unbound 1.17.1

Signed-off-by: Toshaan Bharvani <toshaan@powerel.org>
Toshaan Bharvani 2023-05-14 23:07:38 +02:00
parent daefcd82d2
commit 3178272385
3 changed files with 61 additions and 27 deletions


@ -41,6 +41,11 @@ server:
# Needs to be enabled for munin plugin
extended-statistics: yes

# Inhibits selected extended statistics (qtype, qclass, qopcode, rcode,
# rpz-actions) from printing if their value is 0.
# Default on.
# statistics-inhibit-zero: yes

# number of threads to create. 1 disables threading.
num-threads: 4

@ -148,7 +153,7 @@ server:
# ip-dscp: 0

# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
# is set with msg-buffer-size). 1472 can solve fragmentation (timeouts)
# is set with msg-buffer-size).
# edns-buffer-size: 1232

# Maximum UDP response size (not applied to TCP response).
@ -189,6 +194,15 @@ server:
# a throwaway response (also timeouts) is received.
# outbound-msg-retry: 5

# Hard limit on the number of outgoing queries Unbound will make while
# resolving a name, making sure large NS sets do not loop.
# It resets on query restarts (e.g., CNAME) and referrals.
# max-sent-count: 32

# Hard limit on the number of times Unbound is allowed to restart a
# query upon encountering a CNAME record.
# max-query-restarts: 11

# msec for waiting for an unknown server to reply. Increase if you
# are behind a slow satellite link, to eg. 1128.
# unknown-server-time-limit: 376
@ -234,7 +248,8 @@ server:
# the maximum number of hosts that are cached (roundtrip, EDNS, lame).
# infra-cache-numhosts: 10000

# define a number of tags here, use with local-zone, access-control.
# define a number of tags here, use with local-zone, access-control,
# interface-*.
# repeat the define-tag statement to add additional tags.
# define-tag: "tag1 tag2 tag3"

@ -277,7 +292,9 @@ server:
# Timeout for EDNS TCP keepalive, in msec.
# edns-tcp-keepalive-timeout: 120000

# Fedora note: do not activate this - can cause a crash
# Fedora note: do not activate this - not compiled in because
# it causes frequent unbound crashes. Also, socket activation
# is bad when you have things like dnsmasq also running with libvirt.
# Use systemd socket activation for UDP, TCP, and control sockets.
# use-systemd: no

@ -293,9 +310,7 @@ server:
# allow_snoop (recursive and nonrecursive ok)
# deny_non_local (drop queries unless can be answered from local-data)
# refuse_non_local (like deny_non_local but polite error reply).
# access-control: 0.0.0.0/0 refuse
# access-control: 127.0.0.0/8 allow
# access-control: ::0/0 refuse
# access-control: ::1 allow
# access-control: ::ffff:127.0.0.1 allow

@ -539,6 +554,8 @@ server:
# most modules have to be listed at the beginning of the line,
# except cachedb(just before iterator), and python (at the beginning,
# or, just before the iterator).
# For redis cachedb use:
# "ipsecmod validator cachedb iterator"
module-config: "ipsecmod validator iterator"

# File with trusted keys, kept uptodate using RFC5011 probes,
@ -546,7 +563,8 @@ server:
# Use several entries, one per domain name, to track multiple zones.
#
# If you want to perform DNSSEC validation, run unbound-anchor before
# you start Unbound (i.e. in the system boot scripts). And enable:
# you start Unbound (i.e. in the system boot scripts).
# And then enable the auto-trust-anchor-file config item.
# Please note usage of unbound-anchor root anchor is at your own risk
# and under the terms of our LICENSE (see that file in the source).
# auto-trust-anchor-file: "/var/lib/unbound/root.key"

SOURCES/unbound.sysusers Normal file

@ -0,0 +1 @@
u unbound - "Unbound DNS resolver" /var/lib/unbound /sbin/nologin
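Review bot: The account's home directory moves from `%{_sysconfdir}/unbound` (the `-d` argument of the useradd call this file replaces in the spec's `%pre anchor` hunk) to `/var/lib/unbound`, and systemd-sysusers does not create that directory itself, so ownership rests entirely on the `%dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}` entry in %files, which the spec does carry. With the `-` UID field allocating a dynamic system UID and the shell set to `/sbin/nologin`, the line otherwise matches what `useradd -r ... -s /sbin/nologin` did before, so the home change is the one deliberate difference and deserves a comment at the top of the file so it is not read as an accident: `# dynamic system UID; home is the root-key directory, owned via %files, not created here`. One thing to check in the spec: this file is consumed by the new `%pre libs` scriptlet, while `Requires(pre): systemd-sysusers` is declared on the main package rather than on libs, and if `%sysusers_create_compat` invokes systemd-sysusers at install time that dependency belongs on the libs subpackage.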


@ -4,6 +4,7 @@
%bcond_without dnstap
%bcond_with systemd
%bcond_without doh
%bcond_with redis

%global _hardened_build 1

@ -29,7 +30,7 @@

Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound
Version: 1.16.3
Version: 1.17.1
Release: 1%{?extra_version:.%{extra_version}}%{?dist}
License: BSD
Url: https://nlnetlabs.nl/projects/unbound/
@ -53,6 +54,7 @@ Source17: unbound-anchor.service
Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
# source: https://nlnetlabs.nl/people/
Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
Source20: unbound.sysusers


BuildRequires: gcc, make
@ -77,6 +79,9 @@ BuildRequires: systemd-devel
%if %{with doh}
BuildRequires: libnghttp2-devel
%endif
%if %{with redis}
BuildRequires: redis-devel
%endif
%if 0%{?fedora} >= 30
BuildRequires: systemd-rpm-macros
%else
@ -92,6 +97,7 @@ Requires: %{name}-anchor%{?_isa} = %{version}-%{release}
Recommends: %{name}-utils%{?_isa} = %{version}-%{release}
# unbound-keygen.service requires it, bug #2116790
Requires: openssl
Requires(pre): systemd-sysusers

%description
Unbound is a validating, recursive, and caching DNS(SEC) resolver.
@ -179,7 +185,7 @@ Python 3 modules and extensions for unbound

%prep
%if 0%{?fedora}
%gpgverify -k 19 -s 18 -d 0
%{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}'
%endif
%global pkgname %{name}-%{version}%{?extra_version}

@ -223,7 +229,8 @@ cp -a %{dir_primary} %{dir_secondary}
--with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\
--enable-sha2 --disable-gost --enable-ecdsa \\\
--with-rootkey-file=%{_sharedstatedir}/unbound/root.key \\\
--enable-linux-ip-local-port-range
--enable-linux-ip-local-port-range \\\


pushd %{dir_primary}

@ -239,6 +246,10 @@ pushd %{dir_primary}
%endif
%if %{with doh}
--with-libnghttp2 \
%endif
%if %{with redis}
--with-libhiredis \
--enable-cachedb \
%endif
%{configure_args}

@ -287,6 +298,7 @@ install -p -m 0644 %{SOURCE17} %{buildroot}%{_unitdir}/unbound-anchor.service
install -p -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound
install -p -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/unbound
install -p -m 0644 %{SOURCE14} %{buildroot}%{_sysconfdir}/sysconfig/unbound
install -p -D -m 0644 %{SOURCE20} %{buildroot}%{_sysusersdir}/%{name}.sysusers
%if %{with_munin}
# Install munin plugin and its softlinks
install -d -m 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d
@ -338,18 +350,15 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8


%pre anchor
getent group unbound >/dev/null || groupadd -r unbound
getent passwd unbound >/dev/null || \
useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \
-c "Unbound DNS resolver" unbound
%pre libs
%sysusers_create_compat %{SOURCE20}

%post
%systemd_post unbound.service
%systemd_post unbound-keygen.service

%post anchor
%systemd_post unbound-anchor.timer
%systemd_post unbound-anchor.service unbound-anchor.timer
# start the timer only if installing the package to prevent starting it, if it was stopped on purpose
if [ "$1" -eq 1 ]; then
# the Unit is in presets, but would be started after reboot
@ -361,14 +370,14 @@ fi
%systemd_preun unbound-keygen.service

%preun anchor
%systemd_preun unbound-anchor.timer
%systemd_preun unbound-anchor.service unbound-anchor.timer

%postun
%systemd_postun_with_restart unbound.service
%systemd_postun unbound-keygen.service

%postun libs
%systemd_postun_with_restart unbound-anchor.timer
%postun anchor
%systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer

%check
pushd %{dir_primary}
@ -449,7 +458,8 @@ popd
%doc doc/README
%license doc/LICENSE
%attr(0755,root,root) %dir %{_sysconfdir}/%{name}
%{_libdir}/libunbound.so.*
%{_sysusersdir}/%{name}.sysusers
%{_libdir}/libunbound.so.8*
%dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
%attr(0644,unbound,unbound) %config %{_sharedstatedir}/%{name}/root.key
# just left for backwards compat with user changed unbound.conf files - format is different!
@ -471,6 +481,17 @@ popd
%{_mandir}/man1/unbound-*

%changelog
* Fri Jan 13 2023 Paul Wouters <paul.wouters@aiven.io - 1.17.1-1
- Resolved rhbz#2160397 unbound-1.17.1 is available (bugfix release)
- Add support for building with redis

* Thu Dec 01 2022 Petr Menšík <pemensik@redhat.com> - 1.16.3-3
- Move unbound user creation to libs (#2149036)
- Use systemd-sysusers for user creation (#2105416)

* Wed Oct 05 2022 Petr Menšík <pemensik@redhat.com> - 1.16.3-2
- Correct issues made by unbound-anchor package split (#2110858)

* Fri Sep 23 2022 Petr Menšík <pemensik@redhat.com> - 1.16.3-1
- Update to 1.16.3 (#2128638)

@ -482,18 +503,12 @@ popd
- Require openssl tool for unbound-keygen (#2116790)

* Wed Aug 03 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-1
- Update to 1.16.2 (#2105947) for CVE-2022-30698 and CVE-2022-30699
- Update to 1.16.2 (#2105947)

* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.16.0-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild

* Mon Jun 27 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-6
* Mon Jun 27 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-5
- Move unbound-anchor to separate package
- Move unbound-host and unbound-streamtcp to unbound-utils package

* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 1.16.0-5
- Rebuilt for Python 3.11

* Tue Jun 07 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-4
- Restart keygen service before every unbound start