Move defaults to separate configuration file

Place distribution defaults into file provided in /usr/share/unbound.
Include that file from default configuration before conf.d/*.conf is
included, to ensure similar order is kept.

Rely on remote-control being configured only by conf.d/remote-control.conf.
Moved the parts from the original unbound.conf together into a single file.

Resolves: RHEL-77780
Tomas Korbar 2025-02-04 09:25:14 +01:00
parent 31ef264918
commit cc9a5c9d7b
7 changed files with 441 additions and 405 deletions

226
fedora-defaults.conf Normal file

@ -0,0 +1,226 @@
# Fedora distribution defaults
server:
# verbosity number, 0 is least verbose. 1 is default.
verbosity: 1
# print statistics to the log (for every thread) every N seconds.
# Set to "" or 0 to disable. Default is disabled.
# Needs to be disabled for munin plugin
statistics-interval: 0
# enable cumulative statistics, without clearing them after printing.
# Needs to be disabled for munin plugin
statistics-cumulative: no
# enable extended statistics (query types, answer codes, status)
# Needs to be enabled for munin plugin
extended-statistics: yes
# number of threads to create. 1 disables threading.
# num-threads: 1
num-threads: 4
# specify the interfaces to answer queries from by ip-address.
# The default is to listen to localhost (127.0.0.1 and ::1).
# specify 0.0.0.0 and ::0 to bind to all available interfaces.
# specify every interface[@port] on a new 'interface:' labelled line.
# The listen interfaces are not changed on reload, only on restart.
# interface: 0.0.0.0
# interface: ::0
# interface: 192.0.2.153
# interface: 192.0.2.154
# interface: 192.0.2.154@5003
# interface: 2001:DB8::5
# interface: eth0@5003
#
# for dns over tls and raw dns over port 80
# interface: 0.0.0.0@443
# interface: ::0@443
# interface: 0.0.0.0@80
# interface: ::0@80
# enable this feature to copy the source address of queries to reply.
# Socket options are not supported on all platforms. experimental.
# interface-automatic: yes
#
# NOTE: Enable this option when specifying interface 0.0.0.0 or ::0
# NOTE: Disabled per Fedora policy not to listen to * on default install
# NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled
interface-automatic: no
# permit Unbound to use this port number or port range for
# making outgoing queries, using an outgoing interface.
# Only ephemeral ports are allowed by SElinux
outgoing-port-permit: 32768-60999
# IANA-assigned port numbers.
# If multiple outgoing-port-permit and outgoing-port-avoid options
# are present, they are processed in order.
# Our SElinux policy does not allow non-ephemeral ports to be used
outgoing-port-avoid: 0-32767
outgoing-port-avoid: 61000-65535
# use SO_REUSEPORT to distribute queries over threads.
# at extreme load it could be better to turn it off to distribute even.
so-reuseport: yes
# use IP_TRANSPARENT so the interface: addresses can be non-local
# and you can config non-existing IPs that are going to work later on
# (uses IP_BINDANY on FreeBSD).
ip-transparent: yes
# Enable UDP, "yes" or "no".
# NOTE: if setting up an Unbound on tls443 for public use, you might want to
# disable UDP to avoid being used in DNS amplification attacks.
# do-udp: yes
# Enable EDNS TCP keepalive option.
edns-tcp-keepalive: yes
# Fedora note: do not activate this - not compiled in because
# it causes frequent unbound crashes. Also, socket activation
# is bad when you have things like dnsmasq also running with libvirt.
# Use systemd socket activation for UDP, TCP, and control sockets.
# use-systemd: no
# If you give "" no chroot is performed. The path must not end in a /.
# chroot: "/etc/unbound"
chroot: ""
# If you give a server: directory: dir before include: file statements
# then those includes can be relative to the working directory.
directory: "/etc/unbound"
# print UTC timestamp in ascii to logfile, default is epoch in seconds.
log-time-ascii: yes
# Harden against unseemly large queries.
harden-large-queries: yes
# Default off, because the lookups burden the server. Experimental
# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
harden-referral-path: yes
# Sent minimum amount of information to upstream servers to enhance
# privacy. Only sent minimum required labels of the QNAME and set QTYPE
# to A when possible.
qname-minimisation: yes
# Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
# and other denials, using information from previous NXDOMAINs answers.
aggressive-nsec: yes
# threshold, a warning is printed and a defensive action is taken,
# the cache is cleared to flush potential poison out of it.
# A suggested value is 10000000, the default is 0 (turned off).
unwanted-reply-threshold: 10000000
# if yes, perform prefetching of almost expired message cache entries.
prefetch: yes
# if yes, perform key lookups adjacent to normal lookups.
prefetch-key: yes
# deny queries of type ANY with an empty response.
deny-any: yes
# if yes, Unbound rotates RRSet order in response.
rrset-roundrobin: yes
# if yes, Unbound doesn't insert authority/additional sections
# into response messages when those sections are not required.
minimal-responses: yes
# module configuration of the server. A string with identifiers
# separated by spaces. Syntax: "[dns64] [validator] iterator"
# most modules have to be listed at the beginning of the line,
# except cachedb(just before iterator), and python (at the beginning,
# or, just before the iterator).
# For redis cachedb use:
# "ipsecmod validator cachedb iterator"
module-config: "ipsecmod validator iterator"
# trust anchor signaling sends a RFC8145 key tag query after priming.
trust-anchor-signaling: yes
# Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
root-key-sentinel: yes
# the trusted-keys { name flag proto algo "key"; }; clauses are read.
# you need external update procedures to track changes in keys.
# trusted-keys-file: ""
#
trusted-keys-file: /etc/unbound/keys.d/*.key
auto-trust-anchor-file: "/var/lib/unbound/root.key"
# Should additional section of secure message also be kept clean of
# unsecure data. Useful to shield the users of this validator from
# potential bogus data in the additional section. All unsigned data
# in the additional section is removed from secure messages.
val-clean-additional: yes
# Turn permissive mode on to permit bogus messages. Thus, messages
# for which security checks failed will be returned to clients,
# instead of SERVFAIL. It still performs the security checks, which
# result in interesting log files and possibly the AD bit in
# replies if the message is found secure. The default is off.
# NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
val-permissive-mode: no
# Serve expired responses from cache, with serve-expired-reply-ttl in
# the response, and then attempt to fetch the data afresh.
serve-expired: yes
# Limit serving of expired responses to configured seconds after
# expiration. 0 disables the limit.
serve-expired-ttl: 14400
# Have the validator log failed validations for your diagnosis.
# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
val-log-level: 1
# service clients over TLS (on the TCP sockets) with plain DNS inside
# the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
# Give the certificate to use and private key.
# default is "" (disabled). requires restart to take effect.
# tls-service-key: "/etc/unbound/unbound_server.key"
# tls-service-pem: "/etc/unbound/unbound_server.pem"
# Fedora/RHEL: use system-wide crypto policies
tls-ciphers: "PROFILE=SYSTEM"
# Enable to attach Extended DNS Error codes (RFC8914) to responses.
# Fedora defaults to yes.
ede: yes
# Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale
# Answer as EDNS0 option to expired responses.
# Note that the ede option above needs to be enabled for this to work.
# Fedora defaults to yes.
ede-serve-expired: yes
# Enable or disable ipsecmod (it still needs to be defined in
# module-config above). Can be used when ipsecmod needs to be
# enabled/disabled via remote-control(below).
# Fedora: module will be enabled on-demand by libreswan
ipsecmod-enabled: no
# Path to executable external hook. It must be defined when ipsecmod is
# listed in module-config (above).
ipsecmod-hook: /usr/libexec/ipsec/_unbound-hook
python:
# Script file to load
# python-script: "/etc/unbound/ubmodule-tst.py"
# Remote control config section moved into own remote-control.conf
# the module-config then you need one dynlib-file per instance.
dynlib:
# Script file to load
# dynlib-file: "/etc/unbound/dynlib.so"
# Fedora: DNSCrypt support not enabled since it requires linking to
# another crypto library
#
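Review bot: The last two stanzas of this file are the bare section headers `python:` and `dynlib:` with nothing but commented-out options under them, so after an `include:` of this file the parser is left in the `dynlib:` section for whatever follows the include in unbound.conf (as far as I can tell plain `include:` does not reset the section, which is what `include-toplevel:` exists for in unbound 1.20.0). Dropping the two empty headers, or using `include-toplevel:` at the call site, keeps the included defaults from changing the caller's context. The note `# Remote control config section moved into own remote-control.conf` sits inside the python: stanza directly above an orphaned fragment of the upstream dynlib comment (`# the module-config then you need one dynlib-file per instance.`); move the note up to the file header and delete the fragment. The dangling `#` after the DNSCrypt remark at the end can go as well.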


@ -0,0 +1,4 @@
# Previous defaults allowed any process to change settings, CVE-2023-1488
# If you want to modify remote configuration, replace this file with
# contents of included file and modify afterwards.
include: "/usr/share/unbound/conf.d/remote-control.conf"

26
remote-control.conf Normal file

@ -0,0 +1,26 @@
# Remote control config section update.
# Previous defaults allowed any process to change settings, CVE-2023-1488
# This file can be used also by: unbound-control -c <path>
remote-control:
# Enable remote control with unbound-control(8) here.
# set up the keys and certificates with unbound-control-setup.
control-enable: yes
# set to an absolute path to use a unix local name pipe, certificates
# are not used for that, so key and cert files need not be present.
control-interface: "/run/unbound/control"
# For local sockets this option is ignored, and TLS is not used.
control-use-cert: "yes"
# Unbound server key file.
server-key-file: "/etc/unbound/unbound_server.key"
# Unbound server certificate file.
server-cert-file: "/etc/unbound/unbound_server.pem"
# unbound-control key file.
control-key-file: "/etc/unbound/unbound_control.key"
# unbound-control certificate file.
control-cert-file: "/etc/unbound/unbound_control.pem"
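Review bot: `control-use-cert: "yes"` is paired with a unix-socket `control-interface`, for which the comment right above it says the option is ignored, so the file never states what actually gates access to the control channel or why the value is flipped from the earlier patch's `control-use-cert: "no"`. Add a comment such as `# With a unix socket, access is governed by the socket's filesystem permissions; control-use-cert stays "yes" so TLS client authentication is enforced again should control-interface ever be changed to an IP address.` The stock remark `# set up the keys and certificates with unbound-control-setup.` reads as a required step; qualify it with "only needed when control-interface is an IP address" so administrators are not led to generate key material that the unix socket never uses.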

118
unbound-as112-networks.conf Normal file

@ -0,0 +1,118 @@
# Allow forwarding of private ranges, which are marked forwardable by IANA
# https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
# https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
# https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml
# RFC 6303: Locally Served DNS Zones (https://www.rfc-editor.org/rfc/rfc6303.html)
#
# Using this configuration file will simplify forwarding to potentially private ranges.
# Enables forwarding of networks marked as forwardable at IANA special registry.
# This is useful when upstream forwarder may be still inside private network. That is the case
# when unbound works as a localhost DNS cache, not network wide resolver.
server:
# RFC 8375: Special-Use Domain 'home.arpa.'
local-zone: "home.arpa." nodefault
# RFC 1918: Address Allocation for Private Internets
local-zone: "10.in-addr.arpa." nodefault
local-zone: "16.172.in-addr.arpa." nodefault
local-zone: "17.172.in-addr.arpa." nodefault
local-zone: "18.172.in-addr.arpa." nodefault
local-zone: "19.172.in-addr.arpa." nodefault
local-zone: "20.172.in-addr.arpa." nodefault
local-zone: "21.172.in-addr.arpa." nodefault
local-zone: "22.172.in-addr.arpa." nodefault
local-zone: "23.172.in-addr.arpa." nodefault
local-zone: "24.172.in-addr.arpa." nodefault
local-zone: "25.172.in-addr.arpa." nodefault
local-zone: "26.172.in-addr.arpa." nodefault
local-zone: "27.172.in-addr.arpa." nodefault
local-zone: "28.172.in-addr.arpa." nodefault
local-zone: "29.172.in-addr.arpa." nodefault
local-zone: "30.172.in-addr.arpa." nodefault
local-zone: "31.172.in-addr.arpa." nodefault
local-zone: "168.192.in-addr.arpa." nodefault
# RFC 6598: IANA-Reserved IPv4 Prefix for Shared Address Space
local-zone: "64.100.in-addr.arpa." nodefault
local-zone: "65.100.in-addr.arpa." nodefault
local-zone: "66.100.in-addr.arpa." nodefault
local-zone: "67.100.in-addr.arpa." nodefault
local-zone: "68.100.in-addr.arpa." nodefault
local-zone: "69.100.in-addr.arpa." nodefault
local-zone: "70.100.in-addr.arpa." nodefault
local-zone: "71.100.in-addr.arpa." nodefault
local-zone: "72.100.in-addr.arpa." nodefault
local-zone: "73.100.in-addr.arpa." nodefault
local-zone: "74.100.in-addr.arpa." nodefault
local-zone: "75.100.in-addr.arpa." nodefault
local-zone: "76.100.in-addr.arpa." nodefault
local-zone: "77.100.in-addr.arpa." nodefault
local-zone: "78.100.in-addr.arpa." nodefault
local-zone: "79.100.in-addr.arpa." nodefault
local-zone: "80.100.in-addr.arpa." nodefault
local-zone: "81.100.in-addr.arpa." nodefault
local-zone: "82.100.in-addr.arpa." nodefault
local-zone: "83.100.in-addr.arpa." nodefault
local-zone: "84.100.in-addr.arpa." nodefault
local-zone: "85.100.in-addr.arpa." nodefault
local-zone: "86.100.in-addr.arpa." nodefault
local-zone: "87.100.in-addr.arpa." nodefault
local-zone: "88.100.in-addr.arpa." nodefault
local-zone: "89.100.in-addr.arpa." nodefault
local-zone: "90.100.in-addr.arpa." nodefault
local-zone: "91.100.in-addr.arpa." nodefault
local-zone: "92.100.in-addr.arpa." nodefault
local-zone: "93.100.in-addr.arpa." nodefault
local-zone: "94.100.in-addr.arpa." nodefault
local-zone: "95.100.in-addr.arpa." nodefault
local-zone: "96.100.in-addr.arpa." nodefault
local-zone: "97.100.in-addr.arpa." nodefault
local-zone: "98.100.in-addr.arpa." nodefault
local-zone: "99.100.in-addr.arpa." nodefault
local-zone: "100.100.in-addr.arpa." nodefault
local-zone: "101.100.in-addr.arpa." nodefault
local-zone: "102.100.in-addr.arpa." nodefault
local-zone: "103.100.in-addr.arpa." nodefault
local-zone: "104.100.in-addr.arpa." nodefault
local-zone: "105.100.in-addr.arpa." nodefault
local-zone: "106.100.in-addr.arpa." nodefault
local-zone: "107.100.in-addr.arpa." nodefault
local-zone: "108.100.in-addr.arpa." nodefault
local-zone: "109.100.in-addr.arpa." nodefault
local-zone: "110.100.in-addr.arpa." nodefault
local-zone: "111.100.in-addr.arpa." nodefault
local-zone: "112.100.in-addr.arpa." nodefault
local-zone: "113.100.in-addr.arpa." nodefault
local-zone: "114.100.in-addr.arpa." nodefault
local-zone: "115.100.in-addr.arpa." nodefault
local-zone: "116.100.in-addr.arpa." nodefault
local-zone: "117.100.in-addr.arpa." nodefault
local-zone: "118.100.in-addr.arpa." nodefault
local-zone: "119.100.in-addr.arpa." nodefault
local-zone: "120.100.in-addr.arpa." nodefault
local-zone: "121.100.in-addr.arpa." nodefault
local-zone: "122.100.in-addr.arpa." nodefault
local-zone: "123.100.in-addr.arpa." nodefault
local-zone: "124.100.in-addr.arpa." nodefault
local-zone: "125.100.in-addr.arpa." nodefault
local-zone: "126.100.in-addr.arpa." nodefault
local-zone: "127.100.in-addr.arpa." nodefault
# RFC 4193: Unique Local IPv6 Unicast Addresses
local-zone: "d.f.ip6.arpa." nodefault
# RFC 2606: Reserved Top Level DNS Names
local-zone: "test." nodefault
domain-insecure: "test"
domain-insecure: "example"
# RFC 6762: Multicast DNS, Appendix G
domain-insecure: "local"
domain-insecure: "intranet"
domain-insecure: "private"
domain-insecure: "corp"
domain-insecure: "home"
domain-insecure: "lan"
# draft-davies-internal-tld
domain-insecure: "internal"
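Review bot: The `domain-insecure:` block at the end does something different from the `local-zone: ... nodefault` lines above it, and the file header only explains the latter: `nodefault` stops unbound from answering those zones locally so they can be forwarded, whereas `domain-insecure` switches off DNSSEC validation for the named TLDs, which is needed because the signed root proves they do not exist but also means any forwarded answer for them is accepted unverified. Add a comment above the block, e.g. `# DNSSEC validation is disabled for these names: the signed root denies their existence, so forwarded answers would otherwise fail validation. Replies for them are accepted unchecked.` The heading `# RFC 6762: Multicast DNS, Appendix G` sits above `local`, while Appendix G is the list of names that follows it (intranet, private, corp, home, lan); `local` itself is the mDNS domain from the RFC body, so split the citation across the two groups.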


@ -1,60 +1,20 @@
From 135a7be6a2b30b74a9fc239adac45f08ad4eace7 Mon Sep 17 00:00:00 2001 From 56187754cbd38f3623b56d9dc97fbe4b5b5d87e8 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com> From: Tomas Korbar <tkorbar@redhat.com>
Date: Fri, 10 Nov 2023 12:58:31 +0100 Date: Tue, 4 Feb 2025 09:48:12 +0100
Subject: [PATCH] Customize unbound.conf for Fedora defaults Subject: [PATCH 1/1] Customize unbound.conf for Fedora defaults
Set some Fedora/RHEL specific changes to example configuration file. By Set some Fedora/RHEL specific changes to example configuration file. By
patching upstream provided config file we would not need to manually patching upstream provided config file we would not need to manually
update external copy in source RPM. update external copy in source RPM.
--- ---
unbound-1.20.0/doc/example.conf.in | 199 +++++++++++++++++++---------- unbound-1.20.0/doc/example.conf.in | 33 ++++++++++++++++++++++++++++--
1 file changed, 128 insertions(+), 71 deletions(-) 1 file changed, 31 insertions(+), 2 deletions(-)
diff --git a/unbound-1.20.0/doc/example.conf.in b/unbound-1.20.0/doc/example.conf.in diff --git a/unbound-1.20.0/doc/example.conf.in b/unbound-1.20.0/doc/example.conf.in
index 0368c8d..5873db5 100644 index 0368c8d..3ca085e 100644
--- a/unbound-1.20.0/doc/example.conf.in --- a/unbound-1.20.0/doc/example.conf.in
+++ b/unbound-1.20.0/doc/example.conf.in +++ b/unbound-1.20.0/doc/example.conf.in
@@ -17,11 +17,12 @@ server: @@ -51,11 +51,19 @@ server:
# whitespace is not necessary, but looks cleaner.
# verbosity number, 0 is least verbose. 1 is default.
- # verbosity: 1
+ verbosity: 1
# print statistics to the log (for every thread) every N seconds.
# Set to "" or 0 to disable. Default is disabled.
- # statistics-interval: 0
+ # Needs to be disabled for munin plugin
+ statistics-interval: 0
# enable shm for stats, default no. if you enable also enable
# statistics-interval, every time it also writes stats to the
@@ -32,11 +33,13 @@ server:
# shm-key: 11777
# enable cumulative statistics, without clearing them after printing.
- # statistics-cumulative: no
+ # Needs to be disabled for munin plugin
+ statistics-cumulative: no
# enable extended statistics (query types, answer codes, status)
- # printed from unbound-control. Default off, because of speed.
- # extended-statistics: no
+ # printed from unbound-control. default off, because of speed.
+ # Needs to be enabled for munin plugin
+ extended-statistics: yes
# Inhibits selected extended statistics (qtype, qclass, qopcode, rcode,
# rpz-actions) from printing if their value is 0.
@@ -44,22 +47,35 @@ server:
# statistics-inhibit-zero: yes
# number of threads to create. 1 disables threading.
- # num-threads: 1
+ num-threads: 4
# specify the interfaces to answer queries from by ip-address.
# The default is to listen to localhost (127.0.0.1 and ::1).
# specify 0.0.0.0 and ::0 to bind to all available interfaces. # specify 0.0.0.0 and ::0 to bind to all available interfaces.
# specify every interface[@port] on a new 'interface:' labelled line. # specify every interface[@port] on a new 'interface:' labelled line.
# The listen interfaces are not changed on reload, only on restart. # The listen interfaces are not changed on reload, only on restart.
@ -74,53 +34,7 @@ index 0368c8d..5873db5 100644
# enable this feature to copy the source address of queries to reply. # enable this feature to copy the source address of queries to reply.
# Socket options are not supported on all platforms. experimental. # Socket options are not supported on all platforms. experimental.
- # interface-automatic: no @@ -276,6 +284,8 @@ server:
+ # interface-automatic: yes
+ #
+ # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0
+ # NOTE: Disabled per Fedora policy not to listen to * on default install
+ # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled
+ interface-automatic: no
# instead of the default port, open additional ports separated by
# spaces when interface-automatic is enabled, by listing them here.
@@ -94,7 +110,8 @@ server:
# permit Unbound to use this port number or port range for
# making outgoing queries, using an outgoing interface.
- # outgoing-port-permit: 32768
+ # Only ephemeral ports are allowed by SElinux
+ outgoing-port-permit: 32768-60999
# deny Unbound the use this of port number or port range for
# making outgoing queries, using an outgoing interface.
@@ -103,7 +120,9 @@ server:
# IANA-assigned port numbers.
# If multiple outgoing-port-permit and outgoing-port-avoid options
# are present, they are processed in order.
- # outgoing-port-avoid: "3200-3208"
+ # Our SElinux policy does not allow non-ephemeral ports to be used
+ outgoing-port-avoid: 0-32767
+ outgoing-port-avoid: 61000-65535
# number of outgoing simultaneous tcp buffers to hold per thread.
# outgoing-num-tcp: 10
@@ -121,12 +140,12 @@ server:
# use SO_REUSEPORT to distribute queries over threads.
# at extreme load it could be better to turn it off to distribute even.
- # so-reuseport: yes
+ so-reuseport: yes
# use IP_TRANSPARENT so the interface: addresses can be non-local
# and you can config non-existing IPs that are going to work later on
# (uses IP_BINDANY on FreeBSD).
- # ip-transparent: no
+ ip-transparent: yes
# use IP_FREEBIND so the interface: addresses can be non-local
# and you can bind to nonexisting IPs and interfaces that are down.
@@ -276,6 +295,8 @@ server:
# nat64-prefix: 64:ff9b::0/96 # nat64-prefix: 64:ff9b::0/96
# Enable UDP, "yes" or "no". # Enable UDP, "yes" or "no".
@ -129,16 +43,7 @@ index 0368c8d..5873db5 100644
# do-udp: yes # do-udp: yes
# Enable TCP, "yes" or "no". # Enable TCP, "yes" or "no".
@@ -301,7 +322,7 @@ server: @@ -311,6 +321,9 @@ server:
# tcp-idle-timeout: 30000
# Enable EDNS TCP keepalive option.
- # edns-tcp-keepalive: no
+ edns-tcp-keepalive: yes
# Timeout for EDNS TCP keepalive, in msec. Overrides tcp-idle-timeout
# if edns-tcp-keepalive is set.
@@ -311,6 +332,9 @@ server:
# can be dropped. Default is 0, disabled. In seconds, such as 3. # can be dropped. Default is 0, disabled. In seconds, such as 3.
# sock-queue-timeout: 0 # sock-queue-timeout: 0
@ -148,188 +53,7 @@ index 0368c8d..5873db5 100644
# Use systemd socket activation for UDP, TCP, and control sockets. # Use systemd socket activation for UDP, TCP, and control sockets.
# use-systemd: no # use-systemd: no
@@ -424,6 +448,7 @@ server: @@ -890,6 +903,8 @@ server:
#
# If you give "" no chroot is performed. The path must not end in a /.
# chroot: "@UNBOUND_CHROOT_DIR@"
+ chroot: ""
# if given, user privileges are dropped (after binding port),
# and the given username is assumed. Default is user "unbound".
@@ -435,7 +460,7 @@ server:
# is not changed.
# If you give a server: directory: dir before include: file statements
# then those includes can be relative to the working directory.
- # directory: "@UNBOUND_RUN_DIR@"
+ directory: "/etc/unbound"
# the log file, "" means log to stderr.
# Use of this option sets use-syslog to "no".
@@ -450,7 +475,7 @@ server:
# log-identity: ""
# print UTC timestamp in ascii to logfile, default is epoch in seconds.
- # log-time-ascii: no
+ log-time-ascii: yes
# print one line with time, IP, name, type, class for every query.
# log-queries: no
@@ -522,22 +547,22 @@ server:
# harden-large-queries: no
# Harden against out of zone rrsets, to avoid spoofing attempts.
- # harden-glue: yes
+ harden-glue: yes
# Harden against receiving dnssec-stripped data. If you turn it
# off, failing to validate dnskey data for a trustanchor will
# trigger insecure mode for that zone (like without a trustanchor).
# Default on, which insists on dnssec data for trust-anchored zones.
- # harden-dnssec-stripped: yes
+ harden-dnssec-stripped: yes
# Harden against queries that fall under dnssec-signed nxdomain names.
- # harden-below-nxdomain: yes
+ harden-below-nxdomain: yes
# Harden the referral path by performing additional queries for
# infrastructure data. Validates the replies (if possible).
# Default off, because the lookups burden the server. Experimental
# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
- # harden-referral-path: no
+ harden-referral-path: yes
# Harden against algorithm downgrade when multiple algorithms are
# advertised in the DS record. If no, allows the weakest algorithm
@@ -551,7 +576,7 @@ server:
# Sent minimum amount of information to upstream servers to enhance
# privacy. Only sent minimum required labels of the QNAME and set QTYPE
# to A when possible.
- # qname-minimisation: yes
+ qname-minimisation: yes
# QNAME minimisation in strict mode. Do not fall-back to sending full
# QNAME to potentially broken nameservers. A lot of domains will not be
@@ -561,7 +586,7 @@ server:
# Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
# and other denials, using information from previous NXDOMAINs answers.
- # aggressive-nsec: yes
+ aggressive-nsec: yes
# Use 0x20-encoded random bits in the query to foil spoof attempts.
# This feature is an experimental implementation of draft dns-0x20.
@@ -594,7 +619,7 @@ server:
# threshold, a warning is printed and a defensive action is taken,
# the cache is cleared to flush potential poison out of it.
# A suggested value is 10000000, the default is 0 (turned off).
- # unwanted-reply-threshold: 0
+ unwanted-reply-threshold: 10000000
# Do not query the following addresses. No DNS queries are sent there.
# List one address per entry. List classless netblocks with /size,
@@ -606,20 +631,20 @@ server:
# do-not-query-localhost: yes
# if yes, perform prefetching of almost expired message cache entries.
- # prefetch: no
+ prefetch: yes
# if yes, perform key lookups adjacent to normal lookups.
- # prefetch-key: no
+ prefetch-key: yes
# deny queries of type ANY with an empty response.
- # deny-any: no
+ deny-any: yes
# if yes, Unbound rotates RRSet order in response.
- # rrset-roundrobin: yes
+ rrset-roundrobin: yes
# if yes, Unbound doesn't insert authority/additional sections
# into response messages when those sections are not required.
- # minimal-responses: yes
+ minimal-responses: yes
# true to disable DNSSEC lameness check in iterator.
# disable-dnssec-lame-check: no
@@ -629,7 +654,9 @@ server:
# most modules have to be listed at the beginning of the line,
# except cachedb(just before iterator), and python (at the beginning,
# or, just before the iterator).
- # module-config: "validator iterator"
+ # For redis cachedb use:
+ # "ipsecmod validator cachedb iterator"
+ module-config: "ipsecmod validator iterator"
# File with trusted keys, kept uptodate using RFC5011 probes,
# initial file like trust-anchor-file, then it stores metadata.
@@ -643,10 +670,10 @@ server:
# auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
# trust anchor signaling sends a RFC8145 key tag query after priming.
- # trust-anchor-signaling: yes
+ trust-anchor-signaling: yes
# Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
- # root-key-sentinel: yes
+ root-key-sentinel: yes
# File with trusted keys for validation. Specify more than one file
# with several entries, one file per entry.
@@ -667,6 +694,9 @@ server:
# the trusted-keys { name flag proto algo "key"; }; clauses are read.
# you need external update procedures to track changes in keys.
# trusted-keys-file: ""
+ #
+ trusted-keys-file: /etc/unbound/keys.d/*.key
+ auto-trust-anchor-file: "/var/lib/unbound/root.key"
# Ignore chain of trust. Domain is treated as insecure.
# domain-insecure: "example.com"
@@ -694,14 +724,15 @@ server:
# unsecure data. Useful to shield the users of this validator from
# potential bogus data in the additional section. All unsigned data
# in the additional section is removed from secure messages.
- # val-clean-additional: yes
+ val-clean-additional: yes
# Turn permissive mode on to permit bogus messages. Thus, messages
# for which security checks failed will be returned to clients,
# instead of SERVFAIL. It still performs the security checks, which
# result in interesting log files and possibly the AD bit in
# replies if the message is found secure. The default is off.
- # val-permissive-mode: no
+ # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
+ val-permissive-mode: no
# Ignore the CD flag in incoming queries and refuse them bogus data.
# Enable it if the only clients of Unbound are legacy servers (w2008)
@@ -715,11 +746,11 @@ server:
# Serve expired responses from cache, with serve-expired-reply-ttl in
# the response, and then attempt to fetch the data afresh.
- # serve-expired: no
+ serve-expired: yes
#
# Limit serving of expired responses to configured seconds after
# expiration. 0 disables the limit.
- # serve-expired-ttl: 0
+ serve-expired-ttl: 14400
#
# Set the TTL of expired records to the serve-expired-ttl value after a
# failed attempt to retrieve the record from upstream. This makes sure
@@ -746,7 +777,7 @@ server:
# Have the validator log failed validations for your diagnosis.
# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
- # val-log-level: 0
+ val-log-level: 1
# It is possible to configure NSEC3 maximum iteration counts per
# keysize. Keep this table very short, as linear search is done.
@@ -890,6 +921,8 @@ server:
# you need to do the reverse notation yourself. # you need to do the reverse notation yourself.
# local-data-ptr: "192.0.2.3 www.example.com" # local-data-ptr: "192.0.2.3 www.example.com"
@ -338,7 +62,7 @@ index 0368c8d..5873db5 100644
# tag a localzone with a list of tag names (in "" with spaces between) # tag a localzone with a list of tag names (in "" with spaces between)
# local-zone-tag: "example.com" "tag2 tag3" # local-zone-tag: "example.com" "tag2 tag3"
@@ -900,8 +933,8 @@ server: @@ -900,8 +915,8 @@ server:
# the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
# Give the certificate to use and private key. # Give the certificate to use and private key.
# default is "" (disabled). requires restart to take effect. # default is "" (disabled). requires restart to take effect.
@ -349,107 +73,20 @@ index 0368c8d..5873db5 100644
# tls-port: 853 # tls-port: 853
# https-port: 443 # https-port: 443
@@ -909,6 +942,8 @@ server: @@ -1141,6 +1156,12 @@ remote-control:
# tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
# cipher setting for TLSv1.3
# tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
+ # Fedora/RHEL: use system-wide crypto policies
+ tls-ciphers: "PROFILE=SYSTEM"
# Pad responses to padded queries received over TLS
# pad-responses: yes
@@ -1045,12 +1080,12 @@ server:
# cookie-secret: <128 bit random hex string>
# Enable to attach Extended DNS Error codes (RFC8914) to responses.
- # ede: no
+ ede: yes
# Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale
# Answer as EDNS0 option to expired responses.
# Note that the ede option above needs to be enabled for this to work.
- # ede-serve-expired: no
+ ede-serve-expired: yes
# Specific options for ipsecmod. Unbound needs to be configured with
# --enable-ipsecmod for these to take effect.
@@ -1058,12 +1093,14 @@ server:
# Enable or disable ipsecmod (it still needs to be defined in
# module-config above). Can be used when ipsecmod needs to be
# enabled/disabled via remote-control(below).
- # ipsecmod-enabled: yes
- #
+ # Fedora: module will be enabled on-demand by libreswan
+ ipsecmod-enabled: no
+
# Path to executable external hook. It must be defined when ipsecmod is
# listed in module-config (above).
# ipsecmod-hook: "./my_executable"
- #
+ ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook
+
# When enabled Unbound will reply with SERVFAIL if the return value of
# the ipsecmod-hook is not 0.
# ipsecmod-strict: no
@@ -1096,7 +1133,7 @@ server:
# o and give a python-script to run.
python:
# Script file to load
- # python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py"
+ # python-script: "/etc/unbound/ubmodule-tst.py"
# Dynamic library config section. To enable:
# o use --with-dynlibmodule to configure before compiling.
@@ -1107,13 +1144,18 @@ python:
# the module-config then you need one dynlib-file per instance.
dynlib:
# Script file to load
- # dynlib-file: "@UNBOUND_SHARE_DIR@/dynlib.so"
+ # dynlib-file: "/etc/unbound/dynlib.so"
# Remote control config section.
remote-control:
# Enable remote control with unbound-control(8) here.
# set up the keys and certificates with unbound-control-setup.
- # control-enable: no
+ # Note: required for unbound-munin package
+ control-enable: yes
+
+ # Set to no and use an absolute path as control-interface to use
+ # a unix local named pipe for unbound-control.
+ # control-use-cert: yes
# what interfaces are listened to for remote control.
# give 0.0.0.0 and ::0 to listen to all interfaces.
@@ -1127,19 +1169,22 @@ remote-control:
# for localhost, you can disable use of TLS by setting this to "no"
# For local sockets this option is ignored, and TLS is not used.
- # control-use-cert: "yes"
+ control-use-cert: "no"
# Unbound server key file.
- # server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key"
+ server-key-file: "/etc/unbound/unbound_server.key"
# Unbound server certificate file.
- # server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem"
+ server-cert-file: "/etc/unbound/unbound_server.pem"
# unbound-control key file.
- # control-key-file: "@UNBOUND_RUN_DIR@/unbound_control.key"
+ control-key-file: "/etc/unbound/unbound_control.key"
# unbound-control certificate file. # unbound-control certificate file.
- # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem" # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
+ control-cert-file: "/etc/unbound/unbound_control.pem"
+# Default Fedora settings
+include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf"
+ +
+# Stub and Forward zones +# Stub and Forward zones
+include: /etc/unbound/conf.d/*.conf +include: "@sysconfdir@/unbound/conf.d/*.conf"
+
# Stub zones. # Stub zones.
# Create entries like below, to make all queries for 'example.com' and # Create entries like below, to make all queries for 'example.com' and
@@ -1161,6 +1206,10 @@ remote-control: # 'example.org' go to the given list of nameservers. list zero or more
@@ -1161,6 +1182,10 @@ remote-control:
# name: "example.org" # name: "example.org"
# stub-host: ns.example.com. # stub-host: ns.example.com.
@ -460,7 +97,7 @@ index 0368c8d..5873db5 100644
# Forward zones # Forward zones
# Create entries like below, to make all queries for 'example.com' and # Create entries like below, to make all queries for 'example.com' and
# 'example.org' go to the given list of servers. These servers have to handle # 'example.org' go to the given list of servers. These servers have to handle
@@ -1178,6 +1227,10 @@ remote-control: @@ -1178,6 +1203,10 @@ remote-control:
# forward-zone: # forward-zone:
# name: "example.org" # name: "example.org"
# forward-host: fwd.example.com # forward-host: fwd.example.com
@ -471,25 +108,6 @@ index 0368c8d..5873db5 100644
# Authority zones # Authority zones
# The data for these zones is kept locally, from a file or downloaded. # The data for these zones is kept locally, from a file or downloaded.
@@ -1234,6 +1288,9 @@ remote-control:
# name: "anotherview"
# local-zone: "example.com" refuse
+# Fedora: DNSCrypt support not enabled since it requires linking to
+# another crypto library
+#
# DNSCrypt
# To enable, use --enable-dnscrypt to configure before compiling.
# Caveats:
@@ -1309,7 +1366,7 @@ remote-control:
# dnstap-enable: no
# # if set to yes frame streams will be used in bidirectional mode
# dnstap-bidirectional: yes
-# dnstap-socket-path: "@DNSTAP_SOCKET_PATH@"
+# dnstap-socket-path: "/etc/unbound/dnstap.sock"
# # if "" use the unix socket in dnstap-socket-path, otherwise,
# # set it to "IPaddress[@port]" of the destination.
# dnstap-ip: ""
-- --
2.45.2 2.48.1

30
unbound-local-root.conf Normal file
View File

@ -0,0 +1,30 @@
# Authority zones
# The data for these zones is kept locally, from a file or downloaded.
# The data can be served to downstream clients, or used instead of the
# upstream (which saves a lookup to the upstream).
#
# Download local root copy and answer TLD queries from it. Because
# auth-zone has higher precedence, defined forward-zones to internal
# only TLD will not work. Use stub-zone or disable this zone.
# Good for a network-wide resolvers, worse for a localhost caching forwarder.
auth-zone:
name: "."
primary: 170.247.170.2 # b.root-servers.net
primary: 192.33.4.12 # c.root-servers.net
primary: 199.7.91.13 # d.root-servers.net
primary: 192.5.5.241 # f.root-servers.net
primary: 192.112.36.4 # g.root-servers.net
primary: 193.0.14.129 # k.root-servers.net
primary: 192.0.47.132 # xfr.cjr.dns.icann.org
primary: 192.0.32.132 # xfr.lax.dns.icann.org
primary: 2801:1b8:10::b # b.root-servers.net
primary: 2001:500:2::c # c.root-servers.net
primary: 2001:500:2d::d # d.root-servers.net
primary: 2001:500:2f::f # f.root-servers.net
primary: 2001:500:12::d0d # g.root-servers.net
primary: 2001:7fd::1 # k.root-servers.net
primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org
fallback-enabled: yes
for-downstream: no
for-upstream: yes

View File

@ -54,6 +54,11 @@ Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_vers
# source: https://nlnetlabs.nl/people/ # source: https://nlnetlabs.nl/people/
Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
Source20: unbound.sysusers Source20: unbound.sysusers
Source21: remote-control.conf
Source22: unbound-as112-networks.conf
Source23: unbound-local-root.conf
Source24: remote-control-include.conf
Source25: fedora-defaults.conf
# Downstream configuration changes # Downstream configuration changes
Patch1: unbound-fedora-config.patch Patch1: unbound-fedora-config.patch
@ -235,6 +240,7 @@ cp -a %{dir_primary} %{dir_secondary}
--enable-relro-now --enable-pie \\\ --enable-relro-now --enable-pie \\\
--enable-subnet --enable-ipsecmod \\\ --enable-subnet --enable-ipsecmod \\\
--with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\ --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\
--with-share-dir=%{_datadir}/%{name} \\\
--with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\ --with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\
--enable-sha2 --disable-gost --enable-ecdsa \\\ --enable-sha2 --disable-gost --enable-ecdsa \\\
--with-rootkey-file=%{_sharedstatedir}/%{name}/root.key \\\ --with-rootkey-file=%{_sharedstatedir}/%{name}/root.key \\\
@ -363,6 +369,13 @@ mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d}
install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/ install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/ install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
install -p -m 0644 %{SOURCE24} %{buildroot}%{_sysconfdir}/unbound/conf.d/remote-control.conf
mkdir -p %{buildroot}%{_datadir}/%{name}/conf.d
install -p -m 0644 %{SOURCE21} %{buildroot}%{_datadir}/%{name}/conf.d/
install -p -m 0644 %{SOURCE22} %{buildroot}%{_datadir}/%{name}/conf.d/
install -p -m 0644 %{SOURCE23} %{buildroot}%{_datadir}/%{name}/conf.d/
install -p -m 0644 %{SOURCE25} %{buildroot}%{_datadir}/%{name}/
# Link unbound-control-setup.8 manpage to unbound-control.8 # Link unbound-control-setup.8 manpage to unbound-control.8
echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
@ -438,6 +451,7 @@ popd
%{_sbindir}/unbound-checkconf %{_sbindir}/unbound-checkconf
%{_sbindir}/unbound-control %{_sbindir}/unbound-control
%{_sbindir}/unbound-control-setup %{_sbindir}/unbound-control-setup
%{_datadir}/%{name}/
%{_mandir}/man5/* %{_mandir}/man5/*
%exclude %{_mandir}/man8/unbound-anchor* %exclude %{_mandir}/man8/unbound-anchor*
%{_mandir}/man8/* %{_mandir}/man8/*