* Fri Dec 11 2015 Paul Wouters <pwouters@redhat.com> - 1.5.7-1

- Update to 1.5.7
- Enable query minimalization for enhanced DNS query privacy
- Enable nxdomain hardening to assist with query minimalization and SBLs
- Updated default unbound.conf for new features from upstream.
This commit is contained in:
Paul Wouters 2015-12-11 10:06:07 -05:00
parent 86e8e4801e
commit ec26998079
4 changed files with 71 additions and 14 deletions

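--- a/.gitignore
+++ b/.gitignore
@@ -33,3 +33,4 @@ unbound-1.4.5.tar.gz
 /unbound-1.5.4.tar.gz
 /unbound-1.5.5.tar.gz
 /unbound-1.5.6.tar.gz
+/unbound-1.5.7.tar.gz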


@ -1 +1 @@
691a34abd8e9257dd65b70f28326c1f0 unbound-1.5.6.tar.gz a1253cbbb339dbca03404dcc58365d71 unbound-1.5.7.tar.gz


@ -15,16 +15,16 @@ server:
# print statistics to the log (for every thread) every N seconds. # print statistics to the log (for every thread) every N seconds.
# Set to "" or 0 to disable. Default is disabled. # Set to "" or 0 to disable. Default is disabled.
# Needed for munin plugin # Needs to be disabled for munin plugin
statistics-interval: 0 statistics-interval: 0
# enable cumulative statistics, without clearing them after printing. # enable cumulative statistics, without clearing them after printing.
# Needed for munin plugin # Needs to be disabled for munin plugin
statistics-cumulative: yes statistics-cumulative: no
# enable extended statistics (query types, answer codes, status) # enable extended statistics (query types, answer codes, status)
# printed from unbound-control. default off, because of speed. # printed from unbound-control. default off, because of speed.
# Needed for munin plugin # Needs to be enabled for munin plugin
extended-statistics: yes extended-statistics: yes
# number of threads to create. 1 disables threading. # number of threads to create. 1 disables threading.
@ -33,12 +33,13 @@ server:
# specify the interfaces to answer queries from by ip-address. # specify the interfaces to answer queries from by ip-address.
# The default is to listen to localhost (127.0.0.1 and ::1). # The default is to listen to localhost (127.0.0.1 and ::1).
# specify 0.0.0.0 and ::0 to bind to all available interfaces. # specify 0.0.0.0 and ::0 to bind to all available interfaces.
# specify every interface on a new 'interface:' labelled line. # specify every interface[@port] on a new 'interface:' labelled line.
# The listen interfaces are not changed on reload, only on restart. # The listen interfaces are not changed on reload, only on restart.
# interface: 0.0.0.0 # interface: 0.0.0.0
# interface: ::0 # interface: ::0
# interface: 192.0.2.153 # interface: 192.0.2.153
# interface: 192.0.2.154 # interface: 192.0.2.154
# interface: 192.0.2.154@5003
# interface: 2001:DB8::5 # interface: 2001:DB8::5
# #
# for dns over tls and raw dns over port 80 # for dns over tls and raw dns over port 80
@ -101,6 +102,10 @@ server:
# use SO_REUSEPORT to distribute queries over threads. # use SO_REUSEPORT to distribute queries over threads.
# so-reuseport: no # so-reuseport: no
# use IP_TRANSPARENT so the interface: addresses can be non-local
# and you can config non-existing IPs that are going to work later on
# ip-transparent: no
# EDNS reassembly buffer to advertise to UDP peers (the actual buffer # EDNS reassembly buffer to advertise to UDP peers (the actual buffer
# is set with msg-buffer-size). 1480 can solve fragmentation (timeouts). # is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
# edns-buffer-size: 4096 # edns-buffer-size: 4096
@ -255,7 +260,7 @@ server:
pidfile: "/var/run/unbound/unbound.pid" pidfile: "/var/run/unbound/unbound.pid"
# file to read root hints from. # file to read root hints from.
# get one from ftp://FTP.INTERNIC.NET/domain/named.cache # get one from https://www.internic.net/domain/named.cache
# root-hints: "" # root-hints: ""
# enable to not answer id.server and hostname.bind queries. # enable to not answer id.server and hostname.bind queries.
@ -304,11 +309,25 @@ server:
# implementation of draft-wijngaards-dnsext-resolver-side-mitigation. # implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
harden-referral-path: yes harden-referral-path: yes
# Harden against algorithm downgrade when multiple algorithms are
# advertised in the DS record. If no, allows the weakest algorithm
# to validate the zone.
# harden-algo-downgrade: no
# Sent minimum amount of information to upstream servers to enhance
# privacy. Only sent minimum required labels of the QNAME and set QTYPE
# to NS when possible.
qname-minimisation: yes
# Use 0x20-encoded random bits in the query to foil spoof attempts. # Use 0x20-encoded random bits in the query to foil spoof attempts.
# This feature is an experimental implementation of draft dns-0x20. # This feature is an experimental implementation of draft dns-0x20.
# (this now fails on all GoDaddy customer domains, so disabled) # (enabling used to cause some failures, like on GoDaddy customer domains)
use-caps-for-id: no use-caps-for-id: no
# Domains (and domains in them) without support for dns-0x20 and
# the fallback fails because they keep sending different answers.
# caps-whitelist: "licdn.com"
# Enforce privacy of these addresses. Strips them away from answers. # Enforce privacy of these addresses. Strips them away from answers.
# It may cause DNSSEC validation to additionally mark it as bogus. # It may cause DNSSEC validation to additionally mark it as bogus.
# Protects against 'DNS Rebinding' (uses browser as network proxy). # Protects against 'DNS Rebinding' (uses browser as network proxy).
@ -320,6 +339,7 @@ server:
# private-address: 169.254.0.0/16 # private-address: 169.254.0.0/16
# private-address: fd00::/8 # private-address: fd00::/8
# private-address: fe80::/10 # private-address: fe80::/10
# private-address: ::ffff:0:0/96
# Allow the domain (and its subdomains) to contain private addresses. # Allow the domain (and its subdomains) to contain private addresses.
# local-data statements are allowed to contain private addresses too. # local-data statements are allowed to contain private addresses too.
@ -355,7 +375,7 @@ server:
minimal-responses: yes minimal-responses: yes
# module configuration of the server. A string with identifiers # module configuration of the server. A string with identifiers
# separated by spaces. "iterator" or "validator iterator" # separated by spaces. Syntax: "[dns64] [validator] iterator"
# module-config: "validator iterator" # module-config: "validator iterator"
# File with trusted keys, kept uptodate using RFC5011 probes, # File with trusted keys, kept uptodate using RFC5011 probes,
@ -389,6 +409,7 @@ server:
# Trusted key for validation. DS or DNSKEY. specify the RR on a # Trusted key for validation. DS or DNSKEY. specify the RR on a
# single line, surrounded by "". TTL is ignored. class is IN default. # single line, surrounded by "". TTL is ignored. class is IN default.
# Note this gets out of date, use auto-trust-anchor-file please.
# (These examples are from August 2007 and may not be valid anymore). # (These examples are from August 2007 and may not be valid anymore).
# trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ==" # trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ=="
# trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A" # trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A"
@ -397,6 +418,7 @@ server:
# with several entries, one file per entry. Like trust-anchor-file # with several entries, one file per entry. Like trust-anchor-file
# but has a different file format. Format is BIND-9 style format, # but has a different file format. Format is BIND-9 style format,
# the trusted-keys { name flag proto algo "key"; }; clauses are read. # the trusted-keys { name flag proto algo "key"; }; clauses are read.
# you need external update procedures to track changes in keys.
# trusted-keys-file: "" # trusted-keys-file: ""
# #
# trusted-keys-file: /etc/unbound/rootkey.bind # trusted-keys-file: /etc/unbound/rootkey.bind
@ -408,7 +430,7 @@ server:
# Override the date for validation with a specific fixed date. # Override the date for validation with a specific fixed date.
# Do not set this unless you are debugging signature inception # Do not set this unless you are debugging signature inception
# and expiration. "" or "0" turns the feature off. # and expiration. "" or "0" turns the feature off. -1 ignores date.
# val-override-date: "" # val-override-date: ""
# The time to live for bogus data, rrsets and messages. This avoids # The time to live for bogus data, rrsets and messages. This avoids
@ -416,7 +438,7 @@ server:
# val-bogus-ttl: 60 # val-bogus-ttl: 60
# The signature inception and expiration dates are allowed to be off # The signature inception and expiration dates are allowed to be off
# by 10% of the lifetime of the signature from our local clock. # by 10% of the signature lifetime (expir-incep) from our local clock.
# This leeway is capped with a minimum and a maximum. In seconds. # This leeway is capped with a minimum and a maximum. In seconds.
# val-sig-skew-min: 3600 # val-sig-skew-min: 3600
# val-sig-skew-max: 86400 # val-sig-skew-max: 86400
@ -460,6 +482,9 @@ server:
# If the value 0 is given, missing anchors are not removed. # If the value 0 is given, missing anchors are not removed.
# keep-missing: 31622400 # 366 days # keep-missing: 31622400 # 366 days
# debug option that allows very small holddown times for key rollover
# permit-small-holddown: no
# the amount of memory to use for the key cache. # the amount of memory to use for the key cache.
# plain value in bytes or you can append k, m or G. default is "4Mb". # plain value in bytes or you can append k, m or G. default is "4Mb".
# key-cache-size: 4m # key-cache-size: 4m
@ -533,6 +558,7 @@ server:
# o nodefault can be used to normally resolve AS112 zones. # o nodefault can be used to normally resolve AS112 zones.
# o typetransparent resolves normally for other types and other names # o typetransparent resolves normally for other types and other names
# o inform resolves normally, but logs client IP address # o inform resolves normally, but logs client IP address
# o inform_deny drops queries and logs client IP address
# #
# defaults are localhost address, reverse for 127.0.0.1 and ::1 # defaults are localhost address, reverse for 127.0.0.1 and ::1
# and nxdomain for AS112 zones. If you configure one of these zones # and nxdomain for AS112 zones. If you configure one of these zones
@ -576,6 +602,26 @@ server:
# Enable dns64 in module-config. Used to synthesize IPv6 from IPv4. # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4.
# dns64-prefix: 64:ff9b::0/96 # dns64-prefix: 64:ff9b::0/96
# ratelimit for uncached, new queries, this limits recursion effort.
# ratelimiting is experimental, and may help against randomqueryflood.
# if 0(default) it is disabled, otherwise state qps allowed per zone.
# ratelimit: 0
# ratelimits are tracked in a cache, size in bytes of cache (or k,m).
# ratelimit-size: 4m
# ratelimit cache slabs, reduces lock contention if equal to cpucount.
# ratelimit-slabs: 4
# 0 blocks when ratelimited, otherwise let 1/xth traffic through
# ratelimit-factor: 10
# override the ratelimit for a specific domain name.
# give this setting multiple times to have multiple overrides.
# ratelimit-for-domain: example.com 1000
# override the ratelimits for all domains below a domain name
# can give this multiple times, the name closest to the zone is used.
# ratelimit-below-domain: example 1000
# Python config section. To enable: # Python config section. To enable:
# o use --with-pythonmodule to configure before compiling. # o use --with-pythonmodule to configure before compiling.
# o list python in the module-config string (above) to enable. # o list python in the module-config string (above) to enable.
@ -624,10 +670,14 @@ include: /etc/unbound/conf.d/*.conf
# 'example.org' go to the given list of nameservers. list zero or more # 'example.org' go to the given list of nameservers. list zero or more
# nameservers by hostname or by ipaddress. If you set stub-prime to yes, # nameservers by hostname or by ipaddress. If you set stub-prime to yes,
# the list is treated as priming hints (default is no). # the list is treated as priming hints (default is no).
# With stub-first yes, it attempts without the stub if it fails.
# Consider adding domain-insecure: name and local-zone: name nodefault
# to the server: section if the stub is a locally served zone.
# stub-zone: # stub-zone:
# name: "example.com" # name: "example.com"
# stub-addr: 192.0.2.68 # stub-addr: 192.0.2.68
# stub-prime: "no" # stub-prime: no
# stub-first: no
# stub-zone: # stub-zone:
# name: "example.org" # name: "example.org"
# stub-host: ns.example.com. # stub-host: ns.example.com.
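Review bot: The changelog entry claims nxdomain hardening is enabled, but none of the unbound.conf hunks touches `harden-below-nxdomain`; the hunk at old line 304 adds `qname-minimisation: yes` beside `harden-referral-path: yes` and leaves `# harden-algo-downgrade: no` commented out. If `harden-below-nxdomain: yes` is already set in the part of the file outside these hunks this is fine, otherwise the setting the changelog advertises is missing from the diff. Since the new comment text itself says that `no` for `harden-algo-downgrade` lets the weakest advertised DS algorithm validate the zone, a one-line comment recording why the default is kept, e.g. `# left at default (no); enabling can reject zones with inconsistent algorithm deployment`, would help the next maintainer of this hardening-oriented config. The first hunk also flips `statistics-cumulative` from yes to no, a behaviour change the changelog does not mention; presumably it is intentional for the munin plugin, as the rewritten comment suggests.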


@ -20,7 +20,7 @@
Summary: Validating, recursive, and caching DNS(SEC) resolver Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound Name: unbound
Version: 1.5.6 Version: 1.5.7
Release: 1%{?extra_version:.%{extra_version}}%{?dist} Release: 1%{?extra_version:.%{extra_version}}%{?dist}
License: BSD License: BSD
Url: http://www.nlnetlabs.nl/unbound/ Url: http://www.nlnetlabs.nl/unbound/
@ -429,6 +429,12 @@ popd
%changelog %changelog
* Fri Dec 11 2015 Paul Wouters <pwouters@redhat.com> - 1.5.7-1
- Update to 1.5.7
- Enable query minimalization for enhanced DNS query privacy
- Enable nxdomain hardening to assist with query minimalization and SBLs
- Updated default unbound.conf for new features from upstream.
* Fri Nov 13 2015 Tomas Hozza <thozza@redhat.com> - 1.5.6-1 * Fri Nov 13 2015 Tomas Hozza <thozza@redhat.com> - 1.5.6-1
- Update to 1.5.6 (#1176729) - Update to 1.5.6 (#1176729)