* Tue Dec 04 2018 Paul Wouters <pwouters@redhat.com> - 1.8.2-1

- Updated to 1.8.2. - Enabled deny ANY query support and edns-tcp-keepalive - Set serve-stale timeout to 4h - Updated unbound.conf for latest options
2018-12-04 13:58:11 -05:00 · 2018-12-04 13:58:11 -05:00 · 2cd0b94125
commit 2cd0b94125
parent 9d074af91d
2 changed files with 68 additions and 13 deletions
--- a/unbound.conf
+++ b/unbound.conf
@ -165,6 +165,10 @@ server:
 	# msec to wait before close of port on timeout UDP. 0 disables.
 	# delay-close: 0
 	# msec for waiting for an unknown server to reply.  Increase if you
 	# are behind a slow satellite link, to eg. 1128.
 	# unknown-server-time-limit: 376
 	# the amount of memory to use for the RRset cache.
 	# plain value in bytes or you can append k, m or G. default is "4Mb".
 	# rrset-cache-size: 4m
@ -234,6 +238,15 @@ server:
 	# Default is 0, system default MSS.
 	# outgoing-tcp-mss: 0
 	# Idle TCP timeout, connection closed in milliseconds
 	# tcp-idle-timeout: 30000
 	# Enable EDNS TCP keepalive option.
 	edns-tcp-keepalive: yes
 	# Timeout for EDNS TCP keepalive, in msec.
 	# edns-tcp-keepalive-timeout: 120000
 	# Fedora note: do not activate this - can cause a crash
 	# Use systemd socket activation for UDP, TCP, and control sockets.
 	# use-systemd: no
@ -333,6 +346,13 @@ server:
 	# timetoresolve, fromcache and responsesize.
 	# log-replies: no
 	# log the local-zone actions, like local-zone type inform is enabled
 	# also for the other local zone types.
 	# log-local-actions: no
 	# print log lines that say why queries return SERVFAIL to clients.
 	# log-servfail: no
 	# the pid file. Can be an absolute path outside of chroot/work dir.
 	pidfile: "/var/run/unbound/unbound.pid"
@ -396,7 +416,7 @@ server:
 	# Sent minimum amount of information to upstream servers to enhance
 	# privacy. Only sent minimum required labels of the QNAME and set QTYPE
-	# to NS when possible.
+	# to A when possible.
 	qname-minimisation: yes
 	# QNAME minimisation in strict mode. Do not fall-back to sending full
@ -457,6 +477,9 @@ server:
 	# if yes, perform key lookups adjacent to normal lookups.
 	prefetch-key: yes
 	# deny queries of type ANY with an empty response.
 	deny-any: yes
 	# if yes, Unbound rotates RRSet order in response.
 	rrset-roundrobin: yes
@ -555,6 +578,16 @@ server:
 	# Serve expired responses from cache, with TTL 0 in the response,
 	# and then attempt to fetch the data afresh.
 	serve-expired: yes
 	#
 	# Limit serving of expired responses to configured seconds after
 	# expiration. 0 disables the limit.
 	serve-expired-ttl: 14400
 	#
 	# Set the TTL of expired records to the serve-expired-ttl value after a
 	# failed attempt to retrieve the record from upstream. This makes sure
 	# that the expired records will be served as long as there are queries
 	# for it.
 	# serve-expired-ttl-reset: no
 	# Have the validator log failed validations for your diagnosis.
 	# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
@ -698,14 +731,14 @@ server:
 	# add a netblock specific override to a localzone, with zone type
 	# local-zone-override: "example.com" 192.0.2.0/24 refuse
-	# service clients over SSL (on the TCP sockets), with plain DNS inside
+	# service clients over TLS (on the TCP sockets), with plain DNS inside
-	# the SSL stream.  Give the certificate to use and private key.
+	# the TLS stream.  Give the certificate to use and private key.
 	# default is "" (disabled).  requires restart to take effect.
 	# tls-service-key: "/etc/unbound/unbound_server.key"
 	# tls-service-pem: "/etc/unbound/unbound_server.pem"
 	# tls-port: 853
 	#
-	# request upstream over SSL (with plain DNS inside the SSL stream).
+	# request upstream over TLS (with plain DNS inside the TLS stream).
 	# Default is no.  Can be turned on and off with unbound-control.
 	# tls-upstream: no
@ -716,12 +749,15 @@ server:
 	# tls-win-cert: no
 	# Also serve tls on these port numbers (eg. 443, ...), by listing
-	# tls-additional-ports: portno for each of the port numbers.
+	# tls-additional-port: portno for each of the port numbers.
 	# DNS64 prefix. Must be specified when DNS64 is use.
 	# Enable dns64 in module-config.  Used to synthesize IPv6 from IPv4.
 	# dns64-prefix: 64:ff9b::0/96
 	# DNS64 ignore AAAA records for these domains and use A instead.
 	# dns64-ignore-aaaa: "example.com"
 	# ratelimit for uncached, new queries, this limits recursion effort.
 	# ratelimiting is experimental, and may help against randomqueryflood.
 	# if 0(default) it is disabled, otherwise state qps allowed per zone.
@ -735,12 +771,6 @@ server:
 	# 0 blocks when ratelimited, otherwise let 1/xth traffic through
 	# ratelimit-factor: 10
 	# what is considered a low rtt (ping time for upstream server), in msec
 	# low-rtt: 45
 	# select low rtt this many times out of 1000. 0 means the fast server
 	# select is disabled.  prefetches are not sped up.
 	# low-rtt-permil: 0
 	# override the ratelimit for a specific domain name.
 	# give this setting multiple times to have multiple overrides.
 	# ratelimit-for-domain: example.com 1000
@ -761,6 +791,15 @@ server:
 	# 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through
 	# ip-ratelimit-factor: 10
 	# Limit the number of connections simultaneous from a netblock
 	# tcp-connection-limit: 192.0.2.0/24 12
 	# select from the fastest servers this many times out of 1000. 0 means
 	# the fast server select is disabled. prefetches are not sped up.
 	# fast-server-permil: 0
 	# the number of servers that will be used in the fast server selection.
 	# fast-server-num: 3
 	# Specific options for ipsecmod. unbound needs to be configured with
 	# --enable-ipsecmod for these to take effect.
 	#
@ -812,12 +851,18 @@ remote-control:
 	# what interfaces are listened to for remote control.
 	# give 0.0.0.0 and ::0 to listen to all interfaces.
 	# set to an absolute path to use a unix local name pipe, certificates
 	# are not used for that, so key and cert files need not be present.
 	# control-interface: 127.0.0.1
 	# control-interface: ::1
 	# port number for remote control operations.
 	# control-port: 8953
 	# for localhost, you can disable use of TLS by setting this to "no"
 	# For local sockets this option is ignored, and TLS is not used.
 	control-use-cert: "no"
 	# unbound server key file.
 	server-key-file: "/etc/unbound/unbound_server.key"
@ -847,6 +892,7 @@ include: /etc/unbound/conf.d/*.conf
 #	stub-prime: no
 #	stub-first: no
 #	stub-tls-upstream: no
 #	stub-no-cache: no
 # stub-zone:
 #	name: "example.org"
 #	stub-host: ns.example.com.
@ -882,6 +928,8 @@ include: /etc/unbound/conf.d/*.conf
 # has a copy of the root for local usage.  The second serves example.org
 # authoritatively.  zonefile: reads from file (and writes to it if you also
 # download it), master: fetches with AXFR and IXFR, or url to zonefile.
 # With allow-notify: you can give additional (apart from masters) sources of
 # notifies.
 auth-zone:
 	name: "."
 	for-downstream: no
@ -948,6 +996,7 @@ auth-zone:
 #     backend: "testframe"
 #     # secret seed string to calculate hashed keys
 #     secret-seed: "default"
 #
 #     # For "redis" backend:
 #     # redis server's IP address or host name
 #     redis-server-host: 127.0.0.1
--- a/unbound.spec
+++ b/unbound.spec
@ -33,8 +33,8 @@
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.8.1
+Version: 1.8.2
-Release: 2%{?extra_version:.%{extra_version}}%{?dist}
+Release: 1%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://www.unbound.net/
 Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
@ -420,6 +420,12 @@ popd
 %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
 %changelog
 * Tue Dec 04 2018 Paul Wouters <pwouters@redhat.com> - 1.8.2-1
 - Updated to 1.8.2.
 - Enabled deny ANY query support and edns-tcp-keepalive
 - Set serve-stale timeout to 4h
 - Updated unbound.conf for latest options
 * Mon Oct 22 2018 Petr Menšík <pemensik@redhat.com> - 1.8.1-2
 - Allow group by default to unbound-control (#1640259)