rpms
/
unbound
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import unbound-1.16.2-2.el9

This commit is contained in:
CentOS Sources 2022-09-27 05:33:06 -04:00 committed by Stepan Oksanichenko
parent 467ff08420
commit e2c2962b86
12 changed files with 153 additions and 559 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/unbound-1.13.1.tar.gz
SOURCES/unbound-1.16.2.tar.gz

2
.unbound.metadata
View File

@ -1 +1 @@
561522b06943f6d1c33bd78132db1f7020fc4fd1 SOURCES/unbound-1.13.1.tar.gz
9aea0e923b9d6779b5bc360094e24a4017e2bb25 SOURCES/unbound-1.16.2.tar.gz

216
SOURCES/icannbundle.pem
View File

@ -1,59 +1,3 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
Validity
Not Before: Dec 23 04:19:12 2009 GMT
Not After : Dec 18 04:19:12 2029 GMT
Subject: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:a0:db:70:b8:4f:34:da:9c:d4:d0:7e:bb:ea:15:
bc:e9:c9:11:2a:1f:61:2f:6a:b9:bd:3f:3d:76:a0:
9a:0a:f7:ee:93:6e:6e:55:53:84:8c:f2:2c:f1:82:
27:c8:0f:9a:cf:52:1b:54:da:28:d2:2c:30:8e:dd:
fb:92:20:33:2d:d6:c8:f1:0e:10:21:88:71:fa:84:
22:4b:5d:47:56:16:7c:9b:9f:5d:c3:11:79:9c:14:
e2:ff:c0:74:ac:dd:39:d7:e0:38:d8:b0:73:aa:fb:
d1:db:84:af:52:22:a8:f6:d5:9b:94:f4:e6:5d:5e:
e8:3f:87:90:0b:c7:1a:77:f5:2e:d3:8f:1a:ce:02:
1d:07:69:21:47:32:da:46:ae:00:4c:b6:a5:a2:9c:
39:c1:c0:4a:f6:d3:1c:ae:d3:6d:bb:c7:18:f0:7e:
ed:f6:80:ce:d0:01:2e:89:de:12:ba:ee:11:cb:a6:
7a:d7:0d:7c:f3:08:8d:72:9d:bf:55:75:13:70:bb:
31:22:4a:cb:e8:c0:aa:a4:09:aa:36:68:40:60:74:
9d:e7:19:81:43:22:52:fe:c9:2b:52:0f:41:13:36:
09:72:65:95:cc:89:ae:6f:56:17:16:34:73:52:a3:
04:ed:bd:88:82:8a:eb:d7:dc:82:52:9c:06:e1:52:
85:41
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
Signature Algorithm: sha256WithRSAEncryption
0f:f1:e9:82:a2:0a:87:9f:2d:94:60:5a:b2:c0:4b:a1:2f:2b:
3b:47:d5:0a:99:86:38:b2:ec:c6:3b:89:e4:6e:07:cf:14:c7:
c7:e8:cf:99:8f:aa:30:c3:19:70:b9:e6:6d:d6:3f:c8:68:26:
b2:a0:a5:37:42:ca:d8:62:80:d1:a2:5a:48:2e:1f:85:3f:0c:
7b:c2:c7:94:11:5f:19:2a:95:ac:a0:3a:03:d8:91:5b:2e:0d:
9c:7c:1f:2e:fc:e9:44:e1:16:26:73:1c:45:4a:65:c1:83:4c:
90:f3:f2:28:42:df:db:c4:e7:04:12:18:62:43:5e:bc:1f:6c:
84:e6:bc:49:32:df:61:d7:99:ee:e4:90:52:7b:0a:c2:91:8a:
98:62:66:b1:c8:e0:b7:5a:b5:46:7c:76:71:54:8e:cc:a4:81:
5c:19:db:d2:6f:66:b5:bb:2b:ae:6b:c9:74:04:a8:24:de:e8:
c5:d3:fc:2c:1c:d7:8f:db:6a:8d:c9:53:be:5d:50:73:ac:cf:
1f:93:c0:52:50:5b:a2:4f:fe:ad:65:36:17:46:d1:2d:e5:a2:
90:66:05:db:29:4e:5d:50:5d:e3:4f:da:a0:8f:f0:6b:e4:16:
70:dd:7f:f3:77:7d:b9:4e:f9:ec:c3:33:02:d7:e9:63:2f:31:
e7:40:61:a4
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
@ -75,163 +19,3 @@ DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH
0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg
j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 11 (0xb)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
Validity
Not Before: Nov 8 23:39:47 2016 GMT
Not After : Nov 6 23:39:47 2026 GMT
Subject: O=ICANN, CN=ICANN EMAIL CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:d2:19:1e:22:69:33:f6:a4:d2:76:c5:80:11:75:
8e:d0:e8:6f:bf:89:f8:2a:6a:da:8a:85:28:40:ba:
c5:23:5f:47:ed:72:e2:8e:d3:5c:c8:8a:3a:99:a9:
57:2c:0a:2b:22:f3:54:7b:8b:f7:8c:21:a2:50:01:
4f:8b:af:34:df:72:fc:78:31:d0:1d:eb:bc:9b:e6:
fa:c1:84:d0:05:07:8a:74:53:a5:60:9e:eb:75:9e:
a8:5d:32:c8:02:32:e4:bf:cb:97:9b:7a:fa:2c:f6:
6a:1d:b8:57:ad:e3:03:22:93:d0:f4:4f:a8:b8:01:
db:82:33:98:b6:87:ed:3d:67:40:00:27:2e:d5:95:
d2:ad:36:46:14:c6:17:79:65:7f:65:f3:88:80:65:
7c:22:67:08:23:3c:cf:a5:10:38:72:30:97:92:6f:
20:4a:ba:24:4c:4a:c8:4a:a5:dc:2a:44:a1:29:78:
b4:9f:fe:84:ff:27:5b:3a:72:ea:31:c1:ad:06:22:
d6:44:a0:4a:57:32:9c:f2:46:47:d0:89:6e:20:23:
2c:ea:b0:83:7e:c1:f3:ea:da:dd:e3:63:59:97:21:
fa:1b:11:39:27:cf:82:8b:56:15:d4:36:92:0c:a5:
7e:80:e0:18:c9:50:08:42:0a:df:97:3c:9c:b8:0a:
4d:b1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Authority Key Identifier:
keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
X509v3 Subject Key Identifier:
7B:3F:BA:CE:A1:B3:A6:13:2E:5A:82:84:D4:D2:EA:A5:24:F1:CD:B4
Signature Algorithm: sha256WithRSAEncryption
0e:8a:c9:ea:6f:9c:e9:23:b6:9c:a6:a4:c2:d1:b1:ee:25:18:
24:2b:79:d4:a8:f2:99:b9:5c:91:4d:e6:2b:32:2e:01:f5:87:
95:64:fc:6d:f1:87:fa:24:b4:43:4b:49:f3:84:54:44:eb:af:
41:ab:49:ab:c8:b7:32:6c:14:83:5b:d7:2c:41:f9:89:d5:c4:
2b:9a:55:c5:b6:ad:17:d5:4d:bc:41:58:56:72:0d:db:b7:7d:
57:c6:a2:9c:7e:6b:67:ae:26:f8:26:45:bb:c4:95:2e:ea:71:
e3:b4:7a:69:95:a4:8a:80:f8:59:dc:88:6e:e1:a7:fc:bb:8e:
b2:aa:a8:b6:1b:2f:2c:97:a5:12:d5:82:ae:a0:e8:a6:15:fd:
d1:e0:5d:e4:84:b1:76:db:0a:e2:ca:58:2e:d3:df:48:4e:46:
ac:c6:35:79:17:99:ce:e9:be:2c:e4:c2:50:ff:5b:96:15:cd:
64:ac:1b:db:fe:d2:ac:43:61:c8:5f:ee:24:b6:a4:3b:d2:ff:
0a:f4:0c:88:58:a1:9d:a4:c1:1f:6a:6c:67:90:98:e8:1f:5e:
2d:55:60:91:26:2a:b1:66:80:e4:e6:0e:05:2c:75:a9:ca:0b:
e4:a0:8f:e1:47:a8:8f:61:5d:7c:ce:09:60:88:48:c3:46:bf:
be:7e:36:be
-----BEGIN CERTIFICATE-----
MIIDZDCCAkygAwIBAgIBCzANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTE2MTEwODIzMzk0N1oX
DTI2MTEwNjIzMzk0N1owKTEOMAwGA1UEChMFSUNBTk4xFzAVBgNVBAMTDklDQU5O
IEVNQUlMIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0hkeImkz
9qTSdsWAEXWO0Ohvv4n4KmraioUoQLrFI19H7XLijtNcyIo6malXLAorIvNUe4v3
jCGiUAFPi68033L8eDHQHeu8m+b6wYTQBQeKdFOlYJ7rdZ6oXTLIAjLkv8uXm3r6
LPZqHbhXreMDIpPQ9E+ouAHbgjOYtoftPWdAACcu1ZXSrTZGFMYXeWV/ZfOIgGV8
ImcIIzzPpRA4cjCXkm8gSrokTErISqXcKkShKXi0n/6E/ydbOnLqMcGtBiLWRKBK
VzKc8kZH0IluICMs6rCDfsHz6trd42NZlyH6GxE5J8+Ci1YV1DaSDKV+gOAYyVAI
QgrflzycuApNsQIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE
AwIBBjAfBgNVHSMEGDAWgBS6UulJgySGUi/Hmc38jWtpCE3AUDAdBgNVHQ4EFgQU
ez+6zqGzphMuWoKE1NLqpSTxzbQwDQYJKoZIhvcNAQELBQADggEBAA6KyepvnOkj
tpympMLRse4lGCQredSo8pm5XJFN5isyLgH1h5Vk/G3xh/oktENLSfOEVETrr0Gr
SavItzJsFINb1yxB+YnVxCuaVcW2rRfVTbxBWFZyDdu3fVfGopx+a2euJvgmRbvE
lS7qceO0emmVpIqA+FnciG7hp/y7jrKqqLYbLyyXpRLVgq6g6KYV/dHgXeSEsXbb
CuLKWC7T30hORqzGNXkXmc7pvizkwlD/W5YVzWSsG9v+0qxDYchf7iS2pDvS/wr0
DIhYoZ2kwR9qbGeQmOgfXi1VYJEmKrFmgOTmDgUsdanKC+Sgj+FHqI9hXXzOCWCI
SMNGv75+Nr4=
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 10 (0xa)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
Validity
Not Before: Nov 8 23:38:16 2016 GMT
Not After : Nov 6 23:38:16 2026 GMT
Subject: O=ICANN, CN=ICANN SSL CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:dd:c6:ab:bf:7c:66:9d:b3:2b:96:00:14:c7:60:
7a:8d:62:5b:26:4b:30:d7:b3:4c:82:69:c6:4d:4d:
73:f3:d4:91:21:5d:ab:35:f0:c8:04:0e:f4:a3:35:
e2:e1:18:a9:98:12:03:58:f8:9f:eb:77:54:5b:89:
81:26:c9:aa:c2:f4:c9:0c:82:57:2a:5e:05:e9:61:
17:cc:19:18:71:eb:35:83:c1:86:9d:ec:f1:6b:ca:
dd:a1:96:0b:95:d4:e1:0f:9e:24:6f:dc:3c:d0:28:
9e:f2:53:47:2b:a1:ad:32:03:c8:3f:0d:80:80:7d:
f0:02:d2:6e:5a:2c:44:21:9b:09:50:15:3f:a1:3d:
d3:c9:c8:24:e7:ea:4e:92:2f:94:90:2e:de:e7:68:
f6:c6:b3:90:1f:bc:c9:7b:a2:65:d7:11:e9:8b:f0:
3a:5a:b7:17:07:df:69:e3:6e:b9:54:6a:8e:3a:aa:
94:7f:2c:0a:a1:ad:ba:b7:d9:60:62:27:a7:71:40:
3b:8e:b0:84:7b:b8:c8:67:ef:66:ba:3d:ac:c3:85:
e5:86:bb:a7:9c:fd:b6:e1:c0:10:53:3d:d4:7e:1b:
09:e6:9f:22:5c:a7:27:09:7e:27:12:33:fa:df:9b:
20:2f:14:f7:17:c0:e4:1e:07:91:1f:f9:9a:cd:a8:
e2:c5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Authority Key Identifier:
keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
X509v3 Subject Key Identifier:
6E:77:A8:40:10:4A:D8:9C:0C:F2:B7:5A:3A:A5:2F:79:4A:61:14:D8
Signature Algorithm: sha256WithRSAEncryption
47:46:4f:c7:5f:46:e3:d1:dc:fc:2b:f8:fc:65:ce:36:b1:f4:
5f:ee:14:75:a3:d9:5f:de:75:4b:fa:7b:88:9f:10:8c:2e:97:
cc:35:1b:ce:24:d3:36:60:95:d5:ae:11:b6:3f:8b:f4:12:69:
85:b5:3b:2a:b6:ab:7a:81:85:c2:55:57:ed:d0:b5:e7:4f:54:
37:51:24:c9:d5:07:3a:ef:b6:c5:1a:3e:14:29:a7:a6:f8:08:
2a:0b:26:79:f9:62:85:4a:e5:ea:90:ca:71:38:16:91:4e:7e:
fd:e3:b3:f3:55:8f:5a:d0:86:cf:33:94:88:f1:90:99:cb:81:
e2:81:92:68:2f:c3:61:d5:52:8d:e6:9a:5b:00:83:42:27:88:
f6:d9:fa:d1:bc:bb:b0:bc:b5:14:0b:4e:1a:54:ef:fa:d6:9d:
c4:0c:fc:ed:15:ab:21:4b:45:b5:d9:3b:ed:3c:d5:1e:2e:7a:
83:6f:24:45:d4:4c:b4:ef:60:43:18:d0:84:5d:16:7b:f5:50:
80:b1:a9:c2:8f:3b:c8:90:08:fd:aa:17:13:19:38:19:d1:8e:
85:7c:1e:57:16:8c:f9:8a:e8:29:25:38:cd:bb:55:8e:4a:6a:
6f:e5:7d:fc:d7:55:d6:ae:38:07:96:c1:97:ff:e5:2b:4f:99:
2d:70:f2:08
-----BEGIN CERTIFICATE-----
MIIDYjCCAkqgAwIBAgIBCjANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTE2MTEwODIzMzgxNloX
DTI2MTEwNjIzMzgxNlowJzEOMAwGA1UEChMFSUNBTk4xFTATBgNVBAMTDElDQU5O
IFNTTCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN3Gq798Zp2z
K5YAFMdgeo1iWyZLMNezTIJpxk1Nc/PUkSFdqzXwyAQO9KM14uEYqZgSA1j4n+t3
VFuJgSbJqsL0yQyCVypeBelhF8wZGHHrNYPBhp3s8WvK3aGWC5XU4Q+eJG/cPNAo
nvJTRyuhrTIDyD8NgIB98ALSblosRCGbCVAVP6E908nIJOfqTpIvlJAu3udo9saz
kB+8yXuiZdcR6YvwOlq3FwffaeNuuVRqjjqqlH8sCqGturfZYGInp3FAO46whHu4
yGfvZro9rMOF5Ya7p5z9tuHAEFM91H4bCeafIlynJwl+JxIz+t+bIC8U9xfA5B4H
kR/5ms2o4sUCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
AQYwHwYDVR0jBBgwFoAUulLpSYMkhlIvx5nN/I1raQhNwFAwHQYDVR0OBBYEFG53
qEAQSticDPK3WjqlL3lKYRTYMA0GCSqGSIb3DQEBCwUAA4IBAQBHRk/HX0bj0dz8
K/j8Zc42sfRf7hR1o9lf3nVL+nuInxCMLpfMNRvOJNM2YJXVrhG2P4v0EmmFtTsq
tqt6gYXCVVft0LXnT1Q3USTJ1Qc677bFGj4UKaem+AgqCyZ5+WKFSuXqkMpxOBaR
Tn7947PzVY9a0IbPM5SI8ZCZy4HigZJoL8Nh1VKN5ppbAINCJ4j22frRvLuwvLUU
C04aVO/61p3EDPztFashS0W12TvtPNUeLnqDbyRF1Ey072BDGNCEXRZ79VCAsanC
jzvIkAj9qhcTGTgZ0Y6FfB5XFoz5iugpJTjNu1WOSmpv5X3811XWrjgHlsGX/+Ur
T5ktcPII
-----END CERTIFICATE-----

204
SOURCES/unbound-1.13.1-rh1952814.patch
View File

@ -1,204 +0,0 @@
diff --git a/config.h.in b/config.h.in
index 103ad9f..0bb29d9 100644
--- a/config.h.in
+++ b/config.h.in
@@ -847,6 +847,14 @@
/* Define if you enable libevent */
#undef USE_LIBEVENT
+/* WARNING! This is only for the libunbound on Linux and does not affect
+ unbound resolving daemon itself. This may severely limit the number of
+ available outgoing ports and thus decrease randomness. Define this only
+ when the target system restricts (e.g. some of SELinux enabled
+ distributions) the use of non-ephemeral ports. Define this to enable use of
+ /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range. */
+#undef USE_LINUX_IP_LOCAL_PORT_RANGE
+
/* Define if you want to use internal select based events */
#undef USE_MINI_EVENT
diff --git a/configure b/configure
index c91e8a3..826dce9 100755
--- a/configure
+++ b/configure
@@ -898,6 +898,7 @@ enable_ipsecmod
enable_ipset
with_libmnl
enable_explicit_port_randomisation
+enable_linux_ip_local_port_range
with_libunbound_only
'
ac_precious_vars='build_alias
@@ -1590,6 +1591,16 @@ Optional Features:
--disable-explicit-port-randomisation
disable explicit source port randomisation and rely
on the kernel to provide random source ports
+ --enable-linux-ip-local-port-range
+ WARNING! This is only for the libunbound on Linux
+ and does not affect unbound resolving daemon itself.
+ This may severely limit the number of available
+ outgoing ports and thus decrease randomness. Use
+ this option only when the target system restricts
+ the use of non-ephemeral ports. (e.g. some of
+ SELinux enabled distributions) Enable this option to
+ use /proc/sys/net/ipv4/ip_local_port_range as a
+ default outgoing port range
Optional Packages:
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
@@ -4202,6 +4213,13 @@ else
else on_mingw="no"; fi
fi
+# are we on Linux?
+if uname -s 2>&1 | grep -i linux >/dev/null; then on_linux="yes"
+else
+ if echo $host $target | grep linux >/dev/null; then on_linux="yes"
+ else on_linux="no"; fi
+fi
+
#
# Determine configuration file
# the eval is to evaluate shell expansion twice
@@ -21588,6 +21606,23 @@ $as_echo "#define DISABLE_EXPLICIT_PORT_RANDOMISATION 1" >>confdefs.h
;;
esac
+if test $on_linux = "yes"; then
+ # Check whether --enable-linux-ip-local-port-range was given.
+if test "${enable_linux_ip_local_port_range+set}" = set; then :
+ enableval=$enable_linux_ip_local_port_range;
+fi
+
+ case "$enable_linux_ip_local_port_range" in
+ yes)
+
+$as_echo "#define USE_LINUX_IP_LOCAL_PORT_RANGE 1" >>confdefs.h
+
+ ;;
+ no|*)
+ ;;
+ esac
+fi
+
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if ${MAKE:-make} supports $< with implicit rule in scope" >&5
$as_echo_n "checking if ${MAKE:-make} supports $< with implicit rule in scope... " >&6; }
diff --git a/configure.ac b/configure.ac
index 2d88048..1207047 100644
--- a/configure.ac
+++ b/configure.ac
@@ -152,6 +152,13 @@ else
else on_mingw="no"; fi
fi
+# are we on Linux?
+if uname -s 2>&1 | grep -i linux >/dev/null; then on_linux="yes"
+else
+ if echo $host $target | grep linux >/dev/null; then on_linux="yes"
+ else on_linux="no"; fi
+fi
+
#
# Determine configuration file
# the eval is to evaluate shell expansion twice
@@ -1847,6 +1854,17 @@ case "$enable_explicit_port_randomisation" in
;;
esac
+if test $on_linux = "yes"; then
+ AC_ARG_ENABLE(linux-ip-local-port-range, AC_HELP_STRING([--enable-linux-ip-local-port-range], [WARNING! This is only for the libunbound on Linux and does not affect unbound resolving daemon itself. This may severely limit the number of available outgoing ports and thus decrease randomness. Use this option only when the target system restricts the use of non-ephemeral ports. (e.g. some of SELinux enabled distributions) Enable this option to use /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range]))
+ case "$enable_linux_ip_local_port_range" in
+ yes)
+ AC_DEFINE([USE_LINUX_IP_LOCAL_PORT_RANGE], [1], [WARNING! This is only for the libunbound on Linux and does not affect unbound resolving daemon itself. This may severely limit the number of available outgoing ports and thus decrease randomness. Define this only when the target system restricts (e.g. some of SELinux enabled distributions) the use of non-ephemeral ports. Define this to enable use of /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range.])
+ ;;
+ no|*)
+ ;;
+ esac
+fi
+
AC_MSG_CHECKING([if ${MAKE:-make} supports $< with implicit rule in scope])
# on openBSD, the implicit rule make $< work.
diff --git a/libunbound/context.c b/libunbound/context.c
index cff2831..48d76d9 100644
--- a/libunbound/context.c
+++ b/libunbound/context.c
@@ -69,6 +69,7 @@ context_finalize(struct ub_ctx* ctx)
} else {
log_init(cfg->logfile, cfg->use_syslog, NULL);
}
+ cfg_apply_local_port_policy(cfg, 65536);
config_apply(cfg);
if(!modstack_setup(&ctx->mods, cfg->module_conf, ctx->env))
return UB_INITFAIL;
diff --git a/util/config_file.c b/util/config_file.c
index 4d87dee..6b90e48 100644
--- a/util/config_file.c
+++ b/util/config_file.c
@@ -1681,6 +1681,37 @@ int cfg_condense_ports(struct config_file* cfg, int** avail)
return num;
}
+void cfg_apply_local_port_policy(struct config_file* cfg, int num) {
+(void)cfg;
+(void)num;
+#ifdef USE_LINUX_IP_LOCAL_PORT_RANGE
+ {
+ int i = 0;
+ FILE* range_fd;
+ if ((range_fd = fopen(LINUX_IP_LOCAL_PORT_RANGE_PATH, "r")) != NULL) {
+ int min_port = 0;
+ int max_port = num - 1;
+ if (fscanf(range_fd, "%d %d", &min_port, &max_port) == 2) {
+ for(i=0; i<min_port; i++) {
+ cfg->outgoing_avail_ports[i] = 0;
+ }
+ for(i=max_port+1; i<num; i++) {
+ cfg->outgoing_avail_ports[i] = 0;
+ }
+ } else {
+ log_err("unexpected port range in %s",
+ LINUX_IP_LOCAL_PORT_RANGE_PATH);
+ }
+ fclose(range_fd);
+ } else {
+ log_warn("failed to read from file: %s (%s)",
+ LINUX_IP_LOCAL_PORT_RANGE_PATH,
+ strerror(errno));
+ }
+ }
+#endif
+}
+
/** print error with file and line number */
static void ub_c_error_va_list(const char *fmt, va_list args)
{
diff --git a/util/config_file.h b/util/config_file.h
index 7cf27cc..d091ef7 100644
--- a/util/config_file.h
+++ b/util/config_file.h
@@ -1172,6 +1172,13 @@ int cfg_mark_ports(const char* str, int allow, int* avail, int num);
*/
int cfg_condense_ports(struct config_file* cfg, int** avail);
+/**
+ * Apply system specific port range policy.
+ * @param cfg: config file.
+ * @param num: size of the array (65536).
+ */
+void cfg_apply_local_port_policy(struct config_file* cfg, int num);
+
/**
* Scan ports available
* @param avail: the array from cfg.
@@ -1301,5 +1308,9 @@ void w_config_adjust_directory(struct config_file* cfg);
/** debug option for unit tests. */
extern int fake_dsa, fake_sha1;
+#ifdef USE_LINUX_IP_LOCAL_PORT_RANGE
+#define LINUX_IP_LOCAL_PORT_RANGE_PATH "/proc/sys/net/ipv4/ip_local_port_range"
+#endif
+
#endif /* UTIL_CONFIG_FILE_H */

12
SOURCES/unbound-1.13.1-rh1977400.patch
View File

@ -1,12 +0,0 @@
diff --git a/util/net_help.c b/util/net_help.c
index 3b5527a..42a7666 100644
--- a/util/net_help.c
+++ b/util/net_help.c
@@ -1172,6 +1172,7 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem, int wincert)
if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) {
log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION");
+ SSL_CTX_free(ctx);
return 0;
}
#endif

19
SOURCES/unbound-1.13.1-rh1977401.patch
View File

@ -1,19 +0,0 @@
diff --git a/dns64/dns64.c b/dns64/dns64.c
index c79bc9c..fddbc62 100644
--- a/dns64/dns64.c
+++ b/dns64/dns64.c
@@ -685,8 +685,12 @@ dns64_operate(struct module_qstate* qstate, enum module_ev event, int id,
switch(event) {
case module_event_new:
/* Tag this query as being new and fall through. */
- iq = (struct dns64_qstate*)regional_alloc(
- qstate->region, sizeof(*iq));
+ if (!(iq = (struct dns64_qstate*)regional_alloc(
+ qstate->region, sizeof(*iq)))) {
+ log_err("out of memory");
+ qstate->ext_state[id] = module_error;
+ return;
+ }
qstate->minfo[id] = iq;
iq->state = DNS64_NEW_QUERY;
iq->started_no_cache_store = qstate->no_cache_store;

15
SOURCES/unbound-1.13.1-rh1991005.patch
View File

@ -1,15 +0,0 @@
diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c
index d58f1b2..5bfe15b 100644
--- a/smallapp/unbound-control.c
+++ b/smallapp/unbound-control.c
@@ -492,9 +492,7 @@ static void ssl_path_err(const char* s, const char *path)
{
unsigned long err;
err = ERR_peek_error();
- if (ERR_GET_LIB(err) == ERR_LIB_SYS &&
- (ERR_GET_FUNC(err) == SYS_F_FOPEN ||
- ERR_GET_FUNC(err) == SYS_F_FREAD) ) {
+ if (ERR_GET_LIB(err) == ERR_LIB_SYS) {
fprintf(stderr, "error: %s\n%s: %s\n",
s, path, ERR_reason_error_string(err));
exit(1);

16
SOURCES/unbound-1.13.1.tar.gz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEE7fqj8spObrBWga+On28cLX4EX40FAmAiOawACgkQn28cLX4E
X40R5A//ex9Fe0bR/JQNcpXAFMZ8Wvj7KOW+2VhUsPqVL8s3Iew/hlIqlmP4/dIG
htygqy8I1VbyIQIJ7HSkQderPLMjyDw7+K7fCNhzzPZO+OMAiXsSslvKXrCBClGI
1MOAPsKpfV9C9yf4w8t5orvvxHlw21Vqnh9LTcAQekw1+NhCUw3uiLuIkyU4RLS8
LYdlWOuVhOe6cmR4XTZPGR8zlMZ7Owzgi+o3+g1Gknsr09B28ttJe9LuOg3jHp6I
LKRpROGZs+8iqYylb85mfEIwRO1lpj+k9D4A+CnJyhY9nUP4k9b/Ywe6qS16yWAs
s8mzZtAjAgrRCsM+C6hwVo0I2P9mVVy9WfFHNt1Mp4P4XdPbSc2CXLfyBfNkx1ty
kMnGBiehHC9oZ4QAwTnJ/Bevi0C5OlRt9BIVwvA0ymWGOOHXE4i2SxhUWMEx399s
2Uqpr3mBd0ZO0HRvKNOY14vF/O1ja+oNTPvnMJyzZKUeTRRHaKF1dr3fNrXlACtE
GgHihHGaVSM1PA5z4S5Jo6PuZqwn+QBCUYhjFjlsF5d6h8srksxJAnh4GbPRJiUl
AJEUSCQFOk6dJmrWVLDa+MP003T5DfouJzQX5WZr+M5fNVD1xhZs49Ea4ATSZPrw
SM+/n+G/UlFue89qqvCrTMErNBXKINRZlir7yIi4UsEiyDUal2E=
=n/aJ
-----END PGP SIGNATURE-----

16
SOURCES/unbound-1.16.2.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEE7fqj8spObrBWga+On28cLX4EX40FAmLnudYACgkQn28cLX4E
X43GmRAAoROXbktLR2AXGEECgPCFlHag9oNZosa3J5yR2vaV4e8eA6AMzPyZbl7P
LnLon8PZZR+pTW+dDRqakvzJIwXkLeONFgEdvd0cAghWAtPrKCDZIkCyeQj0OOv3
wt1pRRl2PXUKNZZf0bzpTUIhVsHF/w5f5T/mFAZm49rUDboj77xgokmaFK4kei0I
Gz4W8Vx3TIwwJc8nea8GtCYIg3UKmR/TMznMFExAoKdMllzKuJnGx5lR/eU0+NRc
uwWEQhNJrHXZyWethp9swLCrOmDHcgBJOd04TqcDwSIZrw9VuT3/Uza3Tw73N7kr
PZvF2xSOASL+i91QP6tnkmQD5pAORVpUFN3NePEWV5922iG/pVipaYBbEyV3dfph
Y4QGwj8G6ppcfjV7gmlxsAOM2gnhD3rDqFmkxau6zB1kktHnV2aqlzIQo396ZBJQ
hKyIAJlNvpTiFaACD7/cFkE80awJnCD/qvXATN//BWHKytgO8eYg7fZGrxjbpIQk
XV/vVlOJWRXPyPBnp8MQyCIDe2eq2ELlMfYw62/TNDuj2qKsM/W03cem3GlveOa6
tw8RVfFFjwZlCLbXSbmsKo+mWJ3jCAvb3/gql52vJDE5FuRz7MvptIVU6DVE1O+J
mQ3AoQ2Mq9iHsZePfze4sq531DMlWTgBMwqfBTWqMaTC/8VH5rg=
=Ax9n
-----END PGP SIGNATURE-----

1
SOURCES/unbound-keygen.service
View File

@ -13,7 +13,6 @@ Type=oneshot
Group=unbound
ExecStart=/usr/sbin/unbound-control-setup -d /etc/unbound/
ExecStart=/sbin/restorecon /etc/unbound/*
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target

131
SOURCES/unbound.conf
View File

@ -98,14 +98,14 @@ server:
# num-queries-per-thread, or, use as many as the OS will allow you.
# outgoing-range: 4096
# permit unbound to use this port number or port range for
# permit Unbound to use this port number or port range for
# making outgoing queries, using an outgoing interface.
# Only ephemeral ports are allowed by SElinux
outgoing-port-permit: 32768-60999
# deny unbound the use this of port number or port range for
# deny Unbound the use this of port number or port range for
# making outgoing queries, using an outgoing interface.
# Use this to make sure unbound does not grab a UDP port that some
# Use this to make sure Unbound does not grab a UDP port that some
# other server on this computer needs. The default is to avoid
# IANA-assigned port numbers.
# If multiple outgoing-port-permit and outgoing-port-avoid options
@ -238,7 +238,7 @@ server:
# do-ip6: yes
# Enable UDP, "yes" or "no".
# NOTE: if setting up an unbound on tls443 for public use, you might want to
# NOTE: if setting up an Unbound on tls443 for public use, you might want to
# disable UDP to avoid being used in DNS amplification attacks.
# do-udp: yes
@ -275,7 +275,7 @@ server:
# use-systemd: no
# Detach from the terminal, run in background, "yes" or "no".
# Set the value to "no" when unbound runs as systemd service.
# Set the value to "no" when Unbound runs as systemd service.
# do-daemonize: yes
# control which clients are allowed to make (recursive) queries
@ -328,7 +328,7 @@ server:
# The pid file can be absolute and outside of the chroot, it is
# written just prior to performing the chroot and dropping permissions.
#
# Additionally, unbound may need to access /dev/urandom (for entropy).
# Additionally, Unbound may need to access /dev/urandom (for entropy).
# How to do this is specific to your OS.
#
# If you give "" no chroot is performed. The path must not end in a /.
@ -393,18 +393,28 @@ server:
# enable to not answer version.server and version.bind queries.
# hide-version: no
# NSID identity (hex string, or "ascii_somestring"). default disabled.
# nsid: "aabbccdd"
# enable to not set the User-Agent HTTP header.
# hide-http-user-agent: no
# enable to not answer trustanchor.unbound queries.
# hide-trustanchor: no
# enable to not set the User-Agent HTTP header.
# hide-http-user-agent: no
# the identity to report. Leave "" or default to return hostname.
# identity: ""
# the version to report. Leave "" or default to return package version.
# version: ""
# NSID identity (hex string, or "ascii_somestring"). default disabled.
# nsid: "aabbccdd"
# User-Agent HTTP header to use. Leave "" or default to use package name
# and version.
# http-user-agent: ""
# the target fetch policy.
# series of integers describing the policy per dependency depth.
# The number of values in the list determines the maximum dependency
@ -532,7 +542,7 @@ server:
# Use several entries, one per domain name, to track multiple zones.
#
# If you want to perform DNSSEC validation, run unbound-anchor before
# you start unbound (i.e. in the system boot scripts). And enable:
# you start Unbound (i.e. in the system boot scripts). And enable:
# Please note usage of unbound-anchor root anchor is at your own risk
# and under the terms of our LICENSE (see that file in the source).
# auto-trust-anchor-file: "/var/lib/unbound/root.key"
@ -584,6 +594,10 @@ server:
# val-sig-skew-min: 3600
# val-sig-skew-max: 86400
# The maximum number the validator should restart validation with
# another authority in case of failed validation.
# val-max-restart: 5
# Should additional section of secure message also be kept clean of
# unsecure data. Useful to shield the users of this validator from
# potential bogus data in the additional section. All unsigned data
@ -599,7 +613,7 @@ server:
val-permissive-mode: no
# Ignore the CD flag in incoming queries and refuse them bogus data.
# Enable it if the only clients of unbound are legacy servers (w2008)
# Enable it if the only clients of Unbound are legacy servers (w2008)
# that set CD but cannot validate themselves.
# ignore-cd-flag: no
@ -616,7 +630,7 @@ server:
# that the expired records will be served as long as there are queries
# for it.
# serve-expired-ttl-reset: no
#
# TTL value to use when replying with expired data.
# serve-expired-reply-ttl: 30
#
@ -629,7 +643,7 @@ server:
# Return the original TTL as received from the upstream name server rather
# than the decrementing TTL as stored in the cache. Enabling this feature
# does not impact cache expiry, it only changes the TTL unbound embeds in
# does not impact cache expiry, it only changes the TTL Unbound embeds in
# responses to queries. Note that enabling this feature implicitly disables
# enforcement of the configured minimum and maximum TTL.
# serve-original-ttl: no
@ -642,7 +656,10 @@ server:
# keysize. Keep this table very short, as linear search is done.
# A message with an NSEC3 with larger count is marked insecure.
# List in ascending order the keysize and count values.
# val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
# val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150"
# if enabled, ZONEMD verification failures do not block the zone.
# zonemd-permissive-mode: no
# instruct the auto-trust-anchor-file probing to add anchors after ttl.
# add-holddown: 2592000 # 30 days
@ -719,9 +736,9 @@ server:
# Add example.com into ipset
# local-zone: "example.com" ipset
# If unbound is running service for the local host then it is useful
# If Unbound is running service for the local host then it is useful
# to perform lan-wide lookups to the upstream, and unblock the
# long list of local-zones above. If this unbound is a dns server
# long list of local-zones above. If this Unbound is a dns server
# for a network of computers, disabled is better and stops information
# leakage of local lan information.
# unblock-lan-zones: no
@ -795,6 +812,10 @@ server:
# tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
# cipher setting for TLSv1.3
# tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
# Fedora/RHEL: use system-wide crypto policies
tls-ciphers: "PROFILE=SYSTEM"
# TODO: ask system-wide crypto people what to use here
#tls-ciphersuites: "PROFILE=SYSTEM" # does not work
# Pad responses to padded queries received over TLS
# pad-responses: yes
@ -901,7 +922,7 @@ server:
# the number of servers that will be used in the fast server selection.
# fast-server-num: 3
# Specific options for ipsecmod. unbound needs to be configured with
# Specific options for ipsecmod. Unbound needs to be configured with
# --enable-ipsecmod for these to take effect.
#
# Enable or disable ipsecmod (it still needs to be defined in
@ -915,7 +936,7 @@ server:
# ipsecmod-hook: "./my_executable"
ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook
# When enabled unbound will reply with SERVFAIL if the return value of
# When enabled Unbound will reply with SERVFAIL if the return value of
# the ipsecmod-hook is not 0.
# ipsecmod-strict: no
#
@ -931,6 +952,13 @@ server:
# ipsecmod-allow: "example.com"
# ipsecmod-allow: "nlnetlabs.nl"
# Timeout for REUSE entries in milliseconds.
# tcp-reuse-timeout: 60000
# Max number of queries on a reuse connection.
# max-reuse-tcp-queries: 200
# Timeout in milliseconds for TCP queries to auth servers.
# tcp-auth-query-timeout: 3000
# Python config section. To enable:
# o use --with-pythonmodule to configure before compiling.
# o list python in the module-config string (above) to enable.
@ -941,6 +969,17 @@ python:
# Script file to load
# python-script: "/etc/unbound/ubmodule-tst.py"
# Dynamic library config section. To enable:
# o use --with-dynlibmodule to configure before compiling.
# o list dynlib in the module-config string (above) to enable.
# It can be placed anywhere, the dynlib module is only a very thin wrapper
# to load modules dynamically.
# o and give a dynlib-file to run. If more than one dynlib entry is listed in
# the module-config then you need one dynlib-file per instance.
dynlib:
# Script file to load
# dynlib-file: "/etc/unbound/dynlib.so"
# Remote control config section.
remote-control:
# Enable remote control with unbound-control(8) here.
@ -966,10 +1005,10 @@ remote-control:
# For local sockets this option is ignored, and TLS is not used.
control-use-cert: "no"
# unbound server key file.
# Unbound server key file.
server-key-file: "/etc/unbound/unbound_server.key"
# unbound server certificate file.
# Unbound server certificate file.
server-cert-file: "/etc/unbound/unbound_server.pem"
# unbound-control key file.
@ -1036,29 +1075,32 @@ include: /etc/unbound/conf.d/*.conf
# notifies.
auth-zone:
name: "."
primary: 199.9.14.201 # b.root-servers.net
primary: 192.33.4.12 # c.root-servers.net
primary: 199.7.91.13 # d.root-servers.net
primary: 192.5.5.241 # f.root-servers.net
primary: 192.112.36.4 # g.root-servers.net
primary: 193.0.14.129 # k.root-servers.net
primary: 192.0.47.132 # xfr.cjr.dns.icann.org
primary: 192.0.32.132 # xfr.lax.dns.icann.org
primary: 2001:500:200::b # b.root-servers.net
primary: 2001:500:2::c # c.root-servers.net
primary: 2001:500:2d::d # d.root-servers.net
primary: 2001:500:2f::f # f.root-servers.net
primary: 2001:500:12::d0d # g.root-servers.net
primary: 2001:7fd::1 # k.root-servers.net
primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org
fallback-enabled: yes
for-downstream: no
for-upstream: yes
fallback-enabled: yes
master: 199.9.14.201 # b.root-servers.net
master: 192.33.4.12 # c.root-servers.net
master: 199.7.91.13 # d.root-servers.net
master: 192.5.5.241 # f.root-servers.net
master: 192.112.36.4 # g.root-servers.net
master: 193.0.14.129 # k.root-servers.net
master: 192.0.47.132 # xfr.cjr.dns.icann.org
master: 192.0.32.132 # xfr.lax.dns.icann.org
master: 2001:500:200::b # b.root-servers.net
master: 2001:500:2::c # c.root-servers.net
master: 2001:500:2d::d # d.root-servers.net
master: 2001:500:2f::f # f.root-servers.net
master: 2001:500:12::d0d # g.root-servers.net
master: 2001:7fd::1 # k.root-servers.net
master: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
master: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org
# auth-zone:
# name: "example.org"
# for-downstream: yes
# for-upstream: yes
# zonemd-check: no
# zonemd-reject-absence: no
# zonefile: "example.org.zone"
# Views
@ -1083,7 +1125,7 @@ auth-zone:
#
# DNSCrypt
# Caveats:
# 1. the keys/certs cannot be produced by unbound. You can use dnscrypt-wrapper
# 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper
# for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
# 2. dnscrypt channel attaches to an interface. you MUST set interfaces to
# listen on `dnscrypt-port` with the follo0wing snippet:
@ -1123,7 +1165,7 @@ auth-zone:
# IPSet
# Add specify domain into set via ipset.
# Note: To enable ipset unbound needs to run as root user.
# Note: To enable ipset Unbound needs to run as root user.
# ipset:
# # set name for ip v4 addresses
# name-v4: "list-v4"
@ -1146,7 +1188,7 @@ auth-zone:
# dnstap-tls: yes
# # name for authenticating the upstream server. or "" disabled.
# dnstap-tls-server-name: ""
# # if "", it uses the cert bundle from the main unbound config.
# # if "", it uses the cert bundle from the main Unbound config.
# dnstap-tls-cert-bundle: ""
# # key file for client authentication, or "" disabled.
# dnstap-tls-client-key-file: ""
@ -1166,10 +1208,11 @@ auth-zone:
# dnstap-log-forwarder-response-messages: no
# Response Policy Zones
# RPZ policies. Applied in order of configuration. QNAME and Response IP
# Address trigger are the only supported triggers. Supported actions are:
# NXDOMAIN, NODATA, PASSTHRU, DROP and Local Data. Policies can be loaded from
# file, using zone transfer, or using HTTP. The respip module needs to be added
# RPZ policies. Applied in order of configuration. QNAME, Response IP
# Address, nsdname, nsip and clientip triggers are supported. Supported
# actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp-only
# and drop. Policies can be loaded from a file, or using zone
# transfer, or using HTTP. The respip module needs to be added
# to the module-config, e.g.: module-config: "respip validator iterator".
# rpz:
# name: "rpz.example.com"
@ -1181,4 +1224,6 @@ auth-zone:
# rpz-cname-override: www.example.org
# rpz-log: yes
# rpz-log-name: "example policy"
# rpz-signal-nxdomain-ra: no
# for-downstream: no
# tags: "example"

78
SPECS/unbound.spec
View File

@ -20,13 +20,6 @@
%if 0%{?rhel}
%global with_munin 0
%if 0%{?with_python2} && 0%{?rhel} <= 6
# needed just for EPEL
%{!?__python2: %global __python2 /usr/bin/python2}
%{!?python2_sitelib: %global python2_sitelib %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")}
%{!?python2_sitearch: %global python2_sitearch %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
%endif
%if 0%{?rhel} <= 7
%global with_python3 0
%else
@ -36,8 +29,8 @@
Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound
Version: 1.13.1
Release: 12%{?extra_version:.%{extra_version}}%{?dist}
Version: 1.16.2
Release: 2%{?extra_version:.%{extra_version}}%{?dist}
License: BSD
Url: https://nlnetlabs.nl/projects/unbound/
Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
@ -60,11 +53,6 @@ Source17: unbound-anchor.service
Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
Source19: http://keys.gnupg.net/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
# rhbz#1952814 upstream PR https://github.com/NLnetLabs/unbound/pull/415/files
Patch1: unbound-1.13.1-rh1952814.patch
Patch2: unbound-1.13.1-rh1991005.patch
Patch3: unbound-1.13.1-rh1977400.patch
Patch4: unbound-1.13.1-rh1977401.patch
BuildRequires: gcc, make
BuildRequires: flex, openssl-devel
@ -93,12 +81,14 @@ BuildRequires: systemd-rpm-macros
%else
BuildRequires: systemd
%endif
# Required for SVN versions
# BuildRequires: bison
# BuildRequires: automake autoconf libtool
# Required for SVN versions or modified configure.ac
BuildRequires: bison
BuildRequires: automake autoconf libtool
# Needed because /usr/sbin/unbound links unbound libs staticly
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
# unbound-keygen.service requires it, bug #2116790
Requires: openssl
%description
Unbound is a validating, recursive, and caching DNS(SEC) resolver.
@ -186,10 +176,10 @@ Python 3 modules and extensions for unbound
pushd %{pkgname}
# patches go here
%autopatch -p1
%autopatch -p2
# only for snapshots
# autoreconf -iv
autoreconf -iv
# copy common doc files - after here, since it may be patched
cp -pr doc pythonmod libunbound ../
@ -213,7 +203,7 @@ cp -a %{dir_primary} %{dir_secondary}
--with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\
--enable-sha2 --disable-gost --enable-ecdsa \\\
--with-rootkey-file=%{_sharedstatedir}/unbound/root.key \\\
--enable-linux-ip-local-port-range
--enable-linux-ip-local-port-range --disable-sha1
pushd %{dir_primary}
@ -315,13 +305,7 @@ rm %{buildroot}%{python2_sitearch}/*.la
rm %{buildroot}%{python3_sitearch}/*.la
%endif
# create softlink for all functions of libunbound man pages
for mpage in ub_ctx ub_result ub_ctx_create ub_ctx_delete ub_ctx_set_option ub_ctx_get_option ub_ctx_config ub_ctx_set_fwd ub_ctx_resolvconf ub_ctx_hosts ub_ctx_add_ta ub_ctx_add_ta_file ub_ctx_trustedkeys ub_ctx_debugout ub_ctx_debuglevel ub_ctx_async ub_poll ub_wait ub_fd ub_process ub_resolve ub_resolve_async ub_cancel ub_resolve_free ub_strerror ub_ctx_print_local_zones ub_ctx_zone_add ub_ctx_zone_remove ub_ctx_data_add ub_ctx_data_remove;
do
echo ".so man3/libunbound.3" > %{buildroot}%{_mandir}/man3/$mpage ;
done
mkdir -p %{buildroot}%{_localstatedir}/run/unbound
mkdir -p %{buildroot}%{_rundir}/unbound
# Install directories for easier config file drop in
@ -345,7 +329,6 @@ useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \
%systemd_post unbound-keygen.service
%post libs
%{?ldconfig}
%systemd_post unbound-anchor.timer
# start the timer only if installing the package to prevent starting it, if it was stopped on purpose
if [ "$1" -eq 1 ]; then
@ -365,7 +348,6 @@ fi
%systemd_postun unbound-keygen.service
%postun libs
%{?ldconfig}
%systemd_postun_with_restart unbound-anchor.timer
%check
@ -392,7 +374,7 @@ popd
%doc doc/CREDITS doc/FEATURES
%{_unitdir}/%{name}.service
%{_unitdir}/%{name}-keygen.service
%attr(0755,unbound,unbound) %dir %{_localstatedir}/run/%{name}
%attr(0755,unbound,unbound) %dir %{_rundir}/%{name}
%attr(0644,root,root) %{_tmpfilesdir}/unbound.conf
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
@ -454,7 +436,9 @@ popd
%{_sbindir}/unbound-anchor
%{_libdir}/libunbound.so.*
%{_mandir}/man8/unbound-anchor*
%{_sysconfdir}/%{name}/icannbundle.pem
# icannbundle and root.key(s) should be replaced from package
# intentionally not using noreplace
%config %{_sysconfdir}/%{name}/icannbundle.pem
%{_unitdir}/unbound-anchor.timer
%{_unitdir}/unbound-anchor.service
%dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
@ -463,6 +447,38 @@ popd
%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
%changelog
* Tue Aug 09 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-2
- Require openssl tool for unbound-keygen (#2116802)
* Wed Aug 03 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-1
- Update to 1.16.2 (#2087120)
* Fri Jul 08 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-3
- Disable ED25519 and ED448 in FIPS mode (#2079548)
* Tue Jun 07 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-2
- Restart keygen service before every unbound start (#2094336)
* Sat Jun 04 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-1
- Update to 1.16.0 (#2087120)
* Mon May 02 2022 Petr Menšík <pemensik@redhat.com> - 1.15.0-1
- Update to 1.15.0 (#2030608)
- Update icannbundle.pem
* Mon May 02 2022 Paul Wouters <paul.wouters@aiven.io> - 1.13.2-1
- Resolves: rhbz#1992985 unbound-1.13.2 is available
- Use system-wide crypto policies
* Mon May 02 2022 Petr Menšík <pemensik@redhat.com> - 1.13.1-15
- Export unbound-devel to CRB repository (#2056116)
* Tue Apr 26 2022 Petr Menšík <pemensik@redhat.com> - 1.13.1-14
- Stop creating wrong devel manual pages (#2071943)
* Thu Mar 31 2022 Petr Menšík <pemensik@redhat.com> - 1.13.1-13
- Disable SHA-1 support (#2070495)
* Fri Feb 11 2022 Artem Egorenkov <aegorenk@redhat.com> - 1.13.1-12
- Fixed error in the patch
- Resolves: rhbz#1977401