* Thu Sep 19 2013 Paul Wouters <pwouters@redhat.com> - 1.4.21-1

- Updated to 1.4.21, - Enabled new max-udp-size: 3072 (so ANY isc.org won't fit) - Removed patched merged in by upstream - Enable statistics-cumulative for munin-plugin - Updated unbound.conf
2013-09-19 10:21:30 -04:00 · 2013-09-19 10:21:30 -04:00 · 90b7fa1c7e
commit 90b7fa1c7e
parent 720e14aefa
4 changed files with 21 additions and 10 deletions
--- a/.gitignore
+++ b/.gitignore
@ -24,3 +24,4 @@ unbound-1.4.5.tar.gz
 /unbound-1.4.18.tar.gz
 /unbound-1.4.19.tar.gz
 /unbound-1.4.20.tar.gz
+/unbound-1.4.21.tar.gz
--- a/2
+++ b/2
@ -1 +1 @@
-1f2d0b490fd7928a708a326beda21948  unbound-1.4.20.tar.gz
+0aa8db06ea784bf7879060bd1f6551c8  unbound-1.4.21.tar.gz
--- a/unbound.conf
+++ b/unbound.conf
@ -20,7 +20,7 @@ server:

 	# enable cumulative statistics, without clearing them after printing.
 	# Needed for munin plugin
-	statistics-cumulative: no
+	statistics-cumulative: yes

 	# enable extended statistics (query types, answer codes, status)
 	# printed from unbound-control. default off, because of speed.
@ -72,6 +72,7 @@ server:

 	# permit unbound to use this port number or port range for
 	# making outgoing queries, using an outgoing interface.
+	# Only ephemeral ports are allowed by SElinux
 	outgoing-port-permit: 32768-65535

 	# deny unbound the use this of port number or port range for
@ -99,6 +100,11 @@ server:
 	# is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
 	# edns-buffer-size: 4096

+	# Maximum UDP response size (not applied to TCP response).
+	# Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
+	# 3072 causes +dnssec any isc.org queries to need TC=1. Helps mitigating DDOS
+	max-udp-size: 3072
+
 	# buffer size for handling DNS data. No messages larger than this
 	# size can be sent or received, by UDP or TCP. In bytes.
 	# msg-buffer-size: 65552
@ -226,6 +232,9 @@ server:
 	# print UTC timestamp in ascii to logfile, default is epoch in seconds.
 	log-time-ascii: yes

+	# print one line with time, IP, name, type, class for every query.
+	# log-queries: no
+
 	# the pid file. Can be an absolute path outside of chroot/work dir.
 	pidfile: "/var/run/unbound/unbound.pid"

--- a/unbound.spec
+++ b/unbound.spec
@ -10,8 +10,8 @@

 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.4.20
-Release: 19%{?dist}
+Version: 1.4.21
+Release: 1%{?dist}
 License: BSD
 Url: http://www.nlnetlabs.nl/unbound/
 Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
@ -32,9 +32,6 @@ Source13: root.anchor
 Source14: unbound.sysconfig
 Source15: unbound.cron
 Source16: unbound-munin.README
-Patch1: unbound-1.4.20-roundrobin.patch
-Patch2: unbound-1.4.20-streamtcp-manpage.patch
-Patch3: unbound-1.4.20-coverity_scan.patch

 Group: System Environment/Daemons
 BuildRequires: flex, openssl-devel , ldns-devel >= 1.6.13
@ -108,9 +105,6 @@ Python modules and extensions for unbound

 %prep
 %setup -q 
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1

 %build
 export LDFLAGS="-Wl,-z,relro,-z,now -pie -specs=/usr/lib/rpm/redhat/redhat-hardened-ld"
@ -283,6 +277,13 @@ exit 0
 /bin/systemctl try-restart unbound-keygen.service >/dev/null 2>&1 || :

 %changelog
+* Thu Sep 19 2013 Paul Wouters <pwouters@redhat.com> - 1.4.21-1
+- Updated to 1.4.21, 
+- Enabled new max-udp-size: 3072 (so ANY isc.org won't fit)
+- Removed patched merged in by upstream
+- Enable statistics-cumulative for munin-plugin
+- Updated unbound.conf
+
 * Mon Aug 26 2013 Tomas Hozza <thozza@redhat.com> - 1.4.20-19
 - Fix errors found by static analysis of source