From 1f499f1636ee5c9f8622aa16827b8c90f4f0507d Mon Sep 17 00:00:00 2001
From: Toshaan Bharvani
Date: Fri, 22 Dec 2023 01:27:31 +0100
Subject: [PATCH] update to 1.19.0
Signed-off-by: Toshaan Bharvani
---
 SOURCES/icannbundle.pem | 21 +
 SOURCES/unbound-fedora-config.patch | 551 +++++++++++++
 SPECS/unbound.spec | 1105 ++++++++++++---------
 3 files changed, 1055 insertions(+), 622 deletions(-)
 create mode 100644 SOURCES/icannbundle.pem
 create mode 100644 SOURCES/unbound-fedora-config.patch
diff --git a/SOURCES/icannbundle.pem b/SOURCES/icannbundle.pem
new file mode 100644
index 0000000..ceeef5b
--- /dev/null
+++ b/SOURCES/icannbundle.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
+TEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
+BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX
+DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O
+IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB
+MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb
+cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S
+G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg
+ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2
+paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7
+MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29
+iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B
+Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3
+DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH
+6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD
+2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h
+15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF
+0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg
+j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk
+-----END CERTIFICATE-----
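Review bot: A trust root is being vendored with no provenance recorded: neither the commit message nor the visible spec hunks say where this PEM came from or what its fingerprint is, even though unbound-anchor uses this bundle (its `-c` certificate) to authenticate the HTTPS fetch of root-anchors.xml from data.iana.org, so a swapped or outdated bundle can silently break or subvert trust-anchor bootstrap. The subject decodes to "ICANN Root CA" and the validity appears to run from 2009-12-23 to 2029-12-18, which should be confirmed with `openssl x509 -noout -text`. I would record the SHA-256 fingerprint and the retrieval URL (https://data.iana.org/root-anchors/icannbundle.pem) as a comment on the Source line that installs this file (not visible in these hunks), and pin it in %prep with `openssl x509 -in <that Source> -noout -sha256 -fingerprint | grep -qF '<expected fingerprint>'` so a future refresh of the file cannot go unnoticed.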
diff --git a/SOURCES/unbound-fedora-config.patch b/SOURCES/unbound-fedora-config.patch
new file mode 100644
index 0000000..a249d2c
--- /dev/null
+++ b/SOURCES/unbound-fedora-config.patch
@@ -0,0 +1,551 @@ +From ecfc3a96a0d38cc31fb871d98789467434c7afda Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Fri, 10 Nov 2023 12:58:31 +0100 +Subject: [PATCH] Customize unbound.conf for Fedora defaults + +Set some Fedora/RHEL specific changes to example configuration file. By +patching upstream provided config file we would not need to manually +update external copy in source RPM. +--- + unbound-1.19.0/doc/example.conf.in | 205 ++++++++++++++++++----------- + 1 file changed, 131 insertions(+), 74 deletions(-) + +diff --git a/unbound-1.19.0/doc/example.conf.in b/unbound-1.19.0/doc/example.conf.in +index fe0dde6..b79a322 100644 +--- a/unbound-1.19.0/doc/example.conf.in ++++ b/unbound-1.19.0/doc/example.conf.in +@@ -17,11 +17,12 @@ server: + # whitespace is not necessary, but looks cleaner. + + # verbosity number, 0 is least verbose. 1 is default. +- # verbosity: 1 ++ verbosity: 1 + + # print statistics to the log (for every thread) every N seconds. + # Set to "" or 0 to disable. Default is disabled. +- # statistics-interval: 0 ++ # Needs to be disabled for munin plugin ++ statistics-interval: 0 + + # enable shm for stats, default no. if you enable also enable + # statistics-interval, every time it also writes stats to the +@@ -32,11 +33,13 @@ server: + # shm-key: 11777 + + # enable cumulative statistics, without clearing them after printing. +- # statistics-cumulative: no ++ # Needs to be disabled for munin plugin ++ statistics-cumulative: no + + # enable extended statistics (query types, answer codes, status) +- # printed from unbound-control. Default off, because of speed. +- # extended-statistics: no ++ # printed from unbound-control. default off, because of speed. ++ # Needs to be enabled for munin plugin ++ extended-statistics: yes + + # Inhibits selected extended statistics (qtype, qclass, qopcode, rcode, + # rpz-actions) from printing if their value is 0. +@@ -44,22 +47,35 @@ server: + # statistics-inhibit-zero: yes + + # number of threads to create. 
1 disables threading. +- # num-threads: 1 ++ num-threads: 4 + + # specify the interfaces to answer queries from by ip-address. + # The default is to listen to localhost (127.0.0.1 and ::1). + # specify 0.0.0.0 and ::0 to bind to all available interfaces. + # specify every interface[@port] on a new 'interface:' labelled line. + # The listen interfaces are not changed on reload, only on restart. ++ # interface: 0.0.0.0 ++ # interface: ::0 + # interface: 192.0.2.153 + # interface: 192.0.2.154 + # interface: 192.0.2.154@5003 + # interface: 2001:DB8::5 + # interface: eth0@5003 ++ # ++ # for dns over tls and raw dns over port 80 ++ # interface: 0.0.0.0@443 ++ # interface: ::0@443 ++ # interface: 0.0.0.0@80 ++ # interface: ::0@80 + + # enable this feature to copy the source address of queries to reply. + # Socket options are not supported on all platforms. experimental. +- # interface-automatic: no ++ # interface-automatic: yes ++ # ++ # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0 ++ # NOTE: Disabled per Fedora policy not to listen to * on default install ++ # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled ++ interface-automatic: no + + # instead of the default port, open additional ports separated by + # spaces when interface-automatic is enabled, by listing them here. +@@ -94,7 +110,8 @@ server: + + # permit Unbound to use this port number or port range for + # making outgoing queries, using an outgoing interface. +- # outgoing-port-permit: 32768 ++ # Only ephemeral ports are allowed by SElinux ++ outgoing-port-permit: 32768-60999 + + # deny Unbound the use this of port number or port range for + # making outgoing queries, using an outgoing interface. +@@ -103,7 +120,9 @@ server: + # IANA-assigned port numbers. + # If multiple outgoing-port-permit and outgoing-port-avoid options + # are present, they are processed in order. 
+- # outgoing-port-avoid: "3200-3208" ++ # Our SElinux policy does not allow non-ephemeral ports to be used ++ outgoing-port-avoid: 0-32767 ++ outgoing-port-avoid: 61000-65535 + + # number of outgoing simultaneous tcp buffers to hold per thread. + # outgoing-num-tcp: 10 +@@ -121,12 +140,12 @@ server: + + # use SO_REUSEPORT to distribute queries over threads. + # at extreme load it could be better to turn it off to distribute even. +- # so-reuseport: yes ++ so-reuseport: yes + + # use IP_TRANSPARENT so the interface: addresses can be non-local + # and you can config non-existing IPs that are going to work later on + # (uses IP_BINDANY on FreeBSD). +- # ip-transparent: no ++ ip-transparent: yes + + # use IP_FREEBIND so the interface: addresses can be non-local + # and you can bind to nonexisting IPs and interfaces that are down. +@@ -256,6 +275,8 @@ server: + # nat64-prefix: 64:ff9b::0/96 + + # Enable UDP, "yes" or "no". ++ # NOTE: if setting up an Unbound on tls443 for public use, you might want to ++ # disable UDP to avoid being used in DNS amplification attacks. + # do-udp: yes + + # Enable TCP, "yes" or "no". +@@ -281,7 +302,7 @@ server: + # tcp-idle-timeout: 30000 + + # Enable EDNS TCP keepalive option. +- # edns-tcp-keepalive: no ++ edns-tcp-keepalive: yes + + # Timeout for EDNS TCP keepalive, in msec. + # edns-tcp-keepalive-timeout: 120000 +@@ -290,6 +311,9 @@ server: + # can be dropped. Default is 0, disabled. In seconds, such as 3. + # sock-queue-timeout: 0 + ++ # Fedora note: do not activate this - not compiled in because ++ # it causes frequent unbound crashes. Also, socket activation ++ # is bad when you have things like dnsmasq also running with libvirt. + # Use systemd socket activation for UDP, TCP, and control sockets. + # use-systemd: no + +@@ -402,6 +426,7 @@ server: + # + # If you give "" no chroot is performed. The path must not end in a /. 
+ # chroot: "@UNBOUND_CHROOT_DIR@" ++ chroot: "" + + # if given, user privileges are dropped (after binding port), + # and the given username is assumed. Default is user "unbound". +@@ -413,7 +438,7 @@ server: + # is not changed. + # If you give a server: directory: dir before include: file statements + # then those includes can be relative to the working directory. +- # directory: "@UNBOUND_RUN_DIR@" ++ directory: "/etc/unbound" + + # the log file, "" means log to stderr. + # Use of this option sets use-syslog to "no". +@@ -428,7 +453,7 @@ server: + # log-identity: "" + + # print UTC timestamp in ascii to logfile, default is epoch in seconds. +- # log-time-ascii: no ++ log-time-ascii: yes + + # print one line with time, IP, name, type, class for every query. + # log-queries: no +@@ -497,22 +522,22 @@ server: + # harden-large-queries: no + + # Harden against out of zone rrsets, to avoid spoofing attempts. +- # harden-glue: yes ++ harden-glue: yes + + # Harden against receiving dnssec-stripped data. If you turn it + # off, failing to validate dnskey data for a trustanchor will + # trigger insecure mode for that zone (like without a trustanchor). + # Default on, which insists on dnssec data for trust-anchored zones. +- # harden-dnssec-stripped: yes ++ harden-dnssec-stripped: yes + + # Harden against queries that fall under dnssec-signed nxdomain names. +- # harden-below-nxdomain: yes ++ harden-below-nxdomain: yes + + # Harden the referral path by performing additional queries for + # infrastructure data. Validates the replies (if possible). + # Default off, because the lookups burden the server. Experimental + # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. +- # harden-referral-path: no ++ harden-referral-path: yes + + # Harden against algorithm downgrade when multiple algorithms are + # advertised in the DS record. 
If no, allows the weakest algorithm +@@ -526,7 +551,7 @@ server: + # Sent minimum amount of information to upstream servers to enhance + # privacy. Only sent minimum required labels of the QNAME and set QTYPE + # to A when possible. +- # qname-minimisation: yes ++ qname-minimisation: yes + + # QNAME minimisation in strict mode. Do not fall-back to sending full + # QNAME to potentially broken nameservers. A lot of domains will not be +@@ -536,7 +561,7 @@ server: + + # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN + # and other denials, using information from previous NXDOMAINs answers. +- # aggressive-nsec: yes ++ aggressive-nsec: yes + + # Use 0x20-encoded random bits in the query to foil spoof attempts. + # This feature is an experimental implementation of draft dns-0x20. +@@ -569,7 +594,7 @@ server: + # threshold, a warning is printed and a defensive action is taken, + # the cache is cleared to flush potential poison out of it. + # A suggested value is 10000000, the default is 0 (turned off). +- # unwanted-reply-threshold: 0 ++ unwanted-reply-threshold: 10000000 + + # Do not query the following addresses. No DNS queries are sent there. + # List one address per entry. List classless netblocks with /size, +@@ -581,20 +606,20 @@ server: + # do-not-query-localhost: yes + + # if yes, perform prefetching of almost expired message cache entries. +- # prefetch: no ++ prefetch: yes + + # if yes, perform key lookups adjacent to normal lookups. +- # prefetch-key: no ++ prefetch-key: yes + + # deny queries of type ANY with an empty response. +- # deny-any: no ++ deny-any: yes + + # if yes, Unbound rotates RRSet order in response. +- # rrset-roundrobin: yes ++ rrset-roundrobin: yes + + # if yes, Unbound doesn't insert authority/additional sections + # into response messages when those sections are not required. +- # minimal-responses: yes ++ minimal-responses: yes + + # true to disable DNSSEC lameness check in iterator. 
+ # disable-dnssec-lame-check: no +@@ -604,7 +629,9 @@ server: + # most modules have to be listed at the beginning of the line, + # except cachedb(just before iterator), and python (at the beginning, + # or, just before the iterator). +- # module-config: "validator iterator" ++ # For redis cachedb use: ++ # "ipsecmod validator cachedb iterator" ++ module-config: "ipsecmod validator iterator" + + # File with trusted keys, kept uptodate using RFC5011 probes, + # initial file like trust-anchor-file, then it stores metadata. +@@ -618,10 +645,10 @@ server: + # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" + + # trust anchor signaling sends a RFC8145 key tag query after priming. +- # trust-anchor-signaling: yes ++ trust-anchor-signaling: yes + + # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel) +- # root-key-sentinel: yes ++ root-key-sentinel: yes + + # File with trusted keys for validation. Specify more than one file + # with several entries, one file per entry. +@@ -642,6 +669,9 @@ server: + # the trusted-keys { name flag proto algo "key"; }; clauses are read. + # you need external update procedures to track changes in keys. + # trusted-keys-file: "" ++ # ++ trusted-keys-file: /etc/unbound/keys.d/*.key ++ auto-trust-anchor-file: "/var/lib/unbound/root.key" + + # Ignore chain of trust. Domain is treated as insecure. + # domain-insecure: "example.com" +@@ -669,14 +699,15 @@ server: + # unsecure data. Useful to shield the users of this validator from + # potential bogus data in the additional section. All unsigned data + # in the additional section is removed from secure messages. +- # val-clean-additional: yes ++ val-clean-additional: yes + + # Turn permissive mode on to permit bogus messages. Thus, messages + # for which security checks failed will be returned to clients, + # instead of SERVFAIL. It still performs the security checks, which + # result in interesting log files and possibly the AD bit in + # replies if the message is found secure. 
The default is off. +- # val-permissive-mode: no ++ # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY ++ val-permissive-mode: no + + # Ignore the CD flag in incoming queries and refuse them bogus data. + # Enable it if the only clients of Unbound are legacy servers (w2008) +@@ -690,11 +721,11 @@ server: + + # Serve expired responses from cache, with serve-expired-reply-ttl in + # the response, and then attempt to fetch the data afresh. +- # serve-expired: no ++ serve-expired: yes + # + # Limit serving of expired responses to configured seconds after + # expiration. 0 disables the limit. +- # serve-expired-ttl: 0 ++ serve-expired-ttl: 14400 + # + # Set the TTL of expired records to the serve-expired-ttl value after a + # failed attempt to retrieve the record from upstream. This makes sure +@@ -721,7 +752,7 @@ server: + + # Have the validator log failed validations for your diagnosis. + # 0: off. 1: A line per failed user query. 2: With reason and bad IP. +- # val-log-level: 0 ++ val-log-level: 1 + + # It is possible to configure NSEC3 maximum iteration counts per + # keysize. Keep this table very short, as linear search is done. +@@ -865,6 +896,8 @@ server: + # you need to do the reverse notation yourself. + # local-data-ptr: "192.0.2.3 www.example.com" + ++ include: /etc/unbound/local.d/*.conf ++ + # tag a localzone with a list of tag names (in "" with spaces between) + # local-zone-tag: "example.com" "tag2 tag3" + +@@ -875,8 +908,8 @@ server: + # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. + # Give the certificate to use and private key. + # default is "" (disabled). requires restart to take effect. 
+- # tls-service-key: "path/to/privatekeyfile.key" +- # tls-service-pem: "path/to/publiccertfile.pem" ++ # tls-service-key: "/etc/unbound/unbound_server.key" ++ # tls-service-pem: "/etc/unbound/unbound_server.pem" + # tls-port: 853 + # https-port: 443 + +@@ -884,6 +917,8 @@ server: + # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" + # cipher setting for TLSv1.3 + # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" ++ # Fedora/RHEL: use system-wide crypto policies ++ tls-ciphers: "PROFILE=SYSTEM" + + # Pad responses to padded queries received over TLS + # pad-responses: yes +@@ -1005,12 +1040,12 @@ server: + # fast-server-num: 3 + + # Enable to attach Extended DNS Error codes (RFC8914) to responses. +- # ede: no ++ ede: yes + + # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale + # Answer as EDNS0 option to expired responses. + # Note that the ede option above needs to be enabled for this to work. +- # ede-serve-expired: no ++ ede-serve-expired: yes + + # Specific options for ipsecmod. Unbound needs to be configured with + # --enable-ipsecmod for these to take effect. +@@ -1018,12 +1053,14 @@ server: + # Enable or disable ipsecmod (it still needs to be defined in + # module-config above). Can be used when ipsecmod needs to be + # enabled/disabled via remote-control(below). +- # ipsecmod-enabled: yes +- # ++ # Fedora: module will be enabled on-demand by libreswan ++ ipsecmod-enabled: no ++ + # Path to executable external hook. It must be defined when ipsecmod is + # listed in module-config (above). + # ipsecmod-hook: "./my_executable" +- # ++ ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook ++ + # When enabled Unbound will reply with SERVFAIL if the return value of + # the ipsecmod-hook is not 0. 
+ # ipsecmod-strict: no +@@ -1056,7 +1093,7 @@ server: + # o and give a python-script to run. + python: + # Script file to load +- # python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py" ++ # python-script: "/etc/unbound/ubmodule-tst.py" + + # Dynamic library config section. To enable: + # o use --with-dynlibmodule to configure before compiling. +@@ -1067,13 +1104,18 @@ python: + # the module-config then you need one dynlib-file per instance. + dynlib: + # Script file to load +- # dynlib-file: "@UNBOUND_SHARE_DIR@/dynlib.so" ++ # dynlib-file: "/etc/unbound/dynlib.so" + + # Remote control config section. + remote-control: + # Enable remote control with unbound-control(8) here. + # set up the keys and certificates with unbound-control-setup. +- # control-enable: no ++ # Note: required for unbound-munin package ++ control-enable: yes ++ ++ # Set to no and use an absolute path as control-interface to use ++ # a unix local named pipe for unbound-control. ++ # control-use-cert: yes + + # what interfaces are listened to for remote control. + # give 0.0.0.0 and ::0 to listen to all interfaces. +@@ -1087,19 +1129,22 @@ remote-control: + + # for localhost, you can disable use of TLS by setting this to "no" + # For local sockets this option is ignored, and TLS is not used. +- # control-use-cert: "yes" ++ control-use-cert: "no" + + # Unbound server key file. +- # server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key" ++ server-key-file: "/etc/unbound/unbound_server.key" + + # Unbound server certificate file. +- # server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem" ++ server-cert-file: "/etc/unbound/unbound_server.pem" + + # unbound-control key file. +- # control-key-file: "@UNBOUND_RUN_DIR@/unbound_control.key" ++ control-key-file: "/etc/unbound/unbound_control.key" + + # unbound-control certificate file. 
+- # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem" ++ control-cert-file: "/etc/unbound/unbound_control.pem" ++ ++# Stub and Forward zones ++include: /etc/unbound/conf.d/*.conf + + # Stub zones. + # Create entries like below, to make all queries for 'example.com' and +@@ -1121,6 +1166,10 @@ remote-control: + # name: "example.org" + # stub-host: ns.example.com. + ++# You can now also dynamically create and delete stub-zone's using ++# unbound-control stub_add domain.com 1.2.3.4 5.6.7.8 ++# unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8 ++ + # Forward zones + # Create entries like below, to make all queries for 'example.com' and + # 'example.org' go to the given list of servers. These servers have to handle +@@ -1138,6 +1187,10 @@ remote-control: + # forward-zone: + # name: "example.org" + # forward-host: fwd.example.com ++# ++# You can now also dynamically create and delete forward-zone's using ++# unbound-control forward_add domain.com 1.2.3.4 5.6.7.8 ++# unbound-control forward_remove domain.com 1.2.3.4 5.6.7.8 + + # Authority zones + # The data for these zones is kept locally, from a file or downloaded. +@@ -1145,30 +1198,31 @@ remote-control: + # upstream (which saves a lookup to the upstream). The first example + # has a copy of the root for local usage. The second serves example.org + # authoritatively. zonefile: reads from file (and writes to it if you also +-# download it), primary: fetches with AXFR and IXFR, or url to zonefile. +-# With allow-notify: you can give additional (apart from primaries and urls) +-# sources of notifies. +-# auth-zone: +-# name: "." 
+-# primary: 199.9.14.201 # b.root-servers.net +-# primary: 192.33.4.12 # c.root-servers.net +-# primary: 199.7.91.13 # d.root-servers.net +-# primary: 192.5.5.241 # f.root-servers.net +-# primary: 192.112.36.4 # g.root-servers.net +-# primary: 193.0.14.129 # k.root-servers.net +-# primary: 192.0.47.132 # xfr.cjr.dns.icann.org +-# primary: 192.0.32.132 # xfr.lax.dns.icann.org +-# primary: 2001:500:200::b # b.root-servers.net +-# primary: 2001:500:2::c # c.root-servers.net +-# primary: 2001:500:2d::d # d.root-servers.net +-# primary: 2001:500:2f::f # f.root-servers.net +-# primary: 2001:500:12::d0d # g.root-servers.net +-# primary: 2001:7fd::1 # k.root-servers.net +-# primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org +-# primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org +-# fallback-enabled: yes +-# for-downstream: no +-# for-upstream: yes ++# download it), master: fetches with AXFR and IXFR, or url to zonefile. ++# With allow-notify: you can give additional (apart from masters) sources of ++# notifies. ++auth-zone: ++ name: "." 
++ primary: 199.9.14.201 # b.root-servers.net ++ primary: 192.33.4.12 # c.root-servers.net ++ primary: 199.7.91.13 # d.root-servers.net ++ primary: 192.5.5.241 # f.root-servers.net ++ primary: 192.112.36.4 # g.root-servers.net ++ primary: 193.0.14.129 # k.root-servers.net ++ primary: 192.0.47.132 # xfr.cjr.dns.icann.org ++ primary: 192.0.32.132 # xfr.lax.dns.icann.org ++ primary: 2001:500:200::b # b.root-servers.net ++ primary: 2001:500:2::c # c.root-servers.net ++ primary: 2001:500:2d::d # d.root-servers.net ++ primary: 2001:500:2f::f # f.root-servers.net ++ primary: 2001:500:12::d0d # g.root-servers.net ++ primary: 2001:7fd::1 # k.root-servers.net ++ primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org ++ primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org ++ fallback-enabled: yes ++ for-downstream: no ++ for-upstream: yes ++ + # auth-zone: + # name: "example.org" + # for-downstream: yes +@@ -1194,6 +1248,9 @@ remote-control: + # name: "anotherview" + # local-zone: "example.com" refuse + ++# Fedora: DNSCrypt support not enabled since it requires linking to ++# another crypto library ++# + # DNSCrypt + # To enable, use --enable-dnscrypt to configure before compiling. + # Caveats: +@@ -1266,7 +1323,7 @@ remote-control: + # dnstap-enable: no + # # if set to yes frame streams will be used in bidirectional mode + # dnstap-bidirectional: yes +-# dnstap-socket-path: "@DNSTAP_SOCKET_PATH@" ++# dnstap-socket-path: "/etc/unbound/dnstap.sock" + # # if "" use the unix socket in dnstap-socket-path, otherwise, + # # set it to "IPaddress[@port]" of the destination. + # dnstap-ip: "" +-- +2.41.0 + diff --git a/SPECS/unbound.spec b/SPECS/unbound.spec index d05953a..b3f7542 100644 --- a/SPECS/unbound.spec +++ b/SPECS/unbound.spec @@ -4,12 +4,9 @@ %bcond_without dnstap %bcond_with systemd %bcond_without doh -%bcond_with redis - +%bcond_with redis %global _hardened_build 1 -#%%global extra_version rc1 - %if 0%{with_python2} %global python_primary %{__python2} %endif 
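Review bot: `control-enable: yes` together with `control-use-cert: "no"` (both set in this hunk) turns remote-control into an unauthenticated channel: the `control-interface:` lines are left as upstream context, so if the compiled default of 127.0.0.1 and ::1 on port 8953 applies, any local process can connect and run unbound-control verbs such as `forward_add`, `local_zone` or `flush` and redirect resolution for the whole host. The hunk's own new comment says to "use an absolute path as control-interface" when disabling certificates but never sets one; I would add `control-interface: /run/unbound/control` so the socket is protected by filesystem permissions, or otherwise keep `control-use-cert: yes`. Separately, `chroot: ""` reverts the upstream default with no rationale while almost every other change here carries a Fedora note; a line such as `# Fedora: no chroot, confinement is expected from the systemd unit and SELinux` (if that is indeed what compensates, the unit file is not in this diff) would stop the next maintainer from reading it as an accident.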
@@ -18,25 +15,16 @@ %global python_primary %{__python3} %endif -%if 0%{?rhel} %global with_munin 0 -%if 0%{?rhel} <= 7 -%global with_python3 0 -%else -%global with_python2 0 -%endif -%endif - Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.17.1 +Version: 1.19.0 Release: 1%{?extra_version:.%{extra_version}}%{?dist} -License: BSD +License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz Source1: unbound.service -Source2: unbound.conf Source3: unbound.munin Source4: unbound_munin_ Source5: root.key @@ -56,6 +44,8 @@ Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_vers Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key Source20: unbound.sysusers +# Downstream configuration changes +Patch1: unbound-fedora-config.patch BuildRequires: gcc, make BuildRequires: flex, openssl-devel @@ -80,9 +70,9 @@ BuildRequires: systemd-devel BuildRequires: libnghttp2-devel %endif %if %{with redis} -BuildRequires: redis-devel +BuildRequires: hiredis-devel %endif -%if 0%{?fedora} >= 30 +%if 0%{?fedora} >= 30 || 0%{?rhel} >= 9 BuildRequires: systemd-rpm-macros %else BuildRequires: systemd @@ -97,7 +87,6 @@ Requires: %{name}-anchor%{?_isa} = %{version}-%{release} Recommends: %{name}-utils%{?_isa} = %{version}-%{release} # unbound-keygen.service requires it, bug #2116790 Requires: openssl -#Requires(pre): systemd-standalone-sysusers %description Unbound is a validating, recursive, and caching DNS(SEC) resolver. @@ -132,6 +121,7 @@ The devel package contains the unbound library and the include files %package libs Summary: Libraries used by the unbound server and client applications Recommends: %{name}-anchor +%{?sysusers_requires_compat} %if ! 0%{with_python2} # Make explicit conflict with no longer provided python package Obsoletes: python2-unbound < 1.9.3 
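Review bot: Dropping the `%if 0%{?rhel}` block appears to leave `%global with_munin 0` in effect on every target, yet the configuration patch in this same commit enables remote-control and extended statistics with comments saying they are required for the munin package; if munin is now never built, that justification is gone and `control-enable:` should go back to `no`, or the spec should only enable it when `%{with_munin}` is set. Separately, `Release:` stays at `1` in this hunk while the changelog hunk later in the file adds a `1.19.0-2` entry dated Fri Jan 13 2023 above the Nov 2023 `1.19.0-1` entry, so the built NVR and the changelog disagree and the date is out of order; make the release number and the entry date agree before this ships.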
@@ -141,7 +131,6 @@ Obsoletes: python2-unbound < 1.9.3 Contains libraries used by the unbound server and client applications. %package anchor -Requires(pre): shadow-utils Requires: %{name}-libs%{?_isa} = %{version}-%{release} Summary: DNSSEC trust anchor maintaining tool @@ -202,13 +191,22 @@ Python 3 modules and extensions for unbound pushd %{pkgname} # patches go here -%autopatch -p1 +%autopatch -p2 # only for snapshots # autoreconf -iv # copy common doc files - after here, since it may be patched cp -pr doc pythonmod libunbound ../ + +%if 0%{?rhel} > 8 + # SHA-1 breaks some tests. Disable just some tests because of that. + # This got broken in ELN + ls testdata/*.rpl + for TEST in autotrust_init_fail autotrust_init_failsig; do + mv testdata/${TEST}.rpl{,-disabled} + done +%endif popd %if 0%{with_python2} && 0%{with_python3} @@ -228,7 +226,8 @@ cp -a %{dir_primary} %{dir_secondary} --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\ --with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\ --enable-sha2 --disable-gost --enable-ecdsa \\\ - --with-rootkey-file=%{_sharedstatedir}/unbound/root.key \\\ + --with-rootkey-file=%{_sharedstatedir}/%{name}/root.key \\\ + --with-username=unbound \\\ --enable-linux-ip-local-port-range \\\ @@ -247,6 +246,9 @@ pushd %{dir_primary} %if %{with doh} --with-libnghttp2 \ %endif +%if 0%{?rhel} + --disable-sha1 \ +%endif %if %{with redis} --with-libhiredis \ --enable-cachedb \ @@ -288,6 +290,7 @@ popd pushd %{dir_primary} %make_install unbound-event-install install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp +install -p -m 0755 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf popd install -d -m 0755 %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig 
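Review bot: `install -p -m 0755 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf` gives the resolver's configuration file the executable bit; the removed `%{SOURCE2}` line carried the same mode, so this is inherited rather than new, but generating the file is the moment to fix it with `install -p -m 0644 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf`. Because unbound.conf is now regenerated from upstream's example.conf.in on every release, its `%files` entry (outside this hunk) needs `%config(noreplace)` or local edits will be overwritten on update; worth confirming. The `ls testdata/*.rpl` in the new `%if 0%{?rhel} > 8` block only prints the directory into the build log and can be dropped.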
@@ -295,7 +298,6 @@ install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service install -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/unbound-keygen.service install -p -m 0644 %{SOURCE15} %{buildroot}%{_unitdir}/unbound-anchor.timer install -p -m 0644 %{SOURCE17} %{buildroot}%{_unitdir}/unbound-anchor.service -install -p -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound install -p -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/unbound install -p -m 0644 %{SOURCE14} %{buildroot}%{_sysconfdir}/sysconfig/unbound install -p -D -m 0644 %{SOURCE20} %{buildroot}%{_sysusersdir}/%{name}.sysusers @@ -323,7 +325,12 @@ install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf # install root - we keep a copy of the root key in old location, # in case user has changed the configuration and we wouldn't update it there install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/ -install -m 0644 %{SOURCE13} %{buildroot}%{_sharedstatedir}/unbound/root.key +install -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/unbound/dnssec-root.key +# make initial key static +pushd %{buildroot}%{_sharedstatedir}/unbound + KEYPATH=$(realpath --relative-to="%{buildroot}%{_sharedstatedir}/unbound" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key") + ln -s "$KEYPATH" root.key +popd # remove static library from install (fedora packaging guidelines) rm %{buildroot}%{_libdir}/*.la 
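Review bot: `ln -s "$KEYPATH" root.key` makes the trust anchor's behaviour depend on how each writer updates it. As far as I recall, Unbound's RFC 5011 code writes a temporary file and `rename()`s it over root.key, which replaces the link and is presumably the intended "initial key static" outcome; but anything that opens root.key for writing in place (unbound-anchor, if it uses `fopen(..., "w")`) follows the link into `/etc/unbound/dnssec-root.key` and either clobbers the root-owned static key when run as root or fails with EACCES when run as `unbound`. Please verify both write paths against 1.19.0 before relying on the link, or install a copy instead: `install -m 0644 %{SOURCE13} %{buildroot}%{_sharedstatedir}/unbound/root.key` next to the new dnssec-root.key. A comment above the `pushd` stating which process is expected to replace the link would also help the next maintainer.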
@@ -461,9 +468,10 @@ popd %{_sysusersdir}/%{name}.sysusers %{_libdir}/libunbound.so.8* %dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name} -%attr(0644,unbound,unbound) %config %{_sharedstatedir}/%{name}/root.key +%verify(not size mtime filedigest link mode user group) %{_sharedstatedir}/%{name}/root.key # just left for backwards compat with user changed unbound.conf files - format is different! %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key +%attr(0644,root,root) %config %{_sysconfdir}/%{name}/dnssec-root.key %files anchor %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name} 
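Review bot: The new `root.key` entry drops `%config` (and any `%attr`), so every upgrade of unbound-libs reinstalls the symlink over whatever RFC 5011 state the daemon has written into the file; that is harmless as long as the packaged `dnssec-root.key` already contains the current KSK, but across a root KSK rollover it would revert a host to a stale anchor until unbound-anchor runs again. If that trade-off is intended, say so next to the entry, e.g. `# not %config: upgrades deliberately reset root.key to the packaged anchor, so dnssec-root.key must track KSK rollovers`; otherwise `%config(noreplace)` keeps the daemon-maintained file. `%verify(not ... filedigest link ...)` also means `rpm -V` cannot detect a tampered root.key, which belongs in the same comment so operators know to check the anchor another way.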
@@ -481,48 +489,122 @@ popd %{_mandir}/man1/unbound-* %changelog -* Fri Jan 13 2023 Paul Wouters - 1.19.0-2 +- Generate configuration file from upstream example.conf + +* Fri Nov 10 2023 Petr Menšík - 1.19.0-1 +- Update to 1.19.0 (#2248686) +- New disable-edns-do option + +* Wed Oct 11 2023 Paul Wouters - 1.18.0-4 +- Fix for resolving outlook.com via forwarders +- See https://github.com/NLnetLabs/unbound/issues/946 +- Use autochangelog macro + +* Tue Sep 26 2023 Petr Menšík - 1.18.0-3 +- Correct dependencies on creating the unbound user + +* Wed Sep 06 2023 Petr Menšík - 1.18.0-2 +- Skip failing tests on ELN builds + +* Fri Sep 01 2023 Petr Menšík - 1.18.0-1 +- Update to 1.18.0 + +* Sat Jul 22 2023 Fedora Release Engineering - 1.17.1-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Tue Jun 13 2023 Python Maint - 1.17.1-6 +- Rebuilt for Python 3.12 + +* Fri Apr 07 2023 Chloe Kudryavtsev - 1.17.1-5 +- fix building with redis + +* Sat Jan 21 2023 Fedora Release Engineering - 1.17.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Sat Jan 14 2023 Paul Wouters - 1.17.1-3 +- clarify gpgverify a bit to make it look less magical + +* Sat Jan 14 2023 Paul Wouters - 1.17.1-2 +- update sources + +* Sat Jan 14 2023 Paul Wouters - 1.17.1-1 +- update to 1.17.1 - Resolved rhbz#2160397 unbound-1.17.1 is available (bugfix release) - Add support for building with redis +- update unbound.conf -* Thu Dec 01 2022 Petr Menšík - 1.16.3-3 -- Move unbound user creation to libs (#2149036) +* Mon Jan 02 2023 Petr Menšík - 1.17.0-5 +- Use static dnssec-root.key with link from lib + +* Mon Jan 02 2023 Petr Menšík - 1.17.0-4 - Use systemd-sysusers for user creation (#2105416) -* Wed Oct 05 2022 Petr Menšík - 1.16.3-2 -- Correct issues made by unbound-anchor package split (#2110858) +* Mon Jan 02 2023 Petr Menšík - 1.17.0-3 +- Move unbound user creation to libs (#2149036) + +* Thu Dec 08 2022 Yaakov Selkowitz - 1.17.0-2 +- Disable SHA-1 
support in ELN + +* Tue Nov 01 2022 Petr Menšík - 1.17.0-1 +- Update to 1.17.0 (#2134348) + +* Tue Oct 11 2022 Petr Menšík - 1.16.3-3 +- Correct issues made by unbound-anchor package split + +* Fri Sep 30 2022 Petr Menšík - 1.16.3-2 +- Update License tag to SPDX identifier * Fri Sep 23 2022 Petr Menšík - 1.16.3-1 -- Update to 1.16.3 (#2128638) +- Update to 1.16.3 -* Tue Aug 09 2022 Paul Wouters - 1.16.2-3 -- sync up to upstream unbound.conf -- Enable Extended DNS Error codes (RFC8914) +* Tue Aug 09 2022 Paul Wouters - 1.16.2-4 +- pull in new options of upstream unbound.conf and enable EDE (RFC8914) + +* Tue Aug 09 2022 Paul Wouters - 1.16.2-3 +- fix changelog entry * Tue Aug 09 2022 Petr Menšík - 1.16.2-2 - Require openssl tool for unbound-keygen (#2116790) * Wed Aug 03 2022 Petr Menšík - 1.16.2-1 -- Update to 1.16.2 (#2105947) +- Update to 0.16.2 (#2105947) + +* Sat Jul 23 2022 Fedora Release Engineering - 1.16.0-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild * Mon Jun 27 2022 Petr Menšík - 1.16.0-5 -- Move unbound-anchor to separate package -- Move unbound-host and unbound-streamtcp to unbound-utils package +- Move host and streamtcp utilities to separate package -* Tue Jun 07 2022 Petr Menšík - 1.16.0-4 -- Restart keygen service before every unbound start +* Mon Jun 27 2022 Petr Menšík - 1.16.0-4 +- Move unbound-anchor to separate package + +* Mon Jun 13 2022 Python Maint - 1.16.0-3 +- Rebuilt for Python 3.11 + +* Tue Jun 07 2022 Petr Menšík - 1.16.0-2 +- Do not keep keygen running, check certs each time * Sat Jun 04 2022 Petr Menšík - 1.16.0-1 - Update to 1.16.0 -* Tue Apr 26 2022 Petr Menšík - 1.15.0-3 -- Stop creating wrong devel manual pages (#2078929) +* Tue Apr 26 2022 Petr Menšík - 1.15.0-6 +- Stop creating wrong devel manual pages -* Wed Apr 20 2022 Petr Menšík - 1.15.0-2 -- Update icannbundle.pem +* Wed Apr 20 2022 Petr Sklenar - 1.15.0-5 +- Adding fmf plan + +* Wed Apr 20 2022 Petr Menšík - 1.15.0-4 +- Add lint exceptions to 
avoid errors on updates + +* Wed Apr 20 2022 Petr Menšík - 1.15.0-3 +- Update icann bundle, fix spec errors + +* Tue Mar 29 2022 Petr Menšík - 1.15.0-2 +- Import few changes to configuration * Tue Mar 29 2022 Petr Menšík - 1.15.0-1 -- Update to 1.15.0 (#2030608) +- Update to 1.15.0 * Sat Jan 22 2022 Fedora Release Engineering - 1.13.2-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild 
@@ -537,103 +619,159 @@ popd - Rebuilt with OpenSSL 3.0.0 * Thu Aug 12 2021 Paul Wouters - 1.13.2-1 -- Resolves: rhbz#1992985 unbound-1.13.2 is available -- Use system-wide crypto policies +- Resolves: rhbz#1992985 unbound-1.13.2 is available - Use system-wide + crypto policies -* Fri Jul 23 2021 Fedora Release Engineering - 1.13.1-8 +* Fri Jul 23 2021 Fedora Release Engineering - 1.13.1-10 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild -* Wed Jun 02 2021 Python Maint - 1.13.1-7 +* Thu Jun 24 2021 Petr Menšík - 1.13.1-9 +- Update source signer's key link + +* Wed Jun 02 2021 Python Maint - 1.13.1-8 - Rebuilt for Python 3.10 -* Fri Apr 23 2021 Artem Egorenkov - 1.13.1-6 -- Option --enable-linux-ip-local-port-range added to use system configured port range for libunbound on Linux -- Resolves: rhbz#1935101 +* Sat Apr 24 2021 Artem Egorenkov - 1.13.1-7 +- Option --enable-linux-ip-local-port-range added to use system configured + port range for libunbound on Linux -* Tue Apr 13 2021 Paul Wouters - 1.13.1-5 +* Tue Apr 13 2021 Paul Wouters - 1.13.1-6 - Fix unbound.service to use After=network-online.target -* Tue Apr 06 2021 Artem Egorenkov - 1.13.1-4 -- Don't start unbound-anchor before unbound service if DISABLE_UNBOUND_ANCHOR - environment variable equals to "yes" +* Wed Apr 07 2021 Artem Egorenkov - 1.13.1-5 +- DISABLE_UNBOUND_ANCHOR == "yes" disable unbound-anchor on unbound.service + startup -* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 1.13.1-3 +* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 1.13.1-4 - Rebuilt for updated systemd-rpm-macros - See https://pagure.io/fesco/issue/2583. -* Mon Feb 15 2021 Victor Stinner - 1.13.1-2 -- Fix build on Python 3.10 (rhbz#1889726). 
+* Tue Feb 16 2021 Victor Stinner - 1.13.1-3 +- Fix build on Python 3.10 + +* Wed Feb 10 2021 Paul Wouters - 1.13.1-2 +- add gpg sig * Wed Feb 10 2021 Paul Wouters - 1.13.1-1 -- Resolves rhbz#1860887 unbound-1.13.1 is available -- Fixup unbound.conf +- Resolves rhbz#1860887 unbound-1.13.1 is available - Fixup unbound.conf -* Wed Jan 27 2021 Fedora Release Engineering - 1.13.0-2 +* Wed Jan 27 2021 Fedora Release Engineering - 1.13.0-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild +* Thu Dec 10 2020 Petr Menšík - 1.13.0-2 +- Update default configuration from 1.13.0 + * Thu Dec 10 2020 Petr Menšík - 1.13.0-1 - Update to 1.13.0 -* Tue Oct 13 2020 Petr Menšík - 1.12.0-1 -- Update to 1.12.0 (#1860887) +* Tue Nov 10 2020 Petr Menšík - 1.12.0-5 +- Build on EPEL without signature check -* Tue Sep 15 2020 Petr Menšík - 1.10.1-5 -- Move command line tools to utils subpackage +* Tue Nov 10 2020 Petr Menšík - 1.12.0-4 +- Enable DNSTAP -* Wed Jul 29 2020 Fedora Release Engineering - 1.10.1-4 +* Tue Nov 10 2020 Petr Menšík - 1.12.0-3 +- Enable DNS over HTTPS + +* Tue Nov 10 2020 Petr Menšík - 1.12.0-2 +- Update config file to 1.12.0 + +* Tue Nov 10 2020 Petr Menšík - 1.12.0-1 +- Update to 1.12.0 +- DNS flag day 2020 applied +- DNS over HTTPS support +- EDNS client tag support + +* Fri Sep 18 2020 Anna Khaitovich - 1.10.1-8 +- Revert "Rebuilt for rawhide" + +* Fri Sep 18 2020 Anna Khaitovich - 1.10.1-7 +- Rebuilt for rawhide + +* Tue Sep 15 2020 Petr Menšík - 1.10.1-6 +- Rebuilt for libevent rebase + +* Wed Jul 29 2020 Fedora Release Engineering - 1.10.1-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild -* Tue Jul 14 2020 Tom Stellard - 1.10.1-3 +* Tue Jul 14 2020 Tom Stellard - 1.10.1-4 - Use make macros -- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro -* Fri May 22 2020 Miro Hrončok - 1.10.1-2 +* Fri May 22 2020 Miro Hrončok - 1.10.1-3 - Rebuilt for Python 3.9 +* Tue May 19 2020 Paul Wouters - 1.10.1-2 +- update sources 
for sig file + * Tue May 19 2020 Paul Wouters - 1.10.1-1 -- Resolves: rhbz#1837279 unbound-1.10.1 is available -- Resolves: rhbz#1837598 CVE-2020-12662 unbound: insufficient control of network message volume leads to DoS -- Resolves: rhbz#1837609 CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers -- Updated unbound.conf for new options in 1.10.1 +- * Tue May 19 2020 Paul Wouters - 1.10.1-1 - + Resolves: rhbz#1837279 unbound-1.10.1 is available - Resolves: + rhbz#1837598 CVE-2020-12662 unbound: insufficient control of network + message volume leads to DoS - Resolves: rhbz#1837609 CVE-2020-12663 + unbound: infinite loop via malformed DNS answers received from upstream + servers - Updated unbound.conf for new options in 1.10.1 -* Wed Apr 29 2020 Paul Wouters - 1.10.0-3 -- Resolves: rhbz#1667742 SELinux is preventing unbound from 'name_bind' accesses on the udp_socket port 61000. +* Wed Apr 29 2020 Paul Wouters - 1.10.0-6 +- Resolves: rhbz#1667742 SELinux is preventing unbound from 'name_bind' + accesses on the udp_socket port 61000. -* Thu Apr 16 2020 Artem Egorenkov - 1.10.0-2 -- Resolves: rhbz#1824536 unbound crash +* Thu Apr 16 2020 Artem Egorenkov - 1.10.0-5 +- Upstream isue linked for patch + +* Thu Apr 16 2020 Artem Egorenkov - 1.10.0-4 +- bz1824536. Crash on termination fixed. 
+ +* Fri Mar 20 2020 Petr Menšík - 1.10.0-3 +- Add dnstap and systemd option build support + +* Thu Mar 19 2020 Petr Menšík - 1.10.0-2 +- Add source signature verification * Thu Mar 19 2020 Petr Menšík - 1.10.0-1 - Update to 1.10.0 (#1805199) +* Thu Mar 19 2020 Petr Menšík - 1.9.6-3 +- Use autopatch for new patches + * Fri Jan 31 2020 Fedora Release Engineering - 1.9.6-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild * Fri Dec 13 2019 Paul Wouters - 1.9.6-1 -- Resolves: rhbz#1758107 unbound-1.9.5 is available -- Resolves: CVE-2019-18934 +- * Fri Dec 13 2019 Paul Wouters - 1.9.6-1 - + Resolves: rhbz#1758107 unbound-1.9.5 is available - Resolves: + CVE-2019-18934 * Fri Nov 01 2019 Paul Wouters - 1.9.4-1 -- Fix build on rhel/centos systems -- Resolves: rhbz#1767955 (CVE-2019-16866) uninitialized memory accesses leads to crash via a crafted NOTIFY query +- * Fri Nov 01 2019 Paul Wouters - 1.9.4-1 - Fix + build on rhel/centos systems - Resolves: rhbz#1767955 (CVE-2019-16866) + uninitialized memory accesses leads to crash via a crafted NOTIFY query + +* Thu Sep 26 2019 Petr Menšík - 1.9.3-3 +- Make obsoleted package removed without asking * Thu Sep 26 2019 Petr Menšík - 1.9.3-2 - Obsolete no longer provided python2 subpackage (#1749400) * Tue Aug 27 2019 Paul Wouters - 1.9.3-1 -- Updated to 1.9.3 -- Resolves: rhbz#1672578 unbound-1.9.2 is available -- Resolves: rhbz#1694831 [/usr/lib/tmpfiles.d/unbound.conf:1] Line references path below legacy directory /var/run/ -- Resolves: rhbz# 1667387 [abrt] unbound: memmove(): unbound killed by SIGABRT +- * Tue Aug 27 2019 Paul Wouters - 1.9.3-1 - Updated + to 1.9.3 - Resolves: rhbz#1672578 unbound-1.9.2 is available - Resolves: + rhbz#1694831 [/usr/lib/tmpfiles.d/unbound.conf:1] Line references path + below legacy directory /var/run/ - Resolves: rhbz# 1667387 [abrt] + unbound: memmove(): unbound killed by SIGABRT -* Thu Aug 22 2019 Miro Hrončok - 1.8.3-8 +* Thu Aug 22 2019 Miro Hrončok - 1.8.3-10 - Subpackage 
python2-unbound has been removed - See https://fedoraproject.org/wiki/Changes/Mass_Python_2_Package_Removal -* Thu Aug 15 2019 Miro Hrončok - 1.8.3-7 +* Thu Aug 15 2019 Miro Hrončok - 1.8.3-9 - Rebuilt for Python 3.8 -* Mon Aug 5 2019 Zbigniew Jędrzejewski-Szmek - 1.8.3-6 -- Drop install-time requirements on systemd (#1723777) +* Mon Aug 05 2019 Zbigniew Jędrzejewski-Szmek - 1.8.3-8 +- Drop trailing comments afer %%endif + +* Mon Aug 05 2019 Zbigniew Jędrzejewski-Szmek - 1.8.3-7 +- Remove very old trigger + +* Mon Aug 05 2019 Zbigniew Jędrzejewski-Szmek - 1.8.3-6 +- Drop build-time and install-time requirements on systemd * Sat Jul 27 2019 Fedora Release Engineering - 1.8.3-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild @@ -644,20 +782,22 @@ popd * Fri Jan 11 2019 Paul Wouters - 1.8.3-3 - Remove KSK-2010 from configs - it has been revoked -* Wed Dec 12 2018 Paul Wouters - 1.8.3-2 +* Fri Jan 11 2019 Paul Wouters - 1.8.3-2 - Another dns64 fixup * Wed Dec 12 2018 Paul Wouters - 1.8.3-1 - Updated to 1.8.3 with fixes the dns64 bug and has some other minor fixes -* Mon Dec 10 2018 Paul Wouters - 1.8.2-2 +* Mon Dec 10 2018 Paul Wouters - 1.8.2-3 - Fix dns64 allocation in wrong region for returned internal queries. +* Tue Dec 04 2018 Paul Wouters - 1.8.2-2 +- new sources + * Tue Dec 04 2018 Paul Wouters - 1.8.2-1 -- Updated to 1.8.2. -- Enabled deny ANY query support and edns-tcp-keepalive -- Set serve-stale timeout to 4h -- Updated unbound.conf for latest options +- * Tue Dec 04 2018 Paul Wouters - 1.8.2-1 - Updated + to 1.8.2. - Enabled deny ANY query support and edns-tcp-keepalive - Set + serve-stale timeout to 4h - Updated unbound.conf for latest options * Mon Oct 22 2018 Petr Menšík - 1.8.1-2 - Allow group by default to unbound-control (#1640259) 
@@ -665,79 +805,120 @@ popd * Mon Oct 08 2018 Petr Menšík - 1.8.1-1 - Update to 1.8.1 -* Mon Oct 01 2018 Petr Menšík - 1.8.0-2 -- Skip ipv6 forwarders without ipv6 support (#1633874) +* Mon Oct 01 2018 Petr Menšík - 1.8.0-3 +- Fix #4188: IPv6 forwarders without ipv6 result in SERVFAIL, fixes qname + minimisation with a forwarder when connectivity has issues from rejecting + responses. -* Wed Sep 19 2018 Petr Menšík - 1.8.0-1 +* Wed Sep 19 2018 Petr Menšík - 1.8.0-2 +- Reset release and add changelog + +* Mon Sep 17 2018 Petr Menšík - 1.8.0-1 - Rebase to 1.8.0 -* Tue Aug 14 2018 Paul Wouters - 1.7.3-9 -- Fix for restarting unbound service after deleting key/pem files for remote control +* Wed Aug 15 2018 Paul Wouters - 1.7.3-13 +- Ensure if even one of the required files is missing, to restart the + keyservice -* Tue Jul 31 2018 Petr Menšík - 1.7.3-8 +* Tue Aug 14 2018 Paul Wouters - 1.7.3-12 +- Fix for restarting unbound service after deleting key/pem files for + remote control + +* Tue Aug 14 2018 Paul Wouters - 1.7.3-11 +- Ensure keygen service is restart as part of the unbound service restart + +* Tue Jul 31 2018 Petr Menšík - 1.7.3-10 - Release memory in unbound-host -* Mon Jul 23 2018 Petr Menšík - 1.7.3-7 +* Mon Jul 30 2018 Petr Menšík - 1.7.3-9 +- Remove unused patches from repo + +* Mon Jul 23 2018 Petr Menšík - 1.7.3-8 - Remove unused Group tag -* Wed Jul 18 2018 Petr Menšík - 1.7.3-6 +* Wed Jul 18 2018 Petr Menšík - 1.7.3-7 - Cleanup generated client and server keys (#1601773) -* Sat Jul 14 2018 Fedora Release Engineering - 1.7.3-5 +* Sat Jul 14 2018 Fedora Release Engineering - 1.7.3-6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild -* Mon Jul 09 2018 Petr Menšík - 1.7.3-4 -- Do not call ldconfig if possible +* Mon Jul 09 2018 Petr Menšík - 1.7.3-5 +- Do not call ldconfig if possible - Use systemd macros also for library -* Wed Jul 04 2018 Petr Menšík - 1.7.3-3 -- Update trust anchors also behind firewall (#1598078) +* Wed Jul 04 2018 
Petr Menšík - 1.7.3-4 +- Prefer local resolvers over direct root access. Enables successful trust + anchor updates also when no direct queries are available, but local + resolvers support dnssec. Fixes bug #1598078 -* Mon Jul 02 2018 Miro Hrončok - 1.7.3-2 +* Mon Jul 02 2018 Miro Hrončok - 1.7.3-3 - Rebuilt for Python 3.7 +* Wed Jun 27 2018 Petr Menšík - 1.7.3-2 +- Update sources to 1.7.3 + * Wed Jun 27 2018 Petr Menšík - 1.7.3-1 - Update to 1.7.3 (#1593708) -* Wed Jun 27 2018 Petr Menšík - 1.7.2-3 +* Wed Jun 27 2018 Petr Menšík - 1.7.2-4 - Remove last python2 dependency from python3 build -* Tue Jun 19 2018 Miro Hrončok - 1.7.2-2 +* Tue Jun 19 2018 Miro Hrončok - 1.7.2-3 - Rebuilt for Python 3.7 +* Mon Jun 11 2018 Paul Wouters - 1.7.2-2 +- add unbound-1.7.2-stub-fwd-ttl.patch + * Mon Jun 11 2018 Paul Wouters - 1.7.2-1 -- Resolves rhbz#1589807 unbound-1.7.2 is available -- Add patch to fix stub/forward zone not returning ServFail when TTL expires -- Enabled the new root-key-sentinel option +- * Mon Jun 11 2018 Paul Wouters - 1.7.2-1 - Resolves + rhbz#1589807 unbound-1.7.2 is available - Add patch to fix stub/forward + zone not returning ServFail when TTL expires - Enabled the new root-key- + sentinel option * Wed May 30 2018 Petr Menšík - 1.7.1-1 - Update to 1.7.1 (#1574495) +* Mon Apr 09 2018 Petr Menšík - 1.7.0-8 +- Fix disabled python versions in non-Fedora builds + +* Mon Apr 09 2018 Petr Menšík - 1.7.0-7 +- Make primary python3 version, but install it last + +* Mon Apr 09 2018 Petr Menšík - 1.7.0-6 +- Simplify building with single python version + * Mon Apr 09 2018 Petr Menšík - 1.7.0-5 -- Require gcc and make on build -- Remove group, simplify systemd requires -- Simplify building with single python version, make python3 primary +- Require gcc and make on build Remove group, simplify systemd requires * Mon Apr 09 2018 Paul Wouters - 1.7.0-4 -- Patch for prefetching after flushing cache +- * Mon Apr 09 2018 Paul Wouters - 1.7.0-4 - Patch + for prefetching 
after flushing cache * Fri Apr 06 2018 Paul Wouters - 1.7.0-3 -- Patch for referral with auth-zone: response - +- * Fri Apr 06 2018 Paul Wouters - 1.7.0-3 - Patch + for referral with auth-zone: response * Wed Mar 21 2018 Paul Wouters - 1.7.0-2 -- Patch for broken Aggressive NSEC + stub-zone configuration causing NXDOMAIN at TTL expiry +- Patch for broken Aggressive NSEC + stub-zone configuration causing + NXDOMAIN at TTL expiry * Thu Mar 15 2018 Paul Wouters - 1.7.0-1 -- Updated to 1.7.0 (aggressive nsec, local root support, bugfixes) +- * Thu Mar 15 2018 Paul Wouters - 1.7.0-1 - Updated + to 1.7.0 (aggressive nsec, local root support, bugfixes) -* Thu Feb 22 2018 Petr Menšík - 1.6.8-6 -- Uncomment again original max-upd-size +* Thu Feb 22 2018 Petr Menšík - 1.6.8-8 +- Revert "Improve config formatting" -* Wed Feb 21 2018 Petr Menšík - 1.6.8-5 +* Wed Feb 21 2018 Petr Menšík - 1.6.8-7 +- Bump the spec instead, previous is already built + +* Wed Feb 21 2018 Petr Menšík - 1.6.8-6 - Use default RPM build flags and configure parameters (#1539097) +* Wed Feb 21 2018 Petr Menšík - 1.6.8-5 +- Improve config formatting + * Wed Feb 21 2018 Petr Menšík - 1.6.8-4 -- Remove group writable bit from some config files (#1528445) +- Remove group write permission to installed examples * Wed Feb 14 2018 Filipe Rosset - 1.6.8-3 - rebuilt due new libevent 2.1.8 
@@ -746,13 +927,14 @@ popd - Escape macros in %%changelog * Mon Jan 22 2018 Paul Wouters - 1.6.8-1 -- Resolves rhbz#1483572 unbound-1.6.8 is available -- Resolves rhbz#1507049 CVE-2017-15105 unbound: Improper validation of wildcard synthesized NSEC records -- Resolves rhbz#1536518 CVE-2017-15105 unbound: Improper validation of wildcard synthesized NSEC records [fedora-all] +- * Mon Jan 22 2018 Paul Wouters - 1.6.8-1 - Resolves + rhbz#1483572 unbound-1.6.8 is available - Resolves rhbz#1507049 + CVE-2017-15105 unbound: Improper validation of wildcard synthesized NSEC + records - Resolves rhbz#1536518 CVE-2017-15105 unbound: Improper + validation of wildcard synthesized NSEC records [fedora-all] * Sun Dec 17 2017 Zbigniew Jędrzejewski-Szmek - 1.6.7-2 - Python 2 binary package renamed to python2-unbound - See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3 * Thu Oct 12 2017 Paul Wouters - 1.6.7-1 - Updated to 1.6.7 (minor bugfixes) 
@@ -761,50 +943,77 @@ popd - Update icannbundle.pem * Mon Oct 02 2017 Paul Wouters - 1.6.6-2 -- Enable RFC 8145 Trust Anchor Signaling to help the root zone get keytag statistics +- Enable RFC 8145 Trust Anchor Signaling to help the root zone get keytag + statistics * Fri Sep 22 2017 Paul Wouters - 1.6.6-1 -- Resolves: rhbz#1483572 unbound-1.6.6 is available -- Resolves: rhbz#1465575 unbound fails to start up, complains about missing ipsecmod-hook (edit) +- * Fri Sep 22 2017 Paul Wouters - 1.6.6-1 - + Resolves: rhbz#1483572 unbound-1.6.6 is available - Resolves: + rhbz#1465575 unbound fails to start up, complains about missing ipsecmod- + hook (edit) -* Wed Aug 16 2017 Paul Wouters - 1.6.4-4 -- Rebuilt with KSK2017 added to root.key and root.anchor -- Remove noreplace for root key files. We can only improve these files over local copies +* Wed Sep 06 2017 genodeftest - 1.6.4-8 +- Update upstream URL and use HTTPS where possible -* Thu Aug 03 2017 Fedora Release Engineering - 1.6.4-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild +* Wed Aug 16 2017 Paul Wouters - 1.6.4-7 +- * Wed Aug 16 2017 Paul Wouters - 1.6.4-4 - Rebuilt + with KSK2017 added to root.key and root.anchor - Remove noreplace for + root key files. 
We can only improve these files over local copies -* Thu Jul 27 2017 Fedora Release Engineering - 1.6.4-2 +* Thu Aug 03 2017 Fedora Release Engineering - 1.6.4-6 +- Rebuilt for + https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 1.6.4-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild -* Sun Jul 02 2017 Paul Wouters - 1.6.4-1 -- Updated to 1.6.4 full release, patch to allow missing ipsechook -- Resolves rhbz#1465575 unbound fails to start up, complains about missing ipsecmod-hook +* Sun Jul 02 2017 Paul Wouters - 1.6.4-4 +- added unbound-1.6.4-ipsechook-check.patch -* Thu Jun 22 2017 Paul Wouters - 1.6.4-0.rc2 +* Sun Jul 02 2017 Paul Wouters - 1.6.4-3 +- * Sun Jul 02 2017 Paul Wouters - 1.6.4-1 - Updated + to 1.6.4 full release, patch to allow missing ipsechook - Resolves + rhbz#1465575 unbound fails to start up, complains about missing ipsecmod- + hook + +* Thu Jun 22 2017 Paul Wouters - 1.6.4-2 +- newsources + +* Thu Jun 22 2017 Paul Wouters - 1.6.4-1 - Update to 1.6.4 (esubnet, ipsecmod support, bugfixes) +* Thu Jun 22 2017 Paul Wouters - 1.6.3-2 +- update unbound.conf to 1.6.14 feature set + * Tue Jun 13 2017 Paul Wouters - 1.6.3-1 -- Updated to 1.6.3 (fixes assertion failure when receiving malformed packet with 0x20 enabled) +- Updated to 1.6.3 (fixes assertion failure when receiving malformed packet + with 0x20 enabled) * Thu Jun 08 2017 Paul Wouters - 1.6.2-2 - Patch for cmd: unbound-control set_option val-permissive-mode: yes -* Wed Apr 26 2017 Paul Wouters - 1.6.2-1 -- Update to 1.6.2 (rhbz#1425649) -- Updated unbound.conf with new options +* Thu Apr 27 2017 Paul Wouters - 1.6.2-1 +- * Wed Apr 26 2017 Paul Wouters - 1.6.2-1 - Update + to 1.6.2 (rhbz#1425649) - Updated unbound.conf with new options -* Wed Mar 22 2017 Paul Wouters - 1.6.0-6 +* Wed Mar 22 2017 Paul Wouters - 1.6.0-8 +- only call install once doing both actions + +* Wed Mar 22 2017 Paul Wouters - 1.6.0-7 - Call 
make unbound-event-install to install unbound-event.h -* Sat Feb 11 2017 Fedora Release Engineering - 1.6.0-5 +* Sat Feb 11 2017 Fedora Release Engineering - 1.6.0-6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild +* Wed Jan 18 2017 Paul Wouters - 1.6.0-5 +- fixup dlv/root key install + * Wed Jan 18 2017 Paul Wouters - 1.6.0-4 - Remove obsoleted DLV key * Mon Jan 02 2017 Paul Wouters - 1.6.0-3 -- Actually remove dependency because minimum is always satisfied +- Actually remove dependency because minimum is always satisfied (and + otherwise we need a %%{isa} requirement) * Mon Jan 02 2017 Paul Wouters - 1.6.0-2 - Depend on openssl-libs, not opensl 
@@ -812,49 +1021,60 @@ popd * Wed Dec 21 2016 Kevin Fenzi - 1.6.0-1 - Update to 1.6.0 -* Mon Dec 19 2016 Miro Hrončok - 1.5.10-3 +* Mon Dec 19 2016 Miro Hrončok - 1.5.10-4 - Rebuild for Python 3.6 -* Wed Oct 26 2016 Ilya Evseev - 1.5.10-2 -- Bugfix building without python2 and python3 -- Fixup streamtcp build (Paul) +* Fri Nov 04 2016 Paul Wouters - 1.5.10-3 +- * Wed Oct 26 2016 Ilya Evseev - 1.5.10-2 - Bugfix + building without python2 and python3 - Fixup streamtcp build (Paul) + +* Tue Sep 27 2016 Paul Wouters - 1.5.10-2 +- new sources * Tue Sep 27 2016 Paul Wouters - 1.5.10-1 -- Updated to 1.5.10 (better TCP handling, bugfixes) -- Install pkgconfig file in -devel package -- Updated unbound.conf +- * Tue Sep 27 2016 Paul Wouters - 1.5.10-1 - Updated + to 1.5.10 (better TCP handling, bugfixes) - Install pkgconfig file in + -devel package - Updated unbound.conf -* Tue Jul 19 2016 Fedora Release Engineering - 1.5.9-4 -- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages +* Tue Jul 19 2016 Fedora Release Engineering - 1.5.9-4 +- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_ + Packages * Thu Jul 07 2016 Paul Wouters - 1.5.9-3 - Fix upper port range to 60999 because that's what selinux allows * Thu Jun 16 2016 Paul Wouters - 1.5.9-2 -- Patch for allowing more queries before failure (needed for query minimalization) +- Patch for allowing more queries before failure (needed for query + minimalization) * Mon Jun 13 2016 Paul Wouters - 1.5.9-1 - Updated to 1.5.9 -* Thu Apr 21 2016 Toshio Kuratomi - 1.5.8-2 +* Thu Apr 21 2016 Toshio Kuratomi - 1.5.8-3 - Fix streamtcp to link against libpython3.x instead of libpython2.x -* Wed Mar 02 2016 Paul Wouters - 1.5.8-1 -- Update to 1.5.8 (rhbz#1313831) which incorporates rhbz#1294339 patch -- Updated unbound.conf with new upstream options -- Enabled ip-transparent: yes (see rhbz#1291449) +* Wed Mar 02 2016 Paul Wouters - 1.5.8-2 +- update changelog line -* Fri Feb 05 2016 
Fedora Release Engineering - 1.5.7-3 +* Wed Mar 02 2016 Paul Wouters - 1.5.8-1 +- * Wed Mar 02 2016 Paul Wouters - 1.5.8-1 - Update + to 1.5.8 which incorporates rhbz#1294339 fix - Updated unbound.conf with + new upstream options - Enabled ip-transparent: yes (see rhbz#1291449) + +* Fri Feb 05 2016 Fedora Release Engineering - 1.5.7-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild -* Thu Jan 21 2016 Tomas Hozza - 1.5.7-2 +* Thu Jan 21 2016 Tomas Hozza - 1.5.7-3 - Fix escaping of shell chars in unbound-control-setup (#1294339) +* Thu Jan 21 2016 Tomas Hozza - 1.5.7-2 +- Merged some lines from the latest upstream configuration version + * Fri Dec 11 2015 Paul Wouters - 1.5.7-1 -- Update to 1.5.7 -- Enable query minimalization for enhanced DNS query privacy -- Enable nxdomain hardening to assist with query minimalization and SBLs -- Updated default unbound.conf for new features from upstream. +- * Fri Dec 11 2015 Paul Wouters - 1.5.7-1 - Update + to 1.5.7 - Enable query minimalization for enhanced DNS query privacy - + Enable nxdomain hardening to assist with query minimalization and SBLs - + Updated default unbound.conf for new features from upstream. * Fri Nov 13 2015 Tomas Hozza - 1.5.6-1 - Update to 1.5.6 (#1176729) 
@@ -864,77 +1084,115 @@ popd * Wed Oct 07 2015 Tomas Hozza - 1.5.5-1 - New upstream release 1.5.5 (#1269137) -- Removed the anchor update from %%post section of -libs subpackage (#1269137#c2) +- Removed the anchor update from %%post section of -libs subpackage + (#1269137#c2) -* Tue Sep 15 2015 Tomas Hozza - 1.5.4-5 -- Removed dependency and ordering on unbound-anchor.service in unbound.service +* Wed Sep 23 2015 Paul Wouters - 1.5.4-8 +- fix commented address range in unbound.conf -* Thu Sep 03 2015 Tomas Hozza - 1.5.4-4 +* Tue Sep 15 2015 Tomas Hozza - 1.5.4-7 +- Removed dependency and ordering on unbound-anchor.service in + unbound.service + +* Thu Sep 03 2015 Tomas Hozza - 1.5.4-6 - Prefer Python3 build over Python2 build for now (#1254566) -* Mon Jul 20 2015 Tomas Hozza - 1.5.4-3 -- Added ExecReload section to unbound.service (#1195785) +* Mon Jul 20 2015 Tomas Hozza - 1.5.4-5 - Removed After syslog.target since it is not needed any more +* Mon Jul 20 2015 Tomas Hozza - 1.5.4-4 +- Added ExecReload section to unbound.service (#1195785) + +* Thu Jul 16 2015 Tomas Hozza - 1.5.4-3 +- Rename root.anchor to root.key in %%post section + * Thu Jul 16 2015 Tomas Hozza - 1.5.4-2 - Start unbound-anchor.timer only on new installations -- Rename root.anchor to root.key in %%post section * Tue Jul 14 2015 Paul Wouters - 1.5.4-1 -- Update to 1.5.4 -- Removed patches merged into upstream +- * Tue Jul 14 2015 Paul Wouters - 1.5.4-1 - Update + to 1.5.4 - Removed patches merged into upstream -* Tue Jun 16 2015 Tomas Hozza - 1.5.3-8 -- Revert: Use low maximum negative cache TTL (5 sec) (#1229596) +* Tue Jun 16 2015 Tomas Hozza - 1.5.3-14 +- Revert: Use low maximum negative cache TTL (5 sec) -* Mon Jun 15 2015 Tomas Hozza - 1.5.3-7 -- Add option for maximum negative cache TTL (#1229599) +* Tue Jun 16 2015 Tomas Hozza - 1.5.3-13 +- Revert "Use low maximum negative cache TTL (5 sec) (#1229596)" + +* Mon Jun 15 2015 Tomas Hozza - 1.5.3-12 - Use low maximum negative cache TTL (5 sec) 
(#1229596) -* Tue May 26 2015 Tomas Hozza - 1.5.3-6 +* Mon Jun 15 2015 Tomas Hozza - 1.5.3-11 +- Add new options from upstream example.conf to default unbound.conf + (commented out) + +* Mon Jun 15 2015 Tomas Hozza - 1.5.3-10 +- Add option for maximum negative cache TTL (#1229599) + +* Tue May 26 2015 Tomas Hozza - 1.5.3-9 - Removed usage of DLV from the default configuration (#1223363) -* Wed May 13 2015 Tomas Hozza - 1.5.3-5 +* Wed May 13 2015 Tomas Hozza - 1.5.3-8 - unbound.service now Wants unbound-anchor.timer - unbound-anchor man page moved to the unbound-libs -* Mon May 11 2015 Paul Wouters - 1.5.3-4 -- Fixup scriptlets causing systemctl: command not found -- Resolves rhbz#1219587 Error in PREIN scriptlet in rpm package unbound-libs +* Mon May 11 2015 Paul Wouters - 1.5.3-7 +- Fixup scriptlets causing systemctl: command not found - Resolves + rhbz#1219587 Error in PREIN scriptlet in rpm package unbound-libs -* Mon Apr 27 2015 Tomas Hozza - 1.5.3-3 +* Mon Apr 27 2015 Tomas Hozza - 1.5.3-6 - migrate cronjob to systemd timer unit (#1177285) - change the period for unbound-anchor from monthly to daily (#1180267) - Thanks to Tomasz Torcz for the initial patch -* Thu Apr 16 2015 Tomas Hozza - 1.5.3-2 +* Thu Apr 16 2015 Tomas Hozza - 1.5.3-5 +- Add patches to the repo + +* Thu Apr 16 2015 Tomas Hozza - 1.5.3-4 +- Fix FTBFS and build Python 2 and 3 bindings - Fix FTBFS (#1206129) -- Build python3-unbound and python-unbound bindings for Python 3 and 2 (#1188080) +- Build python3-unbound and python-unbound bindings for Python 3 and 2 + (#1188080) + +* Mon Apr 13 2015 Tomas Hozza - 1.5.3-3 +- Fix install command when creating directories + +* Mon Apr 13 2015 Tomas Hozza - 1.5.3-2 +- Remove unused patch * Mon Mar 16 2015 Paul Wouters - 1.5.3-1 -- Updated to 1.5.3 which is a bugfix on 1.5.2 for sighup handling -- Updated to 1.5.2 which fixes DNSSEC validation with different - trust anchors upstream, local-zone has a new keyword 'inform' +- * Mon Mar 16 2015 Paul Wouters 
- 1.5.3-1 - Updated + to 1.5.3 which is a bugfix on 1.5.2 for sighup handling - Updated to + 1.5.2 which fixes DNSSEC validation with different trust anchors + upstream, local-zone has a new keyword 'inform' -* Mon Feb 02 2015 Paul Wouters - 1.5.1-4 +* Mon Feb 02 2015 Paul Wouters - 1.5.1-8 - Build with --enable-ecdsa -* Sun Feb 01 2015 Paul Wouters - 1.5.1-3 +* Sun Feb 01 2015 Paul Wouters - 1.5.1-7 - Fix post to create root.anchor, not root.key, to match cron job +* Wed Dec 10 2014 Paul Wouters - 1.5.1-6 +- fixup tmpfiles copying + +* Tue Dec 09 2014 Paul Wouters - 1.5.1-5 +- bump master with updated changes + +* Tue Dec 09 2014 Paul Wouters - 1.5.1-4 +- Change systemd-units to systemd - Use _tmpfilesdir macro, don't mark + tmpfiles as config + +* Tue Dec 09 2014 Paul Wouters - 1.5.1-3 +- add CVE rhbz to changelog + * Tue Dec 09 2014 Paul Wouters - 1.5.1-2 -- Change systemd-units to systemd -- Use _tmpfilesdir macro, don't mark tmpfiles as config +- Update to 1.5.1 for CVE-2014-8602 - Removed unbound-aarch64.patch which + was merged upstream -* Tue Dec 09 2014 Paul Wouters - 1.5.1-1 -- Update to 1.5.1 for CVE-2014-8602 (rhbz#1172066) -- Removed unbound-aarch64.patch which was merged upstream -- Don't require autotools for non snapshots or run autoreconf - -* Fri Nov 28 2014 Tomas Hozza - 1.5.1-0.1.rc1 +* Fri Nov 28 2014 Tomas Hozza - 1.5.1-1 - update to 1.5.1rc1 -* Fri Nov 28 2014 Marcin Juszkiewicz - 1.5.0-3 +* Fri Nov 28 2014 Peter Robinson - 1.5.0-3 - fix build on aarch64 * Wed Nov 26 2014 Tomas Hozza - 1.5.0-2 
@@ -943,427 +1201,30 @@ popd * Wed Nov 19 2014 Tomas Hozza - 1.5.0-1 - update to 1.5.0 -* Wed Sep 24 2014 Pavel Šimerda - 1.4.22-6 +* Wed Sep 24 2014 Pavel Šimerda - 1.4.22-10 +- add missing part of the python 3.x patch + +* Wed Sep 24 2014 Pavel Šimerda - 1.4.22-9 - Resolves: #1115489 - build with python 3.x for fedora >= 22 -* Thu Aug 21 2014 Kevin Fenzi - 1.4.22-5 +* Fri Sep 19 2014 Pavel Šimerda - 1.4.22-8 +- Revert "new version 1.4.22" + +* Thu Sep 18 2014 Pavel Šimerda - 1.4.22-7 +- new version 1.4.22 + +* Thu Aug 21 2014 Kevin Fenzi - 1.4.22-6 - Rebuild for rpm bug 1131960 -* Mon Aug 18 2014 Fedora Release Engineering - 1.4.22-4 +* Mon Aug 18 2014 Peter Robinson - 1.4.22-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild -* Sun Jun 08 2014 Fedora Release Engineering - 1.4.22-3 +* Sun Jun 08 2014 Dennis Gilmore - 1.4.22-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild -* Thu May 01 2014 Paul Wouters - 1.4.22-2 -- Added flushcache patch (SVN commit 3125) +* Thu May 01 2014 Paul Wouters - 1.4.22-3 +- * Thu May 01 2014 Paul Wouters - 1.4.22-2 - Added + flushcache patch (SVN commit 3125) -* Thu Mar 13 2014 Paul Wouters - 1.4.22-1 -- Updated to 1.4.22 -- No longer requires the ldns library - -* Thu Jan 16 2014 Tomas Hozza - 1.4.21-3 -- Fix segfault on adding insecure forward zone when using only iterator (#1054192) - -* Mon Oct 21 2013 Tomas Hozza - 1.4.21-2 -- run test suite during the build - -* Thu Sep 19 2013 Paul Wouters - 1.4.21-1 -- Updated to 1.4.21, -- Enabled new max-udp-size: 3072 (so ANY isc.org won't fit) -- Removed patched merged in by upstream -- Enable statistics-cumulative for munin-plugin -- Added outgoing-port-avoid: 0-32767 conformant to SElinux restrictions -- Updated unbound.conf - -* Mon Aug 26 2013 Tomas Hozza - 1.4.20-19 -- Fix errors found by static analysis of source - -* Mon Aug 12 2013 Paul Wouters - 1.4.20-18 -- Change unbound.conf to only use ephemeral ports (32768-65535) - -* Sun Aug 04 
2013 Fedora Release Engineering - 1.4.20-17 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild - -* Mon Jul 22 2013 Tomas Hozza - 1.4.20-16 -- provide man page for unbound-streamtcp - -* Mon Jul 08 2013 Paul Wouters - 1.4.20-15 -- Re-introduce hardening flags for full relro and pie -- Fixes compilation failure for python module - -* Wed Jul 03 2013 Tomas Hozza - 1.4.20-14 -- remove missing unbound-rootkey.service from post/preun/postun sections -- don't hardcode hardening flags, let hardened build macro handles it - -* Sat Jun 01 2013 Paul Wouters - 1.4.20-13 -- Run unbound-anchor as user unbound in unbound.service - -* Tue May 28 2013 Paul Wouters - 1.4.20-12 -- Enable round-robin (with noths() patch) -- Change cron and systemd service to use root.key, not root.anchor - -* Sat May 25 2013 Paul Wouters - 1.4.20-10 -- Use /var/lib/unbound/root.key (more consistent with other distros) -- Enable minimal responses - -* Mon Apr 22 2013 Paul Wouters - 1.4.20-8 -- Refix - -* Fri Apr 19 2013 Paul Wouters - 1.4.20-7 -- Fix runuser call in post. - -* Tue Apr 16 2013 Paul Wouters - 1.4.20-6 -- /var/lib/unbound should be owned by unbound. 
group write is not enough - -* Fri Apr 12 2013 Paul Wouters - 1.4.20-5 -- Fix cron job syntax (rhbz#951725) -- Use install -p to prevent .rpmnew files that are identical to originals - -* Mon Apr 8 2013 Paul Wouters - 1.4.20-4 -- Updated to 1.4.20 -- Build with full RELRO (not use -z,relro but with -z,relo,-z,now) -- Fixup man page for unbound-control-setup -- unbound.service should start before nss-lookup.target (rhbz#919955) -- Removed patch for rhbz#888759 merged in upstream -- Move root.anchor to /var/lib/unbound to make selinux policy easier for updating (rhbz#896599/rhbz#891008) -- Move cronjob for root.anchor from unbound to unbound-libs, require crontabs -- /etc/unbound (and all) should be owned by unbound-libs (rhbz#909691) -- Remove Obsolete/Provides for dnssec-conf which was last seen in f13 -- Ensure any unbound-anchor failure in post is ignored - -* Tue Mar 05 2013 Adam Tkac - 1.4.19-5 -- build with full RELRO -- symlink unbound-control-setup.8 manpage to unbound-control.8 - -* Fri Feb 15 2013 Fedora Release Engineering - 1.4.19-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild - -* Wed Dec 12 2012 Paul Wouters - 1.4.19-3 -- Updated to 1.4.19 - this integrates all existing patches -- Patch for unbound-anchor (rhbz#888759) - -* Fri Nov 09 2012 Paul Wouters - 1.4.18-6 -- Patch to ensure stube-zone's aren't lost when using dnssec-triggerd -- added unbound-munin.README file - -* Wed Sep 26 2012 Paul Wouters - 1.4.18-5 -- Patch to allow wildcards in include: statements -- Add directories /etc/unbound/keys.d,conf.d,local.d with - example entries -- Added /etc/unbound/root.anchor, maintained by unbound-anchor - which is installed as monthly cron and PreExec in systemd config - (root.key is unused, but left installed in case people depend on it) -- Native systemd (simple) and /etc/sysconfig/unbound support -- Run unbound-checkconf in PreExec -- Moved trust anchor related files to unbound-libs, as they can - be used without the daemon. 
-- sub packages now depends on base package of same arch -- Build munin package as noarch -- unbound-anchor moved to unbound-libs package. It is needed - to update the root.anchor key file. - -* Tue Sep 04 2012 Paul Wouters - 1.4.18-3 -- Fix openssl thread locking bug under high query load - -* Thu Aug 23 2012 Paul Wouters - 1.4.18-2 -- Use new systemd-rpm macros (rhbz#850351) -- Clean up old obsoleted dnssec-conf from < fedora 15 - -* Fri Aug 03 2012 Paul Wouters - 1.4.18-1 -- Updated to 1.4.18 (FIPS related fixes mostly) -- Removed patches that were merged in upstream -- Added comment to root.key - -* Mon Jul 23 2012 Paul Wouters - 1.4.17-5 -- Fix for unbound crasher (upstream bug #452) -- Support libunbound functions in man pages and place in -devel - -* Sun Jul 22 2012 Fedora Release Engineering - 1.4.17-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild - -* Tue Jul 03 2012 Paul Wouters - 1.4.17-3 -- unbound FIPS patches for MD5,randomness (rhbz#835106) - -* Fri Jun 15 2012 Adam Tkac - 1.4.17-2 -- don't build unbound-munin on RHEL - -* Thu May 24 2012 Paul Wouters - 1.4.17-1 -- Updated to 1.4.17 (which mostly brings in patches we already - applied from svn trunk) - -* Wed Feb 29 2012 Paul Wouters - 1.4.16-3 -- Since the daemon links to the libs staticly, add Requires: - (this is rhbz#745288) -- Package up streamtcp as unbound-streamtcp (for monitoring) - -* Mon Feb 27 2012 Paul Wouters - 1.4.16-2 -- Don't ghost the directory (rhbz#788805) -- Patch for unbound to support unbound-control forward_zone - (needed for openswan in XAUTH mode) - -* Thu Feb 02 2012 Paul Wouters - 1.4.16-1 -- Upgraded to 1.4.16, which was relesed due to the soname - and some DNSSEC validation failures - -* Wed Feb 01 2012 Paul Wouters - 1.4.15-2 -- Patch for SONAME version (libtool's -version-number vs -version-info) - -* Fri Jan 27 2012 Paul Wouters - 1.4.15-1 -- Upgraded to 1.4.15 -- Updated unbound.conf to show how to configure listening on tls443 - -* Sat Jan 14 
2012 Fedora Release Engineering - 1.4.14-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild - -* Mon Dec 19 2011 Paul Wouters - 1.4.14-1 -- Upgraded to 1.4.14 for CVE-2011-4528 / VU#209659 -- SSL-wrapped query support for dnssec-trigger -- EDNS handling changes -- Removed integrated EDNS patches -- Disabled use-caps-for-id, GoDaddy domains now break on it -- Enabled new harden-below-nxdomain - -* Thu Sep 15 2011 Paul Wouters - 1.4.13-1 -- Upgraded to 1.4.13 -- Removed merged in pythonmod patch -- Added EDNS1480 patch to fix unbound on broken EDNS/UDP networks -- Fix python to go into sitearch instead of sitelib - -* Wed Sep 14 2011 Tom Callaway - 1.4.12-4 -- convert to systemd, tmpfiles.d - -* Mon Aug 08 2011 Paul Wouters - 1.4.12-3 -- Added pythonmod docs and examples - -* Mon Aug 08 2011 Paul Wouters - 1.4.12-2 -- Fix for python module load in the server (Tom Hendrikx) -- No longer enable --enable-debug as it causes degraded performance - under load. - -* Mon Jul 18 2011 Paul Wouters - 1.4.12-1 -- Updated to 1.4.12 - -* Sun Jul 03 2011 Paul Wouters - 1.4.11-1 -- Updated to 1.4.11 -- removed integrated CVE patch -- updated stock unbound.conf for new options introduced - -* Mon Jun 06 2011 Paul Wouters - 1.4.10-1 -- Added ghost for /var/run/unbound (bz#656710) - -* Mon Jun 06 2011 Paul Wouters - 1.4.9-3 -- rebuilt - -* Wed May 25 2011 Paul Wouters - 1.4.9-2 -- Applied patch for CVE-2011-1922 DoS vulnerability - -* Sun Mar 27 2011 Paul Wouters - 1.4.9-1 -- Updated to 1.4.9 - -* Sat Feb 12 2011 Paul Wouters - 1.4.8-2 -- rebuilt - -* Tue Jan 25 2011 Paul Wouters - 1.4.8-1 -- Updated to 1.4.8 -- Enable root key for DNSSEC -- Fix unbound-munin to use proper file (could cause excessive logging) -- Build unbound-python per default -- Disable gost as Fedora/EPEL does not allow ECC and has mangled openssl - -* Tue Oct 26 2010 Paul Wouters - 1.4.5-4 -- Revert last build - it was on the wrong branch - -* Tue Oct 26 2010 Paul Wouters - 1.4.5-3 -- Disable 
do-ipv6 per default - causes severe degradation on non-ipv6 machines - (see comments in inbound.conf) - -* Tue Jun 15 2010 Paul Wouters - 1.4.5-2 -- Bump release - forgot to upload the new tar ball. - -* Tue Jun 15 2010 Paul Wouters - 1.4.5-1 -- Upgraded to 1.4.5 - -* Mon May 31 2010 Paul Wouters - 1.4.4-2 -- Added accidentally omitted svn patches to cvs - -* Mon May 31 2010 Paul Wouters - 1.4.4-1 -- Upgraded to 1.4.4 with svn patches -- Obsolete dnssec-conf to ensure it is de-installed - -* Thu Mar 11 2010 Paul Wouters - 1.4.3-1 -- Update to 1.4.3 that fixes 64bit crasher - -* Tue Mar 09 2010 Paul Wouters - 1.4.2-1 -- Updated to 1.4.2 -- Updated unbound.conf with new options -- Enabled pre-fetching DNSKEY records (DNSSEC speedup) -- Enabled re-fetching popular records before they expire -- Enabled logging of DNSSEC validation errors - -* Mon Mar 01 2010 Paul Wouters - 1.4.1-5 -- Overriding -D_GNU_SOURCE is no longer needed. This fixes DSO issues - with pthreads - -* Wed Feb 24 2010 Paul Wouters - 1.4.1-3 -- Change make/configure lines to attempt to fix -lphtread linking issue - -* Thu Feb 18 2010 Paul Wouters - 1.4.1-2 -- Removed dependancy for dnssec-conf -- Added ISC DLV key (formerly in dnssec-conf) -- Fixup old DLV locations in unbound.conf file via %%post -- Fix parent child disagreement handling and no-ipv6 present [svn r1953] - -* Tue Jan 05 2010 Paul Wouters - 1.4.1-1 -- Updated to 1.4.1 -- Changed %%define to %%global - -* Thu Oct 08 2009 Paul Wouters - 1.3.4-2 -- Bump version - -* Thu Oct 08 2009 Paul Wouters - 1.3.4-1 -- Upgraded to 1.3.4. 
Security fix with validating NSEC3 records - -* Fri Aug 21 2009 Tomas Mraz - 1.3.3-2 -- rebuilt with new openssl - -* Mon Aug 17 2009 Paul Wouters - 1.3.3-1 -- Updated to 1.3.3 - -* Sun Jul 26 2009 Fedora Release Engineering - 1.3.0-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild - -* Sat Jun 20 2009 Paul Wouters - 1.3.0-2 -- Added missing glob patch to cvs -- Place python macros within the %%with_python check - -* Sat Jun 20 2009 Paul Wouters - 1.3.0-1 -- Updated to 1.3.0 -- Added unbound-python sub package. disabled for now -- Patch from svn to fix DLV lookups -- Patches from svn to detect wrong truncated response from BIND 9.6.1 with - minimal-responses) -- Added Default-Start and Default-Stop to unbound.init -- Re-enabled --enable-sha2 -- Re-enabled glob.patch - -* Wed May 20 2009 Paul Wouters - 1.2.1-7 -- unbound-iterator.patch was not commited - -* Wed May 20 2009 Paul Wouters - 1.2.1-6 -- Fix for https://bugzilla.redhat.com/show_bug.cgi?id=499793 - -* Tue Mar 17 2009 Paul Wouters - 1.2.1-5 -- Use --nocheck to avoid giving an error on missing unbound-remote certs/keys - -* Tue Mar 10 2009 Adam Tkac - 1.2.1-4 -- enable DNSSEC only if it is enabled in sysconfig/dnssec - -* Mon Mar 09 2009 Adam Tkac - 1.2.1-3 -- add DNSSEC support to initscript and enabled it per default -- add requires dnssec-conf - -* Wed Feb 25 2009 Fedora Release Engineering - 1.2.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild - -* Tue Feb 10 2009 Paul Wouters - 1.2.0-2 -- rebuild with new openssl - -* Wed Jan 14 2009 Paul Wouters - 1.1.1-7 -- Modified scandir patch to silently fail when wildcard matches nothing -- Patch to allow unbound-checkconf to find empty wildcard matches - -* Mon Jan 5 2009 Paul Wouters - 1.1.1-6 -- Added scandir patch for trusted-keys-file: option, which - is used to load multiple dnssec keys in bind file format - -* Mon Dec 8 2008 Paul Wouters - 1.1.1-4 -- Added Requires: for selinux-policy >= 3.5.13-33 for proper 
SElinux rules. - -* Mon Dec 1 2008 Paul Wouters - 1.1.1-3 -- We did not own the /etc/unbound directory (#474020) -- Fixed cvs anomalies - -* Fri Nov 28 2008 Adam Tkac - 1.1.1-2 -- removed all obsolete chroot related stuff -- label control certs after generation correctly - -* Thu Nov 20 2008 Paul Wouters - 1.1.1-1 -- Updated to unbound 1.1.1 which fixes a crasher and - addresses nlnetlabs bug #219 - -* Wed Nov 19 2008 Paul Wouters - 1.1.0-3 -- Remove the chroot, obsoleted by SElinux -- Add additional munin plugin links supported by unbound plugin -- Move configuration directory from /var/lib/unbound to /etc/unbound -- Modified unbound.init and unbound.conf to account for chroot changes -- Updated unbound.conf with new available options -- Enabled dns-0x20 protection per default - -* Wed Nov 19 2008 Adam Tkac - 1.1.0-2 -- unbound-1.1.0-log_open.patch - - make sure log is opened before chroot call - - tracked as http://www.nlnetlabs.nl/bugs/show_bug.cgi?id=219 -- removed /dev/log and /var/run/unbound and /etc/resolv.conf from - chroot, not needed -- don't mount files in chroot, it causes problems during updates -- fixed typo in default config file - -* Fri Nov 14 2008 Paul Wouters - 1.1.0-1 -- Updated to version 1.1.0 -- Updated unbound.conf's statistics options and remote-control - to work properly for munin -- Added unbound-munin package -- Generate unbound remote-control key/certs on first startup -- Required ldns is now 1.4.0 - -* Wed Oct 22 2008 Paul Wouters - 1.0.2-5 -- Only call ldconfig in -libs package -- Move configure into build section -- devel subpackage should only depend on libs subpackage - -* Tue Oct 21 2008 Paul Wouters - 1.0.2-4 -- Fix CFLAGS getting lost in build -- Don't enable interface-automatic:yes because that - causes unbound to listen on 0.0.0.0 instead of 127.0.0.1 - -* Sun Oct 19 2008 Paul Wouters - 1.0.2-3 -- Split off unbound-libs, make build verbose - -* Thu Oct 9 2008 Paul Wouters - 1.0.2-2 -- FSB compliance, chroot fixes, initscript 
fixes - -* Thu Sep 11 2008 Paul Wouters - 1.0.2-1 -- Upgraded to 1.0.2 - -* Wed Jul 16 2008 Paul Wouters - 1.0.1-1 -- upgraded to new release - -* Wed May 21 2008 Paul Wouters - 1.0.0-2 -- Build against ldns-1.3.0 - -* Wed May 21 2008 Paul Wouters - 1.0.0-1 -- Split of -devel package, fixed dependancies, make rpmlint happy - -* Fri Apr 25 2008 Wouter Wijngaards - 0.12 -- Using parts from ports collection entry by Jaap Akkerhuis. -- Using Fedoraproject wiki guidelines. - -* Wed Apr 23 2008 Wouter Wijngaards - 0.11 -- Initial version. +* Fri Mar 14 2014 Paul Wouters - 1.4.22-2 +- RPMAUTOSPEC: unresolvable merge