* Tue Sep 27 2016 Paul Wouters <pwouters@redhat.com> - 1.5.10-1

- Updated to 1.5.10 (better TCP handling, bugfixes)
- Install pkgconfig file in -devel package
- Updated unbound.conf
Paul Wouters 2016-09-27 19:26:26 -04:00
parent b2ddf2a810
commit be41633bf0
2 changed files with 68 additions and 19 deletions


@ -1,7 +1,7 @@
# #
# Example configuration file. # Example configuration file.
# #
# See unbound.conf(5) man page, version 1.5.8. # See unbound.conf(5) man page, version 1.5.10.
# #
# this is a comment. # this is a comment.
@ -69,6 +69,15 @@ server:
# outgoing-interface: 2001:DB8::5 # outgoing-interface: 2001:DB8::5
# outgoing-interface: 2001:DB8::6 # outgoing-interface: 2001:DB8::6
# Specify a netblock to use remainder 64 bits as random bits for
# upstream queries. Uses freebind option (Linux).
# outgoing-interface: 2001:DB8::/64
# Also (Linux:) ip -6 addr add 2001:db8::/64 dev lo
# And: ip -6 route add local 2001:db8::/64 dev lo
# And set prefer-ip6: yes to use the ip6 randomness from a netblock.
# Set this to yes to prefer ipv6 upstream servers over ipv4.
# prefer-ip6: no
# number of ports to allocate per thread, determines the size of the # number of ports to allocate per thread, determines the size of the
# port range that can be open simultaneously. About double the # port range that can be open simultaneously. About double the
# num-queries-per-thread, or, use as many as the OS will allow you. # num-queries-per-thread, or, use as many as the OS will allow you.
@ -84,6 +93,8 @@ server:
# Use this to make sure unbound does not grab a UDP port that some # Use this to make sure unbound does not grab a UDP port that some
# other server on this computer needs. The default is to avoid # other server on this computer needs. The default is to avoid
# IANA-assigned port numbers. # IANA-assigned port numbers.
# If multiple outgoing-port-permit and outgoing-port-avoid options
# are present, they are processed in order.
# Our SElinux policy does not allow non-ephemeral ports to be used # Our SElinux policy does not allow non-ephemeral ports to be used
outgoing-port-avoid: 0-32767 outgoing-port-avoid: 0-32767
@ -109,6 +120,11 @@ server:
# (uses IP_BINDANY on FreeBSD). # (uses IP_BINDANY on FreeBSD).
ip-transparent: yes ip-transparent: yes
# use IP_FREEBIND so the interface: addresses can be non-local
# and you can bind to nonexisting IPs and interfaces that are down.
# Linux only. On Linux you also have ip-transparent that is similar.
# ip-freebind: no
# EDNS reassembly buffer to advertise to UDP peers (the actual buffer # EDNS reassembly buffer to advertise to UDP peers (the actual buffer
# is set with msg-buffer-size). 1480 can solve fragmentation (timeouts). # is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
# edns-buffer-size: 4096 # edns-buffer-size: 4096
@ -175,6 +191,10 @@ server:
# the maximum number of hosts that are cached (roundtrip, EDNS, lame). # the maximum number of hosts that are cached (roundtrip, EDNS, lame).
# infra-cache-numhosts: 10000 # infra-cache-numhosts: 10000
# define a number of tags here, use with local-zone, access-control.
# repeat the define-tag statement to add additional tags.
# define-tag: "tag1 tag2 tag3"
# Enable IPv4, "yes" or "no". # Enable IPv4, "yes" or "no".
# do-ip4: yes # do-ip4: yes
@ -217,6 +237,20 @@ server:
# access-control: ::1 allow # access-control: ::1 allow
# access-control: ::ffff:127.0.0.1 allow # access-control: ::ffff:127.0.0.1 allow
# tag access-control with list of tags (in "" with spaces between)
# Clients using this access control element use localzones that
# are tagged with one of these tags.
# access-control-tag: 192.0.2.0/24 "tag2 tag3"
# set action for particular tag for given access control element
# if you have multiple tag values, the tag used to lookup the action
# is the first tag match between access-control-tag and local-zone-tag
# where "first" comes from the order of the define-tag values.
# access-control-tag-action: 192.0.2.0/24 tag3 refuse
# set redirect data for particular tag for access control element
# access-control-tag-data: 192.0.2.0/24 tag2 "A 127.0.0.1"
# if given, a chroot(2) is done to the given directory. # if given, a chroot(2) is done to the given directory.
# i.e. you can chroot to the working directory, for example, # i.e. you can chroot to the working directory, for example,
# for extra security, but make sure all files are in that directory. # for extra security, but make sure all files are in that directory.
@ -251,6 +285,8 @@ server:
# the working directory. The relative files in this config are # the working directory. The relative files in this config are
# relative to this directory. If you give "" the working directory # relative to this directory. If you give "" the working directory
# is not changed. # is not changed.
# If you give a server: directory: dir before include: file statements
# then those includes can be relative to the working directory.
directory: "/etc/unbound" directory: "/etc/unbound"
# the log file, "" means log to stderr. # the log file, "" means log to stderr.
@ -332,12 +368,12 @@ server:
# Use 0x20-encoded random bits in the query to foil spoof attempts. # Use 0x20-encoded random bits in the query to foil spoof attempts.
# This feature is an experimental implementation of draft dns-0x20. # This feature is an experimental implementation of draft dns-0x20.
# (enabling used to cause some failures, like on GoDaddy customer domains)
# use-caps-for-id: no # use-caps-for-id: no
# Domains (and domains in them) without support for dns-0x20 and # Domains (and domains in them) without support for dns-0x20 and
# the fallback fails because they keep sending different answers. # the fallback fails because they keep sending different answers.
# caps-whitelist: "licdn.com" # caps-whitelist: "licdn.com"
# caps-whitelist: "senderbase.org"
# Enforce privacy of these addresses. Strips them away from answers. # Enforce privacy of these addresses. Strips them away from answers.
# It may cause DNSSEC validation to additionally mark it as bogus. # It may cause DNSSEC validation to additionally mark it as bogus.
@ -385,6 +421,9 @@ server:
# into response messages when those sections are not required. # into response messages when those sections are not required.
minimal-responses: yes minimal-responses: yes
# true to disable DNSSEC lameness check in iterator.
# disable-dnssec-lame-check: no
# module configuration of the server. A string with identifiers # module configuration of the server. A string with identifiers
# separated by spaces. Syntax: "[dns64] [validator] iterator" # separated by spaces. Syntax: "[dns64] [validator] iterator"
# module-config: "validator iterator" # module-config: "validator iterator"
@ -410,11 +449,6 @@ server:
# Note this gets out of date, use auto-trust-anchor-file please. # Note this gets out of date, use auto-trust-anchor-file please.
# trust-anchor-file: "" # trust-anchor-file: ""
# File with trusted keys, kept uptodate using RFC5011 probes,
# initial file like trust-anchor-file, then it stores metadata.
# Use several entries, one per domain name, to track multiple zones.
# auto-trust-anchor-file: ""
# Trusted key for validation. DS or DNSKEY. specify the RR on a # Trusted key for validation. DS or DNSKEY. specify the RR on a
# single line, surrounded by "". TTL is ignored. class is IN default. # single line, surrounded by "". TTL is ignored. class is IN default.
# Note this gets out of date, use auto-trust-anchor-file please. # Note this gets out of date, use auto-trust-anchor-file please.
@ -429,7 +463,6 @@ server:
# you need external update procedures to track changes in keys. # you need external update procedures to track changes in keys.
# trusted-keys-file: "" # trusted-keys-file: ""
# #
# trusted-keys-file: /etc/unbound/rootkey.bind
trusted-keys-file: /etc/unbound/keys.d/*.key trusted-keys-file: /etc/unbound/keys.d/*.key
auto-trust-anchor-file: "/var/lib/unbound/root.key" auto-trust-anchor-file: "/var/lib/unbound/root.key"
@ -490,7 +523,8 @@ server:
# If the value 0 is given, missing anchors are not removed. # If the value 0 is given, missing anchors are not removed.
# keep-missing: 31622400 # 366 days # keep-missing: 31622400 # 366 days
# debug option that allows very small holddown times for key rollover # debug option that allows very small holddown times for key rollover,
# otherwise the RFC mandates probe intervals must be at least 1 hour.
# permit-small-holddown: no # permit-small-holddown: no
# the amount of memory to use for the key cache. # the amount of memory to use for the key cache.
@ -549,7 +583,7 @@ server:
# local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
# And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa. # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
# if unbound is running service for the local host then it is useful # If unbound is running service for the local host then it is useful
# to perform lan-wide lookups to the upstream, and unblock the # to perform lan-wide lookups to the upstream, and unblock the
# long list of local-zones above. If this unbound is a dns server # long list of local-zones above. If this unbound is a dns server
# for a network of computers, disabled is better and stops information # for a network of computers, disabled is better and stops information
@ -572,6 +606,8 @@ server:
# o typetransparent resolves normally for other types and other names # o typetransparent resolves normally for other types and other names
# o inform resolves normally, but logs client IP address # o inform resolves normally, but logs client IP address
# o inform_deny drops queries and logs client IP address # o inform_deny drops queries and logs client IP address
# o always_transparent, always_refuse, always_nxdomain, resolve in
# that way but ignore local data for that name.
# #
# defaults are localhost address, reverse for 127.0.0.1 and ::1 # defaults are localhost address, reverse for 127.0.0.1 and ::1
# and nxdomain for AS112 zones. If you configure one of these zones # and nxdomain for AS112 zones. If you configure one of these zones
@ -600,13 +636,19 @@ server:
include: /etc/unbound/local.d/*.conf include: /etc/unbound/local.d/*.conf
# tag a localzone with a list of tag names (in "" with spaces between)
# local-zone-tag: "example.com" "tag2 tag3"
# add a netblock specific override to a localzone, with zone type
# local-zone-override: "example.com" 192.0.2.0/24 refuse
# service clients over SSL (on the TCP sockets), with plain DNS inside # service clients over SSL (on the TCP sockets), with plain DNS inside
# the SSL stream. Give the certificate to use and private key. # the SSL stream. Give the certificate to use and private key.
# default is "" (disabled). requires restart to take effect. # default is "" (disabled). requires restart to take effect.
# ssl-service-key: "/etc/unbound/unbound_server.key" # ssl-service-key: "/etc/unbound/unbound_server.key"
# ssl-service-pem: "/etc/unbound/unbound_server.pem" # ssl-service-pem: "/etc/unbound/unbound_server.pem"
# ssl-port: 443 # ssl-port: 443
#
# request upstream over SSL (with plain DNS inside the SSL stream). # request upstream over SSL (with plain DNS inside the SSL stream).
# Default is no. Can be turned on and off with unbound-control. # Default is no. Can be turned on and off with unbound-control.
# ssl-upstream: no # ssl-upstream: no
@ -633,7 +675,7 @@ server:
# ratelimit-for-domain: example.com 1000 # ratelimit-for-domain: example.com 1000
# override the ratelimits for all domains below a domain name # override the ratelimits for all domains below a domain name
# can give this multiple times, the name closest to the zone is used. # can give this multiple times, the name closest to the zone is used.
# ratelimit-below-domain: example 1000 # ratelimit-below-domain: com 1000
# Python config section. To enable: # Python config section. To enable:
# o use --with-pythonmodule to configure before compiling. # o use --with-pythonmodule to configure before compiling.
@ -675,7 +717,6 @@ remote-control:
control-cert-file: "/etc/unbound/unbound_control.pem" control-cert-file: "/etc/unbound/unbound_control.pem"
# Stub and Forward zones # Stub and Forward zones
include: /etc/unbound/conf.d/*.conf include: /etc/unbound/conf.d/*.conf
# Stub zones. # Stub zones.
@ -694,6 +735,7 @@ include: /etc/unbound/conf.d/*.conf
# stub-zone: # stub-zone:
# name: "example.org" # name: "example.org"
# stub-host: ns.example.com. # stub-host: ns.example.com.
# You can now also dynamically create and delete stub-zone's using # You can now also dynamically create and delete stub-zone's using
# unbound-control stub_add domain.com 1.2.3.4 5.6.7.8 # unbound-control stub_add domain.com 1.2.3.4 5.6.7.8
# unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8 # unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8
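Review bot: The hunk at `-410,11 +449,6` removes the comment block that explained `auto-trust-anchor-file`, yet the remaining `trust-anchor-file` and `trust-anchor` comments still say "use auto-trust-anchor-file please". The following hunk also keeps the active `auto-trust-anchor-file: "/var/lib/unbound/root.key"` line, which now has no explanation next to it. Because that setting is what keeps the DNSSEC root anchor current, I would put a short comment directly above the active line, for example `# Root trust anchor, kept up to date using RFC5011 probes; unbound stores its tracking metadata in this file.` Whether the removal was meant to mirror the upstream example file cannot be told from this page.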


@ -20,8 +20,8 @@
Summary: Validating, recursive, and caching DNS(SEC) resolver Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound Name: unbound
Version: 1.5.9 Version: 1.5.10
Release: 4%{?extra_version:.%{extra_version}}%{?dist} Release: 1%{?extra_version:.%{extra_version}}%{?dist}
License: BSD License: BSD
Url: http://www.nlnetlabs.nl/unbound/ Url: http://www.nlnetlabs.nl/unbound/
Source: http://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz Source: http://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
@ -44,11 +44,10 @@ Source15: unbound-anchor.timer
Source16: unbound-munin.README Source16: unbound-munin.README
Source17: unbound-anchor.service Source17: unbound-anchor.service
Patch1: unbound-1.5.9-iterator.patch
Group: System Environment/Daemons Group: System Environment/Daemons
BuildRequires: flex, openssl-devel BuildRequires: flex, openssl-devel
BuildRequires: libevent-devel expat-devel BuildRequires: libevent-devel expat-devel
BuildRequires: pkgconfig
%if 0%{with_python} %if 0%{with_python}
BuildRequires: python2-devel swig BuildRequires: python2-devel swig
%endif # with_python %endif # with_python
@ -93,6 +92,7 @@ Plugin for the munin / munin-node monitoring package
Summary: Development package that includes the unbound header files Summary: Development package that includes the unbound header files
Group: Development/Libraries Group: Development/Libraries
Requires: %{name}-libs%{?_isa} = %{version}-%{release}, openssl-devel Requires: %{name}-libs%{?_isa} = %{version}-%{release}, openssl-devel
Requires: pkgconfig
%description devel %description devel
The devel package contains the unbound library and the include files The devel package contains the unbound library and the include files
@ -137,7 +137,6 @@ Python 3 modules and extensions for unbound
%prep %prep
%{?extra_version:%global pkgname %{name}-%{version}%{extra_version}}%{!?extra_version:%global pkgname %{name}-%{version}} %{?extra_version:%global pkgname %{name}-%{version}%{extra_version}}%{!?extra_version:%global pkgname %{name}-%{version}}
%setup -qcn %{pkgname} %setup -qcn %{pkgname}
%patch1 -p0
%if 0%{with_python} %if 0%{with_python}
mv %{pkgname} %{pkgname}_python2 mv %{pkgname} %{pkgname}_python2
@ -245,6 +244,8 @@ pushd %{pkgname}_python2
# install streamtcp man page # install streamtcp man page
install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1 install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc
%if 0%{with_python} %if 0%{with_python}
popd popd
%endif # with_python %endif # with_python
@ -261,6 +262,7 @@ install -m 0644 %{SOURCE13} %{buildroot}%{_sharedstatedir}/unbound/root.key
# remove static library from install (fedora packaging guidelines) # remove static library from install (fedora packaging guidelines)
rm %{buildroot}%{_libdir}/*.la rm %{buildroot}%{_libdir}/*.la
%if 0%{with_python} %if 0%{with_python}
rm %{buildroot}%{python2_sitearch}/*.la rm %{buildroot}%{python2_sitearch}/*.la
%endif # with_python %endif # with_python
@ -333,7 +335,6 @@ fi
/bin/systemctl try-restart unbound.service >/dev/null 2>&1 || : /bin/systemctl try-restart unbound.service >/dev/null 2>&1 || :
/bin/systemctl try-restart unbound-keygen.service >/dev/null 2>&1 || : /bin/systemctl try-restart unbound-keygen.service >/dev/null 2>&1 || :
%check %check
%if 0%{with_python} %if 0%{with_python}
pushd %{pkgname}_python2 pushd %{pkgname}_python2
@ -411,6 +412,7 @@ popd
%{_libdir}/libunbound.so %{_libdir}/libunbound.so
%{_includedir}/unbound.h %{_includedir}/unbound.h
%{_mandir}/man3/* %{_mandir}/man3/*
%{_libdir}/pkgconfig/*.pc
%files libs %files libs
%doc doc/README %doc doc/README
@ -430,6 +432,11 @@ popd
%changelog %changelog
* Tue Sep 27 2016 Paul Wouters <pwouters@redhat.com> - 1.5.10-1
- Updated to 1.5.10 (better TCP handling, bugfixes)
- Install pkgconfig file in -devel package
- Updated unbound.conf
* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.5.9-4 * Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.5.9-4
- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
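Review bot: The `Source:` URL in the first hunk is still plain `http://`, and the bump to 1.5.10 makes the build depend on a newly fetched tarball, so nothing visible in the spec ties that tarball to what upstream published. Consider an `https://` URL if the download host offers one (to be confirmed) and a note on how the tarball was verified; a checksum in the dist-git `sources` file or a signature check may exist but is not shown on this page. Separately, the new changelog entry does not mention that `Patch1: unbound-1.5.9-iterator.patch` and `%patch1 -p0` were dropped. A line such as `- Drop iterator patch (presumably merged upstream, confirm)` would keep that traceable.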