diff --git a/.gitignore b/.gitignore
index 7b0a36a..cec9517 100644
--- a/.gitignore
+++ b/.gitignore
@@ -81,3 +81,23 @@ unbound-1.4.5.tar.gz
 /unbound-1.17.1.tar.gz.asc
 /unbound-1.18.0.tar.gz
 /unbound-1.18.0.tar.gz.asc
+/unbound-1.19.0.tar.gz
+/unbound-1.19.0.tar.gz.asc
+/unbound-1.19.1.tar.gz
+/unbound-1.19.1.tar.gz.asc
+/unbound-1.19.3.tar.gz
+/unbound-1.19.3.tar.gz.asc
+/unbound-1.20.0.tar.gz
+/unbound-1.20.0.tar.gz.asc
+/unbound-1.21.0.tar.gz
+/unbound-1.21.0.tar.gz.asc
+/unbound-1.21.1.tar.gz
+/unbound-1.21.1.tar.gz.asc
+/unbound-1.22.0.tar.gz
+/unbound-1.22.0.tar.gz.asc
+/unbound-1.23.0.tar.gz
+/unbound-1.23.0.tar.gz.asc
+/unbound-1.23.1.tar.gz
+/unbound-1.23.1.tar.gz.asc
+/unbound-1.*.tar.gz
+/unbound-1.*.tar.gz.asc
diff --git a/Yorgos.asc b/Yorgos.asc
new file mode 100644
index 0000000..8d0008d
--- /dev/null
+++ b/Yorgos.asc
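Review bot: The explicit `/unbound-1.19.0.tar.gz` through `/unbound-1.23.1.tar.gz.asc` entries added in this hunk are redundant once the trailing `/unbound-1.*.tar.gz` and `/unbound-1.*.tar.gz.asc` globs are present, since the glob already matches every one of them. Keeping only the two glob lines avoids a list that has to grow with every release while the glob silently covers it anyway. The pre-existing 1.17.1 and 1.18.0 entries visible as context are matched by the same glob, so a follow-up could drop those as well.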
@@ -0,0 +1,128 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFfYHeYBEAC/8SdeXNspt9ZIoZRSL9juNLHA17TXcHdKSthgWBtwwWZbUPq8 +SJr7Y+hr6jMCDKY9800QzLF0nLkyXnZgaBcvR0rRbCT/qvALJ0fpfjcotapZ1hBv +omb9s8Bo28uKn8tbTMXYNsElUae4Ch/CrU1vfe50YoyQgLR8UBa15gV+2RmC+6jI +qxDYS8sylWlDn6Qim+77feLlObPnNdzgfWGZo14eJByTsz0qrh8aS/BS1FAsnEQ6 +W6AqukhpuKuWvoAUXKjfguXQolxeexubmKaLcGOTvecw+cbh/a5SPHRtRVr9qTxp +elk6UEpakY5K9UtZkrG55VWih/4KqY9bNyhJBtpAk1fXA+mYfx5BcFpECYdU9kz4 +UgV5jK0HYRHQTLC91PPVQgH86we+Aae6TaJneCLEIzBK36TgAP8RKrvFfPUym5OP +YbWOom27QTKfRVcyxPKglJxrTSWixnKWS/pqxNY8hF9Ne4crRAF4wX2yBVbGnjNr +S9TpYmjMwURbuYm+rWZk/8w5OJG60V3wax56c0jn/42O3Y2hzQ+PbOv2M4UuuajS +2YL3/KUsRLBapUpPQjzChwzdr/vzFEhk9XxK2VGMN+dh2HjYwDFendc5csyt/cVr +g3LssVS2bKy5g3IhrzCKAk0Sky4S5t/mcN+lWztNvCijuLz58GCym5GwJQARAQAB +tCtZb3Jnb3MgVGhlc3NhbG9uaWtlZnMgPHlvcmdvc0BubG5ldGxhYnMubmw+iQJX +BBMBCABBAhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAhkBFiEElI60IyLF0At5 +NA9dz/M0TZCHpJAFAmjWhkcFCRLfm+EACgkQz/M0TZCHpJANXhAAvTpKNl5+kU1d +lcFrXx4pgi/knhe0y1Z+ENQWVDYTs9v+lMoyCRQuAt1Cir1LAGWfRBdTQh60I6Dc +BDj+15pFJCv/dyZiQLPUgxLtIxkwIUSjELp8JevNHhGMNz7QWdG4SEpG2aF/D2Zz +kvaoomPGjRyo/bkgR2la6eqrCOxYVP+FT7682yf0bCvSTs1kTrnwFY93s7O2RciI +MS0XWcHPtoi96JxhzUIT+v0gSFuitZhRGPh9pyIcHmRER1yKugvMp6xF5UjNIcfL +ScrNlGXgjc6EJiGXS5CHliIlxlAxs4J1T9JiGQZOAW/CPxe4IND34DhqwvQcJdtL +8jt1b2xUcuFfYNa3SY671OnLt3EhwMsYDaSIXrPqW8R6XuaSxhb4sL/okHkb833b +CgaWvjQZgRm1h0R2IY5C3kHotsLUd2fygrtVVvaLxGEoi9UBsKoLu2kHEJnV5HJO +jfJMBBGgGFscfk3p1v4SAA30xPR7i6O2KDmFsVzL6xKbnFMMmayEVfWzGXmxB7lv +ob6HrJIvVH6mx64OsAY0LQI6abQI3TTZn13+RNxuATQS+j0tqbZvVJtWFw41eqsU +OqeNF9W323uvhJcjDyYquAREIivFXkzxa9y3rgQfB9OX9usD79aij4y/YLqZxafl +InYUlMGygNOGXruFRZ7DD6zciK2Zu7W0K0dlb3JnZSBUaGVzc2Fsb25pa2VmcyA8 +Z2VvcmdlQG5sbmV0bGFicy5ubD6JAlQEEwEIAD4CGyMFCwkIBwIGFQgJCgsCBBYC +AwECHgECF4AWIQSUjrQjIsXQC3k0D13P8zRNkIekkAUCaNaGWAUJEt+b4QAKCRDP +8zRNkIekkKovEACQkeEImQeer9jsY066WyIpvrhcy6xtWjeW8v1ZasRoi+DOFWeA +18O5iD34UaIPPGFRu6PRdSMLdUqtelFgONVDnXEuqOGAptMcCI4wp4+NIFd00v0J 
+9A9ur7xWt0Q0O1fMjFOMPa5oQK9dg1MCI0/RWRObOPf3cIr2NhgWwBuKTCluKyFc +mnRQXwyxBGCBRvK5zKmA8BBlnHuPfunTAcduNSExUx3e0w5BD5lcG4YeyuR+IRcY +HJPGU20f634dDSJGKJvGxjpaCxGQNca6s8Mpkq3lm/D3Ia4Vpw/HdiSawv/U71S/ +4F6lctMjvoS73Ao9DZ4iDPqkHJ73HidNp7n25SLnXKruZsnXitjYT8ueP7byeLPi +7IvqoENXoXNqNfDuXfqri/WnHPYWbKIdj5WWFeaR3Ws+szw3Wql7mJ1cNFWbNCE7 +rGFPhSNyG3n6mlEBUKUYn8FuOF9PHwwWl86GHLI6O4xOIohESyrZrq2mJS61sSq6 +AAQ7cqx6UMNJdBcgB5Ry7qRUF6ZmowZZu3aWFF4dW+LwMvuaFjKzShsKzj8GCE0B +pQDjy+IeWM2mBVneuCicWwvbSzVWx+Ow42QRvmH8Ja9PqoIYeJQUiMr1+aAG6kUK +3VW4iugsu3/oFIlFrkYZy9YEfCOEMgqRKL/cuBJTZt0OPFRE/9O/M/FVmIkBHAQS +AQIABgUCV9kUOAAKCRAwkY2CdXJCIju1B/oCvf1kWYndNeLS6U2O6DtFAL2Ia5tY +Zukcyqb1hkYcrBiMZbQN94gX5a+6Q4pdd2n241r1ZuSWdwUhRUbF4mvbZMVsavnk +cvrRGviVIUXf71W0O/IsmQ9oN0Finhpf14Y4z/xqF8DpvJdkWc6X5g+RJuko6q2w +B7x2UfSyF4USp47LSmUQnC59IF8jzaElgBha3gwEuXL3d2qBepoV/e9RiXJClUAT ++O7qdxzDq1eiZ+NXUjDCmrkuWjHLAZAv0jx1KUTCQ2no62UM95igtJ+Kn56Lc2+J +CqFJztaZeX8CgXXryxNpsyhZJ33dIoLCT03K25wrV5Y+eag05slQ9sC3iQI9BBMB +CAAnBQJX2RCwAhsjBQkFo5qABQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAAoJEM/z +NE2Qh6SQ3JUP/2G3bRNObS7zsfN3rjkbjLxaDOwNggRdbeXM5rHDVEG9SWesCGaI +vyQdkSGQoIaKUgNv7Yp8O8pEnD4IwdhNSaXVIB3pBtdOD0UM1wuxRpfqJOUxZEoW +T2Jr31Tg2qepp6nT7UmdiF7uCBDy8Jm6k6Q+6UT58cPaesRQdSPi6Go7ho2/xVvK +Ve9ufSTSTdG5+7bJDu6Iv7sydKUEG4jPDqo+jjVLn1X6Rfp+E4JAvOvFrSJHW5sa +A332xV40GeV+aM1ndP7dPkz8+AGB3QD7JF2DLcqvLo0TYOvjnlOGYcNp8gzp23g9 +KFwe2sdbdtVpuWaJUSpXXiUZnFzrrVxDNiEBjqsPa5ysOxzJ+1gUbcrIjUeNeAFh +us4XL+IidPATnhTIX3X/uPRB87KaTaA8XUqsuSd2DM9mLxdHKC9Jf8D1t+ywYrek +Cp+K80vCtFPWBM4+w8nGugTNKJEGIXZDGFOF/c7r6xKkaOYK0Y+IGJawlV5LaADl +BmQpPk0ubYclwb07FcegaHSxxIqUo/kbyt1YV5mU+QVymZ+xyvIBrnW8hBuNWRvU +5acnIZibCERayo8ZuI+r/X3bLHfDx0oh2h+cL3utNZUqmgZNR0Di8P+x0hUYsYPO +TJaDBSgvxUtY0Ci+OWX38kffGGvhW3CM8V6skdVc8cp7Db7gxase4BxxtC5HZW9y +Z2UgVGhlc3NhbG9uaWtlZnMgPGdlb3JnZUBvcGVubmV0bGFicy5jb20+iQJUBBMB +CAA+AhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEElI60IyLF0At5NA9dz/M0 +TZCHpJAFAmjWhlgFCRLfm+EACgkQz/M0TZCHpJCWag/+MJOLW1tBNPA9sBcjl9V4 
+Cjc2TIR/r8RRGv5lstVXlXc5T4SR48UvQTxaUU+KJia5POsaAsw9yk7Zz4r7ul0D +Vd9tzHCcwxl46e0Kwn2VGBMHThsWC7QDuK7b+4AlxeO4EDWRPPw4BCB7aTxJzA3N +O4qpEF4TVeb97uyNQr2YaTGUzSI58vCgXgeOpH9ivomQi1nCxZbdrFh2yKJ+H4EH +gI8+D9iSnJMI16RS1dE7Pa85IG+qPd3owAbOlc+tBsSvdbFdRufQZeiNGKfQno1E +oygZt8svcuKpGAG1flzpPu5LE9oMsIDia9hcn4YFqr80F5bW1rUvFeC0rYp9/0ui +6lo34PAhEieB8XzjbpDDEnlkziRoz2YNVJmZOWrCAMI1bUFI5/+YWuJTXCGF62dE +dO7aBWoUkchkGGSGKbPW9KYdmqMdfOeuqZRBhKs8bgHIArJ+kvglhCJr/qNX5T8p +oCHE5bnEwFxnH2Q6a2ffpMpOExGvPaoAWlym/ID/MMet0riZ2izFUdmjEkA0HUaa +7h5x1dKMhHzYDXOW8Ksx9vE24gLrjfqfvIiYpErn+SVs0KUqkR0BRWLRYjyq/Bj/ +btTQXcDeYpQj4tL2cX3Eosqaoy5NDGCK4yqWOxENOJ/YcO5dTPJDNsHlc2JSdejz +a4g8AHFlkpPn0tlflbuE7q6JARwEEgECAAYFAlfZFDwACgkQMJGNgnVyQiIHjAf/ +VrPMgIRjRTYi4cxOr5ewaim1hgJZO1oCJoMopwIvpZ2kAUqL/uPMT3wREe5bi79H +jXYcaX+RbrV4ZdzaajDUFCj867KGErxqtRkANJ1eNLcQmVwGNoFeTQbgEOBfKq1t +hRfMqHF3fxCPJp4z4U3kBPUpIQPERjgUdkH8fxZ34Omo1SLO1b0dVqsneezccBVv +Hj7gVoaWw65Ov7vngwNCKH3fjOkcoINTH/nEw4WWh6UV5ZN49GRqa6oWdUJMZbgB +w8z357RLN6YLe7KMh4oGpUIvfH6Vfq6CIb6s9pfgjAvq8O7p9n0/0FG77j84MuGw +fdhq8eSazO/j9LUCBM+8k4kCPQQTAQgAJwUCV9kQiwIbIwUJBaOagAULCQgHAgYV +CAkKCwIEFgIDAQIeAQIXgAAKCRDP8zRNkIekkN9pD/wI8JAyjJEIjUJNLRuARDDv +pJrQjAo/02naPcGs4yyUd7yRkhzVKLFLvif8XICxxLWk6FdT0PJeKGTvRoe2+Rje +c14rO30niRymWkBi36iDW46Dpt7Jx+LUDhUMYPL+woKSoHmbBGWLSYXKxaD8F93A +nVs97nP4PWpspv2BFiuwKGsSsOyyQPPvr7jCin3H5oPH9qDnIV0KonAYbzzEKod5 +t0Rgzo/nWXZBFXWC5xvKeghwkdT++gYS/ThvQY2ua6A1XRE8BntyldD081NPi3NO +dWa9m8ufFOJsEEiWcpdT+EWoDw5JyGAR7U3IOVl3BTo7shdcYEvRVrDMBpac+ItG +WvogUv7alBdHWi48amvZE06RI/nDJ/rxj13S/4POgMHU++aQI5a1G5H3jBu4cehH +4iT1UKmozfzVEfcHb2dsaKnnuFzQxmol0lZu1ETyof+Lxvs+wErN0QR+VDNweJEJ +PMXiEcjASdLtrEKgFSP2B5yGGzt93C+HbD+VQOU359aAnvVjbTAVz8izuMphd6Bz +Ix1q//q2VmxqjjT3Iv30hBRX02x2M8gsP/e49XWEll7stkMtbYhBU0sHQ2CqzLGh +gJN3ecpi2sKWVqN8HUZOwJFj6f9ZX76YSM23wIugHfscMAVJUXvBrbd151WIshOf +FFPo62sYGt+SEMXWeRcHjbQuWW9yZ29zIFRoZXNzYWxvbmlrZWZzIDx5b3Jnb3NA +b3Blbm5ldGxhYnMuY29tPokCVAQTAQgAPgIbIwULCQgHAgYVCAkKCwIEFgIDAQIe 
+AQIXgBYhBJSOtCMixdALeTQPXc/zNE2Qh6SQBQJo1oZYBQkS35vhAAoJEM/zNE2Q +h6SQjBkP/0IvctNT9T+DtGZyMiw/Jna9G3QhtW7exhlxzqqX3tFmZpaJj3VswyqA +5hx5BdJEShC8qNEqrBCHxcCZgsLvR3GKc/0LTgP7+7VH/ugAScrlVeI8rB6V1jn5 +cnfY5fsfOQ8i0b/8C+CiEe0TW90VRHjYV6DWMdUfqQb3E/snl23RMFeTL0Qrrk8H +Lo3MTko7TeKRYOV/g/qQkb9CFQZNyzgIjD7uZi8or8qFJ/uZTnlBq5/NRDB5Z3ew +7WXc3QrRUXmbbDzdnIeCtu5vmuk+hc69gbOst9nWf3y2qlK7BjZqT+PqKZa/fa/i +5pZpv1hB8DrA2WTIpN7iXhCvABXSEoUOJaLkRSJVDqzvuaeqOEPrk1aJSMWoio/w +8RRa1L7k6m81Dc0dqYbBOSI4MCNm8ZawQI2L4qRs5QORg4nRnAevFgkzhJKFYF2N +jzX/2xlAuOym126DODC9qJSJZR7uTOJXh0yqknfkPgDXjchpzq+Q+CM+jYo6AGas +/XPAuRQCQaLSYr9UPL7Fn62//ysZQAyAkJQR1u7UwAd6/UTTMVZpUJsLQyMyikF7 +UT4K7MWrvkZxMRPhGan0P2pRe36M9BBjYRTp0TIr+UjUT8iBfjdrttI9DQlkcEeQ +rKhcE31KqjwJMdiuzbpqqXaEss9AFuJng3Owewt4wAft3eu1U7PWuQINBFfYHeYB +EAC2h9yjSe2SgtcB0H+E0ndaewaZaQCE7q+RO43dotGH9eFnVwE4/ftcK1SN42ih +lF5OnTaKPyXvgQ6U8W8VB8eLjeTwA/dSXuJX7kJpEK8saPqJP6zTUmPqp/GSzS6Y +rhKLfpFn4chmywpDFcGNMz0sYXiJgPqKL7W0KuG+ziPToAeWl8ckeXyl77/lHVhW +YylaQJEASklqCViPXSp9vI7/57UEm4MQPXwsDBOwuVVqcSu3ZM5MtY9XlbVPNCYm +ZIMqmh8HgYwbiq9dTfJi+6v17+uDQGZewWK/WwFM+9dDx7YkTeOBiUduYtJPW64N +W/RJ7pskbLAy+OZApTZWg0cISN6GOmPN3F0AiWzUjvSMREHhFHyxj4Y15vuDOFvP +GFxr4xBiyMX1JLCKK6OFnyPfoJ9v/o3UgrQgLrfXCmKdvkwBCgJvN3Fsxzha6Dtf +6RcZ02fr7SCZZhdBrlrflvC1uWZ0g3A87ss7h4Iw3njlO3aX6Bo9R4VOLUkiRKi4 +hmQBxPvXxI2ERmKRomo6lrMaDMzIjD4APSM1vUfZguzQxVYpM8lwy1COeqxsj5p+ +LH6f/EU+4dXZwooJ1uanBOvG2ntnz8SErE+e7wNYE4a/fb8xYM4j7p6qYtnNZPb8 +sj8bvx8iWXp4A1csVetyVSchBhTVQhhNos6ouYpc4ibrYwARAQABiQI8BBgBCAAm +AhsMFiEElI60IyLF0At5NA9dz/M0TZCHpJAFAmjWhoAFCRLfnBoACgkQz/M0TZCH +pJA4sA/7BZrP4nwWF1eQVliMWJ1KKG+sHizK4c+ZiB67aFJw4pLDCL5o6unOWH8V +ocr1pWC/BMmLG4K77O2qadhUH7mzXm/ddZ/DVF3xHTvTmG1W1bLd6zj3k6qOFYq8 +yPS2QNTa3+3oNbtZQ+RpvhCAmv2Dc1GMPNP2hKR/Ju9r9NwGWBEDQBtiMZ7872QJ +yR3IFyfQGRvj+GBbEBvJwCFmaRb3eDorhaNhM0b0c/RbIueEWD40nkCUtmM4Zrc1 +0HLod8Li8C4j8sIqIdfTKo1RiJUUg86q1K3pGA86hoOzeaihZekcm6wMwGlhXymb +Ng41yB/ZTedl9wk+XEEcD6HZMCXyfh55hBdWG06aEhMIALjOCj2VkRnDLmOKLgDZ 
+kg7OOQxDfKACCCvk72HZG3qKtaN9oNH1oeaVwc3ytWR8y2hQJcCxmoQsLn+Xvkgc +aYRNklPW2z8817J3fmvvwS0o6sOWRHLb0XAc+NZg4lEQOgwVFrE0XIAgkXHLQbuQ +GRpRzRncHX95RXMzGb1+8kpWEcM7gazgUA3omoAumwNEqmeBX1TmEtDop1k5RFCS +UWbv+A2s2GSAb05MHY0InIhMxzJXEa5+dJDPSvZnbiGRGhQitEe4eIlmPcNA1lB+ +ADFE2UTzcpRTo5cOKfrXyZXr6JCEl2+tB3o5m0v7FRdr6+zIS5g= +=Ubkv +-----END PGP PUBLIC KEY BLOCK----- diff --git a/changelog b/changelog new file mode 100644 index 0000000..7ce4f5e --- /dev/null +++ b/changelog 
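Review bot: The new `Yorgos.asc` public key is added with nothing in the diff recording whose key it is, its fingerprint, or where it was obtained, so a later maintainer cannot tell whether the file still matches the upstream signing key without importing it and comparing by hand. Record the full fingerprint and the source it was fetched from next to the file, for example a README entry or a spec comment such as `# Yorgos.asc fingerprint: <FINGERPRINT-PLACEHOLDER>, fetched from <UPSTREAM-KEY-URL-PLACEHOLDER>`, so future key rotations can be reviewed against the commit history. The spec file that would consume this key for source-signature verification is not part of this chunk, so whether the key is actually wired into the build is inferred rather than visible; if it is not referenced there, the `.tar.gz.asc` signature files ignored in the first hunk are present but never checked against it.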
@@ -0,0 +1,917 @@ +* Thu Nov 02 2023 Petr Menšík - 1.19.0-1 +- Update to 1.19.0 (#2248686) + +* Wed Sep 06 2023 Petr Menšík - 1.18.0-2 +- Skip failing tests on ELN builds + +* Fri Sep 01 2023 Petr Menšík - 1.18.0-1 +- Update to 1.18.0 (#2236097) + +* Sat Jul 22 2023 Fedora Release Engineering - 1.17.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Tue Jun 13 2023 Python Maint - 1.17.1-3 +- Rebuilt for Python 3.12 + +* Sat Jan 21 2023 Fedora Release Engineering - 1.17.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Fri Jan 13 2023 Paul Wouters - 1.17.0-2 +- Move unbound user creation to libs (#2149036) +- Use systemd-sysusers for user creation (#2105416) +- Keep original DNSSEC root key as config (#2132103) + +* Tue Nov 01 2022 Petr Menšík - 1.17.0-1 +- Update to 1.17.0 (#2134348) + +* Wed Oct 05 2022 Petr Menšík - 1.16.3-3 +- Correct issues made by unbound-anchor package split (#2110858) + +* Fri Sep 30 2022 Petr Menšík - 1.16.3-2 +- Update License tag to SPDX identifier + +* Fri Sep 23 2022 Petr Menšík - 1.16.3-1 +- Update to 1.16.3 (#2128638) + +* Tue Aug 09 2022 Paul Wouters - 1.16.2-3 +- sync up to upstream unbound.conf +- Enable Extended DNS Error codes (RFC8914) + +* Tue Aug 09 2022 Petr Menšík - 1.16.2-2 +- Require openssl tool for unbound-keygen (#2116790) + +* Wed Aug 03 2022 Petr Menšík - 1.16.2-1 +- Update to 1.16.2 (#2105947) for CVE-2022-30698 and CVE-2022-30699 + +* Sat Jul 23 2022 Fedora Release Engineering - 1.16.0-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Mon Jun 27 2022 Petr Menšík - 1.16.0-6 +- Move unbound-anchor to separate package +- Move unbound-host and unbound-streamtcp to unbound-utils package + +* Mon Jun 13 2022 Python Maint - 1.16.0-5 +- Rebuilt for Python 3.11 + +* Tue Jun 07 2022 Petr Menšík - 1.16.0-4 +- Restart keygen service before every unbound start + +* Sat Jun 04 2022 Petr Menšík - 1.16.0-1 +- Update to 1.16.0 + +* Tue Apr 26 2022 Petr 
Menšík - 1.15.0-3 +- Stop creating wrong devel manual pages (#2078929) + +* Wed Apr 20 2022 Petr Menšík - 1.15.0-2 +- Update icannbundle.pem + +* Tue Mar 29 2022 Petr Menšík - 1.15.0-1 +- Update to 1.15.0 (#2030608) + +* Sat Jan 22 2022 Fedora Release Engineering - 1.13.2-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Sat Nov 06 2021 Adrian Reber - 1.13.2-4 +- Rebuilt for protobuf 3.19.0 + +* Mon Oct 25 2021 Adrian Reber - 1.13.2-3 +- Rebuilt for protobuf 3.18.1 + +* Tue Sep 14 2021 Sahana Prasad - 1.13.2-2 +- Rebuilt with OpenSSL 3.0.0 + +* Thu Aug 12 2021 Paul Wouters - 1.13.2-1 +- Resolves: rhbz#1992985 unbound-1.13.2 is available +- Use system-wide crypto policies + +* Fri Jul 23 2021 Fedora Release Engineering - 1.13.1-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Wed Jun 02 2021 Python Maint - 1.13.1-7 +- Rebuilt for Python 3.10 + +* Fri Apr 23 2021 Artem Egorenkov - 1.13.1-6 +- Option --enable-linux-ip-local-port-range added to use system configured port range for libunbound on Linux +- Resolves: rhbz#1935101 + +* Tue Apr 13 2021 Paul Wouters - 1.13.1-5 +- Fix unbound.service to use After=network-online.target + +* Tue Apr 06 2021 Artem Egorenkov - 1.13.1-4 +- Don't start unbound-anchor before unbound service if DISABLE_UNBOUND_ANCHOR + environment variable equals to "yes" + +* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 1.13.1-3 +- Rebuilt for updated systemd-rpm-macros + See https://pagure.io/fesco/issue/2583. + +* Mon Feb 15 2021 Victor Stinner - 1.13.1-2 +- Fix build on Python 3.10 (rhbz#1889726). 
+ +* Wed Feb 10 2021 Paul Wouters - 1.13.1-1 +- Resolves rhbz#1860887 unbound-1.13.1 is available +- Fixup unbound.conf + +* Wed Jan 27 2021 Fedora Release Engineering - 1.13.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Thu Dec 10 2020 Petr Menšík - 1.13.0-1 +- Update to 1.13.0 + +* Tue Oct 13 2020 Petr Menšík - 1.12.0-1 +- Update to 1.12.0 (#1860887) + +* Tue Sep 15 2020 Petr Menšík - 1.10.1-5 +- Move command line tools to utils subpackage + +* Wed Jul 29 2020 Fedora Release Engineering - 1.10.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jul 14 2020 Tom Stellard - 1.10.1-3 +- Use make macros +- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro + +* Fri May 22 2020 Miro Hrončok - 1.10.1-2 +- Rebuilt for Python 3.9 + +* Tue May 19 2020 Paul Wouters - 1.10.1-1 +- Resolves: rhbz#1837279 unbound-1.10.1 is available +- Resolves: rhbz#1837598 CVE-2020-12662 unbound: insufficient control of network message volume leads to DoS +- Resolves: rhbz#1837609 CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers +- Updated unbound.conf for new options in 1.10.1 + +* Wed Apr 29 2020 Paul Wouters - 1.10.0-3 +- Resolves: rhbz#1667742 SELinux is preventing unbound from 'name_bind' accesses on the udp_socket port 61000. 
+ +* Thu Apr 16 2020 Artem Egorenkov - 1.10.0-2 +- Resolves: rhbz#1824536 unbound crash + +* Thu Mar 19 2020 Petr Menšík - 1.10.0-1 +- Update to 1.10.0 (#1805199) + +* Fri Jan 31 2020 Fedora Release Engineering - 1.9.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Fri Dec 13 2019 Paul Wouters - 1.9.6-1 +- Resolves: rhbz#1758107 unbound-1.9.5 is available +- Resolves: CVE-2019-18934 + +* Fri Nov 01 2019 Paul Wouters - 1.9.4-1 +- Fix build on rhel/centos systems +- Resolves: rhbz#1767955 (CVE-2019-16866) uninitialized memory accesses leads to crash via a crafted NOTIFY query + +* Thu Sep 26 2019 Petr Menšík - 1.9.3-2 +- Obsolete no longer provided python2 subpackage (#1749400) + +* Tue Aug 27 2019 Paul Wouters - 1.9.3-1 +- Updated to 1.9.3 +- Resolves: rhbz#1672578 unbound-1.9.2 is available +- Resolves: rhbz#1694831 [/usr/lib/tmpfiles.d/unbound.conf:1] Line references path below legacy directory /var/run/ +- Resolves: rhbz# 1667387 [abrt] unbound: memmove(): unbound killed by SIGABRT + +* Thu Aug 22 2019 Miro Hrončok - 1.8.3-8 +- Subpackage python2-unbound has been removed + See https://fedoraproject.org/wiki/Changes/Mass_Python_2_Package_Removal + +* Thu Aug 15 2019 Miro Hrončok - 1.8.3-7 +- Rebuilt for Python 3.8 + +* Mon Aug 5 2019 Zbigniew Jędrzejewski-Szmek - 1.8.3-6 +- Drop install-time requirements on systemd (#1723777) + +* Sat Jul 27 2019 Fedora Release Engineering - 1.8.3-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Sun Feb 03 2019 Fedora Release Engineering - 1.8.3-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Jan 11 2019 Paul Wouters - 1.8.3-3 +- Remove KSK-2010 from configs - it has been revoked + +* Wed Dec 12 2018 Paul Wouters - 1.8.3-2 +- Another dns64 fixup + +* Wed Dec 12 2018 Paul Wouters - 1.8.3-1 +- Updated to 1.8.3 with fixes the dns64 bug and has some other minor fixes + +* Mon Dec 10 2018 Paul Wouters - 1.8.2-2 +- Fix dns64 allocation in wrong 
region for returned internal queries. + +* Tue Dec 04 2018 Paul Wouters - 1.8.2-1 +- Updated to 1.8.2. +- Enabled deny ANY query support and edns-tcp-keepalive +- Set serve-stale timeout to 4h +- Updated unbound.conf for latest options + +* Mon Oct 22 2018 Petr Menšík - 1.8.1-2 +- Allow group by default to unbound-control (#1640259) + +* Mon Oct 08 2018 Petr Menšík - 1.8.1-1 +- Update to 1.8.1 + +* Mon Oct 01 2018 Petr Menšík - 1.8.0-2 +- Skip ipv6 forwarders without ipv6 support (#1633874) + +* Wed Sep 19 2018 Petr Menšík - 1.8.0-1 +- Rebase to 1.8.0 + +* Tue Aug 14 2018 Paul Wouters - 1.7.3-9 +- Fix for restarting unbound service after deleting key/pem files for remote control + +* Tue Jul 31 2018 Petr Menšík - 1.7.3-8 +- Release memory in unbound-host + +* Mon Jul 23 2018 Petr Menšík - 1.7.3-7 +- Remove unused Group tag + +* Wed Jul 18 2018 Petr Menšík - 1.7.3-6 +- Cleanup generated client and server keys (#1601773) + +* Sat Jul 14 2018 Fedora Release Engineering - 1.7.3-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Mon Jul 09 2018 Petr Menšík - 1.7.3-4 +- Do not call ldconfig if possible + +* Wed Jul 04 2018 Petr Menšík - 1.7.3-3 +- Update trust anchors also behind firewall (#1598078) + +* Mon Jul 02 2018 Miro Hrončok - 1.7.3-2 +- Rebuilt for Python 3.7 + +* Wed Jun 27 2018 Petr Menšík - 1.7.3-1 +- Update to 1.7.3 (#1593708) + +* Wed Jun 27 2018 Petr Menšík - 1.7.2-3 +- Remove last python2 dependency from python3 build + +* Tue Jun 19 2018 Miro Hrončok - 1.7.2-2 +- Rebuilt for Python 3.7 + +* Mon Jun 11 2018 Paul Wouters - 1.7.2-1 +- Resolves rhbz#1589807 unbound-1.7.2 is available +- Add patch to fix stub/forward zone not returning ServFail when TTL expires +- Enabled the new root-key-sentinel option + +* Wed May 30 2018 Petr Menšík - 1.7.1-1 +- Update to 1.7.1 (#1574495) + +* Mon Apr 09 2018 Petr Menšík - 1.7.0-5 +- Require gcc and make on build +- Remove group, simplify systemd requires +- Simplify building with single python 
version, make python3 primary + +* Mon Apr 09 2018 Paul Wouters - 1.7.0-4 +- Patch for prefetching after flushing cache + +* Fri Apr 06 2018 Paul Wouters - 1.7.0-3 +- Patch for referral with auth-zone: response + + +* Wed Mar 21 2018 Paul Wouters - 1.7.0-2 +- Patch for broken Aggressive NSEC + stub-zone configuration causing NXDOMAIN at TTL expiry + +* Thu Mar 15 2018 Paul Wouters - 1.7.0-1 +- Updated to 1.7.0 (aggressive nsec, local root support, bugfixes) + +* Thu Feb 22 2018 Petr Menšík - 1.6.8-6 +- Uncomment again original max-upd-size + +* Wed Feb 21 2018 Petr Menšík - 1.6.8-5 +- Use default RPM build flags and configure parameters (#1539097) + +* Wed Feb 21 2018 Petr Menšík - 1.6.8-4 +- Remove group writable bit from some config files (#1528445) + +* Wed Feb 14 2018 Filipe Rosset - 1.6.8-3 +- rebuilt due new libevent 2.1.8 + +* Fri Feb 09 2018 Igor Gnatenko - 1.6.8-2 +- Escape macros in %%changelog + +* Mon Jan 22 2018 Paul Wouters - 1.6.8-1 +- Resolves rhbz#1483572 unbound-1.6.8 is available +- Resolves rhbz#1507049 CVE-2017-15105 unbound: Improper validation of wildcard synthesized NSEC records +- Resolves rhbz#1536518 CVE-2017-15105 unbound: Improper validation of wildcard synthesized NSEC records [fedora-all] + +* Sun Dec 17 2017 Zbigniew Jędrzejewski-Szmek - 1.6.7-2 +- Python 2 binary package renamed to python2-unbound + See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3 + +* Thu Oct 12 2017 Paul Wouters - 1.6.7-1 +- Updated to 1.6.7 (minor bugfixes) + +* Tue Oct 03 2017 Petr Menšík - 1.6.6-3 +- Update icannbundle.pem + +* Mon Oct 02 2017 Paul Wouters - 1.6.6-2 +- Enable RFC 8145 Trust Anchor Signaling to help the root zone get keytag statistics + +* Fri Sep 22 2017 Paul Wouters - 1.6.6-1 +- Resolves: rhbz#1483572 unbound-1.6.6 is available +- Resolves: rhbz#1465575 unbound fails to start up, complains about missing ipsecmod-hook (edit) + +* Wed Aug 16 2017 Paul Wouters - 1.6.4-4 +- Rebuilt with KSK2017 added to root.key and root.anchor 
+- Remove noreplace for root key files. We can only improve these files over local copies + +* Thu Aug 03 2017 Fedora Release Engineering - 1.6.4-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 1.6.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sun Jul 02 2017 Paul Wouters - 1.6.4-1 +- Updated to 1.6.4 full release, patch to allow missing ipsechook +- Resolves rhbz#1465575 unbound fails to start up, complains about missing ipsecmod-hook + +* Thu Jun 22 2017 Paul Wouters - 1.6.4-0.rc2 +- Update to 1.6.4 (esubnet, ipsecmod support, bugfixes) + +* Tue Jun 13 2017 Paul Wouters - 1.6.3-1 +- Updated to 1.6.3 (fixes assertion failure when receiving malformed packet with 0x20 enabled) + +* Thu Jun 08 2017 Paul Wouters - 1.6.2-2 +- Patch for cmd: unbound-control set_option val-permissive-mode: yes + +* Wed Apr 26 2017 Paul Wouters - 1.6.2-1 +- Update to 1.6.2 (rhbz#1425649) +- Updated unbound.conf with new options + +* Wed Mar 22 2017 Paul Wouters - 1.6.0-6 +- Call make unbound-event-install to install unbound-event.h + +* Sat Feb 11 2017 Fedora Release Engineering - 1.6.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Wed Jan 18 2017 Paul Wouters - 1.6.0-4 +- Remove obsoleted DLV key + +* Mon Jan 02 2017 Paul Wouters - 1.6.0-3 +- Actually remove dependency because minimum is always satisfied + +* Mon Jan 02 2017 Paul Wouters - 1.6.0-2 +- Depend on openssl-libs, not opensl + +* Wed Dec 21 2016 Kevin Fenzi - 1.6.0-1 +- Update to 1.6.0 + +* Mon Dec 19 2016 Miro Hrončok - 1.5.10-3 +- Rebuild for Python 3.6 + +* Wed Oct 26 2016 Ilya Evseev - 1.5.10-2 +- Bugfix building without python2 and python3 +- Fixup streamtcp build (Paul) + +* Tue Sep 27 2016 Paul Wouters - 1.5.10-1 +- Updated to 1.5.10 (better TCP handling, bugfixes) +- Install pkgconfig file in -devel package +- Updated unbound.conf + +* Tue Jul 19 2016 Fedora Release Engineering 
- 1.5.9-4 +- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages + +* Thu Jul 07 2016 Paul Wouters - 1.5.9-3 +- Fix upper port range to 60999 because that's what selinux allows + +* Thu Jun 16 2016 Paul Wouters - 1.5.9-2 +- Patch for allowing more queries before failure (needed for query minimalization) + +* Mon Jun 13 2016 Paul Wouters - 1.5.9-1 +- Updated to 1.5.9 + +* Thu Apr 21 2016 Toshio Kuratomi - 1.5.8-2 +- Fix streamtcp to link against libpython3.x instead of libpython2.x + +* Wed Mar 02 2016 Paul Wouters - 1.5.8-1 +- Update to 1.5.8 (rhbz#1313831) which incorporates rhbz#1294339 patch +- Updated unbound.conf with new upstream options +- Enabled ip-transparent: yes (see rhbz#1291449) + +* Fri Feb 05 2016 Fedora Release Engineering - 1.5.7-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Thu Jan 21 2016 Tomas Hozza - 1.5.7-2 +- Fix escaping of shell chars in unbound-control-setup (#1294339) + +* Fri Dec 11 2015 Paul Wouters - 1.5.7-1 +- Update to 1.5.7 +- Enable query minimalization for enhanced DNS query privacy +- Enable nxdomain hardening to assist with query minimalization and SBLs +- Updated default unbound.conf for new features from upstream. 
+ +* Fri Nov 13 2015 Tomas Hozza - 1.5.6-1 +- Update to 1.5.6 (#1176729) + +* Wed Nov 04 2015 Robert Kuska - 1.5.5-2 +- Rebuilt for Python3.5 rebuild + +* Wed Oct 07 2015 Tomas Hozza - 1.5.5-1 +- New upstream release 1.5.5 (#1269137) +- Removed the anchor update from %%post section of -libs subpackage (#1269137#c2) + +* Tue Sep 15 2015 Tomas Hozza - 1.5.4-5 +- Removed dependency and ordering on unbound-anchor.service in unbound.service + +* Thu Sep 03 2015 Tomas Hozza - 1.5.4-4 +- Prefer Python3 build over Python2 build for now (#1254566) + +* Mon Jul 20 2015 Tomas Hozza - 1.5.4-3 +- Added ExecReload section to unbound.service (#1195785) +- Removed After syslog.target since it is not needed any more + +* Thu Jul 16 2015 Tomas Hozza - 1.5.4-2 +- Start unbound-anchor.timer only on new installations +- Rename root.anchor to root.key in %%post section + +* Tue Jul 14 2015 Paul Wouters - 1.5.4-1 +- Update to 1.5.4 +- Removed patches merged into upstream + +* Tue Jun 16 2015 Tomas Hozza - 1.5.3-8 +- Revert: Use low maximum negative cache TTL (5 sec) (#1229596) + +* Mon Jun 15 2015 Tomas Hozza - 1.5.3-7 +- Add option for maximum negative cache TTL (#1229599) +- Use low maximum negative cache TTL (5 sec) (#1229596) + +* Tue May 26 2015 Tomas Hozza - 1.5.3-6 +- Removed usage of DLV from the default configuration (#1223363) + +* Wed May 13 2015 Tomas Hozza - 1.5.3-5 +- unbound.service now Wants unbound-anchor.timer +- unbound-anchor man page moved to the unbound-libs + +* Mon May 11 2015 Paul Wouters - 1.5.3-4 +- Fixup scriptlets causing systemctl: command not found +- Resolves rhbz#1219587 Error in PREIN scriptlet in rpm package unbound-libs + +* Mon Apr 27 2015 Tomas Hozza - 1.5.3-3 +- migrate cronjob to systemd timer unit (#1177285) +- change the period for unbound-anchor from monthly to daily (#1180267) +- Thanks to Tomasz Torcz for the initial patch + +* Thu Apr 16 2015 Tomas Hozza - 1.5.3-2 +- Fix FTBFS (#1206129) +- Build python3-unbound and python-unbound bindings 
for Python 3 and 2 (#1188080) + +* Mon Mar 16 2015 Paul Wouters - 1.5.3-1 +- Updated to 1.5.3 which is a bugfix on 1.5.2 for sighup handling +- Updated to 1.5.2 which fixes DNSSEC validation with different + trust anchors upstream, local-zone has a new keyword 'inform' + +* Mon Feb 02 2015 Paul Wouters - 1.5.1-4 +- Build with --enable-ecdsa + +* Sun Feb 01 2015 Paul Wouters - 1.5.1-3 +- Fix post to create root.anchor, not root.key, to match cron job + +* Tue Dec 09 2014 Paul Wouters - 1.5.1-2 +- Change systemd-units to systemd +- Use _tmpfilesdir macro, don't mark tmpfiles as config + +* Tue Dec 09 2014 Paul Wouters - 1.5.1-1 +- Update to 1.5.1 for CVE-2014-8602 (rhbz#1172066) +- Removed unbound-aarch64.patch which was merged upstream +- Don't require autotools for non snapshots or run autoreconf + +* Fri Nov 28 2014 Tomas Hozza - 1.5.1-0.1.rc1 +- update to 1.5.1rc1 + +* Fri Nov 28 2014 Marcin Juszkiewicz - 1.5.0-3 +- fix build on aarch64 + +* Wed Nov 26 2014 Tomas Hozza - 1.5.0-2 +- Fix race condition in arc4random (#1166878) + +* Wed Nov 19 2014 Tomas Hozza - 1.5.0-1 +- update to 1.5.0 + +* Wed Sep 24 2014 Pavel Šimerda - 1.4.22-6 +- Resolves: #1115489 - build with python 3.x for fedora >= 22 + +* Thu Aug 21 2014 Kevin Fenzi - 1.4.22-5 +- Rebuild for rpm bug 1131960 + +* Mon Aug 18 2014 Fedora Release Engineering - 1.4.22-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sun Jun 08 2014 Fedora Release Engineering - 1.4.22-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Thu May 01 2014 Paul Wouters - 1.4.22-2 +- Added flushcache patch (SVN commit 3125) + +* Thu Mar 13 2014 Paul Wouters - 1.4.22-1 +- Updated to 1.4.22 +- No longer requires the ldns library + +* Thu Jan 16 2014 Tomas Hozza - 1.4.21-3 +- Fix segfault on adding insecure forward zone when using only iterator (#1054192) + +* Mon Oct 21 2013 Tomas Hozza - 1.4.21-2 +- run test suite during the build + +* Thu Sep 19 2013 Paul Wouters - 1.4.21-1 +- 
Updated to 1.4.21, +- Enabled new max-udp-size: 3072 (so ANY isc.org won't fit) +- Removed patched merged in by upstream +- Enable statistics-cumulative for munin-plugin +- Added outgoing-port-avoid: 0-32767 conformant to SElinux restrictions +- Updated unbound.conf + +* Mon Aug 26 2013 Tomas Hozza - 1.4.20-19 +- Fix errors found by static analysis of source + +* Mon Aug 12 2013 Paul Wouters - 1.4.20-18 +- Change unbound.conf to only use ephemeral ports (32768-65535) + +* Sun Aug 04 2013 Fedora Release Engineering - 1.4.20-17 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Mon Jul 22 2013 Tomas Hozza - 1.4.20-16 +- provide man page for unbound-streamtcp + +* Mon Jul 08 2013 Paul Wouters - 1.4.20-15 +- Re-introduce hardening flags for full relro and pie +- Fixes compilation failure for python module + +* Wed Jul 03 2013 Tomas Hozza - 1.4.20-14 +- remove missing unbound-rootkey.service from post/preun/postun sections +- don't hardcode hardening flags, let hardened build macro handles it + +* Sat Jun 01 2013 Paul Wouters - 1.4.20-13 +- Run unbound-anchor as user unbound in unbound.service + +* Tue May 28 2013 Paul Wouters - 1.4.20-12 +- Enable round-robin (with noths() patch) +- Change cron and systemd service to use root.key, not root.anchor + +* Sat May 25 2013 Paul Wouters - 1.4.20-10 +- Use /var/lib/unbound/root.key (more consistent with other distros) +- Enable minimal responses + +* Mon Apr 22 2013 Paul Wouters - 1.4.20-8 +- Refix + +* Fri Apr 19 2013 Paul Wouters - 1.4.20-7 +- Fix runuser call in post. + +* Tue Apr 16 2013 Paul Wouters - 1.4.20-6 +- /var/lib/unbound should be owned by unbound. 
group write is not enough + +* Fri Apr 12 2013 Paul Wouters - 1.4.20-5 +- Fix cron job syntax (rhbz#951725) +- Use install -p to prevent .rpmnew files that are identical to originals + +* Mon Apr 8 2013 Paul Wouters - 1.4.20-4 +- Updated to 1.4.20 +- Build with full RELRO (not use -z,relro but with -z,relo,-z,now) +- Fixup man page for unbound-control-setup +- unbound.service should start before nss-lookup.target (rhbz#919955) +- Removed patch for rhbz#888759 merged in upstream +- Move root.anchor to /var/lib/unbound to make selinux policy easier for updating (rhbz#896599/rhbz#891008) +- Move cronjob for root.anchor from unbound to unbound-libs, require crontabs +- /etc/unbound (and all) should be owned by unbound-libs (rhbz#909691) +- Remove Obsolete/Provides for dnssec-conf which was last seen in f13 +- Ensure any unbound-anchor failure in post is ignored + +* Tue Mar 05 2013 Adam Tkac - 1.4.19-5 +- build with full RELRO +- symlink unbound-control-setup.8 manpage to unbound-control.8 + +* Fri Feb 15 2013 Fedora Release Engineering - 1.4.19-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Wed Dec 12 2012 Paul Wouters - 1.4.19-3 +- Updated to 1.4.19 - this integrates all existing patches +- Patch for unbound-anchor (rhbz#888759) + +* Fri Nov 09 2012 Paul Wouters - 1.4.18-6 +- Patch to ensure stube-zone's aren't lost when using dnssec-triggerd +- added unbound-munin.README file + +* Wed Sep 26 2012 Paul Wouters - 1.4.18-5 +- Patch to allow wildcards in include: statements +- Add directories /etc/unbound/keys.d,conf.d,local.d with + example entries +- Added /etc/unbound/root.anchor, maintained by unbound-anchor + which is installed as monthly cron and PreExec in systemd config + (root.key is unused, but left installed in case people depend on it) +- Native systemd (simple) and /etc/sysconfig/unbound support +- Run unbound-checkconf in PreExec +- Moved trust anchor related files to unbound-libs, as they can + be used without the daemon. 
+- sub packages now depends on base package of same arch +- Build munin package as noarch +- unbound-anchor moved to unbound-libs package. It is needed + to update the root.anchor key file. + +* Tue Sep 04 2012 Paul Wouters - 1.4.18-3 +- Fix openssl thread locking bug under high query load + +* Thu Aug 23 2012 Paul Wouters - 1.4.18-2 +- Use new systemd-rpm macros (rhbz#850351) +- Clean up old obsoleted dnssec-conf from < fedora 15 + +* Fri Aug 03 2012 Paul Wouters - 1.4.18-1 +- Updated to 1.4.18 (FIPS related fixes mostly) +- Removed patches that were merged in upstream +- Added comment to root.key + +* Mon Jul 23 2012 Paul Wouters - 1.4.17-5 +- Fix for unbound crasher (upstream bug #452) +- Support libunbound functions in man pages and place in -devel + +* Sun Jul 22 2012 Fedora Release Engineering - 1.4.17-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Tue Jul 03 2012 Paul Wouters - 1.4.17-3 +- unbound FIPS patches for MD5,randomness (rhbz#835106) + +* Fri Jun 15 2012 Adam Tkac - 1.4.17-2 +- don't build unbound-munin on RHEL + +* Thu May 24 2012 Paul Wouters - 1.4.17-1 +- Updated to 1.4.17 (which mostly brings in patches we already + applied from svn trunk) + +* Wed Feb 29 2012 Paul Wouters - 1.4.16-3 +- Since the daemon links to the libs staticly, add Requires: + (this is rhbz#745288) +- Package up streamtcp as unbound-streamtcp (for monitoring) + +* Mon Feb 27 2012 Paul Wouters - 1.4.16-2 +- Don't ghost the directory (rhbz#788805) +- Patch for unbound to support unbound-control forward_zone + (needed for openswan in XAUTH mode) + +* Thu Feb 02 2012 Paul Wouters - 1.4.16-1 +- Upgraded to 1.4.16, which was relesed due to the soname + and some DNSSEC validation failures + +* Wed Feb 01 2012 Paul Wouters - 1.4.15-2 +- Patch for SONAME version (libtool's -version-number vs -version-info) + +* Fri Jan 27 2012 Paul Wouters - 1.4.15-1 +- Upgraded to 1.4.15 +- Updated unbound.conf to show how to configure listening on tls443 + +* Sat Jan 14 
2012 Fedora Release Engineering - 1.4.14-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Mon Dec 19 2011 Paul Wouters - 1.4.14-1 +- Upgraded to 1.4.14 for CVE-2011-4528 / VU#209659 +- SSL-wrapped query support for dnssec-trigger +- EDNS handling changes +- Removed integrated EDNS patches +- Disabled use-caps-for-id, GoDaddy domains now break on it +- Enabled new harden-below-nxdomain + +* Thu Sep 15 2011 Paul Wouters - 1.4.13-1 +- Upgraded to 1.4.13 +- Removed merged in pythonmod patch +- Added EDNS1480 patch to fix unbound on broken EDNS/UDP networks +- Fix python to go into sitearch instead of sitelib + +* Wed Sep 14 2011 Tom Callaway - 1.4.12-4 +- convert to systemd, tmpfiles.d + +* Mon Aug 08 2011 Paul Wouters - 1.4.12-3 +- Added pythonmod docs and examples + +* Mon Aug 08 2011 Paul Wouters - 1.4.12-2 +- Fix for python module load in the server (Tom Hendrikx) +- No longer enable --enable-debug as it causes degraded performance + under load. + +* Mon Jul 18 2011 Paul Wouters - 1.4.12-1 +- Updated to 1.4.12 + +* Sun Jul 03 2011 Paul Wouters - 1.4.11-1 +- Updated to 1.4.11 +- removed integrated CVE patch +- updated stock unbound.conf for new options introduced + +* Mon Jun 06 2011 Paul Wouters - 1.4.10-1 +- Added ghost for /var/run/unbound (bz#656710) + +* Mon Jun 06 2011 Paul Wouters - 1.4.9-3 +- rebuilt + +* Wed May 25 2011 Paul Wouters - 1.4.9-2 +- Applied patch for CVE-2011-1922 DoS vulnerability + +* Sun Mar 27 2011 Paul Wouters - 1.4.9-1 +- Updated to 1.4.9 + +* Sat Feb 12 2011 Paul Wouters - 1.4.8-2 +- rebuilt + +* Tue Jan 25 2011 Paul Wouters - 1.4.8-1 +- Updated to 1.4.8 +- Enable root key for DNSSEC +- Fix unbound-munin to use proper file (could cause excessive logging) +- Build unbound-python per default +- Disable gost as Fedora/EPEL does not allow ECC and has mangled openssl + +* Tue Oct 26 2010 Paul Wouters - 1.4.5-4 +- Revert last build - it was on the wrong branch + +* Tue Oct 26 2010 Paul Wouters - 1.4.5-3 +- Disable 
do-ipv6 per default - causes severe degradation on non-ipv6 machines + (see comments in inbound.conf) + +* Tue Jun 15 2010 Paul Wouters - 1.4.5-2 +- Bump release - forgot to upload the new tar ball. + +* Tue Jun 15 2010 Paul Wouters - 1.4.5-1 +- Upgraded to 1.4.5 + +* Mon May 31 2010 Paul Wouters - 1.4.4-2 +- Added accidentally omitted svn patches to cvs + +* Mon May 31 2010 Paul Wouters - 1.4.4-1 +- Upgraded to 1.4.4 with svn patches +- Obsolete dnssec-conf to ensure it is de-installed + +* Thu Mar 11 2010 Paul Wouters - 1.4.3-1 +- Update to 1.4.3 that fixes 64bit crasher + +* Tue Mar 09 2010 Paul Wouters - 1.4.2-1 +- Updated to 1.4.2 +- Updated unbound.conf with new options +- Enabled pre-fetching DNSKEY records (DNSSEC speedup) +- Enabled re-fetching popular records before they expire +- Enabled logging of DNSSEC validation errors + +* Mon Mar 01 2010 Paul Wouters - 1.4.1-5 +- Overriding -D_GNU_SOURCE is no longer needed. This fixes DSO issues + with pthreads + +* Wed Feb 24 2010 Paul Wouters - 1.4.1-3 +- Change make/configure lines to attempt to fix -lphtread linking issue + +* Thu Feb 18 2010 Paul Wouters - 1.4.1-2 +- Removed dependancy for dnssec-conf +- Added ISC DLV key (formerly in dnssec-conf) +- Fixup old DLV locations in unbound.conf file via %%post +- Fix parent child disagreement handling and no-ipv6 present [svn r1953] + +* Tue Jan 05 2010 Paul Wouters - 1.4.1-1 +- Updated to 1.4.1 +- Changed %%define to %%global + +* Thu Oct 08 2009 Paul Wouters - 1.3.4-2 +- Bump version + +* Thu Oct 08 2009 Paul Wouters - 1.3.4-1 +- Upgraded to 1.3.4. 
Security fix with validating NSEC3 records + +* Fri Aug 21 2009 Tomas Mraz - 1.3.3-2 +- rebuilt with new openssl + +* Mon Aug 17 2009 Paul Wouters - 1.3.3-1 +- Updated to 1.3.3 + +* Sun Jul 26 2009 Fedora Release Engineering - 1.3.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Sat Jun 20 2009 Paul Wouters - 1.3.0-2 +- Added missing glob patch to cvs +- Place python macros within the %%with_python check + +* Sat Jun 20 2009 Paul Wouters - 1.3.0-1 +- Updated to 1.3.0 +- Added unbound-python sub package. disabled for now +- Patch from svn to fix DLV lookups +- Patches from svn to detect wrong truncated response from BIND 9.6.1 with + minimal-responses) +- Added Default-Start and Default-Stop to unbound.init +- Re-enabled --enable-sha2 +- Re-enabled glob.patch + +* Wed May 20 2009 Paul Wouters - 1.2.1-7 +- unbound-iterator.patch was not commited + +* Wed May 20 2009 Paul Wouters - 1.2.1-6 +- Fix for https://bugzilla.redhat.com/show_bug.cgi?id=499793 + +* Tue Mar 17 2009 Paul Wouters - 1.2.1-5 +- Use --nocheck to avoid giving an error on missing unbound-remote certs/keys + +* Tue Mar 10 2009 Adam Tkac - 1.2.1-4 +- enable DNSSEC only if it is enabled in sysconfig/dnssec + +* Mon Mar 09 2009 Adam Tkac - 1.2.1-3 +- add DNSSEC support to initscript and enabled it per default +- add requires dnssec-conf + +* Wed Feb 25 2009 Fedora Release Engineering - 1.2.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Tue Feb 10 2009 Paul Wouters - 1.2.0-2 +- rebuild with new openssl + +* Wed Jan 14 2009 Paul Wouters - 1.1.1-7 +- Modified scandir patch to silently fail when wildcard matches nothing +- Patch to allow unbound-checkconf to find empty wildcard matches + +* Mon Jan 5 2009 Paul Wouters - 1.1.1-6 +- Added scandir patch for trusted-keys-file: option, which + is used to load multiple dnssec keys in bind file format + +* Mon Dec 8 2008 Paul Wouters - 1.1.1-4 +- Added Requires: for selinux-policy >= 3.5.13-33 for proper 
SElinux rules. + +* Mon Dec 1 2008 Paul Wouters - 1.1.1-3 +- We did not own the /etc/unbound directory (#474020) +- Fixed cvs anomalies + +* Fri Nov 28 2008 Adam Tkac - 1.1.1-2 +- removed all obsolete chroot related stuff +- label control certs after generation correctly + +* Thu Nov 20 2008 Paul Wouters - 1.1.1-1 +- Updated to unbound 1.1.1 which fixes a crasher and + addresses nlnetlabs bug #219 + +* Wed Nov 19 2008 Paul Wouters - 1.1.0-3 +- Remove the chroot, obsoleted by SElinux +- Add additional munin plugin links supported by unbound plugin +- Move configuration directory from /var/lib/unbound to /etc/unbound +- Modified unbound.init and unbound.conf to account for chroot changes +- Updated unbound.conf with new available options +- Enabled dns-0x20 protection per default + +* Wed Nov 19 2008 Adam Tkac - 1.1.0-2 +- unbound-1.1.0-log_open.patch + - make sure log is opened before chroot call + - tracked as http://www.nlnetlabs.nl/bugs/show_bug.cgi?id=219 +- removed /dev/log and /var/run/unbound and /etc/resolv.conf from + chroot, not needed +- don't mount files in chroot, it causes problems during updates +- fixed typo in default config file + +* Fri Nov 14 2008 Paul Wouters - 1.1.0-1 +- Updated to version 1.1.0 +- Updated unbound.conf's statistics options and remote-control + to work properly for munin +- Added unbound-munin package +- Generate unbound remote-control key/certs on first startup +- Required ldns is now 1.4.0 + +* Wed Oct 22 2008 Paul Wouters - 1.0.2-5 +- Only call ldconfig in -libs package +- Move configure into build section +- devel subpackage should only depend on libs subpackage + +* Tue Oct 21 2008 Paul Wouters - 1.0.2-4 +- Fix CFLAGS getting lost in build +- Don't enable interface-automatic:yes because that + causes unbound to listen on 0.0.0.0 instead of 127.0.0.1 + +* Sun Oct 19 2008 Paul Wouters - 1.0.2-3 +- Split off unbound-libs, make build verbose + +* Thu Oct 9 2008 Paul Wouters - 1.0.2-2 +- FSB compliance, chroot fixes, initscript 
fixes + +* Thu Sep 11 2008 Paul Wouters - 1.0.2-1 +- Upgraded to 1.0.2 + +* Wed Jul 16 2008 Paul Wouters - 1.0.1-1 +- upgraded to new release + +* Wed May 21 2008 Paul Wouters - 1.0.0-2 +- Build against ldns-1.3.0 + +* Wed May 21 2008 Paul Wouters - 1.0.0-1 +- Split of -devel package, fixed dependancies, make rpmlint happy + +* Fri Apr 25 2008 Wouter Wijngaards - 0.12 +- Using parts from ports collection entry by Jaap Akkerhuis. +- Using Fedoraproject wiki guidelines. + +* Wed Apr 23 2008 Wouter Wijngaards - 0.11 +- Initial version. diff --git a/fedora-defaults.conf b/fedora-defaults.conf new file mode 100644 index 0000000..99ff95d --- /dev/null +++ b/fedora-defaults.conf 
@@ -0,0 +1,229 @@
+# Fedora distribution defaults
+
+server:
+ # verbosity number, 0 is least verbose. 1 is default.
+ verbosity: 1
+
+ # print statistics to the log (for every thread) every N seconds.
+ # Set to "" or 0 to disable. Default is disabled.
+ # Needs to be disabled for munin plugin
+ statistics-interval: 0
+
+ # enable cumulative statistics, without clearing them after printing.
+ # Needs to be disabled for munin plugin
+ statistics-cumulative: no
+
+ # enable extended statistics (query types, answer codes, status)
+ # Needs to be enabled for munin plugin
+ extended-statistics: yes
+
+ # number of threads to create. 1 disables threading.
+ # num-threads: 1
+ num-threads: 4
+
+ # specify the interfaces to answer queries from by ip-address.
+ # The default is to listen to localhost (127.0.0.1 and ::1).
+ # specify 0.0.0.0 and ::0 to bind to all available interfaces.
+ # specify every interface[@port] on a new 'interface:' labelled line.
+ # The listen interfaces are not changed on reload, only on restart.
+ # interface: 0.0.0.0
+ # interface: ::0
+ # interface: 192.0.2.153
+ # interface: 192.0.2.154
+ # interface: 192.0.2.154@5003
+ # interface: 2001:DB8::5
+ # interface: eth0@5003
+ #
+ # for dns over tls and raw dns over port 80
+ # interface: 0.0.0.0@443
+ # interface: ::0@443
+ # interface: 0.0.0.0@80
+ # interface: ::0@80
+
+ # enable this feature to copy the source address of queries to reply.
+ # Socket options are not supported on all platforms. experimental.
+ # interface-automatic: yes
+ #
+ # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0
+ # NOTE: Disabled per Fedora policy not to listen to * on default install
+ # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled
+ interface-automatic: no
+
+ # permit Unbound to use this port number or port range for
+ # making outgoing queries, using an outgoing interface.
+ # Only ephemeral ports are allowed by SElinux
+ outgoing-port-permit: 32768-60999
+
+ # IANA-assigned port numbers.
+ # If multiple outgoing-port-permit and outgoing-port-avoid options
+ # are present, they are processed in order.
+ # Our SElinux policy does not allow non-ephemeral ports to be used
+ outgoing-port-avoid: 0-32767
+ outgoing-port-avoid: 61000-65535
+
+ # use SO_REUSEPORT to distribute queries over threads.
+ # at extreme load it could be better to turn it off to distribute even.
+ so-reuseport: yes
+
+ # use IP_TRANSPARENT so the interface: addresses can be non-local
+ # and you can config non-existing IPs that are going to work later on
+ # (uses IP_BINDANY on FreeBSD).
+ ip-transparent: yes
+
+ # Enable UDP, "yes" or "no".
+ # NOTE: if setting up an Unbound on tls443 for public use, you might want to
+ # disable UDP to avoid being used in DNS amplification attacks.
+ # do-udp: yes
+
+ # Enable EDNS TCP keepalive option.
+ edns-tcp-keepalive: yes
+
+ # Fedora note: do not activate this - not compiled in because
+ # it causes frequent unbound crashes. Also, socket activation
+ # is bad when you have things like dnsmasq also running with libvirt.
+ # Use systemd socket activation for UDP, TCP, and control sockets.
+ # use-systemd: no
+
+ # If you give "" no chroot is performed. The path must not end in a /.
+ # chroot: "/etc/unbound"
+ chroot: ""
+
+ # If you give a server: directory: dir before include: file statements
+ # then those includes can be relative to the working directory.
+ directory: "/etc/unbound"
+
+ # print UTC timestamp in ascii to logfile, default is epoch in seconds.
+ log-time-ascii: yes
+
+ # Harden against unseemly large queries.
+ harden-large-queries: yes
+
+ # Harden against unverified (outside-zone, including sibling zone) glue rrsets
+ harden-unverified-glue: yes
+
+ # Default off, because the lookups burden the server. Experimental
+ # implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
+ harden-referral-path: yes
+
+ # Sent minimum amount of information to upstream servers to enhance
+ # privacy. Only sent minimum required labels of the QNAME and set QTYPE
+ # to A when possible.
+ qname-minimisation: yes
+
+ # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
+ # and other denials, using information from previous NXDOMAINs answers.
+ aggressive-nsec: yes
+
+ # threshold, a warning is printed and a defensive action is taken,
+ # the cache is cleared to flush potential poison out of it.
+ # A suggested value is 10000000, the default is 0 (turned off).
+ unwanted-reply-threshold: 10000000
+
+ # if yes, perform prefetching of almost expired message cache entries.
+ prefetch: yes
+
+ # if yes, perform key lookups adjacent to normal lookups.
+ prefetch-key: yes
+
+ # deny queries of type ANY with an empty response.
+ deny-any: yes
+
+ # if yes, Unbound rotates RRSet order in response.
+ rrset-roundrobin: yes
+
+ # if yes, Unbound doesn't insert authority/additional sections
+ # into response messages when those sections are not required.
+ minimal-responses: yes
+
+ # module configuration of the server. A string with identifiers
+ # separated by spaces. Syntax: "[dns64] [validator] iterator"
+ # most modules have to be listed at the beginning of the line,
+ # except cachedb(just before iterator), and python (at the beginning,
+ # or, just before the iterator).
+ # For redis cachedb use:
+ # "ipsecmod validator cachedb iterator"
+ module-config: "ipsecmod validator iterator"
+
+ # trust anchor signaling sends a RFC8145 key tag query after priming.
+ trust-anchor-signaling: yes
+
+ # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
+ root-key-sentinel: yes
+
+ # the trusted-keys { name flag proto algo "key"; }; clauses are read.
+ # you need external update procedures to track changes in keys.
+ # trusted-keys-file: ""
+ #
+ trusted-keys-file: /etc/unbound/keys.d/*.key
+ auto-trust-anchor-file: "/var/lib/unbound/root.key"
+
+ # Should additional section of secure message also be kept clean of
+ # unsecure data. Useful to shield the users of this validator from
+ # potential bogus data in the additional section. All unsigned data
+ # in the additional section is removed from secure messages.
+ val-clean-additional: yes
+
+ # Turn permissive mode on to permit bogus messages. Thus, messages
+ # for which security checks failed will be returned to clients,
+ # instead of SERVFAIL. It still performs the security checks, which
+ # result in interesting log files and possibly the AD bit in
+ # replies if the message is found secure. The default is off.
+ # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
+ val-permissive-mode: no
+
+ # Serve expired responses from cache, with serve-expired-reply-ttl in
+ # the response, and then attempt to fetch the data afresh.
+ serve-expired: yes
+
+ # Limit serving of expired responses to configured seconds after
+ # expiration. 0 disables the limit.
+ serve-expired-ttl: 14400
+
+ # Have the validator log failed validations for your diagnosis.
+ # 0: off. 1: A line per failed user query. 2: With reason and bad IP.
+ val-log-level: 1
+
+ # service clients over TLS (on the TCP sockets) with plain DNS inside
+ # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
+ # Give the certificate to use and private key.
+ # default is "" (disabled). requires restart to take effect.
+ # tls-service-key: "/etc/unbound/unbound_server.key"
+ # tls-service-pem: "/etc/unbound/unbound_server.pem"
+
+ # Fedora/RHEL: use system-wide crypto policies
+ tls-ciphers: "PROFILE=SYSTEM"
+
+ # Enable to attach Extended DNS Error codes (RFC8914) to responses.
+ # Fedora defaults to yes.
+ ede: yes
+
+ # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale
+ # Answer as EDNS0 option to expired responses.
+ # Note that the ede option above needs to be enabled for this to work.
+ # Fedora defaults to yes.
+ ede-serve-expired: yes
+
+ # Enable or disable ipsecmod (it still needs to be defined in
+ # module-config above). Can be used when ipsecmod needs to be
+ # enabled/disabled via remote-control(below).
+ # Fedora: module will be enabled on-demand by libreswan
+ ipsecmod-enabled: no
+
+ # Path to executable external hook. It must be defined when ipsecmod is
+ # listed in module-config (above).
+ ipsecmod-hook: /usr/libexec/ipsec/_unbound-hook
+
+python:
+ # Script file to load
+ # python-script: "/etc/unbound/ubmodule-tst.py"
+
+# Remote control config section moved into own remote-control.conf
+
+# the module-config then you need one dynlib-file per instance.
+dynlib:
+ # Script file to load
+ # dynlib-file: "/etc/unbound/dynlib.so"
+
+# Fedora: DNSCrypt support not enabled since it requires linking to
+# another crypto library
+#
diff --git a/mkroot.sh b/mkroot.sh
new file mode 100755
index 0000000..eb6d5b3
--- /dev/null
+++ b/mkroot.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+SOURCE="/usr/share/dns-root-data/root.key"
+DEST="${1:-root.key}"
+
+mk_key() {
+echo "# Generated from $SOURCE"
+echo "# Use /var/lib/unbound/root.key instead."
+echo "trusted-keys {"
+while read DOMAIN CLS TYPE FLAGS PROTO ALG KEYDATA COMMENT KEYTAG; do
+echo "$DOMAIN $CLS $TYPE $FLAGS $PROTO $ALG \"$KEYDATA\" # $KEYTAG"
+done < "$SOURCE"
+echo "};"
+}
+
+mk_key > "$DEST"
+touch -r "$SOURCE" "$DEST"
diff --git a/module-setup.sh b/module-setup.sh
new file mode 100644
index 0000000..439bc6d
--- /dev/null
+++ b/module-setup.sh
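Review bot: The comment block above `outgoing-port-avoid` opens mid-thought with `# IANA-assigned port numbers.`, so a reader cannot tell what the two avoid ranges are for until the SELinux sentence three lines later. Restoring an opening sentence would fix that, e.g. `# deny Unbound the use of this port number or port range for outgoing queries; upstream's default is to avoid IANA-assigned port numbers.` Separately, `trusted-keys-file: /etc/unbound/keys.d/*.key` is the only path value in the file written without quotes while the commented example two lines above it uses `""`; quoting it would keep the file consistent.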
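Review bot: `mk_key > "$DEST"` truncates the destination before anything verifies that `$SOURCE` is readable, so a missing /usr/share/dns-root-data/root.key leaves `$DEST` holding an empty `trusted-keys { };` block instead of failing — a trust-anchor file with no anchor in it. A guard before the call, `[ -r "$SOURCE" ] || { echo "mkroot.sh: cannot read $SOURCE" >&2; exit 1; }`, together with `set -e` after the shebang, would make that failure visible to the build. The `while read` loop also lacks `-r` and passes every input line through, so a blank or comment line in the source would be emitted as a malformed `"" #` entry; whether the source file can contain such lines is not visible here.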
@@ -0,0 +1,44 @@
+#!/usr/bin/bash
+
+check() {
+ require_binaries unbound unbound-checkconf unbound-control || return 1
+ # the module will be only included if explicitly required either
+ # by configuration or another module
+ return 255
+}
+
+depends() {
+ # because of pid file we need sysusers to create unbound user
+ echo systemd systemd-sysusers
+ return 0
+}
+
+install() {
+ # We have to make unbound wanted by network-online target to make sure
+ # there is a synchronization point when other services are able
+ # to make queries
+ inst_simple "$moddir"/unbound-initrd.conf /etc/systemd/system/unbound.service.d/unbound-initrd.conf
+
+ # /etc and /var/lib do not have its variables
+ inst_multiple -o \
+ "$systemdsystemunitdir"/unbound.service \
+ /etc/unbound/conf.d/remote-control.conf \
+ /etc/unbound/openssl-sha1.conf \
+ /usr/share/unbound/fedora-defaults.conf \
+ /usr/share/unbound/conf.d/*.conf \
+ /etc/unbound/local.d/*.conf \
+ /etc/unbound/keys.d/*.key \
+ /etc/unbound/unbound.conf \
+ /etc/unbound/unbound_control.key \
+ /etc/unbound/unbound_control.pem \
+ /etc/unbound/unbound_server.key \
+ /etc/unbound/unbound_server.pem \
+ "$sysusers"/unbound.conf \
+ "$tmpfilesdir"/unbound.conf \
+ /var/lib/unbound/root.key \
+ unbound \
+ unbound-checkconf \
+ unbound-control
+
+ $SYSTEMCTL -q --root "$initdir" enable unbound.service
+}
diff --git a/nlnetlabs2026-g2.asc b/nlnetlabs2026-g2.asc
new file mode 100644
index 0000000..a8f7de7
--- /dev/null
+++ b/nlnetlabs2026-g2.asc
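Review bot: `install()` copies the private keys `/etc/unbound/unbound_server.key` and `/etc/unbound/unbound_control.key` into the initramfs through the `inst_multiple -o` list, and nothing in the module records that the image must therefore stay readable by root only. A comment above the list stating that assumption would keep it from being lost, e.g. `# NOTE: the TLS/control private keys below end up inside the initramfs image; it must remain root-only readable`. Also, `/usr/share/unbound/conf.d/*.conf` is installed but `/etc/unbound/conf.d/*.conf` is not (only the single remote-control.conf from that directory); if unbound.conf includes the latter with a glob, administrator drop-ins will silently be absent in the initrd, which may be intended but is worth a line of comment.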
@@ -0,0 +1,24 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBGc7H5IBDADOZfJwZ6zZ/4JbbR2hef4261/zh7YpdjUREUs0dMQSbf+x7sAE
+50JgvLQWlvA8sDHzbUMQ9cAYZBGGE6iHb50KboeEfuiP5BdiLe8XWKlo1EIh+Idz
+0+e1binxwvXV1/9ACm/UHPRuWjkG7vrP+mVRuhfKglO6xSDxV1cwjYTRtvRtQx8D
++kTdZzprvtzkU7OIWeczKFJRhVHzNDHYFG9SuxvDA9cbVm1KPVJEkRBwoSBPeB0z
+Z3LSib2uT6Lc/ghAijOwIpR+zNYKOYxRhzoFArrLa0Fs4nq6//LA42/aVjSienEJ
+SR5CVUbZy14WuUsYCkV+ZoORVRYZOcjtPG7FUKDXKzY9/iNhEAZ3OMK7Np2Xq/YO
+gaOiUDFXLHU1n2UVH1rwkMiS2o4EMqvO7gINmnL/ccpI2wj2QrQ+JZ9y1Xky7dQM
+LIIbtp40e0kGocgyba484rW17xlvXRxb1Pjn93JygD6WcraLLNh9jq87hW/J37qi
+S4DL+GUe10H8SeEAEQEAAbQ6TkxuZXQgTGFicyByZWxlYXNlcyBzaWduaW5nIGtl
+eSBHMiA8cmVsZWFzZXNAbmxuZXRsYWJzLm5sPokBzgQTAQoAOBYhBCMQGGkMTZA+
+9BkUaqFEMj3qrN9FBQJnOx+SAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ
+EKFEMj3qrN9FZigL/0aVsJ48oe7vko1Mwg9DucFoCL8CESAarA40in1Bauq7p/pT
+l5UcNnFPLO8HBAHWGWtDI63pEhNzHacPzSI94GKS4TUMGzCV1H/c0KnxB7wAO55b
+HEQOZJ+kFRBFXWxbXORtp86NZuyCvVoSA4QAcnCf4m5ZEBb72H2cmy8xP+/HLkbS
+rpr5pyoUWtCYM8FxnjM3bClXSGOlWNl9cSXLqyyVjxvc7cOAS8ytL/zoVStoBmi/
+OwQbeJfAiqDMnipBJNzOHlfniKXE0FGDozKCHWP88ifs8A8OUNtJng7cNq7EQf9K
+vTvbJCcF4akUUcXnx4gv9Z1ZQ93Jg5X7h+0MP7Ut4z9hKSIAOowru7GXGEt256Ja
+eE1nSviDcqUtZpyqCLjpCDFGPMwSPzSwlPXjJVlVxPkDvPuNt2LUIEd8BR8Wo7z+
+NA5uM/zTHkQXEdUgCcl/rHy6moHYV3Q+YbMb17zU37a5vLb+wQ74doaiYo3b8KoV
+K6vVKMmB0qru6ERJ3g==
+=4R8U
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/openssl-sha1.conf b/openssl-sha1.conf
new file mode 100644
index 0000000..97a3218
--- /dev/null
+++ b/openssl-sha1.conf
@@ -0,0 +1,8 @@
+# OpenSSL configuration file to allow SHA1 validation,
+# regardless of crypto-policy selected.
+# Use it by adding into /etc/sysconfig/unbound:
+# OPENSSL_CONF=/etc/unbound/openssl-sha1.conf
+.include = /etc/ssl/openssl.cnf
+
+[evp_properties]
+rh-allow-sha1-signatures = yes
diff --git a/plans/all.fmf b/plans/all.fmf
index cd001bd..538bd41 100644
--- a/plans/all.fmf
+++ b/plans/all.fmf
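Review bot: The header comment describes the file as allowing "SHA1 validation", but `rh-allow-sha1-signatures = yes` under `[evp_properties]` is a process-wide OpenSSL property: once `OPENSSL_CONF` points at this file it presumably applies to every signature verification the unbound process performs, including TLS on the DNS-over-TLS and control sockets, not only to DNSSEC algorithms 5 and 7. A sentence stating that scope would let an administrator weigh the trade-off before enabling it, e.g. `# NOTE: this re-enables SHA-1 signature verification for the whole unbound process, not just DNSSEC; use only while zones you must validate still rely on RSASHA1.`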
@@ -1,7 +1,7 @@
 summary: Test plan with all Fedora tests
 discover:
 how: fmf
- url: https://src.fedoraproject.org/tests/unbound.git
+ url: https://gitlab.com/redhat/centos-stream/tests/unbound.git
 execute:
 how: tmt
diff --git a/plans/tier1-public.fmf b/plans/tier1-public.fmf
index 10f167c..6ffbfd1 100644
--- a/plans/tier1-public.fmf
+++ b/plans/tier1-public.fmf
@@ -1,7 +1,7 @@
 summary: Public (Fedora) Tier1 beakerlib tests
 discover:
 how: fmf
- url: https://src.fedoraproject.org/tests/unbound.git
+ url: https://gitlab.com/redhat/centos-stream/tests/unbound.git
 filter: 'tier: 1'
 execute:
 how: tmt
diff --git a/remote-control-include.conf b/remote-control-include.conf
new file mode 100644
index 0000000..5688480
--- /dev/null
+++ b/remote-control-include.conf
@@ -0,0 +1,4 @@
+# Previous defaults allowed any process to change settings, CVE-2023-1488
+# If you want to modify remote configuration, replace this file with
+# contents of included file and modify afterwards.
+include: "/usr/share/unbound/conf.d/remote-control.conf"
diff --git a/remote-control.conf b/remote-control.conf
new file mode 100644
index 0000000..6f6942e
--- /dev/null
+++ b/remote-control.conf
@@ -0,0 +1,26 @@
+# Remote control config section update.
+# Previous defaults allowed any process to change settings, CVE-2023-1488
+# This file can be used also by: unbound-control -c
+remote-control:
+ # Enable remote control with unbound-control(8) here.
+ # set up the keys and certificates with unbound-control-setup.
+ control-enable: yes
+
+ # set to an absolute path to use a unix local name pipe, certificates
+ # are not used for that, so key and cert files need not be present.
+ control-interface: "/run/unbound/control"
+
+ # For local sockets this option is ignored, and TLS is not used.
+ control-use-cert: "yes"
+
+ # Unbound server key file.
+ server-key-file: "/etc/unbound/unbound_server.key"
+
+ # Unbound server certificate file.
+ server-cert-file: "/etc/unbound/unbound_server.pem"
+
+ # unbound-control key file.
+ control-key-file: "/etc/unbound/unbound_control.key"
+
+ # unbound-control certificate file.
+ control-cert-file: "/etc/unbound/unbound_control.pem"
diff --git a/root.anchor b/root.anchor
index c78ee03..1559542 100644
--- a/root.anchor
+++ b/root.anchor
@@ -1 +1,2 @@
+. 172800 IN DNSKEY 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ;{id = 38696 (ksk), size = 2048b}
 . 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
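Review bot: With `control-interface: "/run/unbound/control"` and the file's own comment that certificates are ignored for local sockets, the only thing standing between a local process and the control channel is the socket's filesystem permission, yet the file never says what that permission is or where it is set. Since the header cites CVE-2023-1488 as the motivation, closing that loop in a comment would make the access model auditable, e.g. `# Access is governed solely by the permissions of the socket and of /run/unbound (see tmpfiles-unbound.conf); no TLS client authentication applies on a unix socket.` The `control-use-cert: "yes"` entry is consequently inert for this interface; either drop it or extend its comment to say it only matters if control-interface is changed to an IP address.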
diff --git a/root.key b/root.key
deleted file mode 100644
index 6c5622c..0000000
--- a/root.key
+++ /dev/null
@@ -1,6 +0,0 @@
-; // The root key in bind format. This can be read by most tools, including
-; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this
-trusted-keys {
-"." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326
-
-};
diff --git a/sources b/sources
index 558d84a..7d4806d 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (unbound-1.18.0.tar.gz) = 24ca6bfe0ed493eb6aaa5cb1b2b108076ce97c48de7470adf596d1154254351e382b83aae33fcd8d4fa64847e359613e00c979b6f3ba7671215b2d0fd2b03b14
-SHA512 (unbound-1.18.0.tar.gz.asc) = 222ff184d952b9ee8ce81e1f3384d1640ff4695ca60b7d5f946dc24489d583618fc0f4e3c169514b699c684766fdb352f47ca29853223fbae70a65fd994d4fd2
+SHA512 (unbound-1.24.2.tar.gz) = 655d63ec5305323e84d82691425d74d98c332d0028517bd729d191e5f968ce9481b49ec7447d4c4906dce7997a998a115db36e911a59d2d877da5840c2080261
+SHA512 (unbound-1.24.2.tar.gz.asc) = 66a3e569a606cc3ed7dac9b411fba347da150728427619bdbf12ac57a5d7db1fc17963b1ba052a95d6c6fed67a6f0c1b5920318f6cd34e5091750626dd63fb21
diff --git a/tmpfiles-unbound-libs.conf b/tmpfiles-unbound-libs.conf
new file mode 100644
index 0000000..d71ea46
--- /dev/null
+++ b/tmpfiles-unbound-libs.conf
@@ -0,0 +1,2 @@
+d /var/lib/unbound 0755 unbound unbound -
+L /var/lib/unbound/root.key - - - - ../../../etc/unbound/dnssec-root.key
diff --git a/tmpfiles-unbound.conf b/tmpfiles-unbound.conf
index bb88f01..c09cc75 100644
--- a/tmpfiles-unbound.conf
+++ b/tmpfiles-unbound.conf
@@ -1 +1 @@
-D /run/unbound 0755 unbound unbound -
+D /run/unbound 0775 unbound root -
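Review bot: `L /var/lib/unbound/root.key - - - - ../../../etc/unbound/dnssec-root.key` points the trust-anchor file into /etc/unbound, while fedora-defaults.conf in this same commit sets `auto-trust-anchor-file: "/var/lib/unbound/root.key"`, a file that unbound's RFC 5011 tracking rewrites and that unbound-anchor.service (`User=unbound`) is meant to refresh; whether such a write follows the symlink into /etc/unbound, which this entry does not make writable by the unbound user, or replaces the link with a regular file cannot be determined from the diff. A comment on the `L` line recording the intended behaviour would settle it for the next reader, e.g. `# initial seed only: the first anchor update is expected to replace this link with a regular file`. The same gap applies to the `tmpfiles-unbound.conf` hunk below it, where /run/unbound changes from `0755 unbound unbound` to `0775 unbound root` without a comment saying which root-group writer needs the directory.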
diff --git a/unbound-1.24-quic-on-demand-only.patch b/unbound-1.24-quic-on-demand-only.patch
new file mode 100644
index 0000000..e074ab0
--- /dev/null
+++ b/unbound-1.24-quic-on-demand-only.patch
@@ -0,0 +1,171 @@
+From 1dfe06278c1446558b5043d7c57cd901e7d96829 Mon Sep 17 00:00:00 2001
+From: Petr Mensik
+Date: Mon, 24 Nov 2025 13:44:14 +0100
+Subject: [PATCH] Do not initialize quic_table unless it is enabled
+
+Fedora in FIPS mode might fail to initialize ngtcp2 library, because
+some ciphers desired are not available.
+
+Make it possible to skip initialization by setting explicitly quic_port
+to 0. Unless we have some listeners for port 853 configured, skip its
+initialization as well.
+
+Related: https://pagure.io/freeipa/issue/9877
+---
+ daemon/daemon.c | 14 +++++++++-----
+ services/listen_dnsport.c | 14 +++++++++++---
+ util/configparser.y | 15 +++++++++------
+ util/netevent.c | 3 +++
+ 4 files changed, 32 insertions(+), 14 deletions(-)
+
+diff --git a/daemon/daemon.c b/daemon/daemon.c
+index f882bb9ad..a9cc25c67 100644
+--- a/daemon/daemon.c
++++ b/daemon/daemon.c
+@@ -558,9 +558,11 @@ daemon_create_workers(struct daemon* daemon)
+ verbose(VERB_ALGO, "total of %d outgoing ports available", numport);
+
+ #ifdef HAVE_NGTCP2
+- daemon->doq_table = doq_table_create(daemon->cfg, daemon->rand);
+- if(!daemon->doq_table)
+- fatal_exit("could not create doq_table: out of memory");
++ if (cfg_has_quic(daemon->cfg)) {
++ daemon->doq_table = doq_table_create(daemon->cfg, daemon->rand);
++ if(!daemon->doq_table)
++ fatal_exit("could not create doq_table: out of memory");
++ }
+ #endif
+
+ daemon->num = (daemon->cfg->num_threads?daemon->cfg->num_threads:1);
+@@ -917,8 +919,10 @@ daemon_cleanup(struct daemon* daemon)
+ daemon->dnscenv = NULL;
+ #endif
+ #ifdef HAVE_NGTCP2
+- doq_table_delete(daemon->doq_table);
+- daemon->doq_table = NULL;
++ if (daemon->doq_table) {
++ doq_table_delete(daemon->doq_table);
++ daemon->doq_table = NULL;
++ }
+ #endif
+ daemon->cfg = NULL;
+ }
+diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c
+index f7fcca194..ab8f1ba72 100644
+--- a/services/listen_dnsport.c
++++ b/services/listen_dnsport.c
+@@ -1564,7 +1564,7 @@ listen_create(struct comm_base* base, struct listen_port* ports,
+ cp = comm_point_create_udp(base, ports->fd,
+ front->udp_buff, ports->pp2_enabled, cb,
+ cb_arg, ports->socket);
+- } else if(ports->ftype == listen_type_doq) {
++ } else if(ports->ftype == listen_type_doq && doq_table) {
+ #ifndef HAVE_NGTCP2
+ log_warn("Unbound is not compiled with "
+ "ngtcp2. This is required to use DNS "
+@@ -3275,7 +3275,11 @@ nghttp2_session_callbacks* http2_req_callbacks_create(void)
+ struct doq_table*
+ doq_table_create(struct config_file* cfg, struct ub_randstate* rnd)
+ {
+- struct doq_table* table = calloc(1, sizeof(*table));
++ struct doq_table* table;
++
++ if (!cfg->quic_port)
++ return NULL;
++ table = calloc(1, sizeof(*table));
+ if(!table)
+ return NULL;
+ #ifdef USE_NGTCP2_CRYPTO_OSSL
+@@ -3354,7 +3358,7 @@ conn_tree_del(rbnode_type* node, void* arg)
+ {
+ struct doq_table* table = (struct doq_table*)arg;
+ struct doq_conn* conn;
+- if(!node)
++ if(!node || !table)
+ return;
+ conn = (struct doq_conn*)node->key;
+ if(conn->timer.timer_in_list) {
+@@ -3413,6 +3417,7 @@ doq_timer_find_time(struct doq_table* table, struct timeval* tv)
+ {
+ struct doq_timer key;
+ struct rbnode_type* node;
++ log_assert(table != NULL);
+ memset(&key, 0, sizeof(key));
+ key.time.tv_sec = tv->tv_sec;
+ key.time.tv_usec = tv->tv_usec;
+@@ -4922,6 +4927,7 @@ doq_conid_find(struct doq_table* table, const uint8_t* data, size_t datalen)
+ key.node.key = &key;
+ key.cid = (void*)data;
+ key.cidlen = datalen;
++ log_assert(table != NULL);
+ node = rbtree_search(table->conid_tree, &key);
+ if(node)
+ return (struct doq_conid*)node->key;
+@@ -5662,6 +5668,8 @@ doq_table_quic_size_available(struct doq_table* table,
+ struct config_file* cfg, size_t mem)
+ {
+ size_t cur;
++ if (!table)
++ return 0;
+ lock_basic_lock(&table->size_lock);
+ cur = table->current_size;
+ lock_basic_unlock(&table->size_lock);
+diff --git a/util/configparser.y b/util/configparser.y
+index bf9c196fc..f159b8cec 100644
+--- a/util/configparser.y
++++ b/util/configparser.y
+@@ -1235,14 +1235,17 @@ server_http_notls_downstream: VAR_HTTP_NOTLS_DOWNSTREAM STRING_ARG
+ server_quic_port: VAR_QUIC_PORT STRING_ARG
+ {
+ OUTYY(("P(server_quic_port:%s)\n", $2));
++ if(atoi($2) == 0 && strcmp($2,"0")!=0)
++ yyerror("port number expected");
++ else {
++ cfg_parser->cfg->quic_port = atoi($2);
+ #ifndef HAVE_NGTCP2
+- log_warn("%s:%d: Unbound is not compiled with "
+- "ngtcp2. This is required to use DNS "
+- "over QUIC.", cfg_parser->filename, cfg_parser->line);
++ if (cfg_parser->cfg->quic_port != 0)
++ log_warn("%s:%d: Unbound is not compiled with "
++ "ngtcp2. This is required to use DNS "
++ "over QUIC.", cfg_parser->filename, cfg_parser->line);
+ #endif
+- if(atoi($2) == 0)
+- yyerror("port number expected");
+- else cfg_parser->cfg->quic_port = atoi($2);
++ }
+ free($2);
+ };
+ server_quic_size: VAR_QUIC_SIZE STRING_ARG
+diff --git a/util/netevent.c b/util/netevent.c
+index aedcb5e07..93db16675 100644
+--- a/util/netevent.c
++++ b/util/netevent.c
+@@ -2723,6 +2723,7 @@ doq_server_socket_create(struct doq_table* table, struct ub_randstate* rnd,
+ {
+ size_t doq_buffer_size = 4096; /* bytes buffer size, for one packet. */
+ struct doq_server_socket* doq_socket;
++ log_assert(doq_table != NULL);
+ doq_socket = calloc(1, sizeof(*doq_socket));
+ if(!doq_socket) {
+ return NULL;
+@@ -2804,6 +2805,7 @@ doq_lookup_repinfo(struct doq_table* table, struct comm_reply* repinfo)
+ {
+ struct doq_conn* conn;
+ struct doq_conn_key key;
++ log_assert(table != NULL);
+ doq_conn_key_from_repinfo(&key, repinfo);
+ lock_rw_rdlock(&table->lock);
+ conn = doq_conn_find(table, &key.paddr.addr,
+@@ -5880,6 +5882,7 @@ comm_point_create_doq(struct comm_base *base, int fd, sldns_buffer* buffer,
+ struct config_file* cfg)
+ {
+ #ifdef HAVE_NGTCP2
++ log_assert(table != NULL);
+ struct comm_point* c = (struct comm_point*)calloc(1,
+ sizeof(struct comm_point));
+ short evbits;
+--
+2.52.0
+
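Review bot: In the util/netevent.c hunk for `doq_server_socket_create`, the added check reads `log_assert(doq_table != NULL);` but the function's parameter, visible in the hunk header, is named `table`; unless a file-scope `doq_table` exists, this is an undeclared identifier whenever log_assert is compiled in and a vacuous check when it is compiled out. It should be `log_assert(table != NULL);`, matching the two sibling inserts in `doq_lookup_repinfo` and `comm_point_create_doq`. Separately, `doq_table_create` now returns NULL both for `cfg->quic_port == 0` and for calloc failure while the daemon.c caller still reports every NULL as `could not create doq_table: out of memory` and calls fatal_exit; if `cfg_has_quic()` can be true with quic_port set to 0 (the commit message mentions listeners on port 853 as a separate trigger), the daemon aborts with a misleading diagnosis, so the port check belongs in the caller or the message should say the table is disabled.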
diff --git a/unbound-1.24-swig-function.patch b/unbound-1.24-swig-function.patch
new file mode 100644
index 0000000..3257766
--- /dev/null
+++ b/unbound-1.24-swig-function.patch
@@ -0,0 +1,26 @@
+From 0fc825def2f812af70189a01b0fe66e1c5050aec Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
+Date: Fri, 24 Oct 2025 20:20:50 +0200
+Subject: [PATCH] Use $action instead of $function in python SWIG interface
+
+$function is not supported since SWIG 4.4.0.
+---
+ libunbound/python/libunbound.i | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libunbound/python/libunbound.i b/libunbound/python/libunbound.i
+index dc12514..4576844 100644
+--- a/libunbound/python/libunbound.i
++++ b/libunbound/python/libunbound.i
+@@ -853,7 +853,7 @@ Result: ['74.125.43.147', '74.125.43.99', '74.125.43.103', '74.125.43.104']
+ %{
+ //printf("resolve_start(%lX)\n",(long unsigned int)arg1);
+ Py_BEGIN_ALLOW_THREADS
+- $function
++ $action
+ Py_END_ALLOW_THREADS
+ //printf("resolve_stop()\n");
+ %}
+--
+2.51.0
+
diff --git a/unbound-anchor.service b/unbound-anchor.service
index 59683c8..1116243 100644
--- a/unbound-anchor.service
+++ b/unbound-anchor.service
@@ -6,5 +6,5 @@ Documentation=man:unbound-anchor(8)
 Type=oneshot
 User=unbound
 EnvironmentFile=-/etc/sysconfig/unbound
-ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi'
+ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ] || [ -f /run/unbound/anchor-disable ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi'
 SuccessExitStatus=1
diff --git a/unbound-as112-networks.conf b/unbound-as112-networks.conf
new file mode 100644
index 0000000..96c291f
--- /dev/null
+++ b/unbound-as112-networks.conf
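Review bot: The new `[ -f /run/unbound/anchor-disable ]` condition in ExecStart lets a file under /run/unbound switch off root trust-anchor refresh, and the unit does not record who is expected to create that flag; since the unit runs as `User=unbound` and the tmpfiles change in this commit gives /run/unbound to the unbound user, the daemon's own account is able to set it. A comment above ExecStart naming the producer would make this control path auditable, e.g. `# /run/unbound/anchor-disable is created by <FLAG-PRODUCER, to be filled in> to skip anchor refresh for the current boot`. The echo on the disabled branch already logs that updates were skipped; having it say which of the two conditions applied would make that log line actionable.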
@@ -0,0 +1,118 @@
+# Allow forwarding of private ranges, which are marked forwardable by IANA
+# https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
+# https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
+# https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml
+# RFC 6303: Locally Served DNS Zones (https://www.rfc-editor.org/rfc/rfc6303.html)
+#
+# Using this configuration file will simplify forwarding to potentially private ranges.
+# Enables forwarding of networks marked as forwardable at IANA special registry.
+# This is useful when upstream forwarder may be still inside private network. That is the case
+# when unbound works as a localhost DNS cache, not network wide resolver.
+
+server:
+ # RFC 8375: Special-Use Domain 'home.arpa.'
+ local-zone: "home.arpa." nodefault
+
+ # RFC 1918: Address Allocation for Private Internets
+ local-zone: "10.in-addr.arpa." nodefault
+ local-zone: "16.172.in-addr.arpa." nodefault
+ local-zone: "17.172.in-addr.arpa." nodefault
+ local-zone: "18.172.in-addr.arpa." nodefault
+ local-zone: "19.172.in-addr.arpa." nodefault
+ local-zone: "20.172.in-addr.arpa." nodefault
+ local-zone: "21.172.in-addr.arpa." nodefault
+ local-zone: "22.172.in-addr.arpa." nodefault
+ local-zone: "23.172.in-addr.arpa." nodefault
+ local-zone: "24.172.in-addr.arpa." nodefault
+ local-zone: "25.172.in-addr.arpa." nodefault
+ local-zone: "26.172.in-addr.arpa." nodefault
+ local-zone: "27.172.in-addr.arpa." nodefault
+ local-zone: "28.172.in-addr.arpa." nodefault
+ local-zone: "29.172.in-addr.arpa." nodefault
+ local-zone: "30.172.in-addr.arpa." nodefault
+ local-zone: "31.172.in-addr.arpa." nodefault
+ local-zone: "168.192.in-addr.arpa." nodefault
+ # RFC 6598: IANA-Reserved IPv4 Prefix for Shared Address Space
+ local-zone: "64.100.in-addr.arpa." nodefault
+ local-zone: "65.100.in-addr.arpa." nodefault
+ local-zone: "66.100.in-addr.arpa." nodefault
+ local-zone: "67.100.in-addr.arpa." nodefault
+ local-zone: "68.100.in-addr.arpa." nodefault
+ local-zone: "69.100.in-addr.arpa." nodefault
+ local-zone: "70.100.in-addr.arpa." nodefault
+ local-zone: "71.100.in-addr.arpa." nodefault
+ local-zone: "72.100.in-addr.arpa." nodefault
+ local-zone: "73.100.in-addr.arpa." nodefault
+ local-zone: "74.100.in-addr.arpa." nodefault
+ local-zone: "75.100.in-addr.arpa." nodefault
+ local-zone: "76.100.in-addr.arpa." nodefault
+ local-zone: "77.100.in-addr.arpa." nodefault
+ local-zone: "78.100.in-addr.arpa." nodefault
+ local-zone: "79.100.in-addr.arpa." nodefault
+ local-zone: "80.100.in-addr.arpa." nodefault
+ local-zone: "81.100.in-addr.arpa." nodefault
+ local-zone: "82.100.in-addr.arpa." nodefault
+ local-zone: "83.100.in-addr.arpa." nodefault
+ local-zone: "84.100.in-addr.arpa." nodefault
+ local-zone: "85.100.in-addr.arpa." nodefault
+ local-zone: "86.100.in-addr.arpa." nodefault
+ local-zone: "87.100.in-addr.arpa." nodefault
+ local-zone: "88.100.in-addr.arpa." nodefault
+ local-zone: "89.100.in-addr.arpa." nodefault
+ local-zone: "90.100.in-addr.arpa." nodefault
+ local-zone: "91.100.in-addr.arpa." nodefault
+ local-zone: "92.100.in-addr.arpa." nodefault
+ local-zone: "93.100.in-addr.arpa." nodefault
+ local-zone: "94.100.in-addr.arpa." nodefault
+ local-zone: "95.100.in-addr.arpa." nodefault
+ local-zone: "96.100.in-addr.arpa." nodefault
+ local-zone: "97.100.in-addr.arpa." nodefault
+ local-zone: "98.100.in-addr.arpa." nodefault
+ local-zone: "99.100.in-addr.arpa." nodefault
+ local-zone: "100.100.in-addr.arpa." nodefault
+ local-zone: "101.100.in-addr.arpa." nodefault
+ local-zone: "102.100.in-addr.arpa." nodefault
+ local-zone: "103.100.in-addr.arpa." nodefault
+ local-zone: "104.100.in-addr.arpa." nodefault
+ local-zone: "105.100.in-addr.arpa." nodefault
+ local-zone: "106.100.in-addr.arpa." nodefault
+ local-zone: "107.100.in-addr.arpa." nodefault
+ local-zone: "108.100.in-addr.arpa." nodefault
+ local-zone: "109.100.in-addr.arpa." nodefault
+ local-zone: "110.100.in-addr.arpa." nodefault
+ local-zone: "111.100.in-addr.arpa." nodefault
+ local-zone: "112.100.in-addr.arpa." nodefault
+ local-zone: "113.100.in-addr.arpa." nodefault
+ local-zone: "114.100.in-addr.arpa." nodefault
+ local-zone: "115.100.in-addr.arpa." nodefault
+ local-zone: "116.100.in-addr.arpa." nodefault
+ local-zone: "117.100.in-addr.arpa." nodefault
+ local-zone: "118.100.in-addr.arpa." nodefault
+ local-zone: "119.100.in-addr.arpa." nodefault
+ local-zone: "120.100.in-addr.arpa." nodefault
+ local-zone: "121.100.in-addr.arpa." nodefault
+ local-zone: "122.100.in-addr.arpa." nodefault
+ local-zone: "123.100.in-addr.arpa." nodefault
+ local-zone: "124.100.in-addr.arpa." nodefault
+ local-zone: "125.100.in-addr.arpa." nodefault
+ local-zone: "126.100.in-addr.arpa." nodefault
+ local-zone: "127.100.in-addr.arpa." nodefault
+
+ # RFC 4193: Unique Local IPv6 Unicast Addresses
+ local-zone: "d.f.ip6.arpa." nodefault
+
+ # RFC 2606: Reserved Top Level DNS Names
+ local-zone: "test." nodefault
+ domain-insecure: "test"
+ domain-insecure: "example"
+
+ # RFC 6762: Multicast DNS, Appendix G
+ domain-insecure: "local"
+ domain-insecure: "intranet"
+ domain-insecure: "private"
+ domain-insecure: "corp"
+ domain-insecure: "home"
+ domain-insecure: "lan"
+
+ # draft-davies-internal-tld
+ domain-insecure: "internal"
diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch new file mode 100644
index 0000000..da88960
--- /dev/null
+++ b/unbound-fedora-config.patch
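Review bot: The file drops unbound's RFC 6303 local-zone defaults for the private reverse ranges and `.test`, and marks `.local`, `.corp`, `.home`, `.lan`, `.internal` and friends `domain-insecure`, but its header never says what must accompany it: with nothing else configured, reverse lookups for 10/8, 172.16/12, 192.168/16, 100.64/10 and fd00::/8 now leave the host (internal address topology goes to the forwarder or, without one, to the public blackhole servers), and `domain-insecure` means a forged answer for those TLDs can no longer be rejected by validation. I would state that in the header, e.g. `# Include only together with a forward-zone for "." (or for the zones above) that points at a trusted internal resolver; domain-insecure turns off DNSSEC validation for the listed names.` No `private-address:` entries are set here, so rebinding protection for these ranges remains whatever the including configuration provides, which is worth a one-line mention as well.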
@@ -0,0 +1,120 @@ +From 6e2d042505a006ab5fd703631661e68d1cdc66df Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Fri, 15 Nov 2024 13:25:34 +0100 +Subject: [PATCH] Customize unbound.conf for Fedora defaults + +Set some Fedora/RHEL specific changes to example configuration file. By +patching upstream provided config file we would not need to manually +update external copy in source RPM. +--- + doc/example.conf.in | 33 +++++++++++++++++++++++++++++++-- + 1 file changed, 31 insertions(+), 2 deletions(-) + +diff --git a/doc/example.conf.in b/doc/example.conf.in +index 59090c6..3a86809 100644 +--- a/doc/example.conf.in ++++ b/doc/example.conf.in +@@ -8,6 +8,9 @@ + # Use this anywhere in the file to include other text into this file. + #include: "otherfile.conf" + ++# Default Fedora settings ++include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf" ++ + # Use this anywhere in the file to include other text, that explicitly starts a + # clause, into this file. Text after this directive needs to start a clause. + #include-toplevel: "otherfile.conf" +@@ -51,11 +51,19 @@ server: + # specify 0.0.0.0 and ::0 to bind to all available interfaces. + # specify every interface[@port] on a new 'interface:' labelled line. + # The listen interfaces are not changed on reload, only on restart. ++ # interface: 0.0.0.0 ++ # interface: ::0 + # interface: 192.0.2.153 + # interface: 192.0.2.154 + # interface: 192.0.2.154@5003 + # interface: 2001:DB8::5 + # interface: eth0@5003 ++ # ++ # for dns over tls and raw dns over port 80 ++ # interface: 0.0.0.0@443 ++ # interface: ::0@443 ++ # interface: 0.0.0.0@80 ++ # interface: ::0@80 + + # enable this feature to copy the source address of queries to reply. + # Socket options are not supported on all platforms. experimental. +@@ -285,6 +293,8 @@ server: + # nat64-prefix: 64:ff9b::0/96 + + # Enable UDP, "yes" or "no". 
++ # NOTE: if setting up an Unbound on tls443 for public use, you might want to ++ # disable UDP to avoid being used in DNS amplification attacks. + # do-udp: yes + + # Enable TCP, "yes" or "no". +@@ -320,6 +330,9 @@ server: + # can be dropped. Default is 0, disabled. In seconds, such as 3. + # sock-queue-timeout: 0 + ++ # Fedora note: do not activate this - not compiled in because ++ # it causes frequent unbound crashes. Also, socket activation ++ # is bad when you have things like dnsmasq also running with libvirt. + # Use systemd socket activation for UDP, TCP, and control sockets. + # use-systemd: no + +@@ -906,6 +919,8 @@ server: + # you need to do the reverse notation yourself. + # local-data-ptr: "192.0.2.3 www.example.com" + ++ include: /etc/unbound/local.d/*.conf ++ + # tag a localzone with a list of tag names (in "" with spaces between) + # local-zone-tag: "example.com" "tag2 tag3" + +@@ -916,8 +931,8 @@ server: + # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. + # Give the certificate to use and private key. + # default is "" (disabled). requires restart to take effect. +- # tls-service-key: "path/to/privatekeyfile.key" +- # tls-service-pem: "path/to/publiccertfile.pem" ++ # tls-service-key: "/etc/unbound/unbound_server.key" ++ # tls-service-pem: "/etc/unbound/unbound_server.pem" + # tls-port: 853 + # https-port: 443 + # quic-port: 853 +@@ -1166,6 +1181,9 @@ remote-control: + # unbound-control certificate file. + # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem" + ++# Stub and Forward zones ++include: "@sysconfdir@/unbound/conf.d/*.conf" ++ + # Stub zones. + # Create entries like below, to make all queries for 'example.com' and + # 'example.org' go to the given list of nameservers. list zero or more +@@ -1186,6 +1207,10 @@ remote-control: + # name: "example.org" + # stub-host: ns.example.com. 
+ ++# You can now also dynamically create and delete stub-zone's using ++# unbound-control stub_add domain.com 1.2.3.4 5.6.7.8 ++# unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8 ++ + # Forward zones + # Create entries like below, to make all queries for 'example.com' and + # 'example.org' go to the given list of servers. These servers have to handle +@@ -1203,6 +1228,10 @@ remote-control: + # forward-zone: + # name: "example.org" + # forward-host: fwd.example.com ++# ++# You can now also dynamically create and delete forward-zone's using ++# unbound-control forward_add domain.com 1.2.3.4 5.6.7.8 ++# unbound-control forward_remove domain.com 1.2.3.4 5.6.7.8 + + # Authority zones + # The data for these zones is kept locally, from a file or downloaded. +-- +2.47.0 + diff --git a/unbound-initrd.conf b/unbound-initrd.conf new file mode 100644 index 0000000..7838b3d --- /dev/null +++ b/unbound-initrd.conf @@ -0,0 +1,5 @@ +[Unit] +Before=network-online.target + +[Install] +WantedBy=network-online.target diff --git a/unbound-local-root.conf b/unbound-local-root.conf new file mode 100644 index 0000000..4ba5e9d --- /dev/null +++ b/unbound-local-root.conf 
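Review bot: `include: "@sysconfdir@/unbound/conf.d/*.conf"` is spliced in directly after the `remote-control:` clause, and, as the file's own comment on `include:` versus `include-toplevel:` in the first hunk describes, a plain `include:` continues the current clause — so a drop-in that begins with bare options rather than a clause keyword is parsed as remote-control settings (a stray `control-interface:` line would widen where the control socket listens) instead of being rejected. Use `include-toplevel: "@sysconfdir@/unbound/conf.d/*.conf"` here so every conf.d file must open with `forward-zone:`, `stub-zone:`, `server:` or similar. The `include: /etc/unbound/local.d/*.conf` inside `server:` is fine where it is, though quoting it like the other paths (`include: "/etc/unbound/local.d/*.conf"`) keeps the style consistent. The commented `tls-service-key`/`tls-service-pem` lines now name concrete /etc/unbound paths; a note that the key file must be readable by the unbound user but not world-readable would help whoever uncomments them.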
@@ -0,0 +1,30 @@
+# Authority zones
+# The data for these zones is kept locally, from a file or downloaded.
+# The data can be served to downstream clients, or used instead of the
+# upstream (which saves a lookup to the upstream).
+#
+# Download local root copy and answer TLD queries from it. Because
+# auth-zone has higher precedence, defined forward-zones to internal
+# only TLD will not work. Use stub-zone or disable this zone.
+# Good for a network-wide resolvers, worse for a localhost caching forwarder.
+auth-zone:
+ name: "."
+ primary: 170.247.170.2 # b.root-servers.net
+ primary: 192.33.4.12 # c.root-servers.net
+ primary: 199.7.91.13 # d.root-servers.net
+ primary: 192.5.5.241 # f.root-servers.net
+ primary: 192.112.36.4 # g.root-servers.net
+ primary: 193.0.14.129 # k.root-servers.net
+ primary: 192.0.47.132 # xfr.cjr.dns.icann.org
+ primary: 192.0.32.132 # xfr.lax.dns.icann.org
+ primary: 2801:1b8:10::b # b.root-servers.net
+ primary: 2001:500:2::c # c.root-servers.net
+ primary: 2001:500:2d::d # d.root-servers.net
+ primary: 2001:500:2f::f # f.root-servers.net
+ primary: 2001:500:12::d0d # g.root-servers.net
+ primary: 2001:7fd::1 # k.root-servers.net
+ primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
+ primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org
+ fallback-enabled: yes
+ for-downstream: no
+ for-upstream: yes
diff --git a/unbound.conf b/unbound.conf deleted file mode 100644
index b038b4a..0000000
--- a/unbound.conf
+++ /dev/null
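Review bot: The root copy is pulled by plain, unauthenticated zone transfer from the sixteen listed primaries and used with `for-upstream: yes`, yet nothing in the file says that its safety rests on DNSSEC validation of the transferred data — if the including configuration does not run the validator with a root trust anchor (not shown here), a tampered transfer on the path to any of those addresses replaces TLD delegations for every client of this resolver. I would add to the header `# Requires DNSSEC validation (validator in module-config plus a root trust anchor): the transfer itself is unauthenticated and the copy is only trustworthy once its RRSIGs verify.` Whether unbound always validates auth-zone data served upstream should be confirmed against the auth-zone documentation before relying on it. The precedence caveat about internal TLDs is useful; stating that no `zonefile:` is set, so the copy lives in memory and is re-transferred on every restart, would make the operational behaviour equally explicit.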
@@ -1,1363 +0,0 @@ -# -# Example configuration file. -# -# See unbound.conf(5) man page -# -# this is a comment. - -# Use this anywhere in the file to include other text into this file. -#include: "otherfile.conf" - -# Use this anywhere in the file to include other text, that explicitly starts a -# clause, into this file. Text after this directive needs to start a clause. -#include-toplevel: "otherfile.conf" - -# The server clause sets the main parameters. -server: - # whitespace is not necessary, but looks cleaner. - - # verbosity number, 0 is least verbose. 1 is default. - verbosity: 1 - - # print statistics to the log (for every thread) every N seconds. - # Set to "" or 0 to disable. Default is disabled. - # Needs to be disabled for munin plugin - statistics-interval: 0 - - # enable shm for stats, default no. if you enable also enable - # statistics-interval, every time it also writes stats to the - # shared memory segment keyed with shm-key. - # shm-enable: no - - # shm for stats uses this key, and key+1 for the shared mem segment. - # shm-key: 11777 - - # enable cumulative statistics, without clearing them after printing. - # Needs to be disabled for munin plugin - statistics-cumulative: no - - # enable extended statistics (query types, answer codes, status) - # printed from unbound-control. default off, because of speed. - # Needs to be enabled for munin plugin - extended-statistics: yes - - # Inhibits selected extended statistics (qtype, qclass, qopcode, rcode, - # rpz-actions) from printing if their value is 0. - # Default on. - # statistics-inhibit-zero: yes - - # number of threads to create. 1 disables threading. - num-threads: 4 - - # specify the interfaces to answer queries from by ip-address. - # The default is to listen to localhost (127.0.0.1 and ::1). - # specify 0.0.0.0 and ::0 to bind to all available interfaces. - # specify every interface[@port] on a new 'interface:' labelled line. 
- # The listen interfaces are not changed on reload, only on restart. - # interface: 0.0.0.0 - # interface: ::0 - # interface: 192.0.2.153 - # interface: 192.0.2.154 - # interface: 192.0.2.154@5003 - # interface: 2001:DB8::5 - # - # for dns over tls and raw dns over port 80 - # interface: 0.0.0.0@443 - # interface: ::0@443 - # interface: 0.0.0.0@80 - # interface: ::0@80 - - # enable this feature to copy the source address of queries to reply. - # Socket options are not supported on all platforms. experimental. - # interface-automatic: yes - # - # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0 - # NOTE: Disabled per Fedora policy not to listen to * on default install - # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled - interface-automatic: no - - # instead of the default port, open additional ports separated by - # spaces when interface-automatic is enabled, by listing them here. - # interface-automatic-ports: "" - - # port to answer queries from - # port: 53 - - # specify the interfaces to send outgoing queries to authoritative - # server from by ip-address. If none, the default (all) interface - # is used. Specify every interface on a 'outgoing-interface:' line. - # outgoing-interface: 192.0.2.153 - # outgoing-interface: 2001:DB8::5 - # outgoing-interface: 2001:DB8::6 - - # Specify a netblock to use remainder 64 bits as random bits for - # upstream queries. Uses freebind option (Linux). - # outgoing-interface: 2001:DB8::/64 - # Also (Linux:) ip -6 addr add 2001:db8::/64 dev lo - # And: ip -6 route add local 2001:db8::/64 dev lo - # And set prefer-ip6: yes to use the ip6 randomness from a netblock. - # Set this to yes to prefer ipv6 upstream servers over ipv4. - # prefer-ip6: no - - # Prefer ipv4 upstream servers, even if ipv6 is available. - # prefer-ip4: no - - # number of ports to allocate per thread, determines the size of the - # port range that can be open simultaneously. 
About double the - # num-queries-per-thread, or, use as many as the OS will allow you. - # outgoing-range: 4096 - - # permit Unbound to use this port number or port range for - # making outgoing queries, using an outgoing interface. - # Only ephemeral ports are allowed by SElinux - outgoing-port-permit: 32768-60999 - - # deny Unbound the use this of port number or port range for - # making outgoing queries, using an outgoing interface. - # Use this to make sure Unbound does not grab a UDP port that some - # other server on this computer needs. The default is to avoid - # IANA-assigned port numbers. - # If multiple outgoing-port-permit and outgoing-port-avoid options - # are present, they are processed in order. - # Our SElinux policy does not allow non-ephemeral ports to be used - outgoing-port-avoid: 0-32767 - outgoing-port-avoid: 61000-65535 - - # number of outgoing simultaneous tcp buffers to hold per thread. - # outgoing-num-tcp: 10 - - # number of incoming simultaneous tcp buffers to hold per thread. - # incoming-num-tcp: 10 - - # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). - # 0 is system default. Use 4m to catch query spikes for busy servers. - # so-rcvbuf: 0 - - # buffer size for UDP port 53 outgoing (SO_SNDBUF socket option). - # 0 is system default. Use 4m to handle spikes on very busy servers. - # so-sndbuf: 0 - - # use SO_REUSEPORT to distribute queries over threads. - # at extreme load it could be better to turn it off to distribute even. - so-reuseport: yes - - # use IP_TRANSPARENT so the interface: addresses can be non-local - # and you can config non-existing IPs that are going to work later on - # (uses IP_BINDANY on FreeBSD). - ip-transparent: yes - - # use IP_FREEBIND so the interface: addresses can be non-local - # and you can bind to nonexisting IPs and interfaces that are down. - # Linux only. On Linux you also have ip-transparent that is similar. 
- # ip-freebind: no - - # the value of the Differentiated Services Codepoint (DSCP) - # in the differentiated services field (DS) of the outgoing - # IP packets - # ip-dscp: 0 - - # EDNS reassembly buffer to advertise to UDP peers (the actual buffer - # is set with msg-buffer-size). - # edns-buffer-size: 1232 - - # Maximum UDP response size (not applied to TCP response). - # Suggested values are 512 to 4096. Default is 1232. 65536 disables it. - # max-udp-size: 1232 - - # max memory to use for stream(tcp and tls) waiting result buffers. - # stream-wait-size: 4m - - # buffer size for handling DNS data. No messages larger than this - # size can be sent or received, by UDP or TCP. In bytes. - # msg-buffer-size: 65552 - - # the amount of memory to use for the message cache. - # plain value in bytes or you can append k, m or G. default is "4Mb". - # msg-cache-size: 4m - - # the number of slabs to use for the message cache. - # the number of slabs must be a power of 2. - # more slabs reduce lock contention, but fragment memory usage. - # msg-cache-slabs: 4 - - # the number of queries that a thread gets to service. - # num-queries-per-thread: 1024 - - # if very busy, 50% queries run to completion, 50% get timeout in msec - # jostle-timeout: 200 - - # msec to wait before close of port on timeout UDP. 0 disables. - # delay-close: 0 - - # perform connect for UDP sockets to mitigate ICMP side channel. - # udp-connect: yes - - # The number of retries, per upstream nameserver in a delegation, when - # a throwaway response (also timeouts) is received. - # outbound-msg-retry: 5 - - # Hard limit on the number of outgoing queries Unbound will make while - # resolving a name, making sure large NS sets do not loop. - # It resets on query restarts (e.g., CNAME) and referrals. - # max-sent-count: 32 - - # Hard limit on the number of times Unbound is allowed to restart a - # query upon encountering a CNAME record. 
- # max-query-restarts: 11 - - # msec for waiting for an unknown server to reply. Increase if you - # are behind a slow satellite link, to eg. 1128. - # unknown-server-time-limit: 376 - - # the amount of memory to use for the RRset cache. - # plain value in bytes or you can append k, m or G. default is "4Mb". - # rrset-cache-size: 4m - - # the number of slabs to use for the RRset cache. - # the number of slabs must be a power of 2. - # more slabs reduce lock contention, but fragment memory usage. - # rrset-cache-slabs: 4 - - # the time to live (TTL) value lower bound, in seconds. Default 0. - # If more than an hour could easily give trouble due to stale data. - # cache-min-ttl: 0 - - # the time to live (TTL) value cap for RRsets and messages in the - # cache. Items are not cached for longer. In seconds. - # cache-max-ttl: 86400 - - # the time to live (TTL) value cap for negative responses in the cache - # cache-max-negative-ttl: 3600 - - # the time to live (TTL) value for cached roundtrip times, lameness and - # EDNS version information for hosts. In seconds. - # infra-host-ttl: 900 - - # minimum wait time for responses, increase if uplink is long. In msec. - # infra-cache-min-rtt: 50 - - # maximum wait time for responses. In msec. - # infra-cache-max-rtt: 120000 - - # enable to make server probe down hosts more frequently. - # infra-keep-probing: no - - # the number of slabs to use for the Infrastructure cache. - # the number of slabs must be a power of 2. - # more slabs reduce lock contention, but fragment memory usage. - # infra-cache-slabs: 4 - - # the maximum number of hosts that are cached (roundtrip, EDNS, lame). - # infra-cache-numhosts: 10000 - - # define a number of tags here, use with local-zone, access-control, - # interface-*. - # repeat the define-tag statement to add additional tags. - # define-tag: "tag1 tag2 tag3" - - # Enable IPv4, "yes" or "no". - # do-ip4: yes - - # Enable IPv6, "yes" or "no". 
- # do-ip6: yes - - # If running unbound on an IPv6-only host, domains that only have - # IPv4 servers would become unresolveable. If NAT64 is available in - # the network, unbound can use NAT64 to reach these servers with - # the following option. This is NOT needed for enabling DNS64 on a - # system that has IPv4 connectivity. - # Consider also enabling prefer-ip6 to prefer native IPv6 connections - # to nameservers. - # do-nat64: no - - # NAT64 prefix. Defaults to using dns64-prefix value. - # nat64-prefix: 64:ff9b::0/96 - - # Enable UDP, "yes" or "no". - # NOTE: if setting up an Unbound on tls443 for public use, you might want to - # disable UDP to avoid being used in DNS amplification attacks. - # do-udp: yes - - # Enable TCP, "yes" or "no". - # do-tcp: yes - - # upstream connections use TCP only (and no UDP), "yes" or "no" - # useful for tunneling scenarios, default no. - # tcp-upstream: no - - # upstream connections also use UDP (even if do-udp is no). - # useful if if you want UDP upstream, but don't provide UDP downstream. - # udp-upstream-without-downstream: no - - # Maximum segment size (MSS) of TCP socket on which the server - # responds to queries. Default is 0, system default MSS. - # tcp-mss: 0 - - # Maximum segment size (MSS) of TCP socket for outgoing queries. - # Default is 0, system default MSS. - # outgoing-tcp-mss: 0 - - # Idle TCP timeout, connection closed in milliseconds - # tcp-idle-timeout: 30000 - - # Enable EDNS TCP keepalive option. - edns-tcp-keepalive: yes - - # Timeout for EDNS TCP keepalive, in msec. - # edns-tcp-keepalive-timeout: 120000 - - # UDP queries that have waited in the socket buffer for a long time - # can be dropped. Default is 0, disabled. In seconds, such as 3. - # sock-queue-timeout: 0 - - # Fedora note: do not activate this - not compiled in because - # it causes frequent unbound crashes. Also, socket activation - # is bad when you have things like dnsmasq also running with libvirt. 
- # Use systemd socket activation for UDP, TCP, and control sockets. - # use-systemd: no - - # Detach from the terminal, run in background, "yes" or "no". - # Set the value to "no" when Unbound runs as systemd service. - # do-daemonize: yes - - # control which clients are allowed to make (recursive) queries - # to this server. Specify classless netblocks with /size and action. - # By default everything is refused, except for localhost. - # Choose deny (drop message), refuse (polite error reply), - # allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on), - # allow_snoop (recursive and nonrecursive ok) - # deny_non_local (drop queries unless can be answered from local-data) - # refuse_non_local (like deny_non_local but polite error reply). - # access-control: 127.0.0.0/8 allow - # access-control: ::1 allow - # access-control: ::ffff:127.0.0.1 allow - - # tag access-control with list of tags (in "" with spaces between) - # Clients using this access control element use localzones that - # are tagged with one of these tags. - # access-control-tag: 192.0.2.0/24 "tag2 tag3" - - # set action for particular tag for given access control element. - # if you have multiple tag values, the tag used to lookup the action - # is the first tag match between access-control-tag and local-zone-tag - # where "first" comes from the order of the define-tag values. - # access-control-tag-action: 192.0.2.0/24 tag3 refuse - - # set redirect data for particular tag for access control element - # access-control-tag-data: 192.0.2.0/24 tag2 "A 127.0.0.1" - - # Set view for access control element - # access-control-view: 192.0.2.0/24 viewname - - # Similar to 'access-control:' but for interfaces. - # Control which listening interfaces are allowed to accept (recursive) - # queries for this server. - # The specified interfaces should be the same as the ones specified in - # 'interface:' followed by the action. - # The actions are the same as 'access-control:' above. 
- # By default all the interfaces configured are refused. - # Note: any 'access-control*:' setting overrides all 'interface-*:' - # settings for targeted clients. - # interface-action: 192.0.2.153 allow - # interface-action: 192.0.2.154 allow - # interface-action: 192.0.2.154@5003 allow - # interface-action: 2001:DB8::5 allow - # interface-action: eth0@5003 allow - - # Similar to 'access-control-tag:' but for interfaces. - # Tag interfaces with a list of tags (in "" with spaces between). - # Interfaces using these tags use localzones that are tagged with one - # of these tags. - # The specified interfaces should be the same as the ones specified in - # 'interface:' followed by the list of tags. - # Note: any 'access-control*:' setting overrides all 'interface-*:' - # settings for targeted clients. - # interface-tag: eth0@5003 "tag2 tag3" - - # Similar to 'access-control-tag-action:' but for interfaces. - # Set action for particular tag for a given interface element. - # If you have multiple tag values, the tag used to lookup the action - # is the first tag match between interface-tag and local-zone-tag - # where "first" comes from the order of the define-tag values. - # The specified interfaces should be the same as the ones specified in - # 'interface:' followed by the tag and action. - # Note: any 'access-control*:' setting overrides all 'interface-*:' - # settings for targeted clients. - # interface-tag-action: eth0@5003 tag3 refuse - - # Similar to 'access-control-tag-data:' but for interfaces. - # Set redirect data for a particular tag for an interface element. - # The specified interfaces should be the same as the ones specified in - # 'interface:' followed by the tag and the redirect data. - # Note: any 'access-control*:' setting overrides all 'interface-*:' - # settings for targeted clients. - # interface-tag-data: eth0@5003 tag2 "A 127.0.0.1" - - # Similar to 'access-control-view:' but for interfaces. - # Set view for an interface element. 
- # The specified interfaces should be the same as the ones specified in - # 'interface:' followed by the view name. - # Note: any 'access-control*:' setting overrides all 'interface-*:' - # settings for targeted clients. - # interface-view: eth0@5003 viewname - - # if given, a chroot(2) is done to the given directory. - # i.e. you can chroot to the working directory, for example, - # for extra security, but make sure all files are in that directory. - # - # If chroot is enabled, you should pass the configfile (from the - # commandline) as a full path from the original root. After the - # chroot has been performed the now defunct portion of the config - # file path is removed to be able to reread the config after a reload. - # - # All other file paths (working dir, logfile, roothints, and - # key files) can be specified in several ways: - # o as an absolute path relative to the new root. - # o as a relative path to the working directory. - # o as an absolute path relative to the original root. - # In the last case the path is adjusted to remove the unused portion. - # - # The pid file can be absolute and outside of the chroot, it is - # written just prior to performing the chroot and dropping permissions. - # - # Additionally, Unbound may need to access /dev/urandom (for entropy). - # How to do this is specific to your OS. - # - # If you give "" no chroot is performed. The path must not end in a /. - # chroot: "/var/lib/unbound" - chroot: "" - - # if given, user privileges are dropped (after binding port), - # and the given username is assumed. Default is user "unbound". - # If you give "" no privileges are dropped. - username: "unbound" - - # the working directory. The relative files in this config are - # relative to this directory. If you give "" the working directory - # is not changed. - # If you give a server: directory: dir before include: file statements - # then those includes can be relative to the working directory. 
- directory: "/etc/unbound" - - # the log file, "" means log to stderr. - # Use of this option sets use-syslog to "no". - # logfile: "" - - # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to - # log to. If yes, it overrides the logfile. - # use-syslog: yes - - # Log identity to report. if empty, defaults to the name of argv[0] - # (usually "unbound"). - # log-identity: "" - - # print UTC timestamp in ascii to logfile, default is epoch in seconds. - log-time-ascii: yes - - # print one line with time, IP, name, type, class for every query. - # log-queries: no - - # print one line per reply, with time, IP, name, type, class, rcode, - # timetoresolve, fromcache and responsesize. - # log-replies: no - - # log with tag 'query' and 'reply' instead of 'info' for - # filtering log-queries and log-replies from the log. - # log-tag-queryreply: no - - # log the local-zone actions, like local-zone type inform is enabled - # also for the other local zone types. - # log-local-actions: no - - # print log lines that say why queries return SERVFAIL to clients. - # log-servfail: no - - # the pid file. Can be an absolute path outside of chroot/work dir. - pidfile: "/var/run/unbound/unbound.pid" - - # file to read root hints from. - # get one from https://www.internic.net/domain/named.cache - # root-hints: "" - - # enable to not answer id.server and hostname.bind queries. - # hide-identity: no - - # enable to not answer version.server and version.bind queries. - # hide-version: no - - # enable to not answer trustanchor.unbound queries. - # hide-trustanchor: no - - # enable to not set the User-Agent HTTP header. - # hide-http-user-agent: no - - # the identity to report. Leave "" or default to return hostname. - # identity: "" - - # the version to report. Leave "" or default to return package version. - # version: "" - - # NSID identity (hex string, or "ascii_somestring"). default disabled. - # nsid: "aabbccdd" - - # User-Agent HTTP header to use. 
Leave "" or default to use package name - # and version. - # http-user-agent: "" - - # the target fetch policy. - # series of integers describing the policy per dependency depth. - # The number of values in the list determines the maximum dependency - # depth the recursor will pursue before giving up. Each integer means: - # -1 : fetch all targets opportunistically, - # 0: fetch on demand, - # positive value: fetch that many targets opportunistically. - # Enclose the list of numbers between quotes (""). - # target-fetch-policy: "3 2 1 0 0" - - # Harden against very small EDNS buffer sizes. - # harden-short-bufsize: yes - - # Harden against unseemly large queries. - # harden-large-queries: no - - # Harden against out of zone rrsets, to avoid spoofing attempts. - harden-glue: yes - - # Harden against receiving dnssec-stripped data. If you turn it - # off, failing to validate dnskey data for a trustanchor will - # trigger insecure mode for that zone (like without a trustanchor). - # Default on, which insists on dnssec data for trust-anchored zones. - harden-dnssec-stripped: yes - - # Harden against queries that fall under dnssec-signed nxdomain names. - harden-below-nxdomain: yes - - # Harden the referral path by performing additional queries for - # infrastructure data. Validates the replies (if possible). - # Default off, because the lookups burden the server. Experimental - # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. - harden-referral-path: yes - - # Harden against algorithm downgrade when multiple algorithms are - # advertised in the DS record. If no, allows the weakest algorithm - # to validate the zone. - # harden-algo-downgrade: no - - # Harden against unknown records in the authority section and the - # additional section. - # harden-unknown-additional: no - - # Sent minimum amount of information to upstream servers to enhance - # privacy. Only sent minimum required labels of the QNAME and set QTYPE - # to A when possible. 
- qname-minimisation: yes - - # QNAME minimisation in strict mode. Do not fall-back to sending full - # QNAME to potentially broken nameservers. A lot of domains will not be - # resolvable when this option in enabled. - # This option only has effect when qname-minimisation is enabled. - # qname-minimisation-strict: no - - # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN - # and other denials, using information from previous NXDOMAINs answers. - aggressive-nsec: yes - - # Use 0x20-encoded random bits in the query to foil spoof attempts. - # This feature is an experimental implementation of draft dns-0x20. - # use-caps-for-id: no - - # Domains (and domains in them) without support for dns-0x20 and - # the fallback fails because they keep sending different answers. - # caps-exempt: "licdn.com" - # caps-exempt: "senderbase.org" - - # Enforce privacy of these addresses. Strips them away from answers. - # It may cause DNSSEC validation to additionally mark it as bogus. - # Protects against 'DNS Rebinding' (uses browser as network proxy). - # Only 'private-domain' and 'local-data' names are allowed to have - # these private addresses. No default. - # private-address: 10.0.0.0/8 - # private-address: 172.16.0.0/12 - # private-address: 192.168.0.0/16 - # private-address: 169.254.0.0/16 - # private-address: fd00::/8 - # private-address: fe80::/10 - # private-address: ::ffff:0:0/96 - - # Allow the domain (and its subdomains) to contain private addresses. - # local-data statements are allowed to contain private addresses too. - # private-domain: "example.com" - - # If nonzero, unwanted replies are not only reported in statistics, - # but also a running total is kept per thread. If it reaches the - # threshold, a warning is printed and a defensive action is taken, - # the cache is cleared to flush potential poison out of it. - # A suggested value is 10000000, the default is 0 (turned off). 
- unwanted-reply-threshold: 10000000 - - # Do not query the following addresses. No DNS queries are sent there. - # List one address per entry. List classless netblocks with /size, - # do-not-query-address: 127.0.0.1/8 - # do-not-query-address: ::1 - - # if yes, the above default do-not-query-address entries are present. - # if no, localhost can be queried (for testing and debugging). - # do-not-query-localhost: yes - - # if yes, perform prefetching of almost expired message cache entries. - prefetch: yes - - # if yes, perform key lookups adjacent to normal lookups. - prefetch-key: yes - - # deny queries of type ANY with an empty response. - deny-any: yes - - # if yes, Unbound rotates RRSet order in response. - rrset-roundrobin: yes - - # if yes, Unbound doesn't insert authority/additional sections - # into response messages when those sections are not required. - minimal-responses: yes - - # true to disable DNSSEC lameness check in iterator. - # disable-dnssec-lame-check: no - - # module configuration of the server. A string with identifiers - # separated by spaces. Syntax: "[dns64] [validator] iterator" - # most modules have to be listed at the beginning of the line, - # except cachedb(just before iterator), and python (at the beginning, - # or, just before the iterator). - # For redis cachedb use: - # "ipsecmod validator cachedb iterator" - module-config: "ipsecmod validator iterator" - - # File with trusted keys, kept uptodate using RFC5011 probes, - # initial file like trust-anchor-file, then it stores metadata. - # Use several entries, one per domain name, to track multiple zones. - # - # If you want to perform DNSSEC validation, run unbound-anchor before - # you start Unbound (i.e. in the system boot scripts). - # And then enable the auto-trust-anchor-file config item. - # Please note usage of unbound-anchor root anchor is at your own risk - # and under the terms of our LICENSE (see that file in the source). 
- # auto-trust-anchor-file: "/var/lib/unbound/root.key" - - # trust anchor signaling sends a RFC8145 key tag query after priming. - trust-anchor-signaling: yes - - # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel) - root-key-sentinel: yes - - # File with trusted keys for validation. Specify more than one file - # with several entries, one file per entry. - # Zone file format, with DS and DNSKEY entries. - # Note this gets out of date, use auto-trust-anchor-file please. - # trust-anchor-file: "" - - # Trusted key for validation. DS or DNSKEY. specify the RR on a - # single line, surrounded by "". TTL is ignored. class is IN default. - # Note this gets out of date, use auto-trust-anchor-file please. - # (These examples are from August 2007 and may not be valid anymore). - # trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ==" - # trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A" - - # File with trusted keys for validation. Specify more than one file - # with several entries, one file per entry. Like trust-anchor-file - # but has a different file format. Format is BIND-9 style format, - # the trusted-keys { name flag proto algo "key"; }; clauses are read. - # you need external update procedures to track changes in keys. - # trusted-keys-file: "" - # - trusted-keys-file: /etc/unbound/keys.d/*.key - auto-trust-anchor-file: "/var/lib/unbound/root.key" - - # Ignore chain of trust. Domain is treated as insecure. - # domain-insecure: "example.com" - - # Override the date for validation with a specific fixed date. - # Do not set this unless you are debugging signature inception - # and expiration. "" or "0" turns the feature off. -1 ignores date. - # val-override-date: "" - - # The time to live for bogus data, rrsets and messages. 
This avoids - # some of the revalidation, until the time interval expires. in secs. - # val-bogus-ttl: 60 - - # The signature inception and expiration dates are allowed to be off - # by 10% of the signature lifetime (expir-incep) from our local clock. - # This leeway is capped with a minimum and a maximum. In seconds. - # val-sig-skew-min: 3600 - # val-sig-skew-max: 86400 - - # The maximum number the validator should restart validation with - # another authority in case of failed validation. - # val-max-restart: 5 - - # Should additional section of secure message also be kept clean of - # unsecure data. Useful to shield the users of this validator from - # potential bogus data in the additional section. All unsigned data - # in the additional section is removed from secure messages. - val-clean-additional: yes - - # Turn permissive mode on to permit bogus messages. Thus, messages - # for which security checks failed will be returned to clients, - # instead of SERVFAIL. It still performs the security checks, which - # result in interesting log files and possibly the AD bit in - # replies if the message is found secure. The default is off. - # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY - val-permissive-mode: no - - # Ignore the CD flag in incoming queries and refuse them bogus data. - # Enable it if the only clients of Unbound are legacy servers (w2008) - # that set CD but cannot validate themselves. - # ignore-cd-flag: no - - # Serve expired responses from cache, with serve-expired-reply-ttl in - # the response, and then attempt to fetch the data afresh. - serve-expired: yes - # - # Limit serving of expired responses to configured seconds after - # expiration. 0 disables the limit. - serve-expired-ttl: 14400 - # - # Set the TTL of expired records to the serve-expired-ttl value after a - # failed attempt to retrieve the record from upstream. This makes sure - # that the expired records will be served as long as there are queries - # for it. 
- # serve-expired-ttl-reset: no - # - # TTL value to use when replying with expired data. - # serve-expired-reply-ttl: 30 - # - # Time in milliseconds before replying to the client with expired data. - # This essentially enables the serve-stale behavior as specified in - # RFC 8767 that first tries to resolve before - # immediately responding with expired data. 0 disables this behavior. - # A recommended value is 1800. - # serve-expired-client-timeout: 0 - - # Return the original TTL as received from the upstream name server rather - # than the decrementing TTL as stored in the cache. Enabling this feature - # does not impact cache expiry, it only changes the TTL Unbound embeds in - # responses to queries. Note that enabling this feature implicitly disables - # enforcement of the configured minimum and maximum TTL. - # serve-original-ttl: no - - # Have the validator log failed validations for your diagnosis. - # 0: off. 1: A line per failed user query. 2: With reason and bad IP. - val-log-level: 1 - - # It is possible to configure NSEC3 maximum iteration counts per - # keysize. Keep this table very short, as linear search is done. - # A message with an NSEC3 with larger count is marked insecure. - # List in ascending order the keysize and count values. - # val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150" - - # if enabled, ZONEMD verification failures do not block the zone. - # zonemd-permissive-mode: no - - # instruct the auto-trust-anchor-file probing to add anchors after ttl. - # add-holddown: 2592000 # 30 days - - # instruct the auto-trust-anchor-file probing to del anchors after ttl. - # del-holddown: 2592000 # 30 days - - # auto-trust-anchor-file probing removes missing anchors after ttl. - # If the value 0 is given, missing anchors are not removed. - # keep-missing: 31622400 # 366 days - - # debug option that allows very small holddown times for key rollover, - # otherwise the RFC mandates probe intervals must be at least 1 hour. 
- # permit-small-holddown: no - - # the amount of memory to use for the key cache. - # plain value in bytes or you can append k, m or G. default is "4Mb". - # key-cache-size: 4m - - # the number of slabs to use for the key cache. - # the number of slabs must be a power of 2. - # more slabs reduce lock contention, but fragment memory usage. - # key-cache-slabs: 4 - - # the amount of memory to use for the negative cache. - # plain value in bytes or you can append k, m or G. default is "1Mb". - # neg-cache-size: 1m - - # By default, for a number of zones a small default 'nothing here' - # reply is built-in. Query traffic is thus blocked. If you - # wish to serve such zone you can unblock them by uncommenting one - # of the nodefault statements below. - # You may also have to use domain-insecure: zone to make DNSSEC work, - # unless you have your own trust anchors for this zone. - # local-zone: "localhost." nodefault - # local-zone: "127.in-addr.arpa." nodefault - # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault - # local-zone: "home.arpa." nodefault - # local-zone: "onion." nodefault - # local-zone: "test." nodefault - # local-zone: "invalid." nodefault - # local-zone: "10.in-addr.arpa." nodefault - # local-zone: "16.172.in-addr.arpa." nodefault - # local-zone: "17.172.in-addr.arpa." nodefault - # local-zone: "18.172.in-addr.arpa." nodefault - # local-zone: "19.172.in-addr.arpa." nodefault - # local-zone: "20.172.in-addr.arpa." nodefault - # local-zone: "21.172.in-addr.arpa." nodefault - # local-zone: "22.172.in-addr.arpa." nodefault - # local-zone: "23.172.in-addr.arpa." nodefault - # local-zone: "24.172.in-addr.arpa." nodefault - # local-zone: "25.172.in-addr.arpa." nodefault - # local-zone: "26.172.in-addr.arpa." nodefault - # local-zone: "27.172.in-addr.arpa." nodefault - # local-zone: "28.172.in-addr.arpa." nodefault - # local-zone: "29.172.in-addr.arpa." nodefault - # local-zone: "30.172.in-addr.arpa." 
nodefault - # local-zone: "31.172.in-addr.arpa." nodefault - # local-zone: "168.192.in-addr.arpa." nodefault - # local-zone: "0.in-addr.arpa." nodefault - # local-zone: "254.169.in-addr.arpa." nodefault - # local-zone: "2.0.192.in-addr.arpa." nodefault - # local-zone: "100.51.198.in-addr.arpa." nodefault - # local-zone: "113.0.203.in-addr.arpa." nodefault - # local-zone: "255.255.255.255.in-addr.arpa." nodefault - # local-zone: "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault - # local-zone: "d.f.ip6.arpa." nodefault - # local-zone: "8.e.f.ip6.arpa." nodefault - # local-zone: "9.e.f.ip6.arpa." nodefault - # local-zone: "a.e.f.ip6.arpa." nodefault - # local-zone: "b.e.f.ip6.arpa." nodefault - # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault - # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa. - - # Add example.com into ipset - # local-zone: "example.com" ipset - - # If Unbound is running service for the local host then it is useful - # to perform lan-wide lookups to the upstream, and unblock the - # long list of local-zones above. If this Unbound is a dns server - # for a network of computers, disabled is better and stops information - # leakage of local lan information. - # unblock-lan-zones: no - - # The insecure-lan-zones option disables validation for - # these zones, as if they were all listed as domain-insecure. - # insecure-lan-zones: no - - # a number of locally served zones can be configured. - # local-zone: - # local-data: "" - # o deny serves local data (if any), else, drops queries. - # o refuse serves local data (if any), else, replies with error. - # o static serves local data, else, nxdomain or nodata answer. - # o transparent gives local data, but resolves normally for other names - # o redirect serves the zone data for any subdomain in the zone. - # o nodefault can be used to normally resolve AS112 zones. 
- # o typetransparent resolves normally for other types and other names - # o inform acts like transparent, but logs client IP address - # o inform_deny drops queries and logs client IP address - # o inform_redirect redirects queries and logs client IP address - # o always_transparent, always_refuse, always_nxdomain, always_nodata, - # always_deny resolve in that way but ignore local data for - # that name - # o block_a resolves all records normally but returns - # NODATA for A queries and ignores local data for that name - # o always_null returns 0.0.0.0 or ::0 for any name in the zone. - # o noview breaks out of that view towards global local-zones. - # - # defaults are localhost address, reverse for 127.0.0.1 and ::1 - # and nxdomain for AS112 zones. If you configure one of these zones - # the default content is omitted, or you can omit it with 'nodefault'. - # - # If you configure local-data without specifying local-zone, by - # default a transparent local-zone is created for the data. - # - # You can add locally served data with - # local-zone: "local." static - # local-data: "mycomputer.local. IN A 192.0.2.51" - # local-data: 'mytext.local TXT "content of text record"' - # - # You can override certain queries with - # local-data: "adserver.example.com A 127.0.0.1" - # - # You can redirect a domain to a fixed address with - # (this makes example.com, www.example.com, etc, all go to 192.0.2.3) - # local-zone: "example.com" redirect - # local-data: "example.com A 192.0.2.3" - # - # Shorthand to make PTR records, "IPv4 name" or "IPv6 name". - # You can also add PTR records using local-data directly, but then - # you need to do the reverse notation yourself. 
- # local-data-ptr: "192.0.2.3 www.example.com" - - include: /etc/unbound/local.d/*.conf - - # tag a localzone with a list of tag names (in "" with spaces between) - # local-zone-tag: "example.com" "tag2 tag3" - - # add a netblock specific override to a localzone, with zone type - # local-zone-override: "example.com" 192.0.2.0/24 refuse - - # service clients over TLS (on the TCP sockets) with plain DNS inside - # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. - # Give the certificate to use and private key. - # default is "" (disabled). requires restart to take effect. - # tls-service-key: "/etc/unbound/unbound_server.key" - # tls-service-pem: "/etc/unbound/unbound_server.pem" - # tls-port: 853 - # https-port: 443 - - # cipher setting for TLSv1.2 - # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" - # cipher setting for TLSv1.3 - # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" - # Fedora/RHEL: use system-wide crypto policies - tls-ciphers: "PROFILE=SYSTEM" - # TODO: ask system-wide crypto people what to use here - #tls-ciphersuites: "PROFILE=SYSTEM" # does not work - - # Pad responses to padded queries received over TLS - # pad-responses: yes - - # Padded responses will be padded to the closest multiple of this size. - # pad-responses-block-size: 468 - - # Use the SNI extension for TLS connections. Default is yes. - # Changing the value requires a reload. - # tls-use-sni: yes - - # Add the secret file for TLS Session Ticket. - # Secret file must be 80 bytes of random data. - # First key use to encrypt and decrypt TLS session tickets. - # Other keys use to decrypt only. - # requires restart to take effect. 
- # tls-session-ticket-keys: "path/to/secret_file1" - # tls-session-ticket-keys: "path/to/secret_file2" - - # request upstream over TLS (with plain DNS inside the TLS stream). - # Default is no. Can be turned on and off with unbound-control. - # tls-upstream: no - - # Certificates used to authenticate connections made upstream. - # tls-cert-bundle: "" - - # Add system certs to the cert bundle, from the Windows Cert Store - # tls-win-cert: no - # and on other systems, the default openssl certificates - # tls-system-cert: no - - # Pad queries over TLS upstreams - # pad-queries: yes - - # Padded queries will be padded to the closest multiple of this size. - # pad-queries-block-size: 128 - - # Also serve tls on these port numbers (eg. 443, ...), by listing - # tls-additional-port: portno for each of the port numbers. - - # HTTP endpoint to provide DNS-over-HTTPS service on. - # http-endpoint: "/dns-query" - - # HTTP/2 SETTINGS_MAX_CONCURRENT_STREAMS value to use. - # http-max-streams: 100 - - # Maximum number of bytes used for all HTTP/2 query buffers. - # http-query-buffer-size: 4m - - # Maximum number of bytes used for all HTTP/2 response buffers. - # http-response-buffer-size: 4m - - # Set TCP_NODELAY socket option on sockets used for DNS-over-HTTPS - # service. - # http-nodelay: yes - - # Disable TLS for DNS-over-HTTP downstream service. - # http-notls-downstream: no - - # The interfaces that use these listed port numbers will support and - # expect PROXYv2. For UDP and TCP/TLS interfaces. - # proxy-protocol-port: portno for each of the port numbers. - - # DNS64 prefix. Must be specified when DNS64 is use. - # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4. - # dns64-prefix: 64:ff9b::0/96 - - # DNS64 ignore AAAA records for these domains and use A instead. - # dns64-ignore-aaaa: "example.com" - - # ratelimit for uncached, new queries, this limits recursion effort. - # ratelimiting is experimental, and may help against randomqueryflood. 
- # if 0(default) it is disabled, otherwise state qps allowed per zone. - # ratelimit: 0 - - # ratelimits are tracked in a cache, size in bytes of cache (or k,m). - # ratelimit-size: 4m - # ratelimit cache slabs, reduces lock contention if equal to cpucount. - # ratelimit-slabs: 4 - - # 0 blocks when ratelimited, otherwise let 1/xth traffic through - # ratelimit-factor: 10 - - # Aggressive rate limit when the limit is reached and until demand has - # decreased in a 2 second rate window. - # ratelimit-backoff: no - - # override the ratelimit for a specific domain name. - # give this setting multiple times to have multiple overrides. - # ratelimit-for-domain: example.com 1000 - # override the ratelimits for all domains below a domain name - # can give this multiple times, the name closest to the zone is used. - # ratelimit-below-domain: com 1000 - - # global query ratelimit for all ip addresses. - # feature is experimental. - # if 0(default) it is disabled, otherwise states qps allowed per ip address - # ip-ratelimit: 0 - - # ip ratelimits are tracked in a cache, size in bytes of cache (or k,m). - # ip-ratelimit-size: 4m - # ip ratelimit cache slabs, reduces lock contention if equal to cpucount. - # ip-ratelimit-slabs: 4 - - # 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through - # ip-ratelimit-factor: 10 - - # Aggressive rate limit when the limit is reached and until demand has - # decreased in a 2 second rate window. - # ip-ratelimit-backoff: no - - # Limit the number of connections simultaneous from a netblock - # tcp-connection-limit: 192.0.2.0/24 12 - - # select from the fastest servers this many times out of 1000. 0 means - # the fast server select is disabled. prefetches are not sped up. - # fast-server-permil: 0 - # the number of servers that will be used in the fast server selection. - # fast-server-num: 3 - - # Enable to attach Extended DNS Error codes (RFC8914) to responses. 
- ede: yes - - # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale - # Answer as EDNS0 option to expired responses. - # Note that the ede option above needs to be enabled for this to work. - ede-serve-expired: yes - - # Specific options for ipsecmod. Unbound needs to be configured with - # --enable-ipsecmod for these to take effect. - # - # Enable or disable ipsecmod (it still needs to be defined in - # module-config above). Can be used when ipsecmod needs to be - # enabled/disabled via remote-control(below). - # Fedora: module will be enabled on-demand by libreswan - ipsecmod-enabled: no - - # Path to executable external hook. It must be defined when ipsecmod is - # listed in module-config (above). - # ipsecmod-hook: "./my_executable" - ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook - - # When enabled Unbound will reply with SERVFAIL if the return value of - # the ipsecmod-hook is not 0. - # ipsecmod-strict: no - # - # Maximum time to live (TTL) for cached A/AAAA records with IPSECKEY. - # ipsecmod-max-ttl: 3600 - # - # Reply with A/AAAA even if the relevant IPSECKEY is bogus. Mainly used for - # testing. - # ipsecmod-ignore-bogus: no - # - # Domains for which ipsecmod will be triggered. If not defined (default) - # all domains are treated as being allowed. - # ipsecmod-allow: "example.com" - # ipsecmod-allow: "nlnetlabs.nl" - - # Timeout for REUSE entries in milliseconds. - # tcp-reuse-timeout: 60000 - # Max number of queries on a reuse connection. - # max-reuse-tcp-queries: 200 - # Timeout in milliseconds for TCP queries to auth servers. - # tcp-auth-query-timeout: 3000 - -# Python config section. To enable: -# o use --with-pythonmodule to configure before compiling. -# o list python in the module-config string (above) to enable. -# It can be at the start, it gets validated results, or just before -# the iterator and process before DNSSEC validation. -# o and give a python-script to run. 
-python: - # Script file to load - # python-script: "/etc/unbound/ubmodule-tst.py" - -# Dynamic library config section. To enable: -# o use --with-dynlibmodule to configure before compiling. -# o list dynlib in the module-config string (above) to enable. -# It can be placed anywhere, the dynlib module is only a very thin wrapper -# to load modules dynamically. -# o and give a dynlib-file to run. If more than one dynlib entry is listed in -# the module-config then you need one dynlib-file per instance. -dynlib: - # Script file to load - # dynlib-file: "/etc/unbound/dynlib.so" - -# Remote control config section. -remote-control: - # Enable remote control with unbound-control(8) here. - # set up the keys and certificates with unbound-control-setup. - # Note: required for unbound-munin package - control-enable: yes - - # Set to no and use an absolute path as control-interface to use - # a unix local named pipe for unbound-control. - # control-use-cert: yes - - # what interfaces are listened to for remote control. - # give 0.0.0.0 and ::0 to listen to all interfaces. - # set to an absolute path to use a unix local name pipe, certificates - # are not used for that, so key and cert files need not be present. - # control-interface: 127.0.0.1 - # control-interface: ::1 - - # port number for remote control operations. - # control-port: 8953 - - # for localhost, you can disable use of TLS by setting this to "no" - # For local sockets this option is ignored, and TLS is not used. - control-use-cert: "no" - - # Unbound server key file. - server-key-file: "/etc/unbound/unbound_server.key" - - # Unbound server certificate file. - server-cert-file: "/etc/unbound/unbound_server.pem" - - # unbound-control key file. - control-key-file: "/etc/unbound/unbound_control.key" - - # unbound-control certificate file. - control-cert-file: "/etc/unbound/unbound_control.pem" - -# Stub and Forward zones -include: /etc/unbound/conf.d/*.conf - -# Stub zones. 
-# Create entries like below, to make all queries for 'example.com' and -# 'example.org' go to the given list of nameservers. list zero or more -# nameservers by hostname or by ipaddress. If you set stub-prime to yes, -# the list is treated as priming hints (default is no). -# With stub-first yes, it attempts without the stub if it fails. -# Consider adding domain-insecure: name and local-zone: name nodefault -# to the server: section if the stub is a locally served zone. -# stub-zone: -# name: "example.com" -# stub-addr: 192.0.2.68 -# stub-prime: no -# stub-first: no -# stub-tcp-upstream: no -# stub-tls-upstream: no -# stub-no-cache: no -# stub-zone: -# name: "example.org" -# stub-host: ns.example.com. - -# You can now also dynamically create and delete stub-zone's using -# unbound-control stub_add domain.com 1.2.3.4 5.6.7.8 -# unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8 - -# Forward zones -# Create entries like below, to make all queries for 'example.com' and -# 'example.org' go to the given list of servers. These servers have to handle -# recursion to other nameservers. List zero or more nameservers by hostname -# or by ipaddress. Use an entry with name "." to forward all queries. -# If you enable forward-first, it attempts without the forward if it fails. -# forward-zone: -# name: "example.com" -# forward-addr: 192.0.2.68 -# forward-addr: 192.0.2.73@5355 # forward to port 5355. -# forward-first: no -# forward-tcp-upstream: no -# forward-tls-upstream: no -# forward-no-cache: no -# forward-zone: -# name: "example.org" -# forward-host: fwd.example.com -# -# You can now also dynamically create and delete forward-zone's using -# unbound-control forward_add domain.com 1.2.3.4 5.6.7.8 -# unbound-control forward_remove domain.com 1.2.3.4 5.6.7.8 - -# Authority zones -# The data for these zones is kept locally, from a file or downloaded. -# The data can be served to downstream clients, or used instead of the -# upstream (which saves a lookup to the upstream). 
The first example -# has a copy of the root for local usage. The second serves example.org -# authoritatively. zonefile: reads from file (and writes to it if you also -# download it), master: fetches with AXFR and IXFR, or url to zonefile. -# With allow-notify: you can give additional (apart from masters) sources of -# notifies. -auth-zone: - name: "." - primary: 199.9.14.201 # b.root-servers.net - primary: 192.33.4.12 # c.root-servers.net - primary: 199.7.91.13 # d.root-servers.net - primary: 192.5.5.241 # f.root-servers.net - primary: 192.112.36.4 # g.root-servers.net - primary: 193.0.14.129 # k.root-servers.net - primary: 192.0.47.132 # xfr.cjr.dns.icann.org - primary: 192.0.32.132 # xfr.lax.dns.icann.org - primary: 2001:500:200::b # b.root-servers.net - primary: 2001:500:2::c # c.root-servers.net - primary: 2001:500:2d::d # d.root-servers.net - primary: 2001:500:2f::f # f.root-servers.net - primary: 2001:500:12::d0d # g.root-servers.net - primary: 2001:7fd::1 # k.root-servers.net - primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org - primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org - fallback-enabled: yes - for-downstream: no - for-upstream: yes - -# auth-zone: -# name: "example.org" -# for-downstream: yes -# for-upstream: yes -# zonemd-check: no -# zonemd-reject-absence: no -# zonefile: "example.org.zone" - -# Views -# Create named views. Name must be unique. Map views to requests using -# the access-control-view option. Views can contain zero or more local-zone -# and local-data options. Options from matching views will override global -# options. Global options will be used if no matching view is found. -# With view-first yes, it will try to answer using the global local-zone and -# local-data elements if there is no view specific match. 
-# view: -# name: "viewname" -# local-zone: "example.com" redirect -# local-data: "example.com A 192.0.2.3" -# local-data-ptr: "192.0.2.3 www.example.com" -# view-first: no -# view: -# name: "anotherview" -# local-zone: "example.com" refuse - -# Fedora: DNSCrypt support not enabled since it requires linking to -# another crypto library -# -# DNSCrypt -# o enable, use --enable-dnscrypt to configure before compiling. -# Caveats: -# 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper -# for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage -# 2. dnscrypt channel attaches to an interface. you MUST set interfaces to -# listen on `dnscrypt-port` with the follo0wing snippet: -# server: -# interface: 0.0.0.0@443 -# interface: ::0@443 -# -# Finally, `dnscrypt` config has its own section. -# dnscrypt: -# dnscrypt-enable: yes -# dnscrypt-port: 443 -# dnscrypt-provider: 2.dnscrypt-cert.example.com. -# dnscrypt-secret-key: /path/unbound-conf/keys1/1.key -# dnscrypt-secret-key: /path/unbound-conf/keys2/1.key -# dnscrypt-provider-cert: /path/unbound-conf/keys1/1.cert -# dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert - -# CacheDB -# External backend DB as auxiliary cache. -# To enable, use --enable-cachedb to configure before compiling. -# Specify the backend name -# (default is "testframe", which has no use other than for debugging and -# testing) and backend-specific options. The 'cachedb' module must be -# included in module-config, just before the iterator module. -# cachedb: -# backend: "testframe" -# # secret seed string to calculate hashed keys -# secret-seed: "default" -# -# # For "redis" backend: -# # (to enable, use --with-libhiredis to configure before compiling) -# # redis server's IP address or host name -# redis-server-host: 127.0.0.1 -# # redis server's TCP port -# redis-server-port: 6379 -# # if the server uses a unix socket, set its path, or "" when not used. 
-# # redis-server-path: "/var/lib/redis/redis-server.sock" -# # if the server uses an AUTH password, specify here, or "" when not used. -# # redis-server-password: "" -# # timeout (in ms) for communication with the redis server -# redis-timeout: 100 -# # set timeout on redis records based on DNS response TTL -# redis-expire-records: no - -# IPSet -# Add specify domain into set via ipset. -# To enable: -# o use --enable-ipset to configure before compiling; -# o Unbound then needs to run as root user. -# ipset: -# # set name for ip v4 addresses -# name-v4: "list-v4" -# # set name for ip v6 addresses -# name-v6: "list-v6" -# - -# Dnstap logging support, if compiled in by using --enable-dnstap to configure. -# To enable, set the dnstap-enable to yes and also some of -# dnstap-log-..-messages to yes. And select an upstream log destination, by -# socket path, TCP or TLS destination. -# dnstap: -# dnstap-enable: no -# # if set to yes frame streams will be used in bidirectional mode -# dnstap-bidirectional: yes -# dnstap-socket-path: "/etc/unbound/dnstap.sock" -# # if "" use the unix socket in dnstap-socket-path, otherwise, -# # set it to "IPaddress[@port]" of the destination. -# dnstap-ip: "" -# # if set to yes if you want to use TLS to dnstap-ip, no for TCP. -# dnstap-tls: yes -# # name for authenticating the upstream server. or "" disabled. -# dnstap-tls-server-name: "" -# # if "", it uses the cert bundle from the main Unbound config. -# dnstap-tls-cert-bundle: "" -# # key file for client authentication, or "" disabled. -# dnstap-tls-client-key-file: "" -# # cert file for client authentication, or "" disabled. -# dnstap-tls-client-cert-file: "" -# dnstap-send-identity: no -# dnstap-send-version: no -# # if "" it uses the hostname. -# dnstap-identity: "" -# # if "" it uses the package version. 
-# dnstap-version: "" -# dnstap-log-resolver-query-messages: no -# dnstap-log-resolver-response-messages: no -# dnstap-log-client-query-messages: no -# dnstap-log-client-response-messages: no -# dnstap-log-forwarder-query-messages: no -# dnstap-log-forwarder-response-messages: no - -# Response Policy Zones -# RPZ policies. Applied in order of configuration. QNAME, Response IP -# Address, nsdname, nsip and clientip triggers are supported. Supported -# actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp-only -# and drop. Policies can be loaded from a file, or using zone -# transfer, or using HTTP. The respip module needs to be added -# to the module-config, e.g.: module-config: "respip validator iterator". -# rpz: -# name: "rpz.example.com" -# zonefile: "rpz.example.com" -# primary: 192.0.2.0 -# allow-notify: 192.0.2.0/32 -# url: http://www.example.com/rpz.example.org.zone -# rpz-action-override: cname -# rpz-cname-override: www.example.org -# rpz-log: yes -# rpz-log-name: "example policy" -# rpz-signal-nxdomain-ra: no -# for-downstream: no -# tags: "example" diff --git a/unbound.service b/unbound.service index ffaf783..d476504 100644 --- a/unbound.service +++ b/unbound.service @@ -1,6 +1,9 @@ [Unit] Description=Unbound recursive Domain Name Server -After=network-online.target +After=network.target +# Use ip-freebind: yes or add After=network-online.target, rhbz#2338429, +# if interface: specifies exact address, not localhost nor wildcard +#After=network-online.target After=unbound-keygen.service Wants=unbound-keygen.service After=unbound-anchor.service @@ -9,11 +12,12 @@ Before=nss-lookup.target Wants=nss-lookup.target [Service] -Type=simple +Type=notify EnvironmentFile=-/etc/sysconfig/unbound ExecStartPre=/usr/sbin/unbound-checkconf ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS ExecReload=/usr/sbin/unbound-control reload +Restart=on-abnormal [Install] WantedBy=multi-user.target diff --git a/unbound.spec b/unbound.spec index 62e7933..d173141 100644 
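Review bot: `Type=notify` makes a successful start depend on unbound sending READY=1, which it only does when built with `--enable-systemd`; the spec makes that the default now (`%bcond_without systemd`) but still accepts `--without systemd`, while unbound.service is installed unconditionally, so such a build would hit the start timeout and, with the new `Restart=on-abnormal`, be restarted in a loop. Either install the unit only under `%if %{with systemd}` or record the coupling next to the directive: `# Type=notify requires a build with --enable-systemd (spec bcond "systemd")`. `Restart=on-abnormal` itself is the right choice here: a failing `ExecStartPre` checkconf is an exit-code failure and will not be retried.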
--- a/unbound.spec +++ b/unbound.spec @@ -2,13 +2,23 @@ %{?!with_python3: %global with_python3 1} %{?!with_munin: %global with_munin 1} %bcond_without dnstap -%bcond_with systemd +%bcond_without systemd %bcond_without doh +%if 0%{?fedora} >= 43 && !0%{?rhel} +# Do not build with QUIC support in RHEL, until we have also client support. +%bcond_without ngtcp2 +%endif +%if 0%{?rhel} && ! 0%{?epel} %bcond_with redis +%else +%bcond_without redis +%endif +%global forgeurl0 https://github.com/NLnetLabs/unbound +%global downloads https://nlnetlabs.nl/downloads %global _hardened_build 1 -#%%global extra_version rc1 +#global extra_version rc1 %if 0%{with_python2} %global python_primary %{__python2} @@ -30,16 +40,16 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.18.0 -Release: 1%{?extra_version:.%{extra_version}}%{?dist} +Version: 1.24.2 +Release: %autorelease %{?extra_version:-e %{extra_version}} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ -Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz +VCS: git:%{forgeurl0} +Source: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz Source1: unbound.service -Source2: unbound.conf Source3: unbound.munin Source4: unbound_munin_ -Source5: root.key +Source5: mkroot.sh Source7: unbound-keygen.service Source8: tmpfiles-unbound.conf Source9: example.com.key 
@@ -51,17 +61,41 @@ Source14: unbound.sysconfig Source15: unbound-anchor.timer Source16: unbound-munin.README Source17: unbound-anchor.service -Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc -# source: https://nlnetlabs.nl/people/ -Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key +Source18: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc +# https://nlnetlabs.nl/signing-keys/ +Source19: https://nlnetlabs.nl/downloads/keys/releases-g2.asc#/nlnetlabs2026-g2.asc Source20: unbound.sysusers +Source21: remote-control.conf +Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc +Source23: unbound-as112-networks.conf +Source24: unbound-local-root.conf +Source25: openssl-sha1.conf +Source26: remote-control-include.conf +Source27: fedora-defaults.conf +Source28: module-setup.sh +Source29: unbound-initrd.conf +Source30: tmpfiles-unbound-libs.conf +# Downstream configuration changes +Patch1: unbound-fedora-config.patch +# https://github.com/NLnetLabs/unbound/pull/1331 +Patch2: unbound-1.24-swig-function.patch +# https://github.com/NLnetLabs/unbound/pull/1381 +Patch3: unbound-1.24-quic-on-demand-only.patch BuildRequires: gcc, make -BuildRequires: flex, openssl-devel +BuildRequires: openssl-devel BuildRequires: libevent-devel expat-devel BuildRequires: pkgconfig -%if 0%{?fedora} + +# Required for configure regeneration +BuildRequires: automake autoconf libtool +BuildRequires: autoconf-archive +# Regenerate config parser too +BuildRequires: bison flex byacc +BuildRequires: dns-root-data + +%if 0%{?fedora} || 0%{?rhel} >= 9 BuildRequires: gnupg2 %endif %if 0%{with_python2} 
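Review bot: Neither `Source19` nor `Source22` records the fingerprint of the key it is expected to hold, so the `.asc` keyrings checked into the repository can no longer be compared against anything in the spec (the old Source19 URL at least carried the key id `0x9F6F1C2D7E045F8D`). These keyrings are exactly what `%{gpgverify}` in %prep trusts, so add the published fingerprint beside each, e.g. `# Fingerprint: <FINGERPRINT-FROM-nlnetlabs.nl/signing-keys>` (placeholder), so a future key refresh is reviewable. Note also that `BuildRequires: gnupg2` is only pulled in for Fedora and RHEL >= 9, matching the %prep guard, so on any other target the tarball signature is not verified at all; a one-line comment at that `%if` saying so would save the next reader the cross-reference.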
@@ -80,16 +114,16 @@ BuildRequires: systemd-devel BuildRequires: libnghttp2-devel %endif %if %{with redis} -BuildRequires: redis-devel +BuildRequires: hiredis-devel %endif %if 0%{?fedora} >= 30 || 0%{?rhel} >= 9 BuildRequires: systemd-rpm-macros %else BuildRequires: systemd %endif -# Required for SVN versions -# BuildRequires: bison -# BuildRequires: automake autoconf libtool +%if %{with ngtcp2} +BuildRequires: ngtcp2-crypto-ossl-devel +%endif # Needed because /usr/sbin/unbound links unbound libs staticly Requires: %{name}-libs%{?_isa} = %{version}-%{release} @@ -97,7 +131,6 @@ Requires: %{name}-anchor%{?_isa} = %{version}-%{release} Recommends: %{name}-utils%{?_isa} = %{version}-%{release} # unbound-keygen.service requires it, bug #2116790 Requires: openssl -Requires(pre): systemd-sysusers %description Unbound is a validating, recursive, and caching DNS(SEC) resolver. @@ -132,6 +165,7 @@ The devel package contains the unbound library and the include files %package libs Summary: Libraries used by the unbound server and client applications Recommends: %{name}-anchor +Requires: dns-root-data %if ! 0%{with_python2} # Make explicit conflict with no longer provided python package Obsoletes: python2-unbound < 1.9.3 @@ -141,7 +175,6 @@ Obsoletes: python2-unbound < 1.9.3 Contains libraries used by the unbound server and client applications. %package anchor -Requires(pre): shadow-utils Requires: %{name}-libs%{?_isa} = %{version}-%{release} Summary: DNSSEC trust anchor maintaining tool 
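Review bot: `Requires(pre): systemd-sysusers` is dropped here (and `%pre libs` with `%sysusers_create_compat` goes in the hunk at L83) while the spec still keeps an `%else BuildRequires: systemd` branch for targets older than Fedora 30 / RHEL 9. On those targets I cannot see what creates the `unbound` user before files owned by it (`%attr(...,unbound,...)`) are laid down, unless rpm's sysusers file trigger and `user(unbound)` dependency generation exist there; I could not confirm that from the spec. If the old targets are no longer built, say so at the `%if 0%{?fedora} >= 30 || 0%{?rhel} >= 9` block; otherwise keep the compat scriptlet under that `%else`.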
@@ -182,57 +215,71 @@ Conflicts: python2-unbound < 1.9.3 Python 3 modules and extensions for unbound %endif +%package dracut +Summary: Unbound dracut module +Requires: dracut%{?_isa} +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description dracut +Unbound dracut module allowing use of Unbound for name resolution +in initramfs. %prep -%if 0%{?fedora} +%if 0%{?fedora} || 0%{?rhel} >= 9 +# TODO: Remove Yorgos.asc and extra verification once releases start to be signed by new g2 key +%{gpgverify} --keyring='%{SOURCE22}' --signature='%{SOURCE18}' --data='%{SOURCE0}' || \ %{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}' %endif %global pkgname %{name}-%{version}%{?extra_version} %if 0%{with_python2} && 0%{with_python3} -%global dir_primary %{pkgname}_python3 %global python_primary %{__python3} %global dir_secondary %{pkgname}_python2 %global python_secondary %{__python2} -%else -%global dir_primary %{pkgname} %endif -%autosetup -c -N -n %{pkgname} +%autosetup -N -n %{pkgname} -pushd %{pkgname} # patches go here %autopatch -p1 -# only for snapshots -# autoreconf -iv - -# copy common doc files - after here, since it may be patched -cp -pr doc pythonmod libunbound ../ -popd +%if 0%{?rhel} > 8 + # SHA-1 breaks some tests. Disable just some tests because of that. + # This got broken in ELN + ls testdata/*.rpl + for TEST in autotrust_init_fail autotrust_init_failsig; do + mv testdata/${TEST}.rpl{,-disabled} + done +%endif %if 0%{with_python2} && 0%{with_python3} -mv %{pkgname} %{dir_primary} -cp -a %{dir_primary} %{dir_secondary} + cp -a . 
%{dir_secondary} %endif %build -# This is needed to rebuild the configure script to support Python 3.x -# autoreconf -iv - # ./configure script common arguments %global configure_args --with-libevent --with-pthreads --with-ssl \\\ --disable-rpath --disable-static \\\ --enable-relro-now --enable-pie \\\ --enable-subnet --enable-ipsecmod \\\ --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\ + --with-share-dir=%{_datadir}/%{name} \\\ --with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\ --enable-sha2 --disable-gost --enable-ecdsa \\\ - --with-rootkey-file=%{_sharedstatedir}/unbound/root.key \\\ + --with-rootkey-file=%{_sharedstatedir}/%{name}/root.key \\\ + --with-username=unbound \\\ --enable-linux-ip-local-port-range \\\ + --with-dynlibmodule \\\ +# +# always regenerate configure +rm -f config.h.in aclocal.m4 configure ltmain.sh +rm -f {ax_pthread,ax_swig_python}.m4 +cp -p %{_datadir}/aclocal/{ax_pthread,ax_swig_python}.m4 . +# ensure bison is used to generate fresh parser +rm -f util/configparser.{c,h} util/configlexer.c -pushd %{dir_primary} +autoreconf -fiv %configure \ %if 0%{?python_primary:1} @@ -247,20 +294,18 @@ pushd %{dir_primary} %if %{with doh} --with-libnghttp2 \ %endif -%if 0%{?rhel} - --disable-sha1 \ -%endif %if %{with redis} --with-libhiredis \ --enable-cachedb \ +%endif +%if %{with ngtcp2} + --with-libngtcp2 \ %endif %{configure_args} %make_build %make_build streamtcp -popd - %if 0%{?python_secondary:1} pushd %{dir_secondary} %configure \ @@ -270,6 +315,9 @@ pushd %{dir_secondary} %endif %if %{with systemd} --enable-systemd \ +%endif +%if %{with ngtcp2} + --with-libngtcp2 \ %endif %{configure_args} 
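Review bot: `--disable-sha1` is removed from the RHEL configure branch (the `-247,20` hunk), so RSASHA1 / RSASHA1-NSEC3-SHA1 validation is compiled back in on RHEL, and the test suite is then made to pass by exporting `OPENSSL_CONF=.../openssl-sha1.conf` in %check (hunk at L84); the same file is also installed into `%{_sysconfdir}/unbound` (hunks at L83 and L84) where nothing visible references it. If it exists only for %check it should stay in the build tree; if it is an administrator opt-in to re-enable SHA-1 signature verification against the system crypto policy, state that at the install line, e.g. `# openssl-sha1.conf: opt-in OPENSSL_CONF that re-enables SHA-1 DNSSEC validation; used by %%check, not by unbound.service`. The switch to regenerating `configure` with `autoreconf -fiv` instead of trusting the shipped script is a welcome supply-chain hardening and deserves a comment saying that is the intent rather than only "always regenerate configure".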
@@ -288,20 +336,18 @@ pushd %{dir_secondary} popd %endif -pushd %{dir_primary} %make_install unbound-event-install install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp -popd +install -p -m 0644 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf install -d -m 0755 %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service install -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/unbound-keygen.service install -p -m 0644 %{SOURCE15} %{buildroot}%{_unitdir}/unbound-anchor.timer install -p -m 0644 %{SOURCE17} %{buildroot}%{_unitdir}/unbound-anchor.service -install -p -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound install -p -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/unbound install -p -m 0644 %{SOURCE14} %{buildroot}%{_sysconfdir}/sysconfig/unbound -install -p -D -m 0644 %{SOURCE20} %{buildroot}%{_sysusersdir}/%{name}.sysusers +install -p -D -m 0644 %{SOURCE20} %{buildroot}%{_sysusersdir}/%{name}.conf %if %{with_munin} # Install munin plugin and its softlinks install -d -m 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d 
@@ -313,25 +359,21 @@ for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unboun done %endif -pushd %{dir_primary} # install streamtcp man page -install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1 -install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc -popd +install -p -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1 +install -p -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc # Install tmpfiles.d config install -d -m 0755 %{buildroot}%{_tmpfilesdir} %{buildroot}%{_sharedstatedir}/unbound -install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf +install -p -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf +install -p -m 0644 %{SOURCE30} %{buildroot}%{_tmpfilesdir}/unbound-libs.conf # install root - we keep a copy of the root key in old location, # in case user has changed the configuration and we wouldn't update it there -install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/ -install -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/unbound/dnssec-root.key -# make initial key static -pushd %{buildroot}%{_sharedstatedir}/unbound - KEYPATH=$(realpath --relative-to="%{buildroot}%{_sharedstatedir}/unbound" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key") - ln -s "$KEYPATH" root.key -popd +sh %{SOURCE5} root.key +install -m 0644 root.key %{buildroot}%{_sysconfdir}/unbound/ +ln -sr "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key" "%{buildroot}%{_sharedstatedir}/unbound/root.key" +ln -sr "%{buildroot}%{_datadir}/dns-root-data/root.key" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key" # remove static library from install (fedora packaging guidelines) rm %{buildroot}%{_libdir}/*.la 
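Review bot: After this hunk `%{_sharedstatedir}/unbound/root.key` is a symlink to `%{_sysconfdir}/unbound/dnssec-root.key`, which is itself a symlink into `%{_datadir}/dns-root-data/root.key`, a package-owned file the `unbound` user cannot write. The `%verify(not link ...)` entry at L85 shows the link is expected to be replaced by whatever maintains the RFC 5011 anchor (unbound's auto-trust-anchor-file handling or unbound-anchor); that works only if the updater creates a new file and renames it over the link rather than opening the path for writing, which I cannot confirm from the spec. Add a comment stating that assumption at the `ln -sr` lines, e.g. `# root.key is a link chain into dns-root-data; the 5011 updater must replace the link, not write through it`, and verify it against the updater's behaviour. The `ln -sr` relative targets are computed inside the buildroot and both ends live inside it, so they resolve correctly after install.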
@@ -350,16 +392,27 @@ mkdir -p %{buildroot}%{_rundir}/unbound # Install directories for easier config file drop in mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d} -install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/ -install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/ -install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/ +install -p -m 0644 %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/ +install -p -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/ +install -p -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/ +install -p -m 0644 %{SOURCE26} %{buildroot}%{_sysconfdir}/unbound/conf.d/remote-control.conf +install -p -m 0644 %{SOURCE25} %{buildroot}%{_sysconfdir}/unbound/openssl-sha1.conf + +mkdir -p %{buildroot}%{_datadir}/%{name}/conf.d +install -p -m 0644 %{SOURCE21} %{buildroot}%{_datadir}/%{name}/conf.d/ +install -p -m 0644 %{SOURCE23} %{buildroot}%{_datadir}/%{name}/conf.d/ +install -p -m 0644 %{SOURCE24} %{buildroot}%{_datadir}/%{name}/conf.d/ +install -p -m 0644 %{SOURCE27} %{buildroot}%{_datadir}/%{name}/ # Link unbound-control-setup.8 manpage to unbound-control.8 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8 +# install dracut module +mkdir -p %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound + +install -p -m 0755 %{SOURCE28} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound +install -p -m 0644 %{SOURCE29} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound -%pre libs -%sysusers_create_compat %{SOURCE20} %post %systemd_post unbound.service 
@@ -387,21 +440,19 @@ fi %postun anchor %systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer +%triggerun -- unbound < 1.23.1-4 +if [ "$(stat -c '%%a %%G' %{_sysconfdir}/%{name}/unbound_control.key 2>/dev/null)" = '600 unbound' ]; then + # change permissions of existing key just once, where it were generated with wrong perms + %{_bindir}/chmod g+r "%{_sysconfdir}/%{name}/unbound_control.key" || : +fi + + %check -pushd %{dir_primary} -#pushd pythonmod -#make test -#popd - +export OPENSSL_CONF="%{buildroot}%{_sysconfdir}/unbound/openssl-sha1.conf" make check -popd - %if 0%{?python_secondary:1} pushd %{dir_secondary} -#pushd pythonmod -#make test -#popd make check popd %endif @@ -411,9 +462,10 @@ popd %doc doc/CREDITS doc/FEATURES %{_unitdir}/%{name}.service %{_unitdir}/%{name}-keygen.service -%attr(0755,unbound,unbound) %dir %{_rundir}/%{name} +%attr(0775,unbound,root) %dir %{_rundir}/%{name} %attr(0644,root,root) %{_tmpfilesdir}/unbound.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/openssl-sha1.conf %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d %attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d/*.key %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/conf.d @@ -423,11 +475,12 @@ popd %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.pem %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.key %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.pem -%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key +%ghost %attr(0600,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key %{_sbindir}/unbound %{_sbindir}/unbound-checkconf %{_sbindir}/unbound-control %{_sbindir}/unbound-control-setup +%{_datadir}/%{name}/ %{_mandir}/man5/* %exclude %{_mandir}/man8/unbound-anchor* %{_mandir}/man8/* 
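Review bot: `unbound_server.key` goes from 0640 root:unbound to 0600, so the daemon (running as `unbound` via `--with-username=unbound` in the %build hunk at L80) can read it only while still root; that is fine if the remote-control TLS context is built before privileges are dropped and is not re-read on `unbound-control reload`, which I could not verify from the spec. Please check both paths and note the result next to the `%ghost` line, e.g. `# 0600: read once by root before setuid; clients use unbound_control.key (0640)`. The `%triggerun -- unbound < 1.23.1-4` fix-up of the control key is fine as written; the `%{_rundir}/%{name}` change to `0775 unbound:root` should be mirrored in the tmpfiles snippet (`SOURCE8`, not in this diff) or systemd-tmpfiles will reset the directory at boot.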
@@ -466,13 +519,14 @@ popd %doc doc/README %license doc/LICENSE %attr(0755,root,root) %dir %{_sysconfdir}/%{name} -%{_sysusersdir}/%{name}.sysusers +%{_sysusersdir}/%{name}.conf %{_libdir}/libunbound.so.8* %dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name} -%verify(not size mtime filedigest link mode user group) %{_sharedstatedir}/%{name}/root.key +%config %verify(not link owner group size mtime mode md5) %{_sharedstatedir}/%{name}/root.key # just left for backwards compat with user changed unbound.conf files - format is different! -%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key -%attr(0644,root,root) %config %{_sysconfdir}/%{name}/dnssec-root.key +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-root.key +%attr(0644,root,root) %{_tmpfilesdir}/unbound-libs.conf %files anchor %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name} 
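Review bot: `%config(noreplace)` is re-added to `%{_sysconfdir}/%{name}/root.key` and `dnssec-root.key`, which reverses the decision recorded in the 1.6.4-4 changelog entry being deleted below (`Remove noreplace for root key files. We can only improve these files over local copies`): a host whose admin once edited the legacy `/etc/unbound/root.key` will now keep that copy across future root KSK rollovers instead of receiving the package's current anchor. If a stale anchor in that legacy file is acceptable because supported configs point at `%{_sharedstatedir}`, say so in the comment above these lines; otherwise drop `(noreplace)` again. `dnssec-root.key` is now a symlink into dns-root-data, so `%config(noreplace)` on it is close to a no-op but deserves the same one-line explanation.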
@@ -489,906 +543,8 @@ popd %{_sbindir}/unbound-streamtcp %{_mandir}/man1/unbound-* +%files dracut +%{_prefix}/lib/dracut/modules.d/99unbound + %changelog -* Fri Sep 01 2023 Petr Menšík - 1.18.0-1 -- Update to 1.18.0 (#2236097) - -* Fri Jan 13 2023 Paul Wouters - 1.17.0-2 -- Move unbound user creation to libs (#2149036) -- Use systemd-sysusers for user creation (#2105416) -- Keep original DNSSEC root key as config (#2132103) - -* Tue Nov 01 2022 Petr Menšík - 1.17.0-1 -- Update to 1.17.0 (#2134348) - -* Wed Oct 05 2022 Petr Menšík - 1.16.3-3 -- Correct issues made by unbound-anchor package split (#2110858) - -* Fri Sep 30 2022 Petr Menšík - 1.16.3-2 -- Update License tag to SPDX identifier - -* Fri Sep 23 2022 Petr Menšík - 1.16.3-1 -- Update to 1.16.3 (#2128638) - -* Tue Aug 09 2022 Paul Wouters - 1.16.2-3 -- sync up to upstream unbound.conf -- Enable Extended DNS Error codes (RFC8914) - -* Tue Aug 09 2022 Petr Menšík - 1.16.2-2 -- Require openssl tool for unbound-keygen (#2116790) - -* Wed Aug 03 2022 Petr Menšík - 1.16.2-1 -- Update to 1.16.2 (#2105947) for CVE-2022-30698 and CVE-2022-30699 - -* Sat Jul 23 2022 Fedora Release Engineering - 1.16.0-7 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild - -* Mon Jun 27 2022 Petr Menšík - 1.16.0-6 -- Move unbound-anchor to separate package -- Move unbound-host and unbound-streamtcp to unbound-utils package - -* Mon Jun 13 2022 Python Maint - 1.16.0-5 -- Rebuilt for Python 3.11 - -* Tue Jun 07 2022 Petr Menšík - 1.16.0-4 -- Restart keygen service before every unbound start - -* Sat Jun 04 2022 Petr Menšík - 1.16.0-1 -- Update to 1.16.0 - -* Tue Apr 26 2022 Petr Menšík - 1.15.0-3 -- Stop creating wrong devel manual pages (#2078929) - -* Wed Apr 20 2022 Petr Menšík - 1.15.0-2 -- Update icannbundle.pem - -* Tue Mar 29 2022 Petr Menšík - 1.15.0-1 -- Update to 1.15.0 (#2030608) - -* Sat Jan 22 2022 Fedora Release Engineering - 1.13.2-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - 
-* Sat Nov 06 2021 Adrian Reber - 1.13.2-4 -- Rebuilt for protobuf 3.19.0 - -* Mon Oct 25 2021 Adrian Reber - 1.13.2-3 -- Rebuilt for protobuf 3.18.1 - -* Tue Sep 14 2021 Sahana Prasad - 1.13.2-2 -- Rebuilt with OpenSSL 3.0.0 - -* Thu Aug 12 2021 Paul Wouters - 1.13.2-1 -- Resolves: rhbz#1992985 unbound-1.13.2 is available -- Use system-wide crypto policies - -* Fri Jul 23 2021 Fedora Release Engineering - 1.13.1-8 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - -* Wed Jun 02 2021 Python Maint - 1.13.1-7 -- Rebuilt for Python 3.10 - -* Fri Apr 23 2021 Artem Egorenkov - 1.13.1-6 -- Option --enable-linux-ip-local-port-range added to use system configured port range for libunbound on Linux -- Resolves: rhbz#1935101 - -* Tue Apr 13 2021 Paul Wouters - 1.13.1-5 -- Fix unbound.service to use After=network-online.target - -* Tue Apr 06 2021 Artem Egorenkov - 1.13.1-4 -- Don't start unbound-anchor before unbound service if DISABLE_UNBOUND_ANCHOR - environment variable equals to "yes" - -* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 1.13.1-3 -- Rebuilt for updated systemd-rpm-macros - See https://pagure.io/fesco/issue/2583. - -* Mon Feb 15 2021 Victor Stinner - 1.13.1-2 -- Fix build on Python 3.10 (rhbz#1889726). 
- -* Wed Feb 10 2021 Paul Wouters - 1.13.1-1 -- Resolves rhbz#1860887 unbound-1.13.1 is available -- Fixup unbound.conf - -* Wed Jan 27 2021 Fedora Release Engineering - 1.13.0-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - -* Thu Dec 10 2020 Petr Menšík - 1.13.0-1 -- Update to 1.13.0 - -* Tue Oct 13 2020 Petr Menšík - 1.12.0-1 -- Update to 1.12.0 (#1860887) - -* Tue Sep 15 2020 Petr Menšík - 1.10.1-5 -- Move command line tools to utils subpackage - -* Wed Jul 29 2020 Fedora Release Engineering - 1.10.1-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Tue Jul 14 2020 Tom Stellard - 1.10.1-3 -- Use make macros -- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro - -* Fri May 22 2020 Miro Hrončok - 1.10.1-2 -- Rebuilt for Python 3.9 - -* Tue May 19 2020 Paul Wouters - 1.10.1-1 -- Resolves: rhbz#1837279 unbound-1.10.1 is available -- Resolves: rhbz#1837598 CVE-2020-12662 unbound: insufficient control of network message volume leads to DoS -- Resolves: rhbz#1837609 CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers -- Updated unbound.conf for new options in 1.10.1 - -* Wed Apr 29 2020 Paul Wouters - 1.10.0-3 -- Resolves: rhbz#1667742 SELinux is preventing unbound from 'name_bind' accesses on the udp_socket port 61000. 
- -* Thu Apr 16 2020 Artem Egorenkov - 1.10.0-2 -- Resolves: rhbz#1824536 unbound crash - -* Thu Mar 19 2020 Petr Menšík - 1.10.0-1 -- Update to 1.10.0 (#1805199) - -* Fri Jan 31 2020 Fedora Release Engineering - 1.9.6-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Fri Dec 13 2019 Paul Wouters - 1.9.6-1 -- Resolves: rhbz#1758107 unbound-1.9.5 is available -- Resolves: CVE-2019-18934 - -* Fri Nov 01 2019 Paul Wouters - 1.9.4-1 -- Fix build on rhel/centos systems -- Resolves: rhbz#1767955 (CVE-2019-16866) uninitialized memory accesses leads to crash via a crafted NOTIFY query - -* Thu Sep 26 2019 Petr Menšík - 1.9.3-2 -- Obsolete no longer provided python2 subpackage (#1749400) - -* Tue Aug 27 2019 Paul Wouters - 1.9.3-1 -- Updated to 1.9.3 -- Resolves: rhbz#1672578 unbound-1.9.2 is available -- Resolves: rhbz#1694831 [/usr/lib/tmpfiles.d/unbound.conf:1] Line references path below legacy directory /var/run/ -- Resolves: rhbz# 1667387 [abrt] unbound: memmove(): unbound killed by SIGABRT - -* Thu Aug 22 2019 Miro Hrončok - 1.8.3-8 -- Subpackage python2-unbound has been removed - See https://fedoraproject.org/wiki/Changes/Mass_Python_2_Package_Removal - -* Thu Aug 15 2019 Miro Hrončok - 1.8.3-7 -- Rebuilt for Python 3.8 - -* Mon Aug 5 2019 Zbigniew Jędrzejewski-Szmek - 1.8.3-6 -- Drop install-time requirements on systemd (#1723777) - -* Sat Jul 27 2019 Fedora Release Engineering - 1.8.3-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - -* Sun Feb 03 2019 Fedora Release Engineering - 1.8.3-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - -* Fri Jan 11 2019 Paul Wouters - 1.8.3-3 -- Remove KSK-2010 from configs - it has been revoked - -* Wed Dec 12 2018 Paul Wouters - 1.8.3-2 -- Another dns64 fixup - -* Wed Dec 12 2018 Paul Wouters - 1.8.3-1 -- Updated to 1.8.3 with fixes the dns64 bug and has some other minor fixes - -* Mon Dec 10 2018 Paul Wouters - 1.8.2-2 -- Fix dns64 allocation in wrong 
region for returned internal queries. - -* Tue Dec 04 2018 Paul Wouters - 1.8.2-1 -- Updated to 1.8.2. -- Enabled deny ANY query support and edns-tcp-keepalive -- Set serve-stale timeout to 4h -- Updated unbound.conf for latest options - -* Mon Oct 22 2018 Petr Menšík - 1.8.1-2 -- Allow group by default to unbound-control (#1640259) - -* Mon Oct 08 2018 Petr Menšík - 1.8.1-1 -- Update to 1.8.1 - -* Mon Oct 01 2018 Petr Menšík - 1.8.0-2 -- Skip ipv6 forwarders without ipv6 support (#1633874) - -* Wed Sep 19 2018 Petr Menšík - 1.8.0-1 -- Rebase to 1.8.0 - -* Tue Aug 14 2018 Paul Wouters - 1.7.3-9 -- Fix for restarting unbound service after deleting key/pem files for remote control - -* Tue Jul 31 2018 Petr Menšík - 1.7.3-8 -- Release memory in unbound-host - -* Mon Jul 23 2018 Petr Menšík - 1.7.3-7 -- Remove unused Group tag - -* Wed Jul 18 2018 Petr Menšík - 1.7.3-6 -- Cleanup generated client and server keys (#1601773) - -* Sat Jul 14 2018 Fedora Release Engineering - 1.7.3-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - -* Mon Jul 09 2018 Petr Menšík - 1.7.3-4 -- Do not call ldconfig if possible - -* Wed Jul 04 2018 Petr Menšík - 1.7.3-3 -- Update trust anchors also behind firewall (#1598078) - -* Mon Jul 02 2018 Miro Hrončok - 1.7.3-2 -- Rebuilt for Python 3.7 - -* Wed Jun 27 2018 Petr Menšík - 1.7.3-1 -- Update to 1.7.3 (#1593708) - -* Wed Jun 27 2018 Petr Menšík - 1.7.2-3 -- Remove last python2 dependency from python3 build - -* Tue Jun 19 2018 Miro Hrončok - 1.7.2-2 -- Rebuilt for Python 3.7 - -* Mon Jun 11 2018 Paul Wouters - 1.7.2-1 -- Resolves rhbz#1589807 unbound-1.7.2 is available -- Add patch to fix stub/forward zone not returning ServFail when TTL expires -- Enabled the new root-key-sentinel option - -* Wed May 30 2018 Petr Menšík - 1.7.1-1 -- Update to 1.7.1 (#1574495) - -* Mon Apr 09 2018 Petr Menšík - 1.7.0-5 -- Require gcc and make on build -- Remove group, simplify systemd requires -- Simplify building with single python 
version, make python3 primary - -* Mon Apr 09 2018 Paul Wouters - 1.7.0-4 -- Patch for prefetching after flushing cache - -* Fri Apr 06 2018 Paul Wouters - 1.7.0-3 -- Patch for referral with auth-zone: response - - -* Wed Mar 21 2018 Paul Wouters - 1.7.0-2 -- Patch for broken Aggressive NSEC + stub-zone configuration causing NXDOMAIN at TTL expiry - -* Thu Mar 15 2018 Paul Wouters - 1.7.0-1 -- Updated to 1.7.0 (aggressive nsec, local root support, bugfixes) - -* Thu Feb 22 2018 Petr Menšík - 1.6.8-6 -- Uncomment again original max-upd-size - -* Wed Feb 21 2018 Petr Menšík - 1.6.8-5 -- Use default RPM build flags and configure parameters (#1539097) - -* Wed Feb 21 2018 Petr Menšík - 1.6.8-4 -- Remove group writable bit from some config files (#1528445) - -* Wed Feb 14 2018 Filipe Rosset - 1.6.8-3 -- rebuilt due new libevent 2.1.8 - -* Fri Feb 09 2018 Igor Gnatenko - 1.6.8-2 -- Escape macros in %%changelog - -* Mon Jan 22 2018 Paul Wouters - 1.6.8-1 -- Resolves rhbz#1483572 unbound-1.6.8 is available -- Resolves rhbz#1507049 CVE-2017-15105 unbound: Improper validation of wildcard synthesized NSEC records -- Resolves rhbz#1536518 CVE-2017-15105 unbound: Improper validation of wildcard synthesized NSEC records [fedora-all] - -* Sun Dec 17 2017 Zbigniew Jędrzejewski-Szmek - 1.6.7-2 -- Python 2 binary package renamed to python2-unbound - See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3 - -* Thu Oct 12 2017 Paul Wouters - 1.6.7-1 -- Updated to 1.6.7 (minor bugfixes) - -* Tue Oct 03 2017 Petr Menšík - 1.6.6-3 -- Update icannbundle.pem - -* Mon Oct 02 2017 Paul Wouters - 1.6.6-2 -- Enable RFC 8145 Trust Anchor Signaling to help the root zone get keytag statistics - -* Fri Sep 22 2017 Paul Wouters - 1.6.6-1 -- Resolves: rhbz#1483572 unbound-1.6.6 is available -- Resolves: rhbz#1465575 unbound fails to start up, complains about missing ipsecmod-hook (edit) - -* Wed Aug 16 2017 Paul Wouters - 1.6.4-4 -- Rebuilt with KSK2017 added to root.key and root.anchor 
-- Remove noreplace for root key files. We can only improve these files over local copies - -* Thu Aug 03 2017 Fedora Release Engineering - 1.6.4-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - -* Thu Jul 27 2017 Fedora Release Engineering - 1.6.4-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild - -* Sun Jul 02 2017 Paul Wouters - 1.6.4-1 -- Updated to 1.6.4 full release, patch to allow missing ipsechook -- Resolves rhbz#1465575 unbound fails to start up, complains about missing ipsecmod-hook - -* Thu Jun 22 2017 Paul Wouters - 1.6.4-0.rc2 -- Update to 1.6.4 (esubnet, ipsecmod support, bugfixes) - -* Tue Jun 13 2017 Paul Wouters - 1.6.3-1 -- Updated to 1.6.3 (fixes assertion failure when receiving malformed packet with 0x20 enabled) - -* Thu Jun 08 2017 Paul Wouters - 1.6.2-2 -- Patch for cmd: unbound-control set_option val-permissive-mode: yes - -* Wed Apr 26 2017 Paul Wouters - 1.6.2-1 -- Update to 1.6.2 (rhbz#1425649) -- Updated unbound.conf with new options - -* Wed Mar 22 2017 Paul Wouters - 1.6.0-6 -- Call make unbound-event-install to install unbound-event.h - -* Sat Feb 11 2017 Fedora Release Engineering - 1.6.0-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - -* Wed Jan 18 2017 Paul Wouters - 1.6.0-4 -- Remove obsoleted DLV key - -* Mon Jan 02 2017 Paul Wouters - 1.6.0-3 -- Actually remove dependency because minimum is always satisfied - -* Mon Jan 02 2017 Paul Wouters - 1.6.0-2 -- Depend on openssl-libs, not opensl - -* Wed Dec 21 2016 Kevin Fenzi - 1.6.0-1 -- Update to 1.6.0 - -* Mon Dec 19 2016 Miro Hrončok - 1.5.10-3 -- Rebuild for Python 3.6 - -* Wed Oct 26 2016 Ilya Evseev - 1.5.10-2 -- Bugfix building without python2 and python3 -- Fixup streamtcp build (Paul) - -* Tue Sep 27 2016 Paul Wouters - 1.5.10-1 -- Updated to 1.5.10 (better TCP handling, bugfixes) -- Install pkgconfig file in -devel package -- Updated unbound.conf - -* Tue Jul 19 2016 Fedora Release Engineering 
- 1.5.9-4 -- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages - -* Thu Jul 07 2016 Paul Wouters - 1.5.9-3 -- Fix upper port range to 60999 because that's what selinux allows - -* Thu Jun 16 2016 Paul Wouters - 1.5.9-2 -- Patch for allowing more queries before failure (needed for query minimalization) - -* Mon Jun 13 2016 Paul Wouters - 1.5.9-1 -- Updated to 1.5.9 - -* Thu Apr 21 2016 Toshio Kuratomi - 1.5.8-2 -- Fix streamtcp to link against libpython3.x instead of libpython2.x - -* Wed Mar 02 2016 Paul Wouters - 1.5.8-1 -- Update to 1.5.8 (rhbz#1313831) which incorporates rhbz#1294339 patch -- Updated unbound.conf with new upstream options -- Enabled ip-transparent: yes (see rhbz#1291449) - -* Fri Feb 05 2016 Fedora Release Engineering - 1.5.7-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - -* Thu Jan 21 2016 Tomas Hozza - 1.5.7-2 -- Fix escaping of shell chars in unbound-control-setup (#1294339) - -* Fri Dec 11 2015 Paul Wouters - 1.5.7-1 -- Update to 1.5.7 -- Enable query minimalization for enhanced DNS query privacy -- Enable nxdomain hardening to assist with query minimalization and SBLs -- Updated default unbound.conf for new features from upstream. 
- -* Fri Nov 13 2015 Tomas Hozza - 1.5.6-1 -- Update to 1.5.6 (#1176729) - -* Wed Nov 04 2015 Robert Kuska - 1.5.5-2 -- Rebuilt for Python3.5 rebuild - -* Wed Oct 07 2015 Tomas Hozza - 1.5.5-1 -- New upstream release 1.5.5 (#1269137) -- Removed the anchor update from %%post section of -libs subpackage (#1269137#c2) - -* Tue Sep 15 2015 Tomas Hozza - 1.5.4-5 -- Removed dependency and ordering on unbound-anchor.service in unbound.service - -* Thu Sep 03 2015 Tomas Hozza - 1.5.4-4 -- Prefer Python3 build over Python2 build for now (#1254566) - -* Mon Jul 20 2015 Tomas Hozza - 1.5.4-3 -- Added ExecReload section to unbound.service (#1195785) -- Removed After syslog.target since it is not needed any more - -* Thu Jul 16 2015 Tomas Hozza - 1.5.4-2 -- Start unbound-anchor.timer only on new installations -- Rename root.anchor to root.key in %%post section - -* Tue Jul 14 2015 Paul Wouters - 1.5.4-1 -- Update to 1.5.4 -- Removed patches merged into upstream - -* Tue Jun 16 2015 Tomas Hozza - 1.5.3-8 -- Revert: Use low maximum negative cache TTL (5 sec) (#1229596) - -* Mon Jun 15 2015 Tomas Hozza - 1.5.3-7 -- Add option for maximum negative cache TTL (#1229599) -- Use low maximum negative cache TTL (5 sec) (#1229596) - -* Tue May 26 2015 Tomas Hozza - 1.5.3-6 -- Removed usage of DLV from the default configuration (#1223363) - -* Wed May 13 2015 Tomas Hozza - 1.5.3-5 -- unbound.service now Wants unbound-anchor.timer -- unbound-anchor man page moved to the unbound-libs - -* Mon May 11 2015 Paul Wouters - 1.5.3-4 -- Fixup scriptlets causing systemctl: command not found -- Resolves rhbz#1219587 Error in PREIN scriptlet in rpm package unbound-libs - -* Mon Apr 27 2015 Tomas Hozza - 1.5.3-3 -- migrate cronjob to systemd timer unit (#1177285) -- change the period for unbound-anchor from monthly to daily (#1180267) -- Thanks to Tomasz Torcz for the initial patch - -* Thu Apr 16 2015 Tomas Hozza - 1.5.3-2 -- Fix FTBFS (#1206129) -- Build python3-unbound and python-unbound bindings 
for Python 3 and 2 (#1188080) - -* Mon Mar 16 2015 Paul Wouters - 1.5.3-1 -- Updated to 1.5.3 which is a bugfix on 1.5.2 for sighup handling -- Updated to 1.5.2 which fixes DNSSEC validation with different - trust anchors upstream, local-zone has a new keyword 'inform' - -* Mon Feb 02 2015 Paul Wouters - 1.5.1-4 -- Build with --enable-ecdsa - -* Sun Feb 01 2015 Paul Wouters - 1.5.1-3 -- Fix post to create root.anchor, not root.key, to match cron job - -* Tue Dec 09 2014 Paul Wouters - 1.5.1-2 -- Change systemd-units to systemd -- Use _tmpfilesdir macro, don't mark tmpfiles as config - -* Tue Dec 09 2014 Paul Wouters - 1.5.1-1 -- Update to 1.5.1 for CVE-2014-8602 (rhbz#1172066) -- Removed unbound-aarch64.patch which was merged upstream -- Don't require autotools for non snapshots or run autoreconf - -* Fri Nov 28 2014 Tomas Hozza - 1.5.1-0.1.rc1 -- update to 1.5.1rc1 - -* Fri Nov 28 2014 Marcin Juszkiewicz - 1.5.0-3 -- fix build on aarch64 - -* Wed Nov 26 2014 Tomas Hozza - 1.5.0-2 -- Fix race condition in arc4random (#1166878) - -* Wed Nov 19 2014 Tomas Hozza - 1.5.0-1 -- update to 1.5.0 - -* Wed Sep 24 2014 Pavel Šimerda - 1.4.22-6 -- Resolves: #1115489 - build with python 3.x for fedora >= 22 - -* Thu Aug 21 2014 Kevin Fenzi - 1.4.22-5 -- Rebuild for rpm bug 1131960 - -* Mon Aug 18 2014 Fedora Release Engineering - 1.4.22-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild - -* Sun Jun 08 2014 Fedora Release Engineering - 1.4.22-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild - -* Thu May 01 2014 Paul Wouters - 1.4.22-2 -- Added flushcache patch (SVN commit 3125) - -* Thu Mar 13 2014 Paul Wouters - 1.4.22-1 -- Updated to 1.4.22 -- No longer requires the ldns library - -* Thu Jan 16 2014 Tomas Hozza - 1.4.21-3 -- Fix segfault on adding insecure forward zone when using only iterator (#1054192) - -* Mon Oct 21 2013 Tomas Hozza - 1.4.21-2 -- run test suite during the build - -* Thu Sep 19 2013 Paul Wouters - 1.4.21-1 -- 
Updated to 1.4.21, -- Enabled new max-udp-size: 3072 (so ANY isc.org won't fit) -- Removed patched merged in by upstream -- Enable statistics-cumulative for munin-plugin -- Added outgoing-port-avoid: 0-32767 conformant to SElinux restrictions -- Updated unbound.conf - -* Mon Aug 26 2013 Tomas Hozza - 1.4.20-19 -- Fix errors found by static analysis of source - -* Mon Aug 12 2013 Paul Wouters - 1.4.20-18 -- Change unbound.conf to only use ephemeral ports (32768-65535) - -* Sun Aug 04 2013 Fedora Release Engineering - 1.4.20-17 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild - -* Mon Jul 22 2013 Tomas Hozza - 1.4.20-16 -- provide man page for unbound-streamtcp - -* Mon Jul 08 2013 Paul Wouters - 1.4.20-15 -- Re-introduce hardening flags for full relro and pie -- Fixes compilation failure for python module - -* Wed Jul 03 2013 Tomas Hozza - 1.4.20-14 -- remove missing unbound-rootkey.service from post/preun/postun sections -- don't hardcode hardening flags, let hardened build macro handles it - -* Sat Jun 01 2013 Paul Wouters - 1.4.20-13 -- Run unbound-anchor as user unbound in unbound.service - -* Tue May 28 2013 Paul Wouters - 1.4.20-12 -- Enable round-robin (with noths() patch) -- Change cron and systemd service to use root.key, not root.anchor - -* Sat May 25 2013 Paul Wouters - 1.4.20-10 -- Use /var/lib/unbound/root.key (more consistent with other distros) -- Enable minimal responses - -* Mon Apr 22 2013 Paul Wouters - 1.4.20-8 -- Refix - -* Fri Apr 19 2013 Paul Wouters - 1.4.20-7 -- Fix runuser call in post. - -* Tue Apr 16 2013 Paul Wouters - 1.4.20-6 -- /var/lib/unbound should be owned by unbound. 
group write is not enough - -* Fri Apr 12 2013 Paul Wouters - 1.4.20-5 -- Fix cron job syntax (rhbz#951725) -- Use install -p to prevent .rpmnew files that are identical to originals - -* Mon Apr 8 2013 Paul Wouters - 1.4.20-4 -- Updated to 1.4.20 -- Build with full RELRO (not use -z,relro but with -z,relo,-z,now) -- Fixup man page for unbound-control-setup -- unbound.service should start before nss-lookup.target (rhbz#919955) -- Removed patch for rhbz#888759 merged in upstream -- Move root.anchor to /var/lib/unbound to make selinux policy easier for updating (rhbz#896599/rhbz#891008) -- Move cronjob for root.anchor from unbound to unbound-libs, require crontabs -- /etc/unbound (and all) should be owned by unbound-libs (rhbz#909691) -- Remove Obsolete/Provides for dnssec-conf which was last seen in f13 -- Ensure any unbound-anchor failure in post is ignored - -* Tue Mar 05 2013 Adam Tkac - 1.4.19-5 -- build with full RELRO -- symlink unbound-control-setup.8 manpage to unbound-control.8 - -* Fri Feb 15 2013 Fedora Release Engineering - 1.4.19-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild - -* Wed Dec 12 2012 Paul Wouters - 1.4.19-3 -- Updated to 1.4.19 - this integrates all existing patches -- Patch for unbound-anchor (rhbz#888759) - -* Fri Nov 09 2012 Paul Wouters - 1.4.18-6 -- Patch to ensure stube-zone's aren't lost when using dnssec-triggerd -- added unbound-munin.README file - -* Wed Sep 26 2012 Paul Wouters - 1.4.18-5 -- Patch to allow wildcards in include: statements -- Add directories /etc/unbound/keys.d,conf.d,local.d with - example entries -- Added /etc/unbound/root.anchor, maintained by unbound-anchor - which is installed as monthly cron and PreExec in systemd config - (root.key is unused, but left installed in case people depend on it) -- Native systemd (simple) and /etc/sysconfig/unbound support -- Run unbound-checkconf in PreExec -- Moved trust anchor related files to unbound-libs, as they can - be used without the daemon. 
-- sub packages now depends on base package of same arch -- Build munin package as noarch -- unbound-anchor moved to unbound-libs package. It is needed - to update the root.anchor key file. - -* Tue Sep 04 2012 Paul Wouters - 1.4.18-3 -- Fix openssl thread locking bug under high query load - -* Thu Aug 23 2012 Paul Wouters - 1.4.18-2 -- Use new systemd-rpm macros (rhbz#850351) -- Clean up old obsoleted dnssec-conf from < fedora 15 - -* Fri Aug 03 2012 Paul Wouters - 1.4.18-1 -- Updated to 1.4.18 (FIPS related fixes mostly) -- Removed patches that were merged in upstream -- Added comment to root.key - -* Mon Jul 23 2012 Paul Wouters - 1.4.17-5 -- Fix for unbound crasher (upstream bug #452) -- Support libunbound functions in man pages and place in -devel - -* Sun Jul 22 2012 Fedora Release Engineering - 1.4.17-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild - -* Tue Jul 03 2012 Paul Wouters - 1.4.17-3 -- unbound FIPS patches for MD5,randomness (rhbz#835106) - -* Fri Jun 15 2012 Adam Tkac - 1.4.17-2 -- don't build unbound-munin on RHEL - -* Thu May 24 2012 Paul Wouters - 1.4.17-1 -- Updated to 1.4.17 (which mostly brings in patches we already - applied from svn trunk) - -* Wed Feb 29 2012 Paul Wouters - 1.4.16-3 -- Since the daemon links to the libs staticly, add Requires: - (this is rhbz#745288) -- Package up streamtcp as unbound-streamtcp (for monitoring) - -* Mon Feb 27 2012 Paul Wouters - 1.4.16-2 -- Don't ghost the directory (rhbz#788805) -- Patch for unbound to support unbound-control forward_zone - (needed for openswan in XAUTH mode) - -* Thu Feb 02 2012 Paul Wouters - 1.4.16-1 -- Upgraded to 1.4.16, which was relesed due to the soname - and some DNSSEC validation failures - -* Wed Feb 01 2012 Paul Wouters - 1.4.15-2 -- Patch for SONAME version (libtool's -version-number vs -version-info) - -* Fri Jan 27 2012 Paul Wouters - 1.4.15-1 -- Upgraded to 1.4.15 -- Updated unbound.conf to show how to configure listening on tls443 - -* Sat Jan 14 
2012 Fedora Release Engineering - 1.4.14-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild - -* Mon Dec 19 2011 Paul Wouters - 1.4.14-1 -- Upgraded to 1.4.14 for CVE-2011-4528 / VU#209659 -- SSL-wrapped query support for dnssec-trigger -- EDNS handling changes -- Removed integrated EDNS patches -- Disabled use-caps-for-id, GoDaddy domains now break on it -- Enabled new harden-below-nxdomain - -* Thu Sep 15 2011 Paul Wouters - 1.4.13-1 -- Upgraded to 1.4.13 -- Removed merged in pythonmod patch -- Added EDNS1480 patch to fix unbound on broken EDNS/UDP networks -- Fix python to go into sitearch instead of sitelib - -* Wed Sep 14 2011 Tom Callaway - 1.4.12-4 -- convert to systemd, tmpfiles.d - -* Mon Aug 08 2011 Paul Wouters - 1.4.12-3 -- Added pythonmod docs and examples - -* Mon Aug 08 2011 Paul Wouters - 1.4.12-2 -- Fix for python module load in the server (Tom Hendrikx) -- No longer enable --enable-debug as it causes degraded performance - under load. - -* Mon Jul 18 2011 Paul Wouters - 1.4.12-1 -- Updated to 1.4.12 - -* Sun Jul 03 2011 Paul Wouters - 1.4.11-1 -- Updated to 1.4.11 -- removed integrated CVE patch -- updated stock unbound.conf for new options introduced - -* Mon Jun 06 2011 Paul Wouters - 1.4.10-1 -- Added ghost for /var/run/unbound (bz#656710) - -* Mon Jun 06 2011 Paul Wouters - 1.4.9-3 -- rebuilt - -* Wed May 25 2011 Paul Wouters - 1.4.9-2 -- Applied patch for CVE-2011-1922 DoS vulnerability - -* Sun Mar 27 2011 Paul Wouters - 1.4.9-1 -- Updated to 1.4.9 - -* Sat Feb 12 2011 Paul Wouters - 1.4.8-2 -- rebuilt - -* Tue Jan 25 2011 Paul Wouters - 1.4.8-1 -- Updated to 1.4.8 -- Enable root key for DNSSEC -- Fix unbound-munin to use proper file (could cause excessive logging) -- Build unbound-python per default -- Disable gost as Fedora/EPEL does not allow ECC and has mangled openssl - -* Tue Oct 26 2010 Paul Wouters - 1.4.5-4 -- Revert last build - it was on the wrong branch - -* Tue Oct 26 2010 Paul Wouters - 1.4.5-3 -- Disable 
do-ipv6 per default - causes severe degradation on non-ipv6 machines - (see comments in inbound.conf) - -* Tue Jun 15 2010 Paul Wouters - 1.4.5-2 -- Bump release - forgot to upload the new tar ball. - -* Tue Jun 15 2010 Paul Wouters - 1.4.5-1 -- Upgraded to 1.4.5 - -* Mon May 31 2010 Paul Wouters - 1.4.4-2 -- Added accidentally omitted svn patches to cvs - -* Mon May 31 2010 Paul Wouters - 1.4.4-1 -- Upgraded to 1.4.4 with svn patches -- Obsolete dnssec-conf to ensure it is de-installed - -* Thu Mar 11 2010 Paul Wouters - 1.4.3-1 -- Update to 1.4.3 that fixes 64bit crasher - -* Tue Mar 09 2010 Paul Wouters - 1.4.2-1 -- Updated to 1.4.2 -- Updated unbound.conf with new options -- Enabled pre-fetching DNSKEY records (DNSSEC speedup) -- Enabled re-fetching popular records before they expire -- Enabled logging of DNSSEC validation errors - -* Mon Mar 01 2010 Paul Wouters - 1.4.1-5 -- Overriding -D_GNU_SOURCE is no longer needed. This fixes DSO issues - with pthreads - -* Wed Feb 24 2010 Paul Wouters - 1.4.1-3 -- Change make/configure lines to attempt to fix -lphtread linking issue - -* Thu Feb 18 2010 Paul Wouters - 1.4.1-2 -- Removed dependancy for dnssec-conf -- Added ISC DLV key (formerly in dnssec-conf) -- Fixup old DLV locations in unbound.conf file via %%post -- Fix parent child disagreement handling and no-ipv6 present [svn r1953] - -* Tue Jan 05 2010 Paul Wouters - 1.4.1-1 -- Updated to 1.4.1 -- Changed %%define to %%global - -* Thu Oct 08 2009 Paul Wouters - 1.3.4-2 -- Bump version - -* Thu Oct 08 2009 Paul Wouters - 1.3.4-1 -- Upgraded to 1.3.4. 
Security fix with validating NSEC3 records - -* Fri Aug 21 2009 Tomas Mraz - 1.3.3-2 -- rebuilt with new openssl - -* Mon Aug 17 2009 Paul Wouters - 1.3.3-1 -- Updated to 1.3.3 - -* Sun Jul 26 2009 Fedora Release Engineering - 1.3.0-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild - -* Sat Jun 20 2009 Paul Wouters - 1.3.0-2 -- Added missing glob patch to cvs -- Place python macros within the %%with_python check - -* Sat Jun 20 2009 Paul Wouters - 1.3.0-1 -- Updated to 1.3.0 -- Added unbound-python sub package. disabled for now -- Patch from svn to fix DLV lookups -- Patches from svn to detect wrong truncated response from BIND 9.6.1 with - minimal-responses) -- Added Default-Start and Default-Stop to unbound.init -- Re-enabled --enable-sha2 -- Re-enabled glob.patch - -* Wed May 20 2009 Paul Wouters - 1.2.1-7 -- unbound-iterator.patch was not commited - -* Wed May 20 2009 Paul Wouters - 1.2.1-6 -- Fix for https://bugzilla.redhat.com/show_bug.cgi?id=499793 - -* Tue Mar 17 2009 Paul Wouters - 1.2.1-5 -- Use --nocheck to avoid giving an error on missing unbound-remote certs/keys - -* Tue Mar 10 2009 Adam Tkac - 1.2.1-4 -- enable DNSSEC only if it is enabled in sysconfig/dnssec - -* Mon Mar 09 2009 Adam Tkac - 1.2.1-3 -- add DNSSEC support to initscript and enabled it per default -- add requires dnssec-conf - -* Wed Feb 25 2009 Fedora Release Engineering - 1.2.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild - -* Tue Feb 10 2009 Paul Wouters - 1.2.0-2 -- rebuild with new openssl - -* Wed Jan 14 2009 Paul Wouters - 1.1.1-7 -- Modified scandir patch to silently fail when wildcard matches nothing -- Patch to allow unbound-checkconf to find empty wildcard matches - -* Mon Jan 5 2009 Paul Wouters - 1.1.1-6 -- Added scandir patch for trusted-keys-file: option, which - is used to load multiple dnssec keys in bind file format - -* Mon Dec 8 2008 Paul Wouters - 1.1.1-4 -- Added Requires: for selinux-policy >= 3.5.13-33 for proper 
SElinux rules. - -* Mon Dec 1 2008 Paul Wouters - 1.1.1-3 -- We did not own the /etc/unbound directory (#474020) -- Fixed cvs anomalies - -* Fri Nov 28 2008 Adam Tkac - 1.1.1-2 -- removed all obsolete chroot related stuff -- label control certs after generation correctly - -* Thu Nov 20 2008 Paul Wouters - 1.1.1-1 -- Updated to unbound 1.1.1 which fixes a crasher and - addresses nlnetlabs bug #219 - -* Wed Nov 19 2008 Paul Wouters - 1.1.0-3 -- Remove the chroot, obsoleted by SElinux -- Add additional munin plugin links supported by unbound plugin -- Move configuration directory from /var/lib/unbound to /etc/unbound -- Modified unbound.init and unbound.conf to account for chroot changes -- Updated unbound.conf with new available options -- Enabled dns-0x20 protection per default - -* Wed Nov 19 2008 Adam Tkac - 1.1.0-2 -- unbound-1.1.0-log_open.patch - - make sure log is opened before chroot call - - tracked as http://www.nlnetlabs.nl/bugs/show_bug.cgi?id=219 -- removed /dev/log and /var/run/unbound and /etc/resolv.conf from - chroot, not needed -- don't mount files in chroot, it causes problems during updates -- fixed typo in default config file - -* Fri Nov 14 2008 Paul Wouters - 1.1.0-1 -- Updated to version 1.1.0 -- Updated unbound.conf's statistics options and remote-control - to work properly for munin -- Added unbound-munin package -- Generate unbound remote-control key/certs on first startup -- Required ldns is now 1.4.0 - -* Wed Oct 22 2008 Paul Wouters - 1.0.2-5 -- Only call ldconfig in -libs package -- Move configure into build section -- devel subpackage should only depend on libs subpackage - -* Tue Oct 21 2008 Paul Wouters - 1.0.2-4 -- Fix CFLAGS getting lost in build -- Don't enable interface-automatic:yes because that - causes unbound to listen on 0.0.0.0 instead of 127.0.0.1 - -* Sun Oct 19 2008 Paul Wouters - 1.0.2-3 -- Split off unbound-libs, make build verbose - -* Thu Oct 9 2008 Paul Wouters - 1.0.2-2 -- FSB compliance, chroot fixes, initscript 
fixes
-
-* Thu Sep 11 2008 Paul Wouters - 1.0.2-1
-- Upgraded to 1.0.2
-
-* Wed Jul 16 2008 Paul Wouters - 1.0.1-1
-- upgraded to new release
-
-* Wed May 21 2008 Paul Wouters - 1.0.0-2
-- Build against ldns-1.3.0
-
-* Wed May 21 2008 Paul Wouters - 1.0.0-1
-- Split of -devel package, fixed dependancies, make rpmlint happy
-
-* Fri Apr 25 2008 Wouter Wijngaards - 0.12
-- Using parts from ports collection entry by Jaap Akkerhuis.
-- Using Fedoraproject wiki guidelines.
-
-* Wed Apr 23 2008 Wouter Wijngaards - 0.11
-- Initial version.
+%autochangelog
diff --git a/unbound.sysconfig b/unbound.sysconfig
index adcf8fd..9e80f14 100644
--- a/unbound.sysconfig
+++ b/unbound.sysconfig
@@ -5,3 +5,6 @@ UNBOUND_ANCHOR_OPTIONS="-f /etc/resolv.conf -R"
 # for extra debug, add "-v -v" or change verbosity: in unbound.conf
 UNBOUND_OPTIONS=""
+
+# Uncoment to validate SHA1 in any crypto policy
+# OPENSSL_CONF=/etc/unbound/openssl-sha1.conf
diff --git a/wouter.nlnetlabs.nl.key b/wouter.nlnetlabs.nl.key
deleted file mode 100644
index 603e620..0000000
--- a/wouter.nlnetlabs.nl.key
+++ /dev/null
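Review bot: The added comment `# Uncoment to validate SHA1 in any crypto policy` has a typo and, more importantly, does not say what the setting costs; it should read `# Uncomment to let unbound validate SHA1-based DNSSEC signatures even when the system crypto policy disables SHA1 (weakens validation)`. Pointing `OPENSSL_CONF` at a private config overrides the system-wide policy for this daemon alone, so this comment is the one place an administrator learns it is a policy bypass rather than a harmless tuning knob. The diff does not show `/etc/unbound/openssl-sha1.conf` being added, so confirm the package ships that file; otherwise the documented line refers to something that does not exist on the installed system. The hunk is fully visible; the rest of unbound.sysconfig is unchanged.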
@@ -1,123 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -xsFNBE2v/RwBEACyQpJlpCeSZBV1QUH7jNEp5xGdo6OnX2h9XoZ4ZPsb+u6OT+xE -SH45ncnISUh8rPCygbeWOoPR/yOBzh+lYoGxQ5iUHtwRrhHq04sQe/qFpXDO2xs6 -1pTcPU2PnH7Rsr2qp6fZLPHuXLolD7NJfaSib8sVeMM0/ecyl/L2bBg9NpaGDX0x -TQh95M8o6AFo6UKWApBpgsvEZr2aH/B8b9KnCWFhfJyheEM7DamksdZNsKxXQyq3 -l/ROfdsMLZGF8vPbYV/v11G4keyaLpn8AbBpybIiw9SYDwf2ENk3+e1NFfMaiiyE -qn9+aaLTKCY87TMUuoN3s3jWOOy5tHXzf6DbKhub4Awsby3DH5YpPhi4N2vj2pAX -Vpl5+m78cH29JLzT+HAoyZ4tq1r3m0P5QogNqYwqxkKWYOjDilNDBiKiDdgtrLYG -x+ABovKG/FvToJoaCL4AFaVCzWmL2uHkSgyBN0FPHatCB1UeEkcQit6T8E2NQqmF -WjUMXSWHHajSMG95+L5PdLHz/Ku0o3Csvlt2pkElYZmzJBfnOM9JevdsmKr/ruJC -/DCZAn5w2S/9ZF5qfo2F9HUKIwE/dChR29HcN8V4nqZs9oCvEMfFhHmrfwDc5hed -hvb6mAkvSFFtKIrygLIVeWRj3FE9sGp6sr4VwOLYTFRNk7mAsWD1rZApeQARAQAB -zSdXLkMuQS4gV2lqbmdhYXJkcyA8d291dGVyQG5sbmV0bGFicy5ubD7CwX4EEwEC -ACgFAk2v/RwCGyMFCQlmAYAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEJ9v -HC1+BF+N3yoQAIynfrvZ/8RNAv9lLcSc2PX3fvG7oRJEJSy9uMyIbMtb/a1BVCeh -XjR8GhHJ5D/Z3jRWBQKw1rLLvOqbuBGkpKMR100ZVF4z/8e6CWtTAOFy28f1JQw2 -8kilN7K6vjno21S1JJ1XJAdoFdicyb1SW2r+KYod6fjSyF0lb71od+sdnSE9O/xd -Cqyyu6cX+AwfDcuJ6Y8iOWu8CeWAz41LR1QBUQkCb/08mVfCEu+Cj+M31jjPDZEy -UAw219vr4QFe0o3t+Msv0AUZvcRkW6+8qP5lO6I5we/33WBLZH70lhFvYtobM7HO -MCjheRZguSzvRqEETfTjia1uVi3Yz2qM4CFdJIZF6Er79yKcB3jYquultrnlHdXZ -/IZsHVRk6JfiqFkz9u1T9PkvMoQ452aUomGTg9xQchnKpe1E8osKgLulaY+izTEq -Z8pH/HWWJ/YT13/n8pxK9EbC/8SkVhyXNehOSAGDZar+tjVBofgzS8r+GDyv+pBT -SmjitIrVXZNuhigLp1o7Tvs4kjKlcFnLhfDHJ+yb5JyiZd01bVvaqnfRhACqXfWl -oC0uslRbegoYwJUgX0BOrsOuHGH2SfGjd/QnA0bcEXM2kp1Dp1gqtcEd5Qitm647 -Yz+leWkhrmMmtTwqumXoAcvgzthJFUPcAzuhXZNfqQJMOGRxAGVI0P97wsF+BBMB -AgAoAhsjBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCVu+rZAUJDQIVSAAKCRCf -bxwtfgRfjdrWEACMQK0xYtZtAvLL/8CCcCi92Oi1rtXRGWnRy7JX020hftmWliMq -4P0F3CJKVLhgZ/ldp8OOqmfDfmwLMVSaCQ86Ubqn7Ofrf8Ku8SGQuIMxY2ODB97h -ouY4bnDHaM2Cqi6JkBN+G1tgdwqN/kcecF2tq3ql2k7eX91++A+F5ApIu1silzJP -L4Z8W6MVOdKrtzEM7t61hRlsbpEPj72vbVBZ1hmTiIL4VWwdxQYamxBoOeneskyD 
-DG+iMCI3P1GG3EQkk+9Aect/iH9uruE0mxn2aKN8cfuoR93cPF/ozCxS5ItwAVnN -e39WRO1GT2zYaFgYm0lf9czcpRsRzNbGw938lZ3iPUiZe+ybKgLKkVmvrkM59ljH -T99SrC14VXxgQwSs4gS3rdzbY9tPps62Z1q+xCVfTx1IY5P4nt59xwQV0Iw+pV9S -/mVcOnPXl1UKb0ttOdYJErrq3RpF/D2g/NDtL0OWqIa8LvrBlyQYmWPKvKw76vt4 -bJ3NU31jSc0ow/j7EOVjOst86s629zmtnbJjWVr6LOy5EDUPusmqHv1t4Z4RMjf8 -OrJdNbFJoRXZv8FbW4NzXeGtMf8k6vKeejpdMH4+eLuoZG7dchU1JccfgqfwWpy0 -ojmb59drJcaQgVC6Jvw9l0TmGPNIsE4UrIWocaFgv4dOKvHA2hcnMDM8rsLBlQQT -AQIAPwIbIwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQTt+qPyyk5usFaBr46f -bxwtfgRfjQUCWaU4BQUJEZjVaQAKCRCfbxwtfgRfjb1YEACjkhtkyZkYURUmSZNL -2IK/Zencv7DZGRfFrzijROFtHbe//H8o2ZhlyiaFSA/dT1ehjsukkR0oFkYadA+q -Ui06WpxGmd/jf8hP4yTUZkwOhQAesWoNmnhKePNaVMKY8DP57bA+N2pdCcGu7gUt -Yzq2JoTAtV+P/PE2w+H9eyBAulv6iUckM5/qvGfJPl8HB9BtgOpGN79otVWO6ebM -4TQ3cZYI9BDQnt9cF2pviex+z1iLZVJ8UeRxSxYhrBKPJioi0Q1OgcKyO56t7Eot -zxKl5TzprgvdX4cdls+lehD8StlE2Xv/TScHvdOhJuVBrn3a3QjZPb4qSsz74leW -5/EIQmozBy+qf8AHcCmTXwb2U7oHOct7cVyS5+bFx+ThpV5OK0rjTH1LMNiuTeAN -46c1y3prjZRpQUlgVwj06q3Zz/fzDyueUS/r4lW4nAf/VNZy/rTS2HYPoZbHZVCt -GpDIfag6fV6V97Pd3zfhTf2wmsJsw9Xhktp/o7rMBRSMhvL4oevOXb0JSG2583Q/ -JnCCceB4NxRRxsgkRYHwdnXN9FnOPSa4NyvF4rzpPksLGZrhvm+lBvzVn/e40Q/K -lxvSlnn2vW/WBM4pBq1jsoJrd/JkTdijZV7mt7HQ2bCLXAPgfZjy7n79WiCQVHg7 -iYnNikiNWR5TR7JcvdkxOdiA/8LBlQQTAQgAPwIbIwYLCQgHAwIGFQgCCQoLBBYC -AwECHgECF4AWIQTt+qPyyk5usFaBr46fbxwtfgRfjQUCXe4JdQUJGaQN2QAKCRCf -bxwtfgRfjQ8gEACe+49aDQHRuZdDHK1VCJKzhb+MvfdIjvl8eQxljpG9Uz5Y17Bx -4SWfuLHCeGlh1m6IOAWeW4g6Wowm1ec1PkVa79TdrkKb0MxfLSat6iDbiuVjDxy2 -bWokW0/cPzJ/FoWDtEC0H9UTAMb5QGBDZUbLuwX7ZjvMkAhH15/hO9Gj4RHoH1RJ -GJALRtZzjtzsJqL53kW/EV59V1T79Nocyx018iw50Jn02mI8wYJZ9HZc5C7D+K59 -vcqLRZgkrJrObw0sEv3YFOBYp/1DemH2nHPMBSKMmN5RAcr32guUjd4BEWf2Q7Ao -+Qnhdi161W0YKCW4JAmOoQ4bQ0wfE9Q5aUIGhUF52L+ac8Hy7dByaCExCA/WTqQQ -/iVPybmpJQhFonWt/fmpxbE2wKThSEOHTO67e5e3JfUb0vNKssyZojao4h1MF5nv -aPNKoybWwKnpNM0ORcyl+aogKwW7E15TEU0TE5//gAsFwRDcCnSEKnksgM0321m1 -7RDfJbCajIv47DHDYE3yvhRZjCJCaw0Gow1sDRWjdOFpmIixD5/vx5uxyqSHPuGA 
-sXlEvl+Z3Rdc5bQ7pAWu7UNpR3hnJPfg8KL2xqOF75VKG9/NjLE80yj8wdVoCfDv -vizrBtOXnHI49gCMCfNqbGIb5yVhmTdeo7li+Te9hlJ2DrHnujGJlFe+p87BTQRN -r/0cARAApvDKeVLiSazESdTY9KsSWsqoB38pvOsu25M49tEjc5TtY5LwKNckqkeR -lJ83O8dFG7UBVuGwLKaf/6OR/pe24upZ27eOOWW7sXvQNv5aXlOYfF+mjIhUINqj -q4pKDmO1c9J7h5d+auOVfzcgfotg3BVCaKn56ucjiQJ059uUMfgWTvVlibnoJ7de -Zcgt8v7VcLK9jv+P8QJHTIyDzJd+JjdjuHXqC/A37T5G9Z84x8wYrQY6mZmOIYaM -jwIKdgFeN+nLk5henARUz4MTFUW4j9hHpuyAFomDQ93/wkHZ9IEChTxdZnfvsd// -Z45vfcX9dQM+tuR8XCYThVsScI1TnwR46hi5NkfmHo3HVxwB8/owJ+FZDsTNBbJd -7AVy27Xk4L5hLe7BwLDtFMyOp4lOipCM7//mtFB9mTzqnOwiSSyTRlwGUBJkzQFW -Qa0Z6bfYwA6+y1dn19H519GW49irtl+2+W8W4N8oLriIjPvqrQOyaELFcRfV6FfL -i09HPhHVbejOqIEbOtfuN0+mjrrGAwortfTBjfw80N+W90BTvta4K2SyjHcJTkDY -ehfOo/5IMpGtDsOgvsCbDaFRnNJuYtSqQmvWk1KIPIw6CkdJtZa3+q3YA7D7ovOV -H1OBTKNdBjc+X4W8L5R9MCymXWvgiP+52Sv1VIcZmsnCBrwK490AEQEAAcLBZQQY -AQIADwUCTa/9HAIbDAUJCWYBgAAKCRCfbxwtfgRfjTY/D/9+kX8LeqBhwDdwy3ud -V67KmVmytwGMfzBHbAyBdy84X06ip/If/VkjL+2Sv5Uml/cOOzGZT7y/KEt0uXQz -gOZhGP5Y0OREf4kSzfb7tsGu3ZjTp5uJe7HiJr8uqYGfx94TQG/A3x1C7MlxOGmW -DK/Eh/eNVeNd+3yyDEzl2p7a0yUhI8LtzllVrEDX+G4rz+mdDw4tfPDqzRPzPvVt -PfqnfofHP5r2dshGe7+pCTC+o0jHWpaiFkEiIrR3PbZ9tV6+F5LzCUJJP5nepz6C -ShpLHq9ST6qZiw5ZpdznHW0kVl96YxgynJq9Y4dqD/8nOfTzdHhXXEogGvRfcxat -xeZF7YNFhUU2p+CswAjRKCUzZAz0hDAu+dJ+fw4Odx7ii8uiwhEnEHoo8rPETkXw -UK1je4MCzMRSy0Gippzk/oZ7noIml+Njas/UygavUOQm8bcPqGfWeFqvM2C7ZobL -2iV0fX/bhEmQyosiWJ0nHuKdwDYygYs/4LtZLxwiKli/lm6IDz1028j6/98Z81gG -oltXWokTYAPEgcBuhyiSLSQ1wojTVMYt9rPKMBakTzP+0FoWqoNafWOlHovP6iUB -2Igll2ZT3AvrBQ8jAbRbuUl46QpBaKsl+pBo86az0fRkMxv0N4dQv4Q7Z0g71u9N -Tpaq1vtAZOwc0kl3uGNK18PnV8LBZQQYAQIADwIbDAUCVu+raQUJDQIVTQAKCRCf -bxwtfgRfjVnYEACZ1E/FfLDi4vLUd9diImmNN/zWDHxTsO/VG3lt50rSoJM5NGB4 -RlwcbUKhah2fD44FFiIqGIvKD9hRgB51dVRIkaR3ozVtXRBKxJJqWj38wf2FDLtU -XC5/JHYb0sjAc3ad2sA9xEmEBVO1lWK3J6h4gKZiAGlWz3oeOSve3vrTKsBlP0Cu -rUeb4WTVpw4drBJD7cDh8SJ4/Cq76UFx8lW0xR+pHZHcd0/Ir5v5HnnEgbnut4Ix -eY3/CGBfQfSQHylK7ifmPWq+dflC/ZdfHY1V96EHKPM44ZLwiczoY3qp5nkmEc3B 
-Y6+P8Ch5gddOYaY18wpedarswnpOLQD2Xbsj66Eh0IZuuuZGyfOqJNaWbP33L27e -g35XQNTgyhuZmDyRKL6yAbhU74TXCCvze/kkfqDn2ouCtM8/kqLX1v0+NkBxlhZU -kTTVDyclZtwu6Vypus3+j2Zqk8sXeUZI64sjXpzwOcMZxdl3QuyxMktExWzk9Q5D -YqO+pj/YGt1vp2M0YgSUWNWCvfBcjEPFgaljyqz3BdvR/LYohnXuQL9SWObF+sIF -c9D0w/yORYQcKP5kSWVC/qwFdC61OGeSDnQ/0o0T5PefhYS82gsIrjQ+HIJ7CLUT -k7kBNljvtfpoWegH02feR0kSRoCXA6x+YHT4fmB41pW8S1V5a5dEltA/JMLBfAQY -AQIAJgIbDBYhBO36o/LKTm6wVoGvjp9vHC1+BF+NBQJZpTgKBQkRmNVuAAoJEJ9v -HC1+BF+NyNQP/A3h+cOOkYUxyKpNHdtlIfCn8db5tHXSCbE19Qi7EK1SiK5atjo+ -VoRtB+L01kH6GCx5oZjeIhUdzYFwEUsdCDgwD6r0dKFwKIGa4TFcfnx+Z5B+HZgL -Yc6ac5PEHF1qZVXZH9GSGeNw5h2yyqf4yhvetSN6L2id14m5XXJV5e7NfOgmaSnG -0Z+wQvPSiu+Q00XpENT8HFSTSCjRATjk12rpy6TPeeC52NK1gLhGDRHN0k6m+vm4 -yoC+Nd6iPQpnc+5xs7NDnq2dFuSTp7UTGebzPhhdSQgujEFuYLwzQMZu1h5amtA+ -v9j7BYEJkOMC7bm1PNNA2QQ6QfH8Hf+mJeINyJO8A5KS3ceP+eo3SLR8T0hPzu9g -ZuZ22Hn3DXQh1VNRshaLKgNvoXpL3dQ48d1SFFKhEDpy2HSXUq2fs5rH0uszFGes -G7K6EQRAYRcDrCkt9fdfkvCSxAFw9d+472xThzgKcN+MkOec+SaY+xlVULjEfCWy -RVC8Opam4mTm/XT4mVLxP/qnsy7kEhLoc/ouB+lY/ks06LpZJvCXL6WfA9You1Fi -1Mg7GhSh9JKg6X6E8Trm+N4dxJGut1xbbGmmKXqfi4pej9KlkdeM9t1df/vWKlPa -7Hzd8H0btgJx066wC4yt0ghxtsJXBsCDxWLfzaSRZ2/eP16mHqxDjsQQwsF8BBgB -CAAmAhsMFiEE7fqj8spObrBWga+On28cLX4EX40FAl3uCX0FCRmkDeEACgkQn28c -LX4EX43TQA/+JV8ReMRJCn3Cfqbe5ycFn8p6dIVnJiQuhiEyu5yzdpSkKyzcVFJO -bQcqw7s50FJuLUbxdvbcuGIaoTu7dhBoUXO5tOuIQAsKTfGfgoOgelJm+/q2h645 -EnAVINGbMDXrmo4/UFJkNjUMA6SQi/yiam7N0y58eoDC4sGmBKuN2EW2MoWahlXw -8SS1+Ab9qVBs/RqbSy6f1nJL39aPpPDmvyJOSYtHnNSFlYWVhr0zGAi5rnswlFGr -ECGbHpr5FajUK7zcmtNPbi7F30K48xfF3XnDIeIBcerrEBQMaPUZcBlddGhmSVVJ -ZU/YhR35JNgPnmp33gOuZaRiW9lauZFwsMQBIBkLpJWoUtu8QLkyC0HmJzVRep0/ -s1RkzaJ+1G1BzXTQiXaLaUQWG5h3pcMD8fxY5qp9KbG/+10bY0sRbRBXgS6mz7dd -HaBtg/E8ty2nEB1HDXA9HAHu7KlH9e96sPZjz9C46ZiOXe6ZAOk6wBYts4RG4bCQ -9pGORJ+P2Jr2pz1NZQbs1AhnjJixTsfZfsGZ5lHxGLjIyxtdGB/irLEqNTIMek2y -p4CShmWoZwN0V3aGYMe/rC4tSXG79IeKNwF3Vd5MHtB+hcJG2qztBtKQuW29rbRA -5bNxwTWe8skwOKsxXnP9RC974k0XkPS+VwgmVgNN1ewS/0oHvmEP71Q= -=Oqje ------END PGP PUBLIC 
KEY BLOCK-----