Compare commits

No commits in common. "c8" and "c9-beta" have entirely different histories.
c8 ... c9-beta

27 changed files with 1641 additions and 5792 deletions

2
.gitignore vendored
@ -1 +1 @@
SOURCES/unbound-1.16.2.tar.gz
SOURCES/unbound-1.24.2.tar.gz
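Review bot: the lookaside tarball jumps from unbound 1.16.2 to 1.24.2 in one step, which spans several upstream feature releases, and elsewhere in this compare a 16-line PGP SIGNATURE file is deleted while SOURCES/Yorgos.asc is added; confirm that a detached signature for unbound-1.24.2.tar.gz is still verified against that key at build time (for example via the `%{gpgverify}` macro in the spec) so the new tarball is authenticated rather than merely matched by hash.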

@ -1 +1 @@
9aea0e923b9d6779b5bc360094e24a4017e2bb25 SOURCES/unbound-1.16.2.tar.gz
89220193962044660fb5ec375601b3faccd4bd5b SOURCES/unbound-1.24.2.tar.gz
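Review bot: the replaced value is a 40-hex-digit SHA-1, the dist-git lookaside convention for locating the blob, not an integrity guarantee on its own; treat it as an identifier and rely on the OpenPGP signature check for authenticity. State where the 1.24.2 hash came from (upstream's published checksum or `sha1sum` of a signature-verified download) so a reviewer can reproduce it.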

128
SOURCES/Yorgos.asc Normal file
@ -0,0 +1,128 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----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=iknu
-----END PGP PUBLIC KEY BLOCK-----
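Review bot: the new public key lands as a bare file and nothing in the compare records its fingerprint or key ID; add the fingerprint (from `gpg --show-keys SOURCES/Yorgos.asc`) to the spec or a comment and say which upstream publication it was matched against. The filename suggests the key of Yorgos Thessalonikefs, who authored the CVE-2024-8508 patch removed further down, but the compare itself does not establish that, and a key that only needs to exist under SOURCES/ to be trusted is only as good as the review that imported it.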

44
SOURCES/module-setup.sh Normal file
@ -0,0 +1,44 @@
#!/usr/bin/bash
check() {
require_binaries unbound unbound-checkconf unbound-control || return 1
# the module will be only included if explicitly required either
# by configuration or another module
return 255
}
depends() {
# because of pid file we need sysusers to create unbound user
echo systemd systemd-sysusers
return 0
}
install() {
# We have to make unbound wanted by network-online target to make sure
# there is a synchronization point when other services are able
# to make queries
inst_simple "$moddir"/unbound-initrd.conf /etc/systemd/system/unbound.service.d/unbound-initrd.conf
# /etc and /var/lib do not have its variables
inst_multiple -o \
"$systemdsystemunitdir"/unbound.service \
/etc/unbound/conf.d/remote-control.conf \
/etc/unbound/openssl-sha1.conf \
/usr/share/unbound/fedora-defaults.conf \
/usr/share/unbound/conf.d/*.conf \
/etc/unbound/local.d/*.conf \
/etc/unbound/keys.d/*.key \
/etc/unbound/unbound.conf \
/etc/unbound/unbound_control.key \
/etc/unbound/unbound_control.pem \
/etc/unbound/unbound_server.key \
/etc/unbound/unbound_server.pem \
"$sysusers"/unbound.conf \
"$tmpfilesdir"/unbound.conf \
/var/lib/unbound/root.key \
unbound \
unbound-checkconf \
unbound-control
$SYSTEMCTL -q --root "$initdir" enable unbound.service
}
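Review bot: `inst_multiple -o` copies `/etc/unbound/unbound_control.key`, `/etc/unbound/unbound_server.key` and `/etc/unbound/keys.d/*.key` into the initramfs, so the remote-control private keys gain a second copy whose protection depends on the permissions of the generated image rather than on the modes of the originals; on an ESP-resident or otherwise world-readable initramfs they are exposed. If the control channel inside the initrd can use a unix socket, leave the key and pem files out of this list; otherwise document the exposure and make sure the image is root-only. Minor: because of `-o`, a mistyped path to `unbound.conf` is silently ignored at image build time and only shows up at boot.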

@ -1 +1,2 @@
. 172800 IN DNSKEY 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ;{id = 38696 (ksk), size = 2048b}
. 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
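Review bot: the added line introduces root KSK id 38696 next to the existing 20326 as the RFC 5011 starting set, but nothing in the compare shows the new key was checked against IANA's published trust anchor; compute the DS for this DNSKEY (e.g. `dnssec-dsfromkey -f <file> .` from bind-utils) and compare the digest with root-anchors.xml before merging, since a single wrong byte here makes every validated answer bogus once 20326 is revoked. Keeping 20326 in the file alongside is correct; autotrust removes it after revocation.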

@ -1,5 +1,6 @@
; // The root key in bind format. This can be read by most tools, including
; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this
trusted-keys {
"." 257 3 8 "AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc="; // key id = 38696
"." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326
};
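Review bot: the key material on the new line is byte-identical to the DNSKEY added in root.key above (same id 38696), so the two files are in sync today; keep them that way by generating one from the other in the spec instead of hand-editing both. The `et.` in the header comment is a pre-existing typo for `etc.` that could be fixed in the same change.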

@ -0,0 +1,2 @@
d /var/lib/unbound 0755 unbound unbound -
L /var/lib/unbound/root.key - - - - ../../../etc/unbound/dnssec-root.key
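Review bot: the `L` line turns `/var/lib/unbound/root.key` into a symlink into /etc/unbound, but that file is the one unbound rewrites for RFC 5011 key tracking (`auto-trust-anchor-file`); confirm the update still persists. If unbound writes the anchor via a temp file and rename, the rename replaces the symlink with a regular file and `/etc/unbound/dnssec-root.key` stops tracking the live anchor; if it writes through the link, the unbound user needs write access to /etc/unbound, which a root-owned /etc normally does not grant. Either way, state the intended behaviour in a comment next to the line, and note that `L` only creates the link when the path is absent, so an existing regular root.key from an earlier install is left alone.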

@ -1 +1 @@
D /run/unbound 0755 unbound unbound -
D /run/unbound 0775 unbound root -
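Review bot: the runtime directory goes from 0755 unbound:unbound to 0775 unbound:root with no rationale in the compare; say what needs group-write here (a pid file written by root before privileges are dropped, the control socket, or something else), because 0775 lets any root-group process create or replace files in a directory unbound trusts. If only root and unbound need access, 0750 or keeping 0755 with the owner alone writable is tighter; the `D` keyword is unchanged and still empties the directory on `--remove`, which is fine.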

@ -1,85 +0,0 @@
From fbde301c2706a5d0c9c3942fe84693f2b7a6b16c Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Sat, 7 May 2022 10:05:33 +0200
Subject: [PATCH] Use reserved RCODE, fake source version
Use RCODE value assigned for private use. The previous value was a possible
returned value.
Fake source version to be still 1.7.x. Hide real version into micro
version component and export it also in a proper way with _REAL
suffixes. Should workaround any source code detection to support correct
callback format. Fixes compilation error in libreswan.
Use preprocessed unbound.h to prevent failures
Swig complains about wrong @ variable formats. Make it use preprocessed
header instead of a template.
---
libunbound/python/libunbound.i | 4 ++--
libunbound/unbound.h | 13 ++++++++++---
services/mesh.h | 2 +-
3 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/libunbound/python/libunbound.i b/libunbound/python/libunbound.i
index c9549bf90..f01e9111e 100644
--- a/libunbound/python/libunbound.i
+++ b/libunbound/python/libunbound.i
@@ -53,7 +53,7 @@
#ifdef HAVE_ARPA_INET_H
#include <arpa/inet.h>
#endif
- #include "libunbound/unbound.h"
+ #include "unbound.h"
%}
%pythoncode %{
@@ -855,7 +855,7 @@ Result: ['74.125.43.147', '74.125.43.99', '74.125.43.103', '74.125.43.104']
//printf("resolve_stop()\n");
%}
-%include "libunbound/unbound.h"
+%include "unbound.h"
%inline %{
//SWIG will see the ub_ctx as a class
diff --git a/libunbound/unbound.h b/libunbound/unbound.h
index c822d3f89..82660bd51 100644
--- a/libunbound/unbound.h
+++ b/libunbound/unbound.h
@@ -102,9 +102,16 @@ extern "C" {
#endif
/** the version of this header file */
-#define UNBOUND_VERSION_MAJOR @UNBOUND_VERSION_MAJOR@
-#define UNBOUND_VERSION_MINOR @UNBOUND_VERSION_MINOR@
-#define UNBOUND_VERSION_MICRO @UNBOUND_VERSION_MICRO@
+/* Because of RHEL compat change, callback type remains at
+ * 1.7.3 version. To prevent source-level incompatibility,
+ * fake still old version. Export real version in _REAL
+ * suffix definitions. */
+#define UNBOUND_VERSION_MAJOR 1
+#define UNBOUND_VERSION_MINOR 7
+#define UNBOUND_VERSION_MICRO @UNBOUND_VERSION_MAJOR@@UNBOUND_VERSION_MINOR@@UNBOUND_VERSION_MICRO@
+#define UNBOUND_VERSION_MAJOR_REAL @UNBOUND_VERSION_MAJOR@
+#define UNBOUND_VERSION_MINOR_REAL @UNBOUND_VERSION_MINOR@
+#define UNBOUND_VERSION_MICRO_REAL @UNBOUND_VERSION_MICRO@
/**
* The validation context is created to hold the resolver status,
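Review bot: `UNBOUND_VERSION_MICRO` becomes the digit-concatenation `@MAJOR@@MINOR@@MICRO@`, which is not monotonic as a number: 1.16.2 yields 1162, but 1.16.10 would yield 11610 and a later 1.20.0 would yield 1200, so any consumer comparing the micro value numerically to detect a feature gets the wrong answer. If the goal is only to keep the `(1, 7, x)` triple for source compatibility, encode the real version as `MAJOR*10000 + MINOR*100 + MICRO` or leave MICRO as the real micro and point consumers at the `_REAL` macros.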
diff --git a/services/mesh.h b/services/mesh.h
index 9c6f958ff..c0cbf355e 100644
--- a/services/mesh.h
+++ b/services/mesh.h
@@ -237,7 +237,7 @@ struct mesh_reply {
/* RHEL 8 compatibility layer.
* Special rcode to send was_ratelimited to callback without adding
* extra parameter. It is ORed to the rcode parameter of the callback. */
-#define LDNS_RCODE_RATELIMITED 0x100
+#define LDNS_RCODE_RATELIMITED 0xf80
#define RCODE_IS_RATELIMITED(rcode) ((rcode & LDNS_RCODE_RATELIMITED) != 0)
#define RCODE_NOT_RATELIMITED(rcode) (rcode & ~LDNS_RCODE_RATELIMITED)
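Review bot: 0xf80 does sit in the RFC 6895 private-use range as the commit message says, but `RCODE_IS_RATELIMITED` tests `(rcode & 0xf80) != 0`, so any extended RCODE with a bit in positions 7..11 set, including other private-use values, is reported as rate-limited and then truncated to its low 7 bits by `RCODE_NOT_RATELIMITED`. Test the flag exactly (`(rcode & FLAG) == FLAG` with a single bit) or, better, use a bit above the 12-bit extended-RCODE space (0x1000 and up) so no real RCODE can collide.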
--
2.34.1

@ -1,471 +0,0 @@
From 605d66f0b6b8f7c308010f455058299d25c1d2ee Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Fri, 6 May 2022 16:36:39 +0200
Subject: [PATCH] Rework ABI breaking change to compatible way
Upstream commit 749d1b9ebc6fcb79824afd0471a1cfc12ca861b1 introduced
was_ratelimited variable to every async callback. Such change led to ABI
break and increase of soname of libunbound.
Use rcode to pass that boolean inside rcode variable. Allows keeping
original callback prototype, but does not lose data. Extra integer bit
operations should be very small price. Much better than ABI break.
Make current version compatible back to .2 version.
---
unbound-1.16.2/configure.ac | 2 +-
unbound-1.16.2/daemon/worker.c | 6 ++--
unbound-1.16.2/libunbound/libworker.c | 34 +++++++++++++++--------
unbound-1.16.2/libunbound/unbound-event.h | 3 +-
unbound-1.16.2/libunbound/unbound.h | 13 +++++----
unbound-1.16.2/libunbound/worker.h | 6 ++--
unbound-1.16.2/services/authzone.c | 11 ++++----
unbound-1.16.2/services/authzone.h | 9 ++----
unbound-1.16.2/services/mesh.c | 17 ++++++++----
unbound-1.16.2/services/mesh.h | 9 +++++-
unbound-1.16.2/smallapp/worker_cb.c | 6 ++--
unbound-1.16.2/validator/autotrust.c | 2 +-
unbound-1.16.2/validator/autotrust.h | 2 +-
13 files changed, 72 insertions(+), 48 deletions(-)
diff --git a/unbound-1.16.2/configure.ac b/unbound-1.16.2/configure.ac
index 224501b..71f066c 100644
--- a/unbound-1.16.2/configure.ac
+++ b/unbound-1.16.2/configure.ac
@@ -19,7 +19,7 @@ AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
LIBUNBOUND_CURRENT=9
LIBUNBOUND_REVISION=18
-LIBUNBOUND_AGE=1
+LIBUNBOUND_AGE=7
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
# 1.0.2 had 0:14:0
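Review bot: raising LIBUNBOUND_AGE from 1 to 7 with CURRENT=9 declares that this build implements interfaces 2 through 9 (soname libunbound.so.2), and it makes that promise for a library whose `struct ub_result` layout is modified in this same patch; the claim only holds if every exported function and struct matches what each of those earlier RHEL 8 revisions shipped, which is worth spelling out instead of the bare "compatible back to .2". Add an entry to the `# 1.0.0 had 0:12:0` history block for this downstream value. The whole patch file is deleted in c9-beta (`@ -1,471 +0,0 @@`), so c9 ships the upstream ABI with the seven-argument callback, and anything carried over from c8 that was built against the five-argument callback or the faked 1.7 version macros must be rebuilt.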
diff --git a/unbound-1.16.2/daemon/worker.c b/unbound-1.16.2/daemon/worker.c
index 010c4dc..2b87a41 100644
--- a/unbound-1.16.2/daemon/worker.c
+++ b/unbound-1.16.2/daemon/worker.c
@@ -2268,21 +2268,21 @@ void libworker_handle_control_cmd(struct tube* ATTR_UNUSED(tube),
void libworker_fg_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
- char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
+ char* ATTR_UNUSED(why_bogus))
{
log_assert(0);
}
void libworker_bg_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
- char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
+ char* ATTR_UNUSED(why_bogus))
{
log_assert(0);
}
void libworker_event_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
- char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
+ char* ATTR_UNUSED(why_bogus))
{
log_assert(0);
}
diff --git a/unbound-1.16.2/libunbound/libworker.c b/unbound-1.16.2/libunbound/libworker.c
index 11bf5f9..6895119 100644
--- a/unbound-1.16.2/libunbound/libworker.c
+++ b/unbound-1.16.2/libunbound/libworker.c
@@ -549,9 +549,10 @@ libworker_enter_result(struct ub_result* res, sldns_buffer* buf,
/** fillup fg results */
static void
libworker_fillup_fg(struct ctx_query* q, int rcode, sldns_buffer* buf,
- enum sec_status s, char* why_bogus, int was_ratelimited)
+ enum sec_status s, char* why_bogus)
{
- q->res->was_ratelimited = was_ratelimited;
+ q->res->was_ratelimited = RCODE_IS_RATELIMITED(rcode);
+ rcode = RCODE_NOT_RATELIMITED(rcode);
if(why_bogus)
q->res->why_bogus = strdup(why_bogus);
if(rcode != 0) {
@@ -575,13 +576,13 @@ libworker_fillup_fg(struct ctx_query* q, int rcode, sldns_buffer* buf,
void
libworker_fg_done_cb(void* arg, int rcode, sldns_buffer* buf, enum sec_status s,
- char* why_bogus, int was_ratelimited)
+ char* why_bogus)
{
struct ctx_query* q = (struct ctx_query*)arg;
/* fg query is done; exit comm base */
comm_base_exit(q->w->base);
- libworker_fillup_fg(q, rcode, buf, s, why_bogus, was_ratelimited);
+ libworker_fillup_fg(q, rcode, buf, s, why_bogus);
}
/** setup qinfo and edns */
@@ -634,7 +635,7 @@ int libworker_fg(struct ub_ctx* ctx, struct ctx_query* q)
NULL, 0, NULL, 0, NULL)) {
regional_free_all(w->env->scratch);
libworker_fillup_fg(q, LDNS_RCODE_NOERROR,
- w->back->udp_buff, sec_status_insecure, NULL, 0);
+ w->back->udp_buff, sec_status_insecure, NULL);
libworker_delete(w);
free(qinfo.qname);
return UB_NOERROR;
@@ -643,7 +644,7 @@ int libworker_fg(struct ub_ctx* ctx, struct ctx_query* q)
w->env, &qinfo, &edns, NULL, w->back->udp_buff, w->env->scratch)) {
regional_free_all(w->env->scratch);
libworker_fillup_fg(q, LDNS_RCODE_NOERROR,
- w->back->udp_buff, sec_status_insecure, NULL, 0);
+ w->back->udp_buff, sec_status_insecure, NULL);
libworker_delete(w);
free(qinfo.qname);
return UB_NOERROR;
@@ -665,7 +666,7 @@ int libworker_fg(struct ub_ctx* ctx, struct ctx_query* q)
void
libworker_event_done_cb(void* arg, int rcode, sldns_buffer* buf,
- enum sec_status s, char* why_bogus, int was_ratelimited)
+ enum sec_status s, char* why_bogus)
{
struct ctx_query* q = (struct ctx_query*)arg;
ub_event_callback_type cb = q->cb_event;
@@ -688,7 +689,7 @@ libworker_event_done_cb(void* arg, int rcode, sldns_buffer* buf,
else if(s == sec_status_secure)
sec = 2;
(*cb)(cb_arg, rcode, (buf?(void*)sldns_buffer_begin(buf):NULL),
- (buf?(int)sldns_buffer_limit(buf):0), sec, why_bogus, was_ratelimited);
+ (buf?(int)sldns_buffer_limit(buf):0), sec, why_bogus);
}
}
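Review bot: in `libworker_event_done_cb` the user's event callback receives `rcode` as passed in, and neither hunk for this function clears `LDNS_RCODE_RATELIMITED` from it, unlike `libworker_fillup_fg` and `libworker_bg_done_cb`, which both mask it; unless masking happens in lines not shown, an application using the ub_event API sees 0x100 or 0x101 for a rate-limited answer. The comment added to unbound-event.h points at `services/mesh.h` for the define, but that header is not installed, so callers cannot interpret the value. Either add `rcode = RCODE_NOT_RATELIMITED(rcode);` at function entry, or define the flag in the public header and document it there.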
@@ -715,7 +716,7 @@ int libworker_attach_mesh(struct ub_ctx* ctx, struct ctx_query* q,
regional_free_all(w->env->scratch);
free(qinfo.qname);
libworker_event_done_cb(q, LDNS_RCODE_NOERROR,
- w->back->udp_buff, sec_status_insecure, NULL, 0);
+ w->back->udp_buff, sec_status_insecure, NULL);
return UB_NOERROR;
}
if(ctx->env->auth_zones && auth_zones_answer(ctx->env->auth_zones,
@@ -723,7 +724,7 @@ int libworker_attach_mesh(struct ub_ctx* ctx, struct ctx_query* q,
regional_free_all(w->env->scratch);
free(qinfo.qname);
libworker_event_done_cb(q, LDNS_RCODE_NOERROR,
- w->back->udp_buff, sec_status_insecure, NULL, 0);
+ w->back->udp_buff, sec_status_insecure, NULL);
return UB_NOERROR;
}
/* process new query */
@@ -788,12 +789,23 @@ add_bg_result(struct libworker* w, struct ctx_query* q, sldns_buffer* pkt,
}
}
+
+void
+libworker_bg_done_cb_compat(void* arg, int rcode, sldns_buffer* buf, enum sec_status s,
+ char* why_bogus)
+{
+ rcode = RCODE_NOT_RATELIMITED(rcode);
+ libworker_bg_done_cb(arg, rcode, buf, s, why_bogus);
+}
+
void
libworker_bg_done_cb(void* arg, int rcode, sldns_buffer* buf, enum sec_status s,
- char* why_bogus, int was_ratelimited)
+ char* why_bogus)
{
+ int was_ratelimited = RCODE_IS_RATELIMITED(rcode);
struct ctx_query* q = (struct ctx_query*)arg;
+ rcode = RCODE_NOT_RATELIMITED(rcode);
if(q->cancelled || q->w->back->want_to_quit) {
if(q->w->is_bg_thread) {
/* delete it now */
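Review bot: `libworker_bg_done_cb_compat` masks the flag and then calls `libworker_bg_done_cb`, which derives `was_ratelimited` from the already-masked value, so every path through the wrapper reports not-rate-limited; the wrapper also gets no prototype in worker.h in this patch. If nothing registers it, drop it; if something does, pass the unmasked rcode through and let the callee do the single mask.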
diff --git a/unbound-1.16.2/libunbound/unbound-event.h b/unbound-1.16.2/libunbound/unbound-event.h
index a5d5c03..70aa4c8 100644
--- a/unbound-1.16.2/libunbound/unbound-event.h
+++ b/unbound-1.16.2/libunbound/unbound-event.h
@@ -170,7 +170,8 @@ struct ub_event {
struct ub_event_vmt* vmt;
};
-typedef void (*ub_event_callback_type)(void*, int, void*, int, int, char*, int);
+/* Uses define LDNS_RCODE_RATELIMITED from services/mesh.h */
+typedef void (*ub_event_callback_type)(void*, int, void*, int, int, char*);
/**
* Create a resolving and validation context.
diff --git a/unbound-1.16.2/libunbound/unbound.h b/unbound-1.16.2/libunbound/unbound.h
index c779d18..f6d5c7c 100644
--- a/unbound-1.16.2/libunbound/unbound.h
+++ b/unbound-1.16.2/libunbound/unbound.h
@@ -203,18 +203,19 @@ struct ub_result {
*/
char* why_bogus;
+ /**
+ * TTL for the result, in seconds. If the security is bogus, then
+ * you also cannot trust this value.
+ */
+ int ttl;
+
/**
* If the query or one of its subqueries was ratelimited. Useful if
* ratelimiting is enabled and answer to the client is SERVFAIL as a
* result.
+ * RHEL8 Change, moved after ttl.
*/
int was_ratelimited;
-
- /**
- * TTL for the result, in seconds. If the security is bogus, then
- * you also cannot trust this value.
- */
- int ttl;
};
/**
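Review bot: swapping `was_ratelimited` and `ttl` keeps RHEL 8's binary layout (ttl at its old offset) but makes `struct ub_result` diverge from upstream 1.16.2: a binary built against upstream headers and run on this library silently reads `ttl` where it expects `was_ratelimited` and vice versa. Record the divergence where packagers will find it (spec changelog or an ABI note) and put the `RHEL8 Change` remark on both members, not only one.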
diff --git a/unbound-1.16.2/libunbound/worker.h b/unbound-1.16.2/libunbound/worker.h
index 0fa5bfa..8b64b4d 100644
--- a/unbound-1.16.2/libunbound/worker.h
+++ b/unbound-1.16.2/libunbound/worker.h
@@ -90,15 +90,15 @@ void libworker_handle_control_cmd(struct tube* tube, uint8_t* msg, size_t len,
/** mesh callback with fg results */
void libworker_fg_done_cb(void* arg, int rcode, sldns_buffer* buf,
- enum sec_status s, char* why_bogus, int was_ratelimited);
+ enum sec_status s, char* why_bogus);
/** mesh callback with bg results */
void libworker_bg_done_cb(void* arg, int rcode, sldns_buffer* buf,
- enum sec_status s, char* why_bogus, int was_ratelimited);
+ enum sec_status s, char* why_bogus);
/** mesh callback with event results */
void libworker_event_done_cb(void* arg, int rcode, struct sldns_buffer* buf,
- enum sec_status s, char* why_bogus, int was_ratelimited);
+ enum sec_status s, char* why_bogus);
/**
* Worker signal handler function. User argument is the worker itself.
diff --git a/unbound-1.16.2/services/authzone.c b/unbound-1.16.2/services/authzone.c
index b9e0b11..c72949f 100644
--- a/unbound-1.16.2/services/authzone.c
+++ b/unbound-1.16.2/services/authzone.c
@@ -5656,8 +5656,7 @@ xfr_master_add_addrs(struct auth_master* m, struct ub_packed_rrset_key* rrset,
/** callback for task_transfer lookup of host name, of A or AAAA */
void auth_xfer_transfer_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
- enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus),
- int ATTR_UNUSED(was_ratelimited))
+ enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus))
{
struct auth_xfer* xfr = (struct auth_xfer*)arg;
struct module_env* env;
@@ -5669,6 +5668,7 @@ void auth_xfer_transfer_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
return; /* stop on quit */
}
+ rcode = RCODE_NOT_RATELIMITED(rcode);
/* process result */
if(rcode == LDNS_RCODE_NOERROR) {
uint16_t wanted_qtype = LDNS_RR_TYPE_A;
@@ -6717,8 +6717,7 @@ xfr_probe_send_or_end(struct auth_xfer* xfr, struct module_env* env)
/** callback for task_probe lookup of host name, of A or AAAA */
void auth_xfer_probe_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
- enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus),
- int ATTR_UNUSED(was_ratelimited))
+ enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus))
{
struct auth_xfer* xfr = (struct auth_xfer*)arg;
struct module_env* env;
@@ -6730,6 +6729,7 @@ void auth_xfer_probe_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
return; /* stop on quit */
}
+ rcode = RCODE_NOT_RATELIMITED(rcode);
/* process result */
if(rcode == LDNS_RCODE_NOERROR) {
uint16_t wanted_qtype = LDNS_RR_TYPE_A;
@@ -8212,7 +8212,7 @@ auth_zone_verify_zonemd_key_with_ds(struct auth_zone* z,
/** callback for ZONEMD lookup of DNSKEY */
void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
- enum sec_status sec, char* why_bogus, int ATTR_UNUSED(was_ratelimited))
+ enum sec_status sec, char* why_bogus)
{
struct auth_zone* z = (struct auth_zone*)arg;
struct module_env* env;
@@ -8234,6 +8234,7 @@ void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DS)
typestr = "DS";
downprot = env->cfg->harden_algo_downgrade;
+ rcode = RCODE_NOT_RATELIMITED(rcode);
/* process result */
if(sec == sec_status_bogus) {
diff --git a/unbound-1.16.2/services/authzone.h b/unbound-1.16.2/services/authzone.h
index 07614ed..b339fc1 100644
--- a/unbound-1.16.2/services/authzone.h
+++ b/unbound-1.16.2/services/authzone.h
@@ -690,12 +690,10 @@ void auth_xfer_probe_timer_callback(void* arg);
void auth_xfer_transfer_timer_callback(void* arg);
/** mesh callback for task_probe on lookup of host names */
void auth_xfer_probe_lookup_callback(void* arg, int rcode,
- struct sldns_buffer* buf, enum sec_status sec, char* why_bogus,
- int was_ratelimited);
+ struct sldns_buffer* buf, enum sec_status sec, char* why_bogus);
/** mesh callback for task_transfer on lookup of host names */
void auth_xfer_transfer_lookup_callback(void* arg, int rcode,
- struct sldns_buffer* buf, enum sec_status sec, char* why_bogus,
- int was_ratelimited);
+ struct sldns_buffer* buf, enum sec_status sec, char* why_bogus);
/*
* Compares two 32-bit serial numbers as defined in RFC1982. Returns
@@ -774,8 +772,7 @@ void auth_zone_verify_zonemd(struct auth_zone* z, struct module_env* env,
/** mesh callback for zonemd on lookup of dnskey */
void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode,
- struct sldns_buffer* buf, enum sec_status sec, char* why_bogus,
- int was_ratelimited);
+ struct sldns_buffer* buf, enum sec_status sec, char* why_bogus);
/**
* Check the ZONEMD records that need online DNSSEC chain lookups,
diff --git a/unbound-1.16.2/services/mesh.c b/unbound-1.16.2/services/mesh.c
index 30bcf7c..fc3c690 100644
--- a/unbound-1.16.2/services/mesh.c
+++ b/unbound-1.16.2/services/mesh.c
@@ -63,6 +63,7 @@
#include "util/data/dname.h"
#include "respip/respip.h"
#include "services/listen_dnsport.h"
+#include "libunbound/unbound-event.h"
#ifdef CLIENT_SUBNET
#include "edns-subnet/subnetmod.h"
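Review bot: `services/mesh.c` now includes `libunbound/unbound-event.h`, which inverts the dependency direction (daemon mesh code pulling in the library's public event header) and is not needed by the code in this patch, since `LDNS_RCODE_RATELIMITED` and the macros live in `services/mesh.h`, which mesh.c already uses; drop the include unless a later hunk relies on it.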
@@ -1012,7 +1013,7 @@ mesh_state_cleanup(struct mesh_state* mstate)
mstate->cb_list = cb->next;
fptr_ok(fptr_whitelist_mesh_cb(cb->cb));
(*cb->cb)(cb->cb_arg, LDNS_RCODE_SERVFAIL, NULL,
- sec_status_unchecked, NULL, 0);
+ sec_status_unchecked, NULL);
log_assert(mesh->num_reply_addrs > 0);
mesh->num_reply_addrs--;
}
@@ -1268,8 +1269,9 @@ mesh_do_callback(struct mesh_state* m, int rcode, struct reply_info* rep,
r->edns.opt_list_inplace_cb_out = NULL;
}
fptr_ok(fptr_whitelist_mesh_cb(r->cb));
- (*r->cb)(r->cb_arg, rcode, r->buf, sec_status_unchecked, NULL,
- was_ratelimited);
+ if (was_ratelimited)
+ rcode |= LDNS_RCODE_RATELIMITED;
+ (*r->cb)(r->cb_arg, rcode, r->buf, sec_status_unchecked, NULL);
} else {
size_t udp_size = r->edns.udp_size;
sldns_buffer_clear(r->buf);
@@ -1287,11 +1289,14 @@ mesh_do_callback(struct mesh_state* m, int rcode, struct reply_info* rep,
{
fptr_ok(fptr_whitelist_mesh_cb(r->cb));
(*r->cb)(r->cb_arg, LDNS_RCODE_SERVFAIL, r->buf,
- sec_status_unchecked, NULL, 0);
+ sec_status_unchecked, NULL);
} else {
fptr_ok(fptr_whitelist_mesh_cb(r->cb));
- (*r->cb)(r->cb_arg, LDNS_RCODE_NOERROR, r->buf,
- rep->security, reason, was_ratelimited);
+ rcode = LDNS_RCODE_NOERROR;
+ if (was_ratelimited)
+ rcode |= LDNS_RCODE_RATELIMITED;
+ (*r->cb)(r->cb_arg, rcode, r->buf,
+ rep->security, reason);
}
}
free(reason);
diff --git a/unbound-1.16.2/services/mesh.h b/unbound-1.16.2/services/mesh.h
index 3be9b63..5050d6c 100644
--- a/unbound-1.16.2/services/mesh.h
+++ b/unbound-1.16.2/services/mesh.h
@@ -234,13 +234,20 @@ struct mesh_reply {
struct http2_stream* h2_stream;
};
+/* RHEL 8 compatibility layer.
+ * Special rcode to send was_ratelimited to callback without adding
+ * extra parameter. It is ORed to the rcode parameter of the callback. */
+#define LDNS_RCODE_RATELIMITED 0x100
+#define RCODE_IS_RATELIMITED(rcode) ((rcode & LDNS_RCODE_RATELIMITED) != 0)
+#define RCODE_NOT_RATELIMITED(rcode) (rcode & ~LDNS_RCODE_RATELIMITED)
+
/**
* Mesh result callback func.
* called as func(cb_arg, rcode, buffer_with_reply, security, why_bogus,
* was_ratelimited);
*/
typedef void (*mesh_cb_func_type)(void* cb_arg, int rcode, struct sldns_buffer*,
- enum sec_status, char* why_bogus, int was_ratelimited);
+ enum sec_status, char* why_bogus);
/**
* Callback to result routine
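Review bot: the doc comment above `mesh_cb_func_type` still lists `was_ratelimited` as the sixth argument although the parameter is removed in the same hunk; update it to say the value rides in `rcode` as `LDNS_RCODE_RATELIMITED` and that callees must apply `RCODE_NOT_RATELIMITED` before comparing against DNS RCODEs, otherwise the next mesh callback written will compare the raw value with `LDNS_RCODE_NOERROR` and mishandle rate-limited answers, which is exactly the bug the masks added in authzone.c guard against.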
diff --git a/unbound-1.16.2/smallapp/worker_cb.c b/unbound-1.16.2/smallapp/worker_cb.c
index c689817..c7b1653 100644
--- a/unbound-1.16.2/smallapp/worker_cb.c
+++ b/unbound-1.16.2/smallapp/worker_cb.c
@@ -159,21 +159,21 @@ void libworker_handle_control_cmd(struct tube* ATTR_UNUSED(tube),
void libworker_fg_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
struct sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
- char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
+ char* ATTR_UNUSED(why_bogus))
{
log_assert(0);
}
void libworker_bg_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
struct sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
- char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
+ char* ATTR_UNUSED(why_bogus))
{
log_assert(0);
}
void libworker_event_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
struct sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
- char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
+ char* ATTR_UNUSED(why_bogus))
{
log_assert(0);
}
diff --git a/unbound-1.16.2/validator/autotrust.c b/unbound-1.16.2/validator/autotrust.c
index 3cdf9ce..40b3e35 100644
--- a/unbound-1.16.2/validator/autotrust.c
+++ b/unbound-1.16.2/validator/autotrust.c
@@ -2331,7 +2331,7 @@ autr_debug_print(struct val_anchors* anchors)
void probe_answer_cb(void* arg, int ATTR_UNUSED(rcode),
sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(sec),
- char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
+ char* ATTR_UNUSED(why_bogus))
{
/* retry was set before the query was done,
* re-querytime is set when query succeeded, but that may not
diff --git a/unbound-1.16.2/validator/autotrust.h b/unbound-1.16.2/validator/autotrust.h
index 057f2b6..c549798 100644
--- a/unbound-1.16.2/validator/autotrust.h
+++ b/unbound-1.16.2/validator/autotrust.h
@@ -206,6 +206,6 @@ void autr_debug_print(struct val_anchors* anchors);
/** callback for query answer to 5011 probe */
void probe_answer_cb(void* arg, int rcode, struct sldns_buffer* buf,
- enum sec_status sec, char* errinf, int was_ratelimited);
+ enum sec_status sec, char* errinf);
#endif /* VALIDATOR_AUTOTRUST_H */
--
2.37.1

@ -1,218 +0,0 @@
From 7af485f0fc9926425681ba0280ab6c2c8dd04530 Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
Date: Wed, 21 Sep 2022 11:10:38 +0200
Subject: [PATCH] - Patch for CVE-2022-3204 Non-Responsive Delegation Attack.
---
unbound-1.16.2/iterator/iter_delegpt.c | 3 +++
unbound-1.16.2/iterator/iter_delegpt.h | 2 ++
unbound-1.16.2/iterator/iter_utils.c | 3 +++
unbound-1.16.2/iterator/iter_utils.h | 9 +++++++
unbound-1.16.2/iterator/iterator.c | 36 +++++++++++++++++++++++++-
unbound-1.16.2/services/cache/dns.c | 3 +++
unbound-1.16.2/services/mesh.c | 7 +++++
unbound-1.16.2/services/mesh.h | 11 ++++++++
8 files changed, 73 insertions(+), 1 deletion(-)
diff --git a/unbound-1.16.2/iterator/iter_delegpt.c b/unbound-1.16.2/iterator/iter_delegpt.c
index 4bffa1b..fd07aaa 100644
--- a/unbound-1.16.2/iterator/iter_delegpt.c
+++ b/unbound-1.16.2/iterator/iter_delegpt.c
@@ -78,6 +78,7 @@ struct delegpt* delegpt_copy(struct delegpt* dp, struct regional* region)
if(!delegpt_add_ns(copy, region, ns->name, ns->lame,
ns->tls_auth_name, ns->port))
return NULL;
+ copy->nslist->cache_lookup_count = ns->cache_lookup_count;
copy->nslist->resolved = ns->resolved;
copy->nslist->got4 = ns->got4;
copy->nslist->got6 = ns->got6;
@@ -121,6 +122,7 @@ delegpt_add_ns(struct delegpt* dp, struct regional* region, uint8_t* name,
ns->namelen = len;
dp->nslist = ns;
ns->name = regional_alloc_init(region, name, ns->namelen);
+ ns->cache_lookup_count = 0;
ns->resolved = 0;
ns->got4 = 0;
ns->got6 = 0;
@@ -620,6 +622,7 @@ int delegpt_add_ns_mlc(struct delegpt* dp, uint8_t* name, uint8_t lame,
}
ns->next = dp->nslist;
dp->nslist = ns;
+ ns->cache_lookup_count = 0;
ns->resolved = 0;
ns->got4 = 0;
ns->got6 = 0;
diff --git a/unbound-1.16.2/iterator/iter_delegpt.h b/unbound-1.16.2/iterator/iter_delegpt.h
index 62c8edc..586597a 100644
--- a/unbound-1.16.2/iterator/iter_delegpt.h
+++ b/unbound-1.16.2/iterator/iter_delegpt.h
@@ -101,6 +101,8 @@ struct delegpt_ns {
uint8_t* name;
/** length of name */
size_t namelen;
+ /** number of cache lookups for the name */
+ int cache_lookup_count;
/**
* If the name has been resolved. false if not queried for yet.
* true if the A, AAAA queries have been generated.
diff --git a/unbound-1.16.2/iterator/iter_utils.c b/unbound-1.16.2/iterator/iter_utils.c
index 3e13e59..56b184a 100644
--- a/unbound-1.16.2/iterator/iter_utils.c
+++ b/unbound-1.16.2/iterator/iter_utils.c
@@ -1209,6 +1209,9 @@ int iter_lookup_parent_glue_from_cache(struct module_env* env,
struct delegpt_ns* ns;
size_t num = delegpt_count_targets(dp);
for(ns = dp->nslist; ns; ns = ns->next) {
+ if(ns->cache_lookup_count > ITERATOR_NAME_CACHELOOKUP_MAX_PSIDE)
+ continue;
+ ns->cache_lookup_count++;
/* get cached parentside A */
akey = rrset_cache_lookup(env->rrset_cache, ns->name,
ns->namelen, LDNS_RR_TYPE_A, qinfo->qclass,
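Review bot: the guard is `ns->cache_lookup_count > ITERATOR_NAME_CACHELOOKUP_MAX_PSIDE`, so counts 0..5 pass and a name is looked up six times before the cap bites, one more than the "max number of lookups" wording in iter_utils.h; `cache_fill_missing` in services/cache/dns.c uses the same `>` pattern with the other define. Use `>=` if the defines are ceilings, or fix the comments. Since both sites increment the same counter, the two values form one combined budget rather than independent limits, which is what the "a little larger than the nonpside max" remark relies on; saying so next to the defines would save the next reader the analysis.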
diff --git a/unbound-1.16.2/iterator/iter_utils.h b/unbound-1.16.2/iterator/iter_utils.h
index 8583fde..850be96 100644
--- a/unbound-1.16.2/iterator/iter_utils.h
+++ b/unbound-1.16.2/iterator/iter_utils.h
@@ -62,6 +62,15 @@ struct ub_packed_rrset_key;
struct module_stack;
struct outside_network;
+/* max number of lookups in the cache for target nameserver names.
+ * This stops, for large delegations, N*N lookups in the cache. */
+#define ITERATOR_NAME_CACHELOOKUP_MAX 3
+/* max number of lookups in the cache for parentside glue for nameserver names
+ * This stops, for larger delegations, N*N lookups in the cache.
+ * It is a little larger than the nonpside max, so it allows a couple extra
+ * lookups of parent side glue. */
+#define ITERATOR_NAME_CACHELOOKUP_MAX_PSIDE 5
+
/**
* Process config options and set iterator module state.
* Sets default values if no config is found.
diff --git a/unbound-1.16.2/iterator/iterator.c b/unbound-1.16.2/iterator/iterator.c
index 25e5cfe..da9b799 100644
--- a/unbound-1.16.2/iterator/iterator.c
+++ b/unbound-1.16.2/iterator/iterator.c
@@ -1218,6 +1218,15 @@ generate_dnskey_prefetch(struct module_qstate* qstate,
(qstate->query_flags&BIT_RD) && !(qstate->query_flags&BIT_CD)){
return;
}
+ /* we do not generate this prefetch when the query list is full,
+ * the query is fetched, if needed, when the validator wants it.
+ * At that time the validator waits for it, after spawning it.
+ * This means there is one state that uses cpu and a socket, the
+ * spawned while this one waits, and not several at the same time,
+ * if we had created the lookup here. And this helps to keep
+ * the total load down, but the query still succeeds to resolve. */
+ if(mesh_jostle_exceeded(qstate->env->mesh))
+ return;
/* if the DNSKEY is in the cache this lookup will stop quickly */
log_nametypeclass(VERB_ALGO, "schedule dnskey prefetch",
@@ -1911,6 +1920,14 @@ query_for_targets(struct module_qstate* qstate, struct iter_qstate* iq,
return 0;
}
query_count++;
+ /* If the mesh query list is full, exit the loop here.
+ * This makes the routine spawn one query at a time,
+ * and this means there is no query state load
+ * increase, because the spawned state uses cpu and a
+ * socket while this state waits for that spawned
+ * state. Next time we can look up further targets */
+ if(mesh_jostle_exceeded(qstate->env->mesh))
+ break;
}
/* Send the A request. */
if(ie->supports_ipv4 &&
@@ -1925,6 +1942,9 @@ query_for_targets(struct module_qstate* qstate, struct iter_qstate* iq,
return 0;
}
query_count++;
+ /* If the mesh query list is full, exit the loop. */
+ if(mesh_jostle_exceeded(qstate->env->mesh))
+ break;
}
/* mark this target as in progress. */
@@ -2085,6 +2105,15 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
}
ns->done_pside6 = 1;
query_count++;
+ if(mesh_jostle_exceeded(qstate->env->mesh)) {
+ /* Wait for the lookup; do not spawn multiple
+ * lookups at a time. */
+ verbose(VERB_ALGO, "try parent-side glue lookup");
+ iq->num_target_queries += query_count;
+ target_count_increase(iq, query_count);
+ qstate->ext_state[id] = module_wait_subquery;
+ return 0;
+ }
}
if(ie->supports_ipv4 && !ns->done_pside4) {
/* Send the A request. */
@@ -2560,7 +2589,12 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
if(iq->depth < ie->max_dependency_depth
&& iq->num_target_queries == 0
&& (!iq->target_count || iq->target_count[TARGET_COUNT_NX]==0)
- && iq->sent_count < TARGET_FETCH_STOP) {
+ && iq->sent_count < TARGET_FETCH_STOP
+ /* if the mesh query list is full, then do not waste cpu
+ * and sockets to fetch promiscuous targets. They can be
+ * looked up when needed. */
+ && !mesh_jostle_exceeded(qstate->env->mesh)
+ ) {
tf_policy = ie->target_fetch_policy[iq->depth];
}
diff --git a/unbound-1.16.2/services/cache/dns.c b/unbound-1.16.2/services/cache/dns.c
index 6bca8d8..b6e5697 100644
--- a/unbound-1.16.2/services/cache/dns.c
+++ b/unbound-1.16.2/services/cache/dns.c
@@ -404,6 +404,9 @@ cache_fill_missing(struct module_env* env, uint16_t qclass,
struct ub_packed_rrset_key* akey;
time_t now = *env->now;
for(ns = dp->nslist; ns; ns = ns->next) {
+ if(ns->cache_lookup_count > ITERATOR_NAME_CACHELOOKUP_MAX)
+ continue;
+ ns->cache_lookup_count++;
akey = rrset_cache_lookup(env->rrset_cache, ns->name,
ns->namelen, LDNS_RR_TYPE_A, qclass, 0, now, 0);
if(akey) {
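Review bot: the guard `if(ns->cache_lookup_count > ITERATOR_NAME_CACHELOOKUP_MAX) continue;` uses `>`, so a nameserver entry is still processed ITERATOR_NAME_CACHELOOKUP_MAX + 1 times before it is skipped; if the constant is meant as a hard maximum, use `>=` or document the off-by-one. `ns->cache_lookup_count++` runs once per loop iteration regardless of how many `rrset_cache_lookup` calls that iteration performs (the A lookup is visible here), so the cap counts iterations rather than lookups; either name it accordingly or increment per lookup. Initialisation of the new `cache_lookup_count` field is not in this hunk; make sure the delegpt_ns allocation zeroes it.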
diff --git a/unbound-1.16.2/services/mesh.c b/unbound-1.16.2/services/mesh.c
index 30bcf7c..2a41194 100644
--- a/unbound-1.16.2/services/mesh.c
+++ b/unbound-1.16.2/services/mesh.c
@@ -2240,3 +2240,10 @@ mesh_serve_expired_callback(void* arg)
mesh_do_callback(mstate, LDNS_RCODE_NOERROR, msg->rep, c, &tv);
}
}
+
+int mesh_jostle_exceeded(struct mesh_area* mesh)
+{
+ if(mesh->all.count < mesh->max_reply_states)
+ return 0;
+ return 1;
+}
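Review bot: style, `mesh_jostle_exceeded()` can be a single `return mesh->all.count >= mesh->max_reply_states;`, which states the relationship in the same direction as the function name (exceeded once the count reaches the maximum). The descriptive comment lives only in mesh.h; a one-line pointer here would help readers of mesh.c. Also check that `mesh->all.count` and `mesh->max_reply_states` have compatible signedness so the comparison does not warn under -Wsign-compare.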
diff --git a/unbound-1.16.2/services/mesh.h b/unbound-1.16.2/services/mesh.h
index 3be9b63..25121a6 100644
--- a/unbound-1.16.2/services/mesh.h
+++ b/unbound-1.16.2/services/mesh.h
@@ -685,4 +685,15 @@ struct dns_msg*
mesh_serve_expired_lookup(struct module_qstate* qstate,
struct query_info* lookup_qinfo);
+/**
+ * See if the mesh has space for more queries. You can allocate queries
+ * anyway, but this checks for the allocated space.
+ * @param mesh: mesh area.
+ * @return true if the query list is full.
+ * It checks the number of all queries, not just number of reply states,
+ * that have a client address. So that spawned queries count too,
+ * that were created by the iterator, or other modules.
+ */
+int mesh_jostle_exceeded(struct mesh_area* mesh);
+
#endif /* SERVICES_MESH_H */
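Review bot: in the doc comment for `mesh_jostle_exceeded()` the sentence beginning `It checks the number of all queries, not just number of reply states,` comes after `@return`, so doxygen renders it as part of the return description; move it into the main description above `@param mesh`. The sentence `So that spawned queries count too, that were created by the iterator, or other modules.` is a fragment; e.g. `This includes queries spawned by the iterator or other modules, not only those with a client address.`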
--
2.37.3

File diff suppressed because it is too large



@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=Ax9n
-----END PGP SIGNATURE-----


@ -1,249 +0,0 @@
From 34de24d58bb5aa6fe3551512fc17cac08f65d93e Mon Sep 17 00:00:00 2001
From: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
Date: Thu, 3 Oct 2024 14:46:57 +0200
Subject: [PATCH] - Fix CVE-2024-8508, unbounded name compression could lead to
denial of service.
---
unbound-1.16.2/util/data/msgencode.c | 77 +++++++++++++++++-----------
1 file changed, 46 insertions(+), 31 deletions(-)
diff --git a/unbound-1.16.2/util/data/msgencode.c b/unbound-1.16.2/util/data/msgencode.c
index fe21cfb..f9e95e6 100644
--- a/unbound-1.16.2/util/data/msgencode.c
+++ b/unbound-1.16.2/util/data/msgencode.c
@@ -62,6 +62,10 @@
#define RETVAL_TRUNC -4
/** return code that means all is peachy keen. Equal to DNS rcode NOERROR */
#define RETVAL_OK 0
+/** Max compressions we are willing to perform; more than that will result
+ * in semi-compressed messages, or truncated even on TCP for huge messages, to
+ * avoid locking the CPU for long */
+#define MAX_COMPRESSION_PER_MESSAGE 120
/**
* Data structure to help domain name compression in outgoing messages.
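Review bot: the comment on `MAX_COMPRESSION_PER_MESSAGE` explains the effect of hitting the cap (semi-compressed, or truncated even on TCP) but not how 120 was chosen; a sentence relating it to the number of distinct names in a typical large answer, and a reference to CVE-2024-8508 from the commit subject, would help whoever tunes it later. The comment also ends mid-thought at `to avoid locking the CPU for long`; finish the sentence.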
@@ -284,15 +288,17 @@ write_compressed_dname(sldns_buffer* pkt, uint8_t* dname, int labs,
/** compress owner name of RR, return RETVAL_OUTMEM RETVAL_TRUNC */
static int
-compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
- struct regional* region, struct compress_tree_node** tree,
- size_t owner_pos, uint16_t* owner_ptr, int owner_labs)
+compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
+ struct regional* region, struct compress_tree_node** tree,
+ size_t owner_pos, uint16_t* owner_ptr, int owner_labs,
+ size_t* compress_count)
{
struct compress_tree_node* p;
struct compress_tree_node** insertpt = NULL;
if(!*owner_ptr) {
/* compress first time dname */
- if((p = compress_tree_lookup(tree, key->rk.dname,
+ if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
+ (p = compress_tree_lookup(tree, key->rk.dname,
owner_labs, &insertpt))) {
if(p->labs == owner_labs)
/* avoid ptr chains, since some software is
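Review bot: the `-`/`+` pairs for the unchanged `compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,` and `struct regional* region, struct compress_tree_node** tree,` lines differ only in whitespace, which inflates the diff and hides the single real change (the new `size_t* compress_count` parameter); keep the original indentation. The gate `*compress_count < MAX_COMPRESSION_PER_MESSAGE &&` in front of `compress_tree_lookup` is repeated with the same literal in several places across this patch; a small static helper or macro would keep the limit logic in one spot.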
@@ -301,6 +307,7 @@ compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
if(!write_compressed_dname(pkt, key->rk.dname,
owner_labs, p))
return RETVAL_TRUNC;
+ (*compress_count)++;
/* check if typeclass+4 ttl + rdatalen is available */
if(sldns_buffer_remaining(pkt) < 4+4+2)
return RETVAL_TRUNC;
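Review bot: `(*compress_count)++` runs only after `write_compressed_dname` succeeded, so the counter measures successful pointer writes, while the gate in the previous hunk sits in front of `compress_tree_lookup`; lookups that find no match therefore never count against the cap. If the cost being bounded is the tree lookup rather than the pointer write, count the lookup instead, or state in the `MAX_COMPRESSION_PER_MESSAGE` comment why misses are considered cheap.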
@@ -313,7 +320,8 @@ compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
if(owner_pos <= PTR_MAX_OFFSET)
*owner_ptr = htons(PTR_CREATE(owner_pos));
}
- if(!compress_tree_store(key->rk.dname, owner_labs,
+ if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
+ !compress_tree_store(key->rk.dname, owner_labs,
owner_pos, region, p, insertpt))
return RETVAL_OUTMEM;
} else {
@@ -333,20 +341,24 @@ compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
/** compress any domain name to the packet, return RETVAL_* */
static int
-compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs,
- struct regional* region, struct compress_tree_node** tree)
+compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs,
+ struct regional* region, struct compress_tree_node** tree,
+ size_t* compress_count)
{
struct compress_tree_node* p;
struct compress_tree_node** insertpt = NULL;
size_t pos = sldns_buffer_position(pkt);
- if((p = compress_tree_lookup(tree, dname, labs, &insertpt))) {
+ if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
+ (p = compress_tree_lookup(tree, dname, labs, &insertpt))) {
if(!write_compressed_dname(pkt, dname, labs, p))
return RETVAL_TRUNC;
+ (*compress_count)++;
} else {
if(!dname_buffer_write(pkt, dname))
return RETVAL_TRUNC;
}
- if(!compress_tree_store(dname, labs, pos, region, p, insertpt))
+ if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
+ !compress_tree_store(dname, labs, pos, region, p, insertpt))
return RETVAL_OUTMEM;
return RETVAL_OK;
}
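Review bot: same whitespace-only `-`/`+` pairs on the unchanged `compress_any_dname` signature lines as in `compress_owner`; keep the original indentation so the diff shows only the added `size_t* compress_count`. Behaviour at the cap is consistent here: the lookup is skipped, `p` stays NULL, the name is written uncompressed by `dname_buffer_write`, and the store is skipped too, so later names cannot point at it; that is the semi-compressed mode the new #define comment describes.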
@@ -364,9 +376,9 @@ type_rdata_compressable(struct ub_packed_rrset_key* key)
/** compress domain names in rdata, return RETVAL_* */
static int
-compress_rdata(sldns_buffer* pkt, uint8_t* rdata, size_t todolen,
- struct regional* region, struct compress_tree_node** tree,
- const sldns_rr_descriptor* desc)
+compress_rdata(sldns_buffer* pkt, uint8_t* rdata, size_t todolen,
+ struct regional* region, struct compress_tree_node** tree,
+ const sldns_rr_descriptor* desc, size_t* compress_count)
{
int labs, r, rdf = 0;
size_t dname_len, len, pos = sldns_buffer_position(pkt);
@@ -380,8 +392,8 @@ compress_rdata(sldns_buffer* pkt, uint8_t* rdata, size_t todolen,
switch(desc->_wireformat[rdf]) {
case LDNS_RDF_TYPE_DNAME:
labs = dname_count_size_labels(rdata, &dname_len);
- if((r=compress_any_dname(rdata, pkt, labs, region,
- tree)) != RETVAL_OK)
+ if((r=compress_any_dname(rdata, pkt, labs, region,
+ tree, compress_count)) != RETVAL_OK)
return r;
rdata += dname_len;
todolen -= dname_len;
@@ -449,7 +461,8 @@ static int
packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
uint16_t* num_rrs, time_t timenow, struct regional* region,
int do_data, int do_sig, struct compress_tree_node** tree,
- sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset)
+ sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset,
+ size_t* compress_count)
{
size_t i, j, owner_pos;
int r, owner_labs;
@@ -477,9 +490,9 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
for(i=0; i<data->count; i++) {
/* rrset roundrobin */
j = (i + rr_offset) % data->count;
- if((r=compress_owner(key, pkt, region, tree,
- owner_pos, &owner_ptr, owner_labs))
- != RETVAL_OK)
+ if((r=compress_owner(key, pkt, region, tree,
+ owner_pos, &owner_ptr, owner_labs,
+ compress_count)) != RETVAL_OK)
return r;
sldns_buffer_write(pkt, &key->rk.type, 2);
sldns_buffer_write(pkt, &key->rk.rrset_class, 2);
@@ -489,8 +502,8 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
else sldns_buffer_write_u32(pkt, data->rr_ttl[j]-adjust);
if(c) {
if((r=compress_rdata(pkt, data->rr_data[j],
- data->rr_len[j], region, tree, c))
- != RETVAL_OK)
+ data->rr_len[j], region, tree, c,
+ compress_count)) != RETVAL_OK)
return r;
} else {
if(sldns_buffer_remaining(pkt) < data->rr_len[j])
@@ -510,9 +523,9 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
return RETVAL_TRUNC;
sldns_buffer_write(pkt, &owner_ptr, 2);
} else {
- if((r=compress_any_dname(key->rk.dname,
- pkt, owner_labs, region, tree))
- != RETVAL_OK)
+ if((r=compress_any_dname(key->rk.dname,
+ pkt, owner_labs, region, tree,
+ compress_count)) != RETVAL_OK)
return r;
if(sldns_buffer_remaining(pkt) <
4+4+data->rr_len[i])
@@ -544,7 +557,8 @@ static int
insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
sldns_buffer* pkt, size_t rrsets_before, time_t timenow,
struct regional* region, struct compress_tree_node** tree,
- sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset)
+ sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset,
+ size_t* compress_count)
{
int r;
size_t i, setstart;
@@ -560,7 +574,7 @@ insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
setstart = sldns_buffer_position(pkt);
if((r=packed_rrset_encode(rep->rrsets[rrsets_before+i],
pkt, num_rrs, timenow, region, 1, 1, tree,
- s, qtype, dnssec, rr_offset))
+ s, qtype, dnssec, rr_offset, compress_count))
!= RETVAL_OK) {
/* Bad, but if due to size must set TC bit */
/* trim off the rrset neatly. */
@@ -573,7 +587,7 @@ insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
setstart = sldns_buffer_position(pkt);
if((r=packed_rrset_encode(rep->rrsets[rrsets_before+i],
pkt, num_rrs, timenow, region, 1, 0, tree,
- s, qtype, dnssec, rr_offset))
+ s, qtype, dnssec, rr_offset, compress_count))
!= RETVAL_OK) {
sldns_buffer_set_position(pkt, setstart);
return r;
@@ -584,7 +598,7 @@ insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
setstart = sldns_buffer_position(pkt);
if((r=packed_rrset_encode(rep->rrsets[rrsets_before+i],
pkt, num_rrs, timenow, region, 0, 1, tree,
- s, qtype, dnssec, rr_offset))
+ s, qtype, dnssec, rr_offset, compress_count))
!= RETVAL_OK) {
sldns_buffer_set_position(pkt, setstart);
return r;
@@ -677,6 +691,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
struct compress_tree_node* tree = 0;
int r;
size_t rr_offset;
+ size_t compress_count=0;
sldns_buffer_clear(buffer);
if(udpsize < sldns_buffer_limit(buffer))
@@ -723,7 +738,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
arep.rrsets = &qinfo->local_alias->rrset;
if((r=insert_section(&arep, 1, &ancount, buffer, 0,
timezero, region, &tree, LDNS_SECTION_ANSWER,
- qinfo->qtype, dnssec, rr_offset)) != RETVAL_OK) {
+ qinfo->qtype, dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
if(r == RETVAL_TRUNC) {
/* create truncated message */
sldns_buffer_write_u16_at(buffer, 6, ancount);
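Review bot: the line `qinfo->qtype, dnssec, rr_offset, &compress_count)) != RETVAL_OK) {` is noticeably longer than anything around it; wrap it the way the three following `insert_section` calls in this patch do (`dnssec, rr_offset, &compress_count)) != RETVAL_OK) {` on its own line after the qtype argument).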
@@ -738,7 +753,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
/* insert answer section */
if((r=insert_section(rep, rep->an_numrrsets, &ancount, buffer,
0, timenow, region, &tree, LDNS_SECTION_ANSWER, qinfo->qtype,
- dnssec, rr_offset)) != RETVAL_OK) {
+ dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
if(r == RETVAL_TRUNC) {
/* create truncated message */
sldns_buffer_write_u16_at(buffer, 6, ancount);
@@ -756,7 +771,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
if((r=insert_section(rep, rep->ns_numrrsets, &nscount, buffer,
rep->an_numrrsets, timenow, region, &tree,
LDNS_SECTION_AUTHORITY, qinfo->qtype,
- dnssec, rr_offset)) != RETVAL_OK) {
+ dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
if(r == RETVAL_TRUNC) {
/* create truncated message */
sldns_buffer_write_u16_at(buffer, 8, nscount);
@@ -773,7 +788,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
if((r=insert_section(rep, rep->ar_numrrsets, &arcount, buffer,
rep->an_numrrsets + rep->ns_numrrsets, timenow, region,
&tree, LDNS_SECTION_ADDITIONAL, qinfo->qtype,
- dnssec, rr_offset)) != RETVAL_OK) {
+ dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
if(r == RETVAL_TRUNC) {
/* no need to set TC bit, this is the additional */
sldns_buffer_write_u16_at(buffer, 10, arcount);
--
2.47.0

File diff suppressed because it is too large


@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----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=vyR7
-----END PGP SIGNATURE-----


@ -0,0 +1,61 @@
From 87e5c3ccad91c72166ed72c7366d8681308d84a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Mon, 9 Feb 2026 15:40:51 +0100
Subject: [PATCH] Add a new build-time option for system TLS
We want to use crypto-policy provided configuration always in our
builds. Allow changing the default of tls-use-system-policy-versions at
build time by a simple configure parameter.
---
unbound-1.24.2/configure.ac | 11 +++++++++++
unbound-1.24.2/util/config_file.c | 5 ++++-
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/unbound-1.24.2/configure.ac b/unbound-1.24.2/configure.ac
index 6a43fd5..13c910f 100644
--- a/unbound-1.24.2/configure.ac
+++ b/unbound-1.24.2/configure.ac
@@ -2067,6 +2067,17 @@ case "$enable_ipsecmod" in
;;
esac
+# check for system TLS preference if requested
+AC_ARG_ENABLE(system-tls, AS_HELP_STRING([--enable-system-tls],[Enable preference of system configured TLS socket options]))
+case "$enable_system_tls" in
+ yes)
+ AC_DEFINE([USE_SYSTEM_TLS], [1], [Define to 1 to prefer TLS crypto settings from the system.])
+ ;;
+ no|*)
+ # nothing
+ ;;
+esac
+
# check for ipset if requested
AC_ARG_ENABLE(ipset, AS_HELP_STRING([--enable-ipset],[enable ipset module]))
case "$enable_ipset" in
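Review bot: in `case "$enable_system_tls"` the pattern `no|*)` is redundant, since `*` already matches everything; use `*)` alone or spell out `no)` and `*)` separately if you want the explicit no. The help string talks about `system configured TLS socket options` while the `AC_DEFINE` description says `TLS crypto settings from the system` and the runtime option it flips is about allowed TLS versions; use one wording (e.g. `let the system crypto policy decide the allowed TLS versions`) in all three places. There is also no `AC_MSG_RESULT` or summary line for the new switch, so a packager cannot tell from the configure output whether it took effect.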
diff --git a/unbound-1.24.2/util/config_file.c b/unbound-1.24.2/util/config_file.c
index 1565b05..8079ec9 100644
--- a/unbound-1.24.2/util/config_file.c
+++ b/unbound-1.24.2/util/config_file.c
@@ -71,6 +71,9 @@
#ifdef HAVE_PWD_H
#include <pwd.h>
#endif
+#ifndef USE_SYSTEM_TLS
+#define USE_SYSTEM_TLS 0
+#endif
/** from cfg username, after daemonize setup performed */
uid_t cfg_uid = (uid_t)-1;
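Review bot: the fallback `#ifndef USE_SYSTEM_TLS` / `#define USE_SYSTEM_TLS 0` / `#endif` sits in config_file.c between the `HAVE_PWD_H` include block and the `cfg_uid` comment, where it reads like an include guard. Since configure already knows the answer, `AC_DEFINE` the macro to `0` in the `no|*)` branch as well so config.h always defines it, or move the fallback next to the `tls_use_system_policy_versions` field in config_file.h with a comment naming the `--enable-system-tls` switch.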
@@ -129,7 +132,7 @@ config_create(void)
cfg->tls_cert_bundle = NULL;
cfg->tls_win_cert = 0;
cfg->tls_use_sni = 1;
- cfg->tls_use_system_policy_versions = 0;
+ cfg->tls_use_system_policy_versions = USE_SYSTEM_TLS;
cfg->https_port = UNBOUND_DNS_OVER_HTTPS_PORT;
if(!(cfg->http_endpoint = strdup("/dns-query"))) goto error_exit;
cfg->http_max_streams = 100;
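Review bot: with `cfg->tls_use_system_policy_versions = USE_SYSTEM_TLS;` the default becomes build-dependent, but the documentation added by the other patch on this page (`example.conf.in`, `unbound.conf.5.in`, `unbound.conf.rst`) still states `Default: no` and `tls-use-system-policy-versions: no`; add a doc hunk saying the default is `yes` when built with `--enable-system-tls`, otherwise operators reading the man page will misjudge which TLS versions the server accepts.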
--
2.52.0


@ -0,0 +1,483 @@
From 315d29b33f9766e7ecb91fcfd4c1238d92aefd9e Mon Sep 17 00:00:00 2001
From: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
Date: Mon, 22 Sep 2025 18:22:36 +0200
Subject: [PATCH] - Fix #1346: [FR] Please allow back TLS 1.2.
'tls-use-system-policy-versions' is introduced to allow Unbound to use any
system available TLS version when serving TLS.
---
unbound-1.24.2/daemon/remote.c | 2 +-
unbound-1.24.2/daemon/unbound.c | 2 +-
unbound-1.24.2/dnstap/unbound-dnstap-socket.c | 2 +-
unbound-1.24.2/doc/example.conf.in | 26 ++++++---
unbound-1.24.2/doc/unbound.conf.5.in | 55 ++++++++++++++-----
unbound-1.24.2/doc/unbound.conf.rst | 32 ++++++++---
unbound-1.24.2/util/config_file.c | 3 +
unbound-1.24.2/util/config_file.h | 2 +
unbound-1.24.2/util/configlexer.lex | 1 +
unbound-1.24.2/util/configparser.y | 11 ++++
unbound-1.24.2/util/net_help.c | 54 +++++++++---------
unbound-1.24.2/util/net_help.h | 8 ++-
unbound-1.24.2/winrc/win_svc.c | 4 +-
13 files changed, 138 insertions(+), 64 deletions(-)
diff --git a/unbound-1.24.2/daemon/remote.c b/unbound-1.24.2/daemon/remote.c
index d8ee7fa..06d1d34 100644
--- a/unbound-1.24.2/daemon/remote.c
+++ b/unbound-1.24.2/daemon/remote.c
@@ -153,7 +153,7 @@ remote_setup_ctx(struct daemon_remote* rc, struct config_file* cfg)
log_crypto_err("could not SSL_CTX_new");
return 0;
}
- if(!listen_sslctx_setup(rc->ctx)) {
+ if(!listen_sslctx_setup(rc->ctx, cfg->tls_use_system_policy_versions)) {
return 0;
}
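Review bot: `remote_setup_ctx` now passes `cfg->tls_use_system_policy_versions`, so the option also governs the unbound-control channel, not only DoT/DoH serving; the documentation added later in this patch speaks only of `when serving TLS`, and an operator enabling it for legacy DoT clients may not expect the control socket to accept older TLS versions too. Either document that the remote-control listener follows the same setting or keep the control channel at the strict default.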
diff --git a/unbound-1.24.2/daemon/unbound.c b/unbound-1.24.2/daemon/unbound.c
index 164d0fb..6888047 100644
--- a/unbound-1.24.2/daemon/unbound.c
+++ b/unbound-1.24.2/daemon/unbound.c
@@ -473,7 +473,7 @@ setup_listen_sslctx(void** ctx, int is_dot, int is_doh, struct config_file* cfg)
cfg->tls_ciphers, cfg->tls_ciphersuites,
(cfg->tls_session_ticket_keys.first &&
cfg->tls_session_ticket_keys.first->str[0] != 0),
- is_dot, is_doh))) {
+ is_dot, is_doh, cfg->tls_use_system_policy_versions))) {
fatal_exit("could not set up listen SSL_CTX");
}
}
diff --git a/unbound-1.24.2/dnstap/unbound-dnstap-socket.c b/unbound-1.24.2/dnstap/unbound-dnstap-socket.c
index a01627d..c0d344c 100644
--- a/unbound-1.24.2/dnstap/unbound-dnstap-socket.c
+++ b/unbound-1.24.2/dnstap/unbound-dnstap-socket.c
@@ -347,7 +347,7 @@ static struct tap_socket* tap_socket_new_tlsaccept(char* ip,
s->ev_cb = ev_cb;
s->data = data;
s->sslctx = listen_sslctx_create(server_key, server_cert, verifypem,
- NULL, NULL, 0, 0, 0);
+ NULL, NULL, 0, 0, 0, 0);
if(!s->sslctx) {
log_err("could not create ssl context");
free(s->ip);
diff --git a/unbound-1.24.2/doc/example.conf.in b/unbound-1.24.2/doc/example.conf.in
index cf10b85..ecdc65c 100644
--- a/unbound-1.24.2/doc/example.conf.in
+++ b/unbound-1.24.2/doc/example.conf.in
@@ -950,21 +950,26 @@ server:
# https-port: 443
# quic-port: 853
+ # Also serve tls on these port numbers (eg. 443, ...), by listing
+ # tls-additional-port: portno for each of the port numbers.
+
# cipher setting for TLSv1.2
# tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
# cipher setting for TLSv1.3
# tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
- # Pad responses to padded queries received over TLS
- # pad-responses: yes
-
- # Padded responses will be padded to the closest multiple of this size.
- # pad-responses-block-size: 468
-
# Use the SNI extension for TLS connections. Default is yes.
# Changing the value requires a reload.
# tls-use-sni: yes
+ # Allow general-purpose version-flexible TLS server configuration that
+ # may be further restricted by the system's policy.
+ # Use only if you want to support legacy TLS client connections.
+ # Default is no and Unbound will only use the latest available TLS
+ # version.
+ # Changing the value requires a reload.
+ # tls-use-system-policy-versions: no
+
# Add the secret file for TLS Session Ticket.
# Secret file must be 80 bytes of random data.
# First key use to encrypt and decrypt TLS session tickets.
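Review bot: this hunk mixes the new `tls-use-system-policy-versions` entry with relocating unrelated entries (`tls-additional-port` moved up here, `pad-responses` and `pad-responses-block-size` moved down in the next hunk); putting the moves in their own commit would leave the functional change reviewable on its own. The new comment `Default is no and Unbound will only use the latest available TLS version` matches the code in `listen_sslctx_setup`, which disables each older version only when the next one's `SSL_OP_NO_*` macro exists, but `latest available` is worth qualifying as `latest version the crypto library was built with`.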
@@ -985,15 +990,18 @@ server:
# and on other systems, the default openssl certificates
# tls-system-cert: no
+ # Pad responses to padded queries received over TLS
+ # pad-responses: yes
+
+ # Padded responses will be padded to the closest multiple of this size.
+ # pad-responses-block-size: 468
+
# Pad queries over TLS upstreams
# pad-queries: yes
# Padded queries will be padded to the closest multiple of this size.
# pad-queries-block-size: 128
- # Also serve tls on these port numbers (eg. 443, ...), by listing
- # tls-additional-port: portno for each of the port numbers.
-
# HTTP endpoint to provide DNS-over-HTTPS service on.
# http-endpoint: "/dns-query"
diff --git a/unbound-1.24.2/doc/unbound.conf.5.in b/unbound-1.24.2/doc/unbound.conf.5.in
index a5857ac..7ec7860 100644
--- a/unbound-1.24.2/doc/unbound.conf.5.in
+++ b/unbound-1.24.2/doc/unbound.conf.5.in
@@ -1218,6 +1218,47 @@ Default: \(dq\(dq
.UNINDENT
.INDENT 0.0
.TP
+.B tls\-use\-sni: \fI<yes or no>\fP
+Enable or disable sending the SNI extension on TLS connections.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Changing the value requires a reload.
+.UNINDENT
+.UNINDENT
+.sp
+Default: yes
+.UNINDENT
+.INDENT 0.0
+.TP
+.B tls\-use\-system\-policy\-versions: \fI<yes or no>\fP
+Enable or disable general\-puspose version\-flexible TLS server configuration
+when serving TLS.
+This will allow the whole list of available TLS versions provided by the
+crypto library, which may have been further restricted by the system\(aqs
+crypto policy.
+.sp
+By default Unbound only uses the latest available TLS version.
+.sp
+\fBCAUTION:\fP
+.INDENT 7.0
+.INDENT 3.5
+Use only if you want to support legacy TLS client connections.
+.UNINDENT
+.UNINDENT
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Changing the value requires a reload.
+.UNINDENT
+.UNINDENT
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
.B pad\-responses: \fI<yes or no>\fP
If enabled, TLS serviced queries that contained an EDNS Padding option will
cause responses padded to the closest multiple of the size specified in
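Review bot: typo in the new man page text, `general\-puspose` should be `general\-purpose` (the same typo appears in the `unbound.conf.rst` hunk below). The `.B tls\-use\-sni` block added here is a verbatim copy of the block removed in the next hunk; if the move is meant to group the TLS options together, say so in the commit message, otherwise leave it in place so the diff covers only the new option.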
@@ -1251,20 +1292,6 @@ Default: 128
.UNINDENT
.INDENT 0.0
.TP
-.B tls\-use\-sni: \fI<yes or no>\fP
-Enable or disable sending the SNI extension on TLS connections.
-.sp
-\fBNOTE:\fP
-.INDENT 7.0
-.INDENT 3.5
-Changing the value requires a reload.
-.UNINDENT
-.UNINDENT
-.sp
-Default: yes
-.UNINDENT
-.INDENT 0.0
-.TP
.B https\-port: \fI<number>\fP
The port number on which to provide DNS\-over\-HTTPS service.
Only interfaces configured with that port number as @number get the HTTPS
diff --git a/unbound-1.24.2/doc/unbound.conf.rst b/unbound-1.24.2/doc/unbound.conf.rst
index d83816c..555b1c8 100644
--- a/unbound-1.24.2/doc/unbound.conf.rst
+++ b/unbound-1.24.2/doc/unbound.conf.rst
@@ -1103,6 +1103,30 @@ These options are part of the **server:** clause.
Default: ""
+@@UAHL@unbound.conf@tls-use-sni@@: *<yes or no>*
+ Enable or disable sending the SNI extension on TLS connections.
+
+ .. note:: Changing the value requires a reload.
+
+ Default: yes
+
+
+@@UAHL@unbound.conf@tls-use-system-policy-versions@@: *<yes or no>*
+ Enable or disable general-puspose version-flexible TLS server configuration
+ when serving TLS.
+ This will allow the whole list of available TLS versions provided by the
+ crypto library, which may have been further restricted by the system's
+ crypto policy.
+
+ By default Unbound only uses the latest available TLS version.
+
+ .. caution:: Use only if you want to support legacy TLS client connections.
+
+ .. note:: Changing the value requires a reload.
+
+ Default: no
+
+
@@UAHL@unbound.conf@pad-responses@@: *<yes or no>*
If enabled, TLS serviced queries that contained an EDNS Padding option will
cause responses padded to the closest multiple of the size specified in
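Review bot: same `general-puspose` typo as in the man page hunk (`general-purpose`); fix both so the two documents do not drift. The moved `tls-use-sni` block is the same churn as in the man page and would be cleaner as a separate commit.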
@@ -1132,14 +1156,6 @@ These options are part of the **server:** clause.
Default: 128
-@@UAHL@unbound.conf@tls-use-sni@@: *<yes or no>*
- Enable or disable sending the SNI extension on TLS connections.
-
- .. note:: Changing the value requires a reload.
-
- Default: yes
-
-
@@UAHL@unbound.conf@https-port@@: *<number>*
The port number on which to provide DNS-over-HTTPS service.
Only interfaces configured with that port number as @number get the HTTPS
diff --git a/unbound-1.24.2/util/config_file.c b/unbound-1.24.2/util/config_file.c
index 25c2b3e..1565b05 100644
--- a/unbound-1.24.2/util/config_file.c
+++ b/unbound-1.24.2/util/config_file.c
@@ -129,6 +129,7 @@ config_create(void)
cfg->tls_cert_bundle = NULL;
cfg->tls_win_cert = 0;
cfg->tls_use_sni = 1;
+ cfg->tls_use_system_policy_versions = 0;
cfg->https_port = UNBOUND_DNS_OVER_HTTPS_PORT;
if(!(cfg->http_endpoint = strdup("/dns-query"))) goto error_exit;
cfg->http_max_streams = 100;
@@ -629,6 +630,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
else S_STR("tls-ciphers:", tls_ciphers)
else S_STR("tls-ciphersuites:", tls_ciphersuites)
else S_YNO("tls-use-sni:", tls_use_sni)
+ else S_YNO("tls-use-system-policy-versions:", tls_use_system_policy_versions)
else S_NUMBER_NONZERO("https-port:", https_port)
else S_STR("http-endpoint:", http_endpoint)
else S_NUMBER_NONZERO("http-max-streams:", http_max_streams)
@@ -1181,6 +1183,7 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_STR(opt, "tls-ciphers", tls_ciphers)
else O_STR(opt, "tls-ciphersuites", tls_ciphersuites)
else O_YNO(opt, "tls-use-sni", tls_use_sni)
+ else O_YNO(opt, "tls-use-system-policy-versions", tls_use_system_policy_versions)
else O_DEC(opt, "https-port", https_port)
else O_STR(opt, "http-endpoint", http_endpoint)
else O_UNS(opt, "http-max-streams", http_max_streams)
diff --git a/unbound-1.24.2/util/config_file.h b/unbound-1.24.2/util/config_file.h
index f77538b..59b4ae5 100644
--- a/unbound-1.24.2/util/config_file.h
+++ b/unbound-1.24.2/util/config_file.h
@@ -148,6 +148,8 @@ struct config_file {
char* tls_ciphersuites;
/** if SNI is to be used */
int tls_use_sni;
+ /** if all TLS versions can be used; based on system policy (if any) */
+ int tls_use_system_policy_versions;
/** port on which to provide DNS over HTTPS service */
int https_port;
diff --git a/unbound-1.24.2/util/configlexer.lex b/unbound-1.24.2/util/configlexer.lex
index 0ba8d60..22f98e4 100644
--- a/unbound-1.24.2/util/configlexer.lex
+++ b/unbound-1.24.2/util/configlexer.lex
@@ -262,6 +262,7 @@ tls-session-ticket-keys{COLON} { YDVAR(1, VAR_TLS_SESSION_TICKET_KEYS) }
tls-ciphers{COLON} { YDVAR(1, VAR_TLS_CIPHERS) }
tls-ciphersuites{COLON} { YDVAR(1, VAR_TLS_CIPHERSUITES) }
tls-use-sni{COLON} { YDVAR(1, VAR_TLS_USE_SNI) }
+tls-use-system-policy-versions{COLON} { YDVAR(1, VAR_TLS_USE_SYSTEM_POLICY_VERSIONS) }
https-port{COLON} { YDVAR(1, VAR_HTTPS_PORT) }
http-endpoint{COLON} { YDVAR(1, VAR_HTTP_ENDPOINT) }
http-max-streams{COLON} { YDVAR(1, VAR_HTTP_MAX_STREAMS) }
diff --git a/unbound-1.24.2/util/configparser.y b/unbound-1.24.2/util/configparser.y
index bef1fd3..bf9c196 100644
--- a/unbound-1.24.2/util/configparser.y
+++ b/unbound-1.24.2/util/configparser.y
@@ -199,6 +199,7 @@ extern struct config_parser_state* cfg_parser;
%token VAR_DISCARD_TIMEOUT VAR_WAIT_LIMIT VAR_WAIT_LIMIT_COOKIE
%token VAR_WAIT_LIMIT_NETBLOCK VAR_WAIT_LIMIT_COOKIE_NETBLOCK
%token VAR_STREAM_WAIT_SIZE VAR_TLS_CIPHERS VAR_TLS_CIPHERSUITES VAR_TLS_USE_SNI
+%token VAR_TLS_USE_SYSTEM_POLICY_VERSIONS
%token VAR_IPSET VAR_IPSET_NAME_V4 VAR_IPSET_NAME_V6
%token VAR_TLS_SESSION_TICKET_KEYS VAR_RPZ VAR_TAGS VAR_RPZ_ACTION_OVERRIDE
%token VAR_RPZ_CNAME_OVERRIDE VAR_RPZ_LOG VAR_RPZ_LOG_NAME
@@ -347,6 +348,7 @@ content_server: server_num_threads | server_verbosity | server_port |
server_tls_ciphersuites | server_tls_session_ticket_keys |
server_answer_cookie | server_cookie_secret | server_ip_ratelimit_cookie |
server_tls_use_sni | server_edns_client_string |
+ server_tls_use_system_policy_versions |
server_edns_client_string_opcode | server_nsid |
server_zonemd_permissive_mode | server_max_reuse_tcp_queries |
server_tcp_reuse_timeout | server_tcp_auth_query_timeout |
@@ -1155,6 +1157,15 @@ server_tls_use_sni: VAR_TLS_USE_SNI STRING_ARG
free($2);
}
;
+server_tls_use_system_policy_versions: VAR_TLS_USE_SYSTEM_POLICY_VERSIONS STRING_ARG
+ {
+ OUTYY(("P(server_tls_use_system_policy_versions:%s)\n", $2));
+ if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+ yyerror("expected yes or no.");
+ else cfg_parser->cfg->tls_use_system_policy_versions = (strcmp($2, "yes")==0);
+ free($2);
+ }
+ ;
server_https_port: VAR_HTTPS_PORT STRING_ARG
{
OUTYY(("P(server_https_port:%s)\n", $2));
diff --git a/unbound-1.24.2/util/net_help.c b/unbound-1.24.2/util/net_help.c
index 6ce0d91..426ace9 100644
--- a/unbound-1.24.2/util/net_help.c
+++ b/unbound-1.24.2/util/net_help.c
@@ -1226,7 +1226,7 @@ setup_ticket_keys_cb(void* sslctx)
#endif /* HAVE_SSL */
int
-listen_sslctx_setup(void* ctxt)
+listen_sslctx_setup(void* ctxt, int use_system_versions)
{
#ifdef HAVE_SSL
SSL_CTX* ctx = (SSL_CTX*)ctxt;
@@ -1238,35 +1238,37 @@ listen_sslctx_setup(void* ctxt)
return 0;
}
#endif
- if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
- != SSL_OP_NO_SSLv3){
- log_crypto_err("could not set SSL_OP_NO_SSLv3");
- return 0;
- }
+ if(!use_system_versions) {
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
+ != SSL_OP_NO_SSLv3){
+ log_crypto_err("could not set SSL_OP_NO_SSLv3");
+ return 0;
+ }
#if defined(SSL_OP_NO_TLSv1) && defined(SSL_OP_NO_TLSv1_1)
- /* if we have tls 1.1 disable 1.0 */
- if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1) & SSL_OP_NO_TLSv1)
- != SSL_OP_NO_TLSv1){
- log_crypto_err("could not set SSL_OP_NO_TLSv1");
- return 0;
- }
+ /* if we have tls 1.1 disable 1.0 */
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1) & SSL_OP_NO_TLSv1)
+ != SSL_OP_NO_TLSv1){
+ log_crypto_err("could not set SSL_OP_NO_TLSv1");
+ return 0;
+ }
#endif
#if defined(SSL_OP_NO_TLSv1_1) && defined(SSL_OP_NO_TLSv1_2)
- /* if we have tls 1.2 disable 1.1 */
- if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1) & SSL_OP_NO_TLSv1_1)
- != SSL_OP_NO_TLSv1_1){
- log_crypto_err("could not set SSL_OP_NO_TLSv1_1");
- return 0;
- }
+ /* if we have tls 1.2 disable 1.1 */
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1) & SSL_OP_NO_TLSv1_1)
+ != SSL_OP_NO_TLSv1_1){
+ log_crypto_err("could not set SSL_OP_NO_TLSv1_1");
+ return 0;
+ }
#endif
#if defined(SSL_OP_NO_TLSv1_2) && defined(SSL_OP_NO_TLSv1_3)
- /* if we have tls 1.3 disable 1.2 */
- if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2) & SSL_OP_NO_TLSv1_2)
- != SSL_OP_NO_TLSv1_2){
- log_crypto_err("could not set SSL_OP_NO_TLSv1_2");
- return 0;
- }
+ /* if we have tls 1.3 disable 1.2 */
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2) & SSL_OP_NO_TLSv1_2)
+ != SSL_OP_NO_TLSv1_2){
+ log_crypto_err("could not set SSL_OP_NO_TLSv1_2");
+ return 0;
+ }
#endif
+ }
#if defined(SSL_OP_NO_RENEGOTIATION)
/* disable client renegotiation */
if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
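Review bot: wrapping the whole block in `if(!use_system_versions) {` also skips `SSL_OP_NO_SSLv3`, so with the option enabled SSL 3.0 is left to whatever the library and system policy permit, while the documentation hunks only speak of `TLS versions`. System crypto policies are written for TLS; keep the `SSL_OP_NO_SSLv3` block unconditional and gate only the TLSv1.0/1.1/1.2 blocks, or state in the docs that SSLv3 is also delegated to the system. Re-indenting every existing line also produces `-`/`+` churn for code that did not change; an early `if(use_system_versions) goto skip_versions;` (or a small helper for the three version blocks) would keep the diff to the new logic.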
@@ -1341,7 +1343,7 @@ listen_sslctx_setup_2(void* ctxt)
void* listen_sslctx_create(const char* key, const char* pem,
const char* verifypem, const char* tls_ciphers,
const char* tls_ciphersuites, int set_ticket_keys_cb,
- int is_dot, int is_doh)
+ int is_dot, int is_doh, int use_system_versions)
{
#ifdef HAVE_SSL
SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method());
@@ -1359,7 +1361,7 @@ void* listen_sslctx_create(const char* key, const char* pem,
SSL_CTX_free(ctx);
return NULL;
}
- if(!listen_sslctx_setup(ctx)) {
+ if(!listen_sslctx_setup(ctx, use_system_versions)) {
SSL_CTX_free(ctx);
return NULL;
}
diff --git a/unbound-1.24.2/util/net_help.h b/unbound-1.24.2/util/net_help.h
index 278e370..7b8a206 100644
--- a/unbound-1.24.2/util/net_help.h
+++ b/unbound-1.24.2/util/net_help.h
@@ -478,9 +478,11 @@ void log_cert(unsigned level, const char* str, void* cert);
/**
* Set SSL_OP_NOxxx options on SSL context to disable bad crypto
* @param ctxt: SSL_CTX*
+ * @param use_system_versions: rely on the system policy (if any) for allowed
+ * TLS versions
* @return false on failure.
*/
-int listen_sslctx_setup(void* ctxt);
+int listen_sslctx_setup(void* ctxt, int use_system_versions);
/**
* Further setup of listening SSL context, after keys loaded.
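Review bot: the doc comment for `listen_sslctx_setup` still opens with `Set SSL_OP_NOxxx options on SSL context to disable bad crypto`; with `use_system_versions` set the version-related options are no longer applied, so extend the description, e.g. `... unless use_system_versions is set, in which case the allowed protocol versions are left to the crypto library and system policy`. The same applies to the `listen_sslctx_create` comment in the next hunk, which gains the parameter but not the behavioural note.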
@@ -499,12 +501,14 @@ void listen_sslctx_setup_2(void* ctxt);
* to be set.
* @param is_dot: if the TLS connection is for DoT to set the appropriate ALPN.
* @param is_doh: if the TLS connection is for DoH to set the appropriate ALPN.
+ * @param use_system_versions: rely on the system policy (if any) for allowed
+ * TLS versions
* return SSL_CTX* or NULL on failure (logged).
*/
void* listen_sslctx_create(const char* key, const char* pem,
const char* verifypem, const char* tls_ciphers,
const char* tls_ciphersuites, int set_ticket_keys_cb,
- int is_dot, int is_doh);
+ int is_dot, int is_doh, int use_system_versions);
/**
* create SSL connect context
diff --git a/unbound-1.24.2/winrc/win_svc.c b/unbound-1.24.2/winrc/win_svc.c
index 429b045..6fca0c7 100644
--- a/unbound-1.24.2/winrc/win_svc.c
+++ b/unbound-1.24.2/winrc/win_svc.c
@@ -369,7 +369,7 @@ service_init(int r, struct daemon** d, struct config_file** c)
cfg->tls_ciphers, cfg->tls_ciphersuites,
(cfg->tls_session_ticket_keys.first &&
cfg->tls_session_ticket_keys.first->str[0] != 0),
- 1, 0))) {
+ 1, 0, cfg->tls_use_system_policy_versions))) {
fatal_exit("could not set up listen SSL_CTX");
}
#ifdef HAVE_NGHTTP2_NGHTTP2_H
@@ -379,7 +379,7 @@ service_init(int r, struct daemon** d, struct config_file** c)
cfg->tls_ciphers, cfg->tls_ciphersuites,
(cfg->tls_session_ticket_keys.first &&
cfg->tls_session_ticket_keys.first->str[0] != 0),
- 0, 1))) {
+ 0, 1, cfg->tls_use_system_policy_versions))) {
fatal_exit("could not set up listen doh SSL_CTX");
}
}
--
2.52.0


@ -0,0 +1,118 @@
# Allow forwarding of private ranges, which are marked forwardable by IANA
# https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
# https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
# https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml
# RFC 6303: Locally Served DNS Zones (https://www.rfc-editor.org/rfc/rfc6303.html)
#
# Using this configuration file will simplify forwarding to potentially private ranges.
# Enables forwarding of networks marked as forwardable at IANA special registry.
# This is useful when upstream forwarder may be still inside private network. That is the case
# when unbound works as a localhost DNS cache, not network wide resolver.
server:
# RFC 8375: Special-Use Domain 'home.arpa.'
local-zone: "home.arpa." nodefault
# RFC 1918: Address Allocation for Private Internets
local-zone: "10.in-addr.arpa." nodefault
local-zone: "16.172.in-addr.arpa." nodefault
local-zone: "17.172.in-addr.arpa." nodefault
local-zone: "18.172.in-addr.arpa." nodefault
local-zone: "19.172.in-addr.arpa." nodefault
local-zone: "20.172.in-addr.arpa." nodefault
local-zone: "21.172.in-addr.arpa." nodefault
local-zone: "22.172.in-addr.arpa." nodefault
local-zone: "23.172.in-addr.arpa." nodefault
local-zone: "24.172.in-addr.arpa." nodefault
local-zone: "25.172.in-addr.arpa." nodefault
local-zone: "26.172.in-addr.arpa." nodefault
local-zone: "27.172.in-addr.arpa." nodefault
local-zone: "28.172.in-addr.arpa." nodefault
local-zone: "29.172.in-addr.arpa." nodefault
local-zone: "30.172.in-addr.arpa." nodefault
local-zone: "31.172.in-addr.arpa." nodefault
local-zone: "168.192.in-addr.arpa." nodefault
# RFC 6598: IANA-Reserved IPv4 Prefix for Shared Address Space
local-zone: "64.100.in-addr.arpa." nodefault
local-zone: "65.100.in-addr.arpa." nodefault
local-zone: "66.100.in-addr.arpa." nodefault
local-zone: "67.100.in-addr.arpa." nodefault
local-zone: "68.100.in-addr.arpa." nodefault
local-zone: "69.100.in-addr.arpa." nodefault
local-zone: "70.100.in-addr.arpa." nodefault
local-zone: "71.100.in-addr.arpa." nodefault
local-zone: "72.100.in-addr.arpa." nodefault
local-zone: "73.100.in-addr.arpa." nodefault
local-zone: "74.100.in-addr.arpa." nodefault
local-zone: "75.100.in-addr.arpa." nodefault
local-zone: "76.100.in-addr.arpa." nodefault
local-zone: "77.100.in-addr.arpa." nodefault
local-zone: "78.100.in-addr.arpa." nodefault
local-zone: "79.100.in-addr.arpa." nodefault
local-zone: "80.100.in-addr.arpa." nodefault
local-zone: "81.100.in-addr.arpa." nodefault
local-zone: "82.100.in-addr.arpa." nodefault
local-zone: "83.100.in-addr.arpa." nodefault
local-zone: "84.100.in-addr.arpa." nodefault
local-zone: "85.100.in-addr.arpa." nodefault
local-zone: "86.100.in-addr.arpa." nodefault
local-zone: "87.100.in-addr.arpa." nodefault
local-zone: "88.100.in-addr.arpa." nodefault
local-zone: "89.100.in-addr.arpa." nodefault
local-zone: "90.100.in-addr.arpa." nodefault
local-zone: "91.100.in-addr.arpa." nodefault
local-zone: "92.100.in-addr.arpa." nodefault
local-zone: "93.100.in-addr.arpa." nodefault
local-zone: "94.100.in-addr.arpa." nodefault
local-zone: "95.100.in-addr.arpa." nodefault
local-zone: "96.100.in-addr.arpa." nodefault
local-zone: "97.100.in-addr.arpa." nodefault
local-zone: "98.100.in-addr.arpa." nodefault
local-zone: "99.100.in-addr.arpa." nodefault
local-zone: "100.100.in-addr.arpa." nodefault
local-zone: "101.100.in-addr.arpa." nodefault
local-zone: "102.100.in-addr.arpa." nodefault
local-zone: "103.100.in-addr.arpa." nodefault
local-zone: "104.100.in-addr.arpa." nodefault
local-zone: "105.100.in-addr.arpa." nodefault
local-zone: "106.100.in-addr.arpa." nodefault
local-zone: "107.100.in-addr.arpa." nodefault
local-zone: "108.100.in-addr.arpa." nodefault
local-zone: "109.100.in-addr.arpa." nodefault
local-zone: "110.100.in-addr.arpa." nodefault
local-zone: "111.100.in-addr.arpa." nodefault
local-zone: "112.100.in-addr.arpa." nodefault
local-zone: "113.100.in-addr.arpa." nodefault
local-zone: "114.100.in-addr.arpa." nodefault
local-zone: "115.100.in-addr.arpa." nodefault
local-zone: "116.100.in-addr.arpa." nodefault
local-zone: "117.100.in-addr.arpa." nodefault
local-zone: "118.100.in-addr.arpa." nodefault
local-zone: "119.100.in-addr.arpa." nodefault
local-zone: "120.100.in-addr.arpa." nodefault
local-zone: "121.100.in-addr.arpa." nodefault
local-zone: "122.100.in-addr.arpa." nodefault
local-zone: "123.100.in-addr.arpa." nodefault
local-zone: "124.100.in-addr.arpa." nodefault
local-zone: "125.100.in-addr.arpa." nodefault
local-zone: "126.100.in-addr.arpa." nodefault
local-zone: "127.100.in-addr.arpa." nodefault
# RFC 4193: Unique Local IPv6 Unicast Addresses
local-zone: "d.f.ip6.arpa." nodefault
# RFC 2606: Reserved Top Level DNS Names
local-zone: "test." nodefault
domain-insecure: "test"
domain-insecure: "example"
# RFC 6762: Multicast DNS, Appendix G
domain-insecure: "local"
domain-insecure: "intranet"
domain-insecure: "private"
domain-insecure: "corp"
domain-insecure: "home"
domain-insecure: "lan"
# draft-davies-internal-tld
domain-insecure: "internal"
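Review bot: the header comment should state the trade-off this file makes: every domain-insecure line turns off DNSSEC validation for the whole tree under that name, so a forged answer for anything below corp, lan, internal or example is accepted without proof. That is acceptable for the localhost-cache case the comment describes, but it is the wrong default for a network-wide resolver, and the comment should say which deployments must not include this file. Smaller points: the local-zone lines use a trailing dot ("test.") while the domain-insecure lines do not ("test"), which is legal but looks accidental; and the "RFC 6762, Appendix G" heading fits intranet, private, corp, home and lan (Appendix G also lists internal), while local itself is the mDNS domain defined in the body of that RFC.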


@ -0,0 +1,113 @@
From a8be97bada623287cdd911c7a4549bbceef9fea0 Mon Sep 17 00:00:00 2001
From: Tomas Korbar <tkorbar@redhat.com>
Date: Tue, 4 Feb 2025 09:48:12 +0100
Subject: [PATCH] Customize unbound.conf for Fedora defaults
Set some Fedora/RHEL-specific changes to the example configuration file. By
patching the upstream-provided config file we would not need to manually
update the external copy in the source RPM.
---
unbound-1.24.2/doc/example.conf.in | 33 ++++++++++++++++++++++++++++--
1 file changed, 31 insertions(+), 2 deletions(-)
diff --git a/unbound-1.24.2/doc/example.conf.in b/unbound-1.24.2/doc/example.conf.in
index fda565c..cf10b85 100644
--- a/unbound-1.24.2/doc/example.conf.in
+++ b/unbound-1.24.2/doc/example.conf.in
@@ -51,11 +51,19 @@ server:
# specify 0.0.0.0 and ::0 to bind to all available interfaces.
# specify every interface[@port] on a new 'interface:' labelled line.
# The listen interfaces are not changed on reload, only on restart.
+ # interface: 0.0.0.0
+ # interface: ::0
# interface: 192.0.2.153
# interface: 192.0.2.154
# interface: 192.0.2.154@5003
# interface: 2001:DB8::5
# interface: eth0@5003
+ #
+ # for dns over tls and raw dns over port 80
+ # interface: 0.0.0.0@443
+ # interface: ::0@443
+ # interface: 0.0.0.0@80
+ # interface: ::0@80
# enable this feature to copy the source address of queries to reply.
# Socket options are not supported on all platforms. experimental.
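Review bot: the comment "for dns over tls and raw dns over port 80" mislabels the 443 lines. Later in this same patch the defaults are tls-port: 853 and https-port: 443, so interface lines on 443 serve DNS over HTTPS, not DNS over TLS; say so, and say why plain DNS on port 80 is offered at all (it is unencrypted, so it is only a firewall workaround). The 0.0.0.0 / ::0 examples added at the top are fine as comments, but a note that they expose the resolver on every address and need matching access-control entries would save someone a surprise.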
@@ -295,6 +303,8 @@ server:
# nat64-prefix: 64:ff9b::0/96
# Enable UDP, "yes" or "no".
+ # NOTE: if setting up an Unbound on tls443 for public use, you might want to
+ # disable UDP to avoid being used in DNS amplification attacks.
# do-udp: yes
# Enable TCP, "yes" or "no".
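Review bot: the NOTE's advice is broader than it reads. "tls443" is the DoH listener (https-port: 443 in this patch), and do-udp is a server-wide switch under server:, not a per-interface one, so do-udp: no also stops Unbound from using UDP for its own upstream queries. Unbound has udp-upstream-without-downstream for precisely the case described here (refuse UDP from clients, keep it upstream); point at that option, or at access-control and ratelimit, rather than at do-udp alone.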
@@ -330,6 +340,9 @@ server:
# can be dropped. Default is 0, disabled. In seconds, such as 3.
# sock-queue-timeout: 0
+ # Fedora note: do not activate this - not compiled in because
+ # it causes frequent unbound crashes. Also, socket activation
+ # is bad when you have things like dnsmasq also running with libvirt.
# Use systemd socket activation for UDP, TCP, and control sockets.
# use-systemd: no
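Review bot: the Fedora note says socket activation is "not compiled in", but the spec in this same change builds with %bcond_without systemd and BuildRequires systemd-devel, and the unit switches to Type=notify, which only works with that support compiled in. What the note means is that the shipped unit files do not use socket units; reword it to say that, and drop or date the "frequent unbound crashes" claim, which nobody can verify from here. As written, a reader will assume the whole systemd integration is absent.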
@@ -919,6 +932,8 @@ server:
# you need to do the reverse notation yourself.
# local-data-ptr: "192.0.2.3 www.example.com"
+ include: /etc/unbound/local.d/*.conf
+
# tag a localzone with a list of tag names (in "" with spaces between)
# local-zone-tag: "example.com" "tag2 tag3"
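Review bot: this include sits inside the server: clause, so everything in /etc/unbound/local.d/*.conf is parsed as server: options; a file there that opens with forward-zone: or stub-zone: ends the server clause, and any uncommented server: option placed after the include would then be read in that zone clause. State in the comment that local.d files are for server: directives only (local-zone, local-data, access-control and friends). The path is also hard-coded as /etc/unbound while the other include added by this patch uses @sysconfdir@/unbound; use the same macro.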
@@ -929,8 +944,8 @@ server:
# the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
# Give the certificate to use and private key.
# default is "" (disabled). requires restart to take effect.
- # tls-service-key: "path/to/privatekeyfile.key"
- # tls-service-pem: "path/to/publiccertfile.pem"
+ # tls-service-key: "/etc/unbound/unbound_server.key"
+ # tls-service-pem: "/etc/unbound/unbound_server.pem"
# tls-port: 853
# https-port: 443
# quic-port: 853
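Review bot: the suggested tls-service-key / tls-service-pem values point at /etc/unbound/unbound_server.key and .pem. If those are the self-signed credentials of the remote-control channel (the remote-control section below uses the sibling unbound_control.pem), they are the wrong thing to serve to DoT/DoH clients: no client will trust them, and reusing the control-channel key for a public listener means a compromise on one side affects the other. Say in the comment that a CA-issued certificate has to replace these and that the key file must not be world-readable.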
@@ -1184,6 +1199,12 @@ remote-control:
# unbound-control certificate file.
# control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
+# Default Fedora settings
+include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf"
+
+# Stub and Forward zones
+include: "@sysconfdir@/unbound/conf.d/*.conf"
+
# Stub zones.
# Create entries like below, to make all queries for 'example.com' and
# 'example.org' go to the given list of nameservers. list zero or more
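Review bot: both includes land after the remote-control: clause, so fedora-defaults.conf and every file matched by conf.d/*.conf must begin with its own clause keyword (server:, forward-zone:, stub-zone:, auth-zone:); a file that starts with bare options will have them read as remote-control settings and fail the config check. That deserves a sentence in each comment, since conf.d is where administrators drop files. "Stub and Forward zones" is also narrower than what the directory accepts; "additional clauses (stub, forward and auth zones)" would be accurate.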
@@ -1204,6 +1225,10 @@ remote-control:
# name: "example.org"
# stub-host: ns.example.com.
+# You can now also dynamically create and delete stub-zone's using
+# unbound-control stub_add domain.com 1.2.3.4 5.6.7.8
+# unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8
+
# Forward zones
# Create entries like below, to make all queries for 'example.com' and
# 'example.org' go to the given list of servers. These servers have to handle
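Review bot: the stub_add / stub_remove examples use domain.com and 1.2.3.4 5.6.7.8; domain.com is a registered name and those are real routable addresses, while the rest of this file uses example.com/example.org and the 192.0.2.0/24 documentation range. Use those here and in the forward_add / forward_remove lines of the next hunk. "You can now also" reads like a changelog entry; "You can also" is enough in a config file.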
@@ -1221,6 +1246,10 @@ remote-control:
# forward-zone:
# name: "example.org"
# forward-host: fwd.example.com
+#
+# You can now also dynamically create and delete forward-zone's using
+# unbound-control forward_add domain.com 1.2.3.4 5.6.7.8
+# unbound-control forward_remove domain.com 1.2.3.4 5.6.7.8
# Authority zones
# The data for these zones is kept locally, from a file or downloaded.
--
2.52.0


@ -0,0 +1,5 @@
[Unit]
Before=network-online.target
[Install]
WantedBy=network-online.target


@ -0,0 +1,30 @@
# Authority zones
# The data for these zones is kept locally, from a file or downloaded.
# The data can be served to downstream clients, or used instead of the
# upstream (which saves a lookup to the upstream).
#
# Download local root copy and answer TLD queries from it. Because
# auth-zone has higher precedence, defined forward-zones to internal
# only TLD will not work. Use stub-zone or disable this zone.
# Good for a network-wide resolvers, worse for a localhost caching forwarder.
auth-zone:
name: "."
primary: 170.247.170.2 # b.root-servers.net
primary: 192.33.4.12 # c.root-servers.net
primary: 199.7.91.13 # d.root-servers.net
primary: 192.5.5.241 # f.root-servers.net
primary: 192.112.36.4 # g.root-servers.net
primary: 193.0.14.129 # k.root-servers.net
primary: 192.0.47.132 # xfr.cjr.dns.icann.org
primary: 192.0.32.132 # xfr.lax.dns.icann.org
primary: 2801:1b8:10::b # b.root-servers.net
primary: 2001:500:2::c # c.root-servers.net
primary: 2001:500:2d::d # d.root-servers.net
primary: 2001:500:2f::f # f.root-servers.net
primary: 2001:500:12::d0d # g.root-servers.net
primary: 2001:7fd::1 # k.root-servers.net
primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org
fallback-enabled: yes
for-downstream: no
for-upstream: yes
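Review bot: "Good for a network-wide resolvers" should read "Good for network-wide resolvers". More substantively, no zonefile: is given, so the root zone lives in memory only and is transferred again from the listed primaries at every start; with fallback-enabled: yes the resolver keeps working while that transfer fails, but it silently falls back to ordinary recursion, which is the behaviour this file exists to replace. A zonefile under /var/lib/unbound keeps the last good copy across restarts. The b.root-servers.net addresses here (170.247.170.2, 2801:1b8:10::b) are the current ones, unlike the stale copy left commented out in unbound.conf in this same change.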


@ -1071,27 +1071,27 @@ include: /etc/unbound/conf.d/*.conf
# download it), master: fetches with AXFR and IXFR, or url to zonefile.
# With allow-notify: you can give additional (apart from masters) sources of
# notifies.
auth-zone:
name: "."
primary: 199.9.14.201 # b.root-servers.net
primary: 192.33.4.12 # c.root-servers.net
primary: 199.7.91.13 # d.root-servers.net
primary: 192.5.5.241 # f.root-servers.net
primary: 192.112.36.4 # g.root-servers.net
primary: 193.0.14.129 # k.root-servers.net
primary: 192.0.47.132 # xfr.cjr.dns.icann.org
primary: 192.0.32.132 # xfr.lax.dns.icann.org
primary: 2001:500:200::b # b.root-servers.net
primary: 2001:500:2::c # c.root-servers.net
primary: 2001:500:2d::d # d.root-servers.net
primary: 2001:500:2f::f # f.root-servers.net
primary: 2001:500:12::d0d # g.root-servers.net
primary: 2001:7fd::1 # k.root-servers.net
primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org
fallback-enabled: yes
for-downstream: no
for-upstream: yes
#auth-zone:
# name: "."
# primary: 199.9.14.201 # b.root-servers.net
# primary: 192.33.4.12 # c.root-servers.net
# primary: 199.7.91.13 # d.root-servers.net
# primary: 192.5.5.241 # f.root-servers.net
# primary: 192.112.36.4 # g.root-servers.net
# primary: 193.0.14.129 # k.root-servers.net
# primary: 192.0.47.132 # xfr.cjr.dns.icann.org
# primary: 192.0.32.132 # xfr.lax.dns.icann.org
# primary: 2001:500:200::b # b.root-servers.net
# primary: 2001:500:2::c # c.root-servers.net
# primary: 2001:500:2d::d # d.root-servers.net
# primary: 2001:500:2f::f # f.root-servers.net
# primary: 2001:500:12::d0d # g.root-servers.net
# primary: 2001:7fd::1 # k.root-servers.net
# primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
# primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org
# fallback-enabled: yes
# for-downstream: no
# for-upstream: yes
# auth-zone:
# name: "example.org"
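Review bot: the auth-zone block is commented out rather than removed, and the commented copy still lists the old b.root-servers.net addresses (199.9.14.201 and 2001:500:200::b) while the new unbound-local-root.conf in this change uses 170.247.170.2 and 2801:1b8:10::b. A dead block that diverges from the live one is a trap for whoever uncomments it; delete it and leave one comment pointing at the conf.d file.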


@ -8,10 +8,10 @@ Before=nss-lookup.target
Wants=nss-lookup.target
[Service]
Type=simple
Type=notify
EnvironmentFile=-/etc/sysconfig/unbound
ExecStartPre=/usr/sbin/unbound-checkconf
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_UNBOUND_ANCHOR" == "yes" ]; then /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R; else echo "Updates of root keys with unbound-anchor is disabled"; fi'
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_UNBOUND_ANCHOR" == "yes" ] && [ ! -f /run/unbound/anchor-disable ]; then /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R; else echo "Updates of root keys with unbound-anchor is disabled"; fi'
ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
ExecReload=/usr/sbin/unbound-control reload
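Review bot: two points on this hunk. Type=notify needs Unbound built with systemd support (the spec's %bcond_without systemd) so that it sends READY=1; a build with --without systemd will never reach "active" and the start job will time out, so either hard-require the feature or keep Type=simple for that build. The new /run/unbound/anchor-disable check turns off root trust-anchor refresh for every later restart as long as that file exists; if /run/unbound is owned by the unbound service user, as runtime directories usually are, the daemon itself, or anything that compromises it, can create the file. Document who is meant to create it, and consider a root-owned location or the existing DISABLE_UNBOUND_ANCHOR variable instead.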

1
SOURCES/unbound.sysusers Normal file

@ -0,0 +1 @@
u unbound - "Unbound DNS resolver" /var/lib/unbound /sbin/nologin


@ -0,0 +1,212 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Public Key Server -- Get "0x9f6f1c2d7e045f8d "</title>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<style type="text/css">
/*<![CDATA[*/
.uid { color: green; text-decoration: underline; }
.warn { color: red; font-weight: bold; }
/*]]>*/
</style></head><body><h1>Public Key Server -- Get "0x9f6f1c2d7e045f8d "</h1>
<pre>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: SKS 1.1.6
Comment: Hostname: sks.pod02.fleetstreetops.com
mQINBE2v/RwBEACyQpJlpCeSZBV1QUH7jNEp5xGdo6OnX2h9XoZ4ZPsb+u6OT+xESH45ncnI
SUh8rPCygbeWOoPR/yOBzh+lYoGxQ5iUHtwRrhHq04sQe/qFpXDO2xs61pTcPU2PnH7Rsr2q
p6fZLPHuXLolD7NJfaSib8sVeMM0/ecyl/L2bBg9NpaGDX0xTQh95M8o6AFo6UKWApBpgsvE
Zr2aH/B8b9KnCWFhfJyheEM7DamksdZNsKxXQyq3l/ROfdsMLZGF8vPbYV/v11G4keyaLpn8
AbBpybIiw9SYDwf2ENk3+e1NFfMaiiyEqn9+aaLTKCY87TMUuoN3s3jWOOy5tHXzf6DbKhub
4Awsby3DH5YpPhi4N2vj2pAXVpl5+m78cH29JLzT+HAoyZ4tq1r3m0P5QogNqYwqxkKWYOjD
ilNDBiKiDdgtrLYGx+ABovKG/FvToJoaCL4AFaVCzWmL2uHkSgyBN0FPHatCB1UeEkcQit6T
8E2NQqmFWjUMXSWHHajSMG95+L5PdLHz/Ku0o3Csvlt2pkElYZmzJBfnOM9JevdsmKr/ruJC
/DCZAn5w2S/9ZF5qfo2F9HUKIwE/dChR29HcN8V4nqZs9oCvEMfFhHmrfwDc5hedhvb6mAkv
SFFtKIrygLIVeWRj3FE9sGp6sr4VwOLYTFRNk7mAsWD1rZApeQARAQABtCdXLkMuQS4gV2lq
bmdhYXJkcyA8d291dGVyQG5sbmV0bGFicy5ubD6IRgQQEQIABgUCThRSKQAKCRD5yv3rOc/E
3iiwAJ0SIjqFSwBm7sEZf2nn4JhkWKoG0gCfTD0g9RhtJFZa+0rdtMGUpYtDA1aIRgQQEQIA
BgUCT/FYZQAKCRDidkIqx06dxeI6AJ9JZvcA78yRPDAMS+TklrNhFbEixgCgwiltuquOD4Qw
vTS+NZr1ECUit8+IRgQTEQIABgUCTa///wAKCRCQMuo3A6Gk+Ot2AKCi4IvI/AT2kSzy0pWH
Zfrpl93zlACZAaBqkUKcA1jxk8HtqDYtuCRhSfiIRgQTEQIABgUCTb7dfwAKCRCL5TxDRLCU
K/4yAJ9Zgx/YRiu/X+KLDTQoYXTxNNbCHACfcBLrfl5uABiyOzBC+/R5rXnoRaqIRgQTEQIA
BgUCV+zVuQAKCRAjc9NHiaFq+OY4AKC6GV6dlBdvo4bEaJpWPHh9WShqIwCgjJi+haVoUR52
ovPF0zsXx6/um+GITAQTEQIADAUCTbAJsgWDCWX06gAKCRC039xrdgkihyx4AJ9iuMMszOpC
jRYkVjTgmDyVmAA5uACg7qmMbKb03FbTFdd5VG5/6RTiPtSJARwEEAECAAYFAlTvL9UACgkQ
lumWUDlMmaxLZgf/WeQK3FqemgsgcNCfkPuE9XpSdyJhQ+n1Yb6tAK4osry7H3lFBQIKTpmX
SxauZDazYt6G4BYWsA0ARBwZVOaEaIbFRHFWs3/SLynNf9ZGBw8FumIMlEw3+tUdZck6u7pU
q1OFeL1HWRLEC/njyLe7zAFHHWwMUIL9ZAZGiknADbqiiyF/JTcv4cpfNhdRAFzRriUJ2zYf
0r6vKnf8pjc9QfDricAq/WzfANycfaSqx5GEBokxZY3lq/oLe4dGpZmrGecvBMtmTRHAG0Ln
sNwXVujej3sU0vfhkZ1A0lnKoZCOTwGTPkL3dkOwbUdoYiYakTjM8NKav/TxNDxdaG/QbYkB
HAQQAQgABgUCVnyBkgAKCRAIbcKm1AudBFrsB/9oKXW7oiQ7eJJ036fsfM5UODQGoXc1XO0R
TEV/8pBRSDhqOVwRUsPqgtU6p2UWJbwxgB7MmPt3Z4cXs+ff1jkTzn/iefMyB7W6NogotrTt
Nlj8x30Y9dVJB4KSHnQW2Gsf/OmZM9cDBAuyK3j3yLWkn65FRKVoH/4sYil1Tm/ogEC8vdvX
RpwsCaZG8HOLDphjjU0JErE1jWk2L+P0TeGCmbrsfhORxTaCROjvcJ0fQsdX7kcA262iRrU0
xDlBBYZA9wyGfd4wf+zIt7LcVBjNNvIUdUC3Uf0prYJawaG2/YV6R7eY4ooJxTutadugLmZp
fBRiITflLZssO3YAW9RxiQEcBBMBCgAGBQJU7y/ZAAoJEMFDUWYtzEe6MyQIALSGlZ4X0LJw
6zNoHGVxC0P911NBtDRO2/Hfg38UMT8KjQ1jOynm1KZm67viNOVGRGWar23PNppofpViZSlQ
xUXUyLXVajcV9klg7RV7GC/3P2dvrCjELHXJ6w8qrcUKDighjbdctHXiQ9W5nU1IWPTLdg+z
cvTbSVybvLwcbu5kzUzlYvesetJjSWnU9PXswed2cN9sqN3ikrWlYv4qHp6RwrLBN/VjZQov
AxXN68PHxLz8GNxZTO9Aa4j4CheejXPVHDhqqw/K0XI86hnvZX7kwy4KBq/o4Kl+fstaOM6T
571D2fljTVztmsKZBhiuKm1t8/Ltoifch+bpFx5AZkaJAhwEEAECAAYFAk2+3aIACgkQi0GC
sRlrLScyHw//accdcVbHGYLwS0imk5SMEJX2bdu87uXqseeMU5OhnYip4ySQ727VihGYkhmL
c/o1dIEznvFudWc/fMEi0x3R5J53Qbt3XQEUjOgZUoeomQJCItoJsDRoItvgdUvj3o6hVWhu
+8PL6oC2J/JAHvfsMKiaTBHrUcNdgovLPGo5bcZCJwOxqPLYPLW2fCkanY9EhbyVAsFIiuH4
+8tSDnqrgZFATyDqhqAYP96CanJrSalB6l/2r10q3V/OxcyCwys5w54FExhQAhpwThpbpFcK
kBrM647ak7x8dZha4C/RltwkFn6jFp2sNUSEa0USTOTyDw7WkqgZZOWvauQ+fKgSOJwWU+MR
cs11bNEGtwBu+wPheeyAlITu7A9PIrMZTmmJKy124I7ZvfXF3NZrHVm2KanLaWqHrso8tYg4
9C7ptSCEZlgLHaeOl1wOOLbH6OneB3mQqf2u0elWYv64sbEqmFwd0C4rFeT7VSFSDLc1AsZB
zc4WveDPnjzMXE2KLIwP+/x+betpntuYKYzYov0fryS79fjwu5JGh0gfEDITSta+tPRAYqKf
mCt/jpeZxUQBfI6SW6LyP2Go8uYlbplV5IJuZ04c2Pr/9G/e3vh4O/kJmDZo4EX9op9TKJpg
w/shReVuUAP9E24rD0oEyiWnHu/ZsgMtaVKQc2SsIghSG8eJAhwEEAEKAAYFAlTvL+sACgkQ
V0EnLQMH4n8IuA//cZqhGvBiSNpRkSjjZWu5BY7fhMOdshiVPkEZmILRytnXnxVcu+PuuIk0
kXfgt/jcS762dBZK3UOVAAsGsLfkisLN18UGWKhokNUWybSmdmhTb6Ns5tJbZfnFTaSjA3Gk
Z+R/U8O1tNHTmqBfYHTSq8utpIi1JEJRf5itUYytP75nt0rnjpYTFEbvKgukgZldLDk581Zc
x4Y6pj1ILrxtqF369yBtYIEkHFcYDuXsApTIXY1G4V5mq4t9QCk07E2ZKZ2aJjaCA7VeD+vR
8Z50oyu4kuc1RdFnP8TfQUAr/tYIFinuzKSqELu9b+JSPO3qawXaq9Y+X42XWkeQSeu7SNl2
xqe1uVhHd8qduf8U438fUOBeY+gpae9e2IPbErU+itmd+m+WlHp8FUH2pS6VlXXhBrBPEZ3+
8ph9wUtSAenFVyT1leu21pMuP2nNpD2nTsNlYcX9gA/vkA7bQyOtaEOC+8zNHtZYhx4u/nmI
+yZ4Cc95CmfwTE0/fRX+T+jK2x5ZGRZMudygnKRbnod+OgnNVBWIykGSzULKgLY9i5PlxCA2
a7FUoLpIOW4OJSgo6WNsBc3j48RjqNm3cUcLco1kDcoGaQ43dGyLVGMlB332u6m2W+g+AwGm
vhJQh3yy5XYvRXRzfiHvWUok8ess1/0qSRua22JY14KBxJF80EeJAhwEEwECAAYFAk2wI04A
CgkQ5fj4IS93pJjaOw/8DG4fn6z4LYmY3MsLNu2Efg9YflaWPkD+z0iLPGUHhrzObIIMfGL0
kpqYJSbvYqYUSIR8AjQGwRrJVidBqOX9bK7ZVPPvsX61hjt6e0T0O2Q6JuDMCfseiseLBo/a
6DJu2P7LfDNGaath0WMonOxnqs+kRG8SVyTqmbnyC0AwthgYB57CIyNuz3MPkQr7pJNmyWFv
kUYs7Z2Awq0hyD9M1KAV8igqFGYjrZAJoSv1nX6OzGRCSFmxqKwmCd7OtHLpqdNHos5CLhrj
ouLJwiNt8gv7w06owYFxEsctAGqjVjvvtD0L19Skp3jgLAro6x53UFUtxm+Z/8YLLh+lNHJx
JMDQu5CpSn3zLwRkF/cYgINOa1CS1yceynlbRGxrIb2vSfmnZeNZ2cTwedM/+9C044DfIB1y
9FmmZBaXOaA4ITjvcEf2FpFn9MdF+zN8N8AN5m1y/qftFqgG0P40AQ0hQAhk+F8JxD7wVh65
jcj62f287L1h8EDo/NE1JH8dAb9dUlJQeohAkiIMurDYLYRop9u+ogtUtRpMKXTwgNUanIq7
oTYpNunbI1NUXc9Fdi9Z8OYZagHlo4v6T3fqvaRbGElncoF6faz7les2zh2S8etACX7mNsxV
c6kXIpdHqoHKGShdxtb+PhRirbIxdCzlFstk5c9zpsCJCr/yu+pCL6KJAiIEEAECAAwFAk2w
CcoFgwll9NIACgkQVGoRHjtqqmQGaRAAuHuKIupTerS7qrEIkyOvECN06fg+U/caYv3Qpue0
4ZC2aIk4oK/7wsuhEsMLCL3J1JFYCCmbc0QfYBtzIM5lu9SX7/1R8/+VnCvYvME8tKdMdQAM
BWq4ZG5Bi9rH8j+450mjgmPRC0s8tmmfp62gB9zBAd/poVZQOVSUV43HE3n6Vkxj0ediGEmw
GakB2pPtAY7HAaLxRdXidwjNTzpAz7JPinoZgpz/MYseuxSSyhIqqREYn/ynX1+YQhu1l4X6
rpIsVWawMv93PhO42Y3Ny6SvC/hnZ1J+Y359quClHTQ/ogrbZrbhlKtpJNeNOCBKUzgIuT3/
PSy1XheYQR2m8SbOmOMpgInr16i3ijsYBKI6qdoxB//YCkFCJmxfCUqRGPe6sAW2n9ow4VmE
rAUDEqYTPDzkRA5zBY6C6cMugoClY8LidDwKHGXjbPMLz+CnWIVsC8BedjQcfPkuQs/P4QtQ
+UYwt6UiFywYe4Na9JfJsYDwkUaKgZadva/JFxGkm7ApMpeMBuZUDIl9qptKipdmRrMnBx9l
fvBqrrXYKPEzVMW0FpX9D5F1L4k5u3x4B0VDZ9WPJgkSKFQIMatDxFsyJNWZmh/0dODC/LKF
mZZCk3B34rr91He99MzKNrrq3vZSlbMKoCQYjDGQDWVXCplwjq1zCt/JSZUJYVhwbcyJAiIE
EQECAAwFAlRgbtMFgwK1j8kACgkQBhyEc3tNEByR3A/+MKwW1tgIspbnE8WEGjdNJtXUHQUv
UJHFTuoBNKZA/uAYxe7FLoSKQI8lH5PgJrLnu8lq0Z7h4BObnx7F4NrB1ixTtMGgRXD1amVY
Gw6STlXH6Fhr/0RvBTg/wbdm/nFFdaEEhclMNHY/mW69bcqGjHjcnk6nOmlVrYegWRGjGgTI
JBqHUhoX2+VixkMrBDSESBpHHQHlwsOlT9T0v3pCVHQz9I/WygQpn0bjgWEISyZkWbLcmJVZ
yYYmWU9WWw8n16qFChdO6BTEjChuzVupLS5LoBgxCJkh9gl4F6VGRg2kVvsQoxE0CKbM+4qy
qAAK2jrgQZRg4ihC2WmOpr9X0mrjO38Bz/tmZL389ZBzj9S3VO8otgBRgDbJvNHm8EjWdQHj
SOE2x5/F2T69g8IK3S/vkkKrySsjSlD/NJpWwldkUh1RtO7wFO2Zk+2+vr55joOjKApXKQgO
7PKw2awkL91UWWHAvJ3tTq/16FUypnY9RHM9rHtU8XDLCp4iEzE7rzIywEwX4fUAut4CRf8m
u3czrhdPh+oQyOyQHZJMdX0mCKZREPgKo2ca5iAFtzOzrgD5OTCD/Pz4+99+gLEMOML1bWQ4
R43L4YyrB1UIQUAvVmLDhn19bUcIS+wZ3kKI0et24wqjkaIsLSSounGBPxB4jOLhG0BBojzV
dvqUElOJAiIEEwECAAwFAk2wAP4Fgwll/Z4ACgkQrImYjct//fHn8Q/+JdXKAXtSq5ReGTDR
F3PcpsQK9q0LGvdyNPZ91oSkGl2UpcRhQ2KqTY0RJa7CZdk/3jG9G8aRuAmC6O5MhcsVU36j
zBTanDgiSqFEpJCLXWWkPbwWIXdL3/FVm/1iYkDNqOZkWsYxU6BixgrDJoKcIZctt2igZqqa
qdJYJ8tdbEXfW67rx+cu+DTXuZIuBwFETNix8zL7XpCQZAOG79IvBNaSaJr0x90tn+6rlLrk
w6+NCXFjzm9aDNGyyWTs7s4kLfDR1LbBGpJNL+kmWmF9hkQTFHDxwNmHPyhjZcHVXaRfdl86
ahClxBT6hitmurAGDIjjqy0d3Rs41Q3rcm9AZUWH4YbtRn2hXC/VCzsDvZvsjFB258mj4oDl
jcgeuoY4uJEK8EJa9RJ6z3+UATcDaZTmlWhmb3UhG6suhz4hjmC4Y+JcovSVvq9AJksLJA74
m6TxExiKzCGwy9xw1gcgJlFD4iVarfV4+jv5YGuPipPwz1ho6+P4uUOOtLFVHesSQ7S0W8eX
rMdbu1Plw+m+fad/Asb8SoUm4ckfCwgoDMZsrGHBLhMa9D7AW/4z478DWqM6aZnZlpK4pNk+
/jyW8cPDfjRePFKC/zH2Vm679JGgT13qQUJF1fja4KOSEi0lIKegPCRVJ1h0MseVgd2Qa9vX
2VJwbZkrnoBa6VZH8dqJAj4EEwECACgCGyMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJW
76tkBQkNAhVIAAoJEJ9vHC1+BF+N2tYQAIxArTFi1m0C8sv/wIJwKL3Y6LWu1dEZadHLslfT
bSF+2ZaWIyrg/QXcIkpUuGBn+V2nw46qZ8N+bAsxVJoJDzpRuqfs5+t/wq7xIZC4gzFjY4MH
3uGi5jhucMdozYKqLomQE34bW2B3Co3+Rx5wXa2reqXaTt5f3X74D4XkCki7WyKXMk8vhnxb
oxU50qu3MQzu3rWFGWxukQ+Pva9tUFnWGZOIgvhVbB3FBhqbEGg56d6yTIMMb6IwIjc/UYbc
RCST70B5y3+If26u4TSbGfZoo3xx+6hH3dw8X+jMLFLki3ABWc17f1ZE7UZPbNhoWBibSV/1
zNylGxHM1sbD3fyVneI9SJl77JsqAsqRWa+uQzn2WMdP31KsLXhVfGBDBKziBLet3Ntj20+m
zrZnWr7EJV9PHUhjk/ie3n3HBBXQjD6lX1L+ZVw6c9eXVQpvS2051gkSuurdGkX8PaD80O0v
Q5aohrwu+sGXJBiZY8q8rDvq+3hsnc1TfWNJzSjD+PsQ5WM6y3zqzrb3Oa2dsmNZWvos7LkQ
NQ+6yaoe/W3hnhEyN/w6sl01sUmhFdm/wVtbg3Nd4a0x/yTq8p56Ol0wfj54u6hkbt1yFTUl
xx+Cp/BanLSiOZvn12slxpCBULom/D2XROYY80iwThSshahxoWC/h04q8cDaFycwMzyuiQI+
BBMBAgAoBQJNr/0cAhsjBQkJZgGABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCfbxwt
fgRfjd8qEACMp3672f/ETQL/ZS3EnNj1937xu6ESRCUsvbjMiGzLW/2tQVQnoV40fBoRyeQ/
2d40VgUCsNayy7zqm7gRpKSjEddNGVReM//HuglrUwDhctvH9SUMNvJIpTeyur456NtUtSSd
VyQHaBXYnMm9Ultq/imKHen40shdJW+9aHfrHZ0hPTv8XQqssrunF/gMHw3LiemPIjlrvAnl
gM+NS0dUAVEJAm/9PJlXwhLvgo/jN9Y4zw2RMlAMNtfb6+EBXtKN7fjLL9AFGb3EZFuvvKj+
ZTuiOcHv991gS2R+9JYRb2LaGzOxzjAo4XkWYLks70ahBE3044mtblYt2M9qjOAhXSSGRehK
+/cinAd42Krrpba55R3V2fyGbB1UZOiX4qhZM/btU/T5LzKEOOdmlKJhk4PcUHIZyqXtRPKL
CoC7pWmPos0xKmfKR/x1lif2E9d/5/KcSvRGwv/EpFYclzXoTkgBg2Wq/rY1QaH4M0vK/hg8
r/qQU0po4rSK1V2TboYoC6daO077OJIypXBZy4Xwxyfsm+ScomXdNW1b2qp30YQAql31paAt
LrJUW3oKGMCVIF9ATq7Drhxh9knxo3f0JwNG3BFzNpKdQ6dYKrXBHeUIrZuuO2M/pXlpIa5j
JrU8Krpl6AHL4M7YSRVD3AM7oV2TX6kCTDhkcQBlSND/e4kCVQQTAQIAPwIbIwYLCQgHAwIG
FQgCCQoLBBYCAwECHgECF4AWIQTt+qPyyk5usFaBr46fbxwtfgRfjQUCWaU4BQUJEZjVaQAK
CRCfbxwtfgRfjb1YEACjkhtkyZkYURUmSZNL2IK/Zencv7DZGRfFrzijROFtHbe//H8o2Zhl
yiaFSA/dT1ehjsukkR0oFkYadA+qUi06WpxGmd/jf8hP4yTUZkwOhQAesWoNmnhKePNaVMKY
8DP57bA+N2pdCcGu7gUtYzq2JoTAtV+P/PE2w+H9eyBAulv6iUckM5/qvGfJPl8HB9BtgOpG
N79otVWO6ebM4TQ3cZYI9BDQnt9cF2pviex+z1iLZVJ8UeRxSxYhrBKPJioi0Q1OgcKyO56t
7EotzxKl5TzprgvdX4cdls+lehD8StlE2Xv/TScHvdOhJuVBrn3a3QjZPb4qSsz74leW5/EI
QmozBy+qf8AHcCmTXwb2U7oHOct7cVyS5+bFx+ThpV5OK0rjTH1LMNiuTeAN46c1y3prjZRp
QUlgVwj06q3Zz/fzDyueUS/r4lW4nAf/VNZy/rTS2HYPoZbHZVCtGpDIfag6fV6V97Pd3zfh
Tf2wmsJsw9Xhktp/o7rMBRSMhvL4oevOXb0JSG2583Q/JnCCceB4NxRRxsgkRYHwdnXN9FnO
PSa4NyvF4rzpPksLGZrhvm+lBvzVn/e40Q/KlxvSlnn2vW/WBM4pBq1jsoJrd/JkTdijZV7m
t7HQ2bCLXAPgfZjy7n79WiCQVHg7iYnNikiNWR5TR7JcvdkxOdiA/4kCVQQTAQgAPwIbIwYL
CQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQTt+qPyyk5usFaBr46fbxwtfgRfjQUCXe4JdQUJ
GaQN2QAKCRCfbxwtfgRfjQ8gEACe+49aDQHRuZdDHK1VCJKzhb+MvfdIjvl8eQxljpG9Uz5Y
17Bx4SWfuLHCeGlh1m6IOAWeW4g6Wowm1ec1PkVa79TdrkKb0MxfLSat6iDbiuVjDxy2bWok
W0/cPzJ/FoWDtEC0H9UTAMb5QGBDZUbLuwX7ZjvMkAhH15/hO9Gj4RHoH1RJGJALRtZzjtzs
JqL53kW/EV59V1T79Nocyx018iw50Jn02mI8wYJZ9HZc5C7D+K59vcqLRZgkrJrObw0sEv3Y
FOBYp/1DemH2nHPMBSKMmN5RAcr32guUjd4BEWf2Q7Ao+Qnhdi161W0YKCW4JAmOoQ4bQ0wf
E9Q5aUIGhUF52L+ac8Hy7dByaCExCA/WTqQQ/iVPybmpJQhFonWt/fmpxbE2wKThSEOHTO67
e5e3JfUb0vNKssyZojao4h1MF5nvaPNKoybWwKnpNM0ORcyl+aogKwW7E15TEU0TE5//gAsF
wRDcCnSEKnksgM0321m17RDfJbCajIv47DHDYE3yvhRZjCJCaw0Gow1sDRWjdOFpmIixD5/v
x5uxyqSHPuGAsXlEvl+Z3Rdc5bQ7pAWu7UNpR3hnJPfg8KL2xqOF75VKG9/NjLE80yj8wdVo
CfDvvizrBtOXnHI49gCMCfNqbGIb5yVhmTdeo7li+Te9hlJ2DrHnujGJlFe+p7kCDQRNr/0c
ARAApvDKeVLiSazESdTY9KsSWsqoB38pvOsu25M49tEjc5TtY5LwKNckqkeRlJ83O8dFG7UB
VuGwLKaf/6OR/pe24upZ27eOOWW7sXvQNv5aXlOYfF+mjIhUINqjq4pKDmO1c9J7h5d+auOV
fzcgfotg3BVCaKn56ucjiQJ059uUMfgWTvVlibnoJ7deZcgt8v7VcLK9jv+P8QJHTIyDzJd+
JjdjuHXqC/A37T5G9Z84x8wYrQY6mZmOIYaMjwIKdgFeN+nLk5henARUz4MTFUW4j9hHpuyA
FomDQ93/wkHZ9IEChTxdZnfvsd//Z45vfcX9dQM+tuR8XCYThVsScI1TnwR46hi5NkfmHo3H
VxwB8/owJ+FZDsTNBbJd7AVy27Xk4L5hLe7BwLDtFMyOp4lOipCM7//mtFB9mTzqnOwiSSyT
RlwGUBJkzQFWQa0Z6bfYwA6+y1dn19H519GW49irtl+2+W8W4N8oLriIjPvqrQOyaELFcRfV
6FfLi09HPhHVbejOqIEbOtfuN0+mjrrGAwortfTBjfw80N+W90BTvta4K2SyjHcJTkDYehfO
o/5IMpGtDsOgvsCbDaFRnNJuYtSqQmvWk1KIPIw6CkdJtZa3+q3YA7D7ovOVH1OBTKNdBjc+
X4W8L5R9MCymXWvgiP+52Sv1VIcZmsnCBrwK490AEQEAAYkCJQQYAQIADwIbDAUCVu+raQUJ
DQIVTQAKCRCfbxwtfgRfjVnYEACZ1E/FfLDi4vLUd9diImmNN/zWDHxTsO/VG3lt50rSoJM5
NGB4RlwcbUKhah2fD44FFiIqGIvKD9hRgB51dVRIkaR3ozVtXRBKxJJqWj38wf2FDLtUXC5/
JHYb0sjAc3ad2sA9xEmEBVO1lWK3J6h4gKZiAGlWz3oeOSve3vrTKsBlP0CurUeb4WTVpw4d
rBJD7cDh8SJ4/Cq76UFx8lW0xR+pHZHcd0/Ir5v5HnnEgbnut4IxeY3/CGBfQfSQHylK7ifm
PWq+dflC/ZdfHY1V96EHKPM44ZLwiczoY3qp5nkmEc3BY6+P8Ch5gddOYaY18wpedarswnpO
LQD2Xbsj66Eh0IZuuuZGyfOqJNaWbP33L27eg35XQNTgyhuZmDyRKL6yAbhU74TXCCvze/kk
fqDn2ouCtM8/kqLX1v0+NkBxlhZUkTTVDyclZtwu6Vypus3+j2Zqk8sXeUZI64sjXpzwOcMZ
xdl3QuyxMktExWzk9Q5DYqO+pj/YGt1vp2M0YgSUWNWCvfBcjEPFgaljyqz3BdvR/LYohnXu
QL9SWObF+sIFc9D0w/yORYQcKP5kSWVC/qwFdC61OGeSDnQ/0o0T5PefhYS82gsIrjQ+HIJ7
CLUTk7kBNljvtfpoWegH02feR0kSRoCXA6x+YHT4fmB41pW8S1V5a5dEltA/JIkCJQQYAQIA
DwUCTa/9HAIbDAUJCWYBgAAKCRCfbxwtfgRfjTY/D/9+kX8LeqBhwDdwy3udV67KmVmytwGM
fzBHbAyBdy84X06ip/If/VkjL+2Sv5Uml/cOOzGZT7y/KEt0uXQzgOZhGP5Y0OREf4kSzfb7
tsGu3ZjTp5uJe7HiJr8uqYGfx94TQG/A3x1C7MlxOGmWDK/Eh/eNVeNd+3yyDEzl2p7a0yUh
I8LtzllVrEDX+G4rz+mdDw4tfPDqzRPzPvVtPfqnfofHP5r2dshGe7+pCTC+o0jHWpaiFkEi
IrR3PbZ9tV6+F5LzCUJJP5nepz6CShpLHq9ST6qZiw5ZpdznHW0kVl96YxgynJq9Y4dqD/8n
OfTzdHhXXEogGvRfcxatxeZF7YNFhUU2p+CswAjRKCUzZAz0hDAu+dJ+fw4Odx7ii8uiwhEn
EHoo8rPETkXwUK1je4MCzMRSy0Gippzk/oZ7noIml+Njas/UygavUOQm8bcPqGfWeFqvM2C7
ZobL2iV0fX/bhEmQyosiWJ0nHuKdwDYygYs/4LtZLxwiKli/lm6IDz1028j6/98Z81gGoltX
WokTYAPEgcBuhyiSLSQ1wojTVMYt9rPKMBakTzP+0FoWqoNafWOlHovP6iUB2Igll2ZT3Avr
BQ8jAbRbuUl46QpBaKsl+pBo86az0fRkMxv0N4dQv4Q7Z0g71u9NTpaq1vtAZOwc0kl3uGNK
18PnV4kCPAQYAQIAJgIbDBYhBO36o/LKTm6wVoGvjp9vHC1+BF+NBQJZpTgKBQkRmNVuAAoJ
EJ9vHC1+BF+NyNQP/A3h+cOOkYUxyKpNHdtlIfCn8db5tHXSCbE19Qi7EK1SiK5atjo+VoRt
B+L01kH6GCx5oZjeIhUdzYFwEUsdCDgwD6r0dKFwKIGa4TFcfnx+Z5B+HZgLYc6ac5PEHF1q
ZVXZH9GSGeNw5h2yyqf4yhvetSN6L2id14m5XXJV5e7NfOgmaSnG0Z+wQvPSiu+Q00XpENT8
HFSTSCjRATjk12rpy6TPeeC52NK1gLhGDRHN0k6m+vm4yoC+Nd6iPQpnc+5xs7NDnq2dFuST
p7UTGebzPhhdSQgujEFuYLwzQMZu1h5amtA+v9j7BYEJkOMC7bm1PNNA2QQ6QfH8Hf+mJeIN
yJO8A5KS3ceP+eo3SLR8T0hPzu9gZuZ22Hn3DXQh1VNRshaLKgNvoXpL3dQ48d1SFFKhEDpy
2HSXUq2fs5rH0uszFGesG7K6EQRAYRcDrCkt9fdfkvCSxAFw9d+472xThzgKcN+MkOec+SaY
+xlVULjEfCWyRVC8Opam4mTm/XT4mVLxP/qnsy7kEhLoc/ouB+lY/ks06LpZJvCXL6WfA9Yo
u1Fi1Mg7GhSh9JKg6X6E8Trm+N4dxJGut1xbbGmmKXqfi4pej9KlkdeM9t1df/vWKlPa7Hzd
8H0btgJx066wC4yt0ghxtsJXBsCDxWLfzaSRZ2/eP16mHqxDjsQQiQI8BBgBCAAmAhsMFiEE
7fqj8spObrBWga+On28cLX4EX40FAl3uCX0FCRmkDeEACgkQn28cLX4EX43TQA/+JV8ReMRJ
Cn3Cfqbe5ycFn8p6dIVnJiQuhiEyu5yzdpSkKyzcVFJObQcqw7s50FJuLUbxdvbcuGIaoTu7
dhBoUXO5tOuIQAsKTfGfgoOgelJm+/q2h645EnAVINGbMDXrmo4/UFJkNjUMA6SQi/yiam7N
0y58eoDC4sGmBKuN2EW2MoWahlXw8SS1+Ab9qVBs/RqbSy6f1nJL39aPpPDmvyJOSYtHnNSF
lYWVhr0zGAi5rnswlFGrECGbHpr5FajUK7zcmtNPbi7F30K48xfF3XnDIeIBcerrEBQMaPUZ
cBlddGhmSVVJZU/YhR35JNgPnmp33gOuZaRiW9lauZFwsMQBIBkLpJWoUtu8QLkyC0HmJzVR
ep0/s1RkzaJ+1G1BzXTQiXaLaUQWG5h3pcMD8fxY5qp9KbG/+10bY0sRbRBXgS6mz7ddHaBt
g/E8ty2nEB1HDXA9HAHu7KlH9e96sPZjz9C46ZiOXe6ZAOk6wBYts4RG4bCQ9pGORJ+P2Jr2
pz1NZQbs1AhnjJixTsfZfsGZ5lHxGLjIyxtdGB/irLEqNTIMek2yp4CShmWoZwN0V3aGYMe/
rC4tSXG79IeKNwF3Vd5MHtB+hcJG2qztBtKQuW29rbRA5bNxwTWe8skwOKsxXnP9RC974k0X
kPS+VwgmVgNN1ewS/0oHvmEP71Q=
=ZSkT
-----END PGP PUBLIC KEY BLOCK-----
</pre>
</body></html>


@ -1,43 +1,40 @@
%{?!with_python2: %global with_python2 0}
%{?!with_python3: %global with_python3 1}
%{?!with_munin: %global with_munin 1}
%bcond_without dnstap
%bcond_without systemd
%bcond_without doh
%global _hardened_build 1
%global forgeurl https://github.com/NLnetLabs/%{name}
#global extra_version rc1
#%%global extra_version rc1
%if 0%{with_python2}
%global python_primary %{__python2}
%endif # with_python2
%endif
%if 0%{with_python3}
%global python_primary %{__python3}
%endif # with_python3
%endif
%if 0%{?rhel}
%global with_munin 0
%if 0%{?with_python2} && 0%{?rhel} <= 6
# needed just for EPEL
%{!?__python2: %global __python2 /usr/bin/python2}
%{!?python2_sitelib: %global python2_sitelib %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")}
%{!?python2_sitearch: %global python2_sitearch %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
%endif # with_python2 && rhel <= 6
%if 0%{?rhel} <= 7
%global with_python3 0
%else
%global with_python2 0
%endif # rhel <= 7
%endif # rhel
%endif
%endif
Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound
Version: 1.16.2
Release: 5.9%{?extra_version:.%{extra_version}}%{?dist}
Version: 1.24.2
Release: 2%{?extra_version:.%{extra_version}}%{?dist}
License: BSD
Url: https://www.unbound.net/
Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
Url: https://nlnetlabs.nl/projects/unbound/
Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
Source1: unbound.service
Source2: unbound.conf
Source3: unbound.munin
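Review bot: License: BSD is kept while the rest of the header is modernized; Fedora and RHEL packaging guidelines want the SPDX identifier, BSD-3-Clause for Unbound. The new Url and Source locations are fine, but Source still spells the tarball path by hand even though forgeurl is now defined, so the two can drift; pick one scheme.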
@ -55,45 +52,58 @@ Source15: unbound-anchor.timer
Source16: unbound-munin.README
Source17: unbound-anchor.service
Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
Source19: http://keys.gnupg.net/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
Source20: https://nlnetlabs.nl/downloads/keys/Yorgos.asc
Source21: remote-control.conf
Source22: unbound-local-root.conf
Source23: module-setup.sh
Source24: unbound-initrd.conf
Source25: unbound.sysusers
Source26: unbound-as112-networks.conf
Source27: tmpfiles-unbound-libs.conf
# Reverts ABI change done in version 1.8.0 (bz#2027735)
# Makes possible backward binary compatibility with a new features
Patch1: unbound-1.15-soversion2-compat.patch
Patch2: unbound-1.15-source-compat.patch
# https://github.com/NLnetLabs/unbound/commit/137719522a8ea5b380fbb6206d2466f402f5b554
Patch3: unbound-1.16-CVE-2022-3204.patch
# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2023-50387_CVE-2023-50868.diff
Patch4: unbound-1.16-CVE-2023-50387-CVE-2023-50868.patch
# https://github.com/NLnetLabs/unbound/commit/b7c61d7cc256d6a174e6179622c7fa968272c259
Patch5: unbound-1.21-CVE-2024-8508.patch
# The patch for CVE-2025-5994 requires certain changes fixing bugs in subnet module
# that is why we have to backport these commits. They have their respective tests
# backported with them.
# https://github.com/NLnetLabs/unbound/commit/0f08cc6d5577ad4747749c55229e16df8711ee32
# https://github.com/NLnetLabs/unbound/commit/6d0812b56731af130e8bc7e1572388934beb9b3b
# https://github.com/NLnetLabs/unbound/commit/be626f7c5330dc414a582a04b537ea79d5c452fb
# https://github.com/NLnetLabs/unbound/commit/5bf82f246481098a6473f296b21fc1229d276c0f
# https://github.com/NLnetLabs/unbound/commit/a1150078f29e14b36c8e4d9d05a263a5e6abbc5b
Patch6: unbound-1.23.1-CVE-2025-5994.patch
# Downstream configuration changes
Patch1: unbound-fedora-config.patch
# https://github.com/NLnetLabs/unbound/pull/1349
Patch2: %{forgeurl}/pull/1349.patch#/unbound-1.25-tls-crypto-policy.patch
# https://github.com/NLnetLabs/unbound/pull/1401
Patch3: %{forgeurl}/pull/1401.patch#/unbound-1.25-tls-crypto-policy-default.patch
BuildRequires: gdb
BuildRequires: gcc, make
BuildRequires: byacc, flex, openssl-devel
BuildRequires: libevent-devel expat-devel
BuildRequires: gcc
BuildRequires: make
BuildRequires: flex
BuildRequires: byacc
BuildRequires: openssl-devel
BuildRequires: libevent-devel
BuildRequires: expat-devel
BuildRequires: pkgconfig
%if 0%{?fedora} || 0%{?rhel} >= 10
BuildRequires: gnupg2
%endif
%if 0%{with_python2}
BuildRequires: python2-devel swig
%endif # with_python
%endif
%if 0%{with_python3}
BuildRequires: python3-devel swig
%endif # with_python3
%endif
%if %{with dnstap}
BuildRequires: fstrm-devel protobuf-c-devel
%endif
%if %{with systemd}
BuildRequires: systemd-devel
%endif
%if %{with doh}
BuildRequires: libnghttp2-devel
%endif
%if 0%{?fedora} >= 30
BuildRequires: systemd-rpm-macros
%else
BuildRequires: systemd
# Required for SVN versions
%endif
# Required for SVN versions or modified configure.ac
BuildRequires: bison
BuildRequires: automake autoconf libtool
%{?systemd_requires}
# Needed because /usr/sbin/unbound links unbound libs staticly
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
# unbound-keygen.service requires it, bug #2116790
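Review bot: the two patches pulled straight from open pull requests, `Patch2: %{forgeurl}/pull/1349.patch#/unbound-1.25-tls-crypto-policy.patch` and `Patch3: %{forgeurl}/pull/1401.patch#/unbound-1.25-tls-crypto-policy-default.patch`, are not pinned to a commit: a PR's `.patch` URL changes whenever the branch is force-pushed or more commits land, so the build is not reproducible and what gets applied may differ from what was reviewed. Prefer the `/commit/<hash>.patch` form (hash to be filled in) or vendor the files into SOURCES like `unbound-fedora-config.patch`, so the bytes are fixed by the dist-git sources file. Minor: the files are named `unbound-1.25-*` while the package is 1.24.2 (see the 1.24.2-2 changelog entry below); naming them for the target version, or noting in the comment that they are forward-ports, avoids confusion.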
@ -131,8 +141,11 @@ The devel package contains the unbound library and the include files
%package libs
Summary: Libraries used by the unbound server and client applications
%{?systemd_requires}
Requires(pre): shadow-utils
%{?sysusers_requires_compat}
%if ! 0%{with_python2}
# Make explicit conflict with no longer provided python package
Obsoletes: python2-unbound < 1.9.3
%endif
%description libs
Contains libraries used by the unbound server and client applications
@ -147,19 +160,34 @@ Obsoletes: unbound-python < %{version}-%{release}
%description -n python2-unbound
Python 2 modules and extensions for unbound
%endif # with_python
%endif
%if 0%{with_python3}
%package -n python3-unbound
Summary: Python 3 modules and extensions for unbound
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%if ! 0%{with_python2}
# Make explicit conflict with no longer provided python package
Conflicts: python2-unbound < 1.9.3
%endif
%description -n python3-unbound
Python 3 modules and extensions for unbound
%endif # with_python3
%endif
%package dracut
Summary: Unbound dracut module
Requires: dracut%{?_isa}
Requires: %{name}%{?_isa} = %{version}-%{release}
%description dracut
Unbound dracut module allowing use of Unbound for name resolution
in initramfs.
%prep
%if 0%{?fedora} || 0%{?rhel} >= 10
%{gpgverify} --keyring='%{SOURCE20}' --signature='%{SOURCE18}' --data='%{SOURCE0}'
%endif
%global pkgname %{name}-%{version}%{?extra_version}
%if 0%{with_python2} && 0%{with_python3}
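Review bot: the tarball signature check `%{gpgverify} --keyring='%{SOURCE20}' --signature='%{SOURCE18}' --data='%{SOURCE0}'` only runs under `%if 0%{?fedora} || 0%{?rhel} >= 10`, so on RHEL 9 builds the upstream signature is never checked and the only integrity anchor for Source0 is the checksum recorded in the dist-git sources file. If the guard exists because gnupg2 is unavailable in that build root, say so in a comment; otherwise drop the condition so the verification (and the `BuildRequires: gnupg2` above, guarded by the same expression) applies everywhere.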
@ -169,19 +197,16 @@ Python 3 modules and extensions for unbound
%global python_secondary %{__python2}
%else
%global dir_primary %{pkgname}
%endif # with_python2 && with_python3
%endif
%setup -qcn %{pkgname}
%autosetup -c -N -n %{pkgname}
pushd %{pkgname}
# patches go here
%autopatch -p2
%patch1 -p2 -b .solib2-compat
%patch2 -p1 -b .srccompat
%patch3 -p2 -b .CVE-2022-3204
%patch4 -p2 -b .CVE-2023-50387-CVE-2023-50868
%patch5 -p2 -b .CVE-2024-8508
%patch6 -p2 -b .CVE-2025-5994
# only for snapshots
autoreconf -fiv
# copy common doc files - after here, since it may be patched
cp -pr doc pythonmod libunbound ../
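Review bot: `%autopatch -p2` applies every patch with the same strip level, whereas the lines it replaces used mixed levels (`%patch2 -p1 -b .srccompat` next to `%patch1 -p2 -b .solib2-compat`), and two of the new patches are fetched as GitHub PR `.patch` files, which carry git's `a/` and `b/` prefixes. Please confirm all three apply cleanly at `-p2` from the `pushd %{pkgname}` directory; if any needs a different level, apply them individually with the explicit `%patchN -pX -b .suffix` form as before, which also restores the per-patch backup suffixes that were handy when diffing the tree. Separately, the `autoreconf -fiv` here is commented `# only for snapshots` but is unconditional, and `%build` runs `autoreconf -fiv` again a few hunks down, so one of the two should go.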
@ -193,30 +218,40 @@ cp -a %{dir_primary} %{dir_secondary}
%endif
%build
# This is needed to rebuild the configure script to support Python 3.x
# autoreconf -iv
# ./configure script common arguments
%global configure_args --with-libevent --with-pthreads --with-ssl \\\
--disable-rpath --disable-static \\\
--enable-relro-now --enable-pie \\\
--enable-subnet --enable-ipsecmod \\\
--with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\
--with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \\\
--with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\
--enable-sha2 --disable-gost --enable-ecdsa \\\
--with-rootkey-file=%{_sharedstatedir}/unbound/root.key \\\
--enable-linux-ip-local-port-range
--enable-linux-ip-local-port-range --disable-sha1 \\\
--enable-system-tls
pushd %{dir_primary}
# configure.ac is modified, force refresh
autoreconf -fiv
%configure \
%if 0%{?python_primary:1}
--with-pythonmodule --with-pyunbound PYTHON=%{python_primary} \
%endif # python_primary
%endif
%if %{with dnstap}
--enable-dnstap \
%endif
%if %{with systemd}
--enable-systemd \
%endif
%if %{with doh}
--with-libnghttp2 \
%endif
%{configure_args}
%{__make} %{?_smp_mflags}
%{__make} %{?_smp_mflags} streamtcp
%make_build
%make_build streamtcp
popd
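Review bot: the stale comment pair `# This is needed to rebuild the configure script to support Python 3.x` / `# autoreconf -iv` is left in place while a live `autoreconf -fiv` with a different rationale (`# configure.ac is modified, force refresh`) runs just below, and `%prep` already ran `autoreconf -fiv`; drop the dead comment and keep a single autoreconf. On the security side, `--disable-sha1` and `--enable-system-tls` are the user-visible additions to `%{configure_args}`: the first means zones signed only with RSASHA1 or RSASHA1-NSEC3-SHA1 validate as insecure rather than secure, and the second, going by the 1.24.2-2 changelog entry and the `tls-crypto-policy` patch names, hands TLS settings to the system crypto policy. Both deserve a one-line comment next to the flag so a future rebase does not drop them when the argument list is regenerated.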
@ -224,11 +259,17 @@ popd
pushd %{dir_secondary}
%configure \
--with-pythonmodule --with-pyunbound PYTHON=%{python_secondary} \
%if %{with dnstap}
--enable-dnstap \
%endif
%if %{with systemd}
--enable-systemd \
%endif
%{configure_args}
%{__make} %{?_smp_mflags}
%make_build
popd
%endif # python_secondary
%endif
%install
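Review bot: the secondary (`python_secondary`) configure block carries the `%if %{with dnstap}` and `%if %{with systemd}` conditionals but not the `%if %{with doh}` / `--with-libnghttp2` one the primary build gained, so the two trees are configured differently. Since the secondary tree's install is overwritten by the primary one (per the comment in `%install`), this probably only costs consistency, but either add the same conditional or comment why DoH is irrelevant for the secondary build.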
@ -237,12 +278,12 @@ install -p -m 0644 %{SOURCE16} .
%if 0%{?python_secondary:1}
# install first secondary build. It will be overwritten by primary
pushd %{dir_secondary}
%{__make} DESTDIR=%{buildroot} unbound-event-install install
%make_install unbound-event-install
popd
%endif # python_secondary
%endif
pushd %{dir_primary}
%{__make} DESTDIR=%{buildroot} unbound-event-install install
%make_install unbound-event-install
install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp
popd
@ -254,6 +295,7 @@ install -p -m 0644 %{SOURCE17} %{buildroot}%{_unitdir}/unbound-anchor.service
install -p -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound
install -p -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/unbound
install -p -m 0644 %{SOURCE14} %{buildroot}%{_sysconfdir}/sysconfig/unbound
install -p -D -m 0644 %{SOURCE25} %{buildroot}%{_sysusersdir}/%{name}.conf
%if %{with_munin}
# Install munin plugin and its softlinks
install -d -m 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d
@ -267,18 +309,22 @@ done
pushd %{dir_primary}
# install streamtcp man page
install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc
install -p -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
install -p -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc
popd
# Install tmpfiles.d config
install -d -m 0755 %{buildroot}%{_tmpfilesdir} %{buildroot}%{_sharedstatedir}/unbound
install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf
install -p -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf
install -p -m 0644 %{SOURCE27} %{buildroot}%{_tmpfilesdir}/unbound-libs.conf
# install root - we keep a copy of the root key in old location,
# in case user has changed the configuration and we wouldn't update it there
install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/
install -m 0644 %{SOURCE13} %{buildroot}%{_sharedstatedir}/unbound/root.key
install -p -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/
install -p -m 0644 %{SOURCE13} %{buildroot}%{_sharedstatedir}/unbound/root.key
# local root zone fetch to separated configuration file
install -p -m 0644 %{SOURCE22} %{buildroot}%{_sysconfdir}/unbound/
# remove static library from install (fedora packaging guidelines)
rm %{buildroot}%{_libdir}/*.la
@ -286,13 +332,13 @@ rm %{buildroot}%{_libdir}/*.la
%if 0%{with_python2}
rm %{buildroot}%{python2_sitearch}/*.la
%endif # with_python
%endif
%if 0%{with_python3}
rm %{buildroot}%{python3_sitearch}/*.la
%endif # with_python3
%endif
mkdir -p %{buildroot}%{_localstatedir}/run/unbound
mkdir -p %{buildroot}%{_rundir}/unbound
# Install directories for easier config file drop in
@ -301,23 +347,28 @@ install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/
ln -s ../unbound-local-root.conf %{buildroot}%{_sysconfdir}/unbound/conf.d/unbound-local-root.conf
mkdir -p %{buildroot}%{_datadir}/%{name}/conf.d
install -p -m 0644 %{SOURCE26} %{buildroot}%{_datadir}/%{name}/conf.d/
# Link unbound-control-setup.8 manpage to unbound-control.8
echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
# install dracut module
mkdir -p %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
install -p -m 0755 %{SOURCE23} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
install -p -m 0644 %{SOURCE24} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
%pre libs
getent group unbound >/dev/null || groupadd -r unbound
getent passwd unbound >/dev/null || \
useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \
-c "Unbound DNS resolver" unbound
%sysusers_create_compat %{SOURCE25}
%post
%systemd_post unbound.service
%systemd_post unbound-keygen.service
%post libs
%{?ldconfig}
%systemd_post unbound-anchor.timer
# start the timer only if installing the package to prevent starting it, if it was stopped on purpose
if [ "$1" -eq 1 ]; then
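Review bot: replacing the `useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin -c "Unbound DNS resolver" unbound` scriptlet with `%sysusers_create_compat %{SOURCE25}` moves the account definition into `unbound.sysusers`, which this diff does not show; please double-check that it keeps the `/etc/unbound` home directory and the `/sbin/nologin` shell, since a different home or shell would be a silent behaviour change on upgrade for systems that already have the account, and the group-based access to `%{_sysconfdir}/%{name}/conf.d` and friends (`%attr(0644,root,unbound)` in `%files`) depends on the same group name being created.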
@ -337,19 +388,17 @@ fi
%systemd_postun unbound-keygen.service
%postun libs
%{?ldconfig}
%systemd_postun_with_restart unbound-anchor.timer
%triggerun -- unbound < 1.4.12-4
# Save the current service runlevel info
# User must manually run systemd-sysv-convert --apply unbound
# to migrate them to systemd targets
/usr/bin/systemd-sysv-convert --save unbound >/dev/null 2>&1 ||:
# Run these because the SysV package being removed won't do them
/sbin/chkconfig --del unbound >/dev/null 2>&1 || :
/bin/systemctl try-restart unbound.service >/dev/null 2>&1 || :
/bin/systemctl try-restart unbound-keygen.service >/dev/null 2>&1 || :
# this trigger ensures that if user changed their config
# prior the move of root auth-zone to separate file in 1.16.2-18, we do not
# force the change of root auth-zone on them
%triggerpostun -- unbound < 1.16.2-18
if [ -f %{_sysconfdir}/%{name}/unbound.conf.rpmnew ] \
&& [ -L %{_sysconfdir}/%{name}/conf.d/unbound-local-root.conf ] \
&& [ "$(readlink -f %{_sysconfdir}/%{name}/conf.d/unbound-local-root.conf)" == "%{_sysconfdir}/%{name}/unbound-local-root.conf" ]; then
rm -f %{_sysconfdir}/%{name}/conf.d/unbound-local-root.conf
fi
%check
pushd %{dir_primary}
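Review bot: in the new `%triggerpostun -- unbound < 1.16.2-18` block, the test `[ "$(readlink -f %{_sysconfdir}/%{name}/conf.d/unbound-local-root.conf)" == "%{_sysconfdir}/%{name}/unbound-local-root.conf" ]` uses `==`, which is a bash extension to `[`; rpm scriptlets run under `/bin/sh`, and while that is bash on RHEL, the POSIX `=` is equally readable and portable, so prefer it. The logic itself matches the comment above it: the drop-in symlink is removed only when the user kept their own `unbound.conf` (an `.rpmnew` exists) and the link is still the packaged one, which is consistent with the `%config(missingok, noreplace)` entry for that link in `%files`.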
@ -368,27 +417,30 @@ pushd %{dir_secondary}
#popd
make check
popd
%endif # python_secondary
%endif
%files
%doc doc/CREDITS doc/FEATURES
%{_unitdir}/%{name}.service
%{_unitdir}/%{name}-keygen.service
%attr(0755,unbound,unbound) %dir %{_localstatedir}/run/%{name}
%attr(0775,unbound,root) %dir %{_rundir}/%{name}
%attr(0644,root,root) %{_tmpfilesdir}/unbound.conf
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound-local-root.conf
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
%dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d
%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d/*.key
%dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/conf.d
%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/conf.d/*.conf
%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/conf.d/example.com.conf
%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/conf.d/remote-control.conf
%verify(not mtime) %config(missingok, noreplace) %{_sysconfdir}/%{name}/conf.d/unbound-local-root.conf
%dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/local.d
%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/local.d/*.conf
%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.pem
%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.key
%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.pem
%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key
%ghost %attr(0600,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key
%{_sbindir}/unbound
%{_sbindir}/unbound-checkconf
%{_sbindir}/unbound-control
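Review bot: the `%ghost` entry for the remote-control server key tightens from `%attr(0640,root,unbound)` to `%attr(0600,root,unbound)` while the other three key/cert ghosts stay at 0640. Because these files are created at runtime rather than by rpm, `%attr` on a ghost is only what `rpm -V` compares against, so the mode must equal what the generating script actually sets or every verification will report a mode mismatch on that file; the changelog entry `Fix verification of unbound-control key files` (RHEL-65396) suggests this is exactly that alignment, so add a comment above the ghosts naming the script that owns these modes. Also, `%attr(0775,unbound,root) %dir %{_rundir}/%{name}` widens the previous 0755 unbound:unbound directory to group-writable with group root; in practice root can write regardless, but the reason for the change deserves a short comment.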
@ -399,6 +451,7 @@ popd
%{_mandir}/man5/*
%exclude %{_mandir}/man8/unbound-anchor*
%{_mandir}/man8/*
%{_datadir}/%{name}/
%if 0%{with_python2}
%files -n python2-unbound
@ -434,118 +487,288 @@ popd
%doc doc/README
%license doc/LICENSE
%attr(0755,root,root) %dir %{_sysconfdir}/%{name}
%{_sysusersdir}/%{name}.conf
%attr(0644,root,root) %{_tmpfilesdir}/unbound-libs.conf
%{_sbindir}/unbound-anchor
%{_libdir}/libunbound.so.*
%{_mandir}/man8/unbound-anchor*
%{_sysconfdir}/%{name}/icannbundle.pem
# icannbundle and root.key(s) should be replaced from package
# intentionally not using noreplace
%config %{_sysconfdir}/%{name}/icannbundle.pem
%{_unitdir}/unbound-anchor.timer
%{_unitdir}/unbound-anchor.service
%dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
%attr(0644,unbound,unbound) %config %{_sharedstatedir}/%{name}/root.key
%attr(0644,unbound,unbound) %verify(not md5 mtime size) %config %{_sharedstatedir}/%{name}/root.key
# just left for backwards compat with user changed unbound.conf files - format is different!
%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
# modification of root.key is maintained by unbound-achor.service and is intentional, so let rpm know
%verify(not md5 size mtime) %{_sharedstatedir}/%{name}/root.key
%files dracut
%{_prefix}/lib/dracut/modules.d/99unbound
%changelog
* Thu Jul 24 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-5.9
- Fix RebirthDay Attack (CVE-2025-5994)
- Resolves: RHEL-104123
* Mon Feb 09 2026 Petr Menšík <pemensik@redhat.com> - 1.24.2-2
- Switch TLS configuration to follow TLS sockets by crypto-policy again
(RHEL-147860)
- Change the default of tls-use-system-policy-versions at build-time
* Tue Nov 12 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.8
* Tue Nov 11 2025 Petr Menšík <pemensik@redhat.com> - 1.16.2-24
- Add new root key 38696 (RHEL-77716)
* Tue Nov 11 2025 Petr Menšík <pemensik@redhat.com> - 1.16.2-23
- Do not verify root.key in libs (RHEL-64339)
* Tue Nov 11 2025 Petr Menšík <pemensik@redhat.com> - 1.16.2-22
- Create root key if missing automatically (RHEL-127540)
* Mon Jul 28 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-21
- Fix RebirthDay Attack (CVE-2025-5994)
- Resolves: RHEL-104129
* Wed Jul 16 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-20
- Fix verification of unbound-control key files
- Resolves: RHEL-65396
* Tue Jun 24 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-19
- Fix regression on update introduced by local-root symlink
- Resolves: RHEL-92255
* Wed May 14 2025 Petr Menšík <pemensik@redhat.com> - 1.16.2-18
- Prevent unbounded name compression (CVE-2024-8508)
* Tue May 28 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.7
- Rebuild to propagate to CentOS Stream (RHEL-25500)
* Mon Feb 10 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-17
- Add as112 networks config file
- Resolves: RHEL-78696
* Mon Mar 11 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.6
* Mon Feb 10 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-16
- Add possibility to disable unbound-anchor by file presence
- Resolves: RHEL-78694
* Sun Feb 09 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-15
- Add sysusers support needed to propagate user to initramfs
- Resolves: RHEL-77789
* Sun Feb 09 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-14
- Change service type to notify
- Resolves: RHEL-77790
* Wed Feb 05 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-13
- Add noreplace to root zone config link
- Resolves: RHEL-77788
* Tue Feb 04 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-12
- Backport +t flag to forward_add and stub_add control commands
- Resolves: RHEL-77791
* Tue Feb 04 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-11
- Enabled libsystemd and change unbound service type to notify-reload
- Resolves: RHEL-77790
* Tue Feb 04 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-10
- Add dracut module
- Resolves: RHEL-77789
* Tue Feb 04 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-9
- Move automatic root zone fetching to drop-in
- Resolves: RHEL-77788
* Mon Mar 11 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-8
- Ensure group access correction reaches also updated configs (CVE-2024-1488)
* Wed Feb 28 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.3
* Wed Feb 28 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-7
- Ensure only unbound group can change configuration (CVE-2024-1488)
* Fri Feb 16 2024 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-5.1
* Fri Feb 16 2024 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-6
- Fix KeyTrap - Extreme CPU consumption in DNSSEC validator CVE-2023-50387
- Fix Preparing an NSEC3 closest encloser proof can exhaust CPU resources CVE-2023-50868
- Resolves: RHEL-25428
- Resolves: RHEL-25423
* Sat Oct 15 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-5
- Stop creating wrong devel manual pages (#2135322)
* Sat Oct 15 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-4
- Apply correctly previous change (CVE-2022-3204)
- Resolves: RHEL-25671
- Resolves: RHEL-25643
* Tue Oct 11 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-3
- Fix NRDelegation attack leading to uncontrolled resource consumption
(CVE-2022-3204)
* Tue Aug 09 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-2
- Require openssl tool for unbound-keygen (#2018806)
- Require openssl tool for unbound-keygen (#2116802)
* Wed Aug 03 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-1
- Update to 1.16.2 (#2027735)
- Update to 1.16.2 (#2087120)
* Wed Jun 15 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-2
- Restart keygen service before every unbound start (#1959468)
* Fri Jul 08 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-3
- Disable ED25519 and ED448 in FIPS mode (#2079548)
* Wed Jun 15 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-1
- Upgrade to 9.16.0 (#2027735)
- Update to recent version with compatibility with RHEL8 (#2027735)
- Ensure also source level compatibility with previous version
* Tue Jun 07 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-2
- Restart keygen service before every unbound start (#2094336)
* Thu May 19 2022 Richard Lescak <rlescak@gmail.com> - 1.7.3-18
- Change file mode before owner when configuring remote control unix socket to avoid AVC denials
- Resolves: rhbz#2038251
* Sat Jun 04 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-1
- Update to 1.16.0 (#2087120)
* Mon Apr 26 2021 Artem Egorenkov <aegorenk@redhat.com> - 1.7.3-17
* Mon May 02 2022 Petr Menšík <pemensik@redhat.com> - 1.15.0-1
- Update to 1.15.0 (#2030608)
- Update icannbundle.pem
* Mon May 02 2022 Paul Wouters <paul.wouters@aiven.io> - 1.13.2-1
- Resolves: rhbz#1992985 unbound-1.13.2 is available
- Use system-wide crypto policies
* Mon May 02 2022 Petr Menšík <pemensik@redhat.com> - 1.13.1-15
- Export unbound-devel to CRB repository (#2056116)
* Tue Apr 26 2022 Petr Menšík <pemensik@redhat.com> - 1.13.1-14
- Stop creating wrong devel manual pages (#2071943)
* Thu Mar 31 2022 Petr Menšík <pemensik@redhat.com> - 1.13.1-13
- Disable SHA-1 support (#2070495)
* Fri Feb 11 2022 Artem Egorenkov <aegorenk@redhat.com> - 1.13.1-12
- Fixed error in the patch
- Resolves: rhbz#1977401
* Thu Feb 10 2022 Artem Egorenkov <aegorenk@redhat.com> - 1.13.1-11
- regional_alloc() failure handled
- Resolves: rhbz#1977401
* Thu Feb 10 2022 Artem Egorenkov <aegorenk@redhat.com> - 1.13.1-10
- RESOURCE_LEAK fixed
- Resolves: rhbz#1977400
* Tue Aug 10 2021 Artem Egorenkov <aegorenk@redhat.com> - 1.13.1-9
- Don't use delted OpenSSL macroses
- Resolves: rhbz#1991005
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1.13.1-8
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.13.1-7
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Tue Jun 08 2021 Artem Egorenkov <aegorenk@redhat.com> - 1.13.1-6
- Changelog date fixed
- Rebuild for new gating.yaml
- Resolves: rhbz#1951923
* Mon Apr 26 2021 Artem Egorenkov <aegorenk@redhat.com> - 1.13.1-5
- Option --enable-linux-ip-local-port-range added to use system configured port range for libunbound on Linux
- Resolves: rhbz#1830625
- Resolves: rhbz#1952814
* Tue Apr 06 2021 Artem Egorenkov <aegorenk@redhat.com> - 1.7.3-16
* Tue Apr 20 2021 Artem Egorenkov <aegorenk@redhat.com> - 1.13.1-4
- Don't start unbound-anchor before unbound service if DISABLE_UNBOUND_ANCHOR
environment variable equals to "yes"
- Resolves: rhbz#1922448
- Resolves: rhbz#1951923
* Tue Sep 01 2020 Anna Khaitovich <akhaitov@redhat.com> - 1.7.3-15
- Fix SPEC file to not check md5 mtime and size of /var/lib/unbound/root.key
- Resolves: rhbz#1714175
- Use system-wide crypto policy setting (PROFILE=SYSTEM) instead of custom setting
- Resolves: rhbz#1842837
- Enable additional logging in unbound
- Resolves: rhbz#1850460
- security hardening from x41 report
- Resolves: rhbz#1859933
- symbolic link traversal when writing PID file
- Resolves: rhbz#1899058
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.13.1-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Thu May 28 2020 Anna Khaitovich <akhaitov@redhat.com> - 1.7.3-14
- Fix unbound-1.7.3-amplifying-an-incoming-query.patch patch
- Resolves: rhbz#1839178 (CVE-2020-12662)
* Wed Feb 10 2021 Paul Wouters <pwouters@redhat.com> - 1.13.1-1
- Resolves rhbz#1860887 unbound-1.13.1 is available
- Fixup unbound.conf
* Mon May 25 2020 Anna Khaitovich <akhaitov@redhat.com> - 1.7.3-13
- Fix two previous patches and add missing patch lines to %%prep
- Fix amplifying an incoming query into a large number of queries directed to a target
- Resolves: rhbz#1839178 (CVE-2020-12662)
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.13.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Apr 21 2020 Anna Khaitovich <akhaitov@redhat.com> - 1.7.3-12
- Remove KSK-2010 from configuration files
- Resolves: rhbz#1665502
- Replace legacy directory /var/run/ with /run
- Resolves: rhbz#1766463
- Resolves: rhbz#1805978
- Fix memory leak when DNS over TLS forwarding is configured
- Resolves: rhbz#1819870
* Thu Dec 10 2020 Petr Menšík <pemensik@redhat.com> - 1.13.0-1
- Update to 1.13.0
* Thu Apr 16 2020 Artem Egorenkov <aegorenk@redhat.com> - 1.7.3-11
- Resolves bz1818761. unbound crash fixed.
* Tue Oct 13 2020 Petr Menšík <pemensik@redhat.com> - 1.12.0-1
- Update to 1.12.0 (#1860887)
* Tue Dec 10 2019 Tomas Korbar <tkorbar@redhat.com> - 1.7.3-10
- Secure ipsec mode (#1772061)
- CVE-2019-18934
* Tue Sep 15 2020 Petr Menšík <pemensik@redhat.com> - 1.10.1-5
- Move command line tools to utils subpackage
* Tue Dec 10 2019 Tomas Korbar <tkorbar@redhat.com> - 1.7.3-9
- Use pthread_mutex_t locks when dealing with I/O operations (#1775708)
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 1.10.1-3
- Use make macros
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
* Fri May 22 2020 Miro Hrončok <mhroncok@redhat.com> - 1.10.1-2
- Rebuilt for Python 3.9
* Tue May 19 2020 Paul Wouters <pwouters@redhat.com> - 1.10.1-1
- Resolves: rhbz#1837279 unbound-1.10.1 is available
- Resolves: rhbz#1837598 CVE-2020-12662 unbound: insufficient control of network message volume leads to DoS
- Resolves: rhbz#1837609 CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers
- Updated unbound.conf for new options in 1.10.1
* Wed Apr 29 2020 Paul Wouters <pwouters@redhat.com> - 1.10.0-3
- Resolves: rhbz#1667742 SELinux is preventing unbound from 'name_bind' accesses on the udp_socket port 61000.
* Thu Apr 16 2020 Artem Egorenkov <aegorenk@redhat.com> - 1.10.0-2
- Resolves: rhbz#1824536 unbound crash
* Thu Mar 19 2020 Petr Menšík <pemensik@redhat.com> - 1.10.0-1
- Update to 1.10.0 (#1805199)
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Dec 13 2019 Paul Wouters <pwouters@redhat.com> - 1.9.6-1
- Resolves: rhbz#1758107 unbound-1.9.5 is available
- Resolves: CVE-2019-18934
* Fri Nov 01 2019 Paul Wouters <pwouters@redhat.com> - 1.9.4-1
- Fix build on rhel/centos systems
- Resolves: rhbz#1767955 (CVE-2019-16866) uninitialized memory accesses leads to crash via a crafted NOTIFY query
* Thu Sep 26 2019 Petr Menšík <pihhan@gmail.com> - 1.9.3-2
- Obsolete no longer provided python2 subpackage (#1749400)
* Tue Aug 27 2019 Paul Wouters <pwouters@redhat.com> - 1.9.3-1
- Updated to 1.9.3
- Resolves: rhbz#1672578 unbound-1.9.2 is available
- Resolves: rhbz#1694831 [/usr/lib/tmpfiles.d/unbound.conf:1] Line references path below legacy directory /var/run/
- Resolves: rhbz# 1667387 [abrt] unbound: memmove(): unbound killed by SIGABRT
* Thu Aug 22 2019 Miro Hrončok <mhroncok@redhat.com> - 1.8.3-8
- Subpackage python2-unbound has been removed
See https://fedoraproject.org/wiki/Changes/Mass_Python_2_Package_Removal
* Thu Aug 15 2019 Miro Hrončok <mhroncok@redhat.com> - 1.8.3-7
- Rebuilt for Python 3.8
* Mon Aug 5 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.8.3-6
- Drop install-time requirements on systemd (#1723777)
* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.3-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri Jan 11 2019 Paul Wouters <pwouters@redhat.com> - 1.8.3-3
- Remove KSK-2010 from configs - it has been revoked
* Wed Dec 12 2018 Paul Wouters <pwouters@redhat.com> - 1.8.3-2
- Another dns64 fixup
* Wed Dec 12 2018 Paul Wouters <pwouters@redhat.com> - 1.8.3-1
- Updated to 1.8.3 with fixes the dns64 bug and has some other minor fixes
* Mon Dec 10 2018 Paul Wouters <pwouters@redhat.com> - 1.8.2-2
- Fix dns64 allocation in wrong region for returned internal queries.
* Tue Dec 04 2018 Paul Wouters <pwouters@redhat.com> - 1.8.2-1
- Updated to 1.8.2.
- Enabled deny ANY query support and edns-tcp-keepalive
- Set serve-stale timeout to 4h
- Updated unbound.conf for latest options
* Mon Oct 22 2018 Petr Menšík <pemensik@redhat.com> - 1.8.1-2
- Allow group by default to unbound-control (#1640259)
* Mon Oct 08 2018 Petr Menšík <pemensik@redhat.com> - 1.8.1-1
- Update to 1.8.1
* Mon Oct 01 2018 Petr Menšík <pemensik@redhat.com> - 1.8.0-2
- Skip ipv6 forwarders without ipv6 support (#1633874)
* Wed Sep 19 2018 Petr Menšík <pemensik@redhat.com> - 1.8.0-1
- Rebase to 1.8.0
* Tue Aug 14 2018 Paul Wouters <pwouters@redhat.com> - 1.7.3-9
- Fix for restarting unbound service after deleting key/pem files for remote control
* Tue Jul 31 2018 Petr Menšík <pemensik@redhat.com> - 1.7.3-8
- Release memory in unbound-host
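Review bot: the `%changelog` jumps from `1.16.2-24` straight to `1.24.2-2`; there is no entry for the rebase itself (a `1.24.2-1` line saying which upstream release was imported and that the local backports for CVE-2022-3204, CVE-2023-50387/CVE-2023-50868, CVE-2024-8508 and CVE-2025-5994 are now carried by upstream), which is the first thing anyone auditing the package's vulnerability history will look for. On the `%files libs` side, consolidating root.key into the single `%attr(0644,unbound,unbound) %verify(not md5 mtime size) %config %{_sharedstatedir}/%{name}/root.key` line is right: listing the same path twice, as the removed `%verify(not md5 size mtime)` entry did, makes rpmbuild warn about a file listed twice, and the `%verify` flags are needed because unbound-anchor rewrites the file; the `intentionally not using noreplace` comment could add that rpm saves the live anchor as `.rpmsave` when it differs from the packaged copy.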
@ -574,8 +797,16 @@ popd
* Wed Jun 27 2018 Petr Menšík <pemensik@redhat.com> - 1.7.2-3
- Remove last python2 dependency from python3 build
* Mon Jun 25 2018 Tomas Hozza <thozza@redhat.com> - 1.7.0-6
- Disable Python2 support
* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 1.7.2-2
- Rebuilt for Python 3.7
* Mon Jun 11 2018 Paul Wouters <pwouters@redhat.com> - 1.7.2-1
- Resolves rhbz#1589807 unbound-1.7.2 is available
- Add patch to fix stub/forward zone not returning ServFail when TTL expires
- Enabled the new root-key-sentinel option
* Wed May 30 2018 Petr Menšík <pemensik@redhat.com> - 1.7.1-1
- Update to 1.7.1 (#1574495)
* Mon Apr 09 2018 Petr Menšík <pemensik@redhat.com> - 1.7.0-5
- Require gcc and make on build