Update to 1.24.1 (rhbz#2405698)

Fix CVE-2025-11411 (possible domain hijacking attack), reported by Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan from Tsinghua University. https://nlnetlabs.nl/projects/unbound/download/#unbound-1-24-1
Update to 1.23.1 (rhbz#2380450)
2025-10-24 19:11:51 +02:00 · 2025-07-21 15:42:34 +02:00 · 2025-06-10 14:46:34 +02:00 · 2025-06-10 14:46:34 +02:00 · 2025-06-10 14:46:34 +02:00 · 2025-02-10 20:58:34 +01:00
13 changed files with 160 additions and 303 deletions
--- a/mkroot.sh
+++ b/mkroot.sh
@ -1,17 +0,0 @@
-#!/bin/sh
-
-SOURCE="/usr/share/dns-root-data/root.key"
-DEST="${1:-root.key}"
-
-mk_key() {
-echo "# Generated from $SOURCE"
-echo "# Use /var/lib/unbound/root.key instead."
-echo "trusted-keys {"
-while read DOMAIN CLS TYPE FLAGS PROTO ALG KEYDATA COMMENT KEYTAG; do
-echo "$DOMAIN $CLS $TYPE $FLAGS $PROTO $ALG \"$KEYDATA\" # $KEYTAG"
-done < "$SOURCE"
-echo "};"
-}
-
-mk_key > "$DEST"
-touch -r "$SOURCE" "$DEST"
--- a/nlnetlabs2026-g2.asc
+++ b/nlnetlabs2026-g2.asc
@ -1,24 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQGNBGc7H5IBDADOZfJwZ6zZ/4JbbR2hef4261/zh7YpdjUREUs0dMQSbf+x7sAE
-50JgvLQWlvA8sDHzbUMQ9cAYZBGGE6iHb50KboeEfuiP5BdiLe8XWKlo1EIh+Idz
-0+e1binxwvXV1/9ACm/UHPRuWjkG7vrP+mVRuhfKglO6xSDxV1cwjYTRtvRtQx8D
-+kTdZzprvtzkU7OIWeczKFJRhVHzNDHYFG9SuxvDA9cbVm1KPVJEkRBwoSBPeB0z
-Z3LSib2uT6Lc/ghAijOwIpR+zNYKOYxRhzoFArrLa0Fs4nq6//LA42/aVjSienEJ
-SR5CVUbZy14WuUsYCkV+ZoORVRYZOcjtPG7FUKDXKzY9/iNhEAZ3OMK7Np2Xq/YO
-gaOiUDFXLHU1n2UVH1rwkMiS2o4EMqvO7gINmnL/ccpI2wj2QrQ+JZ9y1Xky7dQM
-LIIbtp40e0kGocgyba484rW17xlvXRxb1Pjn93JygD6WcraLLNh9jq87hW/J37qi
-S4DL+GUe10H8SeEAEQEAAbQ6TkxuZXQgTGFicyByZWxlYXNlcyBzaWduaW5nIGtl
-eSBHMiA8cmVsZWFzZXNAbmxuZXRsYWJzLm5sPokBzgQTAQoAOBYhBCMQGGkMTZA+
-9BkUaqFEMj3qrN9FBQJnOx+SAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ
-EKFEMj3qrN9FZigL/0aVsJ48oe7vko1Mwg9DucFoCL8CESAarA40in1Bauq7p/pT
-l5UcNnFPLO8HBAHWGWtDI63pEhNzHacPzSI94GKS4TUMGzCV1H/c0KnxB7wAO55b
-HEQOZJ+kFRBFXWxbXORtp86NZuyCvVoSA4QAcnCf4m5ZEBb72H2cmy8xP+/HLkbS
-rpr5pyoUWtCYM8FxnjM3bClXSGOlWNl9cSXLqyyVjxvc7cOAS8ytL/zoVStoBmi/
-OwQbeJfAiqDMnipBJNzOHlfniKXE0FGDozKCHWP88ifs8A8OUNtJng7cNq7EQf9K
-vTvbJCcF4akUUcXnx4gv9Z1ZQ93Jg5X7h+0MP7Ut4z9hKSIAOowru7GXGEt256Ja
-eE1nSviDcqUtZpyqCLjpCDFGPMwSPzSwlPXjJVlVxPkDvPuNt2LUIEd8BR8Wo7z+
-NA5uM/zTHkQXEdUgCcl/rHy6moHYV3Q+YbMb17zU37a5vLb+wQ74doaiYo3b8KoV
-K6vVKMmB0qru6ERJ3g==
-=4R8U
-----END PGP PUBLIC KEY BLOCK-----
--- a/plans/all.fmf
+++ b/plans/all.fmf
@ -1,7 +1,7 @@
 summary: Test plan with all Fedora tests
 discover:
       how: fmf
-       url: https://gitlab.com/redhat/centos-stream/tests/unbound.git
+       url: https://src.fedoraproject.org/tests/unbound.git
 execute:
       how: tmt

--- a/plans/tier1-public.fmf
+++ b/plans/tier1-public.fmf
@ -1,7 +1,7 @@
 summary: Public (Fedora) Tier1 beakerlib tests
 discover:
    how: fmf
-    url: https://gitlab.com/redhat/centos-stream/tests/unbound.git
+    url: https://src.fedoraproject.org/tests/unbound.git
    filter: 'tier: 1'
 execute:
    how: tmt
--- a/root.anchor
+++ b/root.anchor
@ -1,2 +1 @@
-.	172800	IN	DNSKEY	257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ;{id = 38696 (ksk), size = 2048b}
 .       172800  IN      DNSKEY  257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
--- a/root.key
+++ b/root.key
@ -0,0 +1,6 @@
+; // The root key in bind format. This can be read by most tools, including
+; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this
+trusted-keys {
+"." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326
+
+};
--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (unbound-1.24.2.tar.gz) = 655d63ec5305323e84d82691425d74d98c332d0028517bd729d191e5f968ce9481b49ec7447d4c4906dce7997a998a115db36e911a59d2d877da5840c2080261
-SHA512 (unbound-1.24.2.tar.gz.asc) = 66a3e569a606cc3ed7dac9b411fba347da150728427619bdbf12ac57a5d7db1fc17963b1ba052a95d6c6fed67a6f0c1b5920318f6cd34e5091750626dd63fb21
+SHA512 (unbound-1.24.1.tar.gz) = 0332053ff6b2a2b6743fe33460950780a26e2cad236d21a9219e7b1a04576a9887342d59bc244c02c405e93812168175bc3dbe5481a201296899e77cbd201ea5
+SHA512 (unbound-1.24.1.tar.gz.asc) = 64f7baa0af069093f2d2a52d00fa41c26dd3a4a8eb39fbf90ae7355725121583f7dcd79257c064fa13d05f7bb0c602fe30104859a41164a81664cd4c1e275f30
--- a/tmpfiles-unbound-libs.conf
+++ b/tmpfiles-unbound-libs.conf
@ -1,2 +0,0 @@
-d /var/lib/unbound          0755  unbound unbound -
-L /var/lib/unbound/root.key -     -       -       -   ../../../etc/unbound/dnssec-root.key
--- a/unbound-1.24-quic-on-demand-only.patch
+++ b/unbound-1.24-quic-on-demand-only.patch
@ -1,171 +0,0 @@
-From 1dfe06278c1446558b5043d7c57cd901e7d96829 Mon Sep 17 00:00:00 2001
-From: Petr Mensik <pemensik@redhat.com>
-Date: Mon, 24 Nov 2025 13:44:14 +0100
-Subject: [PATCH] Do not initialize quic_table unless it is enabled
-
-Fedora in FIPS mode might fail to initialize ngtcp2 library, because
-some ciphers desired are not available.
-
-Make it possible to skip initialization by setting explicitly quic_port
-to 0. Unless we have some listeners for port 853 configured, skip its
-initialization as well.
-
-Related: https://pagure.io/freeipa/issue/9877
---
- daemon/daemon.c           | 14 +++++++++-----
- services/listen_dnsport.c | 14 +++++++++++---
- util/configparser.y       | 15 +++++++++------
- util/netevent.c           |  3 +++
- 4 files changed, 32 insertions(+), 14 deletions(-)
-
-diff --git a/daemon/daemon.c b/daemon/daemon.c
-index f882bb9ad..a9cc25c67 100644
--- a/daemon/daemon.c
-+++ b/daemon/daemon.c
-@@ -558,9 +558,11 @@ daemon_create_workers(struct daemon* daemon)
- 	verbose(VERB_ALGO, "total of %d outgoing ports available", numport);
- 
- #ifdef HAVE_NGTCP2
-	daemon->doq_table = doq_table_create(daemon->cfg, daemon->rand);
-	if(!daemon->doq_table)
-		fatal_exit("could not create doq_table: out of memory");
-+	if (cfg_has_quic(daemon->cfg)) {
-+		daemon->doq_table = doq_table_create(daemon->cfg, daemon->rand);
-+		if(!daemon->doq_table)
-+			fatal_exit("could not create doq_table: out of memory");
-+	}
- #endif
- 	
- 	daemon->num = (daemon->cfg->num_threads?daemon->cfg->num_threads:1);
-@@ -917,8 +919,10 @@ daemon_cleanup(struct daemon* daemon)
- 	daemon->dnscenv = NULL;
- #endif
- #ifdef HAVE_NGTCP2
-	doq_table_delete(daemon->doq_table);
-	daemon->doq_table = NULL;
-+	if (daemon->doq_table) {
-+		doq_table_delete(daemon->doq_table);
-+		daemon->doq_table = NULL;
-+	}
- #endif
- 	daemon->cfg = NULL;
- }
-diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c
-index f7fcca194..ab8f1ba72 100644
--- a/services/listen_dnsport.c
-+++ b/services/listen_dnsport.c
-@@ -1564,7 +1564,7 @@ listen_create(struct comm_base* base, struct listen_port* ports,
- 			cp = comm_point_create_udp(base, ports->fd,
- 				front->udp_buff, ports->pp2_enabled, cb,
- 				cb_arg, ports->socket);
-		} else if(ports->ftype == listen_type_doq) {
-+		} else if(ports->ftype == listen_type_doq && doq_table) {
- #ifndef HAVE_NGTCP2
- 			log_warn("Unbound is not compiled with "
- 				"ngtcp2. This is required to use DNS "
-@@ -3275,7 +3275,11 @@ nghttp2_session_callbacks* http2_req_callbacks_create(void)
- struct doq_table*
- doq_table_create(struct config_file* cfg, struct ub_randstate* rnd)
- {
-	struct doq_table* table = calloc(1, sizeof(*table));
-+	struct doq_table* table;
-+
-+	if (!cfg->quic_port)
-+		return NULL;
-+	table = calloc(1, sizeof(*table));
- 	if(!table)
- 		return NULL;
- #ifdef USE_NGTCP2_CRYPTO_OSSL
-@@ -3354,7 +3358,7 @@ conn_tree_del(rbnode_type* node, void* arg)
- {
- 	struct doq_table* table = (struct doq_table*)arg;
- 	struct doq_conn* conn;
-	if(!node)
-+	if(!node || !table)
- 		return;
- 	conn = (struct doq_conn*)node->key;
- 	if(conn->timer.timer_in_list) {
-@@ -3413,6 +3417,7 @@ doq_timer_find_time(struct doq_table* table, struct timeval* tv)
- {
- 	struct doq_timer key;
- 	struct rbnode_type* node;
-+	log_assert(table != NULL);
- 	memset(&key, 0, sizeof(key));
- 	key.time.tv_sec = tv->tv_sec;
- 	key.time.tv_usec = tv->tv_usec;
-@@ -4922,6 +4927,7 @@ doq_conid_find(struct doq_table* table, const uint8_t* data, size_t datalen)
- 	key.node.key = &key;
- 	key.cid = (void*)data;
- 	key.cidlen = datalen;
-+	log_assert(table != NULL);
- 	node = rbtree_search(table->conid_tree, &key);
- 	if(node)
- 		return (struct doq_conid*)node->key;
-@@ -5662,6 +5668,8 @@ doq_table_quic_size_available(struct doq_table* table,
- 	struct config_file* cfg, size_t mem)
- {
- 	size_t cur;
-+	if (!table)
-+		return 0;
- 	lock_basic_lock(&table->size_lock);
- 	cur = table->current_size;
- 	lock_basic_unlock(&table->size_lock);
-diff --git a/util/configparser.y b/util/configparser.y
-index bf9c196fc..f159b8cec 100644
--- a/util/configparser.y
-+++ b/util/configparser.y
-@@ -1235,14 +1235,17 @@ server_http_notls_downstream: VAR_HTTP_NOTLS_DOWNSTREAM STRING_ARG
- server_quic_port: VAR_QUIC_PORT STRING_ARG
- 	{
- 		OUTYY(("P(server_quic_port:%s)\n", $2));
-+		if(atoi($2) == 0 && strcmp($2,"0")!=0)
-+			yyerror("port number expected");
-+		else {
-+			cfg_parser->cfg->quic_port = atoi($2);
- #ifndef HAVE_NGTCP2
-		log_warn("%s:%d: Unbound is not compiled with "
-			"ngtcp2. This is required to use DNS "
-			"over QUIC.", cfg_parser->filename, cfg_parser->line);
-+			if (cfg_parser->cfg->quic_port != 0)
-+				log_warn("%s:%d: Unbound is not compiled with "
-+					"ngtcp2. This is required to use DNS "
-+					"over QUIC.", cfg_parser->filename, cfg_parser->line);
- #endif
-		if(atoi($2) == 0)
-			yyerror("port number expected");
-		else cfg_parser->cfg->quic_port = atoi($2);
-+		}
- 		free($2);
- 	};
- server_quic_size: VAR_QUIC_SIZE STRING_ARG
-diff --git a/util/netevent.c b/util/netevent.c
-index aedcb5e07..93db16675 100644
--- a/util/netevent.c
-+++ b/util/netevent.c
-@@ -2723,6 +2723,7 @@ doq_server_socket_create(struct doq_table* table, struct ub_randstate* rnd,
- {
- 	size_t doq_buffer_size = 4096; /* bytes buffer size, for one packet. */
- 	struct doq_server_socket* doq_socket;
-+	log_assert(doq_table != NULL);
- 	doq_socket = calloc(1, sizeof(*doq_socket));
- 	if(!doq_socket) {
- 		return NULL;
-@@ -2804,6 +2805,7 @@ doq_lookup_repinfo(struct doq_table* table, struct comm_reply* repinfo)
- {
- 	struct doq_conn* conn;
- 	struct doq_conn_key key;
-+	log_assert(table != NULL);
- 	doq_conn_key_from_repinfo(&key, repinfo);
- 	lock_rw_rdlock(&table->lock);
- 	conn = doq_conn_find(table, &key.paddr.addr,
-@@ -5880,6 +5882,7 @@ comm_point_create_doq(struct comm_base *base, int fd, sldns_buffer* buffer,
- 	struct config_file* cfg)
- {
- #ifdef HAVE_NGTCP2
-+	log_assert(table != NULL);
- 	struct comm_point* c = (struct comm_point*)calloc(1,
- 		sizeof(struct comm_point));
- 	short evbits;
-- 
-2.52.0
-
--- a/unbound-1.24-swig-function.patch
+++ b/unbound-1.24-swig-function.patch
@ -1,26 +0,0 @@
-From 0fc825def2f812af70189a01b0fe66e1c5050aec Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
-Date: Fri, 24 Oct 2025 20:20:50 +0200
-Subject: [PATCH] Use $action instead of $function in python SWIG interface
-
-$function is not supported since SWIG 4.4.0.
---
- libunbound/python/libunbound.i | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libunbound/python/libunbound.i b/libunbound/python/libunbound.i
-index dc12514..4576844 100644
--- a/libunbound/python/libunbound.i
-+++ b/libunbound/python/libunbound.i
-@@ -853,7 +853,7 @@ Result: ['74.125.43.147', '74.125.43.99', '74.125.43.103', '74.125.43.104']
- %{ 
-   //printf("resolve_start(%lX)\n",(long unsigned int)arg1);
-   Py_BEGIN_ALLOW_THREADS 
-  $function 
-+  $action 
-   Py_END_ALLOW_THREADS 
-   //printf("resolve_stop()\n");
- %} 
-- 
-2.51.0
-
--- a/unbound-fedora-config.patch
+++ b/unbound-fedora-config.patch
@ -14,16 +14,6 @@ diff --git a/doc/example.conf.in b/doc/example.conf.in
 index 59090c6..3a86809 100644
 --- a/doc/example.conf.in
 +++ b/doc/example.conf.in
-@@ -8,6 +8,9 @@
- # Use this anywhere in the file to include other text into this file.
- #include: "otherfile.conf"
-
-+# Default Fedora settings
-+include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf"
-+
- # Use this anywhere in the file to include other text, that explicitly starts a
- # clause, into this file. Text after this directive needs to start a clause.
- #include-toplevel: "otherfile.conf"
@@ -51,11 +51,19 @@ server:
 	# specify 0.0.0.0 and ::0 to bind to all available interfaces.
 	# specify every interface[@port] on a new 'interface:' labelled line.
@ -83,10 +73,13 @@ index 59090c6..3a86809 100644
 	# tls-port: 853
 	# https-port: 443
 	# quic-port: 853
-@@ -1166,6 +1181,9 @@ remote-control:
+@@ -1166,6 +1181,12 @@ remote-control:
 	# unbound-control certificate file.
 	# control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
-
+ 
+# Default Fedora settings
+include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf"
+
 +# Stub and Forward zones
 +include: "@sysconfdir@/unbound/conf.d/*.conf"
 +
--- a/unbound.spec
+++ b/unbound.spec
@ -4,10 +4,6 @@
 %bcond_without dnstap
 %bcond_without systemd
 %bcond_without doh
-%if 0%{?fedora} >= 43 && !0%{?rhel}
-# Do not build with QUIC support in RHEL, until we have also client support.
-%bcond_without ngtcp2
-%endif
 %if 0%{?rhel} && ! 0%{?epel}
 %bcond_with redis
 %else
@ -40,7 +36,7 @@

 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.24.2
+Version: 1.24.1
 Release: %autorelease %{?extra_version:-e %{extra_version}}
 License: BSD-3-Clause
 Url: https://nlnetlabs.nl/projects/unbound/
@ -49,7 +45,7 @@ Source: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
 Source1: unbound.service
 Source3: unbound.munin
 Source4: unbound_munin_
-Source5: mkroot.sh
+Source5: root.key
 Source7: unbound-keygen.service
 Source8: tmpfiles-unbound.conf
 Source9: example.com.key
@ -62,8 +58,8 @@ Source15: unbound-anchor.timer
 Source16: unbound-munin.README
 Source17: unbound-anchor.service
 Source18: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
-# https://nlnetlabs.nl/signing-keys/
-Source19: https://nlnetlabs.nl/downloads/keys/releases-g2.asc#/nlnetlabs2026-g2.asc
+# source: https://nlnetlabs.nl/people/
+Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
 Source20: unbound.sysusers
 Source21: remote-control.conf
 Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc
@ -74,14 +70,9 @@ Source26: remote-control-include.conf
 Source27: fedora-defaults.conf
 Source28: module-setup.sh
 Source29: unbound-initrd.conf
-Source30: tmpfiles-unbound-libs.conf

 # Downstream configuration changes
 Patch1:   unbound-fedora-config.patch
-# https://github.com/NLnetLabs/unbound/pull/1331
-Patch2:   unbound-1.24-swig-function.patch
-# https://github.com/NLnetLabs/unbound/pull/1381
-Patch3:   unbound-1.24-quic-on-demand-only.patch

 BuildRequires: gcc, make
 BuildRequires: openssl-devel
@ -93,9 +84,8 @@ BuildRequires: automake autoconf libtool
 BuildRequires: autoconf-archive
 # Regenerate config parser too
 BuildRequires: bison flex byacc
-BuildRequires: dns-root-data

-%if 0%{?fedora} || 0%{?rhel} >= 9
+%if 0%{?fedora}
 BuildRequires: gnupg2
 %endif
 %if 0%{with_python2}
@ -121,9 +111,6 @@ BuildRequires: systemd-rpm-macros
 %else
 BuildRequires: systemd
 %endif
-%if %{with ngtcp2}
-BuildRequires: ngtcp2-crypto-ossl-devel
-%endif

 # Needed because /usr/sbin/unbound links unbound libs staticly
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@ -165,7 +152,7 @@ The devel package contains the unbound library and the include files
 %package libs
 Summary: Libraries used by the unbound server and client applications
 Recommends: %{name}-anchor
-Requires: dns-root-data
+%{?sysusers_requires_compat}
 %if ! 0%{with_python2}
 # Make explicit conflict with no longer provided python package
 Obsoletes: python2-unbound < 1.9.3
@ -225,8 +212,7 @@ Unbound dracut module allowing use of Unbound for name resolution
 in initramfs.

 %prep
-%if 0%{?fedora} || 0%{?rhel} >= 9
-# TODO: Remove Yorgos.asc and extra verification once releases start to be signed by new g2 key
+%if 0%{?fedora}
 %{gpgverify} --keyring='%{SOURCE22}' --signature='%{SOURCE18}' --data='%{SOURCE0}' || \
 %{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}'
 %endif
@ -297,9 +283,6 @@ autoreconf -fiv
 %if %{with redis}
            --with-libhiredis \
            --enable-cachedb \
-%endif
-%if %{with ngtcp2}
-            --with-libngtcp2 \
 %endif
            %{configure_args}

@ -315,9 +298,6 @@ pushd %{dir_secondary}
 %endif
 %if %{with systemd}
            --enable-systemd \
-%endif
-%if %{with ngtcp2}
-            --with-libngtcp2 \
 %endif
            %{configure_args}

@ -360,20 +340,22 @@ done
 %endif

 # install streamtcp man page
-install -p -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
-install -p -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc
+install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
+install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc

 # Install tmpfiles.d config
 install -d -m 0755 %{buildroot}%{_tmpfilesdir} %{buildroot}%{_sharedstatedir}/unbound
-install -p -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf
-install -p -m 0644 %{SOURCE30} %{buildroot}%{_tmpfilesdir}/unbound-libs.conf
+install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf

 # install root - we keep a copy of the root key in old location,
 # in case user has changed the configuration and we wouldn't update it there
-sh %{SOURCE5} root.key
-install -m 0644 root.key %{buildroot}%{_sysconfdir}/unbound/
-ln -sr "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key" "%{buildroot}%{_sharedstatedir}/unbound/root.key"
-ln -sr "%{buildroot}%{_datadir}/dns-root-data/root.key" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key"
+install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/
+install -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/unbound/dnssec-root.key
+# make initial key static
+pushd %{buildroot}%{_sharedstatedir}/unbound
+  KEYPATH=$(realpath --relative-to="%{buildroot}%{_sharedstatedir}/unbound" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key")
+  ln -s "$KEYPATH" root.key
+popd

 # remove static library from install (fedora packaging guidelines)
 rm %{buildroot}%{_libdir}/*.la
@ -413,6 +395,8 @@ mkdir -p %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
 install -p -m 0755 %{SOURCE28} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
 install -p -m 0644 %{SOURCE29} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound

+%pre libs
+%sysusers_create_compat %{SOURCE20}

 %post
 %systemd_post unbound.service
@ -440,13 +424,6 @@ fi
 %postun anchor
 %systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer

-%triggerun -- unbound < 1.23.1-4
-if [ "$(stat -c '%%a %%G' %{_sysconfdir}/%{name}/unbound_control.key 2>/dev/null)" = '600 unbound' ]; then
-   # change permissions of existing key just once, where it were generated with wrong perms
-   %{_bindir}/chmod g+r "%{_sysconfdir}/%{name}/unbound_control.key" || :
-fi
-
-
 %check
 export OPENSSL_CONF="%{buildroot}%{_sysconfdir}/unbound/openssl-sha1.conf"
 make check
@ -522,11 +499,10 @@ popd
 %{_sysusersdir}/%{name}.conf
 %{_libdir}/libunbound.so.8*
 %dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
-%config %verify(not link owner group size mtime mode md5) %{_sharedstatedir}/%{name}/root.key
+%config(noreplace) %verify(not link user group) %{_sharedstatedir}/%{name}/root.key
 # just left for backwards compat with user changed unbound.conf files - format is different!
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-root.key
-%attr(0644,root,root) %{_tmpfilesdir}/unbound-libs.conf
+%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
+%attr(0644,root,root) %config %{_sysconfdir}/%{name}/dnssec-root.key

 %files anchor
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
--- a/wouter.nlnetlabs.nl.key
+++ b/wouter.nlnetlabs.nl.key
@ -0,0 +1,123 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+xsFNBE2v/RwBEACyQpJlpCeSZBV1QUH7jNEp5xGdo6OnX2h9XoZ4ZPsb+u6OT+xE
+SH45ncnISUh8rPCygbeWOoPR/yOBzh+lYoGxQ5iUHtwRrhHq04sQe/qFpXDO2xs6
+1pTcPU2PnH7Rsr2qp6fZLPHuXLolD7NJfaSib8sVeMM0/ecyl/L2bBg9NpaGDX0x
+TQh95M8o6AFo6UKWApBpgsvEZr2aH/B8b9KnCWFhfJyheEM7DamksdZNsKxXQyq3
+l/ROfdsMLZGF8vPbYV/v11G4keyaLpn8AbBpybIiw9SYDwf2ENk3+e1NFfMaiiyE
+qn9+aaLTKCY87TMUuoN3s3jWOOy5tHXzf6DbKhub4Awsby3DH5YpPhi4N2vj2pAX
+Vpl5+m78cH29JLzT+HAoyZ4tq1r3m0P5QogNqYwqxkKWYOjDilNDBiKiDdgtrLYG
+x+ABovKG/FvToJoaCL4AFaVCzWmL2uHkSgyBN0FPHatCB1UeEkcQit6T8E2NQqmF
+WjUMXSWHHajSMG95+L5PdLHz/Ku0o3Csvlt2pkElYZmzJBfnOM9JevdsmKr/ruJC
+/DCZAn5w2S/9ZF5qfo2F9HUKIwE/dChR29HcN8V4nqZs9oCvEMfFhHmrfwDc5hed
+hvb6mAkvSFFtKIrygLIVeWRj3FE9sGp6sr4VwOLYTFRNk7mAsWD1rZApeQARAQAB
+zSdXLkMuQS4gV2lqbmdhYXJkcyA8d291dGVyQG5sbmV0bGFicy5ubD7CwX4EEwEC
+ACgFAk2v/RwCGyMFCQlmAYAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEJ9v
+HC1+BF+N3yoQAIynfrvZ/8RNAv9lLcSc2PX3fvG7oRJEJSy9uMyIbMtb/a1BVCeh
+XjR8GhHJ5D/Z3jRWBQKw1rLLvOqbuBGkpKMR100ZVF4z/8e6CWtTAOFy28f1JQw2
+8kilN7K6vjno21S1JJ1XJAdoFdicyb1SW2r+KYod6fjSyF0lb71od+sdnSE9O/xd
+Cqyyu6cX+AwfDcuJ6Y8iOWu8CeWAz41LR1QBUQkCb/08mVfCEu+Cj+M31jjPDZEy
+UAw219vr4QFe0o3t+Msv0AUZvcRkW6+8qP5lO6I5we/33WBLZH70lhFvYtobM7HO
+MCjheRZguSzvRqEETfTjia1uVi3Yz2qM4CFdJIZF6Er79yKcB3jYquultrnlHdXZ
+/IZsHVRk6JfiqFkz9u1T9PkvMoQ452aUomGTg9xQchnKpe1E8osKgLulaY+izTEq
+Z8pH/HWWJ/YT13/n8pxK9EbC/8SkVhyXNehOSAGDZar+tjVBofgzS8r+GDyv+pBT
+SmjitIrVXZNuhigLp1o7Tvs4kjKlcFnLhfDHJ+yb5JyiZd01bVvaqnfRhACqXfWl
+oC0uslRbegoYwJUgX0BOrsOuHGH2SfGjd/QnA0bcEXM2kp1Dp1gqtcEd5Qitm647
+Yz+leWkhrmMmtTwqumXoAcvgzthJFUPcAzuhXZNfqQJMOGRxAGVI0P97wsF+BBMB
+AgAoAhsjBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCVu+rZAUJDQIVSAAKCRCf
+bxwtfgRfjdrWEACMQK0xYtZtAvLL/8CCcCi92Oi1rtXRGWnRy7JX020hftmWliMq
+4P0F3CJKVLhgZ/ldp8OOqmfDfmwLMVSaCQ86Ubqn7Ofrf8Ku8SGQuIMxY2ODB97h
+ouY4bnDHaM2Cqi6JkBN+G1tgdwqN/kcecF2tq3ql2k7eX91++A+F5ApIu1silzJP
+L4Z8W6MVOdKrtzEM7t61hRlsbpEPj72vbVBZ1hmTiIL4VWwdxQYamxBoOeneskyD
+DG+iMCI3P1GG3EQkk+9Aect/iH9uruE0mxn2aKN8cfuoR93cPF/ozCxS5ItwAVnN
+e39WRO1GT2zYaFgYm0lf9czcpRsRzNbGw938lZ3iPUiZe+ybKgLKkVmvrkM59ljH
+T99SrC14VXxgQwSs4gS3rdzbY9tPps62Z1q+xCVfTx1IY5P4nt59xwQV0Iw+pV9S
+/mVcOnPXl1UKb0ttOdYJErrq3RpF/D2g/NDtL0OWqIa8LvrBlyQYmWPKvKw76vt4
+bJ3NU31jSc0ow/j7EOVjOst86s629zmtnbJjWVr6LOy5EDUPusmqHv1t4Z4RMjf8
+OrJdNbFJoRXZv8FbW4NzXeGtMf8k6vKeejpdMH4+eLuoZG7dchU1JccfgqfwWpy0
+ojmb59drJcaQgVC6Jvw9l0TmGPNIsE4UrIWocaFgv4dOKvHA2hcnMDM8rsLBlQQT
+AQIAPwIbIwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQTt+qPyyk5usFaBr46f
+bxwtfgRfjQUCWaU4BQUJEZjVaQAKCRCfbxwtfgRfjb1YEACjkhtkyZkYURUmSZNL
+2IK/Zencv7DZGRfFrzijROFtHbe//H8o2ZhlyiaFSA/dT1ehjsukkR0oFkYadA+q
+Ui06WpxGmd/jf8hP4yTUZkwOhQAesWoNmnhKePNaVMKY8DP57bA+N2pdCcGu7gUt
+Yzq2JoTAtV+P/PE2w+H9eyBAulv6iUckM5/qvGfJPl8HB9BtgOpGN79otVWO6ebM
+4TQ3cZYI9BDQnt9cF2pviex+z1iLZVJ8UeRxSxYhrBKPJioi0Q1OgcKyO56t7Eot
+zxKl5TzprgvdX4cdls+lehD8StlE2Xv/TScHvdOhJuVBrn3a3QjZPb4qSsz74leW
+5/EIQmozBy+qf8AHcCmTXwb2U7oHOct7cVyS5+bFx+ThpV5OK0rjTH1LMNiuTeAN
+46c1y3prjZRpQUlgVwj06q3Zz/fzDyueUS/r4lW4nAf/VNZy/rTS2HYPoZbHZVCt
+GpDIfag6fV6V97Pd3zfhTf2wmsJsw9Xhktp/o7rMBRSMhvL4oevOXb0JSG2583Q/
+JnCCceB4NxRRxsgkRYHwdnXN9FnOPSa4NyvF4rzpPksLGZrhvm+lBvzVn/e40Q/K
+lxvSlnn2vW/WBM4pBq1jsoJrd/JkTdijZV7mt7HQ2bCLXAPgfZjy7n79WiCQVHg7
+iYnNikiNWR5TR7JcvdkxOdiA/8LBlQQTAQgAPwIbIwYLCQgHAwIGFQgCCQoLBBYC
+AwECHgECF4AWIQTt+qPyyk5usFaBr46fbxwtfgRfjQUCXe4JdQUJGaQN2QAKCRCf
+bxwtfgRfjQ8gEACe+49aDQHRuZdDHK1VCJKzhb+MvfdIjvl8eQxljpG9Uz5Y17Bx
+4SWfuLHCeGlh1m6IOAWeW4g6Wowm1ec1PkVa79TdrkKb0MxfLSat6iDbiuVjDxy2
+bWokW0/cPzJ/FoWDtEC0H9UTAMb5QGBDZUbLuwX7ZjvMkAhH15/hO9Gj4RHoH1RJ
+GJALRtZzjtzsJqL53kW/EV59V1T79Nocyx018iw50Jn02mI8wYJZ9HZc5C7D+K59
+vcqLRZgkrJrObw0sEv3YFOBYp/1DemH2nHPMBSKMmN5RAcr32guUjd4BEWf2Q7Ao
+Qnhdi161W0YKCW4JAmOoQ4bQ0wfE9Q5aUIGhUF52L+ac8Hy7dByaCExCA/WTqQQ
+/iVPybmpJQhFonWt/fmpxbE2wKThSEOHTO67e5e3JfUb0vNKssyZojao4h1MF5nv
+aPNKoybWwKnpNM0ORcyl+aogKwW7E15TEU0TE5//gAsFwRDcCnSEKnksgM0321m1
+7RDfJbCajIv47DHDYE3yvhRZjCJCaw0Gow1sDRWjdOFpmIixD5/vx5uxyqSHPuGA
+sXlEvl+Z3Rdc5bQ7pAWu7UNpR3hnJPfg8KL2xqOF75VKG9/NjLE80yj8wdVoCfDv
+vizrBtOXnHI49gCMCfNqbGIb5yVhmTdeo7li+Te9hlJ2DrHnujGJlFe+p87BTQRN
+r/0cARAApvDKeVLiSazESdTY9KsSWsqoB38pvOsu25M49tEjc5TtY5LwKNckqkeR
+lJ83O8dFG7UBVuGwLKaf/6OR/pe24upZ27eOOWW7sXvQNv5aXlOYfF+mjIhUINqj
+q4pKDmO1c9J7h5d+auOVfzcgfotg3BVCaKn56ucjiQJ059uUMfgWTvVlibnoJ7de
+Zcgt8v7VcLK9jv+P8QJHTIyDzJd+JjdjuHXqC/A37T5G9Z84x8wYrQY6mZmOIYaM
+jwIKdgFeN+nLk5henARUz4MTFUW4j9hHpuyAFomDQ93/wkHZ9IEChTxdZnfvsd//
+Z45vfcX9dQM+tuR8XCYThVsScI1TnwR46hi5NkfmHo3HVxwB8/owJ+FZDsTNBbJd
+7AVy27Xk4L5hLe7BwLDtFMyOp4lOipCM7//mtFB9mTzqnOwiSSyTRlwGUBJkzQFW
+Qa0Z6bfYwA6+y1dn19H519GW49irtl+2+W8W4N8oLriIjPvqrQOyaELFcRfV6FfL
+i09HPhHVbejOqIEbOtfuN0+mjrrGAwortfTBjfw80N+W90BTvta4K2SyjHcJTkDY
+ehfOo/5IMpGtDsOgvsCbDaFRnNJuYtSqQmvWk1KIPIw6CkdJtZa3+q3YA7D7ovOV
+H1OBTKNdBjc+X4W8L5R9MCymXWvgiP+52Sv1VIcZmsnCBrwK490AEQEAAcLBZQQY
+AQIADwUCTa/9HAIbDAUJCWYBgAAKCRCfbxwtfgRfjTY/D/9+kX8LeqBhwDdwy3ud
+V67KmVmytwGMfzBHbAyBdy84X06ip/If/VkjL+2Sv5Uml/cOOzGZT7y/KEt0uXQz
+gOZhGP5Y0OREf4kSzfb7tsGu3ZjTp5uJe7HiJr8uqYGfx94TQG/A3x1C7MlxOGmW
+DK/Eh/eNVeNd+3yyDEzl2p7a0yUhI8LtzllVrEDX+G4rz+mdDw4tfPDqzRPzPvVt
+PfqnfofHP5r2dshGe7+pCTC+o0jHWpaiFkEiIrR3PbZ9tV6+F5LzCUJJP5nepz6C
+ShpLHq9ST6qZiw5ZpdznHW0kVl96YxgynJq9Y4dqD/8nOfTzdHhXXEogGvRfcxat
+xeZF7YNFhUU2p+CswAjRKCUzZAz0hDAu+dJ+fw4Odx7ii8uiwhEnEHoo8rPETkXw
+UK1je4MCzMRSy0Gippzk/oZ7noIml+Njas/UygavUOQm8bcPqGfWeFqvM2C7ZobL
+2iV0fX/bhEmQyosiWJ0nHuKdwDYygYs/4LtZLxwiKli/lm6IDz1028j6/98Z81gG
+oltXWokTYAPEgcBuhyiSLSQ1wojTVMYt9rPKMBakTzP+0FoWqoNafWOlHovP6iUB
+2Igll2ZT3AvrBQ8jAbRbuUl46QpBaKsl+pBo86az0fRkMxv0N4dQv4Q7Z0g71u9N
+Tpaq1vtAZOwc0kl3uGNK18PnV8LBZQQYAQIADwIbDAUCVu+raQUJDQIVTQAKCRCf
+bxwtfgRfjVnYEACZ1E/FfLDi4vLUd9diImmNN/zWDHxTsO/VG3lt50rSoJM5NGB4
+RlwcbUKhah2fD44FFiIqGIvKD9hRgB51dVRIkaR3ozVtXRBKxJJqWj38wf2FDLtU
+XC5/JHYb0sjAc3ad2sA9xEmEBVO1lWK3J6h4gKZiAGlWz3oeOSve3vrTKsBlP0Cu
+rUeb4WTVpw4drBJD7cDh8SJ4/Cq76UFx8lW0xR+pHZHcd0/Ir5v5HnnEgbnut4Ix
+eY3/CGBfQfSQHylK7ifmPWq+dflC/ZdfHY1V96EHKPM44ZLwiczoY3qp5nkmEc3B
+Y6+P8Ch5gddOYaY18wpedarswnpOLQD2Xbsj66Eh0IZuuuZGyfOqJNaWbP33L27e
+g35XQNTgyhuZmDyRKL6yAbhU74TXCCvze/kkfqDn2ouCtM8/kqLX1v0+NkBxlhZU
+kTTVDyclZtwu6Vypus3+j2Zqk8sXeUZI64sjXpzwOcMZxdl3QuyxMktExWzk9Q5D
+YqO+pj/YGt1vp2M0YgSUWNWCvfBcjEPFgaljyqz3BdvR/LYohnXuQL9SWObF+sIF
+c9D0w/yORYQcKP5kSWVC/qwFdC61OGeSDnQ/0o0T5PefhYS82gsIrjQ+HIJ7CLUT
+k7kBNljvtfpoWegH02feR0kSRoCXA6x+YHT4fmB41pW8S1V5a5dEltA/JMLBfAQY
+AQIAJgIbDBYhBO36o/LKTm6wVoGvjp9vHC1+BF+NBQJZpTgKBQkRmNVuAAoJEJ9v
+HC1+BF+NyNQP/A3h+cOOkYUxyKpNHdtlIfCn8db5tHXSCbE19Qi7EK1SiK5atjo+
+VoRtB+L01kH6GCx5oZjeIhUdzYFwEUsdCDgwD6r0dKFwKIGa4TFcfnx+Z5B+HZgL
+Yc6ac5PEHF1qZVXZH9GSGeNw5h2yyqf4yhvetSN6L2id14m5XXJV5e7NfOgmaSnG
+0Z+wQvPSiu+Q00XpENT8HFSTSCjRATjk12rpy6TPeeC52NK1gLhGDRHN0k6m+vm4
+yoC+Nd6iPQpnc+5xs7NDnq2dFuSTp7UTGebzPhhdSQgujEFuYLwzQMZu1h5amtA+
+v9j7BYEJkOMC7bm1PNNA2QQ6QfH8Hf+mJeINyJO8A5KS3ceP+eo3SLR8T0hPzu9g
+ZuZ22Hn3DXQh1VNRshaLKgNvoXpL3dQ48d1SFFKhEDpy2HSXUq2fs5rH0uszFGes
+G7K6EQRAYRcDrCkt9fdfkvCSxAFw9d+472xThzgKcN+MkOec+SaY+xlVULjEfCWy
+RVC8Opam4mTm/XT4mVLxP/qnsy7kEhLoc/ouB+lY/ks06LpZJvCXL6WfA9You1Fi
+1Mg7GhSh9JKg6X6E8Trm+N4dxJGut1xbbGmmKXqfi4pej9KlkdeM9t1df/vWKlPa
+7Hzd8H0btgJx066wC4yt0ghxtsJXBsCDxWLfzaSRZ2/eP16mHqxDjsQQwsF8BBgB
+CAAmAhsMFiEE7fqj8spObrBWga+On28cLX4EX40FAl3uCX0FCRmkDeEACgkQn28c
+LX4EX43TQA/+JV8ReMRJCn3Cfqbe5ycFn8p6dIVnJiQuhiEyu5yzdpSkKyzcVFJO
+bQcqw7s50FJuLUbxdvbcuGIaoTu7dhBoUXO5tOuIQAsKTfGfgoOgelJm+/q2h645
+EnAVINGbMDXrmo4/UFJkNjUMA6SQi/yiam7N0y58eoDC4sGmBKuN2EW2MoWahlXw
+8SS1+Ab9qVBs/RqbSy6f1nJL39aPpPDmvyJOSYtHnNSFlYWVhr0zGAi5rnswlFGr
+ECGbHpr5FajUK7zcmtNPbi7F30K48xfF3XnDIeIBcerrEBQMaPUZcBlddGhmSVVJ
+ZU/YhR35JNgPnmp33gOuZaRiW9lauZFwsMQBIBkLpJWoUtu8QLkyC0HmJzVRep0/
+s1RkzaJ+1G1BzXTQiXaLaUQWG5h3pcMD8fxY5qp9KbG/+10bY0sRbRBXgS6mz7dd
+HaBtg/E8ty2nEB1HDXA9HAHu7KlH9e96sPZjz9C46ZiOXe6ZAOk6wBYts4RG4bCQ
+9pGORJ+P2Jr2pz1NZQbs1AhnjJixTsfZfsGZ5lHxGLjIyxtdGB/irLEqNTIMek2y
+p4CShmWoZwN0V3aGYMe/rC4tSXG79IeKNwF3Vd5MHtB+hcJG2qztBtKQuW29rbRA
+5bNxwTWe8skwOKsxXnP9RC974k0XkPS+VwgmVgNN1ewS/0oHvmEP71Q=
+=Oqje
+-----END PGP PUBLIC KEY BLOCK-----
Author	SHA1	Message	Date
Petr Menšík	7340797731	Update to 1.24.1 (rhbz#2405698) Fix CVE-2025-11411 (possible domain hijacking attack), reported by Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan from Tsinghua University. https://nlnetlabs.nl/projects/unbound/download/#unbound-1-24-1	2025-10-24 19:11:51 +02:00
Tomas Korbar	ef56edf89a	Update to 1.23.1 (rhbz#2380450) https://github.com/NLnetLabs/unbound/releases/tag/release-1.23.1 This security release fixes the Rebirthday Attack CVE-2025-5994.	2025-07-21 15:42:34 +02:00
Petr Menšík	4e98844521	Remove group access from unbound_server.key It were ensured by the generation script, that the generated key would be readable just by the user. Since PR #1220 is the control channel key readable by group too, but make generated server key marked for the root only. Do not show in list of modified files.	2025-06-10 14:46:34 +02:00
Petr Menšík	ee7a29df52	Add wildcard into gitignore for new upstreams	2025-06-10 14:46:34 +02:00
Petr Menšík	483c74cc4d	Update to 1.23.0 (rhbz#2362019) Features: - Increase the default of max-global-quota to 200 from 128 after operational feedback. Still keeping the possible amplification factor (CAMP related issues) in the hundreds. - Fix #1175: serve-expired does not adhere to secure-by-default principle. The default value of serve-expired-client-timeout is set to 1800 as suggested by RFC8767. - For #1175, the default value of serve-expired-ttl is set to 86400 (1 day) as suggested by RFC8767. - For #1207: [FR] Support for RESINFO RRType 261 (RFC9606), add LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT. - Add resolver.arpa and service.arpa to the default locally served zones. - Merge #1042: Fast Reload. The unbound-control fast_reload is added. It reads changed config in a thread, then only briefly pauses the service threads, that keep running. DNS service is only interrupted briefly, less than a second. - Merge #1019: Redis read-only replica support. Introduces new 'redis-replica-*' options for the Redis cache backend. - Merge #902: DNS Error Reporting (RFC 9567). Introduces new configuration option 'dns-error-reporting' and new statistics for 'num.dns_error_reports'. And bug fixes. https://nlnetlabs.nl/projects/unbound/download/#unbound-1-23-0	2025-06-10 14:46:34 +02:00
Tomas Korbar	eb147cf192	Fix ownership and mode record of rundir Previous change introduced mode change and group change of rundir but it was not changed in files section, so fix that.	2025-02-10 20:58:34 +01:00
Tomas Korbar	dd92a31cec	Add possibility to disable unbound-anchor by file presence	2025-02-10 15:44:08 +01:00