Required to keep it maintained by the unbound-anchor.service. Do not
reset it to vendor file again on package upgrade. If it were once
modified, keep it modified.
Resolves: rhbz#2142368
To reduce rebase burden, just modify upstream example with our Fedora
specific changes. The result should be the same, but without the need to
manually add new features into separate config file.
Some tests are failing, caused by SHA-1 disabled on openssl in those
branches. Skip those tests only on RHEL branches, where this should be a
problem.
Related: https://github.com/NLnetLabs/unbound/pull/770
Points to static data, which would be overwritten by
unbound-anchor.service. Makes default key kept intact and dynamic data
put instead of symlink.
Ignore most of file properties of %_localstatedir/unbound/root.key,
default symlink is replaced with anchor maintained regular file.
Resolves: rhbz#2132103
They do not require unbound in any sense. They can work with just
unbound-libs and therefore should be installable independently of main
bigger daemon.
It has the service and requires unbound user created. Make it separate,
because some users of unbound-libs might not want or need anchor
maintenance. Make it also easier to add custom options to unbound-anchor
running from the service.
Do not start timer from unbound.service, start instead unbound-anchor
service before starting unbound. It would ensure root anchor is in the
place. Run it from single place from both timer and unbound service.
Rely on condition of unbound-keygen service. If it does stop after
generating them, then it will recreate also after restart later. That
might be the case if someone removes these certificates.
Devel manual pages install correct manual pages with 3.gz suffix. But
there are also additional links just with .gz suffix. They are created
only in spec file. I think they were needed before unbound contained
proper installation of manuals for development. It is missing .3 suffix.
But it is not necessary anymore, because such recipe already exists in
upstream Makefile.in.
Resolves: rhbz#2078929
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-15-0
- Fix #596: unset the RA bit when a query is blocked by an unbound RPZ nxdomain reply.
The option rpz-signal-nxdomain-ra allows to signal that a domain is externally
blocked to clients when it is blocked with NXDOMAIN by unsetting RA.
- Add rpz: for-downstream: yesno option, where the RPZ zone is authoritatively answered
for, so the RPZ zone contents can be checked with DNS queries directed at the RPZ zone.
- Merge PR #616: Update ratelimit logic. It also introduces ratelimit-backoff and
ip-ratelimit-backoff configuration options.
- Change aggressive-nsec default to yes.