From 9f47e3244ee236f9d7ec19990ab5a476cb087cce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Tue, 2 Jul 2024 18:43:33 +0200
Subject: [PATCH] Update to 1.20.0

https://nlnetlabs.nl/projects/unbound/download/#unbound-1-20-0
Resolves: RHEL-36025
---
 .gitignore | 2 +
 sources | 4 +-
 unbound-1.19-b.root-servers.net-conf.patch | 38 --------
 unbound-1.19-b.root-servers.net.patch | 35 -------
 unbound-fedora-config.patch | 102 ++++++++++-----------
 unbound.spec | 7 +-
 6 files changed, 53 insertions(+), 135 deletions(-)
 delete mode 100644 unbound-1.19-b.root-servers.net-conf.patch
 delete mode 100644 unbound-1.19-b.root-servers.net.patch

diff --git a/.gitignore b/.gitignore
index c4bf873..a231159 100644
--- a/.gitignore
+++ b/.gitignore
@@ -83,3 +83,5 @@ unbound-1.4.5.tar.gz
 /unbound-1.18.0.tar.gz.asc
 /unbound-1.19.0.tar.gz
 /unbound-1.19.0.tar.gz.asc
+/unbound-1.20.0.tar.gz
+/unbound-1.20.0.tar.gz.asc
diff --git a/sources b/sources
index 4adc154..5a055a7 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (unbound-1.19.0.tar.gz) = c7df997ab003d098f53ac97ffb4c8428ab28e24573ff21e21782cbeadca42edadeb5b0db53ce954c9ff3106a5edb36eb47109240c554a44d9aac75727b66aeb4
-SHA512 (unbound-1.19.0.tar.gz.asc) = 63aa94192de7840f7abe43367e2c3f5d3fd42b8d72c08a5645cf28e2c0ad2e11d54f3aa645384fff5d4dfe66bc7ee25d81bd967780a992b54956343974206580
+SHA512 (unbound-1.20.0.tar.gz) = 2f6bc76c03b71ca1c2cd2331dc72d62f51493d15e17c59af46b400e542fcabff22e6b9d33f750a3e5f918a0116f45afa760651b2d5aa2feadac151cbbd71b0bd
+SHA512 (unbound-1.20.0.tar.gz.asc) = 1586a320077c606c5c19f251615df54a61854f51acca02df1d391dcc2287aff2c641b009aeee1a98392f63719d70b6bac23ebb7d86b780f8a27cda6e114fc0ad
diff --git a/unbound-1.19-b.root-servers.net-conf.patch b/unbound-1.19-b.root-servers.net-conf.patch
deleted file mode 100644
index c3f41c9..0000000
--- a/unbound-1.19-b.root-servers.net-conf.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 101f9efb8de8e5e41fe40d05461276299e4c8980 Mon Sep 17 00:00:00 2001
-From: Petr Mensik
-Date: Tue, 16 Jan 2024 16:13:29 +0100
-Subject: [PATCH] Update b.root-servers.net also in example config file
-
-Addition to commit a8739bad76d4d179290627e989c7ef236345bda6, which
-updated only address specified in code. But addresses provided in
-example configuration were not updated, I think they should be updated
-too.
----
- unbound-1.19.0/doc/example.conf.in | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/unbound-1.19.0/doc/example.conf.in b/unbound-1.19.0/doc/example.conf.in
-index b79a322..3a15357 100644
---- a/unbound-1.19.0/doc/example.conf.in
-+++ b/unbound-1.19.0/doc/example.conf.in
-@@ -1203,7 +1203,7 @@ include: /etc/unbound/conf.d/*.conf
- # notifies.
- auth-zone:
- name: "."
-- primary: 199.9.14.201 # b.root-servers.net
-+ primary: 170.247.170.2 # b.root-servers.net
- primary: 192.33.4.12 # c.root-servers.net
- primary: 199.7.91.13 # d.root-servers.net
- primary: 192.5.5.241 # f.root-servers.net
-@@ -1211,7 +1211,7 @@ auth-zone:
- primary: 193.0.14.129 # k.root-servers.net
- primary: 192.0.47.132 # xfr.cjr.dns.icann.org
- primary: 192.0.32.132 # xfr.lax.dns.icann.org
-- primary: 2001:500:200::b # b.root-servers.net
-+ primary: 2801:1b8:10::b # b.root-servers.net
- primary: 2001:500:2::c # c.root-servers.net
- primary: 2001:500:2d::d # d.root-servers.net
- primary: 2001:500:2f::f # f.root-servers.net
---
-2.43.0
-
diff --git a/unbound-1.19-b.root-servers.net.patch b/unbound-1.19-b.root-servers.net.patch
deleted file mode 100644
index c3b9a47..0000000
--- a/unbound-1.19-b.root-servers.net.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 72c65bfc2fe35cf4f0665a5e3f173f4f8f6f151b Mon Sep 17 00:00:00 2001
-From: "W.C.A. Wijngaards"
-Date: Wed, 6 Dec 2023 13:25:58 +0100
-Subject: [PATCH] - Updated IPv4 and IPv6 address for b.root-servers.net in
- root hints.
-
----
- unbound-1.19.0/iterator/iter_hints.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/unbound-1.19.0/iterator/iter_hints.c b/unbound-1.19.0/iterator/iter_hints.c
-index a60d9a6..6b56daa 100644
---- a/unbound-1.19.0/iterator/iter_hints.c
-+++ b/unbound-1.19.0/iterator/iter_hints.c
-@@ -129,7 +129,7 @@ compile_time_root_prime(int do_ip4, int do_ip6)
- dp->has_parent_side_NS = 1;
- if(do_ip4) {
- if(!ah(dp, "A.ROOT-SERVERS.NET.", "198.41.0.4")) goto failed;
-- if(!ah(dp, "B.ROOT-SERVERS.NET.", "199.9.14.201")) goto failed;
-+ if(!ah(dp, "B.ROOT-SERVERS.NET.", "170.247.170.2")) goto failed;
- if(!ah(dp, "C.ROOT-SERVERS.NET.", "192.33.4.12")) goto failed;
- if(!ah(dp, "D.ROOT-SERVERS.NET.", "199.7.91.13")) goto failed;
- if(!ah(dp, "E.ROOT-SERVERS.NET.", "192.203.230.10")) goto failed;
-@@ -144,7 +144,7 @@ compile_time_root_prime(int do_ip4, int do_ip6)
- }
- if(do_ip6) {
- if(!ah(dp, "A.ROOT-SERVERS.NET.", "2001:503:ba3e::2:30")) goto failed;
-- if(!ah(dp, "B.ROOT-SERVERS.NET.", "2001:500:200::b")) goto failed;
-+ if(!ah(dp, "B.ROOT-SERVERS.NET.", "2801:1b8:10::b")) goto failed;
- if(!ah(dp, "C.ROOT-SERVERS.NET.", "2001:500:2::c")) goto failed;
- if(!ah(dp, "D.ROOT-SERVERS.NET.", "2001:500:2d::d")) goto failed;
- if(!ah(dp, "E.ROOT-SERVERS.NET.", "2001:500:a8::e")) goto failed;
---
-2.43.0
-
diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch
index a249d2c..880816f 100644
--- a/unbound-fedora-config.patch
+++ b/unbound-fedora-config.patch
@@ -1,4 +1,4 @@
-From ecfc3a96a0d38cc31fb871d98789467434c7afda Mon Sep 17 00:00:00 2001
+From 135a7be6a2b30b74a9fc239adac45f08ad4eace7 Mon Sep 17 00:00:00 2001
From: Petr Mensik Date: Fri, 10 Nov 2023 12:58:31 +0100 Subject: [PATCH] Customize unbound.conf for Fedora defaults @@ -7,13 +7,13 @@ Set some Fedora/RHEL specific changes to example configuration file. By patching upstream provided config file we would not need to manually update external copy in source RPM. --- - unbound-1.19.0/doc/example.conf.in | 205 ++++++++++++++++++----------- - 1 file changed, 131 insertions(+), 74 deletions(-) + unbound-1.20.0/doc/example.conf.in | 199 +++++++++++++++++++---------- + 1 file changed, 128 insertions(+), 71 deletions(-) -diff --git a/unbound-1.19.0/doc/example.conf.in b/unbound-1.19.0/doc/example.conf.in -index fe0dde6..b79a322 100644 ---- a/unbound-1.19.0/doc/example.conf.in -+++ b/unbound-1.19.0/doc/example.conf.in +diff --git a/unbound-1.20.0/doc/example.conf.in b/unbound-1.20.0/doc/example.conf.in +index 0368c8d..5873db5 100644 +--- a/unbound-1.20.0/doc/example.conf.in ++++ b/unbound-1.20.0/doc/example.conf.in @@ -17,11 +17,12 @@ server: # whitespace is not necessary, but looks cleaner. @@ -120,7 +120,7 @@ index fe0dde6..b79a322 100644 # use IP_FREEBIND so the interface: addresses can be non-local # and you can bind to nonexisting IPs and interfaces that are down. -@@ -256,6 +275,8 @@ server: +@@ -276,6 +295,8 @@ server: # nat64-prefix: 64:ff9b::0/96 # Enable UDP, "yes" or "no". @@ -129,16 +129,16 @@ index fe0dde6..b79a322 100644 # do-udp: yes # Enable TCP, "yes" or "no". -@@ -281,7 +302,7 @@ server: +@@ -301,7 +322,7 @@ server: # tcp-idle-timeout: 30000 # Enable EDNS TCP keepalive option. - # edns-tcp-keepalive: no + edns-tcp-keepalive: yes - # Timeout for EDNS TCP keepalive, in msec. - # edns-tcp-keepalive-timeout: 120000 -@@ -290,6 +311,9 @@ server: + # Timeout for EDNS TCP keepalive, in msec. Overrides tcp-idle-timeout + # if edns-tcp-keepalive is set. +@@ -311,6 +332,9 @@ server: # can be dropped. Default is 0, disabled. In seconds, such as 3. # sock-queue-timeout: 0 
@@ -148,7 +148,7 @@ index fe0dde6..b79a322 100644 # Use systemd socket activation for UDP, TCP, and control sockets. # use-systemd: no -@@ -402,6 +426,7 @@ server: +@@ -424,6 +448,7 @@ server: # # If you give "" no chroot is performed. The path must not end in a /. # chroot: "@UNBOUND_CHROOT_DIR@" @@ -156,7 +156,7 @@ index fe0dde6..b79a322 100644 # if given, user privileges are dropped (after binding port), # and the given username is assumed. Default is user "unbound". -@@ -413,7 +438,7 @@ server: +@@ -435,7 +460,7 @@ server: # is not changed. # If you give a server: directory: dir before include: file statements # then those includes can be relative to the working directory. @@ -165,7 +165,7 @@ index fe0dde6..b79a322 100644 # the log file, "" means log to stderr. # Use of this option sets use-syslog to "no". -@@ -428,7 +453,7 @@ server: +@@ -450,7 +475,7 @@ server: # log-identity: "" # print UTC timestamp in ascii to logfile, default is epoch in seconds. @@ -174,7 +174,7 @@ index fe0dde6..b79a322 100644 # print one line with time, IP, name, type, class for every query. # log-queries: no -@@ -497,22 +522,22 @@ server: +@@ -522,22 +547,22 @@ server: # harden-large-queries: no # Harden against out of zone rrsets, to avoid spoofing attempts. @@ -201,7 +201,7 @@ index fe0dde6..b79a322 100644 # Harden against algorithm downgrade when multiple algorithms are # advertised in the DS record. If no, allows the weakest algorithm -@@ -526,7 +551,7 @@ server: +@@ -551,7 +576,7 @@ server: # Sent minimum amount of information to upstream servers to enhance # privacy. Only sent minimum required labels of the QNAME and set QTYPE # to A when possible. 
@@ -210,7 +210,7 @@ index fe0dde6..b79a322 100644 # QNAME minimisation in strict mode. Do not fall-back to sending full # QNAME to potentially broken nameservers. A lot of domains will not be -@@ -536,7 +561,7 @@ server: +@@ -561,7 +586,7 @@ server: # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN # and other denials, using information from previous NXDOMAINs answers. @@ -219,7 +219,7 @@ index fe0dde6..b79a322 100644 # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. -@@ -569,7 +594,7 @@ server: +@@ -594,7 +619,7 @@ server: # threshold, a warning is printed and a defensive action is taken, # the cache is cleared to flush potential poison out of it. # A suggested value is 10000000, the default is 0 (turned off). @@ -228,7 +228,7 @@ index fe0dde6..b79a322 100644 # Do not query the following addresses. No DNS queries are sent there. # List one address per entry. List classless netblocks with /size, -@@ -581,20 +606,20 @@ server: +@@ -606,20 +631,20 @@ server: # do-not-query-localhost: yes # if yes, perform prefetching of almost expired message cache entries. @@ -254,7 +254,7 @@ index fe0dde6..b79a322 100644 # true to disable DNSSEC lameness check in iterator. # disable-dnssec-lame-check: no -@@ -604,7 +629,9 @@ server: +@@ -629,7 +654,9 @@ server: # most modules have to be listed at the beginning of the line, # except cachedb(just before iterator), and python (at the beginning, # or, just before the iterator). @@ -265,7 +265,7 @@ index fe0dde6..b79a322 100644 # File with trusted keys, kept uptodate using RFC5011 probes, # initial file like trust-anchor-file, then it stores metadata. -@@ -618,10 +645,10 @@ server: +@@ -643,10 +670,10 @@ server: # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" # trust anchor signaling sends a RFC8145 key tag query after priming. 
@@ -278,7 +278,7 @@ index fe0dde6..b79a322 100644 # File with trusted keys for validation. Specify more than one file # with several entries, one file per entry. -@@ -642,6 +669,9 @@ server: +@@ -667,6 +694,9 @@ server: # the trusted-keys { name flag proto algo "key"; }; clauses are read. # you need external update procedures to track changes in keys. # trusted-keys-file: "" @@ -288,7 +288,7 @@ index fe0dde6..b79a322 100644 # Ignore chain of trust. Domain is treated as insecure. # domain-insecure: "example.com" -@@ -669,14 +699,15 @@ server: +@@ -694,14 +724,15 @@ server: # unsecure data. Useful to shield the users of this validator from # potential bogus data in the additional section. All unsigned data # in the additional section is removed from secure messages. @@ -306,7 +306,7 @@ index fe0dde6..b79a322 100644 # Ignore the CD flag in incoming queries and refuse them bogus data. # Enable it if the only clients of Unbound are legacy servers (w2008) -@@ -690,11 +721,11 @@ server: +@@ -715,11 +746,11 @@ server: # Serve expired responses from cache, with serve-expired-reply-ttl in # the response, and then attempt to fetch the data afresh. @@ -320,7 +320,7 @@ index fe0dde6..b79a322 100644 # # Set the TTL of expired records to the serve-expired-ttl value after a # failed attempt to retrieve the record from upstream. This makes sure -@@ -721,7 +752,7 @@ server: +@@ -746,7 +777,7 @@ server: # Have the validator log failed validations for your diagnosis. # 0: off. 1: A line per failed user query. 2: With reason and bad IP. @@ -329,7 +329,7 @@ index fe0dde6..b79a322 100644 # It is possible to configure NSEC3 maximum iteration counts per # keysize. Keep this table very short, as linear search is done. -@@ -865,6 +896,8 @@ server: +@@ -890,6 +921,8 @@ server: # you need to do the reverse notation yourself. # local-data-ptr: "192.0.2.3 www.example.com" 
@@ -338,7 +338,7 @@ index fe0dde6..b79a322 100644 # tag a localzone with a list of tag names (in "" with spaces between) # local-zone-tag: "example.com" "tag2 tag3" -@@ -875,8 +908,8 @@ server: +@@ -900,8 +933,8 @@ server: # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. # Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. @@ -349,7 +349,7 @@ index fe0dde6..b79a322 100644 # tls-port: 853 # https-port: 443 -@@ -884,6 +917,8 @@ server: +@@ -909,6 +942,8 @@ server: # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" # cipher setting for TLSv1.3 # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" @@ -358,8 +358,8 @@ index fe0dde6..b79a322 100644 # Pad responses to padded queries received over TLS # pad-responses: yes -@@ -1005,12 +1040,12 @@ server: - # fast-server-num: 3 +@@ -1045,12 +1080,12 @@ server: + # cookie-secret: <128 bit random hex string> # Enable to attach Extended DNS Error codes (RFC8914) to responses. - # ede: no @@ -373,7 +373,7 @@ index fe0dde6..b79a322 100644 # Specific options for ipsecmod. Unbound needs to be configured with # --enable-ipsecmod for these to take effect. -@@ -1018,12 +1053,14 @@ server: +@@ -1058,12 +1093,14 @@ server: # Enable or disable ipsecmod (it still needs to be defined in # module-config above). Can be used when ipsecmod needs to be # enabled/disabled via remote-control(below). @@ -391,7 +391,7 @@ index fe0dde6..b79a322 100644 # When enabled Unbound will reply with SERVFAIL if the return value of # the ipsecmod-hook is not 0. # ipsecmod-strict: no -@@ -1056,7 +1093,7 @@ server: +@@ -1096,7 +1133,7 @@ server: # o and give a python-script to run. python: # Script file to load 
@@ -400,7 +400,7 @@ index fe0dde6..b79a322 100644 # Dynamic library config section. To enable: # o use --with-dynlibmodule to configure before compiling. -@@ -1067,13 +1104,18 @@ python: +@@ -1107,13 +1144,18 @@ python: # the module-config then you need one dynlib-file per instance. dynlib: # Script file to load @@ -421,7 +421,7 @@ index fe0dde6..b79a322 100644 # what interfaces are listened to for remote control. # give 0.0.0.0 and ::0 to listen to all interfaces. -@@ -1087,19 +1129,22 @@ remote-control: +@@ -1127,19 +1169,22 @@ remote-control: # for localhost, you can disable use of TLS by setting this to "no" # For local sockets this option is ignored, and TLS is not used. @@ -449,7 +449,7 @@ index fe0dde6..b79a322 100644 # Stub zones. # Create entries like below, to make all queries for 'example.com' and -@@ -1121,6 +1166,10 @@ remote-control: +@@ -1161,6 +1206,10 @@ remote-control: # name: "example.org" # stub-host: ns.example.com. @@ -460,7 +460,7 @@ index fe0dde6..b79a322 100644 # Forward zones # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of servers. These servers have to handle -@@ -1138,6 +1187,10 @@ remote-control: +@@ -1178,6 +1227,10 @@ remote-control: # forward-zone: # name: "example.org" # forward-host: fwd.example.com 
@@ -471,16 +471,13 @@ index fe0dde6..b79a322 100644 # Authority zones # The data for these zones is kept locally, from a file or downloaded. -@@ -1145,30 +1198,31 @@ remote-control: - # upstream (which saves a lookup to the upstream). The first example - # has a copy of the root for local usage. The second serves example.org - # authoritatively. zonefile: reads from file (and writes to it if you also --# download it), primary: fetches with AXFR and IXFR, or url to zonefile. --# With allow-notify: you can give additional (apart from primaries and urls) --# sources of notifies. +@@ -1188,27 +1241,28 @@ remote-control: + # download it), primary: fetches with AXFR and IXFR, or url to zonefile. + # With allow-notify: you can give additional (apart from primaries and urls) + # sources of notifies. -# auth-zone: -# name: "." --# primary: 199.9.14.201 # b.root-servers.net +-# primary: 170.247.170.2 # b.root-servers.net -# primary: 192.33.4.12 # c.root-servers.net -# primary: 199.7.91.13 # d.root-servers.net -# primary: 192.5.5.241 # f.root-servers.net @@ -488,7 +485,7 @@ index fe0dde6..b79a322 100644 -# primary: 193.0.14.129 # k.root-servers.net -# primary: 192.0.47.132 # xfr.cjr.dns.icann.org -# primary: 192.0.32.132 # xfr.lax.dns.icann.org --# primary: 2001:500:200::b # b.root-servers.net +-# primary: 2801:1b8:10::b # b.root-servers.net -# primary: 2001:500:2::c # c.root-servers.net -# primary: 2001:500:2d::d # d.root-servers.net -# primary: 2001:500:2f::f # f.root-servers.net 
@@ -499,12 +496,9 @@ index fe0dde6..b79a322 100644 -# fallback-enabled: yes -# for-downstream: no -# for-upstream: yes -+# download it), master: fetches with AXFR and IXFR, or url to zonefile. -+# With allow-notify: you can give additional (apart from masters) sources of -+# notifies. +auth-zone: + name: "." -+ primary: 199.9.14.201 # b.root-servers.net ++ primary: 170.247.170.2 # b.root-servers.net + primary: 192.33.4.12 # c.root-servers.net + primary: 199.7.91.13 # d.root-servers.net + primary: 192.5.5.241 # f.root-servers.net @@ -512,7 +506,7 @@ index fe0dde6..b79a322 100644 + primary: 193.0.14.129 # k.root-servers.net + primary: 192.0.47.132 # xfr.cjr.dns.icann.org + primary: 192.0.32.132 # xfr.lax.dns.icann.org -+ primary: 2001:500:200::b # b.root-servers.net ++ primary: 2801:1b8:10::b # b.root-servers.net + primary: 2001:500:2::c # c.root-servers.net + primary: 2001:500:2d::d # d.root-servers.net + primary: 2001:500:2f::f # f.root-servers.net @@ -527,7 +521,7 @@ index fe0dde6..b79a322 100644 # auth-zone: # name: "example.org" # for-downstream: yes -@@ -1194,6 +1248,9 @@ remote-control: +@@ -1234,6 +1288,9 @@ remote-control: # name: "anotherview" # local-zone: "example.com" refuse @@ -537,7 +531,7 @@ index fe0dde6..b79a322 100644 # DNSCrypt # To enable, use --enable-dnscrypt to configure before compiling. # Caveats: -@@ -1266,7 +1323,7 @@ remote-control: +@@ -1309,7 +1366,7 @@ remote-control: # dnstap-enable: no # # if set to yes frame streams will be used in bidirectional mode # dnstap-bidirectional: yes @@ -547,5 +541,5 @@ index fe0dde6..b79a322 100644 # # set it to "IPaddress[@port]" of the destination. # dnstap-ip: "" -- -2.41.0 +2.45.2 diff --git a/unbound.spec b/unbound.spec index 7c07131..d8a9036 100644 --- a/unbound.spec +++ b/unbound.spec 
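Review bot: Two hunks of unbound-fedora-config.patch carry no functional change: the first (`@@ -1,4 +1,4 @@`) only swaps the `From ecfc3a96…` commit id for `From 135a7be6…`, and the last only bumps the trailer `-2.41.0` / `+2.45.2`. Both are artefacts of regenerating the downstream patch with `git format-patch` and will churn on every rebase, which buries the substantive changes in this section (the `unbound-1.20.0/doc/example.conf.in` path, the dropped `master:` wording and the new b.root-servers.net addresses in the `@@ -1188,27 +1241,28 @@` hunk). Regenerating with `git format-patch --zero-commit --no-signature` would keep those lines stable across version updates and make the real delta reviewable at a glance. The rebased hunks in the middle of this section are truncated in this view, so their context has not been checked here.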
@@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.19.0 +Version: 1.20.0 Release: %autorelease %{?extra_version:-e %{extra_version}} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ @@ -57,11 +57,6 @@ Source20: unbound.sysusers # Downstream configuration changes Patch1: unbound-fedora-config.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2253461 -# https://github.com/NLnetLabs/unbound/commit/a8739bad76d4d179290627e989c7ef236345bda6 -Patch2: unbound-1.19-b.root-servers.net.patch -# https://github.com/NLnetLabs/unbound/pull/993 -Patch3: unbound-1.19-b.root-servers.net-conf.patch BuildRequires: gcc, make BuildRequires: flex, openssl-devel
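Review bot: The second hunk drops `Patch2` and `Patch3` together with the two comment lines pointing at rhbz#2253461 and upstream commit a8739bad, but nothing on the new side or in the commit message records why, so the reason (the b.root-servers.net address fix is carried by the 1.20.0 tarball, as the deleted patch files above show) is lost. With `Release: %autorelease` in the first hunk the changelog is presumably generated from commit messages, so that omission propagates into the package history. A one-line pointer kept next to `Patch1:` would suffice, e.g. `# b.root-servers.net address update (rhbz#2253461, upstream a8739bad) is included since 1.20.0`, or the same sentence added to the commit message. The %prep section that decides whether the new `.asc` hash in `sources` is actually verified at build time is outside this diff and could not be checked here.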