* Tue Sep 27 2016 Paul Wouters <pwouters@redhat.com> - 1.5.10-1

- Updated to 1.5.10 (better TCP handling, bugfixes) - Install pkgconfig file in -devel package - Updated unbound.conf
2016-09-27 19:26:26 -04:00 · 2016-09-27 19:26:26 -04:00 · be41633bf0
commit be41633bf0
parent b2ddf2a810
2 changed files with 68 additions and 19 deletions
--- a/unbound.conf
+++ b/unbound.conf
@ -1,7 +1,7 @@
 #
 # Example configuration file.
 #
-# See unbound.conf(5) man page, version 1.5.8.
+# See unbound.conf(5) man page, version 1.5.10.
 #
 # this is a comment.

@ -69,6 +69,15 @@ server:
 	# outgoing-interface: 2001:DB8::5
 	# outgoing-interface: 2001:DB8::6

+	# Specify a netblock to use remainder 64 bits as random bits for
+	# upstream queries.  Uses freebind option (Linux).
+	# outgoing-interface: 2001:DB8::/64
+	# Also (Linux:) ip -6 addr add 2001:db8::/64 dev lo
+	# And: ip -6 route add local 2001:db8::/64 dev lo
+	# And set prefer-ip6: yes to use the ip6 randomness from a netblock.
+	# Set this to yes to prefer ipv6 upstream servers over ipv4.
+	# prefer-ip6: no
+
 	# number of ports to allocate per thread, determines the size of the
 	# port range that can be open simultaneously.  About double the
 	# num-queries-per-thread, or, use as many as the OS will allow you.
@ -84,6 +93,8 @@ server:
 	# Use this to make sure unbound does not grab a UDP port that some
 	# other server on this computer needs. The default is to avoid
 	# IANA-assigned port numbers.
+	# If multiple outgoing-port-permit and outgoing-port-avoid options
+	# are present, they are processed in order.
 	# Our SElinux policy does not allow non-ephemeral ports to be used
 	outgoing-port-avoid: 0-32767

@ -109,6 +120,11 @@ server:
 	# (uses IP_BINDANY on FreeBSD).
 	ip-transparent: yes

+	# use IP_FREEBIND so the interface: addresses can be non-local
+	# and you can bind to nonexisting IPs and interfaces that are down.
+	# Linux only.  On Linux you also have ip-transparent that is similar.
+	# ip-freebind: no
+
 	# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
 	# is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
 	# edns-buffer-size: 4096
@ -175,6 +191,10 @@ server:
 	# the maximum number of hosts that are cached (roundtrip, EDNS, lame).
 	# infra-cache-numhosts: 10000

+	# define a number of tags here, use with local-zone, access-control.
+	# repeat the define-tag statement to add additional tags.
+	# define-tag: "tag1 tag2 tag3"
+
 	# Enable IPv4, "yes" or "no".
 	# do-ip4: yes

@ -217,6 +237,20 @@ server:
 	# access-control: ::1 allow
 	# access-control: ::ffff:127.0.0.1 allow

+	# tag access-control with list of tags (in "" with spaces between)
+	# Clients using this access control element use localzones that
+	# are tagged with one of these tags.
+	# access-control-tag: 192.0.2.0/24 "tag2 tag3"
+
+	# set action for particular tag for given access control element
+	# if you have multiple tag values, the tag used to lookup the action
+	# is the first tag match between access-control-tag and local-zone-tag
+	# where "first" comes from the order of the define-tag values.
+	# access-control-tag-action: 192.0.2.0/24 tag3 refuse
+
+	# set redirect data for particular tag for access control element
+	# access-control-tag-data: 192.0.2.0/24 tag2 "A 127.0.0.1"
+
 	# if given, a chroot(2) is done to the given directory.
 	# i.e. you can chroot to the working directory, for example,
 	# for extra security, but make sure all files are in that directory.
@ -251,6 +285,8 @@ server:
 	# the working directory. The relative files in this config are
 	# relative to this directory. If you give "" the working directory
 	# is not changed.
+	# If you give a server: directory: dir before include: file statements
+	# then those includes can be relative to the working directory.
 	directory: "/etc/unbound"

 	# the log file, "" means log to stderr.
@ -332,12 +368,12 @@ server:

 	# Use 0x20-encoded random bits in the query to foil spoof attempts.
 	# This feature is an experimental implementation of draft dns-0x20.
-	# (enabling used to cause some failures, like on GoDaddy customer domains)
 	# use-caps-for-id: no

 	# Domains (and domains in them) without support for dns-0x20 and
 	# the fallback fails because they keep sending different answers.
 	# caps-whitelist: "licdn.com"
+	# caps-whitelist: "senderbase.org"

 	# Enforce privacy of these addresses. Strips them away from answers.
 	# It may cause DNSSEC validation to additionally mark it as bogus.
@ -385,6 +421,9 @@ server:
 	# into response messages when those sections are not required.
 	minimal-responses: yes

+	# true to disable DNSSEC lameness check in iterator.
+	# disable-dnssec-lame-check: no
+
 	# module configuration of the server. A string with identifiers
 	# separated by spaces. Syntax: "[dns64] [validator] iterator"
 	# module-config: "validator iterator"
@ -410,11 +449,6 @@ server:
 	# Note this gets out of date, use auto-trust-anchor-file please.
 	# trust-anchor-file: ""

-	# File with trusted keys, kept uptodate using RFC5011 probes,
-	# initial file like trust-anchor-file, then it stores metadata.
-	# Use several entries, one per domain name, to track multiple zones.
-	# auto-trust-anchor-file: ""
-
 	# Trusted key for validation. DS or DNSKEY. specify the RR on a
 	# single line, surrounded by "". TTL is ignored. class is IN default.
 	# Note this gets out of date, use auto-trust-anchor-file please.
@ -429,7 +463,6 @@ server:
 	# you need external update procedures to track changes in keys.
 	# trusted-keys-file: ""
 	#
-	# trusted-keys-file: /etc/unbound/rootkey.bind
 	trusted-keys-file: /etc/unbound/keys.d/*.key
 	auto-trust-anchor-file: "/var/lib/unbound/root.key"

@ -490,7 +523,8 @@ server:
 	# If the value 0 is given, missing anchors are not removed.
 	# keep-missing: 31622400 # 366 days

-	# debug option that allows very small holddown times for key rollover
+	# debug option that allows very small holddown times for key rollover,
+	# otherwise the RFC mandates probe intervals must be at least 1 hour.
 	# permit-small-holddown: no

 	# the amount of memory to use for the key cache.
@ -549,7 +583,7 @@ server:
 	# local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
 	# And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.

-	# if unbound is running service for the local host then it is useful
+	# If unbound is running service for the local host then it is useful
 	# to perform lan-wide lookups to the upstream, and unblock the
 	# long list of local-zones above.  If this unbound is a dns server
 	# for a network of computers, disabled is better and stops information
@ -572,6 +606,8 @@ server:
 	# o typetransparent resolves normally for other types and other names
 	# o inform resolves normally, but logs client IP address
 	# o inform_deny drops queries and logs client IP address
+	# o always_transparent, always_refuse, always_nxdomain, resolve in
+	#   that way but ignore local data for that name.
 	#
 	# defaults are localhost address, reverse for 127.0.0.1 and ::1
 	# and nxdomain for AS112 zones. If you configure one of these zones
@ -600,13 +636,19 @@ server:

 	include: /etc/unbound/local.d/*.conf

+	# tag a localzone with a list of tag names (in "" with spaces between)
+	# local-zone-tag: "example.com" "tag2 tag3"
+
+	# add a netblock specific override to a localzone, with zone type
+	# local-zone-override: "example.com" 192.0.2.0/24 refuse
+
 	# service clients over SSL (on the TCP sockets), with plain DNS inside
 	# the SSL stream.  Give the certificate to use and private key.
 	# default is "" (disabled).  requires restart to take effect.
 	# ssl-service-key: "/etc/unbound/unbound_server.key"
 	# ssl-service-pem: "/etc/unbound/unbound_server.pem"
 	# ssl-port: 443
-
+	#
 	# request upstream over SSL (with plain DNS inside the SSL stream).
 	# Default is no.  Can be turned on and off with unbound-control.
 	# ssl-upstream: no
@ -633,7 +675,7 @@ server:
 	# ratelimit-for-domain: example.com 1000
 	# override the ratelimits for all domains below a domain name
 	# can give this multiple times, the name closest to the zone is used.
-	# ratelimit-below-domain: example 1000
+	# ratelimit-below-domain: com 1000

 # Python config section. To enable:
 # o use --with-pythonmodule to configure before compiling.
@ -675,7 +717,6 @@ remote-control:
 	control-cert-file: "/etc/unbound/unbound_control.pem"

 # Stub and Forward zones
-
 include: /etc/unbound/conf.d/*.conf

 # Stub zones.
@ -694,6 +735,7 @@ include: /etc/unbound/conf.d/*.conf
 # stub-zone:
 #	name: "example.org"
 #	stub-host: ns.example.com.
+
 # You can now also dynamically create and delete stub-zone's using
 # unbound-control stub_add domain.com 1.2.3.4 5.6.7.8
 # unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8
--- a/unbound.spec
+++ b/unbound.spec
@ -20,8 +20,8 @@

 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.5.9
-Release: 4%{?extra_version:.%{extra_version}}%{?dist}
+Version: 1.5.10
+Release: 1%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: http://www.nlnetlabs.nl/unbound/
 Source: http://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
@ -44,11 +44,10 @@ Source15: unbound-anchor.timer
 Source16: unbound-munin.README
 Source17: unbound-anchor.service

-Patch1: unbound-1.5.9-iterator.patch
-
 Group: System Environment/Daemons
 BuildRequires: flex, openssl-devel
 BuildRequires: libevent-devel expat-devel
+BuildRequires: pkgconfig
 %if 0%{with_python}
 BuildRequires: python2-devel swig
 %endif # with_python
@ -93,6 +92,7 @@ Plugin for the munin / munin-node monitoring package
 Summary: Development package that includes the unbound header files
 Group: Development/Libraries
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}, openssl-devel
+Requires: pkgconfig

 %description devel
 The devel package contains the unbound library and the include files
@ -137,7 +137,6 @@ Python 3 modules and extensions for unbound
 %prep
 %{?extra_version:%global pkgname %{name}-%{version}%{extra_version}}%{!?extra_version:%global pkgname %{name}-%{version}}
 %setup -qcn %{pkgname}
-%patch1 -p0

 %if 0%{with_python}
 mv %{pkgname} %{pkgname}_python2
@ -245,6 +244,8 @@ pushd %{pkgname}_python2
 # install streamtcp man page
 install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1

+install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc
+
 %if 0%{with_python}
 popd
 %endif # with_python
@ -261,6 +262,7 @@ install -m 0644 %{SOURCE13} %{buildroot}%{_sharedstatedir}/unbound/root.key
 # remove static library from install (fedora packaging guidelines)
 rm %{buildroot}%{_libdir}/*.la

+
 %if 0%{with_python}
 rm %{buildroot}%{python2_sitearch}/*.la
 %endif # with_python
@ -333,7 +335,6 @@ fi
 /bin/systemctl try-restart unbound.service >/dev/null 2>&1 || :
 /bin/systemctl try-restart unbound-keygen.service >/dev/null 2>&1 || :

-
 %check
 %if 0%{with_python}
 pushd %{pkgname}_python2
@ -411,6 +412,7 @@ popd
 %{_libdir}/libunbound.so
 %{_includedir}/unbound.h
 %{_mandir}/man3/*
+%{_libdir}/pkgconfig/*.pc

 %files libs
 %doc doc/README
@ -430,6 +432,11 @@ popd


 %changelog
+* Tue Sep 27 2016 Paul Wouters <pwouters@redhat.com> - 1.5.10-1
+- Updated to 1.5.10 (better TCP handling, bugfixes)
+- Install pkgconfig file in -devel package
+- Updated unbound.conf
+
 * Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.5.9-4
 - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages