* Fri Sep 22 2017 Paul Wouters <pwouters@redhat.com> - 1.6.6-1

- Resolves: rhbz#1483572 unbound-1.6.6 is available
- Resolves: rhbz#1465575 unbound fails to start up, complains about missing ipsecmod-hook (edit)
Paul Wouters 2017-09-22 12:46:45 -04:00
parent 8906a869c6
commit 115c5666a2
4 changed files with 53 additions and 17 deletions

1
.gitignore vendored
View File

@ -42,3 +42,4 @@ unbound-1.4.5.tar.gz
/unbound-1.6.3.tar.gz
/unbound-1.6.4rc2.tar.gz
/unbound-1.6.4.tar.gz
/unbound-1.6.6.tar.gz

View File

@ -1 +1 @@
SHA512 (unbound-1.6.4.tar.gz) = 1abf50552c97b304884f07372f9fb05f9f30354647cf5299192deac81fa28a41d89d84ee092baef644a6069d0f545d36e7e814c9b8f83f21a7a53572d9a91907
SHA512 (unbound-1.6.6.tar.gz) = 910fd0956b8828d3db0511a85bf6ab6c4c3982f17c70ccb7123d1de1650d24c2906bc29ac4ea83fd7d95d8af29e2cbc88df666f365e51296f552292ef9753016
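
Review bot: the new SHA512 line for unbound-1.6.6.tar.gz is the only integrity reference this commit gives for the new tarball, and nothing here records what it was checked against. Please confirm the digest was computed from a tarball verified against upstream's published signature or checksum, and note that in the commit message.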

View File

@ -134,7 +134,7 @@ server:
# ip-freebind: no
# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
# is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
# is set with msg-buffer-size). 1472 can solve fragmentation (timeouts).
# edns-buffer-size: 4096
# Maximum UDP response size (not applied to TCP response).
@ -587,6 +587,8 @@ server:
# local-zone: "127.in-addr.arpa." nodefault
# local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
# local-zone: "onion." nodefault
# local-zone: "test." nodefault
# local-zone: "invalid." nodefault
# local-zone: "10.in-addr.arpa." nodefault
# local-zone: "16.172.in-addr.arpa." nodefault
# local-zone: "17.172.in-addr.arpa." nodefault
@ -641,7 +643,7 @@ server:
# o redirect serves the zone data for any subdomain in the zone.
# o nodefault can be used to normally resolve AS112 zones.
# o typetransparent resolves normally for other types and other names
# o inform resolves normally, but logs client IP address
# o inform acts like transparent, but logs client IP address
# o inform_deny drops queries and logs client IP address
# o always_transparent, always_refuse, always_nxdomain, resolve in
# that way but ignore local data for that name.
@ -727,13 +729,35 @@ server:
# 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through
# ip-ratelimit-factor: 10
# IPsec module for Opportunistic IPsec
# Libreswan will enable this via unbound-control
#ipsecmod-enabled:yes
#ipsecmod-hook:/usr/libexec/ipsec/unbound-hook.py
#ipsecmod-ignore-bogus:no
#ipsecmod-max-ttl:3600
#ipsecmod-whitelist:libreswan.org
# Specific options for ipsecmod. unbound needs to be configured with
# --enable-ipsecmod for these to take effect.
#
# Enable or disable ipsecmod (it still needs to be defined in
# module-config above). Can be used when ipsecmod needs to be
# enabled/disabled via remote-control(below).
# Fedora: module will be enabled on-demand by libreswan
ipsecmod-enabled: no
# Path to executable external hook. It must be defined when ipsecmod is
# listed in module-config (above).
# ipsecmod-hook: "./my_executable"
ipsecmod-hook:/usr/libexec/ipsec/unbound-hook.py
# When enabled unbound will reply with SERVFAIL if the return value of
# the ipsecmod-hook is not 0.
# ipsecmod-strict: no
#
# Maximum time to live (TTL) for cached A/AAAA records with IPSECKEY.
# ipsecmod-max-ttl: 3600
#
# Reply with A/AAAA even if the relevant IPSECKEY is bogus. Mainly used for
# testing.
# ipsecmod-ignore-bogus: no
#
# Domains for which ipsecmod will be triggered. If not defined (default)
# all domains are treated as being whitelisted.
# ipsecmod-whitelist: "libreswan.org"
# ipsecmod-whitelist: "nlnetlabs.nl"
# Python config section. To enable:
# o use --with-pythonmodule to configure before compiling.
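
Review bot: the now-active line `ipsecmod-hook:/usr/libexec/ipsec/unbound-hook.py` makes the default config name an external executable that, going by the "Libreswan will enable this" and "Fedora: module will be enabled on-demand by libreswan" comments, belongs to another package, and nothing visible in this commit states what happens when that file is absent. Since the bug being resolved is a startup failure about a missing ipsecmod-hook, please say in the comment block whether unbound only needs the option defined or also needs the file to exist while `ipsecmod-enabled: no`, and that the hook must be root-owned and not writable by the unbound user. Also add the space after the colon and quote the path so it matches `ipsecmod-enabled: no` and the sample `# ipsecmod-hook: "./my_executable"` two lines above it.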
@ -790,6 +814,7 @@ include: /etc/unbound/conf.d/*.conf
# stub-addr: 192.0.2.68
# stub-prime: no
# stub-first: no
# stub-ssl-upstream: no
# stub-zone:
# name: "example.org"
# stub-host: ns.example.com.
@ -809,6 +834,7 @@ include: /etc/unbound/conf.d/*.conf
# forward-addr: 192.0.2.68
# forward-addr: 192.0.2.73@5355 # forward to port 5355.
# forward-first: no
# forward-ssl-upstream: no
# forward-zone:
# name: "example.org"
# forward-host: fwd.example.com
@ -856,3 +882,13 @@ include: /etc/unbound/conf.d/*.conf
# dnscrypt-secret-key: /path/unbound-conf/keys2/1.key
# dnscrypt-provider-cert: /path/unbound-conf/keys1/1.cert
# dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert
# CacheDB
# Enable external backend DB as auxiliary cache. Specify the backend name
# (default is "testframe", which has no use other than for debugging and
# testing) and backend-specific options. The 'cachedb' module must be
# included in module-config.
# cachedb:
# backend: "testframe"
# # secret seed string to calculate hashed keys
# secret-seed: "default"
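
Review bot: the sample `# secret-seed: "default"` sits under a comment that calls it a secret seed for hashed keys, but nothing tells the admin to change it. A one-line note that the value should be replaced before cachedb is used with a real backend would keep people from uncommenting the block as-is.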

View File

@ -20,8 +20,8 @@
Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound
Version: 1.6.4
Release: 4%{?extra_version:.%{extra_version}}%{?dist}
Version: 1.6.6
Release: 1%{?extra_version:.%{extra_version}}%{?dist}
License: BSD
Url: https://www.unbound.net/
Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
@ -43,8 +43,6 @@ Source15: unbound-anchor.timer
Source16: unbound-munin.README
Source17: unbound-anchor.service
Patch1: unbound-1.6.4-ipsechook-check.patch
Group: System Environment/Daemons
BuildRequires: flex, openssl-devel
BuildRequires: libevent-devel expat-devel
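
Review bot: `Patch1: unbound-1.6.4-ipsechook-check.patch` is dropped here and `%patch1 -p1` in %prep, but the commit lists only 4 changed files and none of the file diffs shown removes the patch file itself, so it looks orphaned in the repository. Please `git rm` it in the same commit, and state in the changelog that the check it carried is included in 1.6.6 so the reason for dropping it is on record.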
@ -137,9 +135,6 @@ Python 3 modules and extensions for unbound
%prep
%{?extra_version:%global pkgname %{name}-%{version}%{extra_version}}%{!?extra_version:%global pkgname %{name}-%{version}}
%setup -qcn %{pkgname}
pushd %{pkgname}
%patch1 -p1
popd
%if 0%{with_python}
mv %{pkgname} %{pkgname}_python2
@ -444,6 +439,10 @@ popd
%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
%changelog
* Fri Sep 22 2017 Paul Wouters <pwouters@redhat.com> - 1.6.6-1
- Resolves: rhbz#1483572 unbound-1.6.6 is available
- Resolves: rhbz#1465575 unbound fails to start up, complains about missing ipsecmod-hook (edit)
* Wed Aug 16 2017 Paul Wouters <pwouters@redhat.com> - 1.6.4-4
- Rebuilt with KSK2017 added to root.key and root.anchor
- Remove noreplace for root key files. We can only improve these files over local copies
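
Review bot: the second new changelog line ends in "(edit)", which reads like text copied along with the Bugzilla title rather than part of the bug summary. Drop it from the %changelog entry so the line reads `- Resolves: rhbz#1465575 unbound fails to start up, complains about missing ipsecmod-hook`.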