- Resolves: rhbz#1992985 unbound-1.13.2 is available

- Use system-wide crypto policies
This commit is contained in:
Paul Wouters 2021-08-12 17:58:22 -04:00
parent d747677049
commit 0ce96eb790
No known key found for this signature in database
GPG Key ID: DB48D2E5122468BF
4 changed files with 73 additions and 39 deletions

2
.gitignore vendored
View File

@ -65,3 +65,5 @@ unbound-1.4.5.tar.gz
/unbound-1.13.0.tar.gz.asc
/unbound-1.13.1.tar.gz
/unbound-1.13.1.tar.gz.asc
/unbound-1.13.2.tar.gz
/unbound-1.13.2.tar.gz.asc

View File

@ -1,2 +1,2 @@
SHA512 (unbound-1.13.1.tar.gz) = f4d26dca28dbcc33a5e65a55147fa01077c331292e88b6a87798cb6c3d4edb0515015d131fd893c92b74d22d9998a640f0adce404e6192d61ebe69a6a599287c
SHA512 (unbound-1.13.1.tar.gz.asc) = a4a943841c4db14b2d236b4b80ac80129148c42f7b3d82246b0e0150c1e3e3e294863d5c72d1ac41c2164126d1d10f9044554f97aa6d94019acb41b5f7ed7d34
SHA512 (unbound-1.13.2.tar.gz) = 1e89441446e7a25c6a49bded645f8b348c1758c3be54e3a986041cb1f00c45d152fd469dc52666fb820574db9d51b16f1627dc8afcb9519508d4833ca358191a
SHA512 (unbound-1.13.2.tar.gz.asc) = b905f5f981361131e7a8d3403df632603304778bd7d4fffba8d113c4246d8133f26903a5af53d21b979b652cbae8f6e92620d3a262d8b2837ab8c2a5712650ee

View File

@ -393,18 +393,28 @@ server:
# enable to not answer version.server and version.bind queries.
# hide-version: no
# NSID identity (hex string, or "ascii_somestring"). default disabled.
# nsid: "aabbccdd"
# enable to not set the User-Agent HTTP header.
# hide-http-user-agent: no
# enable to not answer trustanchor.unbound queries.
# hide-trustanchor: no
# enable to not set the User-Agent HTTP header.
# hide-http-user-agent: no
# the identity to report. Leave "" or default to return hostname.
# identity: ""
# the version to report. Leave "" or default to return package version.
# version: ""
# NSID identity (hex string, or "ascii_somestring"). default disabled.
# nsid: "aabbccdd"
# User-Agent HTTP header to use. Leave "" or default to use package name
# and version.
# http-user-agent: ""
# the target fetch policy.
# series of integers describing the policy per dependency depth.
# The number of values in the list determines the maximum dependency
@ -584,6 +594,10 @@ server:
# val-sig-skew-min: 3600
# val-sig-skew-max: 86400
# The maximum number the validator should restart validation with
# another authority in case of failed validation.
# val-max-restart: 5
# Should additional section of secure message also be kept clean of
# unsecure data. Useful to shield the users of this validator from
# potential bogus data in the additional section. All unsigned data
@ -616,7 +630,7 @@ server:
# that the expired records will be served as long as there are queries
# for it.
# serve-expired-ttl-reset: no
#
# TTL value to use when replying with expired data.
# serve-expired-reply-ttl: 30
#
@ -642,7 +656,10 @@ server:
# keysize. Keep this table very short, as linear search is done.
# A message with an NSEC3 with larger count is marked insecure.
# List in ascending order the keysize and count values.
# val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
# val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150"
# if enabled, ZONEMD verification failures do not block the zone.
# zonemd-permissive-mode: no
# instruct the auto-trust-anchor-file probing to add anchors after ttl.
# add-holddown: 2592000 # 30 days
@ -795,6 +812,10 @@ server:
# tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
# cipher setting for TLSv1.3
# tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
# Fedora/RHEL: use system-wide crypto policies
tls-ciphers: "PROFILE=SYSTEM"
# TODO: ask system-wide crypto people what to use here
#tls-ciphersuites: "PROFILE=SYSTEM" # does not work
# Pad responses to padded queries received over TLS
# pad-responses: yes
@ -931,6 +952,13 @@ server:
# ipsecmod-allow: "example.com"
# ipsecmod-allow: "nlnetlabs.nl"
# Timeout for REUSE entries in milliseconds.
# tcp-reuse-timeout: 60000
# Max number of queries on a reuse connection.
# max-reuse-tcp-queries: 200
# Timeout in milliseconds for TCP queries to auth servers.
# tcp-auth-query-timeout: 3000
# Python config section. To enable:
# o use --with-pythonmodule to configure before compiling.
# o list python in the module-config string (above) to enable.
@ -941,6 +969,17 @@ python:
# Script file to load
# python-script: "/etc/unbound/ubmodule-tst.py"
# Dynamic library config section. To enable:
# o use --with-dynlibmodule to configure before compiling.
# o list dynlib in the module-config string (above) to enable.
# It can be placed anywhere, the dynlib module is only a very thin wrapper
# to load modules dynamically.
# o and give a dynlib-file to run. If more than one dynlib entry is listed in
# the module-config then you need one dynlib-file per instance.
dynlib:
# Script file to load
# dynlib-file: "/etc/unbound/dynlib.so"
# Remote control config section.
remote-control:
# Enable remote control with unbound-control(8) here.
@ -1036,29 +1075,32 @@ include: /etc/unbound/conf.d/*.conf
# notifies.
auth-zone:
name: "."
primary: 199.9.14.201 # b.root-servers.net
primary: 192.33.4.12 # c.root-servers.net
primary: 199.7.91.13 # d.root-servers.net
primary: 192.5.5.241 # f.root-servers.net
primary: 192.112.36.4 # g.root-servers.net
primary: 193.0.14.129 # k.root-servers.net
primary: 192.0.47.132 # xfr.cjr.dns.icann.org
primary: 192.0.32.132 # xfr.lax.dns.icann.org
primary: 2001:500:200::b # b.root-servers.net
primary: 2001:500:2::c # c.root-servers.net
primary: 2001:500:2d::d # d.root-servers.net
primary: 2001:500:2f::f # f.root-servers.net
primary: 2001:500:12::d0d # g.root-servers.net
primary: 2001:7fd::1 # k.root-servers.net
primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org
fallback-enabled: yes
for-downstream: no
for-upstream: yes
fallback-enabled: yes
master: 199.9.14.201 # b.root-servers.net
master: 192.33.4.12 # c.root-servers.net
master: 199.7.91.13 # d.root-servers.net
master: 192.5.5.241 # f.root-servers.net
master: 192.112.36.4 # g.root-servers.net
master: 193.0.14.129 # k.root-servers.net
master: 192.0.47.132 # xfr.cjr.dns.icann.org
master: 192.0.32.132 # xfr.lax.dns.icann.org
master: 2001:500:200::b # b.root-servers.net
master: 2001:500:2::c # c.root-servers.net
master: 2001:500:2d::d # d.root-servers.net
master: 2001:500:2f::f # f.root-servers.net
master: 2001:500:12::d0d # g.root-servers.net
master: 2001:7fd::1 # k.root-servers.net
master: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
master: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org
# auth-zone:
# name: "example.org"
# for-downstream: yes
# for-upstream: yes
# zonemd-check: no
# zonemd-reject-absence: no
# zonefile: "example.org.zone"
# Views

View File

@ -20,13 +20,6 @@
%if 0%{?rhel}
%global with_munin 0
%if 0%{?with_python2} && 0%{?rhel} <= 6
# needed just for EPEL
%{!?__python2: %global __python2 /usr/bin/python2}
%{!?python2_sitelib: %global python2_sitelib %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")}
%{!?python2_sitearch: %global python2_sitearch %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
%endif
%if 0%{?rhel} <= 7
%global with_python3 0
%else
@ -36,8 +29,8 @@
Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound
Version: 1.13.1
Release: 8%{?extra_version:.%{extra_version}}%{?dist}
Version: 1.13.2
Release: 1%{?extra_version:.%{extra_version}}%{?dist}
License: BSD
Url: https://nlnetlabs.nl/projects/unbound/
Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
@ -61,13 +54,6 @@ Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_vers
# source: https://nlnetlabs.nl/people/
Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
# Backport two fixes:
# https://github.com/NLnetLabs/unbound/commit/e0d426ebb10653a78bf5c4053198f6ac19bfcd3e
# https://github.com/NLnetLabs/unbound/pull/427
# Fix build on Python 3.10 (rhbz#1889726).
Patch1: unbound-python310.patch
# rhbz#1935101 upstream PR https://github.com/NLnetLabs/unbound/pull/415/files
Patch2: unbound-1.13.1-rh1935101.patch
BuildRequires: gcc, make
BuildRequires: flex, openssl-devel
@ -466,6 +452,10 @@ popd
%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
%changelog
* Thu Aug 12 2021 Paul Wouters <paul.wouters@aiven.io> - 1.13.2-1
- Resolves: rhbz#1992985 unbound-1.13.2 is available
- Use system-wide crypto policies
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.13.1-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild