update to 1.17.1

- Resolved rhbz#2160397 unbound-1.17.1 is available (bugfix release)
- Add support for building with redis
- update unbound.conf
Paul Wouters 2023-01-13 19:17:50 -05:00
parent 00b1b0c570
commit 668ceaffe5
No known key found for this signature in database
GPG Key ID: DB48D2E5122468BF
2 changed files with 40 additions and 9 deletions


@ -41,6 +41,11 @@ server:
# Needs to be enabled for munin plugin
extended-statistics: yes
# Inhibits selected extended statistics (qtype, qclass, qopcode, rcode,
# rpz-actions) from printing if their value is 0.
# Default on.
# statistics-inhibit-zero: yes
# number of threads to create. 1 disables threading.
num-threads: 4
@ -152,7 +157,7 @@ server:
# ip-dscp: 0
# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
# is set with msg-buffer-size). 1472 can solve fragmentation (timeouts)
# is set with msg-buffer-size).
# edns-buffer-size: 1232
# Maximum UDP response size (not applied to TCP response).
@ -193,6 +198,15 @@ server:
# a throwaway response (also timeouts) is received.
# outbound-msg-retry: 5
# Hard limit on the number of outgoing queries Unbound will make while
# resolving a name, making sure large NS sets do not loop.
# It resets on query restarts (e.g., CNAME) and referrals.
# max-sent-count: 32
# Hard limit on the number of times Unbound is allowed to restart a
# query upon encountering a CNAME record.
# max-query-restarts: 11
# msec for waiting for an unknown server to reply. Increase if you
# are behind a slow satellite link, to eg. 1128.
# unknown-server-time-limit: 376
@ -238,7 +252,8 @@ server:
# the maximum number of hosts that are cached (roundtrip, EDNS, lame).
# infra-cache-numhosts: 10000
# define a number of tags here, use with local-zone, access-control.
# define a number of tags here, use with local-zone, access-control,
# interface-*.
# repeat the define-tag statement to add additional tags.
# define-tag: "tag1 tag2 tag3"
@ -281,7 +296,9 @@ server:
# Timeout for EDNS TCP keepalive, in msec.
# edns-tcp-keepalive-timeout: 120000
# Fedora note: do not activate this - can cause a crash
# Fedora note: do not activate this - not compiled in because
# it causes frequent unbound crashes. Also, socket activation
# is bad when you have things like dnsmasq also running with libvirt.
# Use systemd socket activation for UDP, TCP, and control sockets.
# use-systemd: no
@ -297,9 +314,7 @@ server:
# allow_snoop (recursive and nonrecursive ok)
# deny_non_local (drop queries unless can be answered from local-data)
# refuse_non_local (like deny_non_local but polite error reply).
# access-control: 0.0.0.0/0 refuse
# access-control: 127.0.0.0/8 allow
# access-control: ::0/0 refuse
# access-control: ::1 allow
# access-control: ::ffff:127.0.0.1 allow
@ -595,6 +610,8 @@ server:
# most modules have to be listed at the beginning of the line,
# except cachedb(just before iterator), and python (at the beginning,
# or, just before the iterator).
# For redis cachedb use:
# "ipsecmod validator cachedb iterator"
module-config: "ipsecmod validator iterator"
# File with trusted keys, kept uptodate using RFC5011 probes,
@ -602,7 +619,8 @@ server:
# Use several entries, one per domain name, to track multiple zones.
#
# If you want to perform DNSSEC validation, run unbound-anchor before
# you start Unbound (i.e. in the system boot scripts). And enable:
# you start Unbound (i.e. in the system boot scripts).
# And then enable the auto-trust-anchor-file config item.
# Please note usage of unbound-anchor root anchor is at your own risk
# and under the terms of our LICENSE (see that file in the source).
# auto-trust-anchor-file: "/var/lib/unbound/root.key"
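Review bot: The new hint above `module-config` ("For redis cachedb use: ...") does not say that the cachedb module is only present in a package rebuilt with the redis conditional, which the spec change in this same commit leaves off by default (`%bcond_with redis`). Listing `cachedb` on a stock build would presumably keep the daemon from starting, so I would extend the comment along the lines of `# Requires a package built with redis support (off by default); also needs a cachedb: clause with backend: "redis".` Since answers can be served from that external store, the comment could also say that the redis instance should be reachable only by unbound itself, for example bound to loopback.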


@ -4,6 +4,7 @@
%bcond_without dnstap
%bcond_with systemd
%bcond_without doh
%bcond_with redis
%global _hardened_build 1
@ -29,8 +30,8 @@
Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound
Version: 1.17.0
Release: 2%{?extra_version:.%{extra_version}}%{?dist}
Version: 1.17.1
Release: 1%{?extra_version:.%{extra_version}}%{?dist}
License: BSD-3-Clause
Url: https://nlnetlabs.nl/projects/unbound/
Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
@ -78,6 +79,9 @@ BuildRequires: systemd-devel
%if %{with doh}
BuildRequires: libnghttp2-devel
%endif
%if %{with redis}
BuildRequires: redis-devel
%endif
%if 0%{?fedora} >= 30 || 0%{?rhel} >= 9
BuildRequires: systemd-rpm-macros
%else
@ -225,7 +229,8 @@ cp -a %{dir_primary} %{dir_secondary}
--with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\
--enable-sha2 --disable-gost --enable-ecdsa \\\
--with-rootkey-file=%{_sharedstatedir}/unbound/root.key \\\
--enable-linux-ip-local-port-range
--enable-linux-ip-local-port-range \\\
pushd %{dir_primary}
@ -244,6 +249,10 @@ pushd %{dir_primary}
%endif
%if 0%{?rhel}
--disable-sha1 \
%endif
%if %{with redis}
--with-libhiredis \
--enable-cachedb \
%endif
%{configure_args}
@ -481,6 +490,10 @@ popd
%{_mandir}/man1/unbound-*
%changelog
* Fri Jan 13 2023 Paul Wouters <paul.wouters@aiven.io - 1.17.1-1
- Resolved rhbz#2160397 unbound-1.17.1 is available (bugfix release)
- Add support for building with redis
* Thu Dec 01 2022 Petr Menšík <pemensik@redhat.com> - 1.17.0-2
- Move unbound user creation to libs (#2149036)
- Use systemd-sysusers for user creation (#2105416)
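Review bot: The new `%changelog` header is missing the closing `>` after the e-mail address (`<paul.wouters@aiven.io - 1.17.1-1`), so tools that parse the entry may not separate the address from the version-release. It should read `* Fri Jan 13 2023 Paul Wouters <paul.wouters@aiven.io> - 1.17.1-1`. Separately, in the configure-arguments hunk the last option now ends in a continuation (`--enable-linux-ip-local-port-range \\\`) with no further option visible after it. That looks fragile if the following line is ever non-blank, but blank lines are not shown on this page, so confirm against the file.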