From 1b9764fb5a17826f3befacf23294a4cd649cd504 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Thu, 22 Feb 2018 10:58:45 +0100
Subject: [PATCH] Revert "Improve config formatting"
This reverts commit 3d0bac0df2df8565303e69aef7d4159a39d5cb7d. Uncomment again commented out value and bump version. Comment by Paul Wouters: The value of 3072 was tailored to cause a failure for ANY requries to isc.org, which are used a lot by attackers. Now with 4096, it will fit and the query can be abused again to cause amplification with that popular dns query.
---
 unbound.conf | 2 +-
 unbound.spec | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/unbound.conf b/unbound.conf
index fbec6a9..6de0b3a 100644
--- a/unbound.conf
+++ b/unbound.conf
@@ -141,7 +141,7 @@ server:
 # Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
 # 3072 causes +dnssec any isc.org queries to need TC=1.
 # Helps mitigating DDOS
- # max-udp-size: 3072
+ max-udp-size: 3072
 # buffer size for handling DNS data. No messages larger than this
 # size can be sent or received, by UDP or TCP. In bytes.
diff --git a/unbound.spec b/unbound.spec
index 4fa08cb..091883d 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -21,7 +21,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.6.8
-Release: 5%{?extra_version:.%{extra_version}}%{?dist}
+Release: 6%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://www.unbound.net/
 Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
@@ -435,6 +435,9 @@ popd
 %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
 %changelog
+* Thu Feb 22 2018 Petr Menšík - 1.6.8-6
+- Uncomment again original max-upd-size
+
 * Wed Feb 21 2018 Petr Menšík - 1.6.8-5
 - Use default RPM build flags and configure parameters (#1539097)
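Review bot: In the unbound.conf hunk, the re-enabled `max-udp-size: 3072` line carries no comment marking it as a deliberate hardening value, so it still reads like an optional example that a formatting cleanup could comment out again, which per the commit message is what happened. I would add a line directly above it such as `# Intentionally set below the 4096 default to limit DNS amplification; keep this line active.` The existing comment ties 3072 to the size of one specific response (`+dnssec any isc.org`), so the value presumably needs re-checking if that response changes size. The comment block this setting belongs to starts above the hunk, so its opening lines are not visible here.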