Compare commits
11 commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
064be41a03 | ||
|
|
b4c4d24c69 | ||
|
|
32330fa65e | ||
|
|
85b4661d36 | ||
|
|
8dcd587f5c | ||
|
|
f199f04259 | ||
|
|
c77221b7e7 | ||
|
|
f75d7592f8 | ||
|
|
23cb2f344e | ||
|
|
62c53ea087 | ||
|
|
aa830172e3 |
15 changed files with 655 additions and 496 deletions
2
.gitignore
vendored
|
|
@ -89,3 +89,5 @@ unbound-1.4.5.tar.gz
|
|||
/unbound-1.19.3.tar.gz.asc
|
||||
/unbound-1.20.0.tar.gz
|
||||
/unbound-1.20.0.tar.gz.asc
|
||||
/unbound-1.21.1.tar.gz
|
||||
/unbound-1.21.1.tar.gz.asc
|
||||
|
|
|
|||
128
Yorgos.asc
Normal file
|
|
@ -0,0 +1,128 @@
|
|||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
mQINBFfYHeYBEAC/8SdeXNspt9ZIoZRSL9juNLHA17TXcHdKSthgWBtwwWZbUPq8
|
||||
SJr7Y+hr6jMCDKY9800QzLF0nLkyXnZgaBcvR0rRbCT/qvALJ0fpfjcotapZ1hBv
|
||||
omb9s8Bo28uKn8tbTMXYNsElUae4Ch/CrU1vfe50YoyQgLR8UBa15gV+2RmC+6jI
|
||||
qxDYS8sylWlDn6Qim+77feLlObPnNdzgfWGZo14eJByTsz0qrh8aS/BS1FAsnEQ6
|
||||
W6AqukhpuKuWvoAUXKjfguXQolxeexubmKaLcGOTvecw+cbh/a5SPHRtRVr9qTxp
|
||||
elk6UEpakY5K9UtZkrG55VWih/4KqY9bNyhJBtpAk1fXA+mYfx5BcFpECYdU9kz4
|
||||
UgV5jK0HYRHQTLC91PPVQgH86we+Aae6TaJneCLEIzBK36TgAP8RKrvFfPUym5OP
|
||||
YbWOom27QTKfRVcyxPKglJxrTSWixnKWS/pqxNY8hF9Ne4crRAF4wX2yBVbGnjNr
|
||||
S9TpYmjMwURbuYm+rWZk/8w5OJG60V3wax56c0jn/42O3Y2hzQ+PbOv2M4UuuajS
|
||||
2YL3/KUsRLBapUpPQjzChwzdr/vzFEhk9XxK2VGMN+dh2HjYwDFendc5csyt/cVr
|
||||
g3LssVS2bKy5g3IhrzCKAk0Sky4S5t/mcN+lWztNvCijuLz58GCym5GwJQARAQAB
|
||||
tCtZb3Jnb3MgVGhlc3NhbG9uaWtlZnMgPHlvcmdvc0BubG5ldGxhYnMubmw+iQJX
|
||||
BBMBCABBAhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAhkBFiEElI60IyLF0At5
|
||||
NA9dz/M0TZCHpJAFAmbz0CwFCRD85cYACgkQz/M0TZCHpJBVnhAAkcd79Twxj/tt
|
||||
C4q2Xpq75+Ew6YR9gLqYiV5vEd6fu0oyhuVoUlfTkjH4ALIoGIKaO9yAVUXsrGrs
|
||||
n1aJPo1Mw3q6mIwtQOxXz/W44LuFzcvZkHtCYX4YyLrUHXZPvl+r4eYkTOcyyQMU
|
||||
BmbuvWhufv8MBilvWltQLxfLlgihbfuIrxqjAYDhqCffpgUiZyCut2rrenIgeh1f
|
||||
DvC+GjZ3cfb1UsIpzm19yr4NCiTHkLkCOAAcAUFwWWeO/jfUsSvFQEHUnYNRREzI
|
||||
Lth9NlKwPtsOVi+wcNnWQtFQb11BMr407xBib7hLSIFiqvOiYgQABjZdWN+snCRP
|
||||
ZZSruigjE9ateOloJwmBqrSJLAywxvDE0ivqfSj51W5eJc/JLSXvjrOuW28dJCr8
|
||||
RV9PjC9X7zuTiFLzV8SVH71Z43Rix8n7AOp3wgRe3SygEyQXPj4qbm5HHVsx9GEA
|
||||
zn495L99dJ4wZgjkbEsGhzwUx7N9FHEGS/sz3LiEq+ZYckR6gzTMMrQJgbsS9lnK
|
||||
9xlXsp37uIYvx9W9JZXtS+AZhw0q3osMYBF68HPX8B9GBYlkQWmWSIMfzRYcD2n1
|
||||
5+XsfERK4mxcTWl2sCYpt8Sy3tADj9nQDabAlGUd/hlFS1dvDVQjGh6ER5S0nZjY
|
||||
nmRsLl8nOTKhb2xY+2p1sDjxxQYJJQe0K0dlb3JnZSBUaGVzc2Fsb25pa2VmcyA8
|
||||
Z2VvcmdlQG5sbmV0bGFicy5ubD6JAlQEEwEIAD4CGyMFCwkIBwIGFQgJCgsCBBYC
|
||||
AwECHgECF4AWIQSUjrQjIsXQC3k0D13P8zRNkIekkAUCZvPQPQUJEPzlxgAKCRDP
|
||||
8zRNkIekkFfCEACheY1yr2Z+LPjm/Nd2eA4CFFO7nUQHI+a6lYBd57txrRuIicuG
|
||||
pGjOhnvcioRwICiKNLJD3YTU+WOd+sbO7BXH2sw2KdU9NK1ojKX/SQiTg6upfJsu
|
||||
gbgar2oPvR88B7oSiuonZnhEf72HfWKDSBXHpi6KC6S3JZ+o50NB3GBpwUL1lfKW
|
||||
ovymYbN6tYQfqw/+AP5jUUNpkclC0RbcW69rpvrHHqeQV1AVKkm/jNQpWLKYTGF7
|
||||
bbdLkgMh3rHp8gmF0/GuK+oyL7xD+TEXfr3iqlDIVuxbxDN8xTti1RrERU/MWQar
|
||||
qOSFZcr4t+nlwThJidDLF/u3h0Ymrjz92VTfCgELIwCKxGX7jAyLZHzuWAp+0Pr/
|
||||
yuHodbweGNcGVoXmIpK93/WZcfFlBcyQLECVcijmxd7Euk0xDk76RQpuuL5VOWqn
|
||||
aZcf2uNfppwKFZJjcXwK+EQbwN7+RFNvLrwoRn/1xM57T5AYBAgSvKb6h0G5KwW6
|
||||
tJfJdSu1MHfCZS1hH1Gr4+UG+VbLCVmQ9N/lUs0bcD7pK+bA1W0YnsIVuaQ+YZUh
|
||||
KrJoCUF0kVDtW9ETZkp0iVBm1Q9xgTGaxUTVmctOyAbdCLyHNra4fo1BAdGlu+IP
|
||||
qAcktaBUKFxWxRxf9O5kGihce9anK8CJ/TCnQ7wSvyYrlAoBoQaS78VzYYkBHAQS
|
||||
AQIABgUCV9kUOAAKCRAwkY2CdXJCIju1B/oCvf1kWYndNeLS6U2O6DtFAL2Ia5tY
|
||||
Zukcyqb1hkYcrBiMZbQN94gX5a+6Q4pdd2n241r1ZuSWdwUhRUbF4mvbZMVsavnk
|
||||
cvrRGviVIUXf71W0O/IsmQ9oN0Finhpf14Y4z/xqF8DpvJdkWc6X5g+RJuko6q2w
|
||||
B7x2UfSyF4USp47LSmUQnC59IF8jzaElgBha3gwEuXL3d2qBepoV/e9RiXJClUAT
|
||||
+O7qdxzDq1eiZ+NXUjDCmrkuWjHLAZAv0jx1KUTCQ2no62UM95igtJ+Kn56Lc2+J
|
||||
CqFJztaZeX8CgXXryxNpsyhZJ33dIoLCT03K25wrV5Y+eag05slQ9sC3iQI9BBMB
|
||||
CAAnBQJX2RCwAhsjBQkFo5qABQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAAoJEM/z
|
||||
NE2Qh6SQ3JUP/2G3bRNObS7zsfN3rjkbjLxaDOwNggRdbeXM5rHDVEG9SWesCGaI
|
||||
vyQdkSGQoIaKUgNv7Yp8O8pEnD4IwdhNSaXVIB3pBtdOD0UM1wuxRpfqJOUxZEoW
|
||||
T2Jr31Tg2qepp6nT7UmdiF7uCBDy8Jm6k6Q+6UT58cPaesRQdSPi6Go7ho2/xVvK
|
||||
Ve9ufSTSTdG5+7bJDu6Iv7sydKUEG4jPDqo+jjVLn1X6Rfp+E4JAvOvFrSJHW5sa
|
||||
A332xV40GeV+aM1ndP7dPkz8+AGB3QD7JF2DLcqvLo0TYOvjnlOGYcNp8gzp23g9
|
||||
KFwe2sdbdtVpuWaJUSpXXiUZnFzrrVxDNiEBjqsPa5ysOxzJ+1gUbcrIjUeNeAFh
|
||||
us4XL+IidPATnhTIX3X/uPRB87KaTaA8XUqsuSd2DM9mLxdHKC9Jf8D1t+ywYrek
|
||||
Cp+K80vCtFPWBM4+w8nGugTNKJEGIXZDGFOF/c7r6xKkaOYK0Y+IGJawlV5LaADl
|
||||
BmQpPk0ubYclwb07FcegaHSxxIqUo/kbyt1YV5mU+QVymZ+xyvIBrnW8hBuNWRvU
|
||||
5acnIZibCERayo8ZuI+r/X3bLHfDx0oh2h+cL3utNZUqmgZNR0Di8P+x0hUYsYPO
|
||||
TJaDBSgvxUtY0Ci+OWX38kffGGvhW3CM8V6skdVc8cp7Db7gxase4BxxtC5HZW9y
|
||||
Z2UgVGhlc3NhbG9uaWtlZnMgPGdlb3JnZUBvcGVubmV0bGFicy5jb20+iQJUBBMB
|
||||
CAA+AhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEElI60IyLF0At5NA9dz/M0
|
||||
TZCHpJAFAmbz0D0FCRD85cYACgkQz/M0TZCHpJBnFw/8CRLGJnNAP43mBniIP5R1
|
||||
/10i4xG5s1Ka/y5C3aRgZUNaGMPLF8VmrC26HTPNhmduhn3j9gnBuSHgRAJUWs2K
|
||||
o1q0A2/O5fFJvqPyEUl30gG8qkzFl5UGRUr7VNtBa6VpI7g78d3P4/H8THB0tYZ3
|
||||
GZv980QXwTE11aXjvPQu4e8sMOR1OVEEH+6hW1T0SvEKAMV1BHwuZAmC6HTfx5e7
|
||||
iGNWu/dwJsmwzqcAkuTTSqlmzZdIjZWJDL8pfnschkVilC3pEpEk5ExSkt/onOD2
|
||||
WCAKJUiPR6gRI2H6fE0PF8iG9isisvNhQ3MrWUIKS+1WOotoG7Bu7ob46viJKQuN
|
||||
9t7KBqjdftjJHjmVop3mfX0UUEDPjkZXK5R/aUspXi4IGdM+9JijqxveicQegOhM
|
||||
LcE8039Z0AaXn9IA0kQB05A4a+CEnoPL7qe+fIBJM5hZDrpMe4fAAGxiQzbRpdkZ
|
||||
CrXmT+CRkhc/BvUJ5yoE1q++9Fw9eyMbPOak6GLckCIPy+Mqi4z+ZXNCtcPs3Qbc
|
||||
/7AY8qyswRsD2t5bbe4g+fLEt9IsN3UvKFUKnQ88jcn9Zmps69msMDm9jEj/qo+j
|
||||
QCriLLu8E1ZwhedNVOQN89w4Zww/BUyEnL4hng8Tw+RTV8Jtq5EvAleW5sZsnTzA
|
||||
zn1ysZUyO/Pu7Br2jnGRAQyJARwEEgECAAYFAlfZFDwACgkQMJGNgnVyQiIHjAf/
|
||||
VrPMgIRjRTYi4cxOr5ewaim1hgJZO1oCJoMopwIvpZ2kAUqL/uPMT3wREe5bi79H
|
||||
jXYcaX+RbrV4ZdzaajDUFCj867KGErxqtRkANJ1eNLcQmVwGNoFeTQbgEOBfKq1t
|
||||
hRfMqHF3fxCPJp4z4U3kBPUpIQPERjgUdkH8fxZ34Omo1SLO1b0dVqsneezccBVv
|
||||
Hj7gVoaWw65Ov7vngwNCKH3fjOkcoINTH/nEw4WWh6UV5ZN49GRqa6oWdUJMZbgB
|
||||
w8z357RLN6YLe7KMh4oGpUIvfH6Vfq6CIb6s9pfgjAvq8O7p9n0/0FG77j84MuGw
|
||||
fdhq8eSazO/j9LUCBM+8k4kCPQQTAQgAJwUCV9kQiwIbIwUJBaOagAULCQgHAgYV
|
||||
CAkKCwIEFgIDAQIeAQIXgAAKCRDP8zRNkIekkN9pD/wI8JAyjJEIjUJNLRuARDDv
|
||||
pJrQjAo/02naPcGs4yyUd7yRkhzVKLFLvif8XICxxLWk6FdT0PJeKGTvRoe2+Rje
|
||||
c14rO30niRymWkBi36iDW46Dpt7Jx+LUDhUMYPL+woKSoHmbBGWLSYXKxaD8F93A
|
||||
nVs97nP4PWpspv2BFiuwKGsSsOyyQPPvr7jCin3H5oPH9qDnIV0KonAYbzzEKod5
|
||||
t0Rgzo/nWXZBFXWC5xvKeghwkdT++gYS/ThvQY2ua6A1XRE8BntyldD081NPi3NO
|
||||
dWa9m8ufFOJsEEiWcpdT+EWoDw5JyGAR7U3IOVl3BTo7shdcYEvRVrDMBpac+ItG
|
||||
WvogUv7alBdHWi48amvZE06RI/nDJ/rxj13S/4POgMHU++aQI5a1G5H3jBu4cehH
|
||||
4iT1UKmozfzVEfcHb2dsaKnnuFzQxmol0lZu1ETyof+Lxvs+wErN0QR+VDNweJEJ
|
||||
PMXiEcjASdLtrEKgFSP2B5yGGzt93C+HbD+VQOU359aAnvVjbTAVz8izuMphd6Bz
|
||||
Ix1q//q2VmxqjjT3Iv30hBRX02x2M8gsP/e49XWEll7stkMtbYhBU0sHQ2CqzLGh
|
||||
gJN3ecpi2sKWVqN8HUZOwJFj6f9ZX76YSM23wIugHfscMAVJUXvBrbd151WIshOf
|
||||
FFPo62sYGt+SEMXWeRcHjbQuWW9yZ29zIFRoZXNzYWxvbmlrZWZzIDx5b3Jnb3NA
|
||||
b3Blbm5ldGxhYnMuY29tPokCVAQTAQgAPgIbIwULCQgHAgYVCAkKCwIEFgIDAQIe
|
||||
AQIXgBYhBJSOtCMixdALeTQPXc/zNE2Qh6SQBQJm89A9BQkQ/OXGAAoJEM/zNE2Q
|
||||
h6SQOf4QAIp5fEn+vVOqDuLrv8Li61UDVPE3v5b9ocPR7OMENeFpRH7K2p8xFkAM
|
||||
f6JeS2ehbIjyUS8iGc+mZOalvZynJdOiHtys5r4lZanm1Rl+mWXb+nHGE/Oi4gQ3
|
||||
aEF/AwolbKi9oNXAiCtA3hmaI6FYWtAh5XOnyMG140dhlXMWzvN1ZAWXWioS33Fp
|
||||
n9Z7xOsyG2Bmky69JjUQPD119noD4pEFtCipciiACVNdHGfI8QDT/8pMAxv/Q7tW
|
||||
+7gyFztT1XvKONWyCfHjf1x60JQNPPM31x3xUVRz/sK+GyLq6VLiydvSZeUX3CzM
|
||||
4bHixKKkSyvsX+bc9K/iLrXwZFhRdrRbpVQFpsdxv48mN5WsDlpN17KgMCyNiMDV
|
||||
0VagYjZC5AurOo2mmS7PKAYGILaq3YwQ3nXYiuWfdXVW6EXtw/vdFOjFU6ppbaA3
|
||||
1+xyMDOLSGLr7f+gdZvlEc+5MX1F3mHpmuKN7clUju/HEOdVq1Bbla7BplPgqCaH
|
||||
ZYCg/VHNt7ue7MYeEgTJ8OGgUDRNPa3PdU3YHRCuwJH1UzinD39K8R9/g9qiGJbC
|
||||
87//1FGZp9lhIE5tja6F5pJ5GwJK9zC0iGj2NrwBvTKhuyF6W3ZQc2voYQn+gIq4
|
||||
sfbned7qpvpjLcMgIv/y82iVm2EtKtKYl982aA9S53pHqjV27kieuQINBFfYHeYB
|
||||
EAC2h9yjSe2SgtcB0H+E0ndaewaZaQCE7q+RO43dotGH9eFnVwE4/ftcK1SN42ih
|
||||
lF5OnTaKPyXvgQ6U8W8VB8eLjeTwA/dSXuJX7kJpEK8saPqJP6zTUmPqp/GSzS6Y
|
||||
rhKLfpFn4chmywpDFcGNMz0sYXiJgPqKL7W0KuG+ziPToAeWl8ckeXyl77/lHVhW
|
||||
YylaQJEASklqCViPXSp9vI7/57UEm4MQPXwsDBOwuVVqcSu3ZM5MtY9XlbVPNCYm
|
||||
ZIMqmh8HgYwbiq9dTfJi+6v17+uDQGZewWK/WwFM+9dDx7YkTeOBiUduYtJPW64N
|
||||
W/RJ7pskbLAy+OZApTZWg0cISN6GOmPN3F0AiWzUjvSMREHhFHyxj4Y15vuDOFvP
|
||||
GFxr4xBiyMX1JLCKK6OFnyPfoJ9v/o3UgrQgLrfXCmKdvkwBCgJvN3Fsxzha6Dtf
|
||||
6RcZ02fr7SCZZhdBrlrflvC1uWZ0g3A87ss7h4Iw3njlO3aX6Bo9R4VOLUkiRKi4
|
||||
hmQBxPvXxI2ERmKRomo6lrMaDMzIjD4APSM1vUfZguzQxVYpM8lwy1COeqxsj5p+
|
||||
LH6f/EU+4dXZwooJ1uanBOvG2ntnz8SErE+e7wNYE4a/fb8xYM4j7p6qYtnNZPb8
|
||||
sj8bvx8iWXp4A1csVetyVSchBhTVQhhNos6ouYpc4ibrYwARAQABiQI8BBgBCAAm
|
||||
AhsMFiEElI60IyLF0At5NA9dz/M0TZCHpJAFAmbz0dUFCRD8528ACgkQz/M0TZCH
|
||||
pJA7hg/7Bh0jb7nrp2EuU4BWK55VG+3zbrye/NdDy6eo3sVVOOO1r+jBMoJK3m1A
|
||||
GWUx40ogZjRn8GMtJfxkL6wsep2P775smm7x1TH6s2dgreTj9J66gitKEgxF0tjo
|
||||
JztmGJ8YKSGE4wKi37KvvSqCm1ecA8akBzJVo0B8/GtXpg+y/q3/KSY1ujW7Ihu3
|
||||
60JXT1FRXOiYfrzUKIBm8/UVnv7guPudaJf0eU4btoy4Ywzn1UXyi8BdxPIQrQDR
|
||||
tt69ffcjX8BIEloK7FURLre/LhbVxlssdWYIEFQhIlb+nghZlUbWHf0Ue3L0SFFS
|
||||
xV5otzQL2WjJKtCnTpSopSUmwYyT7wyAL1RokOemXL47WOfiLjiGuS+K/4lT7VHS
|
||||
fdLsYinS0LYr5dmhc05s//kLyQ0OSKNh3SNAN+lM/klLE/pFwM4mo56C+seNEvCm
|
||||
sT53VPOOwp6JwsLKSqm8pu1fbVjT6laMc9BPi6KUjN/f7ZahCXNXOrA2uLnTlxw/
|
||||
ns1sOXSWZDWciZeL3kJeUQER5YZ59hzLYWAiJ+5KblWRlBMXb71FUp0Mh9V3dA5O
|
||||
BX3IlcF54qE50chGzLnfQf1YLuh13xxxc2WsdMZjiCj8CVDMkD6ekShfQK8nyQsK
|
||||
SJgdXcnw1CxcAVvsROtecUiD+DWrJcYExjSZ+zcI4+aRhp7uNt8=
|
||||
=iknu
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
||||
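Review bot: The key is committed without its fingerprint being recorded anywhere visible on this page, so a reviewer cannot tell what it was checked against; the issuer-fingerprint subpacket in the self-signatures decodes to 948E B423 22C5 D00B 7934 0F5D CFF3 344D 9087 A490 (key ID CFF3344D9087A490, user IDs for Yorgos Thessalonikefs at nlnetlabs.nl/opennetlabs.com), and the commit message or the spot that consumes this file for signature verification should state that fingerprint and where the key was fetched from. If I decode the packets correctly, the newest self-signatures (creation time 0x66F3D02C, 2024-09-25) set a key-expiration subpacket of 0x10FCE5C6 seconds relative to the key's 2016-09-13 creation, which lands around 2025-09-25, so source verification against this copy will start failing after that date until a refreshed key is committed. A one-line note next to the verification step, `# key expires 2025-09 — refresh from upstream before then`, would save the next maintainer a confusing build failure.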
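--- a/fedora-defaults.conf
+++ b/fedora-defaults.conf
@@ -0,0 +1,226 @@
+# Fedora distribution defaults
+
+server:
+# verbosity number, 0 is least verbose. 1 is default.
+verbosity: 1
+
+# print statistics to the log (for every thread) every N seconds.
+# Set to "" or 0 to disable. Default is disabled.
+# Needs to be disabled for munin plugin
+statistics-interval: 0
+
+# enable cumulative statistics, without clearing them after printing.
+# Needs to be disabled for munin plugin
+statistics-cumulative: no
+
+# enable extended statistics (query types, answer codes, status)
+# Needs to be enabled for munin plugin
+extended-statistics: yes
+
+# number of threads to create. 1 disables threading.
+# num-threads: 1
+num-threads: 4
+
+# specify the interfaces to answer queries from by ip-address.
+# The default is to listen to localhost (127.0.0.1 and ::1).
+# specify 0.0.0.0 and ::0 to bind to all available interfaces.
+# specify every interface[@port] on a new 'interface:' labelled line.
+# The listen interfaces are not changed on reload, only on restart.
+# interface: 0.0.0.0
+# interface: ::0
+# interface: 192.0.2.153
+# interface: 192.0.2.154
+# interface: 192.0.2.154@5003
+# interface: 2001:DB8::5
+# interface: eth0@5003
+#
+# for dns over tls and raw dns over port 80
+# interface: 0.0.0.0@443
+# interface: ::0@443
+# interface: 0.0.0.0@80
+# interface: ::0@80
+
+# enable this feature to copy the source address of queries to reply.
+# Socket options are not supported on all platforms. experimental.
+# interface-automatic: yes
+#
+# NOTE: Enable this option when specifying interface 0.0.0.0 or ::0
+# NOTE: Disabled per Fedora policy not to listen to * on default install
+# NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled
+interface-automatic: no
+
+# permit Unbound to use this port number or port range for
+# making outgoing queries, using an outgoing interface.
+# Only ephemeral ports are allowed by SElinux
+outgoing-port-permit: 32768-60999
+
+# IANA-assigned port numbers.
+# If multiple outgoing-port-permit and outgoing-port-avoid options
+# are present, they are processed in order.
+# Our SElinux policy does not allow non-ephemeral ports to be used
+outgoing-port-avoid: 0-32767
+outgoing-port-avoid: 61000-65535
+
+# use SO_REUSEPORT to distribute queries over threads.
+# at extreme load it could be better to turn it off to distribute even.
+so-reuseport: yes
+
+# use IP_TRANSPARENT so the interface: addresses can be non-local
+# and you can config non-existing IPs that are going to work later on
+# (uses IP_BINDANY on FreeBSD).
+ip-transparent: yes
+
+# Enable UDP, "yes" or "no".
+# NOTE: if setting up an Unbound on tls443 for public use, you might want to
+# disable UDP to avoid being used in DNS amplification attacks.
+# do-udp: yes
+
+# Enable EDNS TCP keepalive option.
+edns-tcp-keepalive: yes
+
+# Fedora note: do not activate this - not compiled in because
+# it causes frequent unbound crashes. Also, socket activation
+# is bad when you have things like dnsmasq also running with libvirt.
+# Use systemd socket activation for UDP, TCP, and control sockets.
+# use-systemd: no
+
+# If you give "" no chroot is performed. The path must not end in a /.
+# chroot: "/etc/unbound"
+chroot: ""
+
+# If you give a server: directory: dir before include: file statements
+# then those includes can be relative to the working directory.
+directory: "/etc/unbound"
+
+# print UTC timestamp in ascii to logfile, default is epoch in seconds.
+log-time-ascii: yes
+
+# Harden against unseemly large queries.
+harden-large-queries: yes
+
+# Default off, because the lookups burden the server. Experimental
+# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
+harden-referral-path: yes
+
+# Sent minimum amount of information to upstream servers to enhance
+# privacy. Only sent minimum required labels of the QNAME and set QTYPE
+# to A when possible.
+qname-minimisation: yes
+
+# Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
+# and other denials, using information from previous NXDOMAINs answers.
+aggressive-nsec: yes
+
+# threshold, a warning is printed and a defensive action is taken,
+# the cache is cleared to flush potential poison out of it.
+# A suggested value is 10000000, the default is 0 (turned off).
+unwanted-reply-threshold: 10000000
+
+# if yes, perform prefetching of almost expired message cache entries.
+prefetch: yes
+
+# if yes, perform key lookups adjacent to normal lookups.
+prefetch-key: yes
+
+# deny queries of type ANY with an empty response.
+deny-any: yes
+
+# if yes, Unbound rotates RRSet order in response.
+rrset-roundrobin: yes
+
+# if yes, Unbound doesn't insert authority/additional sections
+# into response messages when those sections are not required.
+minimal-responses: yes
+
+# module configuration of the server. A string with identifiers
+# separated by spaces. Syntax: "[dns64] [validator] iterator"
+# most modules have to be listed at the beginning of the line,
+# except cachedb(just before iterator), and python (at the beginning,
+# or, just before the iterator).
+# For redis cachedb use:
+# "ipsecmod validator cachedb iterator"
+module-config: "ipsecmod validator iterator"
+
+# trust anchor signaling sends a RFC8145 key tag query after priming.
+trust-anchor-signaling: yes
+
+# Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
+root-key-sentinel: yes
+
+# the trusted-keys { name flag proto algo "key"; }; clauses are read.
+# you need external update procedures to track changes in keys.
+# trusted-keys-file: ""
+#
+trusted-keys-file: /etc/unbound/keys.d/*.key
+auto-trust-anchor-file: "/var/lib/unbound/root.key"
+
+# Should additional section of secure message also be kept clean of
+# unsecure data. Useful to shield the users of this validator from
+# potential bogus data in the additional section. All unsigned data
+# in the additional section is removed from secure messages.
+val-clean-additional: yes
+
+# Turn permissive mode on to permit bogus messages. Thus, messages
+# for which security checks failed will be returned to clients,
+# instead of SERVFAIL. It still performs the security checks, which
+# result in interesting log files and possibly the AD bit in
+# replies if the message is found secure. The default is off.
+# NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
+val-permissive-mode: no
+
+# Serve expired responses from cache, with serve-expired-reply-ttl in
+# the response, and then attempt to fetch the data afresh.
+serve-expired: yes
+
+# Limit serving of expired responses to configured seconds after
+# expiration. 0 disables the limit.
+serve-expired-ttl: 14400
+
+# Have the validator log failed validations for your diagnosis.
+# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
+val-log-level: 1
+
+# service clients over TLS (on the TCP sockets) with plain DNS inside
+# the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
+# Give the certificate to use and private key.
+# default is "" (disabled). requires restart to take effect.
+# tls-service-key: "/etc/unbound/unbound_server.key"
+# tls-service-pem: "/etc/unbound/unbound_server.pem"
+
+# Fedora/RHEL: use system-wide crypto policies
+tls-ciphers: "PROFILE=SYSTEM"
+
+# Enable to attach Extended DNS Error codes (RFC8914) to responses.
+# Fedora defaults to yes.
+ede: yes
+
+# Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale
+# Answer as EDNS0 option to expired responses.
+# Note that the ede option above needs to be enabled for this to work.
+# Fedora defaults to yes.
+ede-serve-expired: yes
+
+# Enable or disable ipsecmod (it still needs to be defined in
+# module-config above). Can be used when ipsecmod needs to be
+# enabled/disabled via remote-control(below).
+# Fedora: module will be enabled on-demand by libreswan
+ipsecmod-enabled: no
+
+# Path to executable external hook. It must be defined when ipsecmod is
+# listed in module-config (above).
+ipsecmod-hook: /usr/libexec/ipsec/_unbound-hook
+
+python:
+# Script file to load
+# python-script: "/etc/unbound/ubmodule-tst.py"
+
+# Remote control config section moved into own remote-control.conf
+
+# the module-config then you need one dynlib-file per instance.
+dynlib:
+# Script file to load
+# dynlib-file: "/etc/unbound/dynlib.so"
+
+# Fedora: DNSCrypt support not enabled since it requires linking to
+# another crypto library
+#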
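Review bot: `chroot: ""` switches off Unbound's own filesystem confinement and no `username:` line appears in this file, so the privilege separation that remains is the compiled-in default user plus the SELinux policy the `outgoing-port-permit` comments refer to; the comment above `chroot` only shows the alternative path and never says that. Suggested comment: `# Fedora: chroot disabled on purpose; confinement comes from the SELinux policy for unbound and the compiled-in unbound user (no username: override here)`. Related: `ipsecmod-hook` names an executable the resolver will run once ipsecmod is enabled, which the comment says can happen through remote-control, so the control socket's permissions are part of this file's trust boundary and are worth a one-line cross-reference next to `ipsecmod-enabled: no`.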
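--- a/module-setup.sh
+++ b/module-setup.sh
@@ -0,0 +1,44 @@
+#!/usr/bin/bash
+
+check() {
+require_binaries unbound unbound-checkconf unbound-control || return 1
+# the module will be only included if explicitly required either
+# by configuration or another module
+return 255
+}
+
+depends() {
+# because of pid file we need sysusers to create unbound user
+echo systemd systemd-sysusers
+return 0
+}
+
+install() {
+# We have to make unbound wanted by network-online target to make sure
+# there is a synchronization point when other services are able
+# to make queries
+inst_simple "$moddir"/unbound-initrd.conf /etc/systemd/system/unbound.service.d/unbound-initrd.conf
+
+# /etc and /var/lib do not have its variables
+inst_multiple -o \
+"$systemdsystemunitdir"/unbound.service \
+/etc/unbound/conf.d/remote-control.conf \
+/etc/unbound/openssl-sha1.conf \
+/usr/share/unbound/fedora-defaults.conf \
+/usr/share/unbound/conf.d/*.conf \
+/etc/unbound/local.d/*.conf \
+/etc/unbound/keys.d/*.key \
+/etc/unbound/unbound.conf \
+/etc/unbound/unbound_control.key \
+/etc/unbound/unbound_control.pem \
+/etc/unbound/unbound_server.key \
+/etc/unbound/unbound_server.pem \
+"$sysusers"/unbound.conf \
+"$tmpfilesdir"/unbound.conf \
+/var/lib/unbound/root.key \
+unbound \
+unbound-checkconf \
+unbound-control
+
+$SYSTEMCTL -q --root "$initdir" enable unbound.service
+}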
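Review bot: `inst_multiple` copies two private keys, `/etc/unbound/unbound_control.key` and `/etc/unbound/unbound_server.key`, into the initramfs although nothing on this page needs them there: the control channel is the unix socket `/run/unbound/control`, for which remote-control.conf states the key and cert files need not be present, and `tls-service-key` is commented out in fedora-defaults.conf. Unless the initrd is meant to serve DNS-over-TLS, drop the four `unbound_control.*`/`unbound_server.*` lines (they are under `-o`, so the module does not fail without them, provided unbound-checkconf does not insist on them) or add a comment stating why key material must live in the image, since anyone who can read the initrd can read those keys. The `/var/lib/unbound/root.key` copy is also a snapshot of the trust anchor at image-build time; a rarely rebuilt initrd will carry a stale anchor across a root KSK roll, which deserves a comment such as `# root.key is frozen at initrd build time; regenerate the initrd after a KSK rollover`.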
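--- a/remote-control-include.conf
+++ b/remote-control-include.conf
@@ -0,0 +1,4 @@
+# Previous defaults allowed any process to change settings, CVE-2023-1488
+# If you want to modify remote configuration, replace this file with
+# contents of included file and modify afterwards.
+include: "/usr/share/unbound/conf.d/remote-control.conf"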
|
|
@ -1,9 +1,26 @@
|
|||
# Remote control config section update.
|
||||
# Previous defaults allowed any process to change settings, CVE-2023-1488
|
||||
# This file can be used also by: unbound-control -c <path>
|
||||
remote-control:
|
||||
# set to an absolute path to use a unix local name pipe, certificates
|
||||
# are not used for that, so key and cert files need not be present.
|
||||
control-interface: "/run/unbound/control"
|
||||
# Enable remote control with unbound-control(8) here.
|
||||
# set up the keys and certificates with unbound-control-setup.
|
||||
control-enable: yes
|
||||
|
||||
# For local sockets this option is ignored, and TLS is not used.
|
||||
control-use-cert: "yes"
|
||||
# set to an absolute path to use a unix local name pipe, certificates
|
||||
# are not used for that, so key and cert files need not be present.
|
||||
control-interface: "/run/unbound/control"
|
||||
|
||||
# For local sockets this option is ignored, and TLS is not used.
|
||||
control-use-cert: "yes"
|
||||
|
||||
# Unbound server key file.
|
||||
server-key-file: "/etc/unbound/unbound_server.key"
|
||||
|
||||
# Unbound server certificate file.
|
||||
server-cert-file: "/etc/unbound/unbound_server.pem"
|
||||
|
||||
# unbound-control key file.
|
||||
control-key-file: "/etc/unbound/unbound_control.key"
|
||||
|
||||
# unbound-control certificate file.
|
||||
control-cert-file: "/etc/unbound/unbound_control.pem"
|
||||
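Review bot: `control-enable: yes` activates the control channel on the unix socket `/run/unbound/control`, and for a unix socket the only access control is the socket file's mode and its parent directory (the file itself says certificates are not used there), yet nothing in this section or in the tmpfiles change states what mode the socket ends up with. Anyone who can connect has full control of the resolver, so the comment under `control-interface` should record the expectation and the commit should check it on a running system: `# NOTE: access is governed solely by the socket's file mode and the /run/unbound directory permissions; keep it unreachable to unprivileged users`. The page renders the `control-interface`/`control-use-cert` stanza twice and I cannot tell which copy is the removed side; if the new file really contains both, one should go.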
|
|
|
|||
4
sources
|
|
@ -1,2 +1,2 @@
|
|||
SHA512 (unbound-1.20.0.tar.gz) = 2f6bc76c03b71ca1c2cd2331dc72d62f51493d15e17c59af46b400e542fcabff22e6b9d33f750a3e5f918a0116f45afa760651b2d5aa2feadac151cbbd71b0bd
|
||||
SHA512 (unbound-1.20.0.tar.gz.asc) = 1586a320077c606c5c19f251615df54a61854f51acca02df1d391dcc2287aff2c641b009aeee1a98392f63719d70b6bac23ebb7d86b780f8a27cda6e114fc0ad
|
||||
SHA512 (unbound-1.21.1.tar.gz) = 82be3faf5e4f9531342008105f5ab2ecc22a56faab1ef5c86420d85ef48443e5dac3455dbc654178a927e34ca4067c7655443f91a250b87945a63e9ba5f74ba7
|
||||
SHA512 (unbound-1.21.1.tar.gz.asc) = 5bb3961c210aefb20f91eb96f7d3980324e30cb2307c6c1187f016cacafcade7adcd95855faedfebc2c91464fd6c095511322364357c5b72525fc8e61c0ad248
|
||||
|
|
|
|||
|
|
@ -1 +1 @@
|
|||
D /run/unbound 0755 unbound unbound -
|
||||
D /run/unbound 0775 unbound root -
|
||||
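Review bot: Assuming `D /run/unbound 0775 unbound root -` is the new line (the page prints old then new but loses the markers), the change adds group-write for group `root` on the directory that holds the control socket and the new `anchor-disable` flag, and nothing on this page shows a process running with gid root but not uid root that needs it — root bypasses DAC anyway. If the intent is to let some initrd or anchor-related step create `/run/unbound/anchor-disable`, say so in a comment on this line; otherwise keep `0755`, since a group-writable socket directory tends to get relaxed further later. Note also that `D` (unlike `d`) clears the directory on `systemd-tmpfiles --remove`, so a flag dropped there is not expected to survive that.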
|
|
|
|||
|
|
@ -6,5 +6,5 @@ Documentation=man:unbound-anchor(8)
|
|||
Type=oneshot
|
||||
User=unbound
|
||||
EnvironmentFile=-/etc/sysconfig/unbound
|
||||
ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi'
|
||||
ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ] || [ -f /run/unbound/anchor-disable ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi'
|
||||
SuccessExitStatus=1
|
||||
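Review bot: The new `[ -f /run/unbound/anchor-disable ]` test lets a runtime flag file switch off RFC 5011 trust-anchor maintenance, but nothing in the unit says who creates it or when, so an admin asking why `root.key` stopped updating has no pointer. Because `/run/unbound` is owned by the `unbound` user (tmpfiles on this page) and this unit runs as `User=unbound`, the flag does not escalate privilege, but it is a second, undocumented disable path next to `DISABLE_UNBOUND_ANCHOR`; add above `ExecStart`: `# /run/unbound/anchor-disable: per-boot override that skips the update (presumably dropped by the initrd, where no network is expected); remove it to re-enable`. If the initrd drop-in is what creates the flag, naming it here keeps the two in sync. The `[Unit]`/`[Service]` header of this unit lies outside the hunk.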
|
|
|
|||
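--- a/unbound-as112-networks.conf
+++ b/unbound-as112-networks.conf
@@ -0,0 +1,118 @@
+# Allow forwarding of private ranges, which are marked forwardable by IANA
+# https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
+# https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
+# https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml
+# RFC 6303: Locally Served DNS Zones (https://www.rfc-editor.org/rfc/rfc6303.html)
+#
+# Using this configuration file will simplify forwarding to potentially private ranges.
+# Enables forwarding of networks marked as forwardable at IANA special registry.
+# This is useful when upstream forwarder may be still inside private network. That is the case
+# when unbound works as a localhost DNS cache, not network wide resolver.
+
+server:
+# RFC 8375: Special-Use Domain 'home.arpa.'
+local-zone: "home.arpa." nodefault
+
+# RFC 1918: Address Allocation for Private Internets
+local-zone: "10.in-addr.arpa." nodefault
+local-zone: "16.172.in-addr.arpa." nodefault
+local-zone: "17.172.in-addr.arpa." nodefault
+local-zone: "18.172.in-addr.arpa." nodefault
+local-zone: "19.172.in-addr.arpa." nodefault
+local-zone: "20.172.in-addr.arpa." nodefault
+local-zone: "21.172.in-addr.arpa." nodefault
+local-zone: "22.172.in-addr.arpa." nodefault
+local-zone: "23.172.in-addr.arpa." nodefault
+local-zone: "24.172.in-addr.arpa." nodefault
+local-zone: "25.172.in-addr.arpa." nodefault
+local-zone: "26.172.in-addr.arpa." nodefault
+local-zone: "27.172.in-addr.arpa." nodefault
+local-zone: "28.172.in-addr.arpa." nodefault
+local-zone: "29.172.in-addr.arpa." nodefault
+local-zone: "30.172.in-addr.arpa." nodefault
+local-zone: "31.172.in-addr.arpa." nodefault
+local-zone: "168.192.in-addr.arpa." nodefault
+# RFC 6598: IANA-Reserved IPv4 Prefix for Shared Address Space
+local-zone: "64.100.in-addr.arpa." nodefault
+local-zone: "65.100.in-addr.arpa." nodefault
+local-zone: "66.100.in-addr.arpa." nodefault
+local-zone: "67.100.in-addr.arpa." nodefault
+local-zone: "68.100.in-addr.arpa." nodefault
+local-zone: "69.100.in-addr.arpa." nodefault
+local-zone: "70.100.in-addr.arpa." nodefault
+local-zone: "71.100.in-addr.arpa." nodefault
+local-zone: "72.100.in-addr.arpa." nodefault
+local-zone: "73.100.in-addr.arpa." nodefault
+local-zone: "74.100.in-addr.arpa." nodefault
+local-zone: "75.100.in-addr.arpa." nodefault
+local-zone: "76.100.in-addr.arpa." nodefault
+local-zone: "77.100.in-addr.arpa." nodefault
+local-zone: "78.100.in-addr.arpa." nodefault
+local-zone: "79.100.in-addr.arpa." nodefault
+local-zone: "80.100.in-addr.arpa." nodefault
+local-zone: "81.100.in-addr.arpa." nodefault
+local-zone: "82.100.in-addr.arpa." nodefault
+local-zone: "83.100.in-addr.arpa." nodefault
+local-zone: "84.100.in-addr.arpa." nodefault
+local-zone: "85.100.in-addr.arpa." nodefault
+local-zone: "86.100.in-addr.arpa." nodefault
+local-zone: "87.100.in-addr.arpa." nodefault
+local-zone: "88.100.in-addr.arpa." nodefault
+local-zone: "89.100.in-addr.arpa." nodefault
+local-zone: "90.100.in-addr.arpa." nodefault
+local-zone: "91.100.in-addr.arpa." nodefault
+local-zone: "92.100.in-addr.arpa." nodefault
+local-zone: "93.100.in-addr.arpa." nodefault
+local-zone: "94.100.in-addr.arpa." nodefault
+local-zone: "95.100.in-addr.arpa." nodefault
+local-zone: "96.100.in-addr.arpa." nodefault
+local-zone: "97.100.in-addr.arpa." nodefault
+local-zone: "98.100.in-addr.arpa." nodefault
+local-zone: "99.100.in-addr.arpa." nodefault
+local-zone: "100.100.in-addr.arpa." nodefault
+local-zone: "101.100.in-addr.arpa." nodefault
+local-zone: "102.100.in-addr.arpa." nodefault
+local-zone: "103.100.in-addr.arpa." nodefault
+local-zone: "104.100.in-addr.arpa." nodefault
+local-zone: "105.100.in-addr.arpa." nodefault
+local-zone: "106.100.in-addr.arpa." nodefault
+local-zone: "107.100.in-addr.arpa." nodefault
+local-zone: "108.100.in-addr.arpa." nodefault
+local-zone: "109.100.in-addr.arpa." nodefault
+local-zone: "110.100.in-addr.arpa." nodefault
+local-zone: "111.100.in-addr.arpa." nodefault
+local-zone: "112.100.in-addr.arpa." nodefault
+local-zone: "113.100.in-addr.arpa." nodefault
+local-zone: "114.100.in-addr.arpa." nodefault
+local-zone: "115.100.in-addr.arpa." nodefault
+local-zone: "116.100.in-addr.arpa." nodefault
+local-zone: "117.100.in-addr.arpa." nodefault
+local-zone: "118.100.in-addr.arpa." nodefault
+local-zone: "119.100.in-addr.arpa." nodefault
+local-zone: "120.100.in-addr.arpa." nodefault
+local-zone: "121.100.in-addr.arpa." nodefault
+local-zone: "122.100.in-addr.arpa." nodefault
+local-zone: "123.100.in-addr.arpa." nodefault
+local-zone: "124.100.in-addr.arpa." nodefault
+local-zone: "125.100.in-addr.arpa." nodefault
+local-zone: "126.100.in-addr.arpa." nodefault
+local-zone: "127.100.in-addr.arpa." nodefault
+
+# RFC 4193: Unique Local IPv6 Unicast Addresses
+local-zone: "d.f.ip6.arpa." nodefault
+
+# RFC 2606: Reserved Top Level DNS Names
+local-zone: "test." nodefault
+domain-insecure: "test"
+domain-insecure: "example"
+
+# RFC 6762: Multicast DNS, Appendix G
+domain-insecure: "local"
+domain-insecure: "intranet"
+domain-insecure: "private"
+domain-insecure: "corp"
+domain-insecure: "home"
+domain-insecure: "lan"
+
+# draft-davies-internal-tld
+domain-insecure: "internal"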
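Review bot: The `domain-insecure:` lines at the end are a DNSSEC downgrade — Unbound will accept unsigned answers for `test`, `example`, `local`, `intranet`, `private`, `corp`, `home`, `lan` and `internal` from whatever forwarder is configured, and for names that do not exist in the signed root that is precisely the spoofing the validator would otherwise reject; the header only says the file "simplifies forwarding" and never states this. Add above the RFC 2606 block: `# domain-insecure: disables DNSSEC validation for these names, so unsigned answers from the forwarder are accepted; only include this file on a host-local cache behind a trusted forwarder`. The header should also say that this file removes Unbound's built-in answers for these zones (`nodefault`) but configures no forwarding itself; a `forward-zone:` or similar for these names still has to come from elsewhere.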
|
|
@ -1,60 +1,20 @@
|
|||
From 79506679335ef1e02a960ccc7cfeda19348f5619 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Mensik <pemensik@redhat.com>
|
||||
Date: Fri, 10 Nov 2023 12:58:31 +0100
|
||||
From 41c489180eeecba97641f747ee6a43aa2c6d4299 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Korbar <tkorbar@redhat.com>
|
||||
Date: Thu, 6 Feb 2025 16:01:21 +0100
|
||||
Subject: [PATCH] Customize unbound.conf for Fedora defaults
|
||||
|
||||
Set some Fedora/RHEL specific changes to example configuration file. By
|
||||
patching upstream provided config file we would not need to manually
|
||||
update external copy in source RPM.
|
||||
---
|
||||
unbound-1.20.0/doc/example.conf.in | 194 ++++++++++++++++++-----------
|
||||
1 file changed, 124 insertions(+), 70 deletions(-)
|
||||
doc/example.conf.in | 33 +++++++++++++++++++++++++++++++--
|
||||
1 file changed, 31 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/unbound-1.20.0/doc/example.conf.in b/unbound-1.20.0/doc/example.conf.in
|
||||
index 0368c8d..9ece701 100644
|
||||
--- a/unbound-1.20.0/doc/example.conf.in
|
||||
+++ b/unbound-1.20.0/doc/example.conf.in
|
||||
@@ -17,11 +17,12 @@ server:
|
||||
# whitespace is not necessary, but looks cleaner.
|
||||
|
||||
# verbosity number, 0 is least verbose. 1 is default.
|
||||
- # verbosity: 1
|
||||
+ verbosity: 1
|
||||
|
||||
# print statistics to the log (for every thread) every N seconds.
|
||||
# Set to "" or 0 to disable. Default is disabled.
|
||||
- # statistics-interval: 0
|
||||
+ # Needs to be disabled for munin plugin
|
||||
+ statistics-interval: 0
|
||||
|
||||
# enable shm for stats, default no. if you enable also enable
|
||||
# statistics-interval, every time it also writes stats to the
|
||||
@@ -32,11 +33,13 @@ server:
|
||||
# shm-key: 11777
|
||||
|
||||
# enable cumulative statistics, without clearing them after printing.
|
||||
- # statistics-cumulative: no
|
||||
+ # Needs to be disabled for munin plugin
|
||||
+ statistics-cumulative: no
|
||||
|
||||
# enable extended statistics (query types, answer codes, status)
|
||||
- # printed from unbound-control. Default off, because of speed.
|
||||
- # extended-statistics: no
|
||||
+ # printed from unbound-control. default off, because of speed.
|
||||
+ # Needs to be enabled for munin plugin
|
||||
+ extended-statistics: yes
|
||||
|
||||
# Inhibits selected extended statistics (qtype, qclass, qopcode, rcode,
|
||||
# rpz-actions) from printing if their value is 0.
|
||||
@@ -44,22 +47,35 @@ server:
|
||||
# statistics-inhibit-zero: yes
|
||||
|
||||
# number of threads to create. 1 disables threading.
|
||||
- # num-threads: 1
|
||||
+ num-threads: 4
|
||||
|
||||
# specify the interfaces to answer queries from by ip-address.
|
||||
# The default is to listen to localhost (127.0.0.1 and ::1).
|
||||
diff --git a/doc/example.conf.in b/doc/example.conf.in
|
||||
index dc2aa1c..a656bd7 100644
|
||||
--- a/doc/example.conf.in
|
||||
+++ b/doc/example.conf.in
|
||||
@@ -51,11 +51,19 @@ server:
|
||||
# specify 0.0.0.0 and ::0 to bind to all available interfaces.
|
||||
# specify every interface[@port] on a new 'interface:' labelled line.
|
||||
# The listen interfaces are not changed on reload, only on restart.
@ -74,53 +34,7 @@ index 0368c8d..9ece701 100644
|
||||
# enable this feature to copy the source address of queries to reply.
|
||||
# Socket options are not supported on all platforms. experimental.
|
||||
- # interface-automatic: no
|
||||
+ # interface-automatic: yes
|
||||
+ #
|
||||
+ # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0
|
||||
+ # NOTE: Disabled per Fedora policy not to listen to * on default install
|
||||
+ # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled
|
||||
+ interface-automatic: no
|
||||
|
||||
# instead of the default port, open additional ports separated by
|
||||
# spaces when interface-automatic is enabled, by listing them here.
|
||||
@@ -94,7 +110,8 @@ server:
|
||||
|
||||
# permit Unbound to use this port number or port range for
|
||||
# making outgoing queries, using an outgoing interface.
|
||||
- # outgoing-port-permit: 32768
|
||||
+ # Only ephemeral ports are allowed by SElinux
|
||||
+ outgoing-port-permit: 32768-60999
|
||||
|
||||
# deny Unbound the use this of port number or port range for
|
||||
# making outgoing queries, using an outgoing interface.
|
||||
@@ -103,7 +120,9 @@ server:
|
||||
# IANA-assigned port numbers.
|
||||
# If multiple outgoing-port-permit and outgoing-port-avoid options
|
||||
# are present, they are processed in order.
|
||||
- # outgoing-port-avoid: "3200-3208"
|
||||
+ # Our SElinux policy does not allow non-ephemeral ports to be used
|
||||
+ outgoing-port-avoid: 0-32767
|
||||
+ outgoing-port-avoid: 61000-65535
|
||||
|
||||
# number of outgoing simultaneous tcp buffers to hold per thread.
|
||||
# outgoing-num-tcp: 10
|
||||
@@ -121,12 +140,12 @@ server:
|
||||
|
||||
# use SO_REUSEPORT to distribute queries over threads.
|
||||
# at extreme load it could be better to turn it off to distribute even.
|
||||
- # so-reuseport: yes
|
||||
+ so-reuseport: yes
|
||||
|
||||
# use IP_TRANSPARENT so the interface: addresses can be non-local
|
||||
# and you can config non-existing IPs that are going to work later on
|
||||
# (uses IP_BINDANY on FreeBSD).
|
||||
- # ip-transparent: no
|
||||
+ ip-transparent: yes
|
||||
|
||||
# use IP_FREEBIND so the interface: addresses can be non-local
|
||||
# and you can bind to nonexisting IPs and interfaces that are down.
|
||||
@@ -276,6 +295,8 @@ server:
|
||||
@@ -276,6 +284,8 @@ server:
|
||||
# nat64-prefix: 64:ff9b::0/96
|
||||
|
||||
# Enable UDP, "yes" or "no".
@ -129,16 +43,7 @@ index 0368c8d..9ece701 100644
# do-udp: yes
|
||||
|
||||
# Enable TCP, "yes" or "no".
|
||||
@@ -301,7 +322,7 @@ server:
|
||||
# tcp-idle-timeout: 30000
|
||||
|
||||
# Enable EDNS TCP keepalive option.
|
||||
- # edns-tcp-keepalive: no
|
||||
+ edns-tcp-keepalive: yes
|
||||
|
||||
# Timeout for EDNS TCP keepalive, in msec. Overrides tcp-idle-timeout
|
||||
# if edns-tcp-keepalive is set.
|
||||
@@ -311,6 +332,9 @@ server:
|
||||
@@ -311,6 +321,9 @@ server:
|
||||
# can be dropped. Default is 0, disabled. In seconds, such as 3.
|
||||
# sock-queue-timeout: 0
@ -148,188 +53,7 @@ index 0368c8d..9ece701 100644
# Use systemd socket activation for UDP, TCP, and control sockets.
|
||||
# use-systemd: no
|
||||
|
||||
@@ -424,6 +448,7 @@ server:
|
||||
#
|
||||
# If you give "" no chroot is performed. The path must not end in a /.
|
||||
# chroot: "@UNBOUND_CHROOT_DIR@"
|
||||
+ chroot: ""
|
||||
|
||||
# if given, user privileges are dropped (after binding port),
|
||||
# and the given username is assumed. Default is user "unbound".
|
||||
@@ -435,7 +460,7 @@ server:
|
||||
# is not changed.
|
||||
# If you give a server: directory: dir before include: file statements
|
||||
# then those includes can be relative to the working directory.
|
||||
- # directory: "@UNBOUND_RUN_DIR@"
|
||||
+ directory: "/etc/unbound"
|
||||
|
||||
# the log file, "" means log to stderr.
|
||||
# Use of this option sets use-syslog to "no".
|
||||
@@ -450,7 +475,7 @@ server:
|
||||
# log-identity: ""
|
||||
|
||||
# print UTC timestamp in ascii to logfile, default is epoch in seconds.
|
||||
- # log-time-ascii: no
|
||||
+ log-time-ascii: yes
|
||||
|
||||
# print one line with time, IP, name, type, class for every query.
|
||||
# log-queries: no
|
||||
@@ -522,22 +547,22 @@ server:
|
||||
# harden-large-queries: no
|
||||
|
||||
# Harden against out of zone rrsets, to avoid spoofing attempts.
|
||||
- # harden-glue: yes
|
||||
+ harden-glue: yes
|
||||
|
||||
# Harden against receiving dnssec-stripped data. If you turn it
|
||||
# off, failing to validate dnskey data for a trustanchor will
|
||||
# trigger insecure mode for that zone (like without a trustanchor).
|
||||
# Default on, which insists on dnssec data for trust-anchored zones.
|
||||
- # harden-dnssec-stripped: yes
|
||||
+ harden-dnssec-stripped: yes
|
||||
|
||||
# Harden against queries that fall under dnssec-signed nxdomain names.
|
||||
- # harden-below-nxdomain: yes
|
||||
+ harden-below-nxdomain: yes
|
||||
|
||||
# Harden the referral path by performing additional queries for
|
||||
# infrastructure data. Validates the replies (if possible).
|
||||
# Default off, because the lookups burden the server. Experimental
|
||||
# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
|
||||
- # harden-referral-path: no
|
||||
+ harden-referral-path: yes
|
||||
|
||||
# Harden against algorithm downgrade when multiple algorithms are
|
||||
# advertised in the DS record. If no, allows the weakest algorithm
|
||||
@@ -551,7 +576,7 @@ server:
|
||||
# Sent minimum amount of information to upstream servers to enhance
|
||||
# privacy. Only sent minimum required labels of the QNAME and set QTYPE
|
||||
# to A when possible.
|
||||
- # qname-minimisation: yes
|
||||
+ qname-minimisation: yes
|
||||
|
||||
# QNAME minimisation in strict mode. Do not fall-back to sending full
|
||||
# QNAME to potentially broken nameservers. A lot of domains will not be
|
||||
@@ -561,7 +586,7 @@ server:
|
||||
|
||||
# Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
|
||||
# and other denials, using information from previous NXDOMAINs answers.
|
||||
- # aggressive-nsec: yes
|
||||
+ aggressive-nsec: yes
|
||||
|
||||
# Use 0x20-encoded random bits in the query to foil spoof attempts.
|
||||
# This feature is an experimental implementation of draft dns-0x20.
|
||||
@@ -594,7 +619,7 @@ server:
|
||||
# threshold, a warning is printed and a defensive action is taken,
|
||||
# the cache is cleared to flush potential poison out of it.
|
||||
# A suggested value is 10000000, the default is 0 (turned off).
|
||||
- # unwanted-reply-threshold: 0
|
||||
+ unwanted-reply-threshold: 10000000
|
||||
|
||||
# Do not query the following addresses. No DNS queries are sent there.
|
||||
# List one address per entry. List classless netblocks with /size,
|
||||
@@ -606,20 +631,20 @@ server:
|
||||
# do-not-query-localhost: yes
|
||||
|
||||
# if yes, perform prefetching of almost expired message cache entries.
|
||||
- # prefetch: no
|
||||
+ prefetch: yes
|
||||
|
||||
# if yes, perform key lookups adjacent to normal lookups.
|
||||
- # prefetch-key: no
|
||||
+ prefetch-key: yes
|
||||
|
||||
# deny queries of type ANY with an empty response.
|
||||
- # deny-any: no
|
||||
+ deny-any: yes
|
||||
|
||||
# if yes, Unbound rotates RRSet order in response.
|
||||
- # rrset-roundrobin: yes
|
||||
+ rrset-roundrobin: yes
|
||||
|
||||
# if yes, Unbound doesn't insert authority/additional sections
|
||||
# into response messages when those sections are not required.
|
||||
- # minimal-responses: yes
|
||||
+ minimal-responses: yes
|
||||
|
||||
# true to disable DNSSEC lameness check in iterator.
|
||||
# disable-dnssec-lame-check: no
|
||||
@@ -629,7 +654,9 @@ server:
|
||||
# most modules have to be listed at the beginning of the line,
|
||||
# except cachedb(just before iterator), and python (at the beginning,
|
||||
# or, just before the iterator).
|
||||
- # module-config: "validator iterator"
|
||||
+ # For redis cachedb use:
|
||||
+ # "ipsecmod validator cachedb iterator"
|
||||
+ module-config: "ipsecmod validator iterator"
|
||||
|
||||
# File with trusted keys, kept uptodate using RFC5011 probes,
|
||||
# initial file like trust-anchor-file, then it stores metadata.
|
||||
@@ -643,10 +670,10 @@ server:
|
||||
# auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
|
||||
|
||||
# trust anchor signaling sends a RFC8145 key tag query after priming.
|
||||
- # trust-anchor-signaling: yes
|
||||
+ trust-anchor-signaling: yes
|
||||
|
||||
# Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
|
||||
- # root-key-sentinel: yes
|
||||
+ root-key-sentinel: yes
|
||||
|
||||
# File with trusted keys for validation. Specify more than one file
|
||||
# with several entries, one file per entry.
|
||||
@@ -667,6 +694,9 @@ server:
|
||||
# the trusted-keys { name flag proto algo "key"; }; clauses are read.
|
||||
# you need external update procedures to track changes in keys.
|
||||
# trusted-keys-file: ""
|
||||
+ #
|
||||
+ trusted-keys-file: /etc/unbound/keys.d/*.key
|
||||
+ auto-trust-anchor-file: "/var/lib/unbound/root.key"
|
||||
|
||||
# Ignore chain of trust. Domain is treated as insecure.
|
||||
# domain-insecure: "example.com"
|
||||
@@ -694,14 +724,15 @@ server:
|
||||
# unsecure data. Useful to shield the users of this validator from
|
||||
# potential bogus data in the additional section. All unsigned data
|
||||
# in the additional section is removed from secure messages.
|
||||
- # val-clean-additional: yes
|
||||
+ val-clean-additional: yes
|
||||
|
||||
# Turn permissive mode on to permit bogus messages. Thus, messages
|
||||
# for which security checks failed will be returned to clients,
|
||||
# instead of SERVFAIL. It still performs the security checks, which
|
||||
# result in interesting log files and possibly the AD bit in
|
||||
# replies if the message is found secure. The default is off.
|
||||
- # val-permissive-mode: no
|
||||
+ # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
|
||||
+ val-permissive-mode: no
|
||||
|
||||
# Ignore the CD flag in incoming queries and refuse them bogus data.
|
||||
# Enable it if the only clients of Unbound are legacy servers (w2008)
|
||||
@@ -715,11 +746,11 @@ server:
|
||||
|
||||
# Serve expired responses from cache, with serve-expired-reply-ttl in
|
||||
# the response, and then attempt to fetch the data afresh.
|
||||
- # serve-expired: no
|
||||
+ serve-expired: yes
|
||||
#
|
||||
# Limit serving of expired responses to configured seconds after
|
||||
# expiration. 0 disables the limit.
|
||||
- # serve-expired-ttl: 0
|
||||
+ serve-expired-ttl: 14400
|
||||
#
|
||||
# Set the TTL of expired records to the serve-expired-ttl value after a
|
||||
# failed attempt to retrieve the record from upstream. This makes sure
|
||||
@@ -746,7 +777,7 @@ server:
|
||||
|
||||
# Have the validator log failed validations for your diagnosis.
|
||||
# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
|
||||
- # val-log-level: 0
|
||||
+ val-log-level: 1
|
||||
|
||||
# It is possible to configure NSEC3 maximum iteration counts per
|
||||
# keysize. Keep this table very short, as linear search is done.
|
||||
@@ -890,6 +921,8 @@ server:
|
||||
@@ -890,6 +903,8 @@ server:
|
||||
# you need to do the reverse notation yourself.
|
||||
# local-data-ptr: "192.0.2.3 www.example.com"
@ -338,7 +62,7 @@ index 0368c8d..9ece701 100644
# tag a localzone with a list of tag names (in "" with spaces between)
|
||||
# local-zone-tag: "example.com" "tag2 tag3"
|
||||
|
||||
@@ -900,8 +933,8 @@ server:
|
||||
@@ -900,8 +915,8 @@ server:
|
||||
# the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
|
||||
# Give the certificate to use and private key.
|
||||
# default is "" (disabled). requires restart to take effect.
@ -349,107 +73,20 @@ index 0368c8d..9ece701 100644
# tls-port: 853
|
||||
# https-port: 443
|
||||
|
||||
@@ -909,6 +942,8 @@ server:
|
||||
# tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
|
||||
# cipher setting for TLSv1.3
|
||||
# tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
|
||||
+ # Fedora/RHEL: use system-wide crypto policies
|
||||
+ tls-ciphers: "PROFILE=SYSTEM"
|
||||
|
||||
# Pad responses to padded queries received over TLS
|
||||
# pad-responses: yes
|
||||
@@ -1045,12 +1080,12 @@ server:
|
||||
# cookie-secret: <128 bit random hex string>
|
||||
|
||||
# Enable to attach Extended DNS Error codes (RFC8914) to responses.
|
||||
- # ede: no
|
||||
+ ede: yes
|
||||
|
||||
# Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale
|
||||
# Answer as EDNS0 option to expired responses.
|
||||
# Note that the ede option above needs to be enabled for this to work.
|
||||
- # ede-serve-expired: no
|
||||
+ ede-serve-expired: yes
|
||||
|
||||
# Specific options for ipsecmod. Unbound needs to be configured with
|
||||
# --enable-ipsecmod for these to take effect.
|
||||
@@ -1058,12 +1093,14 @@ server:
|
||||
# Enable or disable ipsecmod (it still needs to be defined in
|
||||
# module-config above). Can be used when ipsecmod needs to be
|
||||
# enabled/disabled via remote-control(below).
|
||||
- # ipsecmod-enabled: yes
|
||||
- #
|
||||
+ # Fedora: module will be enabled on-demand by libreswan
|
||||
+ ipsecmod-enabled: no
|
||||
+
|
||||
# Path to executable external hook. It must be defined when ipsecmod is
|
||||
# listed in module-config (above).
|
||||
# ipsecmod-hook: "./my_executable"
|
||||
- #
|
||||
+ ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook
|
||||
+
|
||||
# When enabled Unbound will reply with SERVFAIL if the return value of
|
||||
# the ipsecmod-hook is not 0.
|
||||
# ipsecmod-strict: no
|
||||
@@ -1096,7 +1133,7 @@ server:
|
||||
# o and give a python-script to run.
|
||||
python:
|
||||
# Script file to load
|
||||
- # python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py"
|
||||
+ # python-script: "/etc/unbound/ubmodule-tst.py"
|
||||
|
||||
# Dynamic library config section. To enable:
|
||||
# o use --with-dynlibmodule to configure before compiling.
|
||||
@@ -1107,13 +1144,14 @@ python:
|
||||
# the module-config then you need one dynlib-file per instance.
|
||||
dynlib:
|
||||
# Script file to load
|
||||
- # dynlib-file: "@UNBOUND_SHARE_DIR@/dynlib.so"
|
||||
+ # dynlib-file: "/etc/unbound/dynlib.so"
|
||||
|
||||
# Remote control config section.
|
||||
remote-control:
|
||||
# Enable remote control with unbound-control(8) here.
|
||||
# set up the keys and certificates with unbound-control-setup.
|
||||
- # control-enable: no
|
||||
+ # Note: required for unbound-munin package
|
||||
+ control-enable: yes
|
||||
|
||||
# what interfaces are listened to for remote control.
|
||||
# give 0.0.0.0 and ::0 to listen to all interfaces.
|
||||
@@ -1121,6 +1159,7 @@ remote-control:
|
||||
# are not used for that, so key and cert files need not be present.
|
||||
# control-interface: 127.0.0.1
|
||||
# control-interface: ::1
|
||||
+ # moved to /etc/unbound/conf.d/remote-control.conf
|
||||
|
||||
# port number for remote control operations.
|
||||
# control-port: 8953
|
||||
@@ -1130,16 +1169,19 @@ remote-control:
|
||||
# control-use-cert: "yes"
|
||||
|
||||
# Unbound server key file.
|
||||
- # server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key"
|
||||
+ server-key-file: "/etc/unbound/unbound_server.key"
|
||||
|
||||
# Unbound server certificate file.
|
||||
- # server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem"
|
||||
+ server-cert-file: "/etc/unbound/unbound_server.pem"
|
||||
|
||||
# unbound-control key file.
|
||||
- # control-key-file: "@UNBOUND_RUN_DIR@/unbound_control.key"
|
||||
+ control-key-file: "/etc/unbound/unbound_control.key"
|
||||
|
||||
@@ -1146,6 +1161,12 @@ remote-control:
|
||||
# unbound-control certificate file.
|
||||
- # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
|
||||
+ control-cert-file: "/etc/unbound/unbound_control.pem"
|
||||
# control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
|
||||
|
||||
+# Default Fedora settings
|
||||
+include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf"
|
||||
+
|
||||
+# Stub and Forward zones
|
||||
+include: /etc/unbound/conf.d/*.conf
|
||||
|
||||
+include: "@sysconfdir@/unbound/conf.d/*.conf"
|
||||
+
|
||||
# Stub zones.
|
||||
# Create entries like below, to make all queries for 'example.com' and
|
||||
@@ -1161,6 +1203,10 @@ remote-control:
|
||||
# 'example.org' go to the given list of nameservers. list zero or more
|
||||
@@ -1166,6 +1187,10 @@ remote-control:
|
||||
# name: "example.org"
|
||||
# stub-host: ns.example.com.
@ -460,7 +97,7 @@ index 0368c8d..9ece701 100644
# Forward zones
|
||||
# Create entries like below, to make all queries for 'example.com' and
|
||||
# 'example.org' go to the given list of servers. These servers have to handle
|
||||
@@ -1178,6 +1224,10 @@ remote-control:
|
||||
@@ -1183,6 +1208,10 @@ remote-control:
|
||||
# forward-zone:
|
||||
# name: "example.org"
|
||||
# forward-host: fwd.example.com
@ -471,75 +108,6 @@ index 0368c8d..9ece701 100644
|
||||
# Authority zones
|
||||
# The data for these zones is kept locally, from a file or downloaded.
|
||||
@@ -1188,27 +1238,28 @@ remote-control:
|
||||
# download it), primary: fetches with AXFR and IXFR, or url to zonefile.
|
||||
# With allow-notify: you can give additional (apart from primaries and urls)
|
||||
# sources of notifies.
|
||||
-# auth-zone:
|
||||
-# name: "."
|
||||
-# primary: 170.247.170.2 # b.root-servers.net
|
||||
-# primary: 192.33.4.12 # c.root-servers.net
|
||||
-# primary: 199.7.91.13 # d.root-servers.net
|
||||
-# primary: 192.5.5.241 # f.root-servers.net
|
||||
-# primary: 192.112.36.4 # g.root-servers.net
|
||||
-# primary: 193.0.14.129 # k.root-servers.net
|
||||
-# primary: 192.0.47.132 # xfr.cjr.dns.icann.org
|
||||
-# primary: 192.0.32.132 # xfr.lax.dns.icann.org
|
||||
-# primary: 2801:1b8:10::b # b.root-servers.net
|
||||
-# primary: 2001:500:2::c # c.root-servers.net
|
||||
-# primary: 2001:500:2d::d # d.root-servers.net
|
||||
-# primary: 2001:500:2f::f # f.root-servers.net
|
||||
-# primary: 2001:500:12::d0d # g.root-servers.net
|
||||
-# primary: 2001:7fd::1 # k.root-servers.net
|
||||
-# primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
|
||||
-# primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org
|
||||
-# fallback-enabled: yes
|
||||
-# for-downstream: no
|
||||
-# for-upstream: yes
|
||||
+ auth-zone:
|
||||
+ name: "."
|
||||
+ primary: 170.247.170.2 # b.root-servers.net
|
||||
+ primary: 192.33.4.12 # c.root-servers.net
|
||||
+ primary: 199.7.91.13 # d.root-servers.net
|
||||
+ primary: 192.5.5.241 # f.root-servers.net
|
||||
+ primary: 192.112.36.4 # g.root-servers.net
|
||||
+ primary: 193.0.14.129 # k.root-servers.net
|
||||
+ primary: 192.0.47.132 # xfr.cjr.dns.icann.org
|
||||
+ primary: 192.0.32.132 # xfr.lax.dns.icann.org
|
||||
+ primary: 2801:1b8:10::b # b.root-servers.net
|
||||
+ primary: 2001:500:2::c # c.root-servers.net
|
||||
+ primary: 2001:500:2d::d # d.root-servers.net
|
||||
+ primary: 2001:500:2f::f # f.root-servers.net
|
||||
+ primary: 2001:500:12::d0d # g.root-servers.net
|
||||
+ primary: 2001:7fd::1 # k.root-servers.net
|
||||
+ primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
|
||||
+ primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org
|
||||
+ fallback-enabled: yes
|
||||
+ for-downstream: no
|
||||
+ for-upstream: yes
|
||||
+
|
||||
# auth-zone:
|
||||
# name: "example.org"
|
||||
# for-downstream: yes
|
||||
@@ -1234,6 +1285,9 @@ remote-control:
|
||||
# name: "anotherview"
|
||||
# local-zone: "example.com" refuse
|
||||
|
||||
+# Fedora: DNSCrypt support not enabled since it requires linking to
|
||||
+# another crypto library
|
||||
+#
|
||||
# DNSCrypt
|
||||
# To enable, use --enable-dnscrypt to configure before compiling.
|
||||
# Caveats:
|
||||
@@ -1309,7 +1363,7 @@ remote-control:
|
||||
# dnstap-enable: no
|
||||
# # if set to yes frame streams will be used in bidirectional mode
|
||||
# dnstap-bidirectional: yes
|
||||
-# dnstap-socket-path: "@DNSTAP_SOCKET_PATH@"
|
||||
+# dnstap-socket-path: "/etc/unbound/dnstap.sock"
|
||||
# # if "" use the unix socket in dnstap-socket-path, otherwise,
|
||||
# # set it to "IPaddress[@port]" of the destination.
|
||||
# dnstap-ip: ""
|
||||
--
|
||||
2.44.0
|
||||
2.48.1
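Review bot: The two new `include:` lines of the rewritten patch (`+include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf"` and `+include: "@sysconfdir@/unbound/conf.d/*.conf"`) land inside the `remote-control:` clause according to the hunk context (`@@ -1146,6 +1161,12 @@ remote-control:`, right after the control-cert-file line), so whatever an included file begins with is parsed as a continuation of that clause unless the file opens with its own `server:` (or other clause) keyword; the head of fedora-defaults.conf is not visible here, so this is presumably handled, but the patch should state the contract: `# Included files must open with their own server: clause; later files override earlier single-valued options`. The order of the two includes is what makes administrator overrides in the sysconfdir conf.d win over the packaged defaults, and that is worth saying in the same comment. The other hunks of the new patch (`-51`, `-276`, `-311`, `-890`, `-900`, `-1166`, `-1183`) show only their context lines in this render, so their added lines could not be reviewed.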
5
unbound-initrd.conf
Normal file
5
unbound-initrd.conf
Normal file
@ -0,0 +1,5 @@
[Unit]
|
||||
Before=network-online.target
|
||||
|
||||
[Install]
|
||||
WantedBy=network-online.target
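Review bot: The drop-in carries no comment saying which unit it applies to or why its ordering is the reverse of the main unit, which in this compare is `After=network.target` (with `After=network-online.target` commented out) while this file orders the unit before `network-online.target`; it is installed into the `99unbound` dracut module directory next to `module-setup.sh`, so presumably it is the initramfs override for `unbound.service`, but the file name does not say so. Suggest a header such as `# dracut drop-in for unbound.service: inside the initramfs the resolver must be up before network-online.target so early-boot name lookups can use it` (adjust if the override targets another unit). The `[Install]` section only has an effect if the unit is actually enabled inside the initramfs, which `module-setup.sh` (not shown here) presumably does; a second comment line pointing to it would make the wiring traceable.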
30
unbound-local-root.conf
Normal file
30
unbound-local-root.conf
Normal file
@ -0,0 +1,30 @@
# Authority zones
|
||||
# The data for these zones is kept locally, from a file or downloaded.
|
||||
# The data can be served to downstream clients, or used instead of the
|
||||
# upstream (which saves a lookup to the upstream).
|
||||
#
|
||||
# Download local root copy and answer TLD queries from it. Because
|
||||
# auth-zone has higher precedence, defined forward-zones to internal
|
||||
# only TLD will not work. Use stub-zone or disable this zone.
|
||||
# Good for a network-wide resolvers, worse for a localhost caching forwarder.
|
||||
auth-zone:
|
||||
name: "."
|
||||
primary: 170.247.170.2 # b.root-servers.net
|
||||
primary: 192.33.4.12 # c.root-servers.net
|
||||
primary: 199.7.91.13 # d.root-servers.net
|
||||
primary: 192.5.5.241 # f.root-servers.net
|
||||
primary: 192.112.36.4 # g.root-servers.net
|
||||
primary: 193.0.14.129 # k.root-servers.net
|
||||
primary: 192.0.47.132 # xfr.cjr.dns.icann.org
|
||||
primary: 192.0.32.132 # xfr.lax.dns.icann.org
|
||||
primary: 2801:1b8:10::b # b.root-servers.net
|
||||
primary: 2001:500:2::c # c.root-servers.net
|
||||
primary: 2001:500:2d::d # d.root-servers.net
|
||||
primary: 2001:500:2f::f # f.root-servers.net
|
||||
primary: 2001:500:12::d0d # g.root-servers.net
|
||||
primary: 2001:7fd::1 # k.root-servers.net
|
||||
primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
|
||||
primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org
|
||||
fallback-enabled: yes
|
||||
for-downstream: no
|
||||
for-upstream: yes
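Review bot: The primaries list is a verbatim copy of the upstream `auth-zone:` example (the same sixteen addresses appear in the patch file elsewhere in this compare) and will drift silently as root-server addresses change, at which point `fallback-enabled: yes` hides the failed transfers behind ordinary recursion; add `# Keep this list in sync with the auth-zone example in doc/example.conf.in` above `auth-zone:`. The header could also say how the file is wired in: it is installed under `%{_datadir}/unbound/conf.d/`, which neither of the `include:` lines visible in the patched example.conf.in reads, so presumably an administrator or fedora-defaults.conf has to include it explicitly, and stating that makes clear that `for-downstream: no` / `for-upstream: yes` describe an opt-in local-root (RFC 8806 style) setup rather than a default.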
@ -1,6 +1,9 @@
[Unit]
|
||||
Description=Unbound recursive Domain Name Server
|
||||
After=network-online.target
|
||||
After=network.target
|
||||
# Use ip-freebind: yes or add After=network-online.target, rhbz#2338429,
|
||||
# if interface: specifies exact address, not localhost nor wildcard
|
||||
#After=network-online.target
|
||||
After=unbound-keygen.service
|
||||
Wants=unbound-keygen.service
|
||||
After=unbound-anchor.service
@ -9,7 +12,7 @@ Before=nss-lookup.target
Wants=nss-lookup.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
Type=notify
|
||||
EnvironmentFile=-/etc/sysconfig/unbound
|
||||
ExecStartPre=/usr/sbin/unbound-checkconf
|
||||
ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
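Review bot: `Type=notify` only works when the daemon is built with systemd notification support, which this compare turns on by flipping the spec to `%bcond_without systemd`, yet the spec still installs this unit unconditionally (`install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service`), so a `--without systemd` build would get a service that never reaches active state and is killed at the start timeout. Either make the unit type follow the bcond or record the coupling in the unit: `# Type=notify requires unbound built with --enable-systemd (see %bcond systemd in unbound.spec)`. The new ordering comment would be clearer if it said what fails: `# Binding an interface: with a specific address before the link is up fails unless ip-freebind: yes is set or After=network-online.target is restored (rhbz#2338429)`. The `[Service]` section continues past the end of this hunk.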
70
unbound.spec
70
unbound.spec
@ -2,7 +2,7 @@
%{?!with_python3: %global with_python3 1}
|
||||
%{?!with_munin: %global with_munin 1}
|
||||
%bcond_without dnstap
|
||||
%bcond_with systemd
|
||||
%bcond_without systemd
|
||||
%bcond_without doh
|
||||
%bcond_with redis
@ -32,7 +32,7 @@
|
||||
Summary: Validating, recursive, and caching DNS(SEC) resolver
|
||||
Name: unbound
|
||||
Version: 1.20.0
|
||||
Version: 1.21.1
|
||||
Release: %autorelease %{?extra_version:-e %{extra_version}}
|
||||
License: BSD-3-Clause
|
||||
Url: https://nlnetlabs.nl/projects/unbound/
@ -58,6 +58,13 @@ Source18: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
|
||||
Source20: unbound.sysusers
|
||||
Source21: remote-control.conf
|
||||
Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc
|
||||
Source23: unbound-as112-networks.conf
|
||||
Source24: unbound-local-root.conf
|
||||
Source25: remote-control-include.conf
|
||||
Source26: fedora-defaults.conf
|
||||
Source27: module-setup.sh
|
||||
Source28: unbound-initrd.conf
|
||||
|
||||
# Downstream configuration changes
|
||||
Patch1: unbound-fedora-config.patch
@ -190,30 +197,31 @@ Conflicts: python2-unbound < 1.9.3
Python 3 modules and extensions for unbound
|
||||
%endif
|
||||
|
||||
%package dracut
|
||||
Summary: Unbound dracut module
|
||||
Requires: dracut%{?_isa}
|
||||
Requires: %{name}%{?_isa} = %{version}-%{release}
|
||||
|
||||
%description dracut
|
||||
Unbound dracut module allowing use of Unbound for name resolution
|
||||
in initramfs.
|
||||
|
||||
%prep
|
||||
%if 0%{?fedora}
|
||||
%{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}'
|
||||
%{gpgverify} --keyring='%{SOURCE22}' --signature='%{SOURCE18}' --data='%{SOURCE0}'
|
||||
%endif
|
||||
%global pkgname %{name}-%{version}%{?extra_version}
|
||||
|
||||
%if 0%{with_python2} && 0%{with_python3}
|
||||
%global dir_primary %{pkgname}_python3
|
||||
%global python_primary %{__python3}
|
||||
%global dir_secondary %{pkgname}_python2
|
||||
%global python_secondary %{__python2}
|
||||
%else
|
||||
%global dir_primary %{pkgname}
|
||||
%endif
|
||||
|
||||
%autosetup -c -N -n %{pkgname}
|
||||
%autosetup -N -n %{pkgname}
|
||||
|
||||
pushd %{pkgname}
|
||||
# patches go here
|
||||
%autopatch -p2
|
||||
|
||||
# copy common doc files - after here, since it may be patched
|
||||
cp -pr doc pythonmod libunbound ../
|
||||
%autopatch -p1
|
||||
|
||||
%if 0%{?rhel} > 8
|
||||
# SHA-1 breaks some tests. Disable just some tests because of that.
@ -223,11 +231,9 @@ cp -pr doc pythonmod libunbound ../
mv testdata/${TEST}.rpl{,-disabled}
|
||||
done
|
||||
%endif
|
||||
popd
|
||||
|
||||
%if 0%{with_python2} && 0%{with_python3}
|
||||
mv %{pkgname} %{dir_primary}
|
||||
cp -a %{dir_primary} %{dir_secondary}
|
||||
cp -a . %{dir_secondary}
|
||||
%endif
|
||||
|
||||
%build
@ -237,14 +243,14 @@ cp -a %{dir_primary} %{dir_secondary}
--enable-relro-now --enable-pie \\\
|
||||
--enable-subnet --enable-ipsecmod \\\
|
||||
--with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\
|
||||
--with-share-dir=%{_datadir}/%{name} \\\
|
||||
--with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\
|
||||
--enable-sha2 --disable-gost --enable-ecdsa \\\
|
||||
--with-rootkey-file=%{_sharedstatedir}/%{name}/root.key \\\
|
||||
--with-username=unbound \\\
|
||||
--enable-linux-ip-local-port-range \\\
|
||||
|
||||
|
||||
pushd %{dir_primary}
|
||||
--with-dynlibmodule \\\
|
||||
#
|
||||
|
||||
# always regenerate configure
|
||||
rm -f config.h.in aclocal.m4 configure ltmain.sh
@ -252,6 +258,7 @@ rm -f {ax_pthread,ax_swig_python}.m4
cp -p %{_datadir}/aclocal/{ax_pthread,ax_swig_python}.m4 .
|
||||
# ensure bison is used to generate fresh parser
|
||||
rm -f util/configparser.{c,h} util/configlexer.c
|
||||
|
||||
autoreconf -fiv
|
||||
|
||||
%configure \
@ -279,8 +286,6 @@ autoreconf -fiv
%make_build
|
||||
%make_build streamtcp
|
||||
|
||||
popd
|
||||
|
||||
%if 0%{?python_secondary:1}
|
||||
pushd %{dir_secondary}
|
||||
%configure \
@ -308,11 +313,9 @@ pushd %{dir_secondary}
popd
|
||||
%endif
|
||||
|
||||
pushd %{dir_primary}
|
||||
%make_install unbound-event-install
|
||||
install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp
|
||||
install -p -m 0644 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf
|
||||
popd
|
||||
|
||||
install -d -m 0755 %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig
|
||||
install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service
@ -333,11 +336,9 @@ for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unboun
done
|
||||
%endif
|
||||
|
||||
pushd %{dir_primary}
|
||||
# install streamtcp man page
|
||||
install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
|
||||
install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc
|
||||
popd
|
||||
|
||||
# Install tmpfiles.d config
|
||||
install -d -m 0755 %{buildroot}%{_tmpfilesdir} %{buildroot}%{_sharedstatedir}/unbound
@ -374,10 +375,22 @@ install -p -m 0644 %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
install -p -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
|
||||
install -p -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
|
||||
install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/
|
||||
install -p -m 0644 %{SOURCE25} %{buildroot}%{_sysconfdir}/unbound/conf.d/remote-control.conf
|
||||
|
||||
mkdir -p %{buildroot}%{_datadir}/%{name}/conf.d
|
||||
install -p -m 0644 %{SOURCE21} %{buildroot}%{_datadir}/%{name}/conf.d/
|
||||
install -p -m 0644 %{SOURCE23} %{buildroot}%{_datadir}/%{name}/conf.d/
|
||||
install -p -m 0644 %{SOURCE24} %{buildroot}%{_datadir}/%{name}/conf.d/
|
||||
install -p -m 0644 %{SOURCE26} %{buildroot}%{_datadir}/%{name}/
|
||||
|
||||
# Link unbound-control-setup.8 manpage to unbound-control.8
|
||||
echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
|
||||
|
||||
# install dracut module
|
||||
mkdir -p %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
|
||||
|
||||
install -p -m 0755 %{SOURCE27} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
|
||||
install -p -m 0644 %{SOURCE28} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
|
||||
|
||||
%pre libs
|
||||
%sysusers_create_compat %{SOURCE20}
@ -409,15 +422,12 @@ fi
%systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer
|
||||
|
||||
%check
|
||||
pushd %{dir_primary}
|
||||
#pushd pythonmod
|
||||
#make test
|
||||
#popd
|
||||
|
||||
make check
|
||||
|
||||
popd
|
||||
|
||||
%if 0%{?python_secondary:1}
|
||||
pushd %{dir_secondary}
|
||||
#pushd pythonmod
@ -432,7 +442,7 @@ popd
%doc doc/CREDITS doc/FEATURES
|
||||
%{_unitdir}/%{name}.service
|
||||
%{_unitdir}/%{name}-keygen.service
|
||||
%attr(0755,unbound,unbound) %dir %{_rundir}/%{name}
|
||||
%attr(0775,unbound,root) %dir %{_rundir}/%{name}
|
||||
%attr(0644,root,root) %{_tmpfilesdir}/unbound.conf
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
|
||||
%dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d
@ -449,6 +459,7 @@ popd
%{_sbindir}/unbound-checkconf
|
||||
%{_sbindir}/unbound-control
|
||||
%{_sbindir}/unbound-control-setup
|
||||
%{_datadir}/%{name}/
|
||||
%{_mandir}/man5/*
|
||||
%exclude %{_mandir}/man8/unbound-anchor*
|
||||
%{_mandir}/man8/*
@ -510,5 +521,8 @@ popd
%{_sbindir}/unbound-streamtcp
|
||||
%{_mandir}/man1/unbound-*
|
||||
|
||||
%files dracut
|
||||
%{_prefix}/lib/dracut/modules.d/99unbound
|
||||
|
||||
%changelog
|
||||
%autochangelog
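Review bot: The tarball-verification keyring switches from `%{SOURCE19}` to `%{SOURCE22}` (`Yorgos.asc`, fetched from `https://nlnetlabs.nl/downloads/keys/Yorgos.asc`) without recording which key fingerprint the package now trusts; Source19's URL at least names `0x9F6F1C2D7E045F8D`, while Source22's URL carries no key id, so a later refresh of that file from the same URL could silently change the trusted signer. Put the fingerprint next to the source line, e.g. `# Yorgos.asc fingerprint: <FINGERPRINT-FROM-KEYRING>` (checked out of band), and either keep a keyring that holds both maintainers' keys so a release signed by either still verifies, or explain in the commit message why the previous key is retired. Separately, if `%attr(0775,unbound,root) %dir %{_rundir}/%{name}` is the new line replacing `0755,unbound,unbound`, the run directory becomes group-writable for group root; if that is meant for unbound-control/-keygen running as root, root does not need the group bit, so a one-line comment on what actually needs 0775 would help the next reviewer.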