If the user has already modified the configuration file unbound.conf, our
change of defaults would not affect them. Let's move the change to an extra
file, which will be applied even when the main config file was not
modified.
Correct new config snippet typo in CVE id
; Resolves: CVE-2024-1488
Resolves: RHEL-25501
Those algorithms are not accepted by the current FIPS mode. Disable them in
that mode, because they are not allowed. Might change once they are
added.
Resolves: rhbz#2079548
Rely on the condition of the unbound-keygen service. If it does stop after
generating them, then it will also recreate them after a restart later. That
might be the case if someone removes these certificates.
(cherry picked from commit 9cab78fef5)
Resolves: rhbz#2094336
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-15-0
- Fix #596: unset the RA bit when a query is blocked by an unbound RPZ nxdomain reply.
The option rpz-signal-nxdomain-ra allows to signal that a domain is externally
blocked to clients when it is blocked with NXDOMAIN by unsetting RA.
- Add rpz: for-downstream: yesno option, where the RPZ zone is authoritatively answered
for, so the RPZ zone contents can be checked with DNS queries directed at the RPZ zone.
- Merge PR #616: Update ratelimit logic. It also introduces ratelimit-backoff and
ip-ratelimit-backoff configuration options.
- Change aggressive-nsec default to yes.
(cherry picked from commit 84e89add4a)
Resolves: rhbz#2087120
Devel manual pages install correct manual pages with the 3.gz suffix. But
there are also additional links with just the .gz suffix. They are created
only in the spec file. I think they were needed before unbound contained
proper installation of manuals for development. It is missing the .3 suffix.
But it is not necessary anymore, because such a recipe already exists in
the upstream Makefile.in.
Resolves: rhbz#2071943
Crypto policies DEFAULT and FIPS would never pass on any name signed by
RSASHA1 or under such a zone. Make all those signatures insecure
regardless of policy. It would make it insecure even in cases where it
was not mandatory, but would not fail with SERVFAIL in any
crypto-policy setting.
Resolves: rhbz#2070495