From 2cd0b94125f7cd88cdb777a8f546f3480bbd750a Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Tue, 4 Dec 2018 13:58:11 -0500 Subject: [PATCH] * Tue Dec 04 2018 Paul Wouters - 1.8.2-1 - Updated to 1.8.2. - Enabled deny ANY query support and edns-tcp-keepalive - Set serve-stale timeout to 4h - Updated unbound.conf for latest options --- unbound.conf | 71 ++++++++++++++++++++++++++++++++++++++++++++-------- unbound.spec | 10 ++++++-- 2 files changed, 68 insertions(+), 13 deletions(-) diff --git a/unbound.conf b/unbound.conf index 2de6b64..9326b4c 100644 --- a/unbound.conf +++ b/unbound.conf @@ -165,6 +165,10 @@ server: # msec to wait before close of port on timeout UDP. 0 disables. # delay-close: 0 + # msec for waiting for an unknown server to reply. Increase if you + # are behind a slow satellite link, to eg. 1128. + # unknown-server-time-limit: 376 + # the amount of memory to use for the RRset cache. # plain value in bytes or you can append k, m or G. default is "4Mb". # rrset-cache-size: 4m @@ -234,6 +238,15 @@ server: # Default is 0, system default MSS. # outgoing-tcp-mss: 0 + # Idle TCP timeout, connection closed in milliseconds + # tcp-idle-timeout: 30000 + + # Enable EDNS TCP keepalive option. + edns-tcp-keepalive: yes + + # Timeout for EDNS TCP keepalive, in msec. + # edns-tcp-keepalive-timeout: 120000 + # Fedora note: do not activate this - can cause a crash # Use systemd socket activation for UDP, TCP, and control sockets. # use-systemd: no @@ -333,6 +346,13 @@ server: # timetoresolve, fromcache and responsesize. # log-replies: no + # log the local-zone actions, like local-zone type inform is enabled + # also for the other local zone types. + # log-local-actions: no + + # print log lines that say why queries return SERVFAIL to clients. + # log-servfail: no + # the pid file. Can be an absolute path outside of chroot/work dir. pidfile: "/var/run/unbound/unbound.pid" 
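Review bot: `edns-tcp-keepalive: yes` is turned on without any bound on how long or how many idle TCP connections a client may keep, while the comment right below it advertises a 120 s `edns-tcp-keepalive-timeout`. A client that honours the option can legitimately hold a TCP slot open for that whole interval between queries, so a few hosts opening many connections can tie up the resolver's incoming TCP slots (presumably capped by a separate incoming TCP limit not visible in this patch); the per-netblock `tcp-connection-limit` that this same patch documents in a later hunk is left commented out. I would either enable that limit next to this setting or lower the timeout, and record the trade-off above the line: `# clients may hold idle TCP connections for edns-tcp-keepalive-timeout;` `# pair this with tcp-connection-limit on busy resolvers.` The server: block this hunk sits in starts before and continues after the hunk.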
@@ -396,7 +416,7 @@ server: # Sent minimum amount of information to upstream servers to enhance # privacy. Only sent minimum required labels of the QNAME and set QTYPE - # to NS when possible. + # to A when possible. qname-minimisation: yes # QNAME minimisation in strict mode. Do not fall-back to sending full @@ -457,6 +477,9 @@ server: # if yes, perform key lookups adjacent to normal lookups. prefetch-key: yes + # deny queries of type ANY with an empty response. + deny-any: yes + # if yes, Unbound rotates RRSet order in response. rrset-roundrobin: yes @@ -555,6 +578,16 @@ server: # Serve expired responses from cache, with TTL 0 in the response, # and then attempt to fetch the data afresh. serve-expired: yes + # + # Limit serving of expired responses to configured seconds after + # expiration. 0 disables the limit. + serve-expired-ttl: 14400 + # + # Set the TTL of expired records to the serve-expired-ttl value after a + # failed attempt to retrieve the record from upstream. This makes sure + # that the expired records will be served as long as there are queries + # for it. + # serve-expired-ttl-reset: no # Have the validator log failed validations for your diagnosis. # 0: off. 1: A line per failed user query. 2: With reason and bad IP. 
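Review bot: `deny-any: yes` changes what every downstream client receives for QTYPE=ANY, but the comment above it only restates the option name, so an operator reading the shipped config will not know why ANY now returns an empty answer or what to do instead. Tooling that still issues ANY (older MTAs, `dig ANY` debugging) must be told to ask for explicit types, and the amplification-reduction rationale is what justifies the distro default. I would extend the comment to `# deny queries of type ANY with an empty response (reduces amplification;` `# clients that need MX/A/AAAA must query those types explicitly).` The server: block continues outside the hunk.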
@@ -698,14 +731,14 @@ server: # add a netblock specific override to a localzone, with zone type # local-zone-override: "example.com" 192.0.2.0/24 refuse - # service clients over SSL (on the TCP sockets), with plain DNS inside - # the SSL stream. Give the certificate to use and private key. + # service clients over TLS (on the TCP sockets), with plain DNS inside + # the TLS stream. Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. # tls-service-key: "/etc/unbound/unbound_server.key" # tls-service-pem: "/etc/unbound/unbound_server.pem" # tls-port: 853 # - # request upstream over SSL (with plain DNS inside the SSL stream). + # request upstream over TLS (with plain DNS inside the TLS stream). # Default is no. Can be turned on and off with unbound-control. # tls-upstream: no @@ -716,12 +749,15 @@ server: # tls-win-cert: no # Also serve tls on these port numbers (eg. 443, ...), by listing - # tls-additional-ports: portno for each of the port numbers. + # tls-additional-port: portno for each of the port numbers. # DNS64 prefix. Must be specified when DNS64 is use. # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4. # dns64-prefix: 64:ff9b::0/96 + # DNS64 ignore AAAA records for these domains and use A instead. + # dns64-ignore-aaaa: "example.com" + # ratelimit for uncached, new queries, this limits recursion effort. # ratelimiting is experimental, and may help against randomqueryflood. # if 0(default) it is disabled, otherwise state qps allowed per zone. 
@@ -735,12 +771,6 @@ server: # 0 blocks when ratelimited, otherwise let 1/xth traffic through # ratelimit-factor: 10 - # what is considered a low rtt (ping time for upstream server), in msec - # low-rtt: 45 - # select low rtt this many times out of 1000. 0 means the fast server - # select is disabled. prefetches are not sped up. - # low-rtt-permil: 0 - # override the ratelimit for a specific domain name. # give this setting multiple times to have multiple overrides. # ratelimit-for-domain: example.com 1000 @@ -761,6 +791,15 @@ server: # 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through # ip-ratelimit-factor: 10 + # Limit the number of connections simultaneous from a netblock + # tcp-connection-limit: 192.0.2.0/24 12 + + # select from the fastest servers this many times out of 1000. 0 means + # the fast server select is disabled. prefetches are not sped up. + # fast-server-permil: 0 + # the number of servers that will be used in the fast server selection. + # fast-server-num: 3 + # Specific options for ipsecmod. unbound needs to be configured with # --enable-ipsecmod for these to take effect. # @@ -812,12 +851,18 @@ remote-control: # what interfaces are listened to for remote control. # give 0.0.0.0 and ::0 to listen to all interfaces. + # set to an absolute path to use a unix local name pipe, certificates + # are not used for that, so key and cert files need not be present. # control-interface: 127.0.0.1 # control-interface: ::1 # port number for remote control operations. # control-port: 8953 + # for localhost, you can disable use of TLS by setting this to "no" + # For local sockets this option is ignored, and TLS is not used. + control-use-cert: "no" + # unbound server key file. server-key-file: "/etc/unbound/unbound_server.key" @@ -847,6 +892,7 @@ include: /etc/unbound/conf.d/*.conf # stub-prime: no # stub-first: no # stub-tls-upstream: no +# stub-no-cache: no # stub-zone: # name: "example.org" # stub-host: ns.example.com. 
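Review bot: `control-use-cert: "no"` removes the only authentication on the remote-control channel: with certificates off, any process that can connect to `control-port` on `control-interface` can issue unbound-control commands (reload, cache flush, forwarder changes), whereas the TLS mode effectively required the control client's key and certificate. That is only acceptable while the interface stays on loopback and every local account is trusted; the hunk's own comment notes that a unix socket path ignores certificates anyway, which would let filesystem permissions gate access instead — presumably the intent behind the earlier "allow group by default" changelog entry, though I cannot confirm that from this diff. I would either point `control-interface:` at an absolute socket path or document the exposure right above the line: `# NOTE: without certificates any local process that reaches control-port` `# can control the resolver; keep control-interface on loopback or a unix socket.` Separately, `"no"` is the only quoted boolean in the file (compare `edns-tcp-keepalive: yes` earlier in this patch); a bare `no` matches the rest. The remote-control: block continues outside the hunk.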
@@ -882,6 +928,8 @@ include: /etc/unbound/conf.d/*.conf # has a copy of the root for local usage. The second serves example.org # authoritatively. zonefile: reads from file (and writes to it if you also # download it), master: fetches with AXFR and IXFR, or url to zonefile. +# With allow-notify: you can give additional (apart from masters) sources of +# notifies. auth-zone: name: "." for-downstream: no @@ -948,6 +996,7 @@ auth-zone: # backend: "testframe" # # secret seed string to calculate hashed keys # secret-seed: "default" +# # # For "redis" backend: # # redis server's IP address or host name # redis-server-host: 127.0.0.1 diff --git a/unbound.spec b/unbound.spec index db998ee..778a85c 100644 --- a/unbound.spec +++ b/unbound.spec @@ -33,8 +33,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.8.1 -Release: 2%{?extra_version:.%{extra_version}}%{?dist} +Version: 1.8.2 +Release: 1%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://www.unbound.net/ Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz @@ -420,6 +420,12 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Tue Dec 04 2018 Paul Wouters - 1.8.2-1 +- Updated to 1.8.2. +- Enabled deny ANY query support and edns-tcp-keepalive +- Set serve-stale timeout to 4h +- Updated unbound.conf for latest options + * Mon Oct 22 2018 Petr Menšík - 1.8.1-2 - Allow group by default to unbound-control (#1640259)