From cb937b3e49b030dd835362643c60f5188be63d48 Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Tue, 9 Aug 2022 11:06:18 -0400 Subject: [PATCH] pull in new options of upstream unbound.conf and enable EDE (RFC8914) --- unbound.conf | 48 ++++++++++++++++++++++++++++++++++++++++-------- unbound.spec | 6 +++++- 2 files changed, 45 insertions(+), 9 deletions(-) diff --git a/unbound.conf b/unbound.conf index 977d39f..2d7d6a7 100644 --- a/unbound.conf +++ b/unbound.conf @@ -185,6 +185,10 @@ server: # perform connect for UDP sockets to mitigate ICMP side channel. # udp-connect: yes + # The number of retries, per upstream nameserver in a delegation, when + # a throwaway response (also timeouts) is received. + # outbound-msg-retry: 5 + # msec for waiting for an unknown server to reply. Increase if you # are behind a slow satellite link, to eg. 1128. # unknown-server-time-limit: 376 @@ -216,6 +220,9 @@ server: # minimum wait time for responses, increase if uplink is long. In msec. # infra-cache-min-rtt: 50 + # maximum wait time for responses. In msec. + # infra-cache-max-rtt: 120000 + # enable to make server probe down hosts more frequently. # infra-keep-probing: no @@ -393,9 +400,6 @@ server: # enable to not answer version.server and version.bind queries. # hide-version: no - # enable to not set the User-Agent HTTP header. - # hide-http-user-agent: no - # enable to not answer trustanchor.unbound queries. # hide-trustanchor: no @@ -697,6 +701,7 @@ server: # local-zone: "localhost." nodefault # local-zone: "127.in-addr.arpa." nodefault # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault + # local-zone: "home.arpa." nodefault # local-zone: "onion." nodefault # local-zone: "test." nodefault # local-zone: "invalid." nodefault @@ -844,6 +849,8 @@ server: # Add system certs to the cert bundle, from the Windows Cert Store # tls-win-cert: no + # and on other systems, the default openssl certificates + # tls-system-cert: no # Pad queries over TLS upstreams # pad-queries: yes @@ -893,6 +900,10 @@ server: # 0 blocks when ratelimited, otherwise let 1/xth traffic through # ratelimit-factor: 10 + # Aggressive rate limit when the limit is reached and until demand has + # decreased in a 2 second rate window. + # ratelimit-backoff: no + # override the ratelimit for a specific domain name. # give this setting multiple times to have multiple overrides. # ratelimit-for-domain: example.com 1000 @@ -913,6 +924,10 @@ server: # 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through # ip-ratelimit-factor: 10 + # Aggressive rate limit when the limit is reached and until demand has + # decreased in a 2 second rate window. + # ip-ratelimit-backoff: no + # Limit the number of connections simultaneous from a netblock # tcp-connection-limit: 192.0.2.0/24 12 @@ -922,6 +937,14 @@ server: # the number of servers that will be used in the fast server selection. # fast-server-num: 3 + # Enable to attach Extended DNS Error codes (RFC8914) to responses. + ede: yes + + # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale + # Answer as EDNS0 option to expired responses. + # Note that the ede option above needs to be enabled for this to work. + ede-serve-expired: yes + # Specific options for ipsecmod. Unbound needs to be configured with # --enable-ipsecmod for these to take effect. # @@ -1033,6 +1056,7 @@ include: /etc/unbound/conf.d/*.conf # stub-addr: 192.0.2.68 # stub-prime: no # stub-first: no +# stub-tcp-upstream: no # stub-tls-upstream: no # stub-no-cache: no # stub-zone: @@ -1054,6 +1078,7 @@ include: /etc/unbound/conf.d/*.conf # forward-addr: 192.0.2.68 # forward-addr: 192.0.2.73@5355 # forward to port 5355. # forward-first: no +# forward-tcp-upstream: no # forward-tls-upstream: no # forward-no-cache: no # forward-zone: @@ -1124,6 +1149,7 @@ auth-zone: # another crypto library # # DNSCrypt +# o enable, use --enable-dnscrypt to configure before compiling. # Caveats: # 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper # for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage @@ -1144,7 +1170,9 @@ auth-zone: # dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert # CacheDB -# Enable external backend DB as auxiliary cache. Specify the backend name +# External backend DB as auxiliary cache. +# To enable, use --enable-cachedb to configure before compiling. +# Specify the backend name # (default is "testframe", which has no use other than for debugging and # testing) and backend-specific options. The 'cachedb' module must be # included in module-config, just before the iterator module. @@ -1154,6 +1182,7 @@ auth-zone: # secret-seed: "default" # # # For "redis" backend: +# # (to enable, use --with-libhiredis to configure before compiling) # # redis server's IP address or host name # redis-server-host: 127.0.0.1 # # redis server's TCP port @@ -1165,7 +1194,9 @@ auth-zone: # IPSet # Add specify domain into set via ipset. -# Note: To enable ipset Unbound needs to run as root user. +# To enable: +# o use --enable-ipset to configure before compiling; +# o Unbound then needs to run as root user. # ipset: # # set name for ip v4 addresses # name-v4: "list-v4" @@ -1173,9 +1204,10 @@ auth-zone: # name-v6: "list-v6" # -# Dnstap logging support, if compiled in. To enable, set the dnstap-enable -# to yes and also some of dnstap-log-..-messages to yes. And select an -# upstream log destination, by socket path, TCP or TLS destination. +# Dnstap logging support, if compiled in by using --enable-dnstap to configure. +# To enable, set the dnstap-enable to yes and also some of +# dnstap-log-..-messages to yes. And select an upstream log destination, by +# socket path, TCP or TLS destination. # dnstap: # dnstap-enable: no # # if set to yes frame streams will be used in bidirectional mode diff --git a/unbound.spec b/unbound.spec index 5154212..69f962f 100644 --- a/unbound.spec +++ b/unbound.spec @@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.16.2 -Release: 2%{?extra_version:.%{extra_version}}%{?dist} +Release: 3%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -471,6 +471,10 @@ popd %{_mandir}/man1/unbound-* %changelog +* Tue Aug 09 2022 Paul Wouters - 1.16.2-3 +- sync up to upstream unbound.conf +- Enable Extended DNS Error codes (RFC8914) + * Tue Aug 09 2022 Petr Menšík - 1.16.2-2 - Require openssl tool for unbound-keygen (#2116790)