import CS unbound-1.16.2-17.el9

2025-03-11 08:16:43 +00:00 · 2025-03-11 08:16:43 +00:00 · cbf7fe1da8
commit cbf7fe1da8
parent 98b69e4e61
10 changed files with 429 additions and 33 deletions
--- a/SOURCES/module-setup.sh
+++ b/SOURCES/module-setup.sh
@ -0,0 +1,44 @@
 #!/usr/bin/bash
 check() {
    require_binaries unbound unbound-checkconf unbound-control || return 1
    # the module will be only included if explicitly required either
    # by configuration or another module
    return 255
 }
 depends() {
    # because of pid file we need sysusers to create unbound user
    echo systemd systemd-sysusers
    return 0
 }
 install() {
    # We have to make unbound wanted by network-online target to make sure
    # there is a synchronization point when other services are able
    # to make queries
    inst_simple "$moddir"/unbound-initrd.conf /etc/systemd/system/unbound.service.d/unbound-initrd.conf
    # /etc and /var/lib do not have its variables
    inst_multiple -o \
    "$systemdsystemunitdir"/unbound.service \
    /etc/unbound/conf.d/remote-control.conf \
    /etc/unbound/openssl-sha1.conf \
    /usr/share/unbound/fedora-defaults.conf \
    /usr/share/unbound/conf.d/*.conf \
    /etc/unbound/local.d/*.conf \
    /etc/unbound/keys.d/*.key \
    /etc/unbound/unbound.conf \
    /etc/unbound/unbound_control.key \
    /etc/unbound/unbound_control.pem \
    /etc/unbound/unbound_server.key \
    /etc/unbound/unbound_server.pem \
    "$sysusers"/unbound.conf \
    "$tmpfilesdir"/unbound.conf \
    /var/lib/unbound/root.key \
    unbound \
    unbound-checkconf \
    unbound-control
    $SYSTEMCTL -q --root "$initdir" enable unbound.service
 }
--- a/SOURCES/tmpfiles-unbound.conf
+++ b/SOURCES/tmpfiles-unbound.conf
@ -1 +1 @@
-D /run/unbound 0755 unbound unbound -
+D /run/unbound 0775 unbound root -
--- a/SOURCES/unbound-1.16-control-t-flag.patch
+++ b/SOURCES/unbound-1.16-control-t-flag.patch
@ -0,0 +1,129 @@
 commit 6d1e61173bbf44dae458c361be63217f7e9e5599
 Author: W.C.A. Wijngaards <wouter@nlnetlabs.nl>
 Date:   Thu Mar 28 09:58:03 2024 +0100
    - Fix #1034: DoT forward-zone via unbound-control.
 diff --git a/unbound-1.16.2/daemon/remote.c b/unbound-1.16.2/daemon/remote.c
 index 5d79eafd..cbce1198 100644
 --- a/unbound-1.16.2/daemon/remote.c
 +++ b/unbound-1.16.2/daemon/remote.c
@@ -2097,7 +2097,7 @@ do_forward(RES* ssl, struct worker* worker, char* args)
 static int
 parse_fs_args(RES* ssl, char* args, uint8_t** nm, struct delegpt** dp,
 -	int* insecure, int* prime)
 +	int* insecure, int* prime, int* tls)
 {
 	char* zonename;
 	char* rest;
@@ -2112,6 +2112,8 @@ parse_fs_args(RES* ssl, char* args, uint8_t** nm, struct delegpt** dp,
 				*insecure = 1;
 			else if(*args == 'p' && prime)
 				*prime = 1;
 +			else if(*args == 't' && tls)
 +				*tls = 1;
 			else {
 				(void)ssl_printf(ssl, "error: unknown option %s\n", args);
 				return 0;
@@ -2144,11 +2146,13 @@ static void
 do_forward_add(RES* ssl, struct worker* worker, char* args)
 {
 	struct iter_forwards* fwd = worker->env.fwds;
 -	int insecure = 0;
 +	int insecure = 0, tls = 0;
 	uint8_t* nm = NULL;
 	struct delegpt* dp = NULL;
 -	if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, NULL))
 +	if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, NULL, &tls))
 		return;
 +	if(tls)
 +		dp->ssl_upstream = 1;
 	if(insecure && worker->env.anchors) {
 		if(!anchors_add_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
 			nm)) {
@@ -2174,7 +2178,7 @@ do_forward_remove(RES* ssl, struct worker* worker, char* args)
 	struct iter_forwards* fwd = worker->env.fwds;
 	int insecure = 0;
 	uint8_t* nm = NULL;
 -	if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL))
 +	if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL, NULL))
 		return;
 	if(insecure && worker->env.anchors)
 		anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
@@ -2189,11 +2193,13 @@ static void
 do_stub_add(RES* ssl, struct worker* worker, char* args)
 {
 	struct iter_forwards* fwd = worker->env.fwds;
 -	int insecure = 0, prime = 0;
 +	int insecure = 0, prime = 0, tls = 0;
 	uint8_t* nm = NULL;
 	struct delegpt* dp = NULL;
 -	if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, &prime))
 +	if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, &prime, &tls))
 		return;
 +	if(tls)
 +		dp->ssl_upstream = 1;
 	if(insecure && worker->env.anchors) {
 		if(!anchors_add_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
 			nm)) {
@@ -2232,7 +2238,7 @@ do_stub_remove(RES* ssl, struct worker* worker, char* args)
 	struct iter_forwards* fwd = worker->env.fwds;
 	int insecure = 0;
 	uint8_t* nm = NULL;
 -	if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL))
 +	if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL, NULL))
 		return;
 	if(insecure && worker->env.anchors)
 		anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
 diff --git a/unbound-1.16.2/doc/unbound-control.8.in b/unbound-1.16.2/doc/unbound-control.8.in
 index 7823de3a..642b4c94 100644
 --- a/unbound-1.16.2/doc/unbound-control.8.in
 +++ b/unbound-1.16.2/doc/unbound-control.8.in
@@ -239,22 +239,24 @@ still be bogus, use \fBflush_zone\fR to remove it), does not affect the config f
 .B insecure_remove \fIzone
 Removes domain\-insecure for the given zone.
 .TP
 -.B forward_add \fR[\fI+i\fR] \fIzone addr ...
 +.B forward_add \fR[\fI+it\fR] \fIzone addr ...
 Add a new forward zone to running Unbound.  With +i option also adds a
 \fIdomain\-insecure\fR for the zone (so it can resolve insecurely if you have
 a DNSSEC root trust anchor configured for other names).
 The addr can be IP4, IP6 or nameserver names, like \fIforward-zone\fR config
 in unbound.conf.
 +The +t option sets it to use tls upstream, like \fIforward\-tls\-upstream\fR: yes.
 .TP
 .B forward_remove \fR[\fI+i\fR] \fIzone
 Remove a forward zone from running Unbound.  The +i also removes a
 \fIdomain\-insecure\fR for the zone.
 .TP
 -.B stub_add \fR[\fI+ip\fR] \fIzone addr ...
 +.B stub_add \fR[\fI+ipt\fR] \fIzone addr ...
 Add a new stub zone to running Unbound.  With +i option also adds a
 \fIdomain\-insecure\fR for the zone.  With +p the stub zone is set to prime,
 without it it is set to notprime.  The addr can be IP4, IP6 or nameserver
 names, like the \fIstub-zone\fR config in unbound.conf.
 +The +t option sets it to use tls upstream, like \fIstub\-tls\-upstream\fR: yes.
 .TP
 .B stub_remove \fR[\fI+i\fR] \fIzone
 Remove a stub zone from running Unbound.  The +i also removes a
 diff --git a/unbound-1.16.2/smallapp/unbound-control.c b/unbound-1.16.2/smallapp/unbound-control.c
 index c4f73006..57b0787d 100644
 --- a/unbound-1.16.2/smallapp/unbound-control.c
 +++ b/unbound-1.16.2/smallapp/unbound-control.c
@@ -150,12 +150,13 @@ usage(void)
 	printf("  list_local_data		list local-data RRs in use\n");
 	printf("  insecure_add zone 		add domain-insecure zone\n");
 	printf("  insecure_remove zone		remove domain-insecure zone\n");
 -	printf("  forward_add [+i] zone addr..	add forward-zone with servers\n");
 +	printf("  forward_add [+it] zone addr..	add forward-zone with servers\n");
 	printf("  forward_remove [+i] zone	remove forward zone\n");
 -	printf("  stub_add [+ip] zone addr..	add stub-zone with servers\n");
 +	printf("  stub_add [+ipt] zone addr..	add stub-zone with servers\n");
 	printf("  stub_remove [+i] zone		remove stub zone\n");
 	printf("		+i		also do dnssec insecure point\n");
 	printf("		+p		set stub to use priming\n");
 +	printf("		+t		set to use tls upstream\n");
 	printf("  forward [off | addr ...]	without arg show forward setup\n");
 	printf("				or off to turn off root forwarding\n");
 	printf("				or give list of ip addresses\n");
--- a/SOURCES/unbound-as112-networks.conf
+++ b/SOURCES/unbound-as112-networks.conf
@ -0,0 +1,118 @@
 # Allow forwarding of private ranges, which are marked forwardable by IANA
 # https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
 # https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
 # https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml
 # RFC 6303: Locally Served DNS Zones (https://www.rfc-editor.org/rfc/rfc6303.html)
 #
 # Using this configuration file will simplify forwarding to potentially private ranges.
 # Enables forwarding of networks marked as forwardable at IANA special registry.
 # This is useful when upstream forwarder may be still inside private network. That is the case
 # when unbound works as a localhost DNS cache, not network wide resolver.
 server:
 	# RFC 8375: Special-Use Domain 'home.arpa.'
 	local-zone: "home.arpa." nodefault
 	# RFC 1918: Address Allocation for Private Internets
 	local-zone: "10.in-addr.arpa." nodefault
 	local-zone: "16.172.in-addr.arpa." nodefault
 	local-zone: "17.172.in-addr.arpa." nodefault
 	local-zone: "18.172.in-addr.arpa." nodefault
 	local-zone: "19.172.in-addr.arpa." nodefault
 	local-zone: "20.172.in-addr.arpa." nodefault
 	local-zone: "21.172.in-addr.arpa." nodefault
 	local-zone: "22.172.in-addr.arpa." nodefault
 	local-zone: "23.172.in-addr.arpa." nodefault
 	local-zone: "24.172.in-addr.arpa." nodefault
 	local-zone: "25.172.in-addr.arpa." nodefault
 	local-zone: "26.172.in-addr.arpa." nodefault
 	local-zone: "27.172.in-addr.arpa." nodefault
 	local-zone: "28.172.in-addr.arpa." nodefault
 	local-zone: "29.172.in-addr.arpa." nodefault
 	local-zone: "30.172.in-addr.arpa." nodefault
 	local-zone: "31.172.in-addr.arpa." nodefault
 	local-zone: "168.192.in-addr.arpa." nodefault
 	# RFC 6598: IANA-Reserved IPv4 Prefix for Shared Address Space
 	local-zone: "64.100.in-addr.arpa." nodefault
 	local-zone: "65.100.in-addr.arpa." nodefault
 	local-zone: "66.100.in-addr.arpa." nodefault
 	local-zone: "67.100.in-addr.arpa." nodefault
 	local-zone: "68.100.in-addr.arpa." nodefault
 	local-zone: "69.100.in-addr.arpa." nodefault
 	local-zone: "70.100.in-addr.arpa." nodefault
 	local-zone: "71.100.in-addr.arpa." nodefault
 	local-zone: "72.100.in-addr.arpa." nodefault
 	local-zone: "73.100.in-addr.arpa." nodefault
 	local-zone: "74.100.in-addr.arpa." nodefault
 	local-zone: "75.100.in-addr.arpa." nodefault
 	local-zone: "76.100.in-addr.arpa." nodefault
 	local-zone: "77.100.in-addr.arpa." nodefault
 	local-zone: "78.100.in-addr.arpa." nodefault
 	local-zone: "79.100.in-addr.arpa." nodefault
 	local-zone: "80.100.in-addr.arpa." nodefault
 	local-zone: "81.100.in-addr.arpa." nodefault
 	local-zone: "82.100.in-addr.arpa." nodefault
 	local-zone: "83.100.in-addr.arpa." nodefault
 	local-zone: "84.100.in-addr.arpa." nodefault
 	local-zone: "85.100.in-addr.arpa." nodefault
 	local-zone: "86.100.in-addr.arpa." nodefault
 	local-zone: "87.100.in-addr.arpa." nodefault
 	local-zone: "88.100.in-addr.arpa." nodefault
 	local-zone: "89.100.in-addr.arpa." nodefault
 	local-zone: "90.100.in-addr.arpa." nodefault
 	local-zone: "91.100.in-addr.arpa." nodefault
 	local-zone: "92.100.in-addr.arpa." nodefault
 	local-zone: "93.100.in-addr.arpa." nodefault
 	local-zone: "94.100.in-addr.arpa." nodefault
 	local-zone: "95.100.in-addr.arpa." nodefault
 	local-zone: "96.100.in-addr.arpa." nodefault
 	local-zone: "97.100.in-addr.arpa." nodefault
 	local-zone: "98.100.in-addr.arpa." nodefault
 	local-zone: "99.100.in-addr.arpa." nodefault
 	local-zone: "100.100.in-addr.arpa." nodefault
 	local-zone: "101.100.in-addr.arpa." nodefault
 	local-zone: "102.100.in-addr.arpa." nodefault
 	local-zone: "103.100.in-addr.arpa." nodefault
 	local-zone: "104.100.in-addr.arpa." nodefault
 	local-zone: "105.100.in-addr.arpa." nodefault
 	local-zone: "106.100.in-addr.arpa." nodefault
 	local-zone: "107.100.in-addr.arpa." nodefault
 	local-zone: "108.100.in-addr.arpa." nodefault
 	local-zone: "109.100.in-addr.arpa." nodefault
 	local-zone: "110.100.in-addr.arpa." nodefault
 	local-zone: "111.100.in-addr.arpa." nodefault
 	local-zone: "112.100.in-addr.arpa." nodefault
 	local-zone: "113.100.in-addr.arpa." nodefault
 	local-zone: "114.100.in-addr.arpa." nodefault
 	local-zone: "115.100.in-addr.arpa." nodefault
 	local-zone: "116.100.in-addr.arpa." nodefault
 	local-zone: "117.100.in-addr.arpa." nodefault
 	local-zone: "118.100.in-addr.arpa." nodefault
 	local-zone: "119.100.in-addr.arpa." nodefault
 	local-zone: "120.100.in-addr.arpa." nodefault
 	local-zone: "121.100.in-addr.arpa." nodefault
 	local-zone: "122.100.in-addr.arpa." nodefault
 	local-zone: "123.100.in-addr.arpa." nodefault
 	local-zone: "124.100.in-addr.arpa." nodefault
 	local-zone: "125.100.in-addr.arpa." nodefault
 	local-zone: "126.100.in-addr.arpa." nodefault
 	local-zone: "127.100.in-addr.arpa." nodefault
 	# RFC 4193: Unique Local IPv6 Unicast Addresses
 	local-zone: "d.f.ip6.arpa." nodefault
 	# RFC 2606: Reserved Top Level DNS Names
 	local-zone:      "test." nodefault
 	domain-insecure: "test"
 	domain-insecure: "example"
 	# RFC 6762: Multicast DNS, Appendix G
 	domain-insecure: "local"
 	domain-insecure: "intranet"
 	domain-insecure: "private"
 	domain-insecure: "corp"
 	domain-insecure: "home"
 	domain-insecure: "lan"
 	# draft-davies-internal-tld
 	domain-insecure: "internal"
--- a/SOURCES/unbound-initrd.conf
+++ b/SOURCES/unbound-initrd.conf
@ -0,0 +1,5 @@
 [Unit]
 Before=network-online.target
 [Install]
 WantedBy=network-online.target
--- a/SOURCES/unbound-local-root.conf
+++ b/SOURCES/unbound-local-root.conf
@ -0,0 +1,30 @@
 # Authority zones
 # The data for these zones is kept locally, from a file or downloaded.
 # The data can be served to downstream clients, or used instead of the
 # upstream (which saves a lookup to the upstream).
 #
 # Download local root copy and answer TLD queries from it. Because
 # auth-zone has higher precedence, defined forward-zones to internal
 # only TLD will not work. Use stub-zone or disable this zone.
 # Good for a network-wide resolvers, worse for a localhost caching forwarder.
 auth-zone:
 	name: "."
 	primary: 170.247.170.2        # b.root-servers.net
 	primary: 192.33.4.12          # c.root-servers.net
 	primary: 199.7.91.13          # d.root-servers.net
 	primary: 192.5.5.241          # f.root-servers.net
 	primary: 192.112.36.4         # g.root-servers.net
 	primary: 193.0.14.129         # k.root-servers.net
 	primary: 192.0.47.132         # xfr.cjr.dns.icann.org
 	primary: 192.0.32.132         # xfr.lax.dns.icann.org
 	primary: 2801:1b8:10::b       # b.root-servers.net
 	primary: 2001:500:2::c        # c.root-servers.net
 	primary: 2001:500:2d::d       # d.root-servers.net
 	primary: 2001:500:2f::f       # f.root-servers.net
 	primary: 2001:500:12::d0d     # g.root-servers.net
 	primary: 2001:7fd::1          # k.root-servers.net
 	primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
 	primary: 2620:0:2d0:202::132  # xfr.lax.dns.icann.org
 	fallback-enabled: yes
 	for-downstream: no
 	for-upstream: yes
--- a/SOURCES/unbound.conf
+++ b/SOURCES/unbound.conf
@ -1071,27 +1071,27 @@ include: /etc/unbound/conf.d/*.conf
 # download it), master: fetches with AXFR and IXFR, or url to zonefile.
 # With allow-notify: you can give additional (apart from masters) sources of
 # notifies.
-auth-zone:
+#auth-zone:
-	name: "."
+#	name: "."
-	primary: 199.9.14.201         # b.root-servers.net
+#	primary: 199.9.14.201         # b.root-servers.net
-	primary: 192.33.4.12          # c.root-servers.net
+#	primary: 192.33.4.12          # c.root-servers.net
-	primary: 199.7.91.13          # d.root-servers.net
+#	primary: 199.7.91.13          # d.root-servers.net
-	primary: 192.5.5.241          # f.root-servers.net
+#	primary: 192.5.5.241          # f.root-servers.net
-	primary: 192.112.36.4         # g.root-servers.net
+#	primary: 192.112.36.4         # g.root-servers.net
-	primary: 193.0.14.129         # k.root-servers.net
+#	primary: 193.0.14.129         # k.root-servers.net
-	primary: 192.0.47.132         # xfr.cjr.dns.icann.org
+#	primary: 192.0.47.132         # xfr.cjr.dns.icann.org
-	primary: 192.0.32.132         # xfr.lax.dns.icann.org
+#	primary: 192.0.32.132         # xfr.lax.dns.icann.org
-	primary: 2001:500:200::b      # b.root-servers.net
+#	primary: 2001:500:200::b      # b.root-servers.net
-	primary: 2001:500:2::c        # c.root-servers.net
+#	primary: 2001:500:2::c        # c.root-servers.net
-	primary: 2001:500:2d::d       # d.root-servers.net
+#	primary: 2001:500:2d::d       # d.root-servers.net
-	primary: 2001:500:2f::f       # f.root-servers.net
+#	primary: 2001:500:2f::f       # f.root-servers.net
-	primary: 2001:500:12::d0d     # g.root-servers.net
+#	primary: 2001:500:12::d0d     # g.root-servers.net
-	primary: 2001:7fd::1          # k.root-servers.net
+#	primary: 2001:7fd::1          # k.root-servers.net
-	primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
+#	primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
-	primary: 2620:0:2d0:202::132  # xfr.lax.dns.icann.org
+#	primary: 2620:0:2d0:202::132  # xfr.lax.dns.icann.org
-	fallback-enabled: yes
+#	fallback-enabled: yes
-	for-downstream: no
+#	for-downstream: no
-	for-upstream: yes
+#	for-upstream: yes
 # auth-zone:
 #	name: "example.org"
--- a/SOURCES/unbound.service
+++ b/SOURCES/unbound.service
@ -8,10 +8,10 @@ Before=nss-lookup.target
 Wants=nss-lookup.target
 [Service]
-Type=simple
+Type=notify
 EnvironmentFile=-/etc/sysconfig/unbound
 ExecStartPre=/usr/sbin/unbound-checkconf
-ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_UNBOUND_ANCHOR" == "yes" ]; then /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R; else echo "Updates of root keys with unbound-anchor is disabled"; fi'
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_UNBOUND_ANCHOR" == "yes" ] && [ ! -f /run/unbound/anchor-disable ]; then /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R; else echo "Updates of root keys with unbound-anchor is disabled"; fi'
 ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
 ExecReload=/usr/sbin/unbound-control reload
--- a/SOURCES/unbound.sysusers
+++ b/SOURCES/unbound.sysusers
@ -0,0 +1 @@
 u unbound - "Unbound DNS resolver" /var/lib/unbound /sbin/nologin
--- a/SPECS/unbound.spec
+++ b/SPECS/unbound.spec
@ -2,7 +2,7 @@
 %{?!with_python3:     %global with_python3     1}
 %{?!with_munin:       %global with_munin       1}
 %bcond_without dnstap
-%bcond_with    systemd
+%bcond_without systemd
 %bcond_without doh
 %global _hardened_build 1
@ -30,7 +30,7 @@
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.16.2
-Release: 8%{?extra_version:.%{extra_version}}%{?dist}
+Release: 17%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://nlnetlabs.nl/projects/unbound/
 Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
@ -53,11 +53,18 @@ Source17: unbound-anchor.service
 Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
 Source19: http://keys.gnupg.net/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
 Source21: remote-control.conf
 Source22: unbound-local-root.conf
 Source23: module-setup.sh
 Source24: unbound-initrd.conf
 Source25: unbound.sysusers
 Source26: unbound-as112-networks.conf
 # https://github.com/NLnetLabs/unbound/commit/137719522a8ea5b380fbb6206d2466f402f5b554
 Patch1: unbound-1.16-CVE-2022-3204.patch
 # https://nlnetlabs.nl/downloads/unbound/patch_CVE-2023-50387_CVE-2023-50868.diff
 Patch4: unbound-1.16-CVE-2023-50387-CVE-2023-50868.patch
 # https://github.com/NLnetLabs/unbound/commit/6d1e61173
 Patch5: unbound-1.16-control-t-flag.patch
 BuildRequires: gcc, make
 BuildRequires: flex, openssl-devel
@ -127,7 +134,7 @@ The devel package contains the unbound library and the include files
 %package libs
 Summary: Libraries used by the unbound server and client applications
-Requires(pre): shadow-utils
+%{?sysusers_requires_compat}
 %if ! 0%{with_python2}
 # Make explicit conflict with no longer provided python package
 Obsoletes: python2-unbound < 1.9.3
@ -161,6 +168,14 @@ Conflicts: python2-unbound < 1.9.3
 Python 3 modules and extensions for unbound
 %endif
 %package dracut
 Summary: Unbound dracut module
 Requires: dracut%{?_isa}
 Requires: %{name}%{?_isa} = %{version}-%{release}
 %description dracut
 Unbound dracut module allowing use of Unbound for name resolution
 in initramfs.
 %prep
 %if 0%{?fedora}
@ -272,6 +287,7 @@ install -p -m 0644 %{SOURCE17} %{buildroot}%{_unitdir}/unbound-anchor.service
 install -p -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound
 install -p -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/unbound
 install -p -m 0644 %{SOURCE14} %{buildroot}%{_sysconfdir}/sysconfig/unbound
 install -p -D -m 0644 %{SOURCE25} %{buildroot}%{_sysusersdir}/%{name}.conf
 %if %{with_munin}
 # Install munin plugin and its softlinks
 install -d -m 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d
@ -298,6 +314,9 @@ install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf
 install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/
 install -m 0644 %{SOURCE13} %{buildroot}%{_sharedstatedir}/unbound/root.key
 # local root zone fetch to separated configuration file
 install -p -m 0644 %{SOURCE22} %{buildroot}%{_sysconfdir}/unbound/
 # remove static library from install (fedora packaging guidelines)
 rm %{buildroot}%{_libdir}/*.la
@ -319,16 +338,22 @@ install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
 install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
 install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
 install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/
 ln -s ../unbound-local-root.conf %{buildroot}%{_sysconfdir}/unbound/conf.d/unbound-local-root.conf
 mkdir -p %{buildroot}%{_datadir}/%{name}/conf.d
 install -p -m 0644 %{SOURCE26} %{buildroot}%{_datadir}/%{name}/conf.d/
 # Link unbound-control-setup.8 manpage to unbound-control.8
 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
 # install dracut module
 mkdir -p %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
 install -p -m 0755 %{SOURCE23} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
 install -p -m 0644 %{SOURCE24} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
 %pre libs
-getent group unbound >/dev/null || groupadd -r unbound
+%sysusers_create_compat %{SOURCE25}
 getent passwd unbound >/dev/null || \
 useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \
 -c "Unbound DNS resolver" unbound
 %post
 %systemd_post unbound.service
@ -380,14 +405,17 @@ popd
 %doc doc/CREDITS doc/FEATURES
 %{_unitdir}/%{name}.service
 %{_unitdir}/%{name}-keygen.service
-%attr(0755,unbound,unbound) %dir %{_rundir}/%{name}
+%attr(0775,unbound,root) %dir %{_rundir}/%{name}
 %attr(0644,root,root) %{_tmpfilesdir}/unbound.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound-local-root.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
 %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d
 %attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d/*.key
 %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/conf.d
-%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/conf.d/*.conf
+%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/conf.d/example.com.conf
 %attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/conf.d/remote-control.conf
 %verify(not mtime) %config(missingok, noreplace) %{_sysconfdir}/%{name}/conf.d/unbound-local-root.conf
 %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/local.d
 %attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/local.d/*.conf
 %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.pem
@ -404,6 +432,7 @@ popd
 %{_mandir}/man5/*
 %exclude %{_mandir}/man8/unbound-anchor*
 %{_mandir}/man8/*
 %{_datadir}/%{name}/
 %if 0%{with_python2}
 %files -n python2-unbound
@ -439,6 +468,7 @@ popd
 %doc doc/README
 %license doc/LICENSE
 %attr(0755,root,root) %dir %{_sysconfdir}/%{name}
 %{_sysusersdir}/%{name}.conf
 %{_sbindir}/unbound-anchor
 %{_libdir}/libunbound.so.*
 %{_mandir}/man8/unbound-anchor*
@ -452,7 +482,46 @@ popd
 # just left for backwards compat with user changed unbound.conf files - format is different!
 %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
 %files dracut
 %{_prefix}/lib/dracut/modules.d/99unbound
 %changelog
 * Mon Feb 10 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-17
 - Add as112 networks config file
 - Resolves: RHEL-78696
 * Mon Feb 10 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-16
 - Add possibility to disable unbound-anchor by file presence
 - Resolves: RHEL-78694
 * Sun Feb 09 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-15
 - Add sysusers support needed to propagate user to initramfs
 - Resolves: RHEL-77789
 * Sun Feb 09 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-14
 - Change service type to notify
 - Resolves: RHEL-77790
 * Wed Feb 05 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-13
 - Add noreplace to root zone config link
 - Resolves: RHEL-77788
 * Tue Feb 04 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-12
 - Backport +t flag to forward_add and stub_add control commands
 - Resolves: RHEL-77791
 * Tue Feb 04 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-11
 - Enabled libsystemd and change unbound service type to notify-reload
 - Resolves: RHEL-77790
 * Tue Feb 04 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-10
 - Add dracut module
 - Resolves: RHEL-77789
 * Tue Feb 04 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-9
 - Move automatic root zone fetching to drop-in
 - Resolves: RHEL-77788
 * Mon Mar 11 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-8
 - Ensure group access correction reaches also updated configs (CVE-2024-1488)
`@ -1 +1 @@`
	`D /run/unbound 0755 unbound unbound -`	`D /run/unbound 0775 unbound root -`
		`@ -0,0 +1 @@`
							`u unbound - "Unbound DNS resolver" /var/lib/unbound /sbin/nologin`