rpms/unbound
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: rpms:rawhide
Branches Tags
rpms:rawhide
rpms:main
rpms:f42
rpms:f43
rpms:f41
rpms:f40
rpms:f39
rpms:f38
rpms:f37
rpms:f36
rpms:f35
rpms:f34
rpms:unbound-1.13.2-rebase
rpms:f33
rpms:f31
rpms:f32
rpms:f30
rpms:f29
rpms:f28
rpms:f27
rpms:f26
rpms:f25
rpms:f24
rpms:el6
rpms:f23
rpms:f22
rpms:f20
rpms:f21
rpms:f18
rpms:f19
rpms:el5
rpms:f17
rpms:f16
rpms:f15
rpms:f14
rpms:f11
rpms:f9
rpms:f10
rpms:f12
rpms:f13
rpms:unbound-1_4_5-2_fc14
rpms:unbound-1_4_5-1_fc14
rpms:unbound-1_4_4-2_fc11
rpms:unbound-1_4_4-1_fc11
rpms:unbound-1_4_4-2_fc12
rpms:unbound-1_4_4-1_fc12
rpms:unbound-1_4_4-2_fc13
rpms:unbound-1_4_4-1_fc13
rpms:unbound-1_4_4-1_el6
rpms:unbound-1_4_4-2_fc14
rpms:unbound-1_4_4-1_fc14
rpms:unbound-1_4_4-1_el5
rpms:unbound-1_4_3-1_el5
rpms:unbound-1_3_4-1_el5_1
rpms:unbound-1_4_3-2_fc12
rpms:EL-6-start
rpms:EL-6-split
rpms:unbound-1_4_3-1_fc12
rpms:unbound-1_4_3-1_fc14
rpms:unbound-1_4_2-1_fc14
rpms:unbound-1_4_1-5_fc14
rpms:unbound-1_4_1-3_fc14
rpms:unbound-1_4_1-2_fc12
rpms:unbound-1_4_1-2_fc14
rpms:unbound-1_4_1-1_fc13
rpms:F-13-start
rpms:F-13-split
rpms:unbound-1_3_4-1_el5
rpms:unbound-1_3_4-2_fc12
rpms:unbound-1_3_4-2_fc11
rpms:unbound-1_3_4-2_fc10
rpms:unbound-1_3_4-1_fc10
rpms:unbound-1_3_4-2_fc13
rpms:unbound-1_3_3-2_fc12
rpms:F-12-start
rpms:F-12-split
rpms:unbound-1_3_3-1_fc12
rpms:unbound-1_3_0-3_fc12
rpms:unbound-1_3_0-1_fc9
rpms:unbound-1_3_0-2_fc12
rpms:unbound-1_3_0-1_fc12
rpms:unbound-1_2_1-7_fc12
rpms:unbound-1_2_1-6_fc12
rpms:unbound-1_2_1-1_el5
rpms:unbound-1_2_1-5_fc11
rpms:F-11-start
rpms:F-11-split
rpms:unbound-1_2_1-4_fc11
rpms:unbound-1_2_1-3_fc11
rpms:unbound-1_2_1-2_fc11
rpms:unbound-1_2_1-1_fc11
rpms:unbound-1_2_0-4_el5
rpms:unbound-1_2_0-3_el5
rpms:unbound-1_2_0-2_el5
rpms:unbound-1_2_0-1_el5
rpms:unbound-1_2_0-2_fc10
rpms:unbound-1_2_0-1_fc10
rpms:unbound-1_2_0-3_fc9
rpms:unbound-1_2_0-2_fc9
rpms:unbound-1_2_0-1_fc9
rpms:unbound-1_2_0-2_fc11
rpms:unbound-1_2_0-1_fc11
rpms:unbound-1_1_1-7_fc11
rpms:unbound-1_1_1-6_fc11
rpms:unbound-1_1_1-5_fc11
rpms:unbound-1_1_1-4_fc11
rpms:unbound-1_1_1-3_fc11
rpms:unbound-1_1_1-2_fc11
rpms:unbound-1_1_1-0_fc11
rpms:unbound-1_1_0-2_fc11
rpms:unbound-1_1_0-1_fc11
rpms:unbound-1_0_2-5_el5
rpms:unbound-1_0_2-5_fc9
rpms:unbound-1_0_2-5_fc10
rpms:unbound-1_0_2-5_fc11
rpms:F-9-start
rpms:F-9-split
rpms:F-10-start
rpms:F-10-split
rpms:EL-5-start
rpms:EL-5-split
..
compare: rpms:f38
Branches Tags
rpms:main
rpms:rawhide
rpms:f42
rpms:f43
rpms:f41
rpms:f40
rpms:f39
rpms:f38
rpms:f37
rpms:f36
rpms:f35
rpms:f34
rpms:unbound-1.13.2-rebase
rpms:f33
rpms:f31
rpms:f32
rpms:f30
rpms:f29
rpms:f28
rpms:f27
rpms:f26
rpms:f25
rpms:f24
rpms:el6
rpms:f23
rpms:f22
rpms:f20
rpms:f21
rpms:f18
rpms:f19
rpms:el5
rpms:f17
rpms:f16
rpms:f15
rpms:f14
rpms:f11
rpms:f9
rpms:f10
rpms:f12
rpms:f13
rpms:unbound-1_4_5-2_fc14
rpms:unbound-1_4_5-1_fc14
rpms:unbound-1_4_4-2_fc11
rpms:unbound-1_4_4-1_fc11
rpms:unbound-1_4_4-2_fc12
rpms:unbound-1_4_4-1_fc12
rpms:unbound-1_4_4-2_fc13
rpms:unbound-1_4_4-1_fc13
rpms:unbound-1_4_4-1_el6
rpms:unbound-1_4_4-2_fc14
rpms:unbound-1_4_4-1_fc14
rpms:unbound-1_4_4-1_el5
rpms:unbound-1_4_3-1_el5
rpms:unbound-1_3_4-1_el5_1
rpms:unbound-1_4_3-2_fc12
rpms:EL-6-start
rpms:EL-6-split
rpms:unbound-1_4_3-1_fc12
rpms:unbound-1_4_3-1_fc14
rpms:unbound-1_4_2-1_fc14
rpms:unbound-1_4_1-5_fc14
rpms:unbound-1_4_1-3_fc14
rpms:unbound-1_4_1-2_fc12
rpms:unbound-1_4_1-2_fc14
rpms:unbound-1_4_1-1_fc13
rpms:F-13-start
rpms:F-13-split
rpms:unbound-1_3_4-1_el5
rpms:unbound-1_3_4-2_fc12
rpms:unbound-1_3_4-2_fc11
rpms:unbound-1_3_4-2_fc10
rpms:unbound-1_3_4-1_fc10
rpms:unbound-1_3_4-2_fc13
rpms:unbound-1_3_3-2_fc12
rpms:F-12-start
rpms:F-12-split
rpms:unbound-1_3_3-1_fc12
rpms:unbound-1_3_0-3_fc12
rpms:unbound-1_3_0-1_fc9
rpms:unbound-1_3_0-2_fc12
rpms:unbound-1_3_0-1_fc12
rpms:unbound-1_2_1-7_fc12
rpms:unbound-1_2_1-6_fc12
rpms:unbound-1_2_1-1_el5
rpms:unbound-1_2_1-5_fc11
rpms:F-11-start
rpms:F-11-split
rpms:unbound-1_2_1-4_fc11
rpms:unbound-1_2_1-3_fc11
rpms:unbound-1_2_1-2_fc11
rpms:unbound-1_2_1-1_fc11
rpms:unbound-1_2_0-4_el5
rpms:unbound-1_2_0-3_el5
rpms:unbound-1_2_0-2_el5
rpms:unbound-1_2_0-1_el5
rpms:unbound-1_2_0-2_fc10
rpms:unbound-1_2_0-1_fc10
rpms:unbound-1_2_0-3_fc9
rpms:unbound-1_2_0-2_fc9
rpms:unbound-1_2_0-1_fc9
rpms:unbound-1_2_0-2_fc11
rpms:unbound-1_2_0-1_fc11
rpms:unbound-1_1_1-7_fc11
rpms:unbound-1_1_1-6_fc11
rpms:unbound-1_1_1-5_fc11
rpms:unbound-1_1_1-4_fc11
rpms:unbound-1_1_1-3_fc11
rpms:unbound-1_1_1-2_fc11
rpms:unbound-1_1_1-0_fc11
rpms:unbound-1_1_0-2_fc11
rpms:unbound-1_1_0-1_fc11
rpms:unbound-1_0_2-5_el5
rpms:unbound-1_0_2-5_fc9
rpms:unbound-1_0_2-5_fc10
rpms:unbound-1_0_2-5_fc11
rpms:F-9-start
rpms:F-9-split
rpms:F-10-start
rpms:F-10-split
rpms:EL-5-start
rpms:EL-5-split

8 commits
rawhide ... f38

Author SHA1 Message Date
Petr Menšík
175ae85efc Update to 1.19.3 (rhbz#2268404) 
- Fix CVE-2024-1931, Denial of service when trimming EDE text on
  positive replies. (rhbz#2268419)
- Use the origin (DNAME) TTL for synthesized CNAMEs as per RFC 6672.
- Bug fixes

https://nlnetlabs.nl/projects/unbound/download/#unbound-1-19-3
 2024-04-12 20:20:39 +02:00
Paul Wouters
ed8fe8728b
 		Merge branch 'rawhide' into f38 2024-03-01 11:10:43 -05:00
Petr Menšík
b0e90924f0 Ensure only unbound group members can make changes 
unbound-control should allow only privileged users from unbound group to
modify running instance.
 2024-02-14 00:30:10 +01:00
Paul Wouters
fa87c910e9 Update to 1.19.1 for CVE-2023-50387, CVE-2023-50868 
Resolves: CVE-2023-50387 (KeyTrap Denial of Service)
Resolves: CVE-2023-50868 (NSEC3 Denial of Service)
 2024-02-14 00:29:32 +01:00
Petr Menšík
5281431bea Generate configuration file from upstream example.conf 
To reduce rebase burden, just modify upstream example with our Fedora
specific changes. The result should be the same, but without the need to
manually add new features into separate config file.
 2023-11-13 15:18:41 +01:00
Petr Menšík
e3509d767e Update to 1.19.0 (#2248686) 
- New disable-edns-do option

Changes:
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-19-0
https://lists.nlnetlabs.nl/pipermail/unbound-users/2023-November/008186.html
 2023-11-13 15:18:38 +01:00
Paul Wouters
5a1d5b57ac
 		Fix for resolving outlook.com via forwarders 
- See https://github.com/NLnetLabs/unbound/issues/946
 2023-10-11 21:23:38 -04:00
Petr Menšík
397e2e5b05 Update to 1.18.0 
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-18-0

- NAT64 support
- Downstream DNS cookies
- EDE caching
- Set max-udp-size default to 1232

Resolves: rhbz#2236097
 2023-09-05 15:28:32 +02:00
27 changed files with 1597 additions and 1018 deletions
Download patch file Download diff file Expand all files Collapse all files

14
.gitignore vendored
View file

@ -87,17 +87,3 @@ unbound-1.4.5.tar.gz
/unbound-1.19.1.tar.gz.asc
/unbound-1.19.3.tar.gz
/unbound-1.19.3.tar.gz.asc
/unbound-1.20.0.tar.gz
/unbound-1.20.0.tar.gz.asc
/unbound-1.21.0.tar.gz
/unbound-1.21.0.tar.gz.asc
/unbound-1.21.1.tar.gz
/unbound-1.21.1.tar.gz.asc
/unbound-1.22.0.tar.gz
/unbound-1.22.0.tar.gz.asc
/unbound-1.23.0.tar.gz
/unbound-1.23.0.tar.gz.asc
/unbound-1.23.1.tar.gz
/unbound-1.23.1.tar.gz.asc
/unbound-1.*.tar.gz
/unbound-1.*.tar.gz.asc

128
Yorgos.asc
View file

@ -1,128 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFfYHeYBEAC/8SdeXNspt9ZIoZRSL9juNLHA17TXcHdKSthgWBtwwWZbUPq8
SJr7Y+hr6jMCDKY9800QzLF0nLkyXnZgaBcvR0rRbCT/qvALJ0fpfjcotapZ1hBv
omb9s8Bo28uKn8tbTMXYNsElUae4Ch/CrU1vfe50YoyQgLR8UBa15gV+2RmC+6jI
qxDYS8sylWlDn6Qim+77feLlObPnNdzgfWGZo14eJByTsz0qrh8aS/BS1FAsnEQ6
W6AqukhpuKuWvoAUXKjfguXQolxeexubmKaLcGOTvecw+cbh/a5SPHRtRVr9qTxp
elk6UEpakY5K9UtZkrG55VWih/4KqY9bNyhJBtpAk1fXA+mYfx5BcFpECYdU9kz4
UgV5jK0HYRHQTLC91PPVQgH86we+Aae6TaJneCLEIzBK36TgAP8RKrvFfPUym5OP
YbWOom27QTKfRVcyxPKglJxrTSWixnKWS/pqxNY8hF9Ne4crRAF4wX2yBVbGnjNr
S9TpYmjMwURbuYm+rWZk/8w5OJG60V3wax56c0jn/42O3Y2hzQ+PbOv2M4UuuajS
2YL3/KUsRLBapUpPQjzChwzdr/vzFEhk9XxK2VGMN+dh2HjYwDFendc5csyt/cVr
g3LssVS2bKy5g3IhrzCKAk0Sky4S5t/mcN+lWztNvCijuLz58GCym5GwJQARAQAB
tCtZb3Jnb3MgVGhlc3NhbG9uaWtlZnMgPHlvcmdvc0BubG5ldGxhYnMubmw+iQJX
BBMBCABBAhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAhkBFiEElI60IyLF0At5
NA9dz/M0TZCHpJAFAmjWhkcFCRLfm+EACgkQz/M0TZCHpJANXhAAvTpKNl5+kU1d
lcFrXx4pgi/knhe0y1Z+ENQWVDYTs9v+lMoyCRQuAt1Cir1LAGWfRBdTQh60I6Dc
BDj+15pFJCv/dyZiQLPUgxLtIxkwIUSjELp8JevNHhGMNz7QWdG4SEpG2aF/D2Zz
kvaoomPGjRyo/bkgR2la6eqrCOxYVP+FT7682yf0bCvSTs1kTrnwFY93s7O2RciI
MS0XWcHPtoi96JxhzUIT+v0gSFuitZhRGPh9pyIcHmRER1yKugvMp6xF5UjNIcfL
ScrNlGXgjc6EJiGXS5CHliIlxlAxs4J1T9JiGQZOAW/CPxe4IND34DhqwvQcJdtL
8jt1b2xUcuFfYNa3SY671OnLt3EhwMsYDaSIXrPqW8R6XuaSxhb4sL/okHkb833b
CgaWvjQZgRm1h0R2IY5C3kHotsLUd2fygrtVVvaLxGEoi9UBsKoLu2kHEJnV5HJO
jfJMBBGgGFscfk3p1v4SAA30xPR7i6O2KDmFsVzL6xKbnFMMmayEVfWzGXmxB7lv
ob6HrJIvVH6mx64OsAY0LQI6abQI3TTZn13+RNxuATQS+j0tqbZvVJtWFw41eqsU
OqeNF9W323uvhJcjDyYquAREIivFXkzxa9y3rgQfB9OX9usD79aij4y/YLqZxafl
InYUlMGygNOGXruFRZ7DD6zciK2Zu7W0K0dlb3JnZSBUaGVzc2Fsb25pa2VmcyA8
Z2VvcmdlQG5sbmV0bGFicy5ubD6JAlQEEwEIAD4CGyMFCwkIBwIGFQgJCgsCBBYC
AwECHgECF4AWIQSUjrQjIsXQC3k0D13P8zRNkIekkAUCaNaGWAUJEt+b4QAKCRDP
8zRNkIekkKovEACQkeEImQeer9jsY066WyIpvrhcy6xtWjeW8v1ZasRoi+DOFWeA
18O5iD34UaIPPGFRu6PRdSMLdUqtelFgONVDnXEuqOGAptMcCI4wp4+NIFd00v0J
9A9ur7xWt0Q0O1fMjFOMPa5oQK9dg1MCI0/RWRObOPf3cIr2NhgWwBuKTCluKyFc
mnRQXwyxBGCBRvK5zKmA8BBlnHuPfunTAcduNSExUx3e0w5BD5lcG4YeyuR+IRcY
HJPGU20f634dDSJGKJvGxjpaCxGQNca6s8Mpkq3lm/D3Ia4Vpw/HdiSawv/U71S/
4F6lctMjvoS73Ao9DZ4iDPqkHJ73HidNp7n25SLnXKruZsnXitjYT8ueP7byeLPi
7IvqoENXoXNqNfDuXfqri/WnHPYWbKIdj5WWFeaR3Ws+szw3Wql7mJ1cNFWbNCE7
rGFPhSNyG3n6mlEBUKUYn8FuOF9PHwwWl86GHLI6O4xOIohESyrZrq2mJS61sSq6
AAQ7cqx6UMNJdBcgB5Ry7qRUF6ZmowZZu3aWFF4dW+LwMvuaFjKzShsKzj8GCE0B
pQDjy+IeWM2mBVneuCicWwvbSzVWx+Ow42QRvmH8Ja9PqoIYeJQUiMr1+aAG6kUK
3VW4iugsu3/oFIlFrkYZy9YEfCOEMgqRKL/cuBJTZt0OPFRE/9O/M/FVmIkBHAQS
AQIABgUCV9kUOAAKCRAwkY2CdXJCIju1B/oCvf1kWYndNeLS6U2O6DtFAL2Ia5tY
Zukcyqb1hkYcrBiMZbQN94gX5a+6Q4pdd2n241r1ZuSWdwUhRUbF4mvbZMVsavnk
cvrRGviVIUXf71W0O/IsmQ9oN0Finhpf14Y4z/xqF8DpvJdkWc6X5g+RJuko6q2w
B7x2UfSyF4USp47LSmUQnC59IF8jzaElgBha3gwEuXL3d2qBepoV/e9RiXJClUAT
+O7qdxzDq1eiZ+NXUjDCmrkuWjHLAZAv0jx1KUTCQ2no62UM95igtJ+Kn56Lc2+J
CqFJztaZeX8CgXXryxNpsyhZJ33dIoLCT03K25wrV5Y+eag05slQ9sC3iQI9BBMB
CAAnBQJX2RCwAhsjBQkFo5qABQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAAoJEM/z
NE2Qh6SQ3JUP/2G3bRNObS7zsfN3rjkbjLxaDOwNggRdbeXM5rHDVEG9SWesCGaI
vyQdkSGQoIaKUgNv7Yp8O8pEnD4IwdhNSaXVIB3pBtdOD0UM1wuxRpfqJOUxZEoW
T2Jr31Tg2qepp6nT7UmdiF7uCBDy8Jm6k6Q+6UT58cPaesRQdSPi6Go7ho2/xVvK
Ve9ufSTSTdG5+7bJDu6Iv7sydKUEG4jPDqo+jjVLn1X6Rfp+E4JAvOvFrSJHW5sa
A332xV40GeV+aM1ndP7dPkz8+AGB3QD7JF2DLcqvLo0TYOvjnlOGYcNp8gzp23g9
KFwe2sdbdtVpuWaJUSpXXiUZnFzrrVxDNiEBjqsPa5ysOxzJ+1gUbcrIjUeNeAFh
us4XL+IidPATnhTIX3X/uPRB87KaTaA8XUqsuSd2DM9mLxdHKC9Jf8D1t+ywYrek
Cp+K80vCtFPWBM4+w8nGugTNKJEGIXZDGFOF/c7r6xKkaOYK0Y+IGJawlV5LaADl
BmQpPk0ubYclwb07FcegaHSxxIqUo/kbyt1YV5mU+QVymZ+xyvIBrnW8hBuNWRvU
5acnIZibCERayo8ZuI+r/X3bLHfDx0oh2h+cL3utNZUqmgZNR0Di8P+x0hUYsYPO
TJaDBSgvxUtY0Ci+OWX38kffGGvhW3CM8V6skdVc8cp7Db7gxase4BxxtC5HZW9y
Z2UgVGhlc3NhbG9uaWtlZnMgPGdlb3JnZUBvcGVubmV0bGFicy5jb20+iQJUBBMB
CAA+AhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEElI60IyLF0At5NA9dz/M0
TZCHpJAFAmjWhlgFCRLfm+EACgkQz/M0TZCHpJCWag/+MJOLW1tBNPA9sBcjl9V4
Cjc2TIR/r8RRGv5lstVXlXc5T4SR48UvQTxaUU+KJia5POsaAsw9yk7Zz4r7ul0D
Vd9tzHCcwxl46e0Kwn2VGBMHThsWC7QDuK7b+4AlxeO4EDWRPPw4BCB7aTxJzA3N
O4qpEF4TVeb97uyNQr2YaTGUzSI58vCgXgeOpH9ivomQi1nCxZbdrFh2yKJ+H4EH
gI8+D9iSnJMI16RS1dE7Pa85IG+qPd3owAbOlc+tBsSvdbFdRufQZeiNGKfQno1E
oygZt8svcuKpGAG1flzpPu5LE9oMsIDia9hcn4YFqr80F5bW1rUvFeC0rYp9/0ui
6lo34PAhEieB8XzjbpDDEnlkziRoz2YNVJmZOWrCAMI1bUFI5/+YWuJTXCGF62dE
dO7aBWoUkchkGGSGKbPW9KYdmqMdfOeuqZRBhKs8bgHIArJ+kvglhCJr/qNX5T8p
oCHE5bnEwFxnH2Q6a2ffpMpOExGvPaoAWlym/ID/MMet0riZ2izFUdmjEkA0HUaa
7h5x1dKMhHzYDXOW8Ksx9vE24gLrjfqfvIiYpErn+SVs0KUqkR0BRWLRYjyq/Bj/
btTQXcDeYpQj4tL2cX3Eosqaoy5NDGCK4yqWOxENOJ/YcO5dTPJDNsHlc2JSdejz
a4g8AHFlkpPn0tlflbuE7q6JARwEEgECAAYFAlfZFDwACgkQMJGNgnVyQiIHjAf/
VrPMgIRjRTYi4cxOr5ewaim1hgJZO1oCJoMopwIvpZ2kAUqL/uPMT3wREe5bi79H
jXYcaX+RbrV4ZdzaajDUFCj867KGErxqtRkANJ1eNLcQmVwGNoFeTQbgEOBfKq1t
hRfMqHF3fxCPJp4z4U3kBPUpIQPERjgUdkH8fxZ34Omo1SLO1b0dVqsneezccBVv
Hj7gVoaWw65Ov7vngwNCKH3fjOkcoINTH/nEw4WWh6UV5ZN49GRqa6oWdUJMZbgB
w8z357RLN6YLe7KMh4oGpUIvfH6Vfq6CIb6s9pfgjAvq8O7p9n0/0FG77j84MuGw
fdhq8eSazO/j9LUCBM+8k4kCPQQTAQgAJwUCV9kQiwIbIwUJBaOagAULCQgHAgYV
CAkKCwIEFgIDAQIeAQIXgAAKCRDP8zRNkIekkN9pD/wI8JAyjJEIjUJNLRuARDDv
pJrQjAo/02naPcGs4yyUd7yRkhzVKLFLvif8XICxxLWk6FdT0PJeKGTvRoe2+Rje
c14rO30niRymWkBi36iDW46Dpt7Jx+LUDhUMYPL+woKSoHmbBGWLSYXKxaD8F93A
nVs97nP4PWpspv2BFiuwKGsSsOyyQPPvr7jCin3H5oPH9qDnIV0KonAYbzzEKod5
t0Rgzo/nWXZBFXWC5xvKeghwkdT++gYS/ThvQY2ua6A1XRE8BntyldD081NPi3NO
dWa9m8ufFOJsEEiWcpdT+EWoDw5JyGAR7U3IOVl3BTo7shdcYEvRVrDMBpac+ItG
WvogUv7alBdHWi48amvZE06RI/nDJ/rxj13S/4POgMHU++aQI5a1G5H3jBu4cehH
4iT1UKmozfzVEfcHb2dsaKnnuFzQxmol0lZu1ETyof+Lxvs+wErN0QR+VDNweJEJ
PMXiEcjASdLtrEKgFSP2B5yGGzt93C+HbD+VQOU359aAnvVjbTAVz8izuMphd6Bz
Ix1q//q2VmxqjjT3Iv30hBRX02x2M8gsP/e49XWEll7stkMtbYhBU0sHQ2CqzLGh
gJN3ecpi2sKWVqN8HUZOwJFj6f9ZX76YSM23wIugHfscMAVJUXvBrbd151WIshOf
FFPo62sYGt+SEMXWeRcHjbQuWW9yZ29zIFRoZXNzYWxvbmlrZWZzIDx5b3Jnb3NA
b3Blbm5ldGxhYnMuY29tPokCVAQTAQgAPgIbIwULCQgHAgYVCAkKCwIEFgIDAQIe
AQIXgBYhBJSOtCMixdALeTQPXc/zNE2Qh6SQBQJo1oZYBQkS35vhAAoJEM/zNE2Q
h6SQjBkP/0IvctNT9T+DtGZyMiw/Jna9G3QhtW7exhlxzqqX3tFmZpaJj3VswyqA
5hx5BdJEShC8qNEqrBCHxcCZgsLvR3GKc/0LTgP7+7VH/ugAScrlVeI8rB6V1jn5
cnfY5fsfOQ8i0b/8C+CiEe0TW90VRHjYV6DWMdUfqQb3E/snl23RMFeTL0Qrrk8H
Lo3MTko7TeKRYOV/g/qQkb9CFQZNyzgIjD7uZi8or8qFJ/uZTnlBq5/NRDB5Z3ew
7WXc3QrRUXmbbDzdnIeCtu5vmuk+hc69gbOst9nWf3y2qlK7BjZqT+PqKZa/fa/i
5pZpv1hB8DrA2WTIpN7iXhCvABXSEoUOJaLkRSJVDqzvuaeqOEPrk1aJSMWoio/w
8RRa1L7k6m81Dc0dqYbBOSI4MCNm8ZawQI2L4qRs5QORg4nRnAevFgkzhJKFYF2N
jzX/2xlAuOym126DODC9qJSJZR7uTOJXh0yqknfkPgDXjchpzq+Q+CM+jYo6AGas
/XPAuRQCQaLSYr9UPL7Fn62//ysZQAyAkJQR1u7UwAd6/UTTMVZpUJsLQyMyikF7
UT4K7MWrvkZxMRPhGan0P2pRe36M9BBjYRTp0TIr+UjUT8iBfjdrttI9DQlkcEeQ
rKhcE31KqjwJMdiuzbpqqXaEss9AFuJng3Owewt4wAft3eu1U7PWuQINBFfYHeYB
EAC2h9yjSe2SgtcB0H+E0ndaewaZaQCE7q+RO43dotGH9eFnVwE4/ftcK1SN42ih
lF5OnTaKPyXvgQ6U8W8VB8eLjeTwA/dSXuJX7kJpEK8saPqJP6zTUmPqp/GSzS6Y
rhKLfpFn4chmywpDFcGNMz0sYXiJgPqKL7W0KuG+ziPToAeWl8ckeXyl77/lHVhW
YylaQJEASklqCViPXSp9vI7/57UEm4MQPXwsDBOwuVVqcSu3ZM5MtY9XlbVPNCYm
ZIMqmh8HgYwbiq9dTfJi+6v17+uDQGZewWK/WwFM+9dDx7YkTeOBiUduYtJPW64N
W/RJ7pskbLAy+OZApTZWg0cISN6GOmPN3F0AiWzUjvSMREHhFHyxj4Y15vuDOFvP
GFxr4xBiyMX1JLCKK6OFnyPfoJ9v/o3UgrQgLrfXCmKdvkwBCgJvN3Fsxzha6Dtf
6RcZ02fr7SCZZhdBrlrflvC1uWZ0g3A87ss7h4Iw3njlO3aX6Bo9R4VOLUkiRKi4
hmQBxPvXxI2ERmKRomo6lrMaDMzIjD4APSM1vUfZguzQxVYpM8lwy1COeqxsj5p+
LH6f/EU+4dXZwooJ1uanBOvG2ntnz8SErE+e7wNYE4a/fb8xYM4j7p6qYtnNZPb8
sj8bvx8iWXp4A1csVetyVSchBhTVQhhNos6ouYpc4ibrYwARAQABiQI8BBgBCAAm
AhsMFiEElI60IyLF0At5NA9dz/M0TZCHpJAFAmjWhoAFCRLfnBoACgkQz/M0TZCH
pJA4sA/7BZrP4nwWF1eQVliMWJ1KKG+sHizK4c+ZiB67aFJw4pLDCL5o6unOWH8V
ocr1pWC/BMmLG4K77O2qadhUH7mzXm/ddZ/DVF3xHTvTmG1W1bLd6zj3k6qOFYq8
yPS2QNTa3+3oNbtZQ+RpvhCAmv2Dc1GMPNP2hKR/Ju9r9NwGWBEDQBtiMZ7872QJ
yR3IFyfQGRvj+GBbEBvJwCFmaRb3eDorhaNhM0b0c/RbIueEWD40nkCUtmM4Zrc1
0HLod8Li8C4j8sIqIdfTKo1RiJUUg86q1K3pGA86hoOzeaihZekcm6wMwGlhXymb
Ng41yB/ZTedl9wk+XEEcD6HZMCXyfh55hBdWG06aEhMIALjOCj2VkRnDLmOKLgDZ
kg7OOQxDfKACCCvk72HZG3qKtaN9oNH1oeaVwc3ytWR8y2hQJcCxmoQsLn+Xvkgc
aYRNklPW2z8817J3fmvvwS0o6sOWRHLb0XAc+NZg4lEQOgwVFrE0XIAgkXHLQbuQ
GRpRzRncHX95RXMzGb1+8kpWEcM7gazgUA3omoAumwNEqmeBX1TmEtDop1k5RFCS
UWbv+A2s2GSAb05MHY0InIhMxzJXEa5+dJDPSvZnbiGRGhQitEe4eIlmPcNA1lB+
ADFE2UTzcpRTo5cOKfrXyZXr6JCEl2+tB3o5m0v7FRdr6+zIS5g=
=Ubkv
-----END PGP PUBLIC KEY BLOCK-----

229
fedora-defaults.conf
View file

@ -1,229 +0,0 @@
# Fedora distribution defaults
server:
# verbosity number, 0 is least verbose. 1 is default.
verbosity: 1
# print statistics to the log (for every thread) every N seconds.
# Set to "" or 0 to disable. Default is disabled.
# Needs to be disabled for munin plugin
statistics-interval: 0
# enable cumulative statistics, without clearing them after printing.
# Needs to be disabled for munin plugin
statistics-cumulative: no
# enable extended statistics (query types, answer codes, status)
# Needs to be enabled for munin plugin
extended-statistics: yes
# number of threads to create. 1 disables threading.
# num-threads: 1
num-threads: 4
# specify the interfaces to answer queries from by ip-address.
# The default is to listen to localhost (127.0.0.1 and ::1).
# specify 0.0.0.0 and ::0 to bind to all available interfaces.
# specify every interface[@port] on a new 'interface:' labelled line.
# The listen interfaces are not changed on reload, only on restart.
# interface: 0.0.0.0
# interface: ::0
# interface: 192.0.2.153
# interface: 192.0.2.154
# interface: 192.0.2.154@5003
# interface: 2001:DB8::5
# interface: eth0@5003
#
# for dns over tls and raw dns over port 80
# interface: 0.0.0.0@443
# interface: ::0@443
# interface: 0.0.0.0@80
# interface: ::0@80
# enable this feature to copy the source address of queries to reply.
# Socket options are not supported on all platforms. experimental.
# interface-automatic: yes
#
# NOTE: Enable this option when specifying interface 0.0.0.0 or ::0
# NOTE: Disabled per Fedora policy not to listen to * on default install
# NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled
interface-automatic: no
# permit Unbound to use this port number or port range for
# making outgoing queries, using an outgoing interface.
# Only ephemeral ports are allowed by SElinux
outgoing-port-permit: 32768-60999
# IANA-assigned port numbers.
# If multiple outgoing-port-permit and outgoing-port-avoid options
# are present, they are processed in order.
# Our SElinux policy does not allow non-ephemeral ports to be used
outgoing-port-avoid: 0-32767
outgoing-port-avoid: 61000-65535
# use SO_REUSEPORT to distribute queries over threads.
# at extreme load it could be better to turn it off to distribute even.
so-reuseport: yes
# use IP_TRANSPARENT so the interface: addresses can be non-local
# and you can config non-existing IPs that are going to work later on
# (uses IP_BINDANY on FreeBSD).
ip-transparent: yes
# Enable UDP, "yes" or "no".
# NOTE: if setting up an Unbound on tls443 for public use, you might want to
# disable UDP to avoid being used in DNS amplification attacks.
# do-udp: yes
# Enable EDNS TCP keepalive option.
edns-tcp-keepalive: yes
# Fedora note: do not activate this - not compiled in because
# it causes frequent unbound crashes. Also, socket activation
# is bad when you have things like dnsmasq also running with libvirt.
# Use systemd socket activation for UDP, TCP, and control sockets.
# use-systemd: no
# If you give "" no chroot is performed. The path must not end in a /.
# chroot: "/etc/unbound"
chroot: ""
# If you give a server: directory: dir before include: file statements
# then those includes can be relative to the working directory.
directory: "/etc/unbound"
# print UTC timestamp in ascii to logfile, default is epoch in seconds.
log-time-ascii: yes
# Harden against unseemly large queries.
harden-large-queries: yes
# Harden against unverified (outside-zone, including sibling zone) glue rrsets
harden-unverified-glue: yes
# Default off, because the lookups burden the server. Experimental
# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
harden-referral-path: yes
# Sent minimum amount of information to upstream servers to enhance
# privacy. Only sent minimum required labels of the QNAME and set QTYPE
# to A when possible.
qname-minimisation: yes
# Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
# and other denials, using information from previous NXDOMAINs answers.
aggressive-nsec: yes
# threshold, a warning is printed and a defensive action is taken,
# the cache is cleared to flush potential poison out of it.
# A suggested value is 10000000, the default is 0 (turned off).
unwanted-reply-threshold: 10000000
# if yes, perform prefetching of almost expired message cache entries.
prefetch: yes
# if yes, perform key lookups adjacent to normal lookups.
prefetch-key: yes
# deny queries of type ANY with an empty response.
deny-any: yes
# if yes, Unbound rotates RRSet order in response.
rrset-roundrobin: yes
# if yes, Unbound doesn't insert authority/additional sections
# into response messages when those sections are not required.
minimal-responses: yes
# module configuration of the server. A string with identifiers
# separated by spaces. Syntax: "[dns64] [validator] iterator"
# most modules have to be listed at the beginning of the line,
# except cachedb(just before iterator), and python (at the beginning,
# or, just before the iterator).
# For redis cachedb use:
# "ipsecmod validator cachedb iterator"
module-config: "ipsecmod validator iterator"
# trust anchor signaling sends a RFC8145 key tag query after priming.
trust-anchor-signaling: yes
# Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
root-key-sentinel: yes
# the trusted-keys { name flag proto algo "key"; }; clauses are read.
# you need external update procedures to track changes in keys.
# trusted-keys-file: ""
#
trusted-keys-file: /etc/unbound/keys.d/*.key
auto-trust-anchor-file: "/var/lib/unbound/root.key"
# Should additional section of secure message also be kept clean of
# unsecure data. Useful to shield the users of this validator from
# potential bogus data in the additional section. All unsigned data
# in the additional section is removed from secure messages.
val-clean-additional: yes
# Turn permissive mode on to permit bogus messages. Thus, messages
# for which security checks failed will be returned to clients,
# instead of SERVFAIL. It still performs the security checks, which
# result in interesting log files and possibly the AD bit in
# replies if the message is found secure. The default is off.
# NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
val-permissive-mode: no
# Serve expired responses from cache, with serve-expired-reply-ttl in
# the response, and then attempt to fetch the data afresh.
serve-expired: yes
# Limit serving of expired responses to configured seconds after
# expiration. 0 disables the limit.
serve-expired-ttl: 14400
# Have the validator log failed validations for your diagnosis.
# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
val-log-level: 1
# service clients over TLS (on the TCP sockets) with plain DNS inside
# the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
# Give the certificate to use and private key.
# default is "" (disabled). requires restart to take effect.
# tls-service-key: "/etc/unbound/unbound_server.key"
# tls-service-pem: "/etc/unbound/unbound_server.pem"
# Fedora/RHEL: use system-wide crypto policies
tls-ciphers: "PROFILE=SYSTEM"
# Enable to attach Extended DNS Error codes (RFC8914) to responses.
# Fedora defaults to yes.
ede: yes
# Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale
# Answer as EDNS0 option to expired responses.
# Note that the ede option above needs to be enabled for this to work.
# Fedora defaults to yes.
ede-serve-expired: yes
# Enable or disable ipsecmod (it still needs to be defined in
# module-config above). Can be used when ipsecmod needs to be
# enabled/disabled via remote-control(below).
# Fedora: module will be enabled on-demand by libreswan
ipsecmod-enabled: no
# Path to executable external hook. It must be defined when ipsecmod is
# listed in module-config (above).
ipsecmod-hook: /usr/libexec/ipsec/_unbound-hook
python:
# Script file to load
# python-script: "/etc/unbound/ubmodule-tst.py"
# Remote control config section moved into own remote-control.conf
# the module-config then you need one dynlib-file per instance.
dynlib:
# Script file to load
# dynlib-file: "/etc/unbound/dynlib.so"
# Fedora: DNSCrypt support not enabled since it requires linking to
# another crypto library
#

17
mkroot.sh
View file

@ -1,17 +0,0 @@
#!/bin/sh
SOURCE="/usr/share/dns-root-data/root.key"
DEST="${1:-root.key}"
mk_key() {
echo "# Generated from $SOURCE"
echo "# Use /var/lib/unbound/root.key instead."
echo "trusted-keys {"
while read DOMAIN CLS TYPE FLAGS PROTO ALG KEYDATA COMMENT KEYTAG; do
echo "$DOMAIN $CLS $TYPE $FLAGS $PROTO $ALG \"$KEYDATA\" # $KEYTAG"
done < "$SOURCE"
echo "};"
}
mk_key > "$DEST"
touch -r "$SOURCE" "$DEST"

44
module-setup.sh
View file

@ -1,44 +0,0 @@
#!/usr/bin/bash
check() {
require_binaries unbound unbound-checkconf unbound-control || return 1
# the module will be only included if explicitly required either
# by configuration or another module
return 255
}
depends() {
# because of pid file we need sysusers to create unbound user
echo systemd systemd-sysusers
return 0
}
install() {
# We have to make unbound wanted by network-online target to make sure
# there is a synchronization point when other services are able
# to make queries
inst_simple "$moddir"/unbound-initrd.conf /etc/systemd/system/unbound.service.d/unbound-initrd.conf
# /etc and /var/lib do not have its variables
inst_multiple -o \
"$systemdsystemunitdir"/unbound.service \
/etc/unbound/conf.d/remote-control.conf \
/etc/unbound/openssl-sha1.conf \
/usr/share/unbound/fedora-defaults.conf \
/usr/share/unbound/conf.d/*.conf \
/etc/unbound/local.d/*.conf \
/etc/unbound/keys.d/*.key \
/etc/unbound/unbound.conf \
/etc/unbound/unbound_control.key \
/etc/unbound/unbound_control.pem \
/etc/unbound/unbound_server.key \
/etc/unbound/unbound_server.pem \
"$sysusers"/unbound.conf \
"$tmpfilesdir"/unbound.conf \
/var/lib/unbound/root.key \
unbound \
unbound-checkconf \
unbound-control
$SYSTEMCTL -q --root "$initdir" enable unbound.service
}

24
nlnetlabs2026-g2.asc
View file

@ -1,24 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQGNBGc7H5IBDADOZfJwZ6zZ/4JbbR2hef4261/zh7YpdjUREUs0dMQSbf+x7sAE
50JgvLQWlvA8sDHzbUMQ9cAYZBGGE6iHb50KboeEfuiP5BdiLe8XWKlo1EIh+Idz
0+e1binxwvXV1/9ACm/UHPRuWjkG7vrP+mVRuhfKglO6xSDxV1cwjYTRtvRtQx8D
+kTdZzprvtzkU7OIWeczKFJRhVHzNDHYFG9SuxvDA9cbVm1KPVJEkRBwoSBPeB0z
Z3LSib2uT6Lc/ghAijOwIpR+zNYKOYxRhzoFArrLa0Fs4nq6//LA42/aVjSienEJ
SR5CVUbZy14WuUsYCkV+ZoORVRYZOcjtPG7FUKDXKzY9/iNhEAZ3OMK7Np2Xq/YO
gaOiUDFXLHU1n2UVH1rwkMiS2o4EMqvO7gINmnL/ccpI2wj2QrQ+JZ9y1Xky7dQM
LIIbtp40e0kGocgyba484rW17xlvXRxb1Pjn93JygD6WcraLLNh9jq87hW/J37qi
S4DL+GUe10H8SeEAEQEAAbQ6TkxuZXQgTGFicyByZWxlYXNlcyBzaWduaW5nIGtl
eSBHMiA8cmVsZWFzZXNAbmxuZXRsYWJzLm5sPokBzgQTAQoAOBYhBCMQGGkMTZA+
9BkUaqFEMj3qrN9FBQJnOx+SAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ
EKFEMj3qrN9FZigL/0aVsJ48oe7vko1Mwg9DucFoCL8CESAarA40in1Bauq7p/pT
l5UcNnFPLO8HBAHWGWtDI63pEhNzHacPzSI94GKS4TUMGzCV1H/c0KnxB7wAO55b
HEQOZJ+kFRBFXWxbXORtp86NZuyCvVoSA4QAcnCf4m5ZEBb72H2cmy8xP+/HLkbS
rpr5pyoUWtCYM8FxnjM3bClXSGOlWNl9cSXLqyyVjxvc7cOAS8ytL/zoVStoBmi/
OwQbeJfAiqDMnipBJNzOHlfniKXE0FGDozKCHWP88ifs8A8OUNtJng7cNq7EQf9K
vTvbJCcF4akUUcXnx4gv9Z1ZQ93Jg5X7h+0MP7Ut4z9hKSIAOowru7GXGEt256Ja
eE1nSviDcqUtZpyqCLjpCDFGPMwSPzSwlPXjJVlVxPkDvPuNt2LUIEd8BR8Wo7z+
NA5uM/zTHkQXEdUgCcl/rHy6moHYV3Q+YbMb17zU37a5vLb+wQ74doaiYo3b8KoV
K6vVKMmB0qru6ERJ3g==
=4R8U
-----END PGP PUBLIC KEY BLOCK-----

8
openssl-sha1.conf
View file

@ -1,8 +0,0 @@
# OpenSSL configuration file to allow SHA1 validation,
# regardless of crypto-policy selected.
# Use it by adding into /etc/sysconfig/unbound:
# OPENSSL_CONF=/etc/unbound/openssl-sha1.conf
.include = /etc/ssl/openssl.cnf
[evp_properties]
rh-allow-sha1-signatures = yes

2
plans/all.fmf
View file

@ -1,7 +1,7 @@
summary: Test plan with all Fedora tests
discover:
how: fmf
url: https://gitlab.com/redhat/centos-stream/tests/unbound.git
url: https://src.fedoraproject.org/tests/unbound.git
execute:
how: tmt

2
plans/tier1-public.fmf
View file

@ -1,7 +1,7 @@
summary: Public (Fedora) Tier1 beakerlib tests
discover:
how: fmf
url: https://gitlab.com/redhat/centos-stream/tests/unbound.git
url: https://src.fedoraproject.org/tests/unbound.git
filter: 'tier: 1'
execute:
how: tmt

4
remote-control-include.conf
View file

@ -1,4 +0,0 @@
# Previous defaults allowed any process to change settings, CVE-2023-1488
# If you want to modify remote configuration, replace this file with
# contents of included file and modify afterwards.
include: "/usr/share/unbound/conf.d/remote-control.conf"

26
remote-control.conf
View file

@ -1,26 +0,0 @@
# Remote control config section update.
# Previous defaults allowed any process to change settings, CVE-2023-1488
# This file can be used also by: unbound-control -c <path>
remote-control:
# Enable remote control with unbound-control(8) here.
# set up the keys and certificates with unbound-control-setup.
control-enable: yes
# set to an absolute path to use a unix local name pipe, certificates
# are not used for that, so key and cert files need not be present.
control-interface: "/run/unbound/control"
# For local sockets this option is ignored, and TLS is not used.
control-use-cert: "yes"
# Unbound server key file.
server-key-file: "/etc/unbound/unbound_server.key"
# Unbound server certificate file.
server-cert-file: "/etc/unbound/unbound_server.pem"
# unbound-control key file.
control-key-file: "/etc/unbound/unbound_control.key"
# unbound-control certificate file.
control-cert-file: "/etc/unbound/unbound_control.pem"

1
root.anchor
View file

@ -1,2 +1 @@
. 172800 IN DNSKEY 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ;{id = 38696 (ksk), size = 2048b}
. 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}

6
root.key Normal file
View file

@ -0,0 +1,6 @@
; // The root key in bind format. This can be read by most tools, including
; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this
trusted-keys {
"." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326
};

4
sources
View file

@ -1,2 +1,2 @@
SHA512 (unbound-1.24.2.tar.gz) = 655d63ec5305323e84d82691425d74d98c332d0028517bd729d191e5f968ce9481b49ec7447d4c4906dce7997a998a115db36e911a59d2d877da5840c2080261
SHA512 (unbound-1.24.2.tar.gz.asc) = 66a3e569a606cc3ed7dac9b411fba347da150728427619bdbf12ac57a5d7db1fc17963b1ba052a95d6c6fed67a6f0c1b5920318f6cd34e5091750626dd63fb21
SHA512 (unbound-1.19.3.tar.gz) = f860614f090a5a081cceff8ca7f4b3d416c00a251ae14ceb6b4159dc8cd022f025592074d3d78aee2f86c3eeae9d1a314713e4740aa91062579143199accd159
SHA512 (unbound-1.19.3.tar.gz.asc) = 1b6437d7ac4394ab7d6eb0d12f22b39538152f9c88175a5368263059950b8e6b093fa5392d1ff37874effef7a422afa9c690f766802208979a99500a4bea5906

2
tmpfiles-unbound-libs.conf
View file

@ -1,2 +0,0 @@
d /var/lib/unbound 0755 unbound unbound -
L /var/lib/unbound/root.key - - - - ../../../etc/unbound/dnssec-root.key

2
tmpfiles-unbound.conf
View file

@ -1 +1 @@
D /run/unbound 0775 unbound root -
D /run/unbound 0755 unbound unbound -

171
unbound-1.24-quic-on-demand-only.patch
View file

@ -1,171 +0,0 @@
From 1dfe06278c1446558b5043d7c57cd901e7d96829 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Mon, 24 Nov 2025 13:44:14 +0100
Subject: [PATCH] Do not initialize quic_table unless it is enabled
Fedora in FIPS mode might fail to initialize ngtcp2 library, because
some ciphers desired are not available.
Make it possible to skip initialization by setting explicitly quic_port
to 0. Unless we have some listeners for port 853 configured, skip its
initialization as well.
Related: https://pagure.io/freeipa/issue/9877
---
daemon/daemon.c | 14 +++++++++-----
services/listen_dnsport.c | 14 +++++++++++---
util/configparser.y | 15 +++++++++------
util/netevent.c | 3 +++
4 files changed, 32 insertions(+), 14 deletions(-)
diff --git a/daemon/daemon.c b/daemon/daemon.c
index f882bb9ad..a9cc25c67 100644
--- a/daemon/daemon.c
+++ b/daemon/daemon.c
@@ -558,9 +558,11 @@ daemon_create_workers(struct daemon* daemon)
verbose(VERB_ALGO, "total of %d outgoing ports available", numport);
#ifdef HAVE_NGTCP2
- daemon->doq_table = doq_table_create(daemon->cfg, daemon->rand);
- if(!daemon->doq_table)
- fatal_exit("could not create doq_table: out of memory");
+ if (cfg_has_quic(daemon->cfg)) {
+ daemon->doq_table = doq_table_create(daemon->cfg, daemon->rand);
+ if(!daemon->doq_table)
+ fatal_exit("could not create doq_table: out of memory");
+ }
#endif
daemon->num = (daemon->cfg->num_threads?daemon->cfg->num_threads:1);
@@ -917,8 +919,10 @@ daemon_cleanup(struct daemon* daemon)
daemon->dnscenv = NULL;
#endif
#ifdef HAVE_NGTCP2
- doq_table_delete(daemon->doq_table);
- daemon->doq_table = NULL;
+ if (daemon->doq_table) {
+ doq_table_delete(daemon->doq_table);
+ daemon->doq_table = NULL;
+ }
#endif
daemon->cfg = NULL;
}
diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c
index f7fcca194..ab8f1ba72 100644
--- a/services/listen_dnsport.c
+++ b/services/listen_dnsport.c
@@ -1564,7 +1564,7 @@ listen_create(struct comm_base* base, struct listen_port* ports,
cp = comm_point_create_udp(base, ports->fd,
front->udp_buff, ports->pp2_enabled, cb,
cb_arg, ports->socket);
- } else if(ports->ftype == listen_type_doq) {
+ } else if(ports->ftype == listen_type_doq && doq_table) {
#ifndef HAVE_NGTCP2
log_warn("Unbound is not compiled with "
"ngtcp2. This is required to use DNS "
@@ -3275,7 +3275,11 @@ nghttp2_session_callbacks* http2_req_callbacks_create(void)
struct doq_table*
doq_table_create(struct config_file* cfg, struct ub_randstate* rnd)
{
- struct doq_table* table = calloc(1, sizeof(*table));
+ struct doq_table* table;
+
+ if (!cfg->quic_port)
+ return NULL;
+ table = calloc(1, sizeof(*table));
if(!table)
return NULL;
#ifdef USE_NGTCP2_CRYPTO_OSSL
@@ -3354,7 +3358,7 @@ conn_tree_del(rbnode_type* node, void* arg)
{
struct doq_table* table = (struct doq_table*)arg;
struct doq_conn* conn;
- if(!node)
+ if(!node || !table)
return;
conn = (struct doq_conn*)node->key;
if(conn->timer.timer_in_list) {
@@ -3413,6 +3417,7 @@ doq_timer_find_time(struct doq_table* table, struct timeval* tv)
{
struct doq_timer key;
struct rbnode_type* node;
+ log_assert(table != NULL);
memset(&key, 0, sizeof(key));
key.time.tv_sec = tv->tv_sec;
key.time.tv_usec = tv->tv_usec;
@@ -4922,6 +4927,7 @@ doq_conid_find(struct doq_table* table, const uint8_t* data, size_t datalen)
key.node.key = &key;
key.cid = (void*)data;
key.cidlen = datalen;
+ log_assert(table != NULL);
node = rbtree_search(table->conid_tree, &key);
if(node)
return (struct doq_conid*)node->key;
@@ -5662,6 +5668,8 @@ doq_table_quic_size_available(struct doq_table* table,
struct config_file* cfg, size_t mem)
{
size_t cur;
+ if (!table)
+ return 0;
lock_basic_lock(&table->size_lock);
cur = table->current_size;
lock_basic_unlock(&table->size_lock);
diff --git a/util/configparser.y b/util/configparser.y
index bf9c196fc..f159b8cec 100644
--- a/util/configparser.y
+++ b/util/configparser.y
@@ -1235,14 +1235,17 @@ server_http_notls_downstream: VAR_HTTP_NOTLS_DOWNSTREAM STRING_ARG
server_quic_port: VAR_QUIC_PORT STRING_ARG
{
OUTYY(("P(server_quic_port:%s)\n", $2));
+ if(atoi($2) == 0 && strcmp($2,"0")!=0)
+ yyerror("port number expected");
+ else {
+ cfg_parser->cfg->quic_port = atoi($2);
#ifndef HAVE_NGTCP2
- log_warn("%s:%d: Unbound is not compiled with "
- "ngtcp2. This is required to use DNS "
- "over QUIC.", cfg_parser->filename, cfg_parser->line);
+ if (cfg_parser->cfg->quic_port != 0)
+ log_warn("%s:%d: Unbound is not compiled with "
+ "ngtcp2. This is required to use DNS "
+ "over QUIC.", cfg_parser->filename, cfg_parser->line);
#endif
- if(atoi($2) == 0)
- yyerror("port number expected");
- else cfg_parser->cfg->quic_port = atoi($2);
+ }
free($2);
};
server_quic_size: VAR_QUIC_SIZE STRING_ARG
diff --git a/util/netevent.c b/util/netevent.c
index aedcb5e07..93db16675 100644
--- a/util/netevent.c
+++ b/util/netevent.c
@@ -2723,6 +2723,7 @@ doq_server_socket_create(struct doq_table* table, struct ub_randstate* rnd,
{
size_t doq_buffer_size = 4096; /* bytes buffer size, for one packet. */
struct doq_server_socket* doq_socket;
+ log_assert(doq_table != NULL);
doq_socket = calloc(1, sizeof(*doq_socket));
if(!doq_socket) {
return NULL;
@@ -2804,6 +2805,7 @@ doq_lookup_repinfo(struct doq_table* table, struct comm_reply* repinfo)
{
struct doq_conn* conn;
struct doq_conn_key key;
+ log_assert(table != NULL);
doq_conn_key_from_repinfo(&key, repinfo);
lock_rw_rdlock(&table->lock);
conn = doq_conn_find(table, &key.paddr.addr,
@@ -5880,6 +5882,7 @@ comm_point_create_doq(struct comm_base *base, int fd, sldns_buffer* buffer,
struct config_file* cfg)
{
#ifdef HAVE_NGTCP2
+ log_assert(table != NULL);
struct comm_point* c = (struct comm_point*)calloc(1,
sizeof(struct comm_point));
short evbits;
--
2.52.0

26
unbound-1.24-swig-function.patch
View file

@ -1,26 +0,0 @@
From 0fc825def2f812af70189a01b0fe66e1c5050aec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Fri, 24 Oct 2025 20:20:50 +0200
Subject: [PATCH] Use $action instead of $function in python SWIG interface
$function is not supported since SWIG 4.4.0.
---
libunbound/python/libunbound.i | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libunbound/python/libunbound.i b/libunbound/python/libunbound.i
index dc12514..4576844 100644
--- a/libunbound/python/libunbound.i
+++ b/libunbound/python/libunbound.i
@@ -853,7 +853,7 @@ Result: ['74.125.43.147', '74.125.43.99', '74.125.43.103', '74.125.43.104']
%{
//printf("resolve_start(%lX)\n",(long unsigned int)arg1);
Py_BEGIN_ALLOW_THREADS
- $function
+ $action
Py_END_ALLOW_THREADS
//printf("resolve_stop()\n");
%}
--
2.51.0

2
unbound-anchor.service
View file

@ -6,5 +6,5 @@ Documentation=man:unbound-anchor(8)
Type=oneshot
User=unbound
EnvironmentFile=-/etc/sysconfig/unbound
ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ] || [ -f /run/unbound/anchor-disable ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi'
ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi'
SuccessExitStatus=1

118
unbound-as112-networks.conf
View file

@ -1,118 +0,0 @@
# Allow forwarding of private ranges, which are marked forwardable by IANA
# https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
# https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
# https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml
# RFC 6303: Locally Served DNS Zones (https://www.rfc-editor.org/rfc/rfc6303.html)
#
# Using this configuration file will simplify forwarding to potentially private ranges.
# Enables forwarding of networks marked as forwardable at IANA special registry.
# This is useful when upstream forwarder may be still inside private network. That is the case
# when unbound works as a localhost DNS cache, not network wide resolver.
server:
# RFC 8375: Special-Use Domain 'home.arpa.'
local-zone: "home.arpa." nodefault
# RFC 1918: Address Allocation for Private Internets
local-zone: "10.in-addr.arpa." nodefault
local-zone: "16.172.in-addr.arpa." nodefault
local-zone: "17.172.in-addr.arpa." nodefault
local-zone: "18.172.in-addr.arpa." nodefault
local-zone: "19.172.in-addr.arpa." nodefault
local-zone: "20.172.in-addr.arpa." nodefault
local-zone: "21.172.in-addr.arpa." nodefault
local-zone: "22.172.in-addr.arpa." nodefault
local-zone: "23.172.in-addr.arpa." nodefault
local-zone: "24.172.in-addr.arpa." nodefault
local-zone: "25.172.in-addr.arpa." nodefault
local-zone: "26.172.in-addr.arpa." nodefault
local-zone: "27.172.in-addr.arpa." nodefault
local-zone: "28.172.in-addr.arpa." nodefault
local-zone: "29.172.in-addr.arpa." nodefault
local-zone: "30.172.in-addr.arpa." nodefault
local-zone: "31.172.in-addr.arpa." nodefault
local-zone: "168.192.in-addr.arpa." nodefault
# RFC 6598: IANA-Reserved IPv4 Prefix for Shared Address Space
local-zone: "64.100.in-addr.arpa." nodefault
local-zone: "65.100.in-addr.arpa." nodefault
local-zone: "66.100.in-addr.arpa." nodefault
local-zone: "67.100.in-addr.arpa." nodefault
local-zone: "68.100.in-addr.arpa." nodefault
local-zone: "69.100.in-addr.arpa." nodefault
local-zone: "70.100.in-addr.arpa." nodefault
local-zone: "71.100.in-addr.arpa." nodefault
local-zone: "72.100.in-addr.arpa." nodefault
local-zone: "73.100.in-addr.arpa." nodefault
local-zone: "74.100.in-addr.arpa." nodefault
local-zone: "75.100.in-addr.arpa." nodefault
local-zone: "76.100.in-addr.arpa." nodefault
local-zone: "77.100.in-addr.arpa." nodefault
local-zone: "78.100.in-addr.arpa." nodefault
local-zone: "79.100.in-addr.arpa." nodefault
local-zone: "80.100.in-addr.arpa." nodefault
local-zone: "81.100.in-addr.arpa." nodefault
local-zone: "82.100.in-addr.arpa." nodefault
local-zone: "83.100.in-addr.arpa." nodefault
local-zone: "84.100.in-addr.arpa." nodefault
local-zone: "85.100.in-addr.arpa." nodefault
local-zone: "86.100.in-addr.arpa." nodefault
local-zone: "87.100.in-addr.arpa." nodefault
local-zone: "88.100.in-addr.arpa." nodefault
local-zone: "89.100.in-addr.arpa." nodefault
local-zone: "90.100.in-addr.arpa." nodefault
local-zone: "91.100.in-addr.arpa." nodefault
local-zone: "92.100.in-addr.arpa." nodefault
local-zone: "93.100.in-addr.arpa." nodefault
local-zone: "94.100.in-addr.arpa." nodefault
local-zone: "95.100.in-addr.arpa." nodefault
local-zone: "96.100.in-addr.arpa." nodefault
local-zone: "97.100.in-addr.arpa." nodefault
local-zone: "98.100.in-addr.arpa." nodefault
local-zone: "99.100.in-addr.arpa." nodefault
local-zone: "100.100.in-addr.arpa." nodefault
local-zone: "101.100.in-addr.arpa." nodefault
local-zone: "102.100.in-addr.arpa." nodefault
local-zone: "103.100.in-addr.arpa." nodefault
local-zone: "104.100.in-addr.arpa." nodefault
local-zone: "105.100.in-addr.arpa." nodefault
local-zone: "106.100.in-addr.arpa." nodefault
local-zone: "107.100.in-addr.arpa." nodefault
local-zone: "108.100.in-addr.arpa." nodefault
local-zone: "109.100.in-addr.arpa." nodefault
local-zone: "110.100.in-addr.arpa." nodefault
local-zone: "111.100.in-addr.arpa." nodefault
local-zone: "112.100.in-addr.arpa." nodefault
local-zone: "113.100.in-addr.arpa." nodefault
local-zone: "114.100.in-addr.arpa." nodefault
local-zone: "115.100.in-addr.arpa." nodefault
local-zone: "116.100.in-addr.arpa." nodefault
local-zone: "117.100.in-addr.arpa." nodefault
local-zone: "118.100.in-addr.arpa." nodefault
local-zone: "119.100.in-addr.arpa." nodefault
local-zone: "120.100.in-addr.arpa." nodefault
local-zone: "121.100.in-addr.arpa." nodefault
local-zone: "122.100.in-addr.arpa." nodefault
local-zone: "123.100.in-addr.arpa." nodefault
local-zone: "124.100.in-addr.arpa." nodefault
local-zone: "125.100.in-addr.arpa." nodefault
local-zone: "126.100.in-addr.arpa." nodefault
local-zone: "127.100.in-addr.arpa." nodefault
# RFC 4193: Unique Local IPv6 Unicast Addresses
local-zone: "d.f.ip6.arpa." nodefault
# RFC 2606: Reserved Top Level DNS Names
local-zone: "test." nodefault
domain-insecure: "test"
domain-insecure: "example"
# RFC 6762: Multicast DNS, Appendix G
domain-insecure: "local"
domain-insecure: "intranet"
domain-insecure: "private"
domain-insecure: "corp"
domain-insecure: "home"
domain-insecure: "lan"
# draft-davies-internal-tld
domain-insecure: "internal"

495
unbound-fedora-config.patch
View file

@ -1,30 +1,60 @@
From 6e2d042505a006ab5fd703631661e68d1cdc66df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Fri, 15 Nov 2024 13:25:34 +0100
From 17d4cc5fea24faa55358b7c36fdae0cd9bdd48b6 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Fri, 10 Nov 2023 12:58:31 +0100
Subject: [PATCH] Customize unbound.conf for Fedora defaults
Set some Fedora/RHEL specific changes to example configuration file. By
patching upstream provided config file we would not need to manually
update external copy in source RPM.
---
doc/example.conf.in | 33 +++++++++++++++++++++++++++++++--
1 file changed, 31 insertions(+), 2 deletions(-)
unbound-1.19.3/doc/example.conf.in | 194 ++++++++++++++++++-----------
1 file changed, 124 insertions(+), 70 deletions(-)
diff --git a/doc/example.conf.in b/doc/example.conf.in
index 59090c6..3a86809 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -8,6 +8,9 @@
# Use this anywhere in the file to include other text into this file.
#include: "otherfile.conf"
+# Default Fedora settings
+include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf"
+
# Use this anywhere in the file to include other text, that explicitly starts a
# clause, into this file. Text after this directive needs to start a clause.
#include-toplevel: "otherfile.conf"
@@ -51,11 +51,19 @@ server:
diff --git a/unbound-1.19.3/doc/example.conf.in b/unbound-1.19.3/doc/example.conf.in
index d791cf8..af163b2 100644
--- a/unbound-1.19.3/doc/example.conf.in
+++ b/unbound-1.19.3/doc/example.conf.in
@@ -17,11 +17,12 @@ server:
# whitespace is not necessary, but looks cleaner.
# verbosity number, 0 is least verbose. 1 is default.
- # verbosity: 1
+ verbosity: 1
# print statistics to the log (for every thread) every N seconds.
# Set to "" or 0 to disable. Default is disabled.
- # statistics-interval: 0
+ # Needs to be disabled for munin plugin
+ statistics-interval: 0
# enable shm for stats, default no. if you enable also enable
# statistics-interval, every time it also writes stats to the
@@ -32,11 +33,13 @@ server:
# shm-key: 11777
# enable cumulative statistics, without clearing them after printing.
- # statistics-cumulative: no
+ # Needs to be disabled for munin plugin
+ statistics-cumulative: no
# enable extended statistics (query types, answer codes, status)
- # printed from unbound-control. Default off, because of speed.
- # extended-statistics: no
+ # printed from unbound-control. default off, because of speed.
+ # Needs to be enabled for munin plugin
+ extended-statistics: yes
# Inhibits selected extended statistics (qtype, qclass, qopcode, rcode,
# rpz-actions) from printing if their value is 0.
@@ -44,22 +47,35 @@ server:
# statistics-inhibit-zero: yes
# number of threads to create. 1 disables threading.
- # num-threads: 1
+ num-threads: 4
# specify the interfaces to answer queries from by ip-address.
# The default is to listen to localhost (127.0.0.1 and ::1).
# specify 0.0.0.0 and ::0 to bind to all available interfaces.
# specify every interface[@port] on a new 'interface:' labelled line.
# The listen interfaces are not changed on reload, only on restart.
@ -44,7 +74,53 @@ index 59090c6..3a86809 100644
# enable this feature to copy the source address of queries to reply.
# Socket options are not supported on all platforms. experimental.
@@ -285,6 +293,8 @@ server:
- # interface-automatic: no
+ # interface-automatic: yes
+ #
+ # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0
+ # NOTE: Disabled per Fedora policy not to listen to * on default install
+ # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled
+ interface-automatic: no
# instead of the default port, open additional ports separated by
# spaces when interface-automatic is enabled, by listing them here.
@@ -94,7 +110,8 @@ server:
# permit Unbound to use this port number or port range for
# making outgoing queries, using an outgoing interface.
- # outgoing-port-permit: 32768
+ # Only ephemeral ports are allowed by SElinux
+ outgoing-port-permit: 32768-60999
# deny Unbound the use this of port number or port range for
# making outgoing queries, using an outgoing interface.
@@ -103,7 +120,9 @@ server:
# IANA-assigned port numbers.
# If multiple outgoing-port-permit and outgoing-port-avoid options
# are present, they are processed in order.
- # outgoing-port-avoid: "3200-3208"
+ # Our SElinux policy does not allow non-ephemeral ports to be used
+ outgoing-port-avoid: 0-32767
+ outgoing-port-avoid: 61000-65535
# number of outgoing simultaneous tcp buffers to hold per thread.
# outgoing-num-tcp: 10
@@ -121,12 +140,12 @@ server:
# use SO_REUSEPORT to distribute queries over threads.
# at extreme load it could be better to turn it off to distribute even.
- # so-reuseport: yes
+ so-reuseport: yes
# use IP_TRANSPARENT so the interface: addresses can be non-local
# and you can config non-existing IPs that are going to work later on
# (uses IP_BINDANY on FreeBSD).
- # ip-transparent: no
+ ip-transparent: yes
# use IP_FREEBIND so the interface: addresses can be non-local
# and you can bind to nonexisting IPs and interfaces that are down.
@@ -256,6 +275,8 @@ server:
# nat64-prefix: 64:ff9b::0/96
# Enable UDP, "yes" or "no".
@ -53,7 +129,16 @@ index 59090c6..3a86809 100644
# do-udp: yes
# Enable TCP, "yes" or "no".
@@ -320,6 +330,9 @@ server:
@@ -281,7 +302,7 @@ server:
# tcp-idle-timeout: 30000
# Enable EDNS TCP keepalive option.
- # edns-tcp-keepalive: no
+ edns-tcp-keepalive: yes
# Timeout for EDNS TCP keepalive, in msec.
# edns-tcp-keepalive-timeout: 120000
@@ -290,6 +311,9 @@ server:
# can be dropped. Default is 0, disabled. In seconds, such as 3.
# sock-queue-timeout: 0
@ -63,7 +148,188 @@ index 59090c6..3a86809 100644
# Use systemd socket activation for UDP, TCP, and control sockets.
# use-systemd: no
@@ -906,6 +919,8 @@ server:
@@ -403,6 +427,7 @@ server:
#
# If you give "" no chroot is performed. The path must not end in a /.
# chroot: "@UNBOUND_CHROOT_DIR@"
+ chroot: ""
# if given, user privileges are dropped (after binding port),
# and the given username is assumed. Default is user "unbound".
@@ -414,7 +439,7 @@ server:
# is not changed.
# If you give a server: directory: dir before include: file statements
# then those includes can be relative to the working directory.
- # directory: "@UNBOUND_RUN_DIR@"
+ directory: "/etc/unbound"
# the log file, "" means log to stderr.
# Use of this option sets use-syslog to "no".
@@ -429,7 +454,7 @@ server:
# log-identity: ""
# print UTC timestamp in ascii to logfile, default is epoch in seconds.
- # log-time-ascii: no
+ log-time-ascii: yes
# print one line with time, IP, name, type, class for every query.
# log-queries: no
@@ -501,22 +526,22 @@ server:
# harden-large-queries: no
# Harden against out of zone rrsets, to avoid spoofing attempts.
- # harden-glue: yes
+ harden-glue: yes
# Harden against receiving dnssec-stripped data. If you turn it
# off, failing to validate dnskey data for a trustanchor will
# trigger insecure mode for that zone (like without a trustanchor).
# Default on, which insists on dnssec data for trust-anchored zones.
- # harden-dnssec-stripped: yes
+ harden-dnssec-stripped: yes
# Harden against queries that fall under dnssec-signed nxdomain names.
- # harden-below-nxdomain: yes
+ harden-below-nxdomain: yes
# Harden the referral path by performing additional queries for
# infrastructure data. Validates the replies (if possible).
# Default off, because the lookups burden the server. Experimental
# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
- # harden-referral-path: no
+ harden-referral-path: yes
# Harden against algorithm downgrade when multiple algorithms are
# advertised in the DS record. If no, allows the weakest algorithm
@@ -530,7 +555,7 @@ server:
# Sent minimum amount of information to upstream servers to enhance
# privacy. Only sent minimum required labels of the QNAME and set QTYPE
# to A when possible.
- # qname-minimisation: yes
+ qname-minimisation: yes
# QNAME minimisation in strict mode. Do not fall-back to sending full
# QNAME to potentially broken nameservers. A lot of domains will not be
@@ -540,7 +565,7 @@ server:
# Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
# and other denials, using information from previous NXDOMAINs answers.
- # aggressive-nsec: yes
+ aggressive-nsec: yes
# Use 0x20-encoded random bits in the query to foil spoof attempts.
# This feature is an experimental implementation of draft dns-0x20.
@@ -573,7 +598,7 @@ server:
# threshold, a warning is printed and a defensive action is taken,
# the cache is cleared to flush potential poison out of it.
# A suggested value is 10000000, the default is 0 (turned off).
- # unwanted-reply-threshold: 0
+ unwanted-reply-threshold: 10000000
# Do not query the following addresses. No DNS queries are sent there.
# List one address per entry. List classless netblocks with /size,
@@ -585,20 +610,20 @@ server:
# do-not-query-localhost: yes
# if yes, perform prefetching of almost expired message cache entries.
- # prefetch: no
+ prefetch: yes
# if yes, perform key lookups adjacent to normal lookups.
- # prefetch-key: no
+ prefetch-key: yes
# deny queries of type ANY with an empty response.
- # deny-any: no
+ deny-any: yes
# if yes, Unbound rotates RRSet order in response.
- # rrset-roundrobin: yes
+ rrset-roundrobin: yes
# if yes, Unbound doesn't insert authority/additional sections
# into response messages when those sections are not required.
- # minimal-responses: yes
+ minimal-responses: yes
# true to disable DNSSEC lameness check in iterator.
# disable-dnssec-lame-check: no
@@ -608,7 +633,9 @@ server:
# most modules have to be listed at the beginning of the line,
# except cachedb(just before iterator), and python (at the beginning,
# or, just before the iterator).
- # module-config: "validator iterator"
+ # For redis cachedb use:
+ # "ipsecmod validator cachedb iterator"
+ module-config: "ipsecmod validator iterator"
# File with trusted keys, kept uptodate using RFC5011 probes,
# initial file like trust-anchor-file, then it stores metadata.
@@ -622,10 +649,10 @@ server:
# auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
# trust anchor signaling sends a RFC8145 key tag query after priming.
- # trust-anchor-signaling: yes
+ trust-anchor-signaling: yes
# Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
- # root-key-sentinel: yes
+ root-key-sentinel: yes
# File with trusted keys for validation. Specify more than one file
# with several entries, one file per entry.
@@ -646,6 +673,9 @@ server:
# the trusted-keys { name flag proto algo "key"; }; clauses are read.
# you need external update procedures to track changes in keys.
# trusted-keys-file: ""
+ #
+ trusted-keys-file: /etc/unbound/keys.d/*.key
+ auto-trust-anchor-file: "/var/lib/unbound/root.key"
# Ignore chain of trust. Domain is treated as insecure.
# domain-insecure: "example.com"
@@ -673,14 +703,15 @@ server:
# unsecure data. Useful to shield the users of this validator from
# potential bogus data in the additional section. All unsigned data
# in the additional section is removed from secure messages.
- # val-clean-additional: yes
+ val-clean-additional: yes
# Turn permissive mode on to permit bogus messages. Thus, messages
# for which security checks failed will be returned to clients,
# instead of SERVFAIL. It still performs the security checks, which
# result in interesting log files and possibly the AD bit in
# replies if the message is found secure. The default is off.
- # val-permissive-mode: no
+ # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
+ val-permissive-mode: no
# Ignore the CD flag in incoming queries and refuse them bogus data.
# Enable it if the only clients of Unbound are legacy servers (w2008)
@@ -694,11 +725,11 @@ server:
# Serve expired responses from cache, with serve-expired-reply-ttl in
# the response, and then attempt to fetch the data afresh.
- # serve-expired: no
+ serve-expired: yes
#
# Limit serving of expired responses to configured seconds after
# expiration. 0 disables the limit.
- # serve-expired-ttl: 0
+ serve-expired-ttl: 14400
#
# Set the TTL of expired records to the serve-expired-ttl value after a
# failed attempt to retrieve the record from upstream. This makes sure
@@ -725,7 +756,7 @@ server:
# Have the validator log failed validations for your diagnosis.
# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
- # val-log-level: 0
+ val-log-level: 1
# It is possible to configure NSEC3 maximum iteration counts per
# keysize. Keep this table very short, as linear search is done.
@@ -869,6 +900,8 @@ server:
# you need to do the reverse notation yourself.
# local-data-ptr: "192.0.2.3 www.example.com"
@ -72,7 +338,7 @@ index 59090c6..3a86809 100644
# tag a localzone with a list of tag names (in "" with spaces between)
# local-zone-tag: "example.com" "tag2 tag3"
@@ -916,8 +931,8 @@ server:
@@ -879,8 +912,8 @@ server:
# the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
# Give the certificate to use and private key.
# default is "" (disabled). requires restart to take effect.
@ -82,18 +348,108 @@ index 59090c6..3a86809 100644
+ # tls-service-pem: "/etc/unbound/unbound_server.pem"
# tls-port: 853
# https-port: 443
# quic-port: 853
@@ -1166,6 +1181,9 @@ remote-control:
# unbound-control certificate file.
# control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
+# Stub and Forward zones
+include: "@sysconfdir@/unbound/conf.d/*.conf"
@@ -888,6 +921,8 @@ server:
# tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
# cipher setting for TLSv1.3
# tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
+ # Fedora/RHEL: use system-wide crypto policies
+ tls-ciphers: "PROFILE=SYSTEM"
# Pad responses to padded queries received over TLS
# pad-responses: yes
@@ -1024,12 +1059,12 @@ server:
# cookie-secret: <128 bit random hex string>
# Enable to attach Extended DNS Error codes (RFC8914) to responses.
- # ede: no
+ ede: yes
# Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale
# Answer as EDNS0 option to expired responses.
# Note that the ede option above needs to be enabled for this to work.
- # ede-serve-expired: no
+ ede-serve-expired: yes
# Specific options for ipsecmod. Unbound needs to be configured with
# --enable-ipsecmod for these to take effect.
@@ -1037,12 +1072,14 @@ server:
# Enable or disable ipsecmod (it still needs to be defined in
# module-config above). Can be used when ipsecmod needs to be
# enabled/disabled via remote-control(below).
- # ipsecmod-enabled: yes
- #
+ # Fedora: module will be enabled on-demand by libreswan
+ ipsecmod-enabled: no
+
# Path to executable external hook. It must be defined when ipsecmod is
# listed in module-config (above).
# ipsecmod-hook: "./my_executable"
- #
+ ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook
+
# When enabled Unbound will reply with SERVFAIL if the return value of
# the ipsecmod-hook is not 0.
# ipsecmod-strict: no
@@ -1075,7 +1112,7 @@ server:
# o and give a python-script to run.
python:
# Script file to load
- # python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py"
+ # python-script: "/etc/unbound/ubmodule-tst.py"
# Dynamic library config section. To enable:
# o use --with-dynlibmodule to configure before compiling.
@@ -1086,13 +1123,14 @@ python:
# the module-config then you need one dynlib-file per instance.
dynlib:
# Script file to load
- # dynlib-file: "@UNBOUND_SHARE_DIR@/dynlib.so"
+ # dynlib-file: "/etc/unbound/dynlib.so"
# Remote control config section.
remote-control:
# Enable remote control with unbound-control(8) here.
# set up the keys and certificates with unbound-control-setup.
- # control-enable: no
+ # Note: required for unbound-munin package
+ control-enable: yes
# what interfaces are listened to for remote control.
# give 0.0.0.0 and ::0 to listen to all interfaces.
@@ -1100,6 +1138,7 @@ remote-control:
# are not used for that, so key and cert files need not be present.
# control-interface: 127.0.0.1
# control-interface: ::1
+ control-interface: "/run/unbound/control"
# port number for remote control operations.
# control-port: 8953
@@ -1109,16 +1148,19 @@ remote-control:
# control-use-cert: "yes"
# Unbound server key file.
- # server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key"
+ server-key-file: "/etc/unbound/unbound_server.key"
# Unbound server certificate file.
- # server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem"
+ server-cert-file: "/etc/unbound/unbound_server.pem"
# unbound-control key file.
- # control-key-file: "@UNBOUND_RUN_DIR@/unbound_control.key"
+ control-key-file: "/etc/unbound/unbound_control.key"
# unbound-control certificate file.
- # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
+ control-cert-file: "/etc/unbound/unbound_control.pem"
+
+# Stub and Forward zones
+include: /etc/unbound/conf.d/*.conf
# Stub zones.
# Create entries like below, to make all queries for 'example.com' and
# 'example.org' go to the given list of nameservers. list zero or more
@@ -1186,6 +1207,10 @@ remote-control:
@@ -1140,6 +1182,10 @@ remote-control:
# name: "example.org"
# stub-host: ns.example.com.
@ -104,7 +460,7 @@ index 59090c6..3a86809 100644
# Forward zones
# Create entries like below, to make all queries for 'example.com' and
# 'example.org' go to the given list of servers. These servers have to handle
@@ -1203,6 +1228,10 @@ remote-control:
@@ -1157,6 +1203,10 @@ remote-control:
# forward-zone:
# name: "example.org"
# forward-host: fwd.example.com
@ -115,6 +471,75 @@ index 59090c6..3a86809 100644
# Authority zones
# The data for these zones is kept locally, from a file or downloaded.
@@ -1167,27 +1217,28 @@ remote-control:
# download it), primary: fetches with AXFR and IXFR, or url to zonefile.
# With allow-notify: you can give additional (apart from primaries and urls)
# sources of notifies.
-# auth-zone:
-# name: "."
-# primary: 170.247.170.2 # b.root-servers.net
-# primary: 192.33.4.12 # c.root-servers.net
-# primary: 199.7.91.13 # d.root-servers.net
-# primary: 192.5.5.241 # f.root-servers.net
-# primary: 192.112.36.4 # g.root-servers.net
-# primary: 193.0.14.129 # k.root-servers.net
-# primary: 192.0.47.132 # xfr.cjr.dns.icann.org
-# primary: 192.0.32.132 # xfr.lax.dns.icann.org
-# primary: 2801:1b8:10::b # b.root-servers.net
-# primary: 2001:500:2::c # c.root-servers.net
-# primary: 2001:500:2d::d # d.root-servers.net
-# primary: 2001:500:2f::f # f.root-servers.net
-# primary: 2001:500:12::d0d # g.root-servers.net
-# primary: 2001:7fd::1 # k.root-servers.net
-# primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
-# primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org
-# fallback-enabled: yes
-# for-downstream: no
-# for-upstream: yes
+ auth-zone:
+ name: "."
+ primary: 170.247.170.2 # b.root-servers.net
+ primary: 192.33.4.12 # c.root-servers.net
+ primary: 199.7.91.13 # d.root-servers.net
+ primary: 192.5.5.241 # f.root-servers.net
+ primary: 192.112.36.4 # g.root-servers.net
+ primary: 193.0.14.129 # k.root-servers.net
+ primary: 192.0.47.132 # xfr.cjr.dns.icann.org
+ primary: 192.0.32.132 # xfr.lax.dns.icann.org
+ primary: 2801:1b8:10::b # b.root-servers.net
+ primary: 2001:500:2::c # c.root-servers.net
+ primary: 2001:500:2d::d # d.root-servers.net
+ primary: 2001:500:2f::f # f.root-servers.net
+ primary: 2001:500:12::d0d # g.root-servers.net
+ primary: 2001:7fd::1 # k.root-servers.net
+ primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
+ primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org
+ fallback-enabled: yes
+ for-downstream: no
+ for-upstream: yes
+
# auth-zone:
# name: "example.org"
# for-downstream: yes
@@ -1213,6 +1264,9 @@ remote-control:
# name: "anotherview"
# local-zone: "example.com" refuse
+# Fedora: DNSCrypt support not enabled since it requires linking to
+# another crypto library
+#
# DNSCrypt
# To enable, use --enable-dnscrypt to configure before compiling.
# Caveats:
@@ -1285,7 +1339,7 @@ remote-control:
# dnstap-enable: no
# # if set to yes frame streams will be used in bidirectional mode
# dnstap-bidirectional: yes
-# dnstap-socket-path: "@DNSTAP_SOCKET_PATH@"
+# dnstap-socket-path: "/etc/unbound/dnstap.sock"
# # if "" use the unix socket in dnstap-socket-path, otherwise,
# # set it to "IPaddress[@port]" of the destination.
# dnstap-ip: ""
--
2.47.0
2.44.0

5
unbound-initrd.conf
View file

@ -1,5 +0,0 @@
[Unit]
Before=network-online.target
[Install]
WantedBy=network-online.target

30
unbound-local-root.conf
View file

@ -1,30 +0,0 @@
# Authority zones
# The data for these zones is kept locally, from a file or downloaded.
# The data can be served to downstream clients, or used instead of the
# upstream (which saves a lookup to the upstream).
#
# Download local root copy and answer TLD queries from it. Because
# auth-zone has higher precedence, defined forward-zones to internal
# only TLD will not work. Use stub-zone or disable this zone.
# Good for a network-wide resolvers, worse for a localhost caching forwarder.
auth-zone:
name: "."
primary: 170.247.170.2 # b.root-servers.net
primary: 192.33.4.12 # c.root-servers.net
primary: 199.7.91.13 # d.root-servers.net
primary: 192.5.5.241 # f.root-servers.net
primary: 192.112.36.4 # g.root-servers.net
primary: 193.0.14.129 # k.root-servers.net
primary: 192.0.47.132 # xfr.cjr.dns.icann.org
primary: 192.0.32.132 # xfr.lax.dns.icann.org
primary: 2801:1b8:10::b # b.root-servers.net
primary: 2001:500:2::c # c.root-servers.net
primary: 2001:500:2d::d # d.root-servers.net
primary: 2001:500:2f::f # f.root-servers.net
primary: 2001:500:12::d0d # g.root-servers.net
primary: 2001:7fd::1 # k.root-servers.net
primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org
fallback-enabled: yes
for-downstream: no
for-upstream: yes

7
unbound.service
View file

@ -1,9 +1,6 @@
[Unit]
Description=Unbound recursive Domain Name Server
After=network.target
# Use ip-freebind: yes or add After=network-online.target, rhbz#2338429,
# if interface: specifies exact address, not localhost nor wildcard
#After=network-online.target
After=network-online.target
After=unbound-keygen.service
Wants=unbound-keygen.service
After=unbound-anchor.service
@ -12,7 +9,7 @@ Before=nss-lookup.target
Wants=nss-lookup.target
[Service]
Type=notify
Type=simple
EnvironmentFile=-/etc/sysconfig/unbound
ExecStartPre=/usr/sbin/unbound-checkconf
ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS

1122
unbound.spec
View file

File diff suppressed because it is too large Load diff

3
unbound.sysconfig
View file

@ -5,6 +5,3 @@ UNBOUND_ANCHOR_OPTIONS="-f /etc/resolv.conf -R"
# for extra debug, add "-v -v" or change verbosity: in unbound.conf
UNBOUND_OPTIONS=""
# Uncoment to validate SHA1 in any crypto policy
# OPENSSL_CONF=/etc/unbound/openssl-sha1.conf

123
wouter.nlnetlabs.nl.key Normal file
View file

@ -0,0 +1,123 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
xsFNBE2v/RwBEACyQpJlpCeSZBV1QUH7jNEp5xGdo6OnX2h9XoZ4ZPsb+u6OT+xE
SH45ncnISUh8rPCygbeWOoPR/yOBzh+lYoGxQ5iUHtwRrhHq04sQe/qFpXDO2xs6
1pTcPU2PnH7Rsr2qp6fZLPHuXLolD7NJfaSib8sVeMM0/ecyl/L2bBg9NpaGDX0x
TQh95M8o6AFo6UKWApBpgsvEZr2aH/B8b9KnCWFhfJyheEM7DamksdZNsKxXQyq3
l/ROfdsMLZGF8vPbYV/v11G4keyaLpn8AbBpybIiw9SYDwf2ENk3+e1NFfMaiiyE
qn9+aaLTKCY87TMUuoN3s3jWOOy5tHXzf6DbKhub4Awsby3DH5YpPhi4N2vj2pAX
Vpl5+m78cH29JLzT+HAoyZ4tq1r3m0P5QogNqYwqxkKWYOjDilNDBiKiDdgtrLYG
x+ABovKG/FvToJoaCL4AFaVCzWmL2uHkSgyBN0FPHatCB1UeEkcQit6T8E2NQqmF
WjUMXSWHHajSMG95+L5PdLHz/Ku0o3Csvlt2pkElYZmzJBfnOM9JevdsmKr/ruJC
/DCZAn5w2S/9ZF5qfo2F9HUKIwE/dChR29HcN8V4nqZs9oCvEMfFhHmrfwDc5hed
hvb6mAkvSFFtKIrygLIVeWRj3FE9sGp6sr4VwOLYTFRNk7mAsWD1rZApeQARAQAB
zSdXLkMuQS4gV2lqbmdhYXJkcyA8d291dGVyQG5sbmV0bGFicy5ubD7CwX4EEwEC
ACgFAk2v/RwCGyMFCQlmAYAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEJ9v
HC1+BF+N3yoQAIynfrvZ/8RNAv9lLcSc2PX3fvG7oRJEJSy9uMyIbMtb/a1BVCeh
XjR8GhHJ5D/Z3jRWBQKw1rLLvOqbuBGkpKMR100ZVF4z/8e6CWtTAOFy28f1JQw2
8kilN7K6vjno21S1JJ1XJAdoFdicyb1SW2r+KYod6fjSyF0lb71od+sdnSE9O/xd
Cqyyu6cX+AwfDcuJ6Y8iOWu8CeWAz41LR1QBUQkCb/08mVfCEu+Cj+M31jjPDZEy
UAw219vr4QFe0o3t+Msv0AUZvcRkW6+8qP5lO6I5we/33WBLZH70lhFvYtobM7HO
MCjheRZguSzvRqEETfTjia1uVi3Yz2qM4CFdJIZF6Er79yKcB3jYquultrnlHdXZ
/IZsHVRk6JfiqFkz9u1T9PkvMoQ452aUomGTg9xQchnKpe1E8osKgLulaY+izTEq
Z8pH/HWWJ/YT13/n8pxK9EbC/8SkVhyXNehOSAGDZar+tjVBofgzS8r+GDyv+pBT
SmjitIrVXZNuhigLp1o7Tvs4kjKlcFnLhfDHJ+yb5JyiZd01bVvaqnfRhACqXfWl
oC0uslRbegoYwJUgX0BOrsOuHGH2SfGjd/QnA0bcEXM2kp1Dp1gqtcEd5Qitm647
Yz+leWkhrmMmtTwqumXoAcvgzthJFUPcAzuhXZNfqQJMOGRxAGVI0P97wsF+BBMB
AgAoAhsjBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCVu+rZAUJDQIVSAAKCRCf
bxwtfgRfjdrWEACMQK0xYtZtAvLL/8CCcCi92Oi1rtXRGWnRy7JX020hftmWliMq
4P0F3CJKVLhgZ/ldp8OOqmfDfmwLMVSaCQ86Ubqn7Ofrf8Ku8SGQuIMxY2ODB97h
ouY4bnDHaM2Cqi6JkBN+G1tgdwqN/kcecF2tq3ql2k7eX91++A+F5ApIu1silzJP
L4Z8W6MVOdKrtzEM7t61hRlsbpEPj72vbVBZ1hmTiIL4VWwdxQYamxBoOeneskyD
DG+iMCI3P1GG3EQkk+9Aect/iH9uruE0mxn2aKN8cfuoR93cPF/ozCxS5ItwAVnN
e39WRO1GT2zYaFgYm0lf9czcpRsRzNbGw938lZ3iPUiZe+ybKgLKkVmvrkM59ljH
T99SrC14VXxgQwSs4gS3rdzbY9tPps62Z1q+xCVfTx1IY5P4nt59xwQV0Iw+pV9S
/mVcOnPXl1UKb0ttOdYJErrq3RpF/D2g/NDtL0OWqIa8LvrBlyQYmWPKvKw76vt4
bJ3NU31jSc0ow/j7EOVjOst86s629zmtnbJjWVr6LOy5EDUPusmqHv1t4Z4RMjf8
OrJdNbFJoRXZv8FbW4NzXeGtMf8k6vKeejpdMH4+eLuoZG7dchU1JccfgqfwWpy0
ojmb59drJcaQgVC6Jvw9l0TmGPNIsE4UrIWocaFgv4dOKvHA2hcnMDM8rsLBlQQT
AQIAPwIbIwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQTt+qPyyk5usFaBr46f
bxwtfgRfjQUCWaU4BQUJEZjVaQAKCRCfbxwtfgRfjb1YEACjkhtkyZkYURUmSZNL
2IK/Zencv7DZGRfFrzijROFtHbe//H8o2ZhlyiaFSA/dT1ehjsukkR0oFkYadA+q
Ui06WpxGmd/jf8hP4yTUZkwOhQAesWoNmnhKePNaVMKY8DP57bA+N2pdCcGu7gUt
Yzq2JoTAtV+P/PE2w+H9eyBAulv6iUckM5/qvGfJPl8HB9BtgOpGN79otVWO6ebM
4TQ3cZYI9BDQnt9cF2pviex+z1iLZVJ8UeRxSxYhrBKPJioi0Q1OgcKyO56t7Eot
zxKl5TzprgvdX4cdls+lehD8StlE2Xv/TScHvdOhJuVBrn3a3QjZPb4qSsz74leW
5/EIQmozBy+qf8AHcCmTXwb2U7oHOct7cVyS5+bFx+ThpV5OK0rjTH1LMNiuTeAN
46c1y3prjZRpQUlgVwj06q3Zz/fzDyueUS/r4lW4nAf/VNZy/rTS2HYPoZbHZVCt
GpDIfag6fV6V97Pd3zfhTf2wmsJsw9Xhktp/o7rMBRSMhvL4oevOXb0JSG2583Q/
JnCCceB4NxRRxsgkRYHwdnXN9FnOPSa4NyvF4rzpPksLGZrhvm+lBvzVn/e40Q/K
lxvSlnn2vW/WBM4pBq1jsoJrd/JkTdijZV7mt7HQ2bCLXAPgfZjy7n79WiCQVHg7
iYnNikiNWR5TR7JcvdkxOdiA/8LBlQQTAQgAPwIbIwYLCQgHAwIGFQgCCQoLBBYC
AwECHgECF4AWIQTt+qPyyk5usFaBr46fbxwtfgRfjQUCXe4JdQUJGaQN2QAKCRCf
bxwtfgRfjQ8gEACe+49aDQHRuZdDHK1VCJKzhb+MvfdIjvl8eQxljpG9Uz5Y17Bx
4SWfuLHCeGlh1m6IOAWeW4g6Wowm1ec1PkVa79TdrkKb0MxfLSat6iDbiuVjDxy2
bWokW0/cPzJ/FoWDtEC0H9UTAMb5QGBDZUbLuwX7ZjvMkAhH15/hO9Gj4RHoH1RJ
GJALRtZzjtzsJqL53kW/EV59V1T79Nocyx018iw50Jn02mI8wYJZ9HZc5C7D+K59
vcqLRZgkrJrObw0sEv3YFOBYp/1DemH2nHPMBSKMmN5RAcr32guUjd4BEWf2Q7Ao
+Qnhdi161W0YKCW4JAmOoQ4bQ0wfE9Q5aUIGhUF52L+ac8Hy7dByaCExCA/WTqQQ
/iVPybmpJQhFonWt/fmpxbE2wKThSEOHTO67e5e3JfUb0vNKssyZojao4h1MF5nv
aPNKoybWwKnpNM0ORcyl+aogKwW7E15TEU0TE5//gAsFwRDcCnSEKnksgM0321m1
7RDfJbCajIv47DHDYE3yvhRZjCJCaw0Gow1sDRWjdOFpmIixD5/vx5uxyqSHPuGA
sXlEvl+Z3Rdc5bQ7pAWu7UNpR3hnJPfg8KL2xqOF75VKG9/NjLE80yj8wdVoCfDv
vizrBtOXnHI49gCMCfNqbGIb5yVhmTdeo7li+Te9hlJ2DrHnujGJlFe+p87BTQRN
r/0cARAApvDKeVLiSazESdTY9KsSWsqoB38pvOsu25M49tEjc5TtY5LwKNckqkeR
lJ83O8dFG7UBVuGwLKaf/6OR/pe24upZ27eOOWW7sXvQNv5aXlOYfF+mjIhUINqj
q4pKDmO1c9J7h5d+auOVfzcgfotg3BVCaKn56ucjiQJ059uUMfgWTvVlibnoJ7de
Zcgt8v7VcLK9jv+P8QJHTIyDzJd+JjdjuHXqC/A37T5G9Z84x8wYrQY6mZmOIYaM
jwIKdgFeN+nLk5henARUz4MTFUW4j9hHpuyAFomDQ93/wkHZ9IEChTxdZnfvsd//
Z45vfcX9dQM+tuR8XCYThVsScI1TnwR46hi5NkfmHo3HVxwB8/owJ+FZDsTNBbJd
7AVy27Xk4L5hLe7BwLDtFMyOp4lOipCM7//mtFB9mTzqnOwiSSyTRlwGUBJkzQFW
Qa0Z6bfYwA6+y1dn19H519GW49irtl+2+W8W4N8oLriIjPvqrQOyaELFcRfV6FfL
i09HPhHVbejOqIEbOtfuN0+mjrrGAwortfTBjfw80N+W90BTvta4K2SyjHcJTkDY
ehfOo/5IMpGtDsOgvsCbDaFRnNJuYtSqQmvWk1KIPIw6CkdJtZa3+q3YA7D7ovOV
H1OBTKNdBjc+X4W8L5R9MCymXWvgiP+52Sv1VIcZmsnCBrwK490AEQEAAcLBZQQY
AQIADwUCTa/9HAIbDAUJCWYBgAAKCRCfbxwtfgRfjTY/D/9+kX8LeqBhwDdwy3ud
V67KmVmytwGMfzBHbAyBdy84X06ip/If/VkjL+2Sv5Uml/cOOzGZT7y/KEt0uXQz
gOZhGP5Y0OREf4kSzfb7tsGu3ZjTp5uJe7HiJr8uqYGfx94TQG/A3x1C7MlxOGmW
DK/Eh/eNVeNd+3yyDEzl2p7a0yUhI8LtzllVrEDX+G4rz+mdDw4tfPDqzRPzPvVt
PfqnfofHP5r2dshGe7+pCTC+o0jHWpaiFkEiIrR3PbZ9tV6+F5LzCUJJP5nepz6C
ShpLHq9ST6qZiw5ZpdznHW0kVl96YxgynJq9Y4dqD/8nOfTzdHhXXEogGvRfcxat
xeZF7YNFhUU2p+CswAjRKCUzZAz0hDAu+dJ+fw4Odx7ii8uiwhEnEHoo8rPETkXw
UK1je4MCzMRSy0Gippzk/oZ7noIml+Njas/UygavUOQm8bcPqGfWeFqvM2C7ZobL
2iV0fX/bhEmQyosiWJ0nHuKdwDYygYs/4LtZLxwiKli/lm6IDz1028j6/98Z81gG
oltXWokTYAPEgcBuhyiSLSQ1wojTVMYt9rPKMBakTzP+0FoWqoNafWOlHovP6iUB
2Igll2ZT3AvrBQ8jAbRbuUl46QpBaKsl+pBo86az0fRkMxv0N4dQv4Q7Z0g71u9N
Tpaq1vtAZOwc0kl3uGNK18PnV8LBZQQYAQIADwIbDAUCVu+raQUJDQIVTQAKCRCf
bxwtfgRfjVnYEACZ1E/FfLDi4vLUd9diImmNN/zWDHxTsO/VG3lt50rSoJM5NGB4
RlwcbUKhah2fD44FFiIqGIvKD9hRgB51dVRIkaR3ozVtXRBKxJJqWj38wf2FDLtU
XC5/JHYb0sjAc3ad2sA9xEmEBVO1lWK3J6h4gKZiAGlWz3oeOSve3vrTKsBlP0Cu
rUeb4WTVpw4drBJD7cDh8SJ4/Cq76UFx8lW0xR+pHZHcd0/Ir5v5HnnEgbnut4Ix
eY3/CGBfQfSQHylK7ifmPWq+dflC/ZdfHY1V96EHKPM44ZLwiczoY3qp5nkmEc3B
Y6+P8Ch5gddOYaY18wpedarswnpOLQD2Xbsj66Eh0IZuuuZGyfOqJNaWbP33L27e
g35XQNTgyhuZmDyRKL6yAbhU74TXCCvze/kkfqDn2ouCtM8/kqLX1v0+NkBxlhZU
kTTVDyclZtwu6Vypus3+j2Zqk8sXeUZI64sjXpzwOcMZxdl3QuyxMktExWzk9Q5D
YqO+pj/YGt1vp2M0YgSUWNWCvfBcjEPFgaljyqz3BdvR/LYohnXuQL9SWObF+sIF
c9D0w/yORYQcKP5kSWVC/qwFdC61OGeSDnQ/0o0T5PefhYS82gsIrjQ+HIJ7CLUT
k7kBNljvtfpoWegH02feR0kSRoCXA6x+YHT4fmB41pW8S1V5a5dEltA/JMLBfAQY
AQIAJgIbDBYhBO36o/LKTm6wVoGvjp9vHC1+BF+NBQJZpTgKBQkRmNVuAAoJEJ9v
HC1+BF+NyNQP/A3h+cOOkYUxyKpNHdtlIfCn8db5tHXSCbE19Qi7EK1SiK5atjo+
VoRtB+L01kH6GCx5oZjeIhUdzYFwEUsdCDgwD6r0dKFwKIGa4TFcfnx+Z5B+HZgL
Yc6ac5PEHF1qZVXZH9GSGeNw5h2yyqf4yhvetSN6L2id14m5XXJV5e7NfOgmaSnG
0Z+wQvPSiu+Q00XpENT8HFSTSCjRATjk12rpy6TPeeC52NK1gLhGDRHN0k6m+vm4
yoC+Nd6iPQpnc+5xs7NDnq2dFuSTp7UTGebzPhhdSQgujEFuYLwzQMZu1h5amtA+
v9j7BYEJkOMC7bm1PNNA2QQ6QfH8Hf+mJeINyJO8A5KS3ceP+eo3SLR8T0hPzu9g
ZuZ22Hn3DXQh1VNRshaLKgNvoXpL3dQ48d1SFFKhEDpy2HSXUq2fs5rH0uszFGes
G7K6EQRAYRcDrCkt9fdfkvCSxAFw9d+472xThzgKcN+MkOec+SaY+xlVULjEfCWy
RVC8Opam4mTm/XT4mVLxP/qnsy7kEhLoc/ouB+lY/ks06LpZJvCXL6WfA9You1Fi
1Mg7GhSh9JKg6X6E8Trm+N4dxJGut1xbbGmmKXqfi4pej9KlkdeM9t1df/vWKlPa
7Hzd8H0btgJx066wC4yt0ghxtsJXBsCDxWLfzaSRZ2/eP16mHqxDjsQQwsF8BBgB
CAAmAhsMFiEE7fqj8spObrBWga+On28cLX4EX40FAl3uCX0FCRmkDeEACgkQn28c
LX4EX43TQA/+JV8ReMRJCn3Cfqbe5ycFn8p6dIVnJiQuhiEyu5yzdpSkKyzcVFJO
bQcqw7s50FJuLUbxdvbcuGIaoTu7dhBoUXO5tOuIQAsKTfGfgoOgelJm+/q2h645
EnAVINGbMDXrmo4/UFJkNjUMA6SQi/yiam7N0y58eoDC4sGmBKuN2EW2MoWahlXw
8SS1+Ab9qVBs/RqbSy6f1nJL39aPpPDmvyJOSYtHnNSFlYWVhr0zGAi5rnswlFGr
ECGbHpr5FajUK7zcmtNPbi7F30K48xfF3XnDIeIBcerrEBQMaPUZcBlddGhmSVVJ
ZU/YhR35JNgPnmp33gOuZaRiW9lauZFwsMQBIBkLpJWoUtu8QLkyC0HmJzVRep0/
s1RkzaJ+1G1BzXTQiXaLaUQWG5h3pcMD8fxY5qp9KbG/+10bY0sRbRBXgS6mz7dd
HaBtg/E8ty2nEB1HDXA9HAHu7KlH9e96sPZjz9C46ZiOXe6ZAOk6wBYts4RG4bCQ
9pGORJ+P2Jr2pz1NZQbs1AhnjJixTsfZfsGZ5lHxGLjIyxtdGB/irLEqNTIMek2y
p4CShmWoZwN0V3aGYMe/rC4tSXG79IeKNwF3Vd5MHtB+hcJG2qztBtKQuW29rbRA
5bNxwTWe8skwOKsxXnP9RC974k0XkPS+VwgmVgNN1ewS/0oHvmEP71Q=
=Oqje
-----END PGP PUBLIC KEY BLOCK-----