pull in new options of upstream unbound.conf and enable EDE (RFC8914)

This commit is contained in:
Paul Wouters 2022-08-09 11:06:18 -04:00
parent 7722f4b9bb
commit cb937b3e49
No known key found for this signature in database
GPG Key ID: DB48D2E5122468BF
2 changed files with 45 additions and 9 deletions


@ -185,6 +185,10 @@ server:
# perform connect for UDP sockets to mitigate ICMP side channel. # perform connect for UDP sockets to mitigate ICMP side channel.
# udp-connect: yes # udp-connect: yes
# The number of retries, per upstream nameserver in a delegation, when
# a throwaway response (also timeouts) is received.
# outbound-msg-retry: 5
# msec for waiting for an unknown server to reply. Increase if you # msec for waiting for an unknown server to reply. Increase if you
# are behind a slow satellite link, to eg. 1128. # are behind a slow satellite link, to eg. 1128.
# unknown-server-time-limit: 376 # unknown-server-time-limit: 376
@ -216,6 +220,9 @@ server:
# minimum wait time for responses, increase if uplink is long. In msec. # minimum wait time for responses, increase if uplink is long. In msec.
# infra-cache-min-rtt: 50 # infra-cache-min-rtt: 50
# maximum wait time for responses. In msec.
# infra-cache-max-rtt: 120000
# enable to make server probe down hosts more frequently. # enable to make server probe down hosts more frequently.
# infra-keep-probing: no # infra-keep-probing: no
@ -393,9 +400,6 @@ server:
# enable to not answer version.server and version.bind queries. # enable to not answer version.server and version.bind queries.
# hide-version: no # hide-version: no
# enable to not set the User-Agent HTTP header.
# hide-http-user-agent: no
# enable to not answer trustanchor.unbound queries. # enable to not answer trustanchor.unbound queries.
# hide-trustanchor: no # hide-trustanchor: no
@ -697,6 +701,7 @@ server:
# local-zone: "localhost." nodefault # local-zone: "localhost." nodefault
# local-zone: "127.in-addr.arpa." nodefault # local-zone: "127.in-addr.arpa." nodefault
# local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
# local-zone: "home.arpa." nodefault
# local-zone: "onion." nodefault # local-zone: "onion." nodefault
# local-zone: "test." nodefault # local-zone: "test." nodefault
# local-zone: "invalid." nodefault # local-zone: "invalid." nodefault
@ -844,6 +849,8 @@ server:
# Add system certs to the cert bundle, from the Windows Cert Store # Add system certs to the cert bundle, from the Windows Cert Store
# tls-win-cert: no # tls-win-cert: no
# and on other systems, the default openssl certificates
# tls-system-cert: no
# Pad queries over TLS upstreams # Pad queries over TLS upstreams
# pad-queries: yes # pad-queries: yes
@ -893,6 +900,10 @@ server:
# 0 blocks when ratelimited, otherwise let 1/xth traffic through # 0 blocks when ratelimited, otherwise let 1/xth traffic through
# ratelimit-factor: 10 # ratelimit-factor: 10
# Aggressive rate limit when the limit is reached and until demand has
# decreased in a 2 second rate window.
# ratelimit-backoff: no
# override the ratelimit for a specific domain name. # override the ratelimit for a specific domain name.
# give this setting multiple times to have multiple overrides. # give this setting multiple times to have multiple overrides.
# ratelimit-for-domain: example.com 1000 # ratelimit-for-domain: example.com 1000
@ -913,6 +924,10 @@ server:
# 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through # 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through
# ip-ratelimit-factor: 10 # ip-ratelimit-factor: 10
# Aggressive rate limit when the limit is reached and until demand has
# decreased in a 2 second rate window.
# ip-ratelimit-backoff: no
# Limit the number of connections simultaneous from a netblock # Limit the number of connections simultaneous from a netblock
# tcp-connection-limit: 192.0.2.0/24 12 # tcp-connection-limit: 192.0.2.0/24 12
@ -922,6 +937,14 @@ server:
# the number of servers that will be used in the fast server selection. # the number of servers that will be used in the fast server selection.
# fast-server-num: 3 # fast-server-num: 3
# Enable to attach Extended DNS Error codes (RFC8914) to responses.
ede: yes
# Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale
# Answer as EDNS0 option to expired responses.
# Note that the ede option above needs to be enabled for this to work.
ede-serve-expired: yes
# Specific options for ipsecmod. Unbound needs to be configured with # Specific options for ipsecmod. Unbound needs to be configured with
# --enable-ipsecmod for these to take effect. # --enable-ipsecmod for these to take effect.
# #
@ -1033,6 +1056,7 @@ include: /etc/unbound/conf.d/*.conf
# stub-addr: 192.0.2.68 # stub-addr: 192.0.2.68
# stub-prime: no # stub-prime: no
# stub-first: no # stub-first: no
# stub-tcp-upstream: no
# stub-tls-upstream: no # stub-tls-upstream: no
# stub-no-cache: no # stub-no-cache: no
# stub-zone: # stub-zone:
@ -1054,6 +1078,7 @@ include: /etc/unbound/conf.d/*.conf
# forward-addr: 192.0.2.68 # forward-addr: 192.0.2.68
# forward-addr: 192.0.2.73@5355 # forward to port 5355. # forward-addr: 192.0.2.73@5355 # forward to port 5355.
# forward-first: no # forward-first: no
# forward-tcp-upstream: no
# forward-tls-upstream: no # forward-tls-upstream: no
# forward-no-cache: no # forward-no-cache: no
# forward-zone: # forward-zone:
@ -1124,6 +1149,7 @@ auth-zone:
# another crypto library # another crypto library
# #
# DNSCrypt # DNSCrypt
# o enable, use --enable-dnscrypt to configure before compiling.
# Caveats: # Caveats:
# 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper # 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper
# for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage # for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
@ -1144,7 +1170,9 @@ auth-zone:
# dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert # dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert
# CacheDB # CacheDB
# Enable external backend DB as auxiliary cache. Specify the backend name # External backend DB as auxiliary cache.
# To enable, use --enable-cachedb to configure before compiling.
# Specify the backend name
# (default is "testframe", which has no use other than for debugging and # (default is "testframe", which has no use other than for debugging and
# testing) and backend-specific options. The 'cachedb' module must be # testing) and backend-specific options. The 'cachedb' module must be
# included in module-config, just before the iterator module. # included in module-config, just before the iterator module.
@ -1154,6 +1182,7 @@ auth-zone:
# secret-seed: "default" # secret-seed: "default"
# #
# # For "redis" backend: # # For "redis" backend:
# # (to enable, use --with-libhiredis to configure before compiling)
# # redis server's IP address or host name # # redis server's IP address or host name
# redis-server-host: 127.0.0.1 # redis-server-host: 127.0.0.1
# # redis server's TCP port # # redis server's TCP port
@ -1165,7 +1194,9 @@ auth-zone:
# IPSet # IPSet
# Add specify domain into set via ipset. # Add specify domain into set via ipset.
# Note: To enable ipset Unbound needs to run as root user. # To enable:
# o use --enable-ipset to configure before compiling;
# o Unbound then needs to run as root user.
# ipset: # ipset:
# # set name for ip v4 addresses # # set name for ip v4 addresses
# name-v4: "list-v4" # name-v4: "list-v4"
@ -1173,9 +1204,10 @@ auth-zone:
# name-v6: "list-v6" # name-v6: "list-v6"
# #
# Dnstap logging support, if compiled in. To enable, set the dnstap-enable # Dnstap logging support, if compiled in by using --enable-dnstap to configure.
# to yes and also some of dnstap-log-..-messages to yes. And select an # To enable, set the dnstap-enable to yes and also some of
# upstream log destination, by socket path, TCP or TLS destination. # dnstap-log-..-messages to yes. And select an upstream log destination, by
# socket path, TCP or TLS destination.
# dnstap: # dnstap:
# dnstap-enable: no # dnstap-enable: no
# # if set to yes frame streams will be used in bidirectional mode # # if set to yes frame streams will be used in bidirectional mode
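Review bot: `ede-serve-expired: yes` in the new EDE block only does something when `serve-expired` is also enabled, which is not shown in this section and is, as far as I recall, off by default upstream; the added comment says only that `ede` must be on. I would extend that comment with `# Only has an effect when serve-expired is also enabled.` so a reader does not assume stale answers are now being marked. These two lines are also the only uncommented settings in the block, i.e. a distribution default that deliberately differs from the upstream sample file, which deserves a line such as `# Fedora default: enabled (upstream ships this as no).` EDE codes are EDNS options returned to every permitted client, including the reason for a DNSSEC validation failure on SERVFAIL; that is what RFC 8914 intends, but a short comment saying this disclosure is deliberate would help whoever audits the resolver later. Separately, the DNSCrypt comment added in this file reads `# o enable, use --enable-dnscrypt` and should be `# To enable, use --enable-dnscrypt`.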


@ -30,7 +30,7 @@
Summary: Validating, recursive, and caching DNS(SEC) resolver Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound Name: unbound
Version: 1.16.2 Version: 1.16.2
Release: 2%{?extra_version:.%{extra_version}}%{?dist} Release: 3%{?extra_version:.%{extra_version}}%{?dist}
License: BSD License: BSD
Url: https://nlnetlabs.nl/projects/unbound/ Url: https://nlnetlabs.nl/projects/unbound/
Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
@ -471,6 +471,10 @@ popd
%{_mandir}/man1/unbound-* %{_mandir}/man1/unbound-*
%changelog %changelog
* Tue Aug 09 2022 Paul Wouters <pwouters@redhat.com> - 1.16.2-3
- sync up to upstream unbound.conf
- Enable Extended DNS Error codes (RFC8914)
* Tue Aug 09 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-2 * Tue Aug 09 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-2
- Require openssl tool for unbound-keygen (#2116790) - Require openssl tool for unbound-keygen (#2116790)