From 081333f107eb25b558fb882daf3b7b56ffcd9b92 Mon Sep 17 00:00:00 2001
From: Paul Wouters
Date: Aug 09 2022 17:20:52 +0000
Subject: Merge branch 'f36' into f35
---
diff --git a/.gitignore b/.gitignore
index dbd8714..7bd5a0c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -67,6 +67,8 @@ unbound-1.4.5.tar.gz
 /unbound-1.13.1.tar.gz.asc
 /unbound-1.13.2.tar.gz
 /unbound-1.13.2.tar.gz.asc
+/unbound-1.15.0.tar.gz
+/unbound-1.15.0.tar.gz.asc
 /unbound-1.16.0.tar.gz
 /unbound-1.16.0.tar.gz.asc
 /unbound-1.16.2.tar.gz
diff --git a/unbound-anchor.service b/unbound-anchor.service
index cd949e5..59683c8 100644
--- a/unbound-anchor.service
+++ b/unbound-anchor.service
@@ -5,5 +5,6 @@ Documentation=man:unbound-anchor(8)
 [Service]
 Type=oneshot
 User=unbound
-ExecStart=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R
+EnvironmentFile=-/etc/sysconfig/unbound
+ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi'
 SuccessExitStatus=1
diff --git a/unbound.conf b/unbound.conf
index 977d39f..2d7d6a7 100644
--- a/unbound.conf
+++ b/unbound.conf
@@ -185,6 +185,10 @@ server:
 # perform connect for UDP sockets to mitigate ICMP side channel.
 # udp-connect: yes
 
+ # The number of retries, per upstream nameserver in a delegation, when
+ # a throwaway response (also timeouts) is received.
+ # outbound-msg-retry: 5
+
 # msec for waiting for an unknown server to reply. Increase if you
 # are behind a slow satellite link, to eg. 1128.
 # unknown-server-time-limit: 376
@@ -216,6 +220,9 @@ server:
 # minimum wait time for responses, increase if uplink is long. In msec.
 # infra-cache-min-rtt: 50
 
+ # maximum wait time for responses. In msec.
+ # infra-cache-max-rtt: 120000
+
 # enable to make server probe down hosts more frequently.
 # infra-keep-probing: no
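Review bot: The rewritten ExecStart no longer passes `-a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem` and depends entirely on `$UNBOUND_ANCHOR_OPTIONS` from an EnvironmentFile declared optional by its leading `-`; if /etc/sysconfig/unbound is missing, or is an admin-edited copy preserved by `%config(noreplace)` that predates the new variable, unbound-anchor runs with an empty argument list and whatever key and certificate paths were compiled in, which this unit no longer pins. Keeping the paths in the unit and reserving the variable for tunable flags avoids that: `... else /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem $UNBOUND_ANCHOR_OPTIONS; fi'`. The default `UNBOUND_ANCHOR_OPTIONS="-f /etc/resolv.conf -R"` added in the unbound.sysconfig hunk then stays as it is.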
@@ -393,9 +400,6 @@ server:
 # enable to not answer version.server and version.bind queries.
 # hide-version: no
 
- # enable to not set the User-Agent HTTP header.
- # hide-http-user-agent: no
-
 # enable to not answer trustanchor.unbound queries.
 # hide-trustanchor: no
 
@@ -697,6 +701,7 @@ server:
 # local-zone: "localhost." nodefault
 # local-zone: "127.in-addr.arpa." nodefault
 # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
+ # local-zone: "home.arpa." nodefault
 # local-zone: "onion." nodefault
 # local-zone: "test." nodefault
 # local-zone: "invalid." nodefault
@@ -844,6 +849,8 @@ server:
 
 # Add system certs to the cert bundle, from the Windows Cert Store
 # tls-win-cert: no
+ # and on other systems, the default openssl certificates
+ # tls-system-cert: no
 
 # Pad queries over TLS upstreams
 # pad-queries: yes
@@ -893,6 +900,10 @@ server:
 # 0 blocks when ratelimited, otherwise let 1/xth traffic through
 # ratelimit-factor: 10
 
+ # Aggressive rate limit when the limit is reached and until demand has
+ # decreased in a 2 second rate window.
+ # ratelimit-backoff: no
+
 # override the ratelimit for a specific domain name.
 # give this setting multiple times to have multiple overrides.
 # ratelimit-for-domain: example.com 1000
@@ -913,6 +924,10 @@ server:
 # 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through
 # ip-ratelimit-factor: 10
 
+ # Aggressive rate limit when the limit is reached and until demand has
+ # decreased in a 2 second rate window.
+ # ip-ratelimit-backoff: no
+
 # Limit the number of connections simultaneous from a netblock
 # tcp-connection-limit: 192.0.2.0/24 12
 
@@ -922,6 +937,14 @@ server:
 # the number of servers that will be used in the fast server selection.
 # fast-server-num: 3
 
+ # Enable to attach Extended DNS Error codes (RFC8914) to responses.
+ ede: yes
+
+ # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale
+ # Answer as EDNS0 option to expired responses.
+ # Note that the ede option above needs to be enabled for this to work.
+ ede-serve-expired: yes
+
 # Specific options for ipsecmod. Unbound needs to be configured with
 # --enable-ipsecmod for these to take effect.
 #
@@ -1033,6 +1056,7 @@ include: /etc/unbound/conf.d/*.conf
 # stub-addr: 192.0.2.68
 # stub-prime: no
 # stub-first: no
+# stub-tcp-upstream: no
 # stub-tls-upstream: no
 # stub-no-cache: no
 # stub-zone:
@@ -1054,6 +1078,7 @@ include: /etc/unbound/conf.d/*.conf
 # forward-addr: 192.0.2.68
 # forward-addr: 192.0.2.73@5355 # forward to port 5355.
 # forward-first: no
+# forward-tcp-upstream: no
 # forward-tls-upstream: no
 # forward-no-cache: no
 # forward-zone:
@@ -1124,6 +1149,7 @@ auth-zone:
 # another crypto library
 #
 # DNSCrypt
+# o enable, use --enable-dnscrypt to configure before compiling.
 # Caveats:
 # 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper
 # for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
@@ -1144,7 +1170,9 @@ auth-zone:
 # dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert
 
 # CacheDB
-# Enable external backend DB as auxiliary cache. Specify the backend name
+# External backend DB as auxiliary cache.
+# To enable, use --enable-cachedb to configure before compiling.
+# Specify the backend name
 # (default is "testframe", which has no use other than for debugging and
 # testing) and backend-specific options. The 'cachedb' module must be
 # included in module-config, just before the iterator module.
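Review bot: `ede-serve-expired: yes` is switched on together with `ede: yes`, but the changelog entry in the unbound.spec hunk only lists enabling Extended DNS Error codes, and the comment right above says the option tags expired responses, which presumably only exist if serve-expired is enabled elsewhere in the file (outside this hunk). If only the RFC 8914 codes are intended, leave it as `# ede-serve-expired: yes` like the surrounding example options; if both are intended, add a changelog line for it. A comment such as `# Enabled by the Fedora package; see the changelog for 1.16.2-3.` above `ede: yes` would also keep the local deviation visible on the next upstream sync.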
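Review bot: The added line `# o enable, use --enable-dnscrypt to configure before compiling.` looks like a typo for `# To enable, use --enable-dnscrypt to configure before compiling.`, which is the wording this same commit uses for cachedb (`# To enable, use --enable-cachedb to configure before compiling.`) and ipset. Since unbound.conf is being synced from upstream, the fix should land upstream as well or the next sync will bring the typo back.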
@@ -1154,6 +1182,7 @@ auth-zone:
 # secret-seed: "default"
 #
 # # For "redis" backend:
+# # (to enable, use --with-libhiredis to configure before compiling)
 # # redis server's IP address or host name
 # redis-server-host: 127.0.0.1
 # # redis server's TCP port
@@ -1165,7 +1194,9 @@ auth-zone:
 
 # IPSet
 # Add specify domain into set via ipset.
-# Note: To enable ipset Unbound needs to run as root user.
+# To enable:
+# o use --enable-ipset to configure before compiling;
+# o Unbound then needs to run as root user.
 # ipset:
 # # set name for ip v4 addresses
 # name-v4: "list-v4"
@@ -1173,9 +1204,10 @@ auth-zone:
 # name-v6: "list-v6"
 
 #
-# Dnstap logging support, if compiled in. To enable, set the dnstap-enable
-# to yes and also some of dnstap-log-..-messages to yes. And select an
-# upstream log destination, by socket path, TCP or TLS destination.
+# Dnstap logging support, if compiled in by using --enable-dnstap to configure.
+# To enable, set the dnstap-enable to yes and also some of
+# dnstap-log-..-messages to yes. And select an upstream log destination, by
+# socket path, TCP or TLS destination.
 # dnstap:
 # dnstap-enable: no
 # # if set to yes frame streams will be used in bidirectional mode
diff --git a/unbound.service b/unbound.service
index c59ffbf..ffaf783 100644
--- a/unbound.service
+++ b/unbound.service
@@ -3,7 +3,8 @@ Description=Unbound recursive Domain Name Server
 After=network-online.target
 After=unbound-keygen.service
 Wants=unbound-keygen.service
-Wants=unbound-anchor.timer
+After=unbound-anchor.service
+Wants=unbound-anchor.service
 Before=nss-lookup.target
 Wants=nss-lookup.target
 
@@ -11,7 +12,6 @@ Wants=nss-lookup.target
 Type=simple
 EnvironmentFile=-/etc/sysconfig/unbound
 ExecStartPre=/usr/sbin/unbound-checkconf
-ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_UNBOUND_ANCHOR" == "yes" ]; then /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R; else echo "Updates of root keys with unbound-anchor is disabled"; fi'
 ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
 ExecReload=/usr/sbin/unbound-control reload
 
diff --git a/unbound.spec b/unbound.spec
index 47c7d46..859792e 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.16.2
-Release: 2%{?extra_version:.%{extra_version}}%{?dist}
+Release: 3%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://nlnetlabs.nl/projects/unbound/
 Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
@@ -88,6 +88,8 @@ BuildRequires: systemd
 # Needed because /usr/sbin/unbound links unbound libs staticly
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Requires: %{name}-anchor%{?_isa} = %{version}-%{release}
+Recommends: %{name}-utils%{?_isa} = %{version}-%{release}
 # unbound-keygen.service requires it, bug #2116790
 Requires: openssl
@@ -123,14 +125,31 @@ The devel package contains the unbound library and the include files
 
 %package libs
 Summary: Libraries used by the unbound server and client applications
-Requires(pre): shadow-utils
+Recommends: %{name}-anchor
 %if ! 0%{with_python2}
 # Make explicit conflict with no longer provided python package
 Obsoletes: python2-unbound < 1.9.3
 %endif
 
 %description libs
-Contains libraries used by the unbound server and client applications
+Contains libraries used by the unbound server and client applications.
+
+%package anchor
+Requires(pre): shadow-utils
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Summary: DNSSEC trust anchor maintaining tool
+
+%description anchor
+Contains tool maintaining trust anchor using RFC 5011 key rollover algorithm.
+
+%package utils
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Summary: Unbound DNS lookup utilities
+
+%description utils
+Contains tools for making DNS queries. Can make queries to DNS servers
+also over TLS connection or validate DNSSEC signatures. Similar to
+bind-utils.
 
 %if 0%{with_python2}
 %package -n python2-unbound
@@ -319,7 +338,7 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
 
 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
 
-%pre libs
+%pre anchor
 getent group unbound >/dev/null || groupadd -r unbound
 getent passwd unbound >/dev/null || \
 useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \
@@ -329,7 +348,7 @@ useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \
 %systemd_post unbound.service
 %systemd_post unbound-keygen.service
 
-%post libs
+%post anchor
 %systemd_post unbound-anchor.timer
 # start the timer only if installing the package to prevent starting it, if it was stopped on purpose
 if [ "$1" -eq 1 ]; then
@@ -341,7 +360,7 @@ fi
 %systemd_preun unbound.service
 %systemd_preun unbound-keygen.service
 
-%preun libs
+%preun anchor
 %systemd_preun unbound-anchor.timer
 
 %postun
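Review bot: `%files libs` (the @@ -434 hunk further down) still ships `%dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}` and `%attr(0644,unbound,unbound) %config %{_sharedstatedir}/%{name}/root.key`, yet this hunk moves `Requires(pre): shadow-utils` and the `%pre` that creates the unbound user and group into the new anchor subpackage and leaves libs with only `Recommends: %{name}-anchor`; a weak dependency neither guarantees that anchor is installed at all nor that its `%pre` runs before libs is unpacked, so a libs-only install (weak deps disabled, or a consumer that only needs libunbound) lays those paths down while the user does not exist, which rpm typically resolves by falling back to root ownership with a warning. Either move the two unbound-owned `%{_sharedstatedir}/%{name}` entries into `%files anchor`, whose `%pre` creates the user, or keep `Requires(pre): shadow-utils` together with the user creation in libs. The new utils subpackage is unaffected since it ships no user-owned files.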
@@ -378,7 +397,6 @@ popd
 %attr(0755,unbound,unbound) %dir %{_rundir}/%{name}
 %attr(0644,root,root) %{_tmpfilesdir}/unbound.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
 %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d
 %attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d/*.key
 %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/conf.d
@@ -393,9 +411,6 @@ popd
 %{_sbindir}/unbound-checkconf
 %{_sbindir}/unbound-control
 %{_sbindir}/unbound-control-setup
-%{_sbindir}/unbound-host
-%{_sbindir}/unbound-streamtcp
-%{_mandir}/man1/*
 %{_mandir}/man5/*
 %exclude %{_mandir}/man8/unbound-anchor*
 %{_mandir}/man8/*
@@ -434,20 +449,34 @@ popd
 %doc doc/README
 %license doc/LICENSE
 %attr(0755,root,root) %dir %{_sysconfdir}/%{name}
-%{_sbindir}/unbound-anchor
 %{_libdir}/libunbound.so.*
+%dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
+%attr(0644,unbound,unbound) %config %{_sharedstatedir}/%{name}/root.key
+# just left for backwards compat with user changed unbound.conf files - format is different!
+%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
+
+%files anchor
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
+%{_sbindir}/unbound-anchor
 %{_mandir}/man8/unbound-anchor*
 # icannbundle and root.key(s) should be replaced from package
 # intentionally not using noreplace
 %config %{_sysconfdir}/%{name}/icannbundle.pem
 %{_unitdir}/unbound-anchor.timer
 %{_unitdir}/unbound-anchor.service
-%dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
-%attr(0644,unbound,unbound) %config %{_sharedstatedir}/%{name}/root.key
-# just left for backwards compat with user changed unbound.conf files - format is different!
-%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
+
+%files utils
+%{_sbindir}/unbound-host
+%{_sbindir}/unbound-streamtcp
+%{_mandir}/man1/unbound-*
 
 %changelog
+* Tue Aug 09 2022 Paul Wouters - 1.16.2-3
+- sync up to upstream unbound.conf
+- Enable Extended DNS Error codes (RFC8914)
+- Move unbound-anchor to separate package
+- Move unbound-host and unbound-streamtcp to unbound-utils package
+
 * Tue Aug 09 2022 Petr Menšík - 1.16.2-2
 - Require openssl tool for unbound-keygen (#2116790)
 
diff --git a/unbound.sysconfig b/unbound.sysconfig
index fae3306..adcf8fd 100644
--- a/unbound.sysconfig
+++ b/unbound.sysconfig
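Review bot: The comment pair `# icannbundle and root.key(s) should be replaced from package` / `# intentionally not using noreplace` now sits in `%files anchor` above `icannbundle.pem` alone, while the two root.key entries it describes moved into the libs list above without the explanation. Split it so each list documents its own files: keep `# icannbundle should be replaced from package - intentionally not using noreplace` here and put `# root.key(s) should be replaced from package - intentionally not using noreplace` above the `%{_sharedstatedir}/%{name}/root.key` line in libs. The changelog entry could also mention that unbound user creation and /etc/sysconfig/unbound moved from unbound-libs to unbound-anchor, since both affect upgrades.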
@@ -1,3 +1,7 @@
-# for extra debug, add "-v -v" or change verbosity: in unbound.conf
+# uncomment following line to skip anchor refresh before unbound start
+#DISABLE_UNBOUND_ANCHOR=yes
+# Better way is systemctl mask unbound-anchor.service
+UNBOUND_ANCHOR_OPTIONS="-f /etc/resolv.conf -R"
+# for extra debug, add "-v -v" or change verbosity: in unbound.conf
 UNBOUND_OPTIONS=""
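Review bot: The comments do not say what `UNBOUND_ANCHOR_OPTIONS` is or who reads it, and `# Better way is systemctl mask unbound-anchor.service` placed directly under `#DISABLE_UNBOUND_ANCHOR=yes` reads as a continuation of that line rather than an alternative to it. Suggested wording: `# Set DISABLE_UNBOUND_ANCHOR=yes to skip the trust anchor refresh before unbound starts;` / `# masking the unit (systemctl mask unbound-anchor.service) is the preferred way to do this.` and, above the variable, `# Extra arguments appended to the unbound-anchor(8) command line by unbound-anchor.service.` That unit expands the value unquoted inside `bash -c`, so it is word-split and a path containing spaces cannot be passed this way, which is worth stating here as well.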