* Wed Dec 05 2018 Paul Wouters <pwouters@redhat.com> - 1.8.2-1

- Updated to 1.8.2.
- Enabled deny ANY query support and edns-tcp-keepalive
- Set serve-stale timeout to 4h
- Updated unbound.conf for latest options

.gitignore

@@ -49,3 +49,6 @@ unbound-1.4.5.tar.gz
 /unbound-1.7.1.tar.gz
 /unbound-1.7.2.tar.gz
 /unbound-1.7.3.tar.gz
+/unbound-1.8.0.tar.gz
+/unbound-1.8.1.tar.gz
+/unbound-1.8.2.tar.gz

sources

@@ -1 +1 @@
-SHA512 (unbound-1.7.3.tar.gz) = 34b2e93660e519b2eccefef26a6c7ac09fa3312384cc3bc449ff2b10743bd86bfeb36ec19d35eb913f8d0a3d91ad7923260a66fc799f28b0a2cc06741d80f27a
+SHA512 (unbound-1.8.2.tar.gz) = a775c799d41ede3c2df82a5cf4d419ec1d037d84c9bb7f2f4216727afc1e3d82c991d1a1ee99baf315530c094a416004e836312ba1ee2b7b17a4a60454878cb5

unbound-1.7.2-python3-devel.patch

@@ -1,320 +0,0 @@
-From b5aab36d41f374eddb0f66f28f251588f53a1e1e Mon Sep 17 00:00:00 2001
-From: Wouter Wijngaards <wouter@nlnetlabs.nl>
-Date: Wed, 27 Jun 2018 05:46:36 +0000
-Subject: [PATCH 1/2] - #4109: Fix that package config depends on python
- unconditionally.
-
-git-svn-id: file:///svn/unbound/trunk@4757 be551aaa-1e26-0410-a405-d3ace91eadb9
----
- configure    | 257 +++++++++++++++++++++++++++++++----------------------------
- configure.ac |   5 +-
- 2 files changed, 137 insertions(+), 125 deletions(-)
-
-diff --git a/configure b/configure
-index 3f1c372a..2a1687ae 100755
---- a/configure
-+++ b/configure
-@@ -670,9 +670,6 @@ SYSTEMD_DAEMON_LIBS
- SYSTEMD_DAEMON_CFLAGS
- SYSTEMD_LIBS
- SYSTEMD_CFLAGS
--PKG_CONFIG_LIBDIR
--PKG_CONFIG_PATH
--PKG_CONFIG
- staticexe
- PC_LIBEVENT_DEPENDENCY
- UNBOUND_EVENT_UNINSTALL
-@@ -697,6 +694,9 @@ swig
- SWIG_LIB
- SWIG
- PC_PY_DEPENDENCY
-+PKG_CONFIG_LIBDIR
-+PKG_CONFIG_PATH
-+PKG_CONFIG
- PY_MAJOR_VERSION
- PYTHON_SITE_PKG
- PYTHON_LDFLAGS
-@@ -16930,7 +16930,136 @@ $as_echo "#define HAVE_PYTHON 1" >>confdefs.h
-         CPPFLAGS="$PYTHON_CPPFLAGS"
-       fi
-       ub_have_python=yes
--      PC_PY_DEPENDENCY="python"
-+
-+
-+
-+
-+
-+
-+
-+if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
-+	if test -n "$ac_tool_prefix"; then
-+  # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
-+set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-+$as_echo_n "checking for $ac_word... " >&6; }
-+if ${ac_cv_path_PKG_CONFIG+:} false; then :
-+  $as_echo_n "(cached) " >&6
-+else
-+  case $PKG_CONFIG in
-+  [\\/]* | ?:[\\/]*)
-+  ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path.
-+  ;;
-+  *)
-+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-+for as_dir in $PATH
-+do
-+  IFS=$as_save_IFS
-+  test -z "$as_dir" && as_dir=.
-+    for ac_exec_ext in '' $ac_executable_extensions; do
-+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-+    ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
-+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
-+    break 2
-+  fi
-+done
-+  done
-+IFS=$as_save_IFS
-+
-+  ;;
-+esac
-+fi
-+PKG_CONFIG=$ac_cv_path_PKG_CONFIG
-+if test -n "$PKG_CONFIG"; then
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKG_CONFIG" >&5
-+$as_echo "$PKG_CONFIG" >&6; }
-+else
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-+$as_echo "no" >&6; }
-+fi
-+
-+
-+fi
-+if test -z "$ac_cv_path_PKG_CONFIG"; then
-+  ac_pt_PKG_CONFIG=$PKG_CONFIG
-+  # Extract the first word of "pkg-config", so it can be a program name with args.
-+set dummy pkg-config; ac_word=$2
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-+$as_echo_n "checking for $ac_word... " >&6; }
-+if ${ac_cv_path_ac_pt_PKG_CONFIG+:} false; then :
-+  $as_echo_n "(cached) " >&6
-+else
-+  case $ac_pt_PKG_CONFIG in
-+  [\\/]* | ?:[\\/]*)
-+  ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path.
-+  ;;
-+  *)
-+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-+for as_dir in $PATH
-+do
-+  IFS=$as_save_IFS
-+  test -z "$as_dir" && as_dir=.
-+    for ac_exec_ext in '' $ac_executable_extensions; do
-+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-+    ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
-+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
-+    break 2
-+  fi
-+done
-+  done
-+IFS=$as_save_IFS
-+
-+  ;;
-+esac
-+fi
-+ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG
-+if test -n "$ac_pt_PKG_CONFIG"; then
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKG_CONFIG" >&5
-+$as_echo "$ac_pt_PKG_CONFIG" >&6; }
-+else
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-+$as_echo "no" >&6; }
-+fi
-+
-+  if test "x$ac_pt_PKG_CONFIG" = x; then
-+    PKG_CONFIG=""
-+  else
-+    case $cross_compiling:$ac_tool_warned in
-+yes:)
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
-+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
-+ac_tool_warned=yes ;;
-+esac
-+    PKG_CONFIG=$ac_pt_PKG_CONFIG
-+  fi
-+else
-+  PKG_CONFIG="$ac_cv_path_PKG_CONFIG"
-+fi
-+
-+fi
-+if test -n "$PKG_CONFIG"; then
-+	_pkg_min_version=0.9.0
-+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking pkg-config is at least version $_pkg_min_version" >&5
-+$as_echo_n "checking pkg-config is at least version $_pkg_min_version... " >&6; }
-+	if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
-+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-+$as_echo "yes" >&6; }
-+	else
-+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-+$as_echo "no" >&6; }
-+		PKG_CONFIG=""
-+	fi
-+fi
-+      if test -n "$PKG_CONFIG" && \
-+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"\"python\${PY_MAJOR_VERSION}\"\""; } >&5
-+  ($PKG_CONFIG --exists --print-errors ""python${PY_MAJOR_VERSION}"") 2>&5
-+  ac_status=$?
-+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+  test $ac_status = 0; }; then
-+  PC_PY_DEPENDENCY="python${PY_MAJOR_VERSION}"
-+else
-+  PC_PY_DEPENDENCY="python"
-+fi
- 
- 
-       # Check for SWIG
-@@ -18960,126 +19089,6 @@ else
- fi
- 
- have_systemd=no
--
--
--
--
--
--
--
--if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
--	if test -n "$ac_tool_prefix"; then
--  # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
--set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
--{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
--$as_echo_n "checking for $ac_word... " >&6; }
--if ${ac_cv_path_PKG_CONFIG+:} false; then :
--  $as_echo_n "(cached) " >&6
--else
--  case $PKG_CONFIG in
--  [\\/]* | ?:[\\/]*)
--  ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path.
--  ;;
--  *)
--  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
--for as_dir in $PATH
--do
--  IFS=$as_save_IFS
--  test -z "$as_dir" && as_dir=.
--    for ac_exec_ext in '' $ac_executable_extensions; do
--  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
--    ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
--    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
--    break 2
--  fi
--done
--  done
--IFS=$as_save_IFS
--
--  ;;
--esac
--fi
--PKG_CONFIG=$ac_cv_path_PKG_CONFIG
--if test -n "$PKG_CONFIG"; then
--  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKG_CONFIG" >&5
--$as_echo "$PKG_CONFIG" >&6; }
--else
--  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
--$as_echo "no" >&6; }
--fi
--
--
--fi
--if test -z "$ac_cv_path_PKG_CONFIG"; then
--  ac_pt_PKG_CONFIG=$PKG_CONFIG
--  # Extract the first word of "pkg-config", so it can be a program name with args.
--set dummy pkg-config; ac_word=$2
--{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
--$as_echo_n "checking for $ac_word... " >&6; }
--if ${ac_cv_path_ac_pt_PKG_CONFIG+:} false; then :
--  $as_echo_n "(cached) " >&6
--else
--  case $ac_pt_PKG_CONFIG in
--  [\\/]* | ?:[\\/]*)
--  ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path.
--  ;;
--  *)
--  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
--for as_dir in $PATH
--do
--  IFS=$as_save_IFS
--  test -z "$as_dir" && as_dir=.
--    for ac_exec_ext in '' $ac_executable_extensions; do
--  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
--    ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
--    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
--    break 2
--  fi
--done
--  done
--IFS=$as_save_IFS
--
--  ;;
--esac
--fi
--ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG
--if test -n "$ac_pt_PKG_CONFIG"; then
--  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKG_CONFIG" >&5
--$as_echo "$ac_pt_PKG_CONFIG" >&6; }
--else
--  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
--$as_echo "no" >&6; }
--fi
--
--  if test "x$ac_pt_PKG_CONFIG" = x; then
--    PKG_CONFIG=""
--  else
--    case $cross_compiling:$ac_tool_warned in
--yes:)
--{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
--$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
--ac_tool_warned=yes ;;
--esac
--    PKG_CONFIG=$ac_pt_PKG_CONFIG
--  fi
--else
--  PKG_CONFIG="$ac_cv_path_PKG_CONFIG"
--fi
--
--fi
--if test -n "$PKG_CONFIG"; then
--	_pkg_min_version=0.9.0
--	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking pkg-config is at least version $_pkg_min_version" >&5
--$as_echo_n "checking pkg-config is at least version $_pkg_min_version... " >&6; }
--	if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
--		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
--$as_echo "yes" >&6; }
--	else
--		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
--$as_echo "no" >&6; }
--		PKG_CONFIG=""
--	fi
--fi
- if test "x$enable_systemd" != xno; then :
- 
- 
-diff --git a/configure.ac b/configure.ac
-index 1828253c..b2c95d1a 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -586,7 +586,10 @@ if test x_$ub_test_python != x_no; then
-         CPPFLAGS="$PYTHON_CPPFLAGS"
-       fi
-       ub_have_python=yes
--      PC_PY_DEPENDENCY="python"
-+      PKG_PROG_PKG_CONFIG
-+      PKG_CHECK_EXISTS(["python${PY_MAJOR_VERSION}"],
-+                       [PC_PY_DEPENDENCY="python${PY_MAJOR_VERSION}"],
-+                       [PC_PY_DEPENDENCY="python"])
-       AC_SUBST(PC_PY_DEPENDENCY)
- 
-       # Check for SWIG
--- 
-2.14.4
-

unbound-1.7.2-python3-pkgconfig.patch

@@ -1,31 +0,0 @@
-From bca54a8b252d4a75e940424dc761c6a4e487eb84 Mon Sep 17 00:00:00 2001
-From: Wouter Wijngaards <wouter@nlnetlabs.nl>
-Date: Wed, 27 Jun 2018 06:07:31 +0000
-Subject: [PATCH 2/2] =?UTF-8?q?-=20Patch,=20do=20not=20export=20python=20f?=
- =?UTF-8?q?rom=20pkg-config,=20from=20Petr=20Men=C5=A1=C3=ADk.?=
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-git-svn-id: file:///svn/unbound/trunk@4758 be551aaa-1e26-0410-a405-d3ace91eadb9
----
- contrib/libunbound.pc.in | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/contrib/libunbound.pc.in b/contrib/libunbound.pc.in
-index 0cb9f875..810c5713 100644
---- a/contrib/libunbound.pc.in
-+++ b/contrib/libunbound.pc.in
-@@ -7,7 +7,8 @@ Name: unbound
- Description: Library with validating, recursive, and caching DNS resolver
- URL: http://www.unbound.net
- Version: @PACKAGE_VERSION@
--Requires: @PC_LIBEVENT_DEPENDENCY@ @PC_PY_DEPENDENCY@
-+Requires: libcrypto libssl @PC_LIBEVENT_DEPENDENCY@
-+Requires.private: @PC_PY_DEPENDENCY@
- Libs: -L${libdir} -lunbound -lssl -lcrypto
- Libs.private: @SSLLIB@ @LIBS@
- Cflags: -I${includedir} 
--- 
-2.14.4
-

unbound-1.7.3-anchor-fallback.patch

@@ -1,182 +0,0 @@
-From 81e9f82a8ddd811d7ebafe2fd0ee5af836d0b405 Mon Sep 17 00:00:00 2001
-From: Wouter Wijngaards <wouter@nlnetlabs.nl>
-Date: Wed, 4 Jul 2018 10:02:16 +0000
-Subject: [PATCH] - Fix #4112: Fix that unbound-anchor -f /etc/resolv.conf will
- not pass   if DNSSEC is not enabled.  New option -R allows fallback from  
- resolv.conf to direct queries.
-
-git-svn-id: file:///svn/unbound/trunk@4770 be551aaa-1e26-0410-a405-d3ace91eadb9
----
- doc/unbound-anchor.8.in   |  5 ++++
- smallapp/unbound-anchor.c | 66 ++++++++++++++++++++++++++++++++++-------------
- 2 files changed, 53 insertions(+), 18 deletions(-)
-
-diff --git a/doc/unbound-anchor.8.in b/doc/unbound-anchor.8.in
-index 02a3e781..e114eb25 100644
---- a/doc/unbound-anchor.8.in
-+++ b/doc/unbound-anchor.8.in
-@@ -109,6 +109,11 @@ It does so, because the tool when used for bootstrapping the recursive
- resolver, cannot use that recursive resolver itself because it is bootstrapping
- that server.
- .TP
-+.B \-R
-+Allow fallback from \-f resolv.conf file to direct root servers query.
-+It allows you to prefer local resolvers, but fallback automatically
-+to direct root query if they do not respond or do not support DNSSEC.
-+.TP
- .B \-v
- More verbose. Once prints informational messages, multiple times may enable
- large debug amounts (such as full certificates or byte\-dumps of downloaded
-diff --git a/smallapp/unbound-anchor.c b/smallapp/unbound-anchor.c
-index b3009108..f3985090 100644
---- a/smallapp/unbound-anchor.c
-+++ b/smallapp/unbound-anchor.c
-@@ -192,9 +192,10 @@ usage(void)
- 	printf("-n name		signer's subject emailAddress, default %s\n", P7SIGNER);
- 	printf("-4		work using IPv4 only\n");
- 	printf("-6		work using IPv6 only\n");
--	printf("-f resolv.conf	use given resolv.conf to resolve -u name\n");
--	printf("-r root.hints	use given root.hints to resolve -u name\n"
-+	printf("-f resolv.conf	use given resolv.conf\n");
-+	printf("-r root.hints	use given root.hints\n"
- 		"		builtin root hints are used by default\n");
-+	printf("-R		fallback from -f to root query on error\n");
- 	printf("-v		more verbose\n");
- 	printf("-C conf		debug, read config\n");
- 	printf("-P port		use port for https connect, default 443\n");
-@@ -1920,8 +1921,7 @@ static int
- do_certupdate(const char* root_anchor_file, const char* root_cert_file,
- 	const char* urlname, const char* xmlname, const char* p7sname,
- 	const char* p7signer, const char* res_conf, const char* root_hints,
--	const char* debugconf, int ip4only, int ip6only, int port,
--	struct ub_result* dnskey)
-+	const char* debugconf, int ip4only, int ip6only, int port)
- {
- 	STACK_OF(X509)* cert;
- 	BIO *xml, *p7s;
-@@ -1961,7 +1961,6 @@ do_certupdate(const char* root_anchor_file, const char* root_cert_file,
- #ifndef S_SPLINT_S
- 	sk_X509_pop_free(cert, X509_free);
- #endif
--	ub_resolve_free(dnskey);
- 	ip_list_free(ip_list);
- 	return 1;
- }
-@@ -2199,16 +2198,33 @@ probe_date_allows_certupdate(const char* root_anchor_file)
- 	return 0;
- }
- 
-+static struct ub_result *
-+fetch_root_key(const char* root_anchor_file, const char* res_conf,
-+	const char* root_hints, const char* debugconf,
-+	int ip4only, int ip6only)
-+{
-+	struct ub_ctx* ctx;
-+	struct ub_result* dnskey;
-+
-+	ctx = create_unbound_context(res_conf, root_hints, debugconf,
-+		ip4only, ip6only);
-+	add_5011_probe_root(ctx, root_anchor_file);
-+	dnskey = prime_root_key(ctx);
-+	ub_ctx_delete(ctx);
-+	return dnskey;
-+}
-+
- /** perform the unbound-anchor work */
- static int
- do_root_update_work(const char* root_anchor_file, const char* root_cert_file,
- 	const char* urlname, const char* xmlname, const char* p7sname,
- 	const char* p7signer, const char* res_conf, const char* root_hints,
--	const char* debugconf, int ip4only, int ip6only, int force, int port)
-+	const char* debugconf, int ip4only, int ip6only, int force,
-+	int res_conf_fallback, int port)
- {
--	struct ub_ctx* ctx;
- 	struct ub_result* dnskey;
- 	int used_builtin = 0;
-+	int rcode;
- 
- 	/* see if builtin rootanchor needs to be provided, or if
- 	 * rootanchor is 'revoked-trust-point' */
-@@ -2217,12 +2233,22 @@ do_root_update_work(const char* root_anchor_file, const char* root_cert_file,
- 
- 	/* make unbound context with 5011-probe for root anchor,
- 	 * and probe . DNSKEY */
--	ctx = create_unbound_context(res_conf, root_hints, debugconf,
--		ip4only, ip6only);
--	add_5011_probe_root(ctx, root_anchor_file);
--	dnskey = prime_root_key(ctx);
--	ub_ctx_delete(ctx);
--	
-+	dnskey = fetch_root_key(root_anchor_file, res_conf,
-+		root_hints, debugconf, ip4only, ip6only);
-+	rcode = dnskey->rcode;
-+
-+	if (res_conf_fallback && res_conf && !dnskey->secure) {
-+		if (verb) printf("%s failed, retrying direct\n", res_conf);
-+		ub_resolve_free(dnskey);
-+		/* try direct query without res_conf */
-+		dnskey = fetch_root_key(root_anchor_file, NULL,
-+			root_hints, debugconf, ip4only, ip6only);
-+		if (rcode != 0 && dnskey->rcode == 0) {
-+			res_conf = NULL;
-+			rcode = 0;
-+		}
-+	}
-+
- 	/* if secure: exit */
- 	if(dnskey->secure && !force) {
- 		if(verb) printf("success: the anchor is ok\n");
-@@ -2230,18 +2256,18 @@ do_root_update_work(const char* root_anchor_file, const char* root_cert_file,
- 		return used_builtin;
- 	}
- 	if(force && verb) printf("debug cert update forced\n");
-+	ub_resolve_free(dnskey);
- 
- 	/* if not (and NOERROR): check date and do certupdate */
--	if((dnskey->rcode == 0 &&
-+	if((rcode == 0 &&
- 		probe_date_allows_certupdate(root_anchor_file)) || force) {
- 		if(do_certupdate(root_anchor_file, root_cert_file, urlname,
- 			xmlname, p7sname, p7signer, res_conf, root_hints,
--			debugconf, ip4only, ip6only, port, dnskey))
-+			debugconf, ip4only, ip6only, port))
- 			return 1;
- 		return used_builtin;
- 	}
- 	if(verb) printf("fail: the anchor is NOT ok and could not be fixed\n");
--	ub_resolve_free(dnskey);
- 	return used_builtin;
- }
- 
-@@ -2264,8 +2290,9 @@ int main(int argc, char* argv[])
- 	const char* root_hints = NULL;
- 	const char* debugconf = NULL;
- 	int dolist=0, ip4only=0, ip6only=0, force=0, port = HTTPS_PORT;
-+	int res_conf_fallback = 0;
- 	/* parse the options */
--	while( (c=getopt(argc, argv, "46C:FP:a:c:f:hln:r:s:u:vx:")) != -1) {
-+	while( (c=getopt(argc, argv, "46C:FRP:a:c:f:hln:r:s:u:vx:")) != -1) {
- 		switch(c) {
- 		case 'l':
- 			dolist = 1;
-@@ -2300,6 +2327,9 @@ int main(int argc, char* argv[])
- 		case 'r':
- 			root_hints = optarg;
- 			break;
-+		case 'R':
-+			res_conf_fallback = 1;
-+			break;
- 		case 'C':
- 			debugconf = optarg;
- 			break;
-@@ -2346,5 +2376,5 @@ int main(int argc, char* argv[])
- 
- 	return do_root_update_work(root_anchor_file, root_cert_file, urlname,
- 		xmlname, p7sname, p7signer, res_conf, root_hints, debugconf,
--		ip4only, ip6only, force, port);
-+		ip4only, ip6only, force, res_conf_fallback, port);
- }
--- 
-2.14.4
-

unbound-1.7.3-host-any.patch

@@ -1,12 +0,0 @@
-diff --git a/smallapp/unbound-host.c b/smallapp/unbound-host.c
-index 53bf3277..f02511fe 100644
---- a/smallapp/unbound-host.c
-+++ b/smallapp/unbound-host.c
-@@ -340,6 +340,7 @@ pretty_output(char* q, int t, int c, struct ub_result* result, int docname)
- 					exit(1);
- 				}
- 				printf("%s\n", s);
-+				free(s);
- 			} else	printf(" has no %s record", tstr);
- 			printf(" %s\n", secstatus);
- 		}

unbound-aarch64.patch

@@ -1,22 +0,0 @@
-Index: unbound-1.5.0/compat/getentropy_linux.c
-===================================================================
---- unbound-1.5.0.orig/compat/getentropy_linux.c
-+++ unbound-1.5.0/compat/getentropy_linux.c
-@@ -102,7 +102,7 @@ getentropy(void *buf, size_t len)
- 	if (ret != -1)
- 		return (ret);
- 
--#ifdef CTL_MAXNAME
-+#ifdef SYS__sysctl
- 	/*
- 	 * Try to use sysctl CTL_KERN, KERN_RANDOM, RANDOM_UUID.
- 	 * sysctl is a failsafe API, so it guarantees a result.  This
-@@ -235,7 +235,7 @@ nodevrandom:
- 	return -1;
- }
- 
--#ifdef CTL_MAXNAME
-+#ifdef SYS__sysctl
- static int
- getentropy_sysctl(void *buf, size_t len)
- {

unbound-keygen.service

@@ -2,7 +2,11 @@
 Description=Unbound Control Key And Certificate Generator
 After=syslog.target 
 Before=unbound.service
-ConditionPathExists=!/etc/unbound/unbound_control.key
+ConditionPathExists=|!/etc/unbound/unbound_control.pem
+ConditionPathExists=|!/etc/unbound/unbound_control.key
+ConditionPathExists=|!/etc/unbound/unbound_server.pem
+ConditionPathExists=|!/etc/unbound/unbound_server.key
+PartOf=unbound.service
 
 [Service]
 Type=oneshot

unbound.conf

@@ -165,6 +165,10 @@ server:
 	# msec to wait before close of port on timeout UDP. 0 disables.
 	# delay-close: 0
 
+	# msec for waiting for an unknown server to reply.  Increase if you
+	# are behind a slow satellite link, to eg. 1128.
+	# unknown-server-time-limit: 376
+
 	# the amount of memory to use for the RRset cache.
 	# plain value in bytes or you can append k, m or G. default is "4Mb".
 	# rrset-cache-size: 4m
@@ -234,6 +238,15 @@ server:
 	# Default is 0, system default MSS.
 	# outgoing-tcp-mss: 0
 
+	# Idle TCP timeout, connection closed in milliseconds
+	# tcp-idle-timeout: 30000
+
+	# Enable EDNS TCP keepalive option.
+	edns-tcp-keepalive: yes
+
+	# Timeout for EDNS TCP keepalive, in msec.
+	# edns-tcp-keepalive-timeout: 120000
+
 	# Fedora note: do not activate this - can cause a crash
 	# Use systemd socket activation for UDP, TCP, and control sockets.
 	# use-systemd: no
@@ -333,6 +346,13 @@ server:
 	# timetoresolve, fromcache and responsesize.
 	# log-replies: no
 
+	# log the local-zone actions, like local-zone type inform is enabled
+	# also for the other local zone types.
+	# log-local-actions: no
+
+	# print log lines that say why queries return SERVFAIL to clients.
+	# log-servfail: no
+
 	# the pid file. Can be an absolute path outside of chroot/work dir.
 	pidfile: "/var/run/unbound/unbound.pid"
 
@@ -396,7 +416,7 @@ server:
 
 	# Sent minimum amount of information to upstream servers to enhance
 	# privacy. Only sent minimum required labels of the QNAME and set QTYPE
-	# to NS when possible.
+	# to A when possible.
 	qname-minimisation: yes
 
 	# QNAME minimisation in strict mode. Do not fall-back to sending full
@@ -457,6 +477,9 @@ server:
 	# if yes, perform key lookups adjacent to normal lookups.
 	prefetch-key: yes
 
+	# deny queries of type ANY with an empty response.
+	deny-any: yes
+
 	# if yes, Unbound rotates RRSet order in response.
 	rrset-roundrobin: yes
 
@@ -555,6 +578,16 @@ server:
 	# Serve expired responses from cache, with TTL 0 in the response,
 	# and then attempt to fetch the data afresh.
 	serve-expired: yes
+	#
+	# Limit serving of expired responses to configured seconds after
+	# expiration. 0 disables the limit.
+	serve-expired-ttl: 14400
+	#
+	# Set the TTL of expired records to the serve-expired-ttl value after a
+	# failed attempt to retrieve the record from upstream. This makes sure
+	# that the expired records will be served as long as there are queries
+	# for it.
+	# serve-expired-ttl-reset: no
 
 	# Have the validator log failed validations for your diagnosis.
 	# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
@@ -698,14 +731,14 @@ server:
 	# add a netblock specific override to a localzone, with zone type
 	# local-zone-override: "example.com" 192.0.2.0/24 refuse
 
-	# service clients over SSL (on the TCP sockets), with plain DNS inside
-	# the SSL stream.  Give the certificate to use and private key.
+	# service clients over TLS (on the TCP sockets), with plain DNS inside
+	# the TLS stream.  Give the certificate to use and private key.
 	# default is "" (disabled).  requires restart to take effect.
 	# tls-service-key: "/etc/unbound/unbound_server.key"
 	# tls-service-pem: "/etc/unbound/unbound_server.pem"
 	# tls-port: 853
 	#
-	# request upstream over SSL (with plain DNS inside the SSL stream).
+	# request upstream over TLS (with plain DNS inside the TLS stream).
 	# Default is no.  Can be turned on and off with unbound-control.
 	# tls-upstream: no
 
@@ -716,12 +749,15 @@ server:
 	# tls-win-cert: no
 
 	# Also serve tls on these port numbers (eg. 443, ...), by listing
-	# tls-additional-ports: portno for each of the port numbers.
+	# tls-additional-port: portno for each of the port numbers.
 
 	# DNS64 prefix. Must be specified when DNS64 is use.
 	# Enable dns64 in module-config.  Used to synthesize IPv6 from IPv4.
 	# dns64-prefix: 64:ff9b::0/96
 
+	# DNS64 ignore AAAA records for these domains and use A instead.
+	# dns64-ignore-aaaa: "example.com"
+
 	# ratelimit for uncached, new queries, this limits recursion effort.
 	# ratelimiting is experimental, and may help against randomqueryflood.
 	# if 0(default) it is disabled, otherwise state qps allowed per zone.
@@ -735,12 +771,6 @@ server:
 	# 0 blocks when ratelimited, otherwise let 1/xth traffic through
 	# ratelimit-factor: 10
 
-	# what is considered a low rtt (ping time for upstream server), in msec
-	# low-rtt: 45
-	# select low rtt this many times out of 1000. 0 means the fast server
-	# select is disabled.  prefetches are not sped up.
-	# low-rtt-permil: 0
-
 	# override the ratelimit for a specific domain name.
 	# give this setting multiple times to have multiple overrides.
 	# ratelimit-for-domain: example.com 1000
@@ -761,6 +791,15 @@ server:
 	# 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through
 	# ip-ratelimit-factor: 10
 
+	# Limit the number of connections simultaneous from a netblock
+	# tcp-connection-limit: 192.0.2.0/24 12
+
+	# select from the fastest servers this many times out of 1000. 0 means
+	# the fast server select is disabled. prefetches are not sped up.
+	# fast-server-permil: 0
+	# the number of servers that will be used in the fast server selection.
+	# fast-server-num: 3
+
 	# Specific options for ipsecmod. unbound needs to be configured with
 	# --enable-ipsecmod for these to take effect.
 	#
@@ -812,12 +851,18 @@ remote-control:
 
 	# what interfaces are listened to for remote control.
 	# give 0.0.0.0 and ::0 to listen to all interfaces.
+	# set to an absolute path to use a unix local name pipe, certificates
+	# are not used for that, so key and cert files need not be present.
 	# control-interface: 127.0.0.1
 	# control-interface: ::1
 
 	# port number for remote control operations.
 	# control-port: 8953
 
+	# for localhost, you can disable use of TLS by setting this to "no"
+	# For local sockets this option is ignored, and TLS is not used.
+	control-use-cert: "no"
+
 	# unbound server key file.
 	server-key-file: "/etc/unbound/unbound_server.key"
 
@@ -847,6 +892,7 @@ include: /etc/unbound/conf.d/*.conf
 #	stub-prime: no
 #	stub-first: no
 #	stub-tls-upstream: no
+#	stub-no-cache: no
 # stub-zone:
 #	name: "example.org"
 #	stub-host: ns.example.com.
@@ -882,6 +928,8 @@ include: /etc/unbound/conf.d/*.conf
 # has a copy of the root for local usage.  The second serves example.org
 # authoritatively.  zonefile: reads from file (and writes to it if you also
 # download it), master: fetches with AXFR and IXFR, or url to zonefile.
+# With allow-notify: you can give additional (apart from masters) sources of
+# notifies.
 auth-zone:
 	name: "."
 	for-downstream: no
@@ -948,6 +996,7 @@ auth-zone:
 #     backend: "testframe"
 #     # secret seed string to calculate hashed keys
 #     secret-seed: "default"
+#
 #     # For "redis" backend:
 #     # redis server's IP address or host name
 #     redis-server-host: 127.0.0.1

unbound.spec

@@ -4,7 +4,7 @@
 
 %global _hardened_build 1
 
-#global extra_version rc1
+#%%global extra_version rc1
 
 %if 0%{with_python2}
 %global python_primary %{__python2}
@@ -33,8 +33,8 @@
 
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.7.3
-Release: 8%{?extra_version:.%{extra_version}}%{?dist}
+Version: 1.8.2
+Release: 1%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://www.unbound.net/
 Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
@@ -55,11 +55,6 @@ Source15: unbound-anchor.timer
 Source16: unbound-munin.README
 Source17: unbound-anchor.service
 
-Patch2: unbound-1.7.2-python3-devel.patch
-Patch3: unbound-1.7.2-python3-pkgconfig.patch
-Patch4: unbound-1.7.3-anchor-fallback.patch
-Patch5: unbound-1.7.3-host-any.patch
-
 BuildRequires: gcc, make
 BuildRequires: flex, openssl-devel
 BuildRequires: libevent-devel expat-devel
@@ -154,10 +149,6 @@ Python 3 modules and extensions for unbound
 %setup -qcn %{pkgname}
 
 pushd %{pkgname}
-%patch2 -p1 -b .python3
-%patch3 -p1 -b .python3
-%patch4 -p1 -b .anchor-fallback
-%patch5 -p1 -b .host-any
 
 # only for snapshots
 # autoreconf -iv
@@ -429,6 +420,18 @@ popd
 %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
 
 %changelog
+* Wed Dec 05 2018 Paul Wouters <pwouters@redhat.com> - 1.8.2-1
+- Updated to 1.8.2.
+- Enabled deny ANY query support and edns-tcp-keepalive
+- Set serve-stale timeout to 4h
+- Updated unbound.conf for latest options
+
+* Tue Oct 02 2018 Petr Menšík <pemensik@redhat.com> - 1.7.3-10
+- Try to fix occasional crash (#1562594)
+
+* Mon Oct 01 2018 Petr Menšík <pemensik@redhat.com> - 1.7.3-9
+- Skip ipv6 forwarders without ipv6 support (#1633874)
+
 * Tue Jul 31 2018 Petr Menšík <pemensik@redhat.com> - 1.7.3-8
 - Release memory in unbound-host