+* Tue May 21 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-9

- Use /var/lib/unbound/root.anchor (more consistent with other distros)
- Enable round-robin (with noths() patch)
- Enable minimal responses
Paul Wouters 2013-05-24 16:42:52 -04:00
parent 463a11e746
commit 259a0ee4dc
4 changed files with 16 additions and 12 deletions


@ -323,11 +323,11 @@ server:
prefetch-key: yes
# if yes, Unbound rotates RRSet order in response.
# rrset-roundrobin: no
rrset-roundrobin: yes
# if yes, Unbound doesn't insert authority/additional sections
# into response messages when those sections are not required.
# minimal-responses: no
minimal-responses: yes
# module configuration of the server. A string with identifiers
# separated by spaces. "iterator" or "validator iterator"
@ -362,7 +362,7 @@ server:
#
# trusted-keys-file: /etc/unbound/rootkey.bind
trusted-keys-file: /etc/unbound/keys.d/*.key
auto-trust-anchor-file: "/var/lib/unbound/root.key"
auto-trust-anchor-file: "/var/lib/unbound/root.anchor"
# Ignore chain of trust. Domain is treated as insecure.
# domain-insecure: "example.com"
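Review bot: The new `auto-trust-anchor-file: "/var/lib/unbound/root.anchor"` line only reaches hosts that take this shipped unbound.conf. A host that keeps a locally edited unbound.conf will presumably go on pointing at `/var/lib/unbound/root.key`, which the cron job, unit file and spec on this page no longer refresh. That file is the DNSSEC root trust anchor, so a stale or missing copy affects validation, and the coupling deserves a comment above the option, for example `# Refreshed by unbound-anchor from the cron job and unbound.service; keep this path in sync with both.` The `server:` block starts and ends outside both hunks, so other anchor-related options could not be checked.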


@ -1,3 +1,3 @@
# Look to see if the DNSSEC Root key got rolled, if so check trust and update
10 3 1 * * unbound /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
10 3 1 * * unbound /usr/sbin/unbound-anchor -a /var/lib/unbound/root.anchor -c /etc/unbound/icannbundle.pem


@ -9,7 +9,7 @@ Wants=nss-lookup.target
[Service]
Type=simple
EnvironmentFile=-/etc/sysconfig/unbound
ExecStartPre=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
ExecStartPre=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.anchor -c /etc/unbound/icannbundle.pem
ExecStartPre=/usr/sbin/unbound-checkconf
ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
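Review bot: The rewritten `ExecStartPre=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.anchor ...` line has no `-` prefix, so any non-zero exit from unbound-anchor prevents unbound from starting. As far as the unbound-anchor manual describes it, exit value 1 is returned when the anchor was refreshed through the certificate bundle or the built-in anchor was used, which is a success case for this unit. `ExecStartPre=-/usr/sbin/unbound-anchor -a /var/lib/unbound/root.anchor -c /etc/unbound/icannbundle.pem` would leave the start decision to unbound-checkconf and the daemon. The [Service] block continues outside the hunk and no `User=` is visible, so it is worth confirming that this step does not run as root while cron and %post write the same file as unbound.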


@ -11,7 +11,7 @@
Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound
Version: 1.4.20
Release: 8%{?dist}
Release: 9%{?dist}
License: BSD
Url: http://www.nlnetlabs.nl/unbound/
Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
@ -118,7 +118,7 @@ export CXXFLAGS="$RPM_OPT_FLAGS -fPIE -pie"
--with-pythonmodule --with-pyunbound \
%endif
--enable-sha2 --disable-gost --disable-ecdsa \
--with-rootkey-file=%{_sharedstatedir}/unbound/root.key
--with-rootkey-file=%{_sharedstatedir}/unbound/root.anchor
%{__make} %{?_smp_mflags}
%{__make} %{?_smp_mflags} streamtcp
@ -155,7 +155,7 @@ install -m 0644 %{SOURCE8} %{buildroot}%{_sysconfdir}/tmpfiles.d/unbound.conf
# install root and DLV key - we keep a copy of the root key in old location,
# in case user has changed the configuration and we wouldn't update it there
install -m 0644 %{SOURCE5} %{SOURCE6} %{SOURCE13} %{buildroot}%{_sysconfdir}/unbound/
install -m 0644 %{SOURCE13} %{buildroot}%{_sharedstatedir}/unbound/root.key
install -m 0644 %{SOURCE13} %{buildroot}%{_sharedstatedir}/unbound/
# remove static library from install (fedora packaging guidelines)
rm %{buildroot}%{_libdir}/*.la
@ -232,11 +232,10 @@ echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control
%{_sysconfdir}/%{name}/icannbundle.pem
%attr(0644,root,root) %{_sysconfdir}/cron.d/unbound-anchor
%dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
%attr(0644,unbound,unbound) %config(noreplace) %{_sharedstatedir}/%{name}/root.key
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key
%attr(0644,unbound,unbound) %config(noreplace) %{_sharedstatedir}/%{name}/root.anchor
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
# just left for backwards compat with user changed unbound.conf files - format is different!
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.anchor
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key
%doc doc/README doc/LICENSE
%pre libs
@ -253,7 +252,7 @@ exit 0
%post libs
/sbin/ldconfig
%{_sbindir}/runuser --command="%{_sbindir}/unbound-anchor -a %{_sharedstatedir}/unbound/root.key -c %{_sysconfdir}/unbound/icannbundle.pem" --shell /bin/sh unbound ||:
%{_sbindir}/runuser --command="%{_sbindir}/unbound-anchor -a %{_sharedstatedir}/unbound/root.anchor -c %{_sysconfdir}/unbound/icannbundle.pem" --shell /bin/sh unbound ||:
%preun
%systemd_preun unbound.service
@ -279,6 +278,11 @@ exit 0
/bin/systemctl try-restart unbound-keygen.service >/dev/null 2>&1 || :
%changelog
* Tue May 21 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-9
- Use /var/lib/unbound/root.anchor (more consistent with other distros)
- Enable round-robin (with noths() patch)
- Enable minimal responses
* Mon Apr 22 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-8
- Refix
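Review bot: The install line that no longer names its target, `install -m 0644 %{SOURCE13} %{buildroot}%{_sharedstatedir}/unbound/` (the new side, going by the commit message), takes the installed file name from SOURCE13's basename, while configure, %files and %post all hard-code root.anchor. Naming the destination keeps them in step: `install -m 0644 %{SOURCE13} %{buildroot}%{_sharedstatedir}/unbound/root.anchor`. The comment above it about keeping a copy "in old location" should be reworded to say which path is now the compatibility copy. Separately, %files drops `%{_sharedstatedir}/%{name}/root.key` with no visible migration step, so an upgraded host restarts trust-anchor tracking from the packaged copy. The refresh in %post ends in `||:`, so a failure there is silent; a comment in %post stating that this is deliberate would help.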