From 809b23a9f131bcca011ef38298761775793312a7 Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Tue, 9 Feb 2021 20:41:54 -0500 Subject: [PATCH] - Resolves rhbz#1860887 unbound-1.13.1 is available - Fixup unbound.conf --- .gitignore | 1 + sources | 3 +-- unbound.conf | 54 ++++++++++++++++++++++++++++++---------------------- unbound.spec | 8 ++++++-- 4 files changed, 39 insertions(+), 27 deletions(-) diff --git a/.gitignore b/.gitignore index 9b0a67b..823aa06 100644 --- a/.gitignore +++ b/.gitignore @@ -63,3 +63,4 @@ unbound-1.4.5.tar.gz /unbound-1.12.0.tar.gz.asc /unbound-1.13.0.tar.gz /unbound-1.13.0.tar.gz.asc +/unbound-1.13.1.tar.gz diff --git a/sources b/sources index 6e5f7a7..0e8cbee 100644 --- a/sources +++ b/sources @@ -1,2 +1 @@ -SHA512 (unbound-1.13.0.tar.gz) = d4f3c5a7df5d46f8b1ee32b61e68bdc0d63030820d236ecc51bc3ac356d15248acb9a5e0b6009e1936b03b751e8dd05a071a95ab239fdbbbb308442a59642ad5 -SHA512 (unbound-1.13.0.tar.gz.asc) = 924396fe8c92945386cedcfd5a52ec65b892b3dac20f2b6bf7dd99f7e263f5e3a11ce1f8f6ccc8107529c3be81d6b61d14e66bdda2d3e5c8bc8a8462b93c7d84 +SHA512 (unbound-1.13.1.tar.gz) = f4d26dca28dbcc33a5e65a55147fa01077c331292e88b6a87798cb6c3d4edb0515015d131fd893c92b74d22d9998a640f0adce404e6192d61ebe69a6a599287c diff --git a/unbound.conf b/unbound.conf index ae3fcf5..e414f9c 100644 --- a/unbound.conf +++ b/unbound.conf @@ -328,7 +328,7 @@ server: # The pid file can be absolute and outside of the chroot, it is # written just prior to performing the chroot and dropping permissions. # - # Additionally, unbound may need to access /dev/random (for entropy). + # Additionally, unbound may need to access /dev/urandom (for entropy). # How to do this is specific to your OS. # # If you give "" no chroot is performed. The path must not end in a /. 
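Review bot: The new `sources` entry lists only `unbound-1.13.1.tar.gz`, whereas the two 1.13.0 entries it replaces included the detached signature `unbound-1.13.0.tar.gz.asc`; the `.gitignore` hunk likewise adds only the tarball. If the spec verifies the upstream signature at build time (not visible in this patch), that step now has nothing to check. The SHA512 is then the only integrity anchor, and it proves only that the tarball matches what the packager uploaded, not that it came from upstream. I would upload the signature as well and add `SHA512 (unbound-1.13.1.tar.gz.asc) = <sha512-of-signature-file>` to `sources` and `/unbound-1.13.1.tar.gz.asc` to `.gitignore`.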
@@ -393,6 +393,9 @@ server: # enable to not answer version.server and version.bind queries. # hide-version: no + # NSID identity (hex string, or "ascii_somestring"). default disabled. + # nsid: "aabbccdd" + # enable to not answer trustanchor.unbound queries. # hide-trustanchor: no @@ -413,7 +416,7 @@ server: # target-fetch-policy: "3 2 1 0 0" # Harden against very small EDNS buffer sizes. - # harden-short-bufsize: no + # harden-short-bufsize: yes # Harden against unseemly large queries. # harden-large-queries: no @@ -624,6 +627,13 @@ server: # A recommended value is 1800. # serve-expired-client-timeout: 0 + # Return the original TTL as received from the upstream name server rather + # than the decrementing TTL as stored in the cache. Enabling this feature + # does not impact cache expiry, it only changes the TTL unbound embeds in + # responses to queries. Note that enabling this feature implicitly disables + # enforcement of the configured minimum and maximum TTL. + # serve-original-ttl: no + # Have the validator log failed validations for your diagnosis. # 0: off. 1: A line per failed user query. 2: With reason and bad IP. val-log-level: 1 @@ -733,8 +743,10 @@ server: # o inform acts like transparent, but logs client IP address # o inform_deny drops queries and logs client IP address # o inform_redirect redirects queries and logs client IP address - # o always_transparent, always_refuse, always_nxdomain, resolve in - # that way but ignore local data for that name + # o always_transparent, always_refuse, always_nxdomain, always_nodata, + # always_deny resolve in that way but ignore local data for + # that name + # o always_null returns 0.0.0.0 or ::0 for any name in the zone. # o noview breaks out of that view towards global local-zones. # # defaults are localhost address, reverse for 127.0.0.1 and ::1 
@@ -784,6 +796,12 @@ server: # cipher setting for TLSv1.3 # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" + # Pad responses to padded queries received over TLS + # pad-responses: yes + + # Padded responses will be padded to the closest multiple of this size. + # pad-responses-block-size: 468 + # Use the SNI extension for TLS connections. Default is yes. # Changing the value requires a reload. # tls-use-sni: yes @@ -806,6 +824,12 @@ server: # Add system certs to the cert bundle, from the Windows Cert Store # tls-win-cert: no + # Pad queries over TLS upstreams + # pad-queries: yes + + # Padded queries will be padded to the closest multiple of this size. + # pad-queries-block-size: 128 + # Also serve tls on these port numbers (eg. 443, ...), by listing # tls-additional-port: portno for each of the port numbers. @@ -825,22 +849,6 @@ server: # service. # http-nodelay: yes - # HTTP endpoint to provide DNS-over-HTTPS service on. - # http-endpoint: "/dns-query" - - # HTTP/2 SETTINGS_MAX_CONCURRENT_STREAMS value to use. - # http-max-streams: 100 - - # Maximum number of bytes used for all HTTP/2 query buffers. - # http-query-buffer-size: 4m - - # Maximum number of bytes used for all HTTP/2 response buffers. - # http-response-buffer-size: 4m - - # Set TCP_NODELAY socket option on sockets used for DNS-over-HTTPS - # service. - # http-nodelay: yes - # Disable TLS for DNS-over-HTTP downstream service. # http-notls-downstream: no @@ -1115,7 +1123,7 @@ auth-zone: # IPSet # Add specify domain into set via ipset. -# Note: To enable ipset unbound needs run as root user. +# Note: To enable ipset unbound needs to run as root user. # ipset: # # set name for ip v4 addresses # name-v4: "list-v4" 
@@ -1130,7 +1138,7 @@ auth-zone: # dnstap-enable: no # # if set to yes frame streams will be used in bidirectional mode # dnstap-bidirectional: yes -# dnstap-socket-path: "" +# dnstap-socket-path: "/etc/unbound/dnstap.sock" # # if "" use the unix socket in dnstap-socket-path, otherwise, # # set it to "IPaddress[@port]" of the destination. # dnstap-ip: "" @@ -1166,7 +1174,7 @@ auth-zone: # rpz: # name: "rpz.example.com" # zonefile: "rpz.example.com" -# master: 192.0.2.0 +# primary: 192.0.2.0 # allow-notify: 192.0.2.0/32 # url: http://www.example.com/rpz.example.org.zone # rpz-action-override: cname diff --git a/unbound.spec b/unbound.spec index d5a086e..6662cc2 100644 --- a/unbound.spec +++ b/unbound.spec @@ -36,8 +36,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.13.0 -Release: 2%{?extra_version:.%{extra_version}}%{?dist} +Version: 1.13.1 +Release: 1%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -458,6 +458,10 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Wed Feb 10 2021 Paul Wouters - 1.13.1-1 +- Resolves rhbz#1860887 unbound-1.13.1 is available +- Fixup unbound.conf + * Wed Jan 27 2021 Fedora Release Engineering - 1.13.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
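Review bot: The commented example `dnstap-socket-path: "/etc/unbound/dnstap.sock"` in the dnstap hunk puts a runtime unix socket inside the configuration directory. Whichever process creates that socket needs write access there, so an admin who uncomments the example is pushed towards loosening permissions (or MAC policy, where enforced) on the directory that also holds `root.key`, installed under `%{_sysconfdir}/%{name}` per the spec context in this patch. A dedicated runtime directory is the safer example, e.g. `# dnstap-socket-path: "/run/<runtime-dir>/dnstap.sock"` (placeholder; use the directory the package actually creates for the daemon).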