diff --git a/.gitignore b/.gitignore index 1b3e3ab..0142c97 100644 --- a/.gitignore +++ b/.gitignore @@ -42,3 +42,4 @@ unbound-1.4.5.tar.gz /unbound-1.6.3.tar.gz /unbound-1.6.4rc2.tar.gz /unbound-1.6.4.tar.gz +/unbound-1.6.6.tar.gz diff --git a/sources b/sources index 5d44dd7..25b956b 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (unbound-1.6.4.tar.gz) = 1abf50552c97b304884f07372f9fb05f9f30354647cf5299192deac81fa28a41d89d84ee092baef644a6069d0f545d36e7e814c9b8f83f21a7a53572d9a91907 +SHA512 (unbound-1.6.6.tar.gz) = 910fd0956b8828d3db0511a85bf6ab6c4c3982f17c70ccb7123d1de1650d24c2906bc29ac4ea83fd7d95d8af29e2cbc88df666f365e51296f552292ef9753016 diff --git a/unbound.conf b/unbound.conf index 695a1bc..8a74aec 100644 --- a/unbound.conf +++ b/unbound.conf @@ -134,7 +134,7 @@ server: # ip-freebind: no # EDNS reassembly buffer to advertise to UDP peers (the actual buffer - # is set with msg-buffer-size). 1480 can solve fragmentation (timeouts). + # is set with msg-buffer-size). 1472 can solve fragmentation (timeouts). # edns-buffer-size: 4096 # Maximum UDP response size (not applied to TCP response). @@ -587,6 +587,8 @@ server: # local-zone: "127.in-addr.arpa." nodefault # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault # local-zone: "onion." nodefault + # local-zone: "test." nodefault + # local-zone: "invalid." nodefault # local-zone: "10.in-addr.arpa." nodefault # local-zone: "16.172.in-addr.arpa." nodefault # local-zone: "17.172.in-addr.arpa." nodefault 
@@ -641,7 +643,7 @@ server: # o redirect serves the zone data for any subdomain in the zone. # o nodefault can be used to normally resolve AS112 zones. # o typetransparent resolves normally for other types and other names - # o inform resolves normally, but logs client IP address + # o inform acts like transparent, but logs client IP address # o inform_deny drops queries and logs client IP address # o always_transparent, always_refuse, always_nxdomain, resolve in # that way but ignore local data for that name. 
@@ -727,13 +729,35 @@ server: # 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through # ip-ratelimit-factor: 10 - # IPsec module for Opportunistic IPsec - # Libreswan will enable this via unbound-control - #ipsecmod-enabled:yes - #ipsecmod-hook:/usr/libexec/ipsec/unbound-hook.py - #ipsecmod-ignore-bogus:no - #ipsecmod-max-ttl:3600 - #ipsecmod-whitelist:libreswan.org + # Specific options for ipsecmod. unbound needs to be configured with + # --enable-ipsecmod for these to take effect. + # + # Enable or disable ipsecmod (it still needs to be defined in + # module-config above). Can be used when ipsecmod needs to be + # enabled/disabled via remote-control(below). + # Fedora: module will be enabled on-demand by libreswan + ipsecmod-enabled: no + + # Path to executable external hook. It must be defined when ipsecmod is + # listed in module-config (above). + # ipsecmod-hook: "./my_executable" + ipsecmod-hook:/usr/libexec/ipsec/unbound-hook.py + + # When enabled unbound will reply with SERVFAIL if the return value of + # the ipsecmod-hook is not 0. + # ipsecmod-strict: no + # + # Maximum time to live (TTL) for cached A/AAAA records with IPSECKEY. + # ipsecmod-max-ttl: 3600 + # + # Reply with A/AAAA even if the relevant IPSECKEY is bogus. Mainly used for + # testing. + # ipsecmod-ignore-bogus: no + # + # Domains for which ipsecmod will be triggered. If not defined (default) + # all domains are treated as being whitelisted. + # ipsecmod-whitelist: "libreswan.org" + # ipsecmod-whitelist: "nlnetlabs.nl" # Python config section. To enable: # o use --with-pythonmodule to configure before compiling. @@ -790,6 +814,7 @@ include: /etc/unbound/conf.d/*.conf # stub-addr: 192.0.2.68 # stub-prime: no # stub-first: no +# stub-ssl-upstream: no # stub-zone: # name: "example.org" # stub-host: ns.example.com. 
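Review bot: `ipsecmod-hook:/usr/libexec/ipsec/unbound-hook.py` becomes an active setting naming an executable that unbound will run (presumably as the unbound service user), but the surrounding comment says nothing about who must own that path or what happens when it is absent or writable by that user; add `# must be root-owned and not writable by the unbound user; if chroot is set it has to resolve inside the chroot`. The hunk also documents `ipsecmod-strict: no` as the default right after stating that strict mode is what turns a non-zero hook exit into SERVFAIL, so a failing hook otherwise lets the plain A/AAAA answer through — worth a line such as `# default is fail-open: a broken hook does not block the answer; set yes if IPsec is relied on` next to it. Style: every other key in the block is written `key: value`, so `ipsecmod-hook: /usr/libexec/ipsec/unbound-hook.py` would match. Whether 1.6.6 still validates the hook path at startup when ipsecmod is not listed in module-config (the behaviour the dropped startup-check patch addressed) is not visible from this hunk.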
@@ -809,6 +834,7 @@ include: /etc/unbound/conf.d/*.conf # forward-addr: 192.0.2.68 # forward-addr: 192.0.2.73@5355 # forward to port 5355. # forward-first: no +# forward-ssl-upstream: no # forward-zone: # name: "example.org" # forward-host: fwd.example.com @@ -856,3 +882,13 @@ include: /etc/unbound/conf.d/*.conf # dnscrypt-secret-key: /path/unbound-conf/keys2/1.key # dnscrypt-provider-cert: /path/unbound-conf/keys1/1.cert # dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert + +# CacheDB +# Enable external backend DB as auxiliary cache. Specify the backend name +# (default is "testframe", which has no use other than for debugging and +# testing) and backend-specific options. The 'cachedb' module must be +# included in module-config. +# cachedb: +# backend: "testframe" +# # secret seed string to calculate hashed keys +# secret-seed: "default" diff --git a/unbound.spec b/unbound.spec index 89f458c..75ae339 100644 --- a/unbound.spec +++ b/unbound.spec @@ -20,8 +20,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.6.4 -Release: 4%{?extra_version:.%{extra_version}}%{?dist} +Version: 1.6.6 +Release: 1%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://www.unbound.net/ Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz @@ -43,8 +43,6 @@ Source15: unbound-anchor.timer Source16: unbound-munin.README Source17: unbound-anchor.service -Patch1: unbound-1.6.4-ipsechook-check.patch - Group: System Environment/Daemons BuildRequires: flex, openssl-devel BuildRequires: libevent-devel expat-devel @@ -137,9 +135,6 @@ Python 3 modules and extensions for unbound %prep %{?extra_version:%global pkgname %{name}-%{version}%{extra_version}}%{!?extra_version:%global pkgname %{name}-%{version}} %setup -qcn %{pkgname} -pushd %{pkgname} -%patch1 -p1 -popd %if 0%{with_python} mv %{pkgname} %{pkgname}_python2 
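Review bot: The new cachedb example shows `secret-seed: "default"` with only "secret seed string to calculate hashed keys" as explanation, so a reader copying the block into a live config presumably ends up with cache keys that anyone who knows the default value can compute, which matters as soon as the backend is shared or reachable by other parties. Extend the comment to `# secret seed string to calculate hashed keys; change "default" to a long random value in any real deployment`. Whether the seed also guards the stored records against tampering is not stated in the hunk and should be left open rather than claimed.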
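Review bot: The `Patch1: unbound-1.6.4-ipsechook-check.patch` line is dropped (together with its `%patch1` application further down), yet this diff carries no deletion of the patch file itself — it would have sorted between `sources` and `unbound.conf` — so the file appears to remain orphaned in the repository unless it is removed in a separate commit. The changelog ties rhbz#1465575 to a config edit rather than to an upstream fix, so nothing in the spec records why the startup-check patch is no longer needed; a one-line changelog entry such as `- Drop ipsechook-check patch: hook path is now set in unbound.conf` would document that. Consider `git rm unbound-1.6.4-ipsechook-check.patch` in the same commit so the spec and the tree stay consistent.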
@@ -444,6 +439,10 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Fri Sep 22 2017 Paul Wouters - 1.6.6-1 +- Resolves: rhbz#1483572 unbound-1.6.6 is available +- Resolves: rhbz#1465575 unbound fails to start up, complains about missing ipsecmod-hook (edit) + * Wed Aug 16 2017 Paul Wouters - 1.6.4-4 - Rebuilt with KSK2017 added to root.key and root.anchor - Remove noreplace for root key files. We can only improve these files over local copies