* Tue Sep 27 2016 Paul Wouters <pwouters@redhat.com> - 1.5.10-1
- Updated to 1.5.10 (better TCP handling, bugfixes) - Install pkgconfig file in -devel package - Updated unbound.conf
parent
b2ddf2a810
commit
be41633bf0
68
unbound.conf
68
unbound.conf
@ -1,7 +1,7 @@
|
|||||||
#
|
#
|
||||||
# Example configuration file.
|
# Example configuration file.
|
||||||
#
|
#
|
||||||
# See unbound.conf(5) man page, version 1.5.8.
|
# See unbound.conf(5) man page, version 1.5.10.
|
||||||
#
|
#
|
||||||
# this is a comment.
|
# this is a comment.
|
||||||
|
|
||||||
@ -69,6 +69,15 @@ server:
|
|||||||
# outgoing-interface: 2001:DB8::5
|
# outgoing-interface: 2001:DB8::5
|
||||||
# outgoing-interface: 2001:DB8::6
|
# outgoing-interface: 2001:DB8::6
|
||||||
|
|
||||||
|
# Specify a netblock to use remainder 64 bits as random bits for
|
||||||
|
# upstream queries. Uses freebind option (Linux).
|
||||||
|
# outgoing-interface: 2001:DB8::/64
|
||||||
|
# Also (Linux:) ip -6 addr add 2001:db8::/64 dev lo
|
||||||
|
# And: ip -6 route add local 2001:db8::/64 dev lo
|
||||||
|
# And set prefer-ip6: yes to use the ip6 randomness from a netblock.
|
||||||
|
# Set this to yes to prefer ipv6 upstream servers over ipv4.
|
||||||
|
# prefer-ip6: no
|
||||||
|
|
||||||
# number of ports to allocate per thread, determines the size of the
|
# number of ports to allocate per thread, determines the size of the
|
||||||
# port range that can be open simultaneously. About double the
|
# port range that can be open simultaneously. About double the
|
||||||
# num-queries-per-thread, or, use as many as the OS will allow you.
|
# num-queries-per-thread, or, use as many as the OS will allow you.
|
||||||
@ -84,6 +93,8 @@ server:
|
|||||||
# Use this to make sure unbound does not grab a UDP port that some
|
# Use this to make sure unbound does not grab a UDP port that some
|
||||||
# other server on this computer needs. The default is to avoid
|
# other server on this computer needs. The default is to avoid
|
||||||
# IANA-assigned port numbers.
|
# IANA-assigned port numbers.
|
||||||
|
# If multiple outgoing-port-permit and outgoing-port-avoid options
|
||||||
|
# are present, they are processed in order.
|
||||||
# Our SElinux policy does not allow non-ephemeral ports to be used
|
# Our SElinux policy does not allow non-ephemeral ports to be used
|
||||||
outgoing-port-avoid: 0-32767
|
outgoing-port-avoid: 0-32767
|
||||||
|
|
||||||
@ -109,6 +120,11 @@ server:
|
|||||||
# (uses IP_BINDANY on FreeBSD).
|
# (uses IP_BINDANY on FreeBSD).
|
||||||
ip-transparent: yes
|
ip-transparent: yes
|
||||||
|
|
||||||
|
# use IP_FREEBIND so the interface: addresses can be non-local
|
||||||
|
# and you can bind to nonexisting IPs and interfaces that are down.
|
||||||
|
# Linux only. On Linux you also have ip-transparent that is similar.
|
||||||
|
# ip-freebind: no
|
||||||
|
|
||||||
# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
|
# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
|
||||||
# is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
|
# is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
|
||||||
# edns-buffer-size: 4096
|
# edns-buffer-size: 4096
|
||||||
@ -175,6 +191,10 @@ server:
|
|||||||
# the maximum number of hosts that are cached (roundtrip, EDNS, lame).
|
# the maximum number of hosts that are cached (roundtrip, EDNS, lame).
|
||||||
# infra-cache-numhosts: 10000
|
# infra-cache-numhosts: 10000
|
||||||
|
|
||||||
|
# define a number of tags here, use with local-zone, access-control.
|
||||||
|
# repeat the define-tag statement to add additional tags.
|
||||||
|
# define-tag: "tag1 tag2 tag3"
|
||||||
|
|
||||||
# Enable IPv4, "yes" or "no".
|
# Enable IPv4, "yes" or "no".
|
||||||
# do-ip4: yes
|
# do-ip4: yes
|
||||||
|
|
||||||
@ -217,6 +237,20 @@ server:
|
|||||||
# access-control: ::1 allow
|
# access-control: ::1 allow
|
||||||
# access-control: ::ffff:127.0.0.1 allow
|
# access-control: ::ffff:127.0.0.1 allow
|
||||||
|
|
||||||
|
# tag access-control with list of tags (in "" with spaces between)
|
||||||
|
# Clients using this access control element use localzones that
|
||||||
|
# are tagged with one of these tags.
|
||||||
|
# access-control-tag: 192.0.2.0/24 "tag2 tag3"
|
||||||
|
|
||||||
|
# set action for particular tag for given access control element
|
||||||
|
# if you have multiple tag values, the tag used to lookup the action
|
||||||
|
# is the first tag match between access-control-tag and local-zone-tag
|
||||||
|
# where "first" comes from the order of the define-tag values.
|
||||||
|
# access-control-tag-action: 192.0.2.0/24 tag3 refuse
|
||||||
|
|
||||||
|
# set redirect data for particular tag for access control element
|
||||||
|
# access-control-tag-data: 192.0.2.0/24 tag2 "A 127.0.0.1"
|
||||||
|
|
||||||
# if given, a chroot(2) is done to the given directory.
|
# if given, a chroot(2) is done to the given directory.
|
||||||
# i.e. you can chroot to the working directory, for example,
|
# i.e. you can chroot to the working directory, for example,
|
||||||
# for extra security, but make sure all files are in that directory.
|
# for extra security, but make sure all files are in that directory.
|
||||||
@ -251,6 +285,8 @@ server:
|
|||||||
# the working directory. The relative files in this config are
|
# the working directory. The relative files in this config are
|
||||||
# relative to this directory. If you give "" the working directory
|
# relative to this directory. If you give "" the working directory
|
||||||
# is not changed.
|
# is not changed.
|
||||||
|
# If you give a server: directory: dir before include: file statements
|
||||||
|
# then those includes can be relative to the working directory.
|
||||||
directory: "/etc/unbound"
|
directory: "/etc/unbound"
|
||||||
|
|
||||||
# the log file, "" means log to stderr.
|
# the log file, "" means log to stderr.
|
||||||
@ -332,12 +368,12 @@ server:
|
|||||||
|
|
||||||
# Use 0x20-encoded random bits in the query to foil spoof attempts.
|
# Use 0x20-encoded random bits in the query to foil spoof attempts.
|
||||||
# This feature is an experimental implementation of draft dns-0x20.
|
# This feature is an experimental implementation of draft dns-0x20.
|
||||||
# (enabling used to cause some failures, like on GoDaddy customer domains)
|
|
||||||
# use-caps-for-id: no
|
# use-caps-for-id: no
|
||||||
|
|
||||||
# Domains (and domains in them) without support for dns-0x20 and
|
# Domains (and domains in them) without support for dns-0x20 and
|
||||||
# the fallback fails because they keep sending different answers.
|
# the fallback fails because they keep sending different answers.
|
||||||
# caps-whitelist: "licdn.com"
|
# caps-whitelist: "licdn.com"
|
||||||
|
# caps-whitelist: "senderbase.org"
|
||||||
|
|
||||||
# Enforce privacy of these addresses. Strips them away from answers.
|
# Enforce privacy of these addresses. Strips them away from answers.
|
||||||
# It may cause DNSSEC validation to additionally mark it as bogus.
|
# It may cause DNSSEC validation to additionally mark it as bogus.
|
||||||
@ -385,6 +421,9 @@ server:
|
|||||||
# into response messages when those sections are not required.
|
# into response messages when those sections are not required.
|
||||||
minimal-responses: yes
|
minimal-responses: yes
|
||||||
|
|
||||||
|
# true to disable DNSSEC lameness check in iterator.
|
||||||
|
# disable-dnssec-lame-check: no
|
||||||
|
|
||||||
# module configuration of the server. A string with identifiers
|
# module configuration of the server. A string with identifiers
|
||||||
# separated by spaces. Syntax: "[dns64] [validator] iterator"
|
# separated by spaces. Syntax: "[dns64] [validator] iterator"
|
||||||
# module-config: "validator iterator"
|
# module-config: "validator iterator"
|
||||||
@ -410,11 +449,6 @@ server:
|
|||||||
# Note this gets out of date, use auto-trust-anchor-file please.
|
# Note this gets out of date, use auto-trust-anchor-file please.
|
||||||
# trust-anchor-file: ""
|
# trust-anchor-file: ""
|
||||||
|
|
||||||
# File with trusted keys, kept uptodate using RFC5011 probes,
|
|
||||||
# initial file like trust-anchor-file, then it stores metadata.
|
|
||||||
# Use several entries, one per domain name, to track multiple zones.
|
|
||||||
# auto-trust-anchor-file: ""
|
|
||||||
|
|
||||||
# Trusted key for validation. DS or DNSKEY. specify the RR on a
|
# Trusted key for validation. DS or DNSKEY. specify the RR on a
|
||||||
# single line, surrounded by "". TTL is ignored. class is IN default.
|
# single line, surrounded by "". TTL is ignored. class is IN default.
|
||||||
# Note this gets out of date, use auto-trust-anchor-file please.
|
# Note this gets out of date, use auto-trust-anchor-file please.
|
||||||
@ -429,7 +463,6 @@ server:
|
|||||||
# you need external update procedures to track changes in keys.
|
# you need external update procedures to track changes in keys.
|
||||||
# trusted-keys-file: ""
|
# trusted-keys-file: ""
|
||||||
#
|
#
|
||||||
# trusted-keys-file: /etc/unbound/rootkey.bind
|
|
||||||
trusted-keys-file: /etc/unbound/keys.d/*.key
|
trusted-keys-file: /etc/unbound/keys.d/*.key
|
||||||
auto-trust-anchor-file: "/var/lib/unbound/root.key"
|
auto-trust-anchor-file: "/var/lib/unbound/root.key"
|
||||||
|
|
||||||
@ -490,7 +523,8 @@ server:
|
|||||||
# If the value 0 is given, missing anchors are not removed.
|
# If the value 0 is given, missing anchors are not removed.
|
||||||
# keep-missing: 31622400 # 366 days
|
# keep-missing: 31622400 # 366 days
|
||||||
|
|
||||||
# debug option that allows very small holddown times for key rollover
|
# debug option that allows very small holddown times for key rollover,
|
||||||
|
# otherwise the RFC mandates probe intervals must be at least 1 hour.
|
||||||
# permit-small-holddown: no
|
# permit-small-holddown: no
|
||||||
|
|
||||||
# the amount of memory to use for the key cache.
|
# the amount of memory to use for the key cache.
|
||||||
@ -549,7 +583,7 @@ server:
|
|||||||
# local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
|
# local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
|
||||||
# And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
|
# And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
|
||||||
|
|
||||||
# if unbound is running service for the local host then it is useful
|
# If unbound is running service for the local host then it is useful
|
||||||
# to perform lan-wide lookups to the upstream, and unblock the
|
# to perform lan-wide lookups to the upstream, and unblock the
|
||||||
# long list of local-zones above. If this unbound is a dns server
|
# long list of local-zones above. If this unbound is a dns server
|
||||||
# for a network of computers, disabled is better and stops information
|
# for a network of computers, disabled is better and stops information
|
||||||
@ -572,6 +606,8 @@ server:
|
|||||||
# o typetransparent resolves normally for other types and other names
|
# o typetransparent resolves normally for other types and other names
|
||||||
# o inform resolves normally, but logs client IP address
|
# o inform resolves normally, but logs client IP address
|
||||||
# o inform_deny drops queries and logs client IP address
|
# o inform_deny drops queries and logs client IP address
|
||||||
|
# o always_transparent, always_refuse, always_nxdomain, resolve in
|
||||||
|
# that way but ignore local data for that name.
|
||||||
#
|
#
|
||||||
# defaults are localhost address, reverse for 127.0.0.1 and ::1
|
# defaults are localhost address, reverse for 127.0.0.1 and ::1
|
||||||
# and nxdomain for AS112 zones. If you configure one of these zones
|
# and nxdomain for AS112 zones. If you configure one of these zones
|
||||||
@ -600,13 +636,19 @@ server:
|
|||||||
|
|
||||||
include: /etc/unbound/local.d/*.conf
|
include: /etc/unbound/local.d/*.conf
|
||||||
|
|
||||||
|
# tag a localzone with a list of tag names (in "" with spaces between)
|
||||||
|
# local-zone-tag: "example.com" "tag2 tag3"
|
||||||
|
|
||||||
|
# add a netblock specific override to a localzone, with zone type
|
||||||
|
# local-zone-override: "example.com" 192.0.2.0/24 refuse
|
||||||
|
|
||||||
# service clients over SSL (on the TCP sockets), with plain DNS inside
|
# service clients over SSL (on the TCP sockets), with plain DNS inside
|
||||||
# the SSL stream. Give the certificate to use and private key.
|
# the SSL stream. Give the certificate to use and private key.
|
||||||
# default is "" (disabled). requires restart to take effect.
|
# default is "" (disabled). requires restart to take effect.
|
||||||
# ssl-service-key: "/etc/unbound/unbound_server.key"
|
# ssl-service-key: "/etc/unbound/unbound_server.key"
|
||||||
# ssl-service-pem: "/etc/unbound/unbound_server.pem"
|
# ssl-service-pem: "/etc/unbound/unbound_server.pem"
|
||||||
# ssl-port: 443
|
# ssl-port: 443
|
||||||
|
#
|
||||||
# request upstream over SSL (with plain DNS inside the SSL stream).
|
# request upstream over SSL (with plain DNS inside the SSL stream).
|
||||||
# Default is no. Can be turned on and off with unbound-control.
|
# Default is no. Can be turned on and off with unbound-control.
|
||||||
# ssl-upstream: no
|
# ssl-upstream: no
|
||||||
@ -633,7 +675,7 @@ server:
|
|||||||
# ratelimit-for-domain: example.com 1000
|
# ratelimit-for-domain: example.com 1000
|
||||||
# override the ratelimits for all domains below a domain name
|
# override the ratelimits for all domains below a domain name
|
||||||
# can give this multiple times, the name closest to the zone is used.
|
# can give this multiple times, the name closest to the zone is used.
|
||||||
# ratelimit-below-domain: example 1000
|
# ratelimit-below-domain: com 1000
|
||||||
|
|
||||||
# Python config section. To enable:
|
# Python config section. To enable:
|
||||||
# o use --with-pythonmodule to configure before compiling.
|
# o use --with-pythonmodule to configure before compiling.
|
||||||
@ -675,7 +717,6 @@ remote-control:
|
|||||||
control-cert-file: "/etc/unbound/unbound_control.pem"
|
control-cert-file: "/etc/unbound/unbound_control.pem"
|
||||||
|
|
||||||
# Stub and Forward zones
|
# Stub and Forward zones
|
||||||
|
|
||||||
include: /etc/unbound/conf.d/*.conf
|
include: /etc/unbound/conf.d/*.conf
|
||||||
|
|
||||||
# Stub zones.
|
# Stub zones.
|
||||||
@ -694,6 +735,7 @@ include: /etc/unbound/conf.d/*.conf
|
|||||||
# stub-zone:
|
# stub-zone:
|
||||||
# name: "example.org"
|
# name: "example.org"
|
||||||
# stub-host: ns.example.com.
|
# stub-host: ns.example.com.
|
||||||
|
|
||||||
# You can now also dynamically create and delete stub-zone's using
|
# You can now also dynamically create and delete stub-zone's using
|
||||||
# unbound-control stub_add domain.com 1.2.3.4 5.6.7.8
|
# unbound-control stub_add domain.com 1.2.3.4 5.6.7.8
|
||||||
# unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8
|
# unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8
|
||||||
|
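Review bot: The hunk at `@ -410,11 +449,6 @` appears to drop the commented description of `auto-trust-anchor-file` (the RFC5011 text and the `# auto-trust-anchor-file: ""` example). The comments kept on either side of it still say "use auto-trust-anchor-file please", and the live setting `auto-trust-anchor-file: "/var/lib/unbound/root.key"` remains in the following hunk. Unless that description now sits in a part of the file outside the visible hunks, the option that anchors DNSSEC validation is left unexplained in the shipped config. I would keep a short comment directly above the live setting, for example `# Root trust anchor, kept up to date using RFC5011 probes; unbound stores metadata in this file.`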
19
unbound.spec
19
unbound.spec
@ -20,8 +20,8 @@
|
|||||||
|
|
||||||
Summary: Validating, recursive, and caching DNS(SEC) resolver
|
Summary: Validating, recursive, and caching DNS(SEC) resolver
|
||||||
Name: unbound
|
Name: unbound
|
||||||
Version: 1.5.9
|
Version: 1.5.10
|
||||||
Release: 4%{?extra_version:.%{extra_version}}%{?dist}
|
Release: 1%{?extra_version:.%{extra_version}}%{?dist}
|
||||||
License: BSD
|
License: BSD
|
||||||
Url: http://www.nlnetlabs.nl/unbound/
|
Url: http://www.nlnetlabs.nl/unbound/
|
||||||
Source: http://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
|
Source: http://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
|
||||||
@ -44,11 +44,10 @@ Source15: unbound-anchor.timer
|
|||||||
Source16: unbound-munin.README
|
Source16: unbound-munin.README
|
||||||
Source17: unbound-anchor.service
|
Source17: unbound-anchor.service
|
||||||
|
|
||||||
Patch1: unbound-1.5.9-iterator.patch
|
|
||||||
|
|
||||||
Group: System Environment/Daemons
|
Group: System Environment/Daemons
|
||||||
BuildRequires: flex, openssl-devel
|
BuildRequires: flex, openssl-devel
|
||||||
BuildRequires: libevent-devel expat-devel
|
BuildRequires: libevent-devel expat-devel
|
||||||
|
BuildRequires: pkgconfig
|
||||||
%if 0%{with_python}
|
%if 0%{with_python}
|
||||||
BuildRequires: python2-devel swig
|
BuildRequires: python2-devel swig
|
||||||
%endif # with_python
|
%endif # with_python
|
||||||
@ -93,6 +92,7 @@ Plugin for the munin / munin-node monitoring package
|
|||||||
Summary: Development package that includes the unbound header files
|
Summary: Development package that includes the unbound header files
|
||||||
Group: Development/Libraries
|
Group: Development/Libraries
|
||||||
Requires: %{name}-libs%{?_isa} = %{version}-%{release}, openssl-devel
|
Requires: %{name}-libs%{?_isa} = %{version}-%{release}, openssl-devel
|
||||||
|
Requires: pkgconfig
|
||||||
|
|
||||||
%description devel
|
%description devel
|
||||||
The devel package contains the unbound library and the include files
|
The devel package contains the unbound library and the include files
|
||||||
@ -137,7 +137,6 @@ Python 3 modules and extensions for unbound
|
|||||||
%prep
|
%prep
|
||||||
%{?extra_version:%global pkgname %{name}-%{version}%{extra_version}}%{!?extra_version:%global pkgname %{name}-%{version}}
|
%{?extra_version:%global pkgname %{name}-%{version}%{extra_version}}%{!?extra_version:%global pkgname %{name}-%{version}}
|
||||||
%setup -qcn %{pkgname}
|
%setup -qcn %{pkgname}
|
||||||
%patch1 -p0
|
|
||||||
|
|
||||||
%if 0%{with_python}
|
%if 0%{with_python}
|
||||||
mv %{pkgname} %{pkgname}_python2
|
mv %{pkgname} %{pkgname}_python2
|
||||||
@ -245,6 +244,8 @@ pushd %{pkgname}_python2
|
|||||||
# install streamtcp man page
|
# install streamtcp man page
|
||||||
install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
|
install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
|
||||||
|
|
||||||
|
install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc
|
||||||
|
|
||||||
%if 0%{with_python}
|
%if 0%{with_python}
|
||||||
popd
|
popd
|
||||||
%endif # with_python
|
%endif # with_python
|
||||||
@ -261,6 +262,7 @@ install -m 0644 %{SOURCE13} %{buildroot}%{_sharedstatedir}/unbound/root.key
|
|||||||
# remove static library from install (fedora packaging guidelines)
|
# remove static library from install (fedora packaging guidelines)
|
||||||
rm %{buildroot}%{_libdir}/*.la
|
rm %{buildroot}%{_libdir}/*.la
|
||||||
|
|
||||||
|
|
||||||
%if 0%{with_python}
|
%if 0%{with_python}
|
||||||
rm %{buildroot}%{python2_sitearch}/*.la
|
rm %{buildroot}%{python2_sitearch}/*.la
|
||||||
%endif # with_python
|
%endif # with_python
|
||||||
@ -333,7 +335,6 @@ fi
|
|||||||
/bin/systemctl try-restart unbound.service >/dev/null 2>&1 || :
|
/bin/systemctl try-restart unbound.service >/dev/null 2>&1 || :
|
||||||
/bin/systemctl try-restart unbound-keygen.service >/dev/null 2>&1 || :
|
/bin/systemctl try-restart unbound-keygen.service >/dev/null 2>&1 || :
|
||||||
|
|
||||||
|
|
||||||
%check
|
%check
|
||||||
%if 0%{with_python}
|
%if 0%{with_python}
|
||||||
pushd %{pkgname}_python2
|
pushd %{pkgname}_python2
|
||||||
@ -411,6 +412,7 @@ popd
|
|||||||
%{_libdir}/libunbound.so
|
%{_libdir}/libunbound.so
|
||||||
%{_includedir}/unbound.h
|
%{_includedir}/unbound.h
|
||||||
%{_mandir}/man3/*
|
%{_mandir}/man3/*
|
||||||
|
%{_libdir}/pkgconfig/*.pc
|
||||||
|
|
||||||
%files libs
|
%files libs
|
||||||
%doc doc/README
|
%doc doc/README
|
||||||
@ -430,6 +432,11 @@ popd
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Sep 27 2016 Paul Wouters <pwouters@redhat.com> - 1.5.10-1
|
||||||
|
- Updated to 1.5.10 (better TCP handling, bugfixes)
|
||||||
|
- Install pkgconfig file in -devel package
|
||||||
|
- Updated unbound.conf
|
||||||
|
|
||||||
* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.5.9-4
|
* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.5.9-4
|
||||||
- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
|
- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
|
||||||
|
|
||||||
|
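Review bot: `Patch1: unbound-1.5.9-iterator.patch` and its `%patch1 -p0` are removed in the `@ -44,11 +44,10 @` and `@ -137,7 +137,6 @` hunks, but the new changelog entry does not mention it. A reader cannot tell whether the iterator fix is carried by 1.5.10 or was lost in the rebase. If the fix is part of the 1.5.10 tarball, I would record that with a line such as `- Drop unbound-1.5.9-iterator.patch (included in 1.5.10)`; if it is not, the patch needs rebasing rather than dropping. Separately, `%{_libdir}/pkgconfig/*.pc` in the devel file list could name `libunbound.pc` explicitly, since that is the only file the new `install -D` line places there.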