+* Tue May 21 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-9
- Use /var/lib/unbound/root.anchor (more consistent with other distros) - Enable round-robin (with noths() patch) - Enable minimal responses
parent
463a11e746
commit
259a0ee4dc
@ -323,11 +323,11 @@ server:
|
||||
prefetch-key: yes
|
||||
|
||||
# if yes, Unbound rotates RRSet order in response.
|
||||
# rrset-roundrobin: no
|
||||
rrset-roundrobin: yes
|
||||
|
||||
# if yes, Unbound doesn't insert authority/additional sections
|
||||
# into response messages when those sections are not required.
|
||||
# minimal-responses: no
|
||||
minimal-responses: yes
|
||||
|
||||
# module configuration of the server. A string with identifiers
|
||||
# separated by spaces. "iterator" or "validator iterator"
|
||||
@ -362,7 +362,7 @@ server:
|
||||
#
|
||||
# trusted-keys-file: /etc/unbound/rootkey.bind
|
||||
trusted-keys-file: /etc/unbound/keys.d/*.key
|
||||
auto-trust-anchor-file: "/var/lib/unbound/root.key"
|
||||
auto-trust-anchor-file: "/var/lib/unbound/root.anchor"
|
||||
|
||||
# Ignore chain of trust. Domain is treated as insecure.
|
||||
# domain-insecure: "example.com"
|
||||
|
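Review bot: Installs that kept a locally modified unbound.conf will still read `auto-trust-anchor-file: "/var/lib/unbound/root.key"`, but after this change nothing appears to ship or refresh that file. The cron entry, the unit's ExecStartPre and the `%post libs` scriptlet all now pass `-a .../root.anchor`, and the unbound.spec hunks appear to drop both the `install ... %{_sharedstatedir}/unbound/root.key` line and its `%files` entry. The spec comment above that install line ("we keep a copy of the root key in old location") still describes a fallback for this case, so it looks stale. How rpm treats the de-listed `%config(noreplace)` file on upgrade is not visible here, but a missing or stale DNSSEC root anchor can show up as validation or startup failure. Consider keeping `root.key` packaged at the old path for a transition release, or update the comment and document the required unbound.conf change.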
@ -1,3 +1,3 @@
|
||||
# Look to see if the DNSSEC Root key got rolled, if so check trust and update
|
||||
|
||||
10 3 1 * * unbound /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
|
||||
10 3 1 * * unbound /usr/sbin/unbound-anchor -a /var/lib/unbound/root.anchor -c /etc/unbound/icannbundle.pem
|
||||
|
@ -9,7 +9,7 @@ Wants=nss-lookup.target
|
||||
[Service]
|
||||
Type=simple
|
||||
EnvironmentFile=-/etc/sysconfig/unbound
|
||||
ExecStartPre=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
|
||||
ExecStartPre=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.anchor -c /etc/unbound/icannbundle.pem
|
||||
ExecStartPre=/usr/sbin/unbound-checkconf
|
||||
ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
|
||||
|
||||
|
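Review bot: The `ExecStartPre=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.anchor ...` line has no `User=` in the visible part of `[Service]`, so it presumably runs as root. The cron entry and the `%post libs` scriptlet run the same command as `unbound`, and the spec ships the file as `%attr(0644,unbound,unbound)`. If this step ever (re)creates the anchor, it may end up root-owned, and the daemon could then be unable to rewrite its trust anchor during a key rollover. Consider running it the way the scriptlet does, e.g. `ExecStartPre=/usr/sbin/runuser --shell /bin/sh --command="/usr/sbin/unbound-anchor -a /var/lib/unbound/root.anchor -c /etc/unbound/icannbundle.pem" unbound`, and decide whether a non-zero exit from unbound-anchor should block startup. The unit continues outside the hunk, so confirm that no `User=` is set there.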
18
unbound.spec
18
unbound.spec
@ -11,7 +11,7 @@
|
||||
Summary: Validating, recursive, and caching DNS(SEC) resolver
|
||||
Name: unbound
|
||||
Version: 1.4.20
|
||||
Release: 8%{?dist}
|
||||
Release: 9%{?dist}
|
||||
License: BSD
|
||||
Url: http://www.nlnetlabs.nl/unbound/
|
||||
Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
|
||||
@ -118,7 +118,7 @@ export CXXFLAGS="$RPM_OPT_FLAGS -fPIE -pie"
|
||||
--with-pythonmodule --with-pyunbound \
|
||||
%endif
|
||||
--enable-sha2 --disable-gost --disable-ecdsa \
|
||||
--with-rootkey-file=%{_sharedstatedir}/unbound/root.key
|
||||
--with-rootkey-file=%{_sharedstatedir}/unbound/root.anchor
|
||||
|
||||
%{__make} %{?_smp_mflags}
|
||||
%{__make} %{?_smp_mflags} streamtcp
|
||||
@ -155,7 +155,7 @@ install -m 0644 %{SOURCE8} %{buildroot}%{_sysconfdir}/tmpfiles.d/unbound.conf
|
||||
# install root and DLV key - we keep a copy of the root key in old location,
|
||||
# in case user has changed the configuration and we wouldn't update it there
|
||||
install -m 0644 %{SOURCE5} %{SOURCE6} %{SOURCE13} %{buildroot}%{_sysconfdir}/unbound/
|
||||
install -m 0644 %{SOURCE13} %{buildroot}%{_sharedstatedir}/unbound/root.key
|
||||
install -m 0644 %{SOURCE13} %{buildroot}%{_sharedstatedir}/unbound/
|
||||
|
||||
# remove static library from install (fedora packaging guidelines)
|
||||
rm %{buildroot}%{_libdir}/*.la
|
||||
@ -232,11 +232,10 @@ echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control
|
||||
%{_sysconfdir}/%{name}/icannbundle.pem
|
||||
%attr(0644,root,root) %{_sysconfdir}/cron.d/unbound-anchor
|
||||
%dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
|
||||
%attr(0644,unbound,unbound) %config(noreplace) %{_sharedstatedir}/%{name}/root.key
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key
|
||||
%attr(0644,unbound,unbound) %config(noreplace) %{_sharedstatedir}/%{name}/root.anchor
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
|
||||
# just left for backwards compat with user changed unbound.conf files - format is different!
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.anchor
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key
|
||||
%doc doc/README doc/LICENSE
|
||||
|
||||
%pre libs
|
||||
@ -253,7 +252,7 @@ exit 0
|
||||
|
||||
%post libs
|
||||
/sbin/ldconfig
|
||||
%{_sbindir}/runuser --command="%{_sbindir}/unbound-anchor -a %{_sharedstatedir}/unbound/root.key -c %{_sysconfdir}/unbound/icannbundle.pem" --shell /bin/sh unbound ||:
|
||||
%{_sbindir}/runuser --command="%{_sbindir}/unbound-anchor -a %{_sharedstatedir}/unbound/root.anchor -c %{_sysconfdir}/unbound/icannbundle.pem" --shell /bin/sh unbound ||:
|
||||
|
||||
%preun
|
||||
%systemd_preun unbound.service
|
||||
@ -279,6 +278,11 @@ exit 0
|
||||
/bin/systemctl try-restart unbound-keygen.service >/dev/null 2>&1 || :
|
||||
|
||||
%changelog
|
||||
* Tue May 21 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-9
|
||||
- Use /var/lib/unbound/root.anchor (more consistent with other distros)
|
||||
- Enable round-robin (with noths() patch)
|
||||
- Enable minimal responses
|
||||
|
||||
* Mon Apr 22 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-8
|
||||
- Refix
|
||||
|
||||
|