* Fri Jan 27 2012 Paul Wouters <pwouters@redhat.com> - 1.4.15-1

- Upgraded to 1.4.15
- Updated unbound.conf to show how to configure listening on tls443

.gitignore

@@ -18,3 +18,4 @@ unbound-1.4.5.tar.gz
 /unbound-1.4.12.tar.gz
 /unbound-1.4.13.tar.gz
 /unbound-1.4.14.tar.gz
+/unbound-1.4.15.tar.gz

sources

@@ -1,2 +1 @@
-7e3b27dee2b97640dd2e1783253317ab  unbound-1.4.13.tar.gz
-cd69fdaaa6af01ea0b6fbc59802f74ba  unbound-1.4.14.tar.gz
+99173a6548e0e2ec9bfac7a5d025f79e  unbound-1.4.15.tar.gz

unbound.conf

@@ -40,12 +40,20 @@ server:
 	# interface: 192.0.2.153
 	# interface: 192.0.2.154
 	# interface: 2001:DB8::5
+	#
+	# for dns over tls and raw dns over port 80 
+	# interface: 0.0.0.0@443
+	# interface: ::0@443
+	# interface: 0.0.0.0@80
+	# interface: ::0@80
 	
 	# enable this feature to copy the source address of queries to reply.
 	# Socket options are not supported on all platforms. experimental. 
+	# interface-automatic: yes
+	#
 	# NOTE: Enable this option when specifying interface 0.0.0.0 or ::0 
 	# NOTE: Disabled per Fedora policy not to listen to * on default install
-	# interface-automatic: yes
+	# NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled
 	interface-automatic: no
 
 	# port to answer queries from
@@ -146,6 +154,8 @@ server:
 	# do-ip6: yes
 
 	# Enable UDP, "yes" or "no".
+	# NOTE: if setting up an unbound on tls443 for public use, you might want to
+	# disable UDP to avoid being used in DNS amplification attacks.
 	# do-udp: yes
 
 	# Enable TCP, "yes" or "no".
@@ -448,8 +458,8 @@ server:
 	# service clients over SSL (on the TCP sockets), with plain DNS inside
 	# the SSL stream.  Give the certificate to use and private key.
 	# default is "" (disabled).  requires restart to take effect.
-	# ssl-service-key: "path/to/privatekeyfile.key"
-	# ssl-service-pem: "path/to/publiccertfile.pem"
+	# ssl-service-key: "/etc/unbound/unbound_server.key"
+	# ssl-service-pem: "/etc/unbound/unbound_server.pem"
 	# ssl-port: 443
 
 	# request upstream over SSL (with plain DNS inside the SSL stream).

unbound.spec

@@ -1,4 +1,3 @@
-# not ready yet
 %{?!with_python:      %global with_python      1}
 
 %if %{with_python}
@@ -8,8 +7,8 @@
 
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.4.14
-Release: 2%{?dist}
+Version: 1.4.15
+Release: 1%{?dist}
 License: BSD
 Url: http://www.nlnetlabs.nl/unbound/
 Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
@@ -191,11 +190,11 @@ sed -i "s:/etc/pki/dnssec-keys[/]*dlv:/etc/unbound:" %{_sysconfdir}/unbound/unbo
 
 %preun
 if [ $1 -eq 0 ]; then
-	# Package removal, not upgrade
-	/bin/systemctl --no-reload disable unbound.service > /dev/null 2>&1 || :
-	/bin/systemctl stop unbound.service > /dev/null 2>&1 || :
-	/bin/systemctl --no-reload disable unbound-keygen.service > /dev/null 2>&1 || :
-	/bin/systemctl stop unbound-keygen.service > /dev/null 2>&1 || :
+    # Package removal, not upgrade
+    /bin/systemctl --no-reload disable unbound.service > /dev/null 2>&1 || :
+    /bin/systemctl stop unbound.service > /dev/null 2>&1 || :
+    /bin/systemctl --no-reload disable unbound-keygen.service > /dev/null 2>&1 || :
+    /bin/systemctl stop unbound-keygen.service > /dev/null 2>&1 || :
 fi
 
 %postun 
@@ -220,6 +219,10 @@ fi
 /bin/systemctl try-restart unbound-keygen.service >/dev/null 2>&1 || :
 
 %changelog
+* Fri Jan 27 2012 Paul Wouters <pwouters@redhat.com> - 1.4.15-1
+- Upgraded to 1.4.15
+- Updated unbound.conf to show how to configure listening on tls443
+
 * Sat Jan 14 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.14-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild