From 218f551c2490d49fc5ce06cb04c0ac6b814e5cef Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Wed, 11 Oct 2023 16:55:31 -0400 Subject: [PATCH] Fix for resolving outlook.com via forwarders - See https://github.com/NLnetLabs/unbound/issues/946 - Use autochangelog macro --- unbound-1.18-outlook.patch | 228 +++++++++ unbound.spec | 922 +------------------------------------ 2 files changed, 233 insertions(+), 917 deletions(-) create mode 100644 unbound-1.18-outlook.patch diff --git a/unbound-1.18-outlook.patch b/unbound-1.18-outlook.patch new file mode 100644 index 0000000..6689bbc --- /dev/null +++ b/unbound-1.18-outlook.patch @@ -0,0 +1,228 @@ +diff --git a/Makefile.in b/Makefile.in +index 627a650f6..22fb75c12 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -793,7 +793,7 @@ iter_priv.lo iter_priv.o: $(srcdir)/iterator/iter_priv.c config.h $(srcdir)/iter + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/sbuffer.h + iter_resptype.lo iter_resptype.o: $(srcdir)/iterator/iter_resptype.c config.h \ +- $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h \ ++ $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iterator.h $(srcdir)/util/log.h \ + $(srcdir)/services/cache/dns.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/data/dname.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h +diff --git a/iterator/iter_resptype.c b/iterator/iter_resptype.c +index e85595b84..38e186e79 100644 +--- a/iterator/iter_resptype.c ++++ b/iterator/iter_resptype.c +@@ -42,6 +42,7 @@ + #include "config.h" + #include "iterator/iter_resptype.h" + #include "iterator/iter_delegpt.h" ++#include "iterator/iterator.h" + #include "services/cache/dns.h" + #include "util/net_help.h" + #include "util/data/dname.h" +@@ -105,7 +106,8 @@ response_type_from_cache(struct dns_msg* msg, + + enum response_type + response_type_from_server(int rdset, +- struct dns_msg* msg, struct query_info* request, struct delegpt* dp) ++ struct dns_msg* msg, struct query_info* request, struct delegpt* dp, ++ int* empty_nodata_found) + { + uint8_t* origzone = (uint8_t*)"\000"; /* the default */ + struct ub_packed_rrset_key* s; +@@ -284,13 +286,22 @@ response_type_from_server(int rdset, + + /* If we've gotten this far, this is NOERROR/NODATA (which could + * be an entirely empty message) */ +- /* but ignore entirely empty messages, noerror/nodata has a soa +- * negative ttl value in the authority section, this makes it try +- * again at another authority. And turns it from a 5 second empty +- * message into a 5 second servfail response. */ ++ /* For entirely empty messages, try again, at first, then accept ++ * it it happens more. A regular noerror/nodata response has a soa ++ * negative ttl value in the authority section. This makes it try ++ * again at another authority. And decides between storing a 5 second ++ * empty message or a 5 second servfail response. */ + if(msg->rep->an_numrrsets == 0 && msg->rep->ns_numrrsets == 0 && +- msg->rep->ar_numrrsets == 0) +- return RESPONSE_TYPE_THROWAWAY; ++ msg->rep->ar_numrrsets == 0) { ++ if(empty_nodata_found) { ++ /* detect as throwaway at first, but accept later. */ ++ (*empty_nodata_found)++; ++ if(*empty_nodata_found < EMPTY_NODATA_RETRY_COUNT) ++ return RESPONSE_TYPE_THROWAWAY; ++ return RESPONSE_TYPE_ANSWER; ++ } ++ return RESPONSE_TYPE_ANSWER; ++ } + /* check if recursive answer; saying it has empty cache */ + if( (msg->rep->flags&BIT_RA) && !(msg->rep->flags&BIT_AA) && !rdset) + return RESPONSE_TYPE_REC_LAME; +diff --git a/iterator/iter_resptype.h b/iterator/iter_resptype.h +index fee9ef35f..bfd4b664f 100644 +--- a/iterator/iter_resptype.h ++++ b/iterator/iter_resptype.h +@@ -119,9 +119,11 @@ enum response_type response_type_from_cache(struct dns_msg* msg, + * @param request: the request that generated the response. + * @param dp: The delegation point that was being queried + * when the response was returned. ++ * @param empty_nodata_found: flag to keep track of empty nodata detection. + * @return the response type (CNAME or ANSWER). + */ + enum response_type response_type_from_server(int rdset, +- struct dns_msg* msg, struct query_info* request, struct delegpt* dp); ++ struct dns_msg* msg, struct query_info* request, struct delegpt* dp, ++ int* empty_nodata_found); + + #endif /* ITERATOR_ITER_RESPTYPE_H */ +diff --git a/iterator/iterator.c b/iterator/iterator.c +index 9f78aa17d..106e2877e 100644 +--- a/iterator/iterator.c ++++ b/iterator/iterator.c +@@ -2940,7 +2940,7 @@ static int + processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, + struct iter_env* ie, int id) + { +- int dnsseclame = 0, origtypecname = 0; ++ int dnsseclame = 0, origtypecname = 0, orig_empty_nodata_found; + enum response_type type; + + iq->num_current_queries--; +@@ -2960,12 +2960,25 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, + return next_state(iq, QUERYTARGETS_STATE); + } + iq->timeout_count = 0; ++ orig_empty_nodata_found = iq->empty_nodata_found; + type = response_type_from_server( + (int)((iq->chase_flags&BIT_RD) || iq->chase_to_rd), +- iq->response, &iq->qinfo_out, iq->dp); ++ iq->response, &iq->qinfo_out, iq->dp, &iq->empty_nodata_found); + iq->chase_to_rd = 0; + /* remove TC flag, if this is erroneously set by TCP upstream */ + iq->response->rep->flags &= ~BIT_TC; ++ if(orig_empty_nodata_found != iq->empty_nodata_found && ++ iq->empty_nodata_found < EMPTY_NODATA_RETRY_COUNT) { ++ /* try to search at another server */ ++ if(qstate->reply) { ++ struct delegpt_addr* a = delegpt_find_addr( ++ iq->dp, &qstate->reply->remote_addr, ++ qstate->reply->remote_addrlen); ++ /* make selection disprefer it */ ++ if(a) a->lame = 1; ++ } ++ return next_state(iq, QUERYTARGETS_STATE); ++ } + if(type == RESPONSE_TYPE_REFERRAL && (iq->chase_flags&BIT_RD) && + !iq->auth_zone_response) { + /* When forwarding (RD bit is set), we handle referrals +@@ -3501,7 +3514,7 @@ processPrimeResponse(struct module_qstate* qstate, int id) + iq->response->rep->flags &= ~(BIT_RD|BIT_RA); /* ignore rec-lame */ + type = response_type_from_server( + (int)((iq->chase_flags&BIT_RD) || iq->chase_to_rd), +- iq->response, &iq->qchase, iq->dp); ++ iq->response, &iq->qchase, iq->dp, NULL); + if(type == RESPONSE_TYPE_ANSWER) { + qstate->return_rcode = LDNS_RCODE_NOERROR; + qstate->return_msg = iq->response; +diff --git a/iterator/iterator.h b/iterator/iterator.h +index fad7f03e6..e253f3f7e 100644 +--- a/iterator/iterator.h ++++ b/iterator/iterator.h +@@ -101,6 +101,8 @@ extern int BLACKLIST_PENALTY; + * Chosen so that the UNKNOWN_SERVER_NICENESS falls within the band of a + * fast server, this causes server exploration as a side benefit. msec. */ + #define RTT_BAND 400 ++/** Number of retries for empty nodata packets before it is accepted. */ ++#define EMPTY_NODATA_RETRY_COUNT 2 + + /** + * Global state for the iterator. +@@ -415,6 +417,11 @@ struct iter_qstate { + */ + int refetch_glue; + ++ /** ++ * This flag detects that a completely empty nodata was received, ++ * already so that it is accepted later. */ ++ int empty_nodata_found; ++ + /** list of pending queries to authoritative servers. */ + struct outbound_list outlist; + +diff --git a/testdata/iter_ignore_empty.rpl b/testdata/iter_ignore_empty.rpl +index c70dd7e8d..4b2f695b8 100644 +--- a/testdata/iter_ignore_empty.rpl ++++ b/testdata/iter_ignore_empty.rpl +@@ -78,6 +78,18 @@ example2.com. IN NS ns2.example2.com. + SECTION ADDITIONAL + ns2.example2.com. IN A 1.2.3.5 + ENTRY_END ++ ++ENTRY_BEGIN ++MATCH opcode subdomain ++ADJUST copy_id copy_query ++REPLY QR NOERROR ++SECTION QUESTION ++foo.com. IN NS ++SECTION AUTHORITY ++foo.com. IN NS ns.foo.com. ++SECTION ADDITIONAL ++ns.foo.com. IN A 1.2.3.5 ++ENTRY_END + RANGE_END + + ; ns.example.com. +@@ -172,6 +184,27 @@ www.example.com. IN A + SECTION ANSWER + www.example.com. IN A 10.20.30.40 + ENTRY_END ++ ++; foo.com ++ENTRY_BEGIN ++MATCH opcode qtype qname ++ADJUST copy_id ++REPLY QR AA NOERROR ++SECTION QUESTION ++www.foo.com. IN A ++SECTION ANSWER ++ENTRY_END ++ ++ENTRY_BEGIN ++MATCH opcode qtype qname ++ADJUST copy_id ++REPLY QR AA NOERROR ++SECTION QUESTION ++ns.foo.com. IN AAAA ++SECTION ANSWER ++SECTION AUTHORITY ++;foo.com. IN SOA ns2.foo.com root.foo.com 4 14400 3600 604800 3600 ++ENTRY_END + RANGE_END + + STEP 1 QUERY +@@ -195,4 +228,21 @@ ENTRY_END + ; wait for pending nameserver lookups. + STEP 20 TRAFFIC + ++; Test that a nodata stays a nodata. ++STEP 30 QUERY ++ENTRY_BEGIN ++REPLY RD ++SECTION QUESTION ++www.foo.com. IN A ++ENTRY_END ++ ++STEP 40 CHECK_ANSWER ++ENTRY_BEGIN ++MATCH all ++REPLY QR RD RA NOERROR ++SECTION QUESTION ++www.foo.com. IN A ++SECTION ANSWER ++ENTRY_END ++ + SCENARIO_END diff --git a/unbound.spec b/unbound.spec index 7f97e5d..ba98372 100644 --- a/unbound.spec +++ b/unbound.spec @@ -31,7 +31,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.18.0 -Release: 2%{?extra_version:.%{extra_version}}%{?dist} +Release: 3%{?extra_version:.%{extra_version}}%{?dist} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -56,7 +56,8 @@ Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_vers Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key Source20: unbound.sysusers -#Patch1: +# https://github.com/NLnetLabs/unbound/issues/946 +Patch1: unbound-1.18-outlook.patch BuildRequires: gcc, make BuildRequires: flex, openssl-devel @@ -202,7 +203,7 @@ Python 3 modules and extensions for unbound pushd %{pkgname} # patches go here -%autopatch -p2 +%autopatch -p1 # only for snapshots # autoreconf -iv @@ -499,917 +500,4 @@ popd %{_mandir}/man1/unbound-* %changelog -* Wed Sep 06 2023 Petr Menšík - 1.18.0-2 -- Skip failing tests on ELN builds - -* Fri Sep 01 2023 Petr Menšík - 1.18.0-1 -- Update to 1.18.0 (#2236097) - -* Sat Jul 22 2023 Fedora Release Engineering - 1.17.1-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild - -* Tue Jun 13 2023 Python Maint - 1.17.1-3 -- Rebuilt for Python 3.12 - -* Sat Jan 21 2023 Fedora Release Engineering - 1.17.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild - -* Fri Jan 13 2023 Paul Wouters - 1.17.0-2 -- Move unbound user creation to libs (#2149036) -- Use systemd-sysusers for user creation (#2105416) -- Keep original DNSSEC root key as config (#2132103) - -* Tue Nov 01 2022 Petr Menšík - 1.17.0-1 -- Update to 1.17.0 (#2134348) - -* Wed Oct 05 2022 Petr Menšík - 1.16.3-3 -- Correct issues made by unbound-anchor package split (#2110858) - -* Fri Sep 30 2022 Petr Menšík - 1.16.3-2 -- Update License tag to SPDX identifier - -* Fri Sep 23 2022 Petr Menšík - 1.16.3-1 -- Update to 1.16.3 (#2128638) - -* Tue Aug 09 2022 Paul Wouters - 1.16.2-3 -- sync up to upstream unbound.conf -- Enable Extended DNS Error codes (RFC8914) - -* Tue Aug 09 2022 Petr Menšík - 1.16.2-2 -- Require openssl tool for unbound-keygen (#2116790) - -* Wed Aug 03 2022 Petr Menšík - 1.16.2-1 -- Update to 1.16.2 (#2105947) for CVE-2022-30698 and CVE-2022-30699 - -* Sat Jul 23 2022 Fedora Release Engineering - 1.16.0-7 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild - -* Mon Jun 27 2022 Petr Menšík - 1.16.0-6 -- Move unbound-anchor to separate package -- Move unbound-host and unbound-streamtcp to unbound-utils package - -* Mon Jun 13 2022 Python Maint - 1.16.0-5 -- Rebuilt for Python 3.11 - -* Tue Jun 07 2022 Petr Menšík - 1.16.0-4 -- Restart keygen service before every unbound start - -* Sat Jun 04 2022 Petr Menšík - 1.16.0-1 -- Update to 1.16.0 - -* Tue Apr 26 2022 Petr Menšík - 1.15.0-3 -- Stop creating wrong devel manual pages (#2078929) - -* Wed Apr 20 2022 Petr Menšík - 1.15.0-2 -- Update icannbundle.pem - -* Tue Mar 29 2022 Petr Menšík - 1.15.0-1 -- Update to 1.15.0 (#2030608) - -* Sat Jan 22 2022 Fedora Release Engineering - 1.13.2-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - -* Sat Nov 06 2021 Adrian Reber - 1.13.2-4 -- Rebuilt for protobuf 3.19.0 - -* Mon Oct 25 2021 Adrian Reber - 1.13.2-3 -- Rebuilt for protobuf 3.18.1 - -* Tue Sep 14 2021 Sahana Prasad - 1.13.2-2 -- Rebuilt with OpenSSL 3.0.0 - -* Thu Aug 12 2021 Paul Wouters - 1.13.2-1 -- Resolves: rhbz#1992985 unbound-1.13.2 is available -- Use system-wide crypto policies - -* Fri Jul 23 2021 Fedora Release Engineering - 1.13.1-8 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - -* Wed Jun 02 2021 Python Maint - 1.13.1-7 -- Rebuilt for Python 3.10 - -* Fri Apr 23 2021 Artem Egorenkov - 1.13.1-6 -- Option --enable-linux-ip-local-port-range added to use system configured port range for libunbound on Linux -- Resolves: rhbz#1935101 - -* Tue Apr 13 2021 Paul Wouters - 1.13.1-5 -- Fix unbound.service to use After=network-online.target - -* Tue Apr 06 2021 Artem Egorenkov - 1.13.1-4 -- Don't start unbound-anchor before unbound service if DISABLE_UNBOUND_ANCHOR - environment variable equals to "yes" - -* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 1.13.1-3 -- Rebuilt for updated systemd-rpm-macros - See https://pagure.io/fesco/issue/2583. - -* Mon Feb 15 2021 Victor Stinner - 1.13.1-2 -- Fix build on Python 3.10 (rhbz#1889726). - -* Wed Feb 10 2021 Paul Wouters - 1.13.1-1 -- Resolves rhbz#1860887 unbound-1.13.1 is available -- Fixup unbound.conf - -* Wed Jan 27 2021 Fedora Release Engineering - 1.13.0-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - -* Thu Dec 10 2020 Petr Menšík - 1.13.0-1 -- Update to 1.13.0 - -* Tue Oct 13 2020 Petr Menšík - 1.12.0-1 -- Update to 1.12.0 (#1860887) - -* Tue Sep 15 2020 Petr Menšík - 1.10.1-5 -- Move command line tools to utils subpackage - -* Wed Jul 29 2020 Fedora Release Engineering - 1.10.1-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Tue Jul 14 2020 Tom Stellard - 1.10.1-3 -- Use make macros -- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro - -* Fri May 22 2020 Miro Hrončok - 1.10.1-2 -- Rebuilt for Python 3.9 - -* Tue May 19 2020 Paul Wouters - 1.10.1-1 -- Resolves: rhbz#1837279 unbound-1.10.1 is available -- Resolves: rhbz#1837598 CVE-2020-12662 unbound: insufficient control of network message volume leads to DoS -- Resolves: rhbz#1837609 CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers -- Updated unbound.conf for new options in 1.10.1 - -* Wed Apr 29 2020 Paul Wouters - 1.10.0-3 -- Resolves: rhbz#1667742 SELinux is preventing unbound from 'name_bind' accesses on the udp_socket port 61000. - -* Thu Apr 16 2020 Artem Egorenkov - 1.10.0-2 -- Resolves: rhbz#1824536 unbound crash - -* Thu Mar 19 2020 Petr Menšík - 1.10.0-1 -- Update to 1.10.0 (#1805199) - -* Fri Jan 31 2020 Fedora Release Engineering - 1.9.6-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Fri Dec 13 2019 Paul Wouters - 1.9.6-1 -- Resolves: rhbz#1758107 unbound-1.9.5 is available -- Resolves: CVE-2019-18934 - -* Fri Nov 01 2019 Paul Wouters - 1.9.4-1 -- Fix build on rhel/centos systems -- Resolves: rhbz#1767955 (CVE-2019-16866) uninitialized memory accesses leads to crash via a crafted NOTIFY query - -* Thu Sep 26 2019 Petr Menšík - 1.9.3-2 -- Obsolete no longer provided python2 subpackage (#1749400) - -* Tue Aug 27 2019 Paul Wouters - 1.9.3-1 -- Updated to 1.9.3 -- Resolves: rhbz#1672578 unbound-1.9.2 is available -- Resolves: rhbz#1694831 [/usr/lib/tmpfiles.d/unbound.conf:1] Line references path below legacy directory /var/run/ -- Resolves: rhbz# 1667387 [abrt] unbound: memmove(): unbound killed by SIGABRT - -* Thu Aug 22 2019 Miro Hrončok - 1.8.3-8 -- Subpackage python2-unbound has been removed - See https://fedoraproject.org/wiki/Changes/Mass_Python_2_Package_Removal - -* Thu Aug 15 2019 Miro Hrončok - 1.8.3-7 -- Rebuilt for Python 3.8 - -* Mon Aug 5 2019 Zbigniew Jędrzejewski-Szmek - 1.8.3-6 -- Drop install-time requirements on systemd (#1723777) - -* Sat Jul 27 2019 Fedora Release Engineering - 1.8.3-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - -* Sun Feb 03 2019 Fedora Release Engineering - 1.8.3-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - -* Fri Jan 11 2019 Paul Wouters - 1.8.3-3 -- Remove KSK-2010 from configs - it has been revoked - -* Wed Dec 12 2018 Paul Wouters - 1.8.3-2 -- Another dns64 fixup - -* Wed Dec 12 2018 Paul Wouters - 1.8.3-1 -- Updated to 1.8.3 with fixes the dns64 bug and has some other minor fixes - -* Mon Dec 10 2018 Paul Wouters - 1.8.2-2 -- Fix dns64 allocation in wrong region for returned internal queries. - -* Tue Dec 04 2018 Paul Wouters - 1.8.2-1 -- Updated to 1.8.2. -- Enabled deny ANY query support and edns-tcp-keepalive -- Set serve-stale timeout to 4h -- Updated unbound.conf for latest options - -* Mon Oct 22 2018 Petr Menšík - 1.8.1-2 -- Allow group by default to unbound-control (#1640259) - -* Mon Oct 08 2018 Petr Menšík - 1.8.1-1 -- Update to 1.8.1 - -* Mon Oct 01 2018 Petr Menšík - 1.8.0-2 -- Skip ipv6 forwarders without ipv6 support (#1633874) - -* Wed Sep 19 2018 Petr Menšík - 1.8.0-1 -- Rebase to 1.8.0 - -* Tue Aug 14 2018 Paul Wouters - 1.7.3-9 -- Fix for restarting unbound service after deleting key/pem files for remote control - -* Tue Jul 31 2018 Petr Menšík - 1.7.3-8 -- Release memory in unbound-host - -* Mon Jul 23 2018 Petr Menšík - 1.7.3-7 -- Remove unused Group tag - -* Wed Jul 18 2018 Petr Menšík - 1.7.3-6 -- Cleanup generated client and server keys (#1601773) - -* Sat Jul 14 2018 Fedora Release Engineering - 1.7.3-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - -* Mon Jul 09 2018 Petr Menšík - 1.7.3-4 -- Do not call ldconfig if possible - -* Wed Jul 04 2018 Petr Menšík - 1.7.3-3 -- Update trust anchors also behind firewall (#1598078) - -* Mon Jul 02 2018 Miro Hrončok - 1.7.3-2 -- Rebuilt for Python 3.7 - -* Wed Jun 27 2018 Petr Menšík - 1.7.3-1 -- Update to 1.7.3 (#1593708) - -* Wed Jun 27 2018 Petr Menšík - 1.7.2-3 -- Remove last python2 dependency from python3 build - -* Tue Jun 19 2018 Miro Hrončok - 1.7.2-2 -- Rebuilt for Python 3.7 - -* Mon Jun 11 2018 Paul Wouters - 1.7.2-1 -- Resolves rhbz#1589807 unbound-1.7.2 is available -- Add patch to fix stub/forward zone not returning ServFail when TTL expires -- Enabled the new root-key-sentinel option - -* Wed May 30 2018 Petr Menšík - 1.7.1-1 -- Update to 1.7.1 (#1574495) - -* Mon Apr 09 2018 Petr Menšík - 1.7.0-5 -- Require gcc and make on build -- Remove group, simplify systemd requires -- Simplify building with single python version, make python3 primary - -* Mon Apr 09 2018 Paul Wouters - 1.7.0-4 -- Patch for prefetching after flushing cache - -* Fri Apr 06 2018 Paul Wouters - 1.7.0-3 -- Patch for referral with auth-zone: response - - -* Wed Mar 21 2018 Paul Wouters - 1.7.0-2 -- Patch for broken Aggressive NSEC + stub-zone configuration causing NXDOMAIN at TTL expiry - -* Thu Mar 15 2018 Paul Wouters - 1.7.0-1 -- Updated to 1.7.0 (aggressive nsec, local root support, bugfixes) - -* Thu Feb 22 2018 Petr Menšík - 1.6.8-6 -- Uncomment again original max-upd-size - -* Wed Feb 21 2018 Petr Menšík - 1.6.8-5 -- Use default RPM build flags and configure parameters (#1539097) - -* Wed Feb 21 2018 Petr Menšík - 1.6.8-4 -- Remove group writable bit from some config files (#1528445) - -* Wed Feb 14 2018 Filipe Rosset - 1.6.8-3 -- rebuilt due new libevent 2.1.8 - -* Fri Feb 09 2018 Igor Gnatenko - 1.6.8-2 -- Escape macros in %%changelog - -* Mon Jan 22 2018 Paul Wouters - 1.6.8-1 -- Resolves rhbz#1483572 unbound-1.6.8 is available -- Resolves rhbz#1507049 CVE-2017-15105 unbound: Improper validation of wildcard synthesized NSEC records -- Resolves rhbz#1536518 CVE-2017-15105 unbound: Improper validation of wildcard synthesized NSEC records [fedora-all] - -* Sun Dec 17 2017 Zbigniew Jędrzejewski-Szmek - 1.6.7-2 -- Python 2 binary package renamed to python2-unbound - See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3 - -* Thu Oct 12 2017 Paul Wouters - 1.6.7-1 -- Updated to 1.6.7 (minor bugfixes) - -* Tue Oct 03 2017 Petr Menšík - 1.6.6-3 -- Update icannbundle.pem - -* Mon Oct 02 2017 Paul Wouters - 1.6.6-2 -- Enable RFC 8145 Trust Anchor Signaling to help the root zone get keytag statistics - -* Fri Sep 22 2017 Paul Wouters - 1.6.6-1 -- Resolves: rhbz#1483572 unbound-1.6.6 is available -- Resolves: rhbz#1465575 unbound fails to start up, complains about missing ipsecmod-hook (edit) - -* Wed Aug 16 2017 Paul Wouters - 1.6.4-4 -- Rebuilt with KSK2017 added to root.key and root.anchor -- Remove noreplace for root key files. We can only improve these files over local copies - -* Thu Aug 03 2017 Fedora Release Engineering - 1.6.4-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - -* Thu Jul 27 2017 Fedora Release Engineering - 1.6.4-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild - -* Sun Jul 02 2017 Paul Wouters - 1.6.4-1 -- Updated to 1.6.4 full release, patch to allow missing ipsechook -- Resolves rhbz#1465575 unbound fails to start up, complains about missing ipsecmod-hook - -* Thu Jun 22 2017 Paul Wouters - 1.6.4-0.rc2 -- Update to 1.6.4 (esubnet, ipsecmod support, bugfixes) - -* Tue Jun 13 2017 Paul Wouters - 1.6.3-1 -- Updated to 1.6.3 (fixes assertion failure when receiving malformed packet with 0x20 enabled) - -* Thu Jun 08 2017 Paul Wouters - 1.6.2-2 -- Patch for cmd: unbound-control set_option val-permissive-mode: yes - -* Wed Apr 26 2017 Paul Wouters - 1.6.2-1 -- Update to 1.6.2 (rhbz#1425649) -- Updated unbound.conf with new options - -* Wed Mar 22 2017 Paul Wouters - 1.6.0-6 -- Call make unbound-event-install to install unbound-event.h - -* Sat Feb 11 2017 Fedora Release Engineering - 1.6.0-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - -* Wed Jan 18 2017 Paul Wouters - 1.6.0-4 -- Remove obsoleted DLV key - -* Mon Jan 02 2017 Paul Wouters - 1.6.0-3 -- Actually remove dependency because minimum is always satisfied - -* Mon Jan 02 2017 Paul Wouters - 1.6.0-2 -- Depend on openssl-libs, not opensl - -* Wed Dec 21 2016 Kevin Fenzi - 1.6.0-1 -- Update to 1.6.0 - -* Mon Dec 19 2016 Miro Hrončok - 1.5.10-3 -- Rebuild for Python 3.6 - -* Wed Oct 26 2016 Ilya Evseev - 1.5.10-2 -- Bugfix building without python2 and python3 -- Fixup streamtcp build (Paul) - -* Tue Sep 27 2016 Paul Wouters - 1.5.10-1 -- Updated to 1.5.10 (better TCP handling, bugfixes) -- Install pkgconfig file in -devel package -- Updated unbound.conf - -* Tue Jul 19 2016 Fedora Release Engineering - 1.5.9-4 -- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages - -* Thu Jul 07 2016 Paul Wouters - 1.5.9-3 -- Fix upper port range to 60999 because that's what selinux allows - -* Thu Jun 16 2016 Paul Wouters - 1.5.9-2 -- Patch for allowing more queries before failure (needed for query minimalization) - -* Mon Jun 13 2016 Paul Wouters - 1.5.9-1 -- Updated to 1.5.9 - -* Thu Apr 21 2016 Toshio Kuratomi - 1.5.8-2 -- Fix streamtcp to link against libpython3.x instead of libpython2.x - -* Wed Mar 02 2016 Paul Wouters - 1.5.8-1 -- Update to 1.5.8 (rhbz#1313831) which incorporates rhbz#1294339 patch -- Updated unbound.conf with new upstream options -- Enabled ip-transparent: yes (see rhbz#1291449) - -* Fri Feb 05 2016 Fedora Release Engineering - 1.5.7-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - -* Thu Jan 21 2016 Tomas Hozza - 1.5.7-2 -- Fix escaping of shell chars in unbound-control-setup (#1294339) - -* Fri Dec 11 2015 Paul Wouters - 1.5.7-1 -- Update to 1.5.7 -- Enable query minimalization for enhanced DNS query privacy -- Enable nxdomain hardening to assist with query minimalization and SBLs -- Updated default unbound.conf for new features from upstream. - -* Fri Nov 13 2015 Tomas Hozza - 1.5.6-1 -- Update to 1.5.6 (#1176729) - -* Wed Nov 04 2015 Robert Kuska - 1.5.5-2 -- Rebuilt for Python3.5 rebuild - -* Wed Oct 07 2015 Tomas Hozza - 1.5.5-1 -- New upstream release 1.5.5 (#1269137) -- Removed the anchor update from %%post section of -libs subpackage (#1269137#c2) - -* Tue Sep 15 2015 Tomas Hozza - 1.5.4-5 -- Removed dependency and ordering on unbound-anchor.service in unbound.service - -* Thu Sep 03 2015 Tomas Hozza - 1.5.4-4 -- Prefer Python3 build over Python2 build for now (#1254566) - -* Mon Jul 20 2015 Tomas Hozza - 1.5.4-3 -- Added ExecReload section to unbound.service (#1195785) -- Removed After syslog.target since it is not needed any more - -* Thu Jul 16 2015 Tomas Hozza - 1.5.4-2 -- Start unbound-anchor.timer only on new installations -- Rename root.anchor to root.key in %%post section - -* Tue Jul 14 2015 Paul Wouters - 1.5.4-1 -- Update to 1.5.4 -- Removed patches merged into upstream - -* Tue Jun 16 2015 Tomas Hozza - 1.5.3-8 -- Revert: Use low maximum negative cache TTL (5 sec) (#1229596) - -* Mon Jun 15 2015 Tomas Hozza - 1.5.3-7 -- Add option for maximum negative cache TTL (#1229599) -- Use low maximum negative cache TTL (5 sec) (#1229596) - -* Tue May 26 2015 Tomas Hozza - 1.5.3-6 -- Removed usage of DLV from the default configuration (#1223363) - -* Wed May 13 2015 Tomas Hozza - 1.5.3-5 -- unbound.service now Wants unbound-anchor.timer -- unbound-anchor man page moved to the unbound-libs - -* Mon May 11 2015 Paul Wouters - 1.5.3-4 -- Fixup scriptlets causing systemctl: command not found -- Resolves rhbz#1219587 Error in PREIN scriptlet in rpm package unbound-libs - -* Mon Apr 27 2015 Tomas Hozza - 1.5.3-3 -- migrate cronjob to systemd timer unit (#1177285) -- change the period for unbound-anchor from monthly to daily (#1180267) -- Thanks to Tomasz Torcz for the initial patch - -* Thu Apr 16 2015 Tomas Hozza - 1.5.3-2 -- Fix FTBFS (#1206129) -- Build python3-unbound and python-unbound bindings for Python 3 and 2 (#1188080) - -* Mon Mar 16 2015 Paul Wouters - 1.5.3-1 -- Updated to 1.5.3 which is a bugfix on 1.5.2 for sighup handling -- Updated to 1.5.2 which fixes DNSSEC validation with different - trust anchors upstream, local-zone has a new keyword 'inform' - -* Mon Feb 02 2015 Paul Wouters - 1.5.1-4 -- Build with --enable-ecdsa - -* Sun Feb 01 2015 Paul Wouters - 1.5.1-3 -- Fix post to create root.anchor, not root.key, to match cron job - -* Tue Dec 09 2014 Paul Wouters - 1.5.1-2 -- Change systemd-units to systemd -- Use _tmpfilesdir macro, don't mark tmpfiles as config - -* Tue Dec 09 2014 Paul Wouters - 1.5.1-1 -- Update to 1.5.1 for CVE-2014-8602 (rhbz#1172066) -- Removed unbound-aarch64.patch which was merged upstream -- Don't require autotools for non snapshots or run autoreconf - -* Fri Nov 28 2014 Tomas Hozza - 1.5.1-0.1.rc1 -- update to 1.5.1rc1 - -* Fri Nov 28 2014 Marcin Juszkiewicz - 1.5.0-3 -- fix build on aarch64 - -* Wed Nov 26 2014 Tomas Hozza - 1.5.0-2 -- Fix race condition in arc4random (#1166878) - -* Wed Nov 19 2014 Tomas Hozza - 1.5.0-1 -- update to 1.5.0 - -* Wed Sep 24 2014 Pavel Šimerda - 1.4.22-6 -- Resolves: #1115489 - build with python 3.x for fedora >= 22 - -* Thu Aug 21 2014 Kevin Fenzi - 1.4.22-5 -- Rebuild for rpm bug 1131960 - -* Mon Aug 18 2014 Fedora Release Engineering - 1.4.22-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild - -* Sun Jun 08 2014 Fedora Release Engineering - 1.4.22-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild - -* Thu May 01 2014 Paul Wouters - 1.4.22-2 -- Added flushcache patch (SVN commit 3125) - -* Thu Mar 13 2014 Paul Wouters - 1.4.22-1 -- Updated to 1.4.22 -- No longer requires the ldns library - -* Thu Jan 16 2014 Tomas Hozza - 1.4.21-3 -- Fix segfault on adding insecure forward zone when using only iterator (#1054192) - -* Mon Oct 21 2013 Tomas Hozza - 1.4.21-2 -- run test suite during the build - -* Thu Sep 19 2013 Paul Wouters - 1.4.21-1 -- Updated to 1.4.21, -- Enabled new max-udp-size: 3072 (so ANY isc.org won't fit) -- Removed patched merged in by upstream -- Enable statistics-cumulative for munin-plugin -- Added outgoing-port-avoid: 0-32767 conformant to SElinux restrictions -- Updated unbound.conf - -* Mon Aug 26 2013 Tomas Hozza - 1.4.20-19 -- Fix errors found by static analysis of source - -* Mon Aug 12 2013 Paul Wouters - 1.4.20-18 -- Change unbound.conf to only use ephemeral ports (32768-65535) - -* Sun Aug 04 2013 Fedora Release Engineering - 1.4.20-17 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild - -* Mon Jul 22 2013 Tomas Hozza - 1.4.20-16 -- provide man page for unbound-streamtcp - -* Mon Jul 08 2013 Paul Wouters - 1.4.20-15 -- Re-introduce hardening flags for full relro and pie -- Fixes compilation failure for python module - -* Wed Jul 03 2013 Tomas Hozza - 1.4.20-14 -- remove missing unbound-rootkey.service from post/preun/postun sections -- don't hardcode hardening flags, let hardened build macro handles it - -* Sat Jun 01 2013 Paul Wouters - 1.4.20-13 -- Run unbound-anchor as user unbound in unbound.service - -* Tue May 28 2013 Paul Wouters - 1.4.20-12 -- Enable round-robin (with noths() patch) -- Change cron and systemd service to use root.key, not root.anchor - -* Sat May 25 2013 Paul Wouters - 1.4.20-10 -- Use /var/lib/unbound/root.key (more consistent with other distros) -- Enable minimal responses - -* Mon Apr 22 2013 Paul Wouters - 1.4.20-8 -- Refix - -* Fri Apr 19 2013 Paul Wouters - 1.4.20-7 -- Fix runuser call in post. - -* Tue Apr 16 2013 Paul Wouters - 1.4.20-6 -- /var/lib/unbound should be owned by unbound. group write is not enough - -* Fri Apr 12 2013 Paul Wouters - 1.4.20-5 -- Fix cron job syntax (rhbz#951725) -- Use install -p to prevent .rpmnew files that are identical to originals - -* Mon Apr 8 2013 Paul Wouters - 1.4.20-4 -- Updated to 1.4.20 -- Build with full RELRO (not use -z,relro but with -z,relo,-z,now) -- Fixup man page for unbound-control-setup -- unbound.service should start before nss-lookup.target (rhbz#919955) -- Removed patch for rhbz#888759 merged in upstream -- Move root.anchor to /var/lib/unbound to make selinux policy easier for updating (rhbz#896599/rhbz#891008) -- Move cronjob for root.anchor from unbound to unbound-libs, require crontabs -- /etc/unbound (and all) should be owned by unbound-libs (rhbz#909691) -- Remove Obsolete/Provides for dnssec-conf which was last seen in f13 -- Ensure any unbound-anchor failure in post is ignored - -* Tue Mar 05 2013 Adam Tkac - 1.4.19-5 -- build with full RELRO -- symlink unbound-control-setup.8 manpage to unbound-control.8 - -* Fri Feb 15 2013 Fedora Release Engineering - 1.4.19-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild - -* Wed Dec 12 2012 Paul Wouters - 1.4.19-3 -- Updated to 1.4.19 - this integrates all existing patches -- Patch for unbound-anchor (rhbz#888759) - -* Fri Nov 09 2012 Paul Wouters - 1.4.18-6 -- Patch to ensure stube-zone's aren't lost when using dnssec-triggerd -- added unbound-munin.README file - -* Wed Sep 26 2012 Paul Wouters - 1.4.18-5 -- Patch to allow wildcards in include: statements -- Add directories /etc/unbound/keys.d,conf.d,local.d with - example entries -- Added /etc/unbound/root.anchor, maintained by unbound-anchor - which is installed as monthly cron and PreExec in systemd config - (root.key is unused, but left installed in case people depend on it) -- Native systemd (simple) and /etc/sysconfig/unbound support -- Run unbound-checkconf in PreExec -- Moved trust anchor related files to unbound-libs, as they can - be used without the daemon. -- sub packages now depends on base package of same arch -- Build munin package as noarch -- unbound-anchor moved to unbound-libs package. It is needed - to update the root.anchor key file. - -* Tue Sep 04 2012 Paul Wouters - 1.4.18-3 -- Fix openssl thread locking bug under high query load - -* Thu Aug 23 2012 Paul Wouters - 1.4.18-2 -- Use new systemd-rpm macros (rhbz#850351) -- Clean up old obsoleted dnssec-conf from < fedora 15 - -* Fri Aug 03 2012 Paul Wouters - 1.4.18-1 -- Updated to 1.4.18 (FIPS related fixes mostly) -- Removed patches that were merged in upstream -- Added comment to root.key - -* Mon Jul 23 2012 Paul Wouters - 1.4.17-5 -- Fix for unbound crasher (upstream bug #452) -- Support libunbound functions in man pages and place in -devel - -* Sun Jul 22 2012 Fedora Release Engineering - 1.4.17-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild - -* Tue Jul 03 2012 Paul Wouters - 1.4.17-3 -- unbound FIPS patches for MD5,randomness (rhbz#835106) - -* Fri Jun 15 2012 Adam Tkac - 1.4.17-2 -- don't build unbound-munin on RHEL - -* Thu May 24 2012 Paul Wouters - 1.4.17-1 -- Updated to 1.4.17 (which mostly brings in patches we already - applied from svn trunk) - -* Wed Feb 29 2012 Paul Wouters - 1.4.16-3 -- Since the daemon links to the libs staticly, add Requires: - (this is rhbz#745288) -- Package up streamtcp as unbound-streamtcp (for monitoring) - -* Mon Feb 27 2012 Paul Wouters - 1.4.16-2 -- Don't ghost the directory (rhbz#788805) -- Patch for unbound to support unbound-control forward_zone - (needed for openswan in XAUTH mode) - -* Thu Feb 02 2012 Paul Wouters - 1.4.16-1 -- Upgraded to 1.4.16, which was relesed due to the soname - and some DNSSEC validation failures - -* Wed Feb 01 2012 Paul Wouters - 1.4.15-2 -- Patch for SONAME version (libtool's -version-number vs -version-info) - -* Fri Jan 27 2012 Paul Wouters - 1.4.15-1 -- Upgraded to 1.4.15 -- Updated unbound.conf to show how to configure listening on tls443 - -* Sat Jan 14 2012 Fedora Release Engineering - 1.4.14-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild - -* Mon Dec 19 2011 Paul Wouters - 1.4.14-1 -- Upgraded to 1.4.14 for CVE-2011-4528 / VU#209659 -- SSL-wrapped query support for dnssec-trigger -- EDNS handling changes -- Removed integrated EDNS patches -- Disabled use-caps-for-id, GoDaddy domains now break on it -- Enabled new harden-below-nxdomain - -* Thu Sep 15 2011 Paul Wouters - 1.4.13-1 -- Upgraded to 1.4.13 -- Removed merged in pythonmod patch -- Added EDNS1480 patch to fix unbound on broken EDNS/UDP networks -- Fix python to go into sitearch instead of sitelib - -* Wed Sep 14 2011 Tom Callaway - 1.4.12-4 -- convert to systemd, tmpfiles.d - -* Mon Aug 08 2011 Paul Wouters - 1.4.12-3 -- Added pythonmod docs and examples - -* Mon Aug 08 2011 Paul Wouters - 1.4.12-2 -- Fix for python module load in the server (Tom Hendrikx) -- No longer enable --enable-debug as it causes degraded performance - under load. - -* Mon Jul 18 2011 Paul Wouters - 1.4.12-1 -- Updated to 1.4.12 - -* Sun Jul 03 2011 Paul Wouters - 1.4.11-1 -- Updated to 1.4.11 -- removed integrated CVE patch -- updated stock unbound.conf for new options introduced - -* Mon Jun 06 2011 Paul Wouters - 1.4.10-1 -- Added ghost for /var/run/unbound (bz#656710) - -* Mon Jun 06 2011 Paul Wouters - 1.4.9-3 -- rebuilt - -* Wed May 25 2011 Paul Wouters - 1.4.9-2 -- Applied patch for CVE-2011-1922 DoS vulnerability - -* Sun Mar 27 2011 Paul Wouters - 1.4.9-1 -- Updated to 1.4.9 - -* Sat Feb 12 2011 Paul Wouters - 1.4.8-2 -- rebuilt - -* Tue Jan 25 2011 Paul Wouters - 1.4.8-1 -- Updated to 1.4.8 -- Enable root key for DNSSEC -- Fix unbound-munin to use proper file (could cause excessive logging) -- Build unbound-python per default -- Disable gost as Fedora/EPEL does not allow ECC and has mangled openssl - -* Tue Oct 26 2010 Paul Wouters - 1.4.5-4 -- Revert last build - it was on the wrong branch - -* Tue Oct 26 2010 Paul Wouters - 1.4.5-3 -- Disable do-ipv6 per default - causes severe degradation on non-ipv6 machines - (see comments in inbound.conf) - -* Tue Jun 15 2010 Paul Wouters - 1.4.5-2 -- Bump release - forgot to upload the new tar ball. - -* Tue Jun 15 2010 Paul Wouters - 1.4.5-1 -- Upgraded to 1.4.5 - -* Mon May 31 2010 Paul Wouters - 1.4.4-2 -- Added accidentally omitted svn patches to cvs - -* Mon May 31 2010 Paul Wouters - 1.4.4-1 -- Upgraded to 1.4.4 with svn patches -- Obsolete dnssec-conf to ensure it is de-installed - -* Thu Mar 11 2010 Paul Wouters - 1.4.3-1 -- Update to 1.4.3 that fixes 64bit crasher - -* Tue Mar 09 2010 Paul Wouters - 1.4.2-1 -- Updated to 1.4.2 -- Updated unbound.conf with new options -- Enabled pre-fetching DNSKEY records (DNSSEC speedup) -- Enabled re-fetching popular records before they expire -- Enabled logging of DNSSEC validation errors - -* Mon Mar 01 2010 Paul Wouters - 1.4.1-5 -- Overriding -D_GNU_SOURCE is no longer needed. This fixes DSO issues - with pthreads - -* Wed Feb 24 2010 Paul Wouters - 1.4.1-3 -- Change make/configure lines to attempt to fix -lphtread linking issue - -* Thu Feb 18 2010 Paul Wouters - 1.4.1-2 -- Removed dependancy for dnssec-conf -- Added ISC DLV key (formerly in dnssec-conf) -- Fixup old DLV locations in unbound.conf file via %%post -- Fix parent child disagreement handling and no-ipv6 present [svn r1953] - -* Tue Jan 05 2010 Paul Wouters - 1.4.1-1 -- Updated to 1.4.1 -- Changed %%define to %%global - -* Thu Oct 08 2009 Paul Wouters - 1.3.4-2 -- Bump version - -* Thu Oct 08 2009 Paul Wouters - 1.3.4-1 -- Upgraded to 1.3.4. Security fix with validating NSEC3 records - -* Fri Aug 21 2009 Tomas Mraz - 1.3.3-2 -- rebuilt with new openssl - -* Mon Aug 17 2009 Paul Wouters - 1.3.3-1 -- Updated to 1.3.3 - -* Sun Jul 26 2009 Fedora Release Engineering - 1.3.0-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild - -* Sat Jun 20 2009 Paul Wouters - 1.3.0-2 -- Added missing glob patch to cvs -- Place python macros within the %%with_python check - -* Sat Jun 20 2009 Paul Wouters - 1.3.0-1 -- Updated to 1.3.0 -- Added unbound-python sub package. disabled for now -- Patch from svn to fix DLV lookups -- Patches from svn to detect wrong truncated response from BIND 9.6.1 with - minimal-responses) -- Added Default-Start and Default-Stop to unbound.init -- Re-enabled --enable-sha2 -- Re-enabled glob.patch - -* Wed May 20 2009 Paul Wouters - 1.2.1-7 -- unbound-iterator.patch was not commited - -* Wed May 20 2009 Paul Wouters - 1.2.1-6 -- Fix for https://bugzilla.redhat.com/show_bug.cgi?id=499793 - -* Tue Mar 17 2009 Paul Wouters - 1.2.1-5 -- Use --nocheck to avoid giving an error on missing unbound-remote certs/keys - -* Tue Mar 10 2009 Adam Tkac - 1.2.1-4 -- enable DNSSEC only if it is enabled in sysconfig/dnssec - -* Mon Mar 09 2009 Adam Tkac - 1.2.1-3 -- add DNSSEC support to initscript and enabled it per default -- add requires dnssec-conf - -* Wed Feb 25 2009 Fedora Release Engineering - 1.2.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild - -* Tue Feb 10 2009 Paul Wouters - 1.2.0-2 -- rebuild with new openssl - -* Wed Jan 14 2009 Paul Wouters - 1.1.1-7 -- Modified scandir patch to silently fail when wildcard matches nothing -- Patch to allow unbound-checkconf to find empty wildcard matches - -* Mon Jan 5 2009 Paul Wouters - 1.1.1-6 -- Added scandir patch for trusted-keys-file: option, which - is used to load multiple dnssec keys in bind file format - -* Mon Dec 8 2008 Paul Wouters - 1.1.1-4 -- Added Requires: for selinux-policy >= 3.5.13-33 for proper SElinux rules. - -* Mon Dec 1 2008 Paul Wouters - 1.1.1-3 -- We did not own the /etc/unbound directory (#474020) -- Fixed cvs anomalies - -* Fri Nov 28 2008 Adam Tkac - 1.1.1-2 -- removed all obsolete chroot related stuff -- label control certs after generation correctly - -* Thu Nov 20 2008 Paul Wouters - 1.1.1-1 -- Updated to unbound 1.1.1 which fixes a crasher and - addresses nlnetlabs bug #219 - -* Wed Nov 19 2008 Paul Wouters - 1.1.0-3 -- Remove the chroot, obsoleted by SElinux -- Add additional munin plugin links supported by unbound plugin -- Move configuration directory from /var/lib/unbound to /etc/unbound -- Modified unbound.init and unbound.conf to account for chroot changes -- Updated unbound.conf with new available options -- Enabled dns-0x20 protection per default - -* Wed Nov 19 2008 Adam Tkac - 1.1.0-2 -- unbound-1.1.0-log_open.patch - - make sure log is opened before chroot call - - tracked as http://www.nlnetlabs.nl/bugs/show_bug.cgi?id=219 -- removed /dev/log and /var/run/unbound and /etc/resolv.conf from - chroot, not needed -- don't mount files in chroot, it causes problems during updates -- fixed typo in default config file - -* Fri Nov 14 2008 Paul Wouters - 1.1.0-1 -- Updated to version 1.1.0 -- Updated unbound.conf's statistics options and remote-control - to work properly for munin -- Added unbound-munin package -- Generate unbound remote-control key/certs on first startup -- Required ldns is now 1.4.0 - -* Wed Oct 22 2008 Paul Wouters - 1.0.2-5 -- Only call ldconfig in -libs package -- Move configure into build section -- devel subpackage should only depend on libs subpackage - -* Tue Oct 21 2008 Paul Wouters - 1.0.2-4 -- Fix CFLAGS getting lost in build -- Don't enable interface-automatic:yes because that - causes unbound to listen on 0.0.0.0 instead of 127.0.0.1 - -* Sun Oct 19 2008 Paul Wouters - 1.0.2-3 -- Split off unbound-libs, make build verbose - -* Thu Oct 9 2008 Paul Wouters - 1.0.2-2 -- FSB compliance, chroot fixes, initscript fixes - -* Thu Sep 11 2008 Paul Wouters - 1.0.2-1 -- Upgraded to 1.0.2 - -* Wed Jul 16 2008 Paul Wouters - 1.0.1-1 -- upgraded to new release - -* Wed May 21 2008 Paul Wouters - 1.0.0-2 -- Build against ldns-1.3.0 - -* Wed May 21 2008 Paul Wouters - 1.0.0-1 -- Split of -devel package, fixed dependancies, make rpmlint happy - -* Fri Apr 25 2008 Wouter Wijngaards - 0.12 -- Using parts from ports collection entry by Jaap Akkerhuis. -- Using Fedoraproject wiki guidelines. - -* Wed Apr 23 2008 Wouter Wijngaards - 0.11 -- Initial version. +%autochangelog