Previous fix did not work, because new configure was not regenerated
after changing configure.ac. Make new configure on every build.
Resolves: RHEL-147790
Allow simple switch to change default of that option. Use it on Red Hat
builds where we want crypto-policy to be a primary source of such
configuration. Of course keep ability to disable that or reconfigure
explicit TLS settings.
Resolves: RHEL-147790
- Fixes CVE-2025-11411
Features from 1.24:
- Increase default to `num-queries-per-thread: 2048`
- num.valops in extended statistics
- unbound-control cache_lookup <domains> support
- zone status for auth-zones
Features from 1.23:
- Increase the default of max-global-quota to 200 from 128
- The default value of serve-expired-client-timeout is set to 1800
- Support for RESINFO RRType 261 (RFC9606).
- Add resolver.arpa and service.arpa to the default locally served zones.
- Fast Reload. The unbound-control fast_reload is added.
- DNS Error Reporting (RFC 9567).
Features from 1.22:
- Add iter-scrub-ns, iter-scrub-cname and max-global-quota configuration options.
- Merge patch to fix for glue that is outside of zone, with `harden-unverified-glue`
- log timestamps in ISO8601 format with timezone
- DNS over QUIC. This adds `quic-port: 853` and `quic-size: 8m`.
Requires ngtcp2, not yet in RHEL.
Features from 1.21:
- Clear both in-memory and cachedb module cache with `unbound-control flush*` commands.
- Add dnstap-sample-rate that logs only 1/N messages.
- Add root key 38696 from 2024 for DNSSEC validation.
- Cookie secret file. Adds `cookie-secret-file` option.
And a lot of bug fixes.
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-24-2
Resolves: RHEL-123204
Do it only once when upgrading from the old version, which generated the
key the wrong way. If the administrator wants to have control just for root
user, make it possible afterwards.
Resolves: RHEL-73862
A multi-vendor cache poisoning vulnerability named "Rebirthday Attack"
has been discovered in caching resolvers that support EDNS Client Subnet
(ECS).
Resolves: RHEL-104121
notify-reload was a mistake. It unconditionally sends a signal
to the service process in addition to executing ExecReload, which
does not make sense.
Resolves: RHEL-77611
"notify-reload" service type allows unbound to notify systemd
not only about its readiness on startup but also about start and
finish of reloading process.
Resolves: RHEL-77611
Dracut module allows unbound to be used as resolver in initramfs.
It is set before network-online.target to ensure that other
services which depend on name resolution have general synchronization
point when they can expect unbound to be configured and listening.
Resolves: RHEL-77613
if interface: specifies exact address, not localhost nor wildcard. It
should not be used by default when only localhost listening is enabled.
Default configuration does not need it.
Resolves: RHEL-77616
Place distribution defaults into file provided in /usr/share/unbound.
Include that file from default configuration before conf.d/*.conf is
included, to ensure similar order is kept.
Rely on remote-control to be configured by conf.d/remote-control.conf
only. Moved parts from original unbound.conf to single file together.
Resolves: RHEL-77780
Automatically maintained root zone is great for network resolvers, which are
used by multiple machines. Its usage on every common device is not
desired however, especially when used as localhost only cache daemon.
Make it simple to activate local root zone by creating
symlink in directory /etc/unbound/conf.d to
/usr/share/unbound/conf.d/unbound-local-root.conf.
But have it deactivated in default configuration.
Resolves: RHEL-77614
Although no way of crashing is known, ensure unbound will restart itself
in case of crash. That should minimize possible damage and allow less
degraded service until a fix for crashes arrives.
Do not try to restart on configuration failures. There, restarts will not
likely fix the issue anyway.
Finish Paul's conversion to autorelease. Used rpmautospec convert to
migrate old part of changelog into a separate file. That should still
include old changelog entries in the package.
[skip changelog]
Required to keep it maintained by the unbound-anchor.service. Do not
reset it to vendor file again on package upgrade. If it were once
modified, keep it modified.
Resolves: rhbz#2142368
To reduce rebase burden, just modify upstream example with our Fedora
specific changes. The result should be the same, but without the need to
manually add new features into separate config file.
Some tests are failing, caused by SHA-1 disabled on openssl in those
branches. Skip those tests only on RHEL branches, where this should be a
problem.
Related: https://github.com/NLnetLabs/unbound/pull/770
Points to static data, which would be overwritten by
unbound-anchor.service. Makes default key kept intact and dynamic data
put instead of symlink.
Ignore most of file properties of %_localstatedir/unbound/root.key,
default symlink is replaced with anchor maintained regular file.
Resolves: rhbz#2132103