diff --git a/.gitignore b/.gitignore index 37ee9ae..b66a204 100644 --- a/.gitignore +++ b/.gitignore @@ -45,3 +45,4 @@ unbound-1.4.5.tar.gz /unbound-1.6.6.tar.gz /unbound-1.6.7.tar.gz /unbound-1.6.8.tar.gz +/unbound-1.7.0.tar.gz diff --git a/sources b/sources index fb39f26..266aa79 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (unbound-1.6.8.tar.gz) = 653d88d5dbc8cf25f7261e4a9869b6591843c7ff27b5d63f979a94505daafbbb61e05d46bedd2d01230355d5f08dd9fe14ed04c5c7340f3f27581b61ad6edfa3 +SHA512 (unbound-1.7.0.tar.gz) = 49b07643da2a89d8ceedce1295f550f74a76f4f11c2df54df55e9c42f03bad1b133789c7b36fb3c4f37d6b331ac302ecfd1249e8ebaaa4333beda8fa250b61d9 diff --git a/unbound.conf b/unbound.conf index 6de0b3a..4ea0823 100644 --- a/unbound.conf +++ b/unbound.conf @@ -222,6 +222,10 @@ server: # useful for tunneling scenarios, default no. # tcp-upstream: no + # upstream connections also use UDP (even if do-udp is no). + # useful if if you want UDP upstream, but don't provide UDP downstream. + # udp-upstream-without-downstream: no + # Maximum segment size (MSS) of TCP socket on which the server # responds to queries. Default is 0, system default MSS. # tcp-mss: 0 @@ -311,7 +315,7 @@ server: # logfile: "" # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to - # log to, with identity "unbound". If yes, it overrides the logfile. + # log to. If yes, it overrides the logfile. # use-syslog: yes # Log identity to report. if empty, defaults to the name of argv[0] @@ -400,6 +404,10 @@ server: # This option only has effect when qname-minimisation is enabled. # qname-minimisation-strict: no + # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN + # and other denials, using information from previous NXDOMAINs answers. + aggressive-nsec: yes + # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. # use-caps-for-id: no 
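Review bot: The new comment for udp-upstream-without-downstream in the @@ -222 hunk doubles a word: `# useful if if you want UDP upstream, but don't provide UDP downstream.` should read `# useful if you want UDP upstream, but don't provide UDP downstream.` The directive itself stays commented out, so this hunk is documentation only. The enclosing server: clause starts outside the hunk.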
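Review bot: In the @@ -400 hunk `aggressive-nsec: yes` is the only live (uncommented) directive, yet its two-line comment reads exactly like the commented template around it, so a reader can easily miss that this package ships the feature enabled; as far as I recall, upstream's example config leaves the option commented out with a default of no. Suggest a comment such as `# Enabled in this package (upstream default is no). Only takes effect with DNSSEC validation active, since synthesis uses validated NSEC records — confirm against the 1.7.0 docs.` The existing comment also has a grammar slip: `# and other denials, using information from previous NXDOMAINs answers.` should be `# and other denials, using information from previous NXDOMAIN answers.` The enclosing server: clause starts outside the hunk.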
@@ -540,7 +548,7 @@ server: # that set CD but cannot validate themselves. # ignore-cd-flag: no - # Serve expired reponses from cache, with TTL 0 in the response, + # Serve expired responses from cache, with TTL 0 in the response, # and then attempt to fetch the data afresh. serve-expired: yes @@ -651,6 +659,7 @@ server: # o inform_deny drops queries and logs client IP address # o always_transparent, always_refuse, always_nxdomain, resolve in # that way but ignore local data for that name. + # o noview breaks out of that view towards global local-zones. # # defaults are localhost address, reverse for 127.0.0.1 and ::1 # and nxdomain for AS112 zones. If you configure one of these zones @@ -688,13 +697,13 @@ server: # service clients over SSL (on the TCP sockets), with plain DNS inside # the SSL stream. Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. - # ssl-service-key: "/etc/unbound/unbound_server.key" - # ssl-service-pem: "/etc/unbound/unbound_server.pem" - # ssl-port: 443 + # tls-service-key: "/etc/unbound/unbound_server.key" + # tls-service-pem: "/etc/unbound/unbound_server.pem" + # tls-port: 853 # # request upstream over SSL (with plain DNS inside the SSL stream). # Default is no. Can be turned on and off with unbound-control. - # ssl-upstream: no + # tls-upstream: no # DNS64 prefix. Must be specified when DNS64 is use. # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4. @@ -745,7 +754,7 @@ server: # Path to executable external hook. It must be defined when ipsecmod is # listed in module-config (above). # ipsecmod-hook: "./my_executable" - ipsecmod-hook:/usr/libexec/ipsec/unbound-hook.py + ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook # When enabled unbound will reply with SERVFAIL if the return value of # the ipsecmod-hook is not 0. 
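Review bot: In the @@ -688 hunk the directive names become tls-service-key, tls-service-pem, tls-port and tls-upstream, but the prose around them still says "service clients over SSL" and "request upstream over SSL", so the comment and the option names now disagree; suggest `# service clients over TLS (on the TCP sockets), with plain DNS inside` and `# request upstream over TLS (with plain DNS inside the TLS stream).` It would also help to note whether the old ssl-* spellings remain accepted as alternate syntax in 1.7.0 (I believe they do, but the diff does not show it), since drop-in files under conf.d may still use them. The enclosing server: clause starts outside the hunk.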
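Review bot: The rewritten live directive in the @@ -745 hunk, `ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook`, keeps a pre-existing formatting quirk — no space after the colon and an unquoted path — while every other directive in the file, including the example two lines above it, is written as `key: "value"`; since the line is being changed anyway, write it as `ipsecmod-hook: "/usr/libexec/ipsec/_unbound-hook"`. Because this value names an executable that unbound runs when ipsecmod is listed in module-config, a comment stating that the setting is inert until that module is enabled, and which package is expected to provide the hook, would help operators (the old .py name suggests the provider changed, which I cannot confirm from the diff). The enclosing server: clause starts outside the hunk.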
@@ -818,7 +827,7 @@ include: /etc/unbound/conf.d/*.conf # stub-addr: 192.0.2.68 # stub-prime: no # stub-first: no -# stub-ssl-upstream: no +# stub-tls-upstream: no # stub-zone: # name: "example.org" # stub-host: ns.example.com. @@ -838,7 +847,7 @@ include: /etc/unbound/conf.d/*.conf # forward-addr: 192.0.2.68 # forward-addr: 192.0.2.73@5355 # forward to port 5355. # forward-first: no -# forward-ssl-upstream: no +# forward-tls-upstream: no # forward-zone: # name: "example.org" # forward-host: fwd.example.com @@ -847,6 +856,30 @@ include: /etc/unbound/conf.d/*.conf # unbound-control forward_add domain.com 1.2.3.4 5.6.7.8 # unbound-control forward_remove domain.com 1.2.3.4 5.6.7.8 +# Authority zones +# The data for these zones is kept locally, from a file or downloaded. +# The data can be served to downstream clients, or used instead of the +# upstream (which saves a lookup to the upstream). The first example +# has a copy of the root for local usage. The second serves example.org +# authoritatively. zonefile: reads from file (and writes to it if you also +# download it), master: fetches with AXFR and IXFR, or url to zonefile. +auth-zone: + name: "." + for-downstream: no + for-upstream: yes + fallback-enabled: yes + master: b.root-servers.net + master: c.root-servers.net + master: e.root-servers.net + master: f.root-servers.net + master: g.root-servers.net + master: k.root-servers.net +# auth-zone: +# name: "example.org" +# for-downstream: yes +# for-upstream: yes +# zonefile: "example.org.zone" + # Views # Create named views. Name must be unique. Map views to requests using # the access-control-view option. Views can contain zero or more local-zone diff --git a/unbound.spec b/unbound.spec index 091883d..b76e625 100644 --- a/unbound.spec +++ b/unbound.spec 
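Review bot: The new live `auth-zone` for "." in the @@ -847 hunk changes how the resolver answers root queries, but nothing next to the directive says so: the header comment describes both examples generically, and the second example is commented out while the first is active. Suggest a comment directly above `auth-zone:` saying that this keeps a local copy of the root zone (RFC 7706 style) fetched by AXFR/IXFR from the listed root servers, that without a `zonefile:` the copy is held in memory and re-fetched at startup (as far as I can tell), and that `fallback-enabled: yes` restores normal recursion if the copy is unavailable or stale. Two operational points also deserve a line: the transfers require outbound TCP to those hosts, which restrictive egress rules may block, and the zone data, being used for-upstream only, should still be subject to DNSSEC validation like any upstream answer so that a bad transfer is detected rather than served — worth confirming in the 1.7.0 documentation.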
@@ -20,8 +20,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.6.8 -Release: 6%{?extra_version:.%{extra_version}}%{?dist} +Version: 1.7.0 +Release: 1%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://www.unbound.net/ Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz @@ -435,6 +435,9 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Thu Mar 15 2018 Paul Wouters - 1.7.0-1 +- Updated to 1.7.0 (aggressive nsec, local root support, bugfixes) + * Thu Feb 22 2018 Petr Menšík - 1.6.8-6 - Uncomment again original max-upd-size