* Tue Dec 04 2018 Paul Wouters <pwouters@redhat.com> - 1.8.2-1

- Updated to 1.8.2.
- Enabled deny ANY query support and edns-tcp-keepalive
- Set serve-stale timeout to 4h
- Updated unbound.conf for latest options

unbound.conf

@@ -165,6 +165,10 @@ server:
 	# msec to wait before close of port on timeout UDP. 0 disables.
 	# delay-close: 0
 
+	# msec for waiting for an unknown server to reply.  Increase if you
+	# are behind a slow satellite link, to eg. 1128.
+	# unknown-server-time-limit: 376
+
 	# the amount of memory to use for the RRset cache.
 	# plain value in bytes or you can append k, m or G. default is "4Mb".
 	# rrset-cache-size: 4m
@@ -234,6 +238,15 @@ server:
 	# Default is 0, system default MSS.
 	# outgoing-tcp-mss: 0
 
+	# Idle TCP timeout, connection closed in milliseconds
+	# tcp-idle-timeout: 30000
+
+	# Enable EDNS TCP keepalive option.
+	edns-tcp-keepalive: yes
+
+	# Timeout for EDNS TCP keepalive, in msec.
+	# edns-tcp-keepalive-timeout: 120000
+
 	# Fedora note: do not activate this - can cause a crash
 	# Use systemd socket activation for UDP, TCP, and control sockets.
 	# use-systemd: no
@@ -333,6 +346,13 @@ server:
 	# timetoresolve, fromcache and responsesize.
 	# log-replies: no
 
+	# log the local-zone actions, like local-zone type inform is enabled
+	# also for the other local zone types.
+	# log-local-actions: no
+
+	# print log lines that say why queries return SERVFAIL to clients.
+	# log-servfail: no
+
 	# the pid file. Can be an absolute path outside of chroot/work dir.
 	pidfile: "/var/run/unbound/unbound.pid"
 
@@ -396,7 +416,7 @@ server:
 
 	# Sent minimum amount of information to upstream servers to enhance
 	# privacy. Only sent minimum required labels of the QNAME and set QTYPE
-	# to NS when possible.
+	# to A when possible.
 	qname-minimisation: yes
 
 	# QNAME minimisation in strict mode. Do not fall-back to sending full
@@ -457,6 +477,9 @@ server:
 	# if yes, perform key lookups adjacent to normal lookups.
 	prefetch-key: yes
 
+	# deny queries of type ANY with an empty response.
+	deny-any: yes
+
 	# if yes, Unbound rotates RRSet order in response.
 	rrset-roundrobin: yes
 
@@ -555,6 +578,16 @@ server:
 	# Serve expired responses from cache, with TTL 0 in the response,
 	# and then attempt to fetch the data afresh.
 	serve-expired: yes
+	#
+	# Limit serving of expired responses to configured seconds after
+	# expiration. 0 disables the limit.
+	serve-expired-ttl: 14400
+	#
+	# Set the TTL of expired records to the serve-expired-ttl value after a
+	# failed attempt to retrieve the record from upstream. This makes sure
+	# that the expired records will be served as long as there are queries
+	# for it.
+	# serve-expired-ttl-reset: no
 
 	# Have the validator log failed validations for your diagnosis.
 	# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
@@ -698,14 +731,14 @@ server:
 	# add a netblock specific override to a localzone, with zone type
 	# local-zone-override: "example.com" 192.0.2.0/24 refuse
 
-	# service clients over SSL (on the TCP sockets), with plain DNS inside
-	# the SSL stream.  Give the certificate to use and private key.
+	# service clients over TLS (on the TCP sockets), with plain DNS inside
+	# the TLS stream.  Give the certificate to use and private key.
 	# default is "" (disabled).  requires restart to take effect.
 	# tls-service-key: "/etc/unbound/unbound_server.key"
 	# tls-service-pem: "/etc/unbound/unbound_server.pem"
 	# tls-port: 853
 	#
-	# request upstream over SSL (with plain DNS inside the SSL stream).
+	# request upstream over TLS (with plain DNS inside the TLS stream).
 	# Default is no.  Can be turned on and off with unbound-control.
 	# tls-upstream: no
 
@@ -716,12 +749,15 @@ server:
 	# tls-win-cert: no
 
 	# Also serve tls on these port numbers (eg. 443, ...), by listing
-	# tls-additional-ports: portno for each of the port numbers.
+	# tls-additional-port: portno for each of the port numbers.
 
 	# DNS64 prefix. Must be specified when DNS64 is use.
 	# Enable dns64 in module-config.  Used to synthesize IPv6 from IPv4.
 	# dns64-prefix: 64:ff9b::0/96
 
+	# DNS64 ignore AAAA records for these domains and use A instead.
+	# dns64-ignore-aaaa: "example.com"
+
 	# ratelimit for uncached, new queries, this limits recursion effort.
 	# ratelimiting is experimental, and may help against randomqueryflood.
 	# if 0(default) it is disabled, otherwise state qps allowed per zone.
@@ -735,12 +771,6 @@ server:
 	# 0 blocks when ratelimited, otherwise let 1/xth traffic through
 	# ratelimit-factor: 10
 
-	# what is considered a low rtt (ping time for upstream server), in msec
-	# low-rtt: 45
-	# select low rtt this many times out of 1000. 0 means the fast server
-	# select is disabled.  prefetches are not sped up.
-	# low-rtt-permil: 0
-
 	# override the ratelimit for a specific domain name.
 	# give this setting multiple times to have multiple overrides.
 	# ratelimit-for-domain: example.com 1000
@@ -761,6 +791,15 @@ server:
 	# 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through
 	# ip-ratelimit-factor: 10
 
+	# Limit the number of connections simultaneous from a netblock
+	# tcp-connection-limit: 192.0.2.0/24 12
+
+	# select from the fastest servers this many times out of 1000. 0 means
+	# the fast server select is disabled. prefetches are not sped up.
+	# fast-server-permil: 0
+	# the number of servers that will be used in the fast server selection.
+	# fast-server-num: 3
+
 	# Specific options for ipsecmod. unbound needs to be configured with
 	# --enable-ipsecmod for these to take effect.
 	#
@@ -812,12 +851,18 @@ remote-control:
 
 	# what interfaces are listened to for remote control.
 	# give 0.0.0.0 and ::0 to listen to all interfaces.
+	# set to an absolute path to use a unix local name pipe, certificates
+	# are not used for that, so key and cert files need not be present.
 	# control-interface: 127.0.0.1
 	# control-interface: ::1
 
 	# port number for remote control operations.
 	# control-port: 8953
 
+	# for localhost, you can disable use of TLS by setting this to "no"
+	# For local sockets this option is ignored, and TLS is not used.
+	control-use-cert: "no"
+
 	# unbound server key file.
 	server-key-file: "/etc/unbound/unbound_server.key"
 
@@ -847,6 +892,7 @@ include: /etc/unbound/conf.d/*.conf
 #	stub-prime: no
 #	stub-first: no
 #	stub-tls-upstream: no
+#	stub-no-cache: no
 # stub-zone:
 #	name: "example.org"
 #	stub-host: ns.example.com.
@@ -882,6 +928,8 @@ include: /etc/unbound/conf.d/*.conf
 # has a copy of the root for local usage.  The second serves example.org
 # authoritatively.  zonefile: reads from file (and writes to it if you also
 # download it), master: fetches with AXFR and IXFR, or url to zonefile.
+# With allow-notify: you can give additional (apart from masters) sources of
+# notifies.
 auth-zone:
 	name: "."
 	for-downstream: no
@@ -948,6 +996,7 @@ auth-zone:
 #     backend: "testframe"
 #     # secret seed string to calculate hashed keys
 #     secret-seed: "default"
+#
 #     # For "redis" backend:
 #     # redis server's IP address or host name
 #     redis-server-host: 127.0.0.1

unbound.spec

@@ -33,8 +33,8 @@
 
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.8.1
-Release: 2%{?extra_version:.%{extra_version}}%{?dist}
+Version: 1.8.2
+Release: 1%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://www.unbound.net/
 Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
@@ -420,6 +420,12 @@ popd
 %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
 
 %changelog
+* Tue Dec 04 2018 Paul Wouters <pwouters@redhat.com> - 1.8.2-1
+- Updated to 1.8.2.
+- Enabled deny ANY query support and edns-tcp-keepalive
+- Set serve-stale timeout to 4h
+- Updated unbound.conf for latest options
+
 * Mon Oct 22 2018 Petr Menšík <pemensik@redhat.com> - 1.8.1-2
 - Allow group by default to unbound-control (#1640259)