- Updated to 1.4.2
- Updated unbound.conf with new options - Enabled pre-fetching DNSKEY records (DNSSEC speedup) - Enabled re-fetching popular records before they expire - Enabled logging of DNSSEC validation errors
parent
cd8741f710
commit
243e7f46b8
@ -7,3 +7,4 @@ unbound-1.3.1.tar.gz
|
||||
unbound-1.3.3.tar.gz
|
||||
unbound-1.3.4.tar.gz
|
||||
unbound-1.4.1.tar.gz
|
||||
unbound-1.4.2.tar.gz
|
||||
|
1
sources
1
sources
@ -1 +1,2 @@
|
||||
1e03ef9618e4bca02005bd99bc6af75c unbound-1.4.1.tar.gz
|
||||
9d9ff135b5ff2003c55c089cfe34e3e6 unbound-1.4.2.tar.gz
|
||||
|
60
unbound.conf
60
unbound.conf
@ -79,6 +79,14 @@ server:
|
||||
# number of incoming simultaneous tcp buffers to hold per thread.
|
||||
# incoming-num-tcp: 10
|
||||
|
||||
# buffer size for UDP port 53 incoming (SO_RCVBUF socket option).
|
||||
# 0 is system default. Use 4m to catch query spikes for busy servers.
|
||||
# so-rcvbuf: 0
|
||||
|
||||
# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
|
||||
# is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
|
||||
# edns-buffer-size: 4096
|
||||
|
||||
# buffer size for handling DNS data. No messages larger than this
|
||||
# size can be sent or received, by UDP or TCP. In bytes.
|
||||
# msg-buffer-size: 65552
|
||||
@ -107,6 +115,10 @@ server:
|
||||
# more slabs reduce lock contention, but fragment memory usage.
|
||||
# rrset-cache-slabs: 4
|
||||
|
||||
# the time to live (TTL) value lower bound, in seconds. Default 0.
|
||||
# If more than an hour could easily give trouble due to stale data.
|
||||
# cache-min-ttl: 0
|
||||
|
||||
# the time to live (TTL) value cap for RRsets and messages in the
|
||||
# cache. Items are not cached for longer. In seconds.
|
||||
# cache-max-ttl: 86400
|
||||
@ -199,6 +211,9 @@ server:
|
||||
# log to, with identity "unbound". If yes, it overrides the logfile.
|
||||
# use-syslog: yes
|
||||
|
||||
# print UTC timestamp in ascii to logfile, default is epoch in seconds.
|
||||
log-time-ascii: yes
|
||||
|
||||
# the pid file. Can be an absolute path outside of chroot/work dir.
|
||||
pidfile: "/var/run/unbound/unbound.pid"
|
||||
|
||||
@ -285,6 +300,12 @@ server:
|
||||
# if no, localhost can be queried (for testing and debugging).
|
||||
# do-not-query-localhost: yes
|
||||
|
||||
# if yes, perform prefetching of almost expired message cache entries.
|
||||
prefetch: yes
|
||||
|
||||
# if yes, perform key lookups adjacent to normal lookups.
|
||||
prefetch-key: yes
|
||||
|
||||
# module configuration of the server. A string with identifiers
|
||||
# separated by spaces. "iterator" or "validator iterator"
|
||||
# module-config: "validator iterator"
|
||||
@ -299,6 +320,11 @@ server:
|
||||
# Zone file format, with DS and DNSKEY entries.
|
||||
# trust-anchor-file: ""
|
||||
|
||||
# File with trusted keys, kept uptodate using RFC5011 probes,
|
||||
# initial file like trust-anchor-file, then it stores metadata.
|
||||
# Use several entries, one per domain name, to track multiple zones.
|
||||
# auto-trust-anchor-file: ""
|
||||
|
||||
# Trusted key for validation. DS or DNSKEY. specify the RR on a
|
||||
# single line, surrounded by "". TTL is ignored. class is IN default.
|
||||
# (These examples are from August 2007 and may not be valid anymore).
|
||||
@ -311,6 +337,9 @@ server:
|
||||
# the trusted-keys { name flag proto algo "key"; }; clauses are read.
|
||||
# trusted-keys-file: ""
|
||||
|
||||
# Ignore chain of trust. Domain is treated as insecure.
|
||||
# domain-insecure: "example.com"
|
||||
|
||||
# Override the date for validation with a specific fixed date.
|
||||
# Do not set this unless you are debugging signature inception
|
||||
# and expiration. "" or "0" turns the feature off.
|
||||
@ -320,6 +349,12 @@ server:
|
||||
# some of the revalidation, until the time interval expires. in secs.
|
||||
# val-bogus-ttl: 60
|
||||
|
||||
# The signature inception and expiration dates are allowed to be off
|
||||
# by 10% of the lifetime of the signature from our local clock.
|
||||
# This leeway is capped with a minimum and a maximum. In seconds.
|
||||
# val-sig-skew-min: 3600
|
||||
# val-sig-skew-max: 86400
|
||||
|
||||
# Should additional section of secure message also be kept clean of
|
||||
# unsecure data. Useful to shield the users of this validator from
|
||||
# potential bogus data in the additional section. All unsigned data
|
||||
@ -334,12 +369,26 @@ server:
|
||||
# NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
|
||||
val-permissive-mode: no
|
||||
|
||||
# Have the validator log failed validations for your diagnosis.
|
||||
# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
|
||||
val-log-level: 1
|
||||
|
||||
# It is possible to configure NSEC3 maximum iteration counts per
|
||||
# keysize. Keep this table very short, as linear search is done.
|
||||
# A message with an NSEC3 with larger count is marked insecure.
|
||||
# List in ascending order the keysize and count values.
|
||||
# val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
|
||||
|
||||
# instruct the auto-trust-anchor-file probing to add anchors after ttl.
|
||||
# add-holddown: 2592000 # 30 days
|
||||
|
||||
# instruct the auto-trust-anchor-file probing to del anchors after ttl.
|
||||
# del-holddown: 2592000 # 30 days
|
||||
|
||||
# auto-trust-anchor-file probing removes missing anchors after ttl.
|
||||
# If the value 0 is given, missing anchors are not removed.
|
||||
# keep-missing: 31622400 # 366 days
|
||||
|
||||
# the amount of memory to use for the key cache.
|
||||
# plain value in bytes or you can append k, m or G. default is "4Mb".
|
||||
# key-cache-size: 4m
|
||||
@ -359,7 +408,7 @@ server:
|
||||
# o deny serves local data (if any), else, drops queries.
|
||||
# o refuse serves local data (if any), else, replies with error.
|
||||
# o static serves local data, else, nxdomain or nodata answer.
|
||||
# o transparent serves local data, else, resolves normally .
|
||||
# o transparent serves local data, but resolves normally for other names
|
||||
# o redirect serves the zone data for any subdomain in the zone.
|
||||
# o nodefault can be used to normally resolve AS112 zones.
|
||||
#
|
||||
@ -388,6 +437,15 @@ server:
|
||||
# you need to do the reverse notation yourself.
|
||||
# local-data-ptr: "192.0.2.3 www.example.com"
|
||||
|
||||
## Python config section. To enable:
|
||||
## o use --with-pythonmodule to configure before compiling.
|
||||
## o list python in the module-config string (above) to enable.
|
||||
## o and give a python-script to run.
|
||||
#python:
|
||||
# # Script file to load
|
||||
# # python-script: "/etc/unbound/ubmodule-tst.py"
|
||||
|
||||
|
||||
# Remote control config section.
|
||||
remote-control:
|
||||
# Enable remote control with unbound-control(8) here.
|
||||
|
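Review bot: `val-log-level: 1` in the validator hunk (`@ -334,12 +369,26 @`) records only that a query failed validation, while the comment directly above it says level 2 adds the reason and the bad IP. That extra detail is what an operator needs to tell a broken zone from forged answers, so consider `val-log-level: 2`. If level 1 is deliberate, document it with a comment such as `# level 1 keeps log volume low; raise to 2 when investigating bogus answers`. Separately, the trust-anchor hunk shows `trust-anchor-file` and `auto-trust-anchor-file` still commented out, so if no anchor is configured in the parts of the file not shown here, `prefetch-key: yes` and this logging have nothing to act on. The `server:` block starts and ends outside these hunks.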
11
unbound.spec
11
unbound.spec
@ -8,8 +8,8 @@
|
||||
|
||||
Summary: Validating, recursive, and caching DNS(SEC) resolver
|
||||
Name: unbound
|
||||
Version: 1.4.1
|
||||
Release: 5%{?dist}
|
||||
Version: 1.4.2
|
||||
Release: 1%{?dist}
|
||||
License: BSD
|
||||
Url: http://www.nlnetlabs.nl/unbound/
|
||||
Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
|
||||
@ -192,6 +192,13 @@ fi
|
||||
%postun libs -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Tue Mar 09 2010 Paul Wouters <paul@xelerance.com> - 1.4.2-1
|
||||
- Updated to 1.4.2
|
||||
- Updated unbound.conf with new options
|
||||
- Enabled pre-fetching DNSKEY records (DNSSEC speedup)
|
||||
- Enabled re-fetching popular records before they expire
|
||||
- Enabled logging of DNSSEC validation errors
|
||||
|
||||
* Mon Mar 01 2010 Paul Wouters <paul@xelerance.com> - 1.4.1-5
|
||||
- Overriding -D_GNU_SOURCE is no longer needed. This fixes DSO issues
|
||||
with pthreads
|
||||
|