From 218baa837d3a8b76eef4b9a6b8069cceb3cb809b Mon Sep 17 00:00:00 2001 From: DistroBaker Date: Thu, 11 Feb 2021 16:57:05 +0000 Subject: [PATCH] Merged update from upstream sources This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/unbound.git#cf0e47e9b70b8c471b740bc51ede0a1ee2bfa0a6 --- .gitignore | 2 ++ sources | 4 ++-- unbound.conf | 54 ++++++++++++++++++++++++++++++---------------------- unbound.spec | 8 ++++++-- 4 files changed, 41 insertions(+), 27 deletions(-) diff --git a/.gitignore b/.gitignore index 9b0a67b..1911c71 100644 --- a/.gitignore +++ b/.gitignore @@ -63,3 +63,5 @@ unbound-1.4.5.tar.gz /unbound-1.12.0.tar.gz.asc /unbound-1.13.0.tar.gz /unbound-1.13.0.tar.gz.asc +/unbound-1.13.1.tar.gz +/unbound-1.13.1.tar.gz.asc diff --git a/sources b/sources index 6e5f7a7..c7d1af2 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (unbound-1.13.0.tar.gz) = d4f3c5a7df5d46f8b1ee32b61e68bdc0d63030820d236ecc51bc3ac356d15248acb9a5e0b6009e1936b03b751e8dd05a071a95ab239fdbbbb308442a59642ad5 -SHA512 (unbound-1.13.0.tar.gz.asc) = 924396fe8c92945386cedcfd5a52ec65b892b3dac20f2b6bf7dd99f7e263f5e3a11ce1f8f6ccc8107529c3be81d6b61d14e66bdda2d3e5c8bc8a8462b93c7d84 +SHA512 (unbound-1.13.1.tar.gz) = f4d26dca28dbcc33a5e65a55147fa01077c331292e88b6a87798cb6c3d4edb0515015d131fd893c92b74d22d9998a640f0adce404e6192d61ebe69a6a599287c +SHA512 (unbound-1.13.1.tar.gz.asc) = a4a943841c4db14b2d236b4b80ac80129148c42f7b3d82246b0e0150c1e3e3e294863d5c72d1ac41c2164126d1d10f9044554f97aa6d94019acb41b5f7ed7d34 diff --git a/unbound.conf b/unbound.conf index ae3fcf5..e414f9c 100644 --- a/unbound.conf +++ b/unbound.conf 
@@ -328,7 +328,7 @@ server: # The pid file can be absolute and outside of the chroot, it is # written just prior to performing the chroot and dropping permissions. # - # Additionally, unbound may need to access /dev/random (for entropy). + # Additionally, unbound may need to access /dev/urandom (for entropy). # How to do this is specific to your OS. # # If you give "" no chroot is performed. The path must not end in a /. @@ -393,6 +393,9 @@ server: # enable to not answer version.server and version.bind queries. # hide-version: no + # NSID identity (hex string, or "ascii_somestring"). default disabled. + # nsid: "aabbccdd" + # enable to not answer trustanchor.unbound queries. # hide-trustanchor: no @@ -413,7 +416,7 @@ server: # target-fetch-policy: "3 2 1 0 0" # Harden against very small EDNS buffer sizes. - # harden-short-bufsize: no + # harden-short-bufsize: yes # Harden against unseemly large queries. # harden-large-queries: no @@ -624,6 +627,13 @@ server: # A recommended value is 1800. # serve-expired-client-timeout: 0 + # Return the original TTL as received from the upstream name server rather + # than the decrementing TTL as stored in the cache. Enabling this feature + # does not impact cache expiry, it only changes the TTL unbound embeds in + # responses to queries. Note that enabling this feature implicitly disables + # enforcement of the configured minimum and maximum TTL. + # serve-original-ttl: no + # Have the validator log failed validations for your diagnosis. # 0: off. 1: A line per failed user query. 2: With reason and bad IP. val-log-level: 1 
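Review bot: The new `nsid:` example in the `@@ -393,6 +393,9 @@` hunk sits between `hide-version` and `hide-trustanchor`, but its comment does not say that it works in the opposite direction to them. Once set, the value is added to answers for any client that sends the NSID option, so it identifies the responding instance to outsiders. I would extend the comment with `# Returned to any client that asks for NSID; do not put internal hostnames or site names in it.` The `server:` clause starts and ends outside the hunk.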
@@ -733,8 +743,10 @@ server: # o inform acts like transparent, but logs client IP address # o inform_deny drops queries and logs client IP address # o inform_redirect redirects queries and logs client IP address - # o always_transparent, always_refuse, always_nxdomain, resolve in - # that way but ignore local data for that name + # o always_transparent, always_refuse, always_nxdomain, always_nodata, + # always_deny resolve in that way but ignore local data for + # that name + # o always_null returns 0.0.0.0 or ::0 for any name in the zone. # o noview breaks out of that view towards global local-zones. # # defaults are localhost address, reverse for 127.0.0.1 and ::1 @@ -784,6 +796,12 @@ server: # cipher setting for TLSv1.3 # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" + # Pad responses to padded queries received over TLS + # pad-responses: yes + + # Padded responses will be padded to the closest multiple of this size. + # pad-responses-block-size: 468 + # Use the SNI extension for TLS connections. Default is yes. # Changing the value requires a reload. # tls-use-sni: yes @@ -806,6 +824,12 @@ server: # Add system certs to the cert bundle, from the Windows Cert Store # tls-win-cert: no + # Pad queries over TLS upstreams + # pad-queries: yes + + # Padded queries will be padded to the closest multiple of this size. + # pad-queries-block-size: 128 + # Also serve tls on these port numbers (eg. 443, ...), by listing # tls-additional-port: portno for each of the port numbers. 
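Review bot: The comments for `pad-responses-block-size: 468` in the `@@ -784,6 +796,12 @@` hunk and for `pad-queries-block-size: 128` in the `@@ -806,6 +824,12 @@` hunk give the numbers without saying what they protect. An operator tuning for bandwidth gets no hint that a smaller block exposes more of the message length to an observer of the TLS stream. I would add `# Smaller blocks reveal more about message size to an on-path observer; 468 is the RFC 8467 recommended value.` under the first, and the matching line with 128 under the second. Both hunks lie inside the `server:` clause, which begins outside them.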
@@ -825,22 +849,6 @@ server: # service. # http-nodelay: yes - # HTTP endpoint to provide DNS-over-HTTPS service on. - # http-endpoint: "/dns-query" - - # HTTP/2 SETTINGS_MAX_CONCURRENT_STREAMS value to use. - # http-max-streams: 100 - - # Maximum number of bytes used for all HTTP/2 query buffers. - # http-query-buffer-size: 4m - - # Maximum number of bytes used for all HTTP/2 response buffers. - # http-response-buffer-size: 4m - - # Set TCP_NODELAY socket option on sockets used for DNS-over-HTTPS - # service. - # http-nodelay: yes - # Disable TLS for DNS-over-HTTP downstream service. # http-notls-downstream: no @@ -1115,7 +1123,7 @@ auth-zone: # IPSet # Add specify domain into set via ipset. -# Note: To enable ipset unbound needs run as root user. +# Note: To enable ipset unbound needs to run as root user. # ipset: # # set name for ip v4 addresses # name-v4: "list-v4" @@ -1130,7 +1138,7 @@ auth-zone: # dnstap-enable: no # # if set to yes frame streams will be used in bidirectional mode # dnstap-bidirectional: yes -# dnstap-socket-path: "" +# dnstap-socket-path: "/etc/unbound/dnstap.sock" # # if "" use the unix socket in dnstap-socket-path, otherwise, # # set it to "IPaddress[@port]" of the destination. # dnstap-ip: "" @@ -1166,7 +1174,7 @@ auth-zone: # rpz: # name: "rpz.example.com" # zonefile: "rpz.example.com" -# master: 192.0.2.0 +# primary: 192.0.2.0 # allow-notify: 192.0.2.0/32 # url: http://www.example.com/rpz.example.org.zone # rpz-action-override: cname diff --git a/unbound.spec b/unbound.spec index d5a086e..6662cc2 100644 --- a/unbound.spec +++ b/unbound.spec @@ -36,8 +36,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.13.0 -Release: 2%{?extra_version:.%{extra_version}}%{?dist} +Version: 1.13.1 +Release: 1%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz 
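Review bot: The example `dnstap-socket-path: "/etc/unbound/dnstap.sock"` in the `@@ -1130,7 +1138,7 @@` hunk places a runtime unix socket in the configuration directory. Whichever process creates that socket then needs write access to the directory that, per the unbound.spec hunk, also holds `root.key`. If the path is simply the compiled-in default (not visible here), the comment should say so and steer operators elsewhere, for example `# compiled-in default; prefer a socket in a runtime directory writable only by the dnstap collector`. This only affects operators who uncomment the line; the `dnstap:` clause begins outside the hunk.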
@@ -458,6 +458,10 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Wed Feb 10 2021 Paul Wouters - 1.13.1-1 +- Resolves rhbz#1860887 unbound-1.13.1 is available +- Fixup unbound.conf + * Wed Jan 27 2021 Fedora Release Engineering - 1.13.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild