unbound/unbound-fedora-config.patch
Fedor Vorobev c80eb42b5f Update to 1.25.1
This release contains fixes for 11 CVEs.
See https://nlnetlabs.nl/projects/unbound/security-advisories/ for
additional information.

Resolves: RHEL-177800
Resolves: RHEL-177821
Resolves: RHEL-177919
Resolves: RHEL-184834
Resolves: RHEL-186687
Resolves: RHEL-187093
Resolves: RHEL-187343
Resolves: RHEL-191732
Resolves: RHEL-191734
Resolves: RHEL-191737
Resolves: RHEL-191739

Resolves-Vulnerability: CVE-2026-42959
Resolves-Vulnerability: CVE-2026-33278
Resolves-Vulnerability: CVE-2026-42944
Resolves-Vulnerability: CVE-2026-40622
Resolves-Vulnerability: CVE-2026-44390
Resolves-Vulnerability: CVE-2026-42534
Resolves-Vulnerability: CVE-2026-41292
Resolves-Vulnerability: CVE-2026-32792
Resolves-Vulnerability: CVE-2026-42923
Resolves-Vulnerability: CVE-2026-42960
Resolves-Vulnerability: CVE-2026-44608
2026-07-03 11:04:44 +02:00

114 lines
4.1 KiB
Diff

From b57a1fbfb38399a40f6bde25dd49c82468e97298 Mon Sep 17 00:00:00 2001
From: Tomas Korbar <tkorbar@redhat.com>
Date: Tue, 4 Feb 2025 09:48:12 +0100
Subject: [PATCH] Customize unbound.conf for Fedora defaults
Set some Fedora/RHEL specific changes to example configuration file. By
patching upstream provided config file we would not need to manually
update external copy in source RPM.
---
doc/example.conf.in | 33 +++++++++++++++++++++++++++++++--
1 file changed, 31 insertions(+), 2 deletions(-)
diff --git a/unbound-1.25.1/doc/example.conf.in b/unbound-1.25.1/doc/example.conf.in
index 2c6d63409..d722fc4dd 100644
--- a/unbound-1.25.1/doc/example.conf.in
+++ b/unbound-1.25.1/doc/example.conf.in
@@ -51,11 +51,19 @@ server:
# specify 0.0.0.0 and ::0 to bind to all available interfaces.
# specify every interface[@port] on a new 'interface:' labelled line.
# The listen interfaces are not changed on reload, only on restart.
+ # interface: 0.0.0.0
+ # interface: ::0
# interface: 192.0.2.153
# interface: 192.0.2.154
# interface: 192.0.2.154@5003
# interface: 2001:db8::5
# interface: eth0@5003
+ #
+ # for dns over tls and raw dns over port 80
+ # interface: 0.0.0.0@443
+ # interface: ::0@443
+ # interface: 0.0.0.0@80
+ # interface: ::0@80
# enable this feature to copy the source address of queries to reply.
# Socket options are not supported on all platforms. experimental.
@@ -298,6 +306,8 @@ server:
# nat64-prefix: 64:ff9b::0/96
# Enable UDP, "yes" or "no".
+ # NOTE: if setting up an Unbound on tls443 for public use, you might want to
+ # disable UDP to avoid being used in DNS amplification attacks.
# do-udp: yes
# Enable TCP, "yes" or "no".
@@ -333,6 +343,9 @@ server:
# can be dropped. Default is 0, disabled. In seconds, such as 3.
# sock-queue-timeout: 0
+ # Fedora note: do not activate this - not compiled in because
+ # it causes frequent unbound crashes. Also, socket activation
+ # is bad when you have things like dnsmasq also running with libvirt.
# Use systemd socket activation for UDP, TCP, and control sockets.
# use-systemd: no
@@ -927,6 +940,8 @@ server:
# you need to do the reverse notation yourself.
# local-data-ptr: "192.0.2.3 www.example.com"
+ include: /etc/unbound/local.d/*.conf
+
# tag a localzone with a list of tag names (in "" with spaces between)
# local-zone-tag: "example.com" "tag2 tag3"
@@ -953,8 +968,8 @@ server:
# the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
# Give the certificate to use and private key.
# default is "" (disabled). requires restart to take effect.
- # tls-service-key: "path/to/privatekeyfile.key"
- # tls-service-pem: "path/to/publiccertfile.pem"
+ # tls-service-key: "/etc/unbound/unbound_server.key"
+ # tls-service-pem: "/etc/unbound/unbound_server.pem"
# tls-port: 853
# https-port: 443
# quic-port: 853
@@ -1212,6 +1227,12 @@ remote-control:
# unbound-control certificate file.
# control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
+# Default Fedora settings
+include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf"
+
+# Stub and Forward zones
+include: "@sysconfdir@/unbound/conf.d/*.conf"
+
# Stub zones.
# Create entries like below, to make all queries for 'example.com' and
# 'example.org' go to the given list of nameservers. list zero or more
@@ -1232,6 +1253,10 @@ remote-control:
# name: "example.org"
# stub-host: ns.example.com.
+# You can now also dynamically create and delete stub-zone's using
+# unbound-control stub_add domain.com 1.2.3.4 5.6.7.8
+# unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8
+
# Forward zones
# Create entries like below, to make all queries for 'example.com' and
# 'example.org' go to the given list of servers. These servers have to handle
@@ -1249,6 +1274,10 @@ remote-control:
# forward-zone:
# name: "example.org"
# forward-host: fwd.example.com
+#
+# You can now also dynamically create and delete forward-zone's using
+# unbound-control forward_add domain.com 1.2.3.4 5.6.7.8
+# unbound-control forward_remove domain.com 1.2.3.4 5.6.7.8
# Authority zones
# The data for these zones is kept locally, from a file or downloaded.
--
2.54.0