diff --git a/unbound.conf b/unbound.conf
index 5d73c55..99bc8d6 100644
--- a/unbound.conf
+++ b/unbound.conf
@@ -60,7 +60,7 @@ server:
  # number of ports to allocate per thread, determines the size of the
  # port range that can be open simultaneously.
- # outgoing-range: 256
+ # outgoing-range: 4096
  # permit unbound to use this port number or port range for
  # making outgoing queries, using an outgoing interface.
@@ -83,6 +83,10 @@ server:
  # 0 is system default. Use 4m to catch query spikes for busy servers.
  # so-rcvbuf: 0
+ # buffer size for UDP port 53 outgoing (SO_SNDBUF socket option).
+ # 0 is system default. Use 4m to handle spikes on very busy servers.
+ # so-sndbuf: 0
+
  # EDNS reassembly buffer to advertise to UDP peers (the actual buffer
  # is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
  # edns-buffer-size: 4096
@@ -123,24 +127,18 @@ server:
  # cache. Items are not cached for longer. In seconds.
  # cache-max-ttl: 86400
- # the time to live (TTL) value for cached roundtrip times and
- # EDNS version information for hosts. In seconds.
+ # the time to live (TTL) value for cached roundtrip times, lameness
+ # and EDNS version information for hosts. In seconds.
  # infra-host-ttl: 900
- # the time to live (TTL) value for cached lame delegations. In sec.
- # infra-lame-ttl: 900
-
  # the number of slabs to use for the Infrastructure cache.
  # the number of slabs must be a power of 2.
  # more slabs reduce lock contention, but fragment memory usage.
  # infra-cache-slabs: 4
- # the maximum number of hosts that are cached (roundtrip times, EDNS).
+ # the maximum number of hosts that are cached (roundtrip, EDNS, lame).
  # infra-cache-numhosts: 10000
- # the maximum size of the lame zones cached per host. in bytes.
- # infra-cache-lame-size: 10k
-
  # Enable IPv4, "yes" or "no".
  # do-ip4: yes
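Review bot: The new `# outgoing-range: 4096` line documents the value but not what it trades off, and in a resolver config this number is security-relevant: the width of the outgoing port range is the source-port entropy that spoofing resistance depends on, while every port in the range is presumably a socket the process must be permitted to open, per thread. Suggest extending the comment to `# a wider range gives more source-port randomization against spoofing, but each port costs a file descriptor; keep num-threads * outgoing-range below the process open-file limit`. Whether 4096 is the compiled-in default of this particular build cannot be confirmed from the hunk, so the comment should say "default (if compiled with libevent)" only if the maintainer has checked it.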
@@ -153,6 +151,10 @@ server:
  # Enable TCP, "yes" or "no".
  # do-tcp: yes
+ # upstream connections use TCP only (and no UDP), "yes" or "no"
+ # useful for tunneling scenarios, default no.
+ # tcp-upstream: no
+
  # Detach from the terminal, run in background, "yes" or "no".
  # do-daemonize: yes
@@ -258,6 +260,9 @@ server:
  # Default on, which insists on dnssec data for trust-anchored zones.
  harden-dnssec-stripped: yes
+ # Harden against queries that fall under dnssec-signed nxdomain names.
+ harden-below-nxdomain: yes
+
  # Harden the referral path by performing additional queries for
  # infrastructure data. Validates the replies (if possible).
  # Default off, because the lookups burden the server. Experimental
@@ -266,7 +271,8 @@ server:
  # Use 0x20-encoded random bits in the query to foil spoof attempts.
  # This feature is an experimental implementation of draft dns-0x20.
- use-caps-for-id: yes
+ # (this now fails on all GoDaddy customer domains, so disabled)
+ use-caps-for-id: no
  # Enforce privacy of these addresses. Strips them away from answers.
  # It may cause DNSSEC validation to additionally mark it as bogus.
@@ -412,6 +418,7 @@ server:
  # o transparent serves local data, but resolves normally for other names
  # o redirect serves the zone data for any subdomain in the zone.
  # o nodefault can be used to normally resolve AS112 zones.
+ # o typetransparent resolves normally for other types and other names
  #
  # defaults are localhost address, reverse for 127.0.0.1 and ::1
  # and nxdomain for AS112 zones. If you configure one of these zones
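Review bot: The comment added above `harden-below-nxdomain: yes` is the only one in this part of the file that does not state the upstream default, while its neighbours (`harden-dnssec-stripped`, the referral-path option) both do, and it does not say what the option depends on. Its own wording, "dnssec-signed nxdomain names", implies the hardening only has an effect when DNSSEC validation is actually active for the zone in question, so an operator who has dropped the validator from module-config gets nothing from it; that should be spelled out. Suggest `# Upstream default: <fill in from the 1.4.14 manual>. Only effective when validation is enabled, since it acts on DNSSEC-proven NXDOMAIN answers; enabled here as a spoofing/cache-pollution hardening.`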
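Review bot: Setting `use-caps-for-id: no` removes the 0x20 query-name case entropy from every outgoing query, not only from queries to the GoDaddy nameservers that prompted it, and unlike almost every other option in this file it is a live, uncommented setting, so the change takes effect in the shipped default config. The new comment records the symptom but not the consequence or what now compensates, which is what the next person deciding whether to re-enable it needs. Suggest replacing the one-line remark with `# Disabled globally: 0x20 randomization broke resolution of GoDaddy-hosted zones. Anti-spoofing now rests on source-port randomization (outgoing-range) and DNSSEC validation; re-enable once those servers are fixed.` Whether this unbound version can fall back per-server instead of globally is not visible from the hunk and would be worth checking before accepting a global disable.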
@@ -438,6 +445,17 @@ server:
  # you need to do the reverse notation yourself.
  # local-data-ptr: "192.0.2.3 www.example.com"
+ # service clients over SSL (on the TCP sockets), with plain DNS inside
+ # the SSL stream. Give the certificate to use and private key.
+ # default is "" (disabled). requires restart to take effect.
+ # ssl-service-key: "path/to/privatekeyfile.key"
+ # ssl-service-pem: "path/to/publiccertfile.pem"
+ # ssl-port: 443
+
+ # request upstream over SSL (with plain DNS inside the SSL stream).
+ # Default is no. Can be turned on and off with unbound-control.
+ # ssl-upstream: no
+
  ## Python config section. To enable:
  ## o use --with-pythonmodule to configure before compiling.
  ## o list python in the module-config string (above) to enable.
diff --git a/unbound.spec b/unbound.spec
index a4003e6..2a2dcb3 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -22,7 +22,6 @@ Source6: dlv.isc.org.key
 Source7: unbound-keygen.service
 Source8: tmpfiles-unbound.conf
 Patch1: unbound-1.2-glob.patch
-Patch2: unbound-1.4.13-edns1480.patch
 Group: System Environment/Daemons
 BuildRequires: flex, openssl-devel , ldns-devel >= 1.5.0,
@@ -95,7 +94,6 @@ Python modules and extensions for unbound
 %prep
 %setup -q
 %patch1 -p1
-%patch2 -p0
 %build
 %configure --with-ldns= --with-libevent --with-pthreads --with-ssl \
@@ -222,10 +220,13 @@ fi
 /bin/systemctl try-restart unbound-keygen.service >/dev/null 2>&1 || :
 %changelog
-* Mon Dec 19 2011 Paul Wouters - 1.4.13-2
+* Mon Dec 19 2011 Paul Wouters - 1.4.14-1
 - Upgraded to 1.4.14 for CVE-2011-4528 / VU#209659
 - SSL-wrapped query support for dnssec-trigger
 - EDNS handling changes
+- Removed integrated EDNS patches
+- Disabled use-caps-for-id, GoDaddy domains now break on it
+- Enabled new harden-below-nxdomain
 * Thu Sep 15 2011 Paul Wouters - 1.4.13-1
 - Upgraded to 1.4.13
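Review bot: The new `ssl-upstream` comment says nothing about whether the upstream server's certificate is verified, and nothing else in this hunk configures a CA bundle or trust anchor for it, so a reader is likely to assume "SSL" here gives them an authenticated upstream when it may only hide the queries from passive observers. Suggest adding `# NOTE: no upstream certificate verification is configured here; without it this protects against passive eavesdropping only - check the manual for this version before relying on it for authentication.` For the `ssl-service-key` example, the private key file presumably has to be readable by the account unbound runs as (before any privilege drop or chroot) and should be restricted to that account, which is worth a line such as `# the key file should be mode 0600 and owned by the unbound user`.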
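Review bot: Dropping `Patch2: unbound-1.4.13-edns1480.patch` changes the packaged resolver's wire behaviour, not just the build, and neither the spec nor the changelog records what replaces it. From its name the patch presumably lowered the advertised EDNS buffer to 1480 to avoid fragmented (and thus timing-out or droppable) responses; with it gone, the shipped config goes back to the upstream `edns-buffer-size: 4096` that the unbound.conf half of this diff still documents, unless the "EDNS handling changes" in 1.4.14 cover the same case. Suggest the changelog line say so explicitly, e.g. `- Removed edns1480 patch: 1.4.14 handles EDNS fragmentation fallback upstream` if that has been verified, or otherwise keep the patch until it has.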