- Resolves rhbz#1860887 unbound-1.13.1 is available

- Fixup unbound.conf

.gitignore

@@ -63,3 +63,4 @@ unbound-1.4.5.tar.gz
 /unbound-1.12.0.tar.gz.asc
 /unbound-1.13.0.tar.gz
 /unbound-1.13.0.tar.gz.asc
+/unbound-1.13.1.tar.gz

sources

@@ -1,2 +1 @@
-SHA512 (unbound-1.13.0.tar.gz) = d4f3c5a7df5d46f8b1ee32b61e68bdc0d63030820d236ecc51bc3ac356d15248acb9a5e0b6009e1936b03b751e8dd05a071a95ab239fdbbbb308442a59642ad5
-SHA512 (unbound-1.13.0.tar.gz.asc) = 924396fe8c92945386cedcfd5a52ec65b892b3dac20f2b6bf7dd99f7e263f5e3a11ce1f8f6ccc8107529c3be81d6b61d14e66bdda2d3e5c8bc8a8462b93c7d84
+SHA512 (unbound-1.13.1.tar.gz) = f4d26dca28dbcc33a5e65a55147fa01077c331292e88b6a87798cb6c3d4edb0515015d131fd893c92b74d22d9998a640f0adce404e6192d61ebe69a6a599287c

unbound.conf

@@ -328,7 +328,7 @@ server:
 	# The pid file can be absolute and outside of the chroot, it is
 	# written just prior to performing the chroot and dropping permissions.
 	#
-	# Additionally, unbound may need to access /dev/random (for entropy).
+	# Additionally, unbound may need to access /dev/urandom (for entropy).
 	# How to do this is specific to your OS.
 	#
 	# If you give "" no chroot is performed. The path must not end in a /.
@@ -393,6 +393,9 @@ server:
 	# enable to not answer version.server and version.bind queries.
 	# hide-version: no
 
+	# NSID identity (hex string, or "ascii_somestring"). default disabled.
+	# nsid: "aabbccdd"
+
 	# enable to not answer trustanchor.unbound queries.
 	# hide-trustanchor: no
 
@@ -413,7 +416,7 @@ server:
 	# target-fetch-policy: "3 2 1 0 0"
 
 	# Harden against very small EDNS buffer sizes.
-	# harden-short-bufsize: no
+	# harden-short-bufsize: yes
 
 	# Harden against unseemly large queries.
 	# harden-large-queries: no
@@ -624,6 +627,13 @@ server:
 	# A recommended value is 1800.
 	# serve-expired-client-timeout: 0
 
+	# Return the original TTL as received from the upstream name server rather
+	# than the decrementing TTL as stored in the cache.  Enabling this feature
+	# does not impact cache expiry, it only changes the TTL unbound embeds in
+	# responses to queries. Note that enabling this feature implicitly disables
+	# enforcement of the configured minimum and maximum TTL.
+	# serve-original-ttl: no
+
 	# Have the validator log failed validations for your diagnosis.
 	# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
 	val-log-level: 1
@@ -733,8 +743,10 @@ server:
 	# o inform acts like transparent, but logs client IP address
 	# o inform_deny drops queries and logs client IP address
 	# o inform_redirect redirects queries and logs client IP address
-	# o always_transparent, always_refuse, always_nxdomain, resolve in
-	#   that way but ignore local data for that name
+	# o always_transparent, always_refuse, always_nxdomain, always_nodata,
+	#   always_deny resolve in that way but ignore local data for
+	#   that name
+	# o always_null returns 0.0.0.0 or ::0 for any name in the zone.
 	# o noview breaks out of that view towards global local-zones.
 	#
 	# defaults are localhost address, reverse for 127.0.0.1 and ::1
@@ -784,6 +796,12 @@ server:
 	# cipher setting for TLSv1.3
 	# tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
 
+	# Pad responses to padded queries received over TLS
+	# pad-responses: yes
+
+	# Padded responses will be padded to the closest multiple of this size.
+	# pad-responses-block-size: 468
+
 	# Use the SNI extension for TLS connections.  Default is yes.
 	# Changing the value requires a reload.
 	# tls-use-sni: yes
@@ -806,6 +824,12 @@ server:
 	# Add system certs to the cert bundle, from the Windows Cert Store
 	# tls-win-cert: no
 
+	# Pad queries over TLS upstreams
+	# pad-queries: yes
+
+	# Padded queries will be padded to the closest multiple of this size.
+	# pad-queries-block-size: 128
+
 	# Also serve tls on these port numbers (eg. 443, ...), by listing
 	# tls-additional-port: portno for each of the port numbers.
 
@@ -825,22 +849,6 @@ server:
 	# service.
 	# http-nodelay: yes
 
-	# HTTP endpoint to provide DNS-over-HTTPS service on.
-	# http-endpoint: "/dns-query"
-
-	# HTTP/2 SETTINGS_MAX_CONCURRENT_STREAMS value to use.
-	# http-max-streams: 100
-
-	# Maximum number of bytes used for all HTTP/2 query buffers.
-	# http-query-buffer-size: 4m
-
-	# Maximum number of bytes used for all HTTP/2 response buffers.
-	# http-response-buffer-size: 4m
-
-	# Set TCP_NODELAY socket option on sockets used for DNS-over-HTTPS
-	# service.
-	# http-nodelay: yes
-
 	# Disable TLS for DNS-over-HTTP downstream service.
 	# http-notls-downstream: no
 
@@ -1115,7 +1123,7 @@ auth-zone:
 
 # IPSet
 # Add specify domain into set via ipset.
-# Note: To enable ipset unbound needs run as root user.
+# Note: To enable ipset unbound needs to run as root user.
 # ipset:
 #     # set name for ip v4 addresses
 #     name-v4: "list-v4"
@@ -1130,7 +1138,7 @@ auth-zone:
 # 	dnstap-enable: no
 # 	# if set to yes frame streams will be used in bidirectional mode
 # 	dnstap-bidirectional: yes
-# 	dnstap-socket-path: ""
+# 	dnstap-socket-path: "/etc/unbound/dnstap.sock"
 # 	# if "" use the unix socket in dnstap-socket-path, otherwise,
 # 	# set it to "IPaddress[@port]" of the destination.
 # 	dnstap-ip: ""
@@ -1166,7 +1174,7 @@ auth-zone:
 # rpz:
 #     name: "rpz.example.com"
 #     zonefile: "rpz.example.com"
-#     master: 192.0.2.0
+#     primary: 192.0.2.0
 #     allow-notify: 192.0.2.0/32
 #     url: http://www.example.com/rpz.example.org.zone
 #     rpz-action-override: cname

unbound.spec

@@ -36,8 +36,8 @@
 
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.13.0
-Release: 2%{?extra_version:.%{extra_version}}%{?dist}
+Version: 1.13.1
+Release: 1%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://nlnetlabs.nl/projects/unbound/
 Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
@@ -458,6 +458,10 @@ popd
 %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
 
 %changelog
+* Wed Feb 10 2021 Paul Wouters <pwouters@redhat.com> - 1.13.1-1
+- Resolves rhbz#1860887 unbound-1.13.1 is available
+- Fixup unbound.conf
+
 * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.13.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild