.fmf/version

@@ -1 +0,0 @@
-1

.gitignore

@@ -1,87 +1 @@
-unbound-1.1.1.tar.gz
-unbound-1.2.0.tar.gz
-unbound-1.2.1.tar.gz
-unbound-1.3.0.tar.gz
-unbound-1.3.2.tar.gz
-unbound-1.3.1.tar.gz
-unbound-1.3.3.tar.gz
-unbound-1.3.4.tar.gz
-unbound-1.4.1.tar.gz
-unbound-1.4.2.tar.gz
-unbound-1.4.3.tar.gz
-unbound-1.4.4.tar.gz
-unbound-1.4.5.tar.gz
-/unbound-1.4.8.tar.gz
-/unbound-1.4.9.tar.gz
-/unbound-1.4.10.tar.gz
-/unbound-1.4.11.tar.gz
-/unbound-1.4.12.tar.gz
-/unbound-1.4.13.tar.gz
-/unbound-1.4.14.tar.gz
-/unbound-1.4.15.tar.gz
-/unbound-1.4.16.tar.gz
-/unbound-1.4.17.tar.gz
-/unbound-1.4.18.tar.gz
-/unbound-1.4.19.tar.gz
-/unbound-1.4.20.tar.gz
-/unbound-1.4.21.tar.gz
-/unbound-1.4.22.tar.gz
-/unbound-1.5.0.tar.gz
-/unbound-1.5.1rc1.tar.gz
-/unbound-1.5.1.tar.gz
-/unbound-1.5.3.tar.gz
-/unbound-1.5.4.tar.gz
-/unbound-1.5.5.tar.gz
-/unbound-1.5.6.tar.gz
-/unbound-1.5.7.tar.gz
-/unbound-1.5.8.tar.gz
-/unbound-1.5.9.tar.gz
-/unbound-1.5.10.tar.gz
-/unbound-1.6.0.tar.gz
-/unbound-1.6.2.tar.gz
-/unbound-1.6.3.tar.gz
-/unbound-1.6.4rc2.tar.gz
-/unbound-1.6.4.tar.gz
-/unbound-1.6.6.tar.gz
-/unbound-1.6.7.tar.gz
-/unbound-1.6.8.tar.gz
-/unbound-1.7.0.tar.gz
-/unbound-1.7.1.tar.gz
-/unbound-1.7.2.tar.gz
-/unbound-1.7.3.tar.gz
-/unbound-1.8.0.tar.gz
-/unbound-1.8.1.tar.gz
-/unbound-1.8.2.tar.gz
-/unbound-1.8.3.tar.gz
-/unbound-1.9.4.tar.gz
-/unbound-1.9.6.tar.gz
-/unbound-1.10.0.tar.gz
-/unbound-1.10.0.tar.gz.asc
-/unbound-1.10.1.tar.gz
-/unbound-1.10.1.tar.gz.asc
-/unbound-1.12.0.tar.gz
-/unbound-1.12.0.tar.gz.asc
-/unbound-1.13.0.tar.gz
-/unbound-1.13.0.tar.gz.asc
-/unbound-1.13.1.tar.gz
-/unbound-1.13.1.tar.gz.asc
-/unbound-1.13.2.tar.gz
-/unbound-1.13.2.tar.gz.asc
-/unbound-1.15.0.tar.gz
-/unbound-1.15.0.tar.gz.asc
-/unbound-1.16.0.tar.gz
-/unbound-1.16.0.tar.gz.asc
-/unbound-1.16.2.tar.gz
-/unbound-1.16.2.tar.gz.asc
-/unbound-1.16.3.tar.gz
-/unbound-1.16.3.tar.gz.asc
-/unbound-1.17.0.tar.gz
-/unbound-1.17.0.tar.gz.asc
-/unbound-1.17.1.tar.gz
-/unbound-1.17.1.tar.gz.asc
-/unbound-1.18.0.tar.gz
-/unbound-1.18.0.tar.gz.asc
-/unbound-1.19.0.tar.gz
-/unbound-1.19.0.tar.gz.asc
-/unbound-1.20.0.tar.gz
-/unbound-1.20.0.tar.gz.asc
+SOURCES/unbound-1.16.2.tar.gz

.unbound.metadata

@@ -0,0 +1 @@
+9aea0e923b9d6779b5bc360094e24a4017e2bb25 SOURCES/unbound-1.16.2.tar.gz

SOURCES/remote-control.conf

@@ -0,0 +1,9 @@
+# Remote control config section update.
+# Previous defaults allowed any process to change settings, CVE-2024-1488
+remote-control:
+    # set to an absolute path to use a unix local name pipe, certificates
+    # are not used for that, so key and cert files need not be present.
+    control-interface: "/run/unbound/control"
+
+    # For local sockets this option is ignored, and TLS is not used.
+    control-use-cert: "yes"

SOURCES/root.key

@@ -2,5 +2,4 @@
 ; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this
 trusted-keys {
 "." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326
-
 };

SOURCES/unbound-1.15-source-compat.patch

@@ -0,0 +1,85 @@
+From fbde301c2706a5d0c9c3942fe84693f2b7a6b16c Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Sat, 7 May 2022 10:05:33 +0200
+Subject: [PATCH] Use reserved RCODE, fake source version
+
+Use RCODE value assigned for a private use. Previous value were possible
+returned value.
+
+Fake source version to be still 1.7.x. Hide real version into micro
+version component and export it also in a proper way with _REAL
+suffixes. Should workaround any source code detection to support correct
+callback format. Fixes compilation error in libreswan.
+
+Use preprocessed unbound.h to prevent failures
+
+Swig complains about wrong @ variable formats. Make it use preprocessed
+header instead of a template.
+---
+ libunbound/python/libunbound.i |  4 ++--
+ libunbound/unbound.h           | 13 ++++++++++---
+ services/mesh.h                |  2 +-
+ 3 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/libunbound/python/libunbound.i b/libunbound/python/libunbound.i
+index c9549bf90..f01e9111e 100644
+--- a/libunbound/python/libunbound.i
++++ b/libunbound/python/libunbound.i
+@@ -53,7 +53,7 @@
+    #ifdef HAVE_ARPA_INET_H
+    #include <arpa/inet.h>
+    #endif
+-   #include "libunbound/unbound.h"
++   #include "unbound.h"
+ %}
+ 
+ %pythoncode %{
+@@ -855,7 +855,7 @@ Result: ['74.125.43.147', '74.125.43.99', '74.125.43.103', '74.125.43.104']
+   //printf("resolve_stop()\n");
+ %} 
+ 
+-%include "libunbound/unbound.h"
++%include "unbound.h"
+ 
+ %inline %{
+   //SWIG will see the ub_ctx as a class
+diff --git a/libunbound/unbound.h b/libunbound/unbound.h
+index c822d3f89..82660bd51 100644
+--- a/libunbound/unbound.h
++++ b/libunbound/unbound.h
+@@ -102,9 +102,16 @@ extern "C" {
+ #endif
+ 
+ /** the version of this header file */
+-#define UNBOUND_VERSION_MAJOR @UNBOUND_VERSION_MAJOR@
+-#define UNBOUND_VERSION_MINOR @UNBOUND_VERSION_MINOR@
+-#define UNBOUND_VERSION_MICRO @UNBOUND_VERSION_MICRO@
++/* Because of RHEL compat change, callback type remains at
++ * 1.7.3 version. To prevent source-level incompatibility,
++ * fake still old version. Export real version in _REAL
++ * suffix definitions. */
++#define UNBOUND_VERSION_MAJOR 1
++#define UNBOUND_VERSION_MINOR 7
++#define UNBOUND_VERSION_MICRO @UNBOUND_VERSION_MAJOR@@UNBOUND_VERSION_MINOR@@UNBOUND_VERSION_MICRO@
++#define UNBOUND_VERSION_MAJOR_REAL @UNBOUND_VERSION_MAJOR@
++#define UNBOUND_VERSION_MINOR_REAL @UNBOUND_VERSION_MINOR@
++#define UNBOUND_VERSION_MICRO_REAL @UNBOUND_VERSION_MICRO@
+ 
+ /**
+  * The validation context is created to hold the resolver status,
+diff --git a/services/mesh.h b/services/mesh.h
+index 9c6f958ff..c0cbf355e 100644
+--- a/services/mesh.h
++++ b/services/mesh.h
+@@ -237,7 +237,7 @@ struct mesh_reply {
+ /* RHEL 8 compatibility layer.
+  * Special rcode to send was_ratelimited to callback without adding
+  * extra parameter. It is ORed to the rcode parameter of the callback. */
+-#define LDNS_RCODE_RATELIMITED 0x100
++#define LDNS_RCODE_RATELIMITED 0xf80
+ #define RCODE_IS_RATELIMITED(rcode) ((rcode & LDNS_RCODE_RATELIMITED) != 0)
+ #define RCODE_NOT_RATELIMITED(rcode) (rcode & ~LDNS_RCODE_RATELIMITED)
+ 
+-- 
+2.34.1
+

SOURCES/unbound-1.15-soversion2-compat.patch

@@ -0,0 +1,471 @@
+From 605d66f0b6b8f7c308010f455058299d25c1d2ee Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Fri, 6 May 2022 16:36:39 +0200
+Subject: [PATCH] Rework ABI breaking change to compatible way
+
+Upstream commit 749d1b9ebc6fcb79824afd0471a1cfc12ca861b1 introduced
+was_ratelimited variable to every async callback. Such change led to ABI
+break and increase of soname of libunbound.
+
+Use rcode to pass that boolean inside rcode variable. Allows keeping
+original callback prototype, but does not lose data. Extra integer bit
+operations should be very small price. Much better than ABI break.
+
+Make current version compatible back to .2 version.
+---
+ unbound-1.16.2/configure.ac               |  2 +-
+ unbound-1.16.2/daemon/worker.c            |  6 ++--
+ unbound-1.16.2/libunbound/libworker.c     | 34 +++++++++++++++--------
+ unbound-1.16.2/libunbound/unbound-event.h |  3 +-
+ unbound-1.16.2/libunbound/unbound.h       | 13 +++++----
+ unbound-1.16.2/libunbound/worker.h        |  6 ++--
+ unbound-1.16.2/services/authzone.c        | 11 ++++----
+ unbound-1.16.2/services/authzone.h        |  9 ++----
+ unbound-1.16.2/services/mesh.c            | 17 ++++++++----
+ unbound-1.16.2/services/mesh.h            |  9 +++++-
+ unbound-1.16.2/smallapp/worker_cb.c       |  6 ++--
+ unbound-1.16.2/validator/autotrust.c      |  2 +-
+ unbound-1.16.2/validator/autotrust.h      |  2 +-
+ 13 files changed, 72 insertions(+), 48 deletions(-)
+
+diff --git a/unbound-1.16.2/configure.ac b/unbound-1.16.2/configure.ac
+index 224501b..71f066c 100644
+--- a/unbound-1.16.2/configure.ac
++++ b/unbound-1.16.2/configure.ac
+@@ -19,7 +19,7 @@ AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
+ 
+ LIBUNBOUND_CURRENT=9
+ LIBUNBOUND_REVISION=18
+-LIBUNBOUND_AGE=1
++LIBUNBOUND_AGE=7
+ # 1.0.0 had 0:12:0
+ # 1.0.1 had 0:13:0
+ # 1.0.2 had 0:14:0
+diff --git a/unbound-1.16.2/daemon/worker.c b/unbound-1.16.2/daemon/worker.c
+index 010c4dc..2b87a41 100644
+--- a/unbound-1.16.2/daemon/worker.c
++++ b/unbound-1.16.2/daemon/worker.c
+@@ -2268,21 +2268,21 @@ void libworker_handle_control_cmd(struct tube* ATTR_UNUSED(tube),
+ 
+ void libworker_fg_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
+ 	sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
+-	char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
++	char* ATTR_UNUSED(why_bogus))
+ {
+ 	log_assert(0);
+ }
+ 
+ void libworker_bg_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
+ 	sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
+-	char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
++	char* ATTR_UNUSED(why_bogus))
+ {
+ 	log_assert(0);
+ }
+ 
+ void libworker_event_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
+ 	sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
+-	char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
++	char* ATTR_UNUSED(why_bogus))
+ {
+ 	log_assert(0);
+ }
+diff --git a/unbound-1.16.2/libunbound/libworker.c b/unbound-1.16.2/libunbound/libworker.c
+index 11bf5f9..6895119 100644
+--- a/unbound-1.16.2/libunbound/libworker.c
++++ b/unbound-1.16.2/libunbound/libworker.c
+@@ -549,9 +549,10 @@ libworker_enter_result(struct ub_result* res, sldns_buffer* buf,
+ /** fillup fg results */
+ static void
+ libworker_fillup_fg(struct ctx_query* q, int rcode, sldns_buffer* buf, 
+-	enum sec_status s, char* why_bogus, int was_ratelimited)
++	enum sec_status s, char* why_bogus)
+ {
+-	q->res->was_ratelimited = was_ratelimited;
++	q->res->was_ratelimited = RCODE_IS_RATELIMITED(rcode);
++	rcode = RCODE_NOT_RATELIMITED(rcode);
+ 	if(why_bogus)
+ 		q->res->why_bogus = strdup(why_bogus);
+ 	if(rcode != 0) {
+@@ -575,13 +576,13 @@ libworker_fillup_fg(struct ctx_query* q, int rcode, sldns_buffer* buf,
+ 
+ void
+ libworker_fg_done_cb(void* arg, int rcode, sldns_buffer* buf, enum sec_status s,
+-	char* why_bogus, int was_ratelimited)
++	char* why_bogus)
+ {
+ 	struct ctx_query* q = (struct ctx_query*)arg;
+ 	/* fg query is done; exit comm base */
+ 	comm_base_exit(q->w->base);
+ 
+-	libworker_fillup_fg(q, rcode, buf, s, why_bogus, was_ratelimited);
++	libworker_fillup_fg(q, rcode, buf, s, why_bogus);
+ }
+ 
+ /** setup qinfo and edns */
+@@ -634,7 +635,7 @@ int libworker_fg(struct ub_ctx* ctx, struct ctx_query* q)
+ 		NULL, 0, NULL, 0, NULL)) {
+ 		regional_free_all(w->env->scratch);
+ 		libworker_fillup_fg(q, LDNS_RCODE_NOERROR, 
+-			w->back->udp_buff, sec_status_insecure, NULL, 0);
++			w->back->udp_buff, sec_status_insecure, NULL);
+ 		libworker_delete(w);
+ 		free(qinfo.qname);
+ 		return UB_NOERROR;
+@@ -643,7 +644,7 @@ int libworker_fg(struct ub_ctx* ctx, struct ctx_query* q)
+ 		w->env, &qinfo, &edns, NULL, w->back->udp_buff, w->env->scratch)) {
+ 		regional_free_all(w->env->scratch);
+ 		libworker_fillup_fg(q, LDNS_RCODE_NOERROR, 
+-			w->back->udp_buff, sec_status_insecure, NULL, 0);
++			w->back->udp_buff, sec_status_insecure, NULL);
+ 		libworker_delete(w);
+ 		free(qinfo.qname);
+ 		return UB_NOERROR;
+@@ -665,7 +666,7 @@ int libworker_fg(struct ub_ctx* ctx, struct ctx_query* q)
+ 
+ void
+ libworker_event_done_cb(void* arg, int rcode, sldns_buffer* buf,
+-	enum sec_status s, char* why_bogus, int was_ratelimited)
++	enum sec_status s, char* why_bogus)
+ {
+ 	struct ctx_query* q = (struct ctx_query*)arg;
+ 	ub_event_callback_type cb = q->cb_event;
+@@ -688,7 +689,7 @@ libworker_event_done_cb(void* arg, int rcode, sldns_buffer* buf,
+ 		else if(s == sec_status_secure)
+ 			sec = 2;
+ 		(*cb)(cb_arg, rcode, (buf?(void*)sldns_buffer_begin(buf):NULL),
+-			(buf?(int)sldns_buffer_limit(buf):0), sec, why_bogus, was_ratelimited);
++			(buf?(int)sldns_buffer_limit(buf):0), sec, why_bogus);
+ 	}
+ }
+ 
+@@ -715,7 +716,7 @@ int libworker_attach_mesh(struct ub_ctx* ctx, struct ctx_query* q,
+ 		regional_free_all(w->env->scratch);
+ 		free(qinfo.qname);
+ 		libworker_event_done_cb(q, LDNS_RCODE_NOERROR,
+-			w->back->udp_buff, sec_status_insecure, NULL, 0);
++			w->back->udp_buff, sec_status_insecure, NULL);
+ 		return UB_NOERROR;
+ 	}
+ 	if(ctx->env->auth_zones && auth_zones_answer(ctx->env->auth_zones,
+@@ -723,7 +724,7 @@ int libworker_attach_mesh(struct ub_ctx* ctx, struct ctx_query* q,
+ 		regional_free_all(w->env->scratch);
+ 		free(qinfo.qname);
+ 		libworker_event_done_cb(q, LDNS_RCODE_NOERROR,
+-			w->back->udp_buff, sec_status_insecure, NULL, 0);
++			w->back->udp_buff, sec_status_insecure, NULL);
+ 		return UB_NOERROR;
+ 	}
+ 	/* process new query */
+@@ -788,12 +789,23 @@ add_bg_result(struct libworker* w, struct ctx_query* q, sldns_buffer* pkt,
+ 	}
+ }
+ 
++
++void
++libworker_bg_done_cb_compat(void* arg, int rcode, sldns_buffer* buf, enum sec_status s,
++	char* why_bogus)
++{
++	rcode = RCODE_NOT_RATELIMITED(rcode);
++	libworker_bg_done_cb(arg, rcode, buf, s, why_bogus);
++}
++
+ void
+ libworker_bg_done_cb(void* arg, int rcode, sldns_buffer* buf, enum sec_status s,
+-	char* why_bogus, int was_ratelimited)
++	char* why_bogus)
+ {
++	int was_ratelimited = RCODE_IS_RATELIMITED(rcode);
+ 	struct ctx_query* q = (struct ctx_query*)arg;
+ 
++	rcode = RCODE_NOT_RATELIMITED(rcode);
+ 	if(q->cancelled || q->w->back->want_to_quit) {
+ 		if(q->w->is_bg_thread) {
+ 			/* delete it now */
+diff --git a/unbound-1.16.2/libunbound/unbound-event.h b/unbound-1.16.2/libunbound/unbound-event.h
+index a5d5c03..70aa4c8 100644
+--- a/unbound-1.16.2/libunbound/unbound-event.h
++++ b/unbound-1.16.2/libunbound/unbound-event.h
+@@ -170,7 +170,8 @@ struct ub_event {
+ 	struct ub_event_vmt* vmt;
+ };
+ 
+-typedef void (*ub_event_callback_type)(void*, int, void*, int, int, char*, int);
++/* Uses define LDNS_RCODE_RATELIMITED from services/mesh.h */
++typedef void (*ub_event_callback_type)(void*, int, void*, int, int, char*);
+ 
+ /**
+  * Create a resolving and validation context.
+diff --git a/unbound-1.16.2/libunbound/unbound.h b/unbound-1.16.2/libunbound/unbound.h
+index c779d18..f6d5c7c 100644
+--- a/unbound-1.16.2/libunbound/unbound.h
++++ b/unbound-1.16.2/libunbound/unbound.h
+@@ -203,18 +203,19 @@ struct ub_result {
+ 	 */
+ 	char* why_bogus;
+ 
++	/**
++	 * TTL for the result, in seconds.  If the security is bogus, then
++	 * you also cannot trust this value.
++	 */
++	int ttl;
++
+ 	/**
+ 	 * If the query or one of its subqueries was ratelimited.  Useful if
+ 	 * ratelimiting is enabled and answer to the client is SERVFAIL as a
+ 	 * result.
++	 * RHEL8 Change, moved after ttl.
+ 	 */
+ 	int was_ratelimited;
+-
+-	/**
+-	 * TTL for the result, in seconds.  If the security is bogus, then
+-	 * you also cannot trust this value.
+-	 */
+-	int ttl;
+ };
+ 
+ /**
+diff --git a/unbound-1.16.2/libunbound/worker.h b/unbound-1.16.2/libunbound/worker.h
+index 0fa5bfa..8b64b4d 100644
+--- a/unbound-1.16.2/libunbound/worker.h
++++ b/unbound-1.16.2/libunbound/worker.h
+@@ -90,15 +90,15 @@ void libworker_handle_control_cmd(struct tube* tube, uint8_t* msg, size_t len,
+ 
+ /** mesh callback with fg results */
+ void libworker_fg_done_cb(void* arg, int rcode, sldns_buffer* buf, 
+-	enum sec_status s, char* why_bogus, int was_ratelimited);
++	enum sec_status s, char* why_bogus);
+ 
+ /** mesh callback with bg results */
+ void libworker_bg_done_cb(void* arg, int rcode, sldns_buffer* buf, 
+-	enum sec_status s, char* why_bogus, int was_ratelimited);
++	enum sec_status s, char* why_bogus);
+ 
+ /** mesh callback with event results */
+ void libworker_event_done_cb(void* arg, int rcode, struct sldns_buffer* buf, 
+-	enum sec_status s, char* why_bogus, int was_ratelimited);
++	enum sec_status s, char* why_bogus);
+ 
+ /**
+  * Worker signal handler function. User argument is the worker itself.
+diff --git a/unbound-1.16.2/services/authzone.c b/unbound-1.16.2/services/authzone.c
+index b9e0b11..c72949f 100644
+--- a/unbound-1.16.2/services/authzone.c
++++ b/unbound-1.16.2/services/authzone.c
+@@ -5656,8 +5656,7 @@ xfr_master_add_addrs(struct auth_master* m, struct ub_packed_rrset_key* rrset,
+ 
+ /** callback for task_transfer lookup of host name, of A or AAAA */
+ void auth_xfer_transfer_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
+-	enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus),
+-	int ATTR_UNUSED(was_ratelimited))
++	enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus))
+ {
+ 	struct auth_xfer* xfr = (struct auth_xfer*)arg;
+ 	struct module_env* env;
+@@ -5669,6 +5668,7 @@ void auth_xfer_transfer_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
+ 		return; /* stop on quit */
+ 	}
+ 
++	rcode = RCODE_NOT_RATELIMITED(rcode);
+ 	/* process result */
+ 	if(rcode == LDNS_RCODE_NOERROR) {
+ 		uint16_t wanted_qtype = LDNS_RR_TYPE_A;
+@@ -6717,8 +6717,7 @@ xfr_probe_send_or_end(struct auth_xfer* xfr, struct module_env* env)
+ 
+ /** callback for task_probe lookup of host name, of A or AAAA */
+ void auth_xfer_probe_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
+-	enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus),
+-	int ATTR_UNUSED(was_ratelimited))
++	enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus))
+ {
+ 	struct auth_xfer* xfr = (struct auth_xfer*)arg;
+ 	struct module_env* env;
+@@ -6730,6 +6729,7 @@ void auth_xfer_probe_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
+ 		return; /* stop on quit */
+ 	}
+ 
++	rcode = RCODE_NOT_RATELIMITED(rcode);
+ 	/* process result */
+ 	if(rcode == LDNS_RCODE_NOERROR) {
+ 		uint16_t wanted_qtype = LDNS_RR_TYPE_A;
+@@ -8212,7 +8212,7 @@ auth_zone_verify_zonemd_key_with_ds(struct auth_zone* z,
+ 
+ /** callback for ZONEMD lookup of DNSKEY */
+ void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
+-	enum sec_status sec, char* why_bogus, int ATTR_UNUSED(was_ratelimited))
++	enum sec_status sec, char* why_bogus)
+ {
+ 	struct auth_zone* z = (struct auth_zone*)arg;
+ 	struct module_env* env;
+@@ -8234,6 +8234,7 @@ void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
+ 	if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DS)
+ 		typestr = "DS";
+ 	downprot = env->cfg->harden_algo_downgrade;
++	rcode = RCODE_NOT_RATELIMITED(rcode);
+ 
+ 	/* process result */
+ 	if(sec == sec_status_bogus) {
+diff --git a/unbound-1.16.2/services/authzone.h b/unbound-1.16.2/services/authzone.h
+index 07614ed..b339fc1 100644
+--- a/unbound-1.16.2/services/authzone.h
++++ b/unbound-1.16.2/services/authzone.h
+@@ -690,12 +690,10 @@ void auth_xfer_probe_timer_callback(void* arg);
+ void auth_xfer_transfer_timer_callback(void* arg);
+ /** mesh callback for task_probe on lookup of host names */
+ void auth_xfer_probe_lookup_callback(void* arg, int rcode,
+-	struct sldns_buffer* buf, enum sec_status sec, char* why_bogus,
+-	int was_ratelimited);
++	struct sldns_buffer* buf, enum sec_status sec, char* why_bogus);
+ /** mesh callback for task_transfer on lookup of host names */
+ void auth_xfer_transfer_lookup_callback(void* arg, int rcode,
+-	struct sldns_buffer* buf, enum sec_status sec, char* why_bogus,
+-	int was_ratelimited);
++	struct sldns_buffer* buf, enum sec_status sec, char* why_bogus);
+ 
+ /*
+  * Compares two 32-bit serial numbers as defined in RFC1982.  Returns
+@@ -774,8 +772,7 @@ void auth_zone_verify_zonemd(struct auth_zone* z, struct module_env* env,
+ 
+ /** mesh callback for zonemd on lookup of dnskey */
+ void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode,
+-	struct sldns_buffer* buf, enum sec_status sec, char* why_bogus,
+-	int was_ratelimited);
++	struct sldns_buffer* buf, enum sec_status sec, char* why_bogus);
+ 
+ /**
+  * Check the ZONEMD records that need online DNSSEC chain lookups,
+diff --git a/unbound-1.16.2/services/mesh.c b/unbound-1.16.2/services/mesh.c
+index 30bcf7c..fc3c690 100644
+--- a/unbound-1.16.2/services/mesh.c
++++ b/unbound-1.16.2/services/mesh.c
+@@ -63,6 +63,7 @@
+ #include "util/data/dname.h"
+ #include "respip/respip.h"
+ #include "services/listen_dnsport.h"
++#include "libunbound/unbound-event.h"
+ 
+ #ifdef CLIENT_SUBNET
+ #include "edns-subnet/subnetmod.h"
+@@ -1012,7 +1013,7 @@ mesh_state_cleanup(struct mesh_state* mstate)
+ 			mstate->cb_list = cb->next;
+ 			fptr_ok(fptr_whitelist_mesh_cb(cb->cb));
+ 			(*cb->cb)(cb->cb_arg, LDNS_RCODE_SERVFAIL, NULL,
+-				sec_status_unchecked, NULL, 0);
++				sec_status_unchecked, NULL);
+ 			log_assert(mesh->num_reply_addrs > 0);
+ 			mesh->num_reply_addrs--;
+ 		}
+@@ -1268,8 +1269,9 @@ mesh_do_callback(struct mesh_state* m, int rcode, struct reply_info* rep,
+ 					r->edns.opt_list_inplace_cb_out = NULL;
+ 		}
+ 		fptr_ok(fptr_whitelist_mesh_cb(r->cb));
+-		(*r->cb)(r->cb_arg, rcode, r->buf, sec_status_unchecked, NULL,
+-			was_ratelimited);
++		if (was_ratelimited)
++			rcode |= LDNS_RCODE_RATELIMITED;
++		(*r->cb)(r->cb_arg, rcode, r->buf, sec_status_unchecked, NULL);
+ 	} else {
+ 		size_t udp_size = r->edns.udp_size;
+ 		sldns_buffer_clear(r->buf);
+@@ -1287,11 +1289,14 @@ mesh_do_callback(struct mesh_state* m, int rcode, struct reply_info* rep,
+ 		{
+ 			fptr_ok(fptr_whitelist_mesh_cb(r->cb));
+ 			(*r->cb)(r->cb_arg, LDNS_RCODE_SERVFAIL, r->buf,
+-				sec_status_unchecked, NULL, 0);
++				sec_status_unchecked, NULL);
+ 		} else {
+ 			fptr_ok(fptr_whitelist_mesh_cb(r->cb));
+-			(*r->cb)(r->cb_arg, LDNS_RCODE_NOERROR, r->buf,
+-				rep->security, reason, was_ratelimited);
++			rcode = LDNS_RCODE_NOERROR;
++			if (was_ratelimited)
++				rcode |= LDNS_RCODE_RATELIMITED;
++			(*r->cb)(r->cb_arg, rcode, r->buf,
++				rep->security, reason);
+ 		}
+ 	}
+ 	free(reason);
+diff --git a/unbound-1.16.2/services/mesh.h b/unbound-1.16.2/services/mesh.h
+index 3be9b63..5050d6c 100644
+--- a/unbound-1.16.2/services/mesh.h
++++ b/unbound-1.16.2/services/mesh.h
+@@ -234,13 +234,20 @@ struct mesh_reply {
+ 	struct http2_stream* h2_stream;
+ };
+ 
++/* RHEL 8 compatibility layer.
++ * Special rcode to send was_ratelimited to callback without adding
++ * extra parameter. It is ORed to the rcode parameter of the callback. */
++#define LDNS_RCODE_RATELIMITED 0x100
++#define RCODE_IS_RATELIMITED(rcode) ((rcode & LDNS_RCODE_RATELIMITED) != 0)
++#define RCODE_NOT_RATELIMITED(rcode) (rcode & ~LDNS_RCODE_RATELIMITED)
++
+ /** 
+  * Mesh result callback func.
+  * called as func(cb_arg, rcode, buffer_with_reply, security, why_bogus,
+  *		was_ratelimited);
+  */
+ typedef void (*mesh_cb_func_type)(void* cb_arg, int rcode, struct sldns_buffer*,
+-	enum sec_status, char* why_bogus, int was_ratelimited);
++	enum sec_status, char* why_bogus);
+ 
+ /**
+  * Callback to result routine
+diff --git a/unbound-1.16.2/smallapp/worker_cb.c b/unbound-1.16.2/smallapp/worker_cb.c
+index c689817..c7b1653 100644
+--- a/unbound-1.16.2/smallapp/worker_cb.c
++++ b/unbound-1.16.2/smallapp/worker_cb.c
+@@ -159,21 +159,21 @@ void libworker_handle_control_cmd(struct tube* ATTR_UNUSED(tube),
+ 
+ void libworker_fg_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode), 
+ 	struct sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
+-	char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
++	char* ATTR_UNUSED(why_bogus))
+ {
+ 	log_assert(0);
+ }
+ 
+ void libworker_bg_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode), 
+ 	struct sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
+-	char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
++	char* ATTR_UNUSED(why_bogus))
+ {
+ 	log_assert(0);
+ }
+ 
+ void libworker_event_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode), 
+ 	struct sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
+-	char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
++	char* ATTR_UNUSED(why_bogus))
+ {
+ 	log_assert(0);
+ }
+diff --git a/unbound-1.16.2/validator/autotrust.c b/unbound-1.16.2/validator/autotrust.c
+index 3cdf9ce..40b3e35 100644
+--- a/unbound-1.16.2/validator/autotrust.c
++++ b/unbound-1.16.2/validator/autotrust.c
+@@ -2331,7 +2331,7 @@ autr_debug_print(struct val_anchors* anchors)
+ 
+ void probe_answer_cb(void* arg, int ATTR_UNUSED(rcode), 
+ 	sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(sec),
+-	char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
++	char* ATTR_UNUSED(why_bogus))
+ {
+ 	/* retry was set before the query was done,
+ 	 * re-querytime is set when query succeeded, but that may not
+diff --git a/unbound-1.16.2/validator/autotrust.h b/unbound-1.16.2/validator/autotrust.h
+index 057f2b6..c549798 100644
+--- a/unbound-1.16.2/validator/autotrust.h
++++ b/unbound-1.16.2/validator/autotrust.h
+@@ -206,6 +206,6 @@ void autr_debug_print(struct val_anchors* anchors);
+ 
+ /** callback for query answer to 5011 probe */
+ void probe_answer_cb(void* arg, int rcode, struct sldns_buffer* buf, 
+-	enum sec_status sec, char* errinf, int was_ratelimited);
++	enum sec_status sec, char* errinf);
+ 
+ #endif /* VALIDATOR_AUTOTRUST_H */
+-- 
+2.37.1
+

SOURCES/unbound-1.16-CVE-2022-3204.patch

@@ -0,0 +1,218 @@
+From 7af485f0fc9926425681ba0280ab6c2c8dd04530 Mon Sep 17 00:00:00 2001
+From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
+Date: Wed, 21 Sep 2022 11:10:38 +0200
+Subject: [PATCH] - Patch for CVE-2022-3204 Non-Responsive Delegation Attack.
+
+---
+ unbound-1.16.2/iterator/iter_delegpt.c |  3 +++
+ unbound-1.16.2/iterator/iter_delegpt.h |  2 ++
+ unbound-1.16.2/iterator/iter_utils.c   |  3 +++
+ unbound-1.16.2/iterator/iter_utils.h   |  9 +++++++
+ unbound-1.16.2/iterator/iterator.c     | 36 +++++++++++++++++++++++++-
+ unbound-1.16.2/services/cache/dns.c    |  3 +++
+ unbound-1.16.2/services/mesh.c         |  7 +++++
+ unbound-1.16.2/services/mesh.h         | 11 ++++++++
+ 8 files changed, 73 insertions(+), 1 deletion(-)
+
+diff --git a/unbound-1.16.2/iterator/iter_delegpt.c b/unbound-1.16.2/iterator/iter_delegpt.c
+index 4bffa1b..fd07aaa 100644
+--- a/unbound-1.16.2/iterator/iter_delegpt.c
++++ b/unbound-1.16.2/iterator/iter_delegpt.c
+@@ -78,6 +78,7 @@ struct delegpt* delegpt_copy(struct delegpt* dp, struct regional* region)
+ 		if(!delegpt_add_ns(copy, region, ns->name, ns->lame,
+ 			ns->tls_auth_name, ns->port))
+ 			return NULL;
++		copy->nslist->cache_lookup_count = ns->cache_lookup_count;
+ 		copy->nslist->resolved = ns->resolved;
+ 		copy->nslist->got4 = ns->got4;
+ 		copy->nslist->got6 = ns->got6;
+@@ -121,6 +122,7 @@ delegpt_add_ns(struct delegpt* dp, struct regional* region, uint8_t* name,
+ 	ns->namelen = len;
+ 	dp->nslist = ns;
+ 	ns->name = regional_alloc_init(region, name, ns->namelen);
++	ns->cache_lookup_count = 0;
+ 	ns->resolved = 0;
+ 	ns->got4 = 0;
+ 	ns->got6 = 0;
+@@ -620,6 +622,7 @@ int delegpt_add_ns_mlc(struct delegpt* dp, uint8_t* name, uint8_t lame,
+ 	}
+ 	ns->next = dp->nslist;
+ 	dp->nslist = ns;
++	ns->cache_lookup_count = 0;
+ 	ns->resolved = 0;
+ 	ns->got4 = 0;
+ 	ns->got6 = 0;
+diff --git a/unbound-1.16.2/iterator/iter_delegpt.h b/unbound-1.16.2/iterator/iter_delegpt.h
+index 62c8edc..586597a 100644
+--- a/unbound-1.16.2/iterator/iter_delegpt.h
++++ b/unbound-1.16.2/iterator/iter_delegpt.h
+@@ -101,6 +101,8 @@ struct delegpt_ns {
+ 	uint8_t* name;
+ 	/** length of name */
+ 	size_t namelen;
++	/** number of cache lookups for the name */
++	int cache_lookup_count;
+ 	/** 
+ 	 * If the name has been resolved. false if not queried for yet.
+ 	 * true if the A, AAAA queries have been generated.
+diff --git a/unbound-1.16.2/iterator/iter_utils.c b/unbound-1.16.2/iterator/iter_utils.c
+index 3e13e59..56b184a 100644
+--- a/unbound-1.16.2/iterator/iter_utils.c
++++ b/unbound-1.16.2/iterator/iter_utils.c
+@@ -1209,6 +1209,9 @@ int iter_lookup_parent_glue_from_cache(struct module_env* env,
+ 	struct delegpt_ns* ns;
+ 	size_t num = delegpt_count_targets(dp);
+ 	for(ns = dp->nslist; ns; ns = ns->next) {
++		if(ns->cache_lookup_count > ITERATOR_NAME_CACHELOOKUP_MAX_PSIDE)
++			continue;
++		ns->cache_lookup_count++;
+ 		/* get cached parentside A */
+ 		akey = rrset_cache_lookup(env->rrset_cache, ns->name,
+ 			ns->namelen, LDNS_RR_TYPE_A, qinfo->qclass,
+diff --git a/unbound-1.16.2/iterator/iter_utils.h b/unbound-1.16.2/iterator/iter_utils.h
+index 8583fde..850be96 100644
+--- a/unbound-1.16.2/iterator/iter_utils.h
++++ b/unbound-1.16.2/iterator/iter_utils.h
+@@ -62,6 +62,15 @@ struct ub_packed_rrset_key;
+ struct module_stack;
+ struct outside_network;
+ 
++/* max number of lookups in the cache for target nameserver names.
++ * This stops, for large delegations, N*N lookups in the cache. */
++#define ITERATOR_NAME_CACHELOOKUP_MAX	3
++/* max number of lookups in the cache for parentside glue for nameserver names
++ * This stops, for larger delegations, N*N lookups in the cache.
++ * It is a little larger than the nonpside max, so it allows a couple extra
++ * lookups of parent side glue. */
++#define ITERATOR_NAME_CACHELOOKUP_MAX_PSIDE	5
++
+ /**
+  * Process config options and set iterator module state.
+  * Sets default values if no config is found.
+diff --git a/unbound-1.16.2/iterator/iterator.c b/unbound-1.16.2/iterator/iterator.c
+index 25e5cfe..da9b799 100644
+--- a/unbound-1.16.2/iterator/iterator.c
++++ b/unbound-1.16.2/iterator/iterator.c
+@@ -1218,6 +1218,15 @@ generate_dnskey_prefetch(struct module_qstate* qstate,
+ 		(qstate->query_flags&BIT_RD) && !(qstate->query_flags&BIT_CD)){
+ 		return;
+ 	}
++	/* we do not generate this prefetch when the query list is full,
++	 * the query is fetched, if needed, when the validator wants it.
++	 * At that time the validator waits for it, after spawning it.
++	 * This means there is one state that uses cpu and a socket, the
++	 * spawned while this one waits, and not several at the same time,
++	 * if we had created the lookup here. And this helps to keep
++	 * the total load down, but the query still succeeds to resolve. */
++	if(mesh_jostle_exceeded(qstate->env->mesh))
++		return;
+ 
+ 	/* if the DNSKEY is in the cache this lookup will stop quickly */
+ 	log_nametypeclass(VERB_ALGO, "schedule dnskey prefetch", 
+@@ -1911,6 +1920,14 @@ query_for_targets(struct module_qstate* qstate, struct iter_qstate* iq,
+ 				return 0;
+ 			}
+ 			query_count++;
++			/* If the mesh query list is full, exit the loop here.
++			 * This makes the routine spawn one query at a time,
++			 * and this means there is no query state load
++			 * increase, because the spawned state uses cpu and a
++			 * socket while this state waits for that spawned
++			 * state. Next time we can look up further targets */
++			if(mesh_jostle_exceeded(qstate->env->mesh))
++				break;
+ 		}
+ 		/* Send the A request. */
+ 		if(ie->supports_ipv4 &&
+@@ -1925,6 +1942,9 @@ query_for_targets(struct module_qstate* qstate, struct iter_qstate* iq,
+ 				return 0;
+ 			}
+ 			query_count++;
++			/* If the mesh query list is full, exit the loop. */
++			if(mesh_jostle_exceeded(qstate->env->mesh))
++				break;
+ 		}
+ 
+ 		/* mark this target as in progress. */
+@@ -2085,6 +2105,15 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
+ 			}
+ 			ns->done_pside6 = 1;
+ 			query_count++;
++			if(mesh_jostle_exceeded(qstate->env->mesh)) {
++				/* Wait for the lookup; do not spawn multiple
++				 * lookups at a time. */
++				verbose(VERB_ALGO, "try parent-side glue lookup");
++				iq->num_target_queries += query_count;
++				target_count_increase(iq, query_count);
++				qstate->ext_state[id] = module_wait_subquery;
++				return 0;
++			}
+ 		}
+ 		if(ie->supports_ipv4 && !ns->done_pside4) {
+ 			/* Send the A request. */
+@@ -2560,7 +2589,12 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
+ 	if(iq->depth < ie->max_dependency_depth
+ 		&& iq->num_target_queries == 0
+ 		&& (!iq->target_count || iq->target_count[TARGET_COUNT_NX]==0)
+-		&& iq->sent_count < TARGET_FETCH_STOP) {
++		&& iq->sent_count < TARGET_FETCH_STOP
++		/* if the mesh query list is full, then do not waste cpu
++		 * and sockets to fetch promiscuous targets. They can be
++		 * looked up when needed. */
++		&& !mesh_jostle_exceeded(qstate->env->mesh)
++		) {
+ 		tf_policy = ie->target_fetch_policy[iq->depth];
+ 	}
+ 
+diff --git a/unbound-1.16.2/services/cache/dns.c b/unbound-1.16.2/services/cache/dns.c
+index 6bca8d8..b6e5697 100644
+--- a/unbound-1.16.2/services/cache/dns.c
++++ b/unbound-1.16.2/services/cache/dns.c
+@@ -404,6 +404,9 @@ cache_fill_missing(struct module_env* env, uint16_t qclass,
+ 	struct ub_packed_rrset_key* akey;
+ 	time_t now = *env->now;
+ 	for(ns = dp->nslist; ns; ns = ns->next) {
++		if(ns->cache_lookup_count > ITERATOR_NAME_CACHELOOKUP_MAX)
++			continue;
++		ns->cache_lookup_count++;
+ 		akey = rrset_cache_lookup(env->rrset_cache, ns->name, 
+ 			ns->namelen, LDNS_RR_TYPE_A, qclass, 0, now, 0);
+ 		if(akey) {
+diff --git a/unbound-1.16.2/services/mesh.c b/unbound-1.16.2/services/mesh.c
+index 30bcf7c..2a41194 100644
+--- a/unbound-1.16.2/services/mesh.c
++++ b/unbound-1.16.2/services/mesh.c
+@@ -2240,3 +2240,10 @@ mesh_serve_expired_callback(void* arg)
+ 		mesh_do_callback(mstate, LDNS_RCODE_NOERROR, msg->rep, c, &tv);
+ 	}
+ }
++
++int mesh_jostle_exceeded(struct mesh_area* mesh)
++{
++	if(mesh->all.count < mesh->max_reply_states)
++		return 0;
++	return 1;
++}
+diff --git a/unbound-1.16.2/services/mesh.h b/unbound-1.16.2/services/mesh.h
+index 3be9b63..25121a6 100644
+--- a/unbound-1.16.2/services/mesh.h
++++ b/unbound-1.16.2/services/mesh.h
+@@ -685,4 +685,15 @@ struct dns_msg*
+ mesh_serve_expired_lookup(struct module_qstate* qstate,
+ 	struct query_info* lookup_qinfo);
+ 
++/**
++ * See if the mesh has space for more queries. You can allocate queries
++ * anyway, but this checks for the allocated space.
++ * @param mesh: mesh area.
++ * @return true if the query list is full.
++ * 	It checks the number of all queries, not just number of reply states,
++ * 	that have a client address. So that spawned queries count too,
++ * 	that were created by the iterator, or other modules.
++ */
++int mesh_jostle_exceeded(struct mesh_area* mesh);
++
+ #endif /* SERVICES_MESH_H */
+-- 
+2.37.3
+

SOURCES/unbound-1.16.2.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEE7fqj8spObrBWga+On28cLX4EX40FAmLnudYACgkQn28cLX4E
+X43GmRAAoROXbktLR2AXGEECgPCFlHag9oNZosa3J5yR2vaV4e8eA6AMzPyZbl7P
+LnLon8PZZR+pTW+dDRqakvzJIwXkLeONFgEdvd0cAghWAtPrKCDZIkCyeQj0OOv3
+wt1pRRl2PXUKNZZf0bzpTUIhVsHF/w5f5T/mFAZm49rUDboj77xgokmaFK4kei0I
+Gz4W8Vx3TIwwJc8nea8GtCYIg3UKmR/TMznMFExAoKdMllzKuJnGx5lR/eU0+NRc
+uwWEQhNJrHXZyWethp9swLCrOmDHcgBJOd04TqcDwSIZrw9VuT3/Uza3Tw73N7kr
+PZvF2xSOASL+i91QP6tnkmQD5pAORVpUFN3NePEWV5922iG/pVipaYBbEyV3dfph
+Y4QGwj8G6ppcfjV7gmlxsAOM2gnhD3rDqFmkxau6zB1kktHnV2aqlzIQo396ZBJQ
+hKyIAJlNvpTiFaACD7/cFkE80awJnCD/qvXATN//BWHKytgO8eYg7fZGrxjbpIQk
+XV/vVlOJWRXPyPBnp8MQyCIDe2eq2ELlMfYw62/TNDuj2qKsM/W03cem3GlveOa6
+tw8RVfFFjwZlCLbXSbmsKo+mWJ3jCAvb3/gql52vJDE5FuRz7MvptIVU6DVE1O+J
+mQ3AoQ2Mq9iHsZePfze4sq531DMlWTgBMwqfBTWqMaTC/8VH5rg=
+=Ax9n
+-----END PGP SIGNATURE-----

SOURCES/unbound-1.21-CVE-2024-8508.patch

@@ -0,0 +1,249 @@
+From 34de24d58bb5aa6fe3551512fc17cac08f65d93e Mon Sep 17 00:00:00 2001
+From: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
+Date: Thu, 3 Oct 2024 14:46:57 +0200
+Subject: [PATCH] - Fix CVE-2024-8508, unbounded name compression could lead to
+ denial of service.
+
+---
+ unbound-1.16.2/util/data/msgencode.c | 77 +++++++++++++++++-----------
+ 1 file changed, 46 insertions(+), 31 deletions(-)
+
+diff --git a/unbound-1.16.2/util/data/msgencode.c b/unbound-1.16.2/util/data/msgencode.c
+index fe21cfb..f9e95e6 100644
+--- a/unbound-1.16.2/util/data/msgencode.c
++++ b/unbound-1.16.2/util/data/msgencode.c
+@@ -62,6 +62,10 @@
+ #define RETVAL_TRUNC	-4
+ /** return code that means all is peachy keen. Equal to DNS rcode NOERROR */
+ #define RETVAL_OK	0
++/** Max compressions we are willing to perform; more than that will result
++ *  in semi-compressed messages, or truncated even on TCP for huge messages, to
++ *  avoid locking the CPU for long */
++#define MAX_COMPRESSION_PER_MESSAGE 120
+ 
+ /**
+  * Data structure to help domain name compression in outgoing messages.
+@@ -284,15 +288,17 @@ write_compressed_dname(sldns_buffer* pkt, uint8_t* dname, int labs,
+ 
+ /** compress owner name of RR, return RETVAL_OUTMEM RETVAL_TRUNC */
+ static int
+-compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt, 
+-	struct regional* region, struct compress_tree_node** tree, 
+-	size_t owner_pos, uint16_t* owner_ptr, int owner_labs)
++compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
++	struct regional* region, struct compress_tree_node** tree,
++	size_t owner_pos, uint16_t* owner_ptr, int owner_labs,
++	size_t* compress_count)
+ {
+ 	struct compress_tree_node* p;
+ 	struct compress_tree_node** insertpt = NULL;
+ 	if(!*owner_ptr) {
+ 		/* compress first time dname */
+-		if((p = compress_tree_lookup(tree, key->rk.dname, 
++		if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
++			(p = compress_tree_lookup(tree, key->rk.dname,
+ 			owner_labs, &insertpt))) {
+ 			if(p->labs == owner_labs) 
+ 				/* avoid ptr chains, since some software is
+@@ -301,6 +307,7 @@ compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
+ 			if(!write_compressed_dname(pkt, key->rk.dname, 
+ 				owner_labs, p))
+ 				return RETVAL_TRUNC;
++			(*compress_count)++;
+ 			/* check if typeclass+4 ttl + rdatalen is available */
+ 			if(sldns_buffer_remaining(pkt) < 4+4+2)
+ 				return RETVAL_TRUNC;
+@@ -313,7 +320,8 @@ compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
+ 			if(owner_pos <= PTR_MAX_OFFSET)
+ 				*owner_ptr = htons(PTR_CREATE(owner_pos));
+ 		}
+-		if(!compress_tree_store(key->rk.dname, owner_labs, 
++		if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
++			!compress_tree_store(key->rk.dname, owner_labs,
+ 			owner_pos, region, p, insertpt))
+ 			return RETVAL_OUTMEM;
+ 	} else {
+@@ -333,20 +341,24 @@ compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
+ 
+ /** compress any domain name to the packet, return RETVAL_* */
+ static int
+-compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs, 
+-	struct regional* region, struct compress_tree_node** tree)
++compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs,
++	struct regional* region, struct compress_tree_node** tree,
++	size_t* compress_count)
+ {
+ 	struct compress_tree_node* p;
+ 	struct compress_tree_node** insertpt = NULL;
+ 	size_t pos = sldns_buffer_position(pkt);
+-	if((p = compress_tree_lookup(tree, dname, labs, &insertpt))) {
++	if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
++		(p = compress_tree_lookup(tree, dname, labs, &insertpt))) {
+ 		if(!write_compressed_dname(pkt, dname, labs, p))
+ 			return RETVAL_TRUNC;
++		(*compress_count)++;
+ 	} else {
+ 		if(!dname_buffer_write(pkt, dname))
+ 			return RETVAL_TRUNC;
+ 	}
+-	if(!compress_tree_store(dname, labs, pos, region, p, insertpt))
++	if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
++		!compress_tree_store(dname, labs, pos, region, p, insertpt))
+ 		return RETVAL_OUTMEM;
+ 	return RETVAL_OK;
+ }
+@@ -364,9 +376,9 @@ type_rdata_compressable(struct ub_packed_rrset_key* key)
+ 
+ /** compress domain names in rdata, return RETVAL_* */
+ static int
+-compress_rdata(sldns_buffer* pkt, uint8_t* rdata, size_t todolen, 
+-	struct regional* region, struct compress_tree_node** tree, 
+-	const sldns_rr_descriptor* desc)
++compress_rdata(sldns_buffer* pkt, uint8_t* rdata, size_t todolen,
++	struct regional* region, struct compress_tree_node** tree,
++	const sldns_rr_descriptor* desc, size_t* compress_count)
+ {
+ 	int labs, r, rdf = 0;
+ 	size_t dname_len, len, pos = sldns_buffer_position(pkt);
+@@ -380,8 +392,8 @@ compress_rdata(sldns_buffer* pkt, uint8_t* rdata, size_t todolen,
+ 		switch(desc->_wireformat[rdf]) {
+ 		case LDNS_RDF_TYPE_DNAME:
+ 			labs = dname_count_size_labels(rdata, &dname_len);
+-			if((r=compress_any_dname(rdata, pkt, labs, region, 
+-				tree)) != RETVAL_OK)
++			if((r=compress_any_dname(rdata, pkt, labs, region,
++				tree, compress_count)) != RETVAL_OK)
+ 				return r;
+ 			rdata += dname_len;
+ 			todolen -= dname_len;
+@@ -449,7 +461,8 @@ static int
+ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt, 
+ 	uint16_t* num_rrs, time_t timenow, struct regional* region,
+ 	int do_data, int do_sig, struct compress_tree_node** tree,
+-	sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset)
++	sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset,
++	size_t* compress_count)
+ {
+ 	size_t i, j, owner_pos;
+ 	int r, owner_labs;
+@@ -477,9 +490,9 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
+ 		for(i=0; i<data->count; i++) {
+ 			/* rrset roundrobin */
+ 			j = (i + rr_offset) % data->count;
+-			if((r=compress_owner(key, pkt, region, tree, 
+-				owner_pos, &owner_ptr, owner_labs))
+-				!= RETVAL_OK)
++			if((r=compress_owner(key, pkt, region, tree,
++				owner_pos, &owner_ptr, owner_labs,
++				compress_count)) != RETVAL_OK)
+ 				return r;
+ 			sldns_buffer_write(pkt, &key->rk.type, 2);
+ 			sldns_buffer_write(pkt, &key->rk.rrset_class, 2);
+@@ -489,8 +502,8 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
+ 			else	sldns_buffer_write_u32(pkt, data->rr_ttl[j]-adjust);
+ 			if(c) {
+ 				if((r=compress_rdata(pkt, data->rr_data[j],
+-					data->rr_len[j], region, tree, c))
+-					!= RETVAL_OK)
++					data->rr_len[j], region, tree, c,
++					compress_count)) != RETVAL_OK)
+ 					return r;
+ 			} else {
+ 				if(sldns_buffer_remaining(pkt) < data->rr_len[j])
+@@ -510,9 +523,9 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
+ 					return RETVAL_TRUNC;
+ 				sldns_buffer_write(pkt, &owner_ptr, 2);
+ 			} else {
+-				if((r=compress_any_dname(key->rk.dname, 
+-					pkt, owner_labs, region, tree))
+-					!= RETVAL_OK)
++				if((r=compress_any_dname(key->rk.dname,
++					pkt, owner_labs, region, tree,
++					compress_count)) != RETVAL_OK)
+ 					return r;
+ 				if(sldns_buffer_remaining(pkt) < 
+ 					4+4+data->rr_len[i])
+@@ -544,7 +557,8 @@ static int
+ insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
+ 	sldns_buffer* pkt, size_t rrsets_before, time_t timenow, 
+ 	struct regional* region, struct compress_tree_node** tree,
+-	sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset)
++	sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset,
++	size_t* compress_count)
+ {
+ 	int r;
+ 	size_t i, setstart;
+@@ -560,7 +574,7 @@ insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
+ 			setstart = sldns_buffer_position(pkt);
+ 			if((r=packed_rrset_encode(rep->rrsets[rrsets_before+i], 
+ 				pkt, num_rrs, timenow, region, 1, 1, tree,
+-				s, qtype, dnssec, rr_offset))
++				s, qtype, dnssec, rr_offset, compress_count))
+ 				!= RETVAL_OK) {
+ 				/* Bad, but if due to size must set TC bit */
+ 				/* trim off the rrset neatly. */
+@@ -573,7 +587,7 @@ insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
+ 			setstart = sldns_buffer_position(pkt);
+ 			if((r=packed_rrset_encode(rep->rrsets[rrsets_before+i], 
+ 				pkt, num_rrs, timenow, region, 1, 0, tree,
+-				s, qtype, dnssec, rr_offset))
++				s, qtype, dnssec, rr_offset, compress_count))
+ 				!= RETVAL_OK) {
+ 				sldns_buffer_set_position(pkt, setstart);
+ 				return r;
+@@ -584,7 +598,7 @@ insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
+ 			setstart = sldns_buffer_position(pkt);
+ 			if((r=packed_rrset_encode(rep->rrsets[rrsets_before+i], 
+ 				pkt, num_rrs, timenow, region, 0, 1, tree,
+-				s, qtype, dnssec, rr_offset))
++				s, qtype, dnssec, rr_offset, compress_count))
+ 				!= RETVAL_OK) {
+ 				sldns_buffer_set_position(pkt, setstart);
+ 				return r;
+@@ -677,6 +691,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
+ 	struct compress_tree_node* tree = 0;
+ 	int r;
+ 	size_t rr_offset;
++	size_t compress_count=0;
+ 
+ 	sldns_buffer_clear(buffer);
+ 	if(udpsize < sldns_buffer_limit(buffer))
+@@ -723,7 +738,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
+ 		arep.rrsets = &qinfo->local_alias->rrset;
+ 		if((r=insert_section(&arep, 1, &ancount, buffer, 0,
+ 			timezero, region, &tree, LDNS_SECTION_ANSWER,
+-			qinfo->qtype, dnssec, rr_offset)) != RETVAL_OK) {
++			qinfo->qtype, dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
+ 			if(r == RETVAL_TRUNC) {
+ 				/* create truncated message */
+ 				sldns_buffer_write_u16_at(buffer, 6, ancount);
+@@ -738,7 +753,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
+ 	/* insert answer section */
+ 	if((r=insert_section(rep, rep->an_numrrsets, &ancount, buffer,
+ 		0, timenow, region, &tree, LDNS_SECTION_ANSWER, qinfo->qtype,
+-		dnssec, rr_offset)) != RETVAL_OK) {
++		dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
+ 		if(r == RETVAL_TRUNC) {
+ 			/* create truncated message */
+ 			sldns_buffer_write_u16_at(buffer, 6, ancount);
+@@ -756,7 +771,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
+ 		if((r=insert_section(rep, rep->ns_numrrsets, &nscount, buffer,
+ 			rep->an_numrrsets, timenow, region, &tree,
+ 			LDNS_SECTION_AUTHORITY, qinfo->qtype,
+-			dnssec, rr_offset)) != RETVAL_OK) {
++			dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
+ 			if(r == RETVAL_TRUNC) {
+ 				/* create truncated message */
+ 				sldns_buffer_write_u16_at(buffer, 8, nscount);
+@@ -773,7 +788,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
+ 			if((r=insert_section(rep, rep->ar_numrrsets, &arcount, buffer,
+ 				rep->an_numrrsets + rep->ns_numrrsets, timenow, region,
+ 				&tree, LDNS_SECTION_ADDITIONAL, qinfo->qtype,
+-				dnssec, rr_offset)) != RETVAL_OK) {
++				dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
+ 				if(r == RETVAL_TRUNC) {
+ 					/* no need to set TC bit, this is the additional */
+ 					sldns_buffer_write_u16_at(buffer, 10, arcount);
+-- 
+2.47.0
+

SOURCES/unbound-anchor.service

@@ -0,0 +1,9 @@
+[Unit]
+Description=update of the root trust anchor for DNSSEC validation in unbound
+Documentation=man:unbound-anchor(8)
+
+[Service]
+Type=oneshot
+User=unbound
+ExecStart=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R
+SuccessExitStatus=1

SOURCES/unbound.service

@@ -1,10 +1,9 @@
 [Unit]
 Description=Unbound recursive Domain Name Server
-After=network-online.target
+After=network.target
 After=unbound-keygen.service
 Wants=unbound-keygen.service
-After=unbound-anchor.service
-Wants=unbound-anchor.service
+Wants=unbound-anchor.timer
 Before=nss-lookup.target
 Wants=nss-lookup.target
 
@@ -12,9 +11,9 @@ Wants=nss-lookup.target
 Type=simple
 EnvironmentFile=-/etc/sysconfig/unbound
 ExecStartPre=/usr/sbin/unbound-checkconf
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_UNBOUND_ANCHOR" == "yes" ]; then /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R; else echo "Updates of root keys with unbound-anchor is disabled"; fi'
 ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
 ExecReload=/usr/sbin/unbound-control reload
-Restart=on-abnormal
 
 [Install]
 WantedBy=multi-user.target

SOURCES/unbound.sysconfig

@@ -0,0 +1,3 @@
+# for extra debug, add "-v -v" or change verbosity: in unbound.conf
+
+UNBOUND_OPTIONS=""

SPECS/unbound.spec

@@ -1,226 +1,537 @@
-* Thu Nov 02 2023 Petr Menšík <pemensik@redhat.com> - 1.19.0-1
-- Update to 1.19.0 (#2248686)
+%{?!with_python2:     %global with_python2     0}
+%{?!with_python3:     %global with_python3     1}
+%{?!with_munin:       %global with_munin       1}
 
-* Wed Sep 06 2023 Petr Menšík <pemensik@redhat.com> - 1.18.0-2
-- Skip failing tests on ELN builds
+%global _hardened_build 1
 
-* Fri Sep 01 2023 Petr Menšík <pemensik@redhat.com> - 1.18.0-1
-- Update to 1.18.0 (#2236097)
+#global extra_version rc1
 
-* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.17.1-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+%if 0%{with_python2}
+%global python_primary %{__python2}
+%endif # with_python2
 
-* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 1.17.1-3
-- Rebuilt for Python 3.12
+%if 0%{with_python3}
+%global python_primary %{__python3}
+%endif # with_python3
 
-* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.17.1-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+%if 0%{?rhel}
+%global with_munin   0
 
-* Fri Jan 13 2023 Paul Wouters <paul.wouters@aiven.io - 1.17.1-1
-- Resolved rhbz#2160397 unbound-1.17.1 is available (bugfix release)
-- Add support for building with redis
+%if 0%{?with_python2} && 0%{?rhel} <= 6
+# needed just for EPEL
+%{!?__python2: %global __python2 /usr/bin/python2}
+%{!?python2_sitelib: %global python2_sitelib %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")}
+%{!?python2_sitearch: %global python2_sitearch %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
+%endif # with_python2 && rhel <= 6
 
-* Thu Dec 01 2022 Petr Menšík <pemensik@redhat.com> - 1.17.0-2
-- Move unbound user creation to libs (#2149036)
-- Use systemd-sysusers for user creation (#2105416)
-- Keep original DNSSEC root key as config (#2132103)
+%if 0%{?rhel} <= 7
+%global with_python3 0
+%else
+%global with_python2 0
+%endif # rhel <= 7
+%endif # rhel
 
-* Tue Nov 01 2022 Petr Menšík <pemensik@redhat.com> - 1.17.0-1
-- Update to 1.17.0 (#2134348)
+Summary: Validating, recursive, and caching DNS(SEC) resolver
+Name: unbound
+Version: 1.16.2
+Release: 5.8%{?extra_version:.%{extra_version}}%{?dist}
+License: BSD
+Url: https://www.unbound.net/
+Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
+Source1: unbound.service
+Source2: unbound.conf
+Source3: unbound.munin
+Source4: unbound_munin_
+Source5: root.key
+Source7: unbound-keygen.service
+Source8: tmpfiles-unbound.conf
+Source9: example.com.key
+Source10: example.com.conf
+Source11: block-example.com.conf
+Source12: https://data.iana.org/root-anchors/icannbundle.pem
+Source13: root.anchor
+Source14: unbound.sysconfig
+Source15: unbound-anchor.timer
+Source16: unbound-munin.README
+Source17: unbound-anchor.service
+Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
+Source21: remote-control.conf
 
-* Wed Oct 05 2022 Petr Menšík <pemensik@redhat.com> - 1.16.3-3
-- Correct issues made by unbound-anchor package split (#2110858)
+# Reverts ABI change done in version 1.8.0 (bz#2027735)
+# Makes possible backward binary compatibility with a new features
+Patch1:   unbound-1.15-soversion2-compat.patch
+Patch2:   unbound-1.15-source-compat.patch
+# https://github.com/NLnetLabs/unbound/commit/137719522a8ea5b380fbb6206d2466f402f5b554
+Patch3:   unbound-1.16-CVE-2022-3204.patch
+# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2023-50387_CVE-2023-50868.diff
+Patch4: unbound-1.16-CVE-2023-50387-CVE-2023-50868.patch
+# https://github.com/NLnetLabs/unbound/commit/b7c61d7cc256d6a174e6179622c7fa968272c259
+Patch5: unbound-1.21-CVE-2024-8508.patch
 
-* Fri Sep 30 2022 Petr Menšík <pemensik@redhat.com> - 1.16.3-2
-- Update License tag to SPDX identifier
+BuildRequires: gdb
+BuildRequires: gcc, make
+BuildRequires: byacc, flex, openssl-devel
+BuildRequires: libevent-devel expat-devel
+BuildRequires: pkgconfig
+%if 0%{with_python2}
+BuildRequires: python2-devel swig
+%endif # with_python
+%if 0%{with_python3}
+BuildRequires: python3-devel swig
+%endif # with_python3
+BuildRequires: systemd
+# Required for SVN versions
+BuildRequires: bison
+BuildRequires: automake autoconf libtool
 
-* Fri Sep 23 2022 Petr Menšík <pemensik@redhat.com> - 1.16.3-1
-- Update to 1.16.3 (#2128638)
+%{?systemd_requires}
+# Needed because /usr/sbin/unbound links unbound libs staticly
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+# unbound-keygen.service requires it, bug #2116790
+Requires: openssl
 
-* Tue Aug 09 2022 Paul Wouters <pwouters@redhat.com> - 1.16.2-3
-- sync up to upstream unbound.conf
-- Enable Extended DNS Error codes (RFC8914)
+%description
+Unbound is a validating, recursive, and caching DNS(SEC) resolver.
+
+The C implementation of Unbound is developed and maintained by NLnet
+Labs. It is based on ideas and algorithms taken from a java prototype
+developed by Verisign labs, Nominet, Kirei and ep.net.
+
+Unbound is designed as a set of modular components, so that also
+DNSSEC (secure DNS) validation and stub-resolvers (that do not run
+as a server, but are linked into an application) are easily possible.
+
+%if %{with_munin}
+%package munin
+Summary: Plugin for the munin / munin-node monitoring package
+Requires: munin-node
+Requires: %{name} = %{version}-%{release}, bc
+BuildArch: noarch
+
+%description munin
+Plugin for the munin / munin-node monitoring package
+%endif
+
+%package devel
+Summary: Development package that includes the unbound header files
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}, openssl-devel
+Requires: pkgconfig
+
+%description devel
+The devel package contains the unbound library and the include files
+
+%package libs
+Summary: Libraries used by the unbound server and client applications
+%{?systemd_requires}
+Requires(pre): shadow-utils
+
+%description libs
+Contains libraries used by the unbound server and client applications
+
+%if 0%{with_python2}
+%package -n python2-unbound
+%{?python_provide:%python_provide python2-unbound}
+Summary: Python 2 modules and extensions for unbound
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Provides: unbound-python = %{version}-%{release}
+Obsoletes: unbound-python < %{version}-%{release}
+
+%description -n python2-unbound
+Python 2 modules and extensions for unbound
+%endif # with_python
+
+%if 0%{with_python3}
+%package -n python3-unbound
+Summary: Python 3 modules and extensions for unbound
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+
+%description -n python3-unbound
+Python 3 modules and extensions for unbound
+%endif # with_python3
+
+
+%prep
+%global pkgname %{name}-%{version}%{?extra_version}
+
+%if 0%{with_python2} && 0%{with_python3}
+%global dir_primary %{pkgname}_python3
+%global python_primary %{__python3}
+%global dir_secondary %{pkgname}_python2
+%global python_secondary %{__python2}
+%else
+%global dir_primary %{pkgname}
+%endif # with_python2 && with_python3
+
+%setup -qcn %{pkgname}
+
+pushd %{pkgname}
+
+%patch1 -p2 -b .solib2-compat
+%patch2 -p1 -b .srccompat
+%patch3 -p2 -b .CVE-2022-3204
+%patch4 -p2 -b .CVE-2023-50387-CVE-2023-50868
+%patch5 -p2 -b .CVE-2024-8508
+
+
+# copy common doc files - after here, since it may be patched
+cp -pr doc pythonmod libunbound ../
+popd
+
+%if 0%{with_python2} && 0%{with_python3}
+mv %{pkgname} %{dir_primary}
+cp -a %{dir_primary} %{dir_secondary}
+%endif
+
+%build
+# ./configure script common arguments
+%global configure_args --with-libevent --with-pthreads --with-ssl \\\
+            --disable-rpath --disable-static \\\
+            --enable-relro-now --enable-pie \\\
+            --enable-subnet --enable-ipsecmod \\\
+            --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\
+            --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \\\
+            --enable-sha2 --disable-gost --enable-ecdsa \\\
+            --with-rootkey-file=%{_sharedstatedir}/unbound/root.key \\\
+            --enable-linux-ip-local-port-range
+
+pushd %{dir_primary}
+
+# configure.ac is modified, force refresh
+autoreconf -fiv
+
+%configure  \
+%if 0%{?python_primary:1}
+            --with-pythonmodule --with-pyunbound PYTHON=%{python_primary} \
+%endif # python_primary
+            %{configure_args}
+
+%{__make} %{?_smp_mflags}
+%{__make} %{?_smp_mflags} streamtcp
+
+popd
+
+%if 0%{?python_secondary:1}
+pushd %{dir_secondary}
+%configure  \
+            --with-pythonmodule --with-pyunbound PYTHON=%{python_secondary} \
+            %{configure_args}
+
+%{__make} %{?_smp_mflags}
+popd
+%endif # python_secondary
+
+
+%install
+install -p -m 0644 %{SOURCE16} .
+
+%if 0%{?python_secondary:1}
+# install first secondary build. It will be overwritten by primary
+pushd %{dir_secondary}
+%{__make} DESTDIR=%{buildroot} unbound-event-install install
+popd
+%endif # python_secondary
+
+pushd %{dir_primary}
+%{__make} DESTDIR=%{buildroot} unbound-event-install install
+install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp
+popd
+
+install -d -m 0755 %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig
+install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service
+install -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/unbound-keygen.service
+install -p -m 0644 %{SOURCE15} %{buildroot}%{_unitdir}/unbound-anchor.timer
+install -p -m 0644 %{SOURCE17} %{buildroot}%{_unitdir}/unbound-anchor.service
+install -p -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound
+install -p -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/unbound
+install -p -m 0644 %{SOURCE14} %{buildroot}%{_sysconfdir}/sysconfig/unbound
+%if %{with_munin}
+# Install munin plugin and its softlinks
+install -d -m 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d
+install -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/munin/plugin-conf.d/unbound
+install -d -m 0755 %{buildroot}%{_datadir}/munin/plugins/
+install -p -m 0755 %{SOURCE4} %{buildroot}%{_datadir}/munin/plugins/unbound
+for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unbound_munin_by_type unbound_munin_by_class unbound_munin_by_opcode unbound_munin_by_rcode unbound_munin_by_flags unbound_munin_histogram; do
+    ln -s unbound %{buildroot}%{_datadir}/munin/plugins/$plugin
+done
+%endif
+
+pushd %{dir_primary}
+# install streamtcp man page
+install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
+install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc
+popd
+
+# Install tmpfiles.d config
+install -d -m 0755 %{buildroot}%{_tmpfilesdir} %{buildroot}%{_sharedstatedir}/unbound
+install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf
+
+# install root - we keep a copy of the root key in old location,
+# in case user has changed the configuration and we wouldn't update it there
+install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/
+install -m 0644 %{SOURCE13} %{buildroot}%{_sharedstatedir}/unbound/root.key
+
+# remove static library from install (fedora packaging guidelines)
+rm %{buildroot}%{_libdir}/*.la
+
+
+%if 0%{with_python2}
+rm %{buildroot}%{python2_sitearch}/*.la
+%endif # with_python
+
+%if 0%{with_python3}
+rm %{buildroot}%{python3_sitearch}/*.la
+%endif # with_python3
+
+mkdir -p %{buildroot}%{_localstatedir}/run/unbound
+
+# Install directories for easier config file drop in
+
+mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d}
+install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
+install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
+install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
+install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/
+
+# Link unbound-control-setup.8 manpage to unbound-control.8
+echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
+
+
+%pre libs
+getent group unbound >/dev/null || groupadd -r unbound
+getent passwd unbound >/dev/null || \
+useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \
+-c "Unbound DNS resolver" unbound
+
+%post
+%systemd_post unbound.service
+%systemd_post unbound-keygen.service
+
+%post libs
+%{?ldconfig}
+%systemd_post unbound-anchor.timer
+# start the timer only if installing the package to prevent starting it, if it was stopped on purpose
+if [ "$1" -eq 1 ]; then
+    # the Unit is in presets, but would be started after reboot
+    /bin/systemctl start unbound-anchor.timer >/dev/null 2>&1 || :
+fi
+
+%preun
+%systemd_preun unbound.service
+%systemd_preun unbound-keygen.service
+
+%preun libs
+%systemd_preun unbound-anchor.timer
+
+%postun
+%systemd_postun_with_restart unbound.service
+%systemd_postun unbound-keygen.service
+
+%postun libs
+%{?ldconfig}
+%systemd_postun_with_restart unbound-anchor.timer
+
+%triggerun -- unbound < 1.4.12-4
+# Save the current service runlevel info
+# User must manually run systemd-sysv-convert --apply unbound
+# to migrate them to systemd targets
+/usr/bin/systemd-sysv-convert --save unbound >/dev/null 2>&1 ||:
+
+# Run these because the SysV package being removed won't do them
+/sbin/chkconfig --del unbound >/dev/null 2>&1 || :
+/bin/systemctl try-restart unbound.service >/dev/null 2>&1 || :
+/bin/systemctl try-restart unbound-keygen.service >/dev/null 2>&1 || :
+
+%check
+pushd %{dir_primary}
+#pushd pythonmod
+#make test
+#popd
+
+make check
+
+popd
+
+%if 0%{?python_secondary:1}
+pushd %{dir_secondary}
+#pushd pythonmod
+#make test
+#popd
+make check
+popd
+%endif # python_secondary
+
+
+%files
+%doc doc/CREDITS doc/FEATURES
+%{_unitdir}/%{name}.service
+%{_unitdir}/%{name}-keygen.service
+%attr(0755,unbound,unbound) %dir %{_localstatedir}/run/%{name}
+%attr(0644,root,root) %{_tmpfilesdir}/unbound.conf
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
+%dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d
+%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d/*.key
+%dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/conf.d
+%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/conf.d/*.conf
+%dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/local.d
+%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/local.d/*.conf
+%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.pem
+%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.key
+%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.pem
+%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key
+%{_sbindir}/unbound
+%{_sbindir}/unbound-checkconf
+%{_sbindir}/unbound-control
+%{_sbindir}/unbound-control-setup
+%{_sbindir}/unbound-host
+%{_sbindir}/unbound-streamtcp
+%{_mandir}/man1/*
+%{_mandir}/man5/*
+%exclude %{_mandir}/man8/unbound-anchor*
+%{_mandir}/man8/*
+
+%if 0%{with_python2}
+%files -n python2-unbound
+%license pythonmod/LICENSE
+%{python2_sitearch}/*
+%doc libunbound/python/examples/*
+%doc pythonmod/examples/*
+%endif
+
+%if 0%{with_python3}
+%files -n python3-unbound
+%license pythonmod/LICENSE
+%{python3_sitearch}/*
+%doc libunbound/python/examples/*
+%doc pythonmod/examples/*
+%endif
+
+%if 0%{with_munin}
+%files munin
+%doc unbound-munin.README
+%config(noreplace) %{_sysconfdir}/munin/plugin-conf.d/unbound
+%{_datadir}/munin/plugins/unbound*
+%endif
+
+%files devel
+%{_libdir}/libunbound.so
+%{_includedir}/unbound.h
+%{_includedir}/unbound-event.h
+%{_mandir}/man3/*
+%{_libdir}/pkgconfig/*.pc
+
+%files libs
+%doc doc/README
+%license doc/LICENSE
+%attr(0755,root,root) %dir %{_sysconfdir}/%{name}
+%{_sbindir}/unbound-anchor
+%{_libdir}/libunbound.so.*
+%{_mandir}/man8/unbound-anchor*
+%{_sysconfdir}/%{name}/icannbundle.pem
+%{_unitdir}/unbound-anchor.timer
+%{_unitdir}/unbound-anchor.service
+%dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
+%attr(0644,unbound,unbound) %config %{_sharedstatedir}/%{name}/root.key
+# just left for backwards compat with user changed unbound.conf files - format is different!
+%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
+# modification of root.key is maintained by unbound-achor.service and is intentional, so let rpm know
+%verify(not md5 size mtime) %{_sharedstatedir}/%{name}/root.key
+
+%changelog
+* Tue Nov 12 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.8
+- Prevent unbounded name compression (CVE-2024-8508)
+
+* Tue May 28 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.7
+- Rebuild to propagate to CentOS Stream (RHEL-25500)
+
+* Mon Mar 11 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.6
+- Ensure group access correction reaches also updated configs (CVE-2024-1488)
+
+* Wed Feb 28 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.3
+- Ensure only unbound group can change configuration (CVE-2024-1488)
+
+* Fri Feb 16 2024 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-5.1
+- Fix KeyTrap - Extreme CPU consumption in DNSSEC validator CVE-2023-50387
+- Fix Preparing an NSEC3 closest encloser proof can exhaust CPU resources CVE-2023-50868
+- Resolves: RHEL-25428
+- Resolves: RHEL-25423
+
+* Sat Oct 15 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-5
+- Stop creating wrong devel manual pages (#2135322)
+
+* Sat Oct 15 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-4
+- Apply correctly previous change (CVE-2022-3204)
+
+* Tue Oct 11 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-3
+- Fix NRDelegation attack leading to uncontrolled resource consumption
+  (CVE-2022-3204)
 
 * Tue Aug 09 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-2
-- Require openssl tool for unbound-keygen (#2116790)
+- Require openssl tool for unbound-keygen (#2018806)
 
 * Wed Aug 03 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-1
-- Update to 1.16.2 (#2105947) for CVE-2022-30698 and CVE-2022-30699
+- Update to 1.16.2 (#2027735)
 
-* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.16.0-7
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+* Wed Jun 15 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-2
+- Restart keygen service before every unbound start (#1959468)
 
-* Mon Jun 27 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-6
-- Move unbound-anchor to separate package
-- Move unbound-host and unbound-streamtcp to unbound-utils package
+* Wed Jun 15 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-1
+- Upgrade to 9.16.0 (#2027735)
+- Update to recent version with compatibility with RHEL8 (#2027735)
+- Ensure also source level compatibility with previous version
 
-* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 1.16.0-5
-- Rebuilt for Python 3.11
+* Thu May 19 2022 Richard Lescak <rlescak@gmail.com> - 1.7.3-18
+- Change file mode before owner when configuring remote control unix socket to avoid AVC denials
+- Resolves: rhbz#2038251
 
-* Tue Jun 07 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-4
-- Restart keygen service before every unbound start
-
-* Sat Jun 04 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-1
-- Update to 1.16.0
-
-* Tue Apr 26 2022 Petr Menšík <pemensik@redhat.com> - 1.15.0-3
-- Stop creating wrong devel manual pages (#2078929)
-
-* Wed Apr 20 2022 Petr Menšík <pemensik@redhat.com> - 1.15.0-2
-- Update icannbundle.pem
-
-* Tue Mar 29 2022 Petr Menšík <pemensik@redhat.com> - 1.15.0-1
-- Update to 1.15.0 (#2030608)
-
-* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.13.2-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
-* Sat Nov 06 2021 Adrian Reber <adrian@lisas.de> - 1.13.2-4
-- Rebuilt for protobuf 3.19.0
-
-* Mon Oct 25 2021 Adrian Reber <adrian@lisas.de> - 1.13.2-3
-- Rebuilt for protobuf 3.18.1
-
-* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 1.13.2-2
-- Rebuilt with OpenSSL 3.0.0
-
-* Thu Aug 12 2021 Paul Wouters <paul.wouters@aiven.io> - 1.13.2-1
-- Resolves: rhbz#1992985 unbound-1.13.2 is available
-- Use system-wide crypto policies
-
-* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.13.1-8
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-
-* Wed Jun 02 2021 Python Maint <python-maint@redhat.com> - 1.13.1-7
-- Rebuilt for Python 3.10
-
-* Fri Apr 23 2021 Artem Egorenkov <aegorenk@redhat.com> - 1.13.1-6
+* Mon Apr 26 2021 Artem Egorenkov <aegorenk@redhat.com> - 1.7.3-17
 - Option --enable-linux-ip-local-port-range added to use system configured port range for libunbound on Linux
-- Resolves: rhbz#1935101
+- Resolves: rhbz#1830625
 
-* Tue Apr 13 2021 Paul Wouters <pwouters@redhat.com> - 1.13.1-5
-- Fix unbound.service to use After=network-online.target
-
-* Tue Apr 06 2021 Artem Egorenkov <aegorenk@redhat.com> - 1.13.1-4
+* Tue Apr 06 2021 Artem Egorenkov <aegorenk@redhat.com> - 1.7.3-16
 - Don't start unbound-anchor before unbound service if DISABLE_UNBOUND_ANCHOR
   environment variable equals to "yes"
+- Resolves: rhbz#1922448
 
-* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.13.1-3
-- Rebuilt for updated systemd-rpm-macros
-  See https://pagure.io/fesco/issue/2583.
+* Tue Sep 01 2020 Anna Khaitovich <akhaitov@redhat.com> - 1.7.3-15
+- Fix SPEC file to not check md5 mtime and size of /var/lib/unbound/root.key
+- Resolves: rhbz#1714175
+- Use system-wide crypto policy setting (PROFILE=SYSTEM) instead of custom setting
+- Resolves: rhbz#1842837
+- Enable additional logging in unbound
+- Resolves: rhbz#1850460
+- security hardening from x41 report
+- Resolves: rhbz#1859933
+- symbolic link traversal when writing PID file
+- Resolves: rhbz#1899058
 
-* Mon Feb 15 2021 Victor Stinner <vstinner@python.org> - 1.13.1-2
-- Fix build on Python 3.10 (rhbz#1889726).
+* Thu May 28 2020 Anna Khaitovich <akhaitov@redhat.com> - 1.7.3-14
+- Fix unbound-1.7.3-amplifying-an-incoming-query.patch patch
+- Resolves: rhbz#1839178 (CVE-2020-12662)
 
-* Wed Feb 10 2021 Paul Wouters <pwouters@redhat.com> - 1.13.1-1
-- Resolves rhbz#1860887 unbound-1.13.1 is available
-- Fixup unbound.conf
+* Mon May 25 2020 Anna Khaitovich <akhaitov@redhat.com> - 1.7.3-13
+- Fix two previous patches and add missing patch lines to %%prep
+- Fix amplifying an incoming query into a large number of queries directed to a target
+- Resolves: rhbz#1839178 (CVE-2020-12662)
 
-* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.13.0-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+* Tue Apr 21 2020 Anna Khaitovich <akhaitov@redhat.com> - 1.7.3-12
+- Remove KSK-2010 from configuration files
+- Resolves: rhbz#1665502
+- Replace legacy directory /var/run/ with /run
+- Resolves: rhbz#1766463
+- Resolves: rhbz#1805978
+- Fix memory leak when DNS over TLS forwarding is configured
+- Resolves: rhbz#1819870
 
-* Thu Dec 10 2020 Petr Menšík <pemensik@redhat.com> - 1.13.0-1
-- Update to 1.13.0
+* Thu Apr 16 2020 Artem Egorenkov <aegorenk@redhat.com> - 1.7.3-11
+- Resolves bz1818761. unbound crash fixed.
 
-* Tue Oct 13 2020 Petr Menšík <pemensik@redhat.com> - 1.12.0-1
-- Update to 1.12.0 (#1860887)
+* Tue Dec 10 2019 Tomas Korbar <tkorbar@redhat.com> - 1.7.3-10
+- Secure ipsec mode (#1772061)
+- CVE-2019-18934
 
-* Tue Sep 15 2020 Petr Menšík <pemensik@redhat.com> - 1.10.1-5
-- Move command line tools to utils subpackage
-
-* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.1-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 1.10.1-3
-- Use make macros
-- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
-
-* Fri May 22 2020 Miro Hrončok <mhroncok@redhat.com> - 1.10.1-2
-- Rebuilt for Python 3.9
-
-* Tue May 19 2020 Paul Wouters <pwouters@redhat.com> - 1.10.1-1
-- Resolves: rhbz#1837279 unbound-1.10.1 is available
-- Resolves: rhbz#1837598 CVE-2020-12662 unbound: insufficient control of network message volume leads to DoS
-- Resolves: rhbz#1837609 CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers
-- Updated unbound.conf for new options in 1.10.1
-
-* Wed Apr 29 2020 Paul Wouters <pwouters@redhat.com> - 1.10.0-3
-- Resolves: rhbz#1667742 SELinux is preventing unbound from 'name_bind' accesses on the udp_socket port 61000.
-
-* Thu Apr 16 2020 Artem Egorenkov <aegorenk@redhat.com> - 1.10.0-2
-- Resolves: rhbz#1824536 unbound crash
-
-* Thu Mar 19 2020 Petr Menšík <pemensik@redhat.com> - 1.10.0-1
-- Update to 1.10.0 (#1805199)
-
-* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.6-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Fri Dec 13 2019 Paul Wouters <pwouters@redhat.com> - 1.9.6-1
-- Resolves: rhbz#1758107 unbound-1.9.5 is available
-- Resolves: CVE-2019-18934
-
-* Fri Nov 01 2019 Paul Wouters <pwouters@redhat.com> - 1.9.4-1
-- Fix build on rhel/centos systems
-- Resolves: rhbz#1767955 (CVE-2019-16866) uninitialized memory accesses leads to crash via a crafted NOTIFY query
-
-* Thu Sep 26 2019 Petr Menšík <pihhan@gmail.com> - 1.9.3-2
-- Obsolete no longer provided python2 subpackage (#1749400)
-
-* Tue Aug 27 2019 Paul Wouters <pwouters@redhat.com> - 1.9.3-1
-- Updated to 1.9.3
-- Resolves: rhbz#1672578 unbound-1.9.2 is available
-- Resolves: rhbz#1694831 [/usr/lib/tmpfiles.d/unbound.conf:1] Line references path below legacy directory /var/run/
-- Resolves: rhbz# 1667387 [abrt] unbound: memmove(): unbound killed by SIGABRT
-
-* Thu Aug 22 2019 Miro Hrončok <mhroncok@redhat.com> - 1.8.3-8
-- Subpackage python2-unbound has been removed
-  See https://fedoraproject.org/wiki/Changes/Mass_Python_2_Package_Removal
-
-* Thu Aug 15 2019 Miro Hrončok <mhroncok@redhat.com> - 1.8.3-7
-- Rebuilt for Python 3.8
-
-* Mon Aug  5 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.8.3-6
-- Drop install-time requirements on systemd (#1723777)
-
-* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.3-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.3-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Fri Jan 11 2019 Paul Wouters <pwouters@redhat.com> - 1.8.3-3
-- Remove KSK-2010 from configs - it has been revoked
-
-* Wed Dec 12 2018 Paul Wouters <pwouters@redhat.com> - 1.8.3-2
-- Another dns64 fixup
-
-* Wed Dec 12 2018 Paul Wouters <pwouters@redhat.com> - 1.8.3-1
-- Updated to 1.8.3 with fixes the dns64 bug and has some other minor fixes
-
-* Mon Dec 10 2018 Paul Wouters <pwouters@redhat.com> - 1.8.2-2
-- Fix dns64 allocation in wrong region for returned internal queries.
-
-* Tue Dec 04 2018 Paul Wouters <pwouters@redhat.com> - 1.8.2-1
-- Updated to 1.8.2.
-- Enabled deny ANY query support and edns-tcp-keepalive
-- Set serve-stale timeout to 4h
-- Updated unbound.conf for latest options
-
-* Mon Oct 22 2018 Petr Menšík <pemensik@redhat.com> - 1.8.1-2
-- Allow group by default to unbound-control (#1640259)
-
-* Mon Oct 08 2018 Petr Menšík <pemensik@redhat.com> - 1.8.1-1
-- Update to 1.8.1
-
-* Mon Oct 01 2018 Petr Menšík <pemensik@redhat.com> - 1.8.0-2
-- Skip ipv6 forwarders without ipv6 support (#1633874)
-
-* Wed Sep 19 2018 Petr Menšík <pemensik@redhat.com> - 1.8.0-1
-- Rebase to 1.8.0
-
-* Tue Aug 14 2018 Paul Wouters <pwouters@redhat.com> - 1.7.3-9
-- Fix for restarting unbound service after deleting key/pem files for remote control
+* Tue Dec 10 2019 Tomas Korbar <tkorbar@redhat.com> - 1.7.3-9
+- Use pthread_mutex_t locks when dealing with I/O operations (#1775708)
 
 * Tue Jul 31 2018 Petr Menšík <pemensik@redhat.com> - 1.7.3-8
 - Release memory in unbound-host
@@ -249,16 +560,8 @@
 * Wed Jun 27 2018 Petr Menšík <pemensik@redhat.com> - 1.7.2-3
 - Remove last python2 dependency from python3 build
 
-* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 1.7.2-2
-- Rebuilt for Python 3.7
-
-* Mon Jun 11 2018 Paul Wouters <pwouters@redhat.com> - 1.7.2-1
-- Resolves rhbz#1589807 unbound-1.7.2 is available
-- Add patch to fix stub/forward zone not returning ServFail when TTL expires
-- Enabled the new root-key-sentinel option
-
-* Wed May 30 2018 Petr Menšík <pemensik@redhat.com> - 1.7.1-1
-- Update to 1.7.1 (#1574495)
+* Mon Jun 25 2018 Tomas Hozza <thozza@redhat.com> - 1.7.0-6
+- Disable Python2 support
 
 * Mon Apr 09 2018 Petr Menšík <pemensik@redhat.com> - 1.7.0-5
 - Require gcc and make on build
@@ -313,7 +616,7 @@
 
 * Fri Sep 22 2017 Paul Wouters <pwouters@redhat.com> - 1.6.6-1
 - Resolves: rhbz#1483572 unbound-1.6.6 is available
-- Resolves: rhbz#1465575 unbound fails to start up, complains about missing ipsecmod-hook (edit)
+- Resolves: rhbz#1465575 unbound fails to start up, complains about missing ipsecmod-hook (edit) 
 
 * Wed Aug 16 2017 Paul Wouters <pwouters@redhat.com> - 1.6.4-4
 - Rebuilt with KSK2017 added to root.key and root.anchor
@@ -517,7 +820,7 @@
 - run test suite during the build
 
 * Thu Sep 19 2013 Paul Wouters <pwouters@redhat.com> - 1.4.21-1
-- Updated to 1.4.21,
+- Updated to 1.4.21, 
 - Enabled new max-udp-size: 3072 (so ANY isc.org won't fit)
 - Removed patched merged in by upstream
 - Enable statistics-cumulative for munin-plugin
@@ -640,7 +943,7 @@
 - Updated to 1.4.17 (which mostly brings in patches we already
   applied from svn trunk)
 
-* Wed Feb 29 2012 Paul Wouters <pwouters@redhat.com> - 1.4.16-3
+* Wed Feb 29 2012 Paul Wouters <pwouters@redhat.com> - 1.4.16-3 
 - Since the daemon links to the libs staticly, add Requires:
   (this is rhbz#745288)
 - Package up streamtcp as unbound-streamtcp (for monitoring)
@@ -733,7 +1036,7 @@
 - Upgraded to 1.4.5
 
 * Mon May 31 2010 Paul Wouters <paul@xelerance.com> - 1.4.4-2
-- Added accidentally omitted svn patches to cvs
+- Added accidentally omitted svn patches to cvs 
 
 * Mon May 31 2010 Paul Wouters <paul@xelerance.com> - 1.4.4-1
 - Upgraded to 1.4.4 with svn patches
@@ -743,7 +1046,7 @@
 - Update to 1.4.3 that fixes 64bit crasher
 
 * Tue Mar 09 2010 Paul Wouters <paul@xelerance.com> - 1.4.2-1
-- Updated to 1.4.2
+- Updated to 1.4.2 
 - Updated unbound.conf with new options
 - Enabled pre-fetching DNSKEY records (DNSSEC speedup)
 - Enabled re-fetching popular records before they expire
@@ -892,7 +1195,7 @@
   causes unbound to listen on 0.0.0.0 instead of 127.0.0.1
 
 * Sun Oct 19 2008 Paul Wouters <paul@xelerance.com> - 1.0.2-3
-- Split off unbound-libs, make build verbose
+- Split off unbound-libs, make build verbose 
 
 * Thu Oct  9 2008 Paul Wouters <paul@xelerance.com> - 1.0.2-2
 - FSB compliance, chroot fixes, initscript fixes

ci.fmf

@@ -1 +0,0 @@
-resultsdb-testcase: separate

gating.yaml

@@ -1,25 +0,0 @@
---- !Policy
-product_versions:
-  - fedora-*
-decision_context: bodhi_update_push_testing
-subject_type: koji_build
-rules:
-  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional}
- 
-#Rawhide
---- !Policy
-product_versions:
-  - fedora-*
-decision_context: bodhi_update_push_stable
-subject_type: koji_build
-rules:
-  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional}
- 
-#gating rhel
---- !Policy
-product_versions:
-  - rhel-*
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-public.functional}
-  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-internal.functional}

plans.fmf

@@ -1,36 +0,0 @@
-/tier1-internal:
-  plan:
-    import:
-      url: https://src.fedoraproject.org/tests/unbound.git
-      name: /plans/tier1/internal
-
-/tier1-public:
-  plan:
-    import:
-      url: https://src.fedoraproject.org/tests/unbound.git
-      name: /plans/tier1/public
-
-/tier2-tier3-internal:
-  plan:
-    import:
-      url: https://src.fedoraproject.org/tests/unbound.git
-      name: /plans/tier2-tier3/internal
-
-/tier2-tier3-public:
-  plan:
-    import:
-      url: https://src.fedoraproject.org/tests/unbound.git
-      name: /plans/tier2-tier3/public
-
-/others-internal:
-  plan:
-    import:
-      url: https://src.fedoraproject.org/tests/unbound.git
-      name: /plans/others/internal
-
-/others-public:
-  plan:
-    import:
-      url: https://src.fedoraproject.org/tests/unbound.git
-      name: /plans/others/public
-

sources

@@ -1,2 +0,0 @@
-SHA512 (unbound-1.20.0.tar.gz) = 2f6bc76c03b71ca1c2cd2331dc72d62f51493d15e17c59af46b400e542fcabff22e6b9d33f750a3e5f918a0116f45afa760651b2d5aa2feadac151cbbd71b0bd
-SHA512 (unbound-1.20.0.tar.gz.asc) = 1586a320077c606c5c19f251615df54a61854f51acca02df1d391dcc2287aff2c641b009aeee1a98392f63719d70b6bac23ebb7d86b780f8a27cda6e114fc0ad

unbound-1.13.1-rh1935101.patch

@@ -1,204 +0,0 @@
-diff --git a/config.h.in b/config.h.in
-index 103ad9f..0bb29d9 100644
---- a/config.h.in
-+++ b/config.h.in
-@@ -847,6 +847,14 @@
- /* Define if you enable libevent */
- #undef USE_LIBEVENT
- 
-+/* WARNING! This is only for the libunbound on Linux and does not affect
-+   unbound resolving daemon itself. This may severely limit the number of
-+   available outgoing ports and thus decrease randomness. Define this only
-+   when the target system restricts (e.g. some of SELinux enabled
-+   distributions) the use of non-ephemeral ports. Define this to enable use of
-+   /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range. */
-+#undef USE_LINUX_IP_LOCAL_PORT_RANGE
-+
- /* Define if you want to use internal select based events */
- #undef USE_MINI_EVENT
- 
-diff --git a/configure b/configure
-index c91e8a3..826dce9 100755
---- a/configure
-+++ b/configure
-@@ -898,6 +898,7 @@ enable_ipsecmod
- enable_ipset
- with_libmnl
- enable_explicit_port_randomisation
-+enable_linux_ip_local_port_range
- with_libunbound_only
- '
-       ac_precious_vars='build_alias
-@@ -1590,6 +1591,16 @@ Optional Features:
-   --disable-explicit-port-randomisation
-                           disable explicit source port randomisation and rely
-                           on the kernel to provide random source ports
-+  --enable-linux-ip-local-port-range
-+                          WARNING! This is only for the libunbound on Linux
-+                          and does not affect unbound resolving daemon itself.
-+                          This may severely limit the number of available
-+                          outgoing ports and thus decrease randomness. Use
-+                          this option only when the target system restricts
-+                          the use of non-ephemeral ports. (e.g. some of
-+                          SELinux enabled distributions) Enable this option to
-+                          use /proc/sys/net/ipv4/ip_local_port_range as a
-+                          default outgoing port range
- 
- Optional Packages:
-   --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
-@@ -4202,6 +4213,13 @@ else
- 	else on_mingw="no"; fi
- fi
- 
-+# are we on Linux?
-+if uname -s 2>&1 | grep -i linux >/dev/null; then on_linux="yes"
-+else
-+	if echo $host $target | grep linux >/dev/null; then on_linux="yes"
-+	else on_linux="no"; fi
-+fi
-+
- #
- # Determine configuration file
- # the eval is to evaluate shell expansion twice
-@@ -21588,6 +21606,23 @@ $as_echo "#define DISABLE_EXPLICIT_PORT_RANDOMISATION 1" >>confdefs.h
- 		;;
- esac
- 
-+if test $on_linux = "yes"; then
-+	# Check whether --enable-linux-ip-local-port-range was given.
-+if test "${enable_linux_ip_local_port_range+set}" = set; then :
-+  enableval=$enable_linux_ip_local_port_range;
-+fi
-+
-+	case "$enable_linux_ip_local_port_range" in
-+		yes)
-+
-+$as_echo "#define USE_LINUX_IP_LOCAL_PORT_RANGE 1" >>confdefs.h
-+
-+			;;
-+		no|*)
-+			;;
-+	esac
-+fi
-+
- 
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking if ${MAKE:-make} supports $< with implicit rule in scope" >&5
- $as_echo_n "checking if ${MAKE:-make} supports $< with implicit rule in scope... " >&6; }
-diff --git a/configure.ac b/configure.ac
-index 2d88048..1207047 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -152,6 +152,13 @@ else
- 	else on_mingw="no"; fi
- fi
- 
-+# are we on Linux?
-+if uname -s 2>&1 | grep -i linux >/dev/null; then on_linux="yes"
-+else
-+	if echo $host $target | grep linux >/dev/null; then on_linux="yes"
-+	else on_linux="no"; fi
-+fi
-+
- #
- # Determine configuration file
- # the eval is to evaluate shell expansion twice
-@@ -1847,6 +1854,17 @@ case "$enable_explicit_port_randomisation" in
- 		;;
- esac
- 
-+if test $on_linux = "yes"; then
-+	AC_ARG_ENABLE(linux-ip-local-port-range, AC_HELP_STRING([--enable-linux-ip-local-port-range], [WARNING! This is only for the libunbound on Linux and does not affect unbound resolving daemon itself. This may severely limit the number of available outgoing ports and thus decrease randomness. Use this option only when the target system restricts the use of non-ephemeral ports. (e.g. some of SELinux enabled distributions) Enable this option to use /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range]))
-+	case "$enable_linux_ip_local_port_range" in
-+		yes)
-+			AC_DEFINE([USE_LINUX_IP_LOCAL_PORT_RANGE], [1], [WARNING! This is only for the libunbound on Linux and does not affect unbound resolving daemon itself. This may severely limit the number of available outgoing ports and thus decrease randomness. Define this only when the target system restricts (e.g. some of SELinux enabled distributions) the use of non-ephemeral ports. Define this to enable use of /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range.])
-+			;;
-+		no|*)
-+			;;
-+	esac
-+fi
-+
- 
- AC_MSG_CHECKING([if ${MAKE:-make} supports $< with implicit rule in scope])
- # on openBSD, the implicit rule make $< work.
-diff --git a/libunbound/context.c b/libunbound/context.c
-index cff2831..48d76d9 100644
---- a/libunbound/context.c
-+++ b/libunbound/context.c
-@@ -69,6 +69,7 @@ context_finalize(struct ub_ctx* ctx)
- 	} else {
- 		log_init(cfg->logfile, cfg->use_syslog, NULL);
- 	}
-+	cfg_apply_local_port_policy(cfg, 65536);
- 	config_apply(cfg);
- 	if(!modstack_setup(&ctx->mods, cfg->module_conf, ctx->env))
- 		return UB_INITFAIL;
-diff --git a/util/config_file.c b/util/config_file.c
-index 4d87dee..6b90e48 100644
---- a/util/config_file.c
-+++ b/util/config_file.c
-@@ -1681,6 +1681,37 @@ int cfg_condense_ports(struct config_file* cfg, int** avail)
- 	return num;
- }
- 
-+void cfg_apply_local_port_policy(struct config_file* cfg, int num) {
-+(void)cfg;
-+(void)num;
-+#ifdef USE_LINUX_IP_LOCAL_PORT_RANGE
-+	{
-+		int i = 0;
-+		FILE* range_fd;
-+		if ((range_fd = fopen(LINUX_IP_LOCAL_PORT_RANGE_PATH, "r")) != NULL) {
-+			int min_port = 0;
-+			int max_port = num - 1;
-+			if (fscanf(range_fd, "%d %d", &min_port, &max_port) == 2) {
-+				for(i=0; i<min_port; i++) {
-+					cfg->outgoing_avail_ports[i] = 0;
-+				}
-+				for(i=max_port+1; i<num; i++) {
-+					cfg->outgoing_avail_ports[i] = 0;
-+				}
-+			} else {
-+				log_err("unexpected port range in %s",
-+						LINUX_IP_LOCAL_PORT_RANGE_PATH);
-+			}
-+			fclose(range_fd);
-+		} else {
-+			log_warn("failed to read from file: %s (%s)",
-+					LINUX_IP_LOCAL_PORT_RANGE_PATH,
-+					strerror(errno));
-+		}
-+	}
-+#endif
-+}
-+
- /** print error with file and line number */
- static void ub_c_error_va_list(const char *fmt, va_list args)
- {
-diff --git a/util/config_file.h b/util/config_file.h
-index 7cf27cc..d091ef7 100644
---- a/util/config_file.h
-+++ b/util/config_file.h
-@@ -1172,6 +1172,13 @@ int cfg_mark_ports(const char* str, int allow, int* avail, int num);
-  */
- int cfg_condense_ports(struct config_file* cfg, int** avail);
- 
-+/**
-+ * Apply system specific port range policy.
-+ * @param cfg: config file.
-+ * @param num: size of the array (65536).
-+ */
-+void cfg_apply_local_port_policy(struct config_file* cfg, int num);
-+
- /**
-  * Scan ports available
-  * @param avail: the array from cfg.
-@@ -1301,5 +1308,9 @@ void w_config_adjust_directory(struct config_file* cfg);
- /** debug option for unit tests. */
- extern int fake_dsa, fake_sha1;
- 
-+#ifdef USE_LINUX_IP_LOCAL_PORT_RANGE
-+#define LINUX_IP_LOCAL_PORT_RANGE_PATH "/proc/sys/net/ipv4/ip_local_port_range"
-+#endif
-+
- #endif /* UTIL_CONFIG_FILE_H */
- 

unbound-1.8.0-rh1633874.patch

@@ -1,39 +0,0 @@
-From 9be04e6fac3f4ee8fa08d3671dac41d2156d2ced Mon Sep 17 00:00:00 2001
-From: Wouter Wijngaards <wouter@nlnetlabs.nl>
-Date: Thu, 27 Sep 2018 08:19:29 +0000
-Subject: [PATCH] - Fix #4188: IPv6 forwarders without ipv6 result in SERVFAIL,
- fixes   qname minimisation with a forwarder when connectivity has issues  
- from rejecting responses.
-
-git-svn-id: file:///svn/unbound/trunk@4916 be551aaa-1e26-0410-a405-d3ace91eadb9
----
- iterator/iterator.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/iterator/iterator.c b/iterator/iterator.c
-index 7baf92b7..2f26bd33 100644
---- a/iterator/iterator.c
-+++ b/iterator/iterator.c
-@@ -2174,7 +2174,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
- 		return 0;
- 	}
- 
--	if(iq->minimisation_state == INIT_MINIMISE_STATE) {
-+	if(iq->minimisation_state == INIT_MINIMISE_STATE
-+		&& !(iq->chase_flags & BIT_RD)) {
- 		/* (Re)set qinfo_out to (new) delegation point, except when
- 		 * qinfo_out is already a subdomain of dp. This happens when
- 		 * increasing by more than one label at once (QNAMEs with more
-@@ -2715,7 +2716,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
- 			sock_list_insert(&qstate->reply_origin, 
- 				&qstate->reply->addr, qstate->reply->addrlen, 
- 				qstate->region);
--		if(iq->minimisation_state != DONOT_MINIMISE_STATE) {
-+		if(iq->minimisation_state != DONOT_MINIMISE_STATE
-+			&& !(iq->chase_flags & BIT_RD)) {
- 			if(FLAGS_GET_RCODE(iq->response->rep->flags) != 
- 				LDNS_RCODE_NOERROR) {
- 				if(qstate->env->cfg->qname_minimisation_strict)
--- 
-2.14.4
-

unbound-1.8.1-keygen-group-rights.patch

@@ -1,29 +0,0 @@
-From 6429b5c298b10b96feb6b90c111948df97269f40 Mon Sep 17 00:00:00 2001
-From: Wouter Wijngaards <wouter@nlnetlabs.nl>
-Date: Mon, 22 Oct 2018 10:07:13 +0000
-Subject: [PATCH] - Fix #4192: unbound-control-setup generates keys not
- readable by   group.
-
-git-svn-id: file:///svn/unbound/trunk@4942 be551aaa-1e26-0410-a405-d3ace91eadb9
----
- smallapp/unbound-control-setup.sh.in | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/smallapp/unbound-control-setup.sh.in b/smallapp/unbound-control-setup.sh.in
-index 0d759f44..f4024b43 100644
---- a/smallapp/unbound-control-setup.sh.in
-+++ b/smallapp/unbound-control-setup.sh.in
-@@ -148,8 +148,8 @@ test -f $CTL_BASE.pem || error "could not create $CTL_BASE.pem"
- # echo "empty password is used, simply click OK on the password dialog box."
- # openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate"
- 
--# remove unused permissions
--chmod o-rw $SVR_BASE.pem $SVR_BASE.key $CTL_BASE.pem $CTL_BASE.key
-+# set desired permissions
-+chmod 0640 $SVR_BASE.pem $SVR_BASE.key $CTL_BASE.pem $CTL_BASE.key
- 
- # remove crap
- rm -f request.cfg
--- 
-2.14.4
-

unbound-1.8.2-dns64.patch

@@ -1,13 +0,0 @@
-diff --git a/dns64/dns64.c b/dns64/dns64.c
-index 6c81192..77e6890 100644
---- a/dns64/dns64.c
-+++ b/dns64/dns64.c
-@@ -925,7 +925,7 @@ dns64_inform_super(struct module_qstate* qstate, int id,
- 	 * successful or not. This lets the state machine terminate.
- 	 */
- 	if(!super_dq) {
--		super_dq = (struct dns64_qstate*)regional_alloc(qstate->region,
-+		super_dq = (struct dns64_qstate*)regional_alloc(super->region,
- 			sizeof(*super_dq));
- 		super->minfo[id] = super_dq;
- 		memset(super_dq, 0, sizeof(*super_dq));

unbound-aarch64.patch

@@ -1,22 +0,0 @@
-Index: unbound-1.5.0/compat/getentropy_linux.c
-===================================================================
---- unbound-1.5.0.orig/compat/getentropy_linux.c
-+++ unbound-1.5.0/compat/getentropy_linux.c
-@@ -102,7 +102,7 @@ getentropy(void *buf, size_t len)
- 	if (ret != -1)
- 		return (ret);
- 
--#ifdef CTL_MAXNAME
-+#ifdef SYS__sysctl
- 	/*
- 	 * Try to use sysctl CTL_KERN, KERN_RANDOM, RANDOM_UUID.
- 	 * sysctl is a failsafe API, so it guarantees a result.  This
-@@ -235,7 +235,7 @@ nodevrandom:
- 	return -1;
- }
- 
--#ifdef CTL_MAXNAME
-+#ifdef SYS__sysctl
- static int
- getentropy_sysctl(void *buf, size_t len)
- {

unbound-anchor.service

@@ -1,10 +0,0 @@
-[Unit]
-Description=update of the root trust anchor for DNSSEC validation in unbound
-Documentation=man:unbound-anchor(8)
-
-[Service]
-Type=oneshot
-User=unbound
-EnvironmentFile=-/etc/sysconfig/unbound
-ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi'
-SuccessExitStatus=1

unbound-fedora-config.patch

@@ -1,545 +0,0 @@
-From 135a7be6a2b30b74a9fc239adac45f08ad4eace7 Mon Sep 17 00:00:00 2001
-From: Petr Mensik <pemensik@redhat.com>
-Date: Fri, 10 Nov 2023 12:58:31 +0100
-Subject: [PATCH] Customize unbound.conf for Fedora defaults
-
-Set some Fedora/RHEL specific changes to example configuration file. By
-patching upstream provided config file we would not need to manually
-update external copy in source RPM.
----
- unbound-1.20.0/doc/example.conf.in | 199 +++++++++++++++++++----------
- 1 file changed, 128 insertions(+), 71 deletions(-)
-
-diff --git a/unbound-1.20.0/doc/example.conf.in b/unbound-1.20.0/doc/example.conf.in
-index 0368c8d..5873db5 100644
---- a/unbound-1.20.0/doc/example.conf.in
-+++ b/unbound-1.20.0/doc/example.conf.in
-@@ -17,11 +17,12 @@ server:
- 	# whitespace is not necessary, but looks cleaner.
- 
- 	# verbosity number, 0 is least verbose. 1 is default.
--	# verbosity: 1
-+	verbosity: 1
- 
- 	# print statistics to the log (for every thread) every N seconds.
- 	# Set to "" or 0 to disable. Default is disabled.
--	# statistics-interval: 0
-+	# Needs to be disabled for munin plugin
-+	statistics-interval: 0
- 
- 	# enable shm for stats, default no.  if you enable also enable
- 	# statistics-interval, every time it also writes stats to the
-@@ -32,11 +33,13 @@ server:
- 	# shm-key: 11777
- 
- 	# enable cumulative statistics, without clearing them after printing.
--	# statistics-cumulative: no
-+	# Needs to be disabled for munin plugin
-+	statistics-cumulative: no
- 
- 	# enable extended statistics (query types, answer codes, status)
--	# printed from unbound-control. Default off, because of speed.
--	# extended-statistics: no
-+	# printed from unbound-control. default off, because of speed.
-+	# Needs to be enabled for munin plugin
-+	extended-statistics: yes
- 
- 	# Inhibits selected extended statistics (qtype, qclass, qopcode, rcode,
- 	# rpz-actions) from printing if their value is 0.
-@@ -44,22 +47,35 @@ server:
- 	# statistics-inhibit-zero: yes
- 
- 	# number of threads to create. 1 disables threading.
--	# num-threads: 1
-+	num-threads: 4
- 
- 	# specify the interfaces to answer queries from by ip-address.
- 	# The default is to listen to localhost (127.0.0.1 and ::1).
- 	# specify 0.0.0.0 and ::0 to bind to all available interfaces.
- 	# specify every interface[@port] on a new 'interface:' labelled line.
- 	# The listen interfaces are not changed on reload, only on restart.
-+	# interface: 0.0.0.0
-+	# interface: ::0
- 	# interface: 192.0.2.153
- 	# interface: 192.0.2.154
- 	# interface: 192.0.2.154@5003
- 	# interface: 2001:DB8::5
- 	# interface: eth0@5003
-+	#
-+	# for dns over tls and raw dns over port 80
-+	# interface: 0.0.0.0@443
-+	# interface: ::0@443
-+	# interface: 0.0.0.0@80
-+	# interface: ::0@80
- 
- 	# enable this feature to copy the source address of queries to reply.
- 	# Socket options are not supported on all platforms. experimental.
--	# interface-automatic: no
-+	# interface-automatic: yes
-+	#
-+	# NOTE: Enable this option when specifying interface 0.0.0.0 or ::0
-+	# NOTE: Disabled per Fedora policy not to listen to * on default install
-+	# NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled
-+	interface-automatic: no
- 
- 	# instead of the default port, open additional ports separated by
- 	# spaces when interface-automatic is enabled, by listing them here.
-@@ -94,7 +110,8 @@ server:
- 
- 	# permit Unbound to use this port number or port range for
- 	# making outgoing queries, using an outgoing interface.
--	# outgoing-port-permit: 32768
-+	# Only ephemeral ports are allowed by SElinux
-+	outgoing-port-permit: 32768-60999
- 
- 	# deny Unbound the use this of port number or port range for
- 	# making outgoing queries, using an outgoing interface.
-@@ -103,7 +120,9 @@ server:
- 	# IANA-assigned port numbers.
- 	# If multiple outgoing-port-permit and outgoing-port-avoid options
- 	# are present, they are processed in order.
--	# outgoing-port-avoid: "3200-3208"
-+	# Our SElinux policy does not allow non-ephemeral ports to be used
-+	outgoing-port-avoid: 0-32767
-+	outgoing-port-avoid: 61000-65535
- 
- 	# number of outgoing simultaneous tcp buffers to hold per thread.
- 	# outgoing-num-tcp: 10
-@@ -121,12 +140,12 @@ server:
- 
- 	# use SO_REUSEPORT to distribute queries over threads.
- 	# at extreme load it could be better to turn it off to distribute even.
--	# so-reuseport: yes
-+	so-reuseport: yes
- 
- 	# use IP_TRANSPARENT so the interface: addresses can be non-local
- 	# and you can config non-existing IPs that are going to work later on
- 	# (uses IP_BINDANY on FreeBSD).
--	# ip-transparent: no
-+	ip-transparent: yes
- 
- 	# use IP_FREEBIND so the interface: addresses can be non-local
- 	# and you can bind to nonexisting IPs and interfaces that are down.
-@@ -276,6 +295,8 @@ server:
- 	# nat64-prefix: 64:ff9b::0/96
- 
- 	# Enable UDP, "yes" or "no".
-+	# NOTE: if setting up an Unbound on tls443 for public use, you might want to
-+	# disable UDP to avoid being used in DNS amplification attacks.
- 	# do-udp: yes
- 
- 	# Enable TCP, "yes" or "no".
-@@ -301,7 +322,7 @@ server:
- 	# tcp-idle-timeout: 30000
- 
- 	# Enable EDNS TCP keepalive option.
--	# edns-tcp-keepalive: no
-+	edns-tcp-keepalive: yes
- 
- 	# Timeout for EDNS TCP keepalive, in msec. Overrides tcp-idle-timeout
- 	# if edns-tcp-keepalive is set.
-@@ -311,6 +332,9 @@ server:
- 	# can be dropped. Default is 0, disabled. In seconds, such as 3.
- 	# sock-queue-timeout: 0
- 
-+	# Fedora note: do not activate this - not compiled in because
-+	# it causes frequent unbound crashes. Also, socket activation
-+	# is bad when you have things like dnsmasq also running with libvirt.
- 	# Use systemd socket activation for UDP, TCP, and control sockets.
- 	# use-systemd: no
- 
-@@ -424,6 +448,7 @@ server:
- 	#
- 	# If you give "" no chroot is performed. The path must not end in a /.
- 	# chroot: "@UNBOUND_CHROOT_DIR@"
-+	chroot: ""
- 
- 	# if given, user privileges are dropped (after binding port),
- 	# and the given username is assumed. Default is user "unbound".
-@@ -435,7 +460,7 @@ server:
- 	# is not changed.
- 	# If you give a server: directory: dir before include: file statements
- 	# then those includes can be relative to the working directory.
--	# directory: "@UNBOUND_RUN_DIR@"
-+	directory: "/etc/unbound"
- 
- 	# the log file, "" means log to stderr.
- 	# Use of this option sets use-syslog to "no".
-@@ -450,7 +475,7 @@ server:
- 	# log-identity: ""
- 
- 	# print UTC timestamp in ascii to logfile, default is epoch in seconds.
--	# log-time-ascii: no
-+	log-time-ascii: yes
- 
- 	# print one line with time, IP, name, type, class for every query.
- 	# log-queries: no
-@@ -522,22 +547,22 @@ server:
- 	# harden-large-queries: no
- 
- 	# Harden against out of zone rrsets, to avoid spoofing attempts.
--	# harden-glue: yes
-+	harden-glue: yes
- 
- 	# Harden against receiving dnssec-stripped data. If you turn it
- 	# off, failing to validate dnskey data for a trustanchor will
- 	# trigger insecure mode for that zone (like without a trustanchor).
- 	# Default on, which insists on dnssec data for trust-anchored zones.
--	# harden-dnssec-stripped: yes
-+	harden-dnssec-stripped: yes
- 
- 	# Harden against queries that fall under dnssec-signed nxdomain names.
--	# harden-below-nxdomain: yes
-+	harden-below-nxdomain: yes
- 
- 	# Harden the referral path by performing additional queries for
- 	# infrastructure data.  Validates the replies (if possible).
- 	# Default off, because the lookups burden the server.  Experimental
- 	# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
--	# harden-referral-path: no
-+	harden-referral-path: yes
- 
- 	# Harden against algorithm downgrade when multiple algorithms are
- 	# advertised in the DS record.  If no, allows the weakest algorithm
-@@ -551,7 +576,7 @@ server:
- 	# Sent minimum amount of information to upstream servers to enhance
- 	# privacy. Only sent minimum required labels of the QNAME and set QTYPE
- 	# to A when possible.
--	# qname-minimisation: yes
-+	qname-minimisation: yes
- 
- 	# QNAME minimisation in strict mode. Do not fall-back to sending full
- 	# QNAME to potentially broken nameservers. A lot of domains will not be
-@@ -561,7 +586,7 @@ server:
- 
- 	# Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
- 	# and other denials, using information from previous NXDOMAINs answers.
--	# aggressive-nsec: yes
-+	aggressive-nsec: yes
- 
- 	# Use 0x20-encoded random bits in the query to foil spoof attempts.
- 	# This feature is an experimental implementation of draft dns-0x20.
-@@ -594,7 +619,7 @@ server:
- 	# threshold, a warning is printed and a defensive action is taken,
- 	# the cache is cleared to flush potential poison out of it.
- 	# A suggested value is 10000000, the default is 0 (turned off).
--	# unwanted-reply-threshold: 0
-+	unwanted-reply-threshold: 10000000
- 
- 	# Do not query the following addresses. No DNS queries are sent there.
- 	# List one address per entry. List classless netblocks with /size,
-@@ -606,20 +631,20 @@ server:
- 	# do-not-query-localhost: yes
- 
- 	# if yes, perform prefetching of almost expired message cache entries.
--	# prefetch: no
-+	prefetch: yes
- 
- 	# if yes, perform key lookups adjacent to normal lookups.
--	# prefetch-key: no
-+	prefetch-key: yes
- 
- 	# deny queries of type ANY with an empty response.
--	# deny-any: no
-+	deny-any: yes
- 
- 	# if yes, Unbound rotates RRSet order in response.
--	# rrset-roundrobin: yes
-+	rrset-roundrobin: yes
- 
- 	# if yes, Unbound doesn't insert authority/additional sections
- 	# into response messages when those sections are not required.
--	# minimal-responses: yes
-+	minimal-responses: yes
- 
- 	# true to disable DNSSEC lameness check in iterator.
- 	# disable-dnssec-lame-check: no
-@@ -629,7 +654,9 @@ server:
- 	# most modules have to be listed at the beginning of the line,
- 	# except cachedb(just before iterator), and python (at the beginning,
- 	# or, just before the iterator).
--	# module-config: "validator iterator"
-+	# For redis cachedb use:
-+	#    "ipsecmod validator cachedb iterator"
-+	module-config: "ipsecmod validator iterator"
- 
- 	# File with trusted keys, kept uptodate using RFC5011 probes,
- 	# initial file like trust-anchor-file, then it stores metadata.
-@@ -643,10 +670,10 @@ server:
- 	# auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
- 
- 	# trust anchor signaling sends a RFC8145 key tag query after priming.
--	# trust-anchor-signaling: yes
-+	trust-anchor-signaling: yes
- 
- 	# Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
--	# root-key-sentinel: yes
-+	root-key-sentinel: yes
- 
- 	# File with trusted keys for validation. Specify more than one file
- 	# with several entries, one file per entry.
-@@ -667,6 +694,9 @@ server:
- 	# the trusted-keys { name flag proto algo "key"; }; clauses are read.
- 	# you need external update procedures to track changes in keys.
- 	# trusted-keys-file: ""
-+	#
-+	trusted-keys-file: /etc/unbound/keys.d/*.key
-+	auto-trust-anchor-file: "/var/lib/unbound/root.key"
- 
- 	# Ignore chain of trust. Domain is treated as insecure.
- 	# domain-insecure: "example.com"
-@@ -694,14 +724,15 @@ server:
- 	# unsecure data. Useful to shield the users of this validator from
- 	# potential bogus data in the additional section. All unsigned data
- 	# in the additional section is removed from secure messages.
--	# val-clean-additional: yes
-+	val-clean-additional: yes
- 
- 	# Turn permissive mode on to permit bogus messages. Thus, messages
- 	# for which security checks failed will be returned to clients,
- 	# instead of SERVFAIL. It still performs the security checks, which
- 	# result in interesting log files and possibly the AD bit in
- 	# replies if the message is found secure. The default is off.
--	# val-permissive-mode: no
-+	# NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
-+	val-permissive-mode: no
- 
- 	# Ignore the CD flag in incoming queries and refuse them bogus data.
- 	# Enable it if the only clients of Unbound are legacy servers (w2008)
-@@ -715,11 +746,11 @@ server:
- 
- 	# Serve expired responses from cache, with serve-expired-reply-ttl in
- 	# the response, and then attempt to fetch the data afresh.
--	# serve-expired: no
-+	serve-expired: yes
- 	#
- 	# Limit serving of expired responses to configured seconds after
- 	# expiration. 0 disables the limit.
--	# serve-expired-ttl: 0
-+	serve-expired-ttl: 14400
- 	#
- 	# Set the TTL of expired records to the serve-expired-ttl value after a
- 	# failed attempt to retrieve the record from upstream. This makes sure
-@@ -746,7 +777,7 @@ server:
- 
- 	# Have the validator log failed validations for your diagnosis.
- 	# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
--	# val-log-level: 0
-+	val-log-level: 1
- 
- 	# It is possible to configure NSEC3 maximum iteration counts per
- 	# keysize. Keep this table very short, as linear search is done.
-@@ -890,6 +921,8 @@ server:
- 	# you need to do the reverse notation yourself.
- 	# local-data-ptr: "192.0.2.3 www.example.com"
- 
-+	include: /etc/unbound/local.d/*.conf
-+
- 	# tag a localzone with a list of tag names (in "" with spaces between)
- 	# local-zone-tag: "example.com" "tag2 tag3"
- 
-@@ -900,8 +933,8 @@ server:
- 	# the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
- 	# Give the certificate to use and private key.
- 	# default is "" (disabled).  requires restart to take effect.
--	# tls-service-key: "path/to/privatekeyfile.key"
--	# tls-service-pem: "path/to/publiccertfile.pem"
-+	# tls-service-key: "/etc/unbound/unbound_server.key"
-+	# tls-service-pem: "/etc/unbound/unbound_server.pem"
- 	# tls-port: 853
- 	# https-port: 443
- 
-@@ -909,6 +942,8 @@ server:
- 	# tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
- 	# cipher setting for TLSv1.3
- 	# tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
-+	# Fedora/RHEL: use system-wide crypto policies
-+	tls-ciphers: "PROFILE=SYSTEM"
- 
- 	# Pad responses to padded queries received over TLS
- 	# pad-responses: yes
-@@ -1045,12 +1080,12 @@ server:
- 	# cookie-secret: <128 bit random hex string>
- 
- 	# Enable to attach Extended DNS Error codes (RFC8914) to responses.
--	# ede: no
-+	ede: yes
- 
- 	# Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale
- 	# Answer as EDNS0 option to expired responses.
- 	# Note that the ede option above needs to be enabled for this to work.
--	# ede-serve-expired: no
-+	ede-serve-expired: yes
- 
- 	# Specific options for ipsecmod. Unbound needs to be configured with
- 	# --enable-ipsecmod for these to take effect.
-@@ -1058,12 +1093,14 @@ server:
- 	# Enable or disable ipsecmod (it still needs to be defined in
- 	# module-config above). Can be used when ipsecmod needs to be
- 	# enabled/disabled via remote-control(below).
--	# ipsecmod-enabled: yes
--	#
-+	# Fedora: module will be enabled on-demand by libreswan
-+	ipsecmod-enabled: no
-+
- 	# Path to executable external hook. It must be defined when ipsecmod is
- 	# listed in module-config (above).
- 	# ipsecmod-hook: "./my_executable"
--	#
-+	ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook
-+
- 	# When enabled Unbound will reply with SERVFAIL if the return value of
- 	# the ipsecmod-hook is not 0.
- 	# ipsecmod-strict: no
-@@ -1096,7 +1133,7 @@ server:
- # o and give a python-script to run.
- python:
- 	# Script file to load
--	# python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py"
-+	# python-script: "/etc/unbound/ubmodule-tst.py"
- 
- # Dynamic library config section. To enable:
- # o use --with-dynlibmodule to configure before compiling.
-@@ -1107,13 +1144,18 @@ python:
- #   the module-config then you need one dynlib-file per instance.
- dynlib:
- 	# Script file to load
--	# dynlib-file: "@UNBOUND_SHARE_DIR@/dynlib.so"
-+	# dynlib-file: "/etc/unbound/dynlib.so"
- 
- # Remote control config section.
- remote-control:
- 	# Enable remote control with unbound-control(8) here.
- 	# set up the keys and certificates with unbound-control-setup.
--	# control-enable: no
-+	# Note: required for unbound-munin package
-+	control-enable: yes
-+
-+	# Set to no and use an absolute path as control-interface to use
-+	# a unix local named pipe for unbound-control.
-+	# control-use-cert: yes
- 
- 	# what interfaces are listened to for remote control.
- 	# give 0.0.0.0 and ::0 to listen to all interfaces.
-@@ -1127,19 +1169,22 @@ remote-control:
- 
- 	# for localhost, you can disable use of TLS by setting this to "no"
- 	# For local sockets this option is ignored, and TLS is not used.
--	# control-use-cert: "yes"
-+	control-use-cert: "no"
- 
- 	# Unbound server key file.
--	# server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key"
-+	server-key-file: "/etc/unbound/unbound_server.key"
- 
- 	# Unbound server certificate file.
--	# server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem"
-+	server-cert-file: "/etc/unbound/unbound_server.pem"
- 
- 	# unbound-control key file.
--	# control-key-file: "@UNBOUND_RUN_DIR@/unbound_control.key"
-+	control-key-file: "/etc/unbound/unbound_control.key"
- 
- 	# unbound-control certificate file.
--	# control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
-+	control-cert-file: "/etc/unbound/unbound_control.pem"
-+
-+# Stub and Forward zones
-+include: /etc/unbound/conf.d/*.conf
- 
- # Stub zones.
- # Create entries like below, to make all queries for 'example.com' and
-@@ -1161,6 +1206,10 @@ remote-control:
- #	name: "example.org"
- #	stub-host: ns.example.com.
- 
-+# You can now also dynamically create and delete stub-zone's using
-+# unbound-control stub_add domain.com 1.2.3.4 5.6.7.8
-+# unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8
-+
- # Forward zones
- # Create entries like below, to make all queries for 'example.com' and
- # 'example.org' go to the given list of servers. These servers have to handle
-@@ -1178,6 +1227,10 @@ remote-control:
- # forward-zone:
- # 	name: "example.org"
- # 	forward-host: fwd.example.com
-+#
-+# You can now also dynamically create and delete forward-zone's using
-+# unbound-control forward_add domain.com 1.2.3.4 5.6.7.8
-+# unbound-control forward_remove domain.com 1.2.3.4 5.6.7.8
- 
- # Authority zones
- # The data for these zones is kept locally, from a file or downloaded.
-@@ -1188,27 +1241,28 @@ remote-control:
- # download it), primary: fetches with AXFR and IXFR, or url to zonefile.
- # With allow-notify: you can give additional (apart from primaries and urls)
- # sources of notifies.
--# auth-zone:
--#	name: "."
--#	primary: 170.247.170.2        # b.root-servers.net
--#	primary: 192.33.4.12          # c.root-servers.net
--#	primary: 199.7.91.13          # d.root-servers.net
--#	primary: 192.5.5.241          # f.root-servers.net
--#	primary: 192.112.36.4         # g.root-servers.net
--#	primary: 193.0.14.129         # k.root-servers.net
--#	primary: 192.0.47.132         # xfr.cjr.dns.icann.org
--#	primary: 192.0.32.132         # xfr.lax.dns.icann.org
--#	primary: 2801:1b8:10::b       # b.root-servers.net
--#	primary: 2001:500:2::c        # c.root-servers.net
--#	primary: 2001:500:2d::d       # d.root-servers.net
--#	primary: 2001:500:2f::f       # f.root-servers.net
--#	primary: 2001:500:12::d0d     # g.root-servers.net
--#	primary: 2001:7fd::1          # k.root-servers.net
--#	primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
--#	primary: 2620:0:2d0:202::132  # xfr.lax.dns.icann.org
--#	fallback-enabled: yes
--#	for-downstream: no
--#	for-upstream: yes
-+auth-zone:
-+	name: "."
-+	primary: 170.247.170.2        # b.root-servers.net
-+	primary: 192.33.4.12          # c.root-servers.net
-+	primary: 199.7.91.13          # d.root-servers.net
-+	primary: 192.5.5.241          # f.root-servers.net
-+	primary: 192.112.36.4         # g.root-servers.net
-+	primary: 193.0.14.129         # k.root-servers.net
-+	primary: 192.0.47.132         # xfr.cjr.dns.icann.org
-+	primary: 192.0.32.132         # xfr.lax.dns.icann.org
-+	primary: 2801:1b8:10::b       # b.root-servers.net
-+	primary: 2001:500:2::c        # c.root-servers.net
-+	primary: 2001:500:2d::d       # d.root-servers.net
-+	primary: 2001:500:2f::f       # f.root-servers.net
-+	primary: 2001:500:12::d0d     # g.root-servers.net
-+	primary: 2001:7fd::1          # k.root-servers.net
-+	primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
-+	primary: 2620:0:2d0:202::132  # xfr.lax.dns.icann.org
-+	fallback-enabled: yes
-+	for-downstream: no
-+	for-upstream: yes
-+
- # auth-zone:
- #	name: "example.org"
- #	for-downstream: yes
-@@ -1234,6 +1288,9 @@ remote-control:
- #	name: "anotherview"
- #	local-zone: "example.com" refuse
- 
-+# Fedora: DNSCrypt support not enabled since it requires linking to
-+#         another crypto library
-+#
- # DNSCrypt
- # To enable, use --enable-dnscrypt to configure before compiling.
- # Caveats:
-@@ -1309,7 +1366,7 @@ remote-control:
- # 	dnstap-enable: no
- # 	# if set to yes frame streams will be used in bidirectional mode
- # 	dnstap-bidirectional: yes
--# 	dnstap-socket-path: "@DNSTAP_SOCKET_PATH@"
-+# 	dnstap-socket-path: "/etc/unbound/dnstap.sock"
- # 	# if "" use the unix socket in dnstap-socket-path, otherwise,
- # 	# set it to "IPaddress[@port]" of the destination.
- # 	dnstap-ip: ""
--- 
-2.45.2
-

unbound-python310.patch

@@ -1,107 +0,0 @@
-Fix build on Python 3.10 (rhbz#1889726).
-
-Backport two fixes:
-* https://github.com/NLnetLabs/unbound/commit/e0d426ebb10653a78bf5c4053198f6ac19bfcd3e
-* https://github.com/NLnetLabs/unbound/pull/427
-
-diff --git a/libunbound/python/libunbound.i b/libunbound/python/libunbound.i
-index a23c45b9c..ab244a6fb 100644
---- a/libunbound/python/libunbound.i
-+++ b/libunbound/python/libunbound.i
-@@ -916,7 +916,13 @@ int _ub_resolve_async(struct ub_ctx* ctx, char* name, int rrtype, int rrclass, v
-       struct cb_data* id;
-       id = (struct cb_data*) iddata;
-       arglist = Py_BuildValue("(OiO)",id->data,status, SWIG_NewPointerObj(SWIG_as_voidptr(result), SWIGTYPE_p_ub_result, 0 |  0 ));   // Build argument list
-+#if PY_MAJOR_VERSION <= 2 || (PY_MAJOR_VERSION == 3 && PY_MINOR_VERSION < 9)
-+      /* for python before 3.9 */
-       fresult = PyEval_CallObject(id->func,arglist);     // Call Python
-+#else
-+      /* for python 3.9 and newer */
-+      fresult = PyObject_Call(id->func,arglist,NULL);
-+#endif
-       Py_DECREF(id->func);
-       Py_DECREF(id->data);
-       free(id);
-diff --git a/pythonmod/pythonmod.c b/pythonmod/pythonmod.c
-index 9006429ef..040ff7051 100644
---- a/pythonmod/pythonmod.c
-+++ b/pythonmod/pythonmod.c
-@@ -299,7 +299,10 @@ int pythonmod_init(struct module_env* env, int id)
-       PyImport_AppendInittab(SWIG_name, (void*)SWIG_init);
- #endif
-       Py_Initialize();
-+#if PY_MAJOR_VERSION <= 2 || (PY_MAJOR_VERSION == 3 && PY_MINOR_VERSION <= 6)
-+      /* initthreads only for python 3.6 and older */
-       PyEval_InitThreads();
-+#endif
-       SWIG_init();
-       mainthr = PyEval_SaveThread();
-    }
-@@ -354,6 +357,8 @@ int pythonmod_init(struct module_env* env, int id)
-    /* TODO: deallocation of pe->... if an error occurs */
- 
-    if (PyRun_SimpleFile(script_py, pe->fname) < 0) {
-+#if PY_MAJOR_VERSION <= 2 || (PY_MAJOR_VERSION == 3 && PY_MINOR_VERSION < 9)
-+      /* for python before 3.9 */
-       log_err("pythonmod: can't parse Python script %s", pe->fname);
-       /* print the error to logs too, run it again */
-       fseek(script_py, 0, SEEK_SET);
-@@ -369,9 +374,45 @@ int pythonmod_init(struct module_env* env, int id)
-       /* ignore the NULL return of _node, it is NULL due to the parse failure
-        * that we are expecting */
-       (void)PyParser_SimpleParseFile(script_py, pe->fname, Py_file_input);
-+#else
-+      /* for python 3.9 and newer */
-+      char* fstr = NULL;
-+      size_t flen = 0;
-+      log_err("pythonmod: can't parse Python script %s", pe->fname);
-+      /* print the error to logs too, run it again */
-+      fseek(script_py, 0, SEEK_END);
-+      flen = (size_t)ftell(script_py);
-+      fstr = malloc(flen+1);
-+      if(!fstr) {
-+	      log_err("malloc failure to print parse error");
-+	      PyGILState_Release(gil);
-+	      fclose(script_py);
-+	      return 0;
-+      }
-+      fseek(script_py, 0, SEEK_SET);
-+      if(fread(fstr, flen, 1, script_py) < 1) {
-+	      log_err("file read failed to print parse error: %s: %s",
-+		pe->fname, strerror(errno));
-+	      PyGILState_Release(gil);
-+	      fclose(script_py);
-+	      free(fstr);
-+	      return 0;
-+      }
-+      fstr[flen] = 0;
-+      /* we compile the string, but do not run it, to stop side-effects */
-+      /* ignore the NULL return of _node, it is NULL due to the parse failure
-+       * that we are expecting */
-+      (void)Py_CompileString(fstr, pe->fname, Py_file_input);
-+#endif
-       log_py_err();
-       PyGILState_Release(gil);
-       fclose(script_py);
-+#if PY_MAJOR_VERSION <= 2 || (PY_MAJOR_VERSION == 3 && PY_MINOR_VERSION < 9)
-+      /* no cleanup needed for python before 3.9 */
-+#else
-+      /* cleanup for python 3.9 and newer */
-+      free(fstr);
-+#endif
-       return 0;
-    }
- #if PY_MAJOR_VERSION < 3
-diff --git a/pythonmod/pythonmod.c b/pythonmod/pythonmod.c
-index 040ff70..6e60d02 100644
---- a/pythonmod/pythonmod.c
-+++ b/pythonmod/pythonmod.c
-@@ -338,7 +338,7 @@ int pythonmod_init(struct module_env* env, int id)
-    PyFileObject = PyFile_FromString((char*)pe->fname, "r");
-    script_py = PyFile_AsFile(PyFileObject);
- #else
--   script_py = _Py_fopen(pe->fname, "r");
-+   script_py = fopen(pe->fname, "r");
- #endif
-    if (script_py == NULL)
-    {

unbound.rpmlintrc

@@ -1,30 +0,0 @@
-addFilter(r'crypto-policy-non-compliance-openssl')
-
-# Ignore generated certificates
-addFilter(r'non-readable /etc/unbound/unbound_control.key')
-addFilter(r'non-readable /etc/unbound/unbound_control.pem')
-addFilter(r'non-readable /etc/unbound/unbound_server.key')
-addFilter(r'non-readable /etc/unbound/unbound_server.pem')
-
-addFilter(r'non-standard-gid /etc/unbound/unbound_control.pem')
-addFilter(r'non-standard-gid /etc/unbound/unbound_control.key')
-addFilter(r'non-standard-gid /etc/unbound/unbound_server.pem')
-addFilter(r'non-standard-gid /etc/unbound/unbound_server.key')
-
-# Yes, it is indeed certificate
-addFilter(r'pem-certificate /etc/unbound/icannbundle.pem')
-
-# These files are intentionally replaceable.
-addFilter(r'conffile-without-noreplace-flag /etc/unbound/icannbundle.pem')
-addFilter(r'conffile-without-noreplace-flag /etc/unbound/root.key')
-addFilter(r'conffile-without-noreplace-flag /var/lib/unbound/root.key')
-
-# ldconfig is no longer required
-addFilter(r'post[iu]n-without-ldconfig /usr/lib64/libunbound.so')
-
-# Ignore unbound owned files 
-addFilter(r'non-standard-[ug]id (/var/lib|/etc|/run)/unbound')
-
-# Ignore spelling errors
-addFilter(r'spelling-error %description -l en_US ep ')
-addFilter(r'spelling-error %description -l en_US resolvers ')

unbound.spec

@@ -1,503 +0,0 @@
-%{?!with_python2:     %global with_python2     0}
-%{?!with_python3:     %global with_python3     1}
-%{?!with_munin:       %global with_munin       1}
-%bcond_without dnstap
-%bcond_with    systemd
-%bcond_without doh
-%bcond_with redis
-
-%global _hardened_build 1
-
-#global extra_version rc1
-
-%if 0%{with_python2}
-%global python_primary %{__python2}
-%endif
-
-%if 0%{with_python3}
-%global python_primary %{__python3}
-%endif
-
-%if 0%{?rhel}
-%global with_munin   0
-
-%if 0%{?rhel} <= 7
-%global with_python3 0
-%else
-%global with_python2 0
-%endif
-%endif
-
-Summary: Validating, recursive, and caching DNS(SEC) resolver
-Name: unbound
-Version: 1.20.0
-Release: %autorelease %{?extra_version:-e %{extra_version}}
-License: BSD-3-Clause
-Url: https://nlnetlabs.nl/projects/unbound/
-Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
-Source1: unbound.service
-Source3: unbound.munin
-Source4: unbound_munin_
-Source5: root.key
-Source7: unbound-keygen.service
-Source8: tmpfiles-unbound.conf
-Source9: example.com.key
-Source10: example.com.conf
-Source11: block-example.com.conf
-Source12: https://data.iana.org/root-anchors/icannbundle.pem
-Source13: root.anchor
-Source14: unbound.sysconfig
-Source15: unbound-anchor.timer
-Source16: unbound-munin.README
-Source17: unbound-anchor.service
-Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
-# source: https://nlnetlabs.nl/people/
-Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
-Source20: unbound.sysusers
-
-# Downstream configuration changes
-Patch1:   unbound-fedora-config.patch
-
-BuildRequires: gcc, make
-BuildRequires: flex, openssl-devel
-BuildRequires: libevent-devel expat-devel
-BuildRequires: pkgconfig
-%if 0%{?fedora}
-BuildRequires: gnupg2
-%endif
-%if 0%{with_python2}
-BuildRequires: python2-devel swig
-%endif
-%if 0%{with_python3}
-BuildRequires: python3-devel swig
-%endif
-%if %{with dnstap}
-BuildRequires: fstrm-devel protobuf-c-devel
-%endif
-%if %{with systemd}
-BuildRequires: systemd-devel
-%endif
-%if %{with doh}
-BuildRequires: libnghttp2-devel
-%endif
-%if %{with redis}
-BuildRequires: hiredis-devel
-%endif
-%if 0%{?fedora} >= 30 || 0%{?rhel} >= 9
-BuildRequires: systemd-rpm-macros
-%else
-BuildRequires: systemd
-%endif
-# Required for SVN versions
-# BuildRequires: bison
-# BuildRequires: automake autoconf libtool
-
-# Needed because /usr/sbin/unbound links unbound libs staticly
-Requires: %{name}-libs%{?_isa} = %{version}-%{release}
-Requires: %{name}-anchor%{?_isa} = %{version}-%{release}
-Recommends: %{name}-utils%{?_isa} = %{version}-%{release}
-# unbound-keygen.service requires it, bug #2116790
-Requires: openssl
-
-%description
-Unbound is a validating, recursive, and caching DNS(SEC) resolver.
-
-The C implementation of Unbound is developed and maintained by NLnet
-Labs. It is based on ideas and algorithms taken from a java prototype
-developed by Verisign labs, Nominet, Kirei and ep.net.
-
-Unbound is designed as a set of modular components, so that also
-DNSSEC (secure DNS) validation and stub-resolvers (that do not run
-as a server, but are linked into an application) are easily possible.
-
-%if %{with_munin}
-%package munin
-Summary: Plugin for the munin / munin-node monitoring package
-Requires: munin-node
-Requires: %{name} = %{version}-%{release}, bc
-BuildArch: noarch
-
-%description munin
-Plugin for the munin / munin-node monitoring package
-%endif
-
-%package devel
-Summary: Development package that includes the unbound header files
-Requires: %{name}-libs%{?_isa} = %{version}-%{release}, openssl-devel
-Requires: pkgconfig
-
-%description devel
-The devel package contains the unbound library and the include files
-
-%package libs
-Summary: Libraries used by the unbound server and client applications
-Recommends: %{name}-anchor
-%{?sysusers_requires_compat}
-%if ! 0%{with_python2}
-# Make explicit conflict with no longer provided python package
-Obsoletes: python2-unbound < 1.9.3
-%endif
-
-%description libs
-Contains libraries used by the unbound server and client applications.
-
-%package anchor
-Requires: %{name}-libs%{?_isa} = %{version}-%{release}
-Summary: DNSSEC trust anchor maintaining tool
-
-%description anchor
-Contains tool maintaining trust anchor using RFC 5011 key rollover algorithm.
-
-%package utils
-Requires: %{name}-libs%{?_isa} = %{version}-%{release}
-Summary: Unbound DNS lookup utilities
-
-%description utils
-Contains tools for making DNS queries. Can make queries to DNS servers
-also over TLS connection or validate DNSSEC signatures. Similar to
-bind-utils.
-
-%if 0%{with_python2}
-%package -n python2-unbound
-%{?python_provide:%python_provide python2-unbound}
-Summary: Python 2 modules and extensions for unbound
-Requires: %{name}-libs%{?_isa} = %{version}-%{release}
-Provides: unbound-python = %{version}-%{release}
-Obsoletes: unbound-python < %{version}-%{release}
-
-%description -n python2-unbound
-Python 2 modules and extensions for unbound
-%endif
-
-%if 0%{with_python3}
-%package -n python3-unbound
-Summary: Python 3 modules and extensions for unbound
-Requires: %{name}-libs%{?_isa} = %{version}-%{release}
-%if ! 0%{with_python2}
-# Make explicit conflict with no longer provided python package
-Conflicts: python2-unbound < 1.9.3
-%endif
-
-%description -n python3-unbound
-Python 3 modules and extensions for unbound
-%endif
-
-
-%prep
-%if 0%{?fedora}
-%{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}'
-%endif
-%global pkgname %{name}-%{version}%{?extra_version}
-
-%if 0%{with_python2} && 0%{with_python3}
-%global dir_primary %{pkgname}_python3
-%global python_primary %{__python3}
-%global dir_secondary %{pkgname}_python2
-%global python_secondary %{__python2}
-%else
-%global dir_primary %{pkgname}
-%endif
-
-%autosetup -c -N -n %{pkgname}
-
-pushd %{pkgname}
-# patches go here
-%autopatch -p2
-
-# only for snapshots
-# autoreconf -iv
-
-# copy common doc files - after here, since it may be patched
-cp -pr doc pythonmod libunbound ../
-
-%if 0%{?rhel} > 8
-  # SHA-1 breaks some tests. Disable just some tests because of that.
-  # This got broken in ELN
-  ls testdata/*.rpl
-  for TEST in autotrust_init_fail autotrust_init_failsig; do
-    mv testdata/${TEST}.rpl{,-disabled} 
-  done
-%endif
-popd
-
-%if 0%{with_python2} && 0%{with_python3}
-mv %{pkgname} %{dir_primary}
-cp -a %{dir_primary} %{dir_secondary}
-%endif
-
-%build
-# This is needed to rebuild the configure script to support Python 3.x
-# autoreconf -iv
-
-# ./configure script common arguments
-%global configure_args --with-libevent --with-pthreads --with-ssl \\\
-            --disable-rpath --disable-static \\\
-            --enable-relro-now --enable-pie \\\
-            --enable-subnet --enable-ipsecmod \\\
-            --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\
-            --with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\
-            --enable-sha2 --disable-gost --enable-ecdsa \\\
-            --with-rootkey-file=%{_sharedstatedir}/%{name}/root.key \\\
-            --with-username=unbound \\\
-            --enable-linux-ip-local-port-range \\\
-
-
-pushd %{dir_primary}
-
-%configure  \
-%if 0%{?python_primary:1}
-            --with-pythonmodule --with-pyunbound PYTHON=%{python_primary} \
-%endif
-%if %{with dnstap}
-            --enable-dnstap \
-%endif
-%if %{with systemd}
-            --enable-systemd \
-%endif
-%if %{with doh}
-            --with-libnghttp2 \
-%endif
-%if 0%{?rhel}
-            --disable-sha1 \
-%endif
-%if %{with redis}
-            --with-libhiredis \
-            --enable-cachedb \
-%endif
-            %{configure_args}
-
-%make_build
-%make_build streamtcp
-
-popd
-
-%if 0%{?python_secondary:1}
-pushd %{dir_secondary}
-%configure  \
-            --with-pythonmodule --with-pyunbound PYTHON=%{python_secondary} \
-%if %{with dnstap}
-            --enable-dnstap \
-%endif
-%if %{with systemd}
-            --enable-systemd \
-%endif
-            %{configure_args}
-
-%make_build
-popd
-%endif
-
-
-%install
-install -p -m 0644 %{SOURCE16} .
-
-%if 0%{?python_secondary:1}
-# install first secondary build. It will be overwritten by primary
-pushd %{dir_secondary}
-%make_install unbound-event-install
-popd
-%endif
-
-pushd %{dir_primary}
-%make_install unbound-event-install
-install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp
-install -p -m 0755 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf
-popd
-
-install -d -m 0755 %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig
-install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service
-install -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/unbound-keygen.service
-install -p -m 0644 %{SOURCE15} %{buildroot}%{_unitdir}/unbound-anchor.timer
-install -p -m 0644 %{SOURCE17} %{buildroot}%{_unitdir}/unbound-anchor.service
-install -p -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/unbound
-install -p -m 0644 %{SOURCE14} %{buildroot}%{_sysconfdir}/sysconfig/unbound
-install -p -D -m 0644 %{SOURCE20} %{buildroot}%{_sysusersdir}/%{name}.conf
-%if %{with_munin}
-# Install munin plugin and its softlinks
-install -d -m 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d
-install -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/munin/plugin-conf.d/unbound
-install -d -m 0755 %{buildroot}%{_datadir}/munin/plugins/
-install -p -m 0755 %{SOURCE4} %{buildroot}%{_datadir}/munin/plugins/unbound
-for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unbound_munin_by_type unbound_munin_by_class unbound_munin_by_opcode unbound_munin_by_rcode unbound_munin_by_flags unbound_munin_histogram; do
-    ln -s unbound %{buildroot}%{_datadir}/munin/plugins/$plugin
-done
-%endif
-
-pushd %{dir_primary}
-# install streamtcp man page
-install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
-install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc
-popd
-
-# Install tmpfiles.d config
-install -d -m 0755 %{buildroot}%{_tmpfilesdir} %{buildroot}%{_sharedstatedir}/unbound
-install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf
-
-# install root - we keep a copy of the root key in old location,
-# in case user has changed the configuration and we wouldn't update it there
-install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/
-install -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/unbound/dnssec-root.key
-# make initial key static
-pushd %{buildroot}%{_sharedstatedir}/unbound
-  KEYPATH=$(realpath --relative-to="%{buildroot}%{_sharedstatedir}/unbound" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key")
-  ln -s "$KEYPATH" root.key
-popd
-
-# remove static library from install (fedora packaging guidelines)
-rm %{buildroot}%{_libdir}/*.la
-
-
-%if 0%{with_python2}
-rm %{buildroot}%{python2_sitearch}/*.la
-%endif
-
-%if 0%{with_python3}
-rm %{buildroot}%{python3_sitearch}/*.la
-%endif
-
-mkdir -p %{buildroot}%{_rundir}/unbound
-
-# Install directories for easier config file drop in
-
-mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d}
-install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
-install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
-install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
-
-# Link unbound-control-setup.8 manpage to unbound-control.8
-echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
-
-
-%pre libs
-%sysusers_create_compat %{SOURCE20}
-
-%post
-%systemd_post unbound.service
-%systemd_post unbound-keygen.service
-
-%post anchor
-%systemd_post unbound-anchor.service unbound-anchor.timer
-# start the timer only if installing the package to prevent starting it, if it was stopped on purpose
-if [ "$1" -eq 1 ]; then
-    # the Unit is in presets, but would be started after reboot
-    /bin/systemctl start unbound-anchor.timer >/dev/null 2>&1 || :
-fi
-
-%preun
-%systemd_preun unbound.service
-%systemd_preun unbound-keygen.service
-
-%preun anchor
-%systemd_preun unbound-anchor.service unbound-anchor.timer
-
-%postun
-%systemd_postun_with_restart unbound.service
-%systemd_postun unbound-keygen.service
-
-%postun anchor
-%systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer
-
-%check
-pushd %{dir_primary}
-#pushd pythonmod
-#make test
-#popd
-
-make check
-
-popd
-
-%if 0%{?python_secondary:1}
-pushd %{dir_secondary}
-#pushd pythonmod
-#make test
-#popd
-make check
-popd
-%endif
-
-
-%files
-%doc doc/CREDITS doc/FEATURES
-%{_unitdir}/%{name}.service
-%{_unitdir}/%{name}-keygen.service
-%attr(0755,unbound,unbound) %dir %{_rundir}/%{name}
-%attr(0644,root,root) %{_tmpfilesdir}/unbound.conf
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
-%dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d
-%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d/*.key
-%dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/conf.d
-%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/conf.d/*.conf
-%dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/local.d
-%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/local.d/*.conf
-%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.pem
-%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.key
-%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.pem
-%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key
-%{_sbindir}/unbound
-%{_sbindir}/unbound-checkconf
-%{_sbindir}/unbound-control
-%{_sbindir}/unbound-control-setup
-%{_mandir}/man5/*
-%exclude %{_mandir}/man8/unbound-anchor*
-%{_mandir}/man8/*
-
-%if 0%{with_python2}
-%files -n python2-unbound
-%license pythonmod/LICENSE
-%{python2_sitearch}/*
-%doc libunbound/python/examples/*
-%doc pythonmod/examples/*
-%endif
-
-%if 0%{with_python3}
-%files -n python3-unbound
-%license pythonmod/LICENSE
-%{python3_sitearch}/*
-%doc libunbound/python/examples/*
-%doc pythonmod/examples/*
-%endif
-
-%if 0%{with_munin}
-%files munin
-%doc unbound-munin.README
-%config(noreplace) %{_sysconfdir}/munin/plugin-conf.d/unbound
-%{_datadir}/munin/plugins/unbound*
-%endif
-
-%files devel
-%{_libdir}/libunbound.so
-%{_includedir}/unbound.h
-%{_includedir}/unbound-event.h
-%{_mandir}/man3/*
-%{_libdir}/pkgconfig/*.pc
-
-%files libs
-%doc doc/README
-%license doc/LICENSE
-%attr(0755,root,root) %dir %{_sysconfdir}/%{name}
-%{_sysusersdir}/%{name}.conf
-%{_libdir}/libunbound.so.8*
-%dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
-%config(noreplace) %verify(not link user group) %{_sharedstatedir}/%{name}/root.key
-# just left for backwards compat with user changed unbound.conf files - format is different!
-%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
-%attr(0644,root,root) %config %{_sysconfdir}/%{name}/dnssec-root.key
-
-%files anchor
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
-%{_sbindir}/unbound-anchor
-%{_mandir}/man8/unbound-anchor*
-# icannbundle and root.key(s) should be replaced from package
-# intentionally not using noreplace
-%config %{_sysconfdir}/%{name}/icannbundle.pem
-%{_unitdir}/unbound-anchor.timer
-%{_unitdir}/unbound-anchor.service
-
-%files utils
-%{_sbindir}/unbound-host
-%{_sbindir}/unbound-streamtcp
-%{_mandir}/man1/unbound-*
-
-%changelog
-%autochangelog

unbound.sysconfig

@@ -1,7 +0,0 @@
-# uncomment following line to skip anchor refresh before unbound start
-#DISABLE_UNBOUND_ANCHOR=yes
-# Better way is systemctl mask unbound-anchor.service
-UNBOUND_ANCHOR_OPTIONS="-f /etc/resolv.conf -R"
-
-# for extra debug, add "-v -v" or change verbosity: in unbound.conf
-UNBOUND_OPTIONS=""

unbound.sysusers

@@ -1 +0,0 @@
-u unbound - "Unbound DNS resolver" /var/lib/unbound /sbin/nologin

wouter.nlnetlabs.nl.key

@@ -1,123 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-xsFNBE2v/RwBEACyQpJlpCeSZBV1QUH7jNEp5xGdo6OnX2h9XoZ4ZPsb+u6OT+xE
-SH45ncnISUh8rPCygbeWOoPR/yOBzh+lYoGxQ5iUHtwRrhHq04sQe/qFpXDO2xs6
-1pTcPU2PnH7Rsr2qp6fZLPHuXLolD7NJfaSib8sVeMM0/ecyl/L2bBg9NpaGDX0x
-TQh95M8o6AFo6UKWApBpgsvEZr2aH/B8b9KnCWFhfJyheEM7DamksdZNsKxXQyq3
-l/ROfdsMLZGF8vPbYV/v11G4keyaLpn8AbBpybIiw9SYDwf2ENk3+e1NFfMaiiyE
-qn9+aaLTKCY87TMUuoN3s3jWOOy5tHXzf6DbKhub4Awsby3DH5YpPhi4N2vj2pAX
-Vpl5+m78cH29JLzT+HAoyZ4tq1r3m0P5QogNqYwqxkKWYOjDilNDBiKiDdgtrLYG
-x+ABovKG/FvToJoaCL4AFaVCzWmL2uHkSgyBN0FPHatCB1UeEkcQit6T8E2NQqmF
-WjUMXSWHHajSMG95+L5PdLHz/Ku0o3Csvlt2pkElYZmzJBfnOM9JevdsmKr/ruJC
-/DCZAn5w2S/9ZF5qfo2F9HUKIwE/dChR29HcN8V4nqZs9oCvEMfFhHmrfwDc5hed
-hvb6mAkvSFFtKIrygLIVeWRj3FE9sGp6sr4VwOLYTFRNk7mAsWD1rZApeQARAQAB
-zSdXLkMuQS4gV2lqbmdhYXJkcyA8d291dGVyQG5sbmV0bGFicy5ubD7CwX4EEwEC
-ACgFAk2v/RwCGyMFCQlmAYAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEJ9v
-HC1+BF+N3yoQAIynfrvZ/8RNAv9lLcSc2PX3fvG7oRJEJSy9uMyIbMtb/a1BVCeh
-XjR8GhHJ5D/Z3jRWBQKw1rLLvOqbuBGkpKMR100ZVF4z/8e6CWtTAOFy28f1JQw2
-8kilN7K6vjno21S1JJ1XJAdoFdicyb1SW2r+KYod6fjSyF0lb71od+sdnSE9O/xd
-Cqyyu6cX+AwfDcuJ6Y8iOWu8CeWAz41LR1QBUQkCb/08mVfCEu+Cj+M31jjPDZEy
-UAw219vr4QFe0o3t+Msv0AUZvcRkW6+8qP5lO6I5we/33WBLZH70lhFvYtobM7HO
-MCjheRZguSzvRqEETfTjia1uVi3Yz2qM4CFdJIZF6Er79yKcB3jYquultrnlHdXZ
-/IZsHVRk6JfiqFkz9u1T9PkvMoQ452aUomGTg9xQchnKpe1E8osKgLulaY+izTEq
-Z8pH/HWWJ/YT13/n8pxK9EbC/8SkVhyXNehOSAGDZar+tjVBofgzS8r+GDyv+pBT
-SmjitIrVXZNuhigLp1o7Tvs4kjKlcFnLhfDHJ+yb5JyiZd01bVvaqnfRhACqXfWl
-oC0uslRbegoYwJUgX0BOrsOuHGH2SfGjd/QnA0bcEXM2kp1Dp1gqtcEd5Qitm647
-Yz+leWkhrmMmtTwqumXoAcvgzthJFUPcAzuhXZNfqQJMOGRxAGVI0P97wsF+BBMB
-AgAoAhsjBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCVu+rZAUJDQIVSAAKCRCf
-bxwtfgRfjdrWEACMQK0xYtZtAvLL/8CCcCi92Oi1rtXRGWnRy7JX020hftmWliMq
-4P0F3CJKVLhgZ/ldp8OOqmfDfmwLMVSaCQ86Ubqn7Ofrf8Ku8SGQuIMxY2ODB97h
-ouY4bnDHaM2Cqi6JkBN+G1tgdwqN/kcecF2tq3ql2k7eX91++A+F5ApIu1silzJP
-L4Z8W6MVOdKrtzEM7t61hRlsbpEPj72vbVBZ1hmTiIL4VWwdxQYamxBoOeneskyD
-DG+iMCI3P1GG3EQkk+9Aect/iH9uruE0mxn2aKN8cfuoR93cPF/ozCxS5ItwAVnN
-e39WRO1GT2zYaFgYm0lf9czcpRsRzNbGw938lZ3iPUiZe+ybKgLKkVmvrkM59ljH
-T99SrC14VXxgQwSs4gS3rdzbY9tPps62Z1q+xCVfTx1IY5P4nt59xwQV0Iw+pV9S
-/mVcOnPXl1UKb0ttOdYJErrq3RpF/D2g/NDtL0OWqIa8LvrBlyQYmWPKvKw76vt4
-bJ3NU31jSc0ow/j7EOVjOst86s629zmtnbJjWVr6LOy5EDUPusmqHv1t4Z4RMjf8
-OrJdNbFJoRXZv8FbW4NzXeGtMf8k6vKeejpdMH4+eLuoZG7dchU1JccfgqfwWpy0
-ojmb59drJcaQgVC6Jvw9l0TmGPNIsE4UrIWocaFgv4dOKvHA2hcnMDM8rsLBlQQT
-AQIAPwIbIwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQTt+qPyyk5usFaBr46f
-bxwtfgRfjQUCWaU4BQUJEZjVaQAKCRCfbxwtfgRfjb1YEACjkhtkyZkYURUmSZNL
-2IK/Zencv7DZGRfFrzijROFtHbe//H8o2ZhlyiaFSA/dT1ehjsukkR0oFkYadA+q
-Ui06WpxGmd/jf8hP4yTUZkwOhQAesWoNmnhKePNaVMKY8DP57bA+N2pdCcGu7gUt
-Yzq2JoTAtV+P/PE2w+H9eyBAulv6iUckM5/qvGfJPl8HB9BtgOpGN79otVWO6ebM
-4TQ3cZYI9BDQnt9cF2pviex+z1iLZVJ8UeRxSxYhrBKPJioi0Q1OgcKyO56t7Eot
-zxKl5TzprgvdX4cdls+lehD8StlE2Xv/TScHvdOhJuVBrn3a3QjZPb4qSsz74leW
-5/EIQmozBy+qf8AHcCmTXwb2U7oHOct7cVyS5+bFx+ThpV5OK0rjTH1LMNiuTeAN
-46c1y3prjZRpQUlgVwj06q3Zz/fzDyueUS/r4lW4nAf/VNZy/rTS2HYPoZbHZVCt
-GpDIfag6fV6V97Pd3zfhTf2wmsJsw9Xhktp/o7rMBRSMhvL4oevOXb0JSG2583Q/
-JnCCceB4NxRRxsgkRYHwdnXN9FnOPSa4NyvF4rzpPksLGZrhvm+lBvzVn/e40Q/K
-lxvSlnn2vW/WBM4pBq1jsoJrd/JkTdijZV7mt7HQ2bCLXAPgfZjy7n79WiCQVHg7
-iYnNikiNWR5TR7JcvdkxOdiA/8LBlQQTAQgAPwIbIwYLCQgHAwIGFQgCCQoLBBYC
-AwECHgECF4AWIQTt+qPyyk5usFaBr46fbxwtfgRfjQUCXe4JdQUJGaQN2QAKCRCf
-bxwtfgRfjQ8gEACe+49aDQHRuZdDHK1VCJKzhb+MvfdIjvl8eQxljpG9Uz5Y17Bx
-4SWfuLHCeGlh1m6IOAWeW4g6Wowm1ec1PkVa79TdrkKb0MxfLSat6iDbiuVjDxy2
-bWokW0/cPzJ/FoWDtEC0H9UTAMb5QGBDZUbLuwX7ZjvMkAhH15/hO9Gj4RHoH1RJ
-GJALRtZzjtzsJqL53kW/EV59V1T79Nocyx018iw50Jn02mI8wYJZ9HZc5C7D+K59
-vcqLRZgkrJrObw0sEv3YFOBYp/1DemH2nHPMBSKMmN5RAcr32guUjd4BEWf2Q7Ao
-+Qnhdi161W0YKCW4JAmOoQ4bQ0wfE9Q5aUIGhUF52L+ac8Hy7dByaCExCA/WTqQQ
-/iVPybmpJQhFonWt/fmpxbE2wKThSEOHTO67e5e3JfUb0vNKssyZojao4h1MF5nv
-aPNKoybWwKnpNM0ORcyl+aogKwW7E15TEU0TE5//gAsFwRDcCnSEKnksgM0321m1
-7RDfJbCajIv47DHDYE3yvhRZjCJCaw0Gow1sDRWjdOFpmIixD5/vx5uxyqSHPuGA
-sXlEvl+Z3Rdc5bQ7pAWu7UNpR3hnJPfg8KL2xqOF75VKG9/NjLE80yj8wdVoCfDv
-vizrBtOXnHI49gCMCfNqbGIb5yVhmTdeo7li+Te9hlJ2DrHnujGJlFe+p87BTQRN
-r/0cARAApvDKeVLiSazESdTY9KsSWsqoB38pvOsu25M49tEjc5TtY5LwKNckqkeR
-lJ83O8dFG7UBVuGwLKaf/6OR/pe24upZ27eOOWW7sXvQNv5aXlOYfF+mjIhUINqj
-q4pKDmO1c9J7h5d+auOVfzcgfotg3BVCaKn56ucjiQJ059uUMfgWTvVlibnoJ7de
-Zcgt8v7VcLK9jv+P8QJHTIyDzJd+JjdjuHXqC/A37T5G9Z84x8wYrQY6mZmOIYaM
-jwIKdgFeN+nLk5henARUz4MTFUW4j9hHpuyAFomDQ93/wkHZ9IEChTxdZnfvsd//
-Z45vfcX9dQM+tuR8XCYThVsScI1TnwR46hi5NkfmHo3HVxwB8/owJ+FZDsTNBbJd
-7AVy27Xk4L5hLe7BwLDtFMyOp4lOipCM7//mtFB9mTzqnOwiSSyTRlwGUBJkzQFW
-Qa0Z6bfYwA6+y1dn19H519GW49irtl+2+W8W4N8oLriIjPvqrQOyaELFcRfV6FfL
-i09HPhHVbejOqIEbOtfuN0+mjrrGAwortfTBjfw80N+W90BTvta4K2SyjHcJTkDY
-ehfOo/5IMpGtDsOgvsCbDaFRnNJuYtSqQmvWk1KIPIw6CkdJtZa3+q3YA7D7ovOV
-H1OBTKNdBjc+X4W8L5R9MCymXWvgiP+52Sv1VIcZmsnCBrwK490AEQEAAcLBZQQY
-AQIADwUCTa/9HAIbDAUJCWYBgAAKCRCfbxwtfgRfjTY/D/9+kX8LeqBhwDdwy3ud
-V67KmVmytwGMfzBHbAyBdy84X06ip/If/VkjL+2Sv5Uml/cOOzGZT7y/KEt0uXQz
-gOZhGP5Y0OREf4kSzfb7tsGu3ZjTp5uJe7HiJr8uqYGfx94TQG/A3x1C7MlxOGmW
-DK/Eh/eNVeNd+3yyDEzl2p7a0yUhI8LtzllVrEDX+G4rz+mdDw4tfPDqzRPzPvVt
-PfqnfofHP5r2dshGe7+pCTC+o0jHWpaiFkEiIrR3PbZ9tV6+F5LzCUJJP5nepz6C
-ShpLHq9ST6qZiw5ZpdznHW0kVl96YxgynJq9Y4dqD/8nOfTzdHhXXEogGvRfcxat
-xeZF7YNFhUU2p+CswAjRKCUzZAz0hDAu+dJ+fw4Odx7ii8uiwhEnEHoo8rPETkXw
-UK1je4MCzMRSy0Gippzk/oZ7noIml+Njas/UygavUOQm8bcPqGfWeFqvM2C7ZobL
-2iV0fX/bhEmQyosiWJ0nHuKdwDYygYs/4LtZLxwiKli/lm6IDz1028j6/98Z81gG
-oltXWokTYAPEgcBuhyiSLSQ1wojTVMYt9rPKMBakTzP+0FoWqoNafWOlHovP6iUB
-2Igll2ZT3AvrBQ8jAbRbuUl46QpBaKsl+pBo86az0fRkMxv0N4dQv4Q7Z0g71u9N
-Tpaq1vtAZOwc0kl3uGNK18PnV8LBZQQYAQIADwIbDAUCVu+raQUJDQIVTQAKCRCf
-bxwtfgRfjVnYEACZ1E/FfLDi4vLUd9diImmNN/zWDHxTsO/VG3lt50rSoJM5NGB4
-RlwcbUKhah2fD44FFiIqGIvKD9hRgB51dVRIkaR3ozVtXRBKxJJqWj38wf2FDLtU
-XC5/JHYb0sjAc3ad2sA9xEmEBVO1lWK3J6h4gKZiAGlWz3oeOSve3vrTKsBlP0Cu
-rUeb4WTVpw4drBJD7cDh8SJ4/Cq76UFx8lW0xR+pHZHcd0/Ir5v5HnnEgbnut4Ix
-eY3/CGBfQfSQHylK7ifmPWq+dflC/ZdfHY1V96EHKPM44ZLwiczoY3qp5nkmEc3B
-Y6+P8Ch5gddOYaY18wpedarswnpOLQD2Xbsj66Eh0IZuuuZGyfOqJNaWbP33L27e
-g35XQNTgyhuZmDyRKL6yAbhU74TXCCvze/kkfqDn2ouCtM8/kqLX1v0+NkBxlhZU
-kTTVDyclZtwu6Vypus3+j2Zqk8sXeUZI64sjXpzwOcMZxdl3QuyxMktExWzk9Q5D
-YqO+pj/YGt1vp2M0YgSUWNWCvfBcjEPFgaljyqz3BdvR/LYohnXuQL9SWObF+sIF
-c9D0w/yORYQcKP5kSWVC/qwFdC61OGeSDnQ/0o0T5PefhYS82gsIrjQ+HIJ7CLUT
-k7kBNljvtfpoWegH02feR0kSRoCXA6x+YHT4fmB41pW8S1V5a5dEltA/JMLBfAQY
-AQIAJgIbDBYhBO36o/LKTm6wVoGvjp9vHC1+BF+NBQJZpTgKBQkRmNVuAAoJEJ9v
-HC1+BF+NyNQP/A3h+cOOkYUxyKpNHdtlIfCn8db5tHXSCbE19Qi7EK1SiK5atjo+
-VoRtB+L01kH6GCx5oZjeIhUdzYFwEUsdCDgwD6r0dKFwKIGa4TFcfnx+Z5B+HZgL
-Yc6ac5PEHF1qZVXZH9GSGeNw5h2yyqf4yhvetSN6L2id14m5XXJV5e7NfOgmaSnG
-0Z+wQvPSiu+Q00XpENT8HFSTSCjRATjk12rpy6TPeeC52NK1gLhGDRHN0k6m+vm4
-yoC+Nd6iPQpnc+5xs7NDnq2dFuSTp7UTGebzPhhdSQgujEFuYLwzQMZu1h5amtA+
-v9j7BYEJkOMC7bm1PNNA2QQ6QfH8Hf+mJeINyJO8A5KS3ceP+eo3SLR8T0hPzu9g
-ZuZ22Hn3DXQh1VNRshaLKgNvoXpL3dQ48d1SFFKhEDpy2HSXUq2fs5rH0uszFGes
-G7K6EQRAYRcDrCkt9fdfkvCSxAFw9d+472xThzgKcN+MkOec+SaY+xlVULjEfCWy
-RVC8Opam4mTm/XT4mVLxP/qnsy7kEhLoc/ouB+lY/ks06LpZJvCXL6WfA9You1Fi
-1Mg7GhSh9JKg6X6E8Trm+N4dxJGut1xbbGmmKXqfi4pej9KlkdeM9t1df/vWKlPa
-7Hzd8H0btgJx066wC4yt0ghxtsJXBsCDxWLfzaSRZ2/eP16mHqxDjsQQwsF8BBgB
-CAAmAhsMFiEE7fqj8spObrBWga+On28cLX4EX40FAl3uCX0FCRmkDeEACgkQn28c
-LX4EX43TQA/+JV8ReMRJCn3Cfqbe5ycFn8p6dIVnJiQuhiEyu5yzdpSkKyzcVFJO
-bQcqw7s50FJuLUbxdvbcuGIaoTu7dhBoUXO5tOuIQAsKTfGfgoOgelJm+/q2h645
-EnAVINGbMDXrmo4/UFJkNjUMA6SQi/yiam7N0y58eoDC4sGmBKuN2EW2MoWahlXw
-8SS1+Ab9qVBs/RqbSy6f1nJL39aPpPDmvyJOSYtHnNSFlYWVhr0zGAi5rnswlFGr
-ECGbHpr5FajUK7zcmtNPbi7F30K48xfF3XnDIeIBcerrEBQMaPUZcBlddGhmSVVJ
-ZU/YhR35JNgPnmp33gOuZaRiW9lauZFwsMQBIBkLpJWoUtu8QLkyC0HmJzVRep0/
-s1RkzaJ+1G1BzXTQiXaLaUQWG5h3pcMD8fxY5qp9KbG/+10bY0sRbRBXgS6mz7dd
-HaBtg/E8ty2nEB1HDXA9HAHu7KlH9e96sPZjz9C46ZiOXe6ZAOk6wBYts4RG4bCQ
-9pGORJ+P2Jr2pz1NZQbs1AhnjJixTsfZfsGZ5lHxGLjIyxtdGB/irLEqNTIMek2y
-p4CShmWoZwN0V3aGYMe/rC4tSXG79IeKNwF3Vd5MHtB+hcJG2qztBtKQuW29rbRA
-5bNxwTWe8skwOKsxXnP9RC974k0XkPS+VwgmVgNN1ewS/0oHvmEP71Q=
-=Oqje
------END PGP PUBLIC KEY BLOCK-----