* Mon Dec 19 2011 Paul Wouters <paul@cypherpunks.ca> - 1.4.14-1

- Upgraded to 1.4.14 for CVE-2011-4528 / VU#209659 - SSL-wrapped query support for dnssec-trigger - EDNS handling changes - Removed integrated EDNS patches - Disabled use-caps-for-id, GoDaddy domains now break on it - Enabled new harden-below-nxdomain
2011-12-19 10:29:22 -05:00 · 2011-12-19 10:29:22 -05:00 · 9af263621b
commit 9af263621b
parent d576f6ecc2
2 changed files with 33 additions and 14 deletions
--- a/unbound.conf
+++ b/unbound.conf
@ -60,7 +60,7 @@ server:

 	# number of ports to allocate per thread, determines the size of the
 	# port range that can be open simultaneously. 
-	# outgoing-range: 256
+	# outgoing-range: 4096
 	
 	# permit unbound to use this port number or port range for
 	# making outgoing queries, using an outgoing interface.
@ -83,6 +83,10 @@ server:
 	# 0 is system default.  Use 4m to catch query spikes for busy servers.
 	# so-rcvbuf: 0

+	# buffer size for UDP port 53 outgoing (SO_SNDBUF socket option).
+	# 0 is system default.  Use 4m to handle spikes on very busy servers.
+	# so-sndbuf: 0
+
 	# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
 	# is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
 	# edns-buffer-size: 4096
@ -123,24 +127,18 @@ server:
 	# cache. Items are not cached for longer. In seconds.
 	# cache-max-ttl: 86400

-	# the time to live (TTL) value for cached roundtrip times and
-	# EDNS version information for hosts. In seconds.
+	# the time to live (TTL) value for cached roundtrip times, lameness
+	# and EDNS version information for hosts. In seconds.
 	# infra-host-ttl: 900

-	# the time to live (TTL) value for cached lame delegations. In sec.
-	# infra-lame-ttl: 900
-
 	# the number of slabs to use for the Infrastructure cache.
 	# the number of slabs must be a power of 2.
 	# more slabs reduce lock contention, but fragment memory usage.
 	# infra-cache-slabs: 4

-	# the maximum number of hosts that are cached (roundtrip times, EDNS).
+	# the maximum number of hosts that are cached (roundtrip, EDNS, lame).
 	# infra-cache-numhosts: 10000

-	# the maximum size of the lame zones cached per host. in bytes.
-	# infra-cache-lame-size: 10k
-
 	# Enable IPv4, "yes" or "no".
 	# do-ip4: yes

@ -153,6 +151,10 @@ server:
 	# Enable TCP, "yes" or "no".
 	# do-tcp: yes

+	# upstream connections use TCP only (and no UDP), "yes" or "no"
+	# useful for tunneling scenarios, default no.
+	# tcp-upstream: no
+
 	# Detach from the terminal, run in background, "yes" or "no".
 	# do-daemonize: yes

@ -258,6 +260,9 @@ server:
 	# Default on, which insists on dnssec data for trust-anchored zones.
 	harden-dnssec-stripped: yes

+	# Harden against queries that fall under dnssec-signed nxdomain names.
+	harden-below-nxdomain: yes
+
        # Harden the referral path by performing additional queries for
 	# infrastructure data.  Validates the replies (if possible).
 	# Default off, because the lookups burden the server.  Experimental 
@ -266,7 +271,8 @@ server:

 	# Use 0x20-encoded random bits in the query to foil spoof attempts.
 	# This feature is an experimental implementation of draft dns-0x20.
-	use-caps-for-id: yes
+	# (this now fails on all GoDaddy customer domains, so disabled)
+	use-caps-for-id: no
 	
 	# Enforce privacy of these addresses. Strips them away from answers. 
 	# It may cause DNSSEC validation to additionally mark it as bogus. 
@ -412,6 +418,7 @@ server:
 	# o transparent serves local data, but resolves normally for other names
 	# o redirect serves the zone data for any subdomain in the zone.
 	# o nodefault can be used to normally resolve AS112 zones.
+	# o typetransparent resolves normally for other types and other names
 	#
 	# defaults are localhost address, reverse for 127.0.0.1 and ::1
 	# and nxdomain for AS112 zones. If you configure one of these zones
@ -438,6 +445,17 @@ server:
 	# you need to do the reverse notation yourself.
 	# local-data-ptr: "192.0.2.3 www.example.com"

+	# service clients over SSL (on the TCP sockets), with plain DNS inside
+	# the SSL stream.  Give the certificate to use and private key.
+	# default is "" (disabled).  requires restart to take effect.
+	# ssl-service-key: "path/to/privatekeyfile.key"
+	# ssl-service-pem: "path/to/publiccertfile.pem"
+	# ssl-port: 443
+
+	# request upstream over SSL (with plain DNS inside the SSL stream).
+	# Default is no.  Can be turned on and off with unbound-control.
+	# ssl-upstream: no
+
 ## Python config section. To enable:
 ## o use --with-pythonmodule to configure before compiling.
 ## o list python in the module-config string (above) to enable.
--- a/unbound.spec
+++ b/unbound.spec
@ -22,7 +22,6 @@ Source6: dlv.isc.org.key
 Source7: unbound-keygen.service
 Source8: tmpfiles-unbound.conf
 Patch1: unbound-1.2-glob.patch
-Patch2: unbound-1.4.13-edns1480.patch

 Group: System Environment/Daemons
 BuildRequires: flex, openssl-devel , ldns-devel >= 1.5.0, 
@ -95,7 +94,6 @@ Python modules and extensions for unbound
 %prep
 %setup -q 
 %patch1 -p1
-%patch2 -p0

 %build
 %configure  --with-ldns= --with-libevent --with-pthreads --with-ssl \
@ -222,10 +220,13 @@ fi
 /bin/systemctl try-restart unbound-keygen.service >/dev/null 2>&1 || :

 %changelog
-* Mon Dec 19 2011 Paul Wouters <paul@xelerance.com> - 1.4.13-2
+* Mon Dec 19 2011 Paul Wouters <paul@cypherpunks.ca> - 1.4.14-1
 - Upgraded to 1.4.14 for CVE-2011-4528 / VU#209659
 - SSL-wrapped query support for dnssec-trigger
 - EDNS handling changes
+- Removed integrated EDNS patches
+- Disabled use-caps-for-id, GoDaddy domains now break on it
+- Enabled new harden-below-nxdomain

 * Thu Sep 15 2011 Paul Wouters <paul@xelerance.com> - 1.4.13-1
 - Upgraded to 1.4.13