From e9cb7295334d6e0306636c5a17e079cb3587c554 Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Mon, 11 Jun 2018 16:49:15 -0400 Subject: [PATCH] * Mon Jun 11 2018 Paul Wouters - 1.7.2-1 - Resolves rhbz#1589807 unbound-1.7.2 is available - Add patch to fix stub/forward zone not returning ServFail when TTL expires - Enabled the new root-key-sentinel option --- .gitignore | 1 + sources | 2 +- unbound.conf | 30 ++++++++++++++++++++++++++++-- unbound.spec | 11 ++++++++++- 4 files changed, 40 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index d22f405..41fc8ab 100644 --- a/.gitignore +++ b/.gitignore @@ -47,3 +47,4 @@ unbound-1.4.5.tar.gz /unbound-1.6.8.tar.gz /unbound-1.7.0.tar.gz /unbound-1.7.1.tar.gz +/unbound-1.7.2.tar.gz diff --git a/sources b/sources index 67b3ef3..52a7b76 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (unbound-1.7.1.tar.gz) = 99a68abf1f60f6ea80cf2973906df44da9c577d8cac969824af1ce9ca385a2e84dd684937480da87cb73c7dc41ad5c00b0013ec74103eadb8fd7dc6f98a89255 +SHA512 (unbound-1.7.2.tar.gz) = a5b0794b15d72a89bd6090f6febca3199e8c66f779c5da7f07dfbacc17bd62f340a3392b9086d39f28f7ab5942aba24810347fbf0e1ea22c5641d2b00fb29387 diff --git a/unbound.conf b/unbound.conf index 4ea0823..2de6b64 100644 --- a/unbound.conf +++ b/unbound.conf @@ -246,7 +246,8 @@ server: # to this server. Specify classless netblocks with /size and action. # By default everything is refused, except for localhost. # Choose deny (drop message), refuse (polite error reply), - # allow (recursive ok), allow_snoop (recursive and nonrecursive ok) + # allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on), + # allow_snoop (recursive and nonrecursive ok) # deny_non_local (drop queries unless can be answered from local-data) # refuse_non_local (like deny_non_local but polite error reply). # access-control: 0.0.0.0/0 refuse @@ -483,6 +484,9 @@ server: # trust anchor signaling sends a RFC8145 key tag query after priming. trust-anchor-signaling: yes + # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel) + root-key-sentinel: yes + # File with DLV trusted keys. Same format as trust-anchor-file. # There can be only one DLV configured, it is trusted from root down. # DLV is going to be decommissioned. Please do not use it any more. @@ -658,7 +662,7 @@ server: # o inform acts like transparent, but logs client IP address # o inform_deny drops queries and logs client IP address # o always_transparent, always_refuse, always_nxdomain, resolve in - # that way but ignore local data for that name. + # that way but ignore local data for that name # o noview breaks out of that view towards global local-zones. # # defaults are localhost address, reverse for 127.0.0.1 and ::1 @@ -705,6 +709,15 @@ server: # Default is no. Can be turned on and off with unbound-control. # tls-upstream: no + # Certificates used to authenticate connections made upstream. + # tls-cert-bundle: "" + + # Add system certs to the cert bundle, from the Windows Cert Store + # tls-win-cert: no + + # Also serve tls on these port numbers (eg. 443, ...), by listing + # tls-additional-ports: portno for each of the port numbers. + # DNS64 prefix. Must be specified when DNS64 is use. # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4. # dns64-prefix: 64:ff9b::0/96 @@ -722,6 +735,12 @@ server: # 0 blocks when ratelimited, otherwise let 1/xth traffic through # ratelimit-factor: 10 + # what is considered a low rtt (ping time for upstream server), in msec + # low-rtt: 45 + # select low rtt this many times out of 1000. 0 means the fast server + # select is disabled. prefetches are not sped up. + # low-rtt-permil: 0 + # override the ratelimit for a specific domain name. # give this setting multiple times to have multiple overrides. # ratelimit-for-domain: example.com 1000 @@ -929,3 +948,10 @@ auth-zone: # backend: "testframe" # # secret seed string to calculate hashed keys # secret-seed: "default" +# # For "redis" backend: +# # redis server's IP address or host name +# redis-server-host: 127.0.0.1 +# # redis server's TCP port +# redis-server-port: 6379 +# # timeout (in ms) for communication with the redis server +# redis-timeout: 100 diff --git a/unbound.spec b/unbound.spec index d311c6a..96fe8b7 100644 --- a/unbound.spec +++ b/unbound.spec @@ -33,7 +33,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.7.1 +Version: 1.7.2 Release: 1%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://www.unbound.net/ @@ -55,6 +55,8 @@ Source15: unbound-anchor.timer Source16: unbound-munin.README Source17: unbound-anchor.service +Patch1: unbound-1.7.2-stub-fwd-ttl.patch + BuildRequires: gcc, make BuildRequires: flex, openssl-devel BuildRequires: libevent-devel expat-devel @@ -158,6 +160,8 @@ Python 3 modules and extensions for unbound %setup -qcn %{pkgname} pushd %{pkgname} +%patch1 -p1 + # only for snapshots # autoreconf -iv @@ -424,6 +428,11 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Mon Jun 11 2018 Paul Wouters - 1.7.2-1 +- Resolves rhbz#1589807 unbound-1.7.2 is available +- Add patch to fix stub/forward zone not returning ServFail when TTL expires +- Enabled the new root-key-sentinel option + * Wed May 30 2018 Petr Menšík - 1.7.1-1 - Update to 1.7.1 (#1574495)