diff --git a/.cvsignore b/.cvsignore
index 7e4f350..335f187 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -7,3 +7,4 @@ unbound-1.3.1.tar.gz
 unbound-1.3.3.tar.gz
 unbound-1.3.4.tar.gz
 unbound-1.4.1.tar.gz
+unbound-1.4.2.tar.gz
diff --git a/sources b/sources
index 627518a..4dd41bf 100644
--- a/sources
+++ b/sources
@@ -1 +1,2 @@
 1e03ef9618e4bca02005bd99bc6af75c unbound-1.4.1.tar.gz
+9d9ff135b5ff2003c55c089cfe34e3e6 unbound-1.4.2.tar.gz
diff --git a/unbound.conf b/unbound.conf
index 6109f5b..2f32c73 100644
--- a/unbound.conf
+++ b/unbound.conf
@@ -78,7 +78,15 @@ server:
 
 	# number of incoming simultaneous tcp buffers to hold per thread.
 	# incoming-num-tcp: 10
-	
+
+	# buffer size for UDP port 53 incoming (SO_RCVBUF socket option).
+	# 0 is system default. Use 4m to catch query spikes for busy servers.
+	# so-rcvbuf: 0
+
+	# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
+	# is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
+	# edns-buffer-size: 4096
+
 	# buffer size for handling DNS data. No messages larger than this
 	# size can be sent or received, by UDP or TCP. In bytes.
 	# msg-buffer-size: 65552
@@ -106,7 +114,11 @@ server:
 	# the number of slabs must be a power of 2.
 	# more slabs reduce lock contention, but fragment memory usage.
 	# rrset-cache-slabs: 4
-	
+
+	# the time to live (TTL) value lower bound, in seconds. Default 0.
+	# If more than an hour could easily give trouble due to stale data.
+	# cache-min-ttl: 0
+
 	# the time to live (TTL) value cap for RRsets and messages in the
 	# cache. Items are not cached for longer. In seconds.
 	# cache-max-ttl: 86400
@@ -199,6 +211,9 @@ server:
 	# log to, with identity "unbound". If yes, it overrides the logfile.
 	# use-syslog: yes
 
+	# print UTC timestamp in ascii to logfile, default is epoch in seconds.
+	log-time-ascii: yes
+
 	# the pid file. Can be an absolute path outside of chroot/work dir.
 	pidfile: "/var/run/unbound/unbound.pid"
 
@@ -284,7 +299,13 @@ server:
 	# if yes, the above default do-not-query-address entries are present.
 	# if no, localhost can be queried (for testing and debugging).
 	# do-not-query-localhost: yes
-	
+
+	# if yes, perform prefetching of almost expired message cache entries.
+	prefetch: yes
+
+	# if yes, perform key lookups adjacent to normal lookups.
+	prefetch-key: yes
+
 	# module configuration of the server. A string with identifiers
 	# separated by spaces. "iterator" or "validator iterator"
 	# module-config: "validator iterator"
@@ -299,6 +320,11 @@ server:
 	# Zone file format, with DS and DNSKEY entries.
 	# trust-anchor-file: ""
 
+	# File with trusted keys, kept uptodate using RFC5011 probes,
+	# initial file like trust-anchor-file, then it stores metadata.
+	# Use several entries, one per domain name, to track multiple zones.
+	# auto-trust-anchor-file: ""
+
 	# Trusted key for validation. DS or DNSKEY. specify the RR on a
 	# single line, surrounded by "". TTL is ignored. class is IN default.
 	# (These examples are from August 2007 and may not be valid anymore).
@@ -310,7 +336,10 @@ server:
 	# but has a different file format. Format is BIND-9 style format,
 	# the trusted-keys { name flag proto algo "key"; }; clauses are read.
 	# trusted-keys-file: ""
-	
+
+	# Ignore chain of trust. Domain is treated as insecure.
+	# domain-insecure: "example.com"
+
 	# Override the date for validation with a specific fixed date.
 	# Do not set this unless you are debugging signature inception
 	# and expiration. "" or "0" turns the feature off.
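Review bot: The comment added above `prefetch: yes` does not say that this is a change from the upstream default or what it costs, which matters when the file is the distribution-wide default; as far as I recall, unbound.conf(5) documents both `prefetch` and `prefetch-key` as defaulting to no, with prefetch adding a modest amount of upstream query traffic and load in exchange for popular records not expiring from the cache. An administrator inheriting this file cannot tell from the text that the packager turned it on deliberately. Suggest following the existing comment with `# Enabled here (upstream default is no); expect somewhat more upstream traffic.` and a similar `# Enabled here (upstream default is no).` line above `prefetch-key: yes`.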
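Review bot: The new `auto-trust-anchor-file` comment describes the file as "initial file like trust-anchor-file, then it stores metadata" but never states the operational consequence: unlike `trust-anchor-file`, this path is rewritten by the daemon as RFC 5011 probes update it, so it has to be writable by the unbound user and reachable inside the chroot/work dir this config refers to elsewhere (the `pidfile:` comment in the earlier hunk mentions the chroot). Someone uncommenting the example with a path under a read-only configuration directory would get an anchor that validates today but can never roll over. Suggest adding `# unbound rewrites this file on updates: it must be writable by the daemon user inside the chroot.` after the existing lines.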
@@ -319,7 +348,13 @@ server:
 	# The time to live for bogus data, rrsets and messages. This avoids
 	# some of the revalidation, until the time interval expires. in secs.
 	# val-bogus-ttl: 60
-	
+
+	# The signature inception and expiration dates are allowed to be off
+	# by 10% of the lifetime of the signature from our local clock.
+	# This leeway is capped with a minimum and a maximum. In seconds.
+	# val-sig-skew-min: 3600
+	# val-sig-skew-max: 86400
+
 	# Should additional section of secure message also be kept clean of
 	# unsecure data. Useful to shield the users of this validator from
 	# potential bogus data in the additional section. All unsigned data
@@ -333,6 +368,10 @@ server:
 	# replies if the message is found secure. The default is off.
 	# NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
 	val-permissive-mode: no
+
+	# Have the validator log failed validations for your diagnosis.
+	# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
+	val-log-level: 1
 
 	# It is possible to configure NSEC3 maximum iteration counts per
 	# keysize. Keep this table very short, as linear search is done.
@@ -340,6 +379,16 @@ server:
 	# List in ascending order the keysize and count values.
 	# val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
 
+	# instruct the auto-trust-anchor-file probing to add anchors after ttl.
+	# add-holddown: 2592000 # 30 days
+
+	# instruct the auto-trust-anchor-file probing to del anchors after ttl.
+	# del-holddown: 2592000 # 30 days
+
+	# auto-trust-anchor-file probing removes missing anchors after ttl.
+	# If the value 0 is given, missing anchors are not removed.
+	# keep-missing: 31622400 # 366 days
+
 	# the amount of memory to use for the key cache.
 	# plain value in bytes or you can append k, m or G. default is "4Mb".
 	# key-cache-size: 4m
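Review bot: `val-log-level: 1` is one of the few new options in this change that is enabled rather than left as a commented example, and the added comment does not say that "a line per failed user query" means log volume is driven by whatever clients ask for, not by the operator; with `use-syslog: yes` elsewhere in this file those lines go straight to the system log. That is a defensible diagnostic default, but it should be stated so an administrator on a busy resolver knows where the extra syslog traffic comes from and can drop it to 0 or move to a dedicated logfile. Suggest adding `# Enabled here so DNSSEC failures are visible in syslog; volume scales with failing client queries.` below the existing two comment lines. The `val-permissive-mode: no` context line directly above is unchanged and should stay so, since the new logging is only useful while validation is actually enforced.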
@@ -359,7 +408,7 @@ server:
 	# o deny serves local data (if any), else, drops queries.
 	# o refuse serves local data (if any), else, replies with error.
 	# o static serves local data, else, nxdomain or nodata answer.
-	# o transparent serves local data, else, resolves normally .
+	# o transparent serves local data, but resolves normally for other names
 	# o redirect serves the zone data for any subdomain in the zone.
 	# o nodefault can be used to normally resolve AS112 zones.
 	#
@@ -388,6 +437,15 @@ server:
 	# you need to do the reverse notation yourself.
 	# local-data-ptr: "192.0.2.3 www.example.com"
 
+## Python config section. To enable:
+## o use --with-pythonmodule to configure before compiling.
+## o list python in the module-config string (above) to enable.
+## o and give a python-script to run.
+#python:
+#	# Script file to load
+#	# python-script: "/etc/unbound/ubmodule-tst.py"
+
+
 # Remote control config section.
 remote-control:
 	# Enable remote control with unbound-control(8) here.
diff --git a/unbound.spec b/unbound.spec
index 1a36905..94ee8f6 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -8,8 +8,8 @@
 
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.4.1
-Release: 5%{?dist}
+Version: 1.4.2
+Release: 1%{?dist}
 License: BSD
 Url: http://www.nlnetlabs.nl/unbound/
 Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
@@ -192,6 +192,13 @@ fi
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Tue Mar 09 2010 Paul Wouters - 1.4.2-1
+- Updated to 1.4.2
+- Updated unbound.conf with new options
+- Enabled pre-fetching DNSKEY records (DNSSEC speedup)
+- Enabled re-fetching popular records before they expire
+- Enabled logging of DNSSEC validation errors
+
 * Mon Mar 01 2010 Paul Wouters - 1.4.1-5
 - Overriding -D_GNU_SOURCE is no longer needed. This fixes DSO issues with pthreads