Commit Graph

56 Commits

Author SHA1 Message Date
Petr Menšík
1da004f437 Update to 1.17.0 (#2134348)
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-17-0

New Features:

- Merge #753: ACL per interface. (New interface-* configuration options).
- Merge #760: PROXYv2 downstream support. (New proxy-protocol-port configuration option).
2022-11-01 16:05:52 +01:00
Paul Wouters
cb937b3e49
pull in new options of upstream unbound.conf and enable EDE (RFC8914) 2022-08-09 11:08:18 -04:00
Petr Menšík
c469ecef15 Import few changes to configuration 2022-03-29 17:28:39 +02:00
Paul Wouters
0ce96eb790
- Resolves: rhbz#1992985 unbound-1.13.2 is available
- Use system-wide crypto policies
2021-08-12 17:58:22 -04:00
Paul Wouters
809b23a9f1 - Resolves rhbz#1860887 unbound-1.13.1 is available
- Fixup unbound.conf
2021-02-09 21:11:43 -05:00
Petr Menšík
f70050e6d6 Update default configuration from 1.13.0
Add new additions to default configuration. None of them is uncommented,
but some of them changed default values.
2020-12-10 19:46:23 +01:00
Petr Menšík
ac21a84ee9 Enable DNSTAP
Allows easy recording of incoming and outgoing queries.
2020-11-10 17:11:48 +01:00
Petr Menšík
07b18f13c3 Enable DNS over HTTPS 2020-11-10 17:11:48 +01:00
Petr Menšík
ee9c33779e Update config file to 1.12.0
Use new defaults from example.conf in Fedora shipped default file.
Don't include dnstap and DoH features yet.
2020-11-10 17:11:48 +01:00
Paul Wouters
b2855b7bff * Tue May 19 2020 Paul Wouters <pwouters@redhat.com> - 1.10.1-1
- Resolves: rhbz#1837279 unbound-1.10.1 is available
- Resolves: rhbz#1837598 CVE-2020-12662 unbound: insufficient control of network message volume leads to DoS
- Resolves: rhbz#1837609 CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers
- Updated unbound.conf for new options in 1.10.1
2020-05-19 15:12:15 -04:00
Paul Wouters
ed8559effa - Resolves: rhbz#1667742 SELinux is preventing unbound from 'name_bind' accesses on the udp_socket port 61000. 2020-04-29 17:29:43 -04:00
Paul Wouters
5bfdf89e03 * Tue Aug 27 2019 Paul Wouters <pwouters@redhat.com> - 1.9.3-1
- Updated to 1.9.3
- Resolves: rhbz#1672578 unbound-1.9.2 is available
- Resolves: rhbz#1694831 [/usr/lib/tmpfiles.d/unbound.conf:1] Line references path below legacy directory /var/run/
- Resolves: rhbz#1667387 [abrt] unbound: memmove(): unbound killed by SIGABRT
2019-08-27 12:14:51 -04:00
Paul Wouters
2cd0b94125 * Tue Dec 04 2018 Paul Wouters <pwouters@redhat.com> - 1.8.2-1
- Updated to 1.8.2.
- Enabled deny ANY query support and edns-tcp-keepalive
- Set serve-stale timeout to 4h
- Updated unbound.conf for latest options
2018-12-04 13:58:11 -05:00
Paul Wouters
e9cb729533 * Mon Jun 11 2018 Paul Wouters <pwouters@redhat.com> - 1.7.2-1
- Resolves rhbz#1589807 unbound-1.7.2 is available
- Add patch to fix stub/forward zone not returning ServFail when TTL expires
- Enabled the new root-key-sentinel option
2018-06-11 16:49:15 -04:00
Paul Wouters
5a52aae95e * Thu Mar 15 2018 Paul Wouters <pwouters@redhat.com> - 1.7.0-1
- Updated to 1.7.0 (aggressive nsec, local root support, bugfixes)
2018-03-15 17:56:52 -04:00
Petr Menšík
1b9764fb5a Revert "Improve config formatting"
This reverts commit 3d0bac0df2.

Uncomment again commented out value and bump version.

Comment by Paul Wouters:
The value of 3072 was tailored to cause a failure for ANY queries to isc.org,
which are used a lot by attackers. Now with 4096,
it will fit and the query can be abused again to
cause amplification with that popular dns query.
2018-02-22 11:05:25 +01:00
Petr Menšík
3d0bac0df2 Improve config formatting 2018-02-21 11:41:24 +01:00
Paul Wouters
594dd4101a - Enable RFC 8145 Trust Anchor Signaling to help the root zone get keytag statistics 2017-10-02 16:52:53 -04:00
Paul Wouters
115c5666a2 * Fri Sep 22 2017 Paul Wouters <pwouters@redhat.com> - 1.6.6-1
- Resolves: rhbz#1483572 unbound-1.6.6 is available
- Resolves: rhbz#1465575 unbound fails to start up, complains about missing ipsecmod-hook (edit)
2017-09-22 12:47:01 -04:00
Paul Wouters
bd329fe8e7 - update unbound.conf to 1.6.14 feature set
Allow ipsecmod to be enabled via libreswan unbound-control command
2017-06-22 11:17:37 -04:00
Paul Wouters
a57c3b8b64 * Wed Apr 26 2017 Paul Wouters <pwouters@redhat.com> - 1.6.2-1
- Update to 1.6.2 (rhbz#1425649)
- Updated unbound.conf with new options
2017-04-26 21:46:09 -04:00
Paul Wouters
be41633bf0 * Tue Sep 27 2016 Paul Wouters <pwouters@redhat.com> - 1.5.10-1
- Updated to 1.5.10 (better TCP handling, bugfixes)
- Install pkgconfig file in -devel package
- Updated unbound.conf
2016-09-27 19:26:26 -04:00
Paul Wouters
a147b9358d - Fix upper port range to 60999 because that's what selinux allows 2016-07-07 19:22:06 +03:00
Paul Wouters
8e51532c90 * Wed Mar 02 2016 Paul Wouters <pwouters@redhat.com> - 1.5.8-1
- Update to 1.5.8 which incorporates rhbz#1294339 fix
- Updated unbound.conf with new upstream options
- Enabled ip-transparent: yes (see rhbz#1291449)
2016-03-02 12:35:36 -05:00
Tomas Hozza
ee4b516864 Merged some lines from the latest upstream configuration version
Especially the port for remote control is now 8953

Signed-off-by: Tomas Hozza <thozza@redhat.com>
2016-01-21 12:34:47 +01:00
Paul Wouters
ec26998079 * Fri Dec 11 2015 Paul Wouters <pwouters@redhat.com> - 1.5.7-1
- Update to 1.5.7
- Enable query minimalization for enhanced DNS query privacy
- Enable nxdomain hardening to assist with query minimalization and SBLs
- Updated default unbound.conf for new features from upstream.
2015-12-11 10:06:07 -05:00
Paul Wouters
cd4af25f21 fix commented address range in unbound.conf
(I am not doing a build for this - it will go out whenever we do a new build)
2015-09-23 11:24:27 -04:00
Tomas Hozza
c5473f18c9 Revert "Use low maximum negative cache TTL (5 sec) (#1229596)"
This reverts commit d8ef6e9f01.
2015-06-16 21:50:42 +02:00
Tomas Hozza
d8ef6e9f01 Use low maximum negative cache TTL (5 sec) (#1229596)
Signed-off-by: Tomas Hozza <thozza@redhat.com>
2015-06-15 19:35:41 +02:00
Tomas Hozza
9727819990 Add new options from upstream example.conf to default unbound.conf (commented out)
Signed-off-by: Tomas Hozza <thozza@redhat.com>
2015-06-15 19:32:20 +02:00
Tomas Hozza
6b19dd7ea5 Removed usage of DLV from the default configuration (#1223363)
Signed-off-by: Tomas Hozza <thozza@redhat.com>
2015-05-26 13:02:06 +02:00
Paul Wouters
24ebb22384 unbound.conf: also add outgoing-port-avoid: 0-32767 to ensure we
don't hit the SELinux restrictions of ephemeral ports
2013-09-19 10:25:20 -04:00
Paul Wouters
90b7fa1c7e * Thu Sep 19 2013 Paul Wouters <pwouters@redhat.com> - 1.4.21-1
- Updated to 1.4.21,
- Enabled new max-udp-size: 3072 (so ANY isc.org won't fit)
- Removed patches merged in by upstream
- Enable statistics-cumulative for munin-plugin
- Updated unbound.conf
2013-09-19 10:21:30 -04:00
Paul Wouters
cfcdefa766 * Mon Aug 12 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-16
- Change unbound.conf to only use ephemeral ports (32768-65535)
2013-08-12 11:55:20 -04:00
Paul Wouters
3f230f2522 * fixup unbound.conf and the service file to use root.key, not root.anchor 2013-05-28 18:06:00 -04:00
Paul Wouters
259a0ee4dc +* Tue May 21 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-9
- Use /var/lib/unbound/root.anchor (more consistent with other distros)
- Enable round-robin (with noths() patch)
- Enable minimal responses
2013-05-24 16:42:52 -04:00
Paul Wouters
79e69dc533 * move/rename root key to /var/lib/unbound/root.key 2013-04-08 11:04:39 -04:00
Paul Wouters
90deaa6495 * add unbound-anchor support and more flexible config directories 2012-11-03 17:12:29 -04:00
Paul Wouters
6f8d333aae * Wed Sep 26 2012 Paul Wouters <pwouters@redhat.com> - 1.4.18-4
- Patch to allow wildcards in include: statements
- Add directories /etc/unbound/keys.d,conf.d,local.d with
  example entries
2012-09-26 12:38:51 -04:00
Paul Wouters
186df7a017 * update unbound.conf with the new options 2012-05-24 14:01:15 -04:00
Paul Wouters
6920848c7e * Mon Feb 27 2012 Paul Wouters <pwouters@redhat.com> - 1.4.16-2
- Don't ghost the directory (rhbz#788805)
- Patch for unbound to support unbound-control forward_zone
  (needed for openswan in XAUTH mode)
2012-02-27 21:03:44 -05:00
Paul Wouters
3bde9d279c * Fri Jan 27 2012 Paul Wouters <pwouters@redhat.com> - 1.4.15-1
- Upgraded to 1.4.15
- Updated unbound.conf to show how to configure listening on tls443
2012-01-27 12:08:41 -05:00
Paul Wouters
9af263621b * Mon Dec 19 2011 Paul Wouters <paul@cypherpunks.ca> - 1.4.14-1
- Upgraded to 1.4.14 for CVE-2011-4528 / VU#209659
- SSL-wrapped query support for dnssec-trigger
- EDNS handling changes
- Removed integrated EDNS patches
- Disabled use-caps-for-id, GoDaddy domains now break on it
- Enabled new harden-below-nxdomain
2011-12-19 10:29:22 -05:00
Paul Wouters
4c0de488f0 * Tue Jan 25 2011 Paul Wouters <paul@xelerance.com> - 1.4.8-1
- Updated to 1.4.8
- Enable root key for DNSSEC
- Fix unbound-munin to use proper file (could cause excessive logging)
- Build unbound-python per default
- Disable gost as Fedora/EPEL does not allow ECC and has mangled openssl
2011-01-25 20:56:16 -05:00
Paul Wouters
67d14129ba Revert "Disable IPv6 per default, as it causes strong ipv4 degradation on machines"
This reverts commit ba73b71d51.
2010-10-26 11:18:45 -04:00
Paul Wouters
ba73b71d51 Disable IPv6 per default, as it causes strong ipv4 degradation on machines
with no or bad IPv6. Added comments in unbound.conf pointing to discussion
and test sites.
2010-10-26 10:32:35 -04:00
Paul Wouters
243e7f46b8 - Updated to 1.4.2
- Updated unbound.conf with new options
- Enabled pre-fetching DNSKEY records (DNSSEC speedup)
- Enabled re-fetching popular records before they expire
- Enabled logging of DNSSEC validation errors
2010-03-09 15:48:42 +00:00
Paul Wouters
4a09e96e47 - Removed dependency for dnssec-conf
- Added ISC DLV key (formerly in dnssec-conf)
- Fixup old DLV locations in unbound.conf file via %post
2010-02-23 20:32:08 +00:00
Paul Wouters
24585b987f merge spec file 2009-01-14 14:57:11 +00:00
Paul Wouters
09de94e566 bump version, fix .cvsignore. Fix cvs anomalies. 2008-12-02 02:13:31 +00:00