* Thu Mar 15 2018 Paul Wouters <pwouters@redhat.com> - 1.7.0-1

- Updated to 1.7.0 (aggressive nsec, local root support, bugfixes)

.gitignore

@@ -45,3 +45,4 @@ unbound-1.4.5.tar.gz
 /unbound-1.6.6.tar.gz
 /unbound-1.6.7.tar.gz
 /unbound-1.6.8.tar.gz
+/unbound-1.7.0.tar.gz

sources

@@ -1 +1 @@
-SHA512 (unbound-1.6.8.tar.gz) = 653d88d5dbc8cf25f7261e4a9869b6591843c7ff27b5d63f979a94505daafbbb61e05d46bedd2d01230355d5f08dd9fe14ed04c5c7340f3f27581b61ad6edfa3
+SHA512 (unbound-1.7.0.tar.gz) = 49b07643da2a89d8ceedce1295f550f74a76f4f11c2df54df55e9c42f03bad1b133789c7b36fb3c4f37d6b331ac302ecfd1249e8ebaaa4333beda8fa250b61d9

unbound.conf

@@ -222,6 +222,10 @@ server:
 	# useful for tunneling scenarios, default no.
 	# tcp-upstream: no
 
+	# upstream connections also use UDP (even if do-udp is no).
+	# useful if if you want UDP upstream, but don't provide UDP downstream.
+	# udp-upstream-without-downstream: no
+
 	# Maximum segment size (MSS) of TCP socket on which the server
 	# responds to queries. Default is 0, system default MSS.
 	# tcp-mss: 0
@@ -311,7 +315,7 @@ server:
 	# logfile: ""
 
 	# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
-	# log to, with identity "unbound". If yes, it overrides the logfile.
+	# log to. If yes, it overrides the logfile.
 	# use-syslog: yes
  
 	# Log identity to report. if empty, defaults to the name of argv[0]
@@ -400,6 +404,10 @@ server:
 	# This option only has effect when qname-minimisation is enabled.
 	# qname-minimisation-strict: no
 
+	# Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
+	# and other denials, using information from previous NXDOMAINs answers.
+	aggressive-nsec: yes
+
 	# Use 0x20-encoded random bits in the query to foil spoof attempts.
 	# This feature is an experimental implementation of draft dns-0x20.
 	# use-caps-for-id: no
@@ -540,7 +548,7 @@ server:
 	# that set CD but cannot validate themselves.
 	# ignore-cd-flag: no
 
-	# Serve expired reponses from cache, with TTL 0 in the response,
+	# Serve expired responses from cache, with TTL 0 in the response,
 	# and then attempt to fetch the data afresh.
 	serve-expired: yes
 
@@ -651,6 +659,7 @@ server:
 	# o inform_deny drops queries and logs client IP address
 	# o always_transparent, always_refuse, always_nxdomain, resolve in
 	#   that way but ignore local data for that name.
+	# o noview breaks out of that view towards global local-zones.
 	#
 	# defaults are localhost address, reverse for 127.0.0.1 and ::1
 	# and nxdomain for AS112 zones. If you configure one of these zones
@@ -688,13 +697,13 @@ server:
 	# service clients over SSL (on the TCP sockets), with plain DNS inside
 	# the SSL stream.  Give the certificate to use and private key.
 	# default is "" (disabled).  requires restart to take effect.
-	# ssl-service-key: "/etc/unbound/unbound_server.key"
-	# ssl-service-pem: "/etc/unbound/unbound_server.pem"
-	# ssl-port: 443
+	# tls-service-key: "/etc/unbound/unbound_server.key"
+	# tls-service-pem: "/etc/unbound/unbound_server.pem"
+	# tls-port: 853
 	#
 	# request upstream over SSL (with plain DNS inside the SSL stream).
 	# Default is no.  Can be turned on and off with unbound-control.
-	# ssl-upstream: no
+	# tls-upstream: no
 
 	# DNS64 prefix. Must be specified when DNS64 is use.
 	# Enable dns64 in module-config.  Used to synthesize IPv6 from IPv4.
@@ -745,7 +754,7 @@ server:
 	# Path to executable external hook. It must be defined when ipsecmod is
 	# listed in module-config (above).
 	# ipsecmod-hook: "./my_executable"
-	ipsecmod-hook:/usr/libexec/ipsec/unbound-hook.py
+	ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook
 
 	# When enabled unbound will reply with SERVFAIL if the return value of
 	# the ipsecmod-hook is not 0.
@@ -818,7 +827,7 @@ include: /etc/unbound/conf.d/*.conf
 #	stub-addr: 192.0.2.68
 #	stub-prime: no
 #	stub-first: no
-#	stub-ssl-upstream: no
+#	stub-tls-upstream: no
 # stub-zone:
 #	name: "example.org"
 #	stub-host: ns.example.com.
@@ -838,7 +847,7 @@ include: /etc/unbound/conf.d/*.conf
 # 	forward-addr: 192.0.2.68
 # 	forward-addr: 192.0.2.73@5355  # forward to port 5355.
 # 	forward-first: no
-# 	forward-ssl-upstream: no
+# 	forward-tls-upstream: no
 # forward-zone:
 # 	name: "example.org"
 # 	forward-host: fwd.example.com
@@ -847,6 +856,30 @@ include: /etc/unbound/conf.d/*.conf
 # unbound-control forward_add domain.com 1.2.3.4 5.6.7.8
 # unbound-control forward_remove domain.com 1.2.3.4 5.6.7.8
 
+# Authority zones
+# The data for these zones is kept locally, from a file or downloaded.
+# The data can be served to downstream clients, or used instead of the
+# upstream (which saves a lookup to the upstream).  The first example
+# has a copy of the root for local usage.  The second serves example.org
+# authoritatively.  zonefile: reads from file (and writes to it if you also
+# download it), master: fetches with AXFR and IXFR, or url to zonefile.
+auth-zone:
+	name: "."
+	for-downstream: no
+	for-upstream: yes
+	fallback-enabled: yes
+	master: b.root-servers.net
+	master: c.root-servers.net
+	master: e.root-servers.net
+	master: f.root-servers.net
+	master: g.root-servers.net
+	master: k.root-servers.net
+# auth-zone:
+#	name: "example.org"
+#	for-downstream: yes
+#	for-upstream: yes
+#	zonefile: "example.org.zone"
+
 # Views
 # Create named views. Name must be unique. Map views to requests using
 # the access-control-view option. Views can contain zero or more local-zone

unbound.spec

@@ -20,8 +20,8 @@
 
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.6.8
-Release: 6%{?extra_version:.%{extra_version}}%{?dist}
+Version: 1.7.0
+Release: 1%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://www.unbound.net/
 Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
@@ -435,6 +435,9 @@ popd
 %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
 
 %changelog
+* Thu Mar 15 2018 Paul Wouters <pwouters@redhat.com> - 1.7.0-1
+- Updated to 1.7.0 (aggressive nsec, local root support, bugfixes)
+
 * Thu Feb 22 2018 Petr Menšík <pemensik@redhat.com> - 1.6.8-6
 - Uncomment again original max-upd-size