rpms/unbound
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import UBI unbound-1.20.0-9.el10

Browse Source
This commit is contained in:
eabdullin 2025-05-14 15:29:14 +00:00
parent 922840efb9
commit 845398e4b6
41 changed files with 1201 additions and 4778 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/unbound-1.16.2.tar.gz
unbound-1.20.0.tar.gz

1
.unbound.metadata
View File

@ -1 +0,0 @@
9aea0e923b9d6779b5bc360094e24a4017e2bb25 SOURCES/unbound-1.16.2.tar.gz

9
SOURCES/remote-control.conf
View File

@ -1,9 +0,0 @@
# Remote control config section update.
# Previous defaults allowed any process to change settings, CVE-2024-1488
remote-control:
# set to an absolute path to use a unix local name pipe, certificates
# are not used for that, so key and cert files need not be present.
control-interface: "/run/unbound/control"
# For local sockets this option is ignored, and TLS is not used.
control-use-cert: "yes"

1
SOURCES/tmpfiles-unbound.conf
View File

@ -1 +0,0 @@
D /run/unbound 0755 unbound unbound -

85
SOURCES/unbound-1.15-source-compat.patch
View File

@ -1,85 +0,0 @@
From fbde301c2706a5d0c9c3942fe84693f2b7a6b16c Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Sat, 7 May 2022 10:05:33 +0200
Subject: [PATCH] Use reserved RCODE, fake source version
Use RCODE value assigned for a private use. Previous value were possible
returned value.
Fake source version to be still 1.7.x. Hide real version into micro
version component and export it also in a proper way with _REAL
suffixes. Should workaround any source code detection to support correct
callback format. Fixes compilation error in libreswan.
Use preprocessed unbound.h to prevent failures
Swig complains about wrong @ variable formats. Make it use preprocessed
header instead of a template.
---
libunbound/python/libunbound.i | 4 ++--
libunbound/unbound.h | 13 ++++++++++---
services/mesh.h | 2 +-
3 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/libunbound/python/libunbound.i b/libunbound/python/libunbound.i
index c9549bf90..f01e9111e 100644
--- a/libunbound/python/libunbound.i
+++ b/libunbound/python/libunbound.i
@@ -53,7 +53,7 @@
#ifdef HAVE_ARPA_INET_H
#include <arpa/inet.h>
#endif
- #include "libunbound/unbound.h"
+ #include "unbound.h"
%}
%pythoncode %{
@@ -855,7 +855,7 @@ Result: ['74.125.43.147', '74.125.43.99', '74.125.43.103', '74.125.43.104']
//printf("resolve_stop()\n");
%}
-%include "libunbound/unbound.h"
+%include "unbound.h"
%inline %{
//SWIG will see the ub_ctx as a class
diff --git a/libunbound/unbound.h b/libunbound/unbound.h
index c822d3f89..82660bd51 100644
--- a/libunbound/unbound.h
+++ b/libunbound/unbound.h
@@ -102,9 +102,16 @@ extern "C" {
#endif
/** the version of this header file */
-#define UNBOUND_VERSION_MAJOR @UNBOUND_VERSION_MAJOR@
-#define UNBOUND_VERSION_MINOR @UNBOUND_VERSION_MINOR@
-#define UNBOUND_VERSION_MICRO @UNBOUND_VERSION_MICRO@
+/* Because of RHEL compat change, callback type remains at
+ * 1.7.3 version. To prevent source-level incompatibility,
+ * fake still old version. Export real version in _REAL
+ * suffix definitions. */
+#define UNBOUND_VERSION_MAJOR 1
+#define UNBOUND_VERSION_MINOR 7
+#define UNBOUND_VERSION_MICRO @UNBOUND_VERSION_MAJOR@@UNBOUND_VERSION_MINOR@@UNBOUND_VERSION_MICRO@
+#define UNBOUND_VERSION_MAJOR_REAL @UNBOUND_VERSION_MAJOR@
+#define UNBOUND_VERSION_MINOR_REAL @UNBOUND_VERSION_MINOR@
+#define UNBOUND_VERSION_MICRO_REAL @UNBOUND_VERSION_MICRO@
/**
* The validation context is created to hold the resolver status,
diff --git a/services/mesh.h b/services/mesh.h
index 9c6f958ff..c0cbf355e 100644
--- a/services/mesh.h
+++ b/services/mesh.h
@@ -237,7 +237,7 @@ struct mesh_reply {
/* RHEL 8 compatibility layer.
* Special rcode to send was_ratelimited to callback without adding
* extra parameter. It is ORed to the rcode parameter of the callback. */
-#define LDNS_RCODE_RATELIMITED 0x100
+#define LDNS_RCODE_RATELIMITED 0xf80
#define RCODE_IS_RATELIMITED(rcode) ((rcode & LDNS_RCODE_RATELIMITED) != 0)
#define RCODE_NOT_RATELIMITED(rcode) (rcode & ~LDNS_RCODE_RATELIMITED)
--
2.34.1

471
SOURCES/unbound-1.15-soversion2-compat.patch
View File

@ -1,471 +0,0 @@
From 605d66f0b6b8f7c308010f455058299d25c1d2ee Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Fri, 6 May 2022 16:36:39 +0200
Subject: [PATCH] Rework ABI breaking change to compatible way
Upstream commit 749d1b9ebc6fcb79824afd0471a1cfc12ca861b1 introduced
was_ratelimited variable to every async callback. Such change led to ABI
break and increase of soname of libunbound.
Use rcode to pass that boolean inside rcode variable. Allows keeping
original callback prototype, but does not lose data. Extra integer bit
operations should be very small price. Much better than ABI break.
Make current version compatible back to .2 version.
---
unbound-1.16.2/configure.ac | 2 +-
unbound-1.16.2/daemon/worker.c | 6 ++--
unbound-1.16.2/libunbound/libworker.c | 34 +++++++++++++++--------
unbound-1.16.2/libunbound/unbound-event.h | 3 +-
unbound-1.16.2/libunbound/unbound.h | 13 +++++----
unbound-1.16.2/libunbound/worker.h | 6 ++--
unbound-1.16.2/services/authzone.c | 11 ++++----
unbound-1.16.2/services/authzone.h | 9 ++----
unbound-1.16.2/services/mesh.c | 17 ++++++++----
unbound-1.16.2/services/mesh.h | 9 +++++-
unbound-1.16.2/smallapp/worker_cb.c | 6 ++--
unbound-1.16.2/validator/autotrust.c | 2 +-
unbound-1.16.2/validator/autotrust.h | 2 +-
13 files changed, 72 insertions(+), 48 deletions(-)
diff --git a/unbound-1.16.2/configure.ac b/unbound-1.16.2/configure.ac
index 224501b..71f066c 100644
--- a/unbound-1.16.2/configure.ac
+++ b/unbound-1.16.2/configure.ac
@@ -19,7 +19,7 @@ AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
LIBUNBOUND_CURRENT=9
LIBUNBOUND_REVISION=18
-LIBUNBOUND_AGE=1
+LIBUNBOUND_AGE=7
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
# 1.0.2 had 0:14:0
diff --git a/unbound-1.16.2/daemon/worker.c b/unbound-1.16.2/daemon/worker.c
index 010c4dc..2b87a41 100644
--- a/unbound-1.16.2/daemon/worker.c
+++ b/unbound-1.16.2/daemon/worker.c
@@ -2268,21 +2268,21 @@ void libworker_handle_control_cmd(struct tube* ATTR_UNUSED(tube),
void libworker_fg_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
- char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
+ char* ATTR_UNUSED(why_bogus))
{
log_assert(0);
}
void libworker_bg_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
- char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
+ char* ATTR_UNUSED(why_bogus))
{
log_assert(0);
}
void libworker_event_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
- char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
+ char* ATTR_UNUSED(why_bogus))
{
log_assert(0);
}
diff --git a/unbound-1.16.2/libunbound/libworker.c b/unbound-1.16.2/libunbound/libworker.c
index 11bf5f9..6895119 100644
--- a/unbound-1.16.2/libunbound/libworker.c
+++ b/unbound-1.16.2/libunbound/libworker.c
@@ -549,9 +549,10 @@ libworker_enter_result(struct ub_result* res, sldns_buffer* buf,
/** fillup fg results */
static void
libworker_fillup_fg(struct ctx_query* q, int rcode, sldns_buffer* buf,
- enum sec_status s, char* why_bogus, int was_ratelimited)
+ enum sec_status s, char* why_bogus)
{
- q->res->was_ratelimited = was_ratelimited;
+ q->res->was_ratelimited = RCODE_IS_RATELIMITED(rcode);
+ rcode = RCODE_NOT_RATELIMITED(rcode);
if(why_bogus)
q->res->why_bogus = strdup(why_bogus);
if(rcode != 0) {
@@ -575,13 +576,13 @@ libworker_fillup_fg(struct ctx_query* q, int rcode, sldns_buffer* buf,
void
libworker_fg_done_cb(void* arg, int rcode, sldns_buffer* buf, enum sec_status s,
- char* why_bogus, int was_ratelimited)
+ char* why_bogus)
{
struct ctx_query* q = (struct ctx_query*)arg;
/* fg query is done; exit comm base */
comm_base_exit(q->w->base);
- libworker_fillup_fg(q, rcode, buf, s, why_bogus, was_ratelimited);
+ libworker_fillup_fg(q, rcode, buf, s, why_bogus);
}
/** setup qinfo and edns */
@@ -634,7 +635,7 @@ int libworker_fg(struct ub_ctx* ctx, struct ctx_query* q)
NULL, 0, NULL, 0, NULL)) {
regional_free_all(w->env->scratch);
libworker_fillup_fg(q, LDNS_RCODE_NOERROR,
- w->back->udp_buff, sec_status_insecure, NULL, 0);
+ w->back->udp_buff, sec_status_insecure, NULL);
libworker_delete(w);
free(qinfo.qname);
return UB_NOERROR;
@@ -643,7 +644,7 @@ int libworker_fg(struct ub_ctx* ctx, struct ctx_query* q)
w->env, &qinfo, &edns, NULL, w->back->udp_buff, w->env->scratch)) {
regional_free_all(w->env->scratch);
libworker_fillup_fg(q, LDNS_RCODE_NOERROR,
- w->back->udp_buff, sec_status_insecure, NULL, 0);
+ w->back->udp_buff, sec_status_insecure, NULL);
libworker_delete(w);
free(qinfo.qname);
return UB_NOERROR;
@@ -665,7 +666,7 @@ int libworker_fg(struct ub_ctx* ctx, struct ctx_query* q)
void
libworker_event_done_cb(void* arg, int rcode, sldns_buffer* buf,
- enum sec_status s, char* why_bogus, int was_ratelimited)
+ enum sec_status s, char* why_bogus)
{
struct ctx_query* q = (struct ctx_query*)arg;
ub_event_callback_type cb = q->cb_event;
@@ -688,7 +689,7 @@ libworker_event_done_cb(void* arg, int rcode, sldns_buffer* buf,
else if(s == sec_status_secure)
sec = 2;
(*cb)(cb_arg, rcode, (buf?(void*)sldns_buffer_begin(buf):NULL),
- (buf?(int)sldns_buffer_limit(buf):0), sec, why_bogus, was_ratelimited);
+ (buf?(int)sldns_buffer_limit(buf):0), sec, why_bogus);
}
}
@@ -715,7 +716,7 @@ int libworker_attach_mesh(struct ub_ctx* ctx, struct ctx_query* q,
regional_free_all(w->env->scratch);
free(qinfo.qname);
libworker_event_done_cb(q, LDNS_RCODE_NOERROR,
- w->back->udp_buff, sec_status_insecure, NULL, 0);
+ w->back->udp_buff, sec_status_insecure, NULL);
return UB_NOERROR;
}
if(ctx->env->auth_zones && auth_zones_answer(ctx->env->auth_zones,
@@ -723,7 +724,7 @@ int libworker_attach_mesh(struct ub_ctx* ctx, struct ctx_query* q,
regional_free_all(w->env->scratch);
free(qinfo.qname);
libworker_event_done_cb(q, LDNS_RCODE_NOERROR,
- w->back->udp_buff, sec_status_insecure, NULL, 0);
+ w->back->udp_buff, sec_status_insecure, NULL);
return UB_NOERROR;
}
/* process new query */
@@ -788,12 +789,23 @@ add_bg_result(struct libworker* w, struct ctx_query* q, sldns_buffer* pkt,
}
}
+
+void
+libworker_bg_done_cb_compat(void* arg, int rcode, sldns_buffer* buf, enum sec_status s,
+ char* why_bogus)
+{
+ rcode = RCODE_NOT_RATELIMITED(rcode);
+ libworker_bg_done_cb(arg, rcode, buf, s, why_bogus);
+}
+
void
libworker_bg_done_cb(void* arg, int rcode, sldns_buffer* buf, enum sec_status s,
- char* why_bogus, int was_ratelimited)
+ char* why_bogus)
{
+ int was_ratelimited = RCODE_IS_RATELIMITED(rcode);
struct ctx_query* q = (struct ctx_query*)arg;
+ rcode = RCODE_NOT_RATELIMITED(rcode);
if(q->cancelled || q->w->back->want_to_quit) {
if(q->w->is_bg_thread) {
/* delete it now */
diff --git a/unbound-1.16.2/libunbound/unbound-event.h b/unbound-1.16.2/libunbound/unbound-event.h
index a5d5c03..70aa4c8 100644
--- a/unbound-1.16.2/libunbound/unbound-event.h
+++ b/unbound-1.16.2/libunbound/unbound-event.h
@@ -170,7 +170,8 @@ struct ub_event {
struct ub_event_vmt* vmt;
};
-typedef void (*ub_event_callback_type)(void*, int, void*, int, int, char*, int);
+/* Uses define LDNS_RCODE_RATELIMITED from services/mesh.h */
+typedef void (*ub_event_callback_type)(void*, int, void*, int, int, char*);
/**
* Create a resolving and validation context.
diff --git a/unbound-1.16.2/libunbound/unbound.h b/unbound-1.16.2/libunbound/unbound.h
index c779d18..f6d5c7c 100644
--- a/unbound-1.16.2/libunbound/unbound.h
+++ b/unbound-1.16.2/libunbound/unbound.h
@@ -203,18 +203,19 @@ struct ub_result {
*/
char* why_bogus;
+ /**
+ * TTL for the result, in seconds. If the security is bogus, then
+ * you also cannot trust this value.
+ */
+ int ttl;
+
/**
* If the query or one of its subqueries was ratelimited. Useful if
* ratelimiting is enabled and answer to the client is SERVFAIL as a
* result.
+ * RHEL8 Change, moved after ttl.
*/
int was_ratelimited;
-
- /**
- * TTL for the result, in seconds. If the security is bogus, then
- * you also cannot trust this value.
- */
- int ttl;
};
/**
diff --git a/unbound-1.16.2/libunbound/worker.h b/unbound-1.16.2/libunbound/worker.h
index 0fa5bfa..8b64b4d 100644
--- a/unbound-1.16.2/libunbound/worker.h
+++ b/unbound-1.16.2/libunbound/worker.h
@@ -90,15 +90,15 @@ void libworker_handle_control_cmd(struct tube* tube, uint8_t* msg, size_t len,
/** mesh callback with fg results */
void libworker_fg_done_cb(void* arg, int rcode, sldns_buffer* buf,
- enum sec_status s, char* why_bogus, int was_ratelimited);
+ enum sec_status s, char* why_bogus);
/** mesh callback with bg results */
void libworker_bg_done_cb(void* arg, int rcode, sldns_buffer* buf,
- enum sec_status s, char* why_bogus, int was_ratelimited);
+ enum sec_status s, char* why_bogus);
/** mesh callback with event results */
void libworker_event_done_cb(void* arg, int rcode, struct sldns_buffer* buf,
- enum sec_status s, char* why_bogus, int was_ratelimited);
+ enum sec_status s, char* why_bogus);
/**
* Worker signal handler function. User argument is the worker itself.
diff --git a/unbound-1.16.2/services/authzone.c b/unbound-1.16.2/services/authzone.c
index b9e0b11..c72949f 100644
--- a/unbound-1.16.2/services/authzone.c
+++ b/unbound-1.16.2/services/authzone.c
@@ -5656,8 +5656,7 @@ xfr_master_add_addrs(struct auth_master* m, struct ub_packed_rrset_key* rrset,
/** callback for task_transfer lookup of host name, of A or AAAA */
void auth_xfer_transfer_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
- enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus),
- int ATTR_UNUSED(was_ratelimited))
+ enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus))
{
struct auth_xfer* xfr = (struct auth_xfer*)arg;
struct module_env* env;
@@ -5669,6 +5668,7 @@ void auth_xfer_transfer_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
return; /* stop on quit */
}
+ rcode = RCODE_NOT_RATELIMITED(rcode);
/* process result */
if(rcode == LDNS_RCODE_NOERROR) {
uint16_t wanted_qtype = LDNS_RR_TYPE_A;
@@ -6717,8 +6717,7 @@ xfr_probe_send_or_end(struct auth_xfer* xfr, struct module_env* env)
/** callback for task_probe lookup of host name, of A or AAAA */
void auth_xfer_probe_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
- enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus),
- int ATTR_UNUSED(was_ratelimited))
+ enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus))
{
struct auth_xfer* xfr = (struct auth_xfer*)arg;
struct module_env* env;
@@ -6730,6 +6729,7 @@ void auth_xfer_probe_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
return; /* stop on quit */
}
+ rcode = RCODE_NOT_RATELIMITED(rcode);
/* process result */
if(rcode == LDNS_RCODE_NOERROR) {
uint16_t wanted_qtype = LDNS_RR_TYPE_A;
@@ -8212,7 +8212,7 @@ auth_zone_verify_zonemd_key_with_ds(struct auth_zone* z,
/** callback for ZONEMD lookup of DNSKEY */
void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
- enum sec_status sec, char* why_bogus, int ATTR_UNUSED(was_ratelimited))
+ enum sec_status sec, char* why_bogus)
{
struct auth_zone* z = (struct auth_zone*)arg;
struct module_env* env;
@@ -8234,6 +8234,7 @@ void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DS)
typestr = "DS";
downprot = env->cfg->harden_algo_downgrade;
+ rcode = RCODE_NOT_RATELIMITED(rcode);
/* process result */
if(sec == sec_status_bogus) {
diff --git a/unbound-1.16.2/services/authzone.h b/unbound-1.16.2/services/authzone.h
index 07614ed..b339fc1 100644
--- a/unbound-1.16.2/services/authzone.h
+++ b/unbound-1.16.2/services/authzone.h
@@ -690,12 +690,10 @@ void auth_xfer_probe_timer_callback(void* arg);
void auth_xfer_transfer_timer_callback(void* arg);
/** mesh callback for task_probe on lookup of host names */
void auth_xfer_probe_lookup_callback(void* arg, int rcode,
- struct sldns_buffer* buf, enum sec_status sec, char* why_bogus,
- int was_ratelimited);
+ struct sldns_buffer* buf, enum sec_status sec, char* why_bogus);
/** mesh callback for task_transfer on lookup of host names */
void auth_xfer_transfer_lookup_callback(void* arg, int rcode,
- struct sldns_buffer* buf, enum sec_status sec, char* why_bogus,
- int was_ratelimited);
+ struct sldns_buffer* buf, enum sec_status sec, char* why_bogus);
/*
* Compares two 32-bit serial numbers as defined in RFC1982. Returns
@@ -774,8 +772,7 @@ void auth_zone_verify_zonemd(struct auth_zone* z, struct module_env* env,
/** mesh callback for zonemd on lookup of dnskey */
void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode,
- struct sldns_buffer* buf, enum sec_status sec, char* why_bogus,
- int was_ratelimited);
+ struct sldns_buffer* buf, enum sec_status sec, char* why_bogus);
/**
* Check the ZONEMD records that need online DNSSEC chain lookups,
diff --git a/unbound-1.16.2/services/mesh.c b/unbound-1.16.2/services/mesh.c
index 30bcf7c..fc3c690 100644
--- a/unbound-1.16.2/services/mesh.c
+++ b/unbound-1.16.2/services/mesh.c
@@ -63,6 +63,7 @@
#include "util/data/dname.h"
#include "respip/respip.h"
#include "services/listen_dnsport.h"
+#include "libunbound/unbound-event.h"
#ifdef CLIENT_SUBNET
#include "edns-subnet/subnetmod.h"
@@ -1012,7 +1013,7 @@ mesh_state_cleanup(struct mesh_state* mstate)
mstate->cb_list = cb->next;
fptr_ok(fptr_whitelist_mesh_cb(cb->cb));
(*cb->cb)(cb->cb_arg, LDNS_RCODE_SERVFAIL, NULL,
- sec_status_unchecked, NULL, 0);
+ sec_status_unchecked, NULL);
log_assert(mesh->num_reply_addrs > 0);
mesh->num_reply_addrs--;
}
@@ -1268,8 +1269,9 @@ mesh_do_callback(struct mesh_state* m, int rcode, struct reply_info* rep,
r->edns.opt_list_inplace_cb_out = NULL;
}
fptr_ok(fptr_whitelist_mesh_cb(r->cb));
- (*r->cb)(r->cb_arg, rcode, r->buf, sec_status_unchecked, NULL,
- was_ratelimited);
+ if (was_ratelimited)
+ rcode |= LDNS_RCODE_RATELIMITED;
+ (*r->cb)(r->cb_arg, rcode, r->buf, sec_status_unchecked, NULL);
} else {
size_t udp_size = r->edns.udp_size;
sldns_buffer_clear(r->buf);
@@ -1287,11 +1289,14 @@ mesh_do_callback(struct mesh_state* m, int rcode, struct reply_info* rep,
{
fptr_ok(fptr_whitelist_mesh_cb(r->cb));
(*r->cb)(r->cb_arg, LDNS_RCODE_SERVFAIL, r->buf,
- sec_status_unchecked, NULL, 0);
+ sec_status_unchecked, NULL);
} else {
fptr_ok(fptr_whitelist_mesh_cb(r->cb));
- (*r->cb)(r->cb_arg, LDNS_RCODE_NOERROR, r->buf,
- rep->security, reason, was_ratelimited);
+ rcode = LDNS_RCODE_NOERROR;
+ if (was_ratelimited)
+ rcode |= LDNS_RCODE_RATELIMITED;
+ (*r->cb)(r->cb_arg, rcode, r->buf,
+ rep->security, reason);
}
}
free(reason);
diff --git a/unbound-1.16.2/services/mesh.h b/unbound-1.16.2/services/mesh.h
index 3be9b63..5050d6c 100644
--- a/unbound-1.16.2/services/mesh.h
+++ b/unbound-1.16.2/services/mesh.h
@@ -234,13 +234,20 @@ struct mesh_reply {
struct http2_stream* h2_stream;
};
+/* RHEL 8 compatibility layer.
+ * Special rcode to send was_ratelimited to callback without adding
+ * extra parameter. It is ORed to the rcode parameter of the callback. */
+#define LDNS_RCODE_RATELIMITED 0x100
+#define RCODE_IS_RATELIMITED(rcode) ((rcode & LDNS_RCODE_RATELIMITED) != 0)
+#define RCODE_NOT_RATELIMITED(rcode) (rcode & ~LDNS_RCODE_RATELIMITED)
+
/**
* Mesh result callback func.
* called as func(cb_arg, rcode, buffer_with_reply, security, why_bogus,
* was_ratelimited);
*/
typedef void (*mesh_cb_func_type)(void* cb_arg, int rcode, struct sldns_buffer*,
- enum sec_status, char* why_bogus, int was_ratelimited);
+ enum sec_status, char* why_bogus);
/**
* Callback to result routine
diff --git a/unbound-1.16.2/smallapp/worker_cb.c b/unbound-1.16.2/smallapp/worker_cb.c
index c689817..c7b1653 100644
--- a/unbound-1.16.2/smallapp/worker_cb.c
+++ b/unbound-1.16.2/smallapp/worker_cb.c
@@ -159,21 +159,21 @@ void libworker_handle_control_cmd(struct tube* ATTR_UNUSED(tube),
void libworker_fg_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
struct sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
- char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
+ char* ATTR_UNUSED(why_bogus))
{
log_assert(0);
}
void libworker_bg_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
struct sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
- char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
+ char* ATTR_UNUSED(why_bogus))
{
log_assert(0);
}
void libworker_event_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
struct sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
- char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
+ char* ATTR_UNUSED(why_bogus))
{
log_assert(0);
}
diff --git a/unbound-1.16.2/validator/autotrust.c b/unbound-1.16.2/validator/autotrust.c
index 3cdf9ce..40b3e35 100644
--- a/unbound-1.16.2/validator/autotrust.c
+++ b/unbound-1.16.2/validator/autotrust.c
@@ -2331,7 +2331,7 @@ autr_debug_print(struct val_anchors* anchors)
void probe_answer_cb(void* arg, int ATTR_UNUSED(rcode),
sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(sec),
- char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
+ char* ATTR_UNUSED(why_bogus))
{
/* retry was set before the query was done,
* re-querytime is set when query succeeded, but that may not
diff --git a/unbound-1.16.2/validator/autotrust.h b/unbound-1.16.2/validator/autotrust.h
index 057f2b6..c549798 100644
--- a/unbound-1.16.2/validator/autotrust.h
+++ b/unbound-1.16.2/validator/autotrust.h
@@ -206,6 +206,6 @@ void autr_debug_print(struct val_anchors* anchors);
/** callback for query answer to 5011 probe */
void probe_answer_cb(void* arg, int rcode, struct sldns_buffer* buf,
- enum sec_status sec, char* errinf, int was_ratelimited);
+ enum sec_status sec, char* errinf);
#endif /* VALIDATOR_AUTOTRUST_H */
--
2.37.1

218
SOURCES/unbound-1.16-CVE-2022-3204.patch
View File

@ -1,218 +0,0 @@
From 7af485f0fc9926425681ba0280ab6c2c8dd04530 Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
Date: Wed, 21 Sep 2022 11:10:38 +0200
Subject: [PATCH] - Patch for CVE-2022-3204 Non-Responsive Delegation Attack.
---
unbound-1.16.2/iterator/iter_delegpt.c | 3 +++
unbound-1.16.2/iterator/iter_delegpt.h | 2 ++
unbound-1.16.2/iterator/iter_utils.c | 3 +++
unbound-1.16.2/iterator/iter_utils.h | 9 +++++++
unbound-1.16.2/iterator/iterator.c | 36 +++++++++++++++++++++++++-
unbound-1.16.2/services/cache/dns.c | 3 +++
unbound-1.16.2/services/mesh.c | 7 +++++
unbound-1.16.2/services/mesh.h | 11 ++++++++
8 files changed, 73 insertions(+), 1 deletion(-)
diff --git a/unbound-1.16.2/iterator/iter_delegpt.c b/unbound-1.16.2/iterator/iter_delegpt.c
index 4bffa1b..fd07aaa 100644
--- a/unbound-1.16.2/iterator/iter_delegpt.c
+++ b/unbound-1.16.2/iterator/iter_delegpt.c
@@ -78,6 +78,7 @@ struct delegpt* delegpt_copy(struct delegpt* dp, struct regional* region)
if(!delegpt_add_ns(copy, region, ns->name, ns->lame,
ns->tls_auth_name, ns->port))
return NULL;
+ copy->nslist->cache_lookup_count = ns->cache_lookup_count;
copy->nslist->resolved = ns->resolved;
copy->nslist->got4 = ns->got4;
copy->nslist->got6 = ns->got6;
@@ -121,6 +122,7 @@ delegpt_add_ns(struct delegpt* dp, struct regional* region, uint8_t* name,
ns->namelen = len;
dp->nslist = ns;
ns->name = regional_alloc_init(region, name, ns->namelen);
+ ns->cache_lookup_count = 0;
ns->resolved = 0;
ns->got4 = 0;
ns->got6 = 0;
@@ -620,6 +622,7 @@ int delegpt_add_ns_mlc(struct delegpt* dp, uint8_t* name, uint8_t lame,
}
ns->next = dp->nslist;
dp->nslist = ns;
+ ns->cache_lookup_count = 0;
ns->resolved = 0;
ns->got4 = 0;
ns->got6 = 0;
diff --git a/unbound-1.16.2/iterator/iter_delegpt.h b/unbound-1.16.2/iterator/iter_delegpt.h
index 62c8edc..586597a 100644
--- a/unbound-1.16.2/iterator/iter_delegpt.h
+++ b/unbound-1.16.2/iterator/iter_delegpt.h
@@ -101,6 +101,8 @@ struct delegpt_ns {
uint8_t* name;
/** length of name */
size_t namelen;
+ /** number of cache lookups for the name */
+ int cache_lookup_count;
/**
* If the name has been resolved. false if not queried for yet.
* true if the A, AAAA queries have been generated.
diff --git a/unbound-1.16.2/iterator/iter_utils.c b/unbound-1.16.2/iterator/iter_utils.c
index 3e13e59..56b184a 100644
--- a/unbound-1.16.2/iterator/iter_utils.c
+++ b/unbound-1.16.2/iterator/iter_utils.c
@@ -1209,6 +1209,9 @@ int iter_lookup_parent_glue_from_cache(struct module_env* env,
struct delegpt_ns* ns;
size_t num = delegpt_count_targets(dp);
for(ns = dp->nslist; ns; ns = ns->next) {
+ if(ns->cache_lookup_count > ITERATOR_NAME_CACHELOOKUP_MAX_PSIDE)
+ continue;
+ ns->cache_lookup_count++;
/* get cached parentside A */
akey = rrset_cache_lookup(env->rrset_cache, ns->name,
ns->namelen, LDNS_RR_TYPE_A, qinfo->qclass,
diff --git a/unbound-1.16.2/iterator/iter_utils.h b/unbound-1.16.2/iterator/iter_utils.h
index 8583fde..850be96 100644
--- a/unbound-1.16.2/iterator/iter_utils.h
+++ b/unbound-1.16.2/iterator/iter_utils.h
@@ -62,6 +62,15 @@ struct ub_packed_rrset_key;
struct module_stack;
struct outside_network;
+/* max number of lookups in the cache for target nameserver names.
+ * This stops, for large delegations, N*N lookups in the cache. */
+#define ITERATOR_NAME_CACHELOOKUP_MAX 3
+/* max number of lookups in the cache for parentside glue for nameserver names
+ * This stops, for larger delegations, N*N lookups in the cache.
+ * It is a little larger than the nonpside max, so it allows a couple extra
+ * lookups of parent side glue. */
+#define ITERATOR_NAME_CACHELOOKUP_MAX_PSIDE 5
+
/**
* Process config options and set iterator module state.
* Sets default values if no config is found.
diff --git a/unbound-1.16.2/iterator/iterator.c b/unbound-1.16.2/iterator/iterator.c
index 25e5cfe..da9b799 100644
--- a/unbound-1.16.2/iterator/iterator.c
+++ b/unbound-1.16.2/iterator/iterator.c
@@ -1218,6 +1218,15 @@ generate_dnskey_prefetch(struct module_qstate* qstate,
(qstate->query_flags&BIT_RD) && !(qstate->query_flags&BIT_CD)){
return;
}
+ /* we do not generate this prefetch when the query list is full,
+ * the query is fetched, if needed, when the validator wants it.
+ * At that time the validator waits for it, after spawning it.
+ * This means there is one state that uses cpu and a socket, the
+ * spawned while this one waits, and not several at the same time,
+ * if we had created the lookup here. And this helps to keep
+ * the total load down, but the query still succeeds to resolve. */
+ if(mesh_jostle_exceeded(qstate->env->mesh))
+ return;
/* if the DNSKEY is in the cache this lookup will stop quickly */
log_nametypeclass(VERB_ALGO, "schedule dnskey prefetch",
@@ -1911,6 +1920,14 @@ query_for_targets(struct module_qstate* qstate, struct iter_qstate* iq,
return 0;
}
query_count++;
+ /* If the mesh query list is full, exit the loop here.
+ * This makes the routine spawn one query at a time,
+ * and this means there is no query state load
+ * increase, because the spawned state uses cpu and a
+ * socket while this state waits for that spawned
+ * state. Next time we can look up further targets */
+ if(mesh_jostle_exceeded(qstate->env->mesh))
+ break;
}
/* Send the A request. */
if(ie->supports_ipv4 &&
@@ -1925,6 +1942,9 @@ query_for_targets(struct module_qstate* qstate, struct iter_qstate* iq,
return 0;
}
query_count++;
+ /* If the mesh query list is full, exit the loop. */
+ if(mesh_jostle_exceeded(qstate->env->mesh))
+ break;
}
/* mark this target as in progress. */
@@ -2085,6 +2105,15 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
}
ns->done_pside6 = 1;
query_count++;
+ if(mesh_jostle_exceeded(qstate->env->mesh)) {
+ /* Wait for the lookup; do not spawn multiple
+ * lookups at a time. */
+ verbose(VERB_ALGO, "try parent-side glue lookup");
+ iq->num_target_queries += query_count;
+ target_count_increase(iq, query_count);
+ qstate->ext_state[id] = module_wait_subquery;
+ return 0;
+ }
}
if(ie->supports_ipv4 && !ns->done_pside4) {
/* Send the A request. */
@@ -2560,7 +2589,12 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
if(iq->depth < ie->max_dependency_depth
&& iq->num_target_queries == 0
&& (!iq->target_count || iq->target_count[TARGET_COUNT_NX]==0)
- && iq->sent_count < TARGET_FETCH_STOP) {
+ && iq->sent_count < TARGET_FETCH_STOP
+ /* if the mesh query list is full, then do not waste cpu
+ * and sockets to fetch promiscuous targets. They can be
+ * looked up when needed. */
+ && !mesh_jostle_exceeded(qstate->env->mesh)
+ ) {
tf_policy = ie->target_fetch_policy[iq->depth];
}
diff --git a/unbound-1.16.2/services/cache/dns.c b/unbound-1.16.2/services/cache/dns.c
index 6bca8d8..b6e5697 100644
--- a/unbound-1.16.2/services/cache/dns.c
+++ b/unbound-1.16.2/services/cache/dns.c
@@ -404,6 +404,9 @@ cache_fill_missing(struct module_env* env, uint16_t qclass,
struct ub_packed_rrset_key* akey;
time_t now = *env->now;
for(ns = dp->nslist; ns; ns = ns->next) {
+ if(ns->cache_lookup_count > ITERATOR_NAME_CACHELOOKUP_MAX)
+ continue;
+ ns->cache_lookup_count++;
akey = rrset_cache_lookup(env->rrset_cache, ns->name,
ns->namelen, LDNS_RR_TYPE_A, qclass, 0, now, 0);
if(akey) {
diff --git a/unbound-1.16.2/services/mesh.c b/unbound-1.16.2/services/mesh.c
index 30bcf7c..2a41194 100644
--- a/unbound-1.16.2/services/mesh.c
+++ b/unbound-1.16.2/services/mesh.c
@@ -2240,3 +2240,10 @@ mesh_serve_expired_callback(void* arg)
mesh_do_callback(mstate, LDNS_RCODE_NOERROR, msg->rep, c, &tv);
}
}
+
+int mesh_jostle_exceeded(struct mesh_area* mesh)
+{
+ if(mesh->all.count < mesh->max_reply_states)
+ return 0;
+ return 1;
+}
diff --git a/unbound-1.16.2/services/mesh.h b/unbound-1.16.2/services/mesh.h
index 3be9b63..25121a6 100644
--- a/unbound-1.16.2/services/mesh.h
+++ b/unbound-1.16.2/services/mesh.h
@@ -685,4 +685,15 @@ struct dns_msg*
mesh_serve_expired_lookup(struct module_qstate* qstate,
struct query_info* lookup_qinfo);
+/**
+ * See if the mesh has space for more queries. You can allocate queries
+ * anyway, but this checks for the allocated space.
+ * @param mesh: mesh area.
+ * @return true if the query list is full.
+ * It checks the number of all queries, not just number of reply states,
+ * that have a client address. So that spawned queries count too,
+ * that were created by the iterator, or other modules.
+ */
+int mesh_jostle_exceeded(struct mesh_area* mesh);
+
#endif /* SERVICES_MESH_H */
--
2.37.3

2304
SOURCES/unbound-1.16-CVE-2023-50387-CVE-2023-50868.patch
View File

File diff suppressed because it is too large Load Diff

16
SOURCES/unbound-1.16.2.tar.gz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEE7fqj8spObrBWga+On28cLX4EX40FAmLnudYACgkQn28cLX4E
X43GmRAAoROXbktLR2AXGEECgPCFlHag9oNZosa3J5yR2vaV4e8eA6AMzPyZbl7P
LnLon8PZZR+pTW+dDRqakvzJIwXkLeONFgEdvd0cAghWAtPrKCDZIkCyeQj0OOv3
wt1pRRl2PXUKNZZf0bzpTUIhVsHF/w5f5T/mFAZm49rUDboj77xgokmaFK4kei0I
Gz4W8Vx3TIwwJc8nea8GtCYIg3UKmR/TMznMFExAoKdMllzKuJnGx5lR/eU0+NRc
uwWEQhNJrHXZyWethp9swLCrOmDHcgBJOd04TqcDwSIZrw9VuT3/Uza3Tw73N7kr
PZvF2xSOASL+i91QP6tnkmQD5pAORVpUFN3NePEWV5922iG/pVipaYBbEyV3dfph
Y4QGwj8G6ppcfjV7gmlxsAOM2gnhD3rDqFmkxau6zB1kktHnV2aqlzIQo396ZBJQ
hKyIAJlNvpTiFaACD7/cFkE80awJnCD/qvXATN//BWHKytgO8eYg7fZGrxjbpIQk
XV/vVlOJWRXPyPBnp8MQyCIDe2eq2ELlMfYw62/TNDuj2qKsM/W03cem3GlveOa6
tw8RVfFFjwZlCLbXSbmsKo+mWJ3jCAvb3/gql52vJDE5FuRz7MvptIVU6DVE1O+J
mQ3AoQ2Mq9iHsZePfze4sq531DMlWTgBMwqfBTWqMaTC/8VH5rg=
=Ax9n
-----END PGP SIGNATURE-----

249
SOURCES/unbound-1.21-CVE-2024-8508.patch
View File

@ -1,249 +0,0 @@
From 34de24d58bb5aa6fe3551512fc17cac08f65d93e Mon Sep 17 00:00:00 2001
From: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
Date: Thu, 3 Oct 2024 14:46:57 +0200
Subject: [PATCH] - Fix CVE-2024-8508, unbounded name compression could lead to
denial of service.
---
unbound-1.16.2/util/data/msgencode.c | 77 +++++++++++++++++-----------
1 file changed, 46 insertions(+), 31 deletions(-)
diff --git a/unbound-1.16.2/util/data/msgencode.c b/unbound-1.16.2/util/data/msgencode.c
index fe21cfb..f9e95e6 100644
--- a/unbound-1.16.2/util/data/msgencode.c
+++ b/unbound-1.16.2/util/data/msgencode.c
@@ -62,6 +62,10 @@
#define RETVAL_TRUNC -4
/** return code that means all is peachy keen. Equal to DNS rcode NOERROR */
#define RETVAL_OK 0
+/** Max compressions we are willing to perform; more than that will result
+ * in semi-compressed messages, or truncated even on TCP for huge messages, to
+ * avoid locking the CPU for long */
+#define MAX_COMPRESSION_PER_MESSAGE 120
/**
* Data structure to help domain name compression in outgoing messages.
@@ -284,15 +288,17 @@ write_compressed_dname(sldns_buffer* pkt, uint8_t* dname, int labs,
/** compress owner name of RR, return RETVAL_OUTMEM RETVAL_TRUNC */
static int
-compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
- struct regional* region, struct compress_tree_node** tree,
- size_t owner_pos, uint16_t* owner_ptr, int owner_labs)
+compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
+ struct regional* region, struct compress_tree_node** tree,
+ size_t owner_pos, uint16_t* owner_ptr, int owner_labs,
+ size_t* compress_count)
{
struct compress_tree_node* p;
struct compress_tree_node** insertpt = NULL;
if(!*owner_ptr) {
/* compress first time dname */
- if((p = compress_tree_lookup(tree, key->rk.dname,
+ if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
+ (p = compress_tree_lookup(tree, key->rk.dname,
owner_labs, &insertpt))) {
if(p->labs == owner_labs)
/* avoid ptr chains, since some software is
@@ -301,6 +307,7 @@ compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
if(!write_compressed_dname(pkt, key->rk.dname,
owner_labs, p))
return RETVAL_TRUNC;
+ (*compress_count)++;
/* check if typeclass+4 ttl + rdatalen is available */
if(sldns_buffer_remaining(pkt) < 4+4+2)
return RETVAL_TRUNC;
@@ -313,7 +320,8 @@ compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
if(owner_pos <= PTR_MAX_OFFSET)
*owner_ptr = htons(PTR_CREATE(owner_pos));
}
- if(!compress_tree_store(key->rk.dname, owner_labs,
+ if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
+ !compress_tree_store(key->rk.dname, owner_labs,
owner_pos, region, p, insertpt))
return RETVAL_OUTMEM;
} else {
@@ -333,20 +341,24 @@ compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
/** compress any domain name to the packet, return RETVAL_* */
static int
-compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs,
- struct regional* region, struct compress_tree_node** tree)
+compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs,
+ struct regional* region, struct compress_tree_node** tree,
+ size_t* compress_count)
{
struct compress_tree_node* p;
struct compress_tree_node** insertpt = NULL;
size_t pos = sldns_buffer_position(pkt);
- if((p = compress_tree_lookup(tree, dname, labs, &insertpt))) {
+ if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
+ (p = compress_tree_lookup(tree, dname, labs, &insertpt))) {
if(!write_compressed_dname(pkt, dname, labs, p))
return RETVAL_TRUNC;
+ (*compress_count)++;
} else {
if(!dname_buffer_write(pkt, dname))
return RETVAL_TRUNC;
}
- if(!compress_tree_store(dname, labs, pos, region, p, insertpt))
+ if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
+ !compress_tree_store(dname, labs, pos, region, p, insertpt))
return RETVAL_OUTMEM;
return RETVAL_OK;
}
@@ -364,9 +376,9 @@ type_rdata_compressable(struct ub_packed_rrset_key* key)
/** compress domain names in rdata, return RETVAL_* */
static int
-compress_rdata(sldns_buffer* pkt, uint8_t* rdata, size_t todolen,
- struct regional* region, struct compress_tree_node** tree,
- const sldns_rr_descriptor* desc)
+compress_rdata(sldns_buffer* pkt, uint8_t* rdata, size_t todolen,
+ struct regional* region, struct compress_tree_node** tree,
+ const sldns_rr_descriptor* desc, size_t* compress_count)
{
int labs, r, rdf = 0;
size_t dname_len, len, pos = sldns_buffer_position(pkt);
@@ -380,8 +392,8 @@ compress_rdata(sldns_buffer* pkt, uint8_t* rdata, size_t todolen,
switch(desc->_wireformat[rdf]) {
case LDNS_RDF_TYPE_DNAME:
labs = dname_count_size_labels(rdata, &dname_len);
- if((r=compress_any_dname(rdata, pkt, labs, region,
- tree)) != RETVAL_OK)
+ if((r=compress_any_dname(rdata, pkt, labs, region,
+ tree, compress_count)) != RETVAL_OK)
return r;
rdata += dname_len;
todolen -= dname_len;
@@ -449,7 +461,8 @@ static int
packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
uint16_t* num_rrs, time_t timenow, struct regional* region,
int do_data, int do_sig, struct compress_tree_node** tree,
- sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset)
+ sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset,
+ size_t* compress_count)
{
size_t i, j, owner_pos;
int r, owner_labs;
@@ -477,9 +490,9 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
for(i=0; i<data->count; i++) {
/* rrset roundrobin */
j = (i + rr_offset) % data->count;
- if((r=compress_owner(key, pkt, region, tree,
- owner_pos, &owner_ptr, owner_labs))
- != RETVAL_OK)
+ if((r=compress_owner(key, pkt, region, tree,
+ owner_pos, &owner_ptr, owner_labs,
+ compress_count)) != RETVAL_OK)
return r;
sldns_buffer_write(pkt, &key->rk.type, 2);
sldns_buffer_write(pkt, &key->rk.rrset_class, 2);
@@ -489,8 +502,8 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
else sldns_buffer_write_u32(pkt, data->rr_ttl[j]-adjust);
if(c) {
if((r=compress_rdata(pkt, data->rr_data[j],
- data->rr_len[j], region, tree, c))
- != RETVAL_OK)
+ data->rr_len[j], region, tree, c,
+ compress_count)) != RETVAL_OK)
return r;
} else {
if(sldns_buffer_remaining(pkt) < data->rr_len[j])
@@ -510,9 +523,9 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
return RETVAL_TRUNC;
sldns_buffer_write(pkt, &owner_ptr, 2);
} else {
- if((r=compress_any_dname(key->rk.dname,
- pkt, owner_labs, region, tree))
- != RETVAL_OK)
+ if((r=compress_any_dname(key->rk.dname,
+ pkt, owner_labs, region, tree,
+ compress_count)) != RETVAL_OK)
return r;
if(sldns_buffer_remaining(pkt) <
4+4+data->rr_len[i])
@@ -544,7 +557,8 @@ static int
insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
sldns_buffer* pkt, size_t rrsets_before, time_t timenow,
struct regional* region, struct compress_tree_node** tree,
- sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset)
+ sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset,
+ size_t* compress_count)
{
int r;
size_t i, setstart;
@@ -560,7 +574,7 @@ insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
setstart = sldns_buffer_position(pkt);
if((r=packed_rrset_encode(rep->rrsets[rrsets_before+i],
pkt, num_rrs, timenow, region, 1, 1, tree,
- s, qtype, dnssec, rr_offset))
+ s, qtype, dnssec, rr_offset, compress_count))
!= RETVAL_OK) {
/* Bad, but if due to size must set TC bit */
/* trim off the rrset neatly. */
@@ -573,7 +587,7 @@ insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
setstart = sldns_buffer_position(pkt);
if((r=packed_rrset_encode(rep->rrsets[rrsets_before+i],
pkt, num_rrs, timenow, region, 1, 0, tree,
- s, qtype, dnssec, rr_offset))
+ s, qtype, dnssec, rr_offset, compress_count))
!= RETVAL_OK) {
sldns_buffer_set_position(pkt, setstart);
return r;
@@ -584,7 +598,7 @@ insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
setstart = sldns_buffer_position(pkt);
if((r=packed_rrset_encode(rep->rrsets[rrsets_before+i],
pkt, num_rrs, timenow, region, 0, 1, tree,
- s, qtype, dnssec, rr_offset))
+ s, qtype, dnssec, rr_offset, compress_count))
!= RETVAL_OK) {
sldns_buffer_set_position(pkt, setstart);
return r;
@@ -677,6 +691,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
struct compress_tree_node* tree = 0;
int r;
size_t rr_offset;
+ size_t compress_count=0;
sldns_buffer_clear(buffer);
if(udpsize < sldns_buffer_limit(buffer))
@@ -723,7 +738,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
arep.rrsets = &qinfo->local_alias->rrset;
if((r=insert_section(&arep, 1, &ancount, buffer, 0,
timezero, region, &tree, LDNS_SECTION_ANSWER,
- qinfo->qtype, dnssec, rr_offset)) != RETVAL_OK) {
+ qinfo->qtype, dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
if(r == RETVAL_TRUNC) {
/* create truncated message */
sldns_buffer_write_u16_at(buffer, 6, ancount);
@@ -738,7 +753,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
/* insert answer section */
if((r=insert_section(rep, rep->an_numrrsets, &ancount, buffer,
0, timenow, region, &tree, LDNS_SECTION_ANSWER, qinfo->qtype,
- dnssec, rr_offset)) != RETVAL_OK) {
+ dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
if(r == RETVAL_TRUNC) {
/* create truncated message */
sldns_buffer_write_u16_at(buffer, 6, ancount);
@@ -756,7 +771,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
if((r=insert_section(rep, rep->ns_numrrsets, &nscount, buffer,
rep->an_numrrsets, timenow, region, &tree,
LDNS_SECTION_AUTHORITY, qinfo->qtype,
- dnssec, rr_offset)) != RETVAL_OK) {
+ dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
if(r == RETVAL_TRUNC) {
/* create truncated message */
sldns_buffer_write_u16_at(buffer, 8, nscount);
@@ -773,7 +788,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
if((r=insert_section(rep, rep->ar_numrrsets, &arcount, buffer,
rep->an_numrrsets + rep->ns_numrrsets, timenow, region,
&tree, LDNS_SECTION_ADDITIONAL, qinfo->qtype,
- dnssec, rr_offset)) != RETVAL_OK) {
+ dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
if(r == RETVAL_TRUNC) {
/* no need to set TC bit, this is the additional */
sldns_buffer_write_u16_at(buffer, 10, arcount);
--
2.47.0

9
SOURCES/unbound-anchor.service
View File

@ -1,9 +0,0 @@
[Unit]
Description=update of the root trust anchor for DNSSEC validation in unbound
Documentation=man:unbound-anchor(8)
[Service]
Type=oneshot
User=unbound
ExecStart=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R
SuccessExitStatus=1

1227
SOURCES/unbound.conf
View File

File diff suppressed because it is too large Load Diff

3
SOURCES/unbound.sysconfig
View File

@ -1,3 +0,0 @@
# for extra debug, add "-v -v" or change verbosity: in unbound.conf
UNBOUND_OPTIONS=""

0
SOURCES/block-example.com.conf → block-example.com.conf
View File

0
SOURCES/example.com.conf → example.com.conf
View File

0
SOURCES/example.com.key → example.com.key
View File

226
fedora-defaults.conf Normal file
View File

@ -0,0 +1,226 @@
# Fedora distribution defaults
server:
# verbosity number, 0 is least verbose. 1 is default.
verbosity: 1
# print statistics to the log (for every thread) every N seconds.
# Set to "" or 0 to disable. Default is disabled.
# Needs to be disabled for munin plugin
statistics-interval: 0
# enable cumulative statistics, without clearing them after printing.
# Needs to be disabled for munin plugin
statistics-cumulative: no
# enable extended statistics (query types, answer codes, status)
# Needs to be enabled for munin plugin
extended-statistics: yes
# number of threads to create. 1 disables threading.
# num-threads: 1
num-threads: 4
# specify the interfaces to answer queries from by ip-address.
# The default is to listen to localhost (127.0.0.1 and ::1).
# specify 0.0.0.0 and ::0 to bind to all available interfaces.
# specify every interface[@port] on a new 'interface:' labelled line.
# The listen interfaces are not changed on reload, only on restart.
# interface: 0.0.0.0
# interface: ::0
# interface: 192.0.2.153
# interface: 192.0.2.154
# interface: 192.0.2.154@5003
# interface: 2001:DB8::5
# interface: eth0@5003
#
# for dns over tls and raw dns over port 80
# interface: 0.0.0.0@443
# interface: ::0@443
# interface: 0.0.0.0@80
# interface: ::0@80
# enable this feature to copy the source address of queries to reply.
# Socket options are not supported on all platforms. experimental.
# interface-automatic: yes
#
# NOTE: Enable this option when specifying interface 0.0.0.0 or ::0
# NOTE: Disabled per Fedora policy not to listen to * on default install
# NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled
interface-automatic: no
# permit Unbound to use this port number or port range for
# making outgoing queries, using an outgoing interface.
# Only ephemeral ports are allowed by SElinux
outgoing-port-permit: 32768-60999
# IANA-assigned port numbers.
# If multiple outgoing-port-permit and outgoing-port-avoid options
# are present, they are processed in order.
# Our SElinux policy does not allow non-ephemeral ports to be used
outgoing-port-avoid: 0-32767
outgoing-port-avoid: 61000-65535
# use SO_REUSEPORT to distribute queries over threads.
# at extreme load it could be better to turn it off to distribute even.
so-reuseport: yes
# use IP_TRANSPARENT so the interface: addresses can be non-local
# and you can config non-existing IPs that are going to work later on
# (uses IP_BINDANY on FreeBSD).
ip-transparent: yes
# Enable UDP, "yes" or "no".
# NOTE: if setting up an Unbound on tls443 for public use, you might want to
# disable UDP to avoid being used in DNS amplification attacks.
# do-udp: yes
# Enable EDNS TCP keepalive option.
edns-tcp-keepalive: yes
# Fedora note: do not activate this - not compiled in because
# it causes frequent unbound crashes. Also, socket activation
# is bad when you have things like dnsmasq also running with libvirt.
# Use systemd socket activation for UDP, TCP, and control sockets.
# use-systemd: no
# If you give "" no chroot is performed. The path must not end in a /.
# chroot: "/etc/unbound"
chroot: ""
# If you give a server: directory: dir before include: file statements
# then those includes can be relative to the working directory.
directory: "/etc/unbound"
# print UTC timestamp in ascii to logfile, default is epoch in seconds.
log-time-ascii: yes
# Harden against unseemly large queries.
harden-large-queries: yes
# Default off, because the lookups burden the server. Experimental
# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
harden-referral-path: yes
# Sent minimum amount of information to upstream servers to enhance
# privacy. Only sent minimum required labels of the QNAME and set QTYPE
# to A when possible.
qname-minimisation: yes
# Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
# and other denials, using information from previous NXDOMAINs answers.
aggressive-nsec: yes
# threshold, a warning is printed and a defensive action is taken,
# the cache is cleared to flush potential poison out of it.
# A suggested value is 10000000, the default is 0 (turned off).
unwanted-reply-threshold: 10000000
# if yes, perform prefetching of almost expired message cache entries.
prefetch: yes
# if yes, perform key lookups adjacent to normal lookups.
prefetch-key: yes
# deny queries of type ANY with an empty response.
deny-any: yes
# if yes, Unbound rotates RRSet order in response.
rrset-roundrobin: yes
# if yes, Unbound doesn't insert authority/additional sections
# into response messages when those sections are not required.
minimal-responses: yes
# module configuration of the server. A string with identifiers
# separated by spaces. Syntax: "[dns64] [validator] iterator"
# most modules have to be listed at the beginning of the line,
# except cachedb(just before iterator), and python (at the beginning,
# or, just before the iterator).
# For redis cachedb use:
# "ipsecmod validator cachedb iterator"
module-config: "ipsecmod validator iterator"
# trust anchor signaling sends a RFC8145 key tag query after priming.
trust-anchor-signaling: yes
# Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
root-key-sentinel: yes
# the trusted-keys { name flag proto algo "key"; }; clauses are read.
# you need external update procedures to track changes in keys.
# trusted-keys-file: ""
#
trusted-keys-file: /etc/unbound/keys.d/*.key
auto-trust-anchor-file: "/var/lib/unbound/root.key"
# Should additional section of secure message also be kept clean of
# unsecure data. Useful to shield the users of this validator from
# potential bogus data in the additional section. All unsigned data
# in the additional section is removed from secure messages.
val-clean-additional: yes
# Turn permissive mode on to permit bogus messages. Thus, messages
# for which security checks failed will be returned to clients,
# instead of SERVFAIL. It still performs the security checks, which
# result in interesting log files and possibly the AD bit in
# replies if the message is found secure. The default is off.
# NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
val-permissive-mode: no
# Serve expired responses from cache, with serve-expired-reply-ttl in
# the response, and then attempt to fetch the data afresh.
serve-expired: yes
# Limit serving of expired responses to configured seconds after
# expiration. 0 disables the limit.
serve-expired-ttl: 14400
# Have the validator log failed validations for your diagnosis.
# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
val-log-level: 1
# service clients over TLS (on the TCP sockets) with plain DNS inside
# the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
# Give the certificate to use and private key.
# default is "" (disabled). requires restart to take effect.
# tls-service-key: "/etc/unbound/unbound_server.key"
# tls-service-pem: "/etc/unbound/unbound_server.pem"
# Fedora/RHEL: use system-wide crypto policies
tls-ciphers: "PROFILE=SYSTEM"
# Enable to attach Extended DNS Error codes (RFC8914) to responses.
# Fedora defaults to yes.
ede: yes
# Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale
# Answer as EDNS0 option to expired responses.
# Note that the ede option above needs to be enabled for this to work.
# Fedora defaults to yes.
ede-serve-expired: yes
# Enable or disable ipsecmod (it still needs to be defined in
# module-config above). Can be used when ipsecmod needs to be
# enabled/disabled via remote-control(below).
# Fedora: module will be enabled on-demand by libreswan
ipsecmod-enabled: no
# Path to executable external hook. It must be defined when ipsecmod is
# listed in module-config (above).
ipsecmod-hook: /usr/libexec/ipsec/_unbound-hook
python:
# Script file to load
# python-script: "/etc/unbound/ubmodule-tst.py"
# Remote control config section moved into own remote-control.conf
# the module-config then you need one dynlib-file per instance.
dynlib:
# Script file to load
# dynlib-file: "/etc/unbound/dynlib.so"
# Fedora: DNSCrypt support not enabled since it requires linking to
# another crypto library
#

0
SOURCES/icannbundle.pem → icannbundle.pem
View File

44
module-setup.sh Normal file
View File

@ -0,0 +1,44 @@
#!/usr/bin/bash
check() {
require_binaries unbound unbound-checkconf unbound-control || return 1
# the module will be only included if explicitly required either
# by configuration or another module
return 255
}
depends() {
# because of pid file we need sysusers to create unbound user
echo systemd systemd-sysusers
return 0
}
install() {
# We have to make unbound wanted by network-online target to make sure
# there is a synchronization point when other services are able
# to make queries
inst_simple "$moddir"/unbound-initrd.conf /etc/systemd/system/unbound.service.d/unbound-initrd.conf
# /etc and /var/lib do not have its variables
inst_multiple -o \
"$systemdsystemunitdir"/unbound.service \
/etc/unbound/conf.d/remote-control.conf \
/etc/unbound/openssl-sha1.conf \
/usr/share/unbound/fedora-defaults.conf \
/usr/share/unbound/conf.d/*.conf \
/etc/unbound/local.d/*.conf \
/etc/unbound/keys.d/*.key \
/etc/unbound/unbound.conf \
/etc/unbound/unbound_control.key \
/etc/unbound/unbound_control.pem \
/etc/unbound/unbound_server.key \
/etc/unbound/unbound_server.pem \
"$sysusers"/unbound.conf \
"$tmpfilesdir"/unbound.conf \
/var/lib/unbound/root.key \
unbound \
unbound-checkconf \
unbound-control
$SYSTEMCTL -q --root "$initdir" enable unbound.service
}

4
remote-control-include.conf Normal file
View File

@ -0,0 +1,4 @@
# Previous defaults allowed any process to change settings, CVE-2023-1488
# If you want to modify remote configuration, replace this file with
# contents of included file and modify afterwards.
include: "/usr/share/unbound/conf.d/remote-control.conf"

26
remote-control.conf Normal file
View File

@ -0,0 +1,26 @@
# Remote control config section update.
# Previous defaults allowed any process to change settings, CVE-2023-1488
# This file can be used also by: unbound-control -c <path>
remote-control:
# Enable remote control with unbound-control(8) here.
# set up the keys and certificates with unbound-control-setup.
control-enable: yes
# set to an absolute path to use a unix local name pipe, certificates
# are not used for that, so key and cert files need not be present.
control-interface: "/run/unbound/control"
# For local sockets this option is ignored, and TLS is not used.
control-use-cert: "yes"
# Unbound server key file.
server-key-file: "/etc/unbound/unbound_server.key"
# Unbound server certificate file.
server-cert-file: "/etc/unbound/unbound_server.pem"
# unbound-control key file.
control-key-file: "/etc/unbound/unbound_control.key"
# unbound-control certificate file.
control-cert-file: "/etc/unbound/unbound_control.pem"

0
SOURCES/root.anchor → root.anchor
View File

1
SOURCES/root.key → root.key
View File

@ -2,4 +2,5 @@
; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this
trusted-keys {
"." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326
};

1
sources Normal file
View File

@ -0,0 +1 @@
SHA512 (unbound-1.20.0.tar.gz) = 2f6bc76c03b71ca1c2cd2331dc72d62f51493d15e17c59af46b400e542fcabff22e6b9d33f750a3e5f918a0116f45afa760651b2d5aa2feadac151cbbd71b0bd

1
tmpfiles-unbound.conf Normal file
View File

@ -0,0 +1 @@
D /run/unbound 0775 unbound root -

16
unbound-1.20.0.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEE7fqj8spObrBWga+On28cLX4EX40FAmY7MtIACgkQn28cLX4E
X43TZw//UOLWFXCT36DydXV2gi8vAB9xIFOGj7LbfOSIu8mg2gOvxaBFcC3qb8iB
Wh4prktm+ANRyrmaDq5jlhG2JS0JGYCAGXntN8O09IZt8cx5s1N4UWOOOHp/XEcF
spQpohJlJMnDl+WuIW0rGUnME4mytEBd/HwIM2Q4XyhXOEQj4hEW1tGlNF1qNq5b
8KV5AbRa1OMPeaOaLUb3rg4Wll90twKnlVsdAga1GzYHYHIjbrvso8TbEAZQOzk1
Vu20zwNV1mFNRQcBhhkRBSirmZQ3p73HDT3j3yZZ7D2VaZyi1TQSNxCKAkBpM7NX
ZXBXHpYjf/9kei8vMeQBE4pIoXgcSAASyHh1FNZ8vzyklR8lP8grNtgn1R7ACryN
U1W+0Mh4gjZLjK4sgfouunqpuDpKnpb7a/b19D4fqGBYen+V/BBwARbdxPABs2fK
Y5kMnSIM3eZPZD2PnLEL8uqfuES1QZ9OkhGvEX9jhO3plYWzUDa7J/5eFqyUEpPc
zkAlQvJySW1T18U7YWPLM7ipsVIZc7XPkvEHpit6cSj7f4wUPurJio2glOHwXafZ
+mmzb7nFahTE6tmvOF3dBbvxRpzYtHI6qa1tNTVR9EFJsc8Bm9a8dcI6Jd4e6M2i
XWA32DOSppyEdLz3aEmpIQLT3VpSPRHuLB+slfi+xsBcwNJHL4w=
=mEBa
-----END PGP SIGNATURE-----

10
unbound-anchor.service Normal file
View File

@ -0,0 +1,10 @@
[Unit]
Description=update of the root trust anchor for DNSSEC validation in unbound
Documentation=man:unbound-anchor(8)
[Service]
Type=oneshot
User=unbound
EnvironmentFile=-/etc/sysconfig/unbound
ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ] || [ -f /run/unbound/anchor-disable ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi'
SuccessExitStatus=1

0
SOURCES/unbound-anchor.timer → unbound-anchor.timer
View File

118
unbound-as112-networks.conf Normal file
View File

@ -0,0 +1,118 @@
# Allow forwarding of private ranges, which are marked forwardable by IANA
# https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
# https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
# https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml
# RFC 6303: Locally Served DNS Zones (https://www.rfc-editor.org/rfc/rfc6303.html)
#
# Using this configuration file will simplify forwarding to potentially private ranges.
# Enables forwarding of networks marked as forwardable at IANA special registry.
# This is useful when upstream forwarder may be still inside private network. That is the case
# when unbound works as a localhost DNS cache, not network wide resolver.
server:
# RFC 8375: Special-Use Domain 'home.arpa.'
local-zone: "home.arpa." nodefault
# RFC 1918: Address Allocation for Private Internets
local-zone: "10.in-addr.arpa." nodefault
local-zone: "16.172.in-addr.arpa." nodefault
local-zone: "17.172.in-addr.arpa." nodefault
local-zone: "18.172.in-addr.arpa." nodefault
local-zone: "19.172.in-addr.arpa." nodefault
local-zone: "20.172.in-addr.arpa." nodefault
local-zone: "21.172.in-addr.arpa." nodefault
local-zone: "22.172.in-addr.arpa." nodefault
local-zone: "23.172.in-addr.arpa." nodefault
local-zone: "24.172.in-addr.arpa." nodefault
local-zone: "25.172.in-addr.arpa." nodefault
local-zone: "26.172.in-addr.arpa." nodefault
local-zone: "27.172.in-addr.arpa." nodefault
local-zone: "28.172.in-addr.arpa." nodefault
local-zone: "29.172.in-addr.arpa." nodefault
local-zone: "30.172.in-addr.arpa." nodefault
local-zone: "31.172.in-addr.arpa." nodefault
local-zone: "168.192.in-addr.arpa." nodefault
# RFC 6598: IANA-Reserved IPv4 Prefix for Shared Address Space
local-zone: "64.100.in-addr.arpa." nodefault
local-zone: "65.100.in-addr.arpa." nodefault
local-zone: "66.100.in-addr.arpa." nodefault
local-zone: "67.100.in-addr.arpa." nodefault
local-zone: "68.100.in-addr.arpa." nodefault
local-zone: "69.100.in-addr.arpa." nodefault
local-zone: "70.100.in-addr.arpa." nodefault
local-zone: "71.100.in-addr.arpa." nodefault
local-zone: "72.100.in-addr.arpa." nodefault
local-zone: "73.100.in-addr.arpa." nodefault
local-zone: "74.100.in-addr.arpa." nodefault
local-zone: "75.100.in-addr.arpa." nodefault
local-zone: "76.100.in-addr.arpa." nodefault
local-zone: "77.100.in-addr.arpa." nodefault
local-zone: "78.100.in-addr.arpa." nodefault
local-zone: "79.100.in-addr.arpa." nodefault
local-zone: "80.100.in-addr.arpa." nodefault
local-zone: "81.100.in-addr.arpa." nodefault
local-zone: "82.100.in-addr.arpa." nodefault
local-zone: "83.100.in-addr.arpa." nodefault
local-zone: "84.100.in-addr.arpa." nodefault
local-zone: "85.100.in-addr.arpa." nodefault
local-zone: "86.100.in-addr.arpa." nodefault
local-zone: "87.100.in-addr.arpa." nodefault
local-zone: "88.100.in-addr.arpa." nodefault
local-zone: "89.100.in-addr.arpa." nodefault
local-zone: "90.100.in-addr.arpa." nodefault
local-zone: "91.100.in-addr.arpa." nodefault
local-zone: "92.100.in-addr.arpa." nodefault
local-zone: "93.100.in-addr.arpa." nodefault
local-zone: "94.100.in-addr.arpa." nodefault
local-zone: "95.100.in-addr.arpa." nodefault
local-zone: "96.100.in-addr.arpa." nodefault
local-zone: "97.100.in-addr.arpa." nodefault
local-zone: "98.100.in-addr.arpa." nodefault
local-zone: "99.100.in-addr.arpa." nodefault
local-zone: "100.100.in-addr.arpa." nodefault
local-zone: "101.100.in-addr.arpa." nodefault
local-zone: "102.100.in-addr.arpa." nodefault
local-zone: "103.100.in-addr.arpa." nodefault
local-zone: "104.100.in-addr.arpa." nodefault
local-zone: "105.100.in-addr.arpa." nodefault
local-zone: "106.100.in-addr.arpa." nodefault
local-zone: "107.100.in-addr.arpa." nodefault
local-zone: "108.100.in-addr.arpa." nodefault
local-zone: "109.100.in-addr.arpa." nodefault
local-zone: "110.100.in-addr.arpa." nodefault
local-zone: "111.100.in-addr.arpa." nodefault
local-zone: "112.100.in-addr.arpa." nodefault
local-zone: "113.100.in-addr.arpa." nodefault
local-zone: "114.100.in-addr.arpa." nodefault
local-zone: "115.100.in-addr.arpa." nodefault
local-zone: "116.100.in-addr.arpa." nodefault
local-zone: "117.100.in-addr.arpa." nodefault
local-zone: "118.100.in-addr.arpa." nodefault
local-zone: "119.100.in-addr.arpa." nodefault
local-zone: "120.100.in-addr.arpa." nodefault
local-zone: "121.100.in-addr.arpa." nodefault
local-zone: "122.100.in-addr.arpa." nodefault
local-zone: "123.100.in-addr.arpa." nodefault
local-zone: "124.100.in-addr.arpa." nodefault
local-zone: "125.100.in-addr.arpa." nodefault
local-zone: "126.100.in-addr.arpa." nodefault
local-zone: "127.100.in-addr.arpa." nodefault
# RFC 4193: Unique Local IPv6 Unicast Addresses
local-zone: "d.f.ip6.arpa." nodefault
# RFC 2606: Reserved Top Level DNS Names
local-zone: "test." nodefault
domain-insecure: "test"
domain-insecure: "example"
# RFC 6762: Multicast DNS, Appendix G
domain-insecure: "local"
domain-insecure: "intranet"
domain-insecure: "private"
domain-insecure: "corp"
domain-insecure: "home"
domain-insecure: "lan"
# draft-davies-internal-tld
domain-insecure: "internal"

113
unbound-fedora-config.patch Normal file
View File

@ -0,0 +1,113 @@
From 56187754cbd38f3623b56d9dc97fbe4b5b5d87e8 Mon Sep 17 00:00:00 2001
From: Tomas Korbar <tkorbar@redhat.com>
Date: Tue, 4 Feb 2025 09:48:12 +0100
Subject: [PATCH 1/1] Customize unbound.conf for Fedora defaults
Set some Fedora/RHEL specific changes to example configuration file. By
patching upstream provided config file we would not need to manually
update external copy in source RPM.
---
unbound-1.20.0/doc/example.conf.in | 33 ++++++++++++++++++++++++++++--
1 file changed, 31 insertions(+), 2 deletions(-)
diff --git a/unbound-1.20.0/doc/example.conf.in b/unbound-1.20.0/doc/example.conf.in
index 0368c8d..3ca085e 100644
--- a/unbound-1.20.0/doc/example.conf.in
+++ b/unbound-1.20.0/doc/example.conf.in
@@ -51,11 +51,19 @@ server:
# specify 0.0.0.0 and ::0 to bind to all available interfaces.
# specify every interface[@port] on a new 'interface:' labelled line.
# The listen interfaces are not changed on reload, only on restart.
+ # interface: 0.0.0.0
+ # interface: ::0
# interface: 192.0.2.153
# interface: 192.0.2.154
# interface: 192.0.2.154@5003
# interface: 2001:DB8::5
# interface: eth0@5003
+ #
+ # for dns over tls and raw dns over port 80
+ # interface: 0.0.0.0@443
+ # interface: ::0@443
+ # interface: 0.0.0.0@80
+ # interface: ::0@80
# enable this feature to copy the source address of queries to reply.
# Socket options are not supported on all platforms. experimental.
@@ -276,6 +284,8 @@ server:
# nat64-prefix: 64:ff9b::0/96
# Enable UDP, "yes" or "no".
+ # NOTE: if setting up an Unbound on tls443 for public use, you might want to
+ # disable UDP to avoid being used in DNS amplification attacks.
# do-udp: yes
# Enable TCP, "yes" or "no".
@@ -311,6 +321,9 @@ server:
# can be dropped. Default is 0, disabled. In seconds, such as 3.
# sock-queue-timeout: 0
+ # Fedora note: do not activate this - not compiled in because
+ # it causes frequent unbound crashes. Also, socket activation
+ # is bad when you have things like dnsmasq also running with libvirt.
# Use systemd socket activation for UDP, TCP, and control sockets.
# use-systemd: no
@@ -890,6 +903,8 @@ server:
# you need to do the reverse notation yourself.
# local-data-ptr: "192.0.2.3 www.example.com"
+ include: /etc/unbound/local.d/*.conf
+
# tag a localzone with a list of tag names (in "" with spaces between)
# local-zone-tag: "example.com" "tag2 tag3"
@@ -900,8 +915,8 @@ server:
# the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
# Give the certificate to use and private key.
# default is "" (disabled). requires restart to take effect.
- # tls-service-key: "path/to/privatekeyfile.key"
- # tls-service-pem: "path/to/publiccertfile.pem"
+ # tls-service-key: "/etc/unbound/unbound_server.key"
+ # tls-service-pem: "/etc/unbound/unbound_server.pem"
# tls-port: 853
# https-port: 443
@@ -1141,6 +1156,12 @@ remote-control:
# unbound-control certificate file.
# control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
+# Default Fedora settings
+include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf"
+
+# Stub and Forward zones
+include: "@sysconfdir@/unbound/conf.d/*.conf"
+
# Stub zones.
# Create entries like below, to make all queries for 'example.com' and
# 'example.org' go to the given list of nameservers. list zero or more
@@ -1161,6 +1182,10 @@ remote-control:
# name: "example.org"
# stub-host: ns.example.com.
+# You can now also dynamically create and delete stub-zone's using
+# unbound-control stub_add domain.com 1.2.3.4 5.6.7.8
+# unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8
+
# Forward zones
# Create entries like below, to make all queries for 'example.com' and
# 'example.org' go to the given list of servers. These servers have to handle
@@ -1178,6 +1203,10 @@ remote-control:
# forward-zone:
# name: "example.org"
# forward-host: fwd.example.com
+#
+# You can now also dynamically create and delete forward-zone's using
+# unbound-control forward_add domain.com 1.2.3.4 5.6.7.8
+# unbound-control forward_remove domain.com 1.2.3.4 5.6.7.8
# Authority zones
# The data for these zones is kept locally, from a file or downloaded.
--
2.48.1

5
unbound-initrd.conf Normal file
View File

@ -0,0 +1,5 @@
[Unit]
Before=network-online.target
[Install]
WantedBy=network-online.target

0
SOURCES/unbound-keygen.service → unbound-keygen.service
View File

30
unbound-local-root.conf Normal file
View File

@ -0,0 +1,30 @@
# Authority zones
# The data for these zones is kept locally, from a file or downloaded.
# The data can be served to downstream clients, or used instead of the
# upstream (which saves a lookup to the upstream).
#
# Download local root copy and answer TLD queries from it. Because
# auth-zone has higher precedence, defined forward-zones to internal
# only TLD will not work. Use stub-zone or disable this zone.
# Good for a network-wide resolvers, worse for a localhost caching forwarder.
auth-zone:
name: "."
primary: 170.247.170.2 # b.root-servers.net
primary: 192.33.4.12 # c.root-servers.net
primary: 199.7.91.13 # d.root-servers.net
primary: 192.5.5.241 # f.root-servers.net
primary: 192.112.36.4 # g.root-servers.net
primary: 193.0.14.129 # k.root-servers.net
primary: 192.0.47.132 # xfr.cjr.dns.icann.org
primary: 192.0.32.132 # xfr.lax.dns.icann.org
primary: 2801:1b8:10::b # b.root-servers.net
primary: 2001:500:2::c # c.root-servers.net
primary: 2001:500:2d::d # d.root-servers.net
primary: 2001:500:2f::f # f.root-servers.net
primary: 2001:500:12::d0d # g.root-servers.net
primary: 2001:7fd::1 # k.root-servers.net
primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org
fallback-enabled: yes
for-downstream: no
for-upstream: yes

0
SOURCES/unbound-munin.README → unbound-munin.README
View File

0
SOURCES/unbound.munin → unbound.munin
View File

10
SOURCES/unbound.service → unbound.service
View File

@ -1,19 +1,23 @@
[Unit]
Description=Unbound recursive Domain Name Server
After=network.target
# Use ip-freebind: yes or add After=network-online.target, rhbz#2338429,
# if interface: specifies exact address, not localhost nor wildcard
#After=network-online.target
After=unbound-keygen.service
Wants=unbound-keygen.service
Wants=unbound-anchor.timer
After=unbound-anchor.service
Wants=unbound-anchor.service
Before=nss-lookup.target
Wants=nss-lookup.target
[Service]
Type=simple
Type=notify
EnvironmentFile=-/etc/sysconfig/unbound
ExecStartPre=/usr/sbin/unbound-checkconf
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_UNBOUND_ANCHOR" == "yes" ]; then /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R; else echo "Updates of root keys with unbound-anchor is disabled"; fi'
ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
ExecReload=/usr/sbin/unbound-control reload
Restart=on-abnormal
[Install]
WantedBy=multi-user.target

648
SPECS/unbound.spec → unbound.spec
View File

@ -1,6 +1,20 @@
## START: Set by rpmautospec
## (rpmautospec version 0.6.5)
## RPMAUTOSPEC: autorelease, autochangelog
%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
release_number = 9;
base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
print(release_number + base_release_number - 1);
}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
## END: Set by rpmautospec
%{?!with_python2: %global with_python2 0}
%{?!with_python3: %global with_python3 1}
%{?!with_munin: %global with_munin 1}
%bcond_without dnstap
%bcond_without systemd
%bcond_without doh
%bcond_with redis
%global _hardened_build 1
@ -8,38 +22,30 @@
%if 0%{with_python2}
%global python_primary %{__python2}
%endif # with_python2
%endif
%if 0%{with_python3}
%global python_primary %{__python3}
%endif # with_python3
%endif
%if 0%{?rhel}
%global with_munin 0
%if 0%{?with_python2} && 0%{?rhel} <= 6
# needed just for EPEL
%{!?__python2: %global __python2 /usr/bin/python2}
%{!?python2_sitelib: %global python2_sitelib %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")}
%{!?python2_sitearch: %global python2_sitearch %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
%endif # with_python2 && rhel <= 6
%if 0%{?rhel} <= 7
%global with_python3 0
%else
%global with_python2 0
%endif # rhel <= 7
%endif # rhel
%endif
%endif
Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound
Version: 1.16.2
Release: 5.8%{?extra_version:.%{extra_version}}%{?dist}
License: BSD
Url: https://www.unbound.net/
Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
Version: 1.20.0
Release: %autorelease %{?extra_version:-e %{extra_version}}
License: BSD-3-Clause
Url: https://nlnetlabs.nl/projects/unbound/
Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
Source1: unbound.service
Source2: unbound.conf
Source3: unbound.munin
Source4: unbound_munin_
Source5: root.key
@ -55,38 +61,58 @@ Source15: unbound-anchor.timer
Source16: unbound-munin.README
Source17: unbound-anchor.service
Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
# source: https://nlnetlabs.nl/people/
Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
Source20: unbound.sysusers
Source21: remote-control.conf
Source22: unbound-as112-networks.conf
Source23: unbound-local-root.conf
Source24: remote-control-include.conf
Source25: fedora-defaults.conf
Source26: module-setup.sh
Source27: unbound-initrd.conf
# Reverts ABI change done in version 1.8.0 (bz#2027735)
# Makes possible backward binary compatibility with a new features
Patch1: unbound-1.15-soversion2-compat.patch
Patch2: unbound-1.15-source-compat.patch
# https://github.com/NLnetLabs/unbound/commit/137719522a8ea5b380fbb6206d2466f402f5b554
Patch3: unbound-1.16-CVE-2022-3204.patch
# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2023-50387_CVE-2023-50868.diff
Patch4: unbound-1.16-CVE-2023-50387-CVE-2023-50868.patch
# https://github.com/NLnetLabs/unbound/commit/b7c61d7cc256d6a174e6179622c7fa968272c259
Patch5: unbound-1.21-CVE-2024-8508.patch
# Downstream configuration changes
Patch1: unbound-fedora-config.patch
BuildRequires: gdb
BuildRequires: gcc, make
BuildRequires: byacc, flex, openssl-devel
BuildRequires: flex, openssl-devel
BuildRequires: libevent-devel expat-devel
BuildRequires: pkgconfig
%if 0%{?fedora}
BuildRequires: gnupg2
%endif
%if 0%{with_python2}
BuildRequires: python2-devel swig
%endif # with_python
%endif
%if 0%{with_python3}
BuildRequires: python3-devel swig
%endif # with_python3
%endif
%if %{with dnstap}
BuildRequires: fstrm-devel protobuf-c-devel
%endif
%if %{with systemd}
BuildRequires: systemd-devel
%endif
%if %{with doh}
BuildRequires: libnghttp2-devel
%endif
%if %{with redis}
BuildRequires: hiredis-devel
%endif
%if 0%{?fedora} >= 30 || 0%{?rhel} >= 9
BuildRequires: systemd-rpm-macros
%else
BuildRequires: systemd
%endif
# Required for SVN versions
BuildRequires: bison
BuildRequires: automake autoconf libtool
# BuildRequires: bison
# BuildRequires: automake autoconf libtool
%{?systemd_requires}
# Needed because /usr/sbin/unbound links unbound libs staticly
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-anchor%{?_isa} = %{version}-%{release}
Recommends: %{name}-utils%{?_isa} = %{version}-%{release}
# unbound-keygen.service requires it, bug #2116790
Requires: openssl
@ -122,11 +148,31 @@ The devel package contains the unbound library and the include files
%package libs
Summary: Libraries used by the unbound server and client applications
%{?systemd_requires}
Requires(pre): shadow-utils
Recommends: %{name}-anchor
%{?sysusers_requires_compat}
%if ! 0%{with_python2}
# Make explicit conflict with no longer provided python package
Obsoletes: python2-unbound < 1.9.3
%endif
%description libs
Contains libraries used by the unbound server and client applications
Contains libraries used by the unbound server and client applications.
%package anchor
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Summary: DNSSEC trust anchor maintaining tool
%description anchor
Contains tool maintaining trust anchor using RFC 5011 key rollover algorithm.
%package utils
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Summary: Unbound DNS lookup utilities
%description utils
Contains tools for making DNS queries. Can make queries to DNS servers
also over TLS connection or validate DNSSEC signatures. Similar to
bind-utils.
%if 0%{with_python2}
%package -n python2-unbound
@ -138,19 +184,34 @@ Obsoletes: unbound-python < %{version}-%{release}
%description -n python2-unbound
Python 2 modules and extensions for unbound
%endif # with_python
%endif
%if 0%{with_python3}
%package -n python3-unbound
Summary: Python 3 modules and extensions for unbound
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%if ! 0%{with_python2}
# Make explicit conflict with no longer provided python package
Conflicts: python2-unbound < 1.9.3
%endif
%description -n python3-unbound
Python 3 modules and extensions for unbound
%endif # with_python3
%endif
%package dracut
Summary: Unbound dracut module
Requires: dracut%{?_isa}
Requires: %{name}%{?_isa} = %{version}-%{release}
%description dracut
Unbound dracut module allowing use of Unbound for name resolution
in initramfs.
%prep
%if 0%{?fedora}
%{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}'
%endif
%global pkgname %{name}-%{version}%{?extra_version}
%if 0%{with_python2} && 0%{with_python3}
@ -160,21 +221,28 @@ Python 3 modules and extensions for unbound
%global python_secondary %{__python2}
%else
%global dir_primary %{pkgname}
%endif # with_python2 && with_python3
%endif
%setup -qcn %{pkgname}
%autosetup -c -N -n %{pkgname}
pushd %{pkgname}
# patches go here
%autopatch -p2
%patch1 -p2 -b .solib2-compat
%patch2 -p1 -b .srccompat
%patch3 -p2 -b .CVE-2022-3204
%patch4 -p2 -b .CVE-2023-50387-CVE-2023-50868
%patch5 -p2 -b .CVE-2024-8508
# only for snapshots
# autoreconf -iv
# copy common doc files - after here, since it may be patched
cp -pr doc pythonmod libunbound ../
%if 0%{?rhel} > 8
# SHA-1 breaks some tests. Disable just some tests because of that.
# This got broken in ELN
ls testdata/*.rpl
for TEST in autotrust_init_fail autotrust_init_failsig; do
mv testdata/${TEST}.rpl{,-disabled}
done
%endif
popd
%if 0%{with_python2} && 0%{with_python3}
@ -183,30 +251,49 @@ cp -a %{dir_primary} %{dir_secondary}
%endif
%build
# This is needed to rebuild the configure script to support Python 3.x
# autoreconf -iv
# ./configure script common arguments
%global configure_args --with-libevent --with-pthreads --with-ssl \\\
--disable-rpath --disable-static \\\
--enable-relro-now --enable-pie \\\
--enable-subnet --enable-ipsecmod \\\
--with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\
--with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \\\
--with-share-dir=%{_datadir}/%{name} \\\
--with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\
--enable-sha2 --disable-gost --enable-ecdsa \\\
--with-rootkey-file=%{_sharedstatedir}/unbound/root.key \\\
--enable-linux-ip-local-port-range
--with-rootkey-file=%{_sharedstatedir}/%{name}/root.key \\\
--with-username=unbound \\\
--enable-linux-ip-local-port-range \\\
pushd %{dir_primary}
# configure.ac is modified, force refresh
autoreconf -fiv
%configure \
%if 0%{?python_primary:1}
--with-pythonmodule --with-pyunbound PYTHON=%{python_primary} \
%endif # python_primary
%endif
%if %{with dnstap}
--enable-dnstap \
%endif
%if %{with systemd}
--enable-systemd \
%endif
%if %{with doh}
--with-libnghttp2 \
%endif
%if 0%{?rhel}
--disable-sha1 \
%endif
%if %{with redis}
--with-libhiredis \
--enable-cachedb \
%endif
%{configure_args}
%{__make} %{?_smp_mflags}
%{__make} %{?_smp_mflags} streamtcp
%make_build
%make_build streamtcp
popd
@ -214,11 +301,17 @@ popd
pushd %{dir_secondary}
%configure \
--with-pythonmodule --with-pyunbound PYTHON=%{python_secondary} \
%if %{with dnstap}
--enable-dnstap \
%endif
%if %{with systemd}
--enable-systemd \
%endif
%{configure_args}
%{__make} %{?_smp_mflags}
%make_build
popd
%endif # python_secondary
%endif
%install
@ -227,13 +320,14 @@ install -p -m 0644 %{SOURCE16} .
%if 0%{?python_secondary:1}
# install first secondary build. It will be overwritten by primary
pushd %{dir_secondary}
%{__make} DESTDIR=%{buildroot} unbound-event-install install
%make_install unbound-event-install
popd
%endif # python_secondary
%endif
pushd %{dir_primary}
%{__make} DESTDIR=%{buildroot} unbound-event-install install
%make_install unbound-event-install
install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp
install -p -m 0755 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf
popd
install -d -m 0755 %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig
@ -241,9 +335,9 @@ install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service
install -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/unbound-keygen.service
install -p -m 0644 %{SOURCE15} %{buildroot}%{_unitdir}/unbound-anchor.timer
install -p -m 0644 %{SOURCE17} %{buildroot}%{_unitdir}/unbound-anchor.service
install -p -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound
install -p -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/unbound
install -p -m 0644 %{SOURCE14} %{buildroot}%{_sysconfdir}/sysconfig/unbound
install -p -D -m 0644 %{SOURCE20} %{buildroot}%{_sysusersdir}/%{name}.conf
%if %{with_munin}
# Install munin plugin and its softlinks
install -d -m 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d
@ -268,7 +362,12 @@ install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf
# install root - we keep a copy of the root key in old location,
# in case user has changed the configuration and we wouldn't update it there
install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/
install -m 0644 %{SOURCE13} %{buildroot}%{_sharedstatedir}/unbound/root.key
install -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/unbound/dnssec-root.key
# make initial key static
pushd %{buildroot}%{_sharedstatedir}/unbound
KEYPATH=$(realpath --relative-to="%{buildroot}%{_sharedstatedir}/unbound" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key")
ln -s "$KEYPATH" root.key
popd
# remove static library from install (fedora packaging guidelines)
rm %{buildroot}%{_libdir}/*.la
@ -276,13 +375,13 @@ rm %{buildroot}%{_libdir}/*.la
%if 0%{with_python2}
rm %{buildroot}%{python2_sitearch}/*.la
%endif # with_python
%endif
%if 0%{with_python3}
rm %{buildroot}%{python3_sitearch}/*.la
%endif # with_python3
%endif
mkdir -p %{buildroot}%{_localstatedir}/run/unbound
mkdir -p %{buildroot}%{_rundir}/unbound
# Install directories for easier config file drop in
@ -290,25 +389,32 @@ mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d}
install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/
install -p -m 0644 %{SOURCE24} %{buildroot}%{_sysconfdir}/unbound/conf.d/remote-control.conf
mkdir -p %{buildroot}%{_datadir}/%{name}/conf.d
install -p -m 0644 %{SOURCE21} %{buildroot}%{_datadir}/%{name}/conf.d/
install -p -m 0644 %{SOURCE22} %{buildroot}%{_datadir}/%{name}/conf.d/
install -p -m 0644 %{SOURCE23} %{buildroot}%{_datadir}/%{name}/conf.d/
install -p -m 0644 %{SOURCE25} %{buildroot}%{_datadir}/%{name}/
# Link unbound-control-setup.8 manpage to unbound-control.8
echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
# install dracut module
mkdir -p %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
install -p -m 0755 %{SOURCE26} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
install -p -m 0644 %{SOURCE27} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
%pre libs
getent group unbound >/dev/null || groupadd -r unbound
getent passwd unbound >/dev/null || \
useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \
-c "Unbound DNS resolver" unbound
%sysusers_create_compat %{SOURCE20}
%post
%systemd_post unbound.service
%systemd_post unbound-keygen.service
%post libs
%{?ldconfig}
%systemd_post unbound-anchor.timer
%post anchor
%systemd_post unbound-anchor.service unbound-anchor.timer
# start the timer only if installing the package to prevent starting it, if it was stopped on purpose
if [ "$1" -eq 1 ]; then
# the Unit is in presets, but would be started after reboot
@ -319,27 +425,15 @@ fi
%systemd_preun unbound.service
%systemd_preun unbound-keygen.service
%preun libs
%systemd_preun unbound-anchor.timer
%preun anchor
%systemd_preun unbound-anchor.service unbound-anchor.timer
%postun
%systemd_postun_with_restart unbound.service
%systemd_postun unbound-keygen.service
%postun libs
%{?ldconfig}
%systemd_postun_with_restart unbound-anchor.timer
%triggerun -- unbound < 1.4.12-4
# Save the current service runlevel info
# User must manually run systemd-sysv-convert --apply unbound
# to migrate them to systemd targets
/usr/bin/systemd-sysv-convert --save unbound >/dev/null 2>&1 ||:
# Run these because the SysV package being removed won't do them
/sbin/chkconfig --del unbound >/dev/null 2>&1 || :
/bin/systemctl try-restart unbound.service >/dev/null 2>&1 || :
/bin/systemctl try-restart unbound-keygen.service >/dev/null 2>&1 || :
%postun anchor
%systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer
%check
pushd %{dir_primary}
@ -358,17 +452,16 @@ pushd %{dir_secondary}
#popd
make check
popd
%endif # python_secondary
%endif
%files
%doc doc/CREDITS doc/FEATURES
%{_unitdir}/%{name}.service
%{_unitdir}/%{name}-keygen.service
%attr(0755,unbound,unbound) %dir %{_localstatedir}/run/%{name}
%attr(0775,unbound,root) %dir %{_rundir}/%{name}
%attr(0644,root,root) %{_tmpfilesdir}/unbound.conf
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
%dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d
%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d/*.key
%dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/conf.d
@ -383,9 +476,7 @@ popd
%{_sbindir}/unbound-checkconf
%{_sbindir}/unbound-control
%{_sbindir}/unbound-control-setup
%{_sbindir}/unbound-host
%{_sbindir}/unbound-streamtcp
%{_mandir}/man1/*
%{_datadir}/%{name}/
%{_mandir}/man5/*
%exclude %{_mandir}/man8/unbound-anchor*
%{_mandir}/man8/*
@ -424,114 +515,299 @@ popd
%doc doc/README
%license doc/LICENSE
%attr(0755,root,root) %dir %{_sysconfdir}/%{name}
%{_sbindir}/unbound-anchor
%{_libdir}/libunbound.so.*
%{_mandir}/man8/unbound-anchor*
%{_sysconfdir}/%{name}/icannbundle.pem
%{_unitdir}/unbound-anchor.timer
%{_unitdir}/unbound-anchor.service
%{_sysusersdir}/%{name}.conf
%{_libdir}/libunbound.so.8*
%dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
%attr(0644,unbound,unbound) %config %{_sharedstatedir}/%{name}/root.key
%config(noreplace) %verify(not link user group) %{_sharedstatedir}/%{name}/root.key
# just left for backwards compat with user changed unbound.conf files - format is different!
%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
# modification of root.key is maintained by unbound-achor.service and is intentional, so let rpm know
%verify(not md5 size mtime) %{_sharedstatedir}/%{name}/root.key
%attr(0644,root,root) %config %{_sysconfdir}/%{name}/dnssec-root.key
%files anchor
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
%{_sbindir}/unbound-anchor
%{_mandir}/man8/unbound-anchor*
# icannbundle and root.key(s) should be replaced from package
# intentionally not using noreplace
%config %{_sysconfdir}/%{name}/icannbundle.pem
%{_unitdir}/unbound-anchor.timer
%{_unitdir}/unbound-anchor.service
%files utils
%{_sbindir}/unbound-host
%{_sbindir}/unbound-streamtcp
%{_mandir}/man1/unbound-*
%files dracut
%{_prefix}/lib/dracut/modules.d/99unbound
%changelog
* Tue Nov 12 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.8
- Prevent unbounded name compression (CVE-2024-8508)
## START: Generated by rpmautospec
* Mon Feb 10 2025 Tomas Korbar <tkorbar@redhat.com> - 1.20.0-9
- Add possibility to disable unbound-anchor by file presence
* Tue May 28 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.7
- Rebuild to propagate to CentOS Stream (RHEL-25500)
* Fri Feb 07 2025 Tomas Korbar <tkorbar@redhat.com> - 1.20.0-8
- Change service type to notify
* Mon Mar 11 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.6
- Ensure group access correction reaches also updated configs (CVE-2024-1488)
* Tue Feb 04 2025 Tomas Korbar <tkorbar@redhat.com> - 1.20.0-7
- Enabled libsystemd and change unbound service type to notify-reload
* Wed Feb 28 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.3
- Ensure only unbound group can change configuration (CVE-2024-1488)
* Tue Feb 04 2025 Tomas Korbar <tkorbar@redhat.com> - 1.20.0-6
- Add dracut module
* Fri Feb 16 2024 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-5.1
- Fix KeyTrap - Extreme CPU consumption in DNSSEC validator CVE-2023-50387
- Fix Preparing an NSEC3 closest encloser proof can exhaust CPU resources CVE-2023-50868
- Resolves: RHEL-25428
- Resolves: RHEL-25423
* Tue Feb 04 2025 Tomas Korbar <tkorbar@redhat.com> - 1.20.0-5
- Use ip-freebind: yes or add After=network-online.target
* Sat Oct 15 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-5
- Stop creating wrong devel manual pages (#2135322)
* Tue Feb 04 2025 Tomas Korbar <tkorbar@redhat.com> - 1.20.0-4
- Move defaults to separate configuration file
* Sat Oct 15 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-4
- Apply correctly previous change (CVE-2022-3204)
* Tue Feb 04 2025 Tomas Korbar <tkorbar@redhat.com> - 1.20.0-3
- Deactivate automatic root zone fetching
* Tue Oct 11 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-3
- Fix NRDelegation attack leading to uncontrolled resource consumption
(CVE-2022-3204)
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1.20.0-2
- Bump release for October 2024 mass rebuild:
* Tue Jul 02 2024 Petr Menšík <pemensik@redhat.com> - 1.20.0-1
- Update to 1.20.0
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.19.0-10
- Bump release for June 2024 mass rebuild
* Tue May 28 2024 psklenar@redhat.com <psklenar@redhat.com> - 1.19.0-9
- c10s init plans for unbound
* Mon Jan 29 2024 Petr Menšík <pemensik@redhat.com> - 1.19.0-8
- Always auto-restart on crash events
* Mon Jan 29 2024 Petr Menšík <pemensik@redhat.com> - 1.19.0-7
- Update address of b.root-servers.net (#2253461)
* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.19.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Thu Nov 02 2023 Petr Menšík <pemensik@redhat.com> - 1.19.0-1
- Update to 1.19.0 (#2248686)
* Wed Sep 06 2023 Petr Menšík <pemensik@redhat.com> - 1.18.0-2
- Skip failing tests on ELN builds
* Fri Sep 01 2023 Petr Menšík <pemensik@redhat.com> - 1.18.0-1
- Update to 1.18.0 (#2236097)
* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.17.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 1.17.1-3
- Rebuilt for Python 3.12
* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.17.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Fri Jan 13 2023 Paul Wouters <paul.wouters@aiven.io - 1.17.1-1
- Resolved rhbz#2160397 unbound-1.17.1 is available (bugfix release)
- Add support for building with redis
* Thu Dec 01 2022 Petr Menšík <pemensik@redhat.com> - 1.17.0-2
- Move unbound user creation to libs (#2149036)
- Use systemd-sysusers for user creation (#2105416)
- Keep original DNSSEC root key as config (#2132103)
* Tue Nov 01 2022 Petr Menšík <pemensik@redhat.com> - 1.17.0-1
- Update to 1.17.0 (#2134348)
* Wed Oct 05 2022 Petr Menšík <pemensik@redhat.com> - 1.16.3-3
- Correct issues made by unbound-anchor package split (#2110858)
* Fri Sep 30 2022 Petr Menšík <pemensik@redhat.com> - 1.16.3-2
- Update License tag to SPDX identifier
* Fri Sep 23 2022 Petr Menšík <pemensik@redhat.com> - 1.16.3-1
- Update to 1.16.3 (#2128638)
* Tue Aug 09 2022 Paul Wouters <pwouters@redhat.com> - 1.16.2-3
- sync up to upstream unbound.conf
- Enable Extended DNS Error codes (RFC8914)
* Tue Aug 09 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-2
- Require openssl tool for unbound-keygen (#2018806)
- Require openssl tool for unbound-keygen (#2116790)
* Wed Aug 03 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-1
- Update to 1.16.2 (#2027735)
- Update to 1.16.2 (#2105947) for CVE-2022-30698 and CVE-2022-30699
* Wed Jun 15 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-2
- Restart keygen service before every unbound start (#1959468)
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.16.0-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Wed Jun 15 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-1
- Upgrade to 9.16.0 (#2027735)
- Update to recent version with compatibility with RHEL8 (#2027735)
- Ensure also source level compatibility with previous version
* Mon Jun 27 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-6
- Move unbound-anchor to separate package
- Move unbound-host and unbound-streamtcp to unbound-utils package
* Thu May 19 2022 Richard Lescak <rlescak@gmail.com> - 1.7.3-18
- Change file mode before owner when configuring remote control unix socket to avoid AVC denials
- Resolves: rhbz#2038251
* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 1.16.0-5
- Rebuilt for Python 3.11
* Mon Apr 26 2021 Artem Egorenkov <aegorenk@redhat.com> - 1.7.3-17
* Tue Jun 07 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-4
- Restart keygen service before every unbound start
* Sat Jun 04 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-1
- Update to 1.16.0
* Tue Apr 26 2022 Petr Menšík <pemensik@redhat.com> - 1.15.0-3
- Stop creating wrong devel manual pages (#2078929)
* Wed Apr 20 2022 Petr Menšík <pemensik@redhat.com> - 1.15.0-2
- Update icannbundle.pem
* Tue Mar 29 2022 Petr Menšík <pemensik@redhat.com> - 1.15.0-1
- Update to 1.15.0 (#2030608)
* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.13.2-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Sat Nov 06 2021 Adrian Reber <adrian@lisas.de> - 1.13.2-4
- Rebuilt for protobuf 3.19.0
* Mon Oct 25 2021 Adrian Reber <adrian@lisas.de> - 1.13.2-3
- Rebuilt for protobuf 3.18.1
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 1.13.2-2
- Rebuilt with OpenSSL 3.0.0
* Thu Aug 12 2021 Paul Wouters <paul.wouters@aiven.io> - 1.13.2-1
- Resolves: rhbz#1992985 unbound-1.13.2 is available
- Use system-wide crypto policies
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.13.1-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Wed Jun 02 2021 Python Maint <python-maint@redhat.com> - 1.13.1-7
- Rebuilt for Python 3.10
* Fri Apr 23 2021 Artem Egorenkov <aegorenk@redhat.com> - 1.13.1-6
- Option --enable-linux-ip-local-port-range added to use system configured port range for libunbound on Linux
- Resolves: rhbz#1830625
- Resolves: rhbz#1935101
* Tue Apr 06 2021 Artem Egorenkov <aegorenk@redhat.com> - 1.7.3-16
* Tue Apr 13 2021 Paul Wouters <pwouters@redhat.com> - 1.13.1-5
- Fix unbound.service to use After=network-online.target
* Tue Apr 06 2021 Artem Egorenkov <aegorenk@redhat.com> - 1.13.1-4
- Don't start unbound-anchor before unbound service if DISABLE_UNBOUND_ANCHOR
environment variable equals to "yes"
- Resolves: rhbz#1922448
* Tue Sep 01 2020 Anna Khaitovich <akhaitov@redhat.com> - 1.7.3-15
- Fix SPEC file to not check md5 mtime and size of /var/lib/unbound/root.key
- Resolves: rhbz#1714175
- Use system-wide crypto policy setting (PROFILE=SYSTEM) instead of custom setting
- Resolves: rhbz#1842837
- Enable additional logging in unbound
- Resolves: rhbz#1850460
- security hardening from x41 report
- Resolves: rhbz#1859933
- symbolic link traversal when writing PID file
- Resolves: rhbz#1899058
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.13.1-3
- Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Thu May 28 2020 Anna Khaitovich <akhaitov@redhat.com> - 1.7.3-14
- Fix unbound-1.7.3-amplifying-an-incoming-query.patch patch
- Resolves: rhbz#1839178 (CVE-2020-12662)
* Mon Feb 15 2021 Victor Stinner <vstinner@python.org> - 1.13.1-2
- Fix build on Python 3.10 (rhbz#1889726).
* Mon May 25 2020 Anna Khaitovich <akhaitov@redhat.com> - 1.7.3-13
- Fix two previous patches and add missing patch lines to %%prep
- Fix amplifying an incoming query into a large number of queries directed to a target
- Resolves: rhbz#1839178 (CVE-2020-12662)
* Wed Feb 10 2021 Paul Wouters <pwouters@redhat.com> - 1.13.1-1
- Resolves rhbz#1860887 unbound-1.13.1 is available
- Fixup unbound.conf
* Tue Apr 21 2020 Anna Khaitovich <akhaitov@redhat.com> - 1.7.3-12
- Remove KSK-2010 from configuration files
- Resolves: rhbz#1665502
- Replace legacy directory /var/run/ with /run
- Resolves: rhbz#1766463
- Resolves: rhbz#1805978
- Fix memory leak when DNS over TLS forwarding is configured
- Resolves: rhbz#1819870
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.13.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Thu Apr 16 2020 Artem Egorenkov <aegorenk@redhat.com> - 1.7.3-11
- Resolves bz1818761. unbound crash fixed.
* Thu Dec 10 2020 Petr Menšík <pemensik@redhat.com> - 1.13.0-1
- Update to 1.13.0
* Tue Dec 10 2019 Tomas Korbar <tkorbar@redhat.com> - 1.7.3-10
- Secure ipsec mode (#1772061)
- CVE-2019-18934
* Tue Oct 13 2020 Petr Menšík <pemensik@redhat.com> - 1.12.0-1
- Update to 1.12.0 (#1860887)
* Tue Dec 10 2019 Tomas Korbar <tkorbar@redhat.com> - 1.7.3-9
- Use pthread_mutex_t locks when dealing with I/O operations (#1775708)
* Tue Sep 15 2020 Petr Menšík <pemensik@redhat.com> - 1.10.1-5
- Move command line tools to utils subpackage
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 1.10.1-3
- Use make macros
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
* Fri May 22 2020 Miro Hrončok <mhroncok@redhat.com> - 1.10.1-2
- Rebuilt for Python 3.9
* Tue May 19 2020 Paul Wouters <pwouters@redhat.com> - 1.10.1-1
- Resolves: rhbz#1837279 unbound-1.10.1 is available
- Resolves: rhbz#1837598 CVE-2020-12662 unbound: insufficient control of network message volume leads to DoS
- Resolves: rhbz#1837609 CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers
- Updated unbound.conf for new options in 1.10.1
* Wed Apr 29 2020 Paul Wouters <pwouters@redhat.com> - 1.10.0-3
- Resolves: rhbz#1667742 SELinux is preventing unbound from 'name_bind' accesses on the udp_socket port 61000.
* Thu Apr 16 2020 Artem Egorenkov <aegorenk@redhat.com> - 1.10.0-2
- Resolves: rhbz#1824536 unbound crash
* Thu Mar 19 2020 Petr Menšík <pemensik@redhat.com> - 1.10.0-1
- Update to 1.10.0 (#1805199)
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Dec 13 2019 Paul Wouters <pwouters@redhat.com> - 1.9.6-1
- Resolves: rhbz#1758107 unbound-1.9.5 is available
- Resolves: CVE-2019-18934
* Fri Nov 01 2019 Paul Wouters <pwouters@redhat.com> - 1.9.4-1
- Fix build on rhel/centos systems
- Resolves: rhbz#1767955 (CVE-2019-16866) uninitialized memory accesses leads to crash via a crafted NOTIFY query
* Thu Sep 26 2019 Petr Menšík <pihhan@gmail.com> - 1.9.3-2
- Obsolete no longer provided python2 subpackage (#1749400)
* Tue Aug 27 2019 Paul Wouters <pwouters@redhat.com> - 1.9.3-1
- Updated to 1.9.3
- Resolves: rhbz#1672578 unbound-1.9.2 is available
- Resolves: rhbz#1694831 [/usr/lib/tmpfiles.d/unbound.conf:1] Line references path below legacy directory /var/run/
- Resolves: rhbz# 1667387 [abrt] unbound: memmove(): unbound killed by SIGABRT
* Thu Aug 22 2019 Miro Hrončok <mhroncok@redhat.com> - 1.8.3-8
- Subpackage python2-unbound has been removed
See https://fedoraproject.org/wiki/Changes/Mass_Python_2_Package_Removal
* Thu Aug 15 2019 Miro Hrončok <mhroncok@redhat.com> - 1.8.3-7
- Rebuilt for Python 3.8
* Mon Aug 5 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.8.3-6
- Drop install-time requirements on systemd (#1723777)
* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.3-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri Jan 11 2019 Paul Wouters <pwouters@redhat.com> - 1.8.3-3
- Remove KSK-2010 from configs - it has been revoked
* Wed Dec 12 2018 Paul Wouters <pwouters@redhat.com> - 1.8.3-2
- Another dns64 fixup
* Wed Dec 12 2018 Paul Wouters <pwouters@redhat.com> - 1.8.3-1
- Updated to 1.8.3 with fixes the dns64 bug and has some other minor fixes
* Mon Dec 10 2018 Paul Wouters <pwouters@redhat.com> - 1.8.2-2
- Fix dns64 allocation in wrong region for returned internal queries.
* Tue Dec 04 2018 Paul Wouters <pwouters@redhat.com> - 1.8.2-1
- Updated to 1.8.2.
- Enabled deny ANY query support and edns-tcp-keepalive
- Set serve-stale timeout to 4h
- Updated unbound.conf for latest options
* Mon Oct 22 2018 Petr Menšík <pemensik@redhat.com> - 1.8.1-2
- Allow group by default to unbound-control (#1640259)
* Mon Oct 08 2018 Petr Menšík <pemensik@redhat.com> - 1.8.1-1
- Update to 1.8.1
* Mon Oct 01 2018 Petr Menšík <pemensik@redhat.com> - 1.8.0-2
- Skip ipv6 forwarders without ipv6 support (#1633874)
* Wed Sep 19 2018 Petr Menšík <pemensik@redhat.com> - 1.8.0-1
- Rebase to 1.8.0
* Tue Aug 14 2018 Paul Wouters <pwouters@redhat.com> - 1.7.3-9
- Fix for restarting unbound service after deleting key/pem files for remote control
* Tue Jul 31 2018 Petr Menšík <pemensik@redhat.com> - 1.7.3-8
- Release memory in unbound-host
@ -560,8 +836,16 @@ popd
* Wed Jun 27 2018 Petr Menšík <pemensik@redhat.com> - 1.7.2-3
- Remove last python2 dependency from python3 build
* Mon Jun 25 2018 Tomas Hozza <thozza@redhat.com> - 1.7.0-6
- Disable Python2 support
* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 1.7.2-2
- Rebuilt for Python 3.7
* Mon Jun 11 2018 Paul Wouters <pwouters@redhat.com> - 1.7.2-1
- Resolves rhbz#1589807 unbound-1.7.2 is available
- Add patch to fix stub/forward zone not returning ServFail when TTL expires
- Enabled the new root-key-sentinel option
* Wed May 30 2018 Petr Menšík <pemensik@redhat.com> - 1.7.1-1
- Update to 1.7.1 (#1574495)
* Mon Apr 09 2018 Petr Menšík <pemensik@redhat.com> - 1.7.0-5
- Require gcc and make on build
@ -616,7 +900,7 @@ popd
* Fri Sep 22 2017 Paul Wouters <pwouters@redhat.com> - 1.6.6-1
- Resolves: rhbz#1483572 unbound-1.6.6 is available
- Resolves: rhbz#1465575 unbound fails to start up, complains about missing ipsecmod-hook (edit)
- Resolves: rhbz#1465575 unbound fails to start up, complains about missing ipsecmod-hook (edit)
* Wed Aug 16 2017 Paul Wouters <pwouters@redhat.com> - 1.6.4-4
- Rebuilt with KSK2017 added to root.key and root.anchor
@ -820,7 +1104,7 @@ popd
- run test suite during the build
* Thu Sep 19 2013 Paul Wouters <pwouters@redhat.com> - 1.4.21-1
- Updated to 1.4.21,
- Updated to 1.4.21,
- Enabled new max-udp-size: 3072 (so ANY isc.org won't fit)
- Removed patched merged in by upstream
- Enable statistics-cumulative for munin-plugin
@ -943,7 +1227,7 @@ popd
- Updated to 1.4.17 (which mostly brings in patches we already
applied from svn trunk)
* Wed Feb 29 2012 Paul Wouters <pwouters@redhat.com> - 1.4.16-3
* Wed Feb 29 2012 Paul Wouters <pwouters@redhat.com> - 1.4.16-3
- Since the daemon links to the libs staticly, add Requires:
(this is rhbz#745288)
- Package up streamtcp as unbound-streamtcp (for monitoring)
@ -1036,7 +1320,7 @@ popd
- Upgraded to 1.4.5
* Mon May 31 2010 Paul Wouters <paul@xelerance.com> - 1.4.4-2
- Added accidentally omitted svn patches to cvs
- Added accidentally omitted svn patches to cvs
* Mon May 31 2010 Paul Wouters <paul@xelerance.com> - 1.4.4-1
- Upgraded to 1.4.4 with svn patches
@ -1046,7 +1330,7 @@ popd
- Update to 1.4.3 that fixes 64bit crasher
* Tue Mar 09 2010 Paul Wouters <paul@xelerance.com> - 1.4.2-1
- Updated to 1.4.2
- Updated to 1.4.2
- Updated unbound.conf with new options
- Enabled pre-fetching DNSKEY records (DNSSEC speedup)
- Enabled re-fetching popular records before they expire
@ -1195,7 +1479,7 @@ popd
causes unbound to listen on 0.0.0.0 instead of 127.0.0.1
* Sun Oct 19 2008 Paul Wouters <paul@xelerance.com> - 1.0.2-3
- Split off unbound-libs, make build verbose
- Split off unbound-libs, make build verbose
* Thu Oct 9 2008 Paul Wouters <paul@xelerance.com> - 1.0.2-2
- FSB compliance, chroot fixes, initscript fixes
@ -1218,3 +1502,5 @@ popd
* Wed Apr 23 2008 Wouter Wijngaards <wouter@nlnetlabs.nl> - 0.11
- Initial version.
## END: Generated by rpmautospec

7
unbound.sysconfig Normal file
View File

@ -0,0 +1,7 @@
# uncomment following line to skip anchor refresh before unbound start
#DISABLE_UNBOUND_ANCHOR=yes
# Better way is systemctl mask unbound-anchor.service
UNBOUND_ANCHOR_OPTIONS="-f /etc/resolv.conf -R"
# for extra debug, add "-v -v" or change verbosity: in unbound.conf
UNBOUND_OPTIONS=""

1
unbound.sysusers Normal file
View File

@ -0,0 +1 @@
u unbound - "Unbound DNS resolver" /var/lib/unbound /sbin/nologin

0
SOURCES/unbound_munin_ → unbound_munin_
View File

123
wouter.nlnetlabs.nl.key Normal file
View File

@ -0,0 +1,123 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
xsFNBE2v/RwBEACyQpJlpCeSZBV1QUH7jNEp5xGdo6OnX2h9XoZ4ZPsb+u6OT+xE
SH45ncnISUh8rPCygbeWOoPR/yOBzh+lYoGxQ5iUHtwRrhHq04sQe/qFpXDO2xs6
1pTcPU2PnH7Rsr2qp6fZLPHuXLolD7NJfaSib8sVeMM0/ecyl/L2bBg9NpaGDX0x
TQh95M8o6AFo6UKWApBpgsvEZr2aH/B8b9KnCWFhfJyheEM7DamksdZNsKxXQyq3
l/ROfdsMLZGF8vPbYV/v11G4keyaLpn8AbBpybIiw9SYDwf2ENk3+e1NFfMaiiyE
qn9+aaLTKCY87TMUuoN3s3jWOOy5tHXzf6DbKhub4Awsby3DH5YpPhi4N2vj2pAX
Vpl5+m78cH29JLzT+HAoyZ4tq1r3m0P5QogNqYwqxkKWYOjDilNDBiKiDdgtrLYG
x+ABovKG/FvToJoaCL4AFaVCzWmL2uHkSgyBN0FPHatCB1UeEkcQit6T8E2NQqmF
WjUMXSWHHajSMG95+L5PdLHz/Ku0o3Csvlt2pkElYZmzJBfnOM9JevdsmKr/ruJC
/DCZAn5w2S/9ZF5qfo2F9HUKIwE/dChR29HcN8V4nqZs9oCvEMfFhHmrfwDc5hed
hvb6mAkvSFFtKIrygLIVeWRj3FE9sGp6sr4VwOLYTFRNk7mAsWD1rZApeQARAQAB
zSdXLkMuQS4gV2lqbmdhYXJkcyA8d291dGVyQG5sbmV0bGFicy5ubD7CwX4EEwEC
ACgFAk2v/RwCGyMFCQlmAYAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEJ9v
HC1+BF+N3yoQAIynfrvZ/8RNAv9lLcSc2PX3fvG7oRJEJSy9uMyIbMtb/a1BVCeh
XjR8GhHJ5D/Z3jRWBQKw1rLLvOqbuBGkpKMR100ZVF4z/8e6CWtTAOFy28f1JQw2
8kilN7K6vjno21S1JJ1XJAdoFdicyb1SW2r+KYod6fjSyF0lb71od+sdnSE9O/xd
Cqyyu6cX+AwfDcuJ6Y8iOWu8CeWAz41LR1QBUQkCb/08mVfCEu+Cj+M31jjPDZEy
UAw219vr4QFe0o3t+Msv0AUZvcRkW6+8qP5lO6I5we/33WBLZH70lhFvYtobM7HO
MCjheRZguSzvRqEETfTjia1uVi3Yz2qM4CFdJIZF6Er79yKcB3jYquultrnlHdXZ
/IZsHVRk6JfiqFkz9u1T9PkvMoQ452aUomGTg9xQchnKpe1E8osKgLulaY+izTEq
Z8pH/HWWJ/YT13/n8pxK9EbC/8SkVhyXNehOSAGDZar+tjVBofgzS8r+GDyv+pBT
SmjitIrVXZNuhigLp1o7Tvs4kjKlcFnLhfDHJ+yb5JyiZd01bVvaqnfRhACqXfWl
oC0uslRbegoYwJUgX0BOrsOuHGH2SfGjd/QnA0bcEXM2kp1Dp1gqtcEd5Qitm647
Yz+leWkhrmMmtTwqumXoAcvgzthJFUPcAzuhXZNfqQJMOGRxAGVI0P97wsF+BBMB
AgAoAhsjBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCVu+rZAUJDQIVSAAKCRCf
bxwtfgRfjdrWEACMQK0xYtZtAvLL/8CCcCi92Oi1rtXRGWnRy7JX020hftmWliMq
4P0F3CJKVLhgZ/ldp8OOqmfDfmwLMVSaCQ86Ubqn7Ofrf8Ku8SGQuIMxY2ODB97h
ouY4bnDHaM2Cqi6JkBN+G1tgdwqN/kcecF2tq3ql2k7eX91++A+F5ApIu1silzJP
L4Z8W6MVOdKrtzEM7t61hRlsbpEPj72vbVBZ1hmTiIL4VWwdxQYamxBoOeneskyD
DG+iMCI3P1GG3EQkk+9Aect/iH9uruE0mxn2aKN8cfuoR93cPF/ozCxS5ItwAVnN
e39WRO1GT2zYaFgYm0lf9czcpRsRzNbGw938lZ3iPUiZe+ybKgLKkVmvrkM59ljH
T99SrC14VXxgQwSs4gS3rdzbY9tPps62Z1q+xCVfTx1IY5P4nt59xwQV0Iw+pV9S
/mVcOnPXl1UKb0ttOdYJErrq3RpF/D2g/NDtL0OWqIa8LvrBlyQYmWPKvKw76vt4
bJ3NU31jSc0ow/j7EOVjOst86s629zmtnbJjWVr6LOy5EDUPusmqHv1t4Z4RMjf8
OrJdNbFJoRXZv8FbW4NzXeGtMf8k6vKeejpdMH4+eLuoZG7dchU1JccfgqfwWpy0
ojmb59drJcaQgVC6Jvw9l0TmGPNIsE4UrIWocaFgv4dOKvHA2hcnMDM8rsLBlQQT
AQIAPwIbIwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQTt+qPyyk5usFaBr46f
bxwtfgRfjQUCWaU4BQUJEZjVaQAKCRCfbxwtfgRfjb1YEACjkhtkyZkYURUmSZNL
2IK/Zencv7DZGRfFrzijROFtHbe//H8o2ZhlyiaFSA/dT1ehjsukkR0oFkYadA+q
Ui06WpxGmd/jf8hP4yTUZkwOhQAesWoNmnhKePNaVMKY8DP57bA+N2pdCcGu7gUt
Yzq2JoTAtV+P/PE2w+H9eyBAulv6iUckM5/qvGfJPl8HB9BtgOpGN79otVWO6ebM
4TQ3cZYI9BDQnt9cF2pviex+z1iLZVJ8UeRxSxYhrBKPJioi0Q1OgcKyO56t7Eot
zxKl5TzprgvdX4cdls+lehD8StlE2Xv/TScHvdOhJuVBrn3a3QjZPb4qSsz74leW
5/EIQmozBy+qf8AHcCmTXwb2U7oHOct7cVyS5+bFx+ThpV5OK0rjTH1LMNiuTeAN
46c1y3prjZRpQUlgVwj06q3Zz/fzDyueUS/r4lW4nAf/VNZy/rTS2HYPoZbHZVCt
GpDIfag6fV6V97Pd3zfhTf2wmsJsw9Xhktp/o7rMBRSMhvL4oevOXb0JSG2583Q/
JnCCceB4NxRRxsgkRYHwdnXN9FnOPSa4NyvF4rzpPksLGZrhvm+lBvzVn/e40Q/K
lxvSlnn2vW/WBM4pBq1jsoJrd/JkTdijZV7mt7HQ2bCLXAPgfZjy7n79WiCQVHg7
iYnNikiNWR5TR7JcvdkxOdiA/8LBlQQTAQgAPwIbIwYLCQgHAwIGFQgCCQoLBBYC
AwECHgECF4AWIQTt+qPyyk5usFaBr46fbxwtfgRfjQUCXe4JdQUJGaQN2QAKCRCf
bxwtfgRfjQ8gEACe+49aDQHRuZdDHK1VCJKzhb+MvfdIjvl8eQxljpG9Uz5Y17Bx
4SWfuLHCeGlh1m6IOAWeW4g6Wowm1ec1PkVa79TdrkKb0MxfLSat6iDbiuVjDxy2
bWokW0/cPzJ/FoWDtEC0H9UTAMb5QGBDZUbLuwX7ZjvMkAhH15/hO9Gj4RHoH1RJ
GJALRtZzjtzsJqL53kW/EV59V1T79Nocyx018iw50Jn02mI8wYJZ9HZc5C7D+K59
vcqLRZgkrJrObw0sEv3YFOBYp/1DemH2nHPMBSKMmN5RAcr32guUjd4BEWf2Q7Ao
+Qnhdi161W0YKCW4JAmOoQ4bQ0wfE9Q5aUIGhUF52L+ac8Hy7dByaCExCA/WTqQQ
/iVPybmpJQhFonWt/fmpxbE2wKThSEOHTO67e5e3JfUb0vNKssyZojao4h1MF5nv
aPNKoybWwKnpNM0ORcyl+aogKwW7E15TEU0TE5//gAsFwRDcCnSEKnksgM0321m1
7RDfJbCajIv47DHDYE3yvhRZjCJCaw0Gow1sDRWjdOFpmIixD5/vx5uxyqSHPuGA
sXlEvl+Z3Rdc5bQ7pAWu7UNpR3hnJPfg8KL2xqOF75VKG9/NjLE80yj8wdVoCfDv
vizrBtOXnHI49gCMCfNqbGIb5yVhmTdeo7li+Te9hlJ2DrHnujGJlFe+p87BTQRN
r/0cARAApvDKeVLiSazESdTY9KsSWsqoB38pvOsu25M49tEjc5TtY5LwKNckqkeR
lJ83O8dFG7UBVuGwLKaf/6OR/pe24upZ27eOOWW7sXvQNv5aXlOYfF+mjIhUINqj
q4pKDmO1c9J7h5d+auOVfzcgfotg3BVCaKn56ucjiQJ059uUMfgWTvVlibnoJ7de
Zcgt8v7VcLK9jv+P8QJHTIyDzJd+JjdjuHXqC/A37T5G9Z84x8wYrQY6mZmOIYaM
jwIKdgFeN+nLk5henARUz4MTFUW4j9hHpuyAFomDQ93/wkHZ9IEChTxdZnfvsd//
Z45vfcX9dQM+tuR8XCYThVsScI1TnwR46hi5NkfmHo3HVxwB8/owJ+FZDsTNBbJd
7AVy27Xk4L5hLe7BwLDtFMyOp4lOipCM7//mtFB9mTzqnOwiSSyTRlwGUBJkzQFW
Qa0Z6bfYwA6+y1dn19H519GW49irtl+2+W8W4N8oLriIjPvqrQOyaELFcRfV6FfL
i09HPhHVbejOqIEbOtfuN0+mjrrGAwortfTBjfw80N+W90BTvta4K2SyjHcJTkDY
ehfOo/5IMpGtDsOgvsCbDaFRnNJuYtSqQmvWk1KIPIw6CkdJtZa3+q3YA7D7ovOV
H1OBTKNdBjc+X4W8L5R9MCymXWvgiP+52Sv1VIcZmsnCBrwK490AEQEAAcLBZQQY
AQIADwUCTa/9HAIbDAUJCWYBgAAKCRCfbxwtfgRfjTY/D/9+kX8LeqBhwDdwy3ud
V67KmVmytwGMfzBHbAyBdy84X06ip/If/VkjL+2Sv5Uml/cOOzGZT7y/KEt0uXQz
gOZhGP5Y0OREf4kSzfb7tsGu3ZjTp5uJe7HiJr8uqYGfx94TQG/A3x1C7MlxOGmW
DK/Eh/eNVeNd+3yyDEzl2p7a0yUhI8LtzllVrEDX+G4rz+mdDw4tfPDqzRPzPvVt
PfqnfofHP5r2dshGe7+pCTC+o0jHWpaiFkEiIrR3PbZ9tV6+F5LzCUJJP5nepz6C
ShpLHq9ST6qZiw5ZpdznHW0kVl96YxgynJq9Y4dqD/8nOfTzdHhXXEogGvRfcxat
xeZF7YNFhUU2p+CswAjRKCUzZAz0hDAu+dJ+fw4Odx7ii8uiwhEnEHoo8rPETkXw
UK1je4MCzMRSy0Gippzk/oZ7noIml+Njas/UygavUOQm8bcPqGfWeFqvM2C7ZobL
2iV0fX/bhEmQyosiWJ0nHuKdwDYygYs/4LtZLxwiKli/lm6IDz1028j6/98Z81gG
oltXWokTYAPEgcBuhyiSLSQ1wojTVMYt9rPKMBakTzP+0FoWqoNafWOlHovP6iUB
2Igll2ZT3AvrBQ8jAbRbuUl46QpBaKsl+pBo86az0fRkMxv0N4dQv4Q7Z0g71u9N
Tpaq1vtAZOwc0kl3uGNK18PnV8LBZQQYAQIADwIbDAUCVu+raQUJDQIVTQAKCRCf
bxwtfgRfjVnYEACZ1E/FfLDi4vLUd9diImmNN/zWDHxTsO/VG3lt50rSoJM5NGB4
RlwcbUKhah2fD44FFiIqGIvKD9hRgB51dVRIkaR3ozVtXRBKxJJqWj38wf2FDLtU
XC5/JHYb0sjAc3ad2sA9xEmEBVO1lWK3J6h4gKZiAGlWz3oeOSve3vrTKsBlP0Cu
rUeb4WTVpw4drBJD7cDh8SJ4/Cq76UFx8lW0xR+pHZHcd0/Ir5v5HnnEgbnut4Ix
eY3/CGBfQfSQHylK7ifmPWq+dflC/ZdfHY1V96EHKPM44ZLwiczoY3qp5nkmEc3B
Y6+P8Ch5gddOYaY18wpedarswnpOLQD2Xbsj66Eh0IZuuuZGyfOqJNaWbP33L27e
g35XQNTgyhuZmDyRKL6yAbhU74TXCCvze/kkfqDn2ouCtM8/kqLX1v0+NkBxlhZU
kTTVDyclZtwu6Vypus3+j2Zqk8sXeUZI64sjXpzwOcMZxdl3QuyxMktExWzk9Q5D
YqO+pj/YGt1vp2M0YgSUWNWCvfBcjEPFgaljyqz3BdvR/LYohnXuQL9SWObF+sIF
c9D0w/yORYQcKP5kSWVC/qwFdC61OGeSDnQ/0o0T5PefhYS82gsIrjQ+HIJ7CLUT
k7kBNljvtfpoWegH02feR0kSRoCXA6x+YHT4fmB41pW8S1V5a5dEltA/JMLBfAQY
AQIAJgIbDBYhBO36o/LKTm6wVoGvjp9vHC1+BF+NBQJZpTgKBQkRmNVuAAoJEJ9v
HC1+BF+NyNQP/A3h+cOOkYUxyKpNHdtlIfCn8db5tHXSCbE19Qi7EK1SiK5atjo+
VoRtB+L01kH6GCx5oZjeIhUdzYFwEUsdCDgwD6r0dKFwKIGa4TFcfnx+Z5B+HZgL
Yc6ac5PEHF1qZVXZH9GSGeNw5h2yyqf4yhvetSN6L2id14m5XXJV5e7NfOgmaSnG
0Z+wQvPSiu+Q00XpENT8HFSTSCjRATjk12rpy6TPeeC52NK1gLhGDRHN0k6m+vm4
yoC+Nd6iPQpnc+5xs7NDnq2dFuSTp7UTGebzPhhdSQgujEFuYLwzQMZu1h5amtA+
v9j7BYEJkOMC7bm1PNNA2QQ6QfH8Hf+mJeINyJO8A5KS3ceP+eo3SLR8T0hPzu9g
ZuZ22Hn3DXQh1VNRshaLKgNvoXpL3dQ48d1SFFKhEDpy2HSXUq2fs5rH0uszFGes
G7K6EQRAYRcDrCkt9fdfkvCSxAFw9d+472xThzgKcN+MkOec+SaY+xlVULjEfCWy
RVC8Opam4mTm/XT4mVLxP/qnsy7kEhLoc/ouB+lY/ks06LpZJvCXL6WfA9You1Fi
1Mg7GhSh9JKg6X6E8Trm+N4dxJGut1xbbGmmKXqfi4pej9KlkdeM9t1df/vWKlPa
7Hzd8H0btgJx066wC4yt0ghxtsJXBsCDxWLfzaSRZ2/eP16mHqxDjsQQwsF8BBgB
CAAmAhsMFiEE7fqj8spObrBWga+On28cLX4EX40FAl3uCX0FCRmkDeEACgkQn28c
LX4EX43TQA/+JV8ReMRJCn3Cfqbe5ycFn8p6dIVnJiQuhiEyu5yzdpSkKyzcVFJO
bQcqw7s50FJuLUbxdvbcuGIaoTu7dhBoUXO5tOuIQAsKTfGfgoOgelJm+/q2h645
EnAVINGbMDXrmo4/UFJkNjUMA6SQi/yiam7N0y58eoDC4sGmBKuN2EW2MoWahlXw
8SS1+Ab9qVBs/RqbSy6f1nJL39aPpPDmvyJOSYtHnNSFlYWVhr0zGAi5rnswlFGr
ECGbHpr5FajUK7zcmtNPbi7F30K48xfF3XnDIeIBcerrEBQMaPUZcBlddGhmSVVJ
ZU/YhR35JNgPnmp33gOuZaRiW9lauZFwsMQBIBkLpJWoUtu8QLkyC0HmJzVRep0/
s1RkzaJ+1G1BzXTQiXaLaUQWG5h3pcMD8fxY5qp9KbG/+10bY0sRbRBXgS6mz7dd
HaBtg/E8ty2nEB1HDXA9HAHu7KlH9e96sPZjz9C46ZiOXe6ZAOk6wBYts4RG4bCQ
9pGORJ+P2Jr2pz1NZQbs1AhnjJixTsfZfsGZ5lHxGLjIyxtdGB/irLEqNTIMek2y
p4CShmWoZwN0V3aGYMe/rC4tSXG79IeKNwF3Vd5MHtB+hcJG2qztBtKQuW29rbRA
5bNxwTWe8skwOKsxXnP9RC974k0XkPS+VwgmVgNN1ewS/0oHvmEP71Q=
=Oqje
-----END PGP PUBLIC KEY BLOCK-----