Update to 1.15.0

https://nlnetlabs.nl/projects/unbound/download/#unbound-1-15-0

- Fix #596: unset the RA bit when a query is blocked by an unbound RPZ nxdomain reply.
  The option rpz-signal-nxdomain-ra allows to signal that a domain is externally
  blocked to clients when it is blocked with NXDOMAIN by unsetting RA.
- Add rpz: for-downstream: yesno option, where the RPZ zone is authoritatively answered
  for, so the RPZ zone contents can be checked with DNS queries directed at the RPZ zone.
- Merge PR #616: Update ratelimit logic. It also introduces ratelimit-backoff and
  ip-ratelimit-backoff configuration options.
- Change aggressive-nsec default to yes.

(cherry picked from commit 84e89add4a)

Resolves: rhbz#2087120

.gitignore

@@ -67,3 +67,5 @@ unbound-1.4.5.tar.gz
 /unbound-1.13.1.tar.gz.asc
 /unbound-1.13.2.tar.gz
 /unbound-1.13.2.tar.gz.asc
+/unbound-1.15.0.tar.gz
+/unbound-1.15.0.tar.gz.asc

sources

@@ -1,2 +1,2 @@
-SHA512 (unbound-1.13.2.tar.gz) = 1e89441446e7a25c6a49bded645f8b348c1758c3be54e3a986041cb1f00c45d152fd469dc52666fb820574db9d51b16f1627dc8afcb9519508d4833ca358191a
-SHA512 (unbound-1.13.2.tar.gz.asc) = b905f5f981361131e7a8d3403df632603304778bd7d4fffba8d113c4246d8133f26903a5af53d21b979b652cbae8f6e92620d3a262d8b2837ab8c2a5712650ee
+SHA512 (unbound-1.15.0.tar.gz) = c5dab305694c14f64e05080700bb52f6e6bf5b76f15e1fde34e35c932cb3ffed0de2c03b570cf4bfe18165cb10e82e67ee9b12c6583295380f88c2c03800cc1f
+SHA512 (unbound-1.15.0.tar.gz.asc) = 123818a855689ee3d402fd8f4b5a4646c08d5602e4544ce872d132c4c0de4a79c9efcc2d49324bf58ab06521f02deef795d89bdf632eee758e6ec36b408ea54a

unbound-1.13.1-rh1977400.patch

@@ -1,12 +0,0 @@
-diff --git a/util/net_help.c b/util/net_help.c
-index 3b5527a..42a7666 100644
---- a/util/net_help.c
-+++ b/util/net_help.c
-@@ -1172,6 +1172,7 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem, int wincert)
- 	if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
- 		SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) {
- 		log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION");
-+		SSL_CTX_free(ctx);
- 		return 0;
- 	}
- #endif

unbound-1.13.1-rh1977401.patch

@@ -1,19 +0,0 @@
-diff --git a/dns64/dns64.c b/dns64/dns64.c
-index c79bc9c..fddbc62 100644
---- a/dns64/dns64.c
-+++ b/dns64/dns64.c
-@@ -685,8 +685,12 @@ dns64_operate(struct module_qstate* qstate, enum module_ev event, int id,
- 	switch(event) {
- 		case module_event_new:
- 			/* Tag this query as being new and fall through. */
--			iq = (struct dns64_qstate*)regional_alloc(
--				qstate->region, sizeof(*iq));
-+			if (!(iq = (struct dns64_qstate*)regional_alloc(
-+							qstate->region, sizeof(*iq)))) {
-+				log_err("out of memory");
-+				qstate->ext_state[id] = module_error;
-+				return;
-+			}
- 			qstate->minfo[id] = iq;
- 			iq->state = DNS64_NEW_QUERY;
- 			iq->started_no_cache_store = qstate->no_cache_store;

unbound.spec

@@ -29,7 +29,7 @@
 
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.13.2
+Version: 1.15.0
 Release: 1%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://nlnetlabs.nl/projects/unbound/
@@ -53,9 +53,6 @@ Source17: unbound-anchor.service
 Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
 Source19: http://keys.gnupg.net/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
 
-Patch3: unbound-1.13.1-rh1977400.patch
-Patch4: unbound-1.13.1-rh1977401.patch
-
 BuildRequires: gcc, make
 BuildRequires: flex, openssl-devel
 BuildRequires: libevent-devel expat-devel
@@ -447,6 +444,9 @@ popd
 %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
 
 %changelog
+* Mon May 02 2022 Petr Menšík <pemensik@redhat.com> - 1.15.0-1
+- Update to 1.15.0 (#2030608)
+
 * Mon May 02 2022 Paul Wouters <paul.wouters@aiven.io> - 1.13.2-1
 - Resolves: rhbz#1992985 unbound-1.13.2 is available
 - Use system-wide crypto policies