From be41633bf08c03220fb95929e2aa80732df562a0 Mon Sep 17 00:00:00 2001
From: Paul Wouters
Date: Sep 27 2016 23:26:26 +0000
Subject: * Tue Sep 27 2016 Paul Wouters - 1.5.10-1
- Updated to 1.5.10 (better TCP handling, bugfixes)
- Install pkgconfig file in -devel package
- Updated unbound.conf
---
diff --git a/unbound.conf b/unbound.conf
index 4c92332..5b9c8d7 100644
--- a/unbound.conf
+++ b/unbound.conf
@@ -1,7 +1,7 @@
 #
 # Example configuration file.
 #
-# See unbound.conf(5) man page, version 1.5.8.
+# See unbound.conf(5) man page, version 1.5.10.
 #
 # this is a comment.
@@ -69,6 +69,15 @@ server:
 # outgoing-interface: 2001:DB8::5
 # outgoing-interface: 2001:DB8::6
+ # Specify a netblock to use remainder 64 bits as random bits for
+ # upstream queries. Uses freebind option (Linux).
+ # outgoing-interface: 2001:DB8::/64
+ # Also (Linux:) ip -6 addr add 2001:db8::/64 dev lo
+ # And: ip -6 route add local 2001:db8::/64 dev lo
+ # And set prefer-ip6: yes to use the ip6 randomness from a netblock.
+ # Set this to yes to prefer ipv6 upstream servers over ipv4.
+ # prefer-ip6: no
+
 # number of ports to allocate per thread, determines the size of the
 # port range that can be open simultaneously. About double the
 # num-queries-per-thread, or, use as many as the OS will allow you.
@@ -84,6 +93,8 @@ server:
 # Use this to make sure unbound does not grab a UDP port that some
 # other server on this computer needs. The default is to avoid
 # IANA-assigned port numbers.
+ # If multiple outgoing-port-permit and outgoing-port-avoid options
+ # are present, they are processed in order.
 # Our SElinux policy does not allow non-ephemeral ports to be used
 outgoing-port-avoid: 0-32767
@@ -109,6 +120,11 @@ server:
 # (uses IP_BINDANY on FreeBSD).
 ip-transparent: yes
+ # use IP_FREEBIND so the interface: addresses can be non-local
+ # and you can bind to nonexisting IPs and interfaces that are down.
+ # Linux only. On Linux you also have ip-transparent that is similar.
+ # ip-freebind: no
+
 # EDNS reassembly buffer to advertise to UDP peers (the actual buffer
 # is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
 # edns-buffer-size: 4096
@@ -175,6 +191,10 @@ server:
 # the maximum number of hosts that are cached (roundtrip, EDNS, lame).
 # infra-cache-numhosts: 10000
+ # define a number of tags here, use with local-zone, access-control.
+ # repeat the define-tag statement to add additional tags.
+ # define-tag: "tag1 tag2 tag3"
+
 # Enable IPv4, "yes" or "no".
 # do-ip4: yes
@@ -217,6 +237,20 @@ server:
 # access-control: ::1 allow
 # access-control: ::ffff:127.0.0.1 allow
+ # tag access-control with list of tags (in "" with spaces between)
+ # Clients using this access control element use localzones that
+ # are tagged with one of these tags.
+ # access-control-tag: 192.0.2.0/24 "tag2 tag3"
+
+ # set action for particular tag for given access control element
+ # if you have multiple tag values, the tag used to lookup the action
+ # is the first tag match between access-control-tag and local-zone-tag
+ # where "first" comes from the order of the define-tag values.
+ # access-control-tag-action: 192.0.2.0/24 tag3 refuse
+
+ # set redirect data for particular tag for access control element
+ # access-control-tag-data: 192.0.2.0/24 tag2 "A 127.0.0.1"
+
 # if given, a chroot(2) is done to the given directory.
 # i.e. you can chroot to the working directory, for example,
 # for extra security, but make sure all files are in that directory.
@@ -251,6 +285,8 @@ server:
 # the working directory. The relative files in this config are
 # relative to this directory. If you give "" the working directory
 # is not changed.
+ # If you give a server: directory: dir before include: file statements
+ # then those includes can be relative to the working directory.
 directory: "/etc/unbound"
 # the log file, "" means log to stderr.
@@ -332,12 +368,12 @@ server:
 # Use 0x20-encoded random bits in the query to foil spoof attempts.
 # This feature is an experimental implementation of draft dns-0x20.
- # (enabling used to cause some failures, like on GoDaddy customer domains)
 # use-caps-for-id: no
 # Domains (and domains in them) without support for dns-0x20 and
 # the fallback fails because they keep sending different answers.
 # caps-whitelist: "licdn.com"
+ # caps-whitelist: "senderbase.org"
 # Enforce privacy of these addresses. Strips them away from answers.
 # It may cause DNSSEC validation to additionally mark it as bogus.
@@ -385,6 +421,9 @@ server:
 # into response messages when those sections are not required.
 minimal-responses: yes
+ # true to disable DNSSEC lameness check in iterator.
+ # disable-dnssec-lame-check: no
+
 # module configuration of the server. A string with identifiers
 # separated by spaces. Syntax: "[dns64] [validator] iterator"
 # module-config: "validator iterator"
@@ -410,11 +449,6 @@ server:
 # Note this gets out of date, use auto-trust-anchor-file please.
 # trust-anchor-file: ""
- # File with trusted keys, kept uptodate using RFC5011 probes,
- # initial file like trust-anchor-file, then it stores metadata.
- # Use several entries, one per domain name, to track multiple zones.
- # auto-trust-anchor-file: ""
-
 # Trusted key for validation. DS or DNSKEY. specify the RR on a
 # single line, surrounded by "". TTL is ignored. class is IN default.
 # Note this gets out of date, use auto-trust-anchor-file please.
@@ -429,7 +463,6 @@ server:
 # you need external update procedures to track changes in keys.
 # trusted-keys-file: ""
 #
- # trusted-keys-file: /etc/unbound/rootkey.bind
 trusted-keys-file: /etc/unbound/keys.d/*.key
 auto-trust-anchor-file: "/var/lib/unbound/root.key"
@@ -490,7 +523,8 @@ server:
 # If the value 0 is given, missing anchors are not removed.
 # keep-missing: 31622400 # 366 days
- # debug option that allows very small holddown times for key rollover
+ # debug option that allows very small holddown times for key rollover,
+ # otherwise the RFC mandates probe intervals must be at least 1 hour.
 # permit-small-holddown: no
 # the amount of memory to use for the key cache.
@@ -549,7 +583,7 @@ server:
 # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
 # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
- # if unbound is running service for the local host then it is useful
+ # If unbound is running service for the local host then it is useful
 # to perform lan-wide lookups to the upstream, and unblock the
 # long list of local-zones above. If this unbound is a dns server
 # for a network of computers, disabled is better and stops information
@@ -572,6 +606,8 @@ server:
 # o typetransparent resolves normally for other types and other names
 # o inform resolves normally, but logs client IP address
 # o inform_deny drops queries and logs client IP address
+ # o always_transparent, always_refuse, always_nxdomain, resolve in
+ # that way but ignore local data for that name.
 #
 # defaults are localhost address, reverse for 127.0.0.1 and ::1
 # and nxdomain for AS112 zones. If you configure one of these zones
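Review bot: `auto-trust-anchor-file: "/var/lib/unbound/root.key"` in the @@ -429 hunk is now the only place the shipped file mentions that directive, because the @@ -410 hunk on the previous line drops the comment block that explained it (RFC 5011 probing, key metadata stored back into the file). That leaves an operator with no hint that unbound itself rewrites root.key, which is presumably why it lives under /var/lib rather than /etc; suggest restoring the gist directly above the active line, e.g. `# RFC 5011 tracked root trust anchor; unbound probes for key rollovers and` / `# writes the resulting key metadata back into this file.` If the upstream example now describes the directive elsewhere in the file, a one-line pointer to that spot would do instead. The adjacent `trusted-keys-file: /etc/unbound/keys.d/*.key` glob is presumably the static-anchor counterpart (the context above it says key changes need external update procedures) and would benefit from the same one-line explanation.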
@@ -600,13 +636,19 @@ server:
 include: /etc/unbound/local.d/*.conf
+ # tag a localzone with a list of tag names (in "" with spaces between)
+ # local-zone-tag: "example.com" "tag2 tag3"
+
+ # add a netblock specific override to a localzone, with zone type
+ # local-zone-override: "example.com" 192.0.2.0/24 refuse
+
 # service clients over SSL (on the TCP sockets), with plain DNS inside
 # the SSL stream. Give the certificate to use and private key.
 # default is "" (disabled). requires restart to take effect.
 # ssl-service-key: "/etc/unbound/unbound_server.key"
 # ssl-service-pem: "/etc/unbound/unbound_server.pem"
 # ssl-port: 443
-
+ #
 # request upstream over SSL (with plain DNS inside the SSL stream).
 # Default is no. Can be turned on and off with unbound-control.
 # ssl-upstream: no
@@ -633,7 +675,7 @@ server:
 # ratelimit-for-domain: example.com 1000
 # override the ratelimits for all domains below a domain name
 # can give this multiple times, the name closest to the zone is used.
- # ratelimit-below-domain: example 1000
+ # ratelimit-below-domain: com 1000
 # Python config section. To enable:
 # o use --with-pythonmodule to configure before compiling.
@@ -675,7 +717,6 @@ remote-control:
 control-cert-file: "/etc/unbound/unbound_control.pem"
 # Stub and Forward zones
-
 include: /etc/unbound/conf.d/*.conf
 # Stub zones.
@@ -694,6 +735,7 @@ include: /etc/unbound/conf.d/*.conf
 # stub-zone:
 # name: "example.org"
 # stub-host: ns.example.com.
+ # You can now also dynamically create and delete stub-zone's using
 # unbound-control stub_add domain.com 1.2.3.4 5.6.7.8
 # unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8
diff --git a/unbound.spec b/unbound.spec
index 4d086f6..344d3b9 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -20,8 +20,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.5.9
-Release: 4%{?extra_version:.%{extra_version}}%{?dist}
+Version: 1.5.10
+Release: 1%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: http://www.nlnetlabs.nl/unbound/
 Source: http://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
@@ -44,11 +44,10 @@ Source15: unbound-anchor.timer
 Source16: unbound-munin.README
 Source17: unbound-anchor.service
-Patch1: unbound-1.5.9-iterator.patch
-
 Group: System Environment/Daemons
 BuildRequires: flex, openssl-devel
 BuildRequires: libevent-devel expat-devel
+BuildRequires: pkgconfig
 %if 0%{with_python}
 BuildRequires: python2-devel swig
 %endif # with_python
@@ -93,6 +92,7 @@ Plugin for the munin / munin-node monitoring package
 Summary: Development package that includes the unbound header files
 Group: Development/Libraries
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}, openssl-devel
+Requires: pkgconfig
 %description devel
 The devel package contains the unbound library and the include files
@@ -137,7 +137,6 @@ Python 3 modules and extensions for unbound
 %prep
 %{?extra_version:%global pkgname %{name}-%{version}%{extra_version}}%{!?extra_version:%global pkgname %{name}-%{version}}
 %setup -qcn %{pkgname}
-%patch1 -p0
 %if 0%{with_python}
 mv %{pkgname} %{pkgname}_python2
@@ -245,6 +244,8 @@ pushd %{pkgname}_python2
 # install streamtcp man page
 install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
+install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc
+
 %if 0%{with_python}
 popd
 %endif # with_python
@@ -261,6 +262,7 @@ install -m 0644 %{SOURCE13} %{buildroot}%{_sharedstatedir}/unbound/root.key
 # remove static library from install (fedora packaging guidelines)
 rm %{buildroot}%{_libdir}/*.la
+
 %if 0%{with_python}
 rm %{buildroot}%{python2_sitearch}/*.la
 %endif # with_python
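Review bot: `unbound-1.5.9-iterator.patch` is left orphaned by the @@ -44 hunk, which stops listing it as Patch1, and the @@ -137 hunk, which stops applying it, yet nothing in this diff deletes the file itself, so unless a separate commit removes it the stale patch stays in the repository next to a spec that no longer references it. Deleting it in the same commit keeps the tree consistent with the spec; if it is being kept on purpose because the fix is not yet confirmed in the 1.5.10 tarball, a comment where the Patch1 line used to be would make that explicit, e.g. `# unbound-1.5.9-iterator.patch dropped; TODO confirm the fix is in 1.5.10`.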
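Review bot: `Requires: pkgconfig` added to the -devel subpackage in the @@ -93 hunk is very likely redundant: rpm's pkgconfig dependency generator already emits a requirement on pkg-config for any package that ships a .pc file, which this subpackage now does through the `%{_libdir}/pkgconfig/*.pc` entry in `%files devel`. It is harmless, but an unexplained manual copy of an automatic dependency tends to be removed by the next cleanup, so either drop it or record the intent on its own comment line above it (spec files do not allow trailing `#` comments on a tag line), e.g. `# explicit pkgconfig Requires kept for targets whose rpm lacks the pkgconfig dependency generator`. `BuildRequires: pkgconfig` in the @@ -44 hunk is a separate question and is fine if configure or the .pc install step relies on pkg-config.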
@@ -333,7 +335,6 @@ fi
 /bin/systemctl try-restart unbound.service >/dev/null 2>&1 || :
 /bin/systemctl try-restart unbound-keygen.service >/dev/null 2>&1 || :
-
 %check
 %if 0%{with_python}
 pushd %{pkgname}_python2
@@ -411,6 +412,7 @@ popd
 %{_libdir}/libunbound.so
 %{_includedir}/unbound.h
 %{_mandir}/man3/*
+%{_libdir}/pkgconfig/*.pc
 %files libs
 %doc doc/README
@@ -430,6 +432,11 @@ popd
 %changelog
+* Tue Sep 27 2016 Paul Wouters - 1.5.10-1
+- Updated to 1.5.10 (better TCP handling, bugfixes)
+- Install pkgconfig file in -devel package
+- Updated unbound.conf
+
 * Tue Jul 19 2016 Fedora Release Engineering - 1.5.9-4
 - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages