Update to 1.18.0

https://nlnetlabs.nl/projects/unbound/download/#unbound-1-18-0

- NAT64 support
- Downstream DNS cookies
- EDE caching
- Set max-udp-size default to 1232

Resolves: rhbz#2236097

.gitignore

@@ -79,3 +79,5 @@ unbound-1.4.5.tar.gz
 /unbound-1.17.0.tar.gz.asc
 /unbound-1.17.1.tar.gz
 /unbound-1.17.1.tar.gz.asc
+/unbound-1.18.0.tar.gz
+/unbound-1.18.0.tar.gz.asc

sources

@@ -1,2 +1,2 @@
-SHA512 (unbound-1.17.1.tar.gz) = 10dd4c3aff77f1c0d19eb3c66956ed6ef1aae19e827d0b3259dc75d9de28dedd41862982a299e67ee07e17fb52058b4beee9d4b1d3bb0a3f633b9ba5b864d168
-SHA512 (unbound-1.17.1.tar.gz.asc) = d663c2ebf9ba4420eb6cd351378d646ac4c9e88bd69913dc1c862a326e98329496a901c86b857f2c157c0401a289ff91e5ac83911477cb9894156c6d959b2b80
+SHA512 (unbound-1.18.0.tar.gz) = 24ca6bfe0ed493eb6aaa5cb1b2b108076ce97c48de7470adf596d1154254351e382b83aae33fcd8d4fa64847e359613e00c979b6f3ba7671215b2d0fd2b03b14
+SHA512 (unbound-1.18.0.tar.gz.asc) = 222ff184d952b9ee8ce81e1f3384d1640ff4695ca60b7d5f946dc24489d583618fc0f4e3c169514b699c684766fdb352f47ca29853223fbae70a65fd994d4fd2

unbound.conf

@@ -161,10 +161,8 @@ server:
 	# edns-buffer-size: 1232
 
 	# Maximum UDP response size (not applied to TCP response).
-	# Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
-	# 3072 causes +dnssec any isc.org queries to need TC=1.
-	# Helps mitigating DDOS
-	max-udp-size: 3072
+	# Suggested values are 512 to 4096. Default is 1232. 65536 disables it.
+	# max-udp-size: 1232
 
 	# max memory to use for stream(tcp and tls) waiting result buffers.
 	# stream-wait-size: 4m
@@ -263,6 +261,18 @@ server:
 	# Enable IPv6, "yes" or "no".
 	# do-ip6: yes
 
+	# If running unbound on an IPv6-only host, domains that only have
+	# IPv4 servers would become unresolveable.  If NAT64 is available in
+	# the network, unbound can use NAT64 to reach these servers with
+	# the following option.  This is NOT needed for enabling DNS64 on a
+	# system that has IPv4 connectivity.
+	# Consider also enabling prefer-ip6 to prefer native IPv6 connections
+	# to nameservers.
+	# do-nat64: no
+
+	# NAT64 prefix.  Defaults to using dns64-prefix value.
+	# nat64-prefix: 64:ff9b::0/96
+
 	# Enable UDP, "yes" or "no".
 	# NOTE: if setting up an Unbound on tls443 for public use, you might want to
 	# disable UDP to avoid being used in DNS amplification attacks.
@@ -296,6 +306,10 @@ server:
 	# Timeout for EDNS TCP keepalive, in msec.
 	# edns-tcp-keepalive-timeout: 120000
 
+	# UDP queries that have waited in the socket buffer for a long time
+	# can be dropped. Default is 0, disabled. In seconds, such as 3.
+	# sock-queue-timeout: 0
+
 	# Fedora note: do not activate this - not compiled in because
 	# it causes frequent unbound crashes. Also, socket activation
 	# is bad when you have things like dnsmasq also running with libvirt.
@@ -529,6 +543,10 @@ server:
 	# to validate the zone.
 	# harden-algo-downgrade: no
 
+	# Harden against unknown records in the authority section and the
+	# additional section.
+	# harden-unknown-additional: no
+
 	# Sent minimum amount of information to upstream servers to enhance
 	# privacy. Only sent minimum required labels of the QNAME and set QTYPE
 	# to A when possible.
@@ -842,6 +860,8 @@ server:
 	# o always_transparent, always_refuse, always_nxdomain, always_nodata,
 	#   always_deny resolve in that way but ignore local data for
 	#   that name
+	# o block_a resolves all records normally but returns
+	#   NODATA for A queries and ignores local data for that name
 	# o always_null returns 0.0.0.0 or ::0 for any name in the zone.
 	# o noview breaks out of that view towards global local-zones.
 	#
@@ -1265,6 +1285,10 @@ auth-zone:
 #     redis-server-host: 127.0.0.1
 #     # redis server's TCP port
 #     redis-server-port: 6379
+#     # if the server uses a unix socket, set its path, or "" when not used.
+#     # redis-server-path: "/var/lib/redis/redis-server.sock"
+#     # if the server uses an AUTH password, specify here, or "" when not used.
+#     # redis-server-password: ""
 #     # timeout (in ms) for communication with the redis server
 #     redis-timeout: 100
 #     # set timeout on redis records based on DNS response TTL

unbound.spec

@@ -30,7 +30,7 @@
 
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.17.1
+Version: 1.18.0
 Release: 1%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD-3-Clause
 Url: https://nlnetlabs.nl/projects/unbound/
@@ -490,6 +490,9 @@ popd
 %{_mandir}/man1/unbound-*
 
 %changelog
+* Fri Sep 01 2023 Petr Menšík <pemensik@redhat.com> - 1.18.0-1
+- Update to 1.18.0 (#2236097)
+
 * Fri Jan 13 2023 Paul Wouters <paul.wouters@aiven.io - 1.17.1-1
 - Resolved rhbz#2160397 unbound-1.17.1 is available (bugfix release)
 - Add support for building with redis