* Tue Dec 04 2018 Paul Wouters <pwouters@redhat.com> - 1.8.2-1

- Updated to 1.8.2.
- Enabled deny ANY query support and edns-tcp-keepalive
- Set serve-stale timeout to 4h
- Updated unbound.conf for latest options
This commit is contained in:
Paul Wouters 2018-12-04 13:58:11 -05:00
parent 9d074af91d
commit 2cd0b94125
2 changed files with 68 additions and 13 deletions


@ -165,6 +165,10 @@ server:
# msec to wait before close of port on timeout UDP. 0 disables. # msec to wait before close of port on timeout UDP. 0 disables.
# delay-close: 0 # delay-close: 0
# msec for waiting for an unknown server to reply. Increase if you
# are behind a slow satellite link, to eg. 1128.
# unknown-server-time-limit: 376
# the amount of memory to use for the RRset cache. # the amount of memory to use for the RRset cache.
# plain value in bytes or you can append k, m or G. default is "4Mb". # plain value in bytes or you can append k, m or G. default is "4Mb".
# rrset-cache-size: 4m # rrset-cache-size: 4m
@ -234,6 +238,15 @@ server:
# Default is 0, system default MSS. # Default is 0, system default MSS.
# outgoing-tcp-mss: 0 # outgoing-tcp-mss: 0
# Idle TCP timeout, connection closed in milliseconds
# tcp-idle-timeout: 30000
# Enable EDNS TCP keepalive option.
edns-tcp-keepalive: yes
# Timeout for EDNS TCP keepalive, in msec.
# edns-tcp-keepalive-timeout: 120000
# Fedora note: do not activate this - can cause a crash # Fedora note: do not activate this - can cause a crash
# Use systemd socket activation for UDP, TCP, and control sockets. # Use systemd socket activation for UDP, TCP, and control sockets.
# use-systemd: no # use-systemd: no
@ -333,6 +346,13 @@ server:
# timetoresolve, fromcache and responsesize. # timetoresolve, fromcache and responsesize.
# log-replies: no # log-replies: no
# log the local-zone actions, like local-zone type inform is enabled
# also for the other local zone types.
# log-local-actions: no
# print log lines that say why queries return SERVFAIL to clients.
# log-servfail: no
# the pid file. Can be an absolute path outside of chroot/work dir. # the pid file. Can be an absolute path outside of chroot/work dir.
pidfile: "/var/run/unbound/unbound.pid" pidfile: "/var/run/unbound/unbound.pid"
@ -396,7 +416,7 @@ server:
# Sent minimum amount of information to upstream servers to enhance # Sent minimum amount of information to upstream servers to enhance
# privacy. Only sent minimum required labels of the QNAME and set QTYPE # privacy. Only sent minimum required labels of the QNAME and set QTYPE
# to NS when possible. # to A when possible.
qname-minimisation: yes qname-minimisation: yes
# QNAME minimisation in strict mode. Do not fall-back to sending full # QNAME minimisation in strict mode. Do not fall-back to sending full
@ -457,6 +477,9 @@ server:
# if yes, perform key lookups adjacent to normal lookups. # if yes, perform key lookups adjacent to normal lookups.
prefetch-key: yes prefetch-key: yes
# deny queries of type ANY with an empty response.
deny-any: yes
# if yes, Unbound rotates RRSet order in response. # if yes, Unbound rotates RRSet order in response.
rrset-roundrobin: yes rrset-roundrobin: yes
@ -555,6 +578,16 @@ server:
# Serve expired responses from cache, with TTL 0 in the response, # Serve expired responses from cache, with TTL 0 in the response,
# and then attempt to fetch the data afresh. # and then attempt to fetch the data afresh.
serve-expired: yes serve-expired: yes
#
# Limit serving of expired responses to configured seconds after
# expiration. 0 disables the limit.
serve-expired-ttl: 14400
#
# Set the TTL of expired records to the serve-expired-ttl value after a
# failed attempt to retrieve the record from upstream. This makes sure
# that the expired records will be served as long as there are queries
# for it.
# serve-expired-ttl-reset: no
# Have the validator log failed validations for your diagnosis. # Have the validator log failed validations for your diagnosis.
# 0: off. 1: A line per failed user query. 2: With reason and bad IP. # 0: off. 1: A line per failed user query. 2: With reason and bad IP.
@ -698,14 +731,14 @@ server:
# add a netblock specific override to a localzone, with zone type # add a netblock specific override to a localzone, with zone type
# local-zone-override: "example.com" 192.0.2.0/24 refuse # local-zone-override: "example.com" 192.0.2.0/24 refuse
# service clients over SSL (on the TCP sockets), with plain DNS inside # service clients over TLS (on the TCP sockets), with plain DNS inside
# the SSL stream. Give the certificate to use and private key. # the TLS stream. Give the certificate to use and private key.
# default is "" (disabled). requires restart to take effect. # default is "" (disabled). requires restart to take effect.
# tls-service-key: "/etc/unbound/unbound_server.key" # tls-service-key: "/etc/unbound/unbound_server.key"
# tls-service-pem: "/etc/unbound/unbound_server.pem" # tls-service-pem: "/etc/unbound/unbound_server.pem"
# tls-port: 853 # tls-port: 853
# #
# request upstream over SSL (with plain DNS inside the SSL stream). # request upstream over TLS (with plain DNS inside the TLS stream).
# Default is no. Can be turned on and off with unbound-control. # Default is no. Can be turned on and off with unbound-control.
# tls-upstream: no # tls-upstream: no
@ -716,12 +749,15 @@ server:
# tls-win-cert: no # tls-win-cert: no
# Also serve tls on these port numbers (eg. 443, ...), by listing # Also serve tls on these port numbers (eg. 443, ...), by listing
# tls-additional-ports: portno for each of the port numbers. # tls-additional-port: portno for each of the port numbers.
# DNS64 prefix. Must be specified when DNS64 is use. # DNS64 prefix. Must be specified when DNS64 is use.
# Enable dns64 in module-config. Used to synthesize IPv6 from IPv4. # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4.
# dns64-prefix: 64:ff9b::0/96 # dns64-prefix: 64:ff9b::0/96
# DNS64 ignore AAAA records for these domains and use A instead.
# dns64-ignore-aaaa: "example.com"
# ratelimit for uncached, new queries, this limits recursion effort. # ratelimit for uncached, new queries, this limits recursion effort.
# ratelimiting is experimental, and may help against randomqueryflood. # ratelimiting is experimental, and may help against randomqueryflood.
# if 0(default) it is disabled, otherwise state qps allowed per zone. # if 0(default) it is disabled, otherwise state qps allowed per zone.
@ -735,12 +771,6 @@ server:
# 0 blocks when ratelimited, otherwise let 1/xth traffic through # 0 blocks when ratelimited, otherwise let 1/xth traffic through
# ratelimit-factor: 10 # ratelimit-factor: 10
# what is considered a low rtt (ping time for upstream server), in msec
# low-rtt: 45
# select low rtt this many times out of 1000. 0 means the fast server
# select is disabled. prefetches are not sped up.
# low-rtt-permil: 0
# override the ratelimit for a specific domain name. # override the ratelimit for a specific domain name.
# give this setting multiple times to have multiple overrides. # give this setting multiple times to have multiple overrides.
# ratelimit-for-domain: example.com 1000 # ratelimit-for-domain: example.com 1000
@ -761,6 +791,15 @@ server:
# 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through # 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through
# ip-ratelimit-factor: 10 # ip-ratelimit-factor: 10
# Limit the number of connections simultaneous from a netblock
# tcp-connection-limit: 192.0.2.0/24 12
# select from the fastest servers this many times out of 1000. 0 means
# the fast server select is disabled. prefetches are not sped up.
# fast-server-permil: 0
# the number of servers that will be used in the fast server selection.
# fast-server-num: 3
# Specific options for ipsecmod. unbound needs to be configured with # Specific options for ipsecmod. unbound needs to be configured with
# --enable-ipsecmod for these to take effect. # --enable-ipsecmod for these to take effect.
# #
@ -812,12 +851,18 @@ remote-control:
# what interfaces are listened to for remote control. # what interfaces are listened to for remote control.
# give 0.0.0.0 and ::0 to listen to all interfaces. # give 0.0.0.0 and ::0 to listen to all interfaces.
# set to an absolute path to use a unix local name pipe, certificates
# are not used for that, so key and cert files need not be present.
# control-interface: 127.0.0.1 # control-interface: 127.0.0.1
# control-interface: ::1 # control-interface: ::1
# port number for remote control operations. # port number for remote control operations.
# control-port: 8953 # control-port: 8953
# for localhost, you can disable use of TLS by setting this to "no"
# For local sockets this option is ignored, and TLS is not used.
control-use-cert: "no"
# unbound server key file. # unbound server key file.
server-key-file: "/etc/unbound/unbound_server.key" server-key-file: "/etc/unbound/unbound_server.key"
@ -847,6 +892,7 @@ include: /etc/unbound/conf.d/*.conf
# stub-prime: no # stub-prime: no
# stub-first: no # stub-first: no
# stub-tls-upstream: no # stub-tls-upstream: no
# stub-no-cache: no
# stub-zone: # stub-zone:
# name: "example.org" # name: "example.org"
# stub-host: ns.example.com. # stub-host: ns.example.com.
@ -882,6 +928,8 @@ include: /etc/unbound/conf.d/*.conf
# has a copy of the root for local usage. The second serves example.org # has a copy of the root for local usage. The second serves example.org
# authoritatively. zonefile: reads from file (and writes to it if you also # authoritatively. zonefile: reads from file (and writes to it if you also
# download it), master: fetches with AXFR and IXFR, or url to zonefile. # download it), master: fetches with AXFR and IXFR, or url to zonefile.
# With allow-notify: you can give additional (apart from masters) sources of
# notifies.
auth-zone: auth-zone:
name: "." name: "."
for-downstream: no for-downstream: no
@ -948,6 +996,7 @@ auth-zone:
# backend: "testframe" # backend: "testframe"
# # secret seed string to calculate hashed keys # # secret seed string to calculate hashed keys
# secret-seed: "default" # secret-seed: "default"
#
# # For "redis" backend: # # For "redis" backend:
# # redis server's IP address or host name # # redis server's IP address or host name
# redis-server-host: 127.0.0.1 # redis-server-host: 127.0.0.1
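Review bot: `control-use-cert: "no"` in the remote-control hunk is an active setting rather than a commented-out default, so unbound-control on the TCP control-port no longer requires the client certificate, and any local process that can reach the control-interface (127.0.0.1 / ::1 by the commented defaults) can issue control commands such as reload, flush or local_data; the comment above it says "for localhost" but the option applies to whatever control-interface is set to. None of the four changelog bullets in the spec hunk mention this change, so it is unclear whether it is intentional. If dropping certificates is the intent, the unix-socket form of control-interface documented two comment lines earlier keeps access governed by file permissions, e.g. `control-interface: /PLACEHOLDER/path/to/control.sock` together with `control-use-cert: "no"`. Otherwise make the coupling explicit in the file: `# control-use-cert: "no" is only safe while control-interface stays on loopback or a unix socket; re-enable before listening on any other address.`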


@ -33,8 +33,8 @@
Summary: Validating, recursive, and caching DNS(SEC) resolver Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound Name: unbound
Version: 1.8.1 Version: 1.8.2
Release: 2%{?extra_version:.%{extra_version}}%{?dist} Release: 1%{?extra_version:.%{extra_version}}%{?dist}
License: BSD License: BSD
Url: https://www.unbound.net/ Url: https://www.unbound.net/
Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
@ -420,6 +420,12 @@ popd
%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
%changelog %changelog
* Tue Dec 04 2018 Paul Wouters <pwouters@redhat.com> - 1.8.2-1
- Updated to 1.8.2.
- Enabled deny ANY query support and edns-tcp-keepalive
- Set serve-stale timeout to 4h
- Updated unbound.conf for latest options
* Mon Oct 22 2018 Petr Menšík <pemensik@redhat.com> - 1.8.1-2 * Mon Oct 22 2018 Petr Menšík <pemensik@redhat.com> - 1.8.1-2
- Allow group by default to unbound-control (#1640259) - Allow group by default to unbound-control (#1640259)