From 087959bbbcfba695bfbc8be21512b53ab7843c3c Mon Sep 17 00:00:00 2001
From: DistroBaker
Date: Thu, 10 Dec 2020 01:48:09 +0100
Subject: [PATCH] Merged update from upstream sources

This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/unbound.git#b29f943a4c335573eadbb8511cc76b34bd450b18
---
 .gitignore | 2 +
 sources | 4 +-
 unbound-1.10.0-auth-callback.patch | 74 ------------------
 unbound.conf | 119 ++++++++++++++++++++++++-----
 unbound.spec | 25 ++++--
 5 files changed, 123 insertions(+), 101 deletions(-)
 delete mode 100644 unbound-1.10.0-auth-callback.patch

diff --git a/.gitignore b/.gitignore
index 68c7ed8..ff034dd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -59,3 +59,5 @@ unbound-1.4.5.tar.gz
 /unbound-1.10.0.tar.gz.asc
 /unbound-1.10.1.tar.gz
 /unbound-1.10.1.tar.gz.asc
+/unbound-1.12.0.tar.gz
+/unbound-1.12.0.tar.gz.asc
diff --git a/sources b/sources
index 5a8f28c..8c72027 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (unbound-1.10.1.tar.gz) = d07f3ac0e751c17a3ff7d99518c22529cf6856861218564a2ca073422905525cb9ddaf76c9600187946fadb7324343bcd85c34ff06bd322e0ea621a2d258bb85
-SHA512 (unbound-1.10.1.tar.gz.asc) = 95d32b4ebfac501a1ae481c9211a88f7ad115e51a470794c6273bea7fedff62cef71445a4110b686938657b9450502bd5d47935e4552d3a9fc740b1348d6d991
+SHA512 (unbound-1.12.0.tar.gz) = 90d99bc65e9ba62e50a7809dbf1e98889d0fc9fd50cf3cc99b726c67bcaeda0c2bc176d09f84771adb9796833b595591462f96e949d6969a47d6898d8fae3479
+SHA512 (unbound-1.12.0.tar.gz.asc) = b9db74bde4cd2ecbd9ba04468716135f4a45b437f17e92564f0e595e5e3462e955808aa1f0dea17a9a6fd1403c32e4eff7815f22e630229db10f50080c9a85a3
diff --git a/unbound-1.10.0-auth-callback.patch b/unbound-1.10.0-auth-callback.patch
deleted file mode 100644
index c4d01b8..0000000
--- a/unbound-1.10.0-auth-callback.patch
+++ /dev/null
@@ -1,74 +0,0 @@
---- a/services/authzone.c 2020-04-16 13:01:10.550618034 +0200
-+++ b/services/authzone.c 2020-04-16 13:07:04.624476160 +0200
-@@ -5331,7 +5331,7 @@
- log_assert(xfr->task_transfer);
- lock_basic_lock(&xfr->lock);
- env = xfr->task_transfer->env;
-- if(env->outnet->want_to_quit) {
-+ if(!env || env->outnet->want_to_quit) {
- lock_basic_unlock(&xfr->lock);
- return; /* stop on quit */
- }
-@@ -5770,7 +5770,7 @@
- log_assert(xfr->task_transfer);
- lock_basic_lock(&xfr->lock);
- env = xfr->task_transfer->env;
-- if(env->outnet->want_to_quit) {
-+ if(!env || env->outnet->want_to_quit) {
- lock_basic_unlock(&xfr->lock);
- return; /* stop on quit */
- }
-@@ -5812,7 +5812,7 @@
- log_assert(xfr->task_transfer);
- lock_basic_lock(&xfr->lock);
- env = xfr->task_transfer->env;
-- if(env->outnet->want_to_quit) {
-+ if(!env || env->outnet->want_to_quit) {
- lock_basic_unlock(&xfr->lock);
- return 0; /* stop on quit */
- }
-@@ -5893,7 +5893,7 @@
- log_assert(xfr->task_transfer);
- lock_basic_lock(&xfr->lock);
- env = xfr->task_transfer->env;
-- if(env->outnet->want_to_quit) {
-+ if(!env || env->outnet->want_to_quit) {
- lock_basic_unlock(&xfr->lock);
- return 0; /* stop on quit */
- }
-@@ -6107,7 +6107,7 @@
- log_assert(xfr->task_probe);
- lock_basic_lock(&xfr->lock);
- env = xfr->task_probe->env;
-- if(env->outnet->want_to_quit) {
-+ if(!env || env->outnet->want_to_quit) {
- lock_basic_unlock(&xfr->lock);
- return; /* stop on quit */
- }
-@@ -6143,7 +6143,7 @@
- log_assert(xfr->task_probe);
- lock_basic_lock(&xfr->lock);
- env = xfr->task_probe->env;
-- if(env->outnet->want_to_quit) {
-+ if(!env || env->outnet->want_to_quit) {
- lock_basic_unlock(&xfr->lock);
- return 0; /* stop on quit */
- }
-@@ -6388,7 +6388,7 @@
- log_assert(xfr->task_probe);
- lock_basic_lock(&xfr->lock);
- env = xfr->task_probe->env;
-- if(env->outnet->want_to_quit) {
-+ if(!env || env->outnet->want_to_quit) {
- lock_basic_unlock(&xfr->lock);
- return; /* stop on quit */
- }
-@@ -6465,7 
+6465,7 @@ - log_assert(xfr->task_nextprobe); - lock_basic_lock(&xfr->lock); - env = xfr->task_nextprobe->env; -- if(env->outnet->want_to_quit) { -+ if(!env || env->outnet->want_to_quit) { - lock_basic_unlock(&xfr->lock); - return; /* stop on quit */ - } diff --git a/unbound.conf b/unbound.conf index b130f9b..dfbd635 100644 --- a/unbound.conf +++ b/unbound.conf @@ -5,9 +5,13 @@ # # this is a comment. -#Use this to include other text into the file. +# Use this anywhere in the file to include other text into this file. #include: "otherfile.conf" +# Use this anywhere in the file to include other text, that explicitly starts a +# clause, into this file. Text after this directive needs to start a clause. +#include-toplevel: "otherfile.conf" + # The server clause sets the main parameters. server: # whitespace is not necessary, but looks cleaner. @@ -86,6 +90,9 @@ server: # Set this to yes to prefer ipv6 upstream servers over ipv4. # prefer-ip6: no + # Prefer ipv4 upstream servers, even if ipv6 is available. + # prefer-ip4: no + # number of ports to allocate per thread, determines the size of the # port range that can be open simultaneously. About double the # num-queries-per-thread, or, use as many as the OS will allow you. @@ -135,9 +142,14 @@ server: # Linux only. On Linux you also have ip-transparent that is similar. # ip-freebind: no + # the value of the Differentiated Services Codepoint (DSCP) + # in the differentiated services field (DS) of the outgoing + # IP packets + # ip-dscp: 0 + # EDNS reassembly buffer to advertise to UDP peers (the actual buffer # is set with msg-buffer-size). 1472 can solve fragmentation (timeouts) - # edns-buffer-size: 4096 + # edns-buffer-size: 1232 # Maximum UDP response size (not applied to TCP response). # Suggested values are 512 to 4096. Default is 4096. 65536 disables it. 
@@ -444,8 +456,8 @@ server: # Domains (and domains in them) without support for dns-0x20 and # the fallback fails because they keep sending different answers. - # caps-whitelist: "licdn.com" - # caps-whitelist: "senderbase.org" + # caps-exempt: "licdn.com" + # caps-exempt: "senderbase.org" # Enforce privacy of these addresses. Strips them away from answers. # It may cause DNSSEC validation to additionally mark it as bogus. @@ -522,11 +534,6 @@ server: # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel) root-key-sentinel: yes - # File with DLV trusted keys. Same format as trust-anchor-file. - # There can be only one DLV configured, it is trusted from root down. - # DLV is going to be decommissioned. Please do not use it any more. - # dlv-anchor-file: "dlv.isc.org.key" - # File with trusted keys for validation. Specify more than one file # with several entries, one file per entry. # Zone file format, with DS and DNSKEY entries. @@ -587,8 +594,8 @@ server: # that set CD but cannot validate themselves. # ignore-cd-flag: no - # Serve expired responses from cache, with TTL 0 in the response, - # and then attempt to fetch the data afresh. + # Serve expired responses from cache, with serve-expired-reply-ttl in + # the response, and then attempt to fetch the data afresh. serve-expired: yes # # Limit serving of expired responses to configured seconds after @@ -606,7 +613,7 @@ server: # # Time in milliseconds before replying to the client with expired data. # This essentially enables the serve-stale behavior as specified in - # draft-ietf-dnsop-serve-stale-10 that first tries to resolve before + # RFC 8767 that first tries to resolve before # immediately responding with expired data. 0 disables this behavior. # A recommended value is 1800. # serve-expired-client-timeout: 0 
@@ -644,7 +651,7 @@ server: # more slabs reduce lock contention, but fragment memory usage. # key-cache-slabs: 4 - # the amount of memory to use for the negative cache (used for DLV). + # the amount of memory to use for the negative cache. # plain value in bytes or you can append k, m or G. default is "1Mb". # neg-cache-size: 1m @@ -757,18 +764,24 @@ server: # add a netblock specific override to a localzone, with zone type # local-zone-override: "example.com" 192.0.2.0/24 refuse - # service clients over TLS (on the TCP sockets), with plain DNS inside - # the TLS stream. Give the certificate to use and private key. + # service clients over TLS (on the TCP sockets) with plain DNS inside + # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. + # Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. # tls-service-key: "/etc/unbound/unbound_server.key" # tls-service-pem: "/etc/unbound/unbound_server.pem" # tls-port: 853 + # https-port: 443 # cipher setting for TLSv1.2 # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" # cipher setting for TLSv1.3 # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" + # Use the SNI extension for TLS connections. Default is yes. + # Changing the value requires a reload. + # tls-use-sni: yes + # Add the secret file for TLS Session Ticket. # Secret file must be 80 bytes of random data. # First key use to encrypt and decrypt TLS session tickets. 
@@ -790,6 +803,38 @@ server: # Also serve tls on these port numbers (eg. 443, ...), by listing # tls-additional-port: portno for each of the port numbers. + # HTTP endpoint to provide DNS-over-HTTPS service on. + # http-endpoint: "/dns-query" + + # HTTP/2 SETTINGS_MAX_CONCURRENT_STREAMS value to use. + # http-max-streams: 100 + + # Maximum number of bytes used for all HTTP/2 query buffers. + # http-query-buffer-size: 4m + + # Maximum number of bytes used for all HTTP/2 response buffers. + # http-response-buffer-size: 4m + + # Set TCP_NODELAY socket option on sockets used for DNS-over-HTTPS + # service. + # http-nodelay: yes + + # HTTP endpoint to provide DNS-over-HTTPS service on. + # http-endpoint: "/dns-query" + + # HTTP/2 SETTINGS_MAX_CONCURRENT_STREAMS value to use. + # http-max-streams: 100 + + # Maximum number of bytes used for all HTTP/2 query buffers. + # http-query-buffer-size: 4m + + # Maximum number of bytes used for all HTTP/2 response buffers. + # http-response-buffer-size: 4m + + # Set TCP_NODELAY socket option on sockets used for DNS-over-HTTPS + # service. + # http-nodelay: yes + # DNS64 prefix. Must be specified when DNS64 is use. # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4. # dns64-prefix: 64:ff9b::0/96 @@ -865,9 +910,9 @@ server: # ipsecmod-ignore-bogus: no # # Domains for which ipsecmod will be triggered. If not defined (default) - # all domains are treated as being whitelisted. - # ipsecmod-whitelist: "libreswan.org" - # ipsecmod-whitelist: "nlnetlabs.nl" + # all domains are treated as being allowed. + # ipsecmod-allow: "example.com" + # ipsecmod-allow: "nlnetlabs.nl" # Python config section. To enable: # o use --with-pythonmodule to configure before compiling. 
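Review bot: The DNS-over-HTTPS option block in the `@@ -790,6 +803,38 @@` hunk is duplicated: the lines from `# HTTP endpoint to provide DNS-over-HTTPS service on.` through `# http-nodelay: yes` appear twice verbatim, and the +38 line count only adds up because of the second copy. Every line is commented out, so the daemon ignores the repetition, but an administrator who uncomments `http-endpoint` or `http-max-streams` in one copy and later finds the other has no way to tell from the file which value is in effect. Keep a single copy of the five settings (`http-endpoint`, `http-max-streams`, `http-query-buffer-size`, `http-response-buffer-size`, `http-nodelay`), ideally next to the `# https-port: 443` example added in the `@@ -757,18 +764,24 @@` hunk, and delete the second block here.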
@@ -1056,10 +1101,12 @@ auth-zone: # redis-server-port: 6379 # # timeout (in ms) for communication with the redis server # redis-timeout: 100 +# # set timeout on redis records based on DNS response TTL +# redis-expire-records: no # IPSet # Add specify domain into set via ipset. -# Note: To enable ipset needs run unbound as root user. +# Note: To enable ipset unbound needs run as root user. # ipset: # # set name for ip v4 addresses # name-v4: "list-v4" 
@@ -1067,6 +1114,40 @@ auth-zone: # name-v6: "list-v6" # +# Dnstap logging support, if compiled in. To enable, set the dnstap-enable +# to yes and also some of dnstap-log-..-messages to yes. And select an +# upstream log destination, by socket path, TCP or TLS destination. +# dnstap: +# dnstap-enable: no +# # if set to yes frame streams will be used in bidirectional mode +# dnstap-bidirectional: yes +# dnstap-socket-path: "" +# # if "" use the unix socket in dnstap-socket-path, otherwise, +# # set it to "IPaddress[@port]" of the destination. +# dnstap-ip: "" +# # if set to yes if you want to use TLS to dnstap-ip, no for TCP. +# dnstap-tls: yes +# # name for authenticating the upstream server. or "" disabled. +# dnstap-tls-server-name: "" +# # if "", it uses the cert bundle from the main unbound config. +# dnstap-tls-cert-bundle: "" +# # key file for client authentication, or "" disabled. +# dnstap-tls-client-key-file: "" +# # cert file for client authentication, or "" disabled. +# dnstap-tls-client-cert-file: "" +# dnstap-send-identity: no +# dnstap-send-version: no +# # if "" it uses the hostname. +# dnstap-identity: "" +# # if "" it uses the package version. +# dnstap-version: "" +# dnstap-log-resolver-query-messages: no +# dnstap-log-resolver-response-messages: no +# dnstap-log-client-query-messages: no +# dnstap-log-client-response-messages: no +# dnstap-log-forwarder-query-messages: no +# dnstap-log-forwarder-response-messages: no + # Response Policy Zones # RPZ policies. Applied in order of configuration. QNAME and Response IP # Address trigger are the only supported triggers. Supported actions are: diff --git a/unbound.spec b/unbound.spec index 606f361..8bed946 100644 --- a/unbound.spec +++ b/unbound.spec @@ -1,8 +1,9 @@ %{?!with_python2: %global with_python2 0} %{?!with_python3: %global with_python3 1} %{?!with_munin: %global with_munin 1} -%bcond_with dnstap +%bcond_without dnstap %bcond_with systemd +%bcond_without doh %global _hardened_build 1 
@@ -35,8 +36,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.10.1 -Release: 5%{?extra_version:.%{extra_version}}%{?dist} +Version: 1.12.0 +Release: 1%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -59,14 +60,15 @@ Source17: unbound-anchor.service Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc Source19: http://keys.gnupg.net/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key -# https://github.com/NLnetLabs/unbound/issues/220 -Patch0: unbound-1.10.0-auth-callback.patch +#Patch0: # No patches BuildRequires: gcc, make BuildRequires: flex, openssl-devel BuildRequires: libevent-devel expat-devel BuildRequires: pkgconfig +%if 0%{?fedora} BuildRequires: gnupg2 +%endif %if 0%{with_python2} BuildRequires: python2-devel swig %endif @@ -79,6 +81,9 @@ BuildRequires: fstrm-devel protobuf-c-devel %if %{with systemd} BuildRequires: systemd-devel %endif +%if %{with doh} +BuildRequires: libnghttp2-devel +%endif %if 0%{?fedora} >= 30 BuildRequires: systemd-rpm-macros %else @@ -159,7 +164,9 @@ Python 3 modules and extensions for unbound %prep -%{?gpgverify:%gpgverify -k 19 -s 18 -d 0} +%if 0%{?fedora} +%gpgverify -k 19 -s 18 -d 0 +%endif %global pkgname %{name}-%{version}%{?extra_version} %if 0%{with_python2} && 0%{with_python3} @@ -214,6 +221,9 @@ pushd %{dir_primary} %endif %if %{with systemd} --enable-systemd \ +%endif +%if %{with doh} + --with-libnghttp2 \ %endif %{configure_args} @@ -448,6 +458,9 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Tue Oct 13 2020 Petr Menšík - 1.12.0-1 +- Update to 1.12.0 (#1860887) + * Tue Sep 15 2020 Petr Menšík - 1.10.1-5 - Move command line tools to utils subpackage
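Review bot: In the `@@ -159,7 +164,9 @@` hunk the tarball signature check becomes `%if 0%{?fedora}` / `%gpgverify -k 19 -s 18 -d 0` / `%endif`, so on any build where the `fedora` macro is unset (EPEL, RHEL, a local rebuild) the upstream tarball is no longer verified against the packaged key at all and the SHA512 line in `sources` is the only integrity check left; the replaced form `%{?gpgverify:%gpgverify -k 19 -s 18 -d 0}` ran wherever the macro was defined. The same distribution gate is put around `BuildRequires: gnupg2` in the `@@ -59,14 +60,15 @@` hunk. If the intent is only to tolerate targets that lack the macro, keep the macro-presence test, `%{?gpgverify:%gpgverify -k 19 -s 18 -d 0}`, and condition the `gnupg2` BuildRequires on the same thing; if some target genuinely cannot run the check, a comment next to the `%if` naming that target would document why source verification is skipped there.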