From c629eae5a4d0558ba3051264836ee1302a3dc189 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mar 31 2020 09:38:26 +0000 Subject: import unbound-1.6.6-3.el7 --- diff --git a/SOURCES/root.anchor b/SOURCES/root.anchor index 1d2f75d..d13dec7 100644 --- a/SOURCES/root.anchor +++ b/SOURCES/root.anchor @@ -1,2 +1 @@ -. 98799 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} . 98799 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} diff --git a/SOURCES/root.key b/SOURCES/root.key index d8aca0c..6c5622c 100644 --- a/SOURCES/root.key +++ b/SOURCES/root.key @@ -1,7 +1,6 @@ ; // The root key in bind format. This can be read by most tools, including ; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this trusted-keys { -"." 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="; // key id = 19036 "." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326 }; diff --git a/SOURCES/unbound-1.6.6-fix-domain-insecure-for-stub-zone.patch b/SOURCES/unbound-1.6.6-fix-domain-insecure-for-stub-zone.patch new file mode 100644 index 0000000..33e00a7 --- /dev/null +++ b/SOURCES/unbound-1.6.6-fix-domain-insecure-for-stub-zone.patch @@ -0,0 +1,45 @@ +From 52aeaf4924ec3f6689e6aafedbe41473d2bda992 Mon Sep 17 00:00:00 2001 +From: Wouter Wijngaards +Date: Tue, 14 Nov 2017 10:01:44 +0000 +Subject: [PATCH] - Fix #2882: Unbound behaviour changes (wrong) when + domain-insecure is set for stub zone. It no longer searches for DNSSEC + information. + +git-svn-id: file:///svn/unbound/trunk@4404 be551aaa-1e26-0410-a405-d3ace91eadb9 +--- + iterator/iter_utils.c | 5 +++++ + iterator/iter_utils.h | 2 +- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c +index 0b1b456..70cab40 100644 +--- a/iterator/iter_utils.c ++++ b/iterator/iter_utils.c +@@ -656,6 +656,11 @@ iter_indicates_dnssec(struct module_env* env, struct delegpt* dp, + /* a trust anchor exists with this name, RRSIGs expected */ + if((a=anchor_find(env->anchors, dp->name, dp->namelabs, dp->namelen, + dclass))) { ++ if(a->numDS == 0 && a->numDNSKEY == 0) { ++ /* insecure trust point */ ++ lock_basic_unlock(&a->lock); ++ return 0; ++ } + lock_basic_unlock(&a->lock); + return 1; + } +diff --git a/iterator/iter_utils.h b/iterator/iter_utils.h +index 50c5fc0..5b6df7f 100644 +--- a/iterator/iter_utils.h ++++ b/iterator/iter_utils.h +@@ -193,7 +193,7 @@ int iter_indicates_dnssec_fwd(struct module_env* env, + * @param dp: delegation point. + * @param msg: delegation message, with DS if a secure referral. + * @param dclass: class of query. +- * @return 1 if dnssec is expected, 0 if not. ++ * @return 1 if dnssec is expected, 0 if not or insecure point above qname. + */ + int iter_indicates_dnssec(struct module_env* env, struct delegpt* dp, + struct dns_msg* msg, uint16_t dclass); +-- +2.20.1 + diff --git a/SOURCES/unbound-1.6.6-rh1775706.patch b/SOURCES/unbound-1.6.6-rh1775706.patch new file mode 100644 index 0000000..a6bc5fd --- /dev/null +++ b/SOURCES/unbound-1.6.6-rh1775706.patch @@ -0,0 +1,160 @@ +From d905fd132a536e9149c91816704500c659e154f0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Renaud=20M=C3=A9trich?= +Date: Tue, 26 Nov 2019 16:32:03 +0100 +Subject: [PATCH] Changed log lock from 'quick' to 'basic' because this is an + I/O lock. + +We cannot use a 'quick' lock (i.e. lock spinning on the CPU) for the log +lock because it can wait a lot on I/Os. Using a 'quick' lock leads to +eating the CPU for no good reason. + +Example of 'pidstat' output when using various locks for log_lock: + +- 'quick' lock and slow log file system (tail -f on the log file on XFS on RHEL 8) + +04:15:11 PM UID TGID TID %usr %system %CPU CPU Command +04:15:21 PM 998 16431 - 100.00 4.20 100.00 2 unbound +04:15:21 PM 998 - 16431 31.00 1.00 32.00 2 |__unbound +04:15:21 PM 998 - 16432 31.30 0.80 32.10 0 |__unbound +04:15:21 PM 998 - 16433 30.20 1.40 31.60 1 |__unbound +04:15:21 PM 998 - 16434 30.70 1.00 31.70 3 |__unbound + +- 'quick' lock and log file system being fast + +04:15:40 PM UID TGID TID %usr %system %CPU CPU Command +04:15:50 PM 998 16431 - 10.00 1.60 11.60 1 unbound +04:15:50 PM 998 - 16431 2.50 0.50 3.00 1 |__unbound +04:15:50 PM 998 - 16432 2.30 0.40 2.70 3 |__unbound +04:15:50 PM 998 - 16433 2.70 0.30 3.00 0 |__unbound +04:15:50 PM 998 - 16434 2.60 0.40 3.00 2 |__unbound + +- 'basic' lock (this commit) and slow log file system (tail -f on the log file on XFS on RHEL 8) + +04:29:48 PM UID TGID TID %usr %system %CPU CPU Command +04:29:58 PM 998 11632 - 7.10 14.10 21.20 3 unbound +04:29:58 PM 998 - 11632 1.70 3.20 4.90 3 |__unbound +04:29:58 PM 998 - 11633 1.60 3.30 4.90 1 |__unbound +04:29:58 PM 998 - 11634 2.00 4.10 6.10 1 |__unbound +04:29:58 PM 998 - 11635 1.90 3.50 5.40 1 |__unbound + +We can see in the above example, when 'basic' lock is used, that CPU +isn't consumed when log file system is slow. + +Another reproducer scenario: put the log file on a NFS share with 'sync' +option. +--- + util/log.c | 30 +++++++++++++++--------------- + 1 file changed, 15 insertions(+), 15 deletions(-) + +diff --git a/util/log.c b/util/log.c +index c14b458..5b31854 100644 +--- a/util/log.c ++++ b/util/log.c +@@ -70,7 +70,7 @@ static int key_created = 0; + static ub_thread_key_type logkey; + #ifndef THREADS_DISABLED + /** pthread mutex to protect FILE* */ +-static lock_quick_type log_lock; ++static lock_basic_type log_lock; + #endif + /** the identity of this executable/process */ + static const char* ident="unbound"; +@@ -90,18 +90,18 @@ log_init(const char* filename, int use_syslog, const char* chrootdir) + if(!key_created) { + key_created = 1; + ub_thread_key_create(&logkey, NULL); +- lock_quick_init(&log_lock); ++ lock_basic_init(&log_lock); + } +- lock_quick_lock(&log_lock); ++ lock_basic_lock(&log_lock); + if(logfile + #if defined(HAVE_SYSLOG_H) || defined(UB_ON_WINDOWS) + || logging_to_syslog + #endif + ) { +- lock_quick_unlock(&log_lock); /* verbose() needs the lock */ ++ lock_basic_unlock(&log_lock); /* verbose() needs the lock */ + verbose(VERB_QUERY, "switching log to %s", + use_syslog?"syslog":(filename&&filename[0]?filename:"stderr")); +- lock_quick_lock(&log_lock); ++ lock_basic_lock(&log_lock); + } + if(logfile && logfile != stderr) { + FILE* cl = logfile; +@@ -119,7 +119,7 @@ log_init(const char* filename, int use_syslog, const char* chrootdir) + * chroot and no longer be able to access dev/log and so on */ + openlog(ident, LOG_NDELAY, LOG_DAEMON); + logging_to_syslog = 1; +- lock_quick_unlock(&log_lock); ++ lock_basic_unlock(&log_lock); + return; + } + #elif defined(UB_ON_WINDOWS) +@@ -128,13 +128,13 @@ log_init(const char* filename, int use_syslog, const char* chrootdir) + } + if(use_syslog) { + logging_to_syslog = 1; +- lock_quick_unlock(&log_lock); ++ lock_basic_unlock(&log_lock); + return; + } + #endif /* HAVE_SYSLOG_H */ + if(!filename || !filename[0]) { + logfile = stderr; +- lock_quick_unlock(&log_lock); ++ lock_basic_unlock(&log_lock); + return; + } + /* open the file for logging */ +@@ -143,7 +143,7 @@ log_init(const char* filename, int use_syslog, const char* chrootdir) + filename += strlen(chrootdir); + f = fopen(filename, "a"); + if(!f) { +- lock_quick_unlock(&log_lock); ++ lock_basic_unlock(&log_lock); + log_err("Could not open logfile %s: %s", filename, + strerror(errno)); + return; +@@ -153,14 +153,14 @@ log_init(const char* filename, int use_syslog, const char* chrootdir) + setvbuf(f, NULL, (int)_IOLBF, 0); + #endif + logfile = f; +- lock_quick_unlock(&log_lock); ++ lock_basic_unlock(&log_lock); + } + + void log_file(FILE *f) + { +- lock_quick_lock(&log_lock); ++ lock_basic_lock(&log_lock); + logfile = f; +- lock_quick_unlock(&log_lock); ++ lock_basic_unlock(&log_lock); + } + + void log_thread_set(int* num) +@@ -239,9 +239,9 @@ log_vmsg(int pri, const char* type, + return; + } + #endif /* HAVE_SYSLOG_H */ +- lock_quick_lock(&log_lock); ++ lock_basic_lock(&log_lock); + if(!logfile) { +- lock_quick_unlock(&log_lock); ++ lock_basic_unlock(&log_lock); + return; + } + if(log_now) +@@ -268,7 +268,7 @@ log_vmsg(int pri, const char* type, + /* line buffering does not work on windows */ + fflush(logfile); + #endif +- lock_quick_unlock(&log_lock); ++ lock_basic_unlock(&log_lock); + } + + /** +-- +2.21.0 + diff --git a/SPECS/unbound.spec b/SPECS/unbound.spec index fcb5457..353575d 100644 --- a/SPECS/unbound.spec +++ b/SPECS/unbound.spec @@ -12,7 +12,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.6.6 -Release: 1%{?dist} +Release: 3%{?dist} License: BSD Url: https://unbound.net/ Source: https://www.unbound.net/downloads/%{name}-%{version}.tar.gz @@ -39,6 +39,9 @@ Patch3: unbound-1.6.3-print-test-fails.patch Patch4: unbound-1.6.3-coverity.patch # Randomize outgoing port too, do not fail on two running builds on one host Patch5: unbound-1.6.6-test-fwd_oneport.patch +Patch6: unbound-1.6.6-fix-domain-insecure-for-stub-zone.patch +Patch7: unbound-1.6.6-rh1775706.patch + Group: System Environment/Daemons BuildRequires: openssl-devel %if %{with_test} @@ -137,6 +140,8 @@ Python modules and extensions for unbound %patch3 -p1 -b .testlog %patch4 -p1 -b .coverity %patch5 -p1 -b .test-fwd_oneport +%patch6 -p1 -b .domain-insecure +%patch7 -p1 -b .rh1775706 # regrnerate config parser due to new options added echo "#include \"config.h\"" > util/configlexer.c || echo "Failed to create configlexer" @@ -348,6 +353,14 @@ fi %endif %changelog +* Tue Dec 03 2019 Petr Menšík - 1.6.6-3 +- Lower CPU usage on slow log I/O (#1775706) + +* Thu Jul 25 2019 Martin Osvald - 1.6.6-2 +- Do not search for DNSSEC info when domain-insecure is set + for stub zone (#1678550) +- Remove KSK-2010 from configuration files - it has been revoked (#1665503) + * Wed Oct 11 2017 Petr Menšík - 1.6.6-1 - Rebase to 1.6.6 - Enable RFC 8145 Trust Anchor Signaling to help the root zone get keytag statistics