Update to 1.20.0

https://nlnetlabs.nl/projects/unbound/download/#unbound-1-20-0

Resolves: RHEL-36025
Petr Menšík 2024-07-02 18:43:33 +02:00
parent 4a31070712
commit 9f47e3244e
6 changed files with 53 additions and 135 deletions

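--- a/.gitignore
+++ b/.gitignore
@@ -83,3 +83,5 @@ unbound-1.4.5.tar.gz
 /unbound-1.18.0.tar.gz.asc
 /unbound-1.19.0.tar.gz
 /unbound-1.19.0.tar.gz.asc
+/unbound-1.20.0.tar.gz
+/unbound-1.20.0.tar.gz.asc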


@ -1,2 +1,2 @@
SHA512 (unbound-1.19.0.tar.gz) = c7df997ab003d098f53ac97ffb4c8428ab28e24573ff21e21782cbeadca42edadeb5b0db53ce954c9ff3106a5edb36eb47109240c554a44d9aac75727b66aeb4 SHA512 (unbound-1.20.0.tar.gz) = 2f6bc76c03b71ca1c2cd2331dc72d62f51493d15e17c59af46b400e542fcabff22e6b9d33f750a3e5f918a0116f45afa760651b2d5aa2feadac151cbbd71b0bd
SHA512 (unbound-1.19.0.tar.gz.asc) = 63aa94192de7840f7abe43367e2c3f5d3fd42b8d72c08a5645cf28e2c0ad2e11d54f3aa645384fff5d4dfe66bc7ee25d81bd967780a992b54956343974206580 SHA512 (unbound-1.20.0.tar.gz.asc) = 1586a320077c606c5c19f251615df54a61854f51acca02df1d391dcc2287aff2c641b009aeee1a98392f63719d70b6bac23ebb7d86b780f8a27cda6e114fc0ad


@ -1,38 +0,0 @@
From 101f9efb8de8e5e41fe40d05461276299e4c8980 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 16 Jan 2024 16:13:29 +0100
Subject: [PATCH] Update b.root-servers.net also in example config file
Addition to commit a8739bad76d4d179290627e989c7ef236345bda6, which
updated only address specified in code. But addresses provided in
example configuration were not updated, I think they should be updated
too.
---
unbound-1.19.0/doc/example.conf.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/unbound-1.19.0/doc/example.conf.in b/unbound-1.19.0/doc/example.conf.in
index b79a322..3a15357 100644
--- a/unbound-1.19.0/doc/example.conf.in
+++ b/unbound-1.19.0/doc/example.conf.in
@@ -1203,7 +1203,7 @@ include: /etc/unbound/conf.d/*.conf
# notifies.
auth-zone:
name: "."
- primary: 199.9.14.201 # b.root-servers.net
+ primary: 170.247.170.2 # b.root-servers.net
primary: 192.33.4.12 # c.root-servers.net
primary: 199.7.91.13 # d.root-servers.net
primary: 192.5.5.241 # f.root-servers.net
@@ -1211,7 +1211,7 @@ auth-zone:
primary: 193.0.14.129 # k.root-servers.net
primary: 192.0.47.132 # xfr.cjr.dns.icann.org
primary: 192.0.32.132 # xfr.lax.dns.icann.org
- primary: 2001:500:200::b # b.root-servers.net
+ primary: 2801:1b8:10::b # b.root-servers.net
primary: 2001:500:2::c # c.root-servers.net
primary: 2001:500:2d::d # d.root-servers.net
primary: 2001:500:2f::f # f.root-servers.net
--
2.43.0


@ -1,35 +0,0 @@
From 72c65bfc2fe35cf4f0665a5e3f173f4f8f6f151b Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
Date: Wed, 6 Dec 2023 13:25:58 +0100
Subject: [PATCH] - Updated IPv4 and IPv6 address for b.root-servers.net in
root hints.
---
unbound-1.19.0/iterator/iter_hints.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/unbound-1.19.0/iterator/iter_hints.c b/unbound-1.19.0/iterator/iter_hints.c
index a60d9a6..6b56daa 100644
--- a/unbound-1.19.0/iterator/iter_hints.c
+++ b/unbound-1.19.0/iterator/iter_hints.c
@@ -129,7 +129,7 @@ compile_time_root_prime(int do_ip4, int do_ip6)
dp->has_parent_side_NS = 1;
if(do_ip4) {
if(!ah(dp, "A.ROOT-SERVERS.NET.", "198.41.0.4")) goto failed;
- if(!ah(dp, "B.ROOT-SERVERS.NET.", "199.9.14.201")) goto failed;
+ if(!ah(dp, "B.ROOT-SERVERS.NET.", "170.247.170.2")) goto failed;
if(!ah(dp, "C.ROOT-SERVERS.NET.", "192.33.4.12")) goto failed;
if(!ah(dp, "D.ROOT-SERVERS.NET.", "199.7.91.13")) goto failed;
if(!ah(dp, "E.ROOT-SERVERS.NET.", "192.203.230.10")) goto failed;
@@ -144,7 +144,7 @@ compile_time_root_prime(int do_ip4, int do_ip6)
}
if(do_ip6) {
if(!ah(dp, "A.ROOT-SERVERS.NET.", "2001:503:ba3e::2:30")) goto failed;
- if(!ah(dp, "B.ROOT-SERVERS.NET.", "2001:500:200::b")) goto failed;
+ if(!ah(dp, "B.ROOT-SERVERS.NET.", "2801:1b8:10::b")) goto failed;
if(!ah(dp, "C.ROOT-SERVERS.NET.", "2001:500:2::c")) goto failed;
if(!ah(dp, "D.ROOT-SERVERS.NET.", "2001:500:2d::d")) goto failed;
if(!ah(dp, "E.ROOT-SERVERS.NET.", "2001:500:a8::e")) goto failed;
--
2.43.0


@ -1,4 +1,4 @@
From ecfc3a96a0d38cc31fb871d98789467434c7afda Mon Sep 17 00:00:00 2001 From 135a7be6a2b30b74a9fc239adac45f08ad4eace7 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com> From: Petr Mensik <pemensik@redhat.com>
Date: Fri, 10 Nov 2023 12:58:31 +0100 Date: Fri, 10 Nov 2023 12:58:31 +0100
Subject: [PATCH] Customize unbound.conf for Fedora defaults Subject: [PATCH] Customize unbound.conf for Fedora defaults
@ -7,13 +7,13 @@ Set some Fedora/RHEL specific changes to example configuration file. By
patching upstream provided config file we would not need to manually patching upstream provided config file we would not need to manually
update external copy in source RPM. update external copy in source RPM.
--- ---
unbound-1.19.0/doc/example.conf.in | 205 ++++++++++++++++++----------- unbound-1.20.0/doc/example.conf.in | 199 +++++++++++++++++++----------
1 file changed, 131 insertions(+), 74 deletions(-) 1 file changed, 128 insertions(+), 71 deletions(-)
diff --git a/unbound-1.19.0/doc/example.conf.in b/unbound-1.19.0/doc/example.conf.in diff --git a/unbound-1.20.0/doc/example.conf.in b/unbound-1.20.0/doc/example.conf.in
index fe0dde6..b79a322 100644 index 0368c8d..5873db5 100644
--- a/unbound-1.19.0/doc/example.conf.in --- a/unbound-1.20.0/doc/example.conf.in
+++ b/unbound-1.19.0/doc/example.conf.in +++ b/unbound-1.20.0/doc/example.conf.in
@@ -17,11 +17,12 @@ server: @@ -17,11 +17,12 @@ server:
# whitespace is not necessary, but looks cleaner. # whitespace is not necessary, but looks cleaner.
@ -120,7 +120,7 @@ index fe0dde6..b79a322 100644
# use IP_FREEBIND so the interface: addresses can be non-local # use IP_FREEBIND so the interface: addresses can be non-local
# and you can bind to nonexisting IPs and interfaces that are down. # and you can bind to nonexisting IPs and interfaces that are down.
@@ -256,6 +275,8 @@ server: @@ -276,6 +295,8 @@ server:
# nat64-prefix: 64:ff9b::0/96 # nat64-prefix: 64:ff9b::0/96
# Enable UDP, "yes" or "no". # Enable UDP, "yes" or "no".
@ -129,16 +129,16 @@ index fe0dde6..b79a322 100644
# do-udp: yes # do-udp: yes
# Enable TCP, "yes" or "no". # Enable TCP, "yes" or "no".
@@ -281,7 +302,7 @@ server: @@ -301,7 +322,7 @@ server:
# tcp-idle-timeout: 30000 # tcp-idle-timeout: 30000
# Enable EDNS TCP keepalive option. # Enable EDNS TCP keepalive option.
- # edns-tcp-keepalive: no - # edns-tcp-keepalive: no
+ edns-tcp-keepalive: yes + edns-tcp-keepalive: yes
# Timeout for EDNS TCP keepalive, in msec. # Timeout for EDNS TCP keepalive, in msec. Overrides tcp-idle-timeout
# edns-tcp-keepalive-timeout: 120000 # if edns-tcp-keepalive is set.
@@ -290,6 +311,9 @@ server: @@ -311,6 +332,9 @@ server:
# can be dropped. Default is 0, disabled. In seconds, such as 3. # can be dropped. Default is 0, disabled. In seconds, such as 3.
# sock-queue-timeout: 0 # sock-queue-timeout: 0
@ -148,7 +148,7 @@ index fe0dde6..b79a322 100644
# Use systemd socket activation for UDP, TCP, and control sockets. # Use systemd socket activation for UDP, TCP, and control sockets.
# use-systemd: no # use-systemd: no
@@ -402,6 +426,7 @@ server: @@ -424,6 +448,7 @@ server:
# #
# If you give "" no chroot is performed. The path must not end in a /. # If you give "" no chroot is performed. The path must not end in a /.
# chroot: "@UNBOUND_CHROOT_DIR@" # chroot: "@UNBOUND_CHROOT_DIR@"
@ -156,7 +156,7 @@ index fe0dde6..b79a322 100644
# if given, user privileges are dropped (after binding port), # if given, user privileges are dropped (after binding port),
# and the given username is assumed. Default is user "unbound". # and the given username is assumed. Default is user "unbound".
@@ -413,7 +438,7 @@ server: @@ -435,7 +460,7 @@ server:
# is not changed. # is not changed.
# If you give a server: directory: dir before include: file statements # If you give a server: directory: dir before include: file statements
# then those includes can be relative to the working directory. # then those includes can be relative to the working directory.
@ -165,7 +165,7 @@ index fe0dde6..b79a322 100644
# the log file, "" means log to stderr. # the log file, "" means log to stderr.
# Use of this option sets use-syslog to "no". # Use of this option sets use-syslog to "no".
@@ -428,7 +453,7 @@ server: @@ -450,7 +475,7 @@ server:
# log-identity: "" # log-identity: ""
# print UTC timestamp in ascii to logfile, default is epoch in seconds. # print UTC timestamp in ascii to logfile, default is epoch in seconds.
@ -174,7 +174,7 @@ index fe0dde6..b79a322 100644
# print one line with time, IP, name, type, class for every query. # print one line with time, IP, name, type, class for every query.
# log-queries: no # log-queries: no
@@ -497,22 +522,22 @@ server: @@ -522,22 +547,22 @@ server:
# harden-large-queries: no # harden-large-queries: no
# Harden against out of zone rrsets, to avoid spoofing attempts. # Harden against out of zone rrsets, to avoid spoofing attempts.
@ -201,7 +201,7 @@ index fe0dde6..b79a322 100644
# Harden against algorithm downgrade when multiple algorithms are # Harden against algorithm downgrade when multiple algorithms are
# advertised in the DS record. If no, allows the weakest algorithm # advertised in the DS record. If no, allows the weakest algorithm
@@ -526,7 +551,7 @@ server: @@ -551,7 +576,7 @@ server:
# Sent minimum amount of information to upstream servers to enhance # Sent minimum amount of information to upstream servers to enhance
# privacy. Only sent minimum required labels of the QNAME and set QTYPE # privacy. Only sent minimum required labels of the QNAME and set QTYPE
# to A when possible. # to A when possible.
@ -210,7 +210,7 @@ index fe0dde6..b79a322 100644
# QNAME minimisation in strict mode. Do not fall-back to sending full # QNAME minimisation in strict mode. Do not fall-back to sending full
# QNAME to potentially broken nameservers. A lot of domains will not be # QNAME to potentially broken nameservers. A lot of domains will not be
@@ -536,7 +561,7 @@ server: @@ -561,7 +586,7 @@ server:
# Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
# and other denials, using information from previous NXDOMAINs answers. # and other denials, using information from previous NXDOMAINs answers.
@ -219,7 +219,7 @@ index fe0dde6..b79a322 100644
# Use 0x20-encoded random bits in the query to foil spoof attempts. # Use 0x20-encoded random bits in the query to foil spoof attempts.
# This feature is an experimental implementation of draft dns-0x20. # This feature is an experimental implementation of draft dns-0x20.
@@ -569,7 +594,7 @@ server: @@ -594,7 +619,7 @@ server:
# threshold, a warning is printed and a defensive action is taken, # threshold, a warning is printed and a defensive action is taken,
# the cache is cleared to flush potential poison out of it. # the cache is cleared to flush potential poison out of it.
# A suggested value is 10000000, the default is 0 (turned off). # A suggested value is 10000000, the default is 0 (turned off).
@ -228,7 +228,7 @@ index fe0dde6..b79a322 100644
# Do not query the following addresses. No DNS queries are sent there. # Do not query the following addresses. No DNS queries are sent there.
# List one address per entry. List classless netblocks with /size, # List one address per entry. List classless netblocks with /size,
@@ -581,20 +606,20 @@ server: @@ -606,20 +631,20 @@ server:
# do-not-query-localhost: yes # do-not-query-localhost: yes
# if yes, perform prefetching of almost expired message cache entries. # if yes, perform prefetching of almost expired message cache entries.
@ -254,7 +254,7 @@ index fe0dde6..b79a322 100644
# true to disable DNSSEC lameness check in iterator. # true to disable DNSSEC lameness check in iterator.
# disable-dnssec-lame-check: no # disable-dnssec-lame-check: no
@@ -604,7 +629,9 @@ server: @@ -629,7 +654,9 @@ server:
# most modules have to be listed at the beginning of the line, # most modules have to be listed at the beginning of the line,
# except cachedb(just before iterator), and python (at the beginning, # except cachedb(just before iterator), and python (at the beginning,
# or, just before the iterator). # or, just before the iterator).
@ -265,7 +265,7 @@ index fe0dde6..b79a322 100644
# File with trusted keys, kept uptodate using RFC5011 probes, # File with trusted keys, kept uptodate using RFC5011 probes,
# initial file like trust-anchor-file, then it stores metadata. # initial file like trust-anchor-file, then it stores metadata.
@@ -618,10 +645,10 @@ server: @@ -643,10 +670,10 @@ server:
# auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
# trust anchor signaling sends a RFC8145 key tag query after priming. # trust anchor signaling sends a RFC8145 key tag query after priming.
@ -278,7 +278,7 @@ index fe0dde6..b79a322 100644
# File with trusted keys for validation. Specify more than one file # File with trusted keys for validation. Specify more than one file
# with several entries, one file per entry. # with several entries, one file per entry.
@@ -642,6 +669,9 @@ server: @@ -667,6 +694,9 @@ server:
# the trusted-keys { name flag proto algo "key"; }; clauses are read. # the trusted-keys { name flag proto algo "key"; }; clauses are read.
# you need external update procedures to track changes in keys. # you need external update procedures to track changes in keys.
# trusted-keys-file: "" # trusted-keys-file: ""
@ -288,7 +288,7 @@ index fe0dde6..b79a322 100644
# Ignore chain of trust. Domain is treated as insecure. # Ignore chain of trust. Domain is treated as insecure.
# domain-insecure: "example.com" # domain-insecure: "example.com"
@@ -669,14 +699,15 @@ server: @@ -694,14 +724,15 @@ server:
# unsecure data. Useful to shield the users of this validator from # unsecure data. Useful to shield the users of this validator from
# potential bogus data in the additional section. All unsigned data # potential bogus data in the additional section. All unsigned data
# in the additional section is removed from secure messages. # in the additional section is removed from secure messages.
@ -306,7 +306,7 @@ index fe0dde6..b79a322 100644
# Ignore the CD flag in incoming queries and refuse them bogus data. # Ignore the CD flag in incoming queries and refuse them bogus data.
# Enable it if the only clients of Unbound are legacy servers (w2008) # Enable it if the only clients of Unbound are legacy servers (w2008)
@@ -690,11 +721,11 @@ server: @@ -715,11 +746,11 @@ server:
# Serve expired responses from cache, with serve-expired-reply-ttl in # Serve expired responses from cache, with serve-expired-reply-ttl in
# the response, and then attempt to fetch the data afresh. # the response, and then attempt to fetch the data afresh.
@ -320,7 +320,7 @@ index fe0dde6..b79a322 100644
# #
# Set the TTL of expired records to the serve-expired-ttl value after a # Set the TTL of expired records to the serve-expired-ttl value after a
# failed attempt to retrieve the record from upstream. This makes sure # failed attempt to retrieve the record from upstream. This makes sure
@@ -721,7 +752,7 @@ server: @@ -746,7 +777,7 @@ server:
# Have the validator log failed validations for your diagnosis. # Have the validator log failed validations for your diagnosis.
# 0: off. 1: A line per failed user query. 2: With reason and bad IP. # 0: off. 1: A line per failed user query. 2: With reason and bad IP.
@ -329,7 +329,7 @@ index fe0dde6..b79a322 100644
# It is possible to configure NSEC3 maximum iteration counts per # It is possible to configure NSEC3 maximum iteration counts per
# keysize. Keep this table very short, as linear search is done. # keysize. Keep this table very short, as linear search is done.
@@ -865,6 +896,8 @@ server: @@ -890,6 +921,8 @@ server:
# you need to do the reverse notation yourself. # you need to do the reverse notation yourself.
# local-data-ptr: "192.0.2.3 www.example.com" # local-data-ptr: "192.0.2.3 www.example.com"
@ -338,7 +338,7 @@ index fe0dde6..b79a322 100644
# tag a localzone with a list of tag names (in "" with spaces between) # tag a localzone with a list of tag names (in "" with spaces between)
# local-zone-tag: "example.com" "tag2 tag3" # local-zone-tag: "example.com" "tag2 tag3"
@@ -875,8 +908,8 @@ server: @@ -900,8 +933,8 @@ server:
# the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
# Give the certificate to use and private key. # Give the certificate to use and private key.
# default is "" (disabled). requires restart to take effect. # default is "" (disabled). requires restart to take effect.
@ -349,7 +349,7 @@ index fe0dde6..b79a322 100644
# tls-port: 853 # tls-port: 853
# https-port: 443 # https-port: 443
@@ -884,6 +917,8 @@ server: @@ -909,6 +942,8 @@ server:
# tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
# cipher setting for TLSv1.3 # cipher setting for TLSv1.3
# tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
@ -358,8 +358,8 @@ index fe0dde6..b79a322 100644
# Pad responses to padded queries received over TLS # Pad responses to padded queries received over TLS
# pad-responses: yes # pad-responses: yes
@@ -1005,12 +1040,12 @@ server: @@ -1045,12 +1080,12 @@ server:
# fast-server-num: 3 # cookie-secret: <128 bit random hex string>
# Enable to attach Extended DNS Error codes (RFC8914) to responses. # Enable to attach Extended DNS Error codes (RFC8914) to responses.
- # ede: no - # ede: no
@ -373,7 +373,7 @@ index fe0dde6..b79a322 100644
# Specific options for ipsecmod. Unbound needs to be configured with # Specific options for ipsecmod. Unbound needs to be configured with
# --enable-ipsecmod for these to take effect. # --enable-ipsecmod for these to take effect.
@@ -1018,12 +1053,14 @@ server: @@ -1058,12 +1093,14 @@ server:
# Enable or disable ipsecmod (it still needs to be defined in # Enable or disable ipsecmod (it still needs to be defined in
# module-config above). Can be used when ipsecmod needs to be # module-config above). Can be used when ipsecmod needs to be
# enabled/disabled via remote-control(below). # enabled/disabled via remote-control(below).
@ -391,7 +391,7 @@ index fe0dde6..b79a322 100644
# When enabled Unbound will reply with SERVFAIL if the return value of # When enabled Unbound will reply with SERVFAIL if the return value of
# the ipsecmod-hook is not 0. # the ipsecmod-hook is not 0.
# ipsecmod-strict: no # ipsecmod-strict: no
@@ -1056,7 +1093,7 @@ server: @@ -1096,7 +1133,7 @@ server:
# o and give a python-script to run. # o and give a python-script to run.
python: python:
# Script file to load # Script file to load
@ -400,7 +400,7 @@ index fe0dde6..b79a322 100644
# Dynamic library config section. To enable: # Dynamic library config section. To enable:
# o use --with-dynlibmodule to configure before compiling. # o use --with-dynlibmodule to configure before compiling.
@@ -1067,13 +1104,18 @@ python: @@ -1107,13 +1144,18 @@ python:
# the module-config then you need one dynlib-file per instance. # the module-config then you need one dynlib-file per instance.
dynlib: dynlib:
# Script file to load # Script file to load
@ -421,7 +421,7 @@ index fe0dde6..b79a322 100644
# what interfaces are listened to for remote control. # what interfaces are listened to for remote control.
# give 0.0.0.0 and ::0 to listen to all interfaces. # give 0.0.0.0 and ::0 to listen to all interfaces.
@@ -1087,19 +1129,22 @@ remote-control: @@ -1127,19 +1169,22 @@ remote-control:
# for localhost, you can disable use of TLS by setting this to "no" # for localhost, you can disable use of TLS by setting this to "no"
# For local sockets this option is ignored, and TLS is not used. # For local sockets this option is ignored, and TLS is not used.
@ -449,7 +449,7 @@ index fe0dde6..b79a322 100644
# Stub zones. # Stub zones.
# Create entries like below, to make all queries for 'example.com' and # Create entries like below, to make all queries for 'example.com' and
@@ -1121,6 +1166,10 @@ remote-control: @@ -1161,6 +1206,10 @@ remote-control:
# name: "example.org" # name: "example.org"
# stub-host: ns.example.com. # stub-host: ns.example.com.
@ -460,7 +460,7 @@ index fe0dde6..b79a322 100644
# Forward zones # Forward zones
# Create entries like below, to make all queries for 'example.com' and # Create entries like below, to make all queries for 'example.com' and
# 'example.org' go to the given list of servers. These servers have to handle # 'example.org' go to the given list of servers. These servers have to handle
@@ -1138,6 +1187,10 @@ remote-control: @@ -1178,6 +1227,10 @@ remote-control:
# forward-zone: # forward-zone:
# name: "example.org" # name: "example.org"
# forward-host: fwd.example.com # forward-host: fwd.example.com
@ -471,16 +471,13 @@ index fe0dde6..b79a322 100644
# Authority zones # Authority zones
# The data for these zones is kept locally, from a file or downloaded. # The data for these zones is kept locally, from a file or downloaded.
@@ -1145,30 +1198,31 @@ remote-control: @@ -1188,27 +1241,28 @@ remote-control:
# upstream (which saves a lookup to the upstream). The first example # download it), primary: fetches with AXFR and IXFR, or url to zonefile.
# has a copy of the root for local usage. The second serves example.org # With allow-notify: you can give additional (apart from primaries and urls)
# authoritatively. zonefile: reads from file (and writes to it if you also # sources of notifies.
-# download it), primary: fetches with AXFR and IXFR, or url to zonefile.
-# With allow-notify: you can give additional (apart from primaries and urls)
-# sources of notifies.
-# auth-zone: -# auth-zone:
-# name: "." -# name: "."
-# primary: 199.9.14.201 # b.root-servers.net -# primary: 170.247.170.2 # b.root-servers.net
-# primary: 192.33.4.12 # c.root-servers.net -# primary: 192.33.4.12 # c.root-servers.net
-# primary: 199.7.91.13 # d.root-servers.net -# primary: 199.7.91.13 # d.root-servers.net
-# primary: 192.5.5.241 # f.root-servers.net -# primary: 192.5.5.241 # f.root-servers.net
@ -488,7 +485,7 @@ index fe0dde6..b79a322 100644
-# primary: 193.0.14.129 # k.root-servers.net -# primary: 193.0.14.129 # k.root-servers.net
-# primary: 192.0.47.132 # xfr.cjr.dns.icann.org -# primary: 192.0.47.132 # xfr.cjr.dns.icann.org
-# primary: 192.0.32.132 # xfr.lax.dns.icann.org -# primary: 192.0.32.132 # xfr.lax.dns.icann.org
-# primary: 2001:500:200::b # b.root-servers.net -# primary: 2801:1b8:10::b # b.root-servers.net
-# primary: 2001:500:2::c # c.root-servers.net -# primary: 2001:500:2::c # c.root-servers.net
-# primary: 2001:500:2d::d # d.root-servers.net -# primary: 2001:500:2d::d # d.root-servers.net
-# primary: 2001:500:2f::f # f.root-servers.net -# primary: 2001:500:2f::f # f.root-servers.net
@ -499,12 +496,9 @@ index fe0dde6..b79a322 100644
-# fallback-enabled: yes -# fallback-enabled: yes
-# for-downstream: no -# for-downstream: no
-# for-upstream: yes -# for-upstream: yes
+# download it), master: fetches with AXFR and IXFR, or url to zonefile.
+# With allow-notify: you can give additional (apart from masters) sources of
+# notifies.
+auth-zone: +auth-zone:
+ name: "." + name: "."
+ primary: 199.9.14.201 # b.root-servers.net + primary: 170.247.170.2 # b.root-servers.net
+ primary: 192.33.4.12 # c.root-servers.net + primary: 192.33.4.12 # c.root-servers.net
+ primary: 199.7.91.13 # d.root-servers.net + primary: 199.7.91.13 # d.root-servers.net
+ primary: 192.5.5.241 # f.root-servers.net + primary: 192.5.5.241 # f.root-servers.net
@ -512,7 +506,7 @@ index fe0dde6..b79a322 100644
+ primary: 193.0.14.129 # k.root-servers.net + primary: 193.0.14.129 # k.root-servers.net
+ primary: 192.0.47.132 # xfr.cjr.dns.icann.org + primary: 192.0.47.132 # xfr.cjr.dns.icann.org
+ primary: 192.0.32.132 # xfr.lax.dns.icann.org + primary: 192.0.32.132 # xfr.lax.dns.icann.org
+ primary: 2001:500:200::b # b.root-servers.net + primary: 2801:1b8:10::b # b.root-servers.net
+ primary: 2001:500:2::c # c.root-servers.net + primary: 2001:500:2::c # c.root-servers.net
+ primary: 2001:500:2d::d # d.root-servers.net + primary: 2001:500:2d::d # d.root-servers.net
+ primary: 2001:500:2f::f # f.root-servers.net + primary: 2001:500:2f::f # f.root-servers.net
@ -527,7 +521,7 @@ index fe0dde6..b79a322 100644
# auth-zone: # auth-zone:
# name: "example.org" # name: "example.org"
# for-downstream: yes # for-downstream: yes
@@ -1194,6 +1248,9 @@ remote-control: @@ -1234,6 +1288,9 @@ remote-control:
# name: "anotherview" # name: "anotherview"
# local-zone: "example.com" refuse # local-zone: "example.com" refuse
@ -537,7 +531,7 @@ index fe0dde6..b79a322 100644
# DNSCrypt # DNSCrypt
# To enable, use --enable-dnscrypt to configure before compiling. # To enable, use --enable-dnscrypt to configure before compiling.
# Caveats: # Caveats:
@@ -1266,7 +1323,7 @@ remote-control: @@ -1309,7 +1366,7 @@ remote-control:
# dnstap-enable: no # dnstap-enable: no
# # if set to yes frame streams will be used in bidirectional mode # # if set to yes frame streams will be used in bidirectional mode
# dnstap-bidirectional: yes # dnstap-bidirectional: yes
@ -547,5 +541,5 @@ index fe0dde6..b79a322 100644
# # set it to "IPaddress[@port]" of the destination. # # set it to "IPaddress[@port]" of the destination.
# dnstap-ip: "" # dnstap-ip: ""
-- --
2.41.0 2.45.2
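Review bot: The downstream default `edns-tcp-keepalive: yes` is carried over unchanged in the hunk at `@@ -301,7 +322,7 @@ server:`, but the upstream comment next to it now reads "Overrides tcp-idle-timeout if edns-tcp-keepalive is set", and the patch does not record that interaction. With keepalive on, the idle lifetime of client TCP connections would follow `edns-tcp-keepalive-timeout` (shown commented as 120000 msec) instead of `tcp-idle-timeout` (shown commented as 30000 msec), which matters for how long idle connections can occupy TCP slots. I would add one comment line above the setting in the patch, for example `# Fedora: enabled; idle time then follows edns-tcp-keepalive-timeout, not tcp-idle-timeout`. Whether 1.20.0 changed the behaviour or only the wording cannot be told from this page, so this is worth confirming against the upstream changelog.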


@ -30,7 +30,7 @@
Summary: Validating, recursive, and caching DNS(SEC) resolver Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound Name: unbound
Version: 1.19.0 Version: 1.20.0
Release: %autorelease %{?extra_version:-e %{extra_version}} Release: %autorelease %{?extra_version:-e %{extra_version}}
License: BSD-3-Clause License: BSD-3-Clause
Url: https://nlnetlabs.nl/projects/unbound/ Url: https://nlnetlabs.nl/projects/unbound/
@ -57,11 +57,6 @@ Source20: unbound.sysusers
# Downstream configuration changes # Downstream configuration changes
Patch1: unbound-fedora-config.patch Patch1: unbound-fedora-config.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2253461
# https://github.com/NLnetLabs/unbound/commit/a8739bad76d4d179290627e989c7ef236345bda6
Patch2: unbound-1.19-b.root-servers.net.patch
# https://github.com/NLnetLabs/unbound/pull/993
Patch3: unbound-1.19-b.root-servers.net-conf.patch
BuildRequires: gcc, make BuildRequires: gcc, make
BuildRequires: flex, openssl-devel BuildRequires: flex, openssl-devel