From 310edfb9c3113d4f34bff6b925d719c6ae56b7ae Mon Sep 17 00:00:00 2001
From: basebuilder_pel7x64builder0
Date: Sun, 21 Oct 2018 11:32:41 +0200
Subject: [PATCH] unbound package update 1.8.1

Signed-off-by: basebuilder_pel7x64builder0
---
 SOURCES/unbound-anchor.service | 2 +-
 SOURCES/unbound-keygen.service | 6 ++-
 SOURCES/unbound.conf | 30 +++++++++++++-
 SOURCES/unbound.service | 2 +-
 SPECS/unbound.spec | 76 +++++++++++++++++++++++++---------
 5 files changed, 92 insertions(+), 24 deletions(-)

diff --git a/SOURCES/unbound-anchor.service b/SOURCES/unbound-anchor.service
index 26656b36..cd949e50 100644
--- a/SOURCES/unbound-anchor.service
+++ b/SOURCES/unbound-anchor.service
@@ -5,5 +5,5 @@ Documentation=man:unbound-anchor(8)
 [Service]
 Type=oneshot
 User=unbound
-ExecStart=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
+ExecStart=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R
 SuccessExitStatus=1
diff --git a/SOURCES/unbound-keygen.service b/SOURCES/unbound-keygen.service
index ccb2376b..f5e65352 100644
--- a/SOURCES/unbound-keygen.service
+++ b/SOURCES/unbound-keygen.service
@@ -2,7 +2,11 @@
 Description=Unbound Control Key And Certificate Generator
 After=syslog.target
 Before=unbound.service
-ConditionPathExists=!/etc/unbound/unbound_control.key
+ConditionPathExists=|!/etc/unbound/unbound_control.pem
+ConditionPathExists=|!/etc/unbound/unbound_control.key
+ConditionPathExists=|!/etc/unbound/unbound_server.pem
+ConditionPathExists=|!/etc/unbound/unbound_server.key
+PartOf=unbound.service
 
 [Service]
 Type=oneshot
diff --git a/SOURCES/unbound.conf b/SOURCES/unbound.conf
index 4ea08233..2de6b641 100644
--- a/SOURCES/unbound.conf
+++ b/SOURCES/unbound.conf
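Review bot: The new `-f /etc/resolv.conf -R` arguments on `ExecStart=` in unbound-anchor.service carry no explanation, and the same flags are added to `ExecStartPre=` in SOURCES/unbound.service. A comment above the line, for example `# -f: ask the resolvers in resolv.conf first (networks that block direct root queries); -R: fall back to the root servers if they fail or lack DNSSEC`, would record the intent. When resolv.conf lists this host's own unbound, the `ExecStartPre=` run happens before that resolver is listening, so it presumably relies on the `-R` fallback; that is worth stating in the same comment. The [Unit] section of the file lies outside the hunk.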
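Review bot: The `|` prefix on the four new `ConditionPathExists=|!…` lines in unbound-keygen.service is easy to misread and is not documented. It turns them into triggering conditions, so the generator runs when any one of the files is missing rather than only when all are. A comment above them such as `# '|' = triggering condition: run if any key or certificate is missing` would help. Because the unit now also runs when only some files are absent, please confirm that the `ExecStart=` command (outside the hunk) keeps the key material that still exists instead of replacing keys that remote-control clients already trust.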
@@ -246,7 +246,8 @@ server: # to this server. Specify classless netblocks with /size and action. # By default everything is refused, except for localhost. # Choose deny (drop message), refuse (polite error reply), - # allow (recursive ok), allow_snoop (recursive and nonrecursive ok) + # allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on), + # allow_snoop (recursive and nonrecursive ok) # deny_non_local (drop queries unless can be answered from local-data) # refuse_non_local (like deny_non_local but polite error reply). # access-control: 0.0.0.0/0 refuse @@ -483,6 +484,9 @@ server: # trust anchor signaling sends a RFC8145 key tag query after priming. trust-anchor-signaling: yes + # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel) + root-key-sentinel: yes + # File with DLV trusted keys. Same format as trust-anchor-file. # There can be only one DLV configured, it is trusted from root down. # DLV is going to be decommissioned. Please do not use it any more. @@ -658,7 +662,7 @@ server: # o inform acts like transparent, but logs client IP address # o inform_deny drops queries and logs client IP address # o always_transparent, always_refuse, always_nxdomain, resolve in - # that way but ignore local data for that name. + # that way but ignore local data for that name # o noview breaks out of that view towards global local-zones. # # defaults are localhost address, reverse for 127.0.0.1 and ::1 
@@ -705,6 +709,15 @@ server: # Default is no. Can be turned on and off with unbound-control. # tls-upstream: no + # Certificates used to authenticate connections made upstream. + # tls-cert-bundle: "" + + # Add system certs to the cert bundle, from the Windows Cert Store + # tls-win-cert: no + + # Also serve tls on these port numbers (eg. 443, ...), by listing + # tls-additional-ports: portno for each of the port numbers. + # DNS64 prefix. Must be specified when DNS64 is use. # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4. # dns64-prefix: 64:ff9b::0/96 @@ -722,6 +735,12 @@ server: # 0 blocks when ratelimited, otherwise let 1/xth traffic through # ratelimit-factor: 10 + # what is considered a low rtt (ping time for upstream server), in msec + # low-rtt: 45 + # select low rtt this many times out of 1000. 0 means the fast server + # select is disabled. prefetches are not sped up. + # low-rtt-permil: 0 + # override the ratelimit for a specific domain name. # give this setting multiple times to have multiple overrides. # ratelimit-for-domain: example.com 1000 @@ -929,3 +948,10 @@ auth-zone: # backend: "testframe" # # secret seed string to calculate hashed keys # secret-seed: "default" +# # For "redis" backend: +# # redis server's IP address or host name +# redis-server-host: 127.0.0.1 +# # redis server's TCP port +# redis-server-port: 6379 +# # timeout (in ms) for communication with the redis server +# redis-timeout: 100 diff --git a/SOURCES/unbound.service b/SOURCES/unbound.service index 7062e491..287fe8dc 100644 --- a/SOURCES/unbound.service +++ b/SOURCES/unbound.service 
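Review bot: The added `# tls-cert-bundle: ""` entry in the first hunk does not say what an empty value means for `tls-upstream`. As far as I know unbound then has no CA set to check upstream certificates against, so enabling `tls-upstream` alone gives encryption without authenticating the server. I would extend the comment, for example `# Without a bundle, upstream certificates are not verified; point this at the system CA bundle`, and note that the forwarder entry also needs an authentication name for the check to apply.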
@@ -11,7 +11,7 @@ Wants=nss-lookup.target Type=simple EnvironmentFile=-/etc/sysconfig/unbound ExecStartPre=/usr/sbin/unbound-checkconf -ExecStartPre=-/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem +ExecStartPre=-/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS ExecReload=/usr/sbin/unbound-control reload diff --git a/SPECS/unbound.spec b/SPECS/unbound.spec index 2c4202aa..3a1baebc 100644 --- a/SPECS/unbound.spec +++ b/SPECS/unbound.spec @@ -4,7 +4,7 @@ %global _hardened_build 1 -#global extra_version rc1 +#%%global extra_version rc1 %if 0%{with_python2} %global python_primary %{__python2} @@ -14,7 +14,6 @@ %global python_primary %{__python3} %endif # with_python3 -%if 0%{?rhel} %global with_munin 0 %if 0%{?with_python2} && 0%{?rhel} <= 6 @@ -24,16 +23,12 @@ %{!?python2_sitearch: %global python2_sitearch %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")} %endif # with_python2 && rhel <= 6 -%if 0%{?rhel} <= 7 %global with_python3 1 -%else %global with_python2 1 -%endif # rhel <= 7 -%endif # rhel Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.7.3 +Version: 1.8.1 Release: 1%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://www.unbound.net/ @@ -88,7 +83,6 @@ as a server, but are linked into an application) are easily possible. %if %{with_munin} %package munin Summary: Plugin for the munin / munin-node monitoring package -Group: System Environment/Daemons Requires: munin-node Requires: %{name} = %{version}-%{release}, bc BuildArch: noarch @@ -99,7 +93,6 @@ Plugin for the munin / munin-node monitoring package %package devel Summary: Development package that includes the unbound header files -Group: Development/Libraries Requires: %{name}-libs%{?_isa} = %{version}-%{release}, openssl-devel Requires: pkgconfig 
@@ -108,12 +101,7 @@ The devel package contains the unbound library and the include files %package libs Summary: Libraries used by the unbound server and client applications -Group: Applications/System -Requires(post): /sbin/ldconfig -Requires(post): systemd -Requires(postun): /sbin/ldconfig -Requires(postun): systemd -Requires(preun): systemd +%{?systemd_requires} Requires(pre): shadow-utils %description libs @@ -123,7 +111,6 @@ Contains libraries used by the unbound server and client applications %package -n python2-unbound %{?python_provide:%python_provide python2-unbound} Summary: Python 2 modules and extensions for unbound -Group: Applications/System Requires: %{name}-libs%{?_isa} = %{version}-%{release} Provides: unbound-python = %{version}-%{release} Obsoletes: unbound-python < %{version}-%{release} @@ -135,7 +122,6 @@ Python 2 modules and extensions for unbound %if 0%{with_python3} %package -n python3-unbound Summary: Python 3 modules and extensions for unbound -Group: Applications/System Requires: %{name}-libs%{?_isa} = %{version}-%{release} %description -n python3-unbound @@ -158,6 +144,7 @@ Python 3 modules and extensions for unbound %setup -qcn %{pkgname} pushd %{pkgname} + # only for snapshots # autoreconf -iv @@ -299,7 +286,7 @@ useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \ %systemd_post unbound-keygen.service %post libs -/sbin/ldconfig +%{?ldconfig} %systemd_post unbound-anchor.timer # start the timer only if installing the package to prevent starting it, if it was stopped on purpose if [ "$1" -eq 1 ]; then @@ -319,7 +306,7 @@ fi %systemd_postun unbound-keygen.service %postun libs -/sbin/ldconfig +%{?ldconfig} %systemd_postun_with_restart unbound-anchor.timer %triggerun -- unbound < 1.4.12-4 
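Review bot: `%{?ldconfig}` in `%post libs` and `%postun libs` (the last two hunks here) expands to nothing when the build root does not define the `%ldconfig` macro, and the `%package libs` hunk also drops the `Requires(post): /sbin/ldconfig` lines. On a target without that macro or ldconfig file triggers (the builder name hints at an EL7-type system, though that is a guess), the linker cache would not be refreshed after the unbound libraries are installed or removed. If such targets are supported, keep a fallback next to it, e.g. `%{!?ldconfig:/sbin/ldconfig}`. The same question applies to `%{?systemd_requires}`, which silently removes the systemd scriptlet dependencies when undefined. The scriptlets continue outside the hunks.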
@@ -367,6 +354,10 @@ popd %attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/conf.d/*.conf %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/local.d %attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/local.d/*.conf +%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.pem +%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.key +%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.pem +%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key %{_sbindir}/unbound %{_sbindir}/unbound-checkconf %{_sbindir}/unbound-control 
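Review bot: The four `%ghost %attr(0640,root,unbound)` entries only record the expected owner and mode; the files are created at run time by the key generator, so, as far as I know, the mode on disk is whatever that script sets. Please confirm that unbound-keygen.service produces `unbound_control.key` and `unbound_server.key` as root:unbound 0640, since a looser mode would let other local users read the remote-control private keys and `rpm -V` would report the drift. A comment above the entries, `# created by unbound-keygen.service; owner and mode must match what the generator sets`, would make that dependency visible.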
@@ -424,6 +415,53 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Mon Oct 08 2018 Petr Menšík - 1.8.1-1 +- Update to 1.8.1 + +* Mon Oct 01 2018 Petr Menšík - 1.8.0-2 +- Skip ipv6 forwarders without ipv6 support (#1633874) + +* Wed Sep 19 2018 Petr Menšík - 1.8.0-1 +- Rebase to 1.8.0 + +* Tue Aug 14 2018 Paul Wouters - 1.7.3-9 +- Fix for restarting unbound service after deleting key/pem files for remote control + +* Tue Jul 31 2018 Petr Menšík - 1.7.3-8 +- Release memory in unbound-host + +* Mon Jul 23 2018 Petr Menšík - 1.7.3-7 +- Remove unused Group tag + +* Wed Jul 18 2018 Petr Menšík - 1.7.3-6 +- Cleanup generated client and server keys (#1601773) + +* Sat Jul 14 2018 Fedora Release Engineering - 1.7.3-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Mon Jul 09 2018 Petr Menšík - 1.7.3-4 +- Do not call ldconfig if possible + +* Wed Jul 04 2018 Petr Menšík - 1.7.3-3 +- Update trust anchors also behind firewall (#1598078) + +* Mon Jul 02 2018 Miro Hrončok - 1.7.3-2 +- Rebuilt for Python 3.7 + +* Wed Jun 27 2018 Petr Menšík - 1.7.3-1 +- Update to 1.7.3 (#1593708) + +* Wed Jun 27 2018 Petr Menšík - 1.7.2-3 +- Remove last python2 dependency from python3 build + +* Tue Jun 19 2018 Miro Hrončok - 1.7.2-2 +- Rebuilt for Python 3.7 + +* Mon Jun 11 2018 Paul Wouters - 1.7.2-1 +- Resolves rhbz#1589807 unbound-1.7.2 is available +- Add patch to fix stub/forward zone not returning ServFail when TTL expires +- Enabled the new root-key-sentinel option + * Wed May 30 2018 Petr Menšík - 1.7.1-1 - Update to 1.7.1 (#1574495)