rpms
/
unbound
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Merged update from upstream sources 

This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/unbound.git#b29f943a4c335573eadbb8511cc76b34bd450b18
This commit is contained in:
DistroBaker 2020-12-10 01:48:09 +01:00
parent 0ddc5a48dd
commit 087959bbbc
5 changed files with 123 additions and 101 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -59,3 +59,5 @@ unbound-1.4.5.tar.gz
/unbound-1.10.0.tar.gz.asc
/unbound-1.10.1.tar.gz
/unbound-1.10.1.tar.gz.asc
/unbound-1.12.0.tar.gz
/unbound-1.12.0.tar.gz.asc

4
sources
View File

@ -1,2 +1,2 @@
SHA512 (unbound-1.10.1.tar.gz) = d07f3ac0e751c17a3ff7d99518c22529cf6856861218564a2ca073422905525cb9ddaf76c9600187946fadb7324343bcd85c34ff06bd322e0ea621a2d258bb85
SHA512 (unbound-1.10.1.tar.gz.asc) = 95d32b4ebfac501a1ae481c9211a88f7ad115e51a470794c6273bea7fedff62cef71445a4110b686938657b9450502bd5d47935e4552d3a9fc740b1348d6d991
SHA512 (unbound-1.12.0.tar.gz) = 90d99bc65e9ba62e50a7809dbf1e98889d0fc9fd50cf3cc99b726c67bcaeda0c2bc176d09f84771adb9796833b595591462f96e949d6969a47d6898d8fae3479
SHA512 (unbound-1.12.0.tar.gz.asc) = b9db74bde4cd2ecbd9ba04468716135f4a45b437f17e92564f0e595e5e3462e955808aa1f0dea17a9a6fd1403c32e4eff7815f22e630229db10f50080c9a85a3

74
unbound-1.10.0-auth-callback.patch
View File

@ -1,74 +0,0 @@
--- a/services/authzone.c 2020-04-16 13:01:10.550618034 +0200
+++ b/services/authzone.c 2020-04-16 13:07:04.624476160 +0200
@@ -5331,7 +5331,7 @@
log_assert(xfr->task_transfer);
lock_basic_lock(&xfr->lock);
env = xfr->task_transfer->env;
- if(env->outnet->want_to_quit) {
+ if(!env || env->outnet->want_to_quit) {
lock_basic_unlock(&xfr->lock);
return; /* stop on quit */
}
@@ -5770,7 +5770,7 @@
log_assert(xfr->task_transfer);
lock_basic_lock(&xfr->lock);
env = xfr->task_transfer->env;
- if(env->outnet->want_to_quit) {
+ if(!env || env->outnet->want_to_quit) {
lock_basic_unlock(&xfr->lock);
return; /* stop on quit */
}
@@ -5812,7 +5812,7 @@
log_assert(xfr->task_transfer);
lock_basic_lock(&xfr->lock);
env = xfr->task_transfer->env;
- if(env->outnet->want_to_quit) {
+ if(!env || env->outnet->want_to_quit) {
lock_basic_unlock(&xfr->lock);
return 0; /* stop on quit */
}
@@ -5893,7 +5893,7 @@
log_assert(xfr->task_transfer);
lock_basic_lock(&xfr->lock);
env = xfr->task_transfer->env;
- if(env->outnet->want_to_quit) {
+ if(!env || env->outnet->want_to_quit) {
lock_basic_unlock(&xfr->lock);
return 0; /* stop on quit */
}
@@ -6107,7 +6107,7 @@
log_assert(xfr->task_probe);
lock_basic_lock(&xfr->lock);
env = xfr->task_probe->env;
- if(env->outnet->want_to_quit) {
+ if(!env || env->outnet->want_to_quit) {
lock_basic_unlock(&xfr->lock);
return; /* stop on quit */
}
@@ -6143,7 +6143,7 @@
log_assert(xfr->task_probe);
lock_basic_lock(&xfr->lock);
env = xfr->task_probe->env;
- if(env->outnet->want_to_quit) {
+ if(!env || env->outnet->want_to_quit) {
lock_basic_unlock(&xfr->lock);
return 0; /* stop on quit */
}
@@ -6388,7 +6388,7 @@
log_assert(xfr->task_probe);
lock_basic_lock(&xfr->lock);
env = xfr->task_probe->env;
- if(env->outnet->want_to_quit) {
+ if(!env || env->outnet->want_to_quit) {
lock_basic_unlock(&xfr->lock);
return; /* stop on quit */
}
@@ -6465,7 +6465,7 @@
log_assert(xfr->task_nextprobe);
lock_basic_lock(&xfr->lock);
env = xfr->task_nextprobe->env;
- if(env->outnet->want_to_quit) {
+ if(!env || env->outnet->want_to_quit) {
lock_basic_unlock(&xfr->lock);
return; /* stop on quit */
}

119
unbound.conf
View File

@ -5,9 +5,13 @@
#
# this is a comment.
#Use this to include other text into the file.
# Use this anywhere in the file to include other text into this file.
#include: "otherfile.conf"
# Use this anywhere in the file to include other text, that explicitly starts a
# clause, into this file. Text after this directive needs to start a clause.
#include-toplevel: "otherfile.conf"
# The server clause sets the main parameters.
server:
# whitespace is not necessary, but looks cleaner.
@ -86,6 +90,9 @@ server:
# Set this to yes to prefer ipv6 upstream servers over ipv4.
# prefer-ip6: no
# Prefer ipv4 upstream servers, even if ipv6 is available.
# prefer-ip4: no
# number of ports to allocate per thread, determines the size of the
# port range that can be open simultaneously. About double the
# num-queries-per-thread, or, use as many as the OS will allow you.
@ -135,9 +142,14 @@ server:
# Linux only. On Linux you also have ip-transparent that is similar.
# ip-freebind: no
# the value of the Differentiated Services Codepoint (DSCP)
# in the differentiated services field (DS) of the outgoing
# IP packets
# ip-dscp: 0
# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
# is set with msg-buffer-size). 1472 can solve fragmentation (timeouts)
# edns-buffer-size: 4096
# edns-buffer-size: 1232
# Maximum UDP response size (not applied to TCP response).
# Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
@ -444,8 +456,8 @@ server:
# Domains (and domains in them) without support for dns-0x20 and
# the fallback fails because they keep sending different answers.
# caps-whitelist: "licdn.com"
# caps-whitelist: "senderbase.org"
# caps-exempt: "licdn.com"
# caps-exempt: "senderbase.org"
# Enforce privacy of these addresses. Strips them away from answers.
# It may cause DNSSEC validation to additionally mark it as bogus.
@ -522,11 +534,6 @@ server:
# Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
root-key-sentinel: yes
# File with DLV trusted keys. Same format as trust-anchor-file.
# There can be only one DLV configured, it is trusted from root down.
# DLV is going to be decommissioned. Please do not use it any more.
# dlv-anchor-file: "dlv.isc.org.key"
# File with trusted keys for validation. Specify more than one file
# with several entries, one file per entry.
# Zone file format, with DS and DNSKEY entries.
@ -587,8 +594,8 @@ server:
# that set CD but cannot validate themselves.
# ignore-cd-flag: no
# Serve expired responses from cache, with TTL 0 in the response,
# and then attempt to fetch the data afresh.
# Serve expired responses from cache, with serve-expired-reply-ttl in
# the response, and then attempt to fetch the data afresh.
serve-expired: yes
#
# Limit serving of expired responses to configured seconds after
@ -606,7 +613,7 @@ server:
#
# Time in milliseconds before replying to the client with expired data.
# This essentially enables the serve-stale behavior as specified in
# draft-ietf-dnsop-serve-stale-10 that first tries to resolve before
# RFC 8767 that first tries to resolve before
# immediately responding with expired data. 0 disables this behavior.
# A recommended value is 1800.
# serve-expired-client-timeout: 0
@ -644,7 +651,7 @@ server:
# more slabs reduce lock contention, but fragment memory usage.
# key-cache-slabs: 4
# the amount of memory to use for the negative cache (used for DLV).
# the amount of memory to use for the negative cache.
# plain value in bytes or you can append k, m or G. default is "1Mb".
# neg-cache-size: 1m
@ -757,18 +764,24 @@ server:
# add a netblock specific override to a localzone, with zone type
# local-zone-override: "example.com" 192.0.2.0/24 refuse
# service clients over TLS (on the TCP sockets), with plain DNS inside
# the TLS stream. Give the certificate to use and private key.
# service clients over TLS (on the TCP sockets) with plain DNS inside
# the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
# Give the certificate to use and private key.
# default is "" (disabled). requires restart to take effect.
# tls-service-key: "/etc/unbound/unbound_server.key"
# tls-service-pem: "/etc/unbound/unbound_server.pem"
# tls-port: 853
# https-port: 443
# cipher setting for TLSv1.2
# tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
# cipher setting for TLSv1.3
# tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
# Use the SNI extension for TLS connections. Default is yes.
# Changing the value requires a reload.
# tls-use-sni: yes
# Add the secret file for TLS Session Ticket.
# Secret file must be 80 bytes of random data.
# First key use to encrypt and decrypt TLS session tickets.
@ -790,6 +803,38 @@ server:
# Also serve tls on these port numbers (eg. 443, ...), by listing
# tls-additional-port: portno for each of the port numbers.
# HTTP endpoint to provide DNS-over-HTTPS service on.
# http-endpoint: "/dns-query"
# HTTP/2 SETTINGS_MAX_CONCURRENT_STREAMS value to use.
# http-max-streams: 100
# Maximum number of bytes used for all HTTP/2 query buffers.
# http-query-buffer-size: 4m
# Maximum number of bytes used for all HTTP/2 response buffers.
# http-response-buffer-size: 4m
# Set TCP_NODELAY socket option on sockets used for DNS-over-HTTPS
# service.
# http-nodelay: yes
# HTTP endpoint to provide DNS-over-HTTPS service on.
# http-endpoint: "/dns-query"
# HTTP/2 SETTINGS_MAX_CONCURRENT_STREAMS value to use.
# http-max-streams: 100
# Maximum number of bytes used for all HTTP/2 query buffers.
# http-query-buffer-size: 4m
# Maximum number of bytes used for all HTTP/2 response buffers.
# http-response-buffer-size: 4m
# Set TCP_NODELAY socket option on sockets used for DNS-over-HTTPS
# service.
# http-nodelay: yes
# DNS64 prefix. Must be specified when DNS64 is use.
# Enable dns64 in module-config. Used to synthesize IPv6 from IPv4.
# dns64-prefix: 64:ff9b::0/96
@ -865,9 +910,9 @@ server:
# ipsecmod-ignore-bogus: no
#
# Domains for which ipsecmod will be triggered. If not defined (default)
# all domains are treated as being whitelisted.
# ipsecmod-whitelist: "libreswan.org"
# ipsecmod-whitelist: "nlnetlabs.nl"
# all domains are treated as being allowed.
# ipsecmod-allow: "example.com"
# ipsecmod-allow: "nlnetlabs.nl"
# Python config section. To enable:
# o use --with-pythonmodule to configure before compiling.
@ -1056,10 +1101,12 @@ auth-zone:
# redis-server-port: 6379
# # timeout (in ms) for communication with the redis server
# redis-timeout: 100
# # set timeout on redis records based on DNS response TTL
# redis-expire-records: no
# IPSet
# Add specify domain into set via ipset.
# Note: To enable ipset needs run unbound as root user.
# Note: To enable ipset unbound needs run as root user.
# ipset:
# # set name for ip v4 addresses
# name-v4: "list-v4"
@ -1067,6 +1114,40 @@ auth-zone:
# name-v6: "list-v6"
#
# Dnstap logging support, if compiled in. To enable, set the dnstap-enable
# to yes and also some of dnstap-log-..-messages to yes. And select an
# upstream log destination, by socket path, TCP or TLS destination.
# dnstap:
# dnstap-enable: no
# # if set to yes frame streams will be used in bidirectional mode
# dnstap-bidirectional: yes
# dnstap-socket-path: ""
# # if "" use the unix socket in dnstap-socket-path, otherwise,
# # set it to "IPaddress[@port]" of the destination.
# dnstap-ip: ""
# # if set to yes if you want to use TLS to dnstap-ip, no for TCP.
# dnstap-tls: yes
# # name for authenticating the upstream server. or "" disabled.
# dnstap-tls-server-name: ""
# # if "", it uses the cert bundle from the main unbound config.
# dnstap-tls-cert-bundle: ""
# # key file for client authentication, or "" disabled.
# dnstap-tls-client-key-file: ""
# # cert file for client authentication, or "" disabled.
# dnstap-tls-client-cert-file: ""
# dnstap-send-identity: no
# dnstap-send-version: no
# # if "" it uses the hostname.
# dnstap-identity: ""
# # if "" it uses the package version.
# dnstap-version: ""
# dnstap-log-resolver-query-messages: no
# dnstap-log-resolver-response-messages: no
# dnstap-log-client-query-messages: no
# dnstap-log-client-response-messages: no
# dnstap-log-forwarder-query-messages: no
# dnstap-log-forwarder-response-messages: no
# Response Policy Zones
# RPZ policies. Applied in order of configuration. QNAME and Response IP
# Address trigger are the only supported triggers. Supported actions are:

25
unbound.spec
View File

@ -1,8 +1,9 @@
%{?!with_python2: %global with_python2 0}
%{?!with_python3: %global with_python3 1}
%{?!with_munin: %global with_munin 1}
%bcond_with dnstap
%bcond_without dnstap
%bcond_with systemd
%bcond_without doh
%global _hardened_build 1
@ -35,8 +36,8 @@
Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound
Version: 1.10.1
Release: 5%{?extra_version:.%{extra_version}}%{?dist}
Version: 1.12.0
Release: 1%{?extra_version:.%{extra_version}}%{?dist}
License: BSD
Url: https://nlnetlabs.nl/projects/unbound/
Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
@ -59,14 +60,15 @@ Source17: unbound-anchor.service
Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
Source19: http://keys.gnupg.net/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
# https://github.com/NLnetLabs/unbound/issues/220
Patch0: unbound-1.10.0-auth-callback.patch
#Patch0: # No patches
BuildRequires: gcc, make
BuildRequires: flex, openssl-devel
BuildRequires: libevent-devel expat-devel
BuildRequires: pkgconfig
%if 0%{?fedora}
BuildRequires: gnupg2
%endif
%if 0%{with_python2}
BuildRequires: python2-devel swig
%endif
@ -79,6 +81,9 @@ BuildRequires: fstrm-devel protobuf-c-devel
%if %{with systemd}
BuildRequires: systemd-devel
%endif
%if %{with doh}
BuildRequires: libnghttp2-devel
%endif
%if 0%{?fedora} >= 30
BuildRequires: systemd-rpm-macros
%else
@ -159,7 +164,9 @@ Python 3 modules and extensions for unbound
%prep
%{?gpgverify:%gpgverify -k 19 -s 18 -d 0}
%if 0%{?fedora}
%gpgverify -k 19 -s 18 -d 0
%endif
%global pkgname %{name}-%{version}%{?extra_version}
%if 0%{with_python2} && 0%{with_python3}
@ -214,6 +221,9 @@ pushd %{dir_primary}
%endif
%if %{with systemd}
--enable-systemd \
%endif
%if %{with doh}
--with-libnghttp2 \
%endif
%{configure_args}
@ -448,6 +458,9 @@ popd
%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
%changelog
* Tue Oct 13 2020 Petr Menšík <pemensik@redhat.com> - 1.12.0-1
- Update to 1.12.0 (#1860887)
* Tue Sep 15 2020 Petr Menšík <pemensik@redhat.com> - 1.10.1-5
- Move command line tools to utils subpackage