From 668ceaffe5564700fae979d1617d36fe28a8d493 Mon Sep 17 00:00:00 2001
From: Paul Wouters
Date: Fri, 13 Jan 2023 19:17:50 -0500
Subject: [PATCH] update to 1.17.1

- Resolved rhbz#2160397 unbound-1.17.1 is available (bugfix release)
- Add support for building with redis
- update unbound.conf
---
 unbound.conf | 30 ++++++++++++++++++++++++------
 unbound.spec | 19 ++++++++++++++++---
 2 files changed, 40 insertions(+), 9 deletions(-)

diff --git a/unbound.conf b/unbound.conf
index 2b6dc59..54c4d7b 100644
--- a/unbound.conf
+++ b/unbound.conf
@@ -41,6 +41,11 @@ server:
 # Needs to be enabled for munin plugin
 extended-statistics: yes
 
+ # Inhibits selected extended statistics (qtype, qclass, qopcode, rcode,
+ # rpz-actions) from printing if their value is 0.
+ # Default on.
+ # statistics-inhibit-zero: yes
+
 # number of threads to create. 1 disables threading.
 num-threads: 4
 
@@ -152,7 +157,7 @@ server:
 # ip-dscp: 0

 # EDNS reassembly buffer to advertise to UDP peers (the actual buffer
- # is set with msg-buffer-size). 1472 can solve fragmentation (timeouts)
+ # is set with msg-buffer-size).
 # edns-buffer-size: 1232

 # Maximum UDP response size (not applied to TCP response).
@@ -193,6 +198,15 @@ server:
 # a throwaway response (also timeouts) is received.
 # outbound-msg-retry: 5
 
+ # Hard limit on the number of outgoing queries Unbound will make while
+ # resolving a name, making sure large NS sets do not loop.
+ # It resets on query restarts (e.g., CNAME) and referrals.
+ # max-sent-count: 32
+
+ # Hard limit on the number of times Unbound is allowed to restart a
+ # query upon encountering a CNAME record.
+ # max-query-restarts: 11
+
 # msec for waiting for an unknown server to reply. Increase if you
 # are behind a slow satellite link, to eg. 1128.
 # unknown-server-time-limit: 376
@@ -238,7 +252,8 @@ server:
 # the maximum number of hosts that are cached (roundtrip, EDNS, lame).
 # infra-cache-numhosts: 10000
 
- # define a number of tags here, use with local-zone, access-control.
+ # define a number of tags here, use with local-zone, access-control,
+ # interface-*.
 # repeat the define-tag statement to add additional tags.
 # define-tag: "tag1 tag2 tag3"
 
@@ -281,7 +296,9 @@ server:
 # Timeout for EDNS TCP keepalive, in msec.
 # edns-tcp-keepalive-timeout: 120000
 
- # Fedora note: do not activate this - can cause a crash
+ # Fedora note: do not activate this - not compiled in because
+ # it causes frequent unbound crashes. Also, socket activation
+ # is bad when you have things like dnsmasq also running with libvirt.
 # Use systemd socket activation for UDP, TCP, and control sockets.
 # use-systemd: no
 
@@ -297,9 +314,7 @@ server:
 # allow_snoop (recursive and nonrecursive ok)
 # deny_non_local (drop queries unless can be answered from local-data)
 # refuse_non_local (like deny_non_local but polite error reply).
- # access-control: 0.0.0.0/0 refuse
 # access-control: 127.0.0.0/8 allow
- # access-control: ::0/0 refuse
 # access-control: ::1 allow
 # access-control: ::ffff:127.0.0.1 allow
@@ -595,6 +610,8 @@ server:
 # most modules have to be listed at the beginning of the line,
 # except cachedb(just before iterator), and python (at the beginning,
 # or, just before the iterator).
+ # For redis cachedb use:
+ # "ipsecmod validator cachedb iterator"
 module-config: "ipsecmod validator iterator"

 # File with trusted keys, kept uptodate using RFC5011 probes,
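Review bot: With the two commented `refuse` lines gone, the access-control sample in this hunk no longer says what happens to a client that matches none of the remaining allow entries. Unbound's built-in policy refuses everything except localhost, so the example still describes a closed resolver, but an administrator who uncomments the allow lines and adds a LAN range no longer sees that the refuse part of the policy is implicit rather than set by this file. I would keep one comment in their place, e.g. `# Anything not matched by an access-control line is refused by default; list only the ranges you want to serve.`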
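Review bot: The new `# For redis cachedb use:` comment in the module-config hunk advertises a module string that the default package most likely cannot load: redis support is gated behind `%bcond_with redis` in unbound.spec, which is off unless the build opts in, and as far as I recall Unbound refuses to start when module-config names a module it was not compiled with. The comment should state that condition and the companion stanza the module needs, e.g. `# (only if this build has cachedb/redis support; also requires a cachedb: section)`. Since the redis backend serves cached answers back to the resolver, the same comment is the right place to say the redis instance must be local or otherwise trusted.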
@@ -602,7 +619,8 @@ server:
 # Use several entries, one per domain name, to track multiple zones.
 #
 # If you want to perform DNSSEC validation, run unbound-anchor before
- # you start Unbound (i.e. in the system boot scripts). And enable:
+ # you start Unbound (i.e. in the system boot scripts).
+ # And then enable the auto-trust-anchor-file config item.
 # Please note usage of unbound-anchor root anchor is at your own risk
 # and under the terms of our LICENSE (see that file in the source).
 # auto-trust-anchor-file: "/var/lib/unbound/root.key"
diff --git a/unbound.spec b/unbound.spec
index 94f4cf3..c2cab90 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -4,6 +4,7 @@
 %bcond_without dnstap
 %bcond_with systemd
 %bcond_without doh
+%bcond_with redis

 %global _hardened_build 1
 
@@ -29,8 +30,8 @@

 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.17.0
-Release: 2%{?extra_version:.%{extra_version}}%{?dist}
+Version: 1.17.1
+Release: 1%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD-3-Clause
 Url: https://nlnetlabs.nl/projects/unbound/
 Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
@@ -78,6 +79,9 @@ BuildRequires: systemd-devel
 %if %{with doh}
 BuildRequires: libnghttp2-devel
 %endif
+%if %{with redis}
+BuildRequires: redis-devel
+%endif
 %if 0%{?fedora} >= 30 || 0%{?rhel} >= 9
 BuildRequires: systemd-rpm-macros
 %else
@@ -225,7 +229,8 @@ cp -a %{dir_primary} %{dir_secondary}
 --with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\
 --enable-sha2 --disable-gost --enable-ecdsa \\\
 --with-rootkey-file=%{_sharedstatedir}/unbound/root.key \\\
- --enable-linux-ip-local-port-range
+ --enable-linux-ip-local-port-range \\\
+

 pushd %{dir_primary}
 
@@ -244,6 +249,10 @@ pushd %{dir_primary}
 %endif
 %if 0%{?rhel}
 --disable-sha1 \
+%endif
+%if %{with redis}
+ --with-libhiredis \
+ --enable-cachedb \
 %endif
 %{configure_args}
 
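Review bot: `BuildRequires: redis-devel` in the BuildRequires hunk probably does not satisfy the `--with-libhiredis` option added in the %build hunk: that configure switch looks for the hiredis client library headers, which Fedora ships in `hiredis-devel`, while `redis-devel` carries the server's module API headers. Because `%bcond_with redis` is off by default, a plain build will never exercise this path, so the only way to confirm is a `--with redis` build; if it fails at configure, the line wants to become `BuildRequires: hiredis-devel`.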
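Review bot: The trailing `\\\` added to `--enable-linux-ip-local-port-range`, together with the apparently empty added line after it, leaves the configure_args macro ending in a line continuation, so the expanded configure command runs on into whatever follows `%{configure_args}` in %build; it terminates cleanly only because that line is followed by a blank one in the last hunk. If this is intended as an extension point, a comment above the macro should say so, e.g. `# trailing continuation is deliberate: %{configure_args} must be the last word of the configure invocation`; otherwise drop the continuation and the empty line. The definition these lines belong to starts outside the hunk.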
@@ -481,6 +490,10 @@ popd %{_mandir}/man1/unbound-* %changelog +* Fri Jan 13 2023 Paul Wouters - 1.17.0-2 - Move unbound user creation to libs (#2149036) - Use systemd-sysusers for user creation (#2105416)