ab:bf:7c:66:9d:b3:2b:96:00:14:c7:60: - 7a:8d:62:5b:26:4b:30:d7:b3:4c:82:69:c6:4d:4d: - 73:f3:d4:91:21:5d:ab:35:f0:c8:04:0e:f4:a3:35: - e2:e1:18:a9:98:12:03:58:f8:9f:eb:77:54:5b:89: - 81:26:c9:aa:c2:f4:c9:0c:82:57:2a:5e:05:e9:61: - 17:cc:19:18:71:eb:35:83:c1:86:9d:ec:f1:6b:ca: - dd:a1:96:0b:95:d4:e1:0f:9e:24:6f:dc:3c:d0:28: - 9e:f2:53:47:2b:a1:ad:32:03:c8:3f:0d:80:80:7d: - f0:02:d2:6e:5a:2c:44:21:9b:09:50:15:3f:a1:3d: - d3:c9:c8:24:e7:ea:4e:92:2f:94:90:2e:de:e7:68: - f6:c6:b3:90:1f:bc:c9:7b:a2:65:d7:11:e9:8b:f0: - 3a:5a:b7:17:07:df:69:e3:6e:b9:54:6a:8e:3a:aa: - 94:7f:2c:0a:a1:ad:ba:b7:d9:60:62:27:a7:71:40: - 3b:8e:b0:84:7b:b8:c8:67:ef:66:ba:3d:ac:c3:85: - e5:86:bb:a7:9c:fd:b6:e1:c0:10:53:3d:d4:7e:1b: - 09:e6:9f:22:5c:a7:27:09:7e:27:12:33:fa:df:9b: - 20:2f:14:f7:17:c0:e4:1e:07:91:1f:f9:9a:cd:a8: - e2:c5 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - X509v3 Authority Key Identifier: - keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 - - X509v3 Subject Key Identifier: - 6E:77:A8:40:10:4A:D8:9C:0C:F2:B7:5A:3A:A5:2F:79:4A:61:14:D8 - Signature Algorithm: sha256WithRSAEncryption - 47:46:4f:c7:5f:46:e3:d1:dc:fc:2b:f8:fc:65:ce:36:b1:f4: - 5f:ee:14:75:a3:d9:5f:de:75:4b:fa:7b:88:9f:10:8c:2e:97: - cc:35:1b:ce:24:d3:36:60:95:d5:ae:11:b6:3f:8b:f4:12:69: - 85:b5:3b:2a:b6:ab:7a:81:85:c2:55:57:ed:d0:b5:e7:4f:54: - 37:51:24:c9:d5:07:3a:ef:b6:c5:1a:3e:14:29:a7:a6:f8:08: - 2a:0b:26:79:f9:62:85:4a:e5:ea:90:ca:71:38:16:91:4e:7e: - 
fd:e3:b3:f3:55:8f:5a:d0:86:cf:33:94:88:f1:90:99:cb:81: - e2:81:92:68:2f:c3:61:d5:52:8d:e6:9a:5b:00:83:42:27:88: - f6:d9:fa:d1:bc:bb:b0:bc:b5:14:0b:4e:1a:54:ef:fa:d6:9d: - c4:0c:fc:ed:15:ab:21:4b:45:b5:d9:3b:ed:3c:d5:1e:2e:7a: - 83:6f:24:45:d4:4c:b4:ef:60:43:18:d0:84:5d:16:7b:f5:50: - 80:b1:a9:c2:8f:3b:c8:90:08:fd:aa:17:13:19:38:19:d1:8e: - 85:7c:1e:57:16:8c:f9:8a:e8:29:25:38:cd:bb:55:8e:4a:6a: - 6f:e5:7d:fc:d7:55:d6:ae:38:07:96:c1:97:ff:e5:2b:4f:99: - 2d:70:f2:08 ------BEGIN CERTIFICATE----- -MIIDYjCCAkqgAwIBAgIBCjANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO -TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV -BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTE2MTEwODIzMzgxNloX -DTI2MTEwNjIzMzgxNlowJzEOMAwGA1UEChMFSUNBTk4xFTATBgNVBAMTDElDQU5O -IFNTTCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN3Gq798Zp2z -K5YAFMdgeo1iWyZLMNezTIJpxk1Nc/PUkSFdqzXwyAQO9KM14uEYqZgSA1j4n+t3 -VFuJgSbJqsL0yQyCVypeBelhF8wZGHHrNYPBhp3s8WvK3aGWC5XU4Q+eJG/cPNAo -nvJTRyuhrTIDyD8NgIB98ALSblosRCGbCVAVP6E908nIJOfqTpIvlJAu3udo9saz -kB+8yXuiZdcR6YvwOlq3FwffaeNuuVRqjjqqlH8sCqGturfZYGInp3FAO46whHu4 -yGfvZro9rMOF5Ya7p5z9tuHAEFM91H4bCeafIlynJwl+JxIz+t+bIC8U9xfA5B4H -kR/5ms2o4sUCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC -AQYwHwYDVR0jBBgwFoAUulLpSYMkhlIvx5nN/I1raQhNwFAwHQYDVR0OBBYEFG53 -qEAQSticDPK3WjqlL3lKYRTYMA0GCSqGSIb3DQEBCwUAA4IBAQBHRk/HX0bj0dz8 -K/j8Zc42sfRf7hR1o9lf3nVL+nuInxCMLpfMNRvOJNM2YJXVrhG2P4v0EmmFtTsq -tqt6gYXCVVft0LXnT1Q3USTJ1Qc677bFGj4UKaem+AgqCyZ5+WKFSuXqkMpxOBaR -Tn7947PzVY9a0IbPM5SI8ZCZy4HigZJoL8Nh1VKN5ppbAINCJ4j22frRvLuwvLUU -C04aVO/61p3EDPztFashS0W12TvtPNUeLnqDbyRF1Ey072BDGNCEXRZ79VCAsanC -jzvIkAj9qhcTGTgZ0Y6FfB5XFoz5iugpJTjNu1WOSmpv5X3811XWrjgHlsGX/+Ur -T5ktcPII ------END CERTIFICATE----- diff --git a/unbound.spec b/unbound.spec index 76312a2..4b63e23 100644 --- a/unbound.spec +++ b/unbound.spec 
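Review bot: Besides the text dumps, this hunk removes two whole certificates, the ICANN EMAIL CA (serial 11) and ICANN SSL CA (serial 10) intermediates issued by the root, so the bundle now holds only the ICANN Root CA; neither the commit message ("Update icann bundle, fix spec errors") nor the changelog entry `- Update icannbundle.pem` says that the intermediates were dropped or why. Their visible `Not After: Nov 6 ... 2026` dates show they were still valid, so expiry was not the reason. If `unbound-anchor` needs one of them to chain the root-anchors signature to the root, trust-anchor refresh would start failing once this package is installed, so the commit should state that the root-only bundle was tested against `unbound-anchor` and record where and when the new bundle was obtained.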
@@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.15.0 -Release: 1%{?extra_version:.%{extra_version}}%{?dist} +Release: 2%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -310,7 +310,7 @@ do echo ".so man3/libunbound.3" > %{buildroot}%{_mandir}/man3/$mpage ; done -mkdir -p %{buildroot}%{_localstatedir}/run/unbound +mkdir -p %{buildroot}%{_rundir}/unbound # Install directories for easier config file drop in @@ -334,7 +334,6 @@ useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \ %systemd_post unbound-keygen.service %post libs -%{?ldconfig} %systemd_post unbound-anchor.timer # start the timer only if installing the package to prevent starting it, if it was stopped on purpose if [ "$1" -eq 1 ]; then @@ -354,7 +353,6 @@ fi %systemd_postun unbound-keygen.service %postun libs -%{?ldconfig} %systemd_postun_with_restart unbound-anchor.timer %check @@ -381,7 +379,7 @@ popd %doc doc/CREDITS doc/FEATURES %{_unitdir}/%{name}.service %{_unitdir}/%{name}-keygen.service -%attr(0755,unbound,unbound) %dir %{_localstatedir}/run/%{name} +%attr(0755,unbound,unbound) %dir %{_rundir}/%{name} %attr(0644,root,root) %{_tmpfilesdir}/unbound.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name} @@ -443,7 +441,9 @@ popd %{_sbindir}/unbound-anchor %{_libdir}/libunbound.so.* %{_mandir}/man8/unbound-anchor* -%{_sysconfdir}/%{name}/icannbundle.pem +# icannbundle and root.key(s) should be replaced from package +# intentionally not using noreplace +%config %{_sysconfdir}/%{name}/icannbundle.pem %{_unitdir}/unbound-anchor.timer %{_unitdir}/unbound-anchor.service %dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name} 
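Review bot: `%{?ldconfig}` is removed from both `%post libs` and `%postun libs`, which is correct where the glibc ldconfig file trigger exists, but the spec still carries an `%if 0%{?rhel} <= 7` branch (visible in the 1.13.2 update earlier in this series) and EL7's rpm has no file triggers, so on such a build nothing would run ldconfig after the shared library is installed. If EL7 builds are still a goal, keep the calls under that conditional; otherwise the EL7 branch should go too, and the next commit's `post[iu]n-without-ldconfig` rpmlint filter then documents a deliberate choice rather than hiding a regression. The `%config %{_sysconfdir}/%{name}/icannbundle.pem` change is fine; the new comment could add that rpm saves a locally modified copy as `.rpmsave` on upgrade, so the intentional overwrite is recoverable.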
@@ -452,6 +452,9 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Wed Apr 20 2022 Petr Menšík - 1.15.0-2 +- Update icannbundle.pem + * Tue Mar 29 2022 Petr Menšík - 1.15.0-1 - Update to 1.15.0 (#2030608) From c7f8c027aaf1b6a965d8498fe1897941ad31617a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Wed, 20 Apr 2022 21:47:30 +0200 Subject: [PATCH 035/139] Add lint exceptions to avoid errors on updates Fixed something, others are just unimportant warnings. --- unbound.rpmlintrc | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 unbound.rpmlintrc diff --git a/unbound.rpmlintrc b/unbound.rpmlintrc new file mode 100644 index 0000000..05dce51 --- /dev/null +++ b/unbound.rpmlintrc 
@@ -0,0 +1,30 @@
+addFilter(r'crypto-policy-non-compliance-openssl')
+
+# Ignore generated certificates
+addFilter(r'non-readable /etc/unbound/unbound_control.key')
+addFilter(r'non-readable /etc/unbound/unbound_control.pem')
+addFilter(r'non-readable /etc/unbound/unbound_server.key')
+addFilter(r'non-readable /etc/unbound/unbound_server.pem')
+
+addFilter(r'non-standard-gid /etc/unbound/unbound_control.pem')
+addFilter(r'non-standard-gid /etc/unbound/unbound_control.key')
+addFilter(r'non-standard-gid /etc/unbound/unbound_server.pem')
+addFilter(r'non-standard-gid /etc/unbound/unbound_server.key')
+
+# Yes, it is indeed certificate
+addFilter(r'pem-certificate /etc/unbound/icannbundle.pem')
+
+# These files are intentionally replaceable.
+addFilter(r'conffile-without-noreplace-flag /etc/unbound/icannbundle.pem')
+addFilter(r'conffile-without-noreplace-flag /etc/unbound/root.key')
+addFilter(r'conffile-without-noreplace-flag /var/lib/unbound/root.key')
+
+# ldconfig is no longer required
+addFilter(r'post[iu]n-without-ldconfig /usr/lib64/libunbound.so')
+
+# Ignore unbound owned files
+addFilter(r'non-standard-[ug]id (/var/lib|/etc|/run)/unbound')
+
+# Ignore spelling errors
+addFilter(r'spelling-error %description -l en_US ep ')
+addFilter(r'spelling-error %description -l en_US resolvers ')
From 9038e97724a06d1b53373fcfbd1120ed4e93f16c Mon Sep 17 00:00:00 2001
From: Petr Sklenar Date: Thu, 24 Mar 2022 10:42:19 +0100 Subject: [PATCH 036/139] Adding fmf plan
---
.fmf/version | 1 + ci.fmf | 1 + gating.yaml | 16 ++++++++++++++++ plans/all.fmf | 7 +++++++ plans/tier1-public.fmf | 7 +++++++ 5 files changed, 32 insertions(+) create mode 100644 .fmf/version create mode 100644 ci.fmf create mode 100644 gating.yaml create mode 100644 plans/all.fmf create mode 100644 plans/tier1-public.fmf
diff --git a/.fmf/version b/.fmf/version
new file mode 100644
index 0000000..d00491f
--- /dev/null
+++ b/.fmf/version
@@ -0,0 +1 @@
+1
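Review bot: `addFilter(r'crypto-policy-non-compliance-openssl')` on the first line is the only filter in the file without a justifying comment, and it silences exactly the rpmlint check that would confirm the `- Use system-wide crypto policies` claim made in the 1.13.2 changelog earlier in this series; either state why it is a false positive, e.g. `# false positive: <reason the build honours the system policy>` (placeholder, fill in the real reason), or drop the filter and fix the finding. The `non-readable` and `non-standard-gid` filters for `unbound_control.key` / `unbound_server.key` are correct, since private keys must not be world-readable, and the comment `# Ignore generated certificates` could say so, as "certificates" describes the `.pem` files but the `.key` files are the sensitive ones. `# ldconfig is no longer required` matches the scriptlet removal in the previous commit but only holds on releases whose rpm has the ldconfig file trigger.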
diff --git a/ci.fmf b/ci.fmf
new file mode 100644
index 0000000..c5aa0e0
--- /dev/null
+++ b/ci.fmf
@@ -0,0 +1 @@
+resultsdb-testcase: separate
diff --git a/gating.yaml b/gating.yaml
new file mode 100644
index 0000000..e4c04e7
--- /dev/null
+++ b/gating.yaml
@@ -0,0 +1,16 @@
+--- !Policy
+product_versions:
+ - fedora-*
+decision_contexts: [bodhi_update_push_testing]
+subject_type: koji_build
+rules:
+ - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional}
+
+#gating rawhide
+--- !Policy
+product_versions:
+ - fedora-*
+decision_contexts: [bodhi_update_push_stable]
+subject_type: koji_build
+rules:
+ - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional}
diff --git a/plans/all.fmf b/plans/all.fmf
new file mode 100644
index 0000000..cd001bd
--- /dev/null
+++ b/plans/all.fmf
@@ -0,0 +1,7 @@
+summary: Test plan with all Fedora tests
+discover:
+ how: fmf
+ url: https://src.fedoraproject.org/tests/unbound.git
+execute:
+ how: tmt
+
diff --git a/plans/tier1-public.fmf b/plans/tier1-public.fmf
new file mode 100644
index 0000000..10f167c
--- /dev/null
+++ b/plans/tier1-public.fmf
@@ -0,0 +1,7 @@
+summary: Public (Fedora) Tier1 beakerlib tests
+discover:
+ how: fmf
+ url: https://src.fedoraproject.org/tests/unbound.git
+ filter: 'tier: 1'
+execute:
+ how: tmt
From 2bc40de8691706c26cad2a96de3456754a491921 Mon Sep 17 00:00:00 2001
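Review bot: The comment `#gating rawhide` before the second `--- !Policy` document in gating.yaml does not match its content: that policy applies to `fedora-*` under `decision_contexts: [bodhi_update_push_stable]`, the same product set as the first document, so it gates stable pushes for every Fedora release rather than rawhide; either change the comment to `# gating stable pushes` (with a space after `#`) or narrow `product_versions` to what the comment describes. In plans/all.fmf the final `+` line adds a trailing blank line that plans/tier1-public.fmf does not have. Both plans discover tests from `https://src.fedoraproject.org/tests/unbound.git` with no `ref:` pinned, so whatever is on the default branch runs at gating time; that is the usual dist-git convention, but it is worth a comment if reproducible gating results are expected.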
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 26 Apr 2022 16:00:59 +0200 Subject: [PATCH 037/139] Stop creating wrong devel manual pages Devel manual pages install correct manual pages with 3.gz suffix. But there are also additional links just with .gz suffix. They are created only in spec file. I think they were needed before unbound contained proper installation of manuals for development. It is missing .3 suffix. But it is not necessary anymore, because such recipe already exists in upstream Makefile.in. Resolves: rhbz#2078929 --- unbound.spec | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/unbound.spec b/unbound.spec index 4b63e23..ea40c5d 100644 --- a/unbound.spec +++ b/unbound.spec @@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.15.0 -Release: 2%{?extra_version:.%{extra_version}}%{?dist} +Release: 3%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -304,12 +304,6 @@ rm %{buildroot}%{python2_sitearch}/*.la rm %{buildroot}%{python3_sitearch}/*.la %endif -# create softlink for all functions of libunbound man pages -for mpage in ub_ctx ub_result ub_ctx_create ub_ctx_delete ub_ctx_set_option ub_ctx_get_option ub_ctx_config ub_ctx_set_fwd ub_ctx_resolvconf ub_ctx_hosts ub_ctx_add_ta ub_ctx_add_ta_file ub_ctx_trustedkeys ub_ctx_debugout ub_ctx_debuglevel ub_ctx_async ub_poll ub_wait ub_fd ub_process ub_resolve ub_resolve_async ub_cancel ub_resolve_free ub_strerror ub_ctx_print_local_zones ub_ctx_zone_add ub_ctx_zone_remove ub_ctx_data_add ub_ctx_data_remove; -do - echo ".so man3/libunbound.3" > %{buildroot}%{_mandir}/man3/$mpage ; -done - mkdir -p %{buildroot}%{_rundir}/unbound # Install directories for easier config file drop in 
@@ -452,6 +446,9 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Tue Apr 26 2022 Petr Menšík - 1.15.0-3 +- Stop creating wrong devel manual pages (#2078929) + * Wed Apr 20 2022 Petr Menšík - 1.15.0-2 - Update icannbundle.pem From 2c00b91a493c5261174dade4444e8dced757da9d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Sat, 4 Jun 2022 12:08:37 +0200 Subject: [PATCH 038/139] Update to 1.16.0 Adds basic support for EDE (RFC 8914). https://nlnetlabs.nl/projects/unbound/download/#unbound-1-16-0 --- .gitignore | 2 ++ sources | 4 ++-- unbound.spec | 7 +++++-- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 8b086ad..3b9ae64 100644 --- a/.gitignore +++ b/.gitignore @@ -69,3 +69,5 @@ unbound-1.4.5.tar.gz /unbound-1.13.2.tar.gz.asc /unbound-1.15.0.tar.gz /unbound-1.15.0.tar.gz.asc +/unbound-1.16.0.tar.gz +/unbound-1.16.0.tar.gz.asc diff --git a/sources b/sources index abd4858..1586e1f 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (unbound-1.15.0.tar.gz) = c5dab305694c14f64e05080700bb52f6e6bf5b76f15e1fde34e35c932cb3ffed0de2c03b570cf4bfe18165cb10e82e67ee9b12c6583295380f88c2c03800cc1f -SHA512 (unbound-1.15.0.tar.gz.asc) = 123818a855689ee3d402fd8f4b5a4646c08d5602e4544ce872d132c4c0de4a79c9efcc2d49324bf58ab06521f02deef795d89bdf632eee758e6ec36b408ea54a +SHA512 (unbound-1.16.0.tar.gz) = 134679c0baad6738541295fcfbf8cc701c647b5d5cd00f87e50394bc7b5b74b7326ed2fc42f3282cae8094b4980c1e580d7b748b7151642c9060c449b644715f +SHA512 (unbound-1.16.0.tar.gz.asc) = 1b7640df051bf9f37e261c4e7fa3b3343982f608c529553985eeb9444688ba9e751f45ad666ab13b783beff24806eef14e9833090a4aea249e1fa5023e3c0432 diff --git a/unbound.spec b/unbound.spec index ea40c5d..ac8f03c 100644 --- a/unbound.spec +++ b/unbound.spec 
@@ -29,8 +29,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.15.0 -Release: 3%{?extra_version:.%{extra_version}}%{?dist} +Version: 1.16.0 +Release: 1%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -446,6 +446,9 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Sat Jun 04 2022 Petr Menšík - 1.16.0-1 +- Update to 1.16.0 + * Tue Apr 26 2022 Petr Menšík - 1.15.0-3 - Stop creating wrong devel manual pages (#2078929) From 9cab78fef5ee1fcddb20eecc465d0b7cac7d9a03 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 7 Jun 2022 14:17:11 +0200 Subject: [PATCH 039/139] Do not keep keygen running, check certs each time Rely on condition of unbound-keygen service. If it does stop after generating them, then it will recreate also after restart later. That might be the case if someone removes these certificates. --- unbound-keygen.service | 1 - unbound.spec | 5 ++++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/unbound-keygen.service b/unbound-keygen.service index f5e6535..b169002 100644 --- a/unbound-keygen.service +++ b/unbound-keygen.service @@ -13,7 +13,6 @@ Type=oneshot Group=unbound ExecStart=/usr/sbin/unbound-control-setup -d /etc/unbound/ ExecStart=/sbin/restorecon /etc/unbound/* -RemainAfterExit=yes [Install] WantedBy=multi-user.target diff --git a/unbound.spec b/unbound.spec index ac8f03c..6627b48 100644 --- a/unbound.spec +++ b/unbound.spec @@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.16.0 -Release: 1%{?extra_version:.%{extra_version}}%{?dist} +Release: 4%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz 
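Review bot: With `RemainAfterExit=yes` gone, the `Wants=unbound-keygen.service` in unbound.service re-runs `unbound-control-setup -d /etc/unbound/` on every unbound start, so the unit now silently depends on that script leaving existing key and certificate files alone (as far as I recall it only creates missing files unless `-r` is given — confirm against the installed script), otherwise each restart would rotate the control keys under any running unbound-control client. That assumption deserves a line in the unit, e.g. `# No RemainAfterExit: re-run before every unbound start; unbound-control-setup only creates files that are missing`. Separately, the untouched `ExecStart=/sbin/restorecon /etc/unbound/*` line relies on shell globbing, which systemd's ExecStart= does not perform as far as I know, so restorecon is presumably handed the literal path `/etc/unbound/*`; `ExecStart=/sbin/restorecon -R /etc/unbound` would avoid that.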
@@ -446,6 +446,9 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Tue Jun 07 2022 Petr Menšík - 1.16.0-4 +- Restart keygen service before every unbound start + * Sat Jun 04 2022 Petr Menšík - 1.16.0-1 - Update to 1.16.0 From 3e61cdf8501b2f064dcdc569c14b30902e2f9196 Mon Sep 17 00:00:00 2001 From: Python Maint Date: Mon, 13 Jun 2022 15:31:01 +0200 Subject: [PATCH 040/139] Rebuilt for Python 3.11 --- unbound.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index 6627b48..c973a10 100644 --- a/unbound.spec +++ b/unbound.spec @@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.16.0 -Release: 4%{?extra_version:.%{extra_version}}%{?dist} +Release: 5%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -446,6 +446,9 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Mon Jun 13 2022 Python Maint - 1.16.0-5 +- Rebuilt for Python 3.11 + * Tue Jun 07 2022 Petr Menšík - 1.16.0-4 - Restart keygen service before every unbound start From ab99d1d23ee0a05f9bc4bdd4023feb537cabf52e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Mon, 27 Jun 2022 12:00:02 +0200 Subject: [PATCH 041/139] Move unbound-anchor to separate package It has the service and requires unbound user created. Make it separate, because some users of unbound-libs might not want or need anchor maintenance. Make it also easier to add custom options to unbound-anchor running from the service. Do not start timer from unbound.service, start instead unbound-anchor service before starting unbound. It would ensure root anchor is in the place. Run it from single place from both timer and unbound service. --- unbound-anchor.service | 3 ++- unbound.service | 4 ++-- unbound.spec | 38 ++++++++++++++++++++++++++------------ unbound.sysconfig | 6 +++++- 4 files changed, 35 insertions(+), 16 deletions(-) diff --git a/unbound-anchor.service b/unbound-anchor.service index cd949e5..59683c8 100644 --- a/unbound-anchor.service +++ b/unbound-anchor.service @@ -5,5 +5,6 @@ Documentation=man:unbound-anchor(8) [Service] Type=oneshot User=unbound -ExecStart=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R +EnvironmentFile=-/etc/sysconfig/unbound +ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi' SuccessExitStatus=1 diff --git a/unbound.service b/unbound.service index c59ffbf..ffaf783 100644 --- a/unbound.service +++ b/unbound.service @@ -3,7 +3,8 @@ Description=Unbound recursive Domain Name Server After=network-online.target After=unbound-keygen.service Wants=unbound-keygen.service -Wants=unbound-anchor.timer +After=unbound-anchor.service +Wants=unbound-anchor.service Before=nss-lookup.target Wants=nss-lookup.target 
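Review bot: The new ExecStart drops the explicit `-a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem` and hands the entire argument list to `$UNBOUND_ANCHOR_OPTIONS`, while `EnvironmentFile=-` tolerates a missing /etc/sysconfig/unbound; if that file is absent or an admin empties the variable, unbound-anchor runs with only its compiled-in key and certificate paths and without `-f /etc/resolv.conf -R`, so the resolver it probes with and the fallback it may use change without any error. Keeping the paths in the unit, `ExecStart=/bin/bash -c '... else /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem $UNBOUND_ANCHOR_OPTIONS; fi'`, makes the sysconfig options purely additive. The unit should also record why `-R` is acceptable, since as I read unbound-anchor(8) it allows falling back from the RFC 5011 probe to fetching root-anchors.xml over HTTPS verified against icannbundle.pem — a trust decision rather than a tuning knob. `SuccessExitStatus=1` is pre-existing context and presumably covers unbound-anchor's exit code 1 for "key updated"; a comment saying so would stop someone from removing it.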
@@ -11,7 +12,6 @@ Wants=nss-lookup.target Type=simple EnvironmentFile=-/etc/sysconfig/unbound ExecStartPre=/usr/sbin/unbound-checkconf -ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_UNBOUND_ANCHOR" == "yes" ]; then /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R; else echo "Updates of root keys with unbound-anchor is disabled"; fi' ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS ExecReload=/usr/sbin/unbound-control reload diff --git a/unbound.spec b/unbound.spec index c973a10..f2cc896 100644 --- a/unbound.spec +++ b/unbound.spec @@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.16.0 -Release: 5%{?extra_version:.%{extra_version}}%{?dist} +Release: 6%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -88,6 +88,7 @@ BuildRequires: systemd # Needed because /usr/sbin/unbound links unbound libs staticly Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-anchor%{?_isa} = %{version}-%{release} %description Unbound is a validating, recursive, and caching DNS(SEC) resolver. 
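Review bot: Removing the ExecStartPre changes the failure semantics without saying so: anchor refresh now runs in a separate unit pulled in by `Wants=`/`After=unbound-anchor.service`, so a failed refresh (no network at first boot, HTTPS fetch refused) no longer keeps the resolver down and unbound starts with whatever root.key is on disk. That is the right degradation for a DNS resolver, but it is the kind of thing that gets "fixed" into `Requires=` later; a comment next to the dependency, `# Wants, not Requires: a failed anchor refresh must not block the resolver; unbound validates with the on-disk root.key`, would record the intent. Whether unbound-anchor.service itself orders after network-online.target is outside this hunk and worth checking, since only unbound.service is visibly ordered that way.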
@@ -121,14 +122,22 @@ The devel package contains the unbound library and the include files %package libs Summary: Libraries used by the unbound server and client applications -Requires(pre): shadow-utils +Recommends: %{name}-anchor %if ! 0%{with_python2} # Make explicit conflict with no longer provided python package Obsoletes: python2-unbound < 1.9.3 %endif %description libs -Contains libraries used by the unbound server and client applications +Contains libraries used by the unbound server and client applications. + +%package anchor +Requires(pre): shadow-utils +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Summary: DNSSEC trust anchor maintaining tool + +%description anchor +Contains tool maintaining trust anchor using RFC 5011 key rollover algorithm. %if 0%{with_python2} %package -n python2-unbound @@ -317,7 +326,7 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/ echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8 -%pre libs +%pre anchor getent group unbound >/dev/null || groupadd -r unbound getent passwd unbound >/dev/null || \ useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \ @@ -327,7 +336,7 @@ useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \ %systemd_post unbound.service %systemd_post unbound-keygen.service -%post libs +%post anchor %systemd_post unbound-anchor.timer # start the timer only if installing the package to prevent starting it, if it was stopped on purpose if [ "$1" -eq 1 ]; then @@ -339,7 +348,7 @@ fi %systemd_preun unbound.service %systemd_preun unbound-keygen.service -%preun libs +%preun anchor %systemd_preun unbound-anchor.timer %postun 
@@ -376,7 +385,6 @@ popd %attr(0755,unbound,unbound) %dir %{_rundir}/%{name} %attr(0644,root,root) %{_tmpfilesdir}/unbound.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf -%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name} %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d %attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d/*.key %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/conf.d @@ -432,20 +440,26 @@ popd %doc doc/README %license doc/LICENSE %attr(0755,root,root) %dir %{_sysconfdir}/%{name} -%{_sbindir}/unbound-anchor %{_libdir}/libunbound.so.* +%dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name} +%attr(0644,unbound,unbound) %config %{_sharedstatedir}/%{name}/root.key +# just left for backwards compat with user changed unbound.conf files - format is different! +%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key + +%files anchor +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name} +%{_sbindir}/unbound-anchor %{_mandir}/man8/unbound-anchor* # icannbundle and root.key(s) should be replaced from package # intentionally not using noreplace %config %{_sysconfdir}/%{name}/icannbundle.pem %{_unitdir}/unbound-anchor.timer %{_unitdir}/unbound-anchor.service -%dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name} -%attr(0644,unbound,unbound) %config %{_sharedstatedir}/%{name}/root.key -# just left for backwards compat with user changed unbound.conf files - format is different! -%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Mon Jun 27 2022 Petr Menšík - 1.16.0-6 +- Move unbound-anchor to separate package + * Mon Jun 13 2022 Python Maint - 1.16.0-5 - Rebuilt for Python 3.11 diff --git a/unbound.sysconfig b/unbound.sysconfig index fae3306..adcf8fd 100644 --- a/unbound.sysconfig +++ b/unbound.sysconfig 
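Review bot: `%files libs` still owns `%dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}` and `%attr(0644,unbound,unbound) %config %{_sharedstatedir}/%{name}/root.key`, but the `%pre` that creates the unbound user (and its `Requires(pre): shadow-utils`) moved to the anchor subpackage, which libs only `Recommends:`; when unbound-libs is installed without weak deps (or anchor is removed), rpm cannot resolve the owner at install time and the trust-anchor directory and root.key end up owned by root with a warning, while a later anchor install still expects to write there as the unbound user. Either keep the user creation in `%pre libs` alongside the `Requires(pre): shadow-utils` line, or move `%{_sharedstatedir}/%{name}` and its root.key into `%files anchor` next to `%{_sbindir}/unbound-anchor`, where the user is guaranteed to exist. The comment "icannbundle and root.key(s) should be replaced from package" now sits in `%files anchor` while the root.key entries it describes stayed in libs, so the two should move together whichever way is chosen.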
@@ -1,3 +1,7 @@ -# for extra debug, add "-v -v" or change verbosity: in unbound.conf +# uncomment following line to skip anchor refresh before unbound start +#DISABLE_UNBOUND_ANCHOR=yes +# Better way is systemctl mask unbound-anchor.service +UNBOUND_ANCHOR_OPTIONS="-f /etc/resolv.conf -R" +# for extra debug, add "-v -v" or change verbosity: in unbound.conf UNBOUND_OPTIONS="" From 9e8de9414f2bfa536ea42ac28b3a0f6c60101c3d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Mon, 27 Jun 2022 13:53:54 +0200 Subject: [PATCH 042/139] Move host and streamtcp utilities to separate package They do not require unbound in any sense. They can work with just unbound-libs and therefore should be installable independently of main bigger daemon. --- unbound.spec | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/unbound.spec b/unbound.spec index f2cc896..2968c2b 100644 --- a/unbound.spec +++ b/unbound.spec @@ -89,6 +89,7 @@ BuildRequires: systemd # Needed because /usr/sbin/unbound links unbound libs staticly Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-anchor%{?_isa} = %{version}-%{release} +Recommends: %{name}-utils%{?_isa} = %{version}-%{release} %description Unbound is a validating, recursive, and caching DNS(SEC) resolver. @@ -139,6 +140,15 @@ Summary: DNSSEC trust anchor maintaining tool %description anchor Contains tool maintaining trust anchor using RFC 5011 key rollover algorithm. +%package utils +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Summary: Unbound DNS lookup utilities + +%description utils +Contains tools for making DNS queries. Can make queries to DNS servers +also over TLS connection or validate DNSSEC signatures. Similar to +bind-utils. + %if 0%{with_python2} %package -n python2-unbound %{?python_provide:%python_provide python2-unbound} 
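Review bot: The new default `UNBOUND_ANCHOR_OPTIONS="-f /etc/resolv.conf -R"` is a security-relevant setting with no explanation of what it enables, and the hint "Better way is systemctl mask unbound-anchor.service" does not mention that masking the service also neutralises unbound-anchor.timer, which is the more likely thing an admin wants to keep. Suggest replacing the two comment lines with `# -f: probe the root key through the resolvers in /etc/resolv.conf; -R: if the RFC 5011 probe fails, allow fetching root-anchors.xml over HTTPS (verified against /etc/unbound/icannbundle.pem) — drop -R to forbid that fallback` and `# To disable refreshes entirely, prefer: systemctl mask unbound-anchor.service (note: this also stops unbound-anchor.timer from running it)`, with the `-R` wording checked against unbound-anchor(8).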
@@ -399,9 +409,6 @@ popd %{_sbindir}/unbound-checkconf %{_sbindir}/unbound-control %{_sbindir}/unbound-control-setup -%{_sbindir}/unbound-host -%{_sbindir}/unbound-streamtcp -%{_mandir}/man1/* %{_mandir}/man5/* %exclude %{_mandir}/man8/unbound-anchor* %{_mandir}/man8/* @@ -456,9 +463,15 @@ popd %{_unitdir}/unbound-anchor.timer %{_unitdir}/unbound-anchor.service +%files utils +%{_sbindir}/unbound-host +%{_sbindir}/unbound-streamtcp +%{_mandir}/man1/unbound-* + %changelog * Mon Jun 27 2022 Petr Menšík - 1.16.0-6 - Move unbound-anchor to separate package +- Move unbound-host and unbound-streamtcp to unbound-utils package * Mon Jun 13 2022 Python Maint - 1.16.0-5 - Rebuilt for Python 3.11 From a53f6dc92e2b7108ef76d48367889f37cd263f6d Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 23 Jul 2022 11:21:53 +0000 Subject: [PATCH 043/139] Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- unbound.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index 2968c2b..c0d8bf2 100644 --- a/unbound.spec +++ b/unbound.spec @@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.16.0 -Release: 6%{?extra_version:.%{extra_version}}%{?dist} +Release: 7%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -469,6 +469,9 @@ popd %{_mandir}/man1/unbound-* %changelog +* Sat Jul 23 2022 Fedora Release Engineering - 1.16.0-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + * Mon Jun 27 2022 Petr Menšík - 1.16.0-6 - Move unbound-anchor to separate package - Move unbound-host and unbound-streamtcp to unbound-utils package From 9efe622c795a62fd034b266785ae9f0753d08efc Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Wed, 3 Aug 2022 20:12:34 +0200 Subject: [PATCH 044/139] Update to 0.16.2 (#2105947) https://nlnetlabs.nl/projects/unbound/download/#unbound-1-16-2 --- .gitignore | 2 ++ sources | 4 ++-- unbound.spec | 7 +++++-- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 3b9ae64..7bd5a0c 100644 --- a/.gitignore +++ b/.gitignore @@ -71,3 +71,5 @@ unbound-1.4.5.tar.gz /unbound-1.15.0.tar.gz.asc /unbound-1.16.0.tar.gz /unbound-1.16.0.tar.gz.asc +/unbound-1.16.2.tar.gz +/unbound-1.16.2.tar.gz.asc diff --git a/sources b/sources index 1586e1f..abff2db 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (unbound-1.16.0.tar.gz) = 134679c0baad6738541295fcfbf8cc701c647b5d5cd00f87e50394bc7b5b74b7326ed2fc42f3282cae8094b4980c1e580d7b748b7151642c9060c449b644715f -SHA512 (unbound-1.16.0.tar.gz.asc) = 1b7640df051bf9f37e261c4e7fa3b3343982f608c529553985eeb9444688ba9e751f45ad666ab13b783beff24806eef14e9833090a4aea249e1fa5023e3c0432 +SHA512 (unbound-1.16.2.tar.gz) = 0ea65ea63265be677441bd2a28df12098ec5e86c3372240c2874f9bd13752b8b818da81ae6076cf02cbeba3d36e397698a4c2b50570be1a6a8e47f57a0251572 +SHA512 (unbound-1.16.2.tar.gz.asc) = bc5241c86f90be76886209c81d6f1c025d4774fa00d114180b99d43999f31b1b4c8d123717b8a79a60bc3acfcbe9f46678b80b3d961431c7bfd05ff48c69ef4f diff --git a/unbound.spec b/unbound.spec index c0d8bf2..8a73436 100644 --- a/unbound.spec +++ b/unbound.spec @@ -29,8 +29,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.16.0 -Release: 7%{?extra_version:.%{extra_version}}%{?dist} +Version: 1.16.2 +Release: 1%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz 
@@ -469,6 +469,9 @@ popd %{_mandir}/man1/unbound-* %changelog +* Wed Aug 03 2022 Petr Menšík - 1.16.2-1 +- Update to 0.16.2 (#2105947) + * Sat Jul 23 2022 Fedora Release Engineering - 1.16.0-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild From 2868e371c32258654996da60bc6ee58d29bd11e9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 9 Aug 2022 12:11:15 +0200 Subject: [PATCH 045/139] Require openssl tool for unbound-keygen (#2116790) --- unbound.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index 8a73436..5d44771 100644 --- a/unbound.spec +++ b/unbound.spec @@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.16.2 -Release: 1%{?extra_version:.%{extra_version}}%{?dist} +Release: 2%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -90,6 +90,8 @@ BuildRequires: systemd Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-anchor%{?_isa} = %{version}-%{release} Recommends: %{name}-utils%{?_isa} = %{version}-%{release} +# unbound-keygen.service requires it, bug #2116790 +Requires: openssl %description Unbound is a validating, recursive, and caching DNS(SEC) resolver. @@ -469,6 +471,9 @@ popd %{_mandir}/man1/unbound-* %changelog +* Tue Aug 09 2022 Petr Menšík - 1.16.2-2 +- Require openssl tool for unbound-keygen (#2116790) + * Wed Aug 03 2022 Petr Menšík - 1.16.2-1 - Update to 0.16.2 (#2105947) From 7722f4b9bb207d705b52bf0f44b093969b96bb03 Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Tue, 9 Aug 2022 10:13:35 -0400 Subject: [PATCH 046/139] fix changelog entry --- unbound.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index 5d44771..5154212 100644 --- a/unbound.spec +++ b/unbound.spec 
@@ -475,7 +475,7 @@ popd - Require openssl tool for unbound-keygen (#2116790) * Wed Aug 03 2022 Petr Menšík - 1.16.2-1 -- Update to 0.16.2 (#2105947) +- Update to 1.16.2 (#2105947) for CVE-2022-30698 and CVE-2022-30699 * Sat Jul 23 2022 Fedora Release Engineering - 1.16.0-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild From cb937b3e49b030dd835362643c60f5188be63d48 Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Tue, 9 Aug 2022 11:06:18 -0400 Subject: [PATCH 047/139] pull in new options of upstream unbound.conf and enable EDE (RFC8914) --- unbound.conf | 48 ++++++++++++++++++++++++++++++++++++++++-------- unbound.spec | 6 +++++- 2 files changed, 45 insertions(+), 9 deletions(-) diff --git a/unbound.conf b/unbound.conf index 977d39f..2d7d6a7 100644 --- a/unbound.conf +++ b/unbound.conf @@ -185,6 +185,10 @@ server: # perform connect for UDP sockets to mitigate ICMP side channel. # udp-connect: yes + # The number of retries, per upstream nameserver in a delegation, when + # a throwaway response (also timeouts) is received. + # outbound-msg-retry: 5 + # msec for waiting for an unknown server to reply. Increase if you # are behind a slow satellite link, to eg. 1128. # unknown-server-time-limit: 376 @@ -216,6 +220,9 @@ server: # minimum wait time for responses, increase if uplink is long. In msec. # infra-cache-min-rtt: 50 + # maximum wait time for responses. In msec. + # infra-cache-max-rtt: 120000 + # enable to make server probe down hosts more frequently. # infra-keep-probing: no @@ -393,9 +400,6 @@ server: # enable to not answer version.server and version.bind queries. # hide-version: no - # enable to not set the User-Agent HTTP header. - # hide-http-user-agent: no - # enable to not answer trustanchor.unbound queries. # hide-trustanchor: no 
@@ -697,6 +701,7 @@ server: # local-zone: "localhost." nodefault # local-zone: "127.in-addr.arpa." nodefault # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault + # local-zone: "home.arpa." nodefault # local-zone: "onion." nodefault # local-zone: "test." nodefault # local-zone: "invalid." nodefault @@ -844,6 +849,8 @@ server: # Add system certs to the cert bundle, from the Windows Cert Store # tls-win-cert: no + # and on other systems, the default openssl certificates + # tls-system-cert: no # Pad queries over TLS upstreams # pad-queries: yes @@ -893,6 +900,10 @@ server: # 0 blocks when ratelimited, otherwise let 1/xth traffic through # ratelimit-factor: 10 + # Aggressive rate limit when the limit is reached and until demand has + # decreased in a 2 second rate window. + # ratelimit-backoff: no + # override the ratelimit for a specific domain name. # give this setting multiple times to have multiple overrides. # ratelimit-for-domain: example.com 1000 @@ -913,6 +924,10 @@ server: # 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through # ip-ratelimit-factor: 10 + # Aggressive rate limit when the limit is reached and until demand has + # decreased in a 2 second rate window. + # ip-ratelimit-backoff: no + # Limit the number of connections simultaneous from a netblock # tcp-connection-limit: 192.0.2.0/24 12 @@ -922,6 +937,14 @@ server: # the number of servers that will be used in the fast server selection. # fast-server-num: 3 + # Enable to attach Extended DNS Error codes (RFC8914) to responses. + ede: yes + + # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale + # Answer as EDNS0 option to expired responses. + # Note that the ede option above needs to be enabled for this to work. + ede-serve-expired: yes + # Specific options for ipsecmod. Unbound needs to be configured with # --enable-ipsecmod for these to take effect. # 
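Review bot: `ede: yes` and `ede-serve-expired: yes` are the only settings this sync actually turns on, and the comment only records that the second depends on the first; it also only has an effect when `serve-expired` is enabled, which lives in a section outside this hunk, so confirm the two agree or the option is dead. EDE data is returned to every client, including unauthenticated ones, and as far as I recall unbound can attach a diagnostic reason as EDE EXTRA-TEXT to bogus answers, so the distro default should say what it exposes; suggest extending the comment to `# Enabled by default in this package: EDE codes (and any extra text unbound attaches to failed validations) are returned to all clients; set to no if responses must stay minimal.`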
@@ -1033,6 +1056,7 @@ include: /etc/unbound/conf.d/*.conf # stub-addr: 192.0.2.68 # stub-prime: no # stub-first: no +# stub-tcp-upstream: no # stub-tls-upstream: no # stub-no-cache: no # stub-zone: @@ -1054,6 +1078,7 @@ include: /etc/unbound/conf.d/*.conf # forward-addr: 192.0.2.68 # forward-addr: 192.0.2.73@5355 # forward to port 5355. # forward-first: no +# forward-tcp-upstream: no # forward-tls-upstream: no # forward-no-cache: no # forward-zone: @@ -1124,6 +1149,7 @@ auth-zone: # another crypto library # # DNSCrypt +# o enable, use --enable-dnscrypt to configure before compiling. # Caveats: # 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper # for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage @@ -1144,7 +1170,9 @@ auth-zone: # dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert # CacheDB -# Enable external backend DB as auxiliary cache. Specify the backend name +# External backend DB as auxiliary cache. +# To enable, use --enable-cachedb to configure before compiling. +# Specify the backend name # (default is "testframe", which has no use other than for debugging and # testing) and backend-specific options. The 'cachedb' module must be # included in module-config, just before the iterator module. @@ -1154,6 +1182,7 @@ auth-zone: # secret-seed: "default" # # # For "redis" backend: +# # (to enable, use --with-libhiredis to configure before compiling) # # redis server's IP address or host name # redis-server-host: 127.0.0.1 # # redis server's TCP port @@ -1165,7 +1194,9 @@ auth-zone: # IPSet # Add specify domain into set via ipset. -# Note: To enable ipset Unbound needs to run as root user. +# To enable: +# o use --enable-ipset to configure before compiling; +# o Unbound then needs to run as root user. # ipset: # # set name for ip v4 addresses # name-v4: "list-v4" 
@@ -1173,9 +1204,10 @@ auth-zone: # name-v6: "list-v6" # -# Dnstap logging support, if compiled in. To enable, set the dnstap-enable -# to yes and also some of dnstap-log-..-messages to yes. And select an -# upstream log destination, by socket path, TCP or TLS destination. +# Dnstap logging support, if compiled in by using --enable-dnstap to configure. +# To enable, set the dnstap-enable to yes and also some of +# dnstap-log-..-messages to yes. And select an upstream log destination, by +# socket path, TCP or TLS destination. # dnstap: # dnstap-enable: no # # if set to yes frame streams will be used in bidirectional mode diff --git a/unbound.spec b/unbound.spec index 5154212..69f962f 100644 --- a/unbound.spec +++ b/unbound.spec @@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.16.2 -Release: 2%{?extra_version:.%{extra_version}}%{?dist} +Release: 3%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -471,6 +471,10 @@ popd %{_mandir}/man1/unbound-* %changelog +* Tue Aug 09 2022 Paul Wouters - 1.16.2-3 +- sync up to upstream unbound.conf +- Enable Extended DNS Error codes (RFC8914) + * Tue Aug 09 2022 Petr Menšík - 1.16.2-2 - Require openssl tool for unbound-keygen (#2116790) From 4e237a1016065790c31c127fe64a269653438c3f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Fri, 23 Sep 2022 23:01:23 +0200 Subject: [PATCH 048/139] Update to 1.16.3 Resolves: rhbz#2128638 CVE-2022-3204 --- .gitignore | 2 ++ sources | 4 ++-- unbound.spec | 7 +++++-- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 7bd5a0c..3476ae7 100644 --- a/.gitignore +++ b/.gitignore @@ -73,3 +73,5 @@ unbound-1.4.5.tar.gz /unbound-1.16.0.tar.gz.asc /unbound-1.16.2.tar.gz /unbound-1.16.2.tar.gz.asc +/unbound-1.16.3.tar.gz +/unbound-1.16.3.tar.gz.asc 
diff --git a/sources b/sources index abff2db..c6e4d53 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (unbound-1.16.2.tar.gz) = 0ea65ea63265be677441bd2a28df12098ec5e86c3372240c2874f9bd13752b8b818da81ae6076cf02cbeba3d36e397698a4c2b50570be1a6a8e47f57a0251572 -SHA512 (unbound-1.16.2.tar.gz.asc) = bc5241c86f90be76886209c81d6f1c025d4774fa00d114180b99d43999f31b1b4c8d123717b8a79a60bc3acfcbe9f46678b80b3d961431c7bfd05ff48c69ef4f +SHA512 (unbound-1.16.3.tar.gz) = ef5cda926dd1082a750615d8687bccd756869c66e9f24f984fda4c6613f94f3e4884db328b8d7b490777a75d3e616dcb61c5258e7777923c0590e6fabacd207c +SHA512 (unbound-1.16.3.tar.gz.asc) = b106f080d877e479d944a7ebe24a380f4c40c38308733f43f8a60d4e7aedc6597e6daa4a1428f596e705c9c75e6ee7b4187dbbc5750a9c406f59d76d4f1b4a8d diff --git a/unbound.spec b/unbound.spec index 69f962f..c710788 100644 --- a/unbound.spec +++ b/unbound.spec @@ -29,8 +29,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.16.2 -Release: 3%{?extra_version:.%{extra_version}}%{?dist} +Version: 1.16.3 +Release: 1%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -471,6 +471,9 @@ popd %{_mandir}/man1/unbound-* %changelog +* Fri Sep 23 2022 Petr Menšík - 1.16.3-1 +- Update to 1.16.3 (#2128638) + * Tue Aug 09 2022 Paul Wouters - 1.16.2-3 - sync up to upstream unbound.conf - Enable Extended DNS Error codes (RFC8914) From ad8a93625dcfaa97d4d88cd848aa77e5f3578328 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Fri, 30 Sep 2022 13:02:49 +0200 Subject: [PATCH 049/139] Update License tag to SPDX identifier --- unbound.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/unbound.spec b/unbound.spec index c710788..f9ee060 100644 --- a/unbound.spec +++ b/unbound.spec 
@@ -30,8 +30,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.16.3 -Release: 1%{?extra_version:.%{extra_version}}%{?dist} -License: BSD +Release: 2%{?extra_version:.%{extra_version}}%{?dist} +License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz Source1: unbound.service @@ -471,6 +471,9 @@ popd %{_mandir}/man1/unbound-* %changelog +* Fri Sep 30 2022 Petr Menšík - 1.16.3-2 +- Update License tag to SPDX identifier + * Fri Sep 23 2022 Petr Menšík - 1.16.3-1 - Update to 1.16.3 (#2128638) From 7b3bfe9b4de3413a6e74e989011fe95ee421746a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 11 Oct 2022 11:34:09 +0200 Subject: [PATCH 050/139] Correct issues made by unbound-anchor package split Resolves: rhbz#2110858 --- unbound.spec | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/unbound.spec b/unbound.spec index f9ee060..f9ac9a7 100644 --- a/unbound.spec +++ b/unbound.spec @@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.16.3 -Release: 2%{?extra_version:.%{extra_version}}%{?dist} +Release: 3%{?extra_version:.%{extra_version}}%{?dist} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -349,7 +349,7 @@ useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \ %systemd_post unbound-keygen.service %post anchor -%systemd_post unbound-anchor.timer +%systemd_post unbound-anchor.service unbound-anchor.timer # start the timer only if installing the package to prevent starting it, if it was stopped on purpose if [ "$1" -eq 1 ]; then # the Unit is in presets, but would be started after reboot 
@@ -361,14 +361,14 @@ fi %systemd_preun unbound-keygen.service %preun anchor -%systemd_preun unbound-anchor.timer +%systemd_preun unbound-anchor.service unbound-anchor.timer %postun %systemd_postun_with_restart unbound.service %systemd_postun unbound-keygen.service -%postun libs -%systemd_postun_with_restart unbound-anchor.timer +%postun anchor +%systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer %check pushd %{dir_primary} @@ -471,6 +471,9 @@ popd %{_mandir}/man1/unbound-* %changelog +* Wed Oct 05 2022 Petr Menšík - 1.16.3-3 +- Correct issues made by unbound-anchor package split (#2110858) + * Fri Sep 30 2022 Petr Menšík - 1.16.3-2 - Update License tag to SPDX identifier From 1da004f437be3e5e70ace37e09c6aa12b282af93 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 1 Nov 2022 16:05:52 +0100 Subject: [PATCH 051/139] Update to 1.17.0 (#2134348) https://nlnetlabs.nl/projects/unbound/download/#unbound-1-17-0 New Features: - Merge #753: ACL per interface. (New interface-* configuration options). - Merge #760: PROXYv2 downstream support. (New proxy-protocol-port configuration option). --- .gitignore | 2 ++ sources | 4 ++-- unbound.conf | 62 +++++++++++++++++++++++++++++++++++++++++++++++++++- unbound.spec | 7 ++++-- 4 files changed, 70 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index 3476ae7..3c64874 100644 --- a/.gitignore +++ b/.gitignore @@ -75,3 +75,5 @@ unbound-1.4.5.tar.gz /unbound-1.16.2.tar.gz.asc /unbound-1.16.3.tar.gz /unbound-1.16.3.tar.gz.asc +/unbound-1.17.0.tar.gz +/unbound-1.17.0.tar.gz.asc diff --git a/sources b/sources index c6e4d53..691909a 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (unbound-1.16.3.tar.gz) = ef5cda926dd1082a750615d8687bccd756869c66e9f24f984fda4c6613f94f3e4884db328b8d7b490777a75d3e616dcb61c5258e7777923c0590e6fabacd207c -SHA512 (unbound-1.16.3.tar.gz.asc) = b106f080d877e479d944a7ebe24a380f4c40c38308733f43f8a60d4e7aedc6597e6daa4a1428f596e705c9c75e6ee7b4187dbbc5750a9c406f59d76d4f1b4a8d +SHA512 (unbound-1.17.0.tar.gz) = f6b9f279330fb19b5feca09524959940aad8c4e064528aa82b369c726d77e9e8e5ca23f366f6e9edcf2c061b96f482ed7a2c26ac70fc15ae5762b3d7e36a5284 +SHA512 (unbound-1.17.0.tar.gz.asc) = e1567f088bdf0a96dbdcf365deccb72f42319b9b29510d5d9aefbe66df054446d3dcdfcc54826046af6e4f751aa518798b968685611b1b7f1860f66a96e32a57 diff --git a/unbound.conf b/unbound.conf index 2d7d6a7..2b6dc59 100644 --- a/unbound.conf +++ b/unbound.conf @@ -71,6 +71,10 @@ server: # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled interface-automatic: no + # instead of the default port, open additional ports separated by + # spaces when interface-automatic is enabled, by listing them here. + # interface-automatic-ports: "" + # port to answer queries from # port: 53 @@ -304,7 +308,7 @@ server: # are tagged with one of these tags. # access-control-tag: 192.0.2.0/24 "tag2 tag3" - # set action for particular tag for given access control element + # set action for particular tag for given access control element. # if you have multiple tag values, the tag used to lookup the action # is the first tag match between access-control-tag and local-zone-tag # where "first" comes from the order of the define-tag values. 
@@ -316,6 +320,58 @@ server: # Set view for access control element # access-control-view: 192.0.2.0/24 viewname + # Similar to 'access-control:' but for interfaces. + # Control which listening interfaces are allowed to accept (recursive) + # queries for this server. + # The specified interfaces should be the same as the ones specified in + # 'interface:' followed by the action. + # The actions are the same as 'access-control:' above. + # By default all the interfaces configured are refused. + # Note: any 'access-control*:' setting overrides all 'interface-*:' + # settings for targeted clients. + # interface-action: 192.0.2.153 allow + # interface-action: 192.0.2.154 allow + # interface-action: 192.0.2.154@5003 allow + # interface-action: 2001:DB8::5 allow + # interface-action: eth0@5003 allow + + # Similar to 'access-control-tag:' but for interfaces. + # Tag interfaces with a list of tags (in "" with spaces between). + # Interfaces using these tags use localzones that are tagged with one + # of these tags. + # The specified interfaces should be the same as the ones specified in + # 'interface:' followed by the list of tags. + # Note: any 'access-control*:' setting overrides all 'interface-*:' + # settings for targeted clients. + # interface-tag: eth0@5003 "tag2 tag3" + + # Similar to 'access-control-tag-action:' but for interfaces. + # Set action for particular tag for a given interface element. + # If you have multiple tag values, the tag used to lookup the action + # is the first tag match between interface-tag and local-zone-tag + # where "first" comes from the order of the define-tag values. + # The specified interfaces should be the same as the ones specified in + # 'interface:' followed by the tag and action. + # Note: any 'access-control*:' setting overrides all 'interface-*:' + # settings for targeted clients. + # interface-tag-action: eth0@5003 tag3 refuse + + # Similar to 'access-control-tag-data:' but for interfaces. 
+ # Set redirect data for a particular tag for an interface element. + # The specified interfaces should be the same as the ones specified in + # 'interface:' followed by the tag and the redirect data. + # Note: any 'access-control*:' setting overrides all 'interface-*:' + # settings for targeted clients. + # interface-tag-data: eth0@5003 tag2 "A 127.0.0.1" + + # Similar to 'access-control-view:' but for interfaces. + # Set view for an interface element. + # The specified interfaces should be the same as the ones specified in + # 'interface:' followed by the view name. + # Note: any 'access-control*:' setting overrides all 'interface-*:' + # settings for targeted clients. + # interface-view: eth0@5003 viewname + # if given, a chroot(2) is done to the given directory. # i.e. you can chroot to the working directory, for example, # for extra security, but make sure all files are in that directory. @@ -880,6 +936,10 @@ server: # Disable TLS for DNS-over-HTTP downstream service. # http-notls-downstream: no + # The interfaces that use these listed port numbers will support and + # expect PROXYv2. For UDP and TCP/TLS interfaces. + # proxy-protocol-port: portno for each of the port numbers. + # DNS64 prefix. Must be specified when DNS64 is use. # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4. # dns64-prefix: 64:ff9b::0/96 diff --git a/unbound.spec b/unbound.spec index f9ac9a7..bfe7891 100644 --- a/unbound.spec +++ b/unbound.spec @@ -29,8 +29,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.16.3 -Release: 3%{?extra_version:.%{extra_version}}%{?dist} +Version: 1.17.0 +Release: 1%{?extra_version:.%{extra_version}}%{?dist} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz 
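Review bot: The new `proxy-protocol-port` comment does not say where the client address comes from once PROXYv2 is expected on a port: it is read from the PROXY header, so `access-control`/`interface-action` decisions and logging use whatever the peer that reaches that port writes into the header. Since this file ships as the distribution default, one caveat line would help: `# Only use on ports reachable solely from the trusted proxy; the client address seen by access-control comes from the PROXY header.` The example value `portno for each of the port numbers` reads as prose rather than a sample; a placeholder such as `# proxy-protocol-port: <port>` would be clearer. The enclosing `server:` section starts outside the hunk.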
@@ -471,6 +471,9 @@ popd %{_mandir}/man1/unbound-* %changelog +* Tue Nov 01 2022 Petr Menšík - 1.17.0-1 +- Update to 1.17.0 (#2134348) + * Wed Oct 05 2022 Petr Menšík - 1.16.3-3 - Correct issues made by unbound-anchor package split (#2110858) From 2efa55aa147a979be8ebf6f3ef9f0ee5b53e1bf0 Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Wed, 7 Dec 2022 19:49:28 -0500 Subject: [PATCH 052/139] Disable SHA-1 support in ELN --- unbound.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index bfe7891..bda025e 100644 --- a/unbound.spec +++ b/unbound.spec @@ -77,7 +77,7 @@ BuildRequires: systemd-devel %if %{with doh} BuildRequires: libnghttp2-devel %endif -%if 0%{?fedora} >= 30 +%if 0%{?fedora} >= 30 || 0%{?rhel} >= 9 BuildRequires: systemd-rpm-macros %else BuildRequires: systemd @@ -239,6 +239,9 @@ pushd %{dir_primary} %endif %if %{with doh} --with-libnghttp2 \ +%endif +%if 0%{?rhel} + --disable-sha1 \ %endif %{configure_args} From e70e0f040e080a233ddb2cb5e60c88ceca9e9e82 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 1 Dec 2022 17:05:37 +0100 Subject: [PATCH 053/139] Move unbound user creation to libs (#2149036) libs contains also few key anchor owned by unbound user. It needs to be created also for unbound-libs, which is required by all other packages. --- unbound.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/unbound.spec b/unbound.spec index bda025e..1303e48 100644 --- a/unbound.spec +++ b/unbound.spec @@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.17.0 -Release: 1%{?extra_version:.%{extra_version}}%{?dist} +Release: 2%{?extra_version:.%{extra_version}}%{?dist} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz 
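Review bot: `--disable-sha1` is gated on `0%{?rhel}` (any RHEL release) while the `systemd-rpm-macros` hunk of the same commit uses `0%{?rhel} >= 9`; since the subject targets ELN the two conditions should agree, e.g. `%if 0%{?rhel} >= 9`. The flag also has a validation consequence worth a comment: zones signed only with the SHA-1 DNSSEC algorithms (RSASHA1, RSASHA1-NSEC3-SHA1) can no longer be validated by this build, and presumably end up treated as insecure rather than bogus — confirm against unbound's unsupported-algorithm handling. A later commit on this page disables tests because of this, so stating the reason here, `# OpenSSL on RHEL rejects SHA-1 signatures; drop the SHA-1 DNSSEC algorithms`, would save the next reader a search.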
@@ -341,7 +341,7 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/ echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8 -%pre anchor +%pre libs getent group unbound >/dev/null || groupadd -r unbound getent passwd unbound >/dev/null || \ useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \ @@ -474,6 +474,9 @@ popd %{_mandir}/man1/unbound-* %changelog +* Thu Dec 01 2022 Petr Menšík - 1.17.0-2 +- Move unbound user creation to libs (#2149036) + * Tue Nov 01 2022 Petr Menšík - 1.17.0-1 - Update to 1.17.0 (#2134348) From 0953d812045eb6b7361af869d8ad095bbf34e807 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 1 Dec 2022 17:30:31 +0100 Subject: [PATCH 054/139] Use systemd-sysusers for user creation (#2105416) --- unbound.spec | 12 +++++++----- unbound.sysusers | 1 + 2 files changed, 8 insertions(+), 5 deletions(-) create mode 100644 unbound.sysusers diff --git a/unbound.spec b/unbound.spec index 1303e48..453f964 100644 --- a/unbound.spec +++ b/unbound.spec @@ -53,6 +53,7 @@ Source17: unbound-anchor.service Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc # source: https://nlnetlabs.nl/people/ Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key +Source20: unbound.sysusers BuildRequires: gcc, make @@ -92,6 +93,7 @@ Requires: %{name}-anchor%{?_isa} = %{version}-%{release} Recommends: %{name}-utils%{?_isa} = %{version}-%{release} # unbound-keygen.service requires it, bug #2116790 Requires: openssl +Requires(pre): systemd-sysusers %description Unbound is a validating, recursive, and caching DNS(SEC) resolver. 
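Review bot: `%pre libs` now runs `getent`/`groupadd`/`useradd`, but the `Requires(pre): shadow-utils` that guarantees those tools exist stays on the `anchor` subpackage (it is only removed from `anchor` in a later commit on this page), so a fresh install of unbound-libs can reach this scriptlet before shadow-utils is installed. The following commit has the same wrong-subpackage issue in its `@@ -92,6 +93,7 @@` hunk: `Requires(pre): systemd-sysusers` is added to the main package while `%sysusers_create_compat` runs in `%pre libs`. Both belong under `%package libs`, e.g. `Requires(pre): shadow-utils` here and `%{?sysusers_requires_compat}` once the sysusers switch lands.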
@@ -290,6 +292,7 @@ install -p -m 0644 %{SOURCE17} %{buildroot}%{_unitdir}/unbound-anchor.service install -p -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound install -p -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/unbound install -p -m 0644 %{SOURCE14} %{buildroot}%{_sysconfdir}/sysconfig/unbound +install -p -D -m 0644 %{SOURCE20} %{buildroot}%{_sysusersdir}/%{name}.sysusers %if %{with_munin} # Install munin plugin and its softlinks install -d -m 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d @@ -342,10 +345,7 @@ echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control %pre libs -getent group unbound >/dev/null || groupadd -r unbound -getent passwd unbound >/dev/null || \ -useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \ --c "Unbound DNS resolver" unbound +%sysusers_create_compat %{SOURCE20} %post %systemd_post unbound.service @@ -452,7 +452,8 @@ popd %doc doc/README %license doc/LICENSE %attr(0755,root,root) %dir %{_sysconfdir}/%{name} -%{_libdir}/libunbound.so.* +%{_sysusersdir}/%{name}.sysusers +%{_libdir}/libunbound.so.8* %dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name} %attr(0644,unbound,unbound) %config %{_sharedstatedir}/%{name}/root.key # just left for backwards compat with user changed unbound.conf files - format is different! @@ -476,6 +477,7 @@ popd %changelog * Thu Dec 01 2022 Petr Menšík - 1.17.0-2 - Move unbound user creation to libs (#2149036) +- Use systemd-sysusers for user creation (#2105416) * Tue Nov 01 2022 Petr Menšík - 1.17.0-1 - Update to 1.17.0 (#2134348) diff --git a/unbound.sysusers b/unbound.sysusers new file mode 100644 index 0000000..6614682 --- /dev/null +++ b/unbound.sysusers @@ -0,0 +1 @@ +u unbound - "Unbound DNS resolver" /var/lib/unbound /sbin/nologin From 00b1b0c570d74b12cd0f9fe53525b41c486a3f06 Mon Sep 17 00:00:00 2001 
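Review bot: The new `unbound.sysusers` line sets the home directory to `/var/lib/unbound`, whereas the `useradd -d %{_sysconfdir}/unbound` it replaces in the `@@ -342,10 +345,7 @@` hunk used `/etc/unbound`; as far as I can tell systemd-sysusers only creates missing accounts and leaves existing ones untouched, so upgraded and freshly installed systems end up with different home directories for the same service user. If the change is intended, say so in the commit message and add `# home is %{_sharedstatedir}/unbound, not the old /etc/unbound` next to `Source20`; otherwise keep `/etc/unbound` in the sysusers file. The `%files libs` hunk also narrows `libunbound.so.*` to `libunbound.so.8*`, an unrelated soname pin that would be easier to review in its own commit.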
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 1 Dec 2022 18:09:12 +0100 Subject: [PATCH 055/139] Use static dnssec-root.key with link from lib Points to static data, which would be overwritten by unbound-anchor.service. Makes default key kept intact and dynamic data put instead of symlink. Ignore most of file properties of %_localstatedir/unbound/root.key, default symlink is replaced with anchor maintained regular file. Resolves: rhbz#2132103 --- unbound.spec | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/unbound.spec b/unbound.spec index 453f964..94f4cf3 100644 --- a/unbound.spec +++ b/unbound.spec @@ -317,7 +317,12 @@ install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf # install root - we keep a copy of the root key in old location, # in case user has changed the configuration and we wouldn't update it there install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/ -install -m 0644 %{SOURCE13} %{buildroot}%{_sharedstatedir}/unbound/root.key +install -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/unbound/dnssec-root.key +# make initial key static +pushd %{buildroot}%{_sharedstatedir}/unbound + KEYPATH=$(realpath --relative-to="%{buildroot}%{_sharedstatedir}/unbound" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key") + ln -s "$KEYPATH" root.key +popd # remove static library from install (fedora packaging guidelines) rm %{buildroot}%{_libdir}/*.la 
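Review bot: The new `pushd`/`ln -s` block in `%install` carries no comment explaining that `root.key` starts as a symlink to the packaged `dnssec-root.key` and is meant to be replaced by a regular file written by unbound-anchor, which the commit message explains but the spec does not. A line such as `# root.key is a symlink to the static packaged key until unbound-anchor replaces it with a regular file` above `pushd` would make this self-describing. It could also note that the link is computed with `realpath --relative-to` so it stays valid outside the buildroot.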
@@ -455,9 +460,10 @@ popd %{_sysusersdir}/%{name}.sysusers %{_libdir}/libunbound.so.8* %dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name} -%attr(0644,unbound,unbound) %config %{_sharedstatedir}/%{name}/root.key +%verify(not size mtime filedigest link mode user group) %{_sharedstatedir}/%{name}/root.key # just left for backwards compat with user changed unbound.conf files - format is different! %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key +%attr(0644,root,root) %config %{_sysconfdir}/%{name}/dnssec-root.key %files anchor %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name} @@ -478,6 +484,7 @@ popd * Thu Dec 01 2022 Petr Menšík - 1.17.0-2 - Move unbound user creation to libs (#2149036) - Use systemd-sysusers for user creation (#2105416) +- Keep original DNSSEC root key as config (#2132103) * Tue Nov 01 2022 Petr Menšík - 1.17.0-1 - Update to 1.17.0 (#2134348) From 668ceaffe5564700fae979d1617d36fe28a8d493 Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Fri, 13 Jan 2023 19:17:50 -0500 Subject: [PATCH 056/139] update to 1.17.1 - Resolved rhbz#2160397 unbound-1.17.1 is available (bugfix release) - Add support for building with redis - update unbound.conf --- unbound.conf | 30 ++++++++++++++++++++++++------ unbound.spec | 19 ++++++++++++++++--- 2 files changed, 40 insertions(+), 9 deletions(-) diff --git a/unbound.conf b/unbound.conf index 2b6dc59..54c4d7b 100644 --- a/unbound.conf +++ b/unbound.conf @@ -41,6 +41,11 @@ server: # Needs to be enabled for munin plugin extended-statistics: yes + # Inhibits selected extended statistics (qtype, qclass, qopcode, rcode, + # rpz-actions) from printing if their value is 0. + # Default on. + # statistics-inhibit-zero: yes + # number of threads to create. 1 disables threading. num-threads: 4 
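Review bot: `%{_sharedstatedir}/%{name}/root.key` is now a plain (non-`%config`) packaged symlink with `%verify(not ...)`, which means rpm puts the symlink back on every upgrade of unbound-libs, discarding the anchor file unbound-anchor has maintained since the previous install until the timer next fires; if the static `dnssec-root.key` is stale at that point (e.g. after a KSK rollover), validation fails in between. Whether this is intended is not stated; if not, `%config(noreplace)` or `%ghost` on that entry (with the symlink created in a scriptlet) would preserve the maintained file. The dropped `%attr(0644,unbound,unbound)` also leaves the packaged symlink root-owned, so the replacement relies on unbound-anchor writing a new file into the unbound-owned directory rather than opening the link target — TODO confirm this matches how unbound-anchor writes the key.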
@@ -152,7 +157,7 @@ server: # ip-dscp: 0 # EDNS reassembly buffer to advertise to UDP peers (the actual buffer - # is set with msg-buffer-size). 1472 can solve fragmentation (timeouts) + # is set with msg-buffer-size). # edns-buffer-size: 1232 # Maximum UDP response size (not applied to TCP response). @@ -193,6 +198,15 @@ server: # a throwaway response (also timeouts) is received. # outbound-msg-retry: 5 + # Hard limit on the number of outgoing queries Unbound will make while + # resolving a name, making sure large NS sets do not loop. + # It resets on query restarts (e.g., CNAME) and referrals. + # max-sent-count: 32 + + # Hard limit on the number of times Unbound is allowed to restart a + # query upon encountering a CNAME record. + # max-query-restarts: 11 + # msec for waiting for an unknown server to reply. Increase if you # are behind a slow satellite link, to eg. 1128. # unknown-server-time-limit: 376 @@ -238,7 +252,8 @@ server: # the maximum number of hosts that are cached (roundtrip, EDNS, lame). # infra-cache-numhosts: 10000 - # define a number of tags here, use with local-zone, access-control. + # define a number of tags here, use with local-zone, access-control, + # interface-*. # repeat the define-tag statement to add additional tags. # define-tag: "tag1 tag2 tag3" @@ -281,7 +296,9 @@ server: # Timeout for EDNS TCP keepalive, in msec. # edns-tcp-keepalive-timeout: 120000 - # Fedora note: do not activate this - can cause a crash + # Fedora note: do not activate this - not compiled in because + # it causes frequent unbound crashes. Also, socket activation + # is bad when you have things like dnsmasq also running with libvirt. # Use systemd socket activation for UDP, TCP, and control sockets. # use-systemd: no 
@@ -297,9 +314,7 @@ server: # allow_snoop (recursive and nonrecursive ok) # deny_non_local (drop queries unless can be answered from local-data) # refuse_non_local (like deny_non_local but polite error reply). - # access-control: 0.0.0.0/0 refuse # access-control: 127.0.0.0/8 allow - # access-control: ::0/0 refuse # access-control: ::1 allow # access-control: ::ffff:127.0.0.1 allow @@ -595,6 +610,8 @@ server: # most modules have to be listed at the beginning of the line, # except cachedb(just before iterator), and python (at the beginning, # or, just before the iterator). + # For redis cachedb use: + # "ipsecmod validator cachedb iterator" module-config: "ipsecmod validator iterator" # File with trusted keys, kept uptodate using RFC5011 probes, @@ -602,7 +619,8 @@ server: # Use several entries, one per domain name, to track multiple zones. # # If you want to perform DNSSEC validation, run unbound-anchor before - # you start Unbound (i.e. in the system boot scripts). And enable: + # you start Unbound (i.e. in the system boot scripts). + # And then enable the auto-trust-anchor-file config item. # Please note usage of unbound-anchor root anchor is at your own risk # and under the terms of our LICENSE (see that file in the source). # auto-trust-anchor-file: "/var/lib/unbound/root.key" diff --git a/unbound.spec b/unbound.spec index 94f4cf3..c2cab90 100644 --- a/unbound.spec +++ b/unbound.spec @@ -4,6 +4,7 @@ %bcond_without dnstap %bcond_with systemd %bcond_without doh +%bcond_with redis %global _hardened_build 1 @@ -29,8 +30,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.17.0 -Release: 2%{?extra_version:.%{extra_version}}%{?dist} +Version: 1.17.1 +Release: 1%{?extra_version:.%{extra_version}}%{?dist} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz 
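Review bot: Removing the commented `access-control: 0.0.0.0/0 refuse` and `::0/0 refuse` lines leaves only `allow` examples, so a reader no longer sees that everything outside the listed netblocks is refused. Unbound's default for unlisted clients is refuse, but since this file is what administrators copy from, one line above the examples would keep that information: `# Netblocks not listed below are refused by default.` The `server:` section starts outside the hunk.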
@@ -78,6 +79,9 @@ BuildRequires: systemd-devel %if %{with doh} BuildRequires: libnghttp2-devel %endif +%if %{with redis} +BuildRequires: redis-devel +%endif %if 0%{?fedora} >= 30 || 0%{?rhel} >= 9 BuildRequires: systemd-rpm-macros %else @@ -225,7 +229,8 @@ cp -a %{dir_primary} %{dir_secondary} --with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\ --enable-sha2 --disable-gost --enable-ecdsa \\\ --with-rootkey-file=%{_sharedstatedir}/unbound/root.key \\\ - --enable-linux-ip-local-port-range + --enable-linux-ip-local-port-range \\\ + pushd %{dir_primary} @@ -244,6 +249,10 @@ pushd %{dir_primary} %endif %if 0%{?rhel} --disable-sha1 \ +%endif +%if %{with redis} + --with-libhiredis \ + --enable-cachedb \ %endif %{configure_args} @@ -481,6 +490,10 @@ popd %{_mandir}/man1/unbound-* %changelog +* Fri Jan 13 2023 Paul Wouters - 1.17.0-2 - Move unbound user creation to libs (#2149036) - Use systemd-sysusers for user creation (#2105416) From ff081b069fe0a7473ec929a0c385c8bbbab94bfe Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Fri, 13 Jan 2023 19:21:58 -0500 Subject: [PATCH 057/139] update sources --- sources | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sources b/sources index 691909a..d6e9a7b 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (unbound-1.17.0.tar.gz) = f6b9f279330fb19b5feca09524959940aad8c4e064528aa82b369c726d77e9e8e5ca23f366f6e9edcf2c061b96f482ed7a2c26ac70fc15ae5762b3d7e36a5284 -SHA512 (unbound-1.17.0.tar.gz.asc) = e1567f088bdf0a96dbdcf365deccb72f42319b9b29510d5d9aefbe66df054446d3dcdfcc54826046af6e4f751aa518798b968685611b1b7f1860f66a96e32a57 +SHA512 (unbound-1.17.1.tar.gz) = 10dd4c3aff77f1c0d19eb3c66956ed6ef1aae19e827d0b3259dc75d9de28dedd41862982a299e67ee07e17fb52058b4beee9d4b1d3bb0a3f633b9ba5b864d168 +SHA512 (unbound-1.17.1.tar.gz.asc) = d663c2ebf9ba4420eb6cd351378d646ac4c9e88bd69913dc1c862a326e98329496a901c86b857f2c157c0401a289ff91e5ac83911477cb9894156c6d959b2b80 
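Review bot: `BuildRequires: redis-devel` is the wrong package for the `--with-libhiredis` configure option added in this commit; the C client headers ship in `hiredis-devel`, which is what a later commit on this page changes it to. Because `%bcond_with redis` is off by default the breakage is latent, but the line should read `BuildRequires: hiredis-devel` from the start.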
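Review bot: The `configure_args` hunk ends the macro with `--enable-linux-ip-local-port-range \\\` followed by an empty added line, so the last expanded line of the macro is a bare backslash continuation. It appears to work only because `%{configure_args}` is the final token of the configure invocation; either drop the trailing `\\\` or add a comment such as `# trailing continuation: %{configure_args} must stay the last argument of ./configure`. The `%global configure_args` definition starts outside the hunk.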
From 49e721cb96e5058845e162504d9ebb3eb15ce11f Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Fri, 13 Jan 2023 19:22:06 -0500 Subject: [PATCH 058/139] clarify gpgverify a bit to make it look less magical --- .gitignore | 2 ++ unbound.spec | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 3c64874..44cbc77 100644 --- a/.gitignore +++ b/.gitignore @@ -77,3 +77,5 @@ unbound-1.4.5.tar.gz /unbound-1.16.3.tar.gz.asc /unbound-1.17.0.tar.gz /unbound-1.17.0.tar.gz.asc +/unbound-1.17.1.tar.gz +/unbound-1.17.1.tar.gz.asc diff --git a/unbound.spec b/unbound.spec index c2cab90..bfd27f5 100644 --- a/unbound.spec +++ b/unbound.spec @@ -185,7 +185,7 @@ Python 3 modules and extensions for unbound %prep %if 0%{?fedora} -%gpgverify -k 19 -s 18 -d 0 +%{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}' %endif %global pkgname %{name}-%{version}%{?extra_version} From 0f8f31408c23d19792e67ec148727689aabacfc8 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 21 Jan 2023 05:47:20 +0000 Subject: [PATCH 059/139] Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- unbound.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index bfd27f5..d84d54d 100644 --- a/unbound.spec +++ b/unbound.spec @@ -31,7 +31,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.17.1 -Release: 1%{?extra_version:.%{extra_version}}%{?dist} +Release: 2%{?extra_version:.%{extra_version}}%{?dist} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz 
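Review bot: The rewritten `%{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}'` call is clearer, but it stays inside `%if 0%{?fedora}`, so RHEL/ELN builds still skip tarball signature verification and rely only on the SHA-512 in `sources`. If the gate exists for a reason this patch does not show (a missing macro or an unusable key on those branches), a comment on the `%if` would stop the next reader from treating it as an oversight, e.g. `# TODO: state why signature verification is Fedora-only`.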
@@ -490,6 +490,9 @@ popd %{_mandir}/man1/unbound-* %changelog +* Sat Jan 21 2023 Fedora Release Engineering - 1.17.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + * Fri Jan 13 2023 Paul Wouters Date: Fri, 7 Apr 2023 02:48:56 +0000 Subject: [PATCH 060/139] fix building with redis --- unbound.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index d84d54d..27967bf 100644 --- a/unbound.spec +++ b/unbound.spec @@ -80,7 +80,7 @@ BuildRequires: systemd-devel BuildRequires: libnghttp2-devel %endif %if %{with redis} -BuildRequires: redis-devel +BuildRequires: hiredis-devel %endif %if 0%{?fedora} >= 30 || 0%{?rhel} >= 9 BuildRequires: systemd-rpm-macros From 2572eb13e5c53efd4f2f197797d5ee0dab6557dc Mon Sep 17 00:00:00 2001 From: Python Maint Date: Tue, 13 Jun 2023 20:56:32 +0200 Subject: [PATCH 061/139] Rebuilt for Python 3.12 --- unbound.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index 27967bf..f32b636 100644 --- a/unbound.spec +++ b/unbound.spec @@ -31,7 +31,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.17.1 -Release: 2%{?extra_version:.%{extra_version}}%{?dist} +Release: 3%{?extra_version:.%{extra_version}}%{?dist} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -490,6 +490,9 @@ popd %{_mandir}/man1/unbound-* %changelog +* Tue Jun 13 2023 Python Maint - 1.17.1-3 +- Rebuilt for Python 3.12 + * Sat Jan 21 2023 Fedora Release Engineering - 1.17.1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild From 6fcb60a14dcaac2f5004ce1fdb7972b1071be575 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 22 Jul 2023 17:05:22 +0000 Subject: [PATCH 062/139] Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild 
Signed-off-by: Fedora Release Engineering --- unbound.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index f32b636..b25ef89 100644 --- a/unbound.spec +++ b/unbound.spec @@ -31,7 +31,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.17.1 -Release: 3%{?extra_version:.%{extra_version}}%{?dist} +Release: 4%{?extra_version:.%{extra_version}}%{?dist} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -490,6 +490,9 @@ popd %{_mandir}/man1/unbound-* %changelog +* Sat Jul 22 2023 Fedora Release Engineering - 1.17.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + * Tue Jun 13 2023 Python Maint - 1.17.1-3 - Rebuilt for Python 3.12 From 249e1d560180e55a1700e68f33bee18c78f52308 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Fri, 1 Sep 2023 10:50:36 +0200 Subject: [PATCH 063/139] Update to 1.18.0 https://nlnetlabs.nl/projects/unbound/download/#unbound-1-18-0 - NAT64 support - Downstream DNS cookies - EDE caching - Set max-udp-size default to 1232 Resolves: rhbz#2236097 --- .gitignore | 2 ++ sources | 4 ++-- unbound.conf | 32 ++++++++++++++++++++++++++++---- unbound.spec | 7 +++++-- 4 files changed, 37 insertions(+), 8 deletions(-) diff --git a/.gitignore b/.gitignore index 44cbc77..7b0a36a 100644 --- a/.gitignore +++ b/.gitignore @@ -79,3 +79,5 @@ unbound-1.4.5.tar.gz /unbound-1.17.0.tar.gz.asc /unbound-1.17.1.tar.gz /unbound-1.17.1.tar.gz.asc +/unbound-1.18.0.tar.gz +/unbound-1.18.0.tar.gz.asc diff --git a/sources b/sources index d6e9a7b..558d84a 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (unbound-1.17.1.tar.gz) = 10dd4c3aff77f1c0d19eb3c66956ed6ef1aae19e827d0b3259dc75d9de28dedd41862982a299e67ee07e17fb52058b4beee9d4b1d3bb0a3f633b9ba5b864d168 -SHA512 (unbound-1.17.1.tar.gz.asc) = d663c2ebf9ba4420eb6cd351378d646ac4c9e88bd69913dc1c862a326e98329496a901c86b857f2c157c0401a289ff91e5ac83911477cb9894156c6d959b2b80 +SHA512 (unbound-1.18.0.tar.gz) = 24ca6bfe0ed493eb6aaa5cb1b2b108076ce97c48de7470adf596d1154254351e382b83aae33fcd8d4fa64847e359613e00c979b6f3ba7671215b2d0fd2b03b14 +SHA512 (unbound-1.18.0.tar.gz.asc) = 222ff184d952b9ee8ce81e1f3384d1640ff4695ca60b7d5f946dc24489d583618fc0f4e3c169514b699c684766fdb352f47ca29853223fbae70a65fd994d4fd2 diff --git a/unbound.conf b/unbound.conf index 54c4d7b..b038b4a 100644 --- a/unbound.conf +++ b/unbound.conf @@ -161,10 +161,8 @@ server: # edns-buffer-size: 1232 # Maximum UDP response size (not applied to TCP response). - # Suggested values are 512 to 4096. Default is 4096. 65536 disables it. - # 3072 causes +dnssec any isc.org queries to need TC=1. - # Helps mitigating DDOS - max-udp-size: 3072 + # Suggested values are 512 to 4096. Default is 1232. 65536 disables it. + # max-udp-size: 1232 # max memory to use for stream(tcp and tls) waiting result buffers. # stream-wait-size: 4m 
@@ -263,6 +261,18 @@ server: # Enable IPv6, "yes" or "no". # do-ip6: yes + # If running unbound on an IPv6-only host, domains that only have + # IPv4 servers would become unresolveable. If NAT64 is available in + # the network, unbound can use NAT64 to reach these servers with + # the following option. This is NOT needed for enabling DNS64 on a + # system that has IPv4 connectivity. + # Consider also enabling prefer-ip6 to prefer native IPv6 connections + # to nameservers. + # do-nat64: no + + # NAT64 prefix. Defaults to using dns64-prefix value. + # nat64-prefix: 64:ff9b::0/96 + # Enable UDP, "yes" or "no". # NOTE: if setting up an Unbound on tls443 for public use, you might want to # disable UDP to avoid being used in DNS amplification attacks. @@ -296,6 +306,10 @@ server: # Timeout for EDNS TCP keepalive, in msec. # edns-tcp-keepalive-timeout: 120000 + # UDP queries that have waited in the socket buffer for a long time + # can be dropped. Default is 0, disabled. In seconds, such as 3. + # sock-queue-timeout: 0 + # Fedora note: do not activate this - not compiled in because # it causes frequent unbound crashes. Also, socket activation # is bad when you have things like dnsmasq also running with libvirt. @@ -529,6 +543,10 @@ server: # to validate the zone. # harden-algo-downgrade: no + # Harden against unknown records in the authority section and the + # additional section. + # harden-unknown-additional: no + # Sent minimum amount of information to upstream servers to enhance # privacy. Only sent minimum required labels of the QNAME and set QTYPE # to A when possible. 
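Review bot: Typo in the new `do-nat64` comment: `unresolveable` should be `unresolvable`, i.e. `# IPv4 servers would become unresolvable. If NAT64 is available in`. The `server:` section this sits in starts outside the hunk.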
@@ -842,6 +860,8 @@ server: # o always_transparent, always_refuse, always_nxdomain, always_nodata, # always_deny resolve in that way but ignore local data for # that name + # o block_a resolves all records normally but returns + # NODATA for A queries and ignores local data for that name # o always_null returns 0.0.0.0 or ::0 for any name in the zone. # o noview breaks out of that view towards global local-zones. # @@ -1265,6 +1285,10 @@ auth-zone: # redis-server-host: 127.0.0.1 # # redis server's TCP port # redis-server-port: 6379 +# # if the server uses a unix socket, set its path, or "" when not used. +# # redis-server-path: "/var/lib/redis/redis-server.sock" +# # if the server uses an AUTH password, specify here, or "" when not used. +# # redis-server-password: "" # # timeout (in ms) for communication with the redis server # redis-timeout: 100 # # set timeout on redis records based on DNS response TTL diff --git a/unbound.spec b/unbound.spec index b25ef89..7b37a97 100644 --- a/unbound.spec +++ b/unbound.spec @@ -30,8 +30,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.17.1 -Release: 4%{?extra_version:.%{extra_version}}%{?dist} +Version: 1.18.0 +Release: 1%{?extra_version:.%{extra_version}}%{?dist} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -490,6 +490,9 @@ popd %{_mandir}/man1/unbound-* %changelog +* Fri Sep 01 2023 Petr Menšík - 1.18.0-1 +- Update to 1.18.0 (#2236097) + * Sat Jul 22 2023 Fedora Release Engineering - 1.17.1-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild From 940496db6d39ee6a259bf2b3eedccc110b54d186 Mon Sep 17 00:00:00 2001 
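Review bot: The new `redis-server-password` example puts a credential into unbound.conf without a word about file permissions; if the config this package installs under `/etc/unbound` is world-readable (its install mode is outside this hunk), a password set here is visible to every local user. A caveat next to the example would help: `# keep a real password in a root-only file pulled in with include:, not in a world-readable unbound.conf`. The cachedb block this belongs to starts outside the hunk.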
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Wed, 6 Sep 2023 13:31:59 +0200 Subject: [PATCH 064/139] Skip failing tests on ELN builds Some tests are failing, caused by SHA-1 disabled on openssl in those branches. Skip those tests only on RHEL branches, where this should be a problem. Related: https://github.com/NLnetLabs/unbound/pull/770 --- unbound.spec | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/unbound.spec b/unbound.spec index 7b37a97..b7dfd45 100644 --- a/unbound.spec +++ b/unbound.spec @@ -31,7 +31,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.18.0 -Release: 1%{?extra_version:.%{extra_version}}%{?dist} +Release: 2%{?extra_version:.%{extra_version}}%{?dist} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -56,6 +56,7 @@ Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_vers Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key Source20: unbound.sysusers +#Patch1: BuildRequires: gcc, make BuildRequires: flex, openssl-devel @@ -202,13 +203,22 @@ Python 3 modules and extensions for unbound pushd %{pkgname} # patches go here -%autopatch -p1 +%autopatch -p2 # only for snapshots # autoreconf -iv # copy common doc files - after here, since it may be patched cp -pr doc pythonmod libunbound ../ + +%if 0%{?rhel} > 8 + # SHA-1 breaks some tests. Disable just some tests because of that. + # This got broken in ELN + ls testdata/*.rpl + for TEST in autotrust_init_fail autotrust_init_failsig; do + mv testdata/${TEST}.rpl{,-disabled} + done +%endif popd %if 0%{with_python2} && 0%{with_python3} @@ -490,6 +500,9 @@ popd %{_mandir}/man1/unbound-* %changelog +* Wed Sep 06 2023 Petr Menšík - 1.18.0-2 +- Skip failing tests on ELN builds + * Fri Sep 01 2023 Petr Menšík - 1.18.0-1 - Update to 1.18.0 (#2236097) 
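Review bot: The ELN test-skip block in `%prep` leaves a stray `ls testdata/*.rpl` that only adds noise to the build log, and its condition `0%{?rhel} > 8` does not match the `0%{?rhel}` gate on `--disable-sha1` elsewhere in the spec, so a RHEL 8 build with SHA-1 disabled would still run the two failing tests. Dropping the `ls` and using one condition for both places (or a single `%global` for it) keeps them in sync. The same hunk also changes `%autopatch -p1` to `-p2` while the only patch line (`#Patch1:`) is commented out; this is unrelated to the subject and, since the strip level is global, deserves its own commit or at least a comment naming the patch that needs `-p2`.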
From 997299863e6d3219c01fd9edb1eab88d3a5a93dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 26 Sep 2023 20:30:20 +0200 Subject: [PATCH 065/139] Correct dependencies on creating the unbound user Move correct requirements in the package to libs subpackage, which creates the user. --- unbound.spec | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/unbound.spec b/unbound.spec index b7dfd45..7f97e5d 100644 --- a/unbound.spec +++ b/unbound.spec @@ -98,7 +98,6 @@ Requires: %{name}-anchor%{?_isa} = %{version}-%{release} Recommends: %{name}-utils%{?_isa} = %{version}-%{release} # unbound-keygen.service requires it, bug #2116790 Requires: openssl -Requires(pre): systemd-sysusers %description Unbound is a validating, recursive, and caching DNS(SEC) resolver. @@ -133,6 +132,7 @@ The devel package contains the unbound library and the include files %package libs Summary: Libraries used by the unbound server and client applications Recommends: %{name}-anchor +%{?sysusers_requires_compat} %if ! 0%{with_python2} # Make explicit conflict with no longer provided python package Obsoletes: python2-unbound < 1.9.3 @@ -142,7 +142,6 @@ Obsoletes: python2-unbound < 1.9.3 Contains libraries used by the unbound server and client applications. %package anchor -Requires(pre): shadow-utils Requires: %{name}-libs%{?_isa} = %{version}-%{release} Summary: DNSSEC trust anchor maintaining tool From 218f551c2490d49fc5ce06cb04c0ac6b814e5cef Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Wed, 11 Oct 2023 16:55:31 -0400 Subject: [PATCH 066/139] Fix for resolving outlook.com via forwarders - See https://github.com/NLnetLabs/unbound/issues/946 - Use autochangelog macro --- unbound-1.18-outlook.patch | 228 +++++++++ unbound.spec | 922 +------------------------------------ 2 files changed, 233 insertions(+), 917 deletions(-) create mode 100644 unbound-1.18-outlook.patch 
diff --git a/unbound-1.18-outlook.patch b/unbound-1.18-outlook.patch new file mode 100644 index 0000000..6689bbc --- /dev/null +++ b/unbound-1.18-outlook.patch 
@@ -0,0 +1,228 @@ +diff --git a/Makefile.in b/Makefile.in +index 627a650f6..22fb75c12 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -793,7 +793,7 @@ iter_priv.lo iter_priv.o: $(srcdir)/iterator/iter_priv.c config.h $(srcdir)/iter + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/sbuffer.h + iter_resptype.lo iter_resptype.o: $(srcdir)/iterator/iter_resptype.c config.h \ +- $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h \ ++ $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iterator.h $(srcdir)/util/log.h \ + $(srcdir)/services/cache/dns.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/data/dname.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h +diff --git a/iterator/iter_resptype.c b/iterator/iter_resptype.c +index e85595b84..38e186e79 100644 +--- a/iterator/iter_resptype.c ++++ b/iterator/iter_resptype.c +@@ -42,6 +42,7 @@ + #include "config.h" + #include "iterator/iter_resptype.h" + #include "iterator/iter_delegpt.h" ++#include "iterator/iterator.h" + #include "services/cache/dns.h" + #include "util/net_help.h" + #include "util/data/dname.h" +@@ -105,7 +106,8 @@ response_type_from_cache(struct dns_msg* msg, + + enum response_type + response_type_from_server(int rdset, +- struct dns_msg* msg, struct query_info* request, struct delegpt* dp) ++ struct dns_msg* msg, struct query_info* request, struct delegpt* dp, ++ int* empty_nodata_found) + { + uint8_t* origzone = (uint8_t*)"\000"; /* the default */ + struct ub_packed_rrset_key* s; +@@ -284,13 +286,22 @@ response_type_from_server(int rdset, + + /* If we've gotten this far, this is NOERROR/NODATA (which could + * be an entirely empty message) */ +- /* but ignore entirely 
empty messages, noerror/nodata has a soa +- * negative ttl value in the authority section, this makes it try +- * again at another authority. And turns it from a 5 second empty +- * message into a 5 second servfail response. */ ++ /* For entirely empty messages, try again, at first, then accept ++ * it it happens more. A regular noerror/nodata response has a soa ++ * negative ttl value in the authority section. This makes it try ++ * again at another authority. And decides between storing a 5 second ++ * empty message or a 5 second servfail response. */ + if(msg->rep->an_numrrsets == 0 && msg->rep->ns_numrrsets == 0 && +- msg->rep->ar_numrrsets == 0) +- return RESPONSE_TYPE_THROWAWAY; ++ msg->rep->ar_numrrsets == 0) { ++ if(empty_nodata_found) { ++ /* detect as throwaway at first, but accept later. */ ++ (*empty_nodata_found)++; ++ if(*empty_nodata_found < EMPTY_NODATA_RETRY_COUNT) ++ return RESPONSE_TYPE_THROWAWAY; ++ return RESPONSE_TYPE_ANSWER; ++ } ++ return RESPONSE_TYPE_ANSWER; ++ } + /* check if recursive answer; saying it has empty cache */ + if( (msg->rep->flags&BIT_RA) && !(msg->rep->flags&BIT_AA) && !rdset) + return RESPONSE_TYPE_REC_LAME; +diff --git a/iterator/iter_resptype.h b/iterator/iter_resptype.h +index fee9ef35f..bfd4b664f 100644 +--- a/iterator/iter_resptype.h ++++ b/iterator/iter_resptype.h +@@ -119,9 +119,11 @@ enum response_type response_type_from_cache(struct dns_msg* msg, + * @param request: the request that generated the response. + * @param dp: The delegation point that was being queried + * when the response was returned. ++ * @param empty_nodata_found: flag to keep track of empty nodata detection. + * @return the response type (CNAME or ANSWER). 
+ */ + enum response_type response_type_from_server(int rdset, +- struct dns_msg* msg, struct query_info* request, struct delegpt* dp); ++ struct dns_msg* msg, struct query_info* request, struct delegpt* dp, ++ int* empty_nodata_found); + + #endif /* ITERATOR_ITER_RESPTYPE_H */ +diff --git a/iterator/iterator.c b/iterator/iterator.c +index 9f78aa17d..106e2877e 100644 +--- a/iterator/iterator.c ++++ b/iterator/iterator.c +@@ -2940,7 +2940,7 @@ static int + processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, + struct iter_env* ie, int id) + { +- int dnsseclame = 0, origtypecname = 0; ++ int dnsseclame = 0, origtypecname = 0, orig_empty_nodata_found; + enum response_type type; + + iq->num_current_queries--; +@@ -2960,12 +2960,25 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, + return next_state(iq, QUERYTARGETS_STATE); + } + iq->timeout_count = 0; ++ orig_empty_nodata_found = iq->empty_nodata_found; + type = response_type_from_server( + (int)((iq->chase_flags&BIT_RD) || iq->chase_to_rd), +- iq->response, &iq->qinfo_out, iq->dp); ++ iq->response, &iq->qinfo_out, iq->dp, &iq->empty_nodata_found); + iq->chase_to_rd = 0; + /* remove TC flag, if this is erroneously set by TCP upstream */ + iq->response->rep->flags &= ~BIT_TC; ++ if(orig_empty_nodata_found != iq->empty_nodata_found && ++ iq->empty_nodata_found < EMPTY_NODATA_RETRY_COUNT) { ++ /* try to search at another server */ ++ if(qstate->reply) { ++ struct delegpt_addr* a = delegpt_find_addr( ++ iq->dp, &qstate->reply->remote_addr, ++ qstate->reply->remote_addrlen); ++ /* make selection disprefer it */ ++ if(a) a->lame = 1; ++ } ++ return next_state(iq, QUERYTARGETS_STATE); ++ } + if(type == RESPONSE_TYPE_REFERRAL && (iq->chase_flags&BIT_RD) && + !iq->auth_zone_response) { + /* When forwarding (RD bit is set), we handle referrals +@@ -3501,7 +3514,7 @@ processPrimeResponse(struct module_qstate* qstate, int id) + iq->response->rep->flags &= ~(BIT_RD|BIT_RA); /* 
ignore rec-lame */ + type = response_type_from_server( + (int)((iq->chase_flags&BIT_RD) || iq->chase_to_rd), +- iq->response, &iq->qchase, iq->dp); ++ iq->response, &iq->qchase, iq->dp, NULL); + if(type == RESPONSE_TYPE_ANSWER) { + qstate->return_rcode = LDNS_RCODE_NOERROR; + qstate->return_msg = iq->response; +diff --git a/iterator/iterator.h b/iterator/iterator.h +index fad7f03e6..e253f3f7e 100644 +--- a/iterator/iterator.h ++++ b/iterator/iterator.h +@@ -101,6 +101,8 @@ extern int BLACKLIST_PENALTY; + * Chosen so that the UNKNOWN_SERVER_NICENESS falls within the band of a + * fast server, this causes server exploration as a side benefit. msec. */ + #define RTT_BAND 400 ++/** Number of retries for empty nodata packets before it is accepted. */ ++#define EMPTY_NODATA_RETRY_COUNT 2 + + /** + * Global state for the iterator. +@@ -415,6 +417,11 @@ struct iter_qstate { + */ + int refetch_glue; + ++ /** ++ * This flag detects that a completely empty nodata was received, ++ * already so that it is accepted later. */ ++ int empty_nodata_found; ++ + /** list of pending queries to authoritative servers. */ + struct outbound_list outlist; + +diff --git a/testdata/iter_ignore_empty.rpl b/testdata/iter_ignore_empty.rpl +index c70dd7e8d..4b2f695b8 100644 +--- a/testdata/iter_ignore_empty.rpl ++++ b/testdata/iter_ignore_empty.rpl +@@ -78,6 +78,18 @@ example2.com. IN NS ns2.example2.com. + SECTION ADDITIONAL + ns2.example2.com. IN A 1.2.3.5 + ENTRY_END ++ ++ENTRY_BEGIN ++MATCH opcode subdomain ++ADJUST copy_id copy_query ++REPLY QR NOERROR ++SECTION QUESTION ++foo.com. IN NS ++SECTION AUTHORITY ++foo.com. IN NS ns.foo.com. ++SECTION ADDITIONAL ++ns.foo.com. IN A 1.2.3.5 ++ENTRY_END + RANGE_END + + ; ns.example.com. +@@ -172,6 +184,27 @@ www.example.com. IN A + SECTION ANSWER + www.example.com. IN A 10.20.30.40 + ENTRY_END ++ ++; foo.com ++ENTRY_BEGIN ++MATCH opcode qtype qname ++ADJUST copy_id ++REPLY QR AA NOERROR ++SECTION QUESTION ++www.foo.com. 
IN A ++SECTION ANSWER ++ENTRY_END ++ ++ENTRY_BEGIN ++MATCH opcode qtype qname ++ADJUST copy_id ++REPLY QR AA NOERROR ++SECTION QUESTION ++ns.foo.com. IN AAAA ++SECTION ANSWER ++SECTION AUTHORITY ++;foo.com. IN SOA ns2.foo.com root.foo.com 4 14400 3600 604800 3600 ++ENTRY_END + RANGE_END + + STEP 1 QUERY +@@ -195,4 +228,21 @@ ENTRY_END + ; wait for pending nameserver lookups. + STEP 20 TRAFFIC + ++; Test that a nodata stays a nodata. ++STEP 30 QUERY ++ENTRY_BEGIN ++REPLY RD ++SECTION QUESTION ++www.foo.com. IN A ++ENTRY_END ++ ++STEP 40 CHECK_ANSWER ++ENTRY_BEGIN ++MATCH all ++REPLY QR RD RA NOERROR ++SECTION QUESTION ++www.foo.com. IN A ++SECTION ANSWER ++ENTRY_END ++ + SCENARIO_END diff --git a/unbound.spec b/unbound.spec index 7f97e5d..ba98372 100644 --- a/unbound.spec +++ b/unbound.spec @@ -31,7 +31,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.18.0 -Release: 2%{?extra_version:.%{extra_version}}%{?dist} +Release: 3%{?extra_version:.%{extra_version}}%{?dist} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -56,7 +56,8 @@ Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_vers Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key Source20: unbound.sysusers -#Patch1: +# https://github.com/NLnetLabs/unbound/issues/946 +Patch1: unbound-1.18-outlook.patch BuildRequires: gcc, make BuildRequires: flex, openssl-devel @@ -202,7 +203,7 @@ Python 3 modules and extensions for unbound pushd %{pkgname} # patches go here -%autopatch -p2 +%autopatch -p1 # only for snapshots # autoreconf -iv 
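Review bot: In `response_type_from_server` the new block returns `RESPONSE_TYPE_ANSWER` for an entirely empty NOERROR message whenever `empty_nodata_found` is NULL, and `processPrimeResponse` now passes `NULL`, so a completely empty priming response is classified as an answer on its first occurrence (the prime then reports `LDNS_RCODE_NOERROR` with that empty message) where the removed line returned `RESPONSE_TYPE_THROWAWAY` unconditionally. If that is intended for priming, the comment above the block should say so; if not, `if(!empty_nodata_found) return RESPONSE_TYPE_THROWAWAY;` as the first statement of the block keeps the old behaviour for callers that do not track the counter. The added `iter_ignore_empty.rpl` entries only exercise the `processQueryResponse` path (`www.foo.com` through `EMPTY_NODATA_RETRY_COUNT`), so the NULL path is untested by this patch. The new comment also reads `then accept it it happens more`, presumably `if it happens more`; as this is a backport, such fixes are best carried upstream rather than diverging locally.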
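Review bot: The `Patch1:` comment names only the upstream issue URL, yet `unbound-1.18-outlook.patch` is clearly an export of upstream commits (its hunks carry upstream blob ids such as `index e85595b84..38e186e79`); recording the commit it was taken from, e.g. `# Backport of upstream commit <UPSTREAM-COMMIT-ID>, https://github.com/NLnetLabs/unbound/issues/946`, lets the next rebase confirm the fix has landed and drop the file. The `%autopatch -p2` to `-p1` change in the later hunk is a global strip level: it matches the `a/`/`b/` prefixed paths in the new file, but any patch added later must be generated at the same depth or applied individually with its own `-p` level.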
@@ -499,917 +500,4 @@ popd %{_mandir}/man1/unbound-* %changelog -* Wed Sep 06 2023 Petr Menšík - 1.18.0-2 -- Skip failing tests on ELN builds - -* Fri Sep 01 2023 Petr Menšík - 1.18.0-1 -- Update to 1.18.0 (#2236097) - -* Sat Jul 22 2023 Fedora Release Engineering - 1.17.1-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild - -* Tue Jun 13 2023 Python Maint - 1.17.1-3 -- Rebuilt for Python 3.12 - -* Sat Jan 21 2023 Fedora Release Engineering - 1.17.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild - -* Fri Jan 13 2023 Paul Wouters - 1.17.0-2 -- Move unbound user creation to libs (#2149036) -- Use systemd-sysusers for user creation (#2105416) -- Keep original DNSSEC root key as config (#2132103) - -* Tue Nov 01 2022 Petr Menšík - 1.17.0-1 -- Update to 1.17.0 (#2134348) - -* Wed Oct 05 2022 Petr Menšík - 1.16.3-3 -- Correct issues made by unbound-anchor package split (#2110858) - -* Fri Sep 30 2022 Petr Menšík - 1.16.3-2 -- Update License tag to SPDX identifier - -* Fri Sep 23 2022 Petr Menšík - 1.16.3-1 -- Update to 1.16.3 (#2128638) - -* Tue Aug 09 2022 Paul Wouters - 1.16.2-3 -- sync up to upstream unbound.conf -- Enable Extended DNS Error codes (RFC8914) - -* Tue Aug 09 2022 Petr Menšík - 1.16.2-2 -- Require openssl tool for unbound-keygen (#2116790) - -* Wed Aug 03 2022 Petr Menšík - 1.16.2-1 -- Update to 1.16.2 (#2105947) for CVE-2022-30698 and CVE-2022-30699 - -* Sat Jul 23 2022 Fedora Release Engineering - 1.16.0-7 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild - -* Mon Jun 27 2022 Petr Menšík - 1.16.0-6 -- Move unbound-anchor to separate package -- Move unbound-host and unbound-streamtcp to unbound-utils package - -* Mon Jun 13 2022 Python Maint - 1.16.0-5 -- Rebuilt for Python 3.11 - -* Tue Jun 07 2022 Petr Menšík - 1.16.0-4 -- Restart keygen service before every unbound start - -* Sat Jun 04 2022 Petr Menšík - 1.16.0-1 -- Update to 1.16.0 - -* Tue Apr 26 2022 Petr Menšík - 1.15.0-3 -- Stop 
creating wrong devel manual pages (#2078929) - -* Wed Apr 20 2022 Petr Menšík - 1.15.0-2 -- Update icannbundle.pem - -* Tue Mar 29 2022 Petr Menšík - 1.15.0-1 -- Update to 1.15.0 (#2030608) - -* Sat Jan 22 2022 Fedora Release Engineering - 1.13.2-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - -* Sat Nov 06 2021 Adrian Reber - 1.13.2-4 -- Rebuilt for protobuf 3.19.0 - -* Mon Oct 25 2021 Adrian Reber - 1.13.2-3 -- Rebuilt for protobuf 3.18.1 - -* Tue Sep 14 2021 Sahana Prasad - 1.13.2-2 -- Rebuilt with OpenSSL 3.0.0 - -* Thu Aug 12 2021 Paul Wouters - 1.13.2-1 -- Resolves: rhbz#1992985 unbound-1.13.2 is available -- Use system-wide crypto policies - -* Fri Jul 23 2021 Fedora Release Engineering - 1.13.1-8 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - -* Wed Jun 02 2021 Python Maint - 1.13.1-7 -- Rebuilt for Python 3.10 - -* Fri Apr 23 2021 Artem Egorenkov - 1.13.1-6 -- Option --enable-linux-ip-local-port-range added to use system configured port range for libunbound on Linux -- Resolves: rhbz#1935101 - -* Tue Apr 13 2021 Paul Wouters - 1.13.1-5 -- Fix unbound.service to use After=network-online.target - -* Tue Apr 06 2021 Artem Egorenkov - 1.13.1-4 -- Don't start unbound-anchor before unbound service if DISABLE_UNBOUND_ANCHOR - environment variable equals to "yes" - -* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 1.13.1-3 -- Rebuilt for updated systemd-rpm-macros - See https://pagure.io/fesco/issue/2583. - -* Mon Feb 15 2021 Victor Stinner - 1.13.1-2 -- Fix build on Python 3.10 (rhbz#1889726). 
- -* Wed Feb 10 2021 Paul Wouters - 1.13.1-1 -- Resolves rhbz#1860887 unbound-1.13.1 is available -- Fixup unbound.conf - -* Wed Jan 27 2021 Fedora Release Engineering - 1.13.0-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - -* Thu Dec 10 2020 Petr Menšík - 1.13.0-1 -- Update to 1.13.0 - -* Tue Oct 13 2020 Petr Menšík - 1.12.0-1 -- Update to 1.12.0 (#1860887) - -* Tue Sep 15 2020 Petr Menšík - 1.10.1-5 -- Move command line tools to utils subpackage - -* Wed Jul 29 2020 Fedora Release Engineering - 1.10.1-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Tue Jul 14 2020 Tom Stellard - 1.10.1-3 -- Use make macros -- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro - -* Fri May 22 2020 Miro Hrončok - 1.10.1-2 -- Rebuilt for Python 3.9 - -* Tue May 19 2020 Paul Wouters - 1.10.1-1 -- Resolves: rhbz#1837279 unbound-1.10.1 is available -- Resolves: rhbz#1837598 CVE-2020-12662 unbound: insufficient control of network message volume leads to DoS -- Resolves: rhbz#1837609 CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers -- Updated unbound.conf for new options in 1.10.1 - -* Wed Apr 29 2020 Paul Wouters - 1.10.0-3 -- Resolves: rhbz#1667742 SELinux is preventing unbound from 'name_bind' accesses on the udp_socket port 61000. 
- -* Thu Apr 16 2020 Artem Egorenkov - 1.10.0-2 -- Resolves: rhbz#1824536 unbound crash - -* Thu Mar 19 2020 Petr Menšík - 1.10.0-1 -- Update to 1.10.0 (#1805199) - -* Fri Jan 31 2020 Fedora Release Engineering - 1.9.6-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Fri Dec 13 2019 Paul Wouters - 1.9.6-1 -- Resolves: rhbz#1758107 unbound-1.9.5 is available -- Resolves: CVE-2019-18934 - -* Fri Nov 01 2019 Paul Wouters - 1.9.4-1 -- Fix build on rhel/centos systems -- Resolves: rhbz#1767955 (CVE-2019-16866) uninitialized memory accesses leads to crash via a crafted NOTIFY query - -* Thu Sep 26 2019 Petr Menšík - 1.9.3-2 -- Obsolete no longer provided python2 subpackage (#1749400) - -* Tue Aug 27 2019 Paul Wouters - 1.9.3-1 -- Updated to 1.9.3 -- Resolves: rhbz#1672578 unbound-1.9.2 is available -- Resolves: rhbz#1694831 [/usr/lib/tmpfiles.d/unbound.conf:1] Line references path below legacy directory /var/run/ -- Resolves: rhbz# 1667387 [abrt] unbound: memmove(): unbound killed by SIGABRT - -* Thu Aug 22 2019 Miro Hrončok - 1.8.3-8 -- Subpackage python2-unbound has been removed - See https://fedoraproject.org/wiki/Changes/Mass_Python_2_Package_Removal - -* Thu Aug 15 2019 Miro Hrončok - 1.8.3-7 -- Rebuilt for Python 3.8 - -* Mon Aug 5 2019 Zbigniew Jędrzejewski-Szmek - 1.8.3-6 -- Drop install-time requirements on systemd (#1723777) - -* Sat Jul 27 2019 Fedora Release Engineering - 1.8.3-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - -* Sun Feb 03 2019 Fedora Release Engineering - 1.8.3-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - -* Fri Jan 11 2019 Paul Wouters - 1.8.3-3 -- Remove KSK-2010 from configs - it has been revoked - -* Wed Dec 12 2018 Paul Wouters - 1.8.3-2 -- Another dns64 fixup - -* Wed Dec 12 2018 Paul Wouters - 1.8.3-1 -- Updated to 1.8.3 with fixes the dns64 bug and has some other minor fixes - -* Mon Dec 10 2018 Paul Wouters - 1.8.2-2 -- Fix dns64 allocation in wrong 
region for returned internal queries. - -* Tue Dec 04 2018 Paul Wouters - 1.8.2-1 -- Updated to 1.8.2. -- Enabled deny ANY query support and edns-tcp-keepalive -- Set serve-stale timeout to 4h -- Updated unbound.conf for latest options - -* Mon Oct 22 2018 Petr Menšík - 1.8.1-2 -- Allow group by default to unbound-control (#1640259) - -* Mon Oct 08 2018 Petr Menšík - 1.8.1-1 -- Update to 1.8.1 - -* Mon Oct 01 2018 Petr Menšík - 1.8.0-2 -- Skip ipv6 forwarders without ipv6 support (#1633874) - -* Wed Sep 19 2018 Petr Menšík - 1.8.0-1 -- Rebase to 1.8.0 - -* Tue Aug 14 2018 Paul Wouters - 1.7.3-9 -- Fix for restarting unbound service after deleting key/pem files for remote control - -* Tue Jul 31 2018 Petr Menšík - 1.7.3-8 -- Release memory in unbound-host - -* Mon Jul 23 2018 Petr Menšík - 1.7.3-7 -- Remove unused Group tag - -* Wed Jul 18 2018 Petr Menšík - 1.7.3-6 -- Cleanup generated client and server keys (#1601773) - -* Sat Jul 14 2018 Fedora Release Engineering - 1.7.3-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - -* Mon Jul 09 2018 Petr Menšík - 1.7.3-4 -- Do not call ldconfig if possible - -* Wed Jul 04 2018 Petr Menšík - 1.7.3-3 -- Update trust anchors also behind firewall (#1598078) - -* Mon Jul 02 2018 Miro Hrončok - 1.7.3-2 -- Rebuilt for Python 3.7 - -* Wed Jun 27 2018 Petr Menšík - 1.7.3-1 -- Update to 1.7.3 (#1593708) - -* Wed Jun 27 2018 Petr Menšík - 1.7.2-3 -- Remove last python2 dependency from python3 build - -* Tue Jun 19 2018 Miro Hrončok - 1.7.2-2 -- Rebuilt for Python 3.7 - -* Mon Jun 11 2018 Paul Wouters - 1.7.2-1 -- Resolves rhbz#1589807 unbound-1.7.2 is available -- Add patch to fix stub/forward zone not returning ServFail when TTL expires -- Enabled the new root-key-sentinel option - -* Wed May 30 2018 Petr Menšík - 1.7.1-1 -- Update to 1.7.1 (#1574495) - -* Mon Apr 09 2018 Petr Menšík - 1.7.0-5 -- Require gcc and make on build -- Remove group, simplify systemd requires -- Simplify building with single python 
version, make python3 primary - -* Mon Apr 09 2018 Paul Wouters - 1.7.0-4 -- Patch for prefetching after flushing cache - -* Fri Apr 06 2018 Paul Wouters - 1.7.0-3 -- Patch for referral with auth-zone: response - - -* Wed Mar 21 2018 Paul Wouters - 1.7.0-2 -- Patch for broken Aggressive NSEC + stub-zone configuration causing NXDOMAIN at TTL expiry - -* Thu Mar 15 2018 Paul Wouters - 1.7.0-1 -- Updated to 1.7.0 (aggressive nsec, local root support, bugfixes) - -* Thu Feb 22 2018 Petr Menšík - 1.6.8-6 -- Uncomment again original max-upd-size - -* Wed Feb 21 2018 Petr Menšík - 1.6.8-5 -- Use default RPM build flags and configure parameters (#1539097) - -* Wed Feb 21 2018 Petr Menšík - 1.6.8-4 -- Remove group writable bit from some config files (#1528445) - -* Wed Feb 14 2018 Filipe Rosset - 1.6.8-3 -- rebuilt due new libevent 2.1.8 - -* Fri Feb 09 2018 Igor Gnatenko - 1.6.8-2 -- Escape macros in %%changelog - -* Mon Jan 22 2018 Paul Wouters - 1.6.8-1 -- Resolves rhbz#1483572 unbound-1.6.8 is available -- Resolves rhbz#1507049 CVE-2017-15105 unbound: Improper validation of wildcard synthesized NSEC records -- Resolves rhbz#1536518 CVE-2017-15105 unbound: Improper validation of wildcard synthesized NSEC records [fedora-all] - -* Sun Dec 17 2017 Zbigniew Jędrzejewski-Szmek - 1.6.7-2 -- Python 2 binary package renamed to python2-unbound - See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3 - -* Thu Oct 12 2017 Paul Wouters - 1.6.7-1 -- Updated to 1.6.7 (minor bugfixes) - -* Tue Oct 03 2017 Petr Menšík - 1.6.6-3 -- Update icannbundle.pem - -* Mon Oct 02 2017 Paul Wouters - 1.6.6-2 -- Enable RFC 8145 Trust Anchor Signaling to help the root zone get keytag statistics - -* Fri Sep 22 2017 Paul Wouters - 1.6.6-1 -- Resolves: rhbz#1483572 unbound-1.6.6 is available -- Resolves: rhbz#1465575 unbound fails to start up, complains about missing ipsecmod-hook (edit) - -* Wed Aug 16 2017 Paul Wouters - 1.6.4-4 -- Rebuilt with KSK2017 added to root.key and root.anchor 
-- Remove noreplace for root key files. We can only improve these files over local copies - -* Thu Aug 03 2017 Fedora Release Engineering - 1.6.4-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - -* Thu Jul 27 2017 Fedora Release Engineering - 1.6.4-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild - -* Sun Jul 02 2017 Paul Wouters - 1.6.4-1 -- Updated to 1.6.4 full release, patch to allow missing ipsechook -- Resolves rhbz#1465575 unbound fails to start up, complains about missing ipsecmod-hook - -* Thu Jun 22 2017 Paul Wouters - 1.6.4-0.rc2 -- Update to 1.6.4 (esubnet, ipsecmod support, bugfixes) - -* Tue Jun 13 2017 Paul Wouters - 1.6.3-1 -- Updated to 1.6.3 (fixes assertion failure when receiving malformed packet with 0x20 enabled) - -* Thu Jun 08 2017 Paul Wouters - 1.6.2-2 -- Patch for cmd: unbound-control set_option val-permissive-mode: yes - -* Wed Apr 26 2017 Paul Wouters - 1.6.2-1 -- Update to 1.6.2 (rhbz#1425649) -- Updated unbound.conf with new options - -* Wed Mar 22 2017 Paul Wouters - 1.6.0-6 -- Call make unbound-event-install to install unbound-event.h - -* Sat Feb 11 2017 Fedora Release Engineering - 1.6.0-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - -* Wed Jan 18 2017 Paul Wouters - 1.6.0-4 -- Remove obsoleted DLV key - -* Mon Jan 02 2017 Paul Wouters - 1.6.0-3 -- Actually remove dependency because minimum is always satisfied - -* Mon Jan 02 2017 Paul Wouters - 1.6.0-2 -- Depend on openssl-libs, not opensl - -* Wed Dec 21 2016 Kevin Fenzi - 1.6.0-1 -- Update to 1.6.0 - -* Mon Dec 19 2016 Miro Hrončok - 1.5.10-3 -- Rebuild for Python 3.6 - -* Wed Oct 26 2016 Ilya Evseev - 1.5.10-2 -- Bugfix building without python2 and python3 -- Fixup streamtcp build (Paul) - -* Tue Sep 27 2016 Paul Wouters - 1.5.10-1 -- Updated to 1.5.10 (better TCP handling, bugfixes) -- Install pkgconfig file in -devel package -- Updated unbound.conf - -* Tue Jul 19 2016 Fedora Release Engineering 
- 1.5.9-4 -- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages - -* Thu Jul 07 2016 Paul Wouters - 1.5.9-3 -- Fix upper port range to 60999 because that's what selinux allows - -* Thu Jun 16 2016 Paul Wouters - 1.5.9-2 -- Patch for allowing more queries before failure (needed for query minimalization) - -* Mon Jun 13 2016 Paul Wouters - 1.5.9-1 -- Updated to 1.5.9 - -* Thu Apr 21 2016 Toshio Kuratomi - 1.5.8-2 -- Fix streamtcp to link against libpython3.x instead of libpython2.x - -* Wed Mar 02 2016 Paul Wouters - 1.5.8-1 -- Update to 1.5.8 (rhbz#1313831) which incorporates rhbz#1294339 patch -- Updated unbound.conf with new upstream options -- Enabled ip-transparent: yes (see rhbz#1291449) - -* Fri Feb 05 2016 Fedora Release Engineering - 1.5.7-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - -* Thu Jan 21 2016 Tomas Hozza - 1.5.7-2 -- Fix escaping of shell chars in unbound-control-setup (#1294339) - -* Fri Dec 11 2015 Paul Wouters - 1.5.7-1 -- Update to 1.5.7 -- Enable query minimalization for enhanced DNS query privacy -- Enable nxdomain hardening to assist with query minimalization and SBLs -- Updated default unbound.conf for new features from upstream. 
- -* Fri Nov 13 2015 Tomas Hozza - 1.5.6-1 -- Update to 1.5.6 (#1176729) - -* Wed Nov 04 2015 Robert Kuska - 1.5.5-2 -- Rebuilt for Python3.5 rebuild - -* Wed Oct 07 2015 Tomas Hozza - 1.5.5-1 -- New upstream release 1.5.5 (#1269137) -- Removed the anchor update from %%post section of -libs subpackage (#1269137#c2) - -* Tue Sep 15 2015 Tomas Hozza - 1.5.4-5 -- Removed dependency and ordering on unbound-anchor.service in unbound.service - -* Thu Sep 03 2015 Tomas Hozza - 1.5.4-4 -- Prefer Python3 build over Python2 build for now (#1254566) - -* Mon Jul 20 2015 Tomas Hozza - 1.5.4-3 -- Added ExecReload section to unbound.service (#1195785) -- Removed After syslog.target since it is not needed any more - -* Thu Jul 16 2015 Tomas Hozza - 1.5.4-2 -- Start unbound-anchor.timer only on new installations -- Rename root.anchor to root.key in %%post section - -* Tue Jul 14 2015 Paul Wouters - 1.5.4-1 -- Update to 1.5.4 -- Removed patches merged into upstream - -* Tue Jun 16 2015 Tomas Hozza - 1.5.3-8 -- Revert: Use low maximum negative cache TTL (5 sec) (#1229596) - -* Mon Jun 15 2015 Tomas Hozza - 1.5.3-7 -- Add option for maximum negative cache TTL (#1229599) -- Use low maximum negative cache TTL (5 sec) (#1229596) - -* Tue May 26 2015 Tomas Hozza - 1.5.3-6 -- Removed usage of DLV from the default configuration (#1223363) - -* Wed May 13 2015 Tomas Hozza - 1.5.3-5 -- unbound.service now Wants unbound-anchor.timer -- unbound-anchor man page moved to the unbound-libs - -* Mon May 11 2015 Paul Wouters - 1.5.3-4 -- Fixup scriptlets causing systemctl: command not found -- Resolves rhbz#1219587 Error in PREIN scriptlet in rpm package unbound-libs - -* Mon Apr 27 2015 Tomas Hozza - 1.5.3-3 -- migrate cronjob to systemd timer unit (#1177285) -- change the period for unbound-anchor from monthly to daily (#1180267) -- Thanks to Tomasz Torcz for the initial patch - -* Thu Apr 16 2015 Tomas Hozza - 1.5.3-2 -- Fix FTBFS (#1206129) -- Build python3-unbound and python-unbound bindings 
for Python 3 and 2 (#1188080) - -* Mon Mar 16 2015 Paul Wouters - 1.5.3-1 -- Updated to 1.5.3 which is a bugfix on 1.5.2 for sighup handling -- Updated to 1.5.2 which fixes DNSSEC validation with different - trust anchors upstream, local-zone has a new keyword 'inform' - -* Mon Feb 02 2015 Paul Wouters - 1.5.1-4 -- Build with --enable-ecdsa - -* Sun Feb 01 2015 Paul Wouters - 1.5.1-3 -- Fix post to create root.anchor, not root.key, to match cron job - -* Tue Dec 09 2014 Paul Wouters - 1.5.1-2 -- Change systemd-units to systemd -- Use _tmpfilesdir macro, don't mark tmpfiles as config - -* Tue Dec 09 2014 Paul Wouters - 1.5.1-1 -- Update to 1.5.1 for CVE-2014-8602 (rhbz#1172066) -- Removed unbound-aarch64.patch which was merged upstream -- Don't require autotools for non snapshots or run autoreconf - -* Fri Nov 28 2014 Tomas Hozza - 1.5.1-0.1.rc1 -- update to 1.5.1rc1 - -* Fri Nov 28 2014 Marcin Juszkiewicz - 1.5.0-3 -- fix build on aarch64 - -* Wed Nov 26 2014 Tomas Hozza - 1.5.0-2 -- Fix race condition in arc4random (#1166878) - -* Wed Nov 19 2014 Tomas Hozza - 1.5.0-1 -- update to 1.5.0 - -* Wed Sep 24 2014 Pavel Šimerda - 1.4.22-6 -- Resolves: #1115489 - build with python 3.x for fedora >= 22 - -* Thu Aug 21 2014 Kevin Fenzi - 1.4.22-5 -- Rebuild for rpm bug 1131960 - -* Mon Aug 18 2014 Fedora Release Engineering - 1.4.22-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild - -* Sun Jun 08 2014 Fedora Release Engineering - 1.4.22-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild - -* Thu May 01 2014 Paul Wouters - 1.4.22-2 -- Added flushcache patch (SVN commit 3125) - -* Thu Mar 13 2014 Paul Wouters - 1.4.22-1 -- Updated to 1.4.22 -- No longer requires the ldns library - -* Thu Jan 16 2014 Tomas Hozza - 1.4.21-3 -- Fix segfault on adding insecure forward zone when using only iterator (#1054192) - -* Mon Oct 21 2013 Tomas Hozza - 1.4.21-2 -- run test suite during the build - -* Thu Sep 19 2013 Paul Wouters - 1.4.21-1 -- 
Updated to 1.4.21, -- Enabled new max-udp-size: 3072 (so ANY isc.org won't fit) -- Removed patched merged in by upstream -- Enable statistics-cumulative for munin-plugin -- Added outgoing-port-avoid: 0-32767 conformant to SElinux restrictions -- Updated unbound.conf - -* Mon Aug 26 2013 Tomas Hozza - 1.4.20-19 -- Fix errors found by static analysis of source - -* Mon Aug 12 2013 Paul Wouters - 1.4.20-18 -- Change unbound.conf to only use ephemeral ports (32768-65535) - -* Sun Aug 04 2013 Fedora Release Engineering - 1.4.20-17 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild - -* Mon Jul 22 2013 Tomas Hozza - 1.4.20-16 -- provide man page for unbound-streamtcp - -* Mon Jul 08 2013 Paul Wouters - 1.4.20-15 -- Re-introduce hardening flags for full relro and pie -- Fixes compilation failure for python module - -* Wed Jul 03 2013 Tomas Hozza - 1.4.20-14 -- remove missing unbound-rootkey.service from post/preun/postun sections -- don't hardcode hardening flags, let hardened build macro handles it - -* Sat Jun 01 2013 Paul Wouters - 1.4.20-13 -- Run unbound-anchor as user unbound in unbound.service - -* Tue May 28 2013 Paul Wouters - 1.4.20-12 -- Enable round-robin (with noths() patch) -- Change cron and systemd service to use root.key, not root.anchor - -* Sat May 25 2013 Paul Wouters - 1.4.20-10 -- Use /var/lib/unbound/root.key (more consistent with other distros) -- Enable minimal responses - -* Mon Apr 22 2013 Paul Wouters - 1.4.20-8 -- Refix - -* Fri Apr 19 2013 Paul Wouters - 1.4.20-7 -- Fix runuser call in post. - -* Tue Apr 16 2013 Paul Wouters - 1.4.20-6 -- /var/lib/unbound should be owned by unbound. 
group write is not enough - -* Fri Apr 12 2013 Paul Wouters - 1.4.20-5 -- Fix cron job syntax (rhbz#951725) -- Use install -p to prevent .rpmnew files that are identical to originals - -* Mon Apr 8 2013 Paul Wouters - 1.4.20-4 -- Updated to 1.4.20 -- Build with full RELRO (not use -z,relro but with -z,relo,-z,now) -- Fixup man page for unbound-control-setup -- unbound.service should start before nss-lookup.target (rhbz#919955) -- Removed patch for rhbz#888759 merged in upstream -- Move root.anchor to /var/lib/unbound to make selinux policy easier for updating (rhbz#896599/rhbz#891008) -- Move cronjob for root.anchor from unbound to unbound-libs, require crontabs -- /etc/unbound (and all) should be owned by unbound-libs (rhbz#909691) -- Remove Obsolete/Provides for dnssec-conf which was last seen in f13 -- Ensure any unbound-anchor failure in post is ignored - -* Tue Mar 05 2013 Adam Tkac - 1.4.19-5 -- build with full RELRO -- symlink unbound-control-setup.8 manpage to unbound-control.8 - -* Fri Feb 15 2013 Fedora Release Engineering - 1.4.19-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild - -* Wed Dec 12 2012 Paul Wouters - 1.4.19-3 -- Updated to 1.4.19 - this integrates all existing patches -- Patch for unbound-anchor (rhbz#888759) - -* Fri Nov 09 2012 Paul Wouters - 1.4.18-6 -- Patch to ensure stube-zone's aren't lost when using dnssec-triggerd -- added unbound-munin.README file - -* Wed Sep 26 2012 Paul Wouters - 1.4.18-5 -- Patch to allow wildcards in include: statements -- Add directories /etc/unbound/keys.d,conf.d,local.d with - example entries -- Added /etc/unbound/root.anchor, maintained by unbound-anchor - which is installed as monthly cron and PreExec in systemd config - (root.key is unused, but left installed in case people depend on it) -- Native systemd (simple) and /etc/sysconfig/unbound support -- Run unbound-checkconf in PreExec -- Moved trust anchor related files to unbound-libs, as they can - be used without the daemon. 
-- sub packages now depends on base package of same arch -- Build munin package as noarch -- unbound-anchor moved to unbound-libs package. It is needed - to update the root.anchor key file. - -* Tue Sep 04 2012 Paul Wouters - 1.4.18-3 -- Fix openssl thread locking bug under high query load - -* Thu Aug 23 2012 Paul Wouters - 1.4.18-2 -- Use new systemd-rpm macros (rhbz#850351) -- Clean up old obsoleted dnssec-conf from < fedora 15 - -* Fri Aug 03 2012 Paul Wouters - 1.4.18-1 -- Updated to 1.4.18 (FIPS related fixes mostly) -- Removed patches that were merged in upstream -- Added comment to root.key - -* Mon Jul 23 2012 Paul Wouters - 1.4.17-5 -- Fix for unbound crasher (upstream bug #452) -- Support libunbound functions in man pages and place in -devel - -* Sun Jul 22 2012 Fedora Release Engineering - 1.4.17-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild - -* Tue Jul 03 2012 Paul Wouters - 1.4.17-3 -- unbound FIPS patches for MD5,randomness (rhbz#835106) - -* Fri Jun 15 2012 Adam Tkac - 1.4.17-2 -- don't build unbound-munin on RHEL - -* Thu May 24 2012 Paul Wouters - 1.4.17-1 -- Updated to 1.4.17 (which mostly brings in patches we already - applied from svn trunk) - -* Wed Feb 29 2012 Paul Wouters - 1.4.16-3 -- Since the daemon links to the libs staticly, add Requires: - (this is rhbz#745288) -- Package up streamtcp as unbound-streamtcp (for monitoring) - -* Mon Feb 27 2012 Paul Wouters - 1.4.16-2 -- Don't ghost the directory (rhbz#788805) -- Patch for unbound to support unbound-control forward_zone - (needed for openswan in XAUTH mode) - -* Thu Feb 02 2012 Paul Wouters - 1.4.16-1 -- Upgraded to 1.4.16, which was relesed due to the soname - and some DNSSEC validation failures - -* Wed Feb 01 2012 Paul Wouters - 1.4.15-2 -- Patch for SONAME version (libtool's -version-number vs -version-info) - -* Fri Jan 27 2012 Paul Wouters - 1.4.15-1 -- Upgraded to 1.4.15 -- Updated unbound.conf to show how to configure listening on tls443 - -* Sat Jan 14 
2012 Fedora Release Engineering - 1.4.14-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild - -* Mon Dec 19 2011 Paul Wouters - 1.4.14-1 -- Upgraded to 1.4.14 for CVE-2011-4528 / VU#209659 -- SSL-wrapped query support for dnssec-trigger -- EDNS handling changes -- Removed integrated EDNS patches -- Disabled use-caps-for-id, GoDaddy domains now break on it -- Enabled new harden-below-nxdomain - -* Thu Sep 15 2011 Paul Wouters - 1.4.13-1 -- Upgraded to 1.4.13 -- Removed merged in pythonmod patch -- Added EDNS1480 patch to fix unbound on broken EDNS/UDP networks -- Fix python to go into sitearch instead of sitelib - -* Wed Sep 14 2011 Tom Callaway - 1.4.12-4 -- convert to systemd, tmpfiles.d - -* Mon Aug 08 2011 Paul Wouters - 1.4.12-3 -- Added pythonmod docs and examples - -* Mon Aug 08 2011 Paul Wouters - 1.4.12-2 -- Fix for python module load in the server (Tom Hendrikx) -- No longer enable --enable-debug as it causes degraded performance - under load. - -* Mon Jul 18 2011 Paul Wouters - 1.4.12-1 -- Updated to 1.4.12 - -* Sun Jul 03 2011 Paul Wouters - 1.4.11-1 -- Updated to 1.4.11 -- removed integrated CVE patch -- updated stock unbound.conf for new options introduced - -* Mon Jun 06 2011 Paul Wouters - 1.4.10-1 -- Added ghost for /var/run/unbound (bz#656710) - -* Mon Jun 06 2011 Paul Wouters - 1.4.9-3 -- rebuilt - -* Wed May 25 2011 Paul Wouters - 1.4.9-2 -- Applied patch for CVE-2011-1922 DoS vulnerability - -* Sun Mar 27 2011 Paul Wouters - 1.4.9-1 -- Updated to 1.4.9 - -* Sat Feb 12 2011 Paul Wouters - 1.4.8-2 -- rebuilt - -* Tue Jan 25 2011 Paul Wouters - 1.4.8-1 -- Updated to 1.4.8 -- Enable root key for DNSSEC -- Fix unbound-munin to use proper file (could cause excessive logging) -- Build unbound-python per default -- Disable gost as Fedora/EPEL does not allow ECC and has mangled openssl - -* Tue Oct 26 2010 Paul Wouters - 1.4.5-4 -- Revert last build - it was on the wrong branch - -* Tue Oct 26 2010 Paul Wouters - 1.4.5-3 -- Disable 
do-ipv6 per default - causes severe degradation on non-ipv6 machines - (see comments in inbound.conf) - -* Tue Jun 15 2010 Paul Wouters - 1.4.5-2 -- Bump release - forgot to upload the new tar ball. - -* Tue Jun 15 2010 Paul Wouters - 1.4.5-1 -- Upgraded to 1.4.5 - -* Mon May 31 2010 Paul Wouters - 1.4.4-2 -- Added accidentally omitted svn patches to cvs - -* Mon May 31 2010 Paul Wouters - 1.4.4-1 -- Upgraded to 1.4.4 with svn patches -- Obsolete dnssec-conf to ensure it is de-installed - -* Thu Mar 11 2010 Paul Wouters - 1.4.3-1 -- Update to 1.4.3 that fixes 64bit crasher - -* Tue Mar 09 2010 Paul Wouters - 1.4.2-1 -- Updated to 1.4.2 -- Updated unbound.conf with new options -- Enabled pre-fetching DNSKEY records (DNSSEC speedup) -- Enabled re-fetching popular records before they expire -- Enabled logging of DNSSEC validation errors - -* Mon Mar 01 2010 Paul Wouters - 1.4.1-5 -- Overriding -D_GNU_SOURCE is no longer needed. This fixes DSO issues - with pthreads - -* Wed Feb 24 2010 Paul Wouters - 1.4.1-3 -- Change make/configure lines to attempt to fix -lphtread linking issue - -* Thu Feb 18 2010 Paul Wouters - 1.4.1-2 -- Removed dependancy for dnssec-conf -- Added ISC DLV key (formerly in dnssec-conf) -- Fixup old DLV locations in unbound.conf file via %%post -- Fix parent child disagreement handling and no-ipv6 present [svn r1953] - -* Tue Jan 05 2010 Paul Wouters - 1.4.1-1 -- Updated to 1.4.1 -- Changed %%define to %%global - -* Thu Oct 08 2009 Paul Wouters - 1.3.4-2 -- Bump version - -* Thu Oct 08 2009 Paul Wouters - 1.3.4-1 -- Upgraded to 1.3.4. 
Security fix with validating NSEC3 records - -* Fri Aug 21 2009 Tomas Mraz - 1.3.3-2 -- rebuilt with new openssl - -* Mon Aug 17 2009 Paul Wouters - 1.3.3-1 -- Updated to 1.3.3 - -* Sun Jul 26 2009 Fedora Release Engineering - 1.3.0-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild - -* Sat Jun 20 2009 Paul Wouters - 1.3.0-2 -- Added missing glob patch to cvs -- Place python macros within the %%with_python check - -* Sat Jun 20 2009 Paul Wouters - 1.3.0-1 -- Updated to 1.3.0 -- Added unbound-python sub package. disabled for now -- Patch from svn to fix DLV lookups -- Patches from svn to detect wrong truncated response from BIND 9.6.1 with - minimal-responses) -- Added Default-Start and Default-Stop to unbound.init -- Re-enabled --enable-sha2 -- Re-enabled glob.patch - -* Wed May 20 2009 Paul Wouters - 1.2.1-7 -- unbound-iterator.patch was not commited - -* Wed May 20 2009 Paul Wouters - 1.2.1-6 -- Fix for https://bugzilla.redhat.com/show_bug.cgi?id=499793 - -* Tue Mar 17 2009 Paul Wouters - 1.2.1-5 -- Use --nocheck to avoid giving an error on missing unbound-remote certs/keys - -* Tue Mar 10 2009 Adam Tkac - 1.2.1-4 -- enable DNSSEC only if it is enabled in sysconfig/dnssec - -* Mon Mar 09 2009 Adam Tkac - 1.2.1-3 -- add DNSSEC support to initscript and enabled it per default -- add requires dnssec-conf - -* Wed Feb 25 2009 Fedora Release Engineering - 1.2.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild - -* Tue Feb 10 2009 Paul Wouters - 1.2.0-2 -- rebuild with new openssl - -* Wed Jan 14 2009 Paul Wouters - 1.1.1-7 -- Modified scandir patch to silently fail when wildcard matches nothing -- Patch to allow unbound-checkconf to find empty wildcard matches - -* Mon Jan 5 2009 Paul Wouters - 1.1.1-6 -- Added scandir patch for trusted-keys-file: option, which - is used to load multiple dnssec keys in bind file format - -* Mon Dec 8 2008 Paul Wouters - 1.1.1-4 -- Added Requires: for selinux-policy >= 3.5.13-33 for proper 
SElinux rules. - -* Mon Dec 1 2008 Paul Wouters - 1.1.1-3 -- We did not own the /etc/unbound directory (#474020) -- Fixed cvs anomalies - -* Fri Nov 28 2008 Adam Tkac - 1.1.1-2 -- removed all obsolete chroot related stuff -- label control certs after generation correctly - -* Thu Nov 20 2008 Paul Wouters - 1.1.1-1 -- Updated to unbound 1.1.1 which fixes a crasher and - addresses nlnetlabs bug #219 - -* Wed Nov 19 2008 Paul Wouters - 1.1.0-3 -- Remove the chroot, obsoleted by SElinux -- Add additional munin plugin links supported by unbound plugin -- Move configuration directory from /var/lib/unbound to /etc/unbound -- Modified unbound.init and unbound.conf to account for chroot changes -- Updated unbound.conf with new available options -- Enabled dns-0x20 protection per default - -* Wed Nov 19 2008 Adam Tkac - 1.1.0-2 -- unbound-1.1.0-log_open.patch - - make sure log is opened before chroot call - - tracked as http://www.nlnetlabs.nl/bugs/show_bug.cgi?id=219 -- removed /dev/log and /var/run/unbound and /etc/resolv.conf from - chroot, not needed -- don't mount files in chroot, it causes problems during updates -- fixed typo in default config file - -* Fri Nov 14 2008 Paul Wouters - 1.1.0-1 -- Updated to version 1.1.0 -- Updated unbound.conf's statistics options and remote-control - to work properly for munin -- Added unbound-munin package -- Generate unbound remote-control key/certs on first startup -- Required ldns is now 1.4.0 - -* Wed Oct 22 2008 Paul Wouters - 1.0.2-5 -- Only call ldconfig in -libs package -- Move configure into build section -- devel subpackage should only depend on libs subpackage - -* Tue Oct 21 2008 Paul Wouters - 1.0.2-4 -- Fix CFLAGS getting lost in build -- Don't enable interface-automatic:yes because that - causes unbound to listen on 0.0.0.0 instead of 127.0.0.1 - -* Sun Oct 19 2008 Paul Wouters - 1.0.2-3 -- Split off unbound-libs, make build verbose - -* Thu Oct 9 2008 Paul Wouters - 1.0.2-2 -- FSB compliance, chroot fixes, initscript 
fixes - -* Thu Sep 11 2008 Paul Wouters - 1.0.2-1 -- Upgraded to 1.0.2 - -* Wed Jul 16 2008 Paul Wouters - 1.0.1-1 -- upgraded to new release - -* Wed May 21 2008 Paul Wouters - 1.0.0-2 -- Build against ldns-1.3.0 - -* Wed May 21 2008 Paul Wouters - 1.0.0-1 -- Split of -devel package, fixed dependancies, make rpmlint happy - -* Fri Apr 25 2008 Wouter Wijngaards - 0.12 -- Using parts from ports collection entry by Jaap Akkerhuis. -- Using Fedoraproject wiki guidelines. - -* Wed Apr 23 2008 Wouter Wijngaards - 0.11 -- Initial version. +%autochangelog From d389610bfb075a94575b43371db4368184a43e3a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 2 Nov 2023 19:39:30 +0100 Subject: [PATCH 067/139] Update to 1.19.0 (#2248686) - New disable-edns-do option Changes: https://nlnetlabs.nl/projects/unbound/download/#unbound-1-19-0 https://lists.nlnetlabs.nl/pipermail/unbound-users/2023-November/008186.html --- .gitignore | 2 + sources | 4 +- unbound-1.18-outlook.patch | 228 ------------------------------------- unbound.spec | 12 +- 4 files changed, 11 insertions(+), 235 deletions(-) delete mode 100644 unbound-1.18-outlook.patch diff --git a/.gitignore b/.gitignore index 7b0a36a..c4bf873 100644 --- a/.gitignore +++ b/.gitignore @@ -81,3 +81,5 @@ unbound-1.4.5.tar.gz /unbound-1.17.1.tar.gz.asc /unbound-1.18.0.tar.gz /unbound-1.18.0.tar.gz.asc +/unbound-1.19.0.tar.gz +/unbound-1.19.0.tar.gz.asc diff --git a/sources b/sources index 558d84a..4adc154 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@
-SHA512 (unbound-1.18.0.tar.gz) = 24ca6bfe0ed493eb6aaa5cb1b2b108076ce97c48de7470adf596d1154254351e382b83aae33fcd8d4fa64847e359613e00c979b6f3ba7671215b2d0fd2b03b14
-SHA512 (unbound-1.18.0.tar.gz.asc) = 222ff184d952b9ee8ce81e1f3384d1640ff4695ca60b7d5f946dc24489d583618fc0f4e3c169514b699c684766fdb352f47ca29853223fbae70a65fd994d4fd2
+SHA512 (unbound-1.19.0.tar.gz) = c7df997ab003d098f53ac97ffb4c8428ab28e24573ff21e21782cbeadca42edadeb5b0db53ce954c9ff3106a5edb36eb47109240c554a44d9aac75727b66aeb4
+SHA512 (unbound-1.19.0.tar.gz.asc) = 63aa94192de7840f7abe43367e2c3f5d3fd42b8d72c08a5645cf28e2c0ad2e11d54f3aa645384fff5d4dfe66bc7ee25d81bd967780a992b54956343974206580
diff --git a/unbound-1.18-outlook.patch b/unbound-1.18-outlook.patch
deleted file mode 100644
index 6689bbc..0000000
--- a/unbound-1.18-outlook.patch
+++ /dev/null
@@ -1,228 +0,0 @@ -diff --git a/Makefile.in b/Makefile.in -index 627a650f6..22fb75c12 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -793,7 +793,7 @@ iter_priv.lo iter_priv.o: $(srcdir)/iterator/iter_priv.c config.h $(srcdir)/iter - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/sbuffer.h - iter_resptype.lo iter_resptype.o: $(srcdir)/iterator/iter_resptype.c config.h \ -- $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h \ -+ $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iterator.h $(srcdir)/util/log.h \ - $(srcdir)/services/cache/dns.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/data/dname.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h -diff --git a/iterator/iter_resptype.c b/iterator/iter_resptype.c -index e85595b84..38e186e79 100644 ---- a/iterator/iter_resptype.c -+++ b/iterator/iter_resptype.c -@@ -42,6 +42,7 @@ - #include "config.h" - #include "iterator/iter_resptype.h" - #include "iterator/iter_delegpt.h" -+#include "iterator/iterator.h" - #include "services/cache/dns.h" - #include "util/net_help.h" - #include "util/data/dname.h" -@@ -105,7 +106,8 @@ response_type_from_cache(struct dns_msg* msg, - - enum response_type - response_type_from_server(int rdset, -- struct dns_msg* msg, struct query_info* request, struct delegpt* dp) -+ struct dns_msg* msg, struct query_info* request, struct delegpt* dp, -+ int* empty_nodata_found) - { - uint8_t* origzone = (uint8_t*)"\000"; /* the default */ - struct ub_packed_rrset_key* s; -@@ -284,13 +286,22 @@ response_type_from_server(int rdset, - - /* If we've gotten this far, this is NOERROR/NODATA (which could - * be an entirely empty message) */ -- /* but ignore entirely 
empty messages, noerror/nodata has a soa -- * negative ttl value in the authority section, this makes it try -- * again at another authority. And turns it from a 5 second empty -- * message into a 5 second servfail response. */ -+ /* For entirely empty messages, try again, at first, then accept -+ * it it happens more. A regular noerror/nodata response has a soa -+ * negative ttl value in the authority section. This makes it try -+ * again at another authority. And decides between storing a 5 second -+ * empty message or a 5 second servfail response. */ - if(msg->rep->an_numrrsets == 0 && msg->rep->ns_numrrsets == 0 && -- msg->rep->ar_numrrsets == 0) -- return RESPONSE_TYPE_THROWAWAY; -+ msg->rep->ar_numrrsets == 0) { -+ if(empty_nodata_found) { -+ /* detect as throwaway at first, but accept later. */ -+ (*empty_nodata_found)++; -+ if(*empty_nodata_found < EMPTY_NODATA_RETRY_COUNT) -+ return RESPONSE_TYPE_THROWAWAY; -+ return RESPONSE_TYPE_ANSWER; -+ } -+ return RESPONSE_TYPE_ANSWER; -+ } - /* check if recursive answer; saying it has empty cache */ - if( (msg->rep->flags&BIT_RA) && !(msg->rep->flags&BIT_AA) && !rdset) - return RESPONSE_TYPE_REC_LAME; -diff --git a/iterator/iter_resptype.h b/iterator/iter_resptype.h -index fee9ef35f..bfd4b664f 100644 ---- a/iterator/iter_resptype.h -+++ b/iterator/iter_resptype.h -@@ -119,9 +119,11 @@ enum response_type response_type_from_cache(struct dns_msg* msg, - * @param request: the request that generated the response. - * @param dp: The delegation point that was being queried - * when the response was returned. -+ * @param empty_nodata_found: flag to keep track of empty nodata detection. - * @return the response type (CNAME or ANSWER). 
- */ - enum response_type response_type_from_server(int rdset, -- struct dns_msg* msg, struct query_info* request, struct delegpt* dp); -+ struct dns_msg* msg, struct query_info* request, struct delegpt* dp, -+ int* empty_nodata_found); - - #endif /* ITERATOR_ITER_RESPTYPE_H */ -diff --git a/iterator/iterator.c b/iterator/iterator.c -index 9f78aa17d..106e2877e 100644 ---- a/iterator/iterator.c -+++ b/iterator/iterator.c -@@ -2940,7 +2940,7 @@ static int - processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, - struct iter_env* ie, int id) - { -- int dnsseclame = 0, origtypecname = 0; -+ int dnsseclame = 0, origtypecname = 0, orig_empty_nodata_found; - enum response_type type; - - iq->num_current_queries--; -@@ -2960,12 +2960,25 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, - return next_state(iq, QUERYTARGETS_STATE); - } - iq->timeout_count = 0; -+ orig_empty_nodata_found = iq->empty_nodata_found; - type = response_type_from_server( - (int)((iq->chase_flags&BIT_RD) || iq->chase_to_rd), -- iq->response, &iq->qinfo_out, iq->dp); -+ iq->response, &iq->qinfo_out, iq->dp, &iq->empty_nodata_found); - iq->chase_to_rd = 0; - /* remove TC flag, if this is erroneously set by TCP upstream */ - iq->response->rep->flags &= ~BIT_TC; -+ if(orig_empty_nodata_found != iq->empty_nodata_found && -+ iq->empty_nodata_found < EMPTY_NODATA_RETRY_COUNT) { -+ /* try to search at another server */ -+ if(qstate->reply) { -+ struct delegpt_addr* a = delegpt_find_addr( -+ iq->dp, &qstate->reply->remote_addr, -+ qstate->reply->remote_addrlen); -+ /* make selection disprefer it */ -+ if(a) a->lame = 1; -+ } -+ return next_state(iq, QUERYTARGETS_STATE); -+ } - if(type == RESPONSE_TYPE_REFERRAL && (iq->chase_flags&BIT_RD) && - !iq->auth_zone_response) { - /* When forwarding (RD bit is set), we handle referrals -@@ -3501,7 +3514,7 @@ processPrimeResponse(struct module_qstate* qstate, int id) - iq->response->rep->flags &= ~(BIT_RD|BIT_RA); /* 
ignore rec-lame */ - type = response_type_from_server( - (int)((iq->chase_flags&BIT_RD) || iq->chase_to_rd), -- iq->response, &iq->qchase, iq->dp); -+ iq->response, &iq->qchase, iq->dp, NULL); - if(type == RESPONSE_TYPE_ANSWER) { - qstate->return_rcode = LDNS_RCODE_NOERROR; - qstate->return_msg = iq->response; -diff --git a/iterator/iterator.h b/iterator/iterator.h -index fad7f03e6..e253f3f7e 100644 ---- a/iterator/iterator.h -+++ b/iterator/iterator.h -@@ -101,6 +101,8 @@ extern int BLACKLIST_PENALTY; - * Chosen so that the UNKNOWN_SERVER_NICENESS falls within the band of a - * fast server, this causes server exploration as a side benefit. msec. */ - #define RTT_BAND 400 -+/** Number of retries for empty nodata packets before it is accepted. */ -+#define EMPTY_NODATA_RETRY_COUNT 2 - - /** - * Global state for the iterator. -@@ -415,6 +417,11 @@ struct iter_qstate { - */ - int refetch_glue; - -+ /** -+ * This flag detects that a completely empty nodata was received, -+ * already so that it is accepted later. */ -+ int empty_nodata_found; -+ - /** list of pending queries to authoritative servers. */ - struct outbound_list outlist; - -diff --git a/testdata/iter_ignore_empty.rpl b/testdata/iter_ignore_empty.rpl -index c70dd7e8d..4b2f695b8 100644 ---- a/testdata/iter_ignore_empty.rpl -+++ b/testdata/iter_ignore_empty.rpl -@@ -78,6 +78,18 @@ example2.com. IN NS ns2.example2.com. - SECTION ADDITIONAL - ns2.example2.com. IN A 1.2.3.5 - ENTRY_END -+ -+ENTRY_BEGIN -+MATCH opcode subdomain -+ADJUST copy_id copy_query -+REPLY QR NOERROR -+SECTION QUESTION -+foo.com. IN NS -+SECTION AUTHORITY -+foo.com. IN NS ns.foo.com. -+SECTION ADDITIONAL -+ns.foo.com. IN A 1.2.3.5 -+ENTRY_END - RANGE_END - - ; ns.example.com. -@@ -172,6 +184,27 @@ www.example.com. IN A - SECTION ANSWER - www.example.com. IN A 10.20.30.40 - ENTRY_END -+ -+; foo.com -+ENTRY_BEGIN -+MATCH opcode qtype qname -+ADJUST copy_id -+REPLY QR AA NOERROR -+SECTION QUESTION -+www.foo.com. 
IN A -+SECTION ANSWER -+ENTRY_END -+ -+ENTRY_BEGIN -+MATCH opcode qtype qname -+ADJUST copy_id -+REPLY QR AA NOERROR -+SECTION QUESTION -+ns.foo.com. IN AAAA -+SECTION ANSWER -+SECTION AUTHORITY -+;foo.com. IN SOA ns2.foo.com root.foo.com 4 14400 3600 604800 3600 -+ENTRY_END - RANGE_END - - STEP 1 QUERY -@@ -195,4 +228,21 @@ ENTRY_END - ; wait for pending nameserver lookups. - STEP 20 TRAFFIC - -+; Test that a nodata stays a nodata. -+STEP 30 QUERY -+ENTRY_BEGIN -+REPLY RD -+SECTION QUESTION -+www.foo.com. IN A -+ENTRY_END -+ -+STEP 40 CHECK_ANSWER -+ENTRY_BEGIN -+MATCH all -+REPLY QR RD RA NOERROR -+SECTION QUESTION -+www.foo.com. IN A -+SECTION ANSWER -+ENTRY_END -+ - SCENARIO_END diff --git a/unbound.spec b/unbound.spec index ba98372..60925b1 100644 --- a/unbound.spec +++ b/unbound.spec @@ -8,7 +8,7 @@ %global _hardened_build 1 -#%%global extra_version rc1 +#global extra_version rc1 %if 0%{with_python2} %global python_primary %{__python2} @@ -30,8 +30,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.18.0 -Release: 3%{?extra_version:.%{extra_version}}%{?dist} +Version: 1.19.0 +Release: 1%{?extra_version:.%{extra_version}}%{?dist} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -56,8 +56,7 @@ Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_vers Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key Source20: unbound.sysusers -# https://github.com/NLnetLabs/unbound/issues/946 -Patch1: unbound-1.18-outlook.patch +# Patch1: BuildRequires: gcc, make BuildRequires: flex, openssl-devel @@ -500,4 +499,7 @@ popd %{_mandir}/man1/unbound-* %changelog +* Thu Nov 02 2023 Petr Menšík - 1.19.0-1 +- Update to 1.19.0 (#2248686) + %autochangelog From 8eb43fc4675bd5970499d96fcb1b4e7384717efa Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Fri, 10 Nov 2023 13:12:23 +0100 Subject: [PATCH 068/139] Generate configuration file from upstream example.conf To reduce rebase burden, just modify upstream example with our Fedora specific changes. The result should be the same, but without the need to manually add new features into separate config file. --- unbound-fedora-config.patch | 551 ++++++++++++++ unbound.conf | 1363 ----------------------------------- unbound.spec | 11 +- 3 files changed, 557 insertions(+), 1368 deletions(-) create mode 100644 unbound-fedora-config.patch delete mode 100644 unbound.conf diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch new file mode 100644 index 0000000..a249d2c --- /dev/null +++ b/unbound-fedora-config.patch 
@@ -0,0 +1,551 @@ +From ecfc3a96a0d38cc31fb871d98789467434c7afda Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Fri, 10 Nov 2023 12:58:31 +0100 +Subject: [PATCH] Customize unbound.conf for Fedora defaults + +Set some Fedora/RHEL specific changes to example configuration file. By +patching upstream provided config file we would not need to manually +update external copy in source RPM. +--- + unbound-1.19.0/doc/example.conf.in | 205 ++++++++++++++++++----------- + 1 file changed, 131 insertions(+), 74 deletions(-) + +diff --git a/unbound-1.19.0/doc/example.conf.in b/unbound-1.19.0/doc/example.conf.in +index fe0dde6..b79a322 100644 +--- a/unbound-1.19.0/doc/example.conf.in ++++ b/unbound-1.19.0/doc/example.conf.in +@@ -17,11 +17,12 @@ server: + # whitespace is not necessary, but looks cleaner. + + # verbosity number, 0 is least verbose. 1 is default. +- # verbosity: 1 ++ verbosity: 1 + + # print statistics to the log (for every thread) every N seconds. + # Set to "" or 0 to disable. Default is disabled. +- # statistics-interval: 0 ++ # Needs to be disabled for munin plugin ++ statistics-interval: 0 + + # enable shm for stats, default no. if you enable also enable + # statistics-interval, every time it also writes stats to the +@@ -32,11 +33,13 @@ server: + # shm-key: 11777 + + # enable cumulative statistics, without clearing them after printing. +- # statistics-cumulative: no ++ # Needs to be disabled for munin plugin ++ statistics-cumulative: no + + # enable extended statistics (query types, answer codes, status) +- # printed from unbound-control. Default off, because of speed. +- # extended-statistics: no ++ # printed from unbound-control. default off, because of speed. ++ # Needs to be enabled for munin plugin ++ extended-statistics: yes + + # Inhibits selected extended statistics (qtype, qclass, qopcode, rcode, + # rpz-actions) from printing if their value is 0. +@@ -44,22 +47,35 @@ server: + # statistics-inhibit-zero: yes + + # number of threads to create. 
1 disables threading. +- # num-threads: 1 ++ num-threads: 4 + + # specify the interfaces to answer queries from by ip-address. + # The default is to listen to localhost (127.0.0.1 and ::1). + # specify 0.0.0.0 and ::0 to bind to all available interfaces. + # specify every interface[@port] on a new 'interface:' labelled line. + # The listen interfaces are not changed on reload, only on restart. ++ # interface: 0.0.0.0 ++ # interface: ::0 + # interface: 192.0.2.153 + # interface: 192.0.2.154 + # interface: 192.0.2.154@5003 + # interface: 2001:DB8::5 + # interface: eth0@5003 ++ # ++ # for dns over tls and raw dns over port 80 ++ # interface: 0.0.0.0@443 ++ # interface: ::0@443 ++ # interface: 0.0.0.0@80 ++ # interface: ::0@80 + + # enable this feature to copy the source address of queries to reply. + # Socket options are not supported on all platforms. experimental. +- # interface-automatic: no ++ # interface-automatic: yes ++ # ++ # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0 ++ # NOTE: Disabled per Fedora policy not to listen to * on default install ++ # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled ++ interface-automatic: no + + # instead of the default port, open additional ports separated by + # spaces when interface-automatic is enabled, by listing them here. +@@ -94,7 +110,8 @@ server: + + # permit Unbound to use this port number or port range for + # making outgoing queries, using an outgoing interface. +- # outgoing-port-permit: 32768 ++ # Only ephemeral ports are allowed by SElinux ++ outgoing-port-permit: 32768-60999 + + # deny Unbound the use this of port number or port range for + # making outgoing queries, using an outgoing interface. +@@ -103,7 +120,9 @@ server: + # IANA-assigned port numbers. + # If multiple outgoing-port-permit and outgoing-port-avoid options + # are present, they are processed in order. 
+- # outgoing-port-avoid: "3200-3208" ++ # Our SElinux policy does not allow non-ephemeral ports to be used ++ outgoing-port-avoid: 0-32767 ++ outgoing-port-avoid: 61000-65535 + + # number of outgoing simultaneous tcp buffers to hold per thread. + # outgoing-num-tcp: 10 +@@ -121,12 +140,12 @@ server: + + # use SO_REUSEPORT to distribute queries over threads. + # at extreme load it could be better to turn it off to distribute even. +- # so-reuseport: yes ++ so-reuseport: yes + + # use IP_TRANSPARENT so the interface: addresses can be non-local + # and you can config non-existing IPs that are going to work later on + # (uses IP_BINDANY on FreeBSD). +- # ip-transparent: no ++ ip-transparent: yes + + # use IP_FREEBIND so the interface: addresses can be non-local + # and you can bind to nonexisting IPs and interfaces that are down. +@@ -256,6 +275,8 @@ server: + # nat64-prefix: 64:ff9b::0/96 + + # Enable UDP, "yes" or "no". ++ # NOTE: if setting up an Unbound on tls443 for public use, you might want to ++ # disable UDP to avoid being used in DNS amplification attacks. + # do-udp: yes + + # Enable TCP, "yes" or "no". +@@ -281,7 +302,7 @@ server: + # tcp-idle-timeout: 30000 + + # Enable EDNS TCP keepalive option. +- # edns-tcp-keepalive: no ++ edns-tcp-keepalive: yes + + # Timeout for EDNS TCP keepalive, in msec. + # edns-tcp-keepalive-timeout: 120000 +@@ -290,6 +311,9 @@ server: + # can be dropped. Default is 0, disabled. In seconds, such as 3. + # sock-queue-timeout: 0 + ++ # Fedora note: do not activate this - not compiled in because ++ # it causes frequent unbound crashes. Also, socket activation ++ # is bad when you have things like dnsmasq also running with libvirt. + # Use systemd socket activation for UDP, TCP, and control sockets. + # use-systemd: no + +@@ -402,6 +426,7 @@ server: + # + # If you give "" no chroot is performed. The path must not end in a /. 
+ # chroot: "@UNBOUND_CHROOT_DIR@" ++ chroot: "" + + # if given, user privileges are dropped (after binding port), + # and the given username is assumed. Default is user "unbound". +@@ -413,7 +438,7 @@ server: + # is not changed. + # If you give a server: directory: dir before include: file statements + # then those includes can be relative to the working directory. +- # directory: "@UNBOUND_RUN_DIR@" ++ directory: "/etc/unbound" + + # the log file, "" means log to stderr. + # Use of this option sets use-syslog to "no". +@@ -428,7 +453,7 @@ server: + # log-identity: "" + + # print UTC timestamp in ascii to logfile, default is epoch in seconds. +- # log-time-ascii: no ++ log-time-ascii: yes + + # print one line with time, IP, name, type, class for every query. + # log-queries: no +@@ -497,22 +522,22 @@ server: + # harden-large-queries: no + + # Harden against out of zone rrsets, to avoid spoofing attempts. +- # harden-glue: yes ++ harden-glue: yes + + # Harden against receiving dnssec-stripped data. If you turn it + # off, failing to validate dnskey data for a trustanchor will + # trigger insecure mode for that zone (like without a trustanchor). + # Default on, which insists on dnssec data for trust-anchored zones. +- # harden-dnssec-stripped: yes ++ harden-dnssec-stripped: yes + + # Harden against queries that fall under dnssec-signed nxdomain names. +- # harden-below-nxdomain: yes ++ harden-below-nxdomain: yes + + # Harden the referral path by performing additional queries for + # infrastructure data. Validates the replies (if possible). + # Default off, because the lookups burden the server. Experimental + # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. +- # harden-referral-path: no ++ harden-referral-path: yes + + # Harden against algorithm downgrade when multiple algorithms are + # advertised in the DS record. 
If no, allows the weakest algorithm +@@ -526,7 +551,7 @@ server: + # Sent minimum amount of information to upstream servers to enhance + # privacy. Only sent minimum required labels of the QNAME and set QTYPE + # to A when possible. +- # qname-minimisation: yes ++ qname-minimisation: yes + + # QNAME minimisation in strict mode. Do not fall-back to sending full + # QNAME to potentially broken nameservers. A lot of domains will not be +@@ -536,7 +561,7 @@ server: + + # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN + # and other denials, using information from previous NXDOMAINs answers. +- # aggressive-nsec: yes ++ aggressive-nsec: yes + + # Use 0x20-encoded random bits in the query to foil spoof attempts. + # This feature is an experimental implementation of draft dns-0x20. +@@ -569,7 +594,7 @@ server: + # threshold, a warning is printed and a defensive action is taken, + # the cache is cleared to flush potential poison out of it. + # A suggested value is 10000000, the default is 0 (turned off). +- # unwanted-reply-threshold: 0 ++ unwanted-reply-threshold: 10000000 + + # Do not query the following addresses. No DNS queries are sent there. + # List one address per entry. List classless netblocks with /size, +@@ -581,20 +606,20 @@ server: + # do-not-query-localhost: yes + + # if yes, perform prefetching of almost expired message cache entries. +- # prefetch: no ++ prefetch: yes + + # if yes, perform key lookups adjacent to normal lookups. +- # prefetch-key: no ++ prefetch-key: yes + + # deny queries of type ANY with an empty response. +- # deny-any: no ++ deny-any: yes + + # if yes, Unbound rotates RRSet order in response. +- # rrset-roundrobin: yes ++ rrset-roundrobin: yes + + # if yes, Unbound doesn't insert authority/additional sections + # into response messages when those sections are not required. +- # minimal-responses: yes ++ minimal-responses: yes + + # true to disable DNSSEC lameness check in iterator. 
+ # disable-dnssec-lame-check: no +@@ -604,7 +629,9 @@ server: + # most modules have to be listed at the beginning of the line, + # except cachedb(just before iterator), and python (at the beginning, + # or, just before the iterator). +- # module-config: "validator iterator" ++ # For redis cachedb use: ++ # "ipsecmod validator cachedb iterator" ++ module-config: "ipsecmod validator iterator" + + # File with trusted keys, kept uptodate using RFC5011 probes, + # initial file like trust-anchor-file, then it stores metadata. +@@ -618,10 +645,10 @@ server: + # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" + + # trust anchor signaling sends a RFC8145 key tag query after priming. +- # trust-anchor-signaling: yes ++ trust-anchor-signaling: yes + + # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel) +- # root-key-sentinel: yes ++ root-key-sentinel: yes + + # File with trusted keys for validation. Specify more than one file + # with several entries, one file per entry. +@@ -642,6 +669,9 @@ server: + # the trusted-keys { name flag proto algo "key"; }; clauses are read. + # you need external update procedures to track changes in keys. + # trusted-keys-file: "" ++ # ++ trusted-keys-file: /etc/unbound/keys.d/*.key ++ auto-trust-anchor-file: "/var/lib/unbound/root.key" + + # Ignore chain of trust. Domain is treated as insecure. + # domain-insecure: "example.com" +@@ -669,14 +699,15 @@ server: + # unsecure data. Useful to shield the users of this validator from + # potential bogus data in the additional section. All unsigned data + # in the additional section is removed from secure messages. +- # val-clean-additional: yes ++ val-clean-additional: yes + + # Turn permissive mode on to permit bogus messages. Thus, messages + # for which security checks failed will be returned to clients, + # instead of SERVFAIL. It still performs the security checks, which + # result in interesting log files and possibly the AD bit in + # replies if the message is found secure. 
The default is off. +- # val-permissive-mode: no ++ # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY ++ val-permissive-mode: no + + # Ignore the CD flag in incoming queries and refuse them bogus data. + # Enable it if the only clients of Unbound are legacy servers (w2008) +@@ -690,11 +721,11 @@ server: + + # Serve expired responses from cache, with serve-expired-reply-ttl in + # the response, and then attempt to fetch the data afresh. +- # serve-expired: no ++ serve-expired: yes + # + # Limit serving of expired responses to configured seconds after + # expiration. 0 disables the limit. +- # serve-expired-ttl: 0 ++ serve-expired-ttl: 14400 + # + # Set the TTL of expired records to the serve-expired-ttl value after a + # failed attempt to retrieve the record from upstream. This makes sure +@@ -721,7 +752,7 @@ server: + + # Have the validator log failed validations for your diagnosis. + # 0: off. 1: A line per failed user query. 2: With reason and bad IP. +- # val-log-level: 0 ++ val-log-level: 1 + + # It is possible to configure NSEC3 maximum iteration counts per + # keysize. Keep this table very short, as linear search is done. +@@ -865,6 +896,8 @@ server: + # you need to do the reverse notation yourself. + # local-data-ptr: "192.0.2.3 www.example.com" + ++ include: /etc/unbound/local.d/*.conf ++ + # tag a localzone with a list of tag names (in "" with spaces between) + # local-zone-tag: "example.com" "tag2 tag3" + +@@ -875,8 +908,8 @@ server: + # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. + # Give the certificate to use and private key. + # default is "" (disabled). requires restart to take effect. 
+- # tls-service-key: "path/to/privatekeyfile.key"
+- # tls-service-pem: "path/to/publiccertfile.pem"
++ # tls-service-key: "/etc/unbound/unbound_server.key"
++ # tls-service-pem: "/etc/unbound/unbound_server.pem"
+ # tls-port: 853
+ # https-port: 443
+ 
+@@ -884,6 +917,8 @@ server:
+ # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
+ # cipher setting for TLSv1.3
+ # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
++ # Fedora/RHEL: use system-wide crypto policies
++ tls-ciphers: "PROFILE=SYSTEM"
+ 
+ # Pad responses to padded queries received over TLS
+ # pad-responses: yes
+@@ -1005,12 +1040,12 @@ server:
+ # fast-server-num: 3
+ 
+ # Enable to attach Extended DNS Error codes (RFC8914) to responses.
+- # ede: no
++ ede: yes
+ 
+ # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale
+ # Answer as EDNS0 option to expired responses.
+ # Note that the ede option above needs to be enabled for this to work.
+- # ede-serve-expired: no
++ ede-serve-expired: yes
+ 
+ # Specific options for ipsecmod. Unbound needs to be configured with
+ # --enable-ipsecmod for these to take effect.
+@@ -1018,12 +1053,14 @@ server:
+ # Enable or disable ipsecmod (it still needs to be defined in
+ # module-config above). Can be used when ipsecmod needs to be
+ # enabled/disabled via remote-control(below).
+- # ipsecmod-enabled: yes
+- #
++ # Fedora: module will be enabled on-demand by libreswan
++ ipsecmod-enabled: no
++
+ # Path to executable external hook. It must be defined when ipsecmod is
+ # listed in module-config (above).
+ # ipsecmod-hook: "./my_executable"
+- #
++ ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook
++
+ # When enabled Unbound will reply with SERVFAIL if the return value of
+ # the ipsecmod-hook is not 0.
+ # ipsecmod-strict: no
+@@ -1056,7 +1093,7 @@ server:
+ # o and give a python-script to run.
+ python:
+ # Script file to load
+- # python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py"
++ # python-script: "/etc/unbound/ubmodule-tst.py"
+ 
+ # Dynamic library config section. To enable:
+ # o use --with-dynlibmodule to configure before compiling.
+@@ -1067,13 +1104,18 @@ python:
+ # the module-config then you need one dynlib-file per instance.
+ dynlib:
+ # Script file to load
+- # dynlib-file: "@UNBOUND_SHARE_DIR@/dynlib.so"
++ # dynlib-file: "/etc/unbound/dynlib.so"
+ 
+ # Remote control config section.
+ remote-control:
+ # Enable remote control with unbound-control(8) here.
+ # set up the keys and certificates with unbound-control-setup.
+- # control-enable: no
++ # Note: required for unbound-munin package
++ control-enable: yes
++
++ # Set to no and use an absolute path as control-interface to use
++ # a unix local named pipe for unbound-control.
++ # control-use-cert: yes
+ 
+ # what interfaces are listened to for remote control.
+ # give 0.0.0.0 and ::0 to listen to all interfaces.
+@@ -1087,19 +1129,22 @@ remote-control:
+ 
+ # for localhost, you can disable use of TLS by setting this to "no"
+ # For local sockets this option is ignored, and TLS is not used.
+- # control-use-cert: "yes"
++ control-use-cert: "no"
+ 
+ # Unbound server key file.
+- # server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key"
++ server-key-file: "/etc/unbound/unbound_server.key"
+ 
+ # Unbound server certificate file.
+- # server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem"
++ server-cert-file: "/etc/unbound/unbound_server.pem"
+ 
+ # unbound-control key file.
+- # control-key-file: "@UNBOUND_RUN_DIR@/unbound_control.key"
++ control-key-file: "/etc/unbound/unbound_control.key"
+ 
+ # unbound-control certificate file.
+- # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
++ control-cert-file: "/etc/unbound/unbound_control.pem"
++
++# Stub and Forward zones
++include: /etc/unbound/conf.d/*.conf
+ 
+ # Stub zones.
+ # Create entries like below, to make all queries for 'example.com' and
+@@ -1121,6 +1166,10 @@ remote-control:
+ # name: "example.org"
+ # stub-host: ns.example.com.
+ 
++# You can now also dynamically create and delete stub-zone's using
++# unbound-control stub_add domain.com 1.2.3.4 5.6.7.8
++# unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8
++
+ # Forward zones
+ # Create entries like below, to make all queries for 'example.com' and
+ # 'example.org' go to the given list of servers. These servers have to handle
+@@ -1138,6 +1187,10 @@ remote-control:
+ # forward-zone:
+ # name: "example.org"
+ # forward-host: fwd.example.com
++#
++# You can now also dynamically create and delete forward-zone's using
++# unbound-control forward_add domain.com 1.2.3.4 5.6.7.8
++# unbound-control forward_remove domain.com 1.2.3.4 5.6.7.8
+ 
+ # Authority zones
+ # The data for these zones is kept locally, from a file or downloaded.
+@@ -1145,30 +1198,31 @@ remote-control:
+ # upstream (which saves a lookup to the upstream). The first example
+ # has a copy of the root for local usage. The second serves example.org
+ # authoritatively. zonefile: reads from file (and writes to it if you also
+-# download it), primary: fetches with AXFR and IXFR, or url to zonefile.
+-# With allow-notify: you can give additional (apart from primaries and urls)
+-# sources of notifies.
+-# auth-zone:
+-# name: "."
+-# primary: 199.9.14.201 # b.root-servers.net
+-# primary: 192.33.4.12 # c.root-servers.net
+-# primary: 199.7.91.13 # d.root-servers.net
+-# primary: 192.5.5.241 # f.root-servers.net
+-# primary: 192.112.36.4 # g.root-servers.net
+-# primary: 193.0.14.129 # k.root-servers.net
+-# primary: 192.0.47.132 # xfr.cjr.dns.icann.org
+-# primary: 192.0.32.132 # xfr.lax.dns.icann.org
+-# primary: 2001:500:200::b # b.root-servers.net
+-# primary: 2001:500:2::c # c.root-servers.net
+-# primary: 2001:500:2d::d # d.root-servers.net
+-# primary: 2001:500:2f::f # f.root-servers.net
+-# primary: 2001:500:12::d0d # g.root-servers.net
+-# primary: 2001:7fd::1 # k.root-servers.net
+-# primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
+-# primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org
+-# fallback-enabled: yes
+-# for-downstream: no
+-# for-upstream: yes
++# download it), master: fetches with AXFR and IXFR, or url to zonefile.
++# With allow-notify: you can give additional (apart from masters) sources of
++# notifies.
++auth-zone:
++ name: "."
++ primary: 199.9.14.201 # b.root-servers.net
++ primary: 192.33.4.12 # c.root-servers.net
++ primary: 199.7.91.13 # d.root-servers.net
++ primary: 192.5.5.241 # f.root-servers.net
++ primary: 192.112.36.4 # g.root-servers.net
++ primary: 193.0.14.129 # k.root-servers.net
++ primary: 192.0.47.132 # xfr.cjr.dns.icann.org
++ primary: 192.0.32.132 # xfr.lax.dns.icann.org
++ primary: 2001:500:200::b # b.root-servers.net
++ primary: 2001:500:2::c # c.root-servers.net
++ primary: 2001:500:2d::d # d.root-servers.net
++ primary: 2001:500:2f::f # f.root-servers.net
++ primary: 2001:500:12::d0d # g.root-servers.net
++ primary: 2001:7fd::1 # k.root-servers.net
++ primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
++ primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org
++ fallback-enabled: yes
++ for-downstream: no
++ for-upstream: yes
++
+ # auth-zone:
+ # name: "example.org"
+ # for-downstream: yes
+@@ -1194,6 +1248,9 @@ remote-control:
+ # name: "anotherview"
+ # local-zone: "example.com" refuse
+ 
++# Fedora: DNSCrypt support not enabled since it requires linking to
++# another crypto library
++#
+ # DNSCrypt
+ # To enable, use --enable-dnscrypt to configure before compiling.
+ # Caveats:
+@@ -1266,7 +1323,7 @@ remote-control:
+ # dnstap-enable: no
+ # # if set to yes frame streams will be used in bidirectional mode
+ # dnstap-bidirectional: yes
+-# dnstap-socket-path: "@DNSTAP_SOCKET_PATH@"
++# dnstap-socket-path: "/etc/unbound/dnstap.sock"
+ # # if "" use the unix socket in dnstap-socket-path, otherwise,
+ # # set it to "IPaddress[@port]" of the destination.
+ # dnstap-ip: ""
+-- 
+2.41.0
+
diff --git a/unbound.conf b/unbound.conf
deleted file mode 100644
index b038b4a..0000000
--- a/unbound.conf
+++ /dev/null
@@ -1,1363 +0,0 @@
-#
-# Example configuration file.
-#
-# See unbound.conf(5) man page
-#
-# this is a comment.
-
-# Use this anywhere in the file to include other text into this file.
-#include: "otherfile.conf"
-
-# Use this anywhere in the file to include other text, that explicitly starts a
-# clause, into this file. Text after this directive needs to start a clause.
-#include-toplevel: "otherfile.conf"
-
-# The server clause sets the main parameters.
-server:
- # whitespace is not necessary, but looks cleaner.
-
- # verbosity number, 0 is least verbose. 1 is default.
- verbosity: 1
-
- # print statistics to the log (for every thread) every N seconds.
- # Set to "" or 0 to disable. Default is disabled.
- # Needs to be disabled for munin plugin
- statistics-interval: 0
-
- # enable shm for stats, default no. if you enable also enable
- # statistics-interval, every time it also writes stats to the
- # shared memory segment keyed with shm-key.
- # shm-enable: no
-
- # shm for stats uses this key, and key+1 for the shared mem segment.
- # shm-key: 11777
-
- # enable cumulative statistics, without clearing them after printing.
- # Needs to be disabled for munin plugin
- statistics-cumulative: no
-
- # enable extended statistics (query types, answer codes, status)
- # printed from unbound-control. default off, because of speed.
- # Needs to be enabled for munin plugin
- extended-statistics: yes
-
- # Inhibits selected extended statistics (qtype, qclass, qopcode, rcode,
- # rpz-actions) from printing if their value is 0.
- # Default on.
- # statistics-inhibit-zero: yes
-
- # number of threads to create. 1 disables threading.
- num-threads: 4
-
- # specify the interfaces to answer queries from by ip-address.
- # The default is to listen to localhost (127.0.0.1 and ::1).
- # specify 0.0.0.0 and ::0 to bind to all available interfaces.
- # specify every interface[@port] on a new 'interface:' labelled line.
- # The listen interfaces are not changed on reload, only on restart.
- # interface: 0.0.0.0
- # interface: ::0
- # interface: 192.0.2.153
- # interface: 192.0.2.154
- # interface: 192.0.2.154@5003
- # interface: 2001:DB8::5
- #
- # for dns over tls and raw dns over port 80
- # interface: 0.0.0.0@443
- # interface: ::0@443
- # interface: 0.0.0.0@80
- # interface: ::0@80
-
- # enable this feature to copy the source address of queries to reply.
- # Socket options are not supported on all platforms. experimental.
- # interface-automatic: yes
- #
- # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0
- # NOTE: Disabled per Fedora policy not to listen to * on default install
- # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled
- interface-automatic: no
-
- # instead of the default port, open additional ports separated by
- # spaces when interface-automatic is enabled, by listing them here.
- # interface-automatic-ports: ""
-
- # port to answer queries from
- # port: 53
-
- # specify the interfaces to send outgoing queries to authoritative
- # server from by ip-address. If none, the default (all) interface
- # is used. Specify every interface on a 'outgoing-interface:' line.
- # outgoing-interface: 192.0.2.153
- # outgoing-interface: 2001:DB8::5
- # outgoing-interface: 2001:DB8::6
-
- # Specify a netblock to use remainder 64 bits as random bits for
- # upstream queries. Uses freebind option (Linux).
- # outgoing-interface: 2001:DB8::/64
- # Also (Linux:) ip -6 addr add 2001:db8::/64 dev lo
- # And: ip -6 route add local 2001:db8::/64 dev lo
- # And set prefer-ip6: yes to use the ip6 randomness from a netblock.
- # Set this to yes to prefer ipv6 upstream servers over ipv4.
- # prefer-ip6: no
-
- # Prefer ipv4 upstream servers, even if ipv6 is available.
- # prefer-ip4: no
-
- # number of ports to allocate per thread, determines the size of the About double the
- # num-queries-per-thread, or, use as many as the OS will allow you.
- # outgoing-range: 4096
-
- # permit Unbound to use this port number or port range for
- # making outgoing queries, using an outgoing interface.
- # Only ephemeral ports are allowed by SElinux
- outgoing-port-permit: 32768-60999
-
- # deny Unbound the use this of port number or port range for
- # making outgoing queries, using an outgoing interface.
- # Use this to make sure Unbound does not grab a UDP port that some
- # other server on this computer needs. The default is to avoid
- # IANA-assigned port numbers.
- # If multiple outgoing-port-permit and outgoing-port-avoid options
- # are present, they are processed in order.
- # Our SElinux policy does not allow non-ephemeral ports to be used
- outgoing-port-avoid: 0-32767
- outgoing-port-avoid: 61000-65535
-
- # number of outgoing simultaneous tcp buffers to hold per thread.
- # outgoing-num-tcp: 10
-
- # number of incoming simultaneous tcp buffers to hold per thread.
- # incoming-num-tcp: 10
-
- # buffer size for UDP port 53 incoming (SO_RCVBUF socket option).
- # 0 is system default. Use 4m to catch query spikes for busy servers.
- # so-rcvbuf: 0
-
- # buffer size for UDP port 53 outgoing (SO_SNDBUF socket option).
- # 0 is system default. Use 4m to handle spikes on very busy servers.
- # so-sndbuf: 0
-
- # use SO_REUSEPORT to distribute queries over threads.
- # at extreme load it could be better to turn it off to distribute even.
- so-reuseport: yes
-
- # use IP_TRANSPARENT so the interface: addresses can be non-local
- # and you can config non-existing IPs that are going to work later on
- # (uses IP_BINDANY on FreeBSD).
- ip-transparent: yes
-
- # use IP_FREEBIND so the interface: addresses can be non-local
- # and you can bind to nonexisting IPs and interfaces that are down.
- # Linux only. On Linux you also have ip-transparent that is similar.
- # ip-freebind: no
-
- # the value of the Differentiated Services Codepoint (DSCP)
- # in the differentiated services field (DS) of the outgoing
- # IP packets
- # ip-dscp: 0
-
- # EDNS reassembly buffer to advertise to UDP peers (the actual buffer
- # is set with msg-buffer-size).
- # edns-buffer-size: 1232
-
- # Maximum UDP response size (not applied to TCP response).
- # Suggested values are 512 to 4096. Default is 1232. 65536 disables it.
- # max-udp-size: 1232
-
- # max memory to use for stream(tcp and tls) waiting result buffers.
- # stream-wait-size: 4m
-
- # buffer size for handling DNS data. No messages larger than this
- # size can be sent or received, by UDP or TCP. In bytes.
- # msg-buffer-size: 65552
-
- # the amount of memory to use for the message cache.
- # plain value in bytes or you can append k, m or G. default is "4Mb".
- # msg-cache-size: 4m
-
- # the number of slabs to use for the message cache.
- # the number of slabs must be a power of 2.
- # more slabs reduce lock contention, but fragment memory usage.
- # msg-cache-slabs: 4
-
- # the number of queries that a thread gets to service.
- # num-queries-per-thread: 1024
-
- # if very busy, 50% queries run to completion, 50% get timeout in msec
- # jostle-timeout: 200
-
- # msec to wait before close of port on timeout UDP. 0 disables.
- # delay-close: 0
-
- # perform connect for UDP sockets to mitigate ICMP side channel.
- # udp-connect: yes
-
- # The number of retries, per upstream nameserver in a delegation, when
- # a throwaway response (also timeouts) is received.
- # outbound-msg-retry: 5
-
- # Hard limit on the number of outgoing queries Unbound will make while
- # resolving a name, making sure large NS sets do not loop.
- # It resets on query restarts (e.g., CNAME) and referrals.
- # max-sent-count: 32
-
- # Hard limit on the number of times Unbound is allowed to restart a
- # query upon encountering a CNAME record.
- # max-query-restarts: 11
-
- # msec for waiting for an unknown server to reply. Increase if you
- # are behind a slow satellite link, to eg. 1128.
- # unknown-server-time-limit: 376
-
- # the amount of memory to use for the RRset cache.
- # plain value in bytes or you can append k, m or G. default is "4Mb".
- # rrset-cache-size: 4m
-
- # the number of slabs to use for the RRset cache.
- # the number of slabs must be a power of 2.
- # more slabs reduce lock contention, but fragment memory usage.
- # rrset-cache-slabs: 4
-
- # the time to live (TTL) value lower bound, in seconds. Default 0.
- # If more than an hour could easily give trouble due to stale data.
- # cache-min-ttl: 0
-
- # the time to live (TTL) value cap for RRsets and messages in the
- # cache. Items are not cached for longer. In seconds.
- # cache-max-ttl: 86400
-
- # the time to live (TTL) value cap for negative responses in the cache
- # cache-max-negative-ttl: 3600
-
- # the time to live (TTL) value for cached roundtrip times, lameness and
- # EDNS version information for hosts. In seconds.
- # infra-host-ttl: 900
-
- # minimum wait time for responses, increase if uplink is long. In msec.
- # infra-cache-min-rtt: 50
-
- # maximum wait time for responses. In msec.
- # infra-cache-max-rtt: 120000
-
- # enable to make server probe down hosts more frequently.
- # infra-keep-probing: no
-
- # the number of slabs to use for the Infrastructure cache.
- # the number of slabs must be a power of 2.
- # more slabs reduce lock contention, but fragment memory usage.
- # infra-cache-slabs: 4
-
- # the maximum number of hosts that are cached (roundtrip, EDNS, lame).
- # infra-cache-numhosts: 10000
-
- # define a number of tags here, use with local-zone, access-control,
- # interface-*.
- # repeat the define-tag statement to add additional tags.
- # define-tag: "tag1 tag2 tag3"
-
- # Enable IPv4, "yes" or "no".
- # do-ip4: yes
-
- # Enable IPv6, "yes" or "no".
- # do-ip6: yes
-
- # If running unbound on an IPv6-only host, domains that only have
- # IPv4 servers would become unresolveable. If NAT64 is available in
- # the network, unbound can use NAT64 to reach these servers with
- # the following option. This is NOT needed for enabling DNS64 on a
- # system that has IPv4 connectivity.
- # Consider also enabling prefer-ip6 to prefer native IPv6 connections
- # to nameservers.
- # do-nat64: no
-
- # NAT64 prefix. Defaults to using dns64-prefix value.
- # nat64-prefix: 64:ff9b::0/96
-
- # Enable UDP, "yes" or "no".
- # NOTE: if setting up an Unbound on tls443 for public use, you might want to
- # disable UDP to avoid being used in DNS amplification attacks.
- # do-udp: yes
-
- # Enable TCP, "yes" or "no".
- # do-tcp: yes
-
- # upstream connections use TCP only (and no UDP), "yes" or "no"
- # useful for tunneling scenarios, default no.
- # tcp-upstream: no
-
- # upstream connections also use UDP (even if do-udp is no).
- # useful if if you want UDP upstream, but don't provide UDP downstream.
- # udp-upstream-without-downstream: no
-
- # Maximum segment size (MSS) of TCP socket on which the server
- # responds to queries. Default is 0, system default MSS.
- # tcp-mss: 0
-
- # Maximum segment size (MSS) of TCP socket for outgoing queries.
- # Default is 0, system default MSS.
- # outgoing-tcp-mss: 0
-
- # Idle TCP timeout, connection closed in milliseconds
- # tcp-idle-timeout: 30000
-
- # Enable EDNS TCP keepalive option.
- edns-tcp-keepalive: yes
-
- # Timeout for EDNS TCP keepalive, in msec.
- # edns-tcp-keepalive-timeout: 120000
-
- # UDP queries that have waited in the socket buffer for a long time
- # can be dropped. Default is 0, disabled. In seconds, such as 3.
- # sock-queue-timeout: 0
-
- # Fedora note: do not activate this - not compiled in because
- # it causes frequent unbound crashes. Also, socket activation
- # is bad when you have things like dnsmasq also running with libvirt.
- # Use systemd socket activation for UDP, TCP, and control sockets.
- # use-systemd: no
-
- # Detach from the terminal, run in background, "yes" or "no".
- # Set the value to "no" when Unbound runs as systemd service.
- # do-daemonize: yes
-
- # control which clients are allowed to make (recursive) queries
- # to this server. Specify classless netblocks with /size and action.
- # By default everything is refused, except for localhost.
- # Choose deny (drop message), refuse (polite error reply),
- # allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on),
- # allow_snoop (recursive and nonrecursive ok)
- # deny_non_local (drop queries unless can be answered from local-data)
- # refuse_non_local (like deny_non_local but polite error reply).
- # access-control: 127.0.0.0/8 allow
- # access-control: ::1 allow
- # access-control: ::ffff:127.0.0.1 allow
-
- # tag access-control with list of tags (in "" with spaces between)
- # Clients using this access control element use localzones that
- # are tagged with one of these tags.
- # access-control-tag: 192.0.2.0/24 "tag2 tag3"
-
- # set action for particular tag for given access control element.
- # if you have multiple tag values, the tag used to lookup the action
- # is the first tag match between access-control-tag and local-zone-tag
- # where "first" comes from the order of the define-tag values.
- # access-control-tag-action: 192.0.2.0/24 tag3 refuse
-
- # set redirect data for particular tag for access control element
- # access-control-tag-data: 192.0.2.0/24 tag2 "A 127.0.0.1"
-
- # Set view for access control element
- # access-control-view: 192.0.2.0/24 viewname
-
- # Similar to 'access-control:' but for interfaces.
- # Control which listening interfaces are allowed to accept (recursive)
- # queries for this server.
- # The specified interfaces should be the same as the ones specified in
- # 'interface:' followed by the action.
- # The actions are the same as 'access-control:' above.
- # By default all the interfaces configured are refused.
- # Note: any 'access-control*:' setting overrides all 'interface-*:'
- # settings for targeted clients.
- # interface-action: 192.0.2.153 allow
- # interface-action: 192.0.2.154 allow
- # interface-action: 192.0.2.154@5003 allow
- # interface-action: 2001:DB8::5 allow
- # interface-action: eth0@5003 allow
-
- # Similar to 'access-control-tag:' but for interfaces.
- # Tag interfaces with a list of tags (in "" with spaces between).
- # Interfaces using these tags use localzones that are tagged with one
- # of these tags.
- # The specified interfaces should be the same as the ones specified in
- # 'interface:' followed by the list of tags.
- # Note: any 'access-control*:' setting overrides all 'interface-*:'
- # settings for targeted clients.
- # interface-tag: eth0@5003 "tag2 tag3"
-
- # Similar to 'access-control-tag-action:' but for interfaces.
- # Set action for particular tag for a given interface element.
- # If you have multiple tag values, the tag used to lookup the action
- # is the first tag match between interface-tag and local-zone-tag
- # where "first" comes from the order of the define-tag values.
- # The specified interfaces should be the same as the ones specified in
- # 'interface:' followed by the tag and action.
- # Note: any 'access-control*:' setting overrides all 'interface-*:'
- # settings for targeted clients.
- # interface-tag-action: eth0@5003 tag3 refuse
-
- # Similar to 'access-control-tag-data:' but for interfaces.
- # Set redirect data for a particular tag for an interface element.
- # The specified interfaces should be the same as the ones specified in
- # 'interface:' followed by the tag and the redirect data.
- # Note: any 'access-control*:' setting overrides all 'interface-*:'
- # settings for targeted clients.
- # interface-tag-data: eth0@5003 tag2 "A 127.0.0.1"
-
- # Similar to 'access-control-view:' but for interfaces.
- # Set view for an interface element.
- # The specified interfaces should be the same as the ones specified in
- # 'interface:' followed by the view name.
- # Note: any 'access-control*:' setting overrides all 'interface-*:'
- # settings for targeted clients.
- # interface-view: eth0@5003 viewname
-
- # if given, a chroot(2) is done to the given directory.
- # i.e. you can chroot to the working directory, for example,
- # for extra security, but make sure all files are in that directory.
- #
- # If chroot is enabled, you should pass the configfile (from the
- # commandline) as a full path from the original root. After the
- # chroot has been performed the now defunct portion of the config
- # file path is removed to be able to reread the config after a reload.
- #
- # All other file paths (working dir, logfile, roothints, and
- # key files) can be specified in several ways:
- # o as an absolute path relative to the new root.
- # o as a relative path to the working directory.
- # o as an absolute path relative to the original root.
- # In the last case the path is adjusted to remove the unused portion.
- #
- # The pid file can be absolute and outside of the chroot, it is
- # written just prior to performing the chroot and dropping permissions.
- #
- # Additionally, Unbound may need to access /dev/urandom (for entropy).
- # How to do this is specific to your OS.
- #
- # If you give "" no chroot is performed. The path must not end in a /.
- # chroot: "/var/lib/unbound"
- chroot: ""
-
- # if given, user privileges are dropped (after binding port),
- # and the given username is assumed. Default is user "unbound".
- # If you give "" no privileges are dropped.
- username: "unbound"
-
- # the working directory. The relative files in this config are
- # relative to this directory. If you give "" the working directory
- # is not changed.
- # If you give a server: directory: dir before include: file statements
- # then those includes can be relative to the working directory.
- directory: "/etc/unbound"
-
- # the log file, "" means log to stderr.
- # Use of this option sets use-syslog to "no".
- # logfile: ""
-
- # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
- # log to. If yes, it overrides the logfile.
- # use-syslog: yes
-
- # Log identity to report. if empty, defaults to the name of argv[0]
- # (usually "unbound").
- # log-identity: ""
-
- # print UTC timestamp in ascii to logfile, default is epoch in seconds.
- log-time-ascii: yes
-
- # print one line with time, IP, name, type, class for every query.
- # log-queries: no
-
- # print one line per reply, with time, IP, name, type, class, rcode,
- # timetoresolve, fromcache and responsesize.
- # log-replies: no
-
- # log with tag 'query' and 'reply' instead of 'info' for
- # filtering log-queries and log-replies from the log.
- # log-tag-queryreply: no
-
- # log the local-zone actions, like local-zone type inform is enabled
- # also for the other local zone types.
- # log-local-actions: no
-
- # print log lines that say why queries return SERVFAIL to clients.
- # log-servfail: no
-
- # the pid file. Can be an absolute path outside of chroot/work dir.
- pidfile: "/var/run/unbound/unbound.pid"
-
- # file to read root hints from.
- # get one from https://www.internic.net/domain/named.cache
- # root-hints: ""
-
- # enable to not answer id.server and hostname.bind queries.
- # hide-identity: no
-
- # enable to not answer version.server and version.bind queries.
- # hide-version: no
-
- # enable to not answer trustanchor.unbound queries.
- # hide-trustanchor: no
-
- # enable to not set the User-Agent HTTP header.
- # hide-http-user-agent: no
-
- # the identity to report. Leave "" or default to return hostname.
- # identity: ""
-
- # the version to report. Leave "" or default to return package version.
- # version: ""
-
- # NSID identity (hex string, or "ascii_somestring"). default disabled.
- # nsid: "aabbccdd"
-
- # User-Agent HTTP header to use. Leave "" or default to use package name
- # and version.
- # http-user-agent: ""
-
- # the target fetch policy.
- # series of integers describing the policy per dependency depth.
- # The number of values in the list determines the maximum dependency
- # depth the recursor will pursue before giving up. Each integer means:
- # -1 : fetch all targets opportunistically,
- # 0: fetch on demand,
- # positive value: fetch that many targets opportunistically.
- # Enclose the list of numbers between quotes ("").
- # target-fetch-policy: "3 2 1 0 0"
-
- # Harden against very small EDNS buffer sizes.
- # harden-short-bufsize: yes
-
- # Harden against unseemly large queries.
- # harden-large-queries: no
-
- # Harden against out of zone rrsets, to avoid spoofing attempts.
- harden-glue: yes
-
- # Harden against receiving dnssec-stripped data. If you turn it
- # off, failing to validate dnskey data for a trustanchor will
- # trigger insecure mode for that zone (like without a trustanchor).
- # Default on, which insists on dnssec data for trust-anchored zones.
- harden-dnssec-stripped: yes
-
- # Harden against queries that fall under dnssec-signed nxdomain names.
- harden-below-nxdomain: yes
-
- # Harden the referral path by performing additional queries for
- # infrastructure data. Validates the replies (if possible).
- # Default off, because the lookups burden the server. Experimental
- # implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
- harden-referral-path: yes
-
- # Harden against algorithm downgrade when multiple algorithms are
- # advertised in the DS record. If no, allows the weakest algorithm
- # to validate the zone.
- # harden-algo-downgrade: no
-
- # Harden against unknown records in the authority section and the
- # additional section.
- # harden-unknown-additional: no
-
- # Sent minimum amount of information to upstream servers to enhance
- # privacy. Only sent minimum required labels of the QNAME and set QTYPE
- # to A when possible.
- qname-minimisation: yes
-
- # QNAME minimisation in strict mode. Do not fall-back to sending full
- # QNAME to potentially broken nameservers. A lot of domains will not be
- # resolvable when this option in enabled.
- # This option only has effect when qname-minimisation is enabled.
- # qname-minimisation-strict: no
-
- # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
- # and other denials, using information from previous NXDOMAINs answers.
- aggressive-nsec: yes
-
- # Use 0x20-encoded random bits in the query to foil spoof attempts.
- # This feature is an experimental implementation of draft dns-0x20.
- # use-caps-for-id: no
-
- # Domains (and domains in them) without support for dns-0x20 and
- # the fallback fails because they keep sending different answers.
- # caps-exempt: "licdn.com"
- # caps-exempt: "senderbase.org"
-
- # Enforce privacy of these addresses. Strips them away from answers.
- # It may cause DNSSEC validation to additionally mark it as bogus.
- # Protects against 'DNS Rebinding' (uses browser as network proxy).
- # Only 'private-domain' and 'local-data' names are allowed to have
- # these private addresses. No default.
- # private-address: 10.0.0.0/8
- # private-address: 172.16.0.0/12
- # private-address: 192.168.0.0/16
- # private-address: 169.254.0.0/16
- # private-address: fd00::/8
- # private-address: fe80::/10
- # private-address: ::ffff:0:0/96
-
- # Allow the domain (and its subdomains) to contain private addresses.
- # local-data statements are allowed to contain private addresses too.
- # private-domain: "example.com"
-
- # If nonzero, unwanted replies are not only reported in statistics,
- # but also a running total is kept per thread. If it reaches the
- # threshold, a warning is printed and a defensive action is taken,
- # the cache is cleared to flush potential poison out of it.
- # A suggested value is 10000000, the default is 0 (turned off).
- unwanted-reply-threshold: 10000000
-
- # Do not query the following addresses. No DNS queries are sent there.
- # List one address per entry. List classless netblocks with /size,
- # do-not-query-address: 127.0.0.1/8
- # do-not-query-address: ::1
-
- # if yes, the above default do-not-query-address entries are present.
- # if no, localhost can be queried (for testing and debugging).
- # do-not-query-localhost: yes
-
- # if yes, perform prefetching of almost expired message cache entries.
- prefetch: yes
-
- # if yes, perform key lookups adjacent to normal lookups.
- prefetch-key: yes
-
- # deny queries of type ANY with an empty response.
- deny-any: yes
-
- # if yes, Unbound rotates RRSet order in response.
- rrset-roundrobin: yes
-
- # if yes, Unbound doesn't insert authority/additional sections
- # into response messages when those sections are not required.
- minimal-responses: yes
-
- # true to disable DNSSEC lameness check in iterator.
- # disable-dnssec-lame-check: no
-
- # module configuration of the server. A string with identifiers
- # separated by spaces. Syntax: "[dns64] [validator] iterator"
- # most modules have to be listed at the beginning of the line,
- # except cachedb(just before iterator), and python (at the beginning,
- # or, just before the iterator).
- # For redis cachedb use:
- # "ipsecmod validator cachedb iterator"
- module-config: "ipsecmod validator iterator"
-
- # File with trusted keys, kept uptodate using RFC5011 probes,
- # initial file like trust-anchor-file, then it stores metadata.
- # Use several entries, one per domain name, to track multiple zones.
- #
- # If you want to perform DNSSEC validation, run unbound-anchor before
- # you start Unbound (i.e. in the system boot scripts).
- # And then enable the auto-trust-anchor-file config item.
- # Please note usage of unbound-anchor root anchor is at your own risk
- # and under the terms of our LICENSE (see that file in the source).
- # auto-trust-anchor-file: "/var/lib/unbound/root.key" - - # trust anchor signaling sends a RFC8145 key tag query after priming. - trust-anchor-signaling: yes - - # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel) - root-key-sentinel: yes - - # File with trusted keys for validation. Specify more than one file - # with several entries, one file per entry. - # Zone file format, with DS and DNSKEY entries. - # Note this gets out of date, use auto-trust-anchor-file please. - # trust-anchor-file: "" - - # Trusted key for validation. DS or DNSKEY. specify the RR on a - # single line, surrounded by "". TTL is ignored. class is IN default. - # Note this gets out of date, use auto-trust-anchor-file please. - # (These examples are from August 2007 and may not be valid anymore). - # trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ==" - # trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A" - - # File with trusted keys for validation. Specify more than one file - # with several entries, one file per entry. Like trust-anchor-file - # but has a different file format. Format is BIND-9 style format, - # the trusted-keys { name flag proto algo "key"; }; clauses are read. - # you need external update procedures to track changes in keys. - # trusted-keys-file: "" - # - trusted-keys-file: /etc/unbound/keys.d/*.key - auto-trust-anchor-file: "/var/lib/unbound/root.key" - - # Ignore chain of trust. Domain is treated as insecure. - # domain-insecure: "example.com" - - # Override the date for validation with a specific fixed date. - # Do not set this unless you are debugging signature inception - # and expiration. "" or "0" turns the feature off. -1 ignores date. - # val-override-date: "" - - # The time to live for bogus data, rrsets and messages. 
This avoids - # some of the revalidation, until the time interval expires. in secs. - # val-bogus-ttl: 60 - - # The signature inception and expiration dates are allowed to be off - # by 10% of the signature lifetime (expir-incep) from our local clock. - # This leeway is capped with a minimum and a maximum. In seconds. - # val-sig-skew-min: 3600 - # val-sig-skew-max: 86400 - - # The maximum number the validator should restart validation with - # another authority in case of failed validation. - # val-max-restart: 5 - - # Should additional section of secure message also be kept clean of - # unsecure data. Useful to shield the users of this validator from - # potential bogus data in the additional section. All unsigned data - # in the additional section is removed from secure messages. - val-clean-additional: yes - - # Turn permissive mode on to permit bogus messages. Thus, messages - # for which security checks failed will be returned to clients, - # instead of SERVFAIL. It still performs the security checks, which - # result in interesting log files and possibly the AD bit in - # replies if the message is found secure. The default is off. - # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY - val-permissive-mode: no - - # Ignore the CD flag in incoming queries and refuse them bogus data. - # Enable it if the only clients of Unbound are legacy servers (w2008) - # that set CD but cannot validate themselves. - # ignore-cd-flag: no - - # Serve expired responses from cache, with serve-expired-reply-ttl in - # the response, and then attempt to fetch the data afresh. - serve-expired: yes - # - # Limit serving of expired responses to configured seconds after - # expiration. 0 disables the limit. - serve-expired-ttl: 14400 - # - # Set the TTL of expired records to the serve-expired-ttl value after a - # failed attempt to retrieve the record from upstream. This makes sure - # that the expired records will be served as long as there are queries - # for it. 
- # serve-expired-ttl-reset: no - # - # TTL value to use when replying with expired data. - # serve-expired-reply-ttl: 30 - # - # Time in milliseconds before replying to the client with expired data. - # This essentially enables the serve-stale behavior as specified in - # RFC 8767 that first tries to resolve before - # immediately responding with expired data. 0 disables this behavior. - # A recommended value is 1800. - # serve-expired-client-timeout: 0 - - # Return the original TTL as received from the upstream name server rather - # than the decrementing TTL as stored in the cache. Enabling this feature - # does not impact cache expiry, it only changes the TTL Unbound embeds in - # responses to queries. Note that enabling this feature implicitly disables - # enforcement of the configured minimum and maximum TTL. - # serve-original-ttl: no - - # Have the validator log failed validations for your diagnosis. - # 0: off. 1: A line per failed user query. 2: With reason and bad IP. - val-log-level: 1 - - # It is possible to configure NSEC3 maximum iteration counts per - # keysize. Keep this table very short, as linear search is done. - # A message with an NSEC3 with larger count is marked insecure. - # List in ascending order the keysize and count values. - # val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150" - - # if enabled, ZONEMD verification failures do not block the zone. - # zonemd-permissive-mode: no - - # instruct the auto-trust-anchor-file probing to add anchors after ttl. - # add-holddown: 2592000 # 30 days - - # instruct the auto-trust-anchor-file probing to del anchors after ttl. - # del-holddown: 2592000 # 30 days - - # auto-trust-anchor-file probing removes missing anchors after ttl. - # If the value 0 is given, missing anchors are not removed. - # keep-missing: 31622400 # 366 days - - # debug option that allows very small holddown times for key rollover, - # otherwise the RFC mandates probe intervals must be at least 1 hour. 
- # permit-small-holddown: no - - # the amount of memory to use for the key cache. - # plain value in bytes or you can append k, m or G. default is "4Mb". - # key-cache-size: 4m - - # the number of slabs to use for the key cache. - # the number of slabs must be a power of 2. - # more slabs reduce lock contention, but fragment memory usage. - # key-cache-slabs: 4 - - # the amount of memory to use for the negative cache. - # plain value in bytes or you can append k, m or G. default is "1Mb". - # neg-cache-size: 1m - - # By default, for a number of zones a small default 'nothing here' - # reply is built-in. Query traffic is thus blocked. If you - # wish to serve such zone you can unblock them by uncommenting one - # of the nodefault statements below. - # You may also have to use domain-insecure: zone to make DNSSEC work, - # unless you have your own trust anchors for this zone. - # local-zone: "localhost." nodefault - # local-zone: "127.in-addr.arpa." nodefault - # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault - # local-zone: "home.arpa." nodefault - # local-zone: "onion." nodefault - # local-zone: "test." nodefault - # local-zone: "invalid." nodefault - # local-zone: "10.in-addr.arpa." nodefault - # local-zone: "16.172.in-addr.arpa." nodefault - # local-zone: "17.172.in-addr.arpa." nodefault - # local-zone: "18.172.in-addr.arpa." nodefault - # local-zone: "19.172.in-addr.arpa." nodefault - # local-zone: "20.172.in-addr.arpa." nodefault - # local-zone: "21.172.in-addr.arpa." nodefault - # local-zone: "22.172.in-addr.arpa." nodefault - # local-zone: "23.172.in-addr.arpa." nodefault - # local-zone: "24.172.in-addr.arpa." nodefault - # local-zone: "25.172.in-addr.arpa." nodefault - # local-zone: "26.172.in-addr.arpa." nodefault - # local-zone: "27.172.in-addr.arpa." nodefault - # local-zone: "28.172.in-addr.arpa." nodefault - # local-zone: "29.172.in-addr.arpa." nodefault - # local-zone: "30.172.in-addr.arpa." 
nodefault - # local-zone: "31.172.in-addr.arpa." nodefault - # local-zone: "168.192.in-addr.arpa." nodefault - # local-zone: "0.in-addr.arpa." nodefault - # local-zone: "254.169.in-addr.arpa." nodefault - # local-zone: "2.0.192.in-addr.arpa." nodefault - # local-zone: "100.51.198.in-addr.arpa." nodefault - # local-zone: "113.0.203.in-addr.arpa." nodefault - # local-zone: "255.255.255.255.in-addr.arpa." nodefault - # local-zone: "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault - # local-zone: "d.f.ip6.arpa." nodefault - # local-zone: "8.e.f.ip6.arpa." nodefault - # local-zone: "9.e.f.ip6.arpa." nodefault - # local-zone: "a.e.f.ip6.arpa." nodefault - # local-zone: "b.e.f.ip6.arpa." nodefault - # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault - # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa. - - # Add example.com into ipset - # local-zone: "example.com" ipset - - # If Unbound is running service for the local host then it is useful - # to perform lan-wide lookups to the upstream, and unblock the - # long list of local-zones above. If this Unbound is a dns server - # for a network of computers, disabled is better and stops information - # leakage of local lan information. - # unblock-lan-zones: no - - # The insecure-lan-zones option disables validation for - # these zones, as if they were all listed as domain-insecure. - # insecure-lan-zones: no - - # a number of locally served zones can be configured. - # local-zone: - # local-data: "" - # o deny serves local data (if any), else, drops queries. - # o refuse serves local data (if any), else, replies with error. - # o static serves local data, else, nxdomain or nodata answer. - # o transparent gives local data, but resolves normally for other names - # o redirect serves the zone data for any subdomain in the zone. - # o nodefault can be used to normally resolve AS112 zones. 
- # o typetransparent resolves normally for other types and other names - # o inform acts like transparent, but logs client IP address - # o inform_deny drops queries and logs client IP address - # o inform_redirect redirects queries and logs client IP address - # o always_transparent, always_refuse, always_nxdomain, always_nodata, - # always_deny resolve in that way but ignore local data for - # that name - # o block_a resolves all records normally but returns - # NODATA for A queries and ignores local data for that name - # o always_null returns 0.0.0.0 or ::0 for any name in the zone. - # o noview breaks out of that view towards global local-zones. - # - # defaults are localhost address, reverse for 127.0.0.1 and ::1 - # and nxdomain for AS112 zones. If you configure one of these zones - # the default content is omitted, or you can omit it with 'nodefault'. - # - # If you configure local-data without specifying local-zone, by - # default a transparent local-zone is created for the data. - # - # You can add locally served data with - # local-zone: "local." static - # local-data: "mycomputer.local. IN A 192.0.2.51" - # local-data: 'mytext.local TXT "content of text record"' - # - # You can override certain queries with - # local-data: "adserver.example.com A 127.0.0.1" - # - # You can redirect a domain to a fixed address with - # (this makes example.com, www.example.com, etc, all go to 192.0.2.3) - # local-zone: "example.com" redirect - # local-data: "example.com A 192.0.2.3" - # - # Shorthand to make PTR records, "IPv4 name" or "IPv6 name". - # You can also add PTR records using local-data directly, but then - # you need to do the reverse notation yourself. 
- # local-data-ptr: "192.0.2.3 www.example.com" - - include: /etc/unbound/local.d/*.conf - - # tag a localzone with a list of tag names (in "" with spaces between) - # local-zone-tag: "example.com" "tag2 tag3" - - # add a netblock specific override to a localzone, with zone type - # local-zone-override: "example.com" 192.0.2.0/24 refuse - - # service clients over TLS (on the TCP sockets) with plain DNS inside - # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. - # Give the certificate to use and private key. - # default is "" (disabled). requires restart to take effect. - # tls-service-key: "/etc/unbound/unbound_server.key" - # tls-service-pem: "/etc/unbound/unbound_server.pem" - # tls-port: 853 - # https-port: 443 - - # cipher setting for TLSv1.2 - # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" - # cipher setting for TLSv1.3 - # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" - # Fedora/RHEL: use system-wide crypto policies - tls-ciphers: "PROFILE=SYSTEM" - # TODO: ask system-wide crypto people what to use here - #tls-ciphersuites: "PROFILE=SYSTEM" # does not work - - # Pad responses to padded queries received over TLS - # pad-responses: yes - - # Padded responses will be padded to the closest multiple of this size. - # pad-responses-block-size: 468 - - # Use the SNI extension for TLS connections. Default is yes. - # Changing the value requires a reload. - # tls-use-sni: yes - - # Add the secret file for TLS Session Ticket. - # Secret file must be 80 bytes of random data. - # First key use to encrypt and decrypt TLS session tickets. - # Other keys use to decrypt only. - # requires restart to take effect. 
- # tls-session-ticket-keys: "path/to/secret_file1" - # tls-session-ticket-keys: "path/to/secret_file2" - - # request upstream over TLS (with plain DNS inside the TLS stream). - # Default is no. Can be turned on and off with unbound-control. - # tls-upstream: no - - # Certificates used to authenticate connections made upstream. - # tls-cert-bundle: "" - - # Add system certs to the cert bundle, from the Windows Cert Store - # tls-win-cert: no - # and on other systems, the default openssl certificates - # tls-system-cert: no - - # Pad queries over TLS upstreams - # pad-queries: yes - - # Padded queries will be padded to the closest multiple of this size. - # pad-queries-block-size: 128 - - # Also serve tls on these port numbers (eg. 443, ...), by listing - # tls-additional-port: portno for each of the port numbers. - - # HTTP endpoint to provide DNS-over-HTTPS service on. - # http-endpoint: "/dns-query" - - # HTTP/2 SETTINGS_MAX_CONCURRENT_STREAMS value to use. - # http-max-streams: 100 - - # Maximum number of bytes used for all HTTP/2 query buffers. - # http-query-buffer-size: 4m - - # Maximum number of bytes used for all HTTP/2 response buffers. - # http-response-buffer-size: 4m - - # Set TCP_NODELAY socket option on sockets used for DNS-over-HTTPS - # service. - # http-nodelay: yes - - # Disable TLS for DNS-over-HTTP downstream service. - # http-notls-downstream: no - - # The interfaces that use these listed port numbers will support and - # expect PROXYv2. For UDP and TCP/TLS interfaces. - # proxy-protocol-port: portno for each of the port numbers. - - # DNS64 prefix. Must be specified when DNS64 is use. - # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4. - # dns64-prefix: 64:ff9b::0/96 - - # DNS64 ignore AAAA records for these domains and use A instead. - # dns64-ignore-aaaa: "example.com" - - # ratelimit for uncached, new queries, this limits recursion effort. - # ratelimiting is experimental, and may help against randomqueryflood. 
- # if 0(default) it is disabled, otherwise state qps allowed per zone. - # ratelimit: 0 - - # ratelimits are tracked in a cache, size in bytes of cache (or k,m). - # ratelimit-size: 4m - # ratelimit cache slabs, reduces lock contention if equal to cpucount. - # ratelimit-slabs: 4 - - # 0 blocks when ratelimited, otherwise let 1/xth traffic through - # ratelimit-factor: 10 - - # Aggressive rate limit when the limit is reached and until demand has - # decreased in a 2 second rate window. - # ratelimit-backoff: no - - # override the ratelimit for a specific domain name. - # give this setting multiple times to have multiple overrides. - # ratelimit-for-domain: example.com 1000 - # override the ratelimits for all domains below a domain name - # can give this multiple times, the name closest to the zone is used. - # ratelimit-below-domain: com 1000 - - # global query ratelimit for all ip addresses. - # feature is experimental. - # if 0(default) it is disabled, otherwise states qps allowed per ip address - # ip-ratelimit: 0 - - # ip ratelimits are tracked in a cache, size in bytes of cache (or k,m). - # ip-ratelimit-size: 4m - # ip ratelimit cache slabs, reduces lock contention if equal to cpucount. - # ip-ratelimit-slabs: 4 - - # 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through - # ip-ratelimit-factor: 10 - - # Aggressive rate limit when the limit is reached and until demand has - # decreased in a 2 second rate window. - # ip-ratelimit-backoff: no - - # Limit the number of connections simultaneous from a netblock - # tcp-connection-limit: 192.0.2.0/24 12 - - # select from the fastest servers this many times out of 1000. 0 means - # the fast server select is disabled. prefetches are not sped up. - # fast-server-permil: 0 - # the number of servers that will be used in the fast server selection. - # fast-server-num: 3 - - # Enable to attach Extended DNS Error codes (RFC8914) to responses. 
- ede: yes - - # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale - # Answer as EDNS0 option to expired responses. - # Note that the ede option above needs to be enabled for this to work. - ede-serve-expired: yes - - # Specific options for ipsecmod. Unbound needs to be configured with - # --enable-ipsecmod for these to take effect. - # - # Enable or disable ipsecmod (it still needs to be defined in - # module-config above). Can be used when ipsecmod needs to be - # enabled/disabled via remote-control(below). - # Fedora: module will be enabled on-demand by libreswan - ipsecmod-enabled: no - - # Path to executable external hook. It must be defined when ipsecmod is - # listed in module-config (above). - # ipsecmod-hook: "./my_executable" - ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook - - # When enabled Unbound will reply with SERVFAIL if the return value of - # the ipsecmod-hook is not 0. - # ipsecmod-strict: no - # - # Maximum time to live (TTL) for cached A/AAAA records with IPSECKEY. - # ipsecmod-max-ttl: 3600 - # - # Reply with A/AAAA even if the relevant IPSECKEY is bogus. Mainly used for - # testing. - # ipsecmod-ignore-bogus: no - # - # Domains for which ipsecmod will be triggered. If not defined (default) - # all domains are treated as being allowed. - # ipsecmod-allow: "example.com" - # ipsecmod-allow: "nlnetlabs.nl" - - # Timeout for REUSE entries in milliseconds. - # tcp-reuse-timeout: 60000 - # Max number of queries on a reuse connection. - # max-reuse-tcp-queries: 200 - # Timeout in milliseconds for TCP queries to auth servers. - # tcp-auth-query-timeout: 3000 - -# Python config section. To enable: -# o use --with-pythonmodule to configure before compiling. -# o list python in the module-config string (above) to enable. -# It can be at the start, it gets validated results, or just before -# the iterator and process before DNSSEC validation. -# o and give a python-script to run. 
-python:
- # Script file to load
- # python-script: "/etc/unbound/ubmodule-tst.py"
-
-# Dynamic library config section. To enable:
-# o use --with-dynlibmodule to configure before compiling.
-# o list dynlib in the module-config string (above) to enable.
-# It can be placed anywhere, the dynlib module is only a very thin wrapper
-# to load modules dynamically.
-# o and give a dynlib-file to run. If more than one dynlib entry is listed in
-# the module-config then you need one dynlib-file per instance.
-dynlib:
- # Script file to load
- # dynlib-file: "/etc/unbound/dynlib.so"
-
-# Remote control config section.
-remote-control:
- # Enable remote control with unbound-control(8) here.
- # set up the keys and certificates with unbound-control-setup.
- # Note: required for unbound-munin package
- control-enable: yes
-
- # Set to no and use an absolute path as control-interface to use
- # a unix local named pipe for unbound-control.
- # control-use-cert: yes
-
- # what interfaces are listened to for remote control.
- # give 0.0.0.0 and ::0 to listen to all interfaces.
- # set to an absolute path to use a unix local name pipe, certificates
- # are not used for that, so key and cert files need not be present.
- # control-interface: 127.0.0.1
- # control-interface: ::1
-
- # port number for remote control operations.
- # control-port: 8953
-
- # for localhost, you can disable use of TLS by setting this to "no"
- # For local sockets this option is ignored, and TLS is not used.
- control-use-cert: "no"
-
- # Unbound server key file.
- server-key-file: "/etc/unbound/unbound_server.key"
-
- # Unbound server certificate file.
- server-cert-file: "/etc/unbound/unbound_server.pem"
-
- # unbound-control key file.
- control-key-file: "/etc/unbound/unbound_control.key"
-
- # unbound-control certificate file.
- control-cert-file: "/etc/unbound/unbound_control.pem"
-
-# Stub and Forward zones
-include: /etc/unbound/conf.d/*.conf
-
-# Stub zones.
-# Create entries like below, to make all queries for 'example.com' and
-# 'example.org' go to the given list of nameservers. list zero or more
-# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
-# the list is treated as priming hints (default is no).
-# With stub-first yes, it attempts without the stub if it fails.
-# Consider adding domain-insecure: name and local-zone: name nodefault
-# to the server: section if the stub is a locally served zone.
-# stub-zone:
-# name: "example.com"
-# stub-addr: 192.0.2.68
-# stub-prime: no
-# stub-first: no
-# stub-tcp-upstream: no
-# stub-tls-upstream: no
-# stub-no-cache: no
-# stub-zone:
-# name: "example.org"
-# stub-host: ns.example.com.
-
-# You can now also dynamically create and delete stub-zone's using
-# unbound-control stub_add domain.com 1.2.3.4 5.6.7.8
-# unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8
-
-# Forward zones
-# Create entries like below, to make all queries for 'example.com' and
-# 'example.org' go to the given list of servers. These servers have to handle
-# recursion to other nameservers. List zero or more nameservers by hostname
-# or by ipaddress. Use an entry with name "." to forward all queries.
-# If you enable forward-first, it attempts without the forward if it fails.
-# forward-zone:
-# name: "example.com"
-# forward-addr: 192.0.2.68
-# forward-addr: 192.0.2.73@5355 # forward to port 5355.
-# forward-first: no
-# forward-tcp-upstream: no
-# forward-tls-upstream: no
-# forward-no-cache: no
-# forward-zone:
-# name: "example.org"
-# forward-host: fwd.example.com
-#
-# You can now also dynamically create and delete forward-zone's using
-# unbound-control forward_add domain.com 1.2.3.4 5.6.7.8
-# unbound-control forward_remove domain.com 1.2.3.4 5.6.7.8
-
-# Authority zones
-# The data for these zones is kept locally, from a file or downloaded.
-# The data can be served to downstream clients, or used instead of the
-# upstream (which saves a lookup to the upstream). The first example
-# has a copy of the root for local usage. The second serves example.org
-# authoritatively. zonefile: reads from file (and writes to it if you also
-# download it), master: fetches with AXFR and IXFR, or url to zonefile.
-# With allow-notify: you can give additional (apart from masters) sources of
-# notifies.
-auth-zone:
- name: "."
- primary: 199.9.14.201 # b.root-servers.net
- primary: 192.33.4.12 # c.root-servers.net
- primary: 199.7.91.13 # d.root-servers.net
- primary: 192.5.5.241 # f.root-servers.net
- primary: 192.112.36.4 # g.root-servers.net
- primary: 193.0.14.129 # k.root-servers.net
- primary: 192.0.47.132 # xfr.cjr.dns.icann.org
- primary: 192.0.32.132 # xfr.lax.dns.icann.org
- primary: 2001:500:200::b # b.root-servers.net
- primary: 2001:500:2::c # c.root-servers.net
- primary: 2001:500:2d::d # d.root-servers.net
- primary: 2001:500:2f::f # f.root-servers.net
- primary: 2001:500:12::d0d # g.root-servers.net
- primary: 2001:7fd::1 # k.root-servers.net
- primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
- primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org
- fallback-enabled: yes
- for-downstream: no
- for-upstream: yes
-
-# auth-zone:
-# name: "example.org"
-# for-downstream: yes
-# for-upstream: yes
-# zonemd-check: no
-# zonemd-reject-absence: no
-# zonefile: "example.org.zone"
-
-# Views
-# Create named views. Name must be unique. Map views to requests using
-# the access-control-view option. Views can contain zero or more local-zone
-# and local-data options. Options from matching views will override global
-# options. Global options will be used if no matching view is found.
-# With view-first yes, it will try to answer using the global local-zone and
-# local-data elements if there is no view specific match.
-# view:
-# name: "viewname"
-# local-zone: "example.com" redirect
-# local-data: "example.com A 192.0.2.3"
-# local-data-ptr: "192.0.2.3 www.example.com"
-# view-first: no
-# view:
-# name: "anotherview"
-# local-zone: "example.com" refuse
-
-# Fedora: DNSCrypt support not enabled since it requires linking to
-# another crypto library
-#
-# DNSCrypt
-# o enable, use --enable-dnscrypt to configure before compiling.
-# Caveats:
-# 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper
-# for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
-# 2. dnscrypt channel attaches to an interface. you MUST set interfaces to
-# listen on `dnscrypt-port` with the follo0wing snippet:
-# server:
-# interface: 0.0.0.0@443
-# interface: ::0@443
-#
-# Finally, `dnscrypt` config has its own section.
-# dnscrypt:
-# dnscrypt-enable: yes
-# dnscrypt-port: 443
-# dnscrypt-provider: 2.dnscrypt-cert.example.com.
-# dnscrypt-secret-key: /path/unbound-conf/keys1/1.key
-# dnscrypt-secret-key: /path/unbound-conf/keys2/1.key
-# dnscrypt-provider-cert: /path/unbound-conf/keys1/1.cert
-# dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert
-
-# CacheDB
-# External backend DB as auxiliary cache.
-# To enable, use --enable-cachedb to configure before compiling.
-# Specify the backend name
-# (default is "testframe", which has no use other than for debugging and
-# testing) and backend-specific options. The 'cachedb' module must be
-# included in module-config, just before the iterator module.
-# cachedb:
-# backend: "testframe"
-# # secret seed string to calculate hashed keys
-# secret-seed: "default"
-#
-# # For "redis" backend:
-# # (to enable, use --with-libhiredis to configure before compiling)
-# # redis server's IP address or host name
-# redis-server-host: 127.0.0.1
-# # redis server's TCP port
-# redis-server-port: 6379
-# # if the server uses a unix socket, set its path, or "" when not used.
-# # redis-server-path: "/var/lib/redis/redis-server.sock"
-# # if the server uses an AUTH password, specify here, or "" when not used.
-# # redis-server-password: ""
-# # timeout (in ms) for communication with the redis server
-# redis-timeout: 100
-# # set timeout on redis records based on DNS response TTL
-# redis-expire-records: no
-
-# IPSet
-# Add specify domain into set via ipset.
-# To enable:
-# o use --enable-ipset to configure before compiling;
-# o Unbound then needs to run as root user.
-# ipset:
-# # set name for ip v4 addresses
-# name-v4: "list-v4"
-# # set name for ip v6 addresses
-# name-v6: "list-v6"
-#
-
-# Dnstap logging support, if compiled in by using --enable-dnstap to configure.
-# To enable, set the dnstap-enable to yes and also some of
-# dnstap-log-..-messages to yes. And select an upstream log destination, by
-# socket path, TCP or TLS destination.
-# dnstap:
-# dnstap-enable: no
-# # if set to yes frame streams will be used in bidirectional mode
-# dnstap-bidirectional: yes
-# dnstap-socket-path: "/etc/unbound/dnstap.sock"
-# # if "" use the unix socket in dnstap-socket-path, otherwise,
-# # set it to "IPaddress[@port]" of the destination.
-# dnstap-ip: ""
-# # if set to yes if you want to use TLS to dnstap-ip, no for TCP.
-# dnstap-tls: yes
-# # name for authenticating the upstream server. or "" disabled.
-# dnstap-tls-server-name: ""
-# # if "", it uses the cert bundle from the main Unbound config.
-# dnstap-tls-cert-bundle: ""
-# # key file for client authentication, or "" disabled.
-# dnstap-tls-client-key-file: ""
-# # cert file for client authentication, or "" disabled.
-# dnstap-tls-client-cert-file: ""
-# dnstap-send-identity: no
-# dnstap-send-version: no
-# # if "" it uses the hostname.
-# dnstap-identity: ""
-# # if "" it uses the package version.
-# dnstap-version: ""
-# dnstap-log-resolver-query-messages: no
-# dnstap-log-resolver-response-messages: no
-# dnstap-log-client-query-messages: no
-# dnstap-log-client-response-messages: no
-# dnstap-log-forwarder-query-messages: no
-# dnstap-log-forwarder-response-messages: no
-
-# Response Policy Zones
-# RPZ policies. Applied in order of configuration. QNAME, Response IP
-# Address, nsdname, nsip and clientip triggers are supported. Supported
-# actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp-only
-# and drop. Policies can be loaded from a file, or using zone
-# transfer, or using HTTP. The respip module needs to be added
-# to the module-config, e.g.: module-config: "respip validator iterator".
-# rpz:
-# name: "rpz.example.com"
-# zonefile: "rpz.example.com"
-# primary: 192.0.2.0
-# allow-notify: 192.0.2.0/32
-# url: http://www.example.com/rpz.example.org.zone
-# rpz-action-override: cname
-# rpz-cname-override: www.example.org
-# rpz-log: yes
-# rpz-log-name: "example policy"
-# rpz-signal-nxdomain-ra: no
-# for-downstream: no
-# tags: "example"
diff --git a/unbound.spec b/unbound.spec
index 60925b1..ee7d4a0 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -36,7 +36,6 @@ License: BSD-3-Clause
 Url: https://nlnetlabs.nl/projects/unbound/
 Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
 Source1: unbound.service
-Source2: unbound.conf
 Source3: unbound.munin
 Source4: unbound_munin_
 Source5: root.key
@@ -56,7 +55,8 @@ Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_vers
 Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
 Source20: unbound.sysusers
-# Patch1:
+# Downstream configuration changes
+Patch1: unbound-fedora-config.patch
 BuildRequires: gcc, make
 BuildRequires: flex, openssl-devel
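Review bot: The new `# Downstream configuration changes` comment above `Patch1: unbound-fedora-config.patch` does not say which settings the patch has to carry over from the `Source2: unbound.conf` that the same commit drops, so whoever rebases the patch on the next upstream release has nothing to check against. The deleted file earlier in this diff set, among others, `tls-ciphers: "PROFILE=SYSTEM"`, `control-use-cert: "no"`, `include: /etc/unbound/conf.d/*.conf` and `ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook`; the patch contents are not visible here, so whether each one survives cannot be verified from this hunk. Suggest expanding the comment to name them, e.g. `# Downstream changes to doc/example.conf: system crypto policy, remote-control without TLS, conf.d/local.d includes, ipsecmod hook; rebase on every upstream release`.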
@@ -202,7 +202,7 @@ Python 3 modules and extensions for unbound
 pushd %{pkgname}
 # patches go here
-%autopatch -p1
+%autopatch -p2
 # only for snapshots
 # autoreconf -iv
@@ -237,7 +237,8 @@ cp -a %{dir_primary} %{dir_secondary}
 --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\
 --with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\
 --enable-sha2 --disable-gost --enable-ecdsa \\\
- --with-rootkey-file=%{_sharedstatedir}/unbound/root.key \\\
+ --with-rootkey-file=%{_sharedstatedir}/%{name}/root.key \\\
+ --with-username=unbound \\\
 --enable-linux-ip-local-port-range \\\
@@ -300,6 +301,7 @@ popd
 pushd %{dir_primary}
 %make_install unbound-event-install
 install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp
+install -p -m 0755 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf
 popd
 install -d -m 0755 %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig
@@ -307,7 +309,6 @@ install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service
 install -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/unbound-keygen.service
 install -p -m 0644 %{SOURCE15} %{buildroot}%{_unitdir}/unbound-anchor.timer
 install -p -m 0644 %{SOURCE17} %{buildroot}%{_unitdir}/unbound-anchor.service
-install -p -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound
 install -p -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/unbound
 install -p -m 0644 %{SOURCE14} %{buildroot}%{_sysconfdir}/sysconfig/unbound
 install -p -D -m 0644 %{SOURCE20} %{buildroot}%{_sysusersdir}/%{name}.sysusers
From f3b35b2ddde6229b0c212eb3d33a64e28f1f3d89 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Wed, 6 Dec 2023 21:18:39 +0100
Subject: [PATCH 069/139] Rename unbound.sysusers to unbound.conf
Resolves: rhbz#2252265
---
 unbound.spec | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/unbound.spec b/unbound.spec
index ee7d4a0..de33dbc 100644
--- a/unbound.spec
+++ b/unbound.spec
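Review bot: `install -p -m 0755 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf` in the `@@ -300,6 +301,7 @@` hunk installs the resolver's main configuration with the execute bit set; a configuration file should be `-m 0644`, and the removed `%{SOURCE2}` install line had the same 0755, so this carries an odd mode forward rather than fixing it. Unless the `%files` entry for unbound.conf, which is outside these hunks, overrides the mode with `%attr`, the packaged file ends up executable, which rpmlint flags and which is easy to misread as a script. Suggest `install -p -m 0644 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf`. The `%autopatch -p1` to `-p2` change in the first hunk applies to every patch the spec will ever list, so any future Patch entry has to be produced with the same two-component path prefix; a comment such as `# all patches are -p2 (generated against the unpacked %{pkgname}/ tree)` next to it would prevent a silent misapply.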
@@ -311,7 +311,7 @@ install -p -m 0644 %{SOURCE15} %{buildroot}%{_unitdir}/unbound-anchor.timer
 install -p -m 0644 %{SOURCE17} %{buildroot}%{_unitdir}/unbound-anchor.service
 install -p -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/unbound
 install -p -m 0644 %{SOURCE14} %{buildroot}%{_sysconfdir}/sysconfig/unbound
-install -p -D -m 0644 %{SOURCE20} %{buildroot}%{_sysusersdir}/%{name}.sysusers
+install -p -D -m 0644 %{SOURCE20} %{buildroot}%{_sysusersdir}/%{name}.conf
 %if %{with_munin}
 # Install munin plugin and its softlinks
 install -d -m 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d
@@ -476,7 +476,7 @@ popd
 %doc doc/README
 %license doc/LICENSE
 %attr(0755,root,root) %dir %{_sysconfdir}/%{name}
-%{_sysusersdir}/%{name}.sysusers
+%{_sysusersdir}/%{name}.conf
 %{_libdir}/libunbound.so.8*
 %dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
 %verify(not size mtime filedigest link mode user group) %{_sharedstatedir}/%{name}/root.key
From 06e6f74d5fbb846589795dde5330c18f1b28bc4e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Wed, 6 Dec 2023 21:48:12 +0100
Subject: [PATCH 070/139] Consider unbound-anchor maintained root.key config file

Required to keep it maintained by the unbound-anchor.service. Do not reset it to vendor file again on package upgrade. If it were once modified, keep it modified.

Resolves: rhbz#2142368
---
 unbound.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/unbound.spec b/unbound.spec
index de33dbc..bcc5e24 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -479,7 +479,7 @@ popd
 %{_sysusersdir}/%{name}.conf
 %{_libdir}/libunbound.so.8*
 %dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
-%verify(not size mtime filedigest link mode user group) %{_sharedstatedir}/%{name}/root.key
+%config(noreplace) %verify(not link user group) %{_sharedstatedir}/%{name}/root.key
 # just left for backwards compat with user changed unbound.conf files - format is different!
 %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
 %attr(0644,root,root) %config %{_sysconfdir}/%{name}/dnssec-root.key
From cac99bf119184278b6efbc26dfb4fc51ed43be33 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Thu, 7 Dec 2023 12:30:25 +0100
Subject: [PATCH 071/139] Convert to %autorelease and %autochangelog

Finish Paul's conversion to autorelease. Used rpmautospec convert to migrate old part of changelog into a separate file. That should still include old changelog entries in the package.

[skip changelog]
---
 changelog | 917 +++++++++++++++++++++++++++++++++++++++++++++++++++
 unbound.spec | 5 +-
 2 files changed, 918 insertions(+), 4 deletions(-)
 create mode 100644 changelog

diff --git a/changelog b/changelog
new file mode 100644
index 0000000..7ce4f5e
--- /dev/null
+++ b/changelog
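Review bot: `%config(noreplace)` on %{_sharedstatedir}/%{name}/root.key means the DNSSEC trust anchor shipped in the package no longer refreshes an existing on-disk copy on upgrade, which reverses the 1.6.4-4 decision recorded in the changelog file the following patch adds ("Remove noreplace for root key files. We can only improve these files over local copies"): a host on which unbound-anchor.service has never succeeded now keeps whatever anchor it has. The new `%verify(not link user group)` also turns size, mtime and digest checks back on for a file the commit message says unbound-anchor is meant to rewrite, so `rpm -V` will presumably flag it on every host where the anchor has been updated. If both are intended, a comment above the line recording that unbound-anchor, not the package, is now the sole update path, e.g. `# maintained by unbound-anchor.service; never overwrite a local copy (rhbz#2142368)`, would keep the next maintainer from flipping it back.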
@@ -0,0 +1,917 @@ +* Thu Nov 02 2023 Petr Menšík - 1.19.0-1 +- Update to 1.19.0 (#2248686) + +* Wed Sep 06 2023 Petr Menšík - 1.18.0-2 +- Skip failing tests on ELN builds + +* Fri Sep 01 2023 Petr Menšík - 1.18.0-1 +- Update to 1.18.0 (#2236097) + +* Sat Jul 22 2023 Fedora Release Engineering - 1.17.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Tue Jun 13 2023 Python Maint - 1.17.1-3 +- Rebuilt for Python 3.12 + +* Sat Jan 21 2023 Fedora Release Engineering - 1.17.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Fri Jan 13 2023 Paul Wouters - 1.17.0-2 +- Move unbound user creation to libs (#2149036) +- Use systemd-sysusers for user creation (#2105416) +- Keep original DNSSEC root key as config (#2132103) + +* Tue Nov 01 2022 Petr Menšík - 1.17.0-1 +- Update to 1.17.0 (#2134348) + +* Wed Oct 05 2022 Petr Menšík - 1.16.3-3 +- Correct issues made by unbound-anchor package split (#2110858) + +* Fri Sep 30 2022 Petr Menšík - 1.16.3-2 +- Update License tag to SPDX identifier + +* Fri Sep 23 2022 Petr Menšík - 1.16.3-1 +- Update to 1.16.3 (#2128638) + +* Tue Aug 09 2022 Paul Wouters - 1.16.2-3 +- sync up to upstream unbound.conf +- Enable Extended DNS Error codes (RFC8914) + +* Tue Aug 09 2022 Petr Menšík - 1.16.2-2 +- Require openssl tool for unbound-keygen (#2116790) + +* Wed Aug 03 2022 Petr Menšík - 1.16.2-1 +- Update to 1.16.2 (#2105947) for CVE-2022-30698 and CVE-2022-30699 + +* Sat Jul 23 2022 Fedora Release Engineering - 1.16.0-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Mon Jun 27 2022 Petr Menšík - 1.16.0-6 +- Move unbound-anchor to separate package +- Move unbound-host and unbound-streamtcp to unbound-utils package + +* Mon Jun 13 2022 Python Maint - 1.16.0-5 +- Rebuilt for Python 3.11 + +* Tue Jun 07 2022 Petr Menšík - 1.16.0-4 +- Restart keygen service before every unbound start + +* Sat Jun 04 2022 Petr Menšík - 1.16.0-1 +- Update to 1.16.0 + +* Tue Apr 26 2022 Petr 
Menšík - 1.15.0-3 +- Stop creating wrong devel manual pages (#2078929) + +* Wed Apr 20 2022 Petr Menšík - 1.15.0-2 +- Update icannbundle.pem + +* Tue Mar 29 2022 Petr Menšík - 1.15.0-1 +- Update to 1.15.0 (#2030608) + +* Sat Jan 22 2022 Fedora Release Engineering - 1.13.2-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Sat Nov 06 2021 Adrian Reber - 1.13.2-4 +- Rebuilt for protobuf 3.19.0 + +* Mon Oct 25 2021 Adrian Reber - 1.13.2-3 +- Rebuilt for protobuf 3.18.1 + +* Tue Sep 14 2021 Sahana Prasad - 1.13.2-2 +- Rebuilt with OpenSSL 3.0.0 + +* Thu Aug 12 2021 Paul Wouters - 1.13.2-1 +- Resolves: rhbz#1992985 unbound-1.13.2 is available +- Use system-wide crypto policies + +* Fri Jul 23 2021 Fedora Release Engineering - 1.13.1-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Wed Jun 02 2021 Python Maint - 1.13.1-7 +- Rebuilt for Python 3.10 + +* Fri Apr 23 2021 Artem Egorenkov - 1.13.1-6 +- Option --enable-linux-ip-local-port-range added to use system configured port range for libunbound on Linux +- Resolves: rhbz#1935101 + +* Tue Apr 13 2021 Paul Wouters - 1.13.1-5 +- Fix unbound.service to use After=network-online.target + +* Tue Apr 06 2021 Artem Egorenkov - 1.13.1-4 +- Don't start unbound-anchor before unbound service if DISABLE_UNBOUND_ANCHOR + environment variable equals to "yes" + +* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 1.13.1-3 +- Rebuilt for updated systemd-rpm-macros + See https://pagure.io/fesco/issue/2583. + +* Mon Feb 15 2021 Victor Stinner - 1.13.1-2 +- Fix build on Python 3.10 (rhbz#1889726). 
+ +* Wed Feb 10 2021 Paul Wouters - 1.13.1-1 +- Resolves rhbz#1860887 unbound-1.13.1 is available +- Fixup unbound.conf + +* Wed Jan 27 2021 Fedora Release Engineering - 1.13.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Thu Dec 10 2020 Petr Menšík - 1.13.0-1 +- Update to 1.13.0 + +* Tue Oct 13 2020 Petr Menšík - 1.12.0-1 +- Update to 1.12.0 (#1860887) + +* Tue Sep 15 2020 Petr Menšík - 1.10.1-5 +- Move command line tools to utils subpackage + +* Wed Jul 29 2020 Fedora Release Engineering - 1.10.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jul 14 2020 Tom Stellard - 1.10.1-3 +- Use make macros +- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro + +* Fri May 22 2020 Miro Hrončok - 1.10.1-2 +- Rebuilt for Python 3.9 + +* Tue May 19 2020 Paul Wouters - 1.10.1-1 +- Resolves: rhbz#1837279 unbound-1.10.1 is available +- Resolves: rhbz#1837598 CVE-2020-12662 unbound: insufficient control of network message volume leads to DoS +- Resolves: rhbz#1837609 CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers +- Updated unbound.conf for new options in 1.10.1 + +* Wed Apr 29 2020 Paul Wouters - 1.10.0-3 +- Resolves: rhbz#1667742 SELinux is preventing unbound from 'name_bind' accesses on the udp_socket port 61000. 
+ +* Thu Apr 16 2020 Artem Egorenkov - 1.10.0-2 +- Resolves: rhbz#1824536 unbound crash + +* Thu Mar 19 2020 Petr Menšík - 1.10.0-1 +- Update to 1.10.0 (#1805199) + +* Fri Jan 31 2020 Fedora Release Engineering - 1.9.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Fri Dec 13 2019 Paul Wouters - 1.9.6-1 +- Resolves: rhbz#1758107 unbound-1.9.5 is available +- Resolves: CVE-2019-18934 + +* Fri Nov 01 2019 Paul Wouters - 1.9.4-1 +- Fix build on rhel/centos systems +- Resolves: rhbz#1767955 (CVE-2019-16866) uninitialized memory accesses leads to crash via a crafted NOTIFY query + +* Thu Sep 26 2019 Petr Menšík - 1.9.3-2 +- Obsolete no longer provided python2 subpackage (#1749400) + +* Tue Aug 27 2019 Paul Wouters - 1.9.3-1 +- Updated to 1.9.3 +- Resolves: rhbz#1672578 unbound-1.9.2 is available +- Resolves: rhbz#1694831 [/usr/lib/tmpfiles.d/unbound.conf:1] Line references path below legacy directory /var/run/ +- Resolves: rhbz# 1667387 [abrt] unbound: memmove(): unbound killed by SIGABRT + +* Thu Aug 22 2019 Miro Hrončok - 1.8.3-8 +- Subpackage python2-unbound has been removed + See https://fedoraproject.org/wiki/Changes/Mass_Python_2_Package_Removal + +* Thu Aug 15 2019 Miro Hrončok - 1.8.3-7 +- Rebuilt for Python 3.8 + +* Mon Aug 5 2019 Zbigniew Jędrzejewski-Szmek - 1.8.3-6 +- Drop install-time requirements on systemd (#1723777) + +* Sat Jul 27 2019 Fedora Release Engineering - 1.8.3-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Sun Feb 03 2019 Fedora Release Engineering - 1.8.3-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Jan 11 2019 Paul Wouters - 1.8.3-3 +- Remove KSK-2010 from configs - it has been revoked + +* Wed Dec 12 2018 Paul Wouters - 1.8.3-2 +- Another dns64 fixup + +* Wed Dec 12 2018 Paul Wouters - 1.8.3-1 +- Updated to 1.8.3 with fixes the dns64 bug and has some other minor fixes + +* Mon Dec 10 2018 Paul Wouters - 1.8.2-2 +- Fix dns64 allocation in wrong 
region for returned internal queries. + +* Tue Dec 04 2018 Paul Wouters - 1.8.2-1 +- Updated to 1.8.2. +- Enabled deny ANY query support and edns-tcp-keepalive +- Set serve-stale timeout to 4h +- Updated unbound.conf for latest options + +* Mon Oct 22 2018 Petr Menšík - 1.8.1-2 +- Allow group by default to unbound-control (#1640259) + +* Mon Oct 08 2018 Petr Menšík - 1.8.1-1 +- Update to 1.8.1 + +* Mon Oct 01 2018 Petr Menšík - 1.8.0-2 +- Skip ipv6 forwarders without ipv6 support (#1633874) + +* Wed Sep 19 2018 Petr Menšík - 1.8.0-1 +- Rebase to 1.8.0 + +* Tue Aug 14 2018 Paul Wouters - 1.7.3-9 +- Fix for restarting unbound service after deleting key/pem files for remote control + +* Tue Jul 31 2018 Petr Menšík - 1.7.3-8 +- Release memory in unbound-host + +* Mon Jul 23 2018 Petr Menšík - 1.7.3-7 +- Remove unused Group tag + +* Wed Jul 18 2018 Petr Menšík - 1.7.3-6 +- Cleanup generated client and server keys (#1601773) + +* Sat Jul 14 2018 Fedora Release Engineering - 1.7.3-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Mon Jul 09 2018 Petr Menšík - 1.7.3-4 +- Do not call ldconfig if possible + +* Wed Jul 04 2018 Petr Menšík - 1.7.3-3 +- Update trust anchors also behind firewall (#1598078) + +* Mon Jul 02 2018 Miro Hrončok - 1.7.3-2 +- Rebuilt for Python 3.7 + +* Wed Jun 27 2018 Petr Menšík - 1.7.3-1 +- Update to 1.7.3 (#1593708) + +* Wed Jun 27 2018 Petr Menšík - 1.7.2-3 +- Remove last python2 dependency from python3 build + +* Tue Jun 19 2018 Miro Hrončok - 1.7.2-2 +- Rebuilt for Python 3.7 + +* Mon Jun 11 2018 Paul Wouters - 1.7.2-1 +- Resolves rhbz#1589807 unbound-1.7.2 is available +- Add patch to fix stub/forward zone not returning ServFail when TTL expires +- Enabled the new root-key-sentinel option + +* Wed May 30 2018 Petr Menšík - 1.7.1-1 +- Update to 1.7.1 (#1574495) + +* Mon Apr 09 2018 Petr Menšík - 1.7.0-5 +- Require gcc and make on build +- Remove group, simplify systemd requires +- Simplify building with single python 
version, make python3 primary + +* Mon Apr 09 2018 Paul Wouters - 1.7.0-4 +- Patch for prefetching after flushing cache + +* Fri Apr 06 2018 Paul Wouters - 1.7.0-3 +- Patch for referral with auth-zone: response + + +* Wed Mar 21 2018 Paul Wouters - 1.7.0-2 +- Patch for broken Aggressive NSEC + stub-zone configuration causing NXDOMAIN at TTL expiry + +* Thu Mar 15 2018 Paul Wouters - 1.7.0-1 +- Updated to 1.7.0 (aggressive nsec, local root support, bugfixes) + +* Thu Feb 22 2018 Petr Menšík - 1.6.8-6 +- Uncomment again original max-upd-size + +* Wed Feb 21 2018 Petr Menšík - 1.6.8-5 +- Use default RPM build flags and configure parameters (#1539097) + +* Wed Feb 21 2018 Petr Menšík - 1.6.8-4 +- Remove group writable bit from some config files (#1528445) + +* Wed Feb 14 2018 Filipe Rosset - 1.6.8-3 +- rebuilt due new libevent 2.1.8 + +* Fri Feb 09 2018 Igor Gnatenko - 1.6.8-2 +- Escape macros in %%changelog + +* Mon Jan 22 2018 Paul Wouters - 1.6.8-1 +- Resolves rhbz#1483572 unbound-1.6.8 is available +- Resolves rhbz#1507049 CVE-2017-15105 unbound: Improper validation of wildcard synthesized NSEC records +- Resolves rhbz#1536518 CVE-2017-15105 unbound: Improper validation of wildcard synthesized NSEC records [fedora-all] + +* Sun Dec 17 2017 Zbigniew Jędrzejewski-Szmek - 1.6.7-2 +- Python 2 binary package renamed to python2-unbound + See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3 + +* Thu Oct 12 2017 Paul Wouters - 1.6.7-1 +- Updated to 1.6.7 (minor bugfixes) + +* Tue Oct 03 2017 Petr Menšík - 1.6.6-3 +- Update icannbundle.pem + +* Mon Oct 02 2017 Paul Wouters - 1.6.6-2 +- Enable RFC 8145 Trust Anchor Signaling to help the root zone get keytag statistics + +* Fri Sep 22 2017 Paul Wouters - 1.6.6-1 +- Resolves: rhbz#1483572 unbound-1.6.6 is available +- Resolves: rhbz#1465575 unbound fails to start up, complains about missing ipsecmod-hook (edit) + +* Wed Aug 16 2017 Paul Wouters - 1.6.4-4 +- Rebuilt with KSK2017 added to root.key and root.anchor 
+- Remove noreplace for root key files. We can only improve these files over local copies + +* Thu Aug 03 2017 Fedora Release Engineering - 1.6.4-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 1.6.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sun Jul 02 2017 Paul Wouters - 1.6.4-1 +- Updated to 1.6.4 full release, patch to allow missing ipsechook +- Resolves rhbz#1465575 unbound fails to start up, complains about missing ipsecmod-hook + +* Thu Jun 22 2017 Paul Wouters - 1.6.4-0.rc2 +- Update to 1.6.4 (esubnet, ipsecmod support, bugfixes) + +* Tue Jun 13 2017 Paul Wouters - 1.6.3-1 +- Updated to 1.6.3 (fixes assertion failure when receiving malformed packet with 0x20 enabled) + +* Thu Jun 08 2017 Paul Wouters - 1.6.2-2 +- Patch for cmd: unbound-control set_option val-permissive-mode: yes + +* Wed Apr 26 2017 Paul Wouters - 1.6.2-1 +- Update to 1.6.2 (rhbz#1425649) +- Updated unbound.conf with new options + +* Wed Mar 22 2017 Paul Wouters - 1.6.0-6 +- Call make unbound-event-install to install unbound-event.h + +* Sat Feb 11 2017 Fedora Release Engineering - 1.6.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Wed Jan 18 2017 Paul Wouters - 1.6.0-4 +- Remove obsoleted DLV key + +* Mon Jan 02 2017 Paul Wouters - 1.6.0-3 +- Actually remove dependency because minimum is always satisfied + +* Mon Jan 02 2017 Paul Wouters - 1.6.0-2 +- Depend on openssl-libs, not opensl + +* Wed Dec 21 2016 Kevin Fenzi - 1.6.0-1 +- Update to 1.6.0 + +* Mon Dec 19 2016 Miro Hrončok - 1.5.10-3 +- Rebuild for Python 3.6 + +* Wed Oct 26 2016 Ilya Evseev - 1.5.10-2 +- Bugfix building without python2 and python3 +- Fixup streamtcp build (Paul) + +* Tue Sep 27 2016 Paul Wouters - 1.5.10-1 +- Updated to 1.5.10 (better TCP handling, bugfixes) +- Install pkgconfig file in -devel package +- Updated unbound.conf + +* Tue Jul 19 2016 Fedora Release Engineering 
- 1.5.9-4 +- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages + +* Thu Jul 07 2016 Paul Wouters - 1.5.9-3 +- Fix upper port range to 60999 because that's what selinux allows + +* Thu Jun 16 2016 Paul Wouters - 1.5.9-2 +- Patch for allowing more queries before failure (needed for query minimalization) + +* Mon Jun 13 2016 Paul Wouters - 1.5.9-1 +- Updated to 1.5.9 + +* Thu Apr 21 2016 Toshio Kuratomi - 1.5.8-2 +- Fix streamtcp to link against libpython3.x instead of libpython2.x + +* Wed Mar 02 2016 Paul Wouters - 1.5.8-1 +- Update to 1.5.8 (rhbz#1313831) which incorporates rhbz#1294339 patch +- Updated unbound.conf with new upstream options +- Enabled ip-transparent: yes (see rhbz#1291449) + +* Fri Feb 05 2016 Fedora Release Engineering - 1.5.7-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Thu Jan 21 2016 Tomas Hozza - 1.5.7-2 +- Fix escaping of shell chars in unbound-control-setup (#1294339) + +* Fri Dec 11 2015 Paul Wouters - 1.5.7-1 +- Update to 1.5.7 +- Enable query minimalization for enhanced DNS query privacy +- Enable nxdomain hardening to assist with query minimalization and SBLs +- Updated default unbound.conf for new features from upstream. 
+ +* Fri Nov 13 2015 Tomas Hozza - 1.5.6-1 +- Update to 1.5.6 (#1176729) + +* Wed Nov 04 2015 Robert Kuska - 1.5.5-2 +- Rebuilt for Python3.5 rebuild + +* Wed Oct 07 2015 Tomas Hozza - 1.5.5-1 +- New upstream release 1.5.5 (#1269137) +- Removed the anchor update from %%post section of -libs subpackage (#1269137#c2) + +* Tue Sep 15 2015 Tomas Hozza - 1.5.4-5 +- Removed dependency and ordering on unbound-anchor.service in unbound.service + +* Thu Sep 03 2015 Tomas Hozza - 1.5.4-4 +- Prefer Python3 build over Python2 build for now (#1254566) + +* Mon Jul 20 2015 Tomas Hozza - 1.5.4-3 +- Added ExecReload section to unbound.service (#1195785) +- Removed After syslog.target since it is not needed any more + +* Thu Jul 16 2015 Tomas Hozza - 1.5.4-2 +- Start unbound-anchor.timer only on new installations +- Rename root.anchor to root.key in %%post section + +* Tue Jul 14 2015 Paul Wouters - 1.5.4-1 +- Update to 1.5.4 +- Removed patches merged into upstream + +* Tue Jun 16 2015 Tomas Hozza - 1.5.3-8 +- Revert: Use low maximum negative cache TTL (5 sec) (#1229596) + +* Mon Jun 15 2015 Tomas Hozza - 1.5.3-7 +- Add option for maximum negative cache TTL (#1229599) +- Use low maximum negative cache TTL (5 sec) (#1229596) + +* Tue May 26 2015 Tomas Hozza - 1.5.3-6 +- Removed usage of DLV from the default configuration (#1223363) + +* Wed May 13 2015 Tomas Hozza - 1.5.3-5 +- unbound.service now Wants unbound-anchor.timer +- unbound-anchor man page moved to the unbound-libs + +* Mon May 11 2015 Paul Wouters - 1.5.3-4 +- Fixup scriptlets causing systemctl: command not found +- Resolves rhbz#1219587 Error in PREIN scriptlet in rpm package unbound-libs + +* Mon Apr 27 2015 Tomas Hozza - 1.5.3-3 +- migrate cronjob to systemd timer unit (#1177285) +- change the period for unbound-anchor from monthly to daily (#1180267) +- Thanks to Tomasz Torcz for the initial patch + +* Thu Apr 16 2015 Tomas Hozza - 1.5.3-2 +- Fix FTBFS (#1206129) +- Build python3-unbound and python-unbound bindings 
for Python 3 and 2 (#1188080) + +* Mon Mar 16 2015 Paul Wouters - 1.5.3-1 +- Updated to 1.5.3 which is a bugfix on 1.5.2 for sighup handling +- Updated to 1.5.2 which fixes DNSSEC validation with different + trust anchors upstream, local-zone has a new keyword 'inform' + +* Mon Feb 02 2015 Paul Wouters - 1.5.1-4 +- Build with --enable-ecdsa + +* Sun Feb 01 2015 Paul Wouters - 1.5.1-3 +- Fix post to create root.anchor, not root.key, to match cron job + +* Tue Dec 09 2014 Paul Wouters - 1.5.1-2 +- Change systemd-units to systemd +- Use _tmpfilesdir macro, don't mark tmpfiles as config + +* Tue Dec 09 2014 Paul Wouters - 1.5.1-1 +- Update to 1.5.1 for CVE-2014-8602 (rhbz#1172066) +- Removed unbound-aarch64.patch which was merged upstream +- Don't require autotools for non snapshots or run autoreconf + +* Fri Nov 28 2014 Tomas Hozza - 1.5.1-0.1.rc1 +- update to 1.5.1rc1 + +* Fri Nov 28 2014 Marcin Juszkiewicz - 1.5.0-3 +- fix build on aarch64 + +* Wed Nov 26 2014 Tomas Hozza - 1.5.0-2 +- Fix race condition in arc4random (#1166878) + +* Wed Nov 19 2014 Tomas Hozza - 1.5.0-1 +- update to 1.5.0 + +* Wed Sep 24 2014 Pavel Šimerda - 1.4.22-6 +- Resolves: #1115489 - build with python 3.x for fedora >= 22 + +* Thu Aug 21 2014 Kevin Fenzi - 1.4.22-5 +- Rebuild for rpm bug 1131960 + +* Mon Aug 18 2014 Fedora Release Engineering - 1.4.22-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sun Jun 08 2014 Fedora Release Engineering - 1.4.22-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Thu May 01 2014 Paul Wouters - 1.4.22-2 +- Added flushcache patch (SVN commit 3125) + +* Thu Mar 13 2014 Paul Wouters - 1.4.22-1 +- Updated to 1.4.22 +- No longer requires the ldns library + +* Thu Jan 16 2014 Tomas Hozza - 1.4.21-3 +- Fix segfault on adding insecure forward zone when using only iterator (#1054192) + +* Mon Oct 21 2013 Tomas Hozza - 1.4.21-2 +- run test suite during the build + +* Thu Sep 19 2013 Paul Wouters - 1.4.21-1 +- 
Updated to 1.4.21, +- Enabled new max-udp-size: 3072 (so ANY isc.org won't fit) +- Removed patched merged in by upstream +- Enable statistics-cumulative for munin-plugin +- Added outgoing-port-avoid: 0-32767 conformant to SElinux restrictions +- Updated unbound.conf + +* Mon Aug 26 2013 Tomas Hozza - 1.4.20-19 +- Fix errors found by static analysis of source + +* Mon Aug 12 2013 Paul Wouters - 1.4.20-18 +- Change unbound.conf to only use ephemeral ports (32768-65535) + +* Sun Aug 04 2013 Fedora Release Engineering - 1.4.20-17 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Mon Jul 22 2013 Tomas Hozza - 1.4.20-16 +- provide man page for unbound-streamtcp + +* Mon Jul 08 2013 Paul Wouters - 1.4.20-15 +- Re-introduce hardening flags for full relro and pie +- Fixes compilation failure for python module + +* Wed Jul 03 2013 Tomas Hozza - 1.4.20-14 +- remove missing unbound-rootkey.service from post/preun/postun sections +- don't hardcode hardening flags, let hardened build macro handles it + +* Sat Jun 01 2013 Paul Wouters - 1.4.20-13 +- Run unbound-anchor as user unbound in unbound.service + +* Tue May 28 2013 Paul Wouters - 1.4.20-12 +- Enable round-robin (with noths() patch) +- Change cron and systemd service to use root.key, not root.anchor + +* Sat May 25 2013 Paul Wouters - 1.4.20-10 +- Use /var/lib/unbound/root.key (more consistent with other distros) +- Enable minimal responses + +* Mon Apr 22 2013 Paul Wouters - 1.4.20-8 +- Refix + +* Fri Apr 19 2013 Paul Wouters - 1.4.20-7 +- Fix runuser call in post. + +* Tue Apr 16 2013 Paul Wouters - 1.4.20-6 +- /var/lib/unbound should be owned by unbound. 
group write is not enough + +* Fri Apr 12 2013 Paul Wouters - 1.4.20-5 +- Fix cron job syntax (rhbz#951725) +- Use install -p to prevent .rpmnew files that are identical to originals + +* Mon Apr 8 2013 Paul Wouters - 1.4.20-4 +- Updated to 1.4.20 +- Build with full RELRO (not use -z,relro but with -z,relo,-z,now) +- Fixup man page for unbound-control-setup +- unbound.service should start before nss-lookup.target (rhbz#919955) +- Removed patch for rhbz#888759 merged in upstream +- Move root.anchor to /var/lib/unbound to make selinux policy easier for updating (rhbz#896599/rhbz#891008) +- Move cronjob for root.anchor from unbound to unbound-libs, require crontabs +- /etc/unbound (and all) should be owned by unbound-libs (rhbz#909691) +- Remove Obsolete/Provides for dnssec-conf which was last seen in f13 +- Ensure any unbound-anchor failure in post is ignored + +* Tue Mar 05 2013 Adam Tkac - 1.4.19-5 +- build with full RELRO +- symlink unbound-control-setup.8 manpage to unbound-control.8 + +* Fri Feb 15 2013 Fedora Release Engineering - 1.4.19-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Wed Dec 12 2012 Paul Wouters - 1.4.19-3 +- Updated to 1.4.19 - this integrates all existing patches +- Patch for unbound-anchor (rhbz#888759) + +* Fri Nov 09 2012 Paul Wouters - 1.4.18-6 +- Patch to ensure stube-zone's aren't lost when using dnssec-triggerd +- added unbound-munin.README file + +* Wed Sep 26 2012 Paul Wouters - 1.4.18-5 +- Patch to allow wildcards in include: statements +- Add directories /etc/unbound/keys.d,conf.d,local.d with + example entries +- Added /etc/unbound/root.anchor, maintained by unbound-anchor + which is installed as monthly cron and PreExec in systemd config + (root.key is unused, but left installed in case people depend on it) +- Native systemd (simple) and /etc/sysconfig/unbound support +- Run unbound-checkconf in PreExec +- Moved trust anchor related files to unbound-libs, as they can + be used without the daemon. 
+- sub packages now depends on base package of same arch +- Build munin package as noarch +- unbound-anchor moved to unbound-libs package. It is needed + to update the root.anchor key file. + +* Tue Sep 04 2012 Paul Wouters - 1.4.18-3 +- Fix openssl thread locking bug under high query load + +* Thu Aug 23 2012 Paul Wouters - 1.4.18-2 +- Use new systemd-rpm macros (rhbz#850351) +- Clean up old obsoleted dnssec-conf from < fedora 15 + +* Fri Aug 03 2012 Paul Wouters - 1.4.18-1 +- Updated to 1.4.18 (FIPS related fixes mostly) +- Removed patches that were merged in upstream +- Added comment to root.key + +* Mon Jul 23 2012 Paul Wouters - 1.4.17-5 +- Fix for unbound crasher (upstream bug #452) +- Support libunbound functions in man pages and place in -devel + +* Sun Jul 22 2012 Fedora Release Engineering - 1.4.17-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Tue Jul 03 2012 Paul Wouters - 1.4.17-3 +- unbound FIPS patches for MD5,randomness (rhbz#835106) + +* Fri Jun 15 2012 Adam Tkac - 1.4.17-2 +- don't build unbound-munin on RHEL + +* Thu May 24 2012 Paul Wouters - 1.4.17-1 +- Updated to 1.4.17 (which mostly brings in patches we already + applied from svn trunk) + +* Wed Feb 29 2012 Paul Wouters - 1.4.16-3 +- Since the daemon links to the libs staticly, add Requires: + (this is rhbz#745288) +- Package up streamtcp as unbound-streamtcp (for monitoring) + +* Mon Feb 27 2012 Paul Wouters - 1.4.16-2 +- Don't ghost the directory (rhbz#788805) +- Patch for unbound to support unbound-control forward_zone + (needed for openswan in XAUTH mode) + +* Thu Feb 02 2012 Paul Wouters - 1.4.16-1 +- Upgraded to 1.4.16, which was relesed due to the soname + and some DNSSEC validation failures + +* Wed Feb 01 2012 Paul Wouters - 1.4.15-2 +- Patch for SONAME version (libtool's -version-number vs -version-info) + +* Fri Jan 27 2012 Paul Wouters - 1.4.15-1 +- Upgraded to 1.4.15 +- Updated unbound.conf to show how to configure listening on tls443 + +* Sat Jan 14 
2012 Fedora Release Engineering - 1.4.14-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Mon Dec 19 2011 Paul Wouters - 1.4.14-1 +- Upgraded to 1.4.14 for CVE-2011-4528 / VU#209659 +- SSL-wrapped query support for dnssec-trigger +- EDNS handling changes +- Removed integrated EDNS patches +- Disabled use-caps-for-id, GoDaddy domains now break on it +- Enabled new harden-below-nxdomain + +* Thu Sep 15 2011 Paul Wouters - 1.4.13-1 +- Upgraded to 1.4.13 +- Removed merged in pythonmod patch +- Added EDNS1480 patch to fix unbound on broken EDNS/UDP networks +- Fix python to go into sitearch instead of sitelib + +* Wed Sep 14 2011 Tom Callaway - 1.4.12-4 +- convert to systemd, tmpfiles.d + +* Mon Aug 08 2011 Paul Wouters - 1.4.12-3 +- Added pythonmod docs and examples + +* Mon Aug 08 2011 Paul Wouters - 1.4.12-2 +- Fix for python module load in the server (Tom Hendrikx) +- No longer enable --enable-debug as it causes degraded performance + under load. + +* Mon Jul 18 2011 Paul Wouters - 1.4.12-1 +- Updated to 1.4.12 + +* Sun Jul 03 2011 Paul Wouters - 1.4.11-1 +- Updated to 1.4.11 +- removed integrated CVE patch +- updated stock unbound.conf for new options introduced + +* Mon Jun 06 2011 Paul Wouters - 1.4.10-1 +- Added ghost for /var/run/unbound (bz#656710) + +* Mon Jun 06 2011 Paul Wouters - 1.4.9-3 +- rebuilt + +* Wed May 25 2011 Paul Wouters - 1.4.9-2 +- Applied patch for CVE-2011-1922 DoS vulnerability + +* Sun Mar 27 2011 Paul Wouters - 1.4.9-1 +- Updated to 1.4.9 + +* Sat Feb 12 2011 Paul Wouters - 1.4.8-2 +- rebuilt + +* Tue Jan 25 2011 Paul Wouters - 1.4.8-1 +- Updated to 1.4.8 +- Enable root key for DNSSEC +- Fix unbound-munin to use proper file (could cause excessive logging) +- Build unbound-python per default +- Disable gost as Fedora/EPEL does not allow ECC and has mangled openssl + +* Tue Oct 26 2010 Paul Wouters - 1.4.5-4 +- Revert last build - it was on the wrong branch + +* Tue Oct 26 2010 Paul Wouters - 1.4.5-3 +- Disable 
do-ipv6 per default - causes severe degradation on non-ipv6 machines + (see comments in inbound.conf) + +* Tue Jun 15 2010 Paul Wouters - 1.4.5-2 +- Bump release - forgot to upload the new tar ball. + +* Tue Jun 15 2010 Paul Wouters - 1.4.5-1 +- Upgraded to 1.4.5 + +* Mon May 31 2010 Paul Wouters - 1.4.4-2 +- Added accidentally omitted svn patches to cvs + +* Mon May 31 2010 Paul Wouters - 1.4.4-1 +- Upgraded to 1.4.4 with svn patches +- Obsolete dnssec-conf to ensure it is de-installed + +* Thu Mar 11 2010 Paul Wouters - 1.4.3-1 +- Update to 1.4.3 that fixes 64bit crasher + +* Tue Mar 09 2010 Paul Wouters - 1.4.2-1 +- Updated to 1.4.2 +- Updated unbound.conf with new options +- Enabled pre-fetching DNSKEY records (DNSSEC speedup) +- Enabled re-fetching popular records before they expire +- Enabled logging of DNSSEC validation errors + +* Mon Mar 01 2010 Paul Wouters - 1.4.1-5 +- Overriding -D_GNU_SOURCE is no longer needed. This fixes DSO issues + with pthreads + +* Wed Feb 24 2010 Paul Wouters - 1.4.1-3 +- Change make/configure lines to attempt to fix -lphtread linking issue + +* Thu Feb 18 2010 Paul Wouters - 1.4.1-2 +- Removed dependancy for dnssec-conf +- Added ISC DLV key (formerly in dnssec-conf) +- Fixup old DLV locations in unbound.conf file via %%post +- Fix parent child disagreement handling and no-ipv6 present [svn r1953] + +* Tue Jan 05 2010 Paul Wouters - 1.4.1-1 +- Updated to 1.4.1 +- Changed %%define to %%global + +* Thu Oct 08 2009 Paul Wouters - 1.3.4-2 +- Bump version + +* Thu Oct 08 2009 Paul Wouters - 1.3.4-1 +- Upgraded to 1.3.4. 
Security fix with validating NSEC3 records + +* Fri Aug 21 2009 Tomas Mraz - 1.3.3-2 +- rebuilt with new openssl + +* Mon Aug 17 2009 Paul Wouters - 1.3.3-1 +- Updated to 1.3.3 + +* Sun Jul 26 2009 Fedora Release Engineering - 1.3.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Sat Jun 20 2009 Paul Wouters - 1.3.0-2 +- Added missing glob patch to cvs +- Place python macros within the %%with_python check + +* Sat Jun 20 2009 Paul Wouters - 1.3.0-1 +- Updated to 1.3.0 +- Added unbound-python sub package. disabled for now +- Patch from svn to fix DLV lookups +- Patches from svn to detect wrong truncated response from BIND 9.6.1 with + minimal-responses) +- Added Default-Start and Default-Stop to unbound.init +- Re-enabled --enable-sha2 +- Re-enabled glob.patch + +* Wed May 20 2009 Paul Wouters - 1.2.1-7 +- unbound-iterator.patch was not commited + +* Wed May 20 2009 Paul Wouters - 1.2.1-6 +- Fix for https://bugzilla.redhat.com/show_bug.cgi?id=499793 + +* Tue Mar 17 2009 Paul Wouters - 1.2.1-5 +- Use --nocheck to avoid giving an error on missing unbound-remote certs/keys + +* Tue Mar 10 2009 Adam Tkac - 1.2.1-4 +- enable DNSSEC only if it is enabled in sysconfig/dnssec + +* Mon Mar 09 2009 Adam Tkac - 1.2.1-3 +- add DNSSEC support to initscript and enabled it per default +- add requires dnssec-conf + +* Wed Feb 25 2009 Fedora Release Engineering - 1.2.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Tue Feb 10 2009 Paul Wouters - 1.2.0-2 +- rebuild with new openssl + +* Wed Jan 14 2009 Paul Wouters - 1.1.1-7 +- Modified scandir patch to silently fail when wildcard matches nothing +- Patch to allow unbound-checkconf to find empty wildcard matches + +* Mon Jan 5 2009 Paul Wouters - 1.1.1-6 +- Added scandir patch for trusted-keys-file: option, which + is used to load multiple dnssec keys in bind file format + +* Mon Dec 8 2008 Paul Wouters - 1.1.1-4 +- Added Requires: for selinux-policy >= 3.5.13-33 for proper 
SElinux rules. + +* Mon Dec 1 2008 Paul Wouters - 1.1.1-3 +- We did not own the /etc/unbound directory (#474020) +- Fixed cvs anomalies + +* Fri Nov 28 2008 Adam Tkac - 1.1.1-2 +- removed all obsolete chroot related stuff +- label control certs after generation correctly + +* Thu Nov 20 2008 Paul Wouters - 1.1.1-1 +- Updated to unbound 1.1.1 which fixes a crasher and + addresses nlnetlabs bug #219 + +* Wed Nov 19 2008 Paul Wouters - 1.1.0-3 +- Remove the chroot, obsoleted by SElinux +- Add additional munin plugin links supported by unbound plugin +- Move configuration directory from /var/lib/unbound to /etc/unbound +- Modified unbound.init and unbound.conf to account for chroot changes +- Updated unbound.conf with new available options +- Enabled dns-0x20 protection per default + +* Wed Nov 19 2008 Adam Tkac - 1.1.0-2 +- unbound-1.1.0-log_open.patch + - make sure log is opened before chroot call + - tracked as http://www.nlnetlabs.nl/bugs/show_bug.cgi?id=219 +- removed /dev/log and /var/run/unbound and /etc/resolv.conf from + chroot, not needed +- don't mount files in chroot, it causes problems during updates +- fixed typo in default config file + +* Fri Nov 14 2008 Paul Wouters - 1.1.0-1 +- Updated to version 1.1.0 +- Updated unbound.conf's statistics options and remote-control + to work properly for munin +- Added unbound-munin package +- Generate unbound remote-control key/certs on first startup +- Required ldns is now 1.4.0 + +* Wed Oct 22 2008 Paul Wouters - 1.0.2-5 +- Only call ldconfig in -libs package +- Move configure into build section +- devel subpackage should only depend on libs subpackage + +* Tue Oct 21 2008 Paul Wouters - 1.0.2-4 +- Fix CFLAGS getting lost in build +- Don't enable interface-automatic:yes because that + causes unbound to listen on 0.0.0.0 instead of 127.0.0.1 + +* Sun Oct 19 2008 Paul Wouters - 1.0.2-3 +- Split off unbound-libs, make build verbose + +* Thu Oct 9 2008 Paul Wouters - 1.0.2-2 +- FSB compliance, chroot fixes, initscript 
fixes + +* Thu Sep 11 2008 Paul Wouters - 1.0.2-1 +- Upgraded to 1.0.2 + +* Wed Jul 16 2008 Paul Wouters - 1.0.1-1 +- upgraded to new release + +* Wed May 21 2008 Paul Wouters - 1.0.0-2 +- Build against ldns-1.3.0 + +* Wed May 21 2008 Paul Wouters - 1.0.0-1 +- Split of -devel package, fixed dependancies, make rpmlint happy + +* Fri Apr 25 2008 Wouter Wijngaards - 0.12 +- Using parts from ports collection entry by Jaap Akkerhuis. +- Using Fedoraproject wiki guidelines. + +* Wed Apr 23 2008 Wouter Wijngaards - 0.11 +- Initial version. diff --git a/unbound.spec b/unbound.spec index bcc5e24..31b1448 100644 --- a/unbound.spec +++ b/unbound.spec @@ -31,7 +31,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.19.0 -Release: 1%{?extra_version:.%{extra_version}}%{?dist} +Release: %autorelease %{?extra_version:-e %{extra_version}} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -500,7 +500,4 @@ popd %{_mandir}/man1/unbound-* %changelog -* Thu Nov 02 2023 Petr Menšík - 1.19.0-1 -- Update to 1.19.0 (#2248686) - %autochangelog From 5a98539d5136861a57b338039b710b8b926600c7 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 27 Jan 2024 07:05:17 +0000 Subject: [PATCH 072/139] Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild From c89e088ab83363318657ea1288b0c4106736036c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 16 Jan 2024 17:05:56 +0100 Subject: [PATCH 073/139] Update address of b.root-servers.net (#2253461) Modification of a config file differs from upstream version, we have it uncommented in Fedora. Resolves: rhbz#2253461 --- unbound-1.19-b.root-servers.net-conf.patch | 38 ++++++++++++++++++++++ unbound-1.19-b.root-servers.net.patch | 35 ++++++++++++++++++++ unbound.spec | 5 +++ 3 files changed, 78 insertions(+) create mode 100644 unbound-1.19-b.root-servers.net-conf.patch create mode 100644 unbound-1.19-b.root-servers.net.patch diff --git a/unbound-1.19-b.root-servers.net-conf.patch b/unbound-1.19-b.root-servers.net-conf.patch new file mode 100644 index 0000000..c3f41c9 --- /dev/null +++ b/unbound-1.19-b.root-servers.net-conf.patch 
@@ -0,0 +1,38 @@ +From 101f9efb8de8e5e41fe40d05461276299e4c8980 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Tue, 16 Jan 2024 16:13:29 +0100 +Subject: [PATCH] Update b.root-servers.net also in example config file + +Addition to commit a8739bad76d4d179290627e989c7ef236345bda6, which +updated only address specified in code. But addresses provided in +example configuration were not updated, I think they should be updated +too. +--- + unbound-1.19.0/doc/example.conf.in | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/unbound-1.19.0/doc/example.conf.in b/unbound-1.19.0/doc/example.conf.in +index b79a322..3a15357 100644 +--- a/unbound-1.19.0/doc/example.conf.in ++++ b/unbound-1.19.0/doc/example.conf.in +@@ -1203,7 +1203,7 @@ include: /etc/unbound/conf.d/*.conf + # notifies. + auth-zone: + name: "." +- primary: 199.9.14.201 # b.root-servers.net ++ primary: 170.247.170.2 # b.root-servers.net + primary: 192.33.4.12 # c.root-servers.net + primary: 199.7.91.13 # d.root-servers.net + primary: 192.5.5.241 # f.root-servers.net +@@ -1211,7 +1211,7 @@ auth-zone: + primary: 193.0.14.129 # k.root-servers.net + primary: 192.0.47.132 # xfr.cjr.dns.icann.org + primary: 192.0.32.132 # xfr.lax.dns.icann.org +- primary: 2001:500:200::b # b.root-servers.net ++ primary: 2801:1b8:10::b # b.root-servers.net + primary: 2001:500:2::c # c.root-servers.net + primary: 2001:500:2d::d # d.root-servers.net + primary: 2001:500:2f::f # f.root-servers.net +-- +2.43.0 + diff --git a/unbound-1.19-b.root-servers.net.patch b/unbound-1.19-b.root-servers.net.patch new file mode 100644 index 0000000..c3b9a47 --- /dev/null +++ b/unbound-1.19-b.root-servers.net.patch 
@@ -0,0 +1,35 @@ +From 72c65bfc2fe35cf4f0665a5e3f173f4f8f6f151b Mon Sep 17 00:00:00 2001 +From: "W.C.A. Wijngaards" +Date: Wed, 6 Dec 2023 13:25:58 +0100 +Subject: [PATCH] - Updated IPv4 and IPv6 address for b.root-servers.net in + root hints. + +--- + unbound-1.19.0/iterator/iter_hints.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/unbound-1.19.0/iterator/iter_hints.c b/unbound-1.19.0/iterator/iter_hints.c +index a60d9a6..6b56daa 100644 +--- a/unbound-1.19.0/iterator/iter_hints.c ++++ b/unbound-1.19.0/iterator/iter_hints.c +@@ -129,7 +129,7 @@ compile_time_root_prime(int do_ip4, int do_ip6) + dp->has_parent_side_NS = 1; + if(do_ip4) { + if(!ah(dp, "A.ROOT-SERVERS.NET.", "198.41.0.4")) goto failed; +- if(!ah(dp, "B.ROOT-SERVERS.NET.", "199.9.14.201")) goto failed; ++ if(!ah(dp, "B.ROOT-SERVERS.NET.", "170.247.170.2")) goto failed; + if(!ah(dp, "C.ROOT-SERVERS.NET.", "192.33.4.12")) goto failed; + if(!ah(dp, "D.ROOT-SERVERS.NET.", "199.7.91.13")) goto failed; + if(!ah(dp, "E.ROOT-SERVERS.NET.", "192.203.230.10")) goto failed; +@@ -144,7 +144,7 @@ compile_time_root_prime(int do_ip4, int do_ip6) + } + if(do_ip6) { + if(!ah(dp, "A.ROOT-SERVERS.NET.", "2001:503:ba3e::2:30")) goto failed; +- if(!ah(dp, "B.ROOT-SERVERS.NET.", "2001:500:200::b")) goto failed; ++ if(!ah(dp, "B.ROOT-SERVERS.NET.", "2801:1b8:10::b")) goto failed; + if(!ah(dp, "C.ROOT-SERVERS.NET.", "2001:500:2::c")) goto failed; + if(!ah(dp, "D.ROOT-SERVERS.NET.", "2001:500:2d::d")) goto failed; + if(!ah(dp, "E.ROOT-SERVERS.NET.", "2001:500:a8::e")) goto failed; +-- +2.43.0 + diff --git a/unbound.spec b/unbound.spec index 31b1448..7c07131 100644 --- a/unbound.spec +++ b/unbound.spec 
@@ -57,6 +57,11 @@ Source20: unbound.sysusers # Downstream configuration changes Patch1: unbound-fedora-config.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2253461 +# https://github.com/NLnetLabs/unbound/commit/a8739bad76d4d179290627e989c7ef236345bda6 +Patch2: unbound-1.19-b.root-servers.net.patch +# https://github.com/NLnetLabs/unbound/pull/993 +Patch3: unbound-1.19-b.root-servers.net-conf.patch BuildRequires: gcc, make BuildRequires: flex, openssl-devel From a8b2f2adc217cbe84e000b2b6ade92a12c11c6f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Mon, 29 Jan 2024 12:35:47 +0100 Subject: [PATCH 074/139] Always auto-restart on crash events Although no way of crashing is known, ensure unbound will restart itself in case of crash. That should minimize possible damage and allow less degraded service until a fix for crashes arrives. Do not try to restart on configuration failures. There restarts will not likely to fix the issue anyway. --- unbound.service | 1 + 1 file changed, 1 insertion(+) diff --git a/unbound.service b/unbound.service index ffaf783..74321c7 100644 --- a/unbound.service +++ b/unbound.service @@ -14,6 +14,7 @@ EnvironmentFile=-/etc/sysconfig/unbound ExecStartPre=/usr/sbin/unbound-checkconf ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS ExecReload=/usr/sbin/unbound-control reload +Restart=on-abnormal [Install] WantedBy=multi-user.target From 9a01e409528feab940515b57b80f8049a1e2a214 Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Tue, 13 Feb 2024 09:20:26 -0500 Subject: [PATCH 075/139] Update to 1.19.1 for CVE-2023-50387, CVE-2023-50868 Resolves: CVE-2023-50387 (KeyTrap Denial of Service) Resolves: CVE-2023-50868 (NSEC3 Denial of Service) --- .gitignore | 2 ++ sources | 4 ++-- unbound.spec | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index c4bf873..62eba4b 100644 --- a/.gitignore +++ b/.gitignore 
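Review bot: Patch2 and Patch3 are declared here but no `%patch` application line is visible, and both new patch files above address their targets under the `unbound-1.19.0/` source directory, so they depend on a strip level that keeps that directory and will stop applying at the next version bump (the series later bumps to 1.19.1 without touching them). If the spec uses `%autosetup` the declaration alone applies them; otherwise an explicit `%patch2 -p1` / `%patch3 -p1` is needed elsewhere in the spec, which this hunk does not show. Consider recording the coupling next to the declarations: `# NOTE: paths inside these patches embed unbound-1.19.0/; regenerate on version bump`.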
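Review bot: `Restart=on-abnormal` restarts on signals, core dumps and watchdog/start timeouts but not on a clean non-zero exit, so a failing `ExecStartPre=/usr/sbin/unbound-checkconf` will not loop, which matches the description but is worth stating on the line itself because `on-failure` would behave differently. With systemd's default start-rate limit a crash that can be triggered repeatedly from the network still ends with the unit stopped, so the restart is a mitigation rather than a guarantee of availability; a `RestartSec=` above the default keeps a tight loop from exhausting the start budget within seconds. Suggested comment above the directive: `# Restart on crash (signal/core dump), not on non-zero exits such as a failed checkconf`.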
@@ -83,3 +83,5 @@ unbound-1.4.5.tar.gz /unbound-1.18.0.tar.gz.asc /unbound-1.19.0.tar.gz /unbound-1.19.0.tar.gz.asc +/unbound-1.19.1.tar.gz +/unbound-1.19.1.tar.gz.asc diff --git a/sources b/sources index 4adc154..a941fce 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (unbound-1.19.0.tar.gz) = c7df997ab003d098f53ac97ffb4c8428ab28e24573ff21e21782cbeadca42edadeb5b0db53ce954c9ff3106a5edb36eb47109240c554a44d9aac75727b66aeb4 -SHA512 (unbound-1.19.0.tar.gz.asc) = 63aa94192de7840f7abe43367e2c3f5d3fd42b8d72c08a5645cf28e2c0ad2e11d54f3aa645384fff5d4dfe66bc7ee25d81bd967780a992b54956343974206580 +SHA512 (unbound-1.19.1.tar.gz) = c81192b70f14a4e289cf738bf6b647cf25b58b1ab11076dee306ff25a530b6a1bbeca71cfa8820d80f48fd843019beb29a68796a1b1fcec6e561dfeccd62d96a +SHA512 (unbound-1.19.1.tar.gz.asc) = 2e4c6b7df844d1fb93d948791a20b9ff201bd1e6de6c89a830ddce06e24e5d770409265005f549757ef3a9c99d11b9860ae21711425d76d42bf2c33240dd3b52 diff --git a/unbound.spec b/unbound.spec index 7c07131..55685f8 100644 --- a/unbound.spec +++ b/unbound.spec @@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.19.0 +Version: 1.19.1 Release: %autorelease %{?extra_version:-e %{extra_version}} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ From 1e3b336d801154fffa5969ebe65566b072177d52 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 13 Feb 2024 22:47:36 +0100 Subject: [PATCH 076/139] Ensure only unbound group members can make changes unbound-control should allow only privileged users from unbound group to modify running instance. --- unbound-fedora-config.patch | 46 ++++++++++++++++++------------------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch index a249d2c..009cb07 100644 --- a/unbound-fedora-config.patch +++ b/unbound-fedora-config.patch 
@@ -1,4 +1,4 @@ -From ecfc3a96a0d38cc31fb871d98789467434c7afda Mon Sep 17 00:00:00 2001 +From 77710cef1d7001fc52b7f19b0b9e305fd355f07e Mon Sep 17 00:00:00 2001 From: Petr Mensik Date: Fri, 10 Nov 2023 12:58:31 +0100 Subject: [PATCH] Customize unbound.conf for Fedora defaults @@ -7,13 +7,13 @@ Set some Fedora/RHEL specific changes to example configuration file. By patching upstream provided config file we would not need to manually update external copy in source RPM. --- - unbound-1.19.0/doc/example.conf.in | 205 ++++++++++++++++++----------- - 1 file changed, 131 insertions(+), 74 deletions(-) + unbound-1.19.1/doc/example.conf.in | 200 ++++++++++++++++++----------- + 1 file changed, 127 insertions(+), 73 deletions(-) -diff --git a/unbound-1.19.0/doc/example.conf.in b/unbound-1.19.0/doc/example.conf.in -index fe0dde6..b79a322 100644 ---- a/unbound-1.19.0/doc/example.conf.in -+++ b/unbound-1.19.0/doc/example.conf.in +diff --git a/unbound-1.19.1/doc/example.conf.in b/unbound-1.19.1/doc/example.conf.in +index fcfb1da..a61b530 100644 +--- a/unbound-1.19.1/doc/example.conf.in ++++ b/unbound-1.19.1/doc/example.conf.in @@ -17,11 +17,12 @@ server: # whitespace is not necessary, but looks cleaner. @@ -400,7 +400,7 @@ index fe0dde6..b79a322 100644 # Dynamic library config section. To enable: # o use --with-dynlibmodule to configure before compiling. -@@ -1067,13 +1104,18 @@ python: +@@ -1067,13 +1104,14 @@ python: # the module-config then you need one dynlib-file per instance. dynlib: # Script file to load 
@@ -414,19 +414,19 @@ index fe0dde6..b79a322 100644 - # control-enable: no + # Note: required for unbound-munin package + control-enable: yes -+ -+ # Set to no and use an absolute path as control-interface to use -+ # a unix local named pipe for unbound-control. -+ # control-use-cert: yes # what interfaces are listened to for remote control. # give 0.0.0.0 and ::0 to listen to all interfaces. -@@ -1087,19 +1129,22 @@ remote-control: +@@ -1081,6 +1119,7 @@ remote-control: + # are not used for that, so key and cert files need not be present. + # control-interface: 127.0.0.1 + # control-interface: ::1 ++ control-interface: "/run/unbound/control" - # for localhost, you can disable use of TLS by setting this to "no" - # For local sockets this option is ignored, and TLS is not used. -- # control-use-cert: "yes" -+ control-use-cert: "no" + # port number for remote control operations. + # control-port: 8953 +@@ -1090,16 +1129,19 @@ remote-control: + # control-use-cert: "yes" # Unbound server key file. - # server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key" @@ -449,7 +449,7 @@ index fe0dde6..b79a322 100644 # Stub zones. # Create entries like below, to make all queries for 'example.com' and -@@ -1121,6 +1166,10 @@ remote-control: +@@ -1121,6 +1163,10 @@ remote-control: # name: "example.org" # stub-host: ns.example.com. @@ -460,7 +460,7 @@ index fe0dde6..b79a322 100644 # Forward zones # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of servers. These servers have to handle -@@ -1138,6 +1187,10 @@ remote-control: +@@ -1138,6 +1184,10 @@ remote-control: # forward-zone: # name: "example.org" # forward-host: fwd.example.com 
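Review bot: The new side makes `control-interface: "/run/unbound/control"` the only control endpoint and drops the explicit `control-use-cert: "no"`, so the group restriction in the commit title now rests entirely on the ownership and mode of that socket and of `/run/unbound`, which nothing in this hunk sets; the upstream comment kept on the old side ("For local sockets this option is ignored, and TLS is not used") confirms the certificate no longer plays any part. Presumably the directory is created by tmpfiles or the spec with the unbound group — verify that, since a world-writable or root-only `/run/unbound` would respectively widen or break access. Suggest a comment directly above the new line: `# Local socket: access is governed by filesystem permissions on /run/unbound, not by TLS certificates`. The enclosing `remote-control:` section starts outside this hunk.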
@@ -471,7 +471,7 @@ index fe0dde6..b79a322 100644 # Authority zones # The data for these zones is kept locally, from a file or downloaded. -@@ -1145,30 +1198,31 @@ remote-control: +@@ -1145,30 +1195,31 @@ remote-control: # upstream (which saves a lookup to the upstream). The first example # has a copy of the root for local usage. The second serves example.org # authoritatively. zonefile: reads from file (and writes to it if you also @@ -527,7 +527,7 @@ index fe0dde6..b79a322 100644 # auth-zone: # name: "example.org" # for-downstream: yes -@@ -1194,6 +1248,9 @@ remote-control: +@@ -1194,6 +1245,9 @@ remote-control: # name: "anotherview" # local-zone: "example.com" refuse @@ -537,7 +537,7 @@ index fe0dde6..b79a322 100644 # DNSCrypt # To enable, use --enable-dnscrypt to configure before compiling. # Caveats: -@@ -1266,7 +1323,7 @@ remote-control: +@@ -1266,7 +1320,7 @@ remote-control: # dnstap-enable: no # # if set to yes frame streams will be used in bidirectional mode # dnstap-bidirectional: yes @@ -547,5 +547,5 @@ index fe0dde6..b79a322 100644 # # set it to "IPaddress[@port]" of the destination. # dnstap-ip: "" -- -2.41.0 +2.43.0 From 4442f601422b97519fa54f380dd3814669f84dd3 Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Fri, 1 Mar 2024 10:24:02 -0500 Subject: [PATCH 077/139] - Fix trim of EDE text from large udp responses from spinning cpu. --- unbound-1.19-EDE-cpu-lock.patch | 14 ++++++++++++++ unbound.spec | 2 ++ 2 files changed, 16 insertions(+) create mode 100644 unbound-1.19-EDE-cpu-lock.patch diff --git a/unbound-1.19-EDE-cpu-lock.patch b/unbound-1.19-EDE-cpu-lock.patch new file mode 100644 index 0000000..85b76ff --- /dev/null +++ b/unbound-1.19-EDE-cpu-lock.patch 
@@ -0,0 +1,14 @@ +diff --git a/unbound-1.19.1/util/data/msgencode.c b/unbound-1.19.1/util/data/msgencode.c +index 80ae33a38..898ff8412 100644 +--- a/unbound-1.19.1/util/data/msgencode.c ++++ b/unbound-1.19.1/util/data/msgencode.c +@@ -886,6 +886,9 @@ ede_trim_text(struct edns_option** list) + curr->opt_len = 2; + prev = curr; + curr = curr->next; ++ } else { ++ prev = curr; ++ curr = curr->next; + } + } else { + /* continue */ diff --git a/unbound.spec b/unbound.spec index 55685f8..a764abc 100644 --- a/unbound.spec +++ b/unbound.spec @@ -62,6 +62,8 @@ Patch1: unbound-fedora-config.patch Patch2: unbound-1.19-b.root-servers.net.patch # https://github.com/NLnetLabs/unbound/pull/993 Patch3: unbound-1.19-b.root-servers.net-conf.patch +# https://github.com/NLnetLabs/unbound/commit/ccbe31c21f91ae96e759547be264a34ac63f4f90 +Patch4: unbound-1.19-EDE-cpu-lock.patch BuildRequires: gcc, make BuildRequires: flex, openssl-devel From 09e3b23ab0144a28e7ae1780357d04f2d05139cd Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Sat, 9 Mar 2024 16:24:15 -0500 Subject: [PATCH 078/139] Add spec file comment Note that last patch was for now public CVE-2024-1931 --- unbound.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index a764abc..391d7aa 100644 --- a/unbound.spec +++ b/unbound.spec @@ -62,7 +62,7 @@ Patch1: unbound-fedora-config.patch Patch2: unbound-1.19-b.root-servers.net.patch # https://github.com/NLnetLabs/unbound/pull/993 Patch3: unbound-1.19-b.root-servers.net-conf.patch -# https://github.com/NLnetLabs/unbound/commit/ccbe31c21f91ae96e759547be264a34ac63f4f90 +# https://github.com/NLnetLabs/unbound/commit/ccbe31c21f91ae96e759547be264a34ac63f4f90 (now released as CVE-2024-1931) Patch4: unbound-1.19-EDE-cpu-lock.patch BuildRequires: gcc, make From b4c26d9205df98c01125e2361b650b3bad06b11e Mon Sep 17 00:00:00 2001 
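Review bot: The new patch file carries no `From:`/`Subject:` provenance header, unlike the two root-server patches added earlier in this series, so the only link to the upstream fix is the URL comment in the spec hunk below; a short header in the patch itself would keep that traceability when the spec comment is edited. The embedded change is a missing loop advance: the added `else { prev = curr; curr = curr->next; }` makes the branch that neither trims nor unlinks the option move on instead of re-examining the same node, which is what turns a large EDE response into a spin. The enclosing `ede_trim_text()` loop starts and ends outside the quoted context, so the fix cannot be checked for other non-advancing paths from this hunk alone; consider noting the intent in the spec comment: `# adds the missing list advance in ede_trim_text() that otherwise loops forever`.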
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Fri, 12 Apr 2024 19:54:21 +0200 Subject: [PATCH 079/139] Update to 1.19.3 (rhbz#2268404) - Fix CVE-2024-1931, Denial of service when trimming EDE text on positive replies. (rhbz#2268419) - Use the origin (DNAME) TTL for synthesized CNAMEs as per RFC 6672. - Bug fixes https://nlnetlabs.nl/projects/unbound/download/#unbound-1-19-3 --- .gitignore | 2 + sources | 4 +- unbound-1.19-EDE-cpu-lock.patch | 14 ---- unbound-1.19-b.root-servers.net-conf.patch | 38 --------- unbound-1.19-b.root-servers.net.patch | 35 -------- unbound-fedora-config.patch | 96 ++++++++++------------ unbound.spec | 9 +- 7 files changed, 50 insertions(+), 148 deletions(-) delete mode 100644 unbound-1.19-EDE-cpu-lock.patch delete mode 100644 unbound-1.19-b.root-servers.net-conf.patch delete mode 100644 unbound-1.19-b.root-servers.net.patch diff --git a/.gitignore b/.gitignore index 62eba4b..dde18f4 100644 --- a/.gitignore +++ b/.gitignore @@ -85,3 +85,5 @@ unbound-1.4.5.tar.gz /unbound-1.19.0.tar.gz.asc /unbound-1.19.1.tar.gz /unbound-1.19.1.tar.gz.asc +/unbound-1.19.3.tar.gz +/unbound-1.19.3.tar.gz.asc diff --git a/sources b/sources index a941fce..eea1e9c 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (unbound-1.19.1.tar.gz) = c81192b70f14a4e289cf738bf6b647cf25b58b1ab11076dee306ff25a530b6a1bbeca71cfa8820d80f48fd843019beb29a68796a1b1fcec6e561dfeccd62d96a -SHA512 (unbound-1.19.1.tar.gz.asc) = 2e4c6b7df844d1fb93d948791a20b9ff201bd1e6de6c89a830ddce06e24e5d770409265005f549757ef3a9c99d11b9860ae21711425d76d42bf2c33240dd3b52 +SHA512 (unbound-1.19.3.tar.gz) = f860614f090a5a081cceff8ca7f4b3d416c00a251ae14ceb6b4159dc8cd022f025592074d3d78aee2f86c3eeae9d1a314713e4740aa91062579143199accd159 +SHA512 (unbound-1.19.3.tar.gz.asc) = 1b6437d7ac4394ab7d6eb0d12f22b39538152f9c88175a5368263059950b8e6b093fa5392d1ff37874effef7a422afa9c690f766802208979a99500a4bea5906 
diff --git a/unbound-1.19-EDE-cpu-lock.patch b/unbound-1.19-EDE-cpu-lock.patch deleted file mode 100644 index 85b76ff..0000000 --- a/unbound-1.19-EDE-cpu-lock.patch +++ /dev/null @@ -1,14 +0,0 @@ -diff --git a/unbound-1.19.1/util/data/msgencode.c b/unbound-1.19.1/util/data/msgencode.c -index 80ae33a38..898ff8412 100644 ---- a/unbound-1.19.1/util/data/msgencode.c -+++ b/unbound-1.19.1/util/data/msgencode.c -@@ -886,6 +886,9 @@ ede_trim_text(struct edns_option** list) - curr->opt_len = 2; - prev = curr; - curr = curr->next; -+ } else { -+ prev = curr; -+ curr = curr->next; - } - } else { - /* continue */ diff --git a/unbound-1.19-b.root-servers.net-conf.patch b/unbound-1.19-b.root-servers.net-conf.patch deleted file mode 100644 index c3f41c9..0000000 --- a/unbound-1.19-b.root-servers.net-conf.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From 101f9efb8de8e5e41fe40d05461276299e4c8980 Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Tue, 16 Jan 2024 16:13:29 +0100 -Subject: [PATCH] Update b.root-servers.net also in example config file - -Addition to commit a8739bad76d4d179290627e989c7ef236345bda6, which -updated only address specified in code. But addresses provided in -example configuration were not updated, I think they should be updated -too. ---- - unbound-1.19.0/doc/example.conf.in | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/unbound-1.19.0/doc/example.conf.in b/unbound-1.19.0/doc/example.conf.in -index b79a322..3a15357 100644 ---- a/unbound-1.19.0/doc/example.conf.in -+++ b/unbound-1.19.0/doc/example.conf.in -@@ -1203,7 +1203,7 @@ include: /etc/unbound/conf.d/*.conf - # notifies. - auth-zone: - name: "." -- primary: 199.9.14.201 # b.root-servers.net -+ primary: 170.247.170.2 # b.root-servers.net - primary: 192.33.4.12 # c.root-servers.net - primary: 199.7.91.13 # d.root-servers.net - primary: 192.5.5.241 # f.root-servers.net -@@ -1211,7 +1211,7 @@ auth-zone: - primary: 193.0.14.129 # k.root-servers.net - primary: 192.0.47.132 # xfr.cjr.dns.icann.org - primary: 192.0.32.132 # xfr.lax.dns.icann.org -- primary: 2001:500:200::b # b.root-servers.net -+ primary: 2801:1b8:10::b # b.root-servers.net - primary: 2001:500:2::c # c.root-servers.net - primary: 2001:500:2d::d # d.root-servers.net - primary: 2001:500:2f::f # f.root-servers.net --- -2.43.0 - diff --git a/unbound-1.19-b.root-servers.net.patch b/unbound-1.19-b.root-servers.net.patch deleted file mode 100644 index c3b9a47..0000000 --- a/unbound-1.19-b.root-servers.net.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 72c65bfc2fe35cf4f0665a5e3f173f4f8f6f151b Mon Sep 17 00:00:00 2001 -From: "W.C.A. Wijngaards" -Date: Wed, 6 Dec 2023 13:25:58 +0100 -Subject: [PATCH] - Updated IPv4 and IPv6 address for b.root-servers.net in - root hints. - ---- - unbound-1.19.0/iterator/iter_hints.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/unbound-1.19.0/iterator/iter_hints.c b/unbound-1.19.0/iterator/iter_hints.c -index a60d9a6..6b56daa 100644 ---- a/unbound-1.19.0/iterator/iter_hints.c -+++ b/unbound-1.19.0/iterator/iter_hints.c -@@ -129,7 +129,7 @@ compile_time_root_prime(int do_ip4, int do_ip6) - dp->has_parent_side_NS = 1; - if(do_ip4) { - if(!ah(dp, "A.ROOT-SERVERS.NET.", "198.41.0.4")) goto failed; -- if(!ah(dp, "B.ROOT-SERVERS.NET.", "199.9.14.201")) goto failed; -+ if(!ah(dp, "B.ROOT-SERVERS.NET.", "170.247.170.2")) goto failed; - if(!ah(dp, "C.ROOT-SERVERS.NET.", "192.33.4.12")) goto failed; - if(!ah(dp, "D.ROOT-SERVERS.NET.", "199.7.91.13")) goto failed; - if(!ah(dp, "E.ROOT-SERVERS.NET.", "192.203.230.10")) goto failed; -@@ -144,7 +144,7 @@ compile_time_root_prime(int do_ip4, int do_ip6) - } - if(do_ip6) { - if(!ah(dp, "A.ROOT-SERVERS.NET.", "2001:503:ba3e::2:30")) goto failed; -- if(!ah(dp, "B.ROOT-SERVERS.NET.", "2001:500:200::b")) goto failed; -+ if(!ah(dp, "B.ROOT-SERVERS.NET.", "2801:1b8:10::b")) goto failed; - if(!ah(dp, "C.ROOT-SERVERS.NET.", "2001:500:2::c")) goto failed; - if(!ah(dp, "D.ROOT-SERVERS.NET.", "2001:500:2d::d")) goto failed; - if(!ah(dp, "E.ROOT-SERVERS.NET.", "2001:500:a8::e")) goto failed; --- -2.43.0 - diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch index 009cb07..0aeb6cb 100644 --- a/unbound-fedora-config.patch +++ b/unbound-fedora-config.patch @@ -1,4 +1,4 @@ -From 77710cef1d7001fc52b7f19b0b9e305fd355f07e Mon Sep 17 00:00:00 2001 +From 17d4cc5fea24faa55358b7c36fdae0cd9bdd48b6 Mon Sep 17 00:00:00 2001 
From: Petr Mensik Date: Fri, 10 Nov 2023 12:58:31 +0100 Subject: [PATCH] Customize unbound.conf for Fedora defaults @@ -7,13 +7,13 @@ Set some Fedora/RHEL specific changes to example configuration file. By patching upstream provided config file we would not need to manually update external copy in source RPM. --- - unbound-1.19.1/doc/example.conf.in | 200 ++++++++++++++++++----------- - 1 file changed, 127 insertions(+), 73 deletions(-) + unbound-1.19.3/doc/example.conf.in | 194 ++++++++++++++++++----------- + 1 file changed, 124 insertions(+), 70 deletions(-) -diff --git a/unbound-1.19.1/doc/example.conf.in b/unbound-1.19.1/doc/example.conf.in -index fcfb1da..a61b530 100644 ---- a/unbound-1.19.1/doc/example.conf.in -+++ b/unbound-1.19.1/doc/example.conf.in +diff --git a/unbound-1.19.3/doc/example.conf.in b/unbound-1.19.3/doc/example.conf.in +index d791cf8..af163b2 100644 +--- a/unbound-1.19.3/doc/example.conf.in ++++ b/unbound-1.19.3/doc/example.conf.in @@ -17,11 +17,12 @@ server: # whitespace is not necessary, but looks cleaner. @@ -148,7 +148,7 @@ index fcfb1da..a61b530 100644 # Use systemd socket activation for UDP, TCP, and control sockets. # use-systemd: no -@@ -402,6 +426,7 @@ server: +@@ -403,6 +427,7 @@ server: # # If you give "" no chroot is performed. The path must not end in a /. # chroot: "@UNBOUND_CHROOT_DIR@" @@ -156,7 +156,7 @@ index fcfb1da..a61b530 100644 # if given, user privileges are dropped (after binding port), # and the given username is assumed. Default is user "unbound". -@@ -413,7 +438,7 @@ server: +@@ -414,7 +439,7 @@ server: # is not changed. # If you give a server: directory: dir before include: file statements # then those includes can be relative to the working directory. 
@@ -165,7 +165,7 @@ index fcfb1da..a61b530 100644 # the log file, "" means log to stderr. # Use of this option sets use-syslog to "no". -@@ -428,7 +453,7 @@ server: +@@ -429,7 +454,7 @@ server: # log-identity: "" # print UTC timestamp in ascii to logfile, default is epoch in seconds. @@ -174,7 +174,7 @@ index fcfb1da..a61b530 100644 # print one line with time, IP, name, type, class for every query. # log-queries: no -@@ -497,22 +522,22 @@ server: +@@ -501,22 +526,22 @@ server: # harden-large-queries: no # Harden against out of zone rrsets, to avoid spoofing attempts. @@ -201,7 +201,7 @@ index fcfb1da..a61b530 100644 # Harden against algorithm downgrade when multiple algorithms are # advertised in the DS record. If no, allows the weakest algorithm -@@ -526,7 +551,7 @@ server: +@@ -530,7 +555,7 @@ server: # Sent minimum amount of information to upstream servers to enhance # privacy. Only sent minimum required labels of the QNAME and set QTYPE # to A when possible. @@ -210,7 +210,7 @@ index fcfb1da..a61b530 100644 # QNAME minimisation in strict mode. Do not fall-back to sending full # QNAME to potentially broken nameservers. A lot of domains will not be -@@ -536,7 +561,7 @@ server: +@@ -540,7 +565,7 @@ server: # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN # and other denials, using information from previous NXDOMAINs answers. @@ -219,7 +219,7 @@ index fcfb1da..a61b530 100644 # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. -@@ -569,7 +594,7 @@ server: +@@ -573,7 +598,7 @@ server: # threshold, a warning is printed and a defensive action is taken, # the cache is cleared to flush potential poison out of it. # A suggested value is 10000000, the default is 0 (turned off). 
@@ -228,7 +228,7 @@ index fcfb1da..a61b530 100644 # Do not query the following addresses. No DNS queries are sent there. # List one address per entry. List classless netblocks with /size, -@@ -581,20 +606,20 @@ server: +@@ -585,20 +610,20 @@ server: # do-not-query-localhost: yes # if yes, perform prefetching of almost expired message cache entries. @@ -254,7 +254,7 @@ index fcfb1da..a61b530 100644 # true to disable DNSSEC lameness check in iterator. # disable-dnssec-lame-check: no -@@ -604,7 +629,9 @@ server: +@@ -608,7 +633,9 @@ server: # most modules have to be listed at the beginning of the line, # except cachedb(just before iterator), and python (at the beginning, # or, just before the iterator). @@ -265,7 +265,7 @@ index fcfb1da..a61b530 100644 # File with trusted keys, kept uptodate using RFC5011 probes, # initial file like trust-anchor-file, then it stores metadata. -@@ -618,10 +645,10 @@ server: +@@ -622,10 +649,10 @@ server: # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" # trust anchor signaling sends a RFC8145 key tag query after priming. @@ -278,7 +278,7 @@ index fcfb1da..a61b530 100644 # File with trusted keys for validation. Specify more than one file # with several entries, one file per entry. -@@ -642,6 +669,9 @@ server: +@@ -646,6 +673,9 @@ server: # the trusted-keys { name flag proto algo "key"; }; clauses are read. # you need external update procedures to track changes in keys. # trusted-keys-file: "" @@ -288,7 +288,7 @@ index fcfb1da..a61b530 100644 # Ignore chain of trust. Domain is treated as insecure. # domain-insecure: "example.com" -@@ -669,14 +699,15 @@ server: +@@ -673,14 +703,15 @@ server: # unsecure data. Useful to shield the users of this validator from # potential bogus data in the additional section. All unsigned data # in the additional section is removed from secure messages. 
@@ -306,7 +306,7 @@ index fcfb1da..a61b530 100644 # Ignore the CD flag in incoming queries and refuse them bogus data. # Enable it if the only clients of Unbound are legacy servers (w2008) -@@ -690,11 +721,11 @@ server: +@@ -694,11 +725,11 @@ server: # Serve expired responses from cache, with serve-expired-reply-ttl in # the response, and then attempt to fetch the data afresh. @@ -320,7 +320,7 @@ index fcfb1da..a61b530 100644 # # Set the TTL of expired records to the serve-expired-ttl value after a # failed attempt to retrieve the record from upstream. This makes sure -@@ -721,7 +752,7 @@ server: +@@ -725,7 +756,7 @@ server: # Have the validator log failed validations for your diagnosis. # 0: off. 1: A line per failed user query. 2: With reason and bad IP. @@ -329,7 +329,7 @@ index fcfb1da..a61b530 100644 # It is possible to configure NSEC3 maximum iteration counts per # keysize. Keep this table very short, as linear search is done. -@@ -865,6 +896,8 @@ server: +@@ -869,6 +900,8 @@ server: # you need to do the reverse notation yourself. # local-data-ptr: "192.0.2.3 www.example.com" @@ -338,7 +338,7 @@ index fcfb1da..a61b530 100644 # tag a localzone with a list of tag names (in "" with spaces between) # local-zone-tag: "example.com" "tag2 tag3" -@@ -875,8 +908,8 @@ server: +@@ -879,8 +912,8 @@ server: # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. # Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. 
@@ -349,7 +349,7 @@ index fcfb1da..a61b530 100644 # tls-port: 853 # https-port: 443 -@@ -884,6 +917,8 @@ server: +@@ -888,6 +921,8 @@ server: # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" # cipher setting for TLSv1.3 # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" @@ -358,8 +358,8 @@ index fcfb1da..a61b530 100644 # Pad responses to padded queries received over TLS # pad-responses: yes -@@ -1005,12 +1040,12 @@ server: - # fast-server-num: 3 +@@ -1024,12 +1059,12 @@ server: + # cookie-secret: <128 bit random hex string> # Enable to attach Extended DNS Error codes (RFC8914) to responses. - # ede: no @@ -373,7 +373,7 @@ index fcfb1da..a61b530 100644 # Specific options for ipsecmod. Unbound needs to be configured with # --enable-ipsecmod for these to take effect. -@@ -1018,12 +1053,14 @@ server: +@@ -1037,12 +1072,14 @@ server: # Enable or disable ipsecmod (it still needs to be defined in # module-config above). Can be used when ipsecmod needs to be # enabled/disabled via remote-control(below). @@ -391,7 +391,7 @@ index fcfb1da..a61b530 100644 # When enabled Unbound will reply with SERVFAIL if the return value of # the ipsecmod-hook is not 0. # ipsecmod-strict: no -@@ -1056,7 +1093,7 @@ server: +@@ -1075,7 +1112,7 @@ server: # o and give a python-script to run. python: # Script file to load @@ -400,7 +400,7 @@ index fcfb1da..a61b530 100644 # Dynamic library config section. To enable: # o use --with-dynlibmodule to configure before compiling. -@@ -1067,13 +1104,14 @@ python: +@@ -1086,13 +1123,14 @@ python: # the module-config then you need one dynlib-file per instance. dynlib: # Script file to load 
@@ -417,7 +417,7 @@ index fcfb1da..a61b530 100644 # what interfaces are listened to for remote control. # give 0.0.0.0 and ::0 to listen to all interfaces. -@@ -1081,6 +1119,7 @@ remote-control: +@@ -1100,6 +1138,7 @@ remote-control: # are not used for that, so key and cert files need not be present. # control-interface: 127.0.0.1 # control-interface: ::1 @@ -425,7 +425,7 @@ index fcfb1da..a61b530 100644 # port number for remote control operations. # control-port: 8953 -@@ -1090,16 +1129,19 @@ remote-control: +@@ -1109,16 +1148,19 @@ remote-control: # control-use-cert: "yes" # Unbound server key file. @@ -449,7 +449,7 @@ index fcfb1da..a61b530 100644 # Stub zones. # Create entries like below, to make all queries for 'example.com' and -@@ -1121,6 +1163,10 @@ remote-control: +@@ -1140,6 +1182,10 @@ remote-control: # name: "example.org" # stub-host: ns.example.com. @@ -460,7 +460,7 @@ index fcfb1da..a61b530 100644 # Forward zones # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of servers. These servers have to handle -@@ -1138,6 +1184,10 @@ remote-control: +@@ -1157,6 +1203,10 @@ remote-control: # forward-zone: # name: "example.org" # forward-host: fwd.example.com 
@@ -471,16 +471,13 @@ index fcfb1da..a61b530 100644 # Authority zones # The data for these zones is kept locally, from a file or downloaded. -@@ -1145,30 +1195,31 @@ remote-control: - # upstream (which saves a lookup to the upstream). The first example - # has a copy of the root for local usage. The second serves example.org - # authoritatively. zonefile: reads from file (and writes to it if you also --# download it), primary: fetches with AXFR and IXFR, or url to zonefile. --# With allow-notify: you can give additional (apart from primaries and urls) --# sources of notifies. +@@ -1167,27 +1217,28 @@ remote-control: + # download it), primary: fetches with AXFR and IXFR, or url to zonefile. + # With allow-notify: you can give additional (apart from primaries and urls) + # sources of notifies. -# auth-zone: -# name: "." --# primary: 199.9.14.201 # b.root-servers.net +-# primary: 170.247.170.2 # b.root-servers.net -# primary: 192.33.4.12 # c.root-servers.net -# primary: 199.7.91.13 # d.root-servers.net -# primary: 192.5.5.241 # f.root-servers.net @@ -488,7 +485,7 @@ index fcfb1da..a61b530 100644 -# primary: 193.0.14.129 # k.root-servers.net -# primary: 192.0.47.132 # xfr.cjr.dns.icann.org -# primary: 192.0.32.132 # xfr.lax.dns.icann.org --# primary: 2001:500:200::b # b.root-servers.net +-# primary: 2801:1b8:10::b # b.root-servers.net -# primary: 2001:500:2::c # c.root-servers.net -# primary: 2001:500:2d::d # d.root-servers.net -# primary: 2001:500:2f::f # f.root-servers.net 
@@ -499,12 +496,9 @@ index fcfb1da..a61b530 100644 -# fallback-enabled: yes -# for-downstream: no -# for-upstream: yes -+# download it), master: fetches with AXFR and IXFR, or url to zonefile. -+# With allow-notify: you can give additional (apart from masters) sources of -+# notifies. -+auth-zone: ++ auth-zone: + name: "." -+ primary: 199.9.14.201 # b.root-servers.net ++ primary: 170.247.170.2 # b.root-servers.net + primary: 192.33.4.12 # c.root-servers.net + primary: 199.7.91.13 # d.root-servers.net + primary: 192.5.5.241 # f.root-servers.net @@ -512,7 +506,7 @@ index fcfb1da..a61b530 100644 + primary: 193.0.14.129 # k.root-servers.net + primary: 192.0.47.132 # xfr.cjr.dns.icann.org + primary: 192.0.32.132 # xfr.lax.dns.icann.org -+ primary: 2001:500:200::b # b.root-servers.net ++ primary: 2801:1b8:10::b # b.root-servers.net + primary: 2001:500:2::c # c.root-servers.net + primary: 2001:500:2d::d # d.root-servers.net + primary: 2001:500:2f::f # f.root-servers.net @@ -527,7 +521,7 @@ index fcfb1da..a61b530 100644 # auth-zone: # name: "example.org" # for-downstream: yes -@@ -1194,6 +1245,9 @@ remote-control: +@@ -1213,6 +1264,9 @@ remote-control: # name: "anotherview" # local-zone: "example.com" refuse @@ -537,7 +531,7 @@ index fcfb1da..a61b530 100644 # DNSCrypt # To enable, use --enable-dnscrypt to configure before compiling. # Caveats: -@@ -1266,7 +1320,7 @@ remote-control: +@@ -1285,7 +1339,7 @@ remote-control: # dnstap-enable: no # # if set to yes frame streams will be used in bidirectional mode # dnstap-bidirectional: yes @@ -547,5 +541,5 @@ index fcfb1da..a61b530 100644 # # set it to "IPaddress[@port]" of the destination. # dnstap-ip: "" -- -2.43.0 +2.44.0 diff --git a/unbound.spec b/unbound.spec index 391d7aa..8d421c6 100644 --- a/unbound.spec +++ b/unbound.spec 
@@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.19.1 +Version: 1.19.3 Release: %autorelease %{?extra_version:-e %{extra_version}} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ @@ -57,13 +57,6 @@ Source20: unbound.sysusers # Downstream configuration changes Patch1: unbound-fedora-config.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2253461 -# https://github.com/NLnetLabs/unbound/commit/a8739bad76d4d179290627e989c7ef236345bda6 -Patch2: unbound-1.19-b.root-servers.net.patch -# https://github.com/NLnetLabs/unbound/pull/993 -Patch3: unbound-1.19-b.root-servers.net-conf.patch -# https://github.com/NLnetLabs/unbound/commit/ccbe31c21f91ae96e759547be264a34ac63f4f90 (now released as CVE-2024-1931) -Patch4: unbound-1.19-EDE-cpu-lock.patch BuildRequires: gcc, make BuildRequires: flex, openssl-devel From cd3bdb1b777935f939249df2b899956b1bb9a59e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Mon, 15 Apr 2024 13:10:32 +0200 Subject: [PATCH 080/139] Harden autoconf re-generation Try to use known working replacements from autoconf-archive instead of bundled outdated copy. Remove first files known to be regenerated. --- unbound.spec | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/unbound.spec b/unbound.spec index 8d421c6..c44dc7d 100644 --- a/unbound.spec +++ b/unbound.spec @@ -62,6 +62,12 @@ BuildRequires: gcc, make BuildRequires: flex, openssl-devel BuildRequires: libevent-devel expat-devel BuildRequires: pkgconfig + +# Required for configure regeneration +BuildRequires: bison +BuildRequires: automake autoconf libtool +BuildRequires: autoconf-archive + %if 0%{?fedora} BuildRequires: gnupg2 %endif 
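Review bot: The comment `# Required for configure regeneration` above the new BuildRequires block is accurate for automake, autoconf, libtool and autoconf-archive, but autoreconf never invokes bison, so the first entry under it is mislabelled. Presumably bison is listed because a fully regenerated build tree may rebuild the yacc-based config parser when its timestamps change after autoreconf; that should be confirmed and the comment adjusted, e.g. `# Required for autoreconf, and bison for rebuilding the config parser if its timestamps move`. None of the four packages carries a minimum version, so a build host whose autoconf-archive predates the macro files that the %build step later copies out of %{_datadir}/aclocal would fail at the `cp -p` step rather than at dependency resolution; a versioned `BuildRequires: autoconf-archive >= <minimum-known-good>` would make that requirement explicit.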
@@ -88,9 +94,6 @@ BuildRequires: systemd-rpm-macros %else BuildRequires: systemd %endif -# Required for SVN versions -# BuildRequires: bison -# BuildRequires: automake autoconf libtool # Needed because /usr/sbin/unbound links unbound libs staticly Requires: %{name}-libs%{?_isa} = %{version}-%{release} @@ -204,9 +207,6 @@ pushd %{pkgname} # patches go here %autopatch -p2 -# only for snapshots -# autoreconf -iv - # copy common doc files - after here, since it may be patched cp -pr doc pythonmod libunbound ../ @@ -226,9 +226,6 @@ cp -a %{dir_primary} %{dir_secondary} %endif %build -# This is needed to rebuild the configure script to support Python 3.x -# autoreconf -iv - # ./configure script common arguments %global configure_args --with-libevent --with-pthreads --with-ssl \\\ --disable-rpath --disable-static \\\ @@ -244,6 +241,14 @@ cp -a %{dir_primary} %{dir_secondary} pushd %{dir_primary} +# always regenerate configure +rm -f config.h.in aclocal.m4 configure ltmain.sh +rm -f ax_pthread.m4 +cp -p %{_datadir}/aclocal/{ax_pthread,ax_swig_python}.m4 . +# TODO: use ax_swig_python.m4 from autoconf-archive too +# https://github.com/NLnetLabs/unbound/pull/1048 +autoreconf -fiv + %configure \ %if 0%{?python_primary:1} --with-pythonmodule --with-pyunbound PYTHON=%{python_primary} \ From befd44516251caa12b67f78d6cd97a5cb056e795 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Mon, 15 Apr 2024 13:58:59 +0200 Subject: [PATCH 081/139] Use newer swig m4 configuration Use autoconf-archive version of swig initialization too. Backport it from upstream change. --- unbound-1.19-autoconf-m4.patch | 792 +++++++++++++++++++++++++++++++++ unbound.spec | 6 +- 2 files changed, 795 insertions(+), 3 deletions(-) create mode 100644 unbound-1.19-autoconf-m4.patch diff --git a/unbound-1.19-autoconf-m4.patch b/unbound-1.19-autoconf-m4.patch new file mode 100644 index 0000000..b014cb2 --- /dev/null +++ b/unbound-1.19-autoconf-m4.patch 
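Review bot: The `rm -f` / `cp -p` / `autoreconf -fiv` sequence runs only under `pushd %{dir_primary}`, while the hunk's own context shows `%{dir_secondary}` is produced in %prep by `cp -a %{dir_primary} %{dir_secondary}`, so a secondary Python build configured later would still execute the bundled, pre-generated configure script and bundled m4 copies that this change set out to replace, unless the same sequence is repeated there (the rest of %build is outside the hunk). Moving the regeneration into %prep, after `%autopatch` and before the `cp -a`, would cover both trees once and keep the two builds from configuring from different scripts. The copy of `ax_swig_python.m4` also appears to be unused at this commit, since the following commit still has to delete the bundled `ac_pkg_swig.m4` and switch to `AX_PKG_SWIG`; the TODO hints at this, but a remark such as `# ax_swig_python.m4 is copied ahead of configure.ac consuming it` next to the `cp -p` would stop a reader from assuming the swig detection is already replaced.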
@@ -0,0 +1,792 @@ +From 926b5dadfb1f1454bd0e54dd195018d11c223c34 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Mon, 15 Apr 2024 11:30:19 +0200 +Subject: [PATCH] Update ax_pkg_swig.m4 and ax_pthread.m4 + +Use vanilla m4 files with known source. Prepared for possible removal at +build time if the system already has autoconf-archive source present. +Switch to AX_PKG_SWIG macro for versioned or unversioned swig detection. +--- + unbound-1.19.3/ac_pkg_swig.m4 | 133 ---------- + unbound-1.19.3/ax_pthread.m4 | 444 ++++++++++++++++++++++++---------- + unbound-1.19.3/configure.ac | 6 +- + 3 files changed, 320 insertions(+), 263 deletions(-) + delete mode 100644 unbound-1.19.3/ac_pkg_swig.m4 + +diff --git a/unbound-1.19.3/ac_pkg_swig.m4 b/unbound-1.19.3/ac_pkg_swig.m4 +deleted file mode 100644 +index 87f99fb..0000000 +--- a/unbound-1.19.3/ac_pkg_swig.m4 ++++ /dev/null +@@ -1,133 +0,0 @@ +-# =========================================================================== +-# http://autoconf-archive.cryp.to/ac_pkg_swig.html +-# =========================================================================== +-# +-# SYNOPSIS +-# +-# AC_PROG_SWIG([major.minor.micro]) +-# +-# DESCRIPTION +-# +-# This macro searches for a SWIG installation on your system. If found you +-# should call SWIG via $(SWIG). You can use the optional first argument to +-# check if the version of the available SWIG is greater than or equal to +-# the value of the argument. It should have the format: N[.N[.N]] (N is a +-# number between 0 and 999. Only the first N is mandatory.) +-# +-# If the version argument is given (e.g. 1.3.17), AC_PROG_SWIG checks that +-# the swig package is this version number or higher. +-# +-# In configure.in, use as: +-# +-# AC_PROG_SWIG(1.3.17) +-# SWIG_ENABLE_CXX +-# SWIG_MULTI_MODULE_SUPPORT +-# SWIG_PYTHON +-# +-# LAST MODIFICATION +-# +-# 2008-04-12 +-# +-# COPYLEFT +-# +-# Copyright (c) 2008 Sebastian Huber +-# Copyright (c) 2008 Alan W. 
Irwin +-# Copyright (c) 2008 Rafael Laboissiere +-# Copyright (c) 2008 Andrew Collier +-# +-# This program is free software; you can redistribute it and/or modify it +-# under the terms of the GNU General Public License as published by the +-# Free Software Foundation; either version 2 of the License, or (at your +-# option) any later version. +-# +-# This program is distributed in the hope that it will be useful, but +-# WITHOUT ANY WARRANTY; without even the implied warranty of +-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General +-# Public License for more details. +-# +-# You should have received a copy of the GNU General Public License along +-# with this program. If not, see . +-# +-# As a special exception, the respective Autoconf Macro's copyright owner +-# gives unlimited permission to copy, distribute and modify the configure +-# scripts that are the output of Autoconf when processing the Macro. You +-# need not follow the terms of the GNU General Public License when using +-# or distributing such scripts, even though portions of the text of the +-# Macro appear in them. The GNU General Public License (GPL) does govern +-# all other use of the material that constitutes the Autoconf Macro. +-# +-# This special exception to the GPL applies to versions of the Autoconf +-# Macro released by the Autoconf Macro Archive. When you make and +-# distribute a modified version of the Autoconf Macro, you may extend this +-# special exception to the GPL to apply to your modified version as well. +- +-AC_DEFUN([AC_PROG_SWIG],[ +- AC_PATH_PROG([SWIG],[swig]) +- if test -z "$SWIG" ; then +- AC_MSG_WARN([cannot find 'swig' program. You should look at http://www.swig.org]) +- SWIG='echo "Error: SWIG is not installed. 
You should look at http://www.swig.org" ; false' +- elif test -n "$1" ; then +- AC_MSG_CHECKING([for SWIG version]) +- [swig_version=`$SWIG -version 2>&1 | grep 'SWIG Version' | sed 's/.*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/g'`] +- AC_MSG_RESULT([$swig_version]) +- if test -n "$swig_version" ; then +- # Calculate the required version number components +- [required=$1] +- [required_major=`echo $required | sed 's/[^0-9].*//'`] +- if test -z "$required_major" ; then +- [required_major=0] +- fi +- [required=`echo $required | sed 's/[0-9]*[^0-9]//'`] +- [required_minor=`echo $required | sed 's/[^0-9].*//'`] +- if test -z "$required_minor" ; then +- [required_minor=0] +- fi +- [required=`echo $required | sed 's/[0-9]*[^0-9]//'`] +- [required_patch=`echo $required | sed 's/[^0-9].*//'`] +- if test -z "$required_patch" ; then +- [required_patch=0] +- fi +- # Calculate the available version number components +- [available=$swig_version] +- [available_major=`echo $available | sed 's/[^0-9].*//'`] +- if test -z "$available_major" ; then +- [available_major=0] +- fi +- [available=`echo $available | sed 's/[0-9]*[^0-9]//'`] +- [available_minor=`echo $available | sed 's/[^0-9].*//'`] +- if test -z "$available_minor" ; then +- [available_minor=0] +- fi +- [available=`echo $available | sed 's/[0-9]*[^0-9]//'`] +- [available_patch=`echo $available | sed 's/[^0-9].*//'`] +- if test -z "$available_patch" ; then +- [available_patch=0] +- fi +- [badversion=0] +- if test $available_major -lt $required_major ; then +- [badversion=1] +- fi +- if test $available_major -eq $required_major \ +- -a $available_minor -lt $required_minor ; then +- [badversion=1] +- fi +- if test $available_major -eq $required_major \ +- -a $available_minor -eq $required_minor \ +- -a $available_patch -lt $required_patch ; then +- [badversion=1] +- fi +- if test $badversion -eq 1 ; then +- AC_MSG_WARN([SWIG version >= $1 is required. You have $swig_version. 
You should look at http://www.swig.org]) +- SWIG='echo "Error: SWIG version >= $1 is required. You have '"$swig_version"'. You should look at http://www.swig.org" ; false' +- else +- AC_MSG_NOTICE([SWIG executable is '$SWIG']) +- SWIG_LIB=`$SWIG -swiglib` +- AC_MSG_NOTICE([SWIG library directory is '$SWIG_LIB']) +- fi +- else +- AC_MSG_WARN([cannot determine SWIG version]) +- SWIG='echo "Error: Cannot determine SWIG version. You should look at http://www.swig.org" ; false' +- fi +- fi +- AC_SUBST([SWIG_LIB]) +-]) +diff --git a/unbound-1.19.3/ax_pthread.m4 b/unbound-1.19.3/ax_pthread.m4 +index ff7d2a6..9f35d13 100644 +--- a/unbound-1.19.3/ax_pthread.m4 ++++ b/unbound-1.19.3/ax_pthread.m4 +@@ -1,5 +1,5 @@ + # =========================================================================== +-# http://www.gnu.org/software/autoconf-archive/ax_pthread.html ++# https://www.gnu.org/software/autoconf-archive/ax_pthread.html + # =========================================================================== + # + # SYNOPSIS +@@ -14,24 +14,28 @@ + # flags that are needed. (The user can also force certain compiler + # flags/libs to be tested by setting these environment variables.) + # +-# Also sets PTHREAD_CC to any special C compiler that is needed for +-# multi-threaded programs (defaults to the value of CC otherwise). (This +-# is necessary on AIX to use the special cc_r compiler alias.) ++# Also sets PTHREAD_CC and PTHREAD_CXX to any special C compiler that is ++# needed for multi-threaded programs (defaults to the value of CC ++# respectively CXX otherwise). (This is necessary on e.g. AIX to use the ++# special cc_r/CC_r compiler alias.) + # + # NOTE: You are assumed to not only compile your program with these flags, +-# but also link it with them as well. e.g. you should link with ++# but also to link with them as well. For example, you might link with + # $PTHREAD_CC $CFLAGS $PTHREAD_CFLAGS $LDFLAGS ... $PTHREAD_LIBS $LIBS ++# $PTHREAD_CXX $CXXFLAGS $PTHREAD_CFLAGS $LDFLAGS ... 
$PTHREAD_LIBS $LIBS + # +-# If you are only building threads programs, you may wish to use these ++# If you are only building threaded programs, you may wish to use these + # variables in your default LIBS, CFLAGS, and CC: + # + # LIBS="$PTHREAD_LIBS $LIBS" + # CFLAGS="$CFLAGS $PTHREAD_CFLAGS" ++# CXXFLAGS="$CXXFLAGS $PTHREAD_CFLAGS" + # CC="$PTHREAD_CC" ++# CXX="$PTHREAD_CXX" + # + # In addition, if the PTHREAD_CREATE_JOINABLE thread-attribute constant +-# has a nonstandard name, defines PTHREAD_CREATE_JOINABLE to that name +-# (e.g. PTHREAD_CREATE_UNDETACHED on AIX). ++# has a nonstandard name, this macro defines PTHREAD_CREATE_JOINABLE to ++# that name (e.g. PTHREAD_CREATE_UNDETACHED on AIX). + # + # Also HAVE_PTHREAD_PRIO_INHERIT is defined if pthread is found and the + # PTHREAD_PRIO_INHERIT symbol is defined when compiling with +@@ -55,6 +59,7 @@ + # + # Copyright (c) 2008 Steven G. Johnson + # Copyright (c) 2011 Daniel Richard G. ++# Copyright (c) 2019 Marc Stevens + # + # This program is free software: you can redistribute it and/or modify it + # under the terms of the GNU General Public License as published by the +@@ -67,7 +72,7 @@ + # Public License for more details. + # + # You should have received a copy of the GNU General Public License along +-# with this program. If not, see . ++# with this program. If not, see . + # + # As a special exception, the respective Autoconf Macro's copyright owner + # gives unlimited permission to copy, distribute and modify the configure +@@ -82,35 +87,41 @@ + # modified version of the Autoconf Macro, you may extend this special + # exception to the GPL to apply to your modified version as well. 
+ +-#serial 21 ++#serial 31 + + AU_ALIAS([ACX_PTHREAD], [AX_PTHREAD]) + AC_DEFUN([AX_PTHREAD], [ + AC_REQUIRE([AC_CANONICAL_HOST]) ++AC_REQUIRE([AC_PROG_CC]) ++AC_REQUIRE([AC_PROG_SED]) + AC_LANG_PUSH([C]) + ax_pthread_ok=no + + # We used to check for pthread.h first, but this fails if pthread.h +-# requires special compiler flags (e.g. on True64 or Sequent). ++# requires special compiler flags (e.g. on Tru64 or Sequent). + # It gets checked for in the link test anyway. + + # First of all, check if the user has set any of the PTHREAD_LIBS, + # etcetera environment variables, and if threads linking works using + # them: +-if test x"$PTHREAD_LIBS$PTHREAD_CFLAGS" != x; then +- save_CFLAGS="$CFLAGS" ++if test "x$PTHREAD_CFLAGS$PTHREAD_LIBS" != "x"; then ++ ax_pthread_save_CC="$CC" ++ ax_pthread_save_CFLAGS="$CFLAGS" ++ ax_pthread_save_LIBS="$LIBS" ++ AS_IF([test "x$PTHREAD_CC" != "x"], [CC="$PTHREAD_CC"]) ++ AS_IF([test "x$PTHREAD_CXX" != "x"], [CXX="$PTHREAD_CXX"]) + CFLAGS="$CFLAGS $PTHREAD_CFLAGS" +- save_LIBS="$LIBS" + LIBS="$PTHREAD_LIBS $LIBS" +- AC_MSG_CHECKING([for pthread_join in LIBS=$PTHREAD_LIBS with CFLAGS=$PTHREAD_CFLAGS]) +- AC_TRY_LINK_FUNC([pthread_join], [ax_pthread_ok=yes]) ++ AC_MSG_CHECKING([for pthread_join using $CC $PTHREAD_CFLAGS $PTHREAD_LIBS]) ++ AC_LINK_IFELSE([AC_LANG_CALL([], [pthread_join])], [ax_pthread_ok=yes]) + AC_MSG_RESULT([$ax_pthread_ok]) +- if test x"$ax_pthread_ok" = xno; then ++ if test "x$ax_pthread_ok" = "xno"; then + PTHREAD_LIBS="" + PTHREAD_CFLAGS="" + fi +- LIBS="$save_LIBS" +- CFLAGS="$save_CFLAGS" ++ CC="$ax_pthread_save_CC" ++ CFLAGS="$ax_pthread_save_CFLAGS" ++ LIBS="$ax_pthread_save_LIBS" + fi + + # We must check for the threads library under a number of different +@@ -118,12 +129,14 @@ fi + # (e.g. DEC) have both -lpthread and -lpthreads, where one of the + # libraries is broken (non-POSIX). + +-# Create a list of thread flags to try. 
Items starting with a "-" are +-# C compiler flags, and other items are library names, except for "none" +-# which indicates that we try without any flags at all, and "pthread-config" +-# which is a program returning the flags for the Pth emulation library. ++# Create a list of thread flags to try. Items with a "," contain both ++# C compiler flags (before ",") and linker flags (after ","). Other items ++# starting with a "-" are C compiler flags, and remaining items are ++# library names, except for "none" which indicates that we try without ++# any flags at all, and "pthread-config" which is a program returning ++# the flags for the Pth emulation library. + +-ax_pthread_flags="pthreads none -Kthread -kthread lthread -pthread -pthreads -mthreads pthread --thread-safe -mt pthread-config" ++ax_pthread_flags="pthreads none -Kthread -pthread -pthreads -mthreads pthread --thread-safe -mt pthread-config" + + # The ordering *is* (sometimes) important. Some notes on the + # individual items follow: +@@ -132,82 +145,163 @@ ax_pthread_flags="pthreads none -Kthread -kthread lthread -pthread -pthreads -mt + # none: in case threads are in libc; should be tried before -Kthread and + # other compiler flags to prevent continual compiler warnings + # -Kthread: Sequent (threads in libc, but -Kthread needed for pthread.h) +-# -kthread: FreeBSD kernel threads (preferred to -pthread since SMP-able) +-# lthread: LinuxThreads port on FreeBSD (also preferred to -pthread) +-# -pthread: Linux/gcc (kernel threads), BSD/gcc (userland threads) +-# -pthreads: Solaris/gcc +-# -mthreads: Mingw32/gcc, Lynx/gcc ++# -pthread: Linux/gcc (kernel threads), BSD/gcc (userland threads), Tru64 ++# (Note: HP C rejects this with "bad form for `-t' option") ++# -pthreads: Solaris/gcc (Note: HP C also rejects) + # -mt: Sun Workshop C (may only link SunOS threads [-lthread], but it +-# doesn't hurt to check since this sometimes defines pthreads too; +-# also defines -D_REENTRANT) +-# ... 
-mt is also the pthreads flag for HP/aCC ++# doesn't hurt to check since this sometimes defines pthreads and ++# -D_REENTRANT too), HP C (must be checked before -lpthread, which ++# is present but should not be used directly; and before -mthreads, ++# because the compiler interprets this as "-mt" + "-hreads") ++# -mthreads: Mingw32/gcc, Lynx/gcc + # pthread: Linux, etcetera + # --thread-safe: KAI C++ + # pthread-config: use pthread-config program (for GNU Pth library) + +-case ${host_os} in ++case $host_os in ++ ++ freebsd*) ++ ++ # -kthread: FreeBSD kernel threads (preferred to -pthread since SMP-able) ++ # lthread: LinuxThreads port on FreeBSD (also preferred to -pthread) ++ ++ ax_pthread_flags="-kthread lthread $ax_pthread_flags" ++ ;; ++ ++ hpux*) ++ ++ # From the cc(1) man page: "[-mt] Sets various -D flags to enable ++ # multi-threading and also sets -lpthread." ++ ++ ax_pthread_flags="-mt -pthread pthread $ax_pthread_flags" ++ ;; ++ ++ openedition*) ++ ++ # IBM z/OS requires a feature-test macro to be defined in order to ++ # enable POSIX threads at all, so give the user a hint if this is ++ # not set. (We don't define these ourselves, as they can affect ++ # other portions of the system API in unpredictable ways.) ++ ++ AC_EGREP_CPP([AX_PTHREAD_ZOS_MISSING], ++ [ ++# if !defined(_OPEN_THREADS) && !defined(_UNIX03_THREADS) ++ AX_PTHREAD_ZOS_MISSING ++# endif ++ ], ++ [AC_MSG_WARN([IBM z/OS requires -D_OPEN_THREADS or -D_UNIX03_THREADS to enable pthreads support.])]) ++ ;; ++ + solaris*) + + # On Solaris (at least, for some versions), libc contains stubbed + # (non-functional) versions of the pthreads routines, so link-based +- # tests will erroneously succeed. (We need to link with -pthreads/-mt/ +- # -lpthread.) (The stubs are missing pthread_cleanup_push, or rather +- # a function called by this macro, so we could check for that, but +- # who knows whether they'll stub that too in a future libc.) 
So, +- # we'll just look for -pthreads and -lpthread first: ++ # tests will erroneously succeed. (N.B.: The stubs are missing ++ # pthread_cleanup_push, or rather a function called by this macro, ++ # so we could check for that, but who knows whether they'll stub ++ # that too in a future libc.) So we'll check first for the ++ # standard Solaris way of linking pthreads (-mt -lpthread). ++ ++ ax_pthread_flags="-mt,-lpthread pthread $ax_pthread_flags" ++ ;; ++esac ++ ++# Are we compiling with Clang? ++ ++AC_CACHE_CHECK([whether $CC is Clang], ++ [ax_cv_PTHREAD_CLANG], ++ [ax_cv_PTHREAD_CLANG=no ++ # Note that Autoconf sets GCC=yes for Clang as well as GCC ++ if test "x$GCC" = "xyes"; then ++ AC_EGREP_CPP([AX_PTHREAD_CC_IS_CLANG], ++ [/* Note: Clang 2.7 lacks __clang_[a-z]+__ */ ++# if defined(__clang__) && defined(__llvm__) ++ AX_PTHREAD_CC_IS_CLANG ++# endif ++ ], ++ [ax_cv_PTHREAD_CLANG=yes]) ++ fi ++ ]) ++ax_pthread_clang="$ax_cv_PTHREAD_CLANG" ++ ++ ++# GCC generally uses -pthread, or -pthreads on some platforms (e.g. SPARC) ++ ++# Note that for GCC and Clang -pthread generally implies -lpthread, ++# except when -nostdlib is passed. 
++# This is problematic using libtool to build C++ shared libraries with pthread: ++# [1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=25460 ++# [2] https://bugzilla.redhat.com/show_bug.cgi?id=661333 ++# [3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=468555 ++# To solve this, first try -pthread together with -lpthread for GCC ++ ++AS_IF([test "x$GCC" = "xyes"], ++ [ax_pthread_flags="-pthread,-lpthread -pthread -pthreads $ax_pthread_flags"]) ++ ++# Clang takes -pthread (never supported any other flag), but we'll try with -lpthread first ++ ++AS_IF([test "x$ax_pthread_clang" = "xyes"], ++ [ax_pthread_flags="-pthread,-lpthread -pthread"]) + +- ax_pthread_flags="-pthreads pthread -mt -pthread $ax_pthread_flags" ++ ++# The presence of a feature test macro requesting re-entrant function ++# definitions is, on some systems, a strong hint that pthreads support is ++# correctly enabled ++ ++case $host_os in ++ darwin* | hpux* | linux* | osf* | solaris*) ++ ax_pthread_check_macro="_REENTRANT" + ;; + +- darwin*) +- ax_pthread_flags="-pthread $ax_pthread_flags" ++ aix*) ++ ax_pthread_check_macro="_THREAD_SAFE" + ;; +-esac + +-# Clang doesn't consider unrecognized options an error unless we specify +-# -Werror. We throw in some extra Clang-specific options to ensure that +-# this doesn't happen for GCC, which also accepts -Werror. 
++ *) ++ ax_pthread_check_macro="--" ++ ;; ++esac ++AS_IF([test "x$ax_pthread_check_macro" = "x--"], ++ [ax_pthread_check_cond=0], ++ [ax_pthread_check_cond="!defined($ax_pthread_check_macro)"]) + +-AC_MSG_CHECKING([if compiler needs -Werror to reject unknown flags]) +-save_CFLAGS="$CFLAGS" +-ax_pthread_extra_flags="-Werror" +-CFLAGS="$CFLAGS $ax_pthread_extra_flags -Wunknown-warning-option -Wsizeof-array-argument" +-AC_COMPILE_IFELSE([AC_LANG_PROGRAM([int foo(void);],[foo()])], +- [AC_MSG_RESULT([yes])], +- [ax_pthread_extra_flags= +- AC_MSG_RESULT([no])]) +-CFLAGS="$save_CFLAGS" + +-if test x"$ax_pthread_ok" = xno; then +-for flag in $ax_pthread_flags; do ++if test "x$ax_pthread_ok" = "xno"; then ++for ax_pthread_try_flag in $ax_pthread_flags; do + +- case $flag in ++ case $ax_pthread_try_flag in + none) + AC_MSG_CHECKING([whether pthreads work without any flags]) + ;; + ++ *,*) ++ PTHREAD_CFLAGS=`echo $ax_pthread_try_flag | sed "s/^\(.*\),\(.*\)$/\1/"` ++ PTHREAD_LIBS=`echo $ax_pthread_try_flag | sed "s/^\(.*\),\(.*\)$/\2/"` ++ AC_MSG_CHECKING([whether pthreads work with "$PTHREAD_CFLAGS" and "$PTHREAD_LIBS"]) ++ ;; ++ + -*) +- AC_MSG_CHECKING([whether pthreads work with $flag]) +- PTHREAD_CFLAGS="$flag" ++ AC_MSG_CHECKING([whether pthreads work with $ax_pthread_try_flag]) ++ PTHREAD_CFLAGS="$ax_pthread_try_flag" + ;; + + pthread-config) + AC_CHECK_PROG([ax_pthread_config], [pthread-config], [yes], [no]) +- if test x"$ax_pthread_config" = xno; then continue; fi ++ AS_IF([test "x$ax_pthread_config" = "xno"], [continue]) + PTHREAD_CFLAGS="`pthread-config --cflags`" + PTHREAD_LIBS="`pthread-config --ldflags` `pthread-config --libs`" + ;; + + *) +- AC_MSG_CHECKING([for the pthreads library -l$flag]) +- PTHREAD_LIBS="-l$flag" ++ AC_MSG_CHECKING([for the pthreads library -l$ax_pthread_try_flag]) ++ PTHREAD_LIBS="-l$ax_pthread_try_flag" + ;; + esac + +- save_LIBS="$LIBS" +- save_CFLAGS="$CFLAGS" ++ ax_pthread_save_CFLAGS="$CFLAGS" ++ ax_pthread_save_LIBS="$LIBS" ++ 
CFLAGS="$CFLAGS $PTHREAD_CFLAGS" + LIBS="$PTHREAD_LIBS $LIBS" +- CFLAGS="$CFLAGS $PTHREAD_CFLAGS $ax_pthread_extra_flags" + + # Check for various functions. We must include pthread.h, + # since some functions may be macros. (On the Sequent, we +@@ -218,8 +312,18 @@ for flag in $ax_pthread_flags; do + # pthread_cleanup_push because it is one of the few pthread + # functions on Solaris that doesn't have a non-functional libc stub. + # We try pthread_create on general principles. ++ + AC_LINK_IFELSE([AC_LANG_PROGRAM([#include +- static void routine(void *a) { *((int*)a) = 0; } ++# if $ax_pthread_check_cond ++# error "$ax_pthread_check_macro must be defined" ++# endif ++ static void *some_global = NULL; ++ static void routine(void *a) ++ { ++ /* To avoid any unused-parameter or ++ unused-but-set-parameter warning. */ ++ some_global = a; ++ } + static void *start_routine(void *a) { return a; }], + [pthread_t th; pthread_attr_t attr; + pthread_create(&th, 0, start_routine, 0); +@@ -227,101 +331,187 @@ for flag in $ax_pthread_flags; do + pthread_attr_init(&attr); + pthread_cleanup_push(routine, 0); + pthread_cleanup_pop(0) /* ; */])], +- [ax_pthread_ok=yes], +- []) ++ [ax_pthread_ok=yes], ++ []) + +- LIBS="$save_LIBS" +- CFLAGS="$save_CFLAGS" ++ CFLAGS="$ax_pthread_save_CFLAGS" ++ LIBS="$ax_pthread_save_LIBS" + + AC_MSG_RESULT([$ax_pthread_ok]) +- if test "x$ax_pthread_ok" = xyes; then +- break; +- fi ++ AS_IF([test "x$ax_pthread_ok" = "xyes"], [break]) + + PTHREAD_LIBS="" + PTHREAD_CFLAGS="" + done + fi + ++ ++# Clang needs special handling, because older versions handle the -pthread ++# option in a rather... idiosyncratic way ++ ++if test "x$ax_pthread_clang" = "xyes"; then ++ ++ # Clang takes -pthread; it has never supported any other flag ++ ++ # (Note 1: This will need to be revisited if a system that Clang ++ # supports has POSIX threads in a separate library. This tends not ++ # to be the way of modern systems, but it's conceivable.) 
++ ++ # (Note 2: On some systems, notably Darwin, -pthread is not needed ++ # to get POSIX threads support; the API is always present and ++ # active. We could reasonably leave PTHREAD_CFLAGS empty. But ++ # -pthread does define _REENTRANT, and while the Darwin headers ++ # ignore this macro, third-party headers might not.) ++ ++ # However, older versions of Clang make a point of warning the user ++ # that, in an invocation where only linking and no compilation is ++ # taking place, the -pthread option has no effect ("argument unused ++ # during compilation"). They expect -pthread to be passed in only ++ # when source code is being compiled. ++ # ++ # Problem is, this is at odds with the way Automake and most other ++ # C build frameworks function, which is that the same flags used in ++ # compilation (CFLAGS) are also used in linking. Many systems ++ # supported by AX_PTHREAD require exactly this for POSIX threads ++ # support, and in fact it is often not straightforward to specify a ++ # flag that is used only in the compilation phase and not in ++ # linking. Such a scenario is extremely rare in practice. ++ # ++ # Even though use of the -pthread flag in linking would only print ++ # a warning, this can be a nuisance for well-run software projects ++ # that build with -Werror. So if the active version of Clang has ++ # this misfeature, we search for an option to squash it. 
++ ++ AC_CACHE_CHECK([whether Clang needs flag to prevent "argument unused" warning when linking with -pthread], ++ [ax_cv_PTHREAD_CLANG_NO_WARN_FLAG], ++ [ax_cv_PTHREAD_CLANG_NO_WARN_FLAG=unknown ++ # Create an alternate version of $ac_link that compiles and ++ # links in two steps (.c -> .o, .o -> exe) instead of one ++ # (.c -> exe), because the warning occurs only in the second ++ # step ++ ax_pthread_save_ac_link="$ac_link" ++ ax_pthread_sed='s/conftest\.\$ac_ext/conftest.$ac_objext/g' ++ ax_pthread_link_step=`AS_ECHO(["$ac_link"]) | sed "$ax_pthread_sed"` ++ ax_pthread_2step_ac_link="($ac_compile) && (echo ==== >&5) && ($ax_pthread_link_step)" ++ ax_pthread_save_CFLAGS="$CFLAGS" ++ for ax_pthread_try in '' -Qunused-arguments -Wno-unused-command-line-argument unknown; do ++ AS_IF([test "x$ax_pthread_try" = "xunknown"], [break]) ++ CFLAGS="-Werror -Wunknown-warning-option $ax_pthread_try -pthread $ax_pthread_save_CFLAGS" ++ ac_link="$ax_pthread_save_ac_link" ++ AC_LINK_IFELSE([AC_LANG_SOURCE([[int main(void){return 0;}]])], ++ [ac_link="$ax_pthread_2step_ac_link" ++ AC_LINK_IFELSE([AC_LANG_SOURCE([[int main(void){return 0;}]])], ++ [break]) ++ ]) ++ done ++ ac_link="$ax_pthread_save_ac_link" ++ CFLAGS="$ax_pthread_save_CFLAGS" ++ AS_IF([test "x$ax_pthread_try" = "x"], [ax_pthread_try=no]) ++ ax_cv_PTHREAD_CLANG_NO_WARN_FLAG="$ax_pthread_try" ++ ]) ++ ++ case "$ax_cv_PTHREAD_CLANG_NO_WARN_FLAG" in ++ no | unknown) ;; ++ *) PTHREAD_CFLAGS="$ax_cv_PTHREAD_CLANG_NO_WARN_FLAG $PTHREAD_CFLAGS" ;; ++ esac ++ ++fi # $ax_pthread_clang = yes ++ ++ ++ + # Various other checks: +-if test "x$ax_pthread_ok" = xyes; then +- save_LIBS="$LIBS" +- LIBS="$PTHREAD_LIBS $LIBS" +- save_CFLAGS="$CFLAGS" ++if test "x$ax_pthread_ok" = "xyes"; then ++ ax_pthread_save_CFLAGS="$CFLAGS" ++ ax_pthread_save_LIBS="$LIBS" + CFLAGS="$CFLAGS $PTHREAD_CFLAGS" ++ LIBS="$PTHREAD_LIBS $LIBS" + + # Detect AIX lossage: JOINABLE attribute is called UNDETACHED. 
+- AC_MSG_CHECKING([for joinable pthread attribute]) +- attr_name=unknown +- for attr in PTHREAD_CREATE_JOINABLE PTHREAD_CREATE_UNDETACHED; do +- AC_LINK_IFELSE([AC_LANG_PROGRAM([#include ], +- [int attr = $attr; return attr /* ; */])], +- [attr_name=$attr; break], +- []) +- done +- AC_MSG_RESULT([$attr_name]) +- if test "$attr_name" != PTHREAD_CREATE_JOINABLE; then +- AC_DEFINE_UNQUOTED([PTHREAD_CREATE_JOINABLE], [$attr_name], +- [Define to necessary symbol if this constant +- uses a non-standard name on your system.]) +- fi +- +- AC_MSG_CHECKING([if more special flags are required for pthreads]) +- flag=no +- case ${host_os} in +- aix* | freebsd* | darwin*) flag="-D_THREAD_SAFE";; +- osf* | hpux*) flag="-D_REENTRANT";; +- solaris*) +- if test "$GCC" = "yes"; then +- flag="-D_REENTRANT" +- else +- # TODO: What about Clang on Solaris? +- flag="-mt -D_REENTRANT" +- fi +- ;; +- esac +- AC_MSG_RESULT([$flag]) +- if test "x$flag" != xno; then +- PTHREAD_CFLAGS="$flag $PTHREAD_CFLAGS" +- fi ++ AC_CACHE_CHECK([for joinable pthread attribute], ++ [ax_cv_PTHREAD_JOINABLE_ATTR], ++ [ax_cv_PTHREAD_JOINABLE_ATTR=unknown ++ for ax_pthread_attr in PTHREAD_CREATE_JOINABLE PTHREAD_CREATE_UNDETACHED; do ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([#include ], ++ [int attr = $ax_pthread_attr; return attr /* ; */])], ++ [ax_cv_PTHREAD_JOINABLE_ATTR=$ax_pthread_attr; break], ++ []) ++ done ++ ]) ++ AS_IF([test "x$ax_cv_PTHREAD_JOINABLE_ATTR" != "xunknown" && \ ++ test "x$ax_cv_PTHREAD_JOINABLE_ATTR" != "xPTHREAD_CREATE_JOINABLE" && \ ++ test "x$ax_pthread_joinable_attr_defined" != "xyes"], ++ [AC_DEFINE_UNQUOTED([PTHREAD_CREATE_JOINABLE], ++ [$ax_cv_PTHREAD_JOINABLE_ATTR], ++ [Define to necessary symbol if this constant ++ uses a non-standard name on your system.]) ++ ax_pthread_joinable_attr_defined=yes ++ ]) ++ ++ AC_CACHE_CHECK([whether more special flags are required for pthreads], ++ [ax_cv_PTHREAD_SPECIAL_FLAGS], ++ [ax_cv_PTHREAD_SPECIAL_FLAGS=no ++ case $host_os in ++ solaris*) ++ 
ax_cv_PTHREAD_SPECIAL_FLAGS="-D_POSIX_PTHREAD_SEMANTICS" ++ ;; ++ esac ++ ]) ++ AS_IF([test "x$ax_cv_PTHREAD_SPECIAL_FLAGS" != "xno" && \ ++ test "x$ax_pthread_special_flags_added" != "xyes"], ++ [PTHREAD_CFLAGS="$ax_cv_PTHREAD_SPECIAL_FLAGS $PTHREAD_CFLAGS" ++ ax_pthread_special_flags_added=yes]) + + AC_CACHE_CHECK([for PTHREAD_PRIO_INHERIT], +- [ax_cv_PTHREAD_PRIO_INHERIT], [ +- AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], +- [[int i = PTHREAD_PRIO_INHERIT;]])], +- [ax_cv_PTHREAD_PRIO_INHERIT=yes], +- [ax_cv_PTHREAD_PRIO_INHERIT=no]) ++ [ax_cv_PTHREAD_PRIO_INHERIT], ++ [AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], ++ [[int i = PTHREAD_PRIO_INHERIT; ++ return i;]])], ++ [ax_cv_PTHREAD_PRIO_INHERIT=yes], ++ [ax_cv_PTHREAD_PRIO_INHERIT=no]) + ]) +- AS_IF([test "x$ax_cv_PTHREAD_PRIO_INHERIT" = "xyes"], +- [AC_DEFINE([HAVE_PTHREAD_PRIO_INHERIT], [1], [Have PTHREAD_PRIO_INHERIT.])]) ++ AS_IF([test "x$ax_cv_PTHREAD_PRIO_INHERIT" = "xyes" && \ ++ test "x$ax_pthread_prio_inherit_defined" != "xyes"], ++ [AC_DEFINE([HAVE_PTHREAD_PRIO_INHERIT], [1], [Have PTHREAD_PRIO_INHERIT.]) ++ ax_pthread_prio_inherit_defined=yes ++ ]) + +- LIBS="$save_LIBS" +- CFLAGS="$save_CFLAGS" ++ CFLAGS="$ax_pthread_save_CFLAGS" ++ LIBS="$ax_pthread_save_LIBS" + + # More AIX lossage: compile with *_r variant +- if test "x$GCC" != xyes; then ++ if test "x$GCC" != "xyes"; then + case $host_os in + aix*) + AS_CASE(["x/$CC"], +- [x*/c89|x*/c89_128|x*/c99|x*/c99_128|x*/cc|x*/cc128|x*/xlc|x*/xlc_v6|x*/xlc128|x*/xlc128_v6], +- [#handle absolute path differently from PATH based program lookup +- AS_CASE(["x$CC"], +- [x/*], +- [AS_IF([AS_EXECUTABLE_P([${CC}_r])],[PTHREAD_CC="${CC}_r"])], +- [AC_CHECK_PROGS([PTHREAD_CC],[${CC}_r],[$CC])])]) ++ [x*/c89|x*/c89_128|x*/c99|x*/c99_128|x*/cc|x*/cc128|x*/xlc|x*/xlc_v6|x*/xlc128|x*/xlc128_v6], ++ [#handle absolute path differently from PATH based program lookup ++ AS_CASE(["x$CC"], ++ [x/*], ++ [ ++ AS_IF([AS_EXECUTABLE_P([${CC}_r])],[PTHREAD_CC="${CC}_r"]) ++ 
AS_IF([test "x${CXX}" != "x"], [AS_IF([AS_EXECUTABLE_P([${CXX}_r])],[PTHREAD_CXX="${CXX}_r"])]) ++ ], ++ [ ++ AC_CHECK_PROGS([PTHREAD_CC],[${CC}_r],[$CC]) ++ AS_IF([test "x${CXX}" != "x"], [AC_CHECK_PROGS([PTHREAD_CXX],[${CXX}_r],[$CXX])]) ++ ] ++ ) ++ ]) + ;; + esac + fi + fi + + test -n "$PTHREAD_CC" || PTHREAD_CC="$CC" ++test -n "$PTHREAD_CXX" || PTHREAD_CXX="$CXX" + + AC_SUBST([PTHREAD_LIBS]) + AC_SUBST([PTHREAD_CFLAGS]) + AC_SUBST([PTHREAD_CC]) ++AC_SUBST([PTHREAD_CXX]) + + # Finally, execute ACTION-IF-FOUND/ACTION-IF-NOT-FOUND: +-if test x"$ax_pthread_ok" = xyes; then ++if test "x$ax_pthread_ok" = "xyes"; then + ifelse([$1],,[AC_DEFINE([HAVE_PTHREAD],[1],[Define if you have POSIX threads libraries and header files.])],[$1]) + : + else +diff --git a/unbound-1.19.3/configure.ac b/unbound-1.19.3/configure.ac +index e0dedbe..34f2da7 100644 +--- a/unbound-1.19.3/configure.ac ++++ b/unbound-1.19.3/configure.ac +@@ -4,7 +4,7 @@ AC_PREREQ([2.56]) + sinclude(acx_nlnetlabs.m4) + sinclude(ax_pthread.m4) + sinclude(acx_python.m4) +-sinclude(ac_pkg_swig.m4) ++sinclude(ax_pkg_swig.m4) + sinclude(dnstap/dnstap.m4) + sinclude(dnscrypt/dnscrypt.m4) + +@@ -795,9 +795,9 @@ if test x_$ub_test_python != x_no; then + ub_have_swig=no + AC_ARG_ENABLE(swig-version-check, AS_HELP_STRING([--disable-swig-version-check],[Disable swig version check to build python modules with older swig even though that is unreliable])) + if test "$enable_swig_version_check" = "yes"; then +- AC_PROG_SWIG(2.0.1) ++ AX_PKG_SWIG(2.0.1) + else +- AC_PROG_SWIG ++ AX_PKG_SWIG + fi + AC_MSG_CHECKING(SWIG) + if test ! -x "$SWIG"; then +-- +2.44.0 + diff --git a/unbound.spec b/unbound.spec index c44dc7d..f9ae8ba 100644 --- a/unbound.spec +++ b/unbound.spec 
@@ -57,6 +57,8 @@ Source20: unbound.sysusers # Downstream configuration changes Patch1: unbound-fedora-config.patch +# https://github.com/NLnetLabs/unbound/pull/1048 +Patch2: unbound-1.19-autoconf-m4.patch BuildRequires: gcc, make BuildRequires: flex, openssl-devel @@ -243,10 +245,8 @@ pushd %{dir_primary} # always regenerate configure rm -f config.h.in aclocal.m4 configure ltmain.sh -rm -f ax_pthread.m4 +rm -f {ax_pthread,ax_swig_python}.m4 cp -p %{_datadir}/aclocal/{ax_pthread,ax_swig_python}.m4 . -# TODO: use ax_swig_python.m4 from autoconf-archive too -# https://github.com/NLnetLabs/unbound/pull/1048 autoreconf -fiv %configure \ From f119256acc028e42cfed0ce156f51b8d57d46113 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Mon, 15 Apr 2024 14:07:51 +0200 Subject: [PATCH 082/139] Correct python3.12 warning Python since 3.12 prints warning about Py_NoSiteFlag is deprecated. It seems that variable is not needed since Python 3.8, since it sets in such cases directly config.site_import variable few moments later. Move using deprecated variable to versions before that flag in config could be used only. --- unbound-1.19-python3.12-Py_NoSiteFlag.patch | 48 +++++++++++++++++++++ unbound.spec | 2 + 2 files changed, 50 insertions(+) create mode 100644 unbound-1.19-python3.12-Py_NoSiteFlag.patch diff --git a/unbound-1.19-python3.12-Py_NoSiteFlag.patch b/unbound-1.19-python3.12-Py_NoSiteFlag.patch new file mode 100644 index 0000000..8d7125c --- /dev/null +++ b/unbound-1.19-python3.12-Py_NoSiteFlag.patch 
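Review bot: The `rm -f {ax_pthread,ax_swig_python}.m4` / `cp -p` pair in the second hunk covers ax_swig_python.m4 but not ax_pkg_swig.m4, which the patched configure.ac now reads via `sinclude(ax_pkg_swig.m4)` while the patch itself only deletes ac_pkg_swig.m4 (its diffstat lists no added m4 file). Because sinclude silently ignores a missing file, AX_PKG_SWIG is resolved, if at all, from the system autoconf-archive during autoreconf; that works with the `BuildRequires: autoconf-archive` visible later in this series, but it is an implicit dependency that the removed TODO no longer documents. For consistency either copy it with the others, `rm -f {ax_pthread,ax_pkg_swig,ax_swig_python}.m4` and `cp -p %{_datadir}/aclocal/{ax_pthread,ax_pkg_swig,ax_swig_python}.m4 .`, or leave a one-line comment stating that AX_PKG_SWIG is taken from autoconf-archive. Regenerating configure from distro-owned m4 copies rather than the tarball's is the right direction for build reproducibility.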
@@ -0,0 +1,48 @@ +From 4d66057470cd5c5533cb39b4e049c3ae48044090 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Mon, 15 Apr 2024 13:43:58 +0200 +Subject: [PATCH] Py_NoSiteFlag is not needed since Python 3.8 + +Python since 3.12 prints warning about Py_NoSiteFlag is deprecated. It +seems that variable is not needed since Python 3.8, since it sets in +such cases directly config.site_import variable few moments later. +Move using deprecated variable to versions before that flag in config +could be used only. + +This should fix warning like: + +pythonmod/pythonmod.c: In function 'pythonmod_init': +pythonmod/pythonmod.c:359:7: warning: 'Py_NoSiteFlag' is deprecated [-Wdeprecated-declarations] + 359 | Py_NoSiteFlag = 1; + | ^~~~~~~~~~~~~ +In file included from /usr/include/python3.12/Python.h:48, + from pythonmod/pythonmod.c:54: +/usr/include/python3.12/cpython/pydebug.h:14:37: note: declared here + 14 | Py_DEPRECATED(3.12) PyAPI_DATA(int) Py_NoSiteFlag; + | ^~~~~~~~~~~~~ + +https://docs.python.org/3/c-api/init.html#c.Py_NoSiteFlag +--- + unbound-1.19.3/pythonmod/pythonmod.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/unbound-1.19.3/pythonmod/pythonmod.c b/unbound-1.19.3/pythonmod/pythonmod.c +index c6294a1..b8f2d62 100644 +--- a/unbound-1.19.3/pythonmod/pythonmod.c ++++ b/unbound-1.19.3/pythonmod/pythonmod.c +@@ -356,11 +356,11 @@ int pythonmod_init(struct module_env* env, int id) + return 0; + } + #endif +- Py_NoSiteFlag = 1; + #if PY_MAJOR_VERSION >= 3 + PyImport_AppendInittab(SWIG_name, (void*)SWIG_init); + #endif + #if PY_VERSION_HEX < 0x03080000 ++ Py_NoSiteFlag = 1; + Py_Initialize(); + #else + PyConfig_InitPythonConfig(&config); +-- +2.44.0 + diff --git a/unbound.spec b/unbound.spec index f9ae8ba..4068f83 100644 --- a/unbound.spec +++ b/unbound.spec 
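Review bot: Moving `Py_NoSiteFlag = 1;` under `#if PY_VERSION_HEX < 0x03080000` leaves the `#else` (PyConfig) branch without a visible replacement in this hunk; the commit message says config.site_import is set "a few moments later", but that line is outside the hunk and pythonmod_init continues past it, so please confirm the PyConfig path really sets `config.site_import = 0;` before initialization. If it does not, Python >= 3.8 would silently begin importing site, changing which modules the embedded interpreter loads from the filesystem when the daemon starts. A short comment above the `#if`, e.g. `/* Py_NoSiteFlag is deprecated since 3.12; >= 3.8 disables site via config.site_import */`, would record why the flag is only set on the legacy path.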
@@ -59,6 +59,8 @@ Source20: unbound.sysusers Patch1: unbound-fedora-config.patch # https://github.com/NLnetLabs/unbound/pull/1048 Patch2: unbound-1.19-autoconf-m4.patch +# https://github.com/NLnetLabs/unbound/pull/1049 +Patch3: unbound-1.19-python3.12-Py_NoSiteFlag.patch BuildRequires: gcc, make BuildRequires: flex, openssl-devel From 081ff5cf5781eb2c603c7ecffa7fa6611829c7b7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Mon, 15 Apr 2024 15:20:42 +0200 Subject: [PATCH 083/139] Always regenerate config parser Do not rely on pregenerated parser provided by upstream. Delete it and generate its own. --- unbound.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/unbound.spec b/unbound.spec index 4068f83..69aedca 100644 --- a/unbound.spec +++ b/unbound.spec @@ -63,14 +63,15 @@ Patch2: unbound-1.19-autoconf-m4.patch Patch3: unbound-1.19-python3.12-Py_NoSiteFlag.patch BuildRequires: gcc, make -BuildRequires: flex, openssl-devel +BuildRequires: openssl-devel BuildRequires: libevent-devel expat-devel BuildRequires: pkgconfig # Required for configure regeneration -BuildRequires: bison BuildRequires: automake autoconf libtool BuildRequires: autoconf-archive +# Regenerate config parser too +BuildRequires: bison flex byacc %if 0%{?fedora} BuildRequires: gnupg2 @@ -249,6 +250,8 @@ pushd %{dir_primary} rm -f config.h.in aclocal.m4 configure ltmain.sh rm -f {ax_pthread,ax_swig_python}.m4 cp -p %{_datadir}/aclocal/{ax_pthread,ax_swig_python}.m4 . +# ensure bison is used to generate fresh parser +rm -f util/configparser.{c,h} util/configlexer.c autoreconf -fiv %configure \ From 10fcecddd62f15ec4b0dd13fffae780a67a34895 Mon Sep 17 00:00:00 2001 
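Review bot: The comment `# ensure bison is used to generate fresh parser` in the second hunk does not quite match the first hunk, which requires `bison flex byacc` together; with both installed the choice falls to configure's yacc probe (AC_PROG_YACC tries bison first, as far as I recall), so byacc is either dead weight or an intended fallback, and the comment should say which: `# Regenerate config parser too (configure prefers bison; byacc is a fallback)`. Deleting the pregenerated util/configparser.{c,h} and util/configlexer.c so they are rebuilt from the grammar in the build root is a sound supply-chain measure, since generated sources shipped in a tarball cannot be reviewed against their grammar. The removal runs before `autoreconf -fiv`, which is fine as long as the generator is only invoked by make after %configure.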
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Mon, 15 Apr 2024 15:48:38 +0200 Subject: [PATCH 084/139] Prevent executable bit on configuration files Do not rely on packaging safeguards to reset executable bits. Removes warning after install phase. --- unbound.spec | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/unbound.spec b/unbound.spec index 69aedca..238cbac 100644 --- a/unbound.spec +++ b/unbound.spec @@ -311,7 +311,7 @@ popd pushd %{dir_primary} %make_install unbound-event-install install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp -install -p -m 0755 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf +install -p -m 0644 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf popd install -d -m 0755 %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig @@ -370,9 +370,9 @@ mkdir -p %{buildroot}%{_rundir}/unbound # Install directories for easier config file drop in mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d} -install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/ -install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/ -install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/ +install -p -m 0644 %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/ +install -p -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/ +install -p -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/ # Link unbound-control-setup.8 manpage to unbound-control.8 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8 From 96134e75821b6242562c68acb59620bd8e186cb1 Mon Sep 17 00:00:00 2001 
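Review bot: The `-m 0644` additions are correct, but the effective mode of unbound.conf and of the keys.d/conf.d/local.d drop-ins is ultimately decided by %attr/%defattr in the %files section, which lies outside both hunks, so the fix should be checked there as well rather than relying on the install step alone. A world-readable 0644 unbound.conf is only appropriate as long as no secret is embedded in the configuration itself; the remote-control key material is expected to live in separate files, which this diff does not show. A comment such as `# config files must not be executable (rpmbuild warns otherwise)` above the first install line would preserve the reason given in the commit message.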
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Mon, 11 Mar 2024 10:33:46 +0100 Subject: [PATCH 085/139] Ensure group access correction reaches also updated configs If the user has already modified configuration file unbound.conf, our change of defaults would not affect them. Let's move the change to extra file, which will be applied even when main config file were not modified. Resolves: CVE-2024-1488 --- remote-control.conf | 9 +++++++++ unbound-fedora-config.patch | 2 +- unbound.spec | 2 ++ 3 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 remote-control.conf diff --git a/remote-control.conf b/remote-control.conf new file mode 100644 index 0000000..4561a63 --- /dev/null +++ b/remote-control.conf @@ -0,0 +1,9 @@ +# Remote control config section update. +# Previous defaults allowed any process to change settings, CVE-2023-1488 +remote-control: + # set to an absolute path to use a unix local name pipe, certificates + # are not used for that, so key and cert files need not be present. + control-interface: "/run/unbound/control" + + # For local sockets this option is ignored, and TLS is not used. + control-use-cert: "yes" diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch index 0aeb6cb..f350be8 100644 --- a/unbound-fedora-config.patch +++ b/unbound-fedora-config.patch @@ -421,7 +421,7 @@ index d791cf8..af163b2 100644 # are not used for that, so key and cert files need not be present. # control-interface: 127.0.0.1 # control-interface: ::1 -+ control-interface: "/run/unbound/control" ++ # moved to /etc/unbound/conf.d/remote-control.conf # port number for remote control operations. # control-port: 8953 diff --git a/unbound.spec b/unbound.spec index 238cbac..40bfc39 100644 --- a/unbound.spec +++ b/unbound.spec 
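Review bot: The second line of the new remote-control.conf cites `CVE-2023-1488` while the commit trailer says `Resolves: CVE-2024-1488`; one of the two is wrong, and the comment is what administrators will read in /etc/unbound/conf.d, so if the trailer is right it should read `# Previous defaults allowed any process to change settings, CVE-2024-1488`. Note also that, as far as I know, `control-interface` accumulates rather than replaces: the drop-in adds the unix socket but does not remove a `control-interface: 127.0.0.1` that a user uncommented in their own unbound.conf, so the commit's goal of reaching modified configs holds for the defaults only. The unbound-fedora-config.patch hunk that replaces the active `control-interface` line with `# moved to /etc/unbound/conf.d/remote-control.conf` relies on the main config including conf.d/*.conf, which is not visible in this diff and should be confirmed.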
@@ -54,6 +54,7 @@ Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_vers
 # source: https://nlnetlabs.nl/people/
 Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
 Source20: unbound.sysusers
+Source21: remote-control.conf
 # Downstream configuration changes
 Patch1: unbound-fedora-config.patch
@@ -373,6 +374,7 @@ mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d}
 install -p -m 0644 %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
 install -p -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
 install -p -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
+install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/
 # Link unbound-control-setup.8 manpage to unbound-control.8
 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
From 09e446c1982cd4277ea36cf7767c506f651d75d1 Mon Sep 17 00:00:00 2001
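Review bot: The new drop-in is installed into conf.d by the second hunk, but whether it is packaged, and with which %config flag, is decided in the %files section outside these hunks. Since this file carries a CVE mitigation it should be listed explicitly, and the choice between `%config` and `%config(noreplace)` matters: with noreplace a locally edited copy is kept and a later correction to the file would not reach that host. A comment next to the install line would make the reason for the extra drop-in visible in the spec, e.g. `# CVE-2024-1488: remote-control hardening applied even when unbound.conf was modified locally`.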
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Fri, 10 May 2024 15:37:36 +0200 Subject: [PATCH 086/139] Update to 1.20.0 Features: The config for discard-timeout, wait-limit, wait-limit-cookie, wait-limit-netblock and wait-limit-cookie-netblock was added, for the fix to the DNSBomb issue. Merge #1027: Introduce 'cache-min-negative-ttl' option. Merge #1043 from xiaoxiaoafeifei: Add loongarch support; updates config.guess(2024-01-01) and config.sub(2024-01-01), verified with upstream. Implement cachedb-check-when-serve-expired: yes option, default is enabled. When serve expired is enabled with cachedb, it first checks cachedb before serving the expired response. Fix #876: [FR] can unbound-checkconf be silenced when configuration is valid? And bug fixes. https://nlnetlabs.nl/projects/unbound/download/#unbound-1-20-0 Resolves: CVE-2024-33655 --- .gitignore | 2 + sources | 4 +- unbound-1.19-autoconf-m4.patch | 792 -------------------- unbound-1.19-python3.12-Py_NoSiteFlag.patch | 48 -- unbound-fedora-config.patch | 78 +- unbound.spec | 13 +- 6 files changed, 49 insertions(+), 888 deletions(-) delete mode 100644 unbound-1.19-autoconf-m4.patch delete mode 100644 unbound-1.19-python3.12-Py_NoSiteFlag.patch diff --git a/.gitignore b/.gitignore index dde18f4..2ad282d 100644 --- a/.gitignore +++ b/.gitignore @@ -87,3 +87,5 @@ unbound-1.4.5.tar.gz /unbound-1.19.1.tar.gz.asc /unbound-1.19.3.tar.gz /unbound-1.19.3.tar.gz.asc +/unbound-1.20.0.tar.gz +/unbound-1.20.0.tar.gz.asc diff --git a/sources b/sources index eea1e9c..5a055a7 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@
-SHA512 (unbound-1.19.3.tar.gz) = f860614f090a5a081cceff8ca7f4b3d416c00a251ae14ceb6b4159dc8cd022f025592074d3d78aee2f86c3eeae9d1a314713e4740aa91062579143199accd159
-SHA512 (unbound-1.19.3.tar.gz.asc) = 1b6437d7ac4394ab7d6eb0d12f22b39538152f9c88175a5368263059950b8e6b093fa5392d1ff37874effef7a422afa9c690f766802208979a99500a4bea5906
+SHA512 (unbound-1.20.0.tar.gz) = 2f6bc76c03b71ca1c2cd2331dc72d62f51493d15e17c59af46b400e542fcabff22e6b9d33f750a3e5f918a0116f45afa760651b2d5aa2feadac151cbbd71b0bd
+SHA512 (unbound-1.20.0.tar.gz.asc) = 1586a320077c606c5c19f251615df54a61854f51acca02df1d391dcc2287aff2c641b009aeee1a98392f63719d70b6bac23ebb7d86b780f8a27cda6e114fc0ad
diff --git a/unbound-1.19-autoconf-m4.patch b/unbound-1.19-autoconf-m4.patch
deleted file mode 100644
index b014cb2..0000000
--- a/unbound-1.19-autoconf-m4.patch
+++ /dev/null
@@ -1,792 +0,0 @@ -From 926b5dadfb1f1454bd0e54dd195018d11c223c34 Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Mon, 15 Apr 2024 11:30:19 +0200 -Subject: [PATCH] Update ax_pkg_swig.m4 and ax_pthread.m4 - -Use vanilla m4 files with known source. Prepared for possible removal at -build time if the system already has autoconf-archive source present. -Switch to AX_PKG_SWIG macro for versioned or unversioned swig detection. ---- - unbound-1.19.3/ac_pkg_swig.m4 | 133 ---------- - unbound-1.19.3/ax_pthread.m4 | 444 ++++++++++++++++++++++++---------- - unbound-1.19.3/configure.ac | 6 +- - 3 files changed, 320 insertions(+), 263 deletions(-) - delete mode 100644 unbound-1.19.3/ac_pkg_swig.m4 - -diff --git a/unbound-1.19.3/ac_pkg_swig.m4 b/unbound-1.19.3/ac_pkg_swig.m4 -deleted file mode 100644 -index 87f99fb..0000000 ---- a/unbound-1.19.3/ac_pkg_swig.m4 -+++ /dev/null -@@ -1,133 +0,0 @@ --# =========================================================================== --# http://autoconf-archive.cryp.to/ac_pkg_swig.html --# =========================================================================== --# --# SYNOPSIS --# --# AC_PROG_SWIG([major.minor.micro]) --# --# DESCRIPTION --# --# This macro searches for a SWIG installation on your system. If found you --# should call SWIG via $(SWIG). You can use the optional first argument to --# check if the version of the available SWIG is greater than or equal to --# the value of the argument. It should have the format: N[.N[.N]] (N is a --# number between 0 and 999. Only the first N is mandatory.) --# --# If the version argument is given (e.g. 1.3.17), AC_PROG_SWIG checks that --# the swig package is this version number or higher. --# --# In configure.in, use as: --# --# AC_PROG_SWIG(1.3.17) --# SWIG_ENABLE_CXX --# SWIG_MULTI_MODULE_SUPPORT --# SWIG_PYTHON --# --# LAST MODIFICATION --# --# 2008-04-12 --# --# COPYLEFT --# --# Copyright (c) 2008 Sebastian Huber --# Copyright (c) 2008 Alan W. 
Irwin --# Copyright (c) 2008 Rafael Laboissiere --# Copyright (c) 2008 Andrew Collier --# --# This program is free software; you can redistribute it and/or modify it --# under the terms of the GNU General Public License as published by the --# Free Software Foundation; either version 2 of the License, or (at your --# option) any later version. --# --# This program is distributed in the hope that it will be useful, but --# WITHOUT ANY WARRANTY; without even the implied warranty of --# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General --# Public License for more details. --# --# You should have received a copy of the GNU General Public License along --# with this program. If not, see . --# --# As a special exception, the respective Autoconf Macro's copyright owner --# gives unlimited permission to copy, distribute and modify the configure --# scripts that are the output of Autoconf when processing the Macro. You --# need not follow the terms of the GNU General Public License when using --# or distributing such scripts, even though portions of the text of the --# Macro appear in them. The GNU General Public License (GPL) does govern --# all other use of the material that constitutes the Autoconf Macro. --# --# This special exception to the GPL applies to versions of the Autoconf --# Macro released by the Autoconf Macro Archive. When you make and --# distribute a modified version of the Autoconf Macro, you may extend this --# special exception to the GPL to apply to your modified version as well. -- --AC_DEFUN([AC_PROG_SWIG],[ -- AC_PATH_PROG([SWIG],[swig]) -- if test -z "$SWIG" ; then -- AC_MSG_WARN([cannot find 'swig' program. You should look at http://www.swig.org]) -- SWIG='echo "Error: SWIG is not installed. 
You should look at http://www.swig.org" ; false' -- elif test -n "$1" ; then -- AC_MSG_CHECKING([for SWIG version]) -- [swig_version=`$SWIG -version 2>&1 | grep 'SWIG Version' | sed 's/.*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/g'`] -- AC_MSG_RESULT([$swig_version]) -- if test -n "$swig_version" ; then -- # Calculate the required version number components -- [required=$1] -- [required_major=`echo $required | sed 's/[^0-9].*//'`] -- if test -z "$required_major" ; then -- [required_major=0] -- fi -- [required=`echo $required | sed 's/[0-9]*[^0-9]//'`] -- [required_minor=`echo $required | sed 's/[^0-9].*//'`] -- if test -z "$required_minor" ; then -- [required_minor=0] -- fi -- [required=`echo $required | sed 's/[0-9]*[^0-9]//'`] -- [required_patch=`echo $required | sed 's/[^0-9].*//'`] -- if test -z "$required_patch" ; then -- [required_patch=0] -- fi -- # Calculate the available version number components -- [available=$swig_version] -- [available_major=`echo $available | sed 's/[^0-9].*//'`] -- if test -z "$available_major" ; then -- [available_major=0] -- fi -- [available=`echo $available | sed 's/[0-9]*[^0-9]//'`] -- [available_minor=`echo $available | sed 's/[^0-9].*//'`] -- if test -z "$available_minor" ; then -- [available_minor=0] -- fi -- [available=`echo $available | sed 's/[0-9]*[^0-9]//'`] -- [available_patch=`echo $available | sed 's/[^0-9].*//'`] -- if test -z "$available_patch" ; then -- [available_patch=0] -- fi -- [badversion=0] -- if test $available_major -lt $required_major ; then -- [badversion=1] -- fi -- if test $available_major -eq $required_major \ -- -a $available_minor -lt $required_minor ; then -- [badversion=1] -- fi -- if test $available_major -eq $required_major \ -- -a $available_minor -eq $required_minor \ -- -a $available_patch -lt $required_patch ; then -- [badversion=1] -- fi -- if test $badversion -eq 1 ; then -- AC_MSG_WARN([SWIG version >= $1 is required. You have $swig_version. 
You should look at http://www.swig.org]) -- SWIG='echo "Error: SWIG version >= $1 is required. You have '"$swig_version"'. You should look at http://www.swig.org" ; false' -- else -- AC_MSG_NOTICE([SWIG executable is '$SWIG']) -- SWIG_LIB=`$SWIG -swiglib` -- AC_MSG_NOTICE([SWIG library directory is '$SWIG_LIB']) -- fi -- else -- AC_MSG_WARN([cannot determine SWIG version]) -- SWIG='echo "Error: Cannot determine SWIG version. You should look at http://www.swig.org" ; false' -- fi -- fi -- AC_SUBST([SWIG_LIB]) --]) -diff --git a/unbound-1.19.3/ax_pthread.m4 b/unbound-1.19.3/ax_pthread.m4 -index ff7d2a6..9f35d13 100644 ---- a/unbound-1.19.3/ax_pthread.m4 -+++ b/unbound-1.19.3/ax_pthread.m4 -@@ -1,5 +1,5 @@ - # =========================================================================== --# http://www.gnu.org/software/autoconf-archive/ax_pthread.html -+# https://www.gnu.org/software/autoconf-archive/ax_pthread.html - # =========================================================================== - # - # SYNOPSIS -@@ -14,24 +14,28 @@ - # flags that are needed. (The user can also force certain compiler - # flags/libs to be tested by setting these environment variables.) - # --# Also sets PTHREAD_CC to any special C compiler that is needed for --# multi-threaded programs (defaults to the value of CC otherwise). (This --# is necessary on AIX to use the special cc_r compiler alias.) -+# Also sets PTHREAD_CC and PTHREAD_CXX to any special C compiler that is -+# needed for multi-threaded programs (defaults to the value of CC -+# respectively CXX otherwise). (This is necessary on e.g. AIX to use the -+# special cc_r/CC_r compiler alias.) - # - # NOTE: You are assumed to not only compile your program with these flags, --# but also link it with them as well. e.g. you should link with -+# but also to link with them as well. For example, you might link with - # $PTHREAD_CC $CFLAGS $PTHREAD_CFLAGS $LDFLAGS ... $PTHREAD_LIBS $LIBS -+# $PTHREAD_CXX $CXXFLAGS $PTHREAD_CFLAGS $LDFLAGS ... 
$PTHREAD_LIBS $LIBS - # --# If you are only building threads programs, you may wish to use these -+# If you are only building threaded programs, you may wish to use these - # variables in your default LIBS, CFLAGS, and CC: - # - # LIBS="$PTHREAD_LIBS $LIBS" - # CFLAGS="$CFLAGS $PTHREAD_CFLAGS" -+# CXXFLAGS="$CXXFLAGS $PTHREAD_CFLAGS" - # CC="$PTHREAD_CC" -+# CXX="$PTHREAD_CXX" - # - # In addition, if the PTHREAD_CREATE_JOINABLE thread-attribute constant --# has a nonstandard name, defines PTHREAD_CREATE_JOINABLE to that name --# (e.g. PTHREAD_CREATE_UNDETACHED on AIX). -+# has a nonstandard name, this macro defines PTHREAD_CREATE_JOINABLE to -+# that name (e.g. PTHREAD_CREATE_UNDETACHED on AIX). - # - # Also HAVE_PTHREAD_PRIO_INHERIT is defined if pthread is found and the - # PTHREAD_PRIO_INHERIT symbol is defined when compiling with -@@ -55,6 +59,7 @@ - # - # Copyright (c) 2008 Steven G. Johnson - # Copyright (c) 2011 Daniel Richard G. -+# Copyright (c) 2019 Marc Stevens - # - # This program is free software: you can redistribute it and/or modify it - # under the terms of the GNU General Public License as published by the -@@ -67,7 +72,7 @@ - # Public License for more details. - # - # You should have received a copy of the GNU General Public License along --# with this program. If not, see . -+# with this program. If not, see . - # - # As a special exception, the respective Autoconf Macro's copyright owner - # gives unlimited permission to copy, distribute and modify the configure -@@ -82,35 +87,41 @@ - # modified version of the Autoconf Macro, you may extend this special - # exception to the GPL to apply to your modified version as well. 
- --#serial 21 -+#serial 31 - - AU_ALIAS([ACX_PTHREAD], [AX_PTHREAD]) - AC_DEFUN([AX_PTHREAD], [ - AC_REQUIRE([AC_CANONICAL_HOST]) -+AC_REQUIRE([AC_PROG_CC]) -+AC_REQUIRE([AC_PROG_SED]) - AC_LANG_PUSH([C]) - ax_pthread_ok=no - - # We used to check for pthread.h first, but this fails if pthread.h --# requires special compiler flags (e.g. on True64 or Sequent). -+# requires special compiler flags (e.g. on Tru64 or Sequent). - # It gets checked for in the link test anyway. - - # First of all, check if the user has set any of the PTHREAD_LIBS, - # etcetera environment variables, and if threads linking works using - # them: --if test x"$PTHREAD_LIBS$PTHREAD_CFLAGS" != x; then -- save_CFLAGS="$CFLAGS" -+if test "x$PTHREAD_CFLAGS$PTHREAD_LIBS" != "x"; then -+ ax_pthread_save_CC="$CC" -+ ax_pthread_save_CFLAGS="$CFLAGS" -+ ax_pthread_save_LIBS="$LIBS" -+ AS_IF([test "x$PTHREAD_CC" != "x"], [CC="$PTHREAD_CC"]) -+ AS_IF([test "x$PTHREAD_CXX" != "x"], [CXX="$PTHREAD_CXX"]) - CFLAGS="$CFLAGS $PTHREAD_CFLAGS" -- save_LIBS="$LIBS" - LIBS="$PTHREAD_LIBS $LIBS" -- AC_MSG_CHECKING([for pthread_join in LIBS=$PTHREAD_LIBS with CFLAGS=$PTHREAD_CFLAGS]) -- AC_TRY_LINK_FUNC([pthread_join], [ax_pthread_ok=yes]) -+ AC_MSG_CHECKING([for pthread_join using $CC $PTHREAD_CFLAGS $PTHREAD_LIBS]) -+ AC_LINK_IFELSE([AC_LANG_CALL([], [pthread_join])], [ax_pthread_ok=yes]) - AC_MSG_RESULT([$ax_pthread_ok]) -- if test x"$ax_pthread_ok" = xno; then -+ if test "x$ax_pthread_ok" = "xno"; then - PTHREAD_LIBS="" - PTHREAD_CFLAGS="" - fi -- LIBS="$save_LIBS" -- CFLAGS="$save_CFLAGS" -+ CC="$ax_pthread_save_CC" -+ CFLAGS="$ax_pthread_save_CFLAGS" -+ LIBS="$ax_pthread_save_LIBS" - fi - - # We must check for the threads library under a number of different -@@ -118,12 +129,14 @@ fi - # (e.g. DEC) have both -lpthread and -lpthreads, where one of the - # libraries is broken (non-POSIX). - --# Create a list of thread flags to try. 
Items starting with a "-" are --# C compiler flags, and other items are library names, except for "none" --# which indicates that we try without any flags at all, and "pthread-config" --# which is a program returning the flags for the Pth emulation library. -+# Create a list of thread flags to try. Items with a "," contain both -+# C compiler flags (before ",") and linker flags (after ","). Other items -+# starting with a "-" are C compiler flags, and remaining items are -+# library names, except for "none" which indicates that we try without -+# any flags at all, and "pthread-config" which is a program returning -+# the flags for the Pth emulation library. - --ax_pthread_flags="pthreads none -Kthread -kthread lthread -pthread -pthreads -mthreads pthread --thread-safe -mt pthread-config" -+ax_pthread_flags="pthreads none -Kthread -pthread -pthreads -mthreads pthread --thread-safe -mt pthread-config" - - # The ordering *is* (sometimes) important. Some notes on the - # individual items follow: -@@ -132,82 +145,163 @@ ax_pthread_flags="pthreads none -Kthread -kthread lthread -pthread -pthreads -mt - # none: in case threads are in libc; should be tried before -Kthread and - # other compiler flags to prevent continual compiler warnings - # -Kthread: Sequent (threads in libc, but -Kthread needed for pthread.h) --# -kthread: FreeBSD kernel threads (preferred to -pthread since SMP-able) --# lthread: LinuxThreads port on FreeBSD (also preferred to -pthread) --# -pthread: Linux/gcc (kernel threads), BSD/gcc (userland threads) --# -pthreads: Solaris/gcc --# -mthreads: Mingw32/gcc, Lynx/gcc -+# -pthread: Linux/gcc (kernel threads), BSD/gcc (userland threads), Tru64 -+# (Note: HP C rejects this with "bad form for `-t' option") -+# -pthreads: Solaris/gcc (Note: HP C also rejects) - # -mt: Sun Workshop C (may only link SunOS threads [-lthread], but it --# doesn't hurt to check since this sometimes defines pthreads too; --# also defines -D_REENTRANT) --# ... 
-mt is also the pthreads flag for HP/aCC -+# doesn't hurt to check since this sometimes defines pthreads and -+# -D_REENTRANT too), HP C (must be checked before -lpthread, which -+# is present but should not be used directly; and before -mthreads, -+# because the compiler interprets this as "-mt" + "-hreads") -+# -mthreads: Mingw32/gcc, Lynx/gcc - # pthread: Linux, etcetera - # --thread-safe: KAI C++ - # pthread-config: use pthread-config program (for GNU Pth library) - --case ${host_os} in -+case $host_os in -+ -+ freebsd*) -+ -+ # -kthread: FreeBSD kernel threads (preferred to -pthread since SMP-able) -+ # lthread: LinuxThreads port on FreeBSD (also preferred to -pthread) -+ -+ ax_pthread_flags="-kthread lthread $ax_pthread_flags" -+ ;; -+ -+ hpux*) -+ -+ # From the cc(1) man page: "[-mt] Sets various -D flags to enable -+ # multi-threading and also sets -lpthread." -+ -+ ax_pthread_flags="-mt -pthread pthread $ax_pthread_flags" -+ ;; -+ -+ openedition*) -+ -+ # IBM z/OS requires a feature-test macro to be defined in order to -+ # enable POSIX threads at all, so give the user a hint if this is -+ # not set. (We don't define these ourselves, as they can affect -+ # other portions of the system API in unpredictable ways.) -+ -+ AC_EGREP_CPP([AX_PTHREAD_ZOS_MISSING], -+ [ -+# if !defined(_OPEN_THREADS) && !defined(_UNIX03_THREADS) -+ AX_PTHREAD_ZOS_MISSING -+# endif -+ ], -+ [AC_MSG_WARN([IBM z/OS requires -D_OPEN_THREADS or -D_UNIX03_THREADS to enable pthreads support.])]) -+ ;; -+ - solaris*) - - # On Solaris (at least, for some versions), libc contains stubbed - # (non-functional) versions of the pthreads routines, so link-based -- # tests will erroneously succeed. (We need to link with -pthreads/-mt/ -- # -lpthread.) (The stubs are missing pthread_cleanup_push, or rather -- # a function called by this macro, so we could check for that, but -- # who knows whether they'll stub that too in a future libc.) 
So, -- # we'll just look for -pthreads and -lpthread first: -+ # tests will erroneously succeed. (N.B.: The stubs are missing -+ # pthread_cleanup_push, or rather a function called by this macro, -+ # so we could check for that, but who knows whether they'll stub -+ # that too in a future libc.) So we'll check first for the -+ # standard Solaris way of linking pthreads (-mt -lpthread). -+ -+ ax_pthread_flags="-mt,-lpthread pthread $ax_pthread_flags" -+ ;; -+esac -+ -+# Are we compiling with Clang? -+ -+AC_CACHE_CHECK([whether $CC is Clang], -+ [ax_cv_PTHREAD_CLANG], -+ [ax_cv_PTHREAD_CLANG=no -+ # Note that Autoconf sets GCC=yes for Clang as well as GCC -+ if test "x$GCC" = "xyes"; then -+ AC_EGREP_CPP([AX_PTHREAD_CC_IS_CLANG], -+ [/* Note: Clang 2.7 lacks __clang_[a-z]+__ */ -+# if defined(__clang__) && defined(__llvm__) -+ AX_PTHREAD_CC_IS_CLANG -+# endif -+ ], -+ [ax_cv_PTHREAD_CLANG=yes]) -+ fi -+ ]) -+ax_pthread_clang="$ax_cv_PTHREAD_CLANG" -+ -+ -+# GCC generally uses -pthread, or -pthreads on some platforms (e.g. SPARC) -+ -+# Note that for GCC and Clang -pthread generally implies -lpthread, -+# except when -nostdlib is passed. 
-+# This is problematic using libtool to build C++ shared libraries with pthread: -+# [1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=25460 -+# [2] https://bugzilla.redhat.com/show_bug.cgi?id=661333 -+# [3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=468555 -+# To solve this, first try -pthread together with -lpthread for GCC -+ -+AS_IF([test "x$GCC" = "xyes"], -+ [ax_pthread_flags="-pthread,-lpthread -pthread -pthreads $ax_pthread_flags"]) -+ -+# Clang takes -pthread (never supported any other flag), but we'll try with -lpthread first -+ -+AS_IF([test "x$ax_pthread_clang" = "xyes"], -+ [ax_pthread_flags="-pthread,-lpthread -pthread"]) - -- ax_pthread_flags="-pthreads pthread -mt -pthread $ax_pthread_flags" -+ -+# The presence of a feature test macro requesting re-entrant function -+# definitions is, on some systems, a strong hint that pthreads support is -+# correctly enabled -+ -+case $host_os in -+ darwin* | hpux* | linux* | osf* | solaris*) -+ ax_pthread_check_macro="_REENTRANT" - ;; - -- darwin*) -- ax_pthread_flags="-pthread $ax_pthread_flags" -+ aix*) -+ ax_pthread_check_macro="_THREAD_SAFE" - ;; --esac - --# Clang doesn't consider unrecognized options an error unless we specify --# -Werror. We throw in some extra Clang-specific options to ensure that --# this doesn't happen for GCC, which also accepts -Werror. 
-+ *) -+ ax_pthread_check_macro="--" -+ ;; -+esac -+AS_IF([test "x$ax_pthread_check_macro" = "x--"], -+ [ax_pthread_check_cond=0], -+ [ax_pthread_check_cond="!defined($ax_pthread_check_macro)"]) - --AC_MSG_CHECKING([if compiler needs -Werror to reject unknown flags]) --save_CFLAGS="$CFLAGS" --ax_pthread_extra_flags="-Werror" --CFLAGS="$CFLAGS $ax_pthread_extra_flags -Wunknown-warning-option -Wsizeof-array-argument" --AC_COMPILE_IFELSE([AC_LANG_PROGRAM([int foo(void);],[foo()])], -- [AC_MSG_RESULT([yes])], -- [ax_pthread_extra_flags= -- AC_MSG_RESULT([no])]) --CFLAGS="$save_CFLAGS" - --if test x"$ax_pthread_ok" = xno; then --for flag in $ax_pthread_flags; do -+if test "x$ax_pthread_ok" = "xno"; then -+for ax_pthread_try_flag in $ax_pthread_flags; do - -- case $flag in -+ case $ax_pthread_try_flag in - none) - AC_MSG_CHECKING([whether pthreads work without any flags]) - ;; - -+ *,*) -+ PTHREAD_CFLAGS=`echo $ax_pthread_try_flag | sed "s/^\(.*\),\(.*\)$/\1/"` -+ PTHREAD_LIBS=`echo $ax_pthread_try_flag | sed "s/^\(.*\),\(.*\)$/\2/"` -+ AC_MSG_CHECKING([whether pthreads work with "$PTHREAD_CFLAGS" and "$PTHREAD_LIBS"]) -+ ;; -+ - -*) -- AC_MSG_CHECKING([whether pthreads work with $flag]) -- PTHREAD_CFLAGS="$flag" -+ AC_MSG_CHECKING([whether pthreads work with $ax_pthread_try_flag]) -+ PTHREAD_CFLAGS="$ax_pthread_try_flag" - ;; - - pthread-config) - AC_CHECK_PROG([ax_pthread_config], [pthread-config], [yes], [no]) -- if test x"$ax_pthread_config" = xno; then continue; fi -+ AS_IF([test "x$ax_pthread_config" = "xno"], [continue]) - PTHREAD_CFLAGS="`pthread-config --cflags`" - PTHREAD_LIBS="`pthread-config --ldflags` `pthread-config --libs`" - ;; - - *) -- AC_MSG_CHECKING([for the pthreads library -l$flag]) -- PTHREAD_LIBS="-l$flag" -+ AC_MSG_CHECKING([for the pthreads library -l$ax_pthread_try_flag]) -+ PTHREAD_LIBS="-l$ax_pthread_try_flag" - ;; - esac - -- save_LIBS="$LIBS" -- save_CFLAGS="$CFLAGS" -+ ax_pthread_save_CFLAGS="$CFLAGS" -+ ax_pthread_save_LIBS="$LIBS" -+ 
CFLAGS="$CFLAGS $PTHREAD_CFLAGS" - LIBS="$PTHREAD_LIBS $LIBS" -- CFLAGS="$CFLAGS $PTHREAD_CFLAGS $ax_pthread_extra_flags" - - # Check for various functions. We must include pthread.h, - # since some functions may be macros. (On the Sequent, we -@@ -218,8 +312,18 @@ for flag in $ax_pthread_flags; do - # pthread_cleanup_push because it is one of the few pthread - # functions on Solaris that doesn't have a non-functional libc stub. - # We try pthread_create on general principles. -+ - AC_LINK_IFELSE([AC_LANG_PROGRAM([#include -- static void routine(void *a) { *((int*)a) = 0; } -+# if $ax_pthread_check_cond -+# error "$ax_pthread_check_macro must be defined" -+# endif -+ static void *some_global = NULL; -+ static void routine(void *a) -+ { -+ /* To avoid any unused-parameter or -+ unused-but-set-parameter warning. */ -+ some_global = a; -+ } - static void *start_routine(void *a) { return a; }], - [pthread_t th; pthread_attr_t attr; - pthread_create(&th, 0, start_routine, 0); -@@ -227,101 +331,187 @@ for flag in $ax_pthread_flags; do - pthread_attr_init(&attr); - pthread_cleanup_push(routine, 0); - pthread_cleanup_pop(0) /* ; */])], -- [ax_pthread_ok=yes], -- []) -+ [ax_pthread_ok=yes], -+ []) - -- LIBS="$save_LIBS" -- CFLAGS="$save_CFLAGS" -+ CFLAGS="$ax_pthread_save_CFLAGS" -+ LIBS="$ax_pthread_save_LIBS" - - AC_MSG_RESULT([$ax_pthread_ok]) -- if test "x$ax_pthread_ok" = xyes; then -- break; -- fi -+ AS_IF([test "x$ax_pthread_ok" = "xyes"], [break]) - - PTHREAD_LIBS="" - PTHREAD_CFLAGS="" - done - fi - -+ -+# Clang needs special handling, because older versions handle the -pthread -+# option in a rather... idiosyncratic way -+ -+if test "x$ax_pthread_clang" = "xyes"; then -+ -+ # Clang takes -pthread; it has never supported any other flag -+ -+ # (Note 1: This will need to be revisited if a system that Clang -+ # supports has POSIX threads in a separate library. This tends not -+ # to be the way of modern systems, but it's conceivable.) 
-+ -+ # (Note 2: On some systems, notably Darwin, -pthread is not needed -+ # to get POSIX threads support; the API is always present and -+ # active. We could reasonably leave PTHREAD_CFLAGS empty. But -+ # -pthread does define _REENTRANT, and while the Darwin headers -+ # ignore this macro, third-party headers might not.) -+ -+ # However, older versions of Clang make a point of warning the user -+ # that, in an invocation where only linking and no compilation is -+ # taking place, the -pthread option has no effect ("argument unused -+ # during compilation"). They expect -pthread to be passed in only -+ # when source code is being compiled. -+ # -+ # Problem is, this is at odds with the way Automake and most other -+ # C build frameworks function, which is that the same flags used in -+ # compilation (CFLAGS) are also used in linking. Many systems -+ # supported by AX_PTHREAD require exactly this for POSIX threads -+ # support, and in fact it is often not straightforward to specify a -+ # flag that is used only in the compilation phase and not in -+ # linking. Such a scenario is extremely rare in practice. -+ # -+ # Even though use of the -pthread flag in linking would only print -+ # a warning, this can be a nuisance for well-run software projects -+ # that build with -Werror. So if the active version of Clang has -+ # this misfeature, we search for an option to squash it. 
-+ -+ AC_CACHE_CHECK([whether Clang needs flag to prevent "argument unused" warning when linking with -pthread], -+ [ax_cv_PTHREAD_CLANG_NO_WARN_FLAG], -+ [ax_cv_PTHREAD_CLANG_NO_WARN_FLAG=unknown -+ # Create an alternate version of $ac_link that compiles and -+ # links in two steps (.c -> .o, .o -> exe) instead of one -+ # (.c -> exe), because the warning occurs only in the second -+ # step -+ ax_pthread_save_ac_link="$ac_link" -+ ax_pthread_sed='s/conftest\.\$ac_ext/conftest.$ac_objext/g' -+ ax_pthread_link_step=`AS_ECHO(["$ac_link"]) | sed "$ax_pthread_sed"` -+ ax_pthread_2step_ac_link="($ac_compile) && (echo ==== >&5) && ($ax_pthread_link_step)" -+ ax_pthread_save_CFLAGS="$CFLAGS" -+ for ax_pthread_try in '' -Qunused-arguments -Wno-unused-command-line-argument unknown; do -+ AS_IF([test "x$ax_pthread_try" = "xunknown"], [break]) -+ CFLAGS="-Werror -Wunknown-warning-option $ax_pthread_try -pthread $ax_pthread_save_CFLAGS" -+ ac_link="$ax_pthread_save_ac_link" -+ AC_LINK_IFELSE([AC_LANG_SOURCE([[int main(void){return 0;}]])], -+ [ac_link="$ax_pthread_2step_ac_link" -+ AC_LINK_IFELSE([AC_LANG_SOURCE([[int main(void){return 0;}]])], -+ [break]) -+ ]) -+ done -+ ac_link="$ax_pthread_save_ac_link" -+ CFLAGS="$ax_pthread_save_CFLAGS" -+ AS_IF([test "x$ax_pthread_try" = "x"], [ax_pthread_try=no]) -+ ax_cv_PTHREAD_CLANG_NO_WARN_FLAG="$ax_pthread_try" -+ ]) -+ -+ case "$ax_cv_PTHREAD_CLANG_NO_WARN_FLAG" in -+ no | unknown) ;; -+ *) PTHREAD_CFLAGS="$ax_cv_PTHREAD_CLANG_NO_WARN_FLAG $PTHREAD_CFLAGS" ;; -+ esac -+ -+fi # $ax_pthread_clang = yes -+ -+ -+ - # Various other checks: --if test "x$ax_pthread_ok" = xyes; then -- save_LIBS="$LIBS" -- LIBS="$PTHREAD_LIBS $LIBS" -- save_CFLAGS="$CFLAGS" -+if test "x$ax_pthread_ok" = "xyes"; then -+ ax_pthread_save_CFLAGS="$CFLAGS" -+ ax_pthread_save_LIBS="$LIBS" - CFLAGS="$CFLAGS $PTHREAD_CFLAGS" -+ LIBS="$PTHREAD_LIBS $LIBS" - - # Detect AIX lossage: JOINABLE attribute is called UNDETACHED. 
-- AC_MSG_CHECKING([for joinable pthread attribute]) -- attr_name=unknown -- for attr in PTHREAD_CREATE_JOINABLE PTHREAD_CREATE_UNDETACHED; do -- AC_LINK_IFELSE([AC_LANG_PROGRAM([#include ], -- [int attr = $attr; return attr /* ; */])], -- [attr_name=$attr; break], -- []) -- done -- AC_MSG_RESULT([$attr_name]) -- if test "$attr_name" != PTHREAD_CREATE_JOINABLE; then -- AC_DEFINE_UNQUOTED([PTHREAD_CREATE_JOINABLE], [$attr_name], -- [Define to necessary symbol if this constant -- uses a non-standard name on your system.]) -- fi -- -- AC_MSG_CHECKING([if more special flags are required for pthreads]) -- flag=no -- case ${host_os} in -- aix* | freebsd* | darwin*) flag="-D_THREAD_SAFE";; -- osf* | hpux*) flag="-D_REENTRANT";; -- solaris*) -- if test "$GCC" = "yes"; then -- flag="-D_REENTRANT" -- else -- # TODO: What about Clang on Solaris? -- flag="-mt -D_REENTRANT" -- fi -- ;; -- esac -- AC_MSG_RESULT([$flag]) -- if test "x$flag" != xno; then -- PTHREAD_CFLAGS="$flag $PTHREAD_CFLAGS" -- fi -+ AC_CACHE_CHECK([for joinable pthread attribute], -+ [ax_cv_PTHREAD_JOINABLE_ATTR], -+ [ax_cv_PTHREAD_JOINABLE_ATTR=unknown -+ for ax_pthread_attr in PTHREAD_CREATE_JOINABLE PTHREAD_CREATE_UNDETACHED; do -+ AC_LINK_IFELSE([AC_LANG_PROGRAM([#include ], -+ [int attr = $ax_pthread_attr; return attr /* ; */])], -+ [ax_cv_PTHREAD_JOINABLE_ATTR=$ax_pthread_attr; break], -+ []) -+ done -+ ]) -+ AS_IF([test "x$ax_cv_PTHREAD_JOINABLE_ATTR" != "xunknown" && \ -+ test "x$ax_cv_PTHREAD_JOINABLE_ATTR" != "xPTHREAD_CREATE_JOINABLE" && \ -+ test "x$ax_pthread_joinable_attr_defined" != "xyes"], -+ [AC_DEFINE_UNQUOTED([PTHREAD_CREATE_JOINABLE], -+ [$ax_cv_PTHREAD_JOINABLE_ATTR], -+ [Define to necessary symbol if this constant -+ uses a non-standard name on your system.]) -+ ax_pthread_joinable_attr_defined=yes -+ ]) -+ -+ AC_CACHE_CHECK([whether more special flags are required for pthreads], -+ [ax_cv_PTHREAD_SPECIAL_FLAGS], -+ [ax_cv_PTHREAD_SPECIAL_FLAGS=no -+ case $host_os in -+ solaris*) -+ 
ax_cv_PTHREAD_SPECIAL_FLAGS="-D_POSIX_PTHREAD_SEMANTICS" -+ ;; -+ esac -+ ]) -+ AS_IF([test "x$ax_cv_PTHREAD_SPECIAL_FLAGS" != "xno" && \ -+ test "x$ax_pthread_special_flags_added" != "xyes"], -+ [PTHREAD_CFLAGS="$ax_cv_PTHREAD_SPECIAL_FLAGS $PTHREAD_CFLAGS" -+ ax_pthread_special_flags_added=yes]) - - AC_CACHE_CHECK([for PTHREAD_PRIO_INHERIT], -- [ax_cv_PTHREAD_PRIO_INHERIT], [ -- AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], -- [[int i = PTHREAD_PRIO_INHERIT;]])], -- [ax_cv_PTHREAD_PRIO_INHERIT=yes], -- [ax_cv_PTHREAD_PRIO_INHERIT=no]) -+ [ax_cv_PTHREAD_PRIO_INHERIT], -+ [AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], -+ [[int i = PTHREAD_PRIO_INHERIT; -+ return i;]])], -+ [ax_cv_PTHREAD_PRIO_INHERIT=yes], -+ [ax_cv_PTHREAD_PRIO_INHERIT=no]) - ]) -- AS_IF([test "x$ax_cv_PTHREAD_PRIO_INHERIT" = "xyes"], -- [AC_DEFINE([HAVE_PTHREAD_PRIO_INHERIT], [1], [Have PTHREAD_PRIO_INHERIT.])]) -+ AS_IF([test "x$ax_cv_PTHREAD_PRIO_INHERIT" = "xyes" && \ -+ test "x$ax_pthread_prio_inherit_defined" != "xyes"], -+ [AC_DEFINE([HAVE_PTHREAD_PRIO_INHERIT], [1], [Have PTHREAD_PRIO_INHERIT.]) -+ ax_pthread_prio_inherit_defined=yes -+ ]) - -- LIBS="$save_LIBS" -- CFLAGS="$save_CFLAGS" -+ CFLAGS="$ax_pthread_save_CFLAGS" -+ LIBS="$ax_pthread_save_LIBS" - - # More AIX lossage: compile with *_r variant -- if test "x$GCC" != xyes; then -+ if test "x$GCC" != "xyes"; then - case $host_os in - aix*) - AS_CASE(["x/$CC"], -- [x*/c89|x*/c89_128|x*/c99|x*/c99_128|x*/cc|x*/cc128|x*/xlc|x*/xlc_v6|x*/xlc128|x*/xlc128_v6], -- [#handle absolute path differently from PATH based program lookup -- AS_CASE(["x$CC"], -- [x/*], -- [AS_IF([AS_EXECUTABLE_P([${CC}_r])],[PTHREAD_CC="${CC}_r"])], -- [AC_CHECK_PROGS([PTHREAD_CC],[${CC}_r],[$CC])])]) -+ [x*/c89|x*/c89_128|x*/c99|x*/c99_128|x*/cc|x*/cc128|x*/xlc|x*/xlc_v6|x*/xlc128|x*/xlc128_v6], -+ [#handle absolute path differently from PATH based program lookup -+ AS_CASE(["x$CC"], -+ [x/*], -+ [ -+ AS_IF([AS_EXECUTABLE_P([${CC}_r])],[PTHREAD_CC="${CC}_r"]) -+ 
AS_IF([test "x${CXX}" != "x"], [AS_IF([AS_EXECUTABLE_P([${CXX}_r])],[PTHREAD_CXX="${CXX}_r"])]) -+ ], -+ [ -+ AC_CHECK_PROGS([PTHREAD_CC],[${CC}_r],[$CC]) -+ AS_IF([test "x${CXX}" != "x"], [AC_CHECK_PROGS([PTHREAD_CXX],[${CXX}_r],[$CXX])]) -+ ] -+ ) -+ ]) - ;; - esac - fi - fi - - test -n "$PTHREAD_CC" || PTHREAD_CC="$CC" -+test -n "$PTHREAD_CXX" || PTHREAD_CXX="$CXX" - - AC_SUBST([PTHREAD_LIBS]) - AC_SUBST([PTHREAD_CFLAGS]) - AC_SUBST([PTHREAD_CC]) -+AC_SUBST([PTHREAD_CXX]) - - # Finally, execute ACTION-IF-FOUND/ACTION-IF-NOT-FOUND: --if test x"$ax_pthread_ok" = xyes; then -+if test "x$ax_pthread_ok" = "xyes"; then - ifelse([$1],,[AC_DEFINE([HAVE_PTHREAD],[1],[Define if you have POSIX threads libraries and header files.])],[$1]) - : - else -diff --git a/unbound-1.19.3/configure.ac b/unbound-1.19.3/configure.ac -index e0dedbe..34f2da7 100644 ---- a/unbound-1.19.3/configure.ac -+++ b/unbound-1.19.3/configure.ac -@@ -4,7 +4,7 @@ AC_PREREQ([2.56]) - sinclude(acx_nlnetlabs.m4) - sinclude(ax_pthread.m4) - sinclude(acx_python.m4) --sinclude(ac_pkg_swig.m4) -+sinclude(ax_pkg_swig.m4) - sinclude(dnstap/dnstap.m4) - sinclude(dnscrypt/dnscrypt.m4) - -@@ -795,9 +795,9 @@ if test x_$ub_test_python != x_no; then - ub_have_swig=no - AC_ARG_ENABLE(swig-version-check, AS_HELP_STRING([--disable-swig-version-check],[Disable swig version check to build python modules with older swig even though that is unreliable])) - if test "$enable_swig_version_check" = "yes"; then -- AC_PROG_SWIG(2.0.1) -+ AX_PKG_SWIG(2.0.1) - else -- AC_PROG_SWIG -+ AX_PKG_SWIG - fi - AC_MSG_CHECKING(SWIG) - if test ! -x "$SWIG"; then --- -2.44.0 - diff --git a/unbound-1.19-python3.12-Py_NoSiteFlag.patch b/unbound-1.19-python3.12-Py_NoSiteFlag.patch deleted file mode 100644 index 8d7125c..0000000 --- a/unbound-1.19-python3.12-Py_NoSiteFlag.patch +++ /dev/null 
@@ -1,48 +0,0 @@
-From 4d66057470cd5c5533cb39b4e049c3ae48044090 Mon Sep 17 00:00:00 2001
-From: Petr Mensik
-Date: Mon, 15 Apr 2024 13:43:58 +0200
-Subject: [PATCH] Py_NoSiteFlag is not needed since Python 3.8
-
-Python since 3.12 prints warning about Py_NoSiteFlag is deprecated. It
-seems that variable is not needed since Python 3.8, since it sets in
-such cases directly config.site_import variable few moments later.
-Move using deprecated variable to versions before that flag in config
-could be used only.
-
-This should fix warning like:
-
-pythonmod/pythonmod.c: In function 'pythonmod_init':
-pythonmod/pythonmod.c:359:7: warning: 'Py_NoSiteFlag' is deprecated [-Wdeprecated-declarations]
- 359 | Py_NoSiteFlag = 1;
- | ^~~~~~~~~~~~~
-In file included from /usr/include/python3.12/Python.h:48,
- from pythonmod/pythonmod.c:54:
-/usr/include/python3.12/cpython/pydebug.h:14:37: note: declared here
- 14 | Py_DEPRECATED(3.12) PyAPI_DATA(int) Py_NoSiteFlag;
- | ^~~~~~~~~~~~~
-
-https://docs.python.org/3/c-api/init.html#c.Py_NoSiteFlag
----
- unbound-1.19.3/pythonmod/pythonmod.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/unbound-1.19.3/pythonmod/pythonmod.c b/unbound-1.19.3/pythonmod/pythonmod.c
-index c6294a1..b8f2d62 100644
---- a/unbound-1.19.3/pythonmod/pythonmod.c
-+++ b/unbound-1.19.3/pythonmod/pythonmod.c
-@@ -356,11 +356,11 @@ int pythonmod_init(struct module_env* env, int id)
- return 0;
- }
- #endif
-- Py_NoSiteFlag = 1;
- #if PY_MAJOR_VERSION >= 3
- PyImport_AppendInittab(SWIG_name, (void*)SWIG_init);
- #endif
- #if PY_VERSION_HEX < 0x03080000
-+ Py_NoSiteFlag = 1;
- Py_Initialize();
- #else
- PyConfig_InitPythonConfig(&config);
---
-2.44.0
-
diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch
index f350be8..f57207b 100644
--- a/unbound-fedora-config.patch
+++ b/unbound-fedora-config.patch
@@ -1,4 +1,4 @@ -From 17d4cc5fea24faa55358b7c36fdae0cd9bdd48b6 Mon Sep 17 00:00:00 2001 +From 79506679335ef1e02a960ccc7cfeda19348f5619 Mon Sep 17 00:00:00 2001 From: Petr Mensik Date: Fri, 10 Nov 2023 12:58:31 +0100 Subject: [PATCH] Customize unbound.conf for Fedora defaults @@ -7,13 +7,13 @@ Set some Fedora/RHEL specific changes to example configuration file. By patching upstream provided config file we would not need to manually update external copy in source RPM. --- - unbound-1.19.3/doc/example.conf.in | 194 ++++++++++++++++++----------- + unbound-1.20.0/doc/example.conf.in | 194 ++++++++++++++++++----------- 1 file changed, 124 insertions(+), 70 deletions(-) -diff --git a/unbound-1.19.3/doc/example.conf.in b/unbound-1.19.3/doc/example.conf.in -index d791cf8..af163b2 100644 ---- a/unbound-1.19.3/doc/example.conf.in -+++ b/unbound-1.19.3/doc/example.conf.in +diff --git a/unbound-1.20.0/doc/example.conf.in b/unbound-1.20.0/doc/example.conf.in +index 0368c8d..9ece701 100644 +--- a/unbound-1.20.0/doc/example.conf.in ++++ b/unbound-1.20.0/doc/example.conf.in @@ -17,11 +17,12 @@ server: # whitespace is not necessary, but looks cleaner. @@ -120,7 +120,7 @@ index d791cf8..af163b2 100644 # use IP_FREEBIND so the interface: addresses can be non-local # and you can bind to nonexisting IPs and interfaces that are down. -@@ -256,6 +275,8 @@ server: +@@ -276,6 +295,8 @@ server: # nat64-prefix: 64:ff9b::0/96 # Enable UDP, "yes" or "no". 
@@ -129,16 +129,16 @@ index d791cf8..af163b2 100644 # do-udp: yes # Enable TCP, "yes" or "no". -@@ -281,7 +302,7 @@ server: +@@ -301,7 +322,7 @@ server: # tcp-idle-timeout: 30000 # Enable EDNS TCP keepalive option. - # edns-tcp-keepalive: no + edns-tcp-keepalive: yes - # Timeout for EDNS TCP keepalive, in msec. - # edns-tcp-keepalive-timeout: 120000 -@@ -290,6 +311,9 @@ server: + # Timeout for EDNS TCP keepalive, in msec. Overrides tcp-idle-timeout + # if edns-tcp-keepalive is set. +@@ -311,6 +332,9 @@ server: # can be dropped. Default is 0, disabled. In seconds, such as 3. # sock-queue-timeout: 0 @@ -148,7 +148,7 @@ index d791cf8..af163b2 100644 # Use systemd socket activation for UDP, TCP, and control sockets. # use-systemd: no -@@ -403,6 +427,7 @@ server: +@@ -424,6 +448,7 @@ server: # # If you give "" no chroot is performed. The path must not end in a /. # chroot: "@UNBOUND_CHROOT_DIR@" @@ -156,7 +156,7 @@ index d791cf8..af163b2 100644 # if given, user privileges are dropped (after binding port), # and the given username is assumed. Default is user "unbound". -@@ -414,7 +439,7 @@ server: +@@ -435,7 +460,7 @@ server: # is not changed. # If you give a server: directory: dir before include: file statements # then those includes can be relative to the working directory. @@ -165,7 +165,7 @@ index d791cf8..af163b2 100644 # the log file, "" means log to stderr. # Use of this option sets use-syslog to "no". -@@ -429,7 +454,7 @@ server: +@@ -450,7 +475,7 @@ server: # log-identity: "" # print UTC timestamp in ascii to logfile, default is epoch in seconds. @@ -174,7 +174,7 @@ index d791cf8..af163b2 100644 # print one line with time, IP, name, type, class for every query. # log-queries: no -@@ -501,22 +526,22 @@ server: +@@ -522,22 +547,22 @@ server: # harden-large-queries: no # Harden against out of zone rrsets, to avoid spoofing attempts. 
@@ -201,7 +201,7 @@ index d791cf8..af163b2 100644 # Harden against algorithm downgrade when multiple algorithms are # advertised in the DS record. If no, allows the weakest algorithm -@@ -530,7 +555,7 @@ server: +@@ -551,7 +576,7 @@ server: # Sent minimum amount of information to upstream servers to enhance # privacy. Only sent minimum required labels of the QNAME and set QTYPE # to A when possible. @@ -210,7 +210,7 @@ index d791cf8..af163b2 100644 # QNAME minimisation in strict mode. Do not fall-back to sending full # QNAME to potentially broken nameservers. A lot of domains will not be -@@ -540,7 +565,7 @@ server: +@@ -561,7 +586,7 @@ server: # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN # and other denials, using information from previous NXDOMAINs answers. @@ -219,7 +219,7 @@ index d791cf8..af163b2 100644 # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. -@@ -573,7 +598,7 @@ server: +@@ -594,7 +619,7 @@ server: # threshold, a warning is printed and a defensive action is taken, # the cache is cleared to flush potential poison out of it. # A suggested value is 10000000, the default is 0 (turned off). @@ -228,7 +228,7 @@ index d791cf8..af163b2 100644 # Do not query the following addresses. No DNS queries are sent there. # List one address per entry. List classless netblocks with /size, -@@ -585,20 +610,20 @@ server: +@@ -606,20 +631,20 @@ server: # do-not-query-localhost: yes # if yes, perform prefetching of almost expired message cache entries. @@ -254,7 +254,7 @@ index d791cf8..af163b2 100644 # true to disable DNSSEC lameness check in iterator. # disable-dnssec-lame-check: no -@@ -608,7 +633,9 @@ server: +@@ -629,7 +654,9 @@ server: # most modules have to be listed at the beginning of the line, # except cachedb(just before iterator), and python (at the beginning, # or, just before the iterator). 
@@ -265,7 +265,7 @@ index d791cf8..af163b2 100644 # File with trusted keys, kept uptodate using RFC5011 probes, # initial file like trust-anchor-file, then it stores metadata. -@@ -622,10 +649,10 @@ server: +@@ -643,10 +670,10 @@ server: # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" # trust anchor signaling sends a RFC8145 key tag query after priming. @@ -278,7 +278,7 @@ index d791cf8..af163b2 100644 # File with trusted keys for validation. Specify more than one file # with several entries, one file per entry. -@@ -646,6 +673,9 @@ server: +@@ -667,6 +694,9 @@ server: # the trusted-keys { name flag proto algo "key"; }; clauses are read. # you need external update procedures to track changes in keys. # trusted-keys-file: "" @@ -288,7 +288,7 @@ index d791cf8..af163b2 100644 # Ignore chain of trust. Domain is treated as insecure. # domain-insecure: "example.com" -@@ -673,14 +703,15 @@ server: +@@ -694,14 +724,15 @@ server: # unsecure data. Useful to shield the users of this validator from # potential bogus data in the additional section. All unsigned data # in the additional section is removed from secure messages. @@ -306,7 +306,7 @@ index d791cf8..af163b2 100644 # Ignore the CD flag in incoming queries and refuse them bogus data. # Enable it if the only clients of Unbound are legacy servers (w2008) -@@ -694,11 +725,11 @@ server: +@@ -715,11 +746,11 @@ server: # Serve expired responses from cache, with serve-expired-reply-ttl in # the response, and then attempt to fetch the data afresh. @@ -320,7 +320,7 @@ index d791cf8..af163b2 100644 # # Set the TTL of expired records to the serve-expired-ttl value after a # failed attempt to retrieve the record from upstream. This makes sure -@@ -725,7 +756,7 @@ server: +@@ -746,7 +777,7 @@ server: # Have the validator log failed validations for your diagnosis. # 0: off. 1: A line per failed user query. 2: With reason and bad IP. 
@@ -329,7 +329,7 @@ index d791cf8..af163b2 100644 # It is possible to configure NSEC3 maximum iteration counts per # keysize. Keep this table very short, as linear search is done. -@@ -869,6 +900,8 @@ server: +@@ -890,6 +921,8 @@ server: # you need to do the reverse notation yourself. # local-data-ptr: "192.0.2.3 www.example.com" @@ -338,7 +338,7 @@ index d791cf8..af163b2 100644 # tag a localzone with a list of tag names (in "" with spaces between) # local-zone-tag: "example.com" "tag2 tag3" -@@ -879,8 +912,8 @@ server: +@@ -900,8 +933,8 @@ server: # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. # Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. @@ -349,7 +349,7 @@ index d791cf8..af163b2 100644 # tls-port: 853 # https-port: 443 -@@ -888,6 +921,8 @@ server: +@@ -909,6 +942,8 @@ server: # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" # cipher setting for TLSv1.3 # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" @@ -358,7 +358,7 @@ index d791cf8..af163b2 100644 # Pad responses to padded queries received over TLS # pad-responses: yes -@@ -1024,12 +1059,12 @@ server: +@@ -1045,12 +1080,12 @@ server: # cookie-secret: <128 bit random hex string> # Enable to attach Extended DNS Error codes (RFC8914) to responses. @@ -373,7 +373,7 @@ index d791cf8..af163b2 100644 # Specific options for ipsecmod. Unbound needs to be configured with # --enable-ipsecmod for these to take effect. -@@ -1037,12 +1072,14 @@ server: +@@ -1058,12 +1093,14 @@ server: # Enable or disable ipsecmod (it still needs to be defined in # module-config above). Can be used when ipsecmod needs to be # enabled/disabled via remote-control(below). 
@@ -391,7 +391,7 @@ index d791cf8..af163b2 100644 # When enabled Unbound will reply with SERVFAIL if the return value of # the ipsecmod-hook is not 0. # ipsecmod-strict: no -@@ -1075,7 +1112,7 @@ server: +@@ -1096,7 +1133,7 @@ server: # o and give a python-script to run. python: # Script file to load @@ -400,7 +400,7 @@ index d791cf8..af163b2 100644 # Dynamic library config section. To enable: # o use --with-dynlibmodule to configure before compiling. -@@ -1086,13 +1123,14 @@ python: +@@ -1107,13 +1144,14 @@ python: # the module-config then you need one dynlib-file per instance. dynlib: # Script file to load @@ -417,7 +417,7 @@ index d791cf8..af163b2 100644 # what interfaces are listened to for remote control. # give 0.0.0.0 and ::0 to listen to all interfaces. -@@ -1100,6 +1138,7 @@ remote-control: +@@ -1121,6 +1159,7 @@ remote-control: # are not used for that, so key and cert files need not be present. # control-interface: 127.0.0.1 # control-interface: ::1 @@ -425,7 +425,7 @@ index d791cf8..af163b2 100644 # port number for remote control operations. # control-port: 8953 -@@ -1109,16 +1148,19 @@ remote-control: +@@ -1130,16 +1169,19 @@ remote-control: # control-use-cert: "yes" # Unbound server key file. @@ -449,7 +449,7 @@ index d791cf8..af163b2 100644 # Stub zones. # Create entries like below, to make all queries for 'example.com' and -@@ -1140,6 +1182,10 @@ remote-control: +@@ -1161,6 +1203,10 @@ remote-control: # name: "example.org" # stub-host: ns.example.com. @@ -460,7 +460,7 @@ index d791cf8..af163b2 100644 # Forward zones # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of servers. These servers have to handle -@@ -1157,6 +1203,10 @@ remote-control: +@@ -1178,6 +1224,10 @@ remote-control: # forward-zone: # name: "example.org" # forward-host: fwd.example.com 
@@ -471,7 +471,7 @@ index d791cf8..af163b2 100644
 # Authority zones
 # The data for these zones is kept locally, from a file or downloaded.
-@@ -1167,27 +1217,28 @@ remote-control:
+@@ -1188,27 +1238,28 @@ remote-control:
 # download it), primary: fetches with AXFR and IXFR, or url to zonefile.
 # With allow-notify: you can give additional (apart from primaries and urls)
 # sources of notifies.
@@ -521,7 +521,7 @@ index d791cf8..af163b2 100644
 # auth-zone:
 # name: "example.org"
 # for-downstream: yes
-@@ -1213,6 +1264,9 @@ remote-control:
+@@ -1234,6 +1285,9 @@ remote-control:
 # name: "anotherview"
 # local-zone: "example.com" refuse
@@ -531,7 +531,7 @@ index d791cf8..af163b2 100644
 # DNSCrypt
 # To enable, use --enable-dnscrypt to configure before compiling.
 # Caveats:
-@@ -1285,7 +1339,7 @@ remote-control:
+@@ -1309,7 +1363,7 @@ remote-control:
 # dnstap-enable: no
 # # if set to yes frame streams will be used in bidirectional mode
 # dnstap-bidirectional: yes
diff --git a/unbound.spec b/unbound.spec
index 40bfc39..17c922b 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -6,6 +6,8 @@
 %bcond_without doh
 %bcond_with redis
+%global forgeurl0 https://github.com/NLnetLabs/unbound
+%global downloads https://nlnetlabs.nl/downloads
 %global _hardened_build 1
 #global extra_version rc1
@@ -30,11 +32,12 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.19.3
+Version: 1.20.0
 Release: %autorelease %{?extra_version:-e %{extra_version}}
 License: BSD-3-Clause
 Url: https://nlnetlabs.nl/projects/unbound/
-Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
+VCS: git:%{forgeurl0}
+Source: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
 Source1: unbound.service
 Source3: unbound.munin
 Source4: unbound_munin_
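Review bot: `forgeurl0` is the input variable name the Fedora forge macros (`%forgemeta`) consume, but in the `@@ -6,6 +6,8 @@` hunk it is only read by the new `VCS:` tag and no `%forgemeta` call is visible in these hunks, so the name suggests machinery that does not appear to be wired in. A neutral name such as `%global upstream_repo https://github.com/NLnetLabs/unbound` with `VCS: git:%{upstream_repo}` avoids that, or, if `%forgemeta` is meant to follow later, a comment on the `%global` line saying so would make the intent explicit. The `%{downloads}` indirection itself looks fine: `Source` here and the `.asc` in `Source18` both derive from it, so the tarball and its detached signature stay fetched from the same base URL.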
@@ -50,7 +53,7 @@ Source14: unbound.sysconfig
 Source15: unbound-anchor.timer
 Source16: unbound-munin.README
 Source17: unbound-anchor.service
-Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
+Source18: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
 # source: https://nlnetlabs.nl/people/
 Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
 Source20: unbound.sysusers
@@ -58,10 +61,6 @@ Source21: remote-control.conf
 # Downstream configuration changes
 Patch1: unbound-fedora-config.patch
-# https://github.com/NLnetLabs/unbound/pull/1048
-Patch2: unbound-1.19-autoconf-m4.patch
-# https://github.com/NLnetLabs/unbound/pull/1049
-Patch3: unbound-1.19-python3.12-Py_NoSiteFlag.patch
 BuildRequires: gcc, make
 BuildRequires: openssl-devel
From 2ee03600906ffdf666a076bf38420868d9677b44 Mon Sep 17 00:00:00 2001
From: Python Maint
Date: Fri, 7 Jun 2024 09:08:20 +0200
Subject: [PATCH 087/139] Rebuilt for Python 3.13
From b1fbf13e87c44119d2222dfb84613b75ed0fcae0 Mon Sep 17 00:00:00 2001
From: Fedora Release Engineering
Date: Sat, 20 Jul 2024 08:14:07 +0000
Subject: [PATCH 088/139] Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
From c7eee55bc6895c723d68fddec757d3f173b675b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Wed, 25 Sep 2024 13:09:58 +0200
Subject: [PATCH 089/139] Update to 1.21.0 (rhbz#2305092)
Features:
- Fix #1071: [FR] Clear both in-memory and cachedb module cache with `unbound-control flush*` commands.
- Fix #144: Port ipset to BSD pf tables.
- Add dnstap-sample-rate that logs only 1/N messages, for high volume server environments. Thanks Dan Luther.
- Add root key 38696 from 2024 for DNSSEC validation. It is added to the default root keys in unbound-anchor. The content can be inspected with `unbound-anchor -l`.
- Merge #1090: Cookie secret file. Adds `cookie-secret-file: "unbound_cookiesecrets.txt"` option to store cookie secrets for EDNS COOKIE secret rollover. The remote control add_cookie_secret, activate_cookie_secret and drop_cookie_secret commands can be used for rollover, the command print_cookie_secrets shows the values in use.
Lot of Bugs fixes. https://nlnetlabs.nl/projects/unbound/download/#unbound-1-21-0
---
 .gitignore | 2 ++
 sources | 4 ++--
 unbound-fedora-config.patch | 42 +++++++++++++++++++------------------
 unbound.spec | 2 +-
 4 files changed, 27 insertions(+), 23 deletions(-)
diff --git a/.gitignore b/.gitignore
index 2ad282d..a89efdb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -89,3 +89,5 @@ unbound-1.4.5.tar.gz
 /unbound-1.19.3.tar.gz.asc
 /unbound-1.20.0.tar.gz
 /unbound-1.20.0.tar.gz.asc
+/unbound-1.21.0.tar.gz
+/unbound-1.21.0.tar.gz.asc
diff --git a/sources b/sources
index 5a055a7..01a2cff 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@ -SHA512 (unbound-1.20.0.tar.gz) = 2f6bc76c03b71ca1c2cd2331dc72d62f51493d15e17c59af46b400e542fcabff22e6b9d33f750a3e5f918a0116f45afa760651b2d5aa2feadac151cbbd71b0bd -SHA512 (unbound-1.20.0.tar.gz.asc) = 1586a320077c606c5c19f251615df54a61854f51acca02df1d391dcc2287aff2c641b009aeee1a98392f63719d70b6bac23ebb7d86b780f8a27cda6e114fc0ad +SHA512 (unbound-1.21.0.tar.gz) = 481534271f443d72635025c79b83bb71bb77b96ae81ec74c7f82f1e958160f5d75489931bdbdf460a72c871268d33628be990d6acf3c5303f04f7ff347ad83c1 +SHA512 (unbound-1.21.0.tar.gz.asc) = 931181070e5ca6c9d6525bbaee5f2b556f36658c879dd63084d8059c83a122bee379720d80952420a116a9837c3ba1793917a2372167464e7a6b2e0520c69230 diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch index f57207b..ea4d6e9 100644 --- a/unbound-fedora-config.patch +++ b/unbound-fedora-config.patch @@ -1,4 +1,4 @@ -From 79506679335ef1e02a960ccc7cfeda19348f5619 Mon Sep 17 00:00:00 2001 +From 88d3d8e8a28752b80a4bfd4ab2baaf45554a89a1 Mon Sep 17 00:00:00 2001 From: Petr Mensik Date: Fri, 10 Nov 2023 12:58:31 +0100 Subject: [PATCH] Customize unbound.conf for Fedora defaults @@ -7,13 +7,13 @@ Set some Fedora/RHEL specific changes to example configuration file. By patching upstream provided config file we would not need to manually update external copy in source RPM. --- - unbound-1.20.0/doc/example.conf.in | 194 ++++++++++++++++++----------- - 1 file changed, 124 insertions(+), 70 deletions(-) + unbound-1.21.0/doc/example.conf.in | 196 ++++++++++++++++++----------- + 1 file changed, 126 insertions(+), 70 deletions(-) -diff --git a/unbound-1.20.0/doc/example.conf.in b/unbound-1.20.0/doc/example.conf.in -index 0368c8d..9ece701 100644 ---- a/unbound-1.20.0/doc/example.conf.in -+++ b/unbound-1.20.0/doc/example.conf.in +diff --git a/unbound-1.21.0/doc/example.conf.in b/unbound-1.21.0/doc/example.conf.in +index 130cb4e..7174d81 100644 +--- a/unbound-1.21.0/doc/example.conf.in ++++ b/unbound-1.21.0/doc/example.conf.in 
@@ -17,11 +17,12 @@ server: # whitespace is not necessary, but looks cleaner. @@ -358,22 +358,24 @@ index 0368c8d..9ece701 100644 # Pad responses to padded queries received over TLS # pad-responses: yes -@@ -1045,12 +1080,12 @@ server: - # cookie-secret: <128 bit random hex string> +@@ -1050,12 +1085,14 @@ server: + # cookie-secret-file: "/usr/local/etc/unbound_cookiesecrets.txt" # Enable to attach Extended DNS Error codes (RFC8914) to responses. - # ede: no ++ # Fedora defaults to yes. + ede: yes # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale # Answer as EDNS0 option to expired responses. # Note that the ede option above needs to be enabled for this to work. - # ede-serve-expired: no ++ # Fedora defaults to yes. + ede-serve-expired: yes # Specific options for ipsecmod. Unbound needs to be configured with # --enable-ipsecmod for these to take effect. -@@ -1058,12 +1093,14 @@ server: +@@ -1063,12 +1100,14 @@ server: # Enable or disable ipsecmod (it still needs to be defined in # module-config above). Can be used when ipsecmod needs to be # enabled/disabled via remote-control(below). @@ -391,7 +393,7 @@ index 0368c8d..9ece701 100644 # When enabled Unbound will reply with SERVFAIL if the return value of # the ipsecmod-hook is not 0. # ipsecmod-strict: no -@@ -1096,7 +1133,7 @@ server: +@@ -1101,7 +1140,7 @@ server: # o and give a python-script to run. python: # Script file to load @@ -400,7 +402,7 @@ index 0368c8d..9ece701 100644 # Dynamic library config section. To enable: # o use --with-dynlibmodule to configure before compiling. -@@ -1107,13 +1144,14 @@ python: +@@ -1112,13 +1151,14 @@ python: # the module-config then you need one dynlib-file per instance. dynlib: # Script file to load 
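Review bot: The new upstream example line `# cookie-secret-file: "/usr/local/etc/unbound_cookiesecrets.txt"` is passed through unchanged on the new side of the `@@ -358,22 +358,24 @@` hunk, while the rest of this Fedora patch rewrites upstream paths to distro locations (the remote-control key files later in the same patch, for example), so the shipped /etc/unbound/unbound.conf would point administrators at a directory the package does not create. I would rewrite the example to the state directory the spec already provisions for unbound, e.g. `# cookie-secret-file: "/var/lib/unbound/unbound_cookiesecrets.txt"`, next to root.key. If unbound rewrites this file on secret rollover via the new unbound-control commands (check the 1.21 manual), a path under /etc/unbound would presumably be unwritable after the privilege drop anyway, which is a second reason to prefer /var/lib/unbound. The inner hunk covering the cookie options is only partly visible here.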
@@ -417,7 +419,7 @@ index 0368c8d..9ece701 100644 # what interfaces are listened to for remote control. # give 0.0.0.0 and ::0 to listen to all interfaces. -@@ -1121,6 +1159,7 @@ remote-control: +@@ -1126,6 +1166,7 @@ remote-control: # are not used for that, so key and cert files need not be present. # control-interface: 127.0.0.1 # control-interface: ::1 @@ -425,7 +427,7 @@ index 0368c8d..9ece701 100644 # port number for remote control operations. # control-port: 8953 -@@ -1130,16 +1169,19 @@ remote-control: +@@ -1135,16 +1176,19 @@ remote-control: # control-use-cert: "yes" # Unbound server key file. @@ -449,7 +451,7 @@ index 0368c8d..9ece701 100644 # Stub zones. # Create entries like below, to make all queries for 'example.com' and -@@ -1161,6 +1203,10 @@ remote-control: +@@ -1166,6 +1210,10 @@ remote-control: # name: "example.org" # stub-host: ns.example.com. @@ -460,7 +462,7 @@ index 0368c8d..9ece701 100644 # Forward zones # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of servers. These servers have to handle -@@ -1178,6 +1224,10 @@ remote-control: +@@ -1183,6 +1231,10 @@ remote-control: # forward-zone: # name: "example.org" # forward-host: fwd.example.com @@ -471,7 +473,7 @@ index 0368c8d..9ece701 100644 # Authority zones # The data for these zones is kept locally, from a file or downloaded. -@@ -1188,27 +1238,28 @@ remote-control: +@@ -1193,27 +1245,28 @@ remote-control: # download it), primary: fetches with AXFR and IXFR, or url to zonefile. # With allow-notify: you can give additional (apart from primaries and urls) # sources of notifies. @@ -521,7 +523,7 @@ index 0368c8d..9ece701 100644 # auth-zone: # name: "example.org" # for-downstream: yes -@@ -1234,6 +1285,9 @@ remote-control: +@@ -1239,6 +1292,9 @@ remote-control: # name: "anotherview" # local-zone: "example.com" refuse 
@@ -531,7 +533,7 @@ index 0368c8d..9ece701 100644 # DNSCrypt # To enable, use --enable-dnscrypt to configure before compiling. # Caveats: -@@ -1309,7 +1363,7 @@ remote-control: +@@ -1314,7 +1370,7 @@ remote-control: # dnstap-enable: no # # if set to yes frame streams will be used in bidirectional mode # dnstap-bidirectional: yes @@ -541,5 +543,5 @@ index 0368c8d..9ece701 100644 # # set it to "IPaddress[@port]" of the destination. # dnstap-ip: "" -- -2.44.0 +2.46.0 diff --git a/unbound.spec b/unbound.spec index 17c922b..10281a5 100644 --- a/unbound.spec +++ b/unbound.spec @@ -32,7 +32,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.20.0 +Version: 1.21.0 Release: %autorelease %{?extra_version:-e %{extra_version}} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ From 9f287be368da5673ad1843c19f1239618441c830 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Wed, 25 Sep 2024 13:29:49 +0200 Subject: [PATCH 090/139] Enable native dynamic modules Support modules similar to pythom modules, but implemented in native code. --- unbound.spec | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index 10281a5..99c0c32 100644 --- a/unbound.spec +++ b/unbound.spec @@ -242,7 +242,8 @@ cp -a %{dir_primary} %{dir_secondary} --with-rootkey-file=%{_sharedstatedir}/%{name}/root.key \\\ --with-username=unbound \\\ --enable-linux-ip-local-port-range \\\ - + --with-dynlibmodule \\\ +# pushd %{dir_primary} From 06a30c3c57e19f8f67a973111e9243f0751026c9 Mon Sep 17 00:00:00 2001 
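Review bot: `--with-dynlibmodule` is added unconditionally and without a comment, while every other optional backend in this spec is a `%bcond` (`dnstap`, `systemd`, `doh`, `redis`); a `%bcond_without dynlibmodule` plus `%if %{with dynlibmodule}` around the flag would keep it switchable per build like the others. A one-line comment above the flag is also warranted, because the dynlib module dlopen()s whatever shared object `dynlib-file:` in unbound.conf names, so anyone able to edit the configuration or an `include:`d file can load native code into the resolver with its privileges — and with root's if the load happens before the privilege drop, which this hunk does not show either way. The trailing `#` line that now terminates the `\\\` continuation replaces a blank line the commit removed and is easy to delete by accident; `# keep this comment last: it terminates the continued option list` would protect it. The continued option list (apparently a macro definition) starts outside the hunk.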
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Wed, 25 Sep 2024 14:18:27 +0200 Subject: [PATCH 091/139] Remove additional subdirectory for python3 build Python2 builds are not common anymore. Make basic unbound directory for primary build in normal default directory. Try subdirectory only for alternative secondary build, if enabled. --- unbound-fedora-config.patch | 10 +++++----- unbound.spec | 27 ++++----------------------- 2 files changed, 9 insertions(+), 28 deletions(-) diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch index ea4d6e9..b4803b6 100644 --- a/unbound-fedora-config.patch +++ b/unbound-fedora-config.patch @@ -1,4 +1,4 @@ -From 88d3d8e8a28752b80a4bfd4ab2baaf45554a89a1 Mon Sep 17 00:00:00 2001 +From 71cbef33920b3b5704be7eab399da506ab51cde1 Mon Sep 17 00:00:00 2001 From: Petr Mensik Date: Fri, 10 Nov 2023 12:58:31 +0100 Subject: [PATCH] Customize unbound.conf for Fedora defaults @@ -7,13 +7,13 @@ Set some Fedora/RHEL specific changes to example configuration file. By patching upstream provided config file we would not need to manually update external copy in source RPM. --- - unbound-1.21.0/doc/example.conf.in | 196 ++++++++++++++++++----------- + doc/example.conf.in | 196 ++++++++++++++++++++++++++++---------------- 1 file changed, 126 insertions(+), 70 deletions(-) -diff --git a/unbound-1.21.0/doc/example.conf.in b/unbound-1.21.0/doc/example.conf.in +diff --git a/doc/example.conf.in b/doc/example.conf.in index 130cb4e..7174d81 100644 ---- a/unbound-1.21.0/doc/example.conf.in -+++ b/unbound-1.21.0/doc/example.conf.in +--- a/doc/example.conf.in ++++ b/doc/example.conf.in @@ -17,11 +17,12 @@ server: # whitespace is not necessary, but looks cleaner. diff --git a/unbound.spec b/unbound.spec index 99c0c32..7f63453 100644 --- a/unbound.spec +++ b/unbound.spec 
@@ -198,22 +198,15 @@ Python 3 modules and extensions for unbound %global pkgname %{name}-%{version}%{?extra_version} %if 0%{with_python2} && 0%{with_python3} -%global dir_primary %{pkgname}_python3 %global python_primary %{__python3} %global dir_secondary %{pkgname}_python2 %global python_secondary %{__python2} -%else -%global dir_primary %{pkgname} %endif -%autosetup -c -N -n %{pkgname} +%autosetup -N -n %{pkgname} -pushd %{pkgname} # patches go here -%autopatch -p2 - -# copy common doc files - after here, since it may be patched -cp -pr doc pythonmod libunbound ../ +%autopatch -p1 %if 0%{?rhel} > 8 # SHA-1 breaks some tests. Disable just some tests because of that. @@ -223,11 +216,9 @@ cp -pr doc pythonmod libunbound ../ mv testdata/${TEST}.rpl{,-disabled} done %endif -popd %if 0%{with_python2} && 0%{with_python3} -mv %{pkgname} %{dir_primary} -cp -a %{dir_primary} %{dir_secondary} + cp -a . %{dir_secondary} %endif %build @@ -245,14 +236,13 @@ cp -a %{dir_primary} %{dir_secondary} --with-dynlibmodule \\\ # -pushd %{dir_primary} - # always regenerate configure rm -f config.h.in aclocal.m4 configure ltmain.sh rm -f {ax_pthread,ax_swig_python}.m4 cp -p %{_datadir}/aclocal/{ax_pthread,ax_swig_python}.m4 . # ensure bison is used to generate fresh parser rm -f util/configparser.{c,h} util/configlexer.c + autoreconf -fiv %configure \ @@ -280,8 +270,6 @@ autoreconf -fiv %make_build %make_build streamtcp -popd - %if 0%{?python_secondary:1} pushd %{dir_secondary} %configure \ @@ -309,11 +297,9 @@ pushd %{dir_secondary} popd %endif -pushd %{dir_primary} %make_install unbound-event-install install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp install -p -m 0644 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf -popd install -d -m 0755 %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service 
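Review bot: `cp -a . %{dir_secondary}` copies the source tree into a directory that sits inside the tree being copied; when GNU cp reaches `./%{dir_secondary}` it refuses to copy a directory into itself and exits non-zero, which would abort %prep. The branch is only exercised when `with_python2` and `with_python3` are both set, so the default build will not notice, but it is now broken rather than merely dead. A self-excluding copy avoids it, e.g. `mkdir %{dir_secondary}` followed by `tar -cf - --exclude=./%{dir_secondary} . | tar -xf - -C %{dir_secondary}`; the later `pushd %{dir_secondary}` in %build and %check can then stay as written. The copy is taken after `%autopatch -p1` and the test-file renames, so the secondary tree inherits them, which is the right order.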
@@ -334,11 +320,9 @@ for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unboun done %endif -pushd %{dir_primary} # install streamtcp man page install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1 install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc -popd # Install tmpfiles.d config install -d -m 0755 %{buildroot}%{_tmpfilesdir} %{buildroot}%{_sharedstatedir}/unbound @@ -410,15 +394,12 @@ fi %systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer %check -pushd %{dir_primary} #pushd pythonmod #make test #popd make check -popd - %if 0%{?python_secondary:1} pushd %{dir_secondary} #pushd pythonmod From 07478f417b441a971876719f37cca3a8bb0790f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 3 Oct 2024 13:25:37 +0200 Subject: [PATCH 092/139] Disable SHA1 support to work with new default crypto-policy https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer Similar to RHEL9+, Fedora now does not allow using any SHA-1 hash for signature verification. This makes our unbound violate rfc 8624. This method of disabling sha1 at all times does not support validating in DEFAULT:SHA1 policy, where SHA1 algorithm would be accepted. That would require more complex machinery, which is not finished unfortunately. This change makes our unbound unsupporting SHA1, no matter which crypto policy is active. Resolves: rhbz#2301344 --- unbound.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index 7f63453..78ef319 100644 --- a/unbound.spec +++ b/unbound.spec @@ -258,7 +258,7 @@ autoreconf -fiv %if %{with doh} --with-libnghttp2 \ %endif -%if 0%{?rhel} +%if 0%{?rhel} || 0%{?fedora} > 40 --disable-sha1 \ %endif %if %{with redis} From a74fe60f128b54225df7106efc0becb1a48b44ba Mon Sep 17 00:00:00 2001 
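Review bot: Once `--disable-sha1` also applies to Fedora > 40, the SHA-1 test exclusion in %prep (the `mv testdata/${TEST}.rpl{,-disabled}` loop, still guarded by `%if 0%{?rhel} > 8`) no longer matches this condition, so `make check` in %check presumably runs the SHA-1 .rpl tests against a build that cannot validate them; the two guards also disagree for RHEL 8 today. Define the condition once and use it at both sites: `%if 0%{?rhel} || 0%{?fedora} > 40` / `%global disable_sha1 1` / `%endif` near the top of the spec, then `%if 0%{?disable_sha1}` around both the configure flag and the test loop. A comment on the flag would help operators too, since the commit message explains the consequence but the spec does not: `# With SHA-1 disabled, zones signed only with RSASHA1/RSASHA1-NSEC3-SHA1 (algorithms 5 and 7) validate as insecure, not bogus` — that follows from unbound's usual unsupported-algorithm handling and is worth confirming against the 1.21 manual before committing the wording.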
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 3 Oct 2024 21:24:40 +0200 Subject: [PATCH 093/139] Update to 1.21.1 (rbhz#2316313) https://github.com/NLnetLabs/unbound/releases/tag/release-1.21.1 A vulnerability has been discovered in Unbound when handling replies with very large RRsets that Unbound needs to perform name compression for. --- .gitignore | 2 + Yorgos.asc | 128 +++++++++++++++++++++++++++++++++++++++++++++++++++ sources | 4 +- unbound.spec | 5 +- 4 files changed, 135 insertions(+), 4 deletions(-) create mode 100644 Yorgos.asc diff --git a/.gitignore b/.gitignore index a89efdb..149c0ab 100644 --- a/.gitignore +++ b/.gitignore @@ -91,3 +91,5 @@ unbound-1.4.5.tar.gz /unbound-1.20.0.tar.gz.asc /unbound-1.21.0.tar.gz /unbound-1.21.0.tar.gz.asc +/unbound-1.21.1.tar.gz +/unbound-1.21.1.tar.gz.asc diff --git a/Yorgos.asc b/Yorgos.asc new file mode 100644 index 0000000..e18ec55 --- /dev/null +++ b/Yorgos.asc 
@@ -0,0 +1,128 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFfYHeYBEAC/8SdeXNspt9ZIoZRSL9juNLHA17TXcHdKSthgWBtwwWZbUPq8 +SJr7Y+hr6jMCDKY9800QzLF0nLkyXnZgaBcvR0rRbCT/qvALJ0fpfjcotapZ1hBv +omb9s8Bo28uKn8tbTMXYNsElUae4Ch/CrU1vfe50YoyQgLR8UBa15gV+2RmC+6jI +qxDYS8sylWlDn6Qim+77feLlObPnNdzgfWGZo14eJByTsz0qrh8aS/BS1FAsnEQ6 +W6AqukhpuKuWvoAUXKjfguXQolxeexubmKaLcGOTvecw+cbh/a5SPHRtRVr9qTxp +elk6UEpakY5K9UtZkrG55VWih/4KqY9bNyhJBtpAk1fXA+mYfx5BcFpECYdU9kz4 +UgV5jK0HYRHQTLC91PPVQgH86we+Aae6TaJneCLEIzBK36TgAP8RKrvFfPUym5OP +YbWOom27QTKfRVcyxPKglJxrTSWixnKWS/pqxNY8hF9Ne4crRAF4wX2yBVbGnjNr +S9TpYmjMwURbuYm+rWZk/8w5OJG60V3wax56c0jn/42O3Y2hzQ+PbOv2M4UuuajS +2YL3/KUsRLBapUpPQjzChwzdr/vzFEhk9XxK2VGMN+dh2HjYwDFendc5csyt/cVr +g3LssVS2bKy5g3IhrzCKAk0Sky4S5t/mcN+lWztNvCijuLz58GCym5GwJQARAQAB +tCtZb3Jnb3MgVGhlc3NhbG9uaWtlZnMgPHlvcmdvc0BubG5ldGxhYnMubmw+iQJX +BBMBCABBAhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAhkBFiEElI60IyLF0At5 +NA9dz/M0TZCHpJAFAmbz0CwFCRD85cYACgkQz/M0TZCHpJBVnhAAkcd79Twxj/tt +C4q2Xpq75+Ew6YR9gLqYiV5vEd6fu0oyhuVoUlfTkjH4ALIoGIKaO9yAVUXsrGrs +n1aJPo1Mw3q6mIwtQOxXz/W44LuFzcvZkHtCYX4YyLrUHXZPvl+r4eYkTOcyyQMU +BmbuvWhufv8MBilvWltQLxfLlgihbfuIrxqjAYDhqCffpgUiZyCut2rrenIgeh1f +DvC+GjZ3cfb1UsIpzm19yr4NCiTHkLkCOAAcAUFwWWeO/jfUsSvFQEHUnYNRREzI +Lth9NlKwPtsOVi+wcNnWQtFQb11BMr407xBib7hLSIFiqvOiYgQABjZdWN+snCRP +ZZSruigjE9ateOloJwmBqrSJLAywxvDE0ivqfSj51W5eJc/JLSXvjrOuW28dJCr8 +RV9PjC9X7zuTiFLzV8SVH71Z43Rix8n7AOp3wgRe3SygEyQXPj4qbm5HHVsx9GEA +zn495L99dJ4wZgjkbEsGhzwUx7N9FHEGS/sz3LiEq+ZYckR6gzTMMrQJgbsS9lnK +9xlXsp37uIYvx9W9JZXtS+AZhw0q3osMYBF68HPX8B9GBYlkQWmWSIMfzRYcD2n1 +5+XsfERK4mxcTWl2sCYpt8Sy3tADj9nQDabAlGUd/hlFS1dvDVQjGh6ER5S0nZjY +nmRsLl8nOTKhb2xY+2p1sDjxxQYJJQe0K0dlb3JnZSBUaGVzc2Fsb25pa2VmcyA8 +Z2VvcmdlQG5sbmV0bGFicy5ubD6JAlQEEwEIAD4CGyMFCwkIBwIGFQgJCgsCBBYC +AwECHgECF4AWIQSUjrQjIsXQC3k0D13P8zRNkIekkAUCZvPQPQUJEPzlxgAKCRDP +8zRNkIekkFfCEACheY1yr2Z+LPjm/Nd2eA4CFFO7nUQHI+a6lYBd57txrRuIicuG +pGjOhnvcioRwICiKNLJD3YTU+WOd+sbO7BXH2sw2KdU9NK1ojKX/SQiTg6upfJsu 
+gbgar2oPvR88B7oSiuonZnhEf72HfWKDSBXHpi6KC6S3JZ+o50NB3GBpwUL1lfKW +ovymYbN6tYQfqw/+AP5jUUNpkclC0RbcW69rpvrHHqeQV1AVKkm/jNQpWLKYTGF7 +bbdLkgMh3rHp8gmF0/GuK+oyL7xD+TEXfr3iqlDIVuxbxDN8xTti1RrERU/MWQar +qOSFZcr4t+nlwThJidDLF/u3h0Ymrjz92VTfCgELIwCKxGX7jAyLZHzuWAp+0Pr/ +yuHodbweGNcGVoXmIpK93/WZcfFlBcyQLECVcijmxd7Euk0xDk76RQpuuL5VOWqn +aZcf2uNfppwKFZJjcXwK+EQbwN7+RFNvLrwoRn/1xM57T5AYBAgSvKb6h0G5KwW6 +tJfJdSu1MHfCZS1hH1Gr4+UG+VbLCVmQ9N/lUs0bcD7pK+bA1W0YnsIVuaQ+YZUh +KrJoCUF0kVDtW9ETZkp0iVBm1Q9xgTGaxUTVmctOyAbdCLyHNra4fo1BAdGlu+IP +qAcktaBUKFxWxRxf9O5kGihce9anK8CJ/TCnQ7wSvyYrlAoBoQaS78VzYYkBHAQS +AQIABgUCV9kUOAAKCRAwkY2CdXJCIju1B/oCvf1kWYndNeLS6U2O6DtFAL2Ia5tY +Zukcyqb1hkYcrBiMZbQN94gX5a+6Q4pdd2n241r1ZuSWdwUhRUbF4mvbZMVsavnk +cvrRGviVIUXf71W0O/IsmQ9oN0Finhpf14Y4z/xqF8DpvJdkWc6X5g+RJuko6q2w +B7x2UfSyF4USp47LSmUQnC59IF8jzaElgBha3gwEuXL3d2qBepoV/e9RiXJClUAT ++O7qdxzDq1eiZ+NXUjDCmrkuWjHLAZAv0jx1KUTCQ2no62UM95igtJ+Kn56Lc2+J +CqFJztaZeX8CgXXryxNpsyhZJ33dIoLCT03K25wrV5Y+eag05slQ9sC3iQI9BBMB +CAAnBQJX2RCwAhsjBQkFo5qABQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAAoJEM/z +NE2Qh6SQ3JUP/2G3bRNObS7zsfN3rjkbjLxaDOwNggRdbeXM5rHDVEG9SWesCGaI +vyQdkSGQoIaKUgNv7Yp8O8pEnD4IwdhNSaXVIB3pBtdOD0UM1wuxRpfqJOUxZEoW +T2Jr31Tg2qepp6nT7UmdiF7uCBDy8Jm6k6Q+6UT58cPaesRQdSPi6Go7ho2/xVvK +Ve9ufSTSTdG5+7bJDu6Iv7sydKUEG4jPDqo+jjVLn1X6Rfp+E4JAvOvFrSJHW5sa +A332xV40GeV+aM1ndP7dPkz8+AGB3QD7JF2DLcqvLo0TYOvjnlOGYcNp8gzp23g9 +KFwe2sdbdtVpuWaJUSpXXiUZnFzrrVxDNiEBjqsPa5ysOxzJ+1gUbcrIjUeNeAFh +us4XL+IidPATnhTIX3X/uPRB87KaTaA8XUqsuSd2DM9mLxdHKC9Jf8D1t+ywYrek +Cp+K80vCtFPWBM4+w8nGugTNKJEGIXZDGFOF/c7r6xKkaOYK0Y+IGJawlV5LaADl +BmQpPk0ubYclwb07FcegaHSxxIqUo/kbyt1YV5mU+QVymZ+xyvIBrnW8hBuNWRvU +5acnIZibCERayo8ZuI+r/X3bLHfDx0oh2h+cL3utNZUqmgZNR0Di8P+x0hUYsYPO +TJaDBSgvxUtY0Ci+OWX38kffGGvhW3CM8V6skdVc8cp7Db7gxase4BxxtC5HZW9y +Z2UgVGhlc3NhbG9uaWtlZnMgPGdlb3JnZUBvcGVubmV0bGFicy5jb20+iQJUBBMB +CAA+AhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEElI60IyLF0At5NA9dz/M0 +TZCHpJAFAmbz0D0FCRD85cYACgkQz/M0TZCHpJBnFw/8CRLGJnNAP43mBniIP5R1 
+/10i4xG5s1Ka/y5C3aRgZUNaGMPLF8VmrC26HTPNhmduhn3j9gnBuSHgRAJUWs2K +o1q0A2/O5fFJvqPyEUl30gG8qkzFl5UGRUr7VNtBa6VpI7g78d3P4/H8THB0tYZ3 +GZv980QXwTE11aXjvPQu4e8sMOR1OVEEH+6hW1T0SvEKAMV1BHwuZAmC6HTfx5e7 +iGNWu/dwJsmwzqcAkuTTSqlmzZdIjZWJDL8pfnschkVilC3pEpEk5ExSkt/onOD2 +WCAKJUiPR6gRI2H6fE0PF8iG9isisvNhQ3MrWUIKS+1WOotoG7Bu7ob46viJKQuN +9t7KBqjdftjJHjmVop3mfX0UUEDPjkZXK5R/aUspXi4IGdM+9JijqxveicQegOhM +LcE8039Z0AaXn9IA0kQB05A4a+CEnoPL7qe+fIBJM5hZDrpMe4fAAGxiQzbRpdkZ +CrXmT+CRkhc/BvUJ5yoE1q++9Fw9eyMbPOak6GLckCIPy+Mqi4z+ZXNCtcPs3Qbc +/7AY8qyswRsD2t5bbe4g+fLEt9IsN3UvKFUKnQ88jcn9Zmps69msMDm9jEj/qo+j +QCriLLu8E1ZwhedNVOQN89w4Zww/BUyEnL4hng8Tw+RTV8Jtq5EvAleW5sZsnTzA +zn1ysZUyO/Pu7Br2jnGRAQyJARwEEgECAAYFAlfZFDwACgkQMJGNgnVyQiIHjAf/ +VrPMgIRjRTYi4cxOr5ewaim1hgJZO1oCJoMopwIvpZ2kAUqL/uPMT3wREe5bi79H +jXYcaX+RbrV4ZdzaajDUFCj867KGErxqtRkANJ1eNLcQmVwGNoFeTQbgEOBfKq1t +hRfMqHF3fxCPJp4z4U3kBPUpIQPERjgUdkH8fxZ34Omo1SLO1b0dVqsneezccBVv +Hj7gVoaWw65Ov7vngwNCKH3fjOkcoINTH/nEw4WWh6UV5ZN49GRqa6oWdUJMZbgB +w8z357RLN6YLe7KMh4oGpUIvfH6Vfq6CIb6s9pfgjAvq8O7p9n0/0FG77j84MuGw +fdhq8eSazO/j9LUCBM+8k4kCPQQTAQgAJwUCV9kQiwIbIwUJBaOagAULCQgHAgYV +CAkKCwIEFgIDAQIeAQIXgAAKCRDP8zRNkIekkN9pD/wI8JAyjJEIjUJNLRuARDDv +pJrQjAo/02naPcGs4yyUd7yRkhzVKLFLvif8XICxxLWk6FdT0PJeKGTvRoe2+Rje +c14rO30niRymWkBi36iDW46Dpt7Jx+LUDhUMYPL+woKSoHmbBGWLSYXKxaD8F93A +nVs97nP4PWpspv2BFiuwKGsSsOyyQPPvr7jCin3H5oPH9qDnIV0KonAYbzzEKod5 +t0Rgzo/nWXZBFXWC5xvKeghwkdT++gYS/ThvQY2ua6A1XRE8BntyldD081NPi3NO +dWa9m8ufFOJsEEiWcpdT+EWoDw5JyGAR7U3IOVl3BTo7shdcYEvRVrDMBpac+ItG +WvogUv7alBdHWi48amvZE06RI/nDJ/rxj13S/4POgMHU++aQI5a1G5H3jBu4cehH +4iT1UKmozfzVEfcHb2dsaKnnuFzQxmol0lZu1ETyof+Lxvs+wErN0QR+VDNweJEJ +PMXiEcjASdLtrEKgFSP2B5yGGzt93C+HbD+VQOU359aAnvVjbTAVz8izuMphd6Bz +Ix1q//q2VmxqjjT3Iv30hBRX02x2M8gsP/e49XWEll7stkMtbYhBU0sHQ2CqzLGh +gJN3ecpi2sKWVqN8HUZOwJFj6f9ZX76YSM23wIugHfscMAVJUXvBrbd151WIshOf +FFPo62sYGt+SEMXWeRcHjbQuWW9yZ29zIFRoZXNzYWxvbmlrZWZzIDx5b3Jnb3NA +b3Blbm5ldGxhYnMuY29tPokCVAQTAQgAPgIbIwULCQgHAgYVCAkKCwIEFgIDAQIe 
+AQIXgBYhBJSOtCMixdALeTQPXc/zNE2Qh6SQBQJm89A9BQkQ/OXGAAoJEM/zNE2Q +h6SQOf4QAIp5fEn+vVOqDuLrv8Li61UDVPE3v5b9ocPR7OMENeFpRH7K2p8xFkAM +f6JeS2ehbIjyUS8iGc+mZOalvZynJdOiHtys5r4lZanm1Rl+mWXb+nHGE/Oi4gQ3 +aEF/AwolbKi9oNXAiCtA3hmaI6FYWtAh5XOnyMG140dhlXMWzvN1ZAWXWioS33Fp +n9Z7xOsyG2Bmky69JjUQPD119noD4pEFtCipciiACVNdHGfI8QDT/8pMAxv/Q7tW ++7gyFztT1XvKONWyCfHjf1x60JQNPPM31x3xUVRz/sK+GyLq6VLiydvSZeUX3CzM +4bHixKKkSyvsX+bc9K/iLrXwZFhRdrRbpVQFpsdxv48mN5WsDlpN17KgMCyNiMDV +0VagYjZC5AurOo2mmS7PKAYGILaq3YwQ3nXYiuWfdXVW6EXtw/vdFOjFU6ppbaA3 +1+xyMDOLSGLr7f+gdZvlEc+5MX1F3mHpmuKN7clUju/HEOdVq1Bbla7BplPgqCaH +ZYCg/VHNt7ue7MYeEgTJ8OGgUDRNPa3PdU3YHRCuwJH1UzinD39K8R9/g9qiGJbC +87//1FGZp9lhIE5tja6F5pJ5GwJK9zC0iGj2NrwBvTKhuyF6W3ZQc2voYQn+gIq4 +sfbned7qpvpjLcMgIv/y82iVm2EtKtKYl982aA9S53pHqjV27kieuQINBFfYHeYB +EAC2h9yjSe2SgtcB0H+E0ndaewaZaQCE7q+RO43dotGH9eFnVwE4/ftcK1SN42ih +lF5OnTaKPyXvgQ6U8W8VB8eLjeTwA/dSXuJX7kJpEK8saPqJP6zTUmPqp/GSzS6Y +rhKLfpFn4chmywpDFcGNMz0sYXiJgPqKL7W0KuG+ziPToAeWl8ckeXyl77/lHVhW +YylaQJEASklqCViPXSp9vI7/57UEm4MQPXwsDBOwuVVqcSu3ZM5MtY9XlbVPNCYm +ZIMqmh8HgYwbiq9dTfJi+6v17+uDQGZewWK/WwFM+9dDx7YkTeOBiUduYtJPW64N +W/RJ7pskbLAy+OZApTZWg0cISN6GOmPN3F0AiWzUjvSMREHhFHyxj4Y15vuDOFvP +GFxr4xBiyMX1JLCKK6OFnyPfoJ9v/o3UgrQgLrfXCmKdvkwBCgJvN3Fsxzha6Dtf +6RcZ02fr7SCZZhdBrlrflvC1uWZ0g3A87ss7h4Iw3njlO3aX6Bo9R4VOLUkiRKi4 +hmQBxPvXxI2ERmKRomo6lrMaDMzIjD4APSM1vUfZguzQxVYpM8lwy1COeqxsj5p+ +LH6f/EU+4dXZwooJ1uanBOvG2ntnz8SErE+e7wNYE4a/fb8xYM4j7p6qYtnNZPb8 +sj8bvx8iWXp4A1csVetyVSchBhTVQhhNos6ouYpc4ibrYwARAQABiQI8BBgBCAAm +AhsMFiEElI60IyLF0At5NA9dz/M0TZCHpJAFAmbz0dUFCRD8528ACgkQz/M0TZCH +pJA7hg/7Bh0jb7nrp2EuU4BWK55VG+3zbrye/NdDy6eo3sVVOOO1r+jBMoJK3m1A +GWUx40ogZjRn8GMtJfxkL6wsep2P775smm7x1TH6s2dgreTj9J66gitKEgxF0tjo +JztmGJ8YKSGE4wKi37KvvSqCm1ecA8akBzJVo0B8/GtXpg+y/q3/KSY1ujW7Ihu3 +60JXT1FRXOiYfrzUKIBm8/UVnv7guPudaJf0eU4btoy4Ywzn1UXyi8BdxPIQrQDR +tt69ffcjX8BIEloK7FURLre/LhbVxlssdWYIEFQhIlb+nghZlUbWHf0Ue3L0SFFS +xV5otzQL2WjJKtCnTpSopSUmwYyT7wyAL1RokOemXL47WOfiLjiGuS+K/4lT7VHS 
+fdLsYinS0LYr5dmhc05s//kLyQ0OSKNh3SNAN+lM/klLE/pFwM4mo56C+seNEvCm +sT53VPOOwp6JwsLKSqm8pu1fbVjT6laMc9BPi6KUjN/f7ZahCXNXOrA2uLnTlxw/ +ns1sOXSWZDWciZeL3kJeUQER5YZ59hzLYWAiJ+5KblWRlBMXb71FUp0Mh9V3dA5O +BX3IlcF54qE50chGzLnfQf1YLuh13xxxc2WsdMZjiCj8CVDMkD6ekShfQK8nyQsK +SJgdXcnw1CxcAVvsROtecUiD+DWrJcYExjSZ+zcI4+aRhp7uNt8= +=iknu +-----END PGP PUBLIC KEY BLOCK----- diff --git a/sources b/sources index 01a2cff..efb1f71 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (unbound-1.21.0.tar.gz) = 481534271f443d72635025c79b83bb71bb77b96ae81ec74c7f82f1e958160f5d75489931bdbdf460a72c871268d33628be990d6acf3c5303f04f7ff347ad83c1 -SHA512 (unbound-1.21.0.tar.gz.asc) = 931181070e5ca6c9d6525bbaee5f2b556f36658c879dd63084d8059c83a122bee379720d80952420a116a9837c3ba1793917a2372167464e7a6b2e0520c69230 +SHA512 (unbound-1.21.1.tar.gz) = 82be3faf5e4f9531342008105f5ab2ecc22a56faab1ef5c86420d85ef48443e5dac3455dbc654178a927e34ca4067c7655443f91a250b87945a63e9ba5f74ba7 +SHA512 (unbound-1.21.1.tar.gz.asc) = 5bb3961c210aefb20f91eb96f7d3980324e30cb2307c6c1187f016cacafcade7adcd95855faedfebc2c91464fd6c095511322364357c5b72525fc8e61c0ad248 diff --git a/unbound.spec b/unbound.spec index 78ef319..73c8ecb 100644 --- a/unbound.spec +++ b/unbound.spec @@ -32,7 +32,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.21.0 +Version: 1.21.1 Release: %autorelease %{?extra_version:-e %{extra_version}} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ @@ -58,6 +58,7 @@ Source18: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key Source20: unbound.sysusers Source21: remote-control.conf +Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc # Downstream configuration changes Patch1: unbound-fedora-config.patch 
@@ -193,7 +194,7 @@ Python 3 modules and extensions for unbound %prep %if 0%{?fedora} -%{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}' +%{gpgverify} --keyring='%{SOURCE22}' --signature='%{SOURCE18}' --data='%{SOURCE0}' %endif %global pkgname %{name}-%{version}%{?extra_version} From 421386aa5e127d140e07131b1cf465b1a213a1a5 Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Mon, 7 Oct 2024 16:40:08 -0400 Subject: [PATCH 094/139] - enable hiredis (using valkey) by default --- unbound.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index 73c8ecb..150186b 100644 --- a/unbound.spec +++ b/unbound.spec @@ -4,7 +4,7 @@ %bcond_without dnstap %bcond_with systemd %bcond_without doh -%bcond_with redis +%bcond_without redis %global forgeurl0 https://github.com/NLnetLabs/unbound %global downloads https://nlnetlabs.nl/downloads From 3c9495eea1b75cab157c564d84c9ba7af929c688 Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Thu, 17 Oct 2024 11:34:06 -0400 Subject: [PATCH 095/139] Update to 1.22.0 (rbhz#2319347) cleanup the unbound.conf diff file against updated upstream defaults. DNS over QUIC cannot be enabled yet because Fedora does not have libngtcp2 --- .gitignore | 2 + sources | 4 +- unbound-fedora-config.patch | 126 ++++++++++++++++-------------------- unbound.spec | 4 +- 4 files changed, 60 insertions(+), 76 deletions(-) diff --git a/.gitignore b/.gitignore index 149c0ab..31c5a81 100644 --- a/.gitignore +++ b/.gitignore @@ -93,3 +93,5 @@ unbound-1.4.5.tar.gz /unbound-1.21.0.tar.gz.asc /unbound-1.21.1.tar.gz /unbound-1.21.1.tar.gz.asc +/unbound-1.22.0.tar.gz +/unbound-1.22.0.tar.gz.asc diff --git a/sources b/sources index efb1f71..87f2b6b 100644 --- a/sources +++ b/sources 
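Review bot: After this change `%{gpgverify}` accepts only the key in Source22, so Source19 (the wouter.nlnetlabs.nl.key file) is dead weight in the spec and a tarball signed by that key again would fail %prep; either drop Source19 or ship one keyring holding both armored blocks (gpgverify imports the file with gpg, so a concatenated file should work — verify). The new key is pinned only by the committed Yorgos.asc, and its Source22 URL is on the same host as the tarball, so record the fingerprint next to the Source line for out-of-band checking the way Source19's line records a key ID: decoding the issuer-fingerprint subpacket of the self-signature in the committed key block gives `948E B423 22C5 D00B 7934 0F5D CFF3 344D 9087 A490`, to be confirmed with `gpg --show-keys Yorgos.asc` before it is written down. The verification also remains gated on `%if 0%{?fedora}`, so RHEL builds still accept the tarball on the checksum in `sources` alone.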
@@ -1,2 +1,2 @@ -SHA512 (unbound-1.21.1.tar.gz) = 82be3faf5e4f9531342008105f5ab2ecc22a56faab1ef5c86420d85ef48443e5dac3455dbc654178a927e34ca4067c7655443f91a250b87945a63e9ba5f74ba7 -SHA512 (unbound-1.21.1.tar.gz.asc) = 5bb3961c210aefb20f91eb96f7d3980324e30cb2307c6c1187f016cacafcade7adcd95855faedfebc2c91464fd6c095511322364357c5b72525fc8e61c0ad248 +SHA512 (unbound-1.22.0.tar.gz) = 6c873e19902ce6cd59cec7084d5dba1a5bd5fe4437c827ae69bdf9273bcd8d2d1ec0dc183076f8d2e1fd38730bf8c10852d678399f0b2ea8ccf7e39119568978 +SHA512 (unbound-1.22.0.tar.gz.asc) = afbf5a125f104a25576b1c416b32f68d715b41a025fc3a61e6ee3bc28f9988b4277c7f0dd188c51cbe5641f51ade20f740ea131d1a7b5db38e2d1462a9edbb69 diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch index b4803b6..c039cf4 100644 --- a/unbound-fedora-config.patch +++ b/unbound-fedora-config.patch @@ -1,20 +1,7 @@ -From 71cbef33920b3b5704be7eab399da506ab51cde1 Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Fri, 10 Nov 2023 12:58:31 +0100 -Subject: [PATCH] Customize unbound.conf for Fedora defaults - -Set some Fedora/RHEL specific changes to example configuration file. By -patching upstream provided config file we would not need to manually -update external copy in source RPM. ---- - doc/example.conf.in | 196 ++++++++++++++++++++++++++++---------------- - 1 file changed, 126 insertions(+), 70 deletions(-) - -diff --git a/doc/example.conf.in b/doc/example.conf.in -index 130cb4e..7174d81 100644 ---- a/doc/example.conf.in -+++ b/doc/example.conf.in -@@ -17,11 +17,12 @@ server: +diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.conf.in +--- unbound-1.22.0-orig/doc/example.conf.in 2024-10-17 03:23:22.000000000 -0400 ++++ unbound-1.22.0/doc/example.conf.in 2024-10-17 11:06:58.882896891 -0400 +@@ -17,11 +17,12 @@ # whitespace is not necessary, but looks cleaner. # verbosity number, 0 is least verbose. 1 is default. 
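Review bot: The regenerated unbound-fedora-config.patch drops the git header that carried its author, date and rationale (`Subject: [PATCH] Customize unbound.conf for Fedora defaults` and the two-paragraph description) in favor of a bare `diff -Naur` with local timestamps, leaving the spec's one-line `# Downstream configuration changes` as the only remaining statement of why Fedora deviates from the upstream example config. patch(1) ignores text before the first `diff`/`---` line, so the description costs nothing to keep: either regenerate with `git format-patch` as before, or put a short prose header above the `diff -Naur` line stating the intent and that the spec applies it with `-p1`. The `-p1` depth still matches the new `unbound-1.22.0-orig/` and `unbound-1.22.0/` prefixes, so application itself is unaffected.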
@@ -29,7 +16,7 @@ index 130cb4e..7174d81 100644 # enable shm for stats, default no. if you enable also enable # statistics-interval, every time it also writes stats to the -@@ -32,11 +33,13 @@ server: +@@ -32,11 +33,13 @@ # shm-key: 11777 # enable cumulative statistics, without clearing them after printing. @@ -46,7 +33,7 @@ index 130cb4e..7174d81 100644 # Inhibits selected extended statistics (qtype, qclass, qopcode, rcode, # rpz-actions) from printing if their value is 0. -@@ -44,22 +47,35 @@ server: +@@ -44,22 +47,35 @@ # statistics-inhibit-zero: yes # number of threads to create. 1 disables threading. @@ -84,7 +71,7 @@ index 130cb4e..7174d81 100644 # instead of the default port, open additional ports separated by # spaces when interface-automatic is enabled, by listing them here. -@@ -94,7 +110,8 @@ server: +@@ -94,7 +110,8 @@ # permit Unbound to use this port number or port range for # making outgoing queries, using an outgoing interface. @@ -94,7 +81,7 @@ index 130cb4e..7174d81 100644 # deny Unbound the use this of port number or port range for # making outgoing queries, using an outgoing interface. -@@ -103,7 +120,9 @@ server: +@@ -103,7 +120,9 @@ # IANA-assigned port numbers. # If multiple outgoing-port-permit and outgoing-port-avoid options # are present, they are processed in order. @@ -105,7 +92,7 @@ index 130cb4e..7174d81 100644 # number of outgoing simultaneous tcp buffers to hold per thread. # outgoing-num-tcp: 10 -@@ -121,12 +140,12 @@ server: +@@ -121,12 +140,12 @@ # use SO_REUSEPORT to distribute queries over threads. # at extreme load it could be better to turn it off to distribute even. @@ -120,7 +107,7 @@ index 130cb4e..7174d81 100644 # use IP_FREEBIND so the interface: addresses can be non-local # and you can bind to nonexisting IPs and interfaces that are down. -@@ -276,6 +295,8 @@ server: +@@ -285,6 +304,8 @@ # nat64-prefix: 64:ff9b::0/96 # Enable UDP, "yes" or "no". 
@@ -129,7 +116,7 @@ index 130cb4e..7174d81 100644 # do-udp: yes # Enable TCP, "yes" or "no". -@@ -301,7 +322,7 @@ server: +@@ -310,7 +331,7 @@ # tcp-idle-timeout: 30000 # Enable EDNS TCP keepalive option. @@ -138,7 +125,7 @@ index 130cb4e..7174d81 100644 # Timeout for EDNS TCP keepalive, in msec. Overrides tcp-idle-timeout # if edns-tcp-keepalive is set. -@@ -311,6 +332,9 @@ server: +@@ -320,6 +341,9 @@ # can be dropped. Default is 0, disabled. In seconds, such as 3. # sock-queue-timeout: 0 @@ -148,7 +135,7 @@ index 130cb4e..7174d81 100644 # Use systemd socket activation for UDP, TCP, and control sockets. # use-systemd: no -@@ -424,6 +448,7 @@ server: +@@ -433,6 +457,7 @@ # # If you give "" no chroot is performed. The path must not end in a /. # chroot: "@UNBOUND_CHROOT_DIR@" @@ -156,7 +143,7 @@ index 130cb4e..7174d81 100644 # if given, user privileges are dropped (after binding port), # and the given username is assumed. Default is user "unbound". -@@ -435,7 +460,7 @@ server: +@@ -444,7 +469,7 @@ # is not changed. # If you give a server: directory: dir before include: file statements # then those includes can be relative to the working directory. 
@@ -165,34 +152,32 @@ index 130cb4e..7174d81 100644 # the log file, "" means log to stderr. # Use of this option sets use-syslog to "no". -@@ -450,7 +475,7 @@ server: +@@ -459,7 +484,7 @@ # log-identity: "" # print UTC timestamp in ascii to logfile, default is epoch in seconds. - # log-time-ascii: no + log-time-ascii: yes - # print one line with time, IP, name, type, class for every query. - # log-queries: no -@@ -522,22 +547,22 @@ server: - # harden-large-queries: no + # log timestamp in ISO8601 format if also log-time-ascii is enabled. + # (y-m-dTh:m:s.msec[+-]tzhours:tzminutes) +@@ -532,13 +557,13 @@ + # harden-short-bufsize: yes + + # Harden against unseemly large queries. +- # harden-large-queries: no ++ harden-large-queries: yes # Harden against out of zone rrsets, to avoid spoofing attempts. -- # harden-glue: yes -+ harden-glue: yes + # harden-glue: yes + + # Harden against unverified (outside-zone, including sibling zone) glue rrsets +- # harden-unverified-glue: no ++ harden-unverified-glue: yes # Harden against receiving dnssec-stripped data. If you turn it # off, failing to validate dnskey data for a trustanchor will - # trigger insecure mode for that zone (like without a trustanchor). - # Default on, which insists on dnssec data for trust-anchored zones. -- # harden-dnssec-stripped: yes -+ harden-dnssec-stripped: yes - - # Harden against queries that fall under dnssec-signed nxdomain names. -- # harden-below-nxdomain: yes -+ harden-below-nxdomain: yes - - # Harden the referral path by performing additional queries for +@@ -553,7 +578,7 @@ # infrastructure data. Validates the replies (if possible). # Default off, because the lookups burden the server. Experimental # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. 
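Review bot: The new side flips `harden-unverified-glue` from the upstream default (`# harden-unverified-glue: no` on the removed line) to `harden-unverified-glue: yes`, and `harden-large-queries` from `no` to `yes`, without the `# Fedora defaults to yes.` comment this patch file already carries for `ede` and `ede-serve-expired`, and the commit message ("cleanup the unbound.conf diff file") does not mention either change. Both are tightening changes that can alter resolution for domains relying on sibling-zone glue or on unusually large queries, so a line above each, e.g. `# Fedora defaults to yes (stricter than upstream).`, tells an administrator reading /etc/unbound/unbound.conf that this is a deliberate distro choice rather than the upstream default. The dropped explicit `harden-glue`, `harden-dnssec-stripped` and `harden-below-nxdomain` lines look harmless, since the commented upstream defaults shown for them are already `yes`.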
@@ -201,7 +186,7 @@ index 130cb4e..7174d81 100644 # Harden against algorithm downgrade when multiple algorithms are # advertised in the DS record. If no, allows the weakest algorithm -@@ -551,7 +576,7 @@ server: +@@ -567,7 +592,7 @@ # Sent minimum amount of information to upstream servers to enhance # privacy. Only sent minimum required labels of the QNAME and set QTYPE # to A when possible. @@ -210,7 +195,7 @@ index 130cb4e..7174d81 100644 # QNAME minimisation in strict mode. Do not fall-back to sending full # QNAME to potentially broken nameservers. A lot of domains will not be -@@ -561,7 +586,7 @@ server: +@@ -577,7 +602,7 @@ # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN # and other denials, using information from previous NXDOMAINs answers. @@ -219,7 +204,7 @@ index 130cb4e..7174d81 100644 # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. -@@ -594,7 +619,7 @@ server: +@@ -610,7 +635,7 @@ # threshold, a warning is printed and a defensive action is taken, # the cache is cleared to flush potential poison out of it. # A suggested value is 10000000, the default is 0 (turned off). @@ -228,7 +213,7 @@ index 130cb4e..7174d81 100644 # Do not query the following addresses. No DNS queries are sent there. # List one address per entry. List classless netblocks with /size, -@@ -606,20 +631,20 @@ server: +@@ -622,20 +647,20 @@ # do-not-query-localhost: yes # if yes, perform prefetching of almost expired message cache entries. @@ -254,7 +239,7 @@ index 130cb4e..7174d81 100644 # true to disable DNSSEC lameness check in iterator. # disable-dnssec-lame-check: no -@@ -629,7 +654,9 @@ server: +@@ -645,7 +670,9 @@ # most modules have to be listed at the beginning of the line, # except cachedb(just before iterator), and python (at the beginning, # or, just before the iterator). 
@@ -265,7 +250,7 @@ index 130cb4e..7174d81 100644 # File with trusted keys, kept uptodate using RFC5011 probes, # initial file like trust-anchor-file, then it stores metadata. -@@ -643,10 +670,10 @@ server: +@@ -659,10 +686,10 @@ # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" # trust anchor signaling sends a RFC8145 key tag query after priming. @@ -278,7 +263,7 @@ index 130cb4e..7174d81 100644 # File with trusted keys for validation. Specify more than one file # with several entries, one file per entry. -@@ -667,6 +694,9 @@ server: +@@ -683,6 +710,9 @@ # the trusted-keys { name flag proto algo "key"; }; clauses are read. # you need external update procedures to track changes in keys. # trusted-keys-file: "" @@ -288,7 +273,7 @@ index 130cb4e..7174d81 100644 # Ignore chain of trust. Domain is treated as insecure. # domain-insecure: "example.com" -@@ -694,14 +724,15 @@ server: +@@ -710,14 +740,15 @@ # unsecure data. Useful to shield the users of this validator from # potential bogus data in the additional section. All unsigned data # in the additional section is removed from secure messages. @@ -306,7 +291,7 @@ index 130cb4e..7174d81 100644 # Ignore the CD flag in incoming queries and refuse them bogus data. # Enable it if the only clients of Unbound are legacy servers (w2008) -@@ -715,11 +746,11 @@ server: +@@ -731,11 +762,11 @@ # Serve expired responses from cache, with serve-expired-reply-ttl in # the response, and then attempt to fetch the data afresh. @@ -320,7 +305,7 @@ index 130cb4e..7174d81 100644 # # Set the TTL of expired records to the serve-expired-ttl value after a # failed attempt to retrieve the record from upstream. This makes sure -@@ -746,7 +777,7 @@ server: +@@ -762,7 +793,7 @@ # Have the validator log failed validations for your diagnosis. # 0: off. 1: A line per failed user query. 2: With reason and bad IP. 
@@ -329,7 +314,7 @@ index 130cb4e..7174d81 100644 # It is possible to configure NSEC3 maximum iteration counts per # keysize. Keep this table very short, as linear search is done. -@@ -890,6 +921,8 @@ server: +@@ -906,6 +937,8 @@ # you need to do the reverse notation yourself. # local-data-ptr: "192.0.2.3 www.example.com" @@ -338,7 +323,7 @@ index 130cb4e..7174d81 100644 # tag a localzone with a list of tag names (in "" with spaces between) # local-zone-tag: "example.com" "tag2 tag3" -@@ -900,8 +933,8 @@ server: +@@ -916,8 +949,8 @@ # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. # Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. @@ -348,8 +333,8 @@ index 130cb4e..7174d81 100644 + # tls-service-pem: "/etc/unbound/unbound_server.pem" # tls-port: 853 # https-port: 443 - -@@ -909,6 +942,8 @@ server: + # quic-port: 853 +@@ -926,6 +959,8 @@ # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" # cipher setting for TLSv1.3 # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" @@ -358,7 +343,7 @@ index 130cb4e..7174d81 100644 # Pad responses to padded queries received over TLS # pad-responses: yes -@@ -1050,12 +1085,14 @@ server: +@@ -1070,12 +1105,14 @@ # cookie-secret-file: "/usr/local/etc/unbound_cookiesecrets.txt" # Enable to attach Extended DNS Error codes (RFC8914) to responses. 
@@ -375,7 +360,7 @@ index 130cb4e..7174d81 100644 # Specific options for ipsecmod. Unbound needs to be configured with # --enable-ipsecmod for these to take effect. -@@ -1063,12 +1100,14 @@ server: +@@ -1083,12 +1120,14 @@ # Enable or disable ipsecmod (it still needs to be defined in # module-config above). Can be used when ipsecmod needs to be # enabled/disabled via remote-control(below). @@ -393,7 +378,7 @@ index 130cb4e..7174d81 100644 # When enabled Unbound will reply with SERVFAIL if the return value of # the ipsecmod-hook is not 0. # ipsecmod-strict: no -@@ -1101,7 +1140,7 @@ server: +@@ -1121,7 +1160,7 @@ # o and give a python-script to run. python: # Script file to load @@ -402,7 +387,7 @@ index 130cb4e..7174d81 100644 # Dynamic library config section. To enable: # o use --with-dynlibmodule to configure before compiling. -@@ -1112,13 +1151,14 @@ python: +@@ -1132,13 +1171,14 @@ # the module-config then you need one dynlib-file per instance. dynlib: # Script file to load @@ -419,7 +404,7 @@ index 130cb4e..7174d81 100644 # what interfaces are listened to for remote control. # give 0.0.0.0 and ::0 to listen to all interfaces. -@@ -1126,6 +1166,7 @@ remote-control: +@@ -1146,6 +1186,7 @@ # are not used for that, so key and cert files need not be present. # control-interface: 127.0.0.1 # control-interface: ::1 @@ -427,7 +412,7 @@ index 130cb4e..7174d81 100644 # port number for remote control operations. # control-port: 8953 -@@ -1135,16 +1176,19 @@ remote-control: +@@ -1155,16 +1196,19 @@ # control-use-cert: "yes" # Unbound server key file. @@ -451,7 +436,7 @@ index 130cb4e..7174d81 100644 # Stub zones. # Create entries like below, to make all queries for 'example.com' and -@@ -1166,6 +1210,10 @@ remote-control: +@@ -1186,6 +1230,10 @@ # name: "example.org" # stub-host: ns.example.com. 
@@ -462,7 +447,7 @@ index 130cb4e..7174d81 100644 # Forward zones # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of servers. These servers have to handle -@@ -1183,6 +1231,10 @@ remote-control: +@@ -1203,6 +1251,10 @@ # forward-zone: # name: "example.org" # forward-host: fwd.example.com @@ -473,7 +458,7 @@ index 130cb4e..7174d81 100644 # Authority zones # The data for these zones is kept locally, from a file or downloaded. -@@ -1193,27 +1245,28 @@ remote-control: +@@ -1213,27 +1265,28 @@ # download it), primary: fetches with AXFR and IXFR, or url to zonefile. # With allow-notify: you can give additional (apart from primaries and urls) # sources of notifies. @@ -523,7 +508,7 @@ index 130cb4e..7174d81 100644 # auth-zone: # name: "example.org" # for-downstream: yes -@@ -1239,6 +1292,9 @@ remote-control: +@@ -1259,6 +1312,9 @@ # name: "anotherview" # local-zone: "example.com" refuse @@ -533,7 +518,7 @@ index 130cb4e..7174d81 100644 # DNSCrypt # To enable, use --enable-dnscrypt to configure before compiling. # Caveats: -@@ -1314,7 +1370,7 @@ remote-control: +@@ -1338,7 +1394,7 @@ # dnstap-enable: no # # if set to yes frame streams will be used in bidirectional mode # dnstap-bidirectional: yes @@ -542,6 +527,3 @@ index 130cb4e..7174d81 100644 # # if "" use the unix socket in dnstap-socket-path, otherwise, # # set it to "IPaddress[@port]" of the destination. # dnstap-ip: "" --- -2.46.0 - diff --git a/unbound.spec b/unbound.spec index 150186b..1fd43f9 100644 --- a/unbound.spec +++ b/unbound.spec @@ -32,7 +32,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.21.1 +Version: 1.22.0 Release: %autorelease %{?extra_version:-e %{extra_version}} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ 
@@ -194,7 +194,7 @@ Python 3 modules and extensions for unbound
 %prep
 %if 0%{?fedora}
-%{gpgverify} --keyring='%{SOURCE22}' --signature='%{SOURCE18}' --data='%{SOURCE0}'
+%{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}'
 %endif
 %global pkgname %{name}-%{version}%{?extra_version}
From 97cf366613562564939994830bde76aa4bf82a0c Mon Sep 17 00:00:00 2001
From: Yaakov Selkowitz
Date: Mon, 4 Nov 2024 20:42:08 -0500
Subject: [PATCH 096/139] Disable redis in RHEL builds hiredis is not included in RHEL.
---
 unbound.spec | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/unbound.spec b/unbound.spec
index 1fd43f9..a0718c3 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -4,7 +4,11 @@
 %bcond_without dnstap
 %bcond_with systemd
 %bcond_without doh
+%if 0%{?rhel} && ! 0%{?epel}
+%bcond_with redis
+%else
 %bcond_without redis
+%endif
 %global forgeurl0 https://github.com/NLnetLabs/unbound
 %global downloads https://nlnetlabs.nl/downloads
From 1b2c93fae61771c2191ab4a5f5a1f1c59dc4dca1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Tue, 22 Oct 2024 14:59:19 +0200
Subject: [PATCH 097/139] Make separate configuration Ship new config snippets in data directory. They should be symlinked from /etc/unbound/conf.d directory if they should be used as they are. Copy and modification if they should be used as a template.
---
 unbound-as112-networks.conf | 118 ++++++++++++++++++++++++++++++++++++
 unbound-local-root.conf | 30 +++++++++
 unbound.spec | 7 +++
 3 files changed, 155 insertions(+)
 create mode 100644 unbound-as112-networks.conf
 create mode 100644 unbound-local-root.conf
diff --git a/unbound-as112-networks.conf b/unbound-as112-networks.conf
new file mode 100644
index 0000000..96c291f
--- /dev/null
+++ b/unbound-as112-networks.conf
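Review bot: The `%{gpgverify}` line now trusts `%{SOURCE19}` instead of `%{SOURCE22}` for the upstream tarball signature, but neither the hunk nor a nearby comment records why the trusted signing key changed. From the Source lines visible further down this page, SOURCE22 is `https://nlnetlabs.nl/downloads/keys/Yorgos.asc` and SOURCE19 is a keys.openpgp.org lookup for `0x9F6F1C2D7E045F8D`, so this swaps the trust anchor used to accept the release, which is a supply-chain decision rather than a cosmetic edit. A comment above the call such as `# key used to sign the current upstream release; see SOURCE19` plus the rationale in the commit message would let a later reviewer check that the key matches upstream's published signing key; the reason for the swap is inferred here and should be confirmed against the upstream release notes.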
@@ -0,0 +1,118 @@
+# Allow forwarding of private ranges, which are marked forwardable by IANA
+# https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
+# https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
+# https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml
+# RFC 6303: Locally Served DNS Zones (https://www.rfc-editor.org/rfc/rfc6303.html)
+#
+# Using this configuration file will simplify forwarding to potentially private ranges.
+# Enables forwarding of networks marked as forwardable at IANA special registry.
+# This is useful when upstream forwarder may be still inside private network. That is the case
+# when unbound works as a localhost DNS cache, not network wide resolver.
+
+server:
+ # RFC 8375: Special-Use Domain 'home.arpa.'
+ local-zone: "home.arpa." nodefault
+
+ # RFC 1918: Address Allocation for Private Internets
+ local-zone: "10.in-addr.arpa." nodefault
+ local-zone: "16.172.in-addr.arpa." nodefault
+ local-zone: "17.172.in-addr.arpa." nodefault
+ local-zone: "18.172.in-addr.arpa." nodefault
+ local-zone: "19.172.in-addr.arpa." nodefault
+ local-zone: "20.172.in-addr.arpa." nodefault
+ local-zone: "21.172.in-addr.arpa." nodefault
+ local-zone: "22.172.in-addr.arpa." nodefault
+ local-zone: "23.172.in-addr.arpa." nodefault
+ local-zone: "24.172.in-addr.arpa." nodefault
+ local-zone: "25.172.in-addr.arpa." nodefault
+ local-zone: "26.172.in-addr.arpa." nodefault
+ local-zone: "27.172.in-addr.arpa." nodefault
+ local-zone: "28.172.in-addr.arpa." nodefault
+ local-zone: "29.172.in-addr.arpa." nodefault
+ local-zone: "30.172.in-addr.arpa." nodefault
+ local-zone: "31.172.in-addr.arpa." nodefault
+ local-zone: "168.192.in-addr.arpa." nodefault
+ # RFC 6598: IANA-Reserved IPv4 Prefix for Shared Address Space
+ local-zone: "64.100.in-addr.arpa." nodefault
+ local-zone: "65.100.in-addr.arpa." nodefault
+ local-zone: "66.100.in-addr.arpa." nodefault
+ local-zone: "67.100.in-addr.arpa." nodefault
+ local-zone: "68.100.in-addr.arpa." nodefault
+ local-zone: "69.100.in-addr.arpa." nodefault
+ local-zone: "70.100.in-addr.arpa." nodefault
+ local-zone: "71.100.in-addr.arpa." nodefault
+ local-zone: "72.100.in-addr.arpa." nodefault
+ local-zone: "73.100.in-addr.arpa." nodefault
+ local-zone: "74.100.in-addr.arpa." nodefault
+ local-zone: "75.100.in-addr.arpa." nodefault
+ local-zone: "76.100.in-addr.arpa." nodefault
+ local-zone: "77.100.in-addr.arpa." nodefault
+ local-zone: "78.100.in-addr.arpa." nodefault
+ local-zone: "79.100.in-addr.arpa." nodefault
+ local-zone: "80.100.in-addr.arpa." nodefault
+ local-zone: "81.100.in-addr.arpa." nodefault
+ local-zone: "82.100.in-addr.arpa." nodefault
+ local-zone: "83.100.in-addr.arpa." nodefault
+ local-zone: "84.100.in-addr.arpa." nodefault
+ local-zone: "85.100.in-addr.arpa." nodefault
+ local-zone: "86.100.in-addr.arpa." nodefault
+ local-zone: "87.100.in-addr.arpa." nodefault
+ local-zone: "88.100.in-addr.arpa." nodefault
+ local-zone: "89.100.in-addr.arpa." nodefault
+ local-zone: "90.100.in-addr.arpa." nodefault
+ local-zone: "91.100.in-addr.arpa." nodefault
+ local-zone: "92.100.in-addr.arpa." nodefault
+ local-zone: "93.100.in-addr.arpa." nodefault
+ local-zone: "94.100.in-addr.arpa." nodefault
+ local-zone: "95.100.in-addr.arpa." nodefault
+ local-zone: "96.100.in-addr.arpa." nodefault
+ local-zone: "97.100.in-addr.arpa." nodefault
+ local-zone: "98.100.in-addr.arpa." nodefault
+ local-zone: "99.100.in-addr.arpa." nodefault
+ local-zone: "100.100.in-addr.arpa." nodefault
+ local-zone: "101.100.in-addr.arpa." nodefault
+ local-zone: "102.100.in-addr.arpa." nodefault
+ local-zone: "103.100.in-addr.arpa." nodefault
+ local-zone: "104.100.in-addr.arpa." nodefault
+ local-zone: "105.100.in-addr.arpa." nodefault
+ local-zone: "106.100.in-addr.arpa." nodefault
+ local-zone: "107.100.in-addr.arpa." nodefault
+ local-zone: "108.100.in-addr.arpa." nodefault
+ local-zone: "109.100.in-addr.arpa." nodefault
+ local-zone: "110.100.in-addr.arpa." nodefault
+ local-zone: "111.100.in-addr.arpa." nodefault
+ local-zone: "112.100.in-addr.arpa." nodefault
+ local-zone: "113.100.in-addr.arpa." nodefault
+ local-zone: "114.100.in-addr.arpa." nodefault
+ local-zone: "115.100.in-addr.arpa." nodefault
+ local-zone: "116.100.in-addr.arpa." nodefault
+ local-zone: "117.100.in-addr.arpa." nodefault
+ local-zone: "118.100.in-addr.arpa." nodefault
+ local-zone: "119.100.in-addr.arpa." nodefault
+ local-zone: "120.100.in-addr.arpa." nodefault
+ local-zone: "121.100.in-addr.arpa." nodefault
+ local-zone: "122.100.in-addr.arpa." nodefault
+ local-zone: "123.100.in-addr.arpa." nodefault
+ local-zone: "124.100.in-addr.arpa." nodefault
+ local-zone: "125.100.in-addr.arpa." nodefault
+ local-zone: "126.100.in-addr.arpa." nodefault
+ local-zone: "127.100.in-addr.arpa." nodefault
+
+ # RFC 4193: Unique Local IPv6 Unicast Addresses
+ local-zone: "d.f.ip6.arpa." nodefault
+
+ # RFC 2606: Reserved Top Level DNS Names
+ local-zone: "test." nodefault
+ domain-insecure: "test"
+ domain-insecure: "example"
+
+ # RFC 6762: Multicast DNS, Appendix G
+ domain-insecure: "local"
+ domain-insecure: "intranet"
+ domain-insecure: "private"
+ domain-insecure: "corp"
+ domain-insecure: "home"
+ domain-insecure: "lan"
+
+ # draft-davies-internal-tld
+ domain-insecure: "internal"
diff --git a/unbound-local-root.conf b/unbound-local-root.conf
new file mode 100644
index 0000000..4ba5e9d
--- /dev/null
+++ b/unbound-local-root.conf
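Review bot: The header says this file "Enables forwarding of networks marked as forwardable", but the hunk configures no forwarder at all; it only lifts Unbound's built-in blocking of these names (`local-zone: ... nodefault`) and switches off DNSSEC validation for the listed names (`domain-insecure:`), so queries for them go to whatever upstream or forward-zone is configured elsewhere and the answers are accepted as received, unvalidated. That trade-off is the security-relevant part of the file and should be stated where an admin symlinking it will read it, e.g. `# This file does not set up a forwarder; it removes the built-in local-zone blocks and marks these names insecure, so answers for them from the configured upstream are trusted without DNSSEC validation.` For the same reason the `domain-insecure: "home"` / `"corp"` / `"internal"` lines deserve a one-line reminder that they cover real-looking names that a hostile upstream could answer for.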
@@ -0,0 +1,30 @@
+# Authority zones
+# The data for these zones is kept locally, from a file or downloaded.
+# The data can be served to downstream clients, or used instead of the
+# upstream (which saves a lookup to the upstream).
+#
+# Download local root copy and answer TLD queries from it. Because
+# auth-zone has higher precedence, defined forward-zones to internal
+# only TLD will not work. Use stub-zone or disable this zone.
+# Good for a network-wide resolvers, worse for a localhost caching forwarder.
+auth-zone:
+ name: "."
+ primary: 170.247.170.2 # b.root-servers.net
+ primary: 192.33.4.12 # c.root-servers.net
+ primary: 199.7.91.13 # d.root-servers.net
+ primary: 192.5.5.241 # f.root-servers.net
+ primary: 192.112.36.4 # g.root-servers.net
+ primary: 193.0.14.129 # k.root-servers.net
+ primary: 192.0.47.132 # xfr.cjr.dns.icann.org
+ primary: 192.0.32.132 # xfr.lax.dns.icann.org
+ primary: 2801:1b8:10::b # b.root-servers.net
+ primary: 2001:500:2::c # c.root-servers.net
+ primary: 2001:500:2d::d # d.root-servers.net
+ primary: 2001:500:2f::f # f.root-servers.net
+ primary: 2001:500:12::d0d # g.root-servers.net
+ primary: 2001:7fd::1 # k.root-servers.net
+ primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
+ primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org
+ fallback-enabled: yes
+ for-downstream: no
+ for-upstream: yes
diff --git a/unbound.spec b/unbound.spec
index a0718c3..4f6df3b 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -63,6 +63,8 @@ Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/
 Source20: unbound.sysusers
 Source21: remote-control.conf
 Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc
+Source23: unbound-as112-networks.conf
+Source24: unbound-local-root.conf
 # Downstream configuration changes
 Patch1: unbound-fedora-config.patch
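Review bot: The sixteen `primary:` addresses are hard-coded with only the host name as an inline comment, and nothing in the file says where they came from or when they were last checked; root-server addresses do change over time, and with `fallback-enabled: yes` a stale primary degrades silently to ordinary recursion instead of failing visibly. A header line such as `# Addresses copied from the published root hints on <date>; re-verify when updating this file.` would give the next maintainer something to check against. The zone transfer itself carries no authentication in this configuration, so the DNSSEC validation of the served data is what protects against a tampered copy; it presumably still applies to `for-upstream: yes` data through the validator module, which is worth confirming against the auth-zone documentation and stating in the header.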
@@ -365,6 +367,10 @@ install -p -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
 install -p -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
 install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/
+mkdir -p %{buildroot}%{_datadir}/%{name}/conf.d
+install -p -m 0644 %{SOURCE23} %{buildroot}%{_datadir}/%{name}/conf.d/
+install -p -m 0644 %{SOURCE24} %{buildroot}%{_datadir}/%{name}/conf.d/
+
 # Link unbound-control-setup.8 manpage to unbound-control.8
 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
@@ -436,6 +442,7 @@ popd
 %{_sbindir}/unbound-checkconf
 %{_sbindir}/unbound-control
 %{_sbindir}/unbound-control-setup
+%{_datadir}/%{name}/
 %{_mandir}/man5/*
 %exclude %{_mandir}/man8/unbound-anchor*
 %{_mandir}/man8/*
From f0da98d7c6c1af7f5fc61c66a7dbec803a694922 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Thu, 14 Nov 2024 20:03:08 +0100
Subject: [PATCH 098/139] Enable SHA1 during tests to pass build with enabled SHA1 (rhbz#2255591) Internal unbound code seems to handle validation correctly. Regardless SHA1 status in openssl, it either makes result as insecure or secure. But tests fail when SHA1 is not available, because they assert expected value. The way how tests are coded, it needs to know what the status would be. OpenSSL does not provide any API to help with that. Requested on: https://issues.redhat.com/browse/RHEL-67619 Use newly discovered OpenSSL workaround to allow just test pass with SHA1 enabled.
---
 openssl-sha1.conf | 8 ++++++++
 unbound.spec | 14 ++++----------
 unbound.sysconfig | 3 +++
 3 files changed, 15 insertions(+), 10 deletions(-)
 create mode 100644 openssl-sha1.conf
diff --git a/openssl-sha1.conf b/openssl-sha1.conf
new file mode 100644
index 0000000..97a3218
--- /dev/null
+++ b/openssl-sha1.conf
@@ -0,0 +1,8 @@
+# OpenSSL configuration file to allow SHA1 validation,
+# regardless of crypto-policy selected.
+# Use it by adding into /etc/sysconfig/unbound:
+# OPENSSL_CONF=/etc/unbound/openssl-sha1.conf
+.include = /etc/ssl/openssl.cnf
+
+[evp_properties]
+rh-allow-sha1-signatures = yes
diff --git a/unbound.spec b/unbound.spec
index 4f6df3b..cb8b8bb 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -65,6 +65,7 @@ Source21: remote-control.conf
 Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc
 Source23: unbound-as112-networks.conf
 Source24: unbound-local-root.conf
+Source25: openssl-sha1.conf
 # Downstream configuration changes
 Patch1: unbound-fedora-config.patch
@@ -265,9 +266,6 @@ autoreconf -fiv
 %if %{with doh}
 --with-libnghttp2 \
 %endif
-%if 0%{?rhel} || 0%{?fedora} > 40
- --disable-sha1 \
-%endif
 %if %{with redis}
 --with-libhiredis \
 --enable-cachedb \
@@ -366,6 +364,7 @@ install -p -m 0644 %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
 install -p -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
 install -p -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
 install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/
+install -p -m 0644 %{SOURCE25} %{buildroot}%{_sysconfdir}/unbound/openssl-sha1.conf
 mkdir -p %{buildroot}%{_datadir}/%{name}/conf.d
 install -p -m 0644 %{SOURCE23} %{buildroot}%{_datadir}/%{name}/conf.d/
@@ -405,17 +404,11 @@ fi
 %systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer
 %check
-#pushd pythonmod
-#make test
-#popd
-
+export OPENSSL_CONF="%{buildroot}%{_sysconfdir}/unbound/openssl-sha1.conf"
 make check
 %if 0%{?python_secondary:1}
 pushd %{dir_secondary}
-#pushd pythonmod
-#make test
-#popd
 make check
 popd
 %endif
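Review bot: `rh-allow-sha1-signatures = yes` under `[evp_properties]` is a process-wide OpenSSL setting, so once OPENSSL_CONF points at this file it presumably re-enables SHA-1 signature acceptance for every OpenSSL signature check in the unbound process, including TLS certificate chains for DoT/DoH upstreams and remote-control, not only the DNSSEC validator that the header comment "allow SHA1 validation" refers to. The header should say so, e.g. `# NOTE: this widens SHA-1 acceptance for all OpenSSL signature checks in the process (TLS included), not only DNSSEC.` The `export OPENSSL_CONF=...` added in the `%check` hunk of unbound.spec below only scopes this to the build's test runs, consistent with the commit message; the runtime opt-in is the separate sysconfig line, and the removal of `--disable-sha1` from the configure flags means the shipped binary now compiles SHA-1 support in regardless of that opt-in, which is a behaviour change worth a sentence in the spec changelog.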
@@ -428,6 +421,7 @@ popd
 %attr(0755,unbound,unbound) %dir %{_rundir}/%{name}
 %attr(0644,root,root) %{_tmpfilesdir}/unbound.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/openssl-sha1.conf
 %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d
 %attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d/*.key
 %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/conf.d
diff --git a/unbound.sysconfig b/unbound.sysconfig
index adcf8fd..9e80f14 100644
--- a/unbound.sysconfig
+++ b/unbound.sysconfig
@@ -5,3 +5,6 @@ UNBOUND_ANCHOR_OPTIONS="-f /etc/resolv.conf -R"
 # for extra debug, add "-v -v" or change verbosity: in unbound.conf
 UNBOUND_OPTIONS=""
+
+# Uncoment to validate SHA1 in any crypto policy
+# OPENSSL_CONF=/etc/unbound/openssl-sha1.conf
From 5591157f6a3a9e718c7b51c198485e31a02bb88e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Fri, 15 Nov 2024 09:24:04 +0100
Subject: [PATCH 099/139] Deactivate automatic root zone fetching (rhbz#2322697) Automatic maintained root zone is great for network resolvers, which are used by multiple machines. Its usage on every common device is not desired however, especially when used as localhost only cache daemon. Make it simple to activate local root zone by creating symlink in directory /etc/unbound/conf.d to /usr/share/unbound/conf.d/unbound-local-root.conf. But have it deactivated in default configuration.
---
 unbound-fedora-config.patch | 146 +++++++++++++++--------------------
 1 file changed, 60 insertions(+), 86 deletions(-)
diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch
index c039cf4..9c39596 100644
--- a/unbound-fedora-config.patch
+++ b/unbound-fedora-config.patch
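Review bot: Typo in the comment added to unbound.sysconfig: `# Uncoment to validate SHA1 in any crypto policy` should read `# Uncomment to validate SHA1 in any crypto policy`. Since this is the line an administrator will act on, it is also the right place to say what is being traded away; the wording "validate SHA1" undersells it, and something like `# Uncomment to accept SHA-1 signatures regardless of the system crypto policy (weakens validation; see /etc/unbound/openssl-sha1.conf)` would make the opt-in informed.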
@@ -1,7 +1,20 @@ -diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.conf.in ---- unbound-1.22.0-orig/doc/example.conf.in 2024-10-17 03:23:22.000000000 -0400 -+++ unbound-1.22.0/doc/example.conf.in 2024-10-17 11:06:58.882896891 -0400 -@@ -17,11 +17,12 @@ +From aa201e383210d02c0396d0a1375d217551c0e2bd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Fri, 15 Nov 2024 08:57:14 +0100 +Subject: [PATCH] Customize unbound.conf for Fedora defaults + +Set some Fedora/RHEL specific changes to example configuration file. By +patching upstream provided config file we would not need to manually +update external copy in source RPM. +--- + doc/example.conf.in | 152 ++++++++++++++++++++++++++++++-------------- + 1 file changed, 104 insertions(+), 48 deletions(-) + +diff --git a/doc/example.conf.in b/doc/example.conf.in +index 59090c6..33c6209 100644 +--- a/doc/example.conf.in ++++ b/doc/example.conf.in +@@ -17,11 +17,12 @@ server: # whitespace is not necessary, but looks cleaner. # verbosity number, 0 is least verbose. 1 is default. @@ -16,7 +29,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # enable shm for stats, default no. if you enable also enable # statistics-interval, every time it also writes stats to the -@@ -32,11 +33,13 @@ +@@ -32,11 +33,13 @@ server: # shm-key: 11777 # enable cumulative statistics, without clearing them after printing. @@ -33,7 +46,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Inhibits selected extended statistics (qtype, qclass, qopcode, rcode, # rpz-actions) from printing if their value is 0. -@@ -44,22 +47,35 @@ +@@ -44,22 +47,35 @@ server: # statistics-inhibit-zero: yes # number of threads to create. 1 disables threading. 
@@ -71,7 +84,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # instead of the default port, open additional ports separated by # spaces when interface-automatic is enabled, by listing them here. -@@ -94,7 +110,8 @@ +@@ -94,7 +110,8 @@ server: # permit Unbound to use this port number or port range for # making outgoing queries, using an outgoing interface. @@ -81,7 +94,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # deny Unbound the use this of port number or port range for # making outgoing queries, using an outgoing interface. -@@ -103,7 +120,9 @@ +@@ -103,7 +120,9 @@ server: # IANA-assigned port numbers. # If multiple outgoing-port-permit and outgoing-port-avoid options # are present, they are processed in order. @@ -92,7 +105,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # number of outgoing simultaneous tcp buffers to hold per thread. # outgoing-num-tcp: 10 -@@ -121,12 +140,12 @@ +@@ -121,12 +140,12 @@ server: # use SO_REUSEPORT to distribute queries over threads. # at extreme load it could be better to turn it off to distribute even. @@ -107,7 +120,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # use IP_FREEBIND so the interface: addresses can be non-local # and you can bind to nonexisting IPs and interfaces that are down. -@@ -285,6 +304,8 @@ +@@ -285,6 +304,8 @@ server: # nat64-prefix: 64:ff9b::0/96 # Enable UDP, "yes" or "no". @@ -116,7 +129,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # do-udp: yes # Enable TCP, "yes" or "no". -@@ -310,7 +331,7 @@ +@@ -310,7 +331,7 @@ server: # tcp-idle-timeout: 30000 # Enable EDNS TCP keepalive option. 
@@ -125,7 +138,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Timeout for EDNS TCP keepalive, in msec. Overrides tcp-idle-timeout # if edns-tcp-keepalive is set. -@@ -320,6 +341,9 @@ +@@ -320,6 +341,9 @@ server: # can be dropped. Default is 0, disabled. In seconds, such as 3. # sock-queue-timeout: 0 @@ -135,7 +148,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Use systemd socket activation for UDP, TCP, and control sockets. # use-systemd: no -@@ -433,6 +457,7 @@ +@@ -433,6 +457,7 @@ server: # # If you give "" no chroot is performed. The path must not end in a /. # chroot: "@UNBOUND_CHROOT_DIR@" @@ -143,7 +156,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # if given, user privileges are dropped (after binding port), # and the given username is assumed. Default is user "unbound". -@@ -444,7 +469,7 @@ +@@ -444,7 +469,7 @@ server: # is not changed. # If you give a server: directory: dir before include: file statements # then those includes can be relative to the working directory. @@ -152,7 +165,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # the log file, "" means log to stderr. # Use of this option sets use-syslog to "no". -@@ -459,7 +484,7 @@ +@@ -459,7 +484,7 @@ server: # log-identity: "" # print UTC timestamp in ascii to logfile, default is epoch in seconds. @@ -161,7 +174,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # log timestamp in ISO8601 format if also log-time-ascii is enabled. # (y-m-dTh:m:s.msec[+-]tzhours:tzminutes) -@@ -532,13 +557,13 @@ +@@ -532,13 +557,13 @@ server: # harden-short-bufsize: yes # Harden against unseemly large queries. 
@@ -177,7 +190,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Harden against receiving dnssec-stripped data. If you turn it # off, failing to validate dnskey data for a trustanchor will -@@ -553,7 +578,7 @@ +@@ -553,7 +578,7 @@ server: # infrastructure data. Validates the replies (if possible). # Default off, because the lookups burden the server. Experimental # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. @@ -186,7 +199,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Harden against algorithm downgrade when multiple algorithms are # advertised in the DS record. If no, allows the weakest algorithm -@@ -567,7 +592,7 @@ +@@ -567,7 +592,7 @@ server: # Sent minimum amount of information to upstream servers to enhance # privacy. Only sent minimum required labels of the QNAME and set QTYPE # to A when possible. @@ -195,7 +208,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # QNAME minimisation in strict mode. Do not fall-back to sending full # QNAME to potentially broken nameservers. A lot of domains will not be -@@ -577,7 +602,7 @@ +@@ -577,7 +602,7 @@ server: # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN # and other denials, using information from previous NXDOMAINs answers. @@ -204,7 +217,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. -@@ -610,7 +635,7 @@ +@@ -610,7 +635,7 @@ server: # threshold, a warning is printed and a defensive action is taken, # the cache is cleared to flush potential poison out of it. # A suggested value is 10000000, the default is 0 (turned off). 
@@ -213,7 +226,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Do not query the following addresses. No DNS queries are sent there. # List one address per entry. List classless netblocks with /size, -@@ -622,20 +647,20 @@ +@@ -622,20 +647,20 @@ server: # do-not-query-localhost: yes # if yes, perform prefetching of almost expired message cache entries. @@ -239,7 +252,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # true to disable DNSSEC lameness check in iterator. # disable-dnssec-lame-check: no -@@ -645,7 +670,9 @@ +@@ -645,7 +670,9 @@ server: # most modules have to be listed at the beginning of the line, # except cachedb(just before iterator), and python (at the beginning, # or, just before the iterator). @@ -250,7 +263,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # File with trusted keys, kept uptodate using RFC5011 probes, # initial file like trust-anchor-file, then it stores metadata. -@@ -659,10 +686,10 @@ +@@ -659,10 +686,10 @@ server: # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" # trust anchor signaling sends a RFC8145 key tag query after priming. @@ -263,7 +276,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # File with trusted keys for validation. Specify more than one file # with several entries, one file per entry. -@@ -683,6 +710,9 @@ +@@ -683,6 +710,9 @@ server: # the trusted-keys { name flag proto algo "key"; }; clauses are read. # you need external update procedures to track changes in keys. # trusted-keys-file: "" 
@@ -273,7 +286,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Ignore chain of trust. Domain is treated as insecure. # domain-insecure: "example.com" -@@ -710,14 +740,15 @@ +@@ -710,14 +740,15 @@ server: # unsecure data. Useful to shield the users of this validator from # potential bogus data in the additional section. All unsigned data # in the additional section is removed from secure messages. @@ -291,7 +304,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Ignore the CD flag in incoming queries and refuse them bogus data. # Enable it if the only clients of Unbound are legacy servers (w2008) -@@ -731,11 +762,11 @@ +@@ -731,11 +762,11 @@ server: # Serve expired responses from cache, with serve-expired-reply-ttl in # the response, and then attempt to fetch the data afresh. @@ -305,7 +318,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # # Set the TTL of expired records to the serve-expired-ttl value after a # failed attempt to retrieve the record from upstream. This makes sure -@@ -762,7 +793,7 @@ +@@ -762,7 +793,7 @@ server: # Have the validator log failed validations for your diagnosis. # 0: off. 1: A line per failed user query. 2: With reason and bad IP. @@ -314,7 +327,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # It is possible to configure NSEC3 maximum iteration counts per # keysize. Keep this table very short, as linear search is done. -@@ -906,6 +937,8 @@ +@@ -906,6 +937,8 @@ server: # you need to do the reverse notation yourself. # local-data-ptr: "192.0.2.3 www.example.com" 
@@ -323,7 +336,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # tag a localzone with a list of tag names (in "" with spaces between) # local-zone-tag: "example.com" "tag2 tag3" -@@ -916,8 +949,8 @@ +@@ -916,8 +949,8 @@ server: # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. # Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. @@ -334,7 +347,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # tls-port: 853 # https-port: 443 # quic-port: 853 -@@ -926,6 +959,8 @@ +@@ -926,6 +959,8 @@ server: # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" # cipher setting for TLSv1.3 # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" @@ -343,7 +356,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Pad responses to padded queries received over TLS # pad-responses: yes -@@ -1070,12 +1105,14 @@ +@@ -1070,12 +1105,14 @@ server: # cookie-secret-file: "/usr/local/etc/unbound_cookiesecrets.txt" # Enable to attach Extended DNS Error codes (RFC8914) to responses. @@ -360,7 +373,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Specific options for ipsecmod. Unbound needs to be configured with # --enable-ipsecmod for these to take effect. -@@ -1083,12 +1120,14 @@ +@@ -1083,12 +1120,14 @@ server: # Enable or disable ipsecmod (it still needs to be defined in # module-config above). Can be used when ipsecmod needs to be # enabled/disabled via remote-control(below). 
@@ -378,7 +391,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # When enabled Unbound will reply with SERVFAIL if the return value of # the ipsecmod-hook is not 0. # ipsecmod-strict: no -@@ -1121,7 +1160,7 @@ +@@ -1121,7 +1160,7 @@ server: # o and give a python-script to run. python: # Script file to load @@ -387,7 +400,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Dynamic library config section. To enable: # o use --with-dynlibmodule to configure before compiling. -@@ -1132,13 +1171,14 @@ +@@ -1132,13 +1171,14 @@ python: # the module-config then you need one dynlib-file per instance. dynlib: # Script file to load @@ -404,7 +417,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # what interfaces are listened to for remote control. # give 0.0.0.0 and ::0 to listen to all interfaces. -@@ -1146,6 +1186,7 @@ +@@ -1146,6 +1186,7 @@ remote-control: # are not used for that, so key and cert files need not be present. # control-interface: 127.0.0.1 # control-interface: ::1 @@ -412,7 +425,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # port number for remote control operations. # control-port: 8953 -@@ -1155,16 +1196,19 @@ +@@ -1155,16 +1196,19 @@ remote-control: # control-use-cert: "yes" # Unbound server key file. @@ -436,7 +449,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Stub zones. # Create entries like below, to make all queries for 'example.com' and -@@ -1186,6 +1230,10 @@ +@@ -1186,6 +1230,10 @@ remote-control: # name: "example.org" # stub-host: ns.example.com. 
@@ -447,7 +460,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Forward zones # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of servers. These servers have to handle -@@ -1203,6 +1251,10 @@ +@@ -1203,6 +1251,10 @@ remote-control: # forward-zone: # name: "example.org" # forward-host: fwd.example.com 
@@ -458,57 +471,15 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # Authority zones # The data for these zones is kept locally, from a file or downloaded. -@@ -1213,27 +1265,28 @@ - # download it), primary: fetches with AXFR and IXFR, or url to zonefile. - # With allow-notify: you can give additional (apart from primaries and urls) - # sources of notifies. --# auth-zone: --# name: "." --# primary: 170.247.170.2 # b.root-servers.net --# primary: 192.33.4.12 # c.root-servers.net --# primary: 199.7.91.13 # d.root-servers.net --# primary: 192.5.5.241 # f.root-servers.net --# primary: 192.112.36.4 # g.root-servers.net --# primary: 193.0.14.129 # k.root-servers.net --# primary: 192.0.47.132 # xfr.cjr.dns.icann.org --# primary: 192.0.32.132 # xfr.lax.dns.icann.org --# primary: 2801:1b8:10::b # b.root-servers.net --# primary: 2001:500:2::c # c.root-servers.net --# primary: 2001:500:2d::d # d.root-servers.net --# primary: 2001:500:2f::f # f.root-servers.net --# primary: 2001:500:12::d0d # g.root-servers.net --# primary: 2001:7fd::1 # k.root-servers.net --# primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org --# primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org --# fallback-enabled: yes --# for-downstream: no --# for-upstream: yes -+ auth-zone: -+ name: "." 
-+ primary: 170.247.170.2 # b.root-servers.net -+ primary: 192.33.4.12 # c.root-servers.net -+ primary: 199.7.91.13 # d.root-servers.net -+ primary: 192.5.5.241 # f.root-servers.net -+ primary: 192.112.36.4 # g.root-servers.net -+ primary: 193.0.14.129 # k.root-servers.net -+ primary: 192.0.47.132 # xfr.cjr.dns.icann.org -+ primary: 192.0.32.132 # xfr.lax.dns.icann.org -+ primary: 2801:1b8:10::b # b.root-servers.net -+ primary: 2001:500:2::c # c.root-servers.net -+ primary: 2001:500:2d::d # d.root-servers.net -+ primary: 2001:500:2f::f # f.root-servers.net -+ primary: 2001:500:12::d0d # g.root-servers.net -+ primary: 2001:7fd::1 # k.root-servers.net -+ primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org -+ primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org -+ fallback-enabled: yes -+ for-downstream: no -+ for-upstream: yes +@@ -1234,6 +1286,7 @@ remote-control: + # fallback-enabled: yes + # for-downstream: no + # for-upstream: yes + # auth-zone: # name: "example.org" # for-downstream: yes -@@ -1259,6 +1312,9 @@ +@@ -1259,6 +1312,9 @@ remote-control: # name: "anotherview" # local-zone: "example.com" refuse @@ -518,7 +489,7 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # DNSCrypt # To enable, use --enable-dnscrypt to configure before compiling. # Caveats: -@@ -1338,7 +1394,7 @@ +@@ -1338,7 +1394,7 @@ remote-control: # dnstap-enable: no # # if set to yes frame streams will be used in bidirectional mode # dnstap-bidirectional: yes @@ -527,3 +498,6 @@ diff -Naur unbound-1.22.0-orig/doc/example.conf.in unbound-1.22.0/doc/example.co # # if "" use the unix socket in dnstap-socket-path, otherwise, # # set it to "IPaddress[@port]" of the destination. # dnstap-ip: "" +-- +2.47.0 + From e121fcf04fb9ba27c7c4e0d4c51b0d208bd844ea Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Fri, 15 Nov 2024 11:59:34 +0100 Subject: [PATCH 100/139] Move remote-control configuration to vendor directory Keep just simple include stub at original place. Add also enabling of remote control into the same file. Makes it possible to be used directly by unbound-control command. --- remote-control-include.conf | 4 ++++ remote-control.conf | 27 ++++++++++++++++++++++----- unbound.spec | 4 +++- 3 files changed, 29 insertions(+), 6 deletions(-) create mode 100644 remote-control-include.conf
diff --git a/remote-control-include.conf b/remote-control-include.conf
new file mode 100644
index 0000000..5688480
--- /dev/null
+++ b/remote-control-include.conf
@@ -0,0 +1,4 @@
+# Previous defaults allowed any process to change settings, CVE-2023-1488
+# If you want to modify remote configuration, replace this file with
+# contents of included file and modify afterwards.
+include: "/usr/share/unbound/conf.d/remote-control.conf"
diff --git a/remote-control.conf b/remote-control.conf
index 4561a63..6f6942e 100644
--- a/remote-control.conf
+++ b/remote-control.conf
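Review bot: The stub tells the admin to replace this file with the contents of the included one, but the unbound.spec hunk of this same commit installs it as `%{_sysconfdir}/unbound/conf.d/remote-control.conf`, and whether that path is marked `%config(noreplace)` in %files is not part of this patch; if it is not, a package update overwrites the admin's copy and silently restores the vendor `control-enable: yes` via the include. Please confirm the %files entry, and make the intended split explicit in the stub, since the included file under /usr/share is replaced on update: `# Do not edit the included file; it is replaced on package update. Put local changes here.` The same concern applies to the `@@ -363,10 +364,11 @@` unbound.spec hunk further down, which moves SOURCE21 to `%{_datadir}/%{name}/conf.d/`.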
@@ -1,9 +1,26 @@ # Remote control config section update. # Previous defaults allowed any process to change settings, CVE-2023-1488 +# This file can be used also by: unbound-control -c remote-control: - # set to an absolute path to use a unix local name pipe, certificates - # are not used for that, so key and cert files need not be present. - control-interface: "/run/unbound/control" + # Enable remote control with unbound-control(8) here. + # set up the keys and certificates with unbound-control-setup. + control-enable: yes - # For local sockets this option is ignored, and TLS is not used. - control-use-cert: "yes" + # set to an absolute path to use a unix local name pipe, certificates + # are not used for that, so key and cert files need not be present. + control-interface: "/run/unbound/control" + + # For local sockets this option is ignored, and TLS is not used. + control-use-cert: "yes" + + # Unbound server key file. + server-key-file: "/etc/unbound/unbound_server.key" + + # Unbound server certificate file. + server-cert-file: "/etc/unbound/unbound_server.pem" + + # unbound-control key file. + control-key-file: "/etc/unbound/unbound_control.key" + + # unbound-control certificate file. + control-cert-file: "/etc/unbound/unbound_control.pem" diff --git a/unbound.spec b/unbound.spec index cb8b8bb..32eec1e 100644 --- a/unbound.spec +++ b/unbound.spec @@ -66,6 +66,7 @@ Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc Source23: unbound-as112-networks.conf Source24: unbound-local-root.conf Source25: openssl-sha1.conf +Source26: remote-control-include.conf # Downstream configuration changes Patch1: unbound-fedora-config.patch 
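Review bot: `control-enable: yes` is now switched on in a vendor file that the /etc stub includes, so after this change the only thing standing between the CVE-2023-1488 note at the top and an open control channel is the unix socket at `control-interface: "/run/unbound/control"` and whatever ownership and mode that socket gets at runtime, and the file states neither. I would extend the header comment so the reader sees the boundary: `# Access is governed by the filesystem permissions of the socket path below; if control-interface is changed to an IP address, the key and certificate files below are used instead.` The added line `# This file can be used also by: unbound-control -c` reads as a fragment; `# This file can also be passed directly to: unbound-control -c <this file>` says what is meant.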
@@ -363,10 +364,11 @@ mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d} install -p -m 0644 %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/ install -p -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/ install -p -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/ -install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/ +install -p -m 0644 %{SOURCE26} %{buildroot}%{_sysconfdir}/unbound/conf.d/remote-control.conf install -p -m 0644 %{SOURCE25} %{buildroot}%{_sysconfdir}/unbound/openssl-sha1.conf mkdir -p %{buildroot}%{_datadir}/%{name}/conf.d +install -p -m 0644 %{SOURCE21} %{buildroot}%{_datadir}/%{name}/conf.d/ install -p -m 0644 %{SOURCE23} %{buildroot}%{_datadir}/%{name}/conf.d/ install -p -m 0644 %{SOURCE24} %{buildroot}%{_datadir}/%{name}/conf.d/ From 524bcf06fe07ab93ec3d3c90f1a06b698d0c24c5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Fri, 15 Nov 2024 14:55:19 +0100 Subject: [PATCH 101/139] Move defaults to separate configuration file Place distribution defaults into file provided in /usr/share/unbound. Include that file from default configuration before conf.d/*.conf is included, to ensure similar order is kept. Rely on remote-control to be configured by conf.d/remote-control.conf only. Moved parts from original unbound.conf to single file together. --- fedora-defaults.conf | 225 +++++++++++++++++++ unbound-fedora-config.patch | 430 ++---------------------------------- unbound.spec | 3 + 3 files changed, 248 insertions(+), 410 deletions(-) create mode 100644 fedora-defaults.conf diff --git a/fedora-defaults.conf b/fedora-defaults.conf new file mode 100644 index 0000000..ccbc20a --- /dev/null +++ b/fedora-defaults.conf 
@@ -0,0 +1,225 @@ +# Fedora distribution defaults + +server: + # verbosity number, 0 is least verbose. 1 is default. + verbosity: 1 + + # print statistics to the log (for every thread) every N seconds. + # Set to "" or 0 to disable. Default is disabled. + # Needs to be disabled for munin plugin + statistics-interval: 0 + + # enable cumulative statistics, without clearing them after printing. + # Needs to be disabled for munin plugin + statistics-cumulative: no + + # enable extended statistics (query types, answer codes, status) + # Needs to be enabled for munin plugin + extended-statistics: yes + + # number of threads to create. 1 disables threading. + # num-threads: 1 + num-threads: 4 + + # specify the interfaces to answer queries from by ip-address. + # The default is to listen to localhost (127.0.0.1 and ::1). + # specify 0.0.0.0 and ::0 to bind to all available interfaces. + # specify every interface[@port] on a new 'interface:' labelled line. + # The listen interfaces are not changed on reload, only on restart. + # interface: 0.0.0.0 + # interface: ::0 + # interface: 192.0.2.153 + # interface: 192.0.2.154 + # interface: 192.0.2.154@5003 + # interface: 2001:DB8::5 + # interface: eth0@5003 + # + # for dns over tls and raw dns over port 80 + # interface: 0.0.0.0@443 + # interface: ::0@443 + # interface: 0.0.0.0@80 + # interface: ::0@80 + + # enable this feature to copy the source address of queries to reply. + # Socket options are not supported on all platforms. experimental. + # interface-automatic: yes + # + # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0 + # NOTE: Disabled per Fedora policy not to listen to * on default install + # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled + interface-automatic: no + + # permit Unbound to use this port number or port range for + # making outgoing queries, using an outgoing interface. 
+ # Only ephemeral ports are allowed by SElinux + outgoing-port-permit: 32768-60999 + + # IANA-assigned port numbers. + # If multiple outgoing-port-permit and outgoing-port-avoid options + # are present, they are processed in order. + # Our SElinux policy does not allow non-ephemeral ports to be used + outgoing-port-avoid: 0-32767 + outgoing-port-avoid: 61000-65535 + + # use SO_REUSEPORT to distribute queries over threads. + # at extreme load it could be better to turn it off to distribute even. + so-reuseport: yes + + # use IP_TRANSPARENT so the interface: addresses can be non-local + # and you can config non-existing IPs that are going to work later on + # (uses IP_BINDANY on FreeBSD). + ip-transparent: yes + + # Enable UDP, "yes" or "no". + # NOTE: if setting up an Unbound on tls443 for public use, you might want to + # disable UDP to avoid being used in DNS amplification attacks. + # do-udp: yes + + # Enable EDNS TCP keepalive option. + edns-tcp-keepalive: yes + + # Fedora note: do not activate this - not compiled in because + # it causes frequent unbound crashes. Also, socket activation + # is bad when you have things like dnsmasq also running with libvirt. + # Use systemd socket activation for UDP, TCP, and control sockets. + # use-systemd: no + + # If you give a server: directory: dir before include: file statements + # then those includes can be relative to the working directory. + directory: "/etc/unbound" + + # print UTC timestamp in ascii to logfile, default is epoch in seconds. + log-time-ascii: yes + + # Harden against unseemly large queries. + harden-large-queries: yes + + # Harden against unverified (outside-zone, including sibling zone) glue rrsets + harden-unverified-glue: yes + + # Default off, because the lookups burden the server. Experimental + # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. + harden-referral-path: yes + + # Sent minimum amount of information to upstream servers to enhance + # privacy. 
Only sent minimum required labels of the QNAME and set QTYPE + # to A when possible. + qname-minimisation: yes + + # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN + # and other denials, using information from previous NXDOMAINs answers. + aggressive-nsec: yes + + # threshold, a warning is printed and a defensive action is taken, + # the cache is cleared to flush potential poison out of it. + # A suggested value is 10000000, the default is 0 (turned off). + unwanted-reply-threshold: 10000000 + + # if yes, perform prefetching of almost expired message cache entries. + prefetch: yes + + # if yes, perform key lookups adjacent to normal lookups. + prefetch-key: yes + + # deny queries of type ANY with an empty response. + deny-any: yes + + # if yes, Unbound rotates RRSet order in response. + rrset-roundrobin: yes + + # if yes, Unbound doesn't insert authority/additional sections + # into response messages when those sections are not required. + minimal-responses: yes + + # module configuration of the server. A string with identifiers + # separated by spaces. Syntax: "[dns64] [validator] iterator" + # most modules have to be listed at the beginning of the line, + # except cachedb(just before iterator), and python (at the beginning, + # or, just before the iterator). + # For redis cachedb use: + # "ipsecmod validator cachedb iterator" + module-config: "ipsecmod validator iterator" + + # trust anchor signaling sends a RFC8145 key tag query after priming. + trust-anchor-signaling: yes + + # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel) + root-key-sentinel: yes + + # the trusted-keys { name flag proto algo "key"; }; clauses are read. + # you need external update procedures to track changes in keys. + # trusted-keys-file: "" + # + trusted-keys-file: /etc/unbound/keys.d/*.key + auto-trust-anchor-file: "/var/lib/unbound/root.key" + + # Should additional section of secure message also be kept clean of + # unsecure data. 
Useful to shield the users of this validator from + # potential bogus data in the additional section. All unsigned data + # in the additional section is removed from secure messages. + val-clean-additional: yes + + # Turn permissive mode on to permit bogus messages. Thus, messages + # for which security checks failed will be returned to clients, + # instead of SERVFAIL. It still performs the security checks, which + # result in interesting log files and possibly the AD bit in + # replies if the message is found secure. The default is off. + # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY + val-permissive-mode: no + + # Serve expired responses from cache, with serve-expired-reply-ttl in + # the response, and then attempt to fetch the data afresh. + serve-expired: yes + + # Limit serving of expired responses to configured seconds after + # expiration. 0 disables the limit. + serve-expired-ttl: 14400 + + # Have the validator log failed validations for your diagnosis. + # 0: off. 1: A line per failed user query. 2: With reason and bad IP. + val-log-level: 1 + + # service clients over TLS (on the TCP sockets) with plain DNS inside + # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. + # Give the certificate to use and private key. + # default is "" (disabled). requires restart to take effect. + # tls-service-key: "/etc/unbound/unbound_server.key" + # tls-service-pem: "/etc/unbound/unbound_server.pem" + + # Fedora/RHEL: use system-wide crypto policies + tls-ciphers: "PROFILE=SYSTEM" + + # Enable to attach Extended DNS Error codes (RFC8914) to responses. + # Fedora defaults to yes. + ede: yes + + # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale + # Answer as EDNS0 option to expired responses. + # Note that the ede option above needs to be enabled for this to work. + # Fedora defaults to yes. + ede-serve-expired: yes + + # Enable or disable ipsecmod (it still needs to be defined in + # module-config above). 
Can be used when ipsecmod needs to be + # enabled/disabled via remote-control(below). + # Fedora: module will be enabled on-demand by libreswan + ipsecmod-enabled: no + + # Path to executable external hook. It must be defined when ipsecmod is + # listed in module-config (above). + ipsecmod-hook: /usr/libexec/ipsec/_unbound-hook + +python: + # Script file to load + # python-script: "/etc/unbound/ubmodule-tst.py" + +# Remote control config section moved into own remote-control.conf + +# the module-config then you need one dynlib-file per instance. +dynlib: + # Script file to load + # dynlib-file: "/etc/unbound/dynlib.so" + +# Fedora: DNSCrypt support not enabled since it requires linking to +# another crypto library +# diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch index 9c39596..be28920 100644 --- a/unbound-fedora-config.patch +++ b/unbound-fedora-config.patch @@ -1,60 +1,20 @@ -From aa201e383210d02c0396d0a1375d217551c0e2bd Mon Sep 17 00:00:00 2001 +From 6e2d042505a006ab5fd703631661e68d1cdc66df Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= -Date: Fri, 15 Nov 2024 08:57:14 +0100 +Date: Fri, 15 Nov 2024 13:25:34 +0100 Subject: [PATCH] Customize unbound.conf for Fedora defaults Set some Fedora/RHEL specific changes to example configuration file. By patching upstream provided config file we would not need to manually update external copy in source RPM. --- - doc/example.conf.in | 152 ++++++++++++++++++++++++++++++-------------- - 1 file changed, 104 insertions(+), 48 deletions(-) + doc/example.conf.in | 33 +++++++++++++++++++++++++++++++-- + 1 file changed, 31 insertions(+), 2 deletions(-) diff --git a/doc/example.conf.in b/doc/example.conf.in -index 59090c6..33c6209 100644 +index 59090c6..3a86809 100644 --- a/doc/example.conf.in 
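Review bot: The `server:` section of fedora-defaults.conf carries no `chroot:` entry, yet the hunk this commit drops from unbound-fedora-config.patch (`@@ -148,186 +53,7 @@`, the `-+ chroot: ""` line) shows the previous patch explicitly disabled the chroot in example.conf.in; unless the build passes an empty chroot directory at configure time, which is not visible here, the effective default changes with this commit. Add `chroot: ""` next to `directory: "/etc/unbound"` with a comment such as `# Fedora: no chroot, paths in this file and in conf.d are absolute`, or confirm the compiled-in default is already empty. Separately, `trusted-keys-file: /etc/unbound/keys.d/*.key` and `ipsecmod-hook: /usr/libexec/ipsec/_unbound-hook` are the only unquoted paths in the file; quoting them like the neighbouring `auto-trust-anchor-file: "/var/lib/unbound/root.key"` keeps the style uniform. The `python:` and `dynlib:` sections hold only comments and could be dropped, since the upstream example config already documents them.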
+++ b/doc/example.conf.in -@@ -17,11 +17,12 @@ server: - # whitespace is not necessary, but looks cleaner. - - # verbosity number, 0 is least verbose. 1 is default. -- # verbosity: 1 -+ verbosity: 1 - - # print statistics to the log (for every thread) every N seconds. - # Set to "" or 0 to disable. Default is disabled. -- # statistics-interval: 0 -+ # Needs to be disabled for munin plugin -+ statistics-interval: 0 - - # enable shm for stats, default no. if you enable also enable - # statistics-interval, every time it also writes stats to the -@@ -32,11 +33,13 @@ server: - # shm-key: 11777 - - # enable cumulative statistics, without clearing them after printing. -- # statistics-cumulative: no -+ # Needs to be disabled for munin plugin -+ statistics-cumulative: no - - # enable extended statistics (query types, answer codes, status) -- # printed from unbound-control. Default off, because of speed. -- # extended-statistics: no -+ # printed from unbound-control. default off, because of speed. -+ # Needs to be enabled for munin plugin -+ extended-statistics: yes - - # Inhibits selected extended statistics (qtype, qclass, qopcode, rcode, - # rpz-actions) from printing if their value is 0. -@@ -44,22 +47,35 @@ server: - # statistics-inhibit-zero: yes - - # number of threads to create. 1 disables threading. -- # num-threads: 1 -+ num-threads: 4 - - # specify the interfaces to answer queries from by ip-address. - # The default is to listen to localhost (127.0.0.1 and ::1). +@@ -51,11 +51,19 @@ server: # specify 0.0.0.0 and ::0 to bind to all available interfaces. # specify every interface[@port] on a new 'interface:' labelled line. # The listen interfaces are not changed on reload, only on restart. 
@@ -74,53 +34,7 @@ index 59090c6..33c6209 100644 # enable this feature to copy the source address of queries to reply. # Socket options are not supported on all platforms. experimental. -- # interface-automatic: no -+ # interface-automatic: yes -+ # -+ # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0 -+ # NOTE: Disabled per Fedora policy not to listen to * on default install -+ # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled -+ interface-automatic: no - - # instead of the default port, open additional ports separated by - # spaces when interface-automatic is enabled, by listing them here. -@@ -94,7 +110,8 @@ server: - - # permit Unbound to use this port number or port range for - # making outgoing queries, using an outgoing interface. -- # outgoing-port-permit: 32768 -+ # Only ephemeral ports are allowed by SElinux -+ outgoing-port-permit: 32768-60999 - - # deny Unbound the use this of port number or port range for - # making outgoing queries, using an outgoing interface. -@@ -103,7 +120,9 @@ server: - # IANA-assigned port numbers. - # If multiple outgoing-port-permit and outgoing-port-avoid options - # are present, they are processed in order. -- # outgoing-port-avoid: "3200-3208" -+ # Our SElinux policy does not allow non-ephemeral ports to be used -+ outgoing-port-avoid: 0-32767 -+ outgoing-port-avoid: 61000-65535 - - # number of outgoing simultaneous tcp buffers to hold per thread. - # outgoing-num-tcp: 10 -@@ -121,12 +140,12 @@ server: - - # use SO_REUSEPORT to distribute queries over threads. - # at extreme load it could be better to turn it off to distribute even. -- # so-reuseport: yes -+ so-reuseport: yes - - # use IP_TRANSPARENT so the interface: addresses can be non-local - # and you can config non-existing IPs that are going to work later on - # (uses IP_BINDANY on FreeBSD). 
-- # ip-transparent: no -+ ip-transparent: yes - - # use IP_FREEBIND so the interface: addresses can be non-local - # and you can bind to nonexisting IPs and interfaces that are down. -@@ -285,6 +304,8 @@ server: +@@ -285,6 +293,8 @@ server: # nat64-prefix: 64:ff9b::0/96 # Enable UDP, "yes" or "no". @@ -129,16 +43,7 @@ index 59090c6..33c6209 100644 # do-udp: yes # Enable TCP, "yes" or "no". -@@ -310,7 +331,7 @@ server: - # tcp-idle-timeout: 30000 - - # Enable EDNS TCP keepalive option. -- # edns-tcp-keepalive: no -+ edns-tcp-keepalive: yes - - # Timeout for EDNS TCP keepalive, in msec. Overrides tcp-idle-timeout - # if edns-tcp-keepalive is set. -@@ -320,6 +341,9 @@ server: +@@ -320,6 +330,9 @@ server: # can be dropped. Default is 0, disabled. In seconds, such as 3. # sock-queue-timeout: 0 
@@ -148,186 +53,7 @@ index 59090c6..33c6209 100644 # Use systemd socket activation for UDP, TCP, and control sockets. # use-systemd: no -@@ -433,6 +457,7 @@ server: - # - # If you give "" no chroot is performed. The path must not end in a /. - # chroot: "@UNBOUND_CHROOT_DIR@" -+ chroot: "" - - # if given, user privileges are dropped (after binding port), - # and the given username is assumed. Default is user "unbound". -@@ -444,7 +469,7 @@ server: - # is not changed. - # If you give a server: directory: dir before include: file statements - # then those includes can be relative to the working directory. -- # directory: "@UNBOUND_RUN_DIR@" -+ directory: "/etc/unbound" - - # the log file, "" means log to stderr. - # Use of this option sets use-syslog to "no". -@@ -459,7 +484,7 @@ server: - # log-identity: "" - - # print UTC timestamp in ascii to logfile, default is epoch in seconds. -- # log-time-ascii: no -+ log-time-ascii: yes - - # log timestamp in ISO8601 format if also log-time-ascii is enabled. - # (y-m-dTh:m:s.msec[+-]tzhours:tzminutes) -@@ -532,13 +557,13 @@ server: - # harden-short-bufsize: yes - - # Harden against unseemly large queries. -- # harden-large-queries: no -+ harden-large-queries: yes - - # Harden against out of zone rrsets, to avoid spoofing attempts. - # harden-glue: yes - - # Harden against unverified (outside-zone, including sibling zone) glue rrsets -- # harden-unverified-glue: no -+ harden-unverified-glue: yes - - # Harden against receiving dnssec-stripped data. If you turn it - # off, failing to validate dnskey data for a trustanchor will -@@ -553,7 +578,7 @@ server: - # infrastructure data. Validates the replies (if possible). - # Default off, because the lookups burden the server. Experimental - # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. -- # harden-referral-path: no -+ harden-referral-path: yes - - # Harden against algorithm downgrade when multiple algorithms are - # advertised in the DS record. 
If no, allows the weakest algorithm -@@ -567,7 +592,7 @@ server: - # Sent minimum amount of information to upstream servers to enhance - # privacy. Only sent minimum required labels of the QNAME and set QTYPE - # to A when possible. -- # qname-minimisation: yes -+ qname-minimisation: yes - - # QNAME minimisation in strict mode. Do not fall-back to sending full - # QNAME to potentially broken nameservers. A lot of domains will not be -@@ -577,7 +602,7 @@ server: - - # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN - # and other denials, using information from previous NXDOMAINs answers. -- # aggressive-nsec: yes -+ aggressive-nsec: yes - - # Use 0x20-encoded random bits in the query to foil spoof attempts. - # This feature is an experimental implementation of draft dns-0x20. -@@ -610,7 +635,7 @@ server: - # threshold, a warning is printed and a defensive action is taken, - # the cache is cleared to flush potential poison out of it. - # A suggested value is 10000000, the default is 0 (turned off). -- # unwanted-reply-threshold: 0 -+ unwanted-reply-threshold: 10000000 - - # Do not query the following addresses. No DNS queries are sent there. - # List one address per entry. List classless netblocks with /size, -@@ -622,20 +647,20 @@ server: - # do-not-query-localhost: yes - - # if yes, perform prefetching of almost expired message cache entries. -- # prefetch: no -+ prefetch: yes - - # if yes, perform key lookups adjacent to normal lookups. -- # prefetch-key: no -+ prefetch-key: yes - - # deny queries of type ANY with an empty response. -- # deny-any: no -+ deny-any: yes - - # if yes, Unbound rotates RRSet order in response. -- # rrset-roundrobin: yes -+ rrset-roundrobin: yes - - # if yes, Unbound doesn't insert authority/additional sections - # into response messages when those sections are not required. -- # minimal-responses: yes -+ minimal-responses: yes - - # true to disable DNSSEC lameness check in iterator. 
- # disable-dnssec-lame-check: no -@@ -645,7 +670,9 @@ server: - # most modules have to be listed at the beginning of the line, - # except cachedb(just before iterator), and python (at the beginning, - # or, just before the iterator). -- # module-config: "validator iterator" -+ # For redis cachedb use: -+ # "ipsecmod validator cachedb iterator" -+ module-config: "ipsecmod validator iterator" - - # File with trusted keys, kept uptodate using RFC5011 probes, - # initial file like trust-anchor-file, then it stores metadata. -@@ -659,10 +686,10 @@ server: - # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" - - # trust anchor signaling sends a RFC8145 key tag query after priming. -- # trust-anchor-signaling: yes -+ trust-anchor-signaling: yes - - # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel) -- # root-key-sentinel: yes -+ root-key-sentinel: yes - - # File with trusted keys for validation. Specify more than one file - # with several entries, one file per entry. -@@ -683,6 +710,9 @@ server: - # the trusted-keys { name flag proto algo "key"; }; clauses are read. - # you need external update procedures to track changes in keys. - # trusted-keys-file: "" -+ # -+ trusted-keys-file: /etc/unbound/keys.d/*.key -+ auto-trust-anchor-file: "/var/lib/unbound/root.key" - - # Ignore chain of trust. Domain is treated as insecure. - # domain-insecure: "example.com" -@@ -710,14 +740,15 @@ server: - # unsecure data. Useful to shield the users of this validator from - # potential bogus data in the additional section. All unsigned data - # in the additional section is removed from secure messages. -- # val-clean-additional: yes -+ val-clean-additional: yes - - # Turn permissive mode on to permit bogus messages. Thus, messages - # for which security checks failed will be returned to clients, - # instead of SERVFAIL. It still performs the security checks, which - # result in interesting log files and possibly the AD bit in - # replies if the message is found secure. 
The default is off. -- # val-permissive-mode: no -+ # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY -+ val-permissive-mode: no - - # Ignore the CD flag in incoming queries and refuse them bogus data. - # Enable it if the only clients of Unbound are legacy servers (w2008) -@@ -731,11 +762,11 @@ server: - - # Serve expired responses from cache, with serve-expired-reply-ttl in - # the response, and then attempt to fetch the data afresh. -- # serve-expired: no -+ serve-expired: yes - # - # Limit serving of expired responses to configured seconds after - # expiration. 0 disables the limit. -- # serve-expired-ttl: 0 -+ serve-expired-ttl: 14400 - # - # Set the TTL of expired records to the serve-expired-ttl value after a - # failed attempt to retrieve the record from upstream. This makes sure -@@ -762,7 +793,7 @@ server: - - # Have the validator log failed validations for your diagnosis. - # 0: off. 1: A line per failed user query. 2: With reason and bad IP. -- # val-log-level: 0 -+ val-log-level: 1 - - # It is possible to configure NSEC3 maximum iteration counts per - # keysize. Keep this table very short, as linear search is done. -@@ -906,6 +937,8 @@ server: +@@ -906,6 +919,8 @@ server: # you need to do the reverse notation yourself. # local-data-ptr: "192.0.2.3 www.example.com" @@ -336,7 +62,7 @@ index 59090c6..33c6209 100644 # tag a localzone with a list of tag names (in "" with spaces between) # local-zone-tag: "example.com" "tag2 tag3" -@@ -916,8 +949,8 @@ server: +@@ -916,8 +931,8 @@ server: # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. # Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. 
@@ -347,109 +73,20 @@ index 59090c6..33c6209 100644 # tls-port: 853 # https-port: 443 # quic-port: 853 -@@ -926,6 +959,8 @@ server: - # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" - # cipher setting for TLSv1.3 - # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" -+ # Fedora/RHEL: use system-wide crypto policies -+ tls-ciphers: "PROFILE=SYSTEM" - - # Pad responses to padded queries received over TLS - # pad-responses: yes -@@ -1070,12 +1105,14 @@ server: - # cookie-secret-file: "/usr/local/etc/unbound_cookiesecrets.txt" - - # Enable to attach Extended DNS Error codes (RFC8914) to responses. -- # ede: no -+ # Fedora defaults to yes. -+ ede: yes - - # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale - # Answer as EDNS0 option to expired responses. - # Note that the ede option above needs to be enabled for this to work. -- # ede-serve-expired: no -+ # Fedora defaults to yes. -+ ede-serve-expired: yes - - # Specific options for ipsecmod. Unbound needs to be configured with - # --enable-ipsecmod for these to take effect. -@@ -1083,12 +1120,14 @@ server: - # Enable or disable ipsecmod (it still needs to be defined in - # module-config above). Can be used when ipsecmod needs to be - # enabled/disabled via remote-control(below). -- # ipsecmod-enabled: yes -- # -+ # Fedora: module will be enabled on-demand by libreswan -+ ipsecmod-enabled: no -+ - # Path to executable external hook. It must be defined when ipsecmod is - # listed in module-config (above). - # ipsecmod-hook: "./my_executable" -- # -+ ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook -+ - # When enabled Unbound will reply with SERVFAIL if the return value of - # the ipsecmod-hook is not 0. 
- # ipsecmod-strict: no -@@ -1121,7 +1160,7 @@ server: - # o and give a python-script to run. - python: - # Script file to load -- # python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py" -+ # python-script: "/etc/unbound/ubmodule-tst.py" - - # Dynamic library config section. To enable: - # o use --with-dynlibmodule to configure before compiling. -@@ -1132,13 +1171,14 @@ python: - # the module-config then you need one dynlib-file per instance. - dynlib: - # Script file to load -- # dynlib-file: "@UNBOUND_SHARE_DIR@/dynlib.so" -+ # dynlib-file: "/etc/unbound/dynlib.so" - - # Remote control config section. - remote-control: - # Enable remote control with unbound-control(8) here. - # set up the keys and certificates with unbound-control-setup. -- # control-enable: no -+ # Note: required for unbound-munin package -+ control-enable: yes - - # what interfaces are listened to for remote control. - # give 0.0.0.0 and ::0 to listen to all interfaces. -@@ -1146,6 +1186,7 @@ remote-control: - # are not used for that, so key and cert files need not be present. - # control-interface: 127.0.0.1 - # control-interface: ::1 -+ # moved to /etc/unbound/conf.d/remote-control.conf - - # port number for remote control operations. - # control-port: 8953 -@@ -1155,16 +1196,19 @@ remote-control: - # control-use-cert: "yes" - - # Unbound server key file. -- # server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key" -+ server-key-file: "/etc/unbound/unbound_server.key" - - # Unbound server certificate file. -- # server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem" -+ server-cert-file: "/etc/unbound/unbound_server.pem" - - # unbound-control key file. -- # control-key-file: "@UNBOUND_RUN_DIR@/unbound_control.key" -+ control-key-file: "/etc/unbound/unbound_control.key" - +@@ -1166,6 +1181,12 @@ remote-control: # unbound-control certificate file. 
-- # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem" -+ control-cert-file: "/etc/unbound/unbound_control.pem" + # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem" + ++# Default Fedora settings ++include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf" + +# Stub and Forward zones -+include: /etc/unbound/conf.d/*.conf - ++include: "@sysconfdir@/unbound/conf.d/*.conf" ++ # Stub zones. # Create entries like below, to make all queries for 'example.com' and -@@ -1186,6 +1230,10 @@ remote-control: + # 'example.org' go to the given list of nameservers. list zero or more +@@ -1186,6 +1207,10 @@ remote-control: # name: "example.org" # stub-host: ns.example.com. @@ -460,7 +97,7 @@ index 59090c6..33c6209 100644 # Forward zones # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of servers. These servers have to handle -@@ -1203,6 +1251,10 @@ remote-control: +@@ -1203,6 +1228,10 @@ remote-control: # forward-zone: # name: "example.org" # forward-host: fwd.example.com 
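Review bot: The settings this hunk removes from the patched unbound.conf — `tls-ciphers: "PROFILE=SYSTEM"`, `ede: yes`, `ede-serve-expired: yes`, `ipsecmod-enabled: no`, `ipsecmod-hook`, `control-enable: yes` and the four control key/cert paths — are replaced only by `include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf"`, and fedora-defaults.conf (Source27) is not in this chunk, so nothing here shows that every moved key arrived there; the same holds for `trusted-keys-file`, `auto-trust-anchor-file` and `val-permissive-mode: no` dropped earlier in this file's diff. Any key lost in the move silently changes the shipped defaults (system crypto policy on the control channel, DNSSEC trust anchors), so the commit message should enumerate the relocated keys or the new file should be reviewed against this list. The order of the two new includes is presumably deliberate so that `@sysconfdir@/unbound/conf.d/*.conf` is read after the packaged defaults; a one-line comment, `# conf.d drop-ins are read after fedora-defaults.conf`, would pin that down. `@sysconfdir@` only expands to `/etc` when configure receives `--sysconfdir` (the bare autoconf default leaves the literal `${prefix}/etc`); `%configure` presumably passes it, but that invocation is outside this hunk.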
@@ -471,33 +108,6 @@ index 59090c6..33c6209 100644 # Authority zones # The data for these zones is kept locally, from a file or downloaded. -@@ -1234,6 +1286,7 @@ remote-control: - # fallback-enabled: yes - # for-downstream: no - # for-upstream: yes -+ - # auth-zone: - # name: "example.org" - # for-downstream: yes -@@ -1259,6 +1312,9 @@ remote-control: - # name: "anotherview" - # local-zone: "example.com" refuse - -+# Fedora: DNSCrypt support not enabled since it requires linking to -+# another crypto library -+# - # DNSCrypt - # To enable, use --enable-dnscrypt to configure before compiling. - # Caveats: -@@ -1338,7 +1394,7 @@ remote-control: - # dnstap-enable: no - # # if set to yes frame streams will be used in bidirectional mode - # dnstap-bidirectional: yes --# dnstap-socket-path: "@DNSTAP_SOCKET_PATH@" -+# dnstap-socket-path: "/etc/unbound/dnstap.sock" - # # if "" use the unix socket in dnstap-socket-path, otherwise, - # # set it to "IPaddress[@port]" of the destination. - # dnstap-ip: "" -- 2.47.0 diff --git a/unbound.spec b/unbound.spec index 32eec1e..b0803ee 100644 --- a/unbound.spec +++ b/unbound.spec @@ -67,6 +67,7 @@ Source23: unbound-as112-networks.conf Source24: unbound-local-root.conf Source25: openssl-sha1.conf Source26: remote-control-include.conf +Source27: fedora-defaults.conf # Downstream configuration changes Patch1: unbound-fedora-config.patch @@ -237,6 +238,7 @@ Python 3 modules and extensions for unbound --enable-relro-now --enable-pie \\\ --enable-subnet --enable-ipsecmod \\\ --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\ + --with-share-dir=%{_datadir}/%{name} \\\ --with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\ --enable-sha2 --disable-gost --enable-ecdsa \\\ --with-rootkey-file=%{_sharedstatedir}/%{name}/root.key \\\ 
@@ -371,6 +373,7 @@ mkdir -p %{buildroot}%{_datadir}/%{name}/conf.d install -p -m 0644 %{SOURCE21} %{buildroot}%{_datadir}/%{name}/conf.d/ install -p -m 0644 %{SOURCE23} %{buildroot}%{_datadir}/%{name}/conf.d/ install -p -m 0644 %{SOURCE24} %{buildroot}%{_datadir}/%{name}/conf.d/ +install -p -m 0644 %{SOURCE27} %{buildroot}%{_datadir}/%{name}/ # Link unbound-control-setup.8 manpage to unbound-control.8 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8 From 5f8c4336b8215b65fb9c4e313385129c5fcbd630 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 21 Nov 2024 06:44:19 +0100 Subject: [PATCH 102/139] Fix real regression detected by unbound-localhost test Reset chroot to empty directory in fedora-defaults.conf. That needs to be set for packaing to work as before. --- fedora-defaults.conf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fedora-defaults.conf b/fedora-defaults.conf index ccbc20a..99ff95d 100644 --- a/fedora-defaults.conf +++ b/fedora-defaults.conf @@ -84,6 +84,10 @@ server: # Use systemd socket activation for UDP, TCP, and control sockets. # use-systemd: no + # If you give "" no chroot is performed. The path must not end in a /. + # chroot: "/etc/unbound" + chroot: "" + # If you give a server: directory: dir before include: file statements # then those includes can be relative to the working directory. directory: "/etc/unbound" From 07cf660542bf406e22f0407c286f06ac1fe1fa25 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 16 Jan 2025 16:08:43 +0100 Subject: [PATCH 103/139] Use ip-freebind: yes or add After=network-online.target (rhbz#2338429) if interface: specifies exact address, not localhost nor wildcard. It should not be used by default when only localhost listening is enabled. Default configuration does not need it. --- unbound.service | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
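Review bot: `chroot: ""` switches off Unbound's own filesystem confinement, and the only text accompanying it is the upstream boilerplate comment, so a reader of fedora-defaults.conf cannot tell that Fedora disables it deliberately; the reason lives only in the commit message. Replace the boilerplate with the downstream reason, e.g. `# Fedora: chroot disabled on purpose; packaging (includes, directory:) expects the unconfined paths`, so a later cleanup does not re-enable it.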
diff --git a/unbound.service b/unbound.service index 74321c7..86ada76 100644 --- a/unbound.service +++ b/unbound.service @@ -1,6 +1,9 @@ [Unit] Description=Unbound recursive Domain Name Server -After=network-online.target +After=network.target +# Use ip-freebind: yes or add After=network-online.target, rhbz#2338429, +# if interface: specifies exact address, not localhost nor wildcard +#After=network-online.target After=unbound-keygen.service Wants=unbound-keygen.service After=unbound-anchor.service From df03e4d58a2804984b825b26da71511984af912b Mon Sep 17 00:00:00 2001 From: Tomas Korbar Date: Tue, 19 Nov 2024 10:55:05 +0100 Subject: [PATCH 104/139] Add dracut module Dracut module allows unbound to be used as resolver in initramfs. It is set before to network-online.target to ensure that other services which depend on name resolution have general synchronization point when they can expect unbound to be configured and listening. --- module-setup.sh | 44 ++++++++++++++++++++++++++++++++++++++++++++ unbound-initrd.conf | 5 +++++ unbound.spec | 18 ++++++++++++++++++ 3 files changed, 67 insertions(+) create mode 100644 module-setup.sh create mode 100644 unbound-initrd.conf diff --git a/module-setup.sh b/module-setup.sh new file mode 100644 index 0000000..439bc6d --- /dev/null +++ b/module-setup.sh 
@@ -0,0 +1,44 @@
+#!/usr/bin/bash
+
+check() {
+    require_binaries unbound unbound-checkconf unbound-control || return 1
+    # the module will be only included if explicitly required either
+    # by configuration or another module
+    return 255
+}
+
+depends() {
+    # because of pid file we need sysusers to create unbound user
+    echo systemd systemd-sysusers
+    return 0
+}
+
+install() {
+    # We have to make unbound wanted by network-online target to make sure
+    # there is a synchronization point when other services are able
+    # to make queries
+    inst_simple "$moddir"/unbound-initrd.conf /etc/systemd/system/unbound.service.d/unbound-initrd.conf
+
+    # /etc and /var/lib do not have its variables
+    inst_multiple -o \
+        "$systemdsystemunitdir"/unbound.service \
+        /etc/unbound/conf.d/remote-control.conf \
+        /etc/unbound/openssl-sha1.conf \
+        /usr/share/unbound/fedora-defaults.conf \
+        /usr/share/unbound/conf.d/*.conf \
+        /etc/unbound/local.d/*.conf \
+        /etc/unbound/keys.d/*.key \
+        /etc/unbound/unbound.conf \
+        /etc/unbound/unbound_control.key \
+        /etc/unbound/unbound_control.pem \
+        /etc/unbound/unbound_server.key \
+        /etc/unbound/unbound_server.pem \
+        "$sysusers"/unbound.conf \
+        "$tmpfilesdir"/unbound.conf \
+        /var/lib/unbound/root.key \
+        unbound \
+        unbound-checkconf \
+        unbound-control
+
+    $SYSTEMCTL -q --root "$initdir" enable unbound.service
+}
diff --git a/unbound-initrd.conf b/unbound-initrd.conf
new file mode 100644
index 0000000..7838b3d
--- /dev/null
+++ b/unbound-initrd.conf
@@ -0,0 +1,5 @@
+[Unit]
+Before=network-online.target
+
+[Install]
+WantedBy=network-online.target
diff --git a/unbound.spec b/unbound.spec
index b0803ee..3bb050c 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -68,6 +68,8 @@ Source24: unbound-local-root.conf
 Source25: openssl-sha1.conf
 Source26: remote-control-include.conf
 Source27: fedora-defaults.conf
+Source28: module-setup.sh
+Source29: unbound-initrd.conf
 
 # Downstream configuration changes
 Patch1: unbound-fedora-config.patch
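Review bot: `install()` copies the private keys `/etc/unbound/unbound_control.key` and `/etc/unbound/unbound_server.key` into the initramfs, so from then on the key material is only as protected as the generated image file; that is acceptable while the image keeps the root-only mode dracut normally applies, but the module should state it, e.g. `# control/server keys are private: the initramfs image must stay readable by root only`. With `inst_multiple -o` every file in the list that is missing on the host is skipped silently, including those keys (presumably generated by unbound-keygen.service, which this module does not pull in), so if the included remote-control.conf enables control, the unbound inside the initramfs would presumably refuse to start with no hint at image build time; a check after the copy, `[ -r /etc/unbound/unbound_control.key ] || dwarn "unbound: control keys missing, unbound-control will not work in the initramfs"`, makes that visible. `/var/lib/unbound/root.key` likewise becomes a build-time snapshot of the trust anchor, so images need rebuilding after anchor updates, which the comment block above the list could mention.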
@@ -200,6 +202,14 @@ Conflicts: python2-unbound < 1.9.3 Python 3 modules and extensions for unbound %endif +%package dracut +Summary: Unbound dracut module +Requires: dracut%{?_isa} +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description dracut +Unbound dracut module allowing use of Unbound for name resolution +in initramfs. %prep %if 0%{?fedora} @@ -378,6 +388,11 @@ install -p -m 0644 %{SOURCE27} %{buildroot}%{_datadir}/%{name}/ # Link unbound-control-setup.8 manpage to unbound-control.8 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8 +# install dracut module +mkdir -p %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound + +install -p -m 0755 %{SOURCE28} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound +install -p -m 0644 %{SOURCE29} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound %pre libs %sysusers_create_compat %{SOURCE20} @@ -503,5 +518,8 @@ popd %{_sbindir}/unbound-streamtcp %{_mandir}/man1/unbound-* +%files dracut +%{_prefix}/lib/dracut/modules.d/99unbound + %changelog %autochangelog From 70b71eee0d7b60ffea53379648af77d684f48df4 Mon Sep 17 00:00:00 2001 From: Tomas Korbar Date: Sun, 2 Feb 2025 09:26:21 +0100 Subject: [PATCH 105/139] Enabled libsystemd and change unbound service type to notify-reload "notify-reload" service type allows unbound to notify systemd not only about its readiness on startup but also about start and finish of reloading process. --- unbound.service | 2 +- unbound.spec | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/unbound.service b/unbound.service index 86ada76..66a8a34 100644 --- a/unbound.service +++ b/unbound.service @@ -12,7 +12,7 @@ Before=nss-lookup.target Wants=nss-lookup.target [Service] -Type=simple +Type=notify-reload EnvironmentFile=-/etc/sysconfig/unbound ExecStartPre=/usr/sbin/unbound-checkconf ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS diff --git a/unbound.spec b/unbound.spec index 3bb050c..d671a71 100644 --- a/unbound.spec 
+++ b/unbound.spec @@ -2,7 +2,7 @@ %{?!with_python3: %global with_python3 1} %{?!with_munin: %global with_munin 1} %bcond_without dnstap -%bcond_with systemd +%bcond_without systemd %bcond_without doh %if 0%{?rhel} && ! 0%{?epel} %bcond_with redis From 70853eb59e4dcd428ab7ca958d234996c9f006c4 Mon Sep 17 00:00:00 2001 From: Tomas Korbar Date: Fri, 7 Feb 2025 13:00:10 +0100 Subject: [PATCH 106/139] Change service type to notify notify-reload was a mistake. It unconditionally sends signal to service process additionally to executing ExecReload which does not make sense. --- unbound.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unbound.service b/unbound.service index 66a8a34..d476504 100644 --- a/unbound.service +++ b/unbound.service @@ -12,7 +12,7 @@ Before=nss-lookup.target Wants=nss-lookup.target [Service] -Type=notify-reload +Type=notify EnvironmentFile=-/etc/sysconfig/unbound ExecStartPre=/usr/sbin/unbound-checkconf ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS From 7bf537562731e72de05a26b7ea7714ca7d4cd56f Mon Sep 17 00:00:00 2001 From: Tomas Korbar Date: Mon, 10 Feb 2025 14:08:28 +0100 Subject: [PATCH 107/139] Add possibility to disable unbound-anchor by file presence --- tmpfiles-unbound.conf | 2 +- unbound-anchor.service | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tmpfiles-unbound.conf b/tmpfiles-unbound.conf index bb88f01..c09cc75 100644 --- a/tmpfiles-unbound.conf +++ b/tmpfiles-unbound.conf @@ -1 +1 @@ -D /run/unbound 0755 unbound unbound - +D /run/unbound 0775 unbound root - diff --git a/unbound-anchor.service b/unbound-anchor.service index 59683c8..1116243 100644 --- a/unbound-anchor.service +++ b/unbound-anchor.service 
@@ -6,5 +6,5 @@ Documentation=man:unbound-anchor(8) Type=oneshot User=unbound EnvironmentFile=-/etc/sysconfig/unbound -ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi' +ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ] || [ -f /run/unbound/anchor-disable ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi' SuccessExitStatus=1 From 9e6c96e4debe3ed2f7c35c182dc3f33699294533 Mon Sep 17 00:00:00 2001 From: Tomas Korbar Date: Mon, 10 Feb 2025 20:32:06 +0100 Subject: [PATCH 108/139] Fix ownership and mode record of rundir Previous change introduced mode change and group change of rundir but it was not changed in files section, so fix that. --- unbound.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index d671a71..aa9ce44 100644 --- a/unbound.spec +++ b/unbound.spec @@ -438,7 +438,7 @@ popd %doc doc/CREDITS doc/FEATURES %{_unitdir}/%{name}.service %{_unitdir}/%{name}-keygen.service -%attr(0755,unbound,unbound) %dir %{_rundir}/%{name} +%attr(0775,unbound,root) %dir %{_rundir}/%{name} %attr(0644,root,root) %{_tmpfilesdir}/unbound.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/openssl-sha1.conf From 553fad845fcef27d8ce3fde25ae6d77b11469898 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 11 Feb 2025 18:03:11 +0100 Subject: [PATCH 109/139] Drop call to %sysusers_create_compat After https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers, rpm will handle account creation automatically. --- unbound.spec | 3 --- 1 file changed, 3 deletions(-) diff --git a/unbound.spec b/unbound.spec index aa9ce44..7d7a345 100644 --- a/unbound.spec +++ b/unbound.spec 
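Review bot: `[ -f /run/unbound/anchor-disable ]` makes a file in a directory owned by the `unbound` account the switch that suppresses root trust anchor refreshes, and the hunk does not say who is expected to create it. Because unbound-anchor.service itself runs with `User=unbound`, the flag gives that account nothing it could not already do, but unlike `DISABLE_UNBOUND_ANCHOR` from the root-owned sysconfig file it is not an administrator-only control, and since `D /run/unbound` in tmpfiles-unbound.conf empties the directory at boot the flag only lasts one boot. A comment in the unit, `# /run/unbound/anchor-disable is per-boot (tmpfiles D) and writable by the unbound user`, would record both facts. The tmpfiles hunk of this commit also changes the directory to `0775 unbound root` without the commit message saying why; the %files entry in the following commit mirrors it, so a short comment in tmpfiles-unbound.conf would help.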
@@ -152,7 +152,6 @@ The devel package contains the unbound library and the include files %package libs Summary: Libraries used by the unbound server and client applications Recommends: %{name}-anchor -%{?sysusers_requires_compat} %if ! 0%{with_python2} # Make explicit conflict with no longer provided python package Obsoletes: python2-unbound < 1.9.3 @@ -394,8 +393,6 @@ mkdir -p %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound install -p -m 0755 %{SOURCE28} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound install -p -m 0644 %{SOURCE29} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound -%pre libs -%sysusers_create_compat %{SOURCE20} %post %systemd_post unbound.service From 4235e612e401caa3250127544a885469f243df5c Mon Sep 17 00:00:00 2001 From: Python Maint Date: Mon, 2 Jun 2025 20:47:35 +0200 Subject: [PATCH 110/139] Rebuilt for Python 3.14 From 82c9bae8100adedb366562fc57aa9df07b1a84c1 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Fri, 25 Apr 2025 14:23:35 +0200 Subject: [PATCH 111/139] Update to 1.23.0 (rhbz#2362019) Features: - Increase the default of max-global-quota to 200 from 128 after operational feedback. Still keeping the possible amplification factor (CAMP related issues) in the hundreds. - Fix #1175: serve-expired does not adhere to secure-by-default principle. The default value of serve-expired-client-timeout is set to 1800 as suggested by RFC8767. - For #1175, the default value of serve-expired-ttl is set to 86400 (1 day) as suggested by RFC8767. - For #1207: [FR] Support for RESINFO RRType 261 (RFC9606), add LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT. - Add resolver.arpa and service.arpa to the default locally served zones. - Merge #1042: Fast Reload. The unbound-control fast_reload is added. It reads changed config in a thread, then only briefly pauses the service threads, that keep running. DNS service is only interrupted briefly, less than a second. - Merge #1019: Redis read-only replica support. Introduces new 'redis-replica-*' options for the Redis cache backend. - Merge #902: DNS Error Reporting (RFC 9567). Introduces new configuration option 'dns-error-reporting' and new statistics for 'num.dns_error_reports'. And bug fixes. https://nlnetlabs.nl/projects/unbound/download/#unbound-1-23-0 --- .gitignore | 2 ++ sources | 4 ++-- unbound.spec | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 31c5a81..0d774db 100644 --- a/.gitignore +++ b/.gitignore @@ -95,3 +95,5 @@ unbound-1.4.5.tar.gz /unbound-1.21.1.tar.gz.asc /unbound-1.22.0.tar.gz /unbound-1.22.0.tar.gz.asc +/unbound-1.23.0.tar.gz +/unbound-1.23.0.tar.gz.asc diff --git a/sources b/sources index 87f2b6b..bcc3609 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (unbound-1.22.0.tar.gz) = 6c873e19902ce6cd59cec7084d5dba1a5bd5fe4437c827ae69bdf9273bcd8d2d1ec0dc183076f8d2e1fd38730bf8c10852d678399f0b2ea8ccf7e39119568978 -SHA512 (unbound-1.22.0.tar.gz.asc) = afbf5a125f104a25576b1c416b32f68d715b41a025fc3a61e6ee3bc28f9988b4277c7f0dd188c51cbe5641f51ade20f740ea131d1a7b5db38e2d1462a9edbb69 +SHA512 (unbound-1.23.0.tar.gz) = 9b5ca48f4f5189f168f76396f5895f39262a4333e589f8c64bb9298a55c6266f626a4a4399370c68edd9f6318215a401146bf9e16a101c54decf623668a398af +SHA512 (unbound-1.23.0.tar.gz.asc) = f69db33fe13813fbbeb7c6bfe9158d1475f6e1ba4014e11c33f18e276f6f9fa903318d2718d7864b8af1dd5e4c90ac59b8d31579600c7e08eedf71b07301a10c diff --git a/unbound.spec b/unbound.spec index 7d7a345..bc78d87 100644 --- a/unbound.spec +++ b/unbound.spec @@ -36,7 +36,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.22.0 +Version: 1.23.0 Release: %autorelease %{?extra_version:-e %{extra_version}} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ From db5deb1acce8a0f1d06812510900d33330f5efec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Mon, 19 May 2025 11:22:49 +0200 Subject: [PATCH 112/139] Add wildcard into gitignore for new upstreams --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index 0d774db..9a43a25 100644 --- a/.gitignore +++ b/.gitignore @@ -97,3 +97,5 @@ unbound-1.4.5.tar.gz /unbound-1.22.0.tar.gz.asc /unbound-1.23.0.tar.gz /unbound-1.23.0.tar.gz.asc +/unbound-1.*.tar.gz +/unbound-1.*.tar.gz.asc From 15a52378b59b3c7949d63a26352082faf6e2fd46 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Mon, 9 Jun 2025 16:20:27 +0200 Subject: [PATCH 113/139] Remove group access from unbound_server.key It were ensured by the generation script, that the generated key would be readable just by the user. Since PR #1220 is the control channel key readable by group too, but make generated server key marked for the root only. Do not show in list of modified files. --- unbound.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index bc78d87..5d98a01 100644 --- a/unbound.spec +++ b/unbound.spec @@ -448,7 +448,7 @@ popd %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.pem %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.key %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.pem -%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key +%ghost %attr(0600,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key %{_sbindir}/unbound %{_sbindir}/unbound-checkconf %{_sbindir}/unbound-control From e3be8477dd432a8c74e4e266b408b3b6123c6f68 Mon Sep 17 00:00:00 2001 From: Python Maint Date: Tue, 10 Jun 2025 15:23:50 +0200 Subject: [PATCH 114/139] Rebuilt for Python 3.14 From a5499543e550d6a2b42ef33daf803be1c710c7b2 Mon Sep 17 00:00:00 2001 From: "psklenar@redhat.com" Date: Mon, 9 Jun 2025 17:02:37 +0200 Subject: [PATCH 115/139] fedora CI plans move to gitlab for centos-stream test space https://issues.redhat.com/browse/RHELMISC-13073 --- plans/all.fmf | 2 +- plans/tier1-public.fmf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/plans/all.fmf b/plans/all.fmf index cd001bd..538bd41 100644 --- a/plans/all.fmf +++ b/plans/all.fmf @@ -1,7 +1,7 @@ summary: Test plan with all Fedora tests discover: how: fmf - url: https://src.fedoraproject.org/tests/unbound.git + url: https://gitlab.com/redhat/centos-stream/tests/unbound.git execute: how: tmt 
diff --git a/plans/tier1-public.fmf b/plans/tier1-public.fmf index 10f167c..6ffbfd1 100644 --- a/plans/tier1-public.fmf +++ b/plans/tier1-public.fmf @@ -1,7 +1,7 @@ summary: Public (Fedora) Tier1 beakerlib tests discover: how: fmf - url: https://src.fedoraproject.org/tests/unbound.git + url: https://gitlab.com/redhat/centos-stream/tests/unbound.git filter: 'tier: 1' execute: how: tmt From 2ae538e522cba7aeb0074cb58ad16897fafdd8e2 Mon Sep 17 00:00:00 2001 From: Tomas Korbar Date: Thu, 17 Jul 2025 12:55:05 +0200 Subject: [PATCH 116/139] Update to 1.23.1 (rhbz#2380450) https://github.com/NLnetLabs/unbound/releases/tag/release-1.23.1 This security release fixes the Rebirthday Attack CVE-2025-5994. --- .gitignore | 2 ++ sources | 4 ++-- unbound.spec | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 9a43a25..cec9517 100644 --- a/.gitignore +++ b/.gitignore @@ -97,5 +97,7 @@ unbound-1.4.5.tar.gz /unbound-1.22.0.tar.gz.asc /unbound-1.23.0.tar.gz /unbound-1.23.0.tar.gz.asc +/unbound-1.23.1.tar.gz +/unbound-1.23.1.tar.gz.asc /unbound-1.*.tar.gz /unbound-1.*.tar.gz.asc diff --git a/sources b/sources index bcc3609..aa34842 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (unbound-1.23.0.tar.gz) = 9b5ca48f4f5189f168f76396f5895f39262a4333e589f8c64bb9298a55c6266f626a4a4399370c68edd9f6318215a401146bf9e16a101c54decf623668a398af -SHA512 (unbound-1.23.0.tar.gz.asc) = f69db33fe13813fbbeb7c6bfe9158d1475f6e1ba4014e11c33f18e276f6f9fa903318d2718d7864b8af1dd5e4c90ac59b8d31579600c7e08eedf71b07301a10c +SHA512 (unbound-1.23.1.tar.gz) = b31858eb03fed1fb2aead03aa5b6f32476678067c28ff4816808cbdcae32591e36bee966b25c6b702e3fb51588ae467efab7934a24971193f1183edd5c561b7b +SHA512 (unbound-1.23.1.tar.gz.asc) = b1cea2405e6d5fe5d3f37ae64598fd8490c04b001345e3f6b1ed02b6f8f940a3dc7c7af5a52053378cf23cbff3c4887ccd9b3fa440c1d0d5a3d43544fbe3e956 diff --git a/unbound.spec b/unbound.spec index 5d98a01..df72cb2 100644 --- a/unbound.spec +++ b/unbound.spec 
@@ -36,7 +36,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.23.0 +Version: 1.23.1 Release: %autorelease %{?extra_version:-e %{extra_version}} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ From 90c60fc7f873390b841aba4063387e09cf031be7 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 25 Jul 2025 19:46:00 +0000 Subject: [PATCH 117/139] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild From b28faf7eaad0f6384bae144f90e20e56fe868b44 Mon Sep 17 00:00:00 2001 From: Python Maint Date: Fri, 15 Aug 2025 15:21:27 +0200 Subject: [PATCH 118/139] Rebuilt for Python 3.14.0rc2 bytecode From 977179bbc7545c2a2a9da5801479d49cc2fa3381 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Wed, 2 Jul 2025 15:13:05 +0200 Subject: [PATCH 119/139] Make root.key maintained unmodified Hide rpm -V unbound-libs changed file when unbound-anchor has done the change. Use %config for the symlink presence to protect it against unrelated package changes. It will reset root.key only when that file were modified. Related: RHEL-64339 --- unbound.spec | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/unbound.spec b/unbound.spec index df72cb2..1272b21 100644 --- a/unbound.spec +++ b/unbound.spec 
@@ -495,10 +495,10 @@ popd %{_sysusersdir}/%{name}.conf %{_libdir}/libunbound.so.8* %dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name} -%config(noreplace) %verify(not link user group) %{_sharedstatedir}/%{name}/root.key +%config %verify(not link owner group size mtime mode md5) %{_sharedstatedir}/%{name}/root.key # just left for backwards compat with user changed unbound.conf files - format is different! -%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key -%attr(0644,root,root) %config %{_sysconfdir}/%{name}/dnssec-root.key +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-root.key %files anchor %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name} From df6032978a05b9a12855a75c8d780abfc4598a22 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Wed, 2 Jul 2025 15:27:35 +0200 Subject: [PATCH 120/139] Add new DNSSEC root anchor 38696 --- root.anchor | 1 + root.key | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/root.anchor b/root.anchor index c78ee03..1559542 100644 --- a/root.anchor +++ b/root.anchor 
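Review bot: `%verify(not link owner group size mtime mode md5)` turns off every attribute `rpm -V` checks on /var/lib/unbound/root.key, so tampering with the DNSSEC root trust anchor is no longer reported by package verification at all; the commit accepts this because unbound-anchor rewrites the file, but the hunk does not record the trade-off. A comment above the line, `# rewritten by unbound-anchor (RFC 5011); rpm -V is silenced on purpose, so anchor integrity is not covered by package verification`, keeps that explicit. Dropping `noreplace` means an upgrade replaces a modified root.key and presumably leaves the old one as .rpmsave, which is the reset the commit message describes; that behaviour is worth a sentence in the same comment.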
@@ -1 +1,2 @@ +. 172800 IN DNSKEY 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ;{id = 38696 (ksk), size = 2048b} . 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} diff --git a/root.key b/root.key index 6c5622c..94d2e23 100644 --- a/root.key +++ b/root.key @@ -1,6 +1,6 @@ ; // The root key in bind format. This can be read by most tools, including ; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this trusted-keys { +"." 257 3 8 "AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc="; // key id = 38696 "." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326 - }; From 1bfccbf959fbc5f73e3a23f024e0b313f0b48dcb Mon Sep 17 00:00:00 2001 
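Review bot: The new KSK (key id 38696) is added to root.anchor and root.key as raw key material, and neither the files nor the commit message record where it was obtained or how it was checked; this record is the root of every DNSSEC validation the resolver performs, so the provenance should be reviewable. Extend the existing trailing comment in root.anchor, e.g. `;{id = 38696 (ksk), size = 2048b} verified against the IANA root-anchors publication on <date placeholder>`, and say the same in the commit message. The two copies are consistent with each other (flags 257, algorithm 8, identical key data), which is worth keeping true on future updates; the copy unbound-anchor maintains under /var/lib/unbound/root.key is updated separately.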
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Fri, 29 Aug 2025 12:18:39 +0200 Subject: [PATCH 121/139] Make even existing unbound_control.key readable by group Make the permission change only when updating from version, where it were generated without group readable bit. Related: RHEL-73862 --- unbound.spec | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/unbound.spec b/unbound.spec index 1272b21..a8aa282 100644 --- a/unbound.spec +++ b/unbound.spec @@ -420,6 +420,13 @@ fi %postun anchor %systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer +%triggerun -- unbound < 1.23.1-4 +if [ "$(stat -c '%%a %%G' %{_sysconfdir}/%{name}/unbound_control.key 2>/dev/null)" = '600 unbound' ]; then + # change permissions of existing key just once, where it were generated with wrong perms + %{_bindir}/chmod g+r "%{_sysconfdir}/%{name}/unbound_control.key" || : +fi + + %check export OPENSSL_CONF="%{buildroot}%{_sysconfdir}/unbound/openssl-sha1.conf" make check From b2122945560534708dcd2ead9bf0c5599757252f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Fri, 29 Aug 2025 13:30:03 +0200 Subject: [PATCH 122/139] Deprecate /etc/unbound/root.key That format has been obsoleted by bind and has minimal format verification. Use instead DNS format in dnssec-root.key or file maintained by unbound-anchor service. --- root.key | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/root.key b/root.key index 94d2e23..848887d 100644 --- a/root.key +++ b/root.key 
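Review bot: The shell in the trigger is inconsistent about path qualification: `chmod` goes through `%{_bindir}` while `stat` is bare, so either both or neither should be qualified, e.g. `if [ "$(%{_bindir}/stat -c '%%a %%G' %{_sysconfdir}/%{name}/unbound_control.key 2>/dev/null)" = '600 unbound' ]; then`. The widening itself matches the `%ghost %attr(0640,root,unbound)` declared for the file in %files, so the one-off `g+r` only brings existing installations to the packaged mode. A key whose group is not `unbound` is left untouched by the comparison; if that is intended, the comment should say so, since such a file also stays unreadable to the service group.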
@@ -1,5 +1,7 @@ -; // The root key in bind format. This can be read by most tools, including -; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this +# The root key in obsoleted bind format. This can be read by some tools, including +# named, unbound, delv etc. For libunbound, use ub_ctx_trustedkeys() to load this +# Prefer DNS format in /var/lib/unbound/root.key or /etc/unbound/dnssec-root.key, +# ub_ctx_add_ta_file or trust-anchor-file: format trusted-keys { "." 257 3 8 "AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc="; // key id = 38696 "." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326 From 54b50a3ae263d929947feaea29f3e44218d098e4 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 18 Sep 2025 16:22:44 +0200 Subject: [PATCH 123/139] Update 1.24.0 (rhbz#2396332) Features: - Increase default to num-queries-per-thread: 2048, when unbound is compiled with libevent. - Merge #1276: Auto-configure '-slabs' values. - Adjusted so-sndbuf default to 4m. - Fix #1303: [FR] Disable TLSv1.2. - unbound-control cache_lookup prints the cached rrsets and messages for those. - unbound-control cache_lookup +t allows tld and root names. And subnet cache contents are printed. - Fix #1319: [FR] zone status for Unbound auth-zones. And bug fixes. https://github.com/NLnetLabs/unbound/releases/tag/release-1.24.0 --- sources | 4 ++-- unbound.spec | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/sources b/sources index aa34842..9339806 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (unbound-1.23.1.tar.gz) = b31858eb03fed1fb2aead03aa5b6f32476678067c28ff4816808cbdcae32591e36bee966b25c6b702e3fb51588ae467efab7934a24971193f1183edd5c561b7b -SHA512 (unbound-1.23.1.tar.gz.asc) = b1cea2405e6d5fe5d3f37ae64598fd8490c04b001345e3f6b1ed02b6f8f940a3dc7c7af5a52053378cf23cbff3c4887ccd9b3fa440c1d0d5a3d43544fbe3e956 +SHA512 (unbound-1.24.0.tar.gz) = ca2adb421bb7ebf636d1442d684b5f43bf5db7c778d9ca159635b67212294bb499aa451b79f244acbea36106db7242ed1afb72fcf425fec57c0eff5f19866ae3 +SHA512 (unbound-1.24.0.tar.gz.asc) = 076c1b82c08c94950e0f364578270a0d1377e0d59197ef822552a6fb05fd01d5a3aa77e6b53c2d785720c30c10cd112eb737caeb7db6eb280752e98a1e8c9866 diff --git a/unbound.spec b/unbound.spec index a8aa282..d66648e 100644 --- a/unbound.spec +++ b/unbound.spec @@ -36,7 +36,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.23.1 +Version: 1.24.0 Release: %autorelease %{?extra_version:-e %{extra_version}} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ From 6484d5618ba899a8fd42e115024e21590695ea2c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 18 Sep 2025 16:20:28 +0200 Subject: [PATCH 124/139] Basic ngtcp2 support Not yet enabled by default --- unbound.spec | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/unbound.spec b/unbound.spec index d66648e..2c584c6 100644 --- a/unbound.spec +++ b/unbound.spec @@ -4,6 +4,7 @@ %bcond_without dnstap %bcond_without systemd %bcond_without doh +%bcond_with ngtcp2 %if 0%{?rhel} && ! 0%{?epel} %bcond_with redis %else @@ -111,6 +112,9 @@ BuildRequires: systemd-rpm-macros %else BuildRequires: systemd %endif +%if %{with ngtcp2} +BuildRequires: ngtcp2-devel +%endif # Needed because /usr/sbin/unbound links unbound libs staticly Requires: %{name}-libs%{?_isa} = %{version}-%{release} @@ -281,6 +285,9 @@ autoreconf -fiv %if %{with redis} --with-libhiredis \ --enable-cachedb \ +%endif +%if %{with ngtcp2} + --with-libngtcp2 \ %endif %{configure_args} @@ -296,6 +303,9 @@ pushd %{dir_secondary} %endif %if %{with systemd} --enable-systemd \ +%endif +%if %{with ngtcp2} + --with-libngtcp2 \ %endif %{configure_args} From 829c6a90cd845aceefeef8cc10d6629a64ff09f7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Fri, 19 Sep 2025 10:19:04 +0200 Subject: [PATCH 125/139] Require only ngtcp ossl devel package and enable it Enable it only conditionally on distributions with OpenSSL 3.5.0 present, avoid it elsewhere. --- unbound.spec | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/unbound.spec b/unbound.spec index 2c584c6..76cb314 100644 --- a/unbound.spec +++ b/unbound.spec @@ -4,7 +4,9 @@ %bcond_without dnstap %bcond_without systemd %bcond_without doh -%bcond_with ngtcp2 +%if 0%{?rhel} >= 10 || 0%{?fedora} >= 43 +%bcond_without ngtcp2 +%endif %if 0%{?rhel} && ! 0%{?epel} %bcond_with redis %else 
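Review bot: `%bcond_without ngtcp2` is now declared only inside the `%if 0%{?rhel} >= 10 || 0%{?fedora} >= 43` branch, so on every other release there is no bcond at all and a `--with ngtcp2` build override does nothing (`%{with ngtcp2}` stays 0 because `with_ngtcp2` is never defined); an `%else` / `%bcond_with ngtcp2` before the `%endif` keeps the knob available everywhere while defaulting it off. The commit message gives the real reason (OpenSSL 3.5.0 being present) but the condition encodes it as distro versions, so a comment such as `# ngtcp2 via its OpenSSL backend needs OpenSSL >= 3.5.0, which only these releases ship` would preserve the rationale. The later patch 132 change to this same block (`%if 0%{?fedora} >= 43 && !0%{?rhel}`) keeps the structure and likewise has no `%else`.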
@@ -113,7 +115,7 @@ BuildRequires: systemd-rpm-macros BuildRequires: systemd %endif %if %{with ngtcp2} -BuildRequires: ngtcp2-devel +BuildRequires: ngtcp2-crypto-ossl-devel %endif # Needed because /usr/sbin/unbound links unbound libs staticly From 7135b6ff2a3faa1a0bc92895b1f43e2d600ac36b Mon Sep 17 00:00:00 2001 From: Python Maint Date: Fri, 19 Sep 2025 15:01:14 +0200 Subject: [PATCH 126/139] Rebuilt for Python 3.14.0rc3 bytecode From 5a16ee63cc7e0c9c9bd1492f81e242ee03aadde1 Mon Sep 17 00:00:00 2001 From: Jens Kuehnel Date: Sun, 5 Oct 2025 01:08:31 +0200 Subject: [PATCH 127/139] allow parameters from fedora-defaults to be overwritten (rhzb#2401608) --- unbound-fedora-config.patch | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch index be28920..da88960 100644 --- a/unbound-fedora-config.patch +++ b/unbound-fedora-config.patch @@ -14,6 +14,16 @@ diff --git a/doc/example.conf.in b/doc/example.conf.in index 59090c6..3a86809 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in +@@ -8,6 +8,9 @@ + # Use this anywhere in the file to include other text into this file. + #include: "otherfile.conf" + ++# Default Fedora settings ++include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf" ++ + # Use this anywhere in the file to include other text, that explicitly starts a + # clause, into this file. Text after this directive needs to start a clause. + #include-toplevel: "otherfile.conf" @@ -51,11 +51,19 @@ server: # specify 0.0.0.0 and ::0 to bind to all available interfaces. # specify every interface[@port] on a new 'interface:' labelled line. 
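Review bot: The relocated `include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf"` now sits at the top of example.conf before any clause is opened, so it relies on the included file opening its own `server:` clause (as it presumably already does, since at the old position it followed the remote-control clause), and the reason for the move — an option written later in unbound.conf overrides the Fedora default — is not stated anywhere in the file. Suggest expanding the comment to `# Default Fedora settings (the file opens its own server: clause); any option set later in this file overrides them`. The second hunk of this commit only removes the old trailing include and needs no change.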
@@ -73,13 +83,10 @@ index 59090c6..3a86809 100644 # tls-port: 853 # https-port: 443 # quic-port: 853 -@@ -1166,6 +1181,12 @@ remote-control: +@@ -1166,6 +1181,9 @@ remote-control: # unbound-control certificate file. # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem" - -+# Default Fedora settings -+include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf" -+ + +# Stub and Forward zones +include: "@sysconfdir@/unbound/conf.d/*.conf" + From 4f4dfb2fcb4226902ab2aa9c5a6c00a0550d3071 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 2 Oct 2025 18:02:42 +0200 Subject: [PATCH 128/139] Create root key if missing automatically Prepare tmpfiles.d script for creating /var/lib/unbound in case it is missing. Prepare link to root.key also. Related: RHEL-118375 --- tmpfiles-unbound-libs.conf | 2 ++ unbound.spec | 11 +++++++---- 2 files changed, 9 insertions(+), 4 deletions(-) create mode 100644 tmpfiles-unbound-libs.conf diff --git a/tmpfiles-unbound-libs.conf b/tmpfiles-unbound-libs.conf new file mode 100644 index 0000000..d71ea46 --- /dev/null +++ b/tmpfiles-unbound-libs.conf @@ -0,0 +1,2 @@ +d /var/lib/unbound 0755 unbound unbound - +L /var/lib/unbound/root.key - - - - ../../../etc/unbound/dnssec-root.key diff --git a/unbound.spec b/unbound.spec index 76cb314..3b7ffeb 100644 --- a/unbound.spec +++ b/unbound.spec @@ -73,6 +73,7 @@ Source26: remote-control-include.conf Source27: fedora-defaults.conf Source28: module-setup.sh Source29: unbound-initrd.conf +Source30: tmpfiles-unbound-libs.conf # Downstream configuration changes Patch1: unbound-fedora-config.patch 
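Review bot: The new tmpfiles-unbound-libs.conf has no comment, and the behaviour its two entries rely on is easy to misread: `L` only creates `/var/lib/unbound/root.key` when nothing exists at that path, so an anchor file already written by the unbound-anchor service is left untouched, and the relative target `../../../etc/unbound/dnssec-root.key` only resolves because the link lives exactly three levels below `/`. Suggest a header `# Recreate /var/lib/unbound and the compatibility root.key link when missing; 'L' never replaces an existing root.key, so anchors updated by unbound-anchor are kept`. tmpfiles.d files accept `#` comment lines, so this costs nothing at runtime.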
@@ -350,17 +351,18 @@ done %endif # install streamtcp man page -install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1 -install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc +install -p -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1 +install -p -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc # Install tmpfiles.d config install -d -m 0755 %{buildroot}%{_tmpfilesdir} %{buildroot}%{_sharedstatedir}/unbound -install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf +install -p -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf +install -p -m 0644 %{SOURCE30} %{buildroot}%{_tmpfilesdir}/unbound-libs.conf # install root - we keep a copy of the root key in old location, # in case user has changed the configuration and we wouldn't update it there install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/ -install -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/unbound/dnssec-root.key +install -p -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/unbound/dnssec-root.key # make initial key static pushd %{buildroot}%{_sharedstatedir}/unbound KEYPATH=$(realpath --relative-to="%{buildroot}%{_sharedstatedir}/unbound" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key") @@ -518,6 +520,7 @@ popd # just left for backwards compat with user changed unbound.conf files - format is different! %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-root.key +%attr(0644,root,root) %{_tmpfilesdir}/unbound-libs.conf %files anchor %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name} From dc162ef64715726ad7819af5bad1f2cb2c6d26b6 Mon Sep 17 00:00:00 2001 
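Review bot: `install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/` is the only install line in this hunk left without `-p`, while the neighbouring lines for SOURCE8, SOURCE13, SOURCE30 and the man page all gained it; unless root.key is meant to carry the build timestamp, change it to `install -p -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/` for consistency. The file is installed as `%{_tmpfilesdir}/unbound-libs.conf`, which suggests it belongs to the libs subpackage; the `%files` hunk later in this commit lists it next to root.key and dnssec-root.key, but the `%files` header for that section is outside the hunk, so please confirm it lands in `%files libs` together with the `%{_sharedstatedir}/unbound` directory it manages.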
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Fri, 24 Oct 2025 18:10:12 +0200 Subject: [PATCH 129/139] Update to 1.24.1 (rhbz#2405698) Fix CVE-2025-11411 (possible domain hijacking attack), reported by Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan from Tsinghua University. https://nlnetlabs.nl/projects/unbound/download/#unbound-1-24-1 --- Yorgos.asc | 122 +++++++++++++++++++++++++-------------------------- sources | 4 +- unbound.spec | 3 +- 3 files changed, 65 insertions(+), 64 deletions(-) diff --git a/Yorgos.asc b/Yorgos.asc index e18ec55..8d0008d 100644 --- a/Yorgos.asc +++ b/Yorgos.asc 
@@ -13,31 +13,31 @@ S9TpYmjMwURbuYm+rWZk/8w5OJG60V3wax56c0jn/42O3Y2hzQ+PbOv2M4UuuajS g3LssVS2bKy5g3IhrzCKAk0Sky4S5t/mcN+lWztNvCijuLz58GCym5GwJQARAQAB tCtZb3Jnb3MgVGhlc3NhbG9uaWtlZnMgPHlvcmdvc0BubG5ldGxhYnMubmw+iQJX BBMBCABBAhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAhkBFiEElI60IyLF0At5 -NA9dz/M0TZCHpJAFAmbz0CwFCRD85cYACgkQz/M0TZCHpJBVnhAAkcd79Twxj/tt -C4q2Xpq75+Ew6YR9gLqYiV5vEd6fu0oyhuVoUlfTkjH4ALIoGIKaO9yAVUXsrGrs -n1aJPo1Mw3q6mIwtQOxXz/W44LuFzcvZkHtCYX4YyLrUHXZPvl+r4eYkTOcyyQMU -BmbuvWhufv8MBilvWltQLxfLlgihbfuIrxqjAYDhqCffpgUiZyCut2rrenIgeh1f -DvC+GjZ3cfb1UsIpzm19yr4NCiTHkLkCOAAcAUFwWWeO/jfUsSvFQEHUnYNRREzI -Lth9NlKwPtsOVi+wcNnWQtFQb11BMr407xBib7hLSIFiqvOiYgQABjZdWN+snCRP -ZZSruigjE9ateOloJwmBqrSJLAywxvDE0ivqfSj51W5eJc/JLSXvjrOuW28dJCr8 -RV9PjC9X7zuTiFLzV8SVH71Z43Rix8n7AOp3wgRe3SygEyQXPj4qbm5HHVsx9GEA -zn495L99dJ4wZgjkbEsGhzwUx7N9FHEGS/sz3LiEq+ZYckR6gzTMMrQJgbsS9lnK -9xlXsp37uIYvx9W9JZXtS+AZhw0q3osMYBF68HPX8B9GBYlkQWmWSIMfzRYcD2n1 -5+XsfERK4mxcTWl2sCYpt8Sy3tADj9nQDabAlGUd/hlFS1dvDVQjGh6ER5S0nZjY -nmRsLl8nOTKhb2xY+2p1sDjxxQYJJQe0K0dlb3JnZSBUaGVzc2Fsb25pa2VmcyA8 +NA9dz/M0TZCHpJAFAmjWhkcFCRLfm+EACgkQz/M0TZCHpJANXhAAvTpKNl5+kU1d +lcFrXx4pgi/knhe0y1Z+ENQWVDYTs9v+lMoyCRQuAt1Cir1LAGWfRBdTQh60I6Dc +BDj+15pFJCv/dyZiQLPUgxLtIxkwIUSjELp8JevNHhGMNz7QWdG4SEpG2aF/D2Zz +kvaoomPGjRyo/bkgR2la6eqrCOxYVP+FT7682yf0bCvSTs1kTrnwFY93s7O2RciI +MS0XWcHPtoi96JxhzUIT+v0gSFuitZhRGPh9pyIcHmRER1yKugvMp6xF5UjNIcfL +ScrNlGXgjc6EJiGXS5CHliIlxlAxs4J1T9JiGQZOAW/CPxe4IND34DhqwvQcJdtL +8jt1b2xUcuFfYNa3SY671OnLt3EhwMsYDaSIXrPqW8R6XuaSxhb4sL/okHkb833b +CgaWvjQZgRm1h0R2IY5C3kHotsLUd2fygrtVVvaLxGEoi9UBsKoLu2kHEJnV5HJO +jfJMBBGgGFscfk3p1v4SAA30xPR7i6O2KDmFsVzL6xKbnFMMmayEVfWzGXmxB7lv +ob6HrJIvVH6mx64OsAY0LQI6abQI3TTZn13+RNxuATQS+j0tqbZvVJtWFw41eqsU +OqeNF9W323uvhJcjDyYquAREIivFXkzxa9y3rgQfB9OX9usD79aij4y/YLqZxafl +InYUlMGygNOGXruFRZ7DD6zciK2Zu7W0K0dlb3JnZSBUaGVzc2Fsb25pa2VmcyA8 Z2VvcmdlQG5sbmV0bGFicy5ubD6JAlQEEwEIAD4CGyMFCwkIBwIGFQgJCgsCBBYC -AwECHgECF4AWIQSUjrQjIsXQC3k0D13P8zRNkIekkAUCZvPQPQUJEPzlxgAKCRDP 
-8zRNkIekkFfCEACheY1yr2Z+LPjm/Nd2eA4CFFO7nUQHI+a6lYBd57txrRuIicuG -pGjOhnvcioRwICiKNLJD3YTU+WOd+sbO7BXH2sw2KdU9NK1ojKX/SQiTg6upfJsu -gbgar2oPvR88B7oSiuonZnhEf72HfWKDSBXHpi6KC6S3JZ+o50NB3GBpwUL1lfKW -ovymYbN6tYQfqw/+AP5jUUNpkclC0RbcW69rpvrHHqeQV1AVKkm/jNQpWLKYTGF7 -bbdLkgMh3rHp8gmF0/GuK+oyL7xD+TEXfr3iqlDIVuxbxDN8xTti1RrERU/MWQar -qOSFZcr4t+nlwThJidDLF/u3h0Ymrjz92VTfCgELIwCKxGX7jAyLZHzuWAp+0Pr/ -yuHodbweGNcGVoXmIpK93/WZcfFlBcyQLECVcijmxd7Euk0xDk76RQpuuL5VOWqn -aZcf2uNfppwKFZJjcXwK+EQbwN7+RFNvLrwoRn/1xM57T5AYBAgSvKb6h0G5KwW6 -tJfJdSu1MHfCZS1hH1Gr4+UG+VbLCVmQ9N/lUs0bcD7pK+bA1W0YnsIVuaQ+YZUh -KrJoCUF0kVDtW9ETZkp0iVBm1Q9xgTGaxUTVmctOyAbdCLyHNra4fo1BAdGlu+IP -qAcktaBUKFxWxRxf9O5kGihce9anK8CJ/TCnQ7wSvyYrlAoBoQaS78VzYYkBHAQS +AwECHgECF4AWIQSUjrQjIsXQC3k0D13P8zRNkIekkAUCaNaGWAUJEt+b4QAKCRDP +8zRNkIekkKovEACQkeEImQeer9jsY066WyIpvrhcy6xtWjeW8v1ZasRoi+DOFWeA +18O5iD34UaIPPGFRu6PRdSMLdUqtelFgONVDnXEuqOGAptMcCI4wp4+NIFd00v0J +9A9ur7xWt0Q0O1fMjFOMPa5oQK9dg1MCI0/RWRObOPf3cIr2NhgWwBuKTCluKyFc +mnRQXwyxBGCBRvK5zKmA8BBlnHuPfunTAcduNSExUx3e0w5BD5lcG4YeyuR+IRcY +HJPGU20f634dDSJGKJvGxjpaCxGQNca6s8Mpkq3lm/D3Ia4Vpw/HdiSawv/U71S/ +4F6lctMjvoS73Ao9DZ4iDPqkHJ73HidNp7n25SLnXKruZsnXitjYT8ueP7byeLPi +7IvqoENXoXNqNfDuXfqri/WnHPYWbKIdj5WWFeaR3Ws+szw3Wql7mJ1cNFWbNCE7 +rGFPhSNyG3n6mlEBUKUYn8FuOF9PHwwWl86GHLI6O4xOIohESyrZrq2mJS61sSq6 +AAQ7cqx6UMNJdBcgB5Ry7qRUF6ZmowZZu3aWFF4dW+LwMvuaFjKzShsKzj8GCE0B +pQDjy+IeWM2mBVneuCicWwvbSzVWx+Ow42QRvmH8Ja9PqoIYeJQUiMr1+aAG6kUK +3VW4iugsu3/oFIlFrkYZy9YEfCOEMgqRKL/cuBJTZt0OPFRE/9O/M/FVmIkBHAQS AQIABgUCV9kUOAAKCRAwkY2CdXJCIju1B/oCvf1kWYndNeLS6U2O6DtFAL2Ia5tY Zukcyqb1hkYcrBiMZbQN94gX5a+6Q4pdd2n241r1ZuSWdwUhRUbF4mvbZMVsavnk cvrRGviVIUXf71W0O/IsmQ9oN0Finhpf14Y4z/xqF8DpvJdkWc6X5g+RJuko6q2w 
@@ -58,18 +58,18 @@ BmQpPk0ubYclwb07FcegaHSxxIqUo/kbyt1YV5mU+QVymZ+xyvIBrnW8hBuNWRvU TJaDBSgvxUtY0Ci+OWX38kffGGvhW3CM8V6skdVc8cp7Db7gxase4BxxtC5HZW9y Z2UgVGhlc3NhbG9uaWtlZnMgPGdlb3JnZUBvcGVubmV0bGFicy5jb20+iQJUBBMB CAA+AhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEElI60IyLF0At5NA9dz/M0 -TZCHpJAFAmbz0D0FCRD85cYACgkQz/M0TZCHpJBnFw/8CRLGJnNAP43mBniIP5R1 -/10i4xG5s1Ka/y5C3aRgZUNaGMPLF8VmrC26HTPNhmduhn3j9gnBuSHgRAJUWs2K -o1q0A2/O5fFJvqPyEUl30gG8qkzFl5UGRUr7VNtBa6VpI7g78d3P4/H8THB0tYZ3 -GZv980QXwTE11aXjvPQu4e8sMOR1OVEEH+6hW1T0SvEKAMV1BHwuZAmC6HTfx5e7 -iGNWu/dwJsmwzqcAkuTTSqlmzZdIjZWJDL8pfnschkVilC3pEpEk5ExSkt/onOD2 -WCAKJUiPR6gRI2H6fE0PF8iG9isisvNhQ3MrWUIKS+1WOotoG7Bu7ob46viJKQuN -9t7KBqjdftjJHjmVop3mfX0UUEDPjkZXK5R/aUspXi4IGdM+9JijqxveicQegOhM -LcE8039Z0AaXn9IA0kQB05A4a+CEnoPL7qe+fIBJM5hZDrpMe4fAAGxiQzbRpdkZ -CrXmT+CRkhc/BvUJ5yoE1q++9Fw9eyMbPOak6GLckCIPy+Mqi4z+ZXNCtcPs3Qbc -/7AY8qyswRsD2t5bbe4g+fLEt9IsN3UvKFUKnQ88jcn9Zmps69msMDm9jEj/qo+j -QCriLLu8E1ZwhedNVOQN89w4Zww/BUyEnL4hng8Tw+RTV8Jtq5EvAleW5sZsnTzA -zn1ysZUyO/Pu7Br2jnGRAQyJARwEEgECAAYFAlfZFDwACgkQMJGNgnVyQiIHjAf/ +TZCHpJAFAmjWhlgFCRLfm+EACgkQz/M0TZCHpJCWag/+MJOLW1tBNPA9sBcjl9V4 +Cjc2TIR/r8RRGv5lstVXlXc5T4SR48UvQTxaUU+KJia5POsaAsw9yk7Zz4r7ul0D +Vd9tzHCcwxl46e0Kwn2VGBMHThsWC7QDuK7b+4AlxeO4EDWRPPw4BCB7aTxJzA3N +O4qpEF4TVeb97uyNQr2YaTGUzSI58vCgXgeOpH9ivomQi1nCxZbdrFh2yKJ+H4EH +gI8+D9iSnJMI16RS1dE7Pa85IG+qPd3owAbOlc+tBsSvdbFdRufQZeiNGKfQno1E +oygZt8svcuKpGAG1flzpPu5LE9oMsIDia9hcn4YFqr80F5bW1rUvFeC0rYp9/0ui +6lo34PAhEieB8XzjbpDDEnlkziRoz2YNVJmZOWrCAMI1bUFI5/+YWuJTXCGF62dE +dO7aBWoUkchkGGSGKbPW9KYdmqMdfOeuqZRBhKs8bgHIArJ+kvglhCJr/qNX5T8p +oCHE5bnEwFxnH2Q6a2ffpMpOExGvPaoAWlym/ID/MMet0riZ2izFUdmjEkA0HUaa +7h5x1dKMhHzYDXOW8Ksx9vE24gLrjfqfvIiYpErn+SVs0KUqkR0BRWLRYjyq/Bj/ +btTQXcDeYpQj4tL2cX3Eosqaoy5NDGCK4yqWOxENOJ/YcO5dTPJDNsHlc2JSdejz +a4g8AHFlkpPn0tlflbuE7q6JARwEEgECAAYFAlfZFDwACgkQMJGNgnVyQiIHjAf/ VrPMgIRjRTYi4cxOr5ewaim1hgJZO1oCJoMopwIvpZ2kAUqL/uPMT3wREe5bi79H jXYcaX+RbrV4ZdzaajDUFCj867KGErxqtRkANJ1eNLcQmVwGNoFeTQbgEOBfKq1t 
hRfMqHF3fxCPJp4z4U3kBPUpIQPERjgUdkH8fxZ34Omo1SLO1b0dVqsneezccBVv 
@@ -89,18 +89,18 @@ Ix1q//q2VmxqjjT3Iv30hBRX02x2M8gsP/e49XWEll7stkMtbYhBU0sHQ2CqzLGh gJN3ecpi2sKWVqN8HUZOwJFj6f9ZX76YSM23wIugHfscMAVJUXvBrbd151WIshOf FFPo62sYGt+SEMXWeRcHjbQuWW9yZ29zIFRoZXNzYWxvbmlrZWZzIDx5b3Jnb3NA b3Blbm5ldGxhYnMuY29tPokCVAQTAQgAPgIbIwULCQgHAgYVCAkKCwIEFgIDAQIe -AQIXgBYhBJSOtCMixdALeTQPXc/zNE2Qh6SQBQJm89A9BQkQ/OXGAAoJEM/zNE2Q -h6SQOf4QAIp5fEn+vVOqDuLrv8Li61UDVPE3v5b9ocPR7OMENeFpRH7K2p8xFkAM -f6JeS2ehbIjyUS8iGc+mZOalvZynJdOiHtys5r4lZanm1Rl+mWXb+nHGE/Oi4gQ3 -aEF/AwolbKi9oNXAiCtA3hmaI6FYWtAh5XOnyMG140dhlXMWzvN1ZAWXWioS33Fp -n9Z7xOsyG2Bmky69JjUQPD119noD4pEFtCipciiACVNdHGfI8QDT/8pMAxv/Q7tW -+7gyFztT1XvKONWyCfHjf1x60JQNPPM31x3xUVRz/sK+GyLq6VLiydvSZeUX3CzM -4bHixKKkSyvsX+bc9K/iLrXwZFhRdrRbpVQFpsdxv48mN5WsDlpN17KgMCyNiMDV -0VagYjZC5AurOo2mmS7PKAYGILaq3YwQ3nXYiuWfdXVW6EXtw/vdFOjFU6ppbaA3 -1+xyMDOLSGLr7f+gdZvlEc+5MX1F3mHpmuKN7clUju/HEOdVq1Bbla7BplPgqCaH -ZYCg/VHNt7ue7MYeEgTJ8OGgUDRNPa3PdU3YHRCuwJH1UzinD39K8R9/g9qiGJbC -87//1FGZp9lhIE5tja6F5pJ5GwJK9zC0iGj2NrwBvTKhuyF6W3ZQc2voYQn+gIq4 -sfbned7qpvpjLcMgIv/y82iVm2EtKtKYl982aA9S53pHqjV27kieuQINBFfYHeYB +AQIXgBYhBJSOtCMixdALeTQPXc/zNE2Qh6SQBQJo1oZYBQkS35vhAAoJEM/zNE2Q +h6SQjBkP/0IvctNT9T+DtGZyMiw/Jna9G3QhtW7exhlxzqqX3tFmZpaJj3VswyqA +5hx5BdJEShC8qNEqrBCHxcCZgsLvR3GKc/0LTgP7+7VH/ugAScrlVeI8rB6V1jn5 +cnfY5fsfOQ8i0b/8C+CiEe0TW90VRHjYV6DWMdUfqQb3E/snl23RMFeTL0Qrrk8H +Lo3MTko7TeKRYOV/g/qQkb9CFQZNyzgIjD7uZi8or8qFJ/uZTnlBq5/NRDB5Z3ew +7WXc3QrRUXmbbDzdnIeCtu5vmuk+hc69gbOst9nWf3y2qlK7BjZqT+PqKZa/fa/i +5pZpv1hB8DrA2WTIpN7iXhCvABXSEoUOJaLkRSJVDqzvuaeqOEPrk1aJSMWoio/w +8RRa1L7k6m81Dc0dqYbBOSI4MCNm8ZawQI2L4qRs5QORg4nRnAevFgkzhJKFYF2N +jzX/2xlAuOym126DODC9qJSJZR7uTOJXh0yqknfkPgDXjchpzq+Q+CM+jYo6AGas +/XPAuRQCQaLSYr9UPL7Fn62//ysZQAyAkJQR1u7UwAd6/UTTMVZpUJsLQyMyikF7 +UT4K7MWrvkZxMRPhGan0P2pRe36M9BBjYRTp0TIr+UjUT8iBfjdrttI9DQlkcEeQ +rKhcE31KqjwJMdiuzbpqqXaEss9AFuJng3Owewt4wAft3eu1U7PWuQINBFfYHeYB EAC2h9yjSe2SgtcB0H+E0ndaewaZaQCE7q+RO43dotGH9eFnVwE4/ftcK1SN42ih lF5OnTaKPyXvgQ6U8W8VB8eLjeTwA/dSXuJX7kJpEK8saPqJP6zTUmPqp/GSzS6Y 
rhKLfpFn4chmywpDFcGNMz0sYXiJgPqKL7W0KuG+ziPToAeWl8ckeXyl77/lHVhW @@ -112,17 +112,17 @@ GFxr4xBiyMX1JLCKK6OFnyPfoJ9v/o3UgrQgLrfXCmKdvkwBCgJvN3Fsxzha6Dtf hmQBxPvXxI2ERmKRomo6lrMaDMzIjD4APSM1vUfZguzQxVYpM8lwy1COeqxsj5p+ LH6f/EU+4dXZwooJ1uanBOvG2ntnz8SErE+e7wNYE4a/fb8xYM4j7p6qYtnNZPb8 sj8bvx8iWXp4A1csVetyVSchBhTVQhhNos6ouYpc4ibrYwARAQABiQI8BBgBCAAm -AhsMFiEElI60IyLF0At5NA9dz/M0TZCHpJAFAmbz0dUFCRD8528ACgkQz/M0TZCH -pJA7hg/7Bh0jb7nrp2EuU4BWK55VG+3zbrye/NdDy6eo3sVVOOO1r+jBMoJK3m1A -GWUx40ogZjRn8GMtJfxkL6wsep2P775smm7x1TH6s2dgreTj9J66gitKEgxF0tjo -JztmGJ8YKSGE4wKi37KvvSqCm1ecA8akBzJVo0B8/GtXpg+y/q3/KSY1ujW7Ihu3 -60JXT1FRXOiYfrzUKIBm8/UVnv7guPudaJf0eU4btoy4Ywzn1UXyi8BdxPIQrQDR -tt69ffcjX8BIEloK7FURLre/LhbVxlssdWYIEFQhIlb+nghZlUbWHf0Ue3L0SFFS -xV5otzQL2WjJKtCnTpSopSUmwYyT7wyAL1RokOemXL47WOfiLjiGuS+K/4lT7VHS -fdLsYinS0LYr5dmhc05s//kLyQ0OSKNh3SNAN+lM/klLE/pFwM4mo56C+seNEvCm -sT53VPOOwp6JwsLKSqm8pu1fbVjT6laMc9BPi6KUjN/f7ZahCXNXOrA2uLnTlxw/ -ns1sOXSWZDWciZeL3kJeUQER5YZ59hzLYWAiJ+5KblWRlBMXb71FUp0Mh9V3dA5O -BX3IlcF54qE50chGzLnfQf1YLuh13xxxc2WsdMZjiCj8CVDMkD6ekShfQK8nyQsK -SJgdXcnw1CxcAVvsROtecUiD+DWrJcYExjSZ+zcI4+aRhp7uNt8= -=iknu +AhsMFiEElI60IyLF0At5NA9dz/M0TZCHpJAFAmjWhoAFCRLfnBoACgkQz/M0TZCH +pJA4sA/7BZrP4nwWF1eQVliMWJ1KKG+sHizK4c+ZiB67aFJw4pLDCL5o6unOWH8V +ocr1pWC/BMmLG4K77O2qadhUH7mzXm/ddZ/DVF3xHTvTmG1W1bLd6zj3k6qOFYq8 +yPS2QNTa3+3oNbtZQ+RpvhCAmv2Dc1GMPNP2hKR/Ju9r9NwGWBEDQBtiMZ7872QJ +yR3IFyfQGRvj+GBbEBvJwCFmaRb3eDorhaNhM0b0c/RbIueEWD40nkCUtmM4Zrc1 +0HLod8Li8C4j8sIqIdfTKo1RiJUUg86q1K3pGA86hoOzeaihZekcm6wMwGlhXymb +Ng41yB/ZTedl9wk+XEEcD6HZMCXyfh55hBdWG06aEhMIALjOCj2VkRnDLmOKLgDZ +kg7OOQxDfKACCCvk72HZG3qKtaN9oNH1oeaVwc3ytWR8y2hQJcCxmoQsLn+Xvkgc +aYRNklPW2z8817J3fmvvwS0o6sOWRHLb0XAc+NZg4lEQOgwVFrE0XIAgkXHLQbuQ +GRpRzRncHX95RXMzGb1+8kpWEcM7gazgUA3omoAumwNEqmeBX1TmEtDop1k5RFCS +UWbv+A2s2GSAb05MHY0InIhMxzJXEa5+dJDPSvZnbiGRGhQitEe4eIlmPcNA1lB+ +ADFE2UTzcpRTo5cOKfrXyZXr6JCEl2+tB3o5m0v7FRdr6+zIS5g= +=Ubkv -----END PGP PUBLIC KEY BLOCK----- 
diff --git a/sources b/sources index 9339806..d2b95bf 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (unbound-1.24.0.tar.gz) = ca2adb421bb7ebf636d1442d684b5f43bf5db7c778d9ca159635b67212294bb499aa451b79f244acbea36106db7242ed1afb72fcf425fec57c0eff5f19866ae3 -SHA512 (unbound-1.24.0.tar.gz.asc) = 076c1b82c08c94950e0f364578270a0d1377e0d59197ef822552a6fb05fd01d5a3aa77e6b53c2d785720c30c10cd112eb737caeb7db6eb280752e98a1e8c9866 +SHA512 (unbound-1.24.1.tar.gz) = 0332053ff6b2a2b6743fe33460950780a26e2cad236d21a9219e7b1a04576a9887342d59bc244c02c405e93812168175bc3dbe5481a201296899e77cbd201ea5 +SHA512 (unbound-1.24.1.tar.gz.asc) = 64f7baa0af069093f2d2a52d00fa41c26dd3a4a8eb39fbf90ae7355725121583f7dcd79257c064fa13d05f7bb0c602fe30104859a41164a81664cd4c1e275f30 diff --git a/unbound.spec b/unbound.spec index 3b7ffeb..2fcb22a 100644 --- a/unbound.spec +++ b/unbound.spec @@ -39,7 +39,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.24.0 +Version: 1.24.1 Release: %autorelease %{?extra_version:-e %{extra_version}} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ @@ -219,6 +219,7 @@ in initramfs. %prep %if 0%{?fedora} +%{gpgverify} --keyring='%{SOURCE22}' --signature='%{SOURCE18}' --data='%{SOURCE0}' || \ %{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}' %endif %global pkgname %{name}-%{version}%{?extra_version} From 7dd805b7438744b1499050da3b33923ea47b3389 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Fri, 24 Oct 2025 20:23:03 +0200 Subject: [PATCH 130/139] Fix failure with SWIG 4.4.0 (rhbz#2405293) https://github.com/NLnetLabs/unbound/pull/1365 --- unbound-1.24-swig-function.patch | 26 ++++++++++++++++++++++++++ unbound.spec | 2 ++ 2 files changed, 28 insertions(+) create mode 100644 unbound-1.24-swig-function.patch diff --git a/unbound-1.24-swig-function.patch b/unbound-1.24-swig-function.patch new file mode 100644 index 0000000..3257766 --- /dev/null 
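Review bot: The added `%{gpgverify} --keyring='%{SOURCE22}' … || \` line makes the build accept a signature from either keyring, but nothing says which maintainer key lives in which keyring or why two are needed, and for a tarball signed by the SOURCE19 key every build will print a gpg failure from the first attempt before the second one succeeds. A comment naming the keys would help, e.g. `# Release tarballs are signed by one of two maintainer keys (SOURCE22 or SOURCE19); accept either`. SOURCE22 is presumably the Yorgos.asc refreshed in this commit, but the `Source22:` line itself is outside the hunk; the `%if 0%{?fedora}` guard around the verification is pre-existing.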
+++ b/unbound-1.24-swig-function.patch @@ -0,0 +1,26 @@ +From 0fc825def2f812af70189a01b0fe66e1c5050aec Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Fri, 24 Oct 2025 20:20:50 +0200 +Subject: [PATCH] Use $action instead of $function in python SWIG interface + +$function is not supported since SWIG 4.4.0. +--- + libunbound/python/libunbound.i | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libunbound/python/libunbound.i b/libunbound/python/libunbound.i +index dc12514..4576844 100644 +--- a/libunbound/python/libunbound.i ++++ b/libunbound/python/libunbound.i +@@ -853,7 +853,7 @@ Result: ['74.125.43.147', '74.125.43.99', '74.125.43.103', '74.125.43.104'] + %{ + //printf("resolve_start(%lX)\n",(long unsigned int)arg1); + Py_BEGIN_ALLOW_THREADS +- $function ++ $action + Py_END_ALLOW_THREADS + //printf("resolve_stop()\n"); + %} +-- +2.51.0 + diff --git a/unbound.spec b/unbound.spec index 2fcb22a..80e5dd0 100644 --- a/unbound.spec +++ b/unbound.spec @@ -77,6 +77,8 @@ Source30: tmpfiles-unbound-libs.conf # Downstream configuration changes Patch1: unbound-fedora-config.patch +# https://github.com/NLnetLabs/unbound/pull/1365 +Patch2: unbound-1.24-swig-function.patch BuildRequires: gcc, make BuildRequires: openssl-devel From c6dcb50ddd56bf2b77716142aa56bdeaf1aa8a77 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Fri, 24 Oct 2025 20:34:21 +0200 Subject: [PATCH 131/139] Update link to PR of Jitka --- unbound.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index 80e5dd0..44c4564 100644 --- a/unbound.spec +++ b/unbound.spec @@ -77,7 +77,7 @@ Source30: tmpfiles-unbound-libs.conf # Downstream configuration changes Patch1: unbound-fedora-config.patch -# https://github.com/NLnetLabs/unbound/pull/1365 +# https://github.com/NLnetLabs/unbound/pull/1331 Patch2: unbound-1.24-swig-function.patch BuildRequires: gcc, make 
From 7357a73777e80b0ec1fd971cfcc8c708c3fe7e4c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 6 Nov 2025 14:47:41 +0100 Subject: [PATCH 132/139] Do not build with QUIC support in RHEL Until we have also client support, server side support of QUIC is not too important to us. --- unbound.spec | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/unbound.spec b/unbound.spec index 44c4564..2995d25 100644 --- a/unbound.spec +++ b/unbound.spec @@ -4,7 +4,8 @@ %bcond_without dnstap %bcond_without systemd %bcond_without doh -%if 0%{?rhel} >= 10 || 0%{?fedora} >= 43 +%if 0%{?fedora} >= 43 && !0%{?rhel} +# Do not build with QUIC support in RHEL, until we have also client support. %bcond_without ngtcp2 %endif %if 0%{?rhel} && ! 0%{?epel} From 531b1140b74cdcc168385e7414d747bc0c36cf36 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Mon, 24 Nov 2025 14:46:24 +0100 Subject: [PATCH 133/139] Do not initialize QUIC when not requested (rhbz#2416728) --- unbound-1.24-quic-on-demand-only.patch | 171 +++++++++++++++++++++++++ unbound.spec | 2 + 2 files changed, 173 insertions(+) create mode 100644 unbound-1.24-quic-on-demand-only.patch diff --git a/unbound-1.24-quic-on-demand-only.patch b/unbound-1.24-quic-on-demand-only.patch new file mode 100644 index 0000000..e074ab0 --- /dev/null +++ b/unbound-1.24-quic-on-demand-only.patch 
@@ -0,0 +1,171 @@ +From 1dfe06278c1446558b5043d7c57cd901e7d96829 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Mon, 24 Nov 2025 13:44:14 +0100 +Subject: [PATCH] Do not initialize quic_table unless it is enabled + +Fedora in FIPS mode might fail to initialize ngtcp2 library, because +some ciphers desired are not available. + +Make it possible to skip initialization by setting explicitly quic_port +to 0. Unless we have some listeners for port 853 configured, skip its +initialization as well. + +Related: https://pagure.io/freeipa/issue/9877 +--- + daemon/daemon.c | 14 +++++++++----- + services/listen_dnsport.c | 14 +++++++++++--- + util/configparser.y | 15 +++++++++------ + util/netevent.c | 3 +++ + 4 files changed, 32 insertions(+), 14 deletions(-) + +diff --git a/daemon/daemon.c b/daemon/daemon.c +index f882bb9ad..a9cc25c67 100644 +--- a/daemon/daemon.c ++++ b/daemon/daemon.c +@@ -558,9 +558,11 @@ daemon_create_workers(struct daemon* daemon) + verbose(VERB_ALGO, "total of %d outgoing ports available", numport); + + #ifdef HAVE_NGTCP2 +- daemon->doq_table = doq_table_create(daemon->cfg, daemon->rand); +- if(!daemon->doq_table) +- fatal_exit("could not create doq_table: out of memory"); ++ if (cfg_has_quic(daemon->cfg)) { ++ daemon->doq_table = doq_table_create(daemon->cfg, daemon->rand); ++ if(!daemon->doq_table) ++ fatal_exit("could not create doq_table: out of memory"); ++ } + #endif + + daemon->num = (daemon->cfg->num_threads?daemon->cfg->num_threads:1); +@@ -917,8 +919,10 @@ daemon_cleanup(struct daemon* daemon) + daemon->dnscenv = NULL; + #endif + #ifdef HAVE_NGTCP2 +- doq_table_delete(daemon->doq_table); +- daemon->doq_table = NULL; ++ if (daemon->doq_table) { ++ doq_table_delete(daemon->doq_table); ++ daemon->doq_table = NULL; ++ } + #endif + daemon->cfg = NULL; + } +diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c +index f7fcca194..ab8f1ba72 100644 +--- a/services/listen_dnsport.c ++++ b/services/listen_dnsport.c +@@ -1564,7 +1564,7 @@ 
listen_create(struct comm_base* base, struct listen_port* ports, + cp = comm_point_create_udp(base, ports->fd, + front->udp_buff, ports->pp2_enabled, cb, + cb_arg, ports->socket); +- } else if(ports->ftype == listen_type_doq) { ++ } else if(ports->ftype == listen_type_doq && doq_table) { + #ifndef HAVE_NGTCP2 + log_warn("Unbound is not compiled with " + "ngtcp2. This is required to use DNS " +@@ -3275,7 +3275,11 @@ nghttp2_session_callbacks* http2_req_callbacks_create(void) + struct doq_table* + doq_table_create(struct config_file* cfg, struct ub_randstate* rnd) + { +- struct doq_table* table = calloc(1, sizeof(*table)); ++ struct doq_table* table; ++ ++ if (!cfg->quic_port) ++ return NULL; ++ table = calloc(1, sizeof(*table)); + if(!table) + return NULL; + #ifdef USE_NGTCP2_CRYPTO_OSSL +@@ -3354,7 +3358,7 @@ conn_tree_del(rbnode_type* node, void* arg) + { + struct doq_table* table = (struct doq_table*)arg; + struct doq_conn* conn; +- if(!node) ++ if(!node || !table) + return; + conn = (struct doq_conn*)node->key; + if(conn->timer.timer_in_list) { +@@ -3413,6 +3417,7 @@ doq_timer_find_time(struct doq_table* table, struct timeval* tv) + { + struct doq_timer key; + struct rbnode_type* node; ++ log_assert(table != NULL); + memset(&key, 0, sizeof(key)); + key.time.tv_sec = tv->tv_sec; + key.time.tv_usec = tv->tv_usec; +@@ -4922,6 +4927,7 @@ doq_conid_find(struct doq_table* table, const uint8_t* data, size_t datalen) + key.node.key = &key; + key.cid = (void*)data; + key.cidlen = datalen; ++ log_assert(table != NULL); + node = rbtree_search(table->conid_tree, &key); + if(node) + return (struct doq_conid*)node->key; +@@ -5662,6 +5668,8 @@ doq_table_quic_size_available(struct doq_table* table, + struct config_file* cfg, size_t mem) + { + size_t cur; ++ if (!table) ++ return 0; + lock_basic_lock(&table->size_lock); + cur = table->current_size; + lock_basic_unlock(&table->size_lock); +diff --git a/util/configparser.y b/util/configparser.y +index bf9c196fc..f159b8cec 100644 
+--- a/util/configparser.y ++++ b/util/configparser.y +@@ -1235,14 +1235,17 @@ server_http_notls_downstream: VAR_HTTP_NOTLS_DOWNSTREAM STRING_ARG + server_quic_port: VAR_QUIC_PORT STRING_ARG + { + OUTYY(("P(server_quic_port:%s)\n", $2)); ++ if(atoi($2) == 0 && strcmp($2,"0")!=0) ++ yyerror("port number expected"); ++ else { ++ cfg_parser->cfg->quic_port = atoi($2); + #ifndef HAVE_NGTCP2 +- log_warn("%s:%d: Unbound is not compiled with " +- "ngtcp2. This is required to use DNS " +- "over QUIC.", cfg_parser->filename, cfg_parser->line); ++ if (cfg_parser->cfg->quic_port != 0) ++ log_warn("%s:%d: Unbound is not compiled with " ++ "ngtcp2. This is required to use DNS " ++ "over QUIC.", cfg_parser->filename, cfg_parser->line); + #endif +- if(atoi($2) == 0) +- yyerror("port number expected"); +- else cfg_parser->cfg->quic_port = atoi($2); ++ } + free($2); + }; + server_quic_size: VAR_QUIC_SIZE STRING_ARG +diff --git a/util/netevent.c b/util/netevent.c +index aedcb5e07..93db16675 100644 +--- a/util/netevent.c ++++ b/util/netevent.c +@@ -2723,6 +2723,7 @@ doq_server_socket_create(struct doq_table* table, struct ub_randstate* rnd, + { + size_t doq_buffer_size = 4096; /* bytes buffer size, for one packet. */ + struct doq_server_socket* doq_socket; ++ log_assert(doq_table != NULL); + doq_socket = calloc(1, sizeof(*doq_socket)); + if(!doq_socket) { + return NULL; +@@ -2804,6 +2805,7 @@ doq_lookup_repinfo(struct doq_table* table, struct comm_reply* repinfo) + { + struct doq_conn* conn; + struct doq_conn_key key; ++ log_assert(table != NULL); + doq_conn_key_from_repinfo(&key, repinfo); + lock_rw_rdlock(&table->lock); + conn = doq_conn_find(table, &key.paddr.addr, +@@ -5880,6 +5882,7 @@ comm_point_create_doq(struct comm_base *base, int fd, sldns_buffer* buffer, + struct config_file* cfg) + { + #ifdef HAVE_NGTCP2 ++ log_assert(table != NULL); + struct comm_point* c = (struct comm_point*)calloc(1, + sizeof(struct comm_point)); + short evbits; +-- +2.52.0 + 
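Review bot: In the daemon.c hunk `doq_table_create()` now returns NULL both when `cfg->quic_port` is 0 and when `calloc` fails, so if `cfg_has_quic()` (not shown in this patch) can be true while quic-port is 0 the daemon dies with `could not create doq_table: out of memory`, a misleading message for a deliberately disabled feature; keeping the port check in the caller, `if (daemon->cfg->quic_port != 0 && cfg_has_quic(daemon->cfg)) {`, and dropping the early `return NULL` in `doq_table_create()` leaves the fatal_exit meaningful. In `listen_create()` the added `&& doq_table` makes a `listen_type_doq` port with no table fall through to the later branches of the if-chain, which are outside the hunk; please confirm that path logs that the DNS-over-QUIC interface was skipped rather than silently creating no listener, since an operator who configured one would otherwise get no error. The `doq_table_quic_size_available()` change returns 0 for a NULL table, which reads as "no space" — a one-line comment stating that this is the intended answer when QUIC is disabled would help the next reader.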
diff --git a/unbound.spec b/unbound.spec index 2995d25..ccad149 100644 --- a/unbound.spec +++ b/unbound.spec @@ -80,6 +80,8 @@ Source30: tmpfiles-unbound-libs.conf Patch1: unbound-fedora-config.patch # https://github.com/NLnetLabs/unbound/pull/1331 Patch2: unbound-1.24-swig-function.patch +# https://github.com/NLnetLabs/unbound/pull/1381 +Patch3: unbound-1.24-quic-on-demand-only.patch BuildRequires: gcc, make BuildRequires: openssl-devel From 4161ebcee0794614c79b1571fe58c5d205e100a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 25 Nov 2025 15:09:46 +0100 Subject: [PATCH 134/139] Add dependency on dns-root-data package Do not contain own copy of root key. Use shared key provided by the package. --- unbound.spec | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/unbound.spec b/unbound.spec index ccad149..367e499 100644 --- a/unbound.spec +++ b/unbound.spec @@ -93,6 +93,7 @@ BuildRequires: automake autoconf libtool BuildRequires: autoconf-archive # Regenerate config parser too BuildRequires: bison flex byacc +BuildRequires: dns-root-data %if 0%{?fedora} BuildRequires: gnupg2 @@ -164,6 +165,7 @@ The devel package contains the unbound library and the include files %package libs Summary: Libraries used by the unbound server and client applications Recommends: %{name}-anchor +Requires: dns-root-data %if ! 0%{with_python2} # Make explicit conflict with no longer provided python package Obsoletes: python2-unbound < 1.9.3 
@@ -368,12 +370,8 @@ install -p -m 0644 %{SOURCE30} %{buildroot}%{_tmpfilesdir}/unbound-libs.conf # install root - we keep a copy of the root key in old location, # in case user has changed the configuration and we wouldn't update it there install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/ -install -p -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/unbound/dnssec-root.key -# make initial key static -pushd %{buildroot}%{_sharedstatedir}/unbound - KEYPATH=$(realpath --relative-to="%{buildroot}%{_sharedstatedir}/unbound" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key") - ln -s "$KEYPATH" root.key -popd +ln -sr "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key" "%{buildroot}%{_sharedstatedir}/unbound/root.key" +ln -sr "%{buildroot}%{_datadir}/dns-root-data/root.key" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key" # remove static library from install (fedora packaging guidelines) rm %{buildroot}%{_libdir}/*.la From 21f2c5bc52591684bd5b8bc11783e7df301e2c05 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 25 Nov 2025 15:23:54 +0100 Subject: [PATCH 135/139] Create root.key from dns-root-data It is old compat file, but stop having it contained copy. --- mkroot.sh | 17 +++++++++++++++++ root.key | 8 -------- unbound.spec | 5 +++-- 3 files changed, 20 insertions(+), 10 deletions(-) create mode 100755 mkroot.sh delete mode 100644 root.key diff --git a/mkroot.sh b/mkroot.sh new file mode 100755 index 0000000..eb6d5b3 --- /dev/null +++ b/mkroot.sh @@ -0,0 +1,17 @@ +#!/bin/sh + +SOURCE="/usr/share/dns-root-data/root.key" +DEST="${1:-root.key}" + +mk_key() { +echo "# Generated from $SOURCE" +echo "# Use /var/lib/unbound/root.key instead." +echo "trusted-keys {" +while read DOMAIN CLS TYPE FLAGS PROTO ALG KEYDATA COMMENT KEYTAG; do +echo "$DOMAIN $CLS $TYPE $FLAGS $PROTO $ALG \"$KEYDATA\" # $KEYTAG" +done < "$SOURCE" +echo "};" +} + +mk_key > "$DEST" +touch -r "$SOURCE" "$DEST" 
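Review bot: The context comment kept above the two new `ln -sr` lines still says the package keeps "a copy of the root key in old location", but after this hunk `%{_sysconfdir}/unbound/dnssec-root.key` is no longer a copy — it and `%{_sharedstatedir}/unbound/root.key` are both symlinks that end at `%{_datadir}/dns-root-data/root.key` — so the comment should be replaced with something true, e.g. `# dnssec-root.key and root.key are symlinks into dns-root-data, kept only for old configs that still reference these paths`. The order of the two `ln -sr` calls is load-bearing and undocumented: GNU `ln --relative` canonicalizes the target (resolving symlinks that already exist), so creating `root.key -> dnssec-root.key` while `dnssec-root.key` does not yet exist is what preserves the two-hop chain, and swapping the lines would, as far as I can tell, collapse the first link to point straight at dns-root-data — add `# order matters: create root.key before dnssec-root.key exists so ln -r does not resolve through it`. The final target `%{buildroot}%{_datadir}/dns-root-data/root.key` is not present in the buildroot (dns-root-data is installed on the build host, not under `%{buildroot}`), so the chain is dangling until install time, which is only safe if the subpackage whose `%files` owns these two symlinks is the one carrying the `Requires: dns-root-data` added earlier in this series; the `%files` sections are outside this hunk, so please confirm. If `Source13:` is still declared it is now unused and can be dropped.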
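Review bot: The entry line `mk_key` emits, `$DOMAIN $CLS $TYPE $FLAGS $PROTO $ALG "$KEYDATA" # $KEYTAG`, is not the BIND `trusted-keys` grammar (`name flags protocol algorithm "key";`) that the root.key it replaces used (`"." 257 3 8 "…"; // key id = N`): it keeps the class and type columns and drops the `;` that terminates each key, so anything that reads this file as trusted-keys is likely to reject it — emit `echo "\"$DOMAIN\" $FLAGS $PROTO $ALG \"$KEYDATA\"; # $KEYTAG"` instead. The field split also assumes every line of `/usr/share/dns-root-data/root.key` is `<name> <class> DNSKEY <flags> <proto> <alg> <key> <comment…>` with no TTL column and no comment-only lines, which I cannot confirm from here; guard the loop with `[ "$TYPE" = DNSKEY ] || continue` and use `read -r` so the layout assumption is at least checked rather than silently producing garbage in a trust-anchor file. Without `set -e`, a missing or unreadable `$SOURCE` only fails the `while` redirection, and the function still writes the header and `};` into the already-truncated `$DEST`; the build currently stops only because the trailing `touch -r` happens to fail, so make the intent explicit with `set -eu` at the top and a `[ -r "$SOURCE" ]` check before `mk_key > "$DEST"`.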
diff --git a/root.key b/root.key deleted file mode 100644 index 848887d..0000000 --- a/root.key +++ /dev/null @@ -1,8 +0,0 @@ -# The root key in obsoleted bind format. This can be read by some tools, including -# named, unbound, delv etc. For libunbound, use ub_ctx_trustedkeys() to load this -# Prefer DNS format in /var/lib/unbound/root.key or /etc/unbound/dnssec-root.key, -# ub_ctx_add_ta_file or trust-anchor-file: format -trusted-keys { -"." 257 3 8 "AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc="; // key id = 38696 -"." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326 -}; diff --git a/unbound.spec b/unbound.spec index 367e499..14ac006 100644 --- a/unbound.spec +++ b/unbound.spec @@ -49,7 +49,7 @@ Source: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz Source1: unbound.service Source3: unbound.munin Source4: unbound_munin_ -Source5: root.key +Source5: mkroot.sh Source7: unbound-keygen.service Source8: tmpfiles-unbound.conf Source9: example.com.key 
@@ -369,7 +369,8 @@ install -p -m 0644 %{SOURCE30} %{buildroot}%{_tmpfilesdir}/unbound-libs.conf # install root - we keep a copy of the root key in old location, # in case user has changed the configuration and we wouldn't update it there -install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/ +sh %{SOURCE5} root.key +install -m 0644 root.key %{buildroot}%{_sysconfdir}/unbound/ ln -sr "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key" "%{buildroot}%{_sharedstatedir}/unbound/root.key" ln -sr "%{buildroot}%{_datadir}/dns-root-data/root.key" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key" From 79dc8264748806d5d2a54a0b235fb5d43ea64431 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Wed, 26 Nov 2025 14:16:02 +0100 Subject: [PATCH 136/139] Update to 1.16.2 (rhbz#2417261) - Additional fix for CVE-2025-11411 https://nlnetlabs.nl/projects/unbound/download/#unbound-1-24-2 --- sources | 4 ++-- unbound.spec | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/sources b/sources index d2b95bf..7d4806d 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (unbound-1.24.1.tar.gz) = 0332053ff6b2a2b6743fe33460950780a26e2cad236d21a9219e7b1a04576a9887342d59bc244c02c405e93812168175bc3dbe5481a201296899e77cbd201ea5 -SHA512 (unbound-1.24.1.tar.gz.asc) = 64f7baa0af069093f2d2a52d00fa41c26dd3a4a8eb39fbf90ae7355725121583f7dcd79257c064fa13d05f7bb0c602fe30104859a41164a81664cd4c1e275f30 +SHA512 (unbound-1.24.2.tar.gz) = 655d63ec5305323e84d82691425d74d98c332d0028517bd729d191e5f968ce9481b49ec7447d4c4906dce7997a998a115db36e911a59d2d877da5840c2080261 +SHA512 (unbound-1.24.2.tar.gz.asc) = 66a3e569a606cc3ed7dac9b411fba347da150728427619bdbf12ac57a5d7db1fc17963b1ba052a95d6c6fed67a6f0c1b5920318f6cd34e5091750626dd63fb21 diff --git a/unbound.spec b/unbound.spec index 14ac006..1fc03d9 100644 --- a/unbound.spec +++ b/unbound.spec 
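Review bot: `root.key` is now generated from the build host's `/usr/share/dns-root-data/root.key` and installed as a regular file, so this copy of the trust anchor is frozen at build time while `dnssec-root.key` and `%{_sharedstatedir}/unbound/root.key` (the symlinks on the two lines below) follow whichever dns-root-data is installed at run time; after a root KSK rollover the three can disagree until unbound is rebuilt, and nothing in the hunk says so. The context comment about keeping "a copy of the root key in old location" no longer describes either path — replace it with e.g. `# root.key (BIND trusted-keys format) is generated at build time from dns-root-data and does not track later dns-root-data updates; kept only for old configs that still reference it`. If `root.key` is listed as `%config(noreplace)` in `%files` (outside this hunk), that keeps an even staler anchor across upgrades, so it is worth checking how it is packaged.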
@@ -40,7 +40,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.24.1 +Version: 1.24.2 Release: %autorelease %{?extra_version:-e %{extra_version}} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ From 64fc0f02705035a7a0c7960669724ca4dcc1aa02 Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Tue, 9 Dec 2025 11:32:18 -0500 Subject: [PATCH 137/139] Add nlnetlabs2026-g2.asc key for 2026 signature verification downloaded from: https://nlnetlabs.nl/downloads/keys/releases-g2.asc --- nlnetlabs2026-g2.asc | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 nlnetlabs2026-g2.asc diff --git a/nlnetlabs2026-g2.asc b/nlnetlabs2026-g2.asc new file mode 100644 index 0000000..a8f7de7 --- /dev/null +++ b/nlnetlabs2026-g2.asc 
@@ -0,0 +1,24 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQGNBGc7H5IBDADOZfJwZ6zZ/4JbbR2hef4261/zh7YpdjUREUs0dMQSbf+x7sAE +50JgvLQWlvA8sDHzbUMQ9cAYZBGGE6iHb50KboeEfuiP5BdiLe8XWKlo1EIh+Idz +0+e1binxwvXV1/9ACm/UHPRuWjkG7vrP+mVRuhfKglO6xSDxV1cwjYTRtvRtQx8D ++kTdZzprvtzkU7OIWeczKFJRhVHzNDHYFG9SuxvDA9cbVm1KPVJEkRBwoSBPeB0z +Z3LSib2uT6Lc/ghAijOwIpR+zNYKOYxRhzoFArrLa0Fs4nq6//LA42/aVjSienEJ +SR5CVUbZy14WuUsYCkV+ZoORVRYZOcjtPG7FUKDXKzY9/iNhEAZ3OMK7Np2Xq/YO +gaOiUDFXLHU1n2UVH1rwkMiS2o4EMqvO7gINmnL/ccpI2wj2QrQ+JZ9y1Xky7dQM +LIIbtp40e0kGocgyba484rW17xlvXRxb1Pjn93JygD6WcraLLNh9jq87hW/J37qi +S4DL+GUe10H8SeEAEQEAAbQ6TkxuZXQgTGFicyByZWxlYXNlcyBzaWduaW5nIGtl +eSBHMiA8cmVsZWFzZXNAbmxuZXRsYWJzLm5sPokBzgQTAQoAOBYhBCMQGGkMTZA+ +9BkUaqFEMj3qrN9FBQJnOx+SAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ +EKFEMj3qrN9FZigL/0aVsJ48oe7vko1Mwg9DucFoCL8CESAarA40in1Bauq7p/pT +l5UcNnFPLO8HBAHWGWtDI63pEhNzHacPzSI94GKS4TUMGzCV1H/c0KnxB7wAO55b +HEQOZJ+kFRBFXWxbXORtp86NZuyCvVoSA4QAcnCf4m5ZEBb72H2cmy8xP+/HLkbS +rpr5pyoUWtCYM8FxnjM3bClXSGOlWNl9cSXLqyyVjxvc7cOAS8ytL/zoVStoBmi/ +OwQbeJfAiqDMnipBJNzOHlfniKXE0FGDozKCHWP88ifs8A8OUNtJng7cNq7EQf9K +vTvbJCcF4akUUcXnx4gv9Z1ZQ93Jg5X7h+0MP7Ut4z9hKSIAOowru7GXGEt256Ja +eE1nSviDcqUtZpyqCLjpCDFGPMwSPzSwlPXjJVlVxPkDvPuNt2LUIEd8BR8Wo7z+ +NA5uM/zTHkQXEdUgCcl/rHy6moHYV3Q+YbMb17zU37a5vLb+wQ74doaiYo3b8KoV +K6vVKMmB0qru6ERJ3g== +=4R8U +-----END PGP PUBLIC KEY BLOCK----- From 71efccae360b4733b7c2c1994305801e33230cef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 13 Jan 2026 16:35:32 +0100 Subject: [PATCH 138/139] Replace Wouter's key with release-g2 key Prepare for next release verification. Enable verification also for RHEL build from this release. Should enable ELN source verification. --- releases-g2.asc | 24 ++++++++ unbound.spec | 9 +-- wouter.nlnetlabs.nl.key | 123 ---------------------------------------- 3 files changed, 29 insertions(+), 127 deletions(-) create mode 100644 releases-g2.asc delete mode 100644 wouter.nlnetlabs.nl.key 
diff --git a/releases-g2.asc b/releases-g2.asc new file mode 100644 index 0000000..a8f7de7 --- /dev/null +++ b/releases-g2.asc @@ -0,0 +1,24 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQGNBGc7H5IBDADOZfJwZ6zZ/4JbbR2hef4261/zh7YpdjUREUs0dMQSbf+x7sAE +50JgvLQWlvA8sDHzbUMQ9cAYZBGGE6iHb50KboeEfuiP5BdiLe8XWKlo1EIh+Idz +0+e1binxwvXV1/9ACm/UHPRuWjkG7vrP+mVRuhfKglO6xSDxV1cwjYTRtvRtQx8D ++kTdZzprvtzkU7OIWeczKFJRhVHzNDHYFG9SuxvDA9cbVm1KPVJEkRBwoSBPeB0z +Z3LSib2uT6Lc/ghAijOwIpR+zNYKOYxRhzoFArrLa0Fs4nq6//LA42/aVjSienEJ +SR5CVUbZy14WuUsYCkV+ZoORVRYZOcjtPG7FUKDXKzY9/iNhEAZ3OMK7Np2Xq/YO +gaOiUDFXLHU1n2UVH1rwkMiS2o4EMqvO7gINmnL/ccpI2wj2QrQ+JZ9y1Xky7dQM +LIIbtp40e0kGocgyba484rW17xlvXRxb1Pjn93JygD6WcraLLNh9jq87hW/J37qi +S4DL+GUe10H8SeEAEQEAAbQ6TkxuZXQgTGFicyByZWxlYXNlcyBzaWduaW5nIGtl +eSBHMiA8cmVsZWFzZXNAbmxuZXRsYWJzLm5sPokBzgQTAQoAOBYhBCMQGGkMTZA+ +9BkUaqFEMj3qrN9FBQJnOx+SAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ +EKFEMj3qrN9FZigL/0aVsJ48oe7vko1Mwg9DucFoCL8CESAarA40in1Bauq7p/pT +l5UcNnFPLO8HBAHWGWtDI63pEhNzHacPzSI94GKS4TUMGzCV1H/c0KnxB7wAO55b +HEQOZJ+kFRBFXWxbXORtp86NZuyCvVoSA4QAcnCf4m5ZEBb72H2cmy8xP+/HLkbS +rpr5pyoUWtCYM8FxnjM3bClXSGOlWNl9cSXLqyyVjxvc7cOAS8ytL/zoVStoBmi/ +OwQbeJfAiqDMnipBJNzOHlfniKXE0FGDozKCHWP88ifs8A8OUNtJng7cNq7EQf9K +vTvbJCcF4akUUcXnx4gv9Z1ZQ93Jg5X7h+0MP7Ut4z9hKSIAOowru7GXGEt256Ja +eE1nSviDcqUtZpyqCLjpCDFGPMwSPzSwlPXjJVlVxPkDvPuNt2LUIEd8BR8Wo7z+ +NA5uM/zTHkQXEdUgCcl/rHy6moHYV3Q+YbMb17zU37a5vLb+wQ74doaiYo3b8KoV +K6vVKMmB0qru6ERJ3g== +=4R8U +-----END PGP PUBLIC KEY BLOCK----- diff --git a/unbound.spec b/unbound.spec index 1fc03d9..58a0ccf 100644 --- a/unbound.spec +++ b/unbound.spec 
@@ -62,8 +62,8 @@ Source15: unbound-anchor.timer Source16: unbound-munin.README Source17: unbound-anchor.service Source18: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc -# source: https://nlnetlabs.nl/people/ -Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key +# https://nlnetlabs.nl/signing-keys/ +Source19: https://nlnetlabs.nl/downloads/keys/releases-g2.asc Source20: unbound.sysusers Source21: remote-control.conf Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc @@ -95,7 +95,7 @@ BuildRequires: autoconf-archive BuildRequires: bison flex byacc BuildRequires: dns-root-data -%if 0%{?fedora} +%if 0%{?fedora} || 0%{?rhel} >= 9 BuildRequires: gnupg2 %endif %if 0%{with_python2} @@ -225,7 +225,8 @@ Unbound dracut module allowing use of Unbound for name resolution in initramfs. %prep -%if 0%{?fedora} +%if 0%{?fedora} || 0%{?rhel} >= 9 +# TODO: Remove Yorgos.asc and extra verification once releases start to be signed by new g2 key %{gpgverify} --keyring='%{SOURCE22}' --signature='%{SOURCE18}' --data='%{SOURCE0}' || \ %{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}' %endif diff --git a/wouter.nlnetlabs.nl.key b/wouter.nlnetlabs.nl.key deleted file mode 100644 index 603e620..0000000 --- a/wouter.nlnetlabs.nl.key +++ /dev/null 
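Review bot: `Source19` is now a URL and a freshly committed key file, but nothing in the spec records which key that file is supposed to be, so a substituted key would only be noticed if a reviewer runs gpg by hand. Add the expected fingerprint under the `# https://nlnetlabs.nl/signing-keys/` comment: the issuer-fingerprint subpacket in the committed key's self-signature decodes to `2310 1869 0C4D 903E F419 146A A144 323D EAAC DF45` (key ID `A144323DEAACDF45`) — confirm it with `gpg --show-keys --with-fingerprint` on the file and against the signing-keys page, then write `# fingerprint: 2310 1869 0C4D 903E F419 146A A144 323D EAAC DF45`.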
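Review bot: The new `||` fallback in `%prep` accepts a tarball signed by either the `Yorgos.asc` key or the g2 key, which is fine as a transition measure but doubles the set of signers the package trusts, so the TODO should be acted on as soon as a g2-signed release exists rather than left open-ended; consider also trying `%{SOURCE19}` first, so the expected-failure error printed by the first `%{gpgverify}` disappears from build logs the moment the switch happens. Outside the `%if` (rhel < 9) no signature verification runs at all, which is a deliberate choice worth stating in a one-line comment next to the guard, e.g. `# no %{gpgverify} on older RHEL: sources are not signature-checked there`.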
@@ -1,123 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -xsFNBE2v/RwBEACyQpJlpCeSZBV1QUH7jNEp5xGdo6OnX2h9XoZ4ZPsb+u6OT+xE -SH45ncnISUh8rPCygbeWOoPR/yOBzh+lYoGxQ5iUHtwRrhHq04sQe/qFpXDO2xs6 -1pTcPU2PnH7Rsr2qp6fZLPHuXLolD7NJfaSib8sVeMM0/ecyl/L2bBg9NpaGDX0x -TQh95M8o6AFo6UKWApBpgsvEZr2aH/B8b9KnCWFhfJyheEM7DamksdZNsKxXQyq3 -l/ROfdsMLZGF8vPbYV/v11G4keyaLpn8AbBpybIiw9SYDwf2ENk3+e1NFfMaiiyE -qn9+aaLTKCY87TMUuoN3s3jWOOy5tHXzf6DbKhub4Awsby3DH5YpPhi4N2vj2pAX -Vpl5+m78cH29JLzT+HAoyZ4tq1r3m0P5QogNqYwqxkKWYOjDilNDBiKiDdgtrLYG -x+ABovKG/FvToJoaCL4AFaVCzWmL2uHkSgyBN0FPHatCB1UeEkcQit6T8E2NQqmF -WjUMXSWHHajSMG95+L5PdLHz/Ku0o3Csvlt2pkElYZmzJBfnOM9JevdsmKr/ruJC -/DCZAn5w2S/9ZF5qfo2F9HUKIwE/dChR29HcN8V4nqZs9oCvEMfFhHmrfwDc5hed -hvb6mAkvSFFtKIrygLIVeWRj3FE9sGp6sr4VwOLYTFRNk7mAsWD1rZApeQARAQAB -zSdXLkMuQS4gV2lqbmdhYXJkcyA8d291dGVyQG5sbmV0bGFicy5ubD7CwX4EEwEC -ACgFAk2v/RwCGyMFCQlmAYAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEJ9v -HC1+BF+N3yoQAIynfrvZ/8RNAv9lLcSc2PX3fvG7oRJEJSy9uMyIbMtb/a1BVCeh -XjR8GhHJ5D/Z3jRWBQKw1rLLvOqbuBGkpKMR100ZVF4z/8e6CWtTAOFy28f1JQw2 -8kilN7K6vjno21S1JJ1XJAdoFdicyb1SW2r+KYod6fjSyF0lb71od+sdnSE9O/xd -Cqyyu6cX+AwfDcuJ6Y8iOWu8CeWAz41LR1QBUQkCb/08mVfCEu+Cj+M31jjPDZEy -UAw219vr4QFe0o3t+Msv0AUZvcRkW6+8qP5lO6I5we/33WBLZH70lhFvYtobM7HO -MCjheRZguSzvRqEETfTjia1uVi3Yz2qM4CFdJIZF6Er79yKcB3jYquultrnlHdXZ -/IZsHVRk6JfiqFkz9u1T9PkvMoQ452aUomGTg9xQchnKpe1E8osKgLulaY+izTEq -Z8pH/HWWJ/YT13/n8pxK9EbC/8SkVhyXNehOSAGDZar+tjVBofgzS8r+GDyv+pBT -SmjitIrVXZNuhigLp1o7Tvs4kjKlcFnLhfDHJ+yb5JyiZd01bVvaqnfRhACqXfWl -oC0uslRbegoYwJUgX0BOrsOuHGH2SfGjd/QnA0bcEXM2kp1Dp1gqtcEd5Qitm647 -Yz+leWkhrmMmtTwqumXoAcvgzthJFUPcAzuhXZNfqQJMOGRxAGVI0P97wsF+BBMB -AgAoAhsjBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCVu+rZAUJDQIVSAAKCRCf -bxwtfgRfjdrWEACMQK0xYtZtAvLL/8CCcCi92Oi1rtXRGWnRy7JX020hftmWliMq -4P0F3CJKVLhgZ/ldp8OOqmfDfmwLMVSaCQ86Ubqn7Ofrf8Ku8SGQuIMxY2ODB97h -ouY4bnDHaM2Cqi6JkBN+G1tgdwqN/kcecF2tq3ql2k7eX91++A+F5ApIu1silzJP -L4Z8W6MVOdKrtzEM7t61hRlsbpEPj72vbVBZ1hmTiIL4VWwdxQYamxBoOeneskyD 
-DG+iMCI3P1GG3EQkk+9Aect/iH9uruE0mxn2aKN8cfuoR93cPF/ozCxS5ItwAVnN -e39WRO1GT2zYaFgYm0lf9czcpRsRzNbGw938lZ3iPUiZe+ybKgLKkVmvrkM59ljH -T99SrC14VXxgQwSs4gS3rdzbY9tPps62Z1q+xCVfTx1IY5P4nt59xwQV0Iw+pV9S -/mVcOnPXl1UKb0ttOdYJErrq3RpF/D2g/NDtL0OWqIa8LvrBlyQYmWPKvKw76vt4 -bJ3NU31jSc0ow/j7EOVjOst86s629zmtnbJjWVr6LOy5EDUPusmqHv1t4Z4RMjf8 -OrJdNbFJoRXZv8FbW4NzXeGtMf8k6vKeejpdMH4+eLuoZG7dchU1JccfgqfwWpy0 -ojmb59drJcaQgVC6Jvw9l0TmGPNIsE4UrIWocaFgv4dOKvHA2hcnMDM8rsLBlQQT -AQIAPwIbIwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQTt+qPyyk5usFaBr46f -bxwtfgRfjQUCWaU4BQUJEZjVaQAKCRCfbxwtfgRfjb1YEACjkhtkyZkYURUmSZNL -2IK/Zencv7DZGRfFrzijROFtHbe//H8o2ZhlyiaFSA/dT1ehjsukkR0oFkYadA+q -Ui06WpxGmd/jf8hP4yTUZkwOhQAesWoNmnhKePNaVMKY8DP57bA+N2pdCcGu7gUt -Yzq2JoTAtV+P/PE2w+H9eyBAulv6iUckM5/qvGfJPl8HB9BtgOpGN79otVWO6ebM -4TQ3cZYI9BDQnt9cF2pviex+z1iLZVJ8UeRxSxYhrBKPJioi0Q1OgcKyO56t7Eot -zxKl5TzprgvdX4cdls+lehD8StlE2Xv/TScHvdOhJuVBrn3a3QjZPb4qSsz74leW -5/EIQmozBy+qf8AHcCmTXwb2U7oHOct7cVyS5+bFx+ThpV5OK0rjTH1LMNiuTeAN -46c1y3prjZRpQUlgVwj06q3Zz/fzDyueUS/r4lW4nAf/VNZy/rTS2HYPoZbHZVCt -GpDIfag6fV6V97Pd3zfhTf2wmsJsw9Xhktp/o7rMBRSMhvL4oevOXb0JSG2583Q/ -JnCCceB4NxRRxsgkRYHwdnXN9FnOPSa4NyvF4rzpPksLGZrhvm+lBvzVn/e40Q/K -lxvSlnn2vW/WBM4pBq1jsoJrd/JkTdijZV7mt7HQ2bCLXAPgfZjy7n79WiCQVHg7 -iYnNikiNWR5TR7JcvdkxOdiA/8LBlQQTAQgAPwIbIwYLCQgHAwIGFQgCCQoLBBYC -AwECHgECF4AWIQTt+qPyyk5usFaBr46fbxwtfgRfjQUCXe4JdQUJGaQN2QAKCRCf -bxwtfgRfjQ8gEACe+49aDQHRuZdDHK1VCJKzhb+MvfdIjvl8eQxljpG9Uz5Y17Bx -4SWfuLHCeGlh1m6IOAWeW4g6Wowm1ec1PkVa79TdrkKb0MxfLSat6iDbiuVjDxy2 -bWokW0/cPzJ/FoWDtEC0H9UTAMb5QGBDZUbLuwX7ZjvMkAhH15/hO9Gj4RHoH1RJ -GJALRtZzjtzsJqL53kW/EV59V1T79Nocyx018iw50Jn02mI8wYJZ9HZc5C7D+K59 -vcqLRZgkrJrObw0sEv3YFOBYp/1DemH2nHPMBSKMmN5RAcr32guUjd4BEWf2Q7Ao -+Qnhdi161W0YKCW4JAmOoQ4bQ0wfE9Q5aUIGhUF52L+ac8Hy7dByaCExCA/WTqQQ -/iVPybmpJQhFonWt/fmpxbE2wKThSEOHTO67e5e3JfUb0vNKssyZojao4h1MF5nv -aPNKoybWwKnpNM0ORcyl+aogKwW7E15TEU0TE5//gAsFwRDcCnSEKnksgM0321m1 -7RDfJbCajIv47DHDYE3yvhRZjCJCaw0Gow1sDRWjdOFpmIixD5/vx5uxyqSHPuGA 
-sXlEvl+Z3Rdc5bQ7pAWu7UNpR3hnJPfg8KL2xqOF75VKG9/NjLE80yj8wdVoCfDv -vizrBtOXnHI49gCMCfNqbGIb5yVhmTdeo7li+Te9hlJ2DrHnujGJlFe+p87BTQRN -r/0cARAApvDKeVLiSazESdTY9KsSWsqoB38pvOsu25M49tEjc5TtY5LwKNckqkeR -lJ83O8dFG7UBVuGwLKaf/6OR/pe24upZ27eOOWW7sXvQNv5aXlOYfF+mjIhUINqj -q4pKDmO1c9J7h5d+auOVfzcgfotg3BVCaKn56ucjiQJ059uUMfgWTvVlibnoJ7de -Zcgt8v7VcLK9jv+P8QJHTIyDzJd+JjdjuHXqC/A37T5G9Z84x8wYrQY6mZmOIYaM -jwIKdgFeN+nLk5henARUz4MTFUW4j9hHpuyAFomDQ93/wkHZ9IEChTxdZnfvsd// -Z45vfcX9dQM+tuR8XCYThVsScI1TnwR46hi5NkfmHo3HVxwB8/owJ+FZDsTNBbJd -7AVy27Xk4L5hLe7BwLDtFMyOp4lOipCM7//mtFB9mTzqnOwiSSyTRlwGUBJkzQFW -Qa0Z6bfYwA6+y1dn19H519GW49irtl+2+W8W4N8oLriIjPvqrQOyaELFcRfV6FfL -i09HPhHVbejOqIEbOtfuN0+mjrrGAwortfTBjfw80N+W90BTvta4K2SyjHcJTkDY -ehfOo/5IMpGtDsOgvsCbDaFRnNJuYtSqQmvWk1KIPIw6CkdJtZa3+q3YA7D7ovOV -H1OBTKNdBjc+X4W8L5R9MCymXWvgiP+52Sv1VIcZmsnCBrwK490AEQEAAcLBZQQY -AQIADwUCTa/9HAIbDAUJCWYBgAAKCRCfbxwtfgRfjTY/D/9+kX8LeqBhwDdwy3ud -V67KmVmytwGMfzBHbAyBdy84X06ip/If/VkjL+2Sv5Uml/cOOzGZT7y/KEt0uXQz -gOZhGP5Y0OREf4kSzfb7tsGu3ZjTp5uJe7HiJr8uqYGfx94TQG/A3x1C7MlxOGmW -DK/Eh/eNVeNd+3yyDEzl2p7a0yUhI8LtzllVrEDX+G4rz+mdDw4tfPDqzRPzPvVt -PfqnfofHP5r2dshGe7+pCTC+o0jHWpaiFkEiIrR3PbZ9tV6+F5LzCUJJP5nepz6C -ShpLHq9ST6qZiw5ZpdznHW0kVl96YxgynJq9Y4dqD/8nOfTzdHhXXEogGvRfcxat -xeZF7YNFhUU2p+CswAjRKCUzZAz0hDAu+dJ+fw4Odx7ii8uiwhEnEHoo8rPETkXw -UK1je4MCzMRSy0Gippzk/oZ7noIml+Njas/UygavUOQm8bcPqGfWeFqvM2C7ZobL -2iV0fX/bhEmQyosiWJ0nHuKdwDYygYs/4LtZLxwiKli/lm6IDz1028j6/98Z81gG -oltXWokTYAPEgcBuhyiSLSQ1wojTVMYt9rPKMBakTzP+0FoWqoNafWOlHovP6iUB -2Igll2ZT3AvrBQ8jAbRbuUl46QpBaKsl+pBo86az0fRkMxv0N4dQv4Q7Z0g71u9N -Tpaq1vtAZOwc0kl3uGNK18PnV8LBZQQYAQIADwIbDAUCVu+raQUJDQIVTQAKCRCf -bxwtfgRfjVnYEACZ1E/FfLDi4vLUd9diImmNN/zWDHxTsO/VG3lt50rSoJM5NGB4 -RlwcbUKhah2fD44FFiIqGIvKD9hRgB51dVRIkaR3ozVtXRBKxJJqWj38wf2FDLtU -XC5/JHYb0sjAc3ad2sA9xEmEBVO1lWK3J6h4gKZiAGlWz3oeOSve3vrTKsBlP0Cu -rUeb4WTVpw4drBJD7cDh8SJ4/Cq76UFx8lW0xR+pHZHcd0/Ir5v5HnnEgbnut4Ix -eY3/CGBfQfSQHylK7ifmPWq+dflC/ZdfHY1V96EHKPM44ZLwiczoY3qp5nkmEc3B 
-Y6+P8Ch5gddOYaY18wpedarswnpOLQD2Xbsj66Eh0IZuuuZGyfOqJNaWbP33L27e -g35XQNTgyhuZmDyRKL6yAbhU74TXCCvze/kkfqDn2ouCtM8/kqLX1v0+NkBxlhZU -kTTVDyclZtwu6Vypus3+j2Zqk8sXeUZI64sjXpzwOcMZxdl3QuyxMktExWzk9Q5D -YqO+pj/YGt1vp2M0YgSUWNWCvfBcjEPFgaljyqz3BdvR/LYohnXuQL9SWObF+sIF -c9D0w/yORYQcKP5kSWVC/qwFdC61OGeSDnQ/0o0T5PefhYS82gsIrjQ+HIJ7CLUT -k7kBNljvtfpoWegH02feR0kSRoCXA6x+YHT4fmB41pW8S1V5a5dEltA/JMLBfAQY -AQIAJgIbDBYhBO36o/LKTm6wVoGvjp9vHC1+BF+NBQJZpTgKBQkRmNVuAAoJEJ9v -HC1+BF+NyNQP/A3h+cOOkYUxyKpNHdtlIfCn8db5tHXSCbE19Qi7EK1SiK5atjo+ -VoRtB+L01kH6GCx5oZjeIhUdzYFwEUsdCDgwD6r0dKFwKIGa4TFcfnx+Z5B+HZgL -Yc6ac5PEHF1qZVXZH9GSGeNw5h2yyqf4yhvetSN6L2id14m5XXJV5e7NfOgmaSnG -0Z+wQvPSiu+Q00XpENT8HFSTSCjRATjk12rpy6TPeeC52NK1gLhGDRHN0k6m+vm4 -yoC+Nd6iPQpnc+5xs7NDnq2dFuSTp7UTGebzPhhdSQgujEFuYLwzQMZu1h5amtA+ -v9j7BYEJkOMC7bm1PNNA2QQ6QfH8Hf+mJeINyJO8A5KS3ceP+eo3SLR8T0hPzu9g -ZuZ22Hn3DXQh1VNRshaLKgNvoXpL3dQ48d1SFFKhEDpy2HSXUq2fs5rH0uszFGes -G7K6EQRAYRcDrCkt9fdfkvCSxAFw9d+472xThzgKcN+MkOec+SaY+xlVULjEfCWy -RVC8Opam4mTm/XT4mVLxP/qnsy7kEhLoc/ouB+lY/ks06LpZJvCXL6WfA9You1Fi -1Mg7GhSh9JKg6X6E8Trm+N4dxJGut1xbbGmmKXqfi4pej9KlkdeM9t1df/vWKlPa -7Hzd8H0btgJx066wC4yt0ghxtsJXBsCDxWLfzaSRZ2/eP16mHqxDjsQQwsF8BBgB -CAAmAhsMFiEE7fqj8spObrBWga+On28cLX4EX40FAl3uCX0FCRmkDeEACgkQn28c -LX4EX43TQA/+JV8ReMRJCn3Cfqbe5ycFn8p6dIVnJiQuhiEyu5yzdpSkKyzcVFJO -bQcqw7s50FJuLUbxdvbcuGIaoTu7dhBoUXO5tOuIQAsKTfGfgoOgelJm+/q2h645 -EnAVINGbMDXrmo4/UFJkNjUMA6SQi/yiam7N0y58eoDC4sGmBKuN2EW2MoWahlXw -8SS1+Ab9qVBs/RqbSy6f1nJL39aPpPDmvyJOSYtHnNSFlYWVhr0zGAi5rnswlFGr -ECGbHpr5FajUK7zcmtNPbi7F30K48xfF3XnDIeIBcerrEBQMaPUZcBlddGhmSVVJ -ZU/YhR35JNgPnmp33gOuZaRiW9lauZFwsMQBIBkLpJWoUtu8QLkyC0HmJzVRep0/ -s1RkzaJ+1G1BzXTQiXaLaUQWG5h3pcMD8fxY5qp9KbG/+10bY0sRbRBXgS6mz7dd -HaBtg/E8ty2nEB1HDXA9HAHu7KlH9e96sPZjz9C46ZiOXe6ZAOk6wBYts4RG4bCQ -9pGORJ+P2Jr2pz1NZQbs1AhnjJixTsfZfsGZ5lHxGLjIyxtdGB/irLEqNTIMek2y -p4CShmWoZwN0V3aGYMe/rC4tSXG79IeKNwF3Vd5MHtB+hcJG2qztBtKQuW29rbRA -5bNxwTWe8skwOKsxXnP9RC974k0XkPS+VwgmVgNN1ewS/0oHvmEP71Q= -=Oqje ------END PGP PUBLIC 
KEY BLOCK----- From 21dc077e040de49174e41c99f5c7defb457c9d8e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 13 Jan 2026 16:40:21 +0100 Subject: [PATCH 139/139] Replace downloaded key with existing Paul's key Keep only one instance of the key. --- releases-g2.asc | 24 ------------------------ unbound.spec | 2 +- 2 files changed, 1 insertion(+), 25 deletions(-) delete mode 100644 releases-g2.asc diff --git a/releases-g2.asc b/releases-g2.asc deleted file mode 100644 index a8f7de7..0000000 --- a/releases-g2.asc +++ /dev/null @@ -1,24 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -mQGNBGc7H5IBDADOZfJwZ6zZ/4JbbR2hef4261/zh7YpdjUREUs0dMQSbf+x7sAE -50JgvLQWlvA8sDHzbUMQ9cAYZBGGE6iHb50KboeEfuiP5BdiLe8XWKlo1EIh+Idz -0+e1binxwvXV1/9ACm/UHPRuWjkG7vrP+mVRuhfKglO6xSDxV1cwjYTRtvRtQx8D -+kTdZzprvtzkU7OIWeczKFJRhVHzNDHYFG9SuxvDA9cbVm1KPVJEkRBwoSBPeB0z -Z3LSib2uT6Lc/ghAijOwIpR+zNYKOYxRhzoFArrLa0Fs4nq6//LA42/aVjSienEJ -SR5CVUbZy14WuUsYCkV+ZoORVRYZOcjtPG7FUKDXKzY9/iNhEAZ3OMK7Np2Xq/YO -gaOiUDFXLHU1n2UVH1rwkMiS2o4EMqvO7gINmnL/ccpI2wj2QrQ+JZ9y1Xky7dQM -LIIbtp40e0kGocgyba484rW17xlvXRxb1Pjn93JygD6WcraLLNh9jq87hW/J37qi -S4DL+GUe10H8SeEAEQEAAbQ6TkxuZXQgTGFicyByZWxlYXNlcyBzaWduaW5nIGtl -eSBHMiA8cmVsZWFzZXNAbmxuZXRsYWJzLm5sPokBzgQTAQoAOBYhBCMQGGkMTZA+ -9BkUaqFEMj3qrN9FBQJnOx+SAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ -EKFEMj3qrN9FZigL/0aVsJ48oe7vko1Mwg9DucFoCL8CESAarA40in1Bauq7p/pT -l5UcNnFPLO8HBAHWGWtDI63pEhNzHacPzSI94GKS4TUMGzCV1H/c0KnxB7wAO55b -HEQOZJ+kFRBFXWxbXORtp86NZuyCvVoSA4QAcnCf4m5ZEBb72H2cmy8xP+/HLkbS -rpr5pyoUWtCYM8FxnjM3bClXSGOlWNl9cSXLqyyVjxvc7cOAS8ytL/zoVStoBmi/ -OwQbeJfAiqDMnipBJNzOHlfniKXE0FGDozKCHWP88ifs8A8OUNtJng7cNq7EQf9K -vTvbJCcF4akUUcXnx4gv9Z1ZQ93Jg5X7h+0MP7Ut4z9hKSIAOowru7GXGEt256Ja -eE1nSviDcqUtZpyqCLjpCDFGPMwSPzSwlPXjJVlVxPkDvPuNt2LUIEd8BR8Wo7z+ -NA5uM/zTHkQXEdUgCcl/rHy6moHYV3Q+YbMb17zU37a5vLb+wQ74doaiYo3b8KoV -K6vVKMmB0qru6ERJ3g== -=4R8U ------END PGP PUBLIC KEY BLOCK----- 
diff --git a/unbound.spec b/unbound.spec index 58a0ccf..d173141 100644 --- a/unbound.spec +++ b/unbound.spec @@ -63,7 +63,7 @@ Source16: unbound-munin.README Source17: unbound-anchor.service Source18: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc # https://nlnetlabs.nl/signing-keys/ -Source19: https://nlnetlabs.nl/downloads/keys/releases-g2.asc +Source19: https://nlnetlabs.nl/downloads/keys/releases-g2.asc#/nlnetlabs2026-g2.asc Source20: unbound.sysusers Source21: remote-control.conf Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc