clarify gpgverify a bit to make it look less magical

- Resolved rhbz#2160397 unbound-1.17.1 is available (bugfix release)
- Add support for building with redis
- update unbound.conf

.gitignore

@@ -75,3 +75,5 @@ unbound-1.4.5.tar.gz
 /unbound-1.16.2.tar.gz.asc
 /unbound-1.16.3.tar.gz
 /unbound-1.16.3.tar.gz.asc
+/unbound-1.17.1.tar.gz
+/unbound-1.17.1.tar.gz.asc

sources

@@ -1,2 +1,2 @@
-SHA512 (unbound-1.16.3.tar.gz) = ef5cda926dd1082a750615d8687bccd756869c66e9f24f984fda4c6613f94f3e4884db328b8d7b490777a75d3e616dcb61c5258e7777923c0590e6fabacd207c
-SHA512 (unbound-1.16.3.tar.gz.asc) = b106f080d877e479d944a7ebe24a380f4c40c38308733f43f8a60d4e7aedc6597e6daa4a1428f596e705c9c75e6ee7b4187dbbc5750a9c406f59d76d4f1b4a8d
+SHA512 (unbound-1.17.1.tar.gz) = 10dd4c3aff77f1c0d19eb3c66956ed6ef1aae19e827d0b3259dc75d9de28dedd41862982a299e67ee07e17fb52058b4beee9d4b1d3bb0a3f633b9ba5b864d168
+SHA512 (unbound-1.17.1.tar.gz.asc) = d663c2ebf9ba4420eb6cd351378d646ac4c9e88bd69913dc1c862a326e98329496a901c86b857f2c157c0401a289ff91e5ac83911477cb9894156c6d959b2b80

unbound.conf

@@ -41,6 +41,11 @@ server:
 	# Needs to be enabled for munin plugin
 	extended-statistics: yes
 
+	# Inhibits selected extended statistics (qtype, qclass, qopcode, rcode,
+	# rpz-actions) from printing if their value is 0.
+	# Default on.
+	# statistics-inhibit-zero: yes
+
 	# number of threads to create. 1 disables threading.
 	num-threads: 4
 
@@ -148,7 +153,7 @@ server:
 	# ip-dscp: 0
 
 	# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
-	# is set with msg-buffer-size). 1472 can solve fragmentation (timeouts)
+	# is set with msg-buffer-size).
 	# edns-buffer-size: 1232
 
 	# Maximum UDP response size (not applied to TCP response).
@@ -189,6 +194,15 @@ server:
 	# a throwaway response (also timeouts) is received.
 	# outbound-msg-retry: 5
 
+	# Hard limit on the number of outgoing queries Unbound will make while
+	# resolving a name, making sure large NS sets do not loop.
+	# It resets on query restarts (e.g., CNAME) and referrals.
+	# max-sent-count: 32
+
+	# Hard limit on the number of times Unbound is allowed to restart a
+	# query upon encountering a CNAME record.
+	# max-query-restarts: 11
+
 	# msec for waiting for an unknown server to reply.  Increase if you
 	# are behind a slow satellite link, to eg. 1128.
 	# unknown-server-time-limit: 376
@@ -234,7 +248,8 @@ server:
 	# the maximum number of hosts that are cached (roundtrip, EDNS, lame).
 	# infra-cache-numhosts: 10000
 
-	# define a number of tags here, use with local-zone, access-control.
+	# define a number of tags here, use with local-zone, access-control,
+	# interface-*.
 	# repeat the define-tag statement to add additional tags.
 	# define-tag: "tag1 tag2 tag3"
 
@@ -277,7 +292,9 @@ server:
 	# Timeout for EDNS TCP keepalive, in msec.
 	# edns-tcp-keepalive-timeout: 120000
 
-	# Fedora note: do not activate this - can cause a crash
+	# Fedora note: do not activate this - not compiled in because
+	# it causes frequent unbound crashes. Also, socket activation
+	# is bad when you have things like dnsmasq also running with libvirt.
 	# Use systemd socket activation for UDP, TCP, and control sockets.
 	# use-systemd: no
 
@@ -293,9 +310,7 @@ server:
 	# allow_snoop (recursive and nonrecursive ok)
 	# deny_non_local (drop queries unless can be answered from local-data)
 	# refuse_non_local (like deny_non_local but polite error reply).
-	# access-control: 0.0.0.0/0 refuse
 	# access-control: 127.0.0.0/8 allow
-	# access-control: ::0/0 refuse
 	# access-control: ::1 allow
 	# access-control: ::ffff:127.0.0.1 allow
 
@@ -539,6 +554,8 @@ server:
 	# most modules have to be listed at the beginning of the line,
 	# except cachedb(just before iterator), and python (at the beginning,
 	# or, just before the iterator).
+	# For redis cachedb use:
+	#    "ipsecmod validator cachedb iterator"
 	module-config: "ipsecmod validator iterator"
 
 	# File with trusted keys, kept uptodate using RFC5011 probes,
@@ -546,7 +563,8 @@ server:
 	# Use several entries, one per domain name, to track multiple zones.
 	#
 	# If you want to perform DNSSEC validation, run unbound-anchor before
-	# you start Unbound (i.e. in the system boot scripts).  And enable:
+	# you start Unbound (i.e. in the system boot scripts).
+	# And then enable the auto-trust-anchor-file config item.
 	# Please note usage of unbound-anchor root anchor is at your own risk
 	# and under the terms of our LICENSE (see that file in the source).
 	# auto-trust-anchor-file: "/var/lib/unbound/root.key"

unbound.spec

@@ -4,6 +4,7 @@
 %bcond_without dnstap
 %bcond_with    systemd
 %bcond_without doh
+%bcond_with    redis
 
 %global _hardened_build 1
 
@@ -29,7 +30,7 @@
 
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.16.3
+Version: 1.17.1
 Release: 1%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://nlnetlabs.nl/projects/unbound/
@@ -53,6 +54,7 @@ Source17: unbound-anchor.service
 Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
 # source: https://nlnetlabs.nl/people/
 Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
+Source20: unbound.sysusers
 
 
 BuildRequires: gcc, make
@@ -77,6 +79,9 @@ BuildRequires: systemd-devel
 %if %{with doh}
 BuildRequires: libnghttp2-devel
 %endif
+%if %{with redis}
+BuildRequires: redis-devel
+%endif
 %if 0%{?fedora} >= 30
 BuildRequires: systemd-rpm-macros
 %else
@@ -92,6 +97,7 @@ Requires: %{name}-anchor%{?_isa} = %{version}-%{release}
 Recommends: %{name}-utils%{?_isa} = %{version}-%{release}
 # unbound-keygen.service requires it, bug #2116790
 Requires: openssl
+Requires(pre): systemd-sysusers
 
 %description
 Unbound is a validating, recursive, and caching DNS(SEC) resolver.
@@ -179,7 +185,7 @@ Python 3 modules and extensions for unbound
 
 %prep
 %if 0%{?fedora}
-%gpgverify -k 19 -s 18 -d 0
+%{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}'
 %endif
 %global pkgname %{name}-%{version}%{?extra_version}
 
@@ -223,7 +229,8 @@ cp -a %{dir_primary} %{dir_secondary}
             --with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\
             --enable-sha2 --disable-gost --enable-ecdsa \\\
             --with-rootkey-file=%{_sharedstatedir}/unbound/root.key \\\
-            --enable-linux-ip-local-port-range
+            --enable-linux-ip-local-port-range \\\
+
 
 pushd %{dir_primary}
 
@@ -239,6 +246,10 @@ pushd %{dir_primary}
 %endif
 %if %{with doh}
             --with-libnghttp2 \
+%endif
+%if %{with redis}
+            --with-libhiredis \
+            --enable-cachedb \
 %endif
             %{configure_args}
 
@@ -287,6 +298,7 @@ install -p -m 0644 %{SOURCE17} %{buildroot}%{_unitdir}/unbound-anchor.service
 install -p -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound
 install -p -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/unbound
 install -p -m 0644 %{SOURCE14} %{buildroot}%{_sysconfdir}/sysconfig/unbound
+install -p -D -m 0644 %{SOURCE20} %{buildroot}%{_sysusersdir}/%{name}.sysusers
 %if %{with_munin}
 # Install munin plugin and its softlinks
 install -d -m 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d
@@ -338,18 +350,15 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
 
 
-%pre anchor
-getent group unbound >/dev/null || groupadd -r unbound
-getent passwd unbound >/dev/null || \
-useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \
--c "Unbound DNS resolver" unbound
+%pre libs
+%sysusers_create_compat %{SOURCE20}
 
 %post
 %systemd_post unbound.service
 %systemd_post unbound-keygen.service
 
 %post anchor
-%systemd_post unbound-anchor.timer
+%systemd_post unbound-anchor.service unbound-anchor.timer
 # start the timer only if installing the package to prevent starting it, if it was stopped on purpose
 if [ "$1" -eq 1 ]; then
     # the Unit is in presets, but would be started after reboot
@@ -361,14 +370,14 @@ fi
 %systemd_preun unbound-keygen.service
 
 %preun anchor
-%systemd_preun unbound-anchor.timer
+%systemd_preun unbound-anchor.service unbound-anchor.timer
 
 %postun
 %systemd_postun_with_restart unbound.service
 %systemd_postun unbound-keygen.service
 
-%postun libs
-%systemd_postun_with_restart unbound-anchor.timer
+%postun anchor
+%systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer
 
 %check
 pushd %{dir_primary}
@@ -449,7 +458,8 @@ popd
 %doc doc/README
 %license doc/LICENSE
 %attr(0755,root,root) %dir %{_sysconfdir}/%{name}
-%{_libdir}/libunbound.so.*
+%{_sysusersdir}/%{name}.sysusers
+%{_libdir}/libunbound.so.8*
 %dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
 %attr(0644,unbound,unbound) %config %{_sharedstatedir}/%{name}/root.key
 # just left for backwards compat with user changed unbound.conf files - format is different!
@@ -471,6 +481,17 @@ popd
 %{_mandir}/man1/unbound-*
 
 %changelog
+* Fri Jan 13 2023 Paul Wouters <paul.wouters@aiven.io - 1.17.1-1
+- Resolved rhbz#2160397 unbound-1.17.1 is available (bugfix release)
+- Add support for building with redis
+
+* Thu Dec 01 2022 Petr Menšík <pemensik@redhat.com> - 1.16.3-3
+- Move unbound user creation to libs (#2149036)
+- Use systemd-sysusers for user creation (#2105416)
+
+* Wed Oct 05 2022 Petr Menšík <pemensik@redhat.com> - 1.16.3-2
+- Correct issues made by unbound-anchor package split (#2110858)
+
 * Fri Sep 23 2022 Petr Menšík <pemensik@redhat.com> - 1.16.3-1
 - Update to 1.16.3 (#2128638)
 
@@ -482,18 +503,12 @@ popd
 - Require openssl tool for unbound-keygen (#2116790)
 
 * Wed Aug 03 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-1
-- Update to 1.16.2 (#2105947) for CVE-2022-30698 and CVE-2022-30699
+- Update to 1.16.2 (#2105947)
 
-* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.16.0-7
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-
-* Mon Jun 27 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-6
+* Mon Jun 27 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-5
 - Move unbound-anchor to separate package
 - Move unbound-host and unbound-streamtcp to unbound-utils package
 
-* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 1.16.0-5
-- Rebuilt for Python 3.11
-
 * Tue Jun 07 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-4
 - Restart keygen service before every unbound start
 

unbound.sysusers

@@ -0,0 +1 @@
+u unbound - "Unbound DNS resolver" /var/lib/unbound /sbin/nologin